NetBSD PXE boot install (without NFS)

This was tested on NetBSD 3.99.16; the instructions should apply to other versions as well. Steps where you may run into version incompatibilities are flagged with "Version Note".

To install NetBSD over PXE boot we first need a TFTP server. Ensure that the tftp entry in /etc/inetd.conf is uncommented and that inetd is enabled in /etc/rc.conf. The -s flag below makes tftpd chroot into /tftpboot, so clients can fetch nothing outside that directory; -l logs every request via syslog, which is the first place to look when a client silently fails to boot.

/etc/inetd.conf

  tftp dgram udp wait root /usr/libexec/tftpd tftpd -l  -s /tftpboot

/etc/rc.conf

  inetd=YES

Then create the /tftpboot directory and populate it. You will need pxeboot_ia32.bin (shipped in base.tgz as ./usr/mdec/pxeboot_ia32.bin) and the netbsd-INSTALL kernel.

Note: The installboot command is only necessary if you are booting via a serial console (as with the Soekris box used in this paper); skip it otherwise.
Version Note: Older versions of installboot may not support editing pxeboot_ia32.bin with -e. If you need serial console support on such a version, extract or build pxeboot_ia32_com0.bin and serve that file instead.

  # cd /root
  # mkdir -p /tftpboot
  # gunzip netbsd-INSTALL.gz
  # cp netbsd-INSTALL /tftpboot
  # tar -zf base.tgz -x ./usr/mdec/pxeboot_ia32.bin
  # cd usr/mdec
  # installboot -e -o console=com0,speed=19200 pxeboot_ia32.bin
  # cp pxeboot_ia32.bin /tftpboot

Next, configure dhcpd and enable it in /etc/rc.conf. It must hand out pxeboot_ia32.bin as the boot file (and name the TFTP server) so that the PXE client knows what to fetch.
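The following script is an added example and is not part of the original paper. It checks the TFTP side of the setup above (the boot file must sit inside the tftpd chroot and be readable by the unprivileged user tftpd switches to, see -u in tftpd(8)) and prints the dhcpd.conf stanza that points clients at the file. The subnet 10.0.0.0/24, the range 10.0.0.100-10.0.0.150 and the TFTP server address 10.0.0.1 are assumptions for the example. Nothing in PXE, DHCP or TFTP authenticates the server or the file it serves, so run this on a network you control.

```shell
#!/bin/sh
# Added example, not part of the original paper: a preflight check for the
# TFTP side of the PXE setup plus the dhcpd.conf stanza that points clients
# at the boot file.  The subnet, address range and server address below are
# assumptions for the example; adjust them to your network.

# pxe_check_tftp ROOT FILE
# tftpd -s ROOT chroots into ROOT, so FILE must be a plain name relative to
# it, must exist there, and must be readable by the unprivileged user that
# tftpd switches to (see -u in tftpd(8)).  A boot file copied by root with
# mode 0600 looks fine in ls but fails with "Permission denied" at boot.
pxe_check_tftp() {
    root=$1
    file=$2
    case $file in
        /*|*..*) echo "$file: must be a plain name relative to $root" >&2; return 1 ;;
    esac
    [ -d "$root" ] || { echo "$root: tftp root does not exist" >&2; return 1; }
    [ -f "$root/$file" ] || { echo "$root/$file: not found" >&2; return 1; }
    # column 8 of "ls -l" is the read bit for "other"
    case $(ls -ld "$root/$file" | cut -c8) in
        r) return 0 ;;
        *) echo "$root/$file: not world-readable" >&2; return 1 ;;
    esac
}

# pxe_dhcpd_stanza SUBNET NETMASK RANGE_LO RANGE_HI TFTP_SERVER FILE
# Print the dhcpd.conf subnet declaration: next-server is the TFTP host and
# filename is the boot file, relative to the tftpd chroot.
pxe_dhcpd_stanza() {
    cat <<EOF
subnet $1 netmask $2 {
    range $3 $4;
    next-server $5;
    filename "$6";
}
EOF
}

# Usage: sh pxe_preflight.sh /tftpboot pxeboot_ia32.bin
# With no arguments the script only defines the functions.
if [ $# -ge 2 ]; then
    pxe_check_tftp "$1" "$2" &&
    pxe_dhcpd_stanza 10.0.0.0 255.255.255.0 10.0.0.100 10.0.0.150 10.0.0.1 "$2"
fi
```

Append the printed stanza to /etc/dhcpd.conf, set dhcpd=YES in /etc/rc.conf, and rerun the check after every copy into /tftpboot; the permission test is what catches a boot file copied from a root-only staging directory.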

Posted in NetBSD, Papers, System Administration

Securing Wireless Communications with IPSec

This paper attempts to explain how to configure racoon/ipsec-tools to encrypt wireless communications.

Our example does not cover configuring the wireless gateway as an access point; it assumes an already configured access point is plugged into one of the gateway's NICs. It also assumes that both the client and the gateway run NetBSD; the procedure is nearly the same on FreeBSD and Mac OS X.

For our example, assume the gateway is 10.0.0.1 and the wireless client is 10.0.0.50.

You need to ensure that IPsec is enabled in your kernel. If it is not, add or uncomment the following lines in your kernel config and recompile the kernel; recompiling the kernel is outside the scope of this document.

Note: IPSEC_DEBUG is not required, but if you have to troubleshoot any failures it will be most useful.

  [...]
  options IPSEC
  options IPSEC_ESP
  options IPSEC_DEBUG
  [...]

Next, configure the IPsec policy rules. On NetBSD they live in /etc/ipsec.conf and are loaded by setkey(8) at boot when ipsec=YES is set in /etc/rc.conf.

Posted in DragonFlyBSD, FreeBSD, NetBSD, Networking, Papers, Security

Configuring CGD with two-factor authentication on NetBSD

This was tested on NetBSD 3.99.16; the instructions should apply to any version with cgd support.

Note: In this example we use a vnode disk; the vnd-specific steps may be omitted if they do not apply to you.

First, the cgd pseudo-device must be compiled into the kernel:

  pseudo-device  cgd             4       # cryptographic disk devices

Now, let us begin by generating a 50 MB file that will become our crypto disk.

  # dd if=/dev/zero of=encrypted.img bs=1m count=50
  50+0 records in
  50+0 records out
  52428800 bytes transferred in 0.623 secs (84155377 bytes/sec)

Now that we have the 50 MB file, attach it to a vnode disk; vnd0 is used throughout this example.

  # vnconfig vnd0 encrypted.img
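The script below is an added example, not the paper's own procedure: it carries the setup on from the vnd0 image to a mounted cgd and checks that the parameters file really holds two factors. It assumes i386 (so /dev/vnd0d is the whole-disk partition), cgd0 as the cgd device, and a made-up path /media/usbkey/vnd0 on removable media for the paramsfile, so that the stored key in that file is "something you have" and the passphrase "something you know". Passing -k twice so that cgdconfig combines both key generation methods into one key is my reading of cgdconfig(8); confirm it against the man page of your version before depending on it.

```shell
#!/bin/sh
# Added example, not part of the original paper: finish the cgd setup on
# the vnd0 image and check that the parameters file really carries two
# factors.  Assumptions: i386, so /dev/vnd0d is the whole-disk partition;
# the cgd device is cgd0; the paramsfile lives on removable media at the
# made-up path /media/usbkey/vnd0, so the stored key in it is "something
# you have" and the passphrase "something you know".  Passing -k twice so
# that cgdconfig combines both methods into a single key is my reading of
# cgdconfig(8); confirm it on your version before depending on it.

PARAMS=/media/usbkey/vnd0    # assumed location of the paramsfile

# cgd_params_check FILE
# Reject a paramsfile with fewer than two keygen methods (not two-factor)
# or without a real verification method: with verify_method none a
# mistyped passphrase "succeeds" and yields an unreadable disk.
cgd_params_check() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read" >&2; return 1; }
    n=$(grep -c '^[[:space:]]*keygen ' "$f" || true)
    if [ "$n" -lt 2 ]; then
        echo "$f: $n keygen method(s); two are needed for two-factor" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*verify_method[[:space:]]+' "$f" ||
       grep -Eq '^[[:space:]]*verify_method[[:space:]]+none' "$f"; then
        echo "$f: no verification method; a wrong passphrase would go undetected" >&2
        return 1
    fi
    return 0
}

# cgd_create: the privileged steps, run once by hand after vnconfig.
cgd_create() {
    # A 256-bit AES-CBC key built from a random stored key and a passphrase
    # stretched with PBKDF2; the disklabel is used to verify the passphrase
    # on later configures.
    cgdconfig -g -V disklabel -k storedkey -k pkcs5_pbkdf2/sha1 \
        -o "$PARAMS" aes-cbc 256 || return 1
    cgd_params_check "$PARAMS" || return 1
    # No disklabel exists yet, so override verification for the very first
    # configure (this prompts for the passphrase).
    cgdconfig -V none cgd0 /dev/vnd0d "$PARAMS" || return 1
    disklabel -e -I cgd0            # add an 'a' partition of type 4.2BSD
    newfs /dev/rcgd0a
    # Unconfigure and reconfigure so that disklabel verification is
    # exercised once before any data is stored on the disk.
    cgdconfig -u cgd0
    cgdconfig cgd0 /dev/vnd0d "$PARAMS" || return 1
    mount /dev/cgd0a /mnt
}
```

Run cgd_params_check against the paramsfile after every change to it; it also makes a useful test for a backup copy of the file, since losing the stored key loses the disk no matter how well the passphrase is remembered.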


Posted in NetBSD, Papers, Security