Problem
Create an invisible firewall.

Solution
OpenBSD and its packet filter are free and have a good history of tight security.

Introduction

Difference in OpenBSD releases

PF in OpenBSD has gone through a history of changes. OpenBSD through version 2.9 had IPF, written by Darren Reed. One day Darren made some confusion on the OpenBSD mailing lists about the licensing of his IPF software in operating systems. The OpenBSD authors didn't like it and someone decided they would make their own packet filter, just for OpenBSD. The packet filter candidate from Daniel Hartmeier was released on http://www.benzedrine.cx/pf.html and was accepted by the core developers into the OpenBSD kernel. The official release of PF was in OpenBSD 3.0. Between the 3.0 release and 3.2, PF stayed relatively unchanged.

The addition of PF made the rulesets from IPF incompatible with those from IPF. In other words, rules from OpenBSD 2.9 or before won't work with PF on a OpenBSD 3.0 or newer machine. Also note that PF started getting a large clump of changes in OpenBSD 3.3, where the kernel developers decided to merge ALTQ (traffic shaping) and PF so the packet filter could also do traffic shaping. I'd link to ALTQ docs, but by the time I wrote this, they had already started being merged in the snapshot sources of OpenBSD with the PF documentation.

Preparation

Methods

There are two ways you can get an install started, by CD or Floppy. I'll assume that since you're using OpenBSD, you want something free, so that rules out the possibility that you bought a OpenBSD release CD from the website, even though you should have.

Floppy Method

Download rawrite. The link, unless dead, should go to a rawrite for windows that has a GUI. All other versions you'll find on the internet work with a DOS prompt. Whether from a DOS window or a GUI, you'll need a copy of rawrite to write a copy of the boot image (OpenBSD 3.2 link) to a floppy disk. Open rawrite and write the floppy32.fs file to the floppy disk.

Notice other releases will have floppy image filenames that match the version release. For example, OpenBSD 3.3 will have a floppy33.fs.

The aforesaid will cover most hardware configurations. If you know you have some weird hardware in the machine you're going to be installing OpenBSD on, there are actually two other floppy images with different hardware support. From the documentation:


• floppy32.fs (Desktop PC) supports many PCI and ISA NICs, IDE and simple SCSI adapters and some PCMCIA support.
• floppyB32.fs (Servers) supports many RAID controllers, and some of the less common SCSI adapters. However, support for many standard SCSI adapters and many EISA and ISA NICS has been removed.
• floppyC32.fs (Laptops) supports the Cardbus and PCMCIA devices found in many laptops.

In almost all cases, you'll want the link above.

CD-R(W) method

This method will require you to download the install files before installation. Using Bulletproof FTP or CuteFTP might be a good idea here. What you will want is to create a directory called "3.2", or whatever version number you download and go to the version directory for that release of OpenBSD. For version 3.2, that would be ftp://ftp.openbsd.org/pub/OpenBSD/3.2/. Don't forget OpenBSD has many FTP mirrors such as ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2/

Here is the directory structure of the files you need to download.

  c:\openbsd
    3.2/
    	ANNOUNCEMENT
        ftplist
        ports.tar.gz
        HARDWARE
        PACKAGES
        i386/
            base32.tgz
            bsd
            bsd.rd
            cdrom32.fs
            CKSUM
            comp32.tgz
            etc32.tgz
            floppy32.fs
            floppyB32.fs
            floppyC32.fs
            game32.tgz
            index.txt
            install.ata
            install.chs
            install.dbr
            install.i386
            install.linux
            install.mbr
            install.os2br
            install.pt
            man32.tgz
            MD5
            misc32.tgz
            xbase32.tgz
            xfont32.tgz
            xserv32.tgz
            xshare32.tgz
        PORTS
        README
        src.tar.gz
        srcsys.tar.gz
  

Again, note that if you are installing OpenBSD 3.3 or newer, the filenames won't end with 32, but rather 33 or 34, and so on.

The same tools that you can use on Linux or BSD are available in Windows to make ISO files. OpenBSD doesn't release ISO files to OpenBSD because they need CD sales to support the full time developers. Thanks to official Windows ports of

mkisofs

, just grab a copy of cdrtools from the official cdrecord website. Sometimes the windows binaries of cdrtools get moved on the ftp server, so you might have to hunt around.

Extract the cdrtools files to

c:\cdrtools

.

Then here's what you need to do to make the ISO file:

  Start menu > Run...
  (run `command` for Win95\98\ME or `cmd` for NT\2k\XP)

  cd c:\
  cd openbsd
  c:\cdrtools\mkisofs
    -v
    -r
    -T
    -l
    -L
    -J
    -V "OpenBSD3.2"
    -b 3.2/I386/cdrom32.fs
    -c boot.catalog
    -o c:/OpenBSD3.2.iso
    -A "OpenBSD 3.2 Install"
    .
  

The period at the end is necessary.

When the ISO is done, use Roxio Easy CD Creator 5 or your favorite burning program to burn it. If you don't have it, cdrecord is in the cdrtools distribution. I haven't tried it, but mkisofs works, so cdrecord probably does too. Documentation is all over the internet for cdrecord.

Install OpenBSD

From here, it is only better to refer you to the official installation document. It is well written and should get you through the installation process, whether you bought a CD, created one, or made a floppy.

Install Notes

• If you did the floppy install, during the install, you'll have the option to get the installation files from FTP and that is what you will do.
• To make an invisible firewall, you might ask yourself how it will be invisible if you have to configure a network device during the install. Don't worry about that now. Configure a device because we will need it both to grab operating system updates and to have an interface to use to get updates later if needed. You should have three interfaces in your machine for this document. Two will be invisible, and one will be for administration. Just configure one device during install, and leave the other two alone. If you want to configure all of them, you can do that too, because later, they will just be re-configured to be invisible.
• However you partition your drive, it is a good idea to leave 2gb for the

  /usr

  partition.
• When you're done with the install, type "reboot".
• When the system comes back up to a login prompt, the administrator account is "root" and the password is whatever you set during the installation.
• Configuring your machine with DHCP will be fine for the start. Later in this document will be instructions on how to set a static IP address. If you already know what static IP address you will use, go ahead and set it.
• The network interface cards in the machine are numbered. For example, the a 3com NIC will use the

  xl

  kernel driver. The card furthest from the CPU is card 0, and each card closer increments by one, so if you have 4 NICs, the one closest to the CPU would be xl3.
• This tutorial assumes you use 3com 905 NIC. Other network cards will have other kernel driver names in the kernel. When you start up your system, you can do

  
            # dmesg > dmesg
            # grep -e "..:..:..:..:.." dmesg
            # rm dmesg
           

  and the resulting lines should show the NICs, starting with the kernel driver and ending with the adapter MAC address.
• If you're a Windows user and don't have much experience with BSD or Linux, creating a swap partition is mandatory. It is where all the extra memory processes go when you run out of RAM and is the equivalent of the Windows pagefile. Making it at least twice the size of the amount of space you have in RAM is good.

Update to -stable

Why, why and where

Although OpenBSD has a better than average record of remote and local security vulnerabilities, sometimes someone still discovers a flaw. The OpenBSD errata page is usually updated with patches for vulnerabilities or stability flaws. For purposes of explaining how to do an operating system upgrade, we'll skip the method that would use the src.tar.gz and srcsys.tar.gz files from the OpenBSD install tree. If you want to use the src.tar.gz and srcsys.tar.gz files, the patch branches page provides some information and links to get started in that direction.

Method 1a: Installing kernel and system binary sources from CD

If you have the official CD, you will only have one src.tar.gz file which contains srcsys.tar.gz.

   # mkdir /usr/src
   # mount /dev/cd0a /mnt
   # cd /mnt
   # cp src.tar.gz srcsys.tar.gz /usr/src
   # cd /usr/src
   # tar -xzf src.tar.gz
   # tar -xzf srcsys.tar.gz

Method 2a: Installing kernel and system binary sources from FTP

If you have src.tar.gz and srcsys.tar.gz

   # mkdir /usr/src
   # mount /dev/cd0a /mnt
   # cd /mnt
   # cp src.tar.gz srcsys.tar.gz /usr/src
   # cd /usr/src
   # tar -xzf src.tar.gz
   # tar -xzf srcsys.tar.gz

Parts 1b and 2b: Updating kernel and system binary sources from CVS

You must update your kernel and system sources if you installed them from the release tar files to patch security holes and fix reliability problems.

   # cd /usr
   # cvs -d anoncvs@anoncvs1.usa.openbsd.org:/cvs -q up -rOPENBSD_3_2 -Pd src
  

During this process, it might look like your system stalled out downloading updates. Most likely it hasn't. The CVS process must still check each file in the source tree to make sure it matches the server. By doing the tar file first and then CVS, you save having to download each individual file and instead just check against a CVS version number. Files that have security updates will have a newer CVS version than the copy on your machine. When the cvs command sees the version difference, it will patch the file on your system to match the one on the server.

Method 3: Downloading kernel and system binary sources from CVS

Don't do this step if you already did the stuff above with the tar files. This method will download the contents of src.tar.gz and srcsys.tar.gz and put them in /usr/src for you complete with up-to-date patches.

   # cd /usr
   # cvs -d anoncvs@anoncvs1.usa.openbsd.org:/cvs -q get -rOPENBSD_3_2 -P src
  

Say yes when it wants to confirm the SSH fingerprint. Note the OPENBSD_3_2 corresponds to the version number. OpenBSD 3.0 would have OPENBSD_3_0 for downloading the stable kernel source. Downloading with CVS will take a while, so while you wait, you can get started on downloading ports.

Try hitting

CTRL+ALT+F2

. You didn't just log out, you switched to another console. Log in again on the second console. You can switch back to the original console by hitting

CTRL+ALT+F1

. You can use consoles with the F1, F2, F3, F4, and F6 keys. The other function keys are reserved by the operating system for other background tasks. Now you can multitask.

Install Ports

What are they?

Ports are specially packaged software editions for OpenBSD. They are maintained especially for OpenBSD and available from most OpenBSD regional mirrors. Often ports are created when software packages don't compile by default on OpenBSD. The port maintainers massage the source code of the software to make it work with OpenBSD. In some cases, they even make security audits to make the source more secure.

Method 1: Downloading ports from CVS

If you're already downloading the kernel and system sources, don't forget you can hit

CTRL+ALT+F2

and download ports in the second terminal.

   # cd /usr
   # setenv CVSROOT anoncvs@anoncvs1.usa.openbsd.org:/cvs
   # cvs -d $CVSROOT -q get -rOPENBSD_3_2 -P ports

It is also possible to download ports that correspond to the major OpenBSD version release. In most cases, there is no reason to do so because the most recent imports to the CVS server will likely have security updates to software packages since the major release of OpenBSD, therefore the

-rOPENBSD_3_2

option was left off of the example.

Even if you're on a T1, downloading sources and ports will take a while. Get up and strech. Get something to drink. Go to the bathroom. Make some phone calls. Check your email. You're cheering for src to finish first because that's what you'll need to work with first.

Method 2: Install ports from CD

This is often the choice if you already have ports.tar.gz downloaded and don't want to wait for it again. If you have the official CD from openbsd.org, ports.tar.gz is on the last CD. If you created your own cd, you know where it is.

   # mount /dev/cd0a /mnt
   # cd /mnt/3.2
   # cp ports.tar.gz /usr
   # cd /usr
   # tar -xzf ports.tar.gz

Method 3: Ports from FTP

   # cd /usr
   # lynx ftp://ftp.openbsd.org/pub/OpenBSD/3.2/ports.tar.gz
   # tar -xzf ports.tar.gz

lynx will ask you some questions. The sequence of answers is 'D' for download, '[enter]' to save to disk, '[enter]' again to accept the default filename, 'q' to quit, and 'y' to say you really want to quit.

Updating packages

No matter which method you used to istall, there are some packages you will probably want to update individually. Since the OpenBSD 3.2 release, MySQL has has some security patch releases and Snort has had a new release with a newer rule parsing method. If you already set the CVSROOT and haven't rebooted, you don't have to set it again until you reboot.

   # cd /usr
   # setenv CVSROOT anoncvs@anoncvs1.usa.openbsd.org:/cvs
   # cvs -d $CVSROOT -q up -Pd ports/net/snort
   # cvs -d $CVSROOT -q up -Pd ports/databases/mysql

Updating the system kernel, binaries, and libraries

You need to update the system kernel. Don't skip this part. You need to compile your updated kernel source and compile your system binaries and libraries again before moving on. Don't skip steps. Why? Any programs from this point that you compile against security vulnerable kernel hooks or system libraries could have the vulnerabilities linger even after you compile a new kernel, binaries, and libraries. Compile the kernel, reboot, and recompile the system files.

Compile a new kernel

   # cd /usr/src/sys/arch/i386/conf
   # config GENERIC
   # cd ../compile/GENERIC
   # make depend && make
      (this step will take a while)
   # cp /bsd /bsd.old
   # cp bsd /

Then reboot. You must reboot before moving on to make use of the newly patched kernel.

   # shutdown -r now

The -r is for reboot. If you want to shutdown a machine, use -h for halt.

Compile new system files (binaries and libraries)

    # cd /usr/src
    # rm -r /usr/obj/*
    # make obj && make build

You're recompiling everything installed on your system except your kernel, which you already did. This process will take a long time on an old machine. Rebooting when you're done isn't mandatory, but you should do it for good measure.

Download, compile, and install software from ports

The cool thing about using ports is that with one command, all the downloading, compiling, patching, installing, and cleanup is done with one command and is specifically tailored for OpenBSD. If you watch the installation, it also downloads all the libraries and dependencies that the programs you're installing might have.

Installing text editor (nano)

OpenBSD, and most other BSD and Linux operating systems come with VI as their default editor, however VI has a big learning curve. If you're feeling confident with your Google skills, learning VI will benefit you in the long run.

Since VI has a big learning curve and you probably just want to get the system up, nano is a much simpler text editor which will give you the basic file editing funcitonality you'll need to get the job done.

   # cd /usr/ports/editors/nano
   # make install clean

OpenBSD won't pick up the nano installation right away. It is not in the path. What that means is until you restart, you'll have to type the full path to the nano executable. You make the choice. Reboot or just type the full file path until the next reboot. You won't have to edit files for a bit, so it can wait.

Compile and install Snort

The snort intrusion detection system is available in ports. Here we will be adding a "FLAVOR" to the snort installation which changes the default install options. Normally snort writes all the intrusion hits to files, but we're going to want them stored in a MySQL database. If you're curious about the options available for snort install, you can do this:

   # cd /usr/ports/net/snort
   # make show VARNAME=FLAVORS

The documentation for snort will explain better what each option does. This is merely an installation guide. For the purposes of this installation, do the following:

   # cd /usr/ports/net/snort
   # env FLAVOR="mysql flexresp" make install

If you sit and watch the installation process, you will notice that MySQL will also automagicly download, get patched, configure, compile, and install. For your information, since the OpenBSD 3.2 release, MySQL has released new versions of MySQL that fix security vulnerabilties. This should not be a problem for an invisible firewall because nobody should have rights to either use the MySQL console client or connect to the MySQL socket. This will be discussed later in this paper.

Install PHP

If you are experienced with using the FLAVORS environment variable, you can alter the PHP install to cut install time. An example FLAVOR is shown. It excludes most of the extensions from the PHP install so you have a shorter install time and don't install a lot of software you won't use.

   # cd /usr/ports/graphics/jpeg
   # make install clean
   # cd /usr/ports/graphics/gd
   # make install clean
   # cd /usr/ports/www/php4/core
   # make install clean
   # /usr/local/sbin/phpxs -s
   # cp /usr/local/share/doc/php4/php.ini-recommended /var/www/conf/php.ini
   # cd ../extensions
   # env FLAVOR="no_x11 no_bz2 no_curl no_dba no_dbase no_domxml no_filepro \
    no_gmp no_imap no_ldap no_mcrypt no_mhash no_ncurses no_odbc no_pdf \
    no_pgsql no_shmop no_snmp no_sybase_ct no_xml no_xslt" make install clean
   # cd ../pear
   # make install clean

As you can see, we're leaving out a lot of the functions of PHP, but we don't need them. All that should be left are the MySQL database and GD graphic library extensions. You still need to actually install them:

   # cd /usr/ports/packages/i386/www
   # pkg_add php4-mysql*
   # /usr/local/sbin/phpxs -a mysql
   # pkg_add php4-gd*
   # /usr/local/sbin/phpxs -a gd

Configure PHP

Now configure Apache to parse files ending with ".php" using the PHP extension.

   # cd /var/www/conf
   # /usr/local/bin/nano httpd.conf

If you have rebooted your machine since you installed nano, you can do this:

   # cd /var/www/conf
   # nano httpd.conf

Use the CTRL+W function to find "index.html". Add index.php and index.php3 to the DirectoryIndex line to make it look like:

  #
  # DirectoryIndex: Name of the file or files to use as a pre-written html
  # directory index. Separate multiple entries with spaces.
  #
  DirectoryIndex index.php index.html index.php3

Then use the CTRL+W function to find "x-httpd-php". You'll need to uncomment the two lines it finds and alter them. They should look like:

  # For example, the PHP3 module (not part of the Apache distribution)
  # will typically use:
  #
  AddType application/x-httpd-php .php .php3 .phtml
  AddType application/x-httpd-php-source .phps

If you can't find those lines in your httpd.conf file, look harder or just add the lines as you see them above. If there are other file extensions you want to be parsed by the PHP engine, you can add them to the first AddType line too if you want. Some people add .html to obscure the engines running their website. This can be inefficient if you also have a many regular html files that do not contain PHP which will require PHP to examine the files anyway.

Save your httpd.conf with CTRL+X and follow the prompts.

Now it might be nice to test your PHP installation. I delete all the default Apache documents in the web root directory. You can skip that if you want.

   # cd /var/www/htdocs
   # rm -fr *
   # /usr/local/bin/nano phpinfo.php

You're creating a file named phpinfo.php. In it, you want to put:

<?php phpinfo(); ?>

Save it and test it:

   # apachectl start
   # lynx localhost/phpinfo.php

If you see a page that has a bunch of information about PHP, all went well. If you see just phpinfo(); then you messed up somewhere. Go back and make sure you did everything. This won't prevent you from installing Snort, but it will definately keep ACID from working, which is one of the best Snort log HTTP-based viewers.

Setup Apache SSL

OpenBSD ships with an SSL-ready httpd and RSA libraries. For use with httpd(8), you must first have a certificate created. This will be kept in /etc/ssl/ with the corresponding key in /etc/ssl/private/. The steps shown here are taken in part from the ssl(8) man page. Refer to it for further information. This FAQ entry only outlines how to create an RSA certificate for web servers, not a DSA server certificate. To find out how to do so, please refer to the ssl(8) man page.

To start off, you need to create your server key and certificate using OpenSSL:

   # openssl genrsa -out /etc/ssl/private/server.key 1024

The next step is to generate a Certificate Signing Request which is used to get a Certifying Authority (CA) to sign your certificate. To do this use the command:

   # openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr

This server.csr file can then be given to Certifying Authority who will sign the key. One such CA is Thawte Certification which you can reach at http://www.thawte.com/. Thawte can currently sign RSA keys for you. A procedure is being worked out to allow for DSA keys.

If you cannot afford this, or just want to sign the certificate yourself, you can use the following.

   # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
        -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

With /etc/ssl/server.crt and /etc/ssl/private/server.key in place, you should be able to start httpd(8) with the -DSSL flag (see the section about rc(8) in this faq), enabling https transactions with your machine on port 443.

See 10.7

Start Apache on boot

   # cd /etc
   # /usr/local/bin/nano rc.conf

Change httpd_flags from NO to "-u -DSSL". Add the quotes too. Be careful about the comment at the end of the line (# for normal use...) spilling over to the next line. That is bad. If it does, either get it all on one line again or delete the comment. Hit CTRL+X to save the file.

/var/www

. The -DSSL tells Apache to start up with SSL. A later section will discuss SSL. If you know you just want to run regular HTTP services through port 80 and don't want SSL through 443, you can leave off the -DSSL and skip the Apache SSL configuration.

Finishing MySQL Install

Check /etc/rc.conf to make sure that the following line is at the bottom:

local_rcconf="/etc/rc.conf.local"

   # cat /etc/rc.conf

The line should be there, but if for some reason it isn't, add it with nano.

/etc/rc.conf.local

should not exist. If it does or if it doesn't, do exit nano and do the following:

   # echo "mysql=YES" >> /etc/rc.conf.local

Using

echo

is just shorthand so you don't have to use an editor to edit a file. If the file doesn't exist, it will be created. If it does exist,

mysql=YES

will be appended to it. You can use

cat

to verify the contents of

/etc/rc.conf.local

.

cat

is a tool that can be used to output a file right to the screen.

   # cat /etc/rc.conf.local

MySQL isn't done installing. Go back to ports.

   # cd /usr/ports/databases/p5-DBD-Msql-Mysql
   # make install clean
   # cd /usr/ports/packages/i386/databases
   # pkg_add mysql-server*

Next you need to move the configuration file for MySQL to

/etc

. In

/usr/local/share/mysql

look at the files

my-small.cnf

,

my-medium.cnf

,

my-large.cnf

, and

my-huge.cnf

.

my-medium.cnf

is good for most server configurations.

   # cd /usr/local/share/mysql
   # cp my-medium.cnf /etc/my.cnf
   # /usr/local/bin/nano /etc/my.cnf

We're almost done with MySQL. Edit /etc/rc.conf and change

shlib_dirs= # extra directories for 
ldconfig

at the bottom of the file to read like this:

   # shlib_dirs="/usr/local/lib/mysql"

Or if you know you have multiple directories:

   # shlib_dirs="/usr/local/lib/{mysql,libmcrypt}"

Make sure the (# extra directories...) comment doesn't spill over to the next line. The following will add execute permissions to the file that starts mysql.

   # mkdir /var/run/mysql
   # chown mysql /var/run/mysql
   # chmod 755 /usr/local/share/mysql/mysql.server

If

/var/run/mysql

exists already, that's good. If it doesn't exist it'll be created. Either way, it should be there. Add this to the bottom of

/etc/rc.local

:

   if [ X"${mysql}" == X"YES" -a -x /usr/local/bin/safe_mysqld ]; then
	echo -n " mysqld"; /usr/local/share/mysql/mysql.server start
	/bin/sleep 1
   fi

This will start MySQL when you boot your server. Now might be a good time to reboot if you're curious to see if everything will crash and burn. If you don't want to reboot, you can do this:

   # /usr/local/share/mysql/mysql.server start
   # /usr/local/bin/mysql -u root

The second line will try to connect to MySQL. You can either connect or you can't. A connection is good. The password is blank if you did not set it before. Type

exit

to get out of mysql. When you reboot, you should see

mysqld

in the local daemons list just before logon. Now might be a good time to change the default root password to your MySQL server:

   # /usr/local/bin/mysqladmin -u root -p password 'new-password'

If it's a single user machine and you properly deny outside connections to MySQL, you might be fine leaving the root password blank. Later in this tutorial, we will configure the server to not accept connections on on the MySQL socket from anywhere other than localhost.

If you think you know what you're doing, now might be a good time to stop mysqld and move /var/mysql to another drive if you've got a multiple drive system. For example, you might have created a /misc partition during installation on a second hard drive. Then you could move /var/mysql to it and edit the datadir var in /usr/local/share/mysql/mysql.server and /etc/my.cnf to point to the new db storage directory.

Snort

Snort is a free intrusion detection system.

Configure Snort

Now you need to configure MySQL to have a user and table to store Snort alerts:

   # mysqladmin -u root -p create snort
   # mysqladmin -u root -p create snort_archive
   # mysql -u root -p

If you didn't set a password before, when it asks for a password, hit enter. At the mysql prompt, type

   mysql> grant all on snort.* to snort@localhost identified by 'snort';
   mysql> grant all on snort_archive.* to snort@localhost identified by 'snort';
   mysql> exit

snort

will be the password in the quotes.

snort.*

says all tables in the snort database.

snort@localhost

says the snort user can only connect from localhost. Now add a system user for snort.

   # groupadd snort
   # adduser -batch snort snort -shell /bin/nologin -home /home

Since this is the first time for you to create a user on the system, it will ask you for default values for accounts. Just hit enter to all of them to accept the set defaults in brackets.

   # mkdir /var/log/snort
   # chown snort /var/log/snort

We will start Snort a lot like we started MySQL:

   # echo "snort=YES" >> /etc/rc.conf.local
   # /usr/local/bin/nano /etc/rc.local

Now you will need to decide which interfaces in your machine will do what. Pick the one that will be on the inside of the firewall. In the example machine, we have one administration NIC with an IP address assigned, and two more, one for the outside of the firewall and one for the inside. For the sake of this example, xl1 will be the interface on the inside of the firewall. Add this to the bottom of your

rc.local

.

   if [ X"${snort}" == X"YES" -a -x /usr/local/bin/snort ]; then
	echo -n " snort"; /usr/local/bin/snort -D -d -c /etc/snort/snort.conf -u snort -g snort -i xl1
   fi

The

echo

line will be longer than the screen, so get it to fit on one line when it spills over to the next. If you are using VI, you don't have to worry about things like that, because when you edit a file with VI and a line spills over, it does a wordwrap instead of a line break like nano. Also note the

-i xl1

which corresponds to the interface on the inside of the firewall. Then we can import the Snort database information into MySQL:

   # cd /usr/ports/net/snort
   # mysql -u snort -p snort < /usr/ports/net/snort/w-snort-*/snort-*/contrib/create_mysql
   # make clean

If you had done a

make install clean

or

make clean

for snort already, you can do a

make extract

to get the sources you'll need to import the tables you need into mysql. There are a lot of rules files in

/usr/local/share/examples/snort

. We should put them in a different directory.

   # mkdir /etc/snort
   # cd /usr/local/share/examples/snort
   # cp -r * /etc/snort

Then go to the

/etc/snort

and edit snort.conf. The file will explain what variables do what. Defaults will probably work if you're scared to change the file. The only thing you absolutely have to change is find the mysql log line, uncomment it, and change the login information for each of the variables on the line, otherwise you won't be able to view the snort logs from ACID.

To log to MySQL for ACID, you will need to find the database section, uncomment the line for MySQL in

snort.conf

, and change the connection details. Just make sure you read the whole configuration file.



Update Snort rules

   # mkdir /usr/local/src
   # cd /usr/local/src
   # lynx http://www.snort.org/dl/rules/snortrules-stable.tar.gz
   # tar -xzvf snortrules-stable.tar.gz
   # cp -r rules /etc/snort
   # cd /etc/snort/rules
   # mv * ..
   # cd ..
   # mv *.rules rules

Now you must go back to

/etc/snort

and edit snort.conf to add the additional rules files that aren't in the distribution and point the rules location to

/etc/snort/rules

Create firewall network

If you want a NAT configuration, you'll need a LAN IP for an interface on the inside of the network. Choose a network device not in use. We'll assume that xl0 right now is configured with an external world address. Edit hostname.xl1. Nano and vi will create it if it's not there already. Put this line in it:

   inet 10.0.0.250 255.255.0.0 NONE

To create IP aliases for the same network interface, the file would look like:

   inet 10.0.0.250 255.255.0.0 NONE
   inet alias 10.0.0.1 255.255.0.0 NONE
   inet alias 10.0.1.250 255.255.0.0 NONE
   inet alias 10.0.2.250 255.255.0.0 NONE
   inet alias 10.0.3.250 255.255.0.0 NONE
   inet alias 10.0.4.250 255.255.0.0 NONE

If you don't want to reboot now, you can configure the network device with the

ifconfig

command.

   # ifconfig xl1 inet 10.0.0.250 netmask 255.255.0.0
   # ifconfig xl1 inet alias 10.0.0.1.250 netmask 255.255.0.0

After you reboot, the hostname.xxx file will automaticly do ifconfig for you.

The other choice is creating an invisible passthru firewall. Either way, if you want extra interfaces to go to the internal network interface and have them bridged together, you'll need to create invisible interface configurations for the other NICs.

   # ifconfig xl2 up
   # echo "up" > /etc/hostname.xl2

Make sure you don't create a hostname file for the wrong interface. If you echo "up" to the interface hostname file you're using to get on the internet, you won't be able to get on the internet until you go back and replace up with the correct internet configuration. The interface you should have configured by default during the install was

xl0



While you're at it, now is a good time to add the second invisible interface for the firewall.

   # ifconfig xl3 up
   # echo "up" > /etc/hostname.xl3

Now you can bridge them together. Your bridge configuration will list all the network interfaces for your internal network. For an invisible firewall, that should be two interfaces. For a NAT machine, the PCI slot number is the limit. Create /etc/bridgename.bridge0

   add xl1
   add xl2
   add xl3
   add xl4
   blocknonip xl1
   blocknonip xl2
   blocknonip xl3
   blocknonip xl4
   up

Again, if you don't want to reboot right now, you can use the

brconfig

command to manually create the bridge:

   # brconfig bridge0 add xl1
   # brconfig bridge0 add xl2
   # brconfig bridge0 add xl3
   # brconfig bridge0 add xl4
   # brconfig bridge0 blocknonip xl1
   # brconfig bridge0 blocknonip xl2
   # brconfig bridge0 blocknonip xl3
   # brconfig bridge0 blocknonip xl4      
   # brconfig bridge0 up

Start Snort

You won't have to do this all the time because the editing you did to rc.local with a similar line should start Snort automagicly on boot. This will get snort running now just to make sure it runs.

   # /usr/local/bin/snort -D -d -c /etc/snort/snort.conf -u snort -g snort -i xl1

You'll either get a "Snort running" message, or a "FATAL ERROR". The errors are quite informational and usually tell you, you have a file in the wrong place if you get one. Get

/etc/snort/snort.conf

to sync with where files are in the

/etc/snort

directory if you have an error. If it says it needs a file, but you don't know where to find it

   # find / -name "filename" -print

should spit it out on the screen if it exists. It's a console Find File equivilent from Windows. You can add asterisks for wildcards if you feel the need.

Install ADODB database abstraction

   # mkdir /usr/local/src
   # cd /usr/local/src
   # lynx http://php.weblogs.com/ADODB
   [ download file here and exit lynx ]
   # tar -xzf adodb*.tgz

Install PHPlot graphing scripts

   # cd /usr/local/src
   # lynx http://www.phplot.com
   [ download file here and exit lynx ]
   # tar -xzf phplot-*.tar.gz
   # lynx http://www.aditus.nu/jpgraph/jpdownload.php
   [ download file here and exit lynx ]
   # tar -xzf jpgraph-*.tar.gz

Install ACID

   # cd /usr/local/src
   # lynx http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
   [ download file here and exit lynx ]
   # tar -xzf acid*.tgz
   # mkdir /var/www/phplibs
   # mv adodb /var/www/phplibs
   # mv jpgraph-x.xx /var/www/phplibs/jpgraph
   # mv phplot-x.x.x /var/www/phplibs/phplot
   # mv acid /var/www/htdocs
   # cd /var/www/htdocs/acid
   # nano acid_conf.php

Now edit acid_conf.php to point

$DBlib_path

to

/var/www/phplibs/adodb

, change the logon information for MySQL to use

snort

as the user and password with for the

snort

and

snort_archive

databases, and set

$ChartLib_path

to

/var/www/phplibs/phplot

.

Now you'll probably want to put a password on the access to Apache. Edit /var/www/conf/httpd.conf, find the directory directive for /var/www/htdocs and change AllowOverride from None to All. This will allow us to use .htaccess files to change permissions of directories in the Apache web directory. An .htaccess file in a directory provides specific instructions for permissions to that specific directory. In this example, we will create an .htaccess file in the root directory, thereby blocking off all unauthorized access.



   # htpasswd -c /var/www/passwd administrator

Then create the file /var/www/htdocs/.htaccess

   AuthUserFile /var/www/passwd
   AuthName "firewall"
   AuthType Basic
   
   
   require valid-user
   

Clear console on logout

Clearing the console isn't nessesary to get your firewall up and running, but it does add an extra layer of security to sensitive information you might enter in the console. When you log out, it will automaticly clear away for you. To do this you must add a line in

/etc/gettytab

. Change the current section:

   P|Pc|Pc console:\
        :np:sp#9600:

adding the line ":cl=\E[H\E[2J:" at the end, so that it ends up looking like this:

   P|Pc|Pc console:\
        :np:sp#9600:\
	:cl=\E[H\E[2J:

Changes will be immediate. Next time you log out, the console will clear. You can get the same result by typing

clear

at the prompt, but who wants to remember to do that every time.

Lockdown single user mode

One element of security often overlooked is physical security. The OpenBSD developers built a "feature" into OpenBSD called single user mode. Single user mode allows you, if you are at the keyboard, to boot into the system to do recovery or diagnostic work. Under normal circumstances, booting into single user mode gives you automatic root access, without asking for a password. Single user mode is also often used for password recovery when nobody can remember the root password. You can make single user mode ask for the root password.

Edit

/etc/ttys

to change the current line:

   console "/usr/libexec/getty Pc"     vt220   off secure

to insecure

   console "/usr/libexec/getty Pc"     vt220   off insecure

Deny remote root login

Root has the power to do anything to a system. Here we'll add a user that has very little power to change files on the system.

   # adduser

If you decided not to install Snort, the

adduser

command will ask for default user account values. Just hit enter to accept each of the default values in brackets. Then follow the prompts to create a user.

   Use option "-silent" if you don't want to see all warnings and questions.
   
   Reading /etc/shells
   Check /etc/master.passwd
   Check /etc/group
   
   Ok, let's go.
   Don't worry about mistakes. I will give you the chance later to correct any input.
   Enter username [a-z0-9_-]: administrator
   Enter full name []: administrator
   Enter shell csh ksh nologin sh [sh]: csh
   Uid [1002]: [ENTER]
   Login group administrator [administrator]: [ENTER]
   Login group is "administrator". Invite administrator into other groups: guest no [no]: wheel
   Enter password []: ********
   Enter password again []: ********
   
   Name:     administrator
   Password: ****
   Fullname: administrator
   Uid:      1002
   Gid:      1002
   Groups:   administrator wheel
   HOME:     /home/administrator
   Shell:    /bin/sh
   OK? (y/n) [y]: [ENTER]
   Added user "administrator
   Copy files from /etc/skel to /home/administrator
   Add another user? (y/n) [y]: n
   Goodbye!
   #

Don't make the administrator password the same as the root password. If someone compromised the system, was able to read /etc/passwd and noticed that the administrator password hash is the same as the root password, you're double login protection is wasted. If you're already familiar with a particular shell, you can pick something other than csh. Default is sh, but root's default is csh.

Edit

/etc/ssh/sshd_config

and change

   #PermitRootLogin yes

to

   PermitRootLogin no

Now that you can no longer log in as root remotely, when you log in as administrator over ssh, you'll have to use the

su

command to become a super user. It will ask you for a password. When it does, type in the root password and you will be root. This is only possible because when you created the administrator user, you added them to the wheel group, which is where super users go. Only users in the wheel group can become a super user from

su

. When you're done being a super user, type

exit

to become a regular user again. The

su

will make a log of when and where someone becomes a super user.

Configuring the firewall

Remember, this section was written for OpenBSD 3.3. These rules might work on other OpenBSD installations >=3.0, however that doesn't mean that they're right.

Enable IP forwarding

Edit

/etc/sysctl.conf

. Uncomment

net.inet.ip.forwarding=1

. While you're in there, you could uncomment

vm.swapencrypt.enable=1

.

Create invisible interfaces

For this example,

xl0

is our administration interface, which will have an IP assigned and firewall rules to allow only SSH and HTTPS connections. The invisible interfaces are

xl1

,

xl2

, and

xl3

.

There are some fine details of creating a bridge between network interfaces for a firewall.
Rule 1: Always filter on one interface.
Rule 2: Don't filter on the other interfaces.

Remember, the computer doesn't know which interface leads to the internet and which goes to a crossover cable for a server. When you bridge interfaces, you are essentially creating one virtual interface.

See the Create invisible interface section for the invisible device configuration.

You also want to bridge those interfaces to make a connection between them. Create a file in

/etc

named

bridgename.bridge0

. Add the following to it and save.

   add xl1
   add xl2
   add xl3
   up

You can lock things down even tighter. Type

man brconfig

at a prompt to get the manual for the bridge software. Some options might be to consider making the bridge

   add xl1
   add xl2
   add xl3
   blocknonip xl1
   blocknonip xl2
   blocknonip xl3
   rule pass in on xl3 dst 00:BB:A0:33:3A:D1
   rule pass out on xl3 src 00:BB:A0:33:3A:D1
   rule block in on xl3
   rule block out on xl3
   up

What the rules have done is block all traffic that's not associated with the computer behind the firewall that has the MAC address of 00:BB:A0:33:3A:D1. If it either isn't headed to or from the machine with 00:BB:A0:33:3A:D1, it won't get passed. If you decide to use bridge rules with MAC addresses, you'll have to maintain a current ruleset of MACs, otherwise don't use bridge rules at all. Note:Experience has shown this author that MAC filtering in this style is not 100% good 100% of the time. If you decide you want MAC address filtering, make sure you test a lot. Merely adding the interfaces should be enough for most firewalling situations.

Note that the packet filter reads traffic on the IP level. In other words, it won't filter traffic based on MACs, just source and destination IPs by port number and traffic type. The bridge is the only place to filter by MAC and the packet filter is the only place to filter by IP.

Configure static network interface

If you already configured the administration static IP you want during the OS install, you can skip this section.

To switch from DHCP to static or to fix a mess-up if you echoed "up" into the wrong hostname file, you need to edit the hostname.if file for the interface you're using. In the example, the contents of

/etc/hostname.xl0

should be

   dhcp NONE NONE NONE

for a DHCP environment. To change it to static, change it to match

   echo "inet 192.168.0.200 255.255.255.0 NONE" > /etc/hostname.xl0

Note that the hostname.if file doesn't contain the gateway IP. That is stored in a different file.

   echo "192.168.0.1" > /etc/mygate

To activate the gateway address, you'll have to restart. There are ways to activate it otherwise, but saying to restart is much simpler. You can do the research if you don't want to reboot.

Setting up the packet filter (PF)

First turn PF on. Edit

/etc/rc.conf

.

   PF=YES

and then turn PF on without having to reboot.

   # pfctl -e

You will not get enough information about packet filtering from this tutorial to be well versed. Minimally, you need to read these two documents and understand them or you're wasting your time with this firewall.


• pfctl(8)
• pf.conf(5)

You can type

   # man pfctl

or

   # man pf.conf

to get the manual for the packet filter right from your machine. To exit the man pages viewer, hit the "q" key or scroll all the way down to the end of the document. Page Down will get you there faster.

Here is a ruleset you might use to start an invisible passthru firewall. It uses the slower bracketed blocks of IPs that expand into separate rules to check against incoming and outgoing traffic.

#############################
# /etc/pf.conf
# David Norman, OpenBSD 3.2
#############################

#############################
# Begin Ruleset
#############################

external="xl1"
admin="xl0"

# not routable
# spaces before brackets required
#
spoofed="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
            224.0.0.0/4, 240.0.0.0/5, 127.0.0.1/8 }"


# IP blocks ripped from http://www.sentry.net/~obsid/
#
reserved="{ 0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 5.0.0.0/8, \
             23.0.0.0/8, 27.0.0.0/8, 31.0.0.0/8, \
             36.0.0.0/8, 37.0.0.0/8, 39.0.0.0/8, 41.0.0.0/8, \
             42.0.0.0/8, 58.0.0.0/8, 59.0.0.0/8, \
             60.0.0.0/8, 69.0.0.0/8, 70.0.0.0/8, \
             71.0.0.0/8, 72.0.0.0/8, 73.0.0.0/8, 74.0.0.0/8, \
             75.0.0.0/8, 76.0.0.0/8, 77.0.0.0/8, 78.0.0.0/8, \
             79.0.0.0/8, 80.0.0.0/8, 81.0.0.0/8, 82.0.0.0/8, \
             83.0.0.0/8, 84.0.0.0/8, 85.0.0.0/8, 86.0.0.0/8, \
             87.0.0.0/8, 88.0.0.0/8, 89.0.0.0/8, 90.0.0.0/8, \
             91.0.0.0/8, 92.0.0.0/8, 93.0.0.0/8, 94.0.0.0/8, \
             95.0.0.0/8, 96.0.0.0/8, 97.0.0.0/8, 98.0.0.0/8, \
             99.0.0.0/8, 100.0.0.0/8, 101.0.0.0/8, 102.0.0.0/8, \
             103.0.0.0/8, 104.0.0.0/8, 105.0.0.0/8, 106.0.0.0/8, \
             107.0.0.0/8, 108.0.0.0/8, 109.0.0.0/8, 110.0.0.0/8, \
             111.0.0.0/8, 112.0.0.0/8, 113.0.0.0/8, 114.0.0.0/8, \
             115.0.0.0/8, 116.0.0.0/8, 117.0.0.0/8, 118.0.0.0/8, \
             119.0.0.0/8, 120.0.0.0/8, 121.0.0.0/8, 122.0.0.0/8, \
             123.0.0.0/8, 124.0.0.0/8, 125.0.0.0/8, 126.0.0.0/8, \
             127.0.0.0/8, 197.0.0.0/8, 201.0.0.0/8, 219.0.0.0/8, \
             220.0.0.0/8, 221.0.0.0/8, 222.0.0.0/8, 223.0.0.0/8, \
             240.0.0.0/8, 241.0.0.0/8, 242.0.0.0/8, 243.0.0.0/8, \
             244.0.0.0/8, 245.0.0.0/8, 246.0.0.0/8, 247.0.0.0/8, \
             248.0.0.0/8, 249.0.0.0/8, 250.0.0.0/8, 251.0.0.0/8, \
             252.0.0.0/8, 253.0.0.0/8, 254.0.0.0/8, 255.0.0.0/8 }"

uttnet="{ 198.213.56.0/24, 198.213.57.0/24, 198.213.58.0/24, \
             198.213.59.0/24, 206.76.228.0/24, 206.76.229.0/24, \
             204.158.4.0/24 }"

scrub in on $external all

# Loopback device rules
pass out quick on lo0 all keep state
pass in quick on lo0 all keep state

block in on { $external, $admin } all

## Comment this out if you're using LAN IPs
block in from no-route to any

## good rule but also dangerously strict and needs IP in place of ($external)
# block out quick on $external ! from ($external) to any

block in quick on { $external, $admin } inet from $spoofed to any
block in quick on { $external, $admin } inet from $reserved to any

pass in quick on $admin inet proto tcp from $uttnet to { 198.213.57.12/32 } port { 22, 443 } keep state

pass out quick proto tcp all flags S/SA keep state
pass out quick proto udp all keep state
pass in quick on $external inet proto tcp from any to { 198.213.57.6/32, 206.76.228.42/32 } port 80
pass in quick on $external inet proto icmp all icmp-type 8 code 0 keep state
pass out quick on $external inet proto icmp all icmp-type 8 code 0 keep state

Here is a newer ruleset that uses tables for blocks of IPs. PF takes as long to look up an address in a table with 5 addresses as it does with a table full of 100,000 addresses.

#############################
# /etc/pf.conf
# Academic Computing Services
# OpenBSD 3.3 PF ruleset
#############################

# reload rules with `pfctl -f /etc/pf.conf`
# rc.conf should take over after you change it there and reboot

ExtIF="xl3"
IntIF="xl1"
ExtIP="198.213.57.7"

# not routable
# spaces before brackets required
#
table <spoofed> const { 10/8, 172.16/12, 192.168/16, \
            224/4, 240/5, 127.0.0.1/8 }

# IP blocks ripped from http://www.sentry.net/~obsid/
#
table <reserved> const { 0/8, 1/8, 2/8, 5/8, \
             23/8, 27/8, 31/8, \
             36/8, 37/8, 39/8, 41/8, \
             42/8, 58/8, 59/8, \
             60/8, 69/8, 70/8, \
             71/8, 72/8, 73/8, 74/8, \
             75/8, 76/8, 77/8, 78/8, \
             79/8, 80/8, 81/8, 82/8, \
             83/8, 84/8, 85/8, 86/8, \
             87/8, 88/8, 89/8, 90/8, \
             91/8, 92/8, 93/8, 94/8, \
             95/8, 96/8, 97/8, 98/8, \
             99/8, 100/8, 101/8, 102/8, \
             103/8, 104/8, 105/8, 106/8, \
             107/8, 108/8, 109/8, 110/8, \
             111/8, 112/8, 113/8, 114/8, \
             115/8, 116/8, 117/8, 118/8, \
             119/8, 120/8, 121/8, 122/8, \
             123/8, 124/8, 125/8, 126/8, \
             127/8, 197/8, 201/8, 219/8, \
             220/8, 221/8, 222/8, 223/8, \
             240/8, 241/8, 242/8, 243/8, \
             244/8, 245/8, 246/8, 247/8, \
             248/8, 249/8, 250/8, 251/8, \
             252/8, 253/8, 254/8, 255/8 }

#set loginterface xl1
set optimization conservative

scrub in on $ExtIF all

nat on $ExtIF from 10/8 to any -> $ExtIP

# Loopback device rules
pass out quick on lo0 all
pass in quick on lo0 all

# Default block everything
block in on $ExtIF inet all
block in on $IntIF inet from any to $IntIF 
antispoof for lo0
# Editor note: antispoof here on OBSD 3.2 kills talking btwn bridged interfaces
#antispoof for { $ExtIF, $IntIF } inet
# so I came up with a looser rule:
block in on ! xl3 inet from 10.0.0.250/32 to any

# silently drop UDP broadcasts
#
block in quick on $ExtIF inet proto udp from any to 255.255.255.255/32

# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming from the outside).
#
block in quick on $ExtIF inet from  to any

# Block all reserved private IP addresses.
#
block in quick on $ExtIF inet from <reserved> to any

# Outgoing Windows networking won't work stable over NAT
#
# rules not working?
block out quick on $ExtIF inet proto tcp from any to any port { 135, 137 >< 139, 445 }
block out quick on $ExtIF inet proto udp from any to any port { 135, 137 >< 139, 445 }

## start letting some stuff through
#
#  remote administration
pass in quick on $ExtIF inet proto tcp from { 206.76.228.0/24, 198.213.57.0/24, 198.213.58.0/24, 205.165.41.0/24 } to $ExtIP/32 port { ssh, https } flags S/SA modulate state

# pings
pass in quick on { $ExtIF, $IntIF } inet proto icmp all icmp-type 8 code 0 keep state
# dhcp and ntp
pass in quick on $ExtIF inet proto udp from 10/8 to any port { 68, 123 } keep state

# Let traffic in and out
pass out quick on $ExtIF inet proto tcp all flags S/SA keep state
pass out quick on $ExtIF inet proto udp all keep state

## Let pings out and back
#
pass in quick on { $ExtIF, $IntIF } inet proto icmp all icmp-type 8 code 0 keep state
pass out quick on { $ExtIF, $IntIF } inet proto icmp all icmp-type 8 code 0 keep state

Transparent Squid

   # cd /usr/ports/www/squid
   # env FLAVOR="transparent" make install clean
   # /usr/local/sbin/squid -z

Before running

squid -z

, you might want to edit the default configuration in

/etc/squid

. The cache directories will be created with

squid -z

so if you want your cache in a different directory than

/var/squid/cache

or if you want to put your cache on a RAID striped device for extra speed, you'll want to edit some of the default options in

/etc/squid

.

Setting up BIND (or other DNS) is a good idea for local DNS resolution.

NTP (Network Time Protocol) daemon

Installing NTPd allows your machine to check with atomic clock servers for the correct time.

   # cd /usr/ports/net/ntp/stable
   # make install clean
   # echo "0" > /etc/ntp.drift

Then create

/etc/ntp.conf

with the following contents.

   server 139.78.100.163 prefer minpoll 9 maxpoll 13
   server 128.194.254.9
   server 129.7.1.66
   server 131.107.1.10
   
   driftfile /etc/ntp.drift

Optionally, you can add

restrict 10.0.0.0 mask 255.255.0.0 nomodify nopeer

to the bottom of the

ntp.conf

file. If you want to let NTP through the firewall, it is port 123/udp.

Symon

Symon is a system monitor that lets you view the status of the CPU, memory, PF, NICs, and misc services running on the system. It uses PHP and a combination of a server (symux) and monitor that reports to the server (symon). It stores the data in a special type of database for continuous data collection called rrdtool.

   # cd /usr/ports/sysutils/symon

Versions of Symon 2.60 and before have an installation bug that doesn't install all the PHP scripts that are needed for viewing services from Apache, so this will bypass some of the post-installation instructions to do some manual configuration. Symon 2.61 should have a fix to the installation bug.

Edit

/usr/ports/sysutils/symon/Makefile

. Since you have already custom installed PHP, you don't want the Symon install to do the generic one again. Change

   WEB_RUNDEPENDS=     rrd:rrdtool-*:net/rrdtool php:php4->=4.2.3:www/php4/core

to

   WEB_RUNDEPENDS=     rrd:rrdtool-*:net/rrdtool

And then also change

   RUN_DEPENDS=     rrd:rrdtool-*:net/rrdtool  php:php4->=4.2.3:www/php4/core

to

   RUN_DEPENDS=     rrd:rrdtool-*:net/rrdtool

Then you can do

   # make install
   # cd w-symon-2.60/symon/symon2web
   # rm Makefile
   # mkdir /var/www/htdocs/symon
   # chmod 444 /var/www/htdocs/symon/*
   # cd /usr/ports/sysutils/symon
   # make clean
   # cd /usr/ports/packages/i386/sysutils
   # pkg_add symon-2.60.tgz
   # cd /usr/local/share/symon
   # ./c_smrrds.sh cpu0
   # ./c_smrrds.sh pf
   # ./c_smrrds.sh mem
   # ./c_smrrds.sh bridge0
   # ./c_smrrds.sh lo0
   # ./c_smrrds.sh xl0
   # ./c_smrrds.sh xl1
   # ./c_smrrds.sh xl2
   # ./c_smrrds.sh xl3
   # ./c_smrrds.sh xl4
  do this if you have an ata drive # ./c_smrrds.sh wd0
  do this if you have a scsi drive # ./c_smrrds.sh sd0
   # ./c_smrrds.sh debug
   # ./c_smrrds.sh proc_httpd
   # ./c_smrrds.sh proc_snort
   # ./c_smrrds.sh proc_sshd
   # ./c_smrrds.sh proc_mysqld
   # mkdir /var/symon
   # mkdir /var/symon/localhost
   # mv *.rrd /var/symon/localhost
   # cd /var/www/htdocs/symon

Most installations will give you an error at the end of the make. Everything actually compiled correctly. Edit

/var/www/htdocs/symon/datasources.inc

and change the $symon2web variable to

/var/symon

.

Then there are a few finishing touches to configure and start the monitor. Create

/etc/symon.conf

. The contents should be similar to the following:

   monitor { cpu(0),  mem, pf,  if(xl0), if(xl1),
	  if(lo0), if(xl2), io(wd0), debug,
          if(bridge0), proc(httpd), proc(sshd),
	  proc(snort), proc(mysqld)}  
		stream to 127.0.0.1 2100

Then create a configuration for the monitor server as

/etc/symux.conf

:

   mux 127.0.0.1 2100

   source 127.0.0.1 {
	accept { cpu(0), mem, pf, if(xl0), if(xl1),
	         if(lo0), io(wd0), if(xl2),  debug,
                 if(bridge0), proc(httpd), proc(sshd),
		 proc(snort), proc(mysqld)}

	datadir "/var/symon/localhost"
   }

Then set some permissions on them. While not required, setting the permissions to 444 makes the file only have read permissions, no write or execute.

   # chmod 444 /etc/symon.conf
   # chmod 444 /etc/symux.conf

To start them, symux (the server) goes first so when the monitor (symon) starts, it has a server to send data to.

   # /usr/local/libexec/symux
   # /usr/local/libexec/symon

Edit

/etc/rc.local

and add this at the bottom:

   if [ -x /usr/local/libexec/symux ]; then
	echo -n ' symux';	/usr/local/libexec/symux
   fi

   if [ -x /usr/local/libexec/symon ]; then
	echo -n ' symon';	/usr/local/libexec/symon
   fi

Additional Notes

• pftop
• df -h
• fewer httpd children
• winscp