Absolute OpenBSD
Advance Praise for Absolute OpenBSD, 2nd Edition
Dedication
About the Author
About the Technical Reviewer
Foreword
Acknowledgments
Introduction
What Is Security?
What Is BSD?
The BSD License
AT&T vs. the World
The Birth of OpenBSD
The OpenBSD Community
OpenBSD Users
OpenBSD Contributors
OpenBSD Committers
OpenBSD Coordinator
OpenBSD’s Strengths
Portability
Power
Documentation
Free
Correctness
Security
OpenBSD and Your Security
OpenBSD’s Uses
Desktop
Server
Network Management
About This Book
Contents Overview
1. Getting Additional Help
OpenBSD’s Support Model
The Code Is Fine. What’s Wrong with You?
Sources of Information
Man Pages
Manual Sections
Viewing Man Pages
Finding Man Pages
Overlapping Man Page Names
Man Page Contents
Man Pages on the Web
The OpenBSD Website
Mirrors
The OpenBSD FAQ
Non-Project Websites
OpenBSD Mailing Lists
Unofficial Mailing Lists
Read-Only Mailing Lists
Using OpenBSD Problem-Solving Resources
Using the OpenBSD Website
Using Man Pages
Using Internet Searches
Using Mailing Lists
Creating a Good Help Request
How to Be Ignored
Sending Your Email
Responding to Email
2. Installation Preparations
OpenBSD Hardware
Supported Hardware
Proprietary Hardware, Blobs, and Firmware
Processors
Memory (RAM)
Hard Drives
Virtualization
Multiple Operating Systems
Getting OpenBSD
Official CDs
Internet Downloads
Mirror Site Layout
Release Directories
Boot Media
Choosing Install Media
Local Installation Servers
File Sets
Partitioning
Standard OpenBSD Partitions
Root Partition
Swap Space
/tmp Directory
/var Partition
/usr Partition
/usr/X11R6 Partition
/usr/local Partition
/usr/src Partition
/usr/obj Partition
/home Partition
Creating Other Partitions
Partition Filesystems
Multiple Hard Drives
Understanding Partitions
MBR Partitions
Disklabel Partitions
Understanding Disklabels
Sectors and Lies
Sectors and Disklabels
Other Information
3. Installation Walk-Through
Hardware Setup
BIOS Configuration
Making Boot Media
Making Boot Floppies
Creating Floppies on Unix-like Systems
Creating Floppies on Microsoft Systems
Making Boot CDs
Installing OpenBSD
Running the Installation Program
Multiple Network Cards
Setting Up Services and the First User
Setting the Time Zone
Setting Up the Disk
Choosing File Sets
Finishing the Installation
Custom Disk Layout
Viewing Disklabels
Deleting Partitions
Erasing Existing Disklabels
Creating Disklabel Partitions
Writing the New Disklabel
Adding More Disks
Advanced Disklabel Commands
Changing Basic Drive Parameters
Modifying Existing Partitions
Entering Expert Mode
Getting More Help
4. Post-Install Setup
First Steps
Checking the System Errata
Setting the Root Password
Software Configuration
Time and Date
Setting the Time Zone
Setting the Date and Time
Setting the Time with ntpd(8)
Setting the Date Manually
Hostname
Networking
Configuring Ethernet Interfaces
Static IP Addresses
Dynamic Configuration
Setting a Default Gateway
Setting Name Service Servers
Mail Aliases and Status Mail
Keyboard Mapping
Installing Ports and Source Code
Booting to a Graphic Console
Onward!
5. The Boot Process
Power-On and the Boot Loader
Booting in Single-User Mode
Mounting Disks in Single-User Mode
Starting the Network in Single-User Mode
Booting an Alternate Kernel
Booting a Different Kernel File
Booting from an Alternate Hard Disk
Finding the Disk
Finding the Partition
Booting the Kernel
Making Boot Loader Settings Permanent
Serial Consoles
Other Platform Serial Consoles
Serial Console Physical Setup
Serial Console Configuration
Configuring the Serial Console Client
Setting Up the Serial Console
Testing the Serial Configuration
Changing the Serial Console Speed
Changing the Client Serial Port
Serial Logins
Multiuser Startup
Startup System Scripts
The /etc/rc Script
The /etc/rc.conf Script
The /etc/rc.conf.local Script
The /etc/netstart Script
The /etc/rc.securelevel Script
The /etc/rc.local Script
The /etc/rc.shutdown Script
The /etc/rc.firsttime Script
The /etc/fastboot Script
The /etc/rc.d Directory
Software Startup Scripts
Third-Party rc.d Scripts
Force-Starting Software
6. User Management
The Root Account
Adding Users
Adding Users Interactively
Configuring adduser
Creating User Accounts
Adding Users Noninteractively
Groups in Batch Mode
Passwords and Batch Mode
Other Batch Mode Options
User Account Restrictions
Removing User Accounts
Editing User Accounts
Login Classes
Login Class Definitions
Changing login.conf
Legal Values for login.conf Variables
Setting Resource Limits
Modifying the Shell Environment
Password and Login Options
Changing Authentication Methods
Using Login Classes for RADIUS Authentication
Unprivileged User Accounts
The nobody Account
_username
Creating Unprivileged Users
7. Root, and How to Avoid It
The Root Password
Using Groups
The /etc/group File
Creating Groups
Groups, Unprivileged Users, and Group Permissions
Hiding Root with sudo
Why Use sudo?
sudo Disadvantages
An Overview of the sudo Software
The visudo(8) Command
The /etc/sudoers File
Multiple Entries in a sudoers Field
Running Commands As Non-root Users
Long Lines
/etc/sudoers Aliases
User Aliases
Run as Aliases
Host Aliases
Command Aliases
Using Aliases in /etc/sudoers
Nesting Aliases
Alias Naming Conventions
Changing sudo’s Default Behavior
Overriding Defaults per Host
Overriding Defaults per User
Overriding Defaults per Command
Overriding Defaults per Run As
sudo and the Environment
Using sudo
sudo Password Caching
Running Commands Under sudo
Running Commands as Other Users
sudoedit
The Biggest sudo Mistake: Exclusions
sudo Logs
8. Disks and Filesystems
Device Nodes
Raw and Block Devices
Block Devices
Raw Devices
Choosing Your Mode
Device Attachment vs. Device Name
DUIDs and /etc/fstab
MBR Partitions and fdisk(8)
Viewing MBR Partitions
Adding and Removing Partitions
Making a Partition Bootable
Exiting fdisk
Labeling Disks
Viewing Labels
Creating Disklabel Partitions
Backing Up and Restoring Disklabels
The Fast File System
FFS Versions
Blocks, Fragments, and Inodes
Blocks
Inodes
Superblocks
Creating FFS Filesystems
FFS Mount Options
Mount Options and /etc/fstab
Read-Only Mounts
Read-Write Mounts
Synchronous Mounts
Asynchronous Mounts
Soft Update Mounts
“Don’t Track Access Time” Mounts
No Device Nodes Permitted Mount
Execution Forbidden Mounts
setuid Forbidden
Do Not Automatically Mount This Filesystem
Filesystem Integrity
Running fsck
Blindly Trusting fsck
What’s Currently Mounted?
Mounting and Unmounting Partitions
Mounting Standard Filesystems
Mounting at Nonstandard Locations
Unmounting Partitions
Mounting with Options
How Full Is That Partition?
What’s All That Stuff?
Setting $BLOCKSIZE
Adding New Hard Disks
Creating an MBR Partition
Creating a Disklabel
Moving Partitions
Adding New Filesystems
Stackable Mounts
9. More Filesystems
Backing Up to the /altroot Partition
Memory Filesystems
Creating MFS Partitions
Mounting an MFS at Boot
Foreign Filesystems
Inodes vs. Vnodes
Common Foreign Filesystems
MS-DOS
NTFS
ext2fs
CD
Foreign Filesystem Ownership
Removable Media
Mounting Filesystem Images
Attaching Vnode Devices to Disk Images
Detaching Vnode Devices from Images
Basic NFS Setup
The OpenBSD NFS Server
Exporting Filesystems
Read-Only Mounts
NFS and Users
Permitted Clients
Multiple Exports for One Partition
NFS Clients
Software RAID
RAID Types
Preparing Disks for softraid
Creating softraid Devices
softraid Status
Identifying Failed softraid Volumes
Rebuilding Failed softraid Volumes
Deleting softraid Devices
Reusing softraid Disks
Booting from a softraid Device
Encrypted Disk Partitions
Creating Encrypted Partitions
Using Encrypted Partitions
Automatic Decryption
10. Securing Your System
Who Is the Enemy?
Script Kiddies
Botnets
Disaffected Users
Skilled Attackers
OpenBSD Security Announcements
OpenBSD Memory Protection
W^X
.rodata Segments
Guard Pages
Address Space Layout Randomization
ProPolice
And More!
File Flags
File Flag Types
Setting, Viewing, and Removing File Flags
Securelevels
Setting the System Securelevel
Securelevel Definitions
Securelevel -1
Securelevel 0
Securelevel 1
Securelevel 2
What Securelevel Do You Need?
Securelevel Weaknesses
Keeping Secure
11. Overview of TCP/IP
Network Layers
The Physical Layer
The Datalink Layer
The Network Layer
The Transport Layer
Applications
The Life and Times of a Network Request
Network Stacks
IPv4 Addresses and Subnets
Calculating a Decimal IPv4 Netmask
Viewing IPv4 Addresses
Unusable IPv4 Addresses
Special IPv4 Addresses
Localhost
Private Networks
IPv4 Addressing Pitfalls
IPv6 Addresses and Subnets
IPv6 Basics
Understanding IPv6 Addresses
Viewing IPv6 Addresses
IPv6 Subnets
Special IPv6 Addresses
localhost
Link Local Addresses
Assigning IPv6 Addresses
Remedial TCP/IP
ICMP
UDP
TCP
How Protocols Fit Together
Transport Protocol Ports
Reserved Ports
Which Ports Are Open?
Using netstat
Using fstat
IP Routing
IPv4 Routed Network Example
Managing Routing with route(8)
Viewing Routes
Route Flags
Adding Routes
Deleting Routes
12. Connecting to the Network
DNS Resolution
The /etc/resolv.conf File
Default Search Domains
Using Domain and Search
Name Servers
Lookup Order
Preferred IP Protocol
The /etc/hosts File
Resolver vs. Dynamic Configuration
Ethernet
Protocol and Hardware
IPv4 and ARP
IPv6 and Neighbor Discovery
Speed and Duplex
Configuring Ethernet
Using ifconfig(8)
Adding an IP Address
Removing IP Addresses
Multiple IP Addresses on One Ethernet Card
Configuring Default Routes
Using Dynamic Configuration
Configuring the Network at Boot
Trunking
Link Aggregation Protocols
Trunk Configuration
Trunks at Boot
VLANs
Configuring Switches
Configuring VLAN Devices
Configuring VLANs at Boot
IPv6 Over Tunnels
13. Software Management
Making Software
Source Code and Software
The Ports and Packages System
Using Packages
Package Files and $PKG_PATH
Finding Packages
Finding Packages on the Command Line
Finding Packages on the Web
Installing Packages
Which Files Are Installed?
Verbose Installation
Ambiguous Packages
Identifying Where Files Originate
Uninstalling Packages
Package Limitations
Using Ports
The Ports Tree
Secondary Ports
Read-Only Ports Tree
Finding Software
The Ports Index
Finding by Keyword
Finding via SQL
Building Ports
What a Port Installation Does
Port Build Stages
The make fetch Stage
The make checksum Stage
The make prepare Stage
The make extract Stage
The make patch Stage
The make configure Stage
The make build Stage
The make fake Stage
The make package Stage
The make install Stage
The make clean Stage
Customizing Ports
Local Distfile Mirrors
Preferred Collection Mirrors
Fallback Mirrors
Primary Mirror
Flavors
Building a Flavored Port
Flavors and Dependencies
Building Multiple Flavors
Uninstalling and Reinstalling Flavored Ports
Subpackages
Packages and rc.d Scripts
14. Everything /etc
/etc Across Unix Variants
The /etc Files
/etc/adduser.conf
/etc/amd
/etc/authpf
/etc/bgpd.conf
/etc/boot.conf
/etc/changelist
/etc/chio.conf
/etc/csh.*
/etc/daily and /etc/daily.local
/etc/dhclient.conf
/etc/dhcpd.conf
/etc/disklabels/
/etc/disktab
/etc/dumpdates
/etc/dvmrpd.conf
/etc/exports
/etc/fbtab
/etc/firmware
/etc/fonts/
/etc/fstab
/etc/ftpchroot
/etc/ftpusers
/etc/gettytab
/etc/group
/etc/hostapd.conf
/etc/hostname.*
/etc/hosts
/etc/hosts.equiv
/etc/hosts.lpd
/etc/hotplug/
/etc/ifstated.conf
/etc/iked/, /etc/iked.conf, /etc/ipsec.conf, and /etc/isakmpd
/etc/inetd.conf
/etc/kbdtype
/etc/kerberosV/
/etc/ksh.kshrc
/etc/ldap/ and /etc/ldapd.conf
/etc/localtime
/etc/locate.rc
/etc/login.conf
/etc/lynx.cfg
/etc/magic
/etc/mail/
/etc/mail.rc
/etc/mailer.conf
/etc/man.conf
Adding to the Search Index
Adding to Man Page Directories
Displaying Man Pages
Defining Man Sections
/etc/master.passwd, /etc/passwd, /etc/spwd.db, and /etc/pwd.db
Editing /etc/master.passwd
Controlling Account Information Access
/etc/master.passwd Fields
/etc/mixerctl.conf
/etc/mk.conf
/etc/moduli
/etc/monthly and /etc/monthly.local
/etc/motd
/etc/mrouted.conf
/etc/mtree/
/etc/mygate
/etc/myname
/etc/netstart
/etc/networks
/etc/newsyslog.conf
/etc/nginx/
/etc/nsd.conf
/etc/ntpd.conf
/etc/ospf6d.conf and /etc/ospfd.conf
/etc/pf.conf and /etc/pf.os
/etc/ppp/
/etc/printcap
/etc/protocols
/etc/rbootd.conf
/etc/rc.*
/etc/relayd.conf
/etc/remote
/etc/resolv.conf and /etc/resolv.conf.tail
/etc/ripd.conf
/etc/rmt
/etc/rpc
/etc/sasyncd.conf
/etc/sensorsd.conf
/etc/services
/etc/shells
/etc/skel/
/etc/sliphome/
/etc/snmpd.conf
/etc/ssh/
/etc/ssl/
/etc/sudoers
/etc/sysctl.conf
/etc/syslog.conf
/etc/systrace/
/etc/termcap
/etc/ttys
Terminal Types
Configuring Terminals
Making /etc/ttys Changes Take Effect
/etc/weekly and /etc/weekly.local
/etc/wsconsctl.conf
/etc/X11
/etc/ypldap.conf
15. System Maintenance
Scheduled Tasks
Daily Maintenance
Security Checks
Vital File Backup and Testing
Adding Vital Files
Filesystem Integrity Checks
Copying Files with rdist
Silencing /etc/daily
Weekly Maintenance
Monthly Maintenance
Custom Maintenance Scripts
System Logs
Facilities
Priority
Sorting Messages via syslogd(8)
Wildcards
Excluding Information
Combining Facilities
Marking Time
Local Facilities
Selecting by Program Name
Log Actions
Logging to Files
Logging to a Program
Notifying Users
Logging to a Remote Host
Customizing syslogd
Adding Extra Log Sockets
Listening to the Network
Syslog and Embedded Systems
Log File Maintenance
newsyslog.conf Fields
Log File
Owner
Permissions
Count
Size
Time
Flags
Monitoring Logs
Adding a PID File
Signal Name
Command to Execute
System Time
Configuring ntpd(8)
Time Redundancy
Time Sources
Serving Time
Using ntpd(8)
Hardware Sensors
Device Drivers
Sensor Configuration
Sensor Types
Settings in sensorsd.conf
Sensors Triggering Action
16. Network Servers
The inetd Small-Server Handler
Configuring inetd
Restricting Incoming Connections
The lpd Printing Daemon
The DHCP Server dhcpd
How DHCP Works
Configuring dhcpd(8)
Static IP Address Assignments
Enabling dhcpd
dhcpd and Firewalls
The TFTP Daemon tftpd
Specifying a tftpd Directory
tftpd and Files
tftpd Logging
Testing the TFTP Server
The SNMP Agent snmpd
SNMP MIBs
MIB References
MIB Definitions
SNMP Security
Configuring snmpd
Debugging snmpd
Getting snmpd Information
The PF SNMP MIB
Sensors
Interface Memory
CARP
Other MIBs
The SSH Server sshd
Disabling sshd
SSH Host Keys
sshd Network Options
chrooting Users
Choosing the Directory
Populating the chroot
chrooting Specific Users
17. Desktop OpenBSD
Configuring Your Console with wscons
Screen Blanking
Setting wscons Variables at Boot
Running Virtual Terminals with tmux
The tmux Status Bar and Window Names
tmux Commands and Window Management
Changing the Current Window
Renaming Windows
Terminating Windows
Getting Online Help
Disconnecting, Reconnecting, and Managing Sessions
Using tmux Commands
Setting tmux Options
Configuring tmux
Setting Up X
Configuring X
Starting X Manually
Booting into X
Emulating a Three-Button Mouse
Using the cwm Window Manager
Configuring cwm
Modifier Keys
Choosing a New Window Manager
Binding a Key Sequence to a Command
Creating cwm Windows
Managing Windows
Locking the Screen
Connecting to Other Machines with SSH
Creating an Application Menu
Using Keyboard Navigation
Decorating cwm
Unmapping and Remapping Keys
18. Kernel Configuration
What Is the Kernel?
Kernel Messages
Startup Messages
Device Attachments
Connections and Numbering
Using dmassage to View Installed Devices
Viewing and Adjusting Sysctls
Sysctl MIBs
Viewing Sysctls
Changing Sysctl Values
Types of Sysctl Values
Numerical Sysctls
Word Sysctls
Table Sysctls
Setting Sysctls at Boot
Altering the Kernel with config(8)
Making a Backup of the Default Kernel
Device Drivers and the Kernel
Enabling Drivers
Editing the Kernel with config
Using the help and list Commands
Finding and Enabling Devices
Changing Kernel Constants
Completing Configuration
Installing Your Edited Kernel
Boot-Time Kernel Configuration
19. Building Custom Kernels
Kernel Cautions
Don’t Build Custom Kernels
Why Build Custom Kernels?
Problems Building Custom Kernels
Problems Running Custom Kernels
Preparing for Kernel Customization
Kernel Configuration
Configuration Entries
Options
Device Drivers
Pseudo-Devices
Keywords
Configuring GENERIC
Machine-Independent Configuration
Machine-Dependent Configuration
Your Kernel Configuration
Minor Changes
Removing Options
Removing Devices
Wholesale Butchery
Stripping Down the Kernel
Gutting the Kernel
Testing Your Kernel Configuration with config(8)
Orphaned Devices
Bogus Hardware
Building a Kernel
Kernel Build Errors
Installing Your Kernel
Identifying the Running Kernel
20. Upgrading
Why Upgrade?
OpenBSD Versions
OpenBSD-current
OpenBSD Snapshots
OpenBSD Releases
OpenBSD-stable
Which Version Should You Use?
The OpenBSD Upgrade Process
Following the Upgrade Guide
Install Programs
Remove Programs and Files
Prepare Package Upgrades
System Configuration
Customizing Upgrades
Upgrading from Official Media
Upgrading Over the Network
Choosing File Sets
Updating /etc
Mounting Filesystems
Using sysmerge(8) to Compare /etc Files
Easy sysmerge Updates
sysmerge and Edited Files
Finishing sysmerge
Updating Installed Packages
Updating the Package Repository
Using the Upgrade Command
Package Options
Package Messages
Why Build Your Own OpenBSD?
Preparations for Building Your Own OpenBSD
Preparing the Base Operating System
Getting Source Code
Updating Source Code
Source Code Repositories and Tags
CVS Mirrors
Updating to -stable
Updating to -current
Building OpenBSD-stable
Upgrading the Kernel
Building the Userland
Building Xenocara
Building a Release
Bundling the Base System
Bundling Xenocara
Indexing the Release
Using the Release
Building OpenBSD-current
Following -current
Merging /etc
Upgrading Ports
21. Packet Filtering
Firewalls
Enabling and Configuring PF
Packet-Filtering Basics
Packet-Filtering Concepts
Stateful Inspection
Packet Reassembly
Default Accept vs. Default Deny
“My Network Can Do No Wrong”
What Packet Filtering Doesn’t Do
PF Components
Packet Filter Control and Configuration
Interface Groups
PF Configuration
Filtering Rules
Default Permit or Default Deny
Packet Pattern Matching
Direction
Interface Matching
Address Families
Network Protocol
Source and Destination Address
Source and Destination Variants
Interface Main Address
Source and Destination Port
A Complete Ruleset
Activating Rules
Viewing Active Rules
Filtering Rules and the State Table
TCP States
UDP States
ICMP States
Packet Filtering with Lists and Macros
Using Lists
Using Macros
A Common Error: List Exclusions and Negations
Sanitizing Traffic
Illegal Packets
Packet Reassembly
Packet Modification
Blocking Spoofed Packets
PF Options
The set block-policy Option
The set limit Option
frags Limit
The src-nodes Limit
The states Limit
The tables and table-entries Limits
Setting Limits
The set optimization Option
The set skip Option
22. Advanced PF
Packet Filtering with Tables
Defining Tables
Using Tables
Viewing Tables
Searching Tables
Changing Tables
Tables and Automation
Using NAT
Private NAT Addresses
Configuring NAT
How NAT Works
Multiple or Specific Public Addresses
Bidirectional NAT
Bidirectional NAT and Security
Packet Filtering, Bidirectional NAT, and Rule Order
Redirection
Multiple Addresses and Interface Groups
Port Manipulation and Ranges
Transparent Interception
Anchors
Adding Rules to Anchors
Anchor Rules from Files
Anchor Rules in pf.conf
Anchor Rules via pfctl
Viewing and Flushing Anchors
Conditional Filtering
Nested Anchors: /*
FTP and PF
Configuring ftp-proxy(8)
PF Configuration and the FTP Proxy
Bandwidth Management
Queues for Bandwidth Management
Parent Queue Definitions
Child Queue Definitions
Queue Options
Default
Random Early Detection
Explicit Congestion Notification
borrow
A CBQ Ruleset
Assigning Traffic to Queues
Using the match Keyword
Viewing Queues
PF Edges
Using Include Files
Skipping Matches with quick
Logging PF
Reading PF Logs
Real-Time Log Access
Filtering tcpdump
Ruleset Tracing
23. Customizing OpenBSD
Virtualizing OpenBSD
Diskless Installation
Diskless Hardware
DHCP Server Setup
Per-Host or Per-Network Configuration
Per-Network Configuration
Per-Machine Configuration
TFTP Server Setup
Completing Diskless Installation
Running Diskless
Using rarpd(8) for Reverse ARP
Running bootparamd(8)
Setting Up the NFS Root Directory
Exporting the Root Directory
Populating the Diskless Userland
Power On!
USB Installation Media
Using a Virtual Machine
Running a Diskless Installation
Converting ISO Images
Customizing OpenBSD Installations
Custom File Sets
Post-Install Shell Scripts
Customizing Upgrades
A. Afterword
Index
About the Author
Copyright