- 1 Document
- 2 Installing FreeBSD
- 3 Hardware
- 4 RANCID
Purpose and audience
This post aims to give a high-level introduction to the installation and configuration of FreeBSD and RANCID.
The tutorial is intended for newbies in the world of FreeBSD/RANCID.
I’m myself fairly new to FreeBSD, as the content of this post will reflect.
For my intallation I have choosen a very minimal configuration and it seems to work fine. If the server is supposed to perform several functions besides RANCID, you may want to scale accordingly.
And yes – this is a virtual machine. =)
CPU: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
Installation of FreeBSD
Just a quick tip before get started: When configuring usernames, hostnames, file names and the like – use ONLY lower case. The reason for this is that UNIX differentiate between, e.g., “Filename” and “filename”, whereas Microsoft consider them the same file. And by using only lower cases, you never run into such problems. =)
Now – onto the actual installation:
Fairly straight forward. I myself opted for installing SSH and NTP for remote management and time sync.
Although one thing to keep in mind is using FQDN as your hostname and configuring a DNS-server. RANCID uses sendmail to send you the configuration difference of your devices and sendmail require DNS to function properly.
Locking down any box, especially systems your are somewhat unfamiliar with, might be worthwhile to increase the overall security.
From the resources I’ve used, it seems the appropriate way to configure your ipfw ruleset, is by running a script which is defined in /etc/rc.conf.
Word of advice – before enabling the firewall and messing about, make sure the configuration file (/etc/ipfw.sh) is complete and that you have physical access to the server in case you lock yourself out. =)
Create the /etc/ipfw.sh. I used a sample script and edited for my own purpose. We will edit the file shortly.
chmod 700 /etc/ipfw.sh
Edit rc.conf to enable the FW and to instruct it to run the script
My complete etc/rc.conf now looks like this:
ifconfig_em0=” inet 184.108.40.206 netmask 255.255.255.0″
# Set dumpdev to “AUTO” to enable crash dumps, “NO” to disable
Edit the /etc/ipfw.sh-script with appropriate ruleset. I edited the sample configuration so it looks like this:
root@srv-rancid:/usr/home/rancid # cat /etc/ipfw.sh
# flush existing rules
ipfw -q flush
# allow established connections
ipfw -q add 1 check-state
# allow loopback traffic
ipfw -q add 2 allow all from any to any via lo0
# allow previously established TCP connections
ipfw -q add 3 allow tcp from any to any established
# public services inbound: 22/tcp (SSH)
ipfw -q add 100 set 1 allow tcp from any to 220.127.116.11 22 in setup keep-state
# allow all traffic going out
ipfw -q add 200 set 1 allow udp from 18.104.22.168 to any out keep-state
ipfw -q add 201 set 1 allow tcp from 22.214.171.124 to any out setup keep-state
# allow common ICMP types in and out
ipfw -q add 400 set 1 allow icmp from 126.96.36.199 to any icmptypes 0,3,8,11,12,13,14
ipfw -q add 401 set 1 allow icmp from any to 188.8.131.52 icmptypes 0,3,8,11,12,13,14
# deny everything else coming in
ipfw -q add 999 set 1 deny all from any to any
Handy commmands with regards to IPFW
/etc/rc.d/ipfw restart # Restarts the IPFW and loads the rule set from ipfw.sh
ipfw list # Lists IPFWs ruleset.
My complete ipfw ruleset looks like this:
root@srv-rancid:/usr/home/rancid # ipfw list
00002 allow ip from any to any via lo0
00003 allow tcp from any to any established
00100 allow tcp from any to 184.108.40.206 dst-port 22 in setup keep-state
00200 allow udp from 220.127.116.11 to any out keep-state
00201 allow tcp from 18.104.22.168 to any out setup keep-state
00400 allow icmp from 22.214.171.124 to any icmptypes 0,3,8,11,12,13,14
00401 allow icmp from any to 126.96.36.199 icmptypes 0,3,8,11,12,13,14
00999 deny ip from any to any
65535 deny ip from any to any
Appearantly you can not remove entry 65535 (not by the command ipfw -q flush anyway), so the script will include two rules denying all other traffic than those explicity allowed.
I still feel safer having the drop rule in the script file, rather than leaving it out.
Logging of firewall
Firewall logging is feasible for many installations, but I have choosen not to log anything in order to conserve hardware resources.
To enable firewall logging the /etc/rc.conf also needs the following parameter
Firewall rules with the “log” keyword will be written to syslog.
For more information on the matter I refer to the FreeBSD handbook: http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
Plenty of information for you there. =)
Webmin is a webbased administration tool for unix-like systems. Although not covered here, I found it worthwhile to mention it in case you would like some graphical interface.
A quick google search of freebsd webmin produced several tutorials on the subject. =)
Introduction to RANCID
RANCID is a tool which runs various commands on your network equipment and keeps track of changes using CVS.
Personally I find RANCID very neat for two reasons;
- It provides historical records for changes to the network equipment
- It keeps an up-to-date configuration of your network equipment. And not only that, it also takes down information regarding software versions, hardware information (serial numbers, modules, etc), vlans and more.
Installation of RANCID was, to be honest, dead simple when I followed a guide I found online (see resouces further down) and since the authors steps worked quite brilliantly I’ll more or less repeat them here.
And I will repeat the tip I previously mentioned: When configuring usernames, hostnames, file names and the like – use ONLY lower case. The reason for this is that UNIX differentiate between “Filename” and “filename”, whereas Microsoft consider them the same file. And by using only lower cases, you never run into such problems. =)
Onwards to the steps!
1. Add a new user called rancid and add it to the wheel group. A membership in the wheel group allows you to execute the command “su” and obtain root privileges.
Issue the command and follow onscreen instructions
2. Update your port-collection, which essentially is the make files for various applications.
# portsnap fetch update
3. Install RANCID from the abeforementioned port-collections
# cd /usr/ports/net-mgmt/rancid/
make install clean
The installation did take quite some time for me, as it needed to download a truck load of different files.
During the installation of the different packages I left all choices in default.
4. Copy /usr/local/etc/rancid/rancid.conf.sample to /usr/local/etc/rancid/rancid.conf.
# cp /usr/local/etc/rancid/rancid.conf.sample /usr/local/etc/rancid/rancid.conf
5. Edit rancid.conf. Change and uncomment the following line.
You may choose a more granular approach if you have alot of devices. E.g. CiscoDevicesHQ and CiscoDevicesSateliteoffices.
But I will use one group for all my devices.
6. Login as user “rancid” and create the devices password file
$ touch /home/rancid/.cloginrc
Q: Am I going to store username and passwords in a plain text file?
A: Yes. Take appropriate steps in order to ensure the box is locked down as tight as possible. =)
7. Edit your .cloginrc – This file will include usernames, passwords and login methods for your equipment. I will try to explain how this works using my own file as an example.
$ vi /home/rancid/.cloginrc
add user 188.8.131.52 admin
add user 172.20.1.5 admin
add password 184.108.40.206 MyAdminPASSWORD MyEnablePASSWORD
add password 172.20.1.5 MyAdminPASSWORD MyEnablePASSWORD
add password * MyTelnetPassword MyEnablePassword
add method 220.127.116.11 ssh
add method 172.20.1.5 ssh
add method * telnet
I have a mixture of devices where I require SSH-login to some and telnet to others. In this example you will notice the following:
- I have added a username for two specific devices.
- I have added passwords for two specific devices.
- I have added passwords for all (asterisk) devices.
- I have added SSH as login method for two specific devices.
- I have added telnet as login method for all (asterisk) devices.
This means RANCID will log onto 172.20.1.8 and 172.20.1.5 using SSH with username admin and MyAdminPASSWORD, then getting to enable-mode using password MyEnablePASSWORD.
It also means all other devices will be logged onto using telnet with telnet-password MyTelnetPassword and then getting to enable-mode using password MyEnablePassword.
- The asterisk works as a wildcard, which means I could also write “add method 172.10.1.* ssh” if I wanted SSH as the login method for all switches on this particular network.
- You can also use hostnames rather than IP-addresses. This requires your network equipment to be present in DNS or manually configured in your RANCID servers “/etc/hosts”-file
I hope this was understandable. =)
8. Make the .cloginrc-file writable only by your rancid user
$ chmod 600 /home/rancid/.cloginrc
9. The installation may have created /usr/local/var/rancid/ directory. We want to remove that and re-create it with the user rancid.
In order to enable our rancid-user to create the directory, we will have to change the directory permissions as well
# rm –r /usr/local/var/rancid
# chmod 775 /usr/local/var
$ mkdir /usr/local/var/rancid
10. Now you will create the initial directory structure and then data directories
11. The structure should be in place with the group name you configured in step 5.
$ cd /usr/local/var/rancid/CiscoDevices
12. In this directory you should find a file called router.db – edit this file and enter your network devices.
As you may understand, the first parameter is the device IP/hostname, the second is which device type we are talking about and the third parameter defines wether the device is up or down and should be scanned.
13. Now we will configure some parameters with regards to e-mail – that is if you want the configuration changes sent to you and/or your IT-network e-mail.
Edit /etc/aliases and add your e-mail
# vi /etc/aliases
If you used a different group name (or several for that matter) you need to add those to the file.
14. Assuming you are running FreeBSD in default and therefore using sendmail, you now issue the follow command which moves/convertes/does something with /etc/aliases.
15. Run rancid again – as the user rancid. Do not run rancid as root.
If everything is ok, you should receive an e-mail shortly with configuration changes (which is the whole config as it will be the intial configuration).
Note: Because your rancid server will act as a SMTP-server, an entry for your server needs to be present on your DNS-server. I tried fooling it by editing /etc/hosts and so on, but landed squarely on using DNS rather than a hack.
16. Since everything went smoothly and you received an e-mail and the directories was populated with configuration files, you probably want RANCID to run automatically. Cron will aid you with this.
Configure cron with the rancid-user
$ crontab -e
1 * * * * /usr/local/bin/rancid-run
$ crontab -l
# Run config differ hourly
1 * * * * /usr/local/bin/rancid-run
I run RANCID hourly (note the 1 means one minute past every hour 22:01, 23:01) – you will only receive e-mail if there is a configuration change, so your inbox won’t be cluttered by RANCID. =)
Directories and files of particular interest
“CiscoDevices” is a parameter during installation, so if you use a different group name when configuring RANCID, the directory will also change accordingly.
# The flatfile where you enter the IP/hostname of network equipment you wish to backup
# Your network equipments initial configuration and subsequent changes
# Current configuration of your network equipment
# RANCID Log files
# Log file – sendmail
# Log file – cron
# Manually run RANCID
Guide to installing and configuring RANCID by Bruco: http://uberbruco.wordpress.com/2009/07/09/rancid-on-freebsd/
RANCID home page: http://www.shrubbery.net/rancid/
Hope this guide helps you getting started with your RANCID-installation!