Sunday 19 October 2014

Security Engineering for Linux Users

Here is one way die-hard Linux users can find out what the word "engineering" really means: learn about OpenBSD without rebooting either their machines or their minds.

First read the man pages. OpenBSD man pages aren't documentation, they're literature, so you'll want to see them nicely formatted. Get the source from a mirror, e.g.
mkdir ~/openbsd && cd ~/openbsd
wget http://mirrors.ucr.ac.cr/OpenBSD/5.5/src.tar.gz
wget http://mirrors.ucr.ac.cr/OpenBSD/5.5/sys.tar.gz
tar xzf src.tar.gz &&  tar xzf sys.tar.gz
Then put this shell script somewhere on your PATH, as bsdman. It takes the section first and the page name second, renders the page from the unpacked source tree to PDF with man -Tps and ps2pdf, and caches the PDF under your home directory:
#! /bin/sh
# bsdman SECTION NAME: render an OpenBSD man page from the unpacked
# source tree as PDF, cache it, and open it in evince.
MP=$HOME/openbsd
CACHE=${XDG_CACHE_HOME:-$HOME/.cache}/bsdman
if test $# -ne 2 ; then
   echo "usage: bsdman section name" >&2
   exit 1
fi
# find can match several files of the same name; take the first.
FP=$(find "$MP/." -name "$2.$1" -type f | head -n 1)
if test -n "$FP" ; then
   # Cache under $HOME, not /tmp: a predictable filename in a
   # world-writable directory is the classic symlink-attack target.
   mkdir -p "$CACHE"
   PDF=$CACHE/$2.$1.pdf
   if test -f "$PDF" ; then
      echo "Done!"
   else
      man -Tps "$FP" 2> /dev/null | ps2pdf - "$PDF"
   fi
   evince "$PDF" &
else
   echo "error: file $2.$1 does not exist." >&2
   exit 1
fi
Now when you want to see a page, type something like
bsdman 5 pf.conf
Use QEMU to run OpenBSD virtual machines. You can download the QEMU source and build it with commands like:
wget http://wiki.qemu-project.org/download/qemu-2.1.2.tar.bz2
tar xjf qemu-2.1.2.tar.bz2 && cd qemu-2.1.2
./configure --enable-gtk --with-gtkabi=3.0 --prefix=$HOME/usr --extra-ldflags=-Wl,-R,$HOME/usr/lib --extra-cflags=-I$HOME/usr/include
make && make install
This assumes you have gtk-3.0 and glib-2.0 (and their headers) installed under ~/usr, and that this is where you want QEMU installed too. Nothing here needs root.

If you're doing this on a machine or user account you care about, check the signatures on everything you download, and find out out-of-band what the signing keys should be. Obviously there's no point checking a signature against a key you got from the same place as the code. The QEMU tarball comes with a detached GPG signature (qemu-2.1.2.tar.bz2.sig); OpenBSD release directories, from 5.5 on, carry a SHA256.sig file signed with signify(1), and the matching release key (openbsd-55-base.pub) is in /etc/signify on any existing OpenBSD installation.
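As an added example (not code from the original post), here is how that check could be scripted for the OpenBSD release files, both the source tarballs above and the install ISO below. It assumes signify is installed on the Linux host (Debian packages it as signify-openbsd and names the binary the same, hence the SIGNIFY variable), that SHA256.sig was fetched from the mirror next to the file, and that openbsd-55-base.pub came from somewhere other than that mirror. The checksum-list parsing sits in its own function so it can be exercised on constructed files without signify:

```sh
#!/bin/sh
# Added example, not from the original post: check an OpenBSD 5.5 release
# file against the signify-signed SHA256 list that sits beside it on the
# mirror.  Assumptions: signify is installed (Debian/Ubuntu: package and
# binary signify-openbsd), and the release public key openbsd-55-base.pub
# was obtained out of band, never from the same mirror as the files.
SIGNIFY=${SIGNIFY:-signify}

# check_sha256 LIST FILE: compare FILE's SHA-256 with its entry in LIST,
# which uses OpenBSD's "SHA256 (name) = hex" format.
# Returns 0 on match, 1 on mismatch, 2 if FILE is not listed at all.
check_sha256() {
   # escape regex metacharacters in the file name before using it in sed
   _name=$(basename "$2" | sed 's/[.[\*^$]/\\&/g')
   _expected=$(sed -n "s/^SHA256 ($_name) = \([0-9a-f]*\)\$/\1/p" "$1")
   test -n "$_expected" || return 2
   _actual=$(sha256sum "$2" | cut -d ' ' -f 1)
   test "$_expected" = "$_actual"
}

# verify_release PUBKEY SHA256.sig FILE: verify the signature on the list
# (-e: the signed message is embedded in the .sig; -m receives the verified
# copy), then check FILE against that verified copy.  Only a list whose
# signature checked out is ever consulted, so the mirror cannot hand us a
# checksum list that matches a tampered file.
verify_release() {
   _verified=$(mktemp) || return 1
   if ! "$SIGNIFY" -V -e -p "$1" -x "$2" -m "$_verified" ; then
      rm -f "$_verified"
      echo "verify_release: bad signature on $2" >&2
      return 1
   fi
   check_sha256 "$_verified" "$3"
   _rc=$?
   rm -f "$_verified"
   return $_rc
}

# Usage: verify_release openbsd-55-base.pub SHA256.sig install55.iso
if test $# -eq 3 ; then
   verify_release "$@" && echo "$3: OK"
fi
```

signify -C -p openbsd-55-base.pub -x SHA256.sig install55.iso does both steps in one command; the two-step form above makes the point explicit that nothing from the mirror is trusted until the signature on the list has been verified. For QEMU the equivalent is gpg --verify qemu-2.1.2.tar.bz2.sig qemu-2.1.2.tar.bz2 against a maintainer key you obtained separately.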

Get an install ISO image from one of the mirrors, e.g.:
wget ftp://mirrors.ucr.ac.cr/OpenBSD/5.5/i386/install55.iso
The same point we made above about checking signatures applies here too, of course. Now make a disk image to install onto:
qemu-img create -f qcow2 openbsd.img 4G
Now create the ifup scripts that configure the tap devices QEMU creates. The first handles the general case: it gives the host end of guest n's tap the address 192.168.n.1. QEMU runs it as root with the tap name as its only argument, so the per-guest wrappers below add the subnet number as a second argument. Put this in /etc/qemu-ifup:
#! /bin/sh
# /etc/qemu-ifup TAPDEV N: configure the host side of guest N's tap as
# 192.168.N.1/24.  QEMU supplies TAPDEV; the per-guest wrapper supplies N.

if test -z "$1" -o -z "$2" ; then
   echo "qemu-ifup: error: usage: qemu-ifup tapdev n" >&2
   exit 1
fi

addr=192.168.$2.1
mask=255.255.255.0

ifconfig "$1" inet "$addr" netmask "$mask" up
The second takes the interface down. QEMU looks for /etc/qemu-ifdown by default (unless you pass downscript=no), and the tap disappears with the QEMU process anyway, so the script only needs to exist and succeed. Put this in /etc/qemu-ifdown:
#! /bin/sh
exit 0
Then do the special cases. I have three. For each guest n in 1...N, put this in /etc/qemun-ifup (that is, /etc/qemu1-ifup, /etc/qemu2-ifup, and so on), with the final n replaced by the guest's number:
#! /bin/sh
# replace n with this guest's number; it becomes the third octet
exec /etc/qemu-ifup "$1" n
Then make them executable (this assumes nothing else in /etc has a name starting with qemu):
chmod +x /etc/qemu*
Now install a standard OpenBSD on the image. Creating the tap and running the ifup script needs root, so use sudo here as the startbsd script below does:
sudo $HOME/usr/bin/qemu-system-i386 -hda openbsd.img -boot d -m 128 -cdrom install55.iso -net tap,vlan=0,script=/etc/qemu1-ifup -net nic
When the installer asks, configure em0 (QEMU's default e1000 NIC) on 192.168.1.0/24 with the fixed address 192.168.1.2, netmask 255.255.255.0, and default gateway 192.168.1.1, which is the host end of the tap.

Then shut down the VM properly (/sbin/halt -p from inside the guest) and make N copies of openbsd.img called openbsd1.img ... openbsdN.img. Every copy carries the SSH host keys of the installed system, so if you will reach the guests over ssh, delete /etc/ssh/ssh_host_*_key* in each clone; OpenBSD's /etc/rc generates fresh keys on the next boot.

Now make a script startbsd with this in it. It takes the guest number as its argument, wires the guest's second serial port (com1 in OpenBSD, /dev/tty01) to a FIFO in your home directory, and starts QEMU detached:
#! /bin/sh
# startbsd N: start guest N from openbsdN.img, detached, with its second
# serial port (com1 in OpenBSD, /dev/tty01) wired to a FIFO in $HOME.
if test -z "$1" ; then
   echo "usage: startbsd n" >&2
   exit 1
fi
if test ! -p "$HOME/.cua01.$1" ; then
   mkfifo -m u=rw,go= "$HOME/.cua01.$1"
fi

# Forwarding lets guests on different 192.168.n.0/24 tap subnets reach
# each other through the host.  It does not NAT them to the outside.
sudo /bin/sh -c "echo 1 >/proc/sys/net/ipv4/ip_forward"

# root is needed to create the tap and run the ifup script; -runas drops
# back to the invoking user once QEMU has finished setting up.
sudo $HOME/usr/bin/qemu-system-i386 \
   -runas "$USER" -hda "openbsd$1.img" -boot c -m 128 -name "guest$1" \
   -net tap,vlan=0,script=/etc/qemu$1-ifup \
   -net nic \
   -chardev pipe,id=com1,path="$HOME/.cua01.$1" \
   -device isa-serial,chardev=com1,irq=3,iobase=0x2f8 \
   -daemonize
Now you should be able to launch guest n with
./startbsd n
and customize each one by setting its interface in /etc/hostname.em0 to
inet 192.168.n.2 255.255.255.0
and its default route in /etc/mygate to
192.168.n.1
where again n is the guest's number, 1...N, matching the tap subnet its /etc/qemun-ifup script configures on the host.
