<h1>Allowing Third Party Transceivers</h1>
<p><em>2021-07-15</em></p>
<p>Here is how you enable the use of third-party or unsupported
transceivers such as SFP / SFP+ fiber optics on, e.g., Juniper JunOS and Cisco
IOS.</p>
<p>Juniper:</p>
<div class="highlight"><pre><span></span><code>set chassis allow-other-transceivers
</code></pre></div>
<p>Cisco:</p>
<div class="highlight"><pre><span></span><code>service unsupported-transceiver
</code></pre></div>
<p>HP/Aruba:</p>
<div class="highlight"><pre><span></span><code>allow-unsupported-transceiver
</code></pre></div>
<p>Dell:</p>
<div class="highlight"><pre><span></span><code>allow unsupported-transceiver
</code></pre></div>
<p>Arista:</p>
<div class="highlight"><pre><span></span><code>Arista Networks EOS shell
[admin@localhost ~]$ touch /mnt/flash/enable3px
[admin@localhost ~]$ sudo reboot
</code></pre></div>
<p>This is something seasoned network engineers know about, but there's no
reason why this should be kept secret.</p>
<p>I will add more when I learn of them.</p>
<p><em>Last Updated 2024-01-04</em></p>
<h1>iPhone 11 Pro Has Broken Exif Orientation Data</h1>
<p><em>2019-10-11</em></p>
<p>I have the new iPhone 11 Pro. It's a great camera. Turns out all of the
photos I've taken so far have had incorrect EXIF Orientation data. This
really sucks. I've confirmed the same issue happens on my wife's phone.</p>
<p>It's shocking that this has not been noticed by Apple before the phone
was released to the public. Have any photographers actually examined the
images they shot on this phone?</p>
<p>Here's an example image (in JPEG format, for non-Apple folks, and because Safari won't even load HEIF images):</p>
<p><img alt="Photo" src="/posts/2019/10/iphone-11-pro-has-broken-exif-orientation-data/IMG_0543.jpeg"></p>
<p>Here's the data dumped by <strong>exiftool</strong>:</p>
<div class="highlight"><pre><span></span><code>ExifTool Version Number : 11.69
File Name : IMG_0543.heic
Directory : .
File Size : 1728 kB
File Modification Date/Time : 2019:10:09 13:15:19-05:00
File Access Date/Time : 2019:10:11 13:36:55-05:00
File Inode Change Date/Time : 2019:10:11 13:36:03-05:00
File Permissions : rw-------
File Type : HEIC
File Type Extension : heic
MIME Type : image/heic
Major Brand : High Efficiency Image Format HEVC still image (.HEIC)
Minor Version : 0.0.0
Compatible Brands : mif1, miaf, MiHB, heic
Handler Type : Picture
Primary Item Reference : 49
Exif Byte Order : Big-endian (Motorola, MM)
Make : Apple
Camera Model Name : iPhone 11 Pro
Orientation : Rotate 90 CW 👈👈🚨🚨🚨🚨🚨
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : 13.1.2
Modify Date : 2019:10:02 19:19:06
Y Cb Cr Positioning : Centered
Exposure Time : 1/15
F Number : 1.8
Exposure Program : Program AE
ISO : 1600
Exif Version : 0231
Date/Time Original : 2019:10:02 19:19:06
Create Date : 2019:10:02 19:19:06
Offset Time : -05:00
Offset Time Original : -05:00
Offset Time Digitized : -05:00
Components Configuration : Y, Cb, Cr, -
Shutter Speed Value : 1/15
Aperture Value : 1.8
Brightness Value : -3.833215521
Exposure Compensation : +0.0156
Metering Mode : Multi-segment
Flash : Off, Did not fire
Focal Length : 4.2 mm
Subject Area : 2002 1505 2213 1324
Run Time Flags : Valid
Run Time Value : 7694890327000
Run Time Scale : 1000000000
Run Time Epoch : 0
Acceleration Vector : 0.09105698762 -0.9248749617 -0.3692156373
Sub Sec Time Original : 313
Sub Sec Time Digitized : 313
Flashpix Version : 0100
Color Space : Uncalibrated
Exif Image Width : 4032
Exif Image Height : 3024
Sensing Method : One-chip color area
Scene Type : Directly photographed
Exposure Mode : Auto
White Balance : Auto
Focal Length In 35mm Format : 26 mm
Scene Capture Type : Standard
Lens Info : 1.539999962-6mm f/1.8-2.4
Lens Make : Apple
Lens Model : iPhone 11 Pro back triple camera 4.25mm f/1.8
Profile CMM Type : Apple Computer Inc.
Profile Version : 4.0.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2017:07:07 13:22:32
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer : Apple Computer Inc.
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Apple Computer Inc.
Profile ID : ca1a9582257f104d389913d5d1ea1582
Profile Description : Display P3
Profile Copyright : Copyright Apple Inc., 2017
Media White Point : 0.95045 1 1.08905
Red Matrix Column : 0.51512 0.2412 -0.00105
Green Matrix Column : 0.29198 0.69225 0.04189
Blue Matrix Column : 0.1571 0.06657 0.78407
Red Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Chromatic Adaptation : 1.04788 0.02292 -0.0502 0.02959 0.99048 -0.01706 -0.00923 0.01508 0.75168
Blue Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
HEVC Configuration Version : 1
General Profile Space : Conforming
General Tier Flag : Main Tier
General Profile IDC : Main Still Picture Profile
Gen Profile Compatibility Flags : Main Still Picture, Main 10, Main
Constraint Indicator Flags : 176 0 0 0 0 0
General Level IDC : 90 (level 3.0)
Min Spatial Segmentation IDC : 0
Parallelism Type : 0
Chroma Format : 4:2:0
Bit Depth Luma : 8
Bit Depth Chroma : 8
Average Frame Rate : 0
Constant Frame Rate : Unknown
Num Temporal Layers : 1
Temporal ID Nested : No
Image Width : 4032
Image Height : 3024
Image Spatial Extent : 4032x3024
Rotation : 270
Image Pixel Depth : 8 8 8
Movie Data Size : 1765488
Movie Data Offset : 4362
Run Time Since Power Up : 2:08:15
Aperture : 1.8
Image Size : 4032x3024
Megapixels : 12.2
Scale Factor To 35 mm Equivalent: 6.1
Shutter Speed : 1/15
Create Date : 2019:10:02 19:19:06.313-05:00
Date/Time Original : 2019:10:02 19:19:06.313-05:00
Modify Date : 2019:10:02 19:19:06-05:00
Circle Of Confusion : 0.005 mm
Field Of View : 69.4 deg
Focal Length : 4.2 mm (35 mm equivalent: 26.0 mm)
Hyperfocal Distance : 2.04 m
Light Value : 1.6
</code></pre></div>
<p><em>Note, I have Location data turned off for my camera, so no GPS related stuff in here.</em></p>
<p>And here's what ViewExif on iOS shows, which agrees:</p>
<p><img alt="Photo" src="/posts/2019/10/iphone-11-pro-has-broken-exif-orientation-data/viewexif.jpg"></p>
<p>Can someone please beg Apple to fix this? Completely unacceptable for this to
slip into production.</p>
<h1>Percona Toolkit Information Disclosure Vulnerability</h1>
<p><em>2018-08-09</em></p>
<p>Percona includes an information disclosure vulnerability in the form of
a "version check" feature in many of their products. Every time you run
a database backup with <em>xtrabackup</em> or use any of the Percona Toolkit
scripts, the following information is collected and posted to
https://v.percona.com:</p>
<ul>
<li>OS Platform and Version</li>
<li>Perl version and version of modules</li>
<li>MySQL database version</li>
<li>Hostname of your server, obfuscated with md5_hex()</li>
<li>Presumably your IP address, visible in the logs</li>
</ul>
<p>You can find where it was added to xtrabackup with
<a href="https://github.com/percona/percona-xtrabackup/commit/615a44a86009449a0b8acd77e59b7b5b20dab4ab">this</a> commit.
This same code is duplicated throughout the Percona Toolkit scripts.</p>
<p><strong>CVE-2014-2029</strong> was the first CVE for this functionality: an
attacker able to MITM the connection could achieve command execution
through injection. Later, <strong>CVE-2015-1027</strong> was assigned because
the fix, adding HTTPS, was susceptible to a downgrade attack. By that
time the "feature" that could allow command execution had already been
removed, but the information leakage was still present.</p>
<p><em>Nobody seemed to care that Percona was collecting this data, however.</em></p>
<p>I've contacted the Percona security team and requested that this feature
be removed in its entirety. I'm already working on patches to rip it out
of the ports/packages on FreeBSD, but you are vulnerable on other
platforms. The only available workaround is to ensure that you pass
<strong>--no-version-check</strong> to these utilities to disable this functionality,
but most people will not see this blog post or be aware of the data
collection taking place.</p>
<p>Originally the intention of this functionality was to inform the user of
available software updates and discover if there are known
vulnerabilities in your MySQL software, but that doesn't explain why
this information is POSTed to their server. It's simply unacceptable.</p>
<h1>vBulletin cannot login without "Remember Me"</h1>
<p><em>2018-07-25</em></p>
<p>If you happen to run a vBulletin forum and hit an issue where you cannot
log in to the site without first selecting the "Remember Me" checkbox,
would you happen to be on CloudFlare or be using a reverse proxy? Make
sure, for CloudFlare, that your list of their upstream proxy IPs is up to
date, or REMOTE_ADDR might not be getting set to the real client IP
correctly.</p>
<p>You can find the latest list of CloudFlare proxy IPs here:</p>
<p><a href="https://www.cloudflare.com/ips-v4">https://www.cloudflare.com/ips-v4</a></p>
<p><a href="https://www.cloudflare.com/ips-v6">https://www.cloudflare.com/ips-v6</a></p>
<p>Do not trust the sample configs found on the CloudFlare site. They are
almost always out of date.</p>
<h1>Git Is Not Revision Control</h1>
<p><em>2018-01-21</em></p>
<p>Git has always rubbed me the wrong way. The ability to rewrite history
and not tracking file renames are a few of the reasons it has turned me
sour, not to mention the awful inconsistent UX as brilliantly mocked
in <a href="http://stevelosh.com/blog/2013/04/git-koans/">Git Koans</a>. I'm not
objective enough to come up with a solid case against git as a revision control
system which is why this FreeBSD developer email from <em>phk</em> resonated
with me enough that I flagged it and re-read it many times over the last
year.</p>
<p>There was an internal discussion about the possible merits of switching
to git to increase user contributions. This was his brilliant response,
published with his permission:</p>
<pre>
On Sun, Feb 26, 2017, at 14:59, Poul-Henning Kamp wrote:

It is fundamentally wrong to ask "SVN or Git ?"

SVN is obviously a Version Control System, it has all the classic
attributes of one, including such crucial elements as progressing
version number, a definitive timeline and immutability.

Git is clearly not a VCS, and it has never tried to be one, and
people calling it one doesn't change that.

The absence of a progressing version number and lack of a definitive
timeline, not to mention all the many "unnatural acts" you can do
to a git repo are sufficient arguments to settle this point.

No, Git is something else, it is a collaboration tool.

Git is a tool which allows people and projects to manage, modify,
fork and merge the many different views, instances, variations and
modifications of a work in progress across barriers of distrust.

The crucial word there was "many different", which is the exact
opposite of what a VCS strives for.

A lot of the features Git provides, features which are what makes
it great as a collaboration tool, flies in the face of or directly
invalidates the guarantees you normally expect from a VCS, most
notably progression of time &amp; version, immutability and consistency
of view.

But in many cases Git is an adequate substitute for a VCS, you just
have to augment it with an out-of-band definition of which tree is
the 'definitive', and settle who gets to define what 'a version'
means. This is why github exists in the first place.

In FreeBSD we have insisted on "proper version control" from
day one, 23 years ago, and while it is a decision we should
revisit periodically, every time it has come up, it has been
overwhelmingly confirmed as "the way we do things here".

And this thread, which is far from our first on the subject,
fails to converge: One side desires better collaboration tools and
the other side is not willing to give up good old-fashioned version
control to get it, both parties failing to realize that neither SVN
nor Git will ever be able to do both, because the requirements are
fundamentally different and in conflict with each other.

So the task at hand, if there still is one, is to ask how we can
make it easier to use Git as a collaboration tool for our committers
and down-stream users.

Poul-Henning

PS: A good place to start would be to "bless" the github mirror
and make sure the pull requests there get dealt with:
https://github.com/freebsd/freebsd/pulls

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@nospamplz | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
</pre>
<p>I originally intended to cite specific points made in this email but honestly
it's too good to not publish in its entirety. It's impossible to refute
this line of reasoning in my opinion.</p>
<h1>Book Review: Altered Carbon</h1>
<p><em>2017-12-06</em></p>
<h2>Title: Altered Carbon</h2>
<h2>Author: Morgan K. Richard</h2>
<hr>
<p>Takeshi Kovacs is brought to earth in a sleeve he doesn't own. His
reputation precedes him, and he has been offered a reward for solving
the murder of Laurens Bancroft which local authorities ruled a suicide...</p>
<p>This book explores some provocative aspects of a world where
consciousness can be downloaded into a computer for later retrieval:</p>
<ul>
<li>
<p>There seems to be an increase in violence when the human body itself
has no value.</p>
</li>
<li>
<p>Catholics still exist and appear to be the major religion remaining on
Earth, but they don't believe in reincarnation so they do not allow
being revived after death. This makes them easy targets as their crimes
go unsolved.</p>
</li>
<li>
<p>Nobody spends time in prison; instead, people are stored "on the stack"
for long periods of time as a punishment. If they or their families
cannot afford to pay for storage of their bodies, the prison/storage
facility can sell the body to someone else for their use. Waking up 200
years in the future is thought to be punishment enough, as you are
helpless and you don't know anyone anymore; friends and family lost to
the sands of time. For-profit prisons, anyone?</p>
</li>
<li>
<p>Rich people can afford to live forever: they just change bodies when
convenient and can pay for regular backups.</p>
</li>
<li>
<p>You can travel across the world (and the galaxy) by being sent via
"needlecast", which is some sort of network transmission of your
consciousness into a new sleeve.</p>
</li>
<li>
<p>Videoconference meetings are now worse than ever: it's basically VR.</p>
</li>
</ul>
<p>I could go on, but this book is heavy. It was hard to put down and I
cannot wait for the Netflix show. I will definitely be reading the
other books in this series.</p>
<h1>Book Review: Invasive</h1>
<p><em>2017-05-07</em></p>
<h2>Title: Invasive</h2>
<h2>Author: Chuck Wendig</h2>
<hr>
<p><strong>This is a backdated review</strong></p>
<p>Set in the same universe as <em>Zeroes</em>, Invasive explores the possible
consequences of research into genetically altered insects (ants). We are
already doing this with mosquitoes to try to stop the spread of infectious disease,
so this technology is within our grasp. The story keeps you interested
through the end, but there was a level of predictability to some
aspects. The world envisioned by Chuck is far too close to
reality for comfort and I surely hope we don't end up with weaponized
insects in a terror attack or a military conflict. The consequences
would be unimaginable... If the combination of scifi/tech and insects
piques your interest you should definitely pick this up.</p>
<h1>FreeBSD Remote Serial Console Access With Dell and Cisco Servers</h1>
<p><em>2017-05-01</em></p>
<p>I have become allergic to Java. It seems every time I need to access a
server console my system is throwing fits about Java security. I've
spent hours trying to fix a Java issue which was preventing me from
fixing a server I needed console access to. I will show you how to
end this madness.</p>
<h2>FreeBSD</h2>
<p>You should always enable the serial console on your servers. You never
know when you will need it, and it is a prerequisite for this exercise.
On FreeBSD you will want to do the following:</p>
<p><strong>/boot/loader.conf:</strong></p>
<div class="highlight"><pre><span></span><code>boot_multicons="YES"
boot_serial="YES"
comconsole_speed="115200"
console="comconsole,vidconsole"
</code></pre></div>
<p>Enable ttyu0 always by changing <em>onifconsole</em> to <em>on</em> in <strong>/etc/ttys:</strong></p>
<div class="highlight"><pre><span></span><code>ttyu0 "/usr/libexec/getty 3wire" vt100 on secure
</code></pre></div>
<p>On releases before 10.3-RELEASE, 3wire is not available, so you also
change std.9600 to std.115200:</p>
<div class="highlight"><pre><span></span><code>ttyu0 "/usr/libexec/getty std.115200" vt100 on secure
</code></pre></div>
<p>When complete, you will need to make init re-read <strong>/etc/ttys</strong> with <strong>kill -HUP 1</strong>.
You can find more details on this in the <a href="https://www.freebsd.org/doc/handbook/serialconsole-setup.html">FreeBSD handbook</a>.</p>
<h2>Dell DRAC</h2>
<p>On Dell servers you will need to enable the serial console in the BIOS.
If you have multiple serial ports the following configuration should
allow both the physical and virtual serial ports to function as
intended. Here is a screenshot of my BIOS settings:</p>
<p><img alt="Photo" src="/posts/2017/05/freebsd-remote-serial-console-access-with-dell-and-cisco-servers/dell_bios.jpg"></p>
<p>You will also want to enable IPMI. This can be done in the DRAC settings
on boot in the following screenshot, or you can SSH to the DRAC console
and enable it there with the rest of the settings.</p>
<p><img alt="Photo" src="/posts/2017/05/freebsd-remote-serial-console-access-with-dell-and-cisco-servers/dell_drac.jpg"></p>
<p>To finish the setup we SSH to the DRAC console and run the following
commands:</p>
<div class="highlight"><pre><span></span><code># The DRAC shell is usually prefixed with something like /admin1-> but
# I will not print it here so you can easily copy/paste this
racadm config -g cfgSerial -o cfgSerialBaudRate 115200
racadm config -g cfgSerial -o cfgSerialCom2RedirEnable 1
racadm config -g cfgSerial -o cfgSerialSshEnable 1
racadm config -g cfgIpmiSol -o cfgIpmiSolEnable 1
racadm config -g cfgIpmiSol -o cfgIpmiSolBaudRate 115200
racadm config -g cfgIpmiLan -o cfgIpmiLanEnable 1
</code></pre></div>
<p>There are settings to limit DRAC network access (HTTPS, SSH, IPMI)
to a specific subnet, but I strongly suggest you do not place your DRAC
on the internet at all and instead protect it with a real firewall. It is
still reasonable to enable the DRAC's built-in brute-force protection.
The following blocks an IP for 5 minutes (300 seconds) after 5 failed
attempts within a 60-second window:</p>
<div class="highlight"><pre><span></span><code>racadm config -g cfgRacTuning -o cfgRacTuneIpBlkEnable 1
racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailCount 5
racadm config -g cfgRacTuning -o cfgRacTuneIpBlkFailWindow 60
racadm config -g cfgRacTuning -o cfgRacTuneIpBlkPenaltyTime 300
</code></pre></div>
<p>Now you have remote access to your server without Java. You can access
it with one of the following:</p>
<p><strong>ssh:</strong></p>
<div class="highlight"><pre><span></span><code>$ ssh root@1.2.3.4
/admin1-> console com2
</code></pre></div>
<p><strong>ipmi:</strong></p>
<div class="highlight"><pre><span></span><code>$ ipmitool -I lanplus -U root -H 1.2.3.4 sol activate
</code></pre></div>
<p>Both of these will render best if your terminal window is 80x24.</p>
<h2>Cisco CIMC</h2>
<p>Assuming you've already provisioned an IP address for your Cisco CIMC
and it is accessible on the network you can simply ssh into the CIMC and
run the following commands:</p>
<div class="highlight"><pre><span></span><code>cisco-cimc# scope sol
cisco-cimc /sol # set baud-rate 115200
cisco-cimc /sol *# set enabled yes
cisco-cimc /sol *# commit
show
cisco-cimc /sol # show
Enabled Baud Rate(bps)
------- ---------------
yes 115200
cisco-cimc# top
cisco-cimc# scope ipmi
cisco-cimc /ipmi # set enabled yes
cisco-cimc /ipmi *# commit
cisco-cimc /ipmi # show
Enabled Encryption Key Privilege Level Limit
------- ---------------------------------------- ---------------------
yes 0000000000000000000000000000000000000000 admin
db02-ipmi /ipmi #
</code></pre></div>
<p>Or for your copy/paste speedrun:</p>
<div class="highlight"><pre><span></span><code>scope sol
set baud-rate 115200
set enabled yes
commit
top
scope ipmi
set enabled yes
commit
</code></pre></div>
<p>Now you can connect to the serial console by one of the following:</p>
<p><strong>ssh:</strong></p>
<div class="highlight"><pre><span></span><code>$ ssh admin@1.2.3.4
cisco-cimc# connect host
</code></pre></div>
<p><strong>ipmi:</strong></p>
<div class="highlight"><pre><span></span><code>$ ipmitool -I lanplus -U admin -H 1.2.3.4 sol activate
</code></pre></div>
<p>The Cisco CIMC also allows you to mount remote media from a fileshare or
HTTP/HTTPS URL, which is fantastic for troubleshooting. :-)</p>
<h1>Using FreeBSD as a Time Capsule for OSX</h1>
<p><em>2016-12-19</em></p>
<p>I've had both a coworker and a FreeBSD developer ask me recently how to
use FreeBSD as a Time Capsule for Time Machine from OSX. There are a lot
of tutorials out there and most of them are non-functional. This is
possibly the simplest guide that is known to be working. It uses local unix
account authentication for the shares over AFP, and of course it's backed
by ZFS.</p>
<div class="highlight"><pre><span></span><code>pkg install netatalk3 avahi-app
</code></pre></div>
<p><strong>/usr/local/etc/afp.conf</strong>:</p>
<div class="highlight"><pre><span></span><code>[Global]
vol preset = default_for_all_vol
log file = /var/log/netatalk.log
hosts allow = 172.16.1.0/24 2001:470:1f11:1e8::/64
mimic model = TimeCapsule6,116
[default_for_all_vol]
#file perm = 0640
#directory perm = 0750
cnid scheme = dbd
#ea = none|auto|sys
ea = ad
[backup-mark]
path = /local/timecapsule/mark
valid users = feld
time machine = yes
</code></pre></div>
<p><strong>/usr/local/etc/avahi/services/afp.service</strong>:</p>
<div class="highlight"><pre><span></span><code><?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
</service-group>
</code></pre></div>
<p><strong>/etc/rc.conf</strong>:</p>
<div class="highlight"><pre><span></span><code># time machine
dbus_enable="YES"
netatalk_enable="YES"
afpd_enable="YES"
cnid_metad_enable="YES"
avahi_daemon_enable="YES"
</code></pre></div>
<p>I'm aware Apple is moving away from AFP to SMB, but I haven't
investigated what it would take to make this work with Samba instead of
Netatalk.</p>
<h1>Generating DDNS TSIG Keys for BIND</h1>
<p><em>2016-12-15</em></p>
<p>The tutorials on how to generate TSIG keys for BIND DDNS updates suck. It
would also be tedious if tasked to generate several. I'm not sure why ISC has
not produced a standalone script or utility to make this easier as
nobody should have to piece it together by hand.</p>
<p>I was attempting to explain to a coworker how to generate his key and
when I couldn't find an easier way I decided to just write something
myself. So here you go, a terrible perl script to produce HMAC-SHA256
TSIG keys. Go hog wild.</p>
<div class="highlight"><pre><span></span><code>#!/usr/local/bin/perl -w
# This script is overkill, but at least it's easier than
# explaining to people how to use ddns-keygen
use warnings;
use strict;
use Digest::SHA qw(hmac_sha256_base64);
use Bytes::Random::Secure qw(random_bytes);

# As these are one-offs and we don't need a reusable secret key, we make
# both the key and the data random. 512 bytes of entropy ought to be
# enough for everybody...
my $data   = random_bytes(512);
my $key    = random_bytes(512);
my $digest = hmac_sha256_base64( $data, $key );

# Fix padding of Base64 digests
while ( length($digest) % 4 ) {
    $digest .= '=';
}

print qq[
key "changeme" {
    algorithm hmac-sha256;
    secret "$digest";
};
];
</code></pre></div>
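<p>As an added example (not the post's script), here is a POSIX sh equivalent that takes the key name and algorithm as arguments, which is the configurability the post's closing paragraph suggests. It draws the secret straight from /dev/urandom, sized to the HMAC's output length, and refuses key names that would not be valid in a BIND key clause. The function names <code>tsig_key</code>, <code>valid_key_name</code> and <code>secret_bytes_for</code> are my own; nothing here is from ISC or the original post.</p>

```shell
#!/bin/sh
# Added example, not the post's own script: generate a BIND TSIG key {}
# clause for DDNS updates from the shell, with the key name and HMAC
# algorithm supplied as arguments instead of hard-coded.

# BIND key names are DNS names, so restrict the characters to letters,
# digits, '-', '_' and '.' to keep the generated clause well-formed
# (a name containing '"' or ';' would corrupt the config file).
valid_key_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Secret length in bytes per algorithm: a TSIG secret only needs to be
# as long as the HMAC's output (32 bytes for SHA-256, 64 for SHA-512).
secret_bytes_for() {
    case "$1" in
        hmac-sha256) echo 32 ;;
        hmac-sha512) echo 64 ;;
        *) return 1 ;;
    esac
}

# tsig_key <name> [algorithm]   (algorithm defaults to hmac-sha256)
# Prints the key clause on stdout, ready to paste into named.conf.
tsig_key() {
    name=$1
    algo=${2:-hmac-sha256}
    valid_key_name "$name" || { echo "bad key name: $name" >&2; return 1; }
    nbytes=$(secret_bytes_for "$algo") \
        || { echo "unsupported algorithm: $algo" >&2; return 1; }
    # Base64 of nbytes of kernel randomness; tr strips any line wrapping.
    secret=$(head -c "$nbytes" /dev/urandom | base64 | tr -d '\n')
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
        "$name" "$algo" "$secret"
}

# Stand-alone usage: ./tsig_key.sh <name> [algorithm]
tsig_key "${1:-changeme}" "${2:-hmac-sha256}"
```

<p>Running it as <code>./tsig_key.sh ddns-host1 hmac-sha256</code> prints a clause whose secret decodes to exactly 32 bytes; the same name and secret must then be configured on the client (nsupdate or the DHCP server) and referenced from an <code>allow-update</code> or <code>update-policy</code> statement for the zone.</p>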
<p>With slightly more effort you could make the TSIG key format
configurable and let you provide a key name via flags.</p>
<h1>Speeding up MySQL Import on FreeBSD</h1>
<p><em>2016-09-28</em></p>
<p>I was recently tasked with rebuilding a readonly slave database server
which only slaves a couple of the available databases. The backup/dump
is straightforward and fast, but the restore was being excruciatingly
slow. I didn't want to wait a week for this thing to finish, so I had to
compile a list of optimizations that would speed up the process. This is
the best way to do it on FreeBSD, assuming you're working with InnoDB.
Additional optimizations may be required if you're using a different
database engine.</p>
<p>Please note this is assuming no other databases are running on this
MySQL instance. Some of these are rather dangerous and you wouldn't want
to put other live data at risk.</p>
<p><strong>my.cnf</strong>:</p>
<div class="highlight"><pre><span></span><code>innodb_buffer_pool_size = 38G # roughly 70-80% of your available memory
innodb_flush_method = O_DIRECT
sync_binlog = 0 # Don't keep this permanently
innodb_flush_log_at_trx_commit = 0 # Don't keep this permanently
innodb_log_file_size = 1G
innodb_log_buffer_size = 256M
innodb_write_io_threads = 16
</code></pre></div>
<p><strong>/etc/rc.conf</strong>:</p>
<div class="highlight"><pre><span></span><code># Only use this during imports
mysql_args="--innodb-doublewrite=0"
</code></pre></div>
<p>The actual import command in use:</p>
<div class="highlight"><pre><span></span><code># cat dump.sql.gz | { echo "set sql_log_bin=0; set autocommit=0; set
unique_checks=0; set foreign_key_checks=0;"; zcat; } | mysql -u root -p
</code></pre></div>
<p>And now I've gone from tens of MBs imported per minute to
several GBs imported per minute.</p>
<h1>Monitoring FreeBSD Base System Vulnerabilities with pkg audit</h1>
<p><em>2016-08-12</em></p>
<p>The FreeBSD base system has been difficult to monitor for published
vulnerabilities for a long time. This will improve when we
achieve a packaged base system, but that leaves users of currently
supported <em>-RELEASE</em> systems without a standardized option.</p>
<p>The <strong>freebsd-version(1)</strong> utility has existed since FreeBSD 10.0. This
script is capable of correctly identifying the version of the FreeBSD
kernel and the FreeBSD base system. It is an important step forward in
helping users be confident in identifying the FreeBSD system's patch
level.</p>
<p>I do not like reinventing the wheel, and it occurred to me that for a
long time the FreeBSD SA announcements were properly documented in
vuxml. This provided an opportunity and scratched an itch I had at work,
so here goes nothing:</p>
<p>I am presenting here a useful albeit unsupported method of monitoring
FreeBSD for base system vulnerabilities via <strong>pkg(8)</strong> utilizing entries
in the vuxml database.</p>
<p>The <strong>pkg(8)</strong> utility as you probably know can check your system for known
vulnerable packages. It does this with the <em>pkg audit</em> command.
Additionally you can pass any package name and version string as an
argument and it will check the database for results. It is possible to
check your system against the vuxml database by converting the
<strong>freebsd-version(1)</strong> output to the correct string and passing it to <em>pkg
audit</em>.</p>
<p>Example of checking the base system (note, this is <em>/bin/sh</em> syntax):</p>
<div class="highlight"><pre><span></span><code>$ freebsd-version -u
10.3-RELEASE-p2
$ pkg audit $(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Multiple vulnerabilities of ntp
CVE: CVE-2016-4957
CVE: CVE-2016-4956
CVE: CVE-2016-4955
CVE: CVE-2016-4954
CVE: CVE-2016-4953
WWW:
https://vuxml.FreeBSD.org/freebsd/7cfcea05-600a-11e6-a6c3-14dae9d210b8.html
FreeBSD-10.3_2 is vulnerable:
libarchive -- multiple vulnerabilities
CVE: CVE-2015-2304
CVE: CVE-2013-0211
WWW:
https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html
FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Heap vulnerability in bspatch
CVE: CVE-2014-9862
WWW:
https://vuxml.FreeBSD.org/freebsd/7d4f4955-600a-11e6-a6c3-14dae9d210b8.html
</code></pre></div>
<p>Now we have results for the base system! Let's check the kernel:</p>
<div class="highlight"><pre><span></span><code>$ pkg audit $(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Buffer overflow in keyboard driver
CVE: CVE-2016-1886
WWW:
https://vuxml.FreeBSD.org/freebsd/7bbc0e8c-600a-11e6-a6c3-14dae9d210b8.html
FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer
WWW:
https://vuxml.FreeBSD.org/freebsd/7cad4795-600a-11e6-a6c3-14dae9d210b8.html
FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in Linux compatibility layer
WWW:
https://vuxml.FreeBSD.org/freebsd/7c5d64dd-600a-11e6-a6c3-14dae9d210b8.html
FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Incorrect argument handling in sendmsg(2)
CVE: CVE-2016-1887
WWW:
https://vuxml.FreeBSD.org/freebsd/7c0bac69-600a-11e6-a6c3-14dae9d210b8.html
</code></pre></div>
<p>The results speak for themselves.</p>
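<p>For unattended use, the conversion and both checks can be wrapped in a small <em>/bin/sh</em> script. The script below is an added example, not part of the original post, and its function names are my own. It refuses <em>-STABLE</em> and <em>-CURRENT</em> strings, which the FreeBSD-&lt;version&gt;_&lt;patch&gt; naming used by the vuxml entries cannot express, and passes pkg audit's exit status through (non-zero when something is reported vulnerable) so cron or a monitoring check can act on it:</p>

```sh
#!/bin/sh
# Base-system audit via vuxml: added example, not from the post.

# vuxml_name PREFIX VERSION
#   Turn freebsd-version(1) output into the name/version string the FreeBSD-*
#   entries in the vuxml database use (the same sed rewrite as in the post):
#     vuxml_name FreeBSD-        10.3-RELEASE-p2  ->  FreeBSD-10.3_2
#     vuxml_name FreeBSD-kernel- 10.3-RELEASE     ->  FreeBSD-kernel-10.3
vuxml_name() {
    printf '%s\n' "$2" | sed 's,^,'"$1"',;s,-RELEASE-p,_,;s,-RELEASE$,,'
}

# is_release VERSION
#   vuxml only carries FreeBSD-* entries for -RELEASE branches; a -STABLE or
#   -CURRENT string would produce a name that matches nothing, silently.
is_release() {
    case $1 in
        *-RELEASE|*-RELEASE-p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_base PREFIX VERSION
#   Run pkg audit for one component (userland or kernel).  Exit status 2 means
#   the version could not be checked; otherwise it is pkg's own status.
audit_base() {
    if ! is_release "$2"; then
        echo "skipping $2: not a -RELEASE version, no vuxml entry can match" >&2
        return 2
    fi
    pkg audit "$(vuxml_name "$1" "$2")"
}

# The real checks only make sense on a FreeBSD host with freebsd-version(1);
# elsewhere the file just defines the functions.
if [ "$(uname -s)" = FreeBSD ] && command -v freebsd-version >/dev/null 2>&1; then
    status=0
    audit_base FreeBSD-        "$(freebsd-version -u)" || status=1
    audit_base FreeBSD-kernel- "$(freebsd-version -k)" || status=1
    exit "$status"
fi
```

<p>Run it from periodic or cron and alert on a non-zero exit; the <em>-u</em> and <em>-k</em> results are reported separately, exactly as in the manual invocations above.</p>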
<p>I have recently finished adding all missing entries to the vuxml
database that affect -RELEASE systems since 2013. This covers the tail
end of 8.x, much of 9.x, and bleeds into the 10.x RELEASE lifetime.
Systems older are End of Life and never supported the FreeBSD <strong>pkg(8)</strong>
utility anyway, so I have not put in the effort to search out those
missing entries. This method is useful on FreeBSD systems that do not
have the <strong>freebsd-version(1)</strong> utility, but you will not have a reliable
method to get the version of the FreeBSD base system. You can pull the
kernel version from <strong>uname(1)</strong>, but you will have to devise your own
method of keeping track of the base system version. Beware of the
leopard, etc.</p>
<p>I hope you find this a valuable method for discovering vulnerabilities
affecting your servers and that it helps you assess risk and plan patch
management. Please remember this is not endorsed by secteam and is
liable to be full of errors or out of date. I suggest using this
as a complement to your other monitoring practices. Moving forward I hope
to better coordinate with secteam to ensure we have new FreeBSD SAs
entered in the vuxml database in a timely manner.</p>
<p>This post originally appeared on the <a href="https://lists.freebsd.org/pipermail/freebsd-questions/2016-August/273034.html"><em>freebsd-questions</em></a>
mailing list and has been lightly edited.</p>
<h2>Java KVM Troubles on OSX</h2>
<p><em>feld, 2016-06-30, /posts/2016/06/java-kvm-troubles-on-osx/</em></p>
<p>I was having troubles on OSX getting access to the KVM at work which is
a Dell KVM 4322DS. The connection errors from Java about security
settings were not resolved by whitelisting the site in the Java console.
Turns out newer Java disables some SSL/TLS algorithms and settings that
break the connectivity (rightfully so). Unfortunately not even a fully
patched KVM fixes this, and people still need to access KVMs, so a
workaround is needed.</p>
<p>After some Googling I came across some information that you need to edit
the <strong>java.security</strong> file and change <strong>jdk.tls.algorithms.disabled</strong>. On
OSX this file is at:</p>
<div class="highlight"><pre><span></span><code>/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
</code></pre></div>
<p>The setting originally looks like this:</p>
<div class="highlight"><pre><span></span><code>jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
</code></pre></div>
<p>I had to remove the "DH keySize < 768" to make this KVM work, but YMMV.</p>
<h2>Book Review: Zeroes</h2>
<p><em>feld, 2016-02-28, /posts/2016/02/book-review-zeroes/</em></p>
<h2>Title: Zeroes</h2>
<h2>Author: Chuck Wendig</h2>
<hr>
<p><strong>This is a backdated review</strong></p>
<p>A young, spunky group of kids land themselves in hot water with a
government agency and are tasked to work^HHHhack for The Man. Weaponized
artificial intelligence? Yes please. This was a fun read all the way
through the end.</p>
<h2>Fixing Time Machine / Netatalk (error (null))</h2>
<p><em>feld, 2016-02-19, /posts/2016/02/fixing-time-machine-netatalk-error-null/</em></p>
<p>Recently I was setting up a new Time Machine backup on my wife's MacBook
so it would use my FreeBSD/ZFS server. My own personal MacBook was
already backing up to it successfully and has been for quite some time.
When I attempted to start a new backup to the server I received
a strange error after a few minutes:</p>
<div class="highlight"><pre><span></span><code>The backup disk image "/Volumes/backup/Michelle's MacBook.sparsebundle" could not be accessed (error (null)).
</code></pre></div>
<p>After digging through the OSX system logs I also found these entries:</p>
<div class="highlight"><pre><span></span><code>Feb 12 07:29:54 Michelles-Macbook com.apple.backupd[12798]: Attempting to soft mount network destination URL: afp://shell@skeletor._afpovertcp._tcp.local/backup
Feb 12 07:29:55 Michelles-Macbook com.apple.backupd[12798]: Mounted network destination at mount point: /Volumes/backup using URL: afp://shell@skeletor._afpovertcp._tc
p.local/backup
Feb 12 07:29:57 Michelles-Macbook com.apple.backupd[12798]: Network destination already mounted at: /Volumes/backup
Feb 12 07:30:25 Michelles-Macbook com.apple.backupd[12798]: Creating disk image /Volumes/backup/Michelle's Macbook.sparsebundle
Feb 12 07:30:44 Michelles-Macbook com.apple.backupd[12798]: error processing extended attributes: Input/output error
Feb 12 07:30:44 Michelles-Macbook com.apple.backupd[12798]: Error moving disk image from /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/com.apple.backupd.syLaqH/Michelle's Macbook.tmp.sparsebundle to /Volume
s/backup/Michelle's Macbook.sparsebundle - Error Domain=NSCocoaErrorDomain Code=512 "“Michelle's Macbook.tmp” couldn’t be moved to “backup”." UserInfo={NSDestinationFilePath=/Volumes/backup/Michelle's Macbook.
tmp, NSUserStringVariant=Move, NSFilePath=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/com.apple.backupd.syLaqH/Michelle's Macbook.tmp.sparsebundle, NSUnderlyingError=0x7fc1a9529660 {Error Domain=NSCocoaEr
rorDomain Code=512 "“0” couldn’t be copied to “bands”." UserInfo={NSSourceFilePathErrorKey=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/com.apple.backupd.syLaqH/Michelle's Macbook.tmp.sparsebundle/bands/0,
NSUserStringVariant=(
), NSDestinationFilePath=/Volumes/backup/Michelle's Macbook.tmp/bands/0, NSFilePath=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/com.apple.backupd.syLaqH/Michelle's Macbook.tmp.sparsebundle/bands/0
, NSUnderlyingError=0x7fc1a954d2e0 {Error Domain=NSPOSIXErrorDomain Code=5 "Input/output error"}}}}
Feb 12 07:30:44 Michelles-Macbook com.apple.backupd[12798]: Failed to create disk image /Volumes/backup/Michelle's Macbook.sparsebundle, status: 512
Feb 12 07:30:44 Michelles-Macbook com.apple.backupd[12798]: Network destination already mounted at: /Volumes/backup
Feb 12 07:30:44 Michelles-Macbook com.apple.backupd[12798]: Backup failed with error 20: 20
Feb 12 07:30:45 Michelles-Macbook com.apple.backupd[12798]: statfs call failed, error: 2 No such file or directory
Feb 12 07:30:45 Michelles-Macbook com.apple.backupd[12798]: Ejected Time Machine network volume.
</code></pre></div>
<p>I managed to recreate the issue by going into <strong>/var/folders/zz</strong> on the MacBook and finding a file with extended attributes. When attempting to <em>cp</em> it to <strong>/Volumes/backup</strong>, the location where the Time Machine backups are supposed to go, it produced an error which was easy and quick to reproduce. I investigated the netatalk documentation and found that the <strong>ea</strong> setting was <strong>auto</strong> by default. This was not sufficient. The fix was to edit the <strong>afp.conf</strong> and add the following:</p>
<div class="highlight"><pre><span></span><code>[default_for_all_vol]
ea = ad
</code></pre></div>
<p>After restarting the netatalk services I was able to successfully <em>cp</em> the file manually from the MacBook to my server, which was the first indication that this problem was solved. The next attempt at a Time Machine backup was successful. Mystery solved.</p>
<h2>Mono's DNS is broken</h2>
<p><em>feld, 2015-12-18, /posts/2015/12/monos-dns-is-broken/</em></p>
<p>I recently started playing around with <a href="https://sonarr.tv">Sonarr</a> by
porting it to FreeBSD. It's a pretty well designed app -- I'm not aware
of an alternative with such a well thought-out interface and deep
integration into the other programs it communicates with. I've never run
a program via mono before, so I was pleasantly surprised it seemed to be
"just working".</p>
<p>However, I was checking out their forums when I stumbled upon <a href="https://forums.sonarr.tv/t/sonarr-is-moving-to-a-new-server/8202">this
post</a>
indicating a mono bug regarding DNS:</p>
<div class="highlight"><pre><span></span><code>How does this affect me?
This depends on which platform your running Sonarr on, for Windows users
this should be pretty seamless, the DNS records will be updated and
Sonarr will start using the new server automatically, for non-windows
users Sonarr will still point to the old server until sonarr is
restarted (this is due to a mono bug that caches dns records for the
life of the app).
</code></pre></div>
<p>Wow, that seemed weird. Sure enough, after some research I found that
mono is stupid enough to have a <a href="http://opensimulator.org/mantis/view.php?id=7566">functional DNS implementation</a>
that is not used by the ServicePointManager, the class that manages web
requests. Instead, this moronic code caches DNS results <em>forever</em>. Boy,
that sure makes the concept of cross-platform .NET/mono software that
interacts with the internet a waste of time.</p>
<p>Last I checked when I talked to the Sonarr developers they are about a
month in on this IP change and there are still many thousands of Sonarr
installations trying to communicate with their old server they're trying
to retire. Ridiculous.</p>
<p>I've actually found there's a patch in the mono codebase that fixes this
problem, but it was never merged to the 4.2 branch; instead, it is
rotting in master waiting for the next big cut which could be... well,
who knows how long? <em>sigh</em></p>
<p>If you want to help me badger them into fixing this problem, go leave
some comments <a href="https://github.com/mono/mono/commit/932359f3d627da13408350b1172ceb63c30f6327">here</a>.</p>
<p>How any software can exist this long without having a properly
functional DNS implementation for when you actually interact with the
internet is quite an achievement. But fear not, Java did this too through
JDK 1.5!</p>
<p>Let's hope that Microsoft's open source .NET implementation is
successful. At least that way you'll (hopefully) get an identical
experience across platforms.</p>
<h2>Routing a FreeBSD Jail through OpenVPN</h2>
<p><em>feld, 2015-06-30, /posts/2015/06/routing-a-freebsd-jail-through-openvpn/</em></p>
<p>I decided I wanted to concoct a solution where I could force all
applications in a jail or jails through a VPN connection without
affecting the internet connectivity of other daemons on the system.
After some headbanging I was able to make this work. The OS version
being used in this example is 10.1-RELEASE.</p>
<p>This post assumes you know how to setup an OpenVPN client & server as
well as being familiar with jails.</p>
<p><strong>Enable multiple routing tables</strong></p>
<p>Multiple routing tables (fibs) are available out of the box these days
but require you define them on boot. I only need two fibs, one for the
system and one used by this jail. As many jails/applications as you want
can share a fib; you don't need to make a new one for each new setup.</p>
<p><em>/boot/loader.conf</em></p>
<div class="highlight"><pre><span></span><code>net.fibs=2
</code></pre></div>
<p><strong>Set the default route for the fib</strong></p>
<p>My OpenVPN setup handles redirecting the default gateway and adding
routes to the client's routing table upon connection. In order for this
to work successfully it needs to detect a default route. Here's the
proper syntax so it starts on boot:</p>
<p><em>/etc/rc.conf</em></p>
<div class="highlight"><pre><span></span><code>static_routes="vpn"
route_vpn="default 172.16.1.1 -fib 1"
</code></pre></div>
<p>Let's get the OpenVPN client running. This OpenVPN client exists outside
the jail. This is required because you cannot alter routing tables from
within a jail.</p>
<p>When starting the OpenVPN client you will need to execute it via
<strong>setfib</strong> so it is operating under the correct routing table. The
<em>openvpn-client</em> doesn't daemonize, so I'll let you solve that whichever
way you prefer. I have mine running under <strong>daemontools</strong> to keep it
alive.</p>
<div class="highlight"><pre><span></span><code>server# setfib -F 1 /usr/local/sbin/openvpn-client /usr/local/etc/openvpn.conf
</code></pre></div>
<p>My OpenVPN client provisions static IPs for each new client, so the IP
address is not going to change. I believe this is standard behavior for
OpenVPN, but you may want to consult their docs if you run into issues.</p>
<p>The jail's IP address needs to be our end of the OpenVPN tunnel.</p>
<p><em>/etc/jail.conf</em></p>
<div class="highlight"><pre><span></span><code>vpnjail {
    host.hostname = "vpnjail";
    ip4.addr = "10.8.0.14";
    exec.fib = 1;
    allow.raw_sockets;
}
</code></pre></div>
<p><em>edit: if your IP is dynamically allocated by your VPN provider, use
ip4.addr = inherit;</em></p>
<p>Now when you start the jail it will use the new fib.</p>
<p>Please note if you use <strong>jexec</strong> to enter the jail you will be tricked
into executing everything with the wrong fib! This is not well
documented behavior. When the jail is launched and things automatically
start they will use the correct fib, but if you jexec into the jail and
run things from the shell it will <em>not</em> use the correct fib unless you
<strong>setfib -F1 jexec</strong> when entering the jail!</p>
<p>When in doubt, check your fib with <strong>sysctl net.my_fibnum</strong>!</p>
<p>At this point you should have a fully functional FreeBSD jail with all
network connectivity being pushed over the VPN.</p>
<p>You may be asking why I didn't bother using a VNET jail with its own
network stack and run the <em>openvpn-client</em> within the jail, too. The
reason is that I want the network connectivity to completely fail if the
vpn goes down. I do not want any chance of the traffic leaking. You may
be able to do a VNET jail and solve this problem with some firewall
rules, but that is additional complexity I did not want to introduce to
this environment.</p>
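<p>A small <em>/bin/sh</em> check run inside the jail can verify both failure modes this post warns about: a shell that ended up on the wrong fib, and traffic that would leave through something other than the tunnel. It is an added example, not from the post; the routing tables in it are constructed samples in the FreeBSD 10 <em>netstat -rn</em> layout and the function names are my own. Note that the bootstrap default route (172.16.1.1 in fib 1 above) stays in place when the OpenVPN client exits, while the routes the client installed (the 0.0.0.0/1 and 128.0.0.0/1 pair from <em>redirect-gateway def1</em>, or a replaced default route) disappear, so the check accepts either form and fails when neither points at the tunnel:</p>

```sh
#!/bin/sh
# Jail/VPN routing sanity check: added example, not from the post.

# routes_via TABLE IFACE
#   TABLE is `netstat -rn -f inet` output.  Succeeds only if every packet to an
#   arbitrary destination would leave through IFACE.  When the def1 pair
#   (0.0.0.0/1 and 128.0.0.0/1) is present it is more specific than "default"
#   and decides; otherwise the default route itself must point at IFACE.
routes_via() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            iface = $NF
            # A populated Expire column is numeric; the interface is then the
            # field to its left.
            if (iface ~ /^[0-9]+$/) iface = $(NF - 1)
            have[$1] = iface
        }
        END {
            if (("0.0.0.0/1" in have) || ("128.0.0.0/1" in have))
                ok = (have["0.0.0.0/1"] == want && have["128.0.0.0/1"] == want)
            else
                ok = (have["default"] == want)
            exit !ok
        }'
}

# vpn_leak_check FIB TUNIF
#   Meant to run inside the jail.  Fails when the current process is on a
#   different fib than FIB (the jexec trap described above), or when FIB's
#   catch-all routes no longer go through TUNIF, which is what the table looks
#   like once the OpenVPN client has gone away.
vpn_leak_check() {
    fib=$1 tunif=$2
    cur=$(sysctl -n net.my_fibnum) || return 1
    if [ "$cur" != "$fib" ]; then
        echo "on fib $cur, expected $fib; enter the jail with: setfib -F $fib jexec ..." >&2
        return 1
    fi
    if ! routes_via "$(netstat -rn -f inet -F "$fib")" "$tunif"; then
        echo "fib $fib: catch-all routes do not go via $tunif; traffic would bypass the VPN" >&2
        return 1
    fi
    echo "fib $fib: all traffic leaves via $tunif"
}

# Constructed routing tables (not captured from a real host) so routes_via can
# be exercised anywhere.  198.51.100.9 stands in for the VPN server.
# fib 1 while the client is up, redirect-gateway def1 style:
FIB1_UP='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.16.1.1         UGS         0       12    em0
0.0.0.0/1          10.8.0.13          UGS         0      450   tun0
10.8.0.13          link#5             UH          0        0   tun0
10.8.0.14          link#5             UHS         0        0    lo0
128.0.0.0/1        10.8.0.13          UGS         0      380   tun0
172.16.1.0/24      link#1             U           0        0    em0
198.51.100.9/32    172.16.1.1         UGHS        0       31    em0'

# The same fib after the client exited: only the bootstrap default remains.
FIB1_DOWN='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.16.1.1         UGS         0       12    em0
172.16.1.0/24      link#1             U           0        0    em0'

# A replaced default route (redirect-gateway without def1).
FIB1_REPLACED='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.8.0.13          UGS         0        9   tun0
10.8.0.13          link#5             UH          0        0   tun0
172.16.1.0/24      link#1             U           0        0    em0'

# Only the live check needs FreeBSD; guard it so the file also runs elsewhere.
if [ "$(uname -s)" = FreeBSD ]; then
    vpn_leak_check 1 tun0
fi
```

<p>Running <em>vpn_leak_check 1 tun0</em> from the jail's own cron is a cheap way to notice that the daemontools-supervised client has died before the applications in the jail do.</p>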
<p>Stay safe :-)</p>
<h2>Braindead FreeBSD Backups with Tarsnap and ACTS</h2>
<p><em>feld, 2015-05-14, /posts/2015/05/braindead-freebsd-backups-with-tarsnap-and-acts/</em></p>
<p>Before I start this simple blog post you should be aware that:</p>
<ul>
<li><a href="http://www.tarsnap.com/index.html">Tarsnap</a> is the best *nix backup service that exists.</li>
<li>You need to buy the <a href="http://amzn.com/0692400206">Tarsnap Mastery</a> book by <a href="https://twitter.com/mwlauthor">@mwl</a> because it's <em>so</em> good.</li>
</ul>
<p>Now that has been said, let's start with the super basics. Do you know what Tarsnap is? <em>No</em>? Ok, let's get you started.</p>
<ol>
<li>
<p>Install <a href="https://github.com/alexjurkiewicz/acts">ACTS</a> and tarsnap.</p>
<div class="highlight"><pre><span></span><code># pkg install acts
</code></pre></div>
<p>or</p>
<div class="highlight"><pre><span></span><code># cd /usr/ports/sysutils/acts && make install clean
</code></pre></div>
</li>
<li>
<p>Go <a href="https://www.tarsnap.com/account.html">sign up</a> for an account and deposit $5.</p>
</li>
<li>
<p>Generate a key for backup. The key is specific to this machine. Give the machine parameter a name that is recognizable to you.</p>
<div class="highlight"><pre><span></span><code># tarsnap-keygen --keyfile /root/tarsnap.key --user you@yours.com --machine your.machine.com
Enter tarsnap account password:
</code></pre></div>
</li>
<li>
<p>Back up <strong>/root/tarsnap.key</strong>. I'll wait for you to put a copy somewhere safe. Put it in your KeePass, 1Password,
print it off and put it in a safe, or whatever you normally do here. (You do keep a copy of these important things in <strong>meatspace</strong>, <em>right</em>?)</p>
</li>
<li>
<p>Configure what you want it to backup. Here's one of mine:</p>
<div class="highlight"><pre><span></span><code># vi /usr/local/etc/acts.conf
backuptargets="etc home root usr/local/etc usr/local/www"
</code></pre></div>
</li>
<li>
<p>Setup a cron entry so this happens daily.</p>
<div class="highlight"><pre><span></span><code>15 23 * * * root /usr/local/bin/acts
</code></pre></div>
</li>
<li>
<p>Run your first backup.</p>
<div class="highlight"><pre><span></span><code># acts
Creating yearly backup
Backing up etc...
Backing up home...
Backing up root...
Backing up usr/local/etc...
Backing up usr/local/www
acts run took 23 seconds
</code></pre></div>
</li>
</ol>
<p>Ok, whew, that was easy. Now you have a yearly backup. On the next run it will generate a monthly, then start doing dailies.</p>
<p>At this point you're done. Your data is safely backed up and even <strong>deduplicated</strong>. </p>
<p>Want to make a key that can only be used to do backups but cannot be used to delete them?
How about advanced techniques for data restoration? Passphrase protecting keys? Curious about implementing more
advanced backup strategies? You could read the man pages and scrape the internet for tips, or you can just buy the <a href="http://amzn.com/0692400206">book</a>
that has already done all the hard work for you.</p>
<p>Now go on with your life. Your data is safe from even the NSA.</p>
<h2>IPv6 via 6rd on FreeBSD</h2>
<p><em>feld, 2015-02-04, /posts/2015/02/ipv6-via-6rd-on-freebsd/</em></p>
<p>My ISP is Charter and they support <a href="http://www.myaccount.charter.com/customers/Support.aspx?SupportArticleID=2665">6rd for IPv6.</a>
Unfortunately 6rd support
does not exist in the <strong>stf(4)</strong> driver in FreeBSD yet. There is a
work-in-progress implementation available from hrs in ports,
<em>net/stf-6rd-kmod</em>. However, I haven't found very good documentation on
exactly how to use it so at the suggestion of nathanw I have
implemented 6rd via a regular <strong>gif(4)</strong> tunnel.</p>
<p>The configuration in rc.conf looks like below. Just replace the
variables with the real IP addresses for your environment:</p>
<div class="highlight"><pre><span></span><code>cloned_interfaces="gif0"
ipv6_activate_all_interfaces="YES"
ifconfig_gif0="tunnel $MYIPv4 $THEIRIPv4"
ifconfig_gif0_ipv6="inet6 alias $MYIPv6 $THEIRIPv6 prefixlen 128"
ipv6_defaultrouter="$THEIRIPv6 -mtu 1280"
</code></pre></div>
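<p>Filling in those variables is the part left to the reader. With 6rd the IPv6 side is derived from the IPv4 side (RFC 5969): the ISP publishes a 6rd prefix, its length and an IPv4MaskLen, and the customer's delegated prefix is that 6rd prefix followed by the customer's IPv4 address with its first IPv4MaskLen bits dropped. The <em>/bin/sh</em> function below performs that derivation. It is an added example, not from the post; the function names are my own, the values in it are the documentation prefix 2001:db8:: and constructed customer addresses, and using <em>::1</em> inside the delegated prefix as the host's own tunnel address is a convention I am assuming rather than something the RFC fixes. Take the real 6rd parameters from your ISP's page; the border relay's own address is formed the same way from the relay's IPv4 address, which is also an assumption to confirm there:</p>

```sh
#!/bin/sh
# 6rd prefix derivation (RFC 5969): added example, not from the post.

# sixrd_prefix RDPREFIX RDPREFIXLEN IPV4MASKLEN IPV4
#   Print the delegated prefix for IPV4 as "<prefix>::/<len>".  The delegated
#   prefix is RDPREFIX followed by IPV4 with its first IPV4MASKLEN bits
#   removed, so its length is RDPREFIXLEN + (32 - IPV4MASKLEN).  Only
#   delegated lengths up to 64 are handled (the usual case: a /32 6rd prefix
#   with IPv4MaskLen 0, or a /40 with IPv4MaskLen 8, gives each customer a /64).
sixrd_prefix() {
    rdprefix=$1 plen=$2 mlen=$3 ip4=$4
    nbits=$((32 - mlen))
    dlen=$((plen + nbits))
    if [ "$dlen" -gt 64 ]; then
        echo "sixrd_prefix: delegated length $dlen exceeds 64 bits" >&2
        return 1
    fi

    # Upper 64 bits of the 6rd prefix as one integer: take the groups left of
    # "::" and pad to four 16-bit words (a 6rd prefix never needs the low half).
    grp=${rdprefix%%::*}
    oldifs=$IFS; IFS=:; set -- $grp; IFS=$oldifs
    w0=$((0x${1:-0})) w1=$((0x${2:-0})) w2=$((0x${3:-0})) w3=$((0x${4:-0}))
    hi=$(( (w0 << 48) | (w1 << 32) | (w2 << 16) | w3 ))

    # IPv4 address as a 32-bit integer, keeping only its low NBITS bits.
    oldifs=$IFS; IFS=.; set -- $ip4; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    suffix=$(( ip & ((1 << nbits) - 1) ))

    # The suffix sits immediately after the RDPREFIXLEN prefix bits.
    hi=$(( hi | (suffix << (64 - dlen)) ))
    printf '%x:%x:%x:%x::/%d\n' \
        $(( (hi >> 48) & 0xffff )) $(( (hi >> 32) & 0xffff )) \
        $(( (hi >> 16) & 0xffff )) $(( hi & 0xffff )) "$dlen"
}

# sixrd_host_address RDPREFIX RDPREFIXLEN IPV4MASKLEN IPV4
#   First address of the delegated prefix, used here as the host's own tunnel
#   address ($MYIPv6 in the rc.conf above).  The ::1 choice is an assumption
#   of this example, not something 6rd prescribes.
sixrd_host_address() {
    p=$(sixrd_prefix "$@") || return 1
    printf '%s1\n' "${p%/*}"
}

# Constructed demonstration: documentation prefix 2001:db8::/32 with
# IPv4MaskLen 0 and a customer address from the TEST-NET-3 range.
MYIPv4=203.0.113.7
MYIPv6=$(sixrd_host_address 2001:db8:: 32 0 "$MYIPv4")
echo "ifconfig_gif0_ipv6=\"inet6 alias $MYIPv6 \$THEIRIPv6 prefixlen 128\""
```

<p>The printed line is the <em>ifconfig_gif0_ipv6</em> entry with <em>$MYIPv6</em> resolved; <em>$THEIRIPv6</em> still has to come from the ISP's documentation (or from running the same derivation on the relay's IPv4 address, if your ISP's relay follows that convention).</p>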
<p>There is one main limitation because it's using a <em>gif(4)</em> tunnel and not
speaking the complete 6rd RFC: you can't contact other IPv6
addresses that are also using this 6rd service.</p>
<p>If you don't care about the capability to contact other users on your
ISP also using the 6rd tunnel you will not notice any problems.</p>
<p>Note: I'm setting the default route to an MTU of 1280 because of the
behavior of IPv6 tunnels and common issues with PMTU. I suggest you do
the same for an optimal experience.</p>
<h2>BSD License Audit</h2>
<p><em>feld, 2014-12-22, /posts/2014/12/bsd-license-audit/</em></p>
<p>I recently did an audit of the "BSD" licenses in the FreeBSD ports
tree. This pertains strictly to those defined as <em>LICENSE=BSD</em> which
could be one of several licenses. It was an extremely tedious process
manually verifying the license of each port, and except for a dozen which
are not identifiable or waiting for email responses from the authors it
has been completed successfully.</p>
<h2>Things I've learned:</h2>
<ul>
<li>
<p>Lots of people don't understand open source licenses and incorrectly
label their own license. BSD == MIT, etc.</p>
</li>
<li>
<p>Services like pypi don't get any more granular than "BSD" which made
this audit frustrating and perpetuates the idea that there is a single "BSD"
license. Go look in <strong>PKG-INFO</strong> files -- just says <em>License: BSD</em>.</p>
</li>
<li>
<p>Developers have this fantastic idea where they say "This project is
under the BSD license" and then never point the enduser to any license
text <strong>anywhere</strong>.</p>
</li>
<li>
<p>Many people are leaving their <strong>LICENSE</strong> or <strong>COPYING</strong> files out of their
release tarballs -- incredibly daft of them.</p>
</li>
<li>
<p>BSD community members seem to know that when you author software you
license files, not entire projects, and they put the license in the header of every
source file. (Thanks!)</p>
</li>
<li>
<p>Some people think they can just <a href="http://repoze.org/license.html">edit standard licenses</a> because they're
smarter than the lawyers who helped develop these licenses and cause
unnecessary work to myself and others. (<a href="http://old.zope.org/Resources/License/ZPL-2.1">ZPL2.1</a> with a clause cut out)</p>
</li>
<li>
<p>There are far too many variants of the <a href="https://fedoraproject.org/wiki/Licensing:MIT?rd=Licensing/MIT">MIT license</a>.</p>
</li>
<li>
<p>OpenBSD actually uses the <a href="http://en.wikipedia.org/wiki/ISC_license">ISCL license</a>, not a classic BSD license.
(Don't worry, it's just shorter)</p>
</li>
<li>
<p>Even Debian can make <a href="http://metadata.ftp-master.debian.org/changelogs//main/p/python-repoze.who/python-repoze.who_1.0.18-1_copyright">mistakes</a>.
(That's not a GPLv3 license.)</p>
</li>
<li>
<p>Tons of copies of the BSD 3-CLAUSE out there that have clauses numbered <strong>1.</strong>, <strong>2.</strong>, and <strong>4.</strong>. Makes
me chuckle every time I see it.</p>
</li>
<li>
<p>An unofficial BSD 1-CLAUSE is floating out there <a href="https://github.com/iegor/kdesktop/blob/master/kdeadmin/secpolicy/pamview.h">in use by a few projects</a> which indicates
the author only cares about its source distribution and not the
binary...</p>
</li>
<li>
<p>The Sendmail license had an older variant that implied that you have
to fly to California to defend yourself if you violate it.</p>
</li>
<li>
<p>Never trust the license of a package. If you're a vendor you better
verify it by hand before selling your product.</p>
</li>
</ul>
<h2>Results:</h2>
<div class="highlight"><pre><span></span><code> 1 ART20
1 BSD1
1 BSD2 BSD3 ART10
1 BSD2 MIT
1 BSD3 TclTk
1 CC
1 CPL
1 GPLv2 BSD3CLAUSE BSD4CLAUSE
1 GPLv2 ISCL
1 GPLv3
1 PHP202
1 PHP30
1 Sendmail
1 ZPL21
2 BSD2 BSD3
2 BSD3 MIT
2 REPOZE -- ZPL21 modified
4 GPLv2
4 TclTk
5 CUSTOM
8 BSD4
17 ISCL
24 MIT
62 BSD2
148 BSD3
</code></pre></div>
<p>This isn't 100% accurate either as sometimes there were ports which had
multiple licenses defined and I only fixed and noted the "BSD" one.
However, those that have multiple licenses listed were instances that I
discovered that the project didn't fit strictly under one license.</p>
<p><a href="https://docs.google.com/spreadsheets/d/1ooPkgcAKkQdsulPeamFslkRWX5jYhGL5mJskx9IfBXY/edit#gid=0">What a nightmare.</a></p>
<h2>Outlook-compatible WebDav with Nginx</h2>
<p><em>feld, 2014-11-10, /posts/2014/11/outlook-compatible-webdav-with-nginx/</em></p>
<p>Microsoft Outlook has a Publish Online feature for sharing specific calendar
information by publishing iCal files to WebDav. I don't use Apache on my personal
servers, so here's how to configure it on Nginx.</p>
<p>You first need to ensure that you have both Nginx WebDav modules installed. They
are called <strong>http_webdav</strong> and <strong>webdav_ext</strong>. You need the <strong>webdav_ext</strong> as
Outlook attempts some specific functions that are provided by this
module. Other calendar clients may not have the same requirements.</p>
<p>After you have both of these installed you can configure your
webdav share like this:</p>
<div class="highlight"><pre><span></span><code>server {
    listen 80;
    listen [::]:80;
    server_name cal.yourdomain.com;
    root /usr/local/www/caldav;
    location / {
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS;
        create_full_put_path on;
        dav_access user:rw group:rw all:r;
    }
}
</code></pre></div>
<p>You should probably secure this with SSL and possibly password protect your
webdav share. Using the <strong>limit_except</strong> Nginx
feature you could be clever and allow read access from everyone but
prevent publishing without a password. This will prevent your server
from being a target for public file storage. :-)</p>
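<p>Folding the TLS and <strong>limit_except</strong> advice into the server block above gives the configuration below. It is an added example, not the post's own configuration; the certificate and key paths are placeholders, and the htpasswd file is the one named in the snippet that follows. Because <strong>limit_except GET</strong> leaves only GET and HEAD open, the PROPFIND, OPTIONS and PUT requests Outlook issues when publishing all require a password, while subscribers fetching the iCal files do not:</p>

```nginx
# Plain HTTP only redirects to TLS; nothing is served or accepted here.
server {
    listen 80;
    listen [::]:80;
    server_name cal.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name cal.yourdomain.com;
    root /usr/local/www/caldav;

    # Placeholder paths: point these at your real certificate and key.
    ssl_certificate     /usr/local/etc/ssl/cal.yourdomain.com.crt;
    ssl_certificate_key /usr/local/etc/ssl/cal.yourdomain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS;
        create_full_put_path on;
        dav_access user:rw group:rw all:r;

        # Anyone may read the published calendars (GET, and therefore HEAD);
        # every other method, publishing included, needs an htpasswd entry.
        limit_except GET {
            auth_basic "Restricted for authorized users!";
            auth_basic_user_file /usr/local/etc/nginx/htpasswd;
        }
    }
}
```

<p>Check the result with <em>nginx -t</em> before reloading, and remember that the <strong>dav_access</strong> line still lets authenticated users overwrite each other's files; if several people publish to the same host, give each a separate <strong>location</strong> with its own htpasswd file.</p>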
<div class="highlight"><pre><span></span><code>limit_except GET {
    auth_basic "Restricted for authorized users!";
    auth_basic_user_file /usr/local/etc/nginx/htpasswd;
}
</code></pre></div>
<h2>Setting up Xymon with Nginx</h2>
<p><em>feld, 2014-11-06, /posts/2014/11/setting-up-xymon-with-nginx/</em></p>
<p>Xymon has been a favorite monitoring tool of mine for quite some time
now largely due to its simplicity and flexibility. However, I despise
running Apache unless absolutely necessary. Previous attempts at
getting Nginx and Xymon to play nice were not successful without some
lazy hacks, but I finally sat down and made it work as cleanly as
possible. See the below Nginx config. You may have to make minor
adjustments if you're not on FreeBSD.</p>
<div class="highlight"><pre><span></span><code>server {
    listen 80;
    listen [::]:80;
    server_name xymon.feld.me;
    index index.html;
    root /usr/local/www/xymon/server/www;
    location /xymon/ {
        alias /usr/local/www/xymon/server/www/;
    }
    location /cgi-bin/ {
        alias /usr/local/www/xymon/cgi-bin/;
    }
    location /cgi-secure/ {
        alias /usr/local/www/xymon/cgi-secure/;
    }
    location ~ ^/.*\.sh$ {
        gzip off;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /usr/local/www/xymon/;
        fastcgi_param REMOTE_USER $remote_user;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
    }
}
</code></pre></div>
<p>Upstream Xymon supplies an Apache configuration that aliases <strong>/xymon-cgi/</strong>
to <strong>/cgi-bin/</strong> and <strong>/xymon-seccgi/</strong> to <strong>/cgi-secure/</strong>. Due to the way that
Nginx handles aliases and fastcgi <em>SCRIPT_NAME</em> we don't have much
choice here. We're just going to use them exactly as they're
named on the filesystem and adjust Xymon to play along.</p>
<p>Change the following in your <strong>xymonserver.cfg</strong>:</p>
<div class="highlight"><pre><span></span><code>XYMONSERVERCGIURL="/cgi-bin"
XYMONSERVERSECURECGIURL="/cgi-secure"
</code></pre></div>
<p>Now you should have a fully functional Xymon interface served by Nginx.
I strongly suggest you protect the Xymon interface or at least the
<strong>/cgi-secure/</strong> with a password, though. I'll leave that up to the reader.</p>
<h1>Kindly Subverting POODLE</h1>
<p><em>feld, 2014-10-15T00:00:00-05:00, /posts/2014/10/kindly-subverting-poodle/</em></p>
<p>Let's pretend for a moment you live in a world where you need to protect
your customers from POODLE without completely breaking access for IE6
users. Scary errors or a complete failure to connect to the server are
not options. Well then, this blog post is for you!</p>
<p>This solution varies based on where SSL is being terminated. If it's
on Apache or Nginx this is easy. If you have a different webserver or
hardware load balancers you might have to investigate on your own. You
should be able to apply these same techniques. If not, I suggest
<em>upgrading</em> your infrastructure to something more modern. :-)</p>
<p>Keep in mind this will likely cause you to fail some audits. However,
with proof of your configuration you could contest the failure and
(hopefully) win. I wouldn't run this permanently either. Maybe a month or
two until your customers get a clue.</p>
<p>Note: In these examples I redirect the end user to Microsoft's Windows
XP End of Support page which has a lot of good information, but you
might want to redirect the user to a company-branded page with your own
message.</p>
<p><strong>Apache:</strong></p>
<div class="highlight"><pre><span></span><code># "=SSLv3" is mod_rewrite's lexical equality test; the "=" must be attached
# to the value, otherwise Apache reads "SSLv3" as a flags argument and refuses
# to start. %{SSL:SSL_PROTOCOL} also works without SSLOptions +StdEnvVars.
RewriteCond %{SSL_PROTOCOL} =SSLv3
RewriteRule .* http://windows.microsoft.com/en-us/windows/end-support-help [R=302,L]
</code></pre></div>
<p><strong>Nginx:</strong></p>
<div class="highlight"><pre><span></span><code>if ($ssl_protocol = SSLv3)
{
return 302 http://windows.microsoft.com/en-us/windows/end-support-help ;
}
</code></pre></div>
<p><strong>Cisco ACE:</strong></p>
<p>You can't actually do this on the Cisco ACE, but it appears you could tell
it to add a header and then you could watch for this header on the
backend webservers and do a redirect similar to what we're doing above.
I don't know the full syntax for the ACE but digging through the manual
I found this gem:</p>
<div class="highlight"><pre><span></span><code>ssl header-insert session Protocol-Version
</code></pre></div>
<p>The Cisco ACE only has the values <em>TLSv1</em> and <em>SSLv3</em> for <strong>Protocol-Version</strong>,
so the following should work for Apache:</p>
<div class="highlight"><pre><span></span><code># Same lexical-equality test as above: keep the "=" attached to the value.
RewriteCond %{HTTP:Protocol-Version} =SSLv3
RewriteRule .* http://windows.microsoft.com/en-us/windows/end-support-help [R=302,L]
</code></pre></div>
<p>And there you have it. You can inform your customers without sacrificing
their security. The worst case scenario is a bad guy sniffs the traffic
and captures a redirect. On a side note, this would also be a clever way
to detect and inform of an SSL Downgrade attack...</p>
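<p>Since the same redirect can double as a downgrade signal, here is a small log check, added as an example that is not part of the original post: it walks Nginx access-log lines that record <em>$ssl_protocol</em> (the log_format and the sample lines are assumptions) and separates clients that only ever spoke SSLv3 from clients that negotiated TLS earlier and then dropped to SSLv3, which is what a forced downgrade looks like from the server side.</p>

```python
"""Flag SSLv3 negotiations in Nginx access logs (added example, not the post's).

The post's Nginx/Apache rules redirect anyone who negotiated SSLv3 to an
end-of-support page. Logging $ssl_protocol alongside those redirects lets you
tell legacy clients (only ever SSLv3) from a client that negotiated TLS earlier
and then suddenly fell back to SSLv3. Assumed log_format (not in the post):

    log_format ssl '$remote_addr $ssl_protocol $ssl_cipher "$request" $status';
"""
from collections import defaultdict

# Constructed sample lines in the assumed format above.
SAMPLE_LOG = """\
203.0.113.10 TLSv1 ECDHE-RSA-AES128-SHA "GET / HTTP/1.1" 200
203.0.113.10 TLSv1 ECDHE-RSA-AES128-SHA "GET /login HTTP/1.1" 200
203.0.113.10 SSLv3 DES-CBC3-SHA "GET /login HTTP/1.1" 302
198.51.100.7 SSLv3 RC4-SHA "GET / HTTP/1.1" 302
198.51.100.7 SSLv3 RC4-SHA "GET /favicon.ico HTTP/1.1" 302
192.0.2.44 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 200
"""


def parse_line(line):
    """Return (client, protocol, status) for one log line, or None if malformed."""
    try:
        head, _, tail = line.partition(' "')
        client, proto, _cipher = head.split(" ", 2)
        status = int(tail.rsplit(" ", 1)[1])
    except (ValueError, IndexError):
        return None
    return client, proto, status


def classify_clients(log_text):
    """Group clients by SSLv3 behaviour.

    Returns a dict with:
      'legacy'    - clients that only ever negotiated SSLv3 (IE6-era browsers)
      'downgrade' - clients seen on TLS *before* an SSLv3 connection
      'redirects' - number of 302s served to SSLv3 sessions, i.e. hits on the
                    post's redirect rule
    """
    history = defaultdict(list)
    redirects = 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        client, proto, status = parsed
        history[client].append(proto)
        if proto == "SSLv3" and status == 302:
            redirects += 1

    legacy, downgrade = set(), set()
    for client, protos in history.items():
        if "SSLv3" not in protos:
            continue
        first_sslv3 = protos.index("SSLv3")
        if any(p.startswith("TLS") for p in protos[:first_sslv3]):
            downgrade.add(client)  # TLS worked earlier; SSLv3 now is suspicious
        elif all(p == "SSLv3" for p in protos):
            legacy.add(client)
    return {"legacy": legacy, "downgrade": downgrade, "redirects": redirects}


if __name__ == "__main__":
    result = classify_clients(SAMPLE_LOG)
    for client in sorted(result["downgrade"]):
        print(f"possible downgrade: {client}")
    for client in sorted(result["legacy"]):
        print(f"legacy SSLv3-only client: {client}")
    print(f"{result['redirects']} SSLv3 sessions redirected")
```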
<p>Have fun!</p>
<p>Edit: Make sure you use 302 redirects so they aren't permanently cached by clients...</p>
<h1>pfSense On Citrix XenServer</h1>
<p><em>feld, 2014-07-07T00:00:00-05:00, /posts/2014/07/pfsense-on-citrix-xenserver/</em></p>
<p>pfSense 2.2 snapshots are now based on FreeBSD 10 which means that
support for Xen is built into the GENERIC kernel. This means
virtualizing pfSense is very easy. If you install pfSense on Citrix
XenServer it will not let you live migrate the VM to another host unless
the Xen Tools are installed. Fortunately, there's an easy fix for that!</p>
<p><strong>Step 1</strong>: Install the tools.
If you haven't installed the pkg utility yet it will automatically fetch
that first.</p>
<div class="highlight"><pre><span></span><code># pkg install xe-guest-utilities
</code></pre></div>
<p><strong>Step 2</strong>: Enable it to start on boot.</p>
<p>Unfortunately pfSense has largely diverged from FreeBSD and won't run
the rc scripts unless they end in <strong>.sh</strong>. We can fix this with a
symlink. These two commands will enable it to run on boot.</p>
<div class="highlight"><pre><span></span><code># echo "xenguest_enable=\"YES\"" >> /etc/rc.conf.local
# ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh
</code></pre></div>
<p><strong>Step 3</strong>: Start the service manually or reboot.</p>
<div class="highlight"><pre><span></span><code># service xenguest start
</code></pre></div>
<p>Ta-da! Fully functional Xen Tools on your virtualized pfSense firewall.</p>
<p>Note: If you happen to read this the day I wrote this you may find the
memory reporting is broken and every few minutes some errors scroll on
the console:</p>
<div class="highlight"><pre><span></span><code>bc: cannot find dc: No such file or directory
bc: cannot find dc: No such file or directory
bc: cannot find dc: No such file or directory
bc: cannot find dc: No such file or directory
bc: cannot find dc: No such file or directory
</code></pre></div>
<p>You can hand-patch or just wait a week until the FreeBSD repo has xe-guest-utilities 6.0.2_3 or later.</p>
<div class="highlight"><pre><span></span><code><span class="gh">diff --git a/src/sbin/xe-update-guest-attrs b/src/sbin/xe-update-guest-attrs</span>
<span class="gh">index 981f62f..44a0c63 100755</span>
<span class="gd">--- a/src/sbin/xe-update-guest-attrs</span>
<span class="gi">+++ b/src/sbin/xe-update-guest-attrs</span>
<span class="gu">@@ -129,11 +129,11 @@ done</span>
<span class="w"> </span>if [ $MEMORY_MODE -eq 1 ] ; then
<span class="w"> </span> # calc memory... used http://www.cyberciti.biz/files/scripts/freebsd-memory.pl.txt as guide
<span class="w"> </span> pagesize=$(sysctl hw.pagesize | cut -d ':' -f2)
<span class="gd">- memtotal=$(echo "$(sysctl hw.physmem | cut -d ':' -f2) / 1024" | bc)</span>
<span class="gd">- meminactive=$(echo "$(sysctl vm.stats.vm.v_inactive_count | cut -d ':' -f2) * $pagesize / 1024" | bc)</span>
<span class="gd">- memcache=$(echo "$(sysctl vm.stats.vm.v_cache_count | cut -d ':' -f2) * $pagesize / 1024" | bc)</span>
<span class="gd">- memfree=$(echo "$(sysctl vm.stats.vm.v_free_count | cut -d ':' -f2) * $pagesize / 1024" | bc)</span>
<span class="gd">- memavail=$(echo "$meminactive + $memcache + $memfree" | bc)</span>
<span class="gi">+ memtotal=$(let "$(sysctl hw.physmem | cut -d ':' -f2) / 1024")</span>
<span class="gi">+ meminactive=$(let "$(sysctl vm.stats.vm.v_inactive_count | cut -d ':' -f2) * $pagesize / 1024")</span>
<span class="gi">+ memcache=$(let "$(sysctl vm.stats.vm.v_cache_count | cut -d ':' -f2) * $pagesize / 1024")</span>
<span class="gi">+ memfree=$(let "$(sysctl vm.stats.vm.v_free_count | cut -d ':' -f2) * $pagesize / 1024")</span>
<span class="gi">+ memavail=$(let "$meminactive + $memcache + $memfree")</span>
<span class="w"> </span> # we're using memavail as "free" for now
<span class="w"> </span> xenstore_write_cached "data/meminfo_total" "$memtotal"
</code></pre></div>
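<p>Review bot: the five replaced assignments rely on <code>$(let "...")</code> printing its result, which is a FreeBSD /bin/sh extension; <code>let</code> is not in POSIX, and in bash or ksh it only sets an exit status, so on those shells memtotal through memavail would come back empty and <code>xenstore_write_cached "data/meminfo_total" "$memtotal"</code> would publish nothing. POSIX arithmetic expansion gives the same values on every sh and drops both the <code>bc</code> dependency and the extra subshell, e.g. <code>memtotal=$(( $(sysctl -n hw.physmem) / 1024 ))</code>.</p>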
<p>It's really just changing the <em>echo</em> through <em>bc</em> into a POSIX sh <em>let</em>.</p>
<h1>Archiveopteryx: The IMAP Server You Always Wanted</h1>
<p><em>feld, 2014-07-06T00:00:00-05:00, /posts/2014/07/archiveopteryx-the-imap-server-you-always-wanted/</em></p>
<p><a href="http://aox.org">Archiveopteryx</a> (aox) is a highly
scalable PostgreSQL-backed IMAP/POP server. As described on its website:</p>
<blockquote>
<p>Archiveopteryx is an Internet mail server, optimised to support
long-term archival storage. It seeks to make it practical not only to
manage large archives, but to use the information therein on a daily
basis instead of relegating it to offline storage.</p>
</blockquote>
<p>and</p>
<blockquote>
<p>Archiveopteryx is designed to impose no limits on the size or usage of
the archive to the extent of the server hardware's capabilities.</p>
</blockquote>
<p>With aox it's possible to have millions of mail in an IMAP folder
without experiencing performance issues. My own Postgres configuration
is moderately tuned and performs spectacularly. The fact that the mail
is in a database means large operations such as marking many thousands
of mail as <em>read</em> or moving to different IMAP folders is a very fast and
inexpensive operation.</p>
<p>Notable features:</p>
<ul>
<li>Automatic deduplication</li>
<li>Retention: Specify which messages must be deleted/retained, including
by search.</li>
<li>Undelete: Search for accidentally deleted messages and recover them.</li>
<li>Export: Search for messages and export them.</li>
<li>Easy backup: just a SQL dump!</li>
<li>LDAP authentication</li>
<li>Bleeding edge RFC support -- many new IMAP features land here first!</li>
</ul>
<p>For those curious how this compares to DBMail read
<a href="http://archiveopteryx.org/faq/mailstore#dbmail">here</a>.</p>
<p>One thing to note about aox is the goal of "long-term archival storage".
Aox intends for you to be able to read your email with a mail client
written 20 years from now. Your mail will be safely stored and RFC
compliant. Mail clients of the future should not have to implement
thousands of quirks and workarounds to deal with malformed messages from
poorly written mail clients of old. This means that your mail in some
circumstances may be modified to be standards compliant: headers changed
slightly, encoding fixed, etc. This will not be noticeable when read
unless it happens on a PGP-Signed mail in which case it could break the
signature. I occasionally see this happen, but it's not been a major
concern of mine. If this doesn't worry you, forge ahead!</p>
<h2>Installation & Setup</h2>
<p>On FreeBSD:</p>
<div class="highlight"><pre><span></span><code># pkg install archiveopteryx
</code></pre></div>
<p>We will now initiate the installer. If the Postgres server is local, the
use of the <em>pgsql</em> user will initiate the aox database and accounts. If
the database is not local I will leave it as an exercise to the reader
to permit remote database access by the installer to create the required
accounts and database.</p>
<p><strong>Make sure the citext extension is available.</strong></p>
<p>On FreeBSD this is in the postgresql93-contrib package for Postgres 9.3 servers.</p>
<div class="highlight"><pre><span></span><code># /usr/local/libexec/aox/installer
Connecting to Postgres server /tmp/.s.PGSQL.5432 as Unix user pgsql.
Creating the 'aox' PostgreSQL user.
Creating the 'aoxsuper' PostgreSQL user.
Creating the 'archiveopteryx' database.
Adding citext to the 'archiveopteryx' database.
Loading the database schema.
SET
SET
CREATE TABLE
INSERT 0 1
CREATE EXTENSION
CREATE TABLE
CREATE INDEX
CREATE FUNCTION
(yadda yadda this goes on for a bit)
...
Granting database privileges.
Generating default /usr/local/etc/archiveopteryx/archiveopteryx.conf
Generating default /usr/local/etc/archiveopteryx/aoxsuper.conf
Setting ownership and permissions on
/usr/local/etc/archiveopteryx/archiveopteryx.conf
Done.
</code></pre></div>
<p>Add to <strong>/etc/rc.conf</strong>:</p>
<div class="highlight"><pre><span></span><code>archiveopteryx_enable="YES"
</code></pre></div>
<p>Let's start it up and create a user.
This will add a user and prompt for the password. The username can be
anything you want, or the email address if that's more convenient. </p>
<div class="highlight"><pre><span></span><code># service archiveopteryx start
# aox add user -p <username> <email-address>
</code></pre></div>
<p>You may want to use your own SSL/TLS key. Concat the certificate, key,
and chain into a single file and add an entry to
<strong>/usr/local/etc/archiveopteryx/archiveopteryx.conf</strong>:</p>
<div class="highlight"><pre><span></span><code>tls-certificate = /usr/local/etc/archiveopteryx/yourcert.pem
</code></pre></div>
<p>Restart the service and you're ready to connect your mail client,
webmail, etc to the server and start using it! </p>
<p>Again, the other intricacies of email hosting are left as an exercise to
the user: LMTP delivery from your favorite MTA, spam filtering, valid
matching A and PTR records, SPF, DKIM, etc.</p>
<p>I guarantee this setup is easier than competing IMAP servers with
significantly less confusing knobs to turn.</p>
<h2>Other tips</h2>
<p>Import mail from mbox or maildir with:</p>
<div class="highlight"><pre><span></span><code># aox import
</code></pre></div>
<p>Importing lots of mail? Turning off the SQL index might help speed
things up:</p>
<div class="highlight"><pre><span></span><code># aox tune database mostly-writing
</code></pre></div>
<p>Turn it back on when finished (be patient!):</p>
<div class="highlight"><pre><span></span><code># aox tune database mostly-reading
</code></pre></div>
<p>A nightly cron will clean up the database by removing emails that have
expired beyond the configured <em>undelete-time</em>:</p>
<div class="highlight"><pre><span></span><code>0 0 * * * root /usr/local/bin/aox vacuum
</code></pre></div>
<p>Don't care about enforcing IMAP Quotas? Turn them off in
<strong>archiveopteryx.conf</strong>; they're expensive:</p>
<div class="highlight"><pre><span></span><code>use-imap-quota = off
</code></pre></div>
<p>The official aox releases are rare. The authors do a full audit of
the codebase each release which takes significant time. Following <a href="https://github.com/aox/aox">git</a>
is encouraged if you need a certain bugfix or feature. The following
IMAP features missed the <strong>3.2.0</strong> release because their reliability couldn't
be vetted in time:</p>
<div class="highlight"><pre><span></span><code>THREAD=ORDEREDSUBJECT
THREAD=REFS
THREAD=REFERENCES
</code></pre></div>
<p>Their absence means you won't see mail threads in webmail clients like
Roundcube but it's easy to
<a href="https://github.com/aox/aox/commit/296f82cf011cb630863fe9a5673276e19edafae9">patch</a>
<a href="https://github.com/aox/aox/commit/e3d9d866f3cde4b1e23d3c99889cf2b7f4d3a076">them</a>
back in.</p>
<h1>SSH Two Factor Authentication on FreeBSD</h1>
<p><em>feld, 2014-07-02T00:00:00-05:00, /posts/2014/07/ssh-two-factor-authentication-on-freebsd/</em></p>
<p>Setting up two factor auth for SSH on FreeBSD is actually quite simple.
This can be achieved with minimal effort via the
<strong>security/pam_google_authenticator</strong> port.</p>
<div class="highlight"><pre><span></span><code># pkg install pam_google_authenticator
</code></pre></div>
<p>Edit <strong>/etc/pam.d/sshd</strong> and add the following line at the top of the list:</p>
<div class="highlight"><pre><span></span><code>auth required /usr/local/lib/pam_google_authenticator.so
</code></pre></div>
<p>Now each user has to generate their two factor authentication with the
<em>google-authenticator</em> command if they want to login via ssh with a password.
If they have an SSH key it will bypass the need for the two factor
authentication. Here's an example of the process:</p>
<div class="highlight"><pre><span></span><code>$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/feld@my.server.name%3Fsecret%3DXD2SJCBPO2NAMGTS
Your new secret key is: XD2SJCBPO2NAMGTS
Your verification code is 666608
Your emergency scratch codes are:
83144609
39391374
49272727
99788106
18387881
Do you want me to update your "/home/feld/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) n
</code></pre></div>
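<p>To show what the PAM module is actually checking behind that transcript, here is a TOTP verifier added as an example (it is not the module's own code): it takes the base32 secret that <em>google-authenticator</em> writes to <strong>~/.google_authenticator</strong>, uses 30-second steps, a skew window (skew=1 is the 1:30 window of one token before and after), and refuses to accept a time step twice, which is the "disallow multiple uses of the same token" option. The secret used is the RFC 4226/6238 reference key, an assumption rather than one from the post.</p>

```python
"""TOTP verification as performed by pam_google_authenticator (added example,
not the module's code): base32 secret, 30-second steps, a skew window and the
post's "disallow multiple uses of the same authentication token" replay check."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per token, the default shown in the transcript

# Constructed test secret: the RFC 4226/6238 reference key "12345678901234567890"
# in base32, the encoding google-authenticator stores in ~/.google_authenticator.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32, now, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret_b32, int(now) // step)


class Verifier:
    """Stateful check: accepts a code within +/-skew steps of now and refuses
    to accept the same (or an older) time step twice, like the module's
    anti-replay option from the transcript."""

    def __init__(self, secret_b32, skew=1, step=STEP):
        self.secret = secret_b32
        self.skew = skew          # 1 -> three tokens, the "1:30min" window
        self.step = step
        self.last_used_step = None

    def verify(self, code, now):
        current = int(now) // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if self.last_used_step is not None and candidate <= self.last_used_step:
                    return False  # this step (or an older one) was already consumed
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    v = Verifier(TEST_SECRET)
    print("current code:", totp(TEST_SECRET, time.time()))
    print("RFC 6238 vector at t=59:", totp(TEST_SECRET, 59))
    print("first use accepted:", v.verify(totp(TEST_SECRET, 59), 59))
    print("replay accepted:", v.verify(totp(TEST_SECRET, 59), 59))
```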
<p>See, easy!</p>
<h1>FreeBSD Poudriere Cheat Sheet</h1>
<p><em>feld, 2014-06-21T00:00:00-05:00, /posts/2014/06/freebsd-poudriere-cheat-sheet/</em></p>
<p>On FreeBSD <strong>poudriere</strong> is now the best way to maintain your software from
the ports tree. It provides a cleanroom build environment and your
packages will always be built properly. Manual installation and
<strong>portmaster</strong> are certainly still viable, but they should be handled with
care by advanced users. For those who cannot use the public FreeBSD
pkg repository, here's a quick rundown on maintaining your own.</p>
<p>Install poudriere. At this time I recommend <em>poudriere</em> from
packages or your own ports tree.</p>
<div class="highlight"><pre><span></span><code># cd /usr/ports/ports-mgmt/poudriere
# make install clean
</code></pre></div>
<p>Edit poudriere.conf to your own liking.</p>
<div class="highlight"><pre><span></span><code># vi /usr/local/etc/poudriere.conf
</code></pre></div>
<p>Create a build jail. If you want to target FreeBSD 10.1 amd64:</p>
<div class="highlight"><pre><span></span><code># poudriere jail -c -j 101amd64 -v 10.1-RELEASE -a amd64
</code></pre></div>
<p>Create the poudriere ports tree. I recommend following svn.</p>
<div class="highlight"><pre><span></span><code># poudriere ports -c -m svn+http
</code></pre></div>
<p>Generate a list of packages you'd like to build and put them in a text file.
I prefer to call mine <em>origins.txt</em>.</p>
<div class="highlight"><pre><span></span><code>audio/beets
audio/murmur
comms/minicom
comms/picocom
... etc
</code></pre></div>
<p>Set the build options for your build environment and ports. Edit <strong><em>/usr/local/etc/poudriere.d/make.conf</em></strong></p>
<div class="highlight"><pre><span></span><code>DEFAULT_VERSIONS= mysql=5.5 pgsql=9.3 php=5
# custom options
accessibility_redshift_SET= GNOME GUI
audio_beets_SET= BEATPORT CHROMA DISCOGS FFMPEG
audio_murmur_UNSET= ICE
... etc
</code></pre></div>
<p>Setup the web interface for poudriere. I use nginx, so here's my vhost config:</p>
<div class="highlight"><pre><span></span><code>server {
listen 1.2.3.4:80;
server_name pkg.feld.me;
root /usr/local/share/poudriere/html;
# Allow caching static resources
location ~* ^.+\.(jpg|jpeg|gif|png|ico|svg|woff|css|js|html)$ {
add_header Cache-Control "public";
expires 2d;
}
location /data {
alias /usr/local/poudriere/data/logs/bulk;
# Allow caching dynamic files but ensure they get rechecked
location ~* ^.+\.(log|txz|tbz|bz2|gz)$ {
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# Don't log json requests as they come in frequently and ensure
# caching works as expected
location ~* ^.+\.(json)$ {
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
access_log off;
log_not_found off;
}
# Allow indexing only in log dirs
location ~ /data/?.*/(logs|latest-per-pkg)/ {
autoindex on;
}
break;
}
location /repo {
alias /usr/local/poudriere/data/packages;
}
}
</code></pre></div>
<p>The clients will be fetching from <em>http://pkg.feld.me/repo/${ABI}/</em>.
${ABI} will expand to <strong><em>FreeBSD:10:amd64</em></strong>. You cannot use <strong><em>FreeBSD:10:amd64</em></strong>
as a build jail name because of the colons, so make a symlink so this
just works automagically.</p>
<div class="highlight"><pre><span></span><code># cd /usr/local/poudriere/data/packages
# ln -s 101amd64-default FreeBSD:10:amd64
</code></pre></div>
<p>Setup a build script to update ports, clean poudriere package repo for
unused packages, and build your list of packages:</p>
<pre>
#!/bin/sh
# Update the poudriere ports tree, drop packages no longer needed by the
# origins list, then build everything in the list.
poudriere ports -u
poudriere pkgclean -y -j 101amd64 -f /path/to/origins.txt
poudriere bulk -j 101amd64 -f /path/to/origins.txt
</pre>
<p>Do your first build run!</p>
<div class="highlight"><pre><span></span><code># poudriere bulk -j 101amd64 -f /path/to/origins.txt
</code></pre></div>
<p>Now, your jails or servers can use your package repository. Until the release of <em>pkg
1.3.0</em> I recommend you do not attempt to mix package repositories as it will not work
as expected. On the clients/servers/jails you can use these two config files to activate
your repo and disable the official FreeBSD repo:</p>
<p><strong><em>/usr/local/etc/pkg/repos/feld.me.conf</em></strong></p>
<pre>
feld: {
url: "http://pkg.feld.me/repo/${ABI}/",
mirror_type: "a",
enabled: yes
}
</pre>
<p><strong><em>/usr/local/etc/pkg/repos/freebsd.conf</em></strong></p>
<pre>
FreeBSD: {
enabled: no
}
</pre>
<p>Now on your clients you can install packages with <strong><em>pkg</em></strong>. If you have additional needs
such as signing your repository or different repositories with their own specific
global options (sets) check the poudriere man page -- it's all there!</p>
<p><strong><em>04/09/2015: Updated to reflect some more recent changes</em></strong></p>
<h1>New Blog: Pelican</h1>
<p><em>feld, 2014-06-03T00:00:00-05:00, /posts/2014/06/new-blog-pelican/</em></p>
<p>I've never been into blogging. I did a few articles for a friend on
<a href="http://timedoctor.org">Timedoctor.org</a> but never made time to write about stuff I'm working on.
I most recently had my blog on Tumblr but I only wrote two articles and
then gave up because remembering to log into Tumblr was inconvenient.
I'm quite regularly shelled into my server so maybe I can jot down
useful information and publish it on here.</p>
<p>We'll see how this works out.</p>
<p>Check out <a href="http://blog.getpelican.com/">Pelican</a> if you want something lightweight for your blog.</p>
<h1>Denon E400 firmware update loop</h1>
<p><em>feld, 2014-03-17T00:00:00-05:00, /posts/2014/03/denon-e400-firmware-update-loop/</em></p>
<p>My Denon E400 is a nice AVR, but for some reason fails to do firmware
updates if plugged in to my Ubiquiti Toughswitch. If I attempt an update
it fails to connect to the server for some strange reason and gets stuck
in an update loop with an error on the display that looks like</p>
<p><strong>ConnectionFailed10e</strong></p>
<p>The fix is to do a Network Card reset, which on this model happens to
also be a microprocessor reset. Unfortunately you will be stuck with
factory defaults, and this model doesn't seem to let you do a
backup/restore of settings. </p>
<p><em>sigh</em></p>
<p>Anyway, the trick is to power off the device and hold down</p>
<p><strong>[SOURCE SELECT]</strong>, <strong>[->]</strong> and <strong>[ZONE2 ON/OFF]</strong></p>
<p>while powering on until the display starts blinking for a few seconds.
For the record, the regular microprocessor reset is holding down <em>both</em> of
the <strong>SOURCE SELECT</strong> buttons while powering on and waiting for the display to
blink a few times.</p>
<hr>
<p>Update, 2/19/15:</p>
<p>My friend has an AVR X4000 and he needed to do the same after trying to
update while plugged into a Ubiquiti. He called Denon and his reset
sequence was the following:</p>
<ul>
<li>Hold down the up and down buttons and power button simultaneously</li>
<li>Let the screen flash 5 times</li>
<li>Release</li>
<li>Navigate to the Setup Menu with your remote and then exit</li>
</ul>
<h1>Dell Optiplex 390 keyboard bug</h1>
<p><em>feld, 2013-08-27T00:00:00-05:00, /posts/2013/08/optiplex-390-usb-issues/</em></p>
<p>I have a Dell Optiplex 390 at work and I've had a strange keyboard issue
I couldn't explain: my USB keyboard simply refused to work until my OS
was up and running. Whether it be Windows, Linux, or FreeBSD -- no
keyboard functionality until the kernel had initialized the USB devices.</p>
<p>My keyboard is an Adesso MKB-135B -- a nice keyboard with Cherry MX Blue
switches. My coworker with the same computer has the same issue with his
Logitech somethingorother. I'd always have to pull out a Dell keyboard if
I needed to modify BIOS settings or do something in GRUB / BSD loader.
It was quite annoying. I'd tried several BIOS updates with no luck, but
recently I was annoyed by this bug again and checked for another BIOS
update.</p>
<p>Good news to anyone googling this: as it turns out the latest BIOS
update -- A10 -- actually fixes this issue!</p>
<p>My theory is that this bug is a power issue -- it wasn't putting out
enough power for these keyboards. I never bothered trying to verify it,
but maybe someone out there will.</p>
<p>edit: This did fix the USB-on-boot problem, but I have since had problems
where I come into work in the morning and my keyboard won't work.
Unplug, replug -- no go. Try different keyboard and it works. Plug my
original keyboard to any other computer and it works. Very strange; the
only fix is a power cycle. I've updated to BIOS A11 which I hope will
fix this issue.</p>