- A little network knowledge really does help
One of our clients was having serious problems with installing and getting Microsoft Lync to work. The previous Support organisation spent a couple of months on the problem and gave up, but the user never gave up.
When we took on the contract to provide support, our support technicians could get the accounts to work outside the customer's environment, and only intermittently at the customer's site.
Contents: Web Proxying, Firewalls, Solution.
After working with every possible iteration of installing, uninstalling, configuring the software, using separate desktops, different versions of Windows.
- Aggregating the BSD blogosphere
Another hurdle tumbles
Point your RSS Aggregator to AboutBSD and join the conversation, get some education on what’s happening in the BSD Community, and more. Participate in the broader community. If you have no idea what I just said, then for BSD related information, bookmark AboutBSD as a destination you need to visit on a regular basis.
Another one of those ‘artificial’ hurdles we of the SysAdmin priesthood place between ourselves and the unwashed masses is disappearing slowly, the locked foundry of information secured behind ’leet but arcane(sic) stores such as formal papers, printed books (what’s that?
- BSD Magazine for July is out
BSD Magazine has grown from strength to strength with really well written, edited articles.
This month is dedicated to OpenBSD, whatever dedication means, but in essence you have some nice articles targeting OpenBSD specific installs.
Contents: Floppy Systems, OpenBSD Mail Server.
It’s always good to get more documentation out there, maybe they can work together with the BSD Certification group aggregate where we can push all our documentation so that quality can be raised for everyone (writer and reader.
- Disk Utilisation i386 4.9
Every now and then people ask how they should partition their hard disk; this doesn’t answer that question, but gives some view on how much disk space is used up on a bare system built for compiling OpenBSD from source.
Reference: OpenBSD 4.9 i386, FAQ 5
The following is a summary of disk space used on a bare install built for and after compiling OpenBSD 4.9 i386. No packages installed.
- Enjoying the moments
Sometimes the moments keep adding up
Enjoy it while it lasts.
We’ve got a number of upgrades going on, and since subtle changes are occurring, we have to perform complete tests on these systems (i.e. not the hardware, but our software configurations.)
This week I’m building a tiny lab of six machines to test a roll out of OpenBSD 4.7 on one of our redundant (carp) firewalls. Since rule changes are really a good excuse to revisit how you’ve written your previous version, it is a good time to do a thorough review (test in and out activity etc.
- Ethicacy in Telephone Interview Answers
Aka: Googling during a phone interview
This is tangentially relevant to OpenBSD; you can safely ignore it and your life will not have missed anything. Take the road less travelled.
Contents: Ethics and IT; An example Ethical Dilemma; How many bits in a mac address; In Linux, what is the default signal sent by kill; Of the ps output what is the label D for; Summary.
Ethics and IT: We continue to have some interesting discussions at work about the ethicacy of a lot of things we get around to in IT.
- Filter the Physical Interface
Not that any of you would make such a disastrous error.
But, apparently you need to read documentation, and re-read it every once in a while, just in case you’ve forgotten why you previously made a decision.
Also known as, if you increase your management kung-fu, it may cost you in your technical ‘chops’
[FAQ: Packet Filter](http://www.openbsd.org/faq/pf/filter.html#intro "Introduction")
Packet filtering is the selective passing or blocking of data packets as they pass through a network interface.
- Log Management can be tough
Getting your logging strategy right may not be a choice
For the umpteenth time one of our squid boxes went down due to the logs filling up all available disk space. As we have 3 sites, plus a special client access network, we have FOUR squid boxes that have been problematic for a long time.
The first major problem we had (it just seemed way too slow) was identified after trawling the logs: the problem had always been there, and we needed to fix up the number of available file descriptors.
- Mitigating against Denial of Service
Eventually had to get to the point of explicitly looking at potential denial of service attacks on the firewall.
For now we’ve implemented the following stratagem.
- Meter traffic and define what is abusive behaviour.
- For traffic classified as abusive, put these IP Addresses in a bucket/table.
- Drop any existing states from <abusive> users.
- Block any further connections from that IP Address.
- At a later time, re-open connections from that IP Address.
Your mileage may vary, but since it took almost an hour to figure out how these things work, I’m putting it up here as a pointer to read the manuals with some clearer understanding.
- MX Proxy Extended, using Multiple Instances
I needed to add some more ‘security’ to our mail chain, which required adding more checking on the MX Proxy, which is our host that sits on the Internet ‘proxying’ mail traffic in and out of the organisation.
To improve our security profile, using our preferred Postfix, necessitates incoming mail be processed independently of outgoing mail.
Read more of what we were able to do in MX Proxy Extended, using Multiple Instances.
- Pimp the Learning
Sometimes things are just waay too interesting to way-it
More importantly, maybe I don’t actually know what it is I’m talking about, and some one out there can either learn more from my errors, or learn because of my errors.
This whole publishing process of the OpenBSD notes is still not where it’s supposed to be, but the workflow is cleaning up nicely and in the meantime I am learning quite a few things.
- Postfix smtp_tls_policy_maps fingerprinting
It bothered me enough that I need to record it, and hopefully the path to a solution that others will follow.
(delivery temporarily suspended: Server certificate not verified)
Lesson: Document things properly, especially if it’s something interesting, more so if the technology/thing you’re doing is normally not what you do, and it’s already taken you a long while to get it working properly in the first place.
Mind you, the above may be a difficult task when rushed to get a system out and the only way to confirm the installation is to break it apart and start from scratch.
- Preparation Pays Off - Big time
One of those days, when the disaster you didn’t want barges through the door, but forward planning, preparations and testing get you through the day. Also known as, we and our geeky friends say “Ku-oool,” while the rest of the family say, “uhhh, ok, we’re happy for you.”
We could have had a major disaster (i.e. my day ruined, as opposed to things melting down) which was nicely averted because of (as said before.
- Secret Sauce, OpenBSD, NGinx and PHP
I’ve been struggling with getting nginx and php to be friendly to each other in OpenBSD.
Read all the wonderful accolades for nginx and thought it was time to test the waters when OpenBSD embraced the web server by incorporating it into the Base build.
Successfully deployed html serving nginx, reverse proxy nginx, and now I really really need to get PHP hosting and SSL hosting to work. All the documentation out there says it is sooo simple, but why haven’t I been able to do it in the first 3 tries?
- smtpd_recipient_restrictions
Another case of trying to avoid the inevitable.
spamhaus.org and rfc-ignorant.org are an important part of your overall antispam arsenal. The only problem is that although many of these services are free, you do need to at least:
- SSH: What it takes to get your work done
Michael W Lucas’ book: SSH Mastery: OpenSSH, Putty, Tunnels and Keys.
Good enough that I avoided buying the book, even when it was released with funding support for my favourite Open Source project (OpenBSD with OpenSSH.) Good enough that after receiving a blogger review copy the first thing I did was to hit the corporate buy button to order a legitimate print/e-book copy for my cohort, fellow sysadmins, users. Why?
I was under some insane self delusion that I didn’t want to be bound by the book’s research, so that I can ethically ‘document’ my own stumbles into SSH to share freely with others.
- TLS and Postfix
Upgrading some of our Mail Servers to support TLS (Transport Layer Security) in Postfix and apart from learning how to do it, also learned a key maxim of programmers (readily applicable to system administrators)
DO NOT PRE-OPTIMISE
Wasted two days of my life, with increased anxiety during the install, configuration process because I was trying to be too smart too early.
After a Duhhh moment, I went back to the very beginning of the install process, and did everything as per the known guides (without that little tweak I had preconceived, and the install worked in less than 1 hour)
- Trawling the mail archive redux
Yesterday’s instructions seemed so complete
Got a job ticket this week to trawl through 7 days of email, and pull out incoming mail for 7 mailboxes.
2 hours after set up and ready to trawl, the work was complete (with only 30 minutes of that time being actual work, the rest just hanging around for the computer(s) to do their stuff.
Unfortunately, it was 3 hours before I could get working because I forgot some fundamentals about procmail, that were presumed understood in the original documentation.
- Trawling the mail archives
A cheap archive is only as good as getting back information from that archive.
We built a Mail Archiving solution using a spare VM box, disk space, OpenBSD and Postfix, and Procmail, but it isn’t that useful if all you’re going to do is put it to tape and tell everyone you have the archive.
How do you actually make use of (trawl) the archives and retrieve information from the archive when users have a bad mail day and need to retrieve mail that you have hidden on that tape?
- TRUNKS calling out in Asterisk
Trunk connections from your in house Asterisk box to a service provider seem to be a black art. The instructions available on the ‘NET seem so simple, but why doesn’t it work for us?
What is a trunk? No, it isn’t something used for luggage on boat cruises.
A trunk is a physical path or link in a communications system that is designed to handle many transmissions simultaneously and that interconnects major switching centers or nodes.
- VOIP voice prompts
You have that spanking new PBX, Asterisk based for our environment, and you’ve discovered Voice Mail.
- The Voice Prompt menu is key (*99 on my set up).
- Customised voice message prompts are easy.
- Users can set up their own password.
- Getting that info (Internal WIKI) out is a big win for your team.
There’s still a little manual work with setting up each voicemail box, and configuring voice mail to email.
- Watching over your wall
As networks continue to grow, sometimes against our wishes, sometimes with our full support, it becomes more important to get some overview of how and what is moving across your network(s).
In the beginning, in a land far away, we only had a few machines wired up and life was simple.
Now, most of us have too many machines with an unknown quantity of malware pounding on them (and subsequently on your network.
- Why another road.
When is the road less travelled the better?
We move again to another system for pushing our diatribe to the world?
Why is there need for more options? Some people enter a state of dysfunction when offered too many choices, others are dysfunctional because they crave the novelty and not the functionality.
I’m finding some of these options just more and more fascinating to pursue?
Strange, but these bouts of curiosity tend to be aligned with bouts of sleep deprivation and minor health decline.