Firewall
The Firewall is a router called firewall in the internal network. It makes sure all connections are routed through the VPN and switches (and later balances) traffic between our different Internet connections (Satellite, DSL, [planned Fiber, maybe LTE, Wifi]).
Configuration
The firewall is an APU with 3 gigabit network ports and OpenBSD as operating system.
The network ports are named em0, em1 and em2.
em0 is the uplink to the DSL network and has a dynamic IP address. em1 is the uplink to the SAT network and has a dynamic IP address. em2 is the interface to the network used by all clients in the premises and has a fixed IP address (192.168.1.1).
OpenBSD is used with a minimal configuration. It only runs an SSH server for administration, a DHCP server for the internal network, a nameserver and an OpenVPN client.
SSH Server
The SSH server is available on the em2 network interface on port 22. It is only possible to log in as the user 'echo', with public key authentication only.
Every new admin key should have a bit length of 8192 and a passphrase.
DHCP Server
The DHCP server is available on the em2 network only and gives out dynamic addresses from 192.168.1.100 to 192.168.1.255 and fixed addresses from 192.168.1.10 to 192.168.1.99. The clients get a nameserver option that points to the firewall.
Nameserver
The nameserver answers name requests on the internal network and makes sure that devices in the network can reach each other by name. The domain for the nameserver is echo.local. All names outside of this domain are forwarded to the VPN provider.
OpenVPN Client
The OpenVPN client connects to a remote host and tunnels all the traffic. When the VPN connection is up, all traffic gets forwarded through the VPN; when it is down, no traffic gets forwarded. A cron job takes care of switching between the network interfaces em0 and em1.
Firewall Rules
Firewall Rules are set in pf.
If no VPN is running
- input policy: drop everything except
  - loopback device
  - em2 (internal network)
  - ICMP
- output policy: drop everything except
  - loopback device
  - em2 (internal network)
  - em0/em1 (external network):
    - DNS to a fixed, specific DNS server
    - FTP, NTP, HTTP(S), SSH
    - OpenVPN
- forward policy: drop everything
If the VPN is running, the same rules apply with the following changes:
- output policy:
  - tun0 (VPN network):
    - DNS to a fixed, specific DNS server
    - FTP, NTP, HTTP(S), SSH
    - OpenVPN
  - em0/em1 (external network):
    - drop everything except OpenVPN
- forward policy:
  - forward everything from em2
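The two policies above, written out as pf rules. This is an added example and not the firewall's actual configuration. It assumes the interface names and the 192.168.1.0/24 network from this page; the DNS server address, the VPN provider's endpoint and the OpenVPN port 1194 are placeholders. Because pf has no "if the VPN is up" conditional, the base ruleset is loaded at boot and the VPN-specific rules live in an anchor that the OpenVPN up script loads and the down script flushes; since the anchor is evaluated last and pf applies the last matching rule, its rules override the base rules while the tunnel is up. The base rules restrict uplink traffic to the firewall's own addresses (from self), which is what makes the forward policy "drop everything" while the VPN is down.

```pf
# ---- /etc/pf.conf : base ruleset, loaded at boot (VPN down) ----
# Interface names and the LAN network come from the wiki page; the DNS and
# OpenVPN server addresses below are placeholders, not the real ones.
ext_if  = "{ em0 em1 }"            # DSL and satellite uplinks
int_if  = "em2"                    # internal network
vpn_if  = "tun0"                   # OpenVPN tunnel
lan     = "192.168.1.0/24"
dns_srv = "{ 203.0.113.53 }"       # placeholder: the fixed DNS server(s)
vpn_srv = "198.51.100.10"          # placeholder: the VPN provider's endpoint
vpn_port = "1194"                  # assumed OpenVPN port
tcp_svc = "{ ftp ssh http https }"
udp_svc = "{ ntp }"

set block-policy drop
set skip on lo0                    # loopback is never filtered

# Default policy: drop everything in every direction and log it.
block log all

# Input: only the internal network and ICMP.
pass in on $int_if
pass in inet proto icmp

# Output on the internal network (DHCP, DNS and SSH answers to clients).
pass out on $int_if

# Output on the uplinks, limited to the firewall's own addresses ("self"),
# so nothing from the LAN is forwarded while the VPN is down.
pass out on $ext_if inet proto { tcp udp } from self to $dns_srv port domain
pass out on $ext_if inet proto tcp from self to any port $tcp_svc
pass out on $ext_if inet proto udp from self to any port $udp_svc
pass out on $ext_if inet proto { tcp udp } from self to $vpn_srv port $vpn_port

# The OpenVPN up script loads /etc/pf.vpn.conf into this anchor
# (pfctl -a vpn -f /etc/pf.vpn.conf); the down script flushes it
# (pfctl -a vpn -F rules). Last matching rule wins, so the anchor overrides.
anchor "vpn"

# ---- /etc/pf.vpn.conf : loaded into anchor "vpn" while the tunnel is up ----
# Macros are not shared between files, so they are repeated here.
ext_if  = "{ em0 em1 }"
int_if  = "em2"
vpn_if  = "tun0"
lan     = "192.168.1.0/24"
dns_srv = "{ 203.0.113.53 }"       # placeholder
vpn_srv = "198.51.100.10"          # placeholder
vpn_port = "1194"                  # assumed
tcp_svc = "{ ftp ssh http https }"
udp_svc = "{ ntp }"

# Uplinks: drop everything except the tunnel itself.
block out on $ext_if
pass out on $ext_if inet proto { tcp udp } from self to $vpn_srv port $vpn_port

# The firewall's own traffic now leaves through the tunnel only.
pass out on $vpn_if inet proto { tcp udp } from self to $dns_srv port domain
pass out on $vpn_if inet proto tcp from self to any port $tcp_svc
pass out on $vpn_if inet proto udp from self to any port $udp_svc

# Forwarding: everything from the internal network, NATed to the tunnel address.
pass in on $int_if from $lan
pass out on $vpn_if from $lan nat-to ($vpn_if)
```

Forwarding also requires net.inet.ip.forwarding=1 in /etc/sysctl.conf, and both files should be syntax-checked with pfctl -nf before they are loaded. A quick way to confirm the policy is to run pfctl -sr and pfctl -a vpn -sr in each VPN state and to watch pflog0 with tcpdump for the logged drops: with the tunnel down, a LAN client's HTTP request must show up there, not on em0 or em1.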
At the moment we have a Debian running on a Z-Box (this will be changed in the future), and the rules are configured with ferm (http://ferm.foo-projects.org/).
There are several configurations in the /etc/ferm directory that can be loaded with ferm [filename].
/etc/ferm/default.conf
This file is loaded every time the VPN connection state changes with a udev rule. It ensures that traffic is only forwarded through the VPN and never leaves the box unless it is VPN traffic or DNS traffic to a limited set of servers.
/etc/ferm/admin.conf
This file is used to unlock the restrictive firewall during administration. This allows the firewall to connect to the distribution repositories and download updates.
/etc/cron.d/toggle_uplink.sh
This script is used to switch between the uplinks (satellite or DSL) from a cron job. It shuts down the VPN, sets a different configuration (TCP for satellite, UDP for DSL) and triggers the reconnect. The VPN provider is instructed to provide a fixed IP, so running downloads should continue.
crontab -e as root
At the moment the router switches to the satellite at night, to use the satellite flat rate between 0:00 and 6:00 UTC+1.