20090623 Tuesday June 23, 2009

A Trade Show booth with PF and OpenBSD

A few months after I started at Terracotta I attended my first JavaOne conference. Not as an attendee, but as an exhibitor. The boss came and asked me to build up some infrastructure to run a booth. Over the years, the setup of the booth and some of the software and equipment has changed, but the primary design principles have not.

  • Allow all machines in the booth to share a single Internet connection
  • Make it simple to setup and use
  • Allow employees to check their email, etc. from the booth
  • Allow the sales engineers to explore potential client websites
  • Do not allow demo stations to be used by conference attendees to check their email or hog the demo station trying to show us their website
  • Make it secure so that we don't have any demo "surprises"
  • Make sure all the demo stations are consistent

I turned to one of my favorite operating systems to solve the problem, OpenBSD. Here is what the network looks like as of 2009.

tradeshow network diagram

We get our Internet connection from Priority Networks and every year it is rock solid, they are super easy to work with, and when you need help, they actually know what you're talking about!
As you can see, each daemon on the machine serves a purpose to running the overall network. Each daemon (other than PF) is only assigned to the internal interface.

We run a private domain inside the booth (javaone.tc) and also need standard resolving for internal clients
Demo machines are given static IPs, all other clients are assigned to a different part of the subnet, more on this later
Now that machines have gotten faster and we have less graphical demos, we can run all Unix demo stations. Puppet makes sure all the machines are 100% consistent and makes it much easier to setup machines initially or substitute in a new station in case of some kind of problem
This is where all the magic happens, why you can type www.yahoo.com and wind up at Terracotta.org
This was more important before puppet and when we still had Windows, but Apache is still a great way to serve up files to any network
We're a Java clustering company and it's very important to have synchronized clocks in a cluster, then again, isn't it always?

As you can see above, we have a private domain inside the booth. It's just a simple /24 divided in two. Machines in the lower half of the subnet are assigned static IPs by MAC address, this is for the demo stations only. Machines in the top half of the subnet (129-254) are assigned IPs dynamically and this range is for any employee who brings their laptop to the booth and wants to login to check email, fix a bug, etc. PF treats the two IP ranges differently.

Here is the firewall ruleset:
ext_if="bge0" int_if="dc0" DEMOSTATIONS="" EMPLOYEES="" set skip on lo # allow demo stations to access Terracotta and a few other websites we rely upon table <TCOK> {, www.google-analytics.com, now.eloqua.com, secure.eloqua.com, download.terracotta.org } scrub all nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*" nat on $ext_if from $int_if:network -> ($ext_if:0) rdr pass on $int_if proto tcp from $int_if:network to port 21 -> port 8021 rdr pass on $int_if proto tcp from $DEMOSTATIONS to ! <TCOK> port 80 -> port 80 rdr pass on $int_if proto tcp from $DEMOSTATIONS to ! <TCOK> port 443 -> port 80 anchor "ftp-proxy/*" block log all pass quick on $int_if no state antispoof quick for { lo $ext_if } # fw inbound - for remote admin when Priority Networks allows this pass in quick on $ext_if proto tcp to ($ext_if) port ssh # fw outbound pass out quick on $ext_if proto tcp from ($ext_if) to any modulate state flags S/SA pass out quick on $ext_if proto udp from ($ext_if) to any keep state # int outbound pass in quick proto tcp from $DEMOSTATIONS to any port { 22 25 80 443 8081 } modulate state flags S/SA pass in quick proto udp from $DEMOSTATIONS to any port { 53 } keep state pass in quick proto tcp from $EMPLOYEES to any modulate state flags S/SA pass in quick proto udp from $EMPLOYEES to any keep state

The only problem with this ruleset is that the name resolution for domains that are hardcoded in the ruleset (e.g. www.google-analytics.com) can only really happen after the OS has booted. Otherwise, the boot sequence stalls on name resolution. The workaround for this is to disable PF in /etc/rc.conf.local and enable it with

pfctl -e -f /etc/pf.conf
in /etc/rc.local. That is really the only necessary workaround.

As you can see, it's actually a REALLY, REALLY permissive ruleset. Much more permissive than we allow in the office. Because there is rarely a Terracotta sysadmin on the show floor during the conference, and because there are tons of open access points which our employees would use if we locked them down too much anyway, we feel this is a pretty acceptable level of risk for the few days of the show. We could certainly lock down the ports employees could access, restrict to their MAC addresses, or even put in authpf for them to authenticate, but that would mean maintaining a password file outside the corporate office, or duplicating the LDAP server, or setting up an IPSEC tunnel, all of which are excessive for a few days of conference.

That's really all there is to it (other than some GENERATE statements in the zone files). Free, functional, easy, and secure by OpenBSD. Posted by Dave Mangot in Applications at 20090623 Comments[3]


Thanks for the great writeup. Is there any chance to get more pr0n on your puppet setup?!

Posted by Paul on June 23, 2009 at 11:54 AM PDT #

Great writeup. Would love to hear more about your puppet setup as well.

Posted by gregf on June 24, 2009 at 09:34 AM PDT #

That's pretty funny. The puppet setup is really pretty simple. I just use a default node and it creates a user for the demos and puts in an ssh key so we can use the pssh tools from http://www.theether.org/pssh/ to push out any last minute directories (puppet had an 'out of file descriptors bug' when distributing big directories in the past). Most of the other main configuration comes from DHCP, though on second thought, I should have done our packages installation through puppet too.

I will try and get the configs up soon.



Posted by Dave on June 25, 2009 at 02:28 PM PDT #

Post a Comment:
Comments are closed for this entry.