
Setting up networking for the ALIX firewall

The next step in building an ALIX firewall is to set up networking.

Setting the hostname

  1. Edit /etc/myname to contain the hostname you want (don’t forget to run rw first if the filesystem is still read-only).
  2. Run hostname `cat /etc/myname` to apply it immediately, in lieu of rebooting; at boot, rc reads /etc/myname on its own.

Figuring out which port is which

On my ALIX, Ethernet port vr1 is the port nearest to the serial port and vr0 is the one nearest to the power cable. I figured this out by plugging one port into the network and running ifconfig. In my case I saw:

vr1: flags=8802 mtu 1500
        lladdr 00:0d:ba:36:d9:30
        priority: 0
        media: Ethernet autoselect (none)
        status: active

whereas vr0 had status: no carrier. That told me that vr1 was the one on the network. I labelled the ports so I wouldn’t forget. (Since my plan is to have a firewall with one port for the internal LAN and another for the world, I used labels vr0:lan and vr1:world.)
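The same check done by the shell rather than by eye, as an added example that is not from the post: an awk filter that prints every interface whose status line reads active. The ifconfig dump it runs over is constructed from the output shown above (vr0’s MAC address is invented); on the box itself you would pipe ifconfig into the function instead.

```shell
#!/bin/sh
# Constructed ifconfig(8) dump modelled on the post's output. Only vr1 has a
# link; vr0's lladdr is made up for the example.
SAMPLE='vr0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:ba:36:d9:2f
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
vr1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:ba:36:d9:30
        priority: 0
        media: Ethernet autoselect (none)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        groups: lo
        inet 127.0.0.1 netmask 0xff000000'

# ports_with_carrier: read ifconfig output on stdin and print the name of each
# interface whose "status:" line says "active". An interface block starts with
# an unindented "name:" line; the indented lines that follow belong to it.
ports_with_carrier() {
    awk '$0 !~ /^[ \t]/ && $1 ~ /:$/ { name = substr($1, 1, length($1) - 1) }
         $1 == "status:" && $2 == "active" { print name }'
}

# On the ALIX: ifconfig | ports_with_carrier
printf '%s\n' "$SAMPLE" | ports_with_carrier
```

Plug one cable at a time and run it after each move; the name it prints is the port you just connected, which is what the vr0:lan and vr1:world labels record.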

Setting up the DHCP client on vr1

My ISP assigns me an IP address using DHCP. In the older flashdist, you had to edit /etc/rc to start up dhclient to get this address. With flashrd, it’s easier once again:

        echo dhcp > /etc/hostname.vr1
        sh /etc/netstart

At this point dhclient will broadcast on vr1 and request an address from whatever DHCP server is on the network that port is plugged into (for now your local network; later, the ISP). Hopefully you have a DHCP server somewhere on your network; otherwise you’ll need to read Section 6 of the OpenBSD FAQ.

Setting up the LAN interface

I decided that I wouldn’t mess around with IPv6 just yet… I want to set up a NAT firewall using IPv4. To start with, I had to pick an IP address for my internal network. I’m going to use my ALIX box for DHCP, name resolution, and as a gateway. (Yes, I know this is bad practice… but I’m on a limited budget!)

I picked 192.168.150.0/24 (netmask 255.255.255.0) for my network. This means my firewall will be 192.168.150.1, and I’ll use that as the gateway address of the other machines, which are its DHCP clients.

        echo inet 192.168.150.1 255.255.255.0 NONE > /etc/hostname.vr0
        sh /etc/netstart

Run the dhcpd server

So that the firewall can serve IP addresses, it needs to have dhcpd enabled. The right place to do this is in /etc/rc.conf.local, but I got lazy and edited it in /etc/rc.conf. If I had to do this over, I’d use /etc/rc.conf.local. The line I changed (the default is dhcpd_flags=NO, which disables it) was:

        dhcpd_flags=""

Next we need to tell it what the subnet is that it will serve DHCP addresses to. This is defined in /etc/dhcpd.conf:

        option domain-name "mydomain.net";
        option domain-name-servers 8.8.8.8;

        subnet 192.168.150.0 netmask 255.255.255.0 {
                option routers 192.168.150.1;
                range 192.168.150.32 192.168.150.127;

                # Examples kept from the stock dhcpd.conf; note they still use
                # 192.168.1.x addresses and would need changing to 192.168.150.x
                # before being uncommented.
                # host static-client {
                #       hardware ethernet 22:33:44:55:66:77;
                #       fixed-address 192.168.1.200;
                # }
                # host pxe-client {
                #       hardware ethernet 02:03:04:05:06:07;
                #       filename "pxeboot";
                #       next-server 192.168.1.1;
                # }
        }

In my case, for absolutely arbitrary reasons, I serve from 192.168.150.32 to 192.168.150.127 (the range line is what dhcpd honours), which leaves the low addresses free for static hosts and keeps the firewall’s own .1 out of the pool. I left the pxe-client and static-client entries in, commented out, in case I need them later.

Also note that right now I’m using Google’s 8.8.8.8 as the DNS server. I could have used my ISP’s instead - either way, it’s going to change once I get BIND running on the firewall.

Add myself to hosts

This is a good time to add myself to the /etc/hosts file (both under the short name and the fully-qualified domain name):

        192.168.150.1 myname myname.mydomain.net

Enabling IP forwarding

Next we need to allow the firewall to forward IPv4 traffic between its interfaces. To do this, edit /etc/sysctl.conf:

        net.inet.ip.forwarding=1

This file is read at boot; sysctl(8) can set the same value immediately if you don’t want to wait for the reboot below. On its own this only lets the kernel route packets between vr0 and vr1; NAT and filtering are separate steps that come later.

Update the time from the network

Since the ALIX doesn’t have a real time clock that stores the time, we need to update it from the network every time we reboot. This is in /etc/rc.conf (or, better, /etc/rc.conf.local, as above):

        ntpd_flags="-s"

The -s says “update the time now to the server time and don’t try to adjust it slowly.” That’s the right thing to do when the box thinks the time is way in the past.

At this point, I figured it was time to reboot the device and see if everything came up as expected.

        /sbin/shutdown -r now

Now plug a switch into the vr0:lan port, a computer into the switch, and see if you can get an IP address. You’re not doing enough yet to have an Internet connection, but ipconfig /all on a Windows laptop should show a correct IPv4 address, subnet mask, gateway, dhcp server and DNS server. Groovy, you’ve got a network!

(This post is part of Building an ALIX firewall)