On 4/3/24 12:19, Karel Lucas wrote:
Hi all,

I am creating a bridging firewall with OpenBSD and the following
hardware:
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
OpenBSD is already installed. I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the connection returns to ETH1. ETH4 therefore receives an IP address
and ETH1, ETH2 and ETH3 not. But now the problem: as long as the network
connection of the ADSL modem is in ETH4, my network, including the
firewall, is no longer secured, and attackers can take advantage. I
therefore wonder whether it is possible to let the data flow via ETH1
and ETH4 first pass through PF before an update/upgrade is done via
ETH4. This means that the bridging firewall will have two entrances, one
without and one with an IP address. I would like to know if that is
possible, or if there is another option.


There are lots of options, but I'm not seeing the point of the bridging
firewall here.  Sounds like you are making things complicated and I'm
suspicious you won't be getting much benefit from it.  I think you would
do much better with NAT.

But...pretending for the moment this is the right solution for you, if
you are already planning on physically moving to the box to do upgrades,
just download the installXX.img file on another machine, drop it on a
thumb drive, walk over to your bridge and reboot from the thumb drive
and upgrade, don't bother fiddling with cables.

I'm also pretty sure you can put an internal IP on one of the ports
other than the bridge, and copy the files and install from there.  That
would have the benefit of remote administration, too.

Nick.
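A pf.conf for the layout Nick describes (the only IP address on the port that is not a bridge member), added here as an example and not part of the thread. It assumes the bridge is built from /etc/hostname.bridge0 containing `add em0 add em1 add em2 up`, each member brought `up` with no address, and a default route on the management network; the interface names and addresses in the comments are guesses for this hardware, so check them with ifconfig.

```pf
# Added example, not from the thread. Assumed interface names:
#   em0 = ETH1 toward the ADSL modem, em1/em2 = ETH2/ETH3 toward the LAN,
#   em3 = ETH4, management, the only interface with an IP address.
# em0, em1 and em2 are members of bridge0 and carry no address.
# Constructed addresses: management network 192.168.50.0/24,
# admin workstation 192.168.50.10.
modem_if   = "em0"
lan_ifs    = "{ em1 em2 }"
mgmt_if    = "em3"
admin_host = "192.168.50.10"

set skip on lo

# Deny anything no later rule explicitly allows; log it for review.
block log all

# Bridged traffic is filtered on the member interfaces, not on bridge0.
# A frame arriving on a bridge port must never reach the firewall's own
# stack: this keeps the management address out of reach of both the modem
# side and the LAN side, whichever cable is plugged in where.
block in log quick on { $modem_if $lan_ifs } from any to self

# LAN hosts may open sessions toward the modem. The state created on the
# way in on em1/em2 matches the reply coming back in on em0 (states float
# across interfaces by default), so nothing unsolicited is accepted from
# the modem side.
pass in  quick on $lan_ifs
pass out quick on $modem_if

# Management port: SSH only from the admin workstation, and outbound only
# what the resolver, sysupgrade, syspatch and pkg_add need (assumed set of
# ports; widen only if a tool you rely on needs more).
pass in  on $mgmt_if proto tcp from $admin_host to ($mgmt_if) port 22
pass out on $mgmt_if proto { tcp udp } from ($mgmt_if) to any port { 53 80 443 }
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the logged blocks on em0 can be watched with `tcpdump -n -e -ttt -i pflog0` to confirm the modem side cannot reach the management address.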
