[personal profile] reddragdiva

It's approaching time to do yet another reinstall of FreeBSD on red, my desktop — I hardly actually sit at it any more (my laptop is so nice), and besides FreeBSD 5.x sucks, too many ports don't work on FreeBSD 4.x any more and I want to try FreeBSD 6, just because.

I have a static IP here, so it's time to set up some outside services. I need to make it SSHable from outside (possibly to only one proxy account which can then su to my real account) and run some sort of web proxy service on it via https (for my convenience). Is there a suitable program for the latter? I might also allow external file access (to media files, etc.) for friends I make something available to. It's also our household media box. I'm also not sure whether to put external portal functions on the same box as my personal stuff or set up another box here as the external portal box.

I'll probably keep running X on it so that I can have Xchat running on it 24/7 (and VNC to it from the laptop) and so that Xscreensaver can continue to amuse [livejournal.com profile] arkady when she stays over, and put my 19" IBM flat panel to good use. ("Yes, I installed X specifically to run Xscreensaver.")

Any other ideas or hints and tips on wacky things one can do with a static IP? I also get seven more static IPs just by asking.

(no subject)

Date: 2005-08-21 01:41 am (UTC)
From: [identity profile] zey.livejournal.com
run some sort of web proxy service on it via https (for my convenience). Is there a suitable program for the latter?

Squid (http://www.squid-cache.org/).

(no subject)

Date: 2005-08-21 02:08 am (UTC)
From: [identity profile] dan-lane.livejournal.com
Back when I lived at Cowshave with Reagan and co I had a machine that just sat there running X and piping the output of uk_goffs to Xscreensaver's phosphor.

(no subject)

Date: 2005-08-21 05:10 am (UTC)
From: [identity profile] loosechanj.livejournal.com
I'm debating on whether to try out 6 or just stick with 5.x for the time being. I wasn't paying attention, the 6.0 betas snuck up on me. And what, may I ask, is wrong with bitchx/irssi/et al and screen? Seems like that'd be a lot less chatty.

(no subject)

Date: 2005-08-21 09:33 am (UTC)
From: [identity profile] mstevens.livejournal.com
What's new in FreeBSD 6? I've been looking for a good description but not found anything yet.

I've had fairly good results with 5.x so far.

(no subject)

Date: 2005-08-21 10:22 am (UTC)
From: [identity profile] koresh.livejournal.com
Since there is no release yet, there is no comprehensive list yet (they may do some last minute chucking out even). But most of the projects mentioned in the last quarterly status report (http://www.freebsd.org/news/status/report-mar-2005-june-2005.html) should be visible, as should several of the FreeBSD Summer-of-Code (http://wikitest.freebsd.org/moin.cgi/SummerOfCode2005) projects. Unfortunately the list of unresolved issues (http://www.freebsd.org/releases/6.0R/todo.html) for 6.0 is also still quite long (although there is more 'work in progress' than this page mentions).

I've had good results with 5.x and 6.x on my desktops. But unfortunately we ran into some big showstoppers that keep us from using FreeBSD 5.x on production servers: several of these won't even get fixed in 5.x - but hopefully they will be tracked down soon in 6.x. My colleague made a list (http://www.stack.nl/~marcolz/FreeBSD/showstoppers.html). So for now, we're still stuck with 4.x there.

(no subject)

Date: 2005-08-21 10:38 am (UTC)
From: [identity profile] http://users.livejournal.com/_nicolai_/
The obvious web proxy is squid, which will do anything you ever wanted to do with a web proxy.
However, there's also tinyproxy, which is a lot smaller.
Squid will do authenticated proxy over https, as I understand, which you might find useful :)

(no subject)

Date: 2005-08-21 01:41 pm (UTC)
From: [identity profile] hirez.livejournal.com
I know what I'd like, which was something that came to me mid-campsite at WTH: A proxy to do https for the sites that don't.

The webmail does https, so I wasn't too concerned about looking at that in an environment where I knew people would be sniffing traffic. However, something like LJ doesn't. Well, it does for its login if you must, and one can cheerfully argue that there's not much point, but even so...

[Note to self: http://www.apsis.ch/pound/]

(no subject)

Date: 2005-08-21 10:40 am (UTC)
From: [identity profile] http://users.livejournal.com/_nicolai_/
Other things to do: have an IP address which runs ssh listening on all the well-known ports, so that if you are behind an irritating firewall that only permits a few ports, or that requires the use of a proxy, you can still get out.

(no subject)

Date: 2005-08-21 10:53 am (UTC)
From: [identity profile] koresh.livejournal.com
Many firewalls will allow random data on the https port, so just an sshd there will get you far. If you need to go through a real proxy, have a look at httptunnel which allows you to tunnel ssh (or other data) over http.

(no subject)

Date: 2005-08-21 10:56 am (UTC)
From: [identity profile] http://users.livejournal.com/_nicolai_/
Indeed - also, the ssh "ProxyCommand" option has potential.

Some firewall admins will also allow connections straight out to port 21 for FTP, and so on, but yes, the https port is the one you can usually get somewhere on.

(no subject)

Date: 2005-08-21 02:08 pm (UTC)
From: [identity profile] kineticfactory.livejournal.com
You may want to look at setting up some form of port-knocking around your ssh server, just in case a zero-day SSH exploit emerges.
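The knocking idea above, fleshed out as an added example (not code from anyone in the thread): a small daemon that listens on a short sequence of otherwise-closed TCP ports and, when one source address hits them in order within a time window, admits that address. The knock ports, the time window, the pf table name and the `pfctl` hook are all assumptions; the matching pf rule (something like `pass in proto tcp from <knocked> to port 22`) is yours to write. The sshd itself stays firewalled from everyone else, which is what buys time against an unpatched sshd bug.

```python
"""Port-knock tracker and listener (added example, not from the original thread).

A source must connect to KNOCK_SEQUENCE in order, all within WINDOW_SECONDS.
Connections are accepted and closed without sending a byte, so the knock ports
look like ordinary closed-ish services to a scanner.
"""
import selectors
import socket
import subprocess
import time

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumption: any three unused ports will do
WINDOW_SECONDS = 10.0                 # assumption: whole sequence within 10 s
PF_TABLE = "knocked"                  # assumption: pf table used by a 'pass in' rule


class KnockTracker:
    """Per-source state machine: index of the next expected port plus start time."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        if len(set(sequence)) != len(sequence):
            raise ValueError("knock ports must be distinct (one listener per port)")
        self.sequence = tuple(sequence)
        self.window = float(window)
        self._progress = {}  # src_ip -> (next_index, time_of_first_knock)

    def knock(self, src_ip, port, now=None):
        """Record one knock. Returns True only when src_ip completes the sequence."""
        now = time.monotonic() if now is None else now
        idx, started = self._progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.window:
            idx, started = 0, now          # too slow: forget the partial sequence
        if port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self._progress.pop(src_ip, None)
                return True
            self._progress[src_ip] = (idx, started if idx > 1 else now)
        else:
            # Wrong port resets the source; a correct first knock restarts it.
            self._progress.pop(src_ip, None)
            if port == self.sequence[0]:
                self._progress[src_ip] = (1, now)
        return False


def admit(src_ip):
    """Hook run on a completed sequence: add the source to the pf table (assumed)."""
    subprocess.run(["pfctl", "-t", PF_TABLE, "-T", "add", src_ip], check=False)


def serve(tracker, on_admit=admit, bind_addr="0.0.0.0"):
    """Accept-and-close on every knock port, feeding each connection to the tracker."""
    sel = selectors.DefaultSelector()
    for port in tracker.sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_addr, port))
        s.listen(8)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ, data=port)
    while True:
        for key, _events in sel.select():
            conn, (src_ip, _src_port) = key.fileobj.accept()
            conn.close()                   # say nothing back to the knocker
            if tracker.knock(src_ip, key.data):
                on_admit(src_ip)


if __name__ == "__main__":
    serve(KnockTracker())
```

Knocking is obscurity, not authentication: anyone who can sniff your path sees the sequence, and it only adds anything if the rule that lets `<knocked>` reach port 22 is the only way in. Entries added with `pfctl -T add` also persist until you expire them (`pfctl -t knocked -T expire <seconds>` from cron is the usual way).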

(no subject)

Date: 2005-08-21 09:49 pm (UTC)
From: [identity profile] sweh.livejournal.com
For a proxy I use "tinyproxy". I only have it accepting requests from my local network (and firewalled from the net) so I tunnel ssh connections when I need to access the proxy. Side benefit: I can reprogram my Linksys router via its web interface when using the proxy :-)

I run ssh and proxy in a Linux vserver (cf BSD jail) so any leaks won't give access to other services. Once I've logged in to the vserver then I can ssh to the host/other machines.

I also run my uucp/mail service in another vserver for separation.

Router port forwarding lets me do this even with just the 1 IP address.
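Pulling together the ssh-on-443, ProxyCommand and tunnel-to-the-proxy suggestions above, here is what the configuration looks like on both ends. This is an added example, not config posted by anyone in the thread; the host name red.example.org, the account proxyuser, the corporate proxy proxy.corp.example:3128 and a tinyproxy bound to 127.0.0.1:8888 on the server are all assumed.

```sshconfig
# --- /etc/ssh/sshd_config on the static-IP box ---
# Listen on the usual port and on 443, which restrictive outbound firewalls
# nearly always let through. AllowUsers matches the idea of a single proxy
# account that you then su from.
Port 22
Port 443
AllowUsers proxyuser

# --- ~/.ssh/config on the laptop ---

# Network lets 443 out directly: just talk to sshd on that port.
Host red-443
    HostName red.example.org
    Port 443
    User proxyuser

# Behind a real HTTP proxy: ask it to CONNECT to red:443 and hand ssh the
# resulting byte stream. FreeBSD's (OpenBSD-derived) nc(1) supports
# -X connect / -x; corkscrew(1) does the same job if nc is not available.
Host red-via-proxy
    HostName red.example.org
    Port 443
    User proxyuser
    ProxyCommand nc -X connect -x proxy.corp.example:3128 %h %p

# Reaching a LAN-only web proxy through the tunnel: point the browser at
# localhost:8080 while this session is up.
Host red-proxytunnel
    HostName red.example.org
    User proxyuser
    LocalForward 8080 127.0.0.1:8888
```

Whether the CONNECT route works depends on the proxy admin allowing CONNECT to port 443 for arbitrary hosts; many do, since that is how ordinary https browsing goes through the proxy. If only GET/POST are allowed, that is where httptunnel comes in.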

(no subject)

Date: 2005-08-22 06:37 am (UTC)
From: [identity profile] blarglefiend.livejournal.com
If the proxy isn't so much for caching, check out Privoxy. I run that on the iMac and make it available to everything inside my LAN. Am just using the default configuration which does a pretty good job of stripping out ads.

(no subject)

Date: 2005-08-22 06:37 am (UTC)
From: [identity profile] blarglefiend.livejournal.com
Oh, and of course you could run a BOFHnet node...