
Firewall and Lighttpd

Tags: [ bsd ] [ Hacking ] [ raspberry ]

More exploration notes for my FreeBSD on Raspberry Pi project.

Firewall configuration:

The configuration I need is quite simple. My Raspberry Pi has two network interfaces: the native one (the on-board RJ45 port) and a USB-to-Ethernet adapter.

INET = "ue0"  # native interface, attached to the open internet
LAN = "ue1"   # adapter, attached to the home router

Even though I wouldn't mind exposing SSH, I don't have any good reason to do it. For the moment I'm home all day, so there's no need to reach it from outside. In the future I'm thinking of exposing SSH as a .onion hidden service on Tor.

I would, however, like to expose HTTP/HTTPS:

INET_ports = "{ http https }"
LAN_ports = "{ ssh }"

And given those macros, the pf(4) configuration is simple:

block return all
pass out keep state
pass in on $LAN proto tcp to ( $LAN ) port $LAN_ports keep state
pass in on $INET proto tcp to ( $INET ) port $INET_ports keep state
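The macros and rules above assembled into a complete pf.conf, with the commands to check, load and inspect it, as an added example (my own script, not the post's file). The interface names and port macros are the ones from the post; "set skip on lo0" is an addition I would make; pf_inbound is a helper of mine that expands the macros and prints what each interface accepts inbound, so the policy can be eyeballed before loading. pfctl -nf remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example (not the post's own file): the macros and rules from the
# post assembled into a complete pf.conf, plus the commands to check, load
# and inspect it. "set skip on lo0" is my addition.

# Emit the complete ruleset on stdout.
pf_conf() {
    cat <<'EOF'
# Interfaces: ue0 faces the open internet, ue1 the home router.
INET = "ue0"
LAN  = "ue1"

# What each side may reach.
INET_ports = "{ http https }"
LAN_ports  = "{ ssh }"

# Do not filter loopback; local daemons talking to each other should not
# depend on the state table (added here, not in the post).
set skip on lo0

# Default deny. "return" answers with RST/ICMP unreachable instead of a
# silent drop, which makes a blocked connection obvious from the LAN side.
block return all

# Anything the box initiates is allowed; the state entry lets replies in.
pass out keep state

# "( $LAN )" means the address ue1 currently holds, so the rule survives a
# new DHCP lease from the router. Only ssh from the LAN, only web from the
# internet; everything else hits the block rule.
pass in on $LAN  proto tcp to ( $LAN )  port $LAN_ports  keep state
pass in on $INET proto tcp to ( $INET ) port $INET_ports keep state
EOF
}

# pf_inbound FILE: expand the macros and print "<interface> <ports>" for each
# "pass in" rule, i.e. what each interface accepts from outside. Handles the
# macro style used above (one "$macro" token after "on" and after "port").
pf_inbound() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {     # NAME = "value"
            name = $1; sub(/=.*/, "", name)
            if (match($0, /"[^"]*"/)) macro[name] = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        /^[[:space:]]*pass[[:space:]]+in([[:space:]]|$)/ {
            iface = ""; ports = ""
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (substr(tok, 1, 1) == "$") tok = macro[substr(tok, 2)]
                if ($(i - 1) == "on")   iface = tok
                if ($(i - 1) == "port") ports = tok
            }
            print iface, ports
        }
    ' "$1"
}

# Parse FILE without loading it: the only safe first step on a headless box.
pf_check() { pfctl -nf "$1"; }

# Enable pf at boot, load FILE, then show the expanded rules and state table.
pf_load() {
    sysrc pf_enable=YES pf_rules="$1"
    pfctl -e 2>/dev/null || true       # fails harmlessly if already enabled
    pfctl -f "$1"
    pfctl -vsr
    pfctl -ss
}

# Typical run on the Pi as root. / is read-only on this box, so remount it
# first (mount -uw /) and put it back afterwards (mount -ur /):
#   pf_conf > /etc/pf.conf.new && pf_check /etc/pf.conf.new && pf_inbound /etc/pf.conf.new
#   mv /etc/pf.conf.new /etc/pf.conf && pf_load /etc/pf.conf
```

pf_inbound on the generated file prints "ue1 { ssh }" and "ue0 { http https }", which is the whole inbound policy in two lines; after loading, pfctl -vsr shows the same rules as the kernel actually expanded them.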


As mentioned, my /etc/fstab looks like this:

/dev/ufs/rootfs   /       ufs     ro      1       1
/dev/msdosfs/MSDOSBOOT /boot/msdos msdosfs rw,noatime 0 0
tmpfs /tmp tmpfs rw,mode=1777,size=50m 0 0
/etc/pkg /var/db/pkg nullfs rw,late 0 0

Since / is mounted read-only, /etc/rc.d/var mounts a tmpfs on /var at boot (the varmfs knob, AUTO by default, does this whenever /var is not writable) and populates it from /etc/mtree/BSD.var.dist with mtree(8).

The lighttpd web server (installed from pkg) expects /var/log/lighttpd to exist. That is a problem here: the whole of /var is discarded at every reboot, the directory is gone, and the service fails to start.

Pointing lighttpd at a directory that does exist (say /var/log itself) is not a trivial fix either, because of permissions: the package creates /var/log/lighttpd owned by www:www, the user lighttpd runs as, while /var/log belongs to root. This is a well-known problem in the world of software packaging.

A reliable solution is to edit /etc/mtree/BSD.var.dist (after remounting / read-write) and add an entry for lighttpd inside the existing log directory block, something along these lines:

    lighttpd uname=www gname=www mode=0775

See mtree(8) for details.

It is very important to get this right (especially the closing .. line), or you may end up connecting a serial cable to fix a boot that no longer completes.
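The entry above goes inside the log block of the spec file, and the line that bites is the .. that closes it. As an added example (my own script, not from the post), here is a constructed excerpt showing the entry in context, together with two checks to run before rebooting: one walks a spec file counting directory entries against .. lines and reports where lighttpd ends up, the other, on FreeBSD as root, replays the spec into a scratch directory so the resulting ownership can be inspected. The file names and www:www ownership are from the post; the mtree flags are my assumption about what /etc/rc.d/var uses.

```shell
#!/bin/sh
# Added example (not from the post): check an edited /etc/mtree/BSD.var.dist
# before rebooting. The real file is long; the excerpt below is constructed
# to show only the part that matters for /var/log/lighttpd.

# mtree_nesting SPEC NAME: walk SPEC the way mtree does. An entry whose type
# is "dir" (explicit, or inherited from the last /set line) descends one
# level and ".." climbs back one. Prints the full path NAME ends up at and
# fails if the file does not return to depth 0, i.e. a ".." is missing or
# extra. Line continuations with "\" are not handled.
mtree_nesting() {
    awk -v target="$2" '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        /^[[:space:]]*\/set/ {
            if (match($0, /type=[a-z]+/)) deftype = substr($0, RSTART + 5, RLENGTH - 5)
            next
        }
        /^[[:space:]]*\/unset/ { next }
        /^[[:space:]]*\.\.[[:space:]]*$/ {
            if (--depth < 0) { print "line " NR ": \"..\" with no directory to leave" > "/dev/stderr"; bad = 1 }
            next
        }
        {
            type = deftype
            if (match($0, /type=[a-z]+/)) type = substr($0, RSTART + 5, RLENGTH - 5)
            if (type == "dir") path[++depth] = $1
            if ($1 == target) {
                p = path[1]
                for (i = 2; i <= depth; i++) p = p "/" path[i]
                if (type != "dir") p = p "/" $1
                printf "%s is at %s (depth %d)\n", target, p, depth
            }
        }
        END {
            if (depth != 0) { print "ends at depth " depth " instead of 0: a \"..\" is missing or extra" > "/dev/stderr"; bad = 1 }
            if (!bad) print "nesting OK"
            exit bad
        }
    ' "$1"
}

# mtree_dry_run SPEC: replay SPEC into a scratch directory, in the spirit of
# what /etc/rc.d/var does into /var (the -deU flags are my assumption), then
# look at what came out. Needs FreeBSD's mtree and root (it chowns to www).
mtree_dry_run() {
    if [ "$(uname -s)" != FreeBSD ] || [ "$(id -u)" -ne 0 ]; then
        echo "mtree_dry_run: skipped (needs FreeBSD and root)"
        return 0
    fi
    scratch=$(mktemp -d)
    mtree -deU -f "$1" -p "$scratch" >/dev/null
    ls -ld "$scratch/log/lighttpd"     # expect owner www, group www, mode 775
    rm -rf "$scratch"
}

# Constructed excerpt: the lighttpd entry in context. Note the ".." that
# closes lighttpd before the one that closes log.
spec=$(mktemp)
cat > "$spec" <<'EOF'
/set type=dir uname=root gname=wheel mode=0755
.
    log
        lighttpd        uname=www gname=www mode=0775
        ..
    ..
..
EOF
mtree_nesting "$spec" lighttpd
mtree_dry_run "$spec"
rm -f "$spec"
```

On the excerpt the walker prints "lighttpd is at ./log/lighttpd (depth 3)" followed by "nesting OK"; delete the .. right after the lighttpd line and it exits non-zero with "ends at depth 1", which is exactly the mistake that would otherwise only show up at the next boot. Run it against the real /etc/mtree/BSD.var.dist after editing, then the dry run on the Pi itself before remounting / read-only again.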