
@daemonhorn
daemonhorn / pfsense-airgap-environment.md
Last active May 18, 2024 23:08
PfSense as an air-gapped router

PfSense Air-gapped configuration

In certain environments it is useful to have a router and firewall between two private VLANs. When the WAN interface of PfSense cannot reach the internet, everything that expects it to (DNS resolution, update checks, etc.) times out, and the box becomes sluggish to boot and configure. This guide attempts to capture the configuration knobs that improve usability in these environments, and was written against a PfSense CE 2.7.2 configuration as the baseline.

TODO

  • Finish Documentation
  • tcpdump -nn -i XXX on PfSense at steady state while air-gapped, for em0 (WAN), em1 (LAN) and lo0 (loopback). Loopback shows all of the lookups that would have been sent out via root.hints or other PfSense internals. Start with a udp port 53 capture filter to look for DNS traffic.
  • tcpdump on PfSense at boot, on the WAN interface, to look for extra NTP, DNS, HTTP and TLS packets.

Install

Installation from the PfSense CE ISO file can easily be done in these environments. Download the ISO from mirror (to avoid creatin

@daemonhorn
daemonhorn / Windows_FIDO2_Yubikey_SoloKey_Hello_ssh.md
Last active May 13, 2024 22:11
Setting up Yubikey/Solokey(v2)/Windows Hello for OpenSSH via PIV or FIDO authentication on Windows

Overview

This guide covers using both the PIV smartcard and the FIDO2 features of your Yubikey, SoloKey(v2), and Windows Hello for SSH authentication in a secure and portable manner. FIDO2 support works with YubiKey, SoloKey(v2), and Windows Hello (biometric: face, biometric: fingerprint, secure-element/PIN) and is a relatively new OpenSSH feature (OpenSSH 8.2 or later) that requires updated client and server versions. PIV support via PKCS#11 has been in the OpenSSH codebase for many years and is the more stable and ubiquitous solution when a suitable PKCS#11 library is available for your platform.

Windows Yubikey for ssh via PIV

The example below assumes that you already have a PIV key generated in a Yubikey slot the way you want it. If you need to generate a new one, read the excellent documentation here: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and https://support.yubico.com/hc/en-us/articles/360021606180-Using-YubiKey-PIV-with-Windows-native-SSH-client

  • This explains basic configurati
@daemonhorn
daemonhorn / freebsd_yubikey_authentication.md
Last active May 4, 2024 19:00
Setting up yubikey/solo2 for piv, fido, and gpg on FreeBSD (Firefox, Chromium, PAM, SSH, and GnuPG)

Overview

How to configure FreeBSD and applicable applications to work with Yubikey for authentication. This serves as my work-in-progress documentation of the configuration knobs needed to make this work properly.

  • FreeBSD ssh with piv smartcard slot on Yubikey (pkcs11 via libykcs11.so)
  • FreeBSD ssh with fido support on Yubikey
  • FreeBSD Firefox/Chromium with fido + webauthn support on Yubikey
  • FreeBSD local console and gdm authentication using pam on Yubikey
  • FreeBSD official YubiKey tools

Latest Tested FreeBSD versions

  • FreeBSD 13.2 Testing (Aug 2023)
  • FreeBSD stable/13 Testing (Aug 2023) with OpenSSH_9.3p2
@daemonhorn
daemonhorn / Cloudflare-WARP_Wireguard.md
Created April 15, 2024 23:37
Cloudflare WARP tunnel via Wireguard client

Cloudflare WARP tunnel via Wireguard client

This example provides a simple configuration for a Debian client to get a Cloudflare WARP tunnel without installing the official Cloudflare WARP client. Note: the default tunnel transport is outbound UDP to engage.cloudflareclient.com on udp/2408; WireGuard itself listens on a dynamically chosen UDP port and uses an fwmark for packet matching. Adjust any applicable firewall rules accordingly.

Install dependencies

sudo apt install openresolv wireguard-tools golang git

Get the latest client from Github and build using go

git clone https://github.com/ViRb3/wgcf.git
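Before running wg-quick up on the profile wgcf generates, it is worth checking that the profile actually points at the transport the note above describes and that it routes everything through the tunnel. The following Python is an added example, not code from the gist or from wgcf: it parses the INI-like wg-quick format (repeated keys such as AllowedIPs are legal), extracts the endpoint host and port, flags a profile that is not a full tunnel, and emits the matching outbound nftables rule. SAMPLE_PROFILE is a constructed stand-in for wgcf-profile.conf with dummy keys; the expected endpoint engage.cloudflareclient.com:2408 and the nftables table/chain names inet filter output are assumptions for the example.

```python
"""Sanity-check a wg-quick profile before bringing a WARP tunnel up.

Added example, not part of the gist or of wgcf. SAMPLE_PROFILE is a
constructed stand-in for wgcf-profile.conf; both keys are dummies.
"""

SAMPLE_PROFILE = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 172.16.0.2/32
Address = fd00:1::2/128
DNS = 1.1.1.1
MTU = 1280

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
"""

# Assumed default WARP transport (hostname and UDP port).
EXPECTED_ENDPOINT = ("engage.cloudflareclient.com", 2408)


def parse_wg_conf(text):
    """Return {section: {key: [values, ...]}}; wg-quick lets a key repeat."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        # wg-quick also accepts comma-separated lists on a single line.
        conf[section].setdefault(key, []).extend(v.strip() for v in value.split(","))
    return conf


def endpoint(conf):
    """Split 'host:port' (or '[v6addr]:port') into (host, port)."""
    (ep,) = conf["Peer"]["Endpoint"]
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port)


def is_full_tunnel(conf):
    """(covers IPv4 default route, covers IPv6 default route)."""
    allowed = set(conf["Peer"].get("AllowedIPs", []))
    return "0.0.0.0/0" in allowed, "::/0" in allowed


def check_profile(text, expected=EXPECTED_ENDPOINT):
    """Return a list of human-readable problems; empty means the profile looks sane."""
    conf = parse_wg_conf(text)
    problems = []
    host, port = endpoint(conf)
    if (host, port) != expected:
        problems.append(f"endpoint {host}:{port} is not the expected {expected[0]}:{expected[1]}")
    if len(conf["Peer"].get("PublicKey", [])) != 1:
        problems.append("peer must carry exactly one PublicKey")
    v4, v6 = is_full_tunnel(conf)
    if not (v4 and v6):
        problems.append("AllowedIPs does not cover both 0.0.0.0/0 and ::/0; some traffic will bypass WARP")
    return problems


def nft_rule(conf, iface="eth0"):
    """Outbound allow rule for the tunnel transport on a default-deny host (assumed table/chain)."""
    host, port = endpoint(conf)
    return f'nft add rule inet filter output oifname "{iface}" udp dport {port} accept comment "WARP transport to {host}"'


if __name__ == "__main__":
    issues = check_profile(SAMPLE_PROFILE)
    print("OK" if not issues else "\n".join(issues))
    print(nft_rule(parse_wg_conf(SAMPLE_PROFILE)))
```

Run it against the real wgcf-profile.conf by reading the file into check_profile; a non-empty list is the reason to stop before wg-quick up. The hostname is resolved by wg at handshake time, so the rule matches on port rather than on a fixed IP.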
@daemonhorn
daemonhorn / Windows EFS PIV Yubikey.md
Last active April 7, 2024 15:00
Using PIV Smartcard and Yubikey with Windows Encrypting Filesystem

Yubikey 5 Win 10 20H2 x64 Pro PIV EFS Setup

Overview

PIV on Yubikey can be utilized for SSH authentication, Windows OS login authentication, NTFS Encrypted File System (EFS) support, Bitlocker and other use cases. The examples below are using self-signed certificates and keys generated on the Yubikey secure element, but can be customized for an enterprise environment with a root CA/intermediate CA and trusted certificate chains as needed. Note: While using a CA allows for easier scalable management, this also increases the required ring of trust, and thus can potentially decrease security if not managed properly.

Requires: Windows 10 Pro (20H2 used in the document, but will work on earlier versions of Pro), Yubikey 4 or 5 security token.

PIV References: NIST: https://csrc.nist.gov/publications/detail/sp/800-73/4/final Yubico PIV Setup: https://developers.yubico.com/PIV/Guides/Device_setup.html

@daemonhorn
daemonhorn / Example_microsocks_stunnel_freebsd_config.md
Last active March 26, 2024 05:26
Socks5 using Microsocks and Stunnel on FreeBSD

Socks5 proxy using Microsocks and Stunnel on FreeBSD

Configuration information for the Microsocks package on FreeBSD, since the existing documentation does not give enough detail to build a secure configuration that is still flexible enough for various use cases. See https://github.com/rofl0r/microsocks for the latest source code and wiki documentation. Note: the only user authentication method Microsocks supports is SOCKS5 plaintext username/password (RFC 1929), and it is not protected by any layer of encryption. Be very aware of this and add other layers of protection around your SOCKS5 endpoint (a firewall, plus TLS with client authentication using something like stunnel).

  • If you want an easy way of doing this, just use ssh -D localhost:1080 <user@host> instead, since SSH provides a native, encrypted SOCKS5 tunnel.
  • You can also use stunnel in socks5 protocol mode without Microsocks since it has native support for protocol = socks. See stunnel documentation here: https://www.stunnel.org/static/stunnel
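To make the plaintext-credentials caveat above concrete, here is the SOCKS5 username/password handshake framed by hand in Python. This is an added example, not code from the gist or from microsocks: it builds the client greeting, the server's method selection, the RFC 1929 credential frame and the CONNECT request, then recovers the username and password from the raw client-to-server bytes exactly as a passive observer on the path would. The user name, password and target in it are constructed sample values.

```python
"""SOCKS5 username/password authentication (RFC 1928 + RFC 1929) framed by hand.

Added example, not code from the gist or from microsocks. All values are
constructed sample inputs; nothing here talks to a network.
"""
import ipaddress
import struct

METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02          # the method microsocks -u/-P negotiates
METHOD_NONE_ACCEPTABLE = 0xFF


def build_greeting(methods=(METHOD_USERPASS,)):
    """Client -> server: VER=5, NMETHODS, METHODS (RFC 1928 section 3)."""
    return bytes([0x05, len(methods), *methods])


def select_method(greeting, want=METHOD_USERPASS):
    """Server -> client: choose the wanted method if offered, else 0xFF (refuse)."""
    if len(greeting) < 2 or greeting[0] != 0x05 or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    return bytes([0x05, want if want in greeting[2:] else METHOD_NONE_ACCEPTABLE])


def build_userpass(user, password):
    """Client -> server: VER=1, ULEN, UNAME, PLEN, PASSWD (RFC 1929). No encryption at all."""
    u, p = user.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def parse_userpass(frame):
    """Decode an RFC 1929 frame; this is all the server (or a sniffer) needs."""
    if len(frame) < 2 or frame[0] != 0x01:
        raise ValueError("not an RFC 1929 frame")
    ulen = frame[1]
    if len(frame) < 3 + ulen:
        raise ValueError("truncated frame")
    plen = frame[2 + ulen]
    if len(frame) != 3 + ulen + plen:
        raise ValueError("length mismatch")
    return frame[2:2 + ulen].decode(), frame[3 + ulen:].decode()


def build_connect(host, port):
    """Client -> server: CONNECT to a domain name (ATYP=3)."""
    h = host.encode()
    return bytes([0x05, 0x01, 0x00, 0x03, len(h)]) + h + struct.pack("!H", port)


def parse_connect(frame):
    """Decode CONNECT with ATYP 1 (IPv4), 3 (domain) or 4 (IPv6); return (host, port)."""
    if len(frame) < 4 or frame[0] != 0x05 or frame[1] != 0x01 or frame[2] != 0x00:
        raise ValueError("unsupported SOCKS5 request")
    atyp = frame[3]
    if atyp == 0x01:
        host, end = str(ipaddress.IPv4Address(frame[4:8])), 8
    elif atyp == 0x03:
        host, end = frame[5:5 + frame[4]].decode(), 5 + frame[4]
    elif atyp == 0x04:
        host, end = str(ipaddress.IPv6Address(frame[4:20])), 20
    else:
        raise ValueError("unknown ATYP")
    if len(frame) != end + 2:
        raise ValueError("length mismatch")
    return host, struct.unpack("!H", frame[end:])[0]


def recover_from_capture(client_stream):
    """Walk captured client->server bytes and pull out user, password and target."""
    greet_end = 2 + client_stream[1]
    ulen = client_stream[greet_end + 1]
    plen = client_stream[greet_end + 2 + ulen]
    auth_end = greet_end + 3 + ulen + plen
    user, password = parse_userpass(client_stream[greet_end:auth_end])
    host, port = parse_connect(client_stream[auth_end:])
    return user, password, host, port


def demo():
    """The client side of one session, as it crosses an unencrypted link."""
    stream = (build_greeting()
              + build_userpass("proxyuser", "s3cret")
              + build_connect("example.com", 443))
    return recover_from_capture(stream)


if __name__ == "__main__":
    print(demo())
```

Everything recover_from_capture needs is in the first few dozen bytes of the TCP stream, which is why the microsocks password on its own buys nothing against anyone who can sniff the segment; only the stunnel TLS wrapper (with client certificates) or SSH's own transport keeps those bytes private.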
@daemonhorn
daemonhorn / bash_tcsh_unified_config.md
Last active January 16, 2024 15:04
Make bash do the nice tcsh things

Overview

I want to forget about the differences between my Linux machines (running bash) and my BSD machines (running tcsh) and have a user-friendly CLI experience on both. The knobs below make bash/readline/less behave more like the tcsh defaults.

  1. Searching through history with filters

```sh
echo '"\e[B": history-search-forward' >>~/.inputrc
echo '"\e[A": history-search-backward' >>~/.inputrc
```

  2. Pager re-init, so man pages clear the screen on quit
@daemonhorn
daemonhorn / FreeBSD-Dell_7550.md
Last active October 16, 2023 22:24
FreeBSD on Dell Precision 7550 Laptop

Overview

These are my notes from configuring a functional FreeBSD 13/14 (started with 13.1-RELEASE and moved to the stable/14 branch) on my Dell Precision 7550 laptop with a Dell Thunderbolt 3 dock.

What works out of the box

  1. Installing from the 14-Beta5 release memstick image worked great with UEFI (Secure Boot disabled) and the BIOS/UEFI setup configured for AHCI access (NOT Intel RAID) to the NVMe drives.
  2. iwlwifi Wi-Fi card from Intel, no issues as long as I don't try to change the regulatory domain from the defaults. WPA2 authentication worked as I expected; WPA3 is not there yet in the FreeBSD 802.11 stack.

```
iwlwifi0@pci0:0:20:3:   class=0x028000 rev=0x00 hdr=0x00 vendor=0x8086 device=0x06f0 subvendor=0x8086 subdevice=0x4070
    vendor     = 'Intel Corporation'
    device     = 'Comet Lake PCH CNVi WiFi'
```
@daemonhorn
daemonhorn / FreeBSD Arm64 Qemu.md
Last active October 3, 2023 12:20
FreeBSD-arm64-aarch64 via Qemu from ports

Intro

This quickstart recipe for Qemu assumes a recent FreeBSD release (stable/13 or newer) and provides an example configuration for running an arm64 (aarch64) FreeBSD guest on an amd64 FreeBSD host. The concepts apply to other architectures as well, but syntax and capabilities will vary.

Dependencies

  • Install qemu with pkg install qemu or pkg install qemu-nox11. The latest pre-built package release as of this write-up is 8.1.0.
  • Sufficient disk space (50+ GB) on a mounted FreeBSD host filesystem (e.g. /qemu-data in this example)
@daemonhorn
daemonhorn / FreeBSD Ports Cheat Sheet.md
Last active September 9, 2023 19:01
FreeBSD Ports Cheat Sheet and Notes

FreeBSD Ports

Some random FreeBSD Ports information for future me

Configuration file: /etc/make.conf

  • Add BATCH=YES to prevent questions and dialog4ports(1) from slowing you down.

Ports make targets from man ports(7)

  • config to force a configuration display/choice (even if BATCH=YES has been defined)
  • fetch and fetch-recursive to download the source packages if not cached
  • install and reinstall to install and force-reinstall the port and register with package database
  • deinstall to uninstall/remove the port and de-register from package database
  • build-depends-list, run-depends-list, all-depends-list to just list the names of the dependencies