NetBSD Security Processes and Services: Activating Services


At this point, in theory, we are ready to start everything up. All of the services we will need running are:

Additionally, we need to make sure that IP forwarding is enabled in the kernel.

Turning on IP Forwarding

To turn on IP forwarding, use the sysctl facility:

sysctl -w net.inet.ip.forwarding=1

To have it turned on at bootup, append the following text to /etc/sysctl.conf:

net.inet.ip.forwarding=1

/etc/defaults/rc.conf and /etc/rc.conf

NetBSD's default rc settings are all kept in /etc/defaults/rc.conf. To make upgrades safer, override settings in /etc/rc.conf instead of /etc/defaults/rc.conf.

What we need in /etc/rc.conf

Basically, we can yank the contents of /etc/defaults/rc.conf and drop them right into /etc/rc.conf:

# cat /etc/defaults/rc.conf >>/etc/rc.conf
# vi /etc/rc.conf

Note the double ">" here to avoid overwriting the contents of /etc/rc.conf as shipped! Here is what /etc/rc.conf would look like after editing:

#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it. program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

# Add local overrides below
#
ipfilter=YES
ipnat=YES
ipmon=YES	ipmon_flags="-sn"
sshd=YES

On i386 (PC) systems you will also see the wscons framework enabled:

wscons=YES

Activating the Services

Next we have to activate the services. We can do this in one of two ways:

  1. reboot the system
  2. start using the rc scripts by hand

I prefer doing the latter first just to make sure everything is set up right, then I do a reboot to make sure all of the services will start up properly during the bootup sequence.

Starting Services "by hand"

Starting any service is quite simple:

# /etc/rc.d/[service_name] start

Additionally, a service may be stopped:

# /etc/rc.d/[service_name] stop

or restarted:

# /etc/rc.d/[service_name] restart

So for this firewall, here is the order in which we need to start the services:

# /etc/rc.d/sshd start
# /etc/rc.d/ipfilter start
# /etc/rc.d/ipnat start
# /etc/rc.d/ipmon start

In reality, the point at which sshd and ipmon start is arbitrary; ipfilter, however, must be enabled before ipnat.
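
Before the reboot test, it helps to confirm that the configuration files really enable everything this page relies on. The script below is an added example, not part of the NetBSD guide: the function names (rc_value, is_yes, audit_firewall_conf) are hypothetical, and the files it checks in the demo are constructed samples. It reads the files as text, so it can be run against copies of /etc/rc.conf and /etc/sysctl.conf on any machine.

```shell
#!/bin/sh
# Added example (not from the NetBSD guide): offline preflight check of the
# settings this page puts in /etc/rc.conf and /etc/sysctl.conf.

# rc_value FILE VAR: print the last value assigned to VAR. rc.conf is sourced
# as shell, so a later assignment overrides an earlier one, and one line may
# carry several assignments (ipmon=YES ipmon_flags="-sn").
rc_value() {
    sed -e 's/#.*//' "$1" | tr ' \t' '\n\n' |
        sed -n "s/^$2=//p" | tail -n 1 | tr -d '"'
}

# is_yes VALUE: the spellings rc.subr's checkyesno treats as enabled.
is_yes() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_firewall_conf RCCONF SYSCTLCONF: print whatever is not enabled and
# return non-zero if anything is missing.
audit_firewall_conf() {
    afc_missing=""
    for afc_svc in ipfilter ipnat ipmon sshd; do
        is_yes "$(rc_value "$1" "$afc_svc")" ||
            afc_missing="$afc_missing $afc_svc"
    done
    afc_fwd=$(sed -e 's/#.*//' "$2" | tr -d ' \t' |
        sed -n 's/^net\.inet\.ip\.forwarding=//p' | tail -n 1)
    [ "$afc_fwd" = "1" ] || afc_missing="$afc_missing net.inet.ip.forwarding"
    echo "${afc_missing# }"
    [ -z "$afc_missing" ]
}

# Demo on constructed files: ipnat is commented out, forwarding is absent.
demo_dir=$(mktemp -d)
printf '%s\n' 'ipfilter=NO' 'ipfilter=YES' '#ipnat=YES' \
    'ipmon=YES ipmon_flags="-sn"' 'sshd=YES' > "$demo_dir/rc.conf"
: > "$demo_dir/sysctl.conf"
audit_firewall_conf "$demo_dir/rc.conf" "$demo_dir/sysctl.conf" ||
    echo "not ready to reboot" >&2
rm -rf "$demo_dir"
```

An empty result means all four services and IP forwarding are enabled in the files; it says nothing about whether the services are currently running.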


$NetBSD: services.html,v 1.16 2005/09/28 17:24:21 mishka Exp $
Copyright © 1994-2005 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
NetBSD® is a registered trademark of The NetBSD Foundation, Inc.