Securing FreeBSD with Ansible

My preferred server OS is FreeBSD. Each time I install it, I have to go through numerous steps to secure it. So, to avoid that effort, and to make sure I get it right each time, I’ve created an Ansible playbook to automate the entire process. You can learn about it here. Some of the tasks it completes include:

Disclaimer: fbsd-secured is provided as-is. fbsd-secured is intended as an example of configurations which may, or may not, improve the security posture of FreeBSD systems. The author does not accept any responsibility for damages caused by the use of these configurations. Any user using these configurations should do their own research and must take full accountability for potential risk and/or damages resulting from using them.

FreeBSD on AWS with Ansible

I often have a need for a fresh FreeBSD install, to host a server, or perhaps just to experiment with. My usual solution is FreeBSD jails. However, I’ve recently gotten interested in Ansible and AWS. There are quite a few advantages to installing infra with AWS, but the one I’m most interested in is automating the simple stuff and getting it right the first time. For example, remembering to:

- Add the service accounts
- Ensure that all files are added by the right accounts
- Add startup and shutdown scripts
- Configure pf
- Ensure logging is “just right”

AWS also has the notable advantage that with VPC, I can configure not only the OS and applications, but build infra. With the help of these two pages (1,2) I’ve been able to provision a simple FreeBSD-12 host, in a VPC. Code is here.

FreeBSD Jail filesystems

I’ve been using FreeBSD jails for a while, and was looking for a simple way to create jail filesystems. After some reading, I came up with this simple script, which creates a full FreeBSD filesystem from the release distribution sets. The filesystem can then be used via jail.conf.

    #!/bin/sh
    # kjail: build a full FreeBSD root filesystem for a jail
    # usage: kjail <jailname>
    JAILNAME=$1
    if [ -z "$JAILNAME" ]; then
            echo "usage: $0 jailname" >&2
            exit 1
    fi
    echo "kjail $JAILNAME"
    JAIL_HOME=/tank/kjail
    # base URL of the FreeBSD release distribution sets (the value was not preserved in this post)
    FTP=
    #
    # get packages (only once; they are cached under $JAIL_HOME/packages)
    #
    mkdir -p "$JAIL_HOME/packages"
    if [ ! -f "$JAIL_HOME/packages/doc.txz" ]; then
            wget "$FTP/doc.txz" -O "$JAIL_HOME/packages/doc.txz"
            wget "$FTP/base.txz" -O "$JAIL_HOME/packages/base.txz"
            wget "$FTP/kernel.txz" -O "$JAIL_HOME/packages/kernel.txz"
            wget "$FTP/lib32.txz" -O "$JAIL_HOME/packages/lib32.txz"
    fi
    #
    # make jail: unpack the distribution sets into the jail root
    #
    mkdir -p "$JAIL_HOME/$JAILNAME"
    tar zxvf "$JAIL_HOME/packages/doc.txz" -C "$JAIL_HOME/$JAILNAME"
    tar zxvf "$JAIL_HOME/packages/base.txz" -C "$JAIL_HOME/$JAILNAME"
    tar zxvf "$JAIL_HOME/packages/kernel.txz" -C "$JAIL_HOME/$JAILNAME"
    tar zxvf "$JAIL_HOME/packages/lib32.txz" -C "$JAIL_HOME/$JAILNAME"

IPSec VPNs with pfsense

I’ve been trying forever to get a mobile IPSec connection up between my OS X laptop and pfsense. Finally, thanks to this outstanding blog post, it works. I’m especially excited that it works with the default OS X and Android VPN clients. My pfsense config closely mirrors the one specified by Mike Murray.

pfsense, Phase 1

    Key Exchange version: Auto
    Internet Protocol: V4
    Interface: <my ISP>
    Authentication Method: Mutual PSK + Xauth
    Negotiation Mode: Aggressive
    My identifier: My IP Address
    Peer identifier: Distinguished Name, <my vpn name>
    Pre-Shared Key: <my key>
    Encryption Algorithm: AES 256
    Hash Algorithm: SHA1
    DH Group: 2
    Lifetime (Seconds): 28800
    Disable rekey: unchecked
    Responder Only: checked
    NAT Traversal: Forced
    Dead Peer Detection: checked, Delay: 10, Max failures: 5

Phase 2

    Mode: Tunnel IPv4
    Local Network: Network
    NAT/BINAT translation: None
    Protocol: ESP
    Encryption Algorithms: AES Auto
    Hash Algorithms: SHA1
    PFS key group: off
    Lifetime: 3600

Mobile Clients

    IKE Extensions: checked
    User Authentication: Local Database
    Group Authentication: system
    Virtual Address Pool: checked, /27
    Virtual IPv6 Address Pool: unchecked
    Network List: unchecked
    Save Xauth Password: checked
    DNS Default Domain: checked, khubla.local
    Split DNS: unchecked
    DNS Servers: checked
    WINS Servers: unchecked
    Phase 2 PFS Group: unchecked
    Login Banner: unchecked

OS X

Add a VPN and choose VPN Type “Cisco IPSec”. Use the Group Name specified in Phase 1 “Peer identifier Distinguished Name”.

Android

Add a VPN and choose “IPSec VPN with pre-shared keys and XAuth authentication”. Use the IPSec Identifier specified in Phase 1 “Peer identifier Distinguished Name”.

Configuring the FreeBSD automounter

I have a number of disks in my FreeBSD box which exist only as backups of data. I prefer that they not be mounted all the time, but instead mounted on use. They are 2x internal SATA disks and an external USB3 disk. This blog post explains how they are set up to auto-mount.

Firstly, my /etc/fstab entries for these disks look like this:

    /dev/ada5p1     /mnt/backup1    ufs     rw,noauto,noexec,nosuid,late            0       0
    /dev/ada6p1     /mnt/backup2    ufs     rw,noauto,noexec,nosuid,late            0       0
    /dev/da0p1      /mnt/usb1       ufs     rw,noauto,noexec,nosuid,late            0       0

All three disks are ufs, and noauto. Next, my /etc/amd.conf:

    [ global ]
    restart_mounts =   yes
    unmount_on_exit=  yes

and my amd map:

    # $FreeBSD: releng/10.3/etc/ 164015 2006-11-06 01:42:11Z obrien $
    #
    *               opts:=rw,grpid,resvport,vers=3,proto=tcp,nosuid,nodev
    localhost            type:=auto;fs:=${map};pref:=${key}/
    localhost/backup1      type:=program;fs:=/mnt/backup1;\
                            mount:="/sbin/mount mount /mnt/backup1";\
                            unmount:="/sbin/umount umount /mnt/backup1"
    localhost/backup2      type:=program;fs:=/mnt/backup2;\
                            mount:="/sbin/mount mount /mnt/backup2";\
                            unmount:="/sbin/umount umount /mnt/backup2"
    localhost/usb1      type:=program;fs:=/mnt/usb1;\
                            mount:="/sbin/mount mount /mnt/usb1";\
                            unmount:="/sbin/umount umount /mnt/usb1"

In /etc/rc.conf, we need to start amd, and the portmapper:

    portmap_enable="YES"
    portmap_flags="-h"
    amd_enable="YES"
    amd_flags="-a /.amd_mnt -l /var/log/amd /host /etc/"
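The fstab entries above give every on-demand disk noexec and nosuid, so nothing on a backup or USB volume can be executed or gain privilege through a setuid binary. The script below is an added example, not from the original post: it reads an fstab, and for every noauto entry (the on-demand disks) reports which of those two options is missing. The fstab it checks is a constructed sample modelled on the entries above; point audit_fstab at /etc/fstab to check a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit the noauto entries of an fstab
# and report any that lack the noexec and nosuid options.

# audit_fstab <fstab-file>
# Prints "<device> <mountpoint> missing: <options>" for each noauto entry that lacks
# noexec or nosuid. Prints nothing when all such entries are hardened.
audit_fstab() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dev mnt type opts dump pass; do
        # Only on-demand (noauto) filesystems are in scope for this check.
        case ",$opts," in
            *",noauto,"*) ;;
            *) continue ;;
        esac
        missing=""
        for want in noexec nosuid; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$dev $mnt missing:$missing"
        fi
    done
}

# fstab_hardened <fstab-file>
# Exit status 0 when audit_fstab reports nothing, 1 otherwise (usable in scripts and cron).
fstab_hardened() {
    [ -z "$(audit_fstab "$1")" ]
}

# Constructed sample fstab: the root filesystem and swap are out of scope (not noauto),
# backup1 is correct, backup2 lacks noexec, usb1 lacks both options.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# Device        Mountpoint      FStype  Options                         Dump    Pass#
/dev/ada0p2     /               ufs     rw                              1       1
/dev/ada0p3     none            swap    sw                              0       0
/dev/ada5p1     /mnt/backup1    ufs     rw,noauto,noexec,nosuid,late    0       0
/dev/ada6p1     /mnt/backup2    ufs     rw,noauto,nosuid,late           0       0
/dev/da0p1      /mnt/usb1       ufs     rw,noauto,late                  0       0
EOF

audit_fstab "$SAMPLE_FSTAB"
if fstab_hardened "$SAMPLE_FSTAB"; then
    echo "all noauto entries carry noexec and nosuid"
else
    echo "some noauto entries need attention"
fi
```

Run against the sample it prints the backup2 and usb1 lines and reports that attention is needed; options are matched as whole comma-separated words, so an option such as "nosuidx" would not be mistaken for nosuid.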

Print-to-Folder on FreeBSD

Some printers, like the one I have (HP 8600 Pro), have “Print-to-Folder” capability. Unfortunately, I have no Windows server, only a FreeBSD box to print to. I can mount folders from the FreeBSD box on my MacBook, if I can get the scanned files there. So, to do that, I need Samba on my FreeBSD box. To install SMB on FreeBSD:

    pkg install samba36

Then, I need a smb.conf in /usr/local/etc that exports a folder, like this:

    [global]
    workgroup = khubla.local
    server string = Samba Server
    security = user
    hosts allow = 192.168.77.
    max log size = 50
    passdb backend = smbpasswd
    domain master = yes
    ; wins support = yes

    [public]
    comment = Public
    path = /tank/home/public/public/
    public = yes
    writable = yes
    printable = no

So, this will expose an SMB share at smb://bernice/public. Next I need a user account. Firstly, a FreeBSD account:

    pw useradd -n hpprinter -s /bin/csh -m
    passwd hpprinter

Then the samba account:

    smbpasswd -a hpprinter

Finally, start samba:

    service samba onestart

I can now configure the share in the printer. The UNC path is:

    \\bernice.khubla.local\public

Bare Metal coding on FreeBSD

I recently got interested in the technical details of how ARM operating systems work, so I decided to try my hand at writing a simple one. This blog post is not about the OS itself, but about setting up the development environment. In my case, I’m developing in a terminal session, on FreeBSD 10 on an AMD-64 host, so I’ll need to cross-compile all my code. Luckily, the ports tree includes gcc-arm-embedded, a port of the Launchpad ARM cross tools. It’s easy to install:

    pkg install gcc-arm-embedded

This package includes all the tools which are needed:

    -rwxr-xr-x 1 root wheel  711488 Oct 3 11:17 arm-none-eabi-addr2line
    -rwxr-xr-x 2 root wheel  740040 Oct 3 11:17 arm-none-eabi-ar
    -rwxr-xr-x 2 root wheel 1298680 Oct 3 11:17 arm-none-eabi-as
    -rwxr-xr-x 2 root wheel  620816 Oct 3 11:17 arm-none-eabi-c++
    -rwxr-xr-x 1 root wheel  710528 Oct 3 11:17 arm-none-eabi-c++filt
    -rwxr-xr-x 1 root wheel  620608 Oct 3 11:17 arm-none-eabi-cpp
    -rwxr-xr-x 1 root wheel   29416 Oct 3 11:17 arm-none-eabi-elfedit
    -rwxr-xr-x 2 root wheel  620816 Oct 3 11:17 arm-none-eabi-g++
    -rwxr-xr-x 2 root wheel  620608 Oct 3 11:17 arm-none-eabi-gcc
    -rwxr-xr-x 2 root wheel  620608 Oct 3 11:17 arm-none-eabi-gcc-4.8.4
    -rwxr-xr-x 1 root wheel   24480 Oct 3 11:17 arm-none-eabi-gcc-ar
    -rwxr-xr-x 1 root wheel   24448 Oct 3 11:17 arm-none-eabi-gcc-nm
    -rwxr-xr-x 1 root wheel   24448 Oct 3 11:17 arm-none-eabi-gcc-ranlib
    -rwxr-xr-x 1 root wheel  271072 Oct 3 11:17 arm-none-eabi-gcov
    -rwxr-xr-x 1 root wheel 3992568 Oct 3 11:17 arm-none-eabi-gdb
    -rwxr-xr-x 1 root wheel  776672 Oct 3 11:17 arm-none-eabi-gprof
    -rwxr-xr-x 4 root wheel 1025912 Oct 3 11:17 arm-none-eabi-ld
    -rwxr-xr-x 4 root wheel 1025912 Oct 3 11:17 arm-none-eabi-ld.bfd
    -rwxr-xr-x 2 root wheel  722928 Oct 3 11:17 arm-none-eabi-nm
    -rwxr-xr-x 2 root wheel  906848 Oct 3 11:17 arm-none-eabi-objcopy
    -rwxr-xr-x 2 root wheel 1123424 Oct 3 11:17 arm-none-eabi-objdump
    -rwxr-xr-x 2 root wheel  740056 Oct 3 11:17 arm-none-eabi-ranlib
    -rwxr-xr-x 1 root wheel  365208 Oct 3 11:17 arm-none-eabi-readelf
    -rwxr-xr-x 1 root wheel  712976 Oct 3 11:17 arm-none-eabi-size
    -rwxr-xr-x 1 root wheel  712080 Oct 3 11:17 arm-none-eabi-strings
    -rwxr-xr-x 2 root wheel  906864 Oct 3 11:17 arm-none-eabi-strip

Additionally, an ARM simulator such as QEMU will be needed. FreeBSD also includes a port of that:

    pkg install qemu-devel

I can easily use BSD Make, however I prefer GNU Make, so I’ve installed that too:

    pkg install gmake

With these tools installed, I have enough to cross-compile ARM assembler and C code, link it, and run it in QEMU and debug with GDB.
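To show the whole assemble, compile, link, run and debug cycle the post ends on, here is an added example, not from the original post: a shell script that writes a minimal bare-metal ARM program (an assembler entry stub, a C routine that writes to the UART, and a linker script), builds it with the arm-none-eabi tools above, and shows how to run it in QEMU. The board choice and addresses are my assumptions, not the post’s: QEMU’s versatilepb machine with an ARM926EJ-S CPU, whose PL011 UART0 data register sits at 0x101f1000 and whose -kernel option loads the ELF image at 0x10000; qemu-system-arm is assumed to come from the qemu-devel port. The script builds only when the cross tools are installed, and otherwise just writes the sources.

```shell
#!/bin/sh
# Added example (not from the original post): minimal bare-metal ARM build for QEMU versatilepb.
# Usage: sh bare-metal.sh [build|run|debug]   (sources and binaries go under $WORK)
set -e

# write_sources <dir>: create start.S, main.c and link.ld in <dir>.
write_sources() {
    dir=$1
    mkdir -p "$dir"
    # Entry stub: point sp at the stack reserved by the linker script, then call C.
    cat > "$dir/start.S" <<'EOF'
.global _start
_start:
    ldr sp, =stack_top
    bl  c_entry
    b   .
EOF
    # Write each byte to the PL011 UART0 data register (assumed address for versatilepb);
    # QEMU prints whatever lands there on the terminal when run with -nographic.
    cat > "$dir/main.c" <<'EOF'
volatile unsigned int * const UART0DR = (unsigned int *)0x101f1000;

static void uart_puts(const char *s)
{
    while (*s)
        *UART0DR = (unsigned int)(*s++);
}

void c_entry(void)
{
    uart_puts("hello from bare metal\n");
}
EOF
    # Linker script: place the image at the assumed -kernel load address and reserve 4 KiB of stack.
    cat > "$dir/link.ld" <<'EOF'
ENTRY(_start)
SECTIONS
{
    . = 0x10000;
    .text   : { *(.text*) }
    .rodata : { *(.rodata*) }
    .data   : { *(.data*) }
    .bss    : { *(.bss*) }
    . = ALIGN(8);
    . = . + 0x1000;
    stack_top = .;
}
EOF
}

# build <dir>: assemble, compile freestanding, and link with the custom script.
build() {
    dir=$1
    arm-none-eabi-as  -mcpu=arm926ej-s -g "$dir/start.S" -o "$dir/start.o"
    arm-none-eabi-gcc -mcpu=arm926ej-s -g -ffreestanding -c "$dir/main.c" -o "$dir/main.o"
    arm-none-eabi-ld  -T "$dir/link.ld" "$dir/start.o" "$dir/main.o" -o "$dir/kernel.elf"
}

# run <dir> [debug]: boot the image in QEMU; with "debug", halt at reset and wait for
# arm-none-eabi-gdb (target remote :1234). Ctrl-A then x exits QEMU.
run() {
    dir=$1
    if [ "$2" = "debug" ]; then
        qemu-system-arm -M versatilepb -m 128M -nographic -kernel "$dir/kernel.elf" -s -S
    else
        qemu-system-arm -M versatilepb -m 128M -nographic -kernel "$dir/kernel.elf"
    fi
}

# toolchain_present: true when both the cross compiler and the emulator are installed.
toolchain_present() {
    command -v arm-none-eabi-gcc >/dev/null 2>&1 && command -v qemu-system-arm >/dev/null 2>&1
}

WORK=${WORK:-./bare-metal-hello}
case "${1:-build}" in
    build)
        write_sources "$WORK"
        if toolchain_present; then
            build "$WORK"
            echo "built $WORK/kernel.elf; run it with: sh $0 run"
        else
            echo "sources written to $WORK; install gcc-arm-embedded and qemu-devel to build them"
        fi
        ;;
    run)   run "$WORK" ;;
    debug) run "$WORK" debug ;;
esac
```

For debugging, start the script with the debug argument in one terminal and in another run arm-none-eabi-gdb on kernel.elf, connect with target remote :1234, set a breakpoint on c_entry and continue; the -g flags above keep the source lines available.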