My Firewall

Written by Michael Cole - June 7th 2015


This is the story of how I switched my main house firewall to OpenBSD. I'm still in the transition phase of switching more and more of my systems over to various BSD operating systems. The firewall is the only one I have completed.

Maybe in a future post I will write up some motivating factors for switching from Linux to BSD, but this is not that post.

So to give some background, I've been using Linux since about 1995. I have set up very simple host firewalls and more complex firewalls as well, both for personal use and professionally. I moved from ipfwadm to ipchains to iptables. I never managed to use nftables.

At first, when I wanted to switch to BSD, I wanted to use one version. I thought that it would be overly complicated to use multiple BSD operating systems. So I basically looked at the different types of BSDs. I decided that FreeBSD would be best for general use. Coming from Linux, with Debian being my favorite, pkgng looked apt-get like, jails looked cool, and the two main areas where OpenBSD seemed lacking were volume management and virtualization.

I didn't want down time for my house, so I installed FreeBSD onto a removable drive and would configure it late at night. Then I could remove it and go back to my working Linux setup until I was sure it was right.

At work we were changing around our work areas and had to clean up a bit (I'm not going into any details about my actual work, but this is important to the story). As part of that move a co-worker was trying to clean up some technical books. He was getting the 3rd edition of "The Book of PF" at home, so he gave me his 2nd edition at work to take home and use. Since I was going to be using FreeBSD, the book covered everything I needed. I read it pretty much like a novel from front to back, even though most technical books work better by looking up specific topics as a reference.

I had heard about the other packet filtering software and looked at the others. I know some people may be offended, but IPFW seemed a lot like iptables: rules in a very specific numbered order and some other things (not that it seemed bad). PF just seemed very simple and straightforward. It was almost like writing in English, up to a point. And tables were much easier to manage than ipsets were on Linux.

By working with some of the sample rule sets and with my old Linux iptables rules I came up with what I thought was a good PF rule set. I'm not really going to go into that too much (at least in this post); I think there are a lot of PF resources out there that are very helpful.

So far I've been talking all FreeBSD and not OpenBSD, so I'm sure you are wondering where that comes in. Well, in order to get to that point I need to explain my over-complicated home network a little. The firewall machine itself has a 4 port Intel Gigabit NIC (the other hardware doesn't matter). One port is for my upstream internet, one is for my LAN, one is for my WIFI (I use a wireless router basically in passthrough mode and this firewall machine does DHCP, etc.), and the last port was for my DMZ. The DMZ has multiple subnets since most of my servers are virtual. One subnet is for the physical machines and then there are 2 subnets for virtuals. Some virtuals have outward facing services and some have services open only to the outward facing servers, for example a backend database. The details don't matter too much, except that the interface needed some static routes to get to the 2 virtual subnets. Also I would be running DHCP for the LAN and the WIFI. And to top it off, my ISP currently assigns my IP address dynamically with DHCP. Hopefully that gives you somewhat of a picture in your head.

On FreeBSD this was a pain to set up. For example, one of the worst things was that as soon as the DHCP client on the ISP interface did its thing it would overwrite the routing table, wiping out the static routes I had set up. I solved that by playing with the dhclient hook scripts. The rc configuration for the network was getting a little hairy too.

After getting everything pretty much the way I wanted it and testing out the configuration, I went into work and discussed my setup with the coworker who gave me the PF book. He thought I was crazy and over-complicating things, and asked me why I wasn't using OpenBSD, as it makes a better firewall and its PF is newer. I explained some of what I have typed above about wanting one BSD system so it would be easier to maintain.

That night I came home. I had been trying to find out everything I could about BSD, and had watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in. I had an email conversation with TJ, their producer. I told him what my coworker had said and he agreed with him. So I thought, why not? I have more removable drives; I'll just pop another one in there and build up an OpenBSD configuration. At this point I could switch to my Linux or FreeBSD if I wanted.

Firstly I have to point this out, because it was the most amazing thing about my first experience with OpenBSD. OpenBSD is one of the FASTEST operating systems I have ever installed and booted. I think I could do a fresh install of OpenBSD faster than some other operating systems boot. So I was caught off guard with that right out of the gate.

Once my head stopped spinning from the speed, I proceeded to set up my network. OpenBSD was a little different with its hostname.if files (one file per interface, such as hostname.em0). So I put static information in all but the ISP connection. I put in my 2 virtual static routes. Then I put the single word "dhcp" into the ISP interface's file. I restarted the networking, and I noticed 2 more things that amazed me. Firstly, it told me I had set the wrong permissions on the files and corrected them (security is no joke on OpenBSD). Secondly, it set up the network exactly how I wanted, and DHCP didn't mess it up. I was pretty floored at this moment at how simple and fast OpenBSD was.
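What those files look like for the four-port layout described above, as an added example rather than the author's actual configuration. The interface names em0 to em3, all addresses, and the hypervisor at 10.0.3.10 that routes to the two virtual subnets are assumptions; the syntax is standard hostname.if(5). Each file lives in /etc and is read by /etc/netstart, which is also what produced the permission warning the post mentions: a hostname file readable by others is reported and stripped of those permissions, because such files can carry wireless keys and similar secrets.

```conf
# /etc/hostname.em0 : ISP uplink. Address, netmask and default route come
# from the ISP's DHCP lease; dhclient leaves the static routes on em3 alone,
# which is the behaviour the post describes.
dhcp

# /etc/hostname.em1 : LAN (addresses are assumptions)
inet 192.168.1.1 255.255.255.0

# /etc/hostname.em2 : WIFI segment behind the access point in passthrough mode
inet 192.168.2.1 255.255.255.0

# /etc/hostname.em3 : DMZ. Physical servers sit on 10.0.3.0/24; the two
# virtual-machine subnets are reached through the hypervisor at 10.0.3.10.
# A line starting with "!" is handed to sh(1) after the interface is up.
inet 10.0.3.1 255.255.255.0
!route add -net 10.0.30.0/24 10.0.3.10
!route add -net 10.0.31.0/24 10.0.3.10
```

Keep the files owned by root:wheel and mode 0640, then apply them with `sh /etc/netstart` (or `sh /etc/netstart em3` for a single interface) and check with `route -n show -inet` that both 10.0.3x.0/24 entries are still present after the next lease renewal on em0. Forwarding between the interfaces additionally needs `net.inet.ip.forwarding=1` in /etc/sysctl.conf, and the DHCP server for the inside segments is enabled with `dhcpd_flags="em1 em2"` in /etc/rc.conf.local plus a matching /etc/dhcpd.conf.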

I continued to configure OpenBSD for my needs. I did run into some issues with PF, as my rule set was for the older PF version in FreeBSD and NAT and redirects had changed a lot. With some minor tweaks I got it all up and running, and I was basically so happy with its performance that I installed OpenBSD over the top of my Linux install, copied the few minor configuration files over from my removable drive, and I was, and still am, fully up and running.
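The change that needed the tweaks, shown as an added example and not the author's ruleset: the PF in FreeBSD at the time was a port of OpenBSD 4.5's and still used separate nat and rdr rules, while OpenBSD 4.7 and later attach nat-to and rdr-to to match and pass rules. The fragment below is a minimal pf.conf for the four-interface layout from earlier, with the old form kept in comments next to the new one. It also shows the table handling that replaces an ipset on Linux. Interface names, networks and the web server address are assumptions.

```conf
# Interface and network macros (names and addresses are assumptions)
ext_if   = "em0"             # ISP uplink, address assigned by DHCP
lan_if   = "em1"
wifi_if  = "em2"
dmz_if   = "em3"
lan_net  = "192.168.1.0/24"
wifi_net = "192.168.2.0/24"
dmz_nets = "{ 10.0.3.0/24 10.0.30.0/24 10.0.31.0/24 }"
web_srv  = "10.0.30.20"      # outward-facing service on a virtual subnet

# Tables replace ipsets: <inside> is fixed, <bruteforce> is filled by the
# overload rule below and inspected or edited live with
#   pfctl -t bruteforce -T show   /   pfctl -t bruteforce -T delete 198.51.100.7
table <inside> const { 192.168.1.0/24 192.168.2.0/24 }
table <bruteforce> persist

set skip on lo
block log all                # default deny, dropped silently, in both directions
block in quick on $ext_if from <bruteforce>

# Old (PF from OpenBSD 4.5, as shipped in FreeBSD): translation lives in
# separate nat/rdr rules evaluated before the filter, so the pass rule has
# to name the translated address:
#   nat on $ext_if from !($ext_if:network) to any -> ($ext_if)
#   rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
#   pass in on $ext_if proto tcp to $web_srv port 80
# New (OpenBSD 4.7+): nat-to/rdr-to are options on match and pass rules and
# the filter matches the pre-translation address. ($ext_if) in parentheses
# re-reads the address whenever it changes, so a DHCP renewal never breaks NAT.
match out on $ext_if from !($ext_if:network) to any nat-to ($ext_if)
pass in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_srv

# ssh to the firewall itself. On the uplink a source that opens more than
# 5 connections in 30 seconds lands in <bruteforce> and is cut off above.
pass in on $lan_if proto tcp to $lan_if port 22
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Inside segments: DHCP to the firewall's dhcpd, then anything that is not
# another inside segment (LAN and WIFI may reach the DMZ and the Internet).
# The DMZ may reach the Internet and its own subnets but never LAN or WIFI.
pass in on { $lan_if $wifi_if } proto udp from any port 68 to any port 67
pass in on $lan_if  from $lan_net  to ! <inside>
pass in on $wifi_if from $wifi_net to ! <inside>
pass in on $dmz_if  from $dmz_nets to ! <inside>

# Outbound on every interface; which traffic gets forwarded is decided by
# the pass in rules above.
pass out
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the old nat/rdr lines fail that check on OpenBSD 4.7 or later, which is the quickest way to find every rule that still needs converting.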

I hope someone finds my experience interesting. I hope to post more as I replace those virtuals with jails and maybe try bhyve.