On Wed, Apr 03, 2024 at 06:19:29PM +0200, Karel Lucas wrote:
> Hi all,
>
> I am creating a bridging firewall with OpenBSD and the following hardware:
> https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
> OpenBSD is already installed. I want to use ETH1 for the input from my ADSL
> modem, ETH2 and ETH3 for the output to my network. Furthermore, I would like
> to use ETH4 for the update/upgrade of the firewall. Remove the connection
> from ETH1, plug it into ETH4, and update/upgrade. Then the connection
> returns to ETH1. ETH4 therefore receives an IP address and ETH1, ETH2 and
> ETH3 do not. But now the problem: as long as the network connection of the ADSL
> modem is in ETH4, my network, including the firewall, is no longer secured,
> and attackers can take advantage. I therefore wonder whether it is possible
> to let the data flow via ETH1 and ETH4 first pass through PF before an
> update/upgrade is done via ETH4. This means that the bridging firewall will
> have two entrances, one without and one with an IP address. I would like to
> know if that is possible, or if there is another option.
>
I'd just run sysupgrade -n, unplug ETH1, reboot into the installer and upgrade, reboot, and finally plug ETH1 back in.

--
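The reply's safety step is the physical unplugging of ETH1 before the machine reboots into the installer. The script below, an added example that is not part of the thread, turns that step into a check: it stages the upgrade with sysupgrade -n (sets are fetched and verified, no automatic reboot), then refuses to reboot until the WAN-side bridge member reports "no carrier" in ifconfig(8). The interface name em0 standing in for ETH1 is an assumption, as is the driver on that board; the ifconfig output used to exercise the check is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: stage an OpenBSD upgrade with
# sysupgrade -n and refuse to reboot into the installer while the WAN-side
# bridge member still has link. The interface name em0 for ETH1 is an
# assumption; set WAN_IF to the real driver name on the box.
WAN_IF="${WAN_IF:-em0}"

# Classify one interface's ifconfig(8) output by its "status:" line:
# prints "down" for "no carrier", "up" for "active", "unknown" otherwise
# (virtual interfaces such as bridge0 print no status line).
link_state() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*status: no carrier'; then
        echo down
    elif printf '%s\n' "$1" | grep -q '^[[:space:]]*status: active'; then
        echo up
    else
        echo unknown
    fi
}

# Return 0 only when the WAN member reports no carrier, i.e. the modem
# cable has really been pulled; anything else (up or unknown) is unsafe.
safe_to_reboot() {
    [ "$(link_state "$1")" = down ]
}

# Constructed sample output in the shape of OpenBSD ifconfig(8), so the
# checks above can be exercised on any machine.
SAMPLE_DOWN='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier'
SAMPLE_UP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active'

# The procedure itself: fetch and verify the sets without rebooting, wait
# until the operator has unplugged the WAN member, then reboot into bsd.rd.
stage_and_reboot() {
    sysupgrade -n || { echo "sysupgrade -n failed; not rebooting" >&2; return 1; }
    until safe_to_reboot "$(ifconfig "$WAN_IF")"; do
        echo "$WAN_IF does not report 'no carrier'; unplug it, then press Enter" >&2
        read -r _dummy
    done
    reboot
}

# Only perform the real upgrade when run as root with the argument "run";
# otherwise the file just defines the functions above.
if [ "$(id -u)" = 0 ] && [ "${1:-}" = run ]; then
    stage_and_reboot
fi
```

Run it as root with `sh stage-upgrade.sh run` once the box is ready; after the installer finishes and the system reboots, ETH1 goes back in by hand, exactly as the reply describes.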