Last updated July 19, 2001.

Click here to go to my OpenBSD home page (more resources)

Before the Installation of OpenBSD 2.9:

  1. Browse through the official OpenBSD website, at http://www.openbsd.org . It has quite some information, and it just might grow on you.
  2. Do not type the single quotes (') themselves; they only delimit commands and comments, unless otherwise noted.
  3. Links to (sub)documents I have created are in bold typeface.
  4. Write steps down! It helps to refer to your own notes describing changes/differences instead of wasting your time any other way. My apologies to those of you with photographic memory, please ignore this comment.
  5. Consider purchasing a book "Building Linux and OpenBSD Firewalls", perhaps from bookpool.com , written by Wes Sonnenreich and Tom Yates. It will not give you all the answers to questions related to OpenBSD or firewalls, but it's a pretty good step in the right direction. And, no, they did not pay me to make this recommendation (hint, hint).
  6. You can purchase a copy of the OpenBSD 2.9 CD from http://www.openbsd.org/orders.html if:
    1. You want to install a "trusted version".
    2. You do not want to go through the hassle of downloading complete source or ISO images and burning a CD.
    3. You want to support the development of something you consider worthwhile.

    You do not have to buy the CD, but it is up to you to find the sources, burn the CD and install and configure OpenBSD without the CD.
    Go to OpenBSD.org for sources (burn onto CD)
  7. Use a not-too-old and not-too-new PC. I purchased a Dell OptiPlex GXMT 5166 PC with 32 MB RAM and a 2.5 GB hard drive from an auction site, and it was not very expensive or difficult to set up. I bought two extra network cards listed on the hardware compatibility list . Please note that I installed and configured my Internet-facing NIC and the two "internal" NICs before I started the OS installation, using manufacturer-supplied floppies with configuration software. Your NIC may not need this. I connected my Internet-facing NIC to a DSL modem. It is a good idea to find out the IP, DNS, gateway and other information before the installation (unless you have an Internet connection that uses DHCP, as I do), since you will need it.
  8. The most common firewall setup will require two (for a dual-homed firewall) or three (for a three-legged firewall, with a DMZ) network cards in a PC. You may have some problems with Plug-And-Play (PNP) NICs. I disabled it on all interfaces ahead of time and assigned the memory address/IRQ information manually, but you may not need to do this. If you start the installation before configuring the NICs, you can gather memory addresses/IRQs of all existing devices, otherwise you may use already assigned and conflicting values to the NICs. Existing values can be observed from the first couple of screens, those with inverse letters on a blue background. Do yourself a favor and write these down. Here is how I documented the device names, IPs, IRQs, etc.
  9. Next, think about your IP addresses ahead of time, just to save some time during setup. You can use NAT and assign private IP address ranges on the internal interface(s), but the external interface will have a routable IP, most likely delivered by your ISP via DHCP (see further below). Private address ranges:
    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
    For all practical purposes, you should choose internal IP addresses that do not conflict with your subnetting structure. Subnetting with the netmask of 255.255.255.0 should work under most circumstances.
  10. If you need a refresher on some common UNIX commands:
    http://www.stanford.edu/group/dcg/leland-docs/unixcomm.html
    http://www.indiana.edu/~uitspubs/b017/
  11. If the CD-ROM drive in your OpenBSD computer can't be made bootable (as it won't be if you have downloaded the sources and burned them onto an ISO9660-compliant CD), create a boot floppy first. Go to the root directory of your CD with the OpenBSD 2.9 files (from the command line), insert a blank 1.44 MB floppy, and type:
    fdimage floppy29.fs a: <Enter> (where a: is the letter of your floppy drive)
  12. I have found that I needed to write-protect this floppy if I wanted to re-use it for subsequent installations. Reboot the machine with both the new OpenBSD boot floppy and the OpenBSD 2.9 CD-ROM inserted.

 

Installation Instructions
(OpenBSD 2.9, DSL connection with DHCP-assigned external IP, NAT on internal interfaces, three-legged firewall configuration):

  1. <Enter>
  2. (I)nstall, (U)pgrade or (S)hell? i <Enter>
  3. Specify terminal type [vt220] <Enter>
  4. Which disk is the root disk? [wd0] <Enter>
  5. Do you want to use the entire disk for OpenBSD? [no] yes <Enter> (unless you like suffering)
  6. > p <Enter>
  7. > d a <Enter>
  8. > d b <Enter>
  9. > d e <Enter>
  10. > d g <Enter>
  11. > d h <Enter>
  12. > a a <Enter>
  13. offset: [63] <Enter>
  14. size: [...] 1800m <Enter>
  15. FS type: [4.2BSD] <Enter>
  16. Mount point: [none] / <Enter>
  17. > a b <Enter>
  18. offset: [...] <Enter>
  19. size: [...] 128m <Enter> (usually double the RAM)
  20. FS type: [swap] <Enter>
  21. > a d <Enter>
  22. offset: [...] <Enter>
  23. size: [...] <Enter>
  24. FS type: [4.2BSD] <Enter>
  25. Mount point: [none] /var <Enter>
  26. p <Enter> (visual check)
  27. w <Enter>
  28. q <Enter>
  29. Mount point for wd0d (size=...k) [/var, RET, none, or done]? /var <Enter>
  30. Mount point for wd0d (size=...k) [/var, RET, none, or done]? done <Enter>
  31. Which one? [done] <Enter>
  32. Are you really sure that you're ready to proceed? [n] yes <Enter>
  33. Configure the network? [y] <Enter>
  34. Enter system hostname (short form, e.g. "foo"): [ ] somehostname <Enter>
  35. Enter DNS domain name (e.g. "bar.com"): [ ] somedomainname.com <Enter>
  36. Configure which interface? (or, enter 'done') [ne0] ep0 <Enter>
  37. IP address (or 'dhcp') ? [ ] dhcp <Enter>
  38. Symbolic (host) name? [somehostname] <Enter>
  39. Media directives? [ ] <Enter> (see directions on screen)
  40. Configure which interface? (or, enter 'done') [done] ne0 <Enter>
  41. IP address (or 'dhcp') ? [ ] 10.0.0.1 <Enter>
  42. Symbolic (host) name? [somehostname] <Enter>
  43. Netmask ? [255.255.255.0] <Enter>
  44. Media directives? [ ] <Enter> (see directions on screen)
  45. Configure which interface? (or, enter 'done') [done] ne1 <Enter>
  46. IP address (or 'dhcp') ? [ ] 172.16.0.1 <Enter>
  47. Symbolic (host) name? [somehostname] <Enter>
  48. Netmask ? [255.255.255.0] <Enter>
  49. Media directives? [ ] <Enter> (see directions on screen)
  50. Configure which interface? (or, enter 'done') [done] <Enter>
  51. Enter IP address of default route: ['your gateway's IP address shows up here'] <Enter>
  52. Enter IP address of primary nameserver: [none] 1.2.3.4 <Enter> (DNS IP address, find out from your ISP)
  53. Would you like to use the nameserver now? [y] <Enter>
  54. Escape to shell? [n] <Enter>
  55. Password (will not echo): …… <Enter> (be creative here, it's your firewall!!!)
  56. Password (again): …… <Enter>
  57. Do you expect to run the X Window System? [y] n <Enter> (not on a firewall, really)
  58. Install from (f)tp, (h)ttp, (t)ape, (C)D-ROM, (N)FS or local (d)isk? C <Enter>
  59. Which CD-ROM contains the installation media? [cd0] <Enter>
  60. Enter the directory relative to the mount point that contains the file. [...] . <Enter>
  61. File name? [ ] * <Enter>
  62. File name? [ ] -ga* <Enter>
  63. File name? [ ] -x* <Enter>
  64. File name? [ ] done <Enter>
  65. Ready to extract the selected file sets? [y] <Enter> (…now wait for the install to finish this phase…)
  66. Extract more sets? [n] <Enter>
  67. What timezone are you in? ['?' for list] [GMT] ? <Enter>
  68. What timezone are you in? ['?' for list] [GMT] EST <Enter>
  69. # halt <Enter> (take out the installation floppy disk before rebooting)

 

Configuration Instructions
(OpenBSD 2.9, DSL connection with DHCP-assigned external IP, NAT on internal interfaces, three-legged firewall configuration):

If you rebooted and logged in, congratulations! You have accomplished a very significant portion of the process, but there's a "little" more to it. If you came this far, at least you know that you can build the basic OpenBSD installation from the CD.

The following is also described in the book (p237-240), and in the 'man afterboot' pages, which can be found here or on your system after the first reboot.

Now that you have the system up and running, let's make sure it's up to date:

  1. date 200101312400 (yyyymmddhhmm, 24-hour clock)
  2. Create a mounting point for CD-ROM and floppy drives:
    dmesg | more (look for system names of your drives, cd0 and fd0 in my case)
  3. mkdir -p /cdrom (create a CD-ROM mounting point)
    mkdir -p /fd (create a floppy drive mounting point)
  4. Append the following to the end of the /etc/fstab file ( vi /etc/fstab ). I will not cover basic vi editor commands, and you can find some at http://www.cec.mtu.edu/newuserdoc/node9.html and elsewhere.
    /dev/cd0a /cdrom cd9660 ro 0 0 (make sure to append 'a' to the CD-ROM symbol, cd0)
    Run ' mount -A ' after saving the file to activate the change.
  5. It is NOT a good idea to have the floppy drive mounted the same way, as in:
    /dev/fd0a /fd msdos rw 0 0 (remember the 'a' from the previous comment?)
    since your system will want to have a formatted floppy disk inserted in the drive during the boot process. As you may have noticed, if you do put the floppy in the drive too early, your PC will want to boot from it, and that's not good either.
    The syntax for mounting a DOS-formatted floppy manually is as follows:
    mount_msdos -l /dev/fd0a /fd ('-l' stands for long file names, and you do want that if you use a computer running Windows to edit your configuration files)
    There are switches that can be used to mount the floppy manually, perhaps on demand by 'mount -A', and also to make it accessible to users other than root. (search the Net for this)
    If you want to unmount the floppy drive later:
    umount -f /fd (read carefully, it's NOT 'u n mount')
  6. Edit /etc/motd file, remove "Welcome to" before OpenBSD, and make sure to leave the first two lines blank.
  7. Add a user. It is not a good idea to stay logged in as root, unless necessary:
    adduser <Enter> (take the defaults; I use the name 'myself' here, and later add it to the 'wheel' group in /etc/group by hand, e.g. 'wheel:*:0:root,myself', if 'su' to root is required for this account. 'myself' can from this point on use 'su' to work under root privileges)
  8. Now you are actually ready to do some firewall work. First create the ipnat.rules and ipf.rules that suit your needs. I won't go into details behind these two files, since you have these two resources to give you more than enough guidance for the start, and then some.

    If you make a donation via PayPal of $7 or more, I will email you sample, and fairly comprehensive,
    ipf.rules and ipnat.rules (and some other useful scripts) for a three-legged firewall configuration (external, DMZ, and internal LAN interfaces). Explanations are included -- it could save you quite some time.

    vi /etc/rc.conf <Enter> (make sure that ipfilter=YES and ipnat=YES; set 'sshd_flags=NO', 'portmap=NO', 'inetd=NO', 'ntpd=NO' - you may not want these services running on a firewall anyway)
    vi /etc/sysctl.conf <Enter> (remove the # in front of 'net.inet.ip.forwarding=1')
    reboot <Enter> (remember to take out the floppy first)
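    As an added illustration (not the author's rule files, which are not reproduced on this page), here is a minimal ipnat.rules and ipf.rules pair in the IPFilter syntax of the OpenBSD 2.9 era for the layout set up during the installation above. It assumes ep0 is the DHCP-assigned Internet interface, ne0 (10.0.0.1/24) is the internal LAN and ne1 (172.16.0.1/24) is the DMZ, and it uses a constructed DMZ web server address, 172.16.0.10, to show the redirect; adjust all of these to your own setup.

```text
# /etc/ipnat.rules (added example; ep0 = Internet/DHCP, ne0 = LAN, ne1 = DMZ are assumptions)
# "0/32" tells ipnat to use whatever address ep0 currently holds (it changes with DHCP).
map ep0 10.0.0.0/24   -> 0/32 portmap tcp/udp 10000:60000
map ep0 10.0.0.0/24   -> 0/32
map ep0 172.16.0.0/24 -> 0/32 portmap tcp/udp 10000:60000
map ep0 172.16.0.0/24 -> 0/32
# Expose one DMZ web server (172.16.0.10 is a constructed address) on port 80.
rdr ep0 0.0.0.0/0 port 80 -> 172.16.0.10 port 80 tcp

# /etc/ipf.rules
# Default is deny-and-log; the "quick" rules below are the only exceptions.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
# Anti-spoofing: private and loopback source addresses never arrive legitimately from the Internet.
block in log quick on ep0 from 10.0.0.0/8 to any
block in log quick on ep0 from 172.16.0.0/12 to any
block in log quick on ep0 from 192.168.0.0/16 to any
block in log quick on ep0 from 127.0.0.0/8 to any
# DHCP client traffic for the external address.
pass out quick on ep0 proto udp from any port = 68 to any port = 67
pass in quick on ep0 proto udp from any port = 67 to any port = 68
# Internal LAN may originate anything; "keep state" lets only the replies back in.
pass in quick on ne0 proto tcp from 10.0.0.0/24 to any flags S keep state
pass in quick on ne0 proto udp from 10.0.0.0/24 to any keep state
pass in quick on ne0 proto icmp from 10.0.0.0/24 to any keep state
# DMZ hosts may never start connections into the LAN, and only DNS and HTTP outward.
block in log quick on ne1 from any to 10.0.0.0/24
pass in quick on ne1 proto udp from 172.16.0.0/24 to any port = 53 keep state
pass in quick on ne1 proto tcp from 172.16.0.0/24 to any port = 80 flags S keep state
# Internet to the DMZ web server: the rdr above rewrites the destination before filtering,
# so the filter rule names the real DMZ address.
pass in quick on ep0 proto tcp from any to 172.16.0.10 port = 80 flags S keep state
# The firewall itself and forwarded LAN/DMZ traffic may leave on ep0. The map rules apply
# after filtering, so the private source addresses are what ipf sees here.
pass out quick on ep0 proto tcp from any to any flags S keep state
pass out quick on ep0 proto udp from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state
# Delivery onto the inside interfaces was already decided by the inbound rules above.
pass out quick on ne0 all
pass out quick on ne1 all
```

    Because the default rules log every drop, 'ipmon' output (or the syslog lines enabled in step 10) shows you exactly which packets are being refused while you tune the rules.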
  9. If you make changes to ipf.rules or ipnat.rules while the OS is up, you can manually reactivate them ( or use my scripts, if you have made the donation ):
    ipf -Fa -f /etc/ipf.rules <Enter> (add -E at the end if not already active)
    ipnat -CF -f /etc/ipnat.rules <Enter> (check current rules with 'ipnat -l', that's "dash ell")
    I do recommend editing the files on the floppy first, and then copying them before reactivating. This way you always have a backup and the scrolling log messages on the screen can make it painful to use vi anyway.  Back up this floppy as well!
  10. Enable syslog messages to show up on the screen while logged in as 'myself', by replacing 'root' with 'root,myself' at the end of four instruction lines in syslog.conf.
  11. If you want to shut down the computer (without rebooting):
    shutdown -hp now ( or use my script, if you have made the donation )


FROM HERE ON…YOU SHOULD BE IN BUSINESS!

PLEASE do let me know if you see a way to improve this document ( submit comments here ) . This material is copyrighted -- use it freely for yourself or others when installing OpenBSD, but do ask for permission if you want to publish, reproduce, etc.

Also, remember to set the default gateway for the computers connected to your internal network to the IP address of the firewall interface (NIC) connected to the internal network :-)