#jessie — Public Fediverse posts

https://www.europesays.com/es/527830/ Regresan Woody, Buzz y Jessie, pero su histórico director se despide: todo sobre Toy Story 5 #adios #AndrewStanton #Animación #BuzzLightyear #Cine #Entertainment #Entretenimiento #ES #España #Film #Jessie #Movies #Pixar #rex #Spain #ToyStory #woody

One year ago today I posted this miniature Toy Story photo I created using real figures, lighting and miniature sets. I digitally added the lights to Buzz's wings the rest is all real.

#toystory #miniatures #photography #creativephotography #visualart #buzzlightyeat #jessie #pixar #toyphotography

https://www.europesays.com/it/398983/ Jessie Buckley, trionfatrice agli Oscar: in «Hamnet» perde un figlio, nella vita reale lo celebra #agnes #altra #AltraSera #attrice #AttriceProtagonista #buckley #cose #dedicare #DedicarePremio #desiderio #donne #Entertainment #figlia #figlio #hamnet #incredibile #Intrattenimento #IT #Italia #Italy #jessie #JessieBuckley #madre #mamma #marito #maternità #oscar #premio #protagonista

⭕Marche pour #Quentin à #Lyon #Jessie, étudiante : "Ce n'est pas une marche pour un jeune homme décédé, la preuve en est, ses parents ne sont pas là aujourd'hui et ont condamné la récupération politique. Son décès est récupéré par l'extrême droite."

RE: https://bsky.app/profile/did:plc:2cte4wipyk47qjujtxrskqcx/post/3mff2uk7ia32f

Dave Randolph, creator of PrintedSolid has resigned from its CEO position and departed. Prusa is now taking the lead.

Dave, if you read here, thank you very much for all the great and hard work. Thank you for having trusted my project and sold many Bear frame kits. I wish you all the best for the next steps 💫

More info: https://techhub.social/@fabbaloo/116046895268921557

#printedsolid #jessie #filament #3dprinting #prusa #bear #bearupgrade @printedsolid

Devuan – Debian Without Systemd
https://www.devuan.org/
#ycombinator #debian #jessie #ascii #beowulf #chimaera #daedalus #excalibur #fork #devuan #sysvinit #openrc #systemd #freedom #init_freedom #sysadmin #gnu #linux #distribution #open_source #free_software #compatibility #portable #embedded #minimal #compact

SONG OF THE WEEK “A Place Across the Sky” https://johnnyjblairsingeratlarge.bandcamp.com/track/a-place-across-the-sky

#sky #johnnyjblair #mikeroe #michaelroe #jessie #puppy #childlike #discovery #alexanderkey #cslewis #spacetrilogy #beachboys #moodyblues #10cc #surfrock #spacerock #seventysevens

SONG OF THE WEEK “A Place Across the Sky” https://johnnyjblairsingeratlarge.bandcamp.com/track/a-place-across-the-sky

#sky #johnnyjblair #mikeroe #michaelroe #jessie #puppy #childlike #discovery #alexanderkey #cslewis #spacetrilogy #beachboys #moodyblues #10cc #surfrock #spacerock #seventysevens

NFL world reacts to upset victory https://www.rawchili.com/nfl/642798/ #American #AmericanFootball #Angeles #Atlanta #AtlantaFalcons #Bates #Bijan #BijanRobinson #Falcons #Football #Hub #iii #Jessie #JessieBatesIII #Los #LosAngeles #LosAngelesRams #LosAngeles #LosAngelesRams #matthew #MatthewStafford #McVay #National #NationalSports #Neutral #news #NFL #NFLHub #Overall #OverallNeutral #OverallPositive #Positive #Rams #robinson #Sean #SeanMcVay #Sports #SportsNews #stafford

NFL world reacts to upset victory https://www.rawchili.com/nfl/642798/ #American #AmericanFootball #Angeles #Atlanta #AtlantaFalcons #Bates #Bijan #BijanRobinson #Falcons #Football #Hub #iii #Jessie #JessieBatesIII #Los #LosAngeles #LosAngelesRams #LosAngeles #LosAngelesRams #matthew #MatthewStafford #McVay #National #NationalSports #Neutral #news #NFL #NFLHub #Overall #OverallNeutral #OverallPositive #Positive #Rams #robinson #Sean #SeanMcVay #Sports #SportsNews #stafford

Bengals coaches rally around embattled starter before free agency

Al Golden with the heavy praise Monday of Geno Stone: “The succes…
#NFL #CincinnatiBengals #Cincinnati #Bengals #Al #AlGolden #American #AmericanFootball #Bates #battle #Burrow #Football #Geno #GenoStone #Golden #Hub #iii #Jessie #JessieBatesIII #Joe #JoeBurrow #Jordan #JordanBattle #matthew #matthewstafford #Negative #news #NFLHub #Overall #OverallNegative #Sports #SportsNews #stafford #Stone
https://www.rawchili.com/nfl/639270/

Bengals coaches rally around embattled starter before free agency https://www.rawchili.com/nfl/639270/ #Al #AlGolden #American #AmericanFootball #Bates #battle #Bengals #Burrow #Cincinnati #CincinnatiBengals #CincinnatiBengals #Football #Geno #GenoStone #Golden #Hub #iii #Jessie #JessieBatesIII #Joe #JoeBurrow #Jordan #JordanBattle #matthew #MatthewStafford #Negative #news #NFL #NFLHub #Overall #OverallNegative #Sports #SportsNews #stafford #Stone

Trey McBride’s record-setting streak ends vs. Falcons https://www.rawchili.com/nfl/618822/ #American #AmericanFootball #Arizona #ArizonaCardinals #Atlanta #AtlantaFalcons #AtlantaFalcons #Bates #Cardinals #Carolina #CarolinaPanthers #elijah #ElijahHiggins #Falcons #Football #Higgins #Hub #iii #Jessie #JessieBatesIII #McBride #National #NationalSports #Neutral #news #NFL #NFLHub #Overall #OverallNeutral #Panthers #Sports #SportsNews #Trey #TreyMcBride

Trey McBride’s record-setting streak ends vs. Falcons https://www.rawchili.com/nfl/618822/ #American #AmericanFootball #Arizona #ArizonaCardinals #Atlanta #AtlantaFalcons #AtlantaFalcons #Bates #Cardinals #Carolina #CarolinaPanthers #elijah #ElijahHiggins #Falcons #Football #Higgins #Hub #iii #Jessie #JessieBatesIII #McBride #National #NationalSports #Neutral #news #NFL #NFLHub #Overall #OverallNeutral #Panthers #Sports #SportsNews #Trey #TreyMcBride

Does anyone still remember #Paw? Somewhere between #Helmet and #Nirvana, they rocked pretty hard. I had lost sight of them, and it took days before I remembered their name again. At the moment, I'm drawn back to the #moshpits of the #90s. #music #alternative #rock #metal #grunge #jessie

Paw - Jessie (HQ)

SONG OF THE WEEK “A Place Across the Sky” https://johnnyjblairsingeratlarge.bandcamp.com/track/a-place-across-the-sky

#sky #johnnyjblair #mikeroe #michaelroe #jessie #puppy #childlike #discovery #alexanderkey #cslewis #spacetrilogy #beachboys #moodyblues #10cc #surfrock #spacerock #seventysevens

SONG OF THE WEEK “A Place Across the Sky” https://johnnyjblairsingeratlarge.bandcamp.com/track/a-place-across-the-sky

#sky #johnnyjblair #mikeroe #michaelroe #jessie #puppy #childlike #discovery #alexanderkey #cslewis #spacetrilogy #beachboys #moodyblues #10cc #surfrock #spacerock #seventysevens

Дістав з загашників #RasberryPi2, який купляв дуже давно. Він вийшов у 2015 році та все ще працює. Оновив на ньому систему до #buster (була #jessie), але працює усе дуже повільно. Думав підняти на ньому #HomeAssistant для свого розумного будинку, але він працює тільки на 4 чи 5 версії Pi.
Що робити з ним корисного ще не придумав ;-)

Perché Woody torna nella casa di Bonnie in Toy Story 5: Disney chiarisce il motivo del suo ritorno

https://web.brid.gy/r/https://www.galaxyaddicted.it/2025/11/toy-story-5-ritorno-woody-bonnie-lilypad/

Did Jessie change his name by proxy? If you understand this than you are either old or into politics or US presidents. Which one are you?

#Jessie #TTMO #OhWhereOhWhere #Regan #PresidentRegan #NaturalReader

So far my main desktop running #KDE on #Wayland is highly unstable under #Debian #Trixie. There were always glitches under Bookworm but things are less stable than before. I suspect that the box which started life on #Jessie may have reached the end of the upgrade cycle. Just too many old things lying about, and a clean install and fresh user profile may be in order.

Systems started Bookworm and hardly used upgraded perfectly.

I will be buying a new desktop next year anyway...

Next version of #Debian - 13/#Trixie is releasing on 9th August. We have two release parties lined up in India - one in Delhi NCR and another in Hyderabad.
https://wiki.debian.org/ReleasePartyTrixie

Would you like to organize one near you? It is basically to hang out with other #FreeSoftware community members and sharing snacks or just talk. You can help new people with Debian installation too.

Eight years ago for #jessie release, we hosted 16 parties across Kerala ! https://wiki.debian.org/ReleasePartyJessie#ReleasePartyJessie.2FIndia.2FKerala.India:_Kerala Join and help beat it

New video! https://youtu.be/b6YpCHPYQJA?si=QsUSxhIS5zVo96Nj #puppy #dogtricks #dogs #Jessie #robinmackey #timstone #khatchaturian #sabredance #johnnyjblair

New video! https://youtu.be/b6YpCHPYQJA?si=QsUSxhIS5zVo96Nj #puppy #dogtricks #dogs #Jessie #robinmackey #timstone #khatchaturian #sabredance #johnnyjblair

New video! https://youtu.be/b6YpCHPYQJA?si=QsUSxhIS5zVo96Nj #puppy #dogtricks #dogs #Jessie #robinmackey #timstone #khatchaturian #sabredance #johnnyjblair

New video! https://youtu.be/b6YpCHPYQJA?si=QsUSxhIS5zVo96Nj #puppy #dogtricks #dogs #Jessie #robinmackey #timstone #khatchaturian #sabredance #johnnyjblair

New video! https://youtu.be/b6YpCHPYQJA?si=QsUSxhIS5zVo96Nj #puppy #dogtricks #dogs #Jessie #robinmackey #timstone #khatchaturian #sabredance #johnnyjblair

The security support for Debian "Jessie", provided by Freexian, under the ELTS service has reached its end-of-life on June 30, 2025.
https://www.freexian.com/lts/extended/updates/ela-1477-1-jessie-elts/

If you are still using Jessie, it's now the time to upgrade to a release currently receiving security support from Debian / supported under LTS/ELTS services offered by Freexian.

#Jessie #LTS #EOL#ELTS

Jessie J diagnosticada con cáncer de mama 'temprano' #cáncer #con #diagnosticada #Jessie #mamá #temprano #ButterWord #Spanish_News Comenta tu opinión 👇
https://butterword.com/jessie-j-diagnosticada-con-cancer-de-mama-temprano/?feed_id=25004&_unique_id=683fe0ecb97c9

Freexian offers Extended LTS (#ELTS) service which extends Debian's security support period up to 10 years.

In 2024, with #Debian 10 having reached its end-of-life on June 30th on the Debian side, #Freexian added Debian 10 to the set of ELTS releases that we are maintaining.

Debian 10 #buster is joining Debian 8 #jessie (still supported for 1 year) and Debian 9 #stretch (still supported for 3 years).

You can find more details by reading our blog post - https://www.freexian.com/blog/extended-lts-for-debian-10/

𝗩𝗼𝗼𝗿 𝗝𝗲𝘀𝘀𝗶𝗲 𝘃𝗼𝗲𝗹𝘁 𝗱𝗲 𝗣𝗿𝗶𝗱𝗲 𝗮𝗹𝘀 '𝗻 𝘁𝗲𝗻𝘁𝗼𝗼𝗻𝘀𝘁𝗲𝗹𝗹𝗶𝗻𝗴 𝘃𝗮𝗻 𝗮𝗹𝗹𝗲 𝘁𝗲𝗹𝗲𝘂𝗿𝘀𝘁𝗲𝗹𝗹𝗶𝗻𝗴𝗲𝗻: '𝗔𝗹 𝗺𝗶𝗷𝗻 𝗲𝘅𝗲𝗻 𝗼𝗽 éé𝗻 𝗽𝗹𝗲𝗶𝗻'

Iedere week delen we een openhartige en goudeerlijke liefdesles van een lezer. Omdat de liefde alleen maar mooier wordt als je deelt. Jessie (49) gaat dit jaar niet naar de Pride in Amsterdam, ook al is het haar feestje....

https://www.rtl.nl/lifestyle/artikel/5462905/liefdesles-jessie-pride-voelt-als-tentoonstelling-alle-teleurstellingen

#Jessie #Pride #teleurstellingen

@debian: Oh, indeed, most time in the past decade we needed a bit more than two years for a #Debian release. But #Debian12 #Bookworm is the first #DebianRelease since #Debian8 #Jessie which took less than two years: https://wiki.debian.org/DebianReleases#Production_Releases

#ReleasingDebianBookworm

Wir haben hier noch einen #Debian 8 #Jessie System mit einem #Asterisk laufen, das aber ein paar Probleme macht. Upgrade schlug wegen einiger alten Probleme fehl, daher mal von Grund auf mit Debian #Bullseye neu installiert, was aber einige Anpassungen der bisherigen Konfiguration nach sich zog. 3 Stunden später kann ich sagen - alles läuft wieder 🤗 #computerkram

I was going to make myself a slice of toast. I put the bread in the toaster and went off to do something. I was going to toast it when I came back. However when I returned my very greedy cat Jessie and taken it out of the toaster and was doing this
Anyone want a cat?

#Cats #CatsOfMastodon #catsofmasto #Jessie

I like polls, so here's one asking what everyone thinks is the Best Final Fantasy VII Remake Lady?

💐 🍹 ✴️ 🍕

https://fineartamerica.com/featured/aerith-and-tifa-and-yuffie-maax.html

https://www.reddit.com/r/FinalFantasy/comments/gauru9/tifa_x_aerith_x_jessie_art_by_leirixart/

#FinalFantasy #FinalFantasyVII #Aerith #Tifa #Yuffie #Jessie

Jessie from Pokémon
I wanted to do a wallpaper series but somehow I just did like three. Does that already count as series?

#Jessie #Pokémon #Pokemon #PokeArt #Art #MastoArt #DigitalArt #TeamRocket

yeah wtf,
it seems like #debian #jessie just decided to shit itself if you are running #vmware as hypervisor and VMXNET 3 , change to E1000 does solve the issue

Logging to persistent tmpfs on Raspbian “jessie”

At the end of Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN I wrote that I decided not to put /var/log into tmpfs, because:

1. I wanted the logs to be persistent
2. I thought that the wear would result in less and less of the sd card to become available (and 16GB for logs should last a loong time)

As it turned out the sd card died after one month.

I don’t know if the cause was excessive logging, the use of ntopng (which did write quite a lot, both in the number of files, the number of files, and in the total storage used, which was approximately 0,5GB after 30 days of uptime) or simply a bad sd card.

However, going forward with a new sd card, I’ve done the following:

1. Removed ntopng
2. Put /var/log on tmpfs (limited to 100MB in size), synced to a backing store on the sd card using rsync

For setting up the logging I found some existing web pages that took me part of the way, but not all the way:

• Raspberry Pi: Extending the life of the SD card (this is where I got the fstab line from)
• Observium persistent ramdisk (this is where I got the script and the crontab settings from)
• Setting up overlayFS on Raspberry Pi (this is the where I got the systemctl command to set up the init.d script, as well as the script headers to make it work)
• How does systemd use /etc/init.d scripts? (more information about how systemd uses /init.d scripts)

Here is what I did:

1. Logged in as root and did everything below as root
2. Edited /etc/fstab and added the following line:

   tmpfs    /var/log    tmpfs    defaults,noatime,nosuid,mode=0755,size=100m    0 0

3. Created an /etc/init.d/ramdiskvarlog file with the following contents

   #!/bin/sh### BEGIN INIT INFO# Provides:          ramdiskvarlog# Required-Start:    $local_fs $time# X-Stop-After:      $time# Required-Start:    $local_fs $time# Required-Stop:     $local_fs# Default-Start:     S# Default-Stop:      0 1 6# Short-Description: Restore to and save logs from tmpfs filesystem# Description:       Restore to and save logs from tmpfs filesystem### END INIT INFO# /etc/init.d/ramdiskvarlog#case "$1" in  start)    echo "Copying files to ramdisk"    rsync -av /var/backup/log/ /var/log/    echo [`date +"%Y-%m-%d %H:%M"`] Ramdisk Synched from HD >> /var/log/ramdisk_sync.log    ;;  sync)    echo "Synching files from ramdisk to Harddisk"    echo [`date +"%Y-%m-%d %H:%M"`] Ramdisk Synched to HD >> /var/log/ramdisk_sync.log    rsync -avy --delete --recursive --force /var/log/ /var/backup/log/    ;;  stop)    echo "Synching logfiles from ramdisk to Harddisk"    echo [`date +"%Y-%m-%d %H:%M"`] Ramdisk Synched to HD >> /var/log/ramdisk_sync.log    rsync -av --delete --recursive --force /var/log/ /var/backup/log/    ;;  *)    echo "Usage: /etc/init.d/ramdisk {start|stop|sync}"    exit 1    ;;esacexit 0

4. Made /etc/init.d/ramdiskvarlog executable:

   chmod +x /etc/init.d/ramdiskvarlog

5. Created a directory to store the logs persistently, and populated it initially with the contents of the existing /var/log with the following command line commands :

   mkdir -p /var/backup/log/etc/init.d/ramdiskvarlog sync

6. Made the /etc/init.d/ramdiskvarlog script be run at boot time and during orderly shutdown with the following command line command

   systemctl enable ramdiskvarlog

7. Made the /etc/init.d/ramdiskvarlog script copy the contents of /var/log to the sd card once every 24 hours
   1. At the command line gave the command

      crontab -e

   2. In the editor that opened on the crontab, added a line with the following contents

      2 7 * * * /etc/init.d/ramdiskvarlog sync >> /dev/null 2>&1

8. Created a test file with “touch /var/log/test.log”, rebooted the raspberry pi with “sync; reboot”, and then:
   1. Checked with the mount command that /var/log was on tmpfs, found the following line in the output, which meant that /var/log was on tmpfs

      tmpfs on /var/log type tmpfs (rw,nosuid,noatime,size=102400k,mode=755)

   2. Checked that the /var/log/test.log file was present (and the file was present, which meant that it had been synced to persistent storage on shutdown and restored on boot)

After completing the setup, I popped the sd card out and put it into a card reader on a debian desktop computer. Then I made an image of the working sd card, so that if/when the sd card dies, getting a working router again should be as quick as just dd’ing the image to a new sd card and then switching sd card on the raspberry Pi.

Lesson learned!

#jessie #logging #persistentRamdisk #raspbian #raspbian8 #raspbianJessie #rsync #tmpfs

Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN

Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network.  The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.

The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).

So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?

The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:

• No possibilities for SSH or mosh into the home LAN
• No ntop
• No support for netboot and TFTP in the home LAN
• Limited, cumbersome and inflexible firewall setup

My requirements were:

• Cheap
• Two wired NICs
• The ability to run debian
• Preferrably fanless
• Compact

ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.

And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.

This is what I ordered:

• Raspberry Pi 2 Model B Starter Kit
• TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)

Here’s what I did:

1. Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
2. Plugged an USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux 
3. I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB port, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
4. I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:

   adduser sb

   the changed the password of the root user and removed the pi user

5. I copied in a public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_conf in a text editor and modified it in the following way:
   1. Disabled root login by changing

      PermitRootLogin without-password

      to

      PermitRootLogin no

   2. Disabled password login by changing

      #PasswordAuthentication yes

      to

      PasswordAuthentication no

      (removed the comment and changed “yes” to “no”)

6. Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
7. Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
8. Resized the disk to fill the entire SD card:
   1. Typed the command

      raspi-config

   2. Selected

      1 Expand Filesystem            Ensures that all of the SD card storage is available to the OS

      and got the response

      Root partition has been resized.The filesystem will be enlarged upon the next reboot

   3. Rebooted the system to get the full 16GB in the file system
9. Updated the system by giving the following command line commands:

   apt-get updateapt-get dist-upgrade

   (the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)

10. Installed some useful software:
    1. GNU emacs (my favorite text editor)

       apt-get install emacs

    2. mosh

       apt-get install mosh

    3. git (I’ve got my home directory versioned in git)

       apt-get install git

    4. rcs (I use it to version control operating system configuration files)

       apt-get install rcs

11. I cloned my home directory in git and created a new branch (I have a different branch for each computer)
12. I set the built-in NIC permanently as eth0:

    export INTERFACE=eth0export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

13. I added configuration for a second NIC by adding the following to /etc/network/interfaces:

14. # The internal network cardallow-hotplug eth1iface eth1 inet static   address 10.10.10.1   netmask 255.255.255.0

15. I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:

    export INTERFACE=eth1export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

16. Installed dnsmasq

    apt-get install dnsmasq

17. Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
    1. Removed the comment in front of

       #interface=

       and set “eth1” as the value:

       interface=eth1

    2. Uncommented the domain directive

       #domain=thekelleys.org.uk

       and changed it to my domain

       domain=hjemme.lan

    3. Uncommented the dhcp-range directive

       #dhcp-range=192.168.0.50,192.168.0.150,12h

       and changed it to a 10.10.10.* range with a 5h lease on the addresses

       # Our HOME LAN 5h lease timedhcp-range=10.10.10.6,10.10.10.40,5h

18. Opened the /etc/hosts file in a text editor and added the raspberry pi itself, to so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file.  The rest is delegated to the upstream DNS server)

    127.0.0.1       localhost::1             localhost ip6-localhost ip6-loopbackff02::1         ip6-allnodesff02::2         ip6-allrouters127.0.1.1       ocon# local hosts10.10.10.1  hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan

19. Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:

    # Uncomment the next line to enable packet forwarding for IPv4net.ipv4.ip_forward=1

20. ferm is a utility that makes it easy to set the routing and firewall rules at boot time
    1. Installed ferm using apt-get from a command line:

       apt-get install ferm

    2. Modified the /etc/ferm/ferm.conf file to allow everything inside t oroute out, but only allow ssh in

       @def $DEV_WORLD = eth0;@def $DEV_PRIVATE = eth1;def $NET_PRIVATE = 10.10.10.0/24;table filter {    chain INPUT {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # allow local packet        interface lo ACCEPT;        # allow private net        interface $DEV_PRIVATE ACCEPT;        # respond to ping        proto icmp ACCEPT;        # allow IPsec        proto udp dport 500 ACCEPT;        proto (esp ah) ACCEPT;        # allow SSH connections        proto tcp dport ssh ACCEPT;    }    chain OUTPUT {        policy ACCEPT;        # connection tracking        #mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;    }    chain FORWARD {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # connections from the internal net to the internet or        # to other internal nets are allowed        interface $DEV_PRIVATE ACCEPT;        # the rest is dropped by the above policy    }}table nat {    chain POSTROUTING {        # masquerade private IP addresses        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;    }}

21. The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):

    cd /tmpwget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.debdpkg --install /tmp/ferm_2.2-5_all.deb

22. fail2ban monitors log files of daemons and adjust the firewall rules to temporary ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
23. To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntop ng

    apt-get install ntopng

    after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)

24. The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a

    apt-get install ntp

25. Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP deamon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:

    # If you want to provide time to your local subnet, change the next line.# (Again, the address is an example only.)broadcast 10.10.10.255

26. Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update

    apt-get install apticron

The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up the raspberry pi, together with the cheap USB keyboard used for setup.

I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry-pi the display stayed black.  I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:

# uncomment if you get no picture on HDMI for a default "safe" modehdmi_safe=1

I rebooted the raspberry pi, and this time the LCD displayed showed the boot messages as well as a normal console login prompt.

And this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.

But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And ff the SD card wears out I’ll just by a new SD card, and make a new system. Since I now know how, this shouldn’t take long

#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh

Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN

Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network.  The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.

The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).

So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?

The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:

• No possibilities for SSH or mosh into the home LAN
• No ntop
• No support for netboot and TFTP in the home LAN
• Limited, cumbersome and inflexible firewall setup

My requirements were:

• Cheap
• Two wired NICs
• The ability to run debian
• Preferrably fanless
• Compact

ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.

And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.

This is what I ordered:

• Raspberry Pi 2 Model B Starter Kit
• TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)

Here’s what I did:

1. Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
2. Plugged an USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux 
3. I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB port, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
4. I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:

   adduser sb

   the changed the password of the root user and removed the pi user

5. I copied in a public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_conf in a text editor and modified it in the following way:
   1. Disabled root login by changing

      PermitRootLogin without-password

      to

      PermitRootLogin no

   2. Disabled password login by changing

      #PasswordAuthentication yes

      to

      PasswordAuthentication no

      (removed the comment and changed “yes” to “no”)

6. Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
7. Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
8. Resized the disk to fill the entire SD card:
   1. Typed the command

      raspi-config

   2. Selected

      1 Expand Filesystem            Ensures that all of the SD card storage is available to the OS

      and got the response

      Root partition has been resized.The filesystem will be enlarged upon the next reboot

   3. Rebooted the system to get the full 16GB in the file system
9. Updated the system by giving the following command line commands:

   apt-get updateapt-get dist-upgrade

   (the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)

10. Installed some useful software:
    1. GNU emacs (my favorite text editor)

       apt-get install emacs

    2. mosh

       apt-get install mosh

    3. git (I’ve got my home directory versioned in git)

       apt-get install git

    4. rcs (I use it to version control operating system configuration files)

       apt-get install rcs

11. I cloned my home directory in git and created a new branch (I have a different branch for each computer)
12. I set the built-in NIC permanently as eth0:

    export INTERFACE=eth0export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

13. I added configuration for a second NIC by adding the following to /etc/network/interfaces:

14. # The internal network cardallow-hotplug eth1iface eth1 inet static   address 10.10.10.1   netmask 255.255.255.0

15. I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:

    export INTERFACE=eth1export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

16. Installed dnsmasq

    apt-get install dnsmasq

17. Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
    1. Removed the comment in front of

       #interface=

       and set “eth1” as the value:

       interface=eth1

    2. Uncommented the domain directive

       #domain=thekelleys.org.uk

       and changed it to my domain

       domain=hjemme.lan

    3. Uncommented the dhcp-range directive

       #dhcp-range=192.168.0.50,192.168.0.150,12h

       and changed it to a 10.10.10.* range with a 5h lease on the addresses

       # Our HOME LAN 5h lease timedhcp-range=10.10.10.6,10.10.10.40,5h

18. Opened the /etc/hosts file in a text editor and added the raspberry pi itself, to so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file.  The rest is delegated to the upstream DNS server)

    127.0.0.1       localhost::1             localhost ip6-localhost ip6-loopbackff02::1         ip6-allnodesff02::2         ip6-allrouters127.0.1.1       ocon# local hosts10.10.10.1  hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan

19. Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:

    # Uncomment the next line to enable packet forwarding for IPv4net.ipv4.ip_forward=1

20. ferm is a utility that makes it easy to set the routing and firewall rules at boot time
    1. Installed ferm using apt-get from a command line:

       apt-get install ferm

    2. Modified the /etc/ferm/ferm.conf file to allow everything inside t oroute out, but only allow ssh in

       @def $DEV_WORLD = eth0;@def $DEV_PRIVATE = eth1;def $NET_PRIVATE = 10.10.10.0/24;table filter {    chain INPUT {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # allow local packet        interface lo ACCEPT;        # allow private net        interface $DEV_PRIVATE ACCEPT;        # respond to ping        proto icmp ACCEPT;        # allow IPsec        proto udp dport 500 ACCEPT;        proto (esp ah) ACCEPT;        # allow SSH connections        proto tcp dport ssh ACCEPT;    }    chain OUTPUT {        policy ACCEPT;        # connection tracking        #mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;    }    chain FORWARD {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # connections from the internal net to the internet or        # to other internal nets are allowed        interface $DEV_PRIVATE ACCEPT;        # the rest is dropped by the above policy    }}table nat {    chain POSTROUTING {        # masquerade private IP addresses        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;    }}

21. The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):

    cd /tmpwget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.debdpkg --install /tmp/ferm_2.2-5_all.deb

22. fail2ban monitors log files of daemons and adjust the firewall rules to temporary ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
23. To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntop ng

    apt-get install ntopng

    after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)

24. The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a

    apt-get install ntp

25. Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP deamon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:

    # If you want to provide time to your local subnet, change the next line.# (Again, the address is an example only.)broadcast 10.10.10.255

26. Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update

    apt-get install apticron

The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up the raspberry pi, together with the cheap USB keyboard used for setup.

I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry-pi the display stayed black.  I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:

# uncomment if you get no picture on HDMI for a default "safe" modehdmi_safe=1

I rebooted the raspberry pi, and this time the LCD displayed showed the boot messages as well as a normal console login prompt.

And this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.

But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And ff the SD card wears out I’ll just by a new SD card, and make a new system. Since I now know how, this shouldn’t take long

#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh

Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN

Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network.  The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.

The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).

So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?

The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:

• No possibilities for SSH or mosh into the home LAN
• No ntop
• No support for netboot and TFTP in the home LAN
• Limited, cumbersome and inflexible firewall setup

My requirements were:

• Cheap
• Two wired NICs
• The ability to run debian
• Preferrably fanless
• Compact

ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.

And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.

This is what I ordered:

• Raspberry Pi 2 Model B Starter Kit
• TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)

Here’s what I did:

1. Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
2. Plugged an USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux 
3. I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB port, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
4. I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:

   adduser sb

   the changed the password of the root user and removed the pi user

5. I copied in a public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_conf in a text editor and modified it in the following way:
   1. Disabled root login by changing

      PermitRootLogin without-password

      to

      PermitRootLogin no

   2. Disabled password login by changing

      #PasswordAuthentication yes

      to

      PasswordAuthentication no

      (removed the comment and changed “yes” to “no”)

6. Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
7. Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
8. Resized the disk to fill the entire SD card:
   1. Typed the command

      raspi-config

   2. Selected

      1 Expand Filesystem            Ensures that all of the SD card storage is available to the OS

      and got the response

      Root partition has been resized.The filesystem will be enlarged upon the next reboot

   3. Rebooted the system to get the full 16GB in the file system
9. Updated the system by giving the following command line commands:

   apt-get updateapt-get dist-upgrade

   (the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)

10. Installed some useful software:
    1. GNU emacs (my favorite text editor)

       apt-get install emacs

    2. mosh

       apt-get install mosh

    3. git (I’ve got my home directory versioned in git)

       apt-get install git

    4. rcs (I use it to version control operating system configuration files)

       apt-get install rcs

11. I cloned my home directory in git and created a new branch (I have a different branch for each computer)
12. I set the built-in NIC permanently as eth0:

    export INTERFACE=eth0export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

13. I added configuration for a second NIC by adding the following to /etc/network/interfaces:

14. # The internal network cardallow-hotplug eth1iface eth1 inet static   address 10.10.10.1   netmask 255.255.255.0

15. I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:

    export INTERFACE=eth1export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

16. Installed dnsmasq

    apt-get install dnsmasq

17. Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
    1. Removed the comment in front of

       #interface=

       and set “eth1” as the value:

       interface=eth1

    2. Uncommented the domain directive

       #domain=thekelleys.org.uk

       and changed it to my domain

       domain=hjemme.lan

    3. Uncommented the dhcp-range directive

       #dhcp-range=192.168.0.50,192.168.0.150,12h

       and changed it to a 10.10.10.* range with a 5h lease on the addresses

       # Our HOME LAN 5h lease timedhcp-range=10.10.10.6,10.10.10.40,5h

18. Opened the /etc/hosts file in a text editor and added the raspberry pi itself, to so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file.  The rest is delegated to the upstream DNS server)

    127.0.0.1       localhost::1             localhost ip6-localhost ip6-loopbackff02::1         ip6-allnodesff02::2         ip6-allrouters127.0.1.1       ocon# local hosts10.10.10.1  hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan

19. Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:

    # Uncomment the next line to enable packet forwarding for IPv4net.ipv4.ip_forward=1

20. ferm is a utility that makes it easy to set the routing and firewall rules at boot time
    1. Installed ferm using apt-get from a command line:

       apt-get install ferm

    2. Modified the /etc/ferm/ferm.conf file to allow everything inside t oroute out, but only allow ssh in

       @def $DEV_WORLD = eth0;@def $DEV_PRIVATE = eth1;def $NET_PRIVATE = 10.10.10.0/24;table filter {    chain INPUT {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # allow local packet        interface lo ACCEPT;        # allow private net        interface $DEV_PRIVATE ACCEPT;        # respond to ping        proto icmp ACCEPT;        # allow IPsec        proto udp dport 500 ACCEPT;        proto (esp ah) ACCEPT;        # allow SSH connections        proto tcp dport ssh ACCEPT;    }    chain OUTPUT {        policy ACCEPT;        # connection tracking        #mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;    }    chain FORWARD {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # connections from the internal net to the internet or        # to other internal nets are allowed        interface $DEV_PRIVATE ACCEPT;        # the rest is dropped by the above policy    }}table nat {    chain POSTROUTING {        # masquerade private IP addresses        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;    }}

21. The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):

    cd /tmpwget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.debdpkg --install /tmp/ferm_2.2-5_all.deb

22. fail2ban monitors log files of daemons and adjust the firewall rules to temporary ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
23. To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntop ng

    apt-get install ntopng

    after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)

24. The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a

    apt-get install ntp

25. Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP deamon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:

    # If you want to provide time to your local subnet, change the next line.# (Again, the address is an example only.)broadcast 10.10.10.255

26. Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update

    apt-get install apticron

The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up the raspberry pi, together with the cheap USB keyboard used for setup.

I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry-pi the display stayed black.  I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:

# uncomment if you get no picture on HDMI for a default "safe" modehdmi_safe=1

I rebooted the raspberry pi, and this time the LCD displayed showed the boot messages as well as a normal console login prompt.

And this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.

But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And ff the SD card wears out I’ll just by a new SD card, and make a new system. Since I now know how, this shouldn’t take long

#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh

Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN

Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network.  The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.

The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).

So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?

The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:

• No possibilities for SSH or mosh into the home LAN
• No ntop
• No support for netboot and TFTP in the home LAN
• Limited, cumbersome and inflexible firewall setup

My requirements were:

• Cheap
• Two wired NICs
• The ability to run debian
• Preferrably fanless
• Compact

ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.

And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.

This is what I ordered:

• Raspberry Pi 2 Model B Starter Kit
• TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)

Here’s what I did:

1. Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
2. Plugged an USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux 
3. I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB port, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
4. I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:

   adduser sb

   the changed the password of the root user and removed the pi user

5. I copied in a public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_conf in a text editor and modified it in the following way:
   1. Disabled root login by changing

      PermitRootLogin without-password

      to

      PermitRootLogin no

   2. Disabled password login by changing

      #PasswordAuthentication yes

      to

      PasswordAuthentication no

      (removed the comment and changed “yes” to “no”)

6. Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
7. Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
8. Resized the disk to fill the entire SD card:
   1. Typed the command

      raspi-config

   2. Selected

      1 Expand Filesystem            Ensures that all of the SD card storage is available to the OS

      and got the response

      Root partition has been resized.The filesystem will be enlarged upon the next reboot

   3. Rebooted the system to get the full 16GB in the file system
9. Updated the system by giving the following command line commands:

   apt-get updateapt-get dist-upgrade

   (the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)

10. Installed some useful software:
    1. GNU emacs (my favorite text editor)

       apt-get install emacs

    2. mosh

       apt-get install mosh

    3. git (I’ve got my home directory versioned in git)

       apt-get install git

    4. rcs (I use it to version control operating system configuration files)

       apt-get install rcs

11. I cloned my home directory in git and created a new branch (I have a different branch for each computer)
12. I set the built-in NIC permanently as eth0:

    export INTERFACE=eth0export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

13. I added configuration for a second NIC by adding the following to /etc/network/interfaces:

14. # The internal network cardallow-hotplug eth1iface eth1 inet static   address 10.10.10.1   netmask 255.255.255.0

15. I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:

    export INTERFACE=eth1export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

16. Installed dnsmasq

    apt-get install dnsmasq

17. Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
    1. Removed the comment in front of

       #interface=

       and set “eth1” as the value:

       interface=eth1

    2. Uncommented the domain directive

       #domain=thekelleys.org.uk

       and changed it to my domain

       domain=hjemme.lan

    3. Uncommented the dhcp-range directive

       #dhcp-range=192.168.0.50,192.168.0.150,12h

       and changed it to a 10.10.10.* range with a 5h lease on the addresses

       # Our HOME LAN 5h lease timedhcp-range=10.10.10.6,10.10.10.40,5h

18. Opened the /etc/hosts file in a text editor and added the raspberry pi itself, to so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file.  The rest is delegated to the upstream DNS server)

    127.0.0.1       localhost::1             localhost ip6-localhost ip6-loopbackff02::1         ip6-allnodesff02::2         ip6-allrouters127.0.1.1       ocon# local hosts10.10.10.1  hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan

19. Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:

    # Uncomment the next line to enable packet forwarding for IPv4net.ipv4.ip_forward=1

20. ferm is a utility that makes it easy to set the routing and firewall rules at boot time
    1. Installed ferm using apt-get from a command line:

       apt-get install ferm

    2. Modified the /etc/ferm/ferm.conf file to allow everything inside t oroute out, but only allow ssh in

       @def $DEV_WORLD = eth0;@def $DEV_PRIVATE = eth1;def $NET_PRIVATE = 10.10.10.0/24;table filter {    chain INPUT {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # allow local packet        interface lo ACCEPT;        # allow private net        interface $DEV_PRIVATE ACCEPT;        # respond to ping        proto icmp ACCEPT;        # allow IPsec        proto udp dport 500 ACCEPT;        proto (esp ah) ACCEPT;        # allow SSH connections        proto tcp dport ssh ACCEPT;    }    chain OUTPUT {        policy ACCEPT;        # connection tracking        #mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;    }    chain FORWARD {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # connections from the internal net to the internet or        # to other internal nets are allowed        interface $DEV_PRIVATE ACCEPT;        # the rest is dropped by the above policy    }}table nat {    chain POSTROUTING {        # masquerade private IP addresses        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;    }}

21. The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):

    cd /tmpwget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.debdpkg --install /tmp/ferm_2.2-5_all.deb

22. fail2ban monitors log files of daemons and adjust the firewall rules to temporary ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
23. To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntop ng

    apt-get install ntopng

    after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)

24. The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a

    apt-get install ntp

25. Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP deamon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:

    # If you want to provide time to your local subnet, change the next line.# (Again, the address is an example only.)broadcast 10.10.10.255

26. Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update

    apt-get install apticron

The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up the raspberry pi, together with the cheap USB keyboard used for setup.

I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry-pi the display stayed black.  I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:

# uncomment if you get no picture on HDMI for a default "safe" modehdmi_safe=1

I rebooted the raspberry pi, and this time the LCD displayed showed the boot messages as well as a normal console login prompt.

And this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.

But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And ff the SD card wears out I’ll just by a new SD card, and make a new system. Since I now know how, this shouldn’t take long

#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh

Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN

Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network.  The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.

The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).

So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?

The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:

• No possibilities for SSH or mosh into the home LAN
• No ntop
• No support for netboot and TFTP in the home LAN
• Limited, cumbersome and inflexible firewall setup

My requirements were:

• Cheap
• Two wired NICs
• The ability to run debian
• Preferrably fanless
• Compact

ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.

And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.

This is what I ordered:

• Raspberry Pi 2 Model B Starter Kit
• TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)

Here’s what I did:

1. Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
2. Plugged an USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux 
3. I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB port, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
4. I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:

   adduser sb

   the changed the password of the root user and removed the pi user

5. I copied in a public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_conf in a text editor and modified it in the following way:
   1. Disabled root login by changing

      PermitRootLogin without-password

      to

      PermitRootLogin no

   2. Disabled password login by changing

      #PasswordAuthentication yes

      to

      PasswordAuthentication no

      (removed the comment and changed “yes” to “no”)

6. Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
7. Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
8. Resized the disk to fill the entire SD card:
   1. Typed the command

      raspi-config

   2. Selected

      1 Expand Filesystem            Ensures that all of the SD card storage is available to the OS

      and got the response

      Root partition has been resized.The filesystem will be enlarged upon the next reboot

   3. Rebooted the system to get the full 16GB in the file system
9. Updated the system by giving the following command line commands:

   apt-get updateapt-get dist-upgrade

   (the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)

10. Installed some useful software:
    1. GNU emacs (my favorite text editor)

       apt-get install emacs

    2. mosh

       apt-get install mosh

    3. git (I’ve got my home directory versioned in git)

       apt-get install git

    4. rcs (I use it to version control operating system configuration files)

       apt-get install rcs

11. I cloned my home directory in git and created a new branch (I have a different branch for each computer)
12. I set the built-in NIC permanently as eth0:

    export INTERFACE=eth0export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

13. I added configuration for a second NIC by adding the following to /etc/network/interfaces:

14. # The internal network cardallow-hotplug eth1iface eth1 inet static   address 10.10.10.1   netmask 255.255.255.0

15. I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:

    export INTERFACE=eth1export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules

16. Installed dnsmasq

    apt-get install dnsmasq

17. Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
    1. Removed the comment in front of

       #interface=

       and set “eth1” as the value:

       interface=eth1

    2. Uncommented the domain directive

       #domain=thekelleys.org.uk

       and changed it to my domain

       domain=hjemme.lan

    3. Uncommented the dhcp-range directive

       #dhcp-range=192.168.0.50,192.168.0.150,12h

       and changed it to a 10.10.10.* range with a 5h lease on the addresses

       # Our HOME LAN 5h lease timedhcp-range=10.10.10.6,10.10.10.40,5h

18. Opened the /etc/hosts file in a text editor and added the raspberry pi itself, to so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file.  The rest is delegated to the upstream DNS server)

    127.0.0.1       localhost::1             localhost ip6-localhost ip6-loopbackff02::1         ip6-allnodesff02::2         ip6-allrouters127.0.1.1       ocon# local hosts10.10.10.1  hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan

19. Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:

    # Uncomment the next line to enable packet forwarding for IPv4net.ipv4.ip_forward=1

20. ferm is a utility that makes it easy to set the routing and firewall rules at boot time
    1. Installed ferm using apt-get from a command line:

       apt-get install ferm

    2. Modified the /etc/ferm/ferm.conf file to allow everything inside t oroute out, but only allow ssh in

       @def $DEV_WORLD = eth0;@def $DEV_PRIVATE = eth1;def $NET_PRIVATE = 10.10.10.0/24;table filter {    chain INPUT {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # allow local packet        interface lo ACCEPT;        # allow private net        interface $DEV_PRIVATE ACCEPT;        # respond to ping        proto icmp ACCEPT;        # allow IPsec        proto udp dport 500 ACCEPT;        proto (esp ah) ACCEPT;        # allow SSH connections        proto tcp dport ssh ACCEPT;    }    chain OUTPUT {        policy ACCEPT;        # connection tracking        #mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;    }    chain FORWARD {        policy DROP;        # connection tracking        mod state state INVALID DROP;        mod state state (ESTABLISHED RELATED) ACCEPT;        # connections from the internal net to the internet or        # to other internal nets are allowed        interface $DEV_PRIVATE ACCEPT;        # the rest is dropped by the above policy    }}table nat {    chain POSTROUTING {        # masquerade private IP addresses        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;    }}

21. The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):

    cd /tmpwget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.debdpkg --install /tmp/ferm_2.2-5_all.deb

22. fail2ban monitors log files of daemons and adjust the firewall rules to temporary ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
23. To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntop ng

    apt-get install ntopng

    after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)

24. The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a

    apt-get install ntp

25. Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP deamon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:

    # If you want to provide time to your local subnet, change the next line.# (Again, the address is an example only.)broadcast 10.10.10.255

26. Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update

    apt-get install apticron

The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up the raspberry pi, together with the cheap USB keyboard used for setup.

I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry-pi the display stayed black.  I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:

# uncomment if you get no picture on HDMI for a default "safe" modehdmi_safe=1

I rebooted the raspberry pi, and this time the LCD displayed showed the boot messages as well as a normal console login prompt.

And this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.

But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And ff the SD card wears out I’ll just by a new SD card, and make a new system. Since I now know how, this shouldn’t take long

#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh