Installing Linux binary compatibility on pfsense



  • I would like to run a Linux package on pfsense, but because pfsense is stripped down, it does not have the linux kernel module and probably other things I have not found yet.

    Could someone kick-start me by telling me what packages I need to install to get the linux compatibility stuff going?

    Also, how do I find packages, and what are the steps to install.

    I gather "pkg_add -r packagename", but being a freebsd newbie, I expect that there are probably other things I am missing.

    Thank you.



  • I'm also fairly new to freeBSD, so I can't really help with how to add the Linux compatibility stuff to pfSense.

    But, even if you did, I don't think it would work, because you can't compile the Linux packages on pfSense, as there's no environment set up to do that.

    Maybe if you had a second "native" freeBSD system, at the same level as pfSense, you could compile them there, and then ship over the binaries.

    Cheers.





  • EddieA, the Linux package I need to run comes in binary.  I expect Linux emulation to work fine (I hope!) if I can get it configured.  That's what it does - it runs Linux binaries on FreeBSD.  Refer to the link my next respondent pointed me to.



  • @kpa:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/linuxemu.html.

    KPA, Thank you, I am hoping that I am blind.  Please hold my hand a little here… I have been over and over that document.  It seems to assume that stuff is present that I cannot find on my pfsense installation (1.2.3), and does not tell where to get them.  Of course their audience is someone using a standard FreeBSD install, and pfsense is not a full install.

    Specifically, "find . -name "linux" does not turn up any linux.ko or anything related.  Other kernel modules seem to be in /boot/loader, but nothing there about linux.

    /etc/rc.conf does not exist either, but I assume that this is because there was nothing to put in it, and I could just create it.

    Can you give me any other pointers?



  • I'm pretty sure if you search the forum you'll find a few threads on the subject ;)

    You'll need to identify the base version of FreeBSD your pfSense install uses (type uname -a on the command line).  Then, download and install that version of FreeBSD, possibly into a virtual machine.  Extract the required kernel modules and copy them across to pfSense, making the changes to rc.conf shown in that guide.  Then follow the guide, safe in the knowledge that you've reduced the security of your firewall.



  • Cry Havok,  Thank you, I will try that and see where it leads.

    Regarding reduced security, indeed every capability or package enabled reduces security, including squid which appears to be common.  I have found that using black/white lists is not a serviceable solution for my needs.  On one end it lets through sites that have "Pictures of N.k.d T.e.e.n G.!.r.l.s", and on the other end it blocks content hosts used by clearly above reproach non-profit organizations, many corporations, and even Amazon because they also host pornography.  I cannot allow an "Adult" category, yet I want to buy from Amazon and visit other web sites.  After fiddling with the controls systematically, the sweetest spot I found is bitter on both ends - it both lets through bad stuff and blocks harmless stuff, and significant amounts, all because of these sites that host content for others.

    My dangerous program is safesquid, which is a commercial package that I am glad to pay for to have filtering that is effective.  At least I hope it will be effective, since it analyses the text.  They also have a picture analyser claimed to be 85% effective for the stuff that slips through the text analysis.  It should not inherently be any more a security risk than squid, although being a different program it will of course have different bugs.

    Thanks for the help, and please watch for more questions after I start down this path (I need to dig up another machine).

    Everyone picks their poison, balancing the risks and advantages.  I hope that this note makes it clear why people ask for DansGuardian or (less commonly) safesquid.  Block lists are a lose-lose proposition.



  • I'm glad to see you're one of the few who understand the risks and tradeoffs - sadly so few people do and just want to turn their firewall into a general purpose machine without thinking ;)

    Don't forget you can use VMWare Workstation free for 30 days, VMWare Server is free and Sun (now Oracle) VirtualBox is free for non-commercial use.  All of those will avoid the need for another box and you can even test your changes to pfSense in a VM.



  • I am not what is now called an "IT Professional", but I am an engineer and have dabbled on the administrative side of UN*X since Bell Labs released version 6.  So while I don't know the specifics, once I have them I generally can extrapolate what to do with them.

    Regarding a VM, that is very tempting, but I had a bad experience with VMWare (They trashed my machine and I had to restore from backup).  I am partial to virtual box having used both QEMU and vBox, but they do not support FreeBSD as a host.  It also seems like a step away from rock-solid reliability and security to have a firewall in a virtual machine, though I am sure one can convince one's self that it is OK.  I hope to have pfsense as my base system, it has a Linux emulator, which is exactly what I need!  My only compromise will be the unique set of issues that safesquid brings with it - a trade vs. squid and squidguard issues.

    Please check out the thread under "Port-forwarding LAN:X to LAN:Y" (Corrected, used to say "General Questions") about Port Forwarding LAN:Port_X to LAN:Port_Y.  This is my alternate path, but I really don't want a second box running.  Makes noise, uses electrons.  But if I cannot get this emulator going, I may have little choice.

    By the way, I got linux.ko off of the 7.2 LiveCD (/boot/kernel/linux.ko).  I hope it is all I need.



  • I've been using VMWare Workstation since V3 without problems and VirtualBox for the last 6 months or so without problems. According to VirtualBox's own documentation, FreeBSD works.  I've never (yet) had either trash a system.

    I certainly wouldn't run it live in a VM, but using that for testing and development makes sense to me.

    Good luck!



  • I can confirm freebsd 8.0 works under virtualbox.



  • danswartz:  Thank you, but I need virtual box to run under FreeBSD (FreeBSD is the bare-metal OS, running vBox on top, then Linux in the vBox).  Any information on this?





  • Cry Havok (& interested):

    When I create /etc/rc.conf and put in linux_enable="YES" specified in the FreeBSD Handbook, not only does it not function, but the /etc/rc.conf file disappears when I boot.  Same for /etc/rc.conf.local .  I assume (wild guess) that this is some kind of pfsense security feature.

    Instead I added to /boot/loader.conf.local:
      verbose_loading="YES"
      linux_load="YES"
      linprocfs_load="YES"
      linux_enable="YES"

    and this worked.

    Notice that I also added procfs.  Although I don't know / think that it is needed for safesquid.  For procfs one also has to add a line to /etc/fstab:
      linproc /compat/linux/proc linprocfs rw 0 0
    and
      mkdir /compat/linux/proc

    If the linux binaries to be run require a 2.6 kernel, one must also add a line to /etc/sysctl.conf documenting the version that the emulation emulates:
      compat.linux.osrelease=2.6.16
    Otherwise it reports 2.4.something.

    After reboot things can be checked:

      kldstat
      ls /compat/linux/proc
      sysctl compat.linux.osrelease

    Also fished /usr/bin/brandelf off of the 7.2 LiveCD image and put it in /usr/bin

    Also, the FreeBSD "Chapter 10 Linux Binary Compatibility" section 10.2.1.2 "Installing Libraries Manually" mentions the "runtime linker", but does not say where to get it.  On an Ubuntu/Debian system it was in /lib/ld-linux.so* and /lib/ld*.so (Installed in /compat/linux/lib along with the other required shared libraries).

    That's all for now.  I am trying to avoid installing an entire linux_base, as I assume that other stuff that I don't need may reduce the integrity or security of my firewall.  Please correct me if you think this is wrong.

    Also, I wonder if the linux_base would catch all the little things like I list above.  I assume that it assumes a standard FreeBSD installation, not a PFSense!

    Any comments, warnings, correction, pointers very gratefully accepted!
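
Added example, not part of any post in this thread: a read-only audit that checks a pfSense/FreeBSD file tree (the live system or a mounted backup) for the Linux-compatibility changes described in the two posts above, so a firewall that has had them applied can be identified. The function names are hypothetical, and `/boot/loader.conf`, `/boot/modules` and `/etc/rc.conf` are FreeBSD default locations assumed here in addition to the paths the thread names.

```shell
#!/bin/sh
# Added example (not from the thread). Source this file, then run:
#   audit_linux_compat [ROOT]
# ROOT is "" for the live system or the mount point of a backup/image.
# Prints one FOUND line per indicator; returns 1 if any were found, else 0.

# True if FILE ($1) has an uncommented line beginning with the ERE in $2.
has_setting() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2" "$1"
}

report() { echo "FOUND $1"; found=$((found + 1)); }

audit_linux_compat() {
    root="${1:-}"; root="${root%/}"; found=0
    # Boot-time module loads (the thread used /boot/loader.conf.local).
    for f in boot/loader.conf boot/loader.conf.local; do
        for mod in linux linprocfs; do
            if has_setting "$root/$f" "${mod}_load=\"?YES"; then
                report "/$f loads $mod.ko"
            fi
        done
    done
    # Handbook-style switch in rc.conf.
    if has_setting "$root/etc/rc.conf" 'linux_enable="?YES'; then
        report "/etc/rc.conf sets linux_enable"
    fi
    # linprocfs mount: device, mount point, then fstype "linprocfs".
    if has_setting "$root/etc/fstab" \
        '[^#[:space:]][^[:space:]]*[[:space:]]+[^[:space:]]+[[:space:]]+linprocfs'; then
        report "/etc/fstab mounts linprocfs"
    fi
    if has_setting "$root/etc/sysctl.conf" 'compat\.linux\.osrelease[[:space:]]*='; then
        report "/etc/sysctl.conf overrides compat.linux.osrelease"
    fi
    # Files copied onto the box. The module directories are an assumption:
    # the thread does not say where linux.ko was placed on pfSense.
    for p in boot/kernel/linux.ko boot/modules/linux.ko usr/bin/brandelf; do
        if [ -e "$root/$p" ]; then report "/$p present"; fi
    done
    # Linux runtime linker installed by hand under /compat/linux/lib.
    for l in "$root"/compat/linux/lib/ld-linux.so*; do
        if [ -e "$l" ]; then report "${l#"$root"} present"; fi
    done
    [ "$found" -eq 0 ]
}
```

Because it only reads files, it can be pointed at a configuration backup or a VM disk mounted on another machine rather than run on the firewall itself.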



  • Cry Havok:  Re: Virtual Box port, thank you.  If all else fails, read the directions.  There are just so many directions!  I did google and search on freebsd.org quite a while and came up dry.  I wonder what I did wrong…



  • You probably started with something more complex than "freebsd virtualbox" ;)

