kuckucksmuehle:hackerspace:firewall

Differences

Old revision: kuckucksmuehle:hackerspace:firewall [2017/11/20 00:32] kimparker
New revision: kuckucksmuehle:hackerspace:firewall [2018/03/22 18:20] (current) – add information how to handle network disturbance – kimparker
Line 7: Line 7:
  
  
-The firewall is a APU with 3 gigabit network ports and OpenBSD as operating system.+The firewall is a APU with 3 gigabit network ports and Opnfsense as operating system.
  
-The network ports are named em0em1em2+The network ports are named igb0igb1igb2
  
-em0 is the uplink to the DSL network and has a dynamic IP address. +igb0 is the uplink to the DSL network and has a dynamic IP address. 
-em1 is the uplink to the SAT network and has a dynamic IP address. +igb1 is the uplink to the SAT network and has a dynamic IP address. 
-em2 is the interface to the network used by all clients in the premises and has a fixed IP address (192.168.1.1)+igb2 is the interface to the network used by all clients in the premises and has a fixed IP address (192.168.1.1).
- +
-The OpenBSD is used with a minimal configuration. It only runs a ssh server for administration, a dhcp server for the internal network, a nameserver and a OpenVPN client. +
- +
-==== SSH Server ==== +
- +
-The ssh server is available on the FIXME em2 network interface on port 22. It is possible to login as the user 'echo' with public key authentication only. +
- +
-Every new admin key should have a bitlength of 8192 and a passphrase.+
  
 ==== DHCP Server ==== ==== DHCP Server ====
  
-FIXME The dhcp server is available on the em2 network only and gives out dynamic addresses from 192.168.1.100 to 192.168.1.255 and fixed addresses from 192.168.1.10 to 192.168.1.99 . The clients get a nameserver option that is the firewall. +The dhcp server is available on the igb2 network only and gives out dynamic addresses from 192.168.1.100 to 192.168.1.255 and fixed addresses from 192.168.1.10 to 192.168.1.99 .
- +
-==== Nameserver ==== +
- +
-FIXME The nameserver responds to the name requests on the internal network and makes sure that devices in the network can reach each other by name. The domain for the nameserver is echo.local. All domains outside of the domain are forwarded to the VPN provider.+
  
 ==== OpenVPN Client ==== ==== OpenVPN Client ====
  
-FIXME The OpenVPN client connects to a remote host tunnel all the traffic. When the VPN connection is up, all traffic gets forwarded through the VPN, when it is down, no traffic gets forwarded. A cron job takes care of switching between the network interface em0 and em1.+The OpenVPN client connects to a remote host tunnel all the traffic. When the VPN connection is up, all traffic gets forwarded through the VPN, when it is down, no traffic gets forwarded.
  
 ==== Firewall Rules ==== ==== Firewall Rules ====
  
-FIXME +Firewall Rules are set in Opnfsense
-Firewall Rules are set in pf+Outbound Nat Rules make sure that no traffic from the internal network is sent to the internet when the VPN is not up
-If no VPN is running +
-  * input policy: drop everything except +
-    * loopback device +
-    * em2 (internal network+
-    * imcp +
-  * ouput policy: Drop everything except +
-    * loopback device +
-    * em2 (internal network) +
-    * em0/em1 (external network): +
-      * DNS to fixed specific DNS-Server +
-      * FTP, NTP, HTTP(S), SSH +
-      * OpenVPN +
-  * forward policy: Drop everything +
- +
-If the VPN is running the same rules with change following rules +
-  * output policy: +
-    * tun0 (vpn network): +
-      * DNS to fixed specific DNS-Server +
-      * FTP, NTP, HTTP(S), SSH +
-      * OpenVPN +
-    * em0/em1 (external network): +
-      * drop everything except OpenVPN +
-  * forward policy: +
-    * forward everything from em2 +
- +
- +
- +
- +
-=============================== +
-We have at the moment a Debain running on a Z-Box (will be changed in the future). And configured the rules with "ferm":http://ferm.foo-projects.org/+
- +
-There are several configurations in the ''/etc/ferm'' directory that can be loaded with ''ferm [filename]'' +
- +
-''/etc/ferm/default.conf'' +
- +
-This file is loaded every time the VPN connection state changes with a udev rule. It ensures that traffic is only forwarded through the VPN and never leaves the box unless it is VPN traffic or DNS traffic to a limited set of servers. +
- +
-''/etc/ferm/admin.conf'' +
- +
-This file is used to unlock the restrictive firewall during administration. This allows the firewall to connect to the distribution repositories and download updates. +
- +
-''/etc/cron.d/toggle_uplink.sh''+
  
-This script is used to switch between uplinks (satellite or DSL) using a cron job. It is configured to shut down the VPN, set a different configuration (TCP for satellite, UDP for DSL) and trigger the reconnect. The VPN provider is instructed to provide a fixed IP so running downloads should continue.+==== Handle Network Disturbances ====
  
-''crontab -e as root''+Sometimes it is required to check which device is responsible for traffic. In rare circumstances it is also required to shut that device off.
  
-At the moment the router switches at night to the sateliteto use the flatrate of the satelite between 0:00-6:00  UTC + 1.+  - Login to https://192.168.1.1 
 +  - Open "Interfaces/Diagnostics/ARP Table" on a separate tab 
 +  - Open "Reporting/Insight" on a separate tab 
 +  - Open "Reporting/Traffic Graph", Select LAN 
 +  - Find the device causing trafficlook up the IP in the arp-table (gives more info like manufacturer) 
 +  - Open "Firewall/Traffic Shaper/Settings" -> Rules 
 +  - Duplicate the BAD GUI rule and enter the IP address, name the new rule and click apply
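Review bot: the new Firewall Rules text ("Outbound Nat Rules make sure that no traffic from the internal network is sent to the internet when the VPN is not up") turns the VPN kill switch into a side effect of NAT, which is not a filter: a missing outbound NAT rule only stops address rewriting, so LAN packets can still be routed out of igb0/igb1 with their private source address when the tunnel is down, and the removed pf text's explicit "forward policy: Drop everything" and "em0/em1 (external network): drop everything except OpenVPN" have no stated replacement. Suggest documenting the filter rule that actually enforces it, e.g. a LAN pass rule pinned to the VPN gateway (with rule-skipping when that gateway is down enabled so it does not fall back to the default gateway) followed by a block rule, or a floating block on both WAN interfaces for source 192.168.1.0/24, and stating which resolver DHCP clients now receive, since the old nameserver section (outside domains forwarded to the VPN provider) and the "clients get a nameserver option that is the firewall" sentence were dropped without a replacement, which leaves the DNS leak question open. Two smaller points in the same hunk: the dynamic DHCP pool "192.168.1.100 to 192.168.1.255" includes the /24 broadcast address and should end at .254, and the DSL/SAT uplink switching the removed cron job handled is no longer described, so it is unclear which of igb0/igb1 OpenVPN binds to and what happens on failover. Wording: "Opnfsense" should be "OPNsense" (twice), "connects to a remote host tunnel all the traffic" should read "to tunnel all the traffic", and "causing trafficlook up the IP" needs a comma; in the Traffic Shaper step, confirm "BAD GUI" is the real rule name, and since that rule matches by IP, the offending device should also get a static mapping in the fixed 192.168.1.10-99 range so the throttle survives a lease change.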
  
  • kuckucksmuehle/hackerspace/firewall.1511134333.txt.gz
  • Last modified: 2017/11/20 00:32
  • by kimparker