ServerAdmins.NET » freebsd

SSH timeouts suck.

chrism — Wed, 22 Feb 2012 02:03:39 +0000

So if you’re ever connected to a remote machine (or several), and you frequently see this message after you walk away from your term for a bit…

Write failed: Broken pipe

Do this from the machine you’re connecting from. SSHD for Macs/Linux boxes should all have this file. Windows, I’m not so much sure on.

(if not root already)
sudo echo "ServerAliveInterval 5" >> /etc/ssh_config

Or just open it up in your favorite text editor, save and call it good.

What’s happening here is that somewhere between you and your destination, there’s a long enough of a timeout happening that you hit SSHs internal timeout. This line just forces your SSH client to send a keepalive pulse fairly regularly to the endpoint.

Anyway, dumb quick fix to what ails so many of is.

A Basic IPFW firewall HowTo for FreeBSD…

chrism — Fri, 19 Feb 2010 01:42:27 +0000

Of all the different OS’s and the multitude of firewall implementations for each, my favorite has to be FreeBSD’s IPFW ruleset. It’s powerful, super efficient, and most of all, *EASY* to read!

So I’m just going to paste a sample firewall below, notate it heavily for you, and show you how to get it enabled.

For newer FreeBSD builds, it’s enough to add firewall_enable="YES" to your /etc/rc.conf file and reboot. This will load all the necessary kernel modules, and get you in shape. You should know that by default FreeBSD defaults to a ‘default deny’ policy. This is *VERY* important to know. What it means is that by default, your server isn’t going to open up any ports. You *WILL* be locked out if you do not have a firewall in place. Don’t say I didn’t warn you!

So, with that being said, let’s get our firewall in built and in place, and then we’ll go about adding in the necessary options to ensure it comes up properly on boot. It should noted here that you can build in a “Default to accept” option into the kernel or “firewall_type=”open” to the /etc/rc.conf to start up wide open. This is the suggested practice as the chances are, you’re not close enough to your server to console it.

Let’s get our basic firewall going. We’re going to open up 22 for SSH, 80 for web traffic, 25 for SMTP and 110/143 for POP3/IMAP mail. The syntax is simple enough you should be able to customize it for your own needs, but always make sure your SSH port is accessible. Also if you run SSH on an alternative port, you should modify that here. You don’t want to lock yourself out now, do you?

So go ahead, login as root to your server, open up your text editor of choice. For the purpose of this post, I’m going to assume you’re creating the file /etc/firewall.sh. If not, modify where appropriate. You should also make sure this file is executable by root, otherwise it won’t fire off properly on reboot.

#!/bin/sh


set -e
#First, let's clear out any chance of conflicting with other FreeBSD firewall configurations

# and make sure we're starting from a fresh slate.
/sbin/sysctl net.inet.ip.forwarding=0 >/dev/null

/sbin/ipfw -q list >/dev/null 2>&1 || /sbin/kldload ipfw

(/sbin/ipf -D) >/dev/null 2>&1 || true

(/sbin/kldunload ipl) >/dev/null 2>&1 || true

(/sbin/pfctl -d) >/dev/null 2>&1 || true

(/sbin/kldunload pf) >/dev/null 2>&1 || true

/sbin/ipfw -q /dev/stdin < < EOF

flush

delete set 31
#Open up our Loopback device.  There's almost never any reason to filter this.

add allow ip from any to any via lo0
#Allow checking/maintenance of stateful rulesets

add check-state
#Kill off any active/open sessions, pre-fw init.  We do this

#to ensure that any connection to unauthorized ports is dealt with

#and that all connections adhere to the policy...
add reset tcp from any to any established
    ##########################

## Add Inbound Service Allowances ##

    ##########################

#Port 80: www

add allow tcp from any to me 80 setup in

#Port 22: SSH - Stateful connection (it's going to maintain a connection, not come and go)

add allow tcp from any to me 22 setup in keep-state
#Port 21, and 30000-50000, FTP and Passive port rolloff.

add allow tcp from any to me 21 setup in

add allow tcp from any to me 30000-50000 setup in keep-state
#Port 53: DNS

add allow udp from any to me 53 in 
#Port 25, 110, 143.  SMTP, POP3 and IMAP

add allow tcp from any to me 25 in

add allow tcp from any to me 110 in

add allow tcp from any to me 143 in
#ICMP/ping requests should be allowed through, fun stuff happens

#if you don't allow this.  (see ptmu)

add icmp from any to me icmptypes 8 in
 #################################

## Lets Deny some Packets. WOOOT ##

 #################################
#These rules denies everything else, not explicitly listed above

add deny tcp from any to me setup in

add deny ip from any to me in
 ##################

## Outbound Ahoy! ##

 ##################
#Wide open outbound filtering.  You could modify this section to default to deny

#And then allow specific ports out.  I'm not going to do that here, but you should

#be able to figure it out.  
add allow tcp from me to any setup out keep-state

add allow ip from me to any out keep-state
 ###########################

## Last chain to make sure ##

 ###########################
#One more time, just to be positive...

add deny tcp from any to any setup

add deny ip from any to any

enable firewall

EOF
#I set this because the default FreeBSD behavior is to keep a table open

#for a session for 1 hour.  That's a LONG time on a production server.  We

#Go for 10 mins here, but could be lowered drastically.
#Set TTL on Dynamic Rules to 10 Mins.  Formerly 1 hour.

/sbin/sysctl net.inet.ip.fw.dyn_ack_lifetime=600 >/dev/null

Done!

Save your /etc/firewall.sh file, then make sure permissions are right on it…

chmod 755 /etc/firewall.sh && chown root:wheel /etc/firewall.sh

Open up your handy text editor again, and add the following lines to /etc/rc.conf at the bottom.

firewall_enable="YES" firewall_script="/etc/firewall.sh"

Done!

Please keep in mind that if you set “firewall_type=open” above, it may overrule this firewall_script variable, so it should be removed.

Congrats, reboot and enjoy your new firewall.

If this is something you’re interested in, leave a comment and let me know how and I can write a few more articles on more complex configurations quite easily.

Updating the FreeBSD Ports tree, easily…

chrism — Thu, 28 Jan 2010 01:18:00 +0000

I’m feeling a bit lazy tonight, and wanted to get an update here, so for a bit I’ll show you a handy little tool to update your ports tree on FreeBSD. After that, I’ll show you the ugly, old method.

Quick and easy…

Newer versions of FreeBSD come equipped with the ‘portsnap’ utility. This, makes it *VERY* simple to update your ports tree.

For your first run, do this…
portsnap fetch && portsnap extract

This is going to grab a snapshot of the current ports tree, and simply extract it over your new tree, replacing *everything* as it goes. You should only run the ‘extract’ command the first time you run portsnap.

After that, you’ll want to run the following for any further updates…

portsnap fetch && portsnap update

Not only is this much quicker, it doesn’t overwrite everything.

If you want to use this in a cron’d task, you should use the ‘portsnap cron 1′ command. It should be noted the number appended to the end of this is the number in seconds that portsnap will randomize the start of the app from. For example, if you say ‘cron 2000′, portsnap will kick off *sometime* in the next 2000 seconds. The reasoning for this is for larger serverfarms. If you’re running that in cron on all of them and give portsnap a large window, it will keep them all from starting at the same time, loading the BSD servers and abusing your bandwidth. I used 1 in the command above as I wasn’t really looking to use that. Keep in mind this will only fetch the updates, you still need to update the tree afterwords…

A cron entry for this would look something like the following…

0 3 * * * root /usr/sbin/portsnap cron && /usr/sbin/portsnap update

So for normal, day to day operation once you’ve initialized your ports tree the following is what you’ll want to use and update.

/usr/sbin/portsnap fetch && /usr/sbin/portsnap update

Now, if you don’t have portsnap, you should use the following method to update your ports tree. We’re going to go oldschool with cvsup here.

Edit: From reader Bazzoola points out that this is outdated and antiquated and well, he’s 100% right. Any current installations of FreeBSD should have the portsnap utility installed so this shouldn’t be necessary. Consider it here for the sake of memories.

First of all, let’s find our fastest cvsup mirror…

[root@R34 ~]# cd /usr/ports/sysutils/fastest_cvsup/ [root@R34 /usr/ports/sysutils/fastest_cvsup]# make && make install

This is going to install the ‘fastest_cvsup’ port… Afterwords, for the US locale, you can run the following to find your fastest cvsup mirror…

[root@R34 /usr/ports/sysutils/fastest_cvsup]# fastest_cvsup -c us >> Querying servers in countries: us --> Connecting to cvsup.us.freebsd.org [72.233.193.64]... - server replied: ! Access limit exceeded; try again later - time taken: 69.51 ms --> Connecting to cvsup2.us.freebsd.org [130.94.149.166]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 27.19 ms --> Connecting to cvsup3.us.freebsd.org [128.31.0.28]... - server replied: ! Access denied - time taken: 31.65 ms --> Connecting to cvsup4.us.freebsd.org [149.20.64.73]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 55.77 ms --> Connecting to cvsup5.us.freebsd.org [208.83.20.166]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 36.99 ms --> Connecting to cvsup6.us.freebsd.org [64.202.113.190]... * error: connect: Invalid argument --> Connecting to cvsup7.us.freebsd.org [64.215.216.140]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 26.64 ms --> Connecting to cvsup8.us.freebsd.org [216.165.129.134]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 6.23 ms --> Connecting to cvsup9.us.freebsd.org [128.205.32.21]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 26.28 ms --> Connecting to cvsup10.us.freebsd.org [69.147.83.48]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 54.01 ms --> Connecting to cvsup11.us.freebsd.org [63.87.62.77]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 35.11 ms --> Connecting to cvsup12.us.freebsd.org [128.205.32.24]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 26.86 ms --> Connecting to cvsup13.us.freebsd.org [128.205.32.24]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 26.54 ms --> Connecting to cvsup14.us.freebsd.org [216.87.78.137]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 34.63 ms --> Connecting to cvsup15.us.freebsd.org [35.9.37.225]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 23.49 ms --> Connecting to cvsup16.us.freebsd.org [128.143.108.35]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 23.47 ms --> Connecting to cvsup17.us.freebsd.org [65.212.71.21]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 35.93 ms --> Connecting to cvsup18.us.freebsd.org [128.205.32.84]... - server replied: OK 17 0 SNAP_16_1h CVSup server ready - time taken: 3026.06 ms

>> Speed Daemons: - 1st: cvsup8.us.freebsd.org 6.23 ms - 2st: cvsup16.us.freebsd.org 23.47 ms - 3st: cvsup15.us.freebsd.org 23.49 ms [root@R34 /usr/ports/sysutils/fastest_cvsup]#

Cvsup8 it is!

So now, let’s get our ports-supfile in place…

cp /usr/share/examples/cvsup/ports-supfile /root/

Now edit /root/ports-supfile and look for the following line…

*default host=CHANGE_THIS.FreeBSD.org

And modify it to read…
*default host=csup8.freebsd.org

Now, run the following to get *everything* up to date…

cvsup -g -L 2 /root/ports-supfile

Voila, you have an updated ports tree.