SSL catch-22 on using custom FreeBSD package repository

I found myself in a Catch-22. Our package server uses TLS certificates issued by Let's Encrypt, which the FreeBSD base system does not trust by default (base ships without a CA bundle; the bundle comes from the security/ca_root_nss port), so pkg fails with:

# pkg install vim-console
Updating custom repository catalogue…

Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

34404218008:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
...
Unable to update repository custom

Error updating repositories!

Normally the solution would be to install security/ca_root_nss. However, that fails for the very same reason: the package has to come from the repository whose certificate cannot be verified. To break the loop, disable certificate verification for that one pkg invocation so the CA bundle gets installed:

# env SSL_NO_VERIFY_PEER=1 pkg install ca_root_nss

One last remark: make sure the connection itself is not tampered with while installing this package. With certificate verification disabled you briefly expose an attack vector: anyone who can intercept that single fetch can hand you a package of their choosing, and this particular package is the CA bundle every later TLS check will trust. To avoid that window: 1) download the package manually on a machine that can verify the repository's certificate, 2) scp it to the FreeBSD host, and 3) install it from the local file with pkg add.
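The manual route above still leaves one check a practitioner wants: that the file that arrived is the file that left. The script below is an added example, not code from the original post. It compares the SHA-256 of the transferred package against a digest obtained over a trusted channel (for instance read off the host that fetched it with working certificate verification) and only then calls pkg add. It assumes the package file is already on the FreeBSD host and that the expected digest was not taken from the same unverified connection as the file.

```shell
#!/bin/sh
# Added example, not part of the original post: install a manually
# transferred ca_root_nss package only after its SHA-256 matches a digest
# obtained over a trusted channel. Assumptions: the package file is already
# on this host (scp'd or fetched with verification off), and the expected
# digest was NOT taken from the same unverified connection as the file.

# Print the SHA-256 of a file; FreeBSD ships sha256(1), Linux sha256sum(1),
# and openssl(1) is the fallback.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_pkg FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch or error
verify_pkg() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: got '$actual', expected '$expected'" >&2
    return 1
}

# install_verified FILE EXPECTED_SHA256: run pkg add only after the check passes
install_verified() {
    verify_pkg "$1" "$2" || return 1
    pkg add "$1"
}

# usage (as root): install_verified ./ca_root_nss-<version>.txz <sha256 from trusted host>
```

The digest has to travel a different path than the package; if both come over the same unverified TLS session, an attacker in the middle simply supplies a matching pair.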

IPFW NAT and FWD combined

For the past year, combining (kernel) NAT with fwd rules in ipfw has crossed my mind more often than I like to admit, but every time I failed to grasp the concept well enough to make the two work together. Today, on the train, after trying all sorts of combinations and wondering why it still did not work, it finally clicked: if I cannot make the match conditions of the nat and fwd rules line up, I should match first, skipto a separate block, and then apply nat and fwd unconditionally to all traffic that reaches that block.

Example:

# NAT and forward both need to process the same packets,
# so nat must not terminate the rule search
ipfw -q disable one_pass
ipfw -q -f flush
ipfw -q nat 1 config if em1
# match first: anything not destined for the LAN goes to the nat/fwd block
ipfw -q add skipto 1000 all from any to not 192.168.1.0/24
ipfw -q add skipto 65534 all from any to any
# the block: nat (non-terminating) followed by fwd, using the nat
# instance number configured above
ipfw -q add 1000 nat 1 all from any to any
ipfw -q add 1100 fwd 192.168.178.1 all from any to any

where 192.168.178.1 is the gateway on em1. This recipe is still missing the inbound NAT, performance considerations from running a packet through NAT more than once, and probably much more, but the basic nut of how to structure the ipfw ruleset has been cracked. The roost has left the nest. Policy Based Routing, here we come!

Note: after disabling one_pass, 'nat' rules no longer terminate the rule search, but 'fwd' rules still do, so the fwd rule has to come after the nat rule.
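To make the pattern usable, here is the ruleset written out as a complete script. This is an added example, not code from the original post: it keeps the match-then-skipto idea, adds the inbound NAT half the post leaves out, and restricts nat and fwd to the uplink direction they apply to. It assumes em1 is the uplink with next hop 192.168.178.1, the LAN is 192.168.1.0/24, and rule numbers 100 to 1200 are free; the IPFW variable is an assumption of the example so the script can print its rules without loading them.

```shell
#!/bin/sh
# Added example, not code from the original post: the skipto/nat/fwd
# pattern as a complete ruleset, including the inbound NAT half and with
# nat/fwd limited to the uplink direction they belong to.
# Assumptions: em1 is the uplink with next hop 192.168.178.1, the LAN is
# 192.168.1.0/24, and rule numbers 100-1200 are free.
IPFW=${IPFW:-/sbin/ipfw}   # IPFW=echo prints the rules instead of loading them
LAN=192.168.1.0/24
UPLINK=em1
GW=192.168.178.1
NAT_ID=1                   # one instance number for 'nat config' and the nat rules

load_ruleset() {
    # with one_pass disabled a nat rule does not end the search, so the
    # packet reaches the fwd rule after it; fwd is always terminating
    $IPFW -q disable one_pass
    $IPFW -q -f flush
    $IPFW -q nat $NAT_ID config if $UPLINK

    # match first: anything not destined for the LAN goes to the nat/fwd
    # block, LAN-to-LAN traffic is accepted as-is
    $IPFW -q add 100 skipto 1000 ip from any to not $LAN
    $IPFW -q add 200 allow ip from any to any

    # inbound on the uplink: translate replies back, then accept them
    $IPFW -q add 1000 nat $NAT_ID ip from any to any in via $UPLINK
    $IPFW -q add 1010 allow ip from any to any in via $UPLINK

    # outbound on the uplink: translate, then force the next hop;
    # order matters because fwd terminates and nat does not
    $IPFW -q add 1100 nat $NAT_ID ip from any to any out via $UPLINK
    $IPFW -q add 1110 fwd $GW ip from any to any out via $UPLINK
    $IPFW -q add 1200 allow ip from any to any
}

# sh ipfw-natfwd.sh load             loads the rules (needs root)
# IPFW=echo sh ipfw-natfwd.sh load   shows what would be loaded
if [ "${1:-}" = "load" ]; then
    load_ruleset
fi
```

Trace an outbound packet: in on the LAN side it hits rule 100, skips to 1000, matches nothing there but the final allow; out via em1 it skips to 1000 again, is translated at 1100 (search continues) and then handed to the gateway at 1110, where the search stops. A reply in via em1 is un-translated at 1000 and accepted at 1010. Using one NAT_ID for both the config and the rules avoids the easy mistake of configuring one instance and referencing another.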

EuroBSDCon 2013

EuroBSDCon mascot

Smiling and helpful as usual, your BSD daemon

And there it was! All geeks unite! BSD lovers from all over Europe and the rest of the world gathered in Malta to discuss what was going on in the world of FreeBSD, NetBSD, and OpenBSD. The talks were better than ever (only 42 out of 75 submissions made it into the 3 tracks on 2 days).

Most impressive for me was the number of people using NanoBSD as the tool to build their server, embedded-system, and node installations. There were also in-depth discussions of fundamental issues like 64-bit time_t, security technologies, and performance enhancements, and of course the fun talks by the BSD veterans McKusick and phk. All in all a good BSDCon. See you next year!

EuroBSDCon

From 18 to 22 October the annual European BSD Conference took place in Warsaw, PL. Some 200 developers and users of the various BSD flavours came together to exchange ideas, attend tutorials, and learn more about FreeBSD, NetBSD, OpenBSD, DragonFly BSD, etc. AnyWi runs FreeBSD on many of its machines and, as a src committer, is also involved in its further development.

During the conference there were plenty of opportunities to fix bugs on the spot, discuss solutions to pressing questions with like-minded people, or simply catch up and pick up new ideas.

More information: http://2012.eurobsdcon.org