温室小花.技术.博客 --纯粹的unix技术博客 » openbsd unix

openbsd 4.5 livecd 试用心得

admin — Mon, 06 Jul 2009 16:09:24 +0000

昨天，无意在某个QQ群看到这条信息，有BSD fans 贴出一条openbsd live cd 的信息，列出OpenBSD 4.5 Live CD 的下载地址：ftp://bsd.pls.msu.edu/pub/livecd ，俺记得几年前，用过livecd 4.0 ，但由于没深入研究。所以印象不深。用了一两次就没再用。今天无意中看到这条信息。无意中又沟起俺对openbsd 的美好回忆。openbsd 是俺很喜欢的一种BSD系统。以前常用来作防火墙安全等研究。后来，就没再继续深入研究。今天又忽然心血来潮。想玩玩openbsd livecd .因为俺从openbsd3.8开始。就没怎样研究过openbsd 。今天，又忽然想玩一下。就在那个网站下载livecd .俺下载到是xfce桌面的livcd .gz 压缩版本。才几百M。不大。。。下载完。俺就习惯用winrar解压。用vmware来安装与尝试。安装很需利。livecd 正常启动。启动提示设置root 与普通user账户的密码。设置密码。然后会提示你是选择终端login模式，还是桌面图形模式。俺一开始。顺便按了回车，系统就默认用终端来lgoin 。login后，俺习惯打入：startx 启动桌面。发觉桌面是熟悉的xfce桌面。。俺动了动mouse，发觉mouse很不灵活。很艰难地右击一下，弹出常用菜单，然后选了setting中的mouse setting ，将mouse 的灵敏度调到最右边。也是最高的位置。但发觉mouse的灵敏度还是很低。。。俺没时间，也没耐心断续玩下去。就顺手打开一个终端。运行halt 关机了事。。。到了晚上。。俺想着，总不能就这样对openbsd livecd 说声再见，总要看看mouse 反应不够灵敏的问题出在哪里吧?那俺又再一次运行livecd .到了选择login模式，这次。俺是直接选了图形login模式，跟着。弹出一个图形login窗口，输入root账号与密码后。进入一个xfce桌面。俺动了动mouse，发觉这回mouse灵活很多，基本不影晌使用。。俺随便看看，发觉这些LIVECD 整合的软件比较少。除了一个firefox3.06外，其它都是桌面的基本设置。例如mouse ,keyborad等等。。俺打开firefox，想尝试打开网页。发现无法打开网页。随手打开一个终端，运行ifconfig .发觉没有自动获取到ip…俺了想想，想可能是openbsdlivecd 是用vmware安装的。而俺的winxp 是无线上网。而 vmware没有开发nat转换功能。所以。livecd 没有获得ip，并且将网络信号转换出去，所以无法上网。。。俺再四周看看。发觉这个xfce 桌面的openbsd4.5 livecd 整合的软件太少。没什么吸引力。就随手halt掉。就没再弄。。。

Openbsd 4.5 live cd 下载网址以及制作过程

admin — Sat, 04 Jul 2009 02:53:01 +0000

OpenBSD 4.5 Live CD

ftp://bsd.pls.msu.edu/pub/livecd

另符一篇livecd 的制作过程文章。仅作参考

OpenBSD LiveCD制作过程
刚开始接触OpenBSD时，我就很想使用OpenBSD LiveCD，但没找到。今年1月那时起就想

自己做一个LiveCD，一个新年一过，就将它放下，现在又重新开始制作，今天写这篇文章

只是我思路的一个开始，制作的LiveCD，还不完善，我会后续为其改进。

制作过程：
一、准备工作：
1、一个能运行OpenBSD系统的所需要的必备文件，这里我就没像一些mini LiveCD那样

对系统进行剔牛肉进行精减，只是将一个能运行的系统的所有文件进行备份。而且如果备份

的文件不大，那制作出的LiveCD就很小，我们就可以将这个备份的系统文件也一起放进CD

中，到时就可以用这个LiveCD安装系统，
2、 OpenBSD系统的源程序，我们在制作过程中需要编译光盘镜像。

二、将备份的系统文件解开到一个目录下，我将以这个目录作为LiveCD的根目录制作CD

，如/usr/live/。
三、将OpenBSD源程序解开到/usr/src下，然后：
1、安装必须的程序：
# cd /usr/src/distrib/crunch/crunchgen
#make; make install
#cd /usr/src/distrib/crunch/crunchide
#make; make install

2、定制内核
内核文件是/usr/src/sys/arch/i386/conf/RAMDISK_CD，我们需要对这个文件进行修改，其

中有三行最重要，一定不能少：
option MFS
option UNION
config bsd root on cd0a
LiveCD运行于MFS上，而且它的根目录在CD上。

还有其它一些选项如：
option SMALL_KERNEL
option NO_PROPLICE
option TIMEZONE=0
option DST=0
option RAMDISK_HOOKS
option MINIROOTSIZE=3560

需要将一些多余的东西删除，因此这个内核大小控制在2.88M以内，太大时会编译失败。我

的RAMDISK_CD是将/usr/src/sys/arch/i386/conf/GENERIC 和/usr/src/sys/conf/GENERIC

这两个文章合并然后去掉一些内容整理出来的。

3、编译内核
# cd /usr/src/distrib/i386/ramdisk_cd
#make
成功后会在目录下生成cdrom36.fs这个文件，我们将这个文件复制到制作LiveCD的目录

下/usr/live/。

四、修改/usr/live/etc中的各类文件
1、fstab

/dev/cd0a / cd9660 ro,noatime 0 0

swap /dev mfs rw,noatime,union,-s=16384 0 0

swap /tmp mfs rw,nodev,noexec,nosuid,noatime,-s=32768 0 0

swap /etc mfs rw,noatime,-s=16384 0 0

swap /var mfs rw,noatime,-s=16384 0 0

swap /home mfs rw,noatime,-s=16384 0 0

以前我没发现fstab的功能居然如此强大, 以为它只能mount已分好的挂载点, 原来它在光盘

系统中还可以在启动时自动挂载写入fstab中的mfs.

2、rc
OpenBSD启动时首先读取这个文件，如果找不到它就会读取根目录下的/.profile文件进

行初始配置。
修改/etc/rc文件, 三个地方修改

# $OpenBSD: rc,v 1.251 2004/08/21 08:17:28 hshoexer Exp $

# System startup script run by init on autoboot

# or after single-user.

# Output and error are redirected to console by init,

# and the console is the controlling terminal.

# Subroutines (have to come first).

# Strip comments (and leading/trailing whitespace if IFS is set)

# from a file and spew to stdout

stripcom() {

local _file=”$1″

local _line

{

while read _line ; do

_line=${_line%%#*} # strip comments

test -z “$_line” && continue

echo $_line

done

} < $_file

}

# End subroutines

stty status '^T'

# Set shell to ignore SIGINT (2), but not children;

# shell catches SIGQUIT (3) and returns to single user after fsck.

trap : 2

trap : 3 # shouldn't be needed

HOME=/; export HOME

PATH=/sbin:/bin:/usr/sbin:/usr/bin

export PATH

if [ $1x = shutdownx ]; then

dd if=/dev/urandom of=/var/db/host.random bs=1024 count=64 >;/dev/null

2>;&1

chmod 600 /var/db/host.random >;/dev/null 2>;&1

if [ $? -eq 0 -a -f /etc/rc.shutdown ]; then

echo /etc/rc.shutdown in progress…

. /etc/rc.shutdown

echo /etc/rc.shutdown complete.

# bring carp interfaces down gracefully

for hn in /etc/hostname.carp[0-9]*; do

# Strip off /etc/hostname. prefix

if=${hn#/etc/hostname.}

test “$if” = “carp[0-9]*” && continue

ifconfig $if >; /dev/null 2>;&1

if [ "$?" != "0" ]; then

ifconfig $if down

done

if [ "X${powerdown}" = X"YES" ]; then

exit 2

else

echo single user: not running /etc/rc.shutdown

exit 0

# Configure ccd devices.

if [ -f /etc/ccd.conf ]; then

ccdconfig -C

# Configure raid devices.

for dev in 0 1 2 3; do

if [ -f /etc/raid$dev.conf ]; then

raidctl -c /etc/raid$dev.conf raid$dev

done

# Check parity on raid devices.

raidctl -P all

swapctl -A -t blk

if [ -e /fastboot ]; then

echo “Fast boot: skipping disk checks.”

elif [ $1x = autobootx ]; then

echo “Automatic boot in progress: starting file system checks.”

# fsck –p 这一行要注释掉

case $? in

;;

exit 1

;;

echo “Rebooting…”

reboot

echo “Reboot failed; help!”

exit 1

;;

echo “Automatic file system check failed; help!”

exit 1

;;

12)

echo “Boot interrupted.”

exit 1

;;

130)

# interrupt before catcher installed

exit 1

;;

echo “Unknown error; help!”

exit 1

;;

esac

trap “echo ‘Boot interrupted.’; exit 1″ 3

umount -a >;/dev/null 2>;&1

mount -a -t nonfs

mount -uw / # root on nfs requires this, others aren’t hurt

rm -f /fastboot # XXX (root now writeable)

这里需要在/dev下建立三个设备点, 不然后一步tar出错, 系统启动时会问题多多

mknod /dev/stdout c 22 1

mknod /dev/stdin c 22 0

mknod /dev/stderr c 22 2

if [ -f /mfs/mfs.tgz ]; then

tar zxpf /mfs/mfs.tgz -C /

echo ‘Fixed up mfs from /mfs/mfs.tgz’

chmod 755 /dev /etc /var

chmod a+rwx,a+t /tmp

# set flags on ttys. (do early, in case they use tty for SLIP in netstart)

echo ‘setting tty flags’

ttyflags -a

if [ "X${pf}" != X"NO" ]; then

RULES=”block all”

RULES=”$RULES\npass on lo0″

RULES=”$RULES\npass in proto tcp from any to any port 22 keep state”

RULES=”$RULES\npass out proto { tcp, udp } from any to any port 53 keep

state”

RULES=”$RULES\npass out inet proto icmp all icmp-type echoreq keep

state”

RULES=”$RULES\npass out inet6 proto icmp6 all icmp6-type routersol”

RULES=”$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv”

RULES=”$RULES\npass proto { pfsync, carp }”

case `sysctl vfs.mounts.nfs 2>;/dev/null` in

*[1-9]*)

# don’t kill NFS

RULES=”scrub in all no-df\n$RULES”

RULES=”$RULES\npass in proto udp from any port { 111, 2049 } to

any”

RULES=”$RULES\npass out proto udp from any to any port { 111,

2049 }”

;;

esac

echo $RULES | pfctl -f – -e

if [ -f /etc/sysctl.conf ]; then

(

# delete comments and blank lines

set — `stripcom /etc/sysctl.conf`

while [ $# -ge 1 ] ; do

sysctl $1

shift

done

)

# set hostname, turn on network

echo “Setting Network……” 修改这里, 加入我写的setnetwork脚本,

. /etc/setnetwork 这样网络设置在每台机上都可以重新设置而不是

更改文件.

3、上一步最后有一个setnetwork脚本，这一步写出。我的脚本编写不会，只好从其它地方

抄过来，有一些错误，需要请高手改写。这个文件有点大，贴在最后吧！

4、将一些网络配置的文件删除如：hosts, mygate等。上一步的network在启动时会生成这

些配置文件。

五、备份几个目录，在4.3 rc脚本中的MFS部分那个文件。
在/usr/live/ LiveCD根目录下建立文件夹：mfs 然后：
# tar cvzfp mfs/mfs.tgz dev etc home var

六、制作ISO镜像：
# cd /usr/live
# mkhybrid –b cdrom36.fs –c boot.catalog –R –v –o /usr/OpenBSD-LiveCD.iso

/usr/live

现在制作完成，你可以用虚拟机测试这个生成的ISO镜像。
参考网上许多文章, 这里就不一一列出来, 感谢那些大哥写出那么好的教程.

我现在还有几个问题需要解决，主要是MFS这方面的，另外shell脚本的错误也需要大家来解

决。
设置网络用的setnetwork脚本:
setnetwork：

#!/bin/sh

get_dkdevs() {

bsort `sed -ne “${MDDISKDEVS:-/^[sw]d[0-9][0-9]* /s/ .*//p}”

/var/run/dmesg.boot`

}

get_cddevs() {

bsort `sed -ne “${MDCDDEVS:-/^cd[0-9][0-9]* /s/ .*//p}”

/var/run/dmesg.boot`

}

get_ifdevs() {

ifconfig -a \

| egrep -v ‘^[[:space:]]|

(bridge|enc|gif|gre|lo|pflog|pfsync|ppp|sl|tun|vlan)[[:digit:]]+:’ \

| sed -ne ‘s/^$.*$:.*/\1/p’

}

askpass() {

set -o noglob

stty -echo

read resp?”$1 ”

stty echo

set +o noglob

echo

}

ask() {

local _question=$1 _default=$2

set -o noglob

while : ; do

echo -n “$_question ”

[[ -z $_default ]] || echo -n “[$_default] ”

read resp

case $resp in

!) echo “Type ‘exit’ to return to install.”

;;

!*) eval ${resp#?}

;;

*) : ${resp:=$_default}

break

;;

esac

done

set +o noglob

}

ask_until() {

resp=

while [[ -z $resp ]] ; do

ask “$1″ “$2″

done

}

ask_yn() {

local _q=$1 _a=${2:-no} _resp

typeset -l _resp

while : ; do

ask “$_q” “$_a”

_resp=$resp

case $_resp in

y|yes) resp=y ; return ;;

n|no) resp=n ; return ;;

esac

done

}

ask_which() {

local _name=$1 _query=$2 _devs=$3 _defdev=$4 _err=$5

set — $_devs

if [[ $# -lt 1 ]]; then

echo “${_err:=No ${_name}s found}.”

resp=done

return

: ${_defdev:=$1}

_devs=”$*”

while : ; do

ask “Available ${_name}s are: ${_devs}.\nWhich one ${_query}?

(or ‘done’)” “$_defdev”

[[ $resp == done ]] && break

if isin “$resp” $_devs; then

makedev $resp && break

else

echo “‘$resp’ is not a valid choice.”

done

}

isin() {

local _a=$1 _b

shift

for _b; do

[ "$_a" = "$_b" ] && return 0

done

return 1

}

addel() {

local _a=$1

shift

echo -n “$*”

isin “$_a” $* || echo -n ” $_a”

}

rmel() {

local _a=$1 _b

shift

for _b; do

[ "$_a" != "$_b" ] && echo -n “$_b ”

done

}

edit_tmp_file() {

local _file=$1

ask_yn “Edit $_file with $EDITOR?”

[[ $resp == y ]] && $EDITOR /tmp/$_file

}

manual_net_cfg() {

ask_yn “Do you want to do any manual network configuration?”

[[ $resp == y ]] && { echo “Type ‘exit’ to return to $MODE.” ; sh ; }

}

makedev() {

local _dev=$1 _node=/dev/r${1}c

if isin $_dev $IFDEVS || [[ -c $_node || -z ${_dev##+([0-9])} ]] ; then

return 0

if [[ ! -r /dev/MAKEDEV ]] ; then

echo “No /dev/MAKEDEV. Can’t create device nodes for ${_dev}.”

return 1

(cd /dev; sh MAKEDEV $_dev)

[[ -c $_node ]] || return 1

DEVSMADE=`addel $_dev $DEVSMADE`

}

addhostent() {

sed “/ $2\$/d” /etc/hosts >; /etc/hosts.new

mv /etc/hosts.new /etc/hosts

echo “$1 $2″ >;>; /etc/hosts

}

configure_ifs() {

local _IFDEVS=$IFDEVS _ifs _name _media _hn

while : ; do

ask_which “interface” “do you wish to initialize” “$_IFDEVS” \

“” “No more interfaces to initialize”

[[ $resp == done ]] && break

_ifs=$resp

_hn=/etc/hostname.$_ifs

ask “Symbolic (host) name for $_ifs?” “$(hostname -s)”

_name=$resp

_media=$(ifconfig -m $_ifs | grep “media “)

if [[ -n $_media ]]; then

cat << __EOT

The media options for $_ifs are currently

$(ifconfig -m $_ifs | sed -n '/supported/D;/media:/p')

__EOT

ask_yn "Do you want to change the media options?"

case $resp in

y) cat << __EOT

Supported media options for $_ifs are:

$_media

__EOT

ask "Media options for $_ifs?"

_media=$resp

ifconfig $_ifs $_media || return 1

;;

n) _media=

;;

esac

rm -f $_hn

v4_config "$_ifs" "$_media" "$_name" "$_hn"

[[ -f $_hn ]] && _IFDEVS=$(rmel "$_ifs" $_IFDEVS)

done

}

v4_info() {

ifconfig $1 inet | sed -n '

1s/.*

1s/.*<.*/DOWN/p

/inet/s/netmask//

/inet/s///p'

}

dhcp_request() {

local _ifs=$1 _hostname=$2

echo "initial-interval 1;" >; /etc/dhclient.conf

if [[ -n $_hostname ]]; then

echo “send host-name \”$_hostname\”;” >;>; /etc/dhclient.conf

echo “Issuing hostname-associated DHCP request for $_ifs.”

else

echo “Issuing free-roaming DHCP request for $_ifs.”

cat >;>; /etc/dhclient.conf << __EOT

request subnet-mask,

broadcast-address,

routers,

domain-name,

domain-name-servers,

host-name;

__EOT

cat >;>; /etc/resolv.conf.tail << __EOT

lookup file bind

__EOT

dhclient $_ifs

set -- $(v4_info $_ifs)

if [[ $1 == UP && $2 == "0.0.0.0" ]]; then

ifconfig $_ifs delete down

rm /etc/dhclient.conf /etc/resolv.conf.tail

return 1

# cp /etc/dhclient.conf /tmp/dhclient.conf

# cp /etc/resolv.conf.tail /tmp/resolv.conf.tail

return 0

}

v4_config() {

local _ifs=$1 _media=$2 _name=$3 _hn=$4 _prompt

set -- $(v4_info $_ifs)

if [[ -n $2 ]]; then

ifconfig $_ifs inet $2 delete

[[ $2 != "0.0.0.0" ]] && { _addr=$2; _mask=$3; }

[[ -x /sbin/dhclient ]] && _prompt=" or 'dhcp'"

_prompt="IPv4 address for $_ifs? (or 'none'$_prompt)"

ask_until "$_prompt" "$_addr"

case $resp in

none) ;;

dhcp) if [[ ! -x /sbin/dhclient ]]; then

echo "DHCP not possible - no /sbin/dhclient."

elif dhcp_request $_ifs "$_name" || dhcp_request $_ifs ; then

addhostent "127.0.0.1" "$_name"

echo "dhcp NONE NONE NONE $_media" >; $_hn

;;

*) _addr=$resp

ask_until “Netmask?” “${_mask:=255.255.255.0}”

if ifconfig $_ifs inet $_addr netmask $resp up ; then

addhostent “$_addr” “$_name”

echo “inet $_addr $resp NONE $_media” >; $_hn

;;

esac

}

v4_defroute() {

local _dr _prompt=” or ‘none’”

[[ -x /sbin/dhclient ]] && _prompt=”, ‘dhcp’$_prompt”

_prompt=”Default IPv4 route? (IPv4 address$_prompt)”

_dr=$(route -n show -inet | sed -ne ‘/^default */{s///; s/ .*//; p;}’)

[[ -f /tmp/dhclient.conf ]] && _dr=dhcp

while : ; do

ask_until “$_prompt” “$_dr”

case $resp in

none|dhcp) break ;;

esac

route delete -inet default >; /dev/null 2>;&1

route -n add -inet -host default “$resp” && { echo “$resp”

>;/etc/mygate ; break ; }

route -n add -inet -host default $_dr >;/dev/null 2>;&1

done

}

isalphanumeric() {

local _n=$1

while [[ ${#_n} -ne 0 ]]; do

case $_n in

[A-Za-z0-9]*) ;;

*) return 1;;

esac

_n=${_n#?}

done

return 0

}

enable_network() {

local _netfile

# for _netfile in hosts dhclient.conf resolv.conf resolv.conf.tail

protocols services; do

# if [ -f /mnt/etc/${_netfile} ]; then

# cp /mnt/etc/${_netfile} /etc/${_netfile}

# fi

# done

ifconfig lo0 inet 127.0.0.1

for hn in /etc/hostname.*; do

if=${hn#/etc/hostname.}

if ! isalphanumeric “$if”; then

continue

ifconfig $if >; /dev/null 2>;&1

if [ $? -ne 0 ]; then

continue

while :; do

if [ "$cmd2" ]; then

set — $cmd2

af=$1 name=$2 mask=$3 bcaddr=$4 ext1=$5 cmd2=

i=1; while [ i -lt 6 -a -n "$1" ]; do shift; let

i=i+1; done

ext2=”$@”

else

read af name mask bcaddr ext1 ext2 || break

case $af in

“#”*|”!”*|”bridge”|”"|”rtsol”)

continue

;;

“dhcp”) [ "$name" = "NONE" ] && name=

[ "$mask" = "NONE" ] && mask=

[ "$bcaddr" = "NONE" ] && bcaddr=

ifconfig $if $name $mask $bcaddr $ext1 $ext2

down

cmd=”dhclient $if”

;;

“up”)

cmd=”ifconfig $if $name $mask $bcaddr $ext1

$ext2 up”

;;

*) read dt dtaddr

if [ "$name" = "alias" ]; then

alias=$name

name=$mask

mask=$bcaddr

bcaddr=$ext1

ext1=$ext2

ext2=

else

alias=

cmd=”ifconfig $if $af $alias $name ”

case $dt in

dest) cmd=”$cmd $dtaddr”

;;

[a-z!]*)

cmd2=”$dt $dtaddr”

;;

esac

if [ ! -n "$name" ]; then

echo “/etc/hostname.$if: invalid network

configuration file”

return

case $af in

inet) [ "$mask" ] && cmd=”$cmd netmask $mask”

if [ "$bcaddr" -a "$bcaddr" != "NONE" ];

then

cmd=”$cmd broadcast $bcaddr”

[ "$alias" ] && rtcmd=”; route -qn add

-host $name 127.0.0.1″

;;

inet6)

continue

;;

*) cmd=”$cmd $mask $bcaddr”

esac

cmd=”$cmd $ext1 $ext2$rtcmd” rtcmd=

;;

esac

eval “$cmd”

done

if [ -f /etc/mygate ]; then

route delete default >;/dev/null 2>;&1

route -qn add -host default $(< /etc/mygate)

route -qn add -host `hostname` 127.0.0.1 >;/dev/null

route -qn add -net 127 127.0.0.1 -reject >;/dev/null

echo “Network interface configuration:”

ifconfig -am

route -n show

if [ -f /etc/resolv.conf ]; then

echo “\nResolver enabled.”

else

echo “\nResolver not enabled.”

}

get_fqdn() {

local _dn

_dn=$(hostname)

_dn=${_dn#$(hostname -s)}

_dn=${_dn#.}

echo “${_dn:=my.domain}”

}

donetconfig() {

local _dn _ns

configure_ifs

if [ -f /etc/resolv.conf.shadow ]; then

mv /etc/resolv.conf.shadow /etc/resolv.conf

_ns=$(sed -ne ‘/^nameserver /s///p’ /etc/resolv.conf)

_dn=$(sed -n \

-e ‘/^domain[[:space:]][[:space:]]*/{s///;s/\([^

[:space:]]*\).*$/\1/;h;}’ \

-e ‘/^search[[:space:]][[:space:]]*/{s///;s/\([^

[:space:]]*\).*$/\1/;h;}’ \

-e ‘${g;p;}’ /tmp/resolv.conf)

ask “DNS domain name? (e.g. ‘bar.com’)” “${_dn:=$(get_fqdn)}”

hostname “$(hostname -s).$resp”

ask “DNS nameserver? (IP address or ‘none’)” “${_ns:=none}”

if [[ $resp != none ]]; then

echo “lookup file bind” >; /etc/resolv.conf

for _ns in $resp; do

echo “nameserver $_ns” >;>; /etc/resolv.conf

done

ask_yn “Use the nameserver now?” yes

[[ $resp == y ]] && cp /etc/resolv.conf /etc/resolv.conf.shadow

[[ -n $(ifconfig -a | sed -ne '/[ ]inet .* broadcast /p’) ]] &&

v4_defroute

# edit_tmp_file hosts

# manual_net_cfg

}

IFDEVS=$(get_ifdevs)

MODE=OpenBSD-LiveCD

EDITOR=mg

ask_until “\nSystem hostname? (short form, e.g. ‘foo’)” “$(hostname -s)”

[[ ${resp%%.*} != $(hostname -s) ]] && hostname $resp

( cd /etc; rm -f host* my* resolv.* dhclient.* )

cat >; /etc/hosts << __EOT

::1 localhost

127.0.0.1 localhost

::1 $(hostname -s)

127.0.0.1 $(hostname -s)

__EOT

ask_yn "Configure the network?" yes

[[ $resp == y ]] && donetconfig

( cd /etc

hostname >; myname

_dn=$(get_fqdn)

while read _addr _hn _aliases; do

if [[ -n $_aliases || $_hn != ${_hn%%.*} || -z $_dn ]]; then

echo “$_addr $_hn $_aliases”

else

echo “$_addr $_hn.$_dn $_hn”

done < hosts >; hosts.new

mv hosts.new hosts

)

ask “HTTP/FTP proxy URL? (e.g. ‘http://proxy:8080′, or ‘none’)” \

“${ftp_proxy:-none}”

unset ftp_proxy http_proxy

[[ $resp == none ]] || export ftp_proxy=$resp http_proxy=$resp

OpenBSD.Nginx.MySQL.PHP环境搭建手册(网上转摘）

admin — Mon, 08 Jun 2009 14:32:00 +0000

很久没弄过OPENBSD，而且，听说现在的NGINX很红，性能比传统的APACHE要好很多倍，因而，一直想弄个NGINX服务器环境。加上，俺也想熟悉回OPENBSD，就想着弄个OPENBSD，NGINX，MYSQL，PHP的环境。。弄来玩玩，就当复习一下技术。出于习惯，俺还是在网上找了这篇文档。初步看过，好像写得不错，，就先弄过来，暂没时间实操过，待俺忙过这段时间。就再次重点研究一下俺熟悉而喜欢的UNIX服务器与数据库技术。。。

本手册以在OpenBSD 4.4环境下搭建Nginx、MySQL、PHP环境为例进行讲解。按照惯例，root权限。

=====================================================

一、OpenBSD的安装及注意事项
二、系统性能调优
Ⅰ、/etc/fstab调优
Ⅱ、/etc/sysctl.conf调优

三、O.N.M.P.软件环境的安装
四、Nginx配置
Ⅰ、Nginx配置文件的修改
Ⅱ、Nginx日志截断

五、MySQL与phpMyAdmin的配置
Ⅰ、MySQL的配置
Ⅱ、phpMyAdmin的配置

六、强化PHP的安全
七、强化SSH的安全
Ⅰ、SSH配置文件的修改
Ⅱ、使用KEY进行验证
Ⅲ、按需启动SSH
Ⅳ、一点安全小常识

八、启用Packet Filter防火墙
九、系统启动脚本的修改

=====================================================

一、OpenBSD的安装及注意事项

OpenBSD的安装这里就不多说了，主要是安装时系统组件的选择、分区和系统服务的部分。对于系统组件部分，作为生产系统来说，偶并不推荐安装comp44.tgz这个组件。因为comp44.tgz实际就是编译器，不装这个，可以在很大程度上避免安装一些非授权的软件，从而提高远程主机的安全性。如果真的需要安装什么软件，也可以在非重要的机器上进行编译，然后使用PSFTP等软件上传到远程主机上使用。关于PSFTP软件的使用，二楼有详细的介绍。

系统分区时，推荐将/usr、/usr/local、/var、/var/mysql、/var/mail、/var/log、/var/nginx等分区单独分出来，也就是说，进行比较细致的分区，防止某个目录中的文件膨胀占满整个分区导致的死锁等问题。假定你有一个80G的硬盘，一个分区示例在下面：

/ 200M
(swap) 1G
/tmp 200M
/usr 500M
/usr/local 200M
/var 100M
/var/mysql 10G
/var/mail 100M
/var/log 5G~10G
/home 200M
/var/nginx 剩余空间

至于系统服务部分，建议所有的服务都选择“n”，亦即不随系统启动。

二、系统性能调优

对于多核的机器，使用bsd.mp这个核心。

[Copy to clipboard] [ - ]CODE:
mv /bsd /obsd
mv /bsd.mp /bsd

Ⅰ、/etc/fstab调优

[Copy to clipboard] [ - ]CODE:
vi /etc/fstab

在文件系统描述符部分，加入”noatime”和”softdep”。示例如下：

QUOTE:
/dev/wd0a / ffs rw,noatime,softdep 1 1
/dev/wd0l /home ffs rw,nodev,nosuid,noatime,softdep 1 2
/dev/wd0d /tmp ffs rw,nodev,nosuid,noatime,softdep 1 2
/dev/wd0e /usr ffs rw,nodev,noatime,softdep 1 2
/dev/wd0f /usr/local ffs rw,nodev,noatime,softdep 1 2
/dev/wd0g /var ffs rw,nodev,nosuid,noatime,softdep 1 2
/dev/wd0i /var/log ffs rw,nodev,nosuid,noatime,softdep 1 2
/dev/wd0j /var/mail ffs rw,nodev,nosuid,noatime,softdep 1 2
/dev/wd0h /var/mysql ffs rw,nodev,nosuid,noatime,softdep 1 2
/dev/wd0k /var/nginx ffs rw,nodev,nosuid,noatime,softdep 1 2

友情提醒：softdep是一种非同步的文件系统，意外掉电可能造成数据的遗失/损坏，生产系统请谨慎使用！

改完后保存退出，reboot，看能不能正常启动。

一般情况下是没有问题的，个别机器或虚拟机可能会因为兼容性的缘故，无法启动。那么就把根目录的softdep拿掉，其他目录保留，仍然会有作用。

更多关于OpenBSD环境下磁盘性能调优的内容，请参看偶博客的文章，地址在下面：

http://blog.chinaunix.net/u2/81136/showart_1841280.html

Ⅱ、/etc/sysctl.conf调优

[Copy to clipboard] [ - ]CODE:
vi /etc/sysctl.conf

跳到最后，加入下面的内容：

QUOTE:
# 增大文件系统缓存到1M
kern.maxvnodes=131072

# 允许最多65536个进程
kern.maxproc=65536

# 同时最多打开65536个文件
kern.maxfiles=65536

# 并发连接最大65536
kern.somaxconn=65536

# 保留的最少连接数
kern.sominconn=256
kern.maxclusters=32768

# 增大TCP接收/发送缓存到64K
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536

# 增大UDP接收/发送缓存到64K
net.inet.udp.recvspace=65536
net.inet.udp.sendspace=65536

注意：虚拟机测试只加最上面一行kern.maxvnodes=65536即可，其他的不必加了，否则会有各种问题。独立机器的可以加上。

保存退出，reboot。不能正常启动的就把除kern.maxvnodes以外的数字调小或者禁用再试。

三、OpenBSD.Nginx.MySQL.PHP软件环境的安装

OpenBSD环境下软件的安装是非常简单的，因为在官方的ftp中提供了已经编译好的二进制包，需要安装的软件都在ftp中，从ftp中安装即可。

小提示：如果你机器比较多，你可以把需要安装的软件包都down回来，其他机器再来这里安装，速度会非常快！

[Copy to clipboard] [ - ]CODE:
export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386/

pkg_add mysql-server php5-fastcgi php5-gd-5.2.6-no_x11 phpMyAdmin lighttpd-1.4.19p3 nginx pecl-APC

以偶的1M ADSL小水管为例，大约也就二十分钟左右就安装完毕了！真的是非常快！和其他系统的wget源码、./configure && make && make install…所需要的时间相比，效率是非常高！而且，由于OpenBSD默认采用比较高的安全策略，装上的环境安全性也比其他系统要高！

等所需的软件都安装完成后，按提示作链接并创建PHP临时工作目录：

QUOTE:
ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules
ln -fs /var/www/conf/php5.sample/apc.ini /var/www/conf/php5/apc.ini
ln -fs /var/www/conf/php5.sample/gd.ini /var/www/conf/php5/gd.ini
ln -fs /var/www/conf/php5.sample/mbstring.ini /var/www/conf/php5/mbstring.ini
ln -fs /var/www/conf/php5.sample/mcrypt.ini /var/www/conf/php5/mcrypt.ini
ln -fs /var/www/conf/php5.sample/mysql.ini /var/www/conf/php5/mysql.ini
mkdir /var/nginx/sesstmp
chmod 0777 /var/nginx/sesstmp

pkg_info检查一下系统中安装了些什么软件包：

可以看到，所需的软件包和依赖的包都安装好了！

四、Nginx配置

Ⅰ、Nginx配置文件的修改

修改nginx的默认配置文件：

[Copy to clipboard] [ - ]CODE:
vi /etc/nginx/nginx.conf

按下面的内容修改Nginx的配置文件。兰色表示需要手动修改的内容，红色表示增加的内容：

QUOTE:
#user nobody;

# 指定子进程数，酌情修改
worker_processes 4;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

# 最多可打开文件数
worker_rlimit_nofile 8196;

events {
# 最大并发数
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;

# 关掉错误日志
error_log /dev/null crit;
# 如果需要错误日志，就用下面这行替换上面这行
#error_log /var/log/nginx/error.log notice;

# 定义日志格式，对日志使用缓存，避免频繁的磁盘I/O操作
access_log /var/log/nginx/access.log combined buffer=1m;

sendfile on;
tcp_nopush on;
tcp_nodelay on;

keepalive_timeout 10;

# 对静态文件和可压缩文件启用压缩，以节约网络带宽，提高访问速度
gzip on;
gzip_min_length 1k;
gzip_buffers 4 8k;
gzip_http_version 1.1;
gzip_comp_level 3;
gzip_types text/html text/css text/xml text/plain application/x-javascript application/xml application/pdf application/x-perl application/x-tcl application/msword application/rtf application/vnd.ms-excel application/vnd.ms-powerpoint application/vnd.wap.xhtml+xml image/x-ms-bmp;
gzip_disable “MSIE [1-6] \.”;
gzip_vary on;

# 定义输出缓存大小
output_buffers 4 32k;

# 最大允许可上传文件大小
client_max_body_size 20m;

# 定义一个叫“myzone”的记录区，总容量为 10M
# 和下面的limit_conn一起限制单个IP的并发连接数为10
limit_zone myzone $binary_remote_addr 10m;

server {
listen 80;
server_name localhost;

location / {
root /var/nginx/html;
index index.php index.html index.htm;
limit_conn myzone 10;
}

error_page 500 502 503 504 /50x.html;

location = /50x.html {
root /var/nginx/html;
}

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/nginx/html$fastcgi_script_name;
include fastcgi_params;
}

# 在浏览器本地暂存图片和静态文件，不记录日志，以节约机器资源
location ~* \.(gif|png|jpg|jpeg|bmp|css|js|swf)$
{
root /var/nginx/html;
access_log off;
expires max;
}

# 在浏览器中输入http://xxx.xxx.xxx/status可以看到Nginx的运行信息
# 需要密码验证，不记录日志，限制IP访问
location ~ /status
{
auth_basic “O.N.M.P.”;
auth_basic_user_file password;
stub_status on;
access_log off;
allow 192.168.0.0/24;
deny all;
}
}

}

其他的部分请酌情修改。

运行下面的命令生成查看Nginx运行状态的密码文件：

[Copy to clipboard] [ - ]CODE:
htpasswd -c /etc/nginx/password webadmin

按提示输入两遍密码即可。

在查看status的时候，输入用户名webadmin（见上面这行）和密码就能够看到Nginx的运行数据了。

Nginx能够流行和它的高负载能力是分不开的，在追求性能表现的场合，推荐使用Nginx+PHP-fastcgi的组合以获得强健的性能表现。而对于那些重视安全性的场合来说，可能OpenBSD内核集成的Apache更合适。OpenBSD下搭建Apache、MySQL、PHP环境的详细内容请参见偶的另篇博文，地址在下面：（博客速度可能较慢，四楼有转帖）

http://blog.chinaunix.net/u2/81136/showart_1860332.html

当然，你也可以利用Nginx内置的负载均衡功能，在前端分配访问流量，后端由Apache来运行PHP环境。Nginx负载均衡的配置可以去Nginx的主页参看相关内容，地址：http://wiki.nginx.org/Main。

下面为一个Nginx负载均衡的示例：

QUOTE:
http {
upstream myproject {
ip_hash;
server 192.168.1.1:80;
server 192.168.1.2:80;
server 192.168.1.3:80;
server 192.168.1.4:80;
}

server {
listen 80;
server_name www.domain.com;
location / {
proxy_pass http://myproject;
}
}
}

网络拓扑示意图如下：

Ⅱ、Nginx日志截断

OpenBSD默认每天00:00会执行/etc/daily.local脚本中的内容，我们只需要把Nginx日志截断的命令加入到这个文件中即可。

[Copy to clipboard] [ - ]CODE:
vi /etc/daily.local

加入下面的内容：

QUOTE:
#!/bin/sh
# 对Nginx日志进行截断和压缩，以节约log分区空间
# 在张宴的基础上修改，感谢！
mkdir -p /var/log/nginx/$(date -d “yesterday” +”%Y”)/$(date -d “yesterday” +”%m”)/
mv /var/log/nginx/access.log /var/log/nginx/$(date -d “yesterday” +”%Y”)/$(date -d “yesterday” +”%m”)/access.$(date -d “yesterday” +”%Y%m%d”).log
kill -USR1 `cat /var/run/nginx.pid`
sleep 1
gzip /var/log/nginx/$(date -d “yesterday” +”%Y”)/$(date -d “yesterday” +”%m”)/access.$(date -d “yesterday” +”%Y%m%d”).log

保存退出，为/etc/daily.local加上执行权限：

[Copy to clipboard] [ - ]CODE:
chmod 0755 /etc/daily.local

其他需要每天运行的命令也都可以加在这个脚本里面，各位自行处理。

五、MySQL与phpMyAdmin的配置

Ⅰ、MySQL的配置

安全起见，MySQL需要运行在自己的daemon下：

[Copy to clipboard] [ - ]CODE:
vi /etc/login.conf

跳到最后，加入MySQL所需的修改：

QUOTE:
mysql:\
penfiles-cur=2048:\
penfiles-max=4096:\
:tc=daemon:

使修改生效：

[Copy to clipboard] [ - ]CODE:
cap_mkdb /etc/login.conf

初始化MySQL数据库：

[Copy to clipboard] [ - ]CODE:
/usr/local/bin/mysql_install_db

MySQL自带了几个配置文件，在/usr/local/share/mysql目录中，可以拷贝为/etc/my.cnf使用。关于MySQL的配置和优化等内容，可以自行Google，这里不再赘述。
MySQL安全须知
不要用root身份运行数据库或PHP应用。并且，最好是数据库名和数据库用户名不同，以提高安全性。

例如，域名为example.net，则数据库名设为abcxyz，数据库用户名设为xyzabc。总之，关联度越低越好，数据库名和数据库用户名越复杂越难猜测越好。

控制权限的分配，PHP应用仅给予必要的权限。

例如，安装/升级Discuz!和PHPWind论坛程序，仅需要下图所示的权限即可：

在安装/升级完毕后，还可以把CREATE、ALTER、DROP权限去掉，不会影响论坛程序的运行，而且提高了安全性！
Ⅱ、phpMyAdmin的配置

由于OpenBSD中的phpMyAdmin默认是安装在/var/www/phpMyAdmin目录中的，直接使用Nginx是无法访问的，我们需要把它拷贝到Nginx目录下，这样就可以通过浏览器来管理MySQL数据库了。

[Copy to clipboard] [ - ]CODE:
mkdir /var/nginx/html/pma/
cp -rf /var/www/phpMyAdmin/* /var/nginx/html/pma/

修改phpMyAdmin的配置文件，使之可用。

[Copy to clipboard] [ - ]CODE:
vi +17 /var/nginx/html/pma/config.inc.php

将下面这行修改成：

QUOTE:
$cfg['blowfish_secret'] = ‘a’; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

（仅是加入了字母a而已）

保存退出。
小提示：
上面新建了/var/nginx/html/pma目录来保存phpMyAdmin的文件，目录名很简单。你可以用一个更复杂的目录名来代替，例如：pma2YAY5jRpfFfLXQVm这样的目录名，以防止黑客利用字典攻击等方法渗透你的phpMyAdmin！

你还可以在Nginx的配置文件中，将/var/nginx/html/pma配置成某个虚拟主机的根目录，并限定可以访问这个虚拟主机的IP。这样，就可以在很大程度上提高数据库的安全性了！一个配置示例在下面：

QUOTE:
location / {
allow 192.168.0.0/24;
deny all;
}

假如平时只是偶尔用到phpMyAdmin，你还可以在用完后删除/var/nginx/html/pma目录，需要用的时候再拷贝过去。

你还可以将以上方法结合起来灵活使用，既建立一个无法被猜测的目录名，又限制IP访问，这样你的系统被黑的机会就会小了很多！
六、强化PHP的安全

OpenBSD软件包中的PHP已经自带了suhosin这个补丁，可以在很大程度上提高PHP脚本的安全。本节主要讨论在php.ini文件中进行相关的设置，进一步提升安全性。具体来说，就是禁用某些危险函数和启用PHP安全模式。

偶一般是把对PHP的所有修改都放在一个单独的文件中进行，包括对PHP参数以及扩展模块的修改，都放在这个文件中一并处理，这样查找、修改和管理会方便许多：

[Copy to clipboard] [ - ]CODE:
vi /var/www/conf/php5/addphp.ini

加入下面的内容：

QUOTE:
; 禁止动态加载模块
enable_dl = Off

; 隐藏PHP信息
expose_php = Off

; 限定可访问目录
open_basedir = /var/nginx/html/

;设定session暂存目录
session.save_path=/var/nginx/sesstmp

; 设定PHP上传文件的临时目录
upload_tmp_dir=/var/nginx/tmp

; 禁用危险函数（注意下面的内容应该是一行，编排的原因分成了多行）
disable_functions = phpinfo,com,shell,exec,system,passthru,error_log,
stream_socket_server,putenv,ini_alter,ini_restore,ini_set,dl,openlog,
syslog,readlink,symlink,link,leak,fsockopen,pfsockopen,proc_open,
popepassthru,escapeshellcmd,escapeshellarg,chroot,scandir,
chgrp,chown,shell_exec,proc_get_status,popen,shmop_close,
shmop_delete,shmop_open,shmop_read,shmop_size,shmop_write

; 启用PHP的安全模式
; PHP在安全模式下运行是用性能换安全。据简单测试，性能下降到50%左右，各位请酌情使用
; 启用安全模式后，某些程序可能受到影响。例如，Discuz!将无法上传附件
safe_mode = On

; pecl-APC只使用16M的共享内存用以加速PHP程序的运行
apc.shm_size=16M

保存退出。
七、强化SSH的安全
Ⅰ、SSH配置文件的修改

[Copy to clipboard] [ - ]CODE:
vi /etc/ssh/sshd_config

跳到最后，加入下面的部分：

QUOTE:
# 使用高位端口，防止黑客扫描22端口。可选范围1024~65535，推荐32768~65535。
Port 58937

# 登录时间控制在30秒内
LoginGraceTime 30

# 不允许root远程直接登录
PermitRootLogin no
StrictModes yes

# 最多允许三次错误
MaxAuthTries 3

# 最多允许三个SSH线程
MaxSessions 3

# 使用SSH协议2
Protocol 2

# 不使用密码认证
PasswordAuthentication no

# 使用KEY的方式认证
PubkeyAuthentication yes

# KEY文件存放位置
AuthorizedKeysFile .ssh/authorized_keys

Ⅱ、使用KEY进行验证

下面以Windows环境下PuTTY为例讲解使用KEY验证的方法，Linux/UNIX下与此类似。

首先，从下面的网址下载PuTTY的安装包（Windows）：

http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.60-installer.exe

下完后双击安装，不再赘述。这个软件包自带了下面几个非常实用的软件：

QUOTE:
PuTTYgen:生成KEY；

Pageant:管理KEY；

PuTTY:SSH客户端；

PSFTP:使用SSH上传/下载文件。

下面就来实例讲解用PuTTY的这几个软件对远程主机进行KEY认证和管理的方法。假设我们要在192.168.0.132这个远程主机上使用young_king这个用户名进行KEY认证和登录。
1.生成KEY

启动PuTTYgen，如下图：

在密钥长度栏输入想要的密钥长度，越大越安全。这里以最大的2048位为例，然后点“Generate”按钮，会开始生成KEY，生成过程中需要在下面的空白部分移动鼠标来生成随机数。

KEY生成完毕后，你可以输入一些标识信息，如下图：

还可以在下面的passphrase框内输入“保护码”，注意要输入两遍。“保护码”也就是密码的意思，用来保密私钥的，一定要记住这个哦！

都输入完毕后，点击下面的“Save public key”按钮保存公钥，如下图所示：

然后点击“Save private key”按钮保存私钥，如下图：

这个私钥最好不要保存在电脑上，我们把它拷贝到U盘上，随身带着，这就是我们的“KEY盘”。

要养成每月更换“保护码”的好习惯，更换“保护码”仍然要用到PuTTYgen这个软件，启动后点击“Load”，载入私钥，重新输入“保护码”，再确认一遍，然后点击“Save private key”保存即可！

2.启用KEY

上面生成了公钥和私钥，我们需要把公钥上传到远程主机的用户目录中，就要用到PSFTP这个软件了。启动它，如下图：

输入命令：open 192.168.0.132

接下来，PSFTP会列出远程主机上的RSA指纹以供识别，如下图：

这个指纹可以在远程主机上输入下面的命令查看：

[Copy to clipboard] [ - ]CODE:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

请把这个指纹记在纸上，随身携带，和远程主机连接的时候就拿出来对比一下（这么做主要是为了防止连接被人劫持和指纹被伪造）。

如果上面PSFTP显示的指纹和远程主机上的不一致，那么毫无疑问是伪造的了，直接回车断开连接。如果相符，你可以输入“y”来保存这个指纹到本地计算机上（不推荐），或输入“n”只是这次连接使用。

随后PSFTP会让你输入登录用户名和密码，并自动进入该用户的根目录，如下图（以root为例）：

现在我们要把第一步生成的公钥上传到远程主机上（请把这个公钥复制到C:\Documents and Settings\Administrator目录先，如果你的Windows不是用Administrtor登录的，就替换成你登录用的用户名）。输入命令：put young_king，可以看到，公钥已经上传到/root目录了，见下图：

PuTTY生成的KEY并不能直接使用，需要转换一下。用PuTTY登录（此时上面修改的端口尚未启用，还是默认的22端口），以root身份执行：

[Copy to clipboard] [ - ]CODE:
ssh-keygen -X -f /root/young_king > /home/young_king/.ssh/authorized_keys

这就把公钥成功导入到young_king的目录中了，就可以被young_king这个用户使用了！

导入成功后，要删除多余的公钥：

[Copy to clipboard] [ - ]CODE:
rm /root/young_king

下面介绍几个PSFTP常用的命令：

QUOTE:
open xxx.xxx.xxx.xxx：打开远程主机（xxx.xxx.xxx.xxx为IP或域名）；

put xxxxxxxx：向远程主机上传文件（该文件需要事先拷贝到C:\Documents and Settings\Administrator目录）；

get xxxxxxxx：从远程主机下载文件（下载后保存在C:\Documents and Settings\Administrator目录）；

cd xxxxxx:进入远程主机的相应目录；

exit：退出PSFTP（也可以点右上角的叉关闭，不过不推荐这样做）。

更多的命令可以参看PuTTY的帮助文件，这个帮助写得不错。

3.使用KEY登录

我们上面虽然修改了SSH的配置文件（/etc/ssh/sshd_config），但还没有启用。输入下面的命令启用新的SSH配置，以便我们用KEY登录：

[Copy to clipboard] [ - ]CODE:
kill -HUP `cat /var/run/sshd.pid`

PuTTY提供了一个KEY的管理程序，上面已经提到，是Pageant，我们使用这个程序来进行KEY登录。

启动Pageant，它会自动缩小到任务栏的通知区域，右键单击，选择“Add key”，会弹出个对话框让我们选择。插入上面制作好的“KEY盘”，并选择保存的私钥，会弹出个对话框让我们输入“保护码”，如下图：

如果安装PuTTY时选择了让Pageant关联.ppk文件，则双击私钥可以自动启动Pageant。

输入在生成KEY时输入的“保护码”，私钥就被导入到Pageant中了。再右键单击任务栏通知区的Pageant图标，选择第一项“New session”，Pageant会自动启动PuTTY，等待输入远程主机的相关信息，如下图：

输入IP（或域名）和端口号，点击最下面的“Open”按钮，PuTTY就会登录远程主机了。和PSFTP类似，会弹出个对话框让你确认远程主机的RSA指纹，如下图。同理，指纹不同就表示连接被劫持或指纹被伪造，点“取消”断开连接；指纹相同就点“否”，不保存主机公钥到本地计算机。

随后会让你输入用户名，输入“young_king”，看看，自动就登录上去了！

前面更改SSH配置的时候，已经禁用了root远程登录和使用密码登录，只能使用KEY才能登录进系统。想要维护系统的时候，就用这个KEY登录，再su成root。而且，需要上传/下载文件的时候，就用PSFTP，所有的操作都在SSH连接下进行，还有KEY的保护，安全性不知道提升了多少倍！黑客想要破解真是难于上青天！
Ⅲ、按需启动SSH

我们只在必要的时候启动sshd服务，用完即停止，不给黑客扫描的机会。输入下面的命令：

[Copy to clipboard] [ - ]CODE:
crontab -e

跳到最后，输入下面的内容（中间的空白部分为Tab）：

QUOTE:
# 每天的10:30启动sshd服务
30 10 * * * /usr/sbin/sshd

# 10:35即停止sshd服务，也就是说，你只有五分钟的时间可以登录进系统
35 10 * * * kill `cat /var/run/sshd.pid`

保存退出。

上面的时间请酌情修改。sshd服务启动的时间尽量不要太长，5~10分钟应该够了！

Ⅳ、一点安全小常识
私钥请一定保存在安全的地方，不要保存在本地计算机上，并加上足够强度的“保护码”；

本地计算机不要保存远程主机的“指纹”，用一次确认一次（远程主机的指纹保存在注册表的HKEY_CURRENT_USER\Software\SimonTatham\PuTTY项下，可以手动删除）；

不要使用DSA密钥，据说有漏洞的；

不要在公用计算机上连接远程主机，有键盘记录器、木马什么的就麻烦了；

多个远程主机不要使用相同的公钥，最好是使用各自的公钥、私钥；

少用，最好是不用无线网络，加密强度太差，容易被破解；

M$系统下的病毒、木马太多了，推荐客户端转换到Linux/UNIX环境，安全性更高，而且仍然有PuTTY及工具可用；

注意清除本地机器上不必要保留的文件（例如私钥、公钥、主机RSA指纹、C:\Documents and Settings\Administrator目录下的文件等等）。

八、启用Packet Filter防火墙

Packet Filter是非常优秀的包过滤防火墙，OpenBSD核心已经集成了Packet Filter防火墙，不过默认并没有启用，下面我们来启用Packet Filter的强大功能！

[Copy to clipboard] [ - ]CODE:
vi /etc/pf.conf

跳到最后，加入下面的内容：

QUOTE:
# 宏定义
# 请把下面的fxp0换成你自己用的外网网卡，不知道的可以输入ifconfig查看
ext_if=”fxp0″

# 指定可以使用SSH登录的IP，支持CIDR
admin_add=”192.168.0.0/24″

# 指定SSH端口。
# 注意，如果在/etc/ssh/sshd_config文件中更改了SSH端口号，这里的也需要同样修改。否则连不上了不要怪偶没有提醒！
ssh_port=”58937″

# 维持一个持久的表，里面存放的是对本机发动DDoS攻击的IP
table persist

# 选项设定
set require-order yes
set block-policy drop
set optimization aggressive
set loginterface none
set skip on lo0

# TCP参数设定
set timeout {interval 3,frag 10}
set timeout {tcp.first 10,tcp.opening 2,tcp.established 600,tcp.closing 20,tcp.finwait 10,tcp.closed 10}

# UDP、ICMP及其它参数设定
set timeout {udp.first 20,udp.single 10,udp.multiple 10}
set timeout {icmp.first 10,icmp.error 5}
set timeout {other.first 20,other.single 10,other.multiple 20}
set timeout {adaptive.start 0,adaptive.end 0}

# 允许最多有65536个连接
set limit { states 65535, frags 200, src-nodes 65536, tables 65536, table-entries 1048576 }

# 包整形
scrub in all
scrub out all

# 阻止所有不匹配的包和从DDoS主机来的包
block quick from
block return
block in all
block out all

# 防止IP欺骗
antispoof quick for {lo0,$ext_if}

# 允许本机访问其他机器
pass out quick on $ext_if inet from $ext_if to any flags S/SA keep state

# 允许IPv4地址的客户机访问本地80（www）端口，发起过快连接（DDoS）的主机加入阻止列表。注意是一行，下同
pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 flags S/SA synproxy state (source-track rule,max-src-nodes 200,max-src-states 100,max-src-conn 100,max-src-conn-rate 1000/10,overload flush global )

# 允许IPv6地址的客户机访问本地80（www）端口，发起过快连接（DDoS）的主机加入阻止列表
pass in quick on $ext_if inet6 proto tcp from any to $ext_if port 80 flags S/SA synproxy state (source-track rule,max-src-nodes 200,max-src-states 100,max-src-conn 100,max-src-conn-rate 1000/10,overload flush global )

# 允许管理IP远程连接本机SSH端口
pass in quick on $ext_if inet proto tcp from $admin_add to $ext_if port $ssh_port flags S/SA synproxy state

保存退出。

修改系统配置，使得开机启用PF防火墙：

[Copy to clipboard] [ - ]CODE:
vi /etc/rc.conf.local

跳到最后，加入下面这行：

QUOTE:
pf=YES

保存退出。

九、系统启动脚本的修改

修改系统启动脚本，使得MySQL、PHP(fastcgi)、Nginx可以在系统启动的时候自动启动，免去手动启动的麻烦。

[Copy to clipboard] [ - ]CODE:
vi /etc/rc.local

跳到最后，加入下面的内容：

QUOTE:
# 启动时校时。这行也可以加在/etc/daily.local文件的最前面，每天零点自动校时
rdate -n 210.72.145.44
# Start MySQL
if [ -x /usr/local/bin/mysqld_safe ] ; then
echo -n ‘Starting MySQL…’
su -c mysql root -c ‘/usr/local/bin/mysqld_safe >/dev/null 2>&1 &’
echo “DONE”
fi
# Start php-fastcgi
if [ -x /usr/local/bin/spawn-fcgi ] ; then
echo -n ‘Starting php-fastcgi…’
/usr/local/bin/spawn-fcgi -a 127.0.0.1 -p 9000 -C 6 -u www -f /usr/local/bin/php-fastcgi > /var/run/fcgi.pid
echo “DONE”
fi
# Start nginx
if [ -x /usr/local/sbin/nginx ] ; then
echo -n ‘Starting nginx…’
/usr/local/sbin/nginx
echo “DONE”
fi

保存退出。

reboot重启，启动后输入top看看，O.N.M.P.环境已经搭建好！

系统启动后，还要把MySQL自带的测试数据库和匿名用户删除，防止被黑客利用。

默认情况下，新安装的MySQL数据库，root密码为空！同样需要第一时间进行设置，方法见下图：

好了，至此，O.N.M.P.环境的搭建已经结束，剩下的就看各位自行发挥了！

写在最后

其实，系统的安全是个整体工程，并不是用上了OpenBSD这个最安全的操作系统就算万事OK，还有很多事情要做。

更多的是需要在日常工作中积累经验，多分析系统整体的运行情况，多关注网络安全方面的内容，这样才能尽可能的打造安全的运维环境。

本手册只是起到抛砖引玉的作用，希望能吸引更多的人来关注系统安全，希望有更多的人能用上OpenBSD这个主动安全的操作系统，希望能推动OpenBSD在国内的更多普及。如此，则幸甚！

unix常用指令及参数

admin — Wed, 08 Apr 2009 13:48:23 +0000

常用组合键
ctrl+h,backspace :删除前面的字符.
ctrl+u:删除一整行.
ctrl+c,del,break: 强行终止正在运行的程序.
ctrl+d:
常用指令
1.date:查看当前时间.
2.cal:查看某一个月的月历.
3.Finger 命令:显示一个用户的详细信息.
4.who命令:显示所有登陆用户.who an i
5.clear 命令:执行清屏动作.
6.echo 命令:将命令名后跟随的参数显示在屏幕echo hello

world
7.banner 命令:将命令名后跟的ACSSII字符串以大字的方式显

示在屏幕上banner hello
8.wc 命令:用于计算一个指定的文件中的行数单词及字符数:
格式wc[-c(计算字符的数目)] [-l(计算行的数目)] [-w(计算

单词的数目)] filename
9.passwd 命令,用于修改口令.
10.man 命令:联机手册
六.shell的基本功能:命令解释器,程序设计语言.
shell的退出命令.
1.exit 主要用于退出B_shell
2.logout 主要用于退出C_shell
3.ctrl+d 用于退出各类shell
第三章通信
内部通信
外部通信<1,电子邮件,2.即时通信
一.即时通讯
1.write 交谈命令 (半双工通信)
格式 write student1
ctrl+d 退出write
Write协议:消息发送结束用O(结束)
结束谈话用OO(结束并退出)
2.mesg 消息开关命令.用于查询和开关本终端的消息接收状态.
格式:mesg [-y] [-n]
$ mesg 查询本终端当前的消息接收状态
is y 可以接收消息
is n 拒绝接收消息
$ mesg n 设置关闭状态
$ mesg y 设置打开状态
3.talk 双向通信命令 (全双工方式)
4.wall 广播信息命令
二,电子邮件
$ mail username 发送邮件
$ mail 接收邮件
系统邮箱:在/usr/mail或/var/mail下,每个用户都有一个以其名字

命名的邮箱.例如:student8的系统邮箱可能为:/var/mail/student8
个人邮箱:个人邮箱通常为用户自己的主目录(home)下的mbox

文件.用户读过的邮件如果末删除或转存,则存放在个人邮箱中

.例如:student8的个人邮箱可能是:/home/student8/mbox
1.发送邮件:
$ mail student8
给多个用户发送邮件
a.$ mail student1 student2 student3 把用户列出来.
b.$ mail TEACHER TEACHER为用户组名,即向属于TEACHER

组所有用记发邮件.
c.$ alias usr_list student1 student2 student3给student1 student2

student3等多个名字建立一个部的别名usr_list,该别名只在本

shell中起作用,退出shell后无效.
$ mail usr_list
把已有的文件作为邮件发送给用户:
$ mail student8 < my_letter
发邮件给不存在的用户:
$ mail meizhegeren
mail命令本身能正常执行,由于无有效的接收方,所以系统把邮

件退回到用户主目录下dead.letter中.
2.接收邮件
不带参数输入mial表示读取邮件.此时已进入出境mail命令模式

下.
mail命令模式常用命令
如有下页则显示,否则退出mail.
p 显示本邮件信息
d 删除当前邮件
n 显示下一个邮件
q 退出 mail,把末删除的邮件保存到个人邮箱中.
R 回复邮件
! 执行shell命令.
? 显示mail的内部命令.
第四章文件系统
与目录相关的命令(pwd,cd,mkdir,rmdir,ls)
与文件相关的命令(cp,mv,ln,more,rm)
1.pwd 显示当前工作目录
2.cd 改变当前目录
3.mkdir 创建目录
格式 mkdir dir_name
4.rmdir 删除目录
格式 rmdir dir_name
a.只能是空目录.
b.有写的权限
一次操作多个目录
- p 选项.在当前目录下逐级创建目录,也可以逐级删除目录.
5.ls 显示目录
$ ls -a 显示所有文件(以点开头的文件名是隐藏文件)
$ ls -R 显示所有子目录的内容
$ ls – l 能得到目录中的文件的详细信息.
-:普通 d: 目录 c: 字符设备 b: 块设备 p:管道
$ ls – C 以多列的格式列表,按列排序.
$ ls – F 如果是目录,文件名后加/,如果是可执行文件,加*表示.
$ ls – m 按页宽列文件,以逗号分隔.
$ ls – p 如果是目录,文件名后加/
$ ls – r 以字母反序列表
$ ls – s 以文件块为单位显示文件大小
$ ls – x 以多列的格式列表,按行排序.
$ ls -G 以不同的颜色显示.
$ ls -lc 显示更新时间
$ ls -i inode序号将列在第一列
$ ls -lu 显示访问时间
$ ls -I 显示更改时间
6.touch 命令:作用是用来修改文件访问时间更改时间的.并可以

用来创建0字节长度的文件.
格式 touch 命令参数
7.cp 命令:复制文件
格式 cp source target
$ cp file1 file2 … Target-dir
$ cp -i 如果目标文件存在,请求确认
$ cp -r 复制目录到新的目录
8.mv 命令:移动文件或命名文件
格式:mv source target
9.ln 命令:ln命令的主要功能是给一个已经存在的文件再取一个

名字.新的文件名与原文件名可以在同一个目录下,也可以以在

不同的目录下,新老文件名代表同一个文件.
格式ln source-file target-file
作用:在现有的文件与新文件之间建立新链接,使一个文件具有

一个以上的名字.
显示文件内容命令
10.cat 命令:用来显示.创建或者合并文件
格式cat filename
11.more 命令:逐屏显示文件内容.翻屏时用键.
格式:$ more filename
12.rm 命令:删除文件(删除后无法恢复)
格式:$ rm file
$ rm file1 file2
$ rm -i 删除文件前,给出确认
$ rm -r 删除指定的目录及目录中的所有文件和子目录.即删除

整个目录结构.
13.lp 命令:打印命令
14.cut 命令:切取文件内容,用于切取文件中的列或字段.它把文

本文件中每一行的一部分显示输出.运行时必须指定功能选项.
- f 指定字段的位置
-c 指定列的位置
-d 指定字段分隔符,缺省的字段分隔符是制表符tab
15.paste 命令:连接文件.
作用:把文件一行接一行地连接在一起,或者把两个或多个文件

的域连到一个新文件里.
格式: $paste 选项参数
选项:-d 指定分隔符.默认是制表符
第五章文件权限
16.chmod 命令:修改文件权限,常用chmod命令修改文件(包括普

通,目录和设备)的访问权限,
格式: chmod pattern filename …
finename 为要修改的权限文件名.可以有多个.
pattern 为将改变成的权限,可以用两种形式表示:字母式和数字

形式.
a,字母形式(符号模式)
字母形式由用户类别(u,g,o). 如何改变(+,-)和权限(r,w,x)三部分

组成.
u:本用户g:同组用户o:其它用户. + :增加权限 -:删除权限
r:读w:写x:执行
例如:chmod u+x file1
chmod o-w file2 file3
chmod go+r file4
b, 数值形式
格式: chmod 777 file1
*新建文件或目录最大权限=状态掩码+新建文件或目录缺省

权限.此时unask为000
对一个新建的文件,umask值为022则指定该文件的权限为644:
对一个新建的目录,umask值为022则指定该目录的权限为755
17.sort 命令:作用在于将指定的文件中的文件进行排序,并把排

序的结果输出到指定的标准输出中.
格式:$srot [-t delimiter] [+field] [.column]][option]
选项: -d 以字典顺序进行排序
-
18.head 命令:用于查看一个文件.或多个文件的前面几行的内

容.
格式:$ head [-number_of_lines] file(s)
19.tail 命令:用于显示从指定行开始直到文件末尾的文件内容
格式;tail [-number_of_lines | +number_of_lines]file
20.tee 命令:在获得输入后,将把该输入数据送到两个地点:标准

输出和文件.
21.grep 命令: 用于选项定包含特定模式的文本行.
21.find 命令:在目录中递归地搜索包括有特定字符的文件名.
22.df 命令:磁盘空间监测命令.显示当前系统中各个逻辑磁盘

中空闲的磁盘块数和空闲的索引节点(即可建立的新文件数)
23.du 命令:查看磁盘使用情况统计,统计指定的目录及所有子

目录的磁盘使用情况,统计单位是磁盘块数.
选项:-a 显示所有文件及子目录
24.fsck 命令:文件系统管理:用于检测和修复文件文件的错误,
25.tar命令:文件存储与备份.该命令可以把文件系统中的一个

或一组文件打成一个文件包.存放到外存上或硬盘上文件系统

的其它地方.常用于多个文件(包括目录)的备份或转移.
格式: tar -cvf target file1 file2 file3 …把file1 file2 file3等文件备份到

档案文件target中.
tar -tvf target 检查档案文件target中包含的文件信息.
tar -xvf targer [file1] 从档案文件target中提取全部或file指定

的文件.
26.shutdown 命令:系统关机
选项:-h 完全关机
-r 关机并重新启动系统
time 关机时间,如17:30
message 关机前向所有已登陆用户发送消息
例如: shutdown -r now 现在关机重启.
27.crypt 文件加密命令:用于对文本文件进行加密和解密.以防

止文件内容泄密.
例如:$ crypt < file > file.cry 对file加密,结果保存在file.cry中.key:加

密口令
$ crypt aaa 对aaa.cry解密,结果保存到aaa中. key:

解密口令
附:$ vi -x file.cry 编辑一个加密后的文件
28.compress/uncompress 文件压缩和解压命令
格式:compress data_file 加压后自动在文件名后加一个.Z
umcompress abc.Z
29.at 定时执行任务:在指定的时间一次性执行规定的任务.
at 15:30 在15:30分执行
who >> userlist 把上机用户清单发到userlist
30,cron 系统定量执行任务:
31,crontab 任务描述文件的管理命令.

OpenBSD4.4下架设CS1.6服务器

admin — Mon, 06 Apr 2009 11:08:42 +0000

Setp 1：环境
1、操作系统OpenBSD4.4。
2、开启Linux支持
#mg /etc/sysctl.conf
去掉#kern.emul.linux=1前的#
#cd /usr/ports/emulators/redhat
#make install

Setp 2：下载所需软件
1：先到http://www.okgogogo.com/download/view.asp?id=393下载hlds_l_02162004.tar.gz
2：接下来下载NoSteamAuthEngines，这个是nosteam补丁：
wget http://www.cstrike.ro/cstrike_files/engine.v15.tgz

Setp 3：安装
#cd /var
#tar zxvf hlds_l_02162004.tar.gz

Setp 4：破解
#tar zxvf engine.tgz
#mv engine_amd.so hlds_l/
#mv engine_i486.so hlds_l/
#mv engine_i686.so hlds_l/

Setp 5：配置
#cd hlds_l
#mg cs
#!/bin/sh
./hlds_run -game cstrike -port 27015 -insecure -ip x.x.x.x +servercfgfile server2.cfg +maxplayers 32 +map de_dust2 -nojoy -noipx -nomaster +localinfo

Setp 6：server.cfg的设置(根据个人情况增添)
rcon_password “rconpassword”
// OP 密码
// “” 表示没有

hostname “CS1.6比赛专用服务器 #A01″
// 服务器名称

sv_region 4
// 服务器所在区域注册参数\r
// 255=全球
// 0=美国东部
// 1=美国西部
// 2=南美洲\r
// 3=欧洲
// 4=亚洲
// 5=澳洲
// 6=中东
// 7=非洲

sv_rcon_maxfailures 9999
// 输入OP密码错误次数上限
// 达到上限则封禁对方的IP

sv_rcon_banpenalty 5
// 封禁的时限单位分钟
// 0=永久

sv_maxupdaterate 30
// 服务器每秒更新最大频率\r
// 根据实际网络状况调节
// 默认=30
// 局域=101

sv_minupdaterate 20
// 服务器每秒更新最小频率\r

sv_unlag 1
// 玩家延时补偿
// 0=关闭
// 1=开启 (默认)

sv_maxunlag 0.5
// 延时补偿最大值默认 0.5
// 0.5=500毫秒 (默认)

sv_voiceenable 1
// 服务器是否允许麦克风语音通讯
// 0=禁止
// 1=允许 (默认)

sv_unlagsamples 1
// 延时补偿数据包平均采样数量\r
// 默认=1

sv_unlagpush 0
// 服务器推进延时补偿\r
// 0=关闭 (默认)
// 1=开启\r

mp_autokick 0
// 自动踢除不动的玩家\r
// 0=关闭
// 1=开启 (比赛默认)

mp_autocrosshair 0
// 自动瞄准
// 0=关闭 (默认)
// 1=开启\r

mp_autoteambalance 0
// 自动平衡双方人数
// 0=关闭 (比赛默认)
// 1=开启\r

mp_buytime 0.25
// 每回合购买武器装备时间单位分钟\r
// 比赛默认=0.25

mp_consistency 1
// 防止某些模型被更改\r
// 0=关闭
// 1=开启 (默认)

mp_c4timer 35
// C4爆炸倒计时单位秒
// 比赛默认=35

mp_decals 300
// 墙壁上的血花弹孔贴图细节数据传送(200-300)

mp_falldamage 1
// 高处落下伤害
// 0=关闭
// 1=开启 (默认)

mp_fadetoblack 0
// 死后黑屏
// 0=关闭 (默认)
// 1=开启\r

mp_flashlight 1
// 手电筒\r
// 0=禁止
// 1=允许 (默认)

mp_forcechasecam 2
// 死后跟随
// 0=所有玩家\r
// 1=仅队友\r
// 2=仅队友，主视角 (比赛默认)

mp_forcecamera 2
// 死后视角选择
// 0=全部视角
// 1=仅队友，全部视角
// 2=仅队友，主视角 (比赛默认)

mp_footsteps 1
// 脚步声\r
// 0=关闭
// 1=开启 (默认)

mp_fraglimit 0
//杀人数上限(1~n)，超过上限就换地图\r
// 0=关闭 (默认)

mp_freezetime 7
// 每回合开始冻结时间单位秒

mp_friendlyfire 1
// 友军伤害
// 0=关闭
// 1=开启 (默认)

mp_friendly_grenade_damage 1
// 友军手雷伤害
// 0=关闭
// 1=开启\r

mp_hostagepenalty 0
// 惩罚人质杀手\r
// 0=不惩罚 (默认)
// 1~N=人质被杀数量，超过则踢出该玩家\r

mp_limitteams 10
// 两队人数差异上限
// 超过此上限，新玩家只能当观察员\r
// 比赛默认=10

sv_logbans 1
// 服务器日志里记录Ban掉玩家的内容
// 0=不记录\r
// 1=记录

mp_logecho 1
// 将服务器日志反馈到控制台
// 0=关闭
// 1=开启\r

mp_logdetail 3
// 服务器日志里记录攻击信息
// 0=不记录任何信息\r
// 1=记录敌人攻击
// 2=记录队友攻击
// 3=记录所有攻击\r

mp_logfile 1
// 服务器记录日志为文件
// 0=不记录\r
// 1=记录

mp_logmessages 1
// 服务器日志里记录谈话内容
// 0=不记录\r
// 1=记录

mp_maxrounds 0
// 回合上限，达到此上限，自动重新载入新地图
// 0=无回合上限 (默认)

mp_playerid 0
// 当准星指向敌人或队友时，显示他们的名字\r
// 0=关闭 (比赛默认)
// 1=开启\r

mp_roundtime 1.75
// 每回合时限单位分钟\r

mp_timelimit 0
// 地图最大时限，达此时限，自动重新载入新地图
// 0=无时限\r

mp_tkpunish 0
// 惩罚队友杀手\r
// 0=关闭 (默认)
// 1=开启\r

mp_startmoney 800
// 第一回合开始金钱(800~16000)
// 加时赛=10000

mp_winlimit 0
// 一方最大胜利回合数，达到此数量，自动重新载入新地图
// 0=无限制 (默认)

sv_aim 0
// 自动瞄准
// 0=关闭 (默认)
// 1=开启\r

sv_airaccelerate 10
// 玩家在空中移动的速度
// 默认=10

sv_airmove 1
// 在空中移动&转向
// 0=禁止
// 1=允许(默认)

sv_allowdownload 1
// 客户端下载服务器资源
// 0=禁止
// 1=允许 (默认)

sv_allowupload 1
// 客户端上传自己的喷图
// 0=禁止
// 1=允许 (默认)

sv_alltalk 0
// 警匪通话
// 0=禁止 (默认)
// 1=允许

sv_proxies 1
// HLTV代理
// 0=禁止
// 1=允许 (默认)

sv_cheats 0
// 作弊模式
// 0=关闭 (默认)
// 1=开启\r

sv_clienttrace 1.0
// 客户端模型的范围框的尺寸
// 默认 1.0

sv_clipmode 0
// 锁定客户端快速模式\r
// 0=关闭(默认)
// 1=开启\r

sv_contact boezombie@gmail.com
// 服务器构建者的联系邮箱

sv_friction 4
// 地面摩擦力默认 4
// 数值越低，摩擦越小

sv_gravity 800
// 重力默认 800

sv_maxrate 25000
// 服务器最大传输速率 <0-25000>
// (服务器上传带宽 x 125) /服务器设定的最大人数 = 要设的值\r
// 0=无限制\r
// 局域=25000

sv_maxspeed 320
// 客户端最大移动速度

sv_minrate 0
// 服务器最小传输速率 <0-25000>
// sv_maxrate / 300 = 要设的值\r
// 0=无限制\r

sv_restartround 0
// 重新开始第一回合在n秒后

sv_restart 0
// 重新开始游戏在n秒后
// 作用等同于sv_restartround

sv_send_logos 1
// 客户端相互之间传送喷图\r
// 0=禁止
// 1=允许(同时确保sv_allowdownloads键值为1)

sv_sendvelocity 0
// 服务器混合物理运算，适用于较好配置的服务器\r
// 0=关闭
// 1=开启\r

sv_send_resources 1
// 自动向客户端传送地图关联的 & .res文件里包括的资源文件
// 0=关闭
// 1=开启(同时确保sv_allowdownload为1)

sv_stepsize 18
// 玩家的步伐距离\r
// 默认 18

sv_stopspeed 75
// 玩家停止移动时的速度默认 75

sv_timeout 65
// 客户端连接服务器超时的时限，达到时限则断开连接

sv_voicecodec voice_speex
// 语音通话解码
// voice_miles是HL引擎长期以来用的语音解码(默认)，占用带宽较大，为32kbps
// voice_speex是Valve新加入的解码，优于voice_miles，占用带宽较少，为2.4kbps至15.2kbps

sv_voicequality 5
// 客户端语音通话质量(确保sv_voicecodec voice_speex)
// 1=非常差………..占用带宽 2.4 kbps
// 2=差……………占用带宽 6.0 kbps
// 3=中等………….占用带宽 8.0 kbps
// 4=好……………占用带宽 11.2 kbps
// 5=非常清晰………占用带宽 15.2 kbps

allow_spectators 1
// 观察员模式\r
// 0=禁止
// 1=允许

decalfrequency 60
// 玩家喷图的时间间隔单位秒

edgefriction 2
// 玩家与玩家、墙壁、物体之间的摩擦
// 默认 2

host_framerate 0
// 与Demo录制有关
// 0 // n=0 为正常(默认)
// n>1 为快录\r

log on
// 开始记录日至\r

pausable 1
// 客户端暂停游戏\r
// 0=禁止
// 1=允许

mapcyclefile mapcycle.txt
// 地图循环列表所在的.txt文件
// *.txt = cstrike\*.txt文件

OpenBSD firewall using pf

admin — Mon, 23 Mar 2009 14:38:52 +0000

It is really easy to configure an OpenBSD gateway for a private network. Here are the following steps:

Lock down the box
Install second ethernet card in the OpenBSD box
Customize the kernel
Enable packet forwarding, dhcp, firewall and network address translation
Configure machines behind NAT
Familiarize with pf
Quality of Service (QoS)
References
Lock down the box
The first step to lock down the firewall box is to disable all unnecessary running services. Luckily, OpenBSD out of the box is really secure even with ident, comsat, daytime, time, rstatd and rusersd enabled in /etc/inetd.conf. Comment out mentioned services in /etc/inetd.conf and edit /etc/rc.conf and make sure portmap, sendmail and ntpd daemons are disabled as well. Don’t disable inetd as you will need it later for ftp-proxy.
check_quotas=NO
ntpd=NO
sendmail_flags=NO

sshd is enabled out of the box. If you don’t plan to use it, disable it with sshd_flags=NO
Once you disabled unnecessary services, go to unixcircle to remotely port scan your own box from the outside. Be careful when you do this behind a firewall box as the port scan script will scan the firewall instead. If you have another box, use nmap to scan the box from the inside.

Get the latest OpenBSD security patches and manually apply or download all the patches in one file or use AnonCVS to synchronize to stable release and build from source.

Make sure you check out the 3.2 stable branch with -rOPENBSD_3_2. Otherwise, you’re checking out the “current” branch instead.

Finally, readup on SANS’s The Twenty Most Critical Internet Security Vulnerabilities (Updated)

Install second Ethernet card in the OpenBSD box
Use any supported ethernet card for the second NIC in the OpenBSD machine. One card will be given a public IP address (assigned by your ISP or obtained dynamically, e.g., with DHCP) and the other will be given an IP address in a non-routable network. Your choices for private network addresses must come from one of these ranges (see RFC 1918):
10.0.0.1 – 10.255.255.254 netmask 255.0.0.0
172.16.0.1 – 172.31.255.254 netmask 255.240.0.0
192.168.0.1 – 192.168.255.254 netmask 255.255.0.0

Assume the first card is “ep”, create /etc/hostname.ep0 with the following x.x.x.x netmask x.x.x.x where x.x.x.x is what you choose above.
# First NIC – private
192.168.1.1 netmask 255.255.255.0 media 10baseT

And if you have a static IP address for the second NIC, you naturally need to have it configured as /etc/hostname.ep1 as well.
# Second NIC with public IP address
123.221.8.1 netmask 255.190.280.0 media 10baseT

Be sure to indicate a correct IP address and netmask for both interfaces. Once you have chosen a private network address range for your inside machines, stay with that same range.
Whatever address you choose for the first interface in the OpenBSD gateway becomes the default gateway IP address for all machines on the inside private network.

Customize the kernel
Compile the new kernel and remove any unwanted devices from the kernel.
Retrieve the kernel source and unpack it as:

# tar xzvf srcsys.tar.gz -C /usr
( kernel source unpacking output… )
…

Or use AnonCVS to get just the kernel source it:
# setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
# cd /usr
# cvs -q get -rOPENBSD_3_2 -P src/sys
( checking out files output… )
…
# cd /sys/arch/i386/conf

I usually name the kernel to the machine hostname, but you can give it any name. Edit the kernel config file:
Remove any hardware related options that are not relevant to your machine. One way to find out what to keep is to consult the dmesg output and remove all the rest. For all available kernel options, refer to GENERIC in the same directory as your kernel file and /sys/conf/GENERIC or man options(4).

Save the kernel config file and then compile and install it:

# config firewall
# cd ../compile/firewall
# make depend; make
( kernel building output… )
…
# cp /bsd /bsd.old
# cp bsd /bsd
# reboot

This will retain the old kernel as /bsd.old just in case something has gone awry with the new one and the box doesn’t boot. If that happens you can type ‘bsd.old’ at the boot: prompt to boot the old kernel.
Enable packet forwarding, dhcp, firewall and network address translation
To enable packet forwarding uncomment the following line in /etc/sysctl.conf and for extra protection, enable encryption on swap pages:
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
vm.swapencrypt.enable=1 # 1=Encrypt pages that go to swap

To enable high performance data transfers on hosts according to Enabling High Performance Data Transfers on Hosts, add the following to /etc/sysctl.conf:
# 1. Path MTU discovery: enabled by default
# 2. TCP Extension (RFC1323): enabled by default
# 3. Increase TCP Window size for increase in network performance
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
# 4. SACK (RFC2018): enabled by default

And if you receive your routable address assignment dynamically through DHCP:
# echo dhcp > /etc/hostname.ep1

The dhcp server will assign the IP, netmask and default gateway for interface “ep1”. /etc/resolv.conf will be created with “search” and “nameservers” statements from the ISP.
Filter rule:

Starting with OpenBSD 3.2, filter and nat rules are combined into /etc/pf.conf. The order of /etc/pf.conf is really important and the format of /etc/pf.conf must follow this order:

1. Options
2. Scrub
3. NAT & RDR
4. Filter

If there are no filter rules, the default action is pass.

Network Address Translation rule:

For clients behind NAT to work, 1 NAT and 1 RDR rule is sufficient:

# NAT internal IP addresses of range 192.168.1.0/24 to external routable
# IP on ep1 interface
nat on ep1 from 192.168.1.0/24 to any -> ep1

# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8081
rdr on ep0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

ftp-proxy runs inside inetd, add the following line to /etc/inetd.conf in order for ftp clients behind NAT to work by going through ftp-proxy daemon:
127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

As a result, ftp port and port 8081 will be opened. ftp-proxy supports -w option which will use tcp_wrappers to control source ftp client as well as destination ftp server access control based on /etc/hosts.allow and /etc/hosts.deny. Assume source ftp client IP 192.168.1.2 doesn’t have permission to use ftp, a similar log entry in /var/log/messages when attempted to reach ftp.netbsd.org
Sep 14 15:55:38 firewall ftp-proxy[20970]: tcpwrappers rejected: 192.168.1.2 -> ftp.netbsd.org

An example of a working /etc/pf.conf

Transparent proxy:

If there’s a mail server as 192.168.1.2 and a DNS server as 192.168.1.3 inside the private network, use “rdr” to transparent proxying. Since NAT happens before “rdr”, a “pass in” is required in /etc/pf.conf for the translated packets to flow into the mail server and DNS server.

/etc/pf.conf:

# Redirect incoming smtp traffic to mail server behind NAT
rdr on ep1 proto tcp from any to 157.161.48.183/32 port 25 -> 192.168.1.2 port 25

# Redirect incoming domain traffic to DNS server behind NAT
rdr on ep1 proto { tcp,udp } from any to 157.161.48.183/32 port 53 -> 192.168.1.3 port 53

Finally, enable pf in /etc/rc.conf:
pf=YES # Packet filter / NAT / logging using pflogd

Configure machines behind NAT
All the machines on the private network should be configured to use the address of the private interface of the OpenBSD box as the default gateway. To set the internal boxes to the default OpenBSD gateway on various operating systems with IP address: 192.168.1.1
AIX: edit /etc/rc.net and add /usr/sbin/route add 192.168.1.1 gateway >> $LOGFILE 2>&1

FreeBSD: edit /etc/rc.conf and add defaultrouter=”192.168.1.1″
HP-UX: edit /etc/rc.config.d/netconf and add ROUTE_GATEWAY[0]=”192.168.1.1″
Linux Redhat: edit /etc/sysconfig/network and add GATEWAY=192.168.1.1
NetBSD: echo “192.168.1.1″ > /etc/mygate
OpenBSD: echo “192.168.1.1″ > /etc/mygate

Solaris: echo “192.168.1.1″ > /etc/defaultrouter
Win2k: Start-Settings->Control Panel->Network and Dial-up Connections->Local Area Network->
Properties->Internet Protocol (TCP/IP)->Default Gateway->192.168.1.1

If you don’t want to reboot to pick up the IP address for the default gateway, use “route” to manually add the default route.
AIX: route add 0 192.168.1.1

HP-UX: route add 192.168.1.1

FreeBSD,NetBSD,OpenBSD,Solaris: route add default 192.168.1.1

Linux Redhat: route add default gw 192.168.1.1

Familiarize with pf
Once your firewall is online, you should start reading pf.conf(5), nat.conf(5), ftp-proxy(8), pfctl(8), pf(4) and The OpenBSD Packet Filter HOWTO. Also consult IPFILTER-HOWTO since both pf and IP Filter have 90% identical syntax. One noticable difference is OpenBSD pf doesn’t support IP Filter “keep frags” syntax. The alternative is to use “scrub” statement.
Each time /etc/pf.conf or /etc/nat.conf are modified, you have to reload them using pfctl. Reloading these rules will flush all current active connections. Unlike IPFilter, pf needs to enable nat and pf rules manually.

Flush current nat rules & reload:

# /sbin/pfctl -F nat && /sbin/pfctl -N /etc/pf.conf

Flush current filter rules & reload:
# /sbin/pfctl -F rules && /sbin/pfctl -R /etc/pf.conf

Show filter information (statistics and counters):
# pfctl -s info

To display the current list of active MAP/Redirect filters and active sessions:
# /sbin/pfctl -s state

To find out the “hit” statistic for each individual rule in /etc/pf.conf:
# /sbin/pfctl -s rules -v

Watch port scans going by on the screen:
/var/log/pflog is a binary file generated by pflogd so you can’t just view it. Use tcpdump instead:

# tcpdump -i pflog0

Read the log for pf activities:

# tcpdump -n -e -ttt -r /var/log/pflog

Quality of Service (QoS)
Bandwidth limiting:
OpenBSD 3.2 has ALTQ integrated in the base system. The kernel generic kernel is also compiled with options ALTQ so you’re ready to use. Otherwise, download the latest KAME snap kit which has ALTQ bundle from: http://www.kame.net/retrieve.html

Now, to configure a token bucket regulator (tbrconfig) for the interface ep1 to rate limit the pipe from 100Mbps to 10Mbps for outgoing connection:

# tbrconfig ep1 10M auto
ep1: tokenrate 10.00M(bps) bucketsize 12.21K(bytes)
#

To remove the installed token bucket regulator on ep1:
# tbrconfig -d ep1
deleted token bucket regulator on ep1
#

Class-based queuing (CBQ):
From man options(4) description of CBQ:

CBQ achieves both partitioning and sharing of link bandwidth by hierarchically structured classes. Each class has its own queue and is assigned its share of bandwidth. A child class can borrow bandwidth from its parent class as long as excess bandwidth is available.

Here is an example of a working /etc/altq.conf. /etc/altq.conf is read by altqd so to enable it on startup, edit /etc/rc.conf and change altqd_flags=NO to altqd_flags=”". Or just manually start altqd. altqd won’t start if there are errors in /etc/altq.conf. Watch /var/log/messages for any information.

Here’s the class hierarchy: cbq.txt

#
# ep1: Interface to a 10M link
#
#
interface ep1 bandwidth 10M cbq
class cbq ep1 root NULL pbandwidth 100
#
# meta classes
#
class cbq ep1 ctl_class root pbandwidth 4 control
class cbq ep1 def_class root borrow pbandwidth 95 default
#
# Allocate bandwidth for:
# firstclass: 70%
# businessclass: 15%
# generalclass: 5%
#
class cbq ep1 firstclass def_class borrow pbandwidth 70
class cbq ep1 businessclass def_class borrow pbandwidth 15
class cbq ep1 generalclass def_class borrow pbandwidth 5
#
# Allocate bandwidth for firstclass (tcp) data classes:
# tcp: 28%
# smtp: 10%
# http: 30%
# dns: 2%
#
class cbq ep1 tcp firstclass borrow pbandwidth 28 red
filter ep1 tcp 0 0 0 0 6 # other tcp
class cbq ep1 smtp firstclass borrow pbandwidth 10 red
filter ep1 smtp 0 0 0 25 6 # smtp
filter ep1 smtp 0 25 0 0 6 # smtp
class cbq ep1 http firstclass borrow pbandwidth 30 red
filter ep1 http 0 0 0 80 6 # http
filter ep1 http 0 80 0 0 6 # http
class cbq ep1 dns firstclass borrow pbandwidth 2 red
filter ep1 dns 0 0 0 53 6 # dns
filter ep1 dns 0 53 0 0 6 # dns

#
# Allocate bandwidth for businessclass (udp) classes:
# udp: 10%
# dns: 5%
#
class cbq ep1 udp businessclass borrow pbandwidth 10 red
filter ep1 udp 0 0 0 0 17 # udp
class cbq ep1 dns businessclass borrow pbandwidth 5 red
filter ep1 dns 0 0 0 53 17 # dns
filter ep1 dns 0 53 0 0 17 # dns
#
# Allocate bandwidth for generalclass (icmp) classe:
# icmp: 5%
#
class cbq ep1 icmp generalclass borrow pbandwidth 5 red
filter ep1 icmp 0 0 0 0 1 # icmp

Now, run altqstat and monitor the bandwidth. You should see something similar here: cbq stat
Weighted Fair Queueing (WFQ):

To use weighted fair queueing, add the following to kernel file.

option ALTQ_WFQ

By default, WFQ allocates 256 queues and packets are mapped into one of the queues by hashing the destination address. So, packets for the same host will be put in the same queue.
To enable WFQ on interface “ep0″ and “ep1″, add the following lines to your altq.conf(5) and start altqd.

interface ep0 bandwidth 10M wfq
interface ep1 bandwidth 10M wfq

The following command can be used to monitor the wfq statistics.
altqstat -i ep1

You should see something similar:
% altqstat
altqstat: wfq on interface ep1
wfq on ep1: 256 queues are used

[QID] WEIGHT QSIZE(KB) SENT(pkts) (KB) DROP(pkts) (KB) bps
[ 141] 100 0 14 1 0 0 0.09K
[ 103] 100 0 2 0 0 0 0.09K
[ 131] 100 0 11 1 0 0 0
[ 155] 100 0 10 0 0 0 0
[ 124] 100 0 9 0 0 0 0
[ 184] 100 0 5 0 0 0 0
[ 12] 100 0 2 0 0 0 0
[ 0] 100 0 0 0 0 0 0
[ 1] 100 0 0 0 0 0 0
[ 2] 100 0 0 0 0 0 0

First-In First-Out Queueing (FIFOQ):
To use first-in first-out queueing, add the following to kernel file.

option ALTQ_FIFOQ

To enable FIFOQ on interface ep1, add the following line to your altq.conf(5) and start altqd.
interface ep1 bandwidth 10M fifoq

Run altqstat and you should see something similar:
% altqstat
altqstat: fifoq on interface ep1
q_len:0 q_limit:50 period:2
xmit:2 pkts (108 bytes) drop:0 pkts (0 bytes)
throughput: 0.17Kbps
q_len:0 q_limit:50 period:2
xmit:2 pkts (108 bytes) drop:0 pkts (0 bytes)
throughput: 0bps
…

Random Early Detection (RED):
Since RED is part of ALTQ, no kernel option is required.

To enable random early detection on interface ep1, add the following line to your altq.conf(5) and start altqd.

interface ep1 bandwidth 10M red

Run altqstat and you should see something similar:
% altqstat
altqstat: red on interface ep1
weight:512 inv_pmax:10 qthresh:(5,15)
q_len:0 (avg: 0.00), q_limit:60
xmit:1 pkts, drop:0 pkts (forced: 0, early: 0)
throughput: 0.09Kbps

weight:512 inv_pmax:10 qthresh:(5,15)
q_len:0 (avg: 0.00), q_limit:60
xmit:1 pkts, drop:0 pkts (forced: 0, early: 0)
throughput: 0bps
…

Diffserfv traffic conditioner (CDNR):
>From man options(4):

Traffic conditioners are components to meter, mark, or drop incoming packets according to some rules. As opposed to queueing disciplines, traffic conditioners handle incoming packets at an input interface.

To use conditioner to drop incoming packets from a particular IP address, add the following to kernel file.

option ALTQ_CDNR

To enable conditioner on interface ep1, add the following line to your altq.conf(5) and start altqd.
#
interface ep1
#
# Drop all packets coming in from 255.255.255.255 (ficticious)
#
conditioner ep1 dropper
filter ep1 dropper 0 0 255.255.255.255 0 0

Run altqstat to monitor the drop packets:
% altqstat
altqstat: cdnr on interface _fxp0
actions:
pass:471 drop:3 mark:0 next:0 return:0 none:0

actions:
pass:501 drop:3 mark:0 next:0 return:0 none:0
…

Priority Queueing (PRIQ):
>From man options(4):

PRIQ implements a simple priority-based queueing. A higher priority class is always served first.

High number has higher priority. Maximum value is 15 and minimum value is 0. Default is 0. A higher priority class is always served first in PRIQ. Priority must be unique for the interface.

To use priority queueing to prioritize based on type of packet, add the following to kernel file.

option ALTQ_PRIQ

To enable priority queueing on interface ep1, add the following line to your altq.conf(5) and start altqd.
#
# Prioritize based on protocol:
#
# tcp: high priority
# udp: medium priority
# icmp: low priority
# others: bottom priority
#
interface ep1 bandwidth 10M priq
#
class priq ep1 highest_class NULL priority 3
filter ep1 highest_class 0 0 0 0 6
class priq ep1 medium_class NULL priority 2
filter ep1 medium_class 0 0 0 0 17
class priq ep1 lowest_class NULL priority 1
filter ep1 lowest_class 0 0 0 0 1
class priq ep1 bottom_class NULL priority 0 default

% altqstat
altqstat: priq on interface ep1

ep1:
[highest_class] handle:0xe09fd0c0 pri:3
measured: 0.34Kbps qlen: 0 period:180
packets:180 (25637 bytes) drops:0
[medium_class] handle:0xe09f1d40 pri:2
measured: 0bps qlen: 0 period:25
packets:25 (1997 bytes) drops:0
[lowest_class] handle:0xe09fdcc0 pri:1
measured: 0bps qlen: 0 period:19
packets:19 (1862 bytes) drops:0
[bottom_class] handle:0xe09a4680 pri:0
measured: 0bps qlen: 0 period:0
packets:0 (0 bytes) drops:0
…

Introduction to OpenBSD Firewall/Gateway Unix Workstation

admin — Mon, 23 Mar 2009 14:34:10 +0000

Abstract
This is a quick tutorial on how to set up an OpenBSD 3.1 system. The first part covers setting up a firewall, NAT proxy, time and DHCP server on a system connected to the Internet via broadband like DSL or cable. The second part covers things that would be installed on a desktop machine: graphical window managers etc.

The reader is not expected to be a Unix expert (why would a Unix expert need this how-to?) — if you don’t understand something, or something looks intimidating, read on and come back to it. If something still doesn’t make sense, let me know.

I don’t cover what I consider “advanced” usage such as tracking -CURRENT or CVS snapshots. If you want to do that, I assume you know which FAQs to read!

This document may be freely reproduced and redistributed under the terms of the GNU Free Documentation License Version 1.1; with the invariant section being this entire document, with no Front-Cover Texts and no Back-Cover Texts.

In other words, if you want to copy this document in its entirety, feel free to do so; if you wish to modify it (as in providing a translation, or taking sections to include in other documents) please send me email. Needless to say, documents that this document links to will have their own copyrights.

New!
I have a shell script that sets up everything mentioned here. This is still experimental but if you try it, please let me know how it goes. Save this file to disk and run it by typing “sh config31-fw.sh”. (Doesn’t handle PPPoE [the beast].)

There is a new section called Tips and Stuff where I put things I’ve found or written that are useful sysadmin tools.

Introduction
Why OpenBSD? It’s simple and secure. Your firewall machine should not have lots of things installed on it; therefore no exotic hardware, graphical desktops, X11 servers etc. — put those on your desktop machine. A simpler system is more robust and more secure; this machine only offers SMTP (email), ssh, ping/traceroute and optionally HTTP (web) to the outside world. And since it’s running Unix, you can log in to it — securely — using ssh from anywhere on the Internet and make any changes you need to. (N.B.: never use telnet to connect to a machine over the Internet! Anyone can eavesdrop and grab important information like passwords. Only use ssh, which encrypts all communication so that eavesdroppers don’t get any information. And verify those key fingerprints or you leave yourself open to a man-in-the-middle attack. For information do a web search for public key cryptosystems; a good place to start is OpenSSH.)

The utility and security of having this kind of machine: a firewall protects your data and systems from the Big, Bad Internet. When the bad guys are out to vandalise machines on the Internet, MS-Windows machines of various kinds are prime targets because they suck. Er, I mean, Windows is really hard to secure. (Not that an incompetently run Unix machine is any better, of course.) When you dialled in on the phone, your machine was on the ‘net for brief periods; with DSL or cable it’s vulnerable all the time.

This document also describes how to set up an OpenBSD system as a Unix workstation. We will go over setting up X11 (the window system) etc. I assume that you will be using a different machine as your workstation. Important: Unix systems can be set up in various ways; I do things a certain way and that’s what this document will cover. Other people (wizards and newbies alike) may do things differently. In case it matters, I’ve been using Unix since 1982, have been a sysadmin on-and-off since 1986 (VAX/BSD, SunOS 4.x, Solaris 2.x, HP/UX, AT&T 3B5 SVR6 etc.) I’ve been a C programmer since the early 80s. Today I design and implement back-end network servers on Solaris.

This tutorial assumes that you have some familiarity with using Unix: what filenames look like, how to copy and edit files etc. There’s a decent Unix tutorial on the web. The most important command to remember is man (short for “manual”) — if I say something like “read the documentation for foobar it means you should type man foobar. One other piece of Unix argot: if you hear someone write select(2) it indicates that the manual for select is in section 2, i.e. you would read the manpage by typing man 2 select. You should also read the OpenBSD documentation: particularly the OpenBSD FAQ. Bookmark that link right now.

NAT (Network Address Translation) allows you to connect lots of PCs up to one network connection. When any of the machines inside the firewall wants to make a connection to some server out there on the internet, the firewall/NAT box intercepts that request, and sends the request off as though it came from the firewall/NAT machine. When the reply arrives, it is sent off to the machine that made the connection. Neither the server nor the machines on the inside know that all this is going on.

Aside: NAT is also called PAT, for “Port Address Translation.” Also, read this interesting article by HRH Prince Philip, Duke of Edinburgh, on setting up PAT and DHCP on Cisco routers. The whole routergod.com site features many celebrities offering helpful tips on various network issues.

Even if you don’t want plan on having more than one PC at home, NAT is useful, because it allows the machine running your firewall to be different from your main workstation. You probably want to install fancy hardware and software on your machine; but every additional package installed on a firewall makes it more vulnerable.

Network Address Translation (NAT)

Note: if you only have one machine on the “inside”, you don’t need an ethernet hub; use a crossover cable to connect the two machines directly. This also has the advantage that you can get a full-duplex connection between the machines (a hub only allows a half-duplex connection).

Note: you can buy little NAT/DHCP boxes from various manufacturers for about $150, but where’s the fun in that? Besides, who knows how strong the security is on those things. With OpenBSD you know you’re getting the best.

Building the machine
The machine itself: I prefer to build these machines up from individual components rather than buying a pre-made box. That way I can get name-brand supported components, and it works out slightly cheaper since I don’t have to get exotic video cards, sound cards, CD-ROM drives etc. (Not to mention a Fisher-Price operating system that you will be required to pay for.)

Can you build a PC? Well, no one showed me how, but I’ve managed to put together about 10 or so systems, so it can’t be that hard. If you’ve assembed anything with screwdrivers etc. you’ll be fine. There are numerous sites on the web that walk you through building a PC. Go do a Google search and read those. I especially like the one at Acme Labs by Jef Poskanzer. There’s also an excellent motherboard finder at Acme.

Caveat: specific recommendations will be outdated as soon as I write them! I like to use AMD CPUs because I believe Intel is evil and as far as possible I’d like to not buy their products. I’d get the current not-top-of-the-line CPU i.e. the one that costs about $50 and a compatible motherboard that costs in the range of $70. I stay away from integrated components because they’re usually garbage. (For a server that I don’t use directly I might get integrated video.) Spend about $30-50 on RAM, $30 on ethernet, $60 on an IDE disk, $30 for a case (with power supply). I usually find the best prices on components at Directron and CompuVest (warning: uses Java). These have both been non-sleazy (everything was as described in their catalog and shipping was prompt) in all my dealings with them — but let me know if you find any evidence of sleaziness.

All these components add up to around $300 — and that’s brand-new stuff. If you have any old components lying around, they will be fine. You don’t need a keyboard, mouse or monitor when the system is up and running — all maintenance on it can be done over the network. (While you’re installing the OS on the machine you will need to hook up a keyboard, monitor and CD-ROM drive to it, of course.)

While installing the system, I plug in a spare CD-ROM drive, keyboard and monitor. Change the BIOS settings so that the machine will boot without a keyboard etc. Boot off the OpenBSD 3.1 CD and install the system. All the hardware should be recognised without any problems. (The installation guide booklet that comes with the CDs is excellent.)

The easiest way to install OpenBSD is to buy the distribution on CDs. Although you can install it via the network, buying the CD will help make sure that the OpenBSD project will continue to improve and better the system. If you can afford an outlay of US$40, please buy the CDs from the OpenBSD ordering site.

When you’re installing OpenBSD, the installer program will ask you for disklabel information (partitions). On a Unix system, a group of files organised together is called a filesystem. The disk is partitioned into various pieces each of which will hold one filesystem. This is the filesystem breakup and partition sizes I’d use for a 12GB disk (if your disk is bigger, you can just increase the size of /var (for web files) or /home (for your personal files) — the system will be more than happy with these sizes for /, /tmp and /usr):

/dev/wd0a 100M /
/dev/wd0d 400M /tmp
/dev/wd0e 4GB /var
/dev/wd0g 2GB /usr
/dev/wd0h 5GB /home
(The convention is that a is always /, b is swap and c is the whole disk.) Your web files will live in /var, and your other files in /home.

This is all overkill; /usr only needs about 600M or so. Say pad it to 1GB. A 2GB disk would be plenty for the system, but if the cheapest disk you can get is 13GB….

Note for Unix newcomers: the disk is named /dev/wd0, and in this case it has 5 partitions with names /dev/wd0a, /dev/wd0d, /dev/wd0e, /dev/wd0g and /dev/wd0h. And the different partitions don’t get different “drive letters” as in some primitive operating systems; once the system is installed, it looks to the user that there is just one bunch of files; Unix will figure out the right thing to do. After the system has been installed and you’ve booted off the hard disk, log in and (this is important!) type man afterboot; it will remind of some things that you need to do to complete the installation — pick passwords, create user accounts, check network settings etc. Also, man hier will introduce you to the way the system is organised — which files live where. In fact, let me say that again:

After the first normal boot of the system, be sure to read these manpages:
$ man afterboot
$ man hier
Also run dmesg(8) to learn more about your hardware and the driver names that OpenBSD uses for them.

Which packages to install? A good starting point would be to accept the defaults. For a desktop system (workstation), you will want all the X11 packages also. I install everything.

There! And make sure you keep reading the manpages — OpenBSD manpages are a thing of beauty, complete, up-to-date and informative. And also read the OpenBSD FAQ on the web — much of this information is also found there.

Configuring the network
For my outside connection I have DSL and a static IP number (from Speakeasy — I recommend them over PacBell etc. — I’m so happy I switched). Other DSL options are PPPoE that PacBell likes to set people up with, or DHCP which is what you usually get over cable. A completely bogus DSL installation is the USB device they try to foist on customers with Windows. Danger, Will Robinson! They stink; they’re unsupported on any free O/S, and even on Windows they work about half the time.

In *BSD the network cards are named according to the driver used. For the Lite-On (DEC Tulip) cards, the driver is called dc, and the Intel EtherExpress Pro is fxp; so my two ethernet cards are dc0 and fxp0. (If you had two cards that both used the dc driver, they would be dc0 and dc1.) For the inside network I use the “private” (non-routable) IP numbers 192.168.1.* which will make the inward-facing network card 192.168.1.1. The OpenBSD initialization asks you for IP numbers for the two cards. Enter the appropriate ones – the IP number your ISP gave you for dc0, and 192.168.1.1 for fxp0. For PPPoE, the outside interface is tun0 and it will figure out its own IP address. If you’re supposed use DHCP on your DSL or cable connection, type in dhcp.

It is important to remember which network will be the outside and which the inside. If the two cards are identical, the easiest way is to look at the MAC number. Every ethernet card ever made has a unique ID called its MAC number. This will be printed on the card, usually as a sticker. When the kernel boots up, it will print the MAC numbers of each card it finds:

fxp0 at pci0 dev 9 function 0 “Intel 82557″ rev 0x0c: irq 11, address 00:02:b3:a0:3a:50
dc0 at pci0 dev 10 function 0 “Lite-On PNIC” rev 0×20: irq 10 address 00:a0:cc:55:ab:1c
So the card that has a MAC number ending ab1c is dc0; the other is fxp0. (If the two network cards you have are different types, as in this case, there’s no problem, of course. The kernel bootup messages is still be useful to tell you what names the system is using for them.)

(There’s some rule about where the cards are plugged in so which one gets number 0 and which no. 1, but I can never remember that.)

PPPoE
The beast! PPPoE is a pain in the ass but ISPs like it because it makes things simpler for them — they don’t have to maintain lists of IP numbers. Also, they can run a crappy service and keep dropping the connection and that’s ok, you’re expected to reconnect. It’s the Micros**t philosophy of “make something really crappy and expect people to just re-start the whole system a couple of times a day.” It’s a pain in the ass for us because its MTU is 1492 instead of 1500 which used to require changes on every machine inside the network — but now thanks to the “mssfixup” flag we don’t have to any more.

The files you will need to change for PPPoE all live in /etc/ppp/.

Configure system files
To set up the system, the files you will be editing are:/etc/rc.conf, /etc/myname, /etc/mygate, /etc/pf.conf, /etc/nat.conf, /etc/*.conf, /etc/hostname.interface, /var/named/*.

Edit /etc/rc.conf. On my servers I run SMTP, Apache, and ssh. In other words, from the outside it handles email, web acess and secure shell for remote logins. For convenience, on the inside I have a private name server (DNS) and NTP server for accurate time. To get sendmail, NTP, httpd, and NAT to work, these are the lines to change:

sendmail_flags=”-bd -q30m” # for normal use: “-bd -q30m”
named_flags=”" # for normal use: “”
ntpdate_flags=”put.server.here” # for normal use: NTP server; run before ntpd starts
httpd_flags=”" # for normal use: “” (or “-DSSL” after reading ssl(8))
dhcpd_flags=-q # for normal use: “-q”
pf=YES # Packet filter / NAT
ntpd=YES # run ntpd if it exists
pf_rules=/etc/pf.conf # Packet filter rules file
nat_rules=/etc/nat.conf # NAT rules file
Make sure that /etc/sysctl.conf has this line in it:

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
Get the names of NTP servers close to where you are and put that name in the ntpdate value. Here’s a list of public NTP servers.

Update ssh
Warning: ssh in OpenBSD 3.1 has a bug!
Upgrading openssh to 3.4 is strongly recommended. See the OpenSSH for OpenBSD page for details. In brief, you will download ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.4.tgz and execute the following steps (as root):

# cd /usr/src/usr.bin
# tar xvfz …/openssh-3.4.tgz
# cd ssh
# make obj
# make cleandir
# make depend
# make
# make install
# cp ssh_config sshd_config /etc/ssh
# mkdir /var/empty
Using vipw(8) you will add this line to your password file:

sshd:*:27:27::0:0:sshd privsep:/var/empty:/sbin/nologin
Then add this line to /etc/group:

sshd:*:27:
NAT and firewall rules
OpenBSD 3.1 has a new packet filter — 2.9 used ipf but 3.x has a re-written from scratch one called pf. The details are not important; pf config files are much simpler. I decided that my outside interface would be dc0, and the inside one fxp0. (If you’re using PPPoE, the outside interface will be tun0.) Firewall rules (they tell the gateway what kind of network traffic should be allowed into the internal network) live in /etc/pf.conf; NAT configuration is in /etc/nat.conf.

Here’s a sample /etc/pf.conf — very little is accessible from the outside, but machines on the inside can go out with no restrictions. In your files you’d replace dc0 and fxp0 with the names of your outward- and inward-facing ethernet cards, respectively.

#####################################################################
#
# IP packet filtering rules (firewall)
# Shamim Mohamed 3/2002

# See pf.conf(5) for syntax and examples

# If you change this file, run
# pfctl -R /etc/pf.conf
# to update kernel tables (also run “pfctl -e” if pf was not running)

# Network interfaces
internal = “fxp0″
external = “dc0″

# Services visible from the outside — remove any you’re not using
services = “{ ssh, http, https, smtp }”

# You shouldn’t need to change anything below this line
#####################################################################

# Non-routable IP numbers
nonroutable = “{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
255.255.255.255/32 }”

# All rules are “quick” so go strictly top to bottom

# Fix fragmented packets
scrub in all

# Don’t bug loopback
#
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

# Don’t bother the inside interface either
#
pass out quick on $internal from any to any
pass in quick on $internal from any to any

#####################################################################
#
# First, we deal with bogus packets.
#

# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won’t be able to examine the whole UDP/TCP header.
#
block in log quick on $external inet proto icmp from any to any icmp-type redir

# Block any IP spoofing atempts. (Packets “from” non-routable
# addresses shouldn’t be coming in from the outside).
#
block in quick on $external from $nonroutable to any

# Don’t allow non-routable packets to leave our network
#
block out quick on $external from any to $nonroutable

#
#####################################################################

#####################################################################
#
# Now the normal filtering rules
#

# ICMP: allow incoming ping and traceroute only
#
pass in quick on $external inet proto icmp from any to any icmp-type { \
echorep, echoreq, timex, unreach }
block in log quick on $external inet proto icmp from any to any

# TCP: Allow ssh, smtp, http and https incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection.
#
pass in quick on $external inet proto tcp from any to any port $services flags S/SA keep state

# Of course we need to allow packets coming in as replies to our
# connections so we keep state. Strictly speaking, with packets
# coming from our network we don’t have to only match SYN, but
# what the hell.
#
pass out quick on $external inet proto tcp from any to any flags S/SA keep state
pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state

# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP).
#
block return-rst in log quick on $external inet proto tcp from any to any
block return-icmp in log quick on $external inet proto udp from any to any
block in quick on $external all

#
# End of file
#
#####################################################################
Read the pf documentation and understand these rules.

This is the NAT config /etc/nat.conf — this allows machines on the inside network to transparently make connections to the outside world:

#####################################################################
#
# NAT rules
# Shamim Mohamed 3/2002

# See nat.conf(5) for syntax and examples

# replace dc0 with external interface name, 192.168.1.0/24 with internal
# network (if different)

# nat: packets going out through dc0 with source address 192.168.1.0/24 will
# get translated as coming from 12.34.56.78 (or whatever the external IP no.
# is). State is created for such packets, and incoming packets will be
# redirected to the internal address.

nat on dc0 from 192.168.1.0/24 to any -> dc0

# End of file
#####################################################################
The system should already have setup /etc/hostname.dc0 and /etc/hostname.fxp0 (or whatever your network device names are) for you. Each file will have the IP number and netmask. This is what these files would look like:

$ cat /etc/hostname.fxp0
inet 192.168.1.1 255.255.255.0 NONE
$ cat /etc/hostname.dc0
inet 123.45.67.89 255.255.255.0 NONE
(The $ is the prompt; cat types a file out to the output.) If you’re using DHCP, the outside interface’s hostname file will say dhcp.

Other important files are /etc/myname — your hostname — and /etc/mygate — your default gateway to the outside world (your ISP told you what this should be — it’s usually the same as your IP number except that the last number is replaced with a 1 or 254.)

PPPoe
If you have PPPoE (you unfortunate soul!) things are different. You shouldn’t have /etc/mygate; and the file describing the outside interface, /etc/hostname.dc0 in my example, will only have one word in it: up. This tells the system to bring up the interface at boot time, but to do nothing else — pppoe will do the rest.

The main file is /etc/ppp/ppp.conf and this is what it should look like:

default:
set log Phase Chat LCP IPCP CCP tun command
set redial 15 0
set reconnect 15 10000

pppoe:
set device “!/usr/sbin/pppoe -i dc0″
disable acfcomp protocomp
deny acfcomp
set mtu 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname login
set authkey password
enable dns
enable mssfixup
Use your login name and password where indicated. The “set device” line tells ppp which physical device to use to talk to the outside world. You also have to tell the system to start PPPoE at boot time. That can be done with this little snippet of shell script:

echo -n “Trying to establish PPPoE DSL”; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 5
echo -n.$i”
if /usr/local/sbin/adsl-status>/dev/null; then
break
fi
done
echo
/usr/local/sbin/adsl-status
Where adsl-status is a little shell-script that tests to see whether the PPP link has come up properly:

#!/bin/sh

IP=$(/sbin/ifconfig tun0 | awk ‘/netmask/{print $2}’)

if [ -z "$IP" ]; then
echo “ADSL link is down.”
exit 1
else
echo “ADSL is up, IP address $IP”
exit 0
fi
Now the question is: where should we put the little loop that tries to get ppp going? The right place to put all these is in /etc/rc.local. However this has the drawback that the outside network hasn’t been initialised while the rest of the system is coming up, which causes some scary-looking error messages from NAT to be printed at boot time. So I do something a little un-kosher: I put the ppp initialisation in /etc/netstart right at the end:

…
echo -n ‘ ADSL… ‘; ; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 5
echo -n.$i”
if /usr/local/sbin/adsl-status>/dev/null; then
break
fi
done
echo
/usr/local/sbin/adsl-status
Now remember that each time the PPP link goes up or down, the IPF and NAT rules must be re-done. The files /etc/ppp/ppp.linkup and /etc/ppp/linkdown are scripts that get run by ppp. Here’s /etc/ppp/ppp.linkup:

MYADDR:
! sh -c “/sbin/route del default”
! sh -c “/sbin/route add default HISADDR -mtu 1492″
! sh -c “/sbin/pfctl -F all -R /etc/pf.conf -N /etc/nat.conf -e”
! sh -c “/usr/local/sbin/ntpd -p /var/run/ntpd.pid”
And this is /etc/ppp/linkdown:

MYADDR:
! sh -c “/sbin/pfctl -F all -d”
Configuring email
Sendmail should have been setup automatically since you edited /etc/rc.conf but I’ve occasionally had to make one change in /etc/mail/sendmail.cf:

Djmy-domain-name.com
(If you don’t own a domain, or plan on having it point to your DSL machine, you don’t need sendmail.)

You should have a normal user account that you’re going to use (never log in as root! Always use su or sudo). Administrative email should be forwarded to you; if your normal username is zippy edit /etc/mail/aliases and make sure you make the appropriate lines look like this:

# Well-known aliases — these should be filled in!
root: zippy
manager: zippy
dumper: zippy
One thing you should consider is being an email handler for friends. My DSL service goes down too often — every few months. This is too unreliable for my tastes. What I do is collaborate with friends to accept and queue email for them, and they do the same for me. Example: for my domain foo.com the primary mail exchanger is gateway.foo.com, the OpenBSD firewall/gateway. A friend of mine has bar.com, and his email gateway is gateway.bar.com. I set up a secondary mail exchanger in my domain records as gateway.bar.com. If my DSL line gateway.foo.com goes down and someone out there wants to send email to me at foo.com, her machine will use gateway.bar.com instead and email will wait on that machine until my machine is back on the network. I want to perform the same service for my friend — if gateway.bar.com is down, I want people to be able to send my machine the email destined for bar.com and fubar.org (another friend’s domain). This goes in the file /etc/mail/relay-domains on my gateway box:

bar.com
fubar.org
Now the machine will accept email for my friends’ domains bar.com and fubar.org as well as for itself and forward their messages on. If the machine it’s trying to forward to is down, it will put them in the queue and keep re-trying for a while. (My friend at bar.com does similar things to his /etc/mail/relay-domains.)

Setting up DNS
You probably shouldn’t be running the primary DNS server for your domain on your DSL box; DSL may not be reliable enough for that. Get someone else to do it for you for free, like http://www.zoneedit.com/.

However, it is nice to have a local private DNS because lots of daemons (services that run in the background, like the web server) like to do reverse lookups of IP numbers, so we should have a DNS server for the private network. Also, this installation will give you a caching nameserver which should improve your browsing speed.

The files live in /var/named. Assuming your domain is called fake-domain.org, edit named.boot and add these lines:

primary fake-domain.org fake-domain.db
primary 1.168.192.in-addr.arpa fake-domain.rev

; your static IP number, reversed
primary 89.67.45.123.in-addr.arpa dsl.rev

; remember to add your ISP’s nameservers here!
forwarders 1.2.3.4 5.4.3.2
(Anything starting with a semicolon is a comment.) Here fakedomain.org can be a real domain you have or a fake; and instead of 89.67.45.123 use your static IP but reversed i.e. you would use that line if your IP number were 123.45.67.89. And change the IP numbers on the forwarders line to the nameservers your ISP told you to use.

There are three files you need to create. The first is /var/named/namedb/fake-domain.db:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

gateway IN A 192.168.1.1
libelle IN A 192.168.1.2
discus IN A 192.168.1.4
ventus IN A 192.168.1.3
wander IN A 192.168.1.5
brad IN A 192.168.1.12
jack IN A 192.168.1.13

; your static IP number
dsl IN A 123.45.67.89

www IN CNAME dsl
mail IN CNAME dsl
In this network, there are six machines on the inside and those are their names and IP Number assignments. The OpenBSD gateway machine is named “gateway”. Change these entries to names of the machines on your private network. You can give them any IP number that starts with 192.168.1. Of course if you have three machines on your network, there will only by three entries.)

This is the second file you need to create, /var/named/fake-domain.rev:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

1 IN PTR gateway.fake-domain.org.
2 IN PTR libelle.fake-domain.org
3 IN PTR ventus.fake-domain.org
4 IN PTR discus.fake-domain.org.
5 IN PTR wander.fake-domain.org.
12 IN PTR brad.fake-domain.org.
13 IN PTR jack.fake-domain.org.
(Those trailing dots are important.) And here’s the third, /var/named/namedb/dsl.rev:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

IN PTR dsl.fake-domain.org.
PPPoE
Yes, again more stupid special cases for PPPoE. For one thing, your IP address from the outside keeps changing so all the stuff about dsl.rev doesn’t apply. However, more important: you don’t know what your ISP’s DNS servers are! And they could change which machines you’re supposed to use each time you connect! What you have to do is: connect “by hand” one time, and see which DNS servers you got. After ppp.conf has been written, you can run ppp -ddial pppoe and pray. If all goes well, ifconfig tun0 should show you two lines:

$ /sbin/ifconfig tun0
tun0: flags=11 mtu 1492
inet 63.201.32.40 –> 63.201.39.254 netmask 0xff000000
That means everything worked. Now look at /etc/resolv.conf — there should be one or more lines in there that say which nameservers should be used. Put these IP numbers in the forwarders line in /var/named/named.boot.

One other wrinkle: the /etc/resolv.conf that ppp makes for you doesn’t know about your domain, or that you’re running a nameserver on your machine. To get around these problems, I created another file /etc/resolv.conf-working:

nameserver 192.168.1.1
lookup file bind
search fake-domain.org
In /etc/ppp/ppp.linkup I tell it to overwrite the created resolv.conf with this one:

! sh -c “cp /etc/resolv.conf-working /etc/resolv.conf”
(Add that to the end of the file that you’ve already created.) This allows all programs running on the machine to be able to use all the good things about a local caching nameserver — things like being able to refer to internal hosts by short name etc.

Other machines on the internal network
Go to the other machines on your network (the ones inside your firewall) and set them up with the static IP numbers you assigned above, e.g. the machine wander gets an IP number of 192.168.1.5. All the machines should use 192.168.1.1 for the gateway and use 192.168.1.1 for the DNS server. For more details on DNS, read the excellent O’Reilly book “DNS and BIND”; for more on setting up slightly more complex DNS servers than the one described here, go to the OpenBSD — DNS site maintained by Samiuela LV Taufa.

Setting up DHCP
Above in the DNS setup all internal machines are assigned their own IP numbers. Running DHCP allows guest machines to hook up to the network without fuss. Depending on your comfort level with setting up your other machines, you might also prefer to use DHCP over assigning static IPs.This is what /etc/dhcpd.conf should look like:

# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network: 192.168.1.0/255.255.255.0
# Domain name: my.domain
# Name servers: 192.168.1.3 and 192.168.1.5
# Default router: 192.168.1.1
# Addresses: 192.168.1.32 — 192.168.1.127
#
shared-network LOCAL-NET {
option domain-name “fake-domain.org”;
option domain-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;

range 192.168.1.32 192.168.1.127;
}
}
This will allow up to 96 machines on your internal network, which should be more than sufficient. Create an empty temporary file for dhcpd to use:
# touch /var/db/dhcpd.leases
If you make any changes to this file, run dhcpd fxp0 (or whatever your inside network is). (Or you can reboot the machine — but that’s the Windows way, in the Unix world we prefer to never reboot any machines.)
Install “ports”
“Ports” is a *BSD term for a tree of Makefiles for all the software out there that’s not part of the standard install. I recommend this highly. It is on CD No. 3 of the OpenBSD 3.1 CD-ROM set as ports.tar.gz. Please read the Ports and Packages page on the OpenBSD web site. You install it by typing (as root)

# mount /dev/cd0a /mnt
# cd /usr
# tar xzf /mnt/ports.tar.gz
Once you’ve done this, if you want to install a package, you cd to the appropriate directory and simply type make all install — it will ftp the source from the appopriate site, handle all dependencies, apply any required patches, configure, build and install the tool.

How do you find the appropriate directory to go to? You can guess at where it might be (look around in /usr/ports to get an idea for the layout etc.). But remember: locate(1) is your friend.

If you have the disk space (about 500 MB), I strongly recommend that you install the source code to the system also. (The source is also on CD No. 3.)

# mount /dev/cd0a /mnt
# cd /usr/src
# tar xzf /mnt/src.tar.gz
Getting time from the Internet
Set up NTP so that your machine will always have accurate time. Pick two servers from the public NTP server list and make sure /etc/ntp.conf looks like this:

server ntp.server.first
server ntp.server.second
Since xntpd is not part of the standard install, you have to compile xntpd from source.

# cd /usr/ports/sysutils/xntpd
# make all install
The tools will be installed into /usr/local/sbin/ntpd.

Run ntpdate -b server where you pick a server from the list — this will perform a coarse adjustment of the system clock. The next time the machine reboots, it will sync your clock and record how much your clock drifts.

Setting up other hosts with NTP
On Unix hosts, use the appropriate NTP client; on Linux, it’s xntpd. Set them up to use 192.168.1.1 as the NTP server. On Windows, use AboutTime — a free NTP client. In its configuration make sure it uses only SNTP as the protocol, with 192.168.1.1 as the server. Put AboutTime in the Startup folder so it’s started automatically.

For more details, go to Robert Mooney’s OpenBSD NTP site.

Tips and Stuff
I have a useful shell script called pkg_install that’s a front-end to pkg_add — here’s an example of it being used:
# pkg_install tex
These files match:
gettext-0.10.40.tgz
jadetex-3.11.tgz
latex2html-97.1.tgz
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-mysql.tgz
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-postgresql.tgz
php4-4.0.6p1-gettext.tgz
teTeX_texmf-1.0.2.tgz
texi2html-1.64.tgz
textutils-2.0.tgz
# pkg_install -n 4 texi
Using ftp5.usa.openbsd.org/pub/OpenBSD
+ pkg_add -v ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz
Trying to fetch ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz.
Extracting from FTP connection into /var/tmp/instmp.BVMJM29414
>>> ftp -o — ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz
…
It has a list of all the pre-compiled packages that are available. You type in a string and it installs the package. If more than one name matches, it shows you their names. (It uses egrep(1) so you can use regular expressions.) Save it to /usr/local/bin. It handles dependencies by recursively installing them also.

New in this version is in -n flag. The script has a list of mirrors, and this option picks one of the mirrors. (Currently in progress: it needs bash, and it needs some error checking but it works.) Don’t forget to edit the file — read http://www.openbsd.org/ftp.html and choosea list of mirrors closest to you.

Setting up a CVS server
(This section is probably not of interest to most people; you only need this if you want to set up a cvs server so you can put files you’re working on under source control. So it’s a little terse too.)

The changes I made: added a user and group named cvs. All users of CVS should be in the cvs group. Create a directory for the repository: I put it in /var/cvsroot, you might put it in /home or wherever. This directory should be group writable (group cvs). Add a line to /etc/services:

cvspserver 2401/tcp # CVS pserver
Add this line to /etc/inetd.conf:
cvspserver stream tcp nowait root /usr/bin/cvs cvs -f –allow-root=/var/cvsroot -T /var/tmp pserver
The server uses /var/tmp as its temp directory instead of /tmp since my root partitions are small, but I always make /var large. Now run cvs init in the cvs repository and restart inetd. Voila! Import your directory of files from a client machine, using a pserver CVSROOT and cvs import.

When importing a large set of files, you might want to put a .cvswrappers file in the directory you’re importing so CVS won’t try to put RCS ID strings inside your JPEG files etc. The syntax is:

*.jpg -k ‘b’
*.png -k ‘b’
*.tgz -k ‘b’
Coming soon: using ssh for CVS_RSH.
Setting up X11
You did select the packages xbase, xshare, xfont, and xserv when you installed OpenBSD, I hope? If not, never fear; you can install them directly off the CD:

# mount /dev/cd0a /mnt
# cd /
# tar xzvpf /mnt/3.1/i386/xbase31.tgz
# tar xzvpf /mnt/3.1/i386/xserv31.tgz
# tar xzvpf /mnt/3.1/i386/xshare31.tgz
# tar xzvpf /mnt/3.1/i386/xfont31.tgz
etc. The X11 package for ix86 systems is called XFree86; visit their website for more information. Now run xf86cfg. (If the command is not found, you probably don’t have /usr/X11R6/bin in your PATH environment variable.) Of course this is not something you can do over a network login; you have to be sitting at the machine, with a monitor, keyboard and mouse actually plugged in. You should have your video card and monitor specs available. Follow the instructions to setup XFree86. More information is on the Configuring XFree86 page on the Xfree86 site.
Installing a Desktop
Many people also install a desktop suite such as KDE or Gnome. I prefer KDE of the two. There is nothing special about KDE (or Gnome); it’s just a set of packages to be installed. There are two versions of KDE available, KDE 2.2 and KDE 3.0. Decide which one you want to run, and install those packages. (KDE2 and KDE3 cannot co-exist on the same system.)

These are the KDE2 packages:

$ pkg_info -a | egrep kde
kdelibs-2.2.2 X11 toolkit, libraries
kdeartwork-2.2.2 X11 toolkit, additional artwork
kdegraphics-2.2.2 X11 toolkit, graphics applications
kdelibs-doc-2.2.2 X11 toolkit, libraries documentation
kdebase-2.2.2 X11 toolkit, basic applications
kdenetwork-2.2.2 X11 toolkit, network applications
kdetoys-2.2.2 some useless kde applications
And for KDE3, the corresponding packages are:
kdeaddons-3.0.tgz
kdeartwork-3.0.tgz
kdebase-3.0.tgz
kdeedu-3.0.tgz
kdegames-3.0.tgz
kdegraphics-3.0.tgz
kdelibs-3.0.tgz
kdenetwork-3.0.tgz
kdetoys-3.0.tgz
kdeutils-3.0.tgz
koffice-1.1.1-kde3.tgz
There are lots of I18N packages also, kde-i18n-*-3.0.tgz.
Display managers xdm and kdm
You may want to run a display manager like xdm or kdm. (A display manager is the program that gives you a graphical login display instead of a plain text message.) The config file for kdm is /usr/local/share/config/kdm/kdmrc; the xdm config file lives in /etc/X11/xdm/xdm-config. Edit /etc/rc.conf and set xdm_flags to an empty string (in quotes) to make xdm run on startup. (If you installed KDE, it will be kdm that’s started.) If you installed KDE3, add it to the list of available logins in kdmrc: in the [X-*-Greeter] section, look for the SessionTypes line and add “KDE3″ to the list.

Setting up XDMCP
If you have an X-Terminal (like the Sun Ray, or the ones NCD used to make) or run eXceed on Windows platforms, you may want to allow X11 logins to your OpenBSD machine from eXceed or the X-Terminal. The protocol that allows this is called XDMCP; to enable it: if using xdm, edit /etc/X11/xdm/Xaccess and remove the ‘#’ from the first column of this line:

#* #any host can get a login window
Note: we don’t allow any X11 or XDMCP messages to go across our firewall. Only hosts inside the firewall can get a login screen.
Also edit xdm-config and comment out this line by putting a ‘!’ character in the first column:

DisplayManager.requestPort: 0
If using kdm, edit /usr/local/share/config/kdm/kdmrc and look for the [Xdmcp] section. Uncomment lines so it looks like this:
[Xdmcp]
# Whether KDM should listen to XDMCP requests. Default is true.
Enable=true
# The UDP port KDM should listen on for XDMCP requests. Don’t change the 177.
Port=177
(followed by other stuff.)
Amusements
People like to do things like rip CDs to Ogg Vorbis or MP3 and listen to those files. I use grip as a front-end to rip music to Ogg Vorbis files, and xmms (package name xmms-vorbis) to listen to them. I use Gnu LilyPond and TeX/LaTeX (package teTeX_texmf) to typeset documents and music. The LaTeX files can be converted to HTML with latex2html. You can run Linux programs if you install the redhat_base, redhat_motif, and rpm packages. (The Linux version of Opera, the web browser, runs fine.)

Installing Cyrus IMAP and Postfix on OpenBSD

admin — Mon, 23 Mar 2009 14:26:48 +0000

Table of contents
Introduction
Installation

Prerequisites
libsasl2
imapd
postfix
Configuration

imapd
sieve
postfix
Maintenance

Creating mailboxes
Deleting mailboxes
Installing sieve scripts
Restarting cyrus
Trouble shooting
SASL authentication failure
Undefined constant: _PATH_BSHELL
Introduction
This document is a step by step instruction for installing a Cyrus IMAP Server to an OpenBSD 3.4 machine. I was setting up a mail server for the faerion.oss domain and I wanted to achieve:

Security.

I wanted to secure as much data transfers as possible. All services use transport level security (TLS). (On a slightly different note, I was surprised to know how many major mail servers use TLS for delivery.)

Authenticity.

Anonymous SMTP sessions should only allow sending messages to local recipients.

Consistency.

One source of authentication for both IMAP and SMTP servers. I decided to use SASL2 as the simplest available solution.

Things I could not accomplish in the described setup:

Virtual domains (authentication always fails in imapd). [hint]
Allow users to change passwords without my interaction.
These issues will be covered in a later edition of this document.

Installation
Prerequisites
The IMAP server will be running as user cyrus; create the user and the group.

Postfix will be running as user _postfix. The port created everything automatically, so nothing needs to be done.

The password database will be shared between postfix and imapd, so a group mail must be created and both users must be added to it.

It is not a good idea to build ports as root (though you will have to install them as root). It is best to make the whole ports tree gourp writable:

$ cd /usr
$ sudo chmod -R g+w ports
$ sudo chown -R root:wheel portsCyrus SASL Library
The library is in ports, so it is supposed to be installed relatively easy. However, the port for OpenBSD 3.4 is broken (“make install” is failing to install shared versions of authentication plugins). Updated the port to version 3.5, it will work on 3.4.

$ cd /usr/ports/security/cyrus-sasl2
$ cvs up -d:pserver:anoncvs@anoncvs.ca.openbsd.org:/cvs up -r OPENBSD_3_5
$ make
$ sudo make installCyrus IMAP Server
I was installing the latest available version, 2.2.3. I had to disable GSSAPI support until they fix it to compile on OpenBSD.

The following commands worked for me:

$ ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.2.3.tar.gz
$ tar xfz cyrus-imapd-2.2.3.tar.gz
$ cd cyrus-imapd-2.2.3
$ ./configure \
–with-openssl=/usr \
–with-cyrus-user=cyrus \
–with-cyrus-group=cyrus \
–with-notify=no \
–with-idle=idled \
–disable-cmulocal \
–disable-gssapi \
–with-sasl=/usr/local \
–with-bdb=/usr/local/BerkeleyDB.4.2 \
–with-bdb-incdir=/usr/local/BerkeleyDB.4.2/include
$ make
$ sudo make installPostfix
$ cd /usr/ports/mail/postfix/snapshot
$ export FLAVOR=”sasl2 tls”
$ make
$ sudo make install
$ export FLAVOR=
$ sudo /usr/local/sbin/postfix-enable — replace sendmail with postfixConfiguration
Configuring imapd
Create the master configuration file:

$ sudo cp master/conf/normal.conf /etc/cyrus.confEdite the file to disable pop3 and pop3s and enable idled (the latter is an extension that notifies connected clients about new mail so that they won’t have to periodically query the server; you definitely want this).

Create /etc/imapd.conf with the following content:

admins: cyradm
configdirectory: /var/imap
partition-default: /var/spool/imap
reject8bit: 1
rfc2046_strict: 1
virtdomains: no
sasl_pwcheck_method: auxprop
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pemCreate directories specified in imapd.conf:

$ mkdir -m 750 /var/imap /var/spool/imap
$ sudo chown cyrus.cyrus /var/imap /var/spool/imap
$ sudo -u cyrus tools/mkimapCreate the certificate:

$ cd — home
$ openssl req -new -x509 -nodes -out server.pem \
-keyout server.pem -days 3650
$ sudo mv server.pem /var/imap/Add the following lines to /etc/rc.local:

if [ -x /usr/cyrus/bin/master ]; then
echo -n ‘ cyrus-imapd’
/usr/cyrus/bin/master -d >/dev/null 2>&1
fiStart the server:

$ sudo /usr/cyrus/bin/master -dMake sure it works:

$ telnet localhost. imap
Trying ::1…
Connected to localhost..
Escape character is ‘^]’.
* OK faerion.oss Cyrus IMAP4 v2.2.3 server ready
. logout
* BYE LOGOUT received
. OK Completed
Connection closed by foreign host.Good.

Create an email user account that will be used for administering the server:

$ sudo saslpasswd2 -c cyradm
Password:
Again (for verification):Make sure the server will be able to access the database:

$ sudo chown cyrus.mail /etc/sasldb2.dbTry to log in as user cyradm using the LOGIN method:

$ imtest -m login -a cyradm localhost.
S: * OK faerion.oss Cyrus IMAP4 v2.2.3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+
MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME
UNSELECT CHILDREN MULTIAPPEND BINARY SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
IDLE STARTTLS AUTH=OTP AUTH=GSSAPI AUTH=DIGEST-MD5
AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyradm {4}
S: + go ahead
C:
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.Wonderful.

Configuring SIEVE
Sieve is server-side message filtering extension. It requires two additional directories:

$ sudo mkdir -m 750 /usr/sieve /var/sieve
$ sudo chown cyrus.cyrus /usr/sieve /var/sieveConfiguring Postfix
/etc/postfix/main.cf
Added my domains:

myhostname = faerion.oss
mydestination = $myhostname, faerion.ossChanged mailbox transport to cyrus:

mailbox_transport = cyrusEnabled SASL by adding the following to the end of the file:

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
permit_auth_destination,
permit_sasl_authenticated,
reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
/etc/postfix/master.cf
Corrected the path to the delivery agent (it was /cyrus/bin/deliver):

cyrus unix – n n – – pipe
user=cyrus argv=/usr/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
To use SASL, the following lines were added to /usr/local/lib/sasl2/smtpd.conf

Note: there were numerous “SASL authentication failure” warnings in /var/log/maillog which confused me at first; it came out to be normal because libsasl2 features several plugins, only one of which succeeds (sasldb), all other should fail.

pwcheck_method: auxprop
mech_list: crammd5 digestmd5 login plainI wanted to use a single certificate for both IMAP and SMTP (some email clients, like The Bat!, complain if different certificates are used):

$ sudo mkdir /etc/postfix/ssl
$ sudo cp /var/imap/server.pem /etc/postfix/ssl/Enabled TLS by adding the following lines to /etc/postfix/main.cf:

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/server.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server.pem
smtpd_tls_CAfile = /etc/postfix/ssl/server.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandomSince postfix runs chrooted by default, it needs a local copy of /etc/sasldb2.db. I made a hardlink, because /etc and /var are within one filesystem in my installation; you may need to copy the file (perhaps in a cron script) or unchroot the smtp service.

$ sudo mkdir /var/spool/postfix/etc
$ sudo ln /etc/sasldb2.db /var/spool/postfix/etc/sasldb2.dbTo make sure postfix starts with the system, the following lines were added to /etc/rc.local:

if [ -x /usr/sbin/postfix ]; then
echo -n ‘ postfix’
/usr/sbin/postfix start >/dev/null 2>&1
fiStarted the server:

$ sudo postfix startMaintenance
Creating mailboxes
$ sudo -u cyrus saslpasswd2 -c hex
Password:
Again (for verification):
$ cyradm -a login -u cyradm localhost.
IMAP Password:
localhost> createmailbox user.hex
localhost> quitDeleting mailboxes
$ sudo -u cyrus saslpasswd2 -d hex
$ cyradm -a login -u cyradm localhost.
IMAP Password:
localhost> setaclmailbox user.hex cyradm c
localhost> deletemailbox user.hex
localhost> quitInstalling sieve scripts
I created a temporary file called tosser, then I installed it for user hex:

$ sieveshell -u hex localhost.
connecting to localhost.
Please enter your password:
> put tosser
> activate tosser
> list
tosser <- active script
> quit
$ rm tosserHere is a self-explaining example of a sieve script. (I have found this script here and copied it just in case the original link dies.)

require “fileinto”;

if header :is “X-Mailinglist” “suse-linux” {
fileinto “INBOX.Listen.suse-linux”;
}
elsif header :contains “Mailing-List” “reiserfs” {
fileinto “INBOX.Listen.reiserfs”;
}
elsif address :contains :all ["to", "cc", "bcc"] “free-clim” {
fileinto “INBOX.Listen.free-clim”;
}
elsif header :contains “List-Id” “gnupg-users.gnupg.org” {
fileinto “INBOX.Listen.gnupg”;
}
elsif header :is “X-loop” “isdn4linux” {
fileinto “INBOX.Listen.isdn4linux”;
}
elsif header :contains “Mailing-list” “qmail-help@list.cr.yp.to” {
fileinto “INBOX.Listen.qmail”;
}
elsif allof (header :contains “Sender” “owner-info-cyrus@list”,
address :contains :localpart ["to", "cc", "bcc"] “info-cyrus”) {
fileinto “INBOX.Listen.info-cyrus”;
}
elsif header :contains “Sender” “ntbugtraq@listserv” {
fileinto “INBOX.Listen.ntbugtraq”;
}
elsif header :is “list-id” “” {
fileinto “INBOX.Listen.sieve”;
}
elsif header :contains “From” “securityportal-l@listserv.securityportal.com” {
fileinto “INBOX.Newsletter.securityportal”;
}
elsif address :contains :all ["from"] “newsletter@ebay” {
fileinto “INBOX.Newsletter.ebay”;
}
elsif address :contains :all ["to", "cc", "bcc"] “allegro-cl@cs.berkeley.edu” {
fileinto “INBOX.Listen.allegro-cl”;
}
elsif address :contains :all ["to", "cc", "bcc"] “plob@lisp.de” {
fileinto “INBOX.Listen.plob”;
}
else {
fileinto “INBOX”;
}Restarting cyrus
I needed to do the following after changing /etc/imapd.conf or /etc/cyrus.conf:

$ sudo kill `head -1 /var/run/cyrus-master.pid`
$ sudo /usr/cyrus/bin/master -dTrouble shooting
SASL authentication failure
This message in your mailer’s log file (usually /var/log/maillog) means that postfix could not verify the user name against userdb. Make sure that:

The userdb files are readable by postfix children processes.
The userdb files are in the right location. If you run postfix chrooted, make sure that you add passwords to the right copy which is inside the chroot jail.
Sometimes libsasl does not want to verify passwords if the domain name (“realm”) is not specified. Try logging in to the SMTP server using all available authentication data: username@domain.
These notes are not only applicable to the OpenBSD installation described by this document (and most of these errors are not likely to happen); they might be useful to people attempting to use this guide to set up a similar mail server on a different operating system.

Undefined constant: _PATH_BSHELL
This error may occur if you have nntpd installed, which also installs its own vision of system paths as /usr/local/include/paths.h. Remove this file and postfix should recompile smoothly.

Step-by-Step Guide to Building an OpenBSD PPPoE Gateway, with Firewall

admin — Mon, 23 Mar 2009 14:21:18 +0000

Introduction
Why would one install his own personal gateway to the Internet? Because it is quite easy to do. And also because it simply is the most reliable, safest way to connect machines to a dedicated xDSL modem. Moreover, we can stash a whole bunch of useful features in such a little box. Here is a list:

PPPoE Gateway
PPPoE is a curious beast forced down our throats by some DSL providers. On one side, it does not really break anything, has low overhead and allows you to change IP adresses very easily & quickly. On the other side, it sucks big time because it does add overhead to the IP packets, is proprietary, non-standard, forces you to change IP adresses unpredictably, and is unsupported in most operating systems. A good PPPoE gateway simply hides PPPoE from the machines on your internal network. It makes life much easier because you don’t have to install any special “access manager” software on your windoze boxen. They will just work (provided you set their IP address correctly).

Firewall
A firewall is quite mandatory for any machine directly connected to the Big Bad Internet. We want an industrial-strength stateful inspection firewall and this is what we’ll get.

NAT (Network Adress Translation)
The name seems complex, but it is really quite simple: this allows the gateway machine to act on the internet on behalf of all the machines located on the intranet (your internal home network). Even though you might have two, three or even ten computers on your local network, a NAT equipped gateway will hide them to outside observers. They will only see a single very busy machine, with a single IP address.

DNS (Domain Name Service) cache
Having your own DNS server will lower the latency of getting DNS translations for all the machines on your intranet. This will not really decrease the traffic on your DSL modem by a large percentage, but it will improve the quality of the “internet experience” on your local network.

Dynamic DNS tracker
Free dynamic DNS services are extremely useful to xDSL customers. They allow you to have your very own domain name, free of charge, which will follow in real-time your IP address changes. The catch is that the top-level part of your domain must be one of their supplied choices. They are not that bad, really… Personally, I use DYNDNS but any of the multiple free dynamic DNS providers out there will do just fine. Simply make sure they have a client “updater” which can compile and run under OpenBSD.

WEB server
Most ISP’s only allow a few megabytes of disk for web service. Moreover, they never give you direct access to the web logs. Having your own web server allows you the luxury of using all the disk space you want, plus the added advantage of complete control over the web service (cgi-bin) and its logs. Moreover, OpenBSD comes with a crypto-enabled version of Apache and all the tools you need to create RSA-keyed certificates.

Mail server
Have you ever wanted to create a temporary email address just to receive some password? Or simply wanted addresses tailored for specific domains of interest? These are only a few of the many advantages of having your own mail server.

NTP server
The Network Time Protocol allow you to synchronize the gateway’s clock to one of the numerous atomic time references available on the internet. Moreover, the same program is also used as a local time server, so that all your intranet machines can themselves synchronize their clocks to the gateway’s clock. NTP synchronizations are made in tiers, like this, in order to lower the burden on the public time servers.

This page is for all those of you who have are lucky enough to enjoy a dedicated xDSL connection and would like to have a small firewall installation. In my search for the holy grail, i found the answer to most of my wishes in the OpenBSD package. This step-by-step guide is a collection of notes taken while I was installing the thing. They are intended to help my friends do their own setups very quickly and easily, without having to bug me too much They should help you too.

Constructive comments can be sent there … Have fun and GOOD LUCK!

Getting some hardware
The first thing to think about when one embarks on the firewalling adventure is to establish on what hardware you are going to install the thing. This seems unimportant at first, but don’t forget that this box will be turned on 24/7, so the components you use must be reliable.

What are the minimum requirements? My system uses about 50% of its CPU to support Sympatico’s ADSL rate (around 900 kbps). It is built with the following components:

An ancient 486 motherboard (with an ISA bus) given to me by a friend (thanks Christian!). It runs at 66 MHz.
32 MB of brand new RAM i bought for it.
A 200 MB hard disk, which was dying after about 1 year of faithful use (it came with the motherboard). This disk was recently replaced with the cheapest brand new drive i could find. I didn’t know they still made those slow 3600 RPM drives Anyway, the old drive is kept as a kind of extreme emergency backup.
Two ISA-bus ethernet cards. I’ll talk more about this later.
A CD-ROM drive. Very optional, but can make life easier.
A “home” grade hub & cat5 cabling. This is not strictly necessary if you’ll have only one machine connected to your firewall: you can make do with a special “crossover” cat5 cable instead. The cable that comes with xDSL modems is usually (always?) a crossover cable. Anyway, for two or more machines, the hub is mandatory. Small hubs can be bought for a very reasonable price (~40$ cdn).
or
Alternatively, many older ethernet cards come with a BNC female connector. This can be used to connect the machines on your network with coax cables, without any hub. However, be warned that a 10base-2 network must follow certain rules if you want it to work flawlessly. Follow them.
This gives a good approximation of what you need. The MOST important part is the RAM. Make absolutely sure that whatever RAM you use is reliable. Old boxen were usually setup to run Windoze, and it was not a big deal if the machine had flaky RAM because of the way Windoze works…

OpenBSD (like any real OS out there) is much less tolerant of flaky RAM, because it actually uses all of it. It will crash quite quickly if your RAM is marginal, probably within 5-10 minutes. You have been warned.

Finally, the OpenBSD hardware list is there. Try to make sure that whatever hardware you use in your gateway box figures on that list. It’s a long list

The ethernet cards
There is a boring thing of which we must talk about here. You see, there are many kinds of ethernet cards, and you must make sure you have the right ones for your machine. If you have a PCI-based machine, then all is well. Whatever ethernet card you put in there will probably be supported by OpenBSD. However, you must be a bit more careful if you have an ISA-based machine.

It is most likely that your box will not have any ethernet cards to start with since most people did not have networks at home in the pre-historic era of 4 years ago. You need two cards. One will be connected to the DSL modem (the big, bad outerworld), while the other is connected to your internal network hub (your intranet). The gateway’s job will be to pass (or block) packets between those two network cards. For security, its very important that the outside world packets cannot reach directly any of the intranet machines. This is the reason why we use two ethernet cards: complete logical and electrical isolation. Why so much isolation? For example, if someone(s) were launching a full (distributed or not) denial of service attack on your gateway box, its internet-connected ethernet card would be extremely busy, but your intranet would see nothing of this. While any communication with the outside world would probably fail, at least your intranet machines would still be able to talk to each other.

ISA cards use dedicated I/O ports and IRQ’s in your machine. Those must be setup either with jumpers directly on the card, or with a special DOS program if the card is of the more recent “Plug & Play” type. This DOS program is always supplied with the card, when purchased brand new.

If your card is Plug&Play, you must disable the Plug&Play, and program specific I/O port and IRQ values with the setup software that comes with the card. Make sure that you program both cards with different sets of I/O ports and IRQs! Otherwise they will battle each other for cycles on the bus and the result will not be pretty. Once you have set the parameters on the card it will remember them and you don’t have to reprogram anything later on, even if the computer is turned off.

It is good at this point to know a few magic numbers:

Card Type I/O #1 IRQ #1 Mem #1 I/O #2 IRQ #2 Mem #2
NE2000 (ne) 0×240 9 — 0×300 10 —
SMC WD-8003 (we) 0×280 9 0xd0000 0×300 10 0xcc000

For example, i use two cards made by AOpen: the model ALN-101. They are Plug&Play and use the NE2000 chip. The first one is setup at I/O port 0×240, IRQ 9. It is known as “ne0″ in the GENERIC openBSD kernel. The second one is set at I/O port 0×300, IRQ 10. It is known as “ne1″. If the cards were programmed differently, the GENERIC kernel would not recognize them “out of the box” and you would have to re-configure the kernel. It can be done, but its much easier to setup the hardware once than re-configure the kernel every time it gets upgraded.

Some of you might have problems setting the card to an arbitrary combination of IO port and IRQ number. This is allright, just let the card decide what it wants and simply reconfigure your kernel to accomodate that. What is important is that both ethernet cards are not set to conflicting values. Otherwise, any combination that the cards like will be programmable in the kernel.

Last but not least: some cards can be used in the so-called “full-duplex” mode. Be aware that if you want to use an ethernet card in full-duplex, your hub must also be full-duplex, as well as the other ethernet cards in the system. A full-duplex hub is much more expensive and not necessary at all. Unless you know what you are doing, program your ethernet cards to use the half-duplex mode, otherwise it won’t play nice with the other components in your local network, including the xDSL modem
(注，这里需要说NE2000等旧款的基于486机的网卡也可以用，但现在这些网卡，其本难找，所以至少要用8139系列芯片的10-100M自适应的网卡来做应用）

The hard disk
The most secure storage medium is one which can’t be erased. Some firewalls actually use setups like this (with CD-ROMS) but we’ll build our firewall with a classic, writeable hard drive because:

We don’t need “Absolute Security”, do we? We can’t have it anyway
We want to use an “out-of-the-box” OpenBSD distro. This will make maintenance (security, patches, etc…) much easier.
Almost any hard disk out there will work OK, since 200 MB is a safe minimum size. The only thing you must remember is that this disk will run 24/7, so if you use an old drive, it will likely die relatively soon. The venerable drive my friend gave me lasted 6 months before i had to change it, YMMV.

No keyboard?
Of course you’ll need a keyboard… and a monitor too, but just for the installation. After the firewall is successfully installed, you will be able to talk to it through encrypted ssh connections over your internal network, so a keyboard & monitor will not be really useful at that point.

——————————————————————————–

Getting the software
We will be using OpenBSD. Why? Because it is the most secure freely available operating system out there. All the source code included in the mainstream distribution CD’s has been audited for years by the OpenBSD team, which is why sometimes an exploit published on BugTraq is found not to work on OpenBSD simply because the faulty code was already fixed months ago.

I strongly suggest you buy their CD-ROM kit as it comes with a set of very cool stickers… You can also download their stuff for free, of course, but you won’t have the stickers then

This Guide is written for OpenBSD 3.0.

The easiest way to install the software is to use a CD-ROM drive on your firewall box. If you don’t have that, you can do a network install with the “ftp” protocol, either directly to an outside OpenBSD mirror, or to one of your own internal machines equipped with an ftp server. Be aware that if your DSL provider forces you to use PPPoE (boooo!), then of course your link to the outside world will not be functional yet at installation time, which is one more reason to use the CD-ROM. If your machine can boot a CD-ROM, great! It will gladly boot the OpenBSD disc. Otherwise, simply create a boot diskette according to the README and boot that. This diskette is also your rescue disk, so don’t lose it.
——————————————————————————–

Installing OpenBSD
The installation of OpenBSD is very easy, once you have the right hardware, and the right answers to some of the questions. In the following steps, i’ll assume you can follow the instructions of the install program and focus only on the tricky little things you should know to make your life easier.

fdisk & disklabel
After you boot the installer, one of the very first things you’ll have to do is partition your disk. This is done with the “fdisk” and “disklabel” programs. The installer will ask you if you want to use the entire hard disk for OpenBSD. Answer No, even if it is not entirely true. If you say yes, the whole fdisk step will be bypassed, and you will not be able to change the default cylinder/head/sector configuration in order to boot off the hard disk without resorting to the silly “FDISK /MBR” DOS command which is a stupid solution to a stupid problem.
The default OpenBSD fdisk partition setup choice is in slot #3. If you want, you can move your OpenBSD partition in slot #0 with no ill effect.

Important: On some systems, to make sure your system boots off the hard disk, you must set the starting CHS (cylinder/head/sector) to C=0, H=0, S=1, because fdisk suggested an incorrect value for H in OpenBSD 2.7, and still does in 2.8 … If you use “1″, as it suggests, your system will not be able to boot from the hard disk.

After the disk is partitioned with fdisk, you use disklabel to further organize the partition. A label behaves like a traditional partition (as used in Linux, for example), except that you can put as many labels as you want in the single OpenBSD partition. This is useful.

On a fully partitioned system, the disk labels might look like this:

a: 2097648 0 4.2BSD 1024 8192 16 # / 1 GB
b: 262080 2097648 swap # SWAP 128 MB
c: 20015856 0 unused 0 0 # (whole disk) 10 GB
d: 2097648 2359728 4.2BSD 1024 8192 16 # /usr 1 GB
e: 2097648 4457376 4.2BSD 1024 8192 16 # /tmp 1 GB
f: 2097648 6555024 4.2BSD 1024 8192 16 # /var 1 GB
g: 4194288 8652672 4.2BSD 1024 8192 16 # /usr/local 2 GB
h: 7168896 12846960 4.2BSD 1024 8192 16 # /home 3 GB
On my firewall, i like to keep things simpler, so it goes like this:

# size offset fstype [fsize bsize cpg]
a: 18874800 0 4.2BSD 1024 8192 16 # (Cyl. 0 – 18724)
b: 1141056 18874800 swap # (Cyl. 18725 – 19856)
c: 20015856 0 unused 0 0 # (Cyl. 0 – 19856)As you see, the ‘c’ label is a placeholder for the whole disk, in all cases. Don’t delete or otherwise change this, or you’ll be in trouble.

One of the main disadvantages of having a single partition is that one could do bad things in such quantity that the log files would simply fill up the whole drive. OpenBSD doesn’t like it when all its disk space is full. You can guess the rest of the story. In practice, this is not an issue, since i monitor my log files daily, but it could be an issue for someone out there.

On a fully partitioned system, the “df” command says this, after the OS is installed, with its complete source trees:

Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0a 1015269 25985 938521 3% /
/dev/wd0d 1015269 480284 484222 50% /usr
/dev/wd0e 1015269 1 964505 0% /tmp
/dev/wd0f 1015269 5141 959365 1% /var
/dev/wd0g 2030307 8698 1920094 0% /usr/local
/dev/wd0h 3470505 27 3296953 0% /home

On my system i have this:

Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0a 9137589 503054 8177656 6% /

In this example, the full OpenBSD source tree is installed, which explains why the thing uses up about 500 MB. Without the source tree, you only need about 120 MB in there, but having the source tree allows you to make security patches as they are published. This is important and i’ll talk about it more later.

Active FTP
If you do an FTP install to a private FTP server, it might be necessary to use active FTP.

Crypto, SSL, etc…
The crytographic packages are included in the CD’s since release 2.9 of OpenBSD. They will be automatically installed.

UTC time zone
Keep your server in the UTC time zone. This way, your firewall logs will be timestamped in UTC time and it will be simpler to have them interpreted by the abuse@… services of ISP’s. Also, it is important to make sure the gateway is time-synchronized to one of the numerous public NTP servers out there, because having only an IP address is not enough to pin down internet abusers. In this age of dynamic IP allocations you need both IP address and exact time in order to positively identify the origin of an IP packet. Keep your gateway synchronized.
Why not GMT instead? Read all about it there.

Normally, the installer will ask you for a time zone at install time. If you want to change it later, simply make /etc/localtime point to /usr/share/zoneinfo/UTC with a soft link:

ln -s /usr/share/zoneinfo/UTC /etc/localtime

First Boot
reboot … did your machine boot correctly? If not, please consult the numerous FAQ’s available at the OpenBSD site. Are you sure you set H=0 in fdisk? By the way, if it doesn’t boot from hard disk, you can probably still force it by first booting the install diskette, and entering “boot wd0a:/bsd” at the initial prompt. You have about 5 seconds to make your mind, when you see this prompt, act swiftly.
On first boot, you will probably get a message like “ssh-keygen: generating new DSA host key…”, followed with an equivalent message for the RSA host key. They might take quite a long time on a 486 (5-10 minutes), so Don’t Panic! ™ , the machine is not crashed, and the boot process will eventually follow its course, given time. This will happen only on the first boot.

Kernel extra configuration
If, at this point, the kernel sees all you devices (including both ethernet cards), congratulations. If not, you can reconfigure the kernel without having to recompile it by simply using the config utility. Typically, you would copy your current kernel (the “/bsd” file) to an appropriate backup name (e.g. “/bsd.ORIGINAL”), and issue this command:

config -e -f /bsd
and make whatever changes you need. You should know what you’re doing in order to use this command without blowing your system up into tiny bits & pieces. Don’t forget to save your changes. If this modified kernel doesn’t work OK, just boot the “/bsd.ORIGINAL” kernel instead, and you will have another chance.

Sys control files
The services allowed by OpenBSD are configured by a couple of files in the /etc directory. Actually, this directory contains all the configuration files of OpenBSD, for your convenience, but this is something you’ll only appreciate later, when you become an experienced BSD maintainer… We’ll come back to that /etc directory quite often.
For now, just make sure that the following are enabled:

In the file /etc/sysctl.conf:
net.inet.ip.forwarding=1

and in /etc/rc.conf:
sendmail_flags=”-L sm-mta -bd -q30m”
named_flags=”"
httpd_flags=”-DSSL”

Important: If you plan to use PPPoE, don’t enable pf here because you want to start it in a controlled manner, after PPPoE is started. Enabling “pf” here would make it start at the very beginning of the boot process and this would not work.

PPP & PPPoE
Ahhhh… the Evil Beast. Installing a good, working PPP and PPPoE can be quite a tricky task. In OpenBSD 3.0, it is included and works well, once properly configured. This version of PPP supports the “mssfixup” instruction which magically allows you to avoid setting MTU’s at 1492 or less on all of your intranet’s machines. This is very recommended as it avoids a whole bunch of problems with Windows machines, internet appliances, etc…
Notice that there is an excellent Network FAQ available from the OpenBSD site. It contains a lot of information on what to do with those ethernet adapters.

The configuration file for ppp is in /etc/ppp/ppp.conf. Mine contains exactly this:

default:
set log Phase Chat IPCP CCP tun command
set redial 15 0
set reconnect 15 10000

pppoe:
set device “!/usr/sbin/pppoe -i ne0″
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname xxxxxxx
set authkey xxxxxx
add! default HISADDR
enable dns
enable mssfixupNotice how we specify the real network interface ne0 to pppoe (with double quotes), and that i use “max 1492″ for the MTU value, as suggested by many people. Also, no value is specified for the MRU, the PPP network address translation is not enabled, the magic “mssfixup” is enabled and i use the “add!” command instead of plain “add” (suggested by Chris Pockele).

Also notice that the authname and authkey fields don’t contain double-quote characters. You should put in there your own ISP identification and password. Some ISPs require authname to have a full identification (e.g. “username@sympatico.ca”), while other ISPs will want to have only “username” in the authname field. Experiment.

Robert Jameson (thanks Robert!) reports that some ISPs require you to specify the pppoe service you want. This is done on the “set device” line. For example:

set device “!/usr/sbin/pppoe -n Shasta_1 -i ne0″

VERY IMPORTANT!

For some reason, the routes setup automatically by ppp at linkup time were not correctly defined prior to OpenBSD version 3.0. The MTU’s were wrong, leading to all sorts of subtle problems. This is now fixed, and we can safely use the “add default HISADDR” command in the ppp config file, with no special route commands at all in the ppp.linkup file. The MTUs will be properly set to 1492 on all the routes which go through the external interface.

The command “netstat -rn” confirms this:

pcreal# netstat -rn
Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 65.92.185.1 UGS 3 13423 1492 tun0
65.92.185.1 65.92.185.97 UH 1 0 1492 tun0
127.0.0.1 127.0.0.1 UH 1 1045 33224 lo0
192.168.1/24 link#2 UC 0 0 1500 ne1
192.168.1.1 0:e0:18:90:a7:c7 UHL 3 10475 1500 ne1
…

A friend from Australia (thanks Doug!) suggested i clarify the following points:

(1) The 64.229.x.x adresses will NOT be the same in your setup! Those are the adress blocks of my PPPoE service provider (Sympatico). Your own setup will use, most likely, different address blocks.

(2) The ppp daemon creates a virtual network interface (“tun0″) out of thin air. This virtual network interface is internally linked to the actual physical interface (“ne0″ in my system), but you will never have to deal directly with “ne0″ in your configuration files. For example, the firewall rules are written with the virtual “tun0″ interface, not the physical “ne0″ interface. In my setup, the internal interface is “ne1″, and the external interface is “tun0″. Here is Doug’s analogy with the Windows world:

“… think of the PPPoE adaptor like the dialup adaptor in a Windows
control panel. it doesn’t really exist but you gotta have it…”(3) The ppp daemon takes care of automatically assigning the name servers and the routes. Consequently, make sure there is no file “/etc/mygate”, and bear in mind that “/etc/resolv.conf” will be automatically generated as well, at connection time. This has the advantage that you don’t need to know anything about the details of your connection (name server adresses, etc…) to your ISP. Your user ID and password are sufficient, as the ppp daemon will negociate with the server and obtain the information it needs to open the connection.

(4) Since the ppp daemon will take are of the external network interface, you don’t need a “/etc/hostname.ne0″ file. However, you do need a file to describe your internal network interface (in my case, “ne1″):

pcreal# cat /etc/hostname.ne1
inet 192.168.1.2 255.255.255.0 NONENormally, this file should have been built by the setup program of OpenBSD, but if not, you must manually put it there and replace the “192.168.1.2″ with whatever address you want your gateway to have as seen from your internal network.

Another friend, from France (thanks Xavier!), sent me this ascii picture of the network connections:

| |
internet| ====> |DSL Modem| ====>|server|=====>|LAN (HUB)
| tun0 ne1 |
| =ne0 |

Note: I consider this PPP/PPPoE setup to be a work in progress. I continually discover new things about it… so, please bear with me and do send me your feedback about your own experience regarding PPP/PPPoE. It really is a pain, but apparently we will be stuck with it for a long long time, so we might as well learn how to tame the thing!

Second Boot
reboot … your machine should boot correctly. You won’t have internet access yet because the ppp program is not activated. If you want to try it out, just issue

ifconfig ne0 up
ppp -ddial pppoeand ping/telnet away. Don’t worry if you get “carrier settings ignored”, or “change route failed” messages. Be careful because at this point you have no firewall rules set, so you are very vulnerable. Also, make sure your xDSL modem is plugged in the correct ethernet card…

If all works well, then you should kill the “ppp” process. Only restart it when the firewall rules are in place.

The afterboot phase
Follow the instructions obtained by issuing the “man afterboot” command. Actually, quoting FAQ section 2.3, here is a list of the most useful man pages for new users:

* [15]afterboot(8) – things to check after the first complete boot
* [16]boot(8) – system boot strapping procedures
* [17]passwd.conf(5) – format of the password configuration file
* [18]adduser_proc(8) – procedure for adding new users
* [19]adduser(8) – command for adding new users
* [20]vipw(8) – edit the pass word file
* [21]man(1) – display the on-line manual pages
* [22]sendbug(1) – send a problem report (PR) about OpenBSD to a
central support site.
* [23]disklabel(8) – Read and write disk pack label.
* [24]ifconfig(8) – configure network interface parameters.
* [25]route(8) – manually manipulate the routing tables.
* [26]netstat(1) – show network status.
* [27]reboot, halt(8) – Stopping and restarting the system.
* [28]shutdown(8) – close down the system at a given time.
* [29]boot_config(8) – how to change kernel configuration at boot

One of the first things you should do at this point is to add an unprivileged user and make him member of the wheel group. This is because, for security reasons, it is never a good idea to log in directly as root. The preferred way to gain root privileges is to login as a wheel member, and then use the “su -” command to gain root privileges.

OpenBSD will not prevent you from logging in directly as root, but will warn you every time against doing it.

Have fun!

Firewall and NAT rule sets
This is a tricky one. Many people earn a good living just by knowing how to write firewall rule sets! Moreover, the whole packet filter and NAT code was completely rewritten from scratch in OpenBSD 3.0. It is now called “pf”, and is completely free of any external licensing strings so we will always have the latest, fully audited versions in future OpenBSD releases.
Here are my own pf rules, in all their glory. They were heavily influenced by the various man pages and HOW-TO’s pertaining to “pf”. Be aware that they might be either too restrictive, or not enough, depending on your context. My philosophy about this is to disallow everything by default, and only open whatever is known to be useful. This restrictive ruleset will prevent ftp from working correctly, from the firewall itself. However, the ftp proxy currently available will work correctly for client machines located on the intranet.

Don’t forget to send me your tips for better rules… Thanks!

/etc/nat.conf
nat on tun0 from 192.168.1.0/24 to any -> tun0
rdr on ne1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

/etc/pf.conf
#————————————————————————–
# PF ruleset, 11 dec. 2001
#
# Liberally adapted from the pf man page, the OpenBSD “Network How-To”,
# and my own rulesets.
#————————————————————————–

#————————————————————————–
# Definitions
Ext = “tun0″ # External interface
Int = “ne1″ # Internal interface
Loop = “lo0″ # Loopback interface
IntNet=”192.168.1.0/24″ # Internal network

NoRoute = “{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }”

InServicesTCP = “{ ssh, smtp, auth, http, https, pop3 }”
#InServicesUDP = “{ domain }”
OutServicesTCP = “{ http, https, smtp, pop3, whois, domain, ssh, telnet, ftp, ftp-data, nntp, auth, ntp }”
OutServicesUDP = “{ ntp, domain }”

XMMS = “{ 6000, 7500, 8000, 8004, 8044, 8034, 8052, 8038, 8010, 8400, 8014, 8026, 8048, \
8002, 8024, 8028, 8080 }”
RealAudio = “{ 554, 7070, 8080 }”

#————————————————————————–
#————————————————————————–
# Clean up fragmented and abnormal packets
# By default in pf, packets which contain IP options are blocked. Good.
scrub in on { $Ext, $Int } all
#————————————————————————–

#————————————————————————-
# Defaults
# block and log everything
block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all

block in quick inet6 all
block out quick inet6 all
#————————————————————————-

#————————————————————————–
# loopback packets left unmolested
pass in quick on $Loop all
pass out quick on $Loop all
#————————————————————————–

#————————————————————————-
# Immediate blocks
# fuzz any ‘nmap’ attempt
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA

# don’t allow anyone to spoof non-routeable addresses
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute

# silently drop broadcasts (cable modem noise)
block in quick on $Ext from any to 255.255.255.255
#————————————————————————-

#————————————————————————-
# PASS rules

# ALL — we don’t normally do that. For debugging only.
#pass out quick on $Ext all keep state

# pass in data mode connections for ftp-proxy running on this host.
pass in quick on $Ext inet proto tcp from any to any port > 49151 flags S/SA keep state

# ICMP
pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# Services we provide to the outside world
#pass in quick on $Ext inet proto udp from any to any port $InServicesUDP keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state

# Standard services we want to access in the world
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state

# Special services
pass out quick on $Ext inet proto tcp from any to any port $XMMS flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to any port $RealAudio flags S/SA modulate state
IMPORTANT: Note that the “rdr” rule in the NAT file refers to the INTERNAL network interface. Its purpose is to redirect all ftp-data requests from the intranet to be redirected to the ftp-proxy on the firewall. Then the ftp-proxy channels those into ports 49152-65535, and outputs them on the internet. This is why we have this hole in the firewall starting at port 49152. I know, it is in the IN direction, but that is how passive ftp works… It is quite a broken protocol.
That’s it! Nothing too painful, as you see. Since pf is a stateful inspection firewall, we can keep our ingress rules to a strict minimum. Notice the sheer elegance of the ruleset, with all services defined at once in a single IN or OUT rule.

One last thing: in order to automagically enable your firewall when the link comes up, you can put the following lines in the /etc/ppp/ppp.linkup file. Notice the extra space in front of each “!” character:

MYADDR:
! sh -c “/sbin/ifconfig pflog0 up”
! sh -c “/sbin/pfctl -e -l tun0 -F all -O aggressive -R /etc/pf.conf -N /etc/nat.conf”

The FTP proxy
If you want tight security, and no FTP available on your intranet, simply remove the hole at 49152, and the “rdr” command in the file “nat.conf”. However, if you want to be able to use FTP from the intranet, then you must keep those, as well as enable the “ftp-proxy” service in inetd. Simply add this line to inetd.conf :

8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxyDon’t forget that you still won’t be able to do FTP’ing from the firewall itself, when the packet filtering is enabled. Hopefully, it is very easy to temporarily disable pf with the command “pfctl -d”, and later re-enable it with the command “pfctl -e”. This comes in handy when we install packages from ftp.openbsd.org with the command “pkg_add”.

We are confident that ftp-proxy will improve with time and eventually dynamically manipulate the state tables of the firewall in order to open/close needed connections on-the-fly.

Addinc stuff to /etc/rc.local
This is where our custom startup instructions go. Those things are started while the kernel is in secure level 1. If you need anything started in a lower security level, modify /etc/rc.securelevel instead. In order to start up PPPoE correctly, I added this at the end of my /etc/rc.local :

ifconfig ne0 up
route flush
ppp -ddial pppoe

This starts PPP, PPPoE, the firewall and the NAT translator (because the firewall and the NAT are started automatically in the ppp.linkup file). If you’re curious, you can reboot at this point, and confirm that you have a fully firewalled internet access:

pcreal# ifconfig -a
lo0: flags=8009 mtu 33224
inet6 fe80::1%lo0 prefixlen 64 scopeid 0×5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008 mtu 33224
ne0: flags=8863 mtu 1500
media: Ethernet autoselect (10baseT)
inet6 fe80::240:f4ff:fe2b:190d%ne0 prefixlen 64 scopeid 0×1
ne1: flags=8863 mtu 1500
media: Ethernet autoselect (10baseT)
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::240:f4ff:fe2b:16b1%ne1 prefixlen 64 scopeid 0×2
pflog0: flags=141 mtu 33224
sl0: flags=c010 mtu 296
sl1: flags=c010 mtu 296
ppp0: flags=8010 mtu 1500
ppp1: flags=8010 mtu 1500
tun0: flags=8011 mtu 1492
inet 65.92.185.97 –> 65.92.185.1 netmask 0xffffffff
tun1: flags=10 mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
vlan1: flags=0<> mtu 1500
gre0: flags=8010 mtu 1450
gif0: flags=8010 mtu 1280
gif1: flags=8010 mtu 1280
gif2: flags=8010 mtu 1280
gif3: flags=8010 mtu 1280

pcreal# pfctl -sr
@0 scrub in on ne1 all
@1 scrub in on tun0 all
@2 block out log on tun0 all
@3 block in log on tun0 all
@4 block return-rst out log on tun0 proto tcp all
@5 block return-rst in log on tun0 proto tcp all
@6 block return-icmp out log on tun0 proto udp all
@7 block return-icmp in log on tun0 proto udp all
@8 block in quick inet6 all
@9 block out quick inet6 all
@10 pass in quick on lo0 all
@11 pass out quick on lo0 all
@12 block in log quick on tun0 inet proto tcp all flags FPU/FPU
@13 block in log quick on tun0 inet proto tcp all flags FS/FSRA
@14 block in log quick on tun0 inet proto tcp all flags /FSRA
@15 block in log quick on tun0 inet from 255.255.255.255/32 to any
@16 block in log quick on tun0 inet from 10.0.0.0/8 to any
@17 block in log quick on tun0 inet from 172.16.0.0/12 to any
@18 block in log quick on tun0 inet from 192.168.0.0/16 to any
@19 block in log quick on tun0 inet from 127.0.0.1/8 to any
@20 block out log quick on tun0 inet from any to 255.255.255.255/32
@21 block out log quick on tun0 inet from any to 10.0.0.0/8
@22 block out log quick on tun0 inet from any to 172.16.0.0/12
@23 block out log quick on tun0 inet from any to 192.168.0.0/16
@24 block out log quick on tun0 inet from any to 127.0.0.1/8
@25 block in quick on tun0 inet from any to 255.255.255.255/32
@26 pass in quick on tun0 inet proto tcp from any to any port > 49151 flags S/SA keep state
@27 pass out quick on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
@28 pass in log quick on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
@29 pass in quick on tun0 inet proto tcp from any to any port = pop3 flags S/SA keep state
@30 pass in quick on tun0 inet proto tcp from any to any port = https flags S/SA keep state
@31 pass in quick on tun0 inet proto tcp from any to any port = www flags S/SA keep state
@32 pass in quick on tun0 inet proto tcp from any to any port = auth flags S/SA keep state
@33 pass in quick on tun0 inet proto tcp from any to any port = smtp flags S/SA keep state
@34 pass in quick on tun0 inet proto tcp from any to any port = ssh flags S/SA keep state
@35 pass out quick on tun0 inet proto udp from any to any port = domain keep state
@36 pass out quick on tun0 inet proto udp from any to any port = ntp keep state
@37 pass out quick on tun0 inet proto tcp from any to any port = ntp flags S/SA modulate state
@38 pass out quick on tun0 inet proto tcp from any to any port = auth flags S/SA modulate state
@39 pass out quick on tun0 inet proto tcp from any to any port = nntp flags S/SA modulate state
@40 pass out quick on tun0 inet proto tcp from any to any port = ftp-data flags S/SA modulate state
@41 pass out quick on tun0 inet proto tcp from any to any port = ftp flags S/SA modulate state
@42 pass out quick on tun0 inet proto tcp from any to any port = telnet flags S/SA modulate state
@43 pass out quick on tun0 inet proto tcp from any to any port = ssh flags S/SA modulate state
@44 pass out quick on tun0 inet proto tcp from any to any port = domain flags S/SA modulate state
@45 pass out quick on tun0 inet proto tcp from any to any port = whois flags S/SA modulate state
@46 pass out quick on tun0 inet proto tcp from any to any port = pop3 flags S/SA modulate state
@47 pass out quick on tun0 inet proto tcp from any to any port = smtp flags S/SA modulate state
@48 pass out quick on tun0 inet proto tcp from any to any port = https flags S/SA modulate state
@49 pass out quick on tun0 inet proto tcp from any to any port = www flags S/SA modulate state
…
@72 pass out quick on tun0 inet proto tcp from any to any port = 6000 flags S/SA modulate state
@73 pass out quick on tun0 inet proto tcp from any to any port = 8080 flags S/SA modulate state
@74 pass out quick on tun0 inet proto tcp from any to any port = 7070 flags S/SA modulate state
@75 pass out quick on tun0 inet proto tcp from any to any port = 554 flags S/SA modulate state

pflogd and tcpdump
With the new pf firewall code comes a new way to log firewalled packets and look at them. The log is actually taken care of by a separate daemon ( pflogd ) which should be started in “ppp.linkup” and killed in “ppp.linkdown”. This daemon puts its data in a special log file ( /var/log/pflog ) which is not directly human readable, for performance reasons. To get a dump of the file, simply issue the command “tcpdump -n -e -ttt -r /var/log/pflog”, or , if you want a real-time display of the logs, simply issue “tcpdump -n -e -ttt -i pflog0″.

The Dynamic DNS
Dynamic DNS is a wonderful thing. Basically, you just go to a dyndns provider like those nice people and 10 minutes later you have your very own domain, for free. In order to make that domain dynamically follow your IP address changes, you must use a special client program which must be called whenever your IP changes.

Until recently I liked ddup, but now i use ipcheck. The latter is truly compliant with all of dyndns’s client specification, and maintains its state automatically in system files. You will have to install the python package if you use “ipcheck”. Also, you’ll need your user ID and password from the dyndns provider.

One more advice: it is perfectly acceptable to have more than one domain pointing at the same IP address. Remember this when choosing one or more domain names…

Keeping your xDSL link alive 24/7
xDSL connections are very reliable, but ISP’s are not For many reasons unfathomable, you will sometimes lose your connection. There are many methods of re-establishing that connection automatically, and i’ll describe here the one i use.

The Method
Make sure you initialise ppp with the “-ddial” command, and NOT the “-background” command…

The automatic restart of the ppp link is handled by ppp itself (using the “-ddial” command), which is quite handy. This leaves us with the dyndns updates, which are performed intelligently by ipcheck.py . An easy way of doing it is to create an executable file named “do_ipcheck” which contains this:

#!/bin/sh
/usr/local/sbin/ipcheck.py -q -d /etc/ipcheck -i tun0 -w Username Password DomainName1,DomainName2with your own Username, Password and Domain names, of course. Then, all you have to do is to add the following line to crontab:

*/5 * * * * /usr/local/sbin/do_ipcheckAlso, don’t forget to create the directory /etc/ipcheck and make sure your /etc/ppp/ppp.linkup file looks like this:

MYADDR:
! sh -c “/sbin/ifconfig pflog0 up”
! sh -c “/sbin/pfctl -e -l tun0 -F all -O aggressive -R /etc/pf.conf -N /etc/nat.conf”
! sh -c “/usr/local/sbin/ResetNTP.sh”
!bg sh -c “/usr/local/sbin/do_ipcheck”
You can call “do_ipcheck” from “ppp.linkup” … however, you must use the special “!bg” construct, in order to instruct ppp to fork it in the background. Nasty stuff happens if you don’t use “!bg” here. Big thanks to Dan for this update!

This setup should garantee the proper restart of the firewall & ipnat each time the ppp link is brought up again.

Apache
Now would be a good time to install your htdocs directory. The way i like to do this is to mount a read-only NFS file system over the current htdocs. This is easily accomplished by adding a line like this to your /etc/fstab :

192.168.1.1:/usr/local/Apache/htdocs /var/www/htdocs nfs ro Moreover, the web logs are kept in /var/www/logs. Interesting stuff.

We are in full virus season and i’m sure your log files will fill up as fast as mine with useless garbage, once your Apache is up. In order to remove some clutter, you can filter out the virus attacks and channel them to a specialized attack_log file. Simply insert the following lines into your /var/www/conf/httpd.conf file:

SetEnvIf Request_URI “^/default.ida” attacks # For Code Red
SetEnvIf Request_URI “^/scripts” attacks # For nimda
SetEnvIf Request_URI “^/c/winnt” attacks # … ditto all the way down
SetEnvIf Request_URI “^/_mem_bin” attacks
SetEnvIf Request_URI “^/_vti_bin” attacks
SetEnvIf Request_URI “^/MSADC” attacks
SetEnvIf Request_URI “^/msadc” attacks
SetEnvIf Request_URI “^/d/winnt” attacks

CustomLog /var/www/logs/access_log combined env=!attacks
CustomLog /var/www/logs/attack_log combined env=attacks
This will send all virus-related requests to “attack_log”, while still logging other activities normally in access_log.

Named
Someone (Chavous P. Camp, thanks!) sent me advice on optimizing “named” for faster throughput. He recommends to add two lines to the “/var/named/named.boot” file:

options forward-only
forwarders ip.addresses.of.ISPs.nameservers.separated.by.spacesThis forces named to always use the same servers for dns. If your ISP’s servers are always on fixed IP adresses, then it works well. However, ISP’s who force you to use PPPoE will also sometimes change dynamically the DNS servers allocated to you (in “/etc/resolv.conf”, automatically created by ppp at startup). In that case, there is no garantee that the name servers you hardwire as forwarders will always be available.

Removing IPv6 related errors
The GENERIC OpenBSD kernel comes precompiled with IP v6 support. This is the reason why you might see many “/bsd: tun0: not multicast capable, IPv6 not enabled” error messages in your logs. Those messages are completely harmless and do not alter the performance of your system. However, should you want to get rid of them, you can simply remove IPv6 support from your kernel by modifying “/usr/src/sys/conf/GENERIC” and removing the “option INET6″ line. Then recompile your kernel in the usual way. Thanks Chavous for this info!

Setting permissions of scripts & config files
Another excellent suggestion from Chavous. Scripts and config files with passwords should have their permissions changed to 500 (for scripts) or 400 (for config files), for greater security. This includes “ppp.conf”, “do_ipcheck”, etc…

The NTP daemon
The ntpd daemon is not installed by default. However, you can download it as a package, and install it with the pkg_add command. Since you have internet connectivity by now, you can download & install it in a single command:

pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.0/packages/i386/ntp-4.1.71.tgz Moreover, you will need a valid /etc/ntp.conf file:

pcreal# cat /etc/ntp.conf
server 128.100.102.201
driftfile /etc/ntp.driftFeel free to use any other atomic time server if you want. Also, the drift file will be created & maintained automagically.

Important tip from Chavous:
=========================================
I found my ntp server would refuse to synchronize after a reboot because it
had no route to the time server. This was, of course, because PPPoE is
loaded AFTER ntp, and sometimes the PPPoE negotiation after a reboot takes a
few seconds.

Anyway, here is something you might want to add as a suggestion:

Turn ntpd OFF in the rc.conf file
add this line to your ppp.linkup file – AFTER the firewall initialization

! sh -c “/etc/ppp/ResetNTP.sh”

That script should then contain:

#!/bin/sh
if [ -f /var/run/ntpd.pid ]; then
kill `cat /var/run/ntpd.pid`
rm -f /var/run/ntpd.pid
fi
/usr/local/sbin/ntpd -p /var/run/ntpd.pid

(as I have said before, remind your readers that this script is executed as
root and should therefore be chmod 444 or less)

This kills the NTP daemon (if it exists) and restarts it. On boot, it would
not be restarted, but what if the link went down for a while? The ntp daemon
would give up and stop sending queries because it couldn’t get a route to
host.

REALLY, the ntp daemon SHOULD NOT stop querying the server just because it
can’t get a route to the host, but it seems to be written as such now
anyway. I haven’t tested the ntp daemon over a long period of time (more
than about a day) so I don’t know if it just gives up for some arbitrarily
long period (MORE than a day) and then tries again. I seriously doubt it
does, because a day is a LONG time. This workaround isn’t ideal, because
for time consistency, one would want the time server to stay running at all
times. According to the ntpd documentation, ntpd tends to become more
accurate the longer it runs.

Chavous
=========================================

Sendmail
If you have followed all the steps of the recipe so far, your sendmail should be configured & ready to receive mail from the internet, however you should know a few more things about this. First, if you want your gateway to receive mail for more than one domain, you must make sure the all fully qualified domains are setup as aliases for your host in the file /etc/hosts.

The mail popper
All ingress mail is received & kept on the gateway untill some POP client on the intranet gets it. I use the “popa3d” server package because it is written with security in mind. It is now part of the main OpenBSD 3.0 distribution, so you don’t have to download it as a separate package. Simply enable it in the file /etc/inetd.conf and you should be up & running.

The installed packages
Just to do a quick check, here are the packages i have installed on my system:

pcreal# pkg_info
gmp-3.1.1 library for arbitrary precision arithmetic
python-2.1.1 interpreted object-oriented programming language
ntp-4.1.71 network time protocol implementation
libiconv-1.7 character set conversion library
gettext-0.10.40 GNU gettext
mhash-0.8.9 strong hash library
libtool-1.3.5p3 generic shared library support script
postgresql-7.1.3 PostgreSQL RDBMS
libmcrypt-2.4.15 interface to access block/stream encryption algorithms
c-client-4.40p1 University of Washington’s c-client mail access routines
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-postgresql server-side HTML-embedded scripting language

The Secure Shell
The secure shell looks & feels exactly like telnet, except that all communication between the client and the server is encrypted. It is the only possible way to access your gateway, because the telnet daemon is disabled by default. Usage is very simple: just like telnet!

[real@pcreal Projects]$ ssh 192.168.1.2
real@192.168.1.2′s password:
Warning: Remote host denied X11 forwarding.
Last login: Sun Nov 5 12:58:08 2000 from 192.168.1.1
OpenBSD 2.7 (GENERIC) #1: Thu Nov 2 16:05:11 GMT 2000

pcreal:real {39}

Once you are logged in as an unprivileged user, member of the wheel group, you can use su to gain superuser privileges:

pcreal:real {39} su -
Password:
Terminal type? [nxterm]
pcreal#

The log files
There are many log files of high interest maintained automatically by your gateway. It is usually convenient to look at them with the “tail -f” command. The files i look at often are:

/var/log/messages
/var/log/maillog
/var/log/secure
/var/www/logs/access_log

Moreover, you can grab interesting info about the blocked packets on your firewall with the “ipmon” utility.

There are many other log files available for all kinds of things. Dig around to find more about them.

Installing IPSEC
Dave Cook has kindly provided us with a good description of how to install IPSEC on your OpenBSD boxen: file:///H:/OPENBSD/ipsec.pdf, in PDF (Acrobat) format. Be aware that it is a largish file (440K), and it might take some time for your Acrobat reader to load afterwards, so don’t hit the link repeatedly, it won’t make things load faster…

Apply the security patches!
Security patches are published there. APPLY THEM RELIGIOUSLY!
It is not really difficult, but you will need a copy of the complete, original source tree of the distribution. The compressed source archives are to be found with the distribution files. These are the 3.0 source files:

src.tar.gz 64447 Kb Tue May 1 16:18:00 2001 Unix Tape Archive
srcsys.tar.gz 13837 Kb Tue May 1 16:18:00 2001 Unix Tape ArchiveThey total about 80 MB. Once you have them, simply unpack them to ‘/usr/src’ and ‘/usr/src/sys’. The latter is the kernel proper.

Once you have your source tree, you can start downloading the patches, and apply them. Usually, all the currently published patches are availble in a single file. For 3.0, it is there. After that, simply watch the patch page from time to time, to keep updated.

Patches are either applied to an application (in ‘/usr/src’), or to the kernel ( in ‘/usr/src/sys’). Since all kernel patches should be installed, the thing i do is to apply all the kernel patches in one session, then i recompile my kernel once.

The applications you don’t use (e.g. ‘X11′, for example) don’t have to be patched & recompiled.

Reboot and enjoy!
You should be able to ssh into your new gateway from any machine on the intranet.

基于OpenBSD4.3 i386系统的JAVA编译及OpenFIRE&PostgreSQL应用

admin — Thu, 05 Mar 2009 05:46:01 +0000

• 前言
1 什么是
2 什么是PostgreSQL
• 一、安装JAVA环境
1 开启linux支持
2 增加数据和堆栈限额(官方建议非必须)
3 建立/etc/mk.conf
4 进入jdk目录开始编译安装
 a 编译安装jdk
 b 编译安装jre
 c 下载java编译所需文件
5 设置JAVA环境
 a 设置系统变量
 b 设置系统变量
 c 测试JAVA环境
• 二、安装PostgreSQL
1 安装数据库
2 建立数据库
 a 初始化数据库
 b 运行数据库
 c 建立新用户
 d 建立数据库
3 设置自动运行和关闭
 a 设置开机自动运行
 b 设置关机自动关闭
4 PostgreSQL 优化
 a 修改 /etc/sysctl.conf
 b 修改/etc/login.conf
 c 修改postgresql.conf文件
• 三、安装OpenFIRE
1 服务器端安装
 a 添加openfire系统用户
 b 解压openfire
 c 修改 openfire权限
 d 运行openfire
2 openfire服务配置
3 设置openfire自动运行和关闭
 a 设置开机自动运行
 b 设置关机自动关闭
• 四设置Spark
• 后记：

前言
1 什么是OpenFire
Openfire 采用Java开发的开源的实时协作（RTC）服务器,基于XMPP（Jabber）协议。
您可以使用它轻易的构建高效率的即时通信服务器.
Openfire安装和使用都非常简单，并利用Web进行管理。单台服务器可支持上万并发用户。
由于是采用开放的XMPP协议，您可以使用各种支持XMPP协议的IM客户端软件登陆服务
简单的说是类似MSN的实时通信系统
2 什么是PostgreSQL
PostgreSQL是以加州大学伯克利分校计算机系开发的 POSTGRES，版本 4.2为基础的对象关系型数据库管

理系统（ORDBMS）。
阅读指南：所有需要手工录入的部分都用加阴影的字符表示，需要特别注意的地方以【】字符加注.
【开始编译以前,请将ports升级到最新】
一、安装JAVA环境
1 开启linux支持
obsd支持【原生】的java运行环境，只在【编译】java的需要打开linux支持
sysctl kern.emul.linux=1
2 增加数据和堆栈限额(官方建议非必须)
如果编译的时候出现类似于”Could not reserve enough space for object heap”这类的错误,就应该增

加数据和堆栈的限额 ksh zsh bash环境(OB默认的就是ksh)
ulimit -dS 384*1024
ulimit -sS 8*1024
csh tcsh 环境
limit datasize 384m
limit stacksize 8m
本人在512M内存的电脑中编译的时候,没有做这一步,也很顺利的编译通过
3 建立/etc/mk.conf
java编译的时候需要检测/etc/mk.conf下有没有【ACCEPT_JRL_LICENSE=Yes】这个语句,没有的话会提示

错误,因此应当手工建立该文件
我的mk.conf是
DISTDIR=/files/dist
MASTER_SITE_OVERRIDE=ftp://ftp.freebsdchina.org/pub/OpenBSD/distfiles/${DIST_SUBDIR}/
PACKAGE_REPOSITORY=/files/packages
FETCH_CMD=/usr/local/bin/wget
ACCEPT_JRL_LICENSE=Yes
其中
DISTDIR是我指定的下载文件所在位置
PACKAGE_REPOSITORY是我指定的生成pkg的位置
只有【ACCEPT_JRL_LICENSE=Yes】是必须的
4 进入jdk目录开始编译安装
进入jdk的ports
cd /usr/ports/devel/jdk/1.7
a 编译安装jdk
JDK是java的开发环境
make install
b 编译安装jre
JRE是java的运行环境，如果不做开发，只是运行OpenFIRE的话，jre就足够
env SUBPACKAGE=-jre make install
c 下载java编译所需文件
编译java的所需的文件需要【手动复制】到DISTDIR指定的位置
默认是/usr/ports/distfiles
编译所需文件make运行以前会有提示显示编译所需java文件的位置和名称，按提示下载并复制就可以
如果缺少文件的话会有”Error code 1″的错误提示,编译所需下载的文件大概是
bsd-jdk15-patches-8.tar.bz2
bsd-jdk16-patches-3.tar.bz2
bsd-jdk16-patches-4.tar.bz2
javaPathHelper-0.3.tar.gz
jdk-1_5_0_14-fcs-bin-b03-jrl-05_oct_2007.jar
jdk-1_5_0_14-fcs-src-b03-jrl-05_oct_2007.jar
jdk-1_5_0_14-solaris-i586.tar.Z
jdk-6u3-fcs-bin-b05-jrl-24_sep_2007.jar
jdk-6u3-fcs-mozilla_headers-b05-unix-24_sep_2007.jar
jdk-6u3-fcs-src-b05-jrl-24_sep_2007.jar
jdk-7-icedtea-plugs-1.6.tar.gz
openjdk7-b24.tar.bz2
(本人下载这些文件用了半天的时间,确切需下载的文件记不清楚了,哪位朋友有完整的下载文件列表,请

帮忙订正) 编译及安装过程大概需要5个小时
5 设置JAVA环境
JAVA的环境可以通过系统变量和用户变量两种方法来设置
系统变量对整个系统中所有用户起作用,用户变量只对设置的用户起作用
文中以jre1.6为例,具体配置根据读者安装的java环境自行修改
a 设置系统变量
建立/etc/profile文件,加入

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin:/usr/local

/jre-1.6.0/bin
export PATH
export JAVA_HOME=/usr/local/jre-1.6.0
export CLASSPATH=:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
保存退出
b 设置系统变量
修改用户home目录里面的.profile文件,加入【】标示部分
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin:

【/usr/local/jre-1.6.0/bin】
export PATH
【export JAVA_HOME=/usr/local/jre-1.6.0】
【export CLASSPATH=:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar】
: ${HOME=’/root’}
export HOME
umask 022
if [ -x /usr/bin/tset ]; then
eval `/usr/bin/tset -sQ \?$TERM`
fi
c 测试JAVA环境
重新登陆系统令设置的环境变量生效,输入
java -version
如果显示的是java相关版本信息,说明java已经生效,可以进行取消linux的支持,并进行下一步的安装
(注:本人编译的时候是按照1.7编译的,环境设置都正确,可是java提示错误,可能是ports的问题)
二、安装PostgreSQL
1 安装数据库
进入ports中postgresql，编译安装
cd /usr/ports/databases/postgresql
make install
提示完毕以后，pgsql的客户端已经安装完毕，pgsql的数据库端，需要手动安装
pkg已经在编译pgsql客户端的时候生成了，位置由mk.conf中PACKAGE_REPOSITORY字段定义
默认位置是/usr/ports/packages/i386/all/
cd /usr/ports/packages/i386/all/
pkg_add postgres*
2 建立数据库
a 初始化数据库
su – _postgresql
mkdir /var/postgresql/data
initdb -D /var/postgresql/data
b 运行数据库
postgres -D /var/postgresql/data
或者
pg_ctl -D /var/postgresql/data -l logfile start
如果没有提示错误，pgsql就已经运行了
c 建立新用户
建立超级用户
createuser 【-P】
Enter name of role to add: 【输入超级用户名】
Enter password for new role:【输入密码】
Enter it again:【确认密码】
Shall the new role be a superuser? (y/n)【 y】
d 建立数据库
createdb -O 【超级用户名】 -E UNICODE 【数据库名称】
3 设置自动运行和关闭
a 设置开机自动运行
在/etc/rc.local中加入
if [ -x /usr/local/bin/pg_ctl ]; then
echo -n ‘ postgresql’
su -l _postgresql -c “nohup /usr/local/bin/pg_ctl start \
-D /var/postgresql/data -l /var/postgresql/logfile \
-o ‘-D /var/postgresql/data’ >/dev/null”
fi
b 设置关机自动关闭
在/etc/rc.shutdown中加入
if [ -f /var/postgresql/data/postmaster.pid ]; then
su -l _postgresql -c “/usr/local/bin/pg_ctl stop -m fast \
-D /var/postgresql/data”
rm -f /var/postgresql/data/postmaster.pid
fi
4 PostgreSQL 优化
a 修改 /etc/sysctl.conf
编辑 /etc/sysctl.conf,加入以下内容
kern.seminfo.semmni=256
kern.seminfo.semmns=2048
kern.shminfo.shmmax=50331648
b 修改/etc/login.conf
编辑/etc/login.conf,加入以下内容
postgresql:\
penfiles-cur=768:\
:tc=daemon:
保存退出后，输入
cap_mkdb /etc/login.conf
重建login.conf.db文件
然后使用vipw或usermod修改postgresql
usermod -L postgresql 【postgresql系统用户名】
其中 -L 指定的是修改的用户的登陆类
c 修改postgresql.conf文件
切换成postgresql用户
su – _postgresql
修改/var/postgresql/data/postgresql.conf
将max_connections 修改成你需要的并发链接数值,默认是40
保存退出后,重启数据库,输入
pg_ctl -D /var/postgresql/data -l logfile restart
来重启整个数据库,或者输入
pg_ctl -D /var/postgresql/data -l logfile reload
来重新加载postgresql配置文件
三、安装OpenFIRE
OpenFIRE服务器端最新版本openfire_3_5_1下载
服务器端插件下载
1 服务器端安装
a 添加openfire系统用户
adduser
Enter username []: 【openfire用户名】
Enter full name []:
Enter shell csh ksh nologin sh [ksh]:【回车】
Uid [1000]:【回车】
Login group _openfire [_openfire]:【回车】
Login group is “_openfire”. Invite _openfire into other groups: guest no
[no]:【回车】
Login class authpf daemon default postgresql staff [daemon]:【回车】
Enter password []:【输入密码】
Enter password again []:【确认密码】
OK? (y/n) [y]: 【y】
Add another user? (y/n) [y]: 【n】
b 解压openfire
tar xzvf 你的openfire压缩包位置 -C /var
c 修改 openfire权限
cd /var
chown -R 【openfire用户名】:【openfire组名】 openfire/
d 运行openfire
su – 【openfire用户名】
/var/openfire/bin/openfire start
如果没有错误提示 top有java的进程,说明openfire启动正常
2 openfire服务配置
在浏览器中输入

http://服务器ip:9090

第一页Choose Language中选中中文(简体)
第二页服务器设置保持默认
第三页数据库设置选择标准数据库连接
第四页数据库设置 – 标准连接中需要设置以下项目
数据库驱动选项:【PostgreSQL】
JDBC 驱动程序类：【org.postgresql.Driver】
数据库 URL：jdbc:postgresql://【127.0.0.1】:5432/【数据库名称】
用户名：【超级用户名】
密码：【超级用户密码】
第五页特性设置初使设置
第六页管理员帐户设置管理员密码管理员账号为admin
安装完成
3 设置openfire自动运行和关闭
a 设置开机自动运行
在/etc/rc.local中启动postgresql字段后面加入
if [ -x /var/openfire/bin/openfire ]; then
echo -n ‘ openfire’
su -l _openfire -c “/var/openfire/bin/openfire start >/dev/null”
fi
b 设置关机自动关闭
在/etc/rc.shutdown中关闭postgresql字段前面加入
if [ -x /var/openfire/bin/openfire ]; then
su -l _openfire -c “/var/openfire/bin/openfire stop”
fi
四设置Spark
SparkWIN下客户端最新版本 2.5.8下载
程序安装完毕后
点击帐户来申请账号
服务器中填入OpenFIRE服务器所用ip
后记：

Comment by iopenbsd, Jun 22, 2008

http://download.java.net/tiger/

http://www.eyesbeyond.com/freebsddom/java/JDK15JRLConfirm.html|bsd-jdk15-patches-8.tar.bz2

http://www.eyesbeyond.com/freebsddom/java/JDK16JRLConfirm.html|bsd-jdk16-patches-3.tar.bz2

http://www.eyesbeyond.com/freebsddom/java/JDK16JRLConfirm.html|bsd-jdk16-patches-4.tar.bz2

http://www.java.net/download/jdk6/6u3/promoted/b05/jdk-6u3-fcs-bin-b05-jrl-

24_sep_2007.jar|jdk-6u3-fcs-bin-b05-jrl-24_sep_2007.jar

http://www.java.net/download/jdk6/6u3/promoted/b05/jdk-6u3-fcs-mozilla_headers-b05-unix-

24_sep_2007.jar|jdk-6u3-fcs-mozilla_headers-b05-unix-24_sep_2007.jar

http://www.java.net/download/jdk6/6u3/promoted/b05/jdk-6u3-fcs-src-b05-jrl-

24_sep_2007.jar|jdk-6u3-fcs-src-b05-jrl-24_sep_2007.jar

http://www.java.net/download/tiger/tiger_u14/jdk-1_5_0_14-fcs-bin-b03-jrl-

05_oct_2007.jar|jdk-1_5_0_14-fcs-bin-b03-jrl-05_oct_2007.jar

http://download.java.net/tiger/tiger_u14/jdk-1_5_0_14-fcs-src-b03-jrl-05_oct_2007.jar|jdk-

1_5_0_14-fcs-src-b03-jrl-05_oct_2007.jar http://download.java.net/tiger/tiger_u15/jdk-

1_5_0_15-fcs-src-b04-jrl-09_feb_2008.jar|jdk-1_5_0_15-fcs-src-b04-jrl-09_feb_2008.jar

http://java.sun.com/products/archive/j2se/5.0/index.html|jdk-1_5_0_14-solaris-i586.tar.Z

http://ftp.riken.jp/pub/OpenBSD/distfiles/javaPathHelper-0.3.tar.gz|javaPathHelper-

0.3.tar.gz http://ftp.riken.jp/pub/OpenBSD/distfiles/jdk-7-icedtea-plugs-1.6.tar.gz|jdk-7-

icedtea-plugs-1.6.tar.gz http://ftp.riken.jp/pub/OpenBSD/distfiles/openjdk7-

b24.tar.bz2|openjdk7-b24.tar.bz2 http://www.igniterealtime.org/downloads/download-

landing.jsp?file=openfire/openfire_src_3_5_2.tar.gz|openfire_src_3_5_2.tar.gz

在OpenBSD下，使用ADSL拨号上网和启动PF防火墙

admin — Thu, 05 Mar 2009 05:24:20 +0000

在OpenBSD下，使用ADSL拨号上网和启动PF防火墙
o 目标
o 什么是PF防火墙
o 注意事项
o 编辑配置文件
我拿OpenBSD当桌面系统，平时也不打开任何网络服务，使用ADSL拨号上网，只有一个调制解调器，没有路由器。
加上PF，挡住所有不请自来的流量。
目标
ADSL拨号配置文件，PF配置文件。
什么是PF防火墙
OpenBSD的内置防火墙，功能强大，是OpenBSD系统上进行TCP/IP流量过滤和网络地址转换的软件系统。
配置文件默认的位置在 /etc/pf.conf。
注意事项
内核编译选项必需有:
• seudo-device pf # packet filter
• seudo-device pflog # pf log if
• seudo-device tun # network tunneling over tty
设kern.securelevel最高为1，因为securelevel为2不可以手动刷新过滤规则。
编辑配置文件
vi /etc/ppp/ppp.conf
default:
set log Phase Chat LCP IPCP CCP tun command
set redial 15 0
set reconnect 15 10000

pppoe:
set device “!/usr/sbin/pppoe -i re0″ # re0: 使用的网卡
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set mru max 1492
set speed sync
set crtscts off
enable lqr
enable mssfixup
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname xxxxxx # ADSL拨号帐号，xxx@163.gd
set authkey “xxxxxx” # ADSL拨号密码
# enable dns # 每次都修改/etc/resolv.conf
add! default HISADDR # 成为默认路由
设置开机自动拨号: vi /etc/rc.local:
echo ‘/etc/rc.local: connect to ADSL’
ppp -ddial pppoe # 拨号模式，掉线自动重拨
vi /etc/pf.conf
# Define interfaces
int_if = “re0″
ext_if = “tun0″

# RFC1918
priv_nets = “{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }”

# Those wonderful scrubbing bubbles
scrub in all

# Filtering begins
block log all

# Local machine stuff
pass quick on lo0 all
pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network
block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets
antispoof log for { $int_if, $ext_if }

# Out to the internet
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp, esp } all keep state
设置拨号时启动PF: vi /etc/ppp/ppp.linkup:
MYADDR:
! sh -c “/sbin/ifconfig pflog0 up”
! sh -c “/sbin/pflogd”
! sh -c “/sbin/pfctl -e -F all -f /etc/pf.conf”
vi /etc/ppp/ppp.linkdown:
MYADDR:
! sh -c “/sbin/pfctl -d -F all”
! sh -c “kill $(cat /var/run/pflogd.pid)”
! sh -c “/sbin/ifconfig pflog0 down”
! sh -c “/sbin/route delete default”

nginx在openBSD下跑反向代理负载均衡

admin — Wed, 25 Feb 2009 12:47:03 +0000

1，本文的实验环境：
当时做完了OpenBSD+Nginx+php+mysql的实验，直接将该虚拟机克隆两份。如果对下文中的“二号机、三号机”配置有兴趣的可以看看那个帖
一号机，（192.168.118.135）将旧的和mysql/php有关系的nginx.conf干掉，重写nginx.conf。也就是说不启用php/mysql，只用本机的nginx做反向代理。
二号机，（192.168.118.136）保持着原有的架构，并在/var/nginx/html下面新建一个index.php页面，页面内容自定啦，但必须和下面的三号机有所区别。
三号机，（192.168.118.137）保持着原有的架构，并在/var/nginx/html下面新建一个index.php页面，页面内容自定啦，但必须和上面的二号机有所区别。
四号机，（192.168.118.132）以前做实验用过的一个redhat5的机器，是一个tomcat服务器，只装了jdk和tomcat并设置了环境变量。
客户机，本机是winxp，也是上面四个试验机的宿主机，改过了本机的hosts文件。C:\WINDOWS\system32\drivers\etc\hosts ，这个文件没后缀名，但可以用写字板或记事本打开。加入如下内容：
192.168.118.135 test1.com
192.168.118.135 test2.com
192.168.118.135 test3.com
也就是说，要把三个域名的IP都指到一号试验机上去。

3，首先启动二、三、四号机器，在测试机上打开这三台机器的web页面，确认各自的nginx、php、tomcat工作正常，其中二、三号机器是nginx+php,用的80端口，四号机器一个裸奔的tomcat，用的 8080端口。

4，如下是重写并可应用的一号机的nginx.conf文件。对部分内容我做了特殊标注，大部分配置可以参考本站关于nginx设定的一些文章。
cat /etc/nginx/nginx.conf
#user nobody;
worker_processes 1;

error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;
#这里的nginx是用OpenBSD自己pkg 包管理系统装上去的，所以log等信息位置和编译安装的不太一样。

worker_rlimit_nofile 51200;
events
{
use kqueue;
#epoll是linux最优模式，经实验，在openBSD下不可用这种模式。百度之发现有如下模式：
#
#nginx以module的方式提供了select语义的多种实现：poll devpoll epoll eventport kqueue rtsig后面4种，都是BSD/Linux为加速IO操作而提供的异步IO模型
#
#
worker_connections 51200;
}
http
{
include mime.types;
default_type application/octet-stream;
#charset gb2312;

server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;

sendfile on;
tcp_nopush on;
keepalive_timeout 3;
#为了做测试，故意把keepalive改小的，生产环境设置60s吧。
tcp_nodelay on;
#gzip on;
#gzip_min_length 1k;
#gzip_buffers 4 16k;
#gzip_http_version 1.0;
#gzip_comp_level 2;
#gzip_types text/plain application/x-javascript text/css application/xml;
#gzip_vary on;
upstream test1.com {
server 192.168.118.136:80;
server 192.168.118.137:80;

}

upstream test2.com {
server 192.168.118.136:80 weight=10;
server 192.168.118.137:80;
# weight是权重的意思，默认权重是1，

}

upstream test3.com
{
server 192.168.118.132:8080;

}

server {
listen 80;
server_name test1.com;
#这里的test1是监听的客户端访问的域名
location /{
proxy_pass http://test1.com;
#这里的test1是上文提到的upstream啦，别和客户访问的域名弄混。
proxy_set_header X-Real-IP $remote_addr;
}
}

server {
listen 80;
server_name test2.com;
location /{
proxy_pass http://test2.com;
proxy_set_header X-Real-IP $remote_addr;
}
}

server {
listen 80;
server_name test3.com;
location /{
proxy_pass http://test3.com;
proxy_set_header X-Real-IP $remote_addr;
}
}
_ ___________________________________________________
5，启动一号机的nginx，测试开始。
在本机访问http://test1.com/ http://test2.com/ http://test3.com/
请注意test1是否在二号、三号机之间不停切换？在上图中写到要让二号三号机上的index.php文件不太一样，就是为了区分两台web服务器的。如果不怎么切换，请考虑你的浏览器的缓存问题。如果还不切换，可以考虑down掉一台机器的nginx，看访问请求是否会转到另一台服务器上。
test2和test1的情况类似，只是test2做了权重设置，所以二号机应用的几率要比三号机大很多，如果总是轮不到三号机接任务，可以考虑更改权重实验一下，也可以考虑把二号机的nginx暂停一下。
test3的要求很简单，能转到四号机的8080端口，把tomcat的那个默认控制界面show出来就可以

在openBSD中运行外来软件

admin — Sat, 21 Feb 2009 04:19:48 +0000

在openBSD中运行外来软件

运行外来软件
————–

从传统观点来说，操作系统不得不为它们自己开发软件，而且很多的软件只能运行在它们被指定的平台上。许多人为某些平台编制了一些“业务交换软件”，使得一些软件也能在其它操作系统中运行，虽然有些潜在的问题存在。通过使用ABI，openBSD能让为某些操作系统开发的软件在自己的系统中运行。这通常是用来运行为Linux和FreeBSD设计的软件。

ABI（(Application Binary Interface）是核心的一部分，它用于为软件提供服务－－这包括声卡访问、读取文件、屏幕输出的－－这些软件运行所需的一切。对软件来说，ABI就是操作系统。依靠你的系统中对别的系统ABI的支持，你能够使得软件像运行在它本来的系统中一样运行。

openBSD中包括了支持运行Linux、FreeBSD、SVR4、SCO的ABI的模块。当你尝试运行Linux的软件时，核心能识别出它，并把这个软件教给响应的ABI来处理。

ABI的一大限制是：它只能处理与核心特征相关的问题，而不能摆脱硬件的限制。软件只能运行在与编译时所处的体系结构相同的环境中。你在i386版的openBSD中，运行为i368版的Solaris 2.6编译的软件，但是你不能在i386版的openBSD上，运行Sparc版的Solaris中的软件。

当然，软件不止对核心有依赖。软件还需要使用动态链接库。OpenBSD对Linux（/usr/ports/emulators/redhat）还有FreeBSD（/usr/ports/emulators/freebsd_lib）提供了动态链接库。因为BSD/OS、SVR4、还有SCO都是专利操作系统，openBSD不太容易为它们的共享库提供ports。你必须从响应的操作系统上获取链接库。如果你对怎样安装库文件感兴趣，请阅读compat_bsdos(8), compat_svr4(8),

and compat_ibcs2(8) 以获取细节。

在大多数情况下，Linux和FreeBSD的ABI能“正确的运行”，而且对于依赖它们的ports来说也足够可靠。例如：很少人使用Linux Netscape port，（它也能在openBSD上运行）。如果你正确的安装了共享库（shared libraries），那么使用ABI不需要配置。如果你使用ports安装了软件，你甚至可能已经不知不觉的使用了Linux mode。

依靠openBSD自身的软件和外来ABI的支持，openBSD能够广泛的支持许多软件packages。openBSD也包括了许多基本的UNIX软件，大它们多数都通过/etc中的文件进行配置。下一章将对其进行详细的解说。

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝

原文：

Running Foreign Software
Traditionally, operating systems have had to have software written for them, and a piece of software would only run on the platform it was designed for. Many people have built a healthy business changing software for one platform so it will run on another operating system, a task filled with many potential problems. OpenBSD has the ability to run binaries built for certain other operating systems, however, through a process called ABI implementation. This is most commonly used for running software native to Linux and FreeBSD.

The ABI (Application Binary Interface) is the part of the kernel that provides services to programs, including everything from sound-card access to reading files to printing on the screen — all the things a program needs to run. As far as programs are concerned, the ABI is the operating system. By completely implementing the ABI from a different operating system on your native operating system, you can run non-native programs as if they were on their native platform.

The OpenBSD kernel includes modules that implement ABIs for Linux, FreeBSD, SVR4, SCO, and BSD/OS. When you attempt to run a Linux program, for example, the kernel picks out that the program is actually a Linux binary and directs it at the proper ABI.

One large limitation of ABI implementations is that they can only handle the kernel features, not the underlying hardware. A program only works if the binary is built for the same architecture that it is being run on. You can run a Solaris 2.6 binary built for an i386 system on OpenBSD running on i386, but you cannot run a Solaris Sparc binary on an i386 system.

Of course, programs require a little more than just a kernel to run on. They also require the dynamic libraries that they link against, if nothing else. OpenBSD provides these shared libraries for Linux (/usr/ports/emulators/ redhat) and FreeBSD (/usr/ports/emulators/freebsd_lib). Because BSD/OS, SVR4, and SCO are proprietary operating systems, the OpenBSD project cannot easily provide easy-to-install ports for their shared libraries. You must have access to the proper operating system to grab the libraries. If you’re interested in how to install these libraries see compat_bsdos(8), compat_svr4(8), and compat_ibcs2(8) for details.

In most cases, however, the Linux and FreeBSD ABIs “just work” and are reliable enough that many ports depend on them. Quite a few people use the Linux Netscape port, for example. Using an ABI implementation requires no configuration, once you have the shared libraries installed. If you install software from ports, you may be using Linux mode without even realizing it!

Between add-on native software and foreign ABI implementations, OpenBSD can support a wide variety of software packages. OpenBSD also includes a variety of basic UNIX software, most of it configured through files in /etc. We’ll look there in the next chapter.

How to patch your OpenBSD

admin — Thu, 05 Feb 2009 13:51:50 +0000

Every OS needs to be patched, even for OpenBSD, either for security reasons, reliability ones, bug fixes or new functions.

To patch OpenBSD, you need first to know whether there are any patches released/applicable for your version of release. For OpenBSd, there are two ways you can check if there are any patches available. First, and recommended, is to check the errata (http://www.openbsd.org/errata.html) page. Second is to subscribe to “announce ” and “security-announce” mailing lists. for more details on how, check OpenBSD web page or send a mail to majordomo@openbsd.org with subject “help”.

In OpenBSD, there are 3 ways to patch your system with all the patches.
1. upgrade your system to -current branch, since all patches and fixes are incorporated into -current.

This is not suitable for most users because of the ever-changing code for -current.

2. upgrade your system to -stable branch of your your release.

By doing this, you’ll need to fetch or update your source tree using the appropriate -stable branch, and recompile the kernel and userland files. While this is the easiest way and is OK for most users, it take quite a while to download source files and recompile the system, especially for these who has limited bandwidth to Internet.

3. Patch, compile and install individual impacted files.

This is what we will use for our example below. While this requires less bandwidth and typically less time than an entire cvs(1) checkout/update and source code compilation, this is sometimes the most difficult option, as there is no one universal set of instructions to follow. Sometimes you must patch, recompile and install one application, other times, you might have to recompile entire sections of the tree if the problem is in a library file.

Once you’ve identified the patch you need to apply to your system, here are the steps to follow:

++++++++++++++++++Following lines are from www.openbsd.org/faq/faq10.html:

Applying patches.

Patches for the OpenBSD Operating System are distributed as “Unified diffs”, which are text files that hold differences to the original source code. They are NOT distributed in binary form. This means that to patch your system you must have the source code from the RELEASE version of OpenBSD readily available. In general, you should have the entire source tree available. If you are running a release from official CDROM, the source trees are available on disk 3, they are also available as files from the FTP servers. We will assume you have the entire tree checked out.

For our example here, we will look at patch 001 for OpenBSD 3.6 dealing with the st(4) driver, which handles tape drives. Without this patch, recovering data from backups is quite difficult. People using a tape drive need this patch, however those without a tape drive may have no particular need to install it. Let’s look at the patch:

# more 001_st.patch
Apply by doing:
cd /usr/src
patch -p0 < 001_st.patch

Rebuild your kernel.

Index: sys/scsi/st.c
===================================================================
RCS file: /cvs/src/sys/scsi/st.c,v
retrieving revision 1.41
retrieving revision 1.41.2.1
diff -u -p -r1.41 -r1.41.2.1
--- sys/scsi/st.c 1 Aug 2004 23:01:06 -0000 1.41
+++ sys/scsi/st.c 2 Nov 2004 01:05:50 -0000 1.41.2.1
@@ -1815,7 +1815,7 @@ st_interpret_sense(xs)
u_int8_t skey = sense->flags & SSD_KEY;
int32_t info;

- if (((sense->flags & SDEV_OPEN) == 0) ||
+ if (((sc_link->flags & SDEV_OPEN) == 0) ||
(serr != 0×70 && serr != 0×71))
return (EJUSTRETURN); /* let the generic code handle it */

As you will note, the top of the patch includes brief instructions on applying it. We will assume you have put this patch into the /usr/src directory, in which case, the following steps are used:

# cd /usr/src
# patch -p0 < 001_st.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Apply by doing:
| cd /usr/src
| patch -p0 < 001_st.patch
|
|Rebuild your kernel.
|
|Index: sys/scsi/st.c
|===================================================================
|RCS file: /cvs/src/sys/scsi/st.c,v
|retrieving revision 1.41
|retrieving revision 1.41.2.1
|diff -u -p -r1.41 -r1.41.2.1
|--- sys/scsi/st.c 1 Aug 2004 23:01:06 -0000 1.41
|+++ sys/scsi/st.c 2 Nov 2004 01:05:50 -0000 1.41.2.1
--------------------------
Patching file sys/scsi/st.c using Plan A...
Hunk #1 succeeded at 1815. <-- Look for this message!
done

Note the “Hunk #1 succeeded” message above. This indicates the patch was applied successfully. Many patches are more complex than this one, and will involve multiple hunks and multiple files, in which case, you should verify that all hunks succeeded on all files. If they did not, it normally means your source tree is not right, you didn’t follow instructions carefully, or your patch was mangled. Patches are very sensitive to “white space” — copying and pasting from your browser will often change tab characters into spaces or otherwise alter the white space of a file, making it not apply.

At this point, you can build the kernel as normal, install it and reboot the system.

Not all patches are for the kernel. In some cases, you will have to rebuild individual utilities. At other times, will require recompiling all utilities statically linked to a patched library. Follow the guidance in the header of the patch, and if uncertain, rebuild the entire system.

Patches that are irrelevant to your particular system need not be applied — usually.

OpenBSD内核编译和优化

admin — Sat, 27 Dec 2008 05:27:01 +0000

要编译内核，需要一套完整的syssrc包，这套东东可以通过CVS或FTP方式获得。

要通过CVS方式下载，在SHELL上打：

export CVS_RSH=”/usr/bin/ssh”
export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
想用其它地方的服务器，请看完整的CVS服务器列表。

cd /usr && cvs checkout -z9 src/sys
要用FTP方式下载，请到：ftp://ftp.openbsd.org/pub/OpenBSD/2.7/srcsys.tar.gz

下载完后就可以把它放到/usr/src目录里，并解开：

cp srcsys.tar.gz /usr/src ; tar -xzvf /usr/src/srcsys.tar.gz

搞定了源代码，接下来就可以配置并编译内核了。OpenBSD的内核配置文件因为支持多平台，所以相应平台的配置
文件就存放在/usr/src/sys/arch/$ARCH/conf/里，这里的$ARCH就是你所用的平台名称。我们以i386为例介绍
对内核有优化作用的选项。

O 处理器及I/O部分有：

option I686_CPU
这个很简单，与FreeBSD一样
#option GPL_MATH_EMULATE
别把它打开除非你的机器老得连FPU都没有
option DUMMY_NOPS
把开机延迟关掉
option UVM
高级虚拟内存系统，在系统进行交换时提供速度所用
option MFS
这个也与FreeBSD含义一样，用于建立内存盘以提升数据访问速度
O 网络部分有：

option NMBCLUSTERS="8192"
与FreeBSD含义一样，提升高流量时的网络操作速度并提高内核稳定性。如流量低可用1024或2048
另外，把不需要的网卡设备都注释掉，这样可以减小内核容量提升启动速度。

O 磁盘设备部分有：

option BUFCACHEPERCENT=45
保留45%的系统内存作为文件系统的缓存，顾名思义，根据实际系统内存数来取值，推荐取低一些的值
另外，与网络部分一样，把不需要的磁盘设备(scsi、ide)都注释掉。

配完了内核，依次打：

cd /usr/src/sys/arch/$ARCH/conf ; config yourkernel
cd ../compile/yourkernel ; make depend && make
cp /bsd /bsd-old ; cp bsd /bsd
重启后就可以直接用刚才编译好的新内核了，如果它有任何问题，可以重启后在boot>的提示符上输入刚才换名的
旧内核，命令格式为：

boot> boot device:/kernelold
把device换成你存放旧内核的盘设备即可。顺便提一下，你可以在上述命令后加上一个-c选项进入User Kernel
Config界面，它提供与FreeBSD下一样的配置功能。

在OpenBSD 4.3环境下安装Ningx

admin — Wed, 17 Dec 2008 03:32:28 +0000

sudo pkg_add pcre

wget http://sysoev.ru/nginx/nginx-0.7.17.tar.gz

tar xzvf nginx-0.7.17.tar.gz

cd nginx-0.7.17.tar.gz

./configure

这步可以加入很多配置选项,详细的可以输入./configure –help查看,自行修改和设定.

下面这步比较关键:

vi +74 src/os/unix/ngx_posix_config.h

将这行中的malloc.h替换成stdlib.h

保存退出,执行:

make && make install

OK!

Nginx is on your OpenBSD server!!!!!!

如果按上面的步骤,安装后的nginx执行文件在/usr/local/nginx/sbin目录,配置文件在/usr/local/nginx/conf目录,自己根据需要去修改吧.

在 OpenBSD 4.4 上搭建中文语言环境

admin — Wed, 17 Dec 2008 03:18:34 +0000

• Scim 输入法
• gVim
• 在 ~/.xinitrc 文件中设置启动 GNOME
Scim
目前已经测试可以输入的程序有：
• gVim
• gEdit
• Pidgin
• Firefox 3
• Thunderbird 2
Scim 可以到它的官方网站下载。我个人使用拼音输入法，所以只需要安装两个文件： scim-1.4.x：核心程序；

scim-pinyin：输入法模块
输入法模块可以根据自己的需要进行安装。五笔输入法在 scim-tables 这个包里。
编译参数没有什么特别的，scim, scim-pinyin 都可以这样搞定：

# ./configure –prefix=/usr/local
# gmake install
这里必须用 gmake 来编译，依赖的包有： gmake libtool gettext libiconv gtk+2
编译安装好 scim, scim-pinyin 之后还需要让 GTK 程序能够找到这个输入法，需要执行以下命令：
# gtk-query-immodules-2.0 >/var/db/gtk-2.0/gtk.immodules
关于输入法方面的设置：
# File: ~/.xinitrc
export LC_CTYPE=zh_CN.GB18030

# 注意大小写
export XMODIFIERS=”@im=SCIM”
export XIM=scim
export XIM_PROGRAM=scim
export GTK_IM_MODULE=scim
export QT_IM_MODULE=scim

exec gnome-session # 启动 GNOME
#wmaker                    # 启动 WindowMaker
#fvwm                        # 启动 FVWM
#cwm                         # 启动 cwm。OpenBSD 4.2 自带的非常简单的 Window Manager
#startkde                   # 启动 KDE
#startxfce4                 # 启动 XFce4
很奇怪，Scim 不需要在 .xinitrc 里指定启动的程序，它会自动被调用。
gVim
gvim 必须将字符集设置为 utf-8 或 cp936（简体中文）才能使用 scim 正常输入中文，否则乱码：
#
# File: ~/.vimrc
#
#set encoding=cp936
set encoding=utf-8
set fileencoding=utf-8
set fileencodings=utf-8
Start GNOME
在 ~/.xinitrc 中必须这样写才能用 startx 命令启动，否则会报错（Failed to get dbus-daemon’s pid）：
exec dbus-launch gnome-session

Comment by No.0023, Yesterday (24 hours ago)
if [ -x /usr/local/bin/dbus-daemon ]; then
mkdir -p /var/run/dbus chmod 0755 /var/run/dbus chown dbus:dbus /var/run/dbus
/usr/local/bin/dbus-daemon –system
fi
俺是加了这段在/etc/rc.local里。～/.xinitrc 就gnome-session