pfSense router setup in VirtualBox

Posted in Tech on October 14th, 2010 by blakangel

I actually set pfSense up months ago and it has been running flawlessly since. pfSense is a firewall/router distribution built on FreeBSD. I have been a heavy FreeBSD user and admin for years, both at work and at home, and have always considered it a robust, well-performing server platform, but I had never tried a FreeBSD-based router/firewall and wanted to see how it holds up in that role.
First, a quick look at my current VirtualBox test lab:

VirtualBox Lab Diagram
So we start by creating the VM (remember, in the last post I aliased vboxmanage to VBoxManage -q, quiet mode, so the commands below are shorter):

vboxmanage createhd --filename /storage/bangel/vbox-disks/router2.vdi --size 2048 --format VDI --variant standard
vboxmanage createvm --name router2 --ostype FreeBSD --register

I know I created a 2 GB disk, but the pfSense install itself only needed about 230 MB for the base system, plus the 128 MB I gave it for swap. If you plan on adding packages, a web proxy/cache or NIDS logging for example, the extra space comes in handy.

Next I assign RAM and a VRDP port, add both an IDE and a SATA storage controller, then attach the media. In the VirtualBox release used here, virtual DVD drives can only be attached to IDE controllers, so the disk goes on SATA and the installer ISO on IDE. (The --vrdp options are VirtualBox 3.x syntax.)

vboxmanage modifyvm router2 --memory 128 --vrdp on --vrdpport 3395
vboxmanage storagectl router2 --add sata --name "SATA Controller 1"
vboxmanage storageattach router2 --storagectl "SATA Controller 1" --port 0 --device 0 --type hdd --medium /storage/bangel/vbox-disks/router2.vdi
vboxmanage storagectl router2 --add ide --name "IDE Controller 1"
vboxmanage storageattach router2 --storagectl "IDE Controller 1" --port 0 --device 0 --type dvddrive --medium /storage/bangel/isos/pfSense-1.2.3-RELEASE-LiveCD-Installer.iso

I typo’d the last command about three times. Don’t be discouraged if you do the same, or have to run ‘vboxmanage modifyvm’ with no arguments to get the list of options; I still do that sometimes. It takes practice to become fluent with the VirtualBox command line utilities.

Next, the network cards. When you create a new virtual machine, VirtualBox picks a default NIC type based on the guest OS; for FreeBSD that is the Intel PRO/1000 MT Desktop (82540EM), driven by em(4), which is mature and well supported. Here we give the second NIC the same type, attach both NICs as “intnet”, and name the two internal networks. Naming an internal network makes VirtualBox create a virtual switch and “plug in” the NIC. Notice that the two interfaces are plugged into different switches: this is a router, and the whole point is that traffic between internal-network and core-network has to pass through pfSense.

vboxmanage modifyvm router2 --nictype2 82540EM
vboxmanage modifyvm router2 --nic1 intnet
vboxmanage modifyvm router2 --nic2 intnet
vboxmanage modifyvm router2 --intnet1 internal-network
vboxmanage modifyvm router2 --intnet2 core-network

Make sure to run ‘vboxmanage showvminfo <yourvmname>’ and note the NIC 1 and NIC 2 lines. Record each MAC address and the internal network (intnet) it is attached to: the pfSense installer identifies interfaces by device name (em0, em1) and shows their MAC addresses when it asks you to assign WAN and LAN, and the MAC is the only way to tell which leg is on which switch. Go ahead and start the new VM to begin the pfSense installation. I use ‘VBoxHeadless -s router2’ and then connect via RDP. Set your LAN address to something on your network for now, since the default pfSense firewall rules only allow access to the web interface from the LAN interface. After installation I added a pf rule to allow it from any interface, and I also enabled SSHD; all the normal FreeBSD commands are available from the console, which makes troubleshooting much easier. Opening the web interface on every interface is acceptable here only because both NICs sit on isolated internal networks with no path to a real network; on a router with a leg on any segment you do not fully trust, leave the default LAN-only rule in place.

Once installation is complete, I power off the VM and remove the DVD from the boot order (slot 2 in the default floppy, DVD, disk order). Note that this only changes the boot order; the ISO itself stays attached to the IDE controller unless you detach it as well:

vboxmanage controlvm router2 poweroff
vboxmanage modifyvm router2 --boot2 none

Now we can make copies of the VDI file, either manually or with VirtualBox’s clonehd function. Prefer clonehd: it writes a fresh UUID into the copy, whereas a plain file copy keeps the original’s UUID and VirtualBox will refuse to register two media with the same UUID.

Test Lab Setup with VirtualBox Tutorial

Posted in Tech on April 29th, 2010 by blakangel

So yesterday I decided to set up a test lab to play with Windows Server 2008. Microsoft has announced the end of mainstream support for Server 2003, which happens this July. I was able to download a licensed ISO of 64-bit Windows Server 2008 from MSDN Academic Alliance, which included the Standard, Enterprise and Datacenter editions (plus three “Server Core” install options; I don’t know the differences).

My host machine runs Ubuntu Linux 9.10 on an AMD quad-core with 3.5 GB of DDR3 RAM and two 160 GB SATA disks in a non-RAID configuration. Far from ideal, I know, but I split the VMs between the two drives to help I/O performance. I am using VirtualBox 3.1.6 (non-OSE). I’ve been using the command line tools to manage my VMs lately; it can seem daunting at first (it was for me), but you soon get used to the syntax.

Your Life, Live on Google

Posted in Anonymity, Privacy on August 18th, 2009 by blakangel

Good article in the LA Times business section today – Online, your life is searchable. It’s good to see this issue getting a larger exposure. From the article:

Online information about consumers comes from several sources. Public records such as campaign contributions, property sales and court cases are increasingly posted on the Internet. At the same time, marketers are collecting information about consumers’ Web browsing and buying habits. And then there are the thousands of online communities such as Facebook and Twitter, where users supply the personal information themselves.

Privacy needs pro-active security

Posted in Privacy, Security on June 23rd, 2009 by blakangel

There is a great (if rather long) article by Simson Garfinkel over at Technology Review on our privacy and the need to be vigilant and proactive. Privacy by inaction doesn’t cut it in the digital age: keeping your head low won’t keep your name or picture out of the massive government and private-sector databases. We need to be more vocal and more active in protecting ourselves and our data.

Garfinkel concludes that what is needed is an “online passport”: a global, ubiquitous electronic identification system backed by business and government alike. Today there is a myriad of systems for verifying our online personas: each of your banks has one, every e-mail account you use is different, and so is every company you do business with online, not to mention Facebook and MySpace. Each of these systems is designed and implemented differently, by different people, and has its own strengths and weaknesses. While I see the benefits of a single, well-designed, strong authentication system, I also see its drawbacks. It creates a single point of failure. Sure, we can pass laws protecting it and standards for auditing it. But what happens when an attacker gets hold of your credential? Instead of access to just one account, he has access to all of them, because every government office and online retailer now trusts that single system, and nothing is ever 100% secure.

Anyway, it’s a good read and contains a good discussion of the legal history of privacy and how it’s evolving and will continue to evolve. Discussion is what we need; a solution to the privacy problem will not be a quick and easy fix. Read the full thing here.


The insecurity of ‘secret question’ authentication

Posted in Privacy, Security on May 26th, 2009 by blakangel

A while ago my colleague blogged about the importance of secret questions in keeping your online accounts safe. We came to the conclusion that security questions, in many implementations, actually decrease your overall level of security. Security questions are a secondary means of authentication used when the primary method fails: when you forget your webmail password, you are asked a pre-arranged secret question and must answer it to reset the password and regain access to your account. During last year’s presidential election, VP candidate Sarah Palin’s Yahoo email was hacked through a weak secret question and a little googling. A paper with some hard data on the subject was published recently (Schechter, Brush and Egelman, “It’s No Secret: Measuring the Security and Reliability of Authentication via ‘Secret’ Questions”, IEEE Symposium on Security and Privacy 2009); it can be downloaded here and makes for an interesting read.

From the abstract:

All four of the most popular webmail providers — AOL, Google, Microsoft, and Yahoo! — rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.
