List: openbsd-misc
Subject: OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)
From: Klaus Botschen <klaus () bksys ! com>
Date: 2008-02-20 18:13:04
Message-ID: 200802201913.04168.klaus () bksys ! com
Just for the record.
The Alix2c1 board is from PC Engines, 3 LAN, 1 miniPCI,
a 433 MHz AMD Geode LX700 with 128 MB DDR DRAM,
CompactFlash socket (see http://pcengines.ch/alix2c1.htm).
In short, I upgraded the BIOS, performed a PXE boot,
did a normal install, afterwards configured the RAM-disk
for /var and /tmp and made / read-only.
Works great, thanks. And BTW, Recurring PayPal Donations is a
good idea.
Now the longer story.
The boards (two of them) are used for NAT, firewall, DNS, FTP-proxy and
Spamd frontend for a mailserver that is behind the firewall. It's a small
network for about 10 users.
For the BIOS upgrade, I used a ready-to-run FreeDOS image from a Korean host,
http://210.109.84.3/download/freedos_alixupdate_16.img
which I wrote with dd onto a 1GB CF card (using a PCMCIA adapter).
You have to link the serial ports of your computer with the alix board
using a nullmodem (crossover) serial cable. I use Linux as main OS
and used minicom as terminal. Default settings for the Alix board
are 38400-8-N-1. The serial port on my machine is /dev/ttyS0.
For PXE boot you need some entries in /etc/dhcpd.conf:
allow bootp;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.200 192.168.0.250;
default-lease-time 14400;
max-lease-time 172800;
next-server 192.168.0.10; # this is my machine
filename "pxeboot";
}
Put these files to the tftpboot directory:
bsd.rd
pxeboot
etc/boot.conf
# cat boot.conf
set tty com0
stty com0 38400
boot bsd.rd
Now I performed a normal 4.2 install with following deviations:
- I cleared all partitions and created only wd0a using the whole disk.
- No swap.
- I left out comp42.tgz.
- I had to add xbase42.tgz because of expiretable-0.6 (will change in 4.3).
Next time I would make two partitions, one for installation,
and a larger one so that I can store updated image files there,
boot bsd.rd and copy the image over the primary partition...
After installation comes:
# /mnt/usr/sbin/chroot /mnt
We need /tmp, /var and /dev writeable, but this would destroy the
CompactFlash card. We move those three directories to a memory
based file system that will be populated during startup.
# mkdir /ptype
# cp -rp /var /ptype/var
# mkdir /ptype/dev
# cp /dev/MAKEDEV /ptype/dev
# cd /ptype/dev
# ./MAKEDEV all
# rm -rf /tmp
# ln -s /var/tmp /tmp
Now I'm not quite sure whether the MAKEDEV worked out of the box;
I think I had to reboot because I got lots of error messages.
Lots of configuration work needs to be done:
This sets the boot console to the serial port:
# cat /etc/boot.conf
set tty com0
stty com0 38400
Minicom only supports VT102:
# cat /etc/ttys
tty00 "/usr/libexec/getty std.38400" vt102 on secure
# cat /etc/fstab
/dev/wd0a / ffs ro,noatime 1 1
swap /var mfs rw,-P=/ptype/var,-s=65536,noexec,nosuid,nodev 0 0
swap /dev mfs rw,-P=/ptype/dev,-s=4096,-i=128,noexec,nosuid 0 0
# cat /etc/rc.conf (only changes, YMMV:)
named_flags=""
ntpd_flags=""
spamd_flags=""
spamlogd_flags="-i pflog0"
ftpproxy_flags=""
Be careful not to set the ntpd-flags to "-s", in my tests, when the
internet was not connected, ntpd would hang completely.
I use rdate for that, see later.
I added a single line in /etc/rc:
mount -a -t nonfs,vnd
mount -uw / # root on nfs requires this, others aren't hurt
rm -f /fastboot # XXX (root now writeable)
+ sleep 1 # wait until mfs is populated
# cat /etc/rc.conf.local
expiretable=YES
# cat /etc/rc.local
echo -n 'rdate '
rdate -ncv pool.ntp.org
if [ X"${expiretable}" = X"YES" ]; then
echo -n 'expiretable '
/usr/local/sbin/expiretable -v -d -t 2h bruteforce
fi
Now something completely different, the packet filtering.
The mailserver sits in the local LAN and is protected by the firewall and spamd.
I installed the open source edition of zimbra.com there, so there are plenty of ports
redirected to the webserver.
Aside from that, I decided to block SSH brute force attempts, but set it too tight -
I locked myself out for 2 hours because I initiated several scp commands too fast...
For the automatic unlocking to work, you need "expiretable-0.6".
Additionally, I have a whitelist with IP addresses of known mail servers
located in /var/db/whitelist.
# cat /etc/pf.conf
WORLD="vr2"
LAN="vr0"
IPEXT="a.b.c.d"
IPINT="192.168.0.0/24"
MAIL="192.168.0.104"
MAILPTS=" { www, pop3, auth, https, pop3s, 7071 } "
table <rfc1918> persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/5, \
    169.254.0.0/16 }
table <whitelist> persist file "/var/db/whitelist"
table <spamd> persist
table <spamd-white> persist
table <bruteforce> persist
set loginterface $WORLD
set limit table-entries 350000
scrub on $WORLD all fragment reassemble random-id reassemble tcp
nat-anchor "ftp-proxy/*"
nat on $WORLD from $IPINT to any -> $IPEXT
rdr-anchor "ftp-proxy/*"
rdr pass on $LAN proto tcp from $IPINT to any port 21 -> 127.0.0.1 port 8021
# -------- mail server and spamd
rdr pass on $WORLD proto tcp from <whitelist> to $WORLD port smtp -> $MAIL port smtp
rdr pass on $WORLD proto tcp from <spamd-white> to $WORLD port smtp -> $MAIL port smtp
rdr pass on $WORLD proto tcp from <spamd> to $WORLD port smtp -> 127.0.0.1 port spamd
rdr pass on $WORLD proto tcp from !<spamd-white> to $WORLD port smtp -> 127.0.0.1 port spamd
rdr pass on $WORLD proto tcp from any to $WORLD port $MAILPTS -> $MAIL
# --------- add the rules for FTP proxy
anchor "ftp-proxy/*"
# -------- allow everything to go out
pass quick on $LAN all
block return in quick on $WORLD inet from <rfc1918> to any
block return in quick on $WORLD inet proto tcp from <bruteforce> to any port 22
block return in on $WORLD inet all
# -------- logging pflog0, used by spamdlogd
pass in log quick on $WORLD inet proto tcp from any to $MAIL port smtp keep state
pass out log quick on $WORLD inet proto tcp from $MAIL to any port smtp keep state
pass out on $WORLD keep state
# -------- SSH brute force handling
pass in quick on $WORLD inet proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)
# -------- allow DNS queries
pass in quick on $WORLD inet proto { udp, tcp } from any to $IPEXT port { domain, ntp } keep state
pass in quick on $WORLD inet proto icmp all keep state
Okay, these are very basic settings. I later had a problem with one of my
users that was used to sending his mail using the server as a relay. Spamd
doesn't recognise SMTP AUTH commands, so I punched another hole
into the firewall to allow him to bypass the spamd and connect to port 25
of the mailserver directly.
Now again to our file system. I don't want to lose my changes when the
power is lost (which happens rather seldom here in Europe), so I copy
them back every reboot and every week.
# cat /root/upvar
#!/bin/sh
mount -uw /
/usr/local/bin/rsync -rlptgouv --delete --exclude-from=/root/upvarex /var/ /ptype/var/
mount -ur /
# cat /root/upvarex
*~
tmp
run
# cat /etc/weekly.local
#!/bin/sh
/root/upvar
# cat /etc/rc.shutdown
powerdown=NO # set to YES for powerdown
/root/upvar
Call spamd-setup not on the full hour:
# crontab -e
33 * * * * /usr/libexec/spamd-setup
Furthermore changes in:
newsyslog.conf
sysctl.conf
resolv.conf
spamd.conf
named.conf
# dmesg
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 432 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 133791744 (127MB)
avail mem = 121741312 (116MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/10/07, BIOS32 rev. 0 @ 0xfceb2
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:13:04:90
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:13:04:91
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:0d:b9:13:04:92
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
pcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <CF 1GB>
wd0: 1-sector PIO, LBA, 967MB, 1981728 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: AMD EHCI root hub, rev 2.00/1.00, addr 1
isa0 at pcib0
isadma0 at isa0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: AMD OHCI root hub, rev 1.00/1.00, addr 1
biomask e3ef netmask ffef ttymask ffef
pctr: user-level cycle counter enabled
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout
# top -d 1 -b
load averages: 0.54, 0.25, 0.13 18:33:57
27 processes: 26 idle, 1 on processor
CPU states: 0.5% user, 0.0% nice, 0.1% system, 0.3% interrupt, 99.1% idle
Memory: Real: 36M/63M act/tot Free: 56M Swap: 0K/0K used/tot
PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
1132 _spamd 2 0 15M 16M sleep select 7:01 1.76% spamd
9053 named 2 0 4916K 5456K sleep select 1:03 0.39% named
9127 _spamd 10 0 9824K 1244K idle nanosle 0:28 0.00% spamd
12747 _pflogd 4 0 716K 332K sleep bpf 0:08 0.00% pflogd
8602 _spamd 4 0 416K 704K sleep bpf 0:08 0.00% spamlogd
24570 _syslogd 2 0 396K 928K sleep poll 0:03 0.00% syslogd
2323 _spamd -6 0 9680K 992K sleep piperd 0:02 0.00% spamd
9020 proxy 2 0 456K 876K sleep kqread 0:01 0.00% ftp-proxy
6106 root 2 0 628K 1500K idle kqread 0:01 0.00% master
14150 root 10 0 33M 5216K sleep mfsidl 0:01 0.00% mount_mfs
25856 _postfix 2 0 652K 1556K idle kqread 0:01 0.00% qmgr
3119 _ntp 2 0 464K 756K idle poll 0:00 0.00% ntpd
19279 root 2 0 644K 920K idle select 0:00 0.00% cron
8075 root 2 0 3336K 2380K sleep select 0:00 0.00% sshd
1221 root 2 0 616K 1212K idle select 0:00 0.00% sshd
8392 root 10 0 904K 1760K sleep wait 0:00 0.00% bash
1001 _postfix 2 0 596K 1496K idle kqread 0:00 0.00% pickup
8853 root 2 0 320K 808K idle netio 0:00 0.00% syslogd
Cheers,
Klaus
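An added example, not code from Klaus's post: a small Python model of the four "rdr pass ... port smtp" rules in the pf.conf above. rdr rules are evaluated first-match, so a sender found in <whitelist> or <spamd-white> is handed straight to $MAIL, a sender in <spamd> or unknown to spamd lands on spamd at 127.0.0.1, and a later rule never overrides an earlier hit. The table contents and client addresses are constructed for the simulation, and the whitelist() helper (standing in for a "pfctl -t whitelist -T add") is one way the hole for the SMTP AUTH user could have been punched; the post does not say which way was used.

```python
"""
pf rdr first-match model for the SMTP rules in the pf.conf above.
Added example, not code from the post.  Table contents are constructed
test data; the redirect targets are the ones the pf.conf uses.
"""
import ipaddress

MAIL = ipaddress.ip_address("192.168.0.104")   # $MAIL in the pf.conf
SPAMD = ipaddress.ip_address("127.0.0.1")      # spamd on localhost

# Constructed table contents (on the box they come from /var/db/whitelist,
# from spamd-setup and from spamd's own greylisting).
TABLES = {
    "whitelist":   ["203.0.113.10", "198.18.0.0/15"],   # known mail servers
    "spamd-white": ["198.51.100.7"],                    # passed greylisting
    "spamd":       ["192.0.2.0/24"],                    # blacklists from spamd-setup
}

# The four "rdr pass ... port smtp" rules in file order as
# (table, negated, target).  Like pf, the first matching rdr rule wins.
RDR_SMTP = [
    ("whitelist",   False, MAIL),
    ("spamd-white", False, MAIL),
    ("spamd",       False, SPAMD),
    ("spamd-white", True,  SPAMD),   # "from !<spamd-white>"
]


def in_table(addr, table):
    """pf table lookup: an address matches any host or CIDR entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in TABLES[table])


def smtp_target(client):
    """Where a TCP/25 SYN from `client` arriving on $WORLD is redirected to."""
    for table, negated, target in RDR_SMTP:
        if in_table(client, table) != negated:
            return str(target)
    return None   # unreachable with these rules: rule 4 catches everything else


def whitelist(addr):
    """Model of `pfctl -t whitelist -T add <addr>`, e.g. for the SMTP AUTH user
    (assumed here; the post does not say how the bypass was done)."""
    TABLES["whitelist"].append(addr)


if __name__ == "__main__":
    for c in ("203.0.113.10", "198.51.100.7", "192.0.2.66", "203.0.113.99"):
        print(c, "->", smtp_target(c))
```

Running it shows the unknown host 203.0.113.99 going to spamd until whitelist() is called for it, after which it reaches the mailserver directly; that is exactly why a roaming user who needs SMTP AUTH on port 25 cannot get through spamd without such an entry.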
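A second added example, also not from the post: the SSH rule's overload behaviour (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global) together with the 2h expiry expiretable provides, modelled in Python over a constructed timeline of connections. pf computes the connection rate as a moving average, so the sliding window here is an approximation of it; the source addresses and timings are made up.

```python
"""
Model of the SSH brute-force rule in the pf.conf above plus the
expiretable -t 2h cleanup.  Added example, not code from the post;
the connection timeline in scp_burst() is constructed.
"""
from collections import defaultdict, deque

RATE_COUNT, RATE_WINDOW = 3, 30     # max-src-conn-rate 3/30
MAX_SRC_CONN = 5                    # max-src-conn 5
TABLE_TTL = 2 * 60 * 60             # expiretable -t 2h, in seconds


class SshGuard:
    def __init__(self, rate=(RATE_COUNT, RATE_WINDOW),
                 max_conn=MAX_SRC_CONN, ttl=TABLE_TTL):
        self.count, self.window = rate
        self.max_conn = max_conn
        self.ttl = ttl
        self.recent = defaultdict(deque)   # src -> times of recent SYNs (approximates pf's moving average)
        self.states = defaultdict(int)     # src -> open ssh states
        self.bruteforce = {}               # <bruteforce> table: src -> time added

    def expire(self, now):
        """What expiretable does on its timer: drop entries older than ttl."""
        for src, added in list(self.bruteforce.items()):
            if now - added >= self.ttl:
                del self.bruteforce[src]

    def syn(self, src, now):
        """Evaluate one incoming TCP/22 SYN from src at time `now` (seconds)."""
        self.expire(now)
        if src in self.bruteforce:
            return "blocked"          # block return in quick ... from <bruteforce>
        q = self.recent[src]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.count or self.states[src] + 1 > self.max_conn:
            # overload: the source goes into <bruteforce>; "flush global"
            # also kills every state this source already has, which is why
            # a too-fast burst of scp commands locks out the open session too
            self.bruteforce[src] = now
            self.states[src] = 0
            q.clear()
            return "overload"
        self.states[src] += 1
        return "pass"

    def fin(self, src):
        """A connection from src closed and its state went away."""
        if self.states[src] > 0:
            self.states[src] -= 1


def scp_burst(guard, src, times):
    """Constructed scenario: one ssh connection per scp command at the given times."""
    return [guard.syn(src, t) for t in times]


if __name__ == "__main__":
    g = SshGuard()
    print(scp_burst(g, "198.51.100.5", [0, 2, 4, 6]))   # 4th scp within 30 s
    print(g.syn("198.51.100.5", 600))                   # still in <bruteforce>
    print(g.syn("198.51.100.5", 6 + TABLE_TTL))         # expiretable removed it
```

The fourth connection inside the 30 second window trips the rule; with expiretable's 2h timeout the address becomes usable again only after the entry has aged out, which matches the two-hour lock-out described above. Raising max-src-conn-rate (or dropping flush global so existing sessions survive) is the usual loosening.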