IMO the IPCOP style firewall systems are only good for quite basic setups, mostly in the 'two NICs, one external one internal' realm.
But if your firewalls need to have multiple NICs and such, running carp and pfsync, doing all sorts of funky stuff on each, then the web based things suck. The best I've seen is pfsense, but it still suffers from the whole concept of internal/external NICs instead of just letting me sort that shit out.
I use FreeBSD for all my firewalls now, with the exception of one pair of firewalls which I use OpenBSD with, only because obsd has the 'carpdev' option and FreeBSD does not, meaning I can't carp external IP addresses properly ( FreeBSD looks for the NIC with an IP on the same subnet as the desired carp IP ).
If you are looking after a semi-complex network then IMO don't use IPCOP/pfsense style setups, as nice as they may be for some things.
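To make the carpdev point concrete, here is an added configuration example (not from the original post) showing the two ways of binding a CARP address to a parent NIC. The interface name fxp0, the addresses in 192.0.2.0/24, the vhid and the password are all assumptions, and the file syntax is the OpenBSD hostname.if and FreeBSD 6.x rc.conf style of that era.

```conf
# Added example, not from the original post. fxp0, 192.0.2.0/24,
# vhid 1 and the password are assumed values; replace them for real use.

# --- OpenBSD: /etc/hostname.carp0 ---
# 'carpdev fxp0' pins carp0 to a parent NIC explicitly, so the shared
# address does not need to lie on a subnet already configured on fxp0.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev fxp0 pass CHANGE_ME advskew 0

# --- FreeBSD 6.x: /etc/rc.conf ---
# There is no carpdev here: the kernel chooses the parent NIC by finding an
# interface whose own address is on the same subnet as the carp address.
# If fxp0 carried no address in 192.0.2.0/24, carp0 would have no parent,
# which is the limitation the post describes for external addresses.
cloned_interfaces="carp0"
ifconfig_fxp0="inet 192.0.2.2 netmask 255.255.255.0"
ifconfig_carp0="vhid 1 pass CHANGE_ME advskew 0 192.0.2.1/24"
```

The practical consequence is the one the post gives: on FreeBSD of that vintage the parent NIC must already hold an address on the carp subnet, while OpenBSD's carpdev lets you name the parent directly. Whichever form is used, the shared password should be a real secret, since CARP advertisements are authenticated with it.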
Right now I am in the process of replacing 8 obsd firewalls with FreeBSD... turns out OpenBSD can't route at 100Mb/s on the hardware I'm using ( P2-400s with 256MB RAM and fxp NICs ). The problem seemed to be with something in obsd itself... I could upload to the fw at full speed, copy from the firewall to other machines at full speed, but could not go thru the firewall at full speed.
FBSD 6.1 on the exact same hardware is able to do 100Mb/s just fine, using the exact same pf rules and everything.
OBSD seems to have a lot of interesting things added on to it, but more and more I'm finding its kernel or drivers or some sort of low level thing seems to be letting it down.. it seems to just be slow and bizarre sometimes.
I've got a number of systems with just 6GB or less of hdd space, and I have plenty of room to build the tree. You only need around 1500MB spare on /usr.
And even if you use some sort of ancient hardware with really minimal hdd space, you can still build patches on another machine and install them. Perhaps have a look at http://openbsdbinpatch.sourceforge.net/
There are a few things I don't like about OpenBSD;
* no pf logging to syslog in clear text format ( as opposed to tcpdump format )
* no NetBSD-like /etc/rc.d/ system
* and there were a few other minor things I can't remember right now...
Apart from that.. I really like the effort that goes into the security side of things, look at all the _foo users/groups grow from the privsep work, look at all the wee daemons and utils that pop up, like spamd, hotplugd, bgpd, ntpd.. and all while keeping it all clean and logical and ready for use.
Nice work obsd people. Must be about time to have a relaxing beverage or twelve :)
I was being nasty to an i386 NetBSD 2.0F box the other night, by pulling out the IDE cable to its hdd while it was up and running :)
NetBSD then put up some green text, with a few details and a mention of the hdd timing out. After I plugged the hdd back in, it carried on without any problems.
I did it a few times, and even pulled the cable out during a find /, and it did not die :)
The only way I managed to get it to crash was to unplug the IDE cable and put it into another unrelated hdd... which made it go into ddb mode :)
Pretty damn stable IMO
#include "imo.h"
I think the advantages of FreeBSD are drivers ( for newer toys ), speed, and that jail thing ( which I have not actually used ) which AFAIK lets you run a virtual machine chroot thing. Also, FreeBSD ( and NetBSD ) have automagical tools to update the ports/packages and things. On OpenBSD you need to pkg_delete them yourself.
Other than that, I think OpenBSD is the ticket. Lots of people seem to think OpenBSD is only a firewall OS... which is unfortunate. OpenBSD works fine as a standard server ( eg, web, dns, mail, ftp, samba, etc ). The security effort which goes into obsd also goes deeper than just things disabled by default, too.
Yeah going barefoot is kinda like going from a Windows person to discovering Linux/BSD for the first time :)
I found that to start with, moving around in bare feet can hurt the sole of the foot because the sole's skin has become so used to being in a shoe, and is soft and thin.
But the more frequently you travel around in bare feet, the more your feet and legs adapt. After a while walking/running in bare feet becomes quite enjoyable, because it has you think about where you are going and on which surface.
Perhaps if you could try walking/jogging/running on a treadmill... or thin grass ( eg, lawn or sports field or such kind of grassy area )...
IMO the best way to run is in bare feet, ie, no shoes. That probably sounds stupid to most people, but when your feet are bare, you get lots of feedback and built-in reflexes from the nerves in your feet.
One important piece of feedback you get, is to NOT LAND ON YOUR HEELS. Your legs and feet are not designed for you to land on your heels ( but shoe companies and podiatrists would like you to think so ). Instead, bare feet teach you to land on your forefoot ( eg, the area around the balls of your feet, just behind your toes ).
A forefoot strike has advantages over a heel strike. In brief;
Much less chance of injury ( eg shin splints, runner's knee, etc ). However, during the first two weeks of learning to run with a proper forefoot strike style, I had sore calf muscles. This was the 'numb, lactic acid, I've done more than I am used to' type soreness. This is something your calves get used to quickly, just like how your biceps grow if you do bicep curls. The main reason for less injury is because the energy absorbed from each foot landing is stored/absorbed in muscles, rather than being driven up thru your bones and joints ( eg, ankle, knee, hip, and back ) as is the case with heel strikes.
It stores energy from the landing, and releases it as your body moves over your foot plant.
It allows you to run with minimal vertical motion in the torso area, if your knees are bent when your foot touches the ground. As the body goes over the footplant, the leg straightens, which keeps the torso in the same vertical position.
And as a result, you end up running very efficiently. One obvious thing about running properly ( with a forefoot strike ) is that you become very very quiet, eg, almost completely silent in the feet department, quite the opposite of the comparative racket most runners make with their enormous heel striking boots.
Anyway, I think that the best running shoe is one which is simply like a protective layer of skin over your foot, IE, as close to running in bare feet as possible.
And the best way to run is in bare feet, but in rare cases ( or when you're just starting out ), bare feet are not always practical ( eg, sharp gravel, areas that are likely to have hidden sharp things ), but in 80% of places I find I can run barefoot with no problems.
If you have injuries / problems with running, then perhaps have a look at www.runningbarefoot.org or www.posetech.com, and learn how to run properly ( with a forefoot strike style ), and do not rely on shoes to do the running for you.
I just recently started setting up some virtual hosting, and for mail I used NetBSD, qmail and SpamAssassin 2.90 ( both of which are new to me ) and it's all working great now. It has taken me around 5 light days to get each working how I want it to.
NetBSD, qmail and SpamAssassin are excellent; give them a try if you have not already :)
Oh and "turns out OpenBSD can't route at 100Mb/s on the hardware I'm using" means speeds of around 300-500 kilobytes per second transfers.
"Whats more if you keep it up to date, weekly builds, then you shouldn't have any more trouble then any other distro."
Are you serious? WEEKLY builds? And that's not already a lot more trouble than any other distro?
So the OpenBSD developers don't seem to mind the compilers and src in their OS, but a guy in a book thinks it's bad without explaining why?
If a box is compromised, then it's compromised. That a compiler is not installed on the system is not going to help that, is it?
Care to explain how, exactly?
Yeah I noticed the 'I don't want to maintain a build machine' part after I posted. But why not GCC? What is so wrong with that?
What a load of bollocks?
apt-get dist-upgrade. Upgrades all the other body parts too.
All sorts of tricks and tips and new programs and scripts and ideas can be passed around and shared.
Two of my most favourite OSes released in close proximity to each other. Yay :)
Anyone else here find they often switch back and forth between BSDs?
If you want to stay on the old pkgsrc tree and receive important fixes only ( eg, security bug fixes ), then use the 'pkgsrc-2003Q4' cvs tag :)
What are you on about?
But unless one really needs something special out of FreeBSD ( eg, SMP ) why not start with OpenBSD?
/me likes OpenBSD :)
OpenBSD's security is a lot more than just services disabled by default, and is useful well beyond a firewall.
September of 2002? C'mon.
Yep, FreeBSD owns for smooth multitasking :)
It's also a lot cleaner than Linux, and as you mention, the licence is much more free and proper.
The GNU licence itself is bloated.
* its coordinates would be sane by default
* it would weigh less ( no needless bloat )
* via propolice, buffer overflows ( explosion of rocket fuel ) would be far less likely to result in a rooted rocket
I've just completed a 3.2 -> 3.3 upgrade from source. Things went pretty smoothly.
To test that your stack protection has been compiled into binaries, do this:
strings /path/to/program/binary | grep stack_smash
You should see a line like this ( and perhaps others ):
__stack_smash_handler :)
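The strings | grep check above wrapped in a small POSIX shell function, as an added example that is not part of the original post. It goes a little beyond the post: besides OpenBSD's ProPolice handler name (__stack_smash_handler) it also looks for __stack_chk_fail, the name later GCC versions call on a canary mismatch, and it greps the file directly with grep -a so it does not depend on the strings utility being installed. The function name has_stack_protector and the return-code convention are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post): report whether a binary references
# a stack-protector failure handler. Matches OpenBSD's ProPolice symbol
# __stack_smash_handler (as in the post) and the later GCC name __stack_chk_fail.
# Exit status: 0 = a handler symbol was found, 1 = none found, 2 = unreadable file.
#
# Caveat: this is the same heuristic as `strings | grep`. A match means at least
# one function in the binary references the handler (so the protector was on for
# it); it does not prove every function was instrumented, and a stripped static
# binary may still keep the string, so treat a hit as evidence, not proof.
has_stack_protector() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # -a treats the binary as text, -o prints only the matched symbol names.
    found=$(LC_ALL=C grep -a -o -e '__stack_smash_handler' -e '__stack_chk_fail' "$file" | sort -u)
    if [ -n "$found" ]; then
        printf '%s: stack protector handler referenced (%s)\n' "$file" "$(printf '%s' "$found" | tr '\n' ' ')"
        return 0
    fi
    printf '%s: no stack protector symbol found\n' "$file"
    return 1
}

# Usage: has_stack_protector /path/to/program/binary
# e.g.   has_stack_protector /bin/ls
```

Run it over a directory with a loop such as `for f in /usr/local/bin/*; do has_stack_protector "$f"; done` to get a quick inventory of which installed binaries were built with the protector; the ones reporting "no stack protector symbol found" are the ones worth rebuilding with it enabled.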
Yay for OpenBSD
Oh :D Thanks guys, that is very useful information :)