Re: Home WiFi Router with pfSense or m0n0wall?
On Mon, 22 Apr 2013 14:25:30 -0400 Michael Powell wrote:

> Most consider the answer to use WPA2, which I do use too. Many think
> it is 'virtually' unbreakable, but this really is not true; it just
> takes longer. I've done WPA2 keys in as little as 2-3 hours before.

Are you saying that any WPA2 key can be cracked, or are you simply referring to weak keys?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
multipath too long?
Seems I'm having issues with an enclosure using multipath to drives. Any ideas? It's FreeBSD 9.1 with 4 LSI controllers and 36 disks.

make_dev_physpath_alias: WARNING - Unable to alias multipath/SATA_LUN14 to enc@n5000ed572eeae5bd/type@0/slot@4/elmdesc@ArrayDevice03/multipath/SATA_LUN14 - path too long
make_dev_physpath_alias: WARNING - Unable to alias multipath/SATA_LUN04 to enc@n5000ed572eeae5bd/type@0/slot@2/elmdesc@ArrayDevice01/multipath/SATA_LUN04 - path too long
make_dev_physpath_alias: WARNING - Unable to alias multipath/SATA_LUN18 to enc@n5000ed572eea93bd/type@0/slot@4/elmdesc@ArrayDevice03/multipath/SATA_LUN18 - path too long
make_dev_physpath_alias: WARNING - Unable to alias multipath/SATA_LUN15 to enc@n5000ed572a8548bd/type@0/slot@4/elmdesc@ArrayDevice03/multipath/SATA_LUN15 - path too long
Re: Home WiFi Router with pfSense or m0n0wall?
Alejandro Imass wrote:

> On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell wrote:
>> Alejandro Imass wrote:
>>
>>> [...]
>>> Really these WEP/WPA2 protocols are not providing the level of
>>> protection that is truly necessary in this modern day. You can keep out
>>> script kiddies and people who don't have skill, but people who know what
>>> they are doing are only slowed down.
>>>
>>> Thanks for the detailed explanation! So, are there ways to run a
>>> secure WiFi network? It would seem that in my case I have neighbours
>>> that know what they're doing so should I just forget about WiFi go
>>> back to UTP?
>>>
>>
>> We use 802.1x auth on our switch (and other hardware) ports at work and
>> this utilizes a Radius server. At work we are mostly a $MS WinderZ shop,
>> but with Enterprise grade access points (we have Arubas), EAP, and
>> Radius we
> [...]
>>
>> This email is already getting a trifle long, so suffice to say if you
>> really need the best security on a home ISP router the best you can do is
>> turn off the radio and use Ethernet and UTP. This returns to the original
>> focus of your question in that the firewall would be the point of
>> contention and not the cracking of WEP/WPA2 auth keys. What I was wanting
>> to point out to you originally is that changing the firewall is a
>> separate issue from the cracking of Wifi auth keys.
>>
>
> I absolutely got that but I was assuming that a pre-packaged WiFi
> router with pfSense or m0n0wall would have a more secure wireless
> hardware and software as well. Now I see the problem is more complex
> and that the wireless part is vulnerable regardless. So if by cracking
> the wireless part they can spoof the mac addresses of authorized
> equipment, what other methods could a BSD-based firewall use to
> prevent the cracker from penetrating or using the network beyond the
> WiFi layer? From your response it seems very little or nothing
> really...
>

Yes - unfortunately this is about the state of things.

Not a whole lot you're going to do to improve the consumer grade home router. There are some hardware specific firmware projects that I've never played with, such as: http://www.dd-wrt.com/site/index

The pre-packaged home equipment is relatively cheap when compared against the top of the line enterprise-grade commercial products. Most are some form of embedded Linux. For example, the MI424WR-Rev3 I have here is busybox ( http://www.busybox.net/ ). If you turn on remote management and telnet into it you get a busybox prompt! With a busybox shell and all busybox commands. The firewall many of these embedded Linux things are using is iptables2, the standard linux firewall package.

What I was pondering is some form of L2TP tunnel, or some other form of IPSEC tunnel, to form some kind of VPN-like communication between the client and the wifi. Just never have begun to find the time to get anywhere with the idea. But basically it would resemble a VPN that only accepts connections from a tunnel endpoint client and does not pass any traffic from any other client lacking this VPN-like endpoint. I think such a thing is very possible and have read some articles by people who have done very similar sounding things. Indeed, this is what SSL-VPN providers do via a subscription service so people surfing at open wifi coffee shops tunnel through the local open wifi and set up an encrypted VPN tunnel. Just not enough time in the day. I know it's do-able, just never have found the time to properly approach it.

-Mike
Re: Home WiFi Router with pfSense or m0n0wall?
On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell wrote:
> Alejandro Imass wrote:
>
>> [...]
>>
>>> Really these WEP/WPA2 protocols are not providing the level of protection
>>> that is truly necessary in this modern day. You can keep out script
>>> kiddies and people who don't have skill, but people who know what they
>>> are doing are only slowed down.
>>>
>>
>> Thanks for the detailed explanation! So, are there ways to run a
>> secure WiFi network? It would seem that in my case I have neighbours
>> that know what they're doing so should I just forget about WiFi go
>> back to UTP?
>>
>
> We use 802.1x auth on our switch (and other hardware) ports at work and
> this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but
> with Enterprise grade access points (we have Arubas), EAP, and Radius we
[...]
>
> This email is already getting a trifle long, so suffice to say if you really
> need the best security on a home ISP router the best you can do is turn off
> the radio and use Ethernet and UTP. This returns to the original focus of
> your question in that the firewall would be the point of contention and not
> the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you
> originally is that changing the firewall is a separate issue from the
> cracking of Wifi auth keys.
>

I absolutely got that but I was assuming that a pre-packaged WiFi router with pfSense or m0n0wall would have more secure wireless hardware and software as well. Now I see the problem is more complex and that the wireless part is vulnerable regardless. So if by cracking the wireless part they can spoof the mac addresses of authorized equipment, what other methods could a BSD-based firewall use to prevent the cracker from penetrating or using the network beyond the WiFi layer? From your response it seems very little or nothing really...

Thanks again for your detailed answers!

--
Alejandro Imass
Re: Home WiFi Router with pfSense or m0n0wall?
Alejandro Imass wrote:

> [...]
>
>> Really these WEP/WPA2 protocols are not providing the level of protection
>> that is truly necessary in this modern day. You can keep out script
>> kiddies and people who don't have skill, but people who know what they
>> are doing are only slowed down.
>>
>
> Thanks for the detailed explanation! So, are there ways to run a
> secure WiFi network? It would seem that in my case I have neighbours
> that know what they're doing so should I just forget about WiFi go
> back to UTP?
>

We use 802.1x auth on our switch (and other hardware) ports at work and this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but with Enterprise grade access points (we have Arubas), EAP, and Radius we can extend our network Kerberos out through the wifi realm. Without going into details (way too much/many for the scope here) I basically have an almost completely locked network which just won't allow a device on it that it doesn't recognize. It is a pain, and not perfect either by any stretch. I have more problems with printers as a result than anything else. I do have to keep open Internet access for visitors to use, but it is separated from our main network with no path between the two. :-)

This does provide better security when compared to what consumers are running at home. It is much more complex and requires expensive equipment. And even still, a really high-grade Uber hacker might still find a way in. We hire pen-tester companies about once a year, and while they haven't found any glaring holes there are some "grey" areas that we wonder about if a really motivated Uber hacker spent enough time on them...

I have entertained on and off the idea of getting a wifi card for my FreeBSD gateway/firewall box at home to see if I could come up with something more resembling what we have at work. It probably wouldn't be as involved, but I do think (FreeBSD being a very _capable_ and flexible OS) something could be designed that would inherently be somewhat more secure than what I see in the basic ISP home router. I have Verizon's FIOS here with an Actiontec MI424WR-Rev 3 router and I think I could do better. The alternate provider here is Comcast, which mostly seems to be using Motorola Surfboard routers, but the bottom line is I don't have any problem cracking any of them.

This email is already getting a trifle long, so suffice to say if you really need the best security on a home ISP router the best you can do is turn off the radio and use Ethernet and UTP. This returns to the original focus of your question in that the firewall would be the point of contention and not the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you originally is that changing the firewall is a separate issue from the cracking of Wifi auth keys.

-Mike
Re: Home WiFi Router with pfSense or m0n0wall?
On Mon, Apr 22, 2013 at 2:25 PM, Michael Powell wrote:
> Alejandro Imass wrote:
>
>> On Sun, Apr 21, 2013 at 9:52 AM, Michael Powell wrote:
>>> Alejandro Imass wrote:
>>> Hi,

[...]

> Really these WEP/WPA2 protocols are not providing the level of protection
> that is truly necessary in this modern day. You can keep out script kiddies
> and people who don't have skill, but people who know what they are doing are
> only slowed down.
>

Thanks for the detailed explanation! So, are there ways to run a secure WiFi network? It would seem that in my case I have neighbours that know what they're doing so should I just forget about WiFi go back to UTP?

Thanks,

--
Alejandro Imass
Re: Home WiFi Router with pfSense or m0n0wall?
Alejandro Imass wrote:

> On Sun, Apr 21, 2013 at 9:52 AM, Michael Powell wrote:
>> Alejandro Imass wrote:
>>
>>> Hi,
>>>
>>> I'm looking to replace the piece of crap 2wire WiFi router that gets
>>> cracked every other day for something with pfSense or m0n0wall
>>
>> Not sure what you mean by 'cracked' here. If you are meaning that someone
>> is using aircrack-ng to break your Wifi authentication key a firewall
>> won't do much to stop this.
>>
>
> I use mac address authentication plus wpa2 psk and yet they are still
> able to connect so it seems that 2Wire's routers are an insecure piece
> of crap and they are full of holes and back-doors. Just google 2wire
> vulnerabilities or take a look at this video
> http://www.youtube.com/watch?v=yTtQGPdSIfM

With Kismet able to place a wifi unit into monitor mode you can quickly get a list of everything in the vicinity, including all the MAC addresses of devices connecting to the various access points. You can then clone your unit's MAC address to match one in the list. Even though I do use it, MAC access lists are very easy to get around and will only stop those who do not know how to do this.

Even in passive mode, without using an active attack to speed things up, I can crack a WEP key in 45 minutes easily. Doing this passively doesn't expose you. The time it takes depends on how busy the access point is. An active attack can break WEP in 2-3 minutes, or less. I've seen it done between a minute and a minute and a half.

Most consider the answer to use WPA2, which I do use too. Many think it is 'virtually' unbreakable, but this really is not true; it just takes longer. I've done WPA2 keys in as little as 2-3 hours before.

> Look at how many ISPs world-wide use 2wire. Makes you wonder if ISPs
> use these crappy routers on purpose to get some more revenue from cap
> overruns.
>

Really these WEP/WPA2 protocols are not providing the level of protection that is truly necessary in this modern day. You can keep out script kiddies and people who don't have skill, but people who know what they are doing are only slowed down.

The ISPs are seemingly more interested and concerned with protecting Big Media Content's DRM schemes. They have a monetary stake as they move in the direction of deals with 'Big Media', less so the incentive to do more for their retail Internet-access customer. And don't even get me started on the advertising industry run amok. :-)

-Mike
Re: Home WiFi Router with pfSense or m0n0wall?
On Sun, Apr 21, 2013 at 9:52 AM, Michael Powell wrote:
> Alejandro Imass wrote:
>
>> Hi,
>>
>> I'm looking to replace the piece of crap 2wire WiFi router that gets
>> cracked every other day for something with pfSense or m0n0wall
>
> Not sure what you mean by 'cracked' here. If you are meaning that someone is
> using aircrack-ng to break your Wifi authentication key a firewall won't do
> much to stop this.
>

I use mac address authentication plus wpa2 psk and yet they are still able to connect so it seems that 2Wire's routers are an insecure piece of crap and they are full of holes and back-doors. Just google 2wire vulnerabilities or take a look at this video http://www.youtube.com/watch?v=yTtQGPdSIfM

Look at how many ISPs world-wide use 2wire. Makes you wonder if ISPs use these crappy routers on purpose to get some more revenue from cap overruns.

Cheers,

--
Alejandro Imass
jail(8) vimage epair bridge
Hello questions list,

I am using jail(8) trying to get a functional vimage environment on my 9.1-RELEASE system. My PC only has a single real NIC facing the public internet. My goal is to be able to have multiple vimage jails, each with their own epairXa, epairXb and bridgeX, where the "X" is the jail's JID number, all having their traffic passing through the single rl0 real interface. The vnet.start script shown below handles this nicely. The problem is, after the first vimage jail is started, the rl0 interface gets marked as busy when the second vimage jail is started. How do I get all vnet jails to pass through the real rl0 interface?

Thanks for your help

# /root >cat /etc/jail.conf
vimage33 {
    host.hostname = "vimage33";
    path = "/usr/jails/vimage33";
    mount.fstab = "/usr/local/etc/fstab/vimage33";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/vimage33.console.log";
    devfs_ruleset = "4";
    allow.mount.devfs;
    vnet;
    exec.poststart = "vnet.start vimage33 rl0";
    exec.prestop = "vnet.stop vimage33";
}

# /root >cat /usr/local/bin/vnet.start
#!/bin/sh
jailname=$1
nicname=$2
jid=`jls -j ${jailname} jid`
if [ "${jid}" -gt "100" ]; then
    echo " "
    echo "The JID value is greater than 100."
    echo "You must shutdown the host and reboot"
    echo "to zero out the JID counter and recover"
    echo "the lost memory from stopping vimage jails."
    echo " "
    exit 2
fi
ifconfig bridge${jid} create > /dev/null 2> /dev/null
ifconfig bridge${jid} 10.${jid}.0.1
ifconfig bridge${jid} up
ifconfig epair${jid} create > /dev/null 2> /dev/null
ifconfig bridge${jid} addm ${nicname} addm epair${jid}a
ifconfig epair${jid}a up
ifconfig epair${jid}b vnet ${jid}
jexec ${jailname} ifconfig epair${jid}b 10.${jid}.0.2
jexec ${jailname} route add default 10.${jid}.0.1 > /dev/null 2> /dev/null
jexec ${jailname} ifconfig lo0 127.0.0.1

# Display the host's network view before starting any vnet jails
# /root >ifconfig
rl0: flags=8843 metric 0 mtu
        options=2008
        ether 00:0c:6e:09:8b:74
        inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
        nd6 options=29
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=8810 metric 0 mtu 1500
        nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
        options=63
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff00
        nd6 options=21

# Start the first vnet jail
# /root >jail -f /etc/jail.conf -c vimage33
vimage33: created
bridge1: Ethernet address: 02:8f:94:84:0c:02
epair1a: Ethernet address: 02:c0:a4:00:0b:0a
epair1b: Ethernet address: 02:c0:a4:00:0c:0b

# /root >jls
   JID  IP Address      Hostname                      Path
     1  -               vimage33                      /usr/jails/vimage33

# Let's display the host's network after the first vnet jail has started
# /root >ifconfig
rl0: flags=8943 metric 0
        options=2008
        ether 00:0c:6e:09:8b:74
        inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
        nd6 options=29
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=8810 metric 0 mtu 1500
        nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
        options=63
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff00
        nd6 options=21
bridge1: flags=8843 metric 0 mtu
        ether 02:8f:94:84:0c:01
        inet 10.1.0.1 netmask 0xff00 broadcast 10.255.255.255
        nd6 options=21
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair1a flags=143
                ifmaxaddr 0 port 9 priority 128 path cost 14183
        member: rl0 flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 20
epair1a: flags=8943
        options=8
        ether 02:c0:a4:00:09:0a
        inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9
        nd6 options=21
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active

# Login to the vnet jail and display the jail's view of the network
# /root >jexec vimage33 tcsh
vimage33 / >ifconfig
lo0: flags=8049 metric 0 mtu 16384
        options=63
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        nd6 options=21
epair1b: flags=8843 metric 0
        options=8
        ether 02:c0:a4:00:0a:0b
        inet 10.1.0.2 netmask 0xff00 broadcast 10.255.255.255
        inet6 fe80::c0:a4ff:fe00:a0b%epair1b prefixlen 64 scopeid 0x2
        nd6 options=21
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active

# Yes the vnet jail can reach the public netw
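One way to get every vnet jail out through the single rl0 without the second jail hitting the busy interface is a single shared bridge that rl0 joins once, with each jail adding only its own epair a-side. The script below is an added example, not the poster's vnet.start: bridge0, the 10.99.0.0/24 addressing, the vnet-attach.sh name and the DRYRUN switch are constructed for illustration, and host forwarding/NAT out of rl0 is assumed to stay as in the original setup.

```shell
#!/bin/sh
# Added example, not the poster's vnet.start: attach every vnet jail to ONE shared
# bridge instead of creating bridge${jid} per jail. A physical NIC can be a member
# of only one if_bridge(4), which is why the poster's rl0 was reported busy when
# the second jail tried to add it to its own bridge.
# Assumptions (constructed for this example, not from the thread): the shared
# bridge is bridge0, its host-side address is 10.99.0.1/24, jail N gets
# 10.99.0.(N+1)/24, and host forwarding/NAT out of rl0 is left as the original
# setup has it. Call it from jail.conf as
#   exec.poststart = "/usr/local/bin/vnet-attach.sh $name rl0";
# Set DRYRUN=1 to print the ifconfig/jexec commands instead of running them.

run() {
    if [ -n "${DRYRUN}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True if interface $1 exists; in DRYRUN mode nothing exists, so all is created.
iface_exists() {
    [ -z "${DRYRUN}" ] && ifconfig "$1" > /dev/null 2>&1
}

# True if bridge $1 already lists $2 as a member, so addm stays idempotent.
bridge_has_member() {
    [ -z "${DRYRUN}" ] && ifconfig "$1" 2> /dev/null | grep -q "member: $2 "
}

# Create the shared bridge once and add the physical NIC to it exactly once.
ensure_bridge() {
    bridge=$1 nic=$2
    if ! iface_exists "${bridge}"; then
        run ifconfig "${bridge}" create
        run ifconfig "${bridge}" inet 10.99.0.1/24
        run ifconfig "${bridge}" up
    fi
    if ! bridge_has_member "${bridge}" "${nic}"; then
        run ifconfig "${bridge}" addm "${nic}"
    fi
}

# Per-jail work: create epair${jid}, put the a side on the host bridge and move
# the b side into the jail's vnet, then address it from inside the jail.
attach_jail() {
    jailname=$1 jid=$2 nic=$3 bridge=${4:-bridge0}
    ensure_bridge "${bridge}" "${nic}"
    run ifconfig "epair${jid}" create
    run ifconfig "${bridge}" addm "epair${jid}a"
    run ifconfig "epair${jid}a" up
    run ifconfig "epair${jid}b" vnet "${jid}"
    run jexec "${jailname}" ifconfig lo0 127.0.0.1
    run jexec "${jailname}" ifconfig "epair${jid}b" inet "10.99.0.$((jid + 1))/24"
    run jexec "${jailname}" route add default 10.99.0.1
}

# Entry point used from jail.conf: look up the JID, then attach.
main() {
    jid=$(jls -j "$1" jid) || exit 1
    attach_jail "$1" "${jid}" "${2:-rl0}"
}

# Run main only when executed under this file name, so the functions can be
# sourced (e.g. for a DRYRUN check) without touching any interfaces.
case "$0" in *vnet-attach.sh) main "$@" ;; esac
```

Because rl0 is only ever added to bridge0 when the bridge does not already list it, starting a second, third or tenth jail reuses the same bridge instead of contending for the NIC.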
Re: Virtual Box on FreeBSD Server
I use VirtualBox and FreeBSD 9, or 10, as the base OS, with Windows 2003 Server and 2008 Server running in the VirtualBox. My CPU is an AMD 8120 8 cores with 16GB of memory, the filesystem is in ZFS, I put 2GB for each Windows, and the system runs comfortably with 20 users in each Windows machine (total of 40 users). The boot (cold boot) for the 2003 server (32 bits) is about 10 seconds with a drive of 20GB and another of 400GB (in the VirtualBox...). The NIC is configured with bridge, the FreeBSD gives addresses via DHCP server... Both Windows run with VBoxHeadless and both have terminal servers enabled.

Runs like a charm...
Re-installing a system on a new LUN while system is up and running
Hello,

I have a 7.4 system that I wish to update to 9.1. It is a live mail server with a couple of hundred persons on it. This system is deployed on an Intel modular which allows me to connect any LUN to this device. My idea was to create a new LUN and connect it to my system, then deploy the 9.1 version of the system on it, migrate the data onto it and then reboot the system with everything updated, up and running…

Is this feasible? How do I have to proceed to do this? How do I specify the target for the system to be deployed on the other pool of disks and not on the live system? When I reboot, how will I specify the new LUN as being the target system? How do I recompile userland on the new system? Is there a way to do that while running 7.4 (and specifying 9.1 binaries / architecture as target)? Do you think this is the right solution to update my system with a minimum of downtime, or would you rather suggest the more classical way of doing things?

Thx.

Your provider of OpenSource Appliances
www.osnet.eu
PGP ID --> 0x1BA3C2FD