Final cleanup for the ALIX firewall

Finally, there are a few things that I either forgot to do or that make life easier.

Setting up localtime
By defaut, /etc/localtime is set to Alberta, where OpenBSD has its home. I need to set it to somewhere closer.

rm /etc/localtime; ln -s /usr/share/zoneinfo/US/Mountain /etc/localtime

Now date shows the correct time.

I wrote a script to make the LEDs move back and forth. I start this at boot. (In an earlier version of the firewall, I edited /etc/rc to turn LEDs on when certain thresholds had been passed in the boot process. But now I don’t want to muck up /etc/rc so much.)

First of all, you need to allow the ports to be written before OpenBSD gets all secure on you. Edit /etc/rc.securelevel and add:

# Place local actions here.
echo -n 'enabling LED pins'
gpioctl -q /dev/gpio0 6 set out iout
gpioctl -q /dev/gpio0 25 set out iout
gpioctl -q /dev/gpio0 27 set out iout

I got these numbers from the Status LEDs section of the ALIX manual.

Then create /usr/local/bin/cylon:

#!/bin/ksh -

gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 1

gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 1
gpioctl -q /dev/gpio0 27 0

gpioctl -q /dev/gpio0 6 1
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 0

gpioctl -q /dev/gpio0 6 0
gpioctl -q /dev/gpio0 25 0
gpioctl -q /dev/gpio0 27 0

while [ true ] ; do
 sleep 1
 sleep 1
 sleep 1
 sleep 1

Finally, start it from /etc/rc.local:

# Add your local startup actions here.
echo -n 'cylon'
sh /usr/local/bin/cylon &

On reboot, yay, blinky! That at least tells you the kernel hasn’t crashed.

Reducing the mail
Because flashrd is really OpenBSD, it sends mail more suited to a server than a firewall with limited disk.

First thing I noticed:

Running security(8):

Checking special files and directories.
Output format is:
                criteria (shouldbe, reallyis)
        permissions (0644, 0755)

I fixed that with a chmod 0644 /etc/rc.conf.local. So now /usr/libexec/security shows no problems. Good.

Once that’s done, make things complain less:

crontab -uroot -e

and comment out:

#30     1       *       *       *       /bin/sh /etc/daily
#30     3       *       *       6       /bin/sh /etc/weekly

This prevents the daily and weekly reports, leaving just the monthly one.

Next, I noticed that sendmail gets run from root’s crontab, so it doesn’t need to run at boot:


sendmail_flags=NO       # "-L sm-mta -C/etc/mail/ -bd -q30m"

That should keep the thing running a little longer without running out of disk. Actually, /var/mail is on the MFS, so it will keep it from running out of ramdisk.

(This post is part of Building an ALIX firewall)

2 Responses to Final cleanup for the ALIX firewall

  1. […] Final cleanup for the ALIX firewall […]

  2. Thierry says:

    It could be interesting to keep the daily report for some of the maintenance verifications it performs, but less verbose. As an alternative to commenting it out, you could create an /etc/daily.local file and simply put ‘VERBOSESTATUS=0’ in it.

    As indicated in the ‘daily’ man page: “VERBOSESTATUS: If set to 0, df(1), dump(8), and netstat(1) are skipped. Consequently, if none of the other commands produce any output, no mail will be sent to root”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: