by R.I. Pienaar | Jul 30, 2006 | Usefull Things
I’m in the middle of decommissioning some old sites and thought I’d post some info about the FreeBSD 4.x based firewalls we were running.
Barry and Neil put these together when they were still with iTouch. They are FreeBSD machines running ipfw, a modified natd, IPSec, and jails for nameservers running bind. They’ve proven incredibly reliable, more reliable than anything I’ve ever seen before. First, some uptimes:
4.3-RELEASE-p28 FreeBSD 4.3-RELEASE-p28 #0
8:56AM up 1175 days, 14:25, 1 user, load averages: 0.01, 0.00, 0.00
4.3-RELEASE FreeBSD 4.3-RELEASE #3: Thu Aug 9 08:24:10 SAST 2001
8:55AM up 1353 days, 13:07, 1 user, load averages: 0.07, 0.03, 0.00
4.3-RELEASE FreeBSD 4.3-RELEASE #3: Thu Aug 9 08:24:10 SAST 2001
8:57AM up 1636 days, 12:16, 2 users, load averages: 0.01, 0.02, 0.00
That last machine was put in on the 2nd day after I arrived in the UK, almost 4.5 years ago now. There have been a few security issues since these were put in, the biggest being Bind issues and an IPSec issue, but none of them were really huge deals for us given the nature of those issues.
Some packet counts through their diverts:
11000 14873464727 9086343964578 divert 8668 ip from any to any via sf0
11010 2694675129 2230790516204 divert 8668 ip from any to any via sf2
11020 21332945704 16515209189995 divert 8668 ip from any to any via sf1
11030 2190579388 1838075424554 divert 8668 ip from any to any via em1
11040 31142270005 26337236597684 divert 8668 ip from any to any via sf3
11000 12363062208 6728197633745 divert 8668 ip from any to any via fxp0
11050 13585672383 7625773331834 divert 8668 ip from any to any via sf0
11075 1672241479 943217267415 divert 8668 ip from any to any via sf1
11000 9709855806 3616673887622 divert 8668 ip from any to any via fxp0
11010 15438460240 7026578427847 divert 8668 ip from any to any in recv sf0
11015 18623997883 6347362524481 divert 8668 ip from any to any out xmit sf0
11020 7574307452 2981257820300 divert 8668 ip from any to any in recv sf1
11025 6957613786 2361008898017 divert 8668 ip from any to any out xmit sf1
11030 5520959014 1551914815579 divert 8668 ip from any to any in recv sf2
11035 8724539029 2097991945468 divert 8668 ip from any to any out xmit sf2
11040 2988122935 604858451646 divert 8668 ip from any to any in recv sf3
11045 3930006137 632095496483 divert 8668 ip from any to any out xmit sf3
11050 3842161713 3177937890519 divert 8668 ip from any to any in recv fxp1
11055 4106903810 3282379599303 divert 8668 ip from any to any out xmit fxp1
These aren’t the busiest machines by far, but they have moved quite a bit of data. Keep in mind that these counters were probably reset quite a few times over the years to aid in debugging problems. One interface in the top bunch has done 23 TB.
I don’t really like these long-uptime machines; they are a constant cause of worry for me: you don’t know if all the configs were saved, you don’t know if they’ll ever come up after a reboot, and so on. Once you’ve gone over 500 days I think you’re pretty much at the point where rebooting becomes a worry. As these are/were firewalls the problem is much worse, since the impact of them not booting, or of configs going missing, would be massive. Arranging downtime isn’t always easy either, but in hindsight I think it is worth the effort.
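The counter listings above are `ipfw -a`-style accounting output: rule number, packet count, byte count, then the rule body. The following is an added example, not a script from the post, that parses that format and sums bytes per interface so the "how much has this box moved" question is answered by code rather than by eyeballing 14-digit numbers. The sample input is the third machine's divert rules copied from the post; the interface detection assumes the `via`, `in recv` and `out xmit` forms shown there.

```python
"""Parse ipfw accounting lines and total bytes per interface (added example)."""
import re

# One accounting line: rule number, packets, bytes, then the rule text.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
# Interface named by `via <if>`, `in recv <if>` or `out xmit <if>`.
IFACE_RE = re.compile(r"\b(?:via|recv|xmit)\s+(\S+)")
TIB = 1024 ** 4

# The third machine's divert rules, copied from the post above.
MACHINE3 = """\
11000 9709855806 3616673887622 divert 8668 ip from any to any via fxp0
11010 15438460240 7026578427847 divert 8668 ip from any to any in recv sf0
11015 18623997883 6347362524481 divert 8668 ip from any to any out xmit sf0
11020 7574307452 2981257820300 divert 8668 ip from any to any in recv sf1
11025 6957613786 2361008898017 divert 8668 ip from any to any out xmit sf1
11030 5520959014 1551914815579 divert 8668 ip from any to any in recv sf2
11035 8724539029 2097991945468 divert 8668 ip from any to any out xmit sf2
11040 2988122935 604858451646 divert 8668 ip from any to any in recv sf3
11045 3930006137 632095496483 divert 8668 ip from any to any out xmit sf3
11050 3842161713 3177937890519 divert 8668 ip from any to any in recv fxp1
11055 4106903810 3282379599303 divert 8668 ip from any to any out xmit fxp1
"""


def parse_counters(text):
    """Return one dict per accounting line; lines that do not match are ignored."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rule, pkts, nbytes, body = m.groups()
        im = IFACE_RE.search(body)
        if " in recv " in body:
            direction = "in"
        elif " out xmit " in body:
            direction = "out"
        else:
            direction = "both"  # `via` matches traffic in either direction
        rules.append({
            "rule": int(rule),
            "packets": int(pkts),
            "bytes": int(nbytes),
            "iface": im.group(1) if im else None,
            "direction": direction,
            "body": body,
        })
    return rules


def bytes_per_interface(rules):
    """Sum the byte counters of every rule that names the same interface."""
    totals = {}
    for r in rules:
        totals[r["iface"]] = totals.get(r["iface"], 0) + r["bytes"]
    return totals


def to_tib(nbytes):
    """Bytes to binary terabytes (TiB), which is how the post's '23 TB' reads."""
    return nbytes / TIB


def busiest(rules):
    """Interface with the highest byte total, as (name, bytes)."""
    totals = bytes_per_interface(rules)
    iface = max(totals, key=totals.get)
    return iface, totals[iface]


if __name__ == "__main__":
    rules = parse_counters(MACHINE3)
    for iface, total in sorted(bytes_per_interface(rules).items()):
        print("%-5s %6.2f TiB" % (iface, to_tib(total)))
    print("busiest: %s" % busiest(rules)[0])
```

Feeding it the top machine's `via sf3` line (26337236597684 bytes) gives just under 24 TiB, which is the "23 TB" figure in the text; the `in recv`/`out xmit` split on the third machine lets you see per-direction load as well, which is useful when you are sanity-checking that a NAT divert is seeing traffic both ways.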
by R.I. Pienaar | Jul 28, 2006 | Usefull Things
This morning came news of a remotely exploitable vulnerability in Apache mod_rewrite. The exploit is pretty difficult and requires unusual setups on your side, but you should be upgrading all your kit.
More info at Secunia
A vulnerability has been reported in Apache HTTP Server, which potentially can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an off-by-one error in mod_rewrite and can be exploited to cause a one-byte buffer overflow.
Successful exploitation may crash the web server process or allow execution of arbitrary code.
by R.I. Pienaar | Jul 26, 2006 | Uncategorized
So the world and his dog are nagging on about Ubuntu, how great it is and how they are switching from <insert anything on the planet> to Ubuntu.
I happened to have a spare 300 GB drive lying around, so I gave 6.06 a go. My machine is over 2 years old, practically from the ark, so you’d expect things to Just Work.
After install, the screen resolution is absolutely dismal: a slow refresh rate and random crashes while trying to set a better resolution. Already here you’ve lost a large chunk of users.
Anyway, so I go off looking on Google using Firefox. It opens up with the familiar look of Firefox, complete with the Mycroft search box, except the search box does nothing by default: you can type into it and hit enter but nothing happens. By default it doesn’t search; you have to go fiddle with it to get it working.
Came across a post that points to another post that points to a Wiki for getting ATI cards going. I basically had to do this in a terminal:
sudo apt-get update
sudo apt-get install linux-restricted-modules-$(uname -r)
sudo apt-get install xorg-driver-fglrx
sudo depmod -a
sudo aticonfig --initial
sudo aticonfig --overlay-type=Xv
and then reboot.
Yes, this distro is going places if it can’t even support a crap old ATI Radeon card out of the box and requires new users to do stuff in terminals just to get rid of a headache-inducing low refresh rate.
Get Real, your grandmother is not going to do this. Give her a Mac and the thing just works.
by R.I. Pienaar | Jul 19, 2006 | Code
My previous homebrew backup system had a number of drawbacks; one of the biggest was that its daily emails were massive, listing all the files that were backed up.
With a lot of machines being backed up these mails can come to several MB per day, but general human nature also means I just didn’t pay them enough attention. For instance, I would need to notice by manual inspection if on a given day the tar died halfway through; this was pretty useless.
Bacula provides good one-page job status emails on a daily basis, but I still tend not to look at them as I get about 20 of them a day. The ideal situation is to have it only mail you on errors, and it does support this. There is one problem with this though: if anything prevents the mail from getting to you, or in fact if the whole Director process dies and no backups get run at all, you just won’t know about it.
I’ve written a per-job monitoring solution that uses Bacula’s ability to run a script on the client after a successful backup has run. The script writes a small status file with a timestamp, which I pull into Net-SNMP and query over the network using Nagios.
Now if any of my jobs fail, or if the whole backup system collapses, Nagios will notify me via my already existing notification systems, email and SMS in my case. I will still get the error mails from Bacula but I do not rely on them at all; they are merely there for information purposes so I can use them to quickly investigate an error once Nagios has alerted me.
I’ve documented this and put up the short scripts I use to achieve it; you can see the document in my wiki.
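The per-job check described in this post, as an added example that is not the author's wiki scripts: the client-side function is what a Bacula "run after job" script would call to record a successful run in a small timestamped status file, and the monitoring-side functions are a Nagios-style plugin that reads that file and returns the standard plugin exit codes. Reading the file through Net-SNMP (for instance its `extend` directive plus `check_snmp`) is assumed and not shown; the job name, file path and epoch values are constructed for the example. The important failure mode from the text, the Director dying so that no backup and no error mail ever happens, is covered by alerting on a stale timestamp rather than only on an explicit failure.

```python
"""Stale-backup check for Bacula jobs, Nagios plugin style (added example)."""
import os
import tempfile
import time

# Nagios plugin exit codes (standard plugin API)
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def write_status(path, job_name, succeeded, now=None):
    """Client side: record the job result and a timestamp in a one-line file.

    Written via a temporary file and rename so the poller never reads a
    half-written file.
    """
    now = int(time.time()) if now is None else int(now)
    line = "job=%s status=%s ts=%d\n" % (job_name, "OK" if succeeded else "FAIL", now)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(line)
    os.replace(tmp, path)
    return line


def parse_status(text):
    """Parse 'job=<name> status=<OK|FAIL> ts=<epoch>'; ValueError if malformed."""
    fields = dict(part.split("=", 1) for part in text.split())
    missing = {"job", "status", "ts"} - set(fields)
    if missing:
        raise ValueError("missing field(s): %s" % ", ".join(sorted(missing)))
    fields["ts"] = int(fields["ts"])
    return fields


def check_status(text, now, warn_age=26 * 3600, crit_age=50 * 3600):
    """Monitoring side: map a status line to a Nagios (exit_code, message) pair.

    A failed job is CRITICAL. A job that reports OK but whose timestamp is
    older than about a day is WARNING, and older than about two days is
    CRITICAL: that is the case where the Director died or mail stopped
    flowing and no error mail would ever arrive.
    """
    try:
        s = parse_status(text)
    except (ValueError, AttributeError) as exc:
        return UNKNOWN, "UNKNOWN - cannot parse status file (%s)" % exc
    age = now - s["ts"]
    hours = age // 3600
    if s["status"] != "OK":
        return CRITICAL, "CRITICAL - job %s reported %s" % (s["job"], s["status"])
    if age > crit_age:
        return CRITICAL, "CRITICAL - job %s last succeeded %dh ago" % (s["job"], hours)
    if age > warn_age:
        return WARNING, "WARNING - job %s last succeeded %dh ago" % (s["job"], hours)
    return OK, "OK - job %s succeeded %dh ago" % (s["job"], hours)


def check_file(path, now=None, **thresholds):
    """Read the status file; a missing file is UNKNOWN, never silently OK."""
    now = int(time.time()) if now is None else int(now)
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        return UNKNOWN, "UNKNOWN - status file unreadable (%s)" % exc
    return check_status(text, now, **thresholds)


def demo_roundtrip():
    """Write a status for a constructed job, then poll it fresh, stale and absent."""
    base = 1153900000  # constructed epoch, mid-2006
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bacula-status")
        write_status(path, "www-fd", True, now=base)
        fresh = check_file(path, now=base + 3600)[0]
        stale = check_file(path, now=base + 3 * 86400)[0]
        absent = check_file(os.path.join(d, "no-such-file"), now=base)[0]
    return fresh, stale, absent


if __name__ == "__main__":
    import sys
    print(demo_roundtrip())  # (0, 2, 3)
    if len(sys.argv) > 1:
        code, msg = check_file(sys.argv[1])
        print(msg)
        sys.exit(code)
```

The thresholds are deliberately a little over one and two days so a nightly job that finishes a couple of hours late does not page anyone, while a job that has not run for two nights does; tune them to the job's schedule. A missing or unreadable file maps to UNKNOWN rather than OK for the same reason the post distrusts error mails: silence must never look like success.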
by R.I. Pienaar | Jul 19, 2006 | Code
I’ve been using the Bacula client/server backup system for my backups. Bacula is on par with commercial client/server backup systems: central control, support for autochangers, etc. It is an open-source system and available for Linux, FreeBSD, OS X, Windows etc.
The configuration is pretty complex though, and while I have mine working right now I do not really have guides written up about it. I wanted to SSL-enable my installation to give me secure transfer between the various clients and the storage server, but found the Bacula documentation on the subject woefully lacking.
I’ve written up a bit of info on my Wiki about getting SSL going on a Bacula installation. You need to first have a fully working Bacula setup before attempting this, as starting from a known working system and then systematically SSL-enabling it will ease debugging and possibly increase your understanding of what is going on.
The full Wiki document can be found here.