OpenBSD Live-CD Firewall

This page is dedicated to the OpenBSD Live-CD Firewall project.
When I tried to find a Live-CD solution to get started with OpenBSD I could not find something comparable so I started this project myself. If you are interested to build your own system, details about the creation of any OpenBSD based Live-CD system can be found on this page.

If you find a mistake or have suggestions for improvement feel free to contact me.



The project idea

The main idea of this project is to make it as easy as possible for new users of OpenBSD to set it up as a firewall and use it. OpenBSD offers a highly sophisticated packet filter called 'pf' and its main target is to deliver a secure system. Therefore it is often considered as a perfect firewall system. However many users don't use it, because they think that it is hard to configure. This Live-CD system should offer these users an easy way to get into OpenBSD, benefit of its secure architecture and learn about the mighty pf firewall.
Note: This is NOT a striped down firewall-only system. The ISO which can be downloaded includes a full featured OpenBSD installation with all manpages, sample configurations and additional security related software packages.


  • runs without modifying the hard-drive
  • external interface will be configured via DHCP - should work with a Cable Modem connection
  • DHCP service for internal LAN
  • caching DNS
  • Squid Proxy
  • NAT (masquerading)
  • save your configuration and passwords to an USB mass-storage device (usb-pen drive) [ /backup/etc2usb ]
    If the USB device is connected at boot time these settings will be used.
  • save all log files to an USB mass-storage device for future analysis [ /etc/log2usb ]


Note: The use of an ADSL connection is NOT supported at the moment. However the system can of course be adopted to fit your needs. Hopefully this functionality will be available in future releases.

Installed Software

This section lists the installed software packages and version numbers of the current release only. Not all of the installed packages are preconfigured. However they are installed to offer advanced users the possibility to use the programs without the need to rebuild the whole Live-CD system.
Package Description Version
arpd ARP Proxy Server 0.2
arping Ping on MAC Layer 2.05p0
arpwatch detects ARP spoofing 2.1a.13
bash another (Linux like) shell 3.0.16p1
dante SOCKS Proxy Server 1.1.17
dnsmasq DNS & DHCP server 2.22
honeyd Honeypot 1.0p0
isc-dhcp-server DHCP Server 3.0.3
logsurfer Logfile analyser 1.5b
ntop Netwrok traffic analyser 1.1
ntp Time synchronisation 4.2.0ap2
pfstat graphical Firewall statistics 1.7
pftop real-time Firewall status 0.4
portsentry Port knocking daemon 1.1
scanlogd detects portscans 2.2.5
squid HTTP Proxy Server 2.5.STABLE12-transparent


The complete ISO CD-Rom image can be downloaded from the following server:
Version Size Link MD5 Checksum
3.8.1 ~330MB Mirror 1:
Mirror 2:
Mirror 3:

Powered by:


Note: The version numbers corresponded with the official OpenBSD release version numbers. The third number is a counter which will only be incremented if there are more Live-CD releases available of the same OpenBSD release. This means that the Live-CD with the Version number 3.8.x is based on the OpenBSD 3.8 release.


The whole system and all scripts are published under the BSD license.

Frequently Asked Questions (FAQs)

  • What is the default root password?
  • How do I change the root password?
    The root password should be changed directly after the first boot. Ideally the machine is not connected to any netwrok in this state.
    # passwd

  • Which port is used by sshd?
    The secure shell daemon is running by default to enable easy remote administration and it uses port 2222. Also file transfers can be done through ssh.
  • How can I adopt the firewall configuration?
    edit the /etc/pf.conf file and reload the configfile:
    # vi /etc/pf.conf
     ... edit the config file ...
    # pfctl -f /etc/pf.conf


  • The Live-CD should be able to run on all x86 based machines.
  • A minumum of 64MB of RAM is highly recommended.
  • A CD-Rom drive will also be necesssary to start the Live-CD.
  • Two network interface cards are expected (internal/external), however the system will boot anyway, but with limited functionality
  • To make use of the log and settings saving scripts a USB host adapter and a mass strage device will also be needed.

    The hardware support of the OpenBSD system is not extended in any way. If you have problems with your hardware and OpenBSD this Live-CD will cause troubles as well. However no hard-drives will be changed, so it might also be used to test hardware for compability with OpenBSD before buying it.


Details about the system

The external interface should get its IP configuration via DHCP from the external network.
The internal network card (usually the second from top) is configured to use as its IP configuration.
The http proxy squid is configured to work in transparent mode. This means that no internal client needs to be configured to use the proxy. The VIA and FORWARDED_FOR header should be filtered by the proxy, so that no one from the outside can tell that the request was handeld by a proxy server.
The IP-ID field will be randomised so that no one from the outside can tell how many internel cleints are active. Not even with advanced techniques as described by Steven M. Bellovin.
Sshd running by defaut and uses port 2222.


last updated 02 November 2008