AFTERBOOT(8)            NetBSD System Manager's Manual            AFTERBOOT(8)

     afterboot -- things to check after the first complete boot

   Starting Out
     This document attempts to list items for the system administrator to
     check and set up after the installation and first complete boot of the
     system.  The idea is to create a list of items that can be checked off so
     that you have a warm fuzzy feeling that something obvious has not been
     missed.  A basic knowledge of UNIX is assumed.

     Complete instructions for correcting and fixing items is not provided.
     There are manual pages and other methodologies available for doing that.
     For example, to view the man page for the ls(1) command, type:

           man 1 ls

     Administrators will rapidly become more familiar with NetBSD if they get
     used to using the manual pages.

   Security alerts
     By the time that you have installed your system, it is quite likely that
     bugs in the release have been found.  All significant and easily fixed
     problems will be reported at .:
     It is recommended that you check this page regularly.

     Additionally, you should set ``fetch_pkg_vulnerabilities=YES'' in
     /etc/daily.conf to allow your system to automatically update the local
     database of known vulnerable packages to the latest version available on-
     line.  The system will later check, on a daily basis, if any of your
     installed packages are vulnerable based on the contents of this database.
     See daily.conf(5) and security.conf(5) for more details.

     Login as ``root''.  You can do so on the console, or over the network
     using ssh(1).  If you have enabled the SSH daemon (see sshd(8)) and wish
     to allow root logins over the network, edit the /etc/ssh/sshd_config file
     and set ``PermitRootLogin'' to ``yes'' (see sshd_config(5)).  The default
     is to not permit root logins over the network after fresh install in

     Upon successful login on the console, you may see the message ``We
     recommend creating a non-root account...''.  For security reasons, it is
     bad practice to login as root during regular use and maintenance of the
     system.  In fact, the system will only let you login as root on a secure
     terminal.  By default, only the console is considered to be a secure ter-
     minal.  Instead, administrators are encouraged to add a ``regular'' user,
     add said user to the ``wheel'' group, then use the su(1) command when
     root privileges are required.  This process is described in more detail

   Root password
     Change the password for the root user.  (Note that throughout the docu-
     mentation, the term ``superuser'' is a synonym for the root user.)
     Choose a password that has numbers, digits, and special characters (not
     space) as well as from the upper and lower case alphabet.  Do not choose
     any word in any language.  It is common for an intruder to use dictionary
     attacks.  Type the command /usr/bin/passwd to change it.

     It is a good idea to always specify the full path name for both the
     passwd(1) and su(1) commands as this inhibits the possibility of files
     placed in your execution PATH for most shells.  Furthermore, the supe-
     ruser's PATH should never contain the current directory (``.'').

   System date
     Check the system date with the date(1) command.  If needed, change the
     date, and/or change the symbolic link of /etc/localtime to the correct
     time zone in the /usr/share/zoneinfo directory.


     date 200205101820
           Set the current date to May 10th, 2002 6:20pm.

     ln -fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
           Set the time zone to Eastern Europe Summer Time.

   Console settings
     One of the first things you will likely need to do is to set up your key-
     board map (and maybe some other aspects about the system console).  To
     change your keyboard encoding, edit the ``encoding'' variable found in

     wscons.conf(5) contains more information about this file.

   Check hostname
     Use the hostname command to verify that the name of your machine is cor-
     rect.  See the man page for hostname(1) if it needs to be changed.  You
     will also need to change the contents of the ``hostname'' variable in
     /etc/rc.conf or edit the /etc/myname file to have it stick around for the
     next reboot.  Note that ``hostname'' is supposed include a domainname,
     and that this should not be confused with YP (NIS) domainname(1).  If you
     are using dhcpcd(8) to configure network interfaces, it might override
     these local hostname settings if your DHCP server specifies client's
     hostname with other network configurations.

   Verify network interface configuration
     The first thing to do is an ifconfig -a to see if the network interfaces
     are properly configured.  Correct by editing /etc/ifconfig.interface or
     the corresponding ``ifconfig_interface'' variable in rc.conf(5) (where
     interface is the interface name, e.g., ``le0'') and then using
     ifconfig(8) to manually configure it if you do not wish to reboot.

     Alternatively, you can configure interfaces automatically via DHCP with
     dhcpcd(8) if you have a DHCP server running somewhere on your network.
     To get dhcpcd(8) to start automatically on boot, you will need to have
     this line in /etc/rc.conf:


     See dhcpcd(8) and dhcpcd.conf(5) for more information on setting up a
     DHCP client.

     You can add new ``virtual interfaces'' by adding the required entries to
     /etc/ifconfig.interface.  Read the ifconfig.if(5) man page for more
     information on the format of /etc/ifconfig.interface files.  The loopback
     interface will look something like:

           lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
                   inet netmask 0xff000000
                   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
                   inet6 ::1 prefixlen 128

     an Ethernet interface something like:

                   inet netmask 0xffffff00 broadcast
                   inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1

     and a PPP interface something like:

           ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
                   inet --> netmask 0xffff0000

     See mrouted(8) for instructions on configuring multicast routing.

   Check routing tables
     Issue a netstat -rn command.  The output will look something like:

           Routing tables

           Destination    Gateway           Flags  Refs     Use  Mtu  Interface
           default     UGS      0 11098028    -  le0
           127           UGRS     0        0    -  lo0
          UH       3       24    -  lo0
           192.168.4      link#1            UC       0        0    -  le0
    8:0:20:73:b8:4a   UHL      1     6707    -  le0
   0:60:3e:99:67:ea  UHL      1        0    -  le0

           Destination        Gateway       Flags  Refs  Use     Mtu  Interface
           ::/96              ::1           UGRS     0     0   32972  lo0 =>
           ::1                ::1           UH       4     0   32972  lo0
           ::ffff:  ::1           UGRS     0     0   32972  lo0
           fc80::/10          ::1           UGRS     0     0   32972  lo0
           fe80::/10          ::1           UGRS     0     0   32972  lo0
           fe80::%le0/64      link#1        UC       0     0    1500  le0
           fe80::%lo0/64      fe80::1%lo0   U        0     0   32972  lo0
           ff01::/32          ::1           U        0     0   32972  lo0
           ff02::%le0/32      link#1        UC       0     0    1500  le0
           ff02::%lo0/32      fe80::1%lo0   UC       0     0   32972  lo0

     The default gateway address is stored in the ``defaultroute'' variable in
     /etc/rc.conf, or in the file /etc/mygate.  If you need to edit this file,
     a painless way to reconfigure the network afterwards is to issue

           service network restart

     Or, you may prefer to manually configure using a series of route add and
     route delete commands (see route(8)).  If you run dhcpcd(8) you will have
     to kill it by running

           service dhcpcd stop

     before you flush the routes.

     If you wish to route packets between interfaces, add one or both of the
     following directives (depending on whether IPv4 or IPv6 routing is
     required) to /etc/sysctl.conf:


     As an alternative, compile a new kernel with the ``GATEWAY'' option.
     Packets are not forwarded by default, due to RFC requirements.

   Secure Shell (SSH)
     By default, all services are disabled in a fresh NetBSD installation, and
     SSH is no exception.  You may wish to enable it so you can remotely con-
     trol your system.  Set ``sshd=YES'' in /etc/rc.conf and then starting the
     server with the command

           service sshd start

     The first time the server is started, it will generate a new keypair,
     which will be stored inside the directory /etc/ssh.

   Host names and DNS
     The system resolves host names according the rules for hosts in the name
     service switch configuration at /etc/nsswitch.conf.  By default, it will
     query /etc/hosts first, and then the DNS resolver specified in

     If your network does not have a usable DNS resolver, e.g. one provided by
     DHCP, you can run a local caching recursive resolver by setting
     ``named=YES'' in /etc/rc.conf and either rebooting or running the follow-
     ing command:

           service named start

     named(8) is configured in /etc/named.conf by default to run as a local
     caching recursive resolver.  Then, to make the system use it, put the
     following in /etc/resolv.conf:


   Wireless networking
     You can scan for nearby wireless networks using:

           ifconfig iwm0 up list scan
           ifconfig iwm0 down

     To connect to a wireless network using WPA and DHCP:

           wpa_passphrase networkname password > /etc/wpa_supplicant.conf
           wpa_supplicant -i iwm0 -c /etc/wpa_supplicant.conf &
           dhcpcd iwm0

     To automatically connect at boot, add the following flags to

           wpa_supplicant_flags="-i iwm0 -c /etc/wpa_supplicant.conf"

   RPC-based network services
     Several services depend on the RPC portmapper rpcbind(8) - formerly known
     as portmap - being running for proper operation.  This includes YP (NIS)
     and NFS exports, among other services.  To get the RPC portmapper to
     start automatically on boot, you will need to have this line in


   YP (NIS) Setup
     Check the YP domain name with the domainname(1) command.  If necessary,
     correct it by editing the /etc/defaultdomain file or by setting the
     ``domainname'' variable in /etc/rc.conf.  The /etc/rc.d/network script
     reads this file on bootup to determine and set the domain name.  You may
     also set the running system's domain name with the domainname(1) command.
     To start YP client services, simply run ypbind, then perform the remain-
     ing YP activation as described in passwd(5) and group(5).

     In particular, to enable YP passwd support, you'll need to update
     /etc/nsswitch.conf to include ``nis'' for the ``passwd'' and ``group''
     entries.  A traditional way to accomplish the same thing is to add fol-
     lowing entry to local passwd database via vipw(8):


     Note this entry has to be the very last one.  This traditional way works
     with the default nsswitch.conf(5) setting of ``passwd'', which is

     There are many more YP man pages available to help you.  You can find
     more information by starting with nis(8).

   Check disk mounts
     Check that the disks are mounted correctly by comparing the /etc/fstab
     file against the output of the mount(8) and df(1) commands.  Example:

           # cat /etc/fstab
           /dev/sd0a / ffs     rw              1 1
           /dev/sd0b none swap sw
           /dev/sd0e /usr ffs  rw              1 2
           /dev/sd0f /var ffs  rw              1 3
           /dev/sd0g /tmp ffs  rw              1 4
           /dev/sd0h /home ffs rw              1 5

           # mount
           /dev/sd0a on / type ffs (local)
           /dev/sd0e on /usr type ffs (local)
           /dev/sd0f on /var type ffs (local)
           /dev/sd0g on /tmp type ffs (local)
           /dev/sd0h on /home type ffs (local)

           # df
           Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
           /dev/sd0a         22311    14589     6606    69%    /
           /dev/sd0e        203399   150221    43008    78%    /usr
           /dev/sd0f         10447      682     9242     7%    /var
           /dev/sd0g         18823        2    17879     0%    /tmp
           /dev/sd0h          7519     5255     1888    74%    /home

           # pstat -s
           Device      512-blocks     Used    Avail Capacity  Priority
           /dev/sd0b       131072    84656    46416    65%    0

     Edit /etc/fstab and use the mount(8) and umount(8) commands as appropri-
     ate.  Refer to the above example and fstab(5) for information on the for-
     mat of this file.

     You may wish to do NFS mounts now too, or you can do them later.

   Concatenated disks (ccd)
     If you are using ccd(4) concatenated disks, edit /etc/ccd.conf.  You may
     wish to take a look to ccdconfig(8) for more information about this file.
     Use the ccdconfig -U command to unload and the ccdconfig -C command to
     create tables internal to the kernel for the concatenated disks.  You
     then mount(8), umount(8), and edit /etc/fstab as needed.

   Automounter daemon (AMD)
     To use the amd(8) automounter, create the /etc/amd directory, copy exam-
     ple config files from /usr/share/examples/amd to /etc/amd and customize
     them as needed.  Alternatively, you can get your maps with YP.

   Clock synchronization
     In order to make sure the system clock is synchronized to that of a pub-
     licly accessible NTP server, make sure that /etc/rc.conf contains the


     See date(1), ntpdate(8), ntpd(8), rdate(8), and timed(8) for more infor-
     mation on setting the system's date.

     The system should be usable now, but you may wish to do more customizing,
     such as adding users, etc.  Many of the following sections may be skipped
     if you are not using that package (for example, skip the Kerberos section
     if you won't be using Kerberos).  We suggest that you cd /etc and edit
     most of the files in that directory.

     Note that the /etc/motd file is modified by /etc/rc.d/motd whenever the
     system is booted.  To keep any custom message intact, ensure that you
     leave two blank lines at the top, or your message will be overwritten.

   Add new users
     To add new users and groups, there are useradd(8) and groupadd(8); see
     also user(8) for further programs for user and group manipulation.  You
     may use vipw(8) to add users to the /etc/passwd file and edit /etc/group
     by hand to add new groups.  The manual page for su(1), tells you to make
     sure to put people in the `wheel' group if they need root access (non-
     Kerberos).  For example:


     Follow instructions for kerberos(8) if using Kerberos for authentication.

   System boot scripts and /etc/rc.local
     /etc/rc and the /etc/rc.d/* scripts are invoked at boot time after single
     user mode has exited, and at shutdown.  The whole process is controlled
     by the master script /etc/rc.  This script should not be changed by

     The directory /etc/rc.d contains a series of scripts used at
     startup/shutdown, called by /etc/rc.  /etc/rc is in turn influenced by
     the configuration variables present in /etc/rc.conf.

     The script /etc/rc.local is run as the last thing during multiuser boot,
     and is provided to allow any other local hooks necessary for the system.

     To enable or disable various services on system startup, corresponding
     entries can be made in /etc/rc.conf.  You can take a look at
     /etc/defaults/rc.conf to see a list of default system variables, which
     you can override in /etc/rc.conf.  Note you are not supposed to change
     /etc/defaults/rc.conf directly, edit only /etc/rc.conf.  See rc.conf(5)
     for further information.

   X Display Manager
     If you've installed X, you may want to turn on xdm(1), the X Display Man-
     ager.  To do this, set ``xdm=YES'' in /etc/rc.conf.

     Edit /etc/printcap and /etc/hosts.lpd to get any printers set up.  Con-
     sult lpd(8) and printcap(5) if needed.

   Tighten up security
     In /etc/inetd.conf comment out any extra entries you do not need, and
     only add things that are really needed.  Note that by default all ser-
     vices are disabled for security reasons.

     If you are going to use Kerberos for authentication, see kerberos(8) and
     ``info heimdal'' for more information.  If you already have a Kerberos
     master, change directory to /etc/kerberosV and configure.  Remember to
     get a srvtab from the master so that the remote commands work.

   Mail Aliases
     Check /etc/mail/aliases and update appropriately if you want e-mail to be
     routed to non-local addresses or to different users.

     Run newaliases(1) after changes.

     NetBSD uses Postfix as its MTA.  Postfix is started by default, but its
     initial configuration does not cause it to listen on the network for
     incoming connections.  To configure Postfix, see /etc/postfix/ and
     /etc/postfix/  If you wish to use a different MTA (e.g., send-
     mail), install your MTA of choice and edit /etc/mailer.conf to point to
     the proper binaries.

   DHCP server
     If this is a DHCP server, edit /etc/dhcpd.conf and /etc/dhcpd.interfaces
     as needed.  You will have to make sure /etc/rc.conf has ``dhcpd=YES'' or
     run dhcpd(8) manually.

   Bootparam server
     If this is a Bootparam server, edit /etc/bootparams as needed.  You will
     have to turn it on in /etc/rc.conf by adding ``bootparamd=YES''.

   NFS server
     If this is an NFS server, make sure /etc/rc.conf has:


     Edit /etc/exports and get it correct.  After this, you can start the
     server by issuing:

           service rpcbind start
           service mountd start
           service nfsd start
     which will also start dependencies.

   HP remote boot server
     Edit /etc/rbootd.conf if needed for remote booting.  If you do not have
     HP computers doing remote booting, do not enable this.

   Daily, weekly, monthly scripts
     Look at and possibly edit the /etc/daily.conf, /etc/weekly.conf, and
     /etc/monthly.conf configuration files.  You can check which values you
     can set by looking to their matching files in /etc/defaults.  Your site
     specific things should go into /etc/daily.local, /etc/weekly.local, and

     These scripts have been limited so as to keep the system running without
     filling up disk space from normal running processes and database updates.
     (You probably do not need to understand them.)

   Other files in /etc
     Look at the other files in /etc and edit them as needed.  (Do not edit
     files ending in .db -- like pwd.db, spwd.db, nor localtime, nor rmt, nor
     any directories.)

   Crontab (background running processes)
     Check what is running by typing crontab -l as root and see if anything
     unexpected is present.  Do you need anything else?  Do you wish to change
     things?  For example, if you do not like root getting standard output of
     the daily scripts, and want only the security scripts that are mailed
     internally, you can type crontab -e and change some of the lines to read:

           30  1  *  *  *   /bin/sh /etc/daily 2>&1 > /var/log/daily.out
           30  3  *  *  6   /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
           30  5  1  *  *   /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out

     See crontab(5).

   Next day cleanup
     After the first night's security run, change ownerships and permissions
     on files, directories, and devices; root should have received mail with
     subject: "<hostname> daily insecurity output.".  This mail contains a set
     of security recommendations, presented as a list looking like this:

                   permissions (0755, 0775)
                   user (0, 3)

     The best bet is to follow the advice in that list.  The recommended set-
     ting is the first item in parentheses, while the current setting is the
     second one.  This list is generated by mtree(8) using /etc/mtree/special.
     Use chmod(1), chgrp(1), and chown(8) as needed.

     Install your own packages.  The NetBSD packages collection, pkgsrc,
     includes a large set of third-party software.  A lot of it is available
     as binary packages that you can download from
     or a mirror, and install using pkg_add(1).  See
     and pkgsrc/doc/pkgsrc.txt for more details.

     Copy vendor binaries and install them.  You will need to install any
     shared libraries, etc.  (Hint: man -k compat to find out how to install
     and use compatibility mode.)

     There is also other third-party software that is available in source form
     only, either because it has not been ported to NetBSD yet, because
     licensing restrictions make binary redistribution impossible, or simply
     because you want to build your own binaries.  Sometimes checking the
     mailing lists for past problems that people have encountered will result
     in a fix posted.

   Check the running system
     You can use ps(1), netstat(1), and fstat(1) to check on running pro-
     cesses, network connections, and opened files, respectively.  Other tools
     you may find useful are systat(1) and top(1).

     Note: The standard NetBSD kernel configuration (GENERIC) is suitable for
     most purposes.

     First, review the system message buffer in /var/run/dmesg.boot and by
     using the dmesg(8) command to find out information on your system's
     devices as probed by the kernel at boot.  In particular, note which
     devices were not configured.  This information will prove useful when
     editing kernel configuration files.

     To compile a kernel inside a writable source tree, do the following:

           $ cd /usr/src/sys/arch/SOMEARCH/conf
           $ cp GENERIC SOMEFILE (only the first time)
           $ vi SOMEFILE (adapt to your needs)
           $ config SOMEFILE
           $ cd ../compile/SOMEFILE
           $ make depend
           $ make

     where SOMEARCH is the architecture (e.g., i386), and SOMEFILE should be a
     name indicative of a particular configuration (often that of the host-

     If you are building your kernel again, before you do a make you should do
     a make clean after making changes to your kernel options.

     After either of these two methods, you can place the new kernel (called
     netbsd) in / (i.e., /netbsd) by issuing make install and the system will
     boot it next time.  The old kernel is stored as /onetbsd so you can boot
     it in case of failure.

     If you are using toolchain to build your kernel, you will also need to
     build a new set of toolchain binaries.  You can do it by changing into
     /usr/src and issuing:

           $ cd /usr/src
           $ K=sys/arch/`uname -m`/conf
           $ cp $K/GENERIC $K/SOMEFILE
           $ vi $K/SOMEFILE (adapt to your needs)
           $ ./ tools
           $ ./ kernel=SOMEFILE

     At this point, the system should be fully configured to your liking.  It
     is now a good time to ensure that the system behaves according to its
     specifications and that it is stable on your hardware.  Please refer to
     tests(7) for details on how to do so.

     chgrp(1), chmod(1), config(1), crontab(1), date(1), df(1), domainname(1),
     fstat(1), hostname(1), make(1), man(1), netstat(1), newaliases(1),
     passwd(1), pkg_add(1), ps(1), ssh(1), su(1), systat(1), top(1), xdm(1),
     ccd(4), aliases(5), crontab(5), dhcpcd.conf(5), exports(5), fstab(5),
     group(5), hosts(5), ifconfig.if(5), mailer.conf(5), named.conf(5),
     nsswitch.conf(5), passwd(5), printcap(5), rc.conf(5), resolv.conf(5),
     sshd_config(5), wpa_supplicant.conf(5), wscons.conf(5), hier(7),
     hostname(7), pkgsrc(7), tests(7), amd(8), ccdconfig(8), chown(8),
     dhcpcd(8), dhcpd(8), dmesg(8), groupadd(8), ifconfig(8), inetd(8),
     kerberos(8), lpd(8), mount(8), mrouted(8), mtree(8), named(8), nis(8),
     ntpd(8), ntpdate(8), rbootd(8), rc(8), rdate(8), rmt(8), route(8),
     rpc.bootparamd(8), rpcbind(8), sshd(8), timed(8), umount(8), useradd(8),
     vipw(8), wpa_supplicant(8), yp(8), ypbind(8)

     This document first appeared in OpenBSD 2.2.  It has been adapted to
     NetBSD and first appeared in NetBSD 2.0.

NetBSD 8.1                    September 10, 2017                    NetBSD 8.1

You can also request any man page by name and (optionally) by section:


Use the DEFAULT collection to view manual pages for third-party software.

©1994 Man-cgi 1.15, Panagiotis Christias
©1996-2019 Modified for NetBSD by Kimmo Suominen