Afenioux's Blog page - 3am; darkness; Maintenance window closing. Safety net: rollback.

FreeBsd Crypto

Written by Arnaud 04 march 2016 no comments

There are several way to make some crypto :

- To create encrypted image jails, use the -c switch and either pass bde or eli and follow the instructions on screen:
ezjail-admin create -c eli -i 16G example.com 10.0.0.3

Also note, that crypto jails would block the boot process (unless the passphrase is provided via a file or some fetch magic via stdin). So they are being marked as attachblocking and not started during boot time. You need to start them using ezjail-admin startcrypto.

Further reading : http://erdgeist.org/arts/software/ezjail/

- you can use gbde or geli to encrypt partition : https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypt...

- You can also mount an image file (vnode) that you have prepared to be an encrypted filesystem.

Creation of the image :

dd if=/dev/zero of=/path/to/your/image.file bs=1M count=xxx
mdconfig -at vnode -f /path/to/your/image.file
geli init /dev/md0
geli attach /dev/md0
newfs /dev/md0.eli

Attach/mount the encrypted image :

mdconfig -at vnode -f /path/to/your/image.file
geli attach /dev/md0
mount -o noatime /dev/md0.eli /dir/to/mount/under

Further reading : http://erdgeist.org/arts/software/ezjail/

Route Servers @FRnOG25

Written by Arnaud 13 november 2015 no comments

This is a very short (10-15 minutes) I made (in French) at FRnOG25 in Paris in November 2015.

Topic is about Route Servers at IXP (features, securities, filtering).

http://www.afenioux.fr/doc/presentations/FRnOG25-2015.pdf

RIPE Atlas/RIS at FranceIX GM 2015

Written by Arnaud 18 september 2015 no comments

Here is the presentation I made at FranceIX General Meeting 2015, about the Ripe Atlas Anchor and the RIS collector we have set up in France :

http://www.afenioux.fr/doc/presentations/FranceIX-GM-2015.pdf

My presentation at #AfPIF15

Written by Arnaud 27 august 2015 no comments

I made this presentation the 27 August 2015 in Maputo during the AfPIF : www.internetsociety.org/afpif-2015/

This presentation is about Interconnecting two IXP togethers (Internet Exchange Points). It covers the mains goals, pros & cons and 2 different technical ways of interconnection.

link : http://www.afenioux.fr/doc/presentations/AfPIF-2015-EN.pdf

IS-IS tuning

Written by Arnaud 03 july 2015 no comments

Here is a sample configuration of ISIS for Cisco routers. This example is a level2 only zone (like a backbone area 0 in OSPF).

Note : Loopback addresses are (or should be) always configured with /32 netmask.
It's a good practice to dedicate a contiguous range for all your loopback addresses, this range is most of time the first of your supernet (i.e. your "big" network allocation), or the one with a zero.

Let's begin to create an loopback interface and annonce this IP (In this example we will use the first /24 of our "big" range for loopbacks) :

interface Loopback100 ip address 10.0.0.1 255.255.255.255 ip router isis

We configure the physical interface, annonce the connected range in ISIS and lower hello interval to 1 second: interface gi0/0/0
ip address 10.10.10.8 255.255.255.252 ip router isis isis network point-to-point isis metric 20 level-2 isis hello-interval 1

And finally the configuration of the protocol :
router isis log-adjacency-changes no hello padding spf-interval 1 1 100 lsp-gen-interval 1 1 100 is-type level-2-only metric-style wide level-2 net 49.0000.0000.0008.00 passive-interface loopback 100

Each node in ISIS must have a different "net" (= ID), it's a good practice to begin with 49 and end with 00 (see links below).
It is really important to lower sfp-interval to get a faster convergence (~1sec) , lsp-gen-interval helps also but only a few compared to sfp-interval.
Padding is useless (come on, MTU to 9000 for everybody!), so we deactivate it. And we don't need to generate hello packets on the loopback interface, never.

Here are a few commands really important to troubleshoot :
sh isis neighbors sh isis database sh isis topology sh ip route isis

And if you need to announce/originate a default route (make sure your routeur knows how to reach "THE Internet", blackhole spotted otherwise) :
router isis default-information originate always

I definitelly recommand reading :
https://rekrowten.wordpress.com/2014/01/27/learn-is-is-spf-prc-and-lsp-timers-optimisation-part-17/
and, if you have a lot of time, and some Juniper knowledge, is wonderful post :
https://inetzero.com/isis-training-and-junos-configuratio/

OpenBGPd

Written by Arnaud 13 june 2015 no comments

pkg install openbgpd touch /usr/local/etc/bgpd.conf chmod 0600 /usr/local/etc/bgpd.conf

echo 'bgpd_flags=""' >> /etc/rc.conf

edit your config :
vi /usr/local/etc/bgpd.conf

service bgpd start

Some useful commands :

List the sessions and states :
bgpctl show summary

Detailed informations on your neighbors:
bgpctl show neighbor

Your configured/announced net :
bgpctl show network

List of routes for a prefix:
bgpctl show rib <network> all

FreeBSD10 Ezjail and OpenVPN

Written by Arnaud 13 february 2015 no comments

WARNING : This is probably a bad idea to use OpenVPN in a Jail (you will lose *a lot* of time to configure it) but it work's.

I really recommand to read the sources a the bottom of this articles, they were great help.

First things, prepare the host :

ifconfig tun create echo 'cloned_interfaces="tun0"' >> /etc/rc.conf

Create you Jail (eg named openvpn) with ezjail (cf my previous posts) and change some settings in /usr/local/etc/ezjail/openvpn (you MUST use ifconfig, *_ip_multi0 is NOT supported) :

#export jail_services_devfs_ruleset="devfsrules_jail" export jail_services_devfs_ruleset="5" export jail_services_exec_prestart0="/sbin/ifconfig tun0 inet 192.168.40.1/32 192.168.40.2" export jail_services_exec_prestart1="/sbin/route add -net 192.168.40.0/24 192.168.40.2"

This is what you should put in /etc/devfs.rules in order to allow openVPN to bind on tun interface :

# Rules for jail <VPN>
[devfsrules_jail_openvpn=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path tun0 unhide

If you have a Warning like this in /var/log/messages :

WARNING: devfs_init_rulesets: could not read rules from /etc/devfs.rules

You sould try to copy the default file, and then clean it and copy only your few lines again (yes, it worked for me...)

cp /etc/defaults/devfs.rules /etc/devfs.rules echo '' > /etc/devfs.rules

Now you can start the Jail and install OpenVPN in the jail

ezjail-admin start openvpn ezjail-admin console openvpn pkg install openvpn

Here is the config I made for the OpenVPN server in the jail /usr/local/etc/openvpn/openvpn.conf (the 2 last lines are really important):

port 1194 proto udp dev tun ca /etc/ssl/CA/cacert.pem cert /etc/ssl/CA/certs/srv.crt key /etc/ssl/CA/certs/srv.key crl-verify /etc/ssl/CA/crls/crl.pem dh /etc/ssl/CA/certs/dh2048.pem server 192.168.40.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 cipher BF-CBC comp-lzo user nobody group nobody persist-key persist-tun status openvpn-status.log verb 3 mute 20 push "redirect-gateway def1" push "dhcp-option DNS 208.67.222.222"
# needed in jail ifconfig-noexec route-noexec

I have followed this french page in order to setup SSL and OpenVPN : http://blog.nicolargo.com/2009/04/installation-dun-serveur-vpn-sous-free...

Enable OpenVPN at boot in the jail (no, you dont need to enable, neither set, the gateway in the jail) :

echo 'openvpn_enabled="YES"' >> /etc/rc.conf

From the host, you can now restart the jail, check that the tun interface of YOUR host (NOT THE JAIL) has the IP, verify OpenVPN is listening :
ezjail-admin restart openvpn ifconfig tun0 sockstat -4

BTW, did you remember to redirrct UDP port 1194 to the jail, like I explained in my previons ticket? If yes, did you thought to enable NAT for VPN IP? change your /etc/rc.conf and reload conf (with pfctl -vf /etc/pf.conf) :
rdr on em0 proto udp to port 1194 -> 10.11.12.1 port 1194 nat on em0 from lo1:network -> (em0) nat on em0 from 192.168.40.0/24 -> (em0)

If you have some troubles getting an IP on the tun interface, you may (but should not need) try to :

sysrc devfs_load_rulesets=YES ; service devfs restart ; ezjail-admin restart echo 'devfs_load_rulesets="YES"' >> /etc/rc.conf

Sources : https://forums.freebsd.org/threads/openvpn-server-in-jail-using-a-tun-de...
https://github.com/junovitch/my-freebsd-build/blob/master/openvpn-jail-H...
https://forums.freebsd.org/threads/freebsd-update-9-2-10-ezjail-config.4...

FreeBSD Jails

Written by Arnaud 10 february 2015 no comments

We will use ezjail to make it easier :

pkg install ezjail ezjail-admin install
service ezjail start

Create your first jail and connect to it (we will NAT the jail in this example):

ezjail-admin create myjailname 'lo1|10.11.12.1' ezjail-admin start myjailname ezjail-admin list ezjail-admin console myjailname

Allow raw sockets (needed for ping, but not recommanded) by editing /usr/local/etc/ezjail/myjailname:

export jail_myjailname_parameters="allow.raw_sockets=1"

Enable features on skeleton of jails :

echo sshd_enable="YES" >> /usr/jails/newjail/etc/rc.conf

Enable NAT and port redirection in /etc/pf.conf:

ext_if = "em0"
int_if = "lo1"
rdr on $ext_if proto udp to port 1194 -> 10.11.12.1 port 1194
nat on $ext_if from $int_if:network -> ($ext_if)

Start PF and Check/Load PF config :

service pf onestart
pfctl -vf /etc/pf.conf
pfctl -e

Enable at startup in /etc/rc.conf :

gateway_enable="YES" pf_enable="YES" pf_rules="/etc/pf.conf" ezjail_enable="YES"

more about PF : https://www.freebsd.org/doc/handbook/firewalls-pf.html

more about ezjail : https://www.freebsd.org/doc/handbook/jails-ezjail.html