Re: network performance problems
On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:
> On 17/02/10 03:16, FRLinux wrote:
> > Mmmh, you piqued my interest here. You mentioned your cisco 6500 but I
> > guess you are going to use only gigabit NICs, so you have no need on
> > the 10gb range? Just asking, not trying to start a war :)
> >
> > Cheers,
> > Steph
>
> ps. the cisco crawled when I enabled IOS firewall features (stateful).
> Firewall interface == $35K come on now... Too much money!

The 6500 and 7600 cisco systems are not able to do stateful firewalling in
HW and have also issues with stuff like netflow exports. Unless you buy the
super expensive line cards. Even the big SUP boards come with a tiny CPU
running at the speed of a loongson -- those can be killed with a few Mbps of
multicast traffic.

-- 
:wq Claudio

Re: network performance problems
On Wed, Feb 17, 2010 at 01:47:48AM +, FRLinux wrote:
> On Wed, Feb 17, 2010 at 1:35 AM, Kapetanakis Giannis wrote:
> > b) 10G Xenpack for C6500 costs around $25K if I'm not wrong.
>
> Err, the backplane cost us about 10.000 euros for the card and 2500
> euros per xenpack, and we have 4. So that sounds about right :)

You can get ix(4) with sfp+ interface that are 600E per dual port card and
about the same for SR optics modules and direct attached cables are way
cheaper. You can get a hell of a system for 20'000 Euros and that's just
the interface card of a 6500 and does not include the SUP and the chassis.
Sure the 6500 use HW for the switching but they suck at anything more
complex.

> > If future demands for more than 1G I will probably bond 1G cards (cheap
> > solution) or buy a new L2 10G switch to do the link as well as xenpacks for
> > the cisco.
>
> Bonding is not aggregating...
>
> Steph

-- 
:wq Claudio

Re: PF log parser and dynamic PF rules...
On 17 feb 2010, at 02.07, Randal L. Schwartz wrote:

> > "Paul" == Paul de Weerd writes:
>
> Paul> Jeez... As an asker, you don't really get to decide how or what other
> Paul> people answer, or if they even answer at all.
>
> As I snipped off a Usenet group once:
>
> > Get real! This is a discussion group, not a helpdesk. You post
> > something -- we discuss its implications. If the discussion happens
> > to answer a question you've asked, that's incidental. If you post a
> > question that implies that you've got a problem finding answers to
> > trivial questions in the manual, then it is perfectly reasonable for
> > us to discuss how to do that.
>
> -- 
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> http://www.stonehenge.com/merlyn/
> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion

I have been on this list for many years. Sometimes asking and sometimes
helping others.

You are wrong.
http://www.openbsd.org/mail.html
--snip--
User questions and answers, general questions
--snip--

Answer correctly or don't answer at all. A winning concept in real life as
well.

^d

Regards
/Per-Olov

-- 
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4

Re: VLANs and security (was:network performance problems)
--- On Tue, 2/16/10, Corey wrote:

> From: Corey
> Subject: VLANs and security (was:network performance problems)
> To: misc@openbsd.org
> Received: Tuesday, February 16, 2010, 8:54 PM
>
> >> I did put all interfaces (in,out,pfsync,management) through VLANs in msk0
>
> Throwing out a topic for discussion...I have seen a couple
> of posts on here regarding use of VLANs to segregate traffic
> that I would usually use separate interfaces for. I am
> just curious what the thoughts of the list are on this
> practice. I haven't ever set up VLANs on anything
> large or serious, and do not claim to know the security
> implications, other than switch/interface misconfiguration
> possibly getting one into trouble, and awareness of (but no
> experience with) tools like dsniff.
>
> There is quite a bit of stuff out there on Google, of
> course, but I trust this list more :^)
>
> Thanks in advance.

We use VLANs quite extensively and are now looking at deploying VRF-ish
solutions for the campus. We still use multiple interfaces in order to
spread the interrupt load for really busy VLANs.

Security is not really a factor in VLANs, as they don't provide any inherent
increase in security. Misconfigurations would equate to the same compromises
really.

---
James A. Peltier
james_a_pelt...@yahoo.ca

Re: VLANs and security (was:network performance problems)
Just remember that "VLAN separation" is a misnomer. The VLAN tag is inserted
in the Ethernet Frame,
http://upload.wikimedia.org/wikipedia/commons/2/23/TCPIP_802.1Q.jpg

There isn't anything magical about an 802.1q tag. It is possible to overload
a switch's CAM table which effectively turns them into hubs. Most modern day
switches have enough memory allocated to the CAM table, search for "cam table
overflow" for more info.

diana

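To make diana's point concrete, here is an added example (not code from the thread) that decodes the 802.1Q tag out of a raw frame: the tag is just four bytes spliced in after the source MAC, visible to anything that receives the tagged frame, which is why Giannis' advice above about restricting which ports carry a VLAN is the actual control. The frames are constructed, and the helper assumes a lowercase hex string with no separators (what "tcpdump -x" prints once the spaces are stripped); it also walks nested 802.1ad/802.1Q (QinQ) tags, which the thread does not discuss.

```sh
#!/bin/sh
# Added example, not code from the thread: decode the 802.1Q tag(s) of an
# Ethernet frame given as a hex string (as produced by "tcpdump -x" with the
# spaces removed). The frames below are constructed for illustration.

# 00:11:22:33:44:55 <- 66:77:88:99:aa:bb, single tag (PCP 5, VID 100), IPv4 payload
TAGGED_FRAME='00112233445566778899aabb8100a06408004500'
# Same MACs, no tag, IPv4 payload
UNTAGGED_FRAME='00112233445566778899aabb08004500'
# Same MACs, 802.1ad outer tag (VID 100) carrying an inner 802.1Q tag (PCP 5, VID 200)
QINQ_FRAME='00112233445566778899aabb88a800648100a0c808004500'

# hexfield STRING START LEN: print LEN hex characters starting at 1-based START
hexfield() {
    printf '%s' "$1" | cut -c "$2-$(($2 + $3 - 1))"
}

# vlan_tags HEXFRAME: print one "tag ..." line per 802.1Q (0x8100) or 802.1ad
# (0x88a8) tag found after the two MAC addresses, then the EtherType of the
# payload that follows the last tag.
vlan_tags() {
    frame=$1
    pos=25                       # first EtherType starts after 12 MAC bytes = 24 hex chars
    while :; do
        tpid=$(hexfield "$frame" "$pos" 4)
        if [ -z "$tpid" ]; then
            echo 'truncated frame' >&2
            return 1
        fi
        case "$tpid" in
            8100|88a8)
                tci_hex=$(hexfield "$frame" $((pos + 4)) 4)
                tci=$((0x$tci_hex))
                # TCI layout: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VID
                printf 'tag tpid=0x%s pcp=%d dei=%d vid=%d\n' \
                    "$tpid" $((tci >> 13)) $(((tci >> 12) & 1)) $((tci & 4095))
                pos=$((pos + 8))     # step over the 4-byte tag and look for another
                ;;
            *)
                printf 'payload ethertype=0x%s\n' "$tpid"
                return 0
                ;;
        esac
    done
}

vlan_tags "$TAGGED_FRAME"
vlan_tags "$UNTAGGED_FRAME"
vlan_tags "$QINQ_FRAME"
```

The tagged frame decodes to "tag tpid=0x8100 pcp=5 dei=0 vid=100" followed by "payload ethertype=0x0800"; nothing in that process involves a secret, which is the sense in which the tag is not a security boundary.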
Re: VLANs and security
On 17/02/10 03:54, Corey wrote:
> >> I did put all interfaces (in,out,pfsync,management) through VLANs in msk0
>
> Throwing out a topic for discussion...I have seen a couple of posts on
> here regarding use of VLANs to segregate traffic that I would usually
> use separate interfaces for. I am just curious what the thoughts of the
> list are on this practice. I haven't ever set up VLANs on anything
> large or serious, and do not claim to know the security implications,
> other than switch/interface misconfiguration possibly getting one into
> trouble, and awareness of (but no experience with) tools like dsniff.
>
> There is quite a bit of stuff out there on Google, of course, but I
> trust this list more :^)
>
> Thanks in advance.

VLANs are a cool solution. Make sure you restrict access to those VLANs to
only the ports that should have access. Also read about 802.1Q since it is
the standard way of doing it.

Giannis

ps. I'm wondering if it's better for the traffic to come and go on the same
card or maybe better to interrupt another card as well...

Re: VLANs and security (was:network performance problems)
On 17/02/2010, at 12:12 PM, Jason Dixon wrote:
> On Tue, Feb 16, 2010 at 07:54:47PM -0600, Corey wrote:
>>
>> Throwing out a topic for discussion...I have seen a couple of posts on
>> here regarding use of VLANs to segregate traffic that I would usually
>> use separate interfaces for. I am just curious what the thoughts of the
>> list are on this practice. I haven't ever set up VLANs on anything
>> large or serious, and do not claim to know the security implications,
>> other than switch/interface misconfiguration possibly getting one into
>> trouble, and awareness of (but no experience with) tools like dsniff.
>
> They're fine if you know how to use them properly. I use them all the
> time in "heavy" production (whatever the fuck that means). ;-)

me too. i put pfsync on its own physical interface, absolutely everything
else goes over vlans on a separate nic.

dlg

Re: network performance problems
On Wed, Feb 17, 2010 at 1:52 AM, Kapetanakis Giannis wrote:
> Did you put any openbsd in front/behind that Cisco?
> Bandwidth? packets/sec? What kind of server?

I do, but it is used as a backup, so I am not looking for performance but
rather as a slower replacement able to run (openbsd 4.5 as 4.6+ fails to
boot properly on this server type IBM x336 series) filter (pf), route
(openbgpd) traffic from one site to other internals plus internet.

Cheers,
Steph

Re: VLANs and security (was:network performance problems)
On Tue, Feb 16, 2010 at 07:54:47PM -0600, Corey wrote:
>
> Throwing out a topic for discussion...I have seen a couple of posts on
> here regarding use of VLANs to segregate traffic that I would usually
> use separate interfaces for. I am just curious what the thoughts of the
> list are on this practice. I haven't ever set up VLANs on anything
> large or serious, and do not claim to know the security implications,
> other than switch/interface misconfiguration possibly getting one into
> trouble, and awareness of (but no experience with) tools like dsniff.

They're fine if you know how to use them properly. I use them all the
time in "heavy" production (whatever the fuck that means). ;-)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/

Re: Apache Firefox and Ogg Theora (Byte-range requests)
On 2010-02-16, trustlevel-...@yahoo.co.uk wrote:
> I've seen examples of earlier versions than Apache 1.3.29 said to be working
> with byte-range requests, has anyone got the byte range requests to work with
> openbsd without using php code or know how this can be done or if it works by
> default.

sorry, it's broken, maybe someone who uses base httpd and has some spare
time might like to look into fixing it...

http://permalink.gmane.org/gmane.os.openbsd.misc/169541

VLANs and security (was:network performance problems)
>> I did put all interfaces (in,out,pfsync,management) through VLANs in msk0

Throwing out a topic for discussion...I have seen a couple of posts on
here regarding use of VLANs to segregate traffic that I would usually
use separate interfaces for. I am just curious what the thoughts of the
list are on this practice. I haven't ever set up VLANs on anything
large or serious, and do not claim to know the security implications,
other than switch/interface misconfiguration possibly getting one into
trouble, and awareness of (but no experience with) tools like dsniff.

There is quite a bit of stuff out there on Google, of course, but I trust
this list more :^)

Thanks in advance.

Re: network performance problems
On Wed, Feb 17, 2010 at 1:35 AM, Kapetanakis Giannis wrote:
> b) 10G Xenpack for C6500 costs around $25K if I'm not wrong.

Err, the backplane cost us about 10.000 euros for the card and 2500
euros per xenpack, and we have 4. So that sounds about right :)

> If future demands for more than 1G I will probably bond 1G cards (cheap
> solution) or buy a new L2 10G switch to do the link as well as xenpacks for
> the cisco.

Bonding is not aggregating...

Steph

Re: network performance problems
On 17/02/10 03:47, FRLinux wrote:
> Err, the backplane cost us about 10.000 euros for the card and 2500
> euros per xenpack, and we have 4. So that sounds about right :)
>
> > If future demands for more than 1G I will probably bond 1G cards (cheap
> > solution) or buy a new L2 10G switch to do the link as well as xenpacks for
> > the cisco.
>
> Bonding is not aggregating...
>
> Steph

Did you put any openbsd in front/behind that Cisco?
Bandwidth? packets/sec? What kind of server?

Giannis

Re: network performance problems
On 17/02/10 03:16, FRLinux wrote:
> Mmmh, you piqued my interest here. You mentioned your cisco 6500 but I
> guess you are going to use only gigabit NICs, so you have no need on
> the 10gb range? Just asking, not trying to start a war :)
>
> Cheers,
> Steph

:) Well not at the moment. 10G is a thought but:

a) my campus uplink does not give me 10G right now, only 1G
b) 10G Xenpack for C6500 costs around $25K if I'm not wrong.
c) The obsds will not be in front. L2 outer link will stay in Cisco (I have
   24 interfaces there). 2 obsd will be connected on Cisco, filter traffic
   and forward back to cisco for inter-vlan routing. The obsd will carp my
   outer IP and the link to Cisco.

If future demands for more than 1G I will probably bond 1G cards (cheap
solution) or buy a new L2 10G switch to do the link as well as xenpacks for
the cisco.

best regards,
Giannis

ps. the cisco crawled when I enabled IOS firewall features (stateful).
Firewall interface == $35K come on now... Too much money!

Re: network performance problems
On Wed, Feb 17, 2010 at 12:43 AM, Kapetanakis Giannis wrote:
> perfectly ok for my test case. I'm pretty sure that with Intel network
> controllers the setup will rock and beat the hell out of my Cisco 6500 with
> the features of pf.

Mmmh, you piqued my interest here. You mentioned your cisco 6500 but I
guess you are going to use only gigabit NICs, so you have no need on
the 10gb range? Just asking, not trying to start a war :)

Cheers,
Steph

Re: PF log parser and dynamic PF rules...
> "Paul" == Paul de Weerd writes:

Paul> Jeez... As an asker, you don't really get to decide how or what other
Paul> people answer, or if they even answer at all.

As I snipped off a Usenet group once:

> Get real! This is a discussion group, not a helpdesk. You post
> something -- we discuss its implications. If the discussion happens
> to answer a question you've asked, that's incidental. If you post a
> question that implies that you've got a problem finding answers to
> trivial questions in the manual, then it is perfectly reasonable for
> us to discuss how to do that.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion

Re: network performance problems
On 16/02/10 11:41, Jordi Espasa Clofent wrote:
> As Claudio has pointed you out, try (if you can) a better driver em(4) on
> good Intel hardware NICs. I use simple Supermicro hardware with Intel NIC
> PCI-E and em(4) and I move around 400/500MBps without any problem.

Claudio was right. Upgrading the system to 4.7-current did make a huge
difference on msk(4).

This is a test active-active external firewall and unfortunately I don't
have spare em(4) cards. The DLINKs-sk(4) I tried were worse than the
onboard Realtek. An Intel controller will be included in my next order.

I did put all interfaces (in,out,pfsync,management) through VLANs in msk0
and I'm routing at 400-600 Mbps (wget, iperf test traffic). This is
perfectly ok for my test case. I'm pretty sure that with Intel network
controllers the setup will rock and beat the hell out of my Cisco 6500 with
the features of pf.

Thanks all,
Giannis

Re: PF log parser and dynamic PF rules...
On Wed, Feb 17, 2010 at 12:40:02AM +0100, Per-Olov Sjöholm wrote:
| Amazing that so many people in this forum cannot read and therefore answer to B
| when I ask for A.

It's amazing that you get so much free (and good, imo) advice and then not
only completely ignore it, but even go out of your way to ridicule the
people spending their time to try and help you.

Please, ask for C on this list again. I hope enough people remember the
gratitude you showed to *NOT* give you an answer to C *or* D.

Jeez... As an asker, you don't really get to decide how or what other
people answer, or if they even answer at all. If you don't like the replies
you get, maybe you shouldn't be asking questions in the first place -
people here try to give sane advice, not hold your hand while you try to
shoot yourself in the foot. And I'll be explicit : the people replying
decide whether they consider what you're doing is shooting yourself in the
foot or not; if you want to debate their considerations (better to ignore
replies you do not consider useful and draw your own conclusions when
you're left with nothing), you probably want to do that off-list.

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 17.17, Eugene Yunak wrote:

> 2010/2/16 Per-Olov Sjöholm :
>> Hi "misc"
>>
>> I am looking for a tool to use as a trigger for dynamically open PF ports from
>> certain IP:s.
>>
>> I will access non critical info but want at least a port knocker as security.
>>
>> If I access an IP on my DMZ that is not in use on a port that is fake I want
>> to dynamically add a PF rule for a totally different purpose. Let's say I
>> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
>> easiest way to create a trigger from the PF log or the PF log device?
>>
>> A cron job with grep in the PF log and then run pfctl to add the rule is from
>> many points of view a bad choice... I don't want to dig through the PF log as
>> it can be huge, and I don't want to use a cron job as it takes too long..
>>
>> Any suggestions appreciated.
>>
>>
>> Thanks in advance
>> /Per-Olov
>>
>
> As many people have already suggested to you in this thread, you are
> doing it wrong. But if you _really_ want to do it that way, then
> probably you can simplify your configuration a bit.
>
> You can use "log (to pflog10)" to have a separate pflog device with
> only log entries about port-knocking attempts. Then you can have a
> small shellscript reading from tcpdump pflog10 in a cycle and adding
> IP addresses to a table of hosts with permitted access to your rss
> feed. This is much simpler and quicker than a cron job with full pflog
> parser.
>
> I would strongly encourage you to use per-user http authentication
> instead. Most rss readers I encountered actually _do_ support it, as
> they are all based on standard libraries, so you can just give them
> http://user:p...@host/path/file.rss url if they don't have a separate
> "authentication" field.
>
> -- 
> The best the little guy can do is what
> the little guy does right

Hi Eugene

Thanks. As this is a test shoot only I will go for something home made in C
to feed a table for now.

And I _really_ want to do it this way as it's a test. A future production
environment could maybe be totally different, who knows.

I have done security analysis since early -90 and asked a simple question to
this forum. When people do not know, they just mess up the thread with
garbage. If only more people were like you Eugene. That is, point out your
opinion AND a way to do it. Not just the first. The opinion can be right,
but also wrong as everything must be set in its correct context. Also, a
security tradeoff can be rated differently by different people.

Amazing that so many people in this forum cannot read and therefore answer
to B when I ask for A.

/Per-Olov

-- 
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4

Re: PF log parser and dynamic PF rules...
2010/2/16 Per-Olov Sjöholm :
> Hi "misc"
>
> I am looking for a tool to use as a trigger for dynamically open PF ports from
> certain IP:s.
>
> I will access non critical info but want at least a port knocker as security.
>
> If I access an IP on my DMZ that is not in use on a port that is fake I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
> easiest way to create a trigger from the PF log or the PF log device?
>
> A cron job with grep in the PF log and then run pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes too long..
>
> Any suggestions appreciated.
>
>
> Thanks in advance
> /Per-Olov
>

As many people have already suggested to you in this thread, you are
doing it wrong. But if you _really_ want to do it that way, then
probably you can simplify your configuration a bit.

You can use "log (to pflog10)" to have a separate pflog device with
only log entries about port-knocking attempts. Then you can have a
small shellscript reading from tcpdump pflog10 in a cycle and adding
IP addresses to a table of hosts with permitted access to your rss
feed. This is much simpler and quicker than a cron job with full pflog
parser.

I would strongly encourage you to use per-user http authentication
instead. Most rss readers I encountered actually _do_ support it, as
they are all based on standard libraries, so you can just give them
http://user:p...@host/path/file.rss url if they don't have a separate
"authentication" field.

-- 
The best the little guy can do is what
the little guy does right

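Eugene's suggestion, written out as an added example for both Per-Olov's question and Eugene's reply (this is not code from the thread): a pf.conf fragment that sends only the knock rule's log to its own pflog device, and a script that follows that device with tcpdump and adds each knocking source to a table. The rule layout, the table name "knocked", the device name pflog10 and the sample tcpdump line are assumptions made here; port 45321 is the one from the original question. knock_src handles IPv4 only.

```sh
#!/bin/sh
# Added example of the "log (to pflog10)" approach Eugene describes; not code
# from the thread. Everything below is an assumption made for illustration:
# the table name "knocked", the device pflog10, the rule layout, and the port
# 45321 taken from the original question.
#
# pf.conf fragment (assumed):
#
#   table <knocked> persist
#   block in log (to pflog10) quick on $ext_if proto tcp to $ext_if port 45321
#   pass in quick on $ext_if proto tcp from <knocked> to $ext_if port 8080
#
# Only the knock rule logs to pflog10, so that device carries nothing but
# knocks and the script never has to sift through the main pflog.

KNOCK_PORT=45321
TABLE=knocked
PFLOG_IF=pflog10

# Constructed sample of what "tcpdump -n -e -i pflog10" prints for one knock
# (the real line also carries a timestamp in front).
SAMPLE_KNOCK='rule 5/(match) block in on em0: 192.0.2.10.51234 > 198.51.100.4.45321: S 1:1(0) win 16384'

# knock_src LINE: print the IPv4 source of a pflog line whose destination
# port is $KNOCK_PORT; print nothing for any other line (other ports,
# IPv6 addresses, lines that are not "block in").
knock_src() {
    printf '%s\n' "$1" | awk -v port="$KNOCK_PORT" '
        /block in on / {
            # the "src.port > dst.port:" pair follows the "on <ifname>:" token
            for (i = 2; i <= NF - 1; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
            if (src == "") next
            sub(/:$/, "", dst)
            if (split(dst, d, "[.]") != 5 || d[5] != port) next
            if (split(src, s, "[.]") != 5) next
            print s[1] "." s[2] "." s[3] "." s[4]
        }'
}

# knock_loop: follow the pflog device and add each knocking source to the
# table. "tcpdump -l" line-buffers stdout so entries appear without delay;
# pfctl ignores addresses that are already in the table.
knock_loop() {
    tcpdump -l -n -e -i "$PFLOG_IF" 2>/dev/null | while read -r line; do
        ip=$(knock_src "$line")
        [ -n "$ip" ] || continue
        pfctl -q -t "$TABLE" -T add "$ip"
    done
}

# Show the parser on the constructed line; start the live loop only when
# asked, since that needs root and a real pflog10.
knock_src "$SAMPLE_KNOCK"          # prints 192.0.2.10
if [ "${1:-}" = "run" ]; then
    knock_loop
fi
```

knock_src is kept separate from the tcpdump loop so it can be checked against a captured line without touching pf. Entries added this way never expire on their own; a periodic `pfctl -t knocked -T expire 3600` would drop knockers after an hour, which is the caveat with any table-based opener and the main reason the per-user HTTP authentication Eugene recommends is the simpler control.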
Apache Firefox and Ogg Theora (Byte-range requests)
Hi,

The Question first (may save time)

I've seen examples of earlier versions than Apache 1.3.29 said to be working with byte-range requests. Has anyone got byte-range requests to work with OpenBSD without using PHP code, or does anyone know how this can be done, or if it works by default?

The Story

I've had some problems with my web host, or rather they have had problems (ssl key stuck and ssh has been disabled for over a month now???), and so I have been creating an image for a dedicated web server with the default Apache 1.3 to give me more control and security. Everything was going well and I was about to move on to performance testing and pf optimisation. I then found that my .ogv video files were causing a connection loop even when loaded via a direct URL. This doesn't happen in Firefox 3.1b3 but does in Firefox >3.5 alphas. In Firefox 3.1b3 the seeking didn't work but the video played. The mimetype is being provided by Apache. Ogg video also works in Opera 10.50 beta, probably because it's not fully implemented as per the W3C recommendations yet, as I would guess for Firefox 3.1b3.

I've since learned via sniffing, curl and the HTTP headers that byte-range requests are being ignored (hence no seeking) and the whole file is delivered via a 200 response rather than the portion requested via a 206 response, as works with the same httpd.conf configuration on Linux Apache 1.3.

After investigating whether dropped packets were the cause, because wireshark was indicating dropped packets (just wireshark I think, with looped connections (1000s of packets in seconds)) and giving the message "tcp segment of a reassembled pdu", I tried running curl on the loopback of the OpenBSD box and reviewing the Apache config and the source code (a little) and also network settings, but without any luck in getting byte-range requests to work.

It looks like I may have to drop support of native Firefox video, something I have great support for with the security nightmare of Flash. I could also try apache2, which I would rather not, as I have read the OpenBSD Apache is heavily modified and audited and the ports well tested and ready to go.

The Question (Again)

I've seen examples of earlier versions than Apache 1.3.29 said to be working with byte-range requests. Has anyone got byte-range requests to work with OpenBSD without using PHP code, or does anyone know how this can be done, or if it works by default?

Byte-range support can be tested with the following, if you have curl installed and Apache enabled, or know of OpenBSD served websites.

/usr/local/bin/curl --range 3-5 http://www.openbsd1.3server.org/filelargethan5bytes > /dev/null
Output = received 3 bytes

/usr/local/bin/curl --range 5-800 http://www.openbsd1.3server.org/filelargethan800bytes > /dev/null
Output = received 796 bytes

Thanks for any help

KeV

==
After an exploit in smoothwall and a mountain of Livecd's and pdfs, an install of netbsd and trustix, I was finally stunned by Openbsd (a real element) and rarely look back.
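The check KeV does with curl --range, reproduced offline as an added example that is not part of the original post: two constructed toy HTTP servers (one that ignores the Range header and answers 200 with the whole file, as reported for the OpenBSD Apache 1.3, and one that honours it with 206 plus Content-Range, as reported for Apache 1.3 on Linux) and a checker that decides whether seeking will work. The servers, the /sample.ogv URL and the 1024-byte body are constructed for the example and are not Apache.

```python
import http.server
import re
import threading
import urllib.request
from urllib.error import HTTPError

# Constructed stand-in for the .ogv file: 1024 bytes with a known pattern.
SAMPLE_BODY = bytes(range(256)) * 4


class NoRangeHandler(http.server.BaseHTTPRequestHandler):
    """Toy server that ignores Range and always answers 200 with the whole body
    (the behaviour the post reports from the OpenBSD Apache 1.3)."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "video/ogg")
        self.send_header("Content-Length", str(len(SAMPLE_BODY)))
        self.end_headers()
        self.wfile.write(SAMPLE_BODY)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


class RangeHandler(NoRangeHandler):
    """Toy server that honours a single 'bytes=a-b' Range with 206 + Content-Range
    (the behaviour the post reports from Apache 1.3 on Linux)."""

    def do_GET(self):
        total = len(SAMPLE_BODY)
        m = re.fullmatch(r"bytes=(\d*)-(\d*)", self.headers.get("Range", ""))
        if not m or m.group(1) == m.group(2) == "":
            return super().do_GET()          # no usable Range: behave like a plain 200
        if m.group(1) == "":                 # suffix form bytes=-N: the last N bytes
            first, last = max(0, total - int(m.group(2))), total - 1
        else:                                # bytes=a-b, or open-ended bytes=a-
            first = int(m.group(1))
            last = min(int(m.group(2)), total - 1) if m.group(2) else total - 1
        if first > last or first >= total:   # unsatisfiable range: 416, not a 200
            self.send_response(416)
            self.send_header("Content-Range", f"bytes */{total}")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        chunk = SAMPLE_BODY[first:last + 1]
        self.send_response(206)
        self.send_header("Content-Type", "video/ogg")
        self.send_header("Accept-Ranges", "bytes")
        self.send_header("Content-Range", f"bytes {first}-{last}/{total}")
        self.send_header("Content-Length", str(len(chunk)))
        self.end_headers()
        self.wfile.write(chunk)


def check_range_support(url, first, last):
    """Ask for bytes first..last (what `curl --range first-last` sends) and report
    whether the server honoured it.  Seeking needs a 206 with a Content-Range header
    and exactly (last - first + 1) bytes; a 200 carrying the whole file means the
    Range header was ignored."""
    req = urllib.request.Request(url, headers={"Range": f"bytes={first}-{last}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, body = resp.status, resp.read()
            content_range = resp.headers.get("Content-Range")
    except HTTPError as err:                 # e.g. 416 Requested Range Not Satisfiable
        status, body = err.code, b""
        content_range = err.headers.get("Content-Range")
    expected = last - first + 1
    honoured = (status == 206 and len(body) == expected
                and content_range is not None
                and content_range.startswith(f"bytes {first}-{last}/"))
    return {"status": status, "received": len(body),
            "content_range": content_range, "honoured": honoured}


def serve(handler):
    """Start handler on a random loopback port in a daemon thread; return (server, url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/sample.ogv"


def run_demo(first=5, last=800):
    """Run the same range check against both toy servers and return both results."""
    results = {}
    for name, handler in (("ignored", NoRangeHandler), ("honoured", RangeHandler)):
        srv, url = serve(handler)
        try:
            results[name] = check_range_support(url, first, last)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:8s} status={r['status']} received={r['received']} "
              f"content-range={r['content_range']} honoured={r['honoured']}")
```

Against a real server, call check_range_support() with the site URL; the 796-byte/206 result is what the post expects for --range 5-800, and a 200 with the full length is the failure it describes.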
SR SOFTWARE ENGINEER: C# Winforms
SQL Server DBA

JOB LOCATION: WALTHAM

Job Description: The Production DBA is part of the Support Services team that provides technical support and consultation to managed hosting and licensed customers. The databases in these environments are complex, distributed, highly transactional database systems. The person in this position will be required to support the team in their analysis of SQL Server and Oracle databases, as it relates to database performance, query tuning, indexing, transactional processing best practices, replication, and monitoring for future growth needs. This team supports clients 7x24 for critical system needs so there is a need for the Production DBA to be on-call for database related critical issues. This position requires a self-motivated individual who can work well as part of a team as well as independently. Must have excellent interpersonal skills, be able to work in a high pressure environment, and have excellent relationship management skills and communication skills.

Minimum Requirements Include:
* 5+ years experience as a SQL Server and/or Oracle Database Administrator supporting enterprise class database environments.
* 3+ years Transact SQL and/or PL/SQL development (procedures, triggers, constraints, managing referential integrity, functions, etc.)
* Understanding of complex, distributed, highly transactional database systems
* Experience supporting distributed databases in a multi-server/multi-location environment
* Strong performance and tuning skills
* Proven experience utilizing/supporting database internals--query processing, indexing, access methods, caching, transaction processing, replication, storage, partitioning, and clustering.
* Data Transformation Services (DTS)
* Working knowledge of SQL Server and Oracle security features
* Experience with .NET and XML Programming a plus
* Ability to work independently or within a team
* Strong distributed systems architectural skills

Education: Advanced degree in Computer Science or related discipline. Microsoft SQL Server or Oracle DBA Certification a plus.

Contact: sc...@mckearney.net www.keyrequirements.com

* Database Developers - Woburn, MA

Client company is a growing and stable direct marketing company with expertise in high conversion rates for their customers and best-in-class marketing solutions. They seek to hire a number of experienced Database Developers for their rapidly growing team. Candidates must be highly motivated with a desire to regularly learn new skills.

Qualifications:
* 2-7+ years database development experience
* Extract, transformation and load (ETL) applications (DataStage Enterprise Edition preferred)
* Expertise in Unix/Linux operating systems, C/C++ or Java programming, PERL, shell scripting.
* Strong knowledge of relational database concepts, SQL and data modeling techniques.
* Netezza experience is a plus. Oracle experience is a plus.
* Data hygiene and merge/purge applications is a plus (Firstlogic preferred)
* Experience developing marketing and/or financial applications desirable
* Demonstrated team experience in a matrix organization structure
* Professional demeanor and good verbal and written skills
* Bachelor Degree in computer science or equivalent experience required

Candidates must have current work authorization in the US. This client will not sponsor visa candidates. Candidates should be from the Boston area.

** If you or someone you may know believes you or they are ready for this kind of intellectual challenge, please reply with your resume.

Scott McKearney
www.keyrequirements.com
sc...@mckearney.net
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 12:27 PM, Per-Olov Sjöholm wrote:
> There is no authentication available in most RSS clients. If it was, i would
> of course prefer or at least consider that. I am not that stupid you know.

https://example.com/feed.php?user=floort&passwd=SUPERSECRET

Every feed reader I know of can handle a URL like this. It's probably more secure and easier to implement than port-knocking. And I wouldn't want to be the one who has to explain port-knocking to all your customers and tell them they have to do this every time their feed needs to refresh.

Floor
--
Floor Terra
www: http://brobding.mine.nu/
Re: PF log parser and dynamic PF rules...
> So if anybody can come up with a better approach I will be very happy.

You've already been told, by multiple people, that a better approach is to use the things that are available to you via the rich possibilities of HTTP to solve this problem.

Sometimes, you're the lone genius who is misunderstood in his own time, who future generations will admire for his foresight.

Most of the time, though, you're just Doing It Wrong(tm).
current kernel configuration in softraid system.
Hello.

I'm using OpenBSD 4.6. I've made the following steps:

- Installed the system, so wd0 and wd1 both have disklabels:

#        size    offset  fstype [fsize bsize cpg]
  a:   1060227        63  4.2BSD   2048 16384 1
  b:   1060290   1060290  swap
  c: 312579695         0  unused
  d: 310456125   2120580  RAID

- Rebuilt the kernel, so it now supports raid-frame technology.
- Successfully rebooted and worked well in software raid (mirror) with my own kernel /bsd. I've named the config RAID.MP

Then I decided to decompile some devices (audio etc.) and recompiled the kernel again. I did install it on the old roots (wd0a/bsd and wd1a/bsd) and rebooted well again. The config now is RAID.SMP

The only question now is: where could the configuration of the current kernel be located?

My new raid root contains raid0/usr/src/sys, but it is GENERIC.
My old root contains wd0a/usr/src/sys, but it is RAID.MP.

The difference between RAID.MP and RAID.SMP is the absence of audio devices and pcmcia, and therefore I can say that /usr/src/sys didn't update.

Is it possible to get the configuration for the current kernel in other ways?

Thank you.

--
(o_  - Dzmitry Stremkouski.
//\  - cel: +7 (916) 090-85-68
V_/_ - web: http://mitroko.com
Re: Jacek Books
J.C. Roberts wrote:
> Stop bitching and think.
>
> 1.) You do not have a name. You only have an email address.
>
> 2.) If your email address really indicates your location, then you are
> on a tiny island *EAST* of Madagascar in the Indian ocean.
>
> 3.) Although the island of Reunion is technically part of France, and
> hence technically part of the EU, most people believe GMT +0400 is
> outside of the EU.
>
> To put it bluntly, this is the very first time I have *EVER* seen the
> ".re" ccTLD being used.
>
> Jacek is a good guy, but considering the above, most people selling
> goods on the Internet would expect a scam. Your order probably got
> caught up by automated scam filters in the order processing system
> (e.g. an EU credit card being used with a seemingly non-EU shipping
> address). This is unfortunate, but for you, it's a fact of life.

I've had a PayPal account for over 10 years, and in that time I have purchased electronic media, like *.pdf files, which is what Jacek is selling, quite a few times. The payment arrives in the seller's PayPal account, and after a few days (as opposed to a few months, as appears to be the case in this situation) there is zero chance of the funds being unavailable to the seller.

Usually, professional sellers of electronic media have the process automated, sending an email to the purchaser containing the URL for download and a unique login key/password, which is good for a limited amount of time.

Jacek may be a good guy, and suspecting a scam is a sensible strategy, but a responsible seller who had received payment would be wise to see that his/her paying customers were well taken care of.

I sell artwork on my dotcom domain, which is a physical entity, as opposed to electronic media, and which requires shipping, as opposed to electronic delivery. I receive both genuine and scam requests for purchase. It's pretty easy to tell one from the other.
--
wittig
http://www.robertwittig.com/
http://robertwittig.net/
http://robertwittig.org/
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm writes:

> we have to use something that works from all places. The content is
> not a secret, but something you have to pay a little for. So... not
> critical.

Being the lazy git that I am, I could imagine that simply generating a sufficiently obfuscated set of file or directory names to put in the URL, likely on a per-user basis, would achieve roughly what you are talking about. Not exactly rocket science, but then neither are the other options.

I fully understand the desire to write a PF log parser, though :)

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 12.06, Peter N. M. Hansteen wrote:

> Per-Olov Sjöholm writes:
>
>> None said anything about a password.. From where did you get that? I don't
>> have a plain text password.
>
> A port knocking sequence is for most purposes a password, encoded in a
> 16 bit alphabet. That's it - port numbers run from 0 through 64k,
> although the practical range for portknocking purposes would likely
> exclude the more commonly used ones, mainly in the lower parts.
>
> I've been in the process of almost getting around to writing an
> article about how this limits the usefulness of portknocking as a
> security measure, there's always the question of round tuits.
> keywords: is your password more secure if it's stored as unicode?, the
> well known password guessing botnets, and so forth.
>
> The question of proportionality, as in the importance of your data vs
> the strength of your security measures is certainly relevant, but you
> should also take into consideration how much complexity any given
> security measure adds to your setup versus the actual gain in security.
> Hm. There might actually be an article in there.
>
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

We want to lock RSS to our own clients floating around in cyberspace. As authentication is not widespread in RSS clients, authentication is not usable. Therefore we have to come up with a different approach. As we want to use iGoogle and phones etc., we have to use something that works from all places. The content is not a secret, but something you have to pay a little for. So... not critical.

Of course you could authenticate with a web browser and then trigger to open in PF. Probably a little better than just the access to a dummy IP on a dummy port. But still not as good as I would like. SSH and authpf is as far as I know now not possible, as the SSH client will freeze on the iPhone (which is widely used here) when going into the background and switching to the RSS client.

So if anybody can come up with a better approach I will be very happy. Otherwise I have to create my pflog device parser myself, as obviously none in this forum have seen anything similar.

Thanks
Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 12:27:44PM +0100, Per-Olov Sjöholm wrote:
>
> On 16 feb 2010, at 12.07, Bret S. Lambert wrote:
>
>> On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
>>> See my post to Peter H. You obviously have not worked with security
>>
>> Why? Because I'm unwilling to endorse your preferred approach?
>>
>>> and the tradeoffs you _always_ have to make.
>>
>> Yes, you make tradeoffs, but you're asking for obscurity, not security.
>> It's a very important distinction to make, which you don't seem to be
>> doing.
>>
>>> If you don't have anything to come up with, don't bother to post.
>>
>> Okay, I'll bite:
>>
>> You're trying to solve this at the wrong layer.
>>
>> You're trying to use IP obfuscation.
>>
>> You should be looking for HTTP authentication instead.
>
> There is no authentication available in most RSS clients.

No, but web servers don't run on crippled OSes (for certain values of "crippled"), and are able to do things with URLs that level 3 things can't.

Floor had a good suggestion about adding something to the URL which would then be acted upon by the RSS feed server to determine if the feed should be served. Since the solution you propose is no less secure, just require that a "?user=NOTABOT" or some such be appended.

You're still looking at the wrong layer to solve this problem.

> If it was, i would of course prefer or at least consider that.

You haven't looked at this problem hard enough, then.

> I am not that stupid you know.

Why, oh why, dear lord, do you tempt me with such softballs?
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 12.07, Bret S. Lambert wrote:

> On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
>> See my post to Peter H. You obviously have not worked with security
>
> Why? Because I'm unwilling to endorse your preferred approach?
>
>> and the tradeoffs you _always_ have to make.
>
> Yes, you make tradeoffs, but you're asking for obscurity, not security.
> It's a very important distinction to make, which you don't seem to be
> doing.
>
>> If you don't have anything to come up with, don't bother to post.
>
> Okay, I'll bite:
>
> You're trying to solve this at the wrong layer.
>
> You're trying to use IP obfuscation.
>
> You should be looking for HTTP authentication instead.

There is no authentication available in most RSS clients. If it was, I would of course prefer or at least consider that. I am not that stupid you know.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.57, Stuart Henderson wrote:

> On 2010-02-16, Per-Olov Sjöholm wrote:
>> The reason is to use an RSS reader that cannot authenticate. I want some sort
>> of security for it even though it's not critical.
>
> https://some.host/super-sekrit-password-here/feed.rss gives more
> security than trying to use a web browser (which is highly likely
> to be proxied and logged by the carrier) as a port-knocking client.

That could be better... right..

> And with port-knocking, how do you even know the subsequent
> connection will be (natted to the same source address || coming
> from the same http proxy)?

I know it does from phones connecting through the operators' own network (at least in Sweden) and home broadband connected computers. But I don't from stationary computers not sitting at home.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: Jacek Books
On 16 February 2010 19:34, Otto Moerbeek wrote:
> On Tue, Feb 16, 2010 at 07:06:32PM +1100, SJP Lists wrote:
>
>> On 16 February 2010 06:33, wrote:
>>
>>> If you want i can send you my Paypal receipts to prove it. I never received
>>> the books.
>>> It is a swindle ! nothing else ...
>>
>> I have been waiting too. But I have heard people speak of Jacek being
>> ill a few times over the years, to the point that his publications get
>> delayed. Leading me to think that he has something more serious than
>> a cold.
>>
>> I'm concerned about his health first and foremost. I'm looking
>> forward to the book but I don't want it hurried if the cost is his
>> health.
>
> I agree that it is not good to pay and not receive anything. So you
> dispute the deal via the proper channels to get your stuff or your
> money back.
>
> Breaking copyright law to get your goods is not the right way.

I agree. But for the record, I personally never suggested or supported the idea that copyright infringement is a solution to this problem.

In fact, I have worked in landmark copyright cases for one of the World's most successful IP lawyers (and continue to do so), including tendering evidence to court as a witness and being cross examined. So for many reasons, I wouldn't dare.

Shane
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 12.06, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> ...Or did I miss something here?
>
> You missed quite a lot. I would recommend looking up the following
> before aggravating a larger public:
> client - server architecture
> client application
> server (daemon)
> rss
> ssh
> http, https
> mod_auth_*
>
> Write back in a few days after you have more details about your project.
> Speculation is not fun.
>
> Regards,
> /Lars

You did not answer how to use authpf from an iPhone as you suggested, as the process will freeze when going into the background. It will freeze or not freeze. It's not any speculation, right? I assume fugu or cyberduck as you suggested are dead ends with authpf.

/Per-Olov
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm wrote:
> ...Or did I miss something here?

You missed quite a lot. I would recommend looking up the following before aggravating a larger public:

client - server architecture
client application
server (daemon)
rss
ssh
http, https
mod_auth_*

Write back in a few days after you have more details about your project. Speculation is not fun.

Regards,
/Lars
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm writes:

> None said anything about a password.. From where did you get that? I don't
> have a plain text password.

A port knocking sequence is for most purposes a password, encoded in a 16 bit alphabet. That's it - port numbers run from 0 through 64k, although the practical range for portknocking purposes would likely exclude the more commonly used ones, mainly in the lower parts.

I've been in the process of almost getting around to writing an article about how this limits the usefulness of portknocking as a security measure, there's always the question of round tuits. keywords: is your password more secure if it's stored as unicode?, the well known password guessing botnets, and so forth.

The question of proportionality, as in the importance of your data vs the strength of your security measures, is certainly relevant, but you should also take into consideration how much complexity any given security measure adds to your setup versus the actual gain in security. Hm. There might actually be an article in there.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
> See my post to Peter H. You obviously have not worked with security

Why? Because I'm unwilling to endorse your preferred approach?

> and the tradeoffs you _always_ have to make.

Yes, you make tradeoffs, but you're asking for obscurity, not security. It's a very important distinction to make, which you don't seem to be doing.

> If you don't have anything to come up with, don't bother to post.

Okay, I'll bite:

You're trying to solve this at the wrong layer.

You're trying to use IP obfuscation.

You should be looking for HTTP authentication instead.
Re: PF log parser and dynamic PF rules...
Just put your data on some funny port, then? Or give it a long and hard to guess name, that might actually have sufficient entropy to be any use. A less-than-16-bit "random" port is rather easy to guess.

And, if you really want to do port blocking, read the pf man page. It is possible with a rule that adds IPs to tables. Perhaps after more than one knock for "added security..."

In any case, I really don't see a need for OpenBSD to support these kinds of silly things, the people who really want to do them can find their own ways.
Re: PF log parser and dynamic PF rules...
Hi again Lars... And an important addition below

On 16 feb 2010, at 11.44, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> On 16 feb 2010, at 11.11, Lars Nooden wrote:
>>
>>> http://rsug.itd.umich.edu/software/fugu/
>>
>>
>> Noop. Can't see that these will work and all phones and computers
>> seamlessly with ease of use for the users.
>
> You appear to have asked about clients for the iphone, not all phones.
> Fugu and cyberduck are very easy to use.

But the SSH session will freeze when you switch to the RSS client that is the main purpose to use, right? This as the iPhone is not multitasking with third party applications. Then it's not usable without a jailbreak of all company iPhones... Or did I miss something here?

/Per-Olov

>
>> The reason for the post was just to see if there is already any tools
>> for this purpose, which is to have log trigger in PF logfile or its
>> pflog0 device.
>
> authpf then.
>
> Note pf.conf allows you to apply filters to groups of users. See the
> 'group' parameter about 17% of the way down through pf.conf(5)
>
> Something like this:
> pass in log (to pflog2) group phoners
>
> /Lars
Re: PF log parser and dynamic PF rules...
On 2010-02-16, Per-Olov Sjöholm wrote:
> The reason is to use an RSS reader that cannot authenticate. I want some sort
> of security for it even though it's not critical.

https://some.host/super-sekrit-password-here/feed.rss gives more security than trying to use a web browser (which is highly likely to be proxied and logged by the carrier) as a port-knocking client.

And with port-knocking, how do you even know the subsequent connection will be (natted to the same source address || coming from the same http proxy)?
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.35, Bret S. Lambert wrote:

> On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote:
>>
>> On 16 feb 2010, at 11.17, Bret S. Lambert wrote:
>>
>>>>> There is a way to do port knocking in pf without any external help. Maybe
>>>>> you can figure it out. I will not give more hints since port knocking is a
>>>>> dumb idea better spend your time reading on authpf(8).
>>>>>
>>>>> --
>>>>> :wq Claudio
>>>>>
>>>>
>>>> How do you use authpf from a IPhone or similar...
>>>>
>>>> The reason is to use and RSS reader that cannot autenticate. I want some sort
>>>
>>> An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?
>>
>> Where did you get that from? I didn't say it could... No but all devices with
>> an RSS client, even phones, have a web browser that can have a bookmarked IP
>> and obscure port.
>>
>>>> of security for it even though it's not critical. Therefor I want to just have
>>>
>>> That word you keep using...I don't think it means what you think it means.
>>> Unless you've got a mechanism to randomize the ports on every port-knocking
>>> attempt, you're essentially using a plaintext password on the internet.
>>>
>>
>> None said anything about a password.. From where did you get that?
>
> I said that you're *essentially* using a plaintext password, not that
> you're *actually* using a plaintext password. My meaning was that you're
> effectively using a security model that's been known to be bad for as
> long as I've been in the tech industry.
>
>> forcing the clients to first open their browser and access a
>> specific IP and a specific port.
>
> Yes, because those are impossible for an attacker to guess.
>
>> But again, the data is not that critical.
>
> Then why care about "security" at all?
>
>> And it's not likely they will guess the link.
>
> Congratulations; I'm actually at a loss for words after reading that.

See my post to Peter H. You obviously have not worked with security and the tradeoffs you _always_ have to make.

If you don't have anything to come up with, don't bother to post.

/Per-Olov
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm wrote:
> On 16 feb 2010, at 11.11, Lars Nooden wrote:
>
>> http://rsug.itd.umich.edu/software/fugu/
>
>
> Noop. Can't see that these will work and all phones and computers
> seamlessly with ease of use for the users.

You appear to have asked about clients for the iphone, not all phones. Fugu and cyberduck are very easy to use.

> The reason for the post was just to see if there is already any tools
> for this purpose, which is to have log trigger in PF logfile or its
> pflog0 device.

authpf then.

Note pf.conf allows you to apply filters to groups of users. See the 'group' parameter about 17% of the way down through pf.conf(5)

Something like this:
pass in log (to pflog2) group phoners

/Lars
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.44, Lars Nooden wrote:

> Per-Olov Sjöholm wrote:
>> On 16 feb 2010, at 11.11, Lars Nooden wrote:
>>
>>> http://rsug.itd.umich.edu/software/fugu/
>>
>>
>> Noop. Can't see that these will work and all phones and computers
>> seamlessly with ease of use for the users.
>
> You appear to have asked about clients for the iphone, not all phones.
> Fugu and cyberduck are very easy to use.

My mistake. Sorry! It must be a solution for _any_ RSS client and a web browser.

>
>> The reason for the post was just to see if there is already any tools
>> for this purpose, which is to have log trigger in PF logfile or its
>> pflog0 device.
>
> authpf then.
>
> Note pf.conf allows you to apply filters to groups of users. See the
> 'group' parameter about 17% of the way down through pf.conf(5)
>
> Something like this:
> pass in log (to pflog2) group phoners
>
> /Lars

Yes, I have used that a few years ago. It's nice but is not doable on all clients. But maybe I could set an SSH capable client as a company requirement. Of course I agree it's a better solution if I only could limit the phones to the ones that can use an SSH client.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote:
>
> On 16 feb 2010, at 11.17, Bret S. Lambert wrote:
>
>>>> There is a way to do port knocking in pf without any external help. Maybe
>>>> you can figure it out. I will not give more hints since port knocking is a
>>>> dumb idea better spend your time reading on authpf(8).
>>>>
>>>> --
>>>> :wq Claudio
>>>>
>>>
>>> How do you use authpf from a IPhone or similar...
>>>
>>> The reason is to use and RSS reader that cannot autenticate. I want some
>>> sort
>>
>> An RSS reader that can't authenticate, but can ping a series of TCP/IP
>> ports?
>
> Where did you get that from? I didn't say it could... No but all devices with
> an RSS client, even phones, have a web browser that can have a bookmarked IP
> and obscure port.
>
>
>>> of security for it even though it's not critical. Therefor I want to just
>>> have
>>
>> That word you keep using...I don't think it means what you think it means.
>> Unless you've got a mechanism to randomize the ports on every port-knocking
>> attempt, you're essentially using a plaintext password on the internet.
>>
>
> None said anything about a password.. From where did you get that?

I said that you're *essentially* using a plaintext password, not that you're *actually* using a plaintext password. My meaning was that you're effectively using a security model that's been known to be bad for as long as I've been in the tech industry.

> forcing the clients to first open their browser and access a
> specific IP and a specific port.

Yes, because those are impossible for an attacker to guess.

> But again, the data is not that critical.

Then why care about "security" at all?

> And it's not likely they will guess the link.

Congratulations; I'm actually at a loss for words after reading that.
Offer
My name is Jean Pierre HONVI. I am a French citizen. I am a producer with a farm of 1000 hectares in Benin. With this surface I can produce food products such as lemon, pineapple, cashew nuts and much more. After production of the food, I export it to African countries. I happen to cover all of Africa this way. But this time I wish I could expand my coverage area to other countries, notably Western ones. I am looking for anyone serious who is interested in becoming a cooperation partner. That person will undertake to receive full containers of these food products for their disposal in the country. After complete delivery of the goods, they will arrange their percentage and send the rest to the cooperation. Please contact us at: honvijeanpie...@yahoo.fr
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.17, Peter N. M. Hansteen wrote:

> Per-Olov Sjöholm writes:
>
>> How do you use authpf from a IPhone or similar...
>
> There are ssh clients for iphones, just look in the app store. The
> one i ended up installing has gone up in price it seems to (shock,
> horror) NOK 35 (about USD 6), but I see one at NOK 6 (about a dollar).
>
> And of course for obscurity, you can set up the sshd on a non-standard
> port.
>
> Then again, Claudio's comment happens to be true, and now I guess some
> kid will actually figure it out, implement and write a HOWTO. Good
> thing I wasn't eating or drinking anything.

Writing a HOWTO for what? Don't get it...

I have been working with security on several platforms since 1990. Have been on OpenBSD since 2.6. You of all people, Peter, should know that it's always a tradeoff between security, ease of use and the importance of the content. I have done that tradeoff and therefore come up with this solution. I can build my own code for this, but posted to see if there was already something built.

Claudio's comment is not relevant. See reply to Bret S Lambert

/Per-Olov

>
> grmpf,
> Peter
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.17, Bret S. Lambert wrote:

>>> There is a way to do port knocking in pf without any external help. Maybe
>>> you can figure it out. I will not give more hints since port knocking is a
>>> dumb idea better spend your time reading on authpf(8).
>>>
>>> --
>>> :wq Claudio
>>>
>>
>> How do you use authpf from a IPhone or similar...
>>
>> The reason is to use and RSS reader that cannot autenticate. I want some sort
>
> An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?

Where did you get that from? I didn't say it could... No but all devices with an RSS client, even phones, have a web browser that can have a bookmarked IP and obscure port.

>
>> of security for it even though it's not critical. Therefor I want to just have
>
> That word you keep using...I don't think it means what you think it means.
> Unless you've got a mechanism to randomize the ports on every port-knocking
> attempt, you're essentially using a plaintext password on the internet.
>

None said anything about a password.. From where did you get that? I don't have a plain text password. I don't even have a password at all, as RSS readers with auth are not widely spread at all. So I don't have any auth... Just access through IP.

My data is not that critical, but as said I want to limit access a little bit by forcing the clients to first open their browser and access a specific IP and a specific port. Then the PF should trigger on that block in PF and open from the client IP to the RSS server. Of course a client can sit behind NAT and therefore give access to many computers. But again, the data is not that critical. And it's not likely they will guess the link.

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
Re: PF log parser and dynamic PF rules...
> > There is a way to do port knocking in pf without any external help. Maybe
> > you can figure it out. I will not give more hints since port knocking is a
> > dumb idea better spend your time reading on authpf(8).
> >
> > --
> > :wq Claudio
> >
>
> How do you use authpf from a IPhone or similar...
>
> The reason is to use and RSS reader that cannot autenticate. I want some sort

An RSS reader that can't authenticate, but can ping a series of TCP/IP ports?

> of security for it even though it's not critical. Therefor I want to just have

That word you keep using...I don't think it means what you think it means.
Unless you've got a mechanism to randomize the ports on every port-knocking
attempt, you're essentially using a plaintext password on the internet.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.11, Lars Nooden wrote:

> http://rsug.itd.umich.edu/software/fugu/

Nope. Can't see that these will work on all phones and computers seamlessly,
with ease of use for the users. The reason for the post was just to see if
there are already any tools for this purpose, which is to have a log trigger
on the PF logfile or its pflog0 device.

/Per-Olov
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm writes:

> How do you use authpf from a IPhone or similar...

There are ssh clients for iphones, just look in the app store. The one I
ended up installing has gone up in price it seems to (shock, horror) NOK 35
(about USD 6), but I see one at NOK 6 (about a dollar).

And of course for obscurity, you can set up the sshd on a non-standard port.

Then again, Claudio's comment happens to be true, and now I guess some kid
will actually figure it out, implement and write a HOWTO. Good thing I
wasn't eating or drinking anything.

grmpf,
Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 11.04, Floor Terra wrote:

> Why not require a authentication token in the url?
>
> On 16 Feb 2010 10:59, "Per-Olov Sjöholm" wrote:
>
> On 16 feb 2010, at 10.40, Claudio Jeker wrote:
>
>> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov...
>
> How do you use authpf from a IPhone or similar...
>
> The reason is to use and RSS reader that cannot autenticate. I want some
> sort of security for it even though it's not critical. Therefor I want to
> just have trigger in the PF log. To try to find an SSH client to use authpf
> for all RSS client capable phones is not an option.
>
> /Per-Olov

Yes, that is better, but then I have to check web server logs, enable relayd
or so. Maybe that will be the next step after this. But still... as a _test_
I just want to check PF blocks as a port knocker.

/Per-Olov
Re: PF log parser and dynamic PF rules...
Per-Olov Sjöholm wrote:

> How do you use authpf from a IPhone or similar...

Probably Fugu or Cyberduck or, if you can get a shell, plain openssh, as Fugu
is a UI for the client.

http://rsug.itd.umich.edu/software/fugu/
http://cyberduck.ch/

/Lars
Re: PF log parser and dynamic PF rules...
Why not require an authentication token in the url?

On 16 Feb 2010 10:59, "Per-Olov Sjöholm" wrote:

> On 16 feb 2010, at 10.40, Claudio Jeker wrote:
>
>> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov...
>
> How do you use authpf from a IPhone or similar...
>
> The reason is to use and RSS reader that cannot autenticate. I want some sort
> of security for it even though it's not critical. Therefor I want to just
> have trigger in the PF log. To try to find an SSH client to use authpf for
> all RSS client capable phones is not an option.
>
> /Per-Olov
Re: PF log parser and dynamic PF rules...
On 16 feb 2010, at 10.40, Claudio Jeker wrote:

> On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
>> Hi "misc"
>>
>> I am looking for a tool to use as a trigger for dynamically open PF ports from
>> certain IP:s.
>>
>> I will access non critical info but want at least a port knocker as security.
>>
>> If I access an IP on my DMZ that is not in use on a port that is fake I want
>> to dynamically add a PF rule for a totally different purpose. Let's say I
>> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
>> easiest way to create a trigger from the PF log or the PF log device?
>>
>> A cron job with grep in the PF log and then run pfctl to add the rule is from
>> many points of view a bad choice... I don't want to dig through the PF log as
>> it can be huge, and I don't want to use a cron job as it takes to long..
>>
>
> There is a way to do port knocking in pf without any external help. Maybe
> you can figure it out. I will not give more hints since port knocking is a
> dumb idea better spend your time reading on authpf(8).
>
> --
> :wq Claudio
>

How do you use authpf from an iPhone or similar...

The reason is to use an RSS reader that cannot authenticate. I want some sort
of security for it even though it's not critical. Therefore I want to just
have a trigger in the PF log. To try to find an SSH client to use authpf for
all RSS client capable phones is not an option.

/Per-Olov
Split by CUE
Hi,

What tools do you use to split .wav (.flac, .ape, etc) by CUE sheet?

Stas
Re: network performance problems
On 02/13/2010 04:44 PM, Kapetanakis Giannis wrote:

> I did a binary upgrade to latest snapshot and followed -current.
> I've seen huge improvement on server-client performance on the msk0
> (internal side) but packet forwarding didn't change at all.
>
> 4.6-release:
> server max in: 300Mbps
> server max out: 760Mbps
> forwarding max: 400 Mbps
>
> 4.7-current:
> server max in: 800Mbps (almost 3 times up)
> server max out: 650Mbps (this went down)
> forwarding max: 400Mbps (same)
>
> The errors on the msk0 also gone away.
>
> I guess the external NIC (re0) is having the problem now. It's a )$#$&%!!
> realtec. I'll try the DLINKs and report.

As Claudio has pointed out to you, try (if you can) a better driver, em(4) on
good Intel hardware NICs. I use simple Supermicro hardware with Intel NIC
PCI-E and em(4), and I move around 400/500MBps without any problem.
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
> Hi "misc"
>
> I am looking for a tool to use as a trigger for dynamically open PF ports from
> certain IP:s.
>
> I will access non critical info but want at least a port knocker as security.
>
> If I access an IP on my DMZ that is not in use on a port that is fake I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
> easiest way to create a trigger from the PF log or the PF log device?
>
> A cron job with grep in the PF log and then run pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes to long..
>

There is a way to do port knocking in pf without any external help. Maybe
you can figure it out. I will not give more hints since port knocking is a
dumb idea; better spend your time reading on authpf(8).

--
:wq Claudio
Re: PF log parser and dynamic PF rules...
On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
> Hi "misc"
>
> I am looking for a tool to use as a trigger for dynamically open PF ports from
> certain IP:s.
>
> I will access non critical info but want at least a port knocker as security.
>
> If I access an IP on my DMZ that is not in use on a port that is fake I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
> easiest way to create a trigger from the PF log or the PF log device?
>
> A cron job with grep in the PF log and then run pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes to long..
>
> Any suggestions appreciated.
>

Seriously, though: Why are you so interested in reimplementing authpf, but
doing it badly?

>
> Thanks in advance
> /Per-Olov
Re: PF log parser and dynamic PF rules...
> I will access non critical info but want at least a port knocker as security.

s/security/inappropriate self-touching/
PF log parser and dynamic PF rules...
Hi "misc"

I am looking for a tool to use as a trigger for dynamically opening PF ports
from certain IPs.

I will access non-critical info but want at least a port knocker as security.

If I access an IP on my DMZ that is not in use, on a port that is fake, I want
to dynamically add a PF rule for a totally different purpose. Let's say I
access http://1.2.3.4:45321 which is blocked and logged in PF; what is the
easiest way to create a trigger from the PF log or the PF log device?

A cron job with grep in the PF log and then running pfctl to add the rule is,
from many points of view, a bad choice... I don't want to dig through the PF
log as it can be huge, and I don't want to use a cron job as it takes too
long..

Any suggestions appreciated.

Thanks in advance
/Per-Olov
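One way to wire up the trigger the post asks about (a watcher on pflog0 that puts the knocking address into a pf table, which a separate pass rule trusts), added here as an example; it is not code from the thread or from any poster. The interface name em0, the table name knocked, the $rss_srv macro and the tcpdump line format are assumptions; the decoy port 45321 and address 1.2.3.4 are the post's own.

```shell
#!/bin/sh
# Added example, not from the thread: turn a logged block on the decoy port
# into a pf table entry so a separate pass rule admits that address to the
# RSS host.  Assumed names: external interface em0, table <knocked>, macro
# $rss_srv.  Matching pf.conf fragment (assumed):
#
#   table <knocked> persist
#   block in log on em0 proto tcp to 1.2.3.4 port 45321
#   pass in on em0 proto tcp from <knocked> to $rss_srv port 80
#
# A pflog line as printed by `tcpdump -n -e -ttt -l -i pflog0` looks roughly
# like this constructed sample:
#   Feb 16 10:22:04.123456 rule 3/(match) block in on em0: 198.51.100.7.51234 > 1.2.3.4.45321: S ...

DECOY_PORT=45321
TABLE=knocked
TTL=3600   # seconds an address stays admitted; a NAT'd knocker shares it (see post)

# extract_src LINE: print the source IPv4 address of an inbound blocked packet
# aimed at the decoy port; print nothing for any other pflog line.
extract_src() {
    printf '%s\n' "$1" | awk -v port="$DECOY_PORT" '
        /block in on/ && $0 ~ ("\\." port ": ") {
            # the field before ">" is "src.port"; drop the trailing ".port"
            for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
            sub(/\.[0-9]+$/, "", src)
            if (src != "") print src
        }'
}

# knock_loop: follow pflog0 live, add each knocker to the table and purge
# entries older than TTL (purging happens on the next knock, not on a timer).
knock_loop() {
    tcpdump -n -e -ttt -l -i pflog0 "tcp and dst port $DECOY_PORT" |
    while IFS= read -r line; do
        src=$(extract_src "$line")
        [ -n "$src" ] || continue
        pfctl -t "$TABLE" -T add "$src" >/dev/null 2>&1
        pfctl -t "$TABLE" -T expire "$TTL" >/dev/null 2>&1
    done
}

# Only start following the log when invoked as "knock.sh run", so the
# functions above can also be sourced and tested on their own.
case "${1:-}" in
    run) knock_loop ;;
esac
```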
Re: Jacek Books
On Tue, Feb 16, 2010 at 07:06:32PM +1100, SJP Lists wrote:
> On 16 February 2010 06:33, wrote:
>
> > If you want i can send you my Paypal receipts to prove it. I never received
> > the books.
> > It is a swindle ! nothing else ...
>
> I have been waiting too. But I have heard people speak of Jacek being
> ill a few times over the years, to the point that his publications get
> delayed. Leading me to think that he has something more serious than
> a cold.
>
> I'm concerned about his health first and foremost. I'm looking
> forward to the book but I don't want it hurried if the cost is his
> health.

I agree that it is not good to pay and not receive anything. So you dispute
the deal via the proper channels to get your stuff or your money back.
Breaking copyright law to get your goods is not the right way.

-Otto
Re: Jacek Books
On 16 February 2010 06:33, wrote:

> If you want i can send you my Paypal receipts to prove it. I never received
> the books.
> It is a swindle ! nothing else ...

I have been waiting too. But I have heard people speak of Jacek being ill a
few times over the years, to the point that his publications get delayed.
Leading me to think that he has something more serious than a cold.

I'm concerned about his health first and foremost. I'm looking forward to the
book but I don't want it hurried if the cost is his health.

Shane