Kernel 2.6.28 Notes and Upgrade to Ext4
Normally you don't update the kernel at every release unless hardware doesn't work as expected or you really need the slight performance gains new kernel features may bring. But if there is a new module or option you need, you may as well.
A great site that posts about each kernel release is Kernel Newbies; you'll want to understand the new options before updating, and while you're at it you can upgrade to ext4. Don't worry, it's easy.
Dog the Kernel
So you don't download umpteen kernel sources between updates, just unmask the version you need:
echo "sys-kernel/gentoo-sources-2.6.28" >> /etc/portage/package.unmask
To have /usr/src/linux point at the new kernel sources:
Emerge it:
cd /usr/src/linux
cp /usr/src/linux-2.6.27-r2/.config .
make oldconfig
Here are a few of the new options and the answers I gave:
If you want the kernel to check whether the BIOS is scribbling over low memory (a known cause of random corruption on some boards; note this is a periodic scan of the low 64k for unexpected changes, not a tamper detector, and it is the default-on switch for X86_CHECK_BIOS_CORRUPTION):
X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
2.6.28 can also reserve the low 64k of RAM on AMI/Phoenix BIOSes (X86_RESERVE_LOW_64K), which, as a developer whose link I lost put it, "might as well solve a wide range of suspend/resume breakages under Linux."
LRU List Y
Write ELF core dumps with partial segments N
Distributed Switch Architecture N
Phonet (for cellular phones) N
Integrated Circuits No
Voltage and Current Regulator Support No # Could be useful on laptops
PID device support No
# Say Y here if you have a PID-compliant device and wish to enable force feedback for it. Microsoft Sidewinder Force Feedback 2 is one of such devices.
Load all HID drivers… Yes
Extended 4 (ext4) filesystem (EXT4_FS) Y
Enable ext4dev compatibility N
Ext4 extended attributes (EXT4_FS_XATTR) N # say Y instead if you want POSIX ACLs or security labels (SELinux) on ext4; both depend on xattr support
RCU N
CRC32C hardware acceleration N
People may have heard about GEM, the new memory manager for GPU memory that can improve drawing speed dramatically. GEM is already built into the kernel and needs no configuring; so far only the Intel 915 driver uses it, but others will follow.
Now build and install the kernel:
Edit /boot/grub/grub.conf to add the new kernel:
root (hd0,4)   # (hd0,N): N is the partition holding /boot, e.g. 4
kernel /boot/vmlinuz-2.6.28-gentoo-r2 root=/dev/
Rebuild the driver packages that build against the kernel (tell me if this has to be done after reinstalling them, because I forgot to do it :) ):
module-rebuild populate
module-rebuild rebuild
Upgrading to Ext4
Ext4 is the evolution of ext3 and brings tons of enhancements (extents, faster fsck, larger files and filesystems). Ext4 looks to be a really good modern filesystem. Linux is good.
Edit /etc/fstab and change filesystems from ext3 to ext4.
If you have a separate boot partition, it's best to leave it as ext2 or ext3. If /boot is part of your root filesystem, you'll need a patched version of grub that understands ext4; in Gentoo, grub versions newer than 0.97-r9 have the patch built in.
Or whatever your hard disk is.
Next you'll need to boot from an install CD, as partitions should not be converted while mounted. I used the Sabayon DVD. This step takes about a nanosecond.
Then you'll need a forced fsck to fix up the inodes.
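Putting the steps above into one script, as an added example that is not from the original post: it rewrites the ext3 entries in an fstab to ext4 while leaving /boot alone (an unpatched GRUB 0.97 cannot read ext4), refuses to touch a device that is still mounted, sets the ext4 on-disk features with tune2fs and runs the forced fsck the conversion requires. The device name, the fstab path and the sample fstab are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and the sample fstab
# below are constructed for illustration.

# Rewrite ext3 -> ext4 in fstab text (stdin -> stdout), leaving /boot on
# ext3 so an unpatched GRUB 0.97 can still read the kernel.
fstab_ext3_to_ext4() {
    awk '
        BEGIN { OFS = "\t" }
        /^[ \t]*#/ || NF < 3 { print; next }          # comments, blank lines
        $3 == "ext3" && $2 != "/boot" { $3 = "ext4" } # rebuilds the line with tabs
        { print }
    '
}

# True when the block device appears in the mount table. tune2fs on a
# mounted filesystem followed by fsck is how data gets lost, so this gates
# the conversion; run it from an install CD where the root fs is not mounted.
device_is_mounted() {
    mount | grep -q "^$1 on "
}

# Offline ext3 -> ext4 conversion of one device.
#   extents   : the ext4 on-disk layout; once set the fs no longer mounts
#               as ext3, so the fstab change above is mandatory
#   uninit_bg : lets fsck skip unused block groups
#   dir_index : hashed directory lookups
# The forced fsck afterwards rewrites the metadata for the new features;
# skipping it leaves an inconsistent filesystem (it exits 1 if it fixed
# something, so read its output).
convert_ext3_to_ext4() {
    dev="$1"
    if device_is_mounted "$dev"; then
        echo "$dev is mounted; boot from an install CD first" >&2
        return 1
    fi
    tune2fs -O extents,uninit_bg,dir_index "$dev" || return 1
    fsck -pf "$dev"
}

# Demonstration on a constructed fstab (no device is touched).
SAMPLE_FSTAB=$(printf '/dev/sda1\t/boot\text3\tnoatime\t1 2\n/dev/sda3\t/\text3\tnoatime\t0 1\n/dev/sda4\t/home\text3\tnoatime\t0 2\n')
printf '%s\n' "$SAMPLE_FSTAB" | fstab_ext3_to_ext4

# Real run, from the install CD, after editing fstab and taking a backup:
#   convert_ext3_to_ext4 /dev/sda3
```

For the real file, run `fstab_ext3_to_ext4 < /etc/fstab > /etc/fstab.new`, read the result, then move it into place; do the tune2fs step only from the install CD.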
All is good in the world. Adios!
Installing OpenBSD 4.4
Following the 'not enough time on my hands' FreeBSD dive with a Power Mac, I decided to continue on the BSD tour bus to OpenBSD. A good friend recommended it to me in the middle of my FreeBSD install and I'd have liked to have heard about it a lot sooner. OpenBSD turned out to be a really great OS, particularly for a router/firewall. I now have OpenBSD running successfully and it's running well. The install does take a bit of work but the results are b-e-a-utiful.
OpenBSD is a fork of NetBSD (BSD: Berkeley Software Distribution) that focuses on security; the code in OpenBSD is carefully audited. This guide walks through a basic install of OpenBSD (a few parts are macppc specific) and adds the parts you need if you'd like to make OpenBSD a router.
Dual Boot MacOS?
The OpenBSD installer only supports fdisk, not mac-fdisk, so if you plan to dual-boot Mac OS you should partition beforehand, either with mac-fdisk (see the FreeBSD install post) or with a Mac OS utility like Disk Setup. Create one partition for Mac OS and another for OpenBSD. This install, however, gives the whole disk to OpenBSD.
Beginning with the installer
You might want to use OpenBSD’s Installation Guide as a companion guide along with this.
Put the CD in the Mac; you'll have to start it from the Open Firmware prompt. Hold Apple + Option + O + F at boot, and at the OF prompt type:
The release cd will allow you to install, upgrade or use the shell:
You will now initialize the disk(s) that OpenBSD will use. To enable all available security features you should configure the disk(s) to allow the creation of separate filesystems for /, /tmp, /var, /usr, and /home.
Available disks are: wd0 sd0.
wd0
wd0 must be partitioned using an HFS or an MBR partition table. If you plan to dual-boot MacOS use HFS, otherwise choose MBR.
MBR
Which one is the root disk (or ‘done’) [done] [wd0]
wd0
Do you want to use *all* of wd0 for OpenBSD? [no] y
Creating Master Boot Record (MBR)…done
/dev/rwd01
If you say no, you'll be taken to fdisk, where all you can do is type and label partitions. OpenBSD uses a two-layer disk partitioning system: 'fdisk' and 'disklabel'. If you use the whole disk, fdisk is configured automatically.
'disklabel' is the tool that creates the partitions:
> p g
# size offset fstype [fsize bsize cpg]
c: 9.6G 0.0G unused 0 0
i: 0.0G 0.0G MSDOS
> a a # add ‘a’ partition
offset: [3024] <enter>
size: [20062224] 3.5g
FS type: [4.2BSD] <enter>
mount point: [none] /
> a b
offset: [17829504] <enter>
size: [2235744] 1.1g
FS type: [swap] <enter>
> a d
<enter>
3.0g
<enter>
/usr
> a e
<enter>
1.0g
<enter>
/tmp
> a f
<enter>
<enter> # to end of drive
<enter>
/var
> p g
OpenBSD area: 0.0G-9.6G; size 9.6G; free: 0.0G
# size offset fstype [fsize bsize cpg]
a: 3.5G 0.0G 4.2BSD 2048 16384 1 # /
b: 1.1G 3.5G swap
c: 9.6G 0.0G unused 0 0
d: 3.0G 4.6G 4.2BSD 2048 16384 1 # /usr
e: 1.0G 7.6G 4.2BSD 2048 16384 1 # /tmp
f: 1.0G 8.6G 4.2BSD 2048 16384 1 # /var
i: 0.0G 0.0G MSDOS
> w # write
> q # quit
Mount point for wd0d (size=3072Mbytes)? (or ‘none’ or ‘done’) [/usr] <enter>
Mount point for wd0e (size=4097144k)? (or ‘none’ or ‘done’) [/tmp] <enter>
Mount point for wd0f (size=6291432k)? (or ‘none’ or ‘done’) [/var] <enter>
Mount point for wd0d (size=3072Mbytes)? (or ‘none’ or ‘done’) [/usr] done
No label changes.
Available disks are: sd0.
Which one do you wish to initialize? (or ‘done’) [done] done
The next step *DESTROYS* all existing data on the partition!
Are you really sure that you’re ready to proceed? [no] y
System hostname (short form, e.g. ‘foo’): dirk-pmac
Configure the network? [yes] <enter>
You'll be shown the available network interface cards (NICs). If you're building a router you'll have two. The first gets its address from the ISP's DHCP server; on the second assign a LAN address like 192.168.111.7.
If you choose dhcp, the OpenBSD installer will try to get a lease from the DHCP server. I didn't bother connecting the cables because install CDs are notably insecure and the installer doesn't need it anyway.
Enter your domain name servers (separated by spaces) and the password for the root account. Choose your install sets; the defaults give you a basic system.
sshd yes
ntpd yes
ntp server us.pool.ntp.org
Change the default console to com0? [no] <enter>
Enter the timezone, and then you're done with the basics.
Afterboot Tasks
Reboot, enter the Open Firmware prompt again and boot OpenBSD with:
There are a few tasks to finish the install, following the afterboot(8) man page.
Errata check.
If a reliability or security issue affects you, you'll have to patch your system, a detailed procedure which I will cover in another post.
Check 'date' and 'hostname'; networking will be done in a bit.
Add new user
Enter your default shell: csh ksh nologin sh [ksh]: <enter>
# Default login class defines allocation of system-resources, and
# environment setup.
Default login class: authpf daemon default staff [default]: <enter>
Enter your default HOME partition: [/home]: <enter>
Copy dotfiles from: /etc/skel no [/etc/skel]: <enter>
Send message from file: /etc/adduser.message no [no]: <enter>
Prompt for passwords by default (y/n) [y]: <enter>
Default encryption method for passwords: auto blowfish des md5 old [auto]: <enter>
Don’t worry about mistakes. There will be a chance later to correct any input.
Enter username []: Dirkgen2ly
Enter full name []: Dirk Gently
Enter bash csh ksh nologin sh [ksh]: <enter>
Uid [1000]: 1222
Login group Dirkgen2ly [Dirkgen2ly]: <enter>
# Add to wheel group to allow ’su’ to root.
Login group is “Dirkgen2ly”. Invite into other groups: guest no
[no]: wheel
Login class authpf daemon default staff [default]: <enter>
Enter password []:
Enter password again []:
Configuring sendmail
Set the mail-server aliases in /etc/mail/aliases:
root: root
manager: root
dumper: root
Run ‘newaliases’ to update sendmail aliases.
A sendmail configuration file will need to be built. From papamike:
Sendmail configuration files are built with a macro-processor. A macro-processor is basically a program that scans text looking for defined symbols, which it replaces by other text — or other symbols. The one used with Sendmail is called m4… So m4 inputs a macro configuration file, with extension .mc, and outputs a sendmail configuration file to standard output. Typically we redirect this output to a file, with extension .cf
Luckily there are some examples. If you're not planning to use sendmail externally (i.e. to the internet), use openbsd-localhost.cf:
m4 /usr/share/sendmail/m4/cf.m4 /usr/share/sendmail/cf/localhost.mc > /etc/mail/localhost.cf
Then test it:
^C
A valid config gives no output. Now tell the sendmail daemon to load that configuration file at boot in /etc/rc.conf.local:
The -C/ is necessary; it's not a typo.
Daily, weekly, monthly scripts
Run the daily and weekly scripts to make sure they run all right:
sh /etc/weekly
Rebuilding locate database:
Not installing locate database; zero size
Try "vi /var/db/locate.database", put a space in, save with ":x" and run the weekly script again.
Tighten up security
Covered below.
File Systems
OpenBSD's FFS is not a journaled filesystem, so after a crash the filesystem has to be repaired by fsck and recently written data can be lost. Instead OpenBSD uses soft updates: an in-kernel FFS feature (not a userland program) that orders and batches metadata writes so the on-disk structure always stays consistent, which also improves write performance considerably. Adding the softdep option to each ffs partition in /etc/fstab enables soft updates at the next boot. The nodev, noexec and nosuid options below are the reason the installer asked for separate /tmp, /var and /usr filesystems: a writable area where nothing can create device nodes or run setuid (or, on /tmp, run anything at all) takes a whole class of local privilege escalations off the table.
# cat /etc/fstab
/dev/wd0a / ffs rw,softdep 1 1
/dev/wd0e /tmp ffs rw,softdep,nodev,noexec,nosuid 1 2
/dev/wd0d /usr ffs rw,softdep,nodev 1 2
/dev/wd0f /var ffs rw,softdep,nodev,nosuid 1 2
/dev/cd0c /cdrom cd9660 ro,noauto 0 0
CD/DVD define mount point
echo "/dev/cd0c /cdrom cd9660 ro,noauto 0 0" >> /etc/fstab
Networking
Following the Networking FAQ. The installer will have created /etc/hostname.<NIC> for each device you have; make sure they are correct:
For a router, ip-forwarding will need to be enabled in /etc/sysctl.conf:
Enter your DNS servers in /etc/dhclient.conf:
domain-name-servers, host-name;
supersede domain-name-servers <domain-name-server1>, <domain-name-server2>;
If you're going to be testing a firewall and disconnecting your internet connection from time to time, it's good to raise dhclient's timeouts. dhclient re-checks its connection to the DHCP server with an exponential back-off and, if it cannot find it, takes the WAN NIC down. Add these to dhclient.conf to get larger timeouts as time goes by:
retry 216000;
link-timeout 216000;
To connect the LAN PC to the network this guide uses dnsmasq (a good solution for small networks), but first it's a good idea to set up the firewall and close unused ports.
Enabling a Firewall
Building a firewall is a necessary evil: even on the most secure of systems, networking is the greatest security hole. Here are a few tips for working with PF:
Enable PF at Boot:
'ftp-proxy' will need to be enabled to use FTP through the firewall; first enable it at boot:
Enable ftp-proxy in the NAT section of your pf.conf:
rdr-anchor “ftp-proxy/*”
rdr on $LAN_NIC proto tcp from any to any port 21 -> 127.0.0.1 port $FTPPORT
And in the filter section, add the ftp-proxy anchor and allow the proxy's connections out:
pass out quick on $WAN_NIC proto tcp from $WAN_NIC to any port {20,21} flags S/AUPRFS modulate state
Another good idea when writing block rules is to log them, both to test the firewall and to see whether anyone is poking at it:
To check your PF configuration for errors, run:
A couple other commands:
pfctl -d # Disable PF
pfctl -f /etc/pf.conf # load the rules
pfctl -sn # Show the current NAT rules
pfctl -sr # Show the current filter rules
pfctl -ss # Show the current state table
pfctl -si # Show filter stats and counters
pfctl -sa # Show EVERYTHING it can show
pfctl -F all # Flush all rules, nat, states, options, tables
To watch the firewall in real time, run 'pflogd' and then:
To have pflog load at boot:
You may have to reboot for pflog0 to show up in ifconfig. Now that the firewall is up you can start (or restart) the network:
Adding a Package
OpenBSD has two ways to add software: package and ports. Packages are pre-built binaries that can be downloaded and quickly installed onto your system and are the recommended way to add software to your system. OpenBSD also has a port system that contains information necessary to build packages and their dependencies from source.
OpenBSD has prebuilt packages for a number of architectures. Find a nearby mirror and add it to ~/.profile:
Those are backticks, by the way: `uname -r` expands to the OpenBSD release you are running and `machine -a` to your architecture. To source (reload) your .profile so the variable is known to the Korn shell:
Then add a package:
A couple other package commands:
pkg_delete -n <package> # Dry run: show what would be removed without deleting anything
Configure the LAN
Now that you can add packages you can add dnsmasq and get your router going. It is possible to define a static route and do without a DHCP server handing out addresses and routes, but a DHCP server makes the job a lot easier. dnsmasq is a great lightweight application that provides DHCP to the LAN machines and also a caching DNS server, which makes repeated name lookups very fast.
If you're planning a LAN of more than 50 machines, use the pre-installed dhcpd instead.
Edit /etc/dnsmasq.conf:
interface=<your-router-LAN-NIC>
# dnsmasq will open TCP port 53 and UDP port 67 to world
# to help with dynamic interfaces. dnsmasq will discard
# requests to them, but I'd rather not have these
# ports open and let the kernel handle it.
bind-interfaces
# Dynamic range of IPs to make available
dhcp-range=192.168.111.50,192.168.111.100,12h
# If you’d like to have a static ip, bind the LAN computers
# NIC MAC address
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.111.22
dhclient.conf needs editing again so the system knows dnsmasq is handling DNS requests. Point dhclient at localhost and dnsmasq takes it from there:
domain-name-servers, host-name;
supersede domain-name-servers 127.0.0.1, <dns1>, <dns2>;
By default dhclient appends to /etc/resolv.conf a line telling the resolver to use the pre-installed BIND name server, assuming people are going to use it. BIND isn't enabled by default and dnsmasq is handling this, so comment out "lookup file bind" in /etc/resolv.conf.tail and restart the network:
cat /etc/resolv.conf
search eau.wi.charter.com
nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 208.67.222.222
#lookup file bind
Now you can start dnsmasq:
To load at boot put in rc.local:
if [ -x /usr/local/sbin/dnsmasq ]; then
echo -n ‘ dnsmasq’; /usr/local/sbin/dnsmasq
fi
To have your LAN computer connect to your router set it to dhcp and connect.
Test DNS caching:
Do it again and you'll notice a faster lookup.
NTP
Many NTP configurations default to pool.ntp.org, which is great as a worldwide list to choose from, but it's better to use something local ;). Add to /etc/ntpd.conf:
Because ntpd adjusts the clock slowly if it's off, you can add a crontab entry to get it set daily:
32 1 * * * ntpd -s
Securing the Network
A good firewall closes ports, but some applications may try to open them again, so it's best to close any you don't need. Run netstat to get a good idea of what's open:
Shows open ports:
TCP: 13 37 22 113
UDP: 514
To find out what these ports do (look them up in /etc/services):
daytime, time, ssh, auth and syslog (UDP). You can find more information about a port (like the program that opened it) with:
Most people don't use daytime, time or auth any more. They are all run from inetd, so you can either comment them out in /etc/inetd.conf and restart inetd, or, if nothing else in inetd.conf is needed, disable inetd entirely in /etc/rc.conf.local:
The syslog port cannot be turned off in inetd: syslogd is started from rc with no "-u" flag, which means it binds UDP port 514 but ignores incoming packets; the socket is only used for sending. You'll also see a couple of tcp6 (IPv6) ports like ::1.587 or ::1.25; these are bound to the IPv6 loopback address (sendmail's local submission and SMTP ports) and cannot be reached from outside.
nmap is a more reliable way to test for open ports. Now that the firewall is up, you might want to add nmap and test from another machine.
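A small parser for that netstat output, as an added example that is not from the original post: it lists every listening socket (TCP sockets in LISTEN and every bound UDP socket) and then separates the ones bound to the wildcard address, which answer on every interface including the WAN side unless PF stops them, from loopback-bound ones like the sendmail ports, which are local only. The netstat sample is constructed to match the ports the text found; on a real box feed it `netstat -an -f inet` (and `-f inet6`).

```shell
#!/bin/sh
# Added example, not from the original post. The netstat sample below is
# constructed; feed real output with: netstat -an -f inet | listening_sockets

# Print "proto address port" for each listening socket in OpenBSD netstat -an
# output: TCP sockets in LISTEN and all bound UDP sockets (UDP has no state).
# The local address looks like 127.0.0.1.587 or *.22, so the last dot
# separates the port from the address.
listening_sockets() {
    awk '
        function emit(a,   n) {
            n = match(a, /\.[0-9*]+$/)
            print $1, substr(a, 1, n - 1), substr(a, n + 1)
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" { emit($4); next }
        $1 ~ /^udp/ && NF >= 5         { emit($4) }
    '
}

# Of those, the ones bound to * (any address) answer on every interface.
# A loopback-bound socket (127.0.0.1 or ::1) cannot be reached from the wire.
wildcard_listeners() {
    listening_sockets | awk '$2 == "*"'
}

# Constructed sample in the format of OpenBSD's netstat -an.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.113                  *.*                    LISTEN
tcp        0      0  *.37                   *.*                    LISTEN
tcp        0      0  *.13                   *.*                    LISTEN
tcp        0      0  192.168.111.7.22       192.168.111.22.51034   ESTABLISHED
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp6       0      0  ::1.25                 *.*                    LISTEN
udp        0      0  *.514                  *.*'

echo "listening:"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
echo "reachable from the wire (close these or block them in PF):"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

Anything in the second list that you did not deliberately expose is either a service to turn off (daytime, time, auth here) or a rule to write in pf.conf; the loopback-bound sendmail ports need neither.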
SSH Daemon
sshd listens on port 22 on every address by default. If you don't plan on connecting from outside, bind it to the LAN address in /etc/ssh/sshd_config:
Root login over ssh is also a bad idea; since your regular user is in wheel and can su, it's a good idea to define:
Add a key so trusted computers can connect:
Use a passphrase that is not your login password, and name the output something useful like powermac-dsa-key. ssh-keygen writes the pair into the local ~/.ssh/, but the two halves belong in different places: the private key stays on the machine that will be logging in (the LAN computer), and only the public half (the .pub file) is appended to ~/.ssh/authorized_keys of the account on this box. So either generate the key on the LAN computer, or, if you generated it here, move both files to the LAN computer's ~/.ssh and leave only the .pub contents in authorized_keys; a private key that lives on the server protects nothing.
If no DNS server is set up yet in /etc/resolv.conf, or a DNS server hangs, ssh will hang at "debug1: SSH2_MSG_SERVICE_ACCEPT received" and you'll have to wait about a minute until ssh decides no DNS can be reached.
Wrap-up
That should get you a good start.
FreeBSD 7.1 Install on a PowerPC
I had tried FreeBSD on an x86 machine about eight years ago and really liked it: good install, nice tools, excellent documentation. FreeBSD is the glitter of the BSDs for its x86 centrality. So when I heard that FreeBSD was available for PowerPC I decided right away to try it. OK, it's been a couple of years, but I haven't been in these circles lately. This is a guide to getting started on FreeBSD, with the PowerPC differences noted.
Read the whole guide before deciding to commit to FreeBSD. FreeBSD is still a newcomer to the PPC world and requires a good amount of attention. Or you might just want to help it along anyway.
Here are some things you just learn as you go:
- Always check the hardware compatibility list and the architecture FAQ. I missed this second one, which told me a lot, too late.
- Check whether the packages you need are supported for your platform. This is FreeBSD's fault: there is no mention of the ports, which I'll get to later.
- Take the time to get to know someone in the IRC channel. No offense to the guys on #freebsd (a couple were very, very helpful), but for the most part they are busy developing or working, and they've written book-loads of documentation for the handbook and don't want to repeat themselves.
- Take your time with it. I thought coming from Linux I'd feel right at home, but some tools are completely different, and even versions of tools you have in Linux work slightly differently.
The BSD that’s Right For You
Before you get into one BSD, make sure you choose the right one; all three are pretty unique. I got this great detail from jdbaker's page (it's several years old) but it lays things out nicely.
FreeBSD
…the one with the most bells and whistles is FreeBSD… FreeBSD has the largest development team, the largest user base, the largest number of ported applications, and the largest collection of active e-mail lists. It also has the best documentation… FreeBSD is extremely easy to install directly via an Internet connection.
FreeBSD currently runs on Intel-compatible 32-bit processors (including the AMD Athlon) and on the DEC Alpha processor (now out of production), and is being ported to Itanium, AMD’s x86-64 (Opteron/Sledgehammer), PowerPC, and Sparc64. While porting the operating system helps to flush out subtle bugs, portability is not FreeBSD’s specialty– it’s primarily of interest to owners of Intel-compatible hardware.
OpenBSD: Rock Solid Security, Fanatical Attention to Detail
OpenBSD is the perfectionist’s version of BSD. Almost Spartan compared to the others, it installs with many features intentionally disabled to avoid potential security holes. Its highly focused development team is constantly tweaking, critiquing, and auditing every line of the code, and their commitment to excellence shows in the operating system’s track record…
OpenBSD requires more technical knowledge and skill to use effectively than FreeBSD, and therefore is not the best choice for beginners… OpenBSD is available and actively developed for a wide range of hardware platforms, from x86 to Mac to Sun. It does not, however, cover as many platforms as does NetBSD…
NetBSD: Now playing everywhere
NetBSD is the portability champ of the BSDs, running on everything from generic x86 boxes to exotic hardware such as the BeBox and the Sega Dreamcast…. Keeping the operating system portable means keeping the code clean, and so the other BSDs often borrow code from NetBSD…
FreeBSD Beginning
FreeBSD can be downloaded and put on a cd:
FreeBSD's PowerPC installer has limited support for partitioning a disk. I found it easiest to use mac-fdisk. I booted my Gentoo Minimal InstallCD and partitioned a 10G disk as:
partition2 /usr 3.0G
partition3 / 4.3G
partition4 /tmp 500M
partition5 /var 700M
mac-fdisk:
c # create partition
1p # 1st partition…
1100M
swap # name of partition
c
2p
3G
usr
c
3p
4500M
root
c
4p
500M
tmp
c
5p
var
I strayed a bit from the FreeBSD recommendations. They recommend that most of the disk space go to /usr and very little to root. I planned to do backups to / though and made it bigger, but /usr may not have been big enough; /usr can fill up really fast with packages and the ports tree. If building a mail server, /var should be much larger and closer to the top.
Beginning Install
On older NewWorld Power Macs the CD will not boot by holding down C; rather it has to be invoked from Open Firmware. Hold down Apple+Option+O+F at boot and type this to boot the CD:
The FreeBSD Handbook is excellent documentation so I’ll just give a quick glance here and note differences in the PPC installer.
The arrow keys, space and tab navigate the installer; read the quick-start guide and other docs, they're not that big.
Options
NFS Secure yes, DHCP yes PCCard NO, set ftp username and password, /usr/bin/vi, media type CD.
Don't worry if you forget anything; you can later run sysinstall from disk and add what you need under Configure.
Beginner Install Notes
There's no console keymap selector yet, but USB keyboards are supported. The disk editor is a trimmed-down version of the one in the install guide, but with the disk already partitioned I was able to assign partitions to mount points. There's also no boot manager setup, so we'll have to use Open Firmware again later to boot the new install.
When it comes to distribution types choose Kern-Developer so that the ports tree is added as well as the kernel sources (a custom kernel will likely have to be built). Now you'll have to wait a bit while the files are copied to disk.
Configuring Network
A few network questions will be asked: DHCP, gateway (for use as a network router, which is what I'm doing), NO to inetd (very, very insecure)... Don't bother connecting to the network now: the install has no firewall and wouldn't be secure. Besides, with no packages available (beyond the CD ones) it doesn't do any good at this stage anyway.
No system console settings or timezone. When you exit you'll be asked whether to use UTC or local time. If this is the only OS on this machine choose UTC.
No Linux compatibility or mouse settings. You'll now get a message, "Unable to target packages/INDEX file from the selected media", because you're not connected to the internet, but I doubt it would work even if you were.
Set up other users. When you get to "Visit the general configuration menu for a chance to set any last options?" I said yes and added ntpdate.
First Boot
Grehan said this the best:
Here’s the rub: OpenFirmware doesn’t understand UFS2. It does understand iso9660 and HFS+, so the loader must live on a disk/partition of that type. So, you can…:
Define your own / hard-disk partition.
FreeBSD Details
A lot of utilities in FreeBSD match those in Linux but at times have a slightly different flavor.
/etc/rc.conf is the general all-in-one configuration file for FreeBSD: it has options to start services, configure network cards and so on. /etc/inetd.conf lists which ports accept connections and which program each connection is handed to.
Getting Hardware Working
During boot you may see that FreeBSD detects a device but tells you (no driver attached). If you missed the boot messages you can look at them with:
FreeBSD only loads what it's told to or what is built into the kernel. If your device is on the hardware support list, then its driver must be a module that was not loaded. Look in /usr/src/sys/conf/NOTES or, better, /usr/src/sys/<yourarch>/conf/NOTES to discover the module's name. Then locate the <module>.ko file:
The Realtek chip on my network card wasn't loaded automatically. To load a module:
kldstat shows the loaded modules. Also check dmesg to see that it loaded correctly. To load it permanently at boot, add it to /boot/loader.conf (this file may have to be created):
re_load="YES"
You can see helpful examples of loader.conf settings in /usr/share/examples/bootforth/ and "man loader.conf":
*_type Defines the module’s type. If none is given, it defaults
*_flags Defines options to pass onto the module
Networking/Firewall/Kernel
OK, that was long in the tooth; I'll try to make this next part more down to earth.
I don't do anything without first setting up a firewall to protect the PC, and to build one the kernel has to be compiled with support for it. When building a custom kernel you can also add any drivers you need and remove the ones you don't, for a leaner kernel.
FreeBSD provides three different firewalls. From the FreeBSD mailing list:
In my opinion the PF firewall has the easiest-to-use rule set and built-in table functions for automated blacklisting of attacking IP addresses. Its major weakness is a very poorly designed logging function that results in very cumbersome usage.
IPFilter comes next. It has easy logging and rules usage. It lacks the auto-blacklisting table building of PF. These two firewalls were ported to FreeBSD from other Unix-flavored operating systems. Both have teams supporting and maintaining them.
The final firewall is IPFW, the first firewall included in FreeBSD many years ago, developed by the FreeBSD team. IPFW also lacks the auto-blacklisting table building of PF, and its NAT rules are much harder to get working using all stateful rules…
PF was originally designed as a replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. PF looks to be becoming the de facto firewall for FreeBSD and is listed first in the documentation.
Kernel Build
PF in FreeBSD 7.1 isn't built into the GENERIC kernel, so a custom kernel needs to be built. If you've never compiled your own kernel before, don't fret; if you know your hardware it's relatively simple. There's a configuration file where you enable hardware and options:
cp GENERIC POWERMACG4
vi POWERMACG4
/usr/src/sys/conf/NOTES describes the drivers and options better, but it's best not to add drivers/options from it, as they are probably not supported in the PowerPC kernel yet. Also look at "man <driver>" for more details about drivers and what other drivers/options they depend on.
I uncommented the Realtek driver and took out a couple of drivers I didn't need:
device miibus
Here are the other options I set. I passed safe CFLAGS for this particular Power Mac in CONF_CFLAGS. Though the kernel doesn't support AltiVec, GCC (the compiler) does, which will help build the kernel quicker. I also had to tolerate disabling strict aliasing (which is normally a good idea to leave on) because the pf driver and a couple of others refused to build with strict aliasing:
cpu OEA
ident POWERMACG4
maxusers 0 # Auto sizing of memory tables
makeoptions CONF_CFLAGS="-mcpu=7400 -O2 -pipe -maltivec -mabi=altivec -fno-strict-aliasing"
makeoptions KERNEL=POWERMACG4
All other modules and drivers should be left in unless you know what you're doing. The 7.1 PowerPC kernel is still relatively young and the kernel config has all the options it needs or that are available; tinkering too much will likely only bring problems.
Now build your kernel and install it:
make buildkernel KERNCONF=POWERMACG4
make installkernel KERNCONF=POWERMACG4
If there is an error in your config, the build will stop and name the config file followed by the line it doesn't understand: .../usr/src/sys/powerpc/conf/POWERMACG4:7
Or it will tell you which options are not allowed. "installkernel" copies your kernel to /boot, from where it is loaded automatically at boot.
Before you reboot you may as well set up your firewall so that it loads at boot and you can get on the network.
Firewall Bricks
rc.conf needs editing so that PF is loaded at boot:
pf_rules="/etc/pf.conf"        # rules definition file for pf
pf_flags=""                    # additional flags for pfctl startup
pflog_enable="YES"             # start pflogd
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags=""                 # additional flags for pflogd
Most times when you see a "*_enable" entry in rc.conf it is a daemon, which can be started manually (e.g. /etc/rc.d/pf start); otherwise the system needs a restart for the daemon to load.
Rules Building
/etc/pf.conf is the firewall's configuration file; all rules go here. PF follows a "last match wins" policy: if a ruleset has a rule to "block all" followed by a rule allowing some traffic, that traffic will be allowed.
A few things to watch for when doing rules:
- "Last match wins", except for "quick", which stops any further rule processing for that packet.
- A lot of people use the policy: allow everything out and filter in. This is good in most cases.
- ORDER is very, very important. A misplaced rule, option, table or queue will stop PF from loading.
I'm not going to give my firewall out (it's not there yet), but here's a template to follow (the NICs can be found with ifconfig):
# Firewall for router with two NIC’s (Network Cards)
# http://bash.cyberciti.biz/firewall/pf-ipv6-ipv4-firewall-for-freebsd-openbsd-netbsd/
# http://www.openbsd.org/faq/pf
#
# ! PF on FreeBSD 7.1 (OpenBSD 4.1) !
#
################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
################ Macros ###################################
# --- List Variables (Macros) ---
# Define Network Interface Cards (NICs).
WAN_NIC="<YOURNIC>"
LAN_NIC="<YOUROTHERNIC>"
# Define LAN address(es). Macro names may only contain letters, digits
# and underscores, so no hyphens here.
MYNAME_PC="192.168.2.10"
# Ports to open for network services
# ssh, https, smtp nix, www, pop3, auth, ftp, sftp, imap
# auth, domain, ftp, imap, imaps, https, pop3, pop3s, ntp, sftp, smtp, spamd
# ssh, www
#TCP_SERVICES = "{ ftp, ftp-data, https, www }"
TCP_SERVICES = "{ domain, ftp, ftp-data, https, www }"
UDP_SERVICES = "{ domain, ntp }"
# Pings allowed
# ping options: echorep - echo reply, echoreq - echo request,
# unreach, unreachable, timex...
# DNS server will need at least echoreq
#ICMP_TYPES = "{ echoreq, unreach }"
ICMP_TYPES="echoreq"
# --- Tables ---
# table of all subnets and IPs to block;
# add IPs and subnets to /etc/pfblocked.conf
table <blockedip> persist file "/etc/pfblocked.conf"
# — Options —
# Default response for block filter rules and turns on statistics logging.
set block-policy drop
set loginterface $WAN_NIC
set require-order yes
# Aggresively expire connections, reduce memory at cost of dropping idle
set optimization aggressive
# — Traffic Normalization —
# Normalization – reassemble packets and resolve or reduce traffic
# ambiguities. Also helps with troublesome SYN/FIN packets.
scrub in all
# — Traffic Shaping (Queing) —
# — Translation Rules (NAT) —
# — Filter Rules —
# last match wins (except quick)
# Antispoof
antispoof log quick for lo0 inet
# — Block –
# Block all incoming
block in all
# — Allow TCP –
# — Allow UDP –
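The "required order" comment in the template is the thing that most often stops PF from loading when a ruleset is edited by hand. The following is an added example, not part of the original post or the template: a small POSIX sh/awk pre-flight check that reports the first rule that appears after a later section (options, normalization, queueing, translation, filtering). On the router itself pfctl's own parse is authoritative; this helper is for checking a pf.conf that is being edited on another machine. The two sample configs are constructed here for the demonstration and are not real rulesets.

```shell
#!/bin/sh
# Offline pre-flight check for the section order pf.conf(5) requires:
# options, normalization, queueing, translation, filtering.
# Added example, not part of the original template; on the router itself
# pfctl's parse (with "set require-order yes") is the authoritative check.

# Read a pf.conf from the file given as $1 (or stdin) and print the first rule
# that appears after a later section; exit status 1 if one is found, 0 if not.
pf_order_check() {
    awk '
        function rank(kw) {
            if (kw == "set") return 1                                        # options
            if (kw == "scrub") return 2                                      # normalization
            if (kw == "altq" || kw == "queue") return 3                      # queueing
            if (kw == "nat" || kw == "rdr" || kw == "binat") return 4        # translation
            if (kw == "block" || kw == "pass" || kw == "antispoof") return 5 # filtering
            return 0   # macros, tables, comments: may appear anywhere
        }
        {
            sub(/#.*/, "")                 # drop comments
            if ($0 ~ /^[ \t]*$/) next      # skip blank lines
            r = rank($1)
            if (r == 0) next
            if (r < high) {
                printf "line %d: %s rule appears after %s rule\n", NR, $1, highkw
                exit 1
            }
            if (r > high) { high = r; highkw = $1 }
        }
    ' "$@"
}

# Constructed sample configs (not real rulesets): one in the required order,
# one with a NAT rule placed after the filter rules.
sample_good() { cat <<'EOF'
ext_if = "em0"
set block-policy drop
scrub in all
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
block in all
pass out all keep state
EOF
}

sample_bad() { cat <<'EOF'
ext_if = "em0"
set block-policy drop
block in all
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
EOF
}

sample_good | pf_order_check && echo "sample_good: order OK"
sample_bad | pf_order_check || echo "sample_bad: fix the order before loading"
```

Run it against a file with `pf_order_check /etc/pf.conf`. It only ranks the five section keywords; macro and table definitions are allowed anywhere, as PF permits them before first use.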
To check your PF configuration for errors, run:
Setup Networking
To set up your NIC in rc.conf:
ifconfig_<LAN NIC>="inet 192.168.1.222 netmask 255.255.255.0"
Your hostname will need to be set too. The best I could figure was to look in the networking settings of Windows, Mac or Linux (/etc/resolv.conf) for the search address. On Linux it came before the DNS servers and looked like: lookup.isp.domain.com.
Replace the search entry with the hostname you want to call your PC.
Reboot
Reboot your computer, add your network cable and, if all goes well, you have a new kernel loaded with a firewall as a bonus. If it doesn't, just go back and select the old kernel (kernel.old) in Open Firmware.
A Few PF Commands
pfctl -e # Enable PF (required; starting it from init won't enable it)
pfctl -d # Disable PF
pfctl -sn # Show the current NAT rules
pfctl -sr # Show the current filter rules
pfctl -ss # Show the current state table
pfctl -si # Show filter stats and counters
pfctl -sa # Show EVERYTHING it can show
pfctl -F all # Flush all rules, NAT, states, options, tables
tcpdump -n -e -ttt -i pflog0 # Watch PF logs in real time
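Watching pflog0 in real time is useful, but what you usually want from the log is a summary: which sources are being blocked most, and whether one of them is walking through several ports. The following is an added example, not code from the original post: two POSIX sh/awk helpers that summarize lines in the shape tcpdump prints for pflog0 with -e ("rule N/0(match): block in on IFACE: SRC.PORT > DST.PORT: ..."). The five sample lines are constructed for the demonstration, not a real capture, and the parser relies only on the "block in on" and ">" tokens, so the exact timestamp format does not matter.

```shell
#!/bin/sh
# Summarize blocked inbound packets from pflog output.
# Added example, not from the original post. Assumes the line format tcpdump
# prints for pflog0 with -e, for example:
#   rule 2/0(match): block in on em0: 203.0.113.9.51234 > 192.168.1.222.22: Flags [S], ...

# Constructed sample lines in that format (not a real capture).
sample_pflog() { cat <<'EOF'
000000 rule 2/0(match): block in on em0: 203.0.113.9.51234 > 192.168.1.222.22: Flags [S], seq 1, win 65535, length 0
000214 rule 2/0(match): block in on em0: 203.0.113.9.51235 > 192.168.1.222.23: Flags [S], seq 1, win 65535, length 0
001002 rule 2/0(match): block in on em0: 203.0.113.9.51236 > 192.168.1.222.80: Flags [S], seq 1, win 65535, length 0
000057 rule 5/0(match): pass in on em0: 198.51.100.4.40000 > 192.168.1.222.22: Flags [S], seq 1, win 65535, length 0
000310 rule 2/0(match): block in on em0: 198.51.100.77.1024 > 192.168.1.222.443: Flags [S], seq 1, win 65535, length 0
EOF
}

# Count blocked inbound packets per source address, most active first.
# Reads pflog text from the files given (or stdin); prints "<count> <src-ip>".
blocked_by_source() {
    awk '
        / block in on / {
            src = ""
            # the token before ">" is "src.port"; strip the trailing port
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); break }
            if (src == "") next
            sub(/\.[0-9]+$/, "", src)
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' "$@" | sort -rn
}

# Distinct destination ports a single source ($1) was blocked on, one per line.
# Several ports from one source in a short window is a quick port-scan indicator.
blocked_ports_from() {
    awk -v who="$1" '
        / block in on / {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
            if (src == "") next
            sub(/\.[0-9]+$/, "", src)
            if (src != who) next
            sub(/:$/, "", dst)        # "192.168.1.222.22:" -> "192.168.1.222.22"
            sub(/.*\./, "", dst)      # keep only the port
            ports[dst]++
        }
        END { for (p in ports) print p }
    ' | sort -n
}

echo "blocked packets per source:"
sample_pflog | blocked_by_source
echo "ports 203.0.113.9 was blocked on:"
sample_pflog | blocked_ports_from 203.0.113.9
```

Against a live box the same helpers read the binary log through tcpdump, e.g. `tcpdump -n -e -r /var/log/pflog | blocked_by_source`, since pflogd writes pcap format rather than text. Passed packets (rule 5 in the sample) are deliberately ignored by both functions.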
Compiler Details
Now that the network is up you can begin adding packages to FreeBSD. The first program to add is a lightweight DNS server so I can connect to the LAN, but before doing that the compiler needs to be set up.
Because we have to use the ports collection to add packages, the compiler needs to be set up to compile them. With the compiler set up we'll then compile cvsup to update the ports tree.
I built my make.conf with known compiler flags for the Power Mac G4 processor for optimized builds and added the CVSup flags that tell cvsup how to work:
CHOST="powerpc-unknown-linux-gnu"
CFLAGS="-mcpu=7400 -O2 -pipe -maltivec -mabi=altivec"
CXXFLAGS="${CFLAGS}"
# CVSup options
SUP_UPDATE=yes
SUP= /usr/local/bin/cvsup
SUPFLAGS= -g -L 2
SUPHOST= cvsup4.us.freebsd.org
SUPFILE= /usr/share/examples/cvsup/standard-supfile
PORTSSUPFILE= /usr/share/examples/cvsup/ports-supfile
Package Compile
If we were on a system supporting pre-built packages, adding a package would be easy:
However, since PPC users don't have a package repository, packages must be built from source code. If you didn't add the ports collection, go back into sysinstall (in Configure) and install it now. You might also want to choose a nearby FTP site (in Options). The ports tree will likely need to be updated; the best way to do this is with cvsup, which will need to be installed first:
make install distclean clean
'distclean' removes the downloaded source file and 'clean' removes the build files.
Each time you update the ports tree make sure you run 'make index' to build an index file.
make index
Give yourself some time as this process can take a while.
About updating, from Matthew on the FreeBSD mailing list:
…recommended (if you choose this route) that the first port
you install should be sysutils/portupgrade, then use portupgrade to
install everything else.
portsdb -U will update the ports tree and make an index (though cvsup is supposed to be faster).
Other FreeBSD Utils
pkg_delete <package-name-version> # To delete a package
portsclean -CD # To delete the downloaded sources
portupgrade <package-name-version> # To upgrade a port use
# To compare the installed package with the one in the ports tree:
pkg_version <package>
To find a port with its information:
make search name=lsof
make search key=string # searches names, comments, descriptions, and dependencies.
ports-mgmt/portaudit will automatically check all installed applications for known vulnerabilities; a check will also be performed before any port build.
Send a BugReport
DHCP
To be able to connect the LAN to the internet, defining static routes turned out to be a humongous task, so I decided to install a DNS server on the network router to define routes for me rather than trying to define them manually.
FreeBSD by default installs BIND, the well-known industry standard of name servers. BIND is powerful and robust but is overkill for a network router serving one or two machines and a PC that only has 512 of memory.
Adieu
I really like FreeBSD and I wanted to build it. I've done a backup and haven't made up my mind about what I'm going to do. For now I just need to find out how to get a network router up and running.
Resources
There's a lot of attribution going out. To the guys at #freenode, thanks for understanding my Linux presupposition. And to JohnBlue in the FreeBSD forums, for when I made things tougher than they needed to be. A big thanks to cyberciti, who had a lot of good tips on configuring FreeBSD. And anyone else's wikis and blogs that I read. FreeBSD makes me want to get an x86. :)

