BSDA (BSD Associate)

Bl8ckr0uter Inactive Imported Users Posts: 5,031
Anyone thinking about doing this one? I work with PFsense daily and I am somewhat comfortable with it. I know PFsense is FreeBSD based but is not really the same. At 75 bucks it is very affordable. I know it would be a big resume builder but it might be interesting.


I am looking at taking it during the Ohio Linux Fest (assuming they offer it again this year). Anyone in the area thinking of going?

Certification Exams | Ohio LinuxFest 2011

Comments

  • it_consultant Member Posts: 1,903
    If you are one of the 6 or 7 people in the world that can work on BSD UNIX then good on you!
  • veritas_libertas Member Posts: 5,746
    I think you would be better off going down the LPIC path. I doubt many here have even heard of it. If your company reimburses certs then that is an entirely different story altogether...
  • RobertKaucher Member Posts: 4,299
    Anyone thinking about doing this one? I work with PFsense daily and I am somewhat comfortable with it. I know PFsense is FreeBSD based but is not really the same. At 75 bucks it is very affordable. I know it would be a big resume builder but it might be interesting.


    I am looking at taking it during the Ohio Linux Fest (assuming they offer it again this year). Anyone in the area thinking of going?

    Certification Exams | Ohio LinuxFest 2011
    What's the deal with their offering of the LPI exams?
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I think you would be better off going down the LPIC path. I doubt many here have even heard of it. If your company reimburses certs then that is an entirely different story altogether...

    I was thinking about doing the bsda in addition to not instead of the LPIC.


    What's the deal with their offering of the LPI exams?

    It's like 50 bucks off regular price. What I don't know is if I can actually register for both or do I have to have part one passed in order to register for part two.

    Are you thinking about doing the LPIC-1? It would be cool to have a "local" study buddy lol.
  • wastedtime Member Posts: 586
    I don't know much about the certification but I have been using FreeBSD for the last 4-5 months and loving it. I have only had a few minor issues with it. I have been using it as an IDS with some inline firewall capabilities through bridged interfaces. Here is my current uptime (last downtime was due to power):

    9:07PM up 92 days, 11:08, 1 user, load averages: 0.00, 0.00, 0.00
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    wastedtime wrote: »
    I don't know much about the certification but I have been using FreeBSD for the last 4-5 months and loving it. I have only had a few minor issues with it. I have been using it as an IDS with some inline firewall capabilities through bridged interfaces. Here is my current uptime (last downtime was due to power):

    9:07PM up 92 days, 11:08, 1 user, load averages: 0.00, 0.00, 0.00


    Awesome. Have you messed around with any of the other BSDs? I downloaded free, open, net and dragonfly last night.
  • Forsaken_GA Member Posts: 4,024
    If you are one of the 6 or 7 people in the world that can work on BSD UNIX then good on you!

    That's not really fair. FreeBSD is quite popular, there's just no huge commercial offering like you have with Red Hat or Suse, so it's not quite as publicized. OpenBSD is also quite popular, especially as a firewall. It's actually what I'm running as my ssh jump box; it's the only box that is both open to the outside world and can reach every other device on my network, simply because I have enough faith in the fact that it doesn't have any remote exploitation bugs. I've also been known to use it as a reverse proxy for external connections into my internal network.

    pfsense is wonderful, I love it, though once you start putting some serious traffic through it, you need to think about moving to a better platform.

    NetBSD used to be quite popular for embedded devices as well; you can get NetBSD to run on virtually anything. A friend of mine recently acquired an old DEC Alpha, and Net was the only thing he could get to actually boot on it.

    So BSD has its place. If it's got one major strike against it, it's that its package management isn't anywhere near as polished as that of the major Linux distributions, but I've found pkg_* and the ports collection to work just fine once you get over the learning curve of dealing with them.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031

    pfsense is wonderful, I love it, though once you start putting some serious traffic through it, you need to think about moving to a better platform.

    Just curious, but do you have an estimate as far as how much traffic you can put on it before it starts to choke (PPS or bandwidth)? When you say a "better" platform, do you mean a pure FreeBSD with pf or something vendor based? As far as "free" firewalls are concerned, I like PFsense the best (so far). I think the addons are awesome. There is a decent community and I think the package management is awesome (NMAP on a firewall is just awesome, seriously).


    I am migrating one of our sites from an old Cisco router to a pfsense box (when I found out this thing could do ROAS/inter-VLAN traffic I literally screamed yes (that's what she said). I was very shocked).

    I have been playing with the snort package and country blocking at home (and at work) and it has worked great.
  • wastedtime Member Posts: 586
    I originally tried to get OpenBSD installed once but it didn't like the VIA C7 setup I had for some reason. I have heard good things about PCBSD though.

    Here in a few weeks I was going to try an upgrade to the system I have now. I will make a post of it when I am done.

    Forsaken did this go anywhere? Or was he just trying to make news?
    Report of FBI back door roils OpenBSD community | Privacy Inc. - CNET News
  • Forsaken_GA Member Posts: 4,024
    Just curious, but do you have an estimate as far as how much traffic you can put on it before it starts to choke (PPS or bandwidth)? When you say a "better" platform, do you mean a pure FreeBSD with pf or something vendor based? As far as "free" firewalls are concerned, I like PFsense the best (so far). I think the addons are awesome. There is a decent community and I think the package management is awesome (NMAP on a firewall is just awesome, seriously).

    It all depends on the hardware you throw at it. If you don't give it enough proc or memory, it'll start to choke fairly early, and like any other software based firewall, the more services you enable, the more of an effect it has on your throughput. I've had small pfsense boxes choke near the 100 mb boundary, but if you give it enough proc and memory, you can get a lot closer to the gigabit boundary. We had to retire our pfsense firewalls last year because they were getting enough traffic through them to the point where it was causing routing instability (they were participating in OSPF), to the point where they were becoming single points of failure at the sites where they were deployed. Having it cause flaps in OSPF was bad juju. We had to move to a hardware accelerated solution.
  • Forsaken_GA Member Posts: 4,024
    wastedtime wrote: »
    I originally tried to get OpenBSD installed once but it didn't like the VIA C7 setup I had for some reason. I have heard good things about PCBSD though.

    Here in a few weeks I was going to try an upgrade to the system I have now. I will make a post of it when I am done.

    Forsaken did this go anywhere? Or was he just trying to make news?
    Report of FBI back door roils OpenBSD community | Privacy Inc. - CNET News

    Near as I could tell, it all panned out to be BS. The 'facts' that were reported were shaky at best, and a code audit turned up nothing. So either it's a really well-hidden backdoor, but I think it's more likely that someone was looking for their 15 minutes. The OpenBSD guys have always been very, very open and direct when it comes to vulnerability disclosure.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    It all depends on the hardware you throw at it. If you don't give it enough proc or memory, it'll start to choke fairly early, and like any other software based firewall, the more services you enable, the more of an effect it has on your throughput. I've had small pfsense boxes choke near the 100 mb boundary, but if you give it enough proc and memory, you can get a lot closer to the gigabit boundary. We had to retire our pfsense firewalls last year because they were getting enough traffic through them to the point where it was causing routing instability (they were participating in OSPF), to the point where they were becoming single points of failure at the sites where they were deployed. Having it cause flaps in OSPF was bad juju. We had to move to a hardware accelerated solution.

    Good to know. I won't say our exact specs but they are waaay overkill for bsd. Basically the proc never goes over 2-10 percent used. Since we are getting a new WAN circuit which will multiply our current bandwidth by a factor of 5 (yes I said 5) I was planning ahead. Have you dealt with the QoS any? How about the load balancing? I have no way to test the load balancing at home or at work and I just want to hear from someone who has actually done it that it works ok.
  • Forsaken_GA Member Posts: 4,024
    Good to know. I won't say our exact specs but they are waaay overkill for bsd. Basically the proc never goes over 2-10 percent used. Since we are getting a new WAN circuit which will multiply our current bandwidth by a factor of 5 (yes I said 5) I was planning ahead. Have you dealt with the QoS any? How about the load balancing? I have no way to test the load balancing at home or at work and I just want to hear from someone who has actually done it that it works ok.

    Load balancing works fine. We actually used it as a cheap form of NAT. (just define a balance for one external VIP to point to a single internal IP). That actually really screwed with me at first, because when I was troubleshooting, I was like 'wtf man, this public isn't defined on this server, and I can't find a configuration for it anywhere in NAT, but it works!'

    I haven't screwed with the QoS at all, we have plenty of internal bandwidth, and our voice traffic wasn't carried through those firewalls.

    You want to see pfsense choke though, have it handle the traffic for a busy torrent on a high bandwidth connection, and just watch your state table slots evaporate ;)
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Load balancing works fine. We actually used it as a cheap form of NAT. (just define a balance for one external VIP to point to a single internal IP). That actually really screwed with me at first, because when I was troubleshooting, I was like 'wtf man, this public isn't defined on this server, and I can't find a configuration for it anywhere in NAT, but it works!'

    I haven't screwed with the QoS at all, we have plenty of internal bandwidth, and our voice traffic wasn't carried through those firewalls.

    You know this might sound dumb (and a bit dangerous) but I really just want to implement QoS just for the sake of doing it lol. JK but in all honesty we will have a ton of bandwidth. I do have a plan for slicing some of that out *

    *I just read in my Network Warrior book that QoS doesn't limit bandwidth, it guarantees it. That kind of blew my mind.
    You want to see pfsense choke though, have it handle the traffic for a busy torrent on a high bandwidth connection, and just watch your state table slots evaporate ;)

    Oh if only I hadn't blocked all torrents long ago lol.
  • Forsaken_GA Member Posts: 4,024
    You know this might sound dumb (and a bit dangerous) but I really just want to implement QoS just for the sake of doing it lol. JK but in all honesty we will have a ton of bandwidth. I do have a plan for slicing some of that out *

    *I just read in my Network Warrior book that QoS doesn't limit bandwidth, it guarantees it. That kind of blew my mind.

    That's true. It guarantees bandwidth. At the cost of other traffic. Bandwidth being a finite pool, in order to guarantee performance for a specific class of traffic, you have to make other traffic suffer. As much as I love GAD and Network Warrior, if you want the skinny on QoS, read the Odom Cisco Press book. I consider it a bible.

    QoS is fun to play with. I do have to deal with it on the WAN side, but the first time you deploy it, you're going to screw it up :) You're going to forget about some essential traffic (*coughsqlcough*), or you're going to realize that your assumptions as to what ports a given application uses are incorrect, or something else. I regard it as something of a black art, as you have to keep an eye on your traffic flows and tweak them accordingly. But screwing up in a QoS deployment is a good way to bring your network to its knees.

    If you're going to deploy QoS in a production network, do yourself a favor - educate yourself thoroughly on netflow.

    These books help mightily (read the No Starch Press book first; the Cisco Press one is good information, but very heavy and very dry. I sincerely wish I'd read the No Starch book first, as it would have been a better primer, but you should read the Cisco Press one as well for a thorough education)

    Network Management: Accounting and Performance Strategies
    Network Flow Analysis | No Starch Press

    Once you know what you're doing with Netflow, deploy it, and let it run for at least a few weeks (I'd suggest at least a month) so you can learn what's actually going on in your network, and what traffic you need to account for, what traffic you need to prioritize, and what traffic you need to punish with extreme prejudice.

    Even if you don't deploy QoS, learn Netflow anyway. It's one of the single best tools in a network engineer's arsenal.
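As an added example (not from this thread or from any project mentioned in it), here is a small Python script that does the homework the post above recommends before writing a QoS policy: it aggregates NetFlow-style records into traffic classes, shows each class's real share of bytes, and flags classes that carry traffic but have no entry in the planned policy, the "forgot about SQL" case. The flow records, the classify rules and the planned policy are all constructed for illustration.

```python
"""Aggregate NetFlow-style records into traffic classes before a QoS rollout."""
from collections import defaultdict

# Constructed sample flow records, not a real NetFlow export.
# Fields: src, dst, proto, dst_port, bytes
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.2.0.5", "tcp", 1433, 52_000_000),        # SQL replication
    ("10.1.1.31", "10.2.0.9", "udp", 5060, 300_000),           # SIP signalling
    ("10.1.1.31", "10.2.0.9", "udp", 16384, 9_000_000),        # RTP voice media
    ("10.1.1.77", "203.0.113.8", "tcp", 443, 120_000_000),     # web browsing
    ("10.1.1.90", "203.0.113.200", "tcp", 6881, 400_000_000),  # bulk P2P
    ("10.1.1.20", "10.2.0.5", "tcp", 1433, 48_000_000),        # more SQL
]

# Hypothetical classifier: maps protocol and destination port to a traffic class.
# Port assumptions are the kind of thing Netflow data should confirm or refute.
def classify(proto, dst_port):
    if proto == "udp" and (dst_port == 5060 or 16384 <= dst_port <= 32767):
        return "voice"
    if proto == "tcp" and dst_port in (1433, 3306, 5432):
        return "sql"
    if proto == "tcp" and dst_port in (80, 443):
        return "web"
    if proto == "tcp" and 6881 <= dst_port <= 6889:
        return "p2p"
    return "other"

def summarize(flows):
    """Return {class: (bytes, share_of_total)} so each class's real share is visible."""
    totals = defaultdict(int)
    for _src, _dst, proto, port, nbytes in flows:
        totals[classify(proto, port)] += nbytes
    grand = sum(totals.values()) or 1
    return {cls: (b, round(b / grand, 3)) for cls, b in totals.items()}

def unplanned_classes(summary, planned):
    """Classes seen on the wire that the draft policy never mentions."""
    return sorted(cls for cls in summary if cls not in planned)

# Hypothetical first-draft policy: voice guaranteed, P2P policed, web default.
# SQL replication is missing, exactly the omission the post warns about.
PLANNED_POLICY = {"voice": "priority", "p2p": "police", "web": "default"}

if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS)
    for cls, (nbytes, share) in sorted(summary.items(), key=lambda kv: -kv[1][0]):
        print(f"{cls:6} {nbytes:>12,d} bytes  {share:6.1%}")
    print("not covered by planned policy:", unplanned_classes(summary, PLANNED_POLICY))
```

Run it against a few weeks of real exports (parsed into the same tuple shape) and the "not covered" list is the set of classes to add before the policy goes live.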