bsd – Page 22 – Michael W Lucas

November 10, 2011November 10, 2011

FreeBSD 9 PF macro & table changes

I secure my BSD servers with PF. In FreeBSD 9, PF has been updated to the same version as in OpenBSD 4.5.

I use lists in my PF configuration, as shown in this /etc/pf.conf snippet:

mgmt_hosts="{ 10.0.1.0/24, 172.19.8.0/24}" ... pass in on $ext_if from $mgmt_hosts ...
When I have new management hosts, I add their IP address or subnets to the mgmt_hosts list. When PF reads this configuration file, every place that a rule references the list, an additional rule is created for each member of the list. Here, every subnet in the mgmt_hosts list gets a “pass in” rule. When I list these rules on a running FreeBSD 8 host, they’ll look something like this:

# pfctl -sr ... pass in on em0 inet from 10.0.1.0/24 to any flags S/SA keep state pass in on em0 inet from 172.19.8.0/24 to any flags S/SA keep state ...

Very useful for maintaining a readable rule file.

I updated a host to FreeBSD 9, and saw the following in my rules.

# pfctl -sr ... pass in on vr0 inet from <__automatic_4c6aed29_0> to any flags S/SA keep state ...

Wait a minute. What is this __automatic crap? And where are my management hosts?

This version of PF automatically converts lists to tables. If you have a big rule set, using a table makes the rules shown by pfctl more readable. (I seem to recall that tables perform better than lists, but I can’t find a reference for that, so take that with a grain of sand.)

You can name tables, but tables created by PF have a name that starts with __automatic. To view all the tables, run:

# pfctl -sT __automatic_4c6aed29_0 #

To see the hosts in this table, use pfctl’s -t and -T flags.

# pfctl -t __automatic_4c6aed29_0 -T show 10.0.1.0/24 172.19.8.0/24 #

Wow. This works, but it doesn’t look like fun. If I have to routinely type __automatic_4c6aed29_0, I will increase my subvocalized swearing by at least ten percent. But it does not interrupt service. Old rule sets continue to work. (I don’t mind needing to update my rules with a new OS version, but I need to know about it beforehand rather than just blindly updating.)

To make my life easier I can convert my PF rules to use tables instead of lists. Here’s the same pf.conf using a table instead of a list.

table <mgmt_hosts> const {10.0.1.0/24, 172.19.8.0/24} ... pass in on $ext_if from <mgmt_hosts> ...

Unlike a list, a table is explicitly declared as a table. The name always appears in angle brackets.

I use the const keyword to tell PF that the contents of this table cannot be changed at the command line. PF tables can be adjusted at the command line without reloading the rules, which is a handy feature for, say, automatically blocking port scanners, feeding IDS data to your firewall, or DOSing yourself.

When I look at my parsed rules now, I’ll see:

# pfctl -sr ... pass in on vr0 from <mgmt_hosts> to any flags S/SA keep state ...

I can now read my rules more easily.

(Bootnote: OpenBSD just came out with 5.0, so FreeBSD 9 is five versions behind. OpenBSD PF develops quickly. But thirty-month-old PF is better than a lot of other firewall software.)

October 26, 2011

Installing a DragonFly BSD Jail

I’m installing a jail on a freshly upgraded DragonFly BSD 2.13-DEVELOPMENT box. There’s instructions in the DragonFly manual, and on the Web site. They’re fine as far as they go, but to make the jail truly useful you need to do a little more.

Before starting, decide some important facts about your jail.

Root directory for the jail filesystem

IP address used by the jail

hostname of your jail

My jail hostname will be mwltest4, on the IP 192.0.2.9, in the directory /jail/mwltest4.

A jail requires exclusive use of a single IP address. That IP must be bound to the server as an alias. Make an appropriate alias entry in /etc/rc.conf. Note that an alias needs an all-ones netmask. While we’re there, enable jails and tell the host server that we’re building the jail mwltest4.

ifconfig_em0_alias0="inet 192.0.2.9 netmask 255.255.255.255" jail_enable="YES" jail_list="mwltest4"

rc.conf also needs entries for each jail, so that the various jail management utilities can find and configure the jail.

jail_mwltest4_rootdir="/jail/mwltest4" jail_mwltest4_hostname="mwltest4" jail_mwltest4_ip="192.0.2.9"

Start by seeing what network ports your server listens on. I’ve removed all of the entries with remote addresses, because those are live network sessions; I’m only interested in what ports the server is listening on.

# sockstat -4 USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS ... root sendmail 670 4 tcp4 127.0.0.1:25 *:* root sshd 656 5 tcp4 *:22 *:*

Any entry where the local address is an asterisk followed by a colon and a port number will be a problem. We need to bind those daemons to the server’s main IP address. In this example, the only problem daemon is SSH. Bind SSH to a single IP address with a ListenAddress directive in /etc/ssh/sshd_config.

ListenAddress 192.0.2.8

Run /etc/rc.d/sshd restart, and sshd will bind only to the specified IP.

I want my jails on their own filesystem, so I create a new HAMMER PFS and a directory for this particular jail.

# hammer pfs-master /jail Creating PFS #9 succeeded! /jail sync-beg-tid=0x0000000000000001 sync-end-tid=0x00000001068ea510 shared-uuid=34cc9fbe-ffc2-11e0-9527-010c29ce51d2 unique-uuid=34cc9fdd-ffc2-11e0-9527-010c29ce51d2 label="" prune-min=00:00:00 operating as a MASTER snapshots directory defaults to /var/hammer/

# mkdir /jail/mwltest4

Now install the userland, exactly as per the jail instructions.

# setenv D /jail/mwltest4 # cd /usr/src/ # make installworld DESTDIR=$D

Go get more caffiene. By the time you return you should see:
===> etc ===> etc/sendmail install -o root -g wheel -m 644 /usr/src/Makefile_upgrade.inc /jail/mwltest4/etc/upgrade/ #

It finished successfully. Now install /etc.

# cd etc/ # make distribution DESTDIR=$D -DNO_MAKEDEV_RUN

Now mount a device filesystem for the jail.

# cd $D # ln -sf dev/null kernel # mount_devfs $D/dev

Edit /etc/fstab to have the host mount the jail devfs whenever the system starts.

devfs /jail/mwltest4/dev devfs rw 0 0

Our jail should be ready. Start it in single-user mode.

# jail /jail/mwltest4/ mwltest4 127.0.0.1,192.0.2.9 /bin/sh # uname -a DragonFly mwltest4 2.13-DEVELOPMENT DragonFly v2.13.0.49.gf6ce8-DEVELOPMENT #0: Tue Oct 18 10:51:40 EDT 2011 mwlucas@mwltest2.blackhelicopters.org:/usr/obj/usr/src/sys/GENERIC i386 #
Before starting your jail in multiuser mode

enable SSH

configure /etc/resolv.conf

set a root password

and add a user

As I use LDAP for central account administration, but the jail isn’t yet LDAPilated, I manually set my new user ID to be identical to that on the host, and I add that account to the wheel group. Also modify /etc/ssh/sshd_config to listen only to the jail’s IP address. (While this isn’t strictly necessary, it will simplify managing the host server.)

On the host, with my unprivileged account, I run:

$ cp -rp .ssh /jail/mwltest4/usr/home/mwlucas/ $ cp .cshrc /jail/mwltest4/usr/home/mwlucas/

My jail account now has my authorized_keys file and my SSH configuration, with correct permissions, along with my preferred shell environment.

Start the jail in multiuser mode:

# /etc/rc.d/jail start mwltest4 Configuring jails:. Starting jails: mwltest4. #

I can now SSH to the jail, become root, and install pkgsrc.

# cd /usr/src # make pkgsrc-create If problems occur you may have to rm -rf pkgsrc and try again.


mkdir -p /usr/pkgsrc

cd /usr/pkgsrc && git init

git: not found

*** Error code 127

Stop in /usr.

Crap. The DragonFly install installs git via package as part of the OS install. git is used for installing pkgsrc. You use pkgsrc to install git. How can we bootstrap git? pkg_radd lets you install remote packages, but it is built on pkg_add, part of pkgsrc.

Find a FTP server (or mount an ISO) with the version of the scmgit package that runs on your host server. I would up getting the scmgit-base-1.7.4.1 package from the 2011Q1 pkgsrc. This is the same package that was originally installed on my DragonFly machine, and it still runs on the DragonFly installed on this host, so it should be okay.

# pkg_add -f -P /jail/mwltest4/ ftp://ftp.allbsd.org/pub/DragonFly/packages/i386/DragonFly-2.10/pkgsrc-2011Q1/devel/scmgit-base-1.7.4.1.tgz pkg_add: Warning: package `scmgit-base-1.7.4.1' was built for a platform: pkg_add: DragonFly/i386 2.10.0 (pkg) vs. DragonFly/i386 2.13 (this host) pkg_add: Warning: package `p5-Error-0.17016nb1' was built for a platform: pkg_add: DragonFly/i386 2.10.0 (pkg) vs. DragonFly/i386 2.13 (this host) ...

You’ll see many more warnings. The package wants to install TK and Python, but those packages are not available on this particula FTP server. But the -f flag means “Go ahead and install even if some dependencies are missing.” I use the -P to assign the package a new installation root directory in my jail’s root.

Do I like these errors? No. But if I can install a working git, I can install pkgsrc and build a current package with all the dependencies. Log back into the jail and see if it works.

# cd /usr # make pkgsrc-create If problems occur you may have to rm -rf pkgsrc and try again.

mkdir -p /usr/pkgsrc cd /usr/pkgsrc && git init warning: templates not found /usr/pkg/share/git-core/templates Initialized empty Git repository in /usr/pkgsrc/.git/ ...

Wait a while, and you’ll have a working pkgsrc tree. From here, you can bootstrap pkgsrc:

# cd /usr/pkgsrc/bootstrap # ./bootstrap # ./cleanup

This gets you /usr/pkg/sbin/pkg_add.

At this point, I consider my jail complete. While it doesn’t have all the third-party programs I need, I can now easily install them from within the jail, either from pkgsrc or with pkg_radd.

October 19, 2011

Upgrading DragonFly BSD

I have two DragonFly BSD boxes that I want to upgrade to the latest rev. At the moment, they’re running:

$ uname -a
DragonFly screw.lodden.com 2.10-RELEASE DragonFly v2.10.1.1.gf7ba0-RELEASE #1: Mon Apr 25 19:48:10 UTC 2011 root@pkgbox32.dragonflybsd.org:/usr/obj/usr/src/sys/GENERIC i386

Unlike most other BSDs, DragonFly uses git for source code management. DragonFly provides make wrappers to git updates, however. If you don’t have the source code already installed, get it with:

$ cd /usr $ make src-create
mkdir -p /usr/src
cd /usr/src && git init
Initialized empty Git repository in /usr/src/.git/
cd /usr/src && git remote add origin git://git.dragonflybsd.org/dragonfly.git
…

Walk away for a little while, and you’ll come back to see:

... Checking out files: 100% (31175/31175), done. Already on 'master' cd /usr/src && git pull Already up-to-date. $

This will get you the latest DragonFly BSD source code.

Before going any further, look at /usr/src/UPDATING. This contains warnings and instructions for avoiding bumps in the upgrade process. For example, as I write this the post-2.10 UPDATING notes list several ISA-only device drivers that have been removed from the system. If I was running on an ISA system, I’d care about that. But I’m not, so I don’t. On to building the system!

$ cd /usr/src $ make buildworld

Once your world is built, follow up with:
$ make kernel $ make installworld

Those of us from other BSDs would expect an etcmerge or mergemaster here, but DragonFly replaces that with:

$ make upgrade
The make upgrade process is much faster and less interactive than any merge tool.

After this is done, reboot. Log back in and you’ll find:

$ uname -a
DragonFly mwltest2.lodden.com 2.13-DEVELOPMENT DragonFly v2.13.0.49.gf6ce8-DEVELOPMENT #0: Tue Oct 18 10:51:40 EDT 2011 mwlucas@mwltest2.lodden.com:/usr/obj/usr/src/sys/GENERIC i386

We’re running.

My next task is to build a few jails and make them usable. But that’s for another post.

September 27, 2011

sudo environment purging and OpenSSH

I recommend using sudo for privileged access to systems. I also recommend requiring keys for SSH authentication, with agent forwarding to trusted systems. The default settings in these two programs collide head-on when you become superuser via sudo and want to copy files from one server to another with scp or sftp.

If you’re using an SSH agent, your environment contains the location of your authentication socket.

# env | grep SSH SSH_CLIENT=192.0.2.2 51502 22 SSH_CONNECTION=192.0.2.2 51502 198.0.2.10 22 SSH_TTY=/dev/pts/1 SSH_AUTH_SOCK=/tmp/ssh-aJpJNwwOTk/agent.35699 #

When you copy files with scp(1) or sftp(1), the client checks for a SSH authentication socket. If the client doesn’t find one, and the user account doesn’t have a private key on this system, and the remote server doesn’t support password auth, the client will not be able to log in.

All as you would expect, right? But like any good firewall, sudo(8) removes all environment variables not explicitly permitted. To see what sudo(8) does to your environment, as well as all of sudo’s other settings, become root and run sudo -V.
# sudo -V Sudo version 1.6.9p20

Sudoers path: /usr/local/etc/sudoers Authentication methods: 'pam' Syslog facility if syslog is being used for logging: local2 ... Environment variables to check for sanity: TERM LINGUAS LC_* LANGUAGE LANG COLORTERM Environment variables to remove: RUBYOPT RUBYLIB PYTHONINSPECT ... Environment variables to preserve: XAUTHORIZATION XAUTHORITY TZ PS2 PS1 PATH ...

sudo sanity-checks some environment variables, deliberately strips others, and explicitly preserves a few.

To use agent forwarding for SSH authentication while running as root, add the SSH environment variables to sudo’s configuration. While I could restrict this by groups, I’ll make this a default setting. Call up visudo and add a new default.

Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"

Exit superuser, use sudo to become superuser again, and your environment will retain your SSH environment.

While sudo can preserve any environment variables you wish, sudo strips the environment for very good reasons. Don’t retain environment variables unless you’re sure what they will do. And don’t retain easily-abused environment variables, such as LD_PRELOAD. If the superuser needs dangerous environment variables, put them in a separate configuration file and source that file after becoming superuser.

September 26, 2011September 27, 2011

DragonFly BSD Introduction

As a long-time IT guy, I’ve grown accustomed to randomly discovering that the boss has purchased some new toy and wants me to put it into production. Usually, both the application and the underlying platform are completely incompatible with everything else we have. This demonstrates that one can grow accustomed to anything. This job is a little different, though. I came into the office to find that Fearless Leader installed a pair of new Dragonfly BSD machines and left me a shopping list of stuff I was to accomplish on them.

As surprises go, it could be a lot worse.

Why did Fearless Leader do this? As so much in this field, it started with annoyance — specifically, annoyance at ZFS requiring gigs and gigs of RAM for deduplication, even on OpenSolaris. HAMMER promised snapshots with more modest equipment requirements. This should help us sync different multiple servers.

For the most part, Dragonfly is configured just like any other BSD. I thought it might be worth giving a quick run-through on how to start with Dragonfly, however. Besides, this is the most interesting thing I’ve done for a while. (Debugging multicast on Ubiquiti radios is both tedious and unproductive).

First, let’s get these machines properly on the network. DHCP is fine for an install, but a server needs a static address. Dragonfly is based on the tail end of FreeBSD 4, also known as “what Lucas wrote his first tech book about,” so the configuration is fairly familiar. In /etc/rc.conf, add:

hostname="red.example.com" ifconfig_em0="inet 192.0.2.151 netmask 255.255.255.128" defaultrouter="192.0.2.129"

Reboot, and the network still works.

One thing we noticed right away is that Dragonfly’s SSH server ships with passwords disabled. You must use public key auth or explicitly enable password auth. This presents a certain chicken-and-egg annoyance for us, because we distribute our public keys and our accounts via LDAP. When you install a Dragonfly machine, I suggest copying your authorized_keys file to the server before leaving the console.

Now I need to install a whole bunch of software, such as text editors, a SNMP agent, and so on. Some of these programs will work as needed when installed from packages, but some will require special builds. I’ll start with the special builds. Dragonfly uses pkgsrc, NetBSD’s cross-platform ports project. I like a lot of things about pkgsrc, most obviously that it installs software in /usr/pkg. Install pkgsrc on your machine like so.

# cd /usr/ # make pkgsrc-create

This downloads and installs the current pkgsrc tree. When complete, you can go to the package’s build directory and do the usual BSD-style bmake all install clean to install the package. (Note that you need bmake, not make.)

If you’re happy with precompiled binary packages, just use pkg_radd.

# pkg_radd net-snmp
Wait a moment, and the package is installed from the remote FTP server.

Both precompiled packages and packages you compile put their configuration information in /usr/pkg/etc.

Other things I noticed:

Dragonfly has its own NTP daemon, dntpd. Enable it with dntpd_enable=YES in /etc/rc.conf. When you start dntpd, it forcibly syncs the clock if necessary.

Like FreeBSD, Dragonfly supports three firewall programs: ipfilter, IPFW, and PF. As of this time, PF is based on OpenBSD 4.4.

Dragonfly still mounts /proc by default.

Both Fearless Leader and I noticed that Dragonfly feels fast. This is a purely subjective statement, but both of the new machines feel very responsive. I look forward to seeing how much our typical load slows them down.

UPDATE: Hello, Reddit’s Teeming Hordes! I’m not sure why this blurb on my intro to Dragonfly was worthy of sharing, but never let it be said that I’m a churlish host.

August 25, 2011

Book updates, August 2011

I completed a first draft of the OpenSSH book last night around 10:30PM EDT. It’s out for tech edit now. At this point, I’m going systematically through the tech edits and making sure I’ve corrected the earlier chapters. After that, the manuscript goes to copyediting. Once copyedit is complete, I’ll release the ebook and start contracting out the POD version.

I normally write both nonfiction and fiction simultaneously. When I get frustrated with one project, I switch to the other. The context switch clears my brain. When I return to the vexing project, I can approach the problem fresh and work through it quickly.

I decided to do two nonfiction projects simultaneously this summer. In retrospect, this was a mistake. When I got frustrated with one project, I switched to the other… and found myself still frustrated. Perhaps I can do two nonfiction projects simultaneously, but OpenSSH and OpenBSD have a lot in common. One is just a subset of the other. My frustrations would probably be reduced if I knew what I was doing, but if I knew what I was doing, I wouldn’t write the book.

Lesson learned. If I want to write two nonfiction books simultaneously, they must be wildly diverse.

The OpenBSD book has therefore moved slowly. It’s further complicated by moving over the next couple weeks. I’ll be full-out cranking on the OpenBSD book this fall, however.

I predicted that the OpenSSH book would be 30,000 words. The first draft came in at 29,977 words. I am amazed; usually my books come in at 25-50% over the predicted word count. Perhaps I’m learning. But I’m probably just lucky.

August 8, 2011

How to Lose your Job with SSH, part 2

Like last week’s How to Lose your Job with SSH, Part 1, a less dramatic title for this would be Dynamic Port Forwarding with SSH, but that’s dreadfully dull.

Many corporations try to tightly secure their network. Connections to the outside world are strictly limited. If you have a single open TCP/IP port to the outside world, however, you can leverage this into blanket Internet access by using your SSH client as a SOCKS proxy. This is called dynamic forwarding.

SOCKS is a generic TCP/IP proxy. SOCKS tunnels arbitrary protocols, as long as the client program supports SOCKS. Many clients, including the major Web browsers, do.

To do this, you would SSH from your client on the protected network to a server on the public Internet. The client opens a SOCKS proxy on a TCP port on the local machine. When a client connects to this proxy, the traffic is forwarded across the Internet to the SSH server. The SSH server processes the request and feeds the data back to you. It’s not a terribly fast proxy, but it is encrypted and it will bypass the corporate firewall and Web proxies.

Use the -D flag to tell the OpenSSH client to use dynamic port forwarding. (You can do the same thing with PuTTY, but that’s a separate walk-through.)

$ ssh -D localaddress:localport hostname
If you don’t specify a local IP, the client automatically binds to 127.0.0.1.

Here, I open a dynamic proxy on port 9999 to the server pride.blackhelicopters.org

$ ssh -D 9999 pride.blackhelicopters.org

Leaving the SSH session up, now go to the Web browser on the local machine. Somewhere in the browser preferences you’ll find a place for proxy servers. Tell your browser it has a proxy at 127.0.0.1 on port 9999. Save the settings and start browsing the Internet. Your Web browsing will be slow, but it’ll get you on the Internet.

If I list a network-facing IP on my client, anyone who can connect to that port on the client can use my proxy.

$ ssh -D 10.10.10.105:9999 pride.blackhelicopters.org
This is, of course, a violation of the security policy at these security-sensitive companies. Doing it will get you fired.

As a network administrator responsible for such an environment, what can you do about this?

If you run an external SSH server that your users need to log into, disable SSH forwarding with the AllowTcpForwarding option in sshd_config.

Watch your traffic. See how much traffic various protocols use on your network. This will not only help you catch SSH tunnels, it will help you catch any other sort of tunnel. You must know what is normal before you can catch strangeness, however.

You could forbid external SSH, and only permit protocols that can be proxies, such as Telnet.

You can set up a legitimate SOCKS server, with logging, and require all traffic pass through it. Anyone tunneling large amounts of traffic through the server will stand out in the logs.

Most of these solutions require the network administrator to know what happens on his network. You must have basic network awareness, in advance, or you’ll never find these people.

And if you’re an end-user who creates his own SOCKS proxy in such an environment, gets caught, and gets fired for it, do let me know. I can always use a good laugh at someone else’s expense.

August 2, 2011February 5, 2015

How to Lose your Job with SSH, part 1

A less sensational title for this post would have been “SSH Remote Forwarding,” but that’s not nearly as fun.

I used to be responsible for one of the few entry points into a global network. The company had actual manufacturing secrets — their products included various machines of war. We had internal firewalls to protect sites from each other, even when the site didn’t have Internet access. All Internet connections had to go through proxies. We did not allow external DNS to reach the desktop. If you typed ping google.com on your desktop, you’d get a “host unknown” error. The company had invested in VPN technology that blocked all but approved clients, and only permitted clients on the approved list if they were running the approved anti-virus scanners and other security software.

I was frequently asked to open direct Internal access for random applications. Most of these requests were rejected unless the user could explain what they wanted and why it was business-critical. Some of the people who asked were technically literate, and became indignant when I rejected their request for outbound SSH to external servers or equipment. After all, SSH is “Secure Shell.” It says secure RIGHT IN THE NAME. They just want to check their personal email. How could I possibly reject this eminently sensible request?

I’ve since had left this job, but I’ve had the same discussion more than once afterwards.

Most SSH users have no idea of SSH’s flexibility. Arbitrary SSH connections are a nightmare for maintaining any sort of secure information perimeter. Remote port forwarding is one reason why.

When most people mention SSH port forwarding, they’re thinking of local port forwarding. You forward a TCP port on your client to a TCP port on the SSH server. This lets you, say, tunnel SMTP inside SSH, so your client can relay mail through your server without any complicated Sendmail rules.

Remote forwarding lets you do the reverse: forward a TCP port on the SSH server to a TCP port on the SSH client.

Suppose I permit a user to SSH to an external server. The desktop is behind a NAT. There are no port mappings from the NAT to the desktop; it has the same connectivity you might give a secretary, except for the outbound SSH access to a single host. That user sets up remote port forwarding from a TCP port attached to the server’s public IP to the client’s SSH daemon. I’m using an OpenBSD desktop, but you can get SSH clients for most other operating systems, including Windows. I’m using OpenSSH, of course, but most clients (including PuTTY) does remote port forwarding.

To do remote port forwarding in OpenSSH, run:

$ ssh -R remoteIP:remoteport:localIP:localport hostname

If you don’t specify an IP address to attach to the SSH server, the server attaches to 127.0.0.1. (You can also skip the first colon in this case.)

My desktop runs sshd. I want to attach port 2222 on the SSH server pride.blackhelicopters.org to port 22 on my SSH client using remote port forwarding.

client$ ssh -R 2222:localhost:22 pride

I leave this connection up and go home. Perhaps I run top in the command window, to prevent the SSH session from timing out at the corporate firewall. Now at home, I log into the SSH server and run:

pride$ ssh -p 2222 localhost

My SSH request to the local machine will get tunneled inside the existing SSH connection out of the network. I will get a logon prompt for my client inside the secure network. When I can access one supposedly secure machine, I can start ripping data out of the local file servers and maybe even access other internal sites. All of the trouble the company expended to prevent unauthorized access is now moot.

If you attach the remote port forwarding to the server’s public IP, then anyone on the Internet can attack your desktop’s SSH daemon. People are attacking SSH servers, even on odd ports.

Of course, remote port forwarding in this environment would violate company policy. If caught, you’d lose your job. But to catch this abuse, the network administrator would need to realize that large data transfers were taking place in off hours over these limited-use channels. You could, say, use flow analysis to write automated reports that notice and alarm when large amounts of traffic pass over these “rarely-used” channels. You’d have to be a real bastard to think of that. But the reports are easy to write, and the look on the abuser’s face when you confront them with graphs and numbers is priceless.

The point is, the next time your employer’s network administrator rejects your sensible request for SSH access to your home server, don’t be too hard on the poor slob.

Want more SSH fun? Check out the book recommended by the OpenSSH project, SSH Mastery.

July 22, 2011

creating FreeNAS 8 iSCSI target

I didn’t find an up-to-date tutorial on how to set up a FreeNAS 8 iSCSI target, so I took notes as I set one up. Figuring this out by brute force is fairly straightforward: just keep adding iSCSI stuff until you can actually discover iSCSI targets. But for those of you who value your time, here’s how you do it.

1) Go to services, enable iscsi. Under iSCSI, choose Target Global Configuration. In Discovery Auth Method choose CHAP. Leave all other settings unchanged

2) It seems that FreeNAS doesn’t yet let you export a whole drive via iSCSI; you must create an extent. Under iSCSI, select Extents, then Add Extent. Name your extent, give it a path, and set a size.

3) On the Target Global Configuration, on the “authentication” tab, create an iSCSI user and assign it a secret

4) You need an iSCSI Portal. Click the Portals tab. This is where you define the iSCSI target. The default is to listen for iSCSI connections on all IP addresses, on port 3260. If you have multiple IP addresses, and want separate portals for each, be more specific.

5) You must authorize initiators. Choose “Authorized Initiator,” then “Add Authorized Initiator.” List the IP subnet of your initiators under Authorized Network.

6) Go to the Targets tab. Add a target.

Give the target a name and and an alias.

The type will be “disk.”

flags read-write

portal group ID is the number of the portal (probably 1)

initiator group ID is the number of the authorized initiators you created (probably 1)

Set auth method to CHAP

authentication group number from the user you created (also probably 1)

7) Under “Associated Targets,” attach the extent to the target.

Now go to your iSCSI initiator and log in.

To create new iSCSI targets, create a device extent, add a target for that extent, and attach the extent to the target.

June 27, 2011

add PF to FreeNAS 8

I won’t put any system on the Internet without some sort of packet filter or firewall. Especially not a file server containing important data. While I have a FreeNAS 8 box, it doesn’t come with a firewall. FreeBSD includes three firewalls, IPFW, IPF, and PF. Any one of these would do, but I’m most comfortable with PF, so I decided to add PF to my FreeNAS install.

This will not add a firewall to the GUI. You must manage your rules remotely. The FreeNAS backup will not back up your rules. The good news is, once your firewall works the rules don’t change very frequently.

First, get the appropriate kernel module. You’ll need the ISO for the version of FreeBSD that your FreeNAS is based on. FreeNAS 8.0 is based on FreeBSD 8.2. I’m running the amd64 version of FreeNAS, so I need the amd64 version of FreeBSD 8.2. The version must match as exactly as possible: your 8-stable amd64 desktop might work, but it might make your FreeNAS box crash and die.

Mount the ISO.

$ mdconfig -a -t vnode -f $HOME/FreeBSD-8.2-RELEASE-amd64-livefs.iso md0 $ mount -t cd9660 /dev/md0 /mnt

I previously installed FreeNAS on a 2GB USB stick. For this process, I shut down my FreeNAS box and mounted the USB drive on my FreeBSD machine. You could work directly on the FreeNAS image and re-install it on the USB drive, or even work directly on the live FreeNAS box. I’m assuming you’re working on a USB stick.

$ mount /dev/da0s1 /mnt

Start by getting the PF kernel module from the ISO onto your USB drive.

$ cp /media/boot/kernel/pf.ko /mnt/boot/kernel/

Now for the tricky bit. FreeNAS is based on the FreeBSD diskless system. (Obligatory plug: I did half a chapter on diskless operation in Absolute FreeBSD.) It uses the /conf directory to create a series of memory-based filesystem overlays, creating a MFS /tmp, /etc, and so on. This means that any changes you make to, say, /etc/pf.conf will not survive a reboot. You must edit the original versions of these files, in /conf/base/etc.

In /conf/base/etc/rc.conf, add

pf_enable=YES

Put your pf.conf in the same directory. Configuring PF is left as an exercise for the reader.

Any firewall changes made to a running system must appear in /etc/pf.conf and in /conf/base/etc/pf.conf. I suggest changing the base file, and copying changes to /etc.