How To Use OpenBSD Inside VMware To Firewall A Host Machine
by francisco roque last modified 08/09/2002
Table of Contents
1. Introduction
2. Necessary Equipment
3. Instructions
3.1 Installing Windows
3.2 Installing OpenBSD
3.3 Networking Setup
3.4 Firewall Setup
4. Probing The Systems
5. Conclusion
6. References
7. Author, Copyright, License
1. Introduction
There are plenty of firewall packages for a Windows system, easily found via
web searches. OpenBSD is highly regarded as a great firewall, but the
drawback of using OpenBSD as a firewall for your Windows system is that you
need a separate machine to run OpenBSD on. Enter VMware: by installing
OpenBSD inside VMware, you can use OpenBSD to firewall the host machine.
There are a variety of drawbacks to this approach: running VMware is much
more resource intensive than a Windows add-on firewall, it only effectively
firewalls against non-local systems, knowledge of OpenBSD is necessary (as
opposed to point-and-click Windows firewall GUIs), and more.
I in no way say using OpenBSD in this manner is a Good Idea; I only say that
it can be done.
2. Necessary Equipment
You will need a system capable of running Windows NT/2000/XP with enough RAM
and hard drive space to support an OpenBSD instance in VMware. Without a
network card this process is useless, though perhaps a similar setup would
be possible for modem users. I used an Athlon 700, 128 MB of RAM, a 10 GB
drive and a cheap-o NIC.
You will also need copies of Windows and VMware as well as license keys to
make them go vroom.
It is assumed that you know how to read man pages, edit files, install
programs, and edit network configurations on Windows and OpenBSD.
For this howto, I am using OpenBSD 3.1-STABLE (as of 7/30/2002). If you use
a later OpenBSD version (such as 3.1-CURRENT), /etc/nat.conf and pfctl work
differently.
3. Instructions
3.1 Installing Windows
Install Windows NT/2000/XP by following the instructions on your legally
acquired Windows cd.
Download VMware from www.vmware.com. Install it.
3.2 Installing OpenBSD
Start VMware. You can use these settings:
Memory - 64 megs
HD Space - 200 megs
Networking - bridged
OS Type - Other
Install OpenBSD via your favourite medium/source. When I install into
VMware, I set up my cd drive to point to a local cd image. The cd image
varies depending on whether I feel like installing release, stable or
current, and it is much more convenient to install without having to change
physical cd's (particularly since sometimes I install from work to a home
machine).
You only need to install these packages: base31.tgz, etc31.tgz, bsd. If
you install more, you will need to increase the drive space allocated to
OpenBSD. For those 3 packages, a / partition of 150 megs will suffice.
The remainder can be allocated to swap.
Once you have installed and have rebooted once, I recommend halting the
OpenBSD instance, powering down the virtual machine, and changing your
allocated RAM to 32 megs. To firewall one machine, OpenBSD doesn't need
more than that unless that machine is doing serious serving, and you
aren't going to be following this doc if the machine is doing serious
serving.
Start up the OpenBSD instance.
In /etc/rc.conf, change the pf entry to YES. This will start up pf at
the next boot.
In /etc/sysctl.conf, uncomment the net.inet.ip.forwarding=1 entry. This
allows the OpenBSD instance to forward packets, which the NAT setup below
requires.
You may also want to turn off other services, such as inetd, portmap, etc.,
in /etc/rc.conf.
Reboot.
3.3 Networking Setup
You should now have a working Windows system with OpenBSD running inside
VMware on top of the Windows system.
Decide upon an unrouted range that isn't used in your local network. We
will be providing NAT on this range. I will be using 192.168.10.0/24.
Set up your Windows system with an IP address in this range. I use
192.168.10.7. For the gateway, assign an address in this range. I use
192.168.10.225. Use a netmask of 255.255.255.0.
Set up your OpenBSD system with the networking your Windows system would
normally have. That is:
- if your Windows system normally uses dhcp, then enter the line:
dhcp NONE NONE NONE
in /etc/hostname.le1
and run the command `dhclient le1`
- if your Windows system normally has an IP address assigned to it,
then enter the line:
inet 10.0.0.7 255.255.255.0 NONE
in /etc/hostname.le1, using your appropriate address/netmask,
and run the command `ifconfig le1 10.0.0.7 netmask 255.255.255.0`
again using your appropriate address/netmask.
Provide an alias to your network device using the same IP as the router
that the Windows system has been configured with by running:
ifconfig le1 alias 192.168.10.225
And make it permanent by adding the following to /etc/hostname.le1:
alias 192.168.10.225
Set up the OpenBSD system to NAT for the chosen range. In /etc/nat.conf,
enter the following line:
nat on le1 from 192.168.10.7/32 to any -> le1
Load the rules by running `pfctl -N /etc/nat.conf`. In 3.1-CURRENT (and
beyond?) the file is /etc/pf.conf and the command is
`pfctl -f /etc/pf.conf`.
At this point your Windows system will be able to contact the outside
world. It will be doing this through your OpenBSD system, which is
providing NAT for the Windows system.
3.4 Firewall Setup
You may now configure your firewall ruleset. Plenty of other people have
written great docs on how to do this, so follow their docs. Here are a
few recommendations:
- block all incoming requests, except port 22 (for admin access to the
OpenBSD system).
- pass out anything from the OpenBSD system and the Windows system
- block out everything else.
If you run any services on the Windows system, you will also want to
include a rdr rule in your NAT configuration. For example, if you run
a web server on the Windows system, then add the following to your NAT
rules:
rdr on le1 proto tcp from any to le1/32 port 80 -> 192.168.10.7 port 80
You will want to add the appropriate pf rule as well.
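As an added example (not part of the original howto), here is a complete
/etc/pf.conf for the 3.1-STABLE guest that implements the three
recommendations above together with the pass rule that goes with the
web-server rdr. It assumes the addresses used throughout this document
(the OpenBSD instance on 10.0.0.7 with the 192.168.10.225 alias on le1,
the Windows system on 192.168.10.7) and that the nat and rdr lines stay in
/etc/nat.conf as described in 3.3. pf acts on the last matching rule, so
the two block rules come first and the pass rules override them. On
3.1-STABLE filter rules are loaded with `pfctl -R /etc/pf.conf` (the
filter counterpart of the -N switch used for nat.conf); on 3.1-CURRENT the
file also holds the nat/rdr lines and is loaded with `pfctl -f
/etc/pf.conf`.

```pf
# /etc/pf.conf for the OpenBSD 3.1-STABLE guest (added example, not from
# the original howto). Filter rules only: the nat and rdr lines live in
# /etc/nat.conf. Assumed addresses: guest 10.0.0.7 (plus alias
# 192.168.10.225) on le1, Windows host 192.168.10.7.
#
# le1 is the only interface, so it is both the "outside" and the "inside"
# of this firewall. pf uses the last matching rule: deny everything first
# and let the pass rules below override.

block in all
block out all

# Recommendation 1: admin access to the guest itself, ssh only.
pass in on le1 proto tcp from any to le1 port 22 flags S/SA keep state

# Recommendation 2a: the Windows host's packets arrive on le1 with their
# private source address; nat.conf translates them only on the way out.
pass in on le1 from 192.168.10.7 to any keep state

# Recommendation 2b: everything leaving le1 carries one of the guest's own
# addresses, i.e. the guest's traffic and the Windows host's after NAT.
# Recommendation 3 (block out everything else) is the block out all above.
pass out on le1 from le1 to any keep state

# Companion to the rdr rule for the Windows web server: rdr rewrites the
# destination before the filter sees the packet, so match the Windows
# address here, not le1.
pass in on le1 proto tcp from any to 192.168.10.7 port 80 flags S/SA keep state
```

Because `from le1` expands to every address configured on the interface,
the pass out rule covers both the guest's replies to the Windows system
(source 192.168.10.225) and its translated traffic to the outside (source
10.0.0.7). Remember from section 4 that none of this protects the Windows
system from a host on the same physical segment that simply adds a
192.168.10.0/24 alias.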
4. Probing the Systems
You will want to probe the Windows system from two different locations:
on the local network and off the local network. Both will return the
same results initially. However, you can configure a system on the local
network with an address inside the Windows system's range and thus bypass
the OpenBSD system.
For example let's say our network looks like the following:
1- Windows system: 192.168.10.7
2- OpenBSD system: 10.0.0.7 (outside), 192.168.10.225 (inside)
3- Local probing host: 10.0.0.13
4- Remote probing host: 198.111.176.205
Our logical network is:
                 ---> 2 <---> 1
   4 <---> 5 <--|
                 ---> 3
But our physical network is:
                 ---> 2/1
   4 <---> 5 <--|
                 ---> 3
Since it is impossible to physically separate systems 1 and 2, system 3
need only add an alias to its network device. Under OpenBSD, it can do
(with dev replaced by its interface name):
ifconfig dev alias 192.168.10.13 netmask 255.255.255.0
Under Linux:
ifconfig eth0:0 192.168.10.13 netmask 255.255.255.0
Under Windows you can use the GUI to set up the alias.
With the alias, our logical network is now:
                 ---> 2 <---> 1 <--
   4 <---> 5 <--|                 |
                 ---> 3 <----------
That is, system 3 is on the same logical network as system 1, and does
not route through system 2.
5. Conclusion
We have seen how to set up OpenBSD as a firewall running inside a Windows
system. This gives us the power of OpenBSD while only requiring one
physical machine. It does nothing, however, to protect our host machine
from local network attacks, and it requires more resources than
alternate methods.
The technique outlined in this document should also be applicable to
using OpenBSD inside VMware running on different platforms, such as
Linux. It may also be applicable to running OpenBSD inside VirtualPC;
buy me an iBook and a copy of VirtualPC and I'll find out. It should
also be possible to layer the firewalls even more, such as running
instances of OpenBSD and Linux on top of Windows, then using OpenBSD to
route/NAT/firewall for the Linux system and the Linux system to
route/NAT/firewall for the Windows system. More layers can be added as
desired.
I do not know why anyone would ever follow these steps for use on a
production system. If you do this for a Good Reason, please let me know
why.
6. References
A concise list of Windows firewalls:
http://www.iopus.com/guides/freefirewalls.htm
OpenBSD pf docs:
http://www.openbsd.org/faq/faq6.html#6.2
http://www.benzedrine.cx/pf.html
http://www.inebriated.demon.nl/pf-howto/
OpenBSD install doc:
http://www.openbsd.org/faq/faq4.html
7. Author, Copyright, License
The author of this document is francisco roque, who can be found at
http://www.blackant.net/
This document is copyright francisco roque 2002.
This document is released under a BSD-style license and may be used in whole
or in part for anything so long as this section remains intact.
The author takes no responsibility for damages incurred by following the
steps in this document, including but not limited to the loss of data or
damage to hardware. Good Luck.