Last modified by Yu Pang Law on 2022/12/14 10:31

Reference for past research

Jan 24 2023

Compiling Custom Kernel

  1. Update FreeBSD to the latest patch level
    freebsd-update fetch
    freebsd-update install
  2. Install git
    pkg install git
  3. Fetch the source tree
    git clone -o freebsd https://git.FreeBSD.org/src.git /usr/src
    cd /usr/src
    git checkout stable/13
  4. Prepare the custom kernel config file
    mkdir /root/kernels
    cd /usr/src/sys/amd64/conf
    cp GENERIC /root/kernels/MYKERNEL
    ln -s /root/kernels/MYKERNEL

    The config file location depends on your CPU architecture. For the usual Intel/AMD 64-bit CPUs it is amd64.

  5. Add/remove options in the MYKERNEL file
  6. Compile and install MYKERNEL, then reboot
    cd /usr/src
    make buildkernel KERNCONF=MYKERNEL
    make installkernel KERNCONF=MYKERNEL
  7. Check that MYKERNEL is installed correctly
    uname -a
    If it is, the output includes MYKERNEL

Jan 02 2023

Configuring Unbound for whole network

  1. Install and configure unbound as usual. For a basic remote-resolver setup, see "unbound remote resolver setup".
  2. Install bgpq4
  3. Generate the access-control list for your AS or AS-SET from the IRR
    bgpq4 -4A -F 'access-control: %n/%l allow\n' AS-SET > /usr/local/etc/unbound/prefix.txt
    (-h takes a host[:port] argument and selects a specific IRR server; leave it out to use the default)
  4. Edit unbound.conf and, under server:, add
    include: /usr/local/etc/unbound/prefix.txt
  5. Set up a cron job to update the prefix list and restart unbound periodically
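A cron job for step 5 should never install a list it has not checked: if the IRR query fails, bgpq4 leaves an empty or truncated file, and an empty access-control list silently locks out every client. The script below is an added example, not part of these notes; it assumes the paths used above, a placeholder AS_SET, and the ports version of Unbound started via service(8).

```sh
#!/bin/sh
# Added example, not from the notes: cron job that regenerates Unbound's
# prefix.txt from the IRR and restarts Unbound only when the new list is
# well-formed and has actually changed. Paths follow the notes; AS_SET is a
# placeholder for your own AS or AS-SET.
set -eu

AS_SET="${AS_SET:-AS-EXAMPLE}"
PREFIX_FILE=/usr/local/etc/unbound/prefix.txt
NEW_FILE="$PREFIX_FILE.new"

# Accept a generated list only if it is non-empty and every line is a
# well-formed "access-control: <ipv4>/<len> allow" entry. A failed IRR
# query leaves an empty or truncated file; installing it would silently
# drop your own clients, so it is refused. Returns 0 = valid, 1 = invalid.
validate_prefix_file() {
    [ -s "$1" ] || return 1
    ! grep -Evq '^access-control: ([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2} allow$' "$1"
}

update_prefixes() {
    bgpq4 -4A -F 'access-control: %n/%l allow\n' "$AS_SET" > "$NEW_FILE"
    if ! validate_prefix_file "$NEW_FILE"; then
        echo "refusing to install malformed prefix list $NEW_FILE" >&2
        rm -f "$NEW_FILE"
        return 1
    fi
    # Nothing to do if the IRR data is unchanged since the last run.
    if [ -f "$PREFIX_FILE" ] && cmp -s "$NEW_FILE" "$PREFIX_FILE"; then
        rm -f "$NEW_FILE"
        return 0
    fi
    [ -f "$PREFIX_FILE" ] && cp -p "$PREFIX_FILE" "$PREFIX_FILE.bak"
    mv "$NEW_FILE" "$PREFIX_FILE"
    # Check the whole configuration before restarting; roll the include back
    # if it does not parse, so a bad list cannot leave the resolver down.
    if ! unbound-checkconf; then
        [ -f "$PREFIX_FILE.bak" ] && mv "$PREFIX_FILE.bak" "$PREFIX_FILE"
        return 1
    fi
    service unbound restart
}

# Invoke from cron as: /usr/local/sbin/update-unbound-prefixes.sh run
case "${1:-}" in
    run) update_prefixes ;;
esac
```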

CloudFlare Add new domain (DNS only)

  1. Log in to the CloudFlare account and click "Add a Site"
  2. Enter the domain name and click "Add Site"
  3. Select "Free", then click "Continue"
  4. Wait for the "Quick Scan" to complete
  5. Delete the unused DNS records, confirm the DNS records are correct, and turn off the proxy status. Then click "Continue"
    Note the * in a DNS record: it stands for all subdomains
  6. Record the CloudFlare "nameservers". Then click "Done, check nameservers"
  7. Click "Finish later"

Dec 14 2022

Drupal Update with Drush

  1. cd to the Drupal installation directory
  2. Back up Drupal
    drush archive-dump
  3. Check for Drupal updates and get the list of modules that have an update
    drush ups
  4. Set the Drupal website to maintenance mode
    drush sset system.maintenance_mode 1
  5. Clear the Drupal cache
    drush cr
  6. Update Drupal and press "Y" when asked
    drush up drupal
  7. Update the Drupal database
    drush updb
  8. Update the Drupal modules
    drush up XXXX XXXX
    where XXXX is the module name (the string inside the brackets in step 3)

  9. Set the Drupal website back to live mode
    drush sset system.maintenance_mode 0
  10. Clear the Drupal cache again
    drush cr

Dec 14 2022

Running Custom php script within Drupal Directory

By default, Drupal does not allow any other PHP script inside the Drupal directory to run. It returns "403 Forbidden" if anybody tries to access such a PHP script.

To bypass this constraint, we need to add 2 lines to .htaccess, which is in the Drupal root directory.

  1. Open .htaccess with a text editor
  2. Find the section below:
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !=/favicon.ico
    RewriteRule ^ index.php [L]

    Before the RewriteRule, add
    RewriteCond %{REQUEST_URI} !script
    where "script" is the directory name or file name of your custom php script.

  3. Find the section below:
    RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
    RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php
    RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
    RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F]

    Before the RewriteRule, add
    RewriteCond %{REQUEST_URI} !script
    where "script" is the directory name or file name of your custom php script.

  4. Save the file and exit.

  5. You will need to add the lines back every time you upgrade Drupal.

What do the changes mean?

A RewriteCond is a condition that must hold for the following RewriteRule to execute.

So, by adding "RewriteCond %{REQUEST_URI} !script", we add a condition that tells the web server to skip the rule if the URI contains the string "script". The "script" directory or file is then no longer handled by Drupal: it is neither routed to index.php nor blocked with 403.

See how it works:

(diagram not reproduced; it marks the "script" path as "not Drupal anymore")
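The "!script" condition is an unanchored regular expression, so it also exempts any other URI that merely contains that substring (a file named script.php under sites/default/files, a javascript/ module directory), not only your script directory. The sh model below is an added example, not part of these notes: it replays the RewriteCond chain of the second block with grep -E standing in for Apache's PCRE and lists which constructed sample URIs each form of the condition exempts from the 403 rule.

```sh
#!/bin/sh
# Added example, not from the notes: replay Drupal's second .htaccess block
# (the "[F]" rule) against sample URIs to see what a RewriteCond exempts.
# grep -E stands in for Apache's PCRE; the patterns here are plain enough
# that both engines agree.
set -eu

# Evaluate one "RewriteCond %{REQUEST_URI} <cond>" against a URI.
# mod_rewrite does an unanchored, case-sensitive regex search; "!" negates.
cond_matches() {   # $1 = request URI, $2 = condition pattern
    case "$2" in
        !*) ! printf '%s\n' "$1" | grep -Eq -- "${2#!}" ;;
        *)  printf '%s\n' "$1" | grep -Eq -- "$2" ;;
    esac
}

# Returns 0 when the block answers 403 for a direct .php request to $1.
# $2 (optional) is an extra condition such as the "!script" line the notes add.
php_request_forbidden() {
    for cond in '!/core/[^/]*\.php$' \
                '!/core/modules/system/tests/https?.php' \
                '!/core/modules/statistics/statistics.php$' \
                "${2:-}"; do
        [ -n "$cond" ] || continue
        # Every condition must hold, otherwise the rule is skipped.
        cond_matches "$1" "$cond" || return 1
    done
    printf '%s\n' "$1" | grep -Eq '^(.+/.*|autoload)\.php($|/)'
}

# Print the sample URIs (constructed for this example) that stop being
# forbidden once the condition $1 is added before the RewriteRule.
exempted_by() {
    for uri in /script/report.php /script/sub/tool.php \
               /sites/default/files/script.php \
               /modules/custom/javascript/run.php \
               /descriptor/x.php /index.php; do
        if php_request_forbidden "$uri" && ! php_request_forbidden "$uri" "$1"; then
            printf '%s\n' "$uri"
        fi
    done
}

# Usage: compare the notes' unanchored form with an anchored one.
echo '--- exempted by "!script":';    exempted_by '!script'
echo '--- exempted by "!^/script/":'; exempted_by '!^/script/'
```

Anchoring the condition to the intended path, as in "RewriteCond %{REQUEST_URI} !^/script/", limits the exemption to that directory; the unanchored form also exempts /sites/default/files/script.php, /modules/custom/javascript/run.php and /descriptor/x.php.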

Dec 14 2022

Cacti Graph no data randomly for some graphs

The Data Collector reaches its maximum run time (the polling interval), so the remaining SNMP data is not collected. To fix it:

1. Use spine instead of cmd.php

2. Increase the "Processes" and "Threads" settings under "Data Collection" --> "Data Collectors"

Recommended settings:

"Processes" = 2 * number of cores available

"Threads" = 10 - 15

Dec 14 2022

Common Fastnetmon Command

  commit
    Apply the changes
  show hostgroup <name>
    List hostgroup <name>; if <name> is omitted, list all available hostgroups
  set hostgroup <name> ban_for_bandwidth <enable/disable>
    Enable/disable IP blackholing for hostgroup <name>
  set hostgroup <name> networks <XXX.XXX.XXX.0/XX>
    Add an IP prefix to hostgroup <name>
  set hostgroup <name> threshold XXX
    Set the bandwidth threshold for hostgroup <name>
  show blackhole <XXX.XXX.XXX.XXX>
    List blackhole <XXX.XXX.XXX.XXX>; if no IP is given, list all blackholed IPs
  set blackhole <XXX.XXX.XXX.XXX>
    Manually blackhole an IP
  delete blackhole <ID-string>
    Delete a blackhole by its blackhole ID; the ID can be found with "show blackhole"
  show ip_hostgroup <XXX.XXX.XXX.XXX>
    Find the hostgroup that the IP belongs to

  set bgp <bgp_name>
  set bgp <bgp_name> local_asn <XXXXX>
  set bgp <bgp_name> remote_as <XXXXX>
  set bgp <bgp_name> local_address <XXXXX>
  set bgp <bgp_name> remote_address <XXXXX>
  set bgp <bgp_name> multihop <enable/disable>
  set bgp <bgp_name> ipv4_unicast <enable/disable>
  set bgp <bgp_name> active <enable/disable>
    Add a new BGP session. It can be used to advertise blackholes and also to receive routes.

Dec 14 2022

Using FreeRadius for Supermicro IPMI

  1. Create a new FreeRadius virtual site for the Supermicro IPMI (without enabling SQL support); for the virtual site steps see "FreeRadius enable Virtual site with SQL" below, skipping the SQL parts
  2. Edit /usr/local/etc/raddb/dictionary and add a new attribute
    ATTRIBUTE IPMI-radius  26 octets
  3. Edit /usr/local/etc/raddb/policy.d/foo and add
    foo {
         update reply {
           # Vendor-Specific = "H=4"
           &Attr-26 = 0x483D34
         }
    }

    0x483D34 is the hex encoding of the string "H=4"

    If you need another permission level (e.g. H=3), encode that string as hex in the same way.

  4. Edit /usr/local/etc/raddb/users and add the following user
    ipmiAdmin Cleartext-Password := "Any-password"
              IPMI-radius += "0x483d34"

    You can change the user name (ipmiAdmin) and the authorization level.
  5. Restart FreeRadius
  6. Log in to the Supermicro IPMI and enable Radius support.

Dec 14 2022

Install OpenVPN on FreeBSD system

  1. Update the ports collection
    portsnap fetch update
    If it is the first time:
    portsnap fetch extract
  2. Install OpenSSL
    cd /usr/ports/security/openssl
    make install clean
  3. Edit /etc/make.conf and add
  4. Install easy-rsa and OpenVPN
    cd /usr/ports/security/easy-rsa
    make install clean
    cd /usr/ports/security/openvpn
    make install clean
  5. Create the configuration directories and copy the sample configuration files
    mkdir -p /usr/local/etc/openvpn/easy-rsa
    mkdir /usr/local/etc/openvpn/server
    cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
    cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
  6. Edit /usr/local/etc/openvpn/easy-rsa/vars and set your certificate details
    set_var EASYRSA_REQ_COUNTRY     "HK"
    set_var EASYRSA_REQ_PROVINCE    "Kowloon"
    set_var EASYRSA_REQ_CITY        "San Po Kong"
    set_var EASYRSA_REQ_ORG         "Laws Cloud Infrastructure Limited"
    set_var EASYRSA_REQ_EMAIL       ""
    set_var EASYRSA_REQ_OU          "VPN Department"
    set_var EASYRSA_KEY_SIZE 2048
    set_var EASYRSA_CA_EXPIRE 3650
    set_var EASYRSA_CERT_EXPIRE 3650
  7. Initialize the PKI
    cd /usr/local/etc/openvpn/easy-rsa
    sh ./easyrsa.real init-pki
  8. Build the CA, the server and client certificates and keys, the DH parameters and the tls-auth key
    sh ./easyrsa.real build-ca
    sh ./easyrsa.real build-server-full server nopass
    sh ./easyrsa.real build-client-full client nopass
    sh ./easyrsa.real gen-dh
    openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
    cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
  9. Edit /usr/local/etc/openvpn/server/server.conf
    port 1194
    proto udp
    dev tun
    ca /usr/local/etc/openvpn/server/ca.crt
    cert /usr/local/etc/openvpn/server/issued/server.crt
    key /usr/local/etc/openvpn/server/private/server.key  # This file should be kept secret
    dh /usr/local/etc/openvpn/server/dh.pem
    topology subnet
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS <primary-dns-ip>"
    push "dhcp-option DNS <secondary-dns-ip>"
    keepalive 10 120
    tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
    cipher AES-256-CBC
    compress lz4-v2
    push "compress lz4-v2"
    max-clients 100
    user nobody
    group nobody
    status /var/log/openvpn/openvpn-status.log
    log-append  /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1
    auth sha512
    remote-cert-tls client
  10. Create the log directory
    mkdir /var/log/openvpn/
  11. Edit /etc/rc.conf and enable OpenVPN and NAT
    natd_flags="-dynamic -m"

    **em1 is the outgoing network adapter. If you are not sure, check the line that binds your IP:
    ifconfig_em1="inet <your-ip> netmask <your-netmask>"
    The network adapter name is the string after ifconfig_ (and before =)
  12. Set up the client ovpn profile (the certificates and the ta.key are embedded inline, so no separate ca/cert/key/tls-auth file lines are needed)
    dev tun
    proto udp
    remote IP-address-of-your-VPN 1194
    resolv-retry infinite
    dhcp-option DNS <dns-ip>
    user nobody
    group nogroup
    verb 3
    auth SHA512
    remote-cert-tls server
    key-direction 1
    <ca>
    content of /usr/local/etc/openvpn/server/ca.crt
    </ca>
    <cert>
    content of /usr/local/etc/openvpn/server/issued/client.crt
    </cert>
    <key>
    content of /usr/local/etc/openvpn/server/private/client.key
    </key>
    <tls-auth>
    content of /usr/local/etc/openvpn/server/ta.key
    </tls-auth>

Optional: enable Radius authentication

  1. Install the OpenVPN Radius plugin
    cd /usr/ports/security/openvpn-auth-radius
    make install clean
  2. Copy the sample plugin configuration to the OpenVPN configuration directory
    cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server
  3. Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set it to the path of the OpenVPN server configuration file;
    then, at the bottom, find server { and change the ports, IP address and secret phrase:
     # The UDP port for radius accounting.
     # The UDP port for radius authentication.
     # The name or ip address of the radius server.
     # How many times should the plugin send the if there is no response?
     # How long should the plugin wait for a response?
     # The shared secret.
  4. Edit the OpenVPN config file (server.conf) and add the following to the end of the file
    plugin /usr/local/lib/ /usr/local/etc/openvpn/server/radiusplugin.cnf
  5. Edit the client ovpn file and add the following line

Dec 14 2022

FreeRadius enable Virtual site with SQL

  1. Create a MySQL/PostgreSQL database and user
  2. Import the FreeRadius database schema in
  3. Edit the sql configuration file and fill in the database details

     server = "hostname-here"
     port = 3306
     login = "database-login-here"
     password = "password-here"
     radius_db = "database-name-here"
  4. If there is more than one database (for different applications), copy the whole section, add an instance name and change the database details, i.e. change
    sql {
    to
    sql instance1 {
  5. Copy the "default" configuration file to "virtual1" (or any name)
  6. Edit the "virtual1" file and make the following changes
    1. Change the virtual site name from
      server default {
      to
      server virtual1 {
    2. Change the port number
      port = 55555
    3. Enable sql: find the following line
      #      sql
      and change it to
      "instance1" is the sql instance name added in step 4
  7. Add a client for this virtual host
    client your-device {
           ipaddr =
           secret = secretPhrase
           virtual_server = virtual1
    }

    your-device is the profile name

    ipaddr is the IP address (or IP address range) of your device(s). If there is more than 1, use "|" to separate them
    secret is the passphrase used to access the radius service
    virtual_server is the virtual site name used in step 5.

  8. Add the user into the database
    insert into radusergroup (username, groupname, priority) VALUES ('username','groupname', 1);
    insert into radcheck (username, attribute, op, value) VALUES ('username', 'Cleartext-Password', ':=', 'password');
  9. Restart radiusd
Created by Yu Pang Law on 2005/01/28 23:50