Assuming you have only one network interface that needs failover protection, the first thing you need to do on the gateway, host, and backup systems is create a carp0 interface. You can easily do this via the ifconfig program from the command line, but it's better to automatically create the interface at boot time. To do that you need to create an /etc/hostname.carp0 file on the primary host and put this into it: vhid 1 carpdev em0 pass yourpass 10.1.1.102 netmask 255.255.255.0 In the above example, the vhid parameter identifies the redundancy group. You can choose a number from 1 to 255, but 1 is easiest, especially if you have only one group of machines to protect. The carpdev parameter identifies the local network interface that needs failover protection. In essence you're providing failover for interfaces, which in turn provides failover for machines. In the example, em0 is the device node of the network interface; yours will almost certainly be different. The pass parameter defines a password, which is followed in in the example by yourpass. This is a password that must be in the configuration of every CARP- enabled machine in the group. 10.1.1.102 is the IP address that the primary and backup hosts will share. The netmask parameter defines the subnet mask of 255.255.255.0. Each backup machine in the group must have a similar but slightly different CARP configuration: vhid 1 carpdev rl0 pass yourpass 10.1.1.102 netmask 255.255.255.0 advskew 100 In this example, there are two differences. First, the carpdev variable is rl0 instead of em0 because the backup machine has a different network card that uses a different device node. If the two machines were physically identical, their interface nodes would match. Second, there is a new variable: advskew. This setting lags the backup machine's availability advertisement so that it is broadcast significantly less often than the primary host. This setting is what defines the primary and backup hosts; the machine with the lowest advskew is the one that gets the IP address. There is one more step to take to ensure that the primary host is the preferred machine. Add this line to your /etc/sysctl.conf file: net.inet.carp.preempt=1 This setting is also useful for machines that have multiple CARP interfaces, but that's getting a little too deep into theoretical CARP configuration. The above example is as basic a CARP scenario as I could think of, but your situation may very well require more customization, and there are a number of other settings that are not shown in the example here. See the CARP manpage for more details. 7.11. Basic Packet Filter Setup The OpenBSD kernel has a built-in Packet Filter (PF) that can restrict network traffic from a given interface to a given interface, essentially turning the kernel into a firewall. PF is enabled by default, but IP forwarding is not, so if you're building a firewall machine, the first thing you need to do to use PF is to turn this feature on. Edit /etc/sysctl.conf and add this line: net.inet.ip.forwarding=1 Then change the NO to a YES in this line in /etc/rc.conf: pf=NO PF is configured through the /etc/pf.conf file. The first section deals with macros, which are essentially variables that represent groups of interfaces or services. So if you were also using this machine as a router and wanted all outgoing interfaces to have the same rules, you would create a macro like this one: internal_if = "{ em0, rl0, rl1, ixp0 }" The four items in brackets represent network interface nodes. You can create as many macros as are useful to you. You're not limited to interfaces, either; you can use IP addresses, IP ranges, and service names from the /etc/services file. Next you're expected to write some filtering rules. The best place to get an idea for rules and rule syntax is to look in the "Filter Examples" section of the pf.conf manpage. Basically it goes something like this: block/allow service from interface/network to internal Where block blocks traffic and allow allows it; service refers to traffic coming in on a certain port; from interface/network specifies where the traffic is coming from; and to internal specifies the internal IP address, subnet mask, or interface that the traffic will be directed to (usually this is "any"). This is only a very basic explanation, and unfortunately there is no easy way to learn how to write PF rules (or rules for any other firewall with fine-grained control); you'll just have to move on the pf and pf.conf manpages from here. 7.12. Enabling and Configuring OpenNTPD The OpenBSD network time protocol daemon (OpenNTPD) is a cleanly designed, secure NTP daemon that is included in the base system by default. You can enable it through /etc/rc.conf by changing the NO to empty double quotes "" in this line: ntpd_flags=NO # for normal use: "" The configuration file is /etc/ntpd.conf, and all you really need to do in it is put some NTP server addresses in (the default setting is a pool of addresses, so you probably won't need to change it), and uncomment and configure the listen line if you want this machine to provide NTP service to your network. If you need a more advanced OpenNTPD configuration, see the ntpd.conf manpage. Chapter 8. Installing the Languages of the Web Compared to many other Unix-like operating systems, OpenBSD comes with very few development languages installed. Below are the processes for installing them and some of their most common add-on components. 8.1. Java The Java Development Kit is tricky to install because Sun Microsystems places so much restriction on distribution of the necessary JDK files (though Sun has announced that this is due to change soon, so this process may be completely different in OpenBSD 4.1 when it comes out in May of 2007). You can install the JDK from Ports, but you'll be asked to retrieve several files from the Web. In an effort to save you some time, the files for the JDK 1.5 (Java 5.0) are listed here (if you want to use 1.4.2 instead, just go to /usr/ports/devel/jdk/1.4/ and run make and follow the directions): From this address: http://wwws.sun.com/software/communitysource/j2se/java2/download.html you need these files:  jdk-1_5_0-src-scsl.zip  jdk-1_5_0-src-scsl.zip From this address: http://www.eyesbeyond.com/freebsddom/java/jdk15.html you need this file:  bsd-jdk15-patches-3.tar.bz2 From this address: http://java.sun.com/products/archive/j2se/5.0/index.html you need this file:  jdk-1_5_0-solaris-i586.tar.Z And from this address: http://www.apache.org/dist/xml/xalan-j/ you need this file:  xalan-j_2_7_0-bin.tar.gz All of the above-listed files need to be placed in the /usr/ports/distfiles directory. To install the JDK 1.5.0, go to /usr/ports/devel/jdk/1.5 and run this command: make install clean Or if you don't want a browser plug-in to be created, use the FLAVOR variable: FLAVOR=no_web make install clean Note that the AMD64 edition of OpenBSD does not yet support a Java browser plug-in. 8.2. PHP PHP versions 4 and 5 are both available through Ports in the /usr/ports/www/php4 and /usr/ports/www/php5 directories, respectively. The default settings are to make the PHP core and the mod_php Apache module, but none of the extra extensions, which can be seen in the /extensions/pkg directory within /usr/ports/www/php4 or /usr/ports/www/php5. Each extension has a DESCR- prefix in that directory; this is a text file that tells you about the package. Use the pkg_add command and replace the DESCR- with php4- or php5- to add an extension package, as in this example: pkg_add php5-mysqli Note that you will have to choose a PHP distribution: either the standard core or the hardened core. Edit the Makefile accordingly. By default, no php.ini configuration file is generated for you. The directory you want to put it in is /var/www/conf (unless you've changed your web root), and the example files are in /usr/local/share/examples/php5 (or php4 if you installed that instead). So copy over /usr/local/share/examples/php5/php.ini-recommended or php.ini-dist to /var/www/conf/php.ini and edit it according to your preference. Keep in mind that the PHP defaults are not generally desirable in a production environment, so the -recommended configuration file is probably a better starting point than -dist for most people. 8.3. Perl Perl 5.8.8 is included as part of the OpenBSD base system, so there's nothing more you have to do to start using it. If you need to install extra Perl modules, you'll find them through Ports in various directories, but mostly in /usr/ports/devel/ and /usr/ports/printalways with a p5- prefix. Apache-specific Perl modules (including mod_perl) are in /usr/ports/www. 8.4. Ruby . probably a better starting point than -dist for most people. 8.3. Perl Perl 5.8.8 is included as part of the OpenBSD base system, so there's nothing more you have to do to start using it.