ONLamp.com    
 Published on ONLamp.com (http://www.onlamp.com/)
 See this if you're having trouble printing code examples


Building an OpenBSD Live CD

by Kevin Lo
07/14/2005

I recently taught an OpenBSD system administration course for schoolteachers who were interested in maintaining, configuring, and tuning an OpenBSD system in a networked environment. I decided to use a Live CD to teach that course, so that the students wouldn't need to install anything. They didn't even need a hard disk to run OpenBSD out of the box on their PCs! The Live CD I made focused on security, network management tools, the Firefox web browser, and so on.

This article describes the process I used to create a Live CD based on OpenBSD/i386 3.7-current. It should be no problem with 3.7-release either.

Getting Started

Before you start, you need the following:

Construct the System

The first step is to fetch the -current source code. See 5.3.3--Fetching the appropriate source code in the OpenBSD FAQ.

Next, create a /livecd directory in which to keep the CD's contents. Make three backup directories in /livecd:

$ mkdir -p /livecd/backups/{var,etc,dev}

Then, tar up the whole system you want on the final system, and untar it into the /livecd directory (or copy it, directories and all, as you prefer). Copy your /var and /etc directories to /livecd/backups/{var,etc}:

# cp -pR /var /livecd/backups/var
# cp -pR /etc /livecd/backups/etc
# cp -pR /dev/MAKEDEV /livecd/backups/dev

This gives the Live CD its skeleton of files and directories. The next step is to configure the bootable kernel. In the /usr/src/sys/arch/i386/conf directory, move RAMDISK_CD to RAMDISK_CD.OLD, and copy the kernel config file GENERIC to RAMDISK_CD. Then edit the file. Comment out the line containing config bsd swap generic and add the following lines:

option         RAMDISK_HOOKS
option         MINIROOTSIZE=3800
config          bsd root on cd0a

You can also download an example RAMDISK_CD config file. This sets up a ramdisk and allows the root of the system to be on the CD.

With this in place, you'll receive an error message when adding DDB support and friends. To fix it, apply this Makefile.in diff to /usr/src/distrib/i386/common/Makefile.inc:

--- src/distrib/i386/common/Makefile.inc.orig	Thu Mar  3 09:16:02 2005
+++ src/distrib/i386/common/Makefile.inc	Thu Mar  3 09:16:32 2005
@@ -33,8 +33,7 @@
 	newfs -m 0 -o space -i 524288 -c 80 ${VND_RDEV}
 	mount ${VND_DEV} ${MOUNT_POINT}
 	cp ${BOOT} ${.OBJDIR}/boot
-	strip ${.OBJDIR}/boot
-	strip -R .comment ${.OBJDIR}/boot
+	strip -s -R .comment -K cngetc ${.OBJDIR}/boot
 	dd if=${.OBJDIR}/boot of=${MOUNT_POINT}/boot bs=512
 	dd if=bsd.gz of=${MOUNT_POINT}/bsd bs=512
 	/usr/mdec/installboot -v ${MOUNT_POINT}/boot \
@@ -54,8 +53,7 @@
 
 bsd.gz: bsd.rd
 	cp bsd.rd bsd.strip
-	strip bsd.strip
-	strip -R .comment bsd.strip
+	strip -s -R .comment -K cngetc bsd.strip
 	gzip -c9 bsd.strip > bsd.gz
 
 bsd.rd:	${IMAGE} bsd rdsetroot

Apply it with:

# cd /usr
# patch -p0 < patch-Makefile.in

Next, install the crunch package, which helps create crunched binaries for use on boot, install, and fixit floppies. This allows you to fit more on the CD:

# cd /usr/src/distrib/crunch && make && make install

Finally, build the CD by doing a make in the /usr/src/distrib/i386/ramdisk_cd directory:

# cd /usr/src/distrib/i386/ramdisk_cd && make

In the /usr/src/distrib/i386/ramdisk_cd directory, copy the two files bsd and cdrom36.fs to the /livecd directory.

Modify /livecd/etc/{fstab,rc} and /livecd/backups/etc/{fstab,rc} to make booting work right.

Next, edit the CD version of /livecd/etc/rc and /livecd/etc/fstab to mount the appropriate filesystems, and include cd. Finally, edit the backup version of /livecd/backups/etc/rc and /livecd/backups/etc/fstab to include the CD and memory filesystems.

There are three directories (/var, /tmp, and /etc) that need to be writable, so the CD mounts them as memory filesystems (using mfs).

Make the ISO Image

In the /livecd directory, run the following all on one command line:

# mkisofs -b cdrom36.fs -c boot.catalog -R -v -o /tmp/livecd.iso /livecd

After another wait, you'll have a burnable ISO image waiting for you as /tmp/livecd.iso.

Burn the CD

Use cdrecord to burn the ISO image to CD:

# cdrecord -v speed=24 dev=/dev/rcd0c -data /tmp/livecd.iso

OpenBSD Live CD Firewall

I've been using an OpenBSD Live CD for NAT/firewall at school for a while now. The setup is actually quite simple. My internal and external network interfaces are fxp0 and fxp1, respectively. To active PF, and have it start automatically on boot-up, edit /etc/rc.conf.local file and add the line pf=YES.

To enable IP forwarding, make sure that net.inet.ip.forwarding=1 is in /etc/sysctl.conf.

Finally, put your NAT/firewall rules in /etc/pf.conf:

int_if = "fxp0"
ext_if = "fxp1"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
          
# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021

# filter rules
block all

pass quick on lo0 all

# provide unrestricted Internet access to internal computers
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# allow the following incoming traffic to the firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

These rules NAT all traffic from the internal network to the external network and redirect all internal traffic to port 21 (FTP) to port 8021 on the gateway. They also protect against unwanted external traffic coming in, while allowing unrestricted traffic from outgoing internal traffic. It's a good starting place for secure access that you can modify as you need.

Best yet, it's on a CD, so I can have it with me wherever I go.

Resources

Kevin Lo is an OpenBSD developer and a teacher at Kaiping Vocational School.

Mastering FreeBSD and OpenBSD Security

Related Reading

Mastering FreeBSD and OpenBSD Security
By Yanek Korff, Paco Hope, Bruce Potter

Return to the BSD DevCenter.

Copyright © 2009 O'Reilly Media, Inc.