How to build a CompactFlash solid-state firewall using OpenBSD
12/29/06

Somehow I lost the original instructions! The details below are for a 256mb flash card.

Here is the fdisk and disklabel output:

    # fdisk /dev/rwd0c
    Disk: /dev/rwd0c        geometry: 695/15/48 [500400 Sectors]
    Offset: 0       Signature: 0xAA55
              Starting       Ending       LBA Info:
     #: id    C   H  S -    C   H  S [       start:      size   ]
    ------------------------------------------------------------------------
     0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
     1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
     2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
    *3: A6    0   1  1 -  694  14 48 [          48:      500352 ] OpenBSD

    # disklabel /dev/rwd0c
    # using MBR partition 3: type A6 off 48 (0x30) size 500352 (0x7a280)
    # /dev/rwd0c:
    type: ESDI
    disk: ESDI/IDE disk
    label: Hitachi XX.V.3.4
    flags:
    bytes/sector: 512
    sectors/track: 48
    tracks/cylinder: 15
    sectors/cylinder: 720
    cylinders: 695
    total sectors: 500400
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    16 partitions:
    #        size   offset  fstype [fsize bsize  cpg]
      a:   479392       48  4.2BSD   2048 16384  438 # Cyl   0*- 665*
      b:    20960   479440    swap                   # Cyl 665*- 694
      c:   500400        0  unused      0     0      # Cyl   0 - 694

Installation

Stick in your OpenBSD boot CD and choose "shell". Run "fdisk /dev/rwd0c". If your geometry is shown as above, you should be good to go.

Time to install! Run "/install" and answer the installer as follows:

    Choose your root disk (wd0). Use all of the disk for OpenBSD.
    In disklabel, delete partition a.
    Add partition a with offset 48, size 479392, 4.2BSD, mount point /
    Add partition b with offset 479440, size 20960, swap.
    Write the label and quit.
    Go ahead and format wd0a.
    hostname: fw
    Configure the network: set your first interface to a LAN address with
      access to your FTP server (or the internet) containing the OpenBSD
      install sets.
    domain name: vectorstar.com
    nameserver: 71.41.67.107
    Use the nameserver; do not edit hosts.
    Set the root password (1711fw!)
    Install from ftp (work out your own details).
    Install the following sets: bsd, bsd.rd, base40.tgz, etc40.tgz, misc40.tgz (done)
    Start ssh by default. No NTP, X, etc.
    timezone: EST5EDT
    Install done, reboot.

Post-install configuration

Log in and create a "vsadmin" user with the sh shell and /var/etc as its home directory.

Kill the running processes syslogd, inetd and sendmail.

Save the MAKEDEV script! /dev will later be a memory filesystem rebuilt at every boot, so MAKEDEV has to live on the flash root where rc can find it:

    cp /dev/MAKEDEV /sbin

Create the save-flash script in /usr/local/bin. It briefly remounts the root filesystem read-write, copies the live /var/etc (the memory filesystem) back onto the flash copy in /var.orig/etc, and returns the root to read-only:

    #!/bin/sh
    mount -uw /
    cp -Rpf /var/etc/* /var.orig/etc/
    mount -ur /

(end of file)

    chmod 555 /usr/local/bin/save-flash

Edit /etc/rc.conf:

    sendmail_flags=NO
    spamlogd_flags=NO
    pf=YES
    inetd=NO
    check_quotas=NO
    dhcpd_flags="vlan4"      # vlan for home network
    syslogd_flags=NO

Edit /etc/sysctl.conf:

    net.inet.ip.forwarding=1
    ddb.panic=0

Edit /etc/fstab: change the root partition to read-only, and add the following memory filesystems (backed by the swap partition wd0b):

    /dev/wd0b /var mfs rw,-s=10240 0 0
    /dev/wd0b /dev mfs rw,-i=256,-s=2048 0 0

Edit /etc/dhcpd.conf:

    shared-network LOCAL-NET {
        option domain-name "haus.vectorstar.com";
        option domain-name-servers 71.41.67.107, 71.41.67.108;
        subnet 192.168.1.0 netmask 255.255.255.0 {
            option routers 192.168.1.1;
            range 192.168.1.32 192.168.1.127;
        }
    }

Edit /etc/rc: find "mount -uw /" and comment it out. Just below where the "mount -uw /" was found, add the following lines BEFORE rc.conf is executed:

    # Custom bits for CFDisk HD behavior:
    # Copy /var.orig to /var (mfs)
    cp -R /var.orig/* /var >/dev/null 2>&1
    # Make all devices
    cd /dev;/sbin/MAKEDEV all

(End of changes)

Still in /etc/rc, find "mount -s /usr" and "mount -s /var" and comment them out. Find "echo -n ' cron" and comment it out.

Edit /etc/rc.local and add the following:

    # Laird's custom stuff here:
    chgrp wheel /dev/wd0a /dev/wd0b /dev/rwd0a /dev/rwd0b
    chmod 660 /dev/pf /dev/wd0a /dev/wd0b /dev/rwd0a /dev/rwd0b

######################################################
The configuration below assumes the following:

    fxp0 connects straight to the cable modem
    fxp1 connects to the LAN with a dot1q trunk:
        vlan2 = Public facing network
        vlan3 = Private VSN network
        vlan4 = Home Network
######################################################

### Prepare your var.orig and var directories:

    mkdir /var.orig
    cd /var.orig
    mkdir authpf db empty etc log run tmp
    chown vsadmin etc

Move each configuration file that must survive on flash into /var.orig/etc and leave a symlink in /etc pointing at the copy that will exist at run time (files that do not exist yet are created with touch first):

    cd /etc
    mv rc.conf /var.orig/etc/
    ln -s /var/etc/rc.conf rc.conf
    mv rc.local /var.orig/etc/
    ln -s /var/etc/rc.local rc.local
    mv sysctl.conf /var.orig/etc/
    ln -s /var/etc/sysctl.conf sysctl.conf
    touch bridgename.bridge0
    mv bridgename.bridge0 /var.orig/etc/
    ln -s /var/etc/bridgename.bridge0 bridgename.bridge0
    touch mygate
    mv mygate /var.orig/etc/
    ln -s /var/etc/mygate mygate
    mv myname /var.orig/etc/
    ln -s /var/etc/myname myname
    touch hostname.fxp0
    mv hostname.fxp0 /var.orig/etc/
    ln -s /var/etc/hostname.fxp0 hostname.fxp0
    touch /var.orig/etc/hostname.fxp1
    ln -s /var/etc/hostname.fxp1 hostname.fxp1
    touch /var.orig/etc/hostname.vlan2
    ln -s /var/etc/hostname.vlan2 hostname.vlan2
    touch /var.orig/etc/hostname.vlan3
    ln -s /var/etc/hostname.vlan3 hostname.vlan3
    touch /var.orig/etc/hostname.vlan4
    ln -s /var/etc/hostname.vlan4 hostname.vlan4
    mv dhcpd.conf /var.orig/etc/
    ln -s /var.orig/etc/dhcpd.conf dhcpd.conf
    mv pf.conf /var.orig/etc/
    ln -s /var.orig/etc/pf.conf pf.conf

Note that dhcpd.conf and pf.conf are linked to the /var.orig copy on flash rather than to the /var memory filesystem, so editing those two later requires the root filesystem to be mounted read-write (as save-flash does) instead of editing /var/etc and running save-flash.

Now fill in the network configuration:

    cd /var.orig/etc
    echo "71.41.67.105" > mygate
    echo "up" > hostname.fxp0
    echo "up" > hostname.fxp1
    echo "inet 71.41.67.106 255.255.255.248 NONE vlan 2 vlandev fxp1" > hostname.vlan2
    echo "down" > hostname.vlan3
    echo "inet 192.168.1.1 255.255.255.0 NONE vlan 4 vlandev fxp1" > hostname.vlan4
    echo "add fxp0" > bridgename.bridge0
    echo "add vlan2" >> bridgename.bridge0
    echo "up" >> bridgename.bridge0

##### Copy in your pf.conf to /var.orig/etc/pf.conf

Finally, replace the on-disk /var with the memory filesystem, populate it, rebuild /dev, point /tmp at the ramdisk and save everything back to flash:

    rm -rf /var;mkdir /var
    mount -a -t nonfs
    cp -R /var.orig/* /var
    cd /dev
    /sbin/MAKEDEV all
    rm -rf /tmp
    ln -s /var/tmp /tmp
    save-flash

Okay, reboot it, configure your switch and plug in the appropriate cables!
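The move-or-touch-then-symlink sequence above is repetitive and easy to get wrong (a mv of a file that does not exist, or a link that points at the wrong copy). The following POSIX sh helper is added here as an example and is not part of the original write-up; relocate_conf, its ETCDIR/TARGETDIR/LINKPREFIX parameters and its skip-if-already-a-symlink behaviour are this example's own choices, so it can be exercised in a scratch directory before being run against the real /etc.

```shell
#!/bin/sh
# relocate_conf ETCDIR TARGETDIR LINKPREFIX file...
#   For each file: if ETCDIR/file is a regular file, move it to
#   TARGETDIR/file; if it is absent, create an empty TARGETDIR/file
#   (the "touch" case in the write-up). Then replace ETCDIR/file with
#   a symlink to LINKPREFIX/file. LINKPREFIX is the path the link must
#   resolve to on the running box: /var/etc for files served from the
#   memory filesystem, /var.orig/etc for files kept on flash only.
relocate_conf() {
    etcdir=$1; target=$2; prefix=$3
    shift 3
    mkdir -p "$target" || return 1
    for f in "$@"; do
        src="$etcdir/$f"
        if [ -L "$src" ]; then
            # Already relocated (or pointing somewhere else): do not
            # silently re-link it; report and skip so a second run is safe.
            echo "relocate_conf: $src is already a symlink, skipping" >&2
            continue
        fi
        if [ -f "$src" ]; then
            mv "$src" "$target/$f" || return 1
        elif [ -e "$target/$f" ]; then
            :   # flash copy already present, nothing to move
        else
            : > "$target/$f" || return 1   # the "touch" case
        fi
        ln -s "$prefix/$f" "$src" || return 1
    done
    return 0
}

# Usage on the firewall itself, reproducing the write-up's layout:
#   relocate_conf /etc /var.orig/etc /var/etc rc.conf rc.local sysctl.conf \
#       mygate myname hostname.fxp0 hostname.fxp1 hostname.vlan2 \
#       hostname.vlan3 hostname.vlan4 bridgename.bridge0
#   relocate_conf /etc /var.orig/etc /var.orig/etc dhcpd.conf pf.conf
```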
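After the reboot, the invariants the whole build depends on are that / came up read-only and that /var and /dev are memory filesystems; if any of them is wrong, rc's cp and MAKEDEV steps will have written to flash or failed. The check below is an added example, not part of the original write-up; check_layout reads mount(8)-style lines on stdin (the "device on mountpoint type fstype (options)" format OpenBSD prints) so it can be fed `mount` on the box or the constructed sample shown.

```shell
#!/bin/sh
# check_layout: read mount(8)-style output on stdin and confirm the
# CF-firewall layout: / read-only, /var and /dev mounted as mfs.
# Prints each failing invariant; returns 0 if all hold, 1 otherwise.
check_layout() {
    awk '
        # e.g. "/dev/wd0a on / type ffs (local, read-only)"
        #      "mfs:1234 on /var type mfs (asynchronous, local)"
        $2 == "on" && $3 == "/"    { root_seen = 1; if ($0 ~ /read-only/) root_ro = 1 }
        $2 == "on" && $3 == "/var" { var_mfs = ($5 == "mfs") }
        $2 == "on" && $3 == "/dev" { dev_mfs = ($5 == "mfs") }
        END {
            rc = 0
            if (!root_seen || !root_ro) { print "root filesystem is not read-only"; rc = 1 }
            if (!var_mfs) { print "/var is not a memory filesystem"; rc = 1 }
            if (!dev_mfs) { print "/dev is not a memory filesystem"; rc = 1 }
            exit rc
        }'
}

# Constructed sample of a correctly booted box (not captured output):
SAMPLE_GOOD='/dev/wd0a on / type ffs (local, read-only)
mfs:1234 on /var type mfs (asynchronous, local)
mfs:1256 on /dev type mfs (asynchronous, local)'

# On the firewall:  mount | check_layout && echo "layout OK"
```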