Netgate Discussion Forum
    Installing Linux binary compatibility on pfSense

    General pfSense Questions
    16 Posts 5 Posters 9.2k Views
      rnsc

      Cry Havok,  Thank you, I will try that and see where it leads.

      Regarding reduced security, indeed every capability or package enabled reduces security, including squid which appears to be common.  I have found that using black/white lists is not a serviceable solution for my needs.  On one end it lets through sites that have "Pictures of N.k.d T.e.e.n G.!.r.l.s", and on the other end it blocks content hosts used by clearly above reproach non-profit organizations, many corporations, and even Amazon because they also host pornography.  I cannot allow an "Adult" category, yet I want to buy from Amazon and visit other web sites.  After fiddling with the controls systematically, the sweetest spot I found is bitter on both ends - it both lets through bad stuff and blocks harmless stuff, and significant amounts, all because of these sites that host content for others.

      My dangerous program is safesquid, which is a commercial package that I am glad to pay for to have filtering that is effective.  At least I hope it will be effective, since it analyses the text.  They also have a picture analyser claimed to be 85% effective for the stuff that slips through the text analysis.  It should not inherently be any more a security risk than squid, although being a different program it will of course have different bugs.

      Thanks for the help, and please watch for more questions after I start down this path (I need to dig up another machine).

      Everyone picks their poison, balancing the risks and advantages.  I hope that this note makes it clear why people ask for DansGuardian or (less commonly) safesquid.  Block lists are a lose-lose proposition.

        Cry Havok

        I'm glad to see you're one of the few who understand the risks and tradeoffs - sadly so few people do and just want to turn their firewall into a general purpose machine without thinking ;)

        Don't forget you can use VMWare Workstation free for 30 days, VMWare Server is free and Sun (now Oracle) VirtualBox is free for non-commercial use.  All of those will avoid the need for another box and you can even test your changes to pfSense in a VM.

          rnsc

          I am not what is now called an "IT Professional", but I am an engineer and have dabbled on the administrative side of UN*X since Bell Labs released version 6.  So while I don't know the specifics, once I have them I generally can extrapolate what to do with them.

          Regarding a VM, that is very tempting, but I had a bad experience with VMware (they trashed my machine and I had to restore from backup).  I am partial to VirtualBox, having used both QEMU and vBox, but they do not support FreeBSD as a host.  It also seems like a step away from rock-solid reliability and security to have a firewall in a virtual machine, though I am sure one can convince oneself that it is OK.  I hope to have pfSense as my base system; it has a Linux emulator, which is exactly what I need!  My only compromise will be the unique set of issues that safesquid brings with it - a trade vs. squid and squidGuard issues.

          Please check out the thread under "Port-forwarding LAN:X to LAN:Y" (Corrected, used to say "General Questions") about Port Forwarding LAN:Port_X to LAN:Port_Y.  This is my alternate path, but I really don't want a second box running.  Makes noise, uses electrons.  But if I cannot get this emulator going, I may have little choice.

          By the way, I got linux.ko off of the 7.2 LiveCD (/boot/kernel/linux.ko).  I hope it is all I need.

            Cry Havok

            I've been using VMWare Workstation since V3 without problems and VirtualBox for the last 6 months or so without problems. According to VirtualBox's own documentation, FreeBSD works.  I've never (yet) had either trash a system.

            I certainly wouldn't run it live in a VM, but using that for testing and development makes sense to me.

            Good luck!

              danswartz

              I can confirm freebsd 8.0 works under virtualbox.

                rnsc

                danswartz:  Thank you, but I need VirtualBox to run under FreeBSD (FreeBSD is the bare-metal OS, running vBox on top, then Linux in the vBox).  Any information on this?

                  Cry Havok

                  http://www.freebsd.org/doc/en/books/handbook/virtualization-host.html (aka yes).

                    rnsc

                    Cry Havok (& interested):

                    When I create /etc/rc.conf and put in linux_enable="YES" specified in the FreeBSD Handbook, not only does it not function, but the /etc/rc.conf file disappears when I boot.  Same for /etc/rc.conf.local .  I assume (wild guess) that this is some kind of pfsense security feature.

                    Instead I added to /boot/loader.conf.local:
                      verbose_loading="YES"
                      linux_load="YES"
                      linprocfs_load="YES"
                      linux_enable="YES"

                    and this worked.

                    Notice that I also added procfs.  Although I don't know / think that it is needed for safesquid.  For procfs one also has to add a line to /etc/fstab:
                      linproc /compat/linux/proc linprocfs rw 0 0
                    and
                      mkdir /compat/linux/proc

                    If the linux binaries to be run require a 2.6 kernel, one must also add a line to /etc/sysctl.conf documenting the version that the emulation emulates:
                      compat.linux.osrelease=2.6.16
                    Otherwise it reports 2.4.something.

                    After reboot things can be checked:
                      kldstat
                      ls /compat/linux/proc
                      sysctl compat.linux.osrelease

                    Also fished /usr/bin/brandelf off of the 7.2 LiveCD image and put it in /usr/bin.

                    Also, the FreeBSD "Chapter 10 Linux Binary Compatibility" section 10.2.1.2 "Installing Libraries Manually" mentions the "runtime linker", but does not say where to get it.  On an Ubuntu/Debian system it was in /lib/ld-linux.so* and /lib/ld*.so (Installed in /compat/linux/lib along with the other required shared libraries).

                    That's all for now.  I am trying to avoid installing an entire linux_base, as I assume that other stuff that I don't need may reduce the integrity or security of my firewall.  Please correct me if you think this is wrong.

                    Also, I wonder if the linux_base would catch all the little things like I list above.  I assume that it assumes a standard FreeBSD installation, not a PFSense!

                    Any comments, warnings, correction, pointers very gratefully accepted!

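As an added example, not code from this thread or from pfSense: a POSIX sh checker for the pieces rnsc lists above, read from the files and command output the post names (/boot/loader.conf.local keys, the /etc/fstab linprocfs entry, kldstat, sysctl compat.linux.osrelease). The function names are mine, and the kldstat and sysctl output fed to the demo are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: verifies the Linux binary compatibility
# pieces rnsc lists (loader.conf.local keys, linprocfs fstab entry, loaded
# modules, compat.linux.osrelease). The demo feeds constructed sample output.

# Lines /boot/loader.conf.local must carry (verbose_loading is optional).
REQUIRED_LOADER='linux_load="YES" linprocfs_load="YES" linux_enable="YES"'

# 0 if every required line is present verbatim in the file named by $1, else 1.
check_loader_conf() {
    for entry in $REQUIRED_LOADER; do
        grep -qx "$entry" "$1" || { echo "missing in loader.conf.local: $entry" >&2; return 1; }
    done
}

# 0 if the fstab text on stdin mounts linprocfs at /compat/linux/proc (checked field-wise, so spacing is irrelevant).
check_fstab() {
    awk '$1=="linproc" && $2=="/compat/linux/proc" && $3=="linprocfs" {found=1} END {exit !found}'
}

# 0 if kldstat output on stdin lists both linux.ko and linprocfs.ko.
check_kldstat() {
    awk '$NF=="linux.ko" {a=1} $NF=="linprocfs.ko" {b=1} END {exit !(a && b)}'
}

# 0 if "sysctl compat.linux.osrelease" output ($1) reports 2.6 or newer;
# a 2.4.x answer means the sysctl.conf line from the post is not in effect.
check_osrelease() {
    rel=$(printf '%s' "$1" | sed 's/.*: *//')
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] 2>/dev/null || { [ "$major" -eq 2 ] && [ "$minor" -ge 6 ]; } 2>/dev/null
}

# Runs all four checks on constructed inputs; returns non-zero on the first failure.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'verbose_loading="YES"' 'linux_load="YES"' 'linprocfs_load="YES"' 'linux_enable="YES"' > "$tmp"
    check_loader_conf "$tmp"; rc=$?; rm -f "$tmp"; [ "$rc" -eq 0 ] || return 1
    printf 'linproc\t/compat/linux/proc\tlinprocfs\trw\t0\t0\n' | check_fstab || return 1
    printf '%s\n' 'Id Refs Address    Size     Name' ' 1   10 0xc0400000 9a1a18   kernel' \
        ' 2    1 0xc4e2f000 21000    linux.ko' ' 3    1 0xc4f00000 6000     linprocfs.ko' | check_kldstat || return 1
    check_osrelease 'compat.linux.osrelease: 2.6.16' || return 1
    echo "all checks passed"
}
demo
```

On a real box the same functions take `kldstat | check_kldstat`, `check_fstab < /etc/fstab` and `check_osrelease "$(sysctl compat.linux.osrelease)"`.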
                      rnsc

                      Cry Havok:  Re: VirtualBox port, thank you.  If all else fails, read the directions.  There are just so many directions!  I did google and search on freebsd.org quite a while and came up dry.  I wonder what I did wrong…

                        Cry Havok

                        You probably started with something more complex than "freebsd virtualbox" ;)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.