Comments on TaoSecurity Blog: Dangers of Tracking FreeBSD STABLE
Blog author: Richard Bejtlich (13 comments, feed last updated 2023-10-16T06:06:25-04:00)

Anonymous, 2006-02-03T10:08:00-05:00

Out of curiosity, what do you think about using FreeBSD vs. OpenBSD? I've been interested in looking at BSD as an alternative (especially to learn pf, which I understand is superior to iptables). As a longtime Linux user, I'm told that FreeBSD would be the OS to try. As a security professional, OpenBSD does seem to have a great track record. Obviously you use FreeBSD, and as you are one of my most respected mentors in InfoSec (Marcus Ranum also comes to mind), I'm just curious as to why you use that over OpenBSD.

Richard Bejtlich, 2006-02-03T11:54:00-05:00

Hi Chris,

It depends on your needs. As a general-purpose server with a huge array of applications in the ports tree (14,000+), I like FreeBSD. For a single-purpose system with a high level of Internet exposure or responsibility (like a firewall), I like OpenBSD. The good news is that trying both costs zero money.

Anonymous (greg), 2006-02-03T12:21:00-05:00

Having had my 1st exposure to PF through OpenBSD, I migrated over to FreeBSD once it became a standard part of the system as of 5.x.

FBSD and the ports system make it a lot easier to maintain than OBSD.

I've deployed into production use both on custom systems for clients and as part of self-contained solutions using PFSense.

Regardless of platform, PF is a joy to work on and maintain compared to iptables.

greg

Joao Barros, 2006-02-03T13:35:00-05:00

Richard, better not having the kernel compile than not booting or deadlocks ;)

For a generic server/router I would choose FreeBSD over OpenBSD, or in Chris's case, where you'll find FreeBSD a more welcoming environment for first-time users.

I agree with greg, pf is way more friendly than iptables.
One thing I miss from iptables: a p2p module where you can discard or tag packets. Imagine ALTQ on it ;)

Richard Bejtlich, 2006-02-03T13:37:00-05:00

I didn't mention that at one point I couldn't get the kernel to boot... I had to recover from that as well!

Anonymous (Pat), 2006-02-03T13:50:00-05:00

"Most of my hardware is really old and I prefer not to spend a lot of time recompiling from source."

Apparently you don't know the benefits of compiling from source: http://funroll-loops.org/

Pat

Joao Barros, 2006-02-03T14:28:00-05:00

Pat,

I resent the use of the Type-R logo to make fun of someone. What's wrong with my CTR? ;)

http://www.civictype-r.co.uk/gallery.htm

Anonymous, 2006-02-03T16:32:00-05:00

Chris,

I use both FreeBSD and OpenBSD, similar to the way Richard does. For an all-round server, FreeBSD and the various ports tools are great.

I leave firewalling and VPN'ing to my OpenBSD boxes. You can also run snort on them, but you have to do a manual install of snort and any tools you want. However, setting up a bonded interface when using taps is a piece of cake on OpenBSD. FreeBSD is a little more work.

PF rocks btw. So does having a transparent squid proxy and a chrooted bind (caching dns for internal users).

Anonymous (greg), 2006-02-03T17:22:00-05:00

Joao,

I am curious as to why you'd need an external module to packet shape p2p?

I haven't had much difficulty tagging and massaging p2p traffic using ALTQ here.

Joe,

I can recommend adding Ad blocking with Bind (http://pgl.yoyo.org/adservers/formats.php) to your internal dns. Speeds up surfing a lot.

greg

Anonymous, 2006-02-03T17:31:00-05:00

Thanks for the comments. It sounds like FreeBSD is the best way to get started, with OpenBSD something to keep as an option where necessary. Now if I just had more free time...

Joao Barros, 2006-02-03T18:48:00-05:00

greg,
Yes, it's doable, but not dynamic, and when you have such dynamic traffic like P2P you're not shaping/blocking everything.
Take for example ICQ: block the default ICQ ports, start a network capture and you'll see it try to go out through 21, 23, 80, 8080, 3128, etc. Identify it by packet pattern and you'll get it always (depending on protocol).
Of course, as with snort, a realtime packet parser is a cpu hog, and depending on the scenario, mostly pps or bandwidth, this can be very difficult to apply.

Anonymous, 2006-06-19T06:50:00-04:00

You guys need ipp2p from www.ipp2p.org
Sure, it's Loonix not FreeBSD, but it's an easy build, install & config on 2.6.12 or higher kernels.
(ipp2p is a kernel & iptables module that allows you to mark most P2P connections/sessions. It works "a trick" to allow you to mark, classify & ratelimit most modern P2P protocols!)

I've also read of the ng_p2p netgraph module for FreeBSD, but I don't think it's anywhere near as good as ipp2p currently is.

Anonymous, 2006-06-19T06:56:00-04:00

Make that the ng_tag module at http://antigreen.org/vadim/freebsd/ng_tag

ipp2p is (much) less cpu load than you'd think, even with its need for the CONNTRACK modules et al.