NVITA.ORG News

FreeBSD Wi-Fi Open Access Content Filter

2010-03-06T08:23:18-05:00

CLICK PLAY TO LISTEN TO PODCAST1.MP3

ipfw is a FreeBSD IP packet filter and traffic accounting control program. With ipfw, it is possible to assemble a tranparent proxy for Wi-Fi. The transparent proxy can send moderated content to remote clients with content filtering software. A WiFi hotspot open access Control Filter is made up of five or maybe six parts. The access point with crossover cable and network card; ipfw squid, dansguardian, ISC dhcpd, and ISC bind. You would need a client to access the hotspot, but nothing is stopping you from waiting for client machines to connect. For example you could provide anonymous internet access to a nighborhood, a resturant & bar, an apartment building, cafe or whatever you like; the distance an access point can cover is fairly large.

Bind and dhcpd is the most widely used software on the internet, an both are fairly difficult to configure correctly; but we'll use a few shortcuts and some good luck. First we need some inexpensive hardware. A Wireless - G router, an extra network card and a crossover cable. If you use a router, chances are you will get a broader wireless area connection. Most network cards are supported by the hardware compatiblity list, if your card is not; it is recommended that you get one that is on the harware compatiblity list.

Firmly seat the network card, and connect an rj-45 crossover cable directly to the router. Boot normally, if the card is on the harware compatibility list, it will be available to ifconfig.

Type:

ifconfig

fxp0: flags=8843 metric 0 mtu 1500
        options=9
        ether 00:90:27:ac:85:d4
        inet 10.1.10.172 netmask 0xffffff00 broadcast 10.1.10.255
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8843 metric 0 mtu 1500
        options=9
        ether 00:04:76:e8:99:3c
fxp1: flags=8843 metric 0 mtu 1500
        options=9
        ether 00:90:27:ac:90:85
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX)
        status: active
plip0: flags=108810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000

Above, xl0 is the unconfigured device:

vi /etc/rc.conf

Strike the ESC key

:ins

ifconfig_xl0="inet 172.16.0.1 netmask 255.255.255.0"

Strike CRTL-C

Strike the ESC key

:wq!

Next compile the kernel with ip options. Make a copy of the GENERIC kernel and add these lines
to the GENERIC file in /usr/src/sys/i386/conf/

cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/SQUIRREL

vi /usr/src/sys/i386/conf/SQUIRREL

options IPFIREWALL

options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT

options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD

2. Change to the /usr/src directory:

cd /usr/src

3. Compile the kernel:

make buildkernel KERNCONF=SQUIRREL

While the kernel is compiling, do not interrupt the terminal

You can stop this process at anytime by pressing CTRL-C

Building a new kernel takes about two hours to complete with a quad 533mhz pentium III Xeon server. Don't give up even though the terminal may look like it has stopped.

4. Install the new kernel:

make installkernel KERNCONF=SQUIRREL

Now edit the file /etc/rc.firewall

Add to the SIMPLE section:

${fwcmd} 1001 fwd 127.0.0.1,8080 tcp from any to any 80 in recv xl0

${fwcmd} add allow tcp from any to any in via fxp1
${fwcmd} add allow tcp from any to any in via fxp0
${fwcmd} add deny log tcp from 172.16.0.0/24 to 172.16.0.1

${fwcmd} add deny log tcp from 172.16.0.0/24 to 192.168.0.0/24
${fwcmd} add deny log tcp from 172.16.0.0/24 to 10.1.10.0/24

${fwcmd} add allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
${fwcmd} add allow udp from any 67 to me dst-port 68 in
${fwcmd} add allow udp from any 67 to 255.255.255.255 dst-port 68 in
${fwcmd} add allow icmp from any to any icmptypes 8
${fwcmd} add allow icmp from any to any icmptypes 3,4,11

This means add rule number 1001 and forward ALL tcp packets; port 80 to 127.0.0.1 port 8080 on the third interface, xl0. Allow tcp packets to pass on fxp1 and fxp0. Since the server is public, Deny and log anything from 172.16.0.0/24 to the server at 172.168.0.1. Anything to the internal network is non-routable or not on the same network segment as the crossover cable to the network card but if you're also using natd to forward internet access, they will pass to the internal segment. The two following rules prevent anything passing to the xl0 interface. Next, uncomment allow dchp and imcp under the simple section of rc.firewall or add the five next rules to rc.firewall.

Now all packets that are destined for port 80 are transparently passed to port 8080 the proxy port.

shutdown -r now

There are several different content filtering software packages though dansguardian is free to use. However first we need a caching proxy server to pass information to the content filtering software. Squid is a web cache server and is easy to install if access control lists are used correctly.

Get the latest version of squid here:

http://www.squid-cache.org/Versions/

type:

gunzip squid*.tar.gz

tar -xvf squid*.tar

cd squid-3.0.STABLE24

./configure --enable-ipfw-transparent

gmake

make install

After squid is installed it can be found in /usr/local/squid. First we need to edit a file named squid.conf:

vi /usr/local/squid/etc/squid.conf

Squid conf is a huge configuration file, go to around line 1000:

Strike the ESC key

:set nu

Strike the ESC key

:879

Strike the ESC key

:ins

http_port 3128 transparent

Strike CRTL-C

Delete the previous http_port directive by alligning the cursor with the arrow keys.

Strike the ESC key

:del

Now edit the access control lists, since squid is usually behind a firewall firstly, we will use open directives:

Strike the ESC key

:592

Strike the ESC key

:ins

acl localnet src 127.0.0.0/8

Strike CRTL-C

Scroll down to # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

Add:

Strike the ESC key

:ins

http_access allow localnet
http_access allow localhost
http_access allow to_localhost
http_access allow all

Strike CRTL-C

Strike the ESC key

:wq!

Now that the squid portion of the installation is complete, we can install dansguardian. The latest version can be found at http://www.dansguardian.com unzip and install:

type:

gunzip dansguardian*.tar.gz

tar -xvf dansguardian*.tar

cd dansguardian-2.10.1.1

./configure

gmake

make install

There is one option with dansguardian to change the warnings template. The warnings template can be used once dansguardian is restarted.

/usr/local/share/dansguardian/languages/ukenglish/template.html

Now type:

/usr/local/squid/sbin/squid
/usr/local/sbin/dansguardian

To configure a Wi-Fi windows workstation to use a NATD FIREWALL, follow these instructions:

Left click "My Network Places" on the Windows workstation "desktop" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.

Left click "Properties"

Next, Left click "Local Area Connection" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.

Left click "Properties"

A "Dialogue" Box will appear:

Left click "Internet Protocol TCP/IP" such that it appears to turn BLUE in color. Next, right click the properties box. A "Dialogue box" will appear.

        Click obtain an IP address automatically, click Obtain DNS server address automatically and click ok. Then click apply, ok.

The next part of the project is to install a dhcp server and a dns server on the gateway machine 172.16.0.1; or xl0. Download, unzip, make and install from http://www.isc.org

vi /usr/local/etc/dhcpd.conf

Strike the ESC key

:ins

option domain-name "nvita.org";
option domain-name-servers 172.16.0.1;

default-lease-time 86400;
max-lease-time 86400;

authoritative;
ddns-update-style none;

subnet 172.16.0.0 netmask 255.255.255.0 {
    range 172.16.0.5 172.16.0.250;
    option routers 172.16.0.1;
}

Strike CRTL-C

:wq!

Start the DCHP server on xl0:

/usr/local/etc/rc.d/isc-dhcpd start

or

dhcpd xl0

and if for some reason you decide to download the beta:

dhcpd -d -f xl0

Type

vi /var/named/etc/namedb/named.conf

Strike the ESC key

:ins

acl clients {
        localnets;
        ::1;
};

options {
        version "";     // remove this to allow version queries

        listen-on    { any; };
        listen-on-v6 { any; };

        allow-recursion { clients; };
};

logging {
        category lame-servers { null; };
};

// Standard zones
//
zone "." {
        type hint;
        file "standard/root.hint";
};

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "standard/loopback6.arpa";
        allow-transfer { localhost; };
};

zone "com" {
        type delegation-only;
};

zone "net" {
        type delegation-only;
};

Strike CRTL-C

:wq!

mkdir standard

cd standard

Type

vi /var/named/etc/namedb/standard/root.hint

Strike the ESC key

:ins

.                        3600000 IN NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; operated by ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

Strike CRTL-C

:wq!

Start the DNS server:

named

Although quite complicated, fxp1 operates without any restrictions, whereas xl0 has a content filter and cannot access the internal network other than the DNS server and the DHCP server, but can access any other server on the internet by squid and dansguardian!

HOWEVER:

Wireless access is limited. You probably also need one of these to cover at least 2 miles:

2.4 Ghz Hi-Gain 15dBi Outdoor Omni-Directional Antenna

Advanced Excel Programming

2010-01-09T16:05:09.453-05:00

Microsoft excel is a useful tool to calculate figures automatically using your own spreadsheet. There is however, a flip side.

How to start:

=IF(ISBLANK(H14),"",IF(H14=E4,"YES",IF(H14>E4,"No, Register reports the cash is over","No, Register reports the cash is short")))

This formula reads:

If cell H14 is blank then nothing; If cell H14 equals cell E4 then write YES and If cell H14 is greater than cell E4 write "No, Register reports the cash is over", if cell H14 is less than E4 write "No, Register reports the cash is short"

Here is something a little more simple:

=IF(AND(ISBLANK(E6),ISBLANK(G6)),"",G6-E6)

If both E6 and G6 are blank then nothing, if not subtract the contents of G6 from E6.

You can even link one spreadsheet to another and display it's data:

=SUM('Petty Cash Register'!E6:'Petty Cash Register'!E27)

Download this example Free: smallbusiness.xls

Please send questions and an email to mkearney@nvita.org to un-protect the spreadsheet. Start working on your own ledger today.

The calculated risk of cryptography

2009-08-24T01:54:07.765-04:00

Applications of cryptography include ATM cards, computer passwords, and electronic commerce. Modern cryptography can encrypt portions of a computer hard disk, an entire hard disk or several hard disks with the use of cryptographic software. What is the purpose of cryptography?

The Internet Society has used a short form to describe a much larger matrices, what is now called the internet. The "Galactic Network" as ^[1]J.C.R. Licklider used the term at ARPA in 1963, addresses his colleagues; "Members and Affiliates of the Intergalactic Computer Network".^[2]

Encrypting your computer hardware gives you the authority to freely exchange information, while not breaking any laws related to developer software, peer to peer networks or similar reciprocation. While all to perscriptive in nature, hard disk encryption gives also gives you the right to be responsible for yourself.

http://www.killdisk.com or Active@ KillDisk conforms to US Department of Defense clearing and sanitizing standard DoD 5220.22-M. When purchasing a new or used hard drive or installing a new system, it is highly recomended that this type of software is used first to ensure the integrity of the new system.

HaDES (Short for Hard Disk Encryption System) is an enterprise level open source hard disk encryption tool, which enhances TrueCrypt by adding functionality that enables TrueCrypt for enterprise use, including multi user capability and recovery. HaDES can be downloaded from:

http://sourceforge.net/projects/hadeshdencrypt/files/

HaDES installs easily and works efficiently without any extra strain on the system, if not actually contributing DoD 5220.22-M

Equipment Rollout

2009-02-21T16:30:09.125-05:00

Equipment upgrades are completed every so many years as older computers are replaced with newer ones. Is there a science to this? Used equipment resale tells the hard truth with no warranty expressed or implied. Either way the human element can not be replaced. Some organizations hold to one policy while others lean to another. For example there are organizations where no software is installed other than the computer's operating system. Other organizations cater to demands that the human element can only deliver. Still other organizations simply stand and deliver while others repair and replace.

What is the best way to rollout computers? Disk imaging. What about the disk image? The disk image should incorporate all the programs and all the settings necessary to successfully deliver a viable tool to the user. For example, a DHCP server would be necessary to use because multiple disk images cannot incorporate a unique internet address or computer name. Further, A WINS server would be necessary to tune the new NetBIOS broadcasts although the WINS server does not have the ability to change the computer name or IP address. This goes on and on depending on the scope and the depth of the organization.

Because Microsoft wizards vary, depending upon the operating system, method of cloning, and method of changing what is called an "SID"; refer to the Microsoft document Do Not Disk Duplicate Installed Versions of Windows (Article ID 162001) for more detailed information.

There are many ways of incomparably changing the SID however the easiest way is to do this is with variable login script software with Microsoft Package Manager. From Legal studies for example, when the matrices is put to use, wherein the technician has installed the software on a time clock; output is more precise and errors are simplified. The used equipment can then be sold at resale. In the end, http://www.pcretro.com has won the day once more with used equipment available for sale that might otherwise not be available, for what ever reason.

Microsoft Internet Cafe

2009-02-21T15:16:42.656-05:00

Microsoft has made many milestones with the personal computer, including making access to the internet an easy thing to do. Not including dial up access, new affordable internet access has made it possible to access the internet at high speed. Where faster internet access is desirable for groups of computers and internet server computers, the asymmetrical subscriber line was capable of T-1 speeds available to educational and scientific organizations. Since the asymmetrical subscriber line, new methods of delivering a signal through whatever means possible including electrical power it's self, has made internet access even faster, comparable to a digital trunk line or fiber optic system. Cable internet access, or a signal through coaxial cable already laid throughout thousands of rural homes is very enumerative. But what about internet access on the go, downtown in the fast moving city next to local shops and restaurants?

Microsoft has an easy solution, Microsoft Proxy server. Microsoft proxy server includes a client which can enumerate any internet program with no special settings through modifying the Microsoft Windows TCP/IP stack to access Microsoft Proxy Server connected to any internet connection. Why use Microsoft Proxy server? Users have their own way of using Microsoft Windows every time that they have an opportunity to use it. This does not mean it is predictable, but inevitable that Windows will incorporate the users every move. Doing this does not make it easier for someone else to use the same computer. Microsoft Policy editor includes a number of features that are unlocked with the use of a Microsoft Windows Server. For example, there are extra rules not included with the Policy editor available to a Server computer. Microsoft Proxy Server can also run on the same Microsoft Windows Server computer. An administrator can then implement a Policy detail which would access an ideal settings stored on the server and made available to every client computer at the same time, every time.

However, this is not to say that Windows is imperfect. More recently, the most valuable way to deliver public internet access with windows computers is to erase every move the previous user has made by loading the desktop computer from an image every time a public user logs off the computer. This way, public users can install software, send email, tinker with settings and even be destructive without changing the image which is loaded by the server. Users are free to use Windows any way that they so desire.

Although it would seem that Windows has lost the battle, they haven't lost the War; yet.

Your Local Express Station

2009-02-06T21:09:16.968-05:00

The Nations highways spread vastly over the United States, along the bi-ways and rural highways are small signs pointing the way to the local library. In recent years there has been an addition to the books and periodicals found there. Inside every library is a computer that can be used by anyone who signs up to use it. Other computers require either a temporary access code or a library card to access them.

Different states have different computers to use. For example in Texas, there are privacy guards installed on the computer monitor. Privacy guards are a sun-visor like pane of glass fitted to the monitor to prevent wondering eyes. Although the computer user is able to view the monitor, other computer users nearby can not. In other states, such as Arizona, computers are out of date and require a little time and patients. In Nevada, computers use firewalls that do not allow the use of any type of communications software. However, most states allow the use of IRC.

Internet Relay Chat is a form of real-time Internet chat or synchronous conferencing. It is mainly designed for group communication in discussion forums called channels, but also allows one-to-one communication via private message, as well as chat and data transfers via Direct Client-to-Client.

The Internet opens ancient doors to forgotten lands in far away places. At the Department of Commerce, the Office of the Chief Information Officer (OCIO) and the Beuaro of Indian Affairs work diligently with The Department of the Interior to resolve information technology issues. However, that doesn’t stop you from calling New York City from New Mexico. But this isn’t any normal way of calling New York City. Internet Relay Chat uses thousands of computers that connect to one another instantaneously every hour of the day. Chances are if you decided to call New York City with your Internet Relay Chat program from a library in New Mexico, Internet Relay Chat users in New York City would know more about you than you do. Collectively, the more current information that is available to scientists allows them to draw their own conclusions more decisively.

You can quickly find out that you’re never alone where ever you may be. Ask the IRC a question. You may find that you never left the library. The easy answer could be Internet Relay Chat. But that doesn’t answer the question. Every library has an express station. The most striking feature of a library's computer resources is the computer security structure.

Some libraries use a shell program that works with the standard shell program, Windows explorer. Windows explorer is what you see when you turn on your Windows computer. Windows explorer is a graphical interface used to moves files, copy files and run software programs. For instance the library system in Las Vegas, Nevada takes advantage of Windows Explorer solely by the use of the Windows policy editor. Found more often, the library system in Huston, Texas uses a program designed to interact with Windows explorer by granting access to patrons that have a library card or temporary access code. Although policy editor can do all of these things, software designed by private companies make changes directly to the Windows registry. However, this does not mean security measures have been put in place by the library's computer network. For example in a local suburb of Huston Texas, there are no network security restrictions, yet in downtown Huston, Texas; access to the internet is restricted by the computer network and further restricted by the use of a proxy server. Proxy servers only access internet resources they are designed to access. Observing this scenario, it would seem that local governments do not have a hand in the direct designation of public computer access at all and there does not seem to be an official consortium of Library Computer Equipment policy. There are express stations everywhere. It is also true that libraries need money to stay open to the public. A library is an excellent resource for the good and many people devote their time to worthy causes not including the computer resources.

After all it was George Washington who said:

"The unity of Government, which constitutes you one people, is also now dear to you. It is justly so; for it is a main pillar in the edifice of your real independence, the support of your tranquility at home, your peace abroad; of your safety; of your prosperity; of that very Liberty, which you so highly prize"

The easy answer here is to leave the express station the way you found it, at your local library!

NetBSD Mail Server

2009-01-10T04:38:10.625-05:00

CLICK PLAY TO LISTEN TO THE PODCAST

The NetBSD project is a good place to start when looking for a mail server. Straight forward and precise, NetBSD can power some of the largest networks on the internet. To install NetBSD, follow the easy to understand installation wizard. There are several differences found in NetBSD than FreeBSD or OpenBSD.

Simply add these configuration settings to the rc.conf file in /etc

rc_configured=YES
ifconfig_fxp0=192.168.0.10/24
ifconfig_fxp1=10.1.10.100/24
sshd=YES
hostname=mail.nvita.org
sendmail_enable=yes
defaultroute=10.1.10.1
samba=YES
smbd=YES
nmbd=YES

As you can you see here, ifconfig_fxp1 incorporates the input "inet" and "netmask" but in IP notation, where the subnet mask is abriviated. These provisions are an example of how NetBSD is a viable network operating system. For example, make sure the correct default route is listed correctly. To list the correct default route, make sure the entry coresponds to the interface that will answer internet data.

If your internet service provider includes equipment which assigns a dynamic ipaddress, update the address:

dhclient fxp1

Change the new address in /etc/rc.conf

Next, install the post-fix mail system. Run the following commands:

pkg_add ftp://ftp.netbsd.org/pub/NetBSD/packages/current-packages/NetBSD-4.0/i386/All/postfix-2.6.20080903.tgz

Find the correct postfix configuration file with the find command:

find / -name "master.cf"

/usr/share/examples/postfix/master.cf
/usr/pkg/share/examples/postfix/master.cf
/usr/pkg/etc/postfix/master.cf
/usr/local/sbin/master.cf
/var/db/pkg.refcount/files/usr/pkg/etc/postfix/master.cf
/etc/postfix/master.cf

The default configuration file that postfix will use is located in the /etc directory. The master.cf configuration file determines what network interfaces to use. Here, we would like to use all the available interfaces such that users are able to send mail on the internal network as well as the external network:

vi /etc/postfix/master.cf

Press the ESC key

Type :ins

Type: smtp inet n - n - - smtpd

Strike CTRL - C

Press the ESC key

Type: wq!

Next modify the main.cf file in the /etc directory:

Type vi /etc/postfix/main.cf

Press the ESC key

Type :ins

Type:

myhostname = mail.nvita.org
inet_interfaces = mail.nvita.org
mydomain = nvita.org
myorigin = mail.nvita.org
virtual_alias_maps= hash:/etc/postfix/virtual
virtual_alias_domains = nvita.org, inverselog.com, giantfood.nl
mynetworks = 192.168.0.0/24, 127.0.0.0/8, 10.1.10.0/24

Strike the ENTER key

Strike CTRL - C

Press the ESC key

Type :wq!

Next, create the file /etc/postfix/virtual:

Type vi /etc/postfix/virtual

Press the ESC key

Type :ins

@nvita.org squirrel
mkearney@nvita.org squirrel

Strike the ENTER key

Strike CTRL - C

Press the ESC key

Type :wq!

Now create the virtual user database used by the postfix deamon:

postmap virtual

Next, add new users to the system, since you don't want to use the root account for your daily work (yes, we're serious about that!). NetBSD offers the useradd(8) utility to create user accounts. Accounts that can su(1) to root are required to be in the "wheel" group. This can be done when the account is created by specifying a secondary group:

useradd -m -G wheel squirrel

passwd squirrel

Start the postfix server:

/etc/rc.d/postfix start

Now the SMTP server should respond to quires. You can check the status of the process by using the netstat command:

netstat -a

tcp 0 0 mail.smtp *.* LISTEN
tcp 0 0 mail.smtp *.* LISTEN
tcp 0 0 localhost.smtp *.* LISTEN

If the server does not respond to your configuration, most likely you have added addtional perameters to the configuration file. If this configuration is modified for any reason, postfix will fail.

Next install a POP deamon to check the virtual mailboxes:

pkg_add -R ftp://ftp.netbsd.org/pub/NetBSD/packages/current-packages/NetBSD-4.0/i386/All/dovecot-1.1.6.tgz

Find the correct dovecot configuration with the find command:

find / -name "dovecot.conf"

/usr/pkg/etc/dovecot.conf
/var/db/pkg.refcount/files/usr/pkg/etc/dovecot.conf

The default configuration file that postfix will use is located in the /usr/pkg/etc/ directory. The dovecot.conf configuration file determines what network interfaces to use. Here, we would like to use all the available interfaces such that users are able to retrive mail on the internal network as well as the external network:

vi /usr/pkg/etc/dovecot.conf

Press the ESC key

Type :ins

protocol pop3 {
listen = *:110
}

disable_plaintext_auth = no

Strike the ENTER key

Strike CTRL - C

Press the ESC key

Type :wq!

Start the POP deamon:

dovecot start

If you would like to add additional users, use the useradd utility:

useradd -m -G wheel mkearney

passwd mkearney

Then modify the /etc/postfix/virtual file and create the database once more:

postmap virtual

Make sure your DNS server is setup correctly to direct mail to your new server. Zoneedit.com makes this easy:

Now you can configure a client e-mail program to use the new mail server. Microsoft Outlook is a fairly good client and is easy to setup.

Click Tools, Options:

Click Mail Setup, Email Accounts

Click New

Click Next and enter the account information:

Click Next

Click Next

Click Finish, Close, OK

The NetBSD mail server is now ready to send and recive mail either from the local system or Workstation clients. NetBSD is a reliable cost effective alternative operating system that can handle thousands of users. Sometimes it is more adventageous to use the Microsoft Exchange Server and use the NetBSD server as a relay host.

Exchange server is a convient mail server to use with the Microsoft Office system. It has a number of features unavailable to other mail clients and is easy to manage. For instance with Exchange server, you can backup and retrieve individual email messages from the server. However this convienince does not go without a price. Exchange server is a volitle liability that has many security flaws and is unstable within the scope of the public. It can be rendered useless in a matter of minutes and the responsiblity for an entire organization could fall on the administrator. With NetBSD and Postfix, it is possible to use Exchange server as a viable mail server.

To configure postfix to use exchange server,

Type vi /etc/postfix/main.cf

Press the ESC key

Type :ins

Type:

myhostname = mail.nvita.org
inet_interfaces = 192.168.0.10, 10.1.10.100
mydomain = nvita.org
myorigin = mail.nvita.org
relay_recipient_maps = hash:/etc/postfix/exchange
transport_maps = hash:/etc/postfix/transport
relay_domains = nvita.org, inverselog.com, giantfood.nl
mynetworks = 192.168.0.0/24, 127.0.0.0/8, 10.1.10.0/24

Strike the ENTER key

Strike CTRL - C

Press the ESC key

Type :wq!

virtual_alias_maps and virtual_alias_domains are removed. Comment them out with the pound sign:

#virtual_alias_maps= hash:/etc/postfix/virtual
#virtual_alias_domains = nvita.org, inverselog.com, giantfood.nl

inet_interfaces lists numeric ip addresses. To effect, the Postfix deamon cannot communicate across multiple interfaces if they are not specified.

Next, create the file /etc/postfix/exchange:

Type vi /etc/postfix/exchange

Press the ESC key

Type :ins

mkearney@nvita.org OK

Strike the ENTER key

Strike CTRL - C

Press the ESC key

Type :wq!

Now create the exchange user database used by the postfix deamon:

postmap /etc/postfix/exchange

Next, create the file /etc/postfix/transport:

Type vi /etc/postfix/transport

Press the ESC key

Type :ins

* smtp:squirrelserver.nvita.org

Strike the ENTER key

Strike CTRL - C

Press the ESC key

Type :wq!

Now create the transport relay database used by the postfix deamon:

postmap /etc/postfix/transport

Install Exchange Server. These settings set the Receive Connector to relay mail from the NetBSD server:

Set-ReceiveConnector -Identity "Default squirrelserver" -PermissionGroups "AnonymousUsers"

Get-ReceiveConnector "Default SQUIRRELSERVER" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON " -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Start the server. The postfix server also includes a simple mail que, which can store mail messages in the event that the Exchange server should fail. Exchange server fails and does not keep mail messages when there is not enough disk space. For example, the latest version of Exchange Server keeps 8 gigabytes of log files over a very short period of time. Acting as a backup and a go between; the postfix mail que will be delivered to the exchange server and to all Microsoft Office clients connected to the server immediately with the command:

/etc/rc.d/postfix start

Note that postfix will deny connections to the mail server if the ip address listening on the connection is not listed in "mynetworks" For example your external ip address!

More notes: Using software programs like DSPAM and Spamassasin, the NetBSD server can catch some spam emails but not all of them:

[Postfix] (LMTP) -> [DSPAM] [Postfix] -> [Microsoft Exchange] { Delivery }
|___ (SMTP Reinjection) ____|

However, it's more effective to keep your hand on the delete button.

NetBSD is a reliable operating system that is particularly useful for mail servers and other internetwork software programs, with these precise configuration settings you can implement internet and intranet mail in a few hours.

FreeBSD 7.0

2008-09-15T20:29:31.781-04:00

FreeBSD Network Address Translation DMZ

With FreeBSD, a NATD DMZ Firewall is within arms reach. FreeBSD is a free open source operating system for many different types of new or old computer equipment. It is highly configurable and easy to learn.

FreeBSD® is an advanced operating system for x86 compatible (including Pentium® and Athlon™), amd64 compatible (including Opteron™, Athlon™64, and EM64T), UltraSPARC®, IA-64, PC-98 and ARM architectures. It is derived from BSD, the version of UNIX® developed at the University of California, Berkeley. First, burn a copy of FreeBSD on a CD-ROM. The FreeBSD CD-ROM is bootable.

http://www.freebsd.org/where.html

In computer networking, Network Address Translation (NAT, also known as Network Masquerading, Native Address Translation or IP Masquerading) is a technique of transceiving network traffic through a router that involves re-writing the source and/or destination IP addresses and usually also the TCP/UDP port numbers of IP packets as they pass through. Checksums (both IP and TCP/UDP) must also be rewritten to take account of the changes. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address.

A NATD DMZ Firewall is noteworthy because it filters all the dangerous traffic from the internet into something a private network can understand. A DMZ also acts as a gateway to the internet for all machines on a private network.

To get started, install two RJ-45 network cards. Then connect a CAT-5 cable from the RJ-45 port on the first Ethernet device to a HUB. Then connect a CAT-5 cable to the second Ethernet device and connect the other end of the cable to a ethernet cable modem or a DSL modem. This device is thereby isolated from the HUB. Then connect any workstations or additional servers to the hub.

First using the installation CD, follow all the instructions. Don't give yourself a headache worrying about how to partition the hard drives. Simply delete all the slices by selecting them with arrow keys and deleting them with the "D" key. Press the "A" key to auto select the correct partition information and then press the "Q" key. The same goes for the disk structure. Press the "A" key to autoselect the correct information then press the "Q" key to save the information. The install program will then write to the partiton and copy all the data from CD-ROM to the hard disk.

Next, the installation program will ask you a few questions. Do not enable the first ethernet device or configure it to use DHCP. Select yes to enable the second ethernet device.

ENTER 192.168.0.1

would you like to configure this machine as a network gateway?>

YES

would you like to enable SSH login?

YES

do you want to have anonymous FTP access to this machine?

YES

Create a welcome message file for anoymous FTP users?

NO

Would you like to add linux binary compatablity?

YES

Like the address on your house, painted on your curb or on your mailbox; the standard protocol called TCP/IP uses a simple sequence of instructions that are simply on or off to identify a subset of secondary instructions. This matrices of 1's and 0's as a whole or in part is indicative of it's self. The mailman delivers the mail; the fire department can see your address clearly on the curb.

The "binary" (1's and 0's on or off) bits are broken into a matrices of four octets (1 octet = 8 bits). An IP address is interpreted by computers in dotted decimal format (like, 192.168.0.1). Each octet is delimited by a period (dot). The decimal value of each octet ranges from 0 to 255 or 00000000 - 11111111 in binary numbers that altogether has a value of 8 bits.

Let's say the first bit of an octet holds a value of 1 (on). The next bit in the octet matrices holds a value of 0 (off). The next holds a value of 0 (on). The next holds a value of 1(off). The next holds a value of 0(on). The next holds a value of 1(on). The next holds a value of 0(off). The last bit holds a value of 1 (on).

If all the binary bits of an octet matrices were a 1 (on), the decimal equivalent would be 255 as shown here:

1 1 1 1 1 1 1 1
128 64 32 16 8 4 2 1 (128+64+32+16+8+4+2+1=255)

More simply, the 8 bits of the binary number 10101010 (on|off|on|off|on|off|on|off) converts to the decimal number 170.

1 1 1 1 1 1 1 1 (on|on|on|on|on|on|on|on) converts to the decimal number 255

There are 8 bits in any given octet matrices.

This is an IP address in binary and that same IP address in decimal

170. 255. 255. 255 (decimal)

10101010.11111111.11111111.11111111 (binary)

For example, 10.1.23.19 is cited by Cisco Systems.

In 1996; TCP/IP oddly RESERVED a subset of binary numbers for a internal network. How or why?

"The Internet Engineering Taskforce" Contractors Request for Comments (RFC)

#1918

"With the proliferation of TCP/IP technology worldwide, including outside the internet itself, an increasing number of non-connected enterprises use this technology and its addressing capabilities for a sole intra-enterprise communications, without any intention to ever directly connect to other enterprises or the internet itself"

Operating a network is in fact indicative of it's self and the use of your own equipment communicating with TCP/IP subsequently will not acknowlege as a part or in whole the subset of equipment in places around the world.

Here is an input vector:

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

I like 192.168.0.0 because it looks classy. The 0 means all 255 addresses. We used one of them, 192.168.0.1; Although you can also use:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

A "/16" means it has more addresses to use than "/8" or "/12"; Yes I would like 1 bushel of crabs for my party. What!? they're not in season? Your catch didn't have enough regulation coke can sized keepers? You can find out the hard way that BLUE CRABS can be bought by the Chesapeake Bay, Maryland and Virginia; dungenous crabs can be bought in Seattle and are shipped worldwide; Alaskan king crabs can be bought in Alaska by the boat load and are also shipped world wide.

After entering the IP address of the second ethernet device, Select yes to use the server as a router/gateway, Select yes to enable SSH logins, and select yes to add a user. Add a user but DO NOT assign this user to any groups. Use all the default information.

Reboot.

Next, this is the most important step. If this step is not completed, older system hardware and some new hardware cannot parse data to the console correctly, especially under heavy loads and will fail. Configure the system from the console to allow you to log in as root so you can cut-and-paste with SSH.

Login as root and change to the /etc directory. Using your favorite editor, edit the group file.

Login: root
Password: *******

You should see "#"; a pound sign. The pound sign means you are logged in as root.
cd /etc

vi group

The Vi editor is easiest to use despite what you may have heard about UNIX text editors; everything is contingent upon a command line that is similar to the Shell you may be using.

Strike the ESC key:

then press the colon ":" key. This will give a command line.

Type $ ENTER

This will take you to the end of the file.

Strike the ESC key:

Then press the colon ":" key again.

Type /wheel ENTER

This will find the nearest instance of "wheel" relative to the blinking cursor position.

Strike the ESC key:

Now position the blinking cursor with the arrow keys just below the word "wheel".

Type :ins ENTER

Keep your eyes on "wheel:*:0:root" and type the same thing but add ,someuser such that you will now see:

:ins
Entering ex input mode.

wheel:*:0:root,someuser

Now strike CTRL-C

Observe what happened to the text with the Vi editor. If you make a mistake, position the blinking cursor at the beginning of the line and Strike the ESC key again.

Strike the ENTER key

Type :del

Try Again.

If a program tells you that there is an error in it, it will also tell you the line number. To go to a line:

Strike the ESC key

Type :123

This will take you to line 123

Now Save the file and exit.

Strike the ESC key.

Type :wq!

Take note that the file already has a name. And altogether you would have typed the sequence:

vi group ESC : /wheel ENTER ESC :ins ENTER wheel:*:0:root,someuser CTRL-C ESC :wq!

Your server is a delicate computational matrices that accepts input in a variety of ways. The most advantageous way to ensure the integrity of ALL of that data is to manually type and input every command and or command structure.

For example; when saving a Microsoft file by the integrated samba program, every return carriage is marked with a ^M when the ACII standard text file is viewed by your UNIX system. Although it is possible to use the CRTL-INS SHIFT-INS convention along with sub sequential standardized programming conventions; windows libraries bottlenecks and avoiding ^M's in Microsoft files altogether; the data that makes up that simple convenience is incorporated into the running system.

Taking a step further reveals striking results.

You may see: "The connection was refused when attempting to contact 0"

It all depends on where zero is. No closer to solving why there is a ^M; taking a closer look at this algebraic equation might give a little better understanding of what is happening:

(x - 3)(x - 3) = 0

f(x) = (x - 3)(x - 3)

The figure to the right plots -x along side a curiosity similar to crop circles or ^M's:

Applied, Zero minus zero is zero. If x were a zero the equation would read:>

0 multiplied by it's self is zero, zero multiplied by -3 is zero. -3 multiplied by zero is 0 and -3 multiplied by -3 is 9. 9 is equal to zero. Theoretically, now we are sure the equation, lets 9 equal to zero, because the of the inequality. However, the answer to the above equation is three, letting x equal the order of operations in standard form, then using the quadratic formula. Here are the results of some experiments with data mining where >>f(x) = -x following this kind of logic:>

http://search.netscape.com/search/search?&fromPage=NS8BrowserRoll&query=1%3B21479003

http://search.netscape.com/search/search?&fromPage=NS8BrowserRoll&query=16660284

I like the picture on the cup to the right:

http://www.pbase.com/hreinnp/image/16660284

To be fairly certain data is not garbage; like that, cut and paste data into a terminal emulator with the vi editor using the keys, CTRL-INS highlighting the text such that it is blue ... or black ... and pressing the SHIFT-INS keys. Save the file and use the "cat" command to view the data again. Now cut and paste this data into your application.

Next, after the group file has been edited to include the new user, remotely login with SSH using the new user you created with the installation program.

You can now connect to the FreeBSD server from your windows workstation by using a SSH2 program like Secure CRT.

To Pre-configure a windows workstation to use a NATD FIREWALL, follow these instructions:

Left click "My Network Places" on the Windows workstation "desktop" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.

Left click "Properties"

Next, Left click "Local Area Connection" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.

Left click "Properties"

A "Dialogue" Box will appear:

Left click "Internet Protocol TCP/IP" such that it appears to turn BLUE in color. Next, right click the properties box. A "Dialogue box" will appear.

Next, the following decimal notated "fields" are variable elements within the subset of a function where ƒ(x) = the subsequent matrices of 1's and 0's that make up communication elements between a Windows Workstation and the FreeBSD DMZ are determined.

Next; make up an "IP Address"; It could be any address... really; but I like 192.168.0.0 because it looks classy. Addresses other than:

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

are said to be "non-routable"; the internet service provider is obviously not going to GIVE you an IP address that is whole or in part the internet; ideally we must get to the internet.

Enter 192.168.0.2

Next; enter a "Subnet Mask" A subnet mask divides the matrices into sections. LOL The Subnet Mask 255.255.255.0 includes the available addresses to immediate affect.

Enter 255.255.255.0

Why is there a Default Gateway Entry? A default gateway will tell you precisely how to get to the next hop. In this case the FreeBSD DMZ is the default gateway. The only difference is the FreeBSD DMZ stays put.

In the FreeBSD console type:

ifconfig fxp1

fxp1: flags=8843 mtu 1500
options=8
inet6 fe80::290:27ff:feac:9085%fxp1 prefixlen 64 scopeid 0x2
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:90:27:ac:90:85
media: Ethernet autoselect (100baseTX)
status: active

The section "inet" is the default gateway.

Enter 192.168.0.1

The next "field" is "Preferred DNS Server" now this is very dangerous.

Given that when information is contrived, it is again whole or in part, indigent; indicative of self loathing. What information do we have about DNS servers?

Do you remember the Internet Service Provider's Instructions? What were they? What will they be?

Enter 68.87.73.242

Click the OK button

Click the Close Button

Now use a windows program like Secure CRT to access the SU program to login to the root account which will enable you to parse all data correctly.

su -l root

You should see "#"; a pound sign. The pound sign means you are logged in as root.

There are several ways to make a working NATD firewall but so far I have only been able to do it one way:

Make a copy of the GENERIC kernel and add these lines
to the GENERIC file in /usr/src/sys/i386/conf/

cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/SQUIRREL

vi /usr/src/sys/i386/conf/SQUIRREL

options IPFIREWALL

options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT

options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD

2. Change to the /usr/src directory:

cd /usr/src

3. Compile the kernel:

make buildkernel KERNCONF=SQUIRREL

While the kernel is compiling, do not interrupt the terminal

You can stop this process at anytime by pressing CTRL-C

Building a new kernel takes about two hours to complete with a quad 533mhz pentium III Xeon server. Don't give up even though the terminal may look like it has stopped.

4. Install the new kernel:

make installkernel KERNCONF=SQUIRREL

The new kernel should auto recognize ALL of the hardware
devices on the working system, including multiple network
cards. Connect to the internet however you connect to it
through the first Ethernet device.

If you run into problems, remember ISP's use DHCP to assign
new network addresses to customers unless you request a
static IP.

1. first set up the DNS servers:

edit or create the file /etc/resolv.conf :

vi /etc/resolv.conf

search hsd1.va.comcast.net.
nameserver 68.87.73.242
nameserver 68.87.71.226

2. Use the ISP's windows software to register a new account like Comcast; this step is IMPERATIVE. For instance the Comcast cable modem switched network is FULL of windows computers and will not understand what you are doing at all; including but not limited to the help-desk technicians. If you are unsure about anything!; ask the representative to GUIDE you through the WINDOWS installation regardless. Make sure you follow ALL of their instructions to the LETTER.

Then disconnect and change your network cards physical address to your windows machine:

START->RUN->"CMD"

C:\ipconfig /all

Physical Address. . . . . . . . . : 00-08-74-15-61-07

Write this address, 00-08-74-15-61-07 down somewhere

Now edit the file /etc/rc.conf

vi /etc/rc.conf

ADD ALL THESE LINES AND REMOVE DUPLICATE ENTRIES IN THIS EXACT ORDER:

ifconfig_fxp0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
alias_address="76.111.89.19"
natd_interface="fxp0"
hostname="freebsd.nvita.org"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
tcp_extensions="YES"
lpd_enable="YES"
natd_flags="-f /etc/natd.conf"
usbd_enable="YES"

Now that these services are registered to start at boot up
reboot the FreeBSD computer; It won't know what vectors to use until it is rebooted:

Press CTRL-ALT-DELETE if you're still a windows person

OR

If I have thoroughly persuaded you type:

shutdown now

Press the ENTER key

#

Press the off button on the console

3. When the computer is rebooted log in as root and manually request a DHCP lease from the ISP and check connectivity using lynx

Whooo @@!...

Physical Address. . . . . . . . . : 00-08-74-15-61-07

Did you get that from the ISP??

Now type:

ipfw -f flush

ifconfig fxp0 ether 00:08:74:15:61:07

dhclient fxp0

DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 4
DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 8
DHCPOFFER from 10.240.217.1
DHCPREQUEST on fxp0 to 255.255.255.255 port 67
DHCPACK from 10.240.217.1
bound to 76.111.89.19 -- renewal in 102668 seconds.

Now edit the file /etc/rc.firewall and input the new data into the integrated firewall sub-script. Find and replace the following lines under the SIMPLE section defined in rc.conf with the new data:

# set these to your outside interface network and netmask and ip
oif="fxp0"
onet="76.111.89.0"
omask="255.255.255.0"
oip="76.111.89.19"

# set these to your inside interface network and netmask and ip
iif="fxp1"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

setup_loopback

This file is somewhat complex and difficult to read. rc.firewall is the built-in configurable firewall script included with the FreeBSD distribution. According to the entries made in order in rc.conf; rc.firewall will load entries into a program called ipfw. ipfw is the FreeBSD firewall control program. The previous modifications listed are the only necessary modifications to be made to the file so long as rc.conf is edited with the changes listed in order above. This is fairly exclusive, not many operating systems can do this straight away. The following example makes a working packet stateful firewall that forwards requests on the external interface to several machines on a internal interface. Enter the following in the SIMPLE section of /etc/rc.firewall:

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 21 setup
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${oip} 87 setup
${fwcmd} add pass tcp from any to ${oip} 88 setup
${fwcmd} add pass tcp from any to ${oip} 8080 setup
${fwcmd} add pass tcp from any to ${oip} 31337 setup
${fwcmd} add fwd 192.168.0.3,87 tcp from ${oip} to any 87
${fwcmd} add fwd 192.168.0.6,80 tcp from ${oip} to any 88
${fwcmd} add fwd 192.168.0.3,80 tcp from ${oip} to any 31337

#Deny SMB shares and printer on external interface
${fwcmd} add deny tcp from any to ${oip} 139 in
${fwcmd} add deny tcp from any to ${oip} 445 in
${fwcmd} add deny tcp from any to ${oip} 515 in

Next it is very likely that once you have requested the DHCP lease address from the internet service provider's DHCP pool, that you will receive the same address issued to your MAC address:

00:08:74:15:61:07

Again please do not bother the internet service provider with extraneous information they do not understand; and their computers do not understand. Complete the windows installation FIRST; and every time you have a problem connecting.

Next test connectivity with the lynx web-browser. The lynx web-browser is not included by default. Use the pkg_add utility to install it from a remote source now that internet service is running via fxp0:

Type pkg_add -r lynx

Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/lynx.tbz... Done.

Type lynx http://www.google.com

You should see a webpage:

Web Images Maps News Shopping Gmail more v Video Groups Books Scholar Finance Blogs
YouTube Calendar Photos Documents Reader
even more »

iGoogle | Sign in

Google

_______________________________________________________
Google Search I'm Feeling Lucky Advanced Search
Preferences
Language Tools

Advertising Programs - Business Solutions - About Google

©2008 Google

Now, the next step is tricky. We have to get natd to initialize on the interface by doing a DHCP request before it does anything else. The request will fail at boot time but the setup will not.

edit /etc/rc.conf one more time but add the following entry at the very top:

ifconfig_fxp0="ether 00:08:74:15:61:07"

If natd fails for ANY reason it will not re-intialize. Add to but do not take away from it. Write an empty file
vi /etc/natd.conf ESC wq!
There are no logs.

Next issue the shutdown command from the SSH terminal but this time add the -r or reboot flag.

shutdown -r now

When the server reboots issue the following commands one more time:

ifconfig fxp0 ether 00:08:74:15:61:07

dhclient fxp0

Check connectivity using the lynx browser. You should now see a webpage without using the ipfw -f flush command. This means natd has been parsed correctly.

The Client Server Model is simple. Don't make things hard on yourself.

There is a Client; and a Server ... I am talking to you; you are talking to me; now you are talking to me and I am listening. Talking at the same time is not productive at all. LOL

Each Server PROGRAM uses a "kernel" or matrices of data that in turn uses a language to communicate to the Client PROGRAM. That's it.. nothing special; CTRL-C

The most common language is TCP/IP; TCP/IP protocol uses what are called PORTS to accommodate 44529 Server PROGRAMS on any given KERNEL.

Each server program that has a running corresponding TCP/IP port can be viewed with the command:

netstat -a

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 squirrel.squirre.8649 192.168.0.6.4505 TIME_WAIT
tcp4 0 0 squirrel.squirre.8649 192.168.0.6.4501 TIME_WAIT
tcp4 0 0 squirrel.squirre.8649 192.168.0.6.4497 TIME_WAIT
tcp4 0 0 squirrel.squirre.8649 192.168.0.6.4493 TIME_WAIT
tcp4 0 0 squirrel.squirre.8649 192.168.0.6.4489 TIME_WAIT
tcp4 0 0 squirrel.squirre.ssh 192.168.0.2.1261 ESTABLISHED
tcp4 0 0 squirrel.squirre.netbi 192.168.0.2.1030 ESTABLISHED
tcp4 0 0 *.ftp *.* LISTEN
tcp4 0 0 *.* *.* CLOSED
tcp46 0 0 *.http *.* LISTEN

This output details the gmond client on port 8649; the ssh server, the netbios SMB server (samba), the FTP server, and the Apache http server. Port nothing is closed. Standardized ports list their names instead of the port number. For example, ssh is port 22, netbios is port 139, ftp is port 21, and http is port 80

Each server program is also assigned a process ID. This process ID makes it easy for the Administrator to stop and start server and client programs. You can view all the processes running on the FreeBSD server by using the top program.

top

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
64397 mysql 4 20 0 42548K 20396K kserel 42:36 0.00% mysqld

282 root 1 96 0 2488K 1972K select 36:40 0.00% natd

In this example, 64397 is the "mysql" PID and 282 is the "natd" PID

Press CTRL-C to exit the TOP program.

Server programs usually include startup and stop scripts. Each startup and stop script not incorporated by the FreeBSD server can be started at boot time by using astart.sh.

find / -name "astart.sh"

vi /usr/local/etc/rc.d/astart.sh
kldload accf_http
mount -t linprocfs linprocfs /compat/linux/proc
/usr/local/share/mysql/mysql.server
/usr/local/apache2/bin/apachectl start
/usr/local/sbin/apache-tomcat-6.0.18/bin/startup.sh
/usr/local/samba/sbin/smbd
/usr/local/samba/sbin/nmbd
/usr/local/bin/tor --runasdaemon 1
/usr/local/sbin/ganglia_gmond/ganglia-3.1.0/gmond/gmond --conf /usr/local/sbin/ganglia_gmond/ganglia-3.1.0/gmond/gmond.conf

To start a server process, use it's control script. To stop a server process, use that very same control script.

For example to start a samba server:

/usr/local/etc/rc.d/samba.sh.sample start

To stop the samba server:

/usr/local/etc/rc.d/samba.sh.sample stop

To stop an internal process that does not incorporate a control script, view the output of the top program and issue the command:

kill -TERM processid

For example:

kill -TERM 64397

Some programs neither have a control script nor a PID that is listed by the top program. In this case, find the standardized .pid file created by the program that you want to stop. The .pid file only contains a PID number.

find / -name "*.pid"

/usr/local/sbin/ezbounce/ezbounce-1.04c/ezbounce.pid
/usr/local/sbin/mysql-5.0.51a-freebsd6.0-i386/data/c-98-204-175-23.hsd1.va.comcast.net.pid
/usr/local/apache2/logs/httpd.pid
/var/run/natd.pid
/var/run/devd.pid
/var/run/syslog.pid
/var/run/sshd.pid
/var/run/tor/tor.pid
/var/run/cron.pid
/var/run/smbd.pid
/var/run/nmbd.pid
/var/run/rinetd.pid

cat /usr/local/sbin/ezbounce/ezbounce-1.04c/ezbounce.pid

33047

kill -TERM 33047

rm -rf /usr/local/sbin/ezbounce/ezbounce-1.04c/ezbounce.pid

The process is started by it's execution and is terminated by the kernel level command "kill"

While you are logged on as the root, you can create additional users. Create a user name "squirrel". Optionally, this username can be the source directory for server programs like the samba SMB server.

Type in a console:

adduser

Username: squirrel

After each entry is complete press the ENTER key. The default entry is the ENTER key.

Full name: squirrel

Uid (Leave empty for default):

Login group [squirrel]:

Login group is squirrel. Invite squirrel into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/squirrel]:
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password: password
Enter password again: password
Lock out the account after creation? [no]:
Username : squirrel

Password : *****

Full Name : squirrel

Uid : 1005
Class :
Groups : squirrel
Home : /home/squirrel

Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (squirrel) to the user database.
Add another user? (yes/no): no
Goodbye!

to login as "squirrel" Type:

su -l squirrel

Login as root again:

su -l root

FreeBSD incorporates a "SMB" server that like windows; takes hours of deduction to make it work efficiently as an "Active Directory". Input vectors and other factors contribute to a working Active Directory matrices. Ideally, eliminating SMB netbios broadcasts with a WINS server will drastically improve the efficiency of a small or very large network because every Windows user believe it or not; makes a netbios broadcast at polled intervals adding each new vector to the local or switched traffic.

To install the latest version of samba:

Type cd /usr/local/sbin/

Type lynx http://us3.samba.org/samba/ftp/stable/

Scroll down to the latest version. They are not listed in order by the latest version but by the version number from greatest, latest; least, older.

Select the latest version number in .tar.gz format

Press the enter button

Press the D key

Press the down arrow key to "Save to disk"

Press the enter key

Press the enter key

Press CTRL-C to exit the lynx program

Exiting via interrupt: 2 ...

gunzip samba-NN.tar.gz

Where NN equals the version number of the file name

tar -xvf samba-NN.tar

Go to the newly created directory

cd samba-NN

Go to the source directory

cd source

Compile samba:

./configure

make

make install

The newer version of samba does not include a default configuration file. The server(s) will look for the configuration file in:

/usr/local/samba/lib/smb.conf

Add all these lines to create a simple share level file server:

vi /usr/local/samba/lib/smb.conf

[global]
interfaces = fxp1, 192.168.0.1/255.255.255.0
workgroup = WSQUIRRELSERVER
load printers = yes
log file = /var/log/log.%m
max log size = 50
security = share
SO_RCVBUF=8192

SO_SNDBUF=8192
socket options = TCP_NODELAY

[homes]
comment = Home Directories
browseable = yes
writeable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
guest ok = no
writeable = no
printable = yes

[squirrel]
comment = Webserver
public = yes
browseable = yes
writeable = yes
printable = no
path = /usr/home/squirrel

The /usr/home/squirrel directory is the home directory of the user squirrel on the FreeBSD server.

Next make sure you are logged in as root and assign the top level directory specified in the path directive of smb.conf to the nobody group
the "." means the top level directory

cd /usr/home/squirrel

chown nobody .

dr-xr-xr-x 5 nobody operator 512 Mar 14 2007 .
drwxr-xr-x 4 root wheel 512 Mar 1 2007 ..

assign the secondary dir ".." to root.wheel

chown root ..

chgrp wheel ..

Now the user squirrel has access to his or her files via the Samba SMB share level server.

Next create the "pub" directory

mkdir /usr/home/squirrel/pub

chown nobody /usr/home/squirrel/pub

The pub directory will store all of the user ~squirrel 's web server documents.

The nobody group does not exist so no one has rights to write to it but the samba server.

Start the samba server:

/usr/local/samba/sbin/smbd
/usr/local/samba/sbin/nmbd

Now that the samba server is complete; you can configure the client workstations:

Left click "My Computer" on the Windows workstation "desktop" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.

Left click "Map Network Drive"

A "Dialogue" Box will appear:

Left click the check box "Reconnect at logon"

A check mark will appear.

Next, click the "Browse.." button

A dialogue box will appear:

Double click "Microsoft Windows Network" such that it appears to turn BLUE in color and expands into directory tree.

Netbios broadcasts are turned on by default and the "Microsoft Windows Network" will expand into a directory tree that includes the SMB broadcast messages made by the samba server. The first 14 characters of the name specified in /etc/rc.conf will determine the name the samba includes in SMB broadcast messages.

/usr/local/etc/smb.conf specifies the name of the share windows computers will read. The name of the share we would like to access is "pub" a subfolder of the "squirrel" share specified in "/usr/local/etc/smb.conf"

Left click "pub" such that it appears to turn BLUE in color.

Click the "OK" button.

Click "Finish"

Windows will now display the contents of the samba share as a network drive.

Double left click "My Computer" on the windows desktop. You should see:

Now you have successfully configured your windows workstation!

You can now connect to the FreeBSD server from your windows workstation by using a SSH2 program like Secure CRT and access network data from a windows worksation easily.

What about a .com or a domain?

Visit:

http://www.e3internet.com/

There you can buy a domain name that is updated by the .root DNS servers

http://www.godady.com

Specializes in inexpensive domain names.

http://www.zoneedit.com/signup.html?

Sign up for free to use their DNS servers to direct a domain like giantfood.nl to a cable modem

ROOT SERVERS NET

IP ADDRESS <--->DNS SERVER<----> IP ADDRESS

Since it's impractical and not conical to use numbers to remember your favorite internet computer; domain names are names; furthermore remembering numbers and numerology is drastically different than phonetics. Microsoft.com is a domain. The difference is that there is a UNIVERSAL _root_servers RECORD which must be maintained and that is where the fee is involved; fees are different depending upon their schedule of services. This initial fee; for instance; the figure $5.95 /yr makes up any number of centralized services by the domain name solicitor to sell the computer name to you and successfully stay in contact with the universal world wide ROOT SERVERS NET. Obviously they are redundant; but having run a DNS server myself; it begins to cache the records it does have until it is restarted; then they are erased. How do you prove this? Run the command:

tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 53 > dns_server

Very strange... If the output is compared and contrasted over several days you can conclude the "bind" DNS server while staying in contact with other DNS servers is DRASTICALLY more efficient.

It is therefore more advantageous to use a DNS server that has been sitting somewhere for years making billions of queries. However; recently, Network Solutions has made it nearly impossible to register your own DNS server. It used to be listed there in the automated forms; but is no longer there:

For instance: inverselog.com would be registered initially with the ROOT servers net by internic; then subsequent records held by network solutions would forward requests to your DNS server ns1.inverselog.com. The ns1.inverselog.com record would cache requests between you and network solutions and network solutions would cache requests with ROOT servers net and you could use ns1.inverselog.com and ns2.inverselog.com to register as many domain names as you want. So who runs ROOT servers net?

Aberdeen man!

Anyway, with a cable modem you still don't get a REVERSE delegation unless you need one; that's where it gets military; I guess it's ok with the TV. Oddly, if you have a dialup modem you can get a reverse DNS delegation. For instance all the requests sent to any other server on the internet will know that you ARE

giantfood.nl;

in this case with the cable modem YOU ARE

c-69-140-254-181.hsd1.va.comcast.net

Type ifconfig fxp0

fxp0: flags=8843 mtu 1500
options=8
inet6 fe80::290:27ff:feac:85d4%fxp0 prefixlen 64 scopeid 0x1
inet 98.218.14.92 netmask 0xffffff00 broadcast 255.255.255.255
ether 00:08:74:15:61:07
media: Ethernet autoselect (100baseTX )
status: active

"98.218.14.92"

I told E3 internet who keeps up with incendiary .nl and .de domain name servers that my primary and secondary DNS servers are with free service, zoneedit.com

Next an exclusive UNIX program called Apache can serve as a "web server" The Apache webserver is exclusive because it can host what are called "Virtual Hosts" and "Proxy URL's"

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Next, it is also advantageous to take advantage of Personal home Page, and HTML-embedded scripting language. (PHP) Along with the Apache project, it was originally designed for simple home page development. PHP has evolved to become and extended scripting language more capable than CGI (Common Gateway Interface) and SSI (Server Side Includes).

Thousands of Scripts can be downloaded from around the entire world which includes any number of complex program structures.

Collectively, you can design a PHP "script" which will leave you awestruck.

"Hot Scripts" is an excellent resource for many different kinds of PHP scripts.

http://www.hotscripts.com/PHP/Scripts_and_Programs/index.html

The Apache web server project has a contingency to become not only a server program that replies favorably to countless client software programs called web-browsers; but a project that delivers enhanced features. One of those features is the ability to use a secondary computer program to generate additional content. PHP uses the "DSO" "module" a module is a flexible internal function of the Apache web server. CGI (Common Gateway Interface) uses the PERL program (Practical Extraction and Reporting Language). Both CGI and PHP can be used concurrently on a Apache web server.

In 1989, Tim Berners-Lee proposed to his employer CERN (European Organization for Nuclear Research) a new project, which had the goal of easing the exchange of information between scientists by using a hypertext system.

A Web-Server or "hypertext system", although inherently indicative of it's self; allows scientists to draw their own conclusions more decisively. Wiki-pedia is an excellent example collection of current encylopedia aritcles that are published on the world wide web from thousands of contirbutors.

Copyrights by Wiki-pedia and Cisco Systems and this Web-server are all a subset of nvita.org. Tim Berners-Lee and CERN; are a subset of Wiki-pedia. In grade school, it is generally known that copyrighted material from a text book or any other source whether it's copyrighted or not is to be summarized and or paraphrased to demonstrate a degree of comprehension. In this case however, things can become somatic and it is important to be decisive and move forward quickly. For example, in many movies people are thrown through glass windows. That's not real glass, it's glass made of sugar that can be easily broken right? Analysis and deduction IS complicated and in some cases carries with it serious consquences and sacrifices. If you have dedicated yourself to staring in an action film where you have been thrown through glass made of sugar, chances are you would remember it. Can you avoid being thrown through a real glass window by being thrown through a window made of sugar? You and I know; not she and he ... LOL

First download and unzip the latest version of Apache:

Type in a console:

cd /usr/local/sbin/

lynx http://httpd.apache.org/download.cgi

or lynx (press the G key) http://httpd.apache.org/download.cgi

Press the down arrow key to "httpd-2.2.8.tar.gz"

Press the enter button

Press the D key

Press the down arrow key to "Save to disk"

Press the enter key

Press the enter key

Press CTRL-C to exit the lynx program

Exiting via interrupt: 2 ...

gunzip httpd-2_0_NN.tar.gz

Where NN equals the version number of the file name

tar -xvf httpd-2_0_NN.tar

Type in a console:

lynx http://www.php.net/downloads.php

Press the "Y" key to allow all cookies

Press the down arrow key to select the latest version in tar.gz format:

Complete Source Code

PHP 5.2.5 (tar.gz)

Press the enter key

Press the down arrow key to select a download mirror:

us.php.net

Press the enter key

Press the down arrow key to "Save to disk"

Press the enter key

Press the enter key

Press CTRL-C to exit the lynx program

Exiting via interrupt: 2 ...

Type where NN equals the version number of the file name

gunzip php-NN.tar.gz

tar -xvf php-NN.tar

The Apache web server can load secure socket layer encryption as part of the 2.0 release, independent of what are called loadable modules. In order to use SSL, the --enable-ssl flag must be specified at the FreeBSD configure command line. This will comple apache webserver with SSL. Loading the kernel with special arguments separate in features to the arrangement or order of reference specified by Apache in relation to the system kernel are null.

Type in a console where NN equals the version of the file:

cd httpd-2_0_NN

./configure --enable-so --enable-ssl

make all

make install

Next start the apache webserver:

/usr/local/apache2/bin/apachectl start

Next test the new server with the lynx browser:

lynx http://127.0.0.1

You should see "it worked" if it worked.

Press CRTL-C

Next stop the apache webserver:

/usr/local/apache2/bin/apachectl stop

Next it also advantageous to take advantage of the MySQL server. The SQL server project is related to the PHP project in so much they work closely together in many different ways. Primarily, MySQL is offered under license with no cost. Like any project, improvements are always made and are released accordingly. However, it's development can be linked all the way back to IBM in 1975. Using MySQL is frustrating and tedious, therefore it is tailored by many different operating system kernels as part of a new release.

Now, if you want to buy a pair of pants with a straight leg and no cuffs; buy a pair of DOCKERS . For example, it would be difficult to explain to the salesman that you want to buy pants with no alterations.

A 30-day evaluation version of MySQL server is free to download from the official MySQL website.

To install MySQL on FreeBSD; use the FreeBSD pgk_add command. pkg_delete deletes a package. pkg_add is also somewhat frustrating to use because if the kernel were updated, the correct repository is used automatically. However, if the FreeBSD kernel is outdated it will use an outdated source.

In a terminal .. type pkg_add -r mysql

Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/mysql.tbz: File unavailable (e.g., file not found, no access)

pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/mysql.tbz' by URL

Where's that mysql server?

Try:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/mysql-server-4.0.27.tbz

First you must determine how many I nodes are free. I-nodes create directory entries on a disk partition; just like it is necessary to make sure a network cable is seated securely; a power cord is plugged into the power source firmly; (unplugging a power cord and plugging it back into THE power grid) or the RJ-45 wall plate has a connection to the local hub.

Type: df -hi

Filesystem iused ifree %iused Mounted on
/dev/aacd0s1a 4483 61307 7% /

devfs 0 0 100% /dev

/dev/aacd0s1e 3848 61942 6% /tmp

/dev/aacd0s1f 306459 2378467 11% /usr

/dev/aacd0s1d 282621 1 100% /var

The default is to create an inode for every (4 * frag-size) bytes of data space. If fewer inodes are desired, a larger number should be used; to create more inodes a smaller number should be given. One inode is required for each distinct file, so this value effectively specifies the average file size on the file system.

You can see by the output of df we have only 1 I-node free on the /var file system. It is easy to say that we can agree and never change; but it far better to know that we have lived than never loved.

The matrices reads; /var has only one inode free.

Type cd /var

mkdir shoes

/var: create/symlink failed, no inodes free

You can use google to find out what that means:

http://www.google.com/search?hl=en&q=%2Fvar%3A+create%2Fsymlink+failed%2C+no+inodes+free&btnG=Google+Search

The FIRST listing tells us more information about i-nodes:

http://lists.freebsd.org/pipermail/freebsd-questions/2004-May/045547.html

"Short-term, the solution is to delete some files off your /var partition."

Type ls -la /var/spool/clientmqueue

drwxrwx--- 2 smmsp smmsp 264 May 22 20:56 /var/spool/clientmqueue

How do you reproduce that entry if you delete it?

Try google:

http://www.google.com/search?hl=en&q=chmod+drwxrwx---&btnG=Google+Search

http://forums.macosxhints.com/archive/index.php/t-3359.html

"Whoops, sheer laziness and cut and paste got the best of me. Yes, my perms are thus:

drwxrwx--- 2 smmsp smmsp 264 May 22 20:56 /var/spool/clientmqueue

I figured that this:

"sendmail must be a set-group-ID (default group: smmsp, recommended
gid: 25) program to allow for queueing mail in a group-writable
directory"

meant that the perms on sendmail should be:

-r-xr-sr-x

not

-r-sr-xr-x

in order to be able to write to a group writable dir. Of course, I've done 'sudo chmod g-w /' anyway. Ow this unix 'ease of configuring' is making my head hurt. Ok, I ain't touchin nuthin, (until I do some post graduate studies in computer science and am able to understand the sendmail.org page) since sendmail is working. Thanks for the warning"

Now that we have a better idea of what to do about it:

Type rm -rf /var/spool/clientmqueue

Type vi /var/spool/clientmqueue

Press the ESC key

Type :wq!

Type chmod -r-xr-sr-x /var/spool/clientmqueue

Type chown smmsp /var/spool/clientmqueue

Type chgrp smmsp /var/spool/clientmqueue

df -hi

Filesystem iused ifree %iused Mounted on
/dev/aacd0s1a 4483 61307 7% /

devfs 0 0 100% /dev

/dev/aacd0s1e 3848 61942 6% /tmp

/dev/aacd0s1f 306459 2378467 11% /usr

/dev/aacd0s1d 217794 64828 77% /var

64,827 i-nodes were used for the data file clientmqueue; clientmqueue is a data file ....

Now that they are free type:

pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/mysql-server-4.0.27.tbz

Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/mysql-server-4.0.27.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/mysql-client-4.0.27.tbz... Done.
mysql:*:1004:
You already have a group "mysql", so I will use it.
mysql:*:1004:1004::0:0:MySQL Server:/home/mysql:/bin/sh
You already have a user "mysql", so I will use it.
Mysql is now installed correctly.

Now we can complete the PHP portion of the installation. PHP has a secondary libarary that can draw pictures in gif, jpeg, png and xpm formats dynamically. This project called "GD" is important to a large majority of different PHP scripts. GD can create dynamic images; images that do not need to be created by a secondary graphical interface program, but a few instructions to the FreeBSD kernel using the PHP language. PHP is not a standard access nomenclature like dynamic link libraries are to windows (.DLL) and many times will fail for one reason or another. Not very much attention is given to it's limits. Like any library; GD is difficult to install and anything more than installing GD as far as PHP goes is extremely difficult. To get a head start by installing the GD library, there are pre-requisites:

Type where NN equals the version number of the file name:

cd /usr/local/sbin/

ftp ftp://ftp.uu.net/graphics/jpeg/jpegsrc.v6b.tar.gz

gunzip jpegsrc.v6b.tar.gz

tar -xvf jpegsrc.v6b.tar

cd jpeg-6b

./configure --enable-shared

make all

make install

cd /usr/local/sbin

lynx http://prdownloads.sourceforge.net/libpng/libpng-1.2.26.tar.gz?download

gunzip libpng-1.2.26.tar.gz

tar -xvf libpng-1.2.26.tar

cd libpng-1.2.26

./configure

make all

make install

cd /usr/local/sbin

ftp ftp://metalab.unc.edu/pub/Linux/libs/X/libXpm-4.7.tar.gz

gunzip libXpm-4.7.tar.gz

tar -xvf libXpm-4.7.tar

cd xpm-3.4g

xmkmf

make Makefiles

make includes

make depend

make

make install

cd /usr/local/sbin

lynx http://download.savannah.gnu.org/releases/freetype/freetype-2.3.5.tar.gz

guznip freetype-2.3.5.tar.gz

tar -xvf freetype-2.3.5.tar

cd freetype-2.3.5

./configure

make all

make install

Now that all font libraries and additional libraries for different types of images have been installed; the GD project can be installed:

cd /usr/local/sbin

lynx http://www.libgd.org/releases/gd-2.0.35.tar.gz

gunzip gd-2.0.35.tar.gz

tar -xvf gd-2.0.35.tar

cd gd-2.0.35

./configure

After running the configure script you should see the following:

** Configuration summary for gd 2.0.34:

Support for PNG library: yes
Support for JPEG library: yes
Support for Freetype 2.x library: yes
Support for Fontconfig library: yes
Support for Xpm library: yes
Support for pthreads: yes

make all

make install

cd /usr/local/sbin

Type where NN equals the version number of the file name:

cd php-NN

Configure scripts have many options, most of those options can be found by scrolling through a .configure file.

ON ONE LINE type the following:

./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql --with-gd=/usr/local

--enable-gd-native-ttf --with-jpeg-dir=/usr/local/lib --with-zlib-dir=/usr/local/lib --with-png-dir=/usr/local/lib --with-xpm-dir=/usr/local/lib --with-freetype-dir=/usr/local/lib

make all

make install

As you can see here, PHP has incorporated some of the GD project into it's release version. Although it was orignially named "GIF draw" the project is part of the PHP project which in turn is part of the C programming language developed in 1972 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system. C has since spread to many other platforms including FreeBSD.

Your PHP installation is now complete.

Next, To use a webserver on an internal network with one IP address, there must be a catalyist to process the http request by the external firewall. The Apache webserver has a module to process a "Virtual Host" and a internal "Proxy"

To compile a PROXY module, "axps" from the inital unziped tarball directory will allow you to do this:

mod_proxy.so requires TWO source files:

cp /usr/local/sbin/httpd-2.2.8/modules/proxy/mod_proxy.c /usr/local/apache2/modules/mod_proxy.c

cp /usr/local/sbin/httpd-2.2.8/modules/proxy/proxy_util.c /usr/local/apache2/modules/proxy_util.c

Set the $apachehome directory so that the .c sourcefiles (independant of any local ./configure) do not need to be modifiled:

set apachehome=/usr/local/apache2/

Compile with axps:

$apachehome/bin/apxs -i -a -c /usr/local/apache2/modules/*proxy*.c

Compile these additional modules with axps:

cp /usr/local/sbin/httpd-2.2.8/modules/proxy/mod_proxy_http.c /usr/local/apache2/modules/mod_proxy_http.c

/usr/local/apache2/bin/apxs -i -a -c /usr/local/apache2/modules/mod_proxy_http.c

cp /usr/local/sbin/httpd-2.2.8/modules/filters/mod_deflate.c /usr/local/apache2/modules/mod_deflate.c

/usr/local/apache2/bin/apxs -i -a -c /usr/local/apache2/modules/mod_deflate.c

cp /usr/local/sbin/httpd-2.2.8/modules/metadata/mod_headers.c /usr/local/apache2/modules/mod_headers.c

/usr/local/apache2/bin/apxs -i -a -c /usr/local/apache2/modules/mod_headers.c

Now add these entries into httpd.conf and remove any duplicate entries:

LoadModule php5_module modules/libphp5.so
LoadModule proxy_module modules/mod_proxy.so
LoadFile /usr/lib/libz.so
AddOutputFilterByType DEFLATE application/x-javascript text/javascript text/css
LoadModule deflate_module modules/mod_deflate.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
AddType image/gif .gif .GIF
AddType image/ief .ief
AddType image/jpeg .jpeg .jpg .jpe .JPG
AddType image/tiff .tiff .tif
AddType image/png .png .PNG

IfModule dir_module

DirectoryIndex index.html index.php

/IfModule

Directory /usr/local/apache2/icons/

Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
Directory

Alias /icons/ "/usr/local/apache2/icons/"
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
AddType image/gif .gif .GIF
AddType image/ief .ief
AddType image/jpeg .jpeg .jpg .jpe .JPG
AddType image/tiff .tiff .tif
AddType image/png .png .PNG

IndexOptions FancyIndexing +VersionSort

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

DocumentRoot /usr/local/apache2/htdocs
ProxyPass /novell/ http://192.168.0.6:80/web/
ProxyPassReverse /novell/ http://www.nvita.org:88/

Directory /usr/home/squirrel/pub/cgi-bin/

Options None
Order allow,deny
Allow from all
/Directory

ScriptAlias /cgi-bin/ "/usr/home/squirrel/pub/cgi-bin/"

NameVirtualHost *:80

The following entries are example entries:

VirtualHost *:80

ServerName 76.111.89.19
DocumentRoot "/usr/home/squirrel/pub"
Alias /space "/usr/home/squirrel/incomming"
AccessFileName .htaccess
/VirtualHost

VirtualHost *:80

ServerName c-76-111-89-19.hsd1.va.comcast.net
DocumentRoot "/usr/home/squirrel/pub"
Alias /space "/usr/home/squirrel/incomming"
AccessFileName .htaccess
/VirtualHost

VirtualHost *:80

ServerName www.inverselog.com
ServerAlias inverselog.com *.inverselog.com
DocumentRoot "/usr/home/squirrel/pub/blog/cmsmadesimple"
UseCanonicalName On
ProxyVia Off
ProxyPass /cpu/ http://192.168.0.6:80/web/
ProxyPassReverse /cpu/ http://www.inverselog.com:88/
AccessFileName .htaccess
/VirtualHost

VirtualHost *:80

ServerName www.giantfood.nl
ServerAlias giantfood.nl *.giantfood.nl
UseCanonicalName On
ProxyVia Off
ProxyPass / http://192.168.0.3:80/
ProxyPassReverse / http://giantfood.nl:31337/
/VirtualHost

VirtualHost *:80

ServerName www.nvita.org
ServerAlias nvita.org *.nvita.org
UseCanonicalName On
ProxyVia Off
ProxyPass / http://192.168.0.3:87/
ProxyPassReverse / http://www.nvita.org:87/
/VirtualHost

Then you can start apache with the command:

kldload accf_http (the build reports an error if this command is
not issued)

/usr/local/sbin/apache2/bin/apachectl start

In this senerio, Apache 2 acts as a PHP MySQL enabled websever using a virtual host that forwards requests to a Microsoft Internet Information Server on an internal network. An article is also published about Internet Information Server on this website for more information.

Now you can take advantage of PHP and download some scripts. For example download and install the CMS made simple project. CMS made simple includes a content management system with user rights so friends and colleagues can edit selected pages directly on the website. The package is free and includes optional features as well as various themes.

cd /usr/home/squirrel/pub/blog

lynx http://dev.cmsmadesimple.org/frs/download.php/1928/cmsmadesimple-1.2.4.tar.gz

gunzip cmsmadesimple-1.2.4.tar.gz

tar -xvf cmsmadesimple-1.2.4.tar

Prepare MySQL server for first use:

/usr/local/bin/mysql_install_db

chown mysql /var/db/mysql/mysql
chown mysql /var/db/mysql/mysql/.
chown mysql /var/db/mysql/mysql/..
chown mysql /var/db/mysql/mysql/*

Start MySQL server:

/usr/local/share/mysql/mysql.server

Deny access to MySQL from external interface:

ipfw add deny tcp from any to 76.111.89.19 3306 in

Add the entry to /etc/rc.firewall:

${fwcmd} add deny tcp from any to ${oip} 3306 in

Set the root MySQL password:

mysqladmin -u root password yourpassword

Login to the MySQL server:

mysql -u root -p

Create a new database for CMS made simple:

mysql> create database inverselog;
mysql> grant usage on inverselog.* to root@localhost;
mysql> grant select, insert,delete on inverselog.* to root@localhost;
mysql> exit

Next to install a php project, it usually will use a php install page, just direct a browser to the install page to get started.

http://www.inverselog.com/install.php

Note that the lynx browser does not support dynamic html, just use your windows terminal.

FreeBSD has what's called a FTP Server. An FTP server allows files to be transfered from one computer to another on the internet. To configure FreeBSD to use an FTP server it must be enabled in the file /etc/inetd.conf

Type vi /etc/inetd.conf

Press the ESC key

:ins

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

Press CTRL-C

Press the ESC key

:wq!

In the initial installation program, setup asked if anonymous access is allowed. This is an internal function that isolates the "ftp" user from the rest of the FreeBSD file structure. You may want to greet your visitors with a message to their client program.

Type vi /etc/ftpwelcome

Press the ESC key

:ins

Welcome to NVITA.ORG Northern Virginia Information Technology Association. Please upload to the "incomming" directory. All files will be made available to the public via http://www.nvita.org/space/

Press CTRL-C

:wq!

Next although the FTP server can send files, ideally it should receive and store data too. However, it is fairly difficult to manage who is to delete such and such file and upload such and such file on a computer. Since there is no convention to manage this a simple rule system is put in place. In the following instance, everyone has the right to upload any file of any size and download any file of any size provided that they use the "incoming" directory. It is impossible to circumvent this convention because at any one time, everyone uses it.

The "incoming" directory can also be found on servers which store and forward developer software.

Ideally, you can also create a membership system that will allow registered users to freely upload and download with their own user names.

Create the incomming directory for the FreeBSD ftp server. This is not something to do in general, but they are specific instructions for FreeBSD.

cd /var
rm -rf ftp
ln -s /usr/home/squirrel ftp
mkdir /usr/home/squirrel/incoming/

Create the etc directory.

mkdir /usr/home/squirrel/etc/

Isolate the etc directory from the ftp user.

chgrp wheel /usr/home/squirrel/etc/

Incorporate the ftp user into the Anonoymous filesystem.

chown root /usr/home/squirrel/incoming/
chgrp ftp /usr/home/squirrel/incoming/
chown root /usr/home/squirrel/incoming/..
chgrp ftp /usr/home/squirrel/incoming/..
chmod 5777 /usr/home/squirrel/incoming/

chgrp wheel /usr/home/squirrel

The operator group has access to the FTP server but the operator group does not have access to nobody.

drwxr-xr-x 5 root wheel 512 Apr 8 22:14 .
drwxr-xr-x 3 root wheel 512 Apr 6 17:50 ..
-rw-r--r-- 1 squirrel squirrel 751 Apr 6 17:50 .cshrc
-rw-r--r-- 1 squirrel squirrel 248 Apr 6 17:50 .login
-rw-r--r-- 1 squirrel squirrel 158 Apr 6 17:50 .login_conf
-rw------- 1 squirrel squirrel 373 Apr 6 17:50 .mail_aliases
-rw-r--r-- 1 squirrel squirrel 331 Apr 6 17:50 .mailrc
-rw-r--r-- 1 squirrel squirrel 766 Apr 6 17:50 .profile
-rw------- 1 squirrel squirrel 276 Apr 6 17:50 .rhosts
-rw-r--r-- 1 squirrel squirrel 975 Apr 6 17:50 .shrc
drwxr-xr-x 2 root wheel 512 Apr 8 22:14 etc
drwsrwxrwt 2 root ftp 512 Apr 8 22:09 incoming
drwxr-xr-x 8 nobody squirrel 2560 Apr 8 20:17 pub

An anonymous user can thereby upload to the incomming directory. Although the anonymous user cannot delete a file; only add to the incoming directory.

For example; the directory "????¤??3??§??" cannot be read by the FreeBSD DMZ nor can the Apache webserver read the file. This file structure was created by a windows program called "Grims Ping". http://grimsping.cjb.net/ A windows FTP client can also read the file placed on the webserver. Although it may be interesting to collect these files and or file structures; they can only be read by Windows computers. This resembles the behavior of waterboarding. Waterboarding is strictly taboo and is soley at the discresion of the FreeBSD administrator. For example you may find ethnic groups to be closely knit communities. China town, the diamond district, etc.

The FTP server can be STOPPED altogether by removing the entry in inetd.conf:

vi /etc/inetd.conf

Position the blinking cursor with the arrow keys at the begining of the line:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

Press the ESC key

:del

Press the ESC key

:ins

#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

Press CRTL-C

Press the ESC key

:wq!

/usr/src/etc/rc.d/inetd stop

To start the FTP server type in a console:

/usr/src/etc/rc.d/inetd start

These settings are ideal for IRC users because every time you part or leave a channel the IRC server identifies your address to everyone in the channel. They can then visit your FTP server or your HTTP server.

Here is a greeting page I designed for users specified by IP address in httpd.conf. Click the following link to see my greeting page:

http://173.10.132.234

ServerName 173.10.132.234

DocumentRoot "/usr/home/squirrel/pub"
AccessFileName .htaccess

Since this address is tipically variable, or dynamic it must be updated every time a new IP address is issued.

Out of the thousands of programs for FreeBSD, If you want to IRC from your cell phone affordably; the Apache tomcat server, which is closely related to many of the "Java" based programs that run on Cell Phones, is simple to install.

First you need to download the Java SE JRE; or Java Standard Edtition; Java Runtime Environment.

Type cd /usr/ports/distfiles/

lynx http://java.sun.com/javase/downloads/ea.jsp

Choose the distribution for the linux platform and save it in the /usr/ports/distfiles/ directory of your FreeBSD computer.

FreeBSD can run programs designed to work with Linux. The linux program ldd included with FreeBSD can tell you what dependancies are needed to run a linux program configured to run in the FreeBSD Linux subsystem.

Extract the files:

Type ./*.bin

A bin file will extract it's self and begin to install the software contained inside of it.

Now use ldd to determine if the linux excuteable "java" is configured to run correctly on your FreeBSD system:

ldd /usr/ports/distfiles/jre1.6.0_10/bin/java

/usr/ports/distfiles/jre1.6.0_10/bin/java:
libpthread.so.0 => /lib/obsolete/linuxthreads/libpthread.so.0 (0x2806f000)
libjli.so => /lib/libjli.so (0x280c3000)
libdl.so.2 => /lib/libdl.so.2 (0x280cc000)
libc.so.6 => /lib/obsolete/linuxthreads/libc.so.6 (0x280d0000)
/lib/ld-linux.so.2 (0x28052000)

It looks like everything here is ok. However the recent release jre1.6.0_10, does not extract the library libjli.so to the /lib directory of FreeBSD. Use a good policy similar to the FTP server by adding to, but not taking away from the running system. Create an -addtional- symbolic link to this file in the /lib directory. In this particular example, FreeBSD has created the Linux Subsystem, the program "Java" has interpreted what files are needed from the Linux Subsystem:

find / -name "libc.so.6"

/usr/compat/linux/lib/libc.so.6

ldd /usr/ports/distfiles/jre1.6.0_10/bin/java

/usr/local/sbin/jre1.6.0_07/bin/java:
libpthread.so.0 => /lib/obsolete/linuxthreads/libpthread.so.0 (0x2806f000)
libjli.so => /lib/libjli.so (0x280c3000)
libdl.so.2 => /lib/libdl.so.2 (0x280cc000)
libc.so.6 => /lib/libc.so.6 (0x280d0000)
/lib/ld-linux.so.2 (0x28052000)

The output of ldd is an odd thing, it may be part of the FreeBSD runtime linker, or may be something else entirely:

ls -la /lib/libc.so.6

ls: libc.so.6: No such file or directory

Although ldd lists libraries required, it does not however compute the difference in terms. Instead, we return to our matrices of data once again, and add too but not take away from it's contents:

ln -s /usr/compat/linux/lib/libc.so.6 /lib/libc.so.6

..... continued ....

Now test the java executable:

./java -version

Java HotSpot(TM) Client VM warning: Can't detect initial thread stack location - find_vma failed
java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06)
Java HotSpot(TM) Client VM (build 10.0-b23, mixed mode)

The java program also requires the linux proc file system:

mount -t linprocfs linprocfs /compat/linux/proc

Now that the JRE has been installed just download apache tomcat unzip it, and run it.

Type lynx http://tomcat.apache.org/download-60.cgi

In catalina.sh, just put the following entry at the top:

JAVA_HOME=/usr/ports/distfiles/jre1.6.0_10

Next, by default with no other modifications, tomcat will start correctly.

Type /usr/local/sbin/tomcat/apache-tomcat-6.0.10/bin/startup.sh

Sometimes the java run time build becomes volatile and does not agree with the operating system kernel. To create a control, files must be removed and then replaced.

Now check if Apache tomcat has access to the external interface:

ipfw list

You should see:

02400 allow tcp from any to 76.111.89.19 dst-port 8080 setup

If you don't see a similar entry type:

ipfw add allow tcp from any to 76.111.89.19 dst-port 8080 setup

Add this entry to /etc/rc.firewall

${fwcmd} add allow tcp from any to ${oip} dst-port 8080 setup

lynx http://127.0.0.1:8080

Another exclusive UNIX project is the TOR onion router. This will allow you to maintain anonymity in IRC sessions and or Internet data with other servers. It is easy to install but it has dependancies.

config.c is missing a semicolon character

run it:

/usr/local/bin/tor --runasdaemon 1

you have to create the tor config file in the specific directory

vi /usr/local/etc/tor/torrc

edit these lines:

RunAsDaemon 1
PidFile /var/run/tor/tor.pid

Then when the server is running it will connect to a pool of anonymous servers that act as gateways to any other place on the internet, such that the server reciving the connection request is doing so by the use of one of the servers in the pool; thus creating anonymity. Interestingly enough; these packets are not passed; but recreated by the TOR Server; like the food maker on StarTrek. Configure a client program like, Internet explorer or MirC or Firefox to use the TOR server under the "proxy" configuration section. The port the new TOR server will respond to is port 9050.

To get another tor server; server.. just kill the tor process by finding out what it's process ID is in the "top" program

top

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
64397 mysql 4 20 0 42548K 20396K kserel 42:36 0.00% mysqld

282 root 1 96 0 2488K 1972K select 36:40 0.00% natd

in this example, 64397 is the "mysql" PID and 282 is the "natd" PID

Press CTRL-C to exit the TOP program.

then you will have to erase the pid file created independently by the TOR daemon (/var/run/tor/tor.pid) The pid file will also tell you what the process ID is:

cat /var/run/tor/tor.pid

kill -TERM PROCESSID

To remove any microsoft entries from the use of your new Samba file server, type in the vi editor:

g/^M/s/// (the ctrl-m has to be entered with the key strokes CTRL-V followed by CTRL-M)

FreeBSD is a very viable cost effective solution to implement on a small or large scale and can be implemented in a few hours with new or used equipment. FreeBSD is particularly useful when large scale network deployments require licensing and or very high overhead costs to deploy. Monitoring a test FreeBSD server for two years, FreeBSD has proven it's reliability. However, the only bottleneck seems to lie with the Internet service provider used, where the Internet IP address has changed. If the IP address is changed "dynamically" there is less cost associated with maintaining the Internet Service Provider's equipment. Further, internet service providers also save time and money by typically blocking inbound and outbound access to SMTP service and even in some cases, a local carrier such as COX Cable in Fairfax County, Virginia USA; will block HTTP service Outbound. There are however several inexspensive "business" internet services reserved, which provide a static IP and other sophisticated automated services at your request. Although you don't really need any of those things, when dealing with computer equipment, it is good policy to always make sure you do things by the book. I recommend FreeBSD without any reservations.