
Firewall Failover With pfsync And CARP

timothy posted more than 10 years ago | from the careful-acronym-arrangment dept.


Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes. The combination makes it possible to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."
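Added example, not from the story submission or from Ryan McBride's article: a small POSIX sh generator for the per-node files a two-node CARP/pfsync firewall pair needs (hostname.carp0 and hostname.carp1, hostname.pfsync0, a sysctl line and a pf.conf fragment). It uses the hostname.if(5) and ifconfig(8) keywords as current OpenBSD releases spell them; the pfsync keyword was spelled differently in the 3.5 era. Addresses, interface names and the CARP password are constructed sample values, and the output directory is a parameter, so nothing lands in /etc until you have reviewed it.

```shell
#!/bin/sh
# Added example, not from the story or from Ryan McBride's article: generate
# the per-node configuration files for a two-node CARP/pfsync firewall pair.
# Addresses, interface names and the CARP password are constructed sample
# values.  Assumption: current hostname.if(5)/ifconfig(8) keywords (the
# pfsync keyword was spelled differently in the 3.5 era).
# Files go to OUTDIR, never straight to /etc, so they can be diffed first.

EXT_IF=fxp0                     # shared external segment
INT_IF=fxp1                     # shared internal segment
SYNC_IF=fxp2                    # dedicated crossover link for pfsync
EXT_VIP=192.0.2.1               # virtual address the upstream router talks to
INT_VIP=10.0.0.1                # virtual default gateway for the LAN
CARP_PASS=example-carp-secret   # shared key, must match on both nodes

# carp_line VIP MASK BCAST VHID ADVSKEW -> one hostname.carpN line
carp_line() {
  printf 'inet %s %s %s vhid %d pass %s advskew %d\n' \
    "$1" "$2" "$3" "$4" "$CARP_PASS" "$5"
}

# gen_node OUTDIR ROLE   (ROLE is master or backup)
# The two nodes differ only in advskew: for each vhid the lower value wins
# the election.  net.inet.carp.preempt=1 makes a node that loses one link
# give up every virtual address, so both VIPs fail over together instead
# of splitting between the nodes.
gen_node() {
  outdir=$1
  case "$2" in
    master) skew=0 ;;
    backup) skew=100 ;;
    *) echo "role must be master or backup" >&2; return 1 ;;
  esac
  mkdir -p "$outdir" || return 1
  carp_line "$EXT_VIP" 255.255.255.0 192.0.2.255 1 "$skew" > "$outdir/hostname.carp0"
  carp_line "$INT_VIP" 255.255.255.0 10.0.0.255  2 "$skew" > "$outdir/hostname.carp1"
  printf 'up syncdev %s\n' "$SYNC_IF" > "$outdir/hostname.pfsync0"
  printf 'net.inet.carp.preempt=1\n' > "$outdir/sysctl.conf.fragment"
  # pf must pass CARP advertisements and pfsync updates; no-sync keeps the
  # cluster from replicating state entries for its own control traffic.
  # Unescaped $ expands now (shell), escaped \$ stays a pf macro.
  cat > "$outdir/pf.conf.fragment" <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
sync_if = "$SYNC_IF"
pass quick on \$sync_if proto pfsync keep state (no-sync)
pass on { \$ext_if \$int_if } proto carp keep state (no-sync)
EOF
}

# Usage: gen_node ./fw-a master; gen_node ./fw-b backup; diff -r fw-a fw-b
```

The diff between the two output directories should show nothing but the advskew values. Keep the pfsync link a dedicated, physically isolated segment: pfsync carries the whole state table and the protocol itself does not authenticate updates, so anything that can inject on that segment can add or clear firewall states.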


60 comments


That's really cool (2, Informative)

Anonymous Coward | more than 10 years ago | (#8713264)

I think my office implemented such functionality for like $120k, and it doesn't even work too well.

Re:That's really cool (3, Informative)

hdw (564237) | more than 10 years ago | (#8717488)

Yup, we have something like that too.

Except that our 50.000USD firewall solution fails to handle state sync (they've got problems enough with rules sync) and the failover works so bad that the dudes that run it have failed over to manual fail over :)

I've been _soo_ tempted to suggest to replace all the gunk with OpenBSD, since it has all the stuff we need, and it works ...

And it is a little bit cheaper. // hdw

Re: FreeBSD's bureaucracy? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#8726935)

FreeBSD-5.2.1 is evil-ment very *BAD*.

Just, when I was installing it on my Pentium 200 MHz, 48MiB RAM, it never did end the installation because it was installing at rate 9 KB per second!!!.

Why 9 KiB/s?
I don't know why, but I did a # top and I did see that the CPU was 90% idle and 10% running of cpio, gzip and other programs.

Why 90% cpu-idle for the slower and slower installation?
I don't know why, I believe that FreeBSD's president is hurting us and he wants money with worse and worse code.

open4free

HSRP (3, Interesting)

bolix (201977) | more than 10 years ago | (#8713503)

I love sniffing the Cisco equivalent to CARP. Lots of HSRP calls to 224.0.0.224 with no security built in. A simple ARP poison will fuck the switch. More advanced attack methods can be found c/o Phenolit [phenoelit.de]

Re:HSRP (0)

Anonymous Coward | more than 10 years ago | (#8721298)

Isn't there a way to tell a Cisco router that more than one MAC/IP combo can't occupy the ARP table? I always thought that there is a way around the Ettercap type of Man-In-The-Middle, switched net attack used via ARP poisoning. Info would be appreciated...

Re:HSRP (1)

bolix (201977) | more than 10 years ago | (#8815655)

Absolutely. Multiple mac addresses will cause the switch to fault.... to a default HUB state. At which point any protection afforded by switched port isolation is meaningless.

Redundancy IS bad. (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8713506)

At least in *BSD. Just think of the smell !

OpenBSD does it again! (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8713949)

Oh, the beauty of OpenBSD! Sweet stuff OpenBSD...

I wonder... (2, Interesting)

Yarn (75) | more than 10 years ago | (#8714065)

What hardware would I need to do this on my 1000SX uplink. Admittedly, I've only peaked at 80Mbit/s so far, but I think even handling that will take some beefy hardware.

Re:I wonder... (5, Informative)

dhartmei (664843) | more than 10 years ago | (#8717259)

Filtering ordinary traffic (not extreme test-cases of minimal packets, average number of packets/connection) statefully at 100Mbps doesn't require much hardware. Even little Soekris boxes (embedded 486 133MHz) can do that.

For Gbps, the limiting factor is the NIC and its driver. Some cards/drivers are reported to reach more than 70% of the maximum throughput. The reason they don't (yet) go further is not packet filtering, though.

If you want specific names/models, the mailing list archives contain the reports.

Re:I wonder... (5, Informative)

hdw (564237) | more than 10 years ago | (#8717364)

I'm running an OpenBSD 3.4 firewall on a PII-400 with a 100Mb/s Internet feed.

And I know that I've reached over 40Mb/s without any sign of problem with the firewall.

So unless you're running lots of IpSec stuff or have a high rate of connects I don't think the firewall (or OpenBSD) will be the problem.

I think the selecting a good NIC is more important. // hdw

Re:I wonder... (1)

peripatetic_bum (211859) | more than 10 years ago | (#8719013)

I wonder how a "little" p2 can filter 40MB/s of packets. when it seems like the same p2 will bog down in other stuff (im not talking about a gui)

can you explain this?

Thanks

Re:I wonder... (4, Insightful)

Homology (639438) | more than 10 years ago | (#8719127)

I wonder how a "little" p2 can filter 40MB/s of packets. when it seems like the same p2 will bog down in other stuff (im not talking about a gui)

can you explain this?

The grandparent wrote 40Mb/s, like in 40 megabit, and a PII can handle this. However, you should have a good NIC and not one of those piss-poor Realtek that offloads the work to the CPU.

Re:I wonder... (2, Interesting)

hdw (564237) | more than 10 years ago | (#8719399)

yup, I can.

First of all, I said Mb, not MB, call me conservative but I'm used to counting bandwidth in bits, not bytes.

Second, as I stated, check your NIC and the drivers.
It means a lot when it comes to network handling.

(I remember how our old VAX 11/785 reacted when it shared a non-switched net with 2 sparc servers, the poor VAX was down on its knees just by trying to ignore the traffic :)).

And as a wider note, the performance of a system isn't only down to processor speed. There's tons of parameters, both hard and soft, that come into play.

Figuring out _what_ parameter to fiddle with is regarded as voodoo :)

/ hdw

ps
No, I'm no speed guru, neither did I wave a dead chicken and dance backwards while installing that firewall.
I asked for a raw Internet feed to the labnet, and at that time we didn't have anything less than 100Mb/s to hand out. And the server played it nice.
ds.

Will this help... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8714157)

Will this help me close off access to this always-open, always-sniffed, always-0wn3d port [goatse.cx] ?

Mailto link? (0, Offtopic)

duffbeer703 (177751) | more than 10 years ago | (#8714526)

Why would a /. editor include a mailto link to an OpenBSD developer in a story?

The poor bastard is going to be flooded with spam and crap now.

Re:Mailto link? (0)

Anonymous Coward | more than 10 years ago | (#8715367)

Why would a /. editor include a mailto link to an OpenBSD developer in a story?

Look at the state of the comments in the BSD section of Slashdot.
Take note of the recent poll that identifies BSD as a 'hobby' OS.
Now ask yourself that question again.

Re:Mailto link? (0, Flamebait)

DashEvil (645963) | more than 10 years ago | (#8721332)

*BSD is dead!#%!#%#!#%!

...and I'm a necrophiliac.

Re:Mailto link? (5, Insightful)

dhartmei (664843) | more than 10 years ago | (#8717190)

@openbsd.org addresses are already readily available for harvesters through cvsweb, mailing list archives and usenet gates, putting one in a /. posting couldn't make things any worse.

The upside is that after a certain amount of spam received, people get really good at filtering it. That's where the motivation behind some of the anti-spam features in OpenBSD comes from, I guess :)

Re:Mailto link? (0, Troll)

SillyNickName4me (760022) | more than 10 years ago | (#8718754)

I'd say they come mainly from Theo wanting them due to all the fan mail he receives ;P

Re:Mailto link? (1)

Shurhaian (743684) | more than 10 years ago | (#8721880)

Maybe that caution in the spam-armour munging should be taken into account, hm? After all, if you spam the developers, they'll have brand new samples with which to test their anti-spam routines... get THEM fed up with spam and they're right at the source! Larger projects would take a little longer to have that effect(though, since nobody in their right mind likes spam, those larger projects have more people to work on it, too; that could be seen as good or bad, depending).

Spam an ordinary person until they're saturated, and you won't get through to that person. Spam the devs for a system that works well on servers, and none of the customers of those servers will get your spam anymore, either...

Ryan McBride? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8715374)

Any relation to Darl?

Picture of CARP hardware used by BSD (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8716520)

I found an interesting picture of the CARP hardware they're using for this here [colorado.edu] .

MOD UP: BEST ANTI-BSD TROLL EVER (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8721611)

NETCRAFT NOW CONFIRMS: *BSD IS DYING (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8716644)

Netcraft now confirms: *BSD is dying.

Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last [samag.org] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [amdest.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house. All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dead

This is awesome (0)

Anonymous Coward | more than 10 years ago | (#8716684)

But, how can I loadbalance/failover a postgresql using openbsd?

Re:This is awesome (5, Informative)

dhartmei (664843) | more than 10 years ago | (#8717545)

What CARP/pfsync does is transparent balancing on IP level. Each client connection is redirected to an arbitrary available server. This works for applications where each server can independently handle a client request, like serving stateless HTTP or DNS from multiple servers.

For SQL, clustering is much more involved. One client might insert data that must propagate to the other server, or locks across all servers must be obtained, etc. This cannot be done transparently on IP level, the servers themselves must support it.

Search for replication, clustering or redundancy together with postgresql, you'll find erserver [erserver.com] etc. Except for very special cases (like read-only databases), this is way beyond IP level packet filtering ;)

Re:This is awesome (1)

afekz (693107) | more than 10 years ago | (#8745709)

You say CARP/pfsync does transparent balancing on IP level.

You mean to say CARP, period.

pfsync is for synchronizing firewall state tables.

Sad. (4, Insightful)

MisterP (156738) | more than 10 years ago | (#8718621)

It's kind of sad that something this cool gets so little discussion on a site like Slashdot. I guess it will be news when CARP gets ported to linux and iptables gets ip state sync'ing across hosts.

Re:Sad. (4, Informative)

hdw (564237) | more than 10 years ago | (#8719505)

Userland CARP is already ported to Linux.

http://www.ucarp.org

/ hdw

Re:Sad. (1)

SoundGuy666 (467270) | more than 10 years ago | (#8736187)

Unfortunately, UCARP has not (yet?) implemented one of the most desirable features (to me) of OpenBSD's CARP - Arpbalance. I guess this would require kernel level changes though.

I'm a firewall admin amongst other things.. (2, Insightful)

harikiri (211017) | more than 10 years ago | (#8721426)

...and this looks really attractive to me. Our environment comprises Nokia IPSO-based firewalls running Checkpoint, so I'm very familiar with VRRP.

However, as excellent as this looks, I can only shudder in horror at the thought of migrating any of our existing rulesets across to openbsd/pf, let alone distributed management of policies across several 'clusters' of firewalls we have.

Yes my friends. I'm asking for a GUI. FW Builder [fwbuilder.org] is a good start, but it still needs work (porting to Windows would be a good start). Migration tools from Checkpoint (or other commercial firewalls) would be another good addition.

PS, I ask for Windows support not for my sake, but so that my co-workers would be able to use it. However, this criticism is levelled at FW Builder.

OpenBSD/pf/CARP has provided a brilliant technical starting block, but it needs these additional tools to make inroads into enterprise organisations.

Re:I'm a firewall admin amongst other things.. (0)

Anonymous Coward | more than 10 years ago | (#8721683)

However, as excellent as this looks, I can only shudder in horror at the thought of migrating any of our existing rulesets across to openbsd/pf, let alone distributed management of policies across several 'clusters' of firewalls we have.

Yes my friends. I'm asking for a GUI.

In two paragraphs, you request some decent mechanism for management of distributed firewalls and then ask for a GUI!

PF is not hard to understand and distributing common rules and specific rules is super easy and secure, with tools that come with a default install of OpenBSD (scp).

If you need a GUI and FW admin is your day job, I have to wonder why you're bothering with FW admin.

PS, I ask for Windows support not for my sake, but so that my co-workers would be able to use it.

Staff who are uncomfortable with IP should not be touching any corporate firewalls. Those who are comfortable, should have no problem with pf.conf once they have read PF docco.

OpenBSD/pf/CARP has provided a brilliant technical starting block, but it needs these additional tools to make inroads into enterprise organisations.

Any enterprise which hires network or firewall admin staff who can't understand pf.conf after reading the fine docco, needs to look into why their hiring policies are such a failure, so as to allow them to hire a fraud.

Re:I'm a firewall admin amongst other things.. (4, Informative)

harikiri (211017) | more than 10 years ago | (#8721876)

I'm very aware that I could put together my own 'deployment' script with a combination of ssh/scp and rsync.

If you need a GUI and FW admin is your day job, I have to wonder why you're bothering with FW admin.

I do not need a GUI. My colleagues do not need one either (we previously used PIX... shudder). But when you start dealing with a large number of firewalls (we have over 25 deployed), and not simply firewall rules, but NAT, PAT, authentication and VPN's - having a GUI frontend that ties all that information up together and provides it in an easy to manage way, is a lot better than grepping and trawling through long configuration files to make additions or changes.

Yes any capable firewall admin should be able to implement rules once they read documentation for ipfilter/iptables/pf/ipfw/etc - but they shouldn't necessarily have to. The people I work with aren't stupid, they just don't want to have to work at the command-line across multiple systems to implement a single rule.

Re:I'm a firewall admin amongst other things.. (1)

shurdeek (571257) | more than 9 years ago | (#8724254)

What you describe as deficiencies aren't caused by lack of GUI, but by lack of automation. While I admit that e.g. iptables per se doesn't have an automation tool, it still can be automated without a GUI.

Re:I'm a firewall admin amongst other things.. (1)

Bensmum (766488) | more than 9 years ago | (#8725752)

So what you're saying is "I don't want to do my job, cause that's too much work."? Seriously, if you can't be bothered to read the documentation, and learn to use a piece of software, then don't use it. If you had bothered to read some pf docs, you'd realize a GUI isn't going to help you. PF has literally the easiest to use, most helpful syntax around, and if you have a long pf.conf, then you are doing something wrong, it supports variables and macro expansion. The default config file has all sorts of commented out examples for you so you can't forget the syntax. There is absolutely no benefit to a GUI at all, it's as easy to configure as it can possibly be. Adding another service to potentially be exploited, allowing remote administration of fw rules is not a smart move for a device whose sole purpose is security. What an arrogant attitude, "sure, I could read the docs and learn to use the software that is securing our network, but I shouldn't have to. It should just magically work on its own.". If you don't spend the time reading the docs, you will likely implement incorrect or at least inefficient rulesets using a gui tool anyways. Does your boss realize that you don't think learning to use the tools protecting his company is worth your time?

Re:I'm a firewall admin amongst other things.. (4, Insightful)

sirket (60694) | more than 10 years ago | (#8732143)

There is absolutely no benefit to a GUI at all

This is an idiotic comment. I've been a firewall admin for years. I admin CheckPoint, PIX, NetScreen, ipfw, ipf, and pf firewalls.

Have you ever tried to configure a fully meshed VPN topology between 30 sites by hand? Are you really going to sit there and write 900 rules by hand and expect to do it without making a mistake?

What about defining a group of objects on one firewall (say a cluster of web servers) and then going to implement a rule on a different firewall that uses that web server group? With a central GUI, you can define the object once and not worry about changing it in 5 places or making a mistake when you copy it over to another firewall. (Yes this can be done with scripts but if you are going to write a whole management interface, why not stick a GUI on top of it to make browsing rules easier?)

What about when you need to print out the rule sets for a compliance officer or your CEO?

What about when you have 25 firewalls and you forgot to backup the rule set on a firewall that just died. Wouldn't it be nice to have a management box with all the rule sets stored locally?

There are about 50 good reasons to have a GUI and very few reasons not to have one. As long as you can configure the boxes from the command line and the GUI doesn't generate gibberish rules, then it is an excellent addition to a great firewall package.

-sirket

Re:I'm a firewall admin amongst other things.. (0, Troll)

Bensmum (766488) | more than 10 years ago | (#8733045)

And none of the reasons you provide have anything to do with GUI. All of the things you are talking about are already dealt with by existing tools that any remotely competent admin already uses for their servers.

You think apache isn't as good as IIS because they don't have a GUI too? Oh, wait, there are *THOUSANDS* of tools to manage, edit, and distribute text based config files. It's no more difficult to admin dozens of firewalls than it is to admin dozens of webservers.

Learn to do your job instead of trying to pretend you need something else to be able to do it. There are plenty of existing tools out there, if you seriously aren't happy with any of them, then maybe you should do your part and write whatever tool you need.

Re:I'm a firewall admin amongst other things.. (1, Insightful)

sirket (60694) | more than 10 years ago | (#8734149)

Perhaps you should to do your job instead of bitching on Slashdot. Maybe you've heard the expression "A picture is worth a thousand words?"

GUI's can convey more information in less time and do so more accurately than a text based rule set can. If used correctly, it is a valuable asset.

You think apache isn't as good as IIS because they don't have a GUI too? Oh, wait, there are *THOUSANDS* of tools to manage, edit, and distribute text based config files. Its no more difficult to admin dozens of firewalls than it is to admin dozens of webservers.

Yeah because web servers and firewalls have lots of things in common. I am constantly making changes to my web server configuration (hasn't changed in over a year) whereas I am never asked to change my firewall configuration (3 times this week by one customer). You may be so arrogant as to believe you never make a mistake. I am not so deluded. I write my rule sets using the config files and I use the GUI to verify the changes. Other times I use the GUI to lay the groundwork for a more complex rule set and then I edit the resulting rules by hand to get exactly what I want. Ever try writing CheckPoint rules without the editor? I used to do it all the time but I always checked them with the GUI to be sure they were right.

No one here is talking about creating your typical useless Windows GUI. Ever use the Borderware firewall GUI? It was a masterpiece.

A GUI editor is a tool, and when used right it makes you more efficient. I can't help it if you have your head so far up your ass you can't recognize a good thing when you see it.

-sirket

Re:I'm a firewall admin amongst other things.. (2, Insightful)

Bensmum (766488) | more than 10 years ago | (#8737172)

I don't recognize a good thing because it's not a good thing. This isn't a difficult concept. Just because you make the claim that a GUI is somehow required and you can't function without one doesn't make it so. If you insist on claiming that open source firewall solutions aren't good enough because they don't provide a GUI, how about you back it up with some facts, instead of just insulting the people who are giving you this stuff *for free*. Talk about a "world owes me" attitude.

And it's not that I am so arrogant that I never make a mistake, it's that I *test* changes to see if they work, the new ruleset is applied for 30 seconds to see if it works, and automatically reverted to the old rule set after that. If it did work, I update it for real. A GUI isn't going to help with this.

Re:I'm a firewall admin amongst other things.. (2, Insightful)

sirket (60694) | more than 10 years ago | (#8732318)

So what you're saying is "I don't want to do my job, cause that's too much work."?

No. What he is saying is that unlike you, he is not an idiot. He recognizes how easy it is to make a typo when you have to enter the same rule and object definition on 25 firewalls. He recognizes the security advantages of a simple clean way to view firewall rules to help avoid a mistake in the ruleset.

The biggest information security threat to any company is the arrogance of its admins. Instead of bitching about a GUI a good firewall admin would welcome additional tools to help manage his or her firewalls. As long as the GUI doesn't stop you from editing rules by hand, why not make use of its ability to display your rules in a different way?

-sirket

Reading isn't that hard. (2, Insightful)

Bensmum (766488) | more than 10 years ago | (#8732965)

Seriously, you aren't listening. You don't have to enter the same rule and object definitions over and over, that's exactly what I am saying. You make a single template, and then any firewall from there is just changing some variables like $ext_if or $local_net. Plus there are lots of things you don't have to do with pf, like making a whole set of rules to stop spoofing, with pf you can just do antispoof on $ext_if. I am not complaining about a GUI tool, I am saying the parent poster is dumb for complaining about the lack of a GUI, when he hasn't even bothered to learn how the thing works, to see if he even needs one.

Re:Reading isn't that hard. (2, Insightful)

sirket (60694) | more than 10 years ago | (#8734193)

You're assuming I want a simple rule set that can be templated. That isn't how most firewalls work. They share objects, but rarely do they share rules. Can this be done through macros and from the command line? Of course it can. The problem is that when you are updating your firewall during the 1 hour 3 am maintenance window it is easy to make a mistake that you just overlook because you've been staring at rule sets all day. Different data representations (A GUI) are critical to making sure that you understand exactly what your rule set is doing. A GUI is also useful for building initial rule sets and for prototyping changes. Finally, a GUI prevents you from making a typo (at least in terms of syntax). It's not a big deal if you verify your rule sets each time (good advice no matter what) but a GUI won't let you make these mistakes in the first place.

As long as the GUI doesn't prevent you from editing the raw rules, then it should be a welcome addition to any admin's toolkit.

I am saying the parent poster is dumb for complaining about the lack of a GUI, when he hasn't even bothered to learn how the thing works, to see if he even needs one.

You don't know anything about the parent poster. You've never met him and you don't know what he or she knows and doesn't know. For all you know you've been insulting Bill Cheswick. Or perhaps he is just one of the many overworked admins out there who would like to see a tool that would make his job just a tiny bit quicker so that he can go home on time and actually see his family before sunset.

-sirket

Re:Reading isn't that hard. (1)

Bensmum (766488) | more than 10 years ago | (#8762048)

I am not assuming anything, seriously, spend some time learning about PF, you don't realize just how huge a difference it makes to your rulesets. We're talking 1100 rules in ipf -> 85 rules in pf. And the only kind of typos GUIs prevent are the same ones pf prevents. If you try to add a rule with a typo in the syntax it will say so. The kind of typo that's a problem is typos in the IPs, which GUIs can't prevent either. I know they are complaining about not having a GUI, when they have never put in the time to learn what they are complaining about. Speaking as someone who has to admin ~600 machines, there's nothing special about being an overworked admin, and it's no excuse to whine about something people are giving you for free, when you don't even know anything about it. "PF sucks cause they don't give me a GUI!" is an astoundingly stupid statement if you've never even used pf. Without understanding the tool, you are in no position to say what flaws it has or what other things need added. Try it out for a couple months and then talk.
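The three practices Bensmum describes across this sub-thread (one template shared by every firewall, with only macro values such as $ext_if and $local_net differing per host; antispoof on the interfaces instead of a hand-written set of anti-spoofing rules; and loading a new ruleset for 30 seconds with an automatic revert so a bad rule cannot lock the admin out), together with the syntax check pfctl provides, as one added POSIX sh example. It is not from the thread or from OpenBSD; host names, interfaces and addresses are constructed, and $PFCTL (defaulting to pfctl) is an assumed hook so the functions can be exercised with a stand-in on a machine without pf.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD).  One pf.conf template
# for every firewall: the per-host part is just the pf macro block at the
# top, the body below it is identical everywhere.  Loading is syntax-checked
# and auto-reverting.  Sample names and addresses are constructed.
# Assumption: pfctl(8) is reachable as $PFCTL; point PFCTL at a stand-in
# for a dry run on a machine without pf.
PFCTL="${PFCTL:-pfctl}"

# build_pf_conf HOST EXT_IF INT_IF LOCAL_NET -> complete pf.conf on stdout
build_pf_conf() {
  printf '# pf.conf for %s (generated from the shared template)\n' "$1"
  printf 'ext_if = "%s"\nint_if = "%s"\nlocal_net = "%s"\n' "$2" "$3" "$4"
  # quoted heredoc: $ext_if etc. stay pf macros, the shell does not expand them
  cat <<'EOF'
set skip on lo0
# one line replaces a hand-written set of anti-spoofing rules per interface
antispoof quick for { $ext_if $int_if }
block in log all
pass out quick keep state
# admin ssh only from the inside network to the inside address
pass in on $int_if proto tcp from $local_net to ($int_if) port 22 keep state
EOF
}

# safe_reload NEW OLD [WINDOW]
# 1. pfctl -nf parses NEW without loading it, catching syntax typos.
# 2. NEW is loaded.
# 3. A background timer reloads OLD after WINDOW seconds (default 30).
# Confirm a good change with: kill $REVERT_PID.  If the new rules cut off
# your ssh session instead, the timer brings the old rules back.
safe_reload() {
  new=$1; old=$2; window=${3:-30}
  $PFCTL -nf "$new" || { echo "$new failed the syntax check, not loaded" >&2; return 1; }
  $PFCTL -f "$new" || return 1
  ( sleep "$window"; $PFCTL -f "$old" ) &
  REVERT_PID=$!
  echo "$new loaded; reverting to $old in ${window}s unless you run: kill $REVERT_PID" >&2
}

# Typical use on a firewall (as root):
#   cp /etc/pf.conf /etc/pf.conf.old
#   build_pf_conf fw-a fxp0 fxp1 10.0.0.0/24 > /etc/pf.conf.new
#   safe_reload /etc/pf.conf.new /etc/pf.conf.old 30
#   ... check you can still log in, then: kill $REVERT_PID
#   mv /etc/pf.conf.new /etc/pf.conf
```

The revert timer covers the failure mode the thread argues about: a ruleset that parses cleanly but blocks the admin's own session. It does not catch a wrong address in a rule that still lets you in, which is the class of typo that neither pfctl -n nor a GUI can check for you, so keep the generated files under version control and diff them before loading.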

Re:Reading isn't that hard. (1)

harikiri (211017) | more than 10 years ago | (#8734472)

If you read above, I was complaining about the lack of a windows port for FW Builder (see link above), because this would encourage more enterprises to consider an openbsd pf/carp solution.

When I speak to my colleagues about open source programs, their first questions are on - how easy is it to manage, and how easy is it to deploy. For something that requires configuration changes multiple times a day on multiple servers, responding that "you manage it from the command line" is not a valid option.

This is why I felt I had scored a major coup in getting internal support for deploying snort in our environment - because distributed management could be handled by IDS Policy Manager [activeworx.com] (free), and viewing/analysing alerts could be handled through ACID [sourceforge.net] . Both functions (management and analysis of events) could have been done at the command-line, but the ability to do them via a centralised application and a web server meant that less time would be spent performing routine tasks - and secured management (boss) support.

Re:I'm a firewall admin amongst other things.. (2, Insightful)

hdw (564237) | more than 10 years ago | (#8723010)

PF is not hard to understand and distributing common rules and specific rules is super easy and secure, with tools that come with a default install of OpenBSD (scp).

I have no problem understanding pf rules or distribution via scp (or cvs, works very well).

But it's not about understanding pf rules, it's about keeping track of, often hairy, network and system topology, of various security policies and in many cases a horde of users that need authentication (and that forget their PINs, break their tokens, move between sites ...).
All perfectly possible to handle by editing the rules by hand and push out with scp but only together with hordes others docs keeping track of all the needed fluff.
Then add that changes to the ruleset should be fully traceable and often have to pass thru several pairs of hands and eyes before we even reach the firewall admin. So we really need something easier to the eye than pf rules.

A good, database driven, firewall admin GUI is a very good thing, and it a vital part of enterprise security.

Any enterprise which hires network or firewall admin staff who can't understand pf.conf after reading the fine docco, needs to look into why their hiring policies are such a failure, so as to allow them to hire a fraud.

Oh, come on, step down to the land of the living.

People get shifted around at every reorganisation, suddenly all security is in one global department, 6 months later it's back to the local sites, then it's outsourced, then it's insourced again and 'firewall admins' aren't just carefully selected high profile security pros, they come from all over the place.

// hdw
ps.
I think I'll go back and look at one of my old projects again, OpenBSD/pf/altq/carp is really getting ready for primetime.
ds.

Counterpoint: Cisco PIX (3, Informative)

^BR (37824) | more than 9 years ago | (#8726091)

Cisco PIXes are configured the old way thru SSH (ok, there's a Web interface, never heard of anyone using it) and they sell pretty well. Cisco does have a (laughable) management solution that includes a GUI but almost nobody uses it as it plain sucks (simply installing it is a nightmare, plenty of dependencies...). The nice thing is that it provides a nice market for third party solutions to do that job...

So having a GUI is not a prerequisite for enterprise acceptance. Even if being Cisco sure helps...

Re:Counterpoint: Cisco PIX (2, Interesting)

sirket (60694) | more than 10 years ago | (#8732203)

I configure PIX's all day long and I love the simplicity of a PIX config file. That said, Cisco has been losing market share for years because they don't have a GUI. Ever try to set up a ton of VPN's through the command line? Doable? Certainly. Fun? Not a chance.

-sirket

Re:Counterpoint: Cisco PIX (1)

subzerorz (769341) | more than 10 years ago | (#8802783)

Cisco PIX's GUI interface is actually very user friendly. It's a big improvement especially for Day to day administration.

Re:I'm a firewall admin amongst other things.. (1)

_termx23 (217902) | more than 10 years ago | (#8745578)

If you want to run FWBuilder on Windows, install Cygwin/X. SSH to the firewall (with X11 forwarding turned on) and you are in business. I bet you could set this up with keys etc to the point that you could double click an icon on the Windows desktop and Firewall Builder would display in the Cygwin/X window.

A clue for the "BSD is dying" trolls. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8721451)

From Improving Passive Packet Capture: Beyond Device Polling [net-security.org].

"Linux, a very popular OS used for running network appliances,
performs very poorly with respect to other OSs used in the same
test"
(FreeBSD and Win2k).

"The Linux kernel module is almost as fast as the userspace
FreeBSD application".


Percentage of packets captured (in user space), using device polling, at
80,000 packets per second? Linux 5.6%, FreeBSD 99.9%. Linux manages
99.5% only using a kernel module.

SO LINUX MUST GO TO KERNEL SPACE TO ALMOST BE AS FAST AS FREEBSD
WITHIN USER SPACE!


Maybe if you "BSD is dying" trolls stopped crapping on here about BSD
dying and instead actually learned a language apt for your OS of choice,
you might actually be able to bring Linux up to "dead status" with the
BSDs.

But wait, it gets worse! While trying to capture packets from a
DoS application, Linux could only manage capture rates of 0.8% in user
space and 9.7% in kernel space, while FreeBSD managed 74.7% in user
space!


"FreeBSD performs much better than Linux"

"it is obvious that a vanilla FreeBSD systems is much more
efficient than a vanilla Linux system when used for packet
capture."

YBHT YHL HAND (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8722306)

no one actually believes the crap that they post.

they just do it to piss people like you off into posting this garbage.

why is this so hard for you people to understand? you are just feeding them! they will now post more because of you. if you had just shut up, they would stop because they have no point in posting if no one is going to reply.

Re:YBHT YHL HAND (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8722512)

why is this so hard for you people to understand? you are just feeding them! they will now post more because of you.

Yes! YES! Post more trollbait! My THROBBING PENIS anticipates more bites! I am SPEWING CUM as we speak! *BSD IS DYING!

WARNING: *BSD SECURITY ALERT (-1, Troll)

Anonymous Coward | more than 9 years ago | (#8726568)

CERT SecAD NBSD4536A746
Advisory: Olfactory disturbance during *BSD use
Affected: NetBSD all versions
FreeBSD all versions
OpenBSD all versions
Description: The dead corpse of a *BSD operating system emits a foul, disgusting smell which reduces the productivity of the users.
Recommended activities: - use nose plugs
- removal of *BSD operating system, replace with Linux or Windows XP

CARP also works on Linux, NetBSD and OpenBSD 3.5 (3, Informative)

chrysalis (50680) | more than 10 years ago | (#8723519)

Try UCARP [ucarp.org] a portable userland implementation.

Re:CARP also works on Linux, NetBSD and OpenBSD 3. (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#8728560)

try not being so fucking redundant. you BSDtard

Re:CARP also works on Linux, NetBSD and OpenBSD 3. (1)

Lennie (16154) | more than 10 years ago | (#8830109)

However there is no pfsync (or similar) for netfilter (if you'd like to have failover firewalls).

But supposedly it doesn't matter, because netfilter doesn't have TCP window tracking.

And because existing connections are considered new by netfilter, it should work in theory (if you allow new connections, for all the established-connections).

Balancing won't work however, because UCARP doesn't do that, if I understand it correctly.

As there is no replication, rules should be replicated another way (something like rules from LDAP for example would be a useful way).
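
For comparison with the netfilter situation described above, here is the shape of the OpenBSD-side setup that the linked article is about: two nodes share one address through CARP and replicate their pf state table through pfsync, so an established connection is not re-evaluated as "new" on the surviving node. This is an added illustration, not configuration taken from the article, the FAQ or the OpenBSD project. The interface names fxp0/fxp1, the 192.0.2.x addresses, the vhid and the password are constructed placeholders; the pfsync option is spelled syncdev on later releases and, as an assumption to check against the installed ifconfig(8), syncif on the 3.5-era releases.

```conf
# --- Node A (preferred master) ---------------------------------------------
# Real address of this node on the external segment (constructed example).
#   ifconfig fxp0 inet 192.0.2.11 netmask 255.255.255.0
#
# Shared address that clients actually use. Both nodes carry the same vhid
# and password; the node with the lowest advskew wins the master election.
#   ifconfig carp0 create
#   ifconfig carp0 vhid 1 pass example-secret advskew 0 \
#       192.0.2.1 netmask 255.255.255.0

# --- Node B (backup) ---------------------------------------------------------
# Same vhid and password, its own real address, and a higher advskew so it
# only takes over when node A stops advertising.
#   ifconfig fxp0 inet 192.0.2.12 netmask 255.255.255.0
#   ifconfig carp0 create
#   ifconfig carp0 vhid 1 pass example-secret advskew 100 \
#       192.0.2.1 netmask 255.255.255.0

# --- pfsync on both nodes ----------------------------------------------------
# Bind pfsync to a dedicated back-to-back link (fxp1 here). pfsync state
# updates are not authenticated, so anyone able to reach that segment could
# read or inject state; keeping it on a private link is the mitigation.
# "syncdev" on later releases, "syncif" on 3.5-era releases (assumption).
#   ifconfig pfsync0 syncdev fxp1

# --- /etc/pf.conf fragment, identical on both nodes --------------------------
ext_if  = "fxp0"
sync_if = "fxp1"

# Let the state-sync and master-election traffic through first.
pass quick on $sync_if proto pfsync
pass on $ext_if proto carp keep state

# Ordinary stateful filtering. Every state created here is replicated to
# the peer, which is what lets an in-flight connection survive a failover.
pass out on $ext_if proto tcp from any to any keep state
```

Load the ruleset with `pfctl -f /etc/pf.conf` on each node and confirm with `ifconfig carp0` that exactly one node reports MASTER and the other BACKUP; if both claim MASTER, the advertisements are not reaching the peer (usually a password or vhid mismatch, or a switch dropping the CARP multicast).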

CARP/pf song for 3.5 Release (5, Interesting)

RupertJ (520598) | more than 9 years ago | (#8724084)

In keeping with OpenBSD's promo songs, the 3.5 release features a Monty Python-style sketch and song about CARP/pf and VRRP etc. Very funny stuff indeed. Lyrics and links to download the songs in MP3/OGG format at http://www.openbsd.org/lyrics.html [openbsd.org]

Interview with Ryan McBride (3, Informative)

dhartmei (664843) | more than 10 years ago | (#8790764)

Jeremy Andrews from kerneltrap.org has just published an Interview with Ryan McBride [kerneltrap.org] , which makes for an excellent read on CARP and pfsync.

Anti-censorship post (0)

Anonymous Coward | more than 10 years ago | (#8858015)

Some trolls told me the other day that Slashdot deletes posts scored 0 or -1 after a while. I don't know if I believe them, because trolls tend to lie a lot, but I have decided to repost all of this story's comments just in case. Usually, in the BSD section, it's the most important comments that get modded down.
