FreeBSD : simple lagg usage


The link aggregation and link failover interface, the lagg(4) device, first appeared in FreeBSD 6.3. As the name suggests, it aggregates multiple network interfaces into one virtual lagg(4) interface to provide fault tolerance and high-speed links. The driver currently supports aggregation protocols such as failover, fec, lacp, loadbalance, roundrobin, and none, and works by detecting the link state of the child interfaces.

This is useful in large enterprise environments. Nonetheless, you can also use it to set up roaming between wired and wireless networks. The lagg(4) manpage provides a simple example. However, it states that

WPA security does not currently work correctly with a wireless interface added to the lagg port.

Well, it is easy to overcome the issue by using wpa_supplicant(8). Just set up /etc/wpa_supplicant.conf as normal; refer to the wpa_supplicant.conf manpage for detailed setup. Here is my example.

/etc/wpa_supplicant.conf :-

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=1
network={
       ssid="MY_WPA_WIFI"
       scan_ssid=1
       key_mgmt=WPA-PSK
       psk="verysecretpassword"
}

/etc/rc.conf :-

ifconfig_nfe0="DHCP"
ifconfig_ndis0="WPA DHCP"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto failover laggport ndis0 laggport nfe0 DHCP"

Relevant ifconfig output :-

ndis0: flags=8843 metric 0 mtu 1500
        ether 00:1a:73:73:92:34
        media: IEEE 802.11 Wireless Ethernet autoselect
        status: associated
        ssid "MY_WPA_WIFI" channel 1 (2412 Mhz 11b)
        authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
        bintval 0
        lagg: laggdev lagg0
nfe0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:1a:73:73:92:34
        media: Ethernet autoselect (none)
        status: no carrier
        lagg: laggdev lagg0
lagg0: flags=8843 metric 0 mtu 1500
        ether 00:1a:73:73:92:34
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect
        status: active
        laggproto failover
        laggport: nfe0 flags=0<>
        laggport: ndis0 flags=5
tun0: flags=8010 metric 0 mtu 1500

It is that easy. Your laptop will automatically roam between wired and wireless connections.

July 12th, 2009, posted by Kevin Foo (chfl4gs_)

NetBSD 5.0


NetBSD 5.0 has been released and I have downloaded the ISOs for the i386 and amd64 architectures. If you are staying in Malaysia, you can leech from my site. :)

http://ms.shit.la/netbsd/i386cd-5.0.iso
http://ms.shit.la/netbsd/i386cd-5.0.iso.MD5
http://ms.shit.la/netbsd/i386cd-5.0.iso.SHA1

http://ms.shit.la/netbsd/amd64cd-5.0.iso
http://ms.shit.la/netbsd/amd64cd-5.0.iso.MD5
http://ms.shit.la/netbsd/amd64cd-5.0.iso.SHA1

April 30th, 2009, posted by Kevin Foo (chfl4gs_)

FreeRapid downloader

Quite often, most of us download files from file-hosting sites like Rapidshare, Megaupload, Ziddu, kewlshare, Badongo, etc. You are probably annoyed by and sick of the restrictions, wait times and captchas enforced by these service providers. To avoid all those and have a hassle-free download, you could subscribe to their service. Here is another alternative: let this shiny little piece of Java software manage it for you. Take a peek at FreeRapid downloader.

There are currently 79 file hosting sites supported and it works on Windows, Mac, Linux, BSD and other Unix variants. Sweet!!!! Just what I needed. For FreeBSD, you need diablo-jdk (I have tested with diablo-jdk-1.6.0.07.02_4). Just download the package, unzip it and run frd.sh. If your JRE is not in the $PATH environment variable, you have to edit frd.sh to add, for example,

PATH=/usr/local/diablo-jdk1.6.0/jre/bin:$PATH

A list of sites that are currently supported (not a complete listing)
* Rapidshare.com (+ premium)
* MegaUpload.com
* Megarotic.com and Sexuploader.com
* NetLoad.in
* MediaFire.com
* FileFactory.com
* Filebase.to
* Uploaded.to
* DepositFiles.com
* Share-online.biz
* Egoshare.com
* Easy-share.com
* Letibit.net
* XtraUpload.de
* Shareator.com
* Kewlshare.com
* SaveFile.com
* Ziddu.com
* 4shared.com
* Load.to
* UploadBox.com
* UGotFile.com new
* NetGull.com new
* Plunder.com new
* FileUpload.net new
* WebShare.net
* FileSend.net
* 2Shared.com
* Uploading.com
* Yourfiles.biz
* Ultrashare.net
* SendSpace.com
* Wiiupload.com
* Badongo.com new
* Hotfile.com new
* WikiUpload.com new
* DataUp.de new
* Rapidshare.de
* Uppit.com
* FileFlyer.com
* BitRoad.net
* Jandown.com
* iFile.it
* Iskladka.cz
* HellShare.com (+full)
* QuickShare.cz
* Uloz.to
* Sdilej.cz new
* Uloz.cz
* Share-rapid.com
* Nahraj.cz
* FlyShare.cz
* Edisk.cz
* Bagruj.cz
* LeteckaPosta.cz
* CZShare.com free (+profi)
* Subory.sk
* Upnito.sk
* CobraShare.sk
* Ulozisko.sk
* Stream.cz (video)
* O2MusicStream.cz (video) new
* YouTube.com (video) new
* Usercash.com (crypter)
* Tinyurl.com (crypter)
* Linkbucks.com (crypter)
* RSMonkey.com (crypter) new
* Radikal.ru (crypter)
* Paid4share.com (crypter) new

April 30th, 2009, posted by Kevin Foo (chfl4gs_)

FreeBSD : web cluster – Frontend nginx, backend apache with SSL


Previously, I posted a write-up on glusterfs on FreeBSD clusters. Here is the installment on the round-robin web proxy part. In my configuration, nginx runs as the front end and apache as the back end. Both boxes have the same nginx and apache configuration. The nginx SSL cert and key should be the same on both boxes as well (with the same common name, i.e. www.yourdomain.com).

APACHE
I will skip most of the apache installation as it is common and easy to set up. The basic requirement is for apache to run with SSL on port 8443. Note that mod_rpaf is required for apache to capture the real IP address of the visitors. Install it from /usr/ports/www/mod_rpaf2, then add these lines to your httpd.conf.


LoadModule rpaf_module       libexec/apache22/mod_rpaf.so

<IfModule rpaf_module>
RPAFEnable On
RPAFsethostname On
RPAFproxy_ips 192.168.100.82 192.168.100.84
</IfModule>

Note:
IP address for node 1 = 192.168.100.82
IP address for node 2 = 192.168.100.84

NGINX (engine X)
Installing nginx is fairly simple under FreeBSD as the port is complete (no messy manual patching and stuff). Just run the installation with the command below, but note that you need these two options: HTTP_SSL_MODULE and HTTP_UPSTREAM_FAIR. Yes, you need them.

cd /usr/ports/www/nginx && make install

The configuration file, nginx.conf, is relatively easy to understand if you are familiar with lighttpd or apache mod_proxy. The following is an example nginx config file. Remember, use with care because YMMV.

user  www;
worker_processes  4;

events {
    worker_connections  4096;
}

http {
    include       /usr/local/etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  5;
    gzip  on;
    upstream backend_servers {
        fair;
        server 192.168.100.82:8443;
        server 192.168.100.84:8443;
    }

    server {
        listen   80 default;
        server_name  _;
        server_name_in_redirect  off;
        access_log /var/log/nginx-access.log;
        error_log /var/log/nginx-error.log;
        location / {
                proxy_pass https://backend_servers;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_connect_timeout      5;
                proxy_send_timeout         5;
                proxy_read_timeout         5;
        }
    }

    server {
        listen       443 default;
        server_name  _;
        server_name_in_redirect  off;
        access_log /var/log/nginx-ssl-access.log;
        error_log /var/log/nginx-ssl-error.log;
        ssl                  on;
        ssl_certificate      /etc/ssl/certs/nginx-cert.pem;
        ssl_certificate_key  /etc/ssl/keys/nginx-key.pem;
        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
                proxy_pass https://backend_servers;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_connect_timeout      5;
                proxy_send_timeout         5;
                proxy_read_timeout         5;
        }
    }
}

Virtual hosts are managed by apache httpd, so these lines are needed in nginx.conf.

server_name  _;
server_name_in_redirect  off;

For SSL cert and key generation, please refer to the previous post, glusterfs on FreeBSD. That’s it.

April 22nd, 2009, posted by Kevin Foo (chfl4gs_)

FreeBSD : nginx with php-cgi on unix socket

UPDATE : Check out the recently committed /usr/ports/www/spawn-fcgi/; it comes with a better spawn-fcgi rc.d script. Please use the script from the post. However, the spawn-fcgi.sh provided does not have an option to run via unix socket. I have submitted the patch.

A few days ago, I posted a write-up, FreeBSD : php-cgi spawn-fcgi rc.d script for nginx, on running php-cgi on port 8888. But how do I run it via a unix socket? It is trivial with the spawn-fcgi rc.d script. Just add the flags to /etc/rc.conf

spawnfcgi_flags="-s /tmp/php-fastcgi.socket -u www -g www -f /usr/local/bin/php-cgi"

Next, replace the line

fastcgi_pass 127.0.0.1:8888;

with this

fastcgi_pass unix:/tmp/php-fastcgi.socket;

Lastly, restart both php-cgi and nginx:

/usr/local/etc/rc.d/spawnfcgi restart && /usr/local/etc/rc.d/nginx restart

That’s all. You have your php-cgi on a unix socket.

April 17th, 2009, posted by Kevin Foo (chfl4gs_)

FreeBSD : Glusterfs with SSL (via stunnel)

I have been working on parallel round-robin web clusters (is this the right term?) using 2 x FreeBSD 7.1 AMD64 boxes, nginx (patched with fair upstream), apache + php (backend), glusterfs, tinydns (sitting on another box, a name server, for round robin A record) and mysql multi-master replication. The setup mainly makes use of the round-robin replication concept. Although I have yet to fully hammer the configuration, it was pretty impressive and secure.

Glusterfs and mysql replicate with SSL. Nginx with SSL. These, however, come slightly at the expense of CPU and performance. I can live with that though.

The write-up of the setup is in progress as I am quite tied up with my day job, the HeX project and the glusterfs 2.0 port for FreeBSD. Hopefully, I can manage the time well to complete all these. Nevertheless, here is a partial (optional) write-up for glusterfs replication with SSL.

Note: server1 and server2 denote the FreeBSD clusters.

1) Installing required software
Most of the software except glusterfs (not in the FreeBSD ports as of this posting) is available via the FreeBSD ports. I’m aware that TimurBakeyev is working on glusterfs ports.

# cd /usr/ports/security/stunnel && make install clean

2) Creating SSL certs (on either of the boxes)
Generally, it is easier to manage all cert/key generation on a single box and copy the required certs to the rest of the boxes. But YMMV. Commonly, cacert.pem and the generated cert/key are copied.

2.1) For the impatient
Just create the certificate with a one-liner. Remember to modify the content of “-subj”.

# openssl req -new -outform PEM -out /etc/ssl/stunnel-cert.pem -newkey rsa:1024 \
-nodes -keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -x509 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

2.2) For the patient
Create the necessary directories for SSL with the following commands.

# mkdir /etc/ssl/newcerts
# mkdir /etc/ssl/private
# echo '01' >/etc/ssl/serial
# touch /etc/ssl/index.txt

Next, let’s generate a CA. You will be prompted for your country, state, location etc. and a password for the CA key.

# openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/private/cakey.pem \
-out /etc/ssl/cacert.pem -days 3650 -config /etc/ssl/openssl.cnf

Generate a cert request for stunnel.

# openssl req -outform PEM -out /etc/ssl/stunnel-req.pem -newkey rsa:1024 -nodes \
-keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

Lastly, use the CA key to sign the cert.

# openssl ca -in /etc/ssl/stunnel-req.pem -notext -out /etc/ssl/stunnel-cert.pem

3) Modifying stunnel rc.d for stunnel running in client mode
The rc.d startup script for stunnel is meant for running in either server or client mode only. I need both modes here. Thus, I made a quick copy of the stunnel rc.d script to run another, client-mode instance of stunnel. I named it /usr/local/etc/rc.d/stunnelc.

#!/bin/sh
#
# $FreeBSD: ports/security/stunnel/files/stunnel.in,v 1.9 2008/01/26 14:18:12 roam Exp $
#

# PROVIDE: stunnelc
# REQUIRE: NETWORKING SERVERS
# BEFORE: DAEMON glusterfs
# KEYWORD: shutdown

#
# Add some of the following variables to /etc/rc.conf to configure stunnel:
# stunnelc_enable (bool):        Set to "NO" by default.
#                               Set it to "YES" to enable stunnel.
# stunnelc_config (str):         Default "/usr/local/etc/stunnel/stunnel-client.conf"
#                               Set it to the full path to the config file
#                               that stunnel will use during the automated
#                               start-up.
# stunnelc_pidfile (str):        Default "/var/tmp/stunnel/stunnel-client.pid"
#                               Set it to the value of 'pid' in
#                               the stunnel.conf file.
#

. /etc/rc.subr

name="stunnelc"
rcvar=`set_rcvar`

load_rc_config $name

: ${stunnelc_enable="NO"}
: ${stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"}
: ${stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"}
procname="/usr/local/bin/stunnel"
command="/usr/local/bin/stunnel"
command_args=${stunnelc_config}
pidfile=${stunnelc_pidfile}

required_files="${stunnelc_config}"

run_rc_command "$1"

4) glusterfs vol configuration
In this setup, glusterfsd listens on lo0 127.0.0.1 port 6996 and the stunnel server listens on em0 (the net-facing NIC) port 8996. The stunnel client, on the other hand, listens on 127.0.0.1 port 7996 and forwards to the remote host on port 8996. The glusterfs client mounts the volume from 127.0.0.1 ports 6996 and 7996 (the latter is tunneled to port 8996 of the remote host). Refer to the configurations below:-

i) stunnel-server.conf.

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

ii) stunnel-client.conf.

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996

Auth login (auth.login) was used because of the privileged port ceiling of 1024 imposed by the auth addr (auth.addr) method. The auth login method does not care about the privileged port ceiling.

Please refer to
http://www.gluster.org/docs/index.php/GlusterFS_Encrypted_network
http://www.gluster.org/docs/index.php/Translators_v2.0#auth.login

As I’m still working on the glusterfs 2.0 port, you can use the rc.d scripts that I have completed, glusterfs and glusterfsd.

APPENDIX

Configuration files on server1

I) /etc/rc.conf

fusefs_enable="YES"
glusterfsd_enable="YES"
glusterfs_enable="YES"
glusterfs_mount="/usr/home/www"
stunnel_enable="YES"
stunnel_config="/usr/local/etc/stunnel/stunnel-server.conf"
stunnel_pidfile="/var/tmp/stunnel/stunnel-server.pid"
stunnelc_enable="YES"
stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"
stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"

II) Stunnel configuration for glusterfsd (/usr/local/etc/stunnel/stunnel-server.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-server.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem

output = /var/log/stunnel.log

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

III) Stunnel configuration for glusterfs (/usr/local/etc/stunnel/stunnel-client.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-client.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem
output = /var/log/stunnelc.log
client = yes

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996

IV) Glusterfs client configuration (/usr/local/etc/glusterfs/glusterfs.vol)

volume remote1
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 6996
  option remote-subvolume brick
end-volume

volume remote2
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 7996
  option username yourusername
  option password yourpassword
  option remote-subvolume brick
end-volume

volume replicate
  type cluster/replicate
  subvolumes remote1 remote2
end-volume

volume writebehind
  type performance/write-behind
  option block-size 128KB
  option cache-size 1MB
  subvolumes replicate
end-volume

volume cache
  type performance/io-cache
  option cache-size 512MB
  subvolumes writebehind
end-volume

V) Glusterfs server configuration (/usr/local/etc/glusterfs/glusterfsd.vol)

volume posix
  type storage/posix
  option directory /usr/home/www-shared
end-volume

volume locks
  type features/locks
  subvolumes posix
end-volume

volume brick
  type performance/io-threads
  option thread-count 8
  subvolumes locks
end-volume

volume server
  type protocol/server
  option transport-type tcp
  option transport.socket.bind-address 127.0.0.1
  option auth.addr.brick.allow 127.0.0.1
  option auth.login.brick.allow yourusername
  option auth.login.yourusername.password yourpassword
  subvolumes brick
end-volume
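
The nginx ssl_protocols and ssl_ciphers lines in the web cluster post and the stunnel configurations in this appendix date from 2009 and share the same legacy TLS settings, so one check covers both. The script below is an added example, not part of the original posts: it flags SSLv2/SSLv3, weak cipher classes, and a stunnel service that sets CAfile without turning on peer verification. The sample files are constructed from the settings shown on this page; the "tight" variant assumes a stunnel and OpenSSL build that accepts sslVersion = TLSv1.2.

```shell
#!/bin/sh
# Added example, not from the original posts. Flags legacy TLS settings in
# nginx.conf- and stunnel.conf-style files. Prints "file:line: finding".

audit_tls_conf() {
    awk '
    function report(n, msg) { printf "%s:%d: %s\n", FILENAME, n, msg; found++ }
    function value(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }

    /^[ \t]*[#;]/ { next }    # comment lines: "#" (nginx), ";" (stunnel)
    { line = $0; sub(/^[ \t]+/, "", line) }

    # nginx: every protocol named in ssl_protocols is offered to clients.
    line ~ /^ssl_protocols[ \t]/ {
        n = split(line, tok, /[ \t;]+/)
        for (i = 2; i <= n; i++)
            if (tok[i] == "SSLv2" || tok[i] == "SSLv3")
                report(FNR, "ssl_protocols offers obsolete " tok[i])
    }
    # nginx: weak cipher classes that appear without a "!" exclusion.
    line ~ /^ssl_ciphers[ \t]/ {
        list = line; sub(/^ssl_ciphers[ \t]+/, "", list); sub(/;.*$/, "", list)
        n = split(list, tok, ":")
        for (i = 1; i <= n; i++) {
            c = tok[i]; sub(/^\+/, "", c)
            if (c == "LOW" || c == "EXP" || c == "SSLv2")
                report(FNR, "ssl_ciphers names weak class " c " without excluding it")
        }
    }
    # stunnel: sslVersion pins the protocol used by the services.
    line ~ /^sslVersion[ \t]*=/ {
        v = value(line)
        if (v == "SSLv2" || v == "SSLv3") report(FNR, "sslVersion = " v " is obsolete")
    }
    # stunnel: CAfile alone does not enable verification; the peer is checked
    # only with verify >= 2 (or verifyChain/verifyPeer = yes in newer releases).
    line ~ /^verify[ \t]*=/ && value(line) + 0 >= 2 { verified = 1 }
    line ~ /^verify(Chain|Peer)[ \t]*=/ && value(line) == "yes" { verified = 1 }
    line ~ /^connect[ \t]*=/ && !svc { svc = FNR }
    END {
        if (svc && !verified)
            report(svc, "no verify >= 2: peer certificate is not checked")
        exit (found > 0)
    }
    ' "$1"
}

# Constructed samples: the settings from the posts, plus a tightened stunnel file.
write_samples() {
    cat > "$1/nginx-weak.conf" <<'EOF'
server {
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
EOF
    cat > "$1/stunnel-weak.conf" <<'EOF'
sslVersion = SSLv3
CAfile = /etc/ssl/cacert.pem
[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996
EOF
    cat > "$1/stunnel-tight.conf" <<'EOF'
sslVersion = TLSv1.2
CAfile = /etc/ssl/cacert.pem
verify = 2
[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp"/*.conf; do audit_tls_conf "$f" || true; done
rm -rf "$tmp"
```

With verify = 2 on both the stunnel server and the stunnel client, each end requires a peer certificate signed by the CA in CAfile, which the shared cacert.pem from step 2 already provides.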

April 15th, 2009, posted by Kevin Foo (chfl4gs_)

FreeBSD : php-cgi spawn-fcgi rc.d script for nginx

I was busy working on glusterfs ports for FreeBSD. There are still some issues to be ironed out before it can be submitted upstream. At the same time, I set up web servers running nginx with php5 via fastcgi. FreeBSD doesn’t have an rc.d script to trigger the spawn-fcgi process, so I wrote a quick one. Below is the script.

#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: spawnfcgi
# REQUIRE: DAEMON
# BEFORE:  nginx
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable spawnfcgi:
# spawnfcgi_enable (bool):    Set it to "YES" to enable spawnfcgi.
#                             Default is "NO".
# spawnfcgi_flags  (str):     Default is "-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi".
#

. /etc/rc.subr

name="spawnfcgi"
rcvar=${name}_enable

load_rc_config $name

spawnfcgi_enable=${spawnfcgi_enable:-"NO"}
spawnfcgi_flags=${spawnfcgi_flags:-"-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi"}
spawnfcgi_pidfile="/var/run/${name}.pid"
procname="/usr/local/bin/php-cgi"
pidfile=${spawnfcgi_pidfile}
command=/usr/local/bin/spawn-fcgi
command_args="${spawnfcgi_flags} -P ${spawnfcgi_pidfile}"

run_rc_command "$1"

Note: spawn-fcgi is part of lighttpd.

Just add spawnfcgi_enable="YES" to /etc/rc.conf to enable it. As this is just a simple script, not all options are stated. You can add/overwrite options via spawnfcgi_flags. Do check the options available via /usr/local/bin/spawn-fcgi -h

For the nginx part, just add these lines to your server directive.

location ~ \.php$ {
    fastcgi_pass   127.0.0.1:8888;
    fastcgi_index  index.php;
    fastcgi_param   SCRIPT_FILENAME /path/to/the/phpscript/$fastcgi_script_name;
    include         fastcgi_params;
}

April 10th, 2009, posted by Kevin Foo (chfl4gs_)

The Honeynet Project 8th Annual Workshop : Team dinner and introductions

The Honeynet Project
It was a great night to meet and greet the Honeynet members from around the globe. There was an ice-breaking session for the members to socialize with other chapter members. I met a lot of them, notably Lance Spitzner (Chicago chapter), Sju Usken, Tor Skaar and Einar Oftedal (Norwegian chapter), Jamie Riden (UK chapter), Williams (Global chapter), Cecil Su, Eugeue Teo and Nicolas Collerty (SG Chapter), Peter Cheung and Roland Cheung (HK Chapter), Eugene Yeh (Taiwan Chapter), Adil Wahid (.my CERT chapter), Jianwei Zhuge (Chinese chapter), Felix Ledner (Giraffe chapter) and many others that I probably missed out. Nice ambiance, good food and great companions (all geeks gathered around). What more can I ask for? Highly intoxicated by alcohol, so heading off for a good night's sleep is good for me. There are still nice talks to attend tomorrow. ;P

February 26th, 2009, posted by Kevin Foo (chfl4gs_)

m0n0live : another m0n0wall live installer

I frequently use m0n0wall for quick and easy firewall deployment. However, it is kind of troublesome to dd the m0n0wall image from another computer. The idea of creating this liveCD installer originated from Chris Buechler's m0n0wall live installer. Since 2005, there has been no updated release of the m0n0wall live installer. Thus, I decided to create my own.

m0n0live Installer
The m0n0live Installer CD is a FreeBSD 7.1 based liveCD built with the FreeSBIE toolkit. It includes the m0n0wall 1.235 and 1.3b15 images under /usr/m0n0 and /usr/m0n0/1.3b. You can grab a copy of the m0n0live installer ISO (42MB in size) from the links below:-

http://my.rawpacket.org/m0n0live-i386-0.1.iso
http://my.rawpacket.org/m0n0live-i386-0.1.iso.md5
http://my.rawpacket.org/m0n0live-i386-0.1.iso.sha256

Burn the ISO onto a CD after you have obtained the ISO file above. Do verify the ISO against the md5/sha256 provided to ensure that your download completed correctly. If you are not familiar with burning an ISO image, please refer to your CD burning software's documentation before you proceed. Never burn this ISO file as a single file on a data CD. After you have successfully burned the ISO image to CD, boot the designated device from the bootable CD that you have created.

No login required, just read and follow the instructions displayed on the screen. Enjoy!
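
The sha256 check mentioned above, written out as an added example that is not part of the original post. The layout of the published .sha256 file is not shown on the page, so the parser accepts GNU ("<hex>  name"), BSD ("SHA256 (name) = <hex>") and bare-hex forms; the stand-in file and its digest in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: compare a downloaded image with
# the digest listed in its .sha256 file before burning it.

# Print the SHA-256 of FILE with whichever tool this system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Print the digest SUMFILE lists for NAME; when no line mentions NAME
# (bare-hex files), fall back to the first digest in the file.
expected_sha256() {
    awk -v name="$2" '
    function digest(   i) {
        for (i = 1; i <= NF; i++)
            if (length($i) == 64 && $i ~ /^[0-9A-Fa-f]+$/) return tolower($i)
        return ""
    }
    { d = digest(); if (d == "") next }
    index($0, name) { print d; hit = 1; exit }
    first == "" { first = d }
    END { if (!hit && first != "") print first }
    ' "$1"
}

# verify_sha256 FILE SUMFILE -> 0 on match, 1 on mismatch, 2 if no digest found.
verify_sha256() {
    want=$(expected_sha256 "$2" "$(basename "$1")")
    [ -n "$want" ] || { echo "no SHA-256 digest found in $2" >&2; return 2; }
    got=$(sha256_of "$1" | tr 'A-F' 'a-f')
    if [ "$got" = "$want" ]; then
        echo "OK   $1"
    else
        echo "FAIL $1: expected $want, got $got" >&2
        return 1
    fi
}

# Constructed demo: a 3-byte stand-in for the image and a BSD-style digest line.
demo=$(mktemp -d)
printf 'abc' > "$demo/m0n0live-i386-0.1.iso"
echo "SHA256 (m0n0live-i386-0.1.iso) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" \
    > "$demo/m0n0live-i386-0.1.iso.sha256"
verify_sha256 "$demo/m0n0live-i386-0.1.iso" "$demo/m0n0live-i386-0.1.iso.sha256"
rm -rf "$demo"
```

Because the checksum file is served from the same host as the image, a match confirms an intact download rather than the image's origin.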

February 24th, 2009, posted by Kevin Foo (chfl4gs_)

ROSESCHOC : Love is in the air

Just a short post to help a friend of mine spread the word.

Roseschoc

Express your love to your loved ones on this Valentine’s Day with roses and chocolates!!

Red roses proclaim “I Love You.”

They are the ultimate symbol of romantic love and enduring passion.
And of course the heart shape chocolate, represents your heart to your loved ones!!

Now ROSESCHOC brings good quality branded chocolate and imported big roses to your loved one.
We also provide delivery service to the locations below (refer to the payment mode below).
Early birds can enjoy our promotion of up to 20% DISCOUNT.
Please do not hesitate and ORDER now.

1. YOU ARE THE ONE (single stalk and chocolate):
RM12 (for * early birds)

2. YOU-N-ME (3 stalks and chocolate): RM30 (for * early birds)

3. I LOVE YOU (3 stalks and chocolate):
RM35 (for * early birds)

4. CONTACT US FOR CUSTOMIZE PACKAGES SUCH AS HALF DOZEN AND 1 DOZEN

Payment mode:
(1) Maybank2u(acc will be provided later) or
(2) COD around Puchong, Subang, PJ, Kelana, Cyberjaya, Serdang, Sunway (in Malaysia)
Delivery can be made with minimal charges. Please contact us for further details

* Early birds promo will be until 8th February 2009. For early birds please Maybank2u the payment to us before 9th February 2009 to confirm your order. Thank you.

For any inquiries do not hesitate to contact us at roseschoc@gmail.com
For further info, please log on to our website http://roseschoc.blogspot.com

With our love,
ROSESCHOC ( Malaysia )

February 6th, 2009, posted by Kevin Foo (chfl4gs_)