OpenBSD 3.0 Installation Guide
This is an old guide written near OpenBSD 3.0 release for an old employer. As I found that those in my forum circles at the time absolutely loved it, I decided to keep a copy.
This has been used on more modern versions of OpenBSD. A complete overhaul and validation is in due order, yes. The document will be updated to reflect the updated status.
Credits go to the OpenBSD team for granting permission for duplication of the manuals and guides on the OpenBSD.org website. Thanks to GnuVince and Ashcrow for quick and accurate technical support on the pf.conf file. I originally wrote this paper for the IT department at my company I work for since any server needs to be well documented on at least how to get it up and going in case a drive needs to be dropped in, brand new, with no data backup available. So some points may not need to be made, but are. I omitted the how-to-use-vi section, what does 'ls' do, etc, etc.... Feel free to email me at :: schotty@schotty.com for any questions or comments. You may freely distribute the information within, but if you rebrand and modify, let me know so any of the changes dont point back at me. On to the fun .......
Table of contents 1 Obtaining OpenBSD media 2 Installing OpenBSD 2.1 Prepareing the boot floppy 2.2 Booting the floppy 2.3 Creating BSD and swap partition(s) 2.4 Verifying mount points and formatting partitions 2.5 Setting up NIC adapter(s) 2.6 Installation media 2.7 Choosing installation packages and finishing the install. 2.8 Timezone settings 2.9 Finishing it all up 3 Configuring OpenBSD 3.1 /etc/sysctl.conf 3.2 /etc/rc.conf 3.3 /etc/nat.conf 3.4 /etc/resolv.conf 3.5 /etc/hostname.XxYyZz files 3.6 /etc/pf.conf 3.7 Starting the NAT service and firewall
1. Obtaining OpenBSD The method that I used was the FTP floppy method. This entails going to www.openbsd.org and retrieving the boot disc floppy image, writing the image to a blank floppy and booting off the floppy to install via FTP. The other, and just as simple method is to use a CD-ROM. Both will do the job just as easily.
2. Installing OpenBSD
Since I used the FTP Floppy method, I will detail that. The slight variations are obvious and will be noted as I remember them.
2.1 -- Prepare the boot floppy
Grab the floppy image and utility to write the image to a floppy from www.openbsd.org.
Floppy Image (ftp://ftp.openbsd.org/pub/OpenBSD/3.0/i386/floppy30.fs) -- The floppy disk image of the OpenBSD Installer
FDImage (ftp://ftp.openbsd.org/pub/OpenBSD/3.0/tools/fdimage.exe) -- Writes the floppy image to a floppy disk.
C:\fdimage floppy30.fs a:
2.2 Booting the floppy
After the boot image is written, you may boot the target machine off the floppy. The boot process is not fast. We are compressing a rather large amount of data onto a small space and thus the decompression may be cumbersome. But after the boot process starts, the speed is rather quick and responsive.
When prompted for the install type,
(I)nstall, (U)pgrade or (S)hell? i
you most likely will want a fresh install -- reslicing and reformatting.
Press 'I' and hit enter.
Welcome to the OpenBSD/i386 3.0 installation program.
This program is designed to help you put OpenBSD on your disk in a simple and
rational way.
As with anything which modifies your disk's contents, this program can cause
SIGNIFICANT data loss, and you are advised to make sure your data is backed
up before beginning the installation process.
Default answers are displayed in brackets after the questions. You can hit
Control-C at any time to quit, but if you do so at a prompt, you may have
to hit return. Also, quitting in the middle of installation may leave your
system in an inconsistent state. If you hit Control-C and restart the
install, the install program will remember many of your old answers.
You can run a shell command at any prompt via '!foo'
or escape to a shell by simply typing '!'.
Specify terminal type [vt220]:
Hit enter, for the vt220 terminal mode
The installation program needs to know which disk to consider the root disk.
Note the unit number may be different than the unit number you used in the
boot program (especially on a PC with multiple disk controllers).
Available disks are:
sd0
Which disk is the root disk? [sd0]
Do you want to use the *entire* disk for OpenBSD? [no]
Hit enter, to use sd0 as the root disk
Choose yes for using all of the root disk.
2.3 Creating BSD and swap partion(s)
Inside the BIOS 'A6' ('OpenBSD') partition you just created, there resides an
OpenBSD partition table which defines how this BIOS partition is to be split
up. This table declares the offsets and sizes of your / partition, your swap
space, and any other partitions you might create. (NOTE: The OpenBSD disk
label offsets are absolute, ie. relative to the start of the disk... NOT
relative to the start of the BIOS 'A6' partition).
disklabel: no disk label
WARNING: Disk sd0 has no label. You will be creating a new one.
If this disk is shared with other operating systems, those operating systems
should have a BIOS partition entry that spans the space they occupy completely.
For safety, also make sure all OpenBSD file systems are within the offset and
size specified in the 'A6' BIOS partition table. (By default, the disklabel
editor will try to enforce this). If you are unsure of how to use multiple
partitions properly (ie. separating /, /usr, /tmp, /var, /usr/local, and other
things) just split the space into a root and swap partition for now.
#using MBR partition 3: type A6 off 63 (0x3f) size 16450497 (0xfb03c1)
Treating sectors 63-80041248 as the OpenBSD portion of the disk.
You can use the 'b' command to change this.
Initial label editor (enter '?' for help at any prompt)
> ?
Here is the BSD version of fdisk. Here is a simple list of commands to use to get around in this tool.
Available commands:
p [unit] - print label.
M - show entire OpenBSD man page for disklabel.
e - edit drive parameters.
a [part] - add new partition.
b - set OpenBSD disk boundaries.
c [part] - change partition size.
d [part] - delete partition.
g [d|b] - Use [d]isk or [b]ios geometry.
m [part] - modify existing partition.
n [part] - set the mount point for a partition.
r - recalculate free space.
u - undo last change.
s [path] - save label to file.
w - write label to disk.
q - quit and save changes.
x - exit without saving changes.
X - toggle expert mode.
? [cmnd] - this message or command specific help.
Numeric parameters may use suffixes to indicate units:
'b' for bytes, 'c' for cylinders, 'k' for kilobytes, 'm' for megabytes,
'g' for gigabytes or no suffix for sectors (usually 512 bytes).
Non-sector units will be rounded to the nearest cylinder.
Entering '?' at most prompts will give you (simple) context sensitive help.
I used the following list of commands to get the drive sliced properly -- a root ( / ), swap, and var (/var) slices were used.
d a
d b
d d
d e
a a
for offset
3903401 for size
[4.2BSD] slice type
/ Mount point
a b
for offset
256000 for size
for swap
a d
for offset
for size
for BSD slice type
/var for mount point
This should have your slices setup. A p should correct any doubts.
Type w and then q to write table and quit fdisk.
2.4 Verifying mount points and formatting partitions
Next, BSD will need to format and verify thje mount points of each partition.
You will now have the opportunity to enter filesystem information for sd0.
You will be prompted for the mount point (full path, including the prepending
'/' character) for each BSD partition on wd0. Enter "none" to skip a
partition or "done" when you are finished.
The following partitions will be used for the root filesystem and swap:
sd0a /
sd0b swap
Mount point for wd0d (size=82152k) [/tmp, RET, none, or done]?
Now you can select another disk to initialize. (Do not re-select a disk
you have already entered information for). Available disks are:
sd0
Which one? [done]
You have configured the following devices and mount points:
sd0a /
sd0d /tmp
sd0e /var
============================================================
The next step will overwrite any existing data on:
sd0a sd0d sd0e
Are you really sure that you're ready to proceed? [n] y
Creating filesystems...
Warning: 64 sector(s) in last cylinder unallocated
/dev/rsd0a: 164240 sectors in 163 cylinders of 16 tracks, 63 sectors
80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)
/dev/rsd0d: 164304 sectors in 163 cylinders of 16 tracks, 63 sectors
80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)
/dev/rsd0e: 164304 sectors in 163 cylinders of 16 tracks, 63 sectors
80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)
Very self-explanatory, however as not very common, one issue I ran into was the mount point subroutine not terminating properly and requiring a done to get it to stop. As you can see above, once tell it the mount points are correct, you can continue on to the actual format of the partition. A few minutes will pass as it checks for bad blocks and formats.
2.5 Setting up NIC adapter(s)
Here we can setup any NIC adapters that may be already present. This is not mandatory at this point, and can be done later. It would be advisable however, to do it now if you are unconfortable using vi. Simply follow the instructions. First we need to enter in our hostname and domainname. In this case I used sample5.sample.com as our host/domain name.
You will now be given the opportunity to configure the network. This will be
useful if you need to transfer the installation sets via FTP, HTTP, or NFS.
Even if you choose not to transfer installation sets that way, this information
will be preserved and copied into the new root filesystem.
Configure the network [y]
Enter system hostname (short form): [] sample5
Enter DNS domain name: [] sample.com
If you have any devices being configured by a DHCP server
it is recommended that you do not enter a default route or
any name servers.
Here we can now setup the IP and subnet of each adapter. Choose one adapter and follow the prompts and give it the appropriate information needed. To give a NIC adapter DHCP enter dhcp at the IP prompt.
You may configure the following network interfaces (the interfaces
marked with [X] have been successfully configured):
[ ] ne3
[ ] xl0
[ ] ne4
Configure which interface? (or, enter 'done') [ne3]
IP address (or 'dhcp') ? [] 192.168.254.2
Symbolic (host) name? [sample5]
Netmask ? [255.255.255.0]
Your use of the network interface may require non-default
media directives. The default media is:
media: Ethernet autoselect (100baseTX full-duplex)
This is a list of supported media:
media autoselect
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT mediaopt full-duplex
media 10baseT
If the default is not satisfactory, and you wish to use another
media, copy that line from above (e.g. "media 100baseTX")
Media directives? []
After all of the NIC adapters have been configured, tell it done and you will drop to the next section
You may configure the following network interfaces (the interfaces
marked with [X] have been successfully configured):
[X] ne3
[X] xl0
[X] ne4
Configure which interface? (or, enter 'done') [done]
2.6 Installation media
This section will allow you to tell the OpenBSD installer where to get the install packages. We also assign the root password in this part too (some packages need root proveldges to run). There is also the option for installing X, tell it no. We do not require that at all. Providing there is a need, it can be installed later.
You will now be given the opportunity to escape to the command shell to do
any additional network configuration you may need. This may include adding
additional routes, if needed. In addition, you might take this opportunity
to redo the default route in the event that it failed above.
Escape to shell? [n]
/dev/wd0a on /mnt type ffs (rw, asynchronous, local)
/dev/wd0d on /mnt/tmp type ffs (rw, asynchronous, local)
/dev/wd0e on /mnt/var type ffs (rw, asynchronous, local)
/dev/wd0g on /mnt/usr type ffs (rw, asynchronous, local)
/dev/wd0h on /mnt/home type ffs (rw, asynchronous, local)
We must give the root account a password here. To keep things simple, unless otherwise stated use the administrative account that is used on the other systems to keep uniformity.
Please enter the initial password that the root account will have.
Password (will not echo):
Password (again):
Here is the X Window GUI option. We do not need this at this time.
Do you expect to run the X Window System? [y]
It is now time to extract the installation sets onto the hard disk. Make sure
the sets are either on a local device (i.e. tape, CD-ROM) or on a network
server. You will have the chance to repeat this step or to extract sets from
several places, so you don't have to try to load all the sets in one try and
can recover from some errors.
Install from (f)tp, (h)ttp, (t)ape, (C)D-ROM, (N)FS or local (d)isk?
After selecting the media it will either move to the next section, or as in our case, go to the ftp selection screen. There were no screenshots available but the process is simple
[none] proxy server
[n] active FTP
[y] List FTP servers
As the list of FTP servers pop up, press space to paginate and note some FTP servers that are close by. As of the time of my installation 63 (Chicago) and 75 (Madison) were the two of the clsoest fastest servers.
[#of choice] selects the FTP
[enter] accepts FTP
[enter] accepts default FTP directory path (%99.9999 good idea)
[enter] Anonymous FTP
2.7 Choosing installation packages and finishing the install.
Now we must select the packages. The packages are as follows :
You will now be asked for files to extract. In addition to the
files listed in the selector you may enter any file located in
/mnt2//3.0/i386. You can also enter 'all' to install all the standard
sets, or 'list' to list the files available in /mnt2//3.0/i386.
When you are done selecting files, enter 'done'.
Some of these sets are required for your install and some are optional --
You will want at least the base and bsd sets.
Consult the installation notes if you are not sure which sets are required!
The following sets are available for extraction.
Enter filename, `list', `all', or `done'.
You may de-select a set by prepending a '-' to its name.
[X] base30.tgz
[X] etc30.tgz
[X] misc30.tgz
[X] comp30.tgz
[X] man30.tgz
[ ] game30.tgz
[ ] xbase30.tgz
[ ] xshare30.tgz
[ ] xfont30.tgz
[ ] xserv30.tgz
[X] bsd
File name? []
We need to tell it what packages to use. Select jsut the packages marked above.
base30.tgz Has the base OpenBSD system Required
etc30.tgz Has all the files in /etc Required
comp30.tz Has the compiler and its tools, libs. Recommended
man30.tgz Holds man pages Recommended
misc30.tgz Holds misc info, setup docs Optional
game30.tgz Has the games for OpenBSD Optional
xbase30.tgz Has the base install for X11 Optional
xfont30.tgz Holds X11's font server and fonts Optional
xserv30.tgz Has X11's X servers Optional
xshare30.tgz Has manpages, locale settings, includes, etc for X Optional
bsd This is the Kernel. Required
To add a package, type +packagename* , and conversely, to remove a selected package type -packagename*
[done] To go download packages
/3.0/i386/base30.tgz:
100% |**************************************************| 21192 KB 00:00 ETA
/3.0/i386/etc30.tgz:
100% |**************************************************| 987 KB 00:00 ETA
/3.0/i386/man30.tgz:
100% |**************************************************| 4957 KB 00:00 ETA
/3.0/i386/bsd:
100% |**************************************************| 3053 KB 00:00 ETA
/3.0/i386/misc30.tgz:
100% |**************************************************| 1644 KB 00:00 ETA
/3.0/i386/comp30.tgz:
100% |**************************************************| 14406 KB 00:00 ETA
Extract more sets? [n]
2.8 Timezone settings
Now we get to down and dirty with the timezone settings.
Copying fstab, hostname.fxp0, hosts, myname, mygate, resolv.conf, ...done.
...
...
What timezone are you in? [`?' for list] [GMT] ?
Africa/ Chile/ GB-Eire Israel NZ-CHAT Turkey
America/ Cuba GMT Jamaica Navajo UCT
Antarctica/ EET GMT+0 Japan PRC US/
Arctic/ EST GMT-0 Kwajalein PST8PDT UTC
Asia/ EST5EDT GMT0 Libya Pacific/ Universal
Atlantic/ Egypt Greenwich MET Poland W-SU
Australia/ Eire HST MST Portugal WET
Brazil/ Etc/ Hongkong MST7MDT ROC Zulu
CET Europe/ Iceland Mexico/ ROK posixrules
CST6CDT Factory Indian/ Mideast/ Singapore
Canada/ GB Iran NZ SystemV/
We want to use CST6CDT
What timezone are you in? [`?' for list] [GMT] CST6CDT
You have selected timezone "CST6CDT".
Installing timezone link.
2.9 Finishing it all up
Now the system is getting setup with all of the /dev entries and such. That is pretty much the last thing that is done to install OpenBSD.
Making all device nodes (by running /dev/MAKEDEV all) ...... done.
Installing boot block...
boot: /mnt/boot
proto: /usr/mdec/biosboot
device: /dev/rwd0c
/usr/mdec/biosboot: entry point 0
proto bootblock size 512
room for 12 filesystem blocks at 0x16f
Will load 7 blocks of size 8192 each.
Using disk geometry of 63 sectors and 255 heads.
0: 20 @(0 108 44) (6847-6866)
1: 63 @(0 109 1) (6867-6929)
2: 13 @(0 110 1) (6930-6942)
3: 5 @(0 9 59) (625-629)
4: 11 @(0 10 1) (630-640)
/mnt/boot: 5 entries total
using MBR partition 3: type 166 (0xa6) offset 63 (0x3f)
Enabling machdep.allowaperture. Read xf86(4) for more information.
Unmounting filesystems... /mnt/home /mnt/usr /mnt/var /mnt/tmp /mnt ... Done.
Done.
CONGRATULATIONS! You have successfully installed OpenBSD! To boot the
installed system, enter halt at the command prompt. Once the system has
halted, reset the machine and boot from the disk.
Now that the system is all setup, remove the CDROM or boot floppy and type :
#reboot
And the system will reboot.
Section 3 -- Configuring OpenBSD
3.1 /etc/sysctl.conf
This file controls the some kernel options. We need to uncomment a particular line:
#net.inet.ip.forwarding=1
to
net.inet.ip.forwarding=1
Now we have IP forwarding enabled the next time we reboot.
3.2 /etc/rc.conf
This file handles the runlevel controls. We need to enable pf , the firewall/port forwarding application. We do this by changing a particular line:
pf=NO
to (and note case sensitivity again)
pf=YES
Save and exit. Now pf will start on every boot, without any intervention.
3.3 /etc/nat.conf
This is the NAT rule file. The NAT (Network Address Translation) table gets built here.
A sample file will be as such :
#Declare some variables for ease of use
SBC="ne3"
MCLEOUD="xl0"
LAN="206.190.6.0/24"
#Allow LAN to talk to SBC router
nat on ne4 from any to 192.168.254.254 -> $SBC
#Set basic NAT to occur on MCLeoud DSL line.
nat on $MCLEOUD from $LAN to any -> $MCLEOUD
rdr on ne3 proto tcp from any to 192.168.254.3 port 22 -> 206.190.6.222 port 22
3.4 /etc/resolv.conf
This file holds the information for your network in regards to DNS resolution A simple /etc/resolv.conf file will have just two or three lines, one for the search order and one or two for nameservers. Take a look at the example file, the one I used when setting up the gateway initially:
search amervoice.com #Our domain
nameserver 206.141.239.126 #SBC Primary DNS
nameserver 206.141.251.2 #SBC Secondary DNS
nameserver 192.168.254.254 #SBC Router (for backup reasons)
nameserver 192.168.253.254 #McCleoud Router (for backup reasons)
3.5 /etc/hostname.XxYyZz files
These files are the network settings for our NIC adapters. Each file will be called hostname.. For example if you have a ne3 NIC device, the file will be /etc/hostname.ne3. Each file will have one line telling ifconfig how to bring your ethernet card up during boot.
A simple /etc/hostname file will be as follows
inet 192.168.254.121 255.255.255.0 NONE
The format is essentially as follows:
inet Type of driver to use
192.168.254.121 IP address of adpater
255.255.255.0 Subnetmask of adapter
NONE Broadcast settings
In this example, the NIC adapter will be set to 192.168.254.121/24. Simple, eh?
3.6 /etc/pf.conf
This is the firewall script that will allow, block, and log any packet that you wish. It can be by IP, packet type (ICMP, UDP, TCP), port, or TCP request type (ACK, SYN, etc). Here is the firewall script that I currently have enabled.
#Setup a variable for who IS allowed to go online
FullInternetIPs="{206.190.6.3/32,206.190.6.8/32,206.190.6.11/32,206.190.6.32/32,
206.190.6.56/32,206.190.6.111/32,206.190.6.211/32,206.190.6.222/32,206.190.6.243
/32,206.190.6.247/32,206.190.6.249/32}"
WAN="xl0"
LAN="ne4"
#MAPQUEST="{64.12.37.89/32,64.12.51.56/32,64.12.37.57/32,64.12.184.89/32,64.12.1
84.121/32,64.12.174.153/32,64.12.174.185/32,152.163.226.25/32,152.163.26.89/32,1
52.163.226.57/32,152.163.226.121/32,152.163.226.153/32,152.163.226.185/32,205.18
8.65.57/32,205.188.165.121/32,205.188.165.185/32,205.188.165.249/32,64.12.184.57
/32,64.12.184.25/32}"
MAPBLAST="{165.193.102.140/32,165.193.19.12/32}"
SBC="{209.184.193.164/32,216.239.51.101/32}"
DNS="{206.141.239.126/32,206.141.251.2/32,209.253.113.118/32,209.253.113.2/32}"
LONG_DISTANCE="{209.25.87.227/32,216.47.168.105/32}"
#Default Rules
pass out quick on $LAN all
pass in quick on $LAN from any to 206.190.6.222/32
pass in quick on $LAN from $FullInternetIPs to any
pass in quick on $LAN from any to $SBC
pass in quick on $LAN from any to $DNS
pass in quick on $LAN from any to $MAPBLAST
pass in quick on $LAN from any to $LONG_DISTANCE
pass in quick on ne3 proto tcp from any to any port 22
block in log on $LAN all
3.7 Starting the NAT service and firewall
At the command line typ the following commands :
pfctl -R /etc/pf.conf #Adds firewall rules
pfctl -N /etc/nat.conf #Adds NAT rules
pfctl -e #Starts pf
Providing that there were no errors in the .conf files, the programs will start quietly and return back to the command prompt. If you see errors, it will tell you the .conf file that has the error. Then you must correct the .conf file and reload that file into pf, and restart pf.
After pf has successfully started you can go to a workstation, make sure that the Default Gateway and DNS Server are set to the LAN port of sample5. Then make usre that there are no proxy settings and the MS-Proxy is off. You, should be able to browse outside (providing you didnt forbid that in your NAT/firewall rules) and ping outside the LAN.