eRacks Forums » support
What's the process for running this pfw
(22 posts)
Posted 2 years ago # -
Our Twinguard was supposed to come with pfw pre-installed, but when I plug in my firewall and access it using the IP I had assigned to the adapter, all I get is the FreeBSD Apache placeholder web page.
Hey, thanks for posting! Someone will get back to you shortly! Thanks again!
Posted 2 years ago # -
Ok thanks. Looks like I'm going to make these forums active!
Posted 2 years ago # -
pfw is normally installed under the /var/www/htdocs/pfw directory, as I recall. Have you tried http://your-server-or-ip-address/pfw ?
What does the command:
ls -l /var/www/htdocs/
show? Also, what about:
ls -l /var/www/
Posted 2 years ago # -
in /htdocs/ it lists a bunch of gifs and jpg files.
However, in /var/www/ I see pfw. Ah ha!
Still, if I have the firewall plugged in, configure the IP address for the network card and put the IP in the browser, I get that Apache page. If I put /pfw at the end, it doesn't do anything.
Posted 2 years ago # -
try https://yourserver/pfw (note the 's' in https)!
Also, please note the pfw howto posting in our howto forum - this has configuration helpful hints and tips for Apache, as well.
Posted 2 years ago # -
thanks,
I ran through the pfw setup that you posted (very informative) and I thought I got everything. However, when I type in https://myserver/pfw, I get a certificate error; I continue anyway, and then I get a 403 Forbidden: I don't have permission to access pfw on this server.
Possible that I missed something in the setup? I will go back and check.
Posted 2 years ago # -
Nevermind.. I got it to work! Whew!
Not sure which part fixed it, but I went back and realized that when I edited the sudoers file, I put in
www ALL = NOPASSWD: /var/www/pfw/bin/" >>/etc/sudoers
instead of:
www ALL = NOPASSWD: /var/www/pfw/bin*
Plus, I re-set my pfw directory /var/www/pfw/web in the httpd.conf file to allow from my pc's IP address.
Also, not sure if this made a difference either, but I put https://myserver/php/ with the final slash and that's when it worked.
question:
1. In the httpd.conf file, if I set it to allow from my gateway, say, 172.20.255.1, will it allow every pc on my network to access it?
Posted 2 years ago # -
Posted 2 years ago # -
So the pfw keeps becoming unresponsive after a few minutes of bumping around.
I set my re0 network interface to:
ifconfig re0 172.20.255.16 netmask 255.255.0.0
and modified the hostname.re0 file to reflect these same numbers, with a broadcast that is the same as the .16 IP address, so that it would be on our network.
I followed these instructions, and I made notes in CAPS what I had done:
OpenBSD 4.1 pfw howto
So, something I’ve been meaning to do for a while is put together a cookbook for this - here goes.
1. Log in as root.
2. Set up your environment for installing packages from the web:
export PKG_PATH=http://mirror.planetunix.net/pub/OpenBSD/4.1/packages/i386/
Note that you should substitute your closest mirror (and possibly other machine architecture) in the above. YMMV.
A couple of other mirrors that I use:
http://openbsd.mirrors.tds.net/pub/OpenBSD/4.1/packages/i386/
ftp://rt.fm/pub/OpenBSD/4.1/packages/i386/ (Gotta love the domain name!)
3. Install some necessary packages:
pkg_add mc bash wget
You may add your own favorite choices here - curl, links, zsh, joe, nano, etc.
4. Set up bash (or your personal favorite) as your shell:
chsh -s bash
5. Remove the annoying "Terminal Type? [xterm]" query from the login sequence, by editing your dot-profile (/root/.profile) and commenting out or deleting the last three lines:
# if [ -x /usr/bin/tset ]; then
# eval [...]
# fi
6. Reboot and re-login as root. You should now have a bash shell prompt.
- I DIDN'T DO ALL THIS. I THINK IT'S OKAY.
Download the latest pfw and unpack it into /var/www/:
wget http://www.allard.nu/pfw/download/pfw-latest.tgz
cd /var/www/
tar zxvf /root/pfw-latest.tgz
7. Now add the php5 and sqlite packages:
export PKG_PATH=http://mirror.planetunix.net/pub/OpenBSD/4.1/packages/i386/
pkg_add php5-core sqlite php5-sqlite
This will give you further instructions on checking the installation, and setting up PHP, SQLite, and Apache:
8. PHP setup and checking:
Copy the recommended PHP configuration file into the Apache configuration directory:
cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini
- I DIDN'T DO THIS EITHER BECAUSE I UNDERSTAND THAT PFW WAS INSTALLED BEFORE IT WAS SHIPPED.
Test that PHP has the SQLite module installed:
php -i | grep -i sqlite
This should show various SQLite parameters, etc.
Enable the php5 and php5-sqlite modules with:
/usr/local/sbin/phpxs -s
/usr/local/sbin/phpxs -a sqlite
These should return with no errors.
- I RAN THESE STEPS, I GOT NO ERRORS
9. Boot setup
Change to the /etc directory and edit your rc.conf using vi (or your favorite text editor) to allow non-chrooted Apache:
cd /etc
vi rc.conf
And change the line that says:
httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
to
httpd_flags="-u" # for normal use: "" (or "-DSSL" after reading ssl(8))
- I DID THIS, CHANGED NO TO "-u"
10. SQLite setup and directory permission settings
Change to the pfw directory and initialize SQLite:
cd /var/www/pfw
sqlite conf/config.db < docs/sql/sqlite.sql
chown -R www:www conf
- WHEN I PERFORMED THIS STEP, IT TOLD ME COLUMN NAME WAS NOT UNIQUE, AND THE VALUES ALREADY EXISTED, SO I ASSUME THIS STEP WAS ALREADY DONE.
11. Apache setup and config:
Edit your Apache configuration file:
cd /var/www/conf/
vi httpd.conf
and do three things:
To enable parsing of PHP scripts, find the following line and uncomment it:
AddType application/x-httpd-php .php
- LINE WAS ALREADY UNCOMMENTED
To enable .php files to be executed by Apache's PHP module, add index.php to the DirectoryIndex setting, so it looks something like this:
DirectoryIndex index.html index.php
- THIS WAS ALREADY DONE
Finally, add the pfw directory and alias:
Alias /pfw "/var/www/pfw/web/"
<Directory "/var/www/pfw/web">
AllowOverride None
Order allow,deny
Allow from 127.0.0.1 10.1
</Directory>
Note that the "10.1" is for testing on our own internal network - you will want to either add your own internal network here, or set up some other form of security, directory-based, or otherwise. Security considerations are beyond the scope of this cookbook, although there are resources listed below that can help you set this up.
- I ADDED THE ALIAS LINE, AND PUT "172.20.255" IN THE "Allow from" LINE
12. Sudo setup:
Allow the pfw binaries to have the proper security with sudo - the preferred method is to use the visudo command, and add the following line to the text of the /etc/sudoers file:
www ALL = NOPASSWD: /var/www/pfw/bin/*
- I ENTERED VISUDO, AND THIS LINE WAS ALREADY CONFIGURED
The non-preferred way, because it's dangerous, and easy to typo something and render your sudo unusable, is to simply concatenate it to the end of the /etc/sudoers file manually (the line is quoted so the shell does not expand the "*" into a list of files):
echo "www ALL = NOPASSWD: /var/www/pfw/bin/*" >>/etc/sudoers
NOTE WELL: there are TWO greater-thans! using only one will remove your sudoers file!
13. Reboot and try it out!
lynx 127.0.0.1/pfw
After allowing cookies (all), you should be able to surf to the various links and see the pfw pages, albeit in text mode.
------------------------------------------
Now, after rebooting, I was able to access the pfw interface for a few minutes, and then it became unresponsive. When I go to the fw, I can still use the terminal.
This morning, it is giving me an error:
TWIN1 /bsd: re0: Can't map mbuf (error 22)
and the link light on the network adapter is blinking really fast.
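The "Allow from" question asked earlier in this thread (whether allowing the gateway's address admits every PC on the network) and the Allow from 127.0.0.1 10.1 line in the cookbook above both come down to how Apache's mod_access matches the source address of the incoming connection. The following Python is an added example written for this page, not code from the howto, from pfw or from Apache: it reimplements the documented mod_access pattern forms (a full IPv4 address, a partial address of one to three octets, network/netmask, and network/CIDR) under the cookbook's Order allow,deny, so a candidate directive can be checked against the client addresses of a LAN before httpd.conf is edited. Every address below is one quoted in the thread, used only as constructed sample input.

```python
"""Added example (not from the eRacks howto, pfw or Apache): evaluate an
Apache mod_access 'Allow from' list against a client address.

Pattern forms, as documented for mod_access:
  172.20.255.1             full IPv4 address  -> exactly that host
  172.20.255 / 10.1        partial address    -> first 1-3 octets must match
  172.20.0.0/255.255.0.0   network/netmask
  172.20.0.0/16            network/CIDR
With 'Order allow,deny' and no Deny directives, a client is admitted only
when at least one Allow token matches; everything else is denied (403).
"""
import ipaddress
from typing import List


def _pattern_matches(pattern: str, client: ipaddress.IPv4Address) -> bool:
    """Return True if a single Allow-from token matches the client address."""
    if "/" in pattern:
        # network/netmask or network/CIDR; strict=False tolerates host bits
        return client in ipaddress.IPv4Network(pattern, strict=False)
    octets = pattern.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and 0 <= int(o) <= 255 for o in octets
    ):
        raise ValueError(f"unsupported Allow from token: {pattern!r}")
    # Full and partial addresses share one rule: the leading octets given
    # in the token must equal the leading octets of the client address.
    return str(client).split(".")[: len(octets)] == octets


def allowed(allow_from: str, client_ip: str) -> bool:
    """Apply 'Order allow,deny' with one whitespace-separated Allow list:
    admitted if any token matches the source address Apache sees."""
    client = ipaddress.IPv4Address(client_ip)
    return any(_pattern_matches(tok, client) for tok in allow_from.split())


def clients_permitted(allow_from: str, client_ips: List[str]) -> List[str]:
    """Filter a list of LAN client addresses down to those a directive admits."""
    return [ip for ip in client_ips if allowed(allow_from, ip)]


if __name__ == "__main__":
    # Constructed sample LAN: the thread mentions a 172.20.255.x segment, a
    # 172.20.1.x segment and a gateway at 172.20.255.1.
    lan = ["172.20.255.1", "172.20.255.16", "172.20.1.5"]
    for directive in ("172.20.255.1", "172.20.255", "172.20.0.0/16"):
        print(f"Allow from {directive:<16} -> {clients_permitted(directive, lan)}")
```

Apache compares the source address of the TCP connection as it arrives. On a flat LAN where the PCs reach the firewall directly, that is each PC's own address, so Allow from 172.20.255.1 admits the gateway and nothing else; the partial form 172.20.255 covers every 172.20.255.x host but not 172.20.1.x, and only a /16 form (172.20.0.0/16 or 172.20.0.0/255.255.0.0) covers both segments. Allowing by source address is an access filter for the pfw pages, not authentication; the HTTPS and sudoers setup in the cookbook still apply.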
Posted 2 years ago # -
Ken,
This looks like an old post (as of 10/19/07) from some time ago - your replacement was shipped to you with pfw preinstalled (and no CARP, per our discussion).
Posted 2 years ago # -
Ok, that's fine. But it was having the same issues when I got it back. First, I had to change the IP on re0 to fit my network so I could access it. Then I could not access it when I input the IP address into my browser. So I went back to your cookbook and above are the steps I went through: your instructions, with what I did noted in CAPS. I was able to access pfw after that, but it became unresponsive after a few minutes. And the link light on the NIC is blinking very fast, and on the OpenBSD terminal it reports "re0: can't map mbuf (error 22)".
Posted 2 years ago # -
Ken,
We replaced both the motherboards, reinstalled OpenBSD with pfw from the Allard.nu ISO/CD, and ran our complete battery of tests on both systems, and they passed flawlessly - we were also able to access pfw as well, with no problems.
It would of course be expected that you had to configure it for your IP address, as it was a brand new installation.
But pfw was preinstalled and tested, so you should not have had any need to do the above steps, and in fact, the steps above may have damaged the existing installation, since it was already installed.
I would hope that reapplying the database load script, as you indicate you have done, above, wouldn't do any damage, but I cannot guarantee it - it might have.
But the problem and symptoms you describe sound like issues with your network itself - perhaps something is causing a packet storm or broadcast storm?
Errors such as the mbuf errors you describe, as well as the rapidly-blinking light, tend to point to an overwhelming amount of traffic flooding your network. Have you done a network trace, or other diagnostics? A tcpdump, perhaps?
Which cables are plugged in, and to which ports on which systems?
What is your "broadcast address" configured to, exactly?
Posted 2 years ago # -
As I stated before, I am plugged into only one NIC - re0. That's it.
Also, the settings that I input were from your cookbook, and if you see anything in there that looks bad, I will gladly change it.
I have the current firewall monitor up, and it gives me a bandwidth meter. At its highest point, sending traffic was at 400kbps and receiving traffic was at about 700kbps. That isn't that much traffic at all.
Posted 2 years ago # -
What is your broadcast address?
Posted 2 years ago # -
It is broadcasting the same as the IP: 172.20.255.16.
I think that the problem is on our network however. I pulled it off our network and connected my PC directly to it, and it worked fine. My "uneducated" guess is that our current FW saw something being transmitted by the Twinguard fw and locked it up. I don't really know how, and there's nothing in the logs, but still when it was taken off the network it behaved fine.
My concern is when I get this thing back on the network and take the other firewalls off, will it do it again?
Well, either way it works to this point. Next I will have questions about setting up rules on pfw
Posted 2 years ago # -
Your broadcast address is always the inverse of your netmask applied to your IP - in other words, if you have a /24, with a netmask of 255.255.255.0, and an IP of 1.2.3.4, your broadcast address should be 1.2.3.255 - the same IP with a /16 (a netmask of 255.255.0.0) would have a broadcast address of 1.2.255.255.
- Machines on the same network, but with mismatched netmasks, may not communicate correctly even though they appear to be on the same network. Especially with hubs and switches involved, which can get confused more easily because of this.
- incorrectly configured broadcast addresses can cause strange and unpredictable responses, and interact poorly with routers, filters, hubs, switches, firewalls, and other networking hardware.
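To make the rule above concrete, here is an added Python example (written for this page; not eRacks code and not part of pfw or OpenBSD) that computes a broadcast address the way the post describes, by OR-ing the host address with the inverted netmask, and cross-checks the result against the standard library's ipaddress module. It also flags the two misconfigurations discussed in this thread: a broadcast set equal to the interface's own address, and two hosts on one LAN whose netmasks disagree. The addresses are the ones quoted in the thread, used as constructed sample input.

```python
"""Added example (not from eRacks, pfw or OpenBSD): derive and sanity-check
IPv4 broadcast addresses and netmask agreement between LAN hosts."""
import ipaddress


def _to_int(dotted: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def broadcast_for(ip: str, netmask: str) -> str:
    """Broadcast = host address OR (inverted netmask).

    This is the bitwise form of "the inverse of your netmask applied to your
    IP": every host bit of the address is forced to 1, the network bits are
    kept. The result is cross-checked against ipaddress's own computation."""
    host_bits = ~_to_int(netmask) & 0xFFFFFFFF
    manual = ipaddress.IPv4Address(_to_int(ip) | host_bits)
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    assert manual == iface.network.broadcast_address
    return str(manual)


def broadcast_is_consistent(ip: str, netmask: str, configured_broadcast: str) -> bool:
    """True when the broadcast written into an interface config is the one
    the IP and netmask imply, i.e. what ifconfig derives on its own. A
    broadcast equal to the host's unicast address (as set earlier in this
    thread) fails this check."""
    expected = ipaddress.IPv4Address(broadcast_for(ip, netmask))
    return ipaddress.IPv4Address(configured_broadcast) == expected


def share_lan_view(a_ip: str, a_mask: str, b_ip: str, b_mask: str) -> bool:
    """Two hosts agree on which addresses are local (and on the broadcast
    address) only if they compute the same network from their own IP and
    netmask. A mismatch here is the situation the post warns about: hosts
    that appear to share a LAN but do not talk to each other correctly."""
    a_net = ipaddress.IPv4Interface(f"{a_ip}/{a_mask}").network
    b_net = ipaddress.IPv4Interface(f"{b_ip}/{b_mask}").network
    return a_net == b_net


if __name__ == "__main__":
    # The post's own illustration: one address, two netmasks.
    print(broadcast_for("1.2.3.4", "255.255.255.0"))   # 1.2.3.255
    print(broadcast_for("1.2.3.4", "255.255.0.0"))     # 1.2.255.255
    # The firewall from the thread, as configured with a /16.
    fw_ip, fw_mask = "172.20.255.16", "255.255.0.0"
    print(broadcast_for(fw_ip, fw_mask))               # 172.20.255.255
    print(broadcast_is_consistent(fw_ip, fw_mask, "172.20.255.16"))  # False
    # A PC on the 172.20.1.x segment: same LAN view only with a matching /16.
    print(share_lan_view(fw_ip, fw_mask, "172.20.1.5", "255.255.0.0"))    # True
    print(share_lan_view(fw_ip, fw_mask, "172.20.1.5", "255.255.255.0"))  # False
```

The cross-check inside broadcast_for is there to show that the bitwise rule and the library agree; in a real config audit you would read each host's address and netmask (on OpenBSD, from /etc/hostname.if and ifconfig output) and run share_lan_view pairwise against the firewall's values.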
Posted 2 years ago # -
When I type in ifconfig re0, it told me my broadcast was 172.20.255.255
Posted 2 years ago # -
Right - if you set the IP and netmask, it will set the broadcast for you.
But remember, this netmask (a /16) should match all the other systems on the same LAN!
Posted 2 years ago # -
I changed it because I thought I read somewhere that the broadcast would just be what that adapter was seen at for identification. I changed it in the hostname.re0 file, and rebooted.
It had the unresponsive behavior regardless of the broadcast ID, however.
Posted 2 years ago # -
So I will change the broadcast back to 172.20.255.255
Posted 2 years ago # -
... and everything on the LAN, both the 172.20.255 and the 172.20.1 have the same netmasks.
Posted 2 years ago #