Soekris 5501 Revisited: OpenBSD4.4

Jurjen Bokma

December 2008


I reinstall the Soekris 5501 done in , this time with a newer version of OpenBSD, 4.4, and a different partitioning, to this effect:

df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      148M   29.7M    110M    21%    /
/dev/wd0e      123M    2.0K    117M     0%    /home
/dev/wd0d      984M    382M    553M    41%    /usr
/dev/wd0f      2.3G    2.9M    2.1G     0%    /var

We pick up the routine at the and replace it here...

  1. Edit /etc/fstab to contain:

    /dev/wd0a / ffs rw 1 1
    /dev/wd0e /home ffs rw,nodev,nosuid 1 2
    /dev/wd0d /usr ffs rw,nodev 1 2
    /dev/wd0f /var ffs rw,nodev,nosuid 1 2
    swap /tmp mfs -s=128000,rw,nodev,nosuid 0 0

    Now say mount -a. The command df -h should now give something along the lines of:

    # df -h
    Filesystem     Size    Used   Avail Capacity  Mounted on
    /dev/wd0a      148M   29.7M    110M    21%    /
    /dev/wd0e      123M    2.0K    117M     0%    /home
    /dev/wd0d      984M    382M    553M    41%    /usr
    /dev/wd0f      2.3G    2.9M    2.1G     0%    /var
    mfs:2675      60.5M    1.0K   57.4M     0%    /tmp

  2. adduser username

  3. visudo

    <snip>
    Defaults !lecture,!insults
    username ALL=(ALL) SETENV: ALL

  4. Put in ~/.profile a stanza:

    PKG_PATH=ftp://osis.service.rug.nl/pub/os/bsd/openbsd/4.4/packages/i386/
    export PKG_PATH

    and re-source the profile: . ~/.profile

  5. /etc/hostname.vr0:

    dhcp NONE NONE NONE

    /etc/hostname.vr1:

    dhcp NONE NONE NONE

    /etc/hostname.vr2:

    inet 10.0.30.1 255.255.255.0 NONE

    /etc/hostname.vr3:

    inet 10.0.14.1 255.255.255.0 NONE

  6. In /etc/ssh/sshd_config add some lines:

    ListenAddress 192.168.5.4
    ListenAddress 10.0.5.1

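The point of the layout in step 1 is that every user-writable filesystem carries nodev and nosuid. As an added example, not part of the original notes, here is a small sh audit that reads an fstab and reports any mount point that lacks the options the layout asks for; the function names, the policy table and the sample fstab it writes are this example's own constructions:

```shell
#!/bin/sh
# Added example (not from the original notes): check an fstab for the nodev /
# nosuid options the partitioning in step 1 relies on. Function names and the
# policy table are hypothetical choices made for this example.

# has_opt OPTS NAME: true if NAME appears in the comma-separated OPTS field
# (the mfs line "-s=128000,rw,nodev,nosuid" is handled like any other).
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# required_opts MOUNTPOINT: the options that mount point must carry.
# Mirrors the layout above: user-writable filesystems get nodev and nosuid,
# /usr gets nodev, everything else is left to the administrator.
required_opts() {
    case "$1" in
        /home|/var|/tmp) echo "nodev nosuid" ;;
        /usr)            echo "nodev" ;;
        *)               echo "" ;;
    esac
}

# audit_fstab FILE: print one line per missing option and return the number of
# findings (0 means every listed filesystem carries what the policy asks for).
audit_fstab() {
    findings=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        for want in $(required_opts "$mnt"); do
            if ! has_opt "$opts" "$want"; then
                echo "$mnt ($dev): missing $want"
                findings=$((findings + 1))
            fi
        done
    done < "$1"
    return "$findings"
}

# write_sample_fstab FILE: a constructed fstab in the shape of the one above,
# with one deliberately weakened line (/home without nosuid) so the report
# has something to show. Not a real system's fstab.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system's fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0e /home ffs rw,nodev 1 2
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev,nosuid 1 2
swap /tmp mfs -s=128000,rw,nodev,nosuid 0 0
EOF
}

# Usage on the running system: audit_fstab /etc/fstab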
Procedure 52.  Enable the DHCP daemon
  1. scp root@buildbox:/root/dhcp-4.1.0-compiled.tgz ./
    tar zxvf dhcp-4.1.0-compiled.tgz
    sudo su -
    ln -s /home/ordinaryuser/dhcp-4.1.0 ./
    cd dhcp-4.1.0
    make install

    Warning: As before, the path from where make install is run on the target machine must be identical to the path where make is run on the build machine.

  2. Steal or create a suitable DHCP config, create the leases database, and start the daemon, running in the foreground, logging to stdout, with config in /etc/dhcp3/dhcpd.conf, and listening on (e.g.) vr0:

    touch /var/db/dhcpd.leases
    dhcpd -f -d -cf /etc/dhcp3/dhcpd.conf if0 if1 etc.


  3. # create a directory for vnode disks and a mount point for the DHCP vnode disk
    sudo mkdir -p /var/fs /var/
    # create a 16MB file to form the DHCP vnode disk
    sudo dd if=/dev/zero of=/var/fs/dhcpdfs bs=1024 count=16310
    # associate the (existing) special device /dev/svnd0c with the file /var/fs/dhcpdfs
    sudo vnconfig -c -v /dev/svnd0c /var/fs/dhcpdfs
    # put a filesystem on the _raw_ device
    sudo newfs /dev/rsvnd0c
    # mount the block device on the directory
    sudo mount -o rw,softdep,nosuid /dev/svnd0c /var/dhcpd/

    # create the necessary directories in the chroot jail
    sudo mkdir -p /var/dhcpd/dev /var/dhcpd/etc /var/dhcpd/var/run /var/dhcpd/var/db
    # put proper ownership and permissions on the dirs
    sudo chgrp _dhcp /var/dhcpd/var/run /var/dhcpd/var/db/
    sudo chmod 0775 /var/dhcpd/var/run/ /var/dhcpd/var/db

    # Put the lease file in the jail and link it back to the real world
    sudo touch  /var/dhcpd/var/db/dhcpd.leases
    sudo chown _dhcp /var/dhcpd/var/db/dhcpd.leases
    sudo chmod 0755 /var/dhcpd/var/db/dhcpd.leases
    sudo ln -sf /var/dhcpd/var/db/dhcpd.leases /var/db/dhcpd.leases

    # create the BPF devices that dhcpd (well, at least the OpenBSD patched version) opens
    # create one node for each shared-network statement in the dhcpd.conf;
    # each node needs its own name and its own minor number
    BPFMAJ="`ls -l /dev/bpf0 | awk '{ print $5; }' | sed -e 's/,//g'`"
    export BPFMAJ
    cd /var/dhcpd/dev
    sudo mknod -m 0600 bpf0 c $BPFMAJ 0
    sudo mknod -m 0600 bpf1 c $BPFMAJ 1
    sudo mknod -m 0600 bpf2 c $BPFMAJ 2
    sudo mknod -m 0600 bpf3 c $BPFMAJ 3
    sudo mknod -m 0600 bpf4 c $BPFMAJ 4
    sudo mknod -m 0600 bpf5 c $BPFMAJ 5

    # move the dhcpd.conf to the jail, and link back to it from the real world
    sudo mv /etc/dhcpd.conf /etc/dhcpd.conf.starters
    sudo cp /etc/dhcpd.conf.starters /var/dhcpd/etc/dhcpd.conf
    sudo ln -s /var/dhcpd/etc/dhcpd.conf /etc/dhcpd.conf

  4. sudo /usr/sbin/dhcpd -f -d -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd vr2 vr3 sis0 sis1

  5. Put the following sections in their respective files:

    /etc/rc.local:

    # no use even starting if executable missing or flags not set
    # (the flags live in dhcpdv3_flags, set in /etc/rc.conf.local, so that the
    # stock /etc/rc, which keys on dhcpd_flags, does not start a second daemon)
    if [ -x /usr/sbin/dhcpd -a -n "${dhcpdv3_flags}" -a "X${dhcpdv3_flags}" != X"NO" ]; then
        # if there is a jail, use it
        if [ -f /var/fs/dhcpdfs ] ; then
            if vnconfig -c /dev/svnd0c /var/fs/dhcpdfs ; then
                if fsck -p /dev/svnd0c ; then
                    if mount -o rw,softdep,nosuid /dev/svnd0c /var/dhcpd ; then
                        if [ "X${dhcpdv3_leases}" != "X" ]; then
                            touch "${dhcpdv3_leases}"
                        else
                            touch /var/db/dhcpd.leases
                        fi

                        # interface list, one per line, trailing comments stripped
                        if [ -f /etc/dhcpd.interfaces ]; then
                            dhcpd_ifs=`awk -F\# '{ print $1; }' < /etc/dhcpd.interfaces`
                        fi

                        echo -n ' dhcpd (v4.1)(chrooted)';
                        /usr/sbin/dhcpd ${dhcpdv3_flags} ${dhcpd_ifs}
                    fi
                fi
            fi
        else
            if [ "X${dhcpdv3_leases}" != "X" ]; then
                touch "${dhcpdv3_leases}"
            else
                touch /var/db/dhcpd.leases
            fi

            if [ -f /etc/dhcpd.interfaces ]; then
                dhcpd_ifs=`awk -F\# '{ print $1; }' < /etc/dhcpd.interfaces`
            fi

            # same binary as the one tested for above
            echo -n ' dhcpd (v4.1)(not chrooted)';
            /usr/sbin/dhcpd ${dhcpdv3_flags} ${dhcpd_ifs}
        fi
    else
        echo "not starting DHCP daemon: executable missing or no parameters set"
    fi

    /etc/rc.conf.local:

    dhcpdv3_flags="-cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q"
    dhcpdv3_leases="/var/dhcpd/var/db/dhcpd.leases"

    /etc/dhcpd.interfaces:

    vr2
    vr3
    sis0
    sis1

  6. ps axu|grep dhcpd

    _dhcp    23450  0.0  0.2  2696   976 ??  Is     4:35PM    0:00.01 /usr/sbin/dhcpd -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q vr2 vr
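
The jail built in step 3 is easy to get subtly wrong: the same node name typed for several minor numbers, or a symlink from /etc or /var/db that still points at the old file outside the jail. Here is an added sh example, not part of the original notes, that derives the bpf major number the way step 3 does, prints the mknod commands with one distinct name and minor per node so they can be reviewed (or piped to sh) before anything is created, and checks a finished jail for the directories, files and symlinks the daemon needs. All function names are hypothetical; the check tests the bpf nodes with -e rather than -c so it can also be run against a staging copy of the tree:

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for the bpf nodes and a
# sanity check of the dhcpd chroot jail from step 3. Names are hypothetical.

# bpf_major_from_ls "LS_LINE": extract the major device number from one
# `ls -l /dev/bpfN` line, e.g. "crw-------  1 root  wheel   23,   0 ...".
bpf_major_from_ls() {
    printf '%s\n' "$1" | awk '{ sub(/,$/, "", $5); print $5 }'
}

# bpf_mknod_cmds JAIL MAJOR COUNT: print the mknod commands for bpf0 up to
# bpf(COUNT-1) under JAIL/dev, each with its own name and minor number.
# Printing instead of running lets the list be reviewed and tested offline;
# run it with:  bpf_mknod_cmds /var/dhcpd "$BPFMAJ" 6 | sudo sh
bpf_mknod_cmds() {
    jail=$1; major=$2; count=$3; i=0
    while [ "$i" -lt "$count" ]; do
        echo "mknod -m 0600 $jail/dev/bpf$i c $major $i"
        i=$((i + 1))
    done
}

# check_dhcpd_jail JAIL NBPF LEASES_LINK CONF_LINK: report what is missing in
# the jail and return the number of problems found (0 = ready to start).
check_dhcpd_jail() {
    jail=$1; nbpf=$2; leases_link=$3; conf_link=$4; problems=0
    for d in dev etc var/run var/db; do
        [ -d "$jail/$d" ] || { echo "missing directory $jail/$d"; problems=$((problems + 1)); }
    done
    i=0
    while [ "$i" -lt "$nbpf" ]; do
        # -c would also insist on a character device; -e keeps this usable on a staging copy
        [ -e "$jail/dev/bpf$i" ] || { echo "missing $jail/dev/bpf$i"; problems=$((problems + 1)); }
        i=$((i + 1))
    done
    [ -f "$jail/etc/dhcpd.conf" ] || { echo "missing $jail/etc/dhcpd.conf"; problems=$((problems + 1)); }
    [ -f "$jail/var/db/dhcpd.leases" ] || { echo "missing $jail/var/db/dhcpd.leases"; problems=$((problems + 1)); }
    # the files the rest of the system sees must be the jail's copies, not stale originals
    for link in "$leases_link" "$conf_link"; do
        target=$(readlink "$link" 2>/dev/null) || target=""
        case "$target" in
            "$jail"/*) ;;
            *) echo "$link does not point into $jail"; problems=$((problems + 1)) ;;
        esac
    done
    echo "$problems problem(s)"
    return "$problems"
}

# On the router itself, after step 3:
#   check_dhcpd_jail /var/dhcpd 6 /var/db/dhcpd.leases /etc/dhcpd.conf
```

The node count passed to both helpers is the number of shared-network statements in dhcpd.conf, which is what the daemon opens one bpf device for; the check deliberately counts from bpf0, so the copy-and-paste slip of naming every node bpf1 shows up as a run of missing nodes rather than going unnoticed until the daemon fails to bind an interface.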

Procedure 53.  Enabling BIND
  1. Put in /etc/rc.conf.local:

    named_flags='-4'

  2. Edit /var/named/etc/named.conf to your tastes.

Procedure 54.  Enabling PF (and having it do something useful)
  1. Enable PF: pfctl -ef /etc/pf.conf

    To enable it from boot, in /etc/rc.conf.local, put:

    pf=YES
    pf_rules=/etc/pf.conf

  2. In /etc/sysctl.conf uncomment:

    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
    net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets

  3. In /etc/inetd.conf, uncomment or add:

    #127.0.0.1/6969  dgram   tcp     wait    root    /usr/libexec/tftp-proxy tftp-proxy -v
    127.0.0.1/6969  dgram   udp     wait    root    /usr/libexec/tftp-proxy tftp-proxy -v

    in /etc/pf.conf:

    # NAT
    nat on $wan_if from $datanet to any -> ($wan_if:0)
    no nat on $wan_if to port tftp
    nat-anchor "tftp-proxy/*"
    rdr-anchor "tftp-proxy/*"
    rdr on $datanet_if proto udp from $datanet to any port tftp -> 127.0.0.1 port 6969

    # for now
    pass all

    #
    anchor "tftp-proxy/*"

    Note: At this point, tftp from $datanet will work, but only if we have proper routing, which means a default route must be added by hand, since the router is acting as the DHCP server already, and doesn't use DHCP on the WAN interface yet. This will be corrected later on, when the $wan_if uses DHCP and adds a default route when it comes up.