Krzysztof Burghardt’s blog » FreeBSD

FreeBSD with X.Org on QEMU

Krzysztof Burghardt — Fri, 27 Mar 2009 19:03:03 +0000

X.Org form ports works fine with cirrus driver, but starts in 800×600 only. Small tweak to configuration file is needed to run X in higher resolutions.

Install X.Org and drivers

First install xorg, xf86-video-cirrus and xf86-input-keyboard ports.

DBus and HAL

Installing DBus and HAL allow X Server to guess hardware configuration and work without any configuration file.

If your console get flooded by messages like this after enabling HAL:

acd0: FAILURE - unknown CMD (0x03) ILLEGAL REQUEST asc=0x20 ascq=0x00

disable CD-ROM polling in HAL with command:

# hal-disable-polling --device /dev/acd0

Automatically configured X-Window starts in resolution as small as 800×600.

Configuring X

Create xorg.conf.new skeleton with:

# X -configure

Tweak xorg.conf.new

Add those settings to get more then 800×600:

Section "Monitor"
HorizSync 31.5 - 48.5
VertRefresh 50.0 - 90.0
Option "DPMS"
EndSection

Section "Device"
Driver "cirrus"
EndSection

If you want to set specific resolution (1024×768 in this example) use:

Section "Screen"
DefaultDepth 16
SubSection "Display"
Depth 16
Modes "1024x768"
EndSubSection
EndSection

Testing X.Org setup

To test your setup run:

# X -config xorg.conf.new

Finally move xorg.conf.new to xorg.conf:

# mv xorg.conf.new /etc/X11/xorg.conf

Now X.Org is configured. Login as plain user and run startx to start X-Window session.

Multiple FreeBSD jails sharing one IP address

Krzysztof Burghardt — Sat, 10 Jan 2009 22:19:35 +0000

If you want to use multiple jails on FreeBSD with only one external IP addresses you may set up all jails on private addressed with little help of loopback interface, NAT and PF.

Networking

Each jail requires one IP address. First create lo1 loopback interface and assign IPs to it:

# ifconfig lo1 create
# ifconfig lo1 inet 10.0.0.1 netmask 255.255.255.0 alias
# ifconfig lo1 inet 10.0.0.2 netmask 255.255.255.0 alias
...

To make this permanent add following lines to /etc/rc.conf:

cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
...

Now configure port redirection (forwarding) from your IP to your jails’s IPs. Here is my PF line (add it to /etc/pf.conf):

rdr on re0 proto tcp from any to ext._ip port http -> 10.0.0.1 port http
rdr on re0 proto tcp from any to ext._ip port ircd -> 10.0.0.2 port ircd
...

If jails need network access (e.g. to download ports) create NAT on your external network interface:

nat on re0 from lo1:network to any -> (re0)

Finally reload PF rules:

# pfctl -d
# pfctl -e -f /etc/pf.conf

Ezjail

Install ezjail from /usr/ports/sysutils/ezjail:

# cd /usr/ports/sysutils/ezjail
# make install clean

After ezjail installation create base jail. This jail is used as skeleton of all jails. Before creating base jail you need to have current FreeBSD sources in /usr/src. If you have built them add -i option to update command to prevent (re)building them:

# ezjail-admin update

Creating jails

When basejail is installed we are ready to create jails:

# ezjail-admin create -f default apachejail 10.0.0.1
# ezjail-admin create -f default ircjail 10.0.0.2

Deploying IPsec in small LAN in 3 easy steps

Krzysztof Burghardt — Mon, 03 Mar 2008 22:04:48 +0000

I think about installing IPsec on computers in my home LAN for some time. There are many configurations possible: tunnel mode, transport mode, peer-to-peer solution or star topology with single VPN hub. Also there are different IPsec implementations. KAME for *BSD, Openswan, strongSwan and Linux 2.6 PF_KEY implementation (which can be used with setkey and racoon or with OpenBSD’s isakmpd). Choosing one is not easy, but for me the simplest method was best. I choose Linux 2.6 PF_KEY with ipsec-tools and racoon for dynamic key exchange (now part of ipsec-tools). Its simple, easy to implement and… configuration files without any modification (except file paths) can be used also in FreeBSD (tested with 6.3-RELEASE).

Step 1. Use OpenVPN easyRSA to set up your own Certificate Authority, generate certificates and keys and sign them. You will need to create links to certificates and keys in form hash.(r)0. Use this command to compute hash:

# openssl x509 -hash -in keys/ca.crt

And then create links replacing question marks by hashes.

# ln -s ca.crt keys/????????.0
# ln -s crl.pem keys/????????.r0

Step 2. When you have all your certificates created you need only to do two more things. First create /etc/ipsec-tools.conf to set Security Policy Database (SPD):

#!/usr/sbin/setkey -f

## Flush the SAD and SPD

flush;
spdflush;

## SPDs for racoon

spdadd 192.168.1.0/24 192.168.1.0/24 any -P out ipsec esp/transport//use;
spdadd 192.168.1.0/24 192.168.1.0/24 any -P in ipsec esp/transport//use;

Step 3. And then configure racoon to negotiate and maintain Security Association Database (SAD). Racoon read configuration from /etc/racoon/racoon.conf:

path certificate "/etc/racoon/certs";

sainfo anonymous {
encryption_algorithm aes256,aes128,blowfish128,3des;
authentication_algorithm hmac_sha256,hmac_sha1,hmac_md5;
compression_algorithm deflate;
lifetime time 30 min;
}

remote anonymous {
exchange_mode main,aggressive;
lifetime time 60 min;
certificate_type x509 "host.crt" "host.key";
verify_cert on;
my_identifier asn1dn;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp1024;
}
}

Now (re)start setkey and racoon on all hosts in LAN. If everything is fine IPsec should be in use for all local connections.