First Boot and bsdwall Install


The first boot of an OpenBSD machine after installation takes a little patience when that machine is "low-power" (i.e. a 486 or low-end Pentium).

After the blue-background hardware probe, the boot-up messages will suddenly pause for a minute or four at the lines about "generating RSA key" and "generating DSA key". If you have a 12MB 486 (or, god forbid, 8MB), the key generation may take 15 minutes or more. (Contrast that with a matter of seconds on a modern >gigahertz machine.)

This only happens once! These keys are permanent identifiers for the machine in encrypted conversations, and only need to be generated once. Future boot-ups will only take a minute or two, depending on how ancient your firewall is.
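Because these host keys identify the firewall in every later encrypted session, it is worth recording their fingerprints right after this first boot and re-checking them later. The following is an added example, not part of the original page or of bsdwall: it computes fingerprints in the SHA256 format that current OpenSSH prints and reports any key that differs from the recorded baseline. The key lines are constructed samples and all names in the code are illustrative.

```python
import base64
import hashlib
import struct

def fingerprint(pub_line):
    """SHA256 fingerprint of one public key line: "type base64 [comment]"."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != fields[0]:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def compare(baseline, current):
    """Map each key name to what happened to it since the baseline was taken."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings[name] = "new key"
        elif new is None:
            findings[name] = "key missing"
        elif old != new:
            findings[name] = "CHANGED"
    return findings

def constructed_key(key_type, filler):
    # Constructed sample: correct wire framing, meaningless key material.
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(filler)) + filler
    return "%s %s root@firewall" % (key_type, base64.b64encode(blob).decode())

FIRST_BOOT = {"rsa": constructed_key("ssh-rsa", b"\x01" * 32),
              "dsa": constructed_key("ssh-dss", b"\x02" * 32)}
LATER = {"rsa": constructed_key("ssh-rsa", b"\x01" * 32),
         "dsa": constructed_key("ssh-dss", b"\x03" * 32)}  # regenerated key

def check(first=FIRST_BOOT, later=LATER):
    baseline = {k: fingerprint(v) for k, v in first.items()}
    return compare(baseline, {k: fingerprint(v) for k, v in later.items()})

if __name__ == "__main__":
    for name, status in check().items():
        print(name, status)
```

A key reported as CHANGED means the machine's identity was regenerated or replaced, which is exactly what should never happen after this first boot without you knowing why.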


Finally, you will be presented with a "welcome" paragraph and a:


line. You type "root", hit ENTER, then give the root password you chose during the install. Please don't have forgotten that! If you have, however, there is help at the OpenBSD web site. For the truly faint of heart, here is a page that customizes those instructions to a bsdwall and makes them even simpler.

After you log in, there will be various messages, then finally a simple prompt character:

Getting the bsdwall setup script

The one and only actual software product offered at this web site is the bsdwall setup script. It is a short program in "perl", a computer language that every OpenBSD machine supports right "out of the box". Even better, it is provided in what BSD systems call a "package" file, which allows for automatic installation.

You get it from the web site, and install the program with a single command, typed at your "#" sign prompt:


Hit ENTER, and that's it. Wait a few moments for the download to take place, a few more for the install to be done. When it finishes, there's a message about it, and finally another "#".

To use the program, you don't have to reboot first, but to use it easily, you have to type this command at that next "#" prompt:
rehash (and hit ENTER).

The "rehash" command tells the system to add the new bsdwall script file to its "quick lookup" directory of available commands. Once done, you can run the bsdwall script by just typing the name at the "#" prompt. Typing the command alone just brings up the help page, as shown:

# bsdwall

bsdwall: A perl script that creates and administers a basic
         firewall that does NAT, filters incoming packets, and provides
         DHCP service to all machines "inside" the wall.
Usage:  bsdwall <command> [<option>

install [netwk]     Installs files in /etc/bsdwall, copies them to /etc
                    Optional "netwk", i.e. "192.168.5" sets inside network
remove              Replaces the changed files in /etc/ with the originals
uninstall           Runs "remove" first, then deletes /etc/bsdwall entirely.
backup [name]       Backs up files from etc/ to etc/bsdwall/backup[_name]
restore [name]      Copies files from /etc/bsdwall/backup[_name] to /etc
open                Writes a new /etc/ipf.rules file to totally OPEN the wall
close               Writes a new /etc/ipf.rules file to totally CLOSE the wall
filter              Copies  /etc/bsdwall/ipf.rules to /etc, restarts filtering
watch               Monitors incoming packet-blocks logged to ipflog
web                 Upon reboot, will run web server on inside network
noweb               Turns web server off again upon reboot

Response from the computer to the "bsdwall" command if used with no parameters: the "help" page.

The help page gives just enough description of each of the bsdwall commands to remind you what you can do with it. You can take two directions from this page:

Reference to all the bsdwall parameters


Use the "bsdwall install" command to turn your computer into a firewall (and more).