In today's Internet-centric computing world, networking components are a paramount feature of any system worth its salt. Easily falling into that category, OpenBSD contains strong network code and configuration interfaces which, with a little research and learning, can be put to powerful use. This series of articles aims to illustrate that with practical examples and direct application to real-world situations.
In contrast to its sysv counterparts like Linux, OpenBSD has a very different way of controlling network interfaces and setting parameters. Other competing systems commonly use menu-based or graphical configuration utilities to make the administrator's life easier. OpenBSD chooses to stray from this, instead focusing their efforts on the functionality and correctness of its networking components. The example being used here is the setup of a gateway machine with one PPP interface and one Ethernet interface.
The first thing you'll want to do when configuring an OpenBSD machine to participate on a network is set basic parameters on the network interfaces. First, using an Ethernet interface (in this case a Sun workstation) called le0:
# ifconfig le0 192.168.0.1 up netmask 255.255.255.0
A breakdown of this syntax:
ifconfig- Interface Config utility
le0- The network interface in question
192.168.0.1- The interface's IP address
up- Whether to raise the interface (up) or drop it (down)
netmask 255.255.255.0- The interface's netmask
To display the results of this, issue the command:
# ifconfig -a
This will display all network interface configuration/status information.
Once interface parameters have been set, the system stores them
automatically. Some other parameters such as static default routes and
interface IP addresses can be stored in
/etc/hostname.interface respictively in a simple format:
# /etc/mygate 188.8.131.52 # /etc/hostname.ep0 inet 184.108.40.206 255.255.255.248 NONE
Althought ifconfig is the primary tool for interface control and
manipulation, checking status is more commonly done using
(Network Statistics Utility). Simply running the command:
will produce a list of active TCP connections. Running the command:
# netstat -i
will provide a slightly more usable listing of interface information, which will look roughly like:
This shows the network statistics both for the overall interface and with openbsd.org, with which it has been in frequent communication. It is interesting to note that this method of configuration and network diagnostics differs only very slightly from that of Linux and other systems, but their users will primarily set this information using linuxconf, YaST, or other point-and-click tools.
As a truly Internetworked operating system, OpenBSD has the functionality to control your network's WAN interface(s) and act as a router. However, support for things like frame relay and DDS is nonexistent and ISDN support is very limited. The majority of people using OpenBSD on a WAN implement PPP over an analogue modem. OpenBSD has stepped up from using the raw pppd (Point to Point Protocol Daemon) to control PPP, having developed a userland interface called simply ppp. The ppp utility is controlled by the file /etc/ppp/ppp.conf. Some examples:
default: # The default section of ppp.conf contains # some simple global options. set log Phase Chat LCP IPCP CCP tun command set device /dev/tty00 # Tells ppp the modem is connected to tty00 (com1) set speed 38400 # Modem's maximum connection baud is 38400 myisp: # This section contains values specific # to the connection you're using. set phone 96724222 # Dial 96724222 to connect. set login set authname myusername set authkey mypassword # Login using pap/chap as myusername/mypassword add default HISADDR # Set the upstream machine as the defaultroute
With this configuration in place, invoking ppp to dial is as simple as running:
# ppp -ddial myisp
The final stage in setting up a machine to act as a small network
gateway is to implement the routing. Most commonly in this situation
you would have internal addresses on the inside of the gateway and use
network address translation (NAT) to perform the gatewaying. This will be discussed in a later
installment; here we only cover basic routing.
OpenBSD uses the standard Unix routing tool
route. Syntax differs
slightly from other systems, but the premise remains the same. To
print your existing routing table, issue the command:
# route -n show
-n flag tells route not to try to perform any hostname lookups
and to use IP addresses only, with
show telling it to print the routing
table. The output for this example should look roughly like:
Destination Gateway Flags default 220.127.116.11 UG 192.168.0.0 link#1 U 192.168.0.5 0:20:af:5c:4a:f3 UH
The first line shows the default gateway (the other end of the PPP
link) as being 18.104.22.168. The second line is for the internal
address range of 192.168.0.1 to go through link#1 (le0). The third
line is for 192.168.0.5, a frequently used workstation. In this case,
our OpenBSD machine has mapped the MAC address of the workstation
directly for faster routing. Let us assume we want to add the address
range of 192.168.1.* to the network. The 192.168.0.* and 192.168.1.*
machines do not need to talk to each other, but they both need to talk
to the server. They are all physically cabled on the same
network. First, you would add a virtual interface so that le0 had both
the addresses 192.168.0.1 and 192.168.1.1. This is done by editing
/etc/ifaliases to contain the line:
le0 192.168.1.1 255.255.255.0
Secondly, add the route for the 192.168.1.1 range by issuing the command:
# route add 192.168.1.0 192.168.1.1
A simple breakdown of this command:
route- route utility
add- add a route to the table
192.168.1.0- target address range
192.168.1.1- IP to use as a gateway (in this case, a local one)
This all in place, you should have a nice secure OpenBSD gateway to the Internet. The majority of people are using Linux FreeBSD and Windows NT for this kind of application, but, as has been demonstrated, it's not difficult to produce a gateway using OpenBSD that will run on nearly any hardware and provide superior security and unprecedented reliability.
David Jorm has been involved with open source and security projects for several years, originally with OpenBSD and Debian GNU/Linux, now with the development team at wiretapped.net.
Discuss this article in the Operating Systems Forum.
Return to the BSD DevCenter.
Copyright © 2009 O'Reilly Media, Inc.