Steps for the installation and post install configuration of OpenBSD

 

Download OpenBSD from one of the FTP or HTTP mirror sites onto a Windows (FAT32) or Linux (ext2) partition.

We downloaded it from:

·        http://the.wiretapped.net/OpenBSD/2.9/i386

·        ftp://ftp.openbsd.org/pub/OpenBSD

The list of sites to download it from is available at:

http://www.openbsd.org/ftp.html

Version downloaded:    OpenBSD 2.9

Latest version:        OpenBSD 3.0

OpenBSD 3.0 uses pf (packet filter) instead of ipf, so we have used version 2.9.

The main files to be downloaded are:

·        The base files (necessary binaries)      base29.tgz

·        The BSD kernel                           bsd, bsd.rd

·        The C compiler                           comp29.tgz

·        The files of the etc directory           etc29.tgz

·        The various man pages                    man29.tgz

The boot floppy images are

·        floppy29.fs

·        floppyB29.fs

·        floppyC29.fs

The CDROM image file is available in:

·        cdrom29.fs

Make the OpenBSD boot floppy or CD by downloading the image file (floppy29.fs) and writing it to a floppy using dd (Linux), rawrite (DOS) or rawwritewin (Windows).

Rawwritewin is a utility to write a raw binary image to a floppy.

It can be downloaded from:

            http://uranus.it.swin.edu.au/~jn/linux/rawwrite.htm

Boot from the Floppy.

Make an OpenBSD partition on the hard disk using fdisk.

The OpenBSD partition type code is A6; its filesystem is FFS (Fast File System).

 

Installation instructions

·        After booting from the floppy, follow the instructions and give the appropriate responses. The OpenBSD installer remembers the previous responses, which makes it much easier to repeat the installation.

·        First of all, select an appropriate partition on the hard disk

·        Use disklabel to make the / and swap partitions within the OpenBSD partition

·        Configure the network card, giving it an IP address

Install the base files via FTP, CD-ROM or another hard disk partition

Download and configure a boot manager such as OS-BS, Ranish or GAG to enable multibooting OpenBSD with DOS or Windows partitions

 

X Configuration

·        Run /usr/X11/bin/XF86Setup and configure X as per the hardware configuration

·        Otherwise, run xf86config3 or xf86config and make the settings there

·        Failing that, edit the file /etc/X11/config/XF86Config manually

·        Run startx to see if the configuration works correctly.

 

Installing packages

·        Untar the package .tgz file using tar xvzf

·        cd to the /usr/share/packages directory and run pkg_add <package_name>

 

Recompiling the kernel

Download the kernel source archive srcsys.tar.gz

cd to the /usr/src/sys directory (create it if not present) and extract the archive with tar -xvzf

Run config <config_file> and then make all to recompile the /bsd kernel

 

OpenBSD network setup

 

·        The installer detects the network interfaces at install time and configures the necessary settings such as the hostname, IP address, etc.

·        The following command shows the status of an interface:

ifconfig rl0 (where rl0 is the interface name)

·        The following files hold the network configuration and can be edited to change the parameters:

o             /etc/hosts, /etc/myname      Hostname

o             /etc/mygate                  Default gateway

o             /etc/hostname.rl0            Network interface configuration

 

Setup of SSH in OpenBSD

SSH (Secure Shell) is used for securely logging into and running commands on remote machines. SSL (Secure Sockets Layer) is the technology used for securing web traffic over the Internet. OpenBSD ships open-source implementations of both, called OpenSSH and OpenSSL respectively.

The configuration file for the SSH client is            ~/.ssh/ssh_config

The configuration of the SSH daemon is defined in        ~/.ssh/sshd_config

 

Public key cryptography

The various files used are:

·        Public key                            ~/.ssh/identity

·        Public keys installed in              ~/.ssh/authorized_keys

·        Encrypted contents of private key     ~/.ssh/identity

 

Creating your authentication key

·        Command used: ssh-keygen

·        A pass phrase is to be given

·        All pass phrases and data are sent encrypted over the net, unlike with Telnet

·        Public keys are used for encryption and private keys for decryption

Other SSH utilities are:

slogin:     for secure login

scp:        for secure copy

 

SSH-agent

If you frequently open connections to remote systems, you can run your session under ssh-agent. The agent provides the decrypted authentication keys to all commands that create new connections.

The ssh-add command is used to add keys to the agent's memory.

 

Running commands on remote systems

The ssh command can also be used to run commands on remote systems without logging in. The output of the command is displayed and control returns to the local system.

beowulf% ssh hrothgar who

beowulf% scp -p hrothgar:aliases .

 

OpenBSD Firewall Configuration Steps

·        Edit /etc/rc.conf so that ipfilter and ipnat are set to YES.

·        Recompile the kernel with the IPFILTER and IPFILTER_LOG options set

·        Edit /etc/ipf.rules and make the necessary changes

 

Adding Rules

The most common method for adding rules to the kernel's ruleset is via a script file. This file is usually "/etc/ipf.rules". The ipf program will read in the script file whenever the machine boots. Additionally, the following command can be used to flush all of the rules and re-read the contents of the script file:

ipf -Fa -vf /etc/ipf.rules -E

The -F flag flushes rules from the kernel and the a argument says to flush the active ruleset; -v is verbose, -f names the rules file to read, and -E enables IP Filter so the rules take effect.

 

Configuration of NAT and portmapping

·        In IPFilter, NAT rules are stored separately from IPF rules. The NAT rules are read from a file called "/etc/ipnat.rules". Likewise, the NAT rules are injected into the kernel using a different tool.

·        The following line will activate the NAT rules specified in the /etc/ipnat.rules file:    

ipnat -f /etc/ipnat.rules

·        Add "net.inet.ip.forwarding=1" to the file "/etc/sysctl.conf".

·        Edit /etc/ipnat.rules  and make the necessary rule changes

·        In the end, add the rules by running

ipnat -CF -f /etc/ipnat.rules

This would flush the current rules and substitute them with the new rules from the file /etc/ipnat.rules.

 

Setup of a VPN in OpenBSD              

 

ISAKMP

ISAKMP (or IKE) is the key exchange mechanism for a VPN. ISAKMP manages the exchange of cryptographic keys that you would otherwise have to manage manually with ipsecadm(8). It employs a two-phase process for establishing the IPsec connection between two gateways.

   

Setting Up The VPN

The following settings in /etc/sysctl.conf will enable ESP, IPsec access control lists, and IP forwarding. Note that enabling AH is not necessary in this case because it is not used.

·        net.inet.ip.forwarding=1

·        net.inet.esp.enable=1

·        net.inet.ip.ipsec-acl=1

If transforms that use AH are being used, then AH should be enabled by adding

        net.inet.ah.enable=1

AH is not required here and does not encrypt the payload data; it simply provides stronger authentication for each packet.

 

Manual VPN Configuration

The steps are as follows:

·        You will need to define two Security Associations (SAs) on each end of the VPN.

·        The IPsec routes use the SPIs configured within the SAs to determine where to send the IPsec traffic and which encryption and authentication schemes to use. The flow command creates a flow that determines which packets are routed via which SA.

·        Set the IPF rules to allow packets of the ESP protocol

 

Isakmpd Configuration

The default key exchange policy is set up according to the file:

             /etc/isakmpd.policy

on the gateway concerned.

 

Starting the VPN

The first time this daemon is run, execute the command

$ isakmpd -d -DA=99

The daemon will then not run in daemon mode but as a regular process, logging everything to the console (stdout and stderr).

 

Final Setup of the VPN

If all has worked well, edit the /etc/rc.conf file to have isakmpd=YES. This will bring up the VPN whenever OpenBSD is rebooted.

 

 

Setting Up Of the DNS in OpenBSD

1.      Initially set the domain name in the configuration file /etc/resolv.conf so that name resolution requests actually get sent to the named server set up by us.

domain mnrec.ac.in

lookup file bind

2.      Set up the server appropriately in the /etc/hosts file

# Host addresses

127.0.0.1        localhost      localhost.localdomain

172.31.52.6      ganesh         ganesh.mnrec.ac.in

3.      Setting up the named daemon

The name daemon named is launched during system startup from /etc/rc if the line installed by default in /etc/rc.conf,

named_flags=NO                   # for normal use: ""

is changed to

named_flags=""                   # for normal use: ""

4.      Also, examine these lines in /etc/rc.conf:

named_user=named                        # Named should not run as root unless necessary

named_chroot=/var/named              # Where to chroot named if not empty

These defaults will be correct for nearly all setups.

5.      To start named by hand, use the ndc command. For example:

$ ndc start

or

$ ndc restart

6.      Stopping DNS

The best way to stop the name daemon is to use the ndc command. For example:

# ndc stop

 

 

 

MNREC Network setup

The OpenBSD router, which connects the internal (172.31.0.0) network with the outside world, has two interfaces:

·        fxp0 : the external interface having address of 210.212.49.13

·        rl0: the internal interface having address 172.31.52.9

The college is connected to the internet through the Cisco router (address 210.212.49.1), which connects to the VSNL lines from Allahabad.

The OpenBSD router acts as a DNS client and resolves the DNS queries by referring them to the DNS server ganesh.mnrec.ac.in at address 172.31.52.6.

The routing table of the OpenBSD router is modified as follows:

·        By default, all packets are forwarded through the fxp0 interface

route add 0.0.0.0 210.212.49.13

·        All packets destined for the 172.31.0.0 (internal) network should pass through the rl0 interface:      

route add 172.31.0.0 172.31.52.9

·        All packets destined for the 210.212.49.0 (external) network should pass through the fxp0 interface           

route add 210.212.49.0 210.212.49.13

The router also has

·        IP Forwarding enabled in /etc/sysctl.conf

·        IPNAT and IPF enabled in /etc/rc.conf

·        An active firewall with rules specified in /etc/ipf.rules

·        An active NAT with rules specified in /etc/ipnat.rules

 

Explanation of NAT rules on OpenBSD

 

The ipnat rules file (/etc/ipnat.rules) describes rules for network address translation (IP masquerading), port mapping both forward and reverse and redirection.

IPNAT mappings are defined using the keyword "map", which changes the source IP address of a packet being forwarded from the internal network to the external one. IPNAT maintains a NAT table through which it keeps track of the packet when the reply returns from the server in the outside world.

The keyword "rdr" is used for redirection of packets when an internal server (mail, telnet, HTTP, FTP, etc.) runs in the internal network with an internal (172.31) address and an external host wants to access the service it provides. It changes the destination IP address of the packet.

An explanation of the ipnat rules files for the MNREC OpenBSD router is as follows:

·        The following mapping will provide the internal network with Internet connectivity for tcp/udp traffic

map fxp0 172.31.0.0/16 -> 210.212.49.13/32 portmap tcp/udp 10000:20000

map fxp0 172.31.0.0/16 -> 210.212.49.13/32

·        The first line maps (i.e. changes the source address of) all packets on fxp0 (the external interface) from any machine in the internal (172.31) network to 210.212.49.13 (the IP address of the fxp0 interface, a valid address given by VSNL). TCP and UDP packets are mapped to ports in the range 10000 to 20000, while all other packets are mapped to any random port number.

·        For redirection (through the rdr command) of incoming packets, a separate rdr instruction is to be given for each of the servers needed.

·        The various servers are:

FTP server                port 21      ganga.mnrec.ernet.in      172.31.50.9

UPMCAT http server        port 80      upmcat.mnrec.ac.in        172.31.160.30

Mail (SMTP) server        port 25      ganga.mnrec.ac.in         172.31.50.9

·        Requests to these servers come at the external fxp0 interface of the firewall at 210.212.49.13.

·        The rules are such that any requests coming to the local ftp port would be redirected to the FTP server at ganga, forcing all users to connect through it. Same is with the other servers.

rdr fxp0 0.0.0.0/0 port 21 -> 172.31.50.9 port 21

rdr fxp0 0.0.0.0/0 port 2000 -> 172.31.160.30 port 80 tcpudp

rdr fxp0 0.0.0.0/0 port 3000 -> 172.31.50.9 port 25

·        The second rule states that any external requests arriving at the external interface fxp0 on port 2000 should be redirected to port 80 (http) of the UPMCAT server at 172.31.160.30. The number 2000 is chosen arbitrarily and has no special significance.

·        In the main site web page (http://www.mnrec.ac.in), the link referring to the UPMCAT server has to point at the firewall instead of the proxy, i.e. at http://210.212.49.13:2000

·        The third rule is similar to the second. Requests arriving at the fxp0 interface of the router on port 3000 are redirected to ganga.mnrec.cc.net, the SMTP server at 172.31.50.9, on port 25. Here too a corresponding link to http://210.212.49.13:3000/ has to be made in the HTML page on the website referring to the mail server.

 

Firewall policy

The firewall implemented follows a “default to deny” policy. This means that any packets not explicitly allowed are blocked. Although this is the safest way to secure any network, it is tedious to open the corresponding port each time a new service is to be allowed.

 

Ports to allow

Port numbers and the corresponding services allowed through the firewall are as follows:

Service             TCP port number     UDP port number     Notes
SSH                 22
LDAP                389                 389
Netmeeting          >=1024, 1503        >=1024              Videoconferencing
HTTPS               443                                     SSL
Quicktime 4         RTSP                RTP                 Streaming video
MSN Messenger       1863
Squid               3128                3130                Web proxy cache
Mirabilis ICQ       >=1024              4000
Yahoo voice chat    5000-5001           5000-5010
Yahoo messenger     5050                                    Messages
Yahoo messenger     5100                                    Webcams
VNC                 5800+, 5900+
Common IRC          6665-6669                               Internet Relay Chat
Real Audio          RTSP, 7070          6970-7170           Streaming audio and video
RTP                 6970-6999                               RealTime Transport Protocol (Apple QT4)
MSN Gaming Zone     28800-29000         28800-29000
DirectX gaming      47624

 

 

Working of the Firewall and NAT on a packet                                

When a packet reaches a particular interface, first of all NAT mapping is done on that packet, if any such NAT mappings are defined for that interface. Then IPF rules are implemented.
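The following script is an added example, not part of the report: because NAT rewrites the destination before IPF sees the packet, every rdr target in /etc/ipnat.rules needs a matching "pass in" rule addressed to the internal host and port in /etc/ipf.rules, and this check (POSIX sh and awk) reports any rdr target that lacks one. The sample rule files are constructed inline from the report's own rules, plus one extra rdr rule for a POP3 service that is assumed here for illustration.

```shell
#!/bin/sh
# Added example (not from the report): cross-check /etc/ipnat.rules against
# /etc/ipf.rules. NAT runs before IPF on an inbound packet, so IPF sees the
# rewritten internal destination; each rdr target therefore needs a "pass in"
# rule naming the internal host and port, or the default-deny policy drops it.
# Service names in ipf rules ("port = ssh") are not resolved; the rdr targets
# in the report use numeric ports, which is what this check compares.

# Print "host port" for each rule of the form
#   rdr IFACE SRC port EXTPORT -> HOST port INTPORT [proto]
rdr_targets() {
    awk '$1 == "rdr" {
        for (i = 1; i <= NF; i++)
            if ($i == "->") print $(i + 1), $(i + 3)
    }' "$1"
}

# Exit 0 if FILE has an uncommented "pass in" rule with "to HOST port = PORT".
ipf_passes_to() {
    awk -v host="$2" -v port="$3" '
        /^[ \t]*#/ { next }
        $1 == "pass" && $2 == "in" {
            for (i = 1; i <= NF; i++)
                if ($i == "to" && $(i + 1) == host && $(i + 2) == "port" &&
                    $(i + 3) == "=" && $(i + 4) == port)
                    found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Report each rdr target of IPNAT_FILE against IPF_FILE; last line is "gaps=N".
check_rdr_coverage() {
    gaps=0
    for target in $(rdr_targets "$1" | tr ' ' ':'); do
        host=${target%:*}
        port=${target#*:}
        if ipf_passes_to "$2" "$host" "$port"; then
            echo "ok   rdr -> $host port $port is passed by ipf"
        else
            echo "GAP  rdr -> $host port $port has no 'pass in' rule"
            gaps=$((gaps + 1))
        fi
    done
    echo "gaps=$gaps"
}

# Constructed samples: the report's ipnat.rules, the pass rules from its
# deny-all ipf.rules, and a variant with an assumed extra rdr (POP3 to
# ganga) for which nobody added a pass rule.
sample_dir=$(mktemp -d)
cat > "$sample_dir/ipnat.rules" <<'EOF'
map fxp0 172.31.0.0/16 -> 210.212.49.13/32 portmap tcp/udp 10000:20000
map fxp0 172.31.0.0/16 -> 210.212.49.13/32
rdr fxp0 0.0.0.0/0 port 21 -> 172.31.50.9 port 21
rdr fxp0 0.0.0.0/0 port 2000 -> 172.31.160.30 port 80 tcpudp
rdr fxp0 0.0.0.0/0 port 3000 -> 172.31.50.9 port 25
EOF
cat > "$sample_dir/ipf.rules" <<'EOF'
pass out from any to any
block in from any to any
# for the mail server at ganga
pass in on fxp0 proto tcp/udp from any to  172.31.50.9 port = 25
# for the UPMCAT http server
pass in on fxp0 proto tcp/udp from any to 172.31.160.30 port = 80
# for the ganga ftp server
pass in on fxp0 proto tcp/udp from any to 172.31.50.9 port = 21
# for enabling ssh at the OpenBSD gateway itself
pass in on fxp0 proto tcp from any to 172.31.52.9 port = ssh
EOF
cp "$sample_dir/ipnat.rules" "$sample_dir/ipnat-extra.rules"
echo 'rdr fxp0 0.0.0.0/0 port 4000 -> 172.31.50.9 port 110' >> "$sample_dir/ipnat-extra.rules"

check_rdr_coverage "$sample_dir/ipnat.rules" "$sample_dir/ipf.rules"         # gaps=0
check_rdr_coverage "$sample_dir/ipnat-extra.rules" "$sample_dir/ipf.rules"   # gaps=1
```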

 

Test Setup

Test network setup is as follows:

·        Internal Host at 172.31.62.37 with default gateway set to 172.31.52.9 and DNS server set to 172.31.52.6

·        Web Server on the internal Lan at 172.31.160.30

·        OpenBSD Router in the middle having the following two interfaces:

rl0              On the internal network having IP 172.31.52.9

fxp0           On the external network having IP 210.212.49.13

·        External Web Server www.rediff.com at address 64.41.191.70

·        The internal host (172.31.62.37) sends a request for the default page of the web server through its web browser. Since its default gateway is set to the rl0 interface (172.31.52.9) of the OpenBSD router, the request comes to the router. NAT and port mapping are done on the packet: the IP address of the requesting machine is mapped to 210.212.49.13 with a port in the range 10000-20000, as specified in the ipnat.rules file.

·        The packet is then checked by the firewall and matched against the rules in ipf.rules to decide whether or not to forward it.

·        Finally it is forwarded out of the router's fxp0 interface, as per the settings in its routing table.

·        The request from the translated address 210.212.49.13 arrives at the web server, which sends the requested index page (index.html) back to the router at the port to which the connection was mapped.

·        The address is translated back to the original address in the internal 172.31.0.0 network, and the page www.rediff.com/index.html is forwarded from the fxp0 interface to the rl0 interface after again being checked against the firewall rules.

·        Finally the requested page arrives at the original machine, 172.31.62.37, and is displayed by the browser.

 

The status of the commands is as follows:

·        netstat -rn or route show on the internal host shows the default gateway as 172.31.52.9

·        The status of the NAT rules is shown by ipnat -l, which lists the active mapping:

# ipnat -l

List of active MAP/Redirect filters:

map fxp0 172.31.0.0/16  -> 210.212.49.13/32  portmap tcp/udp 10000:20000

map fxp0 172.31.0.0/16  -> 210.212.49.13/32

rdr fxp0 0.0.0.0/0 port 21 -> 172.31.50.9 port 21 tcp

rdr fxp0 0.0.0.0/0 port 2000 -> 172.31.160.30 port 80 tcp

rdr fxp0 0.0.0.0/0 port 3000 -> 172.31.50.9 port 25 tcp

List of active sessions:

MAP 172.31.62.37  1391  <- -> 210.212.49.13   10159 [64.41.191.70 80]

·        The ping command gives the following status

# ping www.rediff.com

PING www.rediff.com (64.41.191.70): 56 data bytes

--- www.rediff.com ping statistics ---

24 packets transmitted, 0 packets received, 100% packet loss

which is because www.rediff.com does not answer the ping command.

·        The nslookup command gives the following output:

# nslookup www.rediff.com

Server:  ganesh.mnrec.ac.in

Address:  210.212.49.14

      Non-authoritative answer:

Name:    www.rediff.com

Address:  64.41.191.70

 

Testing of Redirection is done as follows:

·        From an external PC at a cybercafe (outside the MNREC network), the following site is browsed:

      http://210.212.49.13:2000

·        The UPMCAT server at 172.31.160.30 has its default gateway set to 172.31.52.9 and DNS to 172.31.52.6

·        ipnat -l gives the following output:

      RDR 172.31.160.30    80    <- -> 210.212.49.13   2000  [210.131.31.14 38171]

      where 210.131.31.14 is the address of the cybercafe machine

Thus all tests are successful.
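The following script is an added example, not part of the report: it checks the session lines that ipnat -l prints against the rules they should come from, so that a MAP session outside the portmap range, or an RDR session to a host and port that no rdr rule names, stands out. The rules file and the session lines are constructed inline from the report's own listings; the out-of-range MAP line is assumed here for illustration.

```shell
#!/bin/sh
# Added example (not from the report): check "ipnat -l" session lines against
# ipnat.rules. A MAP session's translated address must be the map rule's
# target and its translated port must lie inside the portmap range; an RDR
# session's internal host and port must be the target of a rdr rule for that
# external port. Anything else deserves a look.

# Print "addr lo hi" from the first map rule that carries a portmap range.
map_portmap() {
    awk '$1 == "map" && /portmap/ {
        for (i = 1; i <= NF; i++) if ($i == "->") addr = $(i + 1)
        sub("/.*", "", addr)          # strip the /32 prefix length
        split($NF, r, ":")            # "10000:20000" -> r[1], r[2]
        print addr, r[1], r[2]; exit
    }' "$1"
}

# Exit 0 if the session line is explained by the rules file, 1 otherwise.
#   MAP int.ip  iport  <- -> ext.ip  eport  [dst dport]
#   RDR int.ip  iport  <- -> ext.ip  eport  [src sport]
session_ok() {
    rules=$1
    line=$2
    set -- $line
    kind=$1; left=$2; lport=$3; right=$6; rport=$7
    case $kind in
    MAP)
        set -- $(map_portmap "$rules")
        [ $# -eq 3 ] && [ "$right" = "$1" ] &&
            [ "$rport" -ge "$2" ] && [ "$rport" -le "$3" ]
        ;;
    RDR)
        # rdr IFACE SRC port EXTPORT -> HOST port INTPORT: fields 5, 7 and 9
        awk -v ep="$rport" -v ih="$left" -v ip="$lport" '
            $1 == "rdr" && $5 == ep && $7 == ih && $9 == ip { ok = 1 }
            END { exit ok ? 0 : 1 }' "$rules"
        ;;
    *)
        return 1
        ;;
    esac
}

# Constructed input: the report's ipnat.rules and its two ipnat -l sessions,
# plus an assumed MAP session whose port is outside the tcp/udp portmap range.
rules=$(mktemp)
cat > "$rules" <<'EOF'
map fxp0 172.31.0.0/16 -> 210.212.49.13/32 portmap tcp/udp 10000:20000
map fxp0 172.31.0.0/16 -> 210.212.49.13/32
rdr fxp0 0.0.0.0/0 port 21 -> 172.31.50.9 port 21
rdr fxp0 0.0.0.0/0 port 2000 -> 172.31.160.30 port 80 tcpudp
rdr fxp0 0.0.0.0/0 port 3000 -> 172.31.50.9 port 25
EOF
good_map='MAP 172.31.62.37  1391  <- -> 210.212.49.13   10159 [64.41.191.70 80]'
good_rdr='RDR 172.31.160.30    80    <- -> 210.212.49.13   2000  [210.131.31.14 38171]'
odd_map='MAP 172.31.62.37  1392  <- -> 210.212.49.13   2049 [64.41.191.70 80]'

for s in "$good_map" "$good_rdr" "$odd_map"; do
    if session_ok "$rules" "$s"; then echo "ok   $s"; else echo "ODD  $s"; fi
done
```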

 

Useful Links

 

(i) OpenBSD 2.9 for the Intel platform, downloaded from the Internet via FTP

·        FTP site:      ftp://ftp.openbsd.org/pub/OpenBSD/2.9/i386/

·        HTTP site:     http://the.wiretapped.net/pub/OpenBSD/2.9/i386/

 

(ii)OpenBSD Documentation Downloaded from the following sites:

·        The Official OpenBSD site: www.openbsd.org

Please note that the current OpenBSD version is 3.0, in which the IPFilter firewall package is not used. Instead, a similar package called PF (Packet Filter) is used for configuring firewalls.

·        www.bsdtoday.com

·        www.daemonnews.org

·        www.securityportal.com

·        www.monkey.org

·        www.onlamp.com

·        www.perfectisolation.org

·        www.openlysecure.org

·        O’Reilly Developers’ Network          www.oreillynet.com

 

 (iii)Books on Firewalls and security issues studied:

·        Linux Firewalls by Robert L Ziegler (Techmedia)

·        Building Internet Firewalls by D. Brent Chapman & Elizabeth D. Zwicky (O’Reilly and Associates)

·        Building Linux and OpenBSD Firewalls by Wes Sonnenreich and Tom Yates (O’Reilly and Associates)

·        Maximum Linux Security by Anonymous (BPB Techmedia)

 

(iv)Previous project reports studied:

·        Firewall Design and Implementation (1999-2000)

·        Design and implementation of a TCP/IP internet Firewall (1997-98)

·        Design of an firewall using proxy server (1998-99)

 

 (v) OpenBSD mailing lists and forums attended:

·        The Official Mailing list: Send mail to [email protected] with the body of the message as subscribe <mailing-list>

·        Tech-tips forums for OpenBSD server (http://www.tek-tips.com/grelated.cfm/lev2/3/lev3/20/pid/744)

·        OpenBSD news and forums (unix.about.com/cs/openbsdnews/)

·        BSD Vault (http://bsdvault.net/viewforum.php?forum=7)

·        freebsdforums.org (http://www.freebsdforums.org/forums/forumdisplay.php?s=&forumid=23)

 

(vi) Other helpful links

·        IPFilter home page (www.ipfilter.org or http://coombs.anu.edu.au/~avalon/)

·        SSH home page (www.openssh.com)

·        SSL home page (www.openssl.org)

·        Official openbsd faq (www.openbsd.org/faq.html)

·        OpenBSD man pages (www.openbsd.org/cgi-bin/man.cgi)

·        ipf-howto: the world-renowned document and most authoritative reference on IPFilter

(http://www.obfuscation.org/ipf/ipf-howto.txt)

 

(vii)Internet RFCs (www.ietf.org/rfc/ and www.faqs.org/rfcs )

rfc2685 - Virtual Private Networks Identifier

rfc2663 - IP Network Address Translator (NAT) Terminology and Considerations

rfc2647 - Benchmarking Terminology for Firewall Performance

 

 

CONFIGURATION FILES

 

/etc/ipnat.rules

 

map fxp0 172.31.0.0/16 -> 210.212.49.13/32 portmap tcp/udp 10000:20000

map fxp0 172.31.0.0/16 -> 210.212.49.13/32

rdr fxp0 0.0.0.0/0 port 21 -> 172.31.50.9 port 21

rdr fxp0 0.0.0.0/0 port 2000 -> 172.31.160.30 port 80 tcpudp

rdr fxp0 0.0.0.0/0 port 3000 -> 172.31.50.9 port 25

 

/etc/ipf.rules

 

HEAVY FIREWALL with DEFAULT ALLOW-ALL POLICY

pass out from any to any

pass in from any to any

block in log quick on fxp0 proto icmp from any to any icmp-type redir

block in log quick on fxp0 proto tcp/udp all with short

block in log quick on fxp0 from any to any with ipopts

block in log quick on fxp0 from 192.168.4.0/24 to any

block in log quick on fxp0 from localhost to any

block in log quick on fxp0 from 0.0.0.0/32 to any

block in log quick on fxp0 from 255.255.255.255/32 to any

block in on fxp0 proto udp from any to any

block in log on fxp0 proto udp from any to any port = sunrpc

block in log on fxp0 proto udp from any to any port = 2049

pass in on fxp0 proto udp from any to any port = domain

pass in on fxp0 proto udp from any to any port = talk

pass in on fxp0 proto udp from any to any port = ntalk

block return-rst in log on fxp0 proto tcp from any to any flags S/SA

block return-rst in on fxp0 proto tcp from any to any port = auth flags S/SA

pass in on fxp0 proto tcp from any to any port 1024 >< 5000

pass in on fxp0 proto tcp/udp from any to  172.31.50.9 port = 25

pass in on fxp0 proto tcp/udp from any to 172.31.160.30 port = 80

pass in on fxp0 proto tcp/udp from any to 172.31.50.9 port = 21

pass in on fxp0 proto tcp from any to 172.31.52.9 port = ssh

 

 

FAIRLY HEAVY FIREWALL WITH DEFAULT DENY-ALL POLICY

#

#  This is a fairly heavy firewall used to keep everyone out of the MNREC internal network while

#  still allowing people within the network to get outside.

#  Pass any packets not explicitly mentioned by subsequent rules

#

pass out from any to any

block in from any to any

#

#  Block any inherently bad packets coming in from the outside world.  These include ICMP

#  redirect packets, IP fragments so short the filtering rules won't be able to examine the whole

#  UDP/TCP header,and anything with IP options.

#

block in log quick on fxp0 proto icmp from any to any icmp-type redir

block in log quick on fxp0 proto tcp/udp all with short

block in log quick on fxp0 from any to any with ipopts

#

#  Block any IP spoofing attempts.

#

block in log quick on fxp0 from 172.31.0.0/24 to any

block in log quick on fxp0 from localhost to any

block in log quick on fxp0 from 0.0.0.0/32 to any

block in log quick on fxp0 from 255.255.255.255/32 to any

#

#  Block all incoming UDP traffic except talk and DNS traffic.  NFS and portmap are special-cased

#  and logged.

#

block in on fxp0 proto udp from any to any

block in log on fxp0 proto udp from any to any port = sunrpc

block in log on fxp0 proto udp from any to any port = 2049

pass in on fxp0 proto udp from any to any port = domain

pass in on fxp0 proto udp from any to any port = talk

pass in on fxp0 proto udp from any to any port = ntalk

#

#  Block all incoming TCP traffic connections to known services, returning a connection reset so

#  things like ident don't take forever timing out.

#

block return-rst in log on fxp0 proto tcp from any to any flags S/SA

block return-rst in on fxp0 proto tcp from any to any port = auth flags S/SA

#

#  Allow incoming TCP connections to ports between 1024 and 5000, as  these don't have

#  daemons listening but are used by outgoing  services like ftp and talk. The range from 1024 to

#  8000 includes the usage of ports for yahoo messenger , MSN messenger, voice chat, net to

#  phone, ICQ, VNC, Real Audio, Netmeeting, etc

pass in on fxp0 proto tcp/udp from any to any port 1024 >< 8000

pass in on fxp0 proto tcp/udp from any port = ftp-data to any port 1024 >< 6000

#  port 443 is for HTTPS (SSL)

pass in on fxp0 proto tcp/udp from any to any port 443

#  below is for MSN Gaming Zone

pass in on fxp0 proto tcp/udp from any to any port 28800 >< 29000

#  The following rule is for DirectX Gaming

pass in on fxp0 proto tcp/udp from any to any port 47624

#

#  Now it is to be remembered that for EVERY new service to be enabled in the MNREC network,

#  a seperate new rule would have to be written. Also it is possible that some other important

#  applications exist that use a different range of ports from those mentioned above. New rules

#  would have to be added as and when necessary

#  Now allow various incoming TCP connections to particular hosts, SMTP to the mail host

#  ganga.mnrec.ac.in, www to the UPMCAT web server and ssh to the  OpenBSD firewall

#  gateway itself that can be used to gain access to the protected network from the outside world.

#  NAT COMES BEFORE IPF, so the addresses would have been mapped already

#

# for the mail server at ganga

pass in on fxp0 proto tcp/udp from any to  172.31.50.9 port = 25

# for the UPMCAT http server

pass in on fxp0 proto tcp/udp from any to 172.31.160.30 port = 80

# for the ganga ftp server

pass in on fxp0 proto tcp/udp from any to 172.31.50.9 port = 21

# for enabling ssh at the OpenBSD gateway itself

pass in on fxp0 proto tcp from any to 172.31.52.9 port = ssh

 

 

/etc/ssh_config

 

   ForwardX11 no

   FallBackToRsh no

   UseRsh no

   IdentityFile ~/.ssh/identity

   Port 22

 

/etc/sshd_config

 

Port 22

HostKey /etc/ssh_host_key

HostKey /etc/ssh_host_rsa_key

HostKey /etc/ssh_host_dsa_key

ServerKeyBits 1664

LoginGraceTime 600

KeyRegenerationInterval 3600

PermitRootLogin no

IgnoreRhosts yes

StrictModes yes

X11Forwarding no

X11DisplayOffset 10

PrintMotd yes

KeepAlive yes

SyslogFacility AUTH

LogLevel INFO

RhostsAuthentication no

RhostsRSAAuthentication no

HostbasedAuthentication no

RSAAuthentication yes

PasswordAuthentication yes

PermitEmptyPasswords no

Subsystem     sftp      /usr/libexec/sftp-server
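The following script is an added example, not part of the report: it audits an sshd_config (constructed inline from the report's own /etc/sshd_config) against a small hardening baseline, flagging PasswordAuthentication yes and the 600-second LoginGraceTime on a gateway that accepts ssh from the outside, and shows the same audit passing on a hardened copy. The baseline values are this example's assumptions, not settings from the report.

```shell
#!/bin/sh
# Added example (not from the report): audit an sshd_config against a small
# hardening baseline. The gateway accepts ssh from the outside (the
# "pass in ... to 172.31.52.9 port = ssh" rule), so these settings are what
# stands between the Internet and a shell on the firewall. The baseline
# insists on explicit settings: an absent key is reported as "(unset)" and
# counts as a warning even where sshd's default would be safe.

# Print the value of KEY in FILE (first uncommented occurrence wins, as in
# sshd), or "(unset)" if the key never appears.
sshd_value() {
    v=$(awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1")
    echo "${v:-(unset)}"
}

# Compare each baseline key with the file; the last line printed is
# "warnings=N". Expected values are lower case; actual values are folded.
sshd_audit() {
    warnings=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no RhostsAuthentication=no \
                RhostsRSAAuthentication=no HostbasedAuthentication=no \
                IgnoreRhosts=yes StrictModes=yes X11Forwarding=no; do
        key=${pair%=*}
        expected=${pair#*=}
        actual=$(sshd_value "$1" "$key")
        if [ "$(echo "$actual" | tr 'A-Z' 'a-z')" = "$expected" ]; then
            echo "ok   $key $actual"
        else
            echo "WARN $key is '$actual', baseline wants '$expected'"
            warnings=$((warnings + 1))
        fi
    done
    # LoginGraceTime: an unauthenticated connection may hold a slot this long.
    grace=$(sshd_value "$1" LoginGraceTime)
    case $grace in
    *[!0-9]*|'')
        echo "WARN LoginGraceTime is '$grace', expected a number of seconds"
        warnings=$((warnings + 1)) ;;
    *)
        if [ "$grace" -gt 120 ]; then
            echo "WARN LoginGraceTime $grace exceeds 120 seconds"
            warnings=$((warnings + 1))
        else
            echo "ok   LoginGraceTime $grace"
        fi ;;
    esac
    echo "warnings=$warnings"
}

# Constructed copy of the report's /etc/sshd_config (the lines the audit
# looks at), and a hardened variant derived from it.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Port 22
ServerKeyBits 1664
LoginGraceTime 600
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem     sftp      /usr/libexec/sftp-server
EOF
hardened=$(mktemp)
sed -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' \
    -e 's/^LoginGraceTime 600/LoginGraceTime 120/' "$cfg" > "$hardened"

sshd_audit "$cfg"        # report's config: warnings=2
sshd_audit "$hardened"   # hardened copy: warnings=0
```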

 

 

/etc/sysctl.conf

 

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets

net.inet6.ip6.forwarding=1   # 1=Permit forwarding (routing) of packets

machdep.allowaperture=2               # See xf86(4)

 

/etc/rc.conf

 

#!/bin/sh -

routed_flags=NO                   # for normal use: "-q"

mrouted_flags=NO   # for normal use: "", if activated

rarpd_flags=NO                    # for normal use: "-a"

bootparamd_flags=NO        # for normal use: ""

rbootd_flags=NO                  # for normal use: ""

sshd_flags=""                        # for normal use: ""

sendmail_flags="-q30m"     # for normal use: "-bd -q30m"

smtpfwdd_flags=NO # for normal use: "", and no "-bd" above.

named_flags=""                    # for normal use: ""

rdate_flags=NO                     # for normal use: name of RFC868 timeserver

timed_flags=NO                    # for normal use: ""

ntpdate_flags=NO     # for normal use: NTP server; run before ntpd starts

photurisd_flags=NO  # for normal use: ""

isakmpd_flags=NO   # for normal use: ""

mopd_flags=NO                    # for normal use: "-a"

httpd_flags=NO                     # for normal use: "" (or "-DSSL" after reading ssl(8))

apmd_flags=NO                    # for normal use: ""

dhcpd_flags=NO                   # for normal use: "-q"

rtadvd_flags=NO                   # for normal use: list of interfaces

                                    # be sure to set net.inet6.ip6.forwarding=1

route6d_flags=NO    # for normal use: ""

                                    # be sure to set net.inet6.ip6.forwarding=1

rtsold_flags=NO                    # for normal use: interface

                                    # be sure to set net.inet6.ip6.forwarding=0

                                    # be sure to set net.inet6.ip6.accept_rtadv=1

ftpd_flags=NO                       # for non-inetd use: "-D"

identd_flags=NO                   # for non-inetd use: "-b -u nobody -elo"

xdm_flags=NO                      # for normal use: ""

# For enabling console mouse support (i386 architecture only)

moused_flags=NO                # for ps/2 try: "-p /dev/psm0", serial: "-p /dev/cua00"

rwhod=NO

nfs_server=NO                      # see sysctl.conf for nfs client configuration

lockd=NO

gated=NO

kerberos_server=NO            # kerberos server. run 'info kth-krb' for assistance.

kerberos_slave=NO # kerberos slave server.

amd=NO

ipfilter=YES

ipnat=YES                  # for "YES" ipfilter must also be "YES"

portmap=YES                        # almost always needed

inetd=YES                  # almost always needed

ntpd=YES                   # run ntpd if it exists

afs=NO                                   # mount and run afs

# Multicast routing configuration

multicast_host=NO   # Route all multicast packets to a single interface

multicast_router=NO # A multicast routing daemon will be run, e.g. mrouted

# miscellaneous other flags

gated_flags=

ypserv_flags=                                    # E.g. -1 for YP v1, -d for DNS etc

yppasswdd_flags=                # "-d /etc/yp" if passwd files are in /etc/yp

nfsd_flags="-tun 4"                # Crank the 4 for a busy NFS fileserver

amd_dir=/tmp_mnt               # AMD's mount directory

amd_master=/etc/amd/master        # AMD 'master' map

ipfilter_rules=/etc/ipf.rules    # Rules for IP packet filtering

ipnat_rules=/etc/ipnat.rules  # Rules for Network Address Translation

ipmon_flags=-Ds                              # To disable logging, use ipmon_flags=NO

syslogd_flags=                                  # add more flags, ie. "-u -a /chroot/dev/log"

named_user=named                        # Named should not run as root unless necessary

named_chroot=/var/named              # Where to chroot named if not empty

afs_mount_point=/afs                       # Mountpoint for AFS

afs_device=/dev/xfs0                        # Device used by afsd

afsd_flags=-z                         # Flags passed to afsd

shlib_dirs=                             # extra directories for ldconfig

local_rcconf="/etc/rc.conf.local"

[ -f ${local_rcconf} ] && . ${local_rcconf}
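A small audit script for the rc.conf format shown above, added here as an example (it is not part of the original guide and not an OpenBSD tool). It lists every setting whose value is not NO, i.e. every daemon rc will actually start (remembering that "" means "run with default flags"), and checks the one dependency rc.conf states in its own comment: ipnat=YES requires ipfilter=YES. The two rc.conf excerpts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an rc.conf excerpt.

# Constructed rc.conf excerpt (not the page's own copy) with the usual defaults.
SAMPLE_RCCONF='ftpd_flags=NO                       # for non-inetd use: "-D"
ipfilter=YES
ipnat=YES                  # for "YES" ipfilter must also be "YES"
portmap=YES                        # almost always needed
inetd=YES                  # almost always needed
named_flags=""                     # "" means: run named with default flags
httpd_flags=NO
rwhod=NO
'

# Second constructed excerpt with the ipfilter/ipnat dependency broken.
BROKEN_RCCONF='ipfilter=NO
ipnat=YES
'

# rcconf_value TEXT NAME: print the value assigned to NAME with trailing
# comments, surrounding blanks and double quotes stripped; prints nothing
# when NAME is not assigned at all.
rcconf_value() {
  printf '%s\n' "$1" | awk -v want="$2" '
    { sub(/#.*$/, "") }                      # drop trailing comment
    index($0, "=") == 0 { next }             # not an assignment
    {
      eq = index($0, "=")
      name = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (name != want) next
      val = substr($0, eq + 1);     gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub(/"/, "", val)
      print val
    }'
}

# enabled_settings TEXT: one name per line for every assignment whose value
# is not NO, which is everything rc will start or configure at boot.
enabled_settings() {
  printf '%s\n' "$1" | awk '
    { sub(/#.*$/, "") }
    index($0, "=") == 0 { next }
    {
      eq = index($0, "=")
      name = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
      val  = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (val != "NO") print name
    }'
}

# check_ipnat_dep TEXT: warn when ipnat=YES but ipfilter is not YES (the rule
# written in rc.conf itself); print nothing when the file is consistent.
check_ipnat_dep() {
  if [ "$(rcconf_value "$1" ipnat)" = "YES" ] &&
     [ "$(rcconf_value "$1" ipfilter)" != "YES" ]; then
    echo "WARNING: ipnat=YES requires ipfilter=YES"
  fi
}

echo "Settings enabled in the sample rc.conf:"
enabled_settings "$SAMPLE_RCCONF"
check_ipnat_dep "$SAMPLE_RCCONF"      # consistent: prints nothing
check_ipnat_dep "$BROKEN_RCCONF"      # prints the warning
```

Run against the real file with `enabled_settings "$(cat /etc/rc.conf)"`; anything in that list that the machine does not need (rwhod, portmap if no NFS or YP, ftpd) is a service to set back to NO before the box is put on the network.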


/etc/resolv.conf

domain mnrec.ac.in mnrec.cc.net
search mnrec.ac.in mnrec.cc.net
nameserver 210.212.49.14
nameserver 172.31.52.6

/etc/hostname.fxp0

inet 210.212.49.13 255.255.255.240 NONE

/etc/hostname.rl0

inet 172.31.52.9 255.255.0.0 NONE


SUMMARY OF IMPORTANT COMMANDS ON OPENBSD

·        To shut down the system: shutdown now or halt

·        To reboot the system: reboot

·        To see the routing table in numeric form: netstat -rn

·        To see the routing table: route show

·        To modify the routing table: route add, route delete

·        To restart the network: sh /etc/netstart

·        To start X Windows: startx

·        To flush and reload the NAT rules file: ipnat -CF -f /etc/ipnat.rules

·        To flush and reload the firewall rules file: ipf -Fa -f /etc/ipf.rules

·        To see the NAT status: ipnat -l

·        To see firewall status: ipfstat

·        To see the system startup messages: dmesg

·        To watch the IP Filter log messages: ipmon

·        To see the manual pages: man <name of command>

·        To partition a disk: fdisk

·        To label a disk: disklabel

·        To recompile the kernel: in /usr/src/sys/arch/i386/conf run config <kernel config file>, then in ../compile/<kernel config file> run make depend && make; make install

·        To run the name daemon: named

·        To look up a DNS name by querying a DNS server: nslookup www.servername.com

or dnsquery www.servername.com

·        To run SSH: ssh user@hostname

·        To see if a particular host is active: ping <hostname or IP address>

·        To mount a floppy: mount -t <filetype> /dev/fd0a <mountpoint>

For example: mount -t msdos /dev/fd0a /mnt/floppy

For a CDROM the filesystem type is cd9660

·        To take a backup from a disk to another: tar -cvf <destination> <source>

For example: tar -cvf /dev/rsd0b /usr (the destination is the raw device of the target partition)

Important files are:

·        /etc/rc.conf: Startup scripts

·        /etc/sysctl.conf: System options to be enabled at boot time

·        /etc/ipnat.rules: IPNAT rules configuration file

·        /etc/ipf.rules: Firewall rules configuration file

·        /etc/hostname.<interface name>: Configuration for a network interface

·        /etc/hosts: Information about network host names

·        /usr/src/sys: Kernel source files directory

·        /usr/share/ipf/: Example rules files for NAT and Firewall

 

BOOT MANAGERS IN OPENBSD

 

GAG:  Graphical Boot manager:

GAG can boot up to 9 operating systems from the same machine. GAG can be downloaded from: http://www.rastersoft.com/gageng.htm

To install GAG you need a floppy drive and must create a boot floppy with GAG on it. The gagboot image is downloaded from the website. This boot image has to be written in raw form to a floppy using either fdisk for Windows 98, dd (disk dump) for Linux or rawwritewin, which is the best, for Windows 98/2000/XP (it can be downloaded from http://uranus.it.swin.edu.au/~jn/linux/rawwrite.htm)

Installation is well documented and a brief outline is listed:

·        Download the Image file from the Net

·        Extract the Files

·        Write the disk image using rawrite or ntrw, or from your unix box.

·        Boot from the floppy diskette

·        Set configuration using a nice easy to follow graphical system

rawrite is supplied with the image file and also available together with ntrw from the CD Distribution or ftp site.

The main features of GAG are:

·        Boot Manager allows setting a default OS, and startup timer.

·        Supports booting from separate drives (eg. HD1, HD2, Floppy)

·        Install after both OSs have been installed

·        Graphical installation and startup menu (nice beautiful touch)

·        Well documented

·        Tested with MS Windows FAT32 & OpenBSD 2.9

·        You don't need to keep looking for that DOS boot CD/floppy: The GAG floppy is bootable

 

Other Boot managers are:

·        mattsoft Boot Manager downloaded from http://www.penguin.cz/~mhi/mbtmgr

·        OS Boot Selector 2.0Beta8 downloaded from

http://www.prz.tu-berlin.de/~wolf/os-bs.html

·        Partition Magic 5.0 Boot Magic

Useful information about various OpenBSD boot managers is available at:

http://www.nomoa.com/bsd/dualboot.htm
