Setting up a NetBSD system

what version?

Do you want to use binary packages, or build them from the pkgsrc tree? If you want binary packages, check online whether there are builds for your release: to me it looks like not only the MAJOR release version matters but also the MINOR. For example mail/alpine built for 7.0 did not run on 7.1.2 (it failed with a "not found" error, presumably a missing shared library). Whichever way you go, fetch over https and prefer packages built for your exact release.

If you want the latest package releases no matter what, building from the pkgsrc tree is fine:

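cd /usr/
ls -lhF | grep pkgsrc            # anything already here (old tree, previous tarball)?
# Verify the tarball before unpacking it as root: the mirrors publish a SHA512 checksum next to
# pkgsrc.tar.gz -- compare before trusting the contents.
cksum -a sha512 pkgsrc.tar.gz
tar xzf pkgsrc.tar.gz
cd /usr/pkgsrc/bootstrap/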

network setup on serial console

assuming a blind install, you now need to choose your shell,

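# Keep root's shell in /bin: it lives on the root filesystem and is available in single-user mode.
chpass -s /bin/ksh root
useradd -D -s /bin/ksh           # default shell for accounts created from now on
# Recommended: an unprivileged admin account in wheel so day-to-day logins are not root
# (the AllowGroups wheel in sshd_config below covers it; root is in wheel in the default /etc/group).
#useradd -m -G wheel ADMIN_USER && passwd ADMIN_USER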

setup network,

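ifconfig -a                      # find the interface name to use in place of NETIF below
cd /etc
vi ifconfig.NETIF                # one line, e.g.:  inet IP/PREFIX up
vi mygate                        # default gateway address
vi myname                        # host name; an FQDN here is what postfix uses as origin later on
cp -pi hosts hosts.dist
vi hosts                         # add the host's own name and address
vi /etc/resolv.conf              # new file: nameserver lines
service network restart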

setup the SSH daemon,

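cd /etc/
cp -pi rc.conf rc.conf.dist
vi rc.conf                       # sshd=YES, so the daemon also comes up at boot (below it is started by hand once)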


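cd /etc/ssh/
cp -pi sshd_config sshd_config.dist
vi sshd_config                   # settings listed below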

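# A non-default port only cuts scanner noise in the logs; it is not access control.
Port XXX
# Only members of wheel may log in at all (root is in wheel in the default /etc/group).
AllowGroups wheel
# Root may log in with a key only. "prohibit-password" is the current spelling of this value,
# "without-password" the older alias kept for compatibility -- same meaning.
PermitRootLogin without-password
PasswordAuthentication no
# Without this, a build with PAM or S/Key may still prompt for a password via keyboard-interactive.
ChallengeResponseAuthentication no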

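/usr/sbin/sshd -t                # syntax-check the new config first: a broken sshd_config locks you out once the console is gone
/etc/rc.d/sshd start             # or restart, if it was already running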

make it accessible from your workstation,

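mkdir -p ~/.ssh/
chmod 700 ~/.ssh/
cd ~/.ssh/
touch authorized_keys
chmod 600 authorized_keys        # set the mode before the file gets any content
vi authorized_keys               # paste the PUBLIC key(s) from your workstation, one per line

# on the workstation, print the public key to paste (the page's two cat lines lost their file names):
#cat ~/.ssh/KEY.pub

# sshd (StrictModes) silently ignores the file when it, ~/.ssh or ~ is group/world writable
# or not owned by the login user -- check before leaving the console
ls -ld ~/.ssh ~/.ssh/authorized_keys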

Now, from your workstation and in a new session, check that you can log in with your key before you leave the serial console: password logins are off, so a mistake here locks you out.


now remotely

define your timezone,

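ls -l /etc/localtime             # (ll is an alias defined further down, not available yet)
ln -sf ../usr/share/zoneinfo/Europe/Moscow /etc/localtime   # pick your own zone
#ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime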

remove skeletons for FTP users,

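ls -alhF /etc/skel/              # the page listed skel.dist here, which does not exist yet; the skeleton to inspect is /etc/skel
# a plain mv into an already existing skel.dist would nest the directory instead of renaming it
[ -e /etc/skel.dist ] || mv /etc/skel /etc/skel.dist
mkdir -p /etc/skel               # keep an empty directory: useradd -m wants it to exist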

Note: NetBSD complains if /etc/skel/ does not exist, hence the empty directory.

tweak your administration env,

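cp -pi /etc/profile /etc/profile.dist
vi /etc/profile
# add this line: every interactive ksh/sh then sources /etc/shrc at start-up.
# Whatever ENV points to runs in every root shell -- keep it root-owned and not writable by others.
export ENV=/etc/shrc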

some handy aliases to add into the existing case condition,

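cp -pi /etc/shrc /etc/shrc.dist
vi /etc/shrc                     # additions listed below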

export PATH=/usr/local/bin:/usr/local/sbin:/usr/pkg/bin:/usr/pkg/sbin:/bin:/sbin:/usr/bin:/usr/sbin:$HOME/bin
export PASSIVE_FTP=yes

case "$-" in *i*)
    #export PKG_PATH="$(uname -s)/$(uname -m)/$(uname -r|cut -f '12' -d.)/All/"
    export PKG_PATH=""
    [[ -z $HOST ]] && HOST=`uname -n`
    (( `id -u` == 0 )) && PS1='${HOST%%\.*}# ' || PS1='${HOST%%\.*}> '
    set -o emacs
    ( set -o tabcomplete 2>/dev/null ) && set -o tabcomplete
    bind -m '^L'='clear^M'
    alias ll='ls -alhF'
        alias l='ls -altrhF'
    #alias cp='cp -i'
    #alias mv='mv -i'
    #alias rm='rm -i'
    alias reboot='echo THIS IS NOT A GNU SYSTEM, use shutdown -r now'
    alias halt='echo THIS IS NOT A GNU SYSTEM, use shutdown -h or -p now'
    alias netstata='netstat -an -f inet -f inet6'
    alias runq='postfix flush'

    . /etc/profile
#. /etc/shrc

install a few packages (list here),

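# Needs PKG_PATH (set above) pointing at packages built for this exact release; with an empty
# PKG_PATH, pkg_add wants URLs or local files. Unless VERIFIED_INSTALLATION is configured these
# binaries are installed as downloaded, unverified. (The original list ended with a dangling
# backslash; removed.)
pkg_add \
    alpine \
    curl \
    e2fsprogs \
    git \
    iftop \
    iperf3 \
    lftp \
    lynx \
    mc \
    netcat \
    nmap \
    pwgen \
    screen \
    tmux \
    trafshow \
    vim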



Edit root's crontab: disable atrun, adjust the log rotation schedule (the newsyslog entry, presumably what "new log every day" refers to) and enable the monthly job,

# root's crontab: comment out the atrun line, adjust the newsyslog schedule and enable the monthly
# job; the pkg_admin entries are added further down
crontab -e

setup the outgoing messages,

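cd /etc/postfix/
# keep the stock file, then work from a copy stripped of comments and blank lines
# (the page lost the mv/sed arguments; main.cf is the file the parameters below go into,
# same pattern as the ntp.conf step further down)
mv -i main.cf main.cf.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf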

optionally, relay outgoing mail through a smarthost (if it requires authentication or TLS, configure that as well),

relayhost = SMARTHOST

and fix your origin so that bounces are also sent to your MX (assuming you set an FQDN in /etc/myname; otherwise set myhostname = or mydomain = explicitly),

mydomain = YOUR_DOMAIN
myorigin = $mydomain

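postfix check                    # validate main.cf before restarting
service postfix restart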

and setup an email alias for root,

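vi /etc/mail/aliases
# add or change the root alias, for example:
#   root:       REAL_EMAIL
newaliases                       # rebuild the indexed aliases database -- postfix does not read the text file; without this the alias is inert
tail -F /var/log/maillog &
date | mailx -s "$(hostname)" root
# once the delivery shows up in the log: fg, then ^C to stop the tail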

enable package daily audits,

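cd ~/
# (the page fetched a copy of the pkg-vulnerabilities file here to look at it; the URL was lost)
ftp -a URL_OF_pkg-vulnerabilities
rm -f pkg-vulnerabilities

# audit-packages.conf configures the legacy audit-packages tool; current pkg_install reads
# pkg_install.conf(5) instead (PKGVULNDIR, PKGVULNURL). The heredoc contents were lost from
# the page -- do not create an empty file blindly.
cat /usr/pkg/etc/audit-packages.conf
#mkdir -p /usr/pkg/etc/
#cat > /usr/pkg/etc/audit-packages.conf <<-EOF
#	...
#	EOF

# fetch the vulnerability list and audit once by hand. Without -s the list is trusted as
# downloaded; -s makes fetch-pkg-vulnerabilities verify its signature (needs gpg and the pkgsrc
# security key -- see pkg_admin(1)).
pkg_admin fetch-pkg-vulnerabilities
pkg_admin audit

# The daily/security scripts can do the same job (look for the fetch_pkg_vulnerabilities and
# check_pkg_vulnerabilities variables in /etc/defaults/daily.conf and security.conf). Use either
# that OR the cron jobs below, not both. The page's heredoc contents were lost.
#cat >> /etc/daily.conf <<-EOF
#	...
#	EOF

which pkg_admin                  # base: /usr/sbin, pkgsrc bootstrap: /usr/pkg/sbin -- use the one you actually run
crontab -e

# cron mails the output to root (hence the root alias set above): do not pipe to mailx nor redirect to /dev/null
0 3 * * * /usr/sbin/pkg_admin fetch-pkg-vulnerabilities
9 3 * * * /usr/sbin/pkg_admin audit
#0 3 * * * /usr/pkg/sbin/pkg_admin fetch-pkg-vulnerabilities
#9 3 * * * /usr/pkg/sbin/pkg_admin audit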

(Not needed on Xen guests whose clock is synchronised from the dom0.)

setup ntp,

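mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf
# The sed only drops comments and blank lines, so the stock "restrict default ..." lines survive:
# keep them. An ntpd answering queries and control packets from anyone is an amplification relay.
vi /etc/ntp.conf                 # your server lines

# /etc/rc.conf: step the clock once at boot (ntpdate -b), then keep it disciplined (ntpd)
vi /etc/rc.conf
#   ntpdate=yes ntpdate_flags="-u -b -s"
#   ntpd=yes    ntpd_flags=""

grep ^server /etc/ntp.conf
ntpdate -u SERVER                # one of the servers above; a large offset at start makes ntpd give up rather than sync
service ntpd start
ntpq -p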

Note: at boot time the ntpdate rc script takes its servers from the ^server lines in /etc/ntp.conf.


For easier troubleshooting, make syslogd log everything into one file (revert to the defaults for production):

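cp -pi /etc/syslog.conf /etc/syslog.conf.dist
vi /etc/syslog.conf
# Replace the default selectors with a catch-all:
#   #*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none       /var/log/messages
#   #kern.debug                                             /var/log/messages
#   *.*     /var/log/messages
# Caveat: the default keeps authpriv (and mail) out of /var/log/messages because that file is
# normally world-readable; with *.* every authentication log line lands in it. Troubleshooting
# only -- restore the defaults afterwards.
service syslogd restart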