Description: My OpenBSD Firewall Setup For Residential Comcast/Xfinity Network
Authored: 2022-03-27
Permalink: https://adamflott.com/networking/openbsd-firewall/
Categories: networking
Tags: comcast, firewall, openbsd, pf
My firewall configuration for OpenBSD running on Comcast/Xfinity's residential network. Has working IPv6.
I use an APU2:
$ inxi -v 8 -z
System:
Host: ki.sumeria Kernel: 7.0 arch: amd64 bits: 64 compiler: clang v: 11.1.0 Console: p0
OS: OpenBSD 7.0
Machine:
Type: N/A Mobo: PC Engines model: apu2 v: 1.0 serial: 1267170 BIOS: coreboot v: 4.14.0.4
rev: 3.0 date: 09/07/2021
Battery:
Message: No battery data found. Try with --dmidecode
Memory:
RAM: total: 3.97 GiB used: 1.36 GiB (34.2%)
RAM Report: no-data: dmidecode is not allowed to read /dev/mem
PCI Slots:
No-data: dmidecode is not allowed to read /dev/mem
CPU:
Info: quad core model: AMD GX-412TC SOC bits: 64 type: MCP smt: disabled arch: Puma
family: 0x16 (22) model-id: 0x30 (48) stepping: 1 microcode: N/A cache: L1: 256 KiB
desc: d-4x32 KiB; i-4x32 KiB L2: 8 MiB
Speed (MHz): 998 min/max: 600/1000 cores: No OS support for core speeds.
Features: 3dnowp abm aes amcr8 apic avx bmi1 cflush cmov cmpleg cx16 cx8 dbkp de eapicsp f16c
ffxsr fpu fxsr htt ibs itsc lahf long masse mca mce mmx mmxx movbe msr mtrr mwait nxe osvw pae
page1gb pat pclmul pctrl3 perftsc pge popcnt pse pse36 rdtscp sep skinit sse sse2 sse3 sse4.1
sse4.2 sse4a ssse3 svm topext tsc vme xsave xsaveopt
Vulnerabilities: No CPU vulnerability/bugs data available.
Graphics:
Message: No device data found.
Display: server: X.org v: 1.20.13 driver: gpu: N/A tty: 178x87
Message: Unable to show GL data. Required tool glxinfo missing.
Audio:
Message: No device data found.
Sound Server-1: sndio v: N/A running: yes
Network:
Device-1: Atheros AR9281 driver: athn port: N/A bus-ID: 1:0.0 chip-ID: 168c:002a class-ID: 0280
IF: athn0 state: active speed: N/A duplex: N/A mac: 04:f0:21:3b:3e:64
IP v4: 10.0.6.1 scope: N/A broadcast: 10.0.6.255
IP v6: fe80::6f0:21ff:fe3b:3e64%athn0 scope: link
IP v6: x:x:x::1 scope: N/A
Device-2: Intel I210 driver: em port: N/A bus-ID: 2:0.0 chip-ID: 8086:157b class-ID: 0200
IF: em0 state: active speed: 1000baseT duplex: full-duplex mac: 00:0d:b9:4d:58:88
IP v4: 10.0.5.1 scope: N/A broadcast: 10.0.5.255
IP v6: fe80::20d:b9ff:fe4d:5888%em0 scope: link
IP v6: x:x:x::1 scope: N/A
Device-3: Intel I210 driver: em port: N/A bus-ID: 3:0.0 chip-ID: 8086:157b class-ID: 0200
IF: em1 state: active speed: 1000baseT duplex: full-duplex mac: 00:0d:b9:4d:58:89
IP v4: x.x.x.x scope: N/A broadcast: 73.60.255.255
IP v6: fe80::20d:b9ff:fe4d:5889%em1 scope: link
IP v6: x:x:x:x scope: N/A
Device-4: Intel I210 driver: em port: N/A bus-ID: 4:0.0 chip-ID: 8086:157b class-ID: 0200
IF: em2 state: no carrier speed: N/A duplex: N/A mac: 00:0d:b9:4d:58:8a
WAN IP: x.x.x.x
Most of this is taken from the OpenBSD FAQ.
Features
$ cat /etc/pf.conf
# --- Interfaces ---
lo_if="lo0"
wired="em0"
wan_if="em1"
notused_if="em2"
wifi="athn0"
vpn_if="wg0"
# cidr ranges
lan_range = "10.0.5.0/24"
wifi_range = "10.0.6.0/24"
# local machines
an="10.0.5.50"
# services allowed into the router
tcp_services="{ ssh, http, https }"
# --- Tables ---
table <sshguard> persist
table <martians> {
0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 \
127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 224.0.0.0/3 255.255.255.255/32 \
::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 \
2001:10::/28 2001:2::/48 2001:db8::/32 \
3ffe::/16 fec0::/10 fc00::/7 }
# --- Options ---
set block-policy drop
set loginterface egress
set skip on lo0
# --- Normalization and NAT ---
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
# --- Blocking ---
antispoof quick for { egress $wired $wifi }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block in quick on egress proto tcp from <sshguard> \
    to any port ssh label "ssh bruteforce"
# default deny, then allow everything out and everything in from the LAN/wifi
block all
pass out quick
pass in on { $wired $wifi }
## router's TCP services
pass in on egress proto tcp from any to ($wan_if) port $tcp_services
### router allow ssh from outside
pass in proto tcp from any to ($wan_if) port ssh flags S/SA keep state
# --- IPv6: ICMPv6 for SLAAC/NDP and the ISP's DHCPv6 on the WAN ---
pass in on egress inet6 proto icmp6 all \
    icmp6-type { echoreq routersol redir routeradv neighbrsol neighbradv }
pass in on egress inet6 proto udp \
    from fe80::/10 port dhcpv6-server \
    to fe80::/10 port dhcpv6-client \
    no state
# --- ping from outside ---
pass in on egress inet6 proto icmp6 all icmp6-type echoreq
pass in on egress inet proto icmp all icmp-type echoreq
# --- Queueing (flows enables fq_codel): 30M up on the WAN, 300M down on wired ---
queue outq on $wan_if flows 1024 bandwidth 30M max 30M qlimit 1024 default
queue inq on $wired flows 1024 bandwidth 300M max 300M qlimit 1024 default
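As an added example (not part of the original post), the Python below reproduces the `<martians>` table lookup against the table from the pf.conf above, so you can check which source addresses `block in quick on egress from <martians>` would drop on the WAN: both LAN ranges are covered by 10.0.0.0/8, while fe80::/10 is not in the table, which the later DHCPv6 rule (sources in fe80::/10) depends on because the martians block is `quick`. The embedded config text and the sample addresses are constructed for the example.

```python
"""Mirror pf's <martians> table lookup with ipaddress (added example)."""
import ipaddress
import re

# The table block copied from the pf.conf above, embedded as a constructed input.
PF_CONF = r"""
table <sshguard> persist
table <martians> {
0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 \
127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 224.0.0.0/3 255.255.255.255/32 \
::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 \
2001:10::/28 2001:2::/48 2001:db8::/32 \
3ffe::/16 fec0::/10 fc00::/7 }
"""

def parse_table(conf, name):
    """Return the networks in `table <name> { ... }`, joining backslash
    continuation lines the way pfctl does before tokenizing."""
    joined = conf.replace("\\\n", " ")
    m = re.search(r"table\s+<%s>\s*\{([^}]*)\}" % re.escape(name), joined)
    if m is None:
        raise ValueError("table <%s> not found" % name)
    # strict=True rejects entries with host bits set, as pfctl would complain
    return [ipaddress.ip_network(tok, strict=True) for tok in m.group(1).split()]

def in_table(nets, addr):
    """True if addr matches any entry of the table (what `from <martians>` tests)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

def lan_covered(nets, lan_cidrs):
    """True if every LAN range is wholly inside the table, i.e. a WAN packet
    forging a LAN source address is dropped by the martians rule."""
    for cidr in lan_cidrs:
        lan = ipaddress.ip_network(cidr)
        if not any(lan.version == n.version and lan.subnet_of(n) for n in nets):
            return False
    return True

MARTIANS = parse_table(PF_CONF, "martians")

if __name__ == "__main__":
    for a in ("10.0.5.50", "73.60.0.2", "fe80::1", "fd00::1", "2001:db8::1"):
        print(a, "blocked" if in_table(MARTIANS, a) else "passes")
    print("LAN ranges covered:", lan_covered(MARTIANS, ["10.0.5.0/24", "10.0.6.0/24"]))
```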
$ cat /etc/rad.conf
interface em0
$ cat /etc/hostname.athn0
media autoselect mode 11n mediaopt hostap chan 6
nwid "AdamGuest" wpakey "..."
inet 10.0.6.1 255.255.255.0
$ cat /etc/hostname.em0
inet 10.0.5.1 255.255.255.0 10.0.5.255 description "lan"
$ cat /etc/hostname.em1
dhcp
$ cat sysctl.conf
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets