Re: Hardware recommendations for compact 1U firewall
On 17.12.2016 02:32, Predrag Punosevac wrote:
> SYS-5018A-FTN4 are really nice boxes. This one has 16GB of RAM and was

btw.. just got SYS-1028R-WMRT and the dual I350 isn't "supported", likely because of the weird PPB/riser.

-- pb
Re: Hardware recommendations for compact 1U firewall
On Sat, Dec 17, 2016 at 01:08:50PM +1100, Damian McGuckin wrote:
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?

I doubt it would. One limiting factor is the number of packets per second. At some point the packets-per-second rate will trigger livelock countermeasures which deliberately slow things down to prevent an interrupt storm from locking up the system.

You could do some measurements with tcpbench(1) to find exact figures. Make sure to test several sizes of packets, since smaller packets trigger more interrupts per second.
Re: Hardware recommendations for compact 1U firewall
On 12/14/16 20:39, Aaron Mason wrote:
> All
>
> I'm looking for a 1U appliance that I can re-purpose into a firewall
> using OpenBSD. I've tried the near-free method by using an old Lacie
> Ethernet Disk appliance I had lying around, but it turns out the
> onboard SATA chipset is toast on this particular unit (it freezes at
> CDBOOT when it detects hard drives and the BIOS freezes when I set it
> to IDE mode with drives attached, plus it only has one onboard NIC and
> one PCI slot, so I can't install another SATA card without removing
> the other NIC I installed), so I'm looking for other options that fit
> a limited budget.

heh. Little secret: if you look in many data centers, you will find lots of 1U boxes with various titles -- security appliances, load balancing devices, etc. A lot of them, under the covers, are just PCs. And a lot of data centers have 'em rotting on the racks after they have been turned off and replaced, but no motivation to remove them.

Just cleaned out some stuff from one of our data centers -- we had three authentication devices and a couple "security appliances" that all turned out to have the same SuperMicro board in them...some with Pentium D, others with P4s...but both could pump a lot of packets through gigabit NICs (two on board). The security appliances were kinda cool in that they have an LCD screen that looks like it could be accessed through a USB serial port (better yet, when you powered up the box, the LCD panel put up an advertisement, not for the security appliance maker, but for the LCD panel...including a website. Bet there are docs there! :) (I once programmed the LCD panel of a Novell server to say, "WINDOWS SUCKS". Wasn't noticed for years, but when it was, my name was quickly assumed as being responsible.)

We also had a couple odd little "load balancers" -- five NIC ports. My coworkers were skeptical about it being a standard PC under the cover.
Haven't tried to boot OpenBSD on them yet, but turns out the thing has a 128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and a SATA hard disk in the box. Again, all in one U. And I'll admit there's a certain fun in bringing up another OS on something like that. And I HAVE to at least try to bring up OpenBSD on them...so I can wipe the media before the hw is disposed of. (Company policy says "overwrite entire disk with random data", who's got the fastest random number generator in town? OpenBSD, of course!) Nick.
Re: Hardware recommendations for compact 1U firewall
While everybody is talking about hardware, I noticed that some of you have flicked your Soekris Net5501 boards. We are upgrading from 20Mbps links to 100Mbps links and, as a result of this discussion, I am wondering whether it would be a wise move on our part to consider replacing them. Rock solid little units.

What is the max throughput people have seen on these? Assuming traffic going between say 'vr0' and 'vr1', will a Net5501 board sustain 100Mbps?

Thanks - Damian
Re: Hardware recommendations for compact 1U firewall
Hrvoje Popovski wrote:
> On 15.12.2016. 12:30, Stuart Henderson wrote:
> > If you want to cut down on weight+noise at the expense of more cost
> > and a less powerful cpu, maybe APU2 in a 1U case or something like
> > supermicro SYS-5018A-FTN4.
>
> has anyone a dmesg from a SYS-5018A-FTN4 box? I'm interested in Intel QAT
>
> thank you ...

SYS-5018A-FTN4 are really nice boxes. This one has 16GB of RAM and was hosting a half-dozen jail instances on top of a ZFS mirror. Please see the dmesg below. I just got another 16 GB of RAM. You can put up to 64 GB of RAM in it, but it is not cheap due to the size of the modules. I am planning to migrate services to OpenBSD as I am in the process of purging FreeBSD from our organization. Currently we have 3 SYS-5018A-FTN4 and are buying more.

This is my favorite eBay seller and they have lots of nice network equipment for home, small, and large business.

http://stores.ebay.com/MITXPC/

Best,
Predrag

Copyright (c) 1992-2016 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.3-RELEASE-p5 #0: Thu Jun 30 03:52:15 UTC 2016
    r...@amd64-builder.pcbsd.org:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
VT(vga): resolution 640x480
KLD file ipmi.ko is missing dependencies
CPU: Intel(R) Atom(TM) CPU  C2758  @ 2.40GHz (2400.06-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x406d8  Family=0x6  Model=0x4d  Stepping=8
  Features=0xbfebfbff
  Features2=0x43d8e3bf
  AMD Features=0x28100800
  AMD Features2=0x101
  Structured Extended Features=0x2282
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
  TSC: P-state invariant, performance statistics
real memory  = 19327352832 (18432 MB)
avail memory = 16525938688 (15760 MB)
Event timer "LAPIC" quality 600
ACPI APIC Table:
FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs
FreeBSD/SMP: 1 package(s) x 8 core(s)
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  2
 cpu2 (AP): APIC ID:  4
 cpu3 (AP): APIC ID:  6
 cpu4 (AP): APIC ID:  8
 cpu5 (AP): APIC ID: 10
 cpu6 (AP): APIC ID: 12
 cpu7 (AP): APIC ID: 14
random: initialized
ioapic0 irqs 0-23 on motherboard
module_register_init: MOD_LOAD (vesa, 0x80dc6500, 0) error 19
kbd1 at kbdmux0
cryptosoft0: on motherboard
aesni0: on motherboard
acpi0: on motherboard
acpi0: Power Button (fixed)
cpu0: on acpi0
cpu1: on acpi0
cpu2: on acpi0
cpu3: on acpi0
cpu4: on acpi0
cpu5: on acpi0
cpu6: on acpi0
cpu7: on acpi0
hpet0: iomem 0xfed0-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 950
Event timer "HPET" frequency 14318180 Hz quality 350
Event timer "HPET1" frequency 14318180 Hz quality 340
Event timer "HPET2" frequency 14318180 Hz quality 340
atrtc0: port 0x70-0x77 irq 8 on acpi0
atrtc0: Warning: Couldn't map I/O.
Event timer "RTC" frequency 32768 Hz quality 0
attimer0: port 0x40-0x43,0x50-0x53 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pcib1: mem 0xdf2e-0xdf2f irq 16 at device 1.0 on pci0
pci1: on pcib1
pcib2: at device 0.0 on pci1
pci2: on pcib2
vgapci0: port 0xd000-0xd07f mem 0xde00-0xdeff,0xdf00-0xdf01 irq 16 at device 0.0 on pci2
vgapci0: Boot video device
pcib3: mem 0xdf2c-0xdf2d irq 16 at device 2.0 on pci0
pci3: on pcib3
xhci0: mem 0xdf10-0xdf101fff irq 17 at device 0.0 on pci3
xhci0: 64 bytes context size, 32-bit DMA
usbus0 on xhci0
pcib4: mem 0xdf2a-0xdf2b irq 20 at device 3.0 on pci0
pci4: on pcib4
pci0: at device 11.0 (no driver attached)
pci0: at device 15.0 (no driver attached)
igb0: port 0xe080-0xe09f mem 0xdf26-0xdf27,0xdf30c000-0xdf30 irq 20 at device 20.0 on pci0
igb0: Using MSIX interrupts with 9 vectors
igb0: Ethernet address: 0c:c4:7a:68:c9:08
igb0: Bound queue 0 to cpu 0
igb0: Bound queue 1 to cpu 1
igb0: Bound queue 2 to cpu 2
igb0: Bound queue 3 to cpu 3
igb0: Bound queue 4 to cpu 4
igb0: Bound queue 5 to cpu 5
igb0: Bound queue 6 to cpu 6
igb0: Bound queue 7 to cpu 7
igb1: port 0xe060-0xe07f mem 0xdf24-0xdf25,0xdf308000-0xdf30bfff irq 21 at device 20.1 on pci0
igb1: Using MSIX interrupts with 9 vectors
igb1: Ethernet address: 0c:c4:7a:68:c9:09
igb1: Bound queue 0 to cpu 0
igb1: Bound queue 1 to cpu 1
igb1: Bound queue 2 to cpu 2
igb1: Bound queue 3 to cpu 3
igb1: Bound queue 4 to cpu 4
igb1: Bound queue 5 to cpu 5
igb1: Bound queue 6 to cpu 6
igb1: Bound queue 7 to cpu 7
igb2: port 0xe040-0xe05f mem 0xdf22-0xdf23,0xdf304000-0xdf307fff irq 22 at device 20.2 on pci0
igb2: Using MSIX interrupts with 9 vectors
igb2: Ethernet address: 0c:c4:7a:68:c9:0a
igb2: Bound
Re: Theo de Raadt and official developers of OpenBSD, please follow the "heart of the letters"!
You know, I can't code. So I've learned to shut the fuck up.

Sent from my BlackBerry 10 smartphone.

Original Message
From: SOUL_OF_ROOT 55
Sent: Friday 16 December 2016 22:42
To: misc@openbsd.org
Subject: Theo de Raadt and official developers of OpenBSD, please follow the "heart of the letters"!

Theo de Raadt and official developers of OpenBSD, please follow the "heart of the letters"!

What is up with some free software providers?! They say "Here's something free! Oh wait, I changed my mind."

David Dawes worked for years with a team of developers to make a free X11 distribution for us to use, called XFree86, 98% of which was based on entirely free code from MIT. Suddenly, one day, he decided that we must give him more credit (ie. advertise his name) or stop using it. Within about 4 months every project had told him to get stuffed, and the community has created a replacement effort. Now his team cannot even keep their web pages up to date...

OpenBSD was the first operating system to integrate a packet filter, and it was the ipf codebase from Darren Reed that we chose. But a few years later he told us that we were not free to make changes to the code. So we deleted ipf, and our new packet filter far exceeds the capabilities of the one he wrote. And other projects are switching too...

The Apache group started from the humble beginnings of just being 'a patchy' set of changes to a completely free web server of dubious quality. But the years have changed them, and what they supply is now quite non-free... released under a license so entangled in legalese that we have absolutely no doubt that there are encumbrances hidden within.

Legal terms protect. Who are they protecting? Not your freedom.

reference: https://www.openbsd.org/lyrics.html#36

What are the other groups who have made this Free-to-Non-Free transition before and after the existence of OpenBSD?
Re: Hardware recommendations for compact 1U firewall
On 12/15/16 12:07, Ryan Freeman wrote:
On Thu, Dec 15, 2016 at 11:30:31AM +, Stuart Henderson wrote:
On 2016-12-15, Aaron Mason wrote:

All

I'm looking for a 1U appliance that I can re-purpose into a firewall using OpenBSD. I've tried the near-free method by using an old Lacie Ethernet Disk appliance I had lying around, but it turns out the onboard SATA chipset is toast on this particular unit (it freezes at CDBOOT when it detects hard drives and the BIOS freezes when I set it to IDE mode with drives attached, plus it only has one onboard NIC and one PCI slot, so I can't install another SATA card without removing the other NIC I installed), so I'm looking for other options that fit a limited budget.

The most important criteria are that it must be 1U and it must fit within a 420mm (~16.5") space (for reasons I will explain below). I have a couple of Sun Netra X1s that meet the need, but I can't push more than ~60mbps over the onboard FE ports and they run quite hot to the point of causing kernel panics.

Can you get anything in your price range with a single NIC and USB? The axe driver seems to work pretty well.

I bought a USB GE nic for under $30 US. It seems to work well on a USB extension cord. That's what I use for my firewall machine. I haven't tried very hard but I know it can transfer over 100mb/sec.

Geoff Steckel
Theo de Raadt and official developers of OpenBSD, please follow the "heart of the letters"!
Theo de Raadt and official developers of OpenBSD, please follow the "heart of the letters"!

What is up with some free software providers?! They say "Here's something free! Oh wait, I changed my mind."

David Dawes worked for years with a team of developers to make a free X11 distribution for us to use, called XFree86, 98% of which was based on entirely free code from MIT. Suddenly, one day, he decided that we must give him more credit (ie. advertise his name) or stop using it. Within about 4 months every project had told him to get stuffed, and the community has created a replacement effort. Now his team cannot even keep their web pages up to date...

OpenBSD was the first operating system to integrate a packet filter, and it was the ipf codebase from Darren Reed that we chose. But a few years later he told us that we were not free to make changes to the code. So we deleted ipf, and our new packet filter far exceeds the capabilities of the one he wrote. And other projects are switching too...

The Apache group started from the humble beginnings of just being 'a patchy' set of changes to a completely free web server of dubious quality. But the years have changed them, and what they supply is now quite non-free... released under a license so entangled in legalese that we have absolutely no doubt that there are encumbrances hidden within.

Legal terms protect. Who are they protecting? Not your freedom.

reference: https://www.openbsd.org/lyrics.html#36

What are the other groups who have made this Free-to-Non-Free transition before and after the existence of OpenBSD?
spamd and network whitelisting
I would like to share my 45-day experience with running spamd, my observations, and how I'm allowing mail from SMTP clusters to bypass spamd. Feedback and discussion would be greatly appreciated.

I have two domains that I have been using for my businesses: one is 13 years old and the other is 8 years old. I had never had a spam problem until about six months ago. In October I was getting about 100-200 spams per day per domain. The spam rate was increasing from month to month. All mail was going directly to my OpenSMTPD. I was not using filtering of any kind, so the signal-to-noise was very low, and frustrating.

So I read the spamd and related man pages and enabled spamd on my firewall on November 1. I was astonished! I literally got 6 spam emails that first week for both domains! However, the big problem was that I also wasn't getting legitimate business emails that were sent from SMTP clusters/pools.

After studying my logs, tweaking spamd(8) flags, and looking at external solutions (DNSBL, SPF, reverse IP verification), I had some observations and discovered some patterns. Here's the solution I'd like to share: I wrote two very small scripts: spamd-dnsbl and spamclusterd. These scripts work together to keep spam to a minimum while passing all legitimate email (in my case so far).

1) spamd-dnsbl: Queries a DNSBL using the IPs in spamdb(8). If an IP is on a blacklist it is added as a TRAPPED entry in the spamdb. The script only checks IPs which have been added since the last run. Currently, only the zen.spamhaus.org DNSBL is queried because I found it to be the most accurate of all those listed at http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists. Alternatively, multiple DNSBLs could be queried and the results used in aggregate to determine spam status, and thus promotion to TRAPPED.

2) spamclusterd: Queries spamdb(8) for networks to whitelist, which it adds to a pf table that bypasses spamd.
So before this script gets carried away allowing IP blocks to bypass spamd, the spamdb(8) is first pruned of spammers using the spamd-dnsbl script.

I've only been running this setup for about 30 days, but I haven't missed an email yet; plus spam is still about 1 per day across both domains. I receive emails from all the common SMTP clusters, such as Gmail, Microsoft (hotmail.com, outlook.com, msn.com, etc.), and Yahoo, but also US government agencies such as mail.mil, usmc.mil, uscg.mil, irs.gov, etc. I noticed a pattern of commonalities among these legitimate sending clusters:

1. The envelope's from and to addresses are identical across tuples.
2. The HELOs are very similar, with the TLD from each tuple almost certainly the same.
3. They make multiple attempts from different IP addresses; however, the IPs differ only by a few bits. (Caveat: I'm only using IPv4.)

These 3 points are the basis of spamclusterd. How it works is: if there are two or more GREY tuples with matching "to" and "from" addresses, HELOs with matching TLDs, and IPs with matching network bits (/24), then add the /24 network to the spamd-cluster table in pf, which bypasses spamd. I was going to get fancy and do an SPF lookup and try to determine the exact network to whitelist, but simply whitelisting a 256-IP block seems good enough. Once in a while the subsequent client IP will be outside this block, but the /24 seems to work better than 90% of the time. Currently, just two client IPs from the same /24 network is enough to get that network whitelisted, which seems like a low bar. However, with the prior DNSBL pruning, this seems sufficient for now.

## Some other observations ##

Spammers, even if sending from the same IP or IP network and regardless of the TO address, tend to randomize the FROM and/or HELO. Therefore, in the case of my spamclusterd script, whitelisting a spammer is less likely when ensuring both HELO and FROM match for multiple tuples.
These IPs will then continue to deal with spamd, and it's business as usual.

I initially tried setting a 1 minute passtime and a 12 hour greyexp for spamd (i.e. -G 1:12:864) in hopes of eventually whitelisting a client IP, originating from a cluster, that had reattempted within that large window. However, in my first week, I missed a couple of Gmails which were resent for 5+ days and ultimately failed to deliver. What was interesting was that one of the Google server IPs retried after 12 hours and 3 minutes, just missing the grey window, while others retried after 24 hours. I now set -G 1:10:1080.

It seems safe to assume a spammer if the reverse IP lookup returns NXDOMAIN and the IP is on at least 1 reputable DNSBL, or if the lookup returns SERVFAIL after two attempts.

Using SPF seems unreliable as of 11/22/16. I tested SPF on hundreds of IPs in spamdb using the ruby spf gem. More than half the IPs did not specify SPF or it failed in some way.

If the envelope's "from" is our domain (i.e., to and from addresses are the same domain), it is definitely a spamm
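The clustering rule described in the post above, worked through as an added example. This is not the poster's spamd-dnsbl or spamclusterd (neither script is on the page); it is a stand-alone Python rendering of the three criteria (same envelope from/to, matching HELO domain, same /24) applied to constructed spamdb(8) output, with TRAPPED addresses pruned first, plus the reversed-octet query name the DNSBL step needs. Assumptions: the spamdb(8) field layout shown in the docstring, the post's "matching TLD" rule read as the HELO's last two labels (e.g. bigmail.example), and the pf table name spamd-cluster taken from the post. Function names are this example's own.

```python
"""
Added example, not the poster's scripts: spamclusterd-style /24 clustering
over spamdb(8) GREY tuples, after spamd-dnsbl-style TRAPPED pruning.

Assumed spamdb(8) output layout (see spamdb(8)):
  GREY|ip|helo|from|to|first|pass|expire|block|passcount
  TRAPPED|ip|expire
"""
import ipaddress
from collections import defaultdict

# Constructed sample of `spamdb` output (documentation address ranges).
# 203.0.113.0/24: two tuples, same from/to, same HELO domain   -> cluster
# 198.51.100.0/24: two tuples, randomized from/HELO            -> no cluster
# 192.0.2.0/24:    two tuples, but .41 was trapped by the DNSBL -> no cluster
SAMPLE_SPAMDB = """\
GREY|203.0.113.10|mail-a.bigmail.example|alice@bigmail.example|bob@ourdomain.example|1481900000|0|1481936000|1|0
GREY|203.0.113.77|mail-b.bigmail.example|alice@bigmail.example|bob@ourdomain.example|1481900400|0|1481936400|1|0
GREY|198.51.100.5|xk3f.example.net|spam1@random.example|bob@ourdomain.example|1481900000|0|1481936000|1|0
GREY|198.51.100.6|q9zz.example.org|spam2@other.example|bob@ourdomain.example|1481900100|0|1481936100|1|0
GREY|192.0.2.40|relay1.agency.example|carol@agency.example|bob@ourdomain.example|1481900000|0|1481936000|1|0
GREY|192.0.2.41|relay2.agency.example|carol@agency.example|bob@ourdomain.example|1481900200|0|1481936200|1|0
TRAPPED|192.0.2.41|1481990000
"""


def helo_domain(helo):
    """'mail-a.bigmail.example' -> 'bigmail.example' (assumed reading of the post's HELO TLD rule)."""
    labels = helo.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_spamdb(text):
    """Split spamdb output into GREY tuples and the set of TRAPPED addresses."""
    greys, trapped = [], set()
    for line in text.splitlines():
        f = line.split("|")
        if f[0] == "GREY" and len(f) >= 5:
            greys.append({"ip": f[1], "helo": f[2], "from": f[3].lower(), "to": f[4].lower()})
        elif f[0] == "TRAPPED" and len(f) >= 2:
            trapped.add(f[1])
    return greys, trapped


def cluster_networks(greys, trapped, prefixlen=24, min_hosts=2):
    """Networks whose distinct, non-trapped client IPs share from, to and HELO domain."""
    groups = defaultdict(set)
    for g in greys:
        if g["ip"] in trapped:
            continue  # DNSBL pruning happens before whitelisting, as in the post
        try:
            addr = ipaddress.IPv4Address(g["ip"])
        except ipaddress.AddressValueError:
            continue  # IPv6 not handled (the post's caveat)
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[(g["from"], g["to"], helo_domain(g["helo"]), net)].add(addr)
    return sorted({str(key[3]) for key, addrs in groups.items() if len(addrs) >= min_hosts})


def pfctl_commands(networks, table="spamd-cluster"):
    """The pfctl(8) invocations that would add each network to the bypass table."""
    return [f"pfctl -t {table} -T add {n}" for n in networks]


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets for a DNSBL lookup: 203.0.113.10 -> 10.113.0.203.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(answers):
    """Spamhaus answers with A records in 127.0.0.0/8 for listed hosts; no answer (NXDOMAIN) means not listed."""
    return any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8") for a in answers)


if __name__ == "__main__":
    greys, trapped = parse_spamdb(SAMPLE_SPAMDB)
    for cmd in pfctl_commands(cluster_networks(greys, trapped)):
        print(cmd)
    print(dnsbl_query_name("203.0.113.10"))
```

In a live setup the text would come from running `spamdb` and the commands would be executed rather than printed; the sample is chosen so the two failure modes the post discusses are visible: a /24 with randomized FROM/HELO never clusters, and a /24 loses its second witness when the DNSBL traps one of its hosts. Whitelisting a whole /24 on two witnesses is as coarse as the post says it is; raising min_hosts or narrowing prefixlen is the obvious knob.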
httpd weirdness ("connection max request body")
Hello,

I noticed a weird thing which I can not explain. To me it feels like a bug with httpd, or some feature that I have misunderstood.

I have a server running 6.0-stable. It runs httpd with both the roundcube and owncloud ports. The server has only one NIC with only one public IP address.

Sometimes owncloud did not sync some files that I tried to sync with the client. It was always the same files that failed, but I was not able to see a pattern of which files failed. I noticed lines like this in /var/www/logs/access.log for the failed files:

mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:25 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0

The strange thing with this log entry is that the owncloud client syncs to the address https://cloud.example.se/owncloud but the log entry states mail.example.se. All the successfully synced files had status 2xx with the correct cloud.example.se address. mail.example.se is the address to roundcube. cloud.example.se is the address to owncloud. HTTP response code 413 is entity too large.

I added connection max request body 10737418240 to mail.example.se in httpd.conf, and the problem went away. I already had that line for cloud.example.se since before.
Now this:

# grep Viruses.epub /var/www/logs/access.log
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:25 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:26 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:26 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
cloud.example.se 6.6.6.6 - - [16/Dec/2016:12:05:07 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%20Planet%20of%20Viruses.epub HTTP/1.1" 201 0
#

So the last log entry shows the successful sync with the correct FQDN and the same IP address as with the wrong FQDN earlier. I would have expected this line to have the same wrong FQDN, since all I did was change the "connection max request body" for the wrong FQDN.

Now my questions.

Why did owncloud sync some files to mail.example.se instead of cloud.example.se?
Why does it work as supposed to after I raised the file upload limit for mail.example.se?
Is it possible to have different "connection max request body" values for the different servers?
Am I doing something wrong in httpd.conf?
Here is my httpd.conf:

# cat /etc/httpd.conf
# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
# prefork 3

#
# Servers
#

# Include MIME types instead of the built-in ones
types {
	include "/usr/share/misc/mime.types"
	# include "/var/www/etc/mime.types"
}

server "mail.example.se" {
	listen on * tls port 443
	root "/roundcubemail"
	directory index index.php
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
	tls certificate "/etc/ssl/acme/fullchain.pem"
	tls key "/etc/ssl/acme/private/privkey.pem"
	# Set max upload size to 10GiB (in bytes)
	connection max request body 10737418240
	# This line was added to solve this particular problem, even though
	# the problem has nothing to do with roundcubemail.
}

server "server.example.se" {
	listen on * tls port 443
	root "/htdocs"
	tls certificate "/etc/ssl/acme/fullchain.pem"
	tls key "/etc/ssl/acme/private/privkey.pem"
}

server "cloud.example.se" {
	listen on * tls port 443
	# Set max upload size to 10GiB (in bytes)
	connection max request body 10737418240
	# First deny access to the specified files
	location "/db_structure.xml" { block }
	location "/.ht*" { block }
	location "/README" { block }
	location "/data*" { block }
	location "/config*" { block }
	location "/*.php*" {
		root { "/owncloud", strip 1 }
		fastcgi socket "/run/php-fpm.sock"
	}
	location "/*" {
		root { "/owncloud", strip 1 }
	}
	tls certificate "/etc/ssl/acme/fullchain.pem"
	tls key "/etc/ssl/acme/private/privkey.pem"
}

server "default" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
	}
}

NOTE: I have censored the IP addresses and the domain names.

Thanks in advance!
Re: OpenBSD green computing tips
> - adaptive fan speed (??)

Can often be set to "auto" in BIOS.

> - lcd (??)

wsdisplay(4) WSDISPLAYIO_PARAM_BACKLIGHT

> - cdrom (??)

Unplug it?

> - hard-drives (??)

atactl(8) or use solid-state.

> - usb (??)

Unplug it?

> - 802.11 power-saving (??)

Don't transmit packets.

> - vmd (suspending/hibernation for vms?)

Does vmctl stop not do what you want?

> What are your experiences with decreasing energy usage of OpenBSD boxes - laptops but also home-servers.

Two tips:
* only decrease energy usage when it's worth it
* use modern but modest hardware.

--
Made with Opera's e-mail program: http://www.opera.com/mail/