commit - /dev/null
commit + 7c5bdce9e2def35573a5c099d6e39f8b5b3875cb
blob - /dev/null
blob + 1352aaf6fec081ef4f99bd0f87940c00afac1f21 (mode 644)
--- /dev/null
+++ Makefile
+#
+# Makefile pr0n.
+#
+# by gonzalo@x61.sh
+#
+#
+
+apu2:
+ @echo ""
+ @echo "[+] Downloading files from https://github.com/gonzalo-/apu2_openbsd"
+ @echo ""
+ @cd /tmp
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/boot.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/hostname.{em0,em1,em2,bridge0,vether0}
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/dhcpd.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/dhclient.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/pf.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/httpd.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/relayd.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/sysctl.conf
+ @echo ""
+ @echo "[+] Installing files..."
+ @echo ""
+ @install -m 0640 -g wheel -o root /tmp/hostname.{em0,em1,em2,bridge0,vether0} /etc
+ @install -m 0600 -g wheel -o root /tmp/{pf,relayd,httpd}.conf /etc
+ @install -m 0644 -g wheel -o root /tmp/sysctl.conf /etc
+ @install -m 0644 -g wheel -o root /tmp/dhcpd.conf /etc
+ @install -m 0644 -g wheel -o root /tmp/dhclient.conf /etc
+ @install -m 0644 -g wheel -o root /tmp/boot.conf /
+ @rm /tmp/hostname.{em0,em1,em2,bridge0,vether0} /tmp/boot.conf
+ @rm /tmp/{pf,relayd,httpd}.conf /tmp/sysctl.conf /tmp/dhcpd.conf /tmp/dhclient.conf
+ @rcctl enable dhcpd && rcctl set dhcpd flags vether0 em1 em2
+ @rcctl enable ntpd && rcctl set ntpd flags -s
+ @echo ""
+ @echo "[+] All done, you can reboot now."
+ @echo ""
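Review bot: The `@cd /tmp` on its own recipe line has no effect, because make runs each recipe line in a separate shell, so the ftp downloads that follow land in whatever directory make was started from while the install and rm lines expect the files under /tmp; the README masks this by having the user run `cd /tmp` before `make apu2`. Tie the directory change to the command that depends on it, e.g. `@cd /tmp && ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/boot.conf`, or collapse the download block into one recipe line joined with `&& \`. Separately, the recipe installs pf.conf, httpd.conf and relayd.conf but only enables dhcpd and ntpd; if those daemons are meant to run after the reboot, add `@rcctl enable httpd && rcctl enable relayd` next to the existing rcctl lines, and the same gap exists in apu2.sh. httpd.conf is also downloaded here but absent from the README's sample transcript, which looks like a stale example rather than a recipe defect.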
blob - /dev/null
blob + 4ebcb37bb02ae493acc54d6cfb8f6bdb180651ef (mode 644)
--- /dev/null
+++ README.md
+# OpenBSD on Apu2
+
+The idea of this repo is to setup an [APU2](http://pcengines.ch/apu2c4.htm) with [OpenBSD](http://openbsd.org) as OS, for
+a Firewall/Gateway/AP box at home (or maybe a company).
+
+At this time you should set the right date on your APU2 with something like:
+
+```
+# date 201703300045
+Thu Mar 30 00:45:00 -03 2017
+```
+
+## Makefile usage
+
+Assuming that you already have OpenBSD installed (with compXX.tgz) on your APU2 with just an internet connection, you can do this:
+
+```
+# echo 'https://ftp5.usa.openbsd.org/pub/OpenBSD/' > /etc/installurl # Skip this if you already have a mirror.
+# cd /tmp
+# ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/Makefile
+# make apu2
+
+[+] Downloading files from https://github.com/gonzalo-/apu2_openbsd
+
+boot.conf 100% |*****************************************************************| 30 00:00
+hostname.em0 100% |*****************************************************************| 31 00:00
+hostname.em1 100% |*****************************************************************| 3 00:00
+hostname.em2 100% |*****************************************************************| 3 00:00
+hostname.bridge0 100% |*****************************************************************| 107 00:00
+hostname.vether0 100% |*****************************************************************| 39 00:00
+dhcpd.conf 100% |*****************************************************************| 420 00:00
+dhclient.conf 100% |********************************************************************| 216 00:00
+pf.conf 100% |*****************************************************************| 1882 00:00
+relayd.conf 100% |*****************************************************************| 683 00:00
+sysctl.conf 100% |*****************************************************************| 25 00:00
+
+[+] Installing files...
+
+[+] All done, you can reboot now.
+# reboot
+```
+
+## apu2.sh usage
+
+Assuming that you already have OpenBSD installed on your APU2 with just an internet connection, you can do this:
+
+```
+# echo 'https://ftp5.usa.openbsd.org/pub/OpenBSD/' > /etc/installurl # Skip this if you already have a mirror.
+# cd /tmp
+# ftp -o - https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/apu2.sh | sh -
+Trying 151.101.24.133...
+Requesting https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/apu2.sh
+1329 bytes received in 0.00 seconds (6.12 MB/s)
+
+[+] Downloading files from https://github.com/gonzalo-/apu2_openbsd
+
+boot.conf 100% |*****************************************************************| 30 00:00
+hostname.em0 100% |*****************************************************************| 31 00:00
+hostname.em1 100% |*****************************************************************| 3 00:00
+hostname.em2 100% |*****************************************************************| 3 00:00
+hostname.bridge0 100% |*****************************************************************| 107 00:00
+hostname.vether0 100% |*****************************************************************| 39 00:00
+dhcpd.conf 100% |*****************************************************************| 420 00:00
+dhclient.conf 100% |********************************************************************| 216 00:00
+pf.conf 100% |*****************************************************************| 1882 00:00
+relayd.conf 100% |*****************************************************************| 683 00:00
+sysctl.conf 100% |*****************************************************************| 25 00:00
+
+[+] Installing files...
+
+
+[+] All done, you can reboot now.
+# reboot
+```
+
blob - /dev/null
blob + 334be40b7095ad3011db14ec16897043860cc408 (mode 644)
--- /dev/null
+++ apu2.conf
+System hostname = apu2
+Password for root = lZDI1NTE5AAA
+Setup a user = gonzalo
+Password for user = WWbQuX3FzDDkhqMO
+Public ssh key for user = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU/TMtNOSmogKCsZcWWbQuX3FzDDkhqMOHULy/1wqfx gonzalo@r0nin
+Allow root ssh login = prohibit-password
+What timezone are you in = America/Buenos_Aires
+Location of sets = http
+HTTP Server = ftp3.usa.openbsd.org
+Server directory = pub/OpenBSD/snapshots/amd64
+URL to autopartitioning template for disklabel = http://incre.host/disklabel.apu2
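Review bot: This autoinstall response file commits a root password and a user password in clear text, and both values look like substrings of the ssh public key on the next line, so presumably they are placeholders that were never replaced; either way they are now public history and should be treated as burned. If I recall correctly, autoinstall(8) accepts an already-encrypted value for the root password answer, which would let the real secret stay out of the repo; and since an ssh key is provided, the user password line can be dropped so the account is key-only. The disklabel template on the last line is fetched over plain http, which means the partition layout applied to the box can be altered in transit; the same file is available over https from the repository host, so `URL to autopartitioning template for disklabel = https://<repo-host>/disklabel.apu2` (placeholder host) would remove that exposure.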
blob - /dev/null
blob + 8a059f208c4985750874302d1c7c13f0fe008f42 (mode 644)
--- /dev/null
+++ apu2.sh
+#!/bin/sh
+#
+#
+
+## Debug
+#set -x
+
+## Check for root
+if test $(whoami) != root; then
+ doas "$0" "$@"
+ exit $?
+fi
+
+echo ""
+echo "[+] Downloading files from https://github.com/gonzalo-/apu2_openbsd"
+echo ""
+cd /tmp
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/boot.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/hostname.{em0,em1,em2,bridge0,vether0}
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/dhcpd.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/dhclient.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/pf.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/httpd.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/relayd.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/sysctl.conf
+echo ""
+echo "[+] Installing files..."
+echo ""
+install -m 0640 -g wheel -o root /tmp/hostname.{em0,em1,em2,bridge0,vether0} /etc
+install -m 0600 -g wheel -o root /tmp/{pf,relayd,httpd}.conf /etc
+install -m 0644 -g wheel -o root /tmp/sysctl.conf /etc
+install -m 0644 -g wheel -o root /tmp/dhcpd.conf /etc
+install -m 0644 -g wheel -o root /tmp/dhclient.conf /etc
+install -m 0644 -g wheel -o root /tmp/boot.conf /
+rm /tmp/hostname.{em0,em1,em2,bridge0,vether0} /tmp/boot.conf
+rm /tmp/{pf,relayd,httpd}.conf /tmp/sysctl.conf /tmp/dhcpd.conf /tmp/dhclient.conf
+rcctl enable dhcpd && rcctl set dhcpd flags vether0 em1 em2
+rcctl enable ntpd && rcctl set ntpd flags -s
+echo ""
+echo "[+] All done, you can reboot now."
+echo ""
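Review bot: The script runs with no `set -e`, so a failed download (ftp exits non-zero) is ignored, the matching install later fails on a missing file, and the script still proceeds to enable services and announce "All done"; adding `set -eu` right after the shebang makes any failed step abort the run. The files are staged at fixed names in world-writable /tmp and then installed as root; staging them in a private directory from `tmp=$(mktemp -d) && cd "$tmp"` and referring to `"$tmp"` instead of /tmp in the install and rm lines avoids racing against anything another local user pre-creates there. The root check re-executes `doas "$0" "$@"`, but the README runs this script as `ftp -o - ... | sh -`, where `$0` is `sh` and not the script, so a non-root invocation that way would not re-run the script as intended; documenting that the script must be run as root, or by path, would be enough. As in the Makefile, httpd and relayd get their configs installed but are never enabled via rcctl.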
blob - /dev/null
blob + ae86ee7a6c4c6273141b3ccd9b4a6cdb9ef4024a (mode 644)
--- /dev/null
+++ boot.conf
+stty com0 115200
+set tty com0
blob - /dev/null
blob + 3f368d1e63a897238e6eb02b17b51248fb5d31ad (mode 644)
--- /dev/null
+++ dhclient.conf
+initial-interval 1;
+send host-name "apu";
+supersede host-name "apu";
+supersede domain-name "x61.com.ar";
+supersede domain-name-servers 10.0.0.21, 10.0.0.1, 127.0.0.1;
+request subnet-mask, broadcast-address, routers;
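Review bot: The superseded resolver list names 10.0.0.1 and 127.0.0.1, both of which are this box itself (10.0.0.1 is assigned to vether0 in hostname.vether0), yet nothing in this commit configures or enables a local resolver, so as far as I can tell lookups that fall through to those entries will just time out. If a local unbound or similar is expected, say so in a comment such as `# 10.0.0.1/127.0.0.1 assume a local resolver is enabled separately`; otherwise drop those two entries and keep only the reachable server.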
blob - /dev/null
blob + c151659579f55dde633a40be432bfcf5cddf6f92 (mode 644)
--- /dev/null
+++ dhcpd.conf
+# Cableada
+authoritative;
+
+shared-network LOCAL-NET {
+ option domain-name "x61.com.ar";
+ option domain-name-servers 10.0.0.1, 10.0.0.21;
+
+ subnet 10.0.0.0 netmask 255.255.255.0 {
+ option routers 10.0.0.1;
+ option domain-name-servers 10.0.0.21, 10.0.0.1;
+ range 10.0.0.50 10.0.0.70;
+ }
+}
+
+group {
+# Red
+ host alix {
+ hardware ethernet 01:0d:b9:1c:14:ad;
+ fixed-address 10.0.0.1;
+ option host-name "alix";
+ }
+}
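Review bot: The fixed-address for host alix is 10.0.0.1, which is the address this file hands out as `option routers` and the address hostname.vether0 assigns to the gateway itself, so a lease to that MAC would collide with the router; presumably a different address in 10.0.0.0/24 was intended, e.g. `fixed-address 10.0.0.10;`. The hardware address `01:0d:b9:1c:14:ad` also has the group bit set in its first octet, which a station's unicast MAC never does, so it looks like a typo for a `00:0d:b9:...` address — worth confirming against the device. The `# Red` / `# Cableada` comments are the only documentation; a one-line note on what the `group` reservation block is for would help the next editor.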
blob - /dev/null
blob + cda41bead1aa0d6c1e969c31caae8b63adacbc19 (mode 644)
--- /dev/null
+++ disklabel.apu2
+/ 2G
+swap 1G
+/tmp 1G
+/usr 2G
+/usr/local 3G
+/var 1G
+/var/log 2G
+/home 2G
+/usr/X11R6 1G
blob - /dev/null
blob + 072fc2c2cde3d1840a86c4639da92dbc8560d5b0 (mode 644)
--- /dev/null
+++ hostname.athn0
+inet 10.0.0.2 255.255.255.0 10.0.0.255
+media autoselect mediaopt hostap
+nwid batman
+wpakey Alfred.Pennyworth321
+wpaprotos wpa2
+chan 1
+up
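Review bot: hostname.athn0 is added to the repo but is not among the files that the Makefile or apu2.sh download and install, even though hostname.bridge0 adds athn0 to the bridge and pf.conf lists athn0 in $int_if, so a box set up by the recipe ends up with a bridge member that has no configuration; add athn0 to the `hostname.{em0,em1,em2,bridge0,vether0}` lists in both installers, or document that the wireless side is configured by hand. The wpakey on line 4 is a WPA2 passphrase committed to a public repository and should be rotated and replaced here with a placeholder such as `wpakey <your-passphrase>`. Note the installers copy hostname.* files with mode 0640, which would keep the key unreadable by other local users once this file is actually installed.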
blob - /dev/null
blob + 1d2075895132bcdb83fe0d8f3d590f05ebf35c9b (mode 644)
--- /dev/null
+++ hostname.bridge0
+add vether0
+add em1
+add em2
+add athn0
+blocknonip vether0
+blocknonip em1
+blocknonip em2
+blocknonip athn0
+up
blob - /dev/null
blob + cd6767fae80ad6b4716c6da62ba753e872423b3b (mode 644)
--- /dev/null
+++ hostname.em0
+dhcp
+description "External IP"
blob - /dev/null
blob + e31ee94e1765c8787926045939dcae3c98c4215b (mode 644)
--- /dev/null
+++ hostname.em1
+up
blob - /dev/null
blob + e31ee94e1765c8787926045939dcae3c98c4215b (mode 644)
--- /dev/null
+++ hostname.em2
+up
blob - /dev/null
blob + f9f7fde575062fa44bc85b521c652e8f6177b408 (mode 644)
--- /dev/null
+++ hostname.vether0
+inet 10.0.0.1 255.255.255.0 10.0.0.255
blob - /dev/null
blob + d3839dabeebf3a4487c45eb7341c13ac0c6fa4dc (mode 644)
--- /dev/null
+++ httpd.conf
+ext_if="*"
+
+types { include "/usr/share/misc/mime.types" }
+
+## HTTPS
+server "foobar.com" {
+ listen on $ext_addr tls port 443
+ alias "www.foobar.com"
+
+ tls {
+ certificate "/etc/ssl/acme/fullchain.pem"
+ key "/etc/ssl/acme/private/privkey.pem"
+ }
+
+ # Set max upload size to 513M (in bytes)
+ connection max request body 537919488
+
+ # We need logs
+ log { access "logs/https-access.log", error "logs/https-error.log" }
+
+ # PHP still alive
+ location "*.php" {
+ fastcgi socket "/run/php-fpm.sock"
+ }
+
+ # We want /test without index
+ location "/test/*" {
+ directory auto index
+ log style combined
+ }
+
+ # Where files are
+ root "/htdocs"
+}
+
+## HTTP
+server "foobar.com" {
+ listen on $ext_addr port 80
+ alias "www.foobar.com"
+
+ # We want all over TLS
+ location "/*" { block return 301 "https://$SERVER_NAME$REQUEST_URI" }
+
+ # We need logs
+ log { access "logs/http-access.log", error "logs/http-error.log" }
+
+ # PHP still alive
+ location "*.php" {
+ fastcgi socket "/run/php-fpm.sock"
+ }
+
+ # Where files are
+ root "/htdocs"
+}
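Review bot: Both server blocks use `$ext_addr`, but the only macro defined in this file is `ext_if`, so httpd will refuse the configuration as written; either rename the definition to `ext_addr="*"` or change the two listen lines to `listen on $ext_if ... port ...`. Once that is fixed there is a second problem: the HTTP block listens on port 80 on every address while relayd.conf has a relay listening on em0 port 80, so one of the two daemons will fail to bind; given that relayd forwards to 10.0.0.1 in its <apu2> table, httpd presumably should listen only on the internal address, e.g. `listen on 10.0.0.1 port 80`. The server names are still "foobar.com" placeholders, while relayd matches Host headers for hosts under x61.com.ar; if this file is meant to be installed as-is, a comment saying which names to substitute would avoid confusion.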
blob - /dev/null
blob + cce52db855e193c863ae0f61cf19c953871ab0cc (mode 644)
--- /dev/null
+++ pf.conf
+ext_if = "em0"
+int_if = "{ vether0 athn0 em1 em2 }"
+lan = "10.0.0.0/24"
+ping = "echoreq"
+
+## Tables
+table <bruteforce> persist
+
+## Opcions
+set block-policy return
+set optimization aggressive
+set skip on lo
+
+## Scrub
+match in all scrub (no-df random-id max-mss 1440)
+match out on egress inet from !(egress:network) to any \
+ nat-to (egress:0) set prio (5, 6)
+
+## Block all
+block in quick on egress from <bruteforce> to any
+block all
+
+## Pass in from interal
+pass in on $int_if inet
+
+## Pass out all
+pass out
+
+## Pass out with prio
+pass out quick inet proto tcp from any to any \
+ port { 22 2222 } set prio 7
+
+pass out quick inet proto tcp from any to any \
+ port { 80 443 } set prio (5, 6)
+
+## We love ping
+pass in inet proto icmp all icmp-type $ping
+
+## Pass on internal DNS
+#pass in on $int_if proto udp from $lan to $int_if port 53 \
+# set prio 6
+
+## Pass HTTP to relayd
+## We setup a max-src-conn and
+## max-src-conn-rate for bad people
+pass in on $ext_if proto tcp from any \
+ to $ext_if port 80 rdr-to $ext_if port 80 \
+ flags S/SA modulate state \
+ (max-src-conn 30, max-src-conn-rate 10/5, \
+ overload <bruteforce> flush global) \
+ set prio (2, 3)
+
+## Pass SSH to apu2
+pass in log on $ext_if proto tcp from any os OpenBSD \
+ to $ext_if port 22 \
+ flags S/SA modulate state \
+ (max-src-conn 3, max-src-conn-rate 3/2, \
+ overload <bruteforce> flush global) \
+ set prio 6
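Review bot: The HTTP rule redirects `$ext_if port 80` to `$ext_if port 80`, which is a no-op; if the intent is that relayd on em0:80 receives the traffic (relayd.conf listens there), the `rdr-to` clause can simply be dropped, and if the intent is to reach a different listener the target should name it. The SSH rule additionally requires `os OpenBSD`, a passive fingerprint match, which silently drops SSH from any client pf does not classify as OpenBSD; that is a deliberate restriction worth stating in the comment, e.g. `## Pass SSH to apu2, only from clients that fingerprint as OpenBSD`. `pass in on $int_if inet` admits everything from the LAN side to the router itself, which makes the commented-out DNS rule redundant; either tighten the internal rule to the services the box offers or delete the dead DNS lines. The comments "Opcions" and "interal" are typos.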
blob - /dev/null
blob + 34d5c31e25b90cbf54f773d72125a51517562f97 (mode 644)
--- /dev/null
+++ relayd.conf
+ext_addr="em0"
+
+table <apu2> { 10.0.0.1 }
+table <ports> { 10.0.0.90 }
+table <www> { 10.0.0.83 }
+
+http protocol www {
+ return error
+
+ block
+
+ match request header "Host" value "apu2.x61.com.ar" tag "apu2"
+ pass request tagged "apu2" forward to <apu2>
+
+ match request header "Host" value "www.x61.com.ar" tag "www"
+ pass request tagged "www" forward to <www>
+
+ match request header "Host" value "ports.x61.com.ar" tag "ports"
+ pass request tagged "ports" forward to <ports>
+}
+
+relay www {
+ listen on $ext_addr port 80
+
+ protocol www
+
+ forward to <apu2> check http "/" code 200
+ forward to <www> check http "/" code 200
+ forward to <ports> check http "/" code 200
+}
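Review bot: The relay forwards requests whose Host is apu2.x61.com.ar to 10.0.0.1, but the httpd.conf in this commit only defines servers for "foobar.com"/"www.foobar.com", so unless a real name is substituted there the backend match is presumably by fallback rather than by name; aligning the server names, or a comment saying httpd.conf is a template, would make the pairing explicit. The relay also listens on em0 port 80 while httpd.conf listens on port 80 on all addresses, so the two cannot both start as written (see the httpd.conf note). Documenting what the three `check http "/" code 200` backends are expected to serve would help whoever inherits this.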
blob - /dev/null
blob + cd3cf1784ae7185fa8b88d92c932e19427522708 (mode 644)
--- /dev/null
+++ sysctl.conf
+net.inet.ip.forwarding=1