
Saturday, 27 September 2014

shellshock on my systems - no real worries

To determine if your Linux or Unix system is vulnerable, from a command line, type something like this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

or it will say that bash is not present or something else, you figure it out :)
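As an added example (not part of the original post), the same probe can be run against every bash binary on a host and the three outcomes described above told apart automatically. The function names are hypothetical, and the script assumes a POSIX sh with grep, sort and env available.

```shell
#!/bin/sh
# Added example: run the post's probe against every bash on this host.
# Function names here are hypothetical, not from the original post.

# Classify the combined stdout+stderr of the probe.
classify_probe_output() {
    # A line that is exactly "vulnerable" means bash executed the command
    # trailing the function definition while importing the variable.
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -q 'this is a test'; then
        # Covers the warning output quoted in the post and later bash
        # builds, which print only the test line.
        echo not-vulnerable
    else
        echo unknown
    fi
}

# Run the probe against one shell binary, given by path.
probe_shell() {
    if [ ! -x "$1" ]; then
        echo absent
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>&1) || true
    classify_probe_output "$out"
}

# Candidate paths: bash entries in /etc/shells plus the bash on PATH.
list_bash_candidates() {
    {
        grep -E '^/.*/bash$' /etc/shells || true
        command -v bash || true
    } 2>/dev/null | sort -u
}

audit_host() {
    found=0
    for sh_path in $(list_bash_candidates); do
        found=1
        printf '%s: %s\n' "$sh_path" "$(probe_shell "$sh_path")"
    done
    [ "$found" -eq 1 ] || echo "no bash found"
}

audit_host
```

Run it inside each jail or chroot as well, since those carry their own set of shells.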

So what about my systems? Here's the list:

  • pfSense firewall 2.1.4-RELEASE (amd64), built on Fri Jun 20 12:59:50 EDT 2014, FreeBSD 8.3-RELEASE-p16 : not vulnerable, bash is not there by default :) check /etc/shells if you have it installed
  • FreeNAS home server FreeNAS-9.2.1.7-RELEASE-x64 (fdbe9a0), FreeBSD 9.2-RELEASE-p10 #0 r262572+4fb5adc: Wed Aug  6 17:07:16 PDT 2014 : bash present by default, system vulnerable, checked jails, bash not present, will wait for the fix in next version, there's a good comment on this at the end of this discussion :)
  • Mac Darwin Kernel Version 13.3.0: Tue Jun  3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64 x86_64 : vulnerable, (I think) I haven't played with enabling/opening things, so will be waiting on Apple :)
  • Hackintosh Darwin Kernel Version 13.3.0: Tue Jun  3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64 x86_64 : vulnerable, (I know) I haven't played with enabling/opening things, so will be waiting on Apple
  • XBMC based HTPC on Ubuntu 14.04.1 LTS, Linux ___ 3.11.0-13-generic #20-Ubuntu SMP Wed Oct 23 07:38:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux : not vulnerable
  • I haven't hacked into my TV and I won't :)

Good luck to you all!


Monday, 17 March 2014

retired my cisco linksys e3000 as router/firewall, moved to pfSense

For some time I felt like my home Cisco Linksys e3000 wireless router was not able to perform according to the requirements of today's traffic at home. There are four of us, everybody uses the Internet, we have 20+ devices with an IP address, so it could be quite normal that signs of overload appeared more and more often. Sometimes it was slow, sometimes the router even hung.

Historically, I tried out the dd-wrt project, which has great functionality, but the stability of the router brought me back to the default Cisco firmware. Recently even the default firmware was not good enough.

One of the steps I've taken already was switching DHCP and DNS servers off and giving those functions to a Raspberry Pi. But that was more because I wanted to try out Pi :)

I've been thinking about a change to a more powerful router, but somehow took a look at my "server room" wall, where one of two Intel Atom D525MW boards hung without a proper job, and decided to take a look at what open source is doing in the router / firewall space.

Does this wiring look ok? No way...

I found a very nice review by David Pavlina which led me to choose between pfSense and Sophos UTM Home Edition (scroll down a bit). pfSense looked better to me for just one reason: it's not a limited version of commercial SW like Sophos. So let's try it.

First of all I was quite excited because it was the first time I was going to try something that is based on the FreeBSD project. And I have to say that the first impression - install - was very good. I'll see later what it takes to do basic OS things there.

Install of pfSense is quite straightforward and easy.

Initially I tried to put it on a USB stick, but I gave up after several iterations of failed formatting and partitioning... Or should I say: slicing? :D As I had a spare SSD on the shelf I decided that I will try USB some other time.

Initial config is trivial. Basically, you just need to notice the NIC names and feed those back to pfSense as you decide on the WAN and LAN side. Autodiscovery didn't work for me, but who cares when the manual one is so easy, right?

Connected to the webConfigurator interface, nice one. I took a look at the menu and saw there all I could imagine I would need from a home firewall/router. Except for QoS, but then googled that this is named Traffic Shaping here and decided to go further with it.

I put in basic things like hostname, domain, etc, switched off DHCP and DNS for now, checked that the firewall is on (I have to say "once more", because during install pfSense told me that it will be on) and got to putting actual wires into the NICs.

NB It is always interesting to come up with a new hostname. I will not publish actual one, but my thinking came out of this terrible animal, watch out for:

Regal horned lizard (Phrynosoma solare)

It took me some time to redo the wiring, now it looks even more terrible than previously, but this absolutely is a matter for another project :) Plus, switching my e3000 to "just wireless access point" also took a few hard resets because it kept becoming unavailable after I assigned a "normal" IP to it. Obviously, it didn't want to give up being router and firewall :D

So, here I am, typing this blog in the new network :)

Now, just switch DHCP and DNS servers from the Raspberry Pi to the new server. DHCP works like out-of-the-box :) The DNS forwarder (the same dnsmasq actually) doesn't want to resolve FQDN for some reason :( But this shouldn't be a big problem, I just need to get used to the new one. And DNS is one of the most weird-built things in IT as you all know - already or just now.