The ethernet cards
There is a boring but necessary subject to cover here. There are many kinds of ethernet cards, and you must make sure you have the right ones for your machine. If you have a PCI-based machine, all is well: whatever ethernet card you put in there will probably be supported by OpenBSD. You must be a bit more careful, however, if you have an ISA-based machine.
It is most likely that your box will not have any ethernet cards to start with, since most people did not have networks at home in the pre-historic era of 4 years ago. You need two cards. One will be connected to the DSL modem (the big, bad outer world), while the other is connected to your internal network hub (your intranet). The gateway's job will be to pass (or block) packets between those two network cards. For security, it's very important that packets from the outside world cannot reach any of the intranet machines directly. This is the reason why we use two ethernet cards: complete logical and electrical isolation. Why so much isolation? For example, if someone were launching a full (distributed or not) denial of service attack on your gateway box, its internet-connected ethernet card would be extremely busy, but your intranet would see nothing of it. While any communication with the outside world would probably fail, at least your intranet machines would still be able to talk to each other.
ISA cards use dedicated I/O ports and IRQs in your machine. Those must be set up either with jumpers directly on the card, or with a special DOS program if the card is of the more recent "Plug & Play" type. This DOS program is always supplied with the card when it is purchased brand new.
If your card is Plug & Play, you must disable the Plug & Play function and program specific I/O port and IRQ values with the setup software that comes with the card. Make sure that you program the two cards with different sets of I/O ports and IRQs! Otherwise they will battle each other for cycles on the bus and the result will not be pretty. Once you have set the parameters, the card will remember them and you don't have to reprogram anything later on, even if the computer is turned off.
It is good at this point to know a few magic numbers:
Card Type         | I/O #1 | IRQ #1 | Mem #1  | I/O #2 | IRQ #2 | Mem #2
------------------|--------|--------|---------|--------|--------|--------
NE2000 (ne)       | 0x240  | 9      | --      | 0x300  | 10     | --
SMC WD-8003 (we)  | 0x280  | 9      | 0xd0000 | 0x300  | 10     | 0xcc000
For example, I use two cards made by AOpen: the model ALN-101. They are Plug & Play and use the NE2000 chip. The first one is set up at I/O port 0x240, IRQ 9. It is known as "ne0" in the GENERIC OpenBSD kernel. The second one is set at I/O port 0x300, IRQ 10. It is known as "ne1". If the cards were programmed differently, the GENERIC kernel would not recognize them "out of the box" and you would have to reconfigure the kernel. It can be done, but it's much easier to set up the hardware once than to reconfigure the kernel every time it gets upgraded.
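Since the whole point of the procedure above is that the two cards must not share an I/O port or an IRQ, here is a small check you can run on the gateway once the kernel has attached the cards. It is an added example, not part of the original article: it takes dmesg-style attach lines for the ne and we drivers, extracts the port and IRQ of each card, and reports any value claimed by more than one card. The three sample lines are constructed for the example (the first and third deliberately collide on IRQ 9); the "neN at isa0 port 0x... irq N" line shape is an assumption, so on a real box feed it the actual output of dmesg.

```sh
#!/bin/sh
# Added example (not from the original article): verify that the ISA
# ethernet cards the kernel attached use distinct I/O ports and IRQs.

# Constructed sample of dmesg attach lines. ne0 and we0 both claim IRQ 9,
# which is exactly the "battle for the bus" situation the article warns about.
SAMPLE_DMESG='ne0 at isa0 port 0x240/32 irq 9
ne1 at isa0 port 0x300/32 irq 10
we0 at isa0 port 0x280/32 iomem 0xd0000/8192 irq 9'

# check_isa_conflicts "<dmesg text>"
# Prints one line per I/O port or IRQ that more than one ne/we card claims.
# Returns 0 when there is no conflict, 1 when at least one was found.
check_isa_conflicts() {
    input="$1"
    status=0

    # Keep only ne*/we* ISA attach lines and reduce each to: name port irq.
    # The "/32" size suffix on the port and any trailing ":" are dropped.
    extracted=$(printf '%s\n' "$input" | awk '/^(ne|we)[0-9]+ at isa/ {
        port = ""; irq = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "port") { split($(i+1), a, "/"); port = a[1] }
            if ($i == "irq")  { irq = $(i+1); sub(/:$/, "", irq) }
        }
        print $1, port, irq
    }')

    # A port or IRQ that appears twice in the extracted list is a conflict.
    dup_ports=$(printf '%s\n' "$extracted" | awk 'NF >= 2 {print $2}' | sort | uniq -d)
    dup_irqs=$(printf '%s\n' "$extracted" | awk 'NF >= 3 {print $3}' | sort | uniq -d)

    for p in $dup_ports; do
        echo "conflict: I/O port $p is claimed by more than one card"
        status=1
    done
    for q in $dup_irqs; do
        echo "conflict: IRQ $q is claimed by more than one card"
        status=1
    done
    return $status
}

# Stand-alone run against the constructed sample; on a real gateway use:
#   check_isa_conflicts "$(dmesg)"
if check_isa_conflicts "$SAMPLE_DMESG"; then
    echo "no port or IRQ conflicts between ISA ethernet cards"
fi
```

The script only looks at the ne and we drivers named in the table above; if your cards attach under a different driver name, extend the regular expression in the first awk program accordingly.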
One more thing: some cards can be used in the so-called "full-duplex" mode. Be aware that if you want to use an ethernet card in full-duplex, your hub must also be full-duplex, and so must the other ethernet cards in the system. A full-duplex hub is much more expensive and not necessary at all. Unless you know what you are doing, program your ethernet cards to use the half-duplex mode; otherwise they won't play nice with the other components in your local network, including the xDSL modem ;)
The hard disk
The most secure storage medium is one which can't be erased. Some firewalls actually use setups like this (with CD-ROMs), but we'll build our firewall with a classic, writeable hard drive because:
- We don't need "Absolute Security", do we? We can't have it anyway ;)
- We want to use an "out-of-the-box" OpenBSD distro. This will make security maintenance much easier.
Almost any hard disk out there will work OK, since 200 MB is a safe minimum size. The only thing you must remember is that this disk will run 24/7, so if you use an old drive, it will likely die relatively soon. The venerable drive my friend gave me lasted 6 months before I had to change it; YMMV.