Upgrading netbox 3.0.7 -> 3.0.10 on OpenBSD 7.0

This is more a personal reminder than anything else. Also this expects an installation following this guide.

  • stop netbox: rcctl stop netbox
  • upgrade source: cd /var/www/netbox && git pull
  • checkout 3.0.10: git checkout v3.0.10
  • adjust upgrade.sh:
    diff --git a/upgrade.sh b/upgrade.sh
    index 67b8aaa89..0d694daf3 100755
    --- a/upgrade.sh
    +++ b/upgrade.sh
    @@ -7,7 +7,7 @@
     # Python 3.7 or later.
     #  
     #   cd "$(dirname "$0")"
     #   -VIRTUALENV="$(pwd -P)/venv"
     #   +VIRTUALENV="$(pwd -P)/env"
     #    PYTHON="${PYTHON:-python3}"
     #     
     #      # Remove the existing virtual environment (if any)
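Review bot: the path change in -VIRTUALENV="$(pwd -P)/venv" / +VIRTUALENV="$(pwd -P)/env" edits a file tracked by git, so the "git pull" and "git checkout" steps of the next upgrade will stop on a dirty or conflicting upgrade.sh. Make the override settable from outside the way the next context line already does for the interpreter, i.e. VIRTUALENV="${VIRTUALENV:-$(pwd -P)/venv}" with VIRTUALENV exported before running the script, or keep this edit as a patch file that is reapplied after each checkout instead of an in-place modification.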
     #      @@ -20,7 +20,7 @@ else
     #       fi
     #        
     #         # Create a new virtual environment
     #         -COMMAND="${PYTHON} -m venv ${VIRTUALENV}"
     #         +COMMAND="virtualenv --system-site-packages ${VIRTUALENV}"
     #          echo "Creating a new virtual environment at ${VIRTUALENV}..."
     #           eval $COMMAND || {
     #              echo "--------------------------------------------------------------------"
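Review bot: the new COMMAND="virtualenv --system-site-packages ${VIRTUALENV}" no longer references ${PYTHON}, so the PYTHON="${PYTHON:-python3}" override shown in the first hunk (and the comment above it that documents it) has no effect on which interpreter the environment is created with; pass it through, e.g. virtualenv -p "${PYTHON}" --system-site-packages ${VIRTUALENV}. A short comment in the script saying why --system-site-packages is wanted here would also help, since it makes the base system's Python packages visible inside the environment and therefore changes what the rest of upgrade.sh installs against.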
    
  • run upgrade script: bash upgrade.sh
  • start the service: rcctl start netbox

netbox 3.0.7 on OpenBSD 7

Ever since dywis0r made me aware of netbox I had been planning on getting my hands dirty with it. But only after watching loads of videos on the topic and after being `forced’ to use it at work have I been able to finally get enough momentum going to start the journey for myself.

At the beginning of it lay another topic I had been successfully procrastinating on for a very long time: a sufficiently detailed network diagram which was both useful and pleasing to the eye. Being especially interested in isometric network diagrams I started working on that very foundation for better documentation of my home network. A journey which led me down a rabbit hole, at the bottom of which I found inkscape to be the best tool available for my different needs. It’s not the most effective tool for drawing a network diagram, but I had a nice result after a steep learning curve. But this is another story.

Back to the topic at hand. After drawing the diagram and cleaning up my network from countless redesigns, which had left artifacts of me learning and labbing at home, I started working on netbox. After some further research I found what I think to be a good starting point over at Jasper’s blog. I used it as a skeleton but wanted to

  1. use relayd(8) instead of nginx for redirecting static content elsewhere
  2. use httpd(8) instead of nginx to serve static content
  3. use rc(8) instead of supervisord

largely because the software was already lying around and the target system already had httpd running. The architecture will more or less look like this:

[Figure: architecture overview, netbox running with httpd and relayd]

Other than that you get the same as with Jasper’s setup:

The following documents the steps needed to set up NetBox on OpenBSD. I am running NetBox on a PC Engines APU which holds up fairly well and I have since migrated my own setup from RackTables to NetBox, primarily because of the API functionality NetBox offers which allows for integration with SaltStack. But more on that some other …

Open Source Threat Intelligence And Makeshift RPZ with Unbound

Update: Added some remarks about what DNS RPZ actually is, what my objective is and what the outcome will be.

A friend of mine and I tried to play w/ RPZ and knot yesterday and gravely failed. The fact that both knot and RPZ were new to us didn’t help. Discussing the failure later that night I remembered that I was already doing something similar at home for adblocking at the DNS level instead of in every application on every client. In some way this is also DNS RPZ.

DNS RPZ is something that could be described as DNS firewalling and is described by Wikipedia as follows:

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is “DNS firewall”.

My main objective is to block ad networks and malware sites (e.g. command and control) on the DNS level for all devices without them having to install adblockers or the like. So if someone tries to access a blacklisted site, say domain.tld, the client will get NXDOMAIN as an answer instead of the real IP address. As I can’t keep up with the domains myself I also want to leverage some of the OSINT feeds available. Currently I have roughly 16k domains blacklisted.

So today I was incorporating some of my OSINT and PF work into my DNS setup at home. Just as a quick primer: I am using OpenBSD as the OS, unbound(8) as recursor and rcs(1) for local and simple version control. Nothing mentioned here is specific to OpenBSD besides the ftp(1) command that I use to fetch the feeds and the location of the files.

Setting up unbound

Setup is pretty simple, just add the following line to /var/unbound/etc/unbound.conf within the server: section of the file:

include: /var/unbound/zones/rpz

Then set up /var/unbound/zones/rpz w/ additional includes, e.g.

include: …
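Added example, not the post's own configuration: one way to produce the contents of such an included file from a blocklist feed. It assumes unbound's local-zone statement with the always_nxdomain type, which is what makes the client receive NXDOMAIN for the name and everything below it; the feed text and the output path are constructed, and the ftp(1) fetch the post uses is left out so the script runs offline.

```shell
#!/bin/sh
# Added example, not the post's own code: build an include file for the
# "include: /var/unbound/zones/rpz" chain from a blocklist feed. Each domain
# becomes a local-zone that answers NXDOMAIN (type always_nxdomain).

# Constructed sample feed with the noise real feeds carry: comments, blank
# lines, hosts-file style prefixes, mixed case, a trailing dot and a duplicate.
SAMPLE_FEED='# constructed sample, not a real feed
0.0.0.0 Ads.Example.test
127.0.0.1 tracker.example.test.

malware-c2.example.test
# duplicate on purpose
ads.example.test
'

# normalize_feed: feed text on stdin -> one lowercase domain per line.
# Strips comments, a leading hosts-file address, trailing whitespace and dots,
# keeps only plausible multi-label names and removes duplicates.
normalize_feed() {
    sed -e 's/#.*//' \
        -e 's/^[0-9.]*[[:space:]][[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/\.$//' |
    tr 'A-Z' 'a-z' |
    grep -E '^([a-z0-9-]+\.)+[a-z0-9-]+$' |
    sort -u
}

# to_local_zones: wrap each domain in an unbound(8) local-zone statement.
# always_nxdomain answers NXDOMAIN for the name and every name below it.
to_local_zones() {
    normalize_feed | sed 's/.*/local-zone: "&" always_nxdomain/'
}

# rpz_from_feed FILE: write the generated statements to FILE, which is then
# listed in /var/unbound/zones/rpz via "include:". The path is an assumption.
rpz_from_feed() {
    printf '%s' "$SAMPLE_FEED" | to_local_zones > "$1"
}

# Stand-alone usage: ./rpz.sh /var/unbound/zones/rpz.d/sample
# On a real host run unbound-checkconf afterwards and reload unbound.
if [ -n "$1" ]; then
    rpz_from_feed "$1"
fi
```

With the sample above the file ends up holding three local-zone lines (ads, malware-c2 and tracker under example.test); the duplicate and the comment lines are dropped, the trailing dot and mixed case are normalized.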

My take on a network manager

There’s one thing that I am really missing under OpenBSD: a network manager which seamlessly handles running around with my laptop. So my main itches to scratch are doing the magic things at boot and on resume so I never have to bother with fiddling with hostname.if(5).

My first take on tackling that problem actually worked OK-ish but depended on sqlite3, and after sqlite3 left base the solution started to annoy me every time I moved to a current snapshot and sqlite3 stopped working or was unavailable from within bsd.rd.

So I started to look around what other people did to get rid of those problems which led me to netctl. I like that netctl is nothing but a shell script. I dislike that it didn’t work at boot time.

As my first take already worked at boot time, reducing my hostname.if(5) to only 2 lines:

up
!/etc/netmanager $if

I decided to rewrite the script, reusing chunks of netstart(8) in order to keep the file format well-known. /etc/netmanager basically searches below /etc/hostname.d for a file matching the given – or autodetected – network ID to connect to. So without further ado, here it is:

#!/bin/sh -

# parse_hn_line() and ifstart() are taken from /etc/netstart revision 1.195 with
# some small additions (basically addition of $_nwid and the removal of unneeded routines)

set +o sh

usage() {
	cat <<EOF >&2
usage: /etc/netmanager [<nwid>] <if>
	<nwid>	network to connect to
	<if>	interface to connect

netmanager searches for <nwid>.nwid in /etc/hostname.d, parses the file and
feeds ifconfig(8) accordingly. <nwid>.nwid has the same format as hostname.if(5).

If no <nwid> has been given netmanager issues a scan for access points and
searches for a matching <nwid>.nwid file.
EOF
	exit 2
}

# Parse and "unpack" a hostname.if(5) line given as positional parameters.
# Fill the _cmds array with the resulting interface configuration commands. …
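Added example, not the post's /etc/netmanager: the autodetection step described above, done in shell, matching scan results against the <nwid>.nwid profiles in a hostname.d-style directory and preferring the strongest network that has a profile. The scan lines are constructed to resemble ifconfig(8) scan output and the exact field layout is an assumption; quoted nwids containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not the post's /etc/netmanager: choose the <nwid>.nwid
# profile for the strongest visible network that has one. The scan lines are
# constructed to resemble "ifconfig iwm0 scan" output; the exact field layout
# on a real system is an assumption.

SAMPLE_SCAN='    nwid CoffeeShop chan 6 bssid 00:11:22:33:44:55 -71dBm HT-MCS7 short_preamble,wpa2
    nwid HomeNet chan 11 bssid 66:77:88:99:aa:bb -48dBm HT-MCS15 privacy,wpa2
    nwid Neighbour chan 1 bssid cc:dd:ee:ff:00:11 -90dBm HT-MCS7 privacy,wpa2
    nwid NoSignalField chan 3 bssid 22:33:44:55:66:77 HT-MCS7 privacy,wpa2
'

# scan_nwids: scan lines on stdin -> "<dBm> <nwid>" lines, strongest first.
# dBm values are negative, so a numeric descending sort puts -48 above -71.
# Lines without a dBm field are skipped; quoted nwids with spaces are not handled.
scan_nwids() {
    awk '{
        nwid = ""; dbm = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "nwid") nwid = $(i + 1)
            if ($i ~ /^-?[0-9]+dBm$/) { dbm = $i; sub(/dBm$/, "", dbm) }
        }
        if (nwid != "" && dbm != "") print dbm, nwid
    }' | sort -rn
}

# pick_profile DIR: print DIR/<nwid>.nwid for the strongest visible network
# that has a profile; prints nothing when none of the visible networks is known.
pick_profile() {
    dir=$1
    printf '%s' "$SAMPLE_SCAN" | scan_nwids | while read -r dbm nwid; do
        if [ -f "$dir/$nwid.nwid" ]; then
            printf '%s\n' "$dir/$nwid.nwid"
            break
        fi
    done
}

# Stand-alone usage, the place where the post's "!/etc/netmanager $if" hook
# would continue by parsing the chosen file and feeding ifconfig(8):
#   ./pick.sh /etc/hostname.d
if [ -n "$1" ]; then
    pick_profile "$1"
fi
```

With profiles for HomeNet and CoffeeShop present, HomeNet (-48 dBm) is chosen; remove it and CoffeeShop (-71 dBm) is next; with no matching profile the function prints nothing, which is the case a caller has to check before touching the interface.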

Open Source Threat Intelligence and pf(4)

I came up with the idea to utilize Open Source Threat Feeds, or OSINT, on my private setup and quickly cooked up the shell script below as a rough first try. The funny thing is that I more or less instantly got hits from the 5346 IP addresses in the table:

@0 block drop log quick from <pf_osint:5346> to any
  [ Evaluations: 502       Packets: 20        Bytes: 800         States: 0     ]
  [ Inserted: uid 0 pid 68515 State Creations: 0     ]

🧐. The script is currently designed to run every 3 hours and to remove all IP addresses from the table a day after they had been added. I am not too happy about some of the parts right now, first of all: I’d like to separate download and parsing out to a non-privileged process and feed one large chunk of data to pfctl(8).

This will give me the flexibility to replace the table with the new values so I can act fast not only on additions but also on deletions from the list. No need to keep somebody out longer than necessary.

Not sure yet how to tackle the first part. A shell script would be easier and faster to create. Privsep could be handled by doas for the part needing higher privileges, allowing me to handle everything in a single script.

But as a start I am going to keep the script as is and see how it’s going to work out for me. So without further ado, here’s the script:

#!/bin/sh
# Fetch each feed, keep only lines that look like a dotted quad and add them
# to the pf_osint table. ftp(1) is OpenBSD's fetcher: -V quiet, -M no progress
# meter, -o- write to stdout.
printf "zeustracker.abuse.ch badips "
ftp -VMo- https://zeustracker.abuse.ch/blocklist.php?download=badips | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

printf "feodotracker.abuse.ch ipblocklist "
ftp -VMo- https://feodotracker.abuse.ch/blocklist/?download=ipblocklist | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

printf "ransomwaretracker.abuse.ch "
# The CSV feed carries URLs, so match the address inside the line.
# Octets are [0-9], not [1-9]: the latter silently drops every address with a 0.
ftp -VMo- https://ransomwaretracker.abuse.ch/feeds/csv/ | \
        egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}[^/"]*' | \
        tr '|' …
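Added example, not the post's script: a sketch in shell of the privilege-separated design the post describes above. The unprivileged step validates and de-duplicates the feeds into one file, and the only privileged step replaces the whole table with that file, so entries dropped upstream disappear on the next run. The feed text is constructed; doas(1) and the pf_osint table name are taken from the post, the file path and function names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script: the privilege-separated layout the
# post sketches. build_table runs unprivileged and only produces a validated
# address list; load_table is the single privileged step and replaces the
# whole table, so entries dropped upstream disappear on the next run.
# The feed text is constructed; doas(1) and the pf_osint table come from the post.

SAMPLE_FEED='# constructed feed, not real threat intel
192.0.2.10
198.51.100.0/24
203.0.113.7 | some-label
999.1.1.1
10.0.0.1.extra
not an address
203.0.113.7
'

# valid_ipv4: pass only dotted quads with octets 0-255 and an optional /0-32
# prefix. Stricter than ^([0-9]{1,3}\.){3}[0-9]{1,3}$, which lets 999.1.1.1
# through and makes pfctl reject the whole input.
valid_ipv4() {
    awk -F/ '
    NF > 2 { next }
    {
        n = split($1, o, ".")
        if (n != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        if (NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32)) next
        print $0
    }'
}

# normalize_feed: strip comments and trailing labels, validate, de-duplicate.
normalize_feed() {
    sed -e 's/#.*//' -e 's/[[:space:]].*//' | grep -v '^$' | valid_ipv4 | sort -u
}

# build_table FILE: unprivileged step. On a real host each feed is fetched
# here with "ftp -VMo- URL | normalize_feed"; the sample stands in for that.
build_table() {
    printf '%s' "$SAMPLE_FEED" | normalize_feed > "$1"
}

# load_table FILE: privileged step. "-T replace" swaps the table contents in
# one go, which repeated "-T add" runs never do for removed entries.
load_table() {
    doas pfctl -t pf_osint -T replace -f "$1"
}

# Stand-alone usage from cron: ./osint-table.sh /var/db/pf_osint.txt
if [ -n "$1" ]; then
    build_table "$1" && load_table "$1"
fi
```

For the sample feed the file contains exactly 192.0.2.10, 198.51.100.0/24 and 203.0.113.7: the label after the pipe, the duplicate, the out-of-range octet, the five-part address and the free text are all gone before anything runs with privileges. The doas rule only needs to allow pfctl with a fixed table name and file, which keeps the privileged surface to that one command.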