Ok, so we now have an OpenBSD gateway, let’s make it useful.

I took the nmproxy source code and created an ISO with it (I used UltraISO; you may have your own preferred method). It’s then possible to mount the ISO, making it appear as a drive in your VM.

You can then mount the drive in OpenBSD:

Create a directory and copy the source code:

# mkdir /usr/src/nmproxy
# cp –R /mnt/cd/nmproxy /usr/src/

Now compile:

# make –f ./Makefile.OpenBSD

If you don’t get any nasty errors, install:

# ./nmproxy_install

There you go, now we just need to set up Packet Filter, edit a few configuration files, and we are ready to clone. I will assume from now on that you are familiar with Linux and the vi editor. If not, then look here.

First let’s allow IP forwarding by editing /etc/sysctl.conf and removing the # comment in front of net.inet.ip.forwarding=1. Save the file and now open up /etc/rc.conf search for pf=NO and change it to pf=YES.

You can pretty much follow the default setup for PF; the following lines need to be added for nmproxy:

# Redirect port 1720
rdr proto tcp from any to any port 1720 -> port 1720

# Nmproxy specific rules. Note that the port number ranges look strange
# because of the way ranges are specified.
pass in proto tcp from any to port 1720 flags S/SA keep state
pass in proto tcp from any to any port 10199><10210 flags S/SA keep state
pass in proto udp from any to any port 10199><10260

Nothing too taxing there. Give the VM a reboot, and the changes made should take effect. We can now check that nmproxy is running and the firewall is letting connections through:

# telnet 1720

All is well, and the connection succeeded.

Now we need to clone the machine. Shut down and we will start.

Select the VM menu and then Clone… to start the cloning wizard.

Most options can be left as default; when you get to the following screen, you must select Create a Full Clone:

The new clone can be called OpenBSD B; locate it wherever you like. You should now have something like this:

<!–[if !vml]–><!–[endif]–>Start up the new VM and we will change the configuration to make this system ready. I have decided to call my second firewall GatewayB.testdomain.com, the internal network address is, and the external one is Ideally, we would re-generate the ssh keys, but I don’t think this is necessary for a test system. 

Files which need to be edited are:

/etc/hosts                     Hostnames
/etc/hostname.le1        IP configuration of internal interface
/etc/hostname.le2        IP configuration of external interface
/etc/nmproxy.conf       NMproxy configuration
/etc/pf.conf                  Firewall configuration (change IP details of networks)
/etc/myname                The system hostname
/etc/mygate                  Default route/gateway

All of these files are self explanatory–nothing complex at all. After we have edited these files, a quick reboot will put everything into action.

Check that the interfaces have taken the new IP details:

# ifconfig –a 

If your changes don’t seem to have taken effect, check that you saved the files after editing!

If we start up the original VM, we should now be able to telnet into port 1720 of that machine to verify that we have communication between the two:

That’s all for now, next week we will finish this off by creating a team consisting of our two firewalls and two Windows XP VM’s. We will also look at some of VMware’s more advanced networking features and finally test nmproxy!