dnalounge update

New DNA Update in which the disastrous computer saga continues.

7 Responses:

  1. ioerror says:

    FreeBSD has a great firewalling system; if you want to use BSD to do something, I would recommend it.

    However I don't really see the problem with linux and the 2.4.x series.
    If you want to have a firewall up and running with linux in about 30 minutes you can just use shorewall. Really easy to configure and it is highly extensive: proxy arp, portforwarding, SNAT, DNAT, traffic shaping, reg ex support (I haven't used this but I hear it's possible) and all sorts of stuff.

    Also: I heard through the grapevine that OpenBSD has a remote root hole in its tcp stack (but who the fuck am i?).

    • jwz says:

      However I don't really see the problem with linux and the 2.4.x series.

      The problem is, after they made me rewrite my rules for the third time, I said "fuck this, never again."

      • ioerror says:

        What about the kernel option that allows for ipmasqadmin/ipchains compatibility?
        I haven't used them but I assume that would allow you to use your old rulesets with the "new" netfilter.

        Have you tried that?

        If you have to rewrite them again (for freebsd or your other choices) why not just use a cisco router?

        I mean it's time or money right?

        It all relates back to your quote of "Linux is only free if your time is worth nothing."

    • evan says:

      I second the shorewall recommendation. You write your firewall terms in a higher-level config file and it handles the details.

  2. el_olvidado says:

    sadly i think i know the guy with the glitter afro wig. was the wig orange?
    the colo i work at is located at 555 Howard St...i don't know exactly where united layer is but maybe we can help.

  3. moof says:

    Use `ipf -Fs` to flush the state table. `ipf -Fa` might also help. You may also wish to restart ipf with something along the lines of `ifconfig fxp1 down; ipf -D; ipf -E; ipf -Fa -f /etc/ipf.conf; ifconfig fxp1 up` (assuming fxp1 is your outside interface).

    Alternately, with the source tree you have around, you can modify IPSTATE_SIZE and IPSTATE_MAX in sys/netinet/ip_state.h (assuming OpenBSD hasn't buggered up the includes) to be larger. (Note that they both have to be prime numbers, or else the hashing tables get hosed.)

    • kfringe says:

      Unfortunately, 'ipf -Fs' won't cut it. He's dealing with an overload of established connections, so he'd need to give it an 'ipf -FS'. That would also manage to roach the state he actually has, triggering alarms, etc., and generally causing hair loss.

      The good news, though, is that Darren made a concession to user friendliness by letting you define those variables instead of making you edit the source. Wheee!

      Of course, that still means compiling on a wheezing pentium of uncertain lineage because of some silly religious objection making this another sysctl knob. Fortunately, there are beefier net and freebsd machines available.