OpenBSD Jumpstart: Learn to Tame OpenBSD Quickly

131 点作者 fcambus超过 9 年前

9 条评论

jlgaddis超过 9 年前

I played with OpenBSD many, many years ago (when I had much more free time) but then didn't touch it for years.After hearing about JETPLOW [0], I decided to replace the Cisco ASA that I had been using for my (fiber) Internet connection at home with an open-source router/firewall.I had a RouterMaxx 1106 [1] (PDF) laying around so I decided to put OpenBSD on it and use that. In short order, I built an OpenBSD virtual machine, used flashrd [2] to build an OpenBSD image I could put on a CompactFlash card, and had it up and running.It just works.About two years later, it's still humming along nicely. The only downtime that I've had is when I upgraded to a new OpenBSD version. I could've minimized somewhat but I use a new CF card every time.Nowadays, I've also got a dedicated laptop running OpenBSD that I use solely for "security critical" stuff for $work. A separate machine stands in between the Internet and our MX hosts and runs OpenBSD's spamd [3] to help keep spam out of our users' mailboxes (N.B.: the number of messages hitting out Barracuda dropped by ~70%, with zero complaints received from any of our users).In addition, we're just beginning a project to basically rebuild our entire server infrastructure and we'll be using OpenBSD for certain functions: remote access (OpenVPN), SSH jump hosts, possibly authoritative DNS, etc.I'm a firm believer in using "the best tool for the job". Most of our servers will be running FreeBSD, but OpenBSD definitely has its place in our environment.[0]: <a href="https://nsa.gov1.info/dni/nsa-ant-catalog/firewalls/" rel="nofollow">https://nsa.gov1.info/dni/nsa-ant-catalog/firewalls/</a>[1]: <a href="http://www.balticnetworks.com/docs/routermaxx%206%20port.pdf" rel="nofollow">http://www.balticnetworks.com/docs/routermaxx%206%20port.pdf</a>[2]: <a href="http://www.nmedia.net/flashrd/" rel="nofollow">http://www.nmedia.net/flashrd/</a>[3]: <a href="http://www.openbsd.org/spamd/" rel="nofollow">http://www.openbsd.org/spamd/</a>

nalck超过 9 年前

This is quite the handy resource! Great idea and well done. OpenBSD is really quite friendly, just need to be comfortable with reading man pages and Unix basics.A tip for first-timers: perform the installation with an Ethernet internet connection. On my laptop, wireless firmware was installed and configured automagically on first boot. After that it's all gravy.

评论 #10796517 未加载

评论 #10795480 未加载

评论 #10795505 未加载

SwellJoe超过 9 年前

I've never seriously used any BSD, but I do have to admit I like that things don't change for the sake of change, as seems to happen on Linux every couple of years. With OpenBSD, docs from 10 years ago are generally workable, because nothing on the user side has changed. That's got some definite benefits. I've been using Linux as my primary OS for 20 years, as of this year (which is, coincidentally about as long as OpenBSD has been around), and I don't feel significantly more "on top of" the OS than I did 10 or even 15 years ago. On many fronts, I'm further behind, because I have so much less free time, and there's so much more to a Linux system. And, so much has changed.That said, there's a bunch of trade-offs. Virtualization on OpenBSD is, as far as I can tell, effectively a non-starter for any major project (i.e. those with many VMs, a virtual network, virtual disks, etc.). Containers seem to not exist, at all, though I found some historic mentions of jail-based options.It seems like a perfect candidate for a VM or container guest OS, due to security focus, small size, simple deployment, etc. But, you then have to have two sets of skills: Managing your guest operating system, and managing your host operating system. Since Linux is the strongest container or VM hosting OS on the server (this was once debatable when Solaris Zones was new and Linux was still somewhat immature on the container front, but I don't think anyone would make the case that Linux isn't the obvious choice for hosting VMs or containers in most deployments today), and Linux is pretty far away from OpenBSD, you've got two pretty widely divergent skill sets needed.Nonetheless, every time I read about OpenBSD, I feel a strong urge to give it a try. It seems extremely elegant in the way old UNIX systems were elegant. It appeals to me on a lot of fronts. Also, the code and documentation are extremely readable, in ways I've rarely seen elsewhere (FreeBSD also meets this description, but it's so much bigger it can still be daunting).I wonder if anyone is working on a Zones port to any BSD? OpenBSD with a convincing container or virtualization story would be a tipping point for me, in terms of being willing to put in the effort to learn it and use it.

评论 #10796584 未加载

评论 #10795795 未加载

评论 #10795792 未加载

评论 #10795833 未加载

评论 #10796549 未加载

mozumder超过 9 年前

How does networking speed compare to FreeBSD and Linux?If I were to make an REST API server, that serves 10,000 requests per second per core, which OS should I use?

评论 #10796972 未加载

评论 #10797297 未加载

评论 #10796289 未加载

评论 #10796425 未加载

blue1超过 9 年前

I've been using OpenBSD on my firewall for ages, but the fact that patches are only distributed in source form is a giant giant hassle. I understand the reasons for that but it's a level of inconvenience that I find unbearable today. On Debian it's just "apt-get upgrade". On OpenBSD it's so more difficult that I usually end just not patching it at all.

评论 #10797468 未加载

评论 #10797629 未加载

ksec超过 9 年前

There are different FreeBSD flavours such as PC-BSD which solely focus on PC Desktop usage.I wonder why there are any similar initiative for OpenBSD? I am sure OpenBSD is great fit for Server and Internet based Appliance where security is a prime concern, and doesn't require PC desktop support.

unixhero超过 9 年前

This is great.

wila超过 9 年前

Very nice, here's the plain text version instead of slide format.Learn to tame OpenBSD quickly.December 24, 2015HistoryForked from NetBSD. Theo De Raadt is the founder and leader of the OpenBSD project. The first OpenBSD release (1.1/CVS) appear on October 18, 1995.Why use OpenBSD ?<pre><code> UNIX-like Get the last version of OpenSSH, OpenSMTPD, OpenNTPD, OpenBGPD, OpenOSPFD, LibreSSL Get the last PF (Packet Filter) features Security focused Operating System Thorough documentation Cryptography </code></pre> Forked from NetBSD. Theo De Raadt is the founder and leader of the OpenBSD project. The first OpenBSD release (1.1/CVS) appear on October 18, 1995.OpenBSD Version numbers<pre><code> Six month release cycle New release is incremented by 0.1 </code></pre> OpenBSD's Flavors<pre><code> -release: The version of OpenBSD shipped every six months -current: Development just after the release -stable: Release, plus patches (support ~ 1 year) </code></pre> InstallationReally simple, ready in 5 minutes (KISS).Get more information: <a href="http://www.openbsd.org/faq/faq4.html" rel="nofollow">http://www.openbsd.org/faq/faq4.html</a>Networking (Files)<pre><code> File Contain /etc/myname Default hostname. /etc/hostname.if Configuration for each network interface, for example: /etc/hostname.bge0 /etc/mygate Default gateway. /etc/resolv.conf Resolver (DNS). /etc/hosts Known hosts on the network. </code></pre> Networking<pre><code> # See available network cards: /sbin/ifconfig # Restart networking service: /bin/sh /etc/netstart # Set DHCP for 're0' interface, on the fly: /sbin/dhclient re0 </code></pre> Networking (Routing)<pre><code> # Show the routing table (ipv4): /usr/bin/netstat -rnf inet # Show the routing table (ipv6): /usr/bin/netstat -rnf inet6 # Delete all gateway entries from the routing table: /sbin/route -n flush </code></pre> Networking (set at startup)Example 1: configure static IP address for re0.<pre><code> ## file: /etc/hostname.re0 inet 192.168.0.58 255.255.255.0 # For more information, read the manual: hostname.if(5) </code></pre> Don't forget to run 'sh /etc/netstart re0' to apply changes to running system.Example 2: configure DHCP for bge0.<pre><code> ## file: /etc/hostname.bge0 dhcp # For more information, read the manual: hostname.if(5) </code></pre> Don't forget to run 'sh /etc/netstart bge0' to apply changes to running system.Example 3: configure wireless.<pre><code> ## file: /etc/hostname.iwn0 nwid ACCESS_POINT_NAME wpakey THE_SECRET_KEY dhcp # For more information, read the manual: hostname.if(5) </code></pre> Don't forget to run 'sh /etc/netstart iwn0' to apply changes to running system.PF (Packet Filter)<pre><code> Ruleset: /etc/pf.conf </code></pre> Useful commands.<pre><code> # Disable PF /sbin/pfctl -d # Enable PF and load the rules /sbin/pfctl -ef /etc/pf.conf # Just load the rules (apply changes) /sbin/pfctl -f /etc/pf.conf # View the loaded rules /sbin/pfctl -s rules </code></pre> For more information, read the manual: pfctl(8)Pf ruleset sample<pre><code> ## file: /etc/pf.conf # Protect a laptop (allow only ping/ssh from anywhere) set skip on lo set fingerprints "/dev/null" block log all pass in on egress inet proto icmp all icmp-type echoreq pass in on egress inet proto tcp from any to any port ssh pass out # For more information, read the manual: pf.conf(5) </code></pre> Debug PF with tcpdump(8)<pre><code> /usr/sbin/tcpdump -nettti pflog0 </code></pre> Manage usersManually<pre><code> /usr/sbin/user [add|del|info|mod] user_name </code></pre> The interactive way<pre><code> # Add users /usr/sbin/adduser # Remove users /usr/sbin/rmuser </code></pre> For more information, read the manual: adduser(8)Manage Groups<pre><code> File: /etc/group /usr/sbin/group [add|del|info|mod] group_name </code></pre> Members in 'wheel' group can use su(1) to become 'root'.For more information, read the manual: group(8,5)sudo replaced with doas(1)<pre><code> ## file: /etc/doas.conf # Permit the user 'Marc' to reboot the box permit nopass marc as root cmd reboot </code></pre> Marc can now reboot the box:<pre><code> $ doas reboot </code></pre> For more information, read the manual: doas.conf(5)Install Packages<pre><code> export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/5.8/packages/amd64/ # OR use 'installpath' variable in /etc/pkg.conf: installpath=http://ftp2.fr.openbsd.org/pub/OpenBSD/%c/packages/%a/ # Add sudo package /usr/sbin/pkg_add sudo </code></pre> Some packages provide configuration and other information in a file located in '/usr/local/share/doc/pkg-readmes'.For more information, read the manual: pkg.conf(5)Packages<pre><code> # List packages installed /usr/sbin/pkg_info # View install-message for a specific package /usr/sbin/pkg_info -M package_name # Remove a Package /usr/sbin/pkg_delete package_name # Delete unused dependencies /usr/sbin/pkg_delete -a </code></pre> For more information, read the manual: packages(7)Install non-free firmware packages<pre><code> /usr/sbin/fw_update </code></pre> Firmware is downloaded from release-specific directories at: <a href="http://firmware.openbsd.org/firmware/" rel="nofollow">http://firmware.openbsd.org/firmware/</a>Manage daemons, services<pre><code> File: /etc/rc.conf.local /usr/sbin/rcctl [enable|disable|start|stop|reload|restart] daemon_name # Examples /usr/sbin/rcctl enable ipsec /usr/sbin/rcctl enable isakmpd /usr/sbin/rcctl set isakmpd flags -K /usr/sbin/rcctl start isakmpd </code></pre> For more information, read the manual: rcctl(8)Run a script at startup<pre><code> File: /etc/rc.local </code></pre> For more information, read the manual: rc.local(8)Update OpenBSDAny security or reliability fixes can be found at: <a href="http://www.openbsd.org/errata.html" rel="nofollow">http://www.openbsd.org/errata.html</a>You can also use the openup tool from M:tierUpgrade OpenBSDTo upgrade 5.6 to 5.8, you need to follow instructions:<a href="http://www.openbsd.org/faq/upgrade57.html" rel="nofollow">http://www.openbsd.org/faq/upgrade57.html</a> & <a href="http://www.openbsd.org/faq/upgrade58.html" rel="nofollow">http://www.openbsd.org/faq/upgrade58.html</a>OpenBSD Filesystem<pre><code> The most important: / Root directory. /home User home directories. /root Default home directory for the superuser. /mnt A temporary mount point. /etc System configuration files and scripts. /etc/examples Example configuration files for base system daemons. /etc/skel (dot) files for new accounts. /etc/signify Key files used for signify(1). /tmp Cleaned after a reboot. /var/tmp Symbolic link to the system /tmp. /var/log Log files. /var/run pid, socket files, utmp, dmesg.boot /var/db Database files. /var/www Configuration files for httpd(8). /usr/local Used for third packages installed. /usr/src BSD and/or local source files. </code></pre> For more information, read the manual: hier(7)OpenBSD Kernels<pre><code> /bsd Pure kernel executable (the operating system loaded into memory at boot-time). /bsd.mp Pure kernel executable for multiprocessor machines. /bsd.rd Installation kernel. The built-in RAM disk contains utilities which can be run without an external file system, so this kernel is useful for limited system maintenance too. </code></pre> Tune the system<pre><code> sysctl(8) get or set kernel state config(8) modify a kernel </code></pre> Need more help ?<pre><code> FAQ: http://www.openbsd.org/faq/ Manual page: afterboot(8) Mailing list: misc@ </code></pre> Presentations & Papers<pre><code> http://www.openbsd.org/papers/ </code></pre> Supporting OpenBSD<pre><code> Donations [1] OpenBSD Foundation [2] OpenBSD Store [3] </code></pre> Thank you. Feedback: contact@[1] <a href="http://www.openbsd.org/donations.html" rel="nofollow">http://www.openbsd.org/donations.html</a>[2] <a href="http://www.openbsdfoundation.org/" rel="nofollow">http://www.openbsdfoundation.org/</a>[3] <a href="http://www.openbsdstore.com/" rel="nofollow">http://www.openbsdstore.com/</a>

digitalzombie超过 9 年前

Slide 3:> Get the last PF (Packet Filter) featureslast -> latest

评论 #10799935 未加载