Well both USB and Bluetooth are designed to link gadgets to a central unit of some kind. It's never intended to be a networking solution.
It is possible to expand the setup by switching roles (one uber brain gives commands to 3 others, these then switch to master and talk to 3 more each). But it would be a painful setup.
However, the designers seem to have understood that issue too. Port 4 doubles as a 921.6 Kbit/s RS485 link, multidrop, see http://www-p-net.org/
So the hardware is there, and the firmware is upgradeable (and replaceable), it's just up to what people want, and can code.
But what bugs me is that this review, like many others, claims that the sound sensor can react to tunes and melodies.
But all documentation states that it only measures sound pressure. So it can react to a loud sound, or a series of them, like hand claps, but that's it.
Makes you wonder why reviews claim functions not supported by the docs. // hdw
Erh, last time I checked the local store there were loads of Technic kits. From simple gadgets to gargantuan trucks (actually, every time I see a new one I check to see if there's any funky bits I want).
And even pure 'bits' boxes, with axles, joints, beams, gears and stuff.
There was nothing in my RIS kit that I didn't already have (except for the pbrick and sensors of course).
And since studded beams and unstudded beams work perfectly together, they also work perfectly with every other brick (ok, I've never found any use for BURPs), I don't see the issue.
Even weird ball joint stuff from Slizers/Throwbots and Bionicle comes in handy when building robot overlords.
The first gadget I hacked up when I got my Vision Command was a defense turret that fired Slizer disks at anyone entering its zone, even adjusting trajectory based on feedback from the Vision Command software. // hdw
Check the NXT HDK, page 8.
Port 4 can also function as a bi-directional multidrop RS485 high speed link (well, 921.6 Kbit/s at least).
So expanders and multiplexers like the ones we've seen for the RCX are included in their plans. If no one else starts to build and sell them first :) // hdw
I don't find it that hard, most daemons have little need for full access to the file system.
Named, dhcpd, ntpd and such mainly need access to their files and a syslog socket.
The main headaches come with CGI and/or server-side scripting for the web.
But a small validating app, linked static and communicating with the main app via an AF_UNIX socket still feels better than letting the entire httpd roam free.
But then, I'm quite paranoid by both habit and trade. I like chroot jails because I feel that they give me smaller blocks of software to bother about at a time.
Had my trade been to churn out working software, filling all the specs the customer expects, on time and on budget, my feeling would most likely be different.
As it is now I almost feel some perverse joy in dealing with the jails :) // hdw
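The "small validating app talking to the main app over an AF_UNIX socket" pattern from the post above, as an added example (not code from the post or from any OpenBSD daemon). The front end forks a child that, when run as root, chroots into an empty directory and drops to an unprivileged uid before reading a single byte of untrusted input; after that it can only answer one narrow question over the socket. The field name, the policy regex, the uid/gid, the framing and the sample inputs are assumptions for illustration.

```python
"""Privilege-separated input validator talking to its front end over AF_UNIX.

Added example, not from the original post. If the validator is exploited the
attacker gets an empty jail and a socket, not the httpd's view of the filesystem.
"""
import os
import re
import socket
import struct
import tempfile

# Policy enforced inside the jail: a hypothetical "username" form field.
USERNAME_RE = re.compile(rb"[a-z][a-z0-9_-]{0,31}")
MAX_MSG = 4096            # hard cap on one framed message (assumed)
NOBODY_UID = 65534        # assumed unprivileged uid/gid for the jailed child
NOBODY_GID = 65534


def _recv_exact(sock, n):
    """Read exactly n bytes, or None if the peer went away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def send_msg(sock, data):
    """Length-prefixed framing so neither side has to guess message bounds."""
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_msg(sock):
    """Return one framed message, None on EOF; refuse oversized frames."""
    hdr = _recv_exact(sock, 4)
    if hdr is None:
        return None
    (n,) = struct.unpack("!I", hdr)
    if n > MAX_MSG:
        raise ValueError("oversized message")
    return _recv_exact(sock, n)


def drop_privileges(jail_dir):
    """chroot into jail_dir and become an unprivileged user.

    Only root can chroot/setuid. Unprivileged, the jail is skipped and False is
    returned so the caller knows the child is NOT confined. A root process that
    lacks chroot capability (some containers) still drops its uid/gid.
    """
    if os.geteuid() != 0:
        return False
    confined = True
    try:
        os.chroot(jail_dir)
        os.chdir("/")
    except OSError:
        confined = False
    os.setgroups([])
    os.setgid(NOBODY_GID)
    os.setuid(NOBODY_UID)
    return confined


def validate(field):
    """The only question the jailed process answers."""
    return USERNAME_RE.fullmatch(field) is not None


def validator_loop(sock, jail_dir):
    """Child side: confine first, then serve verdicts until the peer hangs up."""
    drop_privileges(jail_dir)
    while True:
        msg = recv_msg(sock)
        if msg is None:
            break
        send_msg(sock, b"ok" if validate(msg) else b"reject")


def start_validator():
    """Fork the jailed validator; return (parent socket, child pid, jail dir)."""
    jail_dir = tempfile.mkdtemp(prefix="jail-")
    parent_sock, child_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        parent_sock.close()
        try:
            validator_loop(child_sock, jail_dir)
        finally:
            os._exit(0)   # never fall back into the parent's code path
    child_sock.close()
    return parent_sock, pid, jail_dir


def check_username(sock, value):
    """Front-end side: anything but an explicit 'ok' (a dead child included) is a reject."""
    try:
        send_msg(sock, value)
        return recv_msg(sock) == b"ok"
    except OSError:
        return False


def run_demo():
    """Constructed sample inputs; returns {input: accepted?}."""
    sock, pid, jail_dir = start_validator()
    samples = [b"alice", b"bob_01", b"Alice", b"../../etc/passwd", b"a" * 40]
    results = {s: check_username(sock, s) for s in samples}
    sock.close()              # EOF makes the child leave its loop
    os.waitpid(pid, 0)
    os.rmdir(jail_dir)
    return results


if __name__ == "__main__":
    for field, ok in run_demo().items():
        print(field, "ok" if ok else "reject")
```

Run it as root to see the chroot take effect; unprivileged, the exchange is identical but `drop_privileges` reports that no jail was entered. The front end treats a dead or silent validator as a reject, which is the failure mode you want when the jailed side crashes on hostile input.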
It's not only that stuff is turned off, their default configs are also as secure as possible.
Privilege separation and chroot jails added to more and more daemons and tools. Apache chrooted in the default config.
And yes, the kernel is most likely harder too.
The dogmatic 'free, functional and secure' has that function. It also means that OpenBSD will always lag behind in features and support for new gadgets.
I find it highly annoying from time to time, having to deal with all the chroot jails and shit when coding.
But in the end I think it's worth it. // hdw
And as with packet vs circuit switched, both models have their uses.
The central hub model is better when it comes to fuel, noise and environmental impact.
The PP model is better when it comes to time and flexibility.
Hub carries a heftier initial investment.
PP carries a higher operational cost.
Both have strengths and weaknesses, and one will not mean the end of the other, both have their uses and their markets.
If you go from a location within car/bus/train range of a major airport to another location a continent and/or ocean away within car/bus/train range from a major airport, PP makes sense.
Like NY - Los Angeles.
But if you want to go between two locations not within car/bus/train range of a major airport you'll have to change planes anyway, so Hub makes sense.
Like Riga/Latvia - Madison/WI/USA.
Amen to that.
Two junkboxes, an SS10/30 that happened to have a quad-ethernet and a P200 with 4 cheap PCI NICs.
Both with OpenBSD with pf, pfsync and carp.
WLAN AP connected to the DMZ, allowing only IPsec traffic.
Internal server with samba/nfs, clamd and Squid.
All internal boxes get their virus-scanned mail from the server, all http access thru Squid (with filtering for annoying ads and crap).
All MS boxes also have updated Norton Antivirus and of course Firefox/Thunderbird.
And Daddy gets a good night's sleep, every night :) // hdw
1. "if you're not willing to help fix it then you shouldn't complain about it."
The line and attitude do exist, but in my experience it's often in response to people that ask "why does not include features from Software Y?".
And the answer is "because no one has implemented it".
It doesn't automatically mean "fix it yourself"; discussing the issue, hiring a coder, promoting the feature, there are many ways to get it fixed.
Also, if you put the same question to the company behind 'closed' software they'll most likely say "we'll put it on the list for possible inclusion in the next release" or "you can have it as a module, for just $X.XX extra".
So even if it's not "do it yourself or shut up", it's darn close.
2. "Open Source software allows you to get under the hood and fix problems"
You've missed the key word, "allows", it doesn't say "requires".
It not only allows you to do it, it allows anyone to do it, and it allows anyone to share the fix.
If it's closed source you're in the hands of the company/developer and there's nothing you can do except whining or dragging them to court.
3. "All software should be free"
You still seem to mix up "free as in speech" and "free as in beer".
Nothing stops you from writing a piece of software and selling it.
If someone would write an Open Source version allowing anyone to use it for free and people stop paying for your version, then your version ain't worth the money.
Like many developers (and software companies) you assume that the 'value' of the software is the cost it took to develop, which is false.
The value of any software is the value it provides for its users.
And more importantly, most software (except games) doesn't actually 'produce' anything, it adds value by increasing the productivity of someone/something using the software.
But all software has a value, most likely a different value for different users.
If the value of the software exceeds the cost of the software, it's good software, and the better value vs cost ratio you get, the better the software.
And the famous Commoditization of Software doesn't mean that developers don't get paid, it means that a large number of users have found that they all have a common interest in a piece of software, and that the users, as a group, will add the resources needed.
If a company decides that they will use open source/free software for business critical operations they will make sure that they have the resources needed to do so, either with in-house developers or by buying the service.
And with the fixes done they can decide if they want to keep the fix in-house, or if they'll release it (and cash in some karma).
But it's always about value and cost, if you can provide better value for lower cost, you win, otherwise, you lose.
And that's not an effect of free software, it's an effect of a free market economy.
We've always had the choice: buy shrinkwrapped, pay a developer or develop it in house (or yourself). What free software has added is the community effect, a group of users with similar requirements pooling resources to develop the software.
It doesn't replace the previous three, it just adds a new model. And ruled by the market economy, the model that provides the most bang for the buck, in a particular setting, wins.
4. "Open Source software is always better than closed, proprietary software".
I agree, it isn't always better, it just adds another model, sometimes it's better (more valuable), sometimes it's not.
5. "Scratching the personal itch"
Yes, it's not only a good way, it's the best way.
It's called "based on requirement". It doesn't have to be the individual developer's itch, it can just as well be the one who funds the developer's itch.
You seem to envision all free software developers as students or kids sitting in their parents' basement. Wrong, many are being
Well yes and no.
A 'software' firewall residing on the PC in question does have several merits.
It can check which software is trying to open the connection and filter on application instead of filtering on port and/or address alone.
It's also simpler to implement since it's just a piece of software to load.
But it also requires the user to accept or reject applications requesting access (and knowing users, they will just click accept all the time).
It is also possible for malware to trick or disable it.
The 'hardware' firewall (on a dedicated box, router or modem) is of course much safer but it has several limitations.
The biggest is the challenge to write and maintain the ruleset.
I'm using the hardware version, blocking all outgoing traffic except from a dedicated proxy and configuring the PCs behind it to use the proxies for mail and web.
But my kids aren't old enough to want to play multiplayer games and other stuff that most people sooner or later want to.
And it also requires me to maintain the filter list in the proxy.
So, no, there's no simple fix I'm afraid. // hdw
(Yes, I assume that everyone blocks incoming traffic with a NAT box or such.)
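The "block all outgoing traffic except from a dedicated proxy" setup described in the post above, written out as an added example pf.conf. It is not the poster's ruleset, and it uses the match/nat-to syntax of current OpenBSD releases rather than the 3.x-era syntax the post would have used. Interface names, the proxy address, the service ports and the proxy host also serving DNS are assumptions.

```pf
# Added example, not the poster's own ruleset. Interface names, the proxy
# address and the service ports are assumptions.
ext_if = "em0"
int_if = "em1"
proxy  = "192.0.2.10"        # runs squid (3128) and the mail relay (25/110/143)
lan    = $int_if:network

set skip on lo
set block-policy drop

# Default deny in both directions; log what the LAN tries to sneak out.
block log all

# The proxy host is the only internal address that gets translated.
match out on $ext_if inet from $proxy nat-to ($ext_if)

# Clients may only talk to the proxy host, and only to its proxy services.
pass in on $int_if proto tcp from $lan to $proxy port { 3128, 25, 110, 143 }
# Recursive DNS lives on the proxy host as well (assumption).
pass in on $int_if proto { tcp, udp } from $lan to $proxy port 53
# Admin access to the firewall itself from the LAN.
pass in on $int_if proto tcp from $lan to ($int_if) port 22

# Only the proxy host may initiate traffic towards the outside.
pass in on $int_if from $proxy to ! $lan
pass out on $ext_if
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` for a while: every blocked, logged packet from a client address is either malware phoning home or a program (the multiplayer games the post mentions) that the proxy-only model cannot carry without a dedicated hole.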
I've got some 233MHz laptops that work like a wonder.
One is a dead silent, always on, network monitor (running tkined/scotty).
Another is my SMS/Voice gateway.
A third (which is actually a P90) is my wireless MUD client.
So don't say that slow old laptops are useless, just because you can't play the latest games on 'em. // hdw
Well how's justice in the Americas these days?
Or in Asia?
Wouldn't it be more correct to ask about the state of justice in Nigeria, since that's where this is taking place?
Nigeria is, after free elections in 2003, nominally a democracy with a solid justice system, but still suffering from a long time under military rule and rampaging corruption.
If you rtfa you'd see that several of the people arrested are high-ranking officials.
But the note that one of them died in prison makes you ponder.
But bottom line, don't ask about Africa if you mean Nigeria, just as you don't ask about the Americas if you mean Nicaragua.
PF is not hard to understand and distributing common rules and specific rules is super easy and secure, with tools that come with a default install of OpenBSD (scp).
I have no problem understanding pf rules or distribution via scp (or cvs, works very well).
But it's not about understanding pf rules, it's about keeping track of, often hairy, network and system topology, of various security policies and in many cases a horde of users that need authentication (and that forget their PINs, break their tokens, move between sites...).
All perfectly possible to handle by editing the rules by hand and pushing out with scp, but only together with hordes of other docs keeping track of all the needed fluff.
Then add that changes to the ruleset should be fully traceable and often have to pass thru several pairs of hands and eyes before we even reach the firewall admin. So we really need something easier on the eye than pf rules.
A good, database driven, firewall admin GUI is a very good thing, and it's a vital part of enterprise security.
Any enterprise which hires network or firewall admin staff who can't understand pf.conf after reading the fine docco, needs to look into why their hiring policies are such a failure, so as to allow them to hire a fraud.
Oh, come on, step down to the land of the living.
People get shifted around at every reorganisation, suddenly all security is in one global department, 6 months later it's back to the local sites, then it's outsourced, then it's insourced again and 'firewall admins' aren't just carefully selected high profile security pros, they come from all over the place.
// hdw
ps.
I think I'll go back and look one of my old projects again, OpenBSD/pf/altq/carp is really getting ready for primetime.
ds.
First of all, I said Mb, not MB, call me conservative but I'm used to count bandwidth in bits, not bytes.
Second, as I stated, check your NIC and the drivers. It means a lot when it comes to network handling.
(I remember how our old VAX 11/785 reacted when it shared a non-switched net with 2 sparc servers, the poor VAX was down on its knees just by trying to ignore the traffic :)).
And as a wider note, the performance of a system isn't only down to processor speed. There's tons of parameters, both hard and soft, that come into play.
Figuring out _what_ parameter to fiddle with is regarded as voodoo:)
/ hdw
ps No, I'm no speed guru, neither did I wave a dead chicken and dance backwards while installing that firewall. I asked for a raw Internet feed to the labnet, and at that time we didn't have anything less than 100Mb/s to hand out. And the server played it nice. ds.
Yup, we have something like that too.
Except that our 50.000USD firewall solution fails to handle state sync (they've got problems enough with rules sync) and the failover works so badly that the dudes that run it have failed over to manual failover :)
I've been _soo_ tempted to suggest replacing all the gunk with OpenBSD, since it has all the stuff we need, and it works...
And it is a little bit cheaper. // hdw
Yes they may. But why should anyone listen?
If you want a certain feature then you either code it, or pay someone to code it. Wishing doesn't produce better software.
Sure, you can contact the developer(s) and say "wouldn't it be nice if..." but don't whine if she/he says "sure, when/if I get the time and/or resources".
If you don't like that answer then either provide the resources or pay for commercial software.
Uh?
The bug I create by switching an option in a config file from on to off?
The point of having options in the config file is that you're supposed to config the kernel to your needs.
Switching unused options off is careful consideration. // hdw
Every added feature adds risk for bugs.
If I don't use a feature I turn it off.
In this case I know that I'm not using IPv6, but there might very well be IPv6 traffic around my firewalls.
Even if no one can connect over IPv6, it doesn't mean that IPv6 packets will not be processed by my kernel.
Can you really say that disabling IPv6 support in the kernel does not affect security?
The code standard in OpenBSD is very high, but it's not bug free. And a bug in disabled code is a bug that can't bite me.
And I don't 'gank' anything out, I use the configuration file exactly as it's supposed to be used.
Every time there's a new release I reinstall my build server, then I go over rc.conf, sysctl.conf and the kernel conf adding the options I need, removing the stuff I don't need and build my internal release. // hdw
Removing unused features/services/functions does add to your overall security and system stability.
If you don't use IPv6 then taking it out of your kernel is a good move.
But I agree to a point, just rampaging through your kernel config removing fluff isn't security.
Done in a sane way it's an addition to security and stability. // hdw
It is sad to see one weak password responsible for such a breach.
Eh? Why is everyone talking about a weak password?
The article says sniffed password.
I assume that they're not using cleartext password authentication, which means that it wasn't sniffed on the wire, it was sniffed on a (compromised) box that some user used to log in.
And if the clientbox is compromised it doesn't matter if you use password or a passphrased key.
Even keeping your key on something removable (like a USB keychain) doesn't help you, the cracker can easily snarf both key and passphrase :(
The only way to bypass that would be an external pinpad style device.
I've put networked computers in the kids' rooms since they turned 3.
Now they're 6, 7 and 8 and handle their computers with ease and create fewer hassles for admin/dad to solve than the people at the office.
Well, it can get a bit noisy when they're playing Lemmings Paintball, XPilot or Tank and yelling at each other but that's about it.
But, of course, locked in behind a firewall and filtering proxy.
The filter proxy runs on whitelist, when they hit a blocked site they get the chance to request it opened (by clicking a link).
I'll then screen the site and add it to the list.
Being that young I'm not overly bothered about sites with 'hot' content, but I'm bothered about malware sites (including spyware) and weird chat sites.
And yes, I do get a log of mail messages (to,from,date) once a week.
A little messy to set up and admin but it lets the kids use their computers as a normal part of life, playing games, using the net, sharing data over the LAN and upgrading their antivirus (and bitching about the fascist admin, just like most users ;)).
The only issue is that they can't play some of the head-to-head webgames due to the firewall (and some NAT issues).
Well Gator/Claria can be compared with TV commercials.
TV programs are either paid directly by the customers subscribing to the channel (or pay per view) or indirectly by showing commercials.
Just as some software is paid directly by the user or indirectly by showing commercials (pop-ups, banners et al).
And just as the TV networks handle the commercials and pay out money to whoever produced the TV program, there's companies handling computer commercials handing out money to whoever produced the computer software.
So far it's not a problem, I can choose to install 'AD-ware' programs because I don't want to pay for them. Just as I can choose to watch movies on channel 3, with annoying ads every 20 minutes, because I don't wanna pay for a movie channel without ads.
The real problem with Gator/Claria (and many others) is that they show ads all the time, not just when I use the software that they're supposed to pay for.
And worse, the software that's paid for by the ads doesn't really tell me what I'm installing. Instead they say "with this software you get this wonderful extra tool/helper for free" and not "you've chosen to install the 'adware' version of this software, this means that we will install a piece of software that (when it works correctly) will monitor your surfing habits and pop up commercials tailored after your habits."
What the 'extra' software really does is usually tucked deep in some 40 page fine print EULA, if mentioned at all.
Ok, there are exceptions, where they actually tell you, but they're _very_ rare.
If Gator/Claria stated what they're up to when the software installed it wouldn't be spyware.
BSD box (a PIII 800 w/512 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder.
I just wanted to point out that it most likely wasn't the OS that was his problem.
And yes, neatly stacked data, and I wouldn't get even close to such write speed; I barely reach it with reads.
raider:videos {102} dd if=apa.mpg of=/dev/null
1418269+0 records in
1418269+0 records out
726153728 bytes transferred in 14.513 secs (50033719 bytes/sec)
On the other hand, this system would cost 500 USD if built today ;)
But 20+ minutes for 17 Megs? I'd say something is badly wrong.
And I don't think it's the OS.
My 486 DX2/66 copies 17 Megs in less than 30 seconds (and it's running OpenBSD).
Is there any accessible source for the statement that Tim Paterson had access to the CP/M source?
As opposed to implementing the CP/M API from the official programmer's reference.
Amen to that.
:)
// hdw
Two junkboxes, an SS10/30 that happened to have a quad-ethernet and a P200 with 4 cheap PCI NICs.
Both with OpenBSD with pf, pfsync and carp.
Wlan AP connected to DMZ allowing only IpSec traffic.
Internal server with samba/nfs, Clamd and Squid.
All internal boxes get their virus scanned mail from the server, all http access thru squid (with filtering for annoying ads and crap).
All MS boxes also have updated Norton Antivirus and of course Firefox/Thunderbird.
And Daddy gets a good nights sleep, every night
1. "if you're not willing to help fix it then you shouldn't complain about it."
The line and attitude do exist, but to my experience it's often in response to people that ask "why does not include features from Software Y?".
And the answer is "because noone has implemented it".
It doesn't automaticly mean "fix it yourself", discussing the issue, hiring a coder, promoting the feature, there's many ways to get it fixed.
Also, if you put the same question to the company behind a 'closed' software they'll most likely say "we'll put it on the list for possible inclusion in the next release" or "you can have it as module, for just $X.XX extra".
So even if it's not "do it yourself or shut up", it's darn close.
2. "Open Source software allows you to get under the hood and fix problems"
You've missed the key word, "allows", it doesn't say "requires".
It not only allows you to do it, it allows anyone to do it, and it allows anyone to share the fix.
If it's closed source you're in the hands of the company/developer and there's n othing you can do except whining or dragging them to court.
3. "All software should be free"
You still seem to mix up "free as is speech" and "free as in beer".
Nothing stops you from writing a piece of software and sell it.
If someone would write an Open Source version allowing anyone to use it for free and people stop paying for your version, then your version ain't worth the money.
Like many developers (and software companies) you assume that the 'value' of the software is the cost it took to develop, which is false.
The value of any software is the value it provides for it's users.
And more important, most software (except games) doesn't actually 'produce' anything, they add value by increasing the productivity of someone/something using the software.
But all software has a value, most likely a different value for different users. If the value of the software exceeds the cost of the software, it's a good software, and the better value vs cost ratio you get, the better the software.
And the famous Commoditization of Software doesn't mean that developers doesn't get payed, it means that a large number of users have found that they all have a common interest in a piece of software, and that the users, as a group, will add the resources needed.
If a company decides that they will use an opensource/free software for business critical operations they will make sure that they have the resources needed to do so, either with in-house developers or by buying the service.
And with the fixes done they can decide if they want to keep the fix in-house, or if they'll release it (and cash in some karma).
But it's always about value and cost, if you can provide better value for lower cost, you win, otherwise, you lose.
And that's not an effect of free software, it's an effect of a free market economy.
We've always had the choice, buy shrinkwrapped, pay a developer or develop it in house (or yourself). What free software has added is the community effect, a group of users with similar requirements pool resources to develop the software.
It doesn't replace the previous three, it just add a new model. And ruled by the market economy, the model that provides the most bang for the buck, in a particular setting, wins.
4. "Open Source software is always better than closed, proprietary software".
I agree, it isn't always better, it just adds another model, sometimes it's better (more valuable), some times it's not.
5. "Scratching the personal itch"
Yes, it's not only a good way, it's the best way.
It's called "based on requirement". It doesn't have to be the invidual developer s itch, it can just as well be the one who funds the developer's itch.
You seem to envision all free soft developers as student or kids sitting in their parents' basement. Wrong, many are being
Well yes and no.
// hdw
A 'software' firewall residing on the PC in question does have several merits.
It can check which software is trying to open the connection and filter on application instead of filtering on port and/or adress alone.
It's also simpler to implement since it's just a piece of software to load.
But it also requires the user to accept or reject applications requesting access (and knowing users, they will just click accept all the time).
It is also possible for malware to trick or disable it.
The 'hardware' firewall (on a dedicated box, router or modem) is of course much safer but it has several limitations.
The biggest is the challenge to write and maintain the ruleset.
I'm using the hardware version, blocking all outgoing traffic except from a dedicated proxy and configuring the PCs behind to use the proxies for mail and web.
But my kids aren't old enough to want to play multiplayer games and other stuff that most people sooner or later want to.
And it also requires me to maintain the filterlist in the proxy.
So, no, there's no simple fix I'm afraid.
(Yes, I assume that everyone blocks incoming traffic with a NAT box or such.)
I've got some 233MHz laptops that works just like wonder.
//hdw
One is dead silent, always on, network monitor (running tkined/scotty).
Another is my SMS/Voice gateway.
A third (which is actually a P90) is my wireless Mud client.
So don't say that slow old laptops are useless, just because you can't play the lastest games on 'em.
Well how's justice in the Americas these days?
Or in Asia?
Wouldn't it be more correct to to ask about the state of justice in Nigeria, since that's where this is taking place?
Nigeria is after free elections in 2003 nominally a democracy with a solid justice system, but still suffering from a long time under military rule and rampaging corruption.
If you rtfa you'd see that several of the people arrested are highranking officials.
But the note that one of them died in prison makes you ponder.
But bottom line, don't ask about Africa if you mean Nigeria, just as you don't ask about the Americas if you mean Nicaragua.
PF is not hard to understand and distributing common rules and specific rules is super easy and secure, with tools that come with a default install of OpenBSD (scp).
...).
// hdw
I have no problem understanding pf rules or distribution via scp (or cvs, works very well).
But it's not about understanding pf rules, it's about keeping track of, often hairy, network and system topology, of various security policies and in many cases a horde of users that need authentication (and that forget their PINs, break their tokens, move between sites
All perfectly possible to handle by editing the rules by hand and push out with scp but only together with hordes others docs keeping track of all the needed fluff.
Then add that changes to the ruleset should be fully traceable and often have to pass thru several pairs of hands and eyes before we even reach the firewall admin. So we really need something easier to the eye than pf rules.
A good, database driven, firewall admin GUI is a very good thing, and it a vital part of enterprise security.
Any enterprise which hires network or firewall admin staff who can't understand pf.conf after reading the fine docco, needs to look into why their hiring policies are such a failure, so as to allow them to hire a fraud.
Oh, come on, step down to the land of the living.
People get shifted around at every reorganisation, suddenly all security is in one global department, 6 months later it's back to the local sites, then it's outsourced, then it's insourced again and 'firewall admins' aren't just carefully selected high profile security pros, they come from all over the place.
ps.
I think I'll go back and look at one of my old projects again; OpenBSD/pf/altq/carp is really getting ready for primetime.
ds.
Userland CARP is already ported to Linux.
http://www.ucarp.org
/ hdw
yup, I can.
:)).
:)
First of all, I said Mb, not MB; call me conservative, but I'm used to counting bandwidth in bits, not bytes.
Second, as I stated, check your NIC and the drivers.
It means a lot when it comes to network handling.
(I remember how our old VAX 11/785 reacted when it shared a non-switched net with 2 Sparc servers; the poor VAX was down on its knees just by trying to ignore the traffic.)
And as a wider note, the performance of a system isn't only down to processor speed. There are tons of parameters, both hard and soft, that come into play.
Figuring out _what_ parameter to fiddle with is regarded as voodoo.
/ hdw
ps
No, I'm no speed guru, nor did I wave a dead chicken and dance backwards while installing that firewall.
I asked for a raw Internet feed to the lab net, and at that time we didn't have anything less than 100Mb/s to hand out. And the server played it nice.
ds.
Yup, we have something like that too.
:)
...
// hdw
Except that our 50,000 USD firewall solution fails to handle state sync (they've got problems enough with rule sync) and the failover works so badly that the dudes that run it have failed over to manual failover.
I've been _soo_ tempted to suggest replacing all the gunk with OpenBSD, since it has all the stuff we need, and it works.
And it is a little bit cheaper.
I'm running an OpenBSD 3.4 firewall on a PII-400 with a 100Mb/s Internet feed.
// hdw
And I know that I've reached over 40Mb/s without any sign of problem with the firewall.
So unless you're running lots of IPsec stuff or have a high rate of connects I don't think the firewall (or OpenBSD) will be the problem.
I think the selecting a good NIC is more important.
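The state sync and failover the expensive box fails at are CARP plus pfsync on OpenBSD. The script below is an added example, not code from the post or from OpenBSD: it brings up one node of a two-box pair, lists the pf rules both protocols need, and parses `ifconfig` output to report which node currently holds the shared address, which is what you watch during a failover test. Interface names (em0, em2), the VHID, the addresses and the password are placeholders, and the `ifconfig` output embedded for the parser is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenBSD. One node of a
# pf/CARP/pfsync pair: bring-up commands, the pf rules needed, and a check
# that reports which node holds the address. Interfaces, addresses, VHID
# and password are placeholders; for a permanent setup they go in
# /etc/hostname.carp0 and /etc/hostname.pfsync0.

CARP_PASS="${CARP_PASS:-change-me}"   # shared secret authenticating CARP advertisements
ADVSKEW="${ADVSKEW:-0}"               # 0 on the preferred master, e.g. 100 on the backup

carp_up() {
    ifconfig carp0 create
    ifconfig carp0 vhid 1 pass "$CARP_PASS" carpdev em0 advskew "$ADVSKEW" \
        inet 192.0.2.1 netmask 255.255.255.0
    # pfsync replicates the state table over a dedicated crossover (em2).
    # It is unauthenticated, so keep it off any shared or Internet-facing wire.
    ifconfig pfsync0 syncdev em2 up
}

# Rules both nodes need in pf.conf: pfsync on the sync link, CARP on every
# interface that carries a carp address.
PF_RULES='
pass quick on em2 proto pfsync
pass on em0 proto carp
'

# Read "ifconfig carp0" output on stdin, print MASTER, BACKUP or INIT
# (NONE if the interface does not exist).
carp_state() {
    awk '/^[[:space:]]*carp:/ { print $2; found = 1 }
         END { if (!found) print "NONE" }'
}

# Read "ifconfig pfsync0" output on stdin, print the sync interface.
pfsync_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "syncdev:") print $(i + 1) }'
}

# Exit 0 if this node is in the expected role; run it from cron or a
# monitoring check while you pull the cable on the other box.
expect_role() {
    state=$(ifconfig carp0 2>/dev/null | carp_state)
    [ "$state" = "$1" ] || { echo "carp0 is $state, expected $1" >&2; return 1; }
}

# Constructed samples of ifconfig output on the master (not captured from a
# real system), used to exercise the parsers without a carp interface.
SAMPLE_CARP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

SAMPLE_PFSYNC='pfsync0: flags=41<UP,RUNNING> mtu 1500
        pfsync: syncdev: em2 maxupd: 128 defer: off
        groups: carp pfsync'

case "${1:-}" in
    up)     carp_up && printf '%s' "$PF_RULES" ;;
    state)  ifconfig carp0 | carp_state ;;
    expect) expect_role "$2" ;;
esac
```

With `advskew 0` on one box and a higher value on the other the preferred master is deterministic; run `expect MASTER` on it and `expect BACKUP` on the peer, then unplug the master's uplink and watch the two checks swap. Because pfsync has already copied the states, existing connections survive the swap.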
Yes they may.
But why should anyone listen?
If you want a certain feature then you either code it, or pay someone to code it. Wishing doesn't produce better software.
Sure, you can contact the developer(s) and say "wouldn't it be nice if ..." but don't whine if she/he says "sure, when/if I get the time and/or resources".
If you don't like that answer then either provide the resources or pay for commercial software.
// hdw
Uh?
The bug I create by switching an option in a config file from on to off?
The point of having options in the config file is that you're supposed to config the kernel to your needs.
Switching unused options off is careful consideration.
Every added feature adds risk for bugs.
// hdw
If I don't use a feature I turn it off.
In this case I know that I'm not using IPv6, but there might very well be IPv6 traffic around my firewalls.
Even if no one can connect over IPv6, it doesn't mean that IPv6 packets will not be processed by my kernel.
Can you really say that disabling IPv6 support in the kernel does not affect security?
The code standard in OpenBSD is very high, but it's not bug free. And a bug in disabled code is a bug that can't bite me.
And I don't 'gank' anything out, I use the configuration file exactly as it's supposed to be used.
Every time there's a new release I reinstall my build server, then I go over rc.conf, sysctl.conf and the kernel config, adding the options I need, removing the stuff I don't need, and build my internal release.
// hdw
I beg to differ.
Removing unused features/services/functions does add to your overall security and system stability.
If you don't use IPv6 then taking it out of your kernel is a good move.
But I agree to a point, just rampaging through your kernel config removing fluff isn't security.
Done in a sane way it's an addition to security and stability.
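The "sane way" is a small script rather than an editor session: take the kernel config, comment out a named list of options, and refuse to write anything if a name does not match (a typo that silently leaves `INET6` enabled is exactly the failure the post is worried about). This is an added example, not code from the post or from OpenBSD; the GENERIC excerpt in it is constructed for the example, and the real file lives under /usr/src/sys/arch/$(machine)/conf/.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenBSD. Trims a kernel
# config the way the post describes: a copy of GENERIC with named options
# commented out, written only if every requested option actually exists.

# option_present FILE NAME: is "option NAME" present and uncommented?
option_present() {
    grep -Eq "^[[:space:]]*option[[:space:]]+$2([[:space:]=]|$)" "$1"
}

# trim_kernel_config SRC DST OPT...: DST = SRC with each OPT commented out.
trim_kernel_config() {
    src=$1; dst=$2; shift 2
    for opt; do
        option_present "$src" "$opt" ||
            { echo "option $opt not in $src (typo?), nothing written" >&2; return 1; }
    done
    awk -v drop="$*" '
        BEGIN { n = split(drop, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        /^[[:space:]]*option[[:space:]]/ {
            name = $2; sub(/=.*/, "", name)      # "option FOO=1" -> FOO
            if (name in want) { print "#" $0; next }
        }
        { print }
    ' "$src" > "$dst"
}

# Number of options still enabled; a before/after line for the build log.
enabled_options() {
    grep -Ec '^[[:space:]]*option[[:space:]]' "$1"
}

# Constructed excerpt in GENERIC's format (not the real file).
SAMPLE_GENERIC='machine         i386
option          INET            # IP + ICMP + TCP + UDP
option          INET6           # IPv6 (needs INET)
option          IPSEC           # IPsec
option          PPP_BSDCOMP     # PPP BSD compression
option          BUFCACHEPERCENT=10
#option         SMALL_KERNEL
config          bsd     swap generic'

# Typical use after a fresh checkout, before "config FIREWALL && make":
#   trim_kernel_config GENERIC FIREWALL INET6 PPP_BSDCOMP
case "${1:-}" in
    trim)  shift; trim_kernel_config "$@" ;;
    count) enabled_options "$2" ;;
esac
```

Keep the trimmed file under version control next to the option list, so the next release's GENERIC can be diffed against the previous one before the same list is applied again; new options that appeared upstream are then a visible decision, not a surprise. Commenting out `INET6` removes the code path entirely; a `block drop quick inet6` line in pf.conf is still worth having on boxes where the option stays in.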
It is sad to see one weak password responsible for such a breach.
:(
//hdw
Eh? Why is everyone talking about a weak password?
The article says sniffed password.
I assume that they're not using cleartext password authentication, which means that it wasn't sniffed on the wire; it was sniffed on a (compromised) box that some user used to log in.
And if the client box is compromised, it doesn't matter if you use a password or a passphrased key.
Even keeping your key on something removable (like a USB keychain) doesn't help you; the cracker can easily snarf both key and passphrase.
The only way to bypass that would be an external pinpad-style device.
I've put networked computers in the kids' rooms since they turned 3.
;)).
Now they're 6, 7 and 8 and handle their computers with ease and create fewer hassles for admin/dad to solve than the people at the office.
Well, it can get a bit noisy when they're playing Lemmings Paintball, XPilot or Tank and yelling at each other but that's about it.
But, of course, locked in behind a firewall and filtering proxy.
The filter proxy runs on whitelist, when they hit a blocked site they get the chance to request it opened (by clicking a link).
I'll then screen the site and add it to the list.
Being that young, I'm not overly bothered about sites with 'hot' content, but I am bothered about malware sites (including spyware) and weird chat sites.
And yes, I do get a log of mail messages (to, from, date) once a week.
A little messy to set up and admin, but it lets the kids use their computers as a normal part of life: playing games, using the net, sharing data over the LAN and upgrading their antivirus (and bitching about the fascist admin, just like most users).
The only issue is that they can't play some of the head-to-head webgames due to the firewall (and some NAT issues).
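The admin side of the whitelist proxy described above (blocked site, link to request it, dad screens it and adds it) fits in a few shell functions. This is an added example, not code from the post; squid is one proxy that works this way (the `dstdomain` ACL and `deny_info` lines in the comment are real squid directives), but the paths, the request page and the queue layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post. Whitelist-only filtering proxy,
# admin side: blocked requests land in a queue, the admin screens them, and
# approved hosts go onto the proxy's whitelist before a reload. Assumed
# squid.conf (paths and request page are placeholders):
#   acl kids_ok dstdomain "/etc/squid/whitelist"
#   http_access allow kids_ok
#   http_access deny all
#   deny_info http://proxy.lan/request?url=%u all   # the "ask dad" link

WHITELIST="${WHITELIST:-/etc/squid/whitelist}"
QUEUE="${QUEUE:-/var/spool/proxy-requests}"

# Reduce a URL or host:port to a bare lower-case host name and reject
# anything that is not a plausible DNS name. The request page is reachable
# by the kids (and by whatever they downloaded), so a crafted request must
# not be able to smuggle "." or a leading-dot wildcard into the list.
normalize_host() {
    h=$(printf '%s' "$1" |
        sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' -e 's|[/?#].*||' -e 's|:[0-9]*$||' |
        tr 'A-Z' 'a-z')
    case "$h" in
        ''|.*|*..*|*.)   return 1 ;;
        *[!a-z0-9.-]*)   return 1 ;;
    esac
    printf '%s\n' "$h"
}

# queue_request URL: called by the request page; one host per line, deduped.
queue_request() {
    h=$(normalize_host "$1") || return 1
    grep -qx "$h" "$QUEUE" 2>/dev/null || printf '%s\n' "$h" >> "$QUEUE"
}

# approve HOST: after screening, move a host from the queue to the
# whitelist (idempotent) and reload the proxy without dropping sessions.
approve() {
    h=$(normalize_host "$1") || return 1
    grep -qx "$h" "$WHITELIST" 2>/dev/null || printf '%s\n' "$h" >> "$WHITELIST"
    if [ -f "$QUEUE" ]; then
        grep -vx "$h" "$QUEUE" > "$QUEUE.tmp" || true
        mv "$QUEUE.tmp" "$QUEUE"
    fi
    command -v squid >/dev/null 2>&1 && squid -k reconfigure
    return 0
}

case "${1:-}" in
    request) queue_request "$2" ;;
    pending) cat "$QUEUE" 2>/dev/null ;;
    approve) approve "$2" ;;
esac
```

The whitelist holds bare host names on purpose: approving `www.example.com` does not approve `example.com` or its other subdomains, so each new host the games pull in shows up in the queue and gets looked at.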
Well Gator/Claria can be compared with TV commercials.
TV programs are either paid for directly by the customers subscribing to the channel (or pay per view) or indirectly by showing commercials.
Just as some software is paid for directly by the user or indirectly by showing commercials (pop-ups, banners et al).
And just as the TV networks handle the commercials and pay out money to whoever produced the TV program, there's companies handling computer commercials handing out money to whoever produced the computer software.
So far it's not a problem, I can choose to install 'ad-ware' programs because I don't want to pay for them. Just as I can choose to watch movies on channel 3, with annoying ads every 20 minutes, because I don't wanna pay for a movie channel without ads.
The real problem with Gator/Claria (and many others) is that they show ads all the time, not just when I use the software that they're supposed to pay for.
And worse, the software that's paid for by the ads doesn't really tell me what I'm installing.
Instead they say "with this software you get this wonderful extra tool/helper for free" and not "you've chosen to install the 'adware' version of this software, this means that we will install a piece of software that (when it works correctly) will monitor your surfing habits and pop up commercials tailored to your habits."
What the 'extra' software really does is usually tucked deep in some 40-page fine-print EULA, if mentioned at all.
Ok, there are exceptions, where they actually tell you, but they're _very_ rare.
If Gator/Claria stated what they're up to when the software is installed it wouldn't be spyware.
But they don't, so it is, now sue me.
I just wanted to point out that it most likely wasn't the OS that was his problem.
And yes, neatly stacked data, and I wouldn't get even close to such write speed; I barely reach it with reads.
On the other hand, this system would cost 500 USD if built today.
But 20+ minutes for 17 Megs? I'd say something is badly wrong.
And I don't think it's the OS.
My 486 DX2/66 copies 17 Megs in less than 30 seconds (and it's running OpenBSD).