Basic OpenBSD Installation
Starting the Install / Partitioning
These instructions have been updated to cover OpenBSD 2.9. No
install prompt changes were noticed between 2.9 and 3.0, except
version related numbers. If however, in a 3.0 install, no DNS
server is provided or the DNS server is not used during the install,
network configuration files are not properly set up. Either not
having or not using a DNS server during the install appears to
create conditions that prevent Sendmail from delivering even the
local mail that is the installation default. This is discussed more
fully under network configuration and a tentative fix is discussed
sendmail on the page that
I would not do the work described on the following pages on an older
version of OpenBSD. As a practical matter, you're likely to get a
more secure system with much less work from a default install of the
current system than trying to harden an older version. Once a new
version becomes available, apply the suggestions from these pages,
to the new version even if these pages are not yet updated.
As a point of reference, all the OpenBSD systems I've built, have
been OpenBSD 2.6, 2.7 , 2.8, 2.9, and 3.0 on PIII 500 and Celeron
533, generic white box clones. They have all been IDE only, with
one or two 10/100 network cards. These are not anyone's idea of
contemporary server hardware but they are more than adequate for
firewalls and web servers connected by a T1 or SDSL line. Unless
such a web server does a huge amount of disk intensive database type
access building dynamic pages, a T1 line will be saturated before
the IDE interface and the CPU is very unlikely to be the limiting
resource. The only steps that are hardware specific are some kernel
options disabled when building a custom kernel. Most of my computer
cases now have removeable hard drive bays that let me swap hard
disks in a few seconds. Depending on what's where, I typically have
three to six working OpenBSD systems and have long since lost track
of how many installs I've done. Most have applied the techniques
described in these pages in varying degrees.
When you have a computer that is ready for OpenBSD, put the OpenBSD
boot / install floppy and the install CD ROM in their drives and
boot from the floppy. The official CD ROM is bootable if your PC's
bios supports it. If you need help creating a boot floppy see
OpenBSD install floppies.
The first prompt is for "(I)nstall, (U)pgrade, (S)hell?". We are
only doing installs so type 'i' and press Enter. You're then
prompted for terminal type and root disk. I've always used the
defaults. When prompted "Do you want to use the entire hard disk
for OpenBSD? [no]" change the default no to yes, i.e., type a 'y'
and press enter. Hardening as described here is labor intensive.
Though it's desirable to harden any system connected to the
Internet, the measures described are excessive for anything but a
full time Internet server. Full time Internet servers are not
built on dual boot systems.
Your first significant choices come when you get the > prompt
of the disk partitioning program. At the > prompt type a 'p'.
(Press Enter after each of the commands shown here and don't type
the quotes.) You will see the current partioning information. If
no partition information has been entered, you will see a c
partition with the total disk size. The c partition is reserved.
To add a partition type 'a' and the letter for the partition.
Typically you will start with the 'a' partition so type 'a a' at the
> prompt. This will become wd0a on an IDE drive or /dev/wd0a. A
SCSI disk will be sd0a or /dev/sd0a. The root partition ("/") is
normally mounted on wd0a. If you create separate partitions for the
major file systems, the basic OpenBSD 2.9 install places less than
20MB in the root partition so it can be quite small. With today's
huge hard disks, I typically make partitions at least two to four
times the minimum necessary size.
After entering the "a a" you will get a series of prompts. I
normally use all defaults except mount point and partition size.
As I said, / is normally mounted on wd0a. If you want a 64MB
partition you can type '64m' or '64M' as the size. You could
allocate nearly the entire hard disk to /. Though this is very
flexible, it's not considered good practice as it increases the
risk of filesystem damage and makes it harder to recover the
system if there is filesystem damage. Using a single large
partition also limits the mount options that can be applied
to different areas. Mount options that may enhance security
are discussed later.
The b partition is normally the swap partition. After typing "a
b" you only need to give the partition size as the b partition
defaults to the swap type. Typically this is at least as large
as physical memory; I normally make swap partitions twice the
memory size if that is practical.
If you try "a c" you'll get an error message. Continue with 'd'
which will become wd0d or /dev/wd0d (or sd0d for SCSI disks). I
typically create file systems for /home, /tmp, /usr and /var. This
leaves /bin, /dev, /etc, /root and /sbin in / and these are included
in the under 20MB size for the root partition. If you're going to
add a lot of third party programs a /usr/local might be a useful
additional partition. If you use the partitions suggested here,
/home and /tmp will be empty, /usr will be close to 120MB and /var
will start with several megabytes at the completion of the basic
install. The system (kernel) source code will add somewhat less
than 70MB to /usr/src/sys if a custom kernel is to be built. This
can be reduced by about 30MB by removing source not applicable to
your platform from the /usr/src/sys/arch directory.
Since /var gets system log files and certain automated backups
provided by OpenBSD it can grow quickly. I also typically add a
significant number of custom logs and online backups in /var/local.
/var is normally my largest partition. I like a large (2GB or more
depending on available disk space) /tmp partition for work space for
occasional full system backups and other big temporary files. Since
/var will be my largest file system and I have in the past, used all
space not already allocated to other partitions, I do /var last and
take the default size which is all the remaining disk space.
Partition letters do not need to be allocated sequentially or
contiguously. Recently I've gotten huge (to me) 40GB disks and
switched /var and /tmp around and sometimes not partitioned all the
You can try to anticipate your system disk usage and allocate all
your available disk space or you can leave some unpartitioned.
Unfortunately, you cannot add space to a partition once it's
created. You can add new partitions with mount points inside of
an existing file system. For example, suppose /usr is filling up
and much of this is in /usr/local. You could tar /usr/local,
erase the contents of /usr/local, create a new partition with a
mount point of /usr/local and restore the contents from the tar.
/usr would have back the space erased from /usr/local and the new
/usr/local would be whatever the new partition size was.
Until recently, I've prefered to allocate all available disk space.
If you get it wrong, all is not lost. If you follow the procedures
described later, you will create a CD-R disk that will serve as an
install / recovery disk. This can be used to restore the finished
system configuration over a disk that you repartition after you
learn how disk use is actually growing. At today's prices, having at
least one CD-R drive available in any business and most homes, makes
As disk prices have plummeted and drive sizes climed, the smallest
disk I can buy today is much larger than I need. If a system crashes
when it reboots, the system will check the integrity of filesystems
that were mounted and writeable at the time of the crash. This time
increases as the filesystem size increases. If a disk is much larger
than you need, it might be better to leave a large unpartioned area
for future use and to save time on these rare forced reboots.
(Even if OpenBSD is very stable, and it is, hardware and electicity
both fail and UPSs run out of battery power.)
When you are done with partitioning, you can save your changes
and exit with a "q". I feel safer first writing the changes with
a "w" followed by "q" though the "w" should not be necessary.
If the system has been previously installed with a recent OpenBSD
system and the partition sizes are satisfactory, it is not
necessary to make changes. Previous partitioning choices can be
viewed with the "p" command. You will need to know which
partitions go with which mount points.
If you need to make changes, you can delete partitions with "d"
and the partition letter. Previously, I often deleted all the
partitions, except c which the system won't let you delete, and
started over. Recent installs have been over previous OpenBSD
systems with satisfactory partition sizes. On these, I've simply
accepted the existing partitions.
It should be possible to delete and reallocate adjacent
partitions. Once you've deleted all existing partitions, the
process is the same as partitioning a new hard disk.
When you exit the partitioning program, normally the / and swap
partitions are set with / on wd0a and swap on wd0b but you will
be prompted to confirm the other partitions and their mount
points. If you have assigned all partitions and mount points,
you should see normally see the 'wd0d' partition defaulted to the
mount point you gave it. If so, you can just type 'done'.
If you have used pre-existing partitions and did not explicitly
assign mount points to each partition, you must specify the mount
points at this time. When all partitions have been assigned mount
points, the program will cycle back to the first partition. When
you see the first partition, typically 'wd0d' with the correct
mount point, you can type 'done' or press Enter several times to
cycle through the partitions again to review your choices. When
you're satisfied, type 'done' to continue.
You will then get an additional prompt to confirm that you are
done with the current disk. If you have only one disk, press
Enter in response to "Which one? [done]". The next prompt warns
that existing data will be overwritten. Respond to "Are you
really sure that you're ready to proceed? [n]" with a 'y' when
you do wish to continue. The filesystems will be created.
Network configuration follows the disk formatting. You need
host and domain names. Unless you're building a bridging
firewall, you'll also need IP address, network mask, default
route and default DNS server. After entering the host and domain
names, the install process will show the recognized network
interfaces with the first being the default selection.
The first prompt for a network card is the IP address or dhcp. A
server such as we're building won't use DHCP; it needs to be
found at a constant location. You need an IP address. After the
IP address, there is a prompt for a symbolic host name which will
be defaulted to the host name already provided. Next you enter
netmask and then the available media options are shown.
Until recently I've always used the default media option.
Starting with 2.9, I've run into repeated situations where my
standard network card, a Netgear FA310TX, won't work reliably
without specifying the correct media options. If you know from
the list of options that the default is wrong, then change it.
For example, if you have a 10/100 card but connect to a 10-BaseT
hub or are using CAT 3 cabling, you may want to force the card
to operate at 10 Mbps, especially if the card has had difficulty
auto sensing what it is connected to. If you have multiple
cards, the install defaults to done after the first. You have to
explicitly provide the second device name (from the displayed
list) to configure the second card.
There is some performance overhead of auto sensing modes but
forcing the wrong media settings will be a lot worse. Be
espcially careful if you have a mixture of different speed
equipiment such as 10mbps and 10/100mbps and the same machine
might get connected to different equipment or has multiple NICs
connected to different speed equipment. While just about all
NICs, hubs and switches today are 10/100 (or faster), the
Ehthernet connection on DSL routers and cable modems is typically
10mbps. Specifying 10baseT where the connected equipment is
10/100 will obviously waste most of the available bandwidth but
specifying 100baseTX where connected equipment is 10mbps may
freeze the connection. I have an old 10mbps hub that I use
purely for testing some network and firewall configurations. If I
connect a cable from a card that is set at 100baseTX to this hub,
the collision light goes solid and cards on other machines
connnected to this hub start reporting timeouts.
Even worse, is improperly setting "mediaopt full-duplex". If a NIC
or hub is not explicitly labeled full duplex, assume that it's not.
My 10/100 NICs are but my 10/100 hubs are not. I mistakenly set
some cards as full-duplex. You get no errors or messages and things
seem to work. You can ping and ssh to systems and things seem
normal. You know something is wrong when you transfer a large file
and the speed is about that of 56Kbps modem. Because 56K is fast
enough for ssh and small file transfers and the condition may have
existed for some time, it can be difficult to reconcile the
obviously too slow large file transfer with the fact that all
connections over the same path are too slow.
Next are prompts for default route and DNS server and normally
you'll need both. If you are building a bridged firewall you
don't need (or want) either. A bridged firewall won't be talking
to the outside world, at least not as a typical UNIX server. If
you're installing a routing firewall then you will need all the
network information including IP addresses and netmasks for each
network card. You may need to subnet, in which case you may be
using a different netmask than provided by your ISP.
Starting in OpenBSD 3.0, if you don't provide a DNS server the hosts
file will be setup without a domain name even though you provided
one and no resolv.conf file will be created. If you provide but
choose not to use the DNS lookup when prompted, resolv.conf will be
created but the hosts file will be set up without a domain. Either
prevents sendmail from delivering local e-mail. The fix is discussed
in "Removing Unneeded Services" when
sendmail is discussed.
Linux and OpenBSD Firewalls by Wes Sonnenreich and Tom
Yates was the best source for the information on OpenBSD firewall
and router network setup. It also briefly covers hardening an
OpenBSD system. This book has some very practical information
that I haven't found elsewhere but is sometimes written in an
annoying, juvenile tone.
With IP Tables replacing ipchains as the Linux firewall in the
2.4 Linux kernel (Red Hat 7) and with IP Filter being removed
from OpenBSD immediately after the release of 2.9 (June 2001) due
to licensing issues, Building Linux and OpenBSD Firewalls
has for many purposes become instantly obsolete. If you have
really immediate needs, i.e. are installing OpenBSD from 2.9 or
earlier official CD ROMs or are more concerned with firewall
routing issues than firewall rule sets, the book still has some
value. Otherwise wait until a new edition covers the new firewall
I strongly disagree with Sonnenreich and Yates' comments on
bridged firewalls. They dismiss bridged firewalls as a not
recommended, advanced topic beyond the scope of the book. With
the limited number of IP addresses I have, I could not have my
LAN and a firewall without bridging; bridging seems simpler than
routing to me. A bridging firewall cannot provide Network
Address Translation (NAT or masquerading in Linux terms) but also
does not require any IP addresses. Without IP addresses, a
bridged firewall cannot be remotely managed but also cannot be
attacked via the network.
There is a have your cake and eat it too trick, that can be used
on a bridged firewall. One of the NICs, usually the inside one,
can have a non routeable IP address, such as 10.11.12.1. One or
more local computers can also have 10.11.12.0/24 addresses, in
addition to their standard IP address and thus access the
firewall via the network for management. In this configuration,
there is no way an outside attacker can touch the firewall
without getting through the firewall, cracking one of the
management computers and then attacking the firewall from the
Also the O'Reilly
Internet Firewalls, Second Edition has a long chapter on
hardening UNIX "bastion hosts" as they call a hardened system and
one on Windows NT/2000 as well. The two books and these web
pages cover some common ground but there are different emphases
and points of view in each.
After providing the name server IP address, you will be asked
"Would you like to use the name server now?[y]" Change the default
response to 'n' if you are not connected to the network
(suggested for maximum security). If you don't use a name server,
you will be given an opportunity to manually edit the host table.
The instructions suggest you may want to edit the host table to
provide the name of an NFS or FTP server from which you will be
installing. Then there is an "Escape to shell?[n]" prompt; accept
Next, you'll be asked to type and retype the root password. This
should be a good password, not subject to dictionary or common
password list attacks. See password.pl for sample,
program generated, good passwords. Next is a prompt asking if you
will be using the X Window System. Change the default 'y' to 'n'.
The stripped server we're building will be reduced to the bare
essentials necessary to run the required services only.
Minimal Software Install
You are then prompted for the type of install. You can install
via FTP, HTTP, tape, CD-ROM, NFS or local disk. The FTP and HTTP
options are for fast Internet connections and will install
directly from one of the OpenBSD mirrors. These instructions
assume a CD ROM install. The
Installation Guide for 2.8 - 3.0 doesn't seem to have the
instructions for the other types of media. The large (100K)
INSTALL.i386 file in the 3.0/i386 directory of OpenBSD mirror
sites has rather complete instructions for installing by means
other than CD, somewhat over halfway down in the file. After
typing "c" for a CD ROM install, confirm the install CD ROM
drive. You will then be prompted for the install directory. The
default (on Intel architecture) is /3.0/i386. If your install
files are in another directory relative to the CD ROM root, you
will need to provide that directory. The prompt wording suggests
that the leading slash should not be included. The default does
include the leading slash and it works with the leading slash.
A list of install files is then displayed. base29.tgz,
etc29.tgz, man29.tgz and bsd are pre-checked. In 3.0 the names
are the same but each "29" has become a "30". Type 'comp29.tgz'
or 'comp30.tgz' to install the GNU C, C++, and Fortran compilers
and other development tools. You'll need the C compiler to build
the custom kernel described later. Having the compilers is also
handy for adding software for which source code but not OpenBSD
packages is available. You don't need to install the comp install
set if you don't plan to build a custom kernel or add other
software from source code. If you follow the file removal step
described later, the compilers will be removed before
finishing the system.
Don't install the X Window components. Servers such as we're
setting up may go for days at a time with no one logged in and
aren't intended to be easy to use interactively. Actually, for
many purposes, if you know what you are doing, the command line
is at least arguably easier than GUI interfaces.
After confirming that you're "Ready to extract the selected file
sets?[y]", the selected software will be installed. A progress
report is displayed for each install set. I've seen an install
stop working and display a "stalled" error message on a few
occasions. At least once, pressing Enter got it started again. A
Ctrl+C will drop you out of the install process and you'll have
to start over. If you do have to start over, it's not necessary
to repeat the partitioning. Just assign each partition to a mount
At the completion of the install, you will be prompted (defaulted
to "n") if you wish to install additional sets. Following
version 2.7, a prompt related to SSL encryption was removed as
the patents expired and SSL is now included in the base install.
A time zone prompt is last. The installation makes all device
nodes, creates the /boot file and does some other final
installation. If everything has gone as expected the install
CONGRATULATIONS! You have successfully installed OpenBSD!
To boot the installed system, enter halt at the command prompt.
Once the system has halted, reset the machine and boot from the disk.
Two messages appear after you type 'halt', saying
syncing disks... done
The operating system has halted.
Type any key to reboot the system.
If the floppy is still in the drive, remove it before the system
Top of Page -
Copyright © 2000 - 2012 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or terms.pl) from the time of the distribution.
Distribution of substantively modified versions of GeodSoft content is
prohibited without the explicit written permission of George Shaffer.
Distribution of the work or derivatives of the work, in whole
or in part, for commercial purposes is prohibited unless prior
written permission is obtained from George Shaffer. Distribution in
accordance with these terms, for unrestricted and
uncompensated public access, non profit, or
internal company use is allowed.