Showing posts with label network. Show all posts

Sunday, November 26, 2006

asus wl-500g premium

I got a WL-500g router for my home:

  • 1 wan ethernet
  • 4 lan ethernet
  • 2 usb
  • wi-fi

Here is the uname string:

Linux 1 2.4.20 #46 Thu May 25 22:40:57 MSD 2006 mips unknown

Some of the cpuinfo:

system type : Broadcom BCM947XX
cpu model : BCM3302 V0.6
BogoMIPS : 262.96
wait instruction : no
microsecond timers : yes
tlb_entries : 32

Many nice features of this router can be used in custom firmware.

Friday, October 20, 2006

pf based nat gateway for office network

Tonight I replaced the old FreeBSD-based NAT gateway with an OpenBSD-based NAT gateway and firewall. This is a short article about the pf configuration.

I use an Intel Celeron 500MHz based server with two network cards (vr0 and vr1). Here are the configuration steps:

  1. buy more beer and pizza!
  2. install openbsd
  3. set the net.inet.ip.forwarding sysctl value to “1” and add the line net.inet.ip.forwarding=1 to the /etc/sysctl.conf file
  4. activate pf: add the line pf=YES to the /etc/rc.conf.local file
  5. edit the /etc/pf.conf file:
    # macros
    ext_if="vr0"
    int_if="vr1"

    # options
    set block-policy return
    set loginterface $ext_if
    set skip on lo

    # scrub
    scrub in

    # network address translation (NAT)
    nat on $ext_if from !($ext_if) to any -> ($ext_if)

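    # filter
    # default deny for inbound traffic on every interface
    block in
    # allow outbound traffic and keep state so that replies are passed
    pass out keep state
    # drop packets with spoofed source addresses on loopback and the LAN side
    antispoof quick for { lo $int_if }
    # trust the internal network: pass everything on the LAN interface
    pass quick on $int_if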
  6. load the config file: pfctl -f /etc/pf.conf
…and read “The OpenBSD Packet Filter”.

Friday, September 8, 2006

scan with netcat

nc(1) can be used for a simple and fast network scan. Here is a sample scan of localhost (port range: 1-1024).

$ nc -v -z 127.0.0.1 1-1024
localhost [127.0.0.1] 80 (www) open
localhost [127.0.0.1] 25 (smtp) open
localhost [127.0.0.1] 22 (ssh) open

Thursday, September 7, 2006

secure surfing from public place

Use OpenSSH port forwarding to browse the web from a public place.
ssh(1) can act as a SOCKS server. The SOCKS4 and SOCKS5 protocols are supported. All you need is shell access to a remote machine.
Example:

ssh -D 4545 user@IP

Now you can specify “localhost” as the SOCKS host and “4545” as the SOCKS port in the connection settings of your browser.

Saturday, August 26, 2006

using trunk(4) interface in openbsd

In OpenBSD you can use the trunk(4) interface to create link aggregation and link failover.

Introduction
Support for the trunk(4) interface has been in OpenBSD since version 3.9 (the latest release at the present moment), allowing link aggregation and link failover. One virtual trunk(4) interface can be created from multiple network interfaces.

Example
A simple example: creating a failover trunk from two Gigabit Ethernet interfaces and one wireless interface:

# ifconfig bge0 up
# ifconfig bge1 up
# ifconfig ath0 nwid test_network up
# ifconfig trunk0 trunkproto failover trunkport bge0 trunkport bge1 trunkport ath0 192.168.0.1 netmask 255.255.255.0

Of course, loadbalance can also be used in this example.

Monday, April 17, 2006

remote ipfw module loading

Loading the ipfw module remotely is dangerous because, if your firewall rules are not right, you can lose remote access to the server. To prevent this, create an at(1) job with the 'kldunload ipfw' command. If the module is loaded and you can still log in to the server remotely with an ssh(1) client, just delete this job.
Checklist:

  • Create the /etc/rc.firewall script with the ipfw rules;
  • Make sure the rules allow remote access using ssh(1) through the firewall;
  • Create an at(1) job with 'kldunload ipfw';
  • Load the ipfw module using 'kldload ipfw';
  • Try to access the allowed services;
  • If all is right, delete the at(1) job.
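
The checklist above as a guarded shell script, added here as an example and not part of the original post. The function names, the 10-minute default delay and the confirmation prompt are assumptions; the script refuses to load the module unless the rollback job was actually scheduled.

```sh
#!/bin/sh
# Dead-man's switch for loading ipfw over ssh (FreeBSD).
# Assumptions (not from the original post): the 10-minute default delay,
# the function names, and the interactive confirmation prompt.

# Extract the job number from at(1) output read on stdin.
# FreeBSD prints "Job N will be executed using /bin/sh"; other at(1)
# implementations print "job N at <date>". Both forms are accepted.
parse_at_job_id() {
    sed -n 's/^[Jj]ob \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Schedule 'kldunload ipfw' N minutes from now and print the job number.
# at(1) reports the job on stderr, hence the 2>&1.
arm_rollback() {
    minutes=$1
    out=$(echo 'kldunload ipfw' | at now + "$minutes" minutes 2>&1) || return 1
    id=$(printf '%s\n' "$out" | parse_at_job_id)
    [ -n "$id" ] || return 1      # no job number means no safety net
    printf '%s\n' "$id"
}

# Remove the rollback job once access has been verified.
disarm_rollback() {
    atrm "$1"
}

load_ipfw_guarded() {
    minutes=${1:-10}
    job=$(arm_rollback "$minutes") || { echo "no rollback job, aborting" >&2; return 1; }
    echo "rollback job $job armed: ipfw unloads in $minutes minutes" >&2
    kldload ipfw || { disarm_rollback "$job"; return 1; }
    # Confirm with a new ssh login. If this session is cut off, the prompt
    # is never answered and the at(1) job unloads the module.
    printf 'New ssh login and allowed services work? [y/N] ' >&2
    read -r answer || answer=n
    case $answer in
        y|Y) disarm_rollback "$job" && echo "rollback job $job removed" >&2 ;;
        *)   echo "keeping job $job; ipfw will be unloaded" >&2; return 2 ;;
    esac
}

# Runs only when asked, e.g.: sh guarded-ipfw.sh load 10
if [ "${1:-}" = "load" ]; then
    load_ipfw_guarded "${2:-10}"
fi
```

Any answer other than "y" leaves the at(1) job in place, so a wrong rule set is undone when the timer expires.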