Hi all. Happy New Year!
A friend of mine asked me to build him a small router/firewall for his home business. We talked about his needs and we decided that rather than using an ageing 486 server he wanted to buy a new Soekris 4501 with the vpn accelerator. I have most of everything he wanted setup in a custom flashdist config - pftop, pstree, ifstat, stunnel, snmpd (read-only), authpf, and syslog-ng. And I verified that the config would work.
One of the things he did ask for specifically, was web monitoring. I thought I'd put pfstat out there, but it requires apache, which is not part of the flashdist small config. Can anyone tell me what binaries, and libs i'd need to get apache, (plus a few other things - jpg, and and gd, etc.) onto a soekris box, using flashdist, or some other method? By the way I am using a 128m compact flash card, perhaps I should be using a mini-hd? I know that Elmore has a bunch of Soekri running around on his net, I really like to know how you do your monitoring, and if you are running apache on them.

Just install the ports, then read the PKG-PLIST files and see what files you need. Copy the files to your soekris build dir, and then modify the flashsmall.txt file to add those files.

Thanks.

Just install the ports, then read the PKG-PLIST files and see what files you need. Copy the files to your soekris build dir, and then modify the flashsmall.txt file to add those files.

On my build box (follows -STABLE) I do a make package. Then fetch the package from /usr/ports/packages move it to a temp directory extract it grab only what I need, then I make SURE to run an ldd against any binaries, so I have all of the depends, then I install on my Soekris boxes.

That's the procedure for boxes in production anyways. I of course have several Soekris boxes around to test on as I have close to 50 in production. ;)

Elmore, could you explain a bit more on using ldd to see your needs libs? Kind of n00bified when it comes to that. Be nice to get a few apps working on the 4801s. :icon_smil

I don;t know what you want me to explain here. ldd <binary file> compare dependencies with what's in flashsmall.

You could roll this into a script automagically adding dependencies something similar to what William Yang did a while back:



cp flashsmall.txt tmpfile.txt
( cd / ; ldd `egrep -v /usr/lib flashsmall.txt` 2>/dev/null ) | \
grep /usr/lib | \
sed -e 's/^[^\-]*-/-/g' \
-e 's/^.*=> /\./g' \
-e 's/ .*$//g' | \
sort -u >> tmpfile.txt



does that help at all?

Yes, helps a ton. Thanks a lot! Maybe now I can get samba working on one.

Ok, all the libs are in place, and so far so good for some apps. Unfortunatly, with snort, I'm not havign much luck with the libpcre.so.0.1 lib. If I do a ldd on the Soekris for snort, I get a "can't load library 'libpcre.so.0.1'". What has me stumped is that it fails on an exit status 4. The ldd man page only shows 3 (0-2). If I do a ldd on that lib (I know it's not meant for that, but you know, S's&G's) I get an exit status 4 on the Soekris, and a exit status 1 on the build box (since it's not suppose to be used for libs). Obviously, I'm missing something, but what?

build snort as a static binary

Ok. Well, I feel like a total n00b now. lol. Looked for any way to build it static to no avail. The FAQ, and PORTS(7) only discuss static beign used for shells. When doing a 'make show=FLAVORS` I'm only seeing `postgresql mysql smbalert flexresp` as my flavors. Of course I tried to run (even though it wasnt' a flavor):

env FLAVOR="static" make package

It built the package and all, but doesn't look like ti was done static, or I just don't know how to tell. This brings me to another question, how can you tell? If you do it right, will it append static to the package name like others?

Thats a good question Kernel Killer. I guess if you do a ldd on the binary no dependencies should show up.

That's kind of what I was thinking, and the executable still has dynamic links, but never hurts to verify. :)

Use the file(1) command against the snort binary (binaries?) to see if it's static or not.

If the port doesn't specifically support creating a static binary, modify the LDFLAGS env var to contain "-static" during compilation. You should be able to manually hack the port's Makefile for that. Eg: add

LDFLAGS+= -static

before the

.include <bsd.port.post.mk>

line.

Ok, gave that a shot. Here's what I did:

There wasn't a ".include <bsd.port.post.mk>" in the Makefile, so I added the LDFLAGS line in the flexresp flavor if statement, and then ran:

env FLAVOR="flexresp" make package

After it was all said and done, I extracted the snort exec, and ran file on it:

# file snort
snort: ELF 32-bit LSB executable, Intel 80386, version 1, for OpenBSD, dynamically linked (uses shared libs), stripped

:confused:

lappy# setenv CFLAGS -static
lappy# printenv
MACHTYPE=i386
USER=root
MAIL=/var/mail/root
SHLVL=1
VENDOR=intel
HOME=/root
PAGER=more
GROUP=wheel
LOGNAME=root
BLOCKSIZE=K
TERM=Eterm
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/root/bin
DISPLAY=:0.0
DESKTOP_STARTUP_ID=E_START|2
XAUTHORITY=/root/.Xauthority
HOST=lappy.angelica.com
SHELL=/bin/csh
RESTART=1
OSTYPE=FreeBSD
PWD=/root/snort-2.4.3
FTP_PASSIVE_MODE=YES
HOSTTYPE=FreeBSD
EDITOR=vi
IFS=

ETERM_THEME_ROOT=/usr/X11R6/share/Eterm/themes/Eterm
COLORFGBG=7;default;0
WINDOWID=10485822
COLORTERM=Eterm
COLORTERM_BCE=Eterm
ETERM_VERSION=0.9.3
CFLAGS=-static
lappy# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for style of include used by make... GNU
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking dependency style of gcc... gcc3
checking for gcc option to accept ANSI C... none needed
checking for ranlib... ranlib
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ANSI C... (cached) none needed
checking dependency style of gcc... (cached) gcc3
checking build system type... i386-unknown-freebsd6.0
checking host system type... i386-unknown-freebsd6.0
checking whether byte ordering is bigendian... no
checking for sparc alignment... no
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for strings.h... (cached) yes
checking for string.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for unistd.h... (cached) yes
checking sys/sockio.h usability... yes
checking sys/sockio.h presence... yeschecking for sys/sockio.h... yes
checking paths.h usability... yes
checking paths.h presence... yes
checking for paths.h... yes
checking for inet_ntoa in -lnsl... no
checking for socket in -lsocket... no
checking whether printf must be declared... no
checking whether fprintf must be declared... no
checking whether syslog must be declared... no
checking whether puts must be declared... no
checking whether fputs must be declared... no
checking whether fputc must be declared... no
checking whether fopen must be declared... no
checking whether fclose must be declared... no
checking whether fwrite must be declared... no
checking whether fflush must be declared... no
checking whether getopt must be declared... no
checking whether bzero must be declared... no
checking whether bcopy must be declared... no
checking whether memset must be declared... no
checking whether strtol must be declared... no
checking whether strcasecmp must be declared... no
checking whether strncasecmp must be declared... no
checking whether strerror must be declared... no
checking whether perror must be declared... no
checking whether socket must be declared... no
checking whether sendto must be declared... no
checking whether vsnprintf must be declared... no
checking whether snprintf must be declared... no
checking whether strtoul must be declared... no
checking for snprintf... yes
checking for strlcpy... yes
checking for strlcat... yes
checking for strerror... yes
checking for __FUNCTION__... yes
checking for floor in -lm... yes
checking for pcap_datalink in -lpcap... yes
checking pcre.h usability... yes
checking pcre.h presence... yes
checking for pcre.h... yes
checking for pcre_compile in -lpcre... yes
checking for u_int8_t... yes
checking for u_int16_t... yes
checking for u_int32_t... yes
checking for a BSD-compatible install... /usr/bin/install -c
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/sfutil/Makefile
config.status: creating src/detection-plugins/Makefile
config.status: creating src/output-plugins/Makefile
config.status: creating src/preprocessors/Makefile
config.status: creating src/preprocessors/HttpInspect/Makefile
config.status: creating src/preprocessors/HttpInspect/include/Makefile
config.status: creating src/preprocessors/HttpInspect/utils/Makefile
config.status: creating src/preprocessors/HttpInspect/anomaly_detection/Makefile
config.status: creating src/preprocessors/HttpInspect/client/Makefile
config.status: creating src/preprocessors/HttpInspect/event_output/Makefile
config.status: creating src/preprocessors/HttpInspect/mode_inspection/Makefile
config.status: creating src/preprocessors/HttpInspect/normalization/Makefile
config.status: creating src/preprocessors/HttpInspect/server/Makefile
config.status: creating src/preprocessors/HttpInspect/session_inspection/Makefile
config.status: creating src/preprocessors/HttpInspect/user_interface/Makefile
config.status: creating src/preprocessors/flow/Makefile
config.status: creating src/preprocessors/flow/int-snort/Makefile
config.status: creating src/preprocessors/flow/portscan/Makefile
config.status: creating src/parser/Makefile
config.status: creating doc/Makefile
config.status: creating contrib/Makefile
config.status: creating schemas/Makefile
config.status: creating rpm/Makefile
config.status: creating m4/Makefile
config.status: creating etc/Makefile
config.status: creating templates/Makefile
config.status: creating src/win32/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
lappy# make
make all-recursive
Making all in src
Making all in sfutil
*snip*
**compiling**
*snip*
Making all in doc
Making all in etc
Making all in templates
Making all in contrib
Making all in schemas
Making all in rpm
Making all in m4
lappy# cd src
lappy# file snort
snort: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, not stripped
lappy#

KK, Elmore's way should (obviously does) work fine. I was assuming you were building from a port and that the OpenBSD port looked very much like the FreeBSD one; perhaps assuming too much. You can prolly stick the LDFLAGS+=-static line in almost anywhere near the end of the port Makefile. Did you do a "make clean" first?

*BSD ports makefiles are pretty high-tech. :-) I've dinked around with them for hours sometimes trying to get just the right effect. Sometimes you need to dive into the port source tree itself (eg work/snort-x.y) and do what Elmore suggested so you can eliminate the ports makefiles as a source of trouble.

So you are compilng on FreeBSD and extracting on OpenBSD? I guess that would make sense being that their aren't dynamic.

Thanks a ton Elmore, and BMW. BMW, yes, I was trying to compile in the OBSD ports tree. I'll try after an extract, and forget the base Makefile. I moved that line in various places, but didn't have any luck. I think I'm just going to play around a bit with what you all have shown me. Too mcuh fun, and I can see a huge increase in benefits from it all. I really should look at developer's ports readme, and try to grasp as much as possible when dealing with the ports, Makefiles, and structures. For the time being, I'll probably try to do exactly what BMW said, and go into the work dir after an extract, and poke aornd there. No sense installing it when its going to another box.

Thanks again to all of you. I'll keep posting as I progress. :biggrin:

Well sweet. Good to see somethign good coming out of this day. Did a 'make extract' in the OBSD snort port, went into the work dir, and did like Elmore did. Dropped in on the Soekris, and all is good. :)

TY ALL!

Ok. More progress. Just wanted to document for other readers. I went to make a snort binary with flexresp enabled, and realized that the Open ports only had libnet 1.1, but snort requires libnet 1.02a. So I had to install snort with the "flexresp" FLAVOR, and then have the libs and includes for the correct libnet. After that I had to make a link to the libnet-config-1.0 executable as /usr/local/bin/libnet-config. After that, I went back to the snort port, and ran make clean, and then make extract. Then I went into the work directory, and ran:

./cofigure --enable-flexresp \
--with-libnet-includes=/usr/local/include/libnet-1.0 \
--with-libnet-libraries=/usr/local/lib/libnet-1.0

A quick make after that, and all was good.