I had a job where I needed to place a firewall in front of a network of publicly accessible computers. I decided to use a virtual transparent firewall to protect the entire network and make no changes on the client computers. This is document describes how I did it.
First the hardware: I decided to use a Dell Poweredge 1900 with ESXi server. The server has (2) Quad Core Processors, 16GB of RAM and 3 NICs. The storage is local with 4 drives set in a RAID 5 providing 600GB of storage.
Now for the NIC setup. You can see from the below diagram the BSD Bridge is setup on vmnic0
and vmnic1
, vmnic2
is reserved for management and other VM’s.
One VERY IMPORTANT note before I begin to explain the setup of the OpenBSD VM, the two NICS that will be used for the transparent firewall must be setup in ESXi for promiscuous mode! See the image below.
Configure the OpenBSD VM with two NICS, both tied to the NICs configured in promiscuous mode. Install OpenBSD on the VM.
For the configuration of OpenBSD do the following:
Enable PF and IP forwarding (edit /etc/rc.conf and /etc/sysctl.conf
)
Configure the bridge (substitute your NIC names in place of vic0 and vic1)
First create the file /etc/bridgename.bridge0
:
1
|
|
Add the following to the bridgename.bridge0
file:
1 2 3 |
|
After you have added this file reboot the OpenBSD VM, when the system comes back up you should see the following when issuing ifconfig -a
1 2 |
|
Once you have confirmed the bridge is running its time to configure pf to control the traffic. Here is an example /etc/pf.conf
file that blocks all
external traffic destined for the internal network and allows all internal traffic destined for the internet:
1 2 3 4 5 6 7 8 9 10 |
|
A more elaborate example allows SSH traffic from specific IP’s to the internal network and configures OpenDNS redirection for content filtering on the internal network:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
Here is a diagram of the hardware setup and wiring: