Following is a copy of our standard completion and instructions letter when we configure and ship out an eRacks/TWINGUARD Firewall:
Dear Customer,
The TWINGUARD installation of OpenBSD and CARP is complete on both units.
Here's a list of what we did, as well as some notes and caveats:
- pf (packet filter, the OpenBSD firewall rules engine) was enabled in rc.conf
- IP forwarding was enabled (required for the firewall to pass packets) for IPv4 only, not IPv6.
- The shell for root was changed to bash
- the sysctl.conf configuration for CARP is set up with the standard defaults, as follows:
net.inet.carp.allow=1
net.inet.carp.preempt=0
net.inet.carp.log=0
net.inet.carp.arpbalance=0
- The IP addresses configured are for testing only, and will need to be set up appropriately for your network:
# On TWIN1:
/etc/hostname.vr0: inet 10.1.2.134 255.255.255.0 NONE
/etc/hostname.vr1: inet 192.168.1.134 255.255.255.0 NONE
# On TWIN2:
/etc/hostname.vr0: inet 10.1.2.135 255.255.255.0 NONE
/etc/hostname.vr1: inet 192.168.1.135 255.255.255.0 NONE
# On Both systems:
/etc/hostname.carp0:
inet 10.1.2.2 255.255.255.0 10.0.0.255 vhid 1 pass foo
/etc/hostname.carp1:
inet 192.168.1.2 255.255.255.0 192.168.0.255 vhid 2 pass bar
- DHCP is not enabled (neither client nor server) on either interface.
- The firewall rules are configured to pass all traffic for now, and restrictions need to be installed and tailored to your needs
- Special rules pertaining to CARP (and pfsync) were added to pf.conf to guide you during your rule setup and configuration
- pfsync was not configured, and is not typically necessary under most "stateless" failover configurations (such as a webserver or mailserver): it is only used to keep the state tables in sync between the two firewalls so that stateful connections can fail over. If there are no stateful connections, or they can simply retry harmlessly (like SMTP, for example), there is no real need for it.
- Don't forget to write your rules to refer to the correct NICs, and put them on both firewalls!
- See /usr/share/pf for examples - "man pf.conf" for detailed syntax
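As an added illustration of what "rules that refer to the correct NICs" look like, here is a small pf.conf fragment. This is example text written for this page, not the pass-all ruleset shipped on the units, and it assumes the interface roles from the addresses above (vr0 facing the 10.1.2.0/24 side, vr1 facing the 192.168.1.0/24 side); the pfsync interface name vr2 is hypothetical, since pfsync was not configured. It starts from a default-deny policy, which is the opposite of the shipped configuration, and it shows the one rule you must not lose while tightening things: CARP advertisements (IP protocol 112) have to pass on the physical interfaces, or each unit stops seeing the other and both declare themselves MASTER.

```pf
# /etc/pf.conf fragment (added example; not the shipped eRacks ruleset)
# Assumed interface roles: vr0 = outside (10.1.2.0/24), vr1 = inside (192.168.1.0/24)
ext_if = "vr0"
int_if = "vr1"

# Default deny, logging what is dropped, so every allowed flow below is explicit
block log all
set skip on lo

# CARP advertisements are sent by the physical NICs, not the carpN interfaces.
# Blocking them makes both units believe the peer is gone and go MASTER.
pass quick on { $ext_if $int_if } proto carp

# pfsync is unauthenticated; if you enable it later, keep it on a dedicated
# crossover link (or IPsec) and pass it only there.
# pfsync_if = "vr2"            # hypothetical name, not configured on the shipped units
# pass quick on $pfsync_if proto pfsync

# Management: ssh only to the physical addresses of this unit, from the inside
# network. Connecting to the shared CARP address is what triggers the
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning after a failover.
pass in on $int_if proto tcp from $int_if:network to ($int_if) port ssh

# Inside hosts may go out through the firewall; replies return via state
pass in on $int_if from $int_if:network to any
pass out on $ext_if from any to any
```

Install an identical copy on both TWIN1 and TWIN2 (only the addresses in hostname.vrN differ, and the macros reference interface names rather than addresses), then check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. After loading, `ifconfig carp0` on each unit should still show one MASTER and one BACKUP; if both show MASTER, the `proto carp` rule is not being reached.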
- When connecting to your firewalls, ssh to the raw IPs, not the CARP interface - otherwise you'll get one of the two machines randomly, and your ssh client will give you the message:
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
and drop your connection. Remember, from the viewpoint of your ssh client, you've just connected to a different machine with the same (CARP) IP address! So it thinks there's spoofing occurring.
- The following packages were installed as part of the installation, either as utilities or direct dependencies:
autoconf-2.13p0 automatically configure source code on many Un*x platforms
autoconf-2.57p0 automatically configure source code on many Un*x platforms
autoconf-2.59p1 automatically configure source code on many Un*x platforms
bash-3.1.17 GNU Bourne Again Shell
bzip2-1.0.3 block-sorting file compressor, unencumbered
db-4.2.52p8 Berkeley DB package, revision 4
expat-2.0.0 XML 1.0 parser written in C
gdbm-1.8.3p0 GNU dbm
gettext-0.14.5p1 GNU gettext
glib2-2.10.3 general-purpose utility library
gmake-3.80p1 GNU make
help2man-1.29 GNU help2man
libiconv-1.9.2p3 character set conversion library
libltdl-1.5.22p1 GNU libtool system independent dlopen wrapper
libtool-1.5.22p0 generic shared library support script
mc-4.6.1p0 free Norton Commander clone with many useful features
metaauto-0.5 wrapper for gnu auto*
pkgconfig-0.19p0 tool for managing library compile/link flags
python-2.4.3p0 interpreted object-oriented programming language
tcl-8.4.7p1 Tool Command Language
tk-8.4.7 graphical toolkit for Tcl
unzip-5.52 extract, list & test files in a ZIP archive
wget-1.10.2p0 retrieve files from the web via HTTP, HTTPS and FTP
zip-2.32 create/update ZIP files compatible with PKZip(tm)
- Additional references:
http://www.countersiege.com/doc/pfsync-carp/
http://www.openbsd.org/faq/pf/carp.html
http://www.openbsd.org/faq/faq6.html#CARP
http://www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion=4
http://www.benzedrine.cx/pf.html
http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfig&sektion=8
(see the CARP subsection)
http://www.kernel-panic.it/openbsd/carp/carp4.html
Thanks again for your business, and let us know if you have any questions.
If you need help configuring your environment, firewall rules, DHCP, pfsync setup over IPSec, or other OpenBSD consulting, keep in mind that as our hardware customer you are eligible for a preferred customer discount on consulting. Contact us for further details.