I recently taught an OpenBSD system administration course for schoolteachers who were interested in maintaining, configuring, and tuning an OpenBSD system in a networked environment. I decided to use a Live CD to teach that course, so that the students wouldn't need to install anything. They didn't even need a hard disk to run OpenBSD out of the box on their PCs! The Live CD I made focused on security, network management tools, the Firefox web browser, and so on.
This article describes the process I used to create a Live CD based on OpenBSD/i386 3.7-current. It should work with 3.7-release as well.
Before you start, you need the following:
The first step is to fetch the -current source code. See 5.3.3--Fetching the appropriate source code in the OpenBSD FAQ.
Next, create a /livecd directory in which to keep the CD's contents. Make three backup directories in /livecd:
$ mkdir -p /livecd/backups/{var,etc,dev}
Then tar up the system you want on the CD and untar it into the /livecd directory (or copy it over, directory tree and all, as you prefer). Copy your /var and /etc directories, and the /dev/MAKEDEV script, into /livecd/backups/{var,etc,dev}:
# cp -pR /var /livecd/backups/var
# cp -pR /etc /livecd/backups/etc
# cp -pR /dev/MAKEDEV /livecd/backups/dev
This gives the Live CD its skeleton of files and directories. The next
step is to configure the bootable kernel. In the
/usr/src/sys/arch/i386/conf directory, move RAMDISK_CD to
RAMDISK_CD.OLD, and copy the kernel config file GENERIC to
RAMDISK_CD. Then edit the file. Comment out the line containing
config bsd swap generic and add the following lines:
option RAMDISK_HOOKS
option MINIROOTSIZE=3800
config bsd root on cd0a
You can also download an example RAMDISK_CD config file. This sets up a ramdisk and allows the root of the system to be on the CD.
With this in place, you'll get an error message when adding DDB support and friends. To fix it, apply this Makefile.in diff to /usr/src/distrib/i386/common/Makefile.inc:
--- src/distrib/i386/common/Makefile.inc.orig Thu Mar 3 09:16:02 2005
+++ src/distrib/i386/common/Makefile.inc Thu Mar 3 09:16:32 2005
@@ -33,8 +33,7 @@
newfs -m 0 -o space -i 524288 -c 80 ${VND_RDEV}
mount ${VND_DEV} ${MOUNT_POINT}
cp ${BOOT} ${.OBJDIR}/boot
- strip ${.OBJDIR}/boot
- strip -R .comment ${.OBJDIR}/boot
+ strip -s -R .comment -K cngetc ${.OBJDIR}/boot
dd if=${.OBJDIR}/boot of=${MOUNT_POINT}/boot bs=512
dd if=bsd.gz of=${MOUNT_POINT}/bsd bs=512
/usr/mdec/installboot -v ${MOUNT_POINT}/boot \
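Review bot: the only functional change on the new line is `-K cngetc` (keep that one symbol while `-s` strips everything else), yet nothing in the hunk records why cngetc must survive in the boot loader; add a comment above the strip line so a later cleanup does not fold it back into a plain `strip -s`. The same three flags reappear in the bsd.strip hunk below, so a single make variable (e.g. a hypothetical `STRIPFLAGS= -s -R .comment -K cngetc`) would keep both call sites in sync.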
@@ -54,8 +53,7 @@
bsd.gz: bsd.rd
cp bsd.rd bsd.strip
- strip bsd.strip
- strip -R .comment bsd.strip
+ strip -s -R .comment -K cngetc bsd.strip
gzip -c9 bsd.strip > bsd.gz
bsd.rd: ${IMAGE} bsd rdsetroot
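Review bot: `strip -s` here removes every symbol from bsd.strip except the kept cngetc, so `-K` can only work if the symbol is actually present in the unstripped bsd.rd; verifying that with `nm bsd.rd | grep cngetc` before the strip would turn a silent no-op into a visible build failure. The intermediate bsd.strip is also left on disk after `gzip -c9`; confirm it is listed in the Makefile's clean target so stale copies are not reused.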
Apply it with:
# cd /usr
# patch -p0 < patch-Makefile.in
Next, install the crunch package, which helps create crunched
binaries for use on boot, install, and fixit floppies. This allows you to fit
more on the CD:
# cd /usr/src/distrib/crunch && make && make install
Finally, build the CD by doing a make in the
/usr/src/distrib/i386/ramdisk_cd directory:
# cd /usr/src/distrib/i386/ramdisk_cd && make
In the /usr/src/distrib/i386/ramdisk_cd directory, copy the two files bsd and cdrom36.fs to the /livecd directory.
Next, modify /livecd/etc/{fstab,rc} and /livecd/backups/etc/{fstab,rc} so that booting works correctly. Edit the CD versions, /livecd/etc/rc and
/livecd/etc/fstab, to mount the appropriate filesystems, including the CD. Then edit the backup versions, /livecd/backups/etc/rc and
/livecd/backups/etc/fstab, to include the CD and the memory filesystems.
Three directories (/var, /tmp, and /etc) need to be writable, so the CD mounts them as memory filesystems (using mfs).
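The article does not reproduce its rc and fstab edits, so the following is an added example of how the boot-time step can be written, not the author's own rc. The mfs sizes, the /backups path (where /livecd/backups ends up once the CD is root), the LIVECD_RC switch and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's rc: boot-time setup for a read-only
# cd9660 root with /etc, /var, /tmp and /dev on memory filesystems (mfs).
# Sizes are in 512-byte sectors and are assumptions. The mfs mounts are
# done here rather than via fstab, because /etc/fstab is hidden as soon as
# an mfs is mounted over /etc. Assumed root line on the CD's fstab:
#   /dev/cd0a  /  cd9660  ro  0 0

BACKUP_ROOT=${BACKUP_ROOT:-/backups}   # /livecd/backups as seen from the CD

# Mount an mfs of $2 sectors on $1. nodev/nosuid keep the writable
# directories from becoming a place to stage device nodes or setuid files.
mount_mem() {
    dir=$1; sectors=$2; opts=${3:-nodev,nosuid}
    mount_mfs -o "$opts" -s "$sectors" swap "$dir"
}

# Copy a read-only backup tree into a freshly mounted writable directory.
# Returns 1 when the backup is missing so rc can fall back to a bare mfs.
restore_dir() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "restore_dir: no backup at $src" >&2; return 1; }
    # -p keeps modes and owners (matters for master.passwd and ssh host
    # keys); the trailing /. copies the contents, not the directory itself.
    cp -pR "$src/." "$dst/"
}

# Device nodes cannot live on cd9660, so /dev is an mfs rebuilt with the
# MAKEDEV script that was saved into backups/dev.
rebuild_dev() {
    dev=$1; makedev=$2
    [ -f "$makedev" ] || return 1
    cp -p "$makedev" "$dev/MAKEDEV" && (cd "$dev" && sh MAKEDEV all)
}

# Entry point called early from the CD's rc; does nothing otherwise.
livecd_setup() {
    mount_mem /tmp 32768 && chmod 1777 /tmp || return 1
    mount_mem /var 32768 || return 1
    mount_mem /etc 16384 || return 1
    restore_dir "$BACKUP_ROOT/etc" /etc || return 1
    restore_dir "$BACKUP_ROOT/var" /var || return 1
    mount_mem /dev 4096 nosuid || return 1        # device nodes need dev
    rebuild_dev /dev "$BACKUP_ROOT/dev/MAKEDEV"
}

if [ "${LIVECD_RC:-no}" = yes ]; then livecd_setup; fi
```

Anything written to /etc or /var on the running CD lives only in the mfs and is gone at the next boot, which is the point: the CD's copies in /backups stay pristine.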
In the /livecd directory, run the following all on one command line:
# mkisofs -b cdrom36.fs -c boot.catalog -R -v -o /tmp/livecd.iso /livecd
After another wait, you'll have a burnable ISO image waiting for you as /tmp/livecd.iso.
Use cdrecord to burn the ISO image to CD:
# cdrecord -v speed=24 dev=/dev/rcd0c -data /tmp/livecd.iso
I've been using an OpenBSD Live CD as a NAT/firewall at school for a while
now. The setup is actually quite simple. My internal and external network
interfaces are fxp0 and fxp1, respectively. To
activate PF and have it start automatically on boot-up, edit the
/etc/rc.conf.local file and add the line pf=YES.
To enable IP forwarding, make sure that
net.inet.ip.forwarding=1 is in /etc/sysctl.conf.
Finally, put your NAT/firewall rules in /etc/pf.conf:
int_if = "fxp0"
ext_if = "fxp1"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021
# filter rules
block all
pass quick on lo0 all
# provide unrestricted Internet access to internal computers
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# allow the following incoming traffic to the firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
These rules NAT all traffic from the internal network to the external network and redirect all internal traffic destined for port 21 (FTP) to port 8021 on the gateway. They also block unwanted external traffic coming in, while allowing unrestricted outgoing traffic from the internal network. It's a good starting place for secure access that you can modify as you need.
Best yet, it's on a CD, so I can have it with me wherever I go.
Kevin Lo is an OpenBSD developer and a teacher at Kaiping Vocational School.
Copyright © 2007 O'Reilly Media, Inc.