How to add a management ip to openbsd firewall

now browsing by category


How to add a remote management ip to a bridged openbsd firewall

Adding Management IP to Open BSD Bridged Firewall

I am writing this because sometimes people set things up without setting up a remote management ip on servers and decide to do it later, only to find that now that firewall is running in a production environment and become more critical than it was originally suppose to be.

1. Ensure that you chosen an IP that is configured to the correct vlan

2. Edit /etc/hostname.rl0

Note: On a bridged firewall there will be usually two interfaces one will be the internal interface and the other will be the external interface. If you cat /etc/pf.conf you should see which is the external interface defined, this is the file you will be editing to add the remote management ip.

less /etc/hostname.rl0


inet (this one seems to work better in my experience)
3. Edit /etc/mygate (This is where you configure the gateway the management ip will be using.)

less /etc/mygate

4. Edit /etc/rc.conf

less /etc/rc.conf (the sshd_flags should look like the illustrated below)

sshd_flags=”” # for normal use: “”

5. Edit /etc/ssh/sshd_config

less /etc/ssh/sshd_config (Ensure that you allow root login or keys if you are using keys)

PermitRootLogin yes

6. You will also need to ensure that the firewall rules on pf.conf allow the traffic to come in on the interface and port 22 for ssh for tcp and udp

vi /etc/pf.conf

add something like the example below.

pass in log quick on $external_interface proto tcp from $allowed_hosts to port 22 keep state

pass in log quick on $external_interface proto udp from any to

6. Reboot Server.

In a Production Environment you probably want to avoid a reboot of the firewall, you can follow the steps below to help you achieve this.

Adding Management IP without Rebooting server

1. Check to see which interface is the external_interface in /etc/pf.conf.

In this case we will assume it is rl0:

2. Run these from the command line. This will set the IP/route on-the-fly, not requiring a reboot.

ifconfig rl0 inet <ip address> <netmask>

route add default <gateway> 

or you can use

route add default gw eth0


ip route add default via <gateway>

Note: if you make a mistake by adding the wrong gateway and bring everything down, you can delete the gateway on the fly as well, by using something similar to the example below

How to delete the gateway on the fly if you make an error


 ip route delete default

3. Add this to /etc/hostname.rl0

vi /etc/hostname.rl0 add line: inet <ip address> netmask <netmask>

4. Add your gateway.

vi /etc/mygate add line: <gateway>

5. Modify the SSH configuraiton.

vi /etc/ssh/sshd_config Set to allow root and password logins

6. Run SSH.


7. Do not forget to update the firewall rules in /etc/pf.conf to allow traffic on the external interface to come in on the port 22

pass in log quick on $external_interface proto tcp from $allowed_hosts to port 22 keep state

pass in log quick on $external_interface proto udp from any to

8. You should now be able to test the connection with a telnet command from outside and see if you can connect to ssh remotely

telnet 22 


Hope this has helped you email if you have questions