Blog by Slagwerks

OpenBSD Firewall on Soekris 4501

Would you believe that a branch office of a certain unnamed organization hasn’t had a firewall (or even a router doing NAT) for close to a year? You could configure the printer from across the world and everything. That is, until the other day, when I got this little guy installed. Questions I had to answer in this project:

  1. Which Soekris? Current needs are reasonably simple firewalling for a smaller office, so the 4501 answers nicely. I would consider the 5501 for an office with more traffic or servers.
  2. What media? 2 GB CF cards are cheap as dirt now, and I remember running OpenBSD on systems with smaller hard drives… the lower heat, power and footprint and the higher reliability of CF are very attractive for this application compared to a hard drive.
  3. What OS / distro? Initially, I’m going with what’s basically a default i386 OpenBSD installation. It is commonly used for firewalls, and given the cheapness and reliability of CF these days, a generic setup should work for now. Once I’m comfortable with how things are running I’ll look into more options for minimizing writes, and possibly mounting some or all of the filesystems read-only. The most promising reference I’ve found so far is Michiel van Baak’s guide.
  4. What style of installation? Having serial access seems like a much better idea than just blindly booting CF cards, for troubleshooting purposes if nothing else. This also follows from the previous question: if I’d settled on a flashdist-type approach, I’d be writing the image to a CF card. As it was, I got a Keyspan USB-to-serial adapter (drivers for OS X and Linux!) and a null modem cable, and talked to the 4501 via “screen /dev/cu.KeySerial1 19200” from my laptop. I then network-booted the Soekris from a convenient Debian server, with some helpful tips from here.

Stumbling blocks I ran into:

  • The whole TFTP booting situation was tricky due to a missing ‘next-server’ directive in my dhcpd.conf file, which I fixed thanks to this.
  • After that, the boot hung at
    
    boot> boot bsd.rd
    booting tftp:bsd.rd: 4780308+874136 [52+178240+163973]=0x5b821c
    entry point at 0x200120
    which was fixed by setting the boot loader’s console to the serial port with
    
    boot> set tty com0
    boot> stty com0 19200
    before booting bsd.rd (thanks to Google’s cache of a mailing list discussion for that).
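The two stumbling blocks above both come down to a few lines of configuration on the server and on the Soekris. As an added example (not from the original post), the following shell functions write and check those fragments: an ISC dhcpd.conf host entry for TFTP/PXE booting that includes the ‘next-server’ directive, and an /etc/boot.conf for OpenBSD’s boot(8) that makes the serial console settings permanent so “set tty com0” and “stty com0 19200” need not be typed at every boot. The subnet, addresses, MAC address and hostname are constructed placeholders; the file name “pxeboot” is OpenBSD’s standard network boot loader, which then fetches bsd.rd over TFTP as shown in the post’s boot output.

```shell
#!/bin/sh
# Added example, not part of the original post. All addresses, the MAC
# and the hostname are constructed placeholders.

# Write an ISC dhcpd.conf fragment for one PXE-booting host.
# $1 = output path, $2 = TFTP server address (next-server),
# $3 = fixed address handed to the Soekris.
write_dhcpd_fragment() {
    cat > "$1" <<EOF
subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.150;
    option routers 192.0.2.1;
    # Constructed host entry; replace the MAC with the board's real one.
    host soekris {
        hardware ethernet 00:00:5e:00:53:01;
        fixed-address $3;
        # If next-server is absent, dhcpd hands out its own address as the
        # TFTP server, so a TFTP daemon on another host is never found.
        next-server $2;
        # OpenBSD's network boot loader; it then loads bsd.rd via TFTP.
        filename "pxeboot";
    }
}
EOF
}

# Return 0 if the fragment names both a TFTP server and a boot file,
# 1 otherwise. A quick check before restarting dhcpd.
check_dhcpd_fragment() {
    grep -q '^[[:space:]]*next-server[[:space:]]' "$1" || return 1
    grep -q '^[[:space:]]*filename[[:space:]]' "$1" || return 1
    return 0
}

# Write /etc/boot.conf for OpenBSD's boot(8): select the serial console
# and set its speed. $1 = output path, $2 = baud rate (19200 for the 4501
# as configured in the post).
write_boot_conf() {
    printf 'set tty com0\nstty com0 %s\n' "$2" > "$1"
}

# Print the baud rate configured for com0 in a boot.conf file.
boot_conf_baud() {
    awk '$1 == "stty" && $2 == "com0" { print $3 }' "$1"
}
```

On the Debian side the fragment goes into dhcpd.conf (and the TFTP root must contain pxeboot and bsd.rd); on the installed OpenBSD system, write_boot_conf targets /etc/boot.conf so the loader comes up on com0 at 19200 without manual intervention.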