{"id":212,"date":"2012-11-25T03:49:50","date_gmt":"2012-11-25T03:49:50","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=212"},"modified":"2022-10-21T11:59:54","modified_gmt":"2022-10-21T11:59:54","slug":"how-to-add-a-remote-management-ip-to-a-bridged-openbsd-firewall","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/how-to-add-a-remote-management-ip-to-a-bridged-openbsd-firewall\/","title":{"rendered":"How to add a remote management ip to a bridged openbsd firewall"},"content":{"rendered":"<p><span style=\"text-decoration: underline;\"><strong>Adding Management IP to Open BSD Bridged Firewall<\/strong><\/span><\/p>\n<p>I am writing this because sometimes people set things up without setting up a remote management ip on servers and decide to do it later, only to find that the firewall is now running in a production environment and has become more critical than it was originally supposed to be.<\/p>\n<p>1. Ensure that you have chosen an IP that is configured on the correct vlan<\/p>\n<p>2. Edit \/etc\/hostname.rl0<\/p>\n<p><em>Note: On a bridged firewall there will usually be two interfaces: one will be the internal interface and the other will be the external interface. If you cat \/etc\/pf.conf you should see which interface is defined as the external interface; the hostname file for that interface is the one you will be editing to add the remote management ip.<\/em><\/p>\n<p>less \/etc\/hostname.rl0<br \/>\nup<br \/>\ninet 192.168.1.35 255.255.255.0<\/p>\n<p>or<\/p>\n<p>inet 192.168.1.35\/24 (this one seems to work better in my experience)<br \/>\nup<br \/>\n3. Edit \/etc\/mygate <strong>(This is where you configure the gateway the management ip will be using.)<\/strong><\/p>\n<p>less \/etc\/mygate<br \/>\n192.168.1.1<\/p>\n<p>4. Edit \/etc\/rc.conf<\/p>\n<p>less \/etc\/rc.conf (the sshd_flags line should look like the one illustrated below)<br \/>\n&#8230;<br \/>\nsshd_flags=&#8221;&#8221; # for normal use: &#8220;&#8221;<\/p>\n<p>5. 
Edit \/etc\/ssh\/sshd_config<\/p>\n<p>less \/etc\/ssh\/sshd_config (Ensure that you allow root login, or keys if you are using keys)<br \/>\n&#8230;<br \/>\nPermitRootLogin yes<\/p>\n<p>6. You will also need to ensure that the firewall rules in pf.conf allow the traffic to come in on the external interface to port 22 for ssh, for tcp and udp<\/p>\n<p>vi \/etc\/pf.conf<\/p>\n<p>add something like the example below.<\/p>\n<p><strong>Example<br \/>\n<\/strong><em>pass in log quick on $external_interface proto tcp from $allowed_hosts to 192.168.1.35 port 22 keep state<\/em><\/p>\n<p><em>pass in log quick on $external_interface proto udp from any to 192.168.1.35<\/em><\/p>\n<p>7. Reboot Server.<\/p>\n<p><em><strong>In a production environment you probably want to avoid rebooting the firewall; you can follow the steps below to achieve this.<\/strong><\/em><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Adding Management IP without Rebooting server<\/strong><\/span><\/p>\n<p>1. Check to see which interface is the external_interface in \/etc\/pf.conf.<\/p>\n<p>In this case we will assume it is rl0:<\/p>\n<p>2. Run these from the command line. 
This will set the IP\/route on-the-fly, not requiring a reboot.<\/p>\n<p><em>ifconfig rl0 inet &lt;ip address&gt; &lt;netmask&gt;<\/em><\/p>\n<p><em>route add default &lt;gateway&gt;\u00a0<\/em><\/p>\n<p>or you can use<\/p>\n<p><em>route add default gw 192.168.1.254 eth0<br \/>\n<\/em><br \/>\nor<\/p>\n<p><em>ip route add default via &lt;gateway&gt;<\/em><\/p>\n<p>Note: if you make a mistake by adding the wrong gateway and bring everything down, you can delete the gateway on the fly as well, using something similar to the example below.<\/p>\n<p><em><strong>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br \/>\nHow to delete the gateway on the fly if you make an error<\/strong><\/em><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Example<\/strong><\/span><\/p>\n<p><em>\u00a0ip route delete default<br \/>\n<strong>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;\u00a0<\/strong><\/em><\/p>\n<p>3. Add this to \/etc\/hostname.rl0<\/p>\n<p>vi \/etc\/hostname.rl0 and add the line: inet &lt;ip address&gt; netmask &lt;netmask&gt;<\/p>\n<p>4. Add your gateway.<\/p>\n<p>vi \/etc\/mygate and add the line: &lt;gateway&gt;<\/p>\n<p>5. Modify the SSH configuration.<\/p>\n<p>vi \/etc\/ssh\/sshd_config and set it to allow root and password logins<\/p>\n<p>6. Run SSH.<\/p>\n<p>\/usr\/sbin\/sshd<\/p>\n<p>7. 
Do not forget to update the firewall rules in \/etc\/pf.conf to allow traffic on the external interface to come in on port 22<\/p>\n<p><strong>Example<br \/>\n<\/strong><em>pass in log quick on $external_interface proto tcp from $allowed_hosts to 192.168.1.35 port 22 keep state<\/em><\/p>\n<p><em>pass in log quick on $external_interface proto udp from any to 192.168.1.35<\/em><\/p>\n<p>8. You should now be able to test the connection with a telnet command from outside and see if you can connect to ssh remotely<\/p>\n<p><em>telnet 192.168.1.35 22\u00a0<\/em><\/p>\n<p>Cheers<\/p>\n<p>Hope this has helped you; email nick@nicktailor.com if you have questions<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Adding Management IP to Open BSD Bridged Firewall I am writing this because sometimes people set things up without setting up a remote management ip on servers and decide to do it later, only to find that the firewall is now running in a production environment and has become more critical than it was originally supposed to be. 1. 
Ensure that<a href=\"https:\/\/nicktailor.com\/tech-blog\/how-to-add-a-remote-management-ip-to-a-bridged-openbsd-firewall\/\" class=\"read-more\">Read More &#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58,138],"tags":[],"class_list":["post-212","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=212"}],"version-history":[{"count":13,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/212\/revisions"}],"predecessor-version":[{"id":1619,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/212\/revisions\/1619"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}