Groups

From securityrouter.org, an OpenBSD-based firewall

Interface groups are a simple, yet powerful, configuration tool. Their most important use is naming and grouping network interfaces for firewall packet filtering.

The default configuration includes two interface groups: wan and lan. The first physical Ethernet interface is made a member of the WAN group, and the second of the LAN group. That way, tasks such as firewall filtering can be performed based on those names rather than on an interface device name such as em0. In raw configuration, this might look like:

interface em0 {
  group "wan"
  address 212.16.179.42/30
  route default 212.16.179.41
}
interface em1 {
   group "lan"
   address 192.168.1.1/24
}
firewall {
   pass out on wan nat-to (wan) label outgoinginternet
   pass on lan label localnetwork
}

The above configuration is a simplified, yet working, version of the default configuration. Notice how firewall filtering is performed on the group names rather than on the device names. The first rule, named "outgoinginternet", passes any traffic out on interfaces in the WAN group (em0) and NATs the packets using the WAN interface's (em0's) IP address. The second rule simply "opens" the LAN interface (em1) to any traffic, in any direction.

The experienced BSD administrator might already be familiar with interface groups and how they work. Rest assured that they work as you expect.

Usage on the basic network setting page

On various pages, such as the Network > Basic settings page, interface groups are used to identify interfaces. The basic settings page simply finds the first interface that is a member of the WAN group (and of the LAN group, respectively) and displays its information. Therefore, it is possible to change which interface is used as WAN by moving the group "wan" configuration line to another interface.

Filtering VPN users

The L2TP/PPTP VPN server uses interface groups to simplify firewall filtering of VPN users. When creating a VPN user, its group membership is specified. Consider the example below.

vpn-server {
   authentication "admins" {
      user "desh" {
         full-name "Anders"
         password "$b$YmFkcGFzc3dvcmQ=" # OBFUSCATED
      }
      user "root" {
         password "$b$YmFkcGFzc3dvcmQ=" # OBFUSCATED
      }
   }
   authentication "dudes" {
      user "dude1" {
         password "$b$YmFkcGFzc3dvcmQ=" # OBFUSCATED
      }
   }
   l2tp {
      secret "$b$YmFkcGFzc3dvcmQ=" # OBFUSCATED
   }
}
firewall {
   pass in on admins
   pass in on dudes to 192.168.6.0/24
}

In this (incomplete) configuration example, we can see how members of the "admins" group (desh and root) enjoy a more relaxed firewall rule set compared to "dude1".

Some readers might notice that the passwords are actually stored in clear text, obfuscated with base64 (this is not a security measure; it is only designed to prevent "shoulder-surfing" when viewing router configurations). Storing the passwords in clear text is unfortunately necessary because of the way MSCHAP authentication works. Other passwords, such as the system users' passwords, are stored using the more secure bcrypt hashing method.
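As an added example (not code from securityrouter.org or its configuration tool), the following Python shows both points made on this page at once: it parses a merged, trimmed version of the two configuration fragments above, resolves the name after "on" in each firewall rule to the interface devices or VPN users it actually covers (so moving a group "wan" line really does move the WAN), and audits every password or secret for the "$b$" base64 obfuscation, which is reversible rather than hashed. The brace-delimited, line-based grammar, the sample document (addresses, the root user and the l2tp block are omitted), and the treatment of values without a "$b$" prefix are assumptions.

```python
import base64
import binascii
import shlex

# Constructed sample (hypothetical): the page's two fragments merged into one document.
SAMPLE_CONFIG = """
interface em0 {
  group "wan"
}
interface em1 {
  group "lan"
}
vpn-server {
  authentication "admins" {
    user "desh" {
      password "$b$YmFkcGFzc3dvcmQ=" # OBFUSCATED
    }
  }
  authentication "dudes" {
    user "dude1" {
      password "$b$YmFkcGFzc3dvcmQ=" # OBFUSCATED
    }
  }
}
firewall {
  pass out on wan nat-to (wan) label outgoinginternet
  pass on lan label localnetwork
  pass in on admins
  pass in on dudes to 192.168.6.0/24
}
"""
def parse_config(text):
    # Tree of nodes: {"header": tokens before '{', "statements": [token lists], "children": [nodes]}.
    root = {"header": [], "statements": [], "children": []}
    stack = [root]
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # a quoted value is one token; '# ...' is dropped
        if not tokens:
            continue
        if tokens[-1] == "{":
            node = {"header": tokens[:-1], "statements": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tokens == ["}"]:
            stack.pop()
        else:
            stack[-1]["statements"].append(tokens)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root

def collect_groups(root):
    # Returns (interface group -> devices, VPN authentication group -> user names), in config order.
    if_groups, user_groups = {}, {}
    for node in root["children"]:
        if node["header"][:1] == ["interface"]:
            for stmt in node["statements"]:
                if stmt[:1] == ["group"]:
                    if_groups.setdefault(stmt[1], []).append(node["header"][1])
        elif node["header"] == ["vpn-server"]:
            for auth in node["children"]:
                if auth["header"][:1] == ["authentication"]:
                    user_groups[auth["header"][1]] = [
                        u["header"][1] for u in auth["children"] if u["header"][:1] == ["user"]]
    return if_groups, user_groups

def expand_rules(root):
    # Resolve the name after 'on' in each firewall rule to the devices or VPN users it really covers.
    if_groups, user_groups = collect_groups(root)
    expanded = []
    for node in root["children"]:
        for stmt in (node["statements"] if node["header"] == ["firewall"] else []):
            name = stmt[stmt.index("on") + 1] if "on" in stmt else None
            if name in if_groups:
                kind, members = "interfaces", if_groups[name]
            elif name in user_groups:
                kind, members = "vpn-users", user_groups[name]
            else:
                kind, members = "literal", [name]  # a bare device name, or None if the rule has no 'on'
            expanded.append((" ".join(stmt), kind, members))
    return expanded

def classify_secret(value):
    # "$b$" is the page's base64 obfuscation (reversible); any other form is reported as-is (assumption).
    try:
        if value.startswith("$b$"):
            base64.b64decode(value[3:], validate=True)
            return "base64-obfuscated (reversible)"
    except (binascii.Error, ValueError):
        return "malformed $b$ value"
    return "not base64-obfuscated"

def audit_secrets(node, path=()):
    # Walk the whole tree: where every password/secret lives and how it is stored.
    findings = [(" / ".join(path), s[0], classify_secret(s[1]))
                for s in node["statements"] if s[:1] in (["password"], ["secret"]) and len(s) > 1]
    for child in node["children"]:
        findings += audit_secrets(child, path + (" ".join(child["header"]),))
    return findings
```

Running expand_rules(parse_config(SAMPLE_CONFIG)) reports the first rule as covering interfaces ["em0"] and "pass in on admins" as covering VPN users ["desh"]; swapping the two group lines in the text makes em1 the WAN without touching a single firewall rule, which is exactly why the rules are written against group names. audit_secrets lists every VPN password as base64-obfuscated, the kind of check worth running over an exported configuration before it is stored or shared.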