Published on ONLamp.com (http://www.onlamp.com/)


OpenBSD Explained

Introduction to OpenBSD Networking

06/13/2000

In today's Internet-centric computing world, networking components are a paramount feature of any system worth its salt. Easily falling into that category, OpenBSD contains strong network code and configuration interfaces which, with a little research and learning, can be put to powerful use. This series of articles aims to illustrate that with practical examples and direct application to real-world situations.

In contrast to its sysv counterparts like Linux, OpenBSD has a very different way of controlling network interfaces and setting parameters. Other competing systems commonly use menu-based or graphical configuration utilities to make the administrator's life easier. OpenBSD chooses to stray from this, instead focusing its efforts on the functionality and correctness of its networking components. The example used here is the setup of a gateway machine with one PPP interface and one Ethernet interface.

Interface control

The first thing you'll want to do when configuring an OpenBSD machine to participate on a network is set basic parameters on the network interfaces. First, using an Ethernet interface (in this case a Sun workstation) called le0:

# ifconfig le0 192.168.0.1 up netmask 255.255.255.0

A breakdown of this syntax:

le0 - the interface being configured (here the Ethernet interface of a Sun workstation)
192.168.0.1 - the IP address to assign to the interface
up - mark the interface as active
netmask 255.255.255.0 - the subnet mask to use with that address

To display the results of this, issue the command:

# ifconfig -a

This will display all network interface configuration/status information.

Once interface parameters have been set, the system stores them automatically. Some other parameters, such as static default routes and interface IP addresses, can be stored in /etc/mygate and /etc/hostname.interface respectively, in a simple format:


# /etc/mygate
203.25.128.33
# /etc/hostname.ep0
inet 210.8.218.252 255.255.255.248 NONE
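Before typing an address and netmask into ifconfig, or committing them to /etc/hostname.IF, it is worth checking that the pair is well formed and implies the network you expect. The following POSIX sh script is an added example, not code from the article or from OpenBSD, and every function name in it is its own. It validates both values, emits the ifconfig command and the hostname.if line in the formats shown above, derives the network, prefix length and broadcast address, and adds a same-subnet check that generalises to any Ethernet gateway address (it does not apply to a PPP peer, which is reached point-to-point).

```shell
#!/bin/sh
# Added example, not from the article: sanity-check an address/netmask pair
# before handing it to ifconfig or writing it into /etc/hostname.IF, and
# derive the network, broadcast and prefix length the pair implies.
# POSIX sh only; every function name here is this example's own.

# ip_valid ADDR -> 0 if ADDR is four decimal octets, each in 0..255
ip_valid() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ipv_ifs=$IFS; IFS=.
    set -- $1
    IFS=$ipv_ifs
    [ $# -eq 4 ] || return 1
    for ipv_o in "$@"; do
        case $ipv_o in 0?*) return 1 ;; esac   # no leading zeros: "08" is not an octet
        [ "$ipv_o" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int ADDR -> prints ADDR as a 32-bit integer (ADDR assumed valid)
ip_to_int() {
    iti_ifs=$IFS; IFS=.
    set -- $1
    IFS=$iti_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> prints the dotted-quad form of N
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_valid MASK -> 0 if MASK is a run of one bits followed by zero bits
mask_valid() {
    ip_valid "$1" || return 1
    mv_inv=$(( ~$(ip_to_int "$1") & 0xFFFFFFFF ))
    # the inverted mask must be 2^k - 1, i.e. share no bit with itself + 1
    [ $(( mv_inv & (mv_inv + 1) )) -eq 0 ]
}

# mask_prefix MASK -> prints the prefix length, e.g. 255.255.255.248 -> 29
mask_prefix() {
    mp_m=$(ip_to_int "$1"); mp_n=0
    while [ "$mp_m" -ne 0 ]; do
        mp_n=$(( mp_n + (mp_m & 1) )); mp_m=$(( mp_m >> 1 ))
    done
    echo "$mp_n"
}

# network_of ADDR MASK / broadcast_of ADDR MASK -> dotted-quad results
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}
broadcast_of() {
    int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 0xFFFFFFFF) ))
}

# same_subnet A B MASK -> 0 if A and B lie in the same network under MASK
# (the check to run on an Ethernet default gateway; a PPP peer such as the
# one named in /etc/mygate above is a point-to-point neighbour and need not match)
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# hostname_if_line ADDR MASK -> the /etc/hostname.IF line in the article's
# format ("inet ADDR MASK NONE"); fails on a malformed address or mask
hostname_if_line() {
    ip_valid "$1" && mask_valid "$2" || return 1
    echo "inet $1 $2 NONE"
}

# ifconfig_cmd IF ADDR MASK -> the equivalent ifconfig(8) invocation
ifconfig_cmd() {
    ip_valid "$2" && mask_valid "$3" || return 1
    echo "ifconfig $1 $2 up netmask $3"
}

# Usage (script name is hypothetical): sh addrcheck.sh IF ADDR MASK
if [ $# -eq 3 ]; then
    ifconfig_cmd "$1" "$2" "$3" || { echo "bad address or mask" >&2; exit 1; }
    hostname_if_line "$2" "$3"
    echo "network $(network_of "$2" "$3")/$(mask_prefix "$3") broadcast $(broadcast_of "$2" "$3")"
fi
```

Run with the article's second interface, `sh addrcheck.sh ep0 210.8.218.252 255.255.255.248`, and it reports the /29 network 210.8.218.248 with broadcast 210.8.218.255, which is the first thing to confirm when an upstream provider hands you a small block.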

Although ifconfig is the primary tool for interface control and manipulation, checking status is more commonly done using netstat (Network Statistics Utility). Simply running the command:

# netstat

will produce a list of active TCP connections. Running the command:

# netstat -i

will provide a slightly more usable listing of interface information, which will look roughly like:

Listing of netstat -i command.

This shows the network statistics both for the overall interface and with openbsd.org, with which it has been in frequent communication. It is interesting to note that this method of configuration and network diagnostics differs only very slightly from that of Linux and other systems, but their users will primarily set this information using linuxconf, YaST, or other point-and-click tools.

WAN interface control

As a truly Internetworked operating system, OpenBSD has the functionality to control your network's WAN interface(s) and act as a router. However, support for things like frame relay and DDS is nonexistent and ISDN support is very limited. The majority of people using OpenBSD on a WAN implement PPP over an analogue modem. OpenBSD has stepped up from using the raw pppd (Point to Point Protocol Daemon) to control PPP, having developed a userland interface called simply ppp. The ppp utility is controlled by the file /etc/ppp/ppp.conf. Some examples:

default:
 # The default section of ppp.conf contains
 # some simple global options.
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/tty00
 # Tells ppp the modem is connected to tty00 (com1)
 set speed 38400
 # Modem's maximum connection baud is 38400
myisp:
 # This section contains values specific
 # to the connection you're using.
 set phone 96724222
 # Dial 96724222 to connect.
 set login
 set authname myusername
 set authkey mypassword
 # Login using pap/chap as myusername/mypassword
 add default HISADDR
 # Set the upstream machine as the default route

With this configuration in place, invoking ppp to dial is as simple as running:

# ppp -ddial myisp
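Two things go wrong with ppp.conf in practice: a line that loses its indentation or its leading "#" is read by ppp as a new label instead of a command or comment, and the file holds the PAP/CHAP secret from "set authkey" in clear text, so it must not be readable by other users. The following POSIX sh script is an added example, not code from the article or from OpenBSD; its function names and both sample configurations are its own, and the broken sample reproduces the kind of mistake a mangled comment causes.

```shell
#!/bin/sh
# Added example, not from the article: a small lint for /etc/ppp/ppp.conf.
# ppp(8) takes a label as a word in column 0 ending in ":" and expects every
# command beneath it to be indented, so a stray line at column 0 is read as a
# new label rather than ignored. Because "set authkey" keeps the PAP/CHAP
# secret in clear text, the file is also checked for owner-only permissions.
# Function names and both sample configurations are this example's own.

# Constructed sample in the layout the article describes
PPP_CONF_OK='default:
 # global options
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/tty00
 set speed 38400
myisp:
 set phone 96724222
 set login
 set authname myusername
 set authkey mypassword
 add default HISADDR'

# Constructed broken sample: a comment continued without "#", and a command
# that lost its indentation
PPP_CONF_BAD='default:
 set device /dev/tty00
# This section contains values specific to the connection you are
using.
set phone 96724222'

# ppp_conf_lint < FILE -> prints one line per problem; exit 0 when clean
ppp_conf_lint() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank line
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { label = $1; next }  # label line
        /^[ \t]/ {                                        # indented: a command
            if (label == "") { print "line " NR ": command before any label"; bad = 1 }
            next
        }
        { print "line " NR ": unindented text \"" $0 "\" would be read as a label"; bad = 1 }
        END { exit bad }
    '
}

# ppp_conf_private FILE -> 0 if FILE grants no group or other permissions
# (parses the mode column of ls -l, which is portable across BSD and GNU)
ppp_conf_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (script name is hypothetical): sh pppconf-lint.sh /etc/ppp/ppp.conf
if [ $# -eq 1 ]; then
    ppp_conf_lint < "$1" || exit 1
    ppp_conf_private "$1" || { echo "$1: readable by others; chmod 600 it" >&2; exit 1; }
    echo "$1: ok"
fi
```

Running the lint over the broken sample reports lines 4 and 5, exactly the two lines that ppp would have misread; a clean file produces no output and exit status 0.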


Routing

The final stage in setting up a machine to act as a small network gateway is to implement the routing. Most commonly in this situation you would have internal addresses on the inside of the gateway and use network address translation (NAT) to perform the gatewaying. This will be discussed in a later installment; here we only cover basic routing. OpenBSD uses the standard Unix routing tool route. Syntax differs slightly from other systems, but the premise remains the same. To print your existing routing table, issue the command:

# route -n show

The -n flag tells route not to try to perform any hostname lookups and to use IP addresses only, with show telling it to print the routing table. The output for this example should look roughly like:

Destination   Gateway            Flags
default       203.25.128.33      UG
192.168.0.0   link#1             U
192.168.0.5   0:20:af:5c:4a:f3   UH

The first line shows the default gateway (the other end of the PPP link) as being 203.25.128.33. The second line is for the internal address range to which 192.168.0.1 belongs, reached directly via link#1 (le0). The third line is for 192.168.0.5, a frequently used workstation; here our OpenBSD machine has mapped the workstation's MAC address directly for faster routing.

Let us assume we want to add the address range 192.168.1.* to the network. The 192.168.0.* and 192.168.1.* machines do not need to talk to each other, but both need to talk to the server, and they are all physically cabled on the same network. First, you would add a virtual interface so that le0 has both the addresses 192.168.0.1 and 192.168.1.1. This is done by editing /etc/ifaliases to contain the line:

le0 192.168.1.1 255.255.255.0

Secondly, add the route for the 192.168.1.1 range by issuing the command:

# route add 192.168.1.0 192.168.1.1

A simple breakdown of this command:

route add - add a new entry to the routing table
192.168.1.0 - the destination, the 192.168.1.* network added above
192.168.1.1 - the gateway for that destination; as this is the alias address just given to le0, traffic for 192.168.1.* is delivered directly on the local Ethernet
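Once the routes are in place, the routing table is the thing to verify after every reboot: a default route that points somewhere other than the address in /etc/mygate means the gateway's traffic is leaving by a path you did not choose. The following POSIX sh script is an added example, not code from the article or from OpenBSD. It reads the text of `route -n show` on standard input, extracts the default gateway, compares it with the expected value, lists host routes and expands the flag letters; the sample table is constructed to match the listing above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the article: read the text of `route -n show`
# (fed on stdin) and answer the questions a gateway administrator checks
# after boot: which gateway the default route points at, whether that matches
# what /etc/mygate was meant to set, and which host routes exist.
# Function names are this example's own; the sample table is constructed to
# match the layout shown in the article.

SAMPLE_ROUTES='Destination   Gateway          Flags
default       203.25.128.33    UG
192.168.0.0   link#1           U
192.168.0.5   0:20:af:5c:4a:f3 UH'

# default_gateway < TABLE -> prints the gateway of the "default" entry,
# nothing if there is none
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# check_default_gateway EXPECTED < TABLE -> 0 only if a default route exists
# and its gateway is EXPECTED (silently accepting any other default gateway
# is how a mis-set /etc/mygate, or a route added by hand, goes unnoticed)
check_default_gateway() {
    cdg_gw=$(default_gateway)
    [ -n "$cdg_gw" ] && [ "$cdg_gw" = "$1" ]
}

# host_routes < TABLE -> destinations carrying the H (host) flag, one per line
host_routes() {
    awk 'NR > 1 && $3 ~ /H/ { print $1 }'
}

# flags_describe FLAGS -> spells out the flag letters used in the listing
flags_describe() {
    fd_out=""; fd_rest=$1
    while [ -n "$fd_rest" ]; do
        fd_c=${fd_rest%"${fd_rest#?}"}; fd_rest=${fd_rest#?}   # pop first char
        case $fd_c in
            U) fd_w=up ;; G) fd_w=gateway ;; H) fd_w=host ;; *) fd_w="?$fd_c" ;;
        esac
        fd_out="$fd_out${fd_out:+,}$fd_w"
    done
    echo "$fd_out"
}

# Usage (script name is hypothetical): route -n show | sh routecheck.sh 203.25.128.33
if [ $# -eq 1 ]; then
    rc_table=$(cat)
    if printf '%s\n' "$rc_table" | check_default_gateway "$1"; then
        echo "default gateway is $1 as expected"
    else
        echo "WARNING: default gateway is '$(printf '%s\n' "$rc_table" | default_gateway)', expected $1" >&2
        exit 1
    fi
    printf '%s\n' "$rc_table" | awk 'NR > 1 { print $1, $2, $3 }' | while read -r dst gw fl; do
        echo "$dst via $gw ($(flags_describe "$fl"))"
    done
fi
```

The expected gateway is passed as an argument rather than read from /etc/mygate so the same check works on a PPP gateway, where the default route comes from ppp's "add default HISADDR" and /etc/mygate may not exist.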

With all this in place, you should have a nice secure OpenBSD gateway to the Internet. The majority of people are using Linux, FreeBSD and Windows NT for this kind of application, but, as has been demonstrated, it's not difficult to produce a gateway using OpenBSD that will run on nearly any hardware and provide superior security and unprecedented reliability.

David Jorm has been involved with open source and security projects for several years, originally with OpenBSD and Debian GNU/Linux, now with the development team at wiretapped.net.



Copyright © 2009 O'Reilly Media, Inc.