Архивы: freebsd

Установка StrongSwan на FreeBSD c максимальной совместимостью IKEv2

DisclaimerСтатья не более чем заметка для самого себя. Вопросы Почему Фря, почему Strongswan – не обсуждаются.

Что такое IPSec\IKEv2 гугль знает все. В данной конфигурации strongswan мы получаем максимальную совместимость со всеми платформами IOS/Mac OS/Windows/Android без установки сторонних приложений и клиентов.

Уточню, я уже использую сертификаты LetsEncrypt c Apache/Nginx/Postfix/Dovecote поэтому буду использовать их с StrongSwan.

pkg install strongswan

в /etc/rc.conf добавляем

strongswan_enable="YES"
#
gateway_enable="YES"

создаем симлинки на существующие сертификаты letsencrypt

cd /usr/local/etc/ipsec.d/cacerts
ln -sf /usr/local/etc/letsencrypt/live/site.com/chain.pem chain.pem
cd ../certs/
ln -sf /usr/local/etc/letsencrypt/live/site.com/fullchain.pem fullchain.pem
cd /usr/local/etc/ipsec.d/private
ln -sf /usr/local/etc/letsencrypt/live/site.com/privkey.pem privkey.pem

приводим файл /usr/local/etc/ipsec.conf к виду

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# strictcrlpolicy=yes
# uniqueids = no
charondebug = ike 3, cfg 3

conn %default
dpdaction=clear
dpddelay=35s
dpdtimeout=2000s

fragmentation=yes
rekey=no
keyexchange=ikev2
auto=add
reauth=no
compress=yes

left=%any
leftsubnet=0.0.0.0/0
leftcert=fullchain.pem
leftfirewall=yes
leftsendcert=always

right=%any
rightsourceip=192.168.103.0/24
rightdns=213.133.98.98,213.133.99.99,213.133.100.100

eap_identity=%identity

# IKEv2
conn IPSec-IKEv2
keyexchange=ikev2
auto=add

# BlackBerry, Windows, Android
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2

# macOS, iOS
conn IKEv2-MSCHAPv2-Apple
also="IPSec-IKEv2"
rightauth=eap-mschapv2
leftid=mx2.sat-expert.com

# Android IPsec Hybrid RSA
conn IKEv1-Xauth
keyexchange=ikev1
rightauth=xauth
auto=add

ipsec.secrets к виду

root@mx2/usr/local/etc> cat ipsec.secrets
# filename of private key located in /usr/local/etc/ipsec.d/private/
: RSA privkey.pem

# syntax is `username : EAP "plaintextpassword"`
usr1 : EAP "password1"
usr2 : EAP "password2"
usr3 : EAP "password3"
#user2 : XAUTH "password2"
root@mx2/usr/local/etc>

в правила pf добавляем правила нат-а для впн подсети

table <it> persist { 192.168.103.0/24 }
ext_if="em0"
nat on $ext_if inet from <it> to any port != smtp -> ($ext_if)

на фв не забываем открыть UDP порты 500/4500

запускаем strongswan и смотрим что у нас происходит

ipsec start –nofork

Пока можем настроить удаленный клиент.

Пример для IOS

Пример для Mac OS

пробуем коннектится удаленным клиентом. если все нормально – запускаем strongswan как сервис.

service strongswan start

в противном случае смотрим лог и пользуемся tcpdump

Удачи 🙂

Лег диск в рейде на hetzner

В очередной раз. С момента прошлой замены прошло 224 дня.

camcontrol devlist

&lt;ST3750528AS CC46&gt; at scbus0 target 0 lun 0 (ada0,pass0)
&lt;WDC WD7500AALX-009BA0 15.01H15&gt; at scbus1 target 0 lun 0 (ada1,pass1)

root@mx1/root&gt; ls /dev/ada?
/dev/ada0 /dev/ada1

root@mx1/root&gt; gmirror status
Name Status Components
mirror/gm0 DEGRADED ada1s1 (ACTIVE)
root@mx1/root&gt;

битый диск прожил 23757 hours (989 days + 21 hours). ну что ж…

[su_spoiler]

root@mx1/usr/home/vvs>
root@mx1/usr/home/vvs> /usr/local/sbin/smartctl -a /dev/ada0
smartctl 6.4 2015-06-04 r4109 [FreeBSD 9.3-STABLE amd64] (local build)
Copyright (C) 2002-15, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family: Western Digital Blue
Device Model: WDC WD7500AALX-009BA0
Serial Number: WD-WCATR7461233
LU WWN Device Id: 5 0014ee 25b4c70ec
Firmware Version: 15.01H15
User Capacity: 750 156 374 016 bytes [750 GB]
Sector Size: 512 bytes logical/physical
Device is: In smartctl database [for details use: -P show]
ATA Version is: ATA8-ACS (minor revision not indicated)
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Tue Jul 28 10:03:05 2015 EEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status: (0x82) Offline data collection activity
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: (11100) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 130) minutes.
Conveyance self-test routine
recommended polling time: ( 5) minutes.
SCT capabilities: (0x3037) SCT Status supported.
SCT Feature Control supported.
SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x002f 200 200 051 Pre-fail Always - 0
3 Spin_Up_Time 0x0027 199 178 021 Pre-fail Always - 3050
4 Start_Stop_Count 0x0032 100 100 000 Old_age Always - 31
5 Reallocated_Sector_Ct 0x0033 200 200 140 Pre-fail Always - 0
7 Seek_Error_Rate 0x002e 100 253 000 Old_age Always - 0
9 Power_On_Hours 0x0032 070 070 000 Old_age Always - 22524
10 Spin_Retry_Count 0x0032 100 253 000 Old_age Always - 0
11 Calibration_Retry_Count 0x0032 100 253 000 Old_age Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 28
192 Power-Off_Retract_Count 0x0032 200 200 000 Old_age Always - 24
193 Load_Cycle_Count 0x0032 200 200 000 Old_age Always - 6
194 Temperature_Celsius 0x0022 107 090 000 Old_age Always - 40
196 Reallocated_Event_Count 0x0032 200 200 000 Old_age Always - 0
197 Current_Pending_Sector 0x0032 200 200 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0030 200 200 000 Old_age Offline - 0
199 UDMA_CRC_Error_Count 0x0032 200 200 000 Old_age Always - 0
200 Multi_Zone_Error_Rate 0x0008 200 200 000 Old_age Offline - 0

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed without error 00% 22513 -
# 2 Extended offline Completed without error 00% 22506 -
# 3 Extended offline Completed without error 00% 21234 -
# 4 Extended offline Completed without error 00% 21160 -
# 5 Extended offline Completed without error 00% 17275 -
# 6 Extended offline Completed without error 00% 17249 -
# 7 Extended offline Completed without error 00% 12639 -
# 8 Extended offline Completed without error 00% 11053 -

SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

root@mx1/usr/home/vvs>

[/su_spoiler]

[su_spoiler]

root@mx1/usr/home/vvs>
root@mx1/usr/home/vvs> /usr/local/sbin/smartctl -a /dev/ada0
smartctl 6.4 2015-06-04 r4109 [FreeBSD 9.3-STABLE amd64] (local build)
Copyright (C) 2002-15, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family: Western Digital Blue
Device Model: WDC WD7500AALX-009BA0
Serial Number: WD-WCATR7461233
LU WWN Device Id: 5 0014ee 25b4c70ec
Firmware Version: 15.01H15
User Capacity: 750 156 374 016 bytes [750 GB]
Sector Size: 512 bytes logical/physical
Device is: In smartctl database [for details use: -P show]
ATA Version is: ATA8-ACS (minor revision not indicated)
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Tue Jul 28 10:03:05 2015 EEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status: (0x82) Offline data collection activity
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: (11100) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 130) minutes.
Conveyance self-test routine
recommended polling time: ( 5) minutes.
SCT capabilities: (0x3037) SCT Status supported.
SCT Feature Control supported.
SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x002f 200 200 051 Pre-fail Always - 0
3 Spin_Up_Time 0x0027 199 178 021 Pre-fail Always - 3050
4 Start_Stop_Count 0x0032 100 100 000 Old_age Always - 31
5 Reallocated_Sector_Ct 0x0033 200 200 140 Pre-fail Always - 0
7 Seek_Error_Rate 0x002e 100 253 000 Old_age Always - 0
9 Power_On_Hours 0x0032 070 070 000 Old_age Always - 22524
10 Spin_Retry_Count 0x0032 100 253 000 Old_age Always - 0
11 Calibration_Retry_Count 0x0032 100 253 000 Old_age Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 28
192 Power-Off_Retract_Count 0x0032 200 200 000 Old_age Always - 24
193 Load_Cycle_Count 0x0032 200 200 000 Old_age Always - 6
194 Temperature_Celsius 0x0022 107 090 000 Old_age Always - 40
196 Reallocated_Event_Count 0x0032 200 200 000 Old_age Always - 0
197 Current_Pending_Sector 0x0032 200 200 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0030 200 200 000 Old_age Offline - 0
199 UDMA_CRC_Error_Count 0x0032 200 200 000 Old_age Always - 0
200 Multi_Zone_Error_Rate 0x0008 200 200 000 Old_age Offline - 0

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed without error 00% 22513 -
# 2 Extended offline Completed without error 00% 22506 -
# 3 Extended offline Completed without error 00% 21234 -
# 4 Extended offline Completed without error 00% 21160 -
# 5 Extended offline Completed without error 00% 17275 -
# 6 Extended offline Completed without error 00% 17249 -
# 7 Extended offline Completed without error 00% 12639 -
# 8 Extended offline Completed without error 00% 11053 -

SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

root@mx1/usr/home/vvs>

[/su_spoiler]

разбираем gmirror

gmirror forget gm0

и пишем письмо в поддержку.
Good day.
We are experiencing problems with the hard drive Seagate Barracuda w serial number 9VP2SZL7.
It is subject to physical change. Kindly requested to replace the drive as quickly as possible.

Please don’t take any other actions except HDD replacement – don’t install recoverty image, etc.

Thanks in advance!

ну что я могу сказать – заменили за пол часа.
после замены

[su_spoiler]

root@mx1/usr/home/vvs>
root@mx1/usr/home/vvs> /usr/local/sbin/smartctl -a /dev/ada0
smartctl 6.4 2015-06-04 r4109 [FreeBSD 9.3-STABLE amd64] (local build)
Copyright (C) 2002-15, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family: Western Digital Blue
Device Model: WDC WD7500AALX-009BA0
Serial Number: WD-WCATR7461233
LU WWN Device Id: 5 0014ee 25b4c70ec
Firmware Version: 15.01H15
User Capacity: 750 156 374 016 bytes [750 GB]
Sector Size: 512 bytes logical/physical
Device is: In smartctl database [for details use: -P show]
ATA Version is: ATA8-ACS (minor revision not indicated)
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Tue Jul 28 10:03:05 2015 EEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status: (0x82) Offline data collection activity
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: (11100) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 130) minutes.
Conveyance self-test routine
recommended polling time: ( 5) minutes.
SCT capabilities: (0x3037) SCT Status supported.
SCT Feature Control supported.
SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x002f 200 200 051 Pre-fail Always - 0
3 Spin_Up_Time 0x0027 199 178 021 Pre-fail Always - 3050
4 Start_Stop_Count 0x0032 100 100 000 Old_age Always - 31
5 Reallocated_Sector_Ct 0x0033 200 200 140 Pre-fail Always - 0
7 Seek_Error_Rate 0x002e 100 253 000 Old_age Always - 0
9 Power_On_Hours 0x0032 070 070 000 Old_age Always - 22524
10 Spin_Retry_Count 0x0032 100 253 000 Old_age Always - 0
11 Calibration_Retry_Count 0x0032 100 253 000 Old_age Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 28
192 Power-Off_Retract_Count 0x0032 200 200 000 Old_age Always - 24
193 Load_Cycle_Count 0x0032 200 200 000 Old_age Always - 6
194 Temperature_Celsius 0x0022 107 090 000 Old_age Always - 40
196 Reallocated_Event_Count 0x0032 200 200 000 Old_age Always - 0
197 Current_Pending_Sector 0x0032 200 200 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0030 200 200 000 Old_age Offline - 0
199 UDMA_CRC_Error_Count 0x0032 200 200 000 Old_age Always - 0
200 Multi_Zone_Error_Rate 0x0008 200 200 000 Old_age Offline - 0

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed without error 00% 22513 -
# 2 Extended offline Completed without error 00% 22506 -
# 3 Extended offline Completed without error 00% 21234 -
# 4 Extended offline Completed without error 00% 21160 -
# 5 Extended offline Completed without error 00% 17275 -
# 6 Extended offline Completed without error 00% 17249 -
# 7 Extended offline Completed without error 00% 12639 -
# 8 Extended offline Completed without error 00% 11053 -

SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

root@mx1/usr/home/vvs>

[/su_spoiler]
диск впердолили такой же старый. за новый просят 41 ойро.

9 Power_On_Hours 0x0032 070 070 000 Old_age Always – 22524

попробуем сколько протянет этот диск.

вставляем его в gmirror и ждем конца синхронизации …

root@mx1/usr/home/vvs&gt; gmirror insert gm0 /dev/ada0

root@mx1/usr/home/vvs&gt; gmirror status
Name Status Components
mirror/gm0 DEGRADED ada1s1 (ACTIVE)
ada0 (SYNCHRONIZING, 0%)
root@mx1/usr/home/vvs&gt;

freebsd, php, extensions.ini

cat /usr/local/etc/php/extensions.ini | sort > /usr/local/etc/php/extensions.ini_new

cp /usr/local/etc/php/extensions.ini_new /usr/local/etc/php/extensions.ini

apachectl restart

еще можно переносить в самый конец

extension=mysql.so
extension=mysqli.so
extension=imap.so
extension=sockets.so
extension=memcache.so

 

Настройка Mac OS клиента для работы с удаленным BOINC клиентом.

ЧАСТЬ 1 – Настройка BOINC на FreeBSD

ЧАСТЬ 2 – Вступаем в World Community Grid

ЧАСТЬ 3 – Регистрация пользователя, выбор заданий, настройка BOINC для World Community Grid

Часть 4 – Настраиваем удаленный мониторинг/управление своим BOINC клиентом.

Под макось разработан прекрасный BOINC клиент-сервер. Качаем его ТУТ

теперь указываем только наши параметры подключение

и видим статистику нашего удаленного сервера

Надеюсь что эти статьи помогут или просто заинтересуют того кто их прочитает и мы все вместе сможем сделать этот мир лучше 🙂

Настраиваем удаленный мониторинг/управление своим BOINC клиентом.

ЧАСТЬ 1 – Настройка BOINC на FreeBSD

ЧАСТЬ 2 – Вступаем в World Community Grid

ЧАСТЬ 3 – Регистрация пользователя, выбор заданий, настройка BOINC для World Community Grid

Так как я писал что клиент на сервере у меня собран без всяких фронтэндов а понаблюдать за ним хочется то можно использовать возможности удаленного управления клиентом.

(К чести разработчиков BOINC клиента хочу сказать что работает он как часики. во всяком случае пока.)

со стороны сервера. правим
[cce lang=bash]
root@mx1/usr/local/var/db/boinc> vim /usr/local/etc/rc.d/boinc
[/cce]

правим строчку стартовых параметров клиента на:

boinc_flags=”–allow_remote_gui_rpc –dir ${boinc_home}”

по умолчанию boinc слушает команды на порту 31416

[cce lang=bash]

root@mx1/usr/local/var/db/boinc> sockstat | grep 31416
boinc boinc_clie 38832 5 tcp4 *:31416 *:*
[/cce]

добавляем правило в fw открывающее этот порт в мир.

[cce]
/sbin/ipfw add 00273 allow tcp from any to me dst-port 1043, 31416
[/cce]

вроде порт 1043 ему тоже нужен но я не проверял зачем.

теперь надо в настройках boinc разрешить входящие соединения и задать пароль для удаленного управления.

[cce]

root@mx1/usr/local/var/db/boinc> cat remote_hosts.cfg
193.37.XXX.XXX
root@mx1/usr/local/var/db/boinc>

root@mx1/usr/local/var/db/boinc> cat gui_rpc_auth.cfg
cfXXXXXXXXXXXXXXXXXXXX4df7
root@mx1/usr/local/var/db/boinc>

[/cce]

remote_hosts.cfg – сюда айпишник с которого можно управлять boinc-ом
gui_rpc_auth.cfg – пароль для входящих соединений

не забываем после всего перезапустить наш boinc

/usr/local/etc/rc.d/boinc restart

усе! можно проверять!

используем screen

screen -a -O пустили
^a+c – новый экран
^a+n – переключится (next)
^a+p – назад (prev.)
^a+d – detach
screen -rd – вернуться

сегодня при помощи Сани Коваленко был произведен апдейт фри

с моей 7.0 CURRENT на
[root@mx1]/etc/ssh: uname -a
FreeBSD mx1.sat-expert.com 7.1-RELEASE-p5 FreeBSD 7.1-RELEASE-p5 #0: Mon Apr 27 12:23:40 EEST 2009 root@mx1.sat-expert.com:/usr/obj/usr/src/sys/GER i386
[root@mx1]/etc/ssh:

все прошло вроде без сучка и задоринки. Саня сделал мне mergemaster всего. все вроде в порядке.

reconfiguring freebsd ports

# cd /usr/ports/www/apache22
# make rmconfig
Читать далее »

update freebsd

RELENG_7_1
Читать далее »