Ok, I ran into some confusion on how to actually make my Virtual Transparent Bridging Firewall work on OpenBSD 4.2, but I finally got it to work.
For this example I will only show how to enable full inbound and outbound access through the bridge with PF; I won't be including any other firewall rules.
I will assume that VMWare ESX 3.5 is already installed and the VMWare Infrastructure Client is also connected to the host.
There are some requirements to meet before we get started. We will be using three Virtual Switches and two physical NICs:
Virtual Switch vSwitch0 is bound to vmnic0 and only to the Service Console Port.
Virtual Switch vSwitch1 is bound to vmnic1 and has a Virtual Machine Port Group named External Network assigned to it.
Virtual Switch vSwitch2 has no NIC bound to it and has a Virtual Machine Port Group named Internal Network assigned to it.
The next step is very important. On each of your Internal Network and External Network vSwitches click Properties, select the vSwitch and click Edit, then click the Security tab and set the Promiscuous Mode field to Accept. If this step hasn't been done, data will not pass between the virtual switches, because the bridge interfaces must receive frames addressed to MACs other than their own. Promiscuous mode also lets any other guest attached to those port groups see all of their traffic, so enable it only on these two vSwitches and not on vSwitch0 with the Service Console.
Once the above has been done we can proceed with the installation of OpenBSD. Create a new Virtual Machine with a 1GB disk. Mount the OpenBSD 4.2 .iso any way you please and boot to it. Refer to the OpenBSD FAQ for more detailed install instructions.
Install to disk sd0 and use all of the disk for the install. Under the Disk Label:
Type d a to delete any existing partition.
Type a a to create a partition of 65M with the 4.2BSD FS Type and the mount point of /
Type a b to create a partition of 1M with swap as the FS Type
Type a d to create a partition of 256M with the 4.2BSD FS Type and the mount point of /var
Type a e to create a partition of the remaining size with the 4.2BSD FS Type and the mount point of /usr
Ok, done with partitioning.
Set your hostname and domain name, then create your root password.
I added the bsd.mp package and removed the game42.tgz package from my installation. To remove the game42.tgz package, enter -game42.tgz at the file set selection prompt during installation.
Since this is going to be an IP-less firewall we will not start sshd. Set any other options you want, finish installing, and reboot.
Login as root.
vi /etc/rc.conf
Change the sendmail_flags line to sendmail_flags=NO
Change the inetd line to inetd=NO
Change the pf line to pf=YES
Save /etc/rc.conf and exit.
vi /etc/sysctl.conf
Enable (uncomment) kern.emul.freebsd=1 so that the FreeBSD build of vmware-guestd can run under OpenBSD's FreeBSD binary emulation.
Save /etc/sysctl.conf and exit.
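The rc.conf and sysctl.conf changes above are made by hand in vi. As an added example (not part of the original post and not an OpenBSD tool), here is a small POSIX sh helper, set_rc_var, that makes the same key=value changes idempotently: an existing or commented-out assignment is replaced in place, and a key that is absent is appended. It is run here against constructed copies of the two files in a temporary directory rather than /etc; the helper names and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: idempotent key=value edits for
# rc.conf / sysctl.conf style files. Hypothetical helper names.

# escape the regex metacharacter '.' so sysctl-style keys match literally
rc_key_re() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# set_rc_var FILE KEY VALUE: replace an existing (even commented-out)
# "KEY=..." line with "KEY=VALUE", or append it if KEY is not present
set_rc_var() {
    file=$1; key=$2; value=$3
    key_re=$(rc_key_re "$key")
    [ -f "$file" ] || : > "$file"
    if grep -q "^#*[[:space:]]*${key_re}=" "$file"; then
        tmp=$(mktemp) || return 1
        sed "s|^#*[[:space:]]*${key_re}=.*|${key}=${value}|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_rc_var FILE KEY: print the current value of KEY (empty if unset)
get_rc_var() {
    sed -n "s|^$(rc_key_re "$2")=||p" "$1" | tail -n 1
}

# Constructed sample files (built here in a temp dir, not copied from a system).
demo_dir=$(mktemp -d)
printf '%s\n' 'sendmail_flags="-L sm-mta -C/etc/mail/sendmail.cf -bd -q30m"' \
              'inetd=YES' 'pf=NO' > "$demo_dir/rc.conf"
printf '%s\n' '#kern.emul.freebsd=1' > "$demo_dir/sysctl.conf"

# Apply the same four changes the post makes with vi.
set_rc_var "$demo_dir/rc.conf" sendmail_flags NO
set_rc_var "$demo_dir/rc.conf" inetd NO
set_rc_var "$demo_dir/rc.conf" pf YES
set_rc_var "$demo_dir/sysctl.conf" kern.emul.freebsd 1

# Show the result; the commented-out sysctl line is now active.
cat "$demo_dir/rc.conf" "$demo_dir/sysctl.conf"
```

Running the same four calls a second time changes nothing, which is the point of editing this way rather than appending blind: rc.conf keeps one assignment per variable and the last one still wins.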
Mount your VMWare FreeBSD Tools .iso and run the following commands. Make sure each command is entered on a single line.
mount /dev/cd0c /mnt
tar -xzf /mnt/vmware-freebsd-tools.tar.gz -C /tmp
mkdir -p /emul/freebsd/sbin
install -m 555 -o root -g wheel /tmp/vmware-tools-distrib/lib/sbin32/vmware-guestd /emul/freebsd/sbin
cp -r /tmp/vmware-tools-distrib/etc /etc/vmware-tools
vi /etc/rc.local
Add the following script so vmware-guestd starts at boot:
if [ -x /emul/freebsd/sbin/vmware-guestd ]; then
echo -n ' vmware-tools'
/emul/freebsd/sbin/vmware-guestd --background /var/run/vmware-guestd.pid --halt-command "/sbin/shutdown -p -h now" --reboot-command "/sbin/shutdown -r now"
fi
vi /var/cron/tabs/root
Add ROOTBACKUP=0 underneath the HOME=/var/log line and comment out the sendmail line.
Run the following commands to create the bridge. The hostname.pcn0 and hostname.pcn1 files bring both interfaces up without an IP address, bridgename.bridge0 adds them as bridge members and marks each as unable to pass non-IP frames, and pf.conf passes all traffic in both directions for now.
echo up > /etc/hostname.pcn0
echo up > /etc/hostname.pcn1
echo add pcn0 > /etc/bridgename.bridge0
echo add pcn1 >> /etc/bridgename.bridge0
echo blocknonip pcn0 >> /etc/bridgename.bridge0
echo blocknonip pcn1 >> /etc/bridgename.bridge0
echo up >> /etc/bridgename.bridge0
echo pass in all > /etc/pf.conf
echo pass out all >> /etc/pf.conf
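Before the reboot it is worth checking that the files just written agree with each other: a member named in bridgename.bridge0 without a matching hostname.IFACE file, a member without its blocknonip line, or a bridge file whose last line is not up all leave the bridge not forwarding as intended. The following check is an added example written for this post (not the author's commands and not an OpenBSD tool); the function name check_bridge_config and the constructed sample files in a temporary directory are assumptions, and it needs only awk, grep and tail, which are on the base install.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the bridge config
# files before rebooting. DIR is the directory holding bridgename.bridge0 and
# the hostname.* files (normally /etc). Checks that:
#   1. every "add IFACE" member has a hostname.IFACE file whose content is "up",
#   2. every member also has a "blocknonip IFACE" line in the bridge file,
#   3. the last line of the bridge file is "up".
# Prints one line per problem and returns 1 if any were found, 0 otherwise.
check_bridge_config() {
    dir=$1
    bridge="$dir/bridgename.bridge0"
    problems=0
    if [ ! -f "$bridge" ]; then
        echo "missing $bridge"
        return 1
    fi
    for ifn in $(awk '$1 == "add" { print $2 }' "$bridge"); do
        if ! grep -qx 'up' "$dir/hostname.$ifn" 2>/dev/null; then
            echo "member $ifn: $dir/hostname.$ifn missing or not 'up'"
            problems=$((problems + 1))
        fi
        if ! grep -qx "blocknonip $ifn" "$bridge"; then
            echo "member $ifn: no 'blocknonip $ifn' line in $bridge"
            problems=$((problems + 1))
        fi
    done
    if [ "$(tail -n 1 "$bridge")" != "up" ]; then
        echo "$bridge: last line should be 'up'"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample configs, written to temp dirs rather than /etc.
# "good" mirrors the files created by the echo commands in the post.
good=$(mktemp -d)
echo up > "$good/hostname.pcn0"
echo up > "$good/hostname.pcn1"
printf '%s\n' 'add pcn0' 'add pcn1' 'blocknonip pcn0' 'blocknonip pcn1' 'up' \
    > "$good/bridgename.bridge0"

# "bad" is missing hostname.pcn1, the blocknonip pcn1 line, and the final up.
bad=$(mktemp -d)
echo up > "$bad/hostname.pcn0"
printf '%s\n' 'add pcn0' 'add pcn1' 'blocknonip pcn0' > "$bad/bridgename.bridge0"

# Run the check on both: the first is silent, the second lists three problems.
check_bridge_config "$good" && echo "good: ok"
check_bridge_config "$bad" || echo "bad: problems found"
```

On the real box the call is simply check_bridge_config /etc; a zero exit status means the files are consistent with the member list, not that the vSwitch promiscuous setting is right, so that step still has to be verified in the VI Client.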
Reboot!
You should now have a fully functioning bridge with VMWare tools installed. All that is left is to choose how you want to configure your firewall rules.
Note: I had some confusion as to whether or not to enable "net.inet.ip.forwarding". I have finally discovered that it does not need to be enabled.