Building a Virtual Sandbox (Part II) – Initial Server/Workstation

This first system will have several duties:

  • Workstation
  • Git Server
  • Ansible
  • DNS
  • and possibly other services as we move along.

For this system, we’re using Ubuntu 20.04 Desktop.  The settings used for this system are 2G memory and a 20G disk with the basic workstation install. We’ll give this an IP of, and place it on the internal network we configured in the prior article.  The hostname is “ubuntu-ws”.  I’ll also create the user “mascio” as an administrative user. Don’t forget to boot the OpenBSD firewall from earlier.

Why is a CentOS/RedHat guy choosing Ubuntu? Several reasons: (1) with the recent shakeup of CentOS, CentOS 8 may not work well for me in the long run, and (2) I get plenty of CentOS practice at work. Don’t worry, there will be plenty of other CentOS material here over time. I’m not leaving CentOS/RedHat; refreshing skills and knowledge from time to time is a good idea.

And just because I like the functionality better, let’s install aptitude:

sudo apt-get install aptitude

Let’s start by installing Ansible:

sudo aptitude update
sudo aptitude upgrade -y
sudo aptitude install openssh-server net-tools sshpass tree python python-pip python-setuptools ansible -y

We’ll come back to configuring Ansible.

Since I’ve already decided the Ansible playbooks need to be under source code control, we’ll install git and GitLab:

sudo aptitude install -y git-all curl openssh-server ca-certificates tzdata postfix mailutils
curl | sudo bash

Since this is a lab, and the external infrastructure is not yet in place, use “Local only” for your Postfix configuration. If you have a smart host or other infrastructure in place, configure as you see fit.

And now bind:

sudo aptitude install bind9 bind9utils bind9-doc

We should be done with installing for now. Let’s get bind set up. Since we’re using only IPv4 and not IPv6, let’s set it to serve only the former:

sudo vi /etc/default/named

And add “-4” to the OPTIONS line:

OPTIONS="-u bind -4"

Now restart bind:

sudo systemctl restart bind9

Normally, you would set up your trusted hosts here, but we only have a primary right now, so we’ll come back to that step later when we have servers to worry about.

Now, we need to add some extra lines to /etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";

        recursion yes;                 # enables recursive queries
        #allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on {; };   # private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default

        forwarders {
                # upstream resolver addresses go here (not reproduced on this page)
        };
};

Next, edit /etc/bind/named.conf.local and adjust domain/IP as necessary:

zone "" {
        type master;
        file "/etc/bind/zones/"; # zone file path
        #allow-transfer {; }; # secondary private IP address - place holder
};

zone "" {
        type master;
        file "/etc/bind/zones/db.10.13.13";  # subnet
        #allow-transfer {; }; # secondary private IP address - place holder
};

Now that we have the zones defined, both forward and reverse, let’s create the data files needed:

sudo mkdir /etc/bind/zones

Edit /etc/bind/zones/ and add:

$TTL    300
@       IN      SOA     localhost. (
                       20122400         ; Serial
                            300         ; Refresh
                            300         ; Retry
                            300         ; Expire
                            300)       ; Negative Cache TTL

; name servers - NS records
                       IN      NS

; name server A records
        IN      A

; host A records
        IN      A
        IN      A

A quick note on my serial value: it is in the format YYMMDDHHmm, so this one reads as updated on Dec 24, 2020, once. Also, all of my values are small, which for a lab is probably OK, but for Internet production usage, you’ll want to adjust those for performance.

Edit /etc/bind/zones/db.10.13.13 and add:

$TTL    300
@       IN      SOA     localhost. (
                       20122400         ; Serial
                            300         ; Refresh
                            300         ; Retry
                            300         ; Expire
                            300 )       ; Negative Cache TTL

; name servers
      IN      NS

; PTR Records
10   IN      PTR    ;
;10   IN      PTR    ;
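As an added example (not code from the original post), the following Python derives the reverse zone's PTR records from the forward zone's A records for the 10.13.13 subnet, so the two files stay consistent, and bumps the SOA serial following the YYMMDDHHmm convention described above. The zone excerpt, the origin dining.lab and the host names in it are constructed sample data, not values taken from the page.

```python
import re
from datetime import datetime

# Constructed forward-zone excerpt in the layout of the post; the names and
# addresses are sample values, not the ones from the page.
FORWARD_ZONE = """$TTL    300
@       IN      SOA     ns1.dining.lab. admin.dining.lab. (
                       2012240000       ; Serial
                            300         ; Refresh
                            300         ; Retry
                            300         ; Expire
                            300 )       ; Negative Cache TTL
; name servers - NS records
            IN      NS      ns1.dining.lab.
; name server A records
ns1         IN      A       10.13.13.10
; host A records
torii       IN      A       10.13.13.1
ubuntu-ws   IN      A       10.13.13.10
"""

A_RECORD = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+(?:\.\d+){3})\s*$", re.M)
SERIAL_MAX = 2**32 - 1  # SOA serials are 32-bit unsigned (RFC 1982)

def ptr_records(zone_text, origin, subnet="10.13.13"):
    """PTR lines for db.<subnet>, one per address, from the A records in
    subnet. The last octet is the owner name, as in the post's reverse
    zone; when two names share an address the first one wins, because a
    PTR should name one canonical host (ns1, not ubuntu-ws, above)."""
    lines, seen = [], set()
    for name, ip in A_RECORD.findall(zone_text):
        prefix, last = ip.rsplit(".", 1)
        if prefix != subnet or ip in seen:
            continue
        seen.add(ip)
        fqdn = name if name.endswith(".") else f"{name}.{origin}."
        lines.append(f"{last:<5}IN      PTR     {fqdn}")
    return lines

def next_serial(current, when):
    """Serial for an edit made at `when` ('YYYY-MM-DD HH:MM'), YYMMDDHHmm
    style. If the clock value is not larger than the current serial (same
    minute, or the clock went backwards) add one instead, so secondaries
    still see a newer zone. From 2043 the convention exceeds 32 bits."""
    stamp = datetime.strptime(when, "%Y-%m-%d %H:%M")
    candidate = max(int(stamp.strftime("%y%m%d%H%M")), current + 1)
    if candidate > SERIAL_MAX:
        raise ValueError("serial would exceed the 32-bit SOA limit")
    return candidate
```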

And to be sure everything is good, run:

sudo named-checkconf

If all is well, restart BIND:

sudo systemctl restart bind9

Archaeological find

I was going through some of my old files, and found my copies of the Free Software Sticker Book, Volumes I-III.  These are from the 2006-2007 time frame.  I can’t find them anywhere else, so I’m posting them here for your enjoyment.  The author, Javier A. Albusac Jiménez and his contributors created a nice piece of work, so here they are, resurrected from my archives.


Short, sweet and to the point.

Thanks to my manager at work, I learned about SSHFS a couple of months or so back. So, I decided I wanted it on my “lab” machine, since I found it pretty useful. After some poking around, I found I needed to enable the EPEL repo on my CentOS machine. The write-up at: is a bit dated. I needed to use a slightly newer version of the repo. The command I used to install/enable the repo was:

rpm -Uvh

After that, it was straightforward.

  1. Install it: yum install fuse sshfs
  2. Enable it: modprobe fuse
  3. Check it was there: lsmod | grep fuse
  4. and make it permanent: echo "modprobe fuse" >> /etc/rc.local

The syntax to mount something is:

sshfs user@remotehost:/remotedirectory /localmountpoint

For example:

sshfs mascio@ /mnt/repos

If you are going to do a lot of this, I recommend setting up SSH keys so you do not need to keep entering your password. Of course, if you use no passwords on your private key, you’d better fiercely protect it!

Building a Virtual Sandbox (Part I) – Firewall/Router

Updated: 12/20/2020

To start with, it is nice to have a network of virtual machines that can be standalone or have Internet connectivity, as needed.  So, to start, I’ll begin with my rundown of a great article from The Helpful Hacker website, “A simple OpenBSD Router for your Virtual Machines”.

You ask, “Why yet another technology?”.  It’s simple.  Not really, but with this article, it’s really simple to get a router rolling for my purposes.  I’ll be exploring router/firewalls in CentOS and Ubuntu later, but for today: OpenBSD – quick and dirty.

And because I like to work downstairs near my beautiful wife, most of this will be done in VirtualBox on a Windows notebook.

Some assumptions:

  1. You are familiar with VirtualBox
  2. You have some basic system administration skills
  3. You know an editor, like ‘vi’ or ‘nano’.  I’ll be using ‘vi’ for all my examples.

This will be short on theory, and mostly “here’s what you need to do”.  If you want more theory, for now, I’d recommend hitting Google, or send me a note.  Let’s get started.  Download VirtualBox and install it on your favorite workstation.  Next, go to OpenBSD and download the install68.iso (or the current release) from one of the mirrors.

First, let’s create our internal network.  Under File>Preferences>Network, add a new Host-only network.  Update the settings to have the following parameters:

  1. Adaptor Tab:
    1. Check Configure Adapter Manually
    2. IPv4 Address:
    3. IPv4 Network Mask:
  2. DHCP Server
    1. Enable Server
    2. Server Address:
    3. Server Mask:
    4. Lower Address Bound:
    5. Upper Address Bound:

From here, we’ll pretty much follow The Helpful Hacker article with some minor changes, and then wrap up with some networking in preparation for our sandbox.

Create a new machine:

  1. Name:
  2. Type: BSD
  3. Version: OpenBSD (64 bit)

Couple of notes here.  Unless needed, I’ll be creating all my virtual machines (VMs) as 64-bit machines.  My hostnames either follow martial arts, location, or other random name, for memory purposes.   For particular tasks, I’ll use canonical names (CNAMES) to assign services (WWW, MAIL, IMAP, etc) to a host.  This also allows me to move a service to a different server and not have to rename the server.  From my years in the field, this is particularly useful in server migrations or upgrades.

Throughout this exercise, there will be different subnets.  This first one is ‘’.  I’m working on my notebook that generally lives in the dining room.  Well, in the dining room, living room, dinette, kitchen, general mobile, but I had to pick one, so ‘dining’ works.  I could bridge my various VirtualBox networks into one, but I have additional plans that we’ll eventually get to.

Host parameters:

  1. Memory: 64 M
  2. Disk: New VDI disk, Dynamically allocated, 16G

Leave the first network adaptor as a NAT.   Add a second adaptor, enable it, and attach it to the Host-only Adaptor.

Now, attach the OpenBSD ISO to the CD/DVD Drive and start the machine.

  1. (I)nstall
  2. “default” keyboard
  3. Hostname: torii
  4. Configure em0
  5. IPv4 Address: dhcp
  6. IPv6 Address: none
  7. Choose “done” for network configuration.
  8. Choose a root password
  9. Start sshd by default: yes
  10. Start ntpd by default: yes
  11. Use default NTP server
  12. No to X windows
  13. No additional users
  14. I’m in US/Central timezone, but choose the appropriate one for you.
  15. Choose disk wd0 for the root disk
  16. Use DUIDs
  17. Use the (W)hole disk
  18. (A)uto layout
  19. Location of sets: cd
  20. Install media: cd0
  21. Pathname: 5.4/amd64
  22. Deselect the Xwindows sets: -x*
  23. Deselect the games: -g*
  24. And “done”
  25. When the sets load, choose “done”
  26. Set the time

And you are done!  “halt -p” the machine, unmount the disk, restart and log in as root.

Few more things, and we’ll be done:

  1. echo dhcp > /etc/hostname.em0
  2. echo "" > /etc/hostname.em1
  3. echo "nameserver" > /etc/resolv.conf
  4. sh /etc/netstart
  5. edit /etc/sysctl.conf, and uncomment net.inet.ip.forwarding and set it to 1 (permit forwarding of IPv4 packets)
  6. edit /etc/rc.conf and set pf=YES (enable the pf firewall)
  7. edit /etc/pf.conf and add to the end: "pass out on em0 from em1:network to any nat-to (em0)"
  8. reboot

And you’re done.

If you want more details on the last steps, read the article at:

For our purposes, the first step of our sandbox is done.

Next up will be the first workstation/server.  It will perform double duty as my initial configuration server and workstation.  Later, the services that don’t make sense to be on this host will get migrated off.