Install PFSense on a Digital Ocean Droplet

This article is a rewrite of the following Original and Updated Version, with only a few thoughts and observations added.

The technique described here may or may not work on other cloud/VPS providers; it is imperative that you have some kind of console access so you can follow the pfSense installation steps.

Start by logging in to your Digital Ocean dashboard, then create a new droplet. The size of the droplet doesn’t actually matter, but ideally you should enable the following options:
1) Select FreeBSD 11.X; the exact version probably doesn’t matter, 11.x or 12.x are fine.
2) Enable “Private Networking”; it will be nicer in the long term when you set up a VPN, as you’ll then be able to access your DigitalOcean VMs like a big LAN.
3) Enable “IPv6”, because IPv6 is the future; better to start adapting now rather than later.

While your VPS is starting, go to the pfsense download site https://www.pfsense.org/download/

The image that you need is ‘AMD64 (64-bit)’, ‘USB Memstick Installer’ and ‘VGA’. Find the download link (there are many ways); you will need this link on your VPS next.

First log in to your VPS and write down the network information; this will come in handy when you are configuring your pfSense install for the first time. You can do it with the “ifconfig” command; write down the “hwaddr”, “inet” and “inet6” information so you can use it later.

After taking notes, change user to root, then run the next commands; you can substitute the DOWNURL variable with the link you found on the pfSense mirror.


# Download the installer image to /tmp
DOWNURL="https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz"
cd /tmp
curl -O ${DOWNURL}
# Disable swap and allow writing to the disk the system booted from
swapoff -a
sysctl kern.geom.debugflags=0x10
gunzip pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz
# Overwrite the droplet's disk with the memstick image, then reboot into the installer
dd if=pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img of=/dev/vtbd0
reboot

If all went well, log in to your droplet console; you should see a pfSense install starting.

Sources:

https://www.pickysysadmin.ca/2019/04/19/how-to-install-pfsense-in-digitalocean/
and https://squigly.blogspot.com/2018/02/running-pfsense-on-digitalocean-droplet.html

Shell Script to get the network list by domain name

If you followed my guide HERE and HERE you might be wondering whether there is an easier/more automated way of doing it, and in fact there is a simple script that you could build.


#!/bin/bash
# Usage: getnetworks.sh DOMAIN [v4|v6]
if [ "$#" -eq 0 ]; then
  echo "Usage: $0 DOMAIN [v4|v6]"
  exit 1
fi

# Match both route: and route6: objects unless one family is requested
FILTER="route"
if [ "$#" -eq 2 ]; then
  if [ "$2" == "v4" ]; then
     FILTER="route:"
  fi
  if [ "$2" == "v6" ]; then
     FILTER="route6:"
  fi
fi

WHOISSERVER="whois.radb.net"
# First address of the domain, then the origin AS(es) of the route object covering it
IPN=$(dig +short "$1" | head -1)
ASN=$(whois -h "${WHOISSERVER}" "${IPN}" | grep -i origin | tr -s " " | cut -d " " -f2)
# Every prefix announced with those origin ASes
for i in $ASN; do
  whois -h "${WHOISSERVER}" -- "-i origin ${i}" | grep "^${FILTER}" | tr -s " " | cut -d " " -f2-
done

 
While this script is handy and it’s nice to know the networks of the large players of the internet, you shouldn’t be too trigger-happy with its output. For example, if you attempt to block just the domain “example.com” this way you would block a WHOLE LOT more than you are expecting, because the script returns every prefix announced by the origin AS, not just the one the domain lives in. The primary goal of this script is not to be an input for iptables but to be a guide to which networks belong to whom.
 

Bonus:

You can make the list shorter by aggregating smaller networks into a bigger CIDR; for example, “192.168.0.0/24” and “192.168.1.0/24” can be expressed as “192.168.0.0/23”.
HERE you can find a Python script that accepts a list of networks as input; all you need to do is pipe the output of the script above into it and you’ll get an optimized list.
An example to get a nice list of CIDRs of the Facebook network:


./getnetworks.sh facebook.com | aggregate6

It should output the following as of 2019-11-02:


31.13.24.0/21
31.13.64.0/18
45.64.40.0/22
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
102.132.96.0/20
103.4.96.0/22
129.134.0.0/16
157.240.0.0/16
173.252.64.0/18
179.60.192.0/22
185.60.216.0/22
199.201.64.0/22
204.15.20.0/22
2401:db00::/32
2620:0:1c00::/40
2803:6080::/32
2a03:2880::/32
2a03:2887:ff34::/48

Sources:

https://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook
https://gist.github.com/normoes/829d65866c8bf6d32b13f020479b172b
https://developers.facebook.com/docs/sharing/webmasters/crawler
https://github.com/job/aggregate6

Get AS(Autonomous System) Number By domain name

If you followed my last post HERE you might be wondering “That’s great and all, but how do I find the AS number in the first place?”.

If you are running Linux it’s easy:

First install dig and whois:

If you are using Centos/Fedora:


yum install bind-utils whois -y

 
In case you are using Debian/Ubuntu:


apt install dnsutils whois -y

 
After that, get the IP address associated with the domain:


dig +short facebook.com | head -1

 
The output should be an IP address, for example:


31.13.91.36

 
With the IP address in hand, to get the ASN you just need to run:


whois -h whois.radb.net '31.13.91.36' | grep -i origin | tr -s " " | cut -d " " -f2

 
Voila, the output should be the AS number(s):


AS32934

 
As with most things on the internet, these lists are not static, so you should build a script to update them from time to time.

Sources:

https://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook
https://gist.github.com/normoes/829d65866c8bf6d32b13f020479b172b
https://developers.facebook.com/docs/sharing/webmasters/crawler

Get IP address Space By AS(Autonomous System) Number

Sometimes you need to get all possible address blocks of a network, but most of the time there is no easy way to figure it out (looking at you, Facebook and Google). But fear not, sysadmin, we have one handy trick up our sleeve: by using whois with the AS number of the company we can build this kind of list.
 
We’ll use Facebook (AS32934) as an example, but it should work for any Autonomous System.


whois -h whois.radb.net -- "-i origin AS32934" | grep ^route | tr -s " " | cut -d " " -f2-
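The whois command above returns the raw route objects, and the Bonus section of the getnetworks post aggregates them with aggregate6. The following added Python example (not code from the original posts) does both steps offline on a constructed whois reply and also counts how many addresses the resulting block list covers, which is the number to look at before such a list goes anywhere near a firewall. The sample route objects are constructed from documentation prefixes and a private AS number.

```python
import ipaddress
import re

# Constructed sample of what `whois -h whois.radb.net -- "-i origin ASxxxx"`
# returns (documentation prefixes, private AS number). The first two routes
# are adjacent on purpose so the aggregation step has something to merge.
SAMPLE_WHOIS = """\
route:          192.0.2.0/25
origin:         AS64496
source:         RADB

route:          192.0.2.128/25
origin:         AS64496
source:         RADB

route6:         2001:db8:1::/48
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
origin:         AS64496
source:         RADB
"""

# Same selection as `grep ^route | tr -s " " | cut -d " " -f2-`, both families
ROUTE_RE = re.compile(r"^route6?:\s+(\S+)", re.MULTILINE)

def parse_routes(whois_text):
    """Return the prefix of every route/route6 object, skipping malformed ones."""
    nets = []
    for match in ROUTE_RE.finditer(whois_text):
        try:
            nets.append(ipaddress.ip_network(match.group(1), strict=False))
        except ValueError:
            continue  # one bad IRR object should not abort the whole run
    return nets

def aggregate(nets):
    """Merge adjacent or overlapping prefixes, like piping through aggregate6.
    collapse_addresses() refuses mixed families, so v4 and v6 are done apart."""
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out

def address_count(cidrs):
    """Addresses the list covers: what a firewall rule built from it would block."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)
```

Feeding the real whois output into parse_routes() and aggregate() gives the same list as the getnetworks.sh | aggregate6 pipeline, and address_count() makes the over-blocking caveat concrete.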

Continue reading “Get IP address Space By AS(Autonomous System) Number”

Centos 7 with IPV6 at Server4You

As of 2019-10-01, the hosting company server4you.com doesn’t support IPv6, but if you want to test IPv6 or support your IPv6-capable clients there are still a few tricks you can try.
A good way is to use a broker to create a 6in4 tunnel from your IPv4 address to the IPv6-enabled internet.

***** Disclaimer *****
 
This guide DOES NOT WORK if you are using their offerings of the vServer family because it’s powered by OpenVZ, but it will work perfectly with the VDS family powered by KVM or with their dedicated servers.
This is NOT a “true” IPv6 solution as you will use a tunnel broker to make a 6in4 tunnel, but it gets the job done for most workloads.
 
***** End Of Disclaimer *****
 
You start by creating an account at Hurricane Electric and then creating a tunnel there pointing to your server’s IP address; you should preferably choose a tunnel server that is near your server, but this is not strictly necessary.
Continue reading “Centos 7 with IPV6 at Server4You”

Zombasite error while loading shared libraries: libpng12.so.0

If you are trying to run the Zombasite GOG version and the game is not starting properly, what you can do to try and debug the issue is to run it in a terminal and look at the output.


~/GOG\ Games/Zombasite/start.sh

 
If you get the following output:


Running Zombasite
./Zombasite: error while loading shared libraries: libpng12.so.0:
 cannot open shared object file: No such file or directory


 
This output means you are missing at least libpng12.
Continue reading “Zombasite error while loading shared libraries: libpng12.so.0”

Install proxmox 6.0 on top of Debian Buster

This is mostly a copy & paste of the article about installing Proxmox 5.X on top of Debian Stretch, but with the links and repositories updated to the new Debian Buster and Proxmox 6.X.

The default Proxmox installation ISO is notably minimalist. One way to do simple customization and have a little more flexibility, for example to choose the partition layout or use an encrypted LVM, is to first make a basic Debian installation and then upgrade it to a full-blown Proxmox installation.

This process is simple and fast and is described in detail at the official Proxmox wiki here.

But here is the tl;dr version with a few extras and useful modifications from the original article:

Start by making a minimal installation of Debian 10, i.e. at the software selection screen check only “SSH server” and “standard system utilities”.
After installation, boot into your new Debian machine and be sure that you can resolve the hostname of your machine; the command below must return an IP address that is not ‘127.0.0.1’.
This step is important because Proxmox expects to have a “real” (non-localhost) IP, or else the installation of the package ‘proxmox-ve’ will fail during post-install.
Continue reading “Install proxmox 6.0 on top of Debian Buster”

RIP Sound Card Audio in Linux

Sometimes you need a quick and dirty way of ripping the audio of your sound card, in Linux you can easily do it with the following script:


#!/bin/bash
set -x
WAV="$1"
if [ -z "$WAV" ]; then
    echo "Usage: $0 OUTPUT.WAV" >&2
    exit 1
fi
rm -f "$WAV"

# Get sink monitor:
MONITOR=$(pactl list | egrep -A2 '^(\*\*\* )?Source #' | \
    grep 'Name: .*\.monitor$' | awk '{print $NF}' | tail -n1)
echo "set-source-mute ${MONITOR} false" | pacmd >/dev/null

# Record it raw, and convert to a wav
echo "Recording to $WAV ..."
echo "Close this window to stop"
parec -d "$MONITOR" | sox -t raw -b 16 -e signed -c 2 -r 44100 - "$WAV"

 
Store it somewhere in your PATH, and when you need to record the audio just use it as:


./soundRipper.sh output.wav

 
If you don’t want to store wave files you can convert them as shown HERE

Sources:

https://outflux.net/blog/archives/2009/04/19/recording-from-pulseaudio/
https://www.pantz.org/software/alsa/recording_sound_from_your_web_browser_using_linux.html

Reload HAProxy Without connection loss

Below is a quick and dirty script to reload HAProxy without dropping connections; just fill in the correct values at lines 2, 3, 4 and 5 and you are probably good to go.
 
The script is really simple; after you plug in the values for the variables, the execution can be summarized in these steps:
1) Create the PID directory in case it doesn’t exist
2) Check whether the configuration file is valid
3a) If the configuration is valid, look for another haproxy running and send it a signal to finish its connections and stop, while starting a new haproxy
3b) Otherwise abort the restart and print the errors found in the config file
 

#!/bin/bash
CFG_FILE="/etc/haproxy/haproxy.cfg"
HAPROXYBIN=$(which haproxy)
PIDDIR="/var/run/haproxy/"
PIDFILE="${PIDDIR}haproxy.pid"

# Create the PID directory if it does not exist yet
[ ! -d "${PIDDIR}" ] && mkdir -p "${PIDDIR}"

# Check if the configuration is valid before touching the running instance
if "${HAPROXYBIN}" -c -f "${CFG_FILE}" | tail -1 | grep -q "Configuration file is valid"; then
    echo "Found a valid configuration file, reloading HAProxy"
    # -sf tells the old process(es) to finish their existing connections and exit
    # once the new one has bound its sockets; a missing PID file (first start)
    # simply means there is nothing to signal
    OLDPIDS=""
    [ -f "${PIDFILE}" ] && OLDPIDS=$(cat "${PIDFILE}")
    "${HAPROXYBIN}" -f "${CFG_FILE}" -p "${PIDFILE}" -sf ${OLDPIDS}
else
    echo "Invalid configuration file"
    "${HAPROXYBIN}" -c -f "${CFG_FILE}"
fi

Convert wav files to mp3

When you want to convert a wave file to MP3, one of the simplest ways you’ll find is by using ffmpeg.

If you use Debian, you can install it with:

apt install ffmpeg

 
If you use CentOS you can install it by following these steps:

sudo rpm -v --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
wget http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
yum localinstall nux-dextop-release-0-5.el7.nux.noarch.rpm -y 
yum update
yum install ffmpeg -y

 
After that, you just need to specify the input and output file names:

ffmpeg -i input.wav -acodec mp3 -ab 256k output.mp3

 

Sources:

https://lonewolfonline.net/convert-wav-mp3-linux/
https://linuxadmin.io/install-ffmpeg-on-centos-7/