If it were mine to do, I'd put a dedicated PC with lots of RAM in it in place as the firewall host, and on it I'd run a stripped Linux with shorewall from a bootable CD. The only hard drive in the box would not be bootable, and would be used for no purpose other than to contain the shorewall configuration.
More secure but with a greater PITA factor would be to remove the hard drive, and run the whole shebang from the CD. The PITA factor comes from having to burn a new CD every time you want to twiddle the firewall rules.
Debian's releases are always done when they're done. If you want sarge, install sarge -- I've been using it for many moons on production systems. The occasional breakage is still less than what some other distributions shove out the door in their production releases.
I seem to recall a breakage some time ago... think think think... it was a naming conflict between djbdns and the Courier MTA both wanting to install some support program or other. It was an easy enough fix. Other than that, I've had no trouble out of it in either server or workstation usage.
I've been using sarge for quite a while now, and on production machines, too. I keep a local workstation as the crash test dummy, upgrading it first just in case there's a problem that I don't want to add to the production machines -- I haven't encountered any show stoppers in almost a year now. I don't even have any woody boxes any more.
Yes, the security updates are a mite slower to get into testing, but usually only by a few hours or a day.
It works fine. I like it. I'm just sitting up here on my mountain being happy.
Hmmmm... "scalable, secure, accesses data of a variety of types, sends instructions across the network, maintains transactional integrity, and more in perl." No worries. Specify the app and pay my fees, and I'll deliver that sucker to ya -- it's what I do every day anyway.
And it would be better if you didn't try to maintain it, because you obviously do not know much at all about perl.
"Besides that you'd have to start from scratch and create a bunch of library code before you could even think of starting." Bzzzt. Wrong answer. CPAN provides modules (libraries) for just about anything you might imagine, for free. Just fire up your favorite CPAN interface and tell it which modules you'd like to install, and then start writing code. Nuthin' to it but to do it.
AGVS (Automatic Guided Vehicle Systems) have been in use in factories, hospitals, prisons, jails, mail rooms, etc. for a long time. The last real job I had (prior to becoming self employed) was as Service Manager for a robotics company that built AGVS with capacities ranging from 50lbs. to 6000lbs. and carried everything from the mundane mail and laundry to (exciting stuff!) explosives, and in one installation, people. Inmates, in fact, from the jail to the courthouse and back via an underground tunnel. Get busted, ride a robot!
One client company who shall remain nameless (hint: starts with an "I" and ends with "ntel") had problems with jealous employees sabotaging and abusing the AGV's in their factories, believing that they were replacing human workers. Maybe they did replace human workers, maybe they were responsible for keeping more jobs in the US than would have been offshored without them. I dunno.
Those AGV's all had voices, and were polite. If you were detected on or near the (buried) guidepath, the vehicle would slow and politely say, "Excuse me." If you didn't step away, the vehicle would stop and repeat "excuse me" every so often until you did. (It was comical to encounter a stalled machine asking a cardboard box to move.) Once you moved, it would say, "Thank you" and proceed on its way. Upon arriving at a destination where it expected human interaction, it would stop and say, "Hello."
We built AGV's that could open and close doors, ride elevators, and accept their marching orders via wireless LAN or manual entry. The more complex installations had central controllers that could dispatch a vehicle from anywhere in the facility to anywhere else, tell it what to do at each stop along the way, route them on alternate paths to avoid congestion, etc. They were adept at avoiding collisions with other vehicles, and taking themselves out of service as they neared battery depletion -- when they'd seek an opportunity charger and put themselves on charge. Fun stuff.
The mail delivery vehicle in our factory received far less maintenance than it ought to have, and sometimes wandered into a wall, where it would patiently ask, "excuse me", until it was rescued. So I named it Harvey (because it was a Wallbanger). One of our more powerful machines, during prototype testing, moved Harvey's favorite wall by several inches -- I wonder if they were involved in some kind of conspiracy.
That company, Apogee Robotics, ceased operations ten years ago and certainly wasn't without competition. This stuff ain't news!
Honestly, the first time I read Cormack's paper I stopped partway through because his findings didn't jive with my own experience. I've applied no scientific method to debunk his findings, and I don't care to -- I have other demands for my time.
I use and recommend DSPAM. Many of the accounts that are aggregated in my inbox have been exposed on the web and in Usenet for several years, so my spam load is probably about as high as anyone else's. No comparison testing analysis can change the fact that my inbox sees at most two spams per month (on a maturely trained DSPAM installation) and maybe one false positive every six weeks or so. DSPAM isn't the only tool in the box, but it's the only content filter, and it does what it's supposed to do.
If JZ got a little too personal in his rebuttal, I'll forgive him for it. I'd like to think that if I were in his shoes I'd show a bit more tact and restraint, but there's a pretty good chance that I wouldn't. I get all kinds of defensive about the work I've put my passion into, and can't really blame anyone else for doing the same.
I've been using DSPAM for nearly a year now, and it's just kept on getting better. I can't imagine life without it now.
I have 17 DNS-based blacklists in front of it, because I would rather block the messages at the network interface than filter them with my own resources, but those that slip through don't stand much of a chance of reaching my inbox. I have had my current email address out there on the web and in Usenet for six years, so I see a lot of junk -- DSPAM stops all but one or two per month. SpamAssassin can't even come close to that.
A *lawyer* wants to give *cops* more "tools" with which they can achieve a higher arrest rate, and give prosecutors a higher conviction rate?
Back up the boat, boys, the anchor's fallen off.
The US already has the highest incarceration rate in the world, with 701 prisoners per 100,000 citizens. The Russian Federation is a distant second place, with 584 per 100k. (Source: International Centre for Prison Studies.) We're standing silently by, watching as our civil rights and protections are being stripped away at an alarming rate. The Fourth Amendment is being all but repealed... and some bozo lawyer in The People's Republic of California wants to make it still easier to put more of us behind bars?
There seems to be some flawed notion that law enforcement is failing in this country -- the fact is that the violent crime rate has been falling for several years. It's not because we have incarcerated so many, but simple demographics: The number of males in the more crime-prone age group has decreased.
That hasn't been my experience, in nearly a year of using DSPAM. If the technique worked with DSPAM (as it does for SpamAssassin), I'd be seeing a lot more of the junk in my inbox. I'm not.
I'm actually surprised on those one or two occasions per month when I find spam in my inbox.
If George Jetson puttered by in his space car, he's puke on the windshield upon seeing that hideous abortion of architecture. WTF were they thinking when they approved that monstrosity?
Back in the 1960's, the US in fact did deploy a phased array radar in Northwest Florida, the AN/FPS-85, and used it to track objects in space. In 1975, with a software upgrade, it took on the additional role of detecting Sea-Launch Ballistic Missiles. Being south-facing, the intent was to catch those coming from any Soviet subs that might be hiding south of Cuba.
Additional phased array radars, AN/FPS-115's, were built in California (Beale AFB) and Massachusetts (Otis AFB) expressly for the purpose of missile warning. Later, another was built along the Gulf Coast to take over the AN/FPS-85's missile warning role, leaving the old beast to its original task, tracking satellites and space junk. The radar that took over the FPS-85's missile warning role has since been decommissioned.
Yes, I voted. Yes, I was informed about the issues and candidates. Yes, I know who my reps are and what they stand for. Yes, I give to organizations that support my beliefs. No, I don't give money to politicians. They're all far wealthier than I.
The senator who bothers to respond to my letters, Wayne Allard (R-CO) responds by telling me that his votes are in Amerika's best interests, and my opinion is wrong. The others don't respond in any way. And I'm one who writes at least a letter a month to each of 'em.
Put your fantasy version of How Things Work back in the toy box, pal. It ain't so.
As a guy who gets Joe-Jobbed every six weeks or so because I'm only mildly vocal about being anti-spam, I have to ask: What happens if everybody doesn't do it? The vocal few are going to be punished by the spambags.
Don't get me wrong, I don't think we oughta let the bastards win any victory, even the smallest. I believe that the best thing we can do is to convince those within our sphere of influence that there is NEVER a legitimate reason to respond to a spammer.
It's always been a problem trying to read from a filehandle that is not open, just as it's always been a problem trying to fill a glass at a tap that's not open.
Doesn't everyone who's been at this for more than a month or two check the return value of open() before trying to read the filehandle?
Here is a site linking to a patch for dnscache users. I'd prefer a hack along the lines of what [groan] ISC has implemented, but if verislime were to delegate and then spoof, ISC's hack would stop working, while the dnscache patch would simply require a bit of administwiddling and then keep right on working.
I suspect that a thorough analysis of the proposed scheme would conclude that it could not work if it were widely adopted. It's silly to create a system in which a relatively small, expected but undesired input triggers a relatively large burden on network resources.
Oh, wait... that's called a distributed denial of service attack. Someone already thought it up!
In the country where I live there is a general rule for farm animals, the farmer is not responsible for fencing them in, it is your job to fence them out.
Convention, law, or just hearsay, that's a fundamentally flawed situation. I should not be forced to expend my resources to protect my lettuce from your sheep -- the cost of keeping your sheep should be entirely borne by you.
Of course I will fence in my lettuce so it doesn't go wandering onto your property, and to keep the wild critters from it. But, the wild critters, were they nibbling on my buttercrunch, would be fair game.
The referenced article is 100% fluff. It's purely crap, too. The current state of the art is NOT the stuff of television's battling shoeboxes, as the author seems to envision it.
This is easy enough to do. Check out my top level index (the one above this article) -- there's an email address there that delivers, and adds the delivering server to my local blacklist. It contains the harvester's (or other visitor's) email address, cheesily encoded.
Ya know what I've found? The harvester bots are almost all running on cable modems. They use them for a while, then throw them away. And they rarely, very rarely, send spam from the same host that's out harvesting. In my experience, the harvester runs on a cable modem in the US, and the spam comes from overseas, or an open relay on some network unrelated to that of the harvester.
Want to get your SMTP server blocklisted in my network? Send mail to the email address at the top of this message.;-) But if you really want to email me, my user name in my domain is the same as my user name here. Nuthin' to it.
And not so creative ways to identify harvesters is not news.
Slashdot Mirror
More secure but with a greater PITA factor would be to remove the hard drive, and run the whole shebang from the CD. The PITA factor comes from having to burn a new CD every time you want to twiddle the firewall rules.
The security updates aren't as "timely" but they do show up.
Debian's releases are always done when they're done. If you want sarge, install sarge -- I've been using it for many moons on production systems. The occasional breakage is still less than what some other distributions shove out the door in their production releases.
I seem to recall a breakage some time ago... think think think... it was a naming conflict between djbdns and the Courier MTA both wanting to install some support program or other. It was an easy enough fix. Other than that, I've had no trouble out of it in either server or workstation usage.
I take it you've never heard of RHSBL's, which consider domain names instead of IP addresses. Try googling. They're out there.
I've been using sarge for quite a while now, and on production machines, too. I keep a local workstation as the crash test dummy, upgrading it first just in case there's a problem that I don't want to add to the production machines -- I haven't encountered any show stoppers in almost a year now. I don't even have any woody boxes any more.
Yes, the security updates are a mite slower to get into testing, but usually only by a few hours or a day.
It works fine. I like it. I'm just sitting up here on my mountain being happy.
Hmmmm... "scalable, secure, accesses data of a variety of types, sends instructions across the network, maintains transactional integrity, and more in perl." No worries. Specify the app and pay my fees, and I'll deliver that sucker to ya -- it's what I do every day anyway.
And it would be better if you didn't try to maintain it, because you obviously do not know much at all about perl.
"Besides that you'd have to start from scratch and create a bunch of library code before you could even think of starting." Bzzzt. Wrong answer. CPAN provides modules (libraries) for just about anything you might imagine, for free. Just fire up your favorite CPAN interface and tell it which modules you'd like to install, and then start writing code. Nuthin' to it but to do it.
Next!
AGVS (Automatic Guided Vehicle Systems) have been in use in factories, hospitals, prisons, jails, mail rooms, etc. for a long time. The last real job I had (prior to becoming self employed) was as Service Manager for a robotics company that built AGVS with capacities ranging from 50lbs. to 6000lbs. and carried everything from the mundane mail and laundry to (exciting stuff!) explosives, and in one installation, people. Inmates, in fact, from the jail to the courthouse and back via an underground tunnel. Get busted, ride a robot!
One client company who shall remain nameless (hint: starts with an "I" and ends with "ntel") had problems with jealous employees sabotaging and abusing the AGV's in their factories, believing that they were replacing human workers. Maybe they did replace human workers, maybe they were responsible for keeping more jobs in the US than would have been offshored without them. I dunno.
Those AGV's all had voices, and were polite. If you were detected on or near the (buried) guidepath, the vehicle would slow and politely say, "Excuse me." If you didn't step away, the vehicle would stop and repeat "excuse me" every so often until you did. (It was comical to encounter a stalled machine asking a cardboard box to move.) Once you moved, it would say, "Thank you" and proceed on its way. Upon arriving at a destination where it expected human interaction, it would stop and say, "Hello."
We built AGV's that could open and close doors, ride elevators, and accept their marching orders via wireless LAN or manual entry. The more complex installations had central controllers that could dispatch a vehicle from anywhere in the facility to anywhere else, tell it what to do at each stop along the way, route them on alternate paths to avoid congestion, etc. They were adept at avoiding collisions with other vehicles, and taking themselves out of service as they neared battery depletion -- when they'd seek an opportunity charger and put themselves on charge. Fun stuff.
The mail delivery vehicle in our factory received far less maintenance than it ought to have, and sometimes wandered into a wall, where it would patiently ask, "excuse me", until it was rescued. So I named it Harvey (because it was a Wallbanger). One of our more powerful machines, during prototype testing, moved Harvey's favorite wall by several inches -- I wonder if they were involved in some kind of conspiracy.
That company, Apogee Robotics, ceased operations ten years ago and certainly wasn't without competition. This stuff ain't news!
The only three magazines that come here are the above, but we're going to let OG go because it's become 99% fluff.
There go my geek points. Now I'll never get that secret decoder ring/USB MP3 player. Damn!
Honestly, the first time I read Cormack's paper I stopped partway through because his findings didn't jive with my own experience. I've applied no scientific method to debunk his findings, and I don't care to -- I have other demands for my time.
I use and recommend DSPAM. Many of the accounts that are aggregated in my inbox have been exposed on the web and in Usenet for several years, so my spam load is probably about as high as anyone else's. No comparison testing analysis can change the fact that my inbox sees at most two spams per month (on a maturely trained DSPAM installation) and maybe one false positive every six weeks or so. DSPAM isn't the only tool in the box, but it's the only content filter, and it does what it's supposed to do.
If JZ got a little too personal in his rebuttal, I'll forgive him for it. I'd like to think that if I were in his shoes I'd show a bit more tact and restraint, but there's a pretty good chance that I wouldn't. I get all kinds of defensive about the work I've put my passion into, and can't really blame anyone else for doing the same.
I've been using DSPAM for nearly a year now, and it's just kept on getting better. I can't imagine life without it now.
I have 17 DNS-based blacklists in front of it, because I would rather block the messages at the network interface than filter them with my own resources, but those that slip through don't stand much of a chance of reaching my inbox. I have had my current email address out there on the web and in Usenet for six years, so I see a lot of junk -- DSPAM stops all but one or two per month. SpamAssassin can't even come close to that.
So, you're saying that the Ninth Amendment has been repealed?
Back up the boat, boys, the anchor's fallen off.
The US already has the highest incarceration rate in the world, with 701 prisoners per 100,000 citizens. The Russian Federation is a distant second place, with 584 per 100k. (Source: International Centre for Prison Studies.) We're standing silently by, watching as our civil rights and protections are being stripped away at an alarming rate. The Fourth Amendment is being all but repealed... and some bozo lawyer in The People's Republic of California wants to make it still easier to put more of us behind bars?
There seems to be some flawed notion that law enforcement is failing in this country -- the fact is that the violent crime rate has been falling for several years. It's not because we have incarcerated so many, but simple demographics: The number of males in the more crime-prone age group has decreased.
Using DSPAM, you can forward the spam as an attachment and it'll find the headers it's added in the attachment.
That hasn't been my experience, in nearly a year of using DSPAM. If the technique worked with DSPAM (as it does for SpamAssassin), I'd be seeing a lot more of the junk in my inbox. I'm not.
I'm actually surprised on those one or two occasions per month when I find spam in my inbox.
If George Jetson puttered by in his space car, he's puke on the windshield upon seeing that hideous abortion of architecture. WTF were they thinking when they approved that monstrosity?
I have been using DSPAM for many moons now, and not even one of the messages of the kind you refer to has made it into my inbox.
Additional phased array radars, AN/FPS-115's, were built in California (Beale AFB) and Massachusetts (Otis AFB) expressly for the purpose of missile warning. Later, another was built along the Gulf Coast to take over the AN/FPS-85's missile warning role, leaving the old beast to its original task, tracking satellites and space junk. The radar that took over the FPS-85's missile warning role has since been decommissioned.
Yes, I voted. Yes, I was informed about the issues and candidates. Yes, I know who my reps are and what they stand for. Yes, I give to organizations that support my beliefs. No, I don't give money to politicians. They're all far wealthier than I.
The senator who bothers to respond to my letters, Wayne Allard (R-CO) responds by telling me that his votes are in Amerika's best interests, and my opinion is wrong. The others don't respond in any way. And I'm one who writes at least a letter a month to each of 'em.
Put your fantasy version of How Things Work back in the toy box, pal. It ain't so.
As a guy who gets Joe-Jobbed every six weeks or so because I'm only mildly vocal about being anti-spam, I have to ask: What happens if everybody doesn't do it? The vocal few are going to be punished by the spambags.
Don't get me wrong, I don't think we oughta let the bastards win any victory, even the smallest. I believe that the best thing we can do is to convince those within our sphere of influence that there is NEVER a legitimate reason to respond to a spammer.
It's always been a problem trying to read from a filehandle that is not open, just as it's always been a problem trying to fill a glass at a tap that's not open.
Doesn't everyone who's been at this for more than a month or two check the return value of open() before trying to read the filehandle?
Patch 'em up and move 'em out...
I suspect that a thorough analysis of the proposed scheme would conclude that it could not work if it were widely adopted. It's silly to create a system in which a relatively small, expected but undesired input triggers a relatively large burden on network resources.
Oh, wait... that's called a distributed denial of service attack. Someone already thought it up!
Convention, law, or just hearsay, that's a fundamentally flawed situation. I should not be forced to expend my resources to protect my lettuce from your sheep -- the cost of keeping your sheep should be entirely borne by you.
Of course I will fence in my lettuce so it doesn't go wandering onto your property, and to keep the wild critters from it. But, the wild critters, were they nibbling on my buttercrunch, would be fair game.
The referenced article is 100% fluff. It's purely crap, too. The current state of the art is NOT the stuff of television's battling shoeboxes, as the author seems to envision it.
This is easy enough to do. Check out my top level index (the one above this article) -- there's an email address there that delivers, and adds the delivering server to my local blacklist. It contains the harvester's (or other visitor's) email address, cheesily encoded.
;-) But if you really want to email me, my user name in my domain is the same as my user name here. Nuthin' to it.
Ya know what I've found? The harvester bots are almost all running on cable modems. They use them for a while, then throw them away. And they rarely, very rarely, send spam from the same host that's out harvesting. In my experience, the harvester runs on a cable modem in the US, and the spam comes from overseas, or an open relay on some network unrelated to that of the harvester.
Want to get your SMTP server blocklisted in my network? Send mail to the email address at the top of this message.
And not so creative ways to identify harvesters is not news.