Need help with OpenBSD firmware transfer to sys-net

Hi there,

I am trying to set up an OpenBSD sys-net, and I need to install the firmware of the wireless card that I have, which is not an issue (go to OpenBSD and install the firmware). The issue is: how can I transfer this file inside OpenBSD itself? I can’t attach USBs, can’t copy with commands. Anyone maybe have an idea on how to do this?

1 Like

Hi

You could store the firmwares on a USB memory stick on a FAT32 partition, then start the OpenBSD system with the USB controller attached and load the firmwares from there. Not practical, but it should work.

1 Like

I would use SFTP for this.

1 Like

But this sysnet has no networking.

But this makes me think of a simpler solution. Run the qube without attached hardware and put it behind sys-firewall, configure its network and run fw_update to install the firmware. Now you can use it as sys-net.

1 Like

Thank you! I’ve tried SFTP but no result, so I’ve put OpenBSD behind sys-firewall and installed the firmware. It has worked.

I now have a fully functioning OpenBSD sys-net. I’ve come across a couple of older guides (notes/openBSD_as_netvm at master · unman/notes · GitHub and Integrate pfSense/OPNsense VM on QubesOS · Issue #1 · jcholsap/freemod · GitHub) and I’m considering creating a new, up-to-date community guide. This would help others who are interested in installing it alongside qubes-mirage-firewall (which I am about to test out too).

One thing I’m unsure about is whether OpenBSD sys-net/Mirage Firewall requires any specific firewall configurations for added security or any other settings.

2 Likes

@solene I’m having some issues with my sys-net-openbsd setup. I’ve followed the instructions for configuring mirage-firewall, which is working fine, but my sys-net-openbsd isn’t providing network access to it, so I can’t connect to the internet. @unman, do you have any suggestions? Do I need to configure something within OpenBSD to enable networking for the firewall? I came across some iptables commands, but I’m not sure how to apply them.

OpenBSD is not a linux system and does not use iptables/nftables for the firewall.

This should help you Use OpenBSD for sys-net · Issue #5294 · QubesOS/qubes-issues · GitHub

1 Like

I got it to work some time ago. All I had to do was add a combination of lines to /etc/pf.conf starting with nat (to indicate that OpenBSD acts as a NAT router) and pass (to allow packets through the firewall), and a dedicated line for DNS requests (the examples in Combination of OpenBSD sys-net + MirageFW - #12 by nalea are for HardenedBSD, but the syntax for OpenBSD isn’t so far off).
Unfortunately, I won’t have access to that laptop this week and won’t be able to help you further for the time being.

1 Like

Thanks guys,

No worries @palainp I’ll find some way and figure it out eventually. If I can’t find a way can I later PM you about this?

1 Like

sure!

1 Like

Unfortunately, I didn’t make much progress. The OpenBSD rules referenced earlier are a bit unclear. I’ve sent you a PM. If anyone else has any suggestions, feel free to share. Thanks, everyone!

https://www.openbsd.org/faq/pf/nat.html

Add this at the end of /etc/pf.conf

pass out on tl0 inet from dc0:network to any nat-to tl0

Just replace tl0 twice by the public network interface and dc0 by the virtual network interface where sys-firewall is connected.

Then reload with pfctl -f /etc/pf.conf

1 Like
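The NAT rule from the post above, written out with macros and the checks around it, as an added example (not part of the thread and not any poster's configuration). `tl0` and `dc0` are the placeholder interface names from the post; the DNS redirect is an assumed form of the "dedicated line for DNS requests" mentioned earlier, based on Qubes' default virtual resolver addresses 10.139.1.1 and 10.139.1.2, and `upstream_dns` is a constructed placeholder.

```conf
# Appended to the end of /etc/pf.conf (added example; adjust the macros).
ext_if = "tl0"    # placeholder from the post: public (wireless) interface
int_if = "dc0"    # placeholder from the post: interface facing sys-firewall
upstream_dns = "192.0.2.53"    # constructed placeholder: resolver reached via ext_if
qubes_dns = "{ 10.139.1.1, 10.139.1.2 }"    # assumption: Qubes virtual DNS addresses

# NAT traffic from the downstream network out of the public interface.
# ($ext_if) in parentheses makes pf follow the interface's current address,
# which matters when the address is assigned by DHCP.
pass out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Assumed DNS line: downstream qubes send queries to the virtual resolver
# addresses, so redirect those to a resolver that actually exists upstream.
pass in on $int_if inet proto { udp, tcp } to $qubes_dns port domain \
    rdr-to $upstream_dns

# Checks, run as root on the OpenBSD qube:
#   sysctl net.inet.ip.forwarding=1    # pf only translates; the kernel must route
#   echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf    # keep it across reboots
#   pfctl -nf /etc/pf.conf             # parse only, loads nothing; catches typos
#   pfctl -f /etc/pf.conf              # load the ruleset
#   pfctl -s rules                     # confirm the nat-to and rdr-to rules are present
#   pfctl -s states                    # translated connections appear here under load
```

If `pfctl -s states` stays empty while a downstream qube is generating traffic, check the forwarding sysctl and the interface names in the macros before changing the rules.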

Hi,

Just a quick update: thanks for your help! The solution worked, but I’m getting an error with the Mirage firewall. I’ve messaged @palainp about it and will also post an issue on the qubes-mirage-firewall GitHub page since it seems similar to past issues.

Thanks again!