/etc
.
Typically, these settings are initially configured during the
installation process.
fxp0 at pci0 dev 10 function 0 "Intel 82557" rev 0x0c: irq 5, address 00:02:b3:2b:10:f7 inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4This device uses the fxp(4) driver and is assigned the number 0 here.
The ifconfig(8) utility will show what network interfaces have been identified on a system.
$ ifconfig lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200 index 3 priority 0 llprio 3 groups: lo inet 127.0.0.1 netmask 0xff000000 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:02:b3:2b:10:f7 index 1 priority 0 llprio 3 media: Ethernet autoselect (100baseTX full-duplex) status: active inet 10.0.0.38 netmask 0xffffff00 broadcast 10.0.0.255 enc0: flags=0<> index 2 priority 0 llprio 3 groups: enc status: active pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200 index 4 priority 0 llprio 3 groups: pflogThis sample shows only one physical Ethernet interface:
fxp0
.
An IP is configured on it, hence the values
inet 10.0.0.38 netmask 0xffffff00 broadcast 10.0.0.255
.
The UP
and RUNNING
flags are also set on it.
The netstart(8) script configures
network interfaces at boot time using
hostname.if(5) files, where
"if" is replaced by the full name of each interface.
The example above would use the file /etc/hostname.fxp0
, containing
the following options:
inet 10.0.0.38 255.255.255.0This
hostname.fxp0
file also has an interactive equivalent:
# ifconfig fxp0 10.0.0.38 255.255.255.0Several other interfaces come enabled by default. These are virtual interfaces that serve various functions. The following manual pages describe them:
create
subcommand.
/etc/myname
and /etc/mygate
files are read by the
netstart(8) script.
Both of these files consist of a single line, specifying the fully qualified
domain name of the system and the address of the gateway host, respectively.
The /etc/mygate
file need not exist on all systems.
See myname(5) for more details.
$ cat /etc/resolv.conf search example.com nameserver 125.2.3.4 nameserver 125.2.3.5 lookup file bindHere the default domain name will be
example.com
, there will
be two name servers (125.2.3.4
and 125.2.3.5
)
and the hosts(5) file will be
consulted before the name servers.
# sh /etc/netstartA few warnings may be produced when running this script if the interfaces have already been configured. Use ifconfig(8) to make sure the interfaces were set up correctly.
Even though it's possible to completely reconfigure networking on a running OpenBSD system, a reboot is recommended after any significant changes.
$ netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Mtu Prio Iface default 10.0.0.1 UGS 4 16 - 12 fxp0 224/4 127.0.0.1 URS 0 0 32768 8 lo0 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UH 2 15 32768 1 lo0 10.0.0/24 link#1 UC 1 4 - 4 fxp0 10.0.0.1 aa:0:4:0:81:d UHL 1 11 - 1 fxp0 10.0.0.38 127.0.0.1 UGHS 0 0 - 1 lo0 $ route show Routing tables Internet: Destination Gateway Flags Refs Use Mtu Prio Iface default 10.0.0.1 UGS 4 16 - 12 fxp0 base-address.mcast localhost URS 0 0 32768 8 lo0 loopback localhost UGRS 0 0 32768 8 lo0 localhost localhost UH 2 15 32768 1 lo0 10.0.0/24 link#1 UC 1 4 - 4 fxp0 10.0.0.1 aa:0:4:0:81:d UHL 1 11 - 1 fxp0 10.0.0.38 localhost UGHS 0 0 - 1 lo0
In this example, two aliases are added to the interface dc0
,
which was configured as 192.168.0.2
with a netmask of
255.255.255.0
.
$ cat /etc/hostname.dc0 inet 192.168.0.2 255.255.255.0 inet alias 192.168.0.3 255.255.255.255 inet alias 192.168.0.4 255.255.255.255Once this file has been created, run netstart or reboot. To view all aliases, use
ifconfig -A
.
inet autoconfOpenBSD will gather its IP address, default gateway, and DNS servers from the DHCP server at startup time. Other options can be specified in dhcpleased.conf(5).
To get an IP via DHCP from the command line, run:
# ifconfig xl0 inet autoconfReplace
xl0
with the interface name.
# rcctl enable dhcpdOn the next boot, dhcpd will run and attach to all NICs that have valid configurations in dhcpd.conf(5). Individual interfaces may be specified instead by naming them explicitly:
# rcctl set dhcpd flags em1 em2An example
/etc/dhcpd.conf
file might look like this:
# Home subnet 192.168.1.0 netmask 255.255.255.0 { option domain-name-servers 192.168.1.2; option routers 192.168.1.1; range 192.168.1.3 192.168.1.50; } # Guests subnet 172.16.0.0 netmask 255.255.255.0 { option domain-name-servers 1.2.3.4, 5.6.7.8; option routers 172.16.0.1; range 172.16.0.2 172.16.0.254; }There are two subnets in this example: a home network and a guest network. Clients will automatically be given an IP address and pointed to the gateway and DNS servers specified in their respective sections of the config file. See dhcp-options(5) for more options.
The following cards support Host-based Access Point (HostAP) mode, permitting them to be used as a wireless access point:
media
subcommand shows media capabilities of network interfaces.
For wireless devices, it displays supported 802.11a/b/g/n media modes and the
supported operating modes (hostap
, ibss
,
monitor
).
For example, to see media capabilities of interface ath0
, run:
$ ifconfig ath0 mediaFirmware files acquired with fw_update(8) may be needed in order to use certain wireless cards. Some manufacturers refuse to allow free distribution of their firmware, so it can't be included with OpenBSD.
Another option to consider: use a conventional NIC and an external bridging wireless access point for the OpenBSD-based firewall.
An example of a hostname.if(5) file for a wireless client might be:
nwid puffyuberalles wpakey passwordhere inet autoconfOr, for multiple access points:
join home-net wpakey passwordhere join work-net wpakey passwordhere join cafe-wifi inet autoconfNote that
inet autoconf
should be after the other configuration
lines, as the network adapter will not be able to send a DHCP request until
it is configured.
To do this, we first activate the two physical ports, then assign them to
trunk0
.
# echo up > /etc/hostname.bge0The wireless interface, however, needs a bit more configuration. It will need to attach to our wireless WPA-protected network:
$ cat /etc/hostname.iwn0 nwid puffynet wpakey mysecretkey upNow, our trunk interface is defined like this:
$ cat /etc/hostname.trunk0 trunkproto failover trunkport bge0 trunkport iwn0 inet autoconfThe trunk is set up in
failover
mode,
so either interface can be used.
If both are available, it will prefer the bge0
port,
since that is the first one added to the trunk device.
vr0
through vr3
.
We want to bridge vr1
, vr2
and vr3
together, leaving out vr0
for the uplink.
We also want to serve IP addresses through DHCP over the bridged interfaces.
Being a DHCP server and an uplink router, the box needs to have an IP address
on the bridged network.
It is not possible to assign an IP address directly to a bridge interface. The IP address should be added to one of the member interfaces, but we cannot use a physical interface as the link might be down, in which case the address would not be reachable. Fortunately, there is the vether(4) (virtual Ethernet) driver that can be used for this purpose. We will add it to the bridge, assign the IP address to it and make dhcpd(8) listen there.
vr1
, vr2
and vr3
interfaces as up:
# echo up > /etc/hostname.vr1 # echo up > /etc/hostname.vr2 # echo up > /etc/hostname.vr3Then create the
vether0
configuration:
# echo 'inet 192.168.1.1 255.255.255.0 192.168.1.255' > /etc/hostname.vether0Configure the bridge interface to contain all the above interfaces:
$ cat /etc/hostname.bridge0 add vether0 add vr1 add vr2 add vr3 upAnd finally we make the DHCP daemon listen on the
vether0
interface:
# rcctl set dhcpd flags vether0And finally, reboot the system.
blocknonip
option of
ifconfig(8) or in
hostname.bridge0,
non-IP traffic (such as IPX or NETBEUI) can be prevented from slipping
around the filters.
This may be important in some situations, but be aware that
bridges work for all kinds of traffic, not just IP.
0.0.0.0/0
.
When the kernel is doing a route lookup to determine where to send packets
destined to that network, it can choose from any of the equal-cost routes.
In most scenarios, multipath routing is used to provide redundant uplink
connections, e.g., redundant connections to the internet.
The route(8) command is used to
add/change/delete routes in the routing table.
The -mpath
argument is used when adding multipath routes.
# route add -mpath default 10.130.128.1 # route add -mpath default 10.132.0.1Verify the routes:
# netstat -rnf inet | grep default default 10.130.128.1 UGS 2 134 - fxp1 default 10.132.0.1 UGS 0 172 - fxp2In this example we can see that one default route points to
10.130.128.1
, which is accessible via the fxp1
interface, and the other points to 10.132.0.1
, which is accessible
via fxp2
.
Since the mygate(5) file does not
yet support multipath default routes, the above commands should be added to the
bottom of the hostname.if(5)
files for the fxp1
and fxp2
interfaces.
The /etc/mygate
file should then be deleted.
$ tail -1 /etc/hostname.fxp1 !route add -mpath default 10.130.128.1 $ tail -1 /etc/hostname.fxp2 !route add -mpath default 10.132.0.1Lastly, don't forget to activate the use of multipath routes by enabling the proper sysctl(8) variable.
# sysctl net.inet.ip.multipath=1 # sysctl net.inet6.ip6.multipath=1Be sure to edit sysctl.conf(5) to make the changes permanent.
Now try a traceroute to different destinations. The kernel will load balance the traffic over each multipath route.
# traceroute -n 154.11.0.4 traceroute to 154.11.0.4 (154.11.0.4), 64 hops max, 60 byte packets 1 10.130.128.1 19.337 ms 18.194 ms 18.849 ms 2 154.11.95.170 17.642 ms 18.176 ms 17.731 ms 3 154.11.5.33 110.486 ms 19.478 ms 100.949 ms 4 154.11.0.4 32.772 ms 33.534 ms 32.835 ms # traceroute -n 154.11.0.5 traceroute to 154.11.0.5 (154.11.0.5), 64 hops max, 60 byte packets 1 10.132.0.1 14.175 ms 14.503 ms 14.58 ms 2 154.11.95.38 13.664 ms 13.962 ms 13.445 ms 3 208.38.16.151 13.964 ms 13.347 ms 13.788 ms 4 154.11.0.5 30.177 ms 30.95 ms 30.593 msFor more information about how the route is chosen, please refer to RFC2992, "Analysis of an Equal-Cost Multi-Path Algorithm".
It's worth noting that if an interface used by a multipath route goes down (i.e., loses carrier), the kernel will still try to forward packets using the route that points to that interface. This traffic will of course be blackholed and end up going nowhere. It's highly recommended to use ifstated(8) to check for unavailable interfaces and adjust the routing table accordingly.
This section will go through the steps for a simple NFS setup. The example details a server on a LAN, with clients accessing NFS on the LAN. It does not cover securing NFS.
# rcctl enable portmap mountd nfsdThen configure the list of filesystems that will be made available.
In this example, we have a server with the IP address 10.0.0.1
.
This server will be serving NFS only to clients within its own subnet.
This is configured in the following
exports(5) file:
$ cat /etc/exports /docs -alldirs -ro -network=10.0.0 -mask=255.255.255.0The local filesystem
/docs
will be made available via NFS.
The -alldirs
option specifies that clients will be able to mount at
any point under /docs
as well as /docs
itself.
The -ro
option specifies that clients will only be granted
read-only access.
The last two arguments specify that only clients within the
10.0.0.0
network using a netmask of 255.255.255.0
will be authorized to mount this filesystem.
Now start the server-related services:
# rcctl start portmap mountd nfsdIf changes are made to
/etc/exports
while NFS is already running,
mountd must be made aware of this.
# rcctl reload mountd
To mount the /docs
filesystem on host 10.0.0.1
to local filesystem /mnt
, run:
# mount -t nfs 10.0.0.1:/docs /mntTo have that filesystem mounted at boot, append a line to fstab(5) like so:
# echo '10.0.0.1:/docs /mnt nfs ro,nodev,nosuid 0 0' >> /etc/fstabIt is important to use
0 0
at the end of this line so that
the computer does not try to fsck(8)
the NFS filesystem on boot.
When accessing an NFS mount as the root user, the server automatically maps
root's access to username nobody
and group nobody
.
This is important to know when considering file permissions.
For example, take a file with these permissions:
-rw------- 1 root wheel 0 Dec 31 03:00 _daily.B20143If this file was on an NFS share and the root user tried to access this file from the NFS client, access would be denied.
The user and group that root are mapped to are configurable via the exports(5) file on the NFS server.
$ rpcinfo -p 10.0.0.1 program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100005 1 udp 633 mountd 100005 3 udp 633 mountd 100005 1 tcp 916 mountd 100005 3 tcp 916 mountd 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfsThere are a few utilities that allow an administrator to see what is happening with NFS, such as showmount(8) and nfsstat(1).