stevaidis/OpenBSD-firewall
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
OpenBSD-firewall/README.md
Ste Vaidis bf583b98d0 initial commit
2022-12-14 10:24:18 +02:00

222 lines
4.0 KiB
Markdown
Raw Permalink Blame History

# Port Forward Opener on OpenBSD
![Port Forward Opener](./forward_opener.png)
This setup allow external users to connect to internal servers through port forwarding.
Usefull for small offices when:
- You cannot use vpn
- You don't like port knocking
Let's say a user wants to connect to the server with RDP
1. The **User** makes a SSH connection to firewall.
2. The Firewall allows for a few seconds the IP of the user to connect to the internal server.
3. The **User** makes a RDP connection to the internal server
3. The Firewall closes SSH connection automatically.
**It's not ready for production, don't use it if you don't know exactly what you are doing**
## Addressing Scheme Example
```
[Desktop A] [Desktop B] [Desktop C]
| | |
[DSL]---[Firewall]---[Switch]---+-----+-----+-----+----+
| |
[Server] [Printer]
Address Node Port Forward
------------- ------------ ------------------------
192.168.1.1 DSL Router
192.168.1.2 Firewall WAN 22 < 60022
192.168.2.1 Firewall LAN
192.168.2.11 Desktop A 22 < 60122, 3389 < 63381
192.168.2.12 Desktop B 22 < 60222, 3389 < 63382
192.168.2.13 Desktop C 22 < 60322, 3389 < 63383
192.168.2.200 Server 3389 < 63389
192.168.2.201 Printer
```
## Dependencies
```bash
pkg_add vim dialog # nothing works properly without vim
```
## Network Settings
:floppy_disk: `vi /etc/hostname.em0`
```bash
dhcp
```
:floppy_disk: `vi /etc/hostname.stge0`
```bash
media 100baseTX
mediaopt full-duplex
inet 192.168.2.1 0xffffff00
```
:floppy_disk: `vi /etc/mygate`
```bash
192.168.1.1
```
:floppy_disk: `vi /etc/resolv.conf`
```bash
nameserver 9.9.9.9
nameserver 1.1.1.1
```
## DHCP Server
:floppy_disk: `vi /etc/dhcpd.conf`
```bash
option domain-name "taxstudio";
option domain-name-servers 9.9.9.9;
subnet 192.168.2.0 netmask 255.255.255.0 {
option routers 192.168.2.1;
range 192.168.2.11 192.168.2.19;
}
```
:floppy_disk: `vi /etc/dhcpd.interfaces`
```bash
stge0
```
Test server `dhcpd -d -c /etc/dhcpd.conf`
Start DHCP server at boot
```bash
rcctl set dhcpd flags stge0
rcctl enable dhcpd
rcctl start dhcpd
```
Show leases
```bash
cat /var/db/dhcpd.lease
```
## Firewall
Port forwarding
```bash
sysctl net.inet.ip.forwarding=1
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
sysctl | grep ip.forwarding
```
Rules
:floppy_disk: `vi /etc/pf.conf`
```bash
wan = em0
lan = stge0
#----------------------------------
# Defaults
#----------------------------------
pass out keep state
set skip on lo
set block-policy return
set reassemble yes
block in all
block return
match in on $wan scrub (no-df max-mss 1440)
match out on $wan scrub (random-id)
antispoof quick for { $wan lo0 }
#----------------------------------
# Input
#----------------------------------
pass quick on $lan
pass in quick proto tcp to $wan port 22 keep state
pass in quick on $lan
#----------------------------------
# Output
#----------------------------------
pass out on $lan inet keep state
#----------------------------------
# NAT
#----------------------------------
match out on $wan from !($wan) nat-to ($wan)
# Allow outgoing traffic for LAN and the gateway
pass out quick keep state
pass in on { $lan } inet
```
Enable
```bash
pfctl -d
pfctl -f /etc/pf.conf
pfctl -e
```
## Setup Opener
Start at boot and listens the port 3000
```bash
echo "/firewall/fw-server.sh" >> /etc/rc.local
```
Add Users
1. Add user to system
```bash
# fw.sh will executed on user login
useradd -d /dev/null -s /firewall/fw.sh jack
passwd jack
```
2. Add user to opener
Add one or more pf rules to user file.
```bash
vi firewall/user/jack
```
An example to allow user jack to make RDP connections to host 192.168.2.12:
`pass in proto tcp from IP to $wan port 63389 rdr-to 192.168.2.12 port 3388`
The `$wan` changes according to the address of the SSH connection that the user makes every time
## Todo
- chroot shell
- email activity
Reference in New Issue View Git Blame Copy Permalink