How to Install and Run Shadowsocks On FreeBSD?

The Shadowsocks client and server are cross-platform and can be run on Windows with a few clicks, so this article covers FreeBSD.

Install shadowsocks with PKG
To install shadowsocks-libev, issue this command:
# pkg install shadowsocks-libev
To run the server on your FreeBSD machine, issue this command:
# ss-server -s "your server valid ip" -p 1080 -k "password" -m aes-256-cfb -a nobody -u &
-s: host name or IP address of your remote server
-p: port number of your remote server
-k: password of your remote server
-m: encryption method
Other ciphers you can use with -m:
aes-128-gcm, aes-192-gcm, aes-256-gcm, aes-128-cfb, aes-192-cfb, aes-256-cfb, aes-128-ctr, aes-192-ctr, aes-256-ctr, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, bf-cfb, chacha20-ietf-poly1305, xchacha20-ietf-poly1305, salsa20, chacha20 and chacha20-ietf. The default cipher is rc4-md5. The -gcm and -poly1305 entries are AEAD ciphers, which also authenticate each packet; the cfb/ctr ciphers and rc4-md5 only encrypt.
Tip: the encryption method must be the same on both sides.
-a: run as another user
-u: enable UDP relay
Install shadowsocks with PIP
If you get errors, it is also possible to use pip, the tool for installing and managing Python packages:
# pkg install py27-pip
# pip install shadowsocks
# ssserver -p 1080 -k "password" -m aes-256-cfb --user nobody -d start
You can stop this service by:
# ssserver -d stop
Connect To Shadowsocks Server From FreeBSD Terminal
As mentioned before, the Shadowsocks client also runs on Windows.
First, install shadowsocks-libev on your client:
# pkg install shadowsocks-libev
On your FreeBSD client, issue this:
# ss-local -s "your server valid IP" -p 1080 -l 9090 -m aes-256-cfb -k "password"

ss-local listens on port 9090 as a SOCKS5 proxy; point your browser or any other application that supports SOCKS5 at that port.

You can get full edition at:

Running Windows 2012-R2 under Bhyve

  1. Install FreeBSD 11.0-RC2
    You can also install FreeBSD 11.0-RC1 or any latest builds.
  2. Retrieve the firmware binary
    We must install "bhyve-firmware". The best way to do this is to build it from the ports tree. That process normally takes a while and asks for user interaction, but with one trick it runs unattended:
    # cd /usr/ports/sysutils/bhyve-firmware
    # make install clean -DBATCH
    -DBATCH forces the port build not to prompt for confirmation and to proceed automatically.
  3. Hypervisor, Network and Storage Preparation
    # kldload vmm
    this command loads the bhyve kernel module (the vmm driver).
    # ifconfig tap0 create up
    this command creates a new tap interface and brings it up.
    # ifconfig bridge0 create up
    this command creates a bridge and brings it up.
    # ifconfig bridge0 addm em0
    this command adds em0 (the physical network interface) to bridge0.
    # ifconfig bridge0 addm tap0
    this command adds tap0 to bridge0.
    # truncate -s 50G disk.img
    this command creates a sparse 50 GB file to use as the virtual disk.
  4. Boot a Virtual Machine
    # bhyve -c 2 -m 4G -w -H \
    -s 0,hostbridge \
    -s 3,ahci-cd,/path/to/windows-2012R2.iso \
    -s 4,ahci-hd,disk.img \
    -s 5,virtio-net,tap0 \
    -s 29,fbuf,tcp=,w=800,h=600,wait \
    -s 30,xhci,tablet \
    -s 31,lpc -l com1,stdio \
    -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
    vm0
    this command creates a virtual machine (vm0) with 2 CPU cores and 4 GB of RAM and a display resolution of 800 by 600 that can be accessed via VNC at:
    The fbuf wait parameter instructs bhyve to boot only once a VNC connection is initiated, which simplifies installing operating systems that require immediate keyboard input. It can be removed for post-installation use.
    The xhci,tablet parameter provides precise cursor synchronization when using VNC, but is not supported by FreeBSD.
    Desktop versions of Microsoft Windows require the presence of a CD/DVD device, which can be an empty file created with touch(1).
    -H Yield the virtual CPU thread when an HLT instruction is detected. If this option is not specified, virtual CPUs will use 100% of a host CPU.
    -w Ignore accesses to unimplemented Model Specific Registers (MSRs). This is intended for debugging purposes.
  5. Connect to VM with VNC client
    # vncviewer
    In the VNC client window you can see what is happening; the mouse is supported too. I prefer to use "tightvnc". My hypervisor IP is "" and I have DHCP on my network, so Windows gets its IP address automatically.
  6. Setup Process
    The setup process needs to restart the VM. After each restart you must run the bhyve command again until setup completes.
  7. Virtio is a virtualization standard for network and disk device drivers in which only the guest's device driver "knows" it is running in a virtual environment and cooperates with the hypervisor. This gives guests high-performance network and disk operations and most of the performance benefits of paravirtualization.
    The virtio drivers can be downloaded from the link below:
  8. Setup NIC Driver
    After the first login you must shut down the VM and issue these commands:
    # bhyvectl --destroy --vm=vm0
    # bhyve -c 2 -m 4G -w -H \
    -s 0,hostbridge \
    -s 3,ahci-cd,/path/to/virtio-win-0.1.118.iso \
    -s 4,ahci-hd,disk.img \
    -s 5,virtio-net,tap0 \
    -s 29,fbuf,tcp=,w=800,h=600,wait \
    -s 30,xhci,tablet \
    -s 31,lpc -l com1,stdio \
    -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
    vm0
    After logging in to your desktop you can easily find the proper driver on the virtio ISO and install it. Then you can set an IP address and connect to your VM with a Remote Desktop client; RDP is much faster than VNC.

You can get full edition at:

OPNsense installation on Bhyve

OPNsense requirements:
Minimum required RAM is 1 GB
Minimum recommended virtual disk size of 8GB

  1. Install FreeBSD 11.0
    You can also use any later build.
  2. Retrieve the firmware binary
    We must install "bhyve-firmware". The best way to do this is to build it from the ports tree. That process normally takes a while and asks for user interaction, but with one trick it runs unattended:
    # cd /usr/ports/sysutils/bhyve-firmware
    # make install clean -DBATCH
    -DBATCH forces the port build not to prompt for confirmation and to proceed automatically.
  3. Hypervisor, Network and Storage Preparation
    # kldload vmm
    this command loads the bhyve kernel module (the vmm driver).
    # ifconfig tap0 create up
    this command creates a new tap interface and brings it up.
    # ifconfig bridge0 create up
    this command creates a bridge and brings it up.
    # ifconfig bridge0 addm em0
    this command adds em0 (the physical network interface) to bridge0.
    # ifconfig bridge0 addm tap0
    this command adds tap0 to bridge0.
    # truncate -s 50G OPNsense.img
    this command creates a sparse 50 GB file to use as the virtual disk.
  4. Prepare OPNsense ISO
    # fetch
    # bunzip2 OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2
  5. Boot a Virtual Machine
    # bhyve -c 2 -m 4G -w -H \
    -s 0,hostbridge \
    -s 3,ahci-cd,OPNsense-17.1-OpenSSL-cdrom-amd64.iso \
    -s 4,ahci-hd,OPNsense.img \
    -s 5,virtio-net,tap0 \
    -s 29,fbuf,tcp=,w=800,h=600,wait \
    -s 30,xhci,tablet \
    -s 31,lpc -l com1,stdio \
    -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
    vm0
    this command creates a virtual machine (vm0) with 2 CPU cores and 4 GB of RAM and a display resolution of 800 by 600 that can be accessed via VNC at:
    The fbuf wait parameter instructs bhyve to boot only once a VNC connection is initiated, which simplifies installing operating systems that require immediate keyboard input. It can be removed for post-installation use.
    The xhci,tablet parameter provides precise cursor synchronization when using VNC, but is not supported by FreeBSD.
    -H Yield the virtual CPU thread when an HLT instruction is detected. If this option is not specified, virtual CPUs will use 100% of a host CPU.
    -w Ignore accesses to unimplemented Model Specific Registers (MSRs). This is intended for debugging purposes.
  6. Connect to VM with VNC client
    # vncviewer
    In the VNC client window you can see what is happening; the mouse is supported too. I prefer to use "tightvnc". My hypervisor IP is "".
  7. Installation process
  8. Configure console - The default configuration should be fine for most occasions.
  9. Select task - The Quick/Easy Install option should be fine for most occasions. For installations on embedded systems or systems with minimal disk space choose Custom Installation and do not create a swap slice. Continue with default settings.
  10. Are you SURE? - When proceeding OPNsense will be installed on the first hard disk in the system.
  11. Reboot - The system is now installed and needs to be rebooted to continue with the configuration.
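
As an added example (not code from the article), the launcher below wraps the bhyve recipe used above for both the Windows and the OPNsense guest: it builds the same device list, drops the CD and the fbuf "wait" flag for post-install boots, binds VNC to localhost, and restarts the guest after each reboot exit so the "run it again after each restart" step happens automatically. VNC_BIND, BHYVE and the function names are assumptions made here.

```sh
#!/bin/sh
# Added example, not code from the article: one launcher for the UEFI + VNC bhyve
# recipe used for both the Windows and the OPNsense guests above. It assumes a
# FreeBSD host with bhyve-firmware installed at the path the article uses and the
# tap/bridge from step 3 already present. VNC_BIND and BHYVE are names chosen here.

VNC_BIND="${VNC_BIND:-127.0.0.1:5900}"  # fbuf's VNC is unencrypted: bind to localhost, tunnel over SSH
FIRMWARE=/usr/local/share/uefi-firmware/BHYVE_UEFI.fd
BHYVE="${BHYVE:-bhyve}"                  # set BHYVE=echo to print the command instead of running it

# Start one guest. Usage: vm_start NAME DISK TAP [ISO]
# With an ISO, the CD is attached and fbuf gets "wait", so the install boot pauses
# until a VNC client connects. Without one (post-install), it boots from the disk.
vm_start() {
  name=$1 disk=$2 tap=$3 iso=$4
  fb="29,fbuf,tcp=$VNC_BIND,w=800,h=600"
  set -- -c 2 -m 4G -w -H -s 0,hostbridge
  if [ -n "$iso" ]; then
    set -- "$@" -s "3,ahci-cd,$iso"
    fb="$fb,wait"
  fi
  set -- "$@" -s "4,ahci-hd,$disk" -s "5,virtio-net,$tap" -s "$fb" \
    -s 30,xhci,tablet -s 31,lpc -l com1,stdio -l "bootrom,$FIRMWARE" "$name"
  "$BHYVE" "$@"
}

# bhyve(8) exit status: 0 = guest rebooted, 1 = powered off, 2 = halted,
# 3 = triple fault, 4 = error. Only a reboot should bring the guest back up.
want_restart() {
  [ "$1" -eq 0 ]
}

# Run a guest until it powers off. Every bhyve exit (each reboot the Windows setup
# performs, for instance) is followed by "bhyvectl --destroy" and a fresh start,
# which is the "run it again after each restart" step done automatically.
vm_run() {
  while :; do
    rc=0
    vm_start "$@" || rc=$?
    bhyvectl --destroy --vm="$1"
    want_restart "$rc" || break
  done
}

# Usage: "./launch.sh vm0 disk.img tap0 /path/to/windows-2012R2.iso" for the
# install, then "./launch.sh vm0 disk.img tap0" once the guest is on the disk.
if [ $# -ge 3 ]; then
  vm_run "$@"
fi
```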
    You can get full edition at:

Elastix On Bhyve

Bhyve Preparation and Elastix Installation
Elastix requirements:

Minimum required RAM is 2 GB.
The minimum recommended virtual disk size of 30GB.

  1. Install FreeBSD 11.0
    You can also install FreeBSD 11.0 or any latest builds.
  2. Install Grub-emu loader for Bhyve
    We must install the “grub2-bhyve” port. This process is very time-consuming and needs user-interaction. But with some tricks, we can do it very easily:
    # cd /usr/ports/sysutils/grub2-bhyve
    # make install clean -DBATCH
    -DBATCH forces the port build not to prompt for confirmation and to proceed automatically.
  3. Hypervisor, Network and Storage Preparation
    # kldload vmm
    this command will load Bhyve kernel module or driver.
    # ifconfig tap0 create up
    this command creates a new interface and brings it up.
    # ifconfig bridge0 create up
    this command creates a bridge and brings it up.
    # ifconfig bridge0 addm em0
    this command adds em0(network interface) to bridge0
    # ifconfig bridge0 addm tap0
    this command adds tap0 to bridge0.
    # truncate -s 30G elastix.img
    this command creates a file with 30GB size.
  4. Prepare Elastix ISO
    # mv Elastix-2.5.0-STABLE-x86_64-bin-08may2015.iso elastix.iso
    Create a device map file that grub-bhyve will use to map the virtual devices to the files on the host system:
    # touch
    # echo "(hd0) /root/elastix.img" >>
    # echo "(cd0) /root/elastix.iso" >>
  5. Boot Elastix Virtual Machine
    # grub-bhyve -m -r cd0 -M 2048 elastix
    grub> linux (cd0)/isolinux/vmlinuz
    grub> initrd (cd0)/isolinux/initrd.img
    grub> boot
    # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s 3:0,virtio-blk,elastix.img -s 4:0,ahci-cd,elastix.iso \
    -l com1,stdio -c 2 -m 2048M elastix
    this command creates a virtual machine (elastix) with 2 CPU cores and 2 GB of RAM.
    -H Yield the virtual CPU thread when an HLT instruction is detected. If this option is not specified, virtual CPUs will use 100% of a host CPU.
    -A Generate the ACPI tables that amd64 guests require.
    -P Force the guest virtual CPU to exit when a PAUSE instruction is detected.
    The other parameters define the CD-ROM and HDD devices.
  6. Elastix installation
    You can install Elastix with the GUI wizard.

Elastix First Boot
After the installation of Elastix, the system will request a reboot. This reboot causes Bhyve to exit.
Issue these commands to boot Elastix again:
# bhyvectl --destroy --vm=elastix
# grub-bhyve -m -r hd0,msdos1 -M 2048M elastix
grub> linux (hd0,msdos1)/vmlinuz-2.6.18-371.1.2.el5 root=/dev/mapper/VolGroup00-LogVol00
grub> initrd (hd0,msdos1)/initrd-2.6.18-371.1.2.el5.img
grub> boot
# bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s 3:0,virtio-blk,elastix.img -l com1,stdio -c 2 -m 2048M elastix
Secret Sauce
As you can see, Elastix boots and the welcome screen shows the IP address of the Elastix web GUI. However, this address doesn't work (I gave elastix ...). Why?
IPTables (the Linux firewall) is running, and you must stop it to reach Apache. So, issue the following command:
# service iptables stop
You can also create an iptables rule to allow the port, but in a virtual infrastructure it's better to use host firewalling and disable any guest firewall.
Now you can see the Elastix web GUI, but something's still wrong: Elastix doesn't allow changing the configuration. This is because of SELinux.
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including the United States Department of Defense–style mandatory access controls (MAC).
SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement.
We have two solutions to this:
1. Completely turning off SELinux
Edit /etc/selinux/config and change the SELINUX option to disabled, like so:

SELINUX=disabled

2. Configuring SELinux to log warnings instead of blocking
Edit /etc/selinux/config and change the SELINUX option to permissive, like so:

SELINUX=permissive

and then issue this:

# setenforce 0

And it’s done, Elastix is now up and running.
Make Config Persistence
1. Create a file and name it vml:
# touch vml
2. Open vml with ee and paste this rc.d script into vml:

#!/bin/sh
# PROVIDE: vml
# REQUIRE: NETWORKING
. /etc/rc.subr
name="vml"
rcvar="vml_enable"
start_cmd="vml_start"
stop_cmd=":"
load_rc_config $name
: ${vml_enable:=no}
# at boot: load the hypervisor module and rebuild the tap/bridge setup
vml_start()
{
    kldload vmm
    ifconfig tap0 create up
    ifconfig bridge0 create up
    ifconfig bridge0 addm em0
    ifconfig bridge0 addm tap0
}
run_rc_command "$1"

3. Copy vml to /etc/rc.d
# cp vml /etc/rc.d/
4. Make it executable
# chmod +x /etc/rc.d/vml
5. Enable the vml script in /etc/rc.conf
# echo 'vml_enable="YES"' >> /etc/rc.conf
After rebooting the host machine, the vml script will recreate the bhyve network setup.
You can get full edition at:

GUI Programming in FreeBSD with Perl/Tk

What is Perl?
Perl officially stands for Practical Extraction and Report Language.
Perl was originally developed by Larry Wall in 1987 as a general-purpose Unix scripting language to make report processing easier. It was optimized for scanning arbitrary text files, extracting information from those files, and printing reports based on that information. It's widely used for everything from quick "one-liners" to full-scale application development. Its general-purpose programming facilities support procedural, functional, and object-oriented programming paradigms, making Perl a comfortable language for any purpose.
What is CPAN?
The Comprehensive Perl Archive Network (CPAN) is a repository of over 250,000 software modules and accompanying documentation for 39,000 distributions, written in the Perl programming language by over 12,000 contributors.
You can easily add new libraries to Perl from CPAN, which makes programming easier.
How to deal with CPAN in FreeBSD 11?
cpanminus is a Perl tool to get, unpack, build, and install modules from CPAN. To install cpanminus, issue this command:
# pkg install p5-App-cpanminus
After that, you can install CPAN modules with the cpanm command.

What is TK?
The Perl/Tk module, also known as pTk or ptk, is a Perl module designed to create widgets and other commonly used graphical objects to form a graphical user interface (GUI). Using the module to create a GUI enhances the look and feel of a program and helps the end-user navigate through the program and its functions. One major advantage of using the Perl/Tk module is that the resulting application can be cross-platform, meaning the same GUI application can be used on UNIX®, Linux®, Macintosh, Microsoft® Windows®, or any other operating system that has Perl and the Perl/Tk module installed.
Install Tk On FreeBSD
The installation process is very straightforward and fast, and cpanm takes care of everything. Just issue this command:
# cpanm Tk
and Tk is installed.
Create First GUI Application
It's time to write a first GUI program in Perl/Tk (pTk). Create a file and enter the following text in it:
#!/usr/bin/perl -w
# this is bsdmag ptk tutorial
use Tk;
use strict;
my $mw = MainWindow->new;                                        # the top-level window
$mw->Label(-text => 'bsdmag')->pack();                           # a text label
$mw->Button(-text => "Exit", -command => sub { exit })->pack();  # a button that quits the program
MainLoop;                                                        # hand control to Tk's event loop

You can get full edition at:

SSH Hardening with Google Authenticator and OpenPAM

What is Google Authenticator?
The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM).
Google Authenticator uses the Time-based One-time Password algorithm (TOTP), which derives a secret six-digit code from a shared key and the current time. In addition to your password, you also need this code to log in. The point is that no internet connection is needed; all you need is synchronized time. This technique is called 2-Step Verification.
Two-Factor Authentication Varieties
Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.
There are two types of 2FA:

  1. Time-based One-time Password (TOTP)
    This verification code is generated by a phone app or a dedicated hardware device, or sent to you via SMS. In this article we talk about Google Authenticator (the phone app).
    In TOTP you are not the only one with access to the secret key: client and server both hold it, and both know how to derive the verification code from it. All the server does is compare codes, and this shared secret is what causes TOTP's security issues.
  2. Universal Second Factor (U2F)
    U2F is an open authentication standard that enables internet users to securely access any number of online services with one single device, instantly and with no drivers or client software needed. U2F was created by Google and Yubico, with support from NXP, with the vision of taking strong public key crypto to the mass market. U2F uses public key cryptography to verify your identity. In contrast with TOTP, you are the only one who knows the private key.
    Basically, there are two active companies that utilize U2F: SatoshiLabs and Yubico.
    SatoshiLabs is a security hardware and software company. All of its projects are related to Bitcoin. It was founded in 2013 and is headquartered in Prague, Czech Republic. Trezor is a U2F Bitcoin wallet made by SatoshiLabs.
    Yubico is a private company founded in 2007 with offices in Palo Alto, Seattle, and Stockholm. YubiKey is a USB U2F token made by Yubico.
    You can easily compare the two, but the comparison is not very useful because the right choice depends on the situation.
    Sometimes you can't plug a device into your PC, and then Google Authenticator is your choice.
    U2F is not the subject of this article; we can cover it later.

What Is Pluggable Authentication Modules(PAM)?
The Pluggable Authentication Modules (PAM) library is a generalized API for authentication-related services which allows a system administrator to add new authentication methods simply by installing new PAM modules and to modify authentication policies by editing configuration files.
PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun Microsystems and has not changed much since. In 1997, the Open Group published the X/Open Single Sign-on (XSSO) preliminary specification, which standardized the PAM API and added extensions for single (or rather integrated) sign-on. At the time of this writing, this specification has not yet been adopted as a standard.
In PAM parlance, the application that uses PAM to authenticate a user is the server and is identified for configuration purposes by a service name, which is often (but not necessarily) the program name.
The user requesting authentication is called the applicant, while the user (usually, root) charged with verifying his identity and granting him the requested credentials is called the arbitrator. The sequence of operations the server goes through to authenticate a user and perform whatever task he requested is a PAM transaction; the context within which the server performs the requested task is called a session.
The functionality embodied by PAM is divided into six primitives grouped into four facilities: authentication, account management, session management, and password management.
PAM Varieties
There are three common types of PAM:

  1. Linux-PAM: Linux-PAM is used by almost every Linux distribution, but Linux-PAM is BSD licensed!!!
  2. OpenPAM: OpenPAM is a BSD-licensed implementation of PAM used by FreeBSD, NetBSD, DragonFly BSD and OS X (starting with Snow Leopard), and offered as an alternative to Linux-PAM in certain Linux distributions.
    OpenPAM was developed for the FreeBSD Project by Dag-Erling Smørgrav and NAI Labs, the Security Research Division of Network Associates, Inc., under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program.
  3. Java™ PAM or JPam: PAM is basically a standard authentication module supporting Linux and UNIX. JPam acts as a bridge between the Java side and the usual PAM, enabling the use of PAM modules and facilities (auth, account, passwd, session, etc.) from Java.
  4. SolarisPAM: SolarisPAM is used by the Solaris operating system.

How To Add An Extra Layer Of Authentication To FreeBSD With OpenPAM?
OpenPAM was developed for FreeBSD. "/etc/pam.d/" contains the configuration files for the Pluggable Authentication Modules (PAM) library. Each file details the module chain for a single service and must be named after that service. If no configuration file is found for a particular service, /etc/pam.d/other is used instead. If that file does not exist, /etc/pam.conf is searched for entries matching the specified service or, failing that, the "other" service.
How To Add 2FA On SSH?

  1. First of all, install the google-authenticator PAM module:
    # pkg install pam_google_authenticator
  2. Install the QR encoder for ease of use:
    # pkg install libqrencode
    QR code (Quick Response Code) is a type of matrix barcode (or two-dimensional barcode) first designed for the automotive industry in Japan. A barcode is a machine-readable optical label that contains information about the item to which it is attached. With QR codes you can easily transfer your authentication key to your smartphone.
  3. Then you have to edit /etc/pam.d/sshd and add the following line to auth section:
    auth required /usr/local/lib/
  4. Create a new user called "Sara" to test google-authenticator:
    # adduser Sara
    # pw useradd -n Sara -s /bin/sh -m
  5. Now run google-authenticator as "Sara", simulating a full login:
    # su - Sara -c google-authenticator
    You can now see your QR code on the screen. Scan it with the "Authenticator" Android app to get verification codes on your smartphone.
    google-authenticator will ask you a couple of questions:
    Do you want authentication tokens to be time-based (y/n)
    Do you want me to update your “/root/.google_authenticator” file (y/n)
    your chances to notice or even prevent man-in-the-middle attacks (y/n)
    size of 1:30min to about 4min. Do you want to do so (y/n)
    Do you want to enable rate-limiting (y/n)
    You can answer all those questions with "y".
    By default, tokens are good for 30 seconds, and to compensate for possible time skew between the client and the server, one extra token before and after the current time is also accepted. If you experience problems with poor time synchronization, you can increase the window from its default. If the computer you are logging into isn't hardened against brute-force login attempts, you can enable rate limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30 s.
  6. Edit the SSH service configuration file (/etc/ssh/sshd_config) and add these lines to require 2FA for a specific user:
    Match User Sara
    AuthenticationMethods keyboard-interactive
  7. Restart the SSH service:
    # service sshd restart

If the user we named "Sara" opens an SSH connection, she will be asked for two factors:

  1. Password
  2. Verification code

There are other combinations too, but they are not recommended:

  1. public key + password + verification code
  2. public key + verification code, without password
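
To make the shared-secret point above concrete, here is the TOTP computation itself, as an added example rather than code from the article or the Google Authenticator project: the same key and clock on both sides give the same six-digit code, and verification just compares codes within the one-step skew window mentioned in step 5. It assumes openssl(1) is available and takes the secret as hex (the app stores the same bytes base32-encoded); the function names are chosen here.

```sh
#!/bin/sh
# Added example, not code from the article or from the Google Authenticator project:
# the TOTP computation (RFC 6238) that both the phone app and pam_google_authenticator
# perform, in POSIX sh with openssl(1) doing HMAC-SHA1. The secret is given here as
# hex; the app stores the same bytes base32-encoded. Function names are chosen here.

# Emit the 8-byte big-endian moving factor (time step counter) as raw bytes.
counter_bytes() {
  c=$1
  i=7
  while [ "$i" -ge 0 ]; do
    b=$(( (c >> (8 * i)) & 255 ))
    printf "$(printf '\\%03o' "$b")"   # \ooo octal escape -> one raw byte
    i=$((i - 1))
  done
}

# totp HEXKEY [UNIX_TIME] [STEP]  ->  six-digit code for that time step.
totp() {
  key=$1
  t=${2:-$(date +%s)}
  step=${3:-30}
  mac=$(counter_bytes $((t / step)) \
        | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" \
        | sed 's/^.*= *//')
  # Dynamic truncation: the low nibble of the last HMAC byte chooses a 4-byte window.
  offset=$(( 0x$(printf '%s' "$mac" | cut -c 40) ))
  start=$((offset * 2 + 1))
  word=$(printf '%s' "$mac" | cut -c "$start-$((start + 7))")
  printf '%06d\n' $(( (0x$word & 0x7fffffff) % 1000000 ))
}

# totp_verify HEXKEY CODE [UNIX_TIME] [STEP]: accept CODE for the current step or
# the one before/after it, the skew window the setup questions above refer to.
# Widening the window is what trades clock tolerance for more guessable codes.
totp_verify() {
  vkey=$1 vcode=$2 vnow=${3:-$(date +%s)} vstep=${4:-30}
  for d in -1 0 1; do
    if [ "$(totp "$vkey" $((vnow + d * vstep)) "$vstep")" = "$vcode" ]; then
      return 0
    fi
  done
  return 1
}
```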

You can get full edition at:

Build FreeBSD 12 For RaspberryPi 3 With Crochet

  1. You need to get the latest source tree with Subversion:
    # pkg install subversion
    # svn co /usr/src
    Subversion is a version control system that keeps old versions of files and directories (usually source code), along with a log of who changed what, when, and why, much like CVS, RCS or SCCS. Subversion keeps a single copy of the master sources, called the source repository, which contains all the information needed to extract any previous version of those files at any time.
    If something goes wrong and you must run the checkout again, first issue this command:
    # svn cleanup /usr/src/
  2. Now it's time to get Crochet to build our image:
    # pkg install git-2.13.0
    # git clone
  3. Select which board you want to build for:
    # cd crochet
    Uncomment line 38 and exit:
    board_setup RaspberryPi3
  4. Build the image:
    # pkg install u-boot-rpi3-2017.01
    Cross-build U-Boot loader for RPi3
    Das U-Boot (subtitled "the Universal Boot Loader" and often shortened to U-Boot) is an open-source primary boot loader used in embedded devices to package the instructions that boot the device's operating system kernel. It is available for a number of computer architectures, including 68k, ARM, AVR32, Blackfin, MicroBlaze, MIPS, Nios, SuperH, PPC, RISC-V, and x86.
    u-boot-rpi3 is a cross-built U-Boot loader for the RPi3.
    # ./ -c
    The build time depends on your CPU speed, but in general it takes a long time.

You can get full edition at:

FreeBSD Desktop With Xfce, SLiM, And i3lock

Many people are looking for a lightweight, fast and stable desktop environment, but a fully functional how-to is rare.
This article is a functional how-to covering 3 elements:
1. desktop environment
2. desktop manager (login manager)
3. desktop locker

How To Install Xfce ?
To install the Xfce package:
# pkg install xfce
Alternatively, to build the port:
# cd /usr/ports/x11-wm/xfce4
# make install clean
Unlike GNOME or KDE, Xfce does not provide its own login manager. So that the SLiM login manager can start Xfce, add its entry to ~/.xinitrc:
# echo "exec /usr/local/bin/startxfce4 --with-ck-launch" > ~/.xinitrc

How To Install SLiM ?
To install SLiM, issue this command:
# pkg install slim
Add these lines to /etc/rc.conf to load SLiM at boot:
dbus_enable="YES"
hald_enable="YES"
slim_enable="YES"
or alternatively issue these commands:
# sysrc dbus_enable="YES"
# sysrc hald_enable="YES"
# sysrc slim_enable="YES"

How To Install i3lock ?
i3lock installation is very easy:
# pkg install i3lock

You can get full edition at:

FreeBSD Port-Knocking

Changing port numbers is not a proper security policy. Changing the port numbers of services is a common mistake: an attacker finds out what you are hiding with a simple port scanner, and it takes about 2 minutes, nothing more. Nmap takes care of that process and it's over.

Install Port-Knocking Client/Server
knock is a flexible port-knocking server and client. You can easily install it from the ports tree or with pkg:
# cd /usr/ports/security/knock
# make install clean
# rehash
(rehash is only needed in csh/tcsh, so the shell picks up the new binaries.)
Tip: issue the above commands on both client and server.
This port consists of two programs:
1. knockd, the port-knocking server
2. knock, the port-knocking client
Configure Port-Knocking Server
To configure the knockd service you have to edit knockd.conf. First create the config file from the sample, then add your configuration:
# cp /usr/local/etc/knockd.conf.sample /usr/local/etc/knockd.conf
# ee /usr/local/etc/knockd.conf
Contents of knockd.conf:
[options]
logfile = /var/log/knockd.log
interface = re0

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/ipfw -q add 00100 pass proto tcp src-ip %IP% dst-port 22
tcpflags = syn

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/ipfw -q delete 00100
tcpflags = syn
As you can see there are 3 sections and several directives: an options section for the interface name and log file, and two sections that each execute a command when their port sequence, with the SYN flag set, is completed within 5 seconds.
The first command adds rule number 00100 to ipfw, allowing connections to the SSH port from the IP address that knocked successfully.
The second command deletes that rule again (ipfw delete takes only a rule number, so it removes every rule numbered 00100, i.e. the access of every host that knocked). You can execute any command here.
One of the most important directives is One_Time_Sequences. You can add this directive by:
One_Time_Sequences = /path/to/one_time_sequences_file
The file containing the one-time sequences to be used. Instead of using a fixed sequence, knockd will read the sequence to be used from that file. After each successful knock attempt, this sequence will be disabled by writing a ‘#’ character at the first position of the line containing the used sequence. That used sequence will then be replaced by the next valid sequence from the file.
Also TCPFlags directive can be these values:
TCPFlags = fin|syn|rst|psh|ack|urg
When using TCP flags, knockd will IGNORE TCP packets that don’t match the flags. This is different than the normal behavior, where an incorrect packet would invalidate the entire knock, forcing the client to start over. Using “TCPFlags = syn” is useful if you are testing over an SSH connection, as the ssh traffic will usually interfere with (and thus invalidate) the knock. Separate multiple flags with commas (eg, TCPFlags = syn,ack,urg). Flags can be explicitly excluded by a “!” (eg,TCPFlags = syn,!ack).
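
One-time sequences only help if the file is filled with unpredictable entries and replaced before it runs dry; the script below (an added example, not part of the article or of knockd) generates such a file and counts the entries knockd has not yet consumed. PORT_MIN, PORT_MAX, SEQ_LEN and the function names are chosen here.

```sh
#!/bin/sh
# Added example, not part of the article or of the knock project: generate and
# inspect a file for knockd's One_Time_Sequences directive described above. Each
# line is one knock sequence; knockd comments a line out with '#' once it has been
# used. PORT_MIN, PORT_MAX and SEQ_LEN are names chosen here, not knockd options.

PORT_MIN=${PORT_MIN:-10000}
PORT_MAX=${PORT_MAX:-60000}
SEQ_LEN=${SEQ_LEN:-3}

# One random port in [PORT_MIN, PORT_MAX], drawn from /dev/urandom rather than
# the shell's $RANDOM, since a predictable sequence defeats the purpose.
rand_port() {
  n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
  echo $(( PORT_MIN + n % (PORT_MAX - PORT_MIN + 1) ))
}

# One sequence of SEQ_LEN distinct ports, comma separated as knockd expects.
one_sequence() {
  seq=""
  k=0
  while [ "$k" -lt "$SEQ_LEN" ]; do
    p=$(rand_port)
    case ",$seq," in *",$p,"*) continue ;; esac   # no repeated port within a sequence
    seq="${seq:+$seq,}$p"
    k=$((k + 1))
  done
  echo "$seq"
}

# gen_sequences COUNT FILE: write COUNT fresh sequences to FILE. The file is a
# shared secret between server and client, so it is restricted to mode 0600.
gen_sequences() {
  total=$1
  file=$2
  : > "$file"
  chmod 600 "$file"
  i=0
  while [ "$i" -lt "$total" ]; do
    one_sequence >> "$file"
    i=$((i + 1))
  done
}

# unused_sequences FILE: how many sequences knockd has not consumed yet; when
# this reaches zero no knock can open the port until a new file is generated.
unused_sequences() {
  grep -c -v '^#' "$1" || true
}
```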
On your server issue this to run port-knocking server:
# knockd
On your client issue this:
# knock "server IP" 7000 8000 9000
Replace "server IP" with your server's IP.

There are other ways to do port-knocking:
1. Nmap
Nmap is a network exploration tool and security/port scanner, but you can issue this command to knock:
# for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x "server IP"; done
2. Netcat
The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX domain sockets. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.
It can do the same thing with:
# nc -z "server IP" 7000 8000 9000

You can get full edition at:

Military Grade Data Wiping In FreeBSD With BCWipe

What Is Data Wiping
Data wiping is the process of overwriting the data on a magnetic hard disk, SSD or USB flash drive with zeros and ones, on the whole disk or a specific area. As a result, no one can recover the sensitive data and the disk is still usable.
1. Software-based wiping
this type of wiping is carried out by software installed on the machine.
2. Hardware-based wiping
this type of wiping needs an external device that is responsible for the overwriting.
Data wiping is not files deletion, which only removes direct pointers to the data and makes the data recovery possible with common software tools. Unlike degaussing and physical destruction, which render the storage media unusable, data wiping removes all information while leaving the disk operable. Data erasure may not work completely on flash-based media, such as Solid State Drives and USB Flash Drives, as these devices can store remnant data which is inaccessible to the wiping technique, and data can be retrieved from the individual flash memory chips inside the device.
Wiping software uses many techniques to ensure data is not recoverable like:
1. German BCI/VSITR 7-pass wiping
2. U.S. DoD 5220.22M 7-pass extended character rotation wiping with last pass verification
3. U.S. DoE 3-pass wiping
4. 35-pass Peter Gutmann’s wiping
5. 7-pass Bruce Schneier’s wiping
6. 1-pass wiping by zeroes
What Is BCWipe
BCWipe securely erases data from magnetic and solid-state memory. BCWipe repeatedly overwrites the files or free space to be destroyed with special patterns. In normal mode, 35 passes are used (of which 8 are random). The patterns used were recommended in an article by Peter Gutmann entitled "Secure Deletion of Data from Magnetic and Solid-State Memory". In quick mode, the U.S. DoD (Department of Defense) 5220.22-M standard is used with 7-pass wiping. In custom mode, the U.S. DoD 5220.22-M standard is used with a user-defined number of passes.
How To Install BCWipe
BCWipe is available on the FreeBSD ports tree and you can install it easily.
# make -C /usr/ports/security/bcwipe install clean
Or you can install BCWipe with PKG mechanism:
# pkg install bcwipe
How To Install BCWipe With Multithreaded Mode Enabled
The FreeBSD port exposes no compile options for BCWipe, but you can rebuild it from the port's extracted source with multithreading enabled:
# cd /usr/ports/security/bcwipe/
# make fetch extract
# cd work/bcwipe-1.9-9/
# ./configure --enable-pthreads
# make install clean
BCWipe Advanced Features
BCWipe has several options that make the wiping process fit the storage it runs on.
Delay between wiping passes: modern enterprise storage (NAS, disk arrays and so on) has large write caches, and a later pass can simply replace an earlier one in cache instead of on the media. To avoid that, BCWipe lets you insert an adjustable delay, in seconds, between passes. Note that when wiping with a delay the disk space is freed only after the last pass.
-B  Disable direct I/O mode when wiping block devices.
-t threads  Wipe and verify block devices in multi-thread mode with the given number of worker threads. Useful when wiping several disk volumes at once.
-S  Wipe file slack. File slack is the disk space from the end of a file to the end of the last cluster used by that file; a cluster is the smallest unit of disk space the file system allocates.
-s  Use Bob Jenkins' ISAAC random number generator. The default generator is based on SHA-1 (Secure Hash Algorithm); ISAAC is faster.
-F  Wipe free space on the specified file system.
-b  Wipe the contents of block devices.

BCWipe In Action
In this section, we describe a real scenario with BCWipe.
Issue this command to get more information about BCWipe:
# bcwipe
Tip: in a real-world scenario people want to wipe the free space of the whole mounted disk ( / ), but that command must be issued with caution: it fills the file system to the brim while it runs, and anything that needs to write in the meantime will fail.
Wipe free space:
# bcwipe -F /mnt/
This command wipes the free space of the file system mounted at /mnt/.
# bcwipe -Fv -mt /mnt/
Wipe the free space of /mnt/ with a 1-pass scheme in verbose mode.
-mt selects the 1-pass scheme.
Wipe a specific file:
# bcwipe -v -mz
This command wipes the file "" with 1-pass zeroes in verbose mode.
# bcwipe -Fv -mg -t 5 /mnt/
This command wipes the free space of /mnt/ with the 35-pass Peter Gutmann scheme using 5 threads, in verbose mode.
Wipe a specific folder:
# bcwipe -rv /tmp/
This command wipes the /tmp/ directory recursively with the default Peter Gutmann scheme in verbose mode.
Wipe a block device:
# bcwipe -v -mz -t2 -b /dev/da0
This command wipes /dev/da0 (a USB flash drive) with 2 threads, 1-pass zeroes, in verbose mode.
The point is that the USB flash drive must not be mounted, and all of the data on it will be destroyed. Remember the flash caveat above: an overwrite does not reach blocks the drive has remapped or keeps as spares, so for an SSD prefer the drive's own secure-erase command where it is available.
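The block-device wipe above is the one command in this article with no undo, so a guard around it is worth having. The script below is an added example, not code from the article or from BCWipe: it refuses to run if the device or any partition under it appears in the output of mount(8), runs the same bcwipe command, and then reads back the first few megabytes to confirm they really are zero. The device path, the mount-table lines and the temporary files are constructed for illustration; it assumes a FreeBSD host with bcwipe installed.

```sh
#!/bin/sh
# Added example (not from the article): guarded 1-pass zero wipe of a
# removable block device, with a readback check afterwards.
# Assumes FreeBSD with bcwipe installed; /dev/da0 is an example device.
set -u

# device_mounted DEV MOUNT_TABLE
# Succeeds if DEV, or any partition under it (/dev/da0p1, /dev/da0s1a ...),
# appears as a mounted source in MOUNT_TABLE (the text printed by mount(8)).
device_mounted() {
    dev=$1
    table=$2
    printf '%s\n' "$table" | awk -v d="$dev" '
        index($1, d) == 1 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# head_is_zero FILE [MiB]
# Succeeds if the first MiB (default 1) of FILE contain only NUL bytes.
# A cheap check that the zero pass actually reached the media; it says
# nothing about blocks the drive has remapped out of the addressable range.
head_is_zero() {
    file=$1
    mib=${2:-1}
    nonzero=$(dd if="$file" bs=1048576 count="$mib" 2>/dev/null \
              | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# wipe_device DEV
# The guarded version of the article's:  bcwipe -v -mz -t2 -b /dev/da0
wipe_device() {
    dev=$1
    if device_mounted "$dev" "$(mount)"; then
        echo "refusing to wipe $dev: it (or a partition of it) is mounted" >&2
        return 1
    fi
    bcwipe -v -mz -t2 -b "$dev" || return 1
    if head_is_zero "$dev" 4; then
        echo "$dev: first 4 MiB read back as zero"
    else
        echo "$dev: verification failed, non-zero data found after wipe" >&2
        return 1
    fi
}

# Usage: sh wipe-guard.sh /dev/da0
if [ "$#" -gt 0 ]; then
    wipe_device "$1"
fi
```

The readback is deliberately a spot check of the start of the device, not a full second pass; a full verification is what bcwipe's own verify option is for. If device_mounted says no but you still expect the device to be in use, check for swap and ZFS members too, since neither shows up in mount(8).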


Real-time Distributed Messaging On FreeBSD With NSQ

How To Install NSQ?
Install NSQ by port mechanism:
# cd /usr/ports/net/nsq
# make install clean
Install NSQ by package manager:
# pkg install nsq
Create Local NSQ Cluster
The following commands run a small NSQ cluster on your local machine, publish messages to it and archive them to disk.
Start nsqlookupd:
# nsqlookupd
In another shell, start nsqd:
# nsqd --lookupd-tcp-address=
In another shell, start nsqadmin:
# nsqadmin --lookupd-http-address=
Publish an initial message (this also creates the topic in the cluster):
# curl -d 'BSDMAG MSG 1' '

When you send a message to a topic for the first time, the topic is created.
-d (HTTP) sends the specified data in a POST request to the HTTP server, the same way a browser does when a user fills in an HTML form and presses the submit button.
Finally, in another shell, start nsq_to_file:
# nsq_to_file --topic=bsdmag --output-dir=/tmp --lookupd-http-address=
nsq_to_file is a consumer: it looks the topic up through nsqlookupd and copies messages from nsqd's memory to files on disk.
Publish more messages to nsqd:
# curl -d 'BSDMAG MSG 2' '
# curl -d 'BSDMAG MSG 3' '
To verify that things worked as expected, open the nsqadmin UI in a web browser and look at the statistics. Also check the contents of the log files (bsdmag.*.log) written to /tmp.
The important lesson here is that nsq_to_file (the consumer) is never told explicitly where the bsdmag topic is produced; it retrieves this from nsqlookupd, and despite the timing of its connection no messages are lost. One thing to keep in mind before going beyond localhost: nsqd's HTTP endpoints (including /pub) and nsqadmin have no authentication of their own, so anyone who can reach them can publish to or delete topics. Bind them to trusted addresses or put them behind something that does authenticate.
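The curl commands above splice a topic name straight into a URL. Because topic names also become file names (nsq_to_file writes <topic>.*.log) and shell variables, it is worth rejecting bad ones before they reach either. The helper below is an added example, not code from the article or from the NSQ project: it applies nsqd's own topic-name rule (1 to 64 characters from [.a-zA-Z0-9_-], optionally ending in #ephemeral) and then posts through the /pub endpoint. The nsqd address is an assumption; 4151 is nsqd's default HTTP port and the article leaves the real address out.

```sh
#!/bin/sh
# Added example (not from the article or NSQ): validate a topic name, build
# the /pub URL, and publish with curl. Assumes nsqd's HTTP API is reachable
# at $NSQD_HTTP (default: nsqd's standard port on localhost).
set -u

NSQD_HTTP=${NSQD_HTTP:-http://127.0.0.1:4151}

# nsq_valid_name NAME
# nsqd accepts topic and channel names of 1..64 characters drawn from
# [.a-zA-Z0-9_-], optionally suffixed with "#ephemeral". The server answers
# 400 for anything else; checking here keeps bad names out of URLs, shell
# variables and the nsq_to_file output file names.
nsq_valid_name() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 64 ] || return 1
    printf '%s\n' "$name" | grep -Eq '^[.a-zA-Z0-9_-]+(#ephemeral)?$'
}

# nsq_pub_url TOPIC
# Prints the /pub URL for TOPIC, or fails if the name is invalid.
nsq_pub_url() {
    nsq_valid_name "$1" || return 1
    # "#" starts a URL fragment, so it must be encoded for ephemeral topics.
    printf '%s/pub?topic=%s\n' "$NSQD_HTTP" "$(printf '%s' "$1" | sed 's/#/%23/')"
}

# nsq_pub TOPIC MESSAGE
# --data-binary sends the message bytes unchanged; -d would strip newlines
# when the body is read from a file with @file.
nsq_pub() {
    url=$(nsq_pub_url "$1") || { echo "invalid topic name: $1" >&2; return 1; }
    curl -sS --fail --data-binary "$2" "$url"
}

# Usage: sh nsq-pub.sh bsdmag 'BSDMAG MSG 4'
if [ "$#" -ge 2 ]; then
    nsq_pub "$1" "$2"
fi
```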


Mongoose Embedded Web Server On FreeBSD

Install mongoose from the ports mechanism:
# cd /usr/ports/www/mongoose
# make install clean
Install mongoose with the package manager:
# pkg install mongoose
You can start mongoose at boot time with:
# sysrc mongoose_enable="YES"
If you restart your machine, the mongoose web server will serve "/var" as an HTTP file share on port 8080. You can see the contents of /var by browsing to 127.0.0.1:8080:
# curl
And just to make sure that mongoose is up and running, issue this command:
# /usr/local/etc/rc.d/mongoose status
Output is:
mongoose is running as pid 4218.
Or you can find it by its listening port:
# sockstat -4l
Output is:
root mongoose 4218 5 tcp4 *:8080 :
Note that the rc script runs mongoose as root, listening on all interfaces, and shares /var, which holds logs, mail spools and databases; change the document root and the user (see below) before leaving it running. When started by hand, mongoose does not detach from the terminal and uses the current working directory as the web root unless the -r option is specified. It is possible to specify multiple ports to listen on. For example, to make mongoose listen on HTTP port 80 and HTTPS port 443, start it as:
mongoose -s cert.pem -p 80,443s
Unlike other web servers, mongoose does not require CGI scripts to be put in a special directory. CGI scripts can be placed anywhere.

Disable Directory Listing
You can disable directory listing with:
# mongoose -listening_port -enable_directory_listing no
Log Access To Website
This command logs all accesses to log.txt in the same directory as index.html:
# mongoose -listening_port -access_log_file log.txt
Log lines look like this: - - [19/Nov/2017:20:37:49 +0330] "GET / HTTP/1.1" 304 0 - "Mozilla/5.0 (X11; FreeBSD amd64; rv:56.0) Gecko/20100101 Firefox/56.0"
How To Secure Mongoose Web Server?
There are many tunings we can apply to mongoose, but four of them are necessary:
1. Change the running user to www
mongoose -listening_port -access_log_file log.txt -run_as_user www
Mongoose has to start as root to bind a privileged port, but it then drops to the www user. If it is compromised, the attacker gets only what www can do, not the whole server.
2. Set proper permissions on the document root
chmod -R -w /usr/local/www
This removes write permission, so a bug in the server or in a CGI script cannot be used to drop a web shell or other files into the document root.
3. Change the document root owner
chown -R www:www /usr/local/www
With the write bits removed, www can read and serve the content but not change it. A stricter choice is to leave the files owned by root and merely readable by www, so that even a compromised www process cannot put the write bits back.
4. Access Control List
mongoose -listening_port -run_as_user www -access_control_list -,+
This command runs mongoose on port 80 and denies connections from everywhere except for
Tip: this is not a firewall, but it lets you do some tricks. Each entry in the list is + (allow) or - (deny) followed by an IPv4 address or address/prefix, and the last entry that matches the client wins, so start with a deny-everything rule and put the allows after it.
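Because the last matching entry decides, the order of an access control list matters, and a misplaced rule silently opens or closes the server. The function below is an added example, not mongoose's code: it evaluates a list in the same form mongoose takes (comma-separated, each entry + or - followed by a full IPv4 address, optionally with /prefix; no list means allow all, a list that matches nothing means deny) against a client address, so a rule set can be tested before the server is started with it. The addresses used are constructed examples.

```sh
#!/bin/sh
# Added example (not mongoose's code): evaluate a mongoose-style
# -access_control_list value against a client IPv4 address.
# Semantics mirrored here: empty list -> allow; otherwise rules are applied in
# order, the last matching rule wins, and no match -> deny.
# IPv6 is not handled.

# acl_allows ACL CLIENT_IP  -> exit 0 if CLIENT_IP would be accepted
acl_allows() {
    awk -v acl="$1" -v ip="$2" '
    function ip2int(s,    p) {
        if (split(s, p, ".") != 4) { print "bad address: " s > "/dev/stderr"; exit 2 }
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # Compare the top "bits" bits of two addresses. POSIX awk has no bitwise
    # AND, so shift right by dividing by 2^(32-bits) instead.
    function same_net(a, b, bits) {
        return int(a / 2 ^ (32 - bits)) == int(b / 2 ^ (32 - bits))
    }
    BEGIN {
        allowed = (acl == "") ? "+" : "-"
        addr = ip2int(ip)
        n = split(acl, rules, ",")
        for (i = 1; i <= n; i++) {
            flag = substr(rules[i], 1, 1)
            if (flag != "+" && flag != "-") { print "bad rule: " rules[i] > "/dev/stderr"; exit 2 }
            bits = 32
            net = substr(rules[i], 2)
            if (index(net, "/") > 0) { split(net, part, "/"); net = part[1]; bits = part[2] + 0 }
            if (same_net(addr, ip2int(net), bits))
                allowed = flag
        }
        exit ((allowed == "+") ? 0 : 1)
    }'
}

# Example list: deny everyone, then allow one office subnet and one host.
ACL='-0.0.0.0/0,+192.168.1.0/24,+203.0.113.7'
# Once checked, start the server with it, e.g.:
#   mongoose -listening_port 80 -run_as_user www -access_control_list "$ACL"
```

A handy check before deployment is to run acl_allows once with your own address and once with an address you expect to be blocked; if both come back the same, the list is probably missing its leading -0.0.0.0/0.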


Bitcoin Full Node on FreeBSD

What is a Full Node?
A full node is a client that fully validates transactions and blocks. Full nodes also help the network by accepting transactions and blocks from other full nodes, validating those transactions and blocks, and then relaying them to further full nodes.
Many people and organizations volunteer to run full nodes using spare computing and bandwidth resources.
What is a Bitcoind?
bitcoind is the Bitcoin daemon, released under the MIT license, with 32-bit and 64-bit builds for Windows, GNU/Linux-based systems, macOS, OpenBSD and FreeBSD.
How To Start Bitcoind As A Full Node?
Install bitcoind by PKG:
#pkg install bitcoin-daemon
Install bitcoind from source (the tarball below is the BIP148 "UASF" patched build of 0.14.2 rather than a Bitcoin Core release; verify the archive's signature or hash against the project's own announcement before building anything that will hold keys):
#tar xzvf v0.14.2-uasfsegwit1.0.tar.gz
#cd bitcoin-0.14.2-uasfsegwit1.0

Install the dependencies:
#pkg install autoconf automake libtool pkgconf boost-libs openssl libevent gmake
Then configure, build and install bitcoind:

#./configure --without-gui

Since we are on the command line, the GUI is not required and --without-gui disables it:

#gmake install

Start the bitcoind daemon and wait for it to sync with the other nodes:
#bitcoind -daemon
bitcoind will download the block chain, about 150GB at the time of writing, so give it disk space accordingly, and run it as a dedicated unprivileged user rather than root. You can check your node status at this URL:


Distributed Version Control With Raspberrypi3, Fossil, and FreeBSD

How to Install Fossil?
The Fossil package is about 1 MB and installs easily:
#pkg install fossil
It has no dependencies, which makes it suitable for the RPi3 or any other low-spec computer.
Starting a New Project with Fossil

Let’s create a new repository called bsdmag:
#fossil init bsdmag
The command above will return something like this:
project-id: af7d78e8d0d1347cdb7d45e1f4573b9c8185c17a
server-id: 16cee8655038eef551c101354e227d65c0b88d00
admin-user: root (initial password is “c341da”)

When you create a new repository, you usually want to do some local configuration. This is easily done through the web server that is built into Fossil.
Fossil can act as a stand-alone web server using one of these commands:
#fossil server repository-filename

#fossil ui repository-filename

#fossil ui bsdmag

The ui command is intended for accessing the web interface from a local desktop: it binds to the loopback address only (so the interface is visible only on the local machine) and automatically opens your web browser on the server. For cross-machine collaboration use the server command, which binds on all addresses and does not try to start a browser:
#fossil server bsdmag --port 80
Before exposing the repository this way, change the initial admin password that fossil init printed (see Reset Password below); it is all that stands between the network and the admin account. You can then configure the new repository through the Fossil UI in your browser.
Manage Fossil By Using The CLI
Some tasks cannot be done through the web interface, such as resetting the admin password or converting a Git repository into a Fossil one. All you need is root access on the machine holding the repository file.
You can list all Fossil commands with:
#fossil help -a
List Repository Users
To list all users of the bsdmag repository, issue this command:
#fossil user list -R bsdmag
Create a New User
Sometimes it is easier to create a user from the CLI:
Reset Password
A forgotten admin password is a nightmare, but you can change the admin or any other user's password with:
#fossil user password USERNAME PASSWORD
Leaving PASSWORD off the command line makes Fossil prompt for it, which keeps the secret out of the shell history and the process list.
Convert Git to Fossil
To import a Git repository into Fossil, issue these commands:
#cd git-repo
#git fast-export --all | fossil import --git new-repo.fossil


Robust and Minimal, Yet Functional Mail Server With FreeBSD, Sendmail, and Dovecot

Many people think that running a functional mail server is a complicated process that needs a script to do it for you. There are also numerous blogs about how complicated Sendmail is, and many other rumours.
As a matter of fact, neither running a mail server nor working with Sendmail is painful. The point is that the deeper you dig into the concepts, the more confusing it can get, so we keep things practical.
To run a FreeBSD mail server you need:
1. A FreeBSD host with a static IP
It can be a VPS or anything like that.
2. A domain with an MX record
A mail exchanger (MX) record is a DNS record that names the mail server responsible for accepting mail for a domain and, when several servers are listed, their priority.
3. Sendmail
Sendmail is the default MTA (mail transfer agent) installed with FreeBSD. It accepts mail from other hosts and delivers it to the appropriate mail host.
4. Dovecot
Dovecot is an open-source IMAP and POP3 server for UNIX-like operating systems. It is fast and secure. IMAP and POP3 let you read your mail from your desktop with your favourite mail client; sending goes through the MTA.
5. Thunderbird
Thunderbird is our client. It can send and receive mail.
6. A TLS key and certificate
To ensure the connection is encrypted we need a TLS (SSL) key and certificate.

Sendmail Configuration
By default Sendmail listens only on localhost, so you cannot receive mail from outside, but you can make it listen on all interfaces. First check what it is currently bound to:
#sockstat -4l
Output is:
root sendmail 6895 4 tcp4 *:25 :
Add this line to "/etc/rc.conf":
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr="
Then restart Sendmail:
#service sendmail restart
Sendmail now listens on the address given in Addr=. (The FreeBSD Handbook's way of getting the same result is sendmail_enable="YES", which starts the full MTA listening on all interfaces.)
We want everyone to be able to send mail to this server, so add this line to "/etc/mail/access":
* ok

If you have multiple domains you can route one mail account to another. We have and so we add this line to "/etc/mail/virtusertable":

We want to restrict who may relay mail through our server to specific IPs or domains, so that only they can send mail out through it.
Add these lines to "/etc/mail/relay-domains":
"your client IP"

Or you can add it by TLDs:

Be careful with what goes into relay-domains: entries are matched as suffixes, so a bare top-level domain such as "com" lets any .com host relay and turns the server into an open relay for spammers. Issue these commands to update the Sendmail databases (relay-domains is a plain list read at startup and needs no makemap):

#makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable
#makemap hash /etc/mail/access.db < /etc/mail/access
#service sendmail restart
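A quick way to catch the open-relay mistake before the restart is to lint the relay-domains file. The function below is an added example, not from the article or from Sendmail: it reads a relay-domains file and flags entries that are a bare top-level label (which Sendmail matches as a suffix, covering every host under that TLD) or an IP prefix shorter than three octets (covering a whole /8 or /16). The file contents in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the article): lint /etc/mail/relay-domains before
# restarting sendmail. Sendmail matches entries as suffixes: "example.org"
# covers every host under it, "com" covers the whole TLD, and an IP prefix
# such as "192.168" covers the whole /16. A flagged entry is not necessarily
# wrong, but it deserves a second look before mail is accepted for relay.

# relay_domains_lint FILE -> prints "line: entry: reason" per finding,
# exits 1 if anything was flagged, 0 if the file looks tight.
relay_domains_lint() {
    awk '
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    {
        entry = $1
        sub(/^\./, "", entry)                      # ".example.org" == "example.org"
        if (entry ~ /^[0-9]+(\.[0-9]+)*$/) {       # IP address or network prefix
            n = split(entry, o, ".")
            if (n < 3) {
                print NR ": " entry ": IP prefix shorter than 3 octets (covers a whole /" (n * 8) ")"
                bad = 1
            }
        } else if (index(entry, ".") == 0) {       # bare label: an entire TLD
            print NR ": " entry ": bare top-level domain relays for every host under it"
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage: relay_domains_lint /etc/mail/relay-domains && service sendmail restart
if [ "$#" -gt 0 ]; then
    relay_domains_lint "$1"
fi
```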


Caddy Web Server On FreeBSD

Caddy is an open-source, HTTP/2-enabled web server written in Go, first released in 2015, whose features are built as middleware. Configuring and starting it is simple and clear: Caddy lets you bring up an HTTPS-enabled website in seconds, and the certificate costs nothing.
Caddy supports HTTP/2 and automatic TLS. HTTP/2 is the successor to HTTP/1.1 and can load websites faster.
Caddy automatically obtains a certificate and then serves your website over HTTPS. It integrates with Let's Encrypt, a certificate authority that issues free TLS certificates through the ACME protocol.
Caddy serves a variety of web technologies and is available as statically compiled binaries for Windows, Mac, Linux, Android and the BSDs on i386, amd64 and ARM.
It can also act as a reverse proxy and load balancer. Most of Caddy's features are implemented as middleware and exposed through directives in the Caddyfile, the text file used to configure Caddy.
Caddy is not affected by a number of widely publicised TLS bugs, among them Heartbleed, DROWN, POODLE and BEAST, because it uses Go's TLS implementation rather than OpenSSL and does not enable the legacy protocol versions those attacks need. In addition, Caddy supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

Caddy Features:

• HTTP/2 enabled
• OCSP Stapling
• Virtual hosting 
• Native IPv4 and IPv6 support
• Serve static files
• Graceful restart/reload
• Reverse proxy
• Load balancing with health checks
• FastCGI proxy
• Templates
• Markdown rendering
• CGI via WebSockets
• Gzip compression
• Basic access authentication
• URL rewriting
• Redirects
• File browsing
• Access, error, and process logs
• QUIC Support

How to Install Caddy on FreeBSD 11.1?
To install caddy all you have to do is:
#pkg install caddy
Issue "caddy -h" to see how to use it:
#caddy -h
-agree
Agree to the CA's Subscriber Agreement
-ca string
URL to certificate authority's ACME server directory (default "")
-catimeout duration
Default ACME CA HTTP timeout
-conf string
Caddyfile to load (default "Caddyfile")
-cpu string
CPU cap (default "100%")
Disable the ACME HTTP challenge
Disable the ACME TLS-SNI challenge
-email string
Default ACME CA account email address
-grace duration
The maximum duration of graceful shutdown (default 5s)
-host string
Default host
-http-port string
Default port to use for HTTP (default "80")
Use HTTP/2 (default true)
-https-port string
Default port to use for HTTPS (default "443")
-log string
Process log file
-pidfile string
The path to write the pid file
List installed plugins
-port string
Default port (default "2015")
Use experimental QUIC
Quiet mode (no initialization output)
-revoke string
The hostname for which to revoke the certificate
-root string
The root path of the default site (default ".")
-type string
Type of server to run (default "HTTP")
Parse the Caddyfile but do not start the server
Show version
Caddy Configuration
First, we create a directory and name it caddy:
#mkdir caddy
Then copy your index.html into it:
#cp index.html ./caddy/index.html
Then go into this directory and run caddy:
#caddy -host -cpu 50% -log log.txt -agree
Activating privacy features... done.
Then open "" in the browser. Caddy has obtained a certificate for that host from Let's Encrypt and serves the directory over HTTPS. Two caveats: -agree accepts the CA's subscriber agreement on your behalf, and you should pass -email as well so the CA can reach you about expiry or revocation; and the hostname must resolve to this machine from the Internet, because the CA validates it by connecting back on port 80 or 443.


Practical ZFS On FreeBSD

FreeBSD supports ZFS natively, and all you have to do is add this line to "/etc/rc.conf" manually:
zfs_enable="YES"
Or with:
#echo 'zfs_enable="YES"' >> /etc/rc.conf

Then start the service:
#service zfs start
A minimum of 4GB of RAM is recommended for comfortable use, but individual workloads vary widely.

Create First ZFS Pool
ZFS works directly with device nodes, but for experimenting you can also create file-backed disks with truncate:

#truncate -s 2G disk_1
#truncate -s 2G disk_2
#truncate -s 2G disk_3
#truncate -s 2G disk_4
Then create your own pool and name it storage:
#zpool create storage /root/disk_1 /root/disk_2 /root/disk_3 /root/disk_4
#zpool list
As you can see we have 7.94G of storage. This pool is a plain stripe and takes advantage of none of the ZFS redundancy features: if one of the four disks fails, the whole pool is lost. To create a dataset on this pool with compression enabled:
Compression Property
#zfs create storage/myfolder
#zfs set compression=gzip storage/myfolder
It is now possible to see the data and space utilization with df:
storage 7.7G 23K 7.7G 0% /storage
storage/myfolder 7.7G 23K 7.7G 0% /storage/myfolder
You can disable compression with:
#zfs set compression=off storage/myfolder

Copies Property
If you have something important you can keep more than one copy of it on the pool:

#zfs create storage/archive
#zfs set copies=2 storage/archive

Note that copies=2 protects against bad blocks, not against losing a whole disk; for that you need a mirror or RAID-Z. To destroy the file systems and then the pool when it is no longer needed:
#zfs destroy storage/myfolder
#zfs destroy storage/archive
#zpool destroy storage

To let a pool grow automatically when its devices are replaced with larger ones:
zpool set autoexpand=on mypool

RAID-Z, Snapshot, and Rollback

RAID-Z is a variation on RAID-5 that allows for better distribution of parity and eliminates the RAID-5 write hole (in which data and parity become inconsistent after a power loss). Data and parity are striped across all disks within a raidz group.

Try creating a file system snapshot which can be rolled back later:
#zfs snapshot storage/myfolder@now
You can restore to the created snapshot with:

#zfs rollback storage/myfolder@now
Also, you can list all ZFS datasets and snapshots:
#zfs list -t all



It's really up to you. Many people are not sure how to choose between DAS (block-level, directly attached), NAS (file-level over the network) and SAN (block-level over the network). It is not the amount of space you need that decides. The important questions are:

    1. What is your storage expansion policy?

If you can expand your storage locally and your growth is linear, you have the time and resources to prepare it, so you can use DAS, NAS, SAN or mix them as you want. If you cannot estimate the growth ratio and it is not linear, it is better to choose something over the network, like NAS or SAN.

    2. What is your backup policy?

There are three types of backup: full, incremental and differential.
An incremental backup saves only the data changed since the last full or incremental backup; a differential backup saves only the data changed since the last full backup. Incremental backup is the most suitable for network-attached storage like NAS or SAN because of the network bandwidth it needs.

    3. What is your access policy?

If several hosts have to write to the same area at the same time, NAS is required: the file server arbitrates the writes, whereas two hosts writing to the same block device over a SAN without a cluster-aware file system will corrupt it.

FreeBSD iSCSI Target
FreeBSD manages the iSCSI target through a configuration file, /etc/ctl.conf. Add a line to /etc/rc.conf so that the ctld daemon starts at boot, and then start the daemon:
# sysrc ctld_enable=YES
This is a sample ctl.conf (the listen addresses and target names are left out here):
portal-group pg0 {
    discovery-auth-group no-authentication
}

portal-group pg1 {
    discovery-auth-group no-authentication
}

auth-group ag0 {
    chap iscsi1 iscsi0pass123456
}

auth-group ag1 {
    chap iscsi2 iscsi1pass123456
}

target {
    auth-group ag0
    portal-group pg0
    lun 0 {
        path /dev/zvol/storage/iscsi_0
        size 10G
    }
}

target {
    auth-group ag1
    portal-group pg1
    lun 1 {
        path /dev/zvol/storage/iscsi_1
        size 10G
    }
}

This config file has three kinds of section:

1. Portal-groups

which contain the network settings: discovery authentication, listening IP and port.

2. Auth-groups

which contain the authentication method, user name and secret.

3. Targets

which tie together a portal-group, an auth-group and one or more LUNs (logical unit numbers).
A LUN defines the path and size of the backing store plus other options.

Since we have two interfaces with and IP addresses and want to use both simultaneously, we created two portal-groups, neither of which needs a password for discovery from the client side. That is convenient, but it also lets anyone who can reach the portal list the target names; give discovery its own auth-group if the network is not trusted.

Then we created two auth-groups with user names and secrets. The authentication method is CHAP (Challenge-Handshake Authentication Protocol): the secret is never sent directly; instead the target sends a challenge and the initiator answers with a one-way hash of the challenge and the secret. Plain chap authenticates only the initiator; use chap-mutual (which takes a second user name and secret) if the initiator must also verify that it is talking to the right target. Since the secrets are stored in clear text, keep /etc/ctl.conf readable by root only.
This modular config file lets you separate the network aspects from the others, so it is easy to manage.
One more point: ctld expects CHAP secrets of 12 to 16 characters (the two above are exactly 16), which is also what common initiators require.

Then start ctld with:
# service ctld start
The iSCSI target listens on port 3260 and everything is in order. If you change the config file later, just issue:
# service ctld reload
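Since ctld reloads whatever is in ctl.conf, it pays to check the file for the mistakes discussed above before the reload. The function below is an added example, not from the article or from FreeBSD: it walks a ctl.conf and reports CHAP (and chap-mutual) secrets outside the 12 to 16 character range, portal groups whose discovery needs no authentication, and targets that have no auth-group at all (or auth-group no-authentication). The configuration in the test is constructed, with placeholder names where the article leaves them out; it expects the one-directive-per-line layout the article's sample uses.

```sh
#!/bin/sh
# Added example (not from the article): lint a ctl.conf before
# "service ctld reload". Expects one directive per line with "{" ending the
# opening line of a block and "}" alone on its closing line, as in the
# article's sample.

# ctl_conf_lint FILE -> prints "file:line: finding" per issue, exit 1 if any
ctl_conf_lint() {
    awk '
    function report(msg) { print FILENAME ":" NR ": " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }
    # Opening line of a block: remember which top-level block we are in.
    /[{][ \t]*$/ {
        depth++
        if (depth == 1) { block = $1 " " $2; seen_auth = 0 }
    }
    $1 == "discovery-auth-group" && $2 == "no-authentication" {
        report(block ": discovery without authentication lets anyone who reaches the portal enumerate target names")
    }
    $1 == "auth-group" && depth == 1 && block ~ /^target/ {
        seen_auth = 1
        if ($2 == "no-authentication")
            report(block ": auth-group no-authentication lets any initiator log in")
    }
    $1 == "chap" || $1 == "chap-mutual" {
        # chap user secret  |  chap-mutual user secret mutual-user mutual-secret
        for (i = 3; i <= NF; i += 2)
            if (length($i) < 12 || length($i) > 16)
                report("secret for user " $(i - 1) " is " length($i) " characters; ctld expects 12 to 16")
    }
    /^[ \t]*[}]/ {
        if (depth == 1 && block ~ /^target/ && !seen_auth)
            report(block ": no auth-group, so any initiator may log in")
        depth--
        if (depth == 0) block = ""
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage: ctl_conf_lint /etc/ctl.conf && service ctld reload
if [ "$#" -gt 0 ]; then
    ctl_conf_lint "$1"
fi
```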

