Chapter 5. Activating Services

Table of Contents

5.1. Introduction
5.2. Turning on IP Forwarding
5.3. /etc/defaults/rc.conf and /etc/rc.conf
5.3.1. What we need in /etc/rc.conf
5.4. Activating the Services
5.4.1. Starting Services "by hand"

5.1. Introduction

At this point, in theory, we are ready to start everything up. All of the services we will need running are:

  • ipfilter

  • ipnat

  • ipmon

  • sshd

Additionally, we need to make sure that IP forwarding is enabled in the kernel.

5.2. Turning on IP Forwarding

To turn on IP forwarding, use the sysctl facility:

sysctl -w net.inet.ip.forwarding=1

To have it turned on at bootup, append the following text to /etc/sysctl.conf:

net.inet.ip.forwarding=1

5.3. /etc/defaults/rc.conf and /etc/rc.conf

NetBSD's default rc settings are all kept in /etc/defaults/rc.conf. To make upgrades safer, override settings in /etc/rc.conf instead of /etc/defaults/rc.conf.

5.3.1. What we need in /etc/rc.conf

Basically, we can yank the contents of /etc/defaults/rc.conf and drop them right into /etc/rc.conf:

# cat /etc/defaults/rc.conf >>/etc/rc.conf
# vi /etc/rc.conf

Note the double ">" here to avoid overwriting the contents of /etc/rc.conf as shipped! Here is what /etc/rc.conf would look like after editing:

#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it. program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

# Add local overrides below
#
ipfilter=YES
ipnat=YES
ipmon=YES	ipmon_flags="-sn"
sshd=YES

On i386 (PC) systems you will also see the wscons framework enabled:

wscons=YES
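
An added example, not part of the original guide: /etc/rc.conf is a shell script, so when the same variable is assigned twice the last assignment wins, and a default line left over from the cat step above can silently switch a service (including ipfilter itself) back off. The script below reports required services whose last assignment is not YES and checks that forwarding is set in a sysctl.conf-style file; the function names and the sample files are constructed for illustration, and a service with no entry in the checked file is treated as not enabled.

```shell
#!/bin/sh
# Added example: audit the settings this chapter asks for.
REQUIRED="ipfilter ipnat ipmon sshd"

# Print the last value assigned to variable $2 in rc.conf-style file $1.
# rc.conf is a shell script, so a later assignment overrides an earlier one.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Succeed if service $2 is effectively enabled in file $1.
# Accepted spellings follow rc.subr's checkyesno: YES, TRUE, ON or 1, any case.
is_enabled() {
    case "$(rc_value "$1" "$2")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the required services that are not enabled in file $1.
missing_services() {
    out=""
    for svc in $REQUIRED; do
        is_enabled "$1" "$svc" || out="${out:+$out }$svc"
    done
    printf '%s\n' "$out"
}

# Succeed if the last net.inet.ip.forwarding line in file $1 sets it to 1.
forwarding_persistent() {
    v=$(sed -n 's/^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    [ "$v" = 1 ]
}

# Constructed sample: the overrides were added, but one pasted default line
# for ipnat was left below them.
SAMPLE_RC=$(mktemp); SAMPLE_SYSCTL=$(mktemp)
trap 'rm -f "$SAMPLE_RC" "$SAMPLE_SYSCTL"' EXIT
cat >"$SAMPLE_RC" <<'EOF'
rc_configured=YES
ipfilter=YES
ipnat=YES
ipmon=YES	ipmon_flags="-sn"
sshd=YES
ipnat=NO    # leftover default, overrides the YES above
EOF
printf 'net.inet.ip.forwarding=1\n' >"$SAMPLE_SYSCTL"
echo "not enabled: $(missing_services "$SAMPLE_RC")"
forwarding_persistent "$SAMPLE_SYSCTL" && echo "forwarding set at boot"
```

On the firewall itself, pass /etc/rc.conf and /etc/sysctl.conf to the functions in place of the sample files.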

5.4. Activating the Services

Next we have to activate the services. We can do this in one of two ways:

  1. reboot the system

  2. start using the rc scripts by hand

I prefer doing the latter first just to make sure everything is set up right, then I do a reboot to make sure all of the services will start up properly during the bootup sequence.

5.4.1. Starting Services "by hand"

Starting any service is quite simple:

# /etc/rc.d/[service_name] start

Additionally, a service may be stopped:

# /etc/rc.d/[service_name] stop

or restarted:

# /etc/rc.d/[service_name] restart

So for this firewall, here is the order in which we need to start the services:

# /etc/rc.d/sshd start
# /etc/rc.d/ipfilter start
# /etc/rc.d/ipnat start
# /etc/rc.d/ipmon start

In reality, the point at which sshd and ipmon start is arbitrary; however, ipfilter must be enabled before ipnat.