12-Oct-2002 (Sat)
Wherein the disasterous computer saga continues.

Making fun of some hair-splitting from one of the promoters, tonight the staff has been joking over the radios, ``Hey, is the house music getting deeper? Over.''

But I think really it's just that the people are getting shallower.

So, computer hell continues: the ever-generous Mal has been spending days here sweating out half his weight in fluids while tinkering with my firewall, and has determined that what's going on is that the state table in the firewall keeps filling up, causing no end of trouble. And since I'm running OpenBSD 2.8 with ipf, there's no way to increase the size of that table without rebuilding the kernel. (Ease of configurability being a sign of weakness to these people.) And rebuilding/upgrading the kernel is a sketchy proposition since that release of the OS has been disavowed for quite some time. Those of you who have been following along for a while may recall that the thing that made me switch from Linux to OpenBSD for the firewall in the first place was the pathetic state of affairs in the Linux world with respect to networking: basically, the motto of that group seemed to be, ``your security is our learning experience!'' Every release of Linux came with a rewritten-from-scratch firewall system, with incompatible config files: so every time you upgraded, you got to rewrite your rules. YAY. So I switched to OpenBSD, because they weren't playing those games, and generally seemed to take the whole thing more seriously.

So what happens? Six months after I start using OpenBSD (the OS whose motto is now `` 0  days without an on-site injury'') , some ego battle or other caused Theo to switch to a new, incompatible firewall package. YAY.

So maybe next I'll switch to FreeBSD or something, since apparently they still use ipf. (Hey, so does MacOS X...)

Oh, but it gets better.

The other end of the club's T1 circuit is in above.net in San Jose, and I just found out that above.net is closing the facility we're in at the end of the month. So, if I don't find a way to get a new T1 by November 1st, we're totally offline. Dead in the water. My understanding is that it's impossible to get a T1 that quickly, and so, we're totally fucked. It's made even worse by the fact that we have our current T1 with XO, who went bankrupt several months ago, which means there are probably like five people total still working there. This is a state of affairs that tends to not make a company be terribly responsive.

It may be -- and this is truly frightening -- that our best hope may be to find a way to get a line-of-sight wireless link to our ISP's colo facility downtown. And since there probably tall buildings in the way, we'd end up bouncing off of Twin Peaks or something.

But more likely, we're just totally screwed and will be offline for a month or more. YAY.

Good lord, someone just came in wearing a giant glitter clown afro wig. I remain amazed by the depths to which this club sinks.

7 Responses:

  1. ioerror says:

    FreeBSD has a great firewalling system, if you want to use bsd to do something I would reccomend it.

    However I don't really see the problem with linux and the 2.4.x series.
    If you want to have a firewall up and running with linux in about 30 minutes you can just use shorewall. Really easy to configure and it is highly extensive, proxy arp, portforwarding, SNAT, DNAT, traffic shaping, reg ex support (I haven't used this but I hear its possible) and all sorts of stuff.

    Also: I heard through the grapevine that OpenBSD has a remote root holes in its tcp stack (but who the fuck am i?).

    • jwz says:

      However I don't really see the problem with linux and the 2.4.x series.

      The problem is, after they made me rewrite my rules for the third time, I said "fuck this, never again."

      • ioerror says:

        What about the kernel option that allows for ipmasqadmin/ipchains compatibility?
        I haven't used them but I assume that would allow you to use your old rulesets with the "new" netfilter.

        Have you tried that?

        If you have to rewrite them again (for freebsd or your other choices) why not just use a cisco router?

        I mean it's time or money right?

        It all relates back to your quote of "Linux is only free if your time is worth nothing."

    • evan says:

      I second the shorewall recommendation. You write your firewall terms in a higher-level config file and it handles the details.

  2. el_olvidado says:

    sadly i think i know the guy with the glitter afro wig. was the wig orange?
    the colo i work at is located at 555 Howard St...i don't know exactly united layer is but maybe we can help.

  3. moof says:

    Use `ipf -Fs` to flush the state table. `ipf -Fa` might also help. You may also wish to restart ipf with something along the lines of `ifconfig fxp1 down; ipf -D; ipf -E; ipf -Fa -f /etc/ipf.conf; ifconfig fxp1` (assuming fxp1 is your outside interface.)

    Alternately, with the source tree you have around, you can modify sys/netinet/ip_state.h (assuming OpenBSD hasn't buggered up the includes) IPSTATE_SIZE and IPSTATE_MAX to be larger. (Note that they have both be prime numbers, or else the hashing tables get hosed.)

    • kfringe says:

      Unfortunately, 'ipf -Fs' won't cut it. He's dealing with an overload of established connections, so he'd need to give it an 'ipf -FS'. That would also manage to roach the state he actually has, triggering alarms, etc., and generally causing hair loss.

      The good news, though, is that Darren made a concession to user friendliness by letting you define those variables instead of making you edit the source. Wheee!

      Of course, that still means compiling on a wheezing pentium of uncertain lineage because of some silly religious objection making this another sysctl knob. Fortunately, there are beefier net and freebsd machines available.