Soekris 5501 Revisited: OpenBSD4.4
Prev Part IX.  OpenBSD  Next

Soekris 5501 Revisited: OpenBSD4.4

Jurjen Bokma

December 2008

I reinstall the Soekris 5501 done in Conference under Docker, this time with different partitioning, and a newer version of OpenBSD: 4.4. This time, we partition differently, to this effect:

df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      148M   29.7M    110M    21%    /
/dev/wd0e      123M    2.0K    117M     0%    /home
/dev/wd0d      984M    382M    553M    41%    /usr
/dev/wd0f      2.3G    2.9M    2.1G     0%    /var

We pick up the routine at the Conference under Docker and replace it here...

  1. Edit /etc/fstab to contain: 

    /dev/wd0a / ffs rw 1 1
/dev/wd0e /home ffs rw,nodev,nosuid 1 2
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev,nosuid 1 2
swap /tmp mfs -s=128000,rw,nodev,nosuid 0 0

    Now say mount -a. The command df -h should now give something along the lines of:

    # df -h
    Filesystem     Size    Used   Avail Capacity  Mounted on
    /dev/wd0a      148M   29.7M    110M    21%    /
    /dev/wd0e      123M    2.0K    117M     0%    /home
    /dev/wd0d      984M    382M    553M    41%    /usr
    /dev/wd0f      2.3G    2.9M    2.1G     0%    /var
    mfs:2675      60.5M    1.0K   57.4M     0%    /tmp

  2. adduser username

  3. visudo 

    <snip>
Defaults !lecture,!insults
username ALL=(ALL) SETENV: ALL

  4. Put in ~/.profile a stanza: 

    PKG_PATH=ftp://osis.service.rug.nl/pub/os/bsd/openbsd/4.4/packages/i386/
export PKG_PATH

    and resource the profile: . ~/.profile


  5. pkg_add isc-dhcp-server-3.1.0
    pkg_add syslog-ng

  6. /etc/hostname.vr0: 

    dhcp NONE NONE NONE

    /etc/hostname.vr1: 

    dhcp NONE NONE NONE

    /etc/hostname.vr2 

    inet 10.0.30.1 255.255.255.0 NONE

    /etc/hostname.vr3 

    inet 10.0.14.1 255.255.255.0 NONE

  7. In /etc/ssh/sshd_config add some lines: 

    ListenAddress 192.168.5.4
ListenAddress 10.0.5.1

Procedure 58.  Enable the DHCP daemon

  2. scp root@buildbox:/root/dhcp-4.1.0-compiled.tgz ./
    tar zxvf dhcp-4.1.0-compiled.tgz
    sudo su -
    ln -s /home/ordinaryuser/dhcp-4.1.0 ./
    cd dhcp-4.1.0
    make install

    [Warning]Warning

    As before, the path from where make install is run on the target machine must be identical to the path where make is run on the build machine.

  3. Steal or create a suitable DHCP config, create the leases database, and start the daemon, running in the foreground, logging to stdout, with config in /etc/dhcp3/dhcpd.conf, and listening on (e.g.) vr0:

    touch /var/db/dhcpd.leases
    dhcpd -f -d -cf /etc/dhcp3/dhcpd.conf if0 if1 etc.


  4. # create a directory for vnode disks and a mount point for the DHCP vnode disk
    sudo mkdir -p /var/fs /var/
    # create a 16MB file to form the DHCP vnode disk
    sudo dd if=/dev/zero of=/var/fs/dhcpdfs bs=1024 count=16310
    # associate the (existing) special device /dev/vnd0c with the file /var/fs/dhcpdfs
    sudo vnconfig -c -v /dev/svnd0c /var/fs/dhcpdfs
    # put a filesystem on the _raw_ device
    sudo newfs /dev/rsvnd0c
    # mount the block device on the directory
    sudo mount -o rw,softdep,nosuid /dev/svnd0c /var/dhcpd/

    # create the necessary directories in the chroot jail
    sudo mkdir -p /var/dhcpd/dev /var/dhcpd/etc /var/dhcpd/var/run /var/dhcpd/var/db
    # put proper ownership and permissions on the dirs
    sudo chgrp _dhcp /var/dhcpd/var/run /var/dhcpd/var/db/
    sudo chmod 0775 /var/dhcpd/var/run/ /var/dhcpd/var/db

    # Put the lease file in the jail and link it back to the real world
    sudo touch  /var/dhcpd/var/db/dhcpd.leases
    sudo chown _dhcp /var/dhcpd/var/db/dhcpd.leases
    sudo chmod 0755 /var/dhcpd/var/db/dhcpd.leases
    sudo ln -sf /var/dhcpd/var/db/dhcpd.leases /var/db/dhcpd.leases

    # create PF interface devices that dhcpd (well, at least the OpenBSD patched version) uses
    # create one interface for each shared-network statement in the dhcpd.conf
    BPFMAJ="`ls -l /dev/bpf0 | awk '{ print $5; }' | sed -e 's/,//g'`"
    export BPFMAJ
    cd /var/dhcpd/dev
    sudo mknod -m 0600 bpf0 c $BPFMAJ 0
    sudo mknod -m 0600 bpf1 c $BPFMAJ 1
    sudo mknod -m 0600 bpf1 c $BPFMAJ 2
    sudo mknod -m 0600 bpf1 c $BPFMAJ 3
    sudo mknod -m 0600 bpf1 c $BPFMAJ 4
    sudo mknod -m 0600 bpf1 c $BPFMAJ 5

    # move the dhcpd.conf to the jail, and link back to it from the real world
    sudo mv /etc/dhcpd.conf /etc/dhcpd.conf.starters
    sudo cp /etc/dhcpd.conf.starters /var/dhcpd/etc/dhcpd.conf
    sudo ln -s /var/dhcpd/etc/dhcpd.conf /etc/dhcpd.conf

  5. sudo /usr/sbin/dhcpd -f -d -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd vr2 vr3 sis0 sis1\

  6. Put the following sections in their respective files:

    /etc/rc.local: 

    # no use even starting if executable missing or flags not set
if [ -x /usr/sbin/dhcpd -a "X${dhcpd_flags}" != X"NO" ]; then
    # if there is a jail, use it
    if [ -f /var/fs/dhcpdfs ] ; then
        if vnconfig -c /dev/svnd0c /var/fs/dhcpdfs ; then
            if fsck -p /dev/svnd0c ; then
                if mount -o rw,softdep,nosuid /dev/svnd0c /var/dhcpd ; then
                    if [ "X${dhcpd_leases}" != "X" ]; then
                        touch "${dhcpd_leases}"
                    else
                        touch /var/db/dhcpd.leases
                    fi

                    if [ -f /etc/dhcpd.interfaces ]; then
                        dhcpd_ifs=`awk -F\# '{ print $1; }' < /etc/dhcpd.interfaces`
                    fi

                    echo -n ' dhcpd (v4.1)(chrooted)';
                    /usr/sbin/dhcpd ${dhcpd_flags} ${dhcpd_ifs}
                fi
            fi
        fi
    else
        if [ "X${dhcpd_leases}" != "X" ]; then
            touch "${dhcpd_leases}"
        else
            touch /var/db/dhcpd.leases
        fi

        if [ -f /etc/dhcpd.interfaces ]; then
            dhcpd_ifs=`awk -F\# '{ print $1; }' < /etc/dhcpd.interfaces`
        fi

        echo -n ' dhcpd (v4.1)(not chrooted)';
        /usr/local/sbin/dhcpd ${dhcpd_flags} ${dhcpd_ifs}
    fi
else
    echo "not starting DHCP daemon: executable missing or no parameters set"
fi

    /etc/rc.conf.local: 

    dhcpdv3_flags="-cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q"
dhcpdv3_leases="/var/dhcpd/var/db/dhcpd.leases"

    /etc/dhcpd.interfaces: 

    vr2
vr3
sis0
sis1

  7. ps axu|grep dhcpd

    _dhcp    23450  0.0  0.2  2696   976 ??  Is     4:35PM    0:00.01 /usr/sbin/dhcpd -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q vr2 vr

Procedure 59.  Enabling BIND

  1. Put in /etc/rc.conf.local: 

    named_flags='-4'

  2. Edit /var/named/etc/named.conf to your tastes.

Procedure 60.  Enabling PF (and having it do something useful)

  1. Enable PF: pfctl -ef /etc/pf.conf

    To enable it from boot, in /etc/rc.conf.local, put: 

    pf=YES
pf_rules=/etc/pf.conf

  2. In /etc/sysctl.conf uncomment: 

    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets

  3. In /etc/inetd.conf, uncomment or add: 

    #127.0.0.1/6969  dgram   tcp     wait    root    /usr/libexec/tftp-proxy tftp-proxy -v
127.0.0.1/6969  dgram   udp     wait    root    /usr/libexec/tftp-proxy tftp-proxy -v

    in /etc/pf.conf: 

    # NAT
nat on $wan_if from $datanet to any -> ($wan_if:0)
no nat on $wan_if to port tftp
nat-anchor "tftp-proxy/*"
rdr-anchor "tftp-proxy/*"
rdr on $datanet_if proto udp from $datanet to any port tftp -> 127.0.0.1 port 6969

# for now
pass all

#
anchor "tftp-proxy/*"

    [Note]Note

    At this point, tftp from $datanet will work, but only if we have proper routing, which means a default route must be added by hand, since the router is acting as the DHCP server already, and doesn't use DHCP on the WAN interface yet. This will be corrected later on, when the $wan_if uses DHCP and adds a default route when it comes up.