Let's take a brief look at the base system configuration, which applies to all of our firewalls.
We won't go through the installation of the operating system, which is thoroughly documented on the OpenBSD web site. The only (obvious) remark is that you should install the bare minimum, so that the security and reliability of the firewall are not compromised by unnecessary software. Therefore, during installation, you only need to select the file sets marked as Required by the documentation, i.e.:
There should be no need to install the compiler (compXX.tgz); leaving it out also avoids handing such a useful tool to a possible intruder (see [PUIS]).
After the first reboot, we can start setting up some configuration files; by default, OpenBSD comes with very few services enabled through inetd(8):
    $ grep -v ^# /etc/inetd.conf
    ident           stream  tcp     nowait  _identd /usr/libexec/identd    identd -el
    ident           stream  tcp6    nowait  _identd /usr/libexec/identd    identd -el
    127.0.0.1:comsat dgram  udp     wait    root    /usr/libexec/comsat    comsat
    [::1]:comsat    dgram   udp6    wait    root    /usr/libexec/comsat    comsat
    daytime         stream  tcp     nowait  root    internal
    daytime         stream  tcp6    nowait  root    internal
    time            stream  tcp     nowait  root    internal
    time            stream  tcp6    nowait  root    internal
    $
The system is considered secure even with these services enabled (see [ABSO]); disabling them all does no harm, though: comment out the corresponding lines in /etc/inetd.conf and send inetd(8) a SIGHUP so that it re-reads its configuration, or stop running inetd altogether if nothing else needs it.
It's also good practice to edit the /etc/motd file so that it gives as little information as possible about the system and warns users, legitimate or not, that all access is logged and that unauthorized access will be prosecuted (see [PUIS]). Keep in mind that rc(8) rewrites the first line of /etc/motd with the kernel version at every boot, preserving only the text that follows the first blank line, so the kernel version will still be shown at login unless you change that behaviour.
You should already have configured the network during installation; if you need to make changes, these are the main files to edit:
Considering the large number of DNS-based attacks, it is preferable, especially on firewalls, not to rely on DNS to resolve the names and addresses of the most critical systems (the other firewalls, the log server, and so on), but to list them in the /etc/hosts(5) file instead. To give /etc/hosts(5) priority over DNS, make sure /etc/resolv.conf(5) contains the line:
lookup file bind
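The following script is an added example, not part of the original guide: it checks that a firewall is actually set up to resolve its critical peers from hosts(5) before asking DNS, which is the configuration the paragraph above describes. The function names, file paths, host names and addresses (RFC 5737 documentation ranges) are all assumptions made for the demonstration; pass the real /etc/resolv.conf and /etc/hosts to run it on a live system.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that critical hosts
# are pinned in hosts(5) and that resolv.conf(5) consults the file first.
# All names, addresses and paths used in the demo are constructed.

# lookup_prefers_hosts RESOLV_CONF
# Succeeds when RESOLV_CONF has a "lookup" line in which "file" precedes
# "bind", so the resolver consults /etc/hosts before DNS.  If "lookup"
# appears more than once, the last occurrence is the one that counts.
lookup_prefers_hosts() {
    awk '
        /^[[:space:]]*[#;]/ || NF == 0 { next }      # skip comments/blank lines
        $1 == "lookup" {
            f = b = 0; seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^[#;]/) break              # trailing comment
                if ($i == "file" && !f) f = i
                if ($i == "bind" && !b) b = i
            }
            ok = (f && (!b || f < b))
        }
        END { exit !(seen && ok) }
    ' "$1"
}

# host_pinned HOSTS_FILE NAME
# Succeeds when NAME appears as canonical name or alias in HOSTS_FILE.
host_pinned() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break                 # trailing comment
                if ($i == name) found = 1
            }
        }
        END { exit !found }
    ' "$1"
}

# check_pinning RESOLV_CONF HOSTS_FILE NAME...
# Reports a wrong lookup order and every NAME missing from HOSTS_FILE;
# returns the number of problems found (0 means everything is pinned).
check_pinning() {
    resolv=$1; hosts=$2; shift 2
    problems=0
    if ! lookup_prefers_hosts "$resolv"; then
        echo "$resolv: no 'lookup file bind' line, DNS would be tried first"
        problems=$((problems + 1))
    fi
    for n in "$@"; do
        if ! host_pinned "$hosts" "$n"; then
            echo "$hosts: $n is not pinned and would be resolved via DNS"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# demo: run the check on constructed files (sh script.sh --demo)
demo() {
    d=$(mktemp -d) || return 1
    printf 'lookup file bind\nnameserver 192.0.2.53\n' > "$d/resolv.conf"
    printf '# constructed hosts(5) for the demo\n' > "$d/hosts"
    printf '192.0.2.1\tfw1.example.org fw1\n192.0.2.2\tfw2.example.org fw2\n' >> "$d/hosts"
    check_pinning "$d/resolv.conf" "$d/hosts" fw1 fw2 syslog.example.org
    rc=$?
    rm -rf "$d"
    return $rc        # 1: syslog.example.org is deliberately left unpinned
}

case "${1:-}" in --demo) demo ;; esac
```

The check deliberately treats a resolv.conf without any `lookup` line as a failure: it would work with the library default, but on a firewall you want the intended order written down explicitly rather than inherited.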
Packet Filter is enabled by default and loads rules from the /etc/pf.conf(5) file; a different path can be specified by assigning it to the pf_rules variable in /etc/rc.conf.local(8).
pf_rules=/new/path/to/pf.conf
You may also set the pflogd(8) flags in the pflogd_flags variable. Finally, don't forget to enable IP forwarding, without which the firewall will not route packets between its interfaces, by issuing the command:
    # sysctl net.inet.ip.forwarding=1
    net.inet.ip.forwarding: 0 -> 1
    #
and, since a sysctl(8) change made at run time is lost at reboot, to uncomment the following line in /etc/sysctl.conf(5) so that it is re-applied at boot:
net.inet.ip.forwarding=1
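As an added example (not part of the original guide), here is a small sh helper that makes a sysctl(8) setting persistent in a sysctl.conf(5)-style file idempotently. The shipped file carries the forwarding line commented out, so a naive "append the line" approach leaves a misleading duplicate; the helper instead handles the three states a key can be in: commented out, present with another value, or absent. It is written for any key, which goes beyond the page's single net.inet.ip.forwarding=1 case. The function names are assumptions, and the file path is a parameter so that it can be exercised on a constructed copy before touching the real /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotently enable a
# setting in a sysctl.conf(5)-style file.  FILE is a parameter so the
# helper can be tried on a constructed copy first.

# set_sysctl_conf FILE KEY VALUE
# Leaves exactly one active "KEY=VALUE" line in FILE:
#   - a commented-out "#KEY=..." line is uncommented and set to VALUE
#     (any comment trailing on that line is dropped),
#   - an active "KEY=other" line is replaced,
#   - further mentions of KEY are removed as duplicates,
#   - when KEY is not mentioned at all, the line is appended.
set_sysctl_conf() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { want = key "=" value }
        {
            line = $0
            sub(/^[[:space:]]*#*[[:space:]]*/, "", line)   # strip leading "#"/blanks
            if (index(line, "=")) {
                split(line, kv, "=")
                sub(/[[:space:]]+$/, "", kv[1])
                if (kv[1] == key) {
                    if (!done) { print want; done = 1 }    # first mention: fix it
                    next                                   # later ones: drop
                }
            }
            print
        }
        END { if (!done) print want }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sysctl_conf_value FILE KEY
# Prints the value of the last active (uncommented) KEY= line, if any,
# i.e. what sysctl(8) would apply from FILE at boot.
sysctl_conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
        }
        k == key {
            v = $2
            sub(/[[:space:]]*#.*$/, "", v)                 # drop trailing comment
            sub(/[[:space:]]+$/, "", v)
        }
        END { if (v != "") print v }
    ' "$1"
}

# Usage on the real file (as root), after verifying on a copy:
#   set_sysctl_conf /etc/sysctl.conf net.inet.ip.forwarding 1
#   sysctl_conf_value /etc/sysctl.conf net.inet.ip.forwarding
```

Run it against a copy of /etc/sysctl.conf first and diff the result; the second call with the same arguments must leave the file unchanged, which is the property that makes it safe to keep in a provisioning script.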