On Thu Sep 26, 2024 at 8:57 PM CEST, Peter N. M. Hansteen wrote:
> On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> > Hello,
> >
> > I want to use OpenBSD as a firewall for a configuration where every host is
> > isolated.
> >
> > For example, let's say I have the 1.0.0.0/24 subnet and the 2000::/56 subnet.
> >
> > I want each host to have a single IP for IPv4, and a /64 for IPv6.
> >
> > On the layer 2 side, I can configure a single VLAN for each host. I can
> > either show each VLAN to the OpenBSD router as a different VLAN or I can use
> > PVLAN to have a single VLAN on the OpenBSD side.
> >
> > Now, with IPv6 it's easy, I can create a /64 for each host, but for IPv4
> > it's trickier. I'd like to use as few IPs as I can and I think the lowest I
> > can do is to use 2 IPs per host.
> >
> > I was wondering if you had general advice on what the best configuration
> > was.
> >
> > I looked at Hetzner, and for IPv4, they use point-to-point Ethernet, so the
> > host has an IP in 1.0.0.24 with a route to 1.0.0.23/32. It uses Linux's
> > systemd "[Address] Peer" configuration and I am not sure exactly what it
> > entails. For IPv6 it uses fe80::1 as gateway, which is also a bit weird as I
> > would expect the gateway to be on the same subnet.
> >
> > The general idea is to be able to manage all firewalling between hosts
> > using pf.
>
> I think you are in danger of overengineering by quite some measure.
>
> The easy way to set up is to go with a setup that has "block all" as the
> default (initial) rule, and then add further rules that allow only traffic to
> and from the specific hosts and networks you want, on the specific protocols
> and ports you want.
>
> The PF User's Guide at https://www.openbsd.org/faq/pf/index.html is a useful
> place to start; please also keep the pf.conf man page
> (https://man.openbsd.org/pf.conf) within reach.
> Further, the most recent PF tutorial might be of some use in this context
> (https://nxdomain.no/~peter/pf_fullday.pdf) and for that matter The Book of PF
> (https://nostarch.com/pf3 and via better bookstores).
>
> For a triple set of belts and suspenders configuration, you could do various
> variations of isolated VLANs as you mention. If you want to keep the hosts in
> the 10.0.0.0/24 network, you could set each host to have a default gateway
> (assuming you want them to be able to communicate with *something* over IPv4)
> outside that network using whatever !route trickery in the individual
> /etc/hostname.$if you could think of.
>
> There are doubtless further ways to complicate this and your life as the
> maintainer of the setup, but unless you have specific reasons I would suggest
> going for the relatively simple approach where the initial active line in
> each /etc/pf.conf reads
>
> block # will expand to block all on load
> # from here, specifically allow desirable traffic, nothing more, nothing less.
>
> and you insert whatever you feel is strictly needed in pass rules thereafter.
>
> All the best,
> Peter
I might not have been clear enough, the 1.0.0.0/24 example is a public /24
routable network, not a 10.0.0.0/8 network. What I want is to be able to use as
much of this network as possible (here 2 IPs per host) and allow firewall rules
between hosts. The IPv6 part is easier to manage as I can spawn as many subnets
as I want. And the reason is that the hosts are untrusted and must be firewalled
between them, so I need layer 2 isolation.

Regards

--
Nicolas Goy
Developer and Engineer
Goyman SA
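The default-deny layout Peter describes, applied to the one-VLAN-per-host setup Nicolas asks about, as a pf.conf sketch added here (it is not from either message); the interface names, addresses and per-host tables are assumptions:

```pf
# Added example, not from the thread. Assumed layout: uplink em0, one VLAN
# interface per untrusted host (vlan10, vlan11), each host holding a single
# IPv4 address from the public /24 and one /64 carved out of 2000::/56.
ext_if   = "em0"
host_ifs = "{ vlan10 vlan11 }"

# Exactly the addresses each host is allowed to use on its own VLAN.
table <host_a> const { 1.0.0.10 2000:0:0:10::/64 }
table <host_b> const { 1.0.0.11 2000:0:0:11::/64 }

set skip on lo

# Default deny: expands to "block all" when loaded. Everything below is an
# exception, and the last matching rule wins unless it says "quick".
block log

# IPv6 neighbour discovery must pass on every VLAN before any /64 works at all.
pass quick inet6 proto icmp6 icmp6-type { neighbrsol neighbradv }

# Each host may only source traffic from its own table on its own interface.
# A packet on vlan10 carrying host_b's address matches nothing and stays
# blocked, which is the anti-spoofing check for this layout.
pass in on vlan10 from <host_a> to any
pass in on vlan11 from <host_b> to any

# Hosts are untrusted: no host-to-host traffic unless explicitly allowed.
block log in on $host_ifs from <host_a> to <host_b>
block log in on $host_ifs from <host_b> to <host_a>
pass in on vlan10 proto tcp from <host_a> to <host_b> port 443

# Replies ride on the state created by the "pass in" rules above; new flows
# towards the hosts are limited to ssh from the firewall itself.
pass out on $ext_if
pass out on $host_ifs proto tcp from self to any port 22
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`; the `log` keyword on the block rules lets `tcpdump -n -e -ttt -i pflog0` show which inter-host flows are being dropped.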