Nomoa.com

Paving the way for .NET in Tonga

OpenBSD


nomoa.bsd updates again

Posted by: Samiuela LV Taufa on May 30, 2010 2:51:03 AM

It’s been a while since we’ve updated our OpenBSD notes, but hopefully that trend will disappear for the next couple of years.

I’ve got a proper job again; unfortunately that long-term vacation/retirement plan in Tonga finally came to an end, with the old guy needing company and the kids getting to the point where ya gotta just deal with it.

Part of the new job includes maintaining quite a number of OpenBSD machines, whittling away the other Unix boxes, and training other System Administrators on how this BSD stuff works. It is a great opportunity not just for updating the old, decaying notes, but for seriously looking at revamping and fixing them so they serve some other purpose.

Some of the updates include:

- whittling away the straight html and looking at creating the core notes using markdown or rst as the markup languages (should significantly simplify the updating process for the notes.)

- new: OpenVPN Server/Client, WAN

- new: Redundant/High Availability Firewalls using CARP

- new: Mail Proxy using Postfix

- new: diagnostics, testing pages

- new: planning, auditing your user accounts

- updates: samba, postfix, mail server testing


Hope it’s useful somewhere, out there.



Great source of disinformation

Posted by: Samiuela LV Taufa on May 06, 2009 12:51:03 PM

Can’t leave things alone, and have to piece together a little disinformation of my own.

US needs 'digital warfare force'

960th Network Security Squadron

The US has set up specialised detachments dealing with IT problems

The head of America's National Security Agency says that America needs to build a digital warfare force for the future, according to reports.

Lt Gen Keith Alexander, who also heads the Pentagon's new Cyber Command, outlined his views in a report for the House Armed Services subcommittee.

In it, he stated that the US needed to reorganise its offensive and defensive cyber operations.

So, the land of the brave and the dead buffaloes, which has openly broken all forms of international law by kidnapping individuals and revoking life, liberty and the pursuit of anything for various groups and individuals in pursuit of “the American Way”, is going to expect you and me to believe that all those spy satellites and telecommunication eavesdropping services do not already put them well ahead of everybody else in invading not only their own citizens’ privacy but everyone else’s?

Please, …

The worrying problem is the apathy for the real loss of your privacy.

People didn’t move to encrypting their email when they all knew that the US was eavesdropping, and now we have people’s whole lives on the Internet being assessed and reviewed by the US machine. They’ve been tapping Australian international phone traffic since Woomera, and who knows whether the Australian Government is turning a co-operative blind eye to spying on Australian citizens’ internal communications.

I wonder what will finally take us over the edge into end-to-end encrypted communications (e.g. email, phone, web browsing, et al.).

Encrypting your email is so easy these days, but it’s really hard to communicate in an encrypted manner because people find it too ‘difficult’ to use the additional tools to provide this encryption.



Woo hooo Build a Box

Posted by: Samiuela LV Taufa on August 14, 2008 12:14:29 PM

Woo hoo, built my first box in aeons.

Been playing with various bits and pieces at work trying to piece together at least another functional box. Sometime later we decided that we needed a new box and we would look at reusing as many components from the trash pile I was playing with.

Unfortunately, bits and pieces of the trash pile were working, but together there was no ensemble. We decided to get new bits for the parts that looked like they were dead, and yesterday was my turn to put the bits together (and pray I don’t fry anything.)

I think the last time I actually had to put a box together from scratch was back in 1998? As I recall we had a bum machine at QSC and had to get the motherboard from Australia(?). Ever since then I’ve basically had someone under my wing whom I told to read the Taiwanese documentation and cable the box together. Of course that was an experience in itself, finding ports not working because they just weren’t wired up.

Anyhow, being a relative newbie and not wanting to ever open this box again, I made sure every loose wire got plugged into something even if there was no likelihood that it would ever get used. Double-checked the bits I couldn’t figure out with our resident hardware dude, crossed my fingers and pushed 240V into the machine.

Poof, no sound, nothing! Woo hooo, go software dude. In the distant past, when computers didn’t power up and you were somewhat certain that the power supply worked fine, you pulled the PCI boards out and saw what happened. So, I pulled out a few boards and voila, the machine sings beautifully.

That wasn’t too bad, now was it?



OpenVPN, how good is security

Posted by: Samiuela LV Taufa on June 08, 2008 11:53:20 PM



Securing your connections without a password

Posted by: Samiuela LV Taufa on August 09, 2007 1:33:50 PM

I'm kind of promoting that people don't use passwords for their connections, but use keys instead.

Environment:

Windows XP desktop wanting to connect securely to a
Unix server running OpenSSH (e.g. Linux, BSD)

Why?

The primary rationale for promoting the use of keys amongst friends is people's tendency to create passwords of fewer than 12 characters and to fall into the habit of reusing or choosing simple passwords, which invariably increases the chance that an attacker can automate password guessing to get into your system.

Keys are significantly more difficult to brute-force, so by using them you not only get a higher level of security, but, since you no longer type a password at every login, you can now protect the key with a seriously difficult-to-crack passphrase.
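As an added example (not from the original post), here is a small shell audit of the server-side sshd_config that backs this advice: it reports whether password or keyboard-interactive logins are still accepted, so that "keys instead of passwords" actually holds on the server. The function names and the two sample configs are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config so that
# "use keys instead" actually sticks on the server. Configs are constructed.

# effective_value CONFIG KEYWORD DEFAULT
# Prints the value sshd would use. sshd keeps the FIRST occurrence of a
# keyword, ignores later duplicates, and treats keywords case-insensitively;
# lines after a Match block are conditional, so the scan stops there.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF < 2        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# audit_sshd CONFIG: prints each setting that still allows password
# logins and returns their count (0 means key-only).
audit_sshd() {
    problems=0
    if [ "$(effective_value "$1" PasswordAuthentication yes)" != no ]; then
        echo "PasswordAuthentication is not 'no' (sshd default is yes)"
        problems=$((problems + 1))
    fi
    # Keyboard-interactive (PAM) prompts can still ask for a password.
    # Newer OpenSSH calls this KbdInteractiveAuthentication; older
    # releases use ChallengeResponseAuthentication (default yes).
    kbd=$(effective_value "$1" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(effective_value "$1" ChallengeResponseAuthentication yes)
    if [ "$kbd" != no ]; then
        echo "keyboard-interactive authentication is not 'no'"
        problems=$((problems + 1))
    fi
    if [ "$(effective_value "$1" PubkeyAuthentication yes)" != yes ]; then
        echo "PubkeyAuthentication is disabled"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: looks hardened, but the commented line changes
# nothing, so passwords are still accepted.
WEAK='Port 22
#PasswordAuthentication no
PubkeyAuthentication yes'

# Constructed sample: key-only. The duplicate last line is ignored
# because sshd already took the first PasswordAuthentication value.
HARD='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
passwordauthentication yes'

audit_sshd "$WEAK"
```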



Load Balancing with OpenBSD

Posted by: Samiuela LV Taufa on July 24, 2009 12:00:11 PM

Rolled out my first load-balanced service today and OpenBSD just makes the whole thing so much simpler. I wanted to spread the load of sending/receiving email between two Mail Servers (MX), primarily so that if either machine fails, the service is not disrupted and I have time to ‘fix’ (replace) the broken machine.

Requirement

Due to compliance requirements to ‘eliminate’ Single Points of Failure I’m required to put up warm backups or services for most of our company servers.

Having a ‘warm’ backup server (that sits around powered on, doing nothing but waiting to be pushed into production) is such a waste of resources, so we wanted to put anything that’s a backup into ‘live’ systems.

There are many advantages to having a live failover instead of a warm backup, and suffice it to say OpenBSD gives us different ‘simple’ to configure options. Two solutions released ‘out-of-the-box’ with the base OS are:

  • carp, and
  • relayd

CARP

We use CARP on our firewalls, which essentially means that you have two machines set up to handle the work of a single machine. In a firewall situation, CARP provides instant failover from one host to the other in the event that one of the machines fails.

For example, machine 1 as MASTER handles all traffic but also pushes needed information to machine 2 so that if machine 1 blows up, the backup machine #2 can take over the work without any users noticing the change.

CARP allows multiple servers to share the same ‘face’/IP so external hosts see only one machine although 2 or more machines may be behind the CARP configuration.

Major/minor requirement: all hosts must support CARP.

RELAYD

relayd takes advantage of OpenBSD’s firewall facilities so the firewall can act as a gateway between the ‘world’ and your disparate servers.

For example: use relayd in front of 10 web servers, so users always see the same IP.

Nice things about relayd:

  1. Target Servers do not have to be OpenBSD boxes, and don’t even have to be running exactly the same thing.
    1. One of our future goals is to provide seamless load balancing for a few Windows Hosted servers.
  2. Low overhead
  3. Relayd monitors the target servers to make sure they are up before forwarding connections to them.
  4. Relayd configuration rules are nice and simple, with simple default examples.

Read It, Learn It, Live It, Love It.
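As an added example rather than the site's own configuration, here is a minimal relayd.conf for the two-MX case described above. The listen address is the CARP-shared address, so failover of the firewall pair and balancing across the mail hosts combine; every address is a constructed placeholder.

```conf
# /etc/relayd.conf (added example, not the site's config; addresses made up)
# The shared "face" lives on carp0, so the firewall pair fails over as a unit.
ext_addr="203.0.113.25"

# Both mail servers receive connections. relayd takes a host out of the
# table when its check fails and puts it back when the host recovers.
table <mailhosts> { 10.10.0.11 10.10.0.12 }

# Check every 10 seconds; a host must answer within 500 ms.
interval 10
timeout 500

# Layer-3 redirect: pf rewrites the destination address, so the MX hosts
# still see the client's real source address (the SMTP session is not
# proxied, which keeps the overhead low).
redirect "smtp" {
    listen on $ext_addr port 25
    # check tcp: a host counts as up when it accepts the TCP connection.
    forward to <mailhosts> check tcp
}

# pf.conf needs an anchor for the rules relayd loads:
#   anchor "relayd/*"
# Inspect what relayd currently thinks of each host with:
#   relayctl show hosts
```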


Winding through – ssh tunnels

Posted by: Samiuela LV Taufa on August 15, 2008 3:49:09 AM

Avoided it for a couple of hours, but after looking it up it wasn’t that hard after all.

Summary:

I needed to connect to a client’s broadband modem to do some maintenance. Unfortunately we’ve set the client up such that administering the modem is only possible ‘from inside’ the client’s side of the cable modem.

The 2nd problem is that the modem is administered through a web interface so the question is, how can I securely get Internet Explorer to connect through a machine on the inside back to this modem ?

In fact, only one machine on the network can access the modem.

I was side-tracked with another problem using tunnels, but the solution for this particular scenario was relatively simple.


ssh -L local-port:modem-ip:modem-port internal-host

local-port is the port on my local machine that I will point the browser at (for example: http://localhost:local-port).

modem-ip is the IP address of the modem as seen from the internal-host; for example, a non-routable/private IP address such as 172.16.11.1.

modem-port is the port on the modem where the web interface is listening, for example 80 or 443.

internal-host is the host inside the network that I can jump to from the outside (usually a machine with a public IP).

ssh -L 4321:172.16.11.1:80 host.example.org

I can access the modem by starting up Internet Explorer and using the address http://localhost:4321

ssh -L 4322:172.16.11.1:443 host.example.org

I can now access the SSL secured interface by using the address https://localhost:4322

Using the above scenario you can supposedly daisy-chain (connect from one server to the next) by having multiple terminals making one link to the next.

There’s also some ssh fu where you can chain from one machine to the next to the next on a single command-line, but we’ll leave that for another day.
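As an added example (not from the original post), a small shell helper that builds the ssh -L command above after checking each argument, and adds the options a careful admin would want on a long-lived forward. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: build the "ssh -L" command
# described above after checking each argument. Function names are mine.

# valid_port N: true when N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# private_ipv4 A.B.C.D: true for RFC 1918 space, where a modem's LAN-side
# address (such as the post's 172.16.11.1) normally lives.
private_ipv4() {
    case "$1" in
        10.*.*.*|192.168.*.*) return 0 ;;
        172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*) return 0 ;;
    esac
    return 1
}

# build_tunnel LOCAL_PORT MODEM_IP MODEM_PORT INTERNAL_HOST
# Prints the ssh command and returns 0, or reports the bad argument and
# returns 1. Compared with the bare form in the post:
#   -N                        opens no remote shell, just the forward
#   -o ExitOnForwardFailure   fails instead of silently running without
#                             the forward when the local port is in use
#   127.0.0.1: prefix         binds the listener to loopback only, so
#                             nothing else on your LAN can use the tunnel
build_tunnel() {
    lp=$1; ip=$2; mp=$3; host=$4
    valid_port "$lp" || { echo "bad local-port: $lp" >&2; return 1; }
    valid_port "$mp" || { echo "bad modem-port: $mp" >&2; return 1; }
    [ -n "$host" ]   || { echo "internal-host missing" >&2; return 1; }
    private_ipv4 "$ip" || echo "note: $ip is not a private address" >&2
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:$lp:$ip:$mp $host"
}

# Browser side afterwards: http://localhost:4321 reaches the modem's port 80.
build_tunnel 4321 172.16.11.1 80 host.example.org
```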



Test that firewall

Posted by: Samiuela LV Taufa on July 09, 2008 11:48:53 AM

Had my first session of validating firewall rules on Monday and Tuesday, wohooo that’s an experience. My previous installations were of small systems, so my previous experience was in ‘drafting’ the firewall rules, putting them in and letting them go live. Testing and validating the firewall essentially meant sitting there in front of the firewall server and watching traffic, tweaking issues as they became known.

Firewalls, in the original sense, are the walls between buildings built to stop fire spreading. The higher grade your firewall, the higher the probability that your building isn’t going to burn down should the building next door go up in flames.

The quality of the construction material of your firewall is just part of the toolkit for minimising danger to your building; you also need to ensure that there’s no open passage for the fire to enter your building while bypassing your firewall barrier. One building that went up in flames had a decent firewall, but it had large ventilation shafts between the building and the next, leading directly to highly combustible material. Fire from the adjoining building spread into our building through the ventilation shafts and the building came down, while the firewall held firm.

The burnt building looked like the aftermath of a bombing, the inside collapsed in soot while the firewall stood alone.

Lesson 1: Physical firewalls have the same limitations as their electronic / communications firewall counterparts. They are only as good as the material they’re built with, and the ventilation shafts between your side of the firewall and the next.

Unless you want to burn your firewall to test it, the general idea is to test the materials and the process of producing your firewall.

With our computer firewall, we have existing best-practice procedures for designing and building the firewall, and we’re now in the stage of testing the “ventilation” shafts built into our firewalls to validate whether the rules we’ve set up for what to allow in and out through those shafts behave as we expect.

I haven’t heard of any automated tools for doing the testing, so if you’ve heard of one please do tell us.

At the moment the process of testing the open ventilation shafts (in computer speak, “open ports”) is to set up a simulated network on either side of our firewall and generate network traffic trying to get through the firewall in both directions. Unfortunately, the generated traffic cannot be purely random: each “open port” or “potentially open port” has to have a specific test.

Unless you have the money, you can’t really duplicate your live network in this test environment, so you end up spending a lot of time doing the network configuration dance, continuously readjusting your various test machines to simulate other machines and providing different services as well as simulating trying to get through the firewall to the other side.

Lesson 2: You really want a set of command-line tools for doing this. Windows greater user-feedback (GUI?) is nice, but it can really use up your time when things don’t work as expected (and how often is that the truth in a test environment.)

This is when it’s good to have several machines on an independent set of networks (i.e. at minimum you’re testing the firewall with two networks) but just as importantly several monitors, keyboards, and a cool smooth swivel chair to spin around in.

Don’t bother doing this using terminal/ssh connections, that is just a recipe for frustration and avoiding configuration options you need to consider (because often enough changes you need to do will throw you out of your terminal/ssh session)

Lesson 3: Physical hardware is way cooler than the virtual world on its own.

Most of what we tested only needed testing a direct connection to the server, but our last test before quitting for the day last night was to test whether a connection would go through over a virtual connection (VPN). Woo hoo, that wasn’t easy, but it wasn’t as hard as initially expected (since we’d done similar stuff previously.)

If you’ve got almost enough cash, where you can’t afford a full simulated network but can afford a good-size beefy duo of machines for either side of the simulated network, then you would probably go with using a network of virtual machines on either side of your firewall. Now, that would be way cool, but I don’t think my laptop is beefy enough (yet).

Oh yeah, my preferred firewall ? OpenBSD with PF, of course. For user VPNs, I’m doing pretty good with installing OpenVPN.
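As an added example (not from the original post), a small command-line harness of the kind Lesson 2 asks for: from a test machine on one side of the firewall it probes each port the ruleset is meant to allow or block and reports every mismatch. Hosts, ports and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a small command-line harness
# for the "ventilation shaft" tests above. From a test machine on one side
# of the firewall it probes each port the ruleset is meant to allow or
# block and reports mismatches. Hosts, ports and names are all made up.

# One rule per line: target-host target-port expected (open|closed).
# Constructed sample for a DMZ host that should expose only mail and web.
RULES='
192.0.2.10 25 open
192.0.2.10 80 open
192.0.2.10 443 open
192.0.2.10 22 closed
192.0.2.10 3389 closed
'

# probe HOST PORT: exit 0 when a TCP connect succeeds within 2 seconds.
# nc -z sends no data; -w sets the timeout. Both are in OpenBSD's base nc.
probe() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# check_rules: probes every rule, prints a PASS/FAIL line for each and
# returns the number of mismatches, so 0 means "behaves as documented".
# Run it once from each side (and across the VPN) to cover both directions.
check_rules() {
    fails=0
    set -- $RULES                     # split into host/port/expect triples
    while [ $# -ge 3 ]; do
        host=$1; port=$2; expect=$3; shift 3
        if probe "$host" "$port"; then got=open; else got=closed; fi
        if [ "$got" = "$expect" ]; then
            echo "PASS $host:$port is $got"
        else
            echo "FAIL $host:$port expected $expect, got $got"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Only probe when asked, so sourcing the file just defines the functions:
#   sh fwcheck.sh run
[ "$1" = run ] && check_rules
```

Keep the rule file under version control next to pf.conf, so every rule change gets a matching expected-result line before it goes live.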


OBSD 4.3: fontconfig 5.1 where is it

Posted by: Samiuela LV Taufa on May 30, 2008 1:12:03 PM

Arrggghh, ya gotta hate those install moments that just fail because a 'package' doesn't exist, but the 'package' isn't really a package, and there's not much documentation on the web to help us out (i.e. minimise thinking).

OpenBSD 4.3 ships the fontconfig libraries as part of the xbase set, so you have to install that set as part of the full install, or extract its files after installing your box.



mail.show_headers weird problem

Posted by: Samiuela LV Taufa on July 17, 2007 3:50:46 PM

Thunderbird 2.0.0.X

Problem:

Printing email messages results in getting half-a-page of mail header information, before the actual message content. This is ugly as well as wasting paper and ink.

Summary:

For the past couple of months I've been having this problem with Thunderbird 2.0.0.X (5-pre at the moment) whereby printing mail messages means that I always get a print of mail envelope headers which can be very long (nearly half-a-page for some messages.) I couldn't find anything in the print-options to turn the thing off and have been looking at different options for the past month.

Today, I finally hit upon: mail.show_headers (default: integer 2)

[enigmail: userprefs]

Replacement of Mozilla's show all headers (because the original value is overridden)
user_pref("extensions.enigmail.show_headers",1);
JS: Both mail.show_headers and extensions.enigmail.show_headers control the viewing of the headers (normal=1 / all=2).
As Enigmail needs to see all headers, it sets mail.show_headers to 2 and stores the desired view in extensions.enigmail.show_headers.
The default is derived from the setting of mail.show_headers.

Of course, once you know where the 'problem' is, it becomes easier to find the 'solution.'

Unfortunately, the printing process doesn't have a separate setting (to allow you to differentiate what you get on screen as opposed to what you get out the printer.) The solution to my printing problem is:

Set mail.show_headers to "1" (without the quotes)

But what happens to my enigmail now?

