Building an OpenBSD Live CD

Make the ISO Image

In the /livecd directory, run the following all on one command line:

# mkisofs -b cdrom36.fs -c boot.catalog -R -v -o /tmp/livecd.iso /livecd

After another wait, you'll have a burnable ISO image waiting for you as /tmp/livecd.iso.

Burn the CD

Use cdrecord to burn the ISO image to CD:

# cdrecord -v speed=24 dev=/dev/rcd0c -data /tmp/livecd.iso
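As an added example (not from the article or its author), here is a small POSIX sh wrapper around the two commands above. It checks the /livecd tree before calling mkisofs, records a SHA-256 of the resulting image beside it, and can later read the burned disc back sector by sector and compare it against that checksum, so a bad burn or an altered disc is noticed before it goes into service as the firewall. The function names and the LIVECD_DIR, BOOT_IMAGE and ISO_OUT variables are this example's own; their defaults are the article's paths.

```shell
#!/bin/sh
# Added example, not part of the article: preflight + build + checksum for the
# live CD image, and a read-back check of the burned disc.
# LIVECD_DIR, BOOT_IMAGE, ISO_OUT and the function names are this example's
# own; the defaults are the values used in the article.
set -u

LIVECD_DIR=${LIVECD_DIR:-/livecd}
BOOT_IMAGE=${BOOT_IMAGE:-cdrom36.fs}
ISO_OUT=${ISO_OUT:-/tmp/livecd.iso}

# SHA-256 of standard input as a bare hex string.
# OpenBSD ships sha256(1); most Linux hosts have sha256sum(1).
sha256_stdin() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    else
        sha256sum | cut -d' ' -f1
    fi
}

# Return 0 when it is safe to build: the tree exists, the boot image named
# by -b is inside it, and the output path is not already taken (so an image
# you have already verified is never silently overwritten).
livecd_preflight() {
    dir=$1; boot=$2; out=$3
    [ -d "$dir" ]       || { echo "no such tree: $dir" >&2; return 1; }
    [ -f "$dir/$boot" ] || { echo "boot image $boot not found in $dir" >&2; return 1; }
    [ ! -e "$out" ]     || { echo "$out already exists; move it aside first" >&2; return 1; }
    return 0
}

# Build the ISO with the article's mkisofs invocation, then record its
# checksum next to it as <iso>.sha256.
build_iso() {
    livecd_preflight "$LIVECD_DIR" "$BOOT_IMAGE" "$ISO_OUT" || return 1
    mkisofs -b "$BOOT_IMAGE" -c boot.catalog -R -v -o "$ISO_OUT" "$LIVECD_DIR" || return 1
    sha256_stdin < "$ISO_OUT" > "$ISO_OUT.sha256"
}

# Read the burned disc back and compare it with the recorded checksum.
# Only as many 2048-byte sectors as the image holds are read, because a
# drive may return padding sectors after the end of the ISO data
# (mkisofs output is always a whole number of sectors).
# DEV defaults to the article's /dev/rcd0c; any readable path works.
verify_burned_cd() {
    iso=$1; dev=${2:-/dev/rcd0c}
    expected=$(cat "$iso.sha256")
    sectors=$(( $(wc -c < "$iso") / 2048 ))
    actual=$(dd if="$dev" bs=2048 count="$sectors" 2>/dev/null | sha256_stdin)
    if [ "$expected" = "$actual" ]; then
        echo "$dev matches $iso ($sectors sectors, sha256 $actual)"
        return 0
    fi
    echo "MISMATCH: $dev does not match $iso" >&2
    return 1
}

# Usage: sh livecd-image.sh build | verify [device]
case "${1:-}" in
    build)  build_iso ;;
    verify) verify_burned_cd "$ISO_OUT" "${2:-/dev/rcd0c}" ;;
esac
```

Run `sh livecd-image.sh build` in place of the bare mkisofs command, burn with cdrecord as shown above, then `sh livecd-image.sh verify` with the disc still in the drive. Keeping the .sha256 file somewhere other than the CD itself lets you re-check a disc that has been out of your hands.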

OpenBSD Live CD Firewall

I've been using an OpenBSD Live CD as a NAT/firewall at school for a while now. The setup is actually quite simple. My internal and external network interfaces are fxp0 and fxp1, respectively. To activate PF and have it start automatically at boot, edit the /etc/rc.conf.local file and add the line pf=YES.

To enable IP forwarding, make sure that net.inet.ip.forwarding=1 is in /etc/sysctl.conf.

Finally, put your NAT/firewall rules in /etc/pf.conf:

int_if = "fxp0"
ext_if = "fxp1"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021

# filter rules
block all

pass quick on lo0 all

# drop packets with private source or destination addresses on the external interface
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# allow the following incoming traffic to the firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

# provide unrestricted Internet access to internal computers
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

These rules NAT all traffic from the internal network to the external network and redirect all internal traffic destined for port 21 (FTP) to port 8021 on the gateway. They also block unwanted traffic coming in from the outside (including packets carrying private addresses on the external interface), while allowing unrestricted outgoing traffic from the internal network. It's a good starting place for secure access that you can modify as you need.
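The three settings above (pf=YES in rc.conf.local, the forwarding sysctl, and pf.conf) are easy to get half-applied when a tree is rebuilt more than once. The following added example, not code from the article or its author, stages all three under a chosen root so that re-running it changes nothing, and runs the ruleset through pfctl -n (parse only, do not load) before it is ever loaded. ROOT defaults to / (the running system); pointing it at a staged /livecd tree is an assumption about the build layout, not a step the article documents. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the article: stage the three firewall settings
# (pf=YES, IP forwarding, pf.conf) under a root tree so the script can be
# re-run without duplicating lines, and syntax-check the ruleset before it
# is ever loaded. ROOT defaults to / (the running system); pointing it at a
# staged /livecd tree is an assumption about the build layout, not a step the
# article documents. Function names are this example's own.
set -u

# Append LINE to FILE unless that exact line is already present.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Set KEY=VALUE in a sysctl.conf-style FILE, replacing an existing KEY= line
# instead of adding a second one (a later net.inet.ip.forwarding=0 would win).
set_sysctl() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')      # dots are literal
    { grep -v -- "^$pat=" "$file" || :; } > "$file.tmp"
    printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Write the article's NAT/firewall ruleset with the interface names filled in.
# The quoted heredoc keeps $int_if, $ext_if etc. as PF macros.
write_pf_conf() {
    file=$1; int=$2; ext=$3
    {
        printf 'int_if = "%s"\n' "$int"
        printf 'ext_if = "%s"\n' "$ext"
        cat <<'EOF'
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
set block-policy return
set loginterface $ext_if
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block all
pass quick on lo0 all
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
EOF
    } > "$file"
}

# Parse the ruleset without loading it (pfctl -n). Skipped with exit 0 when
# pfctl is absent, e.g. when staging the tree on a non-OpenBSD host.
check_pf_conf() {
    file=$1
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; skipping syntax check of $file"
        return 0
    fi
    pfctl -nf "$file"
}

# Apply everything from the article under ROOT.
configure_firewall() {
    root=$1; int=$2; ext=$3
    mkdir -p "$root/etc"
    ensure_line "$root/etc/rc.conf.local" "pf=YES"
    set_sysctl "$root/etc/sysctl.conf" net.inet.ip.forwarding 1
    write_pf_conf "$root/etc/pf.conf" "$int" "$ext"
    check_pf_conf "$root/etc/pf.conf"
}

# Usage: sh stage-firewall.sh [ROOT] [INT_IF] [EXT_IF]; with no arguments
# it only defines the functions above.
[ $# -eq 0 ] || configure_firewall "${1:-/}" "${2:-fxp0}" "${3:-fxp1}"
```

On the running gateway, `sh stage-firewall.sh / fxp0 fxp1` followed by `pfctl -f /etc/pf.conf` applies the checked ruleset. One caveat: the nat/rdr lines are the article's OpenBSD 3.x syntax; from OpenBSD 4.7 on, pfctl rejects them and they have to be rewritten in the newer match ... nat-to / rdr-to form, which the parse-only check will tell you before anything is loaded.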

Best yet, it's on a CD, so I can have it with me wherever I go.

Resources

  • How to Make a Bootable, Full System OpenBSD 3.2 CDROM
  • OpenBSD CD Bootable Firewall System
  • PF User's Guide

Kevin Lo is an OpenBSD developer and a teacher at Kaiping Vocational School.

What's on your live CD?

  • pxe booting openbsd live cd
    2007-02-12 23:36:15  pankajTakawale

    Can you please discuss the steps for pxe-booting the openbsd live cd please?

    Basically I want to customize bsd.rd (mr.fs) to modify init scripts & inject custom application/ libraries such as libc etc.

    Pankaj.


  • Makefile.inc problem
    2006-05-17 07:43:54  Fler

    Hi!
    I'm not good at programming, so I have a problem with this patch.
    #patch -pO < Makefile.in gives to me:
    Hmm... Looks like a undefined diff to me...
    The text leading up to this was:
    ----------------------------
    |--- src/distrib/i386/common/Makefile.inc.orig Thu Mar 3 09:16:02 2005
    |+++ src/distrib/i386/common/Makefile.inc Thu Mar 3 09:16:02 2005
    ----------------------------
    Patching file src/distrib/i386/common/Makefile.inc using Plan A...
    Hunk #1 failed at 33.
    Hunk #1 failed at 53.
    2 out of 2 hunks failed--saving rejects to src/distrib/i386/common/Makefile.inc.rej
    done

    Why is this patch necessary, what is he doing?
    Can anyone help me? How should this patch be written for the newest 3.8?


    • Makefile.inc problem
      2007-10-09 10:41:13  VVPointer

      It's adding the kernel debugger, which is useful when the operating system panics and somebody asks you to obtain a stack trace.
  • Hint for 3.8-current (20060124)
    2006-01-24 15:27:01  rzoch

    (before # cd /usr/src/distrib/i386/ramdisk_cd && make)

    # cd /usr/src/distrib/special/libstubs/ && make && make install

    # cd /usr/src/distrib/i386/ramdisk_cd && make
  • what defines "system"?
    2005-10-04 10:37:49  -dgm-

    Can someone explain/define what the author means when he writes 'copy the whole system', or words to that effect, in the paragraph following the instruction to download the OpenBSD sources?

    thx
    • what defines "system"?
      2007-10-09 10:25:35  VVPointer

      If by "copy" you meant:

      "Then, tar up the whole system you want on the final system, and untar it into the /livecd directory (or copy it, directories and all, as you prefer)."

      there is a clue in the next sentence:

      "Copy your /var and /etc directories to /livecd/backups/{var,etc}"

      That means duplicate the parts of the currently running system, starting at the root of your file system, /, that you are using to build the LiveCD in the /livecd directory tree.

      For example:

      cp -pR /etc /livecd

      as well as other cp commands, or:

      tar -cf /tmp/mytarfile /

  • Small typo...
    2005-07-15 00:39:52  Piranha

    Nothing major, but when you mention moving your RAMDISK_CD to .old, you say under the directory "/usr/src/sys/arch/i386/" when it should really be under "/usr/src/sys/arch/i386/conf". Again, nothing major, but would help out some people who are new to this sort of thing.

    Hope that helps,
    -P-

