Diffstat (limited to 'content/software')
-rw-r--r-- | content/software/OpenBSD_firewall.md | 222 |
-rw-r--r-- | content/software/_index.md | 6 |
-rw-r--r-- | content/software/linux_packaging.md | 5 |
-rw-r--r-- | content/software/luceneanalyzer.md | 5 |
-rw-r--r-- | content/software/minilinux.md | 6 |
-rw-r--r-- | content/software/nagios_plugin_curl.md | 14 |
-rw-r--r-- | content/software/pgfuse.md | 66 |
-rw-r--r-- | content/software/sqlitexx.md | 19 |
8 files changed, 328 insertions, 15 deletions
diff --git a/content/software/OpenBSD_firewall.md b/content/software/OpenBSD_firewall.md new file mode 100644 index 0000000..baa9794 --- /dev/null +++ b/content/software/OpenBSD_firewall.md 
@@ -0,0 +1,222 @@ ++++ +title = "OpenBSD-Firewall" +description = "OpenBSD firewall via scripts" ++++ + +## History + +Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos) +to build corporate-style firewalls with Portwell hardware. + +It ran on a Soekris net6501 for 4 years. + +Newer versions run on a Network LES of Thomas Krenn now. + +I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-) + +And I'm using it at home on an Alix 2D.13. + +## Git + +Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git +or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/. + +## Install + +Check disk geometry of flash with: + + disklabel wd0 + +Adapt disk geometry in hardware/[machine]/flash_params. + +Run 'build.sh [machine] [flash_profile]', e.g. + + build.sh firewall-test firewall-test + +Transfer image to flash: + + dd if=[machine].img of=/dev/wd0c + +or remotely (after booting from floppy dongle or from hard disk): + + dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c" + +## Directory layout + +- build.sh: central build script +- doc: various documentation +- template: common files with variables being substituted and then copied to the image +- config: machine-specific configuration (e.g. pf.conf) +- hardware: flash disk geometry for specific machines + +## News + +14.4.2024: + + updated to OpenBSD 7.5 + +19.10.2023: + + updated to OpenBSD 7.4 + +20.4.2023: + + updated to OpenBSD 7.3 + +22.10.2022: + + updated to OpenBSD 7.2 + +1.5.2022: + + updated to OpenBSD 7.1 + +24.10.2021: + + updated to OpenBSD 7.0 + +3.6.2021: + + updated to OpenBSD 6.9 + +22.10.2020: + + updated to OpenBSD 6.8 + +5.6.2020: + + updated to OpenBSD 6.7 + +20.10.2019: + + updated to OpenBSD 6.6 + +11.05.2019: + + updated to OpenBSD 6.5 + +28.10.2018: + + updated to OpenBSD 6.4 + +06.05.2018: + + moved repository from Github to a local repository. 
+ +15.04.2018: + + updated to OpenBSD 6.3 + +19.10.2017: + + updated to OpenBSD 6.2 + +14.4.2017: + + updated to OpenBSD 6.1 + +18.9.2016: + + updated to OpenBSD 6.0 + +15.7.2016: + + updated to OpenBSD 5.9 + +17.1.2016: + + updated to OpenBSD 5.8 + example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views + +## Roadmap + +- update to new versions of OpenBSD as they come along +- improve update process, preferably an in-situ update via TFTP +- deal with logging + - sensord + - remote syslog +- various playgrounds + - ospf, pfsync, carp + - automatic acme and relayd certificate renewal for HTTPS relaying + +## Other Embedded OpenBSD projects + +Possible small OpenBSD makers (low level): + +- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested +- Flashboot: http://www.mindrot.org/projects/flashboot/ +- Flashrd/Flashdist: + - http://www.nmedia.net/flashrd/rlsnotes.html + - https://github.com/yellowman/flashrd/ + - http://www.nmedia.net/~chris/soekris/: original page which has gone, flashdist is the older version of flashrd. The EIT firewalls where based on early scripts of Chris Cappuccio (early flashdist) +- Bowlfish: + - http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works. 
+ sort of a normal BSD install, not really automatic + seems to be for OpenBSD 4.9, not for 5.x ./install[332]: /usr/mdec/installboot: not found some files in etc missing + - Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/ + +more high-level: + +- http://opensoekris.sourceforge.net/ +- http://compactbsd.sourceforge.net/ + +others: + +- https://andrewmemory.wordpress.com/tag/flashrd/ +- http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html +- http://glozer.net/soekris/cf-install.html +- http://verb.bz/2011/06/12/openbsd-embedded-router/ + +## Hardware + +At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), +some have VGA ports and USBs, others only COMs, so make sure we always +get boot output on COM. + +It ran on a Soekris net6501 for 4 years, then the Soekris died. + +Newer versions run on a Network LES of Thomas Krenn now. + +At home I'm running it on an ALIX.2D13 with 3 LAN ports and a WLAN card. + +## VirtualBox build and test + +Create a VMDK wrapper for the disk image built with 'build.sh firewall-test': + + VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image + +Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox. + +Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then: + + socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0 + +The network devices is 'em0' not 'reX' on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). +Troubleshooting +DMA issues + +If you get something like + + pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21 + +then change the access mode from DMA to PIO x See man wd(4) for the values of flags + + config -e -o /bsd.new /bsd + + UKC> change wd + change (y/n) ? y + channel [-1] ? -1 + flags [0] ? 
0xff0 + UKC> quit + + mv -f /bsd.new /bsd + +## Links to guides and documentation + +- Manpages of OpenBSD +- http://home.nuug.no/~peter/pf/en/long-firewall.html and his "Book of PF". +- limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/ + +## Other projects + +http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI diff --git a/content/software/_index.md b/content/software/_index.md index 040c967..cf5a707 100644 --- a/content/software/_index.md +++ b/content/software/_index.md @@ -11,10 +11,10 @@ title = "Software" ## C -* [pguse](https://github.com/andreasbaumann/pgfuse): a +* [PgFuse](/software/pgfuse): a [FUSE](http://fuse.sourceforge.net) filsystem for the [PostgreSQL](http://www.postgresql.org/) database. -* [cssh](https://github.com/andreasbaumann/cssh): a small parallel SSH +* [cssh](http://git.andreasbaumann.cc/cgit/cssh/): a small parallel SSH client for copying and executing commands to a cluster of machines. ## C++ @@ -30,5 +30,7 @@ title = "Software" ## Administration +* [OpenBSD-firewall](/software/openbsd_firewall): a set of scripts + for building a small OpenBSD firewall appliance * [Nagios libcurl plugin](/software/nagios_plugin_curl): a [Nagios](http://www.nagios.org) plugin replacing check_http diff --git a/content/software/linux_packaging.md b/content/software/linux_packaging.md index 64b182a..805aa2c 100644 --- a/content/software/linux_packaging.md +++ b/content/software/linux_packaging.md 
@@ -20,7 +20,10 @@ I stopped to maintain the CRUX packages. I'm still maintaing some ARCH Linux packages, mainly things I need for personal hacking. -See my [ARCH packages](http://aur.archlinux.org/packages.php?SeB=m&K=andreas_baumann). +See my [ARCH packages](https://aur.archlinux.org/packages?O=0&SeB=M&K=andreas_baumann&outdated=&SB=p&SO=d&PP=50). + +I'm also taking part in the [Archlinux32](https://www.archlinux32.org) project, +an effort to keep 32-bit Intel alive for Archlinux. I'm also trying to play with a [minimalistic Linux](/software/minilinux). A little bit extreme maybe, but given the current CoreOS maybe also not. :-) diff --git a/content/software/luceneanalyzer.md b/content/software/luceneanalyzer.md index 0728969..f59aa28 100644 --- a/content/software/luceneanalyzer.md +++ b/content/software/luceneanalyzer.md @@ -69,6 +69,7 @@ text va902b 9[1] text valueselect 7[1] ``` -A Git repository is accessible at **git://github.com/andreasbaumann/LuceneAnalyzer.git** (or at [https://github.com/andreasbaumann/LuceneAnalyzer/](https://github.com/andreasbaumann/LuceneAnalyzer/)) +A Git repository is accessible at **git://git.andreasbaumann.cc/LuceneAnalyzer.git** (or at +http://git.andreasbaumann.cc/cgit/LuceneAnalyzer/ ) -In case of questions, contact me at <mail at andreasbaumann dot cc>. +In case of questions, contact me via email. diff --git a/content/software/minilinux.md b/content/software/minilinux.md index b89c644..fa8239d 100644 --- a/content/software/minilinux.md +++ b/content/software/minilinux.md 
@@ -32,7 +32,7 @@ qemu -hda minilinux.img [view demo session](/minilinux/minilinux.avi) A Git repository is accessible at -**git://github.com/andreasbaumann/minilinux.git** -(or at [https://github.com/andreasbaumann/minilinux/](https://github.com/andreasbaumann/minilinux/)) +**git://git.andreasbaumann.cc/minilinux.git** +(or at http://git.andreasbaumann.cc/cgit/minilinux/) -In case of questions, contact me at **mail at andreasbaumann dot cc**. +In case of questions, contact me via email. diff --git a/content/software/nagios_plugin_curl.md b/content/software/nagios_plugin_curl.md index 92cbe42..1867b9f 100644 --- a/content/software/nagios_plugin_curl.md +++ b/content/software/nagios_plugin_curl.md @@ -3,11 +3,15 @@ title = "Nagios Curl Plugin" description = "a [Nagios](http://www.nagios.org) plugin replacing check_http" +++ -In my job I'm sometimes the deputy of the system administrator. -Using nagios/zabbix/SNMP for monitoring I needed a decent plugin -for Nagios to do HTTP alive checks. The standard one had some problems +In my job I'm taking care of a monitoring system using nagios. +For monitoring web sites I needed a decent plugin for Nagios to do +HTTP(s) alive checks. The standard 'check_http' plugin had some problems mainly with chunked transfer encoding, thus I hacked a plugin using the excellent [libCurl library](http://curl.haxx.se). -The development area is accessible at: -[https://github.com/andreasbaumann/nagios-plugin-curl](https://github.com/andreasbaumann/nagios-plugin-curl). +Further development goes on as 'check_curl' in +[monitoring-plugins](https://github.com/monitoring-plugins/monitoring-plugins). +If you want help out testing or developing it should happen there. + +An old archived version of the plugin can be found at +http://git.andreasbaumann.cc/cgit/nagios-plugin-curl/. diff --git a/content/software/pgfuse.md b/content/software/pgfuse.md new file mode 100644 index 0000000..3b848bd --- /dev/null +++ b/content/software/pgfuse.md 
@@ -0,0 +1,66 @@ ++++ +title = "PgFuse" +description = "FUSE filesystem for PostgreSQL" ++++ + +## Purpose + +Store files and their metadata completely in a PostgreSQL database. +Expose a standard file system with the help of the FUSE API. + +## Requirements + +- PostgreSQL 8.4 or newer +- FUSE 2.6 or newer + +## History + +Yes, I know what happens if you store files in a database (in respect to +drop of efficiency and incremental backups for instance). :-) + +Nevertheless, there are special situations, where a filesystem in a database +is useful. With FUSE this is also rather simple to write. + +The reason I wrote one was a project with lots of data on a ReiserFS (at +least in 2001, this was), which was more or less immutable and should be +efficiently stored away (almost in an archive mode). Backup is no issue +here (as the files are more or less static after an initial load), +but space efficiency is an issue. + +Most other projects try to map an existing database structure somehow as +files. This here should strictly deal withs files/dirs as the only +available model. + +## Other projects + +### Pgfs: + +Stores a filesystem in Postgres, exposes it as a NFS server, rather old +and I was unable to find the sources. + +### mysqlfs + +The blueprint I used and got inspired from. Does exactly the same for +the MySQL database. + + Also the block splitting algorithm I used more or less from this project. + +### libsqlfs + +The same for storing files in a Sqlite database. + +### curlftpfs + +Blueprint for some debugging code. + +## References + +- http://www.postgresql.org/docs/ +- http://fuse.sourceforge.net/ + +A Git repository is accessible at +**git://git.andreasbaumann.cc/pgfuse.git** +(or at http://git.andreasbaumann.cc/cgit/pgfuse/) + +In case of questions, if you want to supply a patch or if you +want to collaborate on the project contact me via email. diff --git a/content/software/sqlitexx.md b/content/software/sqlitexx.md index 5801ffd..6272359 100644 
--- a/content/software/sqlitexx.md +++ b/content/software/sqlitexx.md @@ -3,7 +3,22 @@ title = "C++ Sqlite interface" description = "a C++ library for [sqlite3](http://www.sqlite.org) following ideas of [libpqxx](http://pqxx.org/)" +++ +### Description + I saw libpqxx some time ago, the defacto standard C++ API for Postgresql and was really impressed. Not finding one for Sqlite I decided to write -one. My efforts are accessible at -[http://wiki.github.com/andreasbaumann/sqlitexx/](http://wiki.github.com/andreasbaumann/sqlitexx/). +one. My efforts are accessible at http://git.andreasbaumann.cc/cgit/sqlitexx/. + +Current state is work-in-progress. Basic functionality is available as: + +- simple connections +- basic transactions +- prepared statements +- result sets +- support for int, double, text types + +My apologies for my C++-style (it’s the first thing I write) and also my apologies to the libpqxx developers if I copied ideas and code from their project.. +Download + +Release 0.0.5 is available at http://www.andreasbaumann.cc/sqlitexx/sqlitexx-0.0.5.tar.gz. + |
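Review bot: in content/software/OpenBSD_firewall.md the image file name is inconsistent between sections: "Install" writes and flashes [machine].img (dd if=[machine].img of=/dev/wd0c), while "VirtualBox build and test" refers to firewall-test.image, so a reader cannot tell which name build.sh actually produces; use one name throughout. In the same section the createrawvmdk command is listed before the step that copies firewall-test.image to the VirtualBox host, so the two steps read out of order. "Troubleshooting" and "DMA issues" are missing heading markers (every other section uses "##"), "PIO x See man wd(4)" has a stray "x" and no full stop, and "writting" and "where based" are typos.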
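Review bot: in content/software/_index.md (hunk at line 11) the cssh link changes from an https:// GitHub URL to http://git.andreasbaumann.cc/cgit/cssh/, so readers now reach the source listing over an unprotected transport; use https:// if the cgit host serves it. The PgFuse entry is being edited anyway, so the "filsystem" typo on its continuation line could be fixed in the same change.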
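Review bot: in content/software/_index.md (hunk at line 30) the new entry links to /software/openbsd_firewall, while the file added by this commit is named OpenBSD_firewall.md; confirm that the site generator lowercases the path, otherwise the link will not resolve. The link text "OpenBSD-firewall" also differs in case from the page title "OpenBSD-Firewall".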
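Review bot: in content/software/linux_packaging.md the new AUR link carries paging and sort parameters (O=0, outdated=, SB=p, SO=d, PP=50) that look like UI defaults rather than part of the maintainer search; a link reduced to the SeB and K parameters would be easier to read and maintain. The context line "I'm still maintaing" has a typo that could be fixed while this paragraph is being touched.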
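Review bot: in content/software/luceneanalyzer.md the new sentence "In case of questions, contact me via email." drops the spelled-out address without saying where the address can be found, so the page no longer tells a reader how to reach the author; link to a contact page or keep an obfuscated address. The new "(or at http://git.andreasbaumann.cc/cgit/LuceneAnalyzer/ )" has a space before the closing parenthesis and is a bare URL where the removed line used a Markdown link.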
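Review bot: in content/software/minilinux.md the repository pointer moves from an https:// GitHub URL to git://git.andreasbaumann.cc/minilinux.git and an http:// cgit URL only, so neither listed way of fetching the code is authenticated or encrypted; add an https:// clone URL if the host provides one. The same holds for the "Git" pointers introduced in OpenBSD_firewall.md, pgfuse.md and luceneanalyzer.md in this commit, where it matters most for the firewall build scripts.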
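Review bot: in content/software/nagios_plugin_curl.md the added sentence "If you want help out testing or developing it should happen there." is missing words and a comma; something like "If you want to help with testing or development, please do so there." reads cleanly. "nagios" in the first new line should be capitalised as in the rest of the page, "HTTP(s)" would be more usual as "HTTP(S)", and the archive link is given as http:// only.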
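Review bot: in content/software/pgfuse.md the "Other projects" section names Pgfs, mysqlfs, libsqlfs and curlftpfs without a single link, although mysqlfs is credited as the blueprint and the source of the block splitting algorithm; add URLs where they exist so the attribution can be followed. The heading "### Pgfs:" carries a trailing colon that the sibling headings do not, and "deal withs files/dirs" has a typo.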
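Review bot: in content/software/sqlitexx.md the release tarball is linked as http://www.andreasbaumann.cc/sqlitexx/sqlitexx-0.0.5.tar.gz with no checksum or signature next to it, so a downloader has no way to verify the archive; serve it over https:// and publish a SHA-256 sum or a detached signature beside the link. "Download" is missing its heading marker (the hunk adds "### Description" just above), and the apology sentence ends in a double full stop ("project..").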