How to add a management ip to openbsd firewall

now browsing by category

 

How to add a remote management ip to a bridged openbsd firewall

Adding Management IP to Open BSD Bridged Firewall

I am writing this because sometimes people set things up without setting up a remote management ip on servers and decide to do it later, only to find that now that firewall is running in a production environment and become more critical than it was originally suppose to be.

1. Ensure that you chosen an IP that is configured to the correct vlan

2. Edit /etc/hostname.rl0

Note: On a bridged firewall there will be usually two interfaces one will be the internal interface and the other will be the external interface. If you cat /etc/pf.conf you should see which is the external interface defined, this is the file you will be editing to add the remote management ip.

less /etc/hostname.rl0
up
inet 192.168.1.35 255.255.255.0

or

inet 192.168.1.35/24 (this one seems to work better in my experience)
up
3. Edit /etc/mygate (This is where you configure the gateway the management ip will be using.)

less /etc/mygate
192.168.1.1

4. Edit /etc/rc.conf

less /etc/rc.conf (the sshd_flags should look like the illustrated below)

sshd_flags=”” # for normal use: “”

5. Edit /etc/ssh/sshd_config

less /etc/ssh/sshd_config (Ensure that you allow root login or keys if you are using keys)

PermitRootLogin yes

6. You will also need to ensure that the firewall rules on pf.conf allow the traffic to come in on the interface and port 22 for ssh for tcp and udp

vi /etc/pf.conf

add something like the example below.

Example
pass in log quick on $external_interface proto tcp from $allowed_hosts to 192.168.1.35 port 22 keep state

pass in log quick on $external_interface proto udp from any to 192.168.1.35

6. Reboot Server.

In a Production Environment you probably want to avoid a reboot of the firewall, you can follow the steps below to help you achieve this.

Adding Management IP without Rebooting server

1. Check to see which interface is the external_interface in /etc/pf.conf.

In this case we will assume it is rl0:

2. Run these from the command line. This will set the IP/route on-the-fly, not requiring a reboot.

ifconfig rl0 inet <ip address> <netmask>

route add default <gateway> 

or you can use

route add default gw 192.168.1.254 eth0

or

ip route add default via <gateway>

Note: if you make a mistake by adding the wrong gateway and bring everything down, you can delete the gateway on the fly as well, by using something similar to the example below

————————————————————————————
How to delete the gateway on the fly if you make an error

Example

 ip route delete default
————————————————————————————– 

3. Add this to /etc/hostname.rl0

vi /etc/hostname.rl0 add line: inet <ip address> netmask <netmask>

4. Add your gateway.

vi /etc/mygate add line: <gateway>

5. Modify the SSH configuraiton.

vi /etc/ssh/sshd_config Set to allow root and password logins

6. Run SSH.

/usr/sbin/sshd

7. Do not forget to update the firewall rules in /etc/pf.conf to allow traffic on the external interface to come in on the port 22

Example
pass in log quick on $external_interface proto tcp from $allowed_hosts to 192.168.1.35 port 22 keep state

pass in log quick on $external_interface proto udp from any to 192.168.1.35

8. You should now be able to test the connection with a telnet command from outside and see if you can connect to ssh remotely

telnet 192.168.1.35 22 

Cheers

Hope this has helped you email nick@nicktailor.com if you have questions