Difference between revisions of "Skeleton files"

From securityrouter.org, an OpenBSD-based firewall
(List of skeleton files)
 
(11 intermediate revisions by 2 users not shown)
Line 14: Line 14:
 
# Create the file <tt>/cfg/skel/sshd_config</tt> by
 
# Create the file <tt>/cfg/skel/sshd_config</tt> by
 
#* Either, log in using SSH, and edit the file using your favorite editor (<tt>vi</tt>?)
 
#* Either, log in using SSH, and edit the file using your favorite editor (<tt>vi</tt>?)
#* Or, create the file on your computer, and upload it using SCP
+
#* Or, create the file on your computer, and upload it using <tt>scp</tt>
  
 
== List of skeleton files ==
 
== List of skeleton files ==
 
These are the supported skeleton files, that will be used if existing.
 
These are the supported skeleton files, that will be used if existing.
 
{| class="wikitable"
 
{| class="wikitable"
! File !! Description || Format
+
! File !! Description || Format || Auto-created
 
|-
 
|-
| <tt>/cfg/skel/httpd.conf</tt> || Configuration for the HTTP server || Apache's <tt>httpd</tt>
+
| <tt>/cfg/skel/rc.local</tt> || Boot script || Shell script || No
 
|-
 
|-
| <tt>/cfg/skel/sshd_config</tt>|| Configuration for the SSH server || OpenSSH's <tt>sshd</tt>  
+
| <tt>/cfg/skel/httpd.conf</tt> || Configuration for the HTTP server || Apache's <tt>[http://www.openbsd.org/cgi-bin/man.cgi?query=httpd httpd]</tt> || No
 
|-
 
|-
| <tt>/cfg/skel/ssh_host_ecdsa_key</tt> || Elliptic curve DSA key for the SSH server, automatically created || PEM
+
| <tt>/cfg/skel/dhcpd.conf</tt> || Configuration for the DHCP server || OpenBSD's <tt>[http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd.conf dhcpd]</tt> || No
 
|-
 
|-
| <tt>/cfg/skel/ssh_host_dsa_key</tt> || DSA key for the SSH server, automatically created || PEM
+
| <tt>/cfg/skel/sshd_config</tt>|| Configuration for the SSH server || OpenSSH's <tt>[http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config sshd]</tt> || No
 
|-
 
|-
| <tt>/cfg/skel/ssh_host_rsa_key</tt> || RSA key for the SSH server, automatically created || PEM
+
| <tt>/cfg/skel/ssh/ssh_host_ecdsa_key</tt> || Elliptic curve DSA key for the SSH server, automatically created || PEM || Yes
 
|-
 
|-
| <tt>/cfg/skel/httpd_key</tt> || RSA key for the HTTP server, automatically created || PEM
+
| <tt>/cfg/skel/ssh/ssh_host_dsa_key</tt> || DSA key for the SSH server, automatically created || PEM || Yes
 
|-
 
|-
| <tt>/cfg/skel/httpd_crt</tt> || X.509 certificate for the HTTP server, automatically created || PEM
+
| <tt>/cfg/skel/ssh/ssh_host_rsa_key</tt> || RSA key for the SSH server, automatically created || PEM || Yes
 
|-
 
|-
| <tt>/cfg/skel/isakmpd_key</tt> || RSA key for the IKEv1 server, automatically created || PEM
+
| <tt>/cfg/skel/ssl/private/server.key</tt> || RSA key for the HTTPS server, automatically created || PEM || Yes
 
|-
 
|-
| <tt>/cfg/skel/isakmpd_pub</tt> || Public RSA key for the IKEv1 server, automatically created || PEM
+
| <tt>/cfg/skel/ssl/private/</tt>''address''<tt>.key</tt> || RSA key for a load balancer relay listening on ''address''  || PEM || Yes
 
|-
 
|-
| <tt>/cfg/skel/iked_key</tt> || RSA key for the IKEv2 server, automatically created || PEM
+
| <tt>/cfg/skel/ssl/server.crt</tt> || X.509 certificate for the HTTPS server, automatically created || PEM || Yes
 +
|-
 +
| <tt>/cfg/skel/ssl/</tt>''address''<tt>.crt</tt> || X.509 certificate for a load balancer relay listening on ''address''  || PEM || Yes
 +
|-
 +
| <tt>/cfg/skel/isakmpd/private/local.key</tt> || RSA key for the IKEv1 server, automatically created || PEM || Yes
 +
|-
 +
| <tt>/cfg/skel/isakmpd/local.pub</tt> || Public RSA key for the IKEv1 server, automatically created || PEM || Yes
 +
|-
 +
| <tt>/cfg/skel/iked/private/local.key</tt> || RSA key for the IKEv2 server, automatically created || PEM || Yes
 +
|-
 +
| <tt>/cfg/skel/iked/local.pub</tt> || Public RSA key for the IKEv2 server, automatically created || PEM || Yes
 
|}
 
|}
 +
 +
== Custom skeleton files ==
 +
You can make any files persistent between reboots and updates by placing them on the '''/cfg''' partition, and copying them on boot. To have your own <tt>newsyslog.conf</tt>, run
 +
cp /etc/newsyslog.conf /cfg/newsyslog.conf                # copy the original file
 +
vi /cfg/newsyslog.conf                                    # do your editing
 +
echo "cp /cfg/newsyslog.conf /etc/" >> /cfg/skel/rc.local # make it persistent on boot
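Review bot: The last command of the new "Custom skeleton files" section appends to /cfg/skel/rc.local unconditionally with >>, so repeating the procedure leaves duplicate cp lines in the boot script; suggest saying the step is run once, or guarding the append with a check that the line is not already present. In the table, the new Auto-created column repeats what the "automatically created" wording in the key and certificate descriptions already says, and the two ''address'' rows are marked Yes without that wording; dropping the phrase from the Description cells would leave one source for the fact.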

Latest revision as of 09:06, 20 June 2018

The appliance's configuration is normally defined only by its configuration file. It is, however, possible to set parameters that are not available in the configuration file by creating so-called skeleton files.

Consider for example the SSH server. It is started by setting

admin@fw1.halon.se# set system { ssh-server

in the configuration. It can be configured by adding attributes, such as setting

admin@fw1.halon.se# set system { ssh-server { port 22
admin@fw1.halon.se# set system { ssh-server { listen-address 10.0.0.1

UNIX administrators may guess that the SSH server is in fact OpenSSH's sshd, and that even more advanced configuration should be possible. Yes, indeed.

Adding skeleton files

Follow these steps to create a skeleton configuration file for the SSH server.

  1. Activate root access if not already activated
  2. Create the file /cfg/skel/sshd_config by
    • Either, log in using SSH, and edit the file using your favorite editor (vi?)
    • Or, create the file on your computer, and upload it using scp

List of skeleton files

These are the supported skeleton files. Each one is used if it exists.

{| class="wikitable"
! File !! Description !! Format !! Auto-created
|-
| /cfg/skel/rc.local || Boot script || Shell script || No
|-
| /cfg/skel/httpd.conf || Configuration for the HTTP server || Apache's httpd || No
|-
| /cfg/skel/dhcpd.conf || Configuration for the DHCP server || OpenBSD's dhcpd || No
|-
| /cfg/skel/sshd_config || Configuration for the SSH server || OpenSSH's sshd || No
|-
| /cfg/skel/ssh/ssh_host_ecdsa_key || Elliptic curve DSA key for the SSH server, automatically created || PEM || Yes
|-
| /cfg/skel/ssh/ssh_host_dsa_key || DSA key for the SSH server, automatically created || PEM || Yes
|-
| /cfg/skel/ssh/ssh_host_rsa_key || RSA key for the SSH server, automatically created || PEM || Yes
|-
| /cfg/skel/ssl/private/server.key || RSA key for the HTTPS server, automatically created || PEM || Yes
|-
| /cfg/skel/ssl/private/''address''.key || RSA key for a load balancer relay listening on ''address'' || PEM || Yes
|-
| /cfg/skel/ssl/server.crt || X.509 certificate for the HTTPS server, automatically created || PEM || Yes
|-
| /cfg/skel/ssl/''address''.crt || X.509 certificate for a load balancer relay listening on ''address'' || PEM || Yes
|-
| /cfg/skel/isakmpd/private/local.key || RSA key for the IKEv1 server, automatically created || PEM || Yes
|-
| /cfg/skel/isakmpd/local.pub || Public RSA key for the IKEv1 server, automatically created || PEM || Yes
|-
| /cfg/skel/iked/private/local.key || RSA key for the IKEv2 server, automatically created || PEM || Yes
|-
| /cfg/skel/iked/local.pub || Public RSA key for the IKEv2 server, automatically created || PEM || Yes
|}

Custom skeleton files

You can make any files persistent between reboots and updates by placing them on the /cfg partition, and copying them on boot. To have your own newsyslog.conf, run

cp /etc/newsyslog.conf /cfg/newsyslog.conf                # copy the original file
vi /cfg/newsyslog.conf                                    # do your editing
echo "cp /cfg/newsyslog.conf /etc/" >> /cfg/skel/rc.local # make it persistent on boot
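
The three manual steps above, wrapped so they can be repeated safely: an added example, not part of the securityrouter.org page or the appliance's own tooling. The function names and the CFG_ROOT and ETC_ROOT variables are assumptions made for this example; they default to the paths used above and can point at a scratch directory for a dry run.

```shell
#!/bin/sh
# Added example (not the appliance's own script).
# CFG_ROOT / ETC_ROOT are assumed names; override them to rehearse offline.
CFG_ROOT="${CFG_ROOT:-/cfg}"
ETC_ROOT="${ETC_ROOT:-/etc}"

# persist_etc_file NAME
#   Seed $CFG_ROOT/NAME from $ETC_ROOT/NAME only if no persistent copy exists
#   yet (so earlier edits are never overwritten), then register the boot-time
#   copy in skel/rc.local exactly once.
persist_etc_file() {
    name="$1"
    # Accept a plain file name only: no empty name, no path components.
    case "$name" in
        ""|*/*|.*) echo "refusing file name: '$name'" >&2; return 2 ;;
    esac
    src="$ETC_ROOT/$name"
    dst="$CFG_ROOT/$name"
    rc="$CFG_ROOT/skel/rc.local"
    # The line always names the real paths, because rc.local runs on the box.
    line="cp /cfg/$name /etc/"

    if [ ! -f "$dst" ]; then
        [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
        cp "$src" "$dst" || return 1
    fi

    mkdir -p "$CFG_ROOT/skel" || return 1
    [ -f "$rc" ] || : > "$rc"
    # rc.local is the boot script: keep it and the persisted copy
    # writable by their owner only.
    chmod go-w "$rc" "$dst" || return 1

    # -x: whole-line match, -F: fixed string. Append only if the line is missing.
    grep -qxF "$line" "$rc" || echo "$line" >> "$rc"
}

# Number of boot-time copy lines registered for NAME (1 when healthy).
rc_local_entries() {
    grep -cxF "cp /cfg/$1 /etc/" "$CFG_ROOT/skel/rc.local" 2>/dev/null || true
}
```

Calling persist_etc_file newsyslog.conf a second time leaves the edited copy on /cfg and the single rc.local line untouched.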