NetBSDFreeBSDOpenBSDDragonFlyBSD

OpenBSD

OpenBSD is a UNIX-like operating system, forked from NetBSD in 1995 by Theo de Raadt. Designed to be secure by default, OpenBSD includes notable security features such as unveil and pledge, which help enforce application security policies and restrict system resource access.

Objectives of this document

Get an overview of OpenBSD, starting with version 7.5:

Context

Installation release (7.5)

ISO: https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/install75.iso (603 MB)

Installation Note

Shutdown the box

Type:halt -p

Configuring the network

The hostname

Apply the new name (obsd.lab.local) editing the file /etc/myname :obsd.lab.local

Apply now:hostname -s obsd.lab.local

For a Static IP Address (IP: 192.168.1.26)

Set the static IP address modifying the file /etc/hostname.hvn0 :inet 192.168.1.26 255.255.255.0

Set the gateway IP address modifying the file /etc/mygate :192.168.1.1

Resolving DNS, change the file /etc/resolv.conf:nameserver 8.8.8.8
nameserver 8.8.4.4
lookup file bind

Restart the network stack to apply the changes:sh /etc/netstart hvn0

DHCP Configuration:

Let's change the file /etc/hostname.hvn0 :inet autoconf

Then, remove the old IP address:ifconfig hvn0 delete 192.168.1.26
rm /etc/mygate
route flush

Get the new IP address:dhcpleasectl hvn0


Don't forget to change your /etc/hosts file.

Finally, check the result with: ifconfig hvn0

You can also check your Internet connection with: ping yahoo.fr

Adding a User

You can interactively use the command:adduser

The hard way:

To add a user named admin:useradd -m admin

Allow admin to use su for administration:usermod -G wheel admin

Assign a password to admin:passwd admin


Check the results with: id admin

You can now use ssh to administrate the box remotely:ssh admin@IP_ADDRESS

Sudo?

OpenBSD does not include sudo by default. However, you can install it using:pkg_add sudo

OpenBSD comes with doas as an alternative. To use doassomething, configure the file /etc/doas.conf by referring to the man pages for doas.conf(5) and doas(1), or use the example at /etc/examples/doas.conf.

Installing nginx

While OpenBSD includes httpd by default, this tutorial will focus on installing Nginx to demonstrate how to install a package in OpenBSD.

Let's install nginx:pkg_add nginx

You can read the documentation at: /usr/local/share/doc/pkg-readmes/nginx

The configuration file is here: /etc/nginx/nginx.conf

No need to tune it. It is enough for our test.

By default nginx is chrooted in /var/www, and the default root web directory is /var/www/htdocs.

Configuring Daemons

Enable nginx at startup:rcctl enable nginx

Start nginx: rcctl start nginx

Creating an HTML File

cd /var/www/htdocs
echo '<h1>It works!</h1>' > index.html

You can now browse the test page from another computer by navigating to http://<IP_ADDRESS>.

Configuring the Firewall

OpenBSD uses Packet Filter (PF) for firewalling.

It is enabled by default.

Change the file /etc/pf.conf (allow only ping/ssh/www from anywhere):set skip on lo
block log all
pass in on egress inet proto icmp all icmp-type echoreq
pass in on egress inet proto tcp from any to any port {ssh, www}
pass out

Let's load the new PF rules!pfctl -f /etc/pf.conf


ActionCommand
Check the rules syntaxpfctl -nf /etc/pf.conf
Apply new rulespfctl -f /etc/pf.conf
View active rulespfctl -s rules
Flush current rulespfctl -F rules
Disable PFpfctl -d
Enable PFpfctl -e
Check logstcpdump -nettti pflog0

Updating the System

Use simply syspatch to update the userland/kernel and pkg_add -u to update binary packages.

You can see the patches at https://www.openbsd.org/errata.html.

Upgrading OpenBSD

To upgrade from version 7.5 to 7.6:

Read: https://www.openbsd.org/faq/upgrade76.html

Run sysupgrade, the program will download all the install sets, verify their signatures, and reboot to perform the upgrade automatically. In some cases, configuration files cannot be modified automatically, you need to run sysmerge to check and perform these configuration changes.


Finish up by upgrading the packages using pkg_add -u.

Oh, don't forget to update the userland/kernel for this version (7.4):syspatch

You can check your version, using: uname -a

Disk usage (sample)

Type: df -hThe results:Filesystem Size Used Avail Capacity Mounted on
/dev/sd0a 902M 123M 735M 15% /
/dev/sd0e 826M 20.0K 785M 1% /home
/dev/sd0d 2.9G 1.8G 1017M 64% /usr

What else?

The kernel: /bsd

Hypervisor: vmm(4)

Default MTA: OpenSMTPD

Pros vs. Cons

Pros

Cons

You can read more on OpenBSD, 👉 https://www.openbsdjumpstart.org

Last update: 2024/08/03

Click to top.