# general help needed..



## tig (Sep 24, 2012)

Hello,

I am new to these forums and this operating system.  And in dire need of a friend that knows it. I am a Microsoft network admin (roughly 9 years in the industry), and recently hired by a company to help maintain their network.  they have the typical 2008 AD domain, with exchange, and sql, and terminal servers which I am great with.  However the previous network admin who I am filling in for (left without notice - not available for questions) also set up a FreeBSD server as our sort of gateway device?.  This server seems to be acting as our network proxy server, our email filtering service, our vpn connectivity point/certificate generator, and most likely our network firewall.. which basically means everything depends on it and I know nothing about the thing...

I have been reading through the guides, managed to get access to it, created a new admin user account and added myself to the oddly named root group..  The server is really pretty neat.. considering all that it does it barely uses any resources and has been doing a great job.. however it does not have a gui, at least not that I have noticed.. (startx at prompt reports command not found), and I do not want to start installing xorg since the box has very limited hardware resources and the last thing I want to do is slow it down in anyway..

I have some clues as to whats running on it.. their is a booklet here detailing Packet Filter (PF) configuration, and Nat configurations.. but the pfctl commands do not work for me.. 

I seem to be just stuck at a servername# prompt.. the only command that has been semi useful has been netstat.. where i recieved the ip address of one of the interfaces on the box.. but there really should be 2.. is there an easier way to view ip configuration status?

or is there a easy way to identify what programs are running/being used by the system..

anyway.. someone please reach out to me here i'm in deep waters with out a raft


----------



## wblock@ (Sep 25, 2012)

Don't log in as a root user unless necessary, like when changing settings.

Look at /etc/rc.conf to get an idea of what is running:
`% less /etc/rc.conf`

Do you have a full backup?  How recent is it?


----------



## SirDice (Sep 25, 2012)

If it's been there a while you might want to check the version too. It maybe too old and unsupported. Not something you want to have protecting your network.

[cmd=]uname -a[/cmd] This will tell you the version.


----------



## mamalos (Sep 25, 2012)

What wblock is suggesting you will show you what services are running when the system has started. If your system is old enough, some services may not be shown in /etc/rc.conf and can be "found" by listing the contents of /usr/local/etc/rc.d/ folder by running:

`$ ls /usr/local/etc/rc.d`

Moreover, you can see what "packages/programs" have been installed on your system, by listing the contents of the folder /var/db/pkg using the ls(1) command described above.

Generally, since you'll be administering this network, you should consider reading a few stuff with respect to FreeBSD, because if something fails or if someone asks you to change configuration settings you'll have a hard time concluding your job. You can start by taking a quick glimpse at the FreeBSD handbook. Then, this forum is a great source of solving specific issues.

Good luck.


----------



## mamalos (Sep 25, 2012)

Ah,

and with respect with your network configuration settings:

`$ ifconfig -a`

shows you all available network interfaces followed by their settings.

`$ netstat -rn`

informs you about your routing table.

`# sockstat -4l`

shows which IPv4 services are running and on which ports.

`$ ps auxww`

shows you the processes that are currently running.

Since you're connected directly on your server, sometimes you'll need to redirect the output to a pager-program like less(1) by using the following syntax:

`$ ps auxww | less`

This way, you can use the arrow keys to scroll through the contents and view all of the command's output. Another way to do this, without using an additional command + output redirection, would be to press the ScrollLock button, and then use the arrow keys again. When finished reading, you should press ScrollLock button again so as to be able to continue giving commands.

Lastly, depending on the configuration of your server, as a normal user (admin as you said, who should be a member of *wheel* group and not *root* group) you may not be able to "see content running from other users", so for all commands described above you may have to be logged in as root in order to see the real status of your server.


----------



## akil (Sep 25, 2012)

Hi,

To see all enabled services you can check by execute below command:
`# services -e`
Results should match to the enabled services in /etc/rc.conf

Do you know any reasons why pfctl doesn't work for you? maybe try this `# pfctl -sa`

For other firewalls, please try one of below:
`# ipfw list`
`# ipfstat`

For additional security you can check
`# sysctl -a`
and for bootup process with additional possible settings:
`# cat /boot/loader.conf`

You should not install XOrg on your server, because it may affect security. Accordingly, there is no way to bypass huge amount of documents which are mandatory to start working with complex settings, I assume. For safety, good idea would be to use port scanner like nmap on both sides to see if there is something hidden and not yet discovered (scanning all interfaces from localhost is also good idea). Please consider to check inetd services and other stuff:
`# cat /etc/inetd.conf`
And cron:
`# cat /etc/crontab`
`# find /var/cron`

Good luck.


----------



## wblock@ (Sep 25, 2012)

mamalos said:
			
		

> Moreover, you can see what "packages/programs" have been installed on your system, by listing the contents of the folder /var/db/pkg using the ls(1) command described above.



pkg_info(1) is a bit more informative, showing descriptions:
`% pkg_info | less`


----------



## tig (Sep 25, 2012)

Wow this is great guys, thank you very much.. 

All of our servers are virtual on a vmware box, there is a script running thats backing up everything to a tape drive that needs to be switched every week. I know this because as backup admin I am recieving a daily email indicating incremental backup of 'servername' has completed successfully to a tape (which needs to be switched on the 30th). The backup report appears to be generated by a program called bacula.  Which I can now see is a program on this FreeBSD server. This server seems to be the heart of this entire network.

We are running FreeBSD version 8.2 with the following software currently running:

```
sshd_enable
apache22_enable 
samba_enable 
squid_enable
ntpd_enable
ntdate_enable/flags
syslogd_enable/flags
postgresq1_enable/flags
bacula_sd_enable
bacula_dir_enable
bacula_fd_enable
htcacheclean
```
When I type *pfctl -sa* I recieve error: 

```
/dev/pf: No such file or directory
```

When I type *ipfw list* I recieve:

```
ipfw: getsockopt(ip_FW_GET): Protocol not available
```

When I type *ipfstat* I recieve:

```
open(IPSTATE_NAME): No such file or directory
```

When using *pkg_info | less* I cannot find pfctl(8) in the package list.

ifconfig(8) only reports 1 ipv4 address, and what seems to be a point-to-point connection plip0.

I guess there are a few things I need to figure out now. 

1) How do I configure/view settings of bacula
2) I have a job in my que to configure a computer for my boss, it needs vpn access to our network. I assume SSL, so it needs a certificate. I have a note from the previous admin that indicates "need to generate a certificate using create_certsh script on the FreeBSD server before vpn will work. How to do this I have no idea. just typing create_certsh does not work.
3) this server appears to be running www/apache22. I have to figure out what webpages are on it.

4) the proxy server on our network is 192.168.1.1/8080. When I ping this it diverts to ip 192.168.1.254.  I thought this was the FreeBSD server, but now I see the ip is 192.168.1.4 according to ifconfig(8). If PF is not installed I believe that something else is acting as a proxy. My problem is, all I can do with ip 192.168.1.254 is ping it. It does not accept http or terminal connections. So I don't even know what it is. I assumed it was this server but now. I guess it must be something else. Looking over my DNS logs I see the computer name of .254 is different from the FreeBSD. this is good, ish I guess. I hoped it was not providing us with mail/web filtering it would be a pain to configure with its command prompt. But thanks for all your help guys. I wouldn't have gotten to this point without you.


----------



## SirDice (Sep 25, 2012)

tig said:
			
		

> When using *pkg_info | less* I cannot find pfctl(8) in the package list.


That's because it's part of the base OS, not a port/package.


----------



## BlueCoder (Sep 25, 2012)

*Suggestions*

Everyone has already responded on the basics such as pkg_info(1) and rc.conf so I'll continue with specific strategy.

You have been an admin for 9 years and you need a GUI? Shame. BSD and Linux boxes are required learning for every modern sysadmin. Juniper routers use a customized version of FreeBSD so it's command line is so worth knowing.

Requisition about $500 from your company if they don't have a couple spare computers. On Ebay or Craigslist buy a couple old computers and a couple extra network cards. Don't install xorg on any of the machines; you're a sysadmin and you don't need it; you're not playing games on the machine. Time to learn FreeBSD. Replicate everything the other guy did on one your learning boxes. Switch it with the production box after hours and do testing. Take copious notes along the way. When all is said and done and the box you configured has an up time of two months you will have a spare box to swap at a moments notice for this critical computer. Now notice I had you get 2 spares? Well the second spare is for your own development purposes so that you can play with FreeBSD itself before you put things into production. So you have development/new-production/old-production with you swapping the network wires with the old/new.

Six months later get a couple more spare boxes for Linux and get a comparable setup to your FreeBSD box on Linux. FreeBSD is better but you still need to know your way around a couple Linux distributions. Again don't bother installing a GUI; you're a sysadmin. The less you have installed on a computer the less can go wrong and less likely it can be hacked.

Learn sh and python scripting.

One year from now you'll wonder how you ever lasted this long without Unix.


----------



## tig (Sep 25, 2012)

Just a bit of an update. Apparently I have a few BSD servers in my network, just no one knew about them except the guy that left. :S 

.254 is a pfsense proxy/firewall server device from soekris. It's great though, it has an https interface I can log into to configure nat/proxy/firewall settings. /phew.. 

.4 is caching off that, I found the user manual for bacula. I'll be going through it as soon as I have a chance. 

I am still a bit stuck on certificates for our openvpn, but I am trying a few things here, I'll get back to you guys if I continue to have trouble. Or have a specific question.

But thanks again for all of your help. Really all these tips helped a lot.


----------



## gkontos (Sep 25, 2012)

Clearly you lack the knowledge of administering this box. If you have mentioned that to your boss before they hire you then you have nothing to be afraid of so take it easy.

What you need to do is more simple than you imagine.

*Identify your network*


Get NMAP and scan your network (do it off hours preferably). This will help you discover the OS and the services.
Discover which box is your gateway. (tracert in windows) I believe that you might find more FreeBSD servers.
Discover which box is doing the NAT. This box will most definitely be your VPN server and firewall also. 
Scan your network from the Internet. This will help you identify what sort of VPN service you are using.

Post your findings and you will get more help. One step at a time.


----------



## tig (Sep 26, 2012)

Yeah, the trouble is the employer here did not know what his network had or needed when the previous network admin suddenly left. The last he knew it was a windows based network but he hasn't worked with it for roughly 10 years. He hired me knowing that I could handle the windows side of the network, but I do not believe he was aware of how much his network now depends on these FreeBSD servers.

I only started this week. So I am just learning the network, a lot of my confusion here is due to misinformation given by the current staff. For example I was told there was one linux server, so I assumed all the extra services on the network were being run by it. It was only through connecting to it that I found out it was FreeBSD. It was only through the manual and the comments above that I was able to access it and find out what was on it. Which lead me to track down the other services. And other FreeBSD boxes. Which I have a good understanding of now. I hope. Unless there is another running in the alberta office. I will deal with that later.

Right now my priority is with openvpn, because I have a group of computers here that need to be configured for end users. They need openvpn ssl connections to access our network. I have a note from the previous admin here on how to configure it. It indicates "need to generate a certificate using create-certsh script on OCS server". For me OCS means Office communications server, but we do not have such a thing in our office, even if we did it does not generate certificates. We do have one FreeBSD server called OCS-SVR1, I assume the script is somewhere on that server, but I am not sure how to find it. This FreeBSD server is not our main firewall/gateway though, that is a different FreeBSD server called sentry1. 

My employer would like these computers configured by the end of the week. He is aware that I do not have FreeBSD experience but may not understand how makes setting up computers that need vpn difficult for me.  

I guess, worst case scenario I can just set up rras on a windows server. May not be as safe or secure as using installed certificates but it will work.

I wonder, is there a search function in FreeBSD for me to find a script file called 'create-certsh'?

I tried:

```
locate create-certsh
find / -name create-cersh
```
Both commands brings me back to "ocs-srv1#" prompt. And do not display any results.

I have the config folder of openvpn, with our domain certificate, I just need the create-certsh to generate a 'personal information exchange' cert per user.  I believe this script where ever it is can do that. I am open to any other ideas if you guys have any?


----------



## tig (Sep 26, 2012)

sry, the freebsd server called sentry1 is our NAT/gateway.  The network really is not that large, there are only around 35 users.. I didn't think i needed nmap.. I thought this was going to be an easy contract.. Didn't expect the previous admin to have a hosting solution set up in the server room.. we have 35 users and almost 10 servers.. :S


----------



## gkontos (Sep 26, 2012)

Try playing a bit with the words:

[CMD=""]#locate create-certsh[/CMD]
...
[CMD=""]#locate create-cert.sh[/CMD]
...
[CMD=""]#locate create[/CMD]
...

It should be somewhere there...


----------



## tig (Sep 26, 2012)

you are a life saver! you are right, it was create-cert.sh.. I thought maybe i was using locate incorrectly..

located in:
/usr/home/username/scripts/create-cert.sh
and
/usr/local/sbin/create-cert.sh

ok, so now that I know where it is, is there anyway i can view it, with say a notepad of some sort?

or i guess i could just run it.. hopefully script asks for a username, and save destination..

to run it would I just need to type something like:
sh /usr/home/username/scripts/create-cert.sh


----------



## tig (Sep 26, 2012)

also, is there any way I can list off everything in those folders.. like a dir command in windows?


----------



## gkontos (Sep 26, 2012)

[CMD=""]# less /usr/local/sbin/create-cert.sh[/CMD]

ls() is the equivalent to dir in windows.


----------



## tig (Sep 26, 2012)

tig said:
			
		

> also, is there any way I can list off everything in those folders.. like a dir command in windows?



nevermind I got it.. ls command.. 

I ran the script, it works, and is saving to a default location.. now i wonder, is there an easy way to copy a script off and send it to say.. a network share?


----------



## break19 (Sep 26, 2012)

yes, sh <scriptname> will launch the script

cat <scriptname> will con<cat>entate the script to.. standard output if none is given.. basically it will print the file.  you can also use less/more/most to print the file to standard out.. You can also use one of the base editors: vi, and ee. If you've never used vi, I would learn how to use it before trying to edit files with it.  It can be confusing to "fresh users" so to speak.


----------



## tig (Sep 26, 2012)

alright, I have the certificate file I needed.  But now i need to get it off of this server.

It does not matter how, I just need to get it off.  My trouble is that the server is on a vmware virtual machine.. and the option to connect/disconnect a USB drive is not available (grey'd out), although I can connect a cd rom.. or an iso file on my local machine.. but I can not figure out how to copy to those locations.

Is there a simple email client on this operating system.. or an easy way to map a directory to a windows network share.. \\computer\share?

or any other really easy way to get a 4kb file off this computer..


----------



## freethread (Sep 26, 2012)

In the shell configuration file you can alias commands to Windows equivalent. The shell configuration file is .cshrc for tcsh/csh, I guess it's .bashrc for bash.
In tcsh/csh:

```
alias dir ls
alias copy cp
alias del rm
alias md mkdir
alias rd rmdir
```
my dir alias is

```
alias dir 'ls -lohAFGH -D "%Y.%m.%d %H:%M"'
```

the command man give help on something, i.e. for ls command help run
[CMD=">"]man ls[/CMD]

I recommend to reading manual page of the shell you are using and for sh shell, they are long reading but helps a lot.

If ghostscript is installed you can use this shell script to convert man pages in PDF files for reading in a pdf viewer, if it's not installed better to learn the basic system commands before to install ports on production machines, expecially if it's a servers.


```
[B]man2pdf[/B]
#!/bin/sh
if [ $# -eq 1 ]; then
    man -t $1 | ps2pdf - ./$1.pdf
elif [ $# -eq 2 ]; then
    man -t $1 $2 | ps2pdf - ./$2.$1.pdf
else
    echo "usage:"
    echo "    man2pdf [mansection] manpage"
fi
```


----------



## gkontos (Sep 26, 2012)

Copy the certificate to the home directory that you have created for your username. Assuming your username is tig:
[CMD=""]# cp <file> /home/tig[/CMD]
From a windows SFTP client (FileZilla) establish a SFTP session to the server using your username and password.
Retrieve the file.


----------



## tig (Sep 26, 2012)

thanks guys I got it.. sftp didn't quite work.. it would not accept my login credentials.. but it gave me the idea to use my ftp server, and the other comment with man for help lead me to man ftp.. soon enough I was transferring like a pro..

tested the certificate and it all works.. so i am good to go.. well except for a lot of reading, maybe setting up my own bsd server out of spare parts I have here for experience/testing.. but yea i am good.. stress levels dropping 

thanks again


----------



## gkontos (Sep 26, 2012)

tig said:
			
		

> tested the certificate and it all works.. so i am good to go.. well except for a lot of reading, maybe setting up my own bsd server out of spare parts I have here for experience/testing.. but yea i am good.. stress levels dropping
> 
> thanks again



I am really glad that you managed to sort this out somehow. I know from personal experience that the stress levels can rise up very fast in these situations.

It is always good to learn something new. And as you can see there is a lot of help available in the BSD community.


----------



## drhowarddrfine (Sep 27, 2012)

Next step: call them directories, not folders.


----------

