dead.letter

A technical blog focusing on Linux, FreeBSD, DNS, security and virtualization.

2009-06-25

What pathname should FreeBSD choose for the "internationalization" ports?

Earlier this morning I had an idea to propose an online poll after following a discussion on the freebsd-ports mailing list about what to name the new category for internationalization ports.

Here are the results so far...


Voting goes through Saturday 8am PDT.


2009-04-06

Book Review: Mastering FreeBSD and OpenBSD Security

Mastering FreeBSD and OpenBSD Security by Yanek Korff

My review (rating: 4 of 5 stars):

It was about what I expected. The sections on pf and osiris were the most interesting. It's due for another revision. There was no mention of portaudit or vuxml, which any FreeBSD user should know about. There was also no mention of IPF, which surprised me; only ipfw and pf were discussed. There was no mention of m0n0wall or pfSense, which are based on FreeBSD.




2008-12-28

VuXML wizard

I'm putting the finishing touches on my FreeBSD VuXML generation wizard. It's sort of like VuXML for dummies, in that you can enter the relevant information into an HTML form and get the raw XML data for entry into /usr/ports/security/vuxml/vuln.xml, or just as an attachment to send-pr.

Example process flow...

1. Identify a valid vulnerability report from some source... (freshports is your friend here, as it will help identify the exact FreeBSD port name and whether the vulnerability has already been reported).

2. Complete the form

3. Save the resulting XML, for example /tmp/portname.vuxml

4. send-pr -a /tmp/portname.vuxml

5. Complete the problem report and send.
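What the wizard has to emit, as an added example (my Python, not the wizard's code): one <vuln> element in the layout used by security/vuxml/vuln.xml, built from the fields the form would collect, with the checks a form should do up front (known range operators, ISO dates, at least one affected package). The port name, CVE id, URL and vid in example_entry() are constructed placeholders.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

XHTML = "http://www.w3.org/1999/xhtml"
RANGE_OPS = ("lt", "le", "ge", "gt", "eq")

def build_vuln_entry(topic, packages, description, references, discovery, entry=None, vid=None):
    """Return one <vuln> element laid out like security/vuxml/vuln.xml.

    packages:    {"portname": [(op, version), ...]} with op in RANGE_OPS; all bounds of
                 one port go into a single <range>, so ("ge","1.0"),("lt","1.2") means 1.0 <= v < 1.2
    references:  {"cvename": [...], "url": [...]} (the two reference tags used here)
    discovery/entry: YYYY-MM-DD; vid: a UUID, freshly generated when omitted
    """
    entry = entry or datetime.date.today().isoformat()
    for d in (discovery, entry):
        datetime.date.fromisoformat(d)          # malformed dates fail here, not in commit review
    if not topic.strip() or not packages:
        raise ValueError("topic and at least one affected package are required")
    vuln = ET.Element("vuln", vid=vid or str(uuid.uuid4()))
    ET.SubElement(vuln, "topic").text = topic.strip()
    affects = ET.SubElement(vuln, "affects")
    for name, bounds in packages.items():
        pkg = ET.SubElement(affects, "package")
        ET.SubElement(pkg, "name").text = name
        rng = ET.SubElement(pkg, "range")
        for op, version in bounds:
            if op not in RANGE_OPS:
                raise ValueError(f"unknown range operator {op!r}")
            ET.SubElement(rng, op).text = version
    body = ET.SubElement(ET.SubElement(vuln, "description"), "body", xmlns=XHTML)
    for para in description.strip().split("\n\n"):
        ET.SubElement(body, "p").text = " ".join(para.split())   # one <p> per paragraph
    refs = ET.SubElement(vuln, "references")
    for tag in ("cvename", "url"):
        for value in references.get(tag, []):
            ET.SubElement(refs, tag).text = value
    dates = ET.SubElement(vuln, "dates")
    ET.SubElement(dates, "discovery").text = discovery
    ET.SubElement(dates, "entry").text = entry
    return vuln

def render(vuln):
    """Pretty-printed XML text, ready to paste into vuln.xml or attach to send-pr."""
    if hasattr(ET, "indent"):                   # Python 3.9+
        ET.indent(vuln, space="  ")
    return ET.tostring(vuln, encoding="unicode")

def example_entry():
    """Constructed sample, not a real advisory: placeholder port, CVE id, URL and vid."""
    return build_vuln_entry(
        topic="examplepkg -- buffer overflow in request parser",
        packages={"examplepkg": [("ge", "1.0"), ("lt", "1.2_1")]},
        description="""The examplepkg project reports:

        A crafted request can overflow a fixed-size buffer in the request parser.""",
        references={"cvename": ["CVE-YYYY-NNNN"], "url": ["http://example.invalid/advisory"]},
        discovery="2008-12-20",
        entry="2008-12-28",
        vid="00000000-0000-0000-0000-000000000000",
    )

if __name__ == "__main__":
    print(render(example_entry()))
```

The output of render() is what step 3 saves to /tmp/portname.vuxml; the <body> carries the XHTML namespace because vuln.xml descriptions are XHTML fragments, and the <range> bounds use the same lt/le/ge/gt/eq tags portaudit later evaluates against installed versions.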

I'm also considering an option to have the submission sent to me (or some sort of queue) instead of just producing the raw output; that way it can find its way into the vuxml input stream with even less effort.


2008-12-07

Convert Tivo shows to iPod & iTunes using open source

I've been working on this lately and finally have most of the wrinkles ironed out. It would be nice to have it Windows-less, but that is still required for the first and last steps. Here is how I do it.

1. Install Tivo Desktop and transfer shows to local computer. Move the file(s) from "My Tivo Recordings" into V:\video\fromtivo

2. On franco (my FreeBSD file server) run tivodecode -m 1234567890 -o outfile.mpg "Some Title.tivo"
This produces the MPEG video. Note that the aspect looks funky in totem a.k.a. Movie Player but it gets fixed in next step.

3. On monk (my Ubuntu laptop), run winff. Add the .mpg file created in step 2. Specify output for iPod and Xvid 4:3. Click options and specify 320x240 in the size. Specify /share2/video/4itunes as the output folder.

4. Back in iTunes, import the resulting outfile.mp4 file and copy to iPod.

To make things like this easier I run a file server (franco) with NFS and Samba. Video files are shared across the network from the /share2/video mount point on Linux which is same as V:\ drive mapping on the windows desktops.

Thinking through how this could be Windows-less: run galleon for transferring the .tivo files down and run iTunes from wine.


2008-11-01

FreeBSD port audio/firefly released, supersedes mt-daapd

Finally got this pushed out, the successor to audio/mt-daapd although it still looks quite the same in many respects, e.g. binary is still mt-daapd and such.

However, this new incarnation is based on the much more recent svn releases, which bundle in support for Ogg Vorbis (.ogg) and FLAC transcoding. That is great if, like me, you chose to encode your digital audio in those alternative formats. Nearly 90% of my collection is in Ogg Vorbis.


Future plans: notifying Last.fm (a.k.a. audioscrobbling) on listen, making it a non-default OPTION on build.


2008-10-31

portaudit and vuxml

I really like portaudit, a FreeBSD app that you can install to notify you when vulnerabilities appear in your installed ports. It pulls down a database of vulnerabilities (much as ClamAV and other virus scanners pull down virus signatures) and compares it against the versions of the packages you have installed.

The vulnerability database portaudit consults, VuXML, is built by volunteer submission: users submit patches to /usr/ports/security/vuxml/vuln.xml describing newly discovered vulnerabilities. I consider this a negative in a way, since vulnerabilities frequently fall through the cracks. Could port maintainers be held responsible for updating vuxml when their ports are listed? I think that would be a reasonable compromise.

Otherwise we need a delegation of responsibilities to ensure vulns DON'T fall through the cracks. Perhaps a team of volunteers who focus on CVEs, non-CVEs (e.g. SecurityFocus or FrSIRT but not CVE-listed) and strictly vendor identified vulns would be able to provide better coverage.

There's also the learning curve of generating vuxml entries, which I describe here. The process is a bit cumbersome and could use some help, so I've begun working on a "wizard" HTML form for vuxml submission (note: not yet functional) which could make this a little easier, especially for newbies.

I'd also love to see portaudit ported to Linux distros (both RPM and DEB) as it should be fairly easy to do.


2008-10-28

pfSense and CARP on vmware-server

Before I forget, I wanted to document the necessary details for getting CARP to work on pfSense running under vmware-server 1.0.7. IT IS BROKEN by default, because the vmnet driver does not recognize the (emulated) MAC address used by CARP (and VRRP): 00-00-5E-00-01-XX

The symptom is that the carp0 interface appears but cannot communicate, and failover does not happen. The reason is that the vmnet driver is silently dropping the packets on the floor.

To get it working requires a patch (on the host) to vmnet-only/driver.c and recompile.

Here is the patch for vmware-server-1.0.7 for Linux. Save it into /tmp/driver.c.patch

--- vmnet-only/driver.c.orig 2008-10-08 15:37:23.000000000 -0500
+++ vmnet-only/driver.c 2008-10-08 15:44:50.000000000 -0500
@@ -1284,6 +1284,9 @@

return ((flags & IFF_PROMISC) || MAC_EQ(destAddr, ifAddr) ||
((flags & IFF_BROADCAST) && MAC_EQ(destAddr, broadcast)) ||
+ ((destAddr[0] == 0) && (destAddr[1] == 0) &&
+ (destAddr[2] == 0x5e) && (destAddr[3] == 0) &&
+ (destAddr[4] == 1)) ||
((destAddr[0] & 0x1) && (flags & IFF_ALLMULTI ||
(flags & IFF_MULTICAST &&
VNetMulticastFilter(destAddr, ladrf)))));
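Review bot: The three added lines accept every destination in the IANA VRRP/CARP range 00:00:5e:00:01:00 through 00:00:5e:00:01:ff ahead of the multicast test, for any VRID and whether or not a guest on that vmnet has configured one; that is what the post needs, but nothing in the hunk says so, so a one-line comment such as `/* VRRP/CARP virtual router MAC 00:00:5e:00:01:<VRID> */` would save the next reader a lookup, and the mixed `0x5e` / `1` / `0x1` spellings in the same expression are worth unifying. The context lines also appear to have lost their leading whitespace in pasting, so patch(1) may need `-l` (ignore whitespace) to apply them, and with `vmnet-only/driver.c` in the headers it should be run with `-p0` from the directory that contains vmnet-only.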


The file is a little hard to find, being hidden in a vmnet.tar below /usr/lib/vmware/modules/source/ ...


cd /usr/lib/vmware/modules/source
tar xvf vmnet.tar
patch < /tmp/driver.c.patch
tar cvf vmnet.tar vmnet-only
vmware-config.pl


Then, choose the option to recompile the kernel drivers, specifically vmnet.

The one other additional need (I'm not 100% sure on this) is that it may be necessary to allow promiscuous mode on the ethernet device, in the .vmx file...

ethernet0.nopromisc = "false"




2008-05-20

libmap.conf to the rescue!

Tonight I found myself tripped up by the dreaded "shared object not found" message on my FreeBSD server 'sonar'. See, I upgraded from 6.3-REL to 7.0-REL recently and in doing so, broke probably every port that had been installed prior. In this instance, my nagios plugin(s) were not working.

root@sonar:/tmp>/usr/local/libexec/nagios/check_smtp -H sonar
/libexec/ld-elf.so.1: Shared object "libssl.so.4" not found, required by "check_smtp"


Here's the deal: whenever FreeBSD releases a new version they bump the library version numbers as a matter of course. So there may be little to no fundamental difference between libcrypto.so.4 and libcrypto.so.5. Or maybe there is. That's why this is risky... but what have I got to lose?

Cut to the chase... if ldd /path/to/binary reveals one or more libraries that aren't found, it can be time for entries in /etc/libmap.conf (instead of the safer/slower choice of rebuilding the port providing said binary).

/usr/local/libexec/nagios/check_smtp:
libssl.so.4 => not found (0x0)
libcrypto.so.4 => not found (0x0)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x40746000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x40852000)
libc.so.6 => not found (0x0)
libc.so.7 => /lib/libc.so.7 (0x40956000)


By using `locate libssl.so` and variants I was able to see that the libraries were in fact available, only the versions had been incremented. Here are the libmap.conf entries I created.

libssl.so.4 libssl.so.5
libcrypto.so.4 libcrypto.so.5
libc.so.6 libc.so.7


Now my program is fixed.

root@sonar:/tmp>/usr/local/libexec/nagios/check_smtp -H sonar
SMTP OK - 0.072 sec. response time|time=0.071886s;;;0.000000
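The same triage in script form, as an added example (my Python, not anything from FreeBSD or the nagios port): parse ldd output for "not found" entries, look in the library directories for the same soname stem with a higher version number, and print candidate libmap.conf lines. The ldd text is the one from the session above; the directory tree demo() builds is constructed (libssl.so.3 is planted only to show that the highest version wins). Function names are mine.

```python
import os
import re
import tempfile

# Constructed sample input: the ldd output from the check_smtp session above.
SAMPLE_LDD = """/usr/local/libexec/nagios/check_smtp:
    libssl.so.4 => not found (0x0)
    libcrypto.so.4 => not found (0x0)
    libintl.so.8 => /usr/local/lib/libintl.so.8 (0x40746000)
    libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x40852000)
    libc.so.6 => not found (0x0)
    libc.so.7 => /lib/libc.so.7 (0x40956000)
"""

def missing_libs(ldd_output):
    """Sonames that ldd(1) reported as 'not found', in the order they appear."""
    return re.findall(r"^\s*(\S+)\s+=>\s+not found", ldd_output, re.M)

def newest_variant(lib, libdirs):
    """For e.g. libssl.so.4, return the libssl.so.N with the highest N found in
    libdirs, or None. Only exact 'stem.NUMBER' names count (libssl.so.5.1 is ignored)."""
    stem = lib.rsplit(".", 1)[0]                  # libssl.so.4 -> libssl.so
    pattern = re.compile(re.escape(stem) + r"\.(\d+)$")
    best, best_ver = None, -1
    for d in libdirs:
        try:
            names = os.listdir(d)
        except OSError:                           # directory absent on this box
            continue
        for name in names:
            m = pattern.match(name)
            if m and int(m.group(1)) > best_ver:
                best, best_ver = name, int(m.group(1))
    return best

def suggest_libmap(ldd_output, libdirs):
    """Candidate /etc/libmap.conf lines: 'missing-soname<TAB>newest-soname-found'."""
    suggestions = []
    for lib in missing_libs(ldd_output):
        cand = newest_variant(lib, libdirs)
        if cand and cand != lib:
            suggestions.append(f"{lib}\t{cand}")
    return suggestions

def demo():
    """Run the suggester against a throwaway directory tree mirroring the sonar box."""
    layout = {"lib": ["libc.so.7"],
              "usr/lib": ["libssl.so.3", "libssl.so.5", "libcrypto.so.5"]}
    with tempfile.TemporaryDirectory() as tmp:
        dirs = []
        for sub, names in layout.items():
            d = os.path.join(tmp, sub)
            os.makedirs(d)
            dirs.append(d)
            for n in names:
                open(os.path.join(d, n), "w").close()
        return suggest_libmap(ldd_output=SAMPLE_LDD, libdirs=dirs)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real box you would feed it `ldd /path/to/binary` output and directories such as /lib, /usr/lib and /usr/local/lib. The output is only a suggestion: a mapping pairs the binary with a library ABI it was never linked against, and for libssl/libcrypto a soname bump can mean changed structure layouts, so the rebuild the post calls the safer choice is still the real fix. libmap.conf also accepts a bracketed program path as a section header, which keeps such a mapping scoped to the one binary rather than applying system-wide.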


2008-03-01

dh params for pfSense


Random tip #1.

pfSense has openvpn capability. You can provide SSL CA and server certificate + key.
It also wants the Diffie-Hellman (DH) parameters. Generating these is described in the OpenVPN documentation as running the ./build-dh script.

Not really an option within pfSense. So you need the "other" command that works on pfSense.

Here's what I did.
1. SSH to pfsense system (ssh admin@pfsense)
2. Choose 8) Shell from menu
3. Run # openssl dhparam -out dh1024.pem 1024
4. cat dh1024.pem
5. Paste contents into pfsense web form.

Here is what the parameters should look like.
-----BEGIN DH PARAMETERS-----
MIGHAoGBAJe656S7xrtxwiQbL/hQ6POKhywl8avqLw2ZxMux5YsQnEQJIHr0sCm1
...RANDOM GIBBERISH...
k963XupLUOCM893va70qdpCjEZFapXZsm7nlFfsDMafOWFRyyY4bAgEC
-----END DH PARAMETERS-----
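What sits inside that "random gibberish", as an added example (my Python, not pfSense, OpenVPN or OpenSSL code): `openssl dhparam` writes a PKCS#3 DHParameter, a DER SEQUENCE of the prime modulus p and the generator g, base64-wrapped in the armour shown above. The block decodes such a blob, reports the modulus size and checks that p is a safe prime and g is in range, which is a quick sanity check on a parameter set before pasting it into the web form. A toy safe-prime generator is included only so the example runs offline at small sizes; real parameters still come from step 3. All function names are mine.

```python
import base64
import random

# Minimal DER helpers: just enough for PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }.

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER for a non-negative int; the rounding adds a 0x00 byte when the high bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, content, position after this element) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def encode_dh_params(p, g):
    """PEM-armour p and g the way `openssl dhparam` does (64-character base64 lines)."""
    b64 = base64.b64encode(der_seq(der_int(p), der_int(g))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def decode_dh_params(pem):
    """Strip the armour, base64-decode, and pull p and g out of the SEQUENCE."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    tag_p, p_bytes, nxt = read_tlv(seq, 0)
    tag_g, g_bytes, _ = read_tlv(seq, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (p, g)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def is_probable_prime(n, rounds=32, rng=random):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_params(pem):
    """Modulus size, safe-prime test (p and (p-1)/2 both prime) and generator range."""
    p, g = decode_dh_params(pem)
    return {
        "bits": p.bit_length(),
        "safe_prime": is_probable_prime(p) and is_probable_prime((p - 1) // 2),
        "generator_ok": 2 <= g <= p - 2,
    }

def generate_safe_prime(bits, rng):
    """Toy stand-in for dhparam's search: a prime q with p = 2q + 1 also prime.
    Demo sizes only; real parameters come from `openssl dhparam`."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
            return p

def demo(bits=64, seed=7):
    """Generate a toy parameter set, round-trip it through PEM armour, and check it."""
    p = generate_safe_prime(bits, random.Random(seed))
    return check_dh_params(encode_dh_params(p, 2))

if __name__ == "__main__":
    print(demo())
```

Feeding the dh1024.pem produced in step 3 to check_dh_params() should report 1024 bits, a safe prime and a generator of 2; a blob that decodes to something else was not produced by dhparam, or was mangled in the copy and paste.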


2008-01-24

The Best of FreeBSD Basics


I'm excited to get my hands on the recently published The Best of FreeBSD Basics by Dru Lavigne. I very much enjoyed her previous book BSD Hacks. The publisher Jeremy Reed is also a friend and I commend his efforts.

Richard Bejtlich gave it a nice review, which is a good sign.

Of course I've got to finish Absolute FreeBSD 2nd Edition first.


2007-11-08

Long live FIGlet

Nice & succinct write-up on how to modify the logo graphic shown at FreeBSD bootup. I was once again reminded of figlet, which is a wonderful utility to convert text into ASCII art...

> figlist | head -12
Default font: standard
Font directory: /usr/local/share/figlet
Figlet fonts in this directory:
banner
big
block
bubble
digital
ivrit
lean
mini
mnemonic
...


> figlet -f mini 'Franco'
_
|_.__.._ _ _
| |(_|| |(_(_)

> figlet -f shadow 'Franco'
____|
| __| _` | __ \ __| _ \
__| | ( | | | ( ( |
_| _| \__,_|_| _|\___|\___/


2007-08-23

Doing the portaudit dance

First off, just let me say I love portaudit, the FreeBSD port you can install which will notify you whenever security vulnerabilities are discovered with your installed ports/packages.

Well, today in my usual "security run output" e-mail that my FreeBSD servers send me was this:

Checking for packages with security vulnerabilities:

Affected package: rsync-2.6.9
Type of problem: rsync -- off by one stack overflow.
Reference: http://www.FreeBSD.org/ports/portaudit/af8e3a0c-5009-11dc-8a43-003048705d5a.html


Great. I hopped on the box and, knowing that the myupdate script had brought my ports tree up to date the night before, I just ran portmaster rsync and was asked whether I wanted to upgrade rsync-2.6.9.

So I said yes and portmaster began the upgrade to 2.6.9_1. Only moments later I was interrupted by a fatal error echoing the message above, except for 2.6.9_1.

What was happening? I will tell you.

portaudit periodically downloads a local copy of the portaudit database. The copy on my local filesystem was from the day before, which must not yet have had the updated known-good version specified. After running portaudit -Fa I was able to update the rsync port.

The -F flag forces portaudit to fetch a fresh copy of the vulnerability (XML) database.

This would be something to know for handling quick fixes to freshly released & patched vulnerabilities.
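How the comparison behind both this post and the earlier "portaudit and vuxml" post actually works, as an added example (my Python, not portaudit's code): the block carries one VuXML entry constructed from the security-run mail above (its vid, topic and reference URL are the ones the mail shows, and the <range> encodes this post's story: 2.6.9 affected, 2.6.9_1 fixed), implements a simplified form of pkg_version(1) ordering for version[_revision][,epoch], and reports installed packages that fall inside an affected range the way the nightly mail does. The ordering deliberately skips pkg_version's special cases for suffixes such as pl or rc; function names are mine.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/2002/vuxml-1}"

# Constructed sample in the shape of security/vuxml/vuln.xml. The vid, topic and
# reference URL are the ones in the security-run mail above; the <range> encodes
# the post's story (2.6.9 affected, 2.6.9_1 fixed).
SAMPLE_VULN_XML = """<vuxml xmlns="http://www.vuxml.org/2002/vuxml-1">
  <vuln vid="af8e3a0c-5009-11dc-8a43-003048705d5a">
    <topic>rsync -- off by one stack overflow</topic>
    <affects>
      <package>
        <name>rsync</name>
        <range><lt>2.6.9_1</lt></range>
      </package>
    </affects>
    <references>
      <url>http://www.FreeBSD.org/ports/portaudit/af8e3a0c-5009-11dc-8a43-003048705d5a.html</url>
    </references>
  </vuln>
</vuxml>
"""

def parse_version(v):
    """Simplified pkg_version(1) ordering for version[_revision][,epoch]: epoch
    wins, then dotted components (numbers as ints, letter runs as strings),
    then the _N revision. Assumption: no special cases for pl/rc/a/b suffixes."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return epoch, comps, revision

def compare_versions(a, b):
    """-1, 0 or 1, like pkg_version -t."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)

OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def range_matches(rng, version):
    """A <range> matches when every bound it contains holds for the version."""
    return all(OPS[b.tag.replace(NS, "")](compare_versions(version, b.text.strip())) for b in rng)

def split_pkg(pkgname):
    """rsync-2.6.9 -> ('rsync', '2.6.9'); the version starts after the last dash."""
    name, _, ver = pkgname.rpartition("-")
    return name, ver

def audit(installed, vuln_xml=SAMPLE_VULN_XML):
    """(pkgname, vid, topic, url) for each installed package inside an affected
    range, i.e. what portaudit -a reports after matching the local database."""
    hits = []
    for vuln in ET.fromstring(vuln_xml).iter(NS + "vuln"):
        vid, topic = vuln.get("vid"), vuln.findtext(NS + "topic")
        url = vuln.findtext(f"{NS}references/{NS}url") or ""
        for pkg in vuln.iter(NS + "package"):
            names = {n.text.strip() for n in pkg.findall(NS + "name")}
            ranges = pkg.findall(NS + "range")
            for pkgname in installed:
                name, ver = split_pkg(pkgname)
                if name in names and any(range_matches(r, ver) for r in ranges):
                    hits.append((pkgname, vid, topic, url))
    return hits

def format_report(hits):
    """Render hits in the layout of the security-run mail."""
    lines = ["Checking for packages with security vulnerabilities:", ""]
    for pkgname, vid, topic, url in hits:
        lines += [f"Affected package: {pkgname}", f"Type of problem: {topic}.", f"Reference: {url}", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(audit(["rsync-2.6.9", "rsync-2.6.9_1"])))
```

The stale-database failure in this post falls straight out of the matching: the upgrade target 2.6.9_1 is only clean against an entry whose <lt> bound is 2.6.9_1, so a local copy fetched before that bound existed flags the fixed package exactly as it flags the broken one, and portaudit -F is what brings the bound in.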


2007-07-23

FreeBSD port security/xca-0.6.3 update

After many weeks of (re)compiling and code wrangling, followed by 5 weeks of waiting for someone to commit, it is finally here!

http://www.freshports.org/security/xca/


Thanks to everyone who helped, you know who you are!

For the rest of you who are in a position to manage certificates for your organization/company/school, xca is an excellent GUI to manage CA generation and the functions of CSR import, certificate signing and CRL generation. We've used it for 2 years at the Port and it has worked out really well. Please try it out and show your support.


2006-10-18

FreeBSD re-supported in VMware ESX server

Just discovered that the latest 2.5.x release of VMware's ESX server supports FreeBSD after dropping support in some of the earlier releases.

This is great!

However, it is also a bittersweet circumstance, in that the version they chose to support is on a very short leash. Support for 4.11-RELEASE by the FreeBSD team is due to expire in just a few months (Jan '07). Hopefully VMware will recognize the situation for what it is and get the 6.x series into a supported state. 6.x is the horse they should be riding at this point.

References:
http://www.vmware.com/support/esx25/doc/releasenotes_esx254.html
http://lists.freebsd.org/pipermail/freebsd-security/2006-October/004045.html


2006-05-03

New version of FreeBSD myupdate script

This new version 1.2 has the following changes.
1. The script no longer echoes unless there is something important to know
2. It is quieter by using the -L0 arg to cvsup instead of -L2
3. It copies/checks /usr/src/UPDATING.last to decide whether to build world & build kernel

This new version should be more friendly to run from cron, since it will only produce output if a make buildworld buildkernel was deemed necessary. If you are like me, reducing the S/N ratio of automated email messages has become a daily endeavour.
