Question about installing OpenBSD as Firewall

[afcelie]

Hello,
I am new to openBSD and want to use this OS as a firewall, within a firewall cluster. We have now 2 machines acting as a firewall which is not capable of doing the following:
active / active and load balancing.
I do have experience with Linux and Unix.
Can someone help me on how to set up a system with the features:
active /active firewall
Loadbalancing
Nat

Thanx

[jggimi]

1. Use the FAQ. Avoid third party how to documents like the plague.
2. The FAQ includes the PF Users Guide, which you will need.
3. The man pages are the definitive documentation, and you will need them also, for PF, carp, and pfsync.

[afcelie]

Well thanx, the faq look very wel documented, but when installing my first firewall script I got the following error±
# Removing ip address: lo ::1 prefixlen 128
ifconfig: SIOCGIFXFLAGS: Device not configured
ifconfig: SIOCSIFXFLAGS: Device not configured
ifconfig: SIOCDIFADDR: Device not configured
ifconfig: SIOCGIFFLAGS: Device not configured

It is a firewall for test within a vmware environment.

[jggimi]

Your script has plenty of errors in it. What those errors are, I cannot tell until you post it.

[jggimi]

Actually I can tell what the majority of errors are. You are issuing the ifconfig command against devices that do not exist in your test system. NICs must be present to be provisioned.

[afcelie]

Attached my files :
System config:
em0 --> outside
em1 --> inside
em2 --> future use.
lo

[jggimi]

There is no device called "lo". That is a device type, not a device. Loopback devices are lo0, lo1, etc. There is a device group "lo" however. Best practice is to use the lo0 device unless you have multiple loopback devices.

You did not include a dmesg, but if you had, you may not see the "em" devices you are attempting to configure.....as mentioned already.

I have never used any "builder" application, and cannot answer any questions about your input to one, out the output produced.

[afcelie]

Thanx for the help, it was indeed the naming of the lo interface which was not correct.
The gui we are using is for other persons within my company, whom are not that familiar with command line innterfaces.

[BSDfan666]

No offence, but such people should not have access to firewall configuration.

[afcelie]

I know, but then again, I cannot handle all of our systems by my own. I am also curious if there isn't someone indeed using a gui for maintaining the firewalls. We are using FWBuilder, because of the Linux firewalls. But I have found out that the openBsd firewalls can do more than the Linux firewalls.
But is quite a study for something new.
I am still having trouble on how to use Fwbuilder with NAT.

[jggimi]

Start with the PF Users Guide. Leave your GUI tool in the box that it came in. You will find the Guide in html and pdf from the FAQ top page.

[ocicat]

Quote:

Originally Posted by afcelie

I am also curious if there isn't someone indeed using a gui for maintaining the firewalls.

The project developers don't advocate the use of GUI tools for two reasons:

• GUI tools are yet another layer. Development on pf(4) has been progressed so quickly that no GUI tool has kept up.
• To effectively use pf(4) requires understanding. Understanding comes from studying the pf(4) manpage & PF Users' Guide.

The only third-party document which comes close to serving as a pf(4) introduction is Hansteen's manuscript:

http://home.nuug.no/~peter/pf/

[wimwauters]

Quote:

Originally Posted by afcelie

I know, but then again, I cannot handle all of our systems by my own.

By using UNIX command-line tools you will be able to manage all your firewalls by yourself: the unixverse encourages automation of roll-out, management and monitoring/auditing. All you need is time to study and to build up your experience