Setting up an OpenBSD Firewall in the ASU Environment Installation



Similar documents
LOCKSS on LINUX. Installation Manual and the OpenBSD Transition 02/17/2011

LOCKSS on LINUX. CentOS6 Installation Manual 08/22/2013

Operating System Installation Guidelines

Configuring Virtual Blades

HOWTO. Bandwidth Management for ADSL with OpenBSD

Setting up pfsense as a Stateful Bridging Firewall.

Red Hat Linux 7.2 Installation Guide

Installing the Operating System or Hypervisor

Amahi Instruction Manual

HOWTO: Set up a Vyatta device with ThreatSTOP in router mode

Create a virtual machine at your assigned virtual server. Use the following specs

Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive

Bitten by The NAS Bug

Guest PC. for Mac OS X. User Guide. Version 1.6. Copyright Lismore Software Systems, Ltd. All rights reserved.

Redhat 6.2 Installation Howto -Basic Proxy and Transparent

Windows 2000 Security Configuration Guide

10 STEPS TO YOUR FIRST QNX PROGRAM. QUICKSTART GUIDE Second Edition

HOWTO: Set up a Vyatta device with ThreatSTOP in bridge mode

PARALLELS SERVER BARE METAL 5.0 README

Using iscsi with BackupAssist. User Guide

VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED.

Virtual Appliance for VMware Server. Getting Started Guide. Revision Warning and Disclaimer

[HOW TO RECOVER AN INFINITI/EVOLUTION MODEM IDX ] 1

Quick Start Guide for Linux Based Recovery

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

Pleiades USB/LAN. User Manual. & Installation Guide. External Storage Enclosure for 3.5 Hard Drive. v1.1

HOUR 3. Installing Windows Server 2003

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Ultra Thin Client TC-401 TC-402. Users s Guide

readme_asm.txt README.TXT

Lab 1: Introduction to the network lab

Microsoft BackOffice Small Business Server 4.5 Installation Instructions for Compaq Prosignia and ProLiant Servers

OS Installation Guide Red Hat Linux 9.0

integration tools setup guide SIM 3 Remote Guide to controlling a SIM 3 Audio Analyzer remotely over a network connection from a laptop

Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Q&A. DEMO Version

What this document covers: Physical to Virtual Migration with Portlock Storage Manager

NG-NetMS Rel 3.1 User Install documentation

How To Set Up A Two Node Hyperv Cluster With Failover Clustering And Cluster Shared Volume (Csv) Enabled

NetVault : Backup. User s Guide for the VaultDR System Plugins

Chapter 8: Installing Linux The Complete Guide To Linux System Administration Modified by M. L. Malone, 11/05

EaseUS Todo Backup user guide. EaseUS Todo Backup. Central Management Console. User guide - 1 -

ClearOS Network, Gateway, Server Quick Start Guide

II. Installing Debian Linux:

FOG Guide. IPBRICK International. July 17, 2013

Cable Internet Connection & Sharing using Red Hat 7.2 (Version 1.0, )

Navigating the Rescue Mode for Linux

UltraBac Documentation. UBDR Gold. Administrator Guide UBDR Gold v8.0

Cloud.com CloudStack Community Edition 2.1 Beta Installation Guide

Novell Identity Manager Resource Kit

How to Create, Setup, and Configure an Ubuntu Router with a Transparent Proxy.

2 Disabling Network... Boot. 1 Partitioning 2 Configuring The... Network 3 Installing the "install... sets"

HP ProLiant ML110 Server Network Operating System Installation Guide

Windows 2003 Server Installation Guide

Evaluation guide. Vyatta Quick Evaluation Guide

Q N X S O F T W A R E D E V E L O P M E N T P L A T F O R M v Steps to Developing a QNX Program Quickstart Guide

USB External Hard Disk Drive

Best Practices in Hardening Apache Services under Linux

Deploying IBM Lotus Domino on Red Hat Enterprise Linux 5. Version 1.0

3.5 EXTERNAL NETWORK HDD. User s Manual

Server & Workstation Installation of Client Profiles for Windows

Building a Home Firewall/Router Using OpenBSD-Sparc. Joshua Malone (jmalone@ubergeeks.com)

Windows Server 2008 R2 Essentials

Parallels Cloud Server 6.0

Virtual Appliance Setup Guide

Installation and Configuration Guide for Cluster Services running on Microsoft Windows 2000 Advanced Server using Acer Altos Servers

Best Practices for VMware ESX Server 2

Penetration Testing LAB Setup Guide

ML310 VxWorks QuickStart Tutorial. Note: Screen shots in this acrobat file appear best when Acrobat Magnification is set to 133.3%

Storage Sync for Hyper-V. Installation Guide for Microsoft Hyper-V

Lab 1: Network Devices and Technologies - Capturing Network Traffic

Introduction to Operating Systems

Intel Entry Storage System SS4000-E

Red Hat Certifications: Red Hat Certified System Administrator (RHCSA)

NSi Mobile Installation Guide. Version 6.2

SUSE LINUX Enterprise Server for SGI Altix Systems

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

HL2170W Windows Network Connection Repair Instructions

An Oracle White Paper April How to Install the Oracle Solaris 10 Operating System on x86 Systems

Exinda How to Guide: Virtual Appliance. Exinda ExOS Version Exinda, Inc

I N S T A L L A T I O N M A N U A L

NOC PS manual. Copyright Maxnet All rights reserved. Page 1/45 NOC-PS Manuel EN version 1.3

Chapter 1 Hardware and Software Introductions of pcduino

Setup Cisco Call Manager on VMware

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

H ARDWARE C ONSIDERATIONS

Configure thin client settings locally

Free Dynamic DNS account you can use one of your choosing I like DynDNS but there's also No-IP and probably others.

Course Description and Outline. IT Essential II: Network Operating Systems V2.0

How to Install Microsoft Windows Server 2008 R2 in VMware ESXi

Backup & Disaster Recovery Appliance User Guide

Building a Virtual Desktop Infrastructure A recipe utilizing the Intel Modular Server and VMware View

Installing Ubuntu Server 9.04

How to Test Out Backup & Replication 6.5 for Hyper-V

Core Protection for Virtual Machines 1

Lab 3: VFILER Management and Commands

Enterprise Erase LAN

Microsoft Windows Compute Cluster Server 2003 Getting Started Guide

Network Probe User Guide

Transcription:

Setting up an OpenBSD Firewall in the ASU Environment Installation First you will need to download and install OpenBSD on a computer with the following Requirements: The minimum requirements for the OpenBSD machine are as follows: 133MHz or higher x86 class processor 64 MB of RAM 1 GB hard drive space 2 NICs (High quality recommended, e.g., Intel, 3Com) Switch Optional if you want a setup for more than one server/pc Scratch paper Network Cables A lot of patients An updated list of system requirements for the OS can be found here: http://www.openbsd.org/i386.html#hardware If you want to install open BSD with the minimal amount of media, you can download the CD ISO from ftp.openbsd.org/pub/openbsd/3.8/i386 Here is information for more advanced users floppy38.fs (Desktop PC) supports many PCI and ISA NICs, IDE and simple SCSI adapters and some PCMCIA support. Most users will use this image if booting from a floppy. Requires the Rawrite utility floppyb38.fs (Servers) supports many RAID controllers, and some of the less common SCSI adapters. However, support for many standard SCSI adapters and many EISA and ISA NICS has been removed. Requires the Rawrite utility floppyc38.fs (Laptops) supports the CardBus and PCMCIA devices found in many laptops. Requires the Rawrite utility cdrom38.fs is, in effect a combination of all three boot disks. It can be used to make a bootable 2.88M floppy, or more commonly, as a boot image for a custom recordable CD. Requires the Rawrite utility cd38.iso is an ISO9660 image that can be used to create a bootable CD with most popular CD-ROM creation software on most platforms. This image has the widest selection of drivers, and is usually the recommended choice if your hardware can boot from a CDROM. cdemu38.iso is an ISO9660 image, using "floppy emulation" booting, using the 2.88M image, cdrom37.fs. It is hoped that few people will need this image -- most people will use cd37.iso, only use cdemu37.iso if cd37.iso doesn't work for you. Note: Currently version 3.8 is the latest version as of this writing. You can also use a floppy image using rawrite, and if you know your exact system requirements. Verify that you have registered both NIC s so you can obtain a valid IP address. Burn the ISO image with your favorite utility. Verify your BIOS is setup for the CDROM to be the first boot device Boot off the CDROM. If you are having problems, more detailed instructions for the following can be found at: http://www.openbsd.org/faq/faq4.html#start

There will be a slight delay when you see Boot> Wait 5 seconds or depress the Enter key You will be prompted for (I)nstall, (U)pgrade or (S)hell Depress the <I> key, then Terminal Type? [vt220] Kbd(8) mapping? (? for list) [none] Proceed with install? [no] Type yes If you are having problems, more detailed instructions for the following can be found at: http://www.openbsd.org/faq/faq14.html#disklabel Available disks are: ##### Whatever your hard drive is. Which one is the root disk? (or done ) Do you want to use *all* of ### for OpenBSD? This is up to you, I typed yes to make it easy Note: if you want to see the current label setup type p Type in the following commands: d a This deletes the current setup a a This creates your new labels offset: [##] Accept the default for the starting sector of the partition size: [######] ## This is the size of your partition. If you don t speak sector or partitioneze add a G at the end (example type 69G for 69 Gigabytes, it s nicer than typing 142253248. Rounding to nearest cylinder: ###### Accept the default for FS type: [4.2BSD] You can use 4.2BSD or type swap if you intend to create a swap partition due to lack of RAM mount point: [none] / This is where you type in the name of the filesystem (ie. /, /var, /usr, /tmp etc etc). Choose / for the main partition fragment size: [2048] This is the size of fs block fragments, usually 2048 or 512. If you re unsure, select the default. block size: [16384] This is the size of filesystem blocks. Usually 16384 or 4096. If you re unsure, select the default. cpg: [16] Number of file system cylinders per group. Usually 16 or 8. If you re unsure, select the default. If you left some space for a swap partition Type a b offset: [##] Accept the default for the starting sector of the partition size: [######] ## This is the size of your partition. If you don t speak sector or partitioneze add an G at the end (example type 69G for 69 Gigabytes, it s nicer than typing 142253248. M=Megabytes FS type: [swap] Type swap if it isn t already there by default.

Double check your work with by typing p Note: if you want to see the current label setup and see the disk size in Megabytes type p m Type q This will save your changes and take you to the next step of the installation. The next step *DESTROYS* all existing data on these partitions! Are you really sure that you re ready to proceed? [no] Type yes System hostname (short form, e.g. foo ) Make up a short computer name for your firewall. Configure the network? [yes] Available Interfaces are: #### #### Make note of the interface names, you will need them later. Which one do you wish to initialize? (or done ) [####] Symbolic (host) name for ###? [#####] Do you want to change the media options? [no] Ipv4 address for ##? (or none for dhcp ) Type dhcp Ipv6 address for ###? (or rstool or none ) [none] Which one do you want to initialize? (or done ) [###] Symbolic (host) name for ###? [#####] Do you want to change the media options? [no] Ipv4 address for ##? (or none for dhcp ) Type dhcp Ipv6 address for ###? (or rstool or none ) [none] Which one do you want to initialize? (or done ) [###] Symbolic (host) name for ###? [#####] Do you want to change the media options? [no] Ipv4 address for ##? (or none for dhcp ) Type dhcp DNS domain name? (e.g. bar.com ) [dhcp.asu.edu] This field should be filled in. If not, type it in. DNS nameserver? (IP address or none ) [129.219.17.200 129.219.17.5 129.219.13.81] This field should be filled in. If not, type it in. Use the nameserver now? [yes]

Default Ipv4 route? (Ipv4 address, dhcp or none ) [dhcp] Edit hosts with ed? [no] Do you want to do any manual network configuration? [no] Password for root account? (will not echo) Type in a good Alphanumeric Password! Remember ASU Security Awareness week Let s install the sets! Location of sets? (cd disk ftp http or done ) [cd] This is where you have multiple options, I personally like getting it directly off the internet. Type http I chose http, because it is the simplest installation. For newbies, simple is good!!! HTTP/FTP proxy URL? (e.g. http://proxy:8080, or none ) [none] Display the list of known http servers? [yes] After you ve decided on your favorite server, scroll down or press q. Then type in the number. Note: You may have to fiddle with the locations a few times. Some don t have the latest versions of BSD Now you will select the sets that you want installed. Select the sets by entering a set name, a file name pattern or all. De-select sets by prepending a - to the set name, file name pattern or all. Selected sets are labeled [x]. [ ] bsd [ ] bsd.rd [ ] bsd.mp [ ] base38.tgz [ ] etc38.tgz [ ] misc38.tgz [ ] comp38.tgz [ ] man38.tgz [ ] game38.tgz [ ] xbase38.tgz [ ] xetc38.tgz [ ] xshare38.tgz [ ] xfont38.tgz [ ] xserv38.tgz Set name? (or done ) Note: Here are the descriptions of what each set really is: bsd - This is the Kernel. bsd.rd - RAM disk kernel bsd.mp - Multi-processor (SMP) kernel (only some platforms) base38.tgz - Contains the base OpenBSD system etc38.tgz - Contains all the files in /etc misc38.tgz - Contains misc info, setup documentation comp38.tgz - Contains the compiler and its tools, headers and libraries. man38.tgz - Contains man pages game38.tgz - Contains the games for OpenBSD *Required* *Optional* *Depends on your hardware* *Required* *Required* *Optional* *Recommeded* *Recommeded*

xbase38.tgz - Contains the base install for X11 xetc38.tgz - Contains the /etc/x11 and /etc/fonts configuration files xshare38.tgz - Contains manpages, locale settings, includes, etc. for X xfont38.tgz - Contains X11's font server and fonts xserv38.tgz - Contains X11's X servers Examples of how to add items is type the name (example, type bsd.mp) To remove put a in front of the name (example, type game38.tgz) When you re done type done Ready to install sets? [yes] *********** Break time!!! Go take a break and have some coffee. *********** Location of sets? (cd disk ftp http or done ) [cd] Type done Start sshd(8) by default? [yes] This is used if you wish to remotely administer the firewall via ssh. The choice is yours type yes or no. Start ntpd(8) by default? [no] This is the Network Time Daemon. This is handy if you want to keep accurante times and and setup a syslog server. Do you expect to run the X Window System [yes] Since this is a firewall, the GUI is not required. Change the default console to com0? [no] This option is not recommended since you already have a keyboard, mouse, and monitor connected. What timezone are you in? (? for list) [Canada/Mountain] Type America What sub-timezone of America are you in? (? for list) Type Phoenix Making all Device Nodes done. You will have to wait a few minutes. CONGRADULATIONS!!! Your OpenBSD install has been successfully completed! To boot the new system, enter halt at the command prompt. Once the system has halted, reset the machine and boot from the disk. <Remove your cdrom or floppy> Type halt <Reboot your computer> After you have rebooted, enter your username and password. Terminal Type? [vt220] If you are a VI editor and FTP pro, then you can skip the next part. The basic ftp program doesn t offer many feature and the VI editor has enough special keystrokes to make most peoples eyes glaze over. I recommend installing the Pico editor and the NCFTP program. To install these programs follow these instructions:

Type ftp ftp.openbsd.org Name (ftp.openbsd.org:root): Type anonymous Password: Type anything then press ftp> type cd /pub/openbsd/3.8/packages/i386 ftp> type binary 200 switching to Binary mode ftp> type get pico-4.10.tgz ftp> type get ncftp-3.1.9.tgz ftp> type bye Note: To verify you received the packages type ls You should see the packages you downloaded in your directory. Now type pkg_add pico-4.10.tgz Pkg_add pico-4.10: complete Now type pkg_add ncftp-3.1.9.tgz Pkg_add ncftp-3.1.9: complete You now have a new text editor and a kick n FTP program. To run each of them type either ncftp or pico. Example: Type pico t.txt or type ncftp ftp.openbsd.org Creating a Bootable CDROM Firewall <Optional> Not yet documented

Topology The following diagram shows the inclusion of a PC running OpenBSD that has been inserted inline between the ASU Network and the switch. The finished network topology will look like the diagram below. Type ifconfig Make note of the interface names on scratch paper (ie lo0, fxp0, fxp1,dxp0, etc, etc). Do not use more than two NICs. You will run into problems bridging. Setting up the bridge Note: for the rest of these instructions we are going to assume that your NIC s are fxp0 and fxp1. They may be called something else. Make changes where appropriate. We are also going to assume that you are using 100 MB NIC cards. Again make changes where appropriate. Edit the /etc/sysctl.conf and uncomment (remove the #) from the line that reads: net.inet.ip.forwarding=1 Note: Datacomm sometimes has problems with their switches auto-negotiating. We are going to set the NICs to stay at 100 Mb. This can cause problems if you plug in your servers to a 10 Mb connection (Why would you do that?!?). The Inet media 100BaseT is optional. If you configured the NICs during installation delete them with the next two commands.

ifconfig fxp0 delete ifconfig fxp1 delete Create /etc/hostname.fxp0 In the file type in the following information: Inet media 100BaseT up Create /etc/hostname.fxp1 In the file type in the following information: Inet media 100BaseT up Create /etc/bridgename.bridge0 In the file type in the following information: Add fxp0 add fxp1 up Edit the /etc/resolve.conf file and verify the following information is there. If not, the type it in. (Although if you used dhcp, this should already be in there). If you want to add your own DNS servers, then create /etc/resolve.conf.tail and add your own entries. Otherwise, the DHCP will wipe out the entries on the next boot. lookup file bind nameserver 129.219.17.5 nameserver 129.219.17.200 nameserver 129.219.13.81 Note: We are putting the DNS entries in the host file because the DNS entries in the firewall may not work at boot time. Reboot the computer with the following command: shutdown r now Verify that the bridge is running by typing ifconfig -a In part of the output you should see the following line, if not then bridging isn t working: bridge0: flags=41 <UP,RUNNING> mtu 1500

Enabling the Firewall Edit the /etc/rc.conf.local Note: Although you can edit the /etc/rc.conf file, it contains the system defaults, and should not be altered. Instead you can make your overridden changes in /etc/rc.conf.local, and the system will read the last, and update any changes you had made in it. Add the following lines to the /etc/rc.conf.local file pf=yes Here are common terms you may see when configuring your firewall: lo pflog sl ppp tun enc bridge vlan gre gif carp - Loopback Interface - Packet Filter Logging Interface - SLIP Network Interface - Point to Point Protocol - Tunnel Network Interface - Encapsulating Interface - Ethernet Bridge Interface - IEEE 802.1Q Encapsulation Interface - GRE/MobileIP Encapsulation Interface - Generic IPv4/IPv6 Tunnel Interface - Common Address Redundancy Protocol Interface

FAQs: After I type in the timezone, the computer locks up. Some hardware, (Especially Compaq servers!!) may have problems. My Bridge isn t working. If you have NICs with the TI ThunderLAN chip, then this is the problem. OpenBSD does not support bridging with them. Additional Commands: To test a ruleset Write your rules and save them in pf.test To test your rules type pfctl -n -v -f /etc/pf.test When you are confident that you want to apply the rules type cp pf.conf pf.old && cp pf.test pf.conf To load your rules type pfctl -v -R /etc/pf.conf To show how many states are running concurrently type pfctl -s info To enable logging on the external interface type pfctl -l rl0 To see rejected packets scroll on the screen type tcpdump -n -e -ttt -i pflog0 To show the amount of free disk space type df -h To show the amount of CPU utilization type top Type Ctrl-Z to push the current job into the background and fg to return it to the forground. Ctrl-C kills the job running in the forground. To mount a floppy type mount -t msdos /dev/fd0a /mnt To copy a file to floppy type cp <filename> /mnt To unmount the floppy type umount /mnt

Note: Make sure your default directory isn't on /mnt when you do this or it won't unmount. To display your current default directory type pwd To clear the display type clear

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information