Contributed by grey on from the way too many questions at once dept.
We're currently trying to set up a transparent firewall with PF on OpenBSD 3.5, and have almost gotten it working, except we can't get FTP working properly no matter what we do.
We have a large block of IPs that have FTP servers of various types (Microsoft, Gene6, VSFTP, ProFTPD, etc) and thus, making server changes is not really possible. Whatever changes are made have to be by the firewall or by the client.
We have this right now:
rdr on $EXT proto tcp from any to any port 21 -> <ipgroup> port 21
rdr on $EXT proto tcp from any to any port 20 -> <ipgroup> port 20
We can connect to FTP servers behind the firewall and log in, but after that, we get 425 errors stating a loss of connection.
Can anybody help us please? What are we missing?
Trying to deal with higher-layer protocols with a layer-2 firewalling bridge seems like it might be asking for trouble; still, I seem to recall Lucent offering a Plan 9/Inferno OS based L2 filtering firewall that I think may have supported FTP. I've looked around and haven't turned anything up, but perhaps one of our readers has some creative ideas that would make this work with a protocol which can be cumbersome to deal with even when keeping in mind the standard layer-3 caveats with pf(4) and ftp-proxy(8).
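As an added illustration of why a redirect that only matches ports 21 and 20 is not enough for FTP (this is example code added here, not from the original post and not OpenBSD's own code): a small parser for the PORT/PASV negotiation that happens on the control channel. The session transcript below is constructed, with placeholder addresses. It lists each data connection the session sets up and shows that the passive-mode port is an ephemeral one the server picks per transfer, so a static port-21/port-20 rule never sees it. Watching the control channel for exactly these exchanges is what ftp-proxy(8) exists to do.

```python
"""
Why a port-20/21-only redirect breaks FTP: walk the control channel and
report which data-connection endpoints it negotiates.

The session below is constructed for illustration; it is not a capture
from the poster's network.
"""
import re

# Constructed control-channel excerpts: one active-mode (PORT) and one
# passive-mode (PASV) transfer.  Addresses are documentation placeholders.
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,195,80"),
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
    ("S", "425 Can't build data connection: Connection timed out."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,5,217,48)."),
    ("C", "RETR file.txt"),
    ("S", "425 Can't open data connection."),
]

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode an h1,h2,h3,h4,p1,p2 tuple into (host, port); None if absent/invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def data_endpoints(session):
    """
    Return the data connections a control-channel transcript negotiates as
    (mode, host, port, who_connects) tuples.

    Active mode: the server opens the data connection from its port 20 to
    the address/port the client announced with PORT.
    Passive mode: the client opens the data connection to the ephemeral
    port the server advertised in its 227 reply.
    """
    out = []
    for side, line in session:
        if side == "C" and line.upper().startswith("PORT "):
            hp = parse_hostport(line)
            if hp:
                out.append(("active", hp[0], hp[1], "server->client"))
        elif side == "S" and line.startswith("227"):
            hp = parse_hostport(line)
            if hp:
                out.append(("passive", hp[0], hp[1], "client->server"))
    return out


def uncovered_by_rdr(endpoints, allowed_ports=(20, 21)):
    """Data connections whose destination port a port-20/21-only rdr never matches."""
    return [e for e in endpoints if e[2] not in allowed_ports]


if __name__ == "__main__":
    eps = data_endpoints(SAMPLE_SESSION)
    for mode, host, port, direction in eps:
        print(f"{mode:8s} {direction:15s} -> {host}:{port}")
    print("not matched by a port 20/21 rdr:", len(uncovered_by_rdr(eps)), "of", len(eps))
```

Run as-is and both negotiated data connections come out as "not matched": the active one is destined for the client's ephemeral port 50000, the passive one for the server's ephemeral port 55600. Only the control connection itself ever lands on port 21, which is why the login succeeds and the first transfer then fails with a 425.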
Is anyone working or planning to work on ACPI on OpenBSD?
My notebook PC is ACPI compliant; I wish I could "sleep" it instead of shutting it down.
Searching with the keywords "ACPI" and "OpenBSD", I found there was a discussion on misc@ in November 2003. People talked mainly about Intel ACPI-CA, which FreeBSD started importing, and Intel's licence may be a problem. Now NetBSD implements ACPI; I don't know whether they imported it from some project or wrote the code from scratch.
I suppose right after the release of 3.6 is a good time to start implementing new functionality.
I seem to recall that a developer was taking another stab at this quite recently, but I am unaware of a timeline or how well the effort might be going. (Developer's name withheld in case I completely got acronyms mixed up and don't want to cause unneeded grief --grey).
I'm looking for a proof of concept "chroot" sftp solution:
the goal: a "webspace" user is able to manage this "webspace" via scp/sftp, but only his "webspace"...
So far I've only found something along these lines:
An OpenBSD systrace() style jail for sftp.
CHRSH (a port from FreeBSD).
A chroot jail wrapper for ordinary Unix shells
So I'm asking for any opinions or best practices.
Some other directions I might offer would be restricted SCP-only shells, e.g. rssh and scponly, and you may want to look into a systraced shell such as stsh, as worked on by Jose Nazario, since I'm not aware of any recent revisions of the version which Dug Song introduced.
I'm planning on building an OpenBSD firewall and came across this recently :drool:. This combined with the next-gen VIA C5J Esther processor (it will have on-die security and performance features that include support for no-execute (NX) protection, SHA hashing, RSA encryption, AES encryption, and a HW RNG) can become the ultimate CARP-enabled OpenBSD firewall in a 1U rackmount case. Hopefully the C5J motherboards will come with dual GigE and PCI-Express.
Now that I have all of you drooling, a question for the audience... What do you guys use for your current high bandwidth firewall needs? What do you recommend for firewall hardware that will be able to handle GigE bandwidth?
Personally I'm awfully tempted by some of the upcoming AMD64 based motherboards, and Intel makes a quad GigE card that doesn't look too shabby. That said, those are not yet released, or not too widespread products, so what do some of our readers use for GigE pf installations?
The OpenBSD project offers much in the way of cool merchandise: t-shirts, posters, etc., but I would like to see a few more items. I own most of the t-shirts already, and am interested in offering different designs. I particularly like the Puffy from release 3.1.
What are the rules on using the artwork? Is it BSD licensed like the rest? Can I create derivative works and make my own shirt designs? I will of course be donating the profit from the sale to the project, with my time and effort in the design/procurement of the new gear as a donation (inspired by Jason Dixon's idea). I have also noted other comments on undeadly where folks are interested in branded but more subdued polo style shirts.
Thoughts and feedback appreciated.
You may want to start by culling through the mailing list archives, where I'm sure one could turn up many great ideas. However, keep in mind it's rare that people actually put action to words, which is what can make all the difference. I kept this question in the queue in hopes that more people might be inspired to act than just exchange thoughts.
And finally anonymous asks:
I'm thrilled that OpenBSD is starting to look more and more like a Cisco killer, what with CARP and advanced packet filtering features. Supposedly, even multipath routing is supported now (although I don't know anyone who's using it). I have a question for OpenBSD folks: are there any plans to implement any kind of bandwidth aggregation features? What standards currently exist for bandwidth aggregation, and what do developers think about their suitability (from both licensing and technical perspectives)?
Digging through the mailing list archives turns up some discussions of 802.3ad, but apropos on the term doesn't seem to yield any mention in the man pages. It sounds like it may be a case where the project will need some support for specific development efforts towards implementing this.