Moving from userland natd to kernel mode nat

For many many years, I’ve been happily running ppp, ipfw and natd on my FreeBSD router, starting in the early days with ppp -nat before needing more refined control and moving to userland natd.

Then I learned about kernel mode nat in ipfw2 so I thought I’d give that a go.

What had to be done:
Adding the following to the kernel config:
options LIBALIAS
If you don’t want to use a custom kernel (and from looking at the rc.d script), you should be able to set firewall_nat_enable="YES" in /etc/rc.conf and the correct module will be loaded on boot.

Removing:
add 50 divert natd all from any to any via tun0
from /etc/rc.firewall.script

Adding:
nat 1 config if tun0 log unreg_only
add 50 nat 1 ip4 from any to any via tun0
to /etc/rc.firewall.script

If you are using an Open or Client firewall, you can set:
in /etc/rc.conf
And don’t forget to set:
natd_enable="NO" in /etc/rc.conf if you’re switching from userland natd.

That’s got it working just as ipfw+natd used to; the stability/speed tests and real-world usage remain to be seen …
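A pre-flight check for the switch described above, as an added example that is not part of the original post: it audits a rule file and rc.conf for a half-finished migration. The function name, the sample file names and their contents are constructed for illustration; the rule syntax is the one shown in the post.

```shell
#!/bin/sh
# Added example, not the author's script. Sample file contents are constructed.

# Print one finding per line; print nothing when the switch looks complete.
audit_nat_migration() {
    rules=$1
    rcconf=$2
    # With natd stopped nothing listens on the divert socket, so ipfw
    # drops every packet that a leftover divert rule matches.
    grep -n 'divert natd' "$rules" | grep -v '^[0-9]*:[[:space:]]*#' |
        sed 's/^\([0-9]*\):.*/line \1: leftover divert rule/'
    # Every "nat N" a rule refers to needs its own "nat N config" line.
    awk '$1 ~ /^#/ { next }
        { for (i = 1; i < NF; i++)
            if ($i == "nat" && $(i + 1) ~ /^[0-9]+$/) {
                if ($(i + 2) == "config") cfg[$(i + 1)] = 1
                else if (!($(i + 1) in used)) used[$(i + 1)] = NR
            } }
        END { for (n in used) if (!(n in cfg))
            printf "line %d: nat %s has no \"nat %s config\"\n", used[n], n, n }' "$rules"
    # The last step of the post: userland natd must be switched off.
    if grep -q -E '^natd_enable="?[Yy][Ee][Ss]' "$rcconf"; then
        echo 'rc.conf: natd_enable is still YES'
    fi
    return 0
}

# Constructed samples: a half-finished switch, and the finished one.
write_samples() {
    cat > "$1/half.rules" <<'EOF'
add 50 divert natd all from any to any via tun0
add 60 nat 2 ip4 from any to any via tun0
nat 1 config if tun0 log unreg_only
EOF
    cat > "$1/done.rules" <<'EOF'
nat 1 config if tun0 log unreg_only
add 50 nat 1 ip4 from any to any via tun0
EOF
    printf 'natd_enable="YES"\n' > "$1/half.conf"
    printf 'natd_enable="NO"\n' > "$1/done.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_nat_migration "$tmp/half.rules" "$tmp/half.conf"
[ -z "$(audit_nat_migration "$tmp/done.rules" "$tmp/done.conf")" ] && echo 'done.rules: no findings'
rm -rf "$tmp"
```

Run against the real rule file before restarting the firewall, a non-empty result means either traffic will be dropped at the old divert rule or a nat rule points at an instance that was never configured.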

Fun with maildrop

Whilst I’m awaiting the resurrection of my /home drive I’ve had to resort to collecting my mail and storing it under a temporary account.

I decided to make a few changes to skynet, since my spambayes db was stored on /home along with my .procmailrc: SpamAssassin was integrated with sendmail and maildrop was set as the system-wide LDA.

Here is a fun line from my new (and still developing) .mailfilter file.
if ( /^List-Id:.+\<freebsd-(.*)\.freebsd\.org\>$/ )

Which automatically puts FreeBSD mailing list items into their own folder.

To clear up what was in my ever-growing Inbox, it was a simple case of running

for file in *; do maildrop < "$file"; done

in a copy of ~/Mail/cur.

Whilst it’s not quite as defined as my old .procmailrc I think I may like maildrop …

New skynet feature.

A new feature has been added to Skynet today, a self-managed service monitor.

The script is provided below and is free for use under a beerware license.

As usual it’s FreeBSD only.




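#!/bin/sh

. /etc/rc.subr
load_rc_config 'XXX'

unset local_rc

# ${local_rc} and ${prefix} are not assigned anywhere in this listing.
servers=$(rcorder -s nostart ${local_rc} 2>/dev/null)

# Returns 0 when the service is not running, non-zero when it is.
check_pid () {
    if [ -z "$6" ]
    then
        # no 6th parameter, assume not running
        return 0
    fi
    # Assumed: rc.subr prints "<name> is running as pid <pid>.", so $6 is the pid plus a dot.
    pid=${6%.}
    return $(ps -ax ${pid} | grep ${pid} | wc -l)
}

for server in ${servers}
do
    check_pid $(${prefix}${server} status)
    if [ ${?} -eq 0 ]
    then
        ${prefix}${server} start > /dev/null 2>&1
    fi
done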

eduroam + wpa_supplicant (+freebsd!) = success!

The title says it all really, but here are the gritty details:

In wpa_supplicant.conf:
pairwise=CCMP TKIP

In /etc/rc.conf:
ifconfig_ndis0="DHCP WPA"

In /etc/profile:
http_proxy=; export http_proxy
ftp_proxy=; export ftp_proxy
Your wireless card may not be ndis0, and the other system config bits of rc.conf have been left out for conciseness.

You may also want to add the proxy info from /etc/profile to your other system-wide shell configs, but I’m a basher.

All the pieces have arrived …

Now I just need to fit them together.

What we now have is:
the usb->serial adapter
the null modem cable
a shiny new 5 port switch
a shiny new ups (I know that wasn’t mentioned anywhere earlier, but it’ll make sense!)

debian-armel recognises the usb->serial adapter, so now what is needed is to find the optimal speed (probably 192,000) to use for console access TO skynet. This will probably involve de-tangling the conflicting and seemingly out of date information in the FreeBSD handbook on how to rebuild the bootblocks and kernel to run at the higher speed.

After that there is the test to see if the Netgear DM111 ADSL2+ Modem, FreeBSD + ng_pppoe and the pppoe implementation for deb-armel (anyone know?) can all work together over the new switch.
(Before anyone says anything, I’m not going to run two pppoe sessions at the same time, this is purely a hardware level test to see if it can be done as part of the failover)

After that, pretty much all that remains is the heartbeat fail-over (probably over tcp/ip rather than serial, not ideal but since the lan segment that is in use contains only Skynet, Junior and DM111 it shouldn’t result in false alerts).

Also, the UPS arrangement will be shuffled around, moving all the low-power devices (DM111, Junior, WPN802, FS116 (okay that makes me look like a netgear whore :-\ which I am!)) to one UPS and keeping skynet isolated on another. This should extend the amount of service life in the event of power outages.
Depending on the management capabilities of the new UPS (it’s still in the shipping box in the boot of the car currently), some trickery with NUT may also be possible… we shall see.

It’s going to be a fun weekend!

Junior – The Slug

After battling with a dodgy USB flash drive, Junior is now alive and squirming.

Whilst the entire system is not yet up and running, Junior is in the stages of being pre-configured for its final task.

The Linux of choice was debian-armel.
The packages being installed are thttpd and heartbeat, as well as any other packages that are dependencies.

Whilst I await other hardware required for this endeavour (notably a hub to sit between the ADSL modem and Skynet + Junior and the USB serial adapter) there is not much testing I can do, but hopefully it’ll all work when it’s eventually all plugged together.

More details to follow …

Like the beating heart of a slug

Following a disk failure in skynet earlier today, I am embarking on a new project …

The ingredients are:
1 slug (LinkSys NSLU 2 for those wondering)
1 USB -> RS232 adapter
1 Null Modem Cable
1 Skynet

The end result will hopefully be:
A Debian (? probably debian) powered NSLU2 running a lan based heart-beat check with skynet which, when the heart-beat fails, will take over the PPPoE session so that a static page of “He’s done it again, hang on folks” can be displayed, as well as providing ssh access from the outside world to Skynet via Sluggy and the serial console provided by the usb->rs232+null modem.

That’s the plan at least …

Oh What a tangled web I weave …

In response to numerous (one, if we’re counting) requests, the
Aberddu Webmail is now accessible using
your preferred imaps client.

To access it, simply set up a new account which points at* using an SSL
connection (that’s just SSL; not TLS, not TLS if available, and no secure authentication) and
log in using your full Aberddu e-mail address and the usual password.

*That is not a deliberate mistake, that is supposed to read*

For the dry technical details, read on …

For the outgoing (SMTP) server, set ‘use username and password’ (these are the same as the ones you log in with above) and use secure connection TLS.

For users on the Aberystwyth University network, you will probably need to request that the
following ports be opened in the firewall: 465, 993