On 16 Feb 2008, at 19:26, Douglas A. Tutty wrote:
On Sat, Feb 16, 2008 at 06:29:30PM -0900, Siraaj Khandkar wrote:
On 16 Feb 2008, at 05:10, Douglas A. Tutty wrote:
This stopped working when the box couldn't upgrade from Sarge to Etch
because libc6 kept killing itself. I did the drive shell-game from
another computer to get Etch on it only to find out that Etch was way
too slow to be useful. So now on the old box I use OpenBSD and it is
quite zippy again.
I hope I won't have to resort to that, as I love apt too much :-)
I want to use this box as a gateway, and I'm somewhat split between
Debian and pfSense ( http://www.pfsense.com/ ), but leaning heavily
towards Debian, again, because of apt.
If it is only as a firewall then everything you need is in OpenBSD base
with no extra packages required. Their most secure, most up-to-date is
always -current and there are automatic snapshots of it. So, if you
keep /home on its own partition and copy your configs from /etc/ there,
if a security fix comes out (rarely for base) instead of compiling the
fix, you just download a new snapshot and install it. It's different
than apt but doesn't take any more time and, as with Debian, if the
kernel changes the only downtime is a reboot.
I don't know pfsense but my guess would be that it uses OpenBSD's pf
(packet filter). However, check to see what code auditing is done by
pfsense. Packets have to traverse the kernel. Think how many kernel
updates Debian has had in, say, the last six months. How many has
pfsense? How many patches for OpenBSD -stable (6-month release cycle)?
http://www.pfsense.com/
Your guess is correct. It is based on m0n0wall, which is a very
interesting system - it is based on completely stripped-down FreeBSD
4, stores all the system configs in a single XML file, and uses PHP
for bootup scripts... I've been using it in production for about 6
months now, and it is quite robust and stable. Now, pfSense takes
m0n0wall as a base, but uses FreeBSD 6 kernel, and OpenBSD's pf, AND
implements package management on top of that, and this package
management feature is the main thing that attracts me to it, as I
want to use this box as an all-in-one experimental gateway - router,
firewall, DNS (caching, and local authoritative), DHCP, http caching,
traffic shaping. Being that I plan to add/remove experimental
packages somewhat often, I heavily favor binary packages, Debian
being the best at that, AND also considering that I expect this box
to do a lot of things at once - performance benchmarks from Scalable
Networking raise a concern or two.
http://bulk.fefe.de/scalable-networking.pdf
If your box also has a card reader, there's the neat trick of putting
the OS on a CF card (with some ram fs overlays). Upgrading is making a
new cf card, power off, swap cards, power on, done. There are scripts
available to automate all but the manual swapping of cards. Actually, if
the box has two CF card slots, there are scripts to allow downloading an
updated image to the inactive CF card, reboot to the new card, run
self-diagnostics to ensure that the box is doing everything it should,
with an automatic reboot to the old card if something is wrong. There
are some very creative people over there.
No, unfortunately no CF cards on this box :-(
Good luck.
Doug.
Thanks :-)
--
Siraaj Khandkar
Ron Paul - Hope for America
http://www.ronpaul2008.com/
http://www.youtube.com/results?search_query=Ron+Paul&search=Search