Using OpenBSD 2.9 As A Firewall/Gateway for Home DSL or Cable

Shamim Mohamed

Abstract

This is a quick tutorial on how to set up an OpenBSD 2.9 system to run as a firewall, NAT proxy, time and DHCP server on a system connected to the Internet via broadband like DSL or cable.

Caveat: There may be instances of hyperbole and irony (perhaps even syncopy) in this document. Brush up your critical reasoning.

New!

I have a shell script that sets up everything mentioned here. This is still experimental but if you try it, please let me know how it goes. Save this file to disk and run it by typing "sh config-fw.sh".

Introduction

Why OpenBSD? It's simple and secure. Your firewall machine should not have lots of things installed on it; therefore no exotic hardware, graphical desktops, X11 servers etc. - put those on your desktop machine. A simpler system is more robust and more secure; this machine only offers SMTP (email), ssh, ping/traceroute and optionally HTTP (web) to the outside world. And since it's running Unix, you can log in to it - securely - using ssh from anywhere on the Internet and make any changes you need to. (N.B.: never use telnet to connect to a machine over the Internet! Anyone can eavesdrop and grab important information like passwords. Only use ssh, which encrypts all communication so that eavesdroppers don't get any information.)

The utility and security of having this kind of machine: a firewall protects your data and systems from the Big, Bad Internet. When the bad guys are out to vandalise machines on the Internet, MS-Windows machines of various kinds are prime targets because they suck. Er, I mean, Windows is really hard to secure. (Not that an incompetently run Unix machine is any better, of course.) When you dialled in on the phone, your machine was on the 'net for brief periods; with DSL or cable it's vulnerable all the time.

This tutorial assumes that you have some familiarity with using Unix: what filenames look like, how to copy and edit files etc. There's a decent Unix tutorial on the web. The most important command to remember is man (short for "manual") - if I say something like "read the documentation for foobar" it means you should type man foobar. One other piece of Unix argot: if you see someone write select(2) it indicates that the manual for select is in section 2, i.e. you would read the manpage by typing man 2 select.

NAT allows you to connect lots of PCs up to one network connection. When any of the machines wants to make a connection to some server out there, the NAT box intercepts that request, and sends the request off as though it came from the NAT machine. When the reply arrives, it is sent off to the machine that made the connection. Neither the server nor the machines on the inside know that all this is going on.

Aside: NAT is also called PAT, for "Port Address Translation." Also, read this interesting article by HRH Prince Philip, Duke of Edinburgh, on setting up PAT and DHCP on Cisco routers. The whole routergod.com site features many celebrities offering helpful tips on various network issues. Even if you don't plan on having more than one PC at home, NAT is useful, because it allows the machine running your firewall to be different from your main workstation. You probably want to install fancy hardware and software on your machine; but every additional package installed on a firewall makes it more vulnerable.


 
Network Address Translation (NAT)

Note: if you only have one machine on the "inside", you don't need an ethernet hub; use a crossover cable to connect the two machines directly. This also has the advantage that you can get a full-duplex connection between the machines (a hub only allows a half-duplex connection).

Note: you can buy little NAT/DHCP boxes from various manufacturers for about $150, but where's the fun in that? Besides, who knows how strong the security is on those things. With OpenBSD you know you're getting the best.

Building the machine

The machine itself: I prefer to build these machines up from individual components rather than buying a pre-made box. That way I can get name-brand supported components, and it works out slightly cheaper since I don't have to get exotic video cards, sound cards, CD-ROM drives etc. (Not to mention a Fisher-Price operating system that you will be required to pay for.)

Can you build a PC? Well, no one showed me how, but I've managed to put together about 10 or so systems, so it can't be that hard. If you've assembled anything with screwdrivers etc. you'll be fine. There are numerous sites on the web that walk you through building a PC. Go do a Google search and read those. I especially like the one at Acme Labs by Jef Poskanzer. There's also an excellent motherboard finder at Acme.

Caveat: specific recommendations will be outdated as soon as I write them! I like to use AMD CPUs because I believe Intel is evil and as far as possible I'd like to not buy their products. I'd get the current not-top-of-the-line CPU i.e. the one that costs about $50 and a compatible motherboard that costs in the range of $70. I stay away from integrated components because they're usually garbage. (For a server that I don't use directly I might get integrated video.) Spend about $30-50 on RAM, $30 on ethernet, $60 on an IDE disk, $30 for a case (with power supply). I usually find the best prices on components at Directron and CompuVest. These have both been non-sleazy (everything was as described in their catalog and shipping was prompt) in all my dealings with them -- but let me know if you find any evidence of sleaziness.

All these components add up to around $300 - and that's brand-new stuff. If you have any old components lying around, they will be fine. You don't need a keyboard, mouse or monitor when the system is up and running - all maintenance on it can be done over the network. (While you're installing the OS on the machine you will need to hook up a keyboard, monitor and CD-ROM drive to it, of course.)

While installing the system, I plug in a spare CD-ROM drive, keyboard and monitor. Change the BIOS settings so that the machine will boot without a keyboard etc. Boot off the OpenBSD 2.9 CD and install the system. All the hardware should be recognised without any problems. (The installation guide booklet that comes with the CDs is excellent.)

The easiest way to install OpenBSD is to buy the distribution on CDs. Although you can install it via the network, buying the CD will help make sure that the OpenBSD project will continue to improve and better the system. If you can afford an outlay of US$30, please buy the CDs from the OpenBSD ordering site.

When you're installing OpenBSD, the installer program will ask you for disklabel information (partitions). On a Unix system, a group of files organised together is called a filesystem. The disk is partitioned into various pieces each of which will hold one filesystem. This is the filesystem breakup and partition sizes I'd use for a 12GB disk:

/dev/wd0a      100M	/
/dev/wd0d      400M	/tmp
/dev/wd0e      4GB	/var
/dev/wd0g      2GB	/usr
/dev/wd0h      5GB	/home
    

(The convention is that a is always /, b is swap and c is the whole disk.) Your web files will live in /var, and other files in /home.

This is all overkill; /usr only needs about 600M or so - say, pad it to 1GB. A 2GB disk would be plenty for the system, but if the cheapest disk you can get is 13GB....

Note for Unix newcomers: the disk is named /dev/wd0, and in this case it has 5 partitions with names /dev/wd0a, /dev/wd0d, /dev/wd0e, /dev/wd0g and /dev/wd0h. The different partitions don't get different "drive letters" as in some primitive operating systems; once the system is installed, to the user it looks like one tree of files, and Unix works out which partition each file lives on. After the system has been installed and you've booted off the hard disk, log in and (this is important!) type man afterboot; it will remind you of some things that you need to do to complete the installation - pick passwords, create user accounts, check network settings etc. Also, man hier will introduce you to the way the system is organised - which files live where. In fact, let me say that again:

After the first normal boot of the system, be sure to read these manpages:
$  man afterboot
$  man hier
      

There! And make sure you keep reading the manpages - OpenBSD manpages are a thing of beauty, complete, up-to-date and informative. And also read the OpenBSD FAQ on the web -- much of this information is also found there.

Configuring the network

For my outside connection I have DSL and a static IP number (from Speakeasy - I recommend them over PacBell etc. - I'm so happy I switched). Other DSL options are PPPoE that PacBell likes to set people up with, or DHCP which is what you usually get over cable. A completely bogus DSL installation is the USB device they try to foist on customers with Windows. Danger, Will Robinson! They stink; they're unsupported on any free O/S, and even on Windows they work about half the time.

In *BSD the network cards are named according to the driver used. For the D-Link cards, the driver is called rl, so my two ethernet cards are rl0 and rl1. For the inside network I use the "private" (non-routable) IP numbers 192.168.1.* which will make the inward-facing network card 192.168.1.1. The OpenBSD initialization asks you for IP numbers for the two cards. Enter the appropriate ones - the IP number your ISP gave you for rl0, and 192.168.1.1 for rl1. For PPPoE, the outside interface is tun0 and it will figure out its own IP address. If you're supposed to use DHCP on your DSL or cable connection, type in dhcp.

It is important to remember which network will be the outside and which the inside. If the two cards are identical, the easiest way is to look at the MAC number. Every ethernet card ever made has a unique ID called its MAC number. This will be printed on the card, usually as a sticker. When the kernel boots up, it will print the MAC numbers of each card it finds:

rl0 at pci0 dev 9 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:50:ba:44:ab:1c
rl1 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 10 address 00:50:ba:44:9c:3e 
    

So the card that has a MAC number ending ab1c is rl0; the other is rl1. (If the two network cards you have are different types, there's no problem, of course. The kernel bootup messages will still be useful to tell you what names the system is using for them.)

(There's some rule about where the cards are plugged in so which one gets number 0 and which no. 1, but I can never remember that.)

PPPoE

The beast! PPPoE is a pain in the ass but ISPs like it because it makes things simpler for them - they don't have to maintain lists of IP numbers. Also, they can run a crappy service and keep dropping the connection and that's ok, you're expected to reconnect. It's the Micros**t philosophy of "make something really crappy and expect people to just re-start the whole system a couple of times a day." It's a pain in the ass for us because its MTU is 1492 instead of 1500 which used to require changes on every machine inside the network - but now thanks to the "mssfixup" flag we don't have to any more.

The files you will need to change for PPPoE all live in /etc/ppp/.

Configure system files

To set up the system, the files you will be editing are: /etc/rc.conf, /etc/myname, /etc/mygate, /etc/ipf.rules, /etc/ipnat.rules, /etc/*.conf, /etc/hostname.interface, /var/named/*.

Edit /etc/rc.conf. On my servers I run SMTP, Apache, and ssh. In other words, from the outside it handles email, web access and secure shell for remote logins. For convenience, on the inside I have a private name server (DNS) and NTP server for accurate time. To get sendmail, NTP, httpd, and NAT to work, these are the lines to change:

sendmail_flags="-bd -q30m"      # for normal use: "-bd -q30m"
named_flags=""                  # for normal use: ""
ntpdate_flags="put.server.here" # for normal use: NTP server; run before ntpd starts
httpd_flags=""                  # for normal use: "" (or "-DSSL" after reading ssl(8))
dhcpd_flags="-q"                # for normal use: "-q"
ipfilter=YES
ipnat=YES                       # for "YES" ipfilter must also be "YES" 
ntpd=YES                        # run ntpd if it exists       
    
Make sure that /etc/sysctl.conf has this line in it:
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
    
Get the names of NTP servers close to where you are and put that name in the ntpdate value. Here's a list of public NTP servers.

NAT and firewall rules

I decided that my outside interface would be rl0, and the inside one rl1. (If you're using PPPoE, the outside interface will be tun0.) Firewall rules (they tell the gateway what kind of network traffic should be allowed into the internal network) live in /etc/ipf.rules; NAT configuration is in /etc/ipnat.rules.

Here's a sample /etc/ipf.rules - very little is accessible from the outside, but machines on the inside can go out with no restrictions. In your files you'd replace rl0 and rl1 with the names of your outward- and inward-facing ethernet cards, respectively.

#####################################################################
#
# IP packet filtering rules (firewall)
# Shamim Mohamed 3/2001
 
# If you change this file, run
#    ipf -Fa -f /etc/ipf.rules
# to update kernel tables
 
# All rules are "quick" so go strictly top to bottom
 
#  Don't bug loopback
#
pass out quick on lo0
pass in quick on lo0
 
#  Don't bother the inside interface either
#
pass out quick on rl1
pass in quick on rl1
 
#####################################################################
#
#  First, we deal with bogus packets.
#
 
#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets and IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on rl0 proto icmp from any to any icmp-type redir
block in log quick on rl0 proto tcp/udp all with short
 
#  Block any IP spoofing attempts.  (Packets "from" non-routable
#  addresses shouldn't be coming in from the outside).
#
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 127.0.0.0/8    to any
block in quick on rl0 from 172.16.0.0/12  to any
block in quick on rl0 from 10.0.0.0/8     to any
block in quick on rl0 from 0.0.0.0/8      to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24   to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3    to any
block in quick on rl0 from 255.255.255.255/32 to any
 
#  Kill all source-routed packets
#
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr
 
#  Don't allow non-routable packets to leave our network
#
block out quick on rl0 from any to 192.168.0.0/16
block out quick on rl0 from any to 127.0.0.0/8
block out quick on rl0 from any to 172.16.0.0/12
block out quick on rl0 from any to 10.0.0.0/8
block out quick on rl0 from any to 0.0.0.0/8
block out quick on rl0 from any to 169.254.0.0/16
block out quick on rl0 from any to 192.0.2.0/24
block out quick on rl0 from any to 204.152.64.0/23
block out quick on rl0 from any to 224.0.0.0/3
block out quick on rl0 from any to 255.255.255.255/32
 
#
#####################################################################
 
 
#####################################################################
#
#  Now the normal filtering rules
#
 
#  ICMP: allow incoming ping and traceroute only
#
pass in quick on rl0 proto icmp from any to any icmp-type echorep
pass in quick on rl0 proto icmp from any to any icmp-type echo
pass in quick on rl0 proto icmp from any to any icmp-type timex
pass in quick on rl0 proto icmp from any to any icmp-type unreach
block in log quick on rl0 proto icmp from any to any
 
#  TCP: Allow ssh, smtp, http and https incoming. Only match
#  SYN packets, and allow the state table to handle the rest of the
#  connection.
#
pass in quick on rl0 proto tcp from any to any port = ssh   flags S keep frags keep state
# If you're not running sendmail, comment this out
pass in quick on rl0 proto tcp from any to any port = smtp  flags S keep frags keep state
# If you're not running Apache, comment the next two rules out
pass in quick on rl0 proto tcp from any to any port = http  flags S keep frags keep state
# If you're not using SSL with Apache (for https), comment this out
pass in quick on rl0 proto tcp from any to any port = https flags S keep frags keep state
 
#  UDP: reject all UDP from the outside. The raudio proxy will
#  insert temporary entries into the table when it sees PNA
#  connections.
 
#  Of course we need to allow packets coming in as replies to our
#  connections so we keep state. Strictly speaking, with packets
#  coming from our network we don't have to only match SYN,
#  and it's rather unlikely that there will be any fragments. But
#  what the hell.
#
pass out quick on rl0 proto tcp  from any to any flags S keep frags keep state
pass out quick on rl0 proto udp  from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
 
#  End of rules. Block everything to all ports, all protocols and return
#  RST (TCP) or ICMP/port-unreachable (UDP). Don't forget to rewrite the
#  source address of the "port unreachable" message, hence -as-dest
#
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest in log quick on rl0 proto udp from any to any
block in quick all
 
#
#  End of file
#
#####################################################################
    
Read the ipfilter documentation and understand these rules.
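A sanity check for rule files like the one above, added here as an example; it is not the author's script and not part of the ipfilter tools. It parses the plain address-based block rules for the outside interface and reports prefixes that are blocked coming in but not going out (or vice versa), and confirms that the private LAN prefix falls inside one of the inbound blocks. The rule excerpt, the interface names and the LAN prefix are constructed sample input; one asymmetry (169.254.0.0/16 blocked inbound only) is deliberate so the check has something to report.

```python
import ipaddress
import re

# Constructed excerpt of the ipf.rules above, used as sample input for this
# check. One asymmetry is deliberate: 169.254.0.0/16 is blocked inbound but
# has no matching outbound rule.
SAMPLE_RULES = """\
# bogus source addresses coming in from the outside
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 127.0.0.0/8    to any
block in quick on rl0 from 10.0.0.0/8     to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 224.0.0.0/3    to any
# don't let packets for non-routable destinations leak out
block out quick on rl0 from any to 192.168.0.0/16
block out quick on rl0 from any to 127.0.0.0/8
block out quick on rl0 from any to 10.0.0.0/8
block out quick on rl0 from any to 224.0.0.0/3
pass in quick on rl0 proto tcp from any to any port = ssh flags S keep frags keep state
block in quick all
"""

# Only the plain address-based block rules are of interest here; rules with
# 'proto', 'with' or port options do not match these patterns and are ignored.
IN_RE = re.compile(r'^block\s+in\s+(?:log\s+)?quick\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+any$')
OUT_RE = re.compile(r'^block\s+out\s+(?:log\s+)?quick\s+on\s+(\S+)\s+from\s+any\s+to\s+(\S+)$')


def parse_block_rules(text, iface):
    """Return the sets of networks blocked inbound and outbound on iface."""
    inbound, outbound = set(), set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        m = IN_RE.match(line)
        if m and m.group(1) == iface:
            inbound.add(ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = OUT_RE.match(line)
        if m and m.group(1) == iface:
            outbound.add(ipaddress.ip_network(m.group(2), strict=False))
    return inbound, outbound


def check_rules(text, outside_iface, inside_net):
    """Compare the anti-spoofing (inbound) list with the anti-leak (outbound)
    list and confirm the private LAN prefix sits inside some inbound block."""
    inbound, outbound = parse_block_rules(text, outside_iface)
    lan = ipaddress.ip_network(inside_net)
    return {
        'in_not_out': sorted(str(n) for n in inbound - outbound),
        'out_not_in': sorted(str(n) for n in outbound - inbound),
        'lan_covered': any(lan.subnet_of(n) for n in inbound
                           if n.version == lan.version),
    }


if __name__ == '__main__':
    for key, value in check_rules(SAMPLE_RULES, 'rl0', '192.168.1.0/24').items():
        print(f'{key}: {value}')
```

Feed check_rules() the text of the real /etc/ipf.rules once the file loads cleanly with ipf -Fa -f; it only inspects the two bogon lists and deliberately ignores the stateful pass rules.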

This is the NAT config /etc/ipnat.rules - this allows machines on the inside network to transparently make connections to the outside world (including active ftp and RealAudio PNA via UDP):

#####################################################################
#
# NAT rules, along with application proxies (ftp, real audio)
# Shamim Mohamed 3/2001
 
# If you edit this file, run
#    ipnat -CF -f /etc/ipnat.rules
# to update kernel tables
 
# If the address of the outbound interface might change (DHCP lease
# expiry, ppp re-connect) run ipf -y to update the address of rl0 on
# all rules!

#####################################################################
 
# Application level proxies (must be done before rewriting source
# addresses, since ipnat is first-match)
 
# ftp - for active connections
map rl0 192.168.1.0/24 -> rl0/32 proxy port ftp ftp/tcp
 
# RealAudio
map rl0 192.168.1.0/24 -> rl0/32 proxy port 7070 raudio/tcp
map rl0 192.168.1.0/24 -> rl0/32 proxy port  554 raudio/tcp

#####################################################################
# 
# Okay! Now we're ready to do the core of the packet rewriting.
# Rewrite dest and source; allocate a new src port between 10000 and 20000
#
map rl0 192.168.1.0/24 -> rl0/32 portmap tcp/udp 10000:20000
 
# Allow anything else (ICMP and others) to go through
#
map rl0 192.168.1.0/24 -> rl0/32

#
# End of file
#
#####################################################################
    
(The RealAudio UDP proxy doesn't work yet - watch this space.)
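To show what the portmap rule above does with the packets described in the NAT introduction, here is a small model of the translation table, added as an example (it is neither ipnat's code nor the author's). It assumes a single outside address, one protocol and no entry ageing; 123.45.67.89 is the sample static address used elsewhere on this page, and the 198.51.100.x addresses are constructed stand-ins for servers out on the Internet.

```python
import ipaddress


class PortmapNat:
    """Toy model of the rule
        map rl0 192.168.1.0/24 -> rl0/32 portmap tcp/udp 10000:20000
    Assumptions: one outside address, one protocol, no table ageing. The
    kernel's real table also keys on protocol and expires idle entries."""

    def __init__(self, inside_net, outside_addr, low=10000, high=20000):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.outside_addr = outside_addr
        self.low, self.high = low, high
        self.next_port = low
        # flow as seen from the inside -> source port allocated on the outside
        self.out_table = {}
        # (allocated port, remote ip, remote port) -> inside (ip, port)
        self.in_table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving via the outside interface. Returns the
        rewritten (src_ip, src_port), or None if the source is not on the
        inside network and so does not match the map rule."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return None
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            if self.next_port > self.high:
                raise RuntimeError('portmap range exhausted')
            nat_port = self.next_port
            self.next_port += 1
            self.out_table[key] = nat_port
            self.in_table[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.outside_addr, self.out_table[key])

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving on the outside interface. Returns the
        inside (ip, port) it belongs to, or None when no inside host started
        this flow; that is why unsolicited packets from the Internet never
        reach machines behind the NAT."""
        if dst_ip != self.outside_addr:
            return None
        return self.in_table.get((dst_port, src_ip, src_port))


if __name__ == '__main__':
    nat = PortmapNat('192.168.1.0/24', '123.45.67.89')
    print(nat.outbound('192.168.1.5', 40123, '198.51.100.7', 80))   # ('123.45.67.89', 10000)
    print(nat.inbound('198.51.100.7', 80, '123.45.67.89', 10000))   # ('192.168.1.5', 40123)
    print(nat.inbound('198.51.100.9', 80, '123.45.67.89', 10000))   # None: nobody asked for this
```

The reply lookup keys on the remote address and port as well as the allocated local port, so a packet from a different host to an allocated port finds no entry and is dropped; the real kernel table goes further and also ages entries out, which is why long-idle UDP flows sometimes need the state rules to be re-established.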

The system should already have set up /etc/hostname.rl0 and /etc/hostname.rl1 (or whatever your network device names are) for you. Each file will have the IP number and netmask. This is what these files would look like:

 
bash-2.04$ cat /etc/hostname.rl1
inet 192.168.1.1 0xffffff00 NONE 
bash-2.04$ cat /etc/hostname.rl0
inet 123.45.67.89 0xffffff00 NONE
    
(The bash-2.04$ is the prompt; cat types a file out to the output.) If you're using DHCP, the outside interface's hostname file will say dhcp.

Other important files are /etc/myname - your hostname - and /etc/mygate - your default gateway to the outside world (your ISP told you what this should be - it's usually the same as your IP number except that the last number is replaced with a 1 or 254.)

PPPoE

If you have PPPoE (you unfortunate soul!) things are different. You shouldn't have /etc/mygate; and the file describing the outside interface, /etc/hostname.rl0 in my example, will only have one word in it: up. This tells the system to bring up the interface at boot time, but to do nothing else - pppoe will do the rest.

The main file is /etc/ppp/ppp.conf and this is what it should look like:

default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 0
 set reconnect 15 10000

pppoe:
 set device "!/usr/sbin/pppoe -i rl0"
 disable acfcomp protocomp
 deny acfcomp
 set mtu 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname login
 set authkey password
 enable dns
 enable mssfixup
    
Use your login name and password where indicated. The "set device" line tells ppp which physical device to use to talk to the outside world. You also have to tell the system to start PPPoE at boot time. That can be done with this little snippet of shell script:
echo -n "Trying to establish PPPoE DSL"; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
    sleep 5
    echo -n ".$i"
    if /usr/local/sbin/adsl-status>/dev/null; then
        break
    fi
done
echo
/usr/local/sbin/adsl-status
    
Where adsl-status is a little shell-script that tests to see whether the PPP link has come up properly:
#!/bin/sh
 
# Our address is the one printed before "-->"; the one after it is the ISP's end
IP=$(/sbin/ifconfig tun0 | awk '/netmask/{print $2}')
 
if [ -z "$IP" ]; then
   echo "ADSL link is down."
   exit 1
else
   echo "ADSL is up, IP address $IP"
   exit 0
fi
    
Now the question is: where should we put the little loop that tries to get ppp going? The right place to put all these is in /etc/rc.local. However this has the drawback that the outside network hasn't been initialised while the rest of the system is coming up, which causes some scary-looking error messages from NAT to be printed at boot time. So I do something a little un-kosher: I put the ppp initialisation in /etc/netstart towards the end, just before NAT is configured:
...
echo -n ' ADSL... '; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
    sleep 5
    echo -n ".$i"
    if /usr/local/sbin/adsl-status>/dev/null; then
        break
    fi
done
echo
/usr/local/sbin/adsl-status

# Configure NAT after configuring network interfaces
if [ "${ipnat}" = "YES" -a "${ipfilter}" = "YES" -a -f "${ipnat_rules}" ]; then
...
    
Now remember that each time the PPP link goes up or down, the IPF and NAT rules must be re-done. The files /etc/ppp/ppp.linkup and /etc/ppp/ppp.linkdown are scripts that get run by ppp. Here's /etc/ppp/ppp.linkup:
MYADDR:
 ! sh -c "/sbin/route del default"
 ! sh -c "/sbin/route add default HISADDR -mtu 1492"
 ! sh -c "/sbin/ipf -Fs -FS -Fa -f  /etc/ipf.rules"
 ! sh -c "/sbin/ipnat -CF -f /etc/ipnat.rules"
 ! sh -c "/usr/local/sbin/xntpd -p /var/run/ntpd.pid"
    
And this is /etc/ppp/ppp.linkdown:
MYADDR:
 ! sh -c "/sbin/ipnat -CF"
 ! sh -c "/sbin/ipf -Fa"
    

Configuring email

Sendmail should have been set up automatically since you edited /etc/rc.conf but I've occasionally had to make one change in /etc/mail/sendmail.cf:

 
Djmy-domain-name.com
    
(If you don't own a domain, or plan on having it point to your DSL machine, you don't need sendmail.)

You should have a normal user account that you're going to use (never log in as root! Always use su or sudo). Administrative email should be forwarded to you; if your normal username is zippy edit /etc/mail/aliases and make sure you make the appropriate lines look like this:

# Well-known aliases -- these should be filled in!
root: zippy
manager: zippy
dumper: zippy
    
One thing you should consider is being an email handler for friends. My DSL service goes down too often -- every few months. This is too unreliable for my tastes. What I do is collaborate with friends to accept and queue email for them, and they do the same for me. For my domain foo.com the primary mail exchanger is gateway.foo.com, the OpenBSD firewall/gateway. But a secondary mail exchanger (which someone out there on the network will use if my DSL is down) will be gateway.bar.com, and email will wait on that site until my machine is back on the network. I want to perform the same service for my friend - if gateway.bar.com is down, I want people to be able to send my machine the email destined for bar.com. This goes in the file /etc/mail/relay-domains:
bar.com
fubar.org
    
Now the machine will accept email for bar.com and fubar.org as well as for itself and then forward the messages on. If the machine it's trying to forward to is down, it will put them in the queue and keep re-trying for a while.

Setting up DNS

You probably shouldn't be running the primary DNS server for your domain on your DSL box; DSL may not be reliable enough for that. Get someone else to do it for you for free, like www.zoneedit.com.

However, it is nice to have a local private DNS because lots of daemons (services that run in the background, like the web server) like to do reverse lookups of IP numbers, so we should have a DNS server for the private network. Also, this installation will give you a caching nameserver which should improve your browsing speed.

The files live in /var/named. Edit named.boot and add these lines:


primary    fake-domain.org               fake-domain.db
primary    1.168.192.in-addr.arpa        fake-domain.rev

; your static IP number, reversed
primary    89.67.45.123.in-addr.arpa     dsl.rev

; remember to add your nameservers here!
forwarders 1.2.3.4 5.4.3.2
    
(Anything starting with a semicolon is a comment.) Here fake-domain.org can be a real domain you have or a fake; and instead of 89.67.45.123 use your static IP but reversed, i.e. you would use that line if your IP number were 123.45.67.89. And change the IP numbers on the forwarders line to the nameservers your ISP told you to use.

Other files you need are /var/named/namedb/fake-domain.db:

@       IN      SOA     gateway.fake-domain.org.     root.fake-domain.org.
(
                                14      ; Serial
                                10800   ; Refresh
                                3600    ; Retry
                                604800  ; Expire
                                86400 ) ; Minimum
 
        IN      NS      gateway.fake-domain.org.
 
 
gateway IN      A       192.168.1.1
libelle IN      A       192.168.1.2
discus  IN      A       192.168.1.4
ventus  IN      A       192.168.1.3
wander  IN      A       192.168.1.5
brad    IN      A       192.168.1.12
jack    IN      A       192.168.1.13

; your static IP number
dsl     IN      A       123.45.67.89
 
www     IN      CNAME   dsl
mail    IN      CNAME   gateway
; gateway already has an A record above; a name with a CNAME can carry no
; other records, and a CNAME may not point at itself, so it gets no CNAME
 
    
In this network there are six machines on the inside, and those are their names and IP number assignments. The OpenBSD gateway machine is named "gateway". Change these entries to the names of the machines on your private network. You can give them any IP number that starts with 192.168.1. Of course, if you have three machines on your network, there will only be three entries.

This is /var/named/fake-domain.rev:

@       IN      SOA     gateway.fake-domain.org.     root.fake-domain.org.
(
                                14      ; Serial
                                10800   ; Refresh
                                3600    ; Retry
                                604800  ; Expire
                                86400 ) ; Minimum
 
        IN      NS      gateway.fake-domain.org.
 
 
1       IN      PTR     gateway.fake-domain.org.
2       IN      PTR     libelle.fake-domain.org.
3       IN      PTR     ventus.fake-domain.org.
4       IN      PTR     discus.fake-domain.org.
5       IN      PTR     wander.fake-domain.org.
12      IN      PTR     brad.fake-domain.org.
13      IN      PTR     jack.fake-domain.org.
    
(Those trailing dots are important.) And here's /var/named/namedb/dsl.rev:
@       IN      SOA     gateway.fake-domain.org.     root.fake-domain.org.
(
                                14      ; Serial
                                10800   ; Refresh
                                3600    ; Retry
                                604800  ; Expire
                                86400 ) ; Minimum
 
        IN      NS      gateway.fake-domain.org.
 
 
        IN      PTR     dsl.fake-domain.org.
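
The zone files above are easy to get subtly wrong, and the trailing dots are the usual culprit. Here is a checker, added as an example and not part of BIND or the author's setup, that parses the small zone-file subset used here, confirms every internal A record has a matching PTR and vice versa, reports PTR targets without a trailing dot (which named reads as relative to the reverse zone), and flags names that carry a CNAME alongside other records. The embedded zones are a trimmed, constructed copy of the ones above with two deliberate mistakes so the output is not empty.

```python
# Constructed sample input: the forward and reverse zones above, trimmed to a
# few hosts, with two deliberate mistakes for the check to report: the PTR for
# libelle lacks its trailing dot, and gateway is given a CNAME on top of its
# A record.
FORWARD_ZONE = """\
@       IN      SOA     gateway.fake-domain.org.     root.fake-domain.org.
(
                                14      ; Serial
                                10800   ; Refresh
                                3600    ; Retry
                                604800  ; Expire
                                86400 ) ; Minimum
        IN      NS      gateway.fake-domain.org.
gateway IN      A       192.168.1.1
libelle IN      A       192.168.1.2
ventus  IN      A       192.168.1.3
wander  IN      A       192.168.1.5
dsl     IN      A       123.45.67.89
www     IN      CNAME   dsl
gateway IN      CNAME   gateway
"""

REVERSE_ZONE = """\
@  IN  SOA  gateway.fake-domain.org. root.fake-domain.org. ( 14 10800 3600 604800 86400 )
        IN      NS      gateway.fake-domain.org.
1       IN      PTR     gateway.fake-domain.org.
2       IN      PTR     libelle.fake-domain.org
3       IN      PTR     ventus.fake-domain.org.
4       IN      PTR     discus.fake-domain.org.
"""


def qualify(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to the origin."""
    return name if name.endswith('.') else f'{name}.{origin}'


def parse_zone(text, origin):
    """Minimal parser for the zone-file subset used above. Returns a list of
    (owner, type, rdata) with fully qualified owners. Assumes class IN and
    that parentheses only occur in the SOA record."""
    records, owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()       # strip comments
        stripped = line.strip()
        if depth or stripped.startswith('('):      # inside a multi-line ( ... )
            depth += stripped.count('(') - stripped.count(')')
            continue
        if not stripped:
            continue
        fields = stripped.split()
        if not line[0].isspace():                  # an explicit owner name
            name = fields.pop(0)
            owner = origin if name == '@' else qualify(name, origin)
        if fields and fields[0] == 'IN':
            fields.pop(0)
        if fields:
            rdata = ' '.join(fields[1:])
            records.append((owner, fields[0], rdata))
            depth += rdata.count('(') - rdata.count(')')
    return records


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Cross-check A records against PTR records and flag CNAME misuse."""
    fwd = parse_zone(fwd_text, fwd_origin)
    rev = parse_zone(rev_text, rev_origin)
    labels = rev_origin.rstrip('.').split('.')[:-2]      # drop in-addr.arpa
    prefix = '.'.join(reversed(labels)) + '.'             # '192.168.1.'
    a_by_ip = {rd: o for o, t, rd in fwd if t == 'A' and rd.startswith(prefix)}
    ptr_by_ip, missing_dot = {}, []
    for owner, rtype, rdata in rev:
        if rtype != 'PTR':
            continue
        if not rdata.endswith('.'):
            missing_dot.append(owner)
        ptr_by_ip[prefix + owner.split('.')[0]] = qualify(rdata, rev_origin)
    types = {}
    for owner, rtype, _ in fwd:
        types.setdefault(owner, set()).add(rtype)
    return {
        'missing_dot': missing_dot,
        'no_ptr': sorted(ip for ip in a_by_ip if ip not in ptr_by_ip),
        'no_a': sorted(ip for ip in ptr_by_ip if ip not in a_by_ip),
        'mismatch': sorted(ip for ip in a_by_ip
                           if ip in ptr_by_ip and ptr_by_ip[ip] != a_by_ip[ip]),
        'cname_conflict': sorted(o for o, t in types.items()
                                 if 'CNAME' in t and len(t) > 1),
    }


if __name__ == '__main__':
    print(check_zones(FORWARD_ZONE, 'fake-domain.org.',
                      REVERSE_ZONE, '1.168.192.in-addr.arpa.'))
```

Note how the missing dot shows up twice: once by name, and again as a mismatch, because the target really would be served as libelle.fake-domain.org.1.168.192.in-addr.arpa.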
    

PPPoE

Yes, again more stupid special cases for PPPoE. For one thing, your IP address from the outside keeps changing so all the stuff about dsl.rev doesn't apply. However, more important: you don't know what your ISP's DNS servers are! And they could change which machines you're supposed to use each time you connect! What you have to do is: connect "by hand" one time, and see which DNS servers you got. After ppp.conf has been written, you can run ppp -ddial pppoe and pray. If all goes well, ifconfig tun0 should show you two lines:
$  /sbin/ifconfig tun0
tun0: flags=11 mtu 1492
        inet 63.201.32.40 --> 63.201.39.254 netmask 0xff000000
    
That means everything worked. Now look at /etc/resolv.conf - there should be one or more lines in there that say which nameservers should be used. Put these IP numbers in the forwarders line in /var/named/named.boot. One other wrinkle: the /etc/resolv.conf that ppp makes for you doesn't know about your domain, or that you're running a nameserver on your machine. To get around these problems, I created another file /etc/resolv.conf-working:
nameserver 192.168.1.1
lookup file bind
search fake-domain.org
    
In /etc/ppp/ppp.linkup I tell it to overwrite the created resolv.conf with this one:
 ! sh -c "cp /etc/resolv.conf-working /etc/resolv.conf"
    
(Add that to the end of the file that you've already created.) This allows all programs running on the machine to be able to use all the good things about a local caching nameserver - things like being able to refer to internal hosts by short name etc.

Other machines on the network

Go to the other machines on your network and set them up with the static IP numbers you assigned above, e.g. the machine wander gets an IP number of 192.168.1.5. All the machines should use 192.168.1.1 for the gateway and use 192.168.1.1 for the DNS server. For more details on DNS, read the excellent O'Reilly book "DNS and BIND"; for more on setting up slightly more complex DNS servers than the one described here, go to the OpenBSD - DNS site maintained by Samiuela LV Taufa.

Setting up DHCP

Above, in the DNS setup, all internal machines are assigned their own IP numbers. Running DHCP allows guest machines to hook up to the network without fuss. Depending on your comfort level with setting up your other machines, you might also prefer to use DHCP over assigning static IPs. This is what /etc/dhcpd.conf should look like:

#       $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
 
# Network:              192.168.1.0/255.255.255.0
# Domain name:          fake-domain.org
# Name servers:         192.168.1.1
# Default router:       192.168.1.1
# Addresses:            192.168.1.32 - 192.168.1.127
#
shared-network LOCAL-NET {
        option  domain-name "fake-domain.org";
        option  domain-name-servers 192.168.1.1;
 
        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.1;
 
                range 192.168.1.32 192.168.1.127;
        }
} 
    
This will allow up to 96 machines on your internal network, which should be more than sufficient. Create an empty temporary file for dhcpd to use:
bash-2.04# touch /var/db/dhcpd.leases
    
If you make any changes to this file, run dhcpd rl1 (or whatever your inside network is). (Or you can reboot the machine - but that's the Windows way, in the Unix world we prefer to never reboot any machines.)
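Since the DNS section hands out fixed addresses and dhcpd hands out a pool, the two must not overlap. The check below is an added example (not dhcpd's own validation and not the author's script): it pulls the subnet, range and the router/DNS options out of a dhcpd.conf in the shape shown above, computes the pool size, and reports any static address that lands inside the pool or any handed-out address outside the subnet. The embedded config is a constructed copy of the one above; the static address list is whatever you assigned in fake-domain.db.

```python
import ipaddress
import re

# Constructed sample: the /etc/dhcpd.conf above, reduced to the lines that
# matter for this check.
SAMPLE_DHCPD_CONF = """\
shared-network LOCAL-NET {
        option  domain-name "fake-domain.org";
        option  domain-name-servers 192.168.1.1;

        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.1;

                range 192.168.1.32 192.168.1.127;
        }
}
"""


def _addr_list(match):
    """Turn dhcpd's comma-separated 'a, b, c' option value into addresses."""
    return [ipaddress.ip_address(a.strip()) for a in match.group(1).split(',')]


def parse_dhcpd_conf(text):
    """Extract subnet, pool range and the addresses handed to clients from
    the one-subnet, one-range dhcpd.conf shape used above."""
    subnet = re.search(r'subnet\s+(\S+)\s+netmask\s+(\S+)', text)
    rng = re.search(r'range\s+(\S+)\s+(\S+)\s*;', text)
    routers = re.search(r'option\s+routers\s+([^;]+);', text)
    dns = re.search(r'option\s+domain-name-servers\s+([^;]+);', text)
    if not (subnet and rng and routers and dns):
        raise ValueError('missing subnet, range, routers or domain-name-servers')
    return {
        'subnet': ipaddress.ip_network(f'{subnet.group(1)}/{subnet.group(2)}'),
        'range': (ipaddress.ip_address(rng.group(1)), ipaddress.ip_address(rng.group(2))),
        'routers': _addr_list(routers),
        'dns': _addr_list(dns),
    }


def check_dhcp_pool(text, static_addrs):
    """Report the pool size, whether the pool lies in the subnet, static
    addresses that collide with the pool, and router/DNS addresses outside
    the subnet (which clients could not reach)."""
    cfg = parse_dhcpd_conf(text)
    lo, hi = cfg['range']
    statics = [ipaddress.ip_address(a) for a in static_addrs]
    return {
        'pool_size': int(hi) - int(lo) + 1,
        'pool_in_subnet': lo in cfg['subnet'] and hi in cfg['subnet'],
        'statics_in_pool': sorted(str(a) for a in statics if lo <= a <= hi),
        'handouts_outside_subnet': sorted(str(a) for a in cfg['routers'] + cfg['dns']
                                          if a not in cfg['subnet']),
    }


if __name__ == '__main__':
    # constructed static list: the hosts given A records in fake-domain.db above
    print(check_dhcp_pool(SAMPLE_DHCPD_CONF,
                          ['192.168.1.1', '192.168.1.2', '192.168.1.3', '192.168.1.4',
                           '192.168.1.5', '192.168.1.12', '192.168.1.13']))
```

Run it again after editing the range or adding a machine to the zone file; the 96-address pool reported for the config above matches the figure in the text.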

Install "ports"

"Ports" is a *BSD term for a tree of Makefiles for all the software out there that's not part of the standard install. I recommend this highly. It is on CD No. 2 of the OpenBSD 2.9 CD-ROM set as ports.tar.gz. Please read the Ports and Packages page on the OpenBSD web site. You install it by typing (as root)

bash-2.04#  mount /dev/cd0a /mnt
bash-2.04#  cd /usr
bash-2.04#  tar xzf /mnt/ports.tar.gz
    
Once you've done this, if you want to install a package, you cd to the appropriate directory and simply type make all install - it will ftp the source from the appropriate site, handle all dependencies, apply any required patches, configure, build and install the tool.

Getting time from the Internet

Set up NTP so that your machine will always have accurate time. Pick two servers from the public NTP server list and make sure /etc/ntp.conf looks like this:

server ntp.server.first
server ntp.server.second
    
Since xntpd is not part of the standard install, you have to compile xntpd from source.
bash-2.04#  cd /usr/ports/sysutils/xntpd
bash-2.04#  make all install
    
The tools will be installed into /usr/local/sbin/ntpd.

Run ntpdate -b server where you pick a server from the list - this will perform a coarse adjustment of the system clock. The next time the machine reboots, it will sync your clock and record how much your clock drifts.

Setting up other hosts with NTP

On Unix hosts, use the appropriate NTP client; on Linux, it's xntpd. Set them up to use 192.168.1.1 as the NTP server. On Windows, use AboutTime - a free NTP client. In its configuration, make sure it uses only SNTP as the protocol, with 192.168.1.1 as the server. Put AboutTime in the Startup folder so it's started automatically. For more details, go to Robert Mooney's OpenBSD NTP site.

References

Glossary

(Coming soon.)

 

© 2001 Shamim Mohamed
Last modified: Thu Apr 18 20:09:09 PDT 2002