OpenBSD 3.0 Installation Guide

This is an old guide written near OpenBSD 3.0 release for an old employer. As I found that those in my forum circles at the time absolutely loved it, I decided to keep a copy.

This has been used on more modern versions of OpenBSD. A complete overhaul and validation is in due order, yes. The document will be updated to reflect the updated status.

Credits go to the OpenBSD team for granting permission for duplication of the manuals and guides on the OpenBSD.org website. Thanks to GnuVince and Ashcrow for quick and accurate technical support on the pf.conf file. I originally wrote this paper for the IT department at my company I work for since any server needs to be well documented on at least how to get it up and going in case a drive needs to be dropped in, brand new, with no data backup available. So some points may not need to be made, but are. I omitted the how-to-use-vi section, what does 'ls' do, etc, etc....
Feel free to email me at :: schotty@schotty.com for any questions or comments. You may freely distribute the information within, but if you rebrand and modify, let me know so any of the changes dont point back at me. On to the fun .......
Table of contents


1 Obtaining OpenBSD media

2 Installing OpenBSD

2.1 Prepareing the boot floppy

2.2 Booting the floppy

2.3 Creating BSD and swap partition(s)

2.4 Verifying mount points and formatting partitions

2.5 Setting up NIC adapter(s)

2.6 Installation media

2.7 Choosing installation packages and finishing the install.

2.8 Timezone settings

2.9 Finishing it all up


3 Configuring OpenBSD

3.1 /etc/sysctl.conf

3.2 /etc/rc.conf

3.3 /etc/nat.conf

3.4 /etc/resolv.conf

3.5 /etc/hostname.XxYyZz files

3.6 /etc/pf.conf

3.7 Starting the NAT service and firewall

1. Obtaining OpenBSD

The method that I used was the FTP floppy method. This entails going to www.openbsd.org and retrieving the boot disc floppy image, writing the image to a blank floppy and booting off the floppy to install via FTP.

The other, and just as simple method is to use a CD-ROM. Both will do the job just as easily.
2. Installing OpenBSD

Since I used the FTP Floppy method, I will detail that. The slight variations are obvious and will be noted as I remember them.

2.1 -- Prepare the boot floppy

Grab the floppy image and utility to write the image to a floppy from www.openbsd.org.

Floppy Image (ftp://ftp.openbsd.org/pub/OpenBSD/3.0/i386/floppy30.fs) -- The floppy disk image of the OpenBSD Installer

FDImage (ftp://ftp.openbsd.org/pub/OpenBSD/3.0/tools/fdimage.exe) -- Writes the floppy image to a floppy disk.

C:\fdimage floppy30.fs a:

2.2 Booting the floppy

After the boot image is written, you may boot the target machine off the floppy. The boot process is not fast. We are compressing a rather large amount of data onto a small space and thus the decompression may be cumbersome. But after the boot process starts, the speed is rather quick and responsive.

When prompted for the install type,

(I)nstall, (U)pgrade or (S)hell? i

you most likely will want a fresh install -- reslicing and reformatting.

Press 'I' and hit enter.

Welcome to the OpenBSD/i386 3.0 installation program.

This program is designed to help you put OpenBSD on your disk in a simple and

rational way.

As with anything which modifies your disk's contents, this program can cause

SIGNIFICANT data loss, and you are advised to make sure your data is backed

up before beginning the installation process.

Default answers are displayed in brackets after the questions. You can hit

Control-C at any time to quit, but if you do so at a prompt, you may have

to hit return. Also, quitting in the middle of installation may leave your

system in an inconsistent state. If you hit Control-C and restart the

install, the install program will remember many of your old answers.

You can run a shell command at any prompt via '!foo'

or escape to a shell by simply typing '!'.

Specify terminal type [vt220]:

Hit enter, for the vt220 terminal mode

The installation program needs to know which disk to consider the root disk.

Note the unit number may be different than the unit number you used in the

boot program (especially on a PC with multiple disk controllers).

Available disks are:

sd0

Which disk is the root disk? [sd0]

Do you want to use the *entire* disk for OpenBSD? [no]

Hit enter, to use sd0 as the root disk

Choose yes for using all of the root disk.

2.3 Creating BSD and swap partion(s)

Inside the BIOS 'A6' ('OpenBSD') partition you just created, there resides an

OpenBSD partition table which defines how this BIOS partition is to be split

up. This table declares the offsets and sizes of your / partition, your swap

space, and any other partitions you might create. (NOTE: The OpenBSD disk

label offsets are absolute, ie. relative to the start of the disk... NOT

relative to the start of the BIOS 'A6' partition).

disklabel: no disk label

WARNING: Disk sd0 has no label. You will be creating a new one.

If this disk is shared with other operating systems, those operating systems

should have a BIOS partition entry that spans the space they occupy completely.

For safety, also make sure all OpenBSD file systems are within the offset and

size specified in the 'A6' BIOS partition table. (By default, the disklabel

editor will try to enforce this). If you are unsure of how to use multiple

partitions properly (ie. separating /, /usr, /tmp, /var, /usr/local, and other

things) just split the space into a root and swap partition for now.

#using MBR partition 3: type A6 off 63 (0x3f) size 16450497 (0xfb03c1)

Treating sectors 63-80041248 as the OpenBSD portion of the disk.

You can use the 'b' command to change this.

Initial label editor (enter '?' for help at any prompt)

> ?

Here is the BSD version of fdisk. Here is a simple list of commands to use to get around in this tool.

Available commands:

p [unit] - print label.

M - show entire OpenBSD man page for disklabel.

e - edit drive parameters.

a [part] - add new partition.

b - set OpenBSD disk boundaries.

c [part] - change partition size.

d [part] - delete partition.

g [d|b] - Use [d]isk or [b]ios geometry.

m [part] - modify existing partition.

n [part] - set the mount point for a partition.

r - recalculate free space.

u - undo last change.

s [path] - save label to file.

w - write label to disk.

q - quit and save changes.

x - exit without saving changes.

X - toggle expert mode.

? [cmnd] - this message or command specific help.

Numeric parameters may use suffixes to indicate units:

'b' for bytes, 'c' for cylinders, 'k' for kilobytes, 'm' for megabytes,

'g' for gigabytes or no suffix for sectors (usually 512 bytes).

Non-sector units will be rounded to the nearest cylinder.

Entering '?' at most prompts will give you (simple) context sensitive help.

I used the following list of commands to get the drive sliced properly -- a root ( / ), swap, and var (/var) slices were used.

d a

d b

d d

d e

a a

for offset

3903401 for size

[4.2BSD] slice type

/ Mount point

a b

for offset

256000 for size

for swap

a d

for offset

for size

for BSD slice type

/var for mount point

This should have your slices setup. A p should correct any doubts.

Type w and then q to write table and quit fdisk.

2.4 Verifying mount points and formatting partitions

Next, BSD will need to format and verify thje mount points of each partition.

You will now have the opportunity to enter filesystem information for sd0.

You will be prompted for the mount point (full path, including the prepending

'/' character) for each BSD partition on wd0. Enter "none" to skip a

partition or "done" when you are finished.

The following partitions will be used for the root filesystem and swap:

sd0a /

sd0b swap

Mount point for wd0d (size=82152k) [/tmp, RET, none, or done]?

Now you can select another disk to initialize. (Do not re-select a disk

you have already entered information for). Available disks are:

sd0

Which one? [done]

You have configured the following devices and mount points:

sd0a /

sd0d /tmp

sd0e /var

============================================================

The next step will overwrite any existing data on:

sd0a sd0d sd0e

Are you really sure that you're ready to proceed? [n] y

Creating filesystems...

Warning: 64 sector(s) in last cylinder unallocated

/dev/rsd0a: 164240 sectors in 163 cylinders of 16 tracks, 63 sectors

80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)

/dev/rsd0d: 164304 sectors in 163 cylinders of 16 tracks, 63 sectors

80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)

/dev/rsd0e: 164304 sectors in 163 cylinders of 16 tracks, 63 sectors

80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)

Very self-explanatory, however as not very common, one issue I ran into was the mount point subroutine not terminating properly and requiring a done to get it to stop. As you can see above, once tell it the mount points are correct, you can continue on to the actual format of the partition. A few minutes will pass as it checks for bad blocks and formats.

2.5 Setting up NIC adapter(s)

Here we can setup any NIC adapters that may be already present. This is not mandatory at this point, and can be done later. It would be advisable however, to do it now if you are unconfortable using vi. Simply follow the instructions. First we need to enter in our hostname and domainname. In this case I used sample5.sample.com as our host/domain name.

You will now be given the opportunity to configure the network. This will be

useful if you need to transfer the installation sets via FTP, HTTP, or NFS.

Even if you choose not to transfer installation sets that way, this information

will be preserved and copied into the new root filesystem.

Configure the network [y]

Enter system hostname (short form): [] sample5

Enter DNS domain name: [] sample.com

If you have any devices being configured by a DHCP server

it is recommended that you do not enter a default route or

any name servers.

Here we can now setup the IP and subnet of each adapter. Choose one adapter and follow the prompts and give it the appropriate information needed. To give a NIC adapter DHCP enter dhcp at the IP prompt.

You may configure the following network interfaces (the interfaces

marked with [X] have been successfully configured):

[ ] ne3

[ ] xl0

[ ] ne4

Configure which interface? (or, enter 'done') [ne3]

IP address (or 'dhcp') ? [] 192.168.254.2

Symbolic (host) name? [sample5]

Netmask ? [255.255.255.0]

Your use of the network interface may require non-default

media directives. The default media is:

media: Ethernet autoselect (100baseTX full-duplex)

This is a list of supported media:

media autoselect

media 100baseTX mediaopt full-duplex

media 100baseTX

media 10baseT mediaopt full-duplex

media 10baseT

If the default is not satisfactory, and you wish to use another

media, copy that line from above (e.g. "media 100baseTX")

Media directives? []

After all of the NIC adapters have been configured, tell it done and you will drop to the next section

You may configure the following network interfaces (the interfaces

marked with [X] have been successfully configured):

[X] ne3

[X] xl0

[X] ne4

Configure which interface? (or, enter 'done') [done]

2.6 Installation media

This section will allow you to tell the OpenBSD installer where to get the install packages. We also assign the root password in this part too (some packages need root proveldges to run). There is also the option for installing X, tell it no. We do not require that at all. Providing there is a need, it can be installed later.

You will now be given the opportunity to escape to the command shell to do

any additional network configuration you may need. This may include adding

additional routes, if needed. In addition, you might take this opportunity

to redo the default route in the event that it failed above.

Escape to shell? [n]

/dev/wd0a on /mnt type ffs (rw, asynchronous, local)

/dev/wd0d on /mnt/tmp type ffs (rw, asynchronous, local)

/dev/wd0e on /mnt/var type ffs (rw, asynchronous, local)

/dev/wd0g on /mnt/usr type ffs (rw, asynchronous, local)

/dev/wd0h on /mnt/home type ffs (rw, asynchronous, local)

We must give the root account a password here. To keep things simple, unless otherwise stated use the administrative account that is used on the other systems to keep uniformity.

Please enter the initial password that the root account will have.

Password (will not echo):

Password (again):

Here is the X Window GUI option. We do not need this at this time.

Do you expect to run the X Window System? [y]

It is now time to extract the installation sets onto the hard disk. Make sure

the sets are either on a local device (i.e. tape, CD-ROM) or on a network

server. You will have the chance to repeat this step or to extract sets from

several places, so you don't have to try to load all the sets in one try and

can recover from some errors.

Install from (f)tp, (h)ttp, (t)ape, (C)D-ROM, (N)FS or local (d)isk?

After selecting the media it will either move to the next section, or as in our case, go to the ftp selection screen. There were no screenshots available but the process is simple

[none] proxy server

[n] active FTP

[y] List FTP servers

As the list of FTP servers pop up, press space to paginate and note some FTP servers that are close by. As of the time of my installation 63 (Chicago) and 75 (Madison) were the two of the clsoest fastest servers.

[#of choice] selects the FTP

[enter] accepts FTP

[enter] accepts default FTP directory path (%99.9999 good idea)

[enter] Anonymous FTP

2.7 Choosing installation packages and finishing the install.

Now we must select the packages. The packages are as follows :

You will now be asked for files to extract. In addition to the

files listed in the selector you may enter any file located in

/mnt2//3.0/i386. You can also enter 'all' to install all the standard

sets, or 'list' to list the files available in /mnt2//3.0/i386.

When you are done selecting files, enter 'done'.

Some of these sets are required for your install and some are optional --

You will want at least the base and bsd sets.

Consult the installation notes if you are not sure which sets are required!

The following sets are available for extraction.

Enter filename, `list', `all', or `done'.

You may de-select a set by prepending a '-' to its name.

[X] base30.tgz

[X] etc30.tgz

[X] misc30.tgz

[X] comp30.tgz

[X] man30.tgz

[ ] game30.tgz

[ ] xbase30.tgz

[ ] xshare30.tgz

[ ] xfont30.tgz

[ ] xserv30.tgz

[X] bsd

File name? []

We need to tell it what packages to use. Select jsut the packages marked above.

base30.tgz Has the base OpenBSD system Required

etc30.tgz Has all the files in /etc Required

comp30.tz Has the compiler and its tools, libs. Recommended

man30.tgz Holds man pages Recommended

misc30.tgz Holds misc info, setup docs Optional

game30.tgz Has the games for OpenBSD Optional

xbase30.tgz Has the base install for X11 Optional

xfont30.tgz Holds X11's font server and fonts Optional

xserv30.tgz Has X11's X servers Optional

xshare30.tgz Has manpages, locale settings, includes, etc for X Optional

bsd This is the Kernel. Required

To add a package, type +packagename* , and conversely, to remove a selected package type -packagename*

[done] To go download packages

/3.0/i386/base30.tgz:

100% |**************************************************| 21192 KB 00:00 ETA

/3.0/i386/etc30.tgz:

100% |**************************************************| 987 KB 00:00 ETA

/3.0/i386/man30.tgz:

100% |**************************************************| 4957 KB 00:00 ETA

/3.0/i386/bsd:

100% |**************************************************| 3053 KB 00:00 ETA

/3.0/i386/misc30.tgz:

100% |**************************************************| 1644 KB 00:00 ETA

/3.0/i386/comp30.tgz:

100% |**************************************************| 14406 KB 00:00 ETA

Extract more sets? [n]

2.8 Timezone settings

Now we get to down and dirty with the timezone settings.

Copying fstab, hostname.fxp0, hosts, myname, mygate, resolv.conf, ...done.

...

...

What timezone are you in? [`?' for list] [GMT] ?

Africa/ Chile/ GB-Eire Israel NZ-CHAT Turkey

America/ Cuba GMT Jamaica Navajo UCT

Antarctica/ EET GMT+0 Japan PRC US/

Arctic/ EST GMT-0 Kwajalein PST8PDT UTC

Asia/ EST5EDT GMT0 Libya Pacific/ Universal

Atlantic/ Egypt Greenwich MET Poland W-SU

Australia/ Eire HST MST Portugal WET

Brazil/ Etc/ Hongkong MST7MDT ROC Zulu

CET Europe/ Iceland Mexico/ ROK posixrules

CST6CDT Factory Indian/ Mideast/ Singapore

Canada/ GB Iran NZ SystemV/

We want to use CST6CDT

What timezone are you in? [`?' for list] [GMT] CST6CDT

You have selected timezone "CST6CDT".

Installing timezone link.

2.9 Finishing it all up

Now the system is getting setup with all of the /dev entries and such. That is pretty much the last thing that is done to install OpenBSD.

Making all device nodes (by running /dev/MAKEDEV all) ...... done.

Installing boot block...

boot: /mnt/boot

proto: /usr/mdec/biosboot

device: /dev/rwd0c

/usr/mdec/biosboot: entry point 0

proto bootblock size 512

room for 12 filesystem blocks at 0x16f

Will load 7 blocks of size 8192 each.

Using disk geometry of 63 sectors and 255 heads.

0: 20 @(0 108 44) (6847-6866)

1: 63 @(0 109 1) (6867-6929)

2: 13 @(0 110 1) (6930-6942)

3: 5 @(0 9 59) (625-629)

4: 11 @(0 10 1) (630-640)

/mnt/boot: 5 entries total

using MBR partition 3: type 166 (0xa6) offset 63 (0x3f)

Enabling machdep.allowaperture. Read xf86(4) for more information.

Unmounting filesystems... /mnt/home /mnt/usr /mnt/var /mnt/tmp /mnt ... Done.

Done.

CONGRATULATIONS! You have successfully installed OpenBSD! To boot the

installed system, enter halt at the command prompt. Once the system has

halted, reset the machine and boot from the disk.

Now that the system is all setup, remove the CDROM or boot floppy and type :

#reboot

And the system will reboot.
Section 3 -- Configuring OpenBSD

3.1 /etc/sysctl.conf

This file controls the some kernel options. We need to uncomment a particular line:

#net.inet.ip.forwarding=1

to

net.inet.ip.forwarding=1

Now we have IP forwarding enabled the next time we reboot.

3.2 /etc/rc.conf

This file handles the runlevel controls. We need to enable pf , the firewall/port forwarding application. We do this by changing a particular line:

pf=NO

to (and note case sensitivity again)

pf=YES

Save and exit. Now pf will start on every boot, without any intervention.

3.3 /etc/nat.conf

This is the NAT rule file. The NAT (Network Address Translation) table gets built here.

A sample file will be as such :

#Declare some variables for ease of use

SBC="ne3"

MCLEOUD="xl0"

LAN="206.190.6.0/24"

#Allow LAN to talk to SBC router

nat on ne4 from any to 192.168.254.254 -> $SBC

#Set basic NAT to occur on MCLeoud DSL line.

nat on $MCLEOUD from $LAN to any -> $MCLEOUD

rdr on ne3 proto tcp from any to 192.168.254.3 port 22 -> 206.190.6.222 port 22

3.4 /etc/resolv.conf

This file holds the information for your network in regards to DNS resolution A simple /etc/resolv.conf file will have just two or three lines, one for the search order and one or two for nameservers. Take a look at the example file, the one I used when setting up the gateway initially:

search amervoice.com #Our domain

nameserver 206.141.239.126 #SBC Primary DNS

nameserver 206.141.251.2 #SBC Secondary DNS

nameserver 192.168.254.254 #SBC Router (for backup reasons)

nameserver 192.168.253.254 #McCleoud Router (for backup reasons)

3.5 /etc/hostname.XxYyZz files

These files are the network settings for our NIC adapters. Each file will be called hostname.. For example if you have a ne3 NIC device, the file will be /etc/hostname.ne3. Each file will have one line telling ifconfig how to bring your ethernet card up during boot.

A simple /etc/hostname file will be as follows

inet 192.168.254.121 255.255.255.0 NONE

The format is essentially as follows:

inet Type of driver to use

192.168.254.121 IP address of adpater

255.255.255.0 Subnetmask of adapter

NONE Broadcast settings

In this example, the NIC adapter will be set to 192.168.254.121/24. Simple, eh?

3.6 /etc/pf.conf

This is the firewall script that will allow, block, and log any packet that you wish. It can be by IP, packet type (ICMP, UDP, TCP), port, or TCP request type (ACK, SYN, etc). Here is the firewall script that I currently have enabled.

#Setup a variable for who IS allowed to go online

FullInternetIPs="{206.190.6.3/32,206.190.6.8/32,206.190.6.11/32,206.190.6.32/32,

206.190.6.56/32,206.190.6.111/32,206.190.6.211/32,206.190.6.222/32,206.190.6.243

/32,206.190.6.247/32,206.190.6.249/32}"

WAN="xl0"

LAN="ne4"

#MAPQUEST="{64.12.37.89/32,64.12.51.56/32,64.12.37.57/32,64.12.184.89/32,64.12.1

84.121/32,64.12.174.153/32,64.12.174.185/32,152.163.226.25/32,152.163.26.89/32,1

52.163.226.57/32,152.163.226.121/32,152.163.226.153/32,152.163.226.185/32,205.18

8.65.57/32,205.188.165.121/32,205.188.165.185/32,205.188.165.249/32,64.12.184.57

/32,64.12.184.25/32}"

MAPBLAST="{165.193.102.140/32,165.193.19.12/32}"

SBC="{209.184.193.164/32,216.239.51.101/32}"

DNS="{206.141.239.126/32,206.141.251.2/32,209.253.113.118/32,209.253.113.2/32}"

LONG_DISTANCE="{209.25.87.227/32,216.47.168.105/32}"

#Default Rules

pass out quick on $LAN all

pass in quick on $LAN from any to 206.190.6.222/32

pass in quick on $LAN from $FullInternetIPs to any

pass in quick on $LAN from any to $SBC

pass in quick on $LAN from any to $DNS

pass in quick on $LAN from any to $MAPBLAST

pass in quick on $LAN from any to $LONG_DISTANCE

pass in quick on ne3 proto tcp from any to any port 22

block in log on $LAN all

3.7 Starting the NAT service and firewall

At the command line typ the following commands :

pfctl -R /etc/pf.conf #Adds firewall rules

pfctl -N /etc/nat.conf #Adds NAT rules

pfctl -e #Starts pf

Providing that there were no errors in the .conf files, the programs will start quietly and return back to the command prompt. If you see errors, it will tell you the .conf file that has the error. Then you must correct the .conf file and reload that file into pf, and restart pf.

After pf has successfully started you can go to a workstation, make sure that the Default Gateway and DNS Server are set to the LAN port of sample5. Then make usre that there are no proxy settings and the MS-Proxy is off. You, should be able to browse outside (providing you didnt forbid that in your NAT/firewall rules) and ping outside the LAN.