Re: might be slightly OT: `probability in PF'
Henning Brauer wrote:
> * jmc j...@cosmicnetworks.net [2009-03-11 15:05]:
> > so anyway, how are _you_ using probability?
>
> it's high on my list of useless features in pf I'd rather remove. if anybody is actually using it, I'd like to hear about it.

I'm a little late to this one, but I've been using it for testing VPN links and web applications over lossy connections. It's also useful for doing things to test the resiliency of VOIP setups as well.

-JCB
Re: might be slightly OT: `probability in PF'
On Mon, 23 Mar 2009 09:27:48 +0100 Stephan A. Rickauer stephan.ricka...@startek.ch wrote:
> On Sat, 2009-03-21 at 12:14 +0100, Henning Brauer wrote:
> > * jmc j...@cosmicnetworks.net [2009-03-11 15:05]:
> > > so anyway, how are _you_ using probability?
> >
> > it's high on my list of useless features in pf I'd rather remove. if anybody is actually using it, I'd like to hear about it.
>
> Once in a while I re-spot this 'feature' in the man pages and find it very cool. But then I can't come up with any idea of how to use it sanely. Could that be a case of 'uselessness'? ;)
>
> (never had to simulate bad lines so far, have enough of real ones)

Using pf's 'probability' feature to simulate bad lines is creative and *might* be useful for the most simplistic types of testing, but it is really the wrong way to perform this type of testing.

The right way to simulate bad lines is to use (expensive) equipment designed to inject various types of errors/conditions into the line in a known and measured way (www.spirent.com), and then use more (expensive) equipment to detect the errors on the other end (TTC/Acterna/JDSU). Anything less, and you're only guessing.

With probability, there is a remote chance you'll either inject no errors at all, or conversely, only inject errors. It's not a good chance, but it's still a chance, so you really don't know what you're testing, and worse, there's no way to repeat your results.

-- J.C. Roberts
Re: might be slightly OT: `probability in PF'
On Sat, 2009-03-21 at 12:14 +0100, Henning Brauer wrote:
> * jmc j...@cosmicnetworks.net [2009-03-11 15:05]:
> > so anyway, how are _you_ using probability?
>
> it's high on my list of useless features in pf I'd rather remove. if anybody is actually using it, I'd like to hear about it.

Once in a while I re-spot this 'feature' in the man pages and find it very cool. But then I can't come up with any idea of how to use it sanely. Could that be a case of 'uselessness'? ;)

(never had to simulate bad lines so far, have enough of real ones)
Re: might be slightly OT: `probability in PF'
On Mon, Mar 23, 2009 at 4:27 PM, Stephan A. Rickauer stephan.ricka...@startek.ch wrote:
> On Sat, 2009-03-21 at 12:14 +0100, Henning Brauer wrote:
> > * jmc j...@cosmicnetworks.net [2009-03-11 15:05]:
> > > so anyway, how are _you_ using probability?
> >
> > it's high on my list of useless features in pf I'd rather remove. if anybody is actually using it, I'd like to hear about it.
>
> Once in a while I re-spot this 'feature' in the man pages and find it very cool. But then I can't come up with any idea of how to use it sanely. Could that be a case of 'uselessness'? ;)
>
> (never had to simulate bad lines so far, have enough of real ones)

Artur's use of throwing a spanner into the works of anybody who has been blacklisted seems like a very good use case. I would use it that way too. As opposed to outright blocking (100%), or outright dropping, it makes it harder for them to think that they have been found out.

If you drop or block outright, that just means that they will simply jump onto another different ip. I imagine they would call up their own ISP, do network troubleshooting, blah blah, before they conclude that it is you that is really causing the problem.

-jf

--
In the meantime, here is your PSA:
It's so hard to write a graphics driver that open-sourcing it would not help.
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
Re: might be slightly OT: `probability in PF'
* jmc j...@cosmicnetworks.net [2009-03-11 15:05]:
> so anyway, how are _you_ using probability?

it's high on my list of useless features in pf I'd rather remove. if anybody is actually using it, I'd like to hear about it.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: might be slightly OT: `probability in PF'
On Sat, Mar 21, 2009 at 12:14:44PM +0100, Henning Brauer wrote:
> > so anyway, how are _you_ using probability?
>
> it's high on my list of useless features in pf I'd rather remove. if anybody is actually using it, I'd like to hear about it.

I used it once about two years ago, to simulate a bad line (testing some weird file transfer software at $CUSTOMER). It was fun, but I wouldn't have missed the feature if it weren't there.

Ciao, Kili

--
Fall is my favorite season in Los Angeles, watching the birds change color and fall from the trees.
-- David Letterman
Re: might be slightly OT: `probability in PF'
Henning Brauer wrote:
> * jmc j...@cosmicnetworks.net [2009-03-11 15:05]:
> > so anyway, how are _you_ using probability?
>
> it's high on my list of useless features in pf I'd rather remove. if anybody is actually using it, I'd like to hear about it.

PF is one of the main factors for me to use OpenBSD, but since I do little routing with it, I myself have not yet a use for probability. However, I also use only a small fraction of PF's capabilities. I'm training up others to take over these machines so in some months maybe they will have found a use.

Regards
-Lars
Re: might be slightly OT: `probability in PF'
jmc j...@cosmicnetworks.net writes:
>     block in log quick on $ext_if from <openproxies> to any probability 90%
>
> is because it seems a little bofh-ly to me. and i guess it borders on security-through obscurity, which of course is not really security at all.
>
> but it seems a bit more sinister than just outright blocking, which kinda makes me snicker a bit. make the experience painful enough that they just go away.

Just as a side-track, nothing to do with pf, I've done a similar thing with a service I'm running. Instead of blocking the bad guys outright, we have a blacklist of people who get randomized results from the application. Not very much, but enough to confuse the hell out of any automated scripts they were using to mess with us and instead of being able to automatically discover that they've been blacklisted, they have to manually verify everything.

Blocking tells the bad guys that they should switch their proxy. Pretending to work while giving wrong results gives them real manual work to do.

//art
Re: might be slightly OT: `probability in PF'
--- Artur Grabowski [Fri, Mar 13, 2009 at 01:13:10PM +0100]: ---
> jmc j...@cosmicnetworks.net writes:
> >     block in log quick on $ext_if from <openproxies> to any probability 90%
> >
> > is because it seems a little bofh-ly to me. and i guess it borders on security-through obscurity, which of course is not really security at all.
> >
> > but it seems a bit more sinister than just outright blocking, which kinda makes me snicker a bit. make the experience painful enough that they just go away.
>
> Just as a side-track, nothing to do with pf, I've done a similar thing with a service I'm running. Instead of blocking the bad guys outright, we have a blacklist of people who get randomized results from the application. Not very much, but enough to confuse the hell out of any

now that is pure wretched evil, Art. but i love it!
might be slightly OT: `probability in PF'
i say this might be slightly OT because i am asking more of a philosophical question, not a technical one. the excellent documentation has given me all i need to know about the probability directive. thanks, devs, for that.

quick story: i have a couple dozen websites spread across two OpenBSD/base apache machines. one of my clients runs a web-based forum that's experienced a bit of trouble recently with previously banned users registering multiple accounts through open proxies and causing problems (just open proxies, not tor exit nodes). the mods have quelled the activity for now, but i'm thinking of ways to help them in the future.

i use sensible max-src-conn and max-src-conn-rate to be sure DoS attacks won't cause httpd to knock down my server, but this is a solution to a different problem in my eyes---this is just trying to be a good sysadmin.

i have grepped through the logs of other clients, and i don't see any evidence of any traffic from the lists of open proxies i've compiled, so i don't think this would have un-intended effects on them.

the only reason i guess that i'm cautious about just getting a list of known open proxies, creating a pf table and running with something like:

    block in log quick on $ext_if from <openproxies> to any probability 90%

is because it seems a little bofh-ly to me. and i guess it borders on security-through obscurity, which of course is not really security at all.

but it seems a bit more sinister than just outright blocking, which kinda makes me snicker a bit. make the experience painful enough that they just go away.

and i suppose i've just been dying to find a use for the probability directive.

so anyway, how are _you_ using probability? does this seem in line with what it was designed for? how, if at all, do you deal with open proxies?

you can respond off-list if this is really too OT for m...@. and i'm not afraid to be told this is the stupidest. idea. ever. if that's what you think. i'm also open to other ideas.

thanks and cheers!
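An added example, not part of the thread and not pf code: it models the 90% rule proposed in this post, and the point J.C. Roberts makes in his reply about short probabilistic tests hitting extremes and not repeating. It assumes pf evaluates the rule independently for every packet that has no state entry, that a SYN which escapes the block then matches a stateful pass rule (so the rest of that connection is never evaluated against the block rule again), and a constructed figure of four SYN attempts per client.

```python
import random


def p_extreme(p_drop, n):
    """Return (P(no packet dropped), P(every packet dropped)) for n packets."""
    return (1.0 - p_drop) ** n, p_drop ** n


def loss_spread(p_drop, n, runs, seed):
    """Lowest and highest observed loss rate over `runs` test runs of n packets.

    The seed only makes this model repeatable; a live test run has no such knob.
    """
    rng = random.Random(seed)
    rates = [sum(rng.random() < p_drop for _ in range(n)) / n
             for _ in range(runs)]
    return min(rates), max(rates)


def p_connect(p_block, syn_attempts):
    """Closed form: at least one of syn_attempts SYNs escapes the block rule."""
    return 1.0 - p_block ** syn_attempts


def connect_rate(p_block, syn_attempts, clients, seed):
    """Simulate clients that retransmit their SYN until one gets through."""
    rng = random.Random(seed)
    connected = 0
    for _ in range(clients):
        # Assumption: once a SYN passes, state exists and the connection
        # proceeds normally, so only the SYNs face the probabilistic rule.
        if any(rng.random() >= p_block for _ in range(syn_attempts)):
            connected += 1
    return connected / clients


if __name__ == "__main__":
    none, every = p_extreme(0.10, 20)
    print(f"20 packets at 10% loss: P(no loss)={none:.3f}, P(all lost)={every:.1e}")
    lo, hi = loss_spread(0.10, 20, runs=1000, seed=7)
    print(f"observed loss over 1000 runs of 20 packets: {lo:.0%} to {hi:.0%}")
    print(f"90% rule, 4 SYN attempts: P(connect)={p_connect(0.90, 4):.4f}")
    print(f"simulated: {connect_rate(0.90, 4, clients=20000, seed=7):.4f}")
```

Under these assumptions roughly a third of connection attempts from listed addresses still complete, after a delay, so the rule slows those clients down rather than keeping them out.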
Re: might be slightly OT: `probability in PF'
On Wed, Mar 11, 2009 at 10:01 PM, jmc j...@cosmicnetworks.net wrote:
> i say this might be slightly OT because i am asking more of a philosophical question, not a technical one. the excellent documentation has given me all i need to know about the probability directive. thanks, devs, for that.

(just as a hint to the rest who are considering whether to read through) doesn't sound philosophical to me!

> quick story: i have a couple dozen websites spread across two OpenBSD/base apache machines. one of my clients runs a web-based forum that's experienced a bit of trouble recently with previously banned users registering multiple accounts through open proxies and causing problems (just open proxies, not tor exit nodes). the mods have quelled the activity for now, but i'm thinking of ways to help them in the future.
>
> i use sensible max-src-conn and max-src-conn-rate to be sure DoS attacks won't cause httpd to knock down my server, but this is a solution to a different problem in my eyes---this is just trying to be a good sysadmin.
>
> i have grepped through the logs of other clients, and i don't see any evidence of any traffic from the lists of open proxies i've compiled, so i don't think this would have un-intended effects on them.

don't see any evidence of *legit* traffic from the list of open proxies you've compiled, u mean.

> the only reason i guess that i'm cautious about just getting a list of known open proxies, creating a pf table and running with something like:
>
>     block in log quick on $ext_if from <openproxies> to any probability 90%
>
> is because it seems a little bofh-ly to me. and i guess it borders on security-through obscurity, which of course is not really security at all.

obscurity may not be true security, - but combined with security, it helps!

> but it seems a bit more sinister than just outright blocking, which kinda makes me snicker a bit. make the experience painful enough that they just go away.

which is good, don't u think? ;)

> and i suppose i've just been dying to find a use for the probability directive.
>
> so anyway, how are _you_ using probability? does this seem in line with what it was designed for? how, if at all, do you deal with open proxies?
>
> you can respond off-list if this is really too OT for m...@. and i'm not afraid to be told this is the stupidest. idea. ever. if that's what you think. i'm also open to other ideas.

no, it's not (the stupidest idea ever). I think it's good, in fact. Frustrates, confuses, and throws a wrench in the works of the low life and low intelligence scum.

-jf

--
In the meantime, here is your PSA:
It's so hard to write a graphics driver that open-sourcing it would not help.
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
Re: might be slightly OT: `probability in PF'
--- Jeffrey 'jf' Lim [Wed, Mar 11, 2009 at 10:09:19PM +0800]: ---
> On Wed, Mar 11, 2009 at 10:01 PM, jmc j...@cosmicnetworks.net wrote:
> > i say this might be slightly OT because i am asking more of a philosophical question, not a technical one. the excellent documentation has given me all i need to know about the probability directive. thanks, devs, for that.
>
> (just as a hint to the rest who are considering whether to read through) doesn't sound philosophical to me!

OK, cool. i framed it that way because i didn't want to come across as someone who was asking the list to do my thinking for me.

as i suspect lots of misc@ readers do, i come from the ``be liberal in what you accept, conservative in what you send'' school. true the Big Bad Internet has and continues to change rapidly, but i personally still see value in that axiom. outside of the gift from ghod that is spamd(8), this will be the biggest divergence from that axiom that i think i have done in my years as a sys admin.

> > i have grepped through the logs of other clients, and i don't see any evidence of any traffic from the lists of open proxies i've compiled, so i don't think this would have un-intended effects on them.
>
> don't see any evidence of *legit* traffic from the list of open proxies you've compiled, u mean.

yes, that is what i mean. i also haven't figured out if it's even feasible to keep up with what i'm sure is a rapidly-changing list of open proxies on a daily basis. but that's a sys admin problem, and i'll ask for help on that separately if/when i need it. the lists that i've compiled thus far are from disparate sources, and will require a bit of work to get everything in order.

thanks again!