Enterprise Unix Roundup: Parsing the Numbers Page 2

By Amy Newman (Send Email)
Posted Feb 24, 2006



In Other News

» A new DHCP client is being planned for the 2.6.17 Linux kernel. With this release, the DHCP client, which obtains dynamically assigned IP addresses for the host, will automatically recognize when a Linux machine has lost its connection to a particular DHCP server and will look for a new one.

The 2.6.17 kernel will be particularly accommodating to this feature, as it contains technology that will make it inherently easier to deal with disconnection/reconnection events, which are common for notebook users traveling between networks or roaming hotspots and WLANs. Current DHCP clients on Linux do not recognize such temporary disconnections.

» It's official: GNOME 2.14 is scheduled to hit the shelves March 15. The release will boast new features, more polish, and bolstered performance. The GNOME Project has the specifics.

» We're not sure exactly what IBM has up its sleeve, but its latest subpoena was interesting enough to jolt us out of a SCO-related stupor.

The discovery phase deepened in the SCO v. IBM trial this week, with IBM demanding every communication between SCO and Microsoft, Sun, Hewlett Packard, and Baystar Capital (quick refresher: that's the investment company initially funding the IP campaign) dating back to McBride's ascent.

Big Blue is specifically on the hunt for communication related to "claims relating to Allegedly Misused Material" and is seeking e-mail messages, IM chats, and phone logs, as well as details of contracts between SCO and the four subpoenaed companies. IBM also wants to know the details of Microsoft's, HP's, and Sun's Unix licensing agreements, including royalty schedules.

This is not a fishing expedition but rather a quest for a needle in a haystack. At the heart of IBM's search is communication between Microsoft CEO Steve Ballmer and McBride discussing SCO's rights to the Unix operating system.

The Register reports, and our ears are certainly perked.

» It's been a tough week for Mac fans. On the heels of last week's point release, Mac OS X 10.4.5 was privy to three new worms, one of which was deemed "extremely critical" by Secunia. The security firm claims it is the result of a flaw in how OS X 10.4.5 handles file association metadata found in ZIP archives. Arbitrary commands could potentially be executed automatically via Apple's Safari Web browser from a malicious site.

Some in the Mac community are more concerned than others. If the hyperbolic nature of some reports is making your head spin, we recommend giving this blog entry at least a skim.

As of Thursday afternoon, however, the vulnerability remained unpatched.

Elsewhere in the Corral

Recent relevant articles about enterprise Unix

  • If you've ever experienced the joy of rebooting a multi-homed Linux server, only to have the network interface come up in a different order with different names assigned by the kernel, then Enterprise Networking Planet's tutorial on how to Nail Down Network Interface Names with ifrename may solve your perplexity.

  • Weighing Linux desktop options? Linux Planet takes Xandros Desktop OS 3.0.2 out for a spin.

  • No longer going the way of the dinosaur, mainframes have found a solid and growing niche. This week's Hardware Today column on ServerWatch looks at what their future holds.

Tips of the Trade

Admins looking for a strong packet-filtering firewall should give pf a try. pf runs on FreeBSD, OpenBSD, and NetBSD. All three of the BSDs are known for stability, reliability, and easy system maintenance, and any of them makes a solid, highly configurable firewall/gateway system.

If you're familiar with netfilter/iptables, pf will be easy to pick up. It has features not found in iptables, like built-in methods for vexing both spammers and brute-force login attacks. pf's configuration files are clean and well-organized, and have not yet fallen victim to the iptables affliction of differing implementations. /etc/pf.conf is the main configuration file, and it contains these sections:

#############################################
# macro definitions

#############################################
# options: "set"

#############################################
# scrub rules: "scrub"

#############################################
# NAT rules: "rdr", "nat", "binat"

#############################################
# filtering rules: "antispoof", "block", "pass"

Not all sections are required, but those present must follow this order, because the later sections rely on the previous ones.

pf comes with optimization options, so you can tailor your firewall for best performance:

default
normal: same as default
high-latency: satellite and other high-latency links
satellite: same as high-latency
aggressive: idle connections are expired earlier, to use less memory and CPU cycles
conservative: greater reliability, with possible increased memory usage and CPU cycles

These options probably won't make much difference on an ordinary business connection, but very busy or satellite connections will perform noticeably better.

pf's spammer-vexer is fun and effective. It operates from two tables: a whitelist and a blacklist. Create your own whitelist, to make sure wanted mail gets through, and use whatever blacklist you favor. Then use a ruleset like this:

# <blacklist> and <whitelist> are placeholder table names; use the names
# your spam-deferral daemon expects. <blacklist> is filled by that daemon,
# <whitelist> is loaded from the file you maintain.
table <blacklist> persist
table <whitelist> persist file "/var/mail/whitelist.txt"
# blacklisted and not-yet-whitelisted senders are redirected to the
# tarpit daemon; 8025 is spamd's default listening port, so the real MTA
# on port 25 only ever sees whitelisted senders
rdr pass on $wan_if inet proto tcp from <blacklist> to \
    { $wan_if, $lan_if:network } port smtp -> 127.0.0.1 port 8025
rdr pass on $wan_if inet proto tcp from ! <whitelist> to \
    { $wan_if, $lan_if:network } port smtp -> 127.0.0.1 port 8025

This sends whitelisted mail directly to port 25, or whatever port is preferred. Blacklisted mail is processed in a mode that handles SMTP traffic one byte at a time. This acts like a tarpit, holding the connection open for as long as possible, which delays the offending sender from delivering more of its spew. A poorly configured server can be held up for hours, with a significant cost in terms of bandwidth and system resources.
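The following is an added example, not a ruleset from the column or from the pf project, that puts the pieces above together into one complete /etc/pf.conf: the sections in the order pf requires, a "set optimization" line from the list of tuning options, the spam tarpit redirection, and a minimal default-deny filter. Interface names (fxp0, fxp1), the internal network, the table names <blacklist> and <whitelist>, and the whitelist file path are assumptions made for illustration; 8025 is spamd's default listening port. Check it with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf".

```pf
#############################################
# macro definitions
wan_if = "fxp0"               # assumed external interface
lan_if = "fxp1"               # assumed internal interface
lan_net = "192.168.1.0/24"    # assumed internal network
tcp_services = "{ ssh, smtp, http, https }"

# tables sit between macros and options; <blacklist> is filled by the
# tarpit daemon, <whitelist> is loaded from a file you maintain
table <blacklist> persist
table <whitelist> persist file "/var/mail/whitelist.txt"

#############################################
# options: "set"
set optimization normal       # or high-latency, aggressive, conservative
set block-policy drop         # silently drop what is blocked below
set skip on lo0               # never filter the loopback interface

#############################################
# scrub rules: "scrub"
scrub in all                  # reassemble fragments, normalize packets

#############################################
# NAT rules: "rdr", "nat", "binat"
nat on $wan_if from $lan_net to any -> ($wan_if)

# blacklisted senders and senders not yet whitelisted go to the tarpit on
# port 8025; whitelisted senders fall through to the real MTA on port 25
rdr pass on $wan_if inet proto tcp from <blacklist> to \
    { $wan_if, $lan_if:network } port smtp -> 127.0.0.1 port 8025
rdr pass on $wan_if inet proto tcp from ! <whitelist> to \
    { $wan_if, $lan_if:network } port smtp -> 127.0.0.1 port 8025

#############################################
# filtering rules: "antispoof", "block", "pass"
antispoof quick for { lo0 $wan_if $lan_if }
block in log all              # default deny inbound, log what is dropped
pass out keep state           # allow outbound, track the state
pass in on $lan_if from $lan_net to any keep state
# only the listed services are reachable from the outside; smtp is here so
# whitelisted senders reach the MTA, everyone else was already redirected
pass in on $wan_if inet proto tcp from any to ($wan_if) port $tcp_services \
    flags S/SA keep state
```

Because rdr rules are evaluated before the filter rules, a sender that matches neither redirection (that is, one listed in <whitelist>) reaches the MTA through the final pass rule, which is what gives whitelisted mail its direct path to port 25.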

pf comes with all the BSDs. Firewalling with OpenBSD's PF packet filter is an excellent introduction.

Carla Schroder writes the Tips of the Trade section of Enterprise Unix Roundup. She also appears on Enterprise Networking Planet and Linux Planet, covering Linux from the desktop to the server room. She is the author of the Linux Cookbook and the upcoming "Linux Networking Cookbook."
