This article describes how to get Qemu running on FreeBSD 7.0 using network address translation (NAT). I’ll assume bge0 as external network interface; replace it with your interface (e.g. re0 or wpi0). Using NAT is actually the only way to get internet connectivity via a wireless network from the guests. I’ll use 192.168.3.0/24 as a local network for all qemu instances and run the NAT gateway and DNS server on 192.168.3.1.

Installing Qemu

Install the ports qemu and kqemu-kmod from /usr/ports/emulators. Don’t forget to configure the qemu port with the kqemu kernel module accelerator, otherwise performance will not be optimal.

Host Configuration

To /boot/loader.conf add:

aio_load="YES"
kqemu_load="YES"

To /etc/rc.conf add:

cloned_interfaces="tap0"
ifconfig_tap0="inet 192.168.3.1 netmask 255.255.255.0 up"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="bge0"
natd_flags="-same_ports"
named_enable="YES"
pf_enable="NO"

To /etc/sysctl.conf add:

net.link.tap.user_open=1

To /etc/devfs.rules add (also make sure that the user running qemu is part of group wheel):

add path 'tap*' mode 660

To /etc/namedb/named.conf add:

listen-on { 192.168.3.1; };

Now reboot.

Starting Qemu

Take a look at the man page for qemu for more options. For example to boot a DragonFly ISO image use:

qemu -m 256 -localtime -cdrom LATEST-Devel.iso \
     -net nic -net tap,ifname=tap0,script=no

For Windows XP I prefer:

qemu -m 512 -localtime -usb -std-vga -hda $IMG \
     -soundhw es1370 \
     -name WindowsXP \
     -net nic -net tap,ifname=tap0,script=no

The -snapshot option is also very useful, especially for Windows.

Configuring the Guest

Once your guest system is up and running you have to configure it’s network settings, so that you can connect to the internet. In case of BSD add the following two lines to /etc/rc.conf:

defaultrouter="192.168.3.1"
ifconfig_ed0="inet 192.168.3.2"

And for /etc/resolv.conf use:

nameserver 192.168.3.1

Voila!

Last week I installed FreeBSD 7.0-RC2. Now that FreeBSD 7.0-RELEASE is available, I tried to update using freebsd-update:

freebsd-update -r 7.0-RELEASE upgrade
freebsd-update install
reboot

But I always got error message during “install” like:

chflags: ///etc/mail/freebsd.cf: Operation not supported

So maybe it only occurs if you’ve installed FreeBSD on a ZFS filesystem, which doesn’t possibly support those file flags like noschg. The simple solution to overcome this was:

mv /bin/chflags /bin/chflags.old
cat > /bin/chflags
#!/bin/sh
/bin/chflags.old $@
exit 0
^D
chmod +x /bin/chflags

After that I retried:

freebsd-update install
reboot

And it works!

This night we have to shutdown our server due to some work done in our data center. Now this breaks our wonderful uptime:

core# uptime
 1:47AM  up 264 days,  8:19, 1 user, load averages: 0.00, 0.02, 0.00

And that would be even more if I wouldn't type too quickly, sometimes ;-)

How to copy the files of a hard-disk from one computer to another, across a network, without loosing file attributes? That’s kind of easy using pax and ssh (pax is probably only available on BSD. cpio on others will do fine, too):

cd directory/to/copy
pax -w -x sv4crc . |
  ssh root@remotehost "cd directory/to/copy/into && pax -r -p e"

You should use "root", to maintain correct ownership of files. Use format sv4crc, as most other formats are limited to a path-length of 255.

To double-check that all files were transfered correctly, make use of mtree:

cd directory/to/copy
mtree -c -k md5digest -p . |
  ssh root@remotehost "cd directory/to/copy/into && mtree -k md5digest -p ."

If there’s no output, everything is OKAY!

I got my external USB-connected 300 GB Seagate harddisk today. The first thing I tried was to install FreeBSD 6.0 Beta-1 on it. I quickly recognized that my BIOS would not recognize the USB-connected harddisk to boot from. After some research I found this workaround:

1. Boot from FreeBSD 6.0 CD-ROM.
2. Escape to the boot loader and type set boot_askname.
3. At the "mountroot>" prompt type ufs:da0s1a

And voila, it boots from the root partition of the first slice of da0. Note that the kernel will be loaded from the CD-ROM and not from the USB harddisk.

Today, I ported Algae, a programming language for numerical analysis, and submitted it to the FreeBSD ports collection.

As it was my first FreeBSD port (I submitted several NetBSD ports in the past), it took me about two hours to make it perfect. But the next time it will require no more than 15 minutes, as it’s really simple, once you’ve got the idea.

Now you can install it by simply typing:

portinstall algae

Or if you haven’t installed portinstall (BTW it’s written in Ruby):

cd /usr/ports/math/algae
make && make install && make clean

Here’s the problem report:

www.freebsd.org/cgi/query-pr.cgi?pr=ports/52397

It is extremely dangerous to play with firewall, as it might happen, that you are not able to access your computer anymore, if for example the wrong rule at the wrong place has a syntax error, or your ruleset is simply wrong. The first time I wrote an IPFilter configuration file, I really locked myself out (all except SSH still worked, but that was enough to press the reset button).

So here is a tip to prevent locking yourself out:

At first edit /etc/rc.conf and disable the firewall by setting firewall_enable="NO" (do not forget to reverse this step later).

Next, open up two ssh sessions and become root user. Now, before you change your rules, type at the other terminal:

sleep 100 && reboot

Then apply the firewall rules (ipfw flush && ipfw /etc/ipfw.rules). If you’ve not locked yourself out, you can simply abort the "software watchdog timer" by typing Ctrl-C, whereas in the case you’ve locked yourself out, the computer will reboot after 100 seconds and as we’ve disabled the firewall in rc.conf, after reboot it will be open up for you again.

Security Announchements

Subscribe to FreeBSD-security-notifications@FreeBSD.org

Make System Files Unchangable

Make kernel and /bin unchangeable:

chflags schg /kernel
chflags -R schg /bin
chflags -R schg /modules

To undo use noschg instead schg.

Even root cannot delete / modify them (when in securelevel >= 2). So be careful to not make your rc.conf files unchangable, unless you exactly know what you do.

To display file flags use ls -lo.

Securelevels

Level -1:

no restrictions

Level 1:

• Cannot load / unload kernel modules
• Disabled /dev/mem etc.
• no access to raw devices
• no X windows

Level 2:

Same as level 1 plus the following:

• cannot write diretly to mounted / unmounted filesystems
• cannot alter system time by more than 1 second

Level 3

Same as level 2 plus the following:

• cannot modify ipfw rules.

Conclusion

As long as you’re not modifying your firewall rules very often, run Securelevel 3, otherwise go with Securelevel 2. On my private co-location server, I’m running Securelevel 2, as I need to modify firewall rules from time to time (e.g. enable another port for a user).