Firewall on Andrew's Memory Blog

Fixing buffer bloat on OpenBSD 7.2

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sat, 01 Feb 2025 01:28:19 -0700

I learned a little today about buffer bloat, which is latency introduced when uploading/downloading. After that, I headed straight over to WaveForm’s buffer bloat test and got a D.

Luckily, the WaveForm page pointed me to a solution, which I found at Paul Smith’s blog.

Following Paul’s instructions, I added a Queue section to my /etc/pf.conf:

#---------------------------------#
# Queues
#---------------------------------#
queue outq on $ext_if flows 1024 bandwidth 10M max 10M qlimit 1024 default
queue inq on $lan_if flows 1024 bandwidth 225M max 225M qlimit 1024 default

then reloaded the rules:

doas pfctl -n -f /etc/pf.conf && doas pfctl -f /etc/pf.conf

I didn’t get an A, but I did move up to a C, which means I’ve at least halved the latency problem. There’s a warning in a comment on Paul Smith’s page:

“This works well if you have OpenBSD acting as a firewall/NAT appliance only, but doesn’t work if you have multiple downstream interfaces, or run any services on the OpenBSD server at all (facing either the LAN or the internet).” The commenter suggests an explict parent queue with the whole LAN bandwidth and subqueues for internet and everything else.

Anyway, I went to CloudFlare’s speed test and I’m “great.”

Block Ad Sites and Nasties on OpenBSD 7.4

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 22 Oct 2023 22:03:47 -0700

One of the benefits of building your own firewall is that you get to decide what you want to block. I’d been using a list from pgl.yoyo.org/adservers. There’s a utility called Pf-badhost that blocks evil hosts. I wanted to do a little more: block bad IPs (sorry, Cloudflare, I know you hate that) and have better control over when things get updated.

So I ultimately decided to adapt some of Pf-badhost to a few scripts I created. First, a script to get the latest list of bad hostnames from pgl.yoyo.org — grab-bad-hosts.sh:

Grabbing Bad Hostnames
#

#! /bin/sh
/usr/local/bin/wget -O ./pgl-adhosts.conf 'https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=1&mimetype=plaintext'
grep -v -f /var/unbound/etc/unbound-whitelist-ads.txt pgl-adhosts.conf > unbound-adhosts.conf
grep -f /var/unbound/etc/unbound-whitelist-ads.txt pgl-adhosts.conf > unbound-adhosts-whitelist.conf
echo "In a root shell, run:"
echo "cat unbound-adhosts.conf > /var/unbound/etc/unbound-adhosts.conf"
echo "cat unbound-adhosts-whitelist.conf > /var/unbound/etc/unbound-adhosts-whitelist.conf"
echo "rcctl restart unbound"
echo "(or run root-update-hosts.sh as root)"

This builds two files: /var/unbound/etc/unbound-adhosts.conf and /var/unbound/etc/unbound-adhosts-whitelists.conf based on a file I created, /var/unbound/etc/unbound-whitelist-ads.txt, which I had to add to make other users happy. /var/unbound/etc/unbound-whitelist-ads.txt looks like this:

adservice.google.com[^.]
googleadservices.com[^.]

… and I’m going to set up unbound to allow one host to have the whitelisted ads.

Grabbing Bad IPs
#

I used Pf-badhost as a source of places to grab bad IP addresses from. I ended up with this script, grab-bad-ips.sh:

#! /bin/sh
/usr/local/bin/wget -O ./banlist_firehol_level1 https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
/usr/local/bin/wget -O ./banlist_firehol_level2 https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
/usr/local/bin/wget -O ./banlist_binarydefence https://www.binarydefense.com/banlist.txt
/usr/local/bin/wget -O ./banlist_emergingthreats https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
cat ./banlist_firehol_level1 > pf-badguys.table
printf "\n">> pf-badguys.table
cat ./banlist_firehol_level2 >> pf-badguys.table
printf "\n">> pf-badguys.table
cat ./banlist_binarydefence >> pf-badguys.table
printf "\n">> pf-badguys.table
cat ./banlist_emergingthreats >> pf-badguys.table
printf "\n">> pf-badguys.table
grep '^[0-9]' pf-badguys.table | sort | uniq > pf-badguys.table.sort.uniq
mv pf-badguys.table.sort.uniq pf-badguys.table
echo "In a root shell, run:"
echo " cat pf-badguys.table > /etc/pf-badguys.table"
echo " pfctl -F Tables -f /etc/pf.conf"
echo "(or run root-update-ips.sh as root)"

This script creates /etc/pf-badguys.table, which I’ll plug into my PF configuration.

Configuring unbound to use the bad hosts lists
#

It’s not hard to have unbound import the bad hosts, which are already formatted to redirect to 127.0.0.1. Here’s a sample from /var/unbound/etc/unbound-adhosts.conf:

local-zone: "1-1ads.com" redirect
local-data: "1-1ads.com A 127.0.0.1"

unbound-adhosts-whitelist.conf looks the same, but only contains the whitelisted ad servers. After the last local-data:/local-data-ptr: pair for my network, I added the following:

 # open a hole for ad servers
# 192.168.150.180 is unblocked desktop
access-control-view: 192.168.150.180/32 adview

After my access-control: directives, I added:

# Host addresses - spam to block
#
include: /var/unbound/etc/unbound-adhosts.conf
include: /var/unbound/etc/unbound-adhosts-whitelist.conf
include: /var/unbound/etc/unbound-adhosts-local.conf

At the end of the unbound.conf file I added:

view:
name: "adview"
include: /var/unbound/etc/unbound-adhosts.conf
include: /var/unbound/etc/unbound-adhosts-local.conf

Then a quick:

# unbound-checkconf
# rcctl restart unbound

… and I was blocking ad servers. I could update this in cron, but I prefer to do it manually every week or so.

Configuring PF to block the bad IP addresses
#

I know there’s an argument for not blocking bad IP addresses. After all, there may be legitimate sites that are hosted on the same IP address. But… so far I’ve only run into one. So I’m happy to continue blocking them. In my pf.conf, after the table, I added a table:

table <badguys> persist file "/etc/pf-badguys.table"

Then after the block for martians, I added an equivalent for badguys:

# Block addresses in the badguys table
# We use the "quick" parameter here to make this rule the last.
# Note that badguys might contain martians, but they get handled before
# this rule.
block in quick on $ext_if from <badguys> to any
block return out quick on $ext_if from any to <badguys>

Then pfctl -F Tables -f /etc/pf.conf to reread the table.

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Setting up Wireguard on an OpenBSD 7.4 firewall device

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 22 Oct 2023 21:09:01 -0700

It took me a little while after I set up my firewall device to set up Wireguard as a VPN. It’s probably something I should have done right away — the benefits of being able to log in from home (and block ads) while on the road is really nice.

Wireguard needs a publicly available IP or domain name. I used DuckDNS. I posted about that a while back so I won’t do it again here, but you’ll need to do that first.

Wireguard is in the kernel in 7.4. Prior releases required you to pkg_add wireguard_tools, but these days you don’t need to.

The way Wireguard works is that you generate public and private keys. Each device gets its own private key, and you share the public keys. Wireguard has tools to do that. On the OpenBSD firewall side:

# mkdir /etc/wireguard
# chmod 700 /etc/wireguard
# wg genkey > /etc/wireguard/private.key
# chmod 600 /etc/wireguard/private.key
# wg pubkey < private.key > public.key

Next, you need to generate private and public keys on each of your clients. Then set up /etc/wireguard/wg0.conf to contain the firewall’s private key and also the public keys of the client. I decided to do this on a completely different network — 172.16. I assigned individual IP addresses for each device. It’s a little more management headache, but makes it easy to delete something if I lose a device. The /etc/wireguard/wg0.conf looks like this:

[Interface]
PrivateKey = the private key from /etc/wireguard/private.key
ListenPort = 51820
[Peer]
# My first peer - a laptop
PublicKey = the public key from the laptop
AllowedIPs = 172.16.0.2
[Peer]
# My second peer - an Android device running Wireguard from F-Droid
PublicKey = the public key from the device
AllowedIPs = 172.16.0.3
# ... etc...

Obviously, on each device you have to do the reverse: specify the private key generated on device, and put the firewall’s public key in as the peer. Next, you need an /etc/hostname.wg0 to bring the network up:

inet 172.16.0.1 255.255.255.0 NONE up
!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf

Before you can go further, you need to unblock the Wireguard interface in /etc/pf.conf:

(after the lan_if macro)
vpn_if="wg0"
vpn_port="51820"
(at the end after the NAT rules)
#---------------------------------#
# WireGuard
#---------------------------------#
pass in on $vpn_if
pass in inet proto udp from any to any port $vpn_port
pass out on egress inet from ($vpn_if:network) nat-to ($ext_if:0)

From there, you can restart pf and reload the new rules and sh /etc/netstart wg0.

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Set up networking for an OpenBSD 7.4 firewall device

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sat, 21 Oct 2023 17:14:44 -0700

I had a few wrinkles because I’d already set up networking, and I didn’t want to have to go through and redo all my static IPs. But I wanted to make my network more rational. I had devices on 192.168.150.*/24 and I wanted something bigger, so I decided to go with /20. That gave me a range of 92.168.144.1–192.168.159.254. (I admit I used an IP subnet calculator for that.) My ISP gives me IPv4, so I’m using that and not worrying about IPv6.

First things first: let’s make the box forward packets:

# sysctl net.inet.ip.forwarding=1
# echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

Configure Network Adapters
#

I have two Intel NICs. I’m connecting igc0 to my cable modem. I’m connecting igc1 to a 16-port switch which is my internal network. I’ve got another network port that was autodetected, but I’m not using it yet, so I’ll remove it.

# echo "inet autoconf" > /etc/hostname.igc0
# echo "inet 192.168.144.1 255.255.240.0 NONE" > /etc/hostname.igc1
# rm /etc/hostname.igc2
# sh /etc/netstart.sh

Setting up the PF packet filter
#

Now, set up PF. I got my instructions for this mostly from home.nuug.no/~peter/pf/en/ftpproblem.html. Here’s how I edited /etc/pf.conf:

#---------------------------------#
# Macros
#---------------------------------#
ext_if="igc0"
lan_if="igc1"
ftpproxy="127.0.0.1"
ftpproxyport="8021"
#---------------------------------#
# Tables
#---------------------------------#
table <localonly> { \
# Addresses that can talk to the local network but not to the rest of the world
\
# Local printer
192.168.158.1/32 \
}
# This is a table of non-routable private addresses.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
#---------------------------------#
# Protect and block by default
#---------------------------------#
set skip on lo0
set block-policy drop
# Spoofing protection for all NICs.
block in from no-route
block in quick from urpf-failed
# Block non-routable private addresses.
# We use the "quick" parameter here to make this rule the last.
block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>
# Default blocking all traffic in on all LAN NICs from any computer or device
# attached.
block return in on { $lan_if }
# Default blocking all traffic in on the external NIC from the Internet/ISP,
# we'll log that too.
block drop in log on $ext_if
# Don't allow ICMP from outside. Commented out this section.
# Yeah, I know people hate that.
#
#match in on $ext_if inet proto icmp icmp-type {echoreq } tag ICMP_IN
#block drop in on $ext_if proto icmp
#pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10
# We need the router to have access to the Internet, so we'll default allow
# packets to pass out from our router through the external NIC to the Internet.
pass out inet from $ext_if
#---------------------------------#
# LAN Setup
#---------------------------------#
# Allow any computer or device on the LAN to send data packets in through the NIC.
# This means any computer attached to this network interface can pass in data
# reaching anywhere, i.e. the Internet or any of the computers attached to the
# router.
pass in on $lan_if
# Always block DNS queries not addressed to our DNS server.
block return in quick on $lan_if proto { udp tcp } to ! $lan_if port { 53 853 }
# Block localonly from seeing the internet
block in quick on lan_if from <localonly>
# Allow data packets to pass from the router out through the NIC to the
# computers or devices attached to it on the lan NIC.
# Without this we can't even ping computers attached to the lan NIC from
# the router itself.
pass out on $lan_if inet keep state
#---------------------------------#
# FTP
#---------------------------------#
# allow ftp clients to work
anchor "ftp-proxy/*"
pass in quick on $lan_if inet proto tcp to port ftp divert-to $ftpproxy port $ftpproxyport
# no ftp servers so don't pass out
# pass out proto tcp from $ftpproxy to any port ftp
#---------------------------------#
# NAT
#---------------------------------#
pass out on $ext_if inet from $lan_if:network to any nat-to ($ext_if)

Then you can test things out and restart pf. I think my network connection dropped at this point:

# pfctl -n -f /etc/pf.conf
# pfctl -F all
# pfctl -f /etc/pf.conf

Configure dhcpd
#

Now I need to configure serving IPs from this machine. (My old firewall is still on the network at this point and serving real IPs as well as doing DNS, but I need to get the new firewall enabled.) So time to edit /etc/dhcpd.conf:

# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# This is for 192.168.144.* to 192.168.159.*
subnet 192.168.144.0 netmask 255.255.240.0 {
option domain-name "lan.example.net";
option domain-name-servers 192.168.144.1;
option routers 192.168.144.1;
########################################
# Dynamic IP addresses
########################################
range 192.168.145.1 192.168.149.254;
########################################
# Fixed IP machines that humans don't
# (normally) see - WAPs etc.
########################################
host wap {
hardware ethernet dc:9f:44:11:22:33;
fixed-address 192.168.144.13;
}
########################################
# Fixed IP machines that humans see.
########################################
# These are machines I normally ssh
# or telnet to, or run servers on.
#
host fileserver {
hardware ethernet 22:33:44:55:66:77;
fixed-address 192.168.150.171;
option host-name "fileserver";
}
host weather {
hardware ethernet 88:99:00:AA:BB:CC;
fixed-address 192.168.150.177;
option host-name "weather";
}
#... etc...
# I'm putting my laptop on a non-150 address for testing purposes.
# That way I can plug it into the server and get a DHCP address that
# should route on to the internet.
host laptop {
hardware ethernet 00:22:44:66:88:ff;
fixed-address 192.168.161.2;
}
} # subnet

Next, start serving DHCP:

rcctl enable dhcpd
rcctl start dhcpd

At this point I could plug my laptop into the new firewall and get an IP address.

Start Unbound for DNS
#

On my old firewall I was using bind. That was heavyweight, so I decided to do something different here. Originally I thought I needed NSD and Unbound for DNS (I was looking at some instructions at jamsek.dev/blog/2019/Jul/28/openbsd-dns-server-with-unbound-and-nsd/) but eventually realized I could get away with just unbound.

# rcctl enable unbound
# rcctl start unbound

Next, I changed my DNS server so the new firewall was getting it locally instead of going to the old firewall. In /etc/resolv.conf:

nameserver 127.0.0.1
lookup file bind

After that, configure DNSSEC:

# unbound-anchor -a "/var/unbound/db/root.key"
# ftp -S do -o /var/unbound/db/root.hints https://www.internic.net/domain/named.root

With root.key downloaded, I could set up my /var/unbound/etc/unbound.conf:

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
server:
interface: 192.168.144.1
interface: ::1
# override the default "any" address to send queries; if multiple
# addresses are available, they are used randomly to counter spoofing
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.144.0/20 allow
access-control: ::1 allow
hide-identity: yes
hide-version: yes
# Perform DNSSEC validation.
#
auto-trust-anchor-file: "/var/unbound/db/root.key"
root-hints: "/var/unbound/db/root.hints"
qname-minimisation: yes
val-log-level: 2
# Synthesize NXDOMAINs from DNSSEC NSEC chains.
# https://tools.ietf.org/html/rfc8198
#
aggressive-nsec: yes
# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
#
local-zone: "lan.example.net." static
#
# Host addresses - infrastructure
#
local-data: "firewall.lan.example.net. IN A 192.168.144.1"
local-data-ptr: "192.168.144.1 firewall.lan.example.net"
#
# Host addresses - named servers
#
local-data: "fileserver.lan.example.net. IN A 192.168.150.171"
local-data-ptr: "192.168.150.171 fileserver.lan.example.net"
local-data: "weather.lan.example.net. IN A 192.168.150.177"
local-data-ptr: "192.168.150.177 weather.lan.example.net"
# ... etc...
remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock

With all that set up, I could make sure I didn’t have any syntax errors and restart unbound:

# unbound-checkconf
# rcctl restart unbound

I think it was at this point that I made the switch from using the old firewall to the new firewall. I changed the new firewall to have the same MAC as the old one (my ISP wanted to see a specific MAC) and then put the new one in place:

# echo "inet autoconf lladdr 11:22:33:44:55:66" > /etc/hostname.igc0
# sh /etc/netstart

Having two devices with the same MAC is a Bad Thing, and I had a lot of weirdness on my network until I unplugged the old firewall.

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Setting up an OpenBSD 7.4 Firewall Device

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 15 Oct 2023 23:59:39 -0700

My PC Engines ALIX running the (mumble) version of OpenBSD has been a great firewall. But now that it looks like PC Engines is wrapping up, it’s time to find something new. For a while I’ve suspected that the ALIX is a little underpowered. It’s harder to find 4G CF cards these days. Plus I want something with a HDMI port so I can put it on a KVM switch and don’t need to worry about serial port speeds.

So… here’s the order of operations:

Here goes!

Installing OpenBSD 7.4 for a Firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 15 Oct 2023 23:45:00 -0700

Installing OpenBSD 7.4 was pretty simple. I followed the OpenBSD installation guide and used dd on a Linux box to write install74.img to a USB stick. Don’t use the .iso, it doesn’t boot. Then I booted off the USB stick. (You don’t have to disable UEFI.) I used a standard layout

At the time I wondered if I should install all the packages or not. I decided that maintenance would be simpler if I just went for everything, so I added all the packages including X. That turned out to be the right decision.

I used a relatively standard partitioning scheme, although I think I bumped up a few of the sizes. I probably should have bumped up X11R6 more, right now it’s at 41%:

/dev/sd0a 986M /
/dev/sd0l 295G /home
/dev/sd0d 291M /tmp
/dev/sd0f 5.8G /usr
/dev/sd0g 986M /usr/X11R6
/dev/sd0h 19.4G /usr/local
/dev/sd0k 5.8G /usr/obj
/dev/sd0j 2.9G /usr/src
/dev/sd0e 34.4G /var

Set up doas
#

After installing, I set up doas ‘cause I like seatbelts:

$ su
# vi /etc/doas.conf
permit persist andrewmemory as root
permit persist keepenv root as root

Install patches and packages
#

After that I installed patches:

$ doas syspatch
$ doas shutdown -r now

Next I installed a few useful packages:

$ doas pkg_add -i emacs mutt firefox wget

I picked the -no_x11 version for emacs, and the normal (not gpge, not sasl, not slang) version for mutt. I’m not going to be mailing to the world from this box, just looking at local emails. I also installed Firefox, which turned out to be another good idea. It’s a lot easier to search for doc on the firewall box itself than to ssh in.

Set up mfs for /tmp
#

Finally, I’m paranoid about wearing out my SSD, so I set up /tmp to be mfs in /etc/fstab using the useful instructions from Solene Rapenne:

$ doas vi /etc/fstab
#f1ea06b71e2dca43.d /tmp ffs rw,nodev,nosuid 1 2
swap /tmp mfs rw,nodev,nosuid,-s=300m 0 0

… and I had to boot to single-user mode to fix up permissions for /tmp:

$ doas umount /tmp
$ doas chmod 1777 /tmp
$ doas mount /tmp

Apparently tmpfs has been removed because it’s not supported, so mfs it is. I’ve got plenty of RAM for a /tmp file system, but I have delusions of putting most of /var in its own mfs file system, so I restricted /tmp to 300M.

Once that was done, I could log into a few other machines on my network to establish fingerprints for them. I also tested X by running startx, and then firefox, and it worked.

There were some noisy beeps
#

By default, OpenBSD rings the bell when you mistype certain things. That was annoying other people in the house, so I had to shut those up. That took two things. In ~/.login I added:

/sbin/wsconsctl keyboard.bell.volume=0

Then, I created ~/.xsession and added:

/usr/X11R6/bin/xset b off

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Buying new hardware for an OpenBSD firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Sun, 15 Oct 2023 23:30:53 -0700

I knew going in that I wanted more than two ethernet ports for my OpenBSD firewall device. I had visions of multiple networks and/or a spare port that I could use when I screwed up my pf configuration. I also knew that I wanted HDMI so I could pop the firewall on my KVM switch - I’d used serial to the APU2 and that was not always wonderful. The Linux box would sometimes forget about the serial ports when they were plugged in for a while.

In the end, I got a random Intel N5105 mini-PC with four Intel ethernet ports. The HUNSN Micro Firewall Appliance, Mini PC, VPN, Router PC, Intel N5105, HUNSN RJ03, AES-NI, 4 x Intel 2.5GbE I226-V LAN, Type-C, TF, M.2 WiFi 6 Slot, Barebone, NO RAM, NO Storage, NO System was around $250 US. Add a Western Digital NVMe 500G drive and 16G of Cruical laptop RAM and I had something on which I could install a system. It’s low-powered enough that I don’t mind keeping it running 24/7, and high-powered enough that I’m not worried about it being a bottleneck.

[

I learned afterwards that the I226-V might potentially have a problem if you want to do 2.5G ethernet. So far, I haven’t experienced any network instability because of that.

As a belt-and-suspenders kind of thing, I bought a “silent” USB fan that sits on top of the case, just because the server room can get a little warm.

This post is part of a series on setting up an OpenBSD 7.4 firewall device.

Tracking and blocking BRW70188B

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Mon, 02 Jan 2017 03:00:00 -0700

I’ve been monitoring wifi traffic on my network. I’ve seen a large amount sent up by one device, which was reported as starting with BR70188B (mac address 70:18:8b) with manufacturer HonHaiPr.

HonHaiPr is Hon Hai Precision Industry, which makes network devices. The one in question (with the name BRW70188Bxxyyzz) was from a Brother MFC-650DW that is on the network.

Now that I’ve identified the printer, what to do about it? It was spewing lots of uploaded data - perhaps just to the clients that printed from it, but I’m perhaps a little paranoid. (It seems strange that it’s uploading almost as much as gets downloaded to the printer, though.) So I decided to knock it off the Internet to see what happened.

First, I gave it a static IP address in my dhcpd.conf:

host mfc650dw {
hardware ethernet 70:18:8B:xx:yy:zz;
fixed-address 192.168.1.253;
option host-name "mfc650dw";
}

Next, I updated it in DNS (db and db.rev files) just ‘cause now that it’s static it’s handy to have a name to deal with.

Finally, I added a rule to my pf.conf:

block out log quick from 192.168.1.253/32 to ! 192.168.1/24

Now if the printer’s trying to send data up to the Internet, it’s not going to make it through the firewall.

After I did all this, the printer wouldn’t work - Brother apparently stores the IP address but doesn’t refresh if it can’t find it. So I needed to download the Brother Network Connection Repair Tool to tell the Windows printer driver to look for the printer again. Sheesh.

Setting up a static IP for a Raspberry Pi over wifi using OpenBSD dhcpd

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Fri, 01 May 2015 00:54:05 -0700

Like the rest of the world, I wanted to have a static IP for a Raspberry Pi that was on a wifi network. Like the rest of the world, I couldn’t figure out how to do it after three attempts. At that point, like the rest of the world I gave up and decided to make my DHCP server do the work instead of the Pi.

Here’s how I did it:

1. On the Pi, edit /etc/wpa_supplicant.conf and add:

network={
    ssid="My_SSID"
    psk="My_wifi_password"
}

2. Reboot and get an IP address through DHCP.

3. Confirm that I can see the world with the DHCP address.

4. ifconfig wlan0 and copy down the hardware Ethernet address for wlan0 (let’s pretend it was 00:11:22:33:44:56).

5. Go to the box running DHCP, and add a stanza inside my shared-network:

       host myserver {
               hardware ethernet 00:11:22:33:44:56;
               fixed-address 192.168.1.17;
               option host-name "myserver";
       }

6. Kill and restart the DHCP daemon.

7. Reboot the pi and confirm it’s getting the right static IP address now.

Changing MAC address on OpenBSD

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Thu, 06 Dec 2012 00:49:03 -0700

A little while ago, I needed to change my MAC address on the OpenBSD firewall I’ve got running. (My ISP kept feeding me a bad IP address from an old lease and I wanted a new one.)

It’s easy to do this on OpenBSD:

ifconfig vr1 down ifconfig vr1 lladdr 00:11:22:33:44:55 ifconfig vr1 up

The question is, where’s the right place to put this to make it permanent? A few web searches revealed that a bunch of people had modified /etc/netstart by putting the ifconfig vr1 lladdr line somewhere near the beginning. I’d rather not sully my pristine /etc scripts with changes if I don’t have to.

Linux has /etc/network/interfaces, and OpenBSD has /etc/hostname.if. I just changed my /etc/hostname.vr1 to:

dhcp lladdr 00:11:22:33:44:55

and I was requesting an IP address using my new MAC address.

Final cleanup for the ALIX firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Fri, 06 Jul 2012 22:38:45 -0700

Finally, there are a few things that I either forgot to do or that make life easier.

Setting up localtime By defaut, /etc/localtime is set to Alberta, where OpenBSD has its home. I need to set it to somewhere closer.

rm /etc/localtime; ln -s /usr/share/zoneinfo/US/Mountain /etc/localtime

Now date shows the correct time.

Blinkenlights I wrote a script to make the LEDs move back and forth. I start this at boot. (In an earlier version of the firewall, I edited /etc/rc to turn LEDs on when certain thresholds had been passed in the boot process. But now I don’t want to muck up /etc/rc so much.)

First of all, you need to allow the ports to be written before OpenBSD gets all secure on you. Edit /etc/rc.securelevel and add:

#
# Place local actions here.
#
echo -n 'enabling LED pins'
gpioctl -q /dev/gpio0 6 set out iout
gpioctl -q /dev/gpio0 25 set out iout
gpioctl -q /dev/gpio0 27 set out iout

I got these numbers from the Status LEDs section of the ALIX manual.

Then create /usr/local/bin/cylon:

#!/bin/ksh -
led3on(){
gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 1
}
led2on(){
gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 1
gpioctl -q /dev/gpio0 27 0
}
led1on(){
gpioctl -q /dev/gpio0 6 1
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 0
}
ledsoff(){
gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 0
}
while [ true ] ; do
led1on
sleep 1
led2on
sleep 1
led3on
sleep 1
led2on
sleep 1
done

Finally, start it from /etc/rc.local:

# Add your local startup actions here.
echo -n 'cylon'
sh /usr/local/bin/cylon &

On reboot, yay, blinky! That at least tells you the kernel hasn’t crashed.

Reducing the mail Because flashrd is really OpenBSD, it sends mail more suited to a server than a firewall with limited disk.

First thing I noticed:

Running security(8):
Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
etc/rc.conf.local:
permissions (0644, 0755)

I fixed that with a chmod 0644 /etc/rc.conf.local. So now /usr/libexec/security shows no problems. Good.

Once that’s done, make things complain less:

crontab -uroot -e

and comment out:

#30 1 * * * /bin/sh /etc/daily
#30 3 * * 6 /bin/sh /etc/weekly

This prevents the daily and weekly reports, leaving just the monthly one.

Next, I noticed that sendmail gets run from root’s crontab, so it doesn’t need to run at boot:

/etc/rc.conf:

sendmail_flags=NO # "-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"

That should keep the thing running a little longer without running out of disk. Actually, /var/mail is on the MFS, so it will keep it from running out of ramdisk.

(This post is part of Building an ALIX firewall)

Setting up BIND on the ALIX firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Wed, 27 Jun 2012 23:23:07 -0700

Setting up BIND is probably the part that took more thought than any other when building the firewall. This is not because of any particular technical challenges; rather, BIND is managed by a consortium and its doc is… voluminous.

In the end, I went with the default /var/named/etc/named.conf on the assumption that it would do the right thing. According to its comment, it does both “recursive and authoritative queries using one cache,” which is what I want.

There are four files that need to change:

/etc/rc.conf
/var/named/etc/named.conf
/var/named/master/mydomain.net
/var/name/master/mydomain.net.rev

The last two can be named anything, but I stuck with conventions as I saw them.

Warning Unlike everything up to now, the BIND files live on /var/. In flashrd, /var gets unpacked at boot time into a RAM disk. So you need to save any changes you make somewhere else. Do not reboot until you’ve saved your changes! Ultimately, we’ll put these changes in /flash/var.tar so they get re-created when the device reboots.

/etc/rc.conf To enable named, change: named_flags=""

/var/named/etc/named.conf I used the default named.conf, which is really just a copy of named-simple.conf.

I made one addition in the options section:

 forwarders { 8.8.8.8; };

This tells DNS to look for answers at the Google DNS server if it can’t find the answer on the local DNS server. (Actually, I put a few DNS servers that were specific to my ISP, but the Google server will work too.)

I also made a few changes near the end:

// Master zones
//
zone "mydomain.net" {
type master;
file "master/mydomain.net";
};
// Reverse mappings for mydomain.net domain
zone "150.168.192.in-addr.arpa" in {
type master;
file "master/mydomain.net.rev";
};

This tells named to look in /var/named/master/mydomain.net for mappings of mydomain.net, and to look in /var/named/master/mydomain.net.rev for mappings of 192.168.150.*.

/var/named/master/mydomain.net Here’s my mydomain.net:

mydomain.net. IN SOA firewall.mydomain.net. myemail.yahoo.com. (
1 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
; Name Servers
;
mydomain.net. IN NS firewall.mydomain.net.
;
; Host addresses
;
localhost.mydomain.net. IN A 127.0.0.1
firewall.mydomain.net. IN A 192.168.150.1
firesign.mydomain.net. IN A 192.168.150.170
frantics.mydomain.net. IN A 192.168.150.171
bundolo.mydomain.net. IN A 192.168.150.172

The first bit says my domain is called mydomain.net. I’ve published my email as myemail@yahoo.com (but note the dot instead of the at sign there).

The next bit is serial number / expiration times. You’re supposed to bump up the serial number every time you edit, but I usually just kill and restart named.

After that, I say that the firewall will be the nameserver for the domain.

Next is the interesting bit: the mapping of host names to host addresses. They must all end in . because BIND requires it. It’s very easy to miss a . in your config file and be confused about why things aren’t working.

/var/name/master/mydomain.net.rev In addition to DNS doing lookup for names, it usually also does lookup for IP addresses. This is what you get when you do nslookup 192.168.150.1, for instance. The reverse domain name file holds that:


150.168.192.in-addr.arpa. IN SOA firewall.mydomain.net. myemail.yahoo.com. (
1 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
; Name Servers
;
150.168.192.in-addr.arpa. IN NS firewall.mydomain.net.
;
; Addresses point to canonical name
;
1.150.168.192.in-addr.arpa. IN PTR firewall.mydomain.net.
170.150.168.192.in-addr.arpa. IN PTR firesign.mydomain.net.
171.150.168.192.in-addr.arpa. IN PTR frantics.mydomain.net.
172.150.168.192.in-addr.arpa. IN PTR bundolo.mydomain.net.

Once again, watch for . characters at the end of .arpa. and .net.

At this point, you can kill and restart named, then: nslookup server localhost frantics

You should see something like:

Server: localhost
Address: 127.0.0.1#53
Name: frantics.mydomain.net
Address: 192.168.150.171

/etc/resolv.conf.tail The DHCP client overwrites /etc/resolv.conf, but then appends whatever/s in /etc/resolv.conf.tail to that. So let’s tell OpenBSD that Change /etc/resolv.conf to point to the running nameserver:

nameserver 192.168.150.1
domain mydomain.net
search mydomain.net
lookup bind file

This sets up the firewall as the nameserver to look for, tells what my domain is, says to search foo.mydomain.net when looking for foo, and to look up via bind first and then /etc/hosts.

/etc/dhcpd.conf Now is a good time to change dhcpd.conf to point to your nameserver instead of someone else:

option domain-name-servers 192.168.150.1;

Save those changes To save the changes that are in /var, use the following command: tar cf /flash/var.tar -C /var . Might as well save a copy somewhere else too: tar cf /root/named.tar /var/named

Things are saved away as well as they’re going to be; time to reboot and hope you didn’t miss anything!

(This post is part of Building an ALIX firewall)

Setting up PF for the ALIX firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Tue, 26 Jun 2012 23:09:49 -0700

The next step on the firewall is to set up the packet filter PF. Most of what I do here comes from the OpenBSD PF FAQ.

Setting up PF itself The file to edit is /etc/pf.conf. Here’s mine:

# macros
int_if="vr0"
ext_if="vr1"
# FTP Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# match rules
match out on egress inet from !(egress) to any nat-to (egress:0)
# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
# uncomment this to respond to pings
# pass in inet proto icmp all icmp-type echoreq
pass in on $int_if

It’s basically the example config file for home or small office, with a couple of changes:

I define an int_if and ext_if for internal network and external network
I don’t have any port forwarding from outside through to the inside network except ftp-proxy
I block all incoming ICMP traffic (which is broken according to spec, but might keep me safer from denial of service attacks).
I keep port 22 closed on the firewall machine.

Basically, I present a blank wall to the Internet. Traffic I initiate can get out, but outside doesn’t get in except via ftp-proxy.

One thing to note is that if you mess up pf, you can get into a state where you can’t talk to your ALIX over the network. So make sure you have a serial port handy to talk to it. I’d recommend making changes to pf.conf over serial, and then testing with the network.

To test, run:

pfctl -F all
pfctl -f /etc/pf.conf

The first command flushes whatever existing PF config is there; the second command loads your new pf config.

Next, hook up a machine to the switch that’s connected to the LAN side of the firewall, and see if you have Internet. If you do, life is good!

Getting FTP running You might have noticed I use ftp-proxy in my pf.conf. That’s a daemon that needs to be enabled in /etc/rc.conf: ftpproxy_flags=""

According to the PF FAQ, you can run ftp-proxy to get the daemon going, but I rebooted instead after changing /etc/rc.conf. Also according to the FAQ, some (fussy) clients may need “-r” on ftpproxy_flags.

Blocking IP addresses using PF I haven’t done this before, but I wanted to try blocking ad servers by IP address using PF. Some instructions are here.

My list of IP addresses came from the excellent pgl.yoyo.org/adservers site. I picked “list ad server IP addresses” as plain HTML text, checked the “view list as plain text” button, and pressed “go”. This gave me a URL that I copied.

I wanted a semi-automatic way to download this list. Luckily, OpenBSD’s ftp is a lot more than plain FTP. You can use it instead of wget/curl/etc. Here’s the command I used:

ftp -o /etc/pf.blocked.ip.conf "http://pgl.yoyo.org\
/adservers/iplist.php?ipformat=plain&;showintro=1&\
mimetype=plaintext"

Then I updated my pf.conf to account for that:

# macros
int_if="vr0"
ext_if="vr1"
# Table of IP addresses to block
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
# FTP Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# match rules
match out on egress inet from !(egress) to any nat-to (egress:0)
# filter rules
# These two rules block traffic from blacklisted IP addresses
block drop in quick on $ext_if from <blockedips> to any
block return out quick from any to <blockedips>
block in log
pass out quick
antispoof quick for { lo $int_if }
# pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

I’m not sure if this strategy will work long term. Previously I excluded ad servers in named instead. Excluding by IP address seems to take less RAM (I’ve got about 163M free of my 256M RAM with this table loaded) and has the advantage of blocking sneaky servers that use IP address URLs. The downside is that if another server uses the same IP address, I won’t get the content, and I have no real way to unblock by name if I need to.

At any rate, to update, I just need to do the ftp command again, and then: pfctl -t blockedips -T replace -f /etc/pf.blocked.ip.conf

(This post is part of Building an ALIX firewall)

Getting OpenBSD 5.1 on the ALIX firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Wed, 20 Jun 2012 23:11:44 -0700

Getting OpenBSD on the ALIX used to be quite an effort. You had to figure out what your CF card looked like, enter the right drive parameters, and hope. Now it’s dead easy:

Download the flashrd binary image. I used flashimg.i386.wd0.com0-20120531.gz, which is root wd0, com0 38400 console. This matches the Alix BIOS default, which also spits out 38400 serial.
Unzip the image with gzip -d
Write the image to the CF card. I have Cygwin installed, so I was able to use dd. Since I’m running this on Windows 7, I had to open my Cygwin shell as Administrator. The command I used:
```
dd if=flashdist.i386.wd0.com0-20120531 of=/dev/sdd bs=128k
```
I was pleasantly surprised that dd worked. (I found the device by doing sfdisk -l /dev/sda, then sdb, then sdc, until I found a partition table that looked like my 4 GB flash drive.) I picked 128k as the block size because the image was evenly divisible by that. I don’t know if it makes a difference, but I figured why risk it.
Next I hooked up a DB9 F/F mini null modem to my PC serial port, connected that to the Alix serial port, ran hypertrm (which I had to get from an earlier Windows release) and was talking to OpenBSD. Root password was “root” (no quotes).
At this point I reset the password: rw passwd root ro rw is the flashrd way to say “mount the file system read/write”, and ro says “mount the file system read-only”. flashrd boots up read-only (which saves wear on the flash card) so you need to set it to read/write if you want to do pretty much anything.

That’s all there is to it!

(This post is part of Building an ALIX firewall)

Building an ALIX firewall

andrewmemoryblog@gmail.com (Andrew's Memory Blog) — Wed, 20 Jun 2012 23:02:03 -0700

It’s been a long time since I updated my firewall. Right now it’s a PC Engines ALIX 2c2 that I’ve been really happy with. I used flashdist and put OpenBSD 4.4 on it.

I think that’s a winning combination, but it’s time to upgrade. First, I want to go to OpenBSD 5.1. Next, flashdist has been replaced with flashrd, which is easier to install and use, and more appropriate for larger CF cards.

I started by getting an ALIX 2d2 (just one more IDE header than the 2c2, not much change). I bought it from mini-box.com, and I also picked up the custom enclosure for it and a power supply.

I already had a 4 GB CF card: a Kingston 4GB elite pro 133X, which was new when I built the original firewall. Make sure you have a good CF writer. I’ve had failures with cheapies, but got a Kingston FCR-HS219/1 and that worked.

There are a number of steps to get a working firewall. They are:

Firewall on Andrew's Memory Blog

Fixing buffer bloat on OpenBSD 7.2

Block Ad Sites and Nasties on OpenBSD 7.4

Grabbing Bad Hostnames #

Grabbing Bad IPs #

Configuring unbound to use the bad hosts lists #

Configuring PF to block the bad IP addresses #

Setting up Wireguard on an OpenBSD 7.4 firewall device

Set up networking for an OpenBSD 7.4 firewall device

Configure Network Adapters #

Setting up the PF packet filter #

Configure dhcpd #

Start Unbound for DNS #

Setting up an OpenBSD 7.4 Firewall Device

Installing OpenBSD 7.4 for a Firewall

Set up doas #

Install patches and packages #

Set up mfs for /tmp #

There were some noisy beeps #

Buying new hardware for an OpenBSD firewall

Tracking and blocking BRW70188B

Setting up a static IP for a Raspberry Pi over wifi using OpenBSD dhcpd

Changing MAC address on OpenBSD

Final cleanup for the ALIX firewall

Setting up BIND on the ALIX firewall

Setting up PF for the ALIX firewall

Getting OpenBSD 5.1 on the ALIX firewall

Building an ALIX firewall

Grabbing Bad Hostnames
#

Grabbing Bad IPs
#

Configuring unbound to use the bad hosts lists
#

Configuring PF to block the bad IP addresses
#

Configure Network Adapters
#

Setting up the PF packet filter
#

Configure dhcpd
#

Start Unbound for DNS
#

Set up doas
#

Install patches and packages
#

Set up mfs for /tmp
#

There were some noisy beeps
#