Paving the way for .NET in Tonga
Rolled out my first load-balanced service today and OpenBSD just makes the whole thing so much simpler. I wanted to spread the load of sending/receiving email between two Mail Servers (MX) primarily so if either machine fails, the service is not disrupted and I have time to ‘fix’ or replace the broken machine.
Due to compliance requirements to ‘eliminate’ Single Points of Failure I’m required to put up warm backups or services for most of our company servers.
Having a ‘warm’ backup server (that sits around powered on, doing nothing but waiting to be pushed into production) is such a waste of resources, so we wanted to put anything that’s a backup into ‘live’ systems.
There are many advantages to having a live failover instead of a warm backup, and suffice it to say OpenBSD gives us different ‘simple’ to configure options. Two solutions released ‘out-of-the-box’ with the base OS are:
We use CARP on our firewalls, which essentially means that you have two machines set up to handle the work of a single machine. In a firewall situation, CARP provides instant failover from one host to the other in the event one of the machines fails.
For example, machine 1 as MASTER handles all traffic but also pushes needed information to machine 2 so that if machine 1 blows up, the backup machine #2 can take over the work without any users noticing the change.
CARP allows multiple servers to share the same ‘face’/IP so external hosts see only one machine although 2 or more machines may be behind the CARP configuration.
Major/Minor requirement: All hosts support CARP.
relayd takes advantage of OpenBSD’s firewall facilities so the firewall can act as a gateway between the ‘world’ and your disparate servers.
For example: use relayd in front of 10 web servers, so users always see the same IP.
Nice things about relayd.
Read It, Learn It, Live It, Love It.
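A relayd.conf for the two-MX setup described above, as an added example that is not the configuration from the original post. The addresses (RFC 5737 documentation ranges), macro names and the redirect name are assumptions.

```conf
# /etc/relayd.conf -- constructed example, not the author's configuration.
# pf.conf on the same firewall must contain:  anchor "relayd/*"

ext_addr="203.0.113.25"   # assumed public address the MX record resolves to
mx1="192.0.2.11"          # assumed first mail server
mx2="192.0.2.12"          # assumed second mail server

interval 10               # seconds between health checks
timeout 2000              # milliseconds before a check counts as failed

table <mailhosts> { $mx1 $mx2 }

# A redirect is implemented as pf rdr-to rules (layer 3), so the mail
# servers still see the real client address. That matters for SMTP:
# relay restrictions, DNSBL lookups and SPF checks all key on the
# connecting IP. A layer 7 "relay" would terminate the connection on the
# firewall and the backends would see only the firewall's address.
redirect "mx_in" {
        listen on $ext_addr port 25

        # "check tcp" only proves the port accepts a connection, so a hung
        # mail daemon can stay in rotation. Waiting for the SMTP greeting
        # takes a host out of the table when it stops answering properly.
        forward to <mailhosts> check send nothing expect "220 *"
}
```

`relayd -n` parses the file without starting the daemon, and `relayctl show summary` lists each host's current up/down state once it is running.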
Can’t leave things alone, and have to piece together a little disinformation of my own.
US needs 'digital warfare force'
The US has set up specialised detachments dealing with IT problems
The head of America's National Security Agency says that America needs to build a digital warfare force for the future, according to reports.
Lt Gen Keith Alexander, who also heads the Pentagon's new Cyber Command, outlined his views in a report for the House Armed Services subcommittee.
In it, he stated that the US needed to reorganise its offensive and defensive cyber operations.
So, the land of the brave and the dead buffaloes, that have openly broken all forms of international law through kidnapping individuals, revoking life, liberty and the pursuit of anything to various groups and individuals in pursuit of “the American Way” is going to expect you and me to believe that all those spy satellites and telecommunication eavesdropping services do not already put them well ahead of everybody else on invading not only their own citizens’ privacy but everyone else’s?
Please, …
The worrying problem is the apathy for the real loss of your privacy.
People didn’t move to encrypting their email when they all knew that the US was eavesdropping, now we have people’s whole lives on the Internet being assessed and reviewed by the US machine. They’ve been tapping Australian international phone traffic since Woomera, and who knows whether the Australian Government is turning a co-operative blind eye for spying on Australian citizens’ internal communications.
I wonder what will finally take us over the edge for end-to-end encrypted communications (e.g. email, phone, web browsing, et al.)
Encrypting your email is so easy these days, but it’s really hard to communicate in an encrypted manner because people find it too ‘difficult’ to use the additional tools to provide this encryption.
Woo hoo, built my first box in aeons.
Been playing with various bits and pieces at work trying to piece together at least another functional box. Sometime later we decided that we needed a new box and we would look at reusing as many components from the trash pile I was playing with.
Unfortunately, bits and pieces of the trash pile were working, but together there was no ensemble. We decided to get new bits for the parts that looked like they were dead and yesterday was my turn to put the bits together (and pray I don’t fry anything.)
I think the last time I actually had to put a box together from scratch was back in 1998? As I recall we had a bum machine at QSC and had to get the motherboard from Australia(?) Ever since then I’ve basically had some under my wings that I told to read the Taiwanese documentation and cable the box together. Of course that was an experience in itself in finding ports not working because they just weren’t wired up.
Anyhow, a relative newbie and not wanting to ever open this box again I made sure every loose wire got plugged into something even if there was no likelihood that it would ever get used. Double checked the bits I couldn’t figure out with our resident hardware dude, crossed my fingers and pushed 240v into the machine.
Poof, no-sound, nothing! Woo hooo, go software dude. In the distant past, when computers don’t power up, and you’re somewhat certain that the power supply works fine, pull the PCI boards out and see what happens. So, pulled out a few boards and voila machine sings beautifully.
That wasn’t too bad, now was it?