OpnSense & ACME & NSUpdate (bind9 journal problem)

If you need to use the ACME plugin to register a certificate (using nsupdate, RFC 2136), you may be faced with the problem below:

Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: signer "opnsense" approved
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: updating zone 'clucas.fr/IN': adding an RR at '_acme-challenge.cloud-home.clucas.fr' TXT "-_UEEMEIYvUxwoHWhBbdxiSzil62dgNoHCBfZJCzIiE"
Nov  6 07:58:24 Sagitarius named[121]: /etc/bind/clucas.fr.zone.jnl: create: permission denied
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: updating zone 'clucas.fr/IN': error: journal open failed: unexpected error

You can try to ‘touch’ this file, here “clucas.fr.zone.jnl”. Even if you change the owner and the permissions (even 777), you will not be able to make it work. This time you will be faced with:

Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: signer "opnsense" approved
Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: updating zone 'clucas.fr/IN': adding an RR at '_acme-challenge.cloud-home.clucas.fr' TXT "eOTvsiOSI0I0eenYb2hfiD0KAAf2kXSPZjDo_5IY1yQ"
Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: updating zone 'clucas.fr/IN': error: journal open failed: no more

I have read a lot of blog posts, Reddit posts, and so on. The only solution I found is to change the directory of the journal file by means of:

include "/etc/bind/keys/opnsense.key";
[...]
zone "clucas.fr" {
       type master;
       file "/etc/bind/clucas.fr.zone";
       journal "/var/lib/bind/clucas.fr.jnl";
       also-notify { 217.169.242.186 port 53; 51.222.24.32 port 53; };
       allow-transfer { 217.169.242.186; 51.222.24.32;};
       notify yes;
       allow-update {
              key "opnsense";
       };
};
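As an added example (my code, not part of the original post), a small audit parser over the named log lines quoted above: it groups each client context into one record showing which TSIG key signed the update, which RRs it tried to add to which zone, and whether the update died on the journal. The sample lines are copied from the post; the regular expressions assume named's update log format exactly as it appears there.

```python
import re

# Constructed sample: the named log lines quoted above, as syslog writes them.
SAMPLE_LOG = """\
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: signer "opnsense" approved
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: updating zone 'clucas.fr/IN': adding an RR at '_acme-challenge.cloud-home.clucas.fr' TXT "-_UEEMEIYvUxwoHWhBbdxiSzil62dgNoHCBfZJCzIiE"
Nov  6 07:58:24 Sagitarius named[121]: /etc/bind/clucas.fr.zone.jnl: create: permission denied
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: updating zone 'clucas.fr/IN': error: journal open failed: unexpected error
"""

# One client context (@0x...) is one dynamic-update request; all it does is logged with it.
CLIENT = re.compile(r"named\[\d+\]: client @(?P<ctx>0x[0-9a-f]+) (?P<ip>[\d.]+)#(?P<port>\d+)/key (?P<key>\S+): (?P<msg>.*)")
SIGNER = re.compile(r'signer "(?P<signer>[^"]+)" approved')
ADD = re.compile(r"updating zone '(?P<zone>[^']+)': adding an RR at '(?P<name>[^']+)' (?P<type>\S+) (?P<data>.*)")
ERR = re.compile(r"updating zone '(?P<zone>[^']+)': error: (?P<error>.*)")
# Journal failures are logged without a client prefix, just before the client's error line.
JOURNAL = re.compile(r"named\[\d+\]: (?P<path>\S+\.jnl): (?P<error>.*)")

def audit_updates(log_text):
    """Return one record per dynamic-update request: client, key, RRs and outcome."""
    records = {}          # ctx -> record, in order of first appearance
    last_journal = None   # most recent journal failure not yet tied to a client
    for line in log_text.splitlines():
        j = JOURNAL.search(line)
        if j:
            last_journal = f"{j['path']}: {j['error']}"
            continue
        m = CLIENT.search(line)
        if not m:
            continue
        rec = records.setdefault(m["ctx"], {
            "client": f"{m['ip']}#{m['port']}", "key": m["key"], "signer_approved": False,
            "zone": None, "rrs": [], "status": "no error logged", "journal": None})
        msg = m["msg"]
        if SIGNER.match(msg):
            rec["signer_approved"] = True
        elif (a := ADD.match(msg)):
            rec["zone"] = a["zone"]
            rec["rrs"].append((a["name"], a["type"], a["data"]))
        elif (e := ERR.match(msg)):
            rec["status"] = "failed: " + e["error"]
            if e["error"].startswith("journal open failed") and last_journal:
                rec["journal"], last_journal = last_journal, None
    return list(records.values())

def advice(rec):
    """The failure seen in the post and its fix: named must be able to create the journal."""
    if rec["journal"] and "permission denied" in rec["journal"]:
        return "set the zone's 'journal' option to a directory named can write to (the post uses /var/lib/bind)"
    return rec["status"]
```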

From the OpnSense point of view you will have something like this:

  1. A Let’s Encrypt account in my case ;
  2. A challenge type : configured to use NSUPDATE ;
  3. A certificate generated by using the two above ;

In my case, even though, as you have probably seen, I have a bind9 master that notifies two bind9 slave servers, I have configured a 5 minute (300 second) sleep time to be sure DNS propagation is OK.

When you (re)issue the certificate you will normally see this:

Proxmox and replacing disk in ZFS pool

For once this blog post will not be about telecom and Cisco/Juniper/Nokia or the like.

Just a note to remember how to replace a faulty device in a ZFS pool.

I have:

root@pve:~# zpool status -x
root@pve:~#  zpool status
  pool: pve-zfs
 state: DEGRADED
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using 'zpool replace'.
   see: http://zfsonlinux.org/msg/ZFS-8000-4J
  scan: resilvered 41.9M in 0 days 00:00:11 with 0 errors on Sun Jul 24 13:38:51 2022
config:

        NAME                        STATE     READ WRITE CKSUM
        pve-zfs                     DEGRADED     0     0     0
          mirror-0                  DEGRADED     0     0     0
            wwn-0x50014ee267b78b52  ONLINE       0     0     0
            2534239155907356895     FAULTED      0     0     0  was /dev/sdb1
          mirror-1                  ONLINE       0     0     0
            wwn-0x50014ee267b63342  ONLINE       0     0     0
            wwn-0x50014ee2bd0cf6b4  ONLINE       0     0     0

errors: No known data errors

But how to replace this faulty device when all the howtos on the net talk about replacing/offlining the old disk first… In my situation I have made an RMA on the disk and do not want to take the faulty device offline.

Nevertheless, I have replaced my 2TB disk with a new one, such as:
But when I ran:

root@pve:~# zpool replace pve-zfs   2534239155907356895  ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M1EUJ8KN
invalid vdev specification
use '-f' to override the following errors:
/dev/disk/by-id/ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M1EUJ8KN-part1 contains a filesystem of type 'ntfs'

After a quick apt-get install parted:

root@pve:~# parted /dev/sda
GNU Parted 3.2
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print                                                            
Model: ATA WDC WD20EFRX-68E (scsi)
Disk /dev/sda: 2000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  2000GB  2000GB  primary  ntfs

(parted) rm 1                                                             
(parted) print                                                            
Model: ATA WDC WD20EFRX-68E (scsi)
Disk /dev/sda: 2000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags: 

Number  Start  End  Size  Type  File system  Flags

(parted) mklabel GPT                                                      
Warning: The existing disk label on /dev/sda will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? Yes                                                               
(parted) q                                                                
Information: You may need to update /etc/fstab.

root@pve:~#

So:

root@pve:~# zpool replace pve-zfs   2534239155907356895  ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M1EUJ8KN
root@pve:~# zpool status -x
  pool: pve-zfs
 state: DEGRADED
status: One or more devices is currently being resilvered.  The pool will
        continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Sun Jul 24 14:23:11 2022
        10.5G scanned at 716M/s, 4.04G issued at 276M/s, 450G total
        0B resilvered, 0.90% done, 0 days 00:27:37 to go
config:

        NAME                                            STATE     READ WRITE CKSUM
        pve-zfs                                         DEGRADED     0     0     0
          mirror-0                                      DEGRADED     0     0     0
            wwn-0x50014ee267b78b52                      ONLINE       0     0     0
            replacing-1                                 DEGRADED     0     0     0
              2534239155907356895                       FAULTED      0     0     0  was /dev/sdb1
              ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M1EUJ8KN  ONLINE       0     0     0
          mirror-1                                      ONLINE       0     0     0
            wwn-0x50014ee267b63342                      ONLINE       0     0     0
            wwn-0x50014ee2bd0cf6b4                      ONLINE       0     0     0

errors: No known data errors
root@pve:~#

How I got the new device name:

root@pve:~# ls -l /dev/disk/by-id | grep J8KN
lrwxrwxrwx 1 root root  9 Jul 24 14:23 ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M1EUJ8KN -> ../../sda
lrwxrwxrwx 1 root root 10 Jul 24 14:23 ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M1EUJ8KN-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Jul 24 14:23 ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M1EUJ8KN-part9 -> ../../sda9
root@pve:~# 

where “J8KN” is a fragment of the serial number you can read on the new disk's label.
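As an added example that is not part of the original post: resolving the serial fragment read off the new disk to its whole-disk /dev/disk/by-id name (skipping the -partN links and refusing ambiguous matches), then building the wipe-then-replace command sequence so the leftover ntfs label is cleared explicitly instead of being forced through with -f. Using util-linux wipefs for the wipe and defaulting to a dry run are my assumptions, not the post's.

```python
import os
import re
import subprocess

BY_ID = "/dev/disk/by-id"
PART_LINK = re.compile(r"-part\d+$")

def whole_disk_id(serial_fragment, by_id_dir=BY_ID):
    """Map a serial fragment (like 'J8KN' from the disk label) to the whole-disk by-id name.
    Partition links are skipped; several links to the same device are fine, links to
    different devices make the fragment ambiguous and raise."""
    hits = {}
    for name in os.listdir(by_id_dir):
        if serial_fragment in name and not PART_LINK.search(name):
            hits[name] = os.path.realpath(os.path.join(by_id_dir, name))
    if not hits:
        raise LookupError(f"no by-id entry contains {serial_fragment!r}")
    if len(set(hits.values())) > 1:
        raise LookupError(f"{serial_fragment!r} matches several disks: {sorted(hits)}")
    return sorted(hits)[0]

def partition_ids(disk_id, by_id_dir=BY_ID):
    """by-id names of the partitions currently on that disk (the stale ntfs one, for example)."""
    return sorted(n for n in os.listdir(by_id_dir) if n.startswith(disk_id + "-part"))

def replace_plan(pool, old_vdev, new_id, by_id_dir=BY_ID):
    """Commands, in order: wipe filesystem and partition-table signatures from every existing
    partition and then from the disk itself (assumption: wipefs is installed), then zpool
    replace by the stable by-id name. No -f: if zpool still objects, something is left over."""
    cmds = []
    for part in partition_ids(new_id, by_id_dir):
        cmds.append(["wipefs", "--all", os.path.join(by_id_dir, part)])
    cmds.append(["wipefs", "--all", os.path.join(by_id_dir, new_id)])
    cmds.append(["zpool", "replace", pool, old_vdev, new_id])
    return cmds

def run_plan(cmds, dry_run=True):
    """Print the plan; only execute it when explicitly asked (root required)."""
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)

if __name__ == "__main__":
    new = whole_disk_id("J8KN")
    run_plan(replace_plan("pve-zfs", "2534239155907356895", new))
```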

Bind9 as master DNS server, NSD as backup with TSIG.

Perhaps it seems easy to you, but it was not for me at the beginning, even though I am already running a bind9 master / bind9 slave setup.

We will begin with the TSIG key, on your master DNS server:

root@Sagitarius:~# tsig-keygen mykey > /etc/bind/keys/mykey.key
root@Sagitarius:~# cat /etc/bind/keys/mykey.key
key "mykey" {
        algorithm hmac-sha256;
        secret "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk=";
};
root@Sagitarius:~# 

Now we will configure this in my “named.conf.local” file as follows:

root@Sagitarius:/etc/bind# cat named.conf.local 
[...]
// Specify the key to use and its algorithm
include "/etc/bind/keys/mykey.key";

// Specify the IP address of the slave server
server 192.168.1.81
{
        keys { mykey; };
};
[...]
zone "my-blah-zone.fr" {
       type master;
       file "/etc/bind/my-blah-zone.fr.zone";
       allow-transfer { 192.168.1.81; key mykey; };
       notify yes;
};
[...]

OK, last command:

root@Sagitarius:~# rndc reload
root@Sagitarius:~#

OK, good. Now let’s see how it is configured on the NSD host. It’s really easy:

clucas@slave:/etc/nsd$ cat /etc/nsd/nsd.conf.d/secondaries/my-blah-zone.fr.conf 
key:
  name: "mykey"
  algorithm: hmac-sha256
  secret: "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk="


zone:
        # this server is secondary,  is master.
        name: my-blah-zone.fr
        allow-notify: 192.168.1.43 mykey
        request-xfr:  192.168.1.43 mykey

Now:

nsd-checkconf /etc/nsd/nsd.conf
nsd-control reload
nsd-control status

It seems easy, but it took me a long time to see that all the items below must be identical:

  • name of the key
  • algorithm
  • secret

Easy as hell !
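An added example (my code, not from the post) that checks those three items mechanically: it parses the bind9 key statement and the NSD key: block and reports every field that differs, and also checks that the secret decodes from base64 to at least the digest length of the algorithm. The sample fragments are the ones from the post; the digest-length table is my assumption about what tsig-keygen generates per algorithm.

```python
import base64
import re

# Constructed samples: the key statement and the NSD key: block from the post.
BIND_KEY = '''key "mykey" {
        algorithm hmac-sha256;
        secret "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk=";
};'''
NSD_KEY = '''key:
  name: "mykey"
  algorithm: hmac-sha256
  secret: "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk="'''
# HMAC digest length per algorithm; tsig-keygen generates secrets of this size.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}

def parse_bind_key(text):
    """named.conf style: key "name" { algorithm X; secret "Y"; };"""
    m = re.search(r'key\s+"([^"]+)"\s*\{(.*?)\};', text, re.S)
    alg = m and re.search(r"algorithm\s+([\w-]+)\s*;", m.group(2))
    sec = m and re.search(r'secret\s+"([^"]+)"\s*;', m.group(2))
    if not (m and alg and sec):
        raise ValueError("no complete key statement found")
    return {"name": m.group(1), "algorithm": alg.group(1).lower(), "secret": sec.group(1)}

def parse_nsd_key(text):
    """nsd.conf style: a key: block with indented name:/algorithm:/secret: lines."""
    block = re.search(r"^key:\s*\n((?:[ \t]+\S.*\n?)+)", text, re.M)
    if not block:
        raise ValueError("no key: block found")
    fields = dict(re.findall(r'^\s*(name|algorithm|secret):\s*"?([^"\n]*?)"?\s*$', block.group(1), re.M))
    if fields.keys() != {"name", "algorithm", "secret"}:
        raise ValueError(f"key: block has only {sorted(fields)}")
    fields["algorithm"] = fields["algorithm"].lower()
    return fields

def check_tsig(bind_text, nsd_text):
    """Every reason the AXFR would fail to authenticate; an empty list means the pair is consistent."""
    b, n = parse_bind_key(bind_text), parse_nsd_key(nsd_text)
    problems = [f"{k} differs: bind9={b[k]!r} nsd={n[k]!r}"
                for k in ("name", "algorithm", "secret") if b[k] != n[k]]
    try:
        raw = base64.b64decode(b["secret"], validate=True)
    except ValueError:
        return problems + ["bind9 secret is not valid base64"]
    want = DIGEST_BYTES.get(b["algorithm"])
    if want is None:
        problems.append(f"unknown algorithm {b['algorithm']!r}")
    elif len(raw) < want:
        problems.append(f"secret is {len(raw)} bytes, shorter than the {want}-byte {b['algorithm']} digest")
    return problems
```

Note that `allow-transfer { 192.168.1.81; key mykey; };` in the post is an address-match list, so either element alone is enough: a transfer from 192.168.1.81 is accepted without the key, and the key is accepted from any address.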

PS : All this can be controlled by Ansible, but it is another story.

FreeBSD, xrdp and Lumina-desktop

Hey girls and guys,

A little post to give you some news about my failures and attempts with FreeBSD. I tried to install a small FreeBSD 13, xrdp and Lumina desktop on my Proxmox, just to test.

As for the other things I have installed:

pkg install xrdp lumina

It was so easy and quick …

FRR Routing v8.0 is out and happy to see SR

Hey,

For a (perhaps) future project I read various documentation about Bird, FRR Routing, … and I am really happy to see in FRR Routing v8.0 the new ‘pathd‘ daemon, which implements SR (Segment Routing). It is really cool to see this.

There are other new features implemented in this release which are major IMHO.

  • TI-LFA for OSPF and IS-IS (great too for SR) ;
  • VRF for OSPFv3 ;
  • EVPN full-implementation.

It is really great work !!!

More information there : https://frrouting.org/release/8.0/

See you soon 🙂

FreeBSD and fail2ban

Hey,

To continue configuring my FreeBSD server, I install my traditional package: “fail2ban”. On a Linux distro, apt install fail2ban is enough.

Not now 😀

You must add:

root@pluton:/usr/local/etc/fail2ban/jail.d# cat ssh-ipfw.local 
[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
findtime = 600
maxretry = 3
bantime = 3600
root@pluton:/usr/local/etc/fail2ban/jail.d#

And edit the action file so that “localhost” is your public IP:

root@pluton:/usr/local/etc/fail2ban/action.d# cat ipfw.conf 
# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Cyril Jaquier
#
#
[...]
# Option:  localhost
# Notes.:  the local IP address of the network interface
# Values:  IP
#
localhost = <YOUR_PUBLIC_IP_ADDRESS>


# Option:  blocktype
# Notes.:  How to block the traffic. Use a action from man 5 ipfw
#          Common values: deny, unreach port, reset
# Values:  STRING
#
blocktype = unreach port
root@pluton:/usr/local/etc/fail2ban/action.d# 

Blog, bsd, apache2, certbot and fun

It was a long time ago that I last used a FreeBSD system. I was really impressed by how much it has evolved. It is easy to add packages thanks to the “pkg” tool and “portsnap”.

After:

pkg install apache24 mysql57-server mod_php73 php73-mysqli php73-xml php73-hash php73-gd php73-curl php73-tokenizer php73-zlib php73-zip

I got a really fast install of an HTTP server, as I would with “apt-get”.

I needed to load some modules by editing /usr/local/etc/apache24/httpd.conf, such as:

[...]
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule php7_module libexec/apache24/libphp7.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
[...]

Some more work with certbot for Let’s Encrypt SSL certificates:

root@ns326804:/usr/ports/security/py-certbot # make install clean
root@ns326804:/usr/ports/security/py-certbot-apache # make install clean
root@ns326804:/usr/ports/security/py-certbot # rehash

I can now install my SSL certificates with:

certbot --apache -d clucas.fr
certbot install --cert-name www.clucas.fr
certbot install --cert-name blog.clucas.fr

I moved my SQL data to my fresh FreeBSD install and tried to access my blog (it uses WordPress)… It was a FAIL. It lacked some PHP modules:

pkg install php73-json php73-filter php73-ctype

These were some tips. I have not listed all the tasks I did, only the ones I think can give you some information. By the way, I was really pleased to move some of my content onto this freshly installed FreeBSD server. Lots of fun doing this.

And Voilà you can read this blog’s post now 🙂


July 15, 2021 01:35pm :

Update: don’t forget to add AllowOverride on your data directory so that mod_rewrite can do its job correctly, such as:

    <Directory "/usr/local/www/apache24/data/blog.clucas.fr">
        AllowOverride All
    </Directory>

Long long time ago, blog and FreeBSD…

It has been a long, long time since I wrote here. A lot of things have happened to me, but I don’t think this is the time and place to explain them.

This post is about a new experience for me: hosting this blog on a FreeBSD machine. I am in love with BSD but don’t use it every day. Networking & telco is not a professional area where you can use it, or where your employer allows you to use it. Damn Windows, Teams, … and their hegemony.

I will move this blog from a Debian to a FreeBSD server. I think it will be a lot of fun. If I have FreeBSD tips or remarks I will post them here. By the way, I am currently studying for Cisco’s CCNP SPCOR (350-501) exam. I will also try to give myself a kick in the ass to post more technical posts.

Have fun 🙂

bwping patch (catching signals)

diff -urpN bwping/bwping.c bwping-patched/bwping.c
--- bwping/bwping.c     2012-10-11 19:23:17.000000000 +0200
+++ bwping-patched/bwping.c     2017-04-20 09:06:23.449540033 +0200
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #ifdef __CYGWIN__
 #include "cygwin.h"
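Review bot: the added `#include` line carries no header name in this listing (the existing includes above it lost theirs the same way), so the intent of the hunk is not visible here; what the new code below needs is <signal.h> for signal(), SIGUSR1 and SIG_ERR, and <stdlib.h> for exit(), so it is worth confirming the patch file itself names those.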
@@ -224,21 +225,39 @@ static int recv_ping (int sock, int iden
         return 0;
     }
 }
+unsigned int   transmitted_number, received_number;
+unsigned long  int received_volume;
+struct timeval begin, end;
+
+void sig_handler(int signo)
+{
+       if (signo == SIGUSR1) {
+                printf("Total: pkts sent/rcvd: %u/%u, volume rcvd: %lu bytes, time: %d sec, speed: %lu kbps, rtt min/max/average: %llu/%llu/%llu ms\n",
+                               transmitted_number, received_number, received_volume, (int)(end.tv_sec - begin.tv_sec),
+                               end.tv_sec - begin.tv_sec?((received_volume / (end.tv_sec - begin.tv_sec)) * 8) / 1000:(received_volume * 8) / 1000,
+                               min_rtt==DEF_MIN_RTT?0:min_rtt, max_rtt, average_rtt);
+               exit(255);
+       }
+}
 
 int main (int argc, char **argv)
 {
     int                    sock, exitval, ch, ident, finish, pktburst, i, n;
-    unsigned int           bufsize, tos, transmitted_number, received_number;
-    unsigned long int      kbps, pktsize, volume, rperiod, received_volume;
+    unsigned int           bufsize, tos;
+    unsigned long int      kbps, pktsize, volume, rperiod;
     unsigned long long int min_interval, interval, current_interval, integral_error;
     char                   *ep, *bind_addr, *target;
     fd_set                 fds;
     struct sockaddr_in     bind_to, to;
     struct hostent         *hp;
-    struct timeval         begin, end, report, start, now, seltimeout;
+    struct timeval         report, start, now, seltimeout;
 
     sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 
+       if (signal(SIGUSR1, sig_handler) == SIG_ERR)
+               printf("\ncan't catch SIGUSR1\n");
+
+
     if (sock==-1) {
         perror("bwping: socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) failed");
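Review bot: sig_handler reads `end`, but `end` is only filled in when the run finishes, so a SIGUSR1 delivered mid-run works from the zero-initialised global: `(int)(end.tv_sec - begin.tv_sec)` comes out negative and the kbps expression divides by that negative value, so the "Total:" line is wrong exactly when the signal is meant to be useful. Either call `gettimeofday(&end, NULL);` at the top of the handler, or better, have the handler only set a `volatile sig_atomic_t` flag and let the main loop do the printf() and exit(), since neither is async-signal-safe. Two smaller points: min_rtt, max_rtt and average_rtt are used in the handler but not declared in this hunk, so the patch only builds if they are already file-scope; and the added lines are tab-indented where the surrounding code uses four spaces.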

Download : patch-bwping-sig.diff