Building Firewalls With OpenBSD And PF, 2nd Edition (2003)
.pdf
Section 3.5: Installing OpenBSD |
57 |
|
|
partitions you may want to create (on OpenBSD, just like on any other Unix, each directory, or Œlesystem, can be mounted on a different partition).
In the example on the facing page, the total number of free sectors on the disk is 3326337, out of which we cut 200000 for the / (root) Œlesystem.
The best way to start computing the size of partitions is to compute the size of the swap space, which should be at least twice the amount of RAM you have installed in your computer (in bytes). Then, divide that number by the number of bytes/sector for your disk and subtract the result from the total number of free sectors. (Note that this parameter too is measured in sectors, not bytes.)
The calculations required to change GB or MB values to bytes/sector are quite simple (suppose our machine has 128MB of RAM, and a 10GB hard disk):
total capacity = 10GB = 10240MB
swap = 2 ´ RAM = 2 ´ 128MB = 256MB
/ = 1GB = 1024MB
/home = 512MB
/tmp = 2GB = 2048MB /usr = 1GB = 1024MB
/usr/local = 1GB = 1024MB /var = 1GB = 1024MB
/var/log = 3GB = 3072MB /var/mail = 256MB
Assuming that our disk has 1024 bytes per sector, the results (in sectors) are as follows:
swap = 256MB = 256 ´ 1024 ´ 1024 bytes = 262144 1024 bytes/sector
/ = 1GB = 1024MB = 1024 ´ 1024 ´ 1024 bytes = 1048576 1024 bytes/sector
/home = 512MB = 512 ´ 1024 ´ 1024 bytes = 524288 1024 bytes/sector
58 |
Chapter 3: Installing OpenBSD |
|
|
/tmp = 2GB = 2048MB = 2048 ´ 1024 ´ 1024 bytes = 2097152 1024 bytes/sector
/usr = 1GB = 1024MB = 1024 ´ 1024 ´ 1024 bytes = 1048576 1024 bytes/sector
/usr/local = 1GB = 1024MB = 1024 ´ 1024 ´ 1024 bytes = 1048576 1024 bytes/sector
/var = 1GB = 1024MB = 1024 ´ 1024 ´ 1024 bytes = 1048576 1024 bytes/sector
/var/log = 1GB = 1024MB = 1024 ´ 1024 ´ 1024 bytes = 1048576 1024 bytes/sector
/var/mail = 256MB = 256 ´ 1024 ´ 1024 bytes = 262144 1024 bytes/sector
These values are not set in stone and, depending on your particular system conŒguration and needs, you may run out of space in one of these partitions or have plenty of free space lying unused. How can you Œnd out just how big each partition ought to be? Start with the above template and install all software that you will use on the Œrewall. Use du(8) to Œnd out how much space is left in each partition, e.g.: du -k /usr/local shows the number of kilobytes used in /usr/local. When one of the partitions is Œlled above 75% of its total capacity, it might be a good idea to reinstall the system and adjust the size of that partition at the cost of another one that is Œlled well under its total capacity. If it is still too tight, you might consider moving the swap partition to another disk. Another good candidate for relocation is /var/log. In either case, make sure that the second disk is plugged into a separate controller or the overall disk performance will decrease.
Partition Œlesystem type. For all non-swap partitions that value should be 4.2BSD. For swap partitions, use swap.
Mount point. The main (root) partition must be mounted under /, the swap partition does not have a mount point. When you plan to add additional partitions, their mount points are full paths that point to the directories that will be assigned to them. For example, if you are creating a separate partition for /usr/local, its mount point will be /usr/local.
Section 3.5: Installing OpenBSD |
59 |
|
|
You can check what partitions you created with the p command. When you are happy with your choices, use the q command. To prevent accidental damage, the installation script will ask you to conŒrm your choices:
> q
Write new label?: [y] y
The root filesystem will be mounted on wd0a. wd0b will be used for swap space
Done - no available disks found.
You have configured the following partitions and mount points:
wd0a /
You can now start formatting the disk. The time it takes to Œnish this operation is directly proportional to the disk's capacity. Type y and hit the Enter/Return key. The disk starts spinning and you can make yourself a cup of tea and relax, you are getting close to having a fresh copy of OpenBSD to play with.
When all goes well, you should see the installation procedure ask you for the host name. Type it in and hit the Enter/Return key:
System hostname? (short form, e.g. 'foo') firewall
Next, you will be asked if you want to conŒgure network services. You can skip that stage and do it later (see Chapter 4, ConŒguring OpenBSD), but if you do that you will not be able to install OpenBSD over the network and no FTP, HTTP, or NFS installation methods will be available.
If you decide to conŒgure the network, type y and hit the Enter/Return key:
Configure the network? [y] y
The next piece of information that you see on screen should be the list of available interfaces:
Available interfaces are: rl0 rl1
60 |
Chapter 3: Installing OpenBSD |
|
|
The example on the previous page shows two interface cards, if you have more cards installed, but they are not recognized, you may need to conŒgure them later on. Or, you could try alternative boot •oppies with support for Gigabit Ethernet or PCMCIA cards, if that's what you are using.
Next, you need to tell the installation script which interface you wish to initialize. The order in which you initialize multiple interfaces does not matter as long as you conŒgure them with proper settings that match the physical network layout:
Which one do you wish to initialize? (or 'done') [rl0] rl0
The next step is symbolic name assignment. The installation procedure suggest the host name you used earlier, but you can change it now or later (the information you enter here will be stored in /etc/hosts, all you have to do is edit it:
Symbolic (host) name for rl0? [firewall] firewall
Next, you may set optional parameters for the interfaces. In the example below, the script is asking which type of media will be used to transmit packets (twisted pair, thin coaxial cable, or autoselectŠthe card will determine this automatically):
The default media for rl0 is
media: Ethernet autoselect (none) Do you want to change the default media? [n]
It is usually OK to accept the default values, but when you run into trouble and you don't know which parameters are applicable to your card or what they mean, check the online OpenBSD man pages (the URL was given earlier in this chapter). It is possible to change these parameters later, they are stored in the hostname.* Œles, e.g. the hostname Œle for the rl0 interface is /etc/hostname.rl0. For more information refer to Chapter 4, ConŒguring OpenBSD.
In the next step, you must assign a valid IP address to the interface, or you may type dhcp if you want the DHCP (see dhcp(8)) server on your network to assign the address automatically. It is not a good idea to assign the address of the Œrewall via DHCP, so either use a legal public IP address
Section 3.5: Installing OpenBSD |
61 |
|
|
that you own, or use one of the private IP addresses (see Table 2.1). The address can be an IPv4 or an IPv6 number. After that, you will need to type in the netmask (see Chapter 5, /etc/pf.conf):
IP address for rl0 (or 'dhcp') 192.168.255.10
...
Netmask? [255.255.255.0]
The information you enter here will be stored in /etc/hostname.* and /etc/hosts, and can be changed afterwards.
After all interfaces have been conŒgured, you should see these messages:
Done - no available interfaces found.
...
DNS domain name? (e.g. 'bar.com') [my.domain] example.com
You may now supply the DNS domain name for the Œrewall host (you can change it later, it is stored in /etc/hosts). This part may be omitted, if you do not have your own domain, or when you plan to conŒgure your Œrewall as a bridge, in which case it will not matter as such hosts are invisible. It is OK to just hit the Enter/Return key at this point or use any name you like as long as it doesn't clash with the host or domain names used on your network or on the external networks.
Next, you will be asked to supply the address of the DNS name server on your network. If the machine you are installing OpenBSD on will act as a basic Œrewall or a bridge, it will not need to use a DNS server, but there are exception: you need to use a DNS server, if you want to install OpenBSD over a network, but don't know the IP addresses of FTP, HTTP, or NFS servers you will use for that purpose. When OpenBSD is stored on your own internal servers, use the address of your local DNS server; when you install OpenBSD from an external server, like one of the public FTP mirrors, use the address of your ISP's DNS server.
DNS name server? (IP address or 'none') [none] 192.168.1.1
Whatever DNS information you supply here will be saved in /etc/resolv.conf. You can then enable access to the DNS server:
Use the nameserver now? [y] y
62 |
Chapter 3: Installing OpenBSD |
|
|
Once you are done with the DNS server conŒguration, you need to add the default route (the address of the default gateway that the Œrewall will send packets to). If you want that to be set up via DHCP, enter dhcp. Another option is to leave that information out, in which case you should type none. That last choice will not let you install OpenBSD over the network from external networks. You can later add the gateway's address to
/etc/mygate:
Default route? (IP address, 'dhcp' or 'none') 192.168.255.3
Once you are done, you'll be given a chance to edit network information with ed(1). You probably don't want to do it, so hit the Enter/Return key and proceed with the installation leaving changes to the network conŒguration until later:
Edit hosts with ed? [n] n
...
Do you want to do any manual network configuration? [n] n
You are getting close to the start of the system installation stage, and now is time to set the superuser (root) account password:
Password for root account? (will not echo)
Password for root account? (again)
The password must be given twice. Once that is done, you can begin the installation of the operating system components. The installation program will give you several choices of software locations:
Sets can be located on a (m)ounted
filesystem, a (c)drom, (d)isk, or (t)ape device; or a (f)tp, (n)fs or (h)ttp server.
Where are the install sets? (or 'done')
Choose the option that best matches your setup. The following discussion focuses on the installation over HTTP, which is a popular choice for machines without a CD-ROM drive. The FTP or NFS installation procedures are similar and will not be covered here to save space.
Section 3.5: Installing OpenBSD |
63 |
|
|
What you need to begin is an HTTP server that stores the following OpenBSD 3.4 Œles for your hardware platform:
bsd bsd.rd
base34.tgz
etc34.tgz
comp34.tgz
man34.tgz
game34.tgz
The server itself does not need to be running OpenBSD, of course. All you need to make it work is place the Œles listed above in a publicly accessible directory and that that Œrewall host can connect to the server.
The Œrst question that you will have to answer is the one about the address of the HTTP proxy. When there is no proxy to go through, type none and hit the Enter/Return:
HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none] none
Then, you will be given a chance to see a list of HTTP servers on the Internet that you can use to install the system from. This will be a slow option, a local HTTP server is both more convenient and faster. If you want to see the list of available HTTP server that store OpenBSD binaries, type y, otherwise type n to use another, local or external HTTP server of your choice (you'll have to know its IP address):
Do you want to see a list of potential http servers? [n] n
Hit the Enter/Return key. Another parameter is the HTTP server's IP address:
Server IP address, or hostname? [192.168.255.1] 192.168.255.7
Finally, you need to supply the directory in which the Œles are residing, e.g.:
Server directory? [/] /openbsd/i386/
64 |
Chapter 3: Installing OpenBSD |
|
|
After you hit the Enter/Return key, you'll see a list of packages, some of which are optional, others essential. (This is the place where you will Œnally arrive at no matter which installation method you choose.) Selected packages are marked with x. To select/deselect a package type its name and hit the Enter/Return key. Only the most essential packages have been selected below, but if it is the Œrst time you ar installing OpenBSD, you should add man34.tgz:
[x] bsd
[ ] bsd.rd
[x] base34.tgz [x] etc34.tgz [ ] comp34.tgz [ ] man34.tgz [ ] game34.tgz
After all is done, answer y to the following question:
Ready to install sets? [y] y
Answer n to the question about running the X Windows System. Running it on a Œrewall machine is not a good idea, unless you are planning to conŒgure your OpenBSD workstation as a bastion host (see Chapter 2, Firewall Designs):
Do you expect to run the X Window System? [y] n
...
Saving configuration files...done.
...
Generating initial host.random file...done.
The last stage in the installation process is setting the local time zone:
What timezone are you in? ('?' for list) [US/Pacific]
...
Setting local time zone to 'NZ'...done.
...
Making all device nodes...done.
...
CONGRATULATIONS! ...
Section 3.6: Securing Your Firewall Hardware |
65 |
|
|
After all is done, you will be able to restart the system:
# halt
Then, restart the system with Ctrl+Alt+Del or a hardware reset button.
3.6 Securing Your Firewall Hardware
Remember that what is convenient during installation, is also yet another way for someone unauthorized to mess with your computer, so make sure you disable booting from all external storage devices except the hard disk.
Don't forget to protect access to BIOS settings with a password. If your computer's BIOS does not allow it, power your computer down after installing OpenBSD and disconnect or completely remove •oppy disk drives, CD-ROMs and other devices that can be used to boot your computer using software other than what you installed.
66