The Better Mousetrap
"Build a better mousetrap and the world will NOT beat down your firewall front door".
- Definitely not Ralph Waldo Emerson.
This project is dead. I got started, and then I found PFSense, which does everything TBM could ever do and much more. And it's free. So TBM has no purpose. PFSense is a great thing. http://www.pfsense.com/
--Erik 13:06, 25 November 2009 (UTC)
Getting a gateway to secure your own home network is an easy task. Just go out and get one of those Netgear or Dlink boxes. They are adequate protection for your own home network as long as you keep the workstations on the inside secure. If you want to make servers accessible from the Internet, they are not going to be a good choice. An additional problem is that most firewalls at the gateway only monitor the state of connections. They keep unsolicited traffic out and let through responses to requests made from the inside. This is good basic protection, but it does not care about the data passing through.
The purpose of TBM is to do stateful packet inspection and to use a reverse proxy to protect servers from unwanted data getting through. All the software is free and can be downloaded directly from the Internet.
The purpose of the TBM firewall:
- To be secure by default and to use a sensible setup.
- To do the job without requiring extensive resources such as CPU, memory and disk.
- To have a very small attack surface.
- To be reliable and require very little maintenance.
- To be free.
What you should understand
- This project will not be gui-based. That means you must understand how to work in the OpenBSD command line.
- The settings will be complex, so you must know basic TCP/IP and how to work with firewall rules.
- TBM is built to allow you to host servers to the Internet. Those servers should be connected to the DMZ network.
- At this time, reverse proxying is meant to protect web servers. You can of course publish other types of servers.
- This project is not meant to be an easy way to set up a basic firewall. If you need that, consider an appliance.
- This guide will configure the router's external interface to use network address translation (NAT).
- We will only use IPv4. An IPv6 guide may come later.
This is what we need to get started.
Hardware:
- PC with a CPU capable of running 64-bit instructions
- Three network cards
- 1 GB of memory
- 2 GB of disk space
- All hardware must be supported by OpenBSD (see http://www.openbsd.org/amd64.html#hardware for more information)
Software:
- OpenBSD 4.4 or later
- Squid
First let us choose the common settings. You need to know these to proceed with the installation. Replace my selections with your own. I will set up my system behind a preexisting gateway to keep it protected during the installation.
Name of the gateway: tmb
DNS-name: ericade.net
Default gateway: 192.168.12.1 <this is your path to the Internet>
The Internet facing card will use network address translation.
So how do we want the firewall to work?
- Internal to Internet (egress) - Allow all
- Internal to DMZ(egress) - Allow all
- DMZ to Internet (egress) - Deny all
- DMZ to Internal (egress) - Deny all
- Internet to Internal - Allow solicited
- Internet to DMZ - Allow solicited
These are the default rules for this firewall. We will then have to create rules to allow specific settings and port mappings later on. Let's take some time to create the network design. These are the settings I will use. You should substitute them with your own settings.
Network card 1
Alias: tmb-internet
Purpose: The card facing the Internet
IP-address: 192.168.12.7
MASK: 255.255.255.0
Default route: 192.168.12.1
The reason I use an internal address for my Internet-facing network card is that I'm setting up the system behind another router that I will later replace with this router when it's ready for business. I advise against connecting this router to the Internet before you have set it up properly. Next card please.
Network card 2
Alias: tmb-dmz
Purpose: Card for the DMZ-network.
IP-address: 192.168.20.1
MASK: 255.255.255.0
Default route: -
And the internal card which will be where your clients are.
Network card 3
Alias: tmb-internal
Purpose: Card for the internal network.
IP-address: 192.168.21.1
MASK: 255.255.255.0
Default route: -
Here's a golden rule to remember: don't ever connect anything directly to the Internet before it's been properly installed and configured. OpenBSD is an operating system with an excellent track record when it comes to security. Still, it's not advisable to connect it to the Internet before it's ready for it.
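The default policy and the three-card design above can be written down as a pf.conf. This is an added example, not the ruleset the guide develops later; it assumes the cards come up as em0 (tmb-internet), em1 (tmb-dmz) and em2 (tmb-internal), and it uses the OpenBSD 4.4 to 4.6 syntax for nat and scrub.

```pf
# Assumed interface order (check with ifconfig after installation).
ext_if = "em0"            # tmb-internet, 192.168.12.7/24
dmz_if = "em1"            # tmb-dmz, 192.168.20.1/24
int_if = "em2"            # tmb-internal, 192.168.21.1/24
dmz_net = $dmz_if:network
int_net = $int_if:network

set skip on lo0
set block-policy drop       # silently drop, do not send RST/ICMP to the Internet

# Normalise incoming packets (4.4-4.6 syntax; 4.7+ uses "match in all scrub (no-df)").
scrub in all

# Internal clients leave through the address of the Internet-facing card.
# 4.4-4.6 syntax; 4.7+ uses "match out on $ext_if from $int_net nat-to ($ext_if)".
nat on $ext_if from $int_net to any -> ($ext_if)

# Default: deny everything in every direction and log it for review.
block log all

# Packets that claim an internal or DMZ source but arrive on the wrong card.
antispoof quick for { $int_if $dmz_if }

# Internal -> Internet and Internal -> DMZ: allow all.
# Pass rules keep state by default since 4.1, so the replies come back
# ("solicited" traffic) without any rule permitting Internet -> Internal.
pass in on $int_if inet from $int_net to any
pass out on $dmz_if inet from $int_net to $dmz_net

# Traffic leaving the Internet-facing card: NATed internal clients and the
# router's own DNS/NTP/package traffic. Nothing from the DMZ can reach this
# rule because it is already blocked on its way in on $dmz_if.
pass out on $ext_if inet all

# DMZ -> Internet, DMZ -> Internal, Internet -> DMZ, Internet -> Internal:
# no pass rule, so only replies matching existing state entries get through.
# Published servers get explicit rdr/pass rules later in the guide.
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then without -n; "pfctl -sr" shows the loaded rules and "tcpdump -n -e -ttt -i pflog0" shows what the block rule is dropping.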
Step 1 - installing OpenBSD
The first thing is to prepare the computer. Check that the hardware is compatible with OpenBSD (see above). Make sure to remove all partitions on the hard drive. You can use OpenBSD to do this, but this guide assumes the disk is empty.
Then we need a copy of OpenBSD. The current version as I write this is 4.4. OpenBSD can be obtained at http://www.openbsd.org/ftp.html. I suggest you download the .iso-file and burn it to a CD. The download is about 250 MB in size.
Now boot up the computer with the CD-ROM.
Select [I] to perform a new install. Then you'll be presented with a prompt asking which terminal type you want to use. Press enter to accept the default choice of vt220. Now you will have to select which keyboard mapping you want. You can select L to list them.
Select your preferred keyboard setting code and press enter. The codes are listed in the picture above.
The next prompt asks you if you should proceed with the installation. Type yes and then press enter.
Next you will select the disk. In my case I only have one disk, which OpenBSD lists as wd0. Press enter on the "Which one is the root disk?" prompt, assuming that you only have one disk. Otherwise you have to select the correct disk. The next question asks you if you want to allocate all of the disk space for the OpenBSD installation. I suggest you select yes. This assumes you have no data you wish to preserve. Some really old computers have partitions for their BIOS settings. If yours does, select no.
Now it's time to partition the system. I've used the instructions from the official OpenBSD guide as an inspiration. The commands you must type are shown in bold.
> p m
This will list the size of the disk. Note this down!
#    size    offset    fstype    [fsize bsize cpg]
Ok, onto the main part.
> a a
offset: Enter
size: 150m
Rounding to cylinder: 321300
FS type: [4.2BSD] Enter
mount point: [none] /
> a b
offset: Enter
size: 300m
Rounding to cylinder: 626535
FS type: [swap] Enter
> a d
offset: Enter
size: 120m
Rounding to cylinder: 257040
FS type: [4.2BSD] Enter
mount point: [none] /tmp
> a e
offset: Enter
size: 80m
Rounding to cylinder: 176715
FS type: [4.2BSD] Enter
mount point: [none] /var
The next two partitions will use the bulk of the disk. I suggest you split the remaining disk in half. So far you have partitioned 650 MB of the disk. My disk is 2G in size, so my choice looks like this:
> a g
offset: Enter
size: 1g
Rounding to cylinder: 12594960
FS type: [4.2BSD] Enter
mount point: [none] /usr
> a h
offset: Enter
size: 250m
Rounding to nearest cylinder: 8401995
FS type: [4.2BSD] Enter
mount point: [none] /home
Now type q and press enter. The prompt "Write new label?: [y]" will pop up. Press enter. Time to select the mount points. In this case you press "Enter" four times and then you type "done" and press enter.
Mount point for wd0d (131584 KBytes)? (or 'none' or 'done') [/tmp] Enter
Mount point for wd0e (90624 KBytes)? (or 'none' or 'done') [/var] Enter
Mount point for wd0g (6656 MBytes)? (or 'none' or 'done') [/usr] Enter
Mount point for wd0h (4096 MBytes)? (or 'none' or 'done') [/home] Enter
Mount point for wd0d (131584 KBytes)? (or 'none' or 'done') [/tmp] done
No more disks to initialize.
OpenBSD filesystems:
wd0a /
wd0d /tmp
wd0e /var
wd0g /usr
wd0h /home
Good, now type yes and enter to accept and destroy all settings on the disk. The screen scrolls through disk partitions and stops to ask you what you want to call the system. Type in the selected name and press enter. Press enter to configure the network. Now you'll have to cycle through all your three network cards. The first one is called [em0] on my system.
Configure the network? [yes] Enter
Available interfaces are: em0 em1 em2.
Which one do you wish to initialize? (or 'done') [em0] Enter
Symbolic (host) name for em0? [puffy] tmb-internet
The media options for em0 are currently
media: Ethernet autoselect (1000baseTX full-duplex,master)
Do you want to change the media options? [no] Enter
IPv4 address for em0? (or 'dhcp') 192.168.12.7
Netmask? [255.255.255.0] Enter
IPv6 address for em0? (or 'rtsol' or 'none') [none] Enter
The first interface is now all right. The installation will now iterate through the other two interfaces. When done, it's time to select the DNS and routing settings.
No more interfaces to initialize.
DNS domain name? (e.g. 'bar.com') [my.domain] ericade.net
DNS nameserver? (IP address or 'none') 192.168.4.19 192.168.4.20 Enter
Use the nameserver now? [yes] Enter
Default route? (IP address, 'dhcp' or 'none') [dhcp] 192.168.12.1
Edit hosts with ed? [no] Enter
Do you want to do any manual network configuration? [no] Enter
Done. Let's discuss passwords, because that's what's next on the menu. You will now select a password for your root account. Please select a strong and complex password. Using bad passwords kind of makes the plan of creating a secure server pointless.
Password for root account? (will not echo) <A good password goes here>
Password for root account? (again) <A good password goes here>
Now press enter to accept the CD as the default location of the sets. A set is a bundle of files that gets installed as a unit. Next accept the selected name of the CD, cd0. This assumes you have only one CD drive on the system and that you booted from it. Press enter on the pathname question. Next up is the prompt "Set name? (or 'done') [bsd.mp]". Type -game44.tgz and press enter. You don't need games on a router, now do you :) The prompt reappears. Type done and press enter. Press enter again to accept.
Sit back with your favorite beverage and watch the installation proceed.
After a while it prompts you for the location of the sets. Type done and press enter. Time for the last leg of the journey to OpenBSD.
Start sshd(8) by default? [yes] yes
Start ntpd(8) by default? [no] yes
NTP server? (hostname or 'default') [default] Enter
Do you expect to run the X Window System? [no] Enter
Change the default console to com0? [no] Enter
Next question, where in the world are you?
What timezone are you in? ('?' for list) [Canada/Mountain] ?
Africa/ Chile/ GB-Eire Israel NZ-CHAT UCT America/ Cuba GMT Jamaica Navajo US/ Antarctica/ EET GMT+0 Japan PRC UTC Arctic/ EST GMT-0 Kwajalein PST8PDT Universal Asia/ EST5EDT GMT0 Libya Pacific/ W-SU Atlantic/ Egypt Greenwich MET Poland WET Australia/ Eire HST MST Portugal Zulu Brazil/ Etc/ Hongkong MST7MDT ROC posix/ CET Europe/ Iceland Mexico/ ROK posixrules CST6CDT Factory Indian/ Mideast/ Singapore right/ Canada/ GB Iran NZ Turkey zone.tab
Select a sub-timezone of 'US' ('?' for list): CET
I live in CET, but you should enter your own time zone. And that's it for the installation. Well done. Type halt, wait until it tells you it has halted and then press any key to let it reboot.