3. Base configuration

Let's take a brief look at the base system configuration, which applies to all of our firewalls.

We won't go through the installation of the operating system, which is very well documented on the OpenBSD web site. The only advice is to install the bare minimum, so that unnecessary software cannot compromise the security and reliability of the firewall. Therefore, during installation, you only need to select the file sets marked as Required by the documentation, i.e.:

In particular, there should be no need to install the compiler set (compXX.tgz), which also avoids handing such a useful tool to possible intruders (see [PUIS]).

After the first reboot, we can start doing some basic configuration; by default, OpenBSD doesn't start unnecessary daemons, though I guess we can stop sndiod(8) on a firewall. It's also good practice to edit the /etc/motd file to give as little information as possible about the system and to warn users, whether legitimate or not, that all access is being logged and that any unauthorized access will be prosecuted (see [PUIS]).

You should already have configured the network during installation; anyway, if you need to make some changes, these are the main files to edit:

/etc/hostname.if(5)
containing information regarding the configuration of each network interface (address, netmask, etc.);
/etc/mygate(5)
containing the address of the gateway host;
/etc/myname(5)
containing the symbolic hostname (FQDN) of the machine;
/etc/resolv.conf(5)
containing the resolver configuration settings (name servers, local domain name, etc.).

Considering the large number of DNS-based attacks, it is also preferable, especially on firewalls, not to rely on DNS to resolve the names and addresses of the most critical systems, but rather to list them in the /etc/hosts(5) file; to give this file priority over DNS, make sure that /etc/resolv.conf(5) contains the line:

/etc/resolv.conf
lookup file bind

Packet Filter is enabled by default and loads its rules from the /etc/pf.conf(5) file; you may also want to change the pflogd(8) flags through the pflogd_flags variable. Last, don't forget to enable IP and IPv6 forwarding by issuing the commands:

# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# sysctl net.inet.ip6.forwarding=1
net.inet.ip6.forwarding: 0 -> 1
#

and to add the following lines to /etc/sysctl.conf(5) so that forwarding is re-enabled at every reboot:

/etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip6.forwarding=1
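As an added example (my own helper, not part of the original article), the following POSIX sh script audits a resolv.conf and a sysctl.conf for the two settings described above: the lookup order that puts /etc/hosts before DNS, and the persistent IP/IPv6 forwarding entries. File paths are passed as arguments, and the script builds constructed good/bad sample files so it can be run anywhere; the 192.0.2.53 resolver address is a documentation address, not a real one.

```shell
#!/bin/sh
# Added audit helper (not from the article): checks resolv.conf / sysctl.conf
# files given as arguments for the settings this section asks for.

# Succeed if the "lookup" line in $1 names "file" before "bind". No lookup
# line fails, since OpenBSD then defaults to consulting DNS before /etc/hosts.
check_lookup_order() {
    order=$(awk '$1 == "lookup" { for (i = 2; i <= NF; i++) print $i }' "$1")
    file_pos=0; bind_pos=0; n=0
    for src in $order; do
        n=$((n + 1))
        [ "$src" = "file" ] && file_pos=$n
        [ "$src" = "bind" ] && bind_pos=$n
    done
    [ "$file_pos" -gt 0 ] && [ "$bind_pos" -gt 0 ] && [ "$file_pos" -lt "$bind_pos" ]
}

# Succeed if $1 sets both forwarding sysctls to 1 (comments skipped,
# whitespace around '=' tolerated).
check_forwarding() {
    awk -F'=' '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "net.inet.ip.forwarding"  && $2 == "1" { v4 = 1 }
        $1 == "net.inet.ip6.forwarding" && $2 == "1" { v6 = 1 }
        END { exit !(v4 && v6) }
    ' "$1"
}

# Write constructed good/bad samples to a fresh directory and print its path
# (192.0.2.53 is a documentation address, not a real resolver).
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'nameserver 192.0.2.53\nlookup file bind\n' > "$d/resolv.good"
    printf 'nameserver 192.0.2.53\n' > "$d/resolv.bad"             # lookup line forgotten
    printf '# fw\nnet.inet.ip.forwarding=1\nnet.inet.ip6.forwarding = 1\n' > "$d/sysctl.good"
    printf 'net.inet.ip.forwarding=1\n' > "$d/sysctl.bad"          # IPv6 forgotten
    echo "$d"
}

# Stand-alone demo on the samples; real files can be audited the same way.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    for f in resolv.good resolv.bad; do
        check_lookup_order "$d/$f" && echo "$f: ok" || echo "$f: hosts not preferred"
    done
    for f in sysctl.good sysctl.bad; do
        check_forwarding "$d/$f" && echo "$f: ok" || echo "$f: forwarding incomplete"
    done
    rm -r "$d"
fi
```

Run it as `sh audit.sh --demo` to see the samples evaluated, or call the two check functions on /etc/resolv.conf and /etc/sysctl.conf from a cron job to catch a configuration drift on the firewalls.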