Today I reinstalled my firewall with OpenBSD 5.9. I won’t describe the installation process; it is well documented on the project page. This post only records what I changed beyond the standard installation.

The computer I am installing OpenBSD on is a PC Engines APU2, so console access is only possible through the serial port.

Out of the 3 interfaces, only 2 are used at the moment. The interface em0 is connected to the local network. The interface em1 is connected to the Internet and is assigned a public IP.

Configuring serial access

  • Change /etc/boot.conf to switch the console to the serial port
stty com0 115200
set tty com0

Personalization

  • Prompt customisation
root@cobra ~ # tail -n 1 ~/.profile
export PS1='\u@\h \w \$ '
root@cobra /etc #
  • Editing the MOTD
root@cobra ~ # cat motd

OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016

root@cobra /etc #

Network

  • Restoring /etc/bgpd.conf, /etc/hostname.*, /etc/ipsec.conf

  • Enable bgpd & IPSEC at boot

root@cobra ~ # rcctl enable bgpd
root@cobra ~ # rcctl enable ipsec
root@cobra ~ # rcctl enable isakmpd
root@cobra ~ # rcctl set isakmpd flags -K
  • Upgrade the configuration in /etc/bgpd.conf. When upgrading, I had to make a small change to the configuration. Here are the lines I modified:

Replace:

allow from any inet prefix 172.16.0.0/12 prefixlen >=24
allow from any inet prefix 192.168.0.0/16 prefixlen >=24

By:

allow from any prefix 172.16.0.0/12 prefixlen >=24
allow from any prefix 192.168.0.0/16 prefixlen >=24
  • Don’t forget to restrict the permissions on /etc/ipsec.conf so that it is not readable by other users
root@cobra /etc # chmod 0600 /etc/ipsec.conf

DNS

In my network, I chose NSD to manage my authoritative domains (public and claer.local). I also use unbound to cache entries for local users and to redirect special domains when connecting to OpenVPN hosts. For example, I use unbound to redirect all queries for corp.local to the DNS server at the corporate office.

Restoring the configuration from my backup worked straight away.

  • /var/nsd/etc/nsd.conf configuration file
# /var/nsd/etc/nsd.conf — authoritative server for claer.local and the
# 172.16.x reverse zones. It only listens on loopback and on 172.16.2.1,
# which is the address unbound's stub-zones forward to (see unbound.conf).
server:
        hide-version: yes               # do not answer version.bind queries
        verbosity: 1
        database: "" # disable database

        # Listen addresses: loopback plus the internal 172.16.2.1 address only.
        ip-address: ::1
        ip-address: 172.16.2.1


remote-control:
        # Enables nsd-control. No control-interface is set here, so the
        # daemon's default (loopback) applies — NOTE(review): confirm the
        # control port is not reachable from the LAN.
        control-enable: yes

# Forward zone for the internal domain.
zone:
        name: claer.local
        # note that quotes are optional on the value
        zonefile: /var/nsd/zones/master/claer_local.db

# Reverse zones for 172.16.1.0/24 through 172.16.4.0/24.
zone:
        name: 1.16.172.in-addr.arpa
        # note that quotes are optional on the value
        zonefile: /var/nsd/zones/master/claer-172_16_1.rev

zone:
        name: 2.16.172.in-addr.arpa
        # note that quotes are optional on the value
        zonefile: /var/nsd/zones/master/claer-172_16_2.rev

zone:
        name: 3.16.172.in-addr.arpa
        # note that quotes are optional on the value
        zonefile: /var/nsd/zones/master/claer-172_16_3.rev
zone:
        name: 4.16.172.in-addr.arpa
        # note that quotes are optional on the value
        zonefile: /var/nsd/zones/master/claer-172_16_4.rev
  • Enable nsd
root@cobra ~ # rcctl enable nsd

DHCP

Configure OpenBSD to be the DHCP server for the local LAN

  • Change /etc/dhcpd.conf
# /etc/dhcpd.conf — dhcpd is restricted to em0 via `rcctl set dhcpd flags em0`.
shared-network LOCAL-NET {
        option domain-name "claer.local";
        option domain-name-servers 172.16.1.1;  # unbound listens on this address
        # Option 252 (WPAD proxy auto-config URL). Handing out an effectively
        # empty value stops clients from hunting for a proxy script on the
        # network, which is a classic traffic-interception vector.
        # NOTE(review): presumably the intent; confirm clients honour it.
        option autoproxy-script "\n\000";

        subnet 172.16.1.0 netmask 255.255.255.0 {
                option routers 172.16.1.1;
                option ntp-servers 172.16.1.1;

                # Dynamic pool; the fixed addresses below all sit outside it.
                range 172.16.1.106 172.16.1.254;
                # Static leases keyed on MAC. A MAC address is trivially
                # spoofed, so these entries are a convenience, not an ACL.
                host natsume {
                        hardware ethernet 00:26:2D:A8:9B:72;
                        fixed-address 172.16.1.101;
                }
                host sebastian {
                        hardware ethernet 1C:6F:65:32:0D:7D;
                        fixed-address 172.16.1.100;
                }
                host printer {
                        hardware ethernet 00:15:99:A7:88:C4;
                        fixed-address 172.16.1.80;
                }
                host chinami {
                        hardware ethernet 90:E6:BA:9A:43:F5;
                        fixed-address 172.16.1.50;
                }
        }
}
  • Enable the DHCP server
root@cobra /etc # rcctl enable dhcpd
root@cobra /etc # rcctl set dhcpd flags em0
  • Unbound configuration: /var/unbound/etc/unbound.conf
# /var/unbound/etc/unbound.conf — caching resolver for the LAN.
server:
        # Listen only on the LAN address, never on the public em1 side.
        interface: 172.16.1.1

        # Default-deny for v4 and v6, then allow loopback and the
        # internal prefixes below.
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow

        access-control: 172.16.1.0/24 allow
        access-control: 172.16.4.0/24 allow
        # NOTE(review): the 10.x ranges are presumably the OpenVPN/remote
        # networks mentioned in the text — confirm they are still in use.
        access-control: 10.240.240.0/24 allow
        access-control: 10.10.2.0/24 allow

        hide-identity: yes      # refuse id.server / hostname.bind
        hide-version: yes       # refuse version.server / version.bind

# Sinkhole Google ad domains to loopback. These keywords still belong to
# the server: clause above — unbound ignores indentation and a clause runs
# until the next clause keyword.
local-data: "s1.2mdn.net A 127.0.0.1"
local-data: "s0.2mdn.net. A 127.0.0.1"
local-data: "s0.2mdn.net. AAAA ::1"
local-data: "s0-2mdn-net.l.google.com. A 127.0.0.1"
local-zone: "doubleclick.net." static
local-zone: "alenty.com." static
local-zone: "googletagservices.com." static
local-zone: "googlesyndication.com." static
local-zone: "metric.gstatic.com." static
local-zone: "video-stats.l.google.com." static

remote-control:
        control-enable: yes
        # Control goes over a local UNIX socket with no TLS, so access is
        # governed solely by the socket's file permissions.
        control-use-cert: no
        control-interface: /var/run/unbound.sock
# Hand the internal forward and reverse zones to nsd on 172.16.2.1
# (see nsd.conf). NOTE(review): stub-host is documented as taking a
# hostname, while stub-addr takes an IP literal; the author reports this
# configuration works, but confirm rather than rely on it.
stub-zone:
        name: "claer.local"
        stub-host: "172.16.2.1"

# NOTE(review): this stub covers the whole "local" TLD, not just
# claer.local; nsd.conf only defines claer.local — confirm this is intended.
stub-zone:
        name: "local"
        stub-host: "172.16.2.1"

stub-zone:
        name: "1.16.172.in-addr.arpa"
        stub-host: 172.16.2.1
stub-zone:
        name: "2.16.172.in-addr.arpa"
        stub-host: 172.16.2.1

stub-zone:
        name: "3.16.172.in-addr.arpa"
        stub-host: 172.16.2.1

stub-zone:
        name: "4.16.172.in-addr.arpa"
        stub-host: 172.16.2.1

# NOTE(review): the nsd.conf shown only serves reverse zones 1–4; confirm
# zones 5–7 exist on the authoritative side.
stub-zone:
        name: "5.16.172.in-addr.arpa"
        stub-host: 172.16.2.1

stub-zone:
        name: "6.16.172.in-addr.arpa"
        stub-host: 172.16.2.1

stub-zone:
        name: "7.16.172.in-addr.arpa"
        stub-host: 172.16.2.1
  • Enable unbound at boot
root@cobra /etc # rcctl enable unbound