Archive

Archive for the ‘[EN] Tech’ Category

Zabbix Agent plugin available for OPNsense

July 10th, 2017 No comments

OPNsense received a new plugin some weeks ago: It allows you to configure Zabbix Agent from the OPNsense WebGUI. Enabling this powerful monitoring agent takes only a few seconds:

 

It’s also possible to customize Zabbix Agent according to your needs, for example several features can be enabled or disabled:

Categories: [EN] Tech Tags: ,

Let’s Encrypt plugin available for OPNsense

July 6th, 2017 No comments

A Let’s Encrypt plugin for OPNsense was released back in january. It enables you to configure Let’s Encrypt SSL certificates from within the OPNsense WebGUI:

Not only is it one of the most comfortable ways to get free SSL certificates, it also integrates nicely with the HAProxy plugin for OPNsense:

The Let’s Encrypt plugin will automatically extend the HAProxy configuration and it will even verify that nothing was deleted and adds missing configuration items for you.

Don’t want to use HTTP-01 validation? Not an issue! The plugin supports a large number of DNS providers and services:

Naturally all SSL certificates are automatically imported into OPNsense’s certificate manager and may be used in multiple plugins and applications.

The awesome OPNsense users helped to iron out a few bugs and the plugin is mature enough for use in production environments. Of course, the plugin follows OPNsense security principles: ACME challenges are handled by a dedicated web service – the OPNsene GUI is never exposed to the
internet.

HAProxy plugin available for OPNsense

May 25th, 2016 No comments

OPNsense, the open source firewall, just received it’s own HAProxy plugin, a GUI for the popular HAProxy load balancer. And today’s release of OPNsense 16.1.15 included the first batch of bugfixes and improvements.

While OPNsense already includes a load balancer based on OpenBSD’s relayd, the new HAProxy plugin allows for far more complex configurations and has a superior feature-set. HAProxy’s features include SSL offloading, Lua scripting, extensive header manipulation and many more. It’s known for being a very fast and reliable solution.

The new HAProxy plugin integrates nicely with the OPNsense GUI and makes it easy to build complex HAProxy configurations:
338f5aca-04f9-11e6-807e-6d2626c2e481

42832df4-04f9-11e6-87a6-5b5cb9f218c2

555dbab6-04f9-11e6-8b22-779b0f47471a

The development was sponsored by markt.de. You can find the original pull request along with some additional information here. Please submit bug reports and feature requests on GitHub.

Categories: [EN] Tech Tags: , , ,

Windows 10: Get the free upgrade with “incompatible” hardware

January 21st, 2016 No comments

Microsoft is still offering a free upgrade to Windows 10 for users of Windows 7 and Windows 8. But if you have an old computer, the Windows 10 upgrade assistant may inform you that your computer is not compatible with Windows 10. This will make the free upgrade impossible, right? No.

The following example will tell you how to get the free upgrade to Windows 10 if you have the incompatible ATI Radeon Xpress 1200 graphics card installed. But in general this procedure should work for other so-called “incompatible” hardware too.

The key is that Microsoft recently allowed to use a Windows 7 or Windows 8 product key to install Windows 10. But you need a recent ISO image of Windows 10 for this to work.

So let’s get started:

  1. Download Windows 10 Version 1511 (64-bit) from Microsoft
  2. Burn the ISO image to a DVD (it’s always good to have a proper installation media)
  3. Start your computer with the Windows 10 Version 1511 DVD
  4. Choose to upgrade your current installation to Windows 10
  5. Enter your Windows 7 or Windows 8 product key and complete the upgrade procedure
  6. (OPTIONAL) After completing the upgrade to Windows 10, check if the license is already activated

The following steps depend on your hardware. This is how to make the ATI Xpress 1200 graphics card run on Windows 10:

  1. Download the working driver for your ATI Xpress 1200 graphics card (Catalyst 9.2 for Windows Vista):
  2. Install the graphics driver, but be sure to not install “Catalyst Control Center” (it’s not compatible, really); it should instantly switch to the appropiate screen resolution.

Gratulations! You’ve just upgraded your incompatible computer to Windows 10 for free.

Categories: [EN] Tech Tags: , ,

You should try OPNsense, a pfSense fork

January 13th, 2015 No comments

OPNsense® is a fork of pfSense®, the popular open-source firewall. Deciso founded the OPNsense project with emphasis on community and openness. Their mission statement sums it up quite nicely:

Give users, developers and businesses a friendly, stable and transparent environment.
Make OPNsense the most widely used open source security platform.

OPNsense 15.1 is the first release by the OPNsense project. It offers noticable enhancements:

  • New and much improvement WebGUI
  • Whole codebase is under simple 2-clause BSD license
  • Based on FreeBSD 10.0 (VirtIO support, improved Hardware support, etc.)
  • Obsoletes legacy packages in favor of pkg(ng)

You can download it here. You may report bugs and request features on GitHub. Of course, there are also several mailing lists and a forum available.

OPNsenseOPNsense logo and navbar

Categories: [EN] Tech Tags: , , ,

Upgrading FreeBSD 9.2 to 10.1 fails

November 28th, 2014 No comments

The other day I was upgrading an old FreeBSD 9.2 node to the recently released FreeBSD 10.1. This is a rather easy task, thanks to the freebsd-update(8) utility. Well, this time it failed while trying to update the userland components:

# freebsd-update install
Installing updates…ln: ///usr/lib/private/libheimipcc.so: No such file or directory
install: ///usr/lib/private/libheimipcc.so.11: No such file or directory
ln: ///usr/lib/private/libheimipcs.so: No such file or directory
install: ///usr/lib/private/libheimipcs.so.11: No such file or directory
ln: ///usr/lib/private/libldns.so: No such file or directory
install: ///usr/lib/private/libldns.so.5: No such file or directory
ln: ///usr/lib/private/libssh.so: No such file or directory
install: ///usr/lib/private/libssh.so.5: No such file or directory
ln: ///usr/lib/private/libucl.so: No such file or directory
install: ///usr/lib/private/libucl.so.1: No such file or directory
ln: ///usr/lib/private/libunbound.so: No such file or directory
install: ///usr/lib/private/libunbound.so.5: No such file or directory
ln: ///usr/lib/private/libyaml.so: No such file or directory
install: ///usr/lib/private/libyaml.so.1: No such file or directory

Actually it didn’t really “fail”. Besides these obvious errors it still exited with code 0. But some libraries which are required by sshd and pkg were missing. The reason for this failure is rather simple: The directory /usr/lib/private is missing from FreeBSD 9.2, but freebsd-update assumes that this directory already exists. Unfortunately this directory wasn’t introduced until FreeBSD 9.3.

A quick fix is to create the missing directory prior to running freebsd-update. I guess more people will come across this issue since FreeBSD 9.2 is nearing it’s end-of-life date.

Categories: [EN] Tech Tags: , , ,

pfSense: Unattended installation with Foreman

September 4th, 2014 No comments

As you may know, Foreman is probably the lifecycle management tool for virtual and physical servers. And it already supports a rather large number of different operating systems. Lately it got support to provision FreeBSD servers and this brought up the idea to add support for pfSense firewalls as well.

First of all: This project was a success. It is now possible to automatically deploy pfSense with Foreman. I’ve created a small video to showcase the deployment of pfSense using Foreman:

The video may not be very entertaining, but it should give you an impression on how the unattended installation works (even if you don’t know Foreman yet).

You can download the required Foreman templates from Github. You may also want to have a look at the Foreman Documentation to find out how to add these templates to your instance of Foreman.

What are the benefits?
– do fully unattended installations of pfSense
– in conjunction with Puppet it allows you to automate basically every task (full lifecycle management)
– choose from different versions of pfSense according to your needs

How does it work?
– it assumes you want to use The Foreman to provision your servers
– it assumes that pfSense can be automatically provisioned similar to FreeBSD
– on top of that assumption it’s basically a set of patches for the pfSense Installer
– it assumes you want to use Puppet with pfSense

Feedback or contributions? Please use the Github issue tracker.

Automatically update pfSense firewalls (with puppet)

July 14th, 2014 No comments

Updating pfSense firewalls is easy and stable thanks to its proven upgrade mechanisms. So why should I use the WebGUI to update every pfSense firewall manually? If you have multiple pfSense firewalls and a working test environment, there is no reason to avoid automatic updates.

I’ve extracted a portion of the pfSense firmware upgrade code and put together a small PHP script. This makes it possible to automatically update pfSense. In combination with puppet you need just one line to enable automatic updates:

class { 'pfsense_autoupdate': }

Now your pfSense firewall will check hourly for new versions and install it (almost) instantly. If you want more control you can specify any of the optional parameters:

class { 'pfsense_autoupdate':
  major_updates => false,
  update_hours => ['22-23', '2-4', 6],
  update_weekdays => ['6-7'],
  random_sleep => false,
  firmware_url => 'http://example.com/pfsense/firmware/',
  sig_verification => false,
  quiet => true,
}

You may download the PHP script and puppet module from puppet forge. Additionally you may want to check out the project page on github. Note that you need the puppet agent for pfSense and my pfSense provider collection for this to work.

Prepare pfSense for RANCID (with puppet)

July 14th, 2014 No comments

pfSense is a great firewall and RANCID is a good choice for regular configuration backups. Sounds like a good team? It is! And it has been for years. But configuring pfSense for RANCID can be a pain. I wrote a puppet module to make it easier. You may download it from puppet forge.

Now configuring pfSense for RANCID is quite simple:

class { 'pfsense_rancid':
  password => '$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.',
}

I’ve added some optional parameters to make it suitable for most environments:

class { 'pfsense_rancid':
  username       => 'backupuser',
  password       => '$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.',
  authorizedkeys => [
    'ssh-rsa AAAAksdjfkjsdhfkjhsdfkjhkjhkjhkj user1@example.com',
    'ssh-rsa AAAAksdjfkjsdhfkjhsdfkjhkjhkjhkj user2@example.com',
  ],
  diskusage      => false,
}

Note that you need the puppet agent for pfSense and my pfSense provider collection for this to work.

Categories: [EN] Tech Tags: , ,

pfSense user/group management with puppet

July 14th, 2014 No comments

3jel8jjmxg

Categories: [EN] Tech Tags: , , , , ,
css.php