From Nerdica Wiki
Jump to: navigation, search

Packet Filter


Real-time display of Packet Filter Logs:

sudo tcpdump -n -e -ttt -i pflog0 src host not and dst port not 6882


Update/replace a table:

sudo pfctl -t retards -T replace -f /etc/pf.d/tables/blacklist.txt

Display a table called 'retards':

pfctl -t retards -T show

Show the current state table:

sudo pfctl -s state

sudo pfctl -ss

Configuration Files

Load a Packet Filter configuration file:

pfctl -f /etc/pf.conf

Parse a configuration file but do not load it:

pfctl -nf /etc/pf.conf

Load only the NAT rules from the file:

pfctl -Nf /etc/pf.conf

Load only the filter rules from the file:

pfctl -Rf /etc/pf.conf

Show states

Show the current NAT rules:

pfctl -sn

Show current filter rules:

pfctl -sr

Show filter stats and counters:

pfctl -si

Show everything it can show:

pfctl -sa

Updating OpenBSD Via Source

Grab source from CVS

First Time

For -current:

cd /usr
cvs -qd get -P src

For -stable:

cd /usr
cvs -qd get -rOPENBSD_5_2 -P src


For -current:

cd /usr/src
cvs -q up -Pd

For -stable:

cd /usr/src
cvs -q up -rOPENBSD_5_2 -Pd

Rebuilding the Kernel

# cd /usr/src/sys/arch/i386/conf
# /usr/sbin/config GENERIC
# cd /usr/src/sys/arch/i386/compile/GENERIC
# make clean && make depend && make

Rebooting with the new kernel

# cd /usr/src/sys/arch/i386/compile/GENERIC
# make install          (Safely install new kernel)
# reboot

Rebuilding the userland binaries

# rm -rf /usr/obj/*
# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build

Updating Ports Via CVS

First Time

For -current:

# cd /usr
# cvs -qd get -P ports

For -stable:

# cd /usr
# cvs -qd get -rOPENBSD_5_2 -P ports


For -current:

# cd /usr/ports
# cvs -q up -Pd

For -stable:

# cd /usr/ports
# cvs -q up -rOPENBSD_5_2 -Pd


Making a release

Read [1]

Define our DESTDIR and RELEASEDIR environment variables:

# export DESTDIR=/usr/dest
# export RELEASEDIR=/usr/rel

We now clear the DESTDIR and create the directories if needed:

# test -d ${DESTDIR} && mv ${DESTDIR} ${DESTDIR}.old && rm -rf ${DESTDIR}.old &
# mkdir -p ${DESTDIR} ${RELEASEDIR}

RELEASEDIR does not normally need to be empty before starting the release process, however, if there are changes in the release files or their names, old files may be left laying around. You may wish to also erase this directory before starting.

We now make the release itself:

# cd /usr/src/etc
# make release

After the release is made, it is a good idea to check the release to make sure the tar files are matching what is in the DESTDIR. The output of this step should be very minimal.

# cd /usr/src/distrib/sets
# sh checkflist

You now have complete and checked release file sets in the RELEASEDIR. These files can now be used to install or upgrade OpenBSD on other machines. The authoritative instructions on making a release are in release(8).

Note: if you wish to distribute the resultant files by HTTP for use by the upgrade or install scripts, you will need to add an "index.txt" file, which contains the list of all the files in your newly created release.

# /bin/ls -1 >index.txt

Once you have the complete release made, you can use those files for a standard install or upgrade on another machine, or if updating a machine to a new -stable, simply unpack the tar files in the root directory of the target machine.

Making X

Starting with v7, X switched to "modular build" system, splitting the source tree into more than three hundred more-or-less independent packages. To simplify life for OpenBSD users, a "meta-build" called Xenocara was developed. This system "converts" X back into one big tree to be built in one process. As an added bonus, this build process is much more similar to the build process used by the rest of OpenBSD than the previous versions were.

The official instructions for building X exist in your machine's /usr/xenocara/README file and in release(8).

Getting source code

The "usual" location for the xenocara source tree is /usr/xenocara, and the source is stored in the xenocara module in CVS. So, the checkout process is this:

$ cd /usr
$ cvs checkout -P xenocara

Building Xenocara

For building the standard xenocara tree as supported by OpenBSD, no external tools are needed.

# cd /usr/xenocara
# rm -rf /usr/xobj/*
# make bootstrap
# make obj
# make build

If you wish to make actual modifications to the source code, you will probably need to add several packages. Details are in the /usr/xenocara/README file. Making a release

This is similar to the main system release process. After successfully building X, you will define a DESTDIR and RELEASEDIR, with the same purposes as above. The RELEASEDIR can be the same directory as the main system RELEASEDIR, but DESTDIR will be erased and rebuilt in this process. If done carefully, this is not a problem, but using a separate DESTDIR may be "safer". For this example, we will use a DESTDIR and RELEASEDIR of /usr/dest and /usr/rel, respectively. This must be done after the above build process.

# export DESTDIR=/usr/dest
# export RELEASEDIR=/usr/rel
# test -d ${DESTDIR} && mv ${DESTDIR} ${DESTDIR}- && \
     rm -rf ${DESTDIR}- &
# mkdir -p ${DESTDIR} ${RELEASEDIR}
# make release

When this process is completed, you will have a set of release files in the $RELEASEDIR.

Hardware Sensors

Check hardware sensors

# sysctl -a | grep "hw.sensors"