CVS 是 Concurrent Version System（并行版本系统）的缩写，用于版本管理。在多人团队开发中的作用更加明显。CVS 的基本工作思路是这样的：在一台服务器上建立一个仓库，仓库里可以存放许多不同项目的源程序。由仓库管理员统一管理这些源程序。这样，就好象只有一个人在 修改文件一样。避免冲突。每个用户在使用仓库之前，首先要把仓库里的项目文件下载到本地。用户做的任何修改首先都是在本地进行，然后用 cvs 命令进行提交，由 cvs 仓库管理员统一 修改。这样就可以做到跟踪文件变化，冲突控制等等。 　　由于CVS是建立在在原先 Unix 体系里很成熟的 SCCS 和 RCS 的基础上，所以CVS多是Linux（UNIX）系统中所使用，本文中服务器端设置也是以Linux为例。 　　一、CVS服务器的安装 　　首先确认系统中是否安装CVS服务： 　　[root@localhost /]# rpm -qa|grep cvs cvs-1.11.2-cvshome.7x.1 　　如果命令输出类似于上面的输出则说明系统已经安装有cvs，否则就需要从安装光盘中安装cvs的rpm包，或者到http://www.cvshome.org下载。 　　1、建立 CVSROOT 　　目录，因为这里涉及到用户对CVSROOT里的文件读写的权限问题，所以比较简单的方法是建立一个组，然后再建立一个属于该组的帐户，而且以后有读写权限的用户都要属于该组。假设我们建一个组叫cvs，用户名是cvsroot。建组和用户的命令如下 #groupadd cvs #adduser cvsroot 　　生成的用户宿主目录在/home/cvsroot（根据自己的系统调整） 　　2、用cvsroot 用户登陆，修改 /home/cvsroot （CVSROOT）的权限，赋与同组人有读写的权限：　 　　$chmod 771 . （或者770应该也可以） 　　注意：这一部分工作是按照文档说明做的，是否一定需要这样没有试验，我会在做试验后在以后版本的教程说得仔细一点。如果您有这方面的经验请提供给我，谢谢。 　　3、建立CVS仓库，（仍然是 cvsroot 用户），用下面命令： 　　$cvs -d /home/cvsroot init 　　4、以root身份登陆，修改 /etc/inetd.conf（使用 xinetd 的系统没有此文件）和 /etc/services 　　如果用的是 inetd 的系统，在 /etc/inetd.conf 里加入： 　　 　　cvsserver　 stream tcp nowait root /usr/bin/cvs cvs -f –allow-root=/home/cvsroot pserver 　　说明：上面的行是单独一整行，/usr/bin/cvs 应该是你的cvs版本的命令路径，请根据自己的系统调整．/home/cvsroot是你建立的CVSROOT的路径，也请根据上面建立目录的部分的内容做调整。 　　如果是使用 [...]]]>

CVS 是 Concurrent Version System（并行版本系统）的缩写，用于版本管理。在多人团队开发中的作用更加明显。CVS 的基本工作思路是这样的：在一台服务器上建立一个仓库，仓库里可以存放许多不同项目的源程序。由仓库管理员统一管理这些源程序。这样，就好象只有一个人在 修改文件一样。避免冲突。每个用户在使用仓库之前，首先要把仓库里的项目文件下载到本地。用户做的任何修改首先都是在本地进行，然后用 cvs 命令进行提交，由 cvs 仓库管理员统一 修改。这样就可以做到跟踪文件变化，冲突控制等等。
　　由于CVS是建立在在原先 Unix 体系里很成熟的 SCCS 和 RCS 的基础上，所以CVS多是Linux（UNIX）系统中所使用，本文中服务器端设置也是以Linux为例。
　　一、CVS服务器的安装
　　首先确认系统中是否安装CVS服务：
　　[root@localhost /]# rpm -qa|grep cvs
cvs-1.11.2-cvshome.7x.1
　　如果命令输出类似于上面的输出则说明系统已经安装有cvs，否则就需要从安装光盘中安装cvs的rpm包，或者到http://www.cvshome.org下载。
　　1、建立 CVSROOT
　　目录，因为这里涉及到用户对CVSROOT里的文件读写的权限问题，所以比较简单的方法是建立一个组，然后再建立一个属于该组的帐户，而且以后有读写权限的用户都要属于该组。假设我们建一个组叫cvs，用户名是cvsroot。建组和用户的命令如下
#groupadd cvs
#adduser cvsroot
　　生成的用户宿主目录在/home/cvsroot（根据自己的系统调整）
　　2、用cvsroot 用户登陆，修改 /home/cvsroot （CVSROOT）的权限，赋与同组人有读写的权限：　
　　$chmod 771 . （或者770应该也可以）
　　注意：这一部分工作是按照文档说明做的，是否一定需要这样没有试验，我会在做试验后在以后版本的教程说得仔细一点。如果您有这方面的经验请提供给我，谢谢。
　　3、建立CVS仓库，（仍然是 cvsroot 用户），用下面命令：
　　$cvs -d /home/cvsroot init
　　4、以root身份登陆，修改 /etc/inetd.conf（使用 xinetd 的系统没有此文件）和 /etc/services
　　如果用的是 inetd 的系统，在 /etc/inetd.conf 里加入：
　　
　　cvsserver　 stream tcp nowait root /usr/bin/cvs cvs -f –allow-root=/home/cvsroot pserver
　　说明：上面的行是单独一整行，/usr/bin/cvs 应该是你的cvs版本的命令路径，请根据自己的系统调整．/home/cvsroot是你建立的CVSROOT的路径，也请根据上面建立目录的部分的内容做调整。
　　如果是使用 xinetd 的系统，需要在 /etc/xinetd.d/ 目录下创建文件 cvspserver（此名字可以自己定义），内容如下：
　　# default: on
　　# description: The cvs server sessions;
　　service cvsserver
　　{
　　socket_type = stream
　　wait = no
　　user = root
　　server = /usr/bin/cvs
　　server_args = -f –allow-root=/cvsroot pserver
　　log_on_failure += USERID
　　only_from = 192.168.0.0/24
　　}
　　其中only_from是用来限制访问的，可以根据实际情况不要或者修改。修改该文件权限：
　　# chmod 644 cvspserver
　　在/etc/services里加入：
　　cvsserver 2401/tcp
　　说明：cvsserver 是任意的名称，但是不能和已有的服务重名，也要和上面修改 /etc/inetd.conf 那行的第一项一致。
　　5、添加可以使用 CVS 服务的用户到 cvs 组：
　　以 root 身份修改 /etc/group，把需要使用 CVS 的用户名加到 cvs 组里，比如我想让用户 laser 和gumpwu 能够使用 CVS 服务，那么修改以后的 /etc/group 应该有下面这样一行：
　　cvs:x:105:laser,gumpwu
　　在你的系统上GID可能不是105，没有关系。主要是要把laser和gumpwu用逗号分隔开写在最后一个冒号后面。当然，象RedHat等分发版有类似linuxconf这样的工具的话，用工具做这件事会更简单些。
　　6、重起inetd使修改生效：
　　#killall -HUP inetd
　　如果使用的是 xinetd 的系统：

　　# /etc/rc.d/init.d/xined restart
然后察看cvs服务器是否已经运行：
[root@localhost /]# netstat -lnp|grep 2401
　　tcp 0 0 0.0.0.0:2401 0.0.0.0:* LISTEN 1041/xinetd
则说明cvs服务器已经运行。

　　二、管理CVS服务器
　　服务器可以用，现在大家最关心的就是如何管理服务器，比如，我想让一些人有读和/或写 CVS 仓库的权限，但是不想给它系统权限怎么办呢？
　　不难，在 cvs 管理员用户（在我这里是 cvsroot 用户）的家目录里有一个 CVSROOT 目录，这个目录里有三个配置文件，passwd, readers, writers，我们可以通过设置这三个文件来配置 CVS 服务器，下面分别介绍这几个文件的作用：
　　passwd：cvs 用户的用户列表文件，它的格式很象 shadow 文件：
　　{cvs 用户名}:[加密的口令]:[等效系统用户名]
　　如果你希望一个用户只是 cvs 用户，而不是系统用户，那么你就要设置这个文件，刚刚安装完之后这个文件可能不存在，你需要以 cvs 管理员用户手工创建，当然要按照上面格式，第二个字段是该用户的加密口令，就是用 crypt (3)加密的，你可以自己写一个程序来做加密，也可以用我介绍的偷懒的方法：先创建一个系统用户，名字和 cvs 用户一样，口令就是准备给它的 cvs 用户口令，创建完之后从 /etc/shadow 把该用户第二个字段拷贝过来，然后再把这个用户删除。这个方法对付数量少的用户比较方便，人一多就不合适，而且还有冲突条件(race condition)的安全隐患，还要 root 权限，实在不怎么样。不过权益之计而已。写一个小程序并不难，可以到 linuxforum 的编程版搜索一下，有个朋友已经写一个贴在上面。
　　第三个字段就是等效系统用户名，实际上就是赋与一个 cvs 用户一个等效的系统用户的权限，看下面的例子你就明白它的功能。
　　readers：有 cvs 读权限的用户列表文件。就是一个一维列表。在这个文件中的用户对 cvs只有读权限。
　　writers：有 cvs 写权限的用户的列表文件。和 readers 一样，是一个一维列表。在这个文件中的用户对 cvs 有写权限。
　　上面三个文件在缺省安装的时候可能都不存在，需要我们自己创建，好吧，现在还是让我们用一个例子来教学吧。假设我们有下面几个用户需要使用 cvs：
　　laser, gumpwu, henry, betty, anonymous。
　　其中 laser 和 gumpwu 是系统用户，而 henry, betty, anonymous 我们都不想给系统用户权限，并且 betty 和 anonymous 都是只读用户，而且 anonymous 更是连口令都没有。那么好，我们先做一些准备工作，先创建一个 cvspub 用户，这个用户的责任是代表所有非系统用户的 cvs 用户读写 cvs 仓库。
　　#adduser
　　…
　　然后编辑 /etc/group，令 cvspub 用户在 cvs 组里，同时把其它有系统用户权限的用户加到 cvs 组里。（见上文）
　　然后编辑 cvs 管理员家目录里 CVSROOT/passwd 文件，加入下面几行：
　　laser:$xxefajfka;faffa33:cvspub
　　gumpwu:$ajfaal;323r0ofeeanv:cvspub
　　henry:$fajkdpaieje:cvspub
　　betty:fjkal;ffjieinfn/:cvspub
　　anonymous::cvspub
　　注意：上面的第二个字段（分隔符为 :）是密文口令，你要用程序或者用我的土办法生成。
　　编辑 readers 文件，加入下面几行：
　　anonymous
　　betty
　　编辑 writers 文件，加入下面几行：
　　laser
　　gumpwu
　　henry
　　注意：writers中的用户不能在readers中，要不然不能上传更新文件。

　　对于使用CVS的用户要修改它的环境变量，例如laser用户的环境变量，打开/home/laser（laser的宿主目录）下的.bash_profile文件，加入
　　CVSROOT=/home/cvsroot
　　export CVSROOT
　　用laser登陆就可以建立CVS项目，如果要root使用，可以修改/etc/profile文件。

　　现在我们各项都设置好，那么怎么用呢，我在这里写一个最简单的（估计也是最常用的）命令介绍：
　　首先，建立一个新的CVS项目，一般我们都已经有一些项目文件，这样我们可以用下面步骤生成一个新的CVS项目：
　　进入到你的已有项目的目录，比如叫 cvstest：
　　$cd cvstest
　　运行命令：
　　$cvs import -m “this is a cvstest project” cvstest v_0_0_1 start
　　说明：import 是cvs的命令之一，表示向cvs仓库输入项目文件。 -m参数后面的字串是描述文本，随便写些有意义的东西，如果不加 -m 参数，那么cvs会自动运行一个编辑器（一般是vi，但是可以通过修改环境变量EDITOR来改成你喜欢用的编辑器。）让你输入信息，cvstest 是项目名称（实际上是仓库名，在CVS服务器上会存储在以这个名字命名的仓库里。）
v_0_0_1是这个分支的总标记。没啥用（或曰不常用。）
start 是每次 import 标识文件的输入层次的标记，没啥用。
这样我们就建立一个CVS仓库。
　　建立CVS仓库的文件夹应该是“干净”的文件夹，即只包括源码文件和描述的文件加，而不应该包括编译过的文件代码等！
　　三、使用CVS
　　winCVS是一个很好的CVS客户端软件，在http://cnpack.cosoft.org.cn/down/wincvsdailyguide.pdf可以下载到这个软件的使用手册。这里不在赘述。
　　四、用CVS管理项目
　　本人正在一加公司从事该公司ERP项目的开发，在没有使用CVS的时候，多次出现由于不同的开发人员修改同一程序，而导致程序错误，解决版本控制问题迫在眉睫。
　　由于这个项目采用Linux平台下JAVA开发，使用的开发工具Jbulider是支持CVS进行项目管理的，作为主程序员，我决定采用CVS进行版本控制，首先参照上文在Linux服务器上建立CVS服务，然后我把我本地的工程文件传至服务器。
　　例如：我的工程文件在F:\ERP下，我把ERP下的erp.jpx文件、defaultroot文件夹和src文件夹上传至服务器/usr/local/erp下，然后登陆Linux服务器，登陆的用户是CVS的用户，其环境变量要正确（我的用户名为admin）
　　#cd /usr/local/erp
　　#cvs import -m “this is a ERP project” erp v_0_0_1 start
　　这样名为erp的CVS仓库就建立。
　　之后开发小组的成员可以用winCVS把该项目下载到本地：
　　打开winCVS
　　点击工具栏Create -> Create a new repository… 弹出窗口
　　在Grenral中
　　Enter the CVSROOT填写admin@192.168.1.9:/home/cvsroot 其中admin是cvs的用户，在本例中admin也是linux的系统用户，192.168.1.9是服务器的地址，/home/cvsroot是 CVS的主目录，参考上文。
　　Authentication中选择”passwd file on the cvs server”
　　Use version中选择cvs 1.10 (Standard)
　　其它项默认即可。
　　确认后，点工具栏Admin –> Login… 会提示输入密码，输入密码后，看看winCvs的状态栏。如果提示
　　*****CVS exited normally with code 0*****
　　表示登录正常。
　　点击工具栏Create –> Checkout module…弹出对话框，其中的Checkout settings项中
　　Enter the module name and path on the server 填写erp，即我们建立的名为erp的CVS仓库
　　Local folder to checkout to 选择要下载到本地的目录，我选F:\myerp
　　其它项目可以默认，确定后就可以下载到本地，在F:\myerp\下会有一个erp文件夹，其文件结构和F:\erp下的文件结构是一样的。
　　用Jbulider打开F:\myerp\erp\下的erp.jpx文件，这个工程文件就可以使用。
　　在Jbuilder的工具栏Team –> Select Project VCS 弹出对话框，选择CVS
　　对于你要进行修改的文件，在Project View中点中该文件，然后点右键，探出快捷菜单，选择CVS –> CVS Edit “xxxx.java（文件名）”
　　第一次使用可能会提示CVS服务器的密码。
　　在修改之前还要选择CVS –> Update “xxxx.java（文件名）”
　　修改之后选择CVS –> Commit “xxxx.java（文件名）”
　　这样，修改的文件就保存到CVS服务器，Update的目的是下载、比较文件。每次在修改之前都Update，保持最新版本。
　　CVS在项目管理使用中确实起到良好的效果，仔细研究CVS的命令，可以更好的发挥CVS在版本控制上的能力。

Abstract This is a quick tutorial on how to set up an OpenBSD 3.1 system. The first part covers setting up a firewall, NAT proxy, time and DHCP server on a system connected to the Internet via broadband like DSL or cable. The second part covers things that would be installed on [...]]]> Abstract
This is a quick tutorial on how to set up an OpenBSD 3.1 system. The first part covers setting up a firewall, NAT proxy, time and DHCP server on a system connected to the Internet via broadband like DSL or cable. The second part covers things that would be installed on a desktop machine: graphical window managers etc.

The reader is not expected to be a Unix expert (why would a Unix expert need this how-to?) — if you don’t understand something, or something looks intimidating, read on and come back to it. If something still doesn’t make sense, let me know.

I don’t cover what I consider “advanced” usage such as tracking -CURRENT or CVS snapshots. If you want to do that, I assume you know which FAQs to read!

This document may be freely reproduced and redistributed under the terms of the GNU Free Documentation License Version 1.1; with the invariant section being this entire document, with no Front-Cover Texts and no Back-Cover Texts.

In other words, if you want to copy this document in its entirety, feel free to do so; if you wish to modify it (as in providing a translation, or taking sections to include in other documents) please send me email. Needless to say, documents that this document links to will have their own copyrights.

New!
I have a shell script that sets up everything mentioned here. This is still experimental but if you try it, please let me know how it goes. Save this file to disk and run it by typing “sh config31-fw.sh”. (Doesn’t handle PPPoE [the beast].)

There is a new section called Tips and Stuff where I put things I’ve found or written that are useful sysadmin tools.

Introduction
Why OpenBSD? It’s simple and secure. Your firewall machine should not have lots of things installed on it; therefore no exotic hardware, graphical desktops, X11 servers etc. — put those on your desktop machine. A simpler system is more robust and more secure; this machine only offers SMTP (email), ssh, ping/traceroute and optionally HTTP (web) to the outside world. And since it’s running Unix, you can log in to it — securely — using ssh from anywhere on the Internet and make any changes you need to. (N.B.: never use telnet to connect to a machine over the Internet! Anyone can eavesdrop and grab important information like passwords. Only use ssh, which encrypts all communication so that eavesdroppers don’t get any information. And verify those key fingerprints or you leave yourself open to a man-in-the-middle attack. For information do a web search for public key cryptosystems; a good place to start is OpenSSH.)

The utility and security of having this kind of machine: a firewall protects your data and systems from the Big, Bad Internet. When the bad guys are out to vandalise machines on the Internet, MS-Windows machines of various kinds are prime targets because they suck. Er, I mean, Windows is really hard to secure. (Not that an incompetently run Unix machine is any better, of course.) When you dialled in on the phone, your machine was on the ‘net for brief periods; with DSL or cable it’s vulnerable all the time.

This document also describes how to set up an OpenBSD system as a Unix workstation. We will go over setting up X11 (the window system) etc. I assume that you will be using a different machine as your workstation. Important: Unix systems can be set up in various ways; I do things a certain way and that’s what this document will cover. Other people (wizards and newbies alike) may do things differently. In case it matters, I’ve been using Unix since 1982, have been a sysadmin on-and-off since 1986 (VAX/BSD, SunOS 4.x, Solaris 2.x, HP/UX, AT&T 3B5 SVR6 etc.) I’ve been a C programmer since the early 80s. Today I design and implement back-end network servers on Solaris.

This tutorial assumes that you have some familiarity with using Unix: what filenames look like, how to copy and edit files etc. There’s a decent Unix tutorial on the web. The most important command to remember is man (short for “manual”) — if I say something like “read the documentation for foobar it means you should type man foobar. One other piece of Unix argot: if you hear someone write select(2) it indicates that the manual for select is in section 2, i.e. you would read the manpage by typing man 2 select. You should also read the OpenBSD documentation: particularly the OpenBSD FAQ. Bookmark that link right now.

NAT (Network Address Translation) allows you to connect lots of PCs up to one network connection. When any of the machines inside the firewall wants to make a connection to some server out there on the internet, the firewall/NAT box intercepts that request, and sends the request off as though it came from the firewall/NAT machine. When the reply arrives, it is sent off to the machine that made the connection. Neither the server nor the machines on the inside know that all this is going on.

Aside: NAT is also called PAT, for “Port Address Translation.” Also, read this interesting article by HRH Prince Philip, Duke of Edinburgh, on setting up PAT and DHCP on Cisco routers. The whole routergod.com site features many celebrities offering helpful tips on various network issues.

Even if you don’t want plan on having more than one PC at home, NAT is useful, because it allows the machine running your firewall to be different from your main workstation. You probably want to install fancy hardware and software on your machine; but every additional package installed on a firewall makes it more vulnerable.

Network Address Translation (NAT)

Note: if you only have one machine on the “inside”, you don’t need an ethernet hub; use a crossover cable to connect the two machines directly. This also has the advantage that you can get a full-duplex connection between the machines (a hub only allows a half-duplex connection).

Note: you can buy little NAT/DHCP boxes from various manufacturers for about $150, but where’s the fun in that? Besides, who knows how strong the security is on those things. With OpenBSD you know you’re getting the best.

Building the machine
The machine itself: I prefer to build these machines up from individual components rather than buying a pre-made box. That way I can get name-brand supported components, and it works out slightly cheaper since I don’t have to get exotic video cards, sound cards, CD-ROM drives etc. (Not to mention a Fisher-Price operating system that you will be required to pay for.)

Can you build a PC? Well, no one showed me how, but I’ve managed to put together about 10 or so systems, so it can’t be that hard. If you’ve assembed anything with screwdrivers etc. you’ll be fine. There are numerous sites on the web that walk you through building a PC. Go do a Google search and read those. I especially like the one at Acme Labs by Jef Poskanzer. There’s also an excellent motherboard finder at Acme.

Caveat: specific recommendations will be outdated as soon as I write them! I like to use AMD CPUs because I believe Intel is evil and as far as possible I’d like to not buy their products. I’d get the current not-top-of-the-line CPU i.e. the one that costs about $50 and a compatible motherboard that costs in the range of $70. I stay away from integrated components because they’re usually garbage. (For a server that I don’t use directly I might get integrated video.) Spend about $30-50 on RAM, $30 on ethernet, $60 on an IDE disk, $30 for a case (with power supply). I usually find the best prices on components at Directron and CompuVest (warning: uses Java). These have both been non-sleazy (everything was as described in their catalog and shipping was prompt) in all my dealings with them — but let me know if you find any evidence of sleaziness.

All these components add up to around $300 — and that’s brand-new stuff. If you have any old components lying around, they will be fine. You don’t need a keyboard, mouse or monitor when the system is up and running — all maintenance on it can be done over the network. (While you’re installing the OS on the machine you will need to hook up a keyboard, monitor and CD-ROM drive to it, of course.)

While installing the system, I plug in a spare CD-ROM drive, keyboard and monitor. Change the BIOS settings so that the machine will boot without a keyboard etc. Boot off the OpenBSD 3.1 CD and install the system. All the hardware should be recognised without any problems. (The installation guide booklet that comes with the CDs is excellent.)

The easiest way to install OpenBSD is to buy the distribution on CDs. Although you can install it via the network, buying the CD will help make sure that the OpenBSD project will continue to improve and better the system. If you can afford an outlay of US$40, please buy the CDs from the OpenBSD ordering site.

When you’re installing OpenBSD, the installer program will ask you for disklabel information (partitions). On a Unix system, a group of files organised together is called a filesystem. The disk is partitioned into various pieces each of which will hold one filesystem. This is the filesystem breakup and partition sizes I’d use for a 12GB disk (if your disk is bigger, you can just increase the size of /var (for web files) or /home (for your personal files) — the system will be more than happy with these sizes for /, /tmp and /usr):

/dev/wd0a 100M /
/dev/wd0d 400M /tmp
/dev/wd0e 4GB /var
/dev/wd0g 2GB /usr
/dev/wd0h 5GB /home
(The convention is that a is always /, b is swap and c is the whole disk.) Your web files will live in /var, and your other files in /home.

This is all overkill; /usr only needs about 600M or so. Say pad it to 1GB. A 2GB disk would be plenty for the system, but if the cheapest disk you can get is 13GB….

Note for Unix newcomers: the disk is named /dev/wd0, and in this case it has 5 partitions with names /dev/wd0a, /dev/wd0d, /dev/wd0e, /dev/wd0g and /dev/wd0h. And the different partitions don’t get different “drive letters” as in some primitive operating systems; once the system is installed, it looks to the user that there is just one bunch of files; Unix will figure out the right thing to do. After the system has been installed and you’ve booted off the hard disk, log in and (this is important!) type man afterboot; it will remind of some things that you need to do to complete the installation — pick passwords, create user accounts, check network settings etc. Also, man hier will introduce you to the way the system is organised — which files live where. In fact, let me say that again:

After the first normal boot of the system, be sure to read these manpages:
$ man afterboot
$ man hier
Also run dmesg(8) to learn more about your hardware and the driver names that OpenBSD uses for them.

Which packages to install? A good starting point would be to accept the defaults. For a desktop system (workstation), you will want all the X11 packages also. I install everything.

There! And make sure you keep reading the manpages — OpenBSD manpages are a thing of beauty, complete, up-to-date and informative. And also read the OpenBSD FAQ on the web — much of this information is also found there.

Configuring the network
For my outside connection I have DSL and a static IP number (from Speakeasy — I recommend them over PacBell etc. — I’m so happy I switched). Other DSL options are PPPoE that PacBell likes to set people up with, or DHCP which is what you usually get over cable. A completely bogus DSL installation is the USB device they try to foist on customers with Windows. Danger, Will Robinson! They stink; they’re unsupported on any free O/S, and even on Windows they work about half the time.

In *BSD the network cards are named according to the driver used. For the Lite-On (DEC Tulip) cards, the driver is called dc, and the Intel EtherExpress Pro is fxp; so my two ethernet cards are dc0 and fxp0. (If you had two cards that both used the dc driver, they would be dc0 and dc1.) For the inside network I use the “private” (non-routable) IP numbers 192.168.1.* which will make the inward-facing network card 192.168.1.1. The OpenBSD initialization asks you for IP numbers for the two cards. Enter the appropriate ones – the IP number your ISP gave you for dc0, and 192.168.1.1 for fxp0. For PPPoE, the outside interface is tun0 and it will figure out its own IP address. If you’re supposed use DHCP on your DSL or cable connection, type in dhcp.

It is important to remember which network will be the outside and which the inside. If the two cards are identical, the easiest way is to look at the MAC number. Every ethernet card ever made has a unique ID called its MAC number. This will be printed on the card, usually as a sticker. When the kernel boots up, it will print the MAC numbers of each card it finds:

fxp0 at pci0 dev 9 function 0 “Intel 82557″ rev 0x0c: irq 11, address 00:02:b3:a0:3a:50
dc0 at pci0 dev 10 function 0 “Lite-On PNIC” rev 0×20: irq 10 address 00:a0:cc:55:ab:1c
So the card that has a MAC number ending ab1c is dc0; the other is fxp0. (If the two network cards you have are different types, as in this case, there’s no problem, of course. The kernel bootup messages is still be useful to tell you what names the system is using for them.)

(There’s some rule about where the cards are plugged in so which one gets number 0 and which no. 1, but I can never remember that.)

PPPoE
The beast! PPPoE is a pain in the ass but ISPs like it because it makes things simpler for them — they don’t have to maintain lists of IP numbers. Also, they can run a crappy service and keep dropping the connection and that’s ok, you’re expected to reconnect. It’s the Micros**t philosophy of “make something really crappy and expect people to just re-start the whole system a couple of times a day.” It’s a pain in the ass for us because its MTU is 1492 instead of 1500 which used to require changes on every machine inside the network — but now thanks to the “mssfixup” flag we don’t have to any more.

The files you will need to change for PPPoE all live in /etc/ppp/.

Configure system files
To set up the system, the files you will be editing are:/etc/rc.conf, /etc/myname, /etc/mygate, /etc/pf.conf, /etc/nat.conf, /etc/*.conf, /etc/hostname.interface, /var/named/*.

Edit /etc/rc.conf. On my servers I run SMTP, Apache, and ssh. In other words, from the outside it handles email, web acess and secure shell for remote logins. For convenience, on the inside I have a private name server (DNS) and NTP server for accurate time. To get sendmail, NTP, httpd, and NAT to work, these are the lines to change:

sendmail_flags=”-bd -q30m” # for normal use: “-bd -q30m”
named_flags=”" # for normal use: “”
ntpdate_flags=”put.server.here” # for normal use: NTP server; run before ntpd starts
httpd_flags=”" # for normal use: “” (or “-DSSL” after reading ssl(8))
dhcpd_flags=-q # for normal use: “-q”
pf=YES # Packet filter / NAT
ntpd=YES # run ntpd if it exists
pf_rules=/etc/pf.conf # Packet filter rules file
nat_rules=/etc/nat.conf # NAT rules file
Make sure that /etc/sysctl.conf has this line in it:

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
Get the names of NTP servers close to where you are and put that name in the ntpdate value. Here’s a list of public NTP servers.

Update ssh
Warning: ssh in OpenBSD 3.1 has a bug!
Upgrading openssh to 3.4 is strongly recommended. See the OpenSSH for OpenBSD page for details. In brief, you will download ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.4.tgz and execute the following steps (as root):

# cd /usr/src/usr.bin
# tar xvfz …/openssh-3.4.tgz
# cd ssh
# make obj
# make cleandir
# make depend
# make
# make install
# cp ssh_config sshd_config /etc/ssh
# mkdir /var/empty
Using vipw(8) you will add this line to your password file:

sshd:*:27:27::0:0:sshd privsep:/var/empty:/sbin/nologin
Then add this line to /etc/group:

sshd:*:27:
NAT and firewall rules
OpenBSD 3.1 has a new packet filter — 2.9 used ipf but 3.x has a re-written from scratch one called pf. The details are not important; pf config files are much simpler. I decided that my outside interface would be dc0, and the inside one fxp0. (If you’re using PPPoE, the outside interface will be tun0.) Firewall rules (they tell the gateway what kind of network traffic should be allowed into the internal network) live in /etc/pf.conf; NAT configuration is in /etc/nat.conf.

Here’s a sample /etc/pf.conf — very little is accessible from the outside, but machines on the inside can go out with no restrictions. In your files you’d replace dc0 and fxp0 with the names of your outward- and inward-facing ethernet cards, respectively.

#####################################################################
#
# IP packet filtering rules (firewall)
# Shamim Mohamed 3/2002

# See pf.conf(5) for syntax and examples

# If you change this file, run
# pfctl -R /etc/pf.conf
# to update kernel tables (also run “pfctl -e” if pf was not running)

# Network interfaces
internal = “fxp0″
external = “dc0″

# Services visible from the outside — remove any you’re not using
services = “{ ssh, http, https, smtp }”

# You shouldn’t need to change anything below this line
#####################################################################

# Non-routable IP numbers
nonroutable = “{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
255.255.255.255/32 }”

# All rules are “quick” so go strictly top to bottom

# Fix fragmented packets
scrub in all

# Don’t bug loopback
#
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

# Don’t bother the inside interface either
#
pass out quick on $internal from any to any
pass in quick on $internal from any to any

#####################################################################
#
# First, we deal with bogus packets.
#

# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won’t be able to examine the whole UDP/TCP header.
#
block in log quick on $external inet proto icmp from any to any icmp-type redir

# Block any IP spoofing atempts. (Packets “from” non-routable
# addresses shouldn’t be coming in from the outside).
#
block in quick on $external from $nonroutable to any

# Don’t allow non-routable packets to leave our network
#
block out quick on $external from any to $nonroutable

#
#####################################################################

#####################################################################
#
# Now the normal filtering rules
#

# ICMP: allow incoming ping and traceroute only
#
pass in quick on $external inet proto icmp from any to any icmp-type { \
echorep, echoreq, timex, unreach }
block in log quick on $external inet proto icmp from any to any

# TCP: Allow ssh, smtp, http and https incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection.
#
pass in quick on $external inet proto tcp from any to any port $services flags S/SA keep state

# Of course we need to allow packets coming in as replies to our
# connections so we keep state. Strictly speaking, with packets
# coming from our network we don’t have to only match SYN, but
# what the hell.
#
pass out quick on $external inet proto tcp from any to any flags S/SA keep state
pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state

# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP).
#
block return-rst in log quick on $external inet proto tcp from any to any
block return-icmp in log quick on $external inet proto udp from any to any
block in quick on $external all

#
# End of file
#
#####################################################################
Read the pf documentation and understand these rules.

This is the NAT config /etc/nat.conf — this allows machines on the inside network to transparently make connections to the outside world:

#####################################################################
#
# NAT rules
# Shamim Mohamed 3/2002

# See nat.conf(5) for syntax and examples

# replace dc0 with external interface name, 192.168.1.0/24 with internal
# network (if different)

# nat: packets going out through dc0 with source address 192.168.1.0/24 will
# get translated as coming from 12.34.56.78 (or whatever the external IP no.
# is). State is created for such packets, and incoming packets will be
# redirected to the internal address.

nat on dc0 from 192.168.1.0/24 to any -> dc0

# End of file
#####################################################################
The system should already have setup /etc/hostname.dc0 and /etc/hostname.fxp0 (or whatever your network device names are) for you. Each file will have the IP number and netmask. This is what these files would look like:

$ cat /etc/hostname.fxp0
inet 192.168.1.1 255.255.255.0 NONE
$ cat /etc/hostname.dc0
inet 123.45.67.89 255.255.255.0 NONE
(The $ is the prompt; cat types a file out to the output.) If you’re using DHCP, the outside interface’s hostname file will say dhcp.

Other important files are /etc/myname — your hostname — and /etc/mygate — your default gateway to the outside world (your ISP told you what this should be — it’s usually the same as your IP number except that the last number is replaced with a 1 or 254.)

PPPoe
If you have PPPoE (you unfortunate soul!) things are different. You shouldn’t have /etc/mygate; and the file describing the outside interface, /etc/hostname.dc0 in my example, will only have one word in it: up. This tells the system to bring up the interface at boot time, but to do nothing else — pppoe will do the rest.

The main file is /etc/ppp/ppp.conf and this is what it should look like:

default:
set log Phase Chat LCP IPCP CCP tun command
set redial 15 0
set reconnect 15 10000

pppoe:
set device “!/usr/sbin/pppoe -i dc0″
disable acfcomp protocomp
deny acfcomp
set mtu 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname login
set authkey password
enable dns
enable mssfixup
Use your login name and password where indicated. The “set device” line tells ppp which physical device to use to talk to the outside world. You also have to tell the system to start PPPoE at boot time. That can be done with this little snippet of shell script:

echo -n “Trying to establish PPPoE DSL”; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 5
echo -n.$i”
if /usr/local/sbin/adsl-status>/dev/null; then
break
fi
done
echo
/usr/local/sbin/adsl-status
Where adsl-status is a little shell-script that tests to see whether the PPP link has come up properly:

#!/bin/sh

IP=$(/sbin/ifconfig tun0 | awk ‘/netmask/{print $2}’)

if [ -z "$IP" ]; then
echo “ADSL link is down.”
exit 1
else
echo “ADSL is up, IP address $IP”
exit 0
fi
Now the question is: where should we put the little loop that tries to get ppp going? The right place to put all these is in /etc/rc.local. However this has the drawback that the outside network hasn’t been initialised while the rest of the system is coming up, which causes some scary-looking error messages from NAT to be printed at boot time. So I do something a little un-kosher: I put the ppp initialisation in /etc/netstart right at the end:

…
echo -n ‘ ADSL… ‘; ; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 5
echo -n.$i”
if /usr/local/sbin/adsl-status>/dev/null; then
break
fi
done
echo
/usr/local/sbin/adsl-status
Now remember that each time the PPP link goes up or down, the IPF and NAT rules must be re-done. The files /etc/ppp/ppp.linkup and /etc/ppp/linkdown are scripts that get run by ppp. Here’s /etc/ppp/ppp.linkup:

MYADDR:
! sh -c “/sbin/route del default”
! sh -c “/sbin/route add default HISADDR -mtu 1492″
! sh -c “/sbin/pfctl -F all -R /etc/pf.conf -N /etc/nat.conf -e”
! sh -c “/usr/local/sbin/ntpd -p /var/run/ntpd.pid”
And this is /etc/ppp/linkdown:

MYADDR:
! sh -c “/sbin/pfctl -F all -d”
Configuring email
Sendmail should have been setup automatically since you edited /etc/rc.conf but I’ve occasionally had to make one change in /etc/mail/sendmail.cf:

Djmy-domain-name.com
(If you don’t own a domain, or plan on having it point to your DSL machine, you don’t need sendmail.)

You should have a normal user account that you’re going to use (never log in as root! Always use su or sudo). Administrative email should be forwarded to you; if your normal username is zippy edit /etc/mail/aliases and make sure you make the appropriate lines look like this:

# Well-known aliases — these should be filled in!
root: zippy
manager: zippy
dumper: zippy
One thing you should consider is being an email handler for friends. My DSL service goes down too often — every few months. This is too unreliable for my tastes. What I do is collaborate with friends to accept and queue email for them, and they do the same for me. Example: for my domain foo.com the primary mail exchanger is gateway.foo.com, the OpenBSD firewall/gateway. A friend of mine has bar.com, and his email gateway is gateway.bar.com. I set up a secondary mail exchanger in my domain records as gateway.bar.com. If my DSL line gateway.foo.com goes down and someone out there wants to send email to me at foo.com, her machine will use gateway.bar.com instead and email will wait on that machine until my machine is back on the network. I want to perform the same service for my friend — if gateway.bar.com is down, I want people to be able to send my machine the email destined for bar.com and fubar.org (another friend’s domain). This goes in the file /etc/mail/relay-domains on my gateway box:

bar.com
fubar.org
Now the machine will accept email for my friends’ domains bar.com and fubar.org as well as for itself and forward their messages on. If the machine it’s trying to forward to is down, it will put them in the queue and keep re-trying for a while. (My friend at bar.com does similar things to his /etc/mail/relay-domains.)

Setting up DNS
You probably shouldn’t be running the primary DNS server for your domain on your DSL box; DSL may not be reliable enough for that. Get someone else to do it for you for free, like http://www.zoneedit.com/.

However, it is nice to have a local private DNS because lots of daemons (services that run in the background, like the web server) like to do reverse lookups of IP numbers, so we should have a DNS server for the private network. Also, this installation will give you a caching nameserver which should improve your browsing speed.

The files live in /var/named. Assuming your domain is called fake-domain.org, edit named.boot and add these lines:

primary fake-domain.org fake-domain.db
primary 1.168.192.in-addr.arpa fake-domain.rev

; your static IP number, reversed
primary 89.67.45.123.in-addr.arpa dsl.rev

; remember to add your ISP’s nameservers here!
forwarders 1.2.3.4 5.4.3.2
(Anything starting with a semicolon is a comment.) Here fakedomain.org can be a real domain you have or a fake; and instead of 89.67.45.123 use your static IP but reversed i.e. you would use that line if your IP number were 123.45.67.89. And change the IP numbers on the forwarders line to the nameservers your ISP told you to use.

There are three files you need to create. The first is /var/named/namedb/fake-domain.db:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

gateway IN A 192.168.1.1
libelle IN A 192.168.1.2
discus IN A 192.168.1.4
ventus IN A 192.168.1.3
wander IN A 192.168.1.5
brad IN A 192.168.1.12
jack IN A 192.168.1.13

; your static IP number
dsl IN A 123.45.67.89

www IN CNAME dsl
mail IN CNAME dsl
In this network, there are six machines on the inside and those are their names and IP Number assignments. The OpenBSD gateway machine is named “gateway”. Change these entries to names of the machines on your private network. You can give them any IP number that starts with 192.168.1. Of course if you have three machines on your network, there will only by three entries.)

This is the second file you need to create, /var/named/fake-domain.rev:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

1 IN PTR gateway.fake-domain.org.
2 IN PTR libelle.fake-domain.org
3 IN PTR ventus.fake-domain.org
4 IN PTR discus.fake-domain.org.
5 IN PTR wander.fake-domain.org.
12 IN PTR brad.fake-domain.org.
13 IN PTR jack.fake-domain.org.
(Those trailing dots are important.) And here’s the third, /var/named/namedb/dsl.rev:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

IN PTR dsl.fake-domain.org.
PPPoE
Yes, again more stupid special cases for PPPoE. For one thing, your IP address from the outside keeps changing so all the stuff about dsl.rev doesn’t apply. However, more important: you don’t know what your ISP’s DNS servers are! And they could change which machines you’re supposed to use each time you connect! What you have to do is: connect “by hand” one time, and see which DNS servers you got. After ppp.conf has been written, you can run ppp -ddial pppoe and pray. If all goes well, ifconfig tun0 should show you two lines:

$ /sbin/ifconfig tun0
tun0: flags=11 mtu 1492
inet 63.201.32.40 –> 63.201.39.254 netmask 0xff000000
That means everything worked. Now look at /etc/resolv.conf — there should be one or more lines in there that say which nameservers should be used. Put these IP numbers in the forwarders line in /var/named/named.boot.

One other wrinkle: the /etc/resolv.conf that ppp makes for you doesn’t know about your domain, or that you’re running a nameserver on your machine. To get around these problems, I created another file /etc/resolv.conf-working:

nameserver 192.168.1.1
lookup file bind
search fake-domain.org
In /etc/ppp/ppp.linkup I tell it to overwrite the created resolv.conf with this one:

! sh -c “cp /etc/resolv.conf-working /etc/resolv.conf”
(Add that to the end of the file that you’ve already created.) This allows all programs running on the machine to be able to use all the good things about a local caching nameserver — things like being able to refer to internal hosts by short name etc.

Other machines on the internal network
Go to the other machines on your network (the ones inside your firewall) and set them up with the static IP numbers you assigned above, e.g. the machine wander gets an IP number of 192.168.1.5. All the machines should use 192.168.1.1 for the gateway and use 192.168.1.1 for the DNS server. For more details on DNS, read the excellent O’Reilly book “DNS and BIND”; for more on setting up slightly more complex DNS servers than the one described here, go to the OpenBSD — DNS site maintained by Samiuela LV Taufa.

Setting up DHCP
Above in the DNS setup all internal machines are assigned their own IP numbers. Running DHCP allows guest machines to hook up to the network without fuss. Depending on your comfort level with setting up your other machines, you might also prefer to use DHCP over assigning static IPs.This is what /etc/dhcpd.conf should look like:

# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network: 192.168.1.0/255.255.255.0
# Domain name: my.domain
# Name servers: 192.168.1.3 and 192.168.1.5
# Default router: 192.168.1.1
# Addresses: 192.168.1.32 — 192.168.1.127
#
shared-network LOCAL-NET {
option domain-name “fake-domain.org”;
option domain-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;

range 192.168.1.32 192.168.1.127;
}
}
This will allow up to 96 machines on your internal network, which should be more than sufficient. Create an empty temporary file for dhcpd to use:
# touch /var/db/dhcpd.leases
If you make any changes to this file, run dhcpd fxp0 (or whatever your inside network is). (Or you can reboot the machine — but that’s the Windows way, in the Unix world we prefer to never reboot any machines.)
Install “ports”
“Ports” is a *BSD term for a tree of Makefiles for all the software out there that’s not part of the standard install. I recommend this highly. It is on CD No. 3 of the OpenBSD 3.1 CD-ROM set as ports.tar.gz. Please read the Ports and Packages page on the OpenBSD web site. You install it by typing (as root)

# mount /dev/cd0a /mnt
# cd /usr
# tar xzf /mnt/ports.tar.gz
Once you’ve done this, if you want to install a package, you cd to the appropriate directory and simply type make all install — it will ftp the source from the appopriate site, handle all dependencies, apply any required patches, configure, build and install the tool.

How do you find the appropriate directory to go to? You can guess at where it might be (look around in /usr/ports to get an idea for the layout etc.). But remember: locate(1) is your friend.

If you have the disk space (about 500 MB), I strongly recommend that you install the source code to the system also. (The source is also on CD No. 3.)

# mount /dev/cd0a /mnt
# cd /usr/src
# tar xzf /mnt/src.tar.gz
Getting time from the Internet
Set up NTP so that your machine will always have accurate time. Pick two servers from the public NTP server list and make sure /etc/ntp.conf looks like this:

server ntp.server.first
server ntp.server.second
Since xntpd is not part of the standard install, you have to compile xntpd from source.

# cd /usr/ports/sysutils/xntpd
# make all install
The tools will be installed into /usr/local/sbin/ntpd.

Run ntpdate -b server where you pick a server from the list — this will perform a coarse adjustment of the system clock. The next time the machine reboots, it will sync your clock and record how much your clock drifts.

Setting up other hosts with NTP
On Unix hosts, use the appropriate NTP client; on Linux, it’s xntpd. Set them up to use 192.168.1.1 as the NTP server. On Windows, use AboutTime — a free NTP client. In its configuration make sure it uses only SNTP as the protocol, with 192.168.1.1 as the server. Put AboutTime in the Startup folder so it’s started automatically.

For more details, go to Robert Mooney’s OpenBSD NTP site.

Tips and Stuff
I have a useful shell script called pkg_install that’s a front-end to pkg_add — here’s an example of it being used:
# pkg_install tex
These files match:
gettext-0.10.40.tgz
jadetex-3.11.tgz
latex2html-97.1.tgz
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-mysql.tgz
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-postgresql.tgz
php4-4.0.6p1-gettext.tgz
teTeX_texmf-1.0.2.tgz
texi2html-1.64.tgz
textutils-2.0.tgz
# pkg_install -n 4 texi
Using ftp5.usa.openbsd.org/pub/OpenBSD
+ pkg_add -v ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz
Trying to fetch ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz.
Extracting from FTP connection into /var/tmp/instmp.BVMJM29414
>>> ftp -o — ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz
…
It has a list of all the pre-compiled packages that are available. You type in a string and it installs the package. If more than one name matches, it shows you their names. (It uses egrep(1) so you can use regular expressions.) Save it to /usr/local/bin. It handles dependencies by recursively installing them also.

New in this version is in -n flag. The script has a list of mirrors, and this option picks one of the mirrors. (Currently in progress: it needs bash, and it needs some error checking but it works.) Don’t forget to edit the file — read http://www.openbsd.org/ftp.html and choosea list of mirrors closest to you.

Setting up a CVS server
(This section is probably not of interest to most people; you only need this if you want to set up a cvs server so you can put files you’re working on under source control. So it’s a little terse too.)

The changes I made: added a user and group named cvs. All users of CVS should be in the cvs group. Create a directory for the repository: I put it in /var/cvsroot, you might put it in /home or wherever. This directory should be group writable (group cvs). Add a line to /etc/services:

cvspserver 2401/tcp # CVS pserver
Add this line to /etc/inetd.conf:
cvspserver stream tcp nowait root /usr/bin/cvs cvs -f –allow-root=/var/cvsroot -T /var/tmp pserver
The server uses /var/tmp as its temp directory instead of /tmp since my root partitions are small, but I always make /var large. Now run cvs init in the cvs repository and restart inetd. Voila! Import your directory of files from a client machine, using a pserver CVSROOT and cvs import.

When importing a large set of files, you might want to put a .cvswrappers file in the directory you’re importing so CVS won’t try to put RCS ID strings inside your JPEG files etc. The syntax is:

*.jpg -k ‘b’
*.png -k ‘b’
*.tgz -k ‘b’
Coming soon: using ssh for CVS_RSH.
Setting up X11
You did select the packages xbase, xshare, xfont, and xserv when you installed OpenBSD, I hope? If not, never fear; you can install them directly off the CD:

# mount /dev/cd0a /mnt
# cd /
# tar xzvpf /mnt/3.1/i386/xbase31.tgz
# tar xzvpf /mnt/3.1/i386/xserv31.tgz
# tar xzvpf /mnt/3.1/i386/xshare31.tgz
# tar xzvpf /mnt/3.1/i386/xfont31.tgz
etc. The X11 package for ix86 systems is called XFree86; visit their website for more information. Now run xf86cfg. (If the command is not found, you probably don’t have /usr/X11R6/bin in your PATH environment variable.) Of course this is not something you can do over a network login; you have to be sitting at the machine, with a monitor, keyboard and mouse actually plugged in. You should have your video card and monitor specs available. Follow the instructions to setup XFree86. More information is on the Configuring XFree86 page on the Xfree86 site.
Installing a Desktop
Many people also install a desktop suite such as KDE or Gnome. I prefer KDE of the two. There is nothing special about KDE (or Gnome); it’s just a set of packages to be installed. There are two versions of KDE available, KDE 2.2 and KDE 3.0. Decide which one you want to run, and install those packages. (KDE2 and KDE3 cannot co-exist on the same system.)

These are the KDE2 packages:

$ pkg_info -a | egrep kde
kdelibs-2.2.2 X11 toolkit, libraries
kdeartwork-2.2.2 X11 toolkit, additional artwork
kdegraphics-2.2.2 X11 toolkit, graphics applications
kdelibs-doc-2.2.2 X11 toolkit, libraries documentation
kdebase-2.2.2 X11 toolkit, basic applications
kdenetwork-2.2.2 X11 toolkit, network applications
kdetoys-2.2.2 some useless kde applications
And for KDE3, the corresponding packages are:
kdeaddons-3.0.tgz
kdeartwork-3.0.tgz
kdebase-3.0.tgz
kdeedu-3.0.tgz
kdegames-3.0.tgz
kdegraphics-3.0.tgz
kdelibs-3.0.tgz
kdenetwork-3.0.tgz
kdetoys-3.0.tgz
kdeutils-3.0.tgz
koffice-1.1.1-kde3.tgz
There are lots of I18N packages also, kde-i18n-*-3.0.tgz.
Display managers xdm and kdm
You may want to run a display manager like xdm or kdm. (A display manager is the program that gives you a graphical login display instead of a plain text message.) The config file for kdm is /usr/local/share/config/kdm/kdmrc; the xdm config file lives in /etc/X11/xdm/xdm-config. Edit /etc/rc.conf and set xdm_flags to an empty string (in quotes) to make xdm run on startup. (If you installed KDE, it will be kdm that’s started.) If you installed KDE3, add it to the list of available logins in kdmrc: in the [X-*-Greeter] section, look for the SessionTypes line and add “KDE3″ to the list.

Setting up XDMCP
If you have an X-Terminal (like the Sun Ray, or the ones NCD used to make) or run eXceed on Windows platforms, you may want to allow X11 logins to your OpenBSD machine from eXceed or the X-Terminal. The protocol that allows this is called XDMCP; to enable it: if using xdm, edit /etc/X11/xdm/Xaccess and remove the ‘#’ from the first column of this line:

#* #any host can get a login window
Note: we don’t allow any X11 or XDMCP messages to go across our firewall. Only hosts inside the firewall can get a login screen.
Also edit xdm-config and comment out this line by putting a ‘!’ character in the first column:

DisplayManager.requestPort: 0
If using kdm, edit /usr/local/share/config/kdm/kdmrc and look for the [Xdmcp] section. Uncomment lines so it looks like this:
[Xdmcp]
# Whether KDM should listen to XDMCP requests. Default is true.
Enable=true
# The UDP port KDM should listen on for XDMCP requests. Don’t change the 177.
Port=177
(followed by other stuff.)
Amusements
People like to do things like rip CDs to Ogg Vorbis or MP3 and listen to those files. I use grip as a front-end to rip music to Ogg Vorbis files, and xmms (package name xmms-vorbis) to listen to them. I use Gnu LilyPond and TeX/LaTeX (package teTeX_texmf) to typeset documents and music. The LaTeX files can be converted to HTML with latex2html. You can run Linux programs if you install the redhat_base, redhat_motif, and rpm packages. (The Linux version of Opera, the web browser, runs fine.)