Start at Part 1

Xbox 360 and File Server access

Reference: The Book of PF

In this post I’ll describe how I accomplished two goals, as well as talk about a little trick for debugging what is blocked. The two goals are allowing my XBox 360 connect to Xbox Live through my OpenBSD firewall, and Port-forward to my file server so I can access my files remotely.

Let’s start with the Xbox 360. This is very minimal change from Part 4. In Part 4 we created two macros for allowed client services, the services we allow hosts on our local network to utilize, see here:

client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap,
imaps, 8000, 8080, 5190, 5222 }"
client_udp_services = "{ domain, bootps, 67 }"

The Xbox 360 uses TCP port 3074, and UDP ports 88 and 3074 so we just need to add these to those macros, seen here:

client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222, 3074 }"
client_udp_services = "{ domain, bootps, 67, 88, 3074  }"

Next, I set up NAPT or Network Address Port Translation. I redirect port 5022 on the external interface of my OpenBSD router to port 22 of my file server. This will allow me to SSH, SFTP and RSYNC to/from it when I’m away from home. To do this I need to add a single PF RDR rules, seen here:

# file server
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 5022 -> $file_server port 22

Now I just reload my rules, first checking with pfctl -nf /etc/pf.conf as previously described, then loading with pfctl -f /etc/pf.conf.

One last thing is to describe a method for debugging why connections might be failing. In Part 4 I described blocking all unintended traffic with “block all”. For debugging I’m going to change this to “block log all”.

Now, when ever connectivity issues occur, debugging is simple running the following tcpdump:

# tcpdump -netvvi pflog0

As log as no other lines are configured to log, all output from this command will just describe traffic being blocked.

Our final /etc/pf.conf for this part of the project:

# Interface Globals
ext_if = "rl0"
int_if = "xl0"
wifi_if = "rum0"

# Static machines
file_server = "192.168.0.2"
xbox = "192.168.0.3"

# Protocol Globals
router_daemons = "{ ssh, domain, ntp, bootps, 8080, 5022 }"
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222, 3074 }"
client_udp_services = "{ domain, bootps, 67, 88, 3074  }"

# Provide NATing for my local subnets
nat on $ext_if from $wifi_if:network to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)

# file server
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 5022 -> $file_server port 22

block log all
set skip on lo

# Allowed Client traffic
pass out on $ext_if proto tcp to any port $client_tcp_services
pass out on $ext_if proto udp to any port $client_udp_services

# Router services
pass proto icmp
pass quick inet proto { tcp, udp } to any port $router_daemons

Categories: Projects
No Comments »

Start at Part 1

… Let there be Traffic

Reference: The Book of PF

First I want to enable my router to forward my traffic. This is going to give me a baseline configuration of no filtering nor NATing. So to enable this I run:

sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip.forwarding=1

Next I uncomment the following two lines in /etc/sysctl.conf to make this reboot-safe.

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets

The Book of PF recommends using tests through out building up your environment, this is a good time to get baseline proof of functionality for these tests.

Next, I’m going to set up some macros in pf.conf to ease configuration changes in the future. First my routers interfaces.

# Interface Globals
ext_if = "rl0"
int_if = "xl0"
wifi_if = "rum0"

Next, I want to make variables for the two boxes that I setup MAC association in my DHCPD configs, My file server and my xbox, because they have special TCP and UDP port needs.

# Static machines
file_server = "192.168.0.2"
xbox = "192.168.0.3"

Lastly, I’m defining which services sections. I want to allow access to a few daemons running on the router itself, as well as allowing the hosts on my local subnets to utilize certain protocols themselves (as clients).

# Protocol Globals
router_daemons = "{ ssh, domain, ntp, bootps, 8080, 5022 }"
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap,
imaps, 8000, 8080, 5190, 5222 }"
client_udp_services = "{ domain, bootps, 67 }"

Now it’s time to start off blocking everything so I add the statement to start off blocking all traffic, and add an exception to filtering on the loopback interface.

block all
set skip on lo

The location of this line is important. All NAT/RDR lines will occur before this line, and all firewalling rules will occur after this line, so keep that in mind for future configurations.

Now I’m going to allow all traffic, from initiated from hosts on my local subnets, be sent out to the internet (their sessions are kept as well).

To do this I tell my router to NAT for my local subnets:

# Provide NATing for my local subnets
nat on $ext_if from $wifi_if:network to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)

And then set which protocols are allowed to be passed out to the internet:

# Allowed Client traffic
pass out on $ext_if proto tcp to any port $client_tcp_services
pass out on $ext_if proto udp to any port $client_udp_services

And I can’t forget about my router itself, so I’ll allow access to its daemons from both my local subnets as well as the outside world.

# Router services
pass proto icmp
pass quick inet proto { tcp, udp } to any port $router_daemons

The last step is enable pf:

pfctl -e

And To make it reboot safe by uncommenting the following two lines in /etc/rc.conf

pf=YES                  # Packet filter / NAT
pf_rules=/etc/pf.conf           # Packet filter rules file

At this point, the file server cannot be access by the outside world, and connecting to xbox live isn’t going to happen. These will be covered in the next part of my OpenBSD router project.

Our final /etc/pf.conf for this part of the project:

# Interface Globals
ext_if = "rl0"
int_if = "xl0"
wifi_if = "rum0"

# Static machines
file_server = "192.168.0.2"
xbox = "192.168.0.3"

# Protocol Globals
router_daemons = "{ ssh, domain, ntp, bootps, 8080, 5022 }"
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222 }"
client_udp_services = "{ domain, bootps, 67 }"

# Provide NATing for my local subnets
nat on $ext_if from $wifi_if:network to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all
set skip on lo

# Allowed Client traffic
pass out on $ext_if proto tcp to any port $client_tcp_services
pass out on $ext_if proto udp to any port $client_udp_services

# Router services
pass proto icmp
pass quick inet proto { tcp, udp } to any port $router_daemons

Continue to Step 5.

Categories: Projects
No Comments »

Start at Part 1

Configuring DHCPD

Reference: DHCPD(8) DHCPD.CONF(5)

I will start off by telling dhcp that I would like to advertise on both local network interfaces. On OpenBSD this information is kept in /etc/dhcpd.interfaces. The syntax is very simple, you merely state which interfaces you want, whether space-separated on the same line or just give each their own line in the file (like I did). Here’s my /etc/dhcpd.interfaces:

xl0
rum0

Now, lets set configure /etc/dhcpd.conf. As I stated in Part 1 I’ll be supporting two separate subnets, which I’ll create like this:

shared-network LOCAL-WIRELESS {
}
shared-network LOCAL-WIRED {
}

Nothing too crazy here, just two logical areas each labeled for ease of readability.

Since the local wireless section is pretty straight forward, I’ll do this one first. I’m going to start off with a global (subnet-wide) optional configuration, which is my domain name server list. I’d like to out that I’m using OpenDNS in this example, and openly invite you to do the same. So to make this configuration I’ll add the following line to the local wireless subnet area:

option domain-name-servers 208.67.222.222, 208.67.220.220;

Next I want everyone in the subnet to know which address to use for a gateway, so I’ll provide that configuration, seen here:

option routers 192.168.1.1;

Next is to set up the subnet which, as describe previously, is 192.168.0.1/24 and configured as follows:

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.32 192.168.1.127;
}

Here I’ve provided the range of offered IPs to be 192.168.1.32 up to and including 192.168.1.127, as well as provided gateway information to be given with the DHCP advertisements.

So now this whole subnet configuration will look like this:

shared-network LOCAL-WIRELESS {
option domain-name-servers 208.67.222.222, 208.67.220.220;
option routers 192.168.1.1;

 subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.32 192.168.1.127;
}
}

Now lets set up to local wired subnet. For the most part it’s going to be the same. Which appears like this:

shared-network LOCAL-WIRED {
option domain-name-servers 208.67.222.222, 208.67.220.220;

option routers 192.168.0.1;

 subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.2 192.168.0.127;
}
}

However, on this subnet I have two systems in which I’ll static map IPs to based on their MAC address, my xbox 360 and my opensolaris file server. So in this subnet setting, I’m creating a “group” and filling it in with the two hsots:

group {
host vault {
hardware ethernet 00:1a:92:e2:32:e1;
fixed-address 192.168.0.2;
}
host xbox {
hardware ethernet 00:12:5a:b6:92:1b;
fixed-address 192.168.0.3;
}
}

To start dhcpd, just run sudo dhcpd and you’re be all set. Lastly, to make this reboot safe we just need to edit /etc/rc.conf and set the dhcpd_flags to “” like this:

/etc/rc.conf:dhcpd_flags=""             # for normal use: ""

shared-network LOCAL-WIRELESS {
    option domain-name-servers 208.67.222.222, 208.67.220.220;
    option routers 192.168.1.1;
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.32 192.168.1.127;
    }
}

shared-network LOCAL-WIRED {
    option domain-name-servers 208.67.222.222, 208.67.220.220;
    option routers 192.168.0.1;

    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.2 192.168.0.127;
    }
    group {
        host vault {
        hardware ethernet 00:1a:92:e2:32:e1;
        fixed-address 192.168.0.2;
    }
    host xbox {
        hardware ethernet 00:12:5a:b6:92:1b;
        fixed-address 192.168.0.3;
    }
}
}

Continue to Step 4.

Categories: Projects
No Comments »

Start at Part 1

Configuring the Interfaces

First step is to configure the interfaces. My external interface is rl0 (”Realtek 8139″ - you can see dmesg below), my internal wired interface is xl0 (”3Com 3c905B 100Base-TX”), and my wireless interface is rum0 (”Ralink 802.11 bg WLAN”).

As I stated in Part 1 the external interface (rl0) will be a dhcp client to my cable ISP. To configure this, I created /etc/hostname.rl0 with the following information:

dhcp NONE NONE description "Global Uplink"

ifconfig rl0 looks like this:

rl0: flags=8843 mtu 1500
lladdr 00:0d:87:07:07:56
description: Global Uplink
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20d:87ff:fe07:756%rl0 prefixlen 64 scopeid 0x2
inet  netmask 0xfffffe00 broadcast 255.255.255.255

Next the internal wired interface (xl0); will be statically configured with the address 192.168.0.1 with a 24 bit subnet mask, later this interface while be advertising DHCP service for the wired local network. I created /etc/hostname.xl0 like this:

inet 192.168.0.1 255.255.255.0 192.168.0.255 description "Local Wired"

ifconfig xl0:

xl0: flags=8843 mtu 1500
lladdr 00:10:5a:0e:da:9a
description: Local Wired
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::210:5aff:fe0e:da9a%xl0 prefixlen 64 scopeid 0x1

And lastly the wireless interface (rum0). This interface is being set up as a wireless access point (”hostap”) configured as follows:

• Will be set to only support 802.11B for the time being
• Utilizing channel 6
• Use a hex WEP key
• Configured as 192.168.1.1 with a 24 bit netmask
• And later will be advertising DHCP for the local wireless network

My /etc/hostname.rum0 looks like this:

up mediaopt hostap mode 11b chan 6 nwid Puffy nwkey 0x
inet 192.168.1.1

ifconfig rum0:

rum0: flags=8843 mtu 1500
lladdr 00:1c:f0:90:82:22
groups: wlan
media: IEEE802.11 autoselect mode 11b hostap
status: active
ieee80211: nwid Puffy chan 6 bssid 00:1c:f0:90:82:22 nwkey 0x 100dBm
inet6 fe80::21c:f0ff:fe90:8222%rum0 prefixlen 64 scopeid 0x5
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Ezra ("CentaurHauls" 686-class) 801 MHz
cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX
real mem  = 259555328 (247MB)
avail mem = 242909184 (231MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/17/03, BIOS32 rev. 0 @ 0xfb390, SMBIOS rev. 2.2 @ 0xf0800 (43 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 03/17/2003
bios0: VIA Technologies, Inc. VT8601
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdd54
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdce0/112 (5 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xcc000/0x4000! 0xd0000/0x4000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8601 PCI" rev 0x05
agp0 at pchb0: v2, aperture at 0xe0000000, size 0x10000000
ppb0 at pci0 dev 1 function 0 "VIA VT82C601 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Trident CyberBlade i1" rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "VIA VT82C686 ISA" rev 0x40
pciide0 at pci0 dev 7 function 1 "VIA VT82C571 IDE" rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 1: <QUANTUM FIREBALLlct15 15>
wd0: 16-sector PIO, LBA, 14324MB, 29336832 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 7 function 2 "VIA VT83C572 USB" rev 0x1a: irq 11
uhci1 at pci0 dev 7 function 3 "VIA VT83C572 USB" rev 0x1a: irq 11
viaenv0 at pci0 dev 7 function 4 "VIA VT82C686 SMBus" rev 0x40: 24-bit timer at 3579545Hz
xl0 at pci0 dev 8 function 0 "3Com 3c905B 100Base-TX" rev 0x24: irq 10, address 00:10:5a:0e:da:9a
exphy0 at xl0 phy 24: 3Com internal media interface
rl0 at pci0 dev 14 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:0d:87:07:07:56
rlphy0 at rl0 phy 0: RTL internal PHY
cmpci0 at pci0 dev 15 function 0 "C-Media Electronics CMI8738/C3DX Audio" rev 0x10: irq 12
audio0 at cmpci0
opl0 at cmpci0: model OPL3
midi0 at opl0: <CMPCI Yamaha OPL3>
mpu at cmpci0 not configured
"C-Media Electronics HSP56 AMR" rev 0x20 at pci0 dev 15 function 1 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
biomask ebed netmask efed ttymask efef
rum0 at uhub0 port 2 "Ralink 802.11 bg WLAN" rev 2.00/0.01 addr 2
rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528, address 00:1c:f0:90:82:22
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

Continue to Step 3.

Categories: Projects
No Comments »

Planning the Project Specs

Goals:

- Two local subnets, Wired and Wireless

- Support Xbox Live

- Provide external access to my file server

- Limit all communication out of my network strictly to the applications and services I choose to allow (web traffic, mail traffic, ssh, xbox, torrents, etc)

- Improved stability over the over-the-counter home routers

- Shape traffic using ALTQ

Resources:

- For the Operating System, I’m going with OpenBSD 4.3 (STABLE)

- Putting to use my MaxTerm 8300B

• EVE-M 800 mhz (x86)
• 256 MB of RAM
• 15 GB IDE hard drive (spare one sitting around)
• D-Link USB  Wireless Card (rum0 driver in OpenBSD) for local wireless traffic
• Spare old 3com 10/100 Mbit NIC for local wired traffic

The Plan:

• Local wired traffic: 192.168.0.X/24
• Local wireless traffic: 192.168.1.X/24
• Provide DHCP services on both local interfaces
• External Interface running DHCP
• Starting with blocking everything [block all]
• Designate IPs per server and personal computer on my network
• Designate torrent ports to each of the personal computers
• Initially just use WEP for proof of concept, later use WPA or even an authpf with a possible web interface for authenticating
• Perform MRTG graphing if for nothing more than to see what I spend my bandwidth doing

Continue to Part 2.

Categories: Projects
2 Comments »