Archives for posts with tag: BSD


Excellent laptop for having a wireless chip which is compatible with a stock Debian and FreeBSD installation! This is one of the first pieces of hardware I have come across where the OS detected the wireless chip during installation.

Next, I used a UEFI based dual boot installation and had to manually add the Debian entry in the BIOS setup. The FreeBSD EFI partition got detected out of the box, sweet!

The hardware list from lspci on Debian:

00:00.0 Host bridge: Intel Corporation Broadwell-U Host Bridge -OPI (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Broadwell-U Integrated Graphics (rev 09)
00:03.0 Audio device: Intel Corporation Broadwell-U Audio Controller (rev 09)
00:04.0 Signal processing controller: Intel Corporation Broadwell-U Camarillo Device (rev 09)
00:14.0 USB controller: Intel Corporation Wildcat Point-LP USB xHCI Controller (rev 03)
00:16.0 Communication controller: Intel Corporation Wildcat Point-LP MEI Controller #1 (rev 03)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection (3) I218-LM (rev 03)
00:1b.0 Audio device: Intel Corporation Wildcat Point-LP High Definition Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #1 (rev e3)
00:1c.3 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #4 (rev e3)
00:1c.4 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #5 (rev e3)
00:1d.0 USB controller: Intel Corporation Wildcat Point-LP USB EHCI Controller (rev 03)
00:1f.0 ISA bridge: Intel Corporation Wildcat Point-LP LPC Controller (rev 03)
00:1f.2 SATA controller: Intel Corporation Wildcat Point-LP SATA Controller [AHCI Mode] (rev 03)
00:1f.3 SMBus: Intel Corporation Wildcat Point-LP SMBus Controller (rev 03)
01:00.0 SD Host controller: O2 Micro, Inc. SD/MMC Card Reader Controller (rev 01)
02:00.0 Network controller: Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)


On Debian everything works fine, but you might want to remove the Intel xorg driver (xserver-xorg-video-intel), as that is for hardware older than 2007; with the old driver installed the graphics were not that smooth and the CPU utilization increased.

Other than this, I was unable to suspend to RAM when HT was disabled. Enabling HT in the BIOS solves this.

On FreeBSD the integrated GPU is not yet supported :( so it is just the command line for now.

Will consider Dell again for my computing.


Install Redmine, Apache, MySQL, and the Passenger module (rubygem-passenger).

# pkg install redmine apache24 mysql56-server mysql56-client rubygem-passenger

Things to note about locations where we will place files and edit them:

Installation directory of Redmine:
/usr/local/www/redmine

Redmine config directory:
/usr/local/www/redmine/config

Apache virtual host (Includes) directory:
/usr/local/etc/apache24/Includes


Next, start MySQL:

# service mysql-server onestart

Create the necessary DB and user for Redmine and grant privileges:

CREATE DATABASE redmine CHARACTER SET utf8;
CREATE USER 'redmine'@'localhost' IDENTIFIED BY 'my_password';
GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost';

In the above commands change the password, database name, and user name for your setup.

DB Data load:

Load the DB dump taken from the old Redmine instance into the new one as the root user:

# mysql -u REDMINE_USER -p < DB_DUMP_FILENAME_here.sql

You might need to add the line "USE REDMINE_DB_NAME;" to the top of the .sql dump file (for the above example, "USE redmine;"), as the dump might not contain a statement selecting which DB to populate.

Redmine configuration:

Copy the old database.yaml file into the config directory of Redmine and change the adapter type from 'mysql' to 'mysql2'.
Copy the old configuration.yaml file into the config directory of Redmine.
Copy the attachments directory (named files) from the old installation to the new installation directory.

After the above, follow the guide below to upgrade the DB schema, generate a new session token, etc.

Apache virtual hosts configuration:

I followed the message posted when the passenger module got installed.

Copy the following into any file ending with the extension .conf, like redmine.conf, under the Apache Includes directory:

#Load the SSL and Passenger modules; LoadModule is only valid at server level,
#outside <VirtualHost>. Passenger is pointed to Ruby and its Gems.
LoadModule ssl_module libexec/apache24/
LoadModule passenger_module /usr/local/lib/ruby/gems/2.2/gems/passenger-5.0.28/buildout/apache2/mod_passenger.s
PassengerRoot /usr/local/lib/ruby/gems/2.2/gems/passenger-5.0.28
PassengerRuby /usr/local/bin/ruby22

#Redirect all http requests to https
<VirtualHost *:80>
        Redirect /   <= Replace with FQDN or the IP address of your server/service.
</VirtualHost>

#Enable server to listen on TCP port 443
Listen 443

<VirtualHost *:443>
        #Enable SSL using certificates
        SSLEngine on
        SSLCertificateFile "/usr/local/etc/apache24/FQDN_NAME.crt"
        SSLCertificateKeyFile "/usr/local/etc/apache24/FQDN_NAME.key"

        #Passenger/Rails application settings
        RailsEnv production
        PassengerDefaultUser www
        DocumentRoot /usr/local/www/redmine/public/
        <Directory "/usr/local/www/redmine/public/">
                Allow from all
                Options -MultiViews
                Require all granted
        </Directory>
</VirtualHost>

Finally run the mysql_secure_installation script to disable remote root user login.
Start the Apache process and add it and the MySQL service to /etc/rc.conf so they start at boot time:

# service apache24 onestart

# sysrc mysql_enable="YES"
# sysrc apache24_enable="YES"

This will ensure that Redmine starts up during boot, when Apache and MySQL are running.

I faced an issue where the email notifications were not working; for this, check the configuration.yaml file against the Redmine wiki. In my case the file from the previous installation had incorrect settings.
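As an added example (not from the original post), a small POSIX shell helper for the two file edits in the migration above: it prepends a USE statement to the dump when the dump lacks one, and switches the adapter in the copied database.yaml from mysql to mysql2. File names and the database name are arguments; the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: prepare an old Redmine dump and
# database.yaml for the migration described above.
set -eu

# has_use_stmt FILE: succeed if the dump already selects a database.
has_use_stmt() {
  grep -Eiq '^[[:space:]]*USE[[:space:]]+`?[A-Za-z0-9_]+`?[[:space:]]*;' "$1"
}

# ensure_use_db FILE DBNAME: prepend "USE `DBNAME`;" unless the dump has one,
# so that `mysql -u ... -p < FILE` populates the intended database.
ensure_use_db() {
  if has_use_stmt "$1"; then
    echo "$1 already selects a database, left untouched"
    return 0
  fi
  tmp="$1.tmp.$$"
  { printf 'USE `%s`;\n' "$2"; cat "$1"; } > "$tmp"
  mv "$tmp" "$1"
  echo "prepended USE $2 to $1"
}

# fix_adapter FILE: change "adapter: mysql" to "adapter: mysql2" in the copied
# database.yaml; an entry that already says mysql2 is left alone.
fix_adapter() {
  tmp="$1.tmp.$$"
  sed -E 's/^([[:space:]]*adapter:[[:space:]]*"?)mysql("?[[:space:]]*)$/\1mysql2\2/' "$1" > "$tmp"
  mv "$tmp" "$1"
}

# Usage (paths are assumptions):
#   ensure_use_db /root/redmine-old.sql redmine
#   fix_adapter /usr/local/www/redmine/config/database.yaml
```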

Suppose you want to download an application or game package for your FreeBSD PC which has no internet access; that is hard on *BSD or GNU/Linux unless you have the software on discs.

This made me resolve to write a basic shell script to download a package and its dependencies for a FreeBSD 10 machine, as this is the OS I am using day to day.

However, when I started delving deeper I noticed FreeBSD's pkg already had it covered! 🙂

You need the following:

  1. A FreeBSD PC which is connected to the internet; its architecture must match that of the target where you want to install the packages.
  2. pkg installed on this internet-connected FreeBSD machine.
  3. Root privileges on this machine.
  4. A storage medium to transfer packages from this machine to the other.


With the above ready you can use the following commands to download a package and its dependencies.

# mkdir /root/off-pac

# pkg fetch   -d -o  /root/off-pac   vlc

Updating FreeBSD repository catalogue…
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following packages will be fetched:

New packages to be FETCHED:




libdvbpsi-1.2.0 (0.09% of 118 MiB: 104 KiB)
opus-1.1.1_1 (0.20% of 118 MiB: 243 KiB)

The process will require 118 MiB more space.
118 MiB to be downloaded.

Proceed with fetching packages? [y/N]:

That is it!

This will download all packages necessary to install vlc. Now you need to transfer the directory /root/off-pac to your storage medium and install the application on the FreeBSD PC which is not connected to the internet.

This was easier than I was expecting; I wonder what I can do similarly for Debian.

Update[10 March 2016]:

There is a gotcha which I had not covered as I had not faced it ;): the default FreeBSD repository points to the quarterly branch, that is, applications are updated once in three months or so.

But as the RELEASE disc comes with a fixed package set, using applications from the quarterly branch can cause issues, especially with the dependencies. It is better to stick to the RELEASE repository.

In my example I had tried this on FreeBSD RELEASE 10.2, but some of the libraries were old by the time I started downloading packages from the official quarterly repository.

This is simple to solve, as pkg in FreeBSD supports configuring and using multiple repositories.

How to configure this:

Find out the release URI for the FreeBSD version you want packages for by visiting

In my case the OS was 64 bit and RELEASE 10.2, so I noted the following URI:

Copy the default pkg repository at /etc/pkg/FreeBSD.conf config to /usr/local/etc/pkg/repos/r102.conf

I chose r102.conf; it could be any arbitrary name, but it must end with .conf! Choose something meaningful 🙂

cp /etc/pkg/FreeBSD.conf /usr/local/etc/pkg/repos/r102.conf

Now edit the r102.conf file and replace the url variable; it should look something like this:

r102: {
  url: "pkg+${ABI}/release_2",
  enabled: true,
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  mirror_type: "srv"
}

Refresh the repository cache:

pkg update

You can now install applications from this repository:

pkg install -r r102 vlc

Now to fetch packages from this repository, use the -r switch, like:

pkg fetch -d -o /root/off-pac -r r102 vlc

What this does is it downloads vlc from the repository configured in r102. The packages downloaded like this should be compatible with the libraries you might have installed using the RELEASE disc.
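As an added example (not from the original post, nor part of pkg itself), a shell wrapper around the steps above that fetches from the release repository and also covers the other end, installing from the carried directory on the disconnected machine. It assumes pkg(8) as on FreeBSD 10.x and that `pkg repo DIR` builds a catalogue for the package files under DIR so that DIR can serve as a file:// repository; /root/off-pac and r102 are the names used above.

```shell
#!/bin/sh
# Added example, not part of the original post: carry packages with their
# dependencies to a FreeBSD machine without internet access.
# Assumption: `pkg repo DIR` (pkg-repo(8)) writes a catalogue for the package
# files found under DIR, which pkg can then use through a file:// URL.
set -eu

# repo_conf NAME URL [PRIORITY]: print a repository definition in pkg's UCL
# form, for /usr/local/etc/pkg/repos/NAME.conf. Remote repositories keep the
# fingerprint checking of the default FreeBSD.conf; a file:// repository
# carries no signatures, so it is declared unsigned and without SRV mirrors.
# A PRIORITY above 0 makes pkg prefer this repository when several are enabled.
repo_conf() {
  name=$1; url=$2; prio=${3:-0}
  printf '%s: {\n' "$name"
  printf '  url: "%s",\n' "$url"
  printf '  enabled: true,\n'
  printf '  priority: %s,\n' "$prio"
  case $url in
    file://*)
      printf '  signature_type: "none"\n' ;;
    *)
      printf '  signature_type: "fingerprints",\n'
      printf '  fingerprints: "/usr/share/keys/pkg",\n'
      printf '  mirror_type: "srv"\n' ;;
  esac
  printf '}\n'
}

# fetch_bundle REPO OUTDIR PKG...: on the connected host, fetch PKG and all of
# its dependencies (-d) from REPO into OUTDIR, then write a catalogue there.
fetch_bundle() {
  repo=$1; out=$2; shift 2
  mkdir -p "$out"
  pkg fetch -y -d -r "$repo" -o "$out" "$@"
  pkg repo "$out"
}

# install_bundle DIR PKG...: on the disconnected host, register DIR (copied
# from the storage medium) as the repository "offline" and install only from it.
install_bundle() {
  dir=$1; shift
  mkdir -p /usr/local/etc/pkg/repos
  repo_conf offline "file://$dir" 10 > /usr/local/etc/pkg/repos/offline.conf
  pkg update -r offline
  pkg install -y -r offline "$@"
}

# Connected side, with the release repository r102 configured as above:
#   fetch_bundle r102 /root/off-pac vlc
# Disconnected side, after copying /root/off-pac over:
#   install_bundle /root/off-pac vlc
```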

Continuing from the previous post, where we learned how to create a jail on FreeBSD 10 without internet, here we will see two ways to provide internet access to the jail: one using PF (employing its NAT feature) and another where we piggyback on a host interface (FreeBSD aliases the interface).


First the easy one (without NAT):

This is easy, while creating a Jail just use the host network interface and select an available IP from the same subnet as the host is on. Following is a logical representation of our setup.

Logical diagram of what we will achieve.

To start with, first determine the interface you want to use:

# ifconfig
Sample output:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 08:00:27:57:37:49
inet6 fe80::a00:27ff:fe57:3749%em0 prefixlen 64 scopeid 0x1
inet netmask 0xffffff00 broadcast

ether 08:00:27:63:4f:4b
inet netmask 0xffffff00 broadcast
inet netmask 0xffffffff broadcast vhid 1
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active

On my PC, em0 is the interface on which I would like to place my jail, as that is connected to the internet.

So create a jail like:

# ezjail-admin create YOUR-jail-name 'em0|'

By default ping is disabled on Jails, try using telnet to connect to one of the public websites.

In the following example I am sending a GET request on TCP:80 (http) from the jail, after getting its IP address:

# ezjail-admin console your-jail-name

Jail shell> host has address mail is handled by 10

Jail shell> telnet 80
Connected to
Escape character is '^]'.
<title>302 Found</title>
<p>The document has moved <a href="">here</a>.</p>
<address>Apache/2.4.7 Server at Port 80</address>
Connection closed by foreign host.

It works! 🙂

You can now install applications from internet and further configure the Jail, but first add a nameserver by creating a new /etc/resolv.conf 😉


We can extend on this method to attach multiple IP addresses of different networks to the jail.


Let's say you want to use both em0 and em1 with different IP addresses:

ezjail-admin create YOUR-jail-name 'em0|,em1|'

This attaches two new IP addresses to the respective interfaces and the jail becomes accessible from both subnets.

The above method works if you have spare IP addresses, but what if you have limited IP addresses and/or you want to isolate the jails on a separate subnet?

Well that is when NAT comes into picture.

Read more about it at wikipedia =>

Internet connectivity for Jails with NAT(using PF):

NAT is useful when you want to isolate the jails/hosts completely on a private subnet.
And/or, you have limited public IP addresses and want to share it among different Jails.

By following this guide you will achieve something like below:

In the above diagram the jails are restricted to their own subnet; they cannot reach other networks on their own. In order to reach the internet (or other subnets) we NAT the outgoing connections using the host as the gateway, which causes the outgoing connections to appear as originating from the host. For hosts on the 10. and 192. subnets, a connection from a jail appears to come from the host's address on the respective subnet, which is not the jail's actual IP address!

First we need to prepare the host to act as a gateway and router which NATs the connections (firewall/packet filtering is optional).

Enable the host system to act as a gateway:

# sysctl net.inet.ip.forwarding=1

To forward IPv6 traffic, use:

# sysctl net.inet6.ip6.forwarding=1

To enable these settings at system boot(and make them permanent), add the following to /etc/rc.conf:

gateway_enable="YES" #for ipv4
ipv6_gateway_enable="YES" #for ipv6

Now we create a cloned interface which the jails will use, and later enable NAT using PF.

Clone the loopback interface on which the jails will communicate:

In /etc/rc.conf add:

cloned_interfaces="lo1"
Then on the host:

# service netif cloneup

If no error is shown then lo1 is created, if you would like to confirm, run ifconfig on host.

Next create a jail with this new interface and an IP address:

# ezjail-admin create your-jail 'lo1|'

Start the Jail:

# ezjail-admin onestart your-jail

If no errors are shown, your-jail is running attached to lo1, check using ifconfig:

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet netmask 0xffffffff

However, this jail cannot reach the internet; the final step is to enable NAT. I am using PF here as it is very easy to configure; configuring IPFW for NAT with stateful filtering is hard.

To enable PF add the following in /etc/rc.conf:

pf_enable="YES"

There are a bunch of other things you can enable; refer to the manual for these, I am trying to keep this how-to simple. 😉

Next run:

# service pf start

By default PF reads the filtering rules and configuration from /etc/pf.conf. We will be making the bare minimum changes required for NAT here.

For my environment I had to add following in /etc/pf.conf:

#Declare the interfaces, Public IP, private subnet,
EXT_IF0 = "em0"
EXT_IF1 = "em1"

nat pass on $EXT_IF1 from $NET_JAIL to any -> $LAN_IP
nat pass on $EXT_IF0 from $NET_JAIL to any -> $IP_PUB

#### end of pf.conf ####

To make further changes easy, we first declare the interfaces, the IP addresses the host is on ($IP_PUB, $LAN_IP) and the network the jails are on ($NET_JAIL); you can limit NET_JAIL to a single jail IP by using /32 as the routing prefix, like

Next we have written the NAT rules, which direct PF to NAT (and pass) any packet arriving from the jail network ($NET_JAIL) on either of the interfaces ($EXT_IF0, $EXT_IF1), depending upon the destination, to either the LAN ($LAN_IP) or the internet ($IP_PUB). PF maintains the state of the connections and the reply packets are routed back to the jails appropriately.

Done! The network diagram looks something like this:


Refer to the PF manual if you want to use more advanced features. Enjoy jailing the daemons!
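As an added example (not from the original post), a shell script that emits the pf.conf translation rules above together with the macro declarations they rely on, after checking that each jail's address really lies inside NET_JAIL (a /32 restricts it to a single jail, as noted above). The interface names follow the post; every address in the script is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the NAT section of
# /etc/pf.conf for the jail setup above. 192.0.2.10 (public side) and
# 10.0.0.2 (LAN side) are placeholder host addresses.
set -eu

# ip_to_int A.B.C.D: dotted quad to an integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || { echo "bad address" >&2; return 1; }
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS: succeed if IP falls inside the prefix.
in_subnet() {
  bits=${2#*/}
  [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# gen_pf_conf EXT_IF0 IP_PUB EXT_IF1 LAN_IP NET_JAIL: the translation rules
# from the post, preceded by the macro declarations they use.
gen_pf_conf() {
  cat <<EOF
# Interfaces, host addresses and the jail subnet
EXT_IF0 = "$1"
IP_PUB = "$2"
EXT_IF1 = "$3"
LAN_IP = "$4"
NET_JAIL = "$5"

# NAT (and pass) everything leaving the jail subnet through either interface
nat pass on \$EXT_IF1 from \$NET_JAIL to any -> \$LAN_IP
nat pass on \$EXT_IF0 from \$NET_JAIL to any -> \$IP_PUB
EOF
}

# check_and_emit NET_JAIL JAIL_IP...: refuse to emit the rules if any jail
# address is outside NET_JAIL, since such a jail would never be translated.
# Usage: check_and_emit 10.1.1.0/24 10.1.1.10 10.1.1.11 > /etc/pf.conf
check_and_emit() {
  net=$1; shift
  for j in "$@"; do
    in_subnet "$j" "$net" || { echo "jail $j is outside $net" >&2; return 1; }
  done
  gen_pf_conf em0 192.0.2.10 em1 10.0.0.2 "$net"
}
```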

A BSD jail is a container which provides an isolated environment for applications to run. Ezjail simplifies the process of installing and managing jails.

Most of the posts on ezjail focus on downloading a FreeBSD basejail/template from internet.

I was curious how I could use what I had with me, a DVD .iso image of FreeBSD 10.2 RELEASE. It turns out it is not that hard, and ezjail does support this.

This post is aimed at users who are on a low bandwidth link or lack internet connectivity. I have used version 10.2 here; this might not work with earlier releases. The following commands are executed as the root user.

In the end we will have something like:

Logical diagram of what we will achieve.

The diagram is a logical representation of what we will get.

Now to start with, after installing FreeBSD (ZFS recommended for production servers) and installing ezjail from the FreeBSD repo (in case you lack internet, you can download the ezjail package beforehand), mount the CD/DVD .iso image you have:

# mount -t cd9660 /dev/cd0 /media/optical/

or:

# mount_cd9660 /dev/cd0 /media/optical/

/dev/cd0 works for both a CD and a DVD. You may have to create the optical/ directory under /media or /mnt.

If there were no error messages then the disc was mounted.

Execute following to verify:

# mount
/dev/cd0 2.6G 2.6G 0B 100% /media/optical

or:

# df
/dev/cd0 2675856 2675856 0 100% /media/optical

The FreeBSD distribution which contains the base OS (in the file base.txz) is under usr/freebsd-dist on the optical media.

root@Zfreebsd:/media/optical/usr/freebsd-dist # ls
MANIFEST base.txz doc.txz games.txz kernel.txz lib32.txz ports.txz src.txz

root@Zfreebsd:/media/optical/usr/freebsd-dist # pwd
/media/optical/usr/freebsd-dist
Supply the above (absolute/full) path to ezjail-admin to create a basejail:

# ezjail-admin install -h file:///media/optical/usr/freebsd-dist

This will extract and install the base jail necessary to create other jails; to install man pages as well, supply -m:

# ezjail-admin install -m -h file:///media/optical/usr/freebsd-dist
146888 blocks
Note: a non-standard /etc/make.conf was copied to the template jail in order to get the ports collection running inside jails.

After this you can see the base jail created by ezjail under /usr/jails:

# ls -l /usr/jails/
total 18
drwxr-xr-x   9 root  wheel   9 Dec 12 15:28 basejail
drwxr-xr-x   3 root  wheel   3 Dec 12 15:28 flavours
drwxr-xr-x  12 root  wheel  22 Dec 12 15:28 newjail

Your environment is now ready to create jails using this base jail.

Optionally, update the basejail to the latest patches:

# ezjail-admin update -u

Creating a test jail

# ezjail-admin create testjail1 'em0|'
6287 blocks
Warning: Some services already seem to be listening on all IP, (including
This may cause some confusion, here they are:
root     ntpd       655   20 udp6   *:123                 *:*
root     ntpd       655   21 udp4   *:123                 *:*
root     syslogd    493   6  udp6   *:514                 *:*
root     syslogd    493   7  udp4   *:514                 *:*

To resolve the warning shown, we need to limit which addresses these services listen on on the host.

For ntpd it is difficult to do this, so either install net/openntpd or disable it in /etc/rc.conf:

# sysrc ntpd_enable="NO"

and stop the running daemon:

# service ntpd onestop


For syslogd there are flags which will bind it to the host address. In /etc/rc.conf:

syslogd_flags="-s -b "
#-s causes it to be in secure mode, -b to bind it to
#an address

Restart syslogd:

# service syslogd restart

Also change the ssh configuration to listen only on select IP addresses, in /etc/ssh/sshd_config:

ListenAddress HOST_IP_ADDRESS
Restart SSH after checking for errors:

# sshd -t

# service sshd restart


Now start the jail you created:

# ezjail-admin start testjail1

# ezjail-admin list

Get a shell in your new jail with:

# ezjail-admin console testjail1

You can now install applications inside the jail. It is just like another FreeBSD machine.
Optional: to allow ping from inside the jail:
You need to change settings on your host and on the jail.

On host:

# sysctl security.jail.allow_raw_sockets=1

For setting it permanently, modify /etc/sysctl.conf.

For the jail, on the host:
Edit the ezjail config of the jail on the host; for me it is /usr/local/etc/ezjail/testjail1. Add the following:

export jail_testjail1_parameters="allow.raw_sockets"

or:

export jail_testjail1_parameters="allow.raw_sockets=1"

To make this effective, restart the jail from the host:

# ezjail-admin restart testjail1

You can ping the jail from the host, and if the jail was assigned an IP address on the same subnet as other machines on the network, you can ping this IP from the machines.

In the next post I will detail how to provide NAT connections to the jails; NAT is required to provide internet access to the jails, and redirection to give the external world access to the services running on your jail.
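As an added example (not from the original post), a shell check for the condition behind that ezjail-admin warning: it reads `sockstat -l` style output, lists every socket bound to the wildcard address and prints the remedy the post applies for each daemon. The sample input is constructed from the warning lines above plus one correctly bound sshd; 192.0.2.10 stands in for the host address.

```shell
#!/bin/sh
# Added example, not part of the original post: find daemons listening on all
# addresses (the ones that will also answer on the jail's address) and show
# the fix the post uses for each.
set -eu

# wildcard_listeners: read sockstat-style lines on stdin and print
# "PROTO PORT COMMAND USER" for every socket whose local address is *:PORT.
wildcard_listeners() {
  awk 'NF >= 6 && $6 ~ /^\*:[0-9]+$/ {
         split($6, a, ":")
         print $5, a[2], $2, $1
       }'
}

# count_wildcard: number of such sockets on stdin.
count_wildcard() {
  wildcard_listeners | wc -l | tr -d ' '
}

# remedy COMMAND HOSTIP: the change the post applies for the daemons it met.
remedy() {
  case $1 in
    syslogd) printf 'rc.conf: syslogd_flags="-s -b %s"\n' "$2" ;;
    ntpd)    printf 'rc.conf: ntpd_enable="NO" (or install net/openntpd)\n' ;;
    sshd)    printf 'sshd_config: ListenAddress %s\n' "$2" ;;
    *)       printf 'review %s: bind it to %s or disable it\n' "$1" "$2" ;;
  esac
}

# report HOSTIP: one line per wildcard listener with its remedy.
report() {
  wildcard_listeners | while read -r proto port cmd user; do
    printf '%s/%s %s (%s): %s\n' "$proto" "$port" "$cmd" "$user" "$(remedy "$cmd" "$1")"
  done
}

# Constructed sample in sockstat(1) -l format: the page's warning plus an sshd
# already bound to the placeholder host address 192.0.2.10.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       655   20 udp6   *:123                 *:*
root     ntpd       655   21 udp4   *:123                 *:*
root     syslogd    493   6  udp6   *:514                 *:*
root     syslogd    493   7  udp4   *:514                 *:*
root     sshd       720   4  tcp4   192.0.2.10:22         *:*'

# On a real host run: sockstat -l | report <host IP>
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE" | report 192.0.2.10
fi
```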


Just a list of ideas for securing the servers.

I try to make sure that the first line of defense is not breached; if an attacker can breach that, then he is determined and can overcome any other defense you may have. Most of the "spray and pray" attacks on the internet are not that complicated: kiddies attack the nodes which do not patch known vulnerabilities or lack basic protection, like having easy to guess passwords.

Another point to be aware of is that the more restrictive security measures we have (SELinux, etc.), the more they may work against us when we try to troubleshoot or implement a feature, or some software might not work.

Only you can decide what level of protection you need and what is at stake. The following are the absolute minimum and are highly effective; use other software (IDS, HIDS) on top of this if you can afford to spend the time and effort.

* Keep the server patched at regular intervals, like weekly/bi-weekly. This is very important and helps to plug application level vulnerabilities.

* Set up a firewall allowing access only to the ports that are needed, like TCP:80/443 for HTTP/S, UDP:53 for DNS, etc.

* Run a netstat query on the node to check whether any other services are active; either disable them permanently using /etc/rc.conf on BSD, chkconfig on CentOS, or update-rc.d on Debian. Reboot the node and check whether they stay disabled.

* Do not expose database services over the public internet; restrict them to the local network, or better yet restrict which local IPs can connect.

* SSH access can be limited to a particular network/subnet/IP at the firewall level, like only from the company network, the admin team, etc.

* Prefer non-root SSH logins and then use sudo/doas to perform actions which require root privileges.

* If direct root SSH login is required, then set "PermitRootLogin without-password" in sshd_config and restart the SSH daemon; this ensures that only users having a key can connect as root. Also make sure only select people have a key to log in as root; it makes them responsible and accountable.

* If you want to monitor login attempts and health, use something like logwatch.

* If password based authentication must be exposed to the public (which is not recommended), use a tool like fail2ban or SSHGuard. This slows down brute force attacks. If incorrect attempts are blocked indefinitely, combined with password expiration (plus password complexity, like diceware), then brute force attacks can be stopped. As this involves many variables which can go wrong, this is not recommended.

* Do not block ping unless you have experienced flood attacks; ping is necessary to troubleshoot.

The aim of having security measures is to frustrate a prospective attacker into giving up, not to frustrate the admin. 😉

The other day(some months ago!) I had a task to store old Apache logs instead of discarding them.

Logrotate is a utility to rotate logs so that they stay at a manageable size. Depending upon the options, logs can be rotated at a fixed interval, on size, on age of the log, etc.

There were two options:

  1. Either increase the old log retention period in logrotate
  2. Copy the logs to a separate location and archive them, with the default log retention period which removes old log files

In the first option the default log directory will get cluttered because of old logs, in the second option, however, the directory stays neat and you have a different location where you would be dumping old logs.

In this post I will be editing the file /etc/logrotate.d/httpd; I won't be modifying the default settings in /etc/logrotate.conf, which is the recommended approach.

Contents of /etc/logrotate.conf:


# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    create 0600 root utmp
    rotate 1
}



And the default contents of /etc/logrotate.d/httpd:


/var/log/httpd/*log {
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}


After modification the file will be:


/var/log/httpd/*log {
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
        /usr/bin/rsync -a /var/log/httpd/* /srv/backup/
    endscript
}


As you can see, I have used rsync to copy the files; using rsync is necessary as it skips overwriting the files which were already copied.