Littlefield, Tyler
2016-05-19 01:15:00 UTC
All,
I have a few questions I was hoping to pose here for some advice.
First, my networking solution is a bit odd on my home system. I have
everything running through the bridge interface, then I add igb0 and
tap0 to that interface to be bridged. My firewall accepts inbound
connections and my vms can connect outbound and receive connections on
their own addresses. I have two issues: first, my jails on the host
system are unable to receive inbound connections. Second, my bridge
does not come up after a reboot. I can log in and initialize the
interface via console, but I'd rather not have to do this manually.
Below is the rc.conf as well as the pf.conf for the system:
Finally my last question, although this could be a bit much. I am at
this point managing numerous FreeBSD systems. Rather than have to sift
through the logs every day for 5 systems and growing (which I don't
have time for), I'd like to do a few things:
First, I'm curious what all of you prefer for health monitoring. I was
looking at Nagios, but if there's something else I'm all ears.
Second, I need a solution that will allow me to monitor logs for
anything out of the oardenary (if this is possible) and notify me,
rather than sending the daily logs every day.
Third, I need to know when updates are available to BSD and when
packages are vulnorable.
Along with this, I'd also be interested in knowing how people tend to
deploy multiple systems with extensive reconfiguration. The base of my
systems look mostly the same, so I was hoping there might be a good
way to do this.
Thanks for the help and your time, I greatly appreciate it.
Thanks,
Ty
*rc.conf:
iocage_enable="YES"
hostname="giraffe"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
gateway_enable="yes"
cloned_interfaces="lo1 tap0 bridge0"
ipv4_addrs_lo1="192.168.0.1-9/29"
ifconfig_igb0="up"
ifconfig_bridge0="addm igb0 addm tap0 inet 10.21.96.200 netmask
0xffffff00 up"
defaultrouter="10.21.96.254"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
syslogd_flags="-c -ss"
pf_enable="YES"
pflog_enable="YES"
pf.conf:
if="bridge0"
addr="10.21.96.200"
samba_addr="192.168.0.2"
dlna_addr="192.168.0.3"
unbound_addr="192.168.0.4"
#port groupings
tcp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds 22}"
udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
samba_services="{netbios-dgm netbios-ns netbios-ssn microsoft-ds}"
set skip on lo
set loginterface $if
scrub in all
#allow jails through
nat on $if inet from $samba_addr to any tag jail_samba -> $addr
nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
#portforward to jails.
#unbound
rdr pass on $if proto tcp from any to any port 53 -> $unbound_addr
rdr pass on $if proto udp from any to any port 53 -> $unbound_addr
#samba
rdr pass on $if proto tcp from any to any port $samba_services ->
$samba_addr
rdr pass on $if proto udp from any to any port $samba_services ->
$samba_addr
#rules
pass quick on lo1
pass from $if to any keep state
#default policy: deny
antispoof quick for { $if lo }
block in all
#accept TCP ports.
pass in on $if proto tcp from any to any port $tcp_services
pass in on $if proto tcp from any to any port 4000
pass in on $if proto udp from any to any port $udp_services
- --
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc
I have a few questions I was hoping to pose here for some advice.
First, my networking solution is a bit odd on my home system. I have
everything running through the bridge interface, then I add igb0 and
tap0 to that interface to be bridged. My firewall accepts inbound
connections and my vms can connect outbound and receive connections on
their own addresses. I have two issues: first, my jails on the host
system are unable to receive inbound connections. Second, my bridge
does not come up after a reboot. I can log in and initialize the
interface via console, but I'd rather not have to do this manually.
Below is the rc.conf as well as the pf.conf for the system:
Finally my last question, although this could be a bit much. I am at
this point managing numerous FreeBSD systems. Rather than have to sift
through the logs every day for 5 systems and growing (which I don't
have time for), I'd like to do a few things:
First, I'm curious what all of you prefer for health monitoring. I was
looking at Nagios, but if there's something else I'm all ears.
Second, I need a solution that will allow me to monitor logs for
anything out of the oardenary (if this is possible) and notify me,
rather than sending the daily logs every day.
Third, I need to know when updates are available to BSD and when
packages are vulnorable.
Along with this, I'd also be interested in knowing how people tend to
deploy multiple systems with extensive reconfiguration. The base of my
systems look mostly the same, so I was hoping there might be a good
way to do this.
Thanks for the help and your time, I greatly appreciate it.
Thanks,
Ty
*rc.conf:
iocage_enable="YES"
hostname="giraffe"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
gateway_enable="yes"
cloned_interfaces="lo1 tap0 bridge0"
ipv4_addrs_lo1="192.168.0.1-9/29"
ifconfig_igb0="up"
ifconfig_bridge0="addm igb0 addm tap0 inet 10.21.96.200 netmask
0xffffff00 up"
defaultrouter="10.21.96.254"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
syslogd_flags="-c -ss"
pf_enable="YES"
pflog_enable="YES"
pf.conf:
if="bridge0"
addr="10.21.96.200"
samba_addr="192.168.0.2"
dlna_addr="192.168.0.3"
unbound_addr="192.168.0.4"
#port groupings
tcp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds 22}"
udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
samba_services="{netbios-dgm netbios-ns netbios-ssn microsoft-ds}"
set skip on lo
set loginterface $if
scrub in all
#allow jails through
nat on $if inet from $samba_addr to any tag jail_samba -> $addr
nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
#portforward to jails.
#unbound
rdr pass on $if proto tcp from any to any port 53 -> $unbound_addr
rdr pass on $if proto udp from any to any port 53 -> $unbound_addr
#samba
rdr pass on $if proto tcp from any to any port $samba_services ->
$samba_addr
rdr pass on $if proto udp from any to any port $samba_services ->
$samba_addr
#rules
pass quick on lo1
pass from $if to any keep state
#default policy: deny
antispoof quick for { $if lo }
block in all
#accept TCP ports.
pass in on $if proto tcp from any to any port $tcp_services
pass in on $if proto tcp from any to any port 4000
pass in on $if proto udp from any to any port $udp_services
- --
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc