Thursday, September 26, 2024

Re: Firewall for isolated hosts

On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> Hello,
>
> I want to use OpenBSD as firewall for a configuration where every host is
> isolated.
>
> For example, let's say I have 1.0.0.0/24 subnet and 2000::/56 subnet.
>
> I want each host to have a single ip for ipv4, and a /64 for ipv6.
>
> On the layer 2 side, I can configure a single VLAN for each host, I can either
> show each VLAN to the OpenBSD router as different VLAN or I can use PVLAN to have
> a single VLAN on the OpenBSD side.
>
> Now, with ipv6 it's easy, I can create a /64 for each host, but for ipv4 it's
> trickier. I'd like to use as few IP as I can and I think the lowest I can do is
> to use 2 IP per host.
>
> I was wondering if you had general advice on what was the best configuration.
>
> I looked at Hetzner, and for ipv4, they use point to point ethernet, so the host
> has ip in 1.0.0.24 with route to 1.0.0.23/32. It uses Linux's SystemD "[Address] Peer"
> configuration and I am not sure exactly what it entails. For ipv6 it uses
> fe80::1 as gateway which is also a bit weird as I would expect the gateway to be
> on the same subnet.
>
> The general idea is to be able to manage all firewalling between hosts using pf.

I think you are in danger of overengineering by quite some measure.

The easy way to set up is to go with a setup that has "block all" as the default
(initial) rule, and then add further rules that allow only traffic to and from
the specific hosts and networks you want, on the specific protocols and ports
you want.

The PF User's Guide at https://www.openbsd.org/faq/pf/index.html is a useful place
to start, please also keep the pf.conf man page (https://man.openbsd.org/pf.conf)
within reach. Further the most recent PF tutorial might be of some use in this
context (https://nxdomain.no/~peter/pf_fullday.pdf) and for that matter The Book of PF
(https://nostarch.com/pf3 and via better bookstores).

For a triple set of belts and suspenders configuration, you could do various variations
of isolated VLANs as you mention. If you want to keep the hosts in the 10.0.0.0/24
network, you could set each host to have a default gateway (assuming you want them
to be able to communicate with *something* over IPv4) outside that network using
whatever !route trickery in the individual /etc/hostname.$if you could think of.

There are doubtless further ways to complicate this and your life as the maintainer
of the setup, but unless you have specific reasons I would suggest going for the
relatively simple approach where the initial active line in each /etc/pf.conf reads

block # will expand to block all on load
# from here, specifically allow desirable traffic, nothing more, nothing less.

and you insert whatever you feel is strictly needed in pass rules thereafter.

All the best,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
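The default-deny layout Peter describes, with one vlan(4) interface per isolated host, written out as a complete pf.conf. This is an added example, not part of the original message or thread; interface names, addresses, services and the assumption that per-VLAN routes already exist are all constructed for illustration.

```pf
# Added example pf.conf (not from the original thread): default deny, one
# vlan(4) interface per isolated host. Names and addresses are assumed values.

ext_if   = "em0"
host_ifs = "{ vlan10 vlan11 }"                     # one VLAN per host
hosts_v4 = "{ 10.0.0.10 10.0.0.11 }"               # one IPv4 address per host
hosts_v6 = "{ 2000:0:0:10::/64 2000:0:0:11::/64 }" # one /64 per host
table <isolated> { 10.0.0.10 10.0.0.11 2000:0:0:10::/64 2000:0:0:11::/64 }

set skip on lo

# Initial active rule: expands to "block all" on load, so nothing passes
# unless a later rule explicitly allows it.
block

# Isolation: hosts must never reach each other through the router, even
# though a state created by a pass rule would otherwise float across
# interfaces and carry the traffic out on the other host's VLAN.
block quick from <isolated> to <isolated>

# Anti-spoofing: a host VLAN may only source addresses routed to it.
block in quick on $host_ifs from urpf-failed

# IPv6 needs neighbor discovery and router solicitation toward the router
# to work at all; allow exactly that and nothing else of ICMPv6 inbound.
pass in  on $host_ifs inet6 proto icmp6 icmp6-type { neighbrsol neighbradv routersol }
pass out on $host_ifs inet6 proto icmp6 icmp6-type { neighbrsol neighbradv routeradv }

# From here, specifically allow desirable traffic, nothing more, nothing less:
# each host may reach DNS and HTTP(S) outside the isolated set, plus ping.
pass in on $host_ifs inet  proto { tcp udp } from $hosts_v4 to ! <isolated> port { 53 80 443 }
pass in on $host_ifs inet6 proto { tcp udp } from $hosts_v6 to ! <isolated> port { 53 80 443 }
pass in on $host_ifs inet  proto icmp  from $hosts_v4 to ! <isolated> icmp-type  echoreq
pass in on $host_ifs inet6 proto icmp6 from $hosts_v6 to ! <isolated> icmp6-type echoreq

# IPv4 hosts share the router's external address on the way out; IPv6 is
# routed as is. Return traffic is matched by the states created above.
match out on $ext_if inet from $hosts_v4 nat-to ($ext_if)
pass  out on $ext_if from <isolated>
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a parse error there is far cheaper than locking yourself out of the router.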
