Following the ‘not enough time on my hands’ FreeBSD dive with a Power Mac, I decided to continue on BSD tourbus to OpenBSD. A good friend recommended it to me in the middle of my FreeBSD install and I’d of like to heard about it alot sooner. OpenBSD turned out to be a really great os, particularly for a router/firewall. I now have OpenBSD running successfully and it’s running good. The install does take a bit of work but the results are b-e-a-utiful.
OpenBSD is a shootoff of NetBSD (Berkly Software Distribution) that focuses on security – the code that is in OpenBSD is carefully audited. This guide will walk you through a basic install of OpenBSD (a few parts are macppc specific) and adds parts if you’d like to make OpenBSD a router.
Dual Boot MacOS?
The OpenBSD installer only has support for fdisk and not mac-fdisk so if you plan to dual-boot MacOS you should partition either with mac-fdisk (see the FreeBSD install link above), or with a Mac OS util like Disk Setup. Create one partition for Mac OS and another for OpenBSD. However, this install focuses on a whole disk install of OpenBSD.
Beginning with the installer
You might want to use OpenBSD’s Installation Guide as a companion guide along with this.
Put in the CD on a mac – you’ll have to start the cd from the Open Firmware prompt. Hold (Apple + option + O + F). at boot and at the OF prompt, type:
boot cd:,ofwboot 4.4/macppc/bsd.rd
The release cd will allow you to install, upgrade or use the shell:
Proceed? [y]
You will now initialize the disk(s) that OpenBSD will use. To enable all available security features you should configure the disk(s) to allow the creation of separate filesystems for /, /tmp, /var, /usr, and /home.
Available disks are: wd0 sd0.
wd0
wd0 must be partitioned using an HFS or an MBR partition table. If you plan to dual-boot MacOS use HFS, otherwise choose MBR.
MBR
Which one is the root disk (or ‘done’) [done] [wd0]
wd0
Do you want to use *all* of wd0 for OpenBSD? [no] y
Creating Master Boot Record (MBR)…done
/dev/rwd01
If you say no, you will be taken to fdisk where all you’ll be able to do is to type and label partitions. OpenBSD uses a two layer disk partitioning system: ‘fdisk’ and ‘disklabel’. If you are using the whole disk fdisk will be automatically configured.
‘disklabel’ is a tool to create partitions.
Initial label editor (enter ‘?’ for help at any prompt)
> p g
# size offset fstype [fsize bsize cpg]
c: 9.6G 0.0G unused 0 0
i: 0.0G 0.0G MSDOS
> a a # add ‘a’ partition
offset: [3024] <enter>
size: [20062224] 3.5g
FS type: [4.2BSD] <enter>
mount point: [none] /
> a b
offset: [17829504] <enter>
size: [2235744] 1.1g
FS type: [swap] <enter>
> a d
<enter>
3.0g
<enter>
/usr
> a e
<enter>
1.0g
<enter>
/tmp
> a f
<enter>
<enter> # to end of drive
<enter>
/var
> p g
OpenBSD area: 0.0G-9.6G; size 9.6G; free: 0.0G
# size offset fstype [fsize bsize cpg]
a: 3.5G 0.0G 4.2BSD 2048 16384 1 # /
b: 1.1G 3.5G swap
c: 9.6G 0.0G unused 0 0
d: 3.0G 4.6G 4.2BSD 2048 16384 1 # /usr
e: 1.0G 7.6G 4.2BSD 2048 16384 1 # /tmp
f: 1.0G 8.6G 4.2BSD 2048 16384 1 # /var
i: 0.0G 0.0G MSDOS
> w # write
> q # quit
Mount point for wd0d (size=3072Mbytes)? (or ‘none’ or ‘done’) [/usr] <enter>
Mount point for wd0e (size=4097144k)? (or ‘none’ or ‘done’) [/tmp] <enter>
Mount point for wd0f (size=6291432k)? (or ‘none’ or ‘done’) [/var] <enter>
Mount point for wd0d (size=3072Mbytes)? (or ‘none’ or ‘done’) [/usr] done
No label changes.
Available disks are: sd0.
Which one do you wish to initialize? (or ‘done’) [done] done
The next step *DESTROYS* all existing data on the partition!
Are you really sure that you’re ready to proceed? [no] y
System hostname (short form, e.g. ‘foo’): dirk-pmac
Configure the network? [yes] <enter>
You’ll be shown available Network Interface Cards (NIC)s. If you’re building a router, you’ll have two. The first one will get it’s address via the ISP DHCP server. On the second one assign a LAN address like 192.168.111.7.
If you choose dhcp, OpenBSD install will try to get a lease from the DHCP server. I didn’t bother connecting the cables because InstallerCD’s are notably insecure and the installer doesn’t need it anyway.
Enter your Domain Name Servers (separated by a space) and password for root account. Choose your install sets, the defaults will give you a basic system.
Location of sets? (cd disk ftp http or ‘done’) [done] <enter>
sshd yes
ntpd yes
ntp server us.pool.ntp.org
Change the default console to com0? [no] <enter>
Enter timezone, and then your done with the basics.
Afterboot Tasks
Reboot and start the Open Firmware prompt and boot OpenBSD by:
boot hd:,owfboot /bsd
There are a few tasks that need to be done to finish the install following the afterboot manpage.
errata check.
If a reliability or security issue effects you, you will have to patch your system – a detailed proposition which I will detail in another post.
check ‘date’, ‘hostname’, networking will be done in a bit.
Add new user
adduser
Enter your default shell: csh ksh nologin sh [ksh]: <enter>
# Default login class defines allocation of system-resources, and
# environment setup.
Default login class: authpf daemon default staff [default]: <enter>
Enter your default HOME partition: [/home]: <enter>
Copy dotfiles from: /etc/skel no [/etc/skel]: <enter>
Send message from file: /etc/adduser.message no [no]: <enter>
Prompt for passwords by default (y/n) [y]: <enter>
Default encryption method for passwords: auto blowfish des md5 old [auto]: <enter>
Don’t worry about mistakes. There will be a chance later to correct any input.
Enter username []: Dirkgen2ly
Enter full name []: Dirk Gently
Enter bash csh ksh nologin sh [ksh]: <enter>
Uid [1000]: 1222
Login group Dirkgen2ly [Dirkgen2ly]: <enter>
# Add to wheel group to allow ‘su’ to root.
Login group is “Dirkgen2ly”. Invite into other groups: guest no
[no]: wheel
Login class authpf daemon default staff [default]: <enter>
Enter password []:
Enter password again []:
Configuring sendmail
Set-mailserver aliases in /etc/mail/aliases:
vi /etc/mail/aliases
# Well-known aliases — these should be filled in!
root: root
manager: root
dumper: root
Run ‘newaliases’ to update sendmail aliases.
A sendmail-configuration file will need to be built, from papamike:
Sendmail configuration files are built with a macro-processor. A macro-processor is basically a program that scans text looking for defined symbols, which it replaces by other text — or other symbols. The one used with Sendmail is called m4… So m4 inputs a macro configuration file, with extension .mc, and outputs a sendmail configuration file to standard output. Typically we redirect this output to a file, with extension .cf
Luckily there are some examples. If not planning to use sendmail externally (i.e. to the internet) use openbsd-localhost.cf.
cp /usr/share/sendmail/cf/openbsd-localhost.mc /usr/share/sendmail/cf/localhost.mc
m4 /usr/share/sendmail/m4/cf.m4 /usr/share/sendmail/cf/localhost.mc > /etc/mail/localhost.cf
Then test it:
sendmail -v -t -C /etc/mail/localhost.cf
^C
A valid config will give no output. Now tell the the sendmail daemon to load the configuration file at boot in /etc/rc.conf.local:
sendmail_flags=”-L sm-mta -C/etc/mail/localhost.cf -bd -q30m”
The -C/ is necessary, it’s not a typo.
Daily, weekly, monthly scripts
Run the daily and weekly scripts to make sure they run alright.
sh /etc/daily
sh /etc/weekly
Warning: When running the weekly script if you get:
Rebuilding locate database:
Not installing locate database; zero size
Try “vi /var/db/locate.database“, put a space in, save it “:x”, and run the weekly script again.
Tighten up security
Covered below.
File Systems
OpenBSD doesn’t have a journaled file-system, meaning that you could lose critical disk data in event of a crash. Rather OpenBSD has incorporated soft updates a userland program that performs a likewise task that also improves disk performance by utilizing a cache. Adding the softdep option to each ffs partition in /etc/fstab will enable soft updates at next boot.
# perl -pi -e ‘s/ffs rw/ffs rw,softdep/’ /etc/fstab
# cat /etc/fstab
/dev/wd0a / ffs rw,softdep 1 1
/dev/wd0e /tmp ffs rw,softdep,nodev,noexec,nosuid 1 2
/dev/wd0d /usr ffs rw,softdep,nodev 1 2
/dev/wd0f /var ffs rw,softdep,nodev,nosuid 1 2
/dev/cd0c /cdrom cd9660 ro,noauto 0 0
CD/DVD define mount point
mkdir /mnt/cdrom
echo “/dev/cd0c /cdrom cd9660 ro,noauto 0 0” >> /etc/fstab
Networking
Following the Network FAQ. The installer will have created /etc/hostname.<NIC> for each device you have. Make sure they are correct:
cat /etc/hostname.*
For a router, ip-forwarding will need to be enabled in /etc/sysctl.conf:
net.inet.ip.forwarding=1
Enter your DNS servers in /etc/dhclient.conf:
request subnet-mask, broadcast-address, routers, domain-name,
domain-name-servers, host-name;
supersede domain-name-servers <domain-name-server1>, <domain-name-server2>;
If you are planning to be testing a firewall and disconnecting your internet-connection from time to time, its good to up dhclients timeout. ‘dhclient’ rechecks it’s connection to the DHCP server on an exponential scale if it is unable to locate it it will take down the WAN NIC. Add to dhclient.conf and get larger timeouts as time goes by:
timeout 216000;
retry 216000;
link-timeout 216000;
To be able to connect the LAN PC to the network this guide uses dnsmasq (a good solution for small networks) but first it is a good idea to setup firewall and close unused ports.
Enabling a Firewall
Building a firewall is a necessary evil, even on the most secure of systems networking will be the greatest security-hole. Here are a few tips for working with PF:
Enable PF at Boot:
echo “pf=YES # PF Firewall” >> /etc/rc.conf.local
‘ftp-proxy’ will need to be enabled to ftp past a firewall, first enable it at boot:
echo “ftpproxy_flags=”” # ftp-proxy daemon” >> /etc/rc.conf.local
Enable ftp-proxy in the NAT section of your pf.conf:
nat-anchor “ftp-proxy/*”
rdr-anchor “ftp-proxy/*”
rdr on $LAN_NIC proto tcp from any to any port 21 -> 127.0.0.1 port $FTPPORT
And in the filter section, anchor ftp and allow pass out:
anchor “ftp-proxy/*”
pass out quick on $WAN_NIC proto tcp from $WAN_NIC to any port {20,21} flags S/AUPRFS modulate state
Another good idea is when writing block-rules to log them to be able to test the firewall and to see if there are any attempts to attack the firewall:
block in log on $WAN_NIC all
To check your PF configuration for errors, run:
pfctl -nf /etc/pf.conf
A couple other commands:
pfctl -e # Enable PF – Enable but will not load ruleset.
pfctl -d # Disable PF
pfctl -f /etc/pf.conf # load the rules
pfctl -sn # Show the current NAT rules
pfctl -sr # Show the current filter rules
pfctl -ss # Show the current state table
pfctl -si # Show filter stats and counters
pfctl -sa # Show EVERYTHING it can show
pfctl -F all # Flush all rules, nat, states, options, tables
To test the firewall in real time, run ‘pflogd’ then:
tcpdump -n -e -ttt -i pflog0
To have pflog load at boot:
echo “pflogd_flags=”” # pflog device” >> /etc/rc.conf.local
You may have to reboot to have pflog0 show up in ifconfig. Now that the firewall is up you can start (or restart) the network:
sh /etc/netstart
Adding a Package
OpenBSD has two ways to add software: package and ports. Packages are pre-built binaries that can be downloaded and quickly installed onto your system and are the recommended way to add software to your system. OpenBSD also has a port system that contains information necessary to build packages and their dependencies from source.
OpenBSD has many prebuilt packages for a number of different architectures. Find a nearby mirror and add it to ~/.profile:
export PKG_PATH=ftp://<your.ftp.mirror>/pub/OpenBSD/`uname -r`/packages/`machine -a`/
Those are back ticks BTW. `uname -r` adds your release version of OpenBSD you are using and `machine -a` will be your architecture. To source (reload) your .profile so the variable is known to the korn shell:
. ~/.profile
Then add a package:
pkg_add -v <packagename>
A couple other package commands:
pkg_info # Show installed packages
pkg_delete -n # Delete applications and their dependencies.
Configure the LAN
Now that you can add a package you can add dnsmasq and get your router going. It is possible to define a static-route and not to have to use a DHCP server to define an address and route, but using a DHCP server makes the job tons easier. dnsmasq is a great lightweight application that will provide a route to and from the LAN machine. dnsmasq is also provides a DNS cacher to make resolving of domain names very very fast.
If planning on creating a LAN of > 50 machines you should use the pre-installed dhcpd.
pkg_add -v dnsmasq
Edit /etc/dnsmasq.conf:
# Only listen to WAN box LAN NIC and use local loopback for DNS caching.
interface=<your-router-LAN-NIC>
# dnsmasq will open TCP port 53 and UDP port 67 to world
# tohelp with dynamic interfaces. dnsmasq will discard
#requests to them, but I like better not to have these
#ports open and let the kernel handle it.
bind-interfaces
# Dynamic range of IPs to make available
dhcp-range=192.168.111.50,192.168.111.100,12h
# If you’d like to have a static ip, bind the LAN computers
# NIC MAC address
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.111.22
dhclient.conf will need to be edited again to know that dnsmasq is handing dns requests. Redirect dhclient to localhost and dnsmasq will take it from there.
request subnet-mask, broadcast-address, routers, domain-name,
domain-name-servers, host-name;
supersede domain-name-servers 127.0.0.1, <dns1>, <dns2>;
dhclient by default appends to /etc/resolv.conf details to use the pre-installed BIND name server assuming people are going to use it. BIND isn’t enabled by default and since dnsmasq is handling this, comment out “lookup file bind” in /etc/resolv.conf.tail and restart the network:
sh /etc/netstart
cat /etc/resolv.conf
search eau.wi.charter.com
nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 208.67.222.222
#lookup file bind
Now you can start dnsmasq:
dnsmasq
To load at boot put in rc.local:
# Start Dnsmasq
if [ -x /usr/local/sbin/dnsmasq ]; then
echo -n ‘ dnsmasq’; /usr/local/sbin/dnsmasq
fi
To have your LAN computer connect to your router set it to dhcp and connect.
Test DNS caching:
Do it again and you’ll notice a faster lookup.
NTP
Many NTP configurations default to pool.ntp.org which is great for a whole list to choose from from the entire world, but it’s better to use something local ;). Add to /etc/ntpd.conf:
server us.pool.ntp.org
Because ntpd slowly adjusts the clock if it’s off you can add to crontab entry to get it fixed daily:
crontab -e
# Update date and time daily
32 1 * * * ntpd -s
Securing the Network
A good firewall will close ports but some applications may try to open them again. Best to close any ports you don’t need. Run netstat and get a good idea of what’s open:
netstat -ant | egrep ‘udp | LISTEN’
Shows open ports:
TCP – 13 37 22 113
UDP – 514
To find out what these ports do:
grep <port> /etc/services
daytime, time, ssh, auth, and syslog (udp). You can find more infomation about the port (like the program that opened it) with:
lsof -i | grep 22
Most people don’t use daytime, time, auth anymore and can be safely disabled in /etc/rc.conf.local:
inetd=NO
The Syslog port can not be turned off in inetd. It is invoked in rc.conf with no “-u” flag meaning that it is listening on UDP port 514 but that incoming packets are ignored, it is only used to send. You’ll will also see a couple ports open for tcp6 (ipv6) like ::1.587 or ::1.25 these are loopbacks (local) for ipv6 and will be secure from the outside world.
Using nmap is an ever more reliable way to test for open ports. Now that the firewall is up, you might want to add nmap and test it.
nmap -p1-65535 -T4 -sS <WAN-IP>
SSH Daemon
SSH opens port 22 to world by default, If you don’t plan on accessing from outside you can bind it to your LAN computer in /etc/ssh/sshd_config:
ListenAddress <Router LAN_NIC Address>
Also root login is a bad idea, since the regular user is able to su this is a good idea to define:
PermitRootLogin no
Add a key so trusted computers can connect:
ssh-keygen -t dsa
Use a password that is not your login password. Name the output something useful like powermac-dsa-key. These keys by default are generated into the local ~/.ssh/ directory but belong in the accessee’s ~/.ssh directory. Move them to the LAN computer ~/.ssh to be a trusted computer.
Note: SSH attempts to resolve an address even if it’s local through /etc/resolv.conf. When Domain Name Server isn’t setup yet or a DNS hangs, ssh will hang at “debug1: SSH2_MSG_SERVICE_ACCEPT received” you will have to wait about a minute until ssh decides no DNS can be reached.
Wrap-up
That should get you a good start.
I can usually type faster in the terminal than doing mouse click on a gui calculator, so I created this scipt to be able to do it quickly from the terminal. There are alot of command line calculators out there so use the one you are comfortable with but I like using bc because of the syntax. For example, you can type:
I’ve been reinstalling my system as of late (been way too along a comin’) and I realized that I hadn’t set up a firewall yet. This, in turn, had me think how many ports were open. I was up too late and probably had too many cokes by then. I had given myself a dead simple root password so that I could finish the install and began getting that tightening, turning, wretching in the belly feeling. I couldn’t help thinking that, “This could be the time that some random joe comes along and finds a nice open gate”. Doesn’t make much sense now, but decided then to build a script that toggles a 20 character random password to relieved my paranoia. Here it is for anyone who can find use of it. Oh, and I did get my install done.
Getting down to watching you favorite movie on your computer? Start the movie, sit down, grab your snack and ten or so minutes later the screen goes blank. This happens in Linux because the desktop has built-in defaults for display power management (DPMS) and screensaving. Timeout settings can vary from distribution to distribution but they all got them. Here’s a basic script that can toggle DPMS and screensaving on and off.
Linux Tidbits 