Archive for April, 2006
upcoming (sudden) changes

Don’t know if anyone other than staff reads this, but here are some plans anyway for those who may be interested:

  • Upgrade filter to OpenBSD 3.9 and work out any inconsistencies

  • Install new dual port Intel PRO/1000MT NIC

  • Upgrade servers to FreeBSD 6.1 and make further use of OpenBSD 3.7’s great pf stateful functionality

  • Clean up web page hierarchy

  • Investigate further backup options (dump/restore, third party solutions)

  • Inform students about using mail.restek.wwu.edu as an SMTP relay

  • LDAP reorganization

That is just a few of the things I have had planned for a while.

intermittent connection failures: [profanity]

These issues are becoming ridiculously irritating. Not only is PHP/Apache consistently complaining about being unable to connect to the database server, but I haven’t been able to find out why yet. I do not see any limits being hit. Admittedly, we do a lot of work which requires a database connection, and some will inevitably fail, but something else is going on here.

Not only is MySQL a problem, but LDAP is being unreliable too. Once again, most of the time it works…but sometimes it doesn’t. And it’s one thing when someone has to type a password twice, but when LDAP lookups fail, Qmail experiences problems delivering mail and that is unacceptable.

As if those issues were not annoying enough, the primary firewall went to hell the other day and had to be taken out of the group manually. Faulty NIC? Who knows.

So which is more predictable now…nature or technology?

authpf, OpenVPN and WiFi

This isn’t related to any of those, but this new wordpress (and by new I mean 2.0) interface is neat.

This evening I finished setting up my secure wireless access point in my room. I kept forgetting my laptop battery charger in the office…and as nice as this laptop is, it doesn’t have unlimited life.

The idea behind authpf and OpenVPN is neat. authpf is responsible for modifying rules in pf, allowing traffic to pass once a user authenticates, via SSH for example. It is really simple in that you only need to use chsh or similar so that a user’s shell is /usr/sbin/authpf instead of something like bash/ksh. Once they log in, authpf is called as their shell and, by default, adds them to a table; you can then use that table to selectively pass traffic.

The second component is OpenVPN:

“OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.”

It is useful because it’s responsible for encrypting traffic between the access point (in this case, a desktop running OpenBSD 3.8-stable) and my laptop (running Gentoo Linux). authpf is nice, but it obviously doesn’t encrypt traffic.

To make a long story short, I have the following:

polaris is the Access Point running OpenBSD 3.8-stable

algernon is the laptop running Gentoo Linux

  • (polaris tun0) 10.8.0.1 <--> 10.8.0.2 (algernon tun0)

  • main private interface eth1 on algernon

  • ral0 on polaris: wireless interface

  • rl0 on polaris: public interface (NAT)

When I want to use the laptop in another room, I simply log in to polaris wirelessly with my special user who has an SSH key set up and authpf as a shell:
kian@algernon ~ $ ssh kian_authpf@polaris
Last login: Thu Apr  6 02:46:29 2006 from ff.xx.yy.zz

##################################
##
##      Welcome to Polaris
##
##################################

Hello kian_authpf. You are authenticated from host "ff.xx.yy.zz"

This tells pf on polaris to allow me to connect to the OpenVPN daemon. I start up the OpenVPN daemon on algernon which also makes the default route tun0 so that all traffic is passed through the encrypted tunnel. pf on polaris also has a rule in place to NAT the traffic from the wireless LAN. When I’m done working, I simply close the SSH session and authpf will remove the corresponding entry from the table.
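For readers who want to see how the pieces above fit together in pf, here is a pf.conf for polaris written as an added example; it is not the configuration from this post. The interface names and the 10.8.0.0/24 tunnel network come from the post, the authpf_users table is authpf’s default, and the block-by-default policy and OpenVPN on UDP port 1194 are assumptions.

```pf
# polaris (OpenBSD 3.8) - interfaces as described in the post
ext_if  = "rl0"          # public side, NAT goes out here
wifi_if = "ral0"         # wireless segment the laptop attaches to
vpn_if  = "tun0"         # OpenVPN endpoint, 10.8.0.1 on polaris
vpn_net = "10.8.0.0/24"
vpn_port = "1194"        # assumption: OpenVPN's default UDP port

# authpf adds the address of each logged-in user here and removes it
# again when the SSH session ends
table <authpf_users> persist

# anchors that authpf loads per-user rules into (kept even if unused)
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

# decrypted traffic from the tunnel leaves the public interface NATed
nat on $ext_if from $vpn_net to any -> ($ext_if)

# assumption: deny everything not explicitly allowed below
block in log all
pass out keep state

# any wireless client may reach sshd, which is where authpf runs
pass in on $wifi_if proto tcp from any to ($wifi_if) port ssh \
    flags S/SA keep state

# only addresses authpf placed in the table may talk to OpenVPN;
# the tunnel itself is what encrypts the wireless hop
pass in on $wifi_if proto udp from <authpf_users> to ($wifi_if) \
    port $vpn_port keep state

# traffic arriving decrypted on tun0 is forwarded (and NATed above)
pass in on $vpn_if from $vpn_net to any keep state

# per-user rules from /etc/authpf/authpf.rules are evaluated here
anchor "authpf/*"
```

With this ruleset a wireless client that has not completed the SSH/authpf login cannot reach the OpenVPN port at all, and closing the SSH session drops both the table entry and the ability to open a new tunnel.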

I really like effective solutions such as this.