3) Attach a remote session using a null modem cable
4) Configure the OPNsense OS
** Prerequisites
Hardware is required to host the operating system. I've chosen to go with [[https://www.pcengines.ch/apu2e4.htm][PC Engines APU 2E4]] board. There are multiple storage options on the APU boards - I've chosen to utilize the mSATA bus to attach a storage drive.
Since the PC Engines APU boards lack a display adapter, the best option to send commands to the APU board is via the serial port. A =null modem cable= is required to send commands to the APU via the serial port.
* Flash OPNsense to mSATA
Download the OPNsense amd64 serial console image and validate the checksum against those posted on the [[https://opnsense.org/download/][OPNsense Download page]]. The below =wget= downloads the latest image (20.1 as of this writing) from the dns-root.de mirror.
After ejecting the mSATA from the machine, physically attach it to the PC Engines APU mSATA connector. Do not power it on yet.
* OPNsense Configuration
In order to configure the OPNsense OS, I need to connect to the serial console on the APU from my host. I use =minicom= for this purpose.
** Minicom Configuration
I've had more success with *minicom* over *screen* for connecting to the serial console on the APU. Install using =sudo apt install minicom=.
Unless other USB devices are mounted, the APU will likely appear on =/dev/ttyUSB0=. In order to send keys from the remote host to the APU, I disable /Hardware Flow Control/ in the *minicom* /Serial port setup/ using =sudo minicom -s=. I save the below setup to my defaults.
[[file:img/Minicom_Default_Setup.png]]
Thereafter, start a *minicom* session simply using =sudo minicom=. It's a good idea to perform a loopback test before attaching to the APU by inserting a paperclip in pins 2 and 3 on the serial adapter. After doing so, I can verify send keys are echoed in the *minicom* console. This is the first troubleshooting step to attempt if having problems connecting to the serial console.
When needing to exit =minicom=, I use the key combination: =CTRL-A Z= to access special commands, then =X= to exit.
** OPNsense Installation
Before powering on the APU, ensure each of the NICs are plugged in and connect to the serial port to the remote host, and create a *minicom* session using =sudo minicom=. Then power on the APU. Immediately some BIOS messages should appear in the *minicom* console, and then the GNU Grub bootloader with automatically appear.
The OPNsense initial boot will take *long*, especially the /super-block backups/ if you have a large mSATA drive. It's safe to walk away and come back to the login screen - then OPNsense will automatically assign the NICs, incorrectly. You'll have to login and reassign them. Chose /not/ to configure VLANs. Then assign the interfaces as follows:
| Zone | Interface |
|------+-----------|
| WAN | igb2 |
| LAN | igb0 |
| OPT1 | igb1 |
Wait for initial installation to complete.
* TODO OPNsense Configuration
Login with the username =root= and password =opnsense=. Enter option =2= to set interface IP address.
Configure the LAN interface as follows:
| Option | Configuration |
|------------------------------+---------------|
| Configure via DHCP | n |
| LAN IPv4 Address | 172.27.0.1 |
| LAN IPv4 subnet bit count | 30 |
| LAN upstream gateway address | none |
| Configure IPv6 via WAN/DHCP | n |
| LAN IPv6 Address | none |
| Enable DHCP server on LAN | y |
| start address of IPv4 | 172.27.0.2 |
| end address of IPv4 | 172.27.0.254 |
| revert to HTTP? | n |
Configure the OPT1 interface as follows:
| Option | Configuration |
|-------------------------------+---------------|
| Configure via DHCP | n |
| OPT1 IPv4 Address | 172.22.132.1 |
| OPT1 IPv4 subnet bit count | 29 |
| OPT1 upstream gateway address | none |
| Configure IPv6 via WAN/DHCP | n |
| OPT1 IPv6 Address | none |
| Enable DHCP server on OPT1 | n |
| start address of IPv4 | 172.27.0.2 |
| end address of IPv4 | 172.27.0.254 |
| revert to HTTP? | n |
Thereafter, the OPNsense Web GUI will be accessible at https://172.27.0.1 from the LAN zone with the default firewall settings.
** TODO Access Control
- Setup CA
- Setup users with certs
- Setup TOTP Auth server
** TODO Firmware
- Updates
- Checks
- Audit: Security and Health
*** Update BIOS
I deployed v4.11.0.6, from https://pcengines.github.io/#mr-34
From a minicom session, login as root. Then run below, one step at a time.
Unbound DNS is the default DNS service. Enable DNSSec in the general settings at https://172.27.0.1/services_unbound.php. In the advanced settings at https://172.27.0.1/services_unbound_advanced.php, I enable the following flags and options:
| Key | Value |
|--------------------------+---------|
| Hide Identity | Enabled |
| Hide Version | Enabled |
| Prefetch Support | Enabled |
| Prefetch DNS Key Support | Enabled |
| Harden DNSSEC data | Enabled |
| Log leve verbosity | Level 4 |
| Extended statistics | Enabled |
| Log Queries | Enabled |
I use defaults for the rest of the Unbound DNS config.
This post describes how to bootstrap an Internal Firewall on the IPFire OS using PC Engines APU hardware.
#+END_VERSE
* Overview
This device will serve as the Internal Firewall specified in the below diagram. The device will be used primarily for traffic shaping, and to segment a secure private zone away from a lower-latency zone which may also include guests.
3) Attach a remote session using a null modem cable
4) Configure the IPFire OS
** Prerequisites
Hardware is required to host the operating system. I've chosen to go with [[https://www.pcengines.ch/apu2e4.htm][PC Engines APU 2E4]] board. There are multiple storage options on the APU boards - I've chosen to utilize the mSATA bus to attach a storage drive.
Since the PC Engines APU boards lack a display adapter, the best option to send commands to the APU board is via the serial port. A =null modem cable= is required to send commands to the APU via the serial port.
* Flash IPFire to mSATA
Download the IPFire headless image and validate the checksum against those posted on the [[https://www.ipfire.org/download/ipfire-2.25-core141][IPFire 2.25 Download page]]. As of this writing, 2.25 is the latest build. Future releases should be reflected at https://www.ipfire.org/download.
After ejecting the mSATA from the machine, physically attach it to the PC Engines APU mSATA connector. Do not power it on yet.
* IPFire Configuration
In order to configure the IPFire OS, I need to connect to the serial console on the APU from my host. I use =minicom= for this purpose.
** Minicom Configuration
I've had more success with *minicom* over *screen* for connecting to the serial console on the APU. Install using =sudo apt install minicom=.
Unless other USB devices are mounted, the APU will likely appear on =/dev/ttyUSB0=. In order to send keys from the remote host to the APU, I disable /Hardware Flow Control/ in the *minicom* /Serial port setup/ using =sudo minicom -s=. I save the below setup to my defaults.
[[file:img/Minicom_Default_Setup.png]]
Thereafter, start a *minicom* session simply using =sudo minicom=. It's a good idea to perform a loopback test before attaching to the APU by inserting a paperclip in pins 2 and 3 on the serial adapter. After doing so, I can verify send keys are echoed in the *minicom* console. This is the first troubleshooting step to attempt if having problems connecting to the serial console.
When needing to exit =minicom=, I use the key combination: =CTRL-A Z= to access special commands, then =X= to exit.
** IPFire Installation
Before powering on the APU, connect to the serial port to the remote host, and create a *minicom* session using =sudo minicom=. Then power on the APU. Immediately some BIOS messages should appear in the *minicom* console, and then the GNU Grub bootloader with automatically appear. There should be three options, select *IPFire* over the /Serial Console/.
[[file:img/Bootloader_IPFire_Serial.png]]
Wait patiently for initialization, potentially including a reboot. After reboot, if the /Serial Console/ option is not present, select the normal *IPFire* GRUB entry.
Proceed with installation. The serial console display requires a discerning eye, because the cursor location is ambiguous. It's not difficult to determine where the cursor is by using arrow keys and tab to experiment. For example, in the below screenshot, I've actually selected =us=, although you could not tell this by observing the screenshot alone, without having scrolled around first.
The [[https://wiki.ipfire.org/installation][IPFire Installation Handbook]] is very helpful for additional context and guidance while going through the installation steps (particularly the network setup step).
By convention, I set the APU interfaces to *IPFire* /zones/ as follows.
| IPFire Zone | APU Interface |
|-------------+-----------------|
| Green | [higher bytes]4 |
| Orange | [higher bytes]5 |
| Red | [higher bytes]6 |
After logging in, to gracefully shutdown the device, use =shutdown -h now=. Do /not/ shutdown by removing the power supply. The APU is powered down once all the lights are off - then it is safe to remove the power supply.
* TODO IPFire Configuration
Access the IPFire UI at https://172.22.133.254:444 by default, using the credentials specified during installation.
This asset need be able to reach all other assets on the environment (outbound).
#+END_VERSE
* Debian 10 Images
:PROPERTIES:
:CUSTOM_ID: Debian_10_Images
:END:
[[https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/][Current and official Debian ISO files]].
[[https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current-live/amd64/iso-hybrid/][Current Debian ISO files including non-free firmware]].
I always roll with the *xfce* images. Install Debian 10 to bare metal using a flashed USB drive. Assuming an attached flash USB drive is identified as =/dev/sda= (verify using =lsblk=), flash the ISO to the USB drive using the following.
#+begin_src sh
# First I format the disk and ensure all bits are zero
Insert the USB, then boot from the flashed drive and proceed with installation. My default username is =user=.
* Sudo User Account
:PROPERTIES:
:CUSTOM_ID: Sudo_User_Account
:END:
Login as =user=. Then get *root*, once and nevermore, using =su -=. Grant sudo rights to =user=, then login again.
#+BEGIN_SRC sh
usermod -aG sudo user && \
exit
#+END_SRC
Logout and in to receive sudo privileges on the =user= account.
#+BEGIN_SRC sh
xfce4-session-logout -l
#+END_SRC
* Tor Package Management
:PROPERTIES:
:CUSTOM_ID: Tor_Package_Management
:END:
For privacy, I use Debian's onion services to download packages from official repositories. First though, this requires installing =tor= and =apt-transport-tor=.
First run =sudo test= to escalate privileges.
#+begin_src sh
sudo apt update && \
sudo apt upgrade -y && \
sudo apt install -y tor apt-transport-tor && \
sudo rm /etc/apt/sources.list && \
sudo bash -c 'cat <<EOT >> /etc/apt/sources.list
# Debian 10, Buster!
# Repos over TOR:
deb tor+http://vwakviie2ienjx6t.onion/debian buster main
deb-src tor+http://vwakviie2ienjx6t.onion/debian buster main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security buster/updates main
deb-src tor+http://sgvtcaew4bxjd7ln.onion/debian-security buster/updates main
deb tor+http://vwakviie2ienjx6t.onion/debian buster-updates main
deb-src tor+http://vwakviie2ienjx6t.onion/debian buster-updates main
EOT' && \
sudo apt update
#+end_src
Thereafter, I download a few based utilities over tor.