Michael W. Lucas's Blog, page 85
June 28, 2011
Full up on OpenSSH reviewers
I now have all the reviewers I can manage, and am not looking for more. I'd make an exception if you're, say, an OpenSSH or PuTTY developer, but other than that I'm not accepting any more. I'd like to thank everyone who has volunteered to review this book.
June 27, 2011
add PF to FreeNAS 8
I won't put any system on the Internet without some sort of packet filter or firewall. Especially not a file server containing important data. While I have a FreeNAS 8 box, it doesn't come with a firewall. FreeBSD includes three firewalls: IPFW, IPF, and PF. Any one of these would do, but I'm most comfortable with PF, so I decided to add PF to my FreeNAS install.
This will not add a firewall to the GUI. You must manage your rules remotely. The FreeNAS backup will not back up your rules. The...
June 23, 2011
FreeNAS 8 on Intel SS4200-E
The boss snagged an Intel SS4200 NAS as part of the corporate "redundant array of inexpensive crap" strategy. Basically, it's a small, headless amd64 machine with 512MB RAM, four SATA ports, plus eSATA and USB. Add four 1TB hard drives, and you have a decent small storage device. I decided to try FreeNAS 8, so I could get ZFS, NFS, and iSCSI.
FreeNAS 8 installs on a USB drive. I got a 2GB USB drive from the Micro Center checkout counter, and escaped the store without purchasing anything else.
Start by...
June 14, 2011
OpenSSH community reviewers wanted
I have about half of the OpenSSH book written. I can start getting feedback on the manuscript. If you're interested in providing feedback, first read the review process article on my web site.
If you're still interested after reading that article, send me an email with the subject "OpenSSH review" and tell me that a) you won't share the review manuscript, and b) why you'd be a good reviewer. I can only manage so many reviewers, so I try to pick readers of every experience level. My email...
June 13, 2011
How Community Tech Review Works
I've received quite a few questions about how I do community-based tech reviews on forthcoming books, as well as offers for one or both of the projects I have underway. I've put up a public Web page about the process I follow. I expect to request community reviewers for one book later this week.
Realistically, my brain is limited. I can only manage about 20 prepub reviewers for a given project. I choose the best people from the pool of volunteers.
I hope that all of them will return useful...
June 9, 2011
desktop OpenBSD pf.conf
I have an OpenBSD 4.9/i386 desktop sitting naked on the Internet, and found people poking at my TCP ports. While PF is enabled by default, it's configured to permit everything except remote X11. I need a policy that will block incoming traffic from everywhere except a few key IP addresses, while allowing me to make any outbound connections I desire.
mgmt="{192.0.2.0/24, 192.168.8.0/24}"
set skip on lo
block
pass proto icmp
pass from $mgmt to self
pass from self to any
block in on ! lo0 proto tcp to...
June 6, 2011
SSHv1 and PuTTY
One of the advantages of writing books is that you must double-check everything you thought you knew about a topic. PuTTY is probably the most widely deployed SSH client in the world. I've used it for years. It's good software. (I also use the OpenSSH client, of course.)
To my surprise, PuTTY accepts both version 1 and 2 of the SSH protocol. It prefers version 2, but will accept 1.
Version 1 of the SSH protocol has irremediable problems. If a client accepts SSHv1, an attacker can intercept a...
June 3, 2011
Summer 2011 nonfiction project: OpenSSH
I have a problem with Absolute OpenBSD, 2nd edition. It's too big. The outline is 26 chapters. This brings the book close to 300,000 words, well over a thousand pages. I don't want to write books that I don't like. I don't like huge books that I cannot comfortably read in the bathtub.
One component of OpenBSD is OpenSSH. People have written books about OpenSSH, but they contain more information than most people need. (Not all, but most.) I write for the most common user, which means that...
May 31, 2011
my .cwmrc
I need a window manager that doesn't take up desktop space with lots of icons and permits me to work without removing my hands from the keyboard. (I do use the mouse, mind you, but I don't want to be required to use the mouse for routine tasks.) I've used cwm on OpenBSD as my window manager for about a year, and it's fulfilled my needs perfectly well.
I have made some changes. cwm is very easy to modify via the .cwmrc file. Here's mine, with comments interspersed to show why I've made these...
May 23, 2011
IP Tables and VoIP
Here's an iptables ruleset for a VoIP server with a Web interface. The goals are to allow management hosts to communicate with it freely, allow VoIP and HTTP(S) from the public, and drop everything else. It's designed to be used as /etc/iptables.rules, and loaded with
# iptables-restore < /etc/iptables.rules
In Linux, you're supposed to adjust the firewall at the command line. This implies an ability to retain the firewall ruleset in your head, as well as an ability to type correctly...