Re: Routing between spokes - recent best practices?
On Dec 4, 2007, at 12:14 AM, visc wrote:
> So, my question is this - what are the current best practices for setting up a hub and spoke topology using OpenBSD, allowing for traffic to securely flow from Branch to Branch on occasion without using a full mesh topology. If it's at all possible... (network description below)

At this point IMHO branch-to-branch is avoided not for security reasons but for administrative reasons. It is a pain in the ass to configure each branch to establish a VPN to any other branch. It's easy to tell each branch router: if you want to talk to BRANCHX, talk to CENTRALOFFICE first. If you have more than a handful of branches it is very annoying to tell each router: if you want to talk to BRANCHA, talk to A; if you want to talk to BRANCHB, talk to B; etc.

The primary advantage of the star or branch-to-central topology was the difficulty of someone putting a man-in-the-middle on a leased line. But now leased lines are expensive. VPNs and direct Internet connections are cheap, so it makes much more sense to put in the pain-in-the-ass effort to connect everyone in your Intranet via VPNs/IPSEC and get rid of your leased lines. If you only have enough budget to move a few this year, you analyze which few cross-talk the most, configure them for mesh, and leave the rest as star.

This is not true if you asked an auditor, however. It is much easier to put a network sensor down in a star topology and get most of the network traffic than it is for a mesh network. If you want to be able to buy one device and know for sure that everyone is going through it, you probably need a star topology and a heavy hand on the branch routers.

--
Freedom, truth, love, beauty.
John Rodenbiker
Re: C++ Book
Danny wrote:
> Good Day,
> My apologies if this question has been asked a million times before. I want to know if there is a good book out there to learn C++ on UNIX/Linux.

Check out this thread on Slashdot: http://books.slashdot.org/comments.pl?threshold=4&mode=nested&commentsort=0&op=Change&sid=151935

In particular, I think the comment from foo fighter is what you're looking for: http://books.slashdot.org/comments.pl?sid=151935&cid=12761859

As with anything on Slashdot, keep your wits about you with a healthy dose of skepticism.

--
Freedom, truth, love, beauty.
John Rodenbiker
Re: ThinkPad T41p suspend is fine from console, hangs from X
On Jun 12, 2007, at 2:28 AM, Jonathan Thornburg wrote:
> In message http://marc.info/?l=openbsd-misc&m=118157353605570&w=1 I wrote
> # I have a problem with suspend-to-RAM on an IBM/Lenovo ThinkPad T41p
> # running OpenBSD 4.1-stable. Basically, suspend-to-RAM works fine if
> # I'm not running X, but hangs the system if I'm running X. My basic
> # question is, has anyone gotten suspend-to-RAM to work while X is
> # running on a T41p, and if so, how did you do it?

I think I may have experienced the same problem as you on my ThinkPad R40 and ThinkPad X24. When you say your system hangs, does your screen go blank except for a blinking cursor in the top-left corner? I run into this all the time when the BIOS is set to put the computer to sleep when the lid is closed and I'm running X (or KDE or Gnome or whatever on X).

My extensive searching of the web leads me to believe it's a driver issue. I come to this conclusion because I have seen many, many reports of identical symptoms on various Linux boards where the solution has been to update nvidia or ati drivers and the problem disappears. Unfortunately, I am not a skilled enough coder, nor do I have the time, to learn the inner workings of X and OpenBSD display drivers to properly diagnose and solve the problem. :(

My solution has been to disable the setting in the BIOS that puts the computer to sleep when I close the lid.

--
Freedom, truth, love, beauty.
John Rodenbiker
Re: How much time to 'master' OpenBSD
On Jun 8, 2007, at 5:58 AM, Pieter Verberne wrote:
> Hi there OpenBSD users,
> I wonder how much time it took for the average person to 'master' OpenBSD or a similar OS.

About 10 years through deliberate practice, just like any other complex area of study. See "The Role of Deliberate Practice in the Acquisition of Expert Performance" by Ericsson, et al. http://projects.ict.usc.edu/itw/gel/EricssonDeliberatePracticePR93.pdf

Choice quote:

> Our review has also shown that the maximal level of performance for individuals in a given domain is not attained automatically as function of extended experience, but the level of performance can be increased even by highly experienced individuals as a result of deliberate efforts to improve. Hence, stable levels of performance after extended experience are not rigidly limited by unmodifiable, possibly innate, factors, but can be further increased by deliberate efforts. We have shown that expert performance is acquired slowly over a very long time as a result of practice and that the highest levels of performance and achievement appear to require at least around 10 years of intense prior preparation.

The areas of study particular to mastering systems administration haven't changed much over the decades, just the particulars. I think the table of contents and bibliography of _Essential System Administration_ by Frisch is a good introduction to the topics. http://www.oreilly.com/catalog/esa3/toc.html

Others mentioned BSDCertification.org, which also has a pretty comprehensive list of areas of study. http://www.bsdcertification.org/downloads/pr_20051005_certreq_bsda_en_en.pdf

--
Freedom, truth, love, beauty.
John Rodenbiker
Re: smtp auth + greylisting
You should not have to touch every end user workstation to make such a simple config change. Windows, Outlook, and Active Directory can be controlled via scripting. (Yes, I'm going out on a limb and guessing you're in the 90% of businesses that run all three for end users and their workstations.) OS X, Mail, and Entourage can also be remotely controlled and scripted. I'm not familiar enough with other mail clients to speak about their capabilities. Though, obviously, nix-based setups are typically scriptable.

It has been a long time since I've had to directly support end users and their workstations, so you'll have to do your own homework on how to do this. I only know you can do it.

Aside: Anytime you, as a sysadmin, consider touching every end user workstation, something has gone very, very wrong. Either you need to bone up on administration best practice or get/learn better tools, or both.

I hope this helps.

--
Freedom, Truth, Love, Beauty.
John Rodenbiker

On May 22, 2007, at 4:19 PM, Stephen Schaff wrote:
> That's a really good point. However, we have about 200 users we'd have to get to switch their mail settings - 99% of whom don't know what mail settings are, of course. Changing ports could prove very painful. I will definitely consider it though, given how painful email is without greylisting.
>
> Best Regards,
> Stephen
>
> On 22-May-07, at 3:10 PM, Bob Beck wrote:
> > Trust me - bite the bullet and change to 587/465 anyway. We had to for road warriors because 25 is blocked in so many places anyway from walkups. You're better off just getting your users to switch.
> >
> > * Chad M Stewart [2007-05-22 12:46]:
> > > Since having users change their settings can be problematic in many environments, instead change the MX record. This way you can implement spamd right away and your users will not have to change anything.
> > >
> > > Though I would suggest moving the users to 587/465 in the future so that they don't get burned at places like hotels that redirect outbound port 25 traffic to a local SMTP proxy, that won't have a clue how to authenticate the user anyways.
> > >
> > > -Chad
> > > --
> > > #!/usr/bin/perl
> > > if ((not 0 && not 1) != (! 0 && ! 1)) { print "Larry and Tom must smoke some really primo stuff...\n"; }
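An added pf.conf fragment (not posted by anyone in the thread) showing the split Chad and Bob describe: inbound port 25 on the MX host is fed through spamd for greylisting, while authenticated submission on 587/465 bypasses spamd entirely, so a hotel's port-25 proxy is never in a road warrior's path. Assumed: post-4.7 pf syntax (rdr-to), the egress interface group, and the spamd-white/nospamd tables from spamd(8).

```pf
# Constructed example: greylist untrusted inbound mail with spamd,
# keep authenticated submission out of the greylisting path.
table <spamd-white> persist                          # maintained by spamd(8)/spamlogd(8)
table <nospamd> persist file "/etc/mail/nospamd"     # senders that are never greylisted

# Everything hitting the MX on port 25 is first answered by spamd.
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd

# Later, more specific rules win: hosts that passed greylisting or are
# explicitly trusted reach the real MTA directly.
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp

# Authenticated submission (587) and SMTPS (465) never touch spamd;
# the MTA must require SMTP AUTH on these ports.
pass in on egress proto tcp from any to any port { submission, smtps }

# Outbound mail from this host.
pass out on egress proto tcp to any port smtp
```

spamlogd(8) must be running for the spamd-white table to be populated, and the MTA listening on 587/465 must be configured to accept relaying only after authentication.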