But that changed a little while ago, so I've decided to write about it and share my insights and gained knowledge about this subject. So this blog post is about implementing an internet facing firewall using FreeBSD IPFW!
If you run a FreeBSD system, you want to run it healthy you want to keep it up to date. A system in this case can be a physical system, a virtual machine or even a jail. And keeping it up to date means not only implementing newer versions of the Operating System and or packages, because of i.e. increased functionality, but also keep track of vulnerabilities of both and patch them when necessary. Thi s is vulnerability management!
But this is not as easy as it sounds! It involves identifying, classifying, prioritizing and mitigating the vulnerabilities, which can be a complex and difficult process!
Software inventory is one of the 20 CIS Controls.
Up to recently I was not doing software inventory (and control) for the SoCruel.NU platform. The platform is (almost) completely based on FreeBSD and all hosts (physical, virtual, laptop) are managed with SaltStack, so it would be nic e if these can be used for this purpose. And it can!
Inventory and control of your IT hardware and software based assets is one of the basic processes you must have in place managing and securing an IT infrastructure properly. Rumble is a network asset discovery tool and as of 2 June 2020 it is also available on FreeBSD!
I was looking for a solution to increase the availability of my public websites. gdnsd is an authoritative-only name server. The initial ‘g’ stands for geographic, as gdnsd offers a plugin system for geographic (or other sorts of) balancing, redirection, and service-state-concious failover.
Ihis post explains how gdnsd is implemented at SoCruel.NU to achieve the availability goals.
A FreeBSD based file server is part of the SoCruel.NU infrastructure for some time now. All the devices accessing the file server have anti-virus software installed and configured. But the file server itself has not. So I decided to install and configure ClamAV on this file server.
Open source solutions to check syslog log messages exist, such as Logcheck or Logwatch. Although these are not to difficult to implement and maintain, I still found these to much. So I went for my own home grown solution to check the syslog messages of the SoCruel.NU central log host. And the solution presented in this blog post works pretty well for me!
syslog-ng is the Swiss army knife of log management. You can collect logs from any source, process them in real time and deliver them to wide range of destinations. It allows you to flexibly collect, parse, classify, rewrite and correlate logs from across your infrastructure. This is why syslog-ng is the perfect solution for the central log host of my (mainly) FreeBSD based infrastructure.
The FreeBSD handbook describes an IPSec VPN tunnel between 2 FreeBSD hosts (see IPSec section). But it is also possible to have multiple, 2 or more, IPSec VPN tunnels created and running on a FreeBSD host.
How to implement and configure this is described in this post.
I wrote an article about capture session data with Argus on FreeBSD for the BSD Mag back in 2012. BSD Mag does not publish new (BSD) magazines anymore, unfortunately. You can find the issue with my article here.
This post summarizes my article and continues with more advanced queries on the captured session data!
Most SoCruel internal web sites are configured with TLS using a private Certificate Authority (CA). These websites are also accessed by local FreeBSD systems. So these systems must have the SoCruel private CA certificate installed. This post explains how to do this on FreeBSD.
So find a summary of my EuroBSDcon 2018 in this post.
How to show the
uptime of a FreeBSD system? When was the last reboot? These questions are answered in this blog post. Sometimes you just want to know for how long your system has been running. FreeBSD provides some tools to get you this info. These are presented in this blog post.
SaltStack is one of the many system and configuration management solutions which is available for FreeBSD. It is used at SoCruel.NU for both implementation and management! The basics of SaltStack on FreeBSD are discussed in this blog post.
The tutorials didn't fit my agenda unfortunately, as they were very interesting (especially the BGP one). But nontheless I went to see 2 full days of nice talks in the city centre of Paris! Here is a summary of the talks I went to see.
One of the main important tasks of a FreeBSD system administrator is keeping the applications running on it up to date. SoCruel.NU uses Nagios to monitor its FreeBSD systems (see also the How to manage a FreeBSD infrastructure blog post).
One of the main important tasks of a FreeBSD system administrator is keeping the FreeBSD systems up to date. SoCruel.NU uses Nagios to monitor its FreeBSD systems (see also the How to manage a FreeBSD infrastructure blog post).
Unbound (and ldns) are part of the FreeBSD for a while now. See the announcement from Dag-Erling Smørgrav. With ldns also came the new DNS lookup tool drill. drill provides the same functionality as dig.
How to use drill is shown in this post wih examples.
One of the first things to take care of in a network is making sure that your infrastructure equipment like servers, routers, etc., run all the same time. The Network Time Protocol was developed for this specific purpose. FreeBSD has several ways of dealing with time and time synchronization. One way is using the OpenNTPD server which is based on requirements which I very much like.
But what if your infrastructure has more than 10 FreeBSD systems? Then things can get more complicated and time consuming if you just stick with the standard tools. I manage more than 20 FreeBSD systems just in my spare time. To keep these systems up and running smoothly and securely I have to be smart and efficient.
The FreeBSD ecosystem has the right tools to do this! And these will be discussed in this post.