Posted by Jonathan
At least if you ordered the pre-release…
My OpenBSD 4.1 CD set and T-shirts arrived today.
The lyrics and the 4.1 song (MP3 4.1MB / OGG 8.3MB) are already up.
The official release will be at the beginning of May, but you can order OpenBSD 4.1 today.
A list of changes between OpenBSD 4.0 and 4.1 can be found here. One very nice addition in my opinion is hoststated(8), a host status daemon that can be used with PF to manage load-balanced servers and remove servers from the pool if they do not serve an HTTP page or your specific monitor script fails.
This is very interesting for people like me who use OpenBSD firewalls in front of Rails applications. With OpenBSD/PF/pfsync/hoststated you can very easily have redundant firewalls load-balance your Apaches and automatically exclude a host that is down for whatever reason.
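To make the hoststated/PF pairing concrete, here is an added configuration example (constructed for this post, not taken from the OpenBSD release or its manual pages). All addresses are placeholders, and the layout follows the hoststated.conf(5) syntax of that release as I remember it: a table of real web servers with an HTTP health check, and a service that maps a virtual IP onto that table. PF needs a matching rdr anchor so the daemon can install and withdraw redirection rules as hosts pass or fail the check.

```conf
# /etc/hoststated.conf -- constructed example, placeholder addresses

# How often (seconds) each backend is probed
interval 10

# Each table is mirrored into a pf table of the same name.
# A host is removed from the pool when its check fails and
# re-added once it answers again.
table webhosts {
    real port http
    check http "/" code 200    # the page must exist AND return 200
    host 10.0.0.11             # placeholder backend 1
    host 10.0.0.12             # placeholder backend 2
}

# A service becomes an rdr rule from the virtual address to the table
service www {
    virtual ip 192.0.2.10 port http    # placeholder public address
    table webhosts
}
```

The corresponding /etc/pf.conf needs an anchor for the daemon's rdr rules, e.g. `rdr-anchor "hoststated/*"`, placed where translation rules belong in the ruleset; without it hoststated has nowhere to install the redirection and the pool never receives traffic. A check on `/` alone says nothing about the application behind it, so pointing the check at a page that actually exercises the Rails stack (or using the script check the post mentions) is what turns this from a liveness test into a real health test.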
Posted by Jonathan
I got a new toy from eBay. A nice firewall with 4 Ethernet ports, 1GHz VIA C3, 256MB RAM and 40GB HDD for 90 €. And even the case looks good.
I installed OpenBSD 3.7 on it and upgraded to STABLE by using CVS to upgrade to the tag OPENBSD_3_7 and compiling the userland and the kernel. Because the box has no CD-ROM drive I started with refreshing my PXE/NETBOOT knowledge. But then the pragmatic, lazy guy in me won and I just connected the IDE cable to another PC and installed OpenBSD through it.
I will use this box to play with CARP, pfsync and the new sasyncd.
Posted by Jonathan
Henning Brauer, OpenBSD developer and developer of OpenBGPD, committed interface groups to OpenBSD's packet filter PF together with Ryan McBride.
He explained it in a mail to misc@openbsd.org:
An interface group is, well, a group of interfaces (surprised, anyone?). Interfaces can join and leave interface groups any time, and can be a member of an arbitrary number of groups. The join and leave is done via ifconfig:
ifconfig sk1 group dmz
makes sk1 join the group dmz, and
ifconfig sk1 -group dmz
removes sk1 from that group again. A group is removed when it does not have any members any more and pf does not refer to it.
A rule matching an interface group will be applied to all interfaces in the group. With interface groups you can make your ruleset completely independent of your hardware and dynamically join interfaces and have rules (without reloading the ruleset) apply to them.
Also dynamic IP address expansion like in (tun0) works for interface groups. If you have all interfaces facing your customers in the customer group, this works:
block in on egress from (customer:network)
egress here is a dynamically created group for all interfaces that the IPv4 and IPv6 default routes point to. This is very useful for situations where the interface with the default route is changing, like while using a notebook with wlan and wire. egress will expand to wi0 or e.g. sis0, always using the right interface (the one with the default route).
See Henning's mail for details of his wonderful feature. He also wrote another mail in which he describes his trip to Canada on which he coded this feature with Ryan.
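As an added illustration of the mail above (my own constructed ruleset, not from Henning's mail or the OpenBSD tree), here is a small pf.conf written entirely against groups. The interface names sk1/sk2, the group names dmz and customer, and the idea that they are joined from the hostname.if files are all assumptions for the example; egress is the group PF maintains itself. Translation uses the nat syntax of that era.

```pf
# /etc/pf.conf -- constructed example built on interface groups
#
# Assumed group membership, set at boot in the hostname.if files
# (equivalent to the ifconfig commands in Henning's mail):
#   /etc/hostname.sk1:  ... plus a line "group dmz"
#   /etc/hostname.sk2:  ... plus a line "group customer"
# No interface name appears below, so swapping a NIC or moving a
# cable only changes the group line, never the ruleset.

set skip on lo

# Default deny inbound, log it
block in log all

# Management only from hosts on dmz interfaces, to the firewall's
# own address(es) on those interfaces: (dmz) expands dynamically
pass in on dmz proto tcp from (dmz:network) to (dmz) port ssh

# Anti-spoofing across the default-route interface(s), exactly the
# rule from the mail: customer prefixes must never arrive via egress
block in on egress from (customer:network)

# Customers may go out; (egress) resolves to whichever interface
# currently holds the default route (wired or wlan on a notebook)
nat on egress from (customer:network) to any -> (egress)
pass out on egress from (customer:network)
```

Two things worth checking after loading such a ruleset: `ifconfig egress` shows which interface currently carries the default route (and therefore which address the parenthesised expansion resolves to), and `pfctl -sr` shows the rules still referring to the group names rather than to expanded interface names, which is what lets a new member of customer pick up the rules without a reload.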