OpenBSD has a reputation for high security and difficult operating systems for new user. But, some orginsations are using OpenBSD for everything including firewall, servers and desktop computers. This is quite impressive, from the article:

So our paid job is hacking on and deploying, maintaining, supporting… OpenBSD installations. We are also required to hack on things that can be merged back into OpenBSD itself and when it’s not possible, then we change what we did so that it can be. Of course some developments are very specific to what we do and have no place in the project’s CVS tree.

So, amongst other services, we set up and maintain several 100% OpenBSD-based infrastructures (going from the entry site firewall to the secretary’s workstation) and this is what I’m going to talk about here.

As a side note, it is important to know that we are working exclusively for Fortune 500 companies (each operating in totally different and unrelated sectors).

Read more: A Puffy in the corporate aquarium.

OpenBSD 4.6 has been released and available for download from the official website. OpenBSD is well known for record of more than ten years with only two remote holes in the default install. The OpenBSD is widely known for the quality open source code and documentation, uncompromising position on software licensing, and focus on security and code correctness.
[continue reading…]

Here I present an abbreviated explanation of the process of creating firewall and cluster objects. More detailed step-by-step guides are available in sections “Firewall Object” and “Cluster Object” of the Firewall Builder Users Guide.
[continue reading…]

This article continues mini-series started with the post Introduction to Firewall Builder 4.0. This article is also available as a section in the “Firewall Builder Cookbook” chapter of Firewall Builder Users Guide 4.0.

Firewall Builder 4.0 is currently in beta testing phase. If you find it interesting after reading this post, please download and try it out. Source code archives, binary deb and rpm packages for popular Linux distributions and commercially distributed Windows and Mac OS X packages are available for download here.

In this post I demonstrate how Firewall Builder can be used to generate firewall configuration for a clustered web server with multiple virtual IP addresses. The firewall is running on each web server in the cluster. This example assumes the cluster is built with heartbeat using “old” style configuration files, but which high availability software is used to build the cluster is not really essential. I start with the setup that consists of two identical servers running Linux but in the end of the article I am going to demonstrate how this configuration can be converted to OpenBSD with CARP.
[continue reading…]

Lets see how much effort it is going to take to convert this configuration to entirely different firewall platform – PF on OpenBSD. There are different ways to do this. I could make a copy of each member firewall (linux-test-1 and linux-test-2), set platform and host OS in the copy to PF and OpenBSD and then create new cluster object. This would be a sensible way because it preserves old objects which helps to roll back in case something does not work out. However, to make the explanation shorter, I am going to make the changes in place by modifying existing objects.
[continue reading…]

Now that all objects are ready and heartbeat is configured on the machines, we can move on and build some firewall rules. Since this is a cluster configuration, all rules go into the rule set objects that belong to the cluster rather than its member firewalls.
[continue reading…]

Linux and other Unix-like operating systems use the term “swap” to describe both the act of moving memory pages between RAM and disk and the region of a disk the pages are stored on. It is common to use a whole partition of a hard disk for swapping. However, with the 2.6 Linux kernel, swap files are just as fast as swap partitions. Now, many admins (both Windows and Linux/UNIX) follow an old rule of thumb that your swap partition should be twice the size of your main system RAM. Let us say I’ve 32GB RAM, should I set swap space to 64 GB? Is 64 GB of swap space required? How big should your Linux / UNIX swap space be?
[continue reading…]

I have already written about tentakel tool and shell script hack to run a single command on multiple Linux / UNIX / BSD server. This is useful to save time and run UNIX commands on multiple machines. Linux.com has published an article about a new and better tool called pssh:

Recently I come across a nice little nifty tool called pssh to run a single command on multiple Linux / UNIX / BSD servers. You can easily increase your productivy with this SSH tool.

If you want to increase your productivity with SSH, you can try a tool that lets you run commands on more than one remote machine at the same time. Parallel ssh, Cluster SSH, and ClusterIt let you specify commands in a single terminal window and send them to a collection of remote machines where they can be executed.

Read more about pssh here.

OpenBSD 4.4 has been released and available for download (jump to download link ) from official project website. OpenBSD is often the first to add new security tools to make it harder to break, developers have also carefully read through the programming code to check for mistakes more than once. OpenBSD is also used for protecting networking using its pf firewall.

What’s new in OpenBSD 4.4

• A new tool sysmerge(8), derived from the old mergemaster port, makes it easier to merge configuration files changes during an upgrade.
• Fully support OpenBSD inside extended partitions on i386 and amd64.
• During installation ‘dhcp’ is now the initial default answer during network configuration.
  OpenSSH 5.1
• New experimental fingerprint ASCII art visualisation system for easier verification of remote keys. Added chroot(2) support for sshd(8).
• Added an extended test mode (-T) to sshd(8).
• Make ssh(1) support negation of groups in a “Match group” block.
• Over 5205 ports, minor robustness improvements in package tools.
• See all new features here.

OpenBSD 4.4 Download

You can grab OpenBSD ISO and boot files from the FTP server or mirror machines.

OpenBSD download: OpenBSD 4.4 CD ISO download

• Click here to grab OpenBSD 4.4 32bit CD ISO image ( 216M) [ master mirror ]
• Click here to grab OpenBSD 4.4 64bit CD ISO image ( 216M) [ master mirror ]

OpenBSD 4.4 Download Mirrors

• Please see ftp / http mirror download page and release page for further information.