Finally, there are a few things that I either forgot to do or that make life easier.
Setting up localtime
By default, /etc/localtime is set to Alberta, where OpenBSD has its home. I need to set it to somewhere closer.
rm /etc/localtime; ln -s /usr/share/zoneinfo/US/Mountain /etc/localtime
Now date shows the correct time.
Blinkenlights
I wrote a script to make the LEDs move back and forth. I start this at boot. (In an earlier version of the firewall, I edited /etc/rc to turn LEDs on when certain thresholds had been passed in the boot process. But now I don’t want to muck up /etc/rc so much.)
First of all, you need to configure the LED pins as outputs before OpenBSD raises the securelevel and gets all secure on you. Edit /etc/rc.securelevel and add:
#
# Place local actions here.
#
echo -n 'enabling LED pins'
gpioctl -q /dev/gpio0 6 set out iout
gpioctl -q /dev/gpio0 25 set out iout
gpioctl -q /dev/gpio0 27 set out iout
I got these numbers from the Status LEDs section of the ALIX manual.
Then create /usr/local/bin/cylon:
#!/bin/ksh -
led3on(){
gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 1
}
led2on(){
gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 1
gpioctl -q /dev/gpio0 27 0
}
led1on(){
gpioctl -q /dev/gpio0 6 1
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 0
}
ledsoff(){
gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 0
}
# Sweep the LEDs back and forth forever: 1, 2, 3, 2, ...
while true; do
led1on
sleep 1
led2on
sleep 1
led3on
sleep 1
led2on
sleep 1
done
Finally, start it from /etc/rc.local:
# Add your local startup actions here.
echo -n 'cylon'
sh /usr/local/bin/cylon &
On reboot, yay, blinky! That at least tells you the kernel hasn’t crashed.
Reducing the mail
Because flashrd is really OpenBSD, it sends mail more suited to a server than a firewall with limited disk.
First thing I noticed:
Running security(8):
Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
etc/rc.conf.local:
permissions (0644, 0755)
I fixed that with a chmod 0644 /etc/rc.conf.local. So now /usr/libexec/security shows no problems. Good.
Once that’s done, make things complain less:
crontab -uroot -e
and comment out:
#30 1 * * * /bin/sh /etc/daily
#30 3 * * 6 /bin/sh /etc/weekly
This prevents the daily and weekly reports, leaving just the monthly one.
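With the daily mail switched off, the report from /usr/libexec/security can still be checked by hand; the following sketch condenses the "filename: / criteria (shouldbe, reallyis)" format quoted above to one line per mismatch. It is an added example, not part of the original post: parse_security_report and SAMPLE_REPORT are hypothetical names, the sample report is constructed from the output shown above, and prefixing paths with / is an assumption.

```sh
#!/bin/sh
# Added example: condense a security(8) report to one line per mismatch.
# parse_security_report and SAMPLE_REPORT are hypothetical names.

parse_security_report() {
    awk '
    # Real reports indent these lines, so trim whitespace first.
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }

    # Skip the legend that only explains the format.
    $0 == "filename:" || $0 == "criteria (shouldbe, reallyis)" { next }

    # One word ending in ":" names the file the next lines refer to.
    NF == 1 && /:$/ && !/[()]/ {
        file = substr($0, 1, length($0) - 1)
        next
    }

    # "criterion (shouldbe, reallyis)" applies to the current file.
    file != "" && match($0, /\(.*, .*\)$/) {
        crit = substr($0, 1, RSTART - 2)
        split(substr($0, RSTART + 1, RLENGTH - 2), v, ", ")
        # Assumption: reported paths are relative to /.
        printf "/%s %s expected=%s actual=%s\n", file, crit, v[1], v[2]
    }'
}

# Constructed sample, modelled on the report quoted in the post.
SAMPLE_REPORT='Running security(8):
Checking special files and directories.
Output format is:
    filename:
        criteria (shouldbe, reallyis)
etc/rc.conf.local:
    permissions (0644, 0755)'

printf '%s\n' "$SAMPLE_REPORT" | parse_security_report
```

On the firewall itself the input would be the output of /usr/libexec/security instead of the sample; an empty result means nothing deviates from the expected modes and owners.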
Next, I noticed that sendmail gets run from root’s crontab, so it doesn’t need to run at boot:
/etc/rc.conf:
sendmail_flags=NO # "-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
That should keep the thing running a little longer without running out of disk. Actually, /var/mail is on the MFS, so it will keep it from running out of ramdisk.
(This post is part of Building an ALIX firewall)