Archive for the ‘FreeBSD’ Category

perl-after-upgrade Is Your Friend

January 24th, 2009

I just upgraded the main perl port on a FreeBSD box from 5.8.8 to 5.8.9 and a perl based service promptly died, complaining of problems locating dependencies.  D’Oh!!  That’s not good.

After a bit of crunching away I found that each perl module port (each p5-* port) needed a ‘make deinstall && make reinstall’ to align with the new perl version.  The only bugger is that this machine has 54 p5-* ports installed.  Now I’m basically lazy so I wanted a better way than manually reinstalling each port or even writing a script to handle these specific ports.

Thankfully a little deeper google exercise turned up perl-after-upgrade.  From the man page:

The standard procedure after a perl port (either lang/perl5 or lang/perl5.8) upgrade is to basically reinstall all other packages that depend on perl. This is always a painful exercise. The perl-after-upgrade utility makes this process mostly unnecessary.

The tool goes through the list of installed packages, looks for those that depend on perl, moves files around, modifies shebang lines in those scripts in which it is necessary to do so, tries its best to adjust dynamically linked binaries that link with libperl.so in the old path, and updates the package database.

Brilliant!! Just what I was looking for.

I ran perl-after-upgrade followed by perl-after-upgrade -f, and it did all the heavy lifting of getting things straight.  Just for good measure I ran a rebuild on mimedefang (portmaster mimedefang), and it was back off to the races for that system.

So I must say….  perl-after-upgrade is your friend!

FreeBSD, Is Your Friend

Upgrade FreeBSD 6.2 to 6.3

January 27th, 2008

FreeBSD 6.3 has been released, so I want to start by upgrading one of my test machines from 6.2 to 6.3. To accomplish this, I followed the directions from Daemonic Dispatches.

  • mkdir /root/freebsd-update
  • cd /root/freebsd-update
  • fetch http://www.daemonology.net/freebsd-update/freebsd-update-upgrade.tgz
  • fetch http://www.daemonology.net/freebsd-update/freebsd-update-upgrade.tgz.asc
  • gpg --verify freebsd-update-upgrade.tgz.asc freebsd-update-upgrade.tgz
  • tar -xzf freebsd-update-upgrade.tgz
  • sh freebsd-update.sh -f freebsd-update.conf -r 6.3-RELEASE upgrade
  • yes to “Does this look reasonable?”
  • sh freebsd-update.sh -f freebsd-update.conf install
  • init 6
  • sh freebsd-update.sh -f freebsd-update.conf install
  • init 6

That was painless enough to be very, very encouraging to me. Now I’ll have to go hit a loaded box and see how well it works….

FreeBSD

FreeBSD, Courtesy of Novell, Richard Bejtlich, and my friend Todd

January 20th, 2008

It’s happened. I looked around yesterday and realized I’ve switched from Linux to FreeBSD. I didn’t wake up one morning and decide to switch. It just seems that as projects came up I would find some compelling reason to choose FreeBSD over Linux. Now that I look around, I see the pattern. It wasn’t purposeful, but I’m happy with where it’s going.

You need to understand that I started using Linux about eight years ago and got serious with it over the last five years or so. Actually I have my friend Todd to thank for turning me on to Linux as part of his infatuation with integration. It started off innocently enough with some Linux firewalls (the LRP project to be exact) that I could make work, but it was still mostly black magic. Over time I got to using Sendmail, iptables/Shorewall, Samba, LAMP, and all manner of Linux goodness.

By this time I was settled in with SuSE as a distro of choice. SuSE was running in my office, most of my clients in some fashion, and in my data center rack. Life was good. Then Novell entered the picture. They bought SuSE up, and as usual sucked the life out of something good. Dang. Actually it took a couple of releases before the fears were confirmed and I left SuSE. Over time I played around with a list of distros that I liked for some reasons and hated for others. Nothing ever seemed to fit well for the many scenarios I had used SuSE for.

Over the last couple years I’ve been reading Richard Bejtlich’s TaoSecurity blog, and his general endorsement of FreeBSD interested me. Then, my friend Todd pointed out pfSense, a BSD based firewall distribution running pf. After running shorewall on Linux hosts, pfSense was somewhat constrictive though. The logical extension was running pf directly on FreeBSD, and now my firewalls and many of my customers’ firewalls are on FreeBSD.

So now I am running FreeBSD on as many hosts as Linux, and I expect to convert most of what remains to FreeBSD as boxes age out. As a matter of fact, one of my next projects will be to replace my office Samba server with new hardware running FreeBSD and Samba.

So far I like what I’ve learned, and I can foresee using FreeBSD as an OS of choice for quite some time.

FreeBSD, pfSense

Outbound Firewall Rules (egress filtering)

January 30th, 2007

So, I turned off the default “allow all to anywhere” LAN rule on my office firewall this afternoon and then created individual rules for the required/applicable ports and protocols. So far, it works great.

This is a good test of the Outbound traffic restrictions mentioned in the PCI DSS. Once I get everything “nailed down”, I should be able to translate what I’ve done here to the “live” cardholder data environment.

Here’s what I have so far:

  • 22 TCP
  • 53 TCP/UDP
  • 80 TCP
  • 123 TCP/UDP
  • 443 TCP
  • GRE
  • 1723 TCP
  • 3389 TCP
  • Block and Log everything else

With the last rule of Block and Log everything, it’s pretty cool to see what’s going on on my LAN segment!
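The policy listed above, written out as a pf.conf fragment for a FreeBSD box running pf directly. This is an added example, not the post's own ruleset or a pfSense export; the interface names and the LAN network are assumptions.

```pf
# Added example, not the post's configuration. Assumed interface names
# and LAN network: replace with the real ones.
lan_if  = "em1"
wan_if  = "em0"
lan_net = "192.168.1.0/24"

# The outbound services from the post's list.
tcp_out = "{ 22, 53, 80, 123, 443, 1723, 3389 }"
udp_out = "{ 53, 123 }"

set skip on lo0

# Default deny in both directions, logged: anything not matched by a pass
# rule below lands in pflog0. This is the "Block and Log everything else"
# rule, and it is what makes the LAN chatter visible.
block log all

# LAN hosts may open only the listed services. Stateful, so replies are
# matched automatically and need no inbound rule of their own.
pass in quick on $lan_if inet proto tcp from $lan_net to any port $tcp_out flags S/SA keep state
pass in quick on $lan_if inet proto udp from $lan_net to any port $udp_out keep state
# GRE carries the PPTP data channel that 1723/tcp negotiates.
pass in quick on $lan_if inet proto gre from $lan_net to any keep state

# Traffic that passed the LAN-side rules still has to leave via the WAN.
pass out quick on $wan_if inet keep state
```

`pfctl -nf /etc/pf.conf` syntax-checks the file before it is loaded, and `tcpdump -n -e -ttt -i pflog0` shows the logged blocks as they happen.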

Firewalls, PCI, pfSense

MIMEDefang on FreeBSD – Part 2

January 21st, 2007

OK, back at it again. Got sendmail and mimedefang installed.

Notes:

  • Gotta copy /usr/local/etc/rc.d/mimedefang.sh-dist to /usr/local/etc/rc.d/mimedefang.sh
  • Generate a new sendmail.cf
    • Go to /etc/mail
    • Issue a ‘make’
    • Edit hostname.mc file

divert(-1)
#
# The best documentation for this .mc file is:
# /usr/share/sendmail/cf/README or
# /usr/src/contrib/sendmail/cf/README
#

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.30.2.2 2006/08/23 03:31:00 gshapiro Exp $')
OSTYPE(freebsd6)
DOMAIN(generic)

define(`confCW_FILE', `-o /etc/mail/local-host-names')
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')

define(`confMAX_HEADERS_LENGTH', `32768')dnl
define(`confBAD_RCPT_THROTTLE', `3')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `50')dnl
define(`confTRUSTED_USER', `mailnull')dnl
define(`confMAX_MESSAGE_SIZE', 204800000)dnl
dnl TIMEOUT settings - Bat book 24.9.109
define(`confTO_INITIAL', `2m')dnl
define(`confTO_CONNECT', `2m')dnl
define(`confTO_ICONNECT', `30s')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_MAIL', `5m')dnl
define(`confTO_RCPT', `15m')dnl
define(`confTO_DATAINIT', `2m')dnl
define(`confTO_DATABLOCK', `5m')dnl
define(`confTO_DATAFINAL', `30m')dnl
define(`confTO_RSET', `5m')dnl
define(`confTO_QUIT', `2m')dnl
define(`confTO_MISC', `2m')dnl
define(`confTO_COMMAND', `5m')dnl
define(`MILTER', `1')dnl
define(`confMILTER_LOG_LEVEL', `9')dnl

FEATURE(access_db, `hash -o -T /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

FEATURE(`redirect')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
MAIL_FILTER(`mimedefang', `S=local:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confINPUT_MAIL_FILTERS', `mimedefang')dnl

DAEMON_OPTIONS(`Name=IPv4, Family=inet')

MAILER(local)
MAILER(smtp)

FreeBSD, MIMEDefang

MIMEDefang on FreeBSD – The Discovery

January 17th, 2007

First stab at MIMEDefang on a FreeBSD box. The server is an older Dell PowerEdge 2650 that was loaded with base FreeBSD 6.1 about two months ago. I just updated to FreeBSD 6.2-RELEASE yesterday without a hitch. Also, ports are up to date and portupgrade was run.
The following sources were used for information:

My process:

  • Install Perl
    • cd /usr/ports/perl5.8
    • make
    • make install
      • Received error that perl-5.8.8 was already installed (oops)
    • make clean
  • Sendmail is installed
    • Version 8.13.8
    • Verify that milter support is compiled
      • sendmail -Ac -d0.1 -bv root
  • Install ClamAV
    • Version 0.88.7
    • cd /usr/ports/security/clamav
    • make
    • make install
    • Error message that clam was already installed
    • make deinstall
    • make reinstall
  • Install MIMEDefang
    • Version 2.58
    • cd /usr/ports/mail/mimedefang
    • make
    • Error again

Basically, I’ve hosed this up by doing some binary package installation previously, it would appear. Brain fade.

What now? Flatten the box? Looks like I installed clam, mysql, perl, and mimedefang previously.

No, apparently this isn’t all that bad. Think I’ll just work with what’s there for now.

Dell PE 2650, FreeBSD, MIMEDefang

Tao post on why to use FreeBSD

January 16th, 2007

I was listening to a PSW podcast from last January (post-ShmooCon) when they interviewed Richard Bejtlich.

They asked about FreeBSD, and he referenced this post on some advantages of FreeBSD and BSD in general.

FreeBSD