Well, I’ve tried Statiked, Octopress and Pelican… and I’m back to WordPress.
DNS records updated, pardon the broken links and such while I clear out the cobwebs.
- Just added the Magic Anti-Spam Firewall rule: Block inbound email if it comes from a Windows box. I have high hopes for this one…
- OS X VPN working
- Still working on VPN setup for iPhone and iPad based on this tutorial.
- Added packet shaping for BitTorrent and it made an enormous difference. You can’t even tell a transfer is happening now! Perfect.
It’s great. I continue to wish I’d gotten it sooner.
My previous firewall was the Cisco/Linksys RV042, an entry-level business unit that worked quite well for years here.
There were a few things I wanted that the RV042 couldn’t do:
- Better handling of BitTorrent. Nothing better for ISOs! The RV042 choked under, I think, large numbers of open TCP connections. Hard to tell if the limitation was CPU or memory or what, which leads to…
- Better instrumentation, visibility and metrics. I want to be able to see how it’s performing and if I’m up against limits.
- Better filtering and traffic handling.
- Stretch goal: Block all inbound mail connections from any machine running MS Windows. Invariably botnet spam, and one of the niftier tricks possible with OpenBSD and pf.
- Turn-key-grade. I’ve less time to DIY these days, so I needed something good to go out of the box.
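For anyone wondering what that “block mail from Windows boxes” trick actually looks like, here is the pf rule behind it. This is an added example in plain pf.conf syntax, not the original post’s configuration; the interface name, the mail server address and the `mail_srv` macro are assumptions for the illustration. pfSense exposes the same thing in its rule editor as the “Source OS” option on a TCP rule.

```pf
# Added example: pf.conf excerpt showing passive-OS-fingerprint filtering
# of inbound SMTP. Interface name, address and the "mail_srv" macro are
# assumptions for the illustration, not from the original post.
ext_if   = "em0"
mail_srv = "192.0.2.25"

# Fingerprint database (default path on OpenBSD/FreeBSD; pfSense ships its
# own copy). `pfctl -s osfp` prints the OS names and classes pf can match.
set fingerprints "/etc/pf.os"

# Drop, and log, SMTP connection attempts whose TCP SYN looks like a Windows
# stack. The fingerprint is taken from the SYN only, so this has to be an
# inbound rule that sees the connection start; packets that already belong
# to a state are never re-checked.
block in log quick on $ext_if proto tcp from any os "Windows" \
    to $mail_srv port smtp

# Everything else may talk to the mail server.
pass in on $ext_if proto tcp from any to $mail_srv port smtp \
    flags S/SA keep state
```

Two caveats before trusting it: the fingerprint is whatever stack sent the SYN, so a Windows PC behind a Linux NAT gateway is seen as Linux and gets through, and a legitimate Exchange server is a Windows host and gets blocked. Leave `log` on the rule and watch `tcpdump -n -e -ttt -i pflog0` for a few days to see what it is really catching.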
Running pfSense 2.0, the new firewall is superb beyond my expectations. The web-based GUI is fantastic, the 500 MHz CPU and 256 MB of memory handle more traffic quite ably, and the sheer depth of functionality present is almost daunting. This wee beastie is astounding. Here are some bits I’ve liked so far:
- RRD graphs for CPU, memory, TCP state tables, rules traffic, etc, etc. Updated via AJAX, no less.
- Nice dashboard showing status and traffic at a glance.
- It ships with NanoBSD installed twice, two partitions on the 4 GB CompactFlash card. The idea is that, if you hose the firewall, you can boot into the second partition and be back up quickly. Haven’t tried that, but I love the no-moving-parts flash storage.
- The 2D3 version gives me an extra Ethernet port, for later expansion.
- I got the Hifn crypto accelerator, which can do 35 MB/s of AES-128.
- Good support for Apple – OpenVPN for laptops, and IPsec for iDevices.
- Nice list subscriptions, so I’ve subscribed to IP-based blacklists for compromised hosts, ad servers, spammers and the like.
- Transparent HTTP filtering with Squid and SquidGuard. I could also use this for caching if I wanted, but for now it’s an easy way to block domains like 2o7.net and the like.
So here are some RRD graphs for a monster BitTorrent test, around 200-400 peers.
TCP states, peaking around 3,000:
Traffic: Red is upload, set to a 2.0 sharing ratio:
The important one, CPU usage:
So, roughly speaking, the 20 Mbit/s peak took about half the CPU with the current minimal rules and firewalling. That’s not astounding, but I suspect and hope that I can tune it better. Next up, I’m going to try the packet shaping to see what effect that has. Right now, ICMP goes to hell:
I’ve done a simple test with OpenVPN, which works, though I had to buy the Viscosity app ($5) to make it work. Need to get iOS working and see how well that works; that’ll be nice to have for the trip to PyCon in March.
Here’s a shot of the web interface:
(Yep, I named it ‘fratboy.’ My old firewall was ‘nail.’ The theme is ‘things that get hammered.’ I still think it’s funny.)
Other things to look forward to:
- Full IPv6 support (Hi, BenC!)
- Operating-system-based filtering
- Adding a 2-line LCD screen, I want a traffic barograph, and the 2D3 has a serial port I can use.
Overall? For $300 it’s a bit steep, but frankly I now regret having bought two RV042s; shoulda gone here years ago. It out-features commercial routers up to two or three thousand bucks, and does so with silence and ~4 watts of power. Yay!
My Netgate 2D3 arrived and is installed – more on this later. It’s a NanoBSD box, no moving parts, 2-3 W power and full pf onboard with an awesome web GUI, hardware (Hifn) crypto accelerator, and tons of capacity to do filtering, packet scrubbing and much much more.
I am in heaven. Highly recommended.
Amazing beef. This was a rare treat, a full scale home BBQ at the home of Natalia’s parents.
Check out this home grilling setup: coals on the left, 5 feet or so of grilling area.
Now I’m all hungry again.
Buenos Aires, 2007.
Deck of the USS Midway:
Also from the Japan trip, their famous bullet train, or shinkansen. Check out the Victorian-looking high-voltage link between the cars:
This is one seriously badass looking machine.
Love the red eyes.
Traveling on it is revelatory; it’s worlds better than short-hop flights even before you factor in the idiocy of ‘airline security.’ Why oh why can the USA not get high-speed passenger rail?