Overview # The Z shell, abbreviated zsh, is a Unix shell that functions as both an interactive command interpreter and a scripting language. It is compatible with the Bourne shell while providing advanced features such as programmable completion, extended globbing, and flexible prompt customization. This chapter describes how to install zsh on OpenBSD, set it as the login shell, and perform initial configuration. A login shell is the command interpreter that starts when a user logs in to the ...| OpenBSD Handbook
Synopsis # This chapter introduces the OpenBSD operating system. It provides an overview of the project’s origins, its guiding principles, development practices, licensing approach, and areas of technical focus. Readers will gain a foundational understanding of the system and its goals before proceeding to installation and configuration topics. Historical Background # OpenBSD began in 1995 as a fork of NetBSD. The project was founded by Theo de Raadt after his departure from the NetBSD core...| OpenBSD Handbook
Synopsis # This chapter provides a comprehensive guide to installing the OpenBSD operating system. It covers obtaining and preparing installation media, pre-installation tasks, running the installer, post-installation configuration, and advanced installation options including unattended and stateless deployments. Obtaining Installation Media # Official OpenBSD installation images are distributed via the OpenBSD mirror network. The master list of mirrors is maintained at: https://www.openbsd.o...| OpenBSD Handbook
Synopsis # The X Window System (commonly known as X11) provides the graphical user interface framework used on OpenBSD. It supports a wide range of graphics hardware, input devices, and window managers. X11 is integrated into the base system through specific file sets. This chapter covers the installation, configuration, and operation of X, including session management with xenodm(1) and startx(1), user session setup, desktop environments, font and input configuration, hardware support via dr...| OpenBSD Handbook
Synopsis # OpenBSD provides a flexible and secure framework for configuring and managing network interfaces. This chapter explains how to configure both wired and wireless networking, IPv4 and IPv6 addressing, DNS resolution, routing, network bridges and trunks, and includes diagnostic tools and secure practices. All configuration is done through OpenBSD-native files and utilities such as ifconfig(8), hostname.if(5), dhclient(8), and pf(4). Network Interface Basics # Each network interface is...| OpenBSD Handbook
Synopsis # This chapter describes building a two-node OpenBSD firewall or gateway cluster with carp(4) virtual IPs, pfsync(4) state replication, and optional service failover using relayd(8). It provides canonical configurations for inside and outside virtual IPs (VIPs), a dedicated state-sync network, and safe failover behavior. Use this pattern whenever an outage of a single gateway or firewall would impact production traffic. Packet filtering is configured in pf.conf(5) and managed at run...| OpenBSD Handbook
General PFCTL Commands #
Command                      Description
pfctl -d                     Disable packet-filtering
pfctl -e                     Enable packet-filtering
pfctl -q                     Run quietly
pfctl -v                     Run more verbose than normal
pfctl -v -v                  Run even more verbose
Loading PF Rules #
Command                      Description
pfctl -f /etc/pf.conf        Load /etc/pf.conf
pfctl -n -f /etc/pf.conf     Test the rules (parse /etc/pf.conf but don’t load it)
pfctl -R -f /etc/pf.conf     Load only the FILTER rules
pfctl -N -f /etc/pf.conf     Load only the NAT rules
pfctl -O -f /etc/pf.conf     Load only the OPTI...| OpenBSD Handbook
Overview # This chapter describes how to deploy WordPress on OpenBSD using the base web server httpd(8), PHP-FPM from packages, and MariaDB from packages. OpenBSD runs the web server in a chroot(2) at /var/www, so name resolution and interprocess communication must work from within that environment. All commands assume the root shell (#). Replace versioned paths for PHP as appropriate for the installed package set. Preparation: Name Resolution in the httpd Chroot # Ensure that processes runn...| OpenBSD Handbook
Synopsis # System configuration in OpenBSD relies on a small set of well-defined utilities and text files located in /etc. Settings can be applied at runtime using tools like sysctl, wsconsctl, and rcctl, or persisted across reboots in files such as /etc/sysctl.conf, /etc/wsconsctl.conf, and /etc/rc.conf.local. In addition, system maintenance includes managing service behavior, login environment limits, bootloader parameters, root mail notifications, and scheduled updates. Kernel Parameters w...| OpenBSD Handbook
Introduction # In addition to the main ruleset, PF can also evaluate sub-rulesets. Since sub-rulesets can be manipulated on the fly by using pfctl, they provide a convenient way of dynamically altering an active ruleset. Whereas a table is used to hold a dynamic list of addresses, a sub-ruleset is used to hold a dynamic set of rules. A sub-ruleset is attached to the main ruleset by using an ‘anchor’.| OpenBSD Handbook
Synopsis # This chapter provides canonical, production-focused patterns for running BGP on OpenBSD using the base system daemon bgpd(8). It covers configuration in bgpd.conf(5), runtime operations with bgpctl(8), service control via rcctl(8), and optional origin validation with rpki-client(8). These patterns apply to external peering, multi-provider edges, iBGP within a site or POP, and policy expression with communities and local preference. Design Considerations # Policy-first. Default...| OpenBSD Handbook
Introduction # Packet filtering is the selective passing or blocking of data packets as they pass through a network interface. The criteria that pf uses when inspecting packets are based on the Layer 3 IPv4 and IPv6 and Layer 4 TCP, UDP, ICMP, and ICMPv6 headers. The most often used criteria are source and destination address, source and destination port, and protocol.| OpenBSD Handbook
Introduction # When you have NAT running in your office, you have the entire internet available to all your machines. What if you have a machine behind the NAT gateway that needs to be accessed from outside? This is where redirection comes in. Redirection allows incoming traffic to be sent to a machine behind the NAT gateway.| OpenBSD Handbook
Lists # A list allows the specification of multiple similar criteria within a rule. For example, multiple protocols, port numbers, addresses, etc. So, instead of writing one filter rule for each IP address that needs to be blocked, one rule can be written by specifying the IP addresses in a list. Lists are defined by specifying items within ‘{ }’ brackets.| OpenBSD Handbook
Introduction # An address pool is a supply of two or more addresses whose use is shared among a group of users. It can be specified as the target address in ‘nat-to’, ‘rdr-to’, ‘route-to’, ‘reply-to’ and ‘dup-to’ filter options.| OpenBSD Handbook
Introduction # When a packet is logged by PF, a copy of the packet header is sent to a pflog interface along with some additional data such as the interface the packet was transiting, the action that PF took (pass or block), etc. The pflog interface allows user-space applications to receive PF’s logging data from the kernel. If PF is enabled when the system is booted, the pflogd daemon is started. By default, pflogd listens on the ‘pflog0’ interface and writes all logged data to the ‘...| OpenBSD Handbook
Introduction # Network Address Translation (NAT) is a way to map an entire network (or networks) to a single IP address. NAT is necessary when the number of IP addresses assigned to you by your Internet Service Provider is less than the total number of computers that you wish to provide internet access for. NAT is described in RFC 1631.| OpenBSD Handbook
Runtime Options # Options are used to control PF’s operation. Options are specified in ‘pf.conf’ using the ‘set’ directive.| OpenBSD Handbook
Introduction # Packet tagging is a way of marking packets with an internal identifier that can later be used in filter and translation rule criteria. With tagging, it’s possible to do such things as create “trusts” between interfaces and determine if packets have been processed by translation rules. It’s also possible to move away from rule-based filtering and to start doing policy-based filtering.| OpenBSD Handbook
Overview # This chapter describes how to configure OpenBSD as a small router and firewall using two network interfaces: one WAN interface that connects to the Internet service provider and one LAN interface that connects to the local network. The configuration enables IPv4 forwarding, network address translation (NAT), stateful firewalling, IPv4 address assignment with DHCP, and local DNS caching. A router forwards IP packets between networks. A firewall enforces a policy controlling which pa...| OpenBSD Handbook
Synopsis # This chapter shows how to operate an OpenBSD edge with two or more upstream providers. It covers outbound policy using route-to, symmetric return paths with reply-to, per-interface NAT, and inbound publishing of services on multiple providers. Configuration lives in pf.conf(5) and is managed with pfctl(8). Interface attributes are managed with ifconfig(8). Where automated failover is required, integrate link and reachability checks with ifstated(8). Use this pattern when you mus...| OpenBSD Handbook
Introduction # PF offers many ways in which a ruleset can be simplified. Some good examples are by using macros and lists. In addition, the ruleset language, or grammar, also offers some shortcuts for making a ruleset simpler. As a general rule of thumb, the simpler a ruleset is, the easier it is to understand and to maintain.| OpenBSD Handbook
Introduction # A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses. Tables can be used in the following ways:| OpenBSD Handbook
Synopsis # Install ssh-audit with pkg_add(1). Run ssh-audit against the target to inventory supported algorithms. Constrain key exchange, host-key, and MAC algorithms in sshd_config(5). Validate configuration with sshd(8) and restart via rcctl(8). Re-run ssh-audit to confirm the intended policy. Optionally remove small Diffie–Hellman moduli per moduli(5). Optionally rotate host keys with ssh-keygen(1). Overview # This chapter describes how to assess and harden an OpenSSH server on Open...| OpenBSD Handbook
Synopsis # This chapter introduces fundamental concepts and administrative tools in OpenBSD. It explains how to manage users and groups, control file permissions, configure shell environments, manipulate processes, manage services, and handle installed software. The chapter also describes important conventions and outlines key security design principles unique to OpenBSD. User and Group Management # User and group accounts in OpenBSD define access control boundaries for system resources and s...| OpenBSD Handbook
Synopsis # This chapter covers site-to-site virtual private networks (VPNs) and host-to-host cryptographic tunnels on OpenBSD. It focuses on IKEv2 using the base system iked(8) and the kernel IPsec stack ipsec(4), with practical patterns for NAT traversal, selector design, and observability. It also shows a minimal pattern for WireGuard-style tunnels with the in-kernel interface wg(4). Runtime management uses ikectl(8), packet filtering is handled by pf.conf(5) and pfctl(8), and link insp...| OpenBSD Handbook
Synopsis # This chapter covers lightweight, in-base tunneling mechanisms for pragmatic overlays and migrations: gif(4) (generic IP-in-IP), gre(4) (Generic Routing Encapsulation), and etherip(4) (Layer-2 Ethernet over IP). These interfaces interoperate well with non-OpenBSD devices and are suitable when cryptography is not required, when you must carry non-IP protocols (GRE), or when you must extend L2 domains (EtherIP). Boot-time configuration uses hostname.if(5); runtime management uses ifc...| OpenBSD Handbook
Synopsis # This chapter offers a detailed guide to managing software on OpenBSD, focusing on installing and maintaining pre-built packages with pkg_* utilities and building custom applications from the Ports Collection using ports(7). It also covers adding file sets after installation. Overview # OpenBSD provides two primary methods for installing software: pre-compiled binary packages and building from source using the Ports Collection. Packages are convenient, fast to install, and receive t...| OpenBSD Handbook
Synopsis # This chapter describes operating IPv6 at scale on OpenBSD: interface addressing, Router Advertisements (RA), Neighbor Discovery (ND), upstream integration, and production guardrails. It uses the in-base router advertisement daemon rad(8) with configuration in rad.conf(5), client autoconfiguration with slaacd(8), ND inspection via ndp(8), interface management with ifconfig(8), and packet filtering in pf.conf(5) applied by pfctl(8). Use these patterns for campus segments, data-c...| OpenBSD Handbook
Virtualization is a technique that allows for the creation of isolated environments, called virtual machines (VMs), where software can run as if it were operating on a physical machine. This enables the sharing of physical resources among multiple virtual instances, each behaving as an independent system. OpenBSD provides a lightweight and secure approach to virtualization through the vmm(4) subsystem. OpenBSD’s Approach to Virtualization # OpenBSD’s native virtualization support is cente...| OpenBSD Handbook
Synopsis # This chapter shows how to classify and shape traffic with PF queues to protect latency-sensitive flows and to manage bulk transfers. Queue configuration and assignment are defined in pf.conf(5) and managed at runtime with pfctl(8). Live inspection uses systat(1) and targeted captures with tcpdump(8). Use these patterns to provide predictable latency for interactive protocols while keeping link utilization high. Design Considerations # Shape egress, not ingress. Shaping controls t...| OpenBSD Handbook
Synopsis # This chapter describes deploying Multiprotocol Label Switching (MPLS) on OpenBSD with the in-base Label Distribution Protocol daemon ldpd(8). It covers enabling MPLS on interfaces with ifconfig(8), core label switching using LDP as signaled by ldpd.conf(5), Layer-3 MPLS VPNs using the Provider Edge interface mpe(4) with bgpd.conf(5), and Layer-2 VPLS pseudowires with mpw(4). Use LDP for simple, interoperable label distribution across an IGP domain; apply BGP-based VPNs where y...| OpenBSD Handbook
Synopsis # This chapter describes building reliable, scalable network services on OpenBSD: authoritative DNS with nsd(8) configured via nsd.conf(5), validating recursive DNS with unbound(8) configured via unbound.conf(5), IPv4 address allocation with dhcpd(8) configured via dhcpd.conf(5), and time services with ntpd(8) configured via ntpd.conf(5). Service lifecycle management uses rcctl(8). Packet filtering allowances live in pf.conf(5) and are applied with pfctl(8). Use these patterns ...| OpenBSD Handbook
Synopsis # This chapter presents canonical networking patterns for OpenBSD virtualization with vmd(8) and vmctl(8): Layer-2 bridging with bridge(4), routed segments using vether(4), and per-VM segmentation with pf.conf(5) anchors. Virtual NICs use tap(4). Configuration for the hypervisor lives in vm.conf(5). Use these patterns to attach guests to existing VLANs, to provide isolated routed networks with NAT, and to enforce least-privilege network policies per VM.| OpenBSD Handbook
Synopsis # This chapter describes how to configure and use graphical environments on OpenBSD. It covers lightweight window managers, full desktop environments, graphical login managers, and common tools required to support a complete desktop experience. Basic configuration of the X Window System, including input devices and graphics hardware, is described in the X11 chapter and is assumed to be already completed. Window Managers # A window manager (WM) controls the placement, appearance, and ...| OpenBSD Handbook
Synopsis # This chapter presents practical patterns for scaling Layer-2 and Layer-3 design on OpenBSD: VLAN planning with vlan(4), routed access (SVI-style interfaces) using ifconfig(8) and hostname.if(5), first-hop redundancy with carp(4), and anycast service placement (static ECMP or BGP-based; see OpenBGPD). Use these patterns to bound failure domains, simplify operations, and provide deterministic paths for clients and services. Design Considerations # VLAN strategy. Allocate one VLAN ...| OpenBSD Handbook
Synopsis # This chapter provides operational observability patterns for OpenBSD firewalls and routers: packet-filter logging via pflog(4) and pflogd(8), flow export with pflow(4) to external collectors (NetFlow v5/v9 and, where supported by your release, IPFIX), system and service telemetry with snmpd(8), and central log shipping with syslogd(8) configured through syslog.conf(5). Verification relies on pfctl(8), tcpdump(8), and systat(1). Use these patterns to produce actionable signals...| OpenBSD Handbook
Synopsis # This chapter provides hardened defaults and safe operating procedures for OpenBSD network systems. It covers anti-spoofing and reverse-path filtering in pf.conf(5), disciplined rule rollouts with pfctl(8), minimal-access administration with doas.conf(5), secure management-plane exposure via sshd_config(5), secret file hygiene for daemons (for example, iked.conf(5)), and patching with syspatch(8). It emphasizes predictable change, roll-back paths, and audit-ready configuratio...| OpenBSD Handbook
This cheatsheet summarizes common OpenBSD administration tasks with concise commands. Commands use $ for the unprivileged user and # for the superuser. Use doas(1) to escalate privileges and configure it via doas.conf(5). Privilege escalation # First-time setup from the documented example: $ doas cp /etc/examples/doas.conf /etc/doas.conf # seed config from example Grant cached auth for wheel: permit persist keepenv :wheel Test: $ doas id # run a simple command via doas Packages # Package too...| OpenBSD Handbook
Synopsis # This chapter assembles end-to-end reference designs built from components covered earlier. It presents three canonical patterns: Redundant Internet Edge with carp(4), pfsync(4), per-uplink NAT and policy routing in pf.conf(5), managed by pfctl(8). Campus/Branch Routed Access using VLAN SVIs, Router Advertisements with rad(8), internal recursion via unbound(8), authoritative zones with nsd(8), and DHCP with dhcpd(8). Regional POP with either an MPLS LDP core via ldpd(8) and ...| OpenBSD Handbook
This quickstart introduces Linux administrators to OpenBSD by mapping familiar concepts to OpenBSD tooling and conventions. It highlights practical differences; it is not an exhaustive comparison nor a discussion of philosophy. The guide assumes OpenBSD is already installed and you have command-line access. For installation, see the site’s installation chapter. Shells # The default shell for both root and regular users is the Korn shell, ksh(1). Its command language is a superset of the tr...| OpenBSD Handbook
Synopsis # This chapter provides deterministic troubleshooting playbooks for common production faults: High Availability (HA) role flaps, asymmetric paths at multi-WAN edges, tunnel MTU black holes, IPv6 Neighbor Discovery (ND) and Router Advertisement (RA) problems, and practical Quality-of-Service (QoS) verification. Each playbook uses base tools only: packet filter policy in pf.conf(5) inspected with pfctl(8), interfaces via ifconfig(8), live captures with tcpdump(8), system controls wi...| OpenBSD Handbook
This quickstart introduces FreeBSD administrators to OpenBSD by mapping familiar concepts to OpenBSD tooling and conventions. It highlights practical differences; it is not an exhaustive comparison nor a discussion of philosophy. The guide assumes OpenBSD 7.7 is already installed and you have command-line access. Shells # On OpenBSD, the default shell for both root and regular users is the Korn shell, ksh(1). This differs from FreeBSD, where the root account defaults to tcsh. OpenBSD’s ksh...| OpenBSD Handbook
This quickstart introduces macOS administrators to OpenBSD 7.7 by mapping familiar concepts to OpenBSD tooling and conventions. It highlights practical differences; it is not an exhaustive comparison nor a discussion of philosophy. The guide assumes OpenBSD is already installed and you have command-line access. Shells # On OpenBSD, the default shell for both root and regular users is the Korn shell, ksh(1). On modern macOS systems, new user accounts default to zsh. OpenBSD’s ksh(1) impleme...| OpenBSD Handbook
Synopsis # sshd is the OpenSSH daemon that accepts incoming SSH connections and provides encrypted remote shell access and secure file transfer. On OpenBSD, sshd is part of the base system and is enabled by default after installation. Typical uses include secure administration, file transfer via sftp(1) and scp(1), remote command execution, and secure tunneling. For service control, use rcctl(8). For configuration, edit sshd_config(5). The daemon benefits from pledge(2), unveil(2), and ne...| OpenBSD Handbook
Synopsis # IPv6 addressing on OpenBSD is typically handled using Stateless Address Autoconfiguration (SLAAC) rather than DHCPv6. The rtadvd(8) daemon provides Router Advertisements (RA) that clients such as slaacd(8) use to self-configure IPv6 addresses and routes without requiring a central DHCPv6 server. In contrast with IPv4, where DHCP is nearly always used for address configuration, OpenBSD’s base system intentionally omits DHCPv6 server functionality. A lightweight DHCPv6 server is av...| OpenBSD Handbook
Synopsis # Dynamic Host Configuration Protocol (DHCP) allows systems on a network to automatically obtain IPv4 addresses and associated configuration information such as DNS resolvers and default gateways. OpenBSD provides native support for both DHCP clients and servers for IPv4. For IPv6 address configuration, OpenBSD uses SLAAC (Stateless Address Autoconfiguration) with slaacd(8) rather than DHCPv6. This chapter describes how to configure both the DHCP client and server for IPv4 in OpenBSD...| OpenBSD Handbook
Synopsis # OpenBSD provides native support for Stateless Address Autoconfiguration (SLAAC), as described in RFC 4862. SLAAC allows IPv6 hosts to configure their addresses automatically based on Router Advertisements (RA) sent by local routers. This mechanism avoids the need for a centralized DHCPv6 infrastructure and is the default method for client-side IPv6 configuration in OpenBSD. The slaacd(8) daemon is responsible for receiving these advertisements and configuring IPv6 addresses, route...| OpenBSD Handbook
Synopsis # The syslogd(8) daemon is responsible for collecting and distributing log messages from the OpenBSD system and its services. It listens for log entries from the kernel and user processes via the syslog(3) interface and routes them according to rules defined in the configuration file /etc/syslog.conf. By default, syslogd writes messages to text files in /var/log/. It can also forward messages to remote log hosts using UDP or TLS-encrypted TCP. On OpenBSD, syslogd runs with strict pri...| OpenBSD Handbook
Synopsis # OpenSMTPD is the default mail transfer agent (MTA) in OpenBSD. It is implemented as the smtpd(8) daemon and designed to be secure, simple, and suitable for many use cases including local delivery, relaying, authenticated submission, and receiving mail for virtual domains. This chapter describes how to configure smtpd(8) for common and advanced scenarios, including TLS, filtering, and support for additional modules via opensmtpd-extras. Features # Secure by default, with privilege s...| OpenBSD Handbook
Synopsis # Accurate system time is essential for logging, cryptographic protocols, file timestamps, and consistent operation of distributed systems. OpenBSD includes a secure, minimalist NTP daemon, ntpd(8), in the base system. This service allows the system clock to be synchronized with remote time servers and, optionally, to provide time synchronization to other systems. This chapter describes how to configure ntpd(8) for typical client use and for serving time to a local network.| OpenBSD Handbook
Synopsis # Postfix is a full-featured mail transfer agent (MTA) known for its performance, ease of configuration, and strong focus on security. It is available as a package on OpenBSD and can be used as a drop-in replacement for the default smtpd(8) daemon when more advanced capabilities are required, such as compatibility with complex mail environments, detailed policy controls, or extensive logging. This chapter provides a detailed guide to installing and configuring Postfix on OpenBSD, inc...| OpenBSD Handbook
Synopsis # unbound(8) is a validating, recursive, caching DNS resolver included in the OpenBSD base system. It is enabled by default for local name resolution and is well-suited for both workstations and server environments. Unbound prioritizes simplicity, security, and performance, supporting features such as DNSSEC validation, local zones, and DNS-over-TLS. This chapter describes how to configure and manage unbound(8) on OpenBSD, including advanced options for DNS privacy and local network ...| OpenBSD Handbook
Synopsis # OpenBSD includes full support for the File Transfer Protocol (FTP), including both a command-line client (ftp(1)) and a simple, secure FTP server (ftpd(8)). While FTP is largely replaced by secure alternatives such as sftp (via sshd) and httpd for file downloads, it remains useful for compatibility with legacy systems, automation tasks, and minimal environments. This chapter documents the use of both the FTP client and server on OpenBSD. It also compares FTP to its alternatives, de...| OpenBSD Handbook
Synopsis # rsync is a fast and versatile file-copying tool used to synchronize files and directories between local and remote systems. It performs delta-based file transfers, making it especially efficient for backups and large data synchronization tasks. Though not included in the OpenBSD base system, rsync is available via packages and integrates well with ssh(1) for secure transport. This chapter documents the installation, configuration, and usage of rsync on OpenBSD in both client and se...| OpenBSD Handbook
Synopsis # NFS (Network File System) is a distributed file system protocol supported in the OpenBSD base system. It allows one system to share directories with others across a network. Clients can mount these shared directories and use them as if they were part of the local filesystem. This chapter documents NFS usage on OpenBSD, covering both server and client roles, daemon management, security options, and best practices for deployment.| OpenBSD Handbook
Synopsis # Exim is a highly configurable mail transfer agent (MTA) designed for Unix systems. Originally developed at the University of Cambridge, it offers a rich feature set and fine-grained control over mail routing, rewriting, and authentication. Exim is well suited to complex mail environments requiring deep customization. This chapter explains how to install and configure Exim on OpenBSD, covering use cases including local delivery, TLS encryption, relay via a smarthost, and basic conte...| OpenBSD Handbook
Synopsis # nsd(8) is a high-performance authoritative-only DNS server developed by NLnet Labs. It is included in the OpenBSD base system and is designed to serve DNS zones securely and efficiently without supporting recursive queries. Unlike unbound(8), which performs DNS resolution for clients, nsd(8) answers queries about domains it is explicitly configured to serve. This chapter describes the configuration and management of nsd(8) on OpenBSD for serving DNS zones to the public or within in...| OpenBSD Handbook
Synopsis # Rspamd is a fast, modular, and extensible spam filtering system designed to process large volumes of email efficiently. It evaluates messages using a variety of methods including regular expressions, statistical analysis, SPF/DKIM/DMARC checks, and URL reputation. Rspamd supports integration with MTAs such as smtpd(8), Postfix, and Exim via the milter protocol or by using proxy workers. This chapter describes the installation and configuration of Rspamd on OpenBSD, focusing on its ...| OpenBSD Handbook
Synopsis # Samba is a suite of programs that implements the SMB (Server Message Block) protocol and its modern extension, CIFS (Common Internet File System). It allows Unix systems to share files and printers with Windows clients, and vice versa. Samba can function as a standalone file server, a member of a Windows domain, or as an Active Directory domain controller (though the latter roles are less common on OpenBSD).| OpenBSD Handbook
Synopsis # YP (Yellow Pages), also known as NIS (Network Information Service), is a simple protocol for sharing configuration databases such as user accounts, group memberships, and hostnames across a trusted local network. OpenBSD includes support for both YP servers and clients in the base system. YP is not the same as LDAP, and it is important to distinguish them: YP is an older, RPC-based system developed by Sun Microsystems. LDAP (Lightweight Directory Access Protocol) is a modern, exten...| OpenBSD Handbook
Synopsis # LDAP (Lightweight Directory Access Protocol) is a flexible, network-accessible directory service widely used to centralize identity, authentication, and configuration information. It supports fine-grained access control, encrypted transport, and extensible schemas. It is important to clarify that LDAP is not the same as YP (NIS): YP is an older, SunRPC-based protocol included in the OpenBSD base system. LDAP is an extensible, industry-standard protocol (RFC 4511), designed to opera...| OpenBSD Handbook
Synopsis # ProFTPD is a highly configurable and standards-compliant FTP server that supports features such as virtual hosts, TLS encryption, chrooted sessions, anonymous and authenticated access, and integration with external user databases. Unlike OpenBSD’s built-in ftpd(8), which provides a minimal and secure FTP service, ProFTPD is available via packages and is suitable for administrators needing more advanced features or compatibility with legacy FTP clients. This chapter explains how t...| OpenBSD Handbook
Synopsis # vsftpd (Very Secure FTP Daemon) is a minimal, high-performance FTP server with a strong focus on security. It is commonly used in environments where low resource usage and correctness are more important than flexibility. Unlike ProFTPD, vsftpd does not support extensive module systems or virtual user databases natively. However, it provides a simple, robust FTP service that supports: Passive and active FTP modes Anonymous and local user logins Chrooting users FTPS encryption vsftpd...| OpenBSD Handbook
Synopsis # SNMP (Simple Network Management Protocol) is a protocol used to monitor and manage devices on a network. It allows external systems to query information such as interface status, uptime, system description, and resource usage. OpenBSD includes a native SNMP daemon, snmpd(8), in the base system. It provides read-only SNMPv1 and SNMPv2c service suitable for secure local and remote monitoring. An alternative implementation, Net-SNMP, is available via packages and offers SNMPv3, write ...| OpenBSD Handbook
Synopsis # TFTP (Trivial File Transfer Protocol) is a lightweight, UDP-based file transfer protocol used in scenarios such as network boot (PXE), firmware loading, and simple device provisioning. OpenBSD includes the standard tftpd(8) daemon and tftp(1) client in the base system. TFTP supports only basic file reads and writes with minimal overhead. It lacks authentication and encryption, so it must be used in trusted or isolated environments only. This chapter covers setup and usage of TFTP o...| OpenBSD Handbook
Synopsis # The Apache HTTP Server is one of the most widely used web servers in the world. It offers a powerful configuration system, dynamic module loading, robust virtual hosting, authentication features, TLS support, and compatibility with CGI and scripting environments such as PHP. Apache is not included in the OpenBSD base system. It is available as a package under the name www/apache. Web Server History on OpenBSD # Historically, OpenBSD shipped with Apache 1.3 as the default web server...| OpenBSD Handbook
Synopsis # nginx is a high-performance HTTP server and reverse proxy known for its efficiency, low memory footprint, and rich feature set. It supports static content, TLS, FastCGI and SCGI backends, reverse proxying, load balancing, and basic authentication. nginx is not included in the OpenBSD base system, but is available via packages. Web Server History on OpenBSD # OpenBSD historically shipped with Apache 1.3 in base, which was removed due to complexity and security concerns. For a brief ...| OpenBSD Handbook
Synopsis # httpd(8) is OpenBSD’s native web server daemon. It is simple and security-focused, runs in a chroot(2) to /var/www by default, serves static content, and dispatches dynamic requests to FastCGI backends. TLS is built in and integrates with acme-client(1) for automated certificate management. Web Server History on OpenBSD # OpenBSD initially shipped with Apache 1.3, transitioned briefly to nginx (OpenBSD 5.6–5.8), and since OpenBSD 5.9 has included the current, native httpd(8) in...| OpenBSD Handbook
Synopsis # relayd(8) is OpenBSD’s native application-layer proxy and filtering daemon. It supports: reverse proxying (HTTP/HTTPS); TLS termination with optional re-encryption; HTTP/HTTPS load balancing with active health checks; Layer 7 filtering, header rewriting, and redirection. relayd is included in the OpenBSD base system and integrates tightly with pf(4) and httpd(8). It is configured via /etc/relayd.conf. Use relayd when you need to expose HTTP or HTTPS services securely, filter traffic ...| OpenBSD Handbook
Synopsis # This chapter explains how to configure and use audio and video hardware under OpenBSD, manage sound devices using the base system’s sndio(7) framework, and install multimedia applications such as video players, editors, and streaming tools from packages. It also documents webcam usage, ripping and transcoding media, home media sharing via DLNA, and game or screen broadcasting to services such as Twitch or YouTube. Audio Subsystem # Sound Hardware Support # OpenBSD supports variou...| OpenBSD Handbook
Synopsis # OpenBSD supports both the traditional BSD printing system (lpd) and the more feature-rich CUPS (Common UNIX Printing System). This chapter describes how to configure local and network printers, install printer drivers and filters, print to PDF, and configure an OpenBSD system as a print server. Overview of Printing in OpenBSD # The base system includes lpd(8), a lightweight line printer daemon that handles print spooling and basic filtering. More complex setups, such as those requi...| OpenBSD Handbook
Synopsis # OpenBSD provides a consistent and secure framework for managing disks, partitions, file systems, and advanced storage options such as encryption and software RAID. This chapter describes how to detect new disks, initialize them with an appropriate partitioning scheme (MBR or GPT), define disklabel partitions, create and mount file systems, and ensure proper boot-time configuration with /etc/fstab. It also covers removable media, file system checks, and the use of disk monitoring to...| OpenBSD Handbook
Synopsis # Maintaining an OpenBSD system involves several distinct tasks: applying binary patches to the base system, updating installed packages, upgrading to a new release, and optionally tracking the development branch (-current). OpenBSD provides a set of reliable, clearly defined tools for each of these operations. This chapter describes the procedures for: applying base system security and stability patches using syspatch(8); upgrading installed packages with pkg_add -u; applying firmware...| OpenBSD Handbook
Synopsis # Localization refers to the configuration of system behavior to support regional language, character encoding, date formats, and input settings. While OpenBSD uses US English and POSIX standards by default, it supports localization through environment variables, UTF-8 character sets, alternate keymaps, and timezone settings. This chapter explains how to: set language and locale preferences via LANG and LC_* variables; enable UTF-8 character encoding in the base system; configure timez...| OpenBSD Handbook
Synopsis # This chapter documents the current status of Linux binary compatibility on OpenBSD. It describes the historical linux(4) subsystem that once enabled Linux ELF binary execution, the reasons for its removal, and modern alternatives for accessing Linux-only software, including virtualization, remote execution, and native packaging. Historical Note # OpenBSD previously supported partial Linux compatibility through the linux(4) kernel subsystem. This layer enabled execution of select Li...| OpenBSD Handbook
Synopsis # This chapter describes the current state of Windows compatibility on OpenBSD. Wine is not available on OpenBSD due to architectural, security, and kernel-related incompatibilities. This chapter explains why Wine has not been successfully ported, documents past efforts, and offers practical alternatives such as virtualization, remote access, and native software. Wine and OpenBSD # Wine (Wine Is Not an Emulator) is a compatibility layer that allows execution of Microsoft Windows appl...| OpenBSD Handbook
Synopsis # This chapter describes a curated selection of games available on OpenBSD, categorized into terminal-based and graphical titles. While OpenBSD does not prioritize gaming performance, it supports a variety of games through its ports and packages system, including strategy, simulation, roguelike, and emulated titles. This chapter also includes installation examples, system requirements, and performance notes. Terminal and Text‑Based Games # The OpenBSD ports tree includes many games...| OpenBSD Handbook
Synopsis # MariaDB is an open source relational database system that is a drop-in replacement for MySQL. It is used for structured data storage and access by web applications, scripts, and services. MariaDB provides SQL-based access to tabular data, user privilege management, replication, and ACID compliance. MariaDB is available on OpenBSD via the ports and packages system and is the recommended way to deploy a MySQL-compatible server. Why MySQL Is Not Included # OpenBSD does not include Ora...| OpenBSD Handbook
Synopsis # PostgreSQL is a robust, open-source relational database management system (RDBMS) known for its standards compliance, extensibility, and strong consistency guarantees. It is widely used in applications that require reliable transactional data storage, structured queries via SQL, and advanced data types or functions. PostgreSQL is available via OpenBSD’s package system and integrates with rcctl(8) for service management. It supports local Unix socket connections, TCP networking, T...| OpenBSD Handbook
Synopsis # Redis is an in-memory key-value store designed for high performance, low latency, and a wide range of data structures such as strings, hashes, sets, sorted sets, and streams. It supports optional disk persistence, replication, and Lua scripting. Redis is commonly used for caching, messaging, job queues, and ephemeral data storage. Redis is not included in the OpenBSD base system, but is available via packages. The Redis server runs as a daemon (redis-server) and is managed with rcc...| OpenBSD Handbook
Synopsis # memcached is a high-performance in-memory key-value store used primarily for caching data to reduce database load and latency in dynamic web applications. It provides a simple TCP protocol for setting and retrieving short-lived values and is often used by frameworks like Django, Rails, and PHP. memcached is available on OpenBSD via packages and integrates with rcctl(8) for service management. Unlike Redis, memcached is not persistent and supports only very simple key-value operations.| OpenBSD Handbook
Synopsis # RabbitMQ is a message broker that implements the AMQP (Advanced Message Queuing Protocol). It is used to decouple services and distribute tasks using queues, topics, and publish-subscribe mechanisms. RabbitMQ supports persistent queues, acknowledgements, clustering, TLS encryption, and various plugins including web-based management. RabbitMQ is available on OpenBSD via the packages system. It runs on top of the Erlang runtime and communicates over TCP (AMQP by default on port 5672,...| OpenBSD Handbook
Synopsis # OpenBSD follows a straightforward, well-documented boot process designed for reliability, clarity, and security. The boot mechanism consists of several distinct stages that begin with firmware (such as BIOS or UEFI) and conclude with the system transitioning to multi-user mode after executing startup scripts. This chapter describes each stage, including bootloaders, kernel initialization, and early userland processes. Boot Stages Overview # The boot process on OpenBSD systems typic...| OpenBSD Handbook
Task-oriented, administrator-focused guidance for installing, securing, and operating OpenBSD: PF firewall, httpd, networking, storage, upgrades, and everyday administration.| OpenBSD Handbook