OpenBSD Live-CD Firewall
This
page is dedicated to the OpenBSD Live-CD Firewall project.When I tried to find a Live-CD solution to get started with OpenBSD I could not find something comparable so I started this project myself. If you are interested to build your own system, details about the creation of any OpenBSD based Live-CD system can be found on this page.
If you find a mistake or have suggestions for improvement feel free to
contact me.
- The project idea
- Features
- Installed Software
- Download
- License
- Frequently Asked Questions FAQs
- Ressources
- Details about the system
The project idea
The main idea of this project is to make it as easy as possible for new users of OpenBSD to set it up as a firewall and use it. OpenBSD offers a highly sophisticated packet filter called 'pf' and its main target is to deliver a secure system. Therefore it is often considered as a perfect firewall system. However many users don't use it, because they think that it is hard to configure. This Live-CD system should offer these users an easy way to get into OpenBSD, benefit of its secure architecture and learn about the mighty pf firewall.
Note:
This is NOT a striped down firewall-only system. The ISO which
can be downloaded includes a full featured OpenBSD installation
with all manpages, sample configurations and additional security
related software packages.
Features
- runs without modifying the hard-drive
- external interface will be configured via DHCP - should work with a Cable Modem connection
- DHCP service for internal LAN
- caching DNS
- Squid Proxy
- NAT (masquerading)
- save your configuration and passwords to an USB mass-storage
device (usb-pen drive) [ /backup/etc2usb ]
If the USB device is connected at boot time these settings will be used. - save all log files to an USB mass-storage device for future analysis [ /etc/log2usb ]
Note:
The use of an ADSL connection is NOT supported at the moment.
However the system can of course be adopted to fit your needs.
Hopefully this functionality will be available in future
releases.
Installed Software
This section lists the installed software packages and version numbers of the current release only. Not all of the installed packages are preconfigured. However they are installed to offer advanced users the possibility to use the programs without the need to rebuild the whole Live-CD system.| Package | Description | Version |
| arpd | ARP Proxy Server | 0.2 |
| arping | Ping on MAC Layer | 2.05p0 |
| arpwatch | detects ARP spoofing | 2.1a.13 |
| bash | another (Linux like) shell | 3.0.16p1 |
| dante | SOCKS Proxy Server | 1.1.17 |
| dnsmasq | DNS & DHCP server | 2.22 |
| honeyd | Honeypot | 1.0p0 |
| isc-dhcp-server | DHCP Server | 3.0.3 |
| logsurfer | Logfile analyser | 1.5b |
| ntop | Netwrok traffic analyser | 1.1 |
| ntp | Time synchronisation | 4.2.0ap2 |
| pfstat | graphical Firewall statistics | 1.7 |
| pftop | real-time Firewall status | 0.4 |
| portsentry | Port knocking daemon | 1.1 |
| scanlogd | detects portscans | 2.2.5 |
| squid | HTTP Proxy Server | 2.5.STABLE12-transparent |
Download
The complete ISO CD-Rom image can be downloaded from the following server:| Version | Size | Link | MD5 Checksum |
| 3.8.1 | ~330MB |
Mirror 1: HTTP Mirror 2: HTTP FTP Mirror 3: HTTP |
9955EF9E671E177FB9BBD2902742C29A |
Powered by:
Note:
The version numbers corresponded with the official OpenBSD release
version numbers. The third number is a counter which will only
be incremented if there are more Live-CD releases available of
the same OpenBSD release. This means that the Live-CD with the
Version number 3.8.x is based on the OpenBSD 3.8 release.
License
The whole system and all scripts are published under the BSD license.Frequently Asked Questions (FAQs)
- What is the default root password?
changeme
- How do I change the root password?
The root password should be changed directly after the first boot. Ideally the machine is not connected to any netwrok in this state.
# passwd - Which port is used by sshd?
The secure shell daemon is running by default to enable easy remote administration and it uses port 2222. Also file transfers can be done through ssh.
- How can I adopt the firewall configuration?
edit the /etc/pf.conf file and reload the configfile:
# vi /etc/pf.conf
... edit the config file ...
# pfctl -f /etc/pf.conf
Ressources
- The Live-CD should be able to run on all x86 based machines.
- A minumum of 64MB of RAM is highly recommended.
- A CD-Rom drive will also be necesssary to start the Live-CD.
- Two network interface cards are expected (internal/external), however the system will boot anyway, but with limited functionality
- To make use of the log and settings saving scripts a USB
host adapter and a mass strage device will also be needed.
The hardware support of the OpenBSD system is not extended in any way. If you have problems with your hardware and OpenBSD this Live-CD will cause troubles as well. However no hard-drives will be changed, so it might also be used to test hardware for compability with OpenBSD before buying it.
Details about the system
The external interface should get its IP configuration via DHCP from the external network.The internal network card (usually the second from top) is configured to use 192.168.1.1 255.255.255.0 as its IP configuration.
The http proxy squid is configured to work in transparent mode. This means that no internal client needs to be configured to use the proxy. The VIA and FORWARDED_FOR header should be filtered by the proxy, so that no one from the outside can tell that the request was handeld by a proxy server.
The IP-ID field will be randomised so that no one from the outside can tell how many internel cleints are active. Not even with advanced techniques as described by Steven M. Bellovin.
Sshd running by defaut and uses port 2222.
last updated 02 November 2008