• IPAM Freeware Download – "This IP address management freeware is a complete solution with the complete feature set of the Infoblox IP address manager, including Smart Folders, Network Map (with subnet management) and leading IPv6 capabilities."
• Failover with ISC DHCP – "Starting with version 3.0, the ISC DHCP server offered failover capabilities that allow network administrators to offer a more robust DHCP service. A failover setup requires a little care, but it’s fairly straightforward to implement."
• ratproxy – Project Hosting on Google Code – "A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."
• BigAdmin Feature Article: Patching Best Practices for the Solaris 10 OS (With Sam the Sysadmin) – "This Solaris 10 Patching Best Practices Course Reference Guide is a supplement to the web-based training course WS-2700-S10: Solaris 10 Patching Best Practices. The guide presents the key concepts of the course but it does not contain all the content presented in the course itself. The guide is intended to be used as a reference and refresher after having completed the online course."
• vCenter Client Shortcuts – Keyboard shortcuts for the VMware vCenter (formerly Virtual Infrastructure) Client.
• DMZ Virtualization with VMware Infrastructure – "As virtualization of network DMZs becomes more common, demand is increasing for information to help network security professionals understand and mitigate the risks associated with this practice. This paper provides detailed descriptions of three different virtualized DMZ configurations and identifies best practice approaches that enable secure deployment."

# spamdb | grep WHITE | egrep '\|69\.6\.' | \
cut -f 2 -d '|' | xargs -L 1 spamdb -d

sudo pfctl -n -f /etc/pf.conf
sudo pfctl -n -v -f /etc/pf.conf

The second pfctl command displays the rules you’ve created; however, it can be easy to miss a syntax error warning in the verbosity – the first command will make it easy to spot those.

You can test the ruleset by having a second, completely open firewall ruleset that you can revert to called pf.conf-open containing just:

pass all

Then do the following, as root:

pfctl -f /etc/pf.conf; sleep 90; pfctl -f /etc/pf-open.conf

When you’re ready to reload the ruleset permanently, use the FreeBSD start/stop script:

sudo /etc/rc.d/pf reload

Running a chrooted BIND server within a FreeBSD jail requires mounting its devfs outside of the jail; this document provides an RCng start stop script to do that.

Attempting to start BIND using the stock RCng script in a FreeBSD jail results in the following error:

> sudo /etc/rc.d/named start
mount_devfs: Operation not permitted
/etc/rc.d/named: WARNING: devfs_domount(): Unable to mount devfs on /var/named/dev
devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted
devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted
Starting named.

The reason for this is that you are unable to mount and manipulate the devfs for the chroot within the jail itself; it must be done in the parent of the jail. To do this at boot, the script below can be used.

#!/bin/sh

# PROVIDE: jailedchrootdevfs
# REQUIRE: rcconf mountcritremote
# BEFORE: jail
# KEYWORD: nojail

. /etc/rc.subr

name="jailed-chroot-devfs"
start_cmd='start'
stop_cmd=':'
#rc_debug=1

jailed_named_chrootdir='/u1/jail/192.168.1.234/var/named'
start()
{
umount ${jailed_named_chrootdir}/dev 2>/dev/null
devfs_domount ${jailed_named_chrootdir}/dev devfsrules_hide_all
devfs -m ${jailed_named_chrootdir}/dev rule apply path null unhide
devfs -m ${jailed_named_chrootdir}/dev rule apply path random unhide
}

load_rc_config $name
run_rc_command "$1"

Next, within the jail, edit /etc/rc.d/named to comment out the equivalent lines to those above, found within the chroot_autoupdate() function:

*** named Thu Feb 23 12:34:41 2006
--- ../../../../../etc/rc.d/named Thu Nov 3 00:12:06 2005
***************
*** 58,67 ****

# Mount a devfs in the chroot directory if needed
#
! #umount ${named_chrootdir}/dev 2>/dev/null
! #devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
! #devfs -m ${named_chrootdir}/dev rule apply path null unhide
! #devfs -m ${named_chrootdir}/dev rule apply path random unhide

# Copy local timezone information if it is not up to date.
#
--- 58,67 ----

# Mount a devfs in the chroot directory if needed
#
! umount ${named_chrootdir}/dev 2>/dev/null
! devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
! devfs -m ${named_chrootdir}/dev rule apply path null unhide
! devfs -m ${named_chrootdir}/dev rule apply path random unhide

# Copy local timezone information if it is not up to date.
#

Notes on the RCng script:

• Specifiying that the RCng script run BEFORE: jail ensures that the directory is mounted before the jail starts up, and starts its BIND process.
• The devfs commands in start() are adapted from the /etc/rc.d/namedscript.
• /etc/rc.subr contains the devfs_domount subroutine; load_rc_config $name is required to load the devfs variables it needs to work.

Other notes:

• You will need to set the security.jail.allow_raw_sockets sysctl to 1 to allow named to open a UDP socket.