questions/comments send us feedback
  Welcome !
Linux Resources  OpenBSD Resources  Security Resources  General Information 
Jul. 16, 2018  

main | openbsd :: installation :: openbsd-2.5

Installing OpenBSD 2.5 for firewalling

Chapter 8

Installing OpenBSD

Consider yourself fortunate. You are embarking on an exciting journey of discovery. You will be facing challenges that have brought highly skilled system administrators to their knees, with tears flowing into their pocket protectors. You will tread forward, over the backs of those whom fear has crushed. Your bravery comes from the eternal source that has likewise emboldened the hearts of humanity’s most cherished heroes: You have nothing to lose.

Many people embark on the quest to install OpenBSD with the desire to retain an existing operating system on a portion of their hard drive. These poor souls take each tiny step knowing that one wrong move means lengthy recoveries from backup files. Our deepest sympathies go out to the novices, who assume that a recovery from backup is the worst case scenario (if they didn’t backup, they’re about to win a one way trip to hell). The reality is that Windows has a host of little chicken and egg problems, which means that loading the recovery program can become more difficult that one would expect. This is especially true when the recovery program realizes that the OpenBSD installer has changed the partition table (more on that in a bit).

Not that setting up a dual OS system with Linux is a stroll in the park either unless that park is in Cambodia or Kosovo. Those who are using Linux with LILO (LInux LOader the default boot loader for Linux) are in for a rather harsh surprise when the inevitable "wrong move" happens. LILO is VERY sensitive to the way the hard disk is set up. Once you’ve played with the partition table, it can become unbelievably difficult to get LILO to respond to anything short of a shotgun blast to the drive-head. There is a road to recovery, but it’s a windy mountain road that’s only one car-width wide, has deep potholes everywhere, and a whole convoy of 18-wheeler logging rigs driven by inebriated monkeys coming the other way.

You, on the other hand, couldn’t care less if you make a mistake during the install. You can wipe the hard-drive time and time again with reckless abandon each time you splatter your inexperience all over the partition table. You also are working with a very simple system consisting of the most basic hardware. There’s little chance of device conflict.

Think you can get the install right the first time through? Don’t even bother. You should do a full install at least twice, and walk through the upgrade procedure at least once. Now is the best time to play around and figure out how everything works. The knowledge will really pay off when it’s 4:30 a.m. and your network is being torn apart by a bunch of teenagers. Playing with the installer a few times now will ensure that you aren’t confused in the future. Take good notes and keep them near the firewall at all times.

But First…

Suggestion number one: Read this chapter once before actually attempting to install OpenBSD. They tried to teach us to do that in school, but we never listened. To this day, we still get bitten in the rump by it. Speaking of rump roast, just last week, one of the authors was making a frittata with sundried tomatoes, asparagus, and porcini mushrooms. At the bottom of the recipe, it said to immediately place the pan into a preheated oven for a few minutes until the top is golden brown. Two problems became suddenly apparent: 1) the oven hadn’t been preheated because there was no earlier mentioning of it, and 2) the handle of the pan chosen for cooking the frittata was plastic. Excessive application of grated peccorino romano cheese saved the frittata (we like romano), and even improved the "non-slip grip" of the pan by becoming partially embedded in the molten plastic handle. With lessons like that, it’s no wonder we never learn.

Suggestion number two: Print out some of the critical online documentation and read it through at least once (many potential problems have been documented––if you read it now you’ll recognize problems a lot faster later on). It’s also really helpful to have it in front of you on paper––plus you can make notes. The key docs are:

INSTALL.i386: located on the CD-ROM in the directory: /2.5/i386/

The FAQ: most recent version at:

Some important man pages: You can find them online by going to this link: In particular, you should print out: afterboot, disklabel, ifconfig, man, and vi (not linked but you can search for it through the Web interface to man). If you’re connecting to the net via modem, you might want to print ppp (also not linked).

Preparing Your System

We’re assuming that you have a fully assembled computer with a blank or completely sacrificial hard drive installed. To the best of your knowledge, this computer is in working order. If the preceding two sentences describe your present situation, you’re ready to begin the installation. If not, we’re incredibly proud of you for deciding to read all the instructions first, before doing anything irreversible.

Your life will be MUCH easier if your machine is capable of booting off of the CD-ROM drive. This is due to the nature of the installer program. The installer doesn’t attempt to detect the CD drive until it needs to copy the files, which is after it has spent numerous minutes formatting your hard drive. Realizing that OpenBSD can’t see your CD-ROM at that point can be rather frustrating. If the machine can boot off the CD, then it’s almost certainly going to recognize the drive during the installation. Setting up the machine to boot off the CD-ROM drive now will help you avoid this situation. Refer to the section on BIOS tweaking in Chapter 5, "Building the Box," for more information.

If you chose this route, you’ll need to use a boot floppy, so check out the sidebar on using the boot floppy.

Using a Boot Floppy


Get your hands on a machine that already has an OS installed––any OS will do. Put the OpenBSD CD # 1 into that machine. Next, you’ll need to format a couple of floppies––four to be safe. Do a thorough format with bad block checking turned on. If there are any bad blocks, use another floppy.

The next step is to do something useful with the disks. Two of them should be made into bootable DOS disks––this can usually be accomplished by specifying an option in the format program. Onto each disk, copy the program FDISK.EXE, which usually is found in your WINDOWS directory.

The other two disks will become OpenBSD install floppies. There is a disk image (a special system-independent file that expands onto a floppy disk) on the OpenBSD CD (#1) called floppy25.fs. Under DOS/Windows, you’ll extract the image using the rawrite.exe program located in the tools directory of the CD (#1). You can run this program directly off the CD. The program is DOS-based, so when it runs it will open an MS-DOS window. It will ask you for the image file. Type in: floppy25.fs and hit enter. The target drive is the letter of your floppy drive (often A). Perform the same extraction on both remaining floppies so that you’ll have a spare copy in the event that one floppy is defective.

Now you’re ready to insert the boot floppy and power up the computer. If it works, you’re all set––the rest of the install is identical to the CD-ROM installation. @@@OK to run in? WS: YES@@@

If it doesn’t work, try the dos floppy... did that load up to a dos prompt? If not, try using another machine/floppy to create the dos floppy. If it still doesn’t work, you either got two bad floppies in a row or your floppy drive is not installed correctly.

If you can get the dos floppy to work, then the problem could be the physical media for the boot floppy.

Rawrite is really sensitive, and tends to work with about a 50% accuracy rate. Try rawriting to a few different floppies. Also, make sure you fully dos-format the floppy first (clears up any bad sectors and will alert you to media defects).

One final note––make sure you’re rawriting floppy25.fs, and not the install.i386 file or some other file. In an earlier life, one of the authors wasted two hours trying to figure out why the floppy drive was defective because of a mistake remarkably similar to what was just described.

</DIR> </DIR> </DIR> </DIR>

The Install

Okay, let’s say it worked and you see boot stuff happening (as opposed to fire stuff, smoke stuff, or darkness stuff). You will eventually notice a line that says:


This brings us to our first lesson in OS installation: the <CR> key. Usually, hitting <CR> will automatically "do the right thing" by picking a reasonably acceptable choice, but occasionally it will format your hard drive, empty your bank account, and run away to Rio with your spouse. By wantonly hitting <CR>, you’ll be exuding a cool indifference and total disregard for life or limb that embodies all the badness of "do you feel lucky, punk?" growled out by a 15 year old in the #acne-sufferers IRC channel.



There are more ways of denoting the <CR> key on a computer keyboard than there are packets on the Internet. Some call it "Enter," some call it "Return," some label it "arrow pointing down and to the left." We’re calling it <CR>, short for "Carriage Return," because we’re traditionalists.

</DIR> </DIR> </DIR> </DIR>

So gather your courage and take the plunge––hit that <CR> key for all it’s worth. If you can’t muster the inner resolve to take such a leap of faith, the installer will do it for you after about 10 seconds. Either way, you’re going over the edge––by jumping you can at least delude yourself into thinking that you had some choice in the matter.

Booting fd0a:/bsd:#######

(where ####### is a number followed by a twirling cursor)

If all goes well, you’ll see something like the above line. If you’re booting off of a floppy or a slow CD-ROM drive, it will stay this way for a long time. Don’t freak out. Soon, another number will be appended to the line, and you’ll wait even longer. Stay calm.

With little warning, stuff in blue will start scrolling up the screen (if it’s oozing out the side of the screen, run for your life). Reading this stuff carefully can tell an OpenBSD expert a lot about your system, but it won’t mean anything to you. So just wait until the screen shows the following:

sh: ./etc/rc: No such file or directory

Enter pathname of shell or RETURN for sh:

Pull all your money out of your bank account, pray for your hard drive, and keep your spouse out of the room. It’s time to hit <CR> again. If all goes well, you should now see

(I)nstall, (U)pgrade or (S)hell?

Type "I" and hit <CR>.

Next you’ll see a welcome screen with some information on how to restart the install process. Finally, it asks you if you’d like to proceed with the installation. Type "y" and hit <CR>. Hitting just <CR> actually does the WRONG thing here––it quits the installer. Luckily, no harm is done. If you accidentally hit <CR> before typing "y," you can restart the install by typing "install" at the shell prompt followed by <CR>.

The next lines will be

Cool! Let’s get to it…

Specify terminal type [pcvt25]:

Here, hitting <CR> selects the value in brackets––"pcvt25." <CR> always will select the value in brackets if you don’t type anything else. For any standard PC system, pcvt25 will be fine. If you’re playing with hardware that requires a different terminal type, you’re way out of the scope of this book.

Setting up the Hard Drive

This part of the install deals with configuring and formatting your hard drive to run OpenBSD. It’s a rather tricky part of the install, but we can just reboot and try again if we mess up. @@@AU: Please supply copy. WS: just a hanging line… it’s gone now@@@

The installer will first ask you about the root disk. It will show a list of all the drives in your system (there should be only one). The name will be something like "wd0." This should also be the default answer in brackets, so just hit <CR> again.

The next question asks if you want to use the *entire* disk for OpenBSD. We can’t think of any reason why you should settle for less, so type "yes" and hit <CR>.

Suddenly, the installer tells you that a "BIOS ‘A6’ (‘OpenBSD’)" @@@AU: Add closing double quotes? WS: OK@@@ partition has just been created, and proceeds to give you all sorts of confusing information about partition tables, offsets, and disklabels. It then says:

Treating sectors 63-### as the OpenBSD portion of the disk.

You can use the ‘b’ command to change this.

Initial label editor (enter ‘?’ for help at any prompt)


The ### is the total number of sectors on your hard disk.

So now you’re at a ‘>’ prompt. Unfortunately, here the manual talks about disklabel in a very generic way. It doesn’t help your problem, which is that the ‘>’ prompt won’t go away. This is the most complex part of the entire install, so read carefully.

First thing to do is hit ? followed by <CR>. This should give you a list of commands. The first command in the list is ‘p’ for "print label." Let’s do that to see what the current disk setup looks like. Press "p" and hit <CR>.

You should see a bunch of information about your disk geometry, followed by a list of the currently active partitions. Write down the number next to: bytes/sector. You’ll need this later.

If your hard drive was empty prior to this install, you will most likely have a ‘c’ partition and an ‘a’ partition. The ‘c’ partition should never be touched––it spans the total size of the disk. The ‘a’ partition should now be deleted, so that we can re-size it properly. To do this, type "d a" and hit <CR>. ‘d’ is the delete partition command. ‘d a’ says to delete partition ‘a.’

Next we’ll create our real partitions. We’re going to only create two partitions––a root partition that spans most of the disk, and a swap partition of about 200 megs. You could get away with less, but there’s really no point unless you’re using a very small hard drive. In general, you should have twice as much swap space as you have RAM.

When adding a partition, the installer will ask for the partition size. There are two ways to specify this: 1) in megabytes, or 2) in sectors. Specifying megabytes is slightly easier, but there are some funny issues with drive sizing that we discuss in the sidebar. We’re going to show you how to do it both ways, since dealing with sectors is something with which you should be familiar.

When Is 1000 Equal to 1024?


The drive size problem stems from the fact that drive manufacturers often calculate their drive size assuming that 1 meg is equal to 1000 kilobytes (10^3), instead of 1024 kilobytes (2^10) Since computers work off of powers of 2, the latter calculation is actually correct.

The result of this game is that the drives appear slightly larger. This difference normally is not too relevant, but the current trend in storage is toward entry-level drives with sizes upwards of 4 gigs. At those sizes, the few extra bytes can add up. Here’s an example of what we mean:@@@AU: OK? WS:fixed.@@@

If you have a 4 gig drive, you might think you have 4096 megs (4,294,967,296 bytes of space). In reality you may be getting triple whammied. If you’re drive manufacturer is playing the game, they probably have not only defined a meg as only 1000 kilobytes, but also a kilobyte as only 1000 bytes, and a gig as only 1000 megs. The short of it is that you’re losing 294,967,296 bytes (281 real megs).

</DIR> </DIR> </DIR> </DIR>

If you’re going to specify the partition sizes in megabytes, you’ll need to create the swap partition first. If you don’t, then you need to know the exact size of your drive in real megabytes in order to create the main partition. If you overestimate due to the sidebar problem, you might not leave enough room for swap. It’s far easier to start with the swap partition, which is a known size (200 megs) and then use the rest of the drive for the main partition.

Type "a b" and hit <CR>. The ‘a’ means "add a new partition" and the ‘b’ tells it to create partition ‘b.’ The installer will ask for an offset value. The offset should default to ‘63’. Hitting <CR> here is fine. Next you will be asked for the size. Enter in "200M" for the size. It will tell you that it’s rounding to the nearest cylinder. The FS type should be "swap" (the default; just hit <CR>).

Now it’s time to add your main partition. Type "a a" and hit <CR>. This says to add partition ‘a.’ The default offset value should be set to a -@@@AU:OK? WS: fixed@@@ large number. Accept the default by hitting <CR>. The default size should be the rest of this disk. Just to be certain, enter "*" as the value––it tells the installer to use the rest of the space for this partition. The default filesystem (FS) type should be "4.2BSD". Hit <CR> again or change it if necessary. The mount point should be "/". For everything else, the default values should be acceptable.

Partitioning by Sectors


If you feel like doing the partitioning by sectors, you’ll need to first figure out the size of the swap space in sectors. Look at the bytes per sector number that you wrote down. If the number is 512, that means each sector is half a kilobyte. To get 200 megs, you’ll need about 400,000 sectors for your swap space (throw in a few extra for good measure––I used 450,000).

Now you can type "a a" and hit <CR>. This says to add partition ‘a.’ The installer will ask for an offset value. The offset should default to ‘63’. One <CR> later you will be asked for the size. The size you want is the total number of sectors, minus the number of sectors of swap space (technically you should also subtract the 63 sector offset, but if you don’t it will just come out of the swap space and won’t make a difference). The FS type should be 4.2BSD (the default; just hit <CR>). The mount point should be "/". The default values for fragment size, block size, and cpg are fine; just hit <CR> for each of them.

Now you’re ready to create your swap partition. Type ‘a b’ and hit <CR>. The default offset should be the size of the root partition plus 63. If it is, hit <CR>. If it isn’t, you messed up somewhere. Likewise, the default size should be roughly the size you picked for the swap partition (minus 63 if you didn’t subtract it from the size of the root partition). The FS type should be "swap"––this should be the default; if it isn’t, just type it in.

</DIR> </DIR> </DIR> </DIR>

Print your disk label again (‘p’) and you should see partitions a, b, and c properly set up. Now type "w" to write the information to disk, hit <CR>, and then type "q" to quit.

Since you’ve only got two partitions, the OpenBSD installer knows which ones to use for root and swap. It will give you the opportunity to configure another disk, but since you only have one drive, the default should be [done]. Just hit <CR> to continue. It will ask you if you want to edit using ed. The answer is "n". Finally, it will get ready wipe your root partition. Hit "y" and wipe away––remember, you have nothing to lose.

Configuring the Network

So you’ve set up your hard disk. Great. Your next move is to get your network connection up and running. You don’t need to get all of your cards running now, but it will really help if at least one card is configured (especially if your CD-ROM isn’t working and you need to perform a network install).

The installer makes network configuration very simple. If your card is likely to be supported with the default kernel, then the installer will detect it. The installer also will let you configure multiple cards. Therefore, we recommend connecting your firewall to the network in the configuration you ultimately plan on using. This will give you an early heads-up to potential networking problems, and the lights on the cards/switches/hubs will help provide useful diagnostics.

If you aren’t placing your DMZ behind the firewall, then you’ll just need to plug one network card into a switch/hub on the internal network, and either another network card plugged into the external network or a modem. If you’re using a modem, we’ll have to configure it later.

If you are creating a three-legged network with a DMZ, you’ll need three network cards or two network cards and a modem. Plug one network card into a switch/hub on the internal network. Plug another network card into a switch/hub in the DMZ. If you’re connecting to the Internet via Ethernet, then connect the last network card to your external network router/switch/hub.

Assuming that your network card has diagnostic lights, check to make sure that they’re showing a "link." Likewise, the switches/hubs should also show a active links. If the cards aren’t lighting up, they may be installed incorrectly or they may be defective. Catching this type of problem now will spare you numerous headaches a few paragraphs later.

It’s time to move on with the installation. When the installer asks if you want to configure your network, type "y" and hit <CR>.

You’re now asked for the system host name in short form. The system host name is the name you want to give your computer. You might want to call it something other than "firewall"; this makes it a little less obvious to the casual hacking observer. Maybe calling it "pita" or "nostril" would be a better choice. Short form means that you shouldn’t put your domain name after the hostname. If your domain name is, you’d enter just "pita" here, not ""

The next step asks for the domain name. Here, just enter ‘," or whatever your domain name is. If you don’t have a domain name, don’t worry––just leave it blank. You can change this later if you do decide on getting a domain name.

You’ll see a short paragraph about DHCP servers next. If your external IP address is determined by DHCP, then you should pay attention to what it says. We’ll remind you again at the appropriate time.

You should now see a list of "network interfaces"––one for each network card in your system. The list will looks something like

[ ] pn0

[ ] pn1

[ ] pn2

It probably won’t say ‘pn’ in front of the 0,1,2, etc. Instead, you’ll see something like: ne, eth, fxp, xl, etc. What you see depends on the type of network card you have. It’s totally irrelevant. The only thing that matters is that there are as many interfaces listed as there are network cards in your system. If there aren’t, then the installer isn’t recognizing one or more of your network card. The installer should be able to detect 99% of the cards that are supported by OpenBSD. If you’re card is listed under supported hardware and the installer isn’t recognizing it, the problem is most likely on your end. Try using one card at a time––this can help you determine if it’s a card problem, or a motherboard problem.

Hopefully everything went smoothly, and you see the proper number of interfaces. If so, it’s time to configure them. It’s fairly easy to change these settings later, so don’t worry if you can’t answer some of the questions yet. You can just put in dummy values and move on.

Let’s select an interface to configure. The installer will default to the first interface in the list. Hit <CR>. It’s going to ask you for the IP address of this interface. Let’s make this the internal interface. In order to connect the firewall to the internal network, you’ll need know which physical card corresponds to this particular interface. You can figure out which is which by following the techniques in the sidebar. Once you figure this out, you might want to label the cards for easy reference.

Which Interface is Which?


If you have more than one network card, it’s a bit tricky to figure out which is which, especially if they’re all the same type (as they should be).

Technically, the interfaces follow the numbering of the PCI slots. So, if your slots numbers increase as you go left to right along the mainboard, the leftmost network card should be 0, the next one to the right should be 1, etc. Skipping a PCI slot won’t cause the network interface numbers to skip though. Network interfaces are assigned incrementally from the lowest PCI slot to the highest.

On some mainboards, the slots are numbered from left to right. On others it’s right to left. There are two ways to tell:

</DIR> </DIR> </DIR> </DIR>
  1. Open up the case and look on the board. Somewhere around the PCI slot should be a label like "pci0". That’s the slot number.
  2. Open up your motherboard manual and look for a diagram of the motherboard. Often, the PCI slots are labeled in the diagram.



During the installation, it really doesn’t matter which interface gets assigned to which network. In the worst case, you can always reassign them later on. In a later sidebar we’ll explain how to positively identify each network card use the ‘ping’ command.

</DIR> </DIR> </DIR> </DIR>

The next question asks for the IP address of your machine. Are internal addresses already being allocated by DHCP? If so, you have to request a static address within the subnet for the firewall. If there is no existing network structure, then your choices are wide open. For now, we recommend using the address: ‘’. We can always change it, but at least this particular address will give you maximum flexibility later on.

Once you’ve determined the internal address of the firewall, enter it at the prompt and hit <CR>. Now pick a host name for this particular IP address. The default will be the hostname you entered a few screens back. Just accept it and move on, unless there’s a specific reason why the hostname used for the internal network needs to be something different.

If you entered as your IP address, you should enter in as your net mask. If you entered in something else because of an existing network structure, then you’ll need to figure out the netmask for your particular network. See the section Netmasking in Chapter 2, "Fundamentals of Network Security," for more information.

Now you’ll see a bunch of information about media directives. The choice you make here will depend on the nature of your network card. If your card is a 10/100 card that can autodetect the network speed, then type "media autoselect" at the prompt and hit <CR>. Otherwise, choose the setting that is appropriate for your card and hit <CR>.

That’s it! You’ve finished configuring an interface. Now you’ll be looking at the interface selection screen again. If you have more than one interface, you should configure the other ones now. Note that the default answer to the "Configure which interface?" question is "done." You’ll want to manually enter the interface that needs to be configured. If you have a DMZ, configure that interface next.

Eventually you’ll need to make a decision about your DMZ; are you going to be using real IP addresses within the DMZ, or will you use private addresses with NAT and port forwarding, or both? If you plan on using internal addresses, then you’ll need to pick one or more real IP addresses to masquerade behind. Unless you know exactly how you’d like your DMZ to work, you should just enter another internal network address. You’ll get a chance to reconfigure it properly later on. If you chose for your internal network address, you might want to pick as your DMZ network address. There’s no particular reason for this choice, other than the fact that it’s unlikely to clash with your subnetting strategy.

The final interface you need to configure is the interface that connects to the outside world. If you’re going to be connecting via modem, then you don’t have anything to configure yet. But if you’re connecting to the outside world via a network card, you’ll need to configure this interface with a static, external IP address. If your address is assigned via DHCP, then you’ll need enter ‘dhcp’ as the IP address.

Once you’ve finished configuring your interfaces, type ‘done’ at the "Configure which interface" prompt. You’ll be asked for the IP address of the default route. If your IP address is assigned dynamically, leave this and the next question blank. If you have a static IP address, you’ll need to use IP address of your router, or the ISP’s gateway router. Most ISPs will tell you the address of their "gateway" if you ask. Likewise, they’ll give you the IP addresses of their DNS servers. You can leave out the DNS server, but we don’t recommend it. When it asks if you’d "like to use the name server now," you should answer yes if you’ve given it a valid DNS address. @@@AU: OK to run in? WS: yes@@@

Next it will give you the opportunity to escape to the command shell to perform additional configuration. If everything has worked thus far, then there’s no need to go to the command shell. If the network didn’t configure properly, don’t sweat it yet. You’re installing from CD, so you really don’t need network access now. You can continue the installation to get a feel for what the rest of the install is like and to identify any other problems. Later you can go back and figure out what went wrong.

The installer will now mount the hard drive onto the file system. When it’s finished, it will ask you to set a root password. It’s worth taking a few minutes to think about choosing a good password. If someone can guess your password, all the work you’ve done to make your network secure will be totally wasted.

Some Thoughts on Passwords


There are standard rules that you should always try and follow when choosing a password: no words from any language, no variants on any such words––don’t think that mixing a couple of numbers into a word makes it secure.

Hackers have wonderful tools that crack password files very efficiently. You can and should download these tools and run them on your password files. If you have a sizable number of users, you’ll be shocked by the high percentage of passwords that can be "cracked" by these password cracking programs. If you crack a user’s password, they should be instructed to change their password immediately.This should NOT be done through email if you could crack the password, somebody else probably did too and is reading the users email. Pay them a visit, or leave them a voice mail (although first check to see iftheir voice mailbox code is 12345).

Our recommendation would be to take a book down off your bookshelf, pick a sentence at random, and use the initial letters of that sentence. Don’t pick a famous sentence. Don’t open the book at page one. Don’t use the book you’re currently reading (this book!), and don’t leave this book next to the one you do choose, either. If you need to highlight or underline the sentence to give you an emergency reference if you forget the root password, that’s OK (well, it’s better than writing the root password down on a piece of paper, anyway). Pick a good one and spend a little time fixing it in your memory.

</DIR> </DIR> </DIR> </DIR>

The last major step is to get the stuff off the CD and onto your freshly lobotomized drive. The installer will tell you as much, and then ask you to select the installation media. Select (C)D-ROM from the "Install from" prompt by typing ‘c’ followed by <CR>.

You’ll now see a list of CD-ROM drives available for use. If this list is empty, then you need to read the sidebar on "what to do if your CD drive isn’t being recognized." Assuming it worked properly, you should see one CD-ROM drive. Answer the question "Which is the CD-ROM with the installation media by typing in the name of the drive (could be something like "acd0")

When it asks for file system, select cd9660––which should be the default. The directory relative to the mount point that contains the file is /2.5/i386 (which should also be the default).

What to Do If Your CD Drive Isn’t Being Recognized


The easiest way to do a network install is via FTP. Install an FTP server on the other computer (if it’s a Windows box, we suggest using one of the many good free FTP servers, such as WAR-FTPD). Make the CD-ROM drive accessible by anonymous FTP login (It’s OK to use anonymous FTP, since you’re just connecting these two machines to an isolated hub––just make sure you turn off the FTP server when you’re finished). Connect the firewall and the FTP server to a hub. Select appropriate internal IP addresses for the FTP server and the firewall. Make sure they’re both within the same subnet. Now when you’re asked to choose an installation method, select FTP. Specify the FTP server by its IP address. Give the installer the proper path to the CD-ROM drive and it should make the connection.

If the FTP install doesn’t seem to work, look at the FTP server. Does the server log show a connection? If not, the server may not be installed properly or the IP address you gave might be incorrect. If it does show a connection, then the problem might be an incorrect path or a bad username/password combination.

After you finish the install and reboot, you should see if OpenBSD detects the CD-ROM drive. If not, you should definitely return the drive and exchange it for a new one. Don’t buy Mitsumi drives––they tend to create lots of problems. Once you’ve installed the new drive, try doing a full install again. If it autoboots and finds the CD-ROM, then you’re doing much better!

</DIR> </DIR> </DIR> </DIR>

Now comes the fun part: Selecting the various packages to install. This process is somewhat different from that of RedHat 6.0 and quite different from Microsoftland installs. There are three separate systems for packaging programs under OpenBSD. The first is called the "disk set," which are the collections of core programs that make up the OpenBSD OS. The installer will let you chose among these sets (although some are required). The second system is called the "package" system, and it consists of a few tools that operate on a directory of precompiled software deemed stable by the OpenBSD crew. When needed, a simple command adds and removes packages from your system. Finally, there’s the "ports tree," which is for programs that are under active development. These programs are distributed as source code and compiled as needed. The unusual aspect of the ports tree is that the source code for a given program is downloaded from its author’s Web site during the installation. The tree itself is simply an index of "what’s available." When you go to a directory in the tree for a program you need, simply typing "make" will cause the ports system to download the necessary source code, compile it, and install it––all automatically.

What we’re dealing with here is the disk set method. Disk sets are basically gzipped tarballs (a collection of files archived using the tar program and compressed using gzip) that are extracted in the / directory. The problem with this is that it’s an all or nothing approach––you either take all or none of the files in a disk set. To make matters worse, there is no standard method for uninstalling a disk set later on. This is OK because well only be installing core programs that youll want to leave on the system. For the truly adventurous, your benevolent authors have provided you with a tool for managing disk sets after the installation (youll find it on the companion web site). You can send us praise and thanks, but we’d prefer money.

The installer allows you to select the disk sets you want from the following list:

[x] base25.tar.gz

[x] etc25.tar.gz

[ ] misc25.tar.gz

[ ] comp25.tar.gz

[ ] man25.tar.gz

[ ] game25.tar.gz

[ ] xbase25.tar.gz

[ ] xshare25.tar.gz

[ ] xfont25.tar.gz

[ ] xserv25.tar.gz

[x] bsd

Note that base, etc, and bsd are already selected because they are required. We’ll also need misc, comp, and man. You can select these additional packages in a number of ways. The easiest is to type in the file names one at a time.

The fastest is to use wildcard matching. Type m*<CR>, followed by c*<CR>. That will select the other three packages. * alone will select everything, and -* will deselect everything. You don’t need the x packages because you won’t be running X on your firewall. The same applies to games. @@@AU:OK?@@@

Type "done<CR>" and hit <CR> again when it asks if you’re ready. This will start the installation process. With any luck, the process will finish after a few minutes and will ask you if you want to extract any more sets. The default is [n], so just hit <CR>.

The next step is to set a timezone for your location. This is pretty straightforward. Just type "?" for a list of valid timezones. You’ll notice that some locations in the list have a trailing slash. If you select one of those locations, you’ll be prompted to select a more specific region.

Once you’ve finished selecting a timezone, the installer will go through some gyrations. It will lastly ask you if you plan on running X on this system. Your answer should be "n" followed by <CR>.

That’s it! You’ve finished installing OpenBSD. It will tell you to type halt at the command prompt in order to shut down your machine. Actually, you can pop out the CD-ROM and type: reboot<CR> instead. This will halt the machine and force a reboot.

At this point, you should have a system that boots up to a login prompt. If you do, congratulations. If you don’t, then please read over the install.i386 file, look inside the cover booklet for the CD-ROM, and read the FAQ. Somewhere in one of those documents is the answer to the problem you’re having, assuming you’re using relatively standard hardware. If not, you can always try the OpenBSD news groups for support.



If your system is set up to boot from CD-ROM in preference to the hard disc, the computer is going to start trying to reinstall the OS again. The Right Thing would be take the CD out of the drive before you reboot, but most modern CD drives will allow the operating system to lock the drive shut (i.e., disable the eject button) if the OS considers it necessary. Since that is necessary when the CD is mounted, as it has been throughout the installation, it is unlikely that you will be able to eject the CD before rebooting. So, if your computer tries to reboot off the CD, and it starts looking a lot like you’re about to reinstall the OS, don’t panic. Press the reset button on your computer, and then hold the eject button down on your CD-ROM. As soon as the computer has reinitialized the CD-ROM drive, the drive should obey the button and pop the CD tray out. Remove the CD, and close the drive.

You might want to consider tweaking the bios so that it doesn’t boot off the CD-ROM. This isn’t a bad idea, as you may be using the CD later on to install packages and might forget about the CD’s presence. If the system reboots for any reason, you could be stuck on the install screen for a while.

</DIR> </DIR> </DIR> </DIR>

Basic System Configuration

Just because your machine boots to a login prompt doesn’t mean that it’s of much use at the moment. Sorry to break it to you, but you’re far from done setting up your OpenBSD system. You’ve got a lot of work ahead of you in order to configure it properly. There are numerous tasks you’ll need to perform to configure and "tune" the system for use as a firewall. The good news is that we’ll keep walking you through the process. Our first configuration task will involve properly setting up your network cards and/or a modem.

Before you do anything, were going to suggest taking a good look at the afterboot man page. Type man afterboot<CR> at a command prompt. Dont worry if you dont understand everything were actually going to cover many of these topics in the following pages. Reading afterboot now will help your understanding of the rest of this chapter.

Configuring Network Cards

If you’re creating a DMZ you’ll need to go beyond the network configuration performed during the installation. Even if you aren’t building a DMZ, you’ll have occasion to alter the settings of your network cards as your network evolves. This section will describe how to use the ‘ifconfig’ program as well as describing the few critical configuration files needed to set up your network.

The ifconfig Tool

Let’s first work with ifconfig. This program is used to make real-time changes to your interface settings. It’s very useful for diagnostics and initial configuration. It’s important to note that ifconfig doesn’t save the changes you make, but we’ll get to that in a little bit.

Log in as root and type "ifconfig –a" and hit <CR>. This tells ifconfig to print out a status report on the current configuration. You should see a list of each network interface in your system, a number of which will look very unfamiliar. Don’t worry about those––just look for your ethernet adapters. If you see all of them, then you’re in great shape. If you don’t an adapter that you know is in the machine, then your system isn’t recognizing the adapter. You should make sure the adapter is properly seated in the PCI slot and that the adapter is supported by OpenBSD.

There are two other status options for ifconfig: ‘-A’ does the same thing as ‘-a’, but also prints out alias information for each interface. ‘-Am’ and ‘-am’ cause the list of potential media options for each card to be printed out. These are options such as "100baseTX," "10baseT," and "autoselect."

Of course, the real purpose of ifconfig is to actually tweak your card settings. The format for the ifconfig command is as follows:

ifconfig [

] [
] [] @@@Must appear on one line@@@

where is the name of the interface you want to configure. If your network card appeared as pn0 when you typed "ifconfig –a", then that’s your interface name.

The rest of the parameters are somewhat optional, depending on what you’re trying to do (throughout this book, optional arguments are surrounded by [brackets]). For example, if you’re just trying to turn off an interface, you can skip the

parameters and simply type

ifconfig eth0 down


describes the type of network addressing structure on your network. For us, we’re going to use the value ‘inet,’ since we’re connecting to the Internet. Other valid options include ‘ipx,’ ‘atalk’ (appletalk), and a few other more obscure network types.
is the IP address you wish to assign to the interface.

If you provide just the address to ifconfig, it will simply set the interface to the given address. If you make a mistake, just run ifconfig again with the correct address and the old one will be overwritten.

The fun happens within the part. There are many different parameters that you can set for a given interface. Here’s a list of the most important ones. You can figure out the rest by looking at the man page for ifconfig.

down: Turns the interface off. A useful way of "cutting the cable" that can be done remotely. Just remember––if you down the interface that you’re connecting on, you’ll lose your connection. Unless you can get in through another interface, you’ll have to bring the interface back up from the console.

up: Turns it back on again.

netmask: This keyword is followed by the network mask, which can be expressed in dotted quad notation ( or as a single hexadecimal value (0xffffff00).

alias: Allows you to directly set alias addresses for the given interface. For example, if the interface pn0 is currently configured with the address and you’d like the interface to accept packets destine for both and, you could use the command:

ifconfig eth0 alias

delete: Removes the network address specified from the given interface. If you erroneously add an alias to an interface you can use this to remove the bad alias.

media: Many cards today are 10/100 capable. This means that they can function as 10baseT and 100baseTX cards. Some cards also can handle other network technologies such as 10base2, although you really should avoid having anything to do with those older technologies, if at all possible. To figure out what media is supported by your card, do an ‘ifconfig –am’.

mediaopts: Lets you switch between "full-duplex" and "half-duplex" modes if your card supports it. Don't play with this setting unless you know what you're doing; the results can be unpredictable.

Which Interface Is Which—Revisited


Once you’ve configured your interfaces with their appropriate addresses, you’ll want to make sure you know which card physically corresponds to which interface. ‘ifconfig –a’ used to give a status line that made it really easy to figure this out, but now it’s gone. Here’s another way to do it.

Connect one of your network cards to a network with a live computer on it that will respond to a ‘ping’ request. For each interface, execute the following command:

ping –I

where ’’ should be replaced with the address you gave the interface and should be replaced with the IP address of a machine that is accessible from that network. If you get a response, then you’ve just matched a card to an interface. If you don’t get a response, switch the ethernet cable into the next card over and try it again.

</DIR> </DIR> </DIR> </DIR>

Configuration Files

As we mentioned up front, ‘ifconfig’ does not save your changes. It’s good for making runtime alterations, but when you reboot the computer all of your changes will be lost. In order to make your settings permanent, you’ll need to place them in configuration files that are located in the /etc directory. These files are named ‘’ where xxx is the name of a network adapter. There should be one such file for each adapter in your system. The format of this file is

<netmask> [] @@@ needs to appear on one line@@@

[dest <destination address>]

If this interface is configured through DHCP, the file should contain only the word ‘dhcp’. Otherwise, this file controls all of the interface attributes that can be set with the program ifconfig. In fact, this file is read at startup (when the script ‘/etc/netstart’ is executed), and the contents are passed almost verbatim to the ifconfig program.

Editing Files


If you’ve never edited files in a Unix environment, you’re in for a bit of a shock. There’s no "notepad" equivalent for the Unix command line. Instead, there’s ‘vi,’ a powerful text-editing tool that is easily the most unintuitive program ever created by man. Don’t believe us? Type "vi" at a command prompt and hit return. In a few seconds, the screen will fill with a bunch of ‘~’ symbols. You’re now in vi. Okay, now try and quit the program. If you can figure this out within 10 minutes, you’re doing better than any of the authors did the first time we encountered it. We’ll explain how to perform some basic editing tasks (such as quitting) in Chapter 12.

</DIR> </DIR> </DIR> </DIR>

You should be aware that the syntax of this file is not as flexible as the ifconfig syntax. You must give an address family, an address, a netmask, and a broadcast address before specifying extras. For the broadcast address, it’s often easiest to put in the value ‘NONE’, unless you have a specific reason to do otherwise. By using ‘NONE’, the program simply defaults to the broadcast address implied by the IP address and the netmask. This should be correct unless you’re doing something really weird. All of the other fields correspond directly to their ‘ifconfig’ equivalents.

You can force the system to re-read the files by running the command

sh /etc/netstart

While ‘ifconfig’ is useful for setting up interfaces, it doesn’t tell the OS how to get packets from one interface to another. There is another program called ‘route’ which is used to alter the kernel’s packet routing tables. While it’s helpful to know a bit about ‘route’, we actually don’t need to worry about it here, because the proper route commands are automatically executed by the ‘/etc/netstart’ and ‘newifaliases’ scripts. We suggest looking at the man page for ‘route’ some day when your firewall is finished, but it’s not needed for today.

There’s one ‘ifconfig’ parameter that won’t work in the file: ‘alias’. In order to set persistent aliases you’ll need to edit the ‘/etc/ifaliases’ file. Once again, this file is read during start up and the contents are passed to the ‘ifconfig’ program. The format of this file is very simple. Each alias is on a separate line; there can be as many lines as needed. The format of each line is


All three values must be present. If you have multiple aliases for an interface, place one alias on each line. The "netstart" script will not activate the changes in this file. Instead, you should use the script we provide called "newifaliases." Download the script from the companion Web site (or just type it into your favorite editor). If you don’t use our script, there are two other ways to get the aliases to activate: 1) reboot and 2) use the ‘ifconfig’ program with the ‘alias’ parameter.

Another important file is ‘/etc/hosts.’ This file contains mappings of IP addresses to hostnames. The domain name resolver often checks this file first before checking with the DNS system. It’s a good idea to have entries for your firewall system here. A typical file might look like this: localhost firewall-internal one line@@@ firewall-external one line@@@

The first line makes sure that the system knows what to do with the loopback address. The second line handles the internal network interface, and the third line handles the external interface. On the second and third line, we specify the internal and external hostnames, followed by the host + domain name. All three are different ways of referring to the same machine.

Knowing about these files will enable you to configure any combination of interfaces and networks. If one of the interfaces is connected directly to the Internet via a dedicated line, then you’ll be able to skip the next section and move on to "Fine-Tuning the System."@@@AU; Usually hyphenated.@@@ Otherwise, keep reading to figure out how to get on the net with a modem.

Connecting to the Internet via Modem

If you don’t have a dedicated Internet connection through some device such as a T1 multiplexer, an external ISDN modem, or some sort of DSL unit, then you’ll probably need to connect to the net with a modem. This is far less trivial a task than connecting via a network card, because there are numerous additional pieces in the puzzle. We’ll need to deal with determining the port that the modem is on, creating a dialup script, configuring the modem to autodial your ISP, etc. If your IP address is dynamically determined by the ISP, then you’ll have even more issues to deal with.

Finding Your Modem

The first thing to do is work out which serial port the modem is on. If you don’t find this challenging, please skip to the next section. It occurred to us that we’ve hardly ever been able to look at the back of a PC and know which serial port is which. While it’s true that some machines externally label the ports as "1" and "2," these labels don’t necessarily correspond with the internal designations. Because the black art of identification is rather badly documented elsewhere, we’ll dwell on it a little here.

There are only two serial ports on most modern PCs (don’t confuse them with the parallel, or LPT, port), and they are accessed through the device files /dev/cua00 and /dev/cua01, which somewhat correspond to the PC concept of COM1 and COM2. If your modem’s connected to a serial port on the back of your firewall, it can be talked to through /dev/cua00 or /dev/cua01.

Theoretically, there should be some way of determining which is COM1 and which is COM2, by looking at the motherboard. But this isn’t a great guide, because BIOS and OS issues can move the ports around. For example, if you happen to have a serial card of some sort COM1 may be on the card while COM2 is one of the two ports and the other port is disabled.

The easiest way to locate the modem is to plug it into one of the two serial ports. Then at a prompt type "ppp" followed by <CR>. This brings us into the interactive mode of the ppp program. We’ll be in and out of this mode many times over the next several pages.

Before doing anything, look at the modem. Note which lights are on and which are off. Now, at the prompt, type

set device /dev/cua00<CR>


If the program hangs for a while, don’t panic. After some time one of two things will happen: 1) you get another prompt or 2) one or more new status lights illuminate on your modem, the ppp program tells you to type "~?" for help and then it seems to hang. If the former occurs it simply means your modem is on another device. If the latter occurs, type the following:


You won’t see anything on screen as you type, but when you hit return you should hear a dialtone (assuming you have the modem plugged into a live phone line). Even if you don’t hear anything, you should see more status lights on your modem than before. That’s a good sign. It means your modem was found on device cua00. Now let’s turn off that annoying dialtone:


If the modem wasn’t found, then you’ll need to type

set device /dev/cua01


and try again. If that doesn’t work, then you should switch the physical port in back and start again from the top. You can also try the following devices: /dev/cuaa0, /dev/cuaa1, /dev/pccom0, and /dev/pccom1. Just keep repeating the process by changing the device until you find the modem.

If things still aren’t working, don’t go crazy. The cable connecting the modem to the computer is often another source of problems. Assuming the ends are the right size and gender to connect your modem to your computer, there are still two types of modem cables: one is intended to connect modems to computers, and the other is intended to connect computers to computers (or modems to modems). If you have the wrong type (they’re very difficult to tell apart), no signals will get through. If you suspect that might be the case, a device called a "null modem adapter", which plugs into one end of either type of cable and turns it into the other, can be extremely helpful in testing. They don’t cost very much, and most computer stores should carry them. You also might have a defective cable or a cable that has the right gender but is actually meant for something else entirely. (One of the authors has a router that uses a special serial cable for management and spent a while debugging the modem before realizing that he had the wrong cable.)

After You’ve Found The Modem

Once you’ve worked out which port the modem is on, it will save a lot of time in the future if we put in a link––much like the mouse link mentioned above––to point to the modem, and refer to the modem through that.

If your modem turned out to be on /dev/cua00, issue the following commands:

cd /dev

ln -s cua00 modem

If the modem turned out to be on /dev/cua01, change the cua00 in the preceding command to cua01. Once this link is made, every time you refer to "/dev/modem," you’ll automatically be talking to your modem. The rest of the modem section assumes you have done this.

Gettin Jiggy wid PPP (Point-to-Point Protocol)

Given that your modem and computer are talking to each other, we now have to get them talking to the Internet. This involves transmitting IP (Internet Protocol) signals down a serial cable. In the early days of the Internet, the first protocol to try to do this was called SLIP, the Serial Line Internet Protocol. This had limitations, and was replaced nearly everywhere by PPP, the Point-to-Point Protocol.

PPP is what you will very likely be running over your modem line, between your OpenBSD box and your ISP, in order to talk to the Internet. A full discussion on all the aspects of PPP is beyond the scope of this book, and moreover it is unnecessary, because you have just installed an excellent manual on the subject. If you type "man ppp<CR>" at a command prompt, you will find an excellent document that discusses the theory, application, and configuration of PPP. This document, along with every other man page, is available online from

Nonetheless, we won’t leave you to figure it all out on your own. The initial configuration of PPP can be a little bit confusing, so we’ll walk you through it here. Before we do that, we need to make an important point: The ppp program in OpenBSD is a very complex piece of software. It’s got far more features than its Linux counterpart. For example, it includes the ability to do dial-on-demand, which requires an addition program in Linux (diald). It’s also capable of doing its own packet filtering, separate from the filtering we’ll be talking about in the next chapter (we do not recommend using PPP’s filtering system––it just means you’ll have two sets of rules to keep in sync, and that can make your life a living hell when you forget to tweak one or the other). This means that you won’t find too much additional help on PPP outside of the BSD community, because Linux users have a much simpler program.

The first step is to dial your ISP from the ppp program. We need to figure out the login procedure for your ISP. Hopefully this will be fairly straightforward. If it isn’t, we suggest changing your ISP or calling your ISP’s tech support and asking for help. Often changing ISPs is faster and easier. Our example uses MindSpring, which happens to be compatible with the default settings in the ppp.conf file.

Start the ppp program by typing "ppp" at the command line. Once you’re in the program, type

set device /dev/modem


This will put you in terminal mode. To connect with your ISP, type


Replace the 1234567 with your ISPs phone number and hit <CR>.

If your modem is connected correctly, after a few seconds you’ll hear a bunch of beeping, followed by the sound of a pig in a blender on a pogo stick. This is a good, albeit sick, sound. Shortly the blender will stop and you should see something like


Welcome to MindSpring Dialup Service

arc-1a.bos login:

If the prompt doesn’t say "login" then write down exactly what it does say (maybe it says "username:"). Type in your username. For MindSpring, it’s your email address. After hitting <CR> it will say


Once again, if this says something other than "password" you’ll need to write it down. Type in your password and hit <CR>. If both username and password were correct and active, you’ll see something like this

Packet mode enabled: PPP session from to beginning..

.~ }#À!}!}!} }8}!}$}%Ü}"}& }%}&}#+"5}…

This means you’ve successfully established a PPP connection. Exit the term session by typing "~." followed by "close<CR>" at the command prompt. If you had trouble connecting, or it didn’t ask for anything remotely like a login and password, you probably have an ISP that uses a different authentication method. The ppp program can connect to these types of ISPs, but we don’t cover the process in this chapter. The ppp man page and the ppp.conf.sample file give a detailed explanation of this process. If you can’t figure it out, try switching ISPs.

Now let’s create a script to automate the connection process. Go into your /etc/ppp directory via the command

cd /etc/ppp

In this directory there are numerous sample configuration files. These files can be easily turned into real configuration files by removing the .sample extension from them. What we’re going to do is copy one of the files, removing the .extension in the process. We’ll then edit the copied file and convert it into a real configuration file. To do this, type

cp ppp.conf.sample ppp.conf

Now call up "vi," refer back to the command reference in Chapter 12, and let’s edit the ppp.conf file. Use the down arrow on your keyboard (or ctrl-n if that doesn’t work) to move the cursor down past the ‘default:’ to the line that says

set device /dev/cuaa1

Move the cursor to the ‘c’ in "cuaa1" and hit ‘D’ . Now type a followed by "modem" and finish by hitting escape. The result should be a line that says:

set device /dev/modem

Now we need to modify the phone number used to dial our ISP. Move the cursor down past the "pmdemand:" line, to the line that says

set phone 1234567

Position the cursor over the 1 and hit ‘D’ . This should delete the phone number. Now type "a" followed by the phone number of your ISP. When done, hit the escape key. The new line should now have the phone number of your ISP after the word "phone" (there should be a space between "phone" and the phone number).

Now let’s put in your username and password for your ISP. Move the cursor to the line that says

set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"@@@COMP: should be one line@@@

and position the cursor over the first ppp (after "–login:"). Hit ‘x’ three times to delete the "ppp". Now type ‘i’ followed by your username. Hit escape, move over to the second "ppp", press ‘D’ , hit ‘a’, and type in your password. Whack the escape key again.

When you were connecting manually, you might have written down an alternate login or password prompt. If this were the case, you’ll need to also edit the part that says "ogin:--ogin:" or "word:" to reflect the prompt given. For example, if your ISP prompted with ‘username’, you could change the section to read: "name:--name:". Anything more complex and you’ll have to check with the man page.

The final step will be to delete the lines that we don’t need. Move the cursor down past the pmdemand: section. Place it at the beginning of the line that starts with

# When we want to use PAP or CHAP instead of …

Now delete all the stuff from there to the end of the file. This can be done with the command


This tells vi to delete (‘d’) all the lines from the current one (‘.’) to the end of the file (‘$’). At some point in the future you may wish to read the text you deleted––it has some interesting examples of things you can do with ppp. For now, we’re satisfied that we’ve stripped out all the stuff that’s not relevant for our firewall.

Once you’ve finished making the appropriate changes to both files, it’s time to run the ppp program again. We’ll use it to test whether the changes you made were correct. Type "ppp" at the command prompt to enter the ppp interactive mode. Then type

load pmdemand


If you did everything properly, you’ll hear the modem dialing your ISP. One pureed pig on a pogo later and you should have a running ppp connection to your ISP. If you don’t, check back over all of the steps to see if you missed something. With vi, it’s often easy to accidentally delete or insert a character in the wrong place. Look through the ppp.conf file and check to make sure everything is there. To do this, you can use the commands: "more /etc/ppp/ppp.conf".

Once you’ve established an active connection, it’s time to finish automating the connection process. The ppp program has an option called "auto," which causes ppp to run in the background and automatically dial up your ISP the moment a program tries to use the Internet.

The auto option is great for networks where you’re only concerned about providing outbound access on demand, but it’s not good for servers. This is because auto responds to outbound connections only––there’s no way for it to know if someone is trying to reach your machine if the PPP connection is down. In fact, due to the very nature of PPP, the inbound packet will never reach your machine. Instead, the ISP will send an ICMP unreachable error whenever someone tries to access your IP address. If you’re running important servers on a fixed IP address, you’ll want to make sure your PPP connection is always active. You don’t want a poor phone connection to keep your servers off line for extended periods of time. Luckily, there’s an option for this exact situation called "ddial." This option ensures that the PPP connection is always active––if the link goes down it immediately brings it back up again.

We need to ensure that the ppp program is run with either the auto or the ddial option whenever the computer boots. To do this, add the following line to your "/etc/rc.local" file:

ppp –ddial myisp


ppp –auto myisp

Fine-Tuning the System

We’ve got a computer that can connect to the Internet, but it’s still not ready to be configured as a firewall. We need to patch up a few things (in order to get rid of known security holes) and optimize the system for use as a firewall. This is a process you’ll need to go through once in a while anyhow, so you might as well learn it now while you still have "nothing to lose."

Mounting the CD-ROM @@@Level 3 heading? WS:Yes@@@

Before we can patch anything, we’ll need to be able to access some files on the CD-ROM. Unfortunately, you can’t just stick a CD in the drive and immediately access it. You’ll first need to "mount" the CD drive onto the file system. This basically means you’ll be creating a directory and making the contents of the CD accessible from within that directory.

We like to make the CD accessible from "/mnt/cdrom". Therefore, the first step is to make the directory. Type: "mkdir –p /mnt/cdrom" and hit <CR>.

The next step is to figure out what system device represents your CD-ROM drive. The fastest way to do this is to type: "dmesg | more" and scroll through the file. You’re looking at the output your system created when it first booted. Somewhere in this file should be a line about your CD-ROM drive, often appearing shortly after the network cards are listed. Look for something like "ATAPI" or "volume levels" somewhere on the line.

Once you’ve found the right line, look at the beginning. The first thing on the line is the CD-ROM device name. For us, it happens to be "acd0". Tack an "a" on to the end of that device name and you have the device name for your CD-ROM. So, our CD-ROM is "/dev/acd0a".

If you don’t see anything that could be a CD-ROM drive in the "dmesg" output, then you should re-read the note on CD-ROM troubleshooting in Chapter 5, "Choosing the Right Hardware."Your CD-ROM may need to be connected differently (slave instead of master, etc.).

Now that we’ve found the CD-ROM, let’s verify that we’ve got the right drive. Place the OpenBSD CD#1 in the drive and type

mount_cd9660 /dev/acd0a /mnt/cdrom

cd /mnt/cdrom


Replace "acd0a" with the appropriate device for your CD-ROM. If all goes well, you should see a listing of the files on the OpenBSD CD. If you see nothing, or something other than the contents of the OpenBSD CD-ROM, then you may have mounted the wrong device. Look more carefully at the "dmesg | more" output.

Let’s make our lives a bit easier by making a link to our CD-ROM device, similar to what we did with the modem:

ln –s /dev/acd0a /dev/cdrom

Once again, replace the "acd0a" with your CD-ROM device name. From here on in, we can access the CD via "/dev/cdrom".

Now let’s unmount the CD so that we can eject it:

cd /

umount /mnt/cdrom

Note that the command is "umount" and not "unmount". If it complains that the device is busy, try

umount –f /mnt/cdrom

Make sure that you do the "cd /" first––if you’re current directory is within the CD-ROM tree when you do this it will complain or cause other problems.

To eject the CD, type

eject /dev/cdrom

Finally, lets look at making this process a bit more automatic. Type:

vi /etc/fstab

Move the cursor to the end of the last line and type "a" followed by <CR>. Now add the following line:

/dev/cdrom /mnt/cdrom cd9660 ro 0 0

When finished, hit escape, followed by ":wq" which will save the file. To test your settings, place a CD in the drive and type

mount –A

at a command prompt (the capital A is important). If it worked, then your system will try and mount the CD-ROM at boot time. You can also easily mount the CD at any time with the command

mount /mnt/cdrom

It’s not critical that you get this to work––you can always explicitly mount the CD-ROM drive with a command such as

mount_cd9660 /dev/cdrom /mnt/cdrom

but "mount /mnt/cdrom" is easier to remember. In case you’re wondering, the "mount" command attempts to automatically determine the type of file system that’s being mounted. It then calls the appropriate filesystem specific mount command. For CD-ROMs, this is "mount_cd9660". We explicitly state "mount_cd9660" here because sometimes the mount command doesn’t recognize the CD filesystem. If you make the suggested addition to "/etc/fstab", the mount command will reference that file first before guessing at the file type. Our additional line explicitly states that /dev/cdrom is a cd9660 device.

Optimizing the Kernel

The OpenBSD distribution comes with a fairly generic kernel. This kernel has support for most hardware, but isn’t optimized for firewall usage. If your firewall has to process a large number of packets, the stock kernel may run out of memory. Therefore it’s necessary to rebuild the kernel with certain memory parameters added. While we’re at it, we’ll apply a few patches to the system. This may sound like the scariest part of the entire installation, but in reality it’s no more difficult than anything else we’ve already done.

The first step is to locate the source code for the kernel and make it directly accessible to the filesystem. The kernel source code can be found in the sys directory on the CD-ROM, Disk #1. If we didn’t need to patch anything, we could just compile it directly from the CD-ROM. But, since we need to change the source code, we’ll need to have the source code in a writable directory. Your first inclination might be to copy the entire source code off of the CD-ROM and onto your hard drive. This will take a while, and isn’t necessarily the best option. At the least, it’s one more thing you’ll have to remember to strip out of the system later.

A better thing to do is to use a concept known as a ‘union mount’. This is a cool technique––the CD-ROM is mounted as a writable file system. How does this work? It’s relatively simple: When you edit a file on the CD, it actually creates a temporary file on the hard drive with the changes. When the edited file is read, the union mount system transparently retrieves the changes from the file on the hard drive. This is a very efficient way of working with the CD––only the files that are changed are copied to the hard drive.



There is a downside to the union mount your changes are not permanent. When the device is unmounted, all of your changes are lost.

</DIR> </DIR> </DIR> </DIR>

To perform a union mount, type the following:

mkdir /mnt/cdrom<CR>

mkdir /usr/src<CR>

mount –t union –o –b /mnt/cdrom /usr/src<CR>

Editing the Kernel Configuration File

Configuring the kernel isn’t as easy on OpenBSD as it is on Linux, because it doesn’t have a neat little graphical interface. Nonetheless, it’s a pretty straightforward process that’s entirely managed by a single configuration file. The OpenBSD distribution comes with numerous example configuration files, each of which is tailored to a specific purpose. The one that best fits our purposes is the "GENERIC" configuration file. Assuming that you’ve performed a successful union mount, you’ll be able to view this configuration file by typing:

more /usr/src/sys/arch/i386/conf/GENERIC

Before we edit the file, let’s create a copy of it so that we don’t have to change the original:

cd /usr/src/sys/arch/i386/conf


Now let’s edit the MYKERNEL file with vi:


The goal is to add a few lines that will improve firewalling performance. These lines can be added to the end of the file. Hit ctrl-d until the cursor is at the end of the file. Hit ‘e’ a few times to advance to the end of the line. Hit ‘a’ to append text to the end of the file. Hit <CR> to start a new line and type

option NMBCLUSTERS=8192


option MAX_KMAP=120

option MAX_KMAPENT=6000

This is pure and unadulterated black magic (ok, maybe a wee bit of adultery was thrown in). If you want to know what’s going on here, you’ll need to read the OpenBSD FAQ, section 12, and the man page for "options."

You might notice a line that says "include ../../../conf/GENERIC" toward the beginning of the file. There is actually another GENERIC file that contains the options which apply to all platforms on which OpenBSD compiles (the file we’ve been editing is Intel specific). To view the file, type:

more /usr/src/sys/conf/GENERIC

Note the two lines that say:



These lines enable the IPFilter code in the kernel. If either of these lines start with ‘#’ (the comment symbol), you’ll need to edit the file and remove the ‘#’. If the lines are not present, you’ll need to add them. If you’re using the OpenBSD 2.5 CD, these lines should be present and uncommented.

Once you’ve gotten these changes to successfully compile, you may want to play around with stripping out unnecessary kernel options. The GENERIC configuration file includes everything under the sun––your system needs less than half of the file. The trick is figuring out which half to delete. Slimming down your kernel will improve boot time and the performance of your machine. It will also make it a little more secure––there’s less stuff that might be insecure. We’re not going to help you much here, but here are some general pointers:

  1. Instead of deleting lines you don’t want (done with ‘dd’ in vi), you should "comment them out" by placing a # at the beginning of the line. This turns the line into a comment, which is not processed when the kernel is compiled. The advantage to commenting the line out is that if you accidentally deactivate something critical, it’s very easy to re-activate it again. To add a comment to the beginning of a line, simply position the cursor at the start of the line, type "i", followed by "#" and then hit escape.
  2. Some things you can definitely delete are audio drivers, pcmcia drivers, scsi drivers (assuming you’re using IDE), and excess CD-ROM/network drivers for drives/cards other than the ones you have.

Compiling the Kernel

Now is the moment of truth––if we’re lucky, a few commands will result in a fully compiled kernel. Type:

cd /usr/src/sys/arch/i386/conf

config –s /usr/src/sys –b . MYKERNEL

make clean


If things are working properly, you should see a lot of compiler messages, and it should not immediately return to a prompt. Instead, the system should crunch away for a few minutes, spewing out chunks of compiler commands. After about 2 to 5 minutes (possibly longer depending on the speed of your machine), you should see the following lines:

lots of compiler stuff

rm –f bsd

ld –z Ttext F0100000 –e start -x –o bsd $(SYSTEM_OBJ) vers.o

text data bss dec hex

2023424 143360 1063348 3230132 3149b4

This means everything went well and you have a new kernel ready to be installed (your last line of numbers may be different). If you see something else, or the compilation exited with an error message, you’ve got a problem. Here’s a couple of troubleshooting tips:

  1. Is your compiler installed? Did you select the comp25.tar.gz disk set when installing? If you didn’t, you’ll get a message like: "cc not found" or "gcc not found." You can install it with the following commands (if you’re not sure whether the compiler is installed or not, don’t worry––doing these commands won’t hurt either way):

cd /

umount /mnt/cdrom

mount_cd9660 /dev/cdrom /mnt/cdrom

tar xzf /mnt/cdrom/2.5/i386/comp25.tar.gz


Make sure you do the "cd /" command first, otherwise bad things will happen (at best you’ll have compiler files scattered all over your hard drive, creating a difficult-to-clean mess, and at worst it will cause a kernel panic).

</DIR> </DIR> </DIR>
  1. Try compiling the GENERIC kernel directly from the CD-ROM, without any patches or modifications. Here’s how:

mkdir /tmp/kernel

cd /tmp/kernel

umount /mnt/cdrom

mount_cd9660 /dev/cdrom /mnt/cdrom

cp /mnt/cdrom/sys/arch/i386/conf/GENERIC .

config –s /mnt/cdrom/sys –b . GENERIC



This will create a temporary directory, mount the CD-ROM normally, and compile the GENERIC kernel in the temporary directory. If it still isn’t working, you can try copying the entire source tree over to the hard disk. It’s possible there’s some problem with your CD-ROM. To do this, try the following:

</DIR> </DIR> </DIR>

cd /

umount /mnt/cdrom

mount_cd9660 /dev/cdrom /mnt/cdrom

mkdir –p /usr/src/sys

cd /mnt/cdrom/sys

tar cf - . | (cd /usr/src/sys; tar xvf - )

cd /usr/src/sys/arch/i386/conf

config –s /usr/src/sys –b . GENERIC



This creates a directory on your hard drive called /usr/src/sys and copies the kernel source code into it. It then uses the GENERIC file to compile a kernel directly from the hard drive source.

</DIR> </DIR> </DIR>
  1. If you can get the GENERIC kernel to work off of your hard disk or your CD-ROM, then you probably made an error when you modified the MYKERNEL file. If you’ve patched any system files, you could have a problem with the patches, although it’s unlikely. Finally, the union mount code isn’t perfect, so try using the full hard drive copy method if all else fails.
  2. If NOTHING works, there’s still hope––you can survive without compiling the kernel… although you’ll be sacrificing a degree of security. On the companion Web site we’ve placed a copy of the bsd kernel binary specially tuned for firewall systems. We’ve also patched security holes in the kernel. We’ll try and keep this kernel as up to date as possible, but there will be some lag time between security patches and updates to the Web site. Turn to this option only as a last resort. We can’t make any guarantees as to the security or stability of our kernel binary.



From a security standpoint, using our kernel in a production firewall is a BAD IDEA. This is because you can’t tell if it’s been compromised (someone might hack our Web site and place a trojan bsd kernel on the site, or we may have installed a trojan patch, etc.). It should only be used for experimental purposes.

</DIR> </DIR> </DIR> </DIR>

Installing the New Kernel

Your new kernel is the file called "bsd" sitting in your current directory. Installing this new kernel is relatively easy. First, rename the old kernel to a backup file

mv /bsd /bsd.old

Now copy in the new kernel:

cp ./bsd /

The next time you reboot you’ll be booting from your new kernel. If anything goes wrong, you can use a recovery disk to copy the "bsd.old" file back to "bsd" with the command

cp /mnt/recover/bsd.old /mnt/recover/bsd

Use of a recovery disk is beyond the scope of this chapter, but here’s a hint: Since the recovery disk is a floppy, your "/" directory with the "bsd" kernel in it is actually on the floppy. You’ll need to mount the partition with your root system onto a temporary directory. On our system we’d do this with the following commands:

mkdir /mnt/recover

mount /dev/wd0a /mnt/recover

Applying Patches

Once you’ve compiled your kernel for the first time it only gets easier (the same is true of climbing Mount Everest without oxygen, so we hear). We’ll take advantage of your newly found kernel-compiling skills to patch some security holes in the kernel. The first step is to obtain the necessary patches from the OpenBSD ftp site. Type "cd /tmp" to change directories to the temporary directory. Then type "ftp" and hit return. When it asks you for a username, log in as "ftp" with password "" (you should technically give your real email address…). Next, type "cd /pub/OpenBSD/patches/" followed by <CR>.

To download the file, type: "bin" and hit <CR>. This tells the FTP program that you’ll be transferring binary files. Finally type: "get 2.5.tar.gz" <CR>. This will download all the 2.5 patches to your home directory. Type "bye" and hit <CR> when you’re finished.

To extract the patches, type "tar xzf 2.5.tar.gz" at a command prompt. This will create a directory called "2.5". Type "cd 2.5" to change into the directory. Type "ls" to see a listing of all the files and directories within the 2.5 subdirectory. You should see directories for each architecture supported by OpenBSD. There are two directories here that concern us. The most important is "common," which contains system independent patches. At the time of writing, there are numerous common for 2.5. The other directory of concern is "i386," which contains patches specific to the Intel platform. These are more rare––at the time of this writing there are no Intel-specific security holes. We’ll walk through the process of applying a few of the common patches.

For the most part, we’re only concerned with kernel level patches and server dæmons that are critical to the firewall’s operation (ipf, ipnat, etc.––all other programs can be deactivated or removed). To get some basic information on a patch, type

head patch_filename

This will print out the first few lines of the patch, which often contains installation instructions. For example, the bmap.patch file is installed by doing the following:

cd /usr/src/sys

patch –p0 < bmap.patch

If you actually try doing this, it won’t be able to find the bmap.patch file. That’s because our patch files are in the directory "/tmp/2.5/common." So, you should change the second line to

patch –p0 < /tmp/2.5/common/bmap.patch

Once the patch has been successfully applied, you need to rebuild your kernel.

If you’re patching something other than the kernel, you’ll need to pay careful attention to the output of the patch program. For example, when you apply the fts.patch to "/usr/src", it tells you that you’ll have to rebuild "libc". Where is "libc?" If you look at the patch output, you can see that it patched files in "lib/libc". If you type "cd lib/libc" followed by "make", the patched "libc" program will be recompiled.

Keeping Your Machine Secure

We’ll talk about this in much greater depth in Chapter 10, "Configuring the Firewall" but there are some OpenBSD specific issues we need to address now.

One of the key strengths of OpenBSD is its security audit process. Once a piece of software has passed through this process a few times, it’s important to get future patches and upgrades from the OpenBSD site directly; otherwise, you risk introducing code that hasn’t been audited.

Sidebar: Apache


One notable exception to this rule is Apache. OpenBSD now includes apache as part of its default distribution. The version of Apache that comes with OpenBSD has not been fully audited. Therefore, you should consider the most recent stable version of apache to be the most secure. If a security hole is found in apache and posted at, then you should upgrade your version of apache. This has absolutely no relevance to your firewall, since you won’t be running a web server on your firewall. But after going through this chapter, you might decide to run OpenBSD on a few other machines in your network (such as your Web server). In that case, this will be very relevant.

</DIR> </DIR> </DIR> </DIR>

You should check the OpenBSD site at least once a week for security updates. It’s also useful to scan the changelog between revision 2.5 and whatever is current. This will give you some idea of what will be in the next release.

In Chapter 10 we talk about stripping down the firewall, removing anything that is unnecessary. In OpenBSD, this is not nearly as easy as it is with RedHat Linux. The problem is that most of the tools on the system were installed from a disk set. These are tarballs that are unwound in the ‘/’ directory. This means that files get sprinkled all over your drive––in /usr, /etc, /bin, /sbin, and so on. You can’t simply delete a directory to uninstall these disk sets. Therefore, we provide a script on our companion web site that allows you to remove entire disk sets: "dsuninstall". This tool takes a tarball as input and uses it to locate and remove the files that were installed.

The "dsuninstall" program has an additional use: If you pass it a customized tarball, it can be used to strip out a more specific selection of files. How is this useful? Well, there may be a few programs in base.tar.gz that you don’t want on your firewall. So create a new tarball that contains just the files you want to remove from your system. Place this tarball on a CD or floppy. To uninstall the files, just run the script on it. To reinstall them for maintenance purposes, just untar it into the ‘/’ directory.

Installing ssh

You need to install ssh. It will make your life much easier. Trust us. Ssh is provided as an OpenBSD package, but isn’t actually included on the CD-ROM due to patent restrictions. It is, however, provided on the OpenBSD ftp site. To install ssh from the ftp site, type the command

pkg_add @@@COMP: This must appear on one line.@@@

That’s it––the nifty package installer will handle the rest. The sshd daemon will automatically run the next time that you restart the computer. For now, you can activate the daemon by typing: "/usr/local/sbin/sshd" at a command prompt.


In this chapter you learned how to install OpenBSD. You also learned how to prepare it for use as a firewall. We walked you through configuring PPP, additional network cards, and your kernel. You should go through the process of installing and configuring OpenBSD a number of times. Each time you do it you’ll become more comfortable with working in the OpenBSD environment.

Now that youve finished this chapter, we suggest re-reading the afterboot man page again. This time, follow the instructions for tightening up security on the system. Youll notice that weve covered many of the topics already. Once youve finished going through afterboot youll be ready to start configuring your firewall.

Now it’s time to learn how to turn the machine into a packet filtering firewall. The next chapter will explain the ipfilter and ipnat suite of tools in great detail.

Notify me whenever the openbsd section of this site is updated

Email this page to a friend or colleague

Show a printer-friendly version of this page