3. Base configuration

Let's take a brief look at the base system configuration, which applies to all of our firewalls.

We won't go through the installation of the operating system, which is thoroughly documented on the OpenBSD web site. The only (obvious) remark is that you should install the bare minimum, so that the firewall's security and reliability are not undermined by unnecessary software. Therefore, during installation, you only need to select the file sets marked as Required by the documentation, i.e.:

There should be no need to install the compiler set (compXX.tgz); leaving it out also avoids handing such a useful tool to a possible intruder (see [PUIS]).

After the first reboot, we can start with some basic configuration; since version 5.4, OpenBSD doesn't start inetd(8) by default, so there are no unnecessary daemons to disable. It is also good practice to edit the /etc/motd file so that it gives as little information as possible about the system and warns users, whether legitimate or not, that all access is logged and that any unauthorized access will be prosecuted (see [PUIS]).

You should already have configured the network during installation; if you need to change it afterwards, these are the main files to edit:

/etc/hostname.if(5)
containing information regarding the configuration of each network interface (address, netmask, etc.);
/etc/mygate(5)
containing the address of the gateway host;
/etc/myname(5)
containing the symbolic hostname (FQDN) of the machine;
/etc/resolv.conf(5)
containing the resolver configuration settings (name servers, local domain name, etc.).

Given the number of DNS-based attacks, it is also preferable, especially on firewalls, not to rely on DNS to resolve the names and addresses of the most critical systems, but to list them in the /etc/hosts(5) file instead. For /etc/hosts(5) to take precedence over DNS, the first line of /etc/resolv.conf(5) must be:

/etc/resolv.conf
lookup file bind

Packet Filter is enabled by default and loads rules from the /etc/pf.conf(5) file; a different path can be specified by assigning it to the pf_rules variable in /etc/rc.conf.local(8).

/etc/rc.conf.local
pf_rules=/new/path/to/pf.conf

You may also set pflogd(8) flags through the pflogd_flags variable. Finally, don't forget to enable IP forwarding, which is off by default, by issuing the command:

# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
#

and to uncomment (or add) the following line in /etc/sysctl.conf(5), so that forwarding is re-enabled at boot:

/etc/sysctl.conf
net.inet.ip.forwarding=1
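The steps of this section, as an added example (a shell script written for this page, not part of the original article): it generates the files described above under a ROOT prefix, which is an assumption of the script so that it can be tried in a scratch directory before being run as root against the real /etc, and then audits them for the two mistakes that silently weaken a firewall: DNS consulted before /etc/hosts, and IP forwarding not persisted. Interface names, addresses, hostnames and the pinned critical hosts are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original article: generate the base
# configuration files described in this section and audit them.
# ROOT is an assumption of this script: files are written under it, so the
# default (/tmp/fw-base) lets you inspect the result before using ROOT='' on
# a real firewall. All names and addresses below are constructed samples.
set -eu

ROOT="${ROOT-/tmp/fw-base}"

# Constructed sample values for a firewall with an external and an internal interface.
FQDN="fw1.example.com"
EXT_IF="em0";  EXT_ADDR="192.0.2.10";   EXT_MASK="255.255.255.0"
INT_IF="em1";  INT_ADDR="192.168.1.1";  INT_MASK="255.255.255.0"
GATEWAY="192.0.2.1"
DOMAIN="example.com"
NAMESERVERS="192.0.2.53 192.0.2.54"
# Critical hosts pinned in hosts(5) so that a poisoned DNS answer cannot redirect them.
PINNED_HOSTS="192.0.2.20 syslog.example.com syslog
192.0.2.21 ntp.example.com ntp"

write_base_config() {
    mkdir -p "$ROOT/etc"
    # hostname.if(5): one file per interface, "inet address netmask"
    printf 'inet %s %s\n' "$EXT_ADDR" "$EXT_MASK" > "$ROOT/etc/hostname.$EXT_IF"
    printf 'inet %s %s\n' "$INT_ADDR" "$INT_MASK" > "$ROOT/etc/hostname.$INT_IF"
    # mygate(5) and myname(5)
    printf '%s\n' "$GATEWAY" > "$ROOT/etc/mygate"
    printf '%s\n' "$FQDN"    > "$ROOT/etc/myname"
    # resolv.conf(5): the lookup line goes first so /etc/hosts wins over DNS
    {
        printf 'lookup file bind\n'
        printf 'domain %s\n' "$DOMAIN"
        for ns in $NAMESERVERS; do printf 'nameserver %s\n' "$ns"; done
    } > "$ROOT/etc/resolv.conf"
    # hosts(5): localhost, the firewall itself and the pinned critical systems
    {
        printf '127.0.0.1 localhost\n'
        printf '%s %s %s\n' "$EXT_ADDR" "$FQDN" "${FQDN%%.*}"
        printf '%s\n' "$PINNED_HOSTS"
    } > "$ROOT/etc/hosts"
    # sysctl.conf(5): persist IP forwarding across reboots (must not be commented out)
    printf 'net.inet.ip.forwarding=1\n' > "$ROOT/etc/sysctl.conf"
    # rc.conf.local(8): ruleset path, only needed when it differs from /etc/pf.conf
    printf 'pf_rules=/etc/pf.conf\n' > "$ROOT/etc/rc.conf.local"
}

# Audit the files under $ROOT; prints each problem found and returns 1 if any.
audit_base_config() {
    rc=0
    # hosts(5) only takes precedence if "lookup file bind" is the FIRST line
    if [ "$(head -n 1 "$ROOT/etc/resolv.conf")" != "lookup file bind" ]; then
        echo "resolv.conf: first line must be 'lookup file bind'"; rc=1
    fi
    # a commented-out forwarding line means the box stops routing at the next reboot
    if ! grep -q '^net.inet.ip.forwarding=1' "$ROOT/etc/sysctl.conf"; then
        echo "sysctl.conf: net.inet.ip.forwarding=1 missing or commented out"; rc=1
    fi
    # every pinned critical host must really be present in hosts(5)
    for name in $(printf '%s\n' "$PINNED_HOSTS" | awk '{print $2}'); do
        grep -Eq "[[:space:]]$name([[:space:]]|$)" "$ROOT/etc/hosts" \
            || { echo "hosts: $name not pinned"; rc=1; }
    done
    # myname(5) should hold a fully qualified name
    grep -q '\.' "$ROOT/etc/myname" || { echo "myname: not an FQDN"; rc=1; }
    # each hostname.if(5) file needs a well-formed inet line
    for f in "$ROOT"/etc/hostname.*; do
        grep -Eq '^inet [0-9.]+ [0-9.]+' "$f" || { echo "$f: no inet line"; rc=1; }
    done
    return $rc
}

# Stand-alone run: write the files under $ROOT and check them.
write_base_config
if audit_base_config; then
    echo "base configuration under $ROOT looks sane"
fi
```

Run it as is to populate /tmp/fw-base and read the audit output; only once the values match your site, run it as root with ROOT='' to write the real /etc. On a live system the sysctl(8) command shown above is still needed, since /etc/sysctl.conf is only read at boot.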