15 Dec 11

FreeBSD: MBMon – CPU Temperature Monitor

Compile mbmon from ports: ports/sysutils/mbmon

Running mbmon as a background daemon with TCP output (/etc/rc.conf):

# Mbmon
mbmon_enable="YES"
mbmon_port="12999"

Starting process:

/usr/local/etc/rc.d/mbmon start

Testing:

~$ telnet localhost 12999
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Temp.= 254.0, 38.0, 201.0; Rot.= 135000, 0, 0
Vcore = 1.36, 1.82; Volt. = 3.31, 5.11, 2.31, -14.19, -6.12
Connection closed by foreign host.

Manual mode:

~$ mbmon -A 1

-A -> probe with every access method mbmon supports
1 -> sleep 1 sec between readings
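The TCP output shown above is plain text, so it is easy to collect from a monitoring host. The following is an added example (not code from the post or from the mbmon project) that reads one report from the daemon, parses the two "Name = v1, v2; ..." lines into a dictionary, and classifies the readings. It also handles the failure mode visible in the post's own output: values such as 254.0 C or 135000 RPM are far outside any physical range and usually come from unconnected sensor inputs, so they are reported as "unreliable" rather than raising a critical alarm. The sample report is copied from the post; the thresholds and the default port 12999 are assumptions.

```python
"""Read, parse and sanity-check mbmon's TCP report.

Added example, not code from the post or from mbmon. It assumes the
two-line output format shown in the post's telnet session.
"""

import socket
from typing import Dict, List, Tuple

# Constructed sample, copied from the post's telnet session.
SAMPLE_OUTPUT = """\
Temp.= 254.0, 38.0, 201.0; Rot.= 135000, 0, 0
Vcore = 1.36, 1.82; Volt. = 3.31, 5.11, 2.31, -14.19, -6.12
"""


def read_from_mbmon(host: str = "127.0.0.1", port: int = 12999, timeout: float = 5.0) -> str:
    """Connect to a running mbmon daemon and read one report.

    mbmon writes the report and closes the connection, so read until EOF.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def parse_mbmon(text: str) -> Dict[str, List[float]]:
    """Turn 'Name = v1, v2; Name2 = v3' lines into {name: [values]}."""
    readings: Dict[str, List[float]] = {}
    for line in text.splitlines():
        for group in line.split(";"):
            if "=" not in group:
                continue
            name, values = group.split("=", 1)
            name = name.strip().rstrip(".")  # 'Temp.' -> 'Temp', 'Volt.' -> 'Volt'
            readings[name] = [float(v) for v in values.split(",") if v.strip()]
    return readings


def check_temperatures(temps: List[float], warn: float = 70.0, crit: float = 85.0,
                       plausible: Tuple[float, float] = (0.0, 125.0)) -> List[Tuple[int, float, str]]:
    """Classify each temperature reading as ok / warning / critical / unreliable."""
    results = []
    low, high = plausible
    for idx, value in enumerate(temps):
        if not (low < value < high):
            status = "unreliable"  # unconnected sensor input, not a real reading
        elif value >= crit:
            status = "critical"
        elif value >= warn:
            status = "warning"
        else:
            status = "ok"
        results.append((idx, value, status))
    return results


def check_fans(rpms: List[float], minimum: float = 500.0,
               maximum: float = 20000.0) -> List[Tuple[int, float, str]]:
    """Classify fan readings: 0 RPM means no fan/tachometer, absurd values are unreliable."""
    results = []
    for idx, rpm in enumerate(rpms):
        if rpm == 0:
            status = "absent"
        elif rpm > maximum:
            status = "unreliable"
        elif rpm < minimum:
            status = "slow"
        else:
            status = "ok"
        results.append((idx, rpm, status))
    return results


def summarize(text: str) -> Dict[str, List[Tuple[int, float, str]]]:
    """Parse one mbmon report and evaluate its temperature and fan readings."""
    readings = parse_mbmon(text)
    return {
        "temps": check_temperatures(readings.get("Temp", [])),
        "fans": check_fans(readings.get("Rot", [])),
    }


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with read_from_mbmon() against a live daemon.
    for kind, rows in summarize(SAMPLE_OUTPUT).items():
        for idx, value, status in rows:
            print(f"{kind}[{idx}] = {value}: {status}")
```

The daemon listens on the configured TCP port without any authentication, so run the collector on the same host or restrict the port to the monitoring network with the packet filter; treat the output as untrusted input (the parser above tolerates malformed groups rather than crashing on them).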

14 Dec 11

FreeBSD: Setting up CPU speed

Powerd settings (/etc/rc.conf):

# Powerd
powerd_enable="YES"
powerd_flags="-a adp -b adp -i 50 -r 75 -p 250"

Starting the process:

/etc/rc.d/powerd start

Parameters:

-a adp -> Operation mode while on AC power (adaptive)
-b adp -> Operation mode while on battery power (adaptive)
-i 50 -> CPU load percentage below which adaptive mode starts to degrade performance to save power
-r 75 -> CPU load percentage above which adaptive mode considers the CPU busy and increases performance
-p 250 -> Polling interval (in milliseconds) for the AC line state and system idle levels

Others:
-m <freq> -> Minimum frequency the processor may be throttled down to
-M <freq> -> Maximum frequency the processor may be raised to
-n <op_mode> -> Operation mode used when the AC line state is unknown

14 Dec 11

FreeBSD: Wired and Wireless router with transparent Bridge

Setting up a router with wired and wireless interfaces (WPA2 with TKIP/AES authentication) and a transparent bridge, so that both sides form a single LAN.

I'm using FreeBSD 8.2 for these tests.

Scheme:

ADSL <--> FreeBSD <--> LAN (wired/wireless)

Kernel config:

device ral # Ralink chipset - RT2560, RT2561S, RT2661
device ralfw
device wlan  # 802.11 support
device wlan_ccmp # 802.11 CCMP support
device wlan_xauth # 802.11 WPA support
device wlan_amrr # Adaptive Multi-Rate Retry
device firmware # firmware assist module
device bridge

Interfaces settings (/etc/rc.conf):

# Ethernet
ifconfig_re0="DHCP media 100BaseTX mediaopt full-duplex"
ifconfig_rl0="ether f6:4c:a3:09:d9:e6 media 100BaseTX mediaopt full-duplex"
ifconfig_ral0="ether f6:4c:a3:09:d9:e6"

# Wlan
wlans_ral0="wlan0"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="ether f6:4c:a3:09:d9:e6 protmode rtscts fragthreshold 2346 bintval 1000 dtimperiod 15 apbridge mode 11g ssid BLOCKED channel 6"

# Bridge (with Spanning Tree Protocol)
cloned_interfaces="bridge0"
ifconfig_bridge0="ether f6:4c:a3:09:d9:e6 addm rl0 addm wlan0 stp rl0 stp wlan0"
ifconfig_bridge0_alias0="inet 192.168.2.1 netmask 255.255.255.0"

# Hostapd - WPA/WPA2 authenticator for the WiFi LAN
hostapd_enable="YES"

# Gateway
gateway_enable="YES"

NOTE: I used the same MAC on all interfaces.

WPA/WPA2 auth settings (/etc/hostapd.conf):

interface=wlan0
driver=bsd
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=BLOCKED
macaddr_acl=0
auth_algs=1
ieee8021x=0
# wpa: 1 = WPA, 2 = WPA2
wpa=2
wpa_passphrase=otengio1234
wpa_key_mgmt=WPA-PSK
## pairwise ciphers: CCMP (AES) and/or TKIP
wpa_pairwise=CCMP TKIP
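The configuration above offers TKIP alongside CCMP and keeps the pre-shared passphrase in clear text in the file, so the file's permissions and the cipher list deserve a second look before the access point goes live. The following is an added example (not code from the post or from the hostapd project) that parses a hostapd.conf and lists the weak choices a reviewer would flag: WPA version 1 offered, TKIP in the pairwise cipher list, shared-key authentication, or a missing or short passphrase. The weak sample is constructed from the post's config with the passphrase replaced by a placeholder; the hardened variant beside it keeps only CCMP and a long passphrase. The 20-character "short passphrase" threshold is an assumption.

```python
"""Audit a hostapd.conf for weak WPA settings.

Added example, not code from the post or from hostapd. It assumes the plain
key=value format hostapd reads, with '#' lines as comments.
"""

from typing import Dict, List

# Constructed sample mirroring the post's /etc/hostapd.conf (passphrase is a placeholder).
WEAK_CONF = """\
interface=wlan0
driver=bsd
ssid=BLOCKED
macaddr_acl=0
auth_algs=1
ieee8021x=0
wpa=2
wpa_passphrase=PLACEHOLDER_PASSPHRASE
wpa_key_mgmt=WPA-PSK
## TKIP or AES
wpa_pairwise=CCMP TKIP
"""

# The same config with the weak settings corrected: CCMP only, long passphrase.
HARDENED_CONF = (WEAK_CONF
                 .replace("wpa_pairwise=CCMP TKIP", "wpa_pairwise=CCMP")
                 .replace("PLACEHOLDER_PASSPHRASE", "a-long-constructed-passphrase-2024"))


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and lines starting with '#' are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing weak was spotted."""
    findings: List[str] = []

    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: network is open, no encryption at all")
    elif wpa in ("1", "3"):  # 1 = WPA only, 3 = WPA and WPA2
        findings.append(f"wpa={wpa}: WPA (version 1) is offered; use wpa=2")

    # wpa_pairwise applies to WPA; rsn_pairwise applies to WPA2 and defaults to wpa_pairwise.
    pairwise = set(conf.get("wpa_pairwise", "").split())
    rsn_pairwise = set(conf.get("rsn_pairwise", "").split()) or pairwise
    if "TKIP" in pairwise | rsn_pairwise:
        findings.append("TKIP pairwise cipher enabled; restrict to CCMP (AES)")

    auth_algs = conf.get("auth_algs", "1")
    if auth_algs != "1":  # bit 2 enables WEP-style shared-key authentication
        findings.append(f"auth_algs={auth_algs}: shared-key (WEP-style) authentication allowed")

    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt:
        passphrase = conf.get("wpa_passphrase", "")
        if not passphrase and not conf.get("wpa_psk"):
            findings.append("WPA-PSK selected but no wpa_passphrase/wpa_psk set")
        elif passphrase and not 8 <= len(passphrase) <= 63:
            findings.append("wpa_passphrase must be 8-63 characters")
        elif passphrase and len(passphrase) < 20:  # assumed local policy
            findings.append("wpa_passphrase is short; prefer a long random passphrase")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_hostapd(parse_hostapd_conf(text)) or ["no findings"])
```

Because hostapd ships its own parser, this only flags the keys it knows about; a clean result here is a precondition, not a proof, and the file itself should stay readable only by root since it holds the passphrase.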

System settings (/etc/sysctl.conf):

net.link.bridge.pfil_bridge=1 # Packet filter on the bridge interface
net.link.bridge.log_stp=1 # Log STP state changes
net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_local_phys=0 # Packet filter on the physical interface for locally destined packets
net.link.bridge.pfil_member=1 # Packet filter on the member interface

Now you can set the firewall rules on the bridge interface, and BE HAPPY!

10 Apr 09

Using Lighttpd as Web Server on FreeBSD

Installing lighttpd from ports:

~# cd /usr/ports/www/lighttpd/
~# make install && make clean

Configuring /usr/local/etc/lighttpd.conf:

server.modules = (
  "mod_access",
  "mod_auth",
  "mod_status",
  "mod_accesslog"
)
server.document-root = "/usr/local/www/data/"
server.errorlog = "/var/lighttpd/log/lighttpd.error.log"
index-file.names = ( "index.php", "index.html",
                     "index.htm", "default.htm" )
server.event-handler = "freebsd-kqueue" # kqueue event handler for FreeBSD
mimetype.assign = (
  ".pdf" => "application/pdf",
  ".sig" => "application/pgp-signature",
  ".spl" => "application/futuresplash",
  ".class" => "application/octet-stream",
  ".ps" => "application/postscript",
  ".torrent" => "application/x-bittorrent",
  ".dvi" => "application/x-dvi",
  ".gz" => "application/x-gzip",
  ".pac" => "application/x-ns-proxy-autoconfig",
  ".swf" => "application/x-shockwave-flash",
  ".tar.gz" => "application/x-tgz",
  ".tgz" => "application/x-tgz",
  ".tar" => "application/x-tar",
  ".zip" => "application/zip",
  ".mp3" => "audio/mpeg",
  ".m3u" => "audio/x-mpegurl",
  ".wma" => "audio/x-ms-wma",
  ".wax" => "audio/x-ms-wax",
  ".ogg" => "application/ogg",
  ".wav" => "audio/x-wav",
  ".gif" => "image/gif",
  ".jpg" => "image/jpeg",
  ".jpeg" => "image/jpeg",
  ".png" => "image/png",
  ".xbm" => "image/x-xbitmap",
  ".xpm" => "image/x-xpixmap",
  ".xwd" => "image/x-xwindowdump",
  ".css" => "text/css",
  ".html" => "text/html",
  ".htm" => "text/html",
  ".js" => "text/javascript",
  ".asc" => "text/plain",
  ".c" => "text/plain",
  ".cpp" => "text/plain",
  ".log" => "text/plain",
  ".conf" => "text/plain",
  ".text" => "text/plain",
  ".txt" => "text/plain",
  ".dtd" => "text/xml",
  ".xml" => "text/xml",
  ".mpeg" => "video/mpeg",
  ".mpg" => "video/mpeg",
  ".mov" => "video/quicktime",
  ".qt" => "video/quicktime",
  ".avi" => "video/x-msvideo",
  ".asf" => "video/x-ms-asf",
  ".asx" => "video/x-ms-asf",
  ".wmv" => "video/x-ms-wmv",
  ".bz2" => "application/x-bzip",
  ".tbz" => "application/x-bzip-compressed-tar",
  ".tar.bz2" => "application/x-bzip-compressed-tar"
)
accesslog.filename = "/var/lighttpd/log/lighttpd.access.log"
url.access-deny = ( "~", ".inc", "Filmes" )
$HTTP["url"] =~ "\.pdf$" {
  server.range-requests = "disable"
}
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
server.port = 80
server.pid-file = "/var/run/lighttpd.pid"
dir-listing.activate = "enable"
server.username = "www"
server.groupname = "www"
$HTTP["host"] =~ "^.*$" {
  server.document-root = "/usr/home/www/public_html/"
  url.access-deny = ( "~", ".inc", "Filmes" )
  $HTTP["url"] =~ "/sarg" {
    dir-listing.activate = "disable"
  }
  $HTTP["url"] =~ "/server-*" {
    status.status-url = "/server-status"
    status.config-url = "/server-config"
    ## auth.backend should be htdigest, htpasswd, plain or ldap
    # htdigest format - "user:Personal Directory:2686e356efa71a1e93a8b6b00e938e81b"
    # use './htdigest -c passwordfile realm username' # -c needed to create a new file
    #
    ## plain format - "user:passwd"
    #
    ## htpasswd format - "user:78a6sd786asd78"
    # use './htpasswd -c passwordfile username password' # -c needed to create a new file
    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "/usr/home/www/.htdigest"
    auth.backend.htpasswd.userfile = "/usr/home/www/.htplain"
    auth.require = ( "" =>
      (
        ## method should be plain or digest
        # digest - md5 auth
        # plain - plain auth
        "method" => "digest",
        "realm" => "Personal Directory",
        "require" => "valid-user"
      )
    )
  }
  $HTTP["url"] =~ "^/personal/" {
    auth.debug = 2
    dir-listing.activate = "enable"
    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "/usr/home/www/.htdigest"
    auth.backend.htpasswd.userfile = "/usr/home/www/.htplain"
    auth.require = ( "" =>
      (
        "method" => "digest",
        "realm" => "Personal Directory",
        "require" => "valid-user"
      )
    )
  }
}
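The comments in the config describe the htdigest file as "user:realm:hash" lines. That hash is the HA1 value of HTTP Digest authentication, MD5 over "user:realm:password", which is why the realm string in the file has to match the "realm" set in auth.require exactly: change one and every stored entry stops verifying. The following is an added example (not code from the post or from lighttpd) that builds such entries and shows the server-side check, recomputing the client's response from the stored HA1 without ever seeing the password. It assumes the RFC 2617 response without the "qop" extension; user names, realm, nonce and passwords are constructed.

```python
"""Create and verify htdigest entries as used by lighttpd's mod_auth.

Added example, not code from the post or from lighttpd. It assumes the
'user:realm:hash' file format the post's comments describe, with hash =
MD5(user:realm:password) (the HA1 of HTTP Digest authentication), and the
RFC 2617 response computation without qop.
"""

import hashlib
import hmac
from typing import Dict, Tuple


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); this is the value an htdigest file stores."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """One line in the format the post shows: user:realm:hash."""
    if ":" in user or ":" in realm:
        raise ValueError("user and realm must not contain ':'")
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def load_htdigest(text: str) -> Dict[Tuple[str, str], str]:
    """Map (user, realm) -> stored HA1, skipping blank and comment lines."""
    users: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, digest = line.split(":", 2)
        users[(user, realm)] = digest
    return users


def expected_response(stored_ha1: str, method: str, uri: str, nonce: str) -> str:
    """response = MD5(HA1:nonce:HA2) where HA2 = MD5(method:uri) (no qop)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{stored_ha1}:{nonce}:{ha2}".encode("utf-8")).hexdigest()


def verify(users: Dict[Tuple[str, str], str], user: str, realm: str,
           method: str, uri: str, nonce: str, response: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare in constant time."""
    stored = users.get((user, realm))
    if stored is None:
        return False
    return hmac.compare_digest(expected_response(stored, method, uri, nonce), response)


def client_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side: the browser knows only the password and derives HA1 itself."""
    return expected_response(ha1(user, realm, password), method, uri, nonce)


if __name__ == "__main__":
    # Constructed credentials; the realm matches the post's auth.require.
    line = htdigest_entry("alice", "Personal Directory", "correct-horse-battery")
    print(line)
    users = load_htdigest(line)
    nonce = "constructed-nonce-1234"
    resp = client_response("alice", "Personal Directory", "correct-horse-battery",
                           "GET", "/personal/", nonce)
    print("verified:", verify(users, "alice", "Personal Directory", "GET", "/personal/", nonce, resp))
```

Two caveats follow from the construction: the stored HA1 is password-equivalent for that realm, so the .htdigest file needs the same protection as a password file, and with server.port = 80 as in the config above the scheme protects only the password, not the content of the protected directory; TLS is what protects the rest.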

10 Apr 09

Using PF as Firewall on FreeBSD

Recompile the kernel with PF support:

device          pf
device          pflog

Editing /etc/pf.conf:

# Variables
ext_if="rl0"
int_if="vr0"
port_tcp_out_to_in="{ 22, 88, 143, 6891, 6892, 6893 }"
port_udp_out_to_in="{ 53 }"

# Options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 30, tcp.opening 120, tcp.established 86400 }
set timeout { tcp.closing 30, tcp.finwait 15, tcp.closed 15 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Packet normalization
scrub in all

# Nat / Binat / Redirects
binat on $int_if from 192.168.2.2 to any -> 200.xxx.xxx.xx
nat on $ext_if from 192.168.2.0/24 to any -> ($ext_if) # or 200.xxx.xxx.xx
rdr on $int_if proto tcp from 192.168.2.0/24 to any port 80 -> 127.0.0.1 port 3128

# Rules
block in log all
pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass on lo0 from 127.0.0.1 to 127.0.0.1
pass on vr0 from 192.168.2.0/24 to 192.168.2.0/24 keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $port_tcp_out_to_in keep state
pass in on $ext_if proto udp from any to ($ext_if) port $port_udp_out_to_in keep state
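Because pf evaluates rules last-match-wins, the "block in log all" line is what makes the set default-deny, and the two "pass in on $ext_if" rules are the complete list of what the outside can reach. A quick way to keep that list honest as the file grows is to extract it mechanically. The following is an added example (not code from the post or from pf) that understands the subset of pf.conf syntax used above, quoted macros, $macro references, { } lists, "pass in/out on <if> proto <p> ... port <ports>", and reports which ports are opened inbound on the external interface plus whether a default-deny block rule exists. A "pass in" rule with no port list is reported as "any", which is the overly broad case an audit wants to catch. The rule set is constructed from the post; the macro name ext_if is taken from it.

```python
"""Summarise which ports a pf.conf opens for inbound traffic on the external interface.

Added example, not code from the post or from pf. It handles only the pf.conf
subset the post uses: quoted macros, $macro references, { } lists, and
'pass [in|out] on <if> proto <p> ... port <ports>' rules.
"""

import re
from typing import Dict, List, Union

# Constructed sample: macros and rules from the post's pf.conf.
PF_CONF = """\
# Variables
ext_if="rl0"
int_if="vr0"
port_tcp_out_to_in="{ 22, 88, 143, 6891, 6892, 6893 }"
port_udp_out_to_in="{ 53 }"

# Rules
block in log all
pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass on lo0 from 127.0.0.1 to 127.0.0.1
pass on vr0 from 192.168.2.0/24 to 192.168.2.0/24 keep state
pass in  on $ext_if proto tcp from any to ($ext_if) port $port_tcp_out_to_in keep state
pass in on $ext_if proto udp from any to ($ext_if) port $port_udp_out_to_in keep state
"""

Port = Union[int, str]
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
ON_RE = re.compile(r"(?<!\S)on\s+(\S+)")
PROTO_RE = re.compile(r"(?<!\S)proto\s+(\{[^}]*\}|\S+)")
PORT_RE = re.compile(r"(?<!\S)port\s+(\{[^}]*\}|\S+)")


def strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def parse_macros(text: str) -> Dict[str, str]:
    """Collect name="value" macro definitions."""
    macros: Dict[str, str] = {}
    for line in text.splitlines():
        m = MACRO_RE.match(strip_comment(line))
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line: str, macros: Dict[str, str]) -> str:
    """Replace every $name with its macro value; an undefined macro is an error."""
    def repl(m: "re.Match") -> str:
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        return macros[name]
    return re.sub(r"\$(\w+)", repl, line)


def as_list(token: str) -> List[str]:
    """'{ a, b }' -> ['a', 'b']; a bare token -> [token]."""
    token = token.strip()
    if token.startswith("{") and token.endswith("}"):
        return [t.strip() for t in token[1:-1].split(",") if t.strip()]
    return [token]


def to_port(token: str) -> Port:
    return int(token) if token.isdigit() else token  # service names / ranges stay strings


def inbound_exposure(text: str, ext_macro: str = "ext_if") -> Dict[str, List[Port]]:
    """Ports that 'pass' rules open inbound on the external interface, per protocol.

    'any' as protocol or port means the rule did not restrict that field.
    """
    macros = parse_macros(text)
    ext_if = macros.get(ext_macro)
    exposed: Dict[str, set] = {}
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.startswith("pass"):
            continue
        words = line.split()
        direction = words[1] if len(words) > 1 and words[1] in ("in", "out") else "both"
        if direction == "out":
            continue
        line = expand(line, macros)
        on = ON_RE.search(line)
        if on is None or on.group(1) != ext_if:
            continue  # only rules bound to the external interface count here
        proto = PROTO_RE.search(line)
        port = PORT_RE.search(line)
        protos = as_list(proto.group(1)) if proto else ["any"]
        ports = [to_port(p) for p in as_list(port.group(1))] if port else ["any"]
        for p in protos:
            exposed.setdefault(p, set()).update(ports)
    return {p: sorted(s, key=lambda v: (isinstance(v, str), v)) for p, s in exposed.items()}


def has_default_deny(text: str) -> bool:
    """True if a 'block ... all' rule is present (pf is last-match, so it sets the default)."""
    for raw in text.splitlines():
        words = strip_comment(raw).split()
        if words and words[0] == "block" and "all" in words:
            return True
    return False


if __name__ == "__main__":
    print("default deny:", has_default_deny(PF_CONF))
    print("inbound exposure:", inbound_exposure(PF_CONF))
```

Compare the output with what is actually meant to be reachable from the Internet; the post opens TCP 22, 88, 143 and 6891-6893 plus UDP 53, and anything else that shows up here after an edit is a regression. For the authoritative view of the loaded rule set use "pfctl -sr", which prints the rules with macros already expanded.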

Loading PF rules:

~# pfctl -f /etc/pf.conf

Edit /etc/rc.conf to start PF on boot:

pf_enable="YES" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="YES"
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd

20 Nov 08

FreeBSD UFS Snapshot


Creating a simple file to show how it works:

~# echo "test 1" > /tmp/test.txt


Creating a directory where the snapshot will be saved:

~# mkdir /tmp/.snap


Creating the snapshot:

~# mount -u -o snapshot /tmp/.snap/snap_1 /tmp
~# ls -l /tmp/.snap/snap_1


Changing the content of file:

~# echo "test 2" > /tmp/test.txt
~# ls -l /tmp/test.txt


Mounting the Snapshot:

~# mdconfig -a -t vnode -f /tmp/.snap/snap_1 -u 1
~# mount -o ro /dev/md1 /mnt/
~# ls -l /mnt/test.txt /tmp/test.txt


Showing the content of files:

~# cat /mnt/test.txt /tmp/test.txt
test 1
test 2


Finalizing:

~# umount /mnt
~# mdconfig -d -u 1
~# rm /tmp/.snap/snap_1


Yes, it really works!

20 Jun 08

Working With Jail On FreeBSD


We can use jail to build virtual environments, for example a virtual mail server and/or a virtual web server.


Well, let's make it work...


We need to create the environment:

~# mkdir /jail/jail01


Compiling the base system:

~# cd /usr/src
~# make buildworld


Installing the binaries:

~# make installworld DESTDIR="/jail/jail01"


Configure "/etc/rc.conf":

jail_enable="YES"
jail_list="jail01"
jail_jail01_rootdir="/jail/jail01"
jail_jail01_hostname="jail01.domain"
jail_jail01_ip="192.168.1.100"
jail_jail01_interface="fxp0"
jail_jail01_exec_start="/bin/sh /etc/rc"
jail_jail01_exec_stop="/bin/sh /etc/rc.shutdown"
jail_jail01_devfs_enable="YES"
jail_jail01_fdescfs_enable="YES"
jail_jail01_procfs_enable="YES"
jail_jail01_mount_enable="YES"
jail_jail01_devfs_ruleset="ruleset_name"
jail_jail01_flags="-l -U root"


Starting the jail manually:

~# jail /jail/jail01 jail01.domain 192.168.1.100 /bin/sh /etc/rc


If all goes well, a shell will be started inside the jail.


You can also start the jail using:

~# /etc/rc.d/jail start jail01


Stopping it:

~# /etc/rc.d/jail stop jail01


Well, I think that's it.

25 Jan 08

Working with GEOM

[ original source: http://www.fug.com.br/content/view/119/60/ ]


What is GEOM? It is a framework that sits between the kernel and the disks and manages the data going in and out of them. It lives at the kernel level and acts as the kernel's interface to the data on disk, so GEOM is transparent to the file system.


GEOM handles disk geometry, RAID and data protection, up to and including encryption of the disks.


Functions:

GELI - encrypts data using AES, Blowfish or 3DES. [see geli(8)]

GCONCAT - concatenates disks end to end to build one big disk. [see gconcat(8)]

GSTRIPE - stripes data across disks in a balanced way to build one big disk. [see gstripe(8)]

GMIRROR - mirrors a disk or slice onto another one. [see gmirror(8)]

GRAID3 - builds a RAID3 array from "n" data disks plus one dedicated parity disk. [see graid3(8)]

GSHSEC - shares a secret across several disks; without every one of those disks the data cannot be read. [see gshsec(8)]

GGATEC and GGATED - export devices over the network. [see ggatec(8) and ggated(8)]

[NOT COMPLETED]

16 Dec 07

Transparent Firewall With Redundant Bridge

Creating a transparent firewall with redundant bridge using bridge+pf+pfsync


OpenBSD 4.2 was used for the test.


Using 4 network interfaces:

fxp0 = internal net
fxp1 (bridge0) = inbound traffic
fxp2 (bridge0) = outbound traffic
fxp3 = pfsync


MACHINE 1


Configuring the internal net interface:

# vi /etc/hostname.fxp0
inet 172.16.0.1 255.255.255.0 172.16.0.255 description "Internal Link"


Configuring the bridge (input/output) interface:


# vi /etc/hostname.fxp1
media 100baseTX mediaopt full-duplex
up


# vi /etc/hostname.fxp2
media 100baseTX mediaopt full-duplex
up


# vi /etc/bridgename.bridge0
add fxp1
add fxp2
up


Do the same on the other machine, changing only the IPs:


MACHINE 2


Configuring the internal net interface:


# vi /etc/hostname.fxp0
inet 172.16.0.2 255.255.255.0 172.16.0.255 description "Internal Link"


Configuring the bridge (input/output) interface:


# vi /etc/hostname.fxp1
media 100baseTX mediaopt full-duplex
up


# vi /etc/hostname.fxp2
media 100baseTX mediaopt full-duplex
up


# vi /etc/bridgename.bridge0
add fxp1
add fxp2
up



