More exploration notes for my FreeBSD on Raspberry Pi project.
Firewall configuration:
The configuration I need is quite simple. My Raspberry Pi has two network interfaces: one is the "native" one (the regular RJ45 port) and the other is a USB-to-Ethernet adapter. As pf.conf(5) macros:
INET = "ue0" # native interface, attached to the open internet
LAN = "ue1" # adapter, attached to the home router
Even though I wouldn't mind exposing ssh, I don't have any
good reason to do it. For the moment I'm home all day, so
there's no need to reach it from outside. In the future I'm
thinking of exposing SSH as a .onion hidden service on Tor.
I would, however, like to expose http/https:
INET_ports = "{ http https }"
LAN_ports = "{ ssh }"
Given those macros, the pf.conf(5) ruleset is simple. pf evaluates the rules in order and the last matching rule wins, so the default deny comes first and the pass rules override it only for the listed interfaces and ports:
block return all
pass out keep state
pass in on $LAN proto tcp to ( $LAN ) port $LAN_ports keep state
pass in on $INET proto tcp to ( $INET ) port $INET_ports keep state
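The complete /etc/pf.conf assembled from the macros and rules above, together with the steps to enable and syntax-check it. This is an added example written for these notes, not the original page's file: it adds "set skip on lo0", because "block return all" with no skip rule also filters the loopback interface, which breaks anything on the Pi that talks to itself over 127.0.0.1, and it assumes the interface names ue0/ue1 from the page and the stock FreeBSD tools pfctl(8) and sysrc(8).

```shell
#!/bin/sh
# Write, validate and enable the two-interface pf ruleset from the notes.
# Added example, not the page's own file. Assumes ue0 = internet, ue1 = LAN.
set -eu

# Print the ruleset. Kept in a function so the same text can be written to
# /etc/pf.conf or just inspected on any machine.
render_pf_conf() {
    cat <<'EOF'
# macros: interfaces and the ports each side may reach
INET = "ue0"                  # native interface, attached to the open internet
LAN  = "ue1"                  # USB adapter, attached to the home router
INET_ports = "{ http https }"
LAN_ports  = "{ ssh }"

# options (added): never filter loopback; the block rule below would
# otherwise also drop local traffic such as a web app talking to 127.0.0.1
set skip on lo0

# default deny, then the exceptions; last matching rule wins
block return all
pass out keep state
pass in on $LAN proto tcp to ( $LAN ) port $LAN_ports keep state
pass in on $INET proto tcp to ( $INET ) port $INET_ports keep state
EOF
}

# On the Pi, as root: install the file, parse it without loading it
# (pfctl -n), and enable pf and pflog at boot. Start it yourself
# afterwards, from the LAN side, so a mistake cannot lock you out of ssh.
install_pf_conf() {
    target=${1:-/etc/pf.conf}
    render_pf_conf > "$target"
    pfctl -nf "$target"                     # -n: check syntax only
    sysrc pf_enable=YES pflog_enable=YES
    echo "ruleset parsed; now: service pf start"
}

case "${1:-show}" in
    install) install_pf_conf ;;             # sh pf-setup.sh install  (on the Pi)
    *)       render_pf_conf ;;              # anywhere: just print the ruleset
esac
```

Note that the ruleset passes no ICMP at all, so the Pi will not answer pings and, if IPv6 is ever enabled on it, neighbour discovery will be blocked too; pass the ICMP types you need explicitly. Also, "pass out keep state" applies to both interfaces, so the Pi itself can initiate connections to the internet as well as to the LAN.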
Lighttpd
As mentioned, my /etc/fstab looks like this:
/dev/ufs/rootfs / ufs ro 1 1
/dev/msdosfs/MSDOSBOOT /boot/msdos msdosfs rw,noatime 0 0
tmpfs /tmp tmpfs rw,mode=1777,size=50m 0 0
/etc/pkg /var/db/pkg nullfs rw,late 0 0
Since / is mounted read-only, the system automatically
mounts /var as tmpfs and populates it from the mtree(8)
spec /etc/mtree/BSD.var.dist. This is done by
/etc/rc.d/var, which does so when varmfs is AUTO (the
default) and /var is not writable.
The lighttpd web server (installed from pkg) expects
/var/log/lighttpd to exist; the package creates it at
install time. This is a bit of a problem, as the whole
/var is discarded upon reboot and recreated from the mtree
spec, which knows nothing about that directory, so the
service fails miserably at the next boot.
It is not trivially possible to change lighttpd's default
logging directory (e.g. from /var/log/lighttpd to
/var/log), because of permissions: lighttpd runs as the
www:www user/group, while /var/log itself is owned by
root, so the server cannot create its log files there.
That is exactly why the package ships a dedicated
/var/log/lighttpd owned by www:www. This is a well-known
problem in the world of software packaging.
A reliable solution consists in modifying
/etc/mtree/BSD.var.dist and adding an entry for
/var/log/lighttpd nested under the existing log entry, so
that rc.d/var recreates it with the right owner on every
boot. Something along these lines (note that the file is
part of the base system, so a base upgrade or etcupdate
run may merge over it; keep the change somewhere you will
remember):
    log
        lighttpd uname=www gname=www mode=0775
        ..
    ..
See mtree(8) for the format.
It is very important to do it correctly (especially the
.. lines, which close the directory opened by the entry
above them): the whole spec is applied to /var at every
boot, so a malformed file means you might end up
connecting a serial cable to fix a broken bootstrap.
Check the edited file before rebooting.
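The nesting mistake warned about above is easy to catch mechanically before a reboot. The following is an added example written for these notes (not part of the original page or of FreeBSD): a small POSIX sh/awk checker that models the one rule of the spec format that matters here (a directory entry opens a level, a ".." line closes it), run against a constructed BSD.var.dist-style fragment with the lighttpd entry added correctly and against the same fragment with one ".." missing. On the Pi itself it also does the real thing: populating a scratch directory from the spec with mtree(8), the way rc.d/var populates /var.

```shell
#!/bin/sh
# Sanity-check an mtree(8) spec before trusting it at boot. Added example for
# these notes, not from the page or the FreeBSD sources: it models only the
# nesting rule of the spec format, which is the part that is easy to get
# wrong by hand, not the full mtree grammar.
set -eu

# Print the nesting depth left at end of file; exit 1 if a ".." underflows.
# An entry counts as a directory if it carries type=dir, or carries no type=
# keyword while the current /set default is dir (BSD.var.dist opens with
# "/set type=dir ...", so nearly every entry in it is a directory).
mtree_depth() {
    awk '
        BEGIN { deftype = ""; depth = 0; bad = 0 }
        NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
        $1 == "/set"   { for (i = 2; i <= NF; i++) { if ($i ~ /^type=/) deftype = substr($i, 6) }; next }
        $1 == "/unset" { for (i = 2; i <= NF; i++) { if ($i == "type") deftype = "" }; next }
        $1 == ".."     { if (--depth < 0) { bad = NR; exit }; next }
        {
            t = deftype
            for (i = 2; i <= NF; i++) { if ($i ~ /^type=/) t = substr($i, 6) }
            if (t == "dir") depth++
        }
        END {
            if (bad) { print "underflow of .. at line " bad > "/dev/stderr"; exit 1 }
            print depth
        }
    ' "$1"
}

# Balanced means every opened directory was closed. The FreeBSD dist files
# close their root "." with a final "..", so a correct file ends at depth 0.
mtree_spec_balanced() {
    d=$(mtree_depth "$1") || return 1
    [ "$d" -eq 0 ]
}

# The real test, FreeBSD only and as root (for the www ownership): populate a
# scratch directory from the spec like rc.d/var populates /var
# (-d directories only, -e ignore extra files, -U create and fix entries).
mtree_dry_run() {
    mkdir -p "$2" && mtree -deU -f "$1" -p "$2" >/dev/null
    ls -ld "$2/log/lighttpd"          # expect drwxrwxr-x owned by www:www
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed fragment in BSD.var.dist style, lighttpd entry added correctly.
cat > "$tmp/good.dist" <<'EOF'
/set type=dir uname=root gname=wheel mode=0755
.
    log
        lighttpd uname=www gname=www mode=0775
        ..
    ..
    run
    ..
..
EOF

# Same fragment with the ".." closing lighttpd forgotten: "run" now lands
# under log instead of under the root, and the file ends one level too deep.
cat > "$tmp/bad.dist" <<'EOF'
/set type=dir uname=root gname=wheel mode=0755
.
    log
        lighttpd uname=www gname=www mode=0775
    ..
    run
    ..
..
EOF

for spec in "$tmp/good.dist" "$tmp/bad.dist"; do
    if mtree_spec_balanced "$spec"; then
        echo "$spec: balanced"
    else
        echo "$spec: UNBALANCED, ends at depth $(mtree_depth "$spec")"
    fi
done

# Only where mtree and the www user exist: populate a scratch dir for real.
if [ "$(uname)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
    mtree_dry_run "$tmp/good.dist" "$tmp/scratch"
fi
```

To check the real file, run mtree_spec_balanced /etc/mtree/BSD.var.dist after editing it, and on the Pi let mtree_dry_run build a throwaway copy of /var from it; if the lighttpd directory shows up with the right owner there, rc.d/var will create it the same way at boot.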