OpenBSD PXE boot and tftpd server setup
The following pxe-boot-prepare.sh script automates the manual steps to set up an OpenBSD box as a tftpd(8) server for PXE network installs.
These steps are outlined in the OpenBSD FAQ entry 6.10, "How do I boot using PXE? (i386, amd64)". The FAQ does not mention (yet) that, besides an optional /etc/boot.conf, the latest incarnations of the OpenBSD installer also try to retrieve an /etc/random.seed. This script generates such a file so the installer can use it. Features:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump. Last edited by J65nko; 25th December 2014 at 05:13 AM.
pxe-boot-prepare.sh script
The pxe-boot-prepare.sh script:
Code:
```sh
#!/bin/sh
# (c) J65nko daemonforums.org
# ISC license
#
# ---- prepare OpenBSD box as PXE boot server
# See http://www.openbsd.org/faq/faq6.html#PXE for the details
# If you use an 'install.conf' file for autoinstall(8) read that
# man page for additional instructions on configuring the DHCP server

if [ "$(id -u)" -ne 0 ]; then
    echo "$0 error: Requires root privilege, sorry, bailing out ...."
    exit 10
fi

case "$1" in
    amd64 | i386 ) ARCH="$1" ;;
    * ) echo "$0 : Please specify architecture ('amd64' or 'i386')"
        exit 1 ;;
esac

# tftpboot is a dyslexic nightmare so we select another name here ....
PXE_DIR=/pxe
WEBDIR=/home/www/snapshots/${ARCH}
COM_SPEED=19200

echo Creating ${PXE_DIR}/etc ...
mkdir -p ${PXE_DIR}/etc

# --- enable tftpd daemon in /etc/rc.conf.local
FILE=/etc/rc.conf.local
#FILE=$(basename $FILE)

echo Checking for 'tftpd_flags' setting in "${FILE}" ...
if grep 'tftpd_flags=' ${FILE} ; then
    echo Trivial File Protocol Daemon already mentioned in "${FILE}"
    echo So please check it ....
else
    echo Updating ${FILE} to enable TFTP daemon..
    cat <<-END >>${FILE}
# --- $(date) ---
#tftpd_flags=NO                 # for normal use: "[chroot dir]"
tftpd_flags=${PXE_DIR}
END
fi

echo "Creating ${PXE_DIR}/etc/random.seed for bootloader ..."
# -- code lifted from /etc/rc
#dd if=/dev/random of=${PXE_DIR}/etc/random.seed bs=512 count=1 status=none
dd if=/dev/random of=${PXE_DIR}/etc/random.seed bs=512 count=1
chmod 644 ${PXE_DIR}/etc/random.seed

# See boot.conf(8) for the details
FILE=${PXE_DIR}/etc/boot.conf
#FILE=$(basename ${FILE})

echo Creating ${FILE} ...
cat <<END >${FILE}
time
set image bsd.rd
stty com0 ${COM_SPEED}
set
set tty com0
set
END

echo Deleting ${PXE_DIR}/INSTALL.\* ...
rm -f ${PXE_DIR}/INSTALL.*

echo Copying 'pxeboot', 'bsd.rd' and "INSTALL.${ARCH}" from ${WEBDIR} ....
# INSTALL.${ARCH} is not needed for PXE booting
# we use it only as indicator for architecture
cp -p ${WEBDIR}/{pxeboot,bsd.rd,INSTALL.${ARCH}} ${PXE_DIR}

# -- for autoinstall(8). See NOTE at end of script
# Not harmful if you don't use autoinstall
echo "For autoinstall(8) creating symbolic link ${PXE_DIR}/auto_install pointing to ${PXE_DIR}/pxeboot ..."
ln -sf pxeboot ${PXE_DIR}/auto_install

cat <<END
------- contents of ${PXE_DIR} -----------
$(ls -lR ${PXE_DIR})
--- contents of ${PXE_DIR}/etc/boot.conf --
$(cat ${PXE_DIR}/etc/boot.conf)
--------------------------------------
END

cat <<END
The tftpd program is located at $(which tftpd)
Start it with:
    $(which tftpd) ${PXE_DIR}
or
    sudo /etc/rc.d/tftpd start

Then verify with "netstat" whether TFTP daemon is at port 69:

    $ netstat -an -f inet -p udp

You should see something like this:

Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  *.69                   *.*
-----------------------------------------------------------------------------
==== Output of "ps -aux | grep tftpd | grep -v grep":
$(ps -aux | grep tftpd | grep -v grep)
==== Output of "netstat -an -f inet -p udp":
$( netstat -an -f inet -p udp)
-----------------------------------------------------------------------------
END

#
# NOTE FOR PF USERS
#
# --- pf firewall rules for tftpd server (here 192.168.222.20)
# Like FTP, TFTP uses two communication channels. The command channel uses
# destination port 69. The TFTP daemon listens on this port.
# A separate data channel is used to transfer data via UDP. The TFTPD server
# and client negotiate the ports, and then the server initiates this channel.
# (just like active FTP ).
#
# A) You need to allow incoming udp traffic to port 69, on which the tftpd server
#    listens:
#
#    @39 pass in quick on egress inet proto udp from 192.168.222.0/24 to any port = 69
#      [ Evaluations: 1662      Packets: 28        Bytes: 1369        States: 0     ]
#      [ Inserted: uid 0 pid 7938 State Creations: 20    ]
#
# B) For the data transfer outgoing UDP needs to be allowed
#    Here 192.168.222.230 is the TFTP client
#
#    @32 pass out quick on egress inet proto udp from 192.168.222.20 to 192.168.222.230
#      [ Evaluations: 26        Packets: 310754    Bytes: 89595798    States: 0     ]
#
# If the TFTPD server is behind a firewall, you can use tftp-proxy(8)
#
# From https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol :
#   TFTP uses UDP as its transport protocol. A transfer request is
#   always initiated targeting port 69, but the data transfer ports are
#   chosen independently by the sender and receiver during the transfer
#   initialization. The ports are chosen at random according to the
#   parameters of the networking stack, typically from the range of
#   ephemeral ports.
# ENDQUOTE
#
# On OpenBSD the ephemeral port range is defined
# with the following sysctl settings:
#
#   net.inet.ip.porthifirst=49152
#   net.inet.ip.porthilast=65535
#
# However with OpenBSD TFTPD this does not seem like the case.
# At least from my experience with PXE booting OpenBSD virtual
# guests under Linux Kernel-based Virtual Machine (KVM) as host
# So I gave up specifying a port range and just use the IP address range.
#
#
# QUOTE FROM autoinstall(8):
#
#   On architectures where the 'filename' statement is used to provide the name
#   of the file to netboot it is necessary to create symbolic links called
#   'auto_install' and 'auto_upgrade' that point to the expected boot program and
#   to change the value of the filename statement in the dhcpd.conf(5) file
#   to be 'auto_install' or 'auto_upgrade'.
#
#   Note that in these cases, the HTTP server and TFTP server must be on the
#   same machine.
# END QUOTE
#
# DHCPD configuration example:
#
#   host pxe-client {
#       hardware ethernet 52:54:00:aa:aa:01;
#       fixed-address 192.168.222.230;
#       #filename "pxeboot";
#       filename "auto_install";
#       next-server 192.168.222.20;
#   }
#
# --- end of script ---
```
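A post-run sanity check, added here and not part of J65nko's script: it verifies that a PXE directory has the layout pxe-boot-prepare.sh is meant to produce (boot files present, a 512-byte random.seed, boot.conf selecting bsd.rd, and the auto_install symlink pointing at pxeboot). The directory argument and the `make_sample_pxe_dir` helper, which builds a constructed stand-in for /pxe so the check runs offline, are assumptions of this example.

```shell
#!/bin/sh
# Added check (not part of pxe-boot-prepare.sh): verify the tftpd directory
# layout the script is supposed to create. Usage: check_pxe_dir /pxe amd64
# Returns 0 when everything is in place, 1 otherwise (problems are printed).
check_pxe_dir() {
    dir="$1"; arch="$2"; rc=0
    # the script copies these three files from $WEBDIR
    for f in pxeboot bsd.rd "INSTALL.${arch}"; do
        [ -s "${dir}/${f}" ] || { echo "missing or empty: ${dir}/${f}"; rc=1; }
    done
    # random.seed: the script writes exactly one 512-byte block (bs=512 count=1)
    seed="${dir}/etc/random.seed"
    if [ -f "$seed" ]; then
        size=$(wc -c < "$seed" | tr -d ' ')
        [ "$size" -eq 512 ] || { echo "random.seed is ${size} bytes, expected 512"; rc=1; }
    else
        echo "missing: $seed"; rc=1
    fi
    # boot.conf must select the install kernel
    grep -q '^set image bsd.rd' "${dir}/etc/boot.conf" 2>/dev/null \
        || { echo "boot.conf does not contain 'set image bsd.rd'"; rc=1; }
    # autoinstall(8) expects auto_install -> pxeboot
    [ -L "${dir}/auto_install" ] && [ "$(readlink "${dir}/auto_install")" = pxeboot ] \
        || { echo "auto_install is not a symlink to pxeboot"; rc=1; }
    return $rc
}

# Constructed sample tree standing in for /pxe (hypothetical, for offline use).
# /dev/urandom is used here instead of the script's /dev/random for portability.
make_sample_pxe_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    echo pxeboot > "$d/pxeboot"; echo kernel > "$d/bsd.rd"; echo notes > "$d/INSTALL.amd64"
    dd if=/dev/urandom of="$d/etc/random.seed" bs=512 count=1 2>/dev/null
    printf 'time\nset image bsd.rd\nstty com0 19200\nset tty com0\n' > "$d/etc/boot.conf"
    ln -sf pxeboot "$d/auto_install"
    echo "$d"
}
```

Run `check_pxe_dir /pxe amd64` as root after the script finishes; a non-zero exit means the installer will not find one of the files it asks the tftpd server for.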
Example output and Download link
Output when run:
Testing TFTPD with tcpdump
Tags: dhcp.conf, dhcpd, network boot, pxe boot