The "bsdwall install" command
This is the first command you will use with the bsdwall script, and you may only need to issue it once.
If all you want out of this software is to create an unembellished, basic home or SOHO firewall that will let you share a network connection, protect the internal network, and give machines internal network addresses if asked (i.e. the functions of all those hardware "routers" you can buy), then you're one command away from done.
- Type
bsdwall install
- Plug the "inner" NIC into the hub of your internal network, and
- reboot
That's it. You can stop reading now. The bsdwall will need essentially no maintenance or monitoring. It'll run for months at a time with no reboots. You could even forget the root password and just power-cycle it a few times a year, though it's much better to log in and type "reboot" so the filesystems are unmounted cleanly.
Thanks for choosing bsdwall.
What the Install Command Does
For those of you still reading, here's a summary of the "install" function of the bsdwall script, in English:
- Under the machine's "settings directory", called /etc, it creates the directory /etc/bsdwall and the directory /etc/original
- It backs up eight configuration files from /etc into /etc/original (so you can always restore the machine to its "factory defaults" easily)
- It writes out eight files of the same name, but with various machine settings changed to make it a firewall, router, and DHCP server, into the "master copy" directory /etc/bsdwall
- It also overwrites the actual configuration files themselves, the ones in /etc, with the replacements from /etc/bsdwall
Upon reboot, the machine will start OpenBSD using the settings it finds in the new files in /etc, and it will come up as a firewall/router and DHCP server.
Install options
The changes wrought by "install" make a few assumptions about your networking:
- That your internal network will have the IP number range of 192.168.0.*
- That your bsdwall will have the number "1" in the internal network; by default, 192.168.0.1
- That you will have only 250 or so machines.
The last two of those cannot be altered with a parameter. If you have more than 250 machines, you do not want to be doing your firewalling with a basic, cookie-cutter product meant for small networks! The change is easy to make, and you can make it yourself once you have learned a small fraction of what you should know to administer a network of hundreds of machines. Begone from this place and go take a serious computer security course, or hire somebody who has.
But the first assumption, the internal network, many people may want to change. 192.168.*.* is by far the most popular choice for internal network numbers, but you have other safe choices.
There are three ranges of IP addresses, set aside by RFC 1918, that all network providers agree are "non-routable": numbers never used out on the Internet itself, and which no "public" Internet router will forward as destination addresses. They're reserved for use as internal networks:
- 10.*.*.* (10.0.0.0/8)
- 172.16.*.* through 172.31.*.* (172.16.0.0/12)
- 192.168.*.* (192.168.0.0/16)
Other ranges you may see described as "reserved" are reserved for other purposes, not for private networks, and should not be given to "install": 169.254.*.* is for self-assigned link-local addresses (which is what machines fall back to when no DHCP server answers), 192.0.2.* is set aside for documentation examples, 224.*.*.* is multicast, and 204.152.64.* and 204.152.65.* are not private-use ranges at all.
And there's always the possibility that you have your own range of IP addresses you want to use, because you have them registered, or because you are firewalling one small part of a larger corporate network. A bsdwall firewall will NOT route incoming traffic to your internal machines; of course, its whole job is to not do that. But you can modify it to do that, with a little learning about the file
ipnat.rules
The network parameter
To set up your bsdwall with a different internal network range of IP numbers, just give the FIRST THREE of the four parts of a "dot format" IP number as a parameter after the word "install". Examples:
- bsdwall install 192.168.1
- bsdwall install 172.16.123
- bsdwall install 10.37.92
- bsdwall install 192.168.250
... and so on. Keep the three numbers inside one of the private ranges listed above. Whichever three numbers you give, the script will make the inside IP of the bsdwall ".1" of that network, and will hand out IP numbers to inside machines that are set to "get IP from server" from ".10" upward in that network.
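Nothing on this page says "install" checks its parameter, so a pre-flight check is worth having. The script below is an added example, not part of bsdwall: written as POSIX sh, it splits the argument into three octets, confirms each is 0 to 255, confirms the resulting /24 lies inside one of the RFC 1918 private ranges listed above, and prints the two addresses bsdwall derives from it (".1" for the firewall, ".10" for the first DHCP lease). The function name check_prefix and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate a bsdwall-style network parameter before use.
# Not bsdwall's own code. Usage: ./check_prefix.sh 192.168.1

# Return 0 if $1 is a decimal integer in 0..255.
is_octet() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 255 ]
}

# Return 0 if the /24 "$1.$2.$3.0" lies in an RFC 1918 private range:
# 10.0.0.0/8, 172.16.0.0/12 (172.16 through 172.31) or 192.168.0.0/16.
is_private_24() {
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# check_prefix A.B.C
# Validates the three-octet prefix and prints the addresses bsdwall would
# derive from it: the firewall's inside address (.1) and the first DHCP
# lease (.10). Anything malformed or outside RFC 1918 is rejected with a
# message on stderr and exit status 1.
check_prefix() {
    prefix=$1
    # Split on dots only; set -f keeps a stray "*" from globbing files.
    old_ifs=$IFS; IFS=.
    set -f
    set -- $prefix
    set +f
    IFS=$old_ifs
    if [ $# -ne 3 ]; then
        echo "error: need exactly three octets, got '$prefix'" >&2
        return 1
    fi
    for o in "$1" "$2" "$3"; do
        if ! is_octet "$o"; then
            echo "error: '$o' is not an octet in 0-255" >&2
            return 1
        fi
    done
    if ! is_private_24 "$1" "$2" "$3"; then
        echo "error: $prefix.0/24 is not an RFC 1918 private network" >&2
        return 1
    fi
    echo "firewall=$prefix.1 dhcp_first=$prefix.10"
}

# When run as a script, check the first argument.
[ $# -eq 0 ] || check_prefix "$1"
```

A prefix such as 168.254.167 (a public range, and an easy typo for the link-local 169.254 block) is refused, as is anything with the wrong number of parts; only then would you hand the value to "bsdwall install".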
"Install over Top"
When things go wrong, a typical easy fix to a software install is to run the install again. This works with "bsdwall install", and it can also be used to change the internal network number. (Say, if you ran it the first time as "bsdwall install 192.168.23" and the second time as "bsdwall install 172.16.34".)
One caveat, though, about the actions on a subsequent install: if the script finds that the "original factory files backup" directory, /etc/original, already exists, then it won't touch that directory. Instead, it backs up the files currently in /etc to a new directory, /etc/original2. On a third and later install, the previous contents of /etc/original2 are wiped out and replaced by the then-current files from /etc. The only "sacred" config files are those from before the first install; /etc/original2 only ever holds the state from just before the most recent install, so if you have hand-edited anything in /etc since then, copy it somewhere safe before re-running.
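To make both the install steps above and this backup rule concrete, here is an added example (illustrative POSIX sh, not the bsdwall script itself) of two routines: a backup step that writes to /etc/original on a first install and to /etc/original2, wiping it first, on every later one; and a check that the live files in /etc still match the master copies in /etc/bsdwall. The function names, the LIVE_DIR, BACKUP_ROOT and MASTER_DIR parameters, and the file names used in the comments are assumptions of this example; bsdwall's real eight file names are not listed on this page. Try it against temporary directories first, since pointing it at the real /etc copies files there.

```shell
#!/bin/sh
# Added example: the "install over top" backup rule, plus a drift check.
# Not bsdwall's own code; directory and file names are parameters.

# backup_configs LIVE_DIR BACKUP_ROOT FILE...
# First run:  LIVE_DIR/FILE... are copied into BACKUP_ROOT/original,
#             which is never touched again by later runs.
# Later runs: BACKUP_ROOT/original exists, so the current files go into
#             BACKUP_ROOT/original2, replacing whatever was there before.
# Prints the directory written to; returns 1 on bad arguments.
backup_configs() {
    live=$1; root=$2
    [ -d "$live" ] && [ -n "$root" ] || return 1
    shift 2
    if [ -d "$root/original" ]; then
        dest=$root/original2
        rm -rf "$dest"          # third and later installs wipe original2
    else
        dest=$root/original     # only the very first install writes here
    fi
    mkdir -p "$dest"
    for f in "$@"; do
        cp -p "$live/$f" "$dest/$f"   # -p keeps modes and timestamps
    done
    echo "$dest"
}

# show_drift MASTER_DIR LIVE_DIR
# After an install the live files should be byte-identical to the master
# copies. Lists every master file whose live twin differs or is missing
# (hand edits, or something else overwriting them); returns 1 if any do.
show_drift() {
    master=$1; live=$2; drift=0
    for path in "$master"/*; do
        [ -f "$path" ] || continue
        f=${path##*/}
        if ! cmp -s "$path" "$live/$f"; then
            echo "differs: $live/$f vs $path"
            drift=1
        fi
    done
    return $drift
}
```

On a real bsdwall box the drift check would be run as show_drift /etc/bsdwall /etc; a clean result means /etc still carries exactly what the last "install" wrote, and anything it lists is a file to diff against /etc/original2 before deciding whether to re-run the install.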
Undo!
To "undo" a bsdwall install, see the remove and uninstall commands.