Just for the record.

The Alix2c1 board is from PC Engines, 3 LAN, 1 miniPCI,
a 433 MHz AMD Geode LX700 with 128 MB DDR DRAM,
CompactFlash socket (see http://pcengines.ch/alix2c1.htm).

In short, I upgraded the BIOS, performed a PXE boot,
did a normal install, afterwards configured the RAM disk
for /var and /tmp and made / read-only.

Works great, thanks. And BTW, Recurring PayPal Donations is a
good idea.

Now the longer story.

The boards (two of them) are used for NAT, firewall, DNS, FTP proxy and
spamd frontend for a mail server that is behind the firewall. It's a small
network for about 10 users.

For the BIOS upgrade, I used a ready-to-run FreeDOS image from a Korean host,
http://210.109.84.3/download/freedos_alixupdate_16.img
which I wrote with dd onto a 1GB CF card (using a PCMCIA adapter).

You have to link the serial port of your computer with the Alix board
using a null modem (crossover) serial cable. I use Linux as my main OS
and used minicom as the terminal. Default settings for the Alix board
are 38400-8-N-1. The serial port on my machine is /dev/ttyS0.

For PXE boot you need some entries in /etc/dhcpd.conf:
allow bootp;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.200 192.168.0.250;
  default-lease-time 14400;
  max-lease-time 172800;
  next-server 192.168.0.10;    # this is my machine
  filename  "pxeboot";
}


Put these files into the tftpboot directory:
bsd.rd
pxeboot
etc/boot.conf

# cat boot.conf
set tty com0
stty com0 38400
boot bsd.rd

Now I performed a normal 4.2 install with the following deviations:
- I cleared all partitions and created only wd0a using the whole disk.
- No swap.
- I left out comp42.tgz.
- I had to add xbase42.tgz because of expiretable-0.6 (will change in 4.3).

Next time I would make two partitions, one for installation,
and a larger one so that I can store updated image files there,
boot bsd.rd and copy the image over the primary partition...

After installation comes:
# /mnt/usr/sbin/chroot /mnt

We need /tmp, /var and /dev writable, but constant writes would wear out
the CompactFlash card. We move those three directories to a memory
based file system that is populated from the flash during startup.

# mkdir /proto
# cp -rp /var /proto/var
# mkdir /proto/dev
# cp /dev/MAKEDEV /proto/dev
# cd /proto/dev
# ./MAKEDEV all
# rm -rf /tmp
# ln -s /var/tmp /tmp

Now I'm not quite sure whether the MAKEDEV worked out of the box;
I think I had to reboot because I got lots of error messages.

Lots of configuration work needs to be done:

This sets the boot console to the serial port:
# cat /etc/boot.conf
set tty com0
stty com0 38400

Minicom only supports VT102:
# cat /etc/ttys
tty00   "/usr/libexec/getty std.38400"  vt102    on secure


# cat /etc/fstab
/dev/wd0a / ffs ro,noatime 1 1
swap /var mfs rw,-P=/ptype/var,-s=65536,noexec,nosuid,nodev 0 0
swap /dev mfs rw,-P=/ptype/dev,-s=4096,-i=128,noexec,nosuid 0 0
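Before rebooting onto the read-only root it is worth checking that every mfs entry's -P= populate directory really exists on the flash (and that the copy-back script writes to that same directory): if it does not, /var comes up empty and a /dev without device nodes leaves the box without even a console. The following check is an added example and not part of the post's setup; the function name check_mfs_sources and the constructed fstab in the demo are my own, only the two mfs lines are copied from the post.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot check for a
# read-only root whose /var and /dev live on mfs.  For every fstab entry
# of type mfs that carries -P=<dir>, confirm <dir> exists below the given
# root so mount_mfs has something to copy into the memory disk.
# Usage: check_mfs_sources <fstab> [root]   (root defaults to /)
# Prints one line per mfs entry; returns 0 if all populate dirs exist.
check_mfs_sources() {
    fstab=$1
    root=${2:-/}
    missing=0
    # Field 3 is the fs type, field 4 the option list that carries -P=.
    entries=$(awk '$1 !~ /^#/ && $3 == "mfs" { print $2, $4 }' "$fstab")
    while read -r mnt opts; do
        [ -n "$mnt" ] || continue
        src=
        oldifs=$IFS; IFS=,
        for o in $opts; do
            case $o in -P=*) src=${o#-P=} ;; esac
        done
        IFS=$oldifs
        if [ -z "$src" ]; then
            printf 'mfs %s: no -P= option, will start empty\n' "$mnt"
        elif [ -d "${root%/}/${src#/}" ]; then
            printf 'mfs %s: populated from %s (ok)\n' "$mnt" "$src"
        else
            printf 'mfs %s: populate dir %s MISSING on root fs\n' "$mnt" "$src"
            missing=$((missing + 1))
        fi
    done <<EOF
$entries
EOF
    [ "$missing" -eq 0 ]
}

# Demo on a constructed root tree: the fstab lines are the ones from the
# post, but the tree only has /ptype/var, so the /dev entry is reported
# as missing and the function returns non-zero.
demo=$(mktemp -d)
mkdir -p "$demo/root/ptype/var"
cat > "$demo/fstab" <<'EOF'
/dev/wd0a / ffs ro,noatime 1 1
swap /var mfs rw,-P=/ptype/var,-s=65536,noexec,nosuid,nodev 0 0
swap /dev mfs rw,-P=/ptype/dev,-s=4096,-i=128,noexec,nosuid 0 0
EOF
check_mfs_sources "$demo/fstab" "$demo/root"
rm -rf "$demo"
```

Run it as `check_mfs_sources /etc/fstab` on the box itself (while still in the chroot, `check_mfs_sources /etc/fstab /` from inside it) before the first reboot; a non-zero exit means one of the memory disks would start empty.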

# cat /etc/rc.conf      (only changes, YMMV:)
named_flags=""
ntpd_flags=""
spamd_flags=""
spamlogd_flags="-i pflog0"
ftpproxy_flags=""

Be careful not to set ntpd_flags to "-s": in my tests, when the
internet was not connected, ntpd would hang completely.
I use rdate for that instead, see below.

I added a single line in /etc/rc:

  mount -a -t nonfs,vnd
  mount -uw /             # root on nfs requires this, others aren't hurt
  rm -f /fastboot         # XXX (root now writeable)
+ sleep 1                 # wait until mfs is populated

# cat /etc/rc.conf.local
expiretable=YES


# cat /etc/rc.local
echo -n 'rdate '
rdate -ncv pool.ntp.org

if [ X"${expiretable}" = X"YES" ]; then
    echo -n 'expiretable '
    /usr/local/sbin/expiretable -v -d -t 2h bruteforce
fi


Now for something completely different: the packet filtering.
The mail server sits in the local LAN and is protected by the firewall and spamd.
I installed the open source edition of zimbra.com there, so there are plenty of
ports redirected to the web server.
Aside from that, I decided to block SSH brute force attempts, but set it too
tight: I locked myself out for 2 hours because I initiated several scp commands
too fast...
For the automatic unlocking to work, you need expiretable-0.6.
Additionally, I have a whitelist with IP addresses of known mail servers
located in /var/db/whitelist.

# cat /etc/pf.conf
WORLD="vr2"
LAN="vr0"
IPEXT="a.b.c.d"
IPINT="192.168.0.0/24"
MAIL="192.168.0.104"
MAILPTS=" { www, pop3, auth, https, pop3s, 7071 } "
table <rfc1918> persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/5, 169.254.0.0/16 }
table <whitelist> persist file "/var/db/whitelist"
table <spamd> persist
table <spamd-white> persist
table <bruteforce> persist
set loginterface $WORLD
set limit table-entries 350000
scrub on $WORLD all fragment reassemble random-id reassemble tcp
nat-anchor "ftp-proxy/*"
nat on $WORLD from $IPINT to any -> $IPEXT
rdr-anchor "ftp-proxy/*"
rdr pass on $LAN proto tcp from $IPINT to any port 21 -> 127.0.0.1 port 8021
# -------- mail server and spamd
rdr pass on $WORLD proto tcp from <whitelist> to $WORLD port smtp -> $MAIL port smtp
rdr pass on $WORLD proto tcp from <spamd-white> to $WORLD port smtp -> $MAIL port smtp
rdr pass on $WORLD proto tcp from <spamd> to $WORLD port smtp -> 127.0.0.1 port spamd
rdr pass on $WORLD proto tcp from !<spamd-white> to $WORLD port smtp -> 127.0.0.1 port spamd
rdr pass on $WORLD proto tcp from any to $WORLD port $MAILPTS -> $MAIL
# --------- add the rules for FTP proxy
anchor "ftp-proxy/*"
# -------- allow everything to go out
pass quick on $LAN all
block return in quick on $WORLD inet from <rfc1918> to any
block return in quick on $WORLD inet proto tcp from <bruteforce> to any port 22
block return in on $WORLD inet all
# -------- logging pflog0, used by spamlogd
pass in log quick on $WORLD inet proto tcp from any to $MAIL port smtp keep state
pass out log quick on $WORLD inet proto tcp from $MAIL to any port smtp keep state
pass out on $WORLD keep state
# -------- SSH brute force handling
pass in quick on $WORLD inet proto tcp from any to any port 22 flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)
# -------- allow DNS queries
pass in quick on $WORLD inet proto { udp, tcp } from any to $IPEXT port { domain, ntp } keep state
pass in quick on $WORLD inet proto icmp all keep state
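The SSH rule above is what locked the author out: max-src-conn-rate 3/30 counts new TCP states per source address, not failed logins, so four scp sessions started within half a minute look exactly like a brute-force run, and the entry then sits in <bruteforce> until expiretable -t 2h removes it. The sh/awk script below is an added example, not part of the post's configuration; it replays a constructed connection log (RFC 5737 documentation addresses) against the 3/30 limit so you can try a rule value before loading it. The function name ssh_overload_report and the sample data are mine, the trailing-window count only approximates pf's bookkeeping, and max-src-conn (concurrent states) is not modelled.

```shell
#!/bin/sh
# Added example, not from the original post: models pf's per-source
# "max-src-conn-rate 3/30" from the SSH rule over a constructed connection
# log.  pf counts NEW TCP states per source address (not failed logins),
# so a burst of legitimate scp sessions trips the overload just like a
# brute-force attempt.  The trailing-window count approximates pf's
# internal bookkeeping; max-src-conn (concurrent states) is not modelled.
# Usage: ssh_overload_report <logfile> [rate] [window-seconds] [ttl-seconds]
# Input: lines of "<unix-seconds> <source-ip>", one per new connection,
#        in time order.
# Output: one line per source that would be added to <bruteforce>, with
#         the time of the connection that exceeded the rate and the time
#         expiretable -t 2h (7200 s) would drop the entry again.
ssh_overload_report() {
    awk -v rate="${2:-3}" -v window="${3:-30}" -v ttl="${4:-7200}" '
    {
        ts = $1 + 0; src = $2
        if (src in blocked) next        # already in the table: pf drops it
        n[src]++
        t[src, n[src]] = ts
        c = 0                           # new states from src inside the window
        for (i = n[src]; i >= 1 && ts - t[src, i] < window; i--) c++
        if (c > rate) {
            blocked[src] = ts
            printf "%s overloaded at %d, expires at %d\n", src, ts, ts + ttl
        }
    }' "$1"
}

# Demo on a constructed log:
#  203.0.113.7   opens 4 sessions within 12 s           -> overloaded on the 4th
#  198.51.100.20 opens 4 sessions 40 s apart            -> never more than 1 in window
#  192.0.2.50    opens 3 in 10 s, the 4th 31 s after the first -> stays at 3, allowed
log=$(mktemp)
cat > "$log" <<'EOF'
1000 203.0.113.7
1000 198.51.100.20
1005 203.0.113.7
1010 203.0.113.7
1012 203.0.113.7
1040 198.51.100.20
1080 198.51.100.20
1120 198.51.100.20
1200 192.0.2.50
1205 192.0.2.50
1210 192.0.2.50
1231 192.0.2.50
EOF
ssh_overload_report "$log"      # prints: 203.0.113.7 overloaded at 1012, expires at 8212
rm -f "$log"
```

Feeding the same log with a looser limit (`ssh_overload_report "$log" 3 10`, i.e. 3 per 10 s) lets the scp burst through, which is the kind of comparison to run before deciding how tight to make the rule; a stricter one (`2 30`) also catches 192.0.2.50.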


Okay, these are very basic settings. I later had a problem with one of my
users who was used to sending his mail using the server as a relay. Spamd
doesn't recognise SMTP AUTH commands, so I punched another hole
into the firewall to allow him to bypass spamd and connect to port 25
of the mail server directly.

Now back to our file system. I don't want to lose my changes when the
power is lost (which happens rather seldom here in Europe), so I copy
them back every reboot and every week.

# cat /root/upvar
#!/bin/sh
mount -uw /
/usr/local/bin/rsync -rlptgouv --delete --exclude-from=/root/upvarex /var/ /ptype/var/
mount -ur /

# cat /root/upvarex
*~
tmp
run

# cat /etc/weekly.local
#!/bin/sh
/root/upvar

# cat /etc/rc.shutdown
powerdown=NO    # set to YES for powerdown
/root/upvar


Call spamd-setup not on the full hour:
# crontab -e
33      *       *       *       *       /usr/libexec/spamd-setup


Furthermore, there are changes in:
newsyslog.conf
sysctl.conf
resolv.conf
spamd.conf
named.conf


# dmesg
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 432 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 133791744 (127MB)
avail mem = 121741312 (116MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/10/07, BIOS32 rev. 0 @ 0xfceb2
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:13:04:90
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:13:04:91
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:0d:b9:13:04:92
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
pcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <CF 1GB>
wd0: 1-sector PIO, LBA, 967MB, 1981728 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: AMD EHCI root hub, rev 2.00/1.00, addr 1
isa0 at pcib0
isadma0 at isa0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: AMD OHCI root hub, rev 1.00/1.00, addr 1
biomask e3ef netmask ffef ttymask ffef
pctr: user-level cycle counter enabled
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout


# top -d 1 -b
load averages:  0.54,  0.25,  0.13    18:33:57
27 processes:  26 idle, 1 on processor
CPU states:  0.5% user,  0.0% nice,  0.1% system,  0.3% interrupt, 99.1% idle
Memory: Real: 36M/63M act/tot  Free: 56M  Swap: 0K/0K used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE    WAIT      TIME    CPU COMMAND
 1132 _spamd     2    0   15M   16M sleep    select    7:01  1.76% spamd
 9053 named      2    0 4916K 5456K sleep    select    1:03  0.39% named
 9127 _spamd    10    0 9824K 1244K idle     nanosle   0:28  0.00% spamd
12747 _pflogd    4    0  716K  332K sleep    bpf       0:08  0.00% pflogd
 8602 _spamd     4    0  416K  704K sleep    bpf       0:08  0.00% spamlogd
24570 _syslogd   2    0  396K  928K sleep    poll      0:03  0.00% syslogd
 2323 _spamd    -6    0 9680K  992K sleep    piperd    0:02  0.00% spamd
 9020 proxy      2    0  456K  876K sleep    kqread    0:01  0.00% ftp-proxy
 6106 root       2    0  628K 1500K idle     kqread    0:01  0.00% master
14150 root      10    0   33M 5216K sleep    mfsidl    0:01  0.00% mount_mfs
25856 _postfix   2    0  652K 1556K idle     kqread    0:01  0.00% qmgr
 3119 _ntp       2    0  464K  756K idle     poll      0:00  0.00% ntpd
19279 root       2    0  644K  920K idle     select    0:00  0.00% cron
 8075 root       2    0 3336K 2380K sleep    select    0:00  0.00% sshd
 1221 root       2    0  616K 1212K idle     select    0:00  0.00% sshd
 8392 root      10    0  904K 1760K sleep    wait      0:00  0.00% bash
 1001 _postfix   2    0  596K 1496K idle     kqread    0:00  0.00% pickup
 8853 root       2    0  320K  808K idle     netio     0:00  0.00% syslogd


Cheers,
Klaus
:)
