Building a Simple Router with OpenBSD
32 points by bt
I like how-tos like this. People sometimes have a mental block due to thinking that it’s a PITA to take the time to gather all the informational pieces and do a thing. When you have a nice, concise how-to like this, it makes it much easier to get over that block. “Oh, look! I can do this in half an hour.”
That it even includes what to do for silly gaming systems that act as though NAT is a new and confusing thing is a nice bonus.
On the other hand, I think they should be taken with a grain of salt. Such articles tend to be written by people inexperienced with the subject matter, for instance as a writeup of a weekend project. Is the setup presented in the article secure? Anyone’s guess. It’s very easy to make a subtle mistake in firewall configs.
That’s definitely true in general, but when a firewall / NAT configuration is this short, we don’t need to worry. It’s not anyone’s guess, or at least isn’t the guess of people who are familiar with packet filters.
This is exactly the format that a how-to should be in when trying to help people who are unfamiliar with firewall / NAT configurations: step through each line of the configuration and explain it, so people can learn for themselves.
If you’re worried about someone posting malicious instructions, don’t worry - if people here saw something misleading or malicious, or even just incorrect, we’d say so.
when a firewall / NAT configuration is this short, we don’t need to worry
But we do need to worry and configuration length is not a relevant factor. In fact, the opposite may be true—the more you battle-test something, the more edge cases it typically gains. I’m not worried about the config being malicious, but rather it having subtle omissions.
The problem is that the people that are most likely to use this configuration are beginners that won’t properly verify its soundness.
Some thoughts that were not addressed or mentioned in the article. Maybe they are not a problem, maybe they are. It’s hard to know without due diligence:
if people here saw something misleading or malicious, or even just incorrect, we’d say so
I don’t buy this. Bugs and eyeballs and all that, disproved time and time again.
My point is rather than be dismissive and handwavy about things based on what you don’t know, let people who do know examine the recommendations.
You ask some good questions, but also ask some questions that aren’t helpful:
are unknown connections blocked by default correctly?
The (I suppose it seemed rhetorical) question about whether traffic can pass from public to private by default answers this. Unless port forwarding is explicitly set up, the answer to the rhetorical question is no. The answer to your question is therefore no, too.
does hairpin NAT work? That is can internal devices access the public IP of the network itself and have it be forwarded correctly?
The better question is, “How do I make sure hairpin NAT works when I eventually set it up?”, because OP doesn’t configure services through NAT that one might access from the local network via the public IP. You make sure it works when you set up a public service.
USB adapter sets off red flags in my mind – what happens if the rules are applied before the USB adapter is enumerated? Is the ordering deterministic, or can the USB adapters swap numbers?
Well, answer your own question by trying it. But on the other hand, do you think that pf would load rules for some non-existent interface that’d hang around and would somehow incorrectly get applied when the interface finally exists?
What happens if you enumerate them the other way around? Do you think that perhaps OP put the public network on the Mac mini’s primary ethernet to avoid even the possibility of Bad Things™ happening?
So the worst case is that the Xbox network and the primary local network get swapped. Can those Xbox NAT allowances then negatively affect some other unsuspecting machine? Good question! But no, they can’t, because dhcpd will only give the specific IP for the Xbox to the Xbox. If you have another machine with the same MAC, then that’s on you.
why does the Xbox not like the NAT? A workaround is presented, but why is it necessary? I am almost certain there is a more general solution.
If you don’t know, then don’t assume that your ignorance has the same value as everyone else’s knowledge. Games systems have requirements that don’t make much sense, but they’re very well known. Your lack of energy to even do a rudimentary search to find out more really shows here, and this is a very handwavy thing to say.
I don’t buy this. Bugs and eyeballs and all that, disproved time and time again.
What are you even disagreeing with here? I’m saying more eyeballs on this would make a post on a place like Lobste.rs a relatively safe thing, because it’d have (usually quite technical) eyeballs on it. Having eyeballs that’re dismissive from a place of ignorance does nothing good, as is evidenced on other sites where the noise is louder than good content.
I’m not sure that its brevity means it doesn’t need careful thought by someone more experienced with the subject… For example, I don’t see a block all rule, and according to pf.conf(5):
Each time a packet processed by the packet filter comes in on or goes out through an interface, the filter rules are evaluated in sequential order, from first to last. For block and pass, the last matching rule decides what action is taken; if no rule matches the packet, the default action is to pass the packet without creating a state. For match, rules are evaluated every time they match; the pass/block state of a packet remains unchanged.
As someone who’s familiar with packet filters, I’d say that makes this ruleset a poor choice for the kinds of setups it’s likely to be used for, and for which its author is using it.
As someone who’s familiar with packet filters, I’d say that makes this ruleset a poor choice for the kinds of setups it’s likely to be used for, and for which its author is using it.
How can packets traverse this ruleset from public to private without an explicit block all?
Or are you expecting the author to add things in anticipation of someone later who doesn’t know much about these things adding unsafe things? If so, is that a reasonable assumption?
In this specific case, the author doesn’t show their sshd configuration, and I forget what the defaults are on OpenBSD. Generally, though, I don’t want the ssh port on my router accessible from the WAN; even when I do, I want that to be explicit rather than implicit.
I’m assuming the configuration meets the author’s needs, though, and I don’t expect them to add speculative configuration items based on how someone else might use it.
For most NAT/firewall scenarios, though, if someone is using this as a “how-to” and they’re not very experienced either, they will absolutely want to block all inbound traffic and only explicitly allow what’s desirable. And I was suggesting exactly what I said: the brevity of the ruleset doesn’t absolve its user of the need to think it through carefully. While it might be suitable for the author and informative for others, I don’t think treating it as a how-to for someone inexperienced is necessarily a good idea.
This is a much more in-depth approach than the one I took, which was to install OPNSense and call it a day. Might have to give this a try at some point.
Also, check out my teenage engineering router https://cdn.bsky.app/img/feed_fullsize/plain/did:plc:gv2ro6cuarjxmjk54xno5xwy/bafkreihmrcqaivzunl64rkxhxbrpq7nnnqbolzm2fqdd7aghkfgi6nqpdm@jpeg
Why are there no block rules in the pf.conf?
I’m not sure if the default is to block or pass packets, but e.g. the Book of PF (which, granted, is around a decade old at this point) begins ~all rulesets with an explicit block all.
You are correct. For some reason I could have sworn pf.conf defaulted to blocking all, but it seems you do need to specify this.
I’ve updated the article to reflect this - thank you!
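To make the point of the pf.conf(5) quote and the "no block rules" exchange concrete, here is an added example of a default-deny NAT ruleset; it is not the article's pf.conf. Interface name em1, the 192.168.1.0/24 LAN, the console's address and the use of the egress interface group are assumptions.

```pf
# Added example (not the article's configuration): a default-deny NAT router.
# Assumed: em1 is the LAN interface; the WAN interface is whatever holds the
# default route, reached through the "egress" interface group.
int_if  = "em1"
lan_net = "192.168.1.0/24"
console = "192.168.1.50"        # assumed fixed dhcpd lease for the game console

set skip on lo

# LAN hosts that get ordinary NAT; the console is excluded via table negation.
table <lan_nat> { $lan_net !$console }

# match rules only set translation options; they never pass or block by
# themselves, so these two lines decide nothing about who may reach what.
match out on egress inet from <lan_nat> to any nat-to (egress:0)
# Per-host exception: keep the console's source port unchanged (the
# static-port workaround the thread mentions), everyone else gets random ports.
match out on egress inet from $console to any nat-to (egress:0) static-port

# Without this line the pf.conf(5) default applies and any packet that matches
# no rule is passed. With it, packets are dropped unless a later rule
# explicitly passes them (last matching rule wins).
block all

# The router and forwarded LAN traffic may initiate connections outward;
# replies come back through the state table, not through a pass-in rule.
pass out quick inet

# Drop packets carrying a LAN source on the WAN side and vice versa.
antispoof quick for { egress $int_if }

# Anything from the LAN is accepted on the LAN interface, including ssh to
# the router itself from inside.
pass in on $int_if inet from $lan_net

# ssh from the WAN remains closed by "block all" unless opened on purpose,
# e.g. by uncommenting the next line; nothing here opens it implicitly.
# pass in on egress inet proto tcp from any to (egress) port ssh
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is the cheapest check that a rule such as the table negation is accepted before it goes live.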
This is great.
Sidenote: I wish Aquantia NICs weren’t practically abandonware in the BSDs - I have a box with 2 i226V NICs and 2 10 gig Aquantias and am stuck on OpenWrt.
Aquantia stuff should work on OpenBSD. If it doesn’t, email me (this username at openbsd dot org) with some hardware details, dmesg, pcidump, etc.
Realised I couldn’t re-test as I only have one of the devices in question and I’m currently posting this using it!
In FreeBSD when you install the drivers, you get a message saying they’re unmaintained. I don’t know how your two projects co-operate if at all, but is this something FreeBSD (and thus OpnSense) could pull across?
I did something similar a few months back when an old RPi + PiHole died on me and replaced it with an OpenBSD system for my LAN. I miss the nice WUI provided by PiHole but it’s been a fun experiment and I have learned a lot of OpenBSD by fixing it whenever something I didn’t expect comes up.
I have this handy script to update my blocklist which is very similar to your ftp + awk script (we might have read the same old post from ~2016).
```bash
#!/bin/bash
set -e
# Gotten from https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#pro
LIST_URL="${LIST_URL:-https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/pro.plus.txt}"
TMP_FILE="/tmp/pro.plus.txt"
UNBOUND_DIR="/var/unbound/etc"
LOCAL_ZONES_FILE="$UNBOUND_DIR/blocklist.conf"

wget2 --continue -O "$TMP_FILE" "$LIST_URL"

# Truncate the old list, then turn every "0.0.0.0 host" line of the hosts
# file into an unbound local-zone/local-data pair that answers 0.0.0.0.
cat /dev/null > "$LOCAL_ZONES_FILE"
grep "^0\.0\.0\.0" "$TMP_FILE" \
  | awk '{print "local-zone: \""$2".\" redirect\nlocal-data: \""$2". A 0.0.0.0\""}' > "$LOCAL_ZONES_FILE"
# rm "$TMP_FILE"
```
If you don’t use a pf based firewall you can have normal NAT and not do special config for every device and app that needs p2p.
What’s wrong with pf?
It (or whatever part of bsd that does NAT) only does Symmetric / Endpoint Dependent NAT. There’s no way to turn on a Full Cone / Endpoint Independent mode.
It’s near impossible for services behind symmetric nats to make direct, p2p connections with each other. It’s anti p2p.
Static Port like used in the article helps if you have like 1 xbox on your LAN, but it gets annoying as you add people, consoles, tablets etc… to a LAN.
Excuse my ignorance. In absence of PF what does the connection tracking and packing rewriting of the NAT?