Installing OpenBSD 7.4 for a Firewall

Installing OpenBSD 7.4 was pretty simple. I followed the OpenBSD installation guide and used dd on a Linux box to write install74.img to a USB stick. Don’t use the .iso; it doesn’t boot. Then I booted off the USB stick. (You don’t have to disable UEFI.) I used a standard layout

A picture of Puffy, the OpenBSD puffer fish logo

At the time I wondered if I should install all the packages or not. I decided that maintenance would be simpler if I just went for everything, so I added all the packages including X. That turned out to be the right decision.

I used a relatively standard partitioning scheme, although I think I bumped up a few of the sizes. I probably should have bumped up /usr/X11R6 more; right now it’s at 41%:

/dev/sd0a      986M    /
/dev/sd0l      295G    /home
/dev/sd0d      291M    /tmp
/dev/sd0f      5.8G    /usr
/dev/sd0g      986M    /usr/X11R6
/dev/sd0h     19.4G    /usr/local
/dev/sd0k      5.8G    /usr/obj
/dev/sd0j      2.9G    /usr/src
/dev/sd0e     34.4G    /var

Set up doas

After installing, I set up doas ‘cause I like seatbelts:

$ su
# vi /etc/doas.conf
permit persist andrewmemory as root
permit persist keepenv root as root

Install patches and packages

After that I installed patches:

$ doas syspatch
$ doas shutdown -r now

Next I installed a few useful packages:

$ doas pkg_add -i emacs mutt firefox wget

I picked the -no_x11 flavor for emacs, and the normal (not gpgme, not sasl, not slang) flavor for mutt. I’m not going to be mailing to the world from this box, just looking at local emails. I also installed Firefox, which turned out to be another good idea. It’s a lot easier to search for docs on the firewall box itself than to ssh in.

Set up mfs for /tmp

Finally, I’m paranoid about wearing out my SSD, so I set /tmp up as an mfs file system in /etc/fstab, using the useful instructions from Solene Rapenne:

$ doas vi /etc/fstab
#f1ea06b71e2dca43.d /tmp ffs rw,nodev,nosuid 1 2
swap /tmp mfs rw,nodev,nosuid,-s=300m 0 0

… and I had to boot to single-user mode to fix up permissions for /tmp:

$ doas umount /tmp
$ doas chmod 1777 /tmp
$ doas mount /tmp

Apparently tmpfs has been removed because it’s not supported, so mfs it is. I’ve got plenty of RAM for a /tmp file system, but I have delusions of putting most of /var in its own mfs file system, so I restricted /tmp to 300M.
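As an added example (not from the post), here is a small POSIX sh script that checks the two things the /tmp setup above depends on: that the active /tmp entry in an fstab carries nodev and nosuid (and, for mfs, a -s size cap), and that the directory itself ends up 1777 after the chmod step. The fstab path and directory are parameters; the sample fstab in the demo is constructed from the lines above.

```shell
#!/bin/sh
# Added example, not from the post. Offline checks for the /tmp setup:
# the fstab entry's mount options and the directory's mode.

# check_tmp_fstab FSTAB
# Reports if the active /tmp entry is missing nodev or nosuid, or if an
# mfs entry has no -s size limit. Returns 0 when everything is present.
check_tmp_fstab() {
    fstab=$1
    # Skip comment lines (the old ffs line is kept commented out) and take
    # the first entry whose mount point is /tmp.
    line=$(grep -v '^[[:space:]]*#' "$fstab" | awk '$2 == "/tmp" { print; exit }')
    if [ -z "$line" ]; then
        echo "no active /tmp entry in $fstab"
        return 1
    fi
    set -- $line
    fstype=$3
    opts=$4
    rc=0
    for want in nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "/tmp is missing $want"; rc=1 ;;
        esac
    done
    if [ "$fstype" = mfs ]; then
        case ",$opts," in
            *",-s="*) ;;
            *) echo "mfs /tmp has no -s size limit"; rc=1 ;;
        esac
    fi
    return $rc
}

# check_tmp_mode DIR
# Confirms the directory is world-writable with the sticky bit (1777),
# which is what the chmod step establishes. ls -ld is used because stat(1)
# takes different flags on OpenBSD and Linux.
check_tmp_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        drwxrwxrwt) return 0 ;;
        *) echo "$1 has mode $mode, expected drwxrwxrwt"; return 1 ;;
    esac
}

# Demo on a constructed fstab and a scratch directory.
demo() {
    tmpf=$(mktemp) || return 1
    tmpd=$(mktemp -d) || return 1
    printf '%s\n' \
        '#f1ea06b71e2dca43.d /tmp ffs rw,nodev,nosuid 1 2' \
        'swap /tmp mfs rw,nodev,nosuid,-s=300m 0 0' > "$tmpf"
    chmod 1777 "$tmpd"
    check_tmp_fstab "$tmpf" && check_tmp_mode "$tmpd" && echo "/tmp setup looks right"
    rc=$?
    rm -rf "$tmpf" "$tmpd"
    return $rc
}

demo
```

On the firewall itself you would run check_tmp_fstab /etc/fstab and check_tmp_mode /tmp after the remount; the demo only exercises the logic on a scratch copy.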

Once that was done, I could log into a few other machines on my network to establish their ssh fingerprints. I also tested X by running startx, and then firefox, and it worked.

There were some noisy beeps

By default, OpenBSD rings the bell when you mistype certain things. That was annoying other people in the house, so I had to shut those up. That took two things. In ~/.login I added:

/sbin/wsconsctl keyboard.bell.volume=0

Then, I created ~/.xsession and added:

/usr/X11R6/bin/xset b off

This post is part of a series on [setting up an OpenBSD 7.4 firewall device](/blog/2023-10-15 23:45:00 GMT-7-setting-up-an-openbsd-7-4-firewall-device).