The primary purpose of this is to get OpenBSD installed. Really, this is much more straightforward than it used to be. Our install will focus on getting a transparent firewall ready, and the decisions that we make will be with that in mind. I know that I said that the install process has been made easier, but it still is fairly complicated, especially if you are not used to it. I will walk you through all the responses that you need. To build an OpenBSD transparent firewall you will need the following:
- Internet Access - to read this guide!
- A computer to dedicate to it
- At least 2 Ethernet interfaces, 3 preferred.
- CD Burner and blank CD
First you need to get OpenBSD. In all likelihood you will want the i386 flavor of the latest version, which at the time of writing is 4.7. Download the install47.iso and burn it to your CD. Excellent, you now have the media you need.
Next, put in the CD and boot to it. It doesn’t particularly matter if you have wiped your hard drive beforehand; the install process will certainly do some of that for you. The first thing you are prompted with, after the screen scrolls by as it detects your hardware, is this, with your response shown after each prompt:
(I)nstall, (U)pgrade or (S)hell? I
Choose your keyboard layout: [Enter]
System hostname? (short form, e.g. foo) awesome_fw
All of these are fairly self-explanatory. You can name your system whatever you want, I certainly won’t stop you. Now we get to some more critical stuff: networking. I am going to assume that you have 3 interfaces, as this works best if you do. If you don’t, don’t sweat it! Just substitute the name of one of your interfaces here, and I will tell you when you will need to make other adjustments later in the guide. My interfaces will be named vr0, vr1, and vr2. I plan on making vr0 and vr1 into a bridge (later), with vr2 as a management interface. So I configure it now like this. Please configure at least one of your interfaces at this point, using these steps, even if you only have 2! We will change its configuration later. You need to do this in order to have access to the Internet and install some extra packages later.
Available network interfaces are: vr0 vr1 vr2
Which one would you like to configure? [vr0] vr2
IPv4 address for vr2? (or 'dhcp' or 'none') [dhcp] dhcp
We have now told OpenBSD to configure the interface using DHCP. I chose this because it is the case for the vast majority of people. Obviously, if your network doesn’t support DHCP (you will probably know this), then enter the IP you wish to use. There should be some text scrolling to the effect that there was an offer of an address which the dhclient accepted. Now it will ask you about IPv6, which has been supported for a while in OpenBSD. Just answer none.
IPv6 address for [vr2] (or 'rtsol' or 'none') [none] none
Now it will ask if you want to configure any other interfaces. We don’t at this point.
Available network interfaces are: vr0 vr1 vr2
Which one would you like to configure? done...
Do you want to do any manual network configuration? [no] no
Now we are through for the moment with networking. It is time to set up your root account. Remember, do not forget this password, it is your link to the computer! Enter it at the following prompt, keeping in mind that the entry will not be visible on the screen:
Password for root account? (will not echo) s3curem3!
Please don’t use that password. It will ask you to repeat it, to ensure that there is no mistake. After that it will want to know if you want to start a few services by default. Since I am planning to manage this headless (without a monitor) via ssh, I answer yes to the first, and no to the second. We certainly don’t need X-Windows, not with Command-Fu at our disposal!
Start sshd(8) by default? [yes] yes
Start ntpd(8) by default? [no] no
Do you expect to run the X Window System? [yes] no
Now let's follow the prompts to set up a user. Enter your own information here; I provide answers only as a template:
Setup a user? (enter a lower-case login name, or 'no') [no] bob
Full user name for bob? [bob] Enter
Password for bob account? (will not echo) S{_}p3Rbob
Password for bob account? (again)
Since you set up a user, disable sshd(8) logins to root? [yes] yes
And with that we have set up our new user, and disabled root logins via ssh. I am so happy. Now there is a quick question about your timezone. Mine is US/Central, but you may have to hit the ? to get yours:
What timezone are you in? (? for list) [US/Central] US/Central
Alright, it is time to set up your hard disk. Since we are planning on using this as a dedicated firewall, we will use the whole disk. My disk is called wd0; yours may be something else.
Available disks are: wd0
Which one is the root disk? (or 'done') [wd0] wd0
Use (W)hole disk or (E)dit the MBR? [whole] whole
Now it will scroll out a suggested partitioning scheme. Usually you can just accept the defaults here. If you want to get fancy, remember that c: represents the entire drive. We will just use the defaults here:
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] a
It will print some cylinder information and then we are into installing the sets. We want to get the sets that we need, without getting a bunch of stuff on there that we don’t need. What I propose here is a lean version. Of course, you can install everything; the rest of the guide will still function.
Let's install the sets!
Location of the sets? [cd] cd
Available CD-ROMs are: cd0
Which one contains the install media? (or 'done') [cd0] cd0
Pathname to the sets? (or 'done') [4.7/i386] Enter
Now it should scroll by to show which sets will be installed by default. We, of course, want to modify those. The … represents the same prompt repeated; we have to remove everything that we don’t want!
Set name(s)? (or 'abort' or 'done') -misc47.tgz
... -comp47.tgz
... -game47.tgz
... -xbase47.tgz
... -xetc47.tgz
... -xshare47.tgz
... -xfont47.tgz
... -xserv47.tgz
... done
It will now load the sets specified. For various reasons, it asks about the sets again.
Location of the set(s)? done
It will now scroll some stuff and then end with Congratulations! You have installed! or something like that. It drops you to a prompt where all you have to enter is reboot, and you will reboot into your newly set up system! Make sure that you remove your install media from the CD drive, otherwise you may be left wondering what happened! Now that you have your new system, there is still a ton to do before you have a firewall up and humming. However, the first steps have been taken! Feel free to play around with your new system, configuring the prompt and such, while you wait for the next post in the series, on configuring your system for a firewall.
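After the first reboot, the answer given to "disable sshd(8) logins to root?" can be checked against the file sshd actually reads. The script below is an added example, not part of the original guide: the function names and the sample fragments are constructed for illustration, and /etc/ssh/sshd_config is assumed to be the configuration path.

```shell
#!/bin/sh
# Added example (not from the original guide). Audits PermitRootLogin in an
# sshd_config. Rules relied on: keywords are case-insensitive, '#' starts a
# comment, the first value read for a keyword wins, and settings after a
# "Match" line apply only to connections that satisfy that Match.

# permit_root_login FILE
# Prints "<global> <n>": the effective global value ("unset" if the keyword
# does not appear before the first Match) and the number of Match-scoped
# PermitRootLogin lines whose value is not "no".
permit_root_login() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }                        # skip blank lines
        { key = tolower($1); val = tolower($2) }
        key == "match" { in_match = 1; next }
        key != "permitrootlogin" { next }
        in_match { if (val != "no") overrides++; next }
        global == "" { global = val }           # first occurrence wins
        END { if (global == "") global = "unset"; print global, overrides + 0 }
    ' "$1"
}

# root_ssh_disabled FILE
# Succeeds only if root login is explicitly "no" globally and no Match block
# re-enables it. An unset keyword fails, since the default differs by release.
root_ssh_disabled() {
    [ "$(permit_root_login "$1")" = "no 0" ]
}

# write_sample FILE KIND
# Constructed sshd_config fragments for the demonstration, not real installs.
write_sample() {
    case $2 in
        hardened) printf '%s\n' 'Port 22' '#PermitRootLogin yes' \
                      'permitrootlogin no  # first value wins' \
                      'PermitRootLogin yes' ;;
        override) printf '%s\n' 'PermitRootLogin no' \
                      'Match Address 192.0.2.0/24' \
                      '    PermitRootLogin without-password' ;;
        default)  printf '%s\n' 'Port 22' '#PermitRootLogin yes' ;;
    esac > "$1"
}

# Usage on the installed firewall: root_ssh_disabled /etc/ssh/sshd_config
```

A non-zero exit from root_ssh_disabled means the file should be read by hand before the management interface is exposed to anything.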