Re: Hardware recommendations for compact 1U firewall

2016-12-16 Thread Philipp Buehler

On 17.12.2016 02:32, Predrag Punosevac wrote:

> SYS-5018A-FTN4 are really nice boxes. This one has 16GB of RAM and was


btw.. just got SYS-1028R-WMRT and the dual I350 isn't "supported", likely 
because of the weird PPB/riser.


--
pb



Re: Hardware recommendations for compact 1U firewall

2016-12-16 Thread Stefan Sperling
On Sat, Dec 17, 2016 at 01:08:50PM +1100, Damian McGuckin wrote:
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?

I doubt it would. One limiting factor being the number of packets per second.
At some point the packets-per-second rate will trigger livelock countermeasures
which deliberately slow things down to prevent an interrupt storm from locking
up the system.

You could do some measurements with tcpbench(1) to find exact figures.
Make sure to test several sizes of packets, since smaller packets trigger
more interrupts per second.



Re: Hardware recommendations for compact 1U firewall

2016-12-16 Thread Nick Holland
On 12/14/16 20:39, Aaron Mason wrote:
> All
> 
> I'm looking for a 1U appliance that I can re-purpose into a firewall
> using OpenBSD.  I've tried the near-free method by using an old Lacie
> Ethernet Disk appliance I had lying around, but it turns out the
> onboard SATA chipset is toast on this particular unit (it freezes at
> CDBOOT when it detects hard drives and the BIOS freezes when I set it
> to IDE mode with drives attached, plus it only has one onboard NIC and
> one PCI slot, so I can't install another SATA card without removing
> the other NIC I installed), so I'm looking for other options that fit
> a limited budget.

heh.  Little secret: if you look in many data centers, you will find
lots of 1U boxes with various titles -- security appliances, load
balancing devices, etc.  A lot of them, under the covers, are just PCs.
And a lot of data centers have 'em rotting on the racks after they have
been turned off and replaced, but no motivation to remove them.

Just cleaned out some stuff from one of our data centers -- we had
three authentication devices and a couple "security appliances" that all
turned out to have the same SuperMicro board on them...some with Pentium
D, others with P4s...but both could pump a lot of packets through
gigabit NICs (two on board).  The security appliances were kinda cool in
that they have a LCD screen that looks like it could be accessed through
a USB serial port (better yet, when you powered up the box, the LCD
panel put up an advertisement, not for the security appliance maker, but
for the LCD panel...including a website.  Bet there are docs there! :)
(I once programmed the LCD panel of a Novell server to say, "WINDOWS
SUCKS".  Wasn't noticed for years, but when it was, my name was quickly
assumed as being responsible)

We also had a couple odd little "load balancers" -- five NIC ports.  My
coworkers were skeptical about it being a standard PC under the cover.
Haven't tried to boot OpenBSD on them yet, but turns out the thing has a
128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and
a SATA hard disk in the box.  Again, all in one U.

And I'll admit there's a certain fun in bringing up another OS on
something like that.  And I HAVE to at least try to bring up OpenBSD on
them...so I can wipe the media before the hw is disposed of.  (Company
policy says "overwrite entire disk with random data", who's got the
fastest random number generator in town?  OpenBSD, of course!)

Nick.



Re: Hardware recommendations for compact 1U firewall

2016-12-16 Thread Damian McGuckin

While everybody is talking about hardware, I noticed that some of you
have flicked your Soekris Net 5501 boards.

We are upgrading from 20Mbps links to 100Mbps links and as a result of 
this discussion, I am wondering whether it would be a wise move on our part 
to consider replacing them. Rock solid little units.


What is the max throughput people have seen on these?

Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
board sustain 100Mbps?

Thanks - Damian



Re: Hardware recommendations for compact 1U firewall

2016-12-16 Thread Predrag Punosevac
Hrvoje Popovski wrote:
> 
> On 15.12.2016. 12:30, Stuart Henderson wrote:
> > If you want to cut down on weight+noise at the expense of more cost
> > and a less powerful cpu, maybe APU2 in a 1U case or something like
> > supermicro SYS-5018A-FTN4.
> 
> has anyone dmesg from SYS-5018A-FTN4 box? i'm interested in intel qat
> 
> thank you ...

SYS-5018A-FTN4 are really nice boxes. This one has 16GB of RAM and was
hosting half-dozen of Jail instances on the top of ZFS mirror. Please
see the dmesg below. I just got another 16 GB of RAM. You can put up to
64 GB of RAM but it is not cheap due to the size of modules. I am
planning to migrate services to OpenBSD as I am in the process of
purging FreeBSD from our organization. Currently we have 3
SYS-5018A-FTN4 and buying more.


This is my favorite Ebay seller and they have lots of nice network
equipment for home, small, and large business. 

http://stores.ebay.com/MITXPC/


Best,
Predrag

Copyright (c) 1992-2016 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.3-RELEASE-p5 #0: Thu Jun 30 03:52:15 UTC 2016
r...@amd64-builder.pcbsd.org:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
VT(vga): resolution 640x480
KLD file ipmi.ko is missing dependencies
CPU: Intel(R) Atom(TM) CPU  C2758  @ 2.40GHz (2400.06-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x406d8  Family=0x6  Model=0x4d  Stepping=8
  
Features=0xbfebfbff
  
Features2=0x43d8e3bf
  AMD Features=0x28100800
  AMD Features2=0x101
  Structured Extended Features=0x2282
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
  TSC: P-state invariant, performance statistics
real memory  = 19327352832 (18432 MB)
avail memory = 16525938688 (15760 MB)
Event timer "LAPIC" quality 600
ACPI APIC Table: 
FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs
FreeBSD/SMP: 1 package(s) x 8 core(s)
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  2
 cpu2 (AP): APIC ID:  4
 cpu3 (AP): APIC ID:  6
 cpu4 (AP): APIC ID:  8
 cpu5 (AP): APIC ID: 10
 cpu6 (AP): APIC ID: 12
 cpu7 (AP): APIC ID: 14
random:  initialized
ioapic0  irqs 0-23 on motherboard
module_register_init: MOD_LOAD (vesa, 0x80dc6500, 0) error 19
kbd1 at kbdmux0
cryptosoft0:  on motherboard
aesni0:  on motherboard
acpi0:  on motherboard
acpi0: Power Button (fixed)
cpu0:  on acpi0
cpu1:  on acpi0
cpu2:  on acpi0
cpu3:  on acpi0
cpu4:  on acpi0
cpu5:  on acpi0
cpu6:  on acpi0
cpu7:  on acpi0
hpet0:  iomem 0xfed0-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 950
Event timer "HPET" frequency 14318180 Hz quality 350
Event timer "HPET1" frequency 14318180 Hz quality 340
Event timer "HPET2" frequency 14318180 Hz quality 340
atrtc0:  port 0x70-0x77 irq 8 on acpi0
atrtc0: Warning: Couldn't map I/O.
Event timer "RTC" frequency 32768 Hz quality 0
attimer0:  port 0x40-0x43,0x50-0x53 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
pcib0:  port 0xcf8-0xcff on acpi0
pci0:  on pcib0
pcib1:  mem 0xdf2e-0xdf2f irq 16 at device 1.0 on 
pci0
pci1:  on pcib1
pcib2:  at device 0.0 on pci1
pci2:  on pcib2
vgapci0:  port 0xd000-0xd07f mem 
0xde00-0xdeff,0xdf00-0xdf01 irq 16 at device 0.0 on pci2
vgapci0: Boot video device
pcib3:  mem 0xdf2c-0xdf2d irq 16 at device 2.0 on 
pci0
pci3:  on pcib3
xhci0:  mem 0xdf10-0xdf101fff irq 17 at 
device 0.0 on pci3
xhci0: 64 bytes context size, 32-bit DMA
usbus0 on xhci0
pcib4:  mem 0xdf2a-0xdf2b irq 20 at device 3.0 on 
pci0
pci4:  on pcib4
pci0:  at device 11.0 (no driver attached)
pci0:  at device 15.0 (no driver attached)
igb0:  port 
0xe080-0xe09f mem 0xdf26-0xdf27,0xdf30c000-0xdf30 irq 20 at device 
20.0 on pci0
igb0: Using MSIX interrupts with 9 vectors
igb0: Ethernet address: 0c:c4:7a:68:c9:08
igb0: Bound queue 0 to cpu 0
igb0: Bound queue 1 to cpu 1
igb0: Bound queue 2 to cpu 2
igb0: Bound queue 3 to cpu 3
igb0: Bound queue 4 to cpu 4
igb0: Bound queue 5 to cpu 5
igb0: Bound queue 6 to cpu 6
igb0: Bound queue 7 to cpu 7
igb1:  port 
0xe060-0xe07f mem 0xdf24-0xdf25,0xdf308000-0xdf30bfff irq 21 at device 
20.1 on pci0
igb1: Using MSIX interrupts with 9 vectors
igb1: Ethernet address: 0c:c4:7a:68:c9:09
igb1: Bound queue 0 to cpu 0
igb1: Bound queue 1 to cpu 1
igb1: Bound queue 2 to cpu 2
igb1: Bound queue 3 to cpu 3
igb1: Bound queue 4 to cpu 4
igb1: Bound queue 5 to cpu 5
igb1: Bound queue 6 to cpu 6
igb1: Bound queue 7 to cpu 7
igb2:  port 
0xe040-0xe05f mem 0xdf22-0xdf23,0xdf304000-0xdf307fff irq 22 at device 
20.2 on pci0
igb2: Using MSIX interrupts with 9 vectors
igb2: Ethernet address: 0c:c4:7a:68:c9:0a
igb2: Bound 

Re: Theo de Raadt and official developers of OpenBSD, please follow the "heart of the letters"!

2016-12-16 Thread Vivek Vinod
You know, I can't code. 

So I've learned to shut the fuck up.

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: SOUL_OF_ROOT 55
Sent: Friday 16 December 2016 22:42
To: misc@openbsd.org
Subject: Theo de Raadt and official developers of OpenBSD, please follow the
"heart of the letters"!

Theo de Raadt and official developers of OpenBSD, please follow the "heart
of the letters"!

What is up with some free software providers?! They say "Here's something
free! Oh wait, I changed my mind."

David Dawes worked for years with a team of developers to make a free
X11 distribution for us to use, called XFree86, 98% of which was based on
entirely free code from MIT. Suddenly, one day, he decided that we must
give him more credit (ie. advertise his name) or stop using it. Within
about 4 months every project had told him to get stuffed, and the community
has created a replacement effort. Now his team cannot even keep their web
pages up to date...

OpenBSD was the first operating system to integrate a packet filter,
and it was the ipf codebase from Darren Reed that we chose. But a few years
later he told us that we were not free to make changes to the code. So we
deleted ipf, and our new packet filter far exceeds the capabilities of the
one he wrote. And other projects are switching too...

The Apache group started from the humble beginnings of just being 'a
patchy' set of changes to a completely free web server of dubious quality.
But the years have changed them, and what they supply is now quite
non-free... released under a license so entangled in legalese that we have
absolutely no doubt that there are encumbrances hidden within. Legal terms
protect. Who are they protecting? Not your freedom.

reference: https://www.openbsd.org/lyrics.html#36

What are the other groups who have made this Free-to-Non-Free transition
before and after the existence of OpenBSD?



Re: Hardware recommendations for compact 1U firewall

2016-12-16 Thread gwes

On 12/15/16 12:07, Ryan Freeman wrote:
> On Thu, Dec 15, 2016 at 11:30:31AM +, Stuart Henderson wrote:
>> On 2016-12-15, Aaron Mason  wrote:
>>> All
>>>
>>> I'm looking for a 1U appliance that I can re-purpose into a firewall
>>> using OpenBSD.  I've tried the near-free method by using an old Lacie
>>> Ethernet Disk appliance I had lying around, but it turns out the
>>> onboard SATA chipset is toast on this particular unit (it freezes at
>>> CDBOOT when it detects hard drives and the BIOS freezes when I set it
>>> to IDE mode with drives attached, plus it only has one onboard NIC and
>>> one PCI slot, so I can't install another SATA card without removing
>>> the other NIC I installed), so I'm looking for other options that fit
>>> a limited budget.
>>>
>>> The most important criteria are that it must be 1U and it must fit
>>> within a 420mm (~16.5") space (for reasons I will explain below).  I
>>> have a couple of Sun Netra X1s that meet the need, but I can't push
>>> more than ~60mbps over the onboard FE ports and they run quite hot to
>>> the point of causing kernel panics.


Can you get anything in your price range with a single NIC and USB?
The axe driver seems to work pretty well. I bought a USB GE nic
for under $30 US. It seems to work well on a USB extension cord.
That's what I use for my firewall machine. I haven't tried very hard
but I know it can transfer over 100mb/sec.

Geoff Steckel



Theo de Raadt and official developers of OpenBSD, please follow the "heart of the letters"!

2016-12-16 Thread SOUL_OF_ROOT 55
Theo de Raadt and official developers of OpenBSD, please follow the "heart
of the letters"!

What is up with some free software providers?! They say "Here's something
free! Oh wait, I changed my mind."

David Dawes worked for years with a team of developers to make a free
X11 distribution for us to use, called XFree86, 98% of which was based on
entirely free code from MIT. Suddenly, one day, he decided that we must
give him more credit (ie. advertise his name) or stop using it. Within
about 4 months every project had told him to get stuffed, and the community
has created a replacement effort. Now his team cannot even keep their web
pages up to date...

OpenBSD was the first operating system to integrate a packet filter,
and it was the ipf codebase from Darren Reed that we chose. But a few years
later he told us that we were not free to make changes to the code. So we
deleted ipf, and our new packet filter far exceeds the capabilities of the
one he wrote. And other projects are switching too...

The Apache group started from the humble beginnings of just being 'a
patchy' set of changes to a completely free web server of dubious quality.
But the years have changed them, and what they supply is now quite
non-free... released under a license so entangled in legalese that we have
absolutely no doubt that there are encumbrances hidden within. Legal terms
protect. Who are they protecting? Not your freedom.

reference: https://www.openbsd.org/lyrics.html#36

What are the other groups who have made this Free-to-Non-Free transition
before and after the existence of OpenBSD?



spamd and network whitelisting

2016-12-16 Thread Clint Pachl
I would like to share my 45-day experience with running spamd and my 
observations and how I'm allowing mail from SMTP clusters to bypass 
spamd. Feedback and discussion would be greatly appreciated.


I have two domains that I have been using for my businesses: one is 13 
years old and the other is 8 years old. I have never had a spam problem 
until about six months ago. In October I was getting about 100-200 spams 
per day per domain. The spam rate was increasing from month to month. 
All mail was going directly to my OpenSMTPd. I was not using filtering 
of any kind so the signal-to-noise was very low, and frustrating.


So I read the spamd and related man pages and enabled spamd on my 
firewall on November 1. I was astonished! I literally got 6 spam emails 
that first week for both domains!


However, the big problem was, I also wasn't getting legitimate business 
emails that were sent from SMTP clusters/pools. After studying my logs, 
tweaking spamd(8) flags, looking to external solutions (DNSBL, SPF, 
reverse IP verification), I had some observations and discovered some 
patterns. Here's the solution I'd like to share:


I wrote two very small scripts: spamd-dnsbl and spamclusterd. These 
scripts work together to keep spam to a minimum while passing all 
legitimate email (in my case so far).


1) spamd-dnsbl: Queries a DNSBL using the IPs in spamdb(8). If an IP is 
on a black list it is added as a TRAPPED entry in the spamdb. The script 
only checks IPs which have been added since last run. Currently, only 
the zen.spamhaus.org DNSBL is queried because I found it to be the most 
true of all those listed at 
http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists. 
Alternatively, multiple DNSBLs could be queried and the results could be 
used in aggregate to determine spam status, thus promoted to TRAPPED.


2) spamclusterd: Queries spamdb(8) for networks to whitelist, which it 
adds to a pf table that bypasses spamd. So before this script gets 
carried away allowing IP blocks to bypass spamd, the spamdb(8) is first 
pruned of spammers using the spamd-dnsbl script.


I've only been running this setup for about 30 days, but I haven't 
missed an email yet; plus spam is still about 1 per day across both 
domains. I receive emails from all the common SMTP clusters, such as 
Gmail, Microsoft (hotmail.com, outlook.com, msn.com, etc.), and Yahoo 
but also US government agencies such as, mail.mil, usmc.mil, uscg.mil, 
irs.gov, etc.


I noticed a pattern of commonalities of these legitimate sending clusters:

1. The envelope's from and to addresses are identical across tuples.

2. The HELOs are very similar, with the TLD from each tuple almost 
certainly the same.


3. They make multiple attempts from different IP addresses, however, the 
IPs differ only by a few bits. (Caveat: I'm only using IPv4)


These 3 points are the basis of spamclusterd. How it works is, if two or 
more GREY tuples with matching "to" and "from" addresses, HELOs with 
matching TLDs, and IPs with matching network bits (/24), then add the 
/24 network to the spamd-cluster table in pf, which bypasses spamd.


I was going to get fancy and do an SPF lookup and try to determine the 
exact network to whitelist, but simply whitelisting a 256 IP block seems 
good enough. Once in awhile the subsequent client IP will be outside 
this block, but the /24 seems to work better than 90% of the time.


Currently, just two client IPs from the same /24 network is enough to 
get that network whitelisted, which seems like a low bar. However, with 
the prior DNSBL pruning, this seems sufficient for now.


## Some other observations ##

Spammers, even if sending from the same IP or IP network and regardless 
of the TO address, tend to randomize the FROM and/or HELO. Therefore, in 
the case of my spamclusterd script, whitelisting a spammer is less likely 
when ensuring both HELO and FROM match for multiple tuples. These IPs 
will then continue to deal with spamd, and it's business as usual.


I initially tried setting 1 minute passtime and 12 hour greyexp times 
for spamd (i.e. -G 1:12:864) in hopes to eventually whitelist a client 
IP, originating from a cluster, that has reattempted within that large 
window. However, in my first week, I missed a couple of Gmails which 
resent for 5+ days and ultimately failed to deliver. What was 
interesting was one of the Google server IPs retried after 12 hours and 
3 minutes, just missing the grey window, while others retried after 24 
hours. I now set -G 1:10:1080.


It seems safe to assume a spammer if reverse IP lookup returns NXDOMAIN 
and IP is on at least 1 reputable DNSBL or lookup returns SERVFAIL after 
two attempts.


Using SPF seems unreliable as of 11/22/16. Tested SPF on hundreds of IPs 
in spamdb using the ruby spf gem. More than half the IPs did not specify 
SPF or it failed in some way.

If the envelope's "from" is our domain (i.e., to and from addresses are 
the same domain), it is definitely a spamm
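
The grouping rule described above for spamclusterd, as an added example (this is not the poster's script, which the message does not show). It assumes the ten-field `GREY|ip|helo|from|to|...` layout printed by spamdb(8), reads "two client IPs from the same /24" as two distinct addresses, and runs on constructed sample data; the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the pipe-separated layout printed by spamdb(8):
# GREY|ip|helo|from|to|first|pass|expire|block|pass
SAMPLE_SPAMDB = """\
WHITE|198.51.100.7|||1481800000|1481800300|1484900000|2|5
GREY|192.0.2.17|mail-a17.out.example.com|<alice@sender.example>|<me@mydomain.example>|1481880000|1481880060|1481916000|1|0
GREY|192.0.2.44|mail-b44.out.example.com|<alice@sender.example>|<me@mydomain.example>|1481880900|1481880960|1481916900|1|0
GREY|203.0.113.5|xkq3.example.net|<a91@rnd.example>|<me@mydomain.example>|1481881000|1481881060|1481917000|1|0
GREY|203.0.113.9|host77.example.org|<zz4@other.example>|<me@mydomain.example>|1481881100|1481881160|1481917100|1|0
GREY|198.51.100.20|relay.example.com|<bob@solo.example>|<me@mydomain.example>|1481881200|1481881260|1481917200|2|0
GREY|2001:db8::1|mx.example.com|<carol@v6.example>|<me@mydomain.example>|1481881300|1481881360|1481917300|1|0
TRAPPED|203.0.113.200|1481966400
"""


def helo_tld(helo):
    """Return the last DNS label of a HELO name, or None for literals and bare names."""
    name = helo.strip().rstrip(".").lower()
    if name.startswith("[") or "." not in name:
        return None
    return name.rsplit(".", 1)[1]


def grey_tuples(spamdb_text):
    """Yield (IPv4Address, helo, from, to) for each well-formed IPv4 GREY line."""
    for line in spamdb_text.splitlines():
        fields = line.split("|")
        if len(fields) != 10 or fields[0] != "GREY":
            continue  # WHITE, TRAPPED, SPAMTRAP and malformed lines
        try:
            ip = ipaddress.IPv4Address(fields[1])
        except ValueError:
            continue  # IPv6 is skipped: the post only covers IPv4
        yield ip, fields[2], fields[3].lower(), fields[4].lower()


def cluster_networks(spamdb_text, min_ips=2, prefix=24):
    """Networks where >= min_ips distinct clients share from, to and HELO TLD."""
    seen = defaultdict(set)
    for ip, helo, mail_from, rcpt_to in grey_tuples(spamdb_text):
        tld = helo_tld(helo)
        if tld is None:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        seen[(mail_from, rcpt_to, tld, net)].add(ip)
    nets = {key[3] for key, ips in seen.items() if len(ips) >= min_ips}
    return [str(n) for n in sorted(nets)]


def pfctl_add_argv(networks, table="spamd-cluster"):
    """Build (not run) the pfctl call that adds the networks to the bypass table."""
    return ["pfctl", "-t", table, "-T", "add", *networks] if networks else []


if __name__ == "__main__":
    print(pfctl_add_argv(cluster_networks(SAMPLE_SPAMDB)))
```

The two 203.0.113.x senders share a /24 but differ in FROM and HELO, so they stay greylisted; run the DNSBL pruning step first so that listed addresses are already TRAPPED and never reach this grouping.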

httpd weirdness ("connection max request body")

2016-12-16 Thread Farid Joubbi
Hello,

I noticed a weird thing which I can not explain.
To me it feels like a bug with httpd, or some feature that I have
misunderstood.

I have a server running 6.0 -stable.
It runs httpd with both the roundcube and owncloud ports.
The server has only one NIC with only one public IP address.

Sometimes owncloud did not sync some files that I tried to sync with the
client.
It was always the same files that failed, but I was not able to see a
pattern of which files failed.

I noticed lines like this in /var/www/logs/access.log for the failed files:
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:25 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0

The strange thing with this log entry is that the owncloud client syncs to
the address https://cloud.example.se/owncloud but the log entry states
mail.example.se
All the successfully synced files had status 2xx with the correct
cloud.example.se address.

mail.example.se is the address to roundcube.
cloud.example.se is the address to owncloud.
HTTP response code 413 is entity too large.

I added
connection max request body 10737418240
to mail.example.se in httpd.conf, and the problem went away.
I already had that line for cloud.example.se since before.

Now this:
# grep Viruses.epub /var/www/logs/access.log
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:25 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:26 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:26 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
cloud.example.se 6.6.6.6 - - [16/Dec/2016:12:05:07 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%20Planet%20of%20Viruses.epub HTTP/1.1" 201 0
#

So the last log entry shows the successful sync with the correct FQDN and
the same IP address as with the wrong FQDN earlier.
I would have expected this line to have the same wrong FQDN since all I did
was to change the "connection max request body" for the wrong FQDN.

Now my questions.
Why did owncloud sync some files to mail.example.se instead of
cloud.example.se?
Why does it work as supposed to after me raising the file upload limit for
mail.example.se?
Is it possible to have different "connection max request body" for the
different servers?
Am I doing something wrong in httpd.conf?

Here is my httpd.conf:
# cat /etc/httpd.conf


# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
# prefork 3

#
# Servers
#


# Include MIME types instead of the built-in ones
types {
    include "/usr/share/misc/mime.types"
#   include "/var/www/etc/mime.types"
}
server "mail.example.se" {
    listen on * tls port 443
    root "/roundcubemail"
    directory index index.php

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    tls certificate "/etc/ssl/acme/fullchain.pem"
    tls key "/etc/ssl/acme/private/privkey.pem"
    # Set max upload size to 10GiB (in bytes)
    # This line was added to solve this particular problem, even though
    # the problem has nothing to do with roundcubemail.
    connection max request body 10737418240

}

server "server.example.se" {
    listen on * tls port 443
    root "/htdocs"
    tls certificate "/etc/ssl/acme/fullchain.pem"
    tls key "/etc/ssl/acme/private/privkey.pem"
}


server "cloud.example.se" {
    listen on * tls port 443

    # Set max upload size to 10GiB (in bytes)
    connection max request body 10737418240

    # First deny access to the specified files
    location "/db_structure.xml" { block }
    location "/.ht*"             { block }
    location "/README"           { block }
    location "/data*"            { block }
    location "/config*"          { block }

    location "/*.php*" {
        root { "/owncloud", strip 1 }
        fastcgi socket "/run/php-fpm.sock"
    }

    location "/*" {
        root { "/owncloud", strip 1 }
    }
    tls certificate "/etc/ssl/acme/fullchain.pem"
    tls key "/etc/ssl/acme/private/privkey.pem"

}
server "default" {
    listen on * port 80

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
}


NOTE I have censored the IP addresses and the domain names.

Thanks in advance!
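
A way to find every upload that was logged under more than one server name, as in the access.log excerpt above (an added example, not part of the original post). It assumes the log layout shown in the post, with the server name as the first field; the first four sample lines are the post's entries and the last is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Layout as it appears in the post: server name, client, two dashes,
# timestamp, quoted request line, status, size.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# First four lines are taken from the post; the notes.txt line is constructed.
SAMPLE_LOG = """\
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:25 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:26 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
mail.example.se 6.6.6.6 - - [16/Dec/2016:11:17:26 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%2520Planet%2520of%2520Viruses.epub HTTP/1.1" 413 0
cloud.example.se 6.6.6.6 - - [16/Dec/2016:12:05:07 +0100] "PUT /owncloud/remote.php/webdav/ebooks/A%20Planet%20of%20Viruses.epub HTTP/1.1" 201 0
cloud.example.se 6.6.6.6 - - [16/Dec/2016:12:06:00 +0100] "PUT /owncloud/remote.php/webdav/notes.txt HTTP/1.1" 201 0
"""


def normalize_path(raw, max_rounds=3):
    """Percent-decode repeatedly so %2520 and %20 compare as the same file."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse(log_text):
    """Yield regex matches for well-formed lines; anything else is skipped."""
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            yield match


def cross_vhost_paths(log_text):
    """Map each path logged under more than one server name to its status codes."""
    seen = defaultdict(lambda: defaultdict(set))
    for m in parse(log_text):
        seen[normalize_path(m["path"])][m["vhost"]].add(int(m["status"]))
    return {
        path: {vhost: sorted(codes) for vhost, codes in vhosts.items()}
        for path, vhosts in seen.items()
        if len(vhosts) > 1
    }


def rejected_uploads(log_text, status=413):
    """Count responses with the given status per server name."""
    counts = defaultdict(int)
    for m in parse(log_text):
        if int(m["status"]) == status:
            counts[m["vhost"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for path, vhosts in cross_vhost_paths(SAMPLE_LOG).items():
        print(path, vhosts)
    print(rejected_uploads(SAMPLE_LOG))
```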



Re: OpenBSD green computing tips

2016-12-16 Thread Boudewijn Dijkstra

> - adaptive fan speed (??)

Can often be set to "auto" in BIOS.

> - lcd (??)

wsdisplay(4) WSDISPLAYIO_PARAM_BACKLIGHT

> - cdrom (??)

Unplug it?

> - hard-drives (??)

atactl(8) or use solid-state.

> - usb (??)

Unplug it?

> - 802.11 power-saving (??)

Don't transmit packets.

> - vmd (suspending/hibernation for vms?)

Does vmctl stop not do what you want?

> What are your experience with decreasing energy usage
> of OpenBSD boxes - laptops but also home-servers.

Two tips:
* only decrease energy usage when it's worth it
* use modern but modest hardware.



--
Made with Opera's e-mail program: http://www.opera.com/mail/