Building an OpenBSD Gateway - Part 1
Written by HE PingPing
Posted on: Nov 19, 2008 at 07:41am
Section: Tutorials
A gateway is a piece of equipment that performs various networking functions, like filtering IP packets ('firewalling'), Network Address Translation ('NAT'), routing of IP packets across one or more networks ('routing'), and serving up IP addresses to clients attached to the network ('DHCP'). Quite often gateways are called 'routers', although as we've just seen, gateways do more than just route network traffic.
“I've already got a Router, why should I build another?” That's a good question and one that can only be answered based on what your needs and wants are. If you're happy with the level of functionality you receive from your current router, then you can stop reading now if you like. However, if you want to crank up your gateway's functionality and security by astronomic proportions, then this tutorial is for you.
"But why OpenBSD?" Truth be told, there are many operating systems you could use as a gateway. Most will do the job and most can be 'hardened' to provide very secure installs – provided you know what you're doing. With OpenBSD, however, you don't need to be an expert in computer security to have a hardened install. The base install is already hardened. The OpenBSD developers spend a lot of time auditing code. Hardware design errors aside, most security 'vulnerabilities' come down to poor software design or poor software implementation, i.e. bugs. A security bug is just a software bug that can be exploited to have unintended consequences. The classic 'buffer overflow' attack is simply an exploit of the original programmer's failure to ensure the data input by the user does not exceed the size of the buffer as defined in his C/C++ code. Rigorous auditing of code, like the OpenBSD project does, ensures that such bugs are corrected so that the OpenBSD package of an application has these bugs removed. However, it needs to be understood that not all packages that run on OpenBSD undergo such rigorous audits. The base install of OpenBSD gives the user this assurance. Installing software from the Ports collection may represent an increased risk. I say 'may' because it presupposes there are bugs remaining that can be exploited. OpenBSD typically ports older, mature applications which are more likely to have had their bugs 'ironed out' than the latest version of an application. This, of course, may have a negative impact on functionality and while OpenBSD can be used as a desktop OS, you'll soon find that it's better as a server. Others may disagree; it's just my opinion and you can have yours.
OpenBSD includes numerous other checks and balances that can stop an exploit in its tracks. Enforcing 'least privilege', chroot jails, no dynamic loading of kernel modules, random process IDs, and encrypted swap partitions are just a few examples of why OpenBSD has the enviable record of only two remote exploits in the base install over the past 10 years. You can read more here: http://www.openbsd.org/security.html. Simply put, OpenBSD's security record is 'stellar' in comparison to other operating systems. A gateway built using OpenBSD – providing you don't screw up the configuration – offers the strongest protection you can get against the hostile environment of the world wild web. And it's free.
Enough of the soft sell. Let's move on to actually installing it.
STEP 1: Obtain the .iso image and burn it to CD
There are many ways you can install OpenBSD to your PC's hard drive. We're going to use the simplest (and most popular) method – burning an .iso image to CD. We'll be installing OpenBSD 4.4 and, specifically, the RELEASE branch. After you've worked your way through this tutorial you may want to consider switching to the STABLE branch. It's easily done and will take around 3+ hours (including compiling time) to complete the process. Refer to Section 5 of the FAQ ( http://www.openbsd.org/faq/ ) for further details.
To get a copy of the 4.4-RELEASE .iso image we need to download it from one of the mirror sites listed at http://www.openbsd.org/ftp.html. You can use any of the mirror lists if you like, but we'll be using the HTTP list in this tutorial. That said, we're going to need an FTP mirror address later on in this tutorial so note down an FTP address as well. From the HTTP list, locate the mirror closest to you but DO NOT CHOOSE ANY USA SITES. The US Government prohibits the export of cryptography and this means all copies of OpenBSD available from US mirrors are stripped of OpenBSD's cryptographic security goodness. We want our gateway to be as secure as possible so choose a non-US mirror site.
We'll have to do some navigation to locate our .iso image and the one we want is /4.4/i386/install44.iso. Download this image and check its md5sum by running:
md5sum install44.iso <ENTER>
and comparing the output with the corresponding details in the /4.4/i386/MD5 file. If everything is okay, burn it to CD using your favourite CD burning software (mine's K3B) and then reboot from the newly burned CD.
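The comparison described above is easy to get wrong by eye (two 32-character hex strings that differ in one character look identical at a glance), so here is a small POSIX shell script that does it for you. It is an added example, not part of the original tutorial: it pulls the digest recorded for the image's file name out of the mirror's MD5 file, which uses the BSD digest format "MD5 (install44.iso) = <hex>", computes the local digest with md5sum, and only reports success when the two strings match exactly. The function names and the tiny stand-in 'image' at the bottom are constructed for the demo; point verify_image at the real install44.iso and MD5 file you downloaded.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify a downloaded image
# against the MD5 file that sits beside it on the mirror. Assumes the MD5 file
# is in BSD digest format, one "MD5 (name) = <hex>" line per file, and that
# GNU md5sum is available on the machine doing the download.
set -e

# usage: expected_md5 MD5FILE NAME -> prints the hex digest recorded for NAME
expected_md5() {
    # anchor on the exact file name so a similarly named entry cannot match
    sed -n "s/^MD5 ($2) = \([0-9a-f]\{32\}\)$/\1/p" "$1" | head -n 1
}

# usage: actual_md5 FILE -> prints the digest computed locally with md5sum
actual_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# usage: verify_image FILE MD5FILE -> returns 0 if the digests match, 1 otherwise
verify_image() {
    want=$(expected_md5 "$2" "$(basename "$1")")
    got=$(actual_md5 "$1")
    if [ -z "$want" ]; then
        echo "no entry for $(basename "$1") in $2" >&2
        return 1
    fi
    if [ "$want" = "$got" ]; then
        echo "OK: $1 ($got)"
        return 0
    fi
    echo "MISMATCH: $1 (expected $want, got $got)" >&2
    return 1
}

# Constructed demo data, so the check can be run offline: a tiny stand-in
# "image" whose md5 is known, and an MD5 file in the mirror's format.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/install44.iso"
printf 'MD5 (install44.iso) = b1946ac92492d2347c6235b4d2611184\n' > "$demo/MD5"
verify_image "$demo/install44.iso" "$demo/MD5"
```

The script exits non-zero on a mismatch or a missing entry, so it can gate the next step (for example, only burn the CD when verify_image succeeds).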
STEP 2: OpenBSD's Text-based Installer
When you reboot from the CD, you'll see something similar to the following output on your screen:
...
Boot from CD : CD-ROM: 9F
Loading /4.4/I386/CDBOOT
probing: pc0 com0 com1 apm mem[640K 478M a20=on]
disk: fd0 hd0+ cd0
>> OpenBSD/i386 CDBOOT 2.02
boot>
booting cd0a:/4.4/i386/bsd.rd: 5155412*
with a spinning cursor (the '*' above). The cursor will continue to spin for a few minutes while the installer loads into memory. Then, a whole bunch of kernel output will cause our screen to scroll as the kernel detects our hardware. We can view this output later using the 'dmesg' command. After the screen has stopped scrolling, we're greeted with the words:
erase ^?, werase ^W, kill ^U, intr ^C, status ^T
(I)nstall, (U)pgrade or (S)hell?
Press 'I' and then hit <ENTER> to begin the installation process.
Setting Your Terminal and Keyboard Layout
We're now asked what type of terminal (emulator) we want to use, with the default value shown in square brackets [vt220]. Unless you know you want something else, we'll just hit <ENTER> to accept the default. Next, we need to map our keyboard. The default assumes a US keyboard so you can just hit <ENTER> if that suits and move on. If you want a different keyboard layout, press 'L' and hit <ENTER> to see the list of available keymaps. I have a UK keyboard so I type:
uk <ENTER>
Having selected our keyboard layout, we are now reminded that before we go any further we should have backed up any data we wanted to as the install process will wipe our hard drive. Pretty standard stuff and typing 'yes' <ENTER> leads us to a given (and very short) list of available disks on which to install OpenBSD. Again, the default value is square-bracketed which, in my case, is [wd0]. This is the one I want so I just hit <ENTER>. If you want to use something else, then now's your chance to specify it.
Partitioning the Hard Drive
Next, we're asked if we want to use all of the disk for the install. Unless you have reasons otherwise, type 'yes' and hit <ENTER>. Now we've dropped into the label editor. The label editor is OpenBSD's equivalent of fdisk in GNU/Linux in that we use it to specify our partitions. Type 'p' and press <ENTER>. We now see a solitary 'c:' partition representing the whole of the disk. In OpenBSD we need to create (at least) a root partition and a swap partition. In OpenBSD, the root partition (/) is always partition 'a:' and the swap space is always partition 'b:'. We can also specify separate partitions for /usr, /home, /var, et al. on 'e:', 'f:', etc. However, we're going to keep things simple and just have the basic root and swap partitions. Now comes the tricky bit. Grab a calculator and a pen and paper as it's time to do some basic arithmetic.
My drive has a 'size' of 8023617 (sectors). I saw this in the output from typing 'p' (above). Each sector is 512B, making my hard drive 4108091904B (8023617 x 512B). In fact, it's actually 4108124160B in size but the first 63 sectors (32256B) are reserved for the partition table and master boot record. I'm using a 4GB compact flash card with a CF-IDE adapter for my install, hence the relatively low sector count. My machine also has 512MB of RAM, which is overkill for its future deployment as a dedicated gateway. Therefore, it's unlikely I'll ever need to use any swap space but, nonetheless, I'm going to set up a small (128MB = 262144 sectors of 512B each) swap partition. Partition 'b:' (swap) needs to finish at sector 8023680 (8023617 + 63) and start some 262144 sectors prior, i.e. 7761536. Therefore, my root partition needs to finish at 7761536 and start at 63, giving me 7761473 sectors of usable space for the filesystem. In summary, my partition table is going to look like:
partition  mount point  sector offset  sector end  sectors   Bytes        MB
a          /            63             7761536     7761473   3973874176   3790
b          swap         7761536        8023680     262144    134217728    128
To create my root partition I simply type 'a' (for 'add partition') and press <ENTER> at the prompt. It gives me a default partition of 'a' which I accept by hitting <ENTER>. The default offset of [63] is correct so I simply hit <ENTER> again. For size, I enter 7761473. Keep the filesystem type as the default 4.2BSD and specify the mount point as '/' by typing '/' and then pressing <ENTER>. If we now type 'p' and hit <ENTER> we'll get a screen print of our updated partition plan. To create the swap partition we repeat the process, starting with 'a' <ENTER> to add another partition. We now see the default partition value has changed to 'b'. Accepting this, we see the offset has also changed. In my case, it's 7761536 (see my calculations above). Depending on the size of your hard drive and your calculations, yours may be different. If it's the correct value, accept it ( <ENTER> ) and also accept the subsequent size ( <ENTER> ) and the default FS type of 'swap' ( <ENTER> ). Another print of the planned partition table ( 'p' <ENTER> ) and we should see everything is as we wanted. To write the changes and quit the label editor, type 'q' and press <ENTER>. Hit <ENTER> at the prompt to write the new label and you'll be greeted with a warning about destroying all existing data on the partitions. That's fine, so we just type 'yes' and press <ENTER> and the partition table is written.
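The arithmetic behind the partition table can be checked, or redone for a different disk, with the following POSIX shell script. It is an added example and not part of the original tutorial: given the 'size' the label editor prints (the usable sectors after the 63 reserved ones) and the swap size in MB, it derives the root size, the swap offset and the end sector, refuses any layout that does not end exactly on the disk's last sector, and prints the same table as above. The function names are my own; the constants (512-byte sectors, 63 reserved sectors) are the ones the text uses.

```shell
#!/bin/sh
# Added example (not from the original tutorial): reproduce the disklabel
# arithmetic from the text for any disk. Inputs are the usable sector count
# the label editor reports and the desired swap size in MB; the 63 reserved
# sectors and 512-byte sectors are the values assumed in the tutorial.
RESERVED=63     # sectors reserved for the MBR and partition table
SECTOR=512      # bytes per sector

# usage: swap_sectors MB -> number of 512-byte sectors in MB megabytes
swap_sectors() {
    echo $(( $1 * 1024 * 1024 / SECTOR ))
}

# usage: root_size USABLE_SECTORS SWAP_MB -> sectors left for the root partition
root_size() {
    echo $(( $1 - $(swap_sectors "$2") ))
}

# usage: swap_offset USABLE_SECTORS SWAP_MB -> first sector of the swap partition
swap_offset() {
    echo $(( RESERVED + $(root_size "$1" "$2") ))
}

# usage: plan USABLE_SECTORS SWAP_MB -> prints the planned label, or fails
# if the two partitions would not end exactly at the last sector of the disk
plan() {
    usable=$1
    swapmb=$2
    swp=$(swap_sectors "$swapmb")
    rt=$(root_size "$usable" "$swapmb")
    a_off=$RESERVED
    a_end=$(( a_off + rt ))
    b_off=$a_end
    b_end=$(( b_off + swp ))
    if [ "$rt" -le 0 ]; then
        echo "swap of ${swapmb}MB leaves no room for root" >&2
        return 1
    fi
    if [ "$b_end" -ne $(( usable + RESERVED )) ]; then
        echo "layout ends at $b_end, disk ends at $(( usable + RESERVED ))" >&2
        return 1
    fi
    # root MB is rounded to the nearest MB, which is how the text reports it
    root_mb=$(( (rt * SECTOR + 524288) / 1048576 ))
    printf '%-9s %-5s %10s %10s %10s %12s %6s\n' partition mount offset end sectors bytes MB
    printf '%-9s %-5s %10d %10d %10d %12d %6d\n' a / "$a_off" "$a_end" "$rt" $(( rt * SECTOR )) "$root_mb"
    printf '%-9s %-5s %10d %10d %10d %12d %6d\n' b swap "$b_off" "$b_end" "$swp" $(( swp * SECTOR )) "$swapmb"
}

# The tutorial's own disk: 8023617 usable sectors and a 128MB swap
plan 8023617 128
```

Running plan with the tutorial's figures reproduces the offsets and sizes entered into the label editor (root at 63 for 7761473 sectors, swap at 7761536 for 262144 sectors), and the end-of-disk check catches the off-by-63 mistake of forgetting the reserved sectors.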
Setting the Hostname
Next, we're asked for our hostname. Since this will be a gateway box, type 'gateway' <ENTER> and move on to configuring the network.
Configuring the Interface(s)
At this point, we need to make sure our hardware is connected to the internet (i.e. plugged into your existing home ADSL modem/router). Once it's plugged in, hit <ENTER> when asked if we want to 'Configure the network?' and we see a list of the available interfaces. Depending upon your hardware you may have more than one. I don't; I just have 'vr0'. We'll need at least two interfaces for our gateway so I'll be adding a PCMCIA/Cardbus ethernet card later on, to be used for my second interface. For now, vr0 is the ethernet interface on my motherboard. If your ethernet controller chip is from VIA, yours will also be vr0. If it's from Realtek it'll be re0. Intel is fxp0 and Ralink is ral0. The differences in names aren't important; you just need to make sure you configure the interface that's actually connected to the internet, otherwise you'll be pulling your hair out wondering why things aren't working.
Once we've figured out which interface we want to configure, enter it at the prompt or hit <ENTER> to accept the default if that suits. Then just accept the default value for the Symbolic (host) name for the interface by hitting <ENTER>. There's no need to change the media options unless you know what you're doing. Next, accept DHCP for IPv4 configuration. We can always change this later if we have a static IP. In fact, I do, and I'll show you how when it comes to setting up the firewall. After hitting <ENTER> to accept DHCP, the installer will run dhclient and we see the familiar discover-offer-request-acknowledge DHCP magic execute on our screen. Once this has settled, the installer shows us the IPv4 address the interface has been given by the DHCP server. In my case, it's 192.168.0.3. Yours is possibly 192.168.0.2 (I've got one other machine on my network which is using 192.168.0.2). Next you'll be asked if you want to configure an IPv6 address for the interface. Unless you specifically want to use IPv6 (we don't), just hit <ENTER> to accept the default [none].
For your DNS domain name, input this if you are configuring a static IP address. If you're using DHCP then just accept the default (which was given by the DHCP server). When asked whether to use the nameserver now, say yes, and accept the default IPv4 route [dhcp]. You don't want to edit hosts with ed, and you don't want to do any manual network configuration.
Setting Root's Password
Enter your password for root. Pick a good one as a secure password for root is fundamental to good security.
Installing the Binaries
Now it's time to actually let the installer install the OpenBSD binary packages ('the sets') to our hard disk. The location of the sets is the CD so we accept the default [cd] by hitting <ENTER>. Unless you've got more than one CD/DVD drive attached to your PC you can accept the default drive [cd0]. We should now hear the drive crank up and we're prompted for the pathname to the sets. Again, accept the default [4.4/i386]. We're now presented with a list of 'sets' with an X marked in square brackets representing those to be installed. Our gateway is going to be command line only so we don't need to add anything to what the defaults are already showing us. However, we can delete the game44.tgz set as we won't be needing games on our gateway. To do this type '-game44.tgz' and press <ENTER>. We'll now see the list updated showing the game44.tgz as no longer having an 'X' marked next to it. Type 'done' and press <ENTER> and then accept the [yes] default when asked if you're ready to install the sets. The installer will now install OpenBSD to your hard drive. As we're doing a command-line-only install, it will only take a few (<5) minutes. Next, we're once again asked where the location of the sets is. This is just in case we want to install some other stuff that may be on a separate CD. This is really for advanced users who have done so many installs that they've created their own custom installs and need this functionality. We don't, so we can type 'done' and press <ENTER>.
Choosing to Autostart the SSH and NTP Daemons at Boot
We're now asked if we want to start the SSH daemon by default. Accept the default [yes] as we're going to want to have the ability to SSH into our gateway from another machine and there's really no point saying 'no' to this. Next, we're asked if we want to enable the network time protocol daemon (ntpd) by default. Here, I like to say 'yes' as I like my logs to have the correct date and time on them. Enabling any services (incl. the SSH daemon for that matter) to run by default is a security risk and you'll need to decide if the risk is worth the benefit. These prompts are just another example of OpenBSD's proactive security approach – you have to acknowledge the security risk before anything is enabled. If you've said 'yes' to the ntpd then you can accept the default NTP server unless you want to specify your own.
Saying No to X Windows
We don't expect to run the X Window System. We don't need to change the default console to com0, either.
Setting the Time Zone
Next, you'll need to specify your timezone. Mine is Europe/London but you can use '?' to list those available. If you get it wrong, don't worry, you can always change it later on.
Making the Device Nodes
The installer will now make the device nodes (the /dev/ nodes) after which you'll be congratulated and greeted by a # (root) prompt. Now, take the CD out of the optical drive.
STEP 3: Reboot
At the abovementioned # prompt, type 'reboot' and hit <ENTER> to reboot into your OpenBSD install. Congratulations, you've just installed OpenBSD.