In an attempt to clear even more stuff off my desk, I created a ghetto OpenBSD firewall/switch. Basically, I added four network cards to an old Dell Precision 350, loaded OpenBSD on it, and went the standard route when creating a firewall. The five network cards on the system are em0 (external), dc0 (internal), dc1, sk0 and sk1. First, the external and internal cards:
echo 'inet 169.xxx.xxx.xxx 255.255.255.252 NONE' > /etc/hostname.em0
echo 'inet 192.168.4.254 255.255.255.0 NONE' > /etc/hostname.dc0
Then I configured the remaining cards.
echo 'up' > /etc/hostname.dc1
echo 'up' > /etc/hostname.sk0
echo 'up' > /etc/hostname.sk1
Configured a Bridge between the Internal card and the three other cards.
echo 'add dc0 add dc1 add sk0 add sk1 up' > /etc/bridgename.bridge0
Using the same NAT rule set I had before (listed below), and with a few crossover cables (I had my student assistant work on that portion), I now have a ghetto OpenBSD firewall/switch. Finally, I have a use for all those extra network cards and old systems lying around the office.
PF.CONF
ext_if="em0"
int_if="dc0"
ext_addr="169.xxx.xxx.xxx"
testDomain = "{192.168.4.0/24}"
set skip on lo0
set loginterface $ext_if
nat on $ext_if from $testDomain to any -> $ext_addr
pass in on $int_if all
pass out on $int_if all
block in log on $ext_if all label "Default block in"
block out log on $ext_if all label "Default block out"
pass out on $ext_if proto tcp from $ext_addr to any port { http https } \
flags S/SA modulate state
pass out on $ext_if proto udp from $ext_addr to any port { domain }
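To see what that ruleset actually lets through, here is an added Python example (not from the post) that expands the macros in a constructed copy of the pf.conf above and applies pf's last-matching-rule-wins semantics to a packet described by direction, interface, protocol and destination port. It assumes 203.0.113.10 as a stand-in for the elided external address, and it also shows that traffic on the bridged ports dc1, sk0 and sk1 matches no rule and so falls through to pf's implicit pass.

```python
import re
PF_CONF = r'''
ext_if="em0"
int_if="dc0"
ext_addr="203.0.113.10"
testDomain = "{192.168.4.0/24}"
nat on $ext_if from $testDomain to any -> $ext_addr
pass in on $int_if all
pass out on $int_if all
block in log on $ext_if all label "Default block in"
block out log on $ext_if all label "Default block out"
pass out on $ext_if proto tcp from $ext_addr to any port { http https } \
    flags S/SA modulate state
pass out on $ext_if proto udp from $ext_addr to any port { domain }
'''  # constructed copy of the post's ruleset; 203.0.113.10 stands in for 169.xxx.xxx.xxx
SERVICES = {80: "http", 443: "https", 53: "domain"}  # service names used in the ruleset

def parse_rule(line):
    toks = re.findall(r'\{[^}]*\}|"[^"]*"|\S+', line)  # brace lists and labels stay whole
    rule = {"action": toks[0], "dir": toks[1], "iface": None, "proto": None, "ports": None}
    for key, val in zip(toks, toks[1:]):  # keyword/value pairs; other words are ignored
        if key == "on": rule["iface"] = val
        elif key == "proto": rule["proto"] = val
        elif key == "port": rule["ports"] = set(val.strip("{}").split())
    return rule

def load_rules(conf):
    macros, rules = {}, []
    for line in conf.replace("\\\n", " ").splitlines():  # join continuation lines
        m = re.match(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():  # expand $macros before parsing
            line = line.replace("$" + name, value)
        if line.split()[:1] in (["pass"], ["block"]):  # nat/set lines are not filter rules
            rules.append(parse_rule(line))
    return rules

def verdict(rules, direction, iface, proto, dport):
    # pf without "quick": the last matching rule decides; no match at all means pass.
    action = "pass"
    for r in rules:
        if (r["dir"], r["iface"]) != (direction, iface) or (r["proto"] and r["proto"] != proto):
            continue
        if r["ports"] and not r["ports"] & {SERVICES.get(dport, ""), str(dport)}:
            continue
        action = r["action"]
    return action
```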