From pete at nomadlogic.org Mon Jun 4 13:29:49 2012
From: pete at nomadlogic.org (Pete Wright)
Date: Mon, 04 Jun 2012 10:29:49 -0700
Subject: [nycbug-talk] Velocity Conference
Message-ID: <4FCCF08D.1000303@nomadlogic.org>

http://velocityconf.com/velocity2012

Are NycBUG'ers attending this? I see that Jan is giving a talk that I'm really looking forward to:

http://velocityconf.com/velocity2012/public/schedule/detail/23358

If any other people are attending let me know :)

-pete

--
Pete Wright
pete at nomadlogic.org
www.nomadlogic.org

From george at ceetonetechnology.com Wed Jun 6 12:48:40 2012
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 06 Jun 2012 12:48:40 -0400
Subject: [nycbug-talk] Hifn card
Message-ID: <4FCF89E8.6070604@ceetonetechnology.com>

Wondering about others' experiences with Hifn card on FreeBSD.

Looking for something not too expensive, mostly for SSL/TLS acceleration.

Have used padlock(4) and glxsb(4), the latter on Alix boards.

Went through the hifn(4) man page, but would love to hear about experiences, not read about them.

g

From george at ceetonetechnology.com Wed Jun 6 12:58:53 2012
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 06 Jun 2012 12:58:53 -0400
Subject: [nycbug-talk] Hifn card
In-Reply-To: <4FCF89E8.6070604@ceetonetechnology.com>
References: <4FCF89E8.6070604@ceetonetechnology.com>
Message-ID: <4FCF8C4D.9050202@ceetonetechnology.com>

On 06/06/12 12:48, George Rosamond wrote:
> Wondering about others' experiences with Hifn card on FreeBSD.
>
> Looking for something not too expensive, mostly for SSL/TLS acceleration.
>
> Have used padlock(4) and glxsb(4), the latter on Alix boards.
>
> Went through the hifn(4) man page, but would love to hear about
> experiences, not read about them.

Well still curious to hear about others' experiences, but it seems for what I need, CPU matters more, in that there will be lots of little work, not some big fat work :)

g

From ike at blackskyresearch.net Wed Jun 6 14:06:47 2012
From: ike at blackskyresearch.net (Isaac Levy)
Date: Wed, 6 Jun 2012 14:06:47 -0400
Subject: [nycbug-talk] Hifn card
In-Reply-To: <4FCF8C4D.9050202@ceetonetechnology.com>
References: <4FCF89E8.6070604@ceetonetechnology.com> <4FCF8C4D.9050202@ceetonetechnology.com>
Message-ID: <201206061807.q56I73e1008622@rs139.luxsci.com>

Hi George,

On Jun 6, 2012, at 12:58 PM, George Rosamond wrote:
> On 06/06/12 12:48, George Rosamond wrote:
>> Wondering about others' experiences with Hifn card on FreeBSD.
>>
>> Looking for something not too expensive, mostly for SSL/TLS acceleration.
>>
>> Have used padlock(4) and glxsb(4), the latter on Alix boards.
>>
>> Went through the hifn(4) man page, but would love to hear about
>> experiences, not read about them.
>
> Well still curious to hear about others' experiences, but it seems for what I need, CPU matters more, in that there will be lots of little work, not some big fat work :)
>
> g

2 things worth less than .02¢:

1) Depends on your use, CPU has blown away what the little hifn cards can push.
(I have a 4 year old story about pulling them out of Soekris 5501's and getting measured 3-5x throughput increase for IPSEC VPN's- no kidding. [was PFSense 1.2, which was of course, FreeBSD 7.x based]) Interrupts and data throughput to the card were killing network IO, and the CPU totally smoked the accelerator on its own. Stats fuzzy, never looked back after pulling the cards.

2) Hardware crypto is difficult to resolve when some aspect of it is compromised, (implementation, fundamental protocol or cypher cracks, etc...).
Nothing seems really confirmed, but the hifn chip was implicated in the 2010 OpenBSD IPSEC "FBI-backdoor" fiasco, of the huge lists of notes, here's Gregory Perry's dense explanation:

http://seclists.org/fulldisclosure/2010/Dec/441

I'm of course not capable of proving/disproving this situation, however, it's totally the worst-case nightmare for any security hardware that isn't trivially interchangeable, (cost, tech, manufacturing time to response, etc...)

Best,
.ike

From gnn at neville-neil.com Wed Jun 6 14:20:50 2012
From: gnn at neville-neil.com (George Neville-Neil)
Date: Wed, 6 Jun 2012 14:20:50 -0400
Subject: [nycbug-talk] Hifn card
In-Reply-To: <201206061807.q56I73e1008622@rs139.luxsci.com>
References: <4FCF89E8.6070604@ceetonetechnology.com> <4FCF8C4D.9050202@ceetonetechnology.com> <201206061807.q56I73e1008622@rs139.luxsci.com>
Message-ID: <0428E8FD-F8FF-4C72-A2E5-E3CA2871C203@neville-neil.com>

On Jun 6, 2012, at 14:06 , Isaac Levy wrote:
> Hi George,
>
> On Jun 6, 2012, at 12:58 PM, George Rosamond wrote:
>> On 06/06/12 12:48, George Rosamond wrote:
>>> Wondering about others' experiences with Hifn card on FreeBSD.
>>>
>>> Looking for something not too expensive, mostly for SSL/TLS acceleration.
>>>
>>> Have used padlock(4) and glxsb(4), the latter on Alix boards.
>>>
>>> Went through the hifn(4) man page, but would love to hear about
>>> experiences, not read about them.
>>
>> Well still curious to hear about others' experiences, but it seems for what I need, CPU matters more, in that there will be lots of little work, not some big fat work :)
>>
>> g
>
> 2 things worth less than .02¢:
>
> 1) Depends on your use, CPU has blown away what the little hifn cards can push.
> (I have a 4 year old story about pulling them out of Soekris 5501's and getting measured 3-5x throughput increase for IPSEC VPN's- no kidding.
> [was PFSense 1.2, which was of course, FreeBSD 7.x based]) Interrupts and data throughput to the card were killing network IO, and the CPU totally smoked the accelerator on its own. Stats fuzzy, never looked back after pulling the cards.
>

At the moment this is what I'd expect. Unless you're on something with low power, like an old Soekris, then your CPU is probably fine.

More interesting is if people start doing crypto on GPU, but I'm not going to even think about that.

Best,
George

From ike at blackskyresearch.net Wed Jun 6 15:08:01 2012
From: ike at blackskyresearch.net (Isaac Levy)
Date: Wed, 6 Jun 2012 15:08:01 -0400
Subject: [nycbug-talk] Hifn card
In-Reply-To: <0428E8FD-F8FF-4C72-A2E5-E3CA2871C203@neville-neil.com>
References: <4FCF89E8.6070604@ceetonetechnology.com> <4FCF8C4D.9050202@ceetonetechnology.com> <201206061807.q56I73e1008622@rs139.luxsci.com> <0428E8FD-F8FF-4C72-A2E5-E3CA2871C203@neville-neil.com>
Message-ID: <201206061908.q56J87ka020674@rs139.luxsci.com>

On Jun 6, 2012, at 2:20 PM, George Neville-Neil wrote:
> On Jun 6, 2012, at 14:06 , Isaac Levy wrote:
>> Hi George,
>>
>> On Jun 6, 2012, at 12:58 PM, George Rosamond wrote:
>>> On 06/06/12 12:48, George Rosamond wrote:
>>>> Wondering about others' experiences with Hifn card on FreeBSD.
>>>>
>>>> Looking for something not too expensive, mostly for SSL/TLS acceleration.
>>>>
>>>> Have used padlock(4) and glxsb(4), the latter on Alix boards.
>>>>
>>>> Went through the hifn(4) man page, but would love to hear about
>>>> experiences, not read about them.
>>>
>>> Well still curious to hear about others' experiences, but it seems for what I need, CPU matters more, in that there will be lots of little work, not some big fat work :)
>>>
>>> g
>>
>> 2 things worth less than .02¢:
>>
>> 1) Depends on your use, CPU has blown away what the little hifn cards can push.
>> (I have a 4 year old story about pulling them out of Soekris 5501's and getting measured 3-5x throughput increase for IPSEC VPN's- no kidding. [was PFSense 1.2, which was of course, FreeBSD 7.x based]) Interrupts and data throughput to the card were killing network IO, and the CPU totally smoked the accelerator on its own. Stats fuzzy, never looked back after pulling the cards.
>>
>
> At the moment this is what I'd expect. Unless you're on something with low power, like an old
> Soekris, then your CPU is probably fine.
>
> More interesting is if people start doing crypto on GPU, but I'm not going to even think about that.

Ha! Or CPU architecture could simply take those cues and start changing again altogether?
(I'm over-simplifying things, but isn't it about time?)

"Yeah. RISC is good."

Rocket-
.ike

From alex at pilosoft.com Wed Jun 6 13:52:13 2012
From: alex at pilosoft.com (Alex Pilosov)
Date: Wed, 6 Jun 2012 13:52:13 -0400 (EDT)
Subject: [nycbug-talk] Hifn card
In-Reply-To: <4FCF8C4D.9050202@ceetonetechnology.com>
Message-ID:

fyi, not sure if it helps anyone, i do have a few cavium cn1230 cards, free to a good home. no idea if it's supported in fbsd.

-alex

On Wed, 6 Jun 2012, George Rosamond wrote:

> On 06/06/12 12:48, George Rosamond wrote:
> > Wondering about others' experiences with Hifn card on FreeBSD.
> >
> > Looking for something not too expensive, mostly for SSL/TLS acceleration.
> >
> > Have used padlock(4) and glxsb(4), the latter on Alix boards.
> >
> > Went through the hifn(4) man page, but would love to hear about
> > experiences, not read about them.
>
> Well still curious to hear about others' experiences, but it seems for
> what I need, CPU matters more, in that there will be lots of little
> work, not some big fat work :)
>
> g
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

From okan at demirmen.com Wed Jun 6 15:27:49 2012
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 6 Jun 2012 15:27:49 -0400
Subject: [nycbug-talk] Hifn card
In-Reply-To: <4FCF8C4D.9050202@ceetonetechnology.com>
References: <4FCF89E8.6070604@ceetonetechnology.com> <4FCF8C4D.9050202@ceetonetechnology.com>
Message-ID: <20120606192749.GC31024@clam.khaoz.org>

On Wed 2012.06.06 at 12:58 -0400, George Rosamond wrote:
> On 06/06/12 12:48, George Rosamond wrote:
> >Wondering about others' experiences with Hifn card on FreeBSD.
> >
> >Looking for something not too expensive, mostly for SSL/TLS acceleration.
> >
> >Have used padlock(4) and glxsb(4), the latter on Alix boards.
> >
> >Went through the hifn(4) man page, but would love to hear about
> >experiences, not read about them.
>
> Well still curious to hear about others' experiences, but it seems
> for what I need, CPU matters more, in that there will be lots of
> little work, not some big fat work :)

Save your money for something else.

From bonsaime at gmail.com Wed Jun 6 15:35:34 2012
From: bonsaime at gmail.com (Jesse Callaway)
Date: Wed, 6 Jun 2012 15:35:34 -0400
Subject: [nycbug-talk] Hifn card
In-Reply-To: <4FCF8C4D.9050202@ceetonetechnology.com>
References: <4FCF89E8.6070604@ceetonetechnology.com> <4FCF8C4D.9050202@ceetonetechnology.com>
Message-ID:

I didn't reply because I had no numbers to relate, but the newer Intel chips have at least AES acceleration baked in.

On Jun 6, 2012 1:00 PM, "George Rosamond" wrote:

> On 06/06/12 12:48, George Rosamond wrote:
>
>> Wondering about others' experiences with Hifn card on FreeBSD.
>>
>> Looking for something not too expensive, mostly for SSL/TLS acceleration.
>>
>> Have used padlock(4) and glxsb(4), the latter on Alix boards.
>>
>> Went through the hifn(4) man page, but would love to hear about
>> experiences, not read about them.
>>
>
> Well still curious to hear about others' experiences, but it seems for
> what I need, CPU matters more, in that there will be lots of little work,
> not some big fat work :)
>
> g

From pete at nomadlogic.org Wed Jun 6 17:19:58 2012
From: pete at nomadlogic.org (Pete Wright)
Date: Wed, 6 Jun 2012 14:19:58 -0700
Subject: [nycbug-talk] Hifn card
In-Reply-To:
References: <4FCF89E8.6070604@ceetonetechnology.com> <4FCF8C4D.9050202@ceetonetechnology.com>
Message-ID: <20120606211956.GA56335@arp.nomadlogic.org>

On Wed, Jun 06, 2012 at 03:35:34PM -0400, Jesse Callaway wrote:
> I didn't reply because I had no numbers to relate, but the newer Intel
> chips have at least AES acceleration baked in.

heh - awesome, never noticed that:
http://en.wikipedia.org/wiki/AES_instruction_set

aesni(4) freebsd opencrypto driver support as well...

-p

--
Pete Wright
pete at nomadlogic.org

From pete at nomadlogic.org Wed Jun 6 18:47:00 2012
From: pete at nomadlogic.org (Pete Wright)
Date: Wed, 6 Jun 2012 15:47:00 -0700
Subject: [nycbug-talk] Netflix CDN Appliance
Message-ID: <20120606224658.GB56335@arp.nomadlogic.org>

This is pretty interesting - netflix CDN appliance based on FreeBSD-9.0 and nginx:

https://signup.netflix.com/openconnect
https://signup.netflix.com/openconnect/software

I heard a bit about this from a netflix'er (netflix'ian?) a little while back and it sounded pretty great. Glad to see they moved forward with it, after the boondoggle a year back or so.

-p

--
Pete Wright
pete at nomadlogic.org

From akosela at andykosela.com Wed Jun 6 18:52:38 2012
From: akosela at andykosela.com (Andy Kosela)
Date: Thu, 7 Jun 2012 00:52:38 +0200
Subject: [nycbug-talk] Netflix CDN Appliance
In-Reply-To: <20120606224658.GB56335@arp.nomadlogic.org>
References: <20120606224658.GB56335@arp.nomadlogic.org>
Message-ID:

On Thu, Jun 7, 2012 at 12:47 AM, Pete Wright wrote:
> This is pretty interesting - netflix CDN appliance based on FreeBSD-9.0
> and nginx:
>
> https://signup.netflix.com/openconnect
> https://signup.netflix.com/openconnect/software
>
>
> I heard a bit about this from a netflix'er (netflix'ian?) a little
> while back and it sounded pretty great. Glad to see they moved forward
> with it, after the boondoggle a year back or so.
>

Yeah, FreeBSD and nginx make a powerful combo. I'm glad they use it.

--Andy

From ike at blackskyresearch.net Thu Jun 7 07:59:47 2012
From: ike at blackskyresearch.net (Isaac Levy)
Date: Thu, 7 Jun 2012 07:59:47 -0400
Subject: [nycbug-talk] UNIX Trivia Questions
Message-ID: <201206071200.q57C03l8002631@rs139.luxsci.com>

Hi All,

For the record, here's the UNIX trivia questions from last night:

Who wrote the first Unix screen editor?
        irons

Who bought the first commercial Unix license?
        rand

Who bought the first Unix license?
        columbia

What does FUBAR mean?
        failed unibus address register

Best,
.ike

From crossd at gmail.com Thu Jun 7 08:10:02 2012
From: crossd at gmail.com (Dan Cross)
Date: Thu, 7 Jun 2012 08:10:02 -0400
Subject: [nycbug-talk] UNIX Trivia Questions
In-Reply-To: <201206071200.q57C03l8002631@rs139.luxsci.com>
References: <201206071200.q57C03l8002631@rs139.luxsci.com>
Message-ID:

On Thu, Jun 7, 2012 at 7:59 AM, Isaac Levy wrote:
> Hi All,
>
> For the record, here's the UNIX trivia questions from last night:
>
> Who wrote the first Unix screen editor?
>        irons
>
> Who bought the first commercial Unix license?
>        rand
>
> Who bought the first Unix license?
>        columbia
>
> What does FUBAR mean?
>        failed unibus address register

This last one, at least, isn't completely true: 'FUBAR' definitely predates the advent of Unix, and comes from military slang. In good military fashion, it is an acronym that stands for, "Fucked Up Beyond All Recognition." It is often paired with its other military cousin, 'SNAFU': "Situation Normal: All Fucked Up."

I'm not saying that Rob Pike was wrong when he put those questions together, but that one is certainly ambiguous.

        - Dan C.

From ike at blackskyresearch.net Thu Jun 7 08:52:01 2012
From: ike at blackskyresearch.net (Isaac Levy)
Date: Thu, 7 Jun 2012 08:52:01 -0400
Subject: [nycbug-talk] UNIX Trivia Questions
In-Reply-To:
References: <201206071200.q57C03l8002631@rs139.luxsci.com>
Message-ID: <201206071253.q57Cr4ms004180@rs139.luxsci.com>

On Jun 7, 2012, at 8:10 AM, Dan Cross wrote:
> On Thu, Jun 7, 2012 at 7:59 AM, Isaac Levy wrote:
>> Hi All,
>>
>> For the record, here's the UNIX trivia questions from last night:
>>
>> Who wrote the first Unix screen editor?
>>        irons
>>
>> Who bought the first commercial Unix license?
>>        rand
>>
>> Who bought the first Unix license?
>>        columbia
>>
>> What does FUBAR mean?
>>        failed unibus address register
>
> This last one, at least, isn't completely true: 'FUBAR' definitely
> predates the advent of Unix, and comes from military slang. In good
> military fashion, it is an acronym that stands for, "Fucked Up Beyond
> All Recognition." It is often paired with its other military cousin,
> 'SNAFU': "Situation Normal: All Fucked Up."
>
> I'm not saying that Rob Pike was wrong when he put those questions
> together, but that one is certainly ambiguous.
>
> - Dan C.

Agreed, next time I'll re-phrase it with context, e.g.:

What does FUBAR mean to PDP-11 users?
        failed unibus address register

Best,
.ike

From george at ceetonetechnology.com Thu Jun 7 09:08:48 2012
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 07 Jun 2012 09:08:48 -0400
Subject: [nycbug-talk] Hifn card
In-Reply-To: <20120606211956.GA56335@arp.nomadlogic.org>
References: <4FCF89E8.6070604@ceetonetechnology.com> <4FCF8C4D.9050202@ceetonetechnology.com> <20120606211956.GA56335@arp.nomadlogic.org>
Message-ID: <4FD0A7E0.5050201@ceetonetechnology.com>

On 06/06/12 17:19, Pete Wright wrote:
> On Wed, Jun 06, 2012 at 03:35:34PM -0400, Jesse Callaway wrote:
>> I didn't reply because I had no numbers to relate, but the newer Intel
>> chips have at least AES acceleration baked in.
>
> heh - awesome, never noticed that:
> http://en.wikipedia.org/wiki/AES_instruction_set
>
> aesni(4) freebsd opencrypto driver support as well...

Thanks JC.

Before that post, I found that some of the new SuperMicro boards have that chip, and are shipping next week.

So the whole crypto accelerator card issue becomes even more irrelevant.

g

From billtotman at billtotman.com Thu Jun 7 09:10:52 2012
From: billtotman at billtotman.com (Bill Totman)
Date: Thu, 7 Jun 2012 09:10:52 -0400
Subject: [nycbug-talk] UNIX Trivia Questions
In-Reply-To:
References: <201206071200.q57C03l8002631@rs139.luxsci.com>
Message-ID:

On Thu, Jun 7, 2012 at 8:10 AM, Dan Cross wrote:
> On Thu, Jun 7, 2012 at 7:59 AM, Isaac Levy wrote:
>> Hi All,
>>
>> For the record, here's the UNIX trivia questions from last night:
>>
>> Who wrote the first Unix screen editor?
>>        irons
>>
>> Who bought the first commercial Unix license?
>>        rand
>>
>> Who bought the first Unix license?
>>        columbia
>>
>> What does FUBAR mean?
>>        failed unibus address register
>
> This last one, at least, isn't completely true: 'FUBAR' definitely
> predates the advent of Unix, and comes from military slang. In good
> military fashion, it is an acronym that stands for, "Fucked Up Beyond
> All Recognition."
> It is often paired with its other military cousin,
> 'SNAFU': "Situation Normal: All Fucked Up."
>
> I'm not saying that Rob Pike was wrong when he put those questions
> together, but that one is certainly ambiguous.
>
>        - Dan C.

I'm sure it was a double entendre by Pike... like the silly joke whose punchline is: "Big gloves and big shoes."

-bt

From nikolai at fetissov.org Sun Jun 10 22:10:03 2012
From: nikolai at fetissov.org (Nikolai Fetissov)
Date: Sun, 10 Jun 2012 22:10:03 -0400
Subject: [nycbug-talk] June 2012 meeting audio
Message-ID: <0d130f65c393b4f8e4ad06a045fffbc8.squirrel@geekisp.com>

Folks,

Audio recording of PCS presentation by GNN is online at:
http://www.fetissov.org/public/nycbug/nycbug-06-06-12.mp3

Apologies for the delay.
Cheers,
--
Nikolai

From george at ceetonetechnology.com Sun Jun 10 22:37:41 2012
From: george at ceetonetechnology.com (George Rosamond)
Date: Sun, 10 Jun 2012 22:37:41 -0400
Subject: [nycbug-talk] June 2012 meeting audio
In-Reply-To: <0d130f65c393b4f8e4ad06a045fffbc8.squirrel@geekisp.com>
References: <0d130f65c393b4f8e4ad06a045fffbc8.squirrel@geekisp.com>
Message-ID: <4FD559F5.9040600@ceetonetechnology.com>

On 06/10/12 22:10, Nikolai Fetissov wrote:
> Folks,
>
> Audio recording of PCS presentation by GNN is online at:
> http://www.fetissov.org/public/nycbug/nycbug-06-06-12.mp3
>
> Apologies for the delay.
> Cheers,
> --

As always, thanks a million Nikolai.

g

From josh at rivels.org Fri Jun 15 09:46:45 2012
From: josh at rivels.org (Josh Rivel)
Date: Fri, 15 Jun 2012 09:46:45 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
Message-ID:

So after badgering my manager nonstop about how great OpenBSD with pf
is, he's letting me do a "bakeoff" of two identical boxes - one will
be running OpenBSD 5.1 w/pf, and the other a popular commercial
firewall software.
I probably will not be starting this project until first week in July,
but wanted to get some tips (feel free to contact me off list if you
don't think it's appropriate) of any custom tuning or deployment tips
and tricks for enterprise wide OpenBSD/pf deployments, management of
the policies, etc.
I really want OpenBSD to win :)
Thanks in advance.
Josh

From zippy1981 at gmail.com Fri Jun 15 09:54:27 2012
From: zippy1981 at gmail.com (Justin Dearing)
Date: Fri, 15 Jun 2012 09:54:27 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To:
References:
Message-ID:

What is the objective of "winning"? Is he just going to throw a pen test at it? Do you get multiple runs of this pentest? Is there an attempt to overwhelm the firewall with legitimate traffic to measure maximum load?

On Fri, Jun 15, 2012 at 9:46 AM, Josh Rivel wrote:

> So after badgering my manager nonstop about how great OpenBSD with pf
> is, he's letting me do a "bakeoff" of two identical boxes - one will
> be running OpenBSD 5.1 w/pf, and the other a popular commercial
> firewall software.
> I probably will not be starting this project until first week in July,
> but wanted to get some tips (feel free to contact me off list if you
> don't think it's appropriate) of any custom tuning or deployment tips
> and tricks for enterprise wide OpenBSD/pf deployments, management of
> the policies, etc.
> I really want OpenBSD to win :)
> Thanks in advance.
> Josh

From josh at rivels.org Fri Jun 15 10:14:58 2012
From: josh at rivels.org (Josh Rivel)
Date: Fri, 15 Jun 2012 10:14:58 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To:
References:
Message-ID:

Hello,

On Fri, Jun 15, 2012 at 9:54 AM, Justin Dearing wrote:
> What is the objective of "winning"?
> Is he just going to throw a pen test at
> it? Do you get multiple runs of this pentest? Is there an attempt to
> overwhelm the firewall with legitimate traffic to measure maximum load?

Sorry, I should have clarified. We don't have a firm test plan in place, but it will be to use some sort of traffic-generating device (Ixia/SmartBits/etc.) to see how the various firewalls handle the load being thrown at them, packet per second, number of connections, bandwidth, etc. The initial test will be done using 1gb fiber interfaces, but in production we have lots of firewalls with 10gb connections.

And yes, we can run the test as many times as we want (within reason). I will be doing the testing myself. It's not a pentest as in a "let's see who can break into the firewall" type of thing.

Josh

From mark.saad at ymail.com Fri Jun 15 10:47:09 2012
From: mark.saad at ymail.com (Mark Saad)
Date: Fri, 15 Jun 2012 10:47:09 -0400
Subject: [nycbug-talk] Rackmount eSATA Enclosures
Message-ID:

Hi Talk
Has anyone had any experience with this drive shelf in FreeBSD

Sans Digital Rackmount eSATA External Hard Drive Enclosure ER104CT

http://amzn.com/B00365DWBK

I want to get one and I am open to other options.

--

Mark Saad | mark.saad at ymail.com

From ike at blackskyresearch.net Fri Jun 15 11:06:59 2012
From: ike at blackskyresearch.net (Isaac Levy)
Date: Fri, 15 Jun 2012 11:06:59 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To:
References:
Message-ID: <1339772822-7451682.3597716.fq5FF6xm9031230@rs139.luxsci.com>

Wow,

On Jun 15, 2012, at 9:46 AM, Josh Rivel wrote:

> So after badgering my manager nonstop about how great OpenBSD with pf
> is, he's letting me do a "bakeoff" of two identical boxes - one will
> be running OpenBSD 5.1 w/pf, and the other a popular commercial
> firewall software.

Holy moses that's cool.

> I probably will not be starting this project until first week in July,
> but wanted to get some tips (feel free to contact me off list if you
> don't think it's appropriate) of any custom tuning or deployment tips
> and tricks for enterprise wide OpenBSD/pf deployments, management of
> the policies, etc.
> I really want OpenBSD to win :)

Well, there goes the scientific method ;)

> Thanks in advance.
> Josh

One sideshow-ish note which I hope helps:

I'd crib from PFSense (yes, I know that sounds awful to any OpenBSD user, my apologies), but their stock system tuning is thoughtful, in particular, the network i/o sysctls. Grokking the intention of the sysctl tuning may be a great thing to skim through.

https://github.com/bsdperimeter/pfsense

Best,
.ike

From josh at rivels.org Fri Jun 15 11:17:43 2012
From: josh at rivels.org (Josh Rivel)
Date: Fri, 15 Jun 2012 11:17:43 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To: <1339772822-7451682.3597716.fq5FF6xm9031230@rs139.luxsci.com>
References: <1339772822-7451682.3597716.fq5FF6xm9031230@rs139.luxsci.com>
Message-ID:

.ike-

On Fri, Jun 15, 2012 at 11:06 AM, Isaac Levy wrote:
> Wow,
>
> On Jun 15, 2012, at 9:46 AM, Josh Rivel wrote:
>
>> So after badgering my manager nonstop about how great OpenBSD with pf
>> is, he's letting me do a "bakeoff" of two identical boxes - one will
>> be running OpenBSD 5.1 w/pf, and the other a popular commercial
>> firewall software.
>
> Holy moses that's cool.

Indeed :)

>> I probably will not be starting this project until first week in July,
>> but wanted to get some tips (feel free to contact me off list if you
>> don't think it's appropriate) of any custom tuning or deployment tips
>> and tricks for enterprise wide OpenBSD/pf deployments, management of
>> the policies, etc.
>> I really want OpenBSD to win :)
>
> Well, there goes the scientific method ;)

Hahahahaha. Well of course I want OpenBSD to win, but if it doesn't, it doesn't....
I will be impartial during my testing, and will *not* skew the test results!

> One sideshow-ish note which I hope helps:
>
> I'd crib from PFSense (yes, I know that sounds awful to any OpenBSD user, my apologies), but their stock system tuning is thoughtful, in particular, the network i/o sysctls. Grokking the intention of the sysctl tuning may be a great thing to skim through.
>
> https://github.com/bsdperimeter/pfsense

Awesome - thanks as always for the useful tips .ike!

Josh

From jhellenthal at dataix.net Fri Jun 15 11:21:55 2012
From: jhellenthal at dataix.net (Jason Hellenthal)
Date: Fri, 15 Jun 2012 11:21:55 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To:
References:
Message-ID: <20120615152155.GA16658@DataIX.net>

If I might say, you should give [1] a few once overs to build up a ruleset that will wind up pretty close to the commercial system and you will be less likely to miss rules that your corporate firewall solution implements with toggle switches and short command lines. You might possibly be able to import your existing corporate ruleset for a quick start.

Once you have a ruleset you can go back through it to minimize the rules into a smaller set using macros, tables and such.

1). http://www.fwbuilder.org/

On Fri, Jun 15, 2012 at 09:46:45AM -0400, Josh Rivel wrote:
> So after badgering my manager nonstop about how great OpenBSD with pf
> is, he's letting me do a "bakeoff" of two identical boxes - one will
> be running OpenBSD 5.1 w/pf, and the other a popular commercial
> firewall software.
> I probably will not be starting this project until first week in July,
> but wanted to get some tips (feel free to contact me off list if you
> don't think it's appropriate) of any custom tuning or deployment tips
> and tricks for enterprise wide OpenBSD/pf deployments, management of
> the policies, etc.
> I really want OpenBSD to win :)
> Thanks in advance.
> Josh

--

 - (2^(N-1))

From josh at rivels.org Fri Jun 15 11:25:48 2012
From: josh at rivels.org (Josh Rivel)
Date: Fri, 15 Jun 2012 11:25:48 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To: <20120615152155.GA16658@DataIX.net>
References: <20120615152155.GA16658@DataIX.net>
Message-ID:

Jason,

On Fri, Jun 15, 2012 at 11:21 AM, Jason Hellenthal wrote:
>
> If I might say, you should give [1] a few once overs to build up a
> ruleset that will wind up pretty close to the commercial system and you
> will be less likely to miss rules that your corporate firewall solution
> implements with toggle switches and short command lines. You might
> possibly be able to import your existing corporate ruleset for a quick
> start.
>
> Once you have a ruleset you can go back through it to minimize the rules
> into a smaller set using macros, tables and such.
>
> 1). http://www.fwbuilder.org/

Thanks, I will definitely take a look at this. I think initially we will just use a "any any allow" rule to test straight throughput, I need to sort out the details with my manager as to what exactly he wants me to test. Might set up a rule like "allow port 80 from * to webserver" or something and see how much HTTP traffic we can slam at the webserver.

Don't know, but this should be interesting to say the least!

Josh

From ike at blackskyresearch.net Fri Jun 15 13:38:06 2012
From: ike at blackskyresearch.net (Isaac Levy)
Date: Fri, 15 Jun 2012 13:38:06 -0400
Subject: [nycbug-talk] Rackmount eSATA Enclosures
In-Reply-To:
References:
Message-ID: <1339781944-3139778.10851392.fq5FHc6dL026361@rs139.luxsci.com>

Hi Mark,

I've used the Sans Digital enclosures, but not rackmount stuff.

I've used the non-raid variants of this at home,
http://www.amazon.com/Sans-Digital-TowerRAID-TR5M-BP-Enclosure/dp/B003X0BJB8/ref=sr_1_5?s=electronics&ie=UTF8&qid=1339775278&sr=1-5

This stuff looks kind of cheap, this rackmount box could be awesome- or could end up being terrible waste of time.

--
BIG WARNING:
The Sans-Digital stuff with various hardware RAID options are absolute trash, friends have bought those with terrible results- (even when not using the HW raid features).

CHEAP CAN BE AWESOME:
The stuff I've used, (over USB- with FreeBSD and MacOSX), has been as good as USB is... slow and adequately reliable for Tb+ green/slow/cheap drives.

I've even toyed/tested them with ZFS volumes, however, the speed of the single bus from the device makes them terrible for any actual ZRAID pool use- (unless I guess you split spools across multiple containers, which gets silly for me to live with- e.g. "which drive is in which sled?" hijinks).

A single slow drive as a ZFS pool works just great, (with all the other ZFS features), and for 2-3tb slow/cheap drives, it's far more pleasant to live with than UFS- (formatting takes *forever* with UFS here, for starters...)

I really love their little enclosures as simple, slow cheap SATA drive sleds.

Hope that helps-

Best,
.ike

On Jun 15, 2012, at 10:47 AM, Mark Saad wrote:

> Hi Talk
> Has anyone had any experience with this drive shelf in FreeBSD
>
> Sans Digital Rackmount eSATA External Hard Drive Enclosure ER104CT
>
> http://amzn.com/B00365DWBK
>
> I want to get one and I am open to other options.
>
> --
>
> Mark Saad | mark.saad at ymail.com

From jonathan at kc8onw.net Fri Jun 15 18:36:02 2012
From: jonathan at kc8onw.net (Jonathan)
Date: Fri, 15 Jun 2012 18:36:02 -0400
Subject: [nycbug-talk] Rackmount eSATA Enclosures
In-Reply-To:
References:
Message-ID: <4FDBB8D2.7090201@kc8onw.net>

On 6/15/2012 10:47 AM, Mark Saad wrote:
> Hi Talk
> Has anyone had any experience with this drive shelf in FreeBSD
> Sans Digital Rackmount eSATA External Hard Drive Enclosure ER104CT
> http://amzn.com/B00365DWBK
> I want to get one and I am open to other options.

If you're buying this for a business I would have to say stay away from it. A 1 year warranty does not inspire confidence and they don't specify the SATA controller so it's likely a Silicon Image controller; supposedly they have gotten better but they used to be extremely buggy and unreliable. The drive caddies also don't appear to have any kind of vibration isolation either, it looks like bare metal all the way which can cause problems.

If you're buying it for personal use it might work out okay. I have a couple of cheap 5 in 3 tower enclosures that have worked okay in my home tower but they are SATA pass-through not expander and I drive them through an LSI SAS card. I have a piece of paper wedged next to one of the drives because it vibrates and tends to get kinda noisy but ZFS has saved my data every time so far.
5 drive failures in 5 years out of a set of 10 disks, no data loss yet :)

Jonathan Stewart

From brett.mahar at gmx.com Fri Jun 15 20:14:47 2012
From: brett.mahar at gmx.com (Brett)
Date: Sat, 16 Jun 2012 10:14:47 +1000
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To:
References:
Message-ID: <20120616101447.659d47059974d01dc6a74ba0@gmx.com>

> So after badgering my manager nonstop about how great OpenBSD with pf
> is, he's letting me do a "bakeoff" of two identical boxes - one will
> be running OpenBSD 5.1 w/pf, and the other a popular commercial
> firewall software.

> Josh
>

A couple of things I could think of that would be interesting to compare:

1. This from the default pf.conf file:

#For example, the following rules will protect the webserver against hosts
#making more than 100 connections in 10 seconds.

block quick from <bad_hosts>
pass in on $ext_if proto tcp to $webserver port www keep state \
        (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

2. Filtering by OS fingerprinting (eg simulating a Love Bug type virus coming from windows machines - how well do the various firewalls cope with slowing this traffic down to a crawl and letting non-windows-originating traffic through).

Cheers,
Brett.

From brian.gupta at gmail.com Sun Jun 17 20:34:06 2012
From: brian.gupta at gmail.com (Brian Gupta)
Date: Sun, 17 Jun 2012 20:34:06 -0400
Subject: [nycbug-talk] Looking for a networking freelancer who is fairly proficient with pfsense.
Message-ID:

The work is initially tilted towards onsite work, and as things are properly setup, I envision it moving to largely offsite/remote work.

Ideally the person would have experience with HA pfsense multisite configs, pfsense intersite vpn tunneling (including the HA failover of said tunnels), as well as most of pfsense's standard features, including network performance monitoring and firewall rules.
We do have a pfsense support contract though, so if there are some gaps, and you are confident that you can pick things up quickly, we can work things out.

There is an existing setup, but some of the pieces are incomplete, implemented incorrectly, and/or can use more cleanup/enhancement.

In addition knowing Netgear, and Sonicwall would be helpful. (Have more than one client we support local networking needs.)

The best contact info for me is brian.gupta at brandorr.com.

Thanks,
Brian

-
Brian Gupta
New York City user groups calendar:
http://nyc.brandorr.com/

From jpb at jimby.name Mon Jun 18 14:08:07 2012
From: jpb at jimby.name (Jim B.)
Date: Mon, 18 Jun 2012 14:08:07 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To:
References:
Message-ID: <20120618180807.GA99781@jimby.name>

* Josh Rivel [2012-06-15 09:48]:
> So after badgering my manager nonstop about how great OpenBSD with pf
> is, he's letting me do a "bakeoff" of two identical boxes - one will
> be running OpenBSD 5.1 w/pf, and the other a popular commercial
> firewall software.
> I probably will not be starting this project until first week in July,
> but wanted to get some tips (feel free to contact me off list if you
> don't think it's appropriate) of any custom tuning or deployment tips
> and tricks for enterprise wide OpenBSD/pf deployments, management of
> the policies, etc.
> I really want OpenBSD to win :)
> Thanks in advance.
> Josh

My $0.02 -

Congrats that you've got your manager to consider a bakeoff. However, keep in mind that there are other elements to consider for him/her to authorize pf in the enterprise.

A feature set comparison will allow your manager to determine what things are covered / not covered by pf. For instance, pf does not (to my knowledge) perform various forms of "deep packet inspection" (DPI), also known as "Layer 7" inspection. Spend some time researching the feature set of your current firewall and compare how pf does/does not handle each feature.
Ask yourself how the things that are not covered by pf will get handled.

Another consideration is support. pf, just like any other product will need support. In fact, some companies prohibit kit from being deployed unless there is a support contract. Look to identify what organization will support pf and try to determine what a support contract will include and how much it will cost. Support contracts usually specify Service Level Agreements (SLA) definitions and timeframes so be sure to identify all SLA requirements from your company and if your support organization can meet all of them.

Training is another issue that will undoubtedly arise. Sure, you are the local pf guru right now. That's fine. But try to look at this from your manager's perspective. He/she needs to ensure that pf knowledge and training is available from the support organization. How much will training cost? Is training available on-site, or remote? How many people will need such training? All these are important considerations for your manager's budget.

In summary, try to think more from a business perspective. pf will succeed on technical merits (in most cases). Your job is to ensure that both the technical *and business elements* are covered, not just the technical.

Good luck!

Jim B.

From billtotman at billtotman.com Mon Jun 18 14:19:53 2012
From: billtotman at billtotman.com (Bill Totman)
Date: Mon, 18 Jun 2012 14:19:53 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To: <20120618180807.GA99781@jimby.name>
References: <20120618180807.GA99781@jimby.name>
Message-ID:

On Mon, Jun 18, 2012 at 2:08 PM, Jim B. wrote:
> * Josh Rivel [2012-06-15 09:48]:
>
> Another consideration is support. pf, just like any other product
> will need support. In fact, some companies prohibit kit from being
> deployed unless there is a support contract. Look to identify what
> organization will support pf and try to determine what a support
> contract will include and how much it will cost. Support contracts
> usually specify Service Level Agreements (SLA) definitions and timeframes
> so be sure to identify all SLA requirements from your company and if
> your support organization can meet all of them.
>

Another thing to consider is your own skill (and training others therein) at troubleshooting pf: firewalls are usually guilty until proven innocent when it comes to hiccups in the network/Internet access.

-bt

From josh at rivels.org Tue Jun 19 09:30:18 2012
From: josh at rivels.org (Josh Rivel)
Date: Tue, 19 Jun 2012 09:30:18 -0400
Subject: [nycbug-talk] OpenBSD pf "bakeoff"
In-Reply-To:
References: <20120618180807.GA99781@jimby.name>
Message-ID:

On Mon, Jun 18, 2012 at 2:19 PM, Bill Totman wrote:
> On Mon, Jun 18, 2012 at 2:08 PM, Jim B. wrote:
>> * Josh Rivel [2012-06-15 09:48]:
>
>
>
>>
>> Another consideration is support. pf, just like any other product
>> will need support. In fact, some companies prohibit kit from being
>> deployed unless there is a support contract. Look to identify what
>> organization will support pf and try to determine what a support
>> contract will include and how much it will cost. Support contracts
>> usually specify Service Level Agreements (SLA) definitions and timeframes
>> so be sure to identify all SLA requirements from your company and if
>> your support organization can meet all of them.
>>
>
>
>
> Another thing to consider is your own skill (and training others
> therein) at troubleshooting pf: firewalls are usually guilty until
> proven innocent when it comes to hiccups in the network/Internet
> access.
>
> -bt

Yep, this is true, and the firewalls here are blamed for just about everything, even if they aren't in the path of the machines in question....

Good point, and well taken, thanks.
Josh

From mark.saad at ymail.com Thu Jun 21 15:20:09 2012
From: mark.saad at ymail.com (Mark Saad)
Date: Thu, 21 Jun 2012 15:20:09 -0400
Subject: [nycbug-talk] pcs issues
Message-ID:

All
I was testing out some of the examples from the pcs talk last month, and I am running into some errors. I wanted to see if anyone could shed some light on this.

Here is what I did

root at nymirror1:/usr/local/share/examples/pcs # python ddos_analyze.py -f /usr/local/pcap-logs/26-nybweb1.pcap -m 25 -s 255.255.255.0 -n 10.12.13.0
Traceback (most recent call last):
  File "ddos_analyze.py", line 105, in
    main()
  File "ddos_analyze.py", line 87, in main
    if (ip.src & mask) != network:
  File "/usr/local/lib/python2.7/site-packages/pcs/__init__.py", line 1061, in __getattribute__
    return object.__getattribute__(self, name)
AttributeError: 'arp' object has no attribute 'src'

I am using python 2.7.3, I had the same results with 2.6.6, on FreeBSD 9-STABLE amd64 .

The pcap file was created this way

tcpdump -i igb1 -s 1500 -w /usr/local/pcap-logs/26-nybweb1.pcap

I am using py-pcs 0.6 I also tried 0.7 and had the same results. What am I doing wrong here ?

--
Mark Saad | mark.saad at ymail.com

From nikolai at fetissov.org Thu Jun 21 15:36:24 2012
From: nikolai at fetissov.org (Nikolai Fetissov)
Date: Thu, 21 Jun 2012 15:36:24 -0400
Subject: [nycbug-talk] pcs issues
In-Reply-To:
References:
Message-ID: <252fa51bcfec82c192d5c81c06e31091.squirrel@www.geekisp.com>

> All
> I was testing out some of the examples from the pcs talk last month,
> and I am running into some errors. I wanted to see if anyone could
> shed some light on this.
>
> Here is what I did
>
>
> root at nymirror1:/usr/local/share/examples/pcs # python ddos_analyze.py
> -f /usr/local/pcap-logs/26-nybweb1.pcap -m 25 -s 255.255.255.0 -n
> 10.12.13.0
> Traceback (most recent call last):
>   File "ddos_analyze.py", line 105, in
>     main()
>   File "ddos_analyze.py", line 87, in main
>     if (ip.src & mask) != network:
>   File "/usr/local/lib/python2.7/site-packages/pcs/__init__.py", line
> 1061, in __getattribute__
>     return object.__getattribute__(self, name)
> AttributeError: 'arp' object has no attribute 'src'
>
>
> I am using python 2.7.3, I had the same results with 2.6.6, on
> FreeBSD 9-STABLE amd64 .
>
>
> The pcap file was created this way
>
> tcpdump -i igb1 -s 1500 -w /usr/local/pcap-logs/26-nybweb1.pcap
>

Restrict the capture with "proto ip"?

--
Nikolai

From gnn at neville-neil.com Thu Jun 21 16:10:15 2012
From: gnn at neville-neil.com (George Neville-Neil)
Date: Thu, 21 Jun 2012 16:10:15 -0400
Subject: [nycbug-talk] pcs issues
In-Reply-To: <252fa51bcfec82c192d5c81c06e31091.squirrel@www.geekisp.com>
References: <252fa51bcfec82c192d5c81c06e31091.squirrel@www.geekisp.com>
Message-ID:

On Jun 21, 2012, at 15:36 , Nikolai Fetissov wrote:

>> All
>> I was testing out some of the examples from the pcs talk last month,
>> and I am running into some errors. I wanted to see if anyone could
>> shed some light on this.
>>
>> Here is what I did
>>
>>
>> root at nymirror1:/usr/local/share/examples/pcs # python ddos_analyze.py
>> -f /usr/local/pcap-logs/26-nybweb1.pcap -m 25 -s 255.255.255.0 -n
>> 10.12.13.0
>> Traceback (most recent call last):
>>   File "ddos_analyze.py", line 105, in
>>     main()
>>   File "ddos_analyze.py", line 87, in main
>>     if (ip.src & mask) != network:
>>   File "/usr/local/lib/python2.7/site-packages/pcs/__init__.py", line
>> 1061, in __getattribute__
>>     return object.__getattribute__(self, name)
>> AttributeError: 'arp' object has no attribute 'src'
>>
>>
>> I am using python 2.7.3, I had the same results with 2.6.6, on
>> FreeBSD 9-STABLE amd64 .
>>
>>
>> The pcap file was created this way
>>
>> tcpdump -i igb1 -s 1500 -w /usr/local/pcap-logs/26-nybweb1.pcap
>>
>
> Restrict the capture with "proto ip"?

Yup, that works, or you can hack the code to ignore anything not ip:

if type(packet.data) != ipv4:
        continue

Since these are all objects you can do object type comparisons.

Best,
George

From mark.saad at ymail.com Thu Jun 21 17:32:19 2012
From: mark.saad at ymail.com (Mark Saad)
Date: Thu, 21 Jun 2012 17:32:19 -0400
Subject: [nycbug-talk] pcs issues
In-Reply-To:
References: <252fa51bcfec82c192d5c81c06e31091.squirrel@www.geekisp.com>
Message-ID:

On Thu, Jun 21, 2012 at 5:29 PM, Mark Saad wrote:
> On Thu, Jun 21, 2012 at 4:10 PM, George Neville-Neil
> wrote:
>>
>> On Jun 21, 2012, at 15:36 , Nikolai Fetissov wrote:
>>
>>>> All
>>>> I was testing out some of the examples from the pcs talk last month,
>>>> and I am running into some errors. I wanted to see if anyone could
>>>> shed some light on this.
>>>>
>>>> Here is what I did
>>>>
>>>>
>>>> root at nymirror1:/usr/local/share/examples/pcs # python ddos_analyze.py
>>>> -f /usr/local/pcap-logs/26-nybweb1.pcap -m 25 -s 255.255.255.0 -n
>>>> 10.12.13.0
>>>> Traceback (most recent call last):
>>>>   File "ddos_analyze.py", line 105, in
>>>>     main()
>>>>   File "ddos_analyze.py", line 87, in main
>>>>     if (ip.src & mask) != network:
>>>>   File "/usr/local/lib/python2.7/site-packages/pcs/__init__.py", line
>>>> 1061, in __getattribute__
>>>>     return object.__getattribute__(self, name)
>>>> AttributeError: 'arp' object has no attribute 'src'
>>>>
>>>>
>>>> I am using python 2.7.3, I had the same results with 2.6.6, on
>>>> FreeBSD 9-STABLE amd64 .
>>>>
>>>>
>>>> The pcap file was created this way
>>>>
>>>> tcpdump -i igb1 -s 1500 -w /usr/local/pcap-logs/26-nybweb1.pcap
>>>>
>>>
>>> Restrict the capture with "proto ip"?
>>
>> Yup, that works, or you can hack the code to ignore anything not ip:
>>
>> if type(packet.data) != ipv4:
>>         continue
>>
>> Since these are all objects you can do object type comparisons.
>>
>> Best,
>> George
>>
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk
>
> That worked george, also it appears that the script bombs out if you
> tell it to show you the top N hosts in a pcap if there are only hosts in the pcap file. That was part of my issue.
>
>
>
>
> --
> mark saad | nonesuch at longcount.org

That worked George, also it appears that the script bombs out if you tell it to show you the top N hosts in a pcap if there are only

References: <252fa51bcfec82c192d5c81c06e31091.squirrel@www.geekisp.com>
Message-ID: <0029ECB4-3A11-40C6-BAA6-C88E6DA3AA92@neville-neil.com>

On Jun 21, 2012, at 17:29 , Mark Saad wrote:

> That worked george, also it appears that the script bombs out if you
> tell it to show you the top N hosts in a pcap if there are only hosts in the pcap file. That was part of my issue.

OK. BTW There is a bug tracker on the sf site, and anyone is welcome to shoot me patches as they come up.
Best,
George

From bonsaime at gmail.com Thu Jun 21 19:30:23 2012
From: bonsaime at gmail.com (Jesse Callaway)
Date: Thu, 21 Jun 2012 18:30:23 -0500
Subject: [nycbug-talk] pcs issues
In-Reply-To:
References: <252fa51bcfec82c192d5c81c06e31091.squirrel@www.geekisp.com>
Message-ID:

On Jun 21, 2012 5:33 PM, "Mark Saad" wrote:
>
> On Thu, Jun 21, 2012 at 5:29 PM, Mark Saad wrote:
> > On Thu, Jun 21, 2012 at 4:10 PM, George Neville-Neil
> > wrote:
> >>
> >> On Jun 21, 2012, at 15:36 , Nikolai Fetissov wrote:
> >>
> >>>> All
> >>>> I was testing out some of the examples from the pcs talk last month,
> >>>> and I am running into some errors. I wanted to see if anyone could
> >>>> shed some light on this.
> >>>>
> >>>> Here is what I did
> >>>>
> >>>>
> >>>> root at nymirror1:/usr/local/share/examples/pcs # python ddos_analyze.py
> >>>> -f /usr/local/pcap-logs/26-nybweb1.pcap -m 25 -s 255.255.255.0 -n
> >>>> 10.12.13.0
> >>>> Traceback (most recent call last):
> >>>>   File "ddos_analyze.py", line 105, in
> >>>>     main()
> >>>>   File "ddos_analyze.py", line 87, in main
> >>>>     if (ip.src & mask) != network:
> >>>>   File "/usr/local/lib/python2.7/site-packages/pcs/__init__.py", line
> >>>> 1061, in __getattribute__
> >>>>     return object.__getattribute__(self, name)
> >>>> AttributeError: 'arp' object has no attribute 'src'
> >>>>
> >>>>
> >>>> I am using python 2.7.3, I had the same results with 2.6.6, on
> >>>> FreeBSD 9-STABLE amd64 .
> >>>>
> >>>>
> >>>> The pcap file was created this way
> >>>>
> >>>> tcpdump -i igb1 -s 1500 -w /usr/local/pcap-logs/26-nybweb1.pcap
> >>>>
> >>>
> >>> Restrict the capture with "proto ip"?
> >>
> >> Yup, that works, or you can hack the code to ignore anything not ip:
> >>
> >> if type(packet.data) != ipv4:
> >>         continue
> >>
> >> Since these are all objects you can do object type comparisons.
> >>
> >> Best,
> >> George
> >>
> >> _______________________________________________
> >> talk mailing list
> >> talk at lists.nycbug.org
> >> http://lists.nycbug.org/mailman/listinfo/talk
> >
> > That worked george, also it appears that the script bombs out if you
> > tell it to show you the top N hosts in a pcap if there are only
> hosts in the pcap file. That was part of my issue.
> >
> >
> >
> >
> > --
> > mark saad | nonesuch at longcount.org
>
>
>
> That worked George, also it appears that the script bombs out if you
> tell it to show you the top N hosts in a pcap if there are only hosts in the pcap file. That was part of my issue.
>
> --
>
> Mark Saad | mark.saad at ymail.com
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

Glad it worked out! Just wanted to put in my favorite snaplen option. Setting it to -s0 is my favorite both because it's shorter to type and it grabs the whole frame no matter what.

From ike at blackskyresearch.net Wed Jun 27 11:08:46 2012
From: ike at blackskyresearch.net (Isaac Levy)
Date: Wed, 27 Jun 2012 11:08:46 -0400
Subject: [nycbug-talk] ZFS on Linux (?)
Message-ID: <1340809743-9400475.24055827.fq5RF8k5w021351@rs139.luxsci.com>

Hi All,

Perhaps of interest:

Of all the Linux distributions, ZFS lighting on Ubuntu?

http://www.phoronix.com/scan.php?page=article&item=linux_zfs_june2012&num=1

Hrm?

Best,
.ike
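
Added example for the "pcs issues" thread above; it is not part of any message and is not code from pcs or ddos_analyze.py. Using only the Python standard library, it reads a classic pcap image, skips frames that are not IPv4 (such as the ARP frame behind the AttributeError) before applying the (src & mask) != network test, and returns a shorter list rather than failing when fewer hosts exist than the requested top N. All function names and the sample capture are constructed for illustration.

```python
# Added example: standard library only; not pcs and not ddos_analyze.py.
import socket
import struct
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


def iter_frames(pcap_bytes):
    """Yield link-layer frames from a classic little-endian pcap image."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    offset = 24  # pcap global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<I", pcap_bytes, offset + 8)[0]
        offset += 16  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def top_sources(pcap_bytes, network, mask, top_n):
    """Return (up to top_n (addr, count) pairs for IPv4 sources outside
    network/mask, number of frames skipped as non-IPv4 or too short)."""
    net = struct.unpack("!I", socket.inet_aton(network))[0]
    msk = struct.unpack("!I", socket.inet_aton(mask))[0]
    counts, skipped = Counter(), 0
    for frame in iter_frames(pcap_bytes):
        # 14-byte Ethernet header plus a minimal 20-byte IPv4 header.
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            skipped += 1  # ARP and friends have no IPv4 source field
            continue
        src = struct.unpack_from("!I", frame, 14 + 12)[0]
        if (src & msk) != net:
            counts[socket.inet_ntoa(struct.pack("!I", src))] += 1
    # most_common() returns fewer rows when fewer hosts exist; no IndexError.
    return counts.most_common(top_n), skipped


def _eth(ethertype, payload):
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload


def _ipv4(src, dst):
    # Minimal header, checksum left zero: constructed test data only.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_sample_pcap():
    """Constructed capture: one ARP frame and four IPv4 frames."""
    frames = [
        _eth(ETHERTYPE_ARP, b"\x00" * 28),
        _eth(ETHERTYPE_IPV4, _ipv4("198.51.100.7", "10.12.13.5")),
        _eth(ETHERTYPE_IPV4, _ipv4("203.0.113.9", "10.12.13.5")),
        _eth(ETHERTYPE_IPV4, _ipv4("198.51.100.7", "10.12.13.5")),
        _eth(ETHERTYPE_IPV4, _ipv4("10.12.13.20", "10.12.13.5")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    print(top_sources(build_sample_pcap(), "10.12.13.0", "255.255.255.0", 10))
```

The skipped count is returned so that a capture dominated by non-IPv4 traffic is visible in the result instead of being silently ignored.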