OpenBSD Live-CD Firewall
This page is dedicated to the OpenBSD Live-CD Firewall project.
When I tried to find a Live-CD solution to get started with OpenBSD
I could not find anything comparable, so I started this project
myself. If you are interested in building your own system, details about
the creation of any OpenBSD based Live-CD system can be found on
If you find a mistake or have suggestions for improvement, feel free to
The project idea
The main idea of this project
is to make it as easy as possible for new users of OpenBSD to set it
up as a firewall and use it. OpenBSD offers a highly sophisticated
packet filter called 'pf', and its main goal is to deliver a secure
system. Therefore it is often considered a perfect firewall
system. However, many users don't use it because they think that it
is hard to configure. This Live-CD system should offer these users
an easy way to get into OpenBSD, benefit from its secure architecture
and learn about the mighty pf firewall.
This is NOT a stripped-down firewall-only system. The ISO which
can be downloaded includes a full-featured OpenBSD installation
with all manpages, sample configurations and additional security
related software packages.
- runs without modifying the hard drive
- the external interface is configured via DHCP - should work
with a cable modem connection
- DHCP service for the internal LAN
- caching DNS
- Squid proxy
- NAT (masquerading)
- save your configuration and passwords to a USB mass-storage
device (USB pen drive) [ /backup/etc2usb ]
If the USB device is connected at boot time these settings will
- save all log files to a USB mass-storage device for future
analysis [ /etc/log2usb ]
The use of an ADSL connection is NOT supported at the moment.
However, the system can of course be adapted to fit your needs.
Hopefully this functionality will be available in future
This section lists the installed software packages and version
numbers of the current release only. Not all of the installed
packages are preconfigured. However they are installed to offer
advanced users the possibility to use the programs without the need
to rebuild the whole Live-CD system.
- ARP proxy server
- ping on the MAC layer
- detects ARP spoofing
- another (Linux-like) shell
- SOCKS proxy server
- DNS & DHCP server
- network traffic analyser
- graphical firewall statistics
- real-time firewall status
- port knocking daemon
- HTTP proxy server
The complete ISO CD-Rom image
can be downloaded from the following server:
The version numbers correspond to the official OpenBSD release
version numbers. The third number is a counter which is only
incremented if there are several Live-CD releases based on
the same OpenBSD release. This means that a Live-CD with the
version number 3.8.x is based on the OpenBSD 3.8 release.
The whole system and all scripts are published under the
Frequently Asked Questions (FAQs)
- What is the default root password?
- How do I change the root password?
The root password should be changed directly after the first
boot. Ideally the machine is not connected to any network in
- Which port is used by sshd?
The secure shell daemon is running by default to enable easy
remote administration, and it uses port 2222. File transfers
can also be done over ssh.
- How can I adapt the firewall configuration?
Edit the /etc/pf.conf file and reload the config file:
# vi /etc/pf.conf
... edit the config file ...
# pfctl -f /etc/pf.conf
- The Live-CD should be able to run on all x86 based
- A minimum of 64MB of RAM is highly recommended.
- A CD-ROM drive will also be necessary to start the
- Two network interface cards are expected (internal/external);
however, the system will boot anyway, but with limited
- To make use of the log and settings saving scripts, a USB
host adapter and a mass storage device will also be needed.
The hardware support of the OpenBSD system is not extended in
any way. If you have problems with your hardware and OpenBSD,
this Live-CD will cause trouble as well. However, no hard drives
will be changed, so it might also be used to test hardware for
compatibility with OpenBSD before buying it.
Details about the system
The external interface should get its IP configuration via DHCP from
the external network.
The internal network card (usually the second from top) is
configured to use 192.168.1.1 255.255.255.0 as its IP configuration.
The HTTP proxy Squid is configured to work in transparent mode. This
means that no internal client needs to be configured to use the
proxy. The VIA and FORWARDED_FOR headers are filtered by the
proxy, so that no one from the outside can tell that the request was
handled by a proxy server.
The IP-ID field is randomised so that no one from the outside
can tell how many internal clients are active, not even with the
advanced techniques described by
Steven M. Bellovin.
sshd runs by default and uses port 2222.
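As an added example that is not part of the original Live-CD project, here is a pf.conf in the OpenBSD 3.8-era syntax that expresses the setup described above and in the FAQ (DHCP on the external interface, 192.168.1.1/24 internally, NAT, transparent Squid, random IP-ID, sshd on port 2222). The interface names rl0/rl1 and the Squid listening port 3128 are assumptions; adjust them to your hardware and squid.conf.

```pf
# Assumed interface names and Squid port (not from the project page).
ext_if   = "rl0"            # external NIC, address assigned via DHCP
int_if   = "rl1"            # internal NIC, 192.168.1.1/24
int_net  = "192.168.1.0/24"
squid    = "3128"           # assumed Squid listening port
sshport  = "2222"           # sshd port as documented above

set skip on lo0

# Randomise the IP-ID field of outgoing packets (the Bellovin counting
# technique mentioned above) and reassemble fragments before filtering.
scrub in all fragment reassemble
scrub out all random-id

# NAT (masquerading): internal clients leave with the external address.
# ($ext_if) follows the address that DHCP assigns.
nat on $ext_if from $int_net to any -> ($ext_if)

# Transparent proxy: redirect internal HTTP requests to the local Squid.
rdr on $int_if proto tcp from $int_net to any port 80 -> 127.0.0.1 port $squid

# Default deny in both directions; log what gets blocked.
block in log all
block out log all

# Let the firewall itself reach the outside (DNS, Squid fetches, ...).
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
# DHCP client traffic: the lease exchange does not match a normal state.
pass out on $ext_if inet proto udp from any port 68 to any port 67
pass in  on $ext_if inet proto udp from any port 67 to any port 68

# Remote administration on port 2222 only.
pass in on $ext_if proto tcp from any to ($ext_if) port $sshport flags S/SA keep state

# Internal LAN: accept client traffic, including the redirected Squid flows.
antispoof for $int_if
pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state
```

Run `pfctl -nf /etc/pf.conf` to syntax-check the file before loading it with `pfctl -f /etc/pf.conf` as described in the FAQ.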