Posted by: jasonk2600 | January 13, 2010

FreeBSD DHCP Server


This post will describe the steps necessary to configure the ISC DHCP Server under FreeBSD for a simple local area network (LAN).


Install the ISC DHCP Server v3.1 from the FreeBSD ports collection.  NOTE: The default port configuration options are acceptable.

# cd /usr/ports/net/isc-dhcp31-server
# make config
# make install clean
# rehash



Create the /usr/local/etc/dhcpd.conf configuration file for the ISC DHCP Server and set the following global settings for the server. NOTE: The following will configure the ISC DHCP Server to be the main authoritative DHCP server for the LAN. Use your local domain name and DNS server addresses.

option domain-name "";
option domain-name-server,;

default-lease-time 600;
max-lease-time 7200;


ddns-update-style none;

log-facility local7;


Next, configure network settings and IP addresses range from your local network for the DHCP server to serve. These settings are appended to the end of the /usr/local/etc/dhcpd.conf configuration file.

subnet netmask {
  # Assign addresses from to
  # Parent domain name for all hosts on LAN.
  option domain-name "";
  # DNS server for hosts on LAN.
  option domain-name-servers;
  # Default route for hosts on LAN.
  option routers;
  default-lease-time 600;
  max-lease-time 7200;


In addition to defining the network settings and IP addresses for hosts on the local network, you can also specify a static IP address to be assigned to a specific host by following the example below. These settings are appended to the end of the /usr/local/etc/dhcpd.conf configuration file.

host ns1 {
  # MAC address of the host to receive this static IP address.
  hardware ethernet 80:00:07:26:c0:a5;
  # Static IP address to assign to this host.
  option domain-name "";
  option domain-name-servers;
  option routers;
  default-lease-time 600;
  max-lease-time 7200;


Enable the ISC DHCP Server to automatically start and system boot and start it for the first time.

# echo 'dhcpd_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/isc-dhcpd start



To text the newly configured DHCP server, configure a client system on the local network to automatically obtain an IP address.  The client should automatically obtain an IP address from the IP address range you specified above along with the other network settings specified.  If the client fails to obtain an IP address, check /var/log/messages for any error messages and ensure that the ISC DHCP Server is the only DHCP server running on the local network.



Posted by: jasonk2600 | January 12, 2010

News: BackTrack Linux 4 Released

The final release of BackTrack Linux has been released and is available for download.  Follow the link below to download.

From the BackTrack Linux Web site:

“…the highest rated and acclaimed Linux security distribution to date.  BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.  Regardless if you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester.”


Posted by: jasonk2600 | January 11, 2010

Installing PostgreSQL on FreeBSD


This post will describe the steps required to complete the initial configuration of the PostgreSQL DBMS on a system running FreeBSD.  Configuring the basic configuration of PostgreSQL and creating an initial super-user will be covered; performance tuning, database administration, and Structured Query Language (SQL) will not be covered in this post.


Configure and install the PostgreSQL v8.4.x DBMS from the ports collection.  The default port configuration will work just fine, although you may consider enabling the OPTIMIZED_CFLAGS option for better performance.

# cd /usr/ports/databases/postgresql84-server
# make config
# make install clean



Enable PostgreSQL to start at system boot in /etc/rc.conf.

# echo 'postgresql_enable="YES"' >> /etc/rc.conf


Initialize the PostgreSQL database cluster for the first time.  NOTE: The following command will create the initial database cluster in the /usr/local/pgsql/data directory by default.

# /usr/local/etc/rc.d/postgresql initdb
/usr/local/etc/rc.d/postgresql initdb
The files belonging to this database system will be owned by user "pgsql".
This user must also own the server process.

The database cluster will be initialized with locale C.
The default text search configuration will be set to "english".

fixing permissions on existing directory /usr/local/pgsql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 40
selecting default shared_buffers ... 28MB
creating configuration files ... ok
creating template1 database in /usr/local/pgsql/data/base/1 ... ok
initializing pg_authid ... ok
initializing dependencies ... ok
creating system views ... ok
loading system objects' descriptions ... ok
creating conversions ... ok
creating dictionaries ... ok
setting privileges on built-in objects ... ok
creating information schema ... ok
vacuuming database template1 ... ok
copying template1 to template0 ... ok
copying template1 to postgres ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the -A option the
next time you run initdb.

Success. You can now start the database server using:

    /usr/local/bin/postgres -D /usr/local/pgsql/data
    /usr/local/bin/pg_ctl -D /usr/local/pgsql/data -l logfile start


Configure PostgreSQL to listen for database connections on all system IP addresses by adding the following line to /usr/local/pgsql/data/postgresql.conf.

listen_addresses = '*'


Configure PostgreSQL to use password hash authentication for all hosts and users connecting from the local network by adding the following line to the /usr/local/pgsql/data/pg_hba.conf file. NOTE: Replace with your own network.

host  all  all  md5


Start the PostgreSQL DBMS for the first time and add a new super-user (with database and role creation rights) by executing the following commands.

# /usr/local/etc/rc.d/postgresql start
# su pgsql
$ createuser -sdrP username
Enter password for new role: ******
Enter it again: ******

$ exit



The PostgreSQL DBMS should now be up and running with the newly created super-user. Using a PostgreSQL client, such as pgadmin3 connect to the PostgreSQL server from another system using the username and password of the role previously created. New database schemas, roles, procedures, etc can now be created using the super-user.



Posted by: jasonk2600 | January 10, 2010

Simple FreeBSD Firewall and Router


This post will explain the basic steps necessary to configure a FreeBSD system to perform the roles of a firewall and router.  It is assumed that the FreeBSD system is up and running with two NICs installed.  OpenBSD’s Packet Filter (PF) firewall package will be used to perform the firewalling, Network Address Translation (NAT), and routing services.


PF must be compiled into the FreeBSD kernel.  If you have not already done so, download the FreeBSD system source code to the /usr/src directory.  Create a custom kernel configuration based upon the default GENERIC kernel configuration.

# cd /usr/src/sys/i386/conf


Modify the CUSTOM kernel configuration file to reflect the following settings.

cpu  I686_CPU
ident  CUSTOM

options  ALTQ
options  ALTQ_CBQ
options  ALTQ_RED
options  ALTQ_RIO
options  ALTQ_HFSC
options  ALTQ_PRIQ
options  ALTQ_NOPCC

device  pf
device  pflog
device  pfsync


Compile and install the newly configured CUSTOM kernel. Reboot the system once installation of the kernel has been completed.

# cd /usr/src
# make buildkernel KERNCONF=CUSTOM
[ ... Lots of Output ... ]
# make installkernel KERNCONF=CUSTOM
[ ... Lots of Output ... ]
# shutdown -r now



Enable the PF firewall software to start at system boot by adding the following to the /etc/rc.conf file.



Create the PF ruleset in /etc/pf.conf. The following sample ruleset will provide Network Address Translation (NAT), protects against attacks based on the incorrect handling of packet fragments, defends against spoofed IP addresses, allows any internal system to access the outside, and blocks access to the internal systems from the outside. Be sure to set the ext_if and int_if variables to the name of your system’s external (connected to the Internet) and internal (connected to your LAN) NICs. For more information on creating more complex PF rulesets refer to "The Book of PF", available here.

ext_if = "ath0"
int_if = "fxp0"
localnet = $int_if:network

nat on $ext_if from $localnet to any -> ($ext_if)

block all

scrub in all
antispoof for $ext_if
antispoof for $int_if

pass from { lo0, $localnet } to any keep state


Reboot the system to activate PF and the new ruleset. Once the system has rebooted, check PF’s statistics to verify that PF is handling network traffic.

# pfctl -s info
Status: Enabled for 0 days 00:17:04      Debug: Urgent

State Table                     Total             Rate
  current entries                   0
  searches                       2800            2.7/s
  inserts                           0            0.0/s
  removals                          0            0.0/s
  match                          2800            2.7/s
  bad-offset                        0            0.0/s
  fragment                          0            0.0/s
  short                             0            0.0/s
  normalize                         0            0.0/s
  memory                            0            0.0/s
  bad-timestamp                     0            0.0/s
  congestion                        0            0.0/s
  ip-option                        12            0.0/s
  proto-cksum                       0            0.0/s
  state-mismatch                    0            0.0/s
  state-insert                      0            0.0/s
  state-limit                       0            0.0/s
  src-limit                         0            0.0/s
  synproxy                          0            0.0/s




Posted by: jasonk2600 | January 9, 2010

Quickie HowTo: Wireless Access in FreeBSD 8


This quickie howto will describe how to configure a system running FreeBSD 8.x with a wireless NIC to connect to a WiFi Access Point (AP) using WPA-PSK security (the most common WiFi configuration).  Wireless NICs that utilize the Atheros chipset are by far the most common WiFi NICs and the follow instructions assume that the Wireless NIC has already been physically installed in the FreeBSD system.


All of the necessary drivers and utilities to use wireless access are already included as part of the basic FreeBSD installation.  The first step is to configure all the necessary drivers to load automatically at system boot.  Add the following lines to the /boot/loader.conf boot loader configuration file.



Next, modify /etc/rc.conf to configure FreeBSD to use the wireless NIC with WPA security enabled.

Wireless NIC with a static IP address:

ifconfig_wlan0="WPA inet netmask"


Wireless NIC using DHCP:

ifconfig_wlan0="WPA DHCP"


Finally, configure FreeBSD to connect to your wireless access point (identified by SSID) using the access point’s Pre-Shared Key (a.k.a. password).  Add these settings to /etc/wpa_supplicant.conf, the FreeBSD WPA configuration file.




Reboot the system for the new settings to take effect. The wireless NIC will now automatically connect to your wireless access point at system boot. To verify connectivity, login and ping another host. If there seems to be no network connectivity, check the configuration of the wireless NIC using the ifconfig utility. ifconfig should show that the wireless NIC is connected to the wireless access point using WPA.

# ifconfig -a
wlan0: flags=8843 metric 0 mtu 1500
  ether 00:11:aa:22:bb:11
  inet netmask 0xffffff00 broadcast
  media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
  status: associated
  ssid YourAPssid channel 1 (2412 Mhz 11g) bssid 00:18:dd:55:bb:22
  regdomain FCC indoor ecm authmode WPA privacy ON deftxkey UNDEF
  TKIP 2:128-bit TKIP 3:128-bit txpower 21 bmiss 7 scanvalid 450 bgscan
  bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
  wme burst roaming MANUAL





« Newer Posts - Older Posts »