Tuesday, May 22, 2012

My #OpenBSD Adventure

My concept is to come out of this with an OpenBSD firewall with the following features:
1. Separate WiFi and hard-wired segments
2. DNS Caching
3. SSH/VPN tunnel
4. DHCP with static entries for known hosts
5. "Guest" SSID with nocat/authpf captive portal and restricted rulesets
6. Known WiFi hosts have access to wired file shares and other services
7. Squid, preferably in a transparent configuration, for both WiFi and wired
8. Silent and low power (looking for a Mini-ITX solution, quite a way in the future)
9. IDS with alerting via email/txt
10. Shape traffic and QoS (give email/IM/web traffic priority over downloads)

I do not think I will have web/email services on the main firewall, as that cannot be considered best practice. I am setting up this lovely bit of overkill on my home network as practice for doing a similar setup for clients. Unless there is a serious money issue for the client and they require internal web/mail services, I would do for them what I will do for myself and have a separate box for web/mail/etc.

I'm going to start this on an old Dell PC salvaged from a pawn shop for about $100. This is going to be noisier and take more power than the final machine. This motherboard has an Intel Gigabit NIC onboard, which will plug into the 5-port Gigabit hub. I've added a 10/100Mbit 3Com I had lying around to connect to the ISP router.

My adventure begins tonight, May 22nd, after having purchased a Belkin N300 Micro WiFi-N USB adapter. I have verified the adapter is in working condition by booting an Ubuntu live USB.

Installing OpenBSD 5.1 to a 4GB USB stick (the former Ubuntu live USB) was trivial, as it was detected as sd0. I just let it autopartition from there.

My NIC setup is: xl0 (3Com 3c895C 10/100, "external"), em0 (Intel Pro 10/100/1000, "wired"), and either the Belkin N300 I purchased tonight or, if that proves a bit beyond my abilities, a 3Com 3C905C 10/100 salvaged from an old machine plugged into an inexpensive WiFi-N "router".
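For the items on the list that pf(4) itself covers (1 through 7 and 10), here is a pf.conf sketch in OpenBSD 5.1 syntax, added as an example and not the author's actual configuration. It takes xl0 and em0 from the post; "run0" is a placeholder for whatever driver the USB WiFi adapter ends up with, and the addresses, the two known-host entries, the 5 Mb uplink figure and the squid port are all assumed.

```pf
# Added example, not the post's own config. Assumptions: "run0" stands in for the
# USB WiFi adapter's driver name; addresses, hosts and bandwidth are constructed.
ext_if    = "xl0"
wired_if  = "em0"
wifi_if   = "run0"
wired_net = "10.0.1.0/24"
wifi_net  = "10.0.2.0/24"

table <known_wifi>   persist { 10.0.2.10, 10.0.2.11 }  # item 6: trusted WiFi hosts
table <authpf_users> persist                           # item 5: filled by authpf(8)

set skip on lo

# Item 10: altq shaping on the uplink; interactive traffic gets the priority queue
altq on $ext_if cbq bandwidth 5Mb queue { std, pri, bulk }
queue std  bandwidth 30% cbq(default)
queue pri  bandwidth 50% priority 5 cbq(borrow)
queue bulk bandwidth 20% priority 1

match out on $ext_if nat-to ($ext_if)

# Item 7: transparent squid for both segments. "match" only rewrites the
# destination; the pass/block rules below still decide who reaches the proxy.
match in on { $wired_if, $wifi_if } proto tcp from { $wired_net, $wifi_net } \
    to any port 80 rdr-to 127.0.0.1 port 3128

block all

# Items 2, 3, 4: DNS cache, SSH and DHCP offered by the firewall to both segments
pass in on { $wired_if, $wifi_if } proto { tcp, udp } to self port 53
pass in on { $wired_if, $wifi_if } proto tcp to self port 22
pass in on { $wired_if, $wifi_if } inet proto udp from any port 68 to any port 67

# Item 1: wired hosts may go anywhere; WiFi is kept off the wired LAN unless
# the host is known (item 6) or has logged in through authpf (item 5), in which
# case it still gets outbound access only. Last matching rule wins.
pass in on $wired_if from $wired_net
pass in on $wifi_if from <known_wifi>
pass in on $wifi_if from <authpf_users> to ! $wired_net
anchor "authpf/*"

# Replies back into the LANs, and uplink traffic sorted into the altq queues
pass out on { $wired_if, $wifi_if }
pass out on $ext_if queue std
pass out on $ext_if proto tcp to any port { 25, 587, 993, 443, 5222 } queue pri
```

This assumes net.inet.ip.forwarding is enabled and squid is listening on 127.0.0.1:3128 in transparent mode; items 8 and 9 (hardware and IDS alerting) are outside pf and not shown.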

As I turn in for the night, I'm running CVS checkout on -current, to rebuild the kernel and get the proper updated drivers (I hope).

An ambitious project, which I hope will lead to more knowledge and even crazier projects :)

**Edited because I remembered #10 :) **

2 comments:

Lawrence Teo said...

Instead of rebuilding the kernel from a CVS checkout, a better approach may be to download the latest OpenBSD snapshot from http://ftp3.usa.openbsd.org/pub/OpenBSD/snapshots/i386/ (download the install51.iso file).

That's a snapshot of -current that the OpenBSD team regularly builds and publishes. OpenBSD expects the kernel and userland tools to stay in sync (especially since features like rthreads have been activated in -current after 5.1), so using a snapshot ensures that you have a "good" copy of -current.

Unknown said...

See upcoming post ;)
I came to that conclusion when I woke up to a failed CVS message this morning.