commit 7c5bdce9e2def35573a5c099d6e39f8b5b3875cb from: gonzalo date: Wed Jul 25 23:43:31 2018 UTC initial apu2_openbsd commit - /dev/null commit + 7c5bdce9e2def35573a5c099d6e39f8b5b3875cb
blob - /dev/null
blob + 1352aaf6fec081ef4f99bd0f87940c00afac1f21 (mode 644)
--- /dev/null
+++ Makefile
@@ -0,0 +1,36 @@
+#
+# Makefile pr0n.
+#
+# by gonzalo@x61.sh
+#
+#
+
+apu2:
+ @echo ""
+ @echo "[+] Downloading files from https://github.com/gonzalo-/apu2_openbsd"
+ @echo ""
+ @cd /tmp
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/boot.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/hostname.{em0,em1,em2,bridge0,vether0}
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/dhcpd.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/dhclient.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/pf.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/httpd.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/relayd.conf
+ @ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/sysctl.conf
+ @echo ""
+ @echo "[+] Installing files..."
+ @echo ""
+ @install -m 0640 -g wheel -o root /tmp/hostname.{em0,em1,em2,bridge0,vether0} /etc
+ @install -m 0600 -g wheel -o root /tmp/{pf,relayd,httpd}.conf /etc
+ @install -m 0644 -g wheel -o root /tmp/sysctl.conf /etc
+ @install -m 0644 -g wheel -o root /tmp/dhcpd.conf /etc
+ @install -m 0644 -g wheel -o root /tmp/dhclient.conf /etc
+ @install -m 0644 -g wheel -o root /tmp/boot.conf /
+ @rm /tmp/hostname.{em0,em1,em2,bridge0,vether0} /tmp/boot.conf
+ @rm /tmp/{pf,relayd,httpd}.conf /tmp/sysctl.conf /tmp/dhcpd.conf /tmp/dhclient.conf
+ @rcctl enable dhcpd && rcctl set dhcpd flags vether0 em1 em2
+ @rcctl enable ntpd && rcctl set ntpd flags -s
+ @echo ""
+ @echo "[+] All done, you can reboot now."
+ @echo ""
blob - /dev/null
blob + 4ebcb37bb02ae493acc54d6cfb8f6bdb180651ef (mode 644)
--- /dev/null
+++ README.md
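Review bot: The `@cd /tmp` recipe line has no effect on the lines after it, because make runs each recipe line in its own shell, so the `ftp -V` downloads land in whatever directory make was invoked from while the `install` and `rm` lines hard-code /tmp; the target only works because README tells the user to `cd /tmp` first. Either drop the `cd` and fetch with an explicit destination, e.g. `@ftp -V -o /tmp/boot.conf https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/boot.conf`, or join the lines with `&&` into one shell. Separately, the recipe runs as root, writes to world-writable /tmp under predictable names, and then installs the results into /etc and enables dhcpd without any integrity check on what was fetched from the mutable master branch; a private directory from `mktemp -d` plus a pinned commit (or a sha256 comparison against a known value) would close both gaps. The same pattern appears in apu2.sh later in this commit.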
@@ -0,0 +1,75 @@
+# OpenBSD on Apu2
+
+The idea of this repo is to setup an [APU2](http://pcengines.ch/apu2c4.htm) with [OpenBSD](http://openbsd.org) as OS, for
+a Firewall/Gateway/AP box at home (or maybe a company).
+
+At this time you should set the right date on your APU2 with something like:
+
+```
+# date 201703300045
+Thu Mar 30 00:45:00 -03 2017
+```
+
+## Makefile usage
+
+Assuming that you already have OpenBSD installed (with compXX.tgz) on your APU2 with just an internet connection, you can do this:
+
+```
+# echo 'https://ftp5.usa.openbsd.org/pub/OpenBSD/' > /etc/installurl # Skip this if you already have a mirror.
+# cd /tmp
+# ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/Makefile
+# make apu2
+
+[+] Downloading files from https://github.com/gonzalo-/apu2_openbsd
+
+boot.conf 100% |*****************************************************************| 30 00:00
+hostname.em0 100% |*****************************************************************| 31 00:00
+hostname.em1 100% |*****************************************************************| 3 00:00
+hostname.em2 100% |*****************************************************************| 3 00:00
+hostname.bridge0 100% |*****************************************************************| 107 00:00
+hostname.vether0 100% |*****************************************************************| 39 00:00
+dhcpd.conf 100% |*****************************************************************| 420 00:00
+dhclient.conf 100% |********************************************************************| 216 00:00
+pf.conf 100% |*****************************************************************| 1882 00:00
+relayd.conf 100% |*****************************************************************| 683 00:00
+sysctl.conf 100% |*****************************************************************| 25 00:00
+
+[+] Installing files...
+
+[+] All done, you can reboot now.
+# reboot
+```
+
+## apu2.sh usage
+
+Assuming that you already have OpenBSD installed on your APU2 with just an internet connection, you can do this:
+
+```
+# echo 'https://ftp5.usa.openbsd.org/pub/OpenBSD/' > /etc/installurl # Skip this if you already have a mirror.
+# cd /tmp
+# ftp -o - https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/apu2.sh | sh -
+Trying 151.101.24.133...
+Requesting https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/apu2.sh
+1329 bytes received in 0.00 seconds (6.12 MB/s)
+
+[+] Downloading files from https://github.com/gonzalo-/apu2_openbsd
+
+boot.conf 100% |*****************************************************************| 30 00:00
+hostname.em0 100% |*****************************************************************| 31 00:00
+hostname.em1 100% |*****************************************************************| 3 00:00
+hostname.em2 100% |*****************************************************************| 3 00:00
+hostname.bridge0 100% |*****************************************************************| 107 00:00
+hostname.vether0 100% |*****************************************************************| 39 00:00
+dhcpd.conf 100% |*****************************************************************| 420 00:00
+dhclient.conf 100% |********************************************************************| 216 00:00
+pf.conf 100% |*****************************************************************| 1882 00:00
+relayd.conf 100% |*****************************************************************| 683 00:00
+sysctl.conf 100% |*****************************************************************| 25 00:00
+
+[+] Installing files...
+
+
+[+] All done, you can reboot now.
+# reboot
+```
+
blob - /dev/null
blob + 334be40b7095ad3011db14ec16897043860cc408 (mode 644)
--- /dev/null
+++ apu2.conf
@@ -0,0 +1,11 @@
+System hostname = apu2
+Password for root = lZDI1NTE5AAA
+Setup a user = gonzalo
+Password for user = WWbQuX3FzDDkhqMO
+Public ssh key for user = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU/TMtNOSmogKCsZcWWbQuX3FzDDkhqMOHULy/1wqfx gonzalo@r0nin
+Allow root ssh login = prohibit-password
+What timezone are you in = America/Buenos_Aires
+Location of sets = http
+HTTP Server = ftp3.usa.openbsd.org
+Server directory = pub/OpenBSD/snapshots/amd64
+URL to autopartitioning template for disklabel = http://incre.host/disklabel.apu2
blob - /dev/null
blob + 8a059f208c4985750874302d1c7c13f0fe008f42 (mode 644)
--- /dev/null
+++ apu2.sh
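Review bot: This autoinstall answer file commits a root password and a user password in plaintext to a public repository (`Password for root = …`, `Password for user = …`), and both values appear verbatim as fragments of the public key on the `Public ssh key for user` line, so they offer no protection once the repository is visible. They should be rotated, purged from history, and supplied out of band — or replaced with an encrypt(1)-style hash if the installer version in use accepts hashed answers for these questions. The `URL to autopartitioning template for disklabel` is fetched over plain `http://`, so the partition layout can be altered in transit; serving it over https, or alongside the sets from the mirror already configured two lines above, would be preferable.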
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+#
+
+## Debug
+#set -x
+
+## Check for root
+if test $(whoami) != root; then
+ doas "$0" "$@"
+ exit $?
+fi
+
+echo ""
+echo "[+] Downloading files from https://github.com/gonzalo-/apu2_openbsd"
+echo ""
+cd /tmp
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/boot.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/hostname.{em0,em1,em2,bridge0,vether0}
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/dhcpd.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/dhclient.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/pf.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/httpd.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/relayd.conf
+ftp -V https://raw.githubusercontent.com/gonzalo-/apu2_openbsd/master/sysctl.conf
+echo ""
+echo "[+] Installing files..."
+echo ""
+install -m 0640 -g wheel -o root /tmp/hostname.{em0,em1,em2,bridge0,vether0} /etc
+install -m 0600 -g wheel -o root /tmp/{pf,relayd,httpd}.conf /etc
+install -m 0644 -g wheel -o root /tmp/sysctl.conf /etc
+install -m 0644 -g wheel -o root /tmp/dhcpd.conf /etc
+install -m 0644 -g wheel -o root /tmp/dhclient.conf /etc
+install -m 0644 -g wheel -o root /tmp/boot.conf /
+rm /tmp/hostname.{em0,em1,em2,bridge0,vether0} /tmp/boot.conf
+rm /tmp/{pf,relayd,httpd}.conf /tmp/sysctl.conf /tmp/dhcpd.conf /tmp/dhclient.conf
+rcctl enable dhcpd && rcctl set dhcpd flags vether0 em1 em2
+rcctl enable ntpd && rcctl set ntpd flags -s
+echo ""
+echo "[+] All done, you can reboot now."
+echo ""
blob - /dev/null
blob + ae86ee7a6c4c6273141b3ccd9b4a6cdb9ef4024a (mode 644)
--- /dev/null
+++ boot.conf
@@ -0,0 +1,2 @@
+stty com0 115200
+set tty com0
blob - /dev/null
blob + 3f368d1e63a897238e6eb02b17b51248fb5d31ad (mode 644)
--- /dev/null
+++ dhclient.conf
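Review bot: The root check re-executes `doas "$0" "$@"`, but under the invocation README documents for this script (`ftp -o - … | sh -`) `$0` is `sh` rather than a script path, so a non-root user would get an interactive root shell from doas while the script body never runs. Refusing is simpler and safer than escalating: `if [ "$(id -u)" -ne 0 ]; then echo "run as root" >&2; exit 1; fi`. There is also no `set -e`, so a failed `ftp -V` (no network, a renamed file upstream) does not stop the script and the following `install` and `rcctl enable` lines proceed with whatever happens to be in /tmp; `set -e` after the shebang, or `|| exit 1` on each fetch, would make the failure visible instead of half-applying the configuration.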
@@ -0,0 +1,6 @@
+initial-interval 1;
+send host-name "apu";
+supersede host-name "apu";
+supersede domain-name "x61.com.ar";
+supersede domain-name-servers 10.0.0.21, 10.0.0.1, 127.0.0.1;
+request subnet-mask, broadcast-address, routers;
blob - /dev/null
blob + c151659579f55dde633a40be432bfcf5cddf6f92 (mode 644)
--- /dev/null
+++ dhcpd.conf
@@ -0,0 +1,22 @@
+# Cableada
+authoritative;
+
+shared-network LOCAL-NET {
+ option domain-name "x61.com.ar";
+ option domain-name-servers 10.0.0.1, 10.0.0.21;
+
+ subnet 10.0.0.0 netmask 255.255.255.0 {
+ option routers 10.0.0.1;
+ option domain-name-servers 10.0.0.21, 10.0.0.1;
+ range 10.0.0.50 10.0.0.70;
+ }
+}
+
+group {
+# Red
+ host alix {
+ hardware ethernet 01:0d:b9:1c:14:ad;
+ fixed-address 10.0.0.1;
+ option host-name "alix";
+ }
+}
blob - /dev/null
blob + cda41bead1aa0d6c1e969c31caae8b63adacbc19 (mode 644)
--- /dev/null
+++ disklabel.apu2
@@ -0,0 +1,9 @@
+/ 2G
+swap 1G
+/tmp 1G
+/usr 2G
+/usr/local 3G
+/var 1G
+/var/log 2G
+/home 2G
+/usr/X11R6 1G
blob - /dev/null
blob + 072fc2c2cde3d1840a86c4639da92dbc8560d5b0 (mode 644)
--- /dev/null
+++ hostname.athn0
@@ -0,0 +1,7 @@
+inet 10.0.0.2 255.255.255.0 10.0.0.255
+media autoselect mediaopt hostap
+nwid batman
+wpakey Alfred.Pennyworth321
+wpaprotos wpa2
+chan 1
+up
blob - /dev/null
blob + 1d2075895132bcdb83fe0d8f3d590f05ebf35c9b (mode 644)
--- /dev/null
+++ hostname.bridge0
@@ -0,0 +1,9 @@
+add vether0
+add em1
+add em2
+add athn0
+blocknonip vether0
+blocknonip em1
+blocknonip em2
+blocknonip athn0
+up
blob - /dev/null
blob + cd6767fae80ad6b4716c6da62ba753e872423b3b (mode 644)
--- /dev/null
+++ hostname.em0
@@ -0,0 +1,2 @@
+dhcp
+description "External IP"
blob - /dev/null
blob + e31ee94e1765c8787926045939dcae3c98c4215b (mode 644)
--- /dev/null
+++ hostname.em1
@@ -0,0 +1 @@
+up
blob - /dev/null
blob + e31ee94e1765c8787926045939dcae3c98c4215b (mode 644)
--- /dev/null
+++ hostname.em2
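Review bot: In dhcpd.conf's `group` block, host `alix` is given `fixed-address 10.0.0.1`, which is the same address that `option routers 10.0.0.1` advertises as the gateway and that hostname.vether0 (later in this commit) assigns to this box itself, so leasing it to another host would create an address conflict on the LAN. The `hardware ethernet 01:0d:b9:1c:14:ad` entry also has the multicast bit set in its first octet, so it cannot be a client's unicast MAC — presumably a typo for a `00:0d:b9:…` address, which is worth confirming against the device before the reservation is relied on.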
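Review bot: hostname.athn0 commits the wireless pre-shared key in plaintext (`wpakey Alfred.Pennyworth321`) to a public repository; the key should be rotated and the tracked file reduced to a placeholder such as `wpakey <PSK-REDACTED>`, with the real value kept in a local, untracked copy carrying the same 0640 root:wheel mode the Makefile applies to the other hostname files. Note also that neither the Makefile nor apu2.sh fetch or install hostname.athn0, while hostname.bridge0 does `add athn0` and `blocknonip athn0`, so on a fresh install the access-point side of the bridge presumably will not come up unless this file is deployed by hand.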
@@ -0,0 +1 @@
+up
blob - /dev/null
blob + f9f7fde575062fa44bc85b521c652e8f6177b408 (mode 644)
--- /dev/null
+++ hostname.vether0
@@ -0,0 +1 @@
+inet 10.0.0.1 255.255.255.0 10.0.0.255
blob - /dev/null
blob + d3839dabeebf3a4487c45eb7341c13ac0c6fa4dc (mode 644)
--- /dev/null
+++ httpd.conf
@@ -0,0 +1,54 @@
+ext_if="*"
+
+types { include "/usr/share/misc/mime.types" }
+
+## HTTPS
+server "foobar.com" {
+ listen on $ext_addr tls port 443
+ alias "www.foobar.com"
+
+ tls {
+ certificate "/etc/ssl/acme/fullchain.pem"
+ key "/etc/ssl/acme/private/privkey.pem"
+ }
+
+ # Set max upload size to 513M (in bytes)
+ connection max request body 537919488
+
+ # We need logs
+ log { access "logs/https-access.log", error "logs/https-error.log" }
+
+ # PHP still alive
+ location "*.php" {
+ fastcgi socket "/run/php-fpm.sock"
+ }
+
+ # We want /test without index
+ location "/test/*" {
+ directory auto index
+ log style combined
+ }
+
+ # Where files are
+ root "/htdocs"
+}
+
+## HTTP
+server "foobar.com" {
+ listen on $ext_addr port 80
+ alias "www.foobar.com"
+
+ # We want all over TLS
+ location "/*" { block return 301 "https://$SERVER_NAME$REQUEST_URI" }
+
+ # We need logs
+ log { access "logs/http-access.log", error "logs/http-error.log" }
+
+ # PHP still alive
+ location "*.php" {
+ fastcgi socket "/run/php-fpm.sock"
+ }
+
+ # Where files are
+ root "/htdocs"
+}
blob - /dev/null
blob + cce52db855e193c863ae0f61cf19c953871ab0cc (mode 644)
--- /dev/null
+++ pf.conf
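Review bot: Both `listen on $ext_addr …` lines in httpd.conf reference a macro the file never defines — the only macro declared is `ext_if="*"` on its first line — so httpd(8) should reject the configuration with a macro-not-defined error at load time; renaming that first line to `ext_addr="*"`, or declaring the intended address under that name, fixes the parse. Which address is intended needs a decision rather than a mechanical rename: relayd.conf in this commit also listens on port 80 on em0, and pf.conf only passes inbound 80 and 22 on $ext_if, so a wildcard listener on 80 would compete with relayd and the TLS server on 443 is unreachable from outside as configured; binding httpd to the internal address relayd forwards to (10.0.0.1 appears in its tables) looks like the intent, but that is inferred. The `location "/test/*"` block turns on `directory auto index`, which publishes a listing of that tree to anyone who can reach the server — fine if deliberate, otherwise worth dropping or noting in the comment above it.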
@@ -0,0 +1,59 @@
+ext_if = "em0"
+int_if = "{ vether0 athn0 em1 em2 }"
+lan = "10.0.0.0/24"
+ping = "echoreq"
+
+## Tables
+table persist
+
+## Opcions
+set block-policy return
+set optimization aggressive
+set skip on lo
+
+## Scrub
+match in all scrub (no-df random-id max-mss 1440)
+match out on egress inet from !(egress:network) to any \
+ nat-to (egress:0) set prio (5, 6)
+
+## Block all
+block in quick on egress from to any
+block all
+
+## Pass in from interal
+pass in on $int_if inet
+
+## Pass out all
+pass out
+
+## Pass out with prio
+pass out quick inet proto tcp from any to any \
+ port { 22 2222 } set prio 7
+
+pass out quick inet proto tcp from any to any \
+ port { 80 443 } set prio (5, 6)
+
+## We love ping
+pass in inet proto icmp all icmp-type $ping
+
+## Pass on internal DNS
+#pass in on $int_if proto udp from $lan to $int_if port 53 \
+# set prio 6
+
+## Pass HTTP to relayd
+## We setup a max-src-conn and
+## max-src-conn-rate for bad people
+pass in on $ext_if proto tcp from any \
+ to $ext_if port 80 rdr-to $ext_if port 80 \
+ flags S/SA modulate state \
+ (max-src-conn 30, max-src-conn-rate 10/5, \
+ overload flush global) \
+ set prio (2, 3)
+
+## Pass SSH to apu2
+pass in log on $ext_if proto tcp from any os OpenBSD \
+ to $ext_if port 22 \
+ flags S/SA modulate state \
+ (max-src-conn 3, max-src-conn-rate 3/2, \
+ overload flush global) \
+ set prio 6
blob - /dev/null
blob + 34d5c31e25b90cbf54f773d72125a51517562f97 (mode 644)
--- /dev/null
+++ relayd.conf
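Review bot: The `table persist`, `block in quick on egress from to any` and both `overload flush global)` lines carry no table name as shown here, so the file in this form would not pass `pfctl -nf`; this looks like an angle-bracketed `<name>` lost in rendering rather than a real omission, but it should be confirmed against the raw file since the rate-limit rules depend on it. Separately, nothing passes inbound port 443 on $ext_if while httpd.conf in this commit serves TLS on 443, so that listener is unreachable from egress unless a rule such as `pass in on $ext_if proto tcp to $ext_if port 443` is added. The SSH rule's `from any os OpenBSD` relies on passive fingerprinting from /etc/pf.os, so an admin connecting from another operating system, or through a NAT that rewrites TCP options, will be rejected without any hint why — a lockout risk that deserves a comment on that line so the next reader does not remove it or trip over it by surprise.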
@@ -0,0 +1,30 @@
+ext_addr="em0"
+
+table { 10.0.0.1 }
+table { 10.0.0.90 }
+table { 10.0.0.83 }
+
+http protocol www {
+ return error
+
+ block
+
+ match request header "Host" value "apu2.x61.com.ar" tag "apu2"
+ pass request tagged "apu2" forward to
+
+ match request header "Host" value "www.x61.com.ar" tag "www"
+ pass request tagged "www" forward to
+
+ match request header "Host" value "ports.x61.com.ar" tag "ports"
+ pass request tagged "ports" forward to
+}
+
+relay www {
+ listen on $ext_addr port 80
+
+ protocol www
+
+ forward to check http "/" code 200
+ forward to check http "/" code 200
+ forward to check http "/" code 200
+}
blob - /dev/null
blob + cd3cf1784ae7185fa8b88d92c932e19427522708 (mode 644)
--- /dev/null
+++ sysctl.conf
@@ -0,0 +1 @@
+net.inet.ip.forwarding=1
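Review bot: The three `table { … }` declarations and every `forward to` line carry no table name as shown, so relayd(8) cannot parse the file in this form; as with pf.conf this is probably an angle-bracketed `<name>` dropped in rendering, but it should be checked in the raw file. One backend is 10.0.0.1, the address hostname.vether0 in this commit assigns to this box itself, so that entry presumably targets the local httpd — whose listener macro is currently undefined in httpd.conf, meaning the `check http "/" code 200` for that backend would keep it marked down until both files are aligned. The bare `block` ahead of the Host-tagged `pass` rules is a sound default-deny; a one-line comment such as `# requests whose Host header matches no rule below are refused` would make that intent explicit.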