Book Review: Implementing Cisco IOS Network Security (IINS)

March 20th, 2012

So I wrote up a review on the Cisco Press self-study guide for the 640-553 exam, which I finished reading this weekend, & while double checking things I noticed that the 640-554 exam topics were already announced last month, with the self-study guide for 640-554 due to be published at the end of August; the new exam will follow on from the 1st of October.
The new book will again be authored by Catherine Paquet so I’m curious how much new content there will be in the new revision.

There are seven chapters in the current 640-553 book:

  • Introduction to Network Security Principles
  • Perimeter Security
  • Network Security Using Cisco IOS Firewalls
  • Fundamentals of Cryptography
  • Site-to-Site VPNs
  • Network Security Using Cisco IOS IPS
  • LAN, SAN, Voice, and Endpoint Security Overview

    Chapter 1, “Introduction to Network Security Principles” was the most tedious of the seven to read, a long drawn out chapter covering ethics, risk analysis, lots of charts, graphs & cost figures (I managed to get through the chapter by thinking of Brass Eye every time I came across one), marketing info on Cisco’s “self-defending network”, & buried amongst all that was some introductory info on different types of attack.

    Chapter 2, “Perimeter Security” covers getting set up (ACS Server on Windows, logging, AAA, views), more product line info & navigating SDM.

    Chapter 3, “Network Security Using Cisco IOS Firewalls” covers the fundamentals of firewalls; quite a large portion of the chapter is on ACLs & configuring them, which didn’t make sense as this is covered in ICND2, followed by a shorter section on configuring the zone based firewall via SDM & the firewall wizard.

    Chapter 4, “Fundamentals of Cryptography” was good but contained some mistakes, like “DES is considered trustworthy” & “Cryptography researchers have scrutinized DES for nearly 35 years and have found no significant flaws”. These statements are wrong, the DES Cracker proved it in the late 90′s, or perhaps this is what they were referring to by “because DES is based on simple mathematical functions, it can easily be implemented and accelerated in hardware”.

    Chapter 5, “Site-to-Site VPNs” was enjoyable & led on from the foundation laid in the previous chapter; setup was also covered from the console this time.

    Chapter 6, “Network Security Using Cisco IOS IPS” covers the fundamentals on the theory side, how to configure it via SDM & more product intro. This chapter is available as a free sample for download.

    Chapter 7, “LAN, SAN, Voice, and Endpoint Security Overview” was 50/50: I enjoyed the SAN section because it was new to me, so there was new information to learn; the endpoint security section covered various attacks & vulnerabilities mixed up with product line info; the voice section was brief, covering fundamentals, threats & defence, & I didn’t find it very interesting. The chapter finished up with mitigating L2 attacks.

    I didn’t particularly enjoy this book; the first three chapters were pretty tedious to read but it got better in the later ones. Overall it lacked flow & felt thrown together.
    It was also disappointing to see the use of TFTP being encouraged in a security book:
    “The system that you choose should support TFTP to make it easy to transfer any resulting configuration files to the router” &
    “The added layer of MD5 protection is useful in environments in which the password crosses the network or is stored on a TFTP server”.
    The book is a combination of marketing material on the product line, some technical theory & mainly instructions for navigating the SDM, though the console is covered here & there (the main focus is SDM but that looks to change to CCP for the new exam).
    As self-study guides go I thought it was better than Stephen McQuerry’s 2 books for the R&S CCNA. I’m looking forward to seeing how the CCNA Security book is; I really enjoyed reading Odom’s CCNA books & though I’ve not read any of Kevin Wallace’s books before, I found the video content he’s published on YouTube very good, so I’m looking forward to reading his book to prepare for the 640-553 exam.
    If the exam certification guides are generally on par with Odom’s books then in the future I think I will skip the self-study guides & move straight on to the exam certification guides.

    Juniper SRX & FreeBSD/mips

    March 18th, 2012

    I didn’t realise the Juniper SRX line (at least the 100) was based on an OCTEON MIPS SoC.

    CPU in an SRX100b:
    OCTEON CN5020-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266MHz (532 Mhz data rate)

    dmesg from SRX100

    Thinking about it now, I understand why Juniper contributed the code back up to FreeBSD in 2007, & as I search around for reference material to link to in this blog post the pieces are falling into place.
    An announcement was made at the start of the month that DTrace had been ported to FreeBSD/MIPS by Oleksandr Tymoshenko.
    What this will mean is that when the code makes it back into a Junos release you will have the ability to get near-realtime answers about what is going on on your router or firewall, for example using the network provider, & it’ll be safe to run in production because DTrace is designed not to be harmful; something which Cisco doesn’t do, & use of debug commands is discouraged on production systems because they are considered harmful.

    If you’ve never played with DTrace & have a Mac, it’s available on all systems running Leopard & above, see this article on getting started.
    It’s available in Solaris (& derivatives), which is where it originated, & on FreeBSD, but the system has to be rebuilt to enable support, see the wiki article for details.

    Building the MSP430 openchronos firmware on FreeBSD

    February 13th, 2012

    There are two openchronos projects: the original OpenChronos project & the continuation, openchronos.
    The openchronos code has a few modifications which are not upstream in poelzi’s OpenChronos repo, most importantly the changes to build under mspgcc 4; I was unable to build under mspgcc 3 as support for some versions of the MSP430 was missing, though this may just be an issue specific to the version currently in the FreeBSD ports tree.
    To build the openchronos firmware on FreeBSD you’ll need the following ports installed:
    devel/git
    devel/msp430-libc
    lang/python

    At the config stage of msp430-libc leave the “Use new msp430-gcc4 compiler” option on & build.
    Once everything is installed, clone the repo listed on the openchronos website with git.
    The config process for openchronos uses Python & depends on the locale being defined correctly, otherwise running gmake config in the shell will cause an error such as:
    UnicodeEncodeError: 'ascii' codec can't encode character u'\u2503' in position 20: ordinal not in range(128)
    Defining LC_CTYPE with the appropriate UTF-8 encoding for your locale resolves this; run locale -a for a list of supported locales which you can declare.
    Once that’s defined, running gmake config should show the configuration script; if you’re still receiving errors you may want to run gmake clean & try again.
    You need to check the frequency setting is correct for the model of watch you bought (the eZ430-Chronos is sold in 433, 868 & 915 MHz variants).
    Now save your configuration & run gmake to compile the code.
    If you’re unable to compile the image successfully because the image generated is too large (see the problems section of the README), either set the “Metric only code” option in configure or try this patch which reduces the size of the image (thanks to Andrey Ulanov for the pointer).
    If the build completes successfully, you’ll have two files in the build directory named eZChronos.elf & eZChronos.txt.
    At this point I cheated & used Windows to flash the watch wirelessly.
    Set the watch in rFbSL mode & run the Chronos Data Logger app, go to the Wireless Update tab, point it at the .txt file & press “Update Watch”.
    A counter should show up to display the progress on the watch.
    Once the flash is complete, all the elements on the LCD display should switch on.
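    The build steps above, collected into one sh script as an added example (this is not code from the openchronos project or from the original post). It checks the tools are on PATH before starting, picks a UTF-8 locale from locale -a for LC_CTYPE so gmake config doesn’t die with the UnicodeEncodeError, & confirms the two output files exist afterwards. The checkout path ($HOME/src/openchronos), the name of the compiler binary (msp430-gcc) & the build/ output directory are this example’s assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or the openchronos project:
# wrap the openchronos build on FreeBSD. Assumes the repo is cloned to
# $HOME/src/openchronos (override with the first argument after "build"),
# that the toolchain port installs a binary called msp430-gcc, and that the
# firmware lands in build/.

# Print the first UTF-8 locale from a newline separated list such as the
# output of `locale -a`; return 1 (printing nothing) if there is none.
choose_utf8_locale() {
    loc=$(printf '%s\n' "$1" | grep -i -E 'utf-?8$' | head -n 1)
    [ -n "$loc" ] || return 1
    printf '%s\n' "$loc"
}

# Check every tool the build needs is on PATH before touching anything.
check_tools() {
    for tool in git gmake python msp430-gcc; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
}

# Run the configure UI and the build with a UTF-8 LC_CTYPE, then confirm
# the ELF image and its TI-TXT form (the file the wireless updater wants)
# were produced and are not empty.
build_openchronos() {
    srcdir=${1:-"$HOME/src/openchronos"}
    check_tools || return 1
    LC_CTYPE=$(choose_utf8_locale "$(locale -a)") || {
        echo "no UTF-8 locale installed; gmake config will fail" >&2; return 1; }
    export LC_CTYPE
    cd "$srcdir" || return 1
    gmake config || return 1     # interactive: check the RF frequency for your watch here
    gmake || { echo "build failed (image too large? see the README)" >&2; return 1; }
    for f in build/eZChronos.elf build/eZChronos.txt; do
        [ -s "$f" ] || { echo "expected $f after the build" >&2; return 1; }
    done
    ls -l build/eZChronos.elf build/eZChronos.txt
}

# Only build when invoked as: sh build-openchronos.sh build [srcdir]
if [ "${1:-}" = "build" ]; then
    build_openchronos "${2:-}"
fi
```

    choose_utf8_locale is kept separate so the locale selection can be checked without a toolchain installed; if your system only lists C & POSIX, install a locale before retrying rather than exporting an LC_CTYPE value locale -a doesn’t know about.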

    Rearranging the keys on Apple keyboards to the Dvorak layout

    February 9th, 2012

    I’ve been using Dvorak for just under 8 months now according to the date (17/6/2011) on the printout I have pinned on my wall of the US Dvorak keyboard layout from Wikipedia.
    It’s been ok-ish so far, I’m used to the layout now but still prone to making mistakes; my main gripe with it is the position of the W & V keys, one slip of the finger when pasting something & you lose what you’re doing because you’ve just closed the window instead. This has happened on several occasions, usually when working remotely via an SSH session. It’s ok apart from that, I just need to focus on keeping my hands still on the correct keys & letting the fingers do the work rather than moving my hands around the keyboard.
    Scrolling through the Dvorak simplified keyboard article on Wikipedia, I saw a pair of photos in the Mac OS section of a cordless keyboard & iBook with keys rearranged in a Dvorak layout.
    I had assumed it wasn’t do-able & not looked into it further, but a quick search showed it was pretty easy, as this video shows.
    To remove the keys from your keyboard just pull the top of the key to unclip & slide down to release; within a couple of minutes my cordless keyboard looked like this

    Putting the keys back was pretty straightforward & went seamlessly, sliding the keys up into position & pushing down to clip into place; within a couple of minutes my keyboard looked like this

    As this was easy & quick to do, I assumed the keyboard on my MacBook Pro would be the same, so I began pulling the keys off; most of the keys on the centre 2 rows came off without any problems but then I reached the right hand side of the keyboard & found keys which took a bit more persuasion to unclip, & it was downhill from there.

    I managed to pull most of the plastic clips out of the pin sockets which are used to lever them; this took a bit of fiddling to get back in but I managed to do it without breaking anything, which was good, but as I was a little rough handed on a couple of them I managed to pull the rubber spring off the face plate :(

    Fortunately, putting the keys back on again wasn’t too much hassle; the two keys which had their spring come off initially missed key strokes but seem ok now (the spring needs to reseat into a better position?)

    I’d like to make this change on my ThinkPad keyboard too but the keys which fit around the TrackPoint have different shapes to the rest of the keys.

    L2TP/IPsec VPN clients unable to authenticate after 10.7.3 update

    February 2nd, 2012

    If you’re finding users are unable to dial in via L2TP/IPsec VPN after upgrading Lion Server to 10.7.3, check /var/log/ppp/vpnd.log.
    If you’re seeing DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server: errno -14484, ctxt 4 logged on dial-in attempts, you’ll need to adjust your password policy.
    There is an Apple support article, HT4748, which covers how to make this change.
    Thanks to the user bobgeo on the Apple discussion forums for the pointer.

    Running nwdiag on Mac OS X

    January 31st, 2012

    nwdiag is a tool written in Python for generating network diagrams from text files; rack diagrams can also be built using the bundled rackdiag utility.
    nwdiag requires PIL built with freetype2 support; if this is missing you’ll receive the following error when you try to generate a diagram:
    ERROR: The _imagingft C module is not installed.

    Following the instructions in the README file included with PIL, once the build process completes you’ll see a summary:
    PIL 1.1.7 SETUP SUMMARY
    --------------------------------------------------------------------
    version 1.1.7
    platform darwin 2.7.1 (r271:86832, Jul 31 2011, 19:30:53)
    [GCC 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)]
    --------------------------------------------------------------------
    --- TKINTER support available
    *** JPEG support not available
    --- ZLIB (PNG/ZIP) support available
    *** FREETYPE2 support not available
    *** LITTLECMS support not available
    --------------------------------------------------------------------

    It appears that freetype2 support is not built by default & I wasn’t paying enough attention, so I missed the notice following the summary:
    To add a missing option, make sure you have the required
    library, and set the corresponding ROOT variable in the
    setup.py script.
    After a brief search I came across this blog post which covered how to define the paths for the freetype library & header files.
    Setting FREETYPE_ROOT in setup_site.py to
    FREETYPE_ROOT = "/usr/X11/lib", "/usr/X11/include"
    solved the problem & the summary listed --- FREETYPE2 support available when I re-ran the build process.
    After that everything worked fine; the following config generated the image at the bottom of the page:
    nwdiag {
      inet [shape = cloud];
      inet -- router;
      router;
      network office {
        router;
        "Mail server";
        "Web server";
      }
    }

    Network diagram generated using nwdiag

    The project is still in its infancy & there are features missing for implementing common elements from a Cisco discipline (like representing EtherChannel), but it’s promising as you can put a simple diagram together very quickly.

    Connecting to shared calendars on ical server using the Lightning extension for Thunderbird

    January 19th, 2012

    To access a shared resource/location calendar on an iCal Server from the Lightning extension for Thunderbird you’ll need the GUID for the calendar you wish to access, see my previous post on how to obtain it.

    Once you’ve obtained the GUID, construct a URL using the following convention (assuming you’re connecting to the server via SSL):
    https://yourserver.somewhere.local:8443/calendars/__uids__/your-shared-cal-guid/calendar/
    Switch to Thunderbird, go to File > New > Calendar…
    Select “On the Network” from the wizard & press Continue.
    Select “CalDAV” as the format, & for the location specify the URL you constructed using the convention above & press Continue.
    Once you’ve specified a name for the shared calendar & pressed Continue you should have access to the shared calendar.

    Connecting to shared calendars on ical server using an iPhone

    January 18th, 2012

    To access the shared resource/location calendar on an iCal Server from an iPhone via the CalDAV protocol you’ll need the GUID of the shared calendar.

    First, find the GUID of the calendar on the server using the calendarserver_manage_principals command, eg
    sudo calendarserver_manage_principals --search shared
    1 matches found:

    your shared cal (Resource)
    GUID: 6x3331a8-as12-ea2x-4ou1-ndeb3ct4wa686
    Record name(s): 6x3331a8-as12-ea2x-4ou1-ndeb3ct4wa686

    Then on the iPhone (assuming the device is unmanaged), create a new CalDAV calendar account, fill in the correct server, username & password fields & hit Next.
    Assuming everything went ok, you should be back on the “Mail, Contacts, Calendars” page; select the new calendar account you just created & then Advanced Settings.
    Edit the “Account URL”, replacing the UID on the end of the URL with the GUID of the shared calendar you noted down in the first step.
    eg:
    https://username@yourserver.somewhere.local:8443/principals/__uids__/6x3331a8-as12-ea2x-4ou1-ndeb3ct4wa686
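    This post & the previous one (Lightning) boil down to the same three steps: find the GUID, build a URL, paste it into a client. As an added example, not code from either post or from the calendar server, the sh script below does the first two steps for both clients & checks the collection URL with a CalDAV PROPFIND before any client is configured, so a wrong GUID shows up as a 404 from the server rather than a vague error in Thunderbird or on the phone. Port 8443 & both URL layouts are taken from the posts; the curl invocation, the default search term (shared) & the assumption that the script runs on the server itself (so calendarserver_manage_principals is available) are this example’s.

```shell
#!/bin/sh
# Added example, not from the original posts: look up a shared calendar's
# GUID on the iCal Server, build the two URL forms the posts describe and
# verify the collection answers a CalDAV PROPFIND before configuring clients.

# Extract the GUID from `calendarserver_manage_principals --search` output.
# The text is passed in as an argument so it can be checked offline.
guid_from_search() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*GUID:[[:space:]]*//p' | head -n 1
}

# Collection URL for Lightning's CalDAV "Location" field.
calendar_url() {   # host guid
    printf 'https://%s:8443/calendars/__uids__/%s/calendar/\n' "$1" "$2"
}

# Principal URL for the iPhone's "Account URL" field.
principal_url() {  # user host guid
    printf 'https://%s@%s:8443/principals/__uids__/%s\n' "$1" "$2" "$3"
}

# PROPFIND with Depth: 0 against the collection and print the HTTP status:
# 207 means the collection exists and the credentials work, 404 means the
# GUID is wrong, 401 means this user is not allowed to see it.
caldav_probe() {   # user url   (curl prompts for the password)
    curl -sS -o /dev/null -w '%{http_code}' -u "$1" -X PROPFIND -H 'Depth: 0' "$2"
}

# Usage: sh caldav-url.sh <user> <server> [search-term]
if [ "$#" -ge 2 ]; then
    user=$1 host=$2 term=${3:-shared}
    guid=$(guid_from_search "$(sudo calendarserver_manage_principals --search "$term")")
    [ -n "$guid" ] || { echo "no principal matching '$term'" >&2; exit 1; }
    url=$(calendar_url "$host" "$guid")
    echo "Lightning URL: $url"
    echo "iPhone URL:    $(principal_url "$user" "$host" "$guid")"
    echo "PROPFIND:      $(caldav_probe "$user" "$url")"
fi
```

    If the search returns more than one principal the first GUID wins, so narrow the search term until exactly one match is listed.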

    CUPS generates “Internal server error” when visiting administration page

    January 18th, 2012

    It seems that Mac OS X Lion Server (10.7.0) may have been released with a broken CUPS configuration. Visiting http://localhost:631/admin would generate an “Internal server error”; this seems to be addressed in newer builds (my MacBook Pro, which was installed from a 10.7.2 image, does not exhibit the problem, yet a customer’s server which came bundled with 10.7.0 (upgraded to 10.7.1 > 10.7.2) does).
    To resolve the issue run sudo cupsctl --debug-logging
    then switch off the debug logging with sudo cupsctl --no-debug-logging

    I suspect the problem is due to a missing directory, because comparing the default, previous & current revisions of /etc/cups/cupsd.conf did not show anything that could cause problems.
    I’d also go as far as to say that you don’t need to turn on debug logging in order to resolve this issue, it can be any of the options that can be set via cupsctl as it checks the configuration of the system; this is just a theory, as I was unable to dig further because I was on a production system. Resetting the printing system did not solve the issue when attempted previously.

    More on the ThinkPad X61s

    August 20th, 2011

    I came across a couple of bits of information which are useful if you’re looking to improve performance on your ThinkPad.
    The first thing is that though the X61s is specced as a system only capable of running 4GB of RAM, it can in fact take up to 8GB using 2x 4GB PC2-5300 or 6400 SODIMMs. It can be quite an expensive upgrade but very useful if you’re taking advantage of the VT extension on your CPU.
    The second thing is that the ICH8M chipset actually supports SATA II at 3Gbps but is soft locked in the BIOS to 1.5Gbps, which is a big difference in terms of performance. There is lots of information/rants/flames regarding the matter as it seems other vendors implemented the same restriction (completely missed this); it appears that there is a negotiation problem between the ICH8M chipset & Marvell PATA to SATA bridges. This post provides a good summary of the situation & what changes are required to a BIOS image, but there’s no need to get your hands dirty, there are modified BIOS images available from a couple of sources; I used the image available on the same forum, & there are images available for other ThinkPads too, covering the X300, T61, T61p, R61 & R61e.

    dmesg snippet from FreeBSD 9.0 before

    ahci0: port 0x1c30-0x1c37,0x1c24-0x1c27,0x1c28-0x1c2f,0x1c20-0x1c23,0x1c00-0x1c1f mem 0xf8426000-0xf84267ff irq 16 at device 31.2 on pci0
    ahci0: attempting to allocate 1 MSI vectors (4 supported)
    msi: routing MSI IRQ 258 to local APIC 0 vector 58
    ahci0: using IRQ 258 for MSI
    ahci0: AHCI v1.10 with 3 1.5Gbps ports, Port Multiplier not supported
    ahci0: Caps: 64bit NCQ SNTF ALP AL CLO 1.5Gbps PMD SSC PSC 32cmd CCC 3ports
    ahci0: Caps2:

    & after

    ahci0: port 0x1c30-0x1c37,0x1c24-0x1c27,0x1c28-0x1c2f,0x1c20-0x1c23,0x1c00-0x1c1f mem 0xf8426000-0xf84267ff irq 16 at device 31.2 on pci0
    ahci0: attempting to allocate 1 MSI vectors (4 supported)
    msi: routing MSI IRQ 258 to local APIC 0 vector 58
    ahci0: using IRQ 258 for MSI
    ahci0: AHCI v1.10 with 3 3Gbps ports, Port Multiplier not supported
    ahci0: Caps: 64bit NCQ SNTF ALP AL CLO 3Gbps PMD SSC PSC 32cmd CCC 3ports
    ahci0: Caps2:

    My MacBookPro3,1 is also locked to 1.5Gbps but there doesn’t seem to be any solution at the moment due to the signed firmware images.

    Intel ICH8-M AHCI:

    Vendor: Intel
    Product: ICH8-M AHCI
    Link Speed: 1.5 Gigabit
    Negotiated Link Speed: 1.5 Gigabit
    Description: AHCI Version 1.10 Supported

    Beginning LaTeX – Typesetting the OpenBSD FAQ

    May 30th, 2011

    I attended a one day training course held by the UK TUG back in July of last year which introduced beginners to LaTeX.
    It was relatively simple to get up & running & we were able to put together basic documents with ease after a little practice.
    Slides from the course
    Handout from the course
    To apply what I’d learnt on the course I decided to typeset the OpenBSD FAQ to get me on my way with LaTeX, as the official PDF available for download appears to be generated using a PDF printer from the website, which is great (links & chapters are there & working) but I don’t think it looks that great.
    A beautiful OS deserves beautiful documentation! :)
    So I had a brief attempt at it in the days following the course & got side tracked after doing the very basics on the first 4 chapters. Nearly a year on, I thought I’d have another stab at it.
    The tex files are in a Mercurial repo & there’s a PDF too :)
    I’ve managed to get 10 of the 15 sections from the FAQ into tex files so far, with basic formatting applied to the text, but there’s lots to do yet, e.g. links, tidying up formatting, setting a typographical convention & applying it consistently.

    ThinkPad X61s

    April 20th, 2011

    I couldn’t justify spending £1400+ on a built to order MacBook Air with 4GB of RAM, so I settled on what has turned out to be a mint condition X61s with 8 cell battery & still under warranty for £172.98.
    I’m really pleased with it so far but it’s still no MacBook Air (I went into the Apple store to double check) :)
    Though they’re both “ultraportable laptops” they both scratch a totally different itch for me: the MacBook is sleek & tightly integrated with Mac OS, the ThinkPad is an extendible machine which is far more accommodating to various operating systems.
    The reason I was looking to move to an ultraportable was so I have something I can carry with me at all times (obviously), which was to replace my back breaking 17″ MacBook Pro, with the ability to run multiple operating systems with ease.
    I was able to successfully multi-boot MacOS, FreeBSD & OpenBSD on my MacBook Pro using the gptsync tool from rEFIt, but support for the hardware wasn’t great, e.g. as it had an nVidia graphics card there was no resume support on OpenBSD, power management didn’t really work under FreeBSD either if I remember right, & having a single mouse button meant it was a pain to use X, having to use workarounds with the eject button on the keyboard to emulate right clicks.
    The 11″ MacBook Air seemed like the perfect machine for me, but the whole sealed unit really grinds my gears; it’s not that I wanted to take a screwdriver to it but I’d like to have the option to extend the system at a later date instead of having to decide on a system configuration which would be set in stone, requiring a new system if I wanted to expand, the RAM being the most important thing: buy it with 4GB of RAM or be stuck with 2GB. Though 2GB is fine for OS X alone, it really doesn’t cut it when you’re multitasking with iChat, Terminal.app, iTunes, Thunderbird, Safari, OmniWeb or Opera. These are the apps which are usually always open on my system & my 2007 Mac Mini really struggled with this workload with 2GB of RAM, grinding to a halt regularly as the system swapped furiously; moving to 3GB gave the machine a new lease of life & stopped this behaviour. I would hate to be in the same position with a new system so the BTO Air was the only option for me.
    I would also be stuck with another nVidia based system if I went for the MacBook Air, which means I would still have problems with sleep & X acceleration, so the second hand ThinkPad X61s with the Intel chipset was the way to go.
    The machine is currently multi-booting OpenBSD-CURRENT, FreeBSD-CURRENT & OpenIndiana 148a development build quite happily.
    The system works a treat under OpenBSD; sleep support is still not there in FreeBSD 9.0-CURRENT but I suspect that may just be a bug in acpi_ibm(4). I was hoping to be running SchilliX on this system but was unable to get the system to boot after install; I suspect a change in device paths between booting from the optical drive in the UltraBase & the hard disk is the cause but didn’t look into it in depth, settling for OpenIndiana after trying Solaris 11 Express (which freaked out after the rwn driver was installed) while I work through the DTrace book. Though I’ve compiled in DTrace support for FreeBSD & it’s there out of the box on Mac OS X, most of the examples in the book don’t work as covered in the book on these platforms.

    Hardware wise I ditched the supplied Intel wireless card & installed an AzureWave AW-NE766 Ralink chipset wireless card. ThinkPads check mini PCI-E & wireless USB devices against a device ID whitelist in the BIOS & if not listed the system presents a “1802: Unauthorized network card is plugged in – Power off and remove the miniPCI card” error & refuses to boot. Reflashing the BIOS with a modified BIOS image by someone called Zender turns this off & allows the system to boot without any problems.

    All in all a great system which is cheaper than a netbook, far superior in build & spec but inferior to a MacBook Air in some ways :)

    OpenBSD 4.8 dmesg
    FreeBSD 9.0-CURRENT dmesg

    Unable to transfer voice memos from iPhone

    March 31st, 2011

    I made a few recordings on my iPhone using the Voice Memos app but out of the three recordings I was only able to transfer one of them successfully into iTunes.
    The way it’s meant to work is, if you connect your iPhone to your machine & select Music > Sync Music & tick the Include voice memos then when you sync your phone, your recordings should show up in a playlist in iTunes named Voice Memos.
    Assuming your files have been processed correctly that is!

    What happens is that when you record your voice memos, they are saved as QuickTime .mov files, then the app converts these to .m4a files afterwards. If you’re unlucky & this conversion process is interrupted (e.g. in my case I made these recordings on an iPhone 3G, which meant no multitasking, so switching out to another app meant that I was left with an incomplete m4a file which would never play or get imported); at the time I assumed this was due to the recording being too long for the iPhone, but now that I’ve upgraded to the iPhone 4 & am still experiencing the same problem I decided to look further.
    I downloaded a demo version of PhoneView which gives you access to the files stored on your phone & fired it up, selecting the Voice Memos folder I could see my recordings which I selected & hit the “Copy From iPhone” button.
    The file which transferred successfully into iTunes previously played without a hitch, but the other two still wouldn’t play, though file(1) reported all three files as:
    ISO Media, MPEG v4 system, iTunes AAC-LC
    Looking at the preferences for PhoneView I enabled “Advanced disk mode” to see if I could dig a little deeper
    Advanced Disk Mode

    After enabling this & selecting the Disk folder on the top left hand side I was given access to the filesystem on the phone, selecting the Recordings folder I could see .mov files of the two recordings which I couldn’t get to play so I copied them out & gave them a try in quicktime, these turned out to be the intact recordings.
    View of the iPhone filesystem via advanced disk mode

    Deleting the .m4a versions & reopening Voice Memos.app restarted the conversion process.
    Voice Memos.app processing recording, converting from mov to m4a file

    Building & administering jails on FreeBSD, Part 1

    June 21st, 2010

    The FreeBSD jail(8) manpage & Chapter 15 of the FreeBSD handbook do a great job of explaining jails & helping you get on your way with creating jails, this post builds on that information, covering alternative methods for getting your jails installed & adding what’s not covered already such as maintenance of jails (patching to be specific) & version upgrades.

    • Part 1 (this post :) ) will cover alternative install methods & jail maintenance
    • Part 2 (not yet published) will cover upgrading to a new version FreeBSD

    Once completed the information from these posts will be submitted for inclusion in the handbook.

    So let’s begin; when creating a “complete” jail you have two options for the source of the userland: compile from source code or use the prebuilt binaries from install media. Both the jail manpage & handbook cover building from source code, so we won’t go over it again here.

    One thing worth mentioning though is if you want to build from source code, create a src.conf file & disable items which are not required, this should speed up the time required to build world & reduce the amount of disk space used by jails.

    Here are two sample src.conf files, which disable building items such as firewalls (no use unless you’re using vimage), acpi or documentation:
    Sample src.conf #1
    Sample src.conf #2

    To install the userland from installation media:
    first create the root directory for the jail, eg
    mkdir -p /usr/jails/mynewjail
    then set the DESTDIR variable to this location;
    if using sh
    export DESTDIR=/usr/jails/mynewjail
    if using csh/tcsh
    setenv DESTDIR /usr/jails/mynewjail
    then mount the media (using the 8.0-RELEASE disc 1 ISO in this example)
    mount -t cd9660 /dev/`mdconfig -f /some/path/to/8.0-RELEASE-i386-disc1.iso` /mnt

    Extract the binaries from the tarballs on the install media into your declared destination; realistically you’ll only need to extract base, but you can do a complete install if you wish to. Each install.sh script asks for confirmation before it extracts.
    To install just base:
    cd /mnt/8.0-RELEASE/base; ./install.sh

    You are about to extract the base distribution into /usr/jails/mynewjail – are you SURE
    you want to do this over your installed system (y/n)?

    To install everything but the kernel:
    if using sh
    cd /mnt/8.0-RELEASE; for dir in base catpages dict doc games info manpages ports; do (cd $dir ; ./install.sh) ; done
    if using csh/tcsh
    foreach dir ( base catpages dict doc games info manpages ports )
    cd /mnt/8.0-RELEASE/$dir; ./install.sh
    end

    All configuration steps from here on to get up and running are as specified in the jail man page & handbook.

    Keeping jails up to date with patches
    Run from inside a jail, the freebsd-update(8) tool doesn’t work on a host with default settings, as chflags(1) is not permitted in a jail; set the sysctl security.jail.chflags_allowed to 1 on the host to allow it & freebsd-update can then be used inside the jail.
    The other option is to patch the userland manually from the host OS. All that needs to be done is to pass DESTDIR to the make install command, eg.
    In section 2b of the FreeBSD-SA-10:04.jail advisory you’re told to
    # make obj && make depend && make && make install
    after patching; instead you would issue
    # make obj && make depend && make && make install DESTDIR=/usr/jails/mynewjail
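    The install & patch steps above, collected into one sh script as an added example (not code from the post, the handbook or the FreeBSD project). It attaches the ISO with mdconfig, extracts the chosen distributions with DESTDIR set, detaches the md device even when an extraction fails, & refuses a distribution list that contains kernel. For patching it adds one option the post doesn’t mention: freebsd-update(8) accepts -b basedir, so the host can apply binary updates to the jail tree without relaxing security.jail.chflags_allowed; the source-patch function does what the post describes. The paths are the post’s examples & can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original post: create a jail userland from
# install media and keep it patched from the host. Run as root on the host.
JAILROOT=${JAILROOT:-/usr/jails/mynewjail}
ISO=${ISO:-/some/path/to/8.0-RELEASE-i386-disc1.iso}   # path as in the post
REL=${REL:-8.0-RELEASE}
# Distributions the post lists, minus kernel; "base" alone is enough.
KNOWN="base catpages dict doc games info manpages ports"

# Return 0 if every name in "$1" is a known, jail-safe distribution.
valid_dists() {
    for d in $1; do
        case " $KNOWN " in
            *" $d "*) ;;
            *) echo "refusing distribution '$d' (allowed: $KNOWN)" >&2; return 1 ;;
        esac
    done
    return 0
}

# Attach the ISO, extract the distributions into $JAILROOT, detach again.
install_userland() {   # "base manpages ..."
    dists=${1:-base}
    valid_dists "$dists" || return 1
    mkdir -p "$JAILROOT" || return 1
    md=$(mdconfig -a -t vnode -f "$ISO") || return 1           # prints e.g. md0
    mount -t cd9660 "/dev/$md" /mnt || { mdconfig -d -u "${md#md}"; return 1; }
    DESTDIR=$JAILROOT; export DESTDIR
    rc=0
    for d in $dists; do
        # install.sh asks "are you SURE" once; answer it non-interactively
        (cd "/mnt/$REL/$d" && yes | ./install.sh) || { rc=1; break; }
    done
    umount /mnt
    mdconfig -d -u "${md#md}"
    return $rc
}

# Binary patches from the host: -b makes freebsd-update operate on the
# jail tree instead of / (this option is the example's addition; see
# freebsd-update(8)).
update_jail_binary() {
    freebsd-update -b "$JAILROOT" fetch install
}

# Source patches as the post describes: after applying the advisory's
# patch under /usr/src, rebuild the affected directory with DESTDIR set.
update_jail_source() {   # e.g. /usr/src/usr.sbin/jail
    (cd "$1" && make obj && make depend && make && make install DESTDIR="$JAILROOT")
}

# Usage: sh jail-userland.sh install ["base manpages"] | update | source <dir>
case "${1:-}" in
    install) install_userland "${2:-base}" ;;
    update)  update_jail_binary ;;
    source)  update_jail_source "${2:?source directory required}" ;;
esac
```

    valid_dists exists because install.sh happily extracts whatever directory you point it at; a kernel in a jail is dead weight at best, so the script rejects it up front instead of relying on the operator remembering the list.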

    OpenNMS-dev port for FreeBSD

    June 9th, 2010

    I’ve created a new FreeBSD port for installing releases from the unstable branch of OpenNMS.
    This port suffers from the same issue as the stable port.

    You can grab the port here

    9/6/10
    Initial port, installs version 1.7.92

    6/11/10
    Update to version 1.9.2

    25/4/11
    I’ve set up a temporary Mercurial repository with all versions of the port in the repo to make moving forward easier (I say the repo is temporary as I intend to host my own instance of Mercurial & to push out to git & Bitbucket as well).

    26/4/11
    Update to version 1.9.7

    17/5/11
    Update to version 1.9.8
    With this release, OpenNMS switched to the new JNA Pinger. The JNA Pinger assumes IPv6 is enabled by default & if not doesn’t fail gracefully; this will cause problems if you’re running OpenNMS in a jail, for example, & you’ve not assigned the jail an IPv6 address. You can keep up with the progress of this issue in NMS-4673.
    PRs have been raised to update JICMP, JRRD & iplike to the latest versions in ports, see PR #s 156785 156786 157120

    11/08/11
    Update to version 1.9.90

    17/11/11
    Update to version 1.9.93

    Configuring OpenSolaris with IPv6 connectivity

    May 27th, 2010

    To configure OpenSolaris to use IPv6 NDP (Neighbour Discovery Protocol), create an empty file named using the following convention:
    /etc/hostname6.interface#:#
    the first # being the interface number & the second a user-defined number for a logical interface,
    e.g.
    /etc/hostname6.e1000g0:1

    If you’re having DNS resolution issues, do
    cp /etc/nsswitch.dns /etc/nsswitch.conf

    To configure OpenSolaris to use a static IPv6 address,
    create a file using the same convention as in the NDP step above & inside it add
    addif ipv6address/mask up
    e.g.
    addif 2a01:300:200::1/64 up

    To configure your default IPv6 router on OpenSolaris,
    create a file named /etc/defaultrouter6 & add the router’s IP address inside it.

    The instructions above make the changes persist across reboots; if you’d like to change a running session instead, the “Configuring an IPv6 Network” section of the IP Services Solaris administration guide is a handy reference.
    These instructions should also apply to Solaris, though I haven’t tested it.
    The source of information for this article was the IPv6hostsolaris wiki article.
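Putting the three steps above into a script, as an added example that isn’t from the original post or the wiki article: it writes the hostname6 file for NDP, the addif line for a static address, & /etc/defaultrouter6. CONF_ROOT is an assumed knob of mine so the files can be written under a scratch directory & inspected before touching /etc; the address check only sanity-checks the addr/len shape, it is not a full IPv6 parser.

```shell
#!/bin/sh
# Added example, not from the original post: generate the persistent IPv6
# configuration files described above for OpenSolaris. CONF_ROOT (assumed
# knob, default empty) is prefixed to /etc so the output can be dry-run
# under a scratch directory.
set -eu
CONF_ROOT=${CONF_ROOT:-}

# Path of the hostname6 file for interface $1 and logical unit $2,
# e.g. /etc/hostname6.e1000g0:1
hostname6_path() {
    printf '%s/etc/hostname6.%s:%s\n' "$CONF_ROOT" "$1" "$2"
}

# Accept only "addr/len" where addr is hex digits and colons and len is
# 0..128. A shape check, not a full parser.
valid_ipv6_prefix() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    len=${1##*/}
    case $addr in
        *[!0-9a-fA-F:]*|'') return 1 ;;
    esac
    case $len in
        *[!0-9]*|'') return 1 ;;
    esac
    [ "$len" -ge 0 ] && [ "$len" -le 128 ]
}

# NDP autoconfiguration: an empty hostname6 file is enough.
configure_ndp() {
    path=$(hostname6_path "$1" "$2")
    mkdir -p "$(dirname "$path")"
    : > "$path"
}

# Static address: the same file convention, containing an addif line.
configure_static() {
    valid_ipv6_prefix "$3" || { echo "bad prefix: $3" >&2; return 1; }
    path=$(hostname6_path "$1" "$2")
    mkdir -p "$(dirname "$path")"
    printf 'addif %s up\n' "$3" > "$path"
}

# Default IPv6 router goes into /etc/defaultrouter6.
configure_router() {
    mkdir -p "$CONF_ROOT/etc"
    printf '%s\n' "$1" > "$CONF_ROOT/etc/defaultrouter6"
}

# Usage, e.g. (values are the ones from the post):
#   configure_ndp e1000g0 1
#   configure_static e1000g0 2 2a01:300:200::1/64
#   configure_router 2a01:300:200::fe      # constructed router address
```

Run it with CONF_ROOT set to a scratch directory first, diff the result against /etc, then run it for real; the functions read CONF_ROOT at call time, so one shell session can do both.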

    Running rndc without specifying a port on Mac OS X

    April 11th, 2010

    The stock BIND config on Mac OS X (both client & server versions) is set to listen on TCP port 54 for control commands via rndc(8). The rndc utility, however, doesn’t have a config file, so it defaults to TCP port 953, which means it has to be invoked with -p 54 to work properly. To rectify the issue, create /etc/rndc.conf & add the following to it:
    include "/etc/rndc.key";
    options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 54;
    };
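An added check for the mismatch described above (my own example, not from the original post): it reads the port from the controls statement in named.conf, reads default-port from rndc.conf, & reports whether rndc would still need -p. It assumes the inet statement sits on a single line; the file paths are arguments, & the sample configs in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the port named's
# controls channel listens on with the default-port rndc will use, so you
# can tell whether "rndc status" will work without -p. Assumes the
# "controls { inet ... port N ... }" statement is on one line.
set -eu

# Print the port from "controls { inet <addr> port <N> ... }" in the file
# given, or 953 (BIND's default) when no port is specified.
named_control_port() {
    port=$(sed -n 's/.*inet[[:space:]][^;]*port[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${port:-953}"
}

# Print default-port from rndc.conf, or 953 when the option is absent.
rndc_default_port() {
    port=$(sed -n 's/^[[:space:]]*default-port[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${port:-953}"
}

# Exit status 0 when the two agree, 1 when rndc would have to be run with -p.
ports_match() {
    [ "$(named_control_port "$1")" = "$(rndc_default_port "$2")" ]
}

# Usage on a stock Mac OS X install, e.g.:
#   ports_match /etc/named.conf /etc/rndc.conf || echo "rndc needs -p $(named_control_port /etc/named.conf)"
```

Running it before & after creating /etc/rndc.conf shows the before state (named on 54, rndc defaulting to 953) flip to a match once the default-port line is in place.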

    IPlike port for FreeBSD

    January 5th, 2010

    As part of getting OpenNMS on FreeBSD via ports I’ve created a port for IPLIKE, which is a C implementation of the iplike stored procedure used by OpenNMS.
    You can download a copy of the port here

    If I haven’t heard any bad reports by the end of the week, I will raise a PR to have it added to ports.

    ports/142581 was committed earlier today

    iplike commit message on freshports.org

    The port can be found at databases/iplike, please update your ports

    OpenNMS port for FreeBSD

    January 27th, 2009

    The port is for the current stable version, v1.6.2. It is in its very early stages, there are still some issues which need to be ironed out:

    * The port will install just fine except that it complains about some files listed in the pkg-plist which are not there. They are actually there, but the files named are dynamically generated every time a build is attempted (jetty-webapps & webapps cache files), so this will need to be fixed.

    * As there are issues with these filenames in the pkg-plist, make package fails.

    * A problem with the jicmp dependency: it fails to detect that jicmp is installed & attempts to build & install it no matter what, which obviously fails if it already is.

    All previous issues with the port listed above have been resolved, the port now just needs to be tested before submission for inclusion in ports.

    You can grab the port here

    11/5/09
    Port updated to version 1.6.4, use the link above to fetch a new copy of the port.
    There is an issue with the packing list as it currently doesn’t take into account new files that are created by things such as availability reports, which means that when you come to remove the package some files & empty directories are left behind. This will be solved in the next revision, when I’ll separate the location the data resides in from the binary & config files.

    17/5/09
    Port updated to version 1.6.5, again use the link above to fetch a new copy of the port.
    The issue with the packing list still existed in this version.

    3/8/09
    Updated the packing list so that it now includes some files which I missed before.
    There are issues with the packing list which still need to be resolved.

    5/1/10
    Updated the port to 1.6.8. If you have a previous version of the port installed, back up your opennms directory before doing the upgrade as files will be removed.
    I have been working on separating the config files, logs & rrd data from the libraries & binaries etc. The OpenNMS build mechanism has support for this, allowing one to pass -Dinstall.etc.dir=/confdir/opennms-data/etc -Dopennms.home=/opt/opennms -Dinstall.logs.dir=/var/log to build.sh
    Unfortunately the source code doesn’t; there are 2 major hurdles which need to be overcome before this will work correctly:
    1) some files ignore some of the variables passed to build.sh, the most important one being install.etc.dir, see bug report
    2) source files are hardcoded to look for files/directories under $opennms.home, e.g. the etc directory.
    I have a whole bunch of diffs which I need to go over again as I’ve hit a wall. I would’ve included the patches with this update, but all the diffs manage to do is break things, so I removed them from this version.
    The port now uses openjdk as it doesn’t suffer from the SIGSEGV issue experienced by some, including myself. A workaround if you want to remain with diablo or sunjdk is to disable IPv6 support in the JDK; you will also need to remove the if condition from the OpenNMS port Makefile as well.
    I’ve also created a separate port for iplike here

    18/3/10
    Thanks to David Okeby for updating the port to version 1.6.9 & sharing a link in the comments section below, I’ve mirrored a copy of the port on this site & updated the download link, the original had resource files inside which I’ve removed.

    6/4/10
    Updated to version 1.6.10; as mentioned before, back up your opennms directory before upgrading to prevent data loss.

    9/6/10
    Update to version 1.8.0, the port now requires openjdk 1.6 to run

    1/10/10
    Update to version 1.8.5

    24/04/11
    I’ve set up a temporary mercurial repository with all versions of the port in the repo to make moving forward easier (I say the repo is temporary as I intend to host my own instance of mercurial & to push out to git & bitbucket as well).

    26/4/11
    Update to version 1.8.11

    17/5/11
    Update to version 1.8.12
    PRs have been raised to update JICMP, JRRD & iplike to the latest versions in ports, see PRs 156785, 156786 & 157120.

    11/08/11
    Update to version 1.8.13

    17/11/11
    Update to version 1.8.16

    18/04/12
    Update to version 1.10.1

    USB & Firewire support for NetBSD/cobalt 4.0

    October 15th, 2008

    The GENERIC kernel for NetBSD/cobalt 4.0 does not support USB or Firewire out of the box, so I’ve created a set of patches (sourced from various threads on port-cobalt@) to add support.
    You can grab the patches here
    Once you have built & installed your new kernel, you will need to generate a new MAKEDEV script:
    cd /usr/src/etc
    make MAKEDEV

    & place the new copy of the script in /dev,
    then generate the device files for the newly supported devices by running
    sh MAKEDEV usbs
    I’ve successfully used 5 RS232-to-USB adapters on my Qube2 via a PCI ALi chipset USB & Firewire card on NetBSD 4.0. The relevant dmesg output:
    ohci0 at pci0 dev 10 function 0: Acer Labs M5237 USB 1.1 Host Controller (rev. 0x03)
    ohci0: interrupting at irq 9
    ohci0: OHCI version 1.0, legacy support
    usb0 at ohci0: USB revision 1.0
    uhub0 at usb0
    uhub0: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub0: 2 ports with 2 removable, self powered
    ohci1 at pci0 dev 10 function 1: Acer Labs M5237 USB 1.1 Host Controller (rev. 0x03)
    ohci1: interrupting at irq 9
    ohci1: OHCI version 1.0, legacy support
    usb1 at ohci1: USB revision 1.0
    uhub1 at usb1
    uhub1: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub1: 2 ports with 2 removable, self powered
    ohci2 at pci0 dev 10 function 2: Acer Labs M5237 USB 1.1 Host Controller (rev. 0x03)
    ohci2: interrupting at irq 9
    ohci2: OHCI version 1.0, legacy support
    usb2 at ohci2: USB revision 1.0
    uhub2 at usb2
    uhub2: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub2: 2 ports with 2 removable, self powered
    ehci0 at pci0 dev 10 function 3: Acer Labs M5239 USB 2.0 Host Controller (rev. 0x01)
    ehci0: interrupting at irq 9
    ehci0: BIOS has given up ownership
    ehci0: EHCI version 1.0
    ehci0: companion controllers, 2 ports each: ohci0 ohci1 ohci2
    usb3 at ehci0: USB revision 2.0
    uhub3 at usb3
    uhub3: Acer Labs EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
    uhub3: 6 ports with 6 removable, self powered
    fwohci0 at pci0 dev 10 function 4: Acer Labs product 0x5253 (rev. 0x00)
    fwohci0: interrupting at irq 9
    fwohci0: OHCI version 1.10 (ROM=1)
    fwohci0: No. of Isochronous channels is 4.
    fwohci0: EUI64 00:90:e6:xx:xx:xx:xx:xx
    fwohci0: Phy 1394a available S400, 2 ports.
    fwohci0: Link S400, max_rec 2048 bytes.
    ieee1394if0 at fwohci0: IEEE1394 bus
    fwip0 at ieee1394if0: IP over IEEE1394
    fwohci0: Initiate bus reset

    uplcom0 at uhub4 port 1
    uplcom0: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 3
    ucom0 at uplcom0
    uplcom1 at uhub4 port 2
    uplcom1: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 4
    ucom1 at uplcom1
    uplcom2 at uhub4 port 3
    uplcom2: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 5
    ucom2 at uplcom2
    uplcom3 at uhub4 port 4
    uplcom3: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 6
    ucom3 at uplcom3
    uplcom4 at uhub0 port 2
    uplcom4: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 7
    ucom4 at uplcom4