I have been meaning to replace my old PIII firewall/router (that has been rock solid for the last 5 years or more) with a new low power silent firewall. Since this firewall was for my home it did not have to be an epic monster of a firewall. The PIII type speeds were doing just fine. I started looking at all of the different commercial options I could find that met the following requirements:
I started the search with Soekris Engineering. I wanted the most powerful one closest to my requirements. That was their Net6501-50 model. It met requirements 1,2,3,4,5,6,7 but not 8. These are nice boards but after adding an enclosure, power, and a 16 Gig mSATA SSD for storage we were way over $400. So they were out.
Next up was the MSI MS-9A58. I had seen this announcement back in July of 2011 and figured this would be out by the first quarter of 2012. Boy was I wrong. As far as I can tell this thing is vaporware. It cannot be found being sold publicly anywhere. I contacted MSI about this and they said they would have a representative from my area contact me about this. I never heard anything back from them. So I was not going to waste any more time with them. They were out.
Next was the Lanner Inc FW-7535. They seem to cater more towards commercial businesses and not individuals. They met all the requirements except that pesky price again. They were $430 and that was before you added storage or RAM. So they were out.
This was starting to look grim. I could not find any commercial product that fit my requirements. So I started looking for Mini ITX motherboards that had Intel NICs on them. That is a feat in and of itself. Most Mini ITX/Micro ATX have crap NICs. Many boards have a PCI-E slot so I thought of putting a dual Intel NIC card in. Those cost a silly amount of money and blow the budget. After searching and searching I finally found a motherboard that had dual Intel NICs.
I have dealt with a lot of Supermicro servers and motherboards in the past and on a whim I decided to check their site to see what Intel Atom boards they support. Lo and behold, they sold an Intel Atom D525 mobo with dual Intel NICs. Then I saw the average going price for this mobo: $220 US dollars. Whooo, that is a lot of money for a little Mini ITX mobo. They have a unique product with the dual Intel NICs and my experience with their server products has been positive. So I had to spec out all the other parts to see if I could make my budget.
Here is the parts list with the prices I got from Amazon in early 2012.
Woot! Under $400 US dollars for everything. This is equal to or more powerful than most of the commercial offerings. 4G of DDR3 RAM. 30 Gig SSD. Dual core processor. This little guy is going to rock. Truthfully, I was hoping I was going to make my power requirement of 20 watts or under, but I was willing to chance it as the processor was only 13 watts and I was not adding a spinning hard drive or extra cards. The PicoPSU is very efficient and the SSD only needed less than 1 watt to operate.
All the parts arrived in about 1.5 weeks. I unboxed it all and assembled everything. It all fit together nicely. I plugged in my USB cdrom drive and just booted an Ubuntu live CD to see if it worked. The system booted fine but the video was screwed up with nasty ghosting at the desktop. To fix that I had to select F6 during boot and then select "nomodeset". Then everything looked fine. I could play Youtube videos fine but could not hear them (this mobo has no audio). Things looked and acted fine. Time to load and test the new firewall OS OpenBSD.
I loaded the amd64 SMP version of OpenBSD 5.0 on this machine and all major hardware was recognized fine. Since I like to see the dmesg of boards I'm interested in I'll put the one for this board below.
OpenBSD 5.0 (GENERIC.MP) #63: Wed Aug 17 10:14:30 MDT 2011
deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4283957248 (4085MB)
avail mem = 4155797504 (3963MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9f000 (19 entries)
bios0: vendor American Megatrends Inc. version "1.1a" date 12/17/10
bios0: Supermicro X7SPA-HF
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET GSCI EINJ BERT ERST HEST
acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P4P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) GBE_(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.25 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
cpu0: 512KB 64b/line 8-way L2 cache
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
cpu1: 512KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
cpu2: 512KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
cpu3: 512KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 1, remapped to apid 4
acpimcfg0 at acpi0 addr 0xe0000200, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P0P1)
acpiprt2 at acpi0: bus 1 (P0P4)
acpiprt3 at acpi0: bus -1 (P0P5)
acpiprt4 at acpi0: bus -1 (P0P6)
acpiprt5 at acpi0: bus -1 (P0P7)
acpiprt6 at acpi0: bus 2 (P0P8)
acpiprt7 at acpi0: bus 3 (P0P9)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel Pineview Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd0000000, size 0x10000000
inteldrm0 at vga1: apic 4 int 16
drm0 at inteldrm0
"Intel Pineview Video" rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: apic 4 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: apic 4 int 21
uhci2 at pci0 dev 26 function 2 "Intel 82801I USB" rev 0x02: apic 4 int 19
ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x02: apic 4 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi, address 00:25:90:62:d3:fc
ppb2 at pci0 dev 28 function 5 "Intel 82801I PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
em1 at pci3 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi, address 00:25:90:62:d3:fd
uhci3 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 4 int 23
uhci4 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 4 int 19
uhci5 at pci0 dev 29 function 2 "Intel 82801I USB" rev 0x02: apic 4 int 18
ehci1 at pci0 dev 29 function 7 "Intel 82801I USB" rev 0x02: apic 4 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x92
pci4 at ppb3 bus 4
pcib0 at pci0 dev 31 function 0 "Intel 82801IR LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801I AHCI" rev 0x02: msi, AHCI 1.2
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed t10.ATA_OCZ-VERTEX_0IJGRSLOH16TO7LUU361
sd0: 30533MB, 512 bytes/sector, 62533296 sectors, thin
ichiic0 at pci0 dev 31 function 3 "Intel 82801I SMBus" rev 0x02: apic 4 int 18
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627DHG
spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-8500 SO-DIMM
spdmem1 at iic0 addr 0x51: 2GB DDR3 SDRAM PC3-8500 SO-DIMM
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x61/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG rev 0x25
lm2 at wbsio0 port 0xca0/8: W83627DHG
mtrr: Pentium Pro MTRR support
lm1: disabling sensors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on sd0a (d3a068d6a74e03de.a) swap on sd0b dump on sd0b
syncing disks... done
Temp readings next to the CPU heat sink at idle (in a ~22 deg C room) were 36 deg C. Loading up CPU 0-3 I got the case temps up to 43 C. I put a temperature probe next to the heatsink to check this. I tried checking the sensors using the "sysctl -a | grep sensors" command but the CPU temp numbers never moved from 36 C no matter how much I loaded up the CPU. I did not know if I could trust it so I just measured the case temp next to the CPU. I would suggest standing the case on its side with the CPU towards the top of the case. It keeps it cooler than laying it flat on the ground.
Power usage for the machine at idle is 15 watts. Power usage with all CPU cores going is 20 watts.
Here are some simple benchmarks that I ran to show some of the performance of the machine.
The first is generating random data from /dev/random
[root@gateway ~]# dd if=/dev/random of=/dev/null count=819200
819200+0 records in
819200+0 records out
419430400 bytes transferred in 21.866935 secs (19181033 bytes/sec)
Next are OpenSSL speed tests. Algorithms that show 0.00 (idea, seed) are simply not compiled into this OpenSSL build. Note also that the D525 has no AES-NI, so the AES figures (roughly 20-26 MB/s) are what IPsec or an SSL-terminating proxy on this box would actually get.
[root@gateway ~]# openssl speed
The 'numbers' are in 1000s of bytes per second processed.
type              16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                961.79k     2204.30k     3090.33k     3435.46k     3551.23k
mdc2              2757.37k     3157.72k     3274.24k     3296.39k     3309.42k
md4               9164.99k    34461.12k   108403.33k   235022.10k   358481.21k
md5               7061.10k    24726.32k    71144.30k   132955.46k   178292.52k
hmac(md5)         9646.12k    32317.85k    84986.66k   143599.30k   180604.20k
sha1              7502.78k    24256.14k    58607.92k    90639.36k   107998.48k
rmd160            7355.56k    23067.55k    54773.38k    83895.57k    99242.46k
rc4              77418.12k    89134.72k    92382.77k    93491.91k    93761.83k
des cbc          18798.24k    19890.53k    20251.74k    20341.95k    20367.07k
des ede3          7232.13k     7402.37k     7453.83k     7466.91k     7465.96k
idea cbc             0.00         0.00         0.00         0.00         0.00
seed cbc             0.00         0.00         0.00         0.00         0.00
rc2 cbc          15679.25k    16484.81k    16689.58k    16741.58k    16754.62k
rc5-32/12 cbc    73649.78k    89319.22k    96025.50k    97772.87k    98269.76k
blowfish cbc     38657.85k    42950.85k    44114.70k    44479.50k    44571.57k
cast cbc         29368.53k    31625.61k    32448.47k    32649.28k    32682.48k
aes-128 cbc      24440.93k    25611.21k    26016.21k    26124.72k    26149.86k
aes-192 cbc      21626.17k    22536.93k    22852.96k    22932.37k    22953.70k
aes-256 cbc      19363.58k    20121.02k    20372.97k    20436.92k    20453.09k
camellia-128 cbc 38105.79k    41741.00k    42644.70k    42953.75k    43003.58k
camellia-192 cbc 30015.58k    32199.14k    32733.85k    32915.59k    32933.34k
camellia-256 cbc 29983.15k    32196.21k    32731.10k    32913.08k    32932.85k
sha256            5836.80k    14645.67k    27516.54k    35321.35k    38500.85k
sha512            4325.79k    17296.19k    32305.03k    49482.50k    58550.92k
aes-128 ige      28312.23k    30521.42k    31355.86k    31537.15k    31522.73k
aes-192 ige      24590.47k    26277.66k    26867.62k    27001.09k    26986.02k
aes-256 ige      21750.73k    23051.08k    23504.44k    23604.96k    23586.53k
                   sign    verify    sign/s verify/s
rsa  512 bits 0.000835s 0.000059s   1197.1  16812.6
rsa 1024 bits 0.003065s 0.000152s    326.3   6580.4
rsa 2048 bits 0.016939s 0.000462s     59.0   2166.2
rsa 4096 bits 0.106317s 0.001573s      9.4    635.8
                   sign    verify    sign/s verify/s
dsa  512 bits 0.000600s 0.000630s   1666.2   1588.0
dsa 1024 bits 0.001475s 0.001690s    678.0    591.6
dsa 2048 bits 0.004462s 0.005293s    224.1    188.9
Lastly, a few iperf tests. I did not do much here so these numbers could likely be improved.
# From firewall to Linux box. Linux tweaked, BSD no tweaks. Both MTUs 1500.
# Same result with PF firewall on or off with pass all
================================
Server listening on TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[  4] local 192.168.0.30 port 5001 connected with 192.168.0.246 port 46813
------------------------------------------------------------
Client connecting to 192.168.0.246, TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[  6] local 192.168.0.30 port 56225 connected with 192.168.0.246 port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-60.0 sec  5.12 GBytes   733 Mbits/sec

# From linux box to firewall. BSD no tweaks. MTU 1500
# PF on with pass all rule
------------------------------------------------------------
Client connecting to 192.168.0.246, TCP port 5001
TCP window size: 977 KByte (default)
[  3]  0.0-20.0 sec  1.27 GBytes   544 Mbits/sec

# From linux box to firewall. BSD no tweaks. MTU 1500
# PF off
------------------------------------------------------------
Client connecting to 192.168.0.246, TCP port 5001
TCP window size: 977 KByte (default)
[  3]  0.0-20.0 sec  1.53 GBytes   657 Mbits/sec

# From linux box through firewall to other linux box. BSD no tweaks. MTU 1500
# PF on with pass all rule
[  3]  0.0-20.0 sec  1.54 GBytes   661 Mbits/sec

# From linux1 box through firewall to linux2 box. Bidirectional. BSD no tweaks. MTU 1500
# PF on
---------------------------------------
root@host:~# iperf -c 10.10.10.20 -i 1 -t 20 -d
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 10.10.10.20, TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[  4] local 192.168.0.30 port 33884 connected with 10.10.10.20 port 5001
[  5] local 192.168.0.30 port 5001 connected with 10.10.10.20 port 38954
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-20.0 sec   386 MBytes   162 Mbits/sec
[  5]  0.0-20.0 sec  1.60 GBytes   688 Mbits/sec

# From linux1 box through firewall to linux2 box. Bidirectional. BSD w/tweaks. MTU 1500
# PF on
root@host:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[  4] local 192.168.0.30 port 5001 connected with 10.10.10.20 port 38960
------------------------------------------------------------
Client connecting to 10.10.10.20, TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[  6] local 192.168.0.30 port 34046 connected with 10.10.10.20 port 5001
[ ID] Interval       Transfer     Bandwidth
[  6]  0.0-20.0 sec   492 MBytes   206 Mbits/sec
[  4]  0.0-20.0 sec  1.60 GBytes   688 Mbits/sec

# From linux2 box through firewall to linux1 box. Bidirectional. BSD w/tweaks. MTU 1500
# PF on
-----------------------------------------------------
root@box:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[  4] local 192.168.0.30 port 5001 connected with 10.10.10.20 port 38992
------------------------------------------------------------
Client connecting to 10.10.10.20, TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[  6] local 192.168.0.30 port 34128 connected with 10.10.10.20 port 5001
Waiting for server threads to complete. Interrupt again to force quit.
[ ID] Interval       Transfer     Bandwidth
[  6]  0.0-20.0 sec   423 MBytes   177 Mbits/sec
[  4]  0.0-20.0 sec  1.56 GBytes   671 Mbits/sec
I'd say I'm pretty pleased with the outcome of this build. I have something that has more disk space, an equal or faster processor, and equal or more RAM, for a good deal less money than the commercial products I found. If I needed more NICs than just 2 then I might have taken a different route and not gone this way, as the commercial vendors did offer more NIC ports than this did. With this motherboard you could have put it in a different case with a riser card and thrown in an extra NIC card, since this has a PCI-E slot. That would give you one more NIC port. In the end it met my needs, and I had the satisfaction of doing it myself.
Update: Let me preface this article by saying that the install below was done on 9.0 release day. I've been told that on release day ports might not be totally up to speed. The packages mentioned below that were broken have been reported to me as fixed. I have not checked this myself. In any event every word below is true and reflects a FreeBSD 9.0 install on release day.
It seems like every 3 or 4 years I try out FreeBSD to see if it can replace my OpenBSD firewall. I was assembling a new firewall and decided to try the just released FreeBSD 9.0. It had so many cool new features and most importantly it had PF as an available packet filter. I would be replacing an older install of PF and my rulesets would have worked perfectly on this box without any modification (later releases of PF changed the structure of the rules).
The process started out great. Put a pre-made USB image of the installer on an old USB stick. OpenBSD does not offer this, so score one for FreeBSD. During install you can turn on TRIM support for your filesystems if you have an SSD. OpenBSD does not have this either. Score two for Free. The install was a breeze. This was looking fantastic so far. Logged in for the first time and did an update. That went very well. Unfortunately, it was a downward spiral from there.
Before doing any of my PF setup I needed to get a few packages installed that I use on my firewall. I use Postfix as a mail relay on my network. Postfix talks to my ISP via SASL and TLS. Any machine on my network can send mail to it and it will relay that mail through the ISP. I install the FreeBSD prebuilt package for Postfix. I set up the config and fire up Postfix. I send a test email that does not go through. Checking the logs it tells me SASL is not built into Postfix. No problem I think. OpenBSD has a separate package built with SASL for Postfix, surely FreeBSD has done the same right? Wrong! Crap, now we have to use ports.
In FreeBSD, ports is a collection of files you will need to compile (build) applications. I thought I could get through a full system setup and not use the ports system like I can on OpenBSD. I was sadly mistaken about this. As I found out later with PF and Postfix and who knows what else, unless you have the most basic of setups you're going to need ports with FreeBSD. So I go to install the files for ports since I did not do it during install. The fantastic FreeBSD handbook guides you through installing ports. One little issue. The FreeBSD handbook has not been updated for FreeBSD 9.0. FreeBSD 9.0 does not use sysinstall anymore yet they have not disabled it. So it looks like it might work but then bombs out. It took a while to find this out, no thanks to the handbook. Many Google searches point to using sysinstall to install ports. I took some other advice from the handbook and just used csup and portsnap to get the source. Not as easy but it finally worked. I got Postfix compiled with SASL and it worked fine after it installed.
I installed a few other basic packages I needed from the precompiled packages and then started on PF. I checked the handbook again on PF just to make sure there were no surprises. Surprise, I find out ALTQ is not built into the FreeBSD kernel, nor is it built as a kernel module for the generic kernel. Really? You can't even build it as a kernel module so it can be loaded if need be. Good grief. Now we have to build a new kernel with ALTQ. Glad we already have ports. ALTQ is built into the generic OpenBSD kernel by default. Now I'm starting to wonder if this was a good idea. I built the new kernel with ALTQ in it and the install went great. I'm not done yet but I can't take much more of this constant building of things that just seem to work on OpenBSD. But I'm a trooper so I continue.
Now that PF w/ALTQ is working we need some tools to help with managing PF. Pftop is a fantastic way to view all of the traffic going through your PF firewall in real time. It is a must have for anyone using PF as a firewall. I can't say I'm shocked that there is no precompiled package for it. That seems to be the theme. On to ports then. I switch to ports and run my make to start the compile. Lo and behold I get this nice message: "PFtop port is broke ===> pftop-0.7_1 is marked as broken: does not compile on 9.X". Are you f'ing kidding me! Broken! That's just great. Well I wonder, how about another PF package I want to install called pfflowd. I switch to that ports dir and run a make. I get "PFFlowd is broke ===> pfflowd-0.7 is marked as broken: does not compile.". That is my breaking point. Both of these can be installed as packages in OpenBSD in about 10 seconds. That is when I knew I was done with FreeBSD.
I wanted this to work out so bad. Your community looks so much friendlier than OpenBSD's. You focus on performance and more cutting edge things than OpenBSD, but alas when it comes to being a PF firewall you stink. Your PF ports are broken, you have to compile ALTQ into the kernel or a module, and even your Postfix package needs to be recompiled to support SASL. I'm sure you're good at many other things like webservers or big filesystems using ZFS, but you don't seem to give too much love to PF or its packages. Hopefully in the future all the packages will be fixed by 9.1, and someone will make the decision that ALTQ is worthy of being compiled into the generic kernel (or as a module). I wish you the best, FreeBSD.
One of the reasons I fought so hard to stay with FreeBSD was for the TRIM support its filesystem offered for my SSD. Also, FreeBSD supported the old PF ruleset format I had, so I would not have had to update my rules. Doing more research I found out that my SSD has a built-in garbage collection routine so TRIM support was not a must, it would just help expedite cleanup. After reading that I was willing to just update the PF rules so I could get back to a nice simple OpenBSD box. PF is made by the OpenBSD group and it's no wonder why they have so much support for it. I learned a lot about FreeBSD in this process but the journey was way too long and involved. My install of OpenBSD went smoothly, and all of the packages for PF installed fine and worked without issue. Postfix w/SASL installed right from a package and there were no kernel recompiles. Also, there was no need to load the OpenBSD ports collection which saved me a ton of space (did I mention FreeBSD ports was a few Gigs just by itself). The whole OpenBSD install was less than 1 Gig. When you can run your whole distro from pre-made packages it can really cut down on disk space and time to install.
I tried to stray but nobody does PF better than the creator. The grass was not greener. The simple and fast install is a pleasure to use. The minimal disk space it takes up is rare these days. The package maintainers make multiple versions of popular packages with different options compiled in so each person can have what they want. OBSD has everything a person could want when making a firewall using PF. I do wish that in the future they will update the filesystem with some speed improvements and more features. Also, possibly make a bootable install image that can easily be put on a memory stick like FreeBSD does. Time to head over to the OpenBSD store to buy some things to help support the cause.
I thought it would be fun to get pantz.org up and rolling on IPv6 before the next World IPv6 Day. My hosting company Linode offers IPv6 now, and they made it real easy to get it going. I just clicked a link in my control panel to turn it on and then rebooted. The address was configured automatically on the interface at boot. Judging by the ff:fe in the middle of the interface identifier, it is an EUI-64 address derived from the MAC and handed out by router advertisements (SLAAC) rather than by a DHCP server. Below is an ifconfig example of an interface running both IPv4 and IPv6 at the same time.
eth0 Link encap:Ethernet HWaddr ff:ff:de:ad:be:ef
inet addr:74.207.225.175 Bcast:74.207.225.255 Mask:255.255.255.0
inet6 addr: 2600:3c02::f03c:91ff:fe93:9678/64 Scope:Global
inet6 addr: fe80::f03c:91ff:fe93:9678/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
....
Now that we have a native IPv6 address we need to test that it works. Google has an IPv6-only hostname you can use for this; because it has only an AAAA record, a reply proves the packets actually went over IPv6. Just use the IPv6 version of ping and you should see a response if everything is set up correctly. Example: ping6 ipv6.google.com.
Let's get some IPv6 firewalling going. On Linux, iptables is the IPv4 packet filter; for IPv6 you use ip6tables. The syntax is nearly identical, so most of your IPv4 rules carry over, with two things to watch. First, you cannot block ICMPv6 wholesale the way people often treat ICMP on IPv4: neighbor discovery, router advertisements and path MTU discovery all ride on it, and without them the host loses its default route and its address lifetime. Second, the link-local (fe80::/10) and multicast (ff02::/16) traffic those mechanisms use has no IPv4 equivalent and needs its own rules. An interesting note: at the time of writing ip6tables does not support NAT, and according to the developers it was unlikely ever to be supported. (IPv6 NAT did later land in Linux 3.7, but the design intent of IPv6 is that hosts get globally routable addresses and are protected by filtering, not by translation.)
Below is an example of host firewalling with ip6tables. It is a bash script written to live in the /etc/init.d dir. It responds to the start, stop and restart commands to load or clear the rules, and its usage text also lists off, which cuts all non-loopback traffic. I called my rules ip6tables. Make the file and put it in the /etc/init.d dir. If you're running a Debian based system (Ubuntu and such) then you can run chmod 700 /etc/init.d/ip6tables; update-rc.d ip6tables defaults on the file to have it start on boot. Be careful when loading a default-DROP ruleset over SSH: test it from a console first, or leave a fallback running such as sleep 120 && /etc/init.d/ip6tables stop so one mistake does not lock you out.
#!/bin/bash
#
# IPv6 firewall rules. Chain policies are DROP, so traffic must be explicitly allowed.
#
######################################################################
function on {
echo "Firewall: enabling filtering"
# Clear any previous rules.
ip6tables -F
ip6tables -F -t mangle
ip6tables -X
# Default drop policy.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Allow anything over loopback.
ip6tables -A INPUT -i lo -s ::1/128 -j ACCEPT
ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT
# Allow link-local sources. Router advertisements and neighbor discovery come
# from fe80:: addresses; this rule must sit before the ff02::1 reject below.
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
# Drop packets with a type 0 routing header (deprecated by RFC 5095; it lets an
# attacker bounce traffic through the host for amplification).
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
# Drop any TCP packet that does not start a connection with a SYN flag.
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop any invalid packet that conntrack could not identify.
ip6tables -A INPUT -m state --state INVALID -j DROP
# Drop bogus flag combinations (null scan, SYN/FIN, SYN/RST, FIN/RST, FIN or URG without ACK).
ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
ip6tables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# Reject traffic to the link-local all-nodes multicast group from anything that
# is not link-local (link-local sources were already accepted above).
ip6tables -A INPUT -d ff02::1 -j REJECT
# Allow TCP/UDP connections out. Keep state so replies to those connections are allowed back in.
ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow ICMPv6 in/out/forward. ICMPv6 carries neighbor discovery, router
# advertisements and path MTU discovery, so IPv6 breaks without it. Allow open for now.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
# Allow new HTTP connections in (this host runs a web server). Comment out if not needed.
ip6tables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# Log and then drop everything that did not match above. LOG does not terminate
# the chain, which is why the explicit DROP follows it.
ip6tables -A INPUT -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
ip6tables -A FORWARD -j DROP
ip6tables -A OUTPUT -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
ip6tables -A OUTPUT -j DROP
}
######################################################################
function off {
# Disable filtering entirely.
echo "Firewall: disabling filtering (allowing all access)"
ip6tables -F
ip6tables -F -t mangle
ip6tables -X
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
}
######################################################################
function lockdown {
# Stop all external connections; only loopback keeps working.
# A chain policy can only be ACCEPT or DROP (REJECT is not a valid policy).
echo "Firewall: stopping all external connections"
ip6tables -F
ip6tables -F -t mangle
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
# allow anything over loopback
ip6tables -A INPUT -i lo -s ::1/128 -j ACCEPT
ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT
}
case "$1" in
start)
on
;;
stop)
off
;;
restart)
off
on
;;
off)
lockdown
;;
*)
echo "$0 {start|stop|restart|off}"
echo "start executes the primary ruleset."
echo "stop disables all filtering."
echo "restart clears the rules and then enables them again."
echo "off drops all non-loopback connections."
;;
esac
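Because ip6tables evaluates a chain top to bottom and stops at the first terminating target, the order of the rules above matters as much as their content: router advertisements (ICMPv6 from a fe80:: source to ff02::1) are accepted by the link-local rule before the ff02::1 REJECT ever sees them, and a SYN+FIN probe is dropped by the "! --syn" rule before the port 80 rule gets a chance. The following tracer is an added example, not code from the original post: it models the INPUT chain in the order the script appends it and reports which rule a constructed packet hits first. Conntrack is not modelled; the packet's state field is what -m state would have reported, supplied by hand, and the sample addresses (2001:db8::/32 plus the server address shown in the post) are constructed.

```python
"""Rule-order tracer for the INPUT chain of the ip6tables script above (added example)."""
import ipaddress
from dataclasses import dataclass

ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


def F(*names):
    return frozenset(names)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "ipv6-icmp"
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flags that are set
    state: str = "NEW"                  # NEW, ESTABLISHED or INVALID (as -m state would see it)
    in_if: str = "eth0"
    rt_type0: bool = False              # packet carries a type 0 routing header


@dataclass
class Rule:
    name: str
    target: str                         # ACCEPT, DROP, REJECT or LOG (LOG never terminates)
    src: str = None                     # -s prefix
    dst: str = None                     # -d prefix
    proto: str = None                   # -p
    dport: int = None                   # --dport
    in_if: str = None                   # -i
    states: frozenset = None            # -m state --state
    syn: bool = None                    # True for --syn, False for ! --syn
    tcp_flags: tuple = None             # --tcp-flags MASK COMP as (mask, comp)
    rt_type0: bool = False              # -m rt --rt-type 0

    def matches(self, p: Packet) -> bool:
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.rt_type0 and not p.rt_type0:
            return False
        if self.syn is not None:
            # --syn means SYN set with ACK, RST and FIN all clear
            is_syn = "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})
            if is_syn != self.syn:
                return False
        if self.tcp_flags:
            mask, comp = self.tcp_flags
            if (p.flags & mask) != comp:
                return False
        return True


# The INPUT chain of the script, in the order ip6tables -A builds it.
INPUT = [
    Rule("loopback", "ACCEPT", in_if="lo", src="::1/128"),
    Rule("link-local", "ACCEPT", src="fe80::/10"),
    Rule("rt0", "DROP", rt_type0=True),
    Rule("new-not-syn", "DROP", proto="tcp", syn=False, states=F("NEW")),
    Rule("invalid", "DROP", states=F("INVALID")),
    Rule("null-scan", "DROP", proto="tcp", tcp_flags=(ALL_FLAGS, F())),
    Rule("syn-fin", "DROP", proto="tcp", tcp_flags=(F("SYN", "FIN"), F("SYN", "FIN"))),
    Rule("syn-rst", "DROP", proto="tcp", tcp_flags=(F("SYN", "RST"), F("SYN", "RST"))),
    Rule("fin-rst", "DROP", proto="tcp", tcp_flags=(F("FIN", "RST"), F("FIN", "RST"))),
    Rule("fin-no-ack", "DROP", proto="tcp", tcp_flags=(F("ACK", "FIN"), F("FIN"))),
    Rule("urg-no-ack", "DROP", proto="tcp", tcp_flags=(F("ACK", "URG"), F("URG"))),
    Rule("all-nodes", "REJECT", dst="ff02::1/128"),
    Rule("tcp-established", "ACCEPT", proto="tcp", states=F("ESTABLISHED")),
    Rule("udp-established", "ACCEPT", proto="udp", states=F("ESTABLISHED")),
    Rule("icmpv6", "ACCEPT", proto="ipv6-icmp"),
    Rule("http", "ACCEPT", proto="tcp", dport=80,
         tcp_flags=(F("SYN", "RST", "ACK"), F("SYN")), states=F("NEW")),
    Rule("log", "LOG"),
    Rule("final-drop", "DROP"),
]


def trace(chain, pkt, policy="DROP"):
    """Return (verdict, [names of rules hit]) for pkt walked through chain."""
    hits = []
    for rule in chain:
        if rule.matches(pkt):
            hits.append(rule.name)
            if rule.target != "LOG":    # LOG matches but processing continues
                return rule.target, hits
    return policy, hits                 # fell off the end: the chain policy applies


# Constructed sample packets (2001:db8:: is the documentation prefix).
HOST = "2600:3c02::f03c:91ff:fe93:9678"     # the server address shown in the post
SAMPLES = {
    "router advertisement": Packet("fe80::1", "ff02::1", "ipv6-icmp"),
    "http syn": Packet("2001:db8::5", HOST, "tcp", 80, F("SYN")),
    "http reply ack": Packet("2001:db8::5", HOST, "tcp", 80, F("ACK"), state="ESTABLISHED"),
    "ssh syn": Packet("2001:db8::5", HOST, "tcp", 22, F("SYN")),
    "syn-fin probe": Packet("2001:db8::5", HOST, "tcp", 80, F("SYN", "FIN")),
    "global src to all-nodes": Packet("2001:db8::9", "ff02::1", "udp", 5353),
}


def trace_samples():
    return {name: trace(INPUT, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, hits) in trace_samples().items():
        print(f"{name:26s} -> {verdict:7s} via {' > '.join(hits)}")
```

Run it and the "ssh syn" sample shows the LOG rule firing before the final DROP, while "syn-fin probe" never reaches the dedicated SYN/FIN rule at all. Reordering the chain (for example moving the ff02::1 REJECT above the link-local ACCEPT) changes the verdict for the router advertisement sample, which is the kind of regression this sort of tracer catches before a ruleset goes live.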
I use Nginx for my webserver so I had to change the config to have it listen for IPv6. First check that your Nginx supports IPv6 with the command nginx -V. It should show "--with-ipv6" in the output (builds from nginx 1.11.5 on always include IPv6 and no longer show this flag). After verifying IPv6 is compiled in we can change the config. I put my IPv6 listen statement in the config and restarted. On restart the following error showed up:
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: bind() to [::]:80 failed (98: Address already in use)
[emerg]: still could not bind()
I believe this error relates to how a modern version of Linux uses a hybrid dual-stack implementation of IPv4 and IPv6. On Linux an IPv6 socket bound to the wildcard address [::] also accepts IPv4 connections by default (net.ipv6.bindv6only=0), so the [::]:80 listener tries to claim port 80 for IPv4 as well and collides with the *:80 listener that is already bound. To fix this I had to put ipv6only=on on the IPv6 line, or Nginx would throw that error and not start. The parameter sets the IPV6_V6ONLY socket option so the [::]:80 socket accepts IPv6 only, and the two listen lines no longer overlap. The final working lines are below. There are other lines in the server {} block; I'm just showing the IPv4 and IPv6 listen lines. Restart Nginx after you put the IPv6 line in. Two caveats for newer versions: nginx 1.3.4 and later default ipv6only to on, so the parameter is only needed on older builds, and default has since been renamed default_server.
server {
...
listen *:80;
listen [::]:80 default ipv6only=on;
...
}
For every virtual server after setting the default server (like above) you will just need the following listen lines that don't reference the default server or IPv6.
server {
...
listen *:80;
listen [::]:80;
...
}
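The bind() collision above can be reproduced with plain sockets, which makes it clear that this is kernel behaviour and not an Nginx quirk. The script below is an added example, not part of the original post: it opens a listener on 0.0.0.0 (what listen *:80 does), then tries to bind [::] on the same port with IPV6_V6ONLY cleared (the dual-stack default that caused the error) and with it set (what ipv6only=on does). It uses an ephemeral port so it needs no privileges, and it returns None instead of a verdict on hosts where IPv6 sockets are unavailable.

```python
"""Why 'listen [::]:80' collides with 'listen *:80' unless ipv6only=on (added example)."""
import errno
import socket


def bind_v6_after_v4(v6only: bool):
    """Return "EADDRINUSE" if the [::] bind collides with the 0.0.0.0 listener,
    "ok" if it succeeds, or None if this host cannot create or bind IPv6 sockets."""
    try:
        v4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return None
    try:
        v4.bind(("0.0.0.0", 0))         # kernel picks a free port, like *:80 would
        v4.listen(1)
        port = v4.getsockname()[1]
    except OSError:
        v4.close()
        return None
    try:
        try:
            v6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        except OSError:
            return None                 # IPv6 not compiled in or disabled on this host
        try:
            # Must be set before bind(). 0 = dual-stack socket that also claims the
            # IPv4 side of the port; 1 = IPv6 only, which is what ipv6only=on selects.
            v6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
            v6.bind(("::", port))
            return "ok"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "EADDRINUSE"     # what nginx reports as (98: Address already in use)
            return None                 # e.g. EADDRNOTAVAIL when IPv6 is disabled via sysctl
        finally:
            v6.close()
    finally:
        v4.close()


if __name__ == "__main__":
    print("dual-stack [::] after 0.0.0.0:", bind_v6_after_v4(False))
    print("v6only    [::] after 0.0.0.0:", bind_v6_after_v4(True))
```

On a stock Linux box the first call returns "EADDRINUSE" and the second "ok". The order matters only for which socket gets the error: if the [::] dual-stack socket is bound first, it is the later 0.0.0.0 bind that fails, which is why some nginx setups "work" with a single listen [::]:80 line and no IPv4 listener at all.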
With IPv6 you publish an AAAA record (quad A) alongside your existing A record; a dual-stack site keeps both, and clients pick whichever family they can reach. The entry has the same shape as an A record, just with the IPv6 address and three more A's in the type. Update your DNS server with that record and then test it with dig. An example of that test would look like the following.
> dig @ns1.linode.com www.pantz.org aaaa
....
;; QUESTION SECTION:
;www.pantz.org.                 IN      AAAA

;; ANSWER SECTION:
www.pantz.org.          86400   IN      AAAA    2600:3c02::f03c:91ff:fe93:9678
....
After you get your quad A record entry in, people should be able to reach your website through IPv6. If you don't have an IPv6 connection yourself you can check your site's connectivity with http://IPv6-test.com. If that website says it was successful then congrats, you're up and rolling. Check your webserver logs for access from an IPv6 address, then make sure the resulting code was 200 OK for that access.