Sunday, 30 December 2007

OpenBSD and readonly FileSystems v1.1

This is my experience in transforming an OpenBSD firewall into a machine with all filesystems mounted read-only, so that after a power failure the machine comes back up at the next boot ready to serve your LAN, without errors about filesystem integrity, just like a commercial modem or firewall.

It's possible to use a Compact Flash drive instead of a hard disk!

The machine will use a memory filesystem for all the read/write activities.

Before starting, you need the bsd.rd ramdisk kernel file on the disk. When you are ready, reboot.

The first step is to boot with the ramdisk. So:

boot wd0a:/bsd.rd

When the kernel is loaded and asks you what to do, press S to run the shell.

Now you need to mount all the BSD partitions of the system under /mnt. For example, my machine has only / and /usr, so I run:

mount /dev/wd0a /mnt
mount /dev/wd0d /mnt/usr

Now, we chroot in the real / with:

/mnt/usr/sbin/chroot /mnt

and export some shell variables so the system can be used correctly:

export TERM=vt220
export HOME=/

Now we can start modifying /etc/fstab:

vi /etc/fstab

The first thing to do is add the line:

swap /mfs mfs rw,nosuid,noatime,-P=/skel,-s=XXX 0 0

and switch all the BSD partitions to read-only (ro).

For example, this is my fstab:

/dev/wd0a / ffs ro,softdep 1 1
swap /mfs mfs rw,nosuid,-P=/skel,-s=102400 0 0
/dev/wd0d /usr ffs ro,nodev,softdep 1 2

The -s=XXX value is the number of 512-byte blocks that the memory filesystem should contain. In my fstab, ((102400 * 512)/1024)/1024 = 50 MB.

Now we have to make the directory that will live in RAM. I chose the /mfs directory. You can use whatever you like, but remember to update fstab and change all the links accordingly!

mkdir /mfs

In fstab we have specified (-P=/skel) that the contents of the /skel directory must be copied into /mfs at boot. So, from now on, all the files that need to be writable will be stored under /skel. Start with:

mkdir /skel
mkdir /skel/dev

The first step is to move all the ptyp* and ttyp* files from /dev to /skel/dev.

This is needed because, when we use ssh to access the machine remotely, the system must change the owner and permissions of these files. Putting them in the /mfs/dev directory, which is in RAM (and is read/write), and making a symbolic link to each of them solves the problem.

mv /dev/ptyp* /dev/ttyp* /skel/dev/

Now we can create the right links, but first we make a temporary symbolic link to the real path:

cd /mfs
ln -s /skel/dev/ .

And then:

cd /dev/
for i in /mfs/dev/* ; do ln -s $i . ; done

Now we can delete the /mfs/dev link:

rm -rf /mfs/dev

Now that the devices are OK, we must move the /root directory:

mv /root /skel/
cd /
ln -s /mfs/root .

The /tmp directory will be on a read-only filesystem, so we can't use it. We have to make another tmp directory in /skel, called tmp2, and make a symlink. The name tmp2 is chosen because /var also contains a tmp directory; we need both, so one must have a different name.

mv /tmp /skel/tmp2
ln -s /mfs/tmp2 /tmp

Move these directories into /skel:

/var/backups
/var/cron
/var/db
/var/empty
/var/log
/var/mail
/var/msgs
/var/named
/var/run
/var/spool
/var/tmp

and make a symlink in /var for each one:

ln -s /mfs/backups /var
ln -s /mfs/cron /var
ln -s /mfs/db /var
ln -s /mfs/empty /var
...
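The move-and-symlink steps for /root, /tmp and the /var directories above all follow one pattern. Here is an added POSIX sh helper (my example, not part of the original post) that performs it for one directory and refuses to run twice on the same path; it assumes the post's /skel and /mfs layout, and the optional root/skel/mfs arguments exist only so it can be tried on a scratch tree first.

```shell
#!/bin/sh
# Added example: move a read/write directory into the /skel template and
# replace it with a symlink into the memory filesystem, as the post does
# by hand for /root, /tmp and the /var subdirectories.
#
# Usage: relocate <dir> <name-under-skel> [root] [skel] [mfs]
# With no optional arguments it uses the post's layout: skel=/skel, mfs=/mfs.
relocate() {
    dir=$1; name=$2
    root=${3:-}; skel=${4:-/skel}; mfs=${5:-/mfs}
    src="${root}${dir}"
    dest="$skel/$name"
    # Already converted? Leave it alone so the script can be re-run safely.
    if [ -L "$src" ]; then
        echo "skip: $src is already a symlink" >&2
        return 0
    fi
    if [ ! -d "$src" ]; then
        echo "error: $src is not a directory" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "error: $dest already exists in the skeleton" >&2
        return 1
    fi
    mkdir -p "$skel"
    mv "$src" "$dest"
    # The link points into the RAM copy (/mfs), not into /skel: /skel is only
    # the template that the -P=/skel mount option copies into /mfs at boot.
    ln -s "$mfs/$name" "$src"
}

# Convert the directories the post lists. Only runs when invoked as
#   sh relocate.sh --apply
# inside the chroot, so that sourcing the file never touches the live system.
if [ "${1:-}" = "--apply" ]; then
    relocate /root root || exit 1
    relocate /tmp tmp2 || exit 1          # tmp2: /var/tmp keeps the name tmp
    for d in backups cron db empty log mail msgs named run spool tmp; do
        relocate "/var/$d" "$d" || exit 1
    done
fi
```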

Now the system is complete and ready to serve you.

One last note: if you plan to access the system from the keyboard, comment out all the lines in /etc/fbtab, or you will get annoying errors every time you log in (the system tries to change the owner and permissions of the keyboard device, but that file is on a read-only filesystem).

Sunday, 2 September 2007

Fonera+ impressions

I'm a FON beta tester and some days ago I received the new Fonera+ to test. These are my impressions.

The new Fonera+ model number is FON2201. This version has replaced the old "Movimiento FON" logo with a cleaner "FON spot" one.

The new model is bigger than the previous Fonera, as you can see:

FON engineers included new things on the board: an internal antenna (bottom left), another ethernet port (the black one) and a new LED.

I looked for the serial console on the new Fonera+ board, and I found only 4 pins... I tried to connect my serial adapter and I got this output:

+Ethernet eth0: MAC address XX:XX:XX:XX:XX:XX
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.254

RedBoot(tm) bootstrap and debug environment [ROMRAM]
OpenWrt certified release, version 1.1 - built 22:32:28, May  7 2007

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: FON 2201
RAM: 0x80000000-0x81000000, [0x80040290-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 2.000 seconds - enter ^C to abort
RedBoot> fis load -b 0x80100000 loader
RedBoot>  go 0x80100000
Failsafe loader v0.2

Looking for board config data... found at offset 0xa87f0000
Reset button GPIO: 6
Reading flash from 0xa8040000 to 0xa825b989... done.
Verifying CRC... OK - 0xa7a3c6df
Uncompressing Linux... Ok, booting the kernel.
[sighandler]: No more events to be processed, quitting.
[cleanup]: Waiting for children.
[cleanup]: All children terminated.
Unlocking rootfs ...
Could not open mtd device: rootfs
switching to jffs2
init started:  BusyBox v1.4.1 (2007-06-08 12:11:45 UTC) multi-call binary
: ifconfig: SIOCSIFADDR: No such device

: ifconfig: SIOCSIFADDR: No such device

: udhcpc (v1.4.1) started

: Sending discover...

: Sending select for 192.168.0.2...

: Lease of 192.168.0.2 obtained, lease time 43200

: deleting routers

: adding router 192.168.0.1

: adding dns 192.168.0.1

: udhcpc (v1.4.1) started

: Sending discover...

: Sending select for 192.168.0.2...

: Lease of 192.168.0.2 obtained, lease time 43200

: deleting routers

: adding router 192.168.0.1

: adding dns 192.168.0.1

: runlevel -> 1

: enqueued

: killall: watch_chilli: no process killed

: ERROR: chillispot is not running

: fonsmcd successfully started

: 36524 00146.187  164591.0     61.0  242031896628819.0  72097.8         0

: 56 15 * * * /bin/thinclient cron

: 51 15 * * * ntpclient -s -h ntp-1.cso.uiuc.edu

There isn't a "Press enter to activate this console" prompt like on the previous model.
I think FON decided to use the serial console only for getting output from the device, to prevent people from easily manipulating the Fonera+.

The firmware revision of this Fonera+ is 1.1.0 r2. As with the new Fonera firmware version, it is not possible to specify a custom DNS in the configuration.

The only way to use a local DNS, or a custom one, is to modify the filtering rules of the gateway to which the Fonera+ is attached.
At home I have an OpenBSD gateway that also serves as a DNS caching server.
I succeeded in using my DNS server with this filtering rule on the gateway: "all traffic that comes from the Fonera+ and is directed to any machine on port domain has to be redirected to my DNS server":

rdr on $int_if proto { tcp, udp } from $fonera to any port domain -> \
        ($int_if) port domain

I think it is still possible to use the Kolofonium hack, redirecting all DNS queries from the Fonera to the right DNS server.... I haven't tried it and I'm not interested in it.

I noticed that the Fonera+ still NATs all traffic. From the gateway's perspective, both the private and the public traffic come from the Fonera+ IP. I would have liked to see the Fonera+ bridge the private network with the network it is attached to, and NAT only the public one... but I think this function will never be implemented in the official firmware.

That's all folks!

Wednesday, 1 August 2007

Linux Fax Server

Post currently being edited...

Recently I found myself helping a friend build a Linux box that had to act as a fax server with an internal PCI modem.

The base software configuration was: Linux CentOS + HylaFAX

I must say that installing HylaFAX was not that hard. The toughest part was understanding how the configuration was managed and how to configure the internal PCI modem.

For various reasons the internal PCI modem chosen was a model with a Conexant chipset. We were forced to buy the Linux driver, for about $20, to be able to use it as a fax.

At the end of the HylaFAX installation it was necessary to run the "faxsetup" command, which asked a few questions about some aspects of the server and created all the necessary directories and files. At the end it asked whether you wanted to configure the modem.

If you answered "yes", the automatic modem configuration procedure started; otherwise the same result could be obtained manually by running the "faxaddmodem" command.

Once all the configuration was finished, two files were created in "/etc/hylafax/etc/": "config.$nome" and "FIFO.$nome", where $nome is the device name, e.g. config.modem

It is possible to edit the config.$nome file manually to change some options.

I recommend not running "faxaddmodem" again!!!

Having done this, it is advisable to use faxgetty to configure the modem automatically. Open /etc/inittab and add the line: t2:23:respawn:/usr/local/sbin/faxgetty nome_device (where nome_device is the device name).

Now the server is ready to send faxes. If you do not want to receive faxes, set RingsBeforeAnswer to 0 in the modem configuration.