My firewall has been running OpenBSD 3.2 for a very, very long time. It’s been extremely stable, attached to an Uninterruptible Power Supply (UPS), and keeping my computers safe and free from the latest worms people worry about on a seemingly weekly basis. Really, it’s been almost maintenance-free. I’ve really enjoyed it.
It’s running on an old Pentium Pro 200MHz with 64 Megabytes of RAM. Donated to me by American Investment Bank, this old box was, literally, headed out the door for the junk pile when I interposed and asked if I could rescue it from that ignoble fate.
The things I like about it?
- It’s extremely quiet, since the processor only uses a heat sink, and not a fan. There’s a fan on the power supply, but I seriously think this little box could do without any fans and still keep a reasonable temperature.
- It’s kind of large-ish, but very empty, and sits next to my entertainment center on top of the UPS that keeps the power supply to it stable.
- It doesn’t have a reset switch, and I can cover the power switch with duct tape to prevent 2-year-old fingers from exploring.
- Running BSD on it is a joy. For most of what I need it for, it’s more than fast enough, and OpenBSD (unlike the Linux kernel) avoids paging things to swap if possible. This means that, I can come back to it after a few days of not using it, and log in quickly. On some of my Linux hosts, if I haven’t shelled in for a while, they take a while paging back in the stuff the computer hasn’t used in a while before giving me a chance to log in.
Anyway, I finally decided it was time to upgrade the old girl again. She was running an old version of OpenSSH, that, while not vulnerable (since OpenBSD wasn’t vulnerable to a recent OpenSSH exploit), was a target for automated attacks to just keep trying. I got sick of it. And I wanted to start over fresh, have a chance to remember what it was like to configure an OpenBSD system from scratch again.
So I swapped in a relatively new hard drive left over from my recent upgrade of my home studio workstation, and began the CD-ROM install. I chose to go ahead and install everything. In OpenBSD, this means (oh, the horror!) that the install is close to 400 megabytes. For EVERYTHING. Compare that to RedHat, where an “everything” install clocks in at about 6 gigabytes.
I chose a relatively sensible (from a security perspective) partitioning scheme: a 4 GB / (root) partition, 4 GB /var (people can DOS your box by filling up log files), and really big /home. I thought about doing a /usr/local partition (for those ports and packages you know), but the only real advantage I see there is that you can mount that partition read-only to prevent people running custom binaries. Given that I’m the only user of the system, and that if an attacker chose to, he could just umount /usr/local and remount it read-write if he were able to get in anyway, I thought it was of dubious benefit.
I did flag /var and /home noexec, and / will be mounted read-only (which includes /usr/local) once I’m done installing packages, so it’s all good.
Anyway, back to the topic at hand. I ran into an incredibly annoying behavior: My OpenBSD firewall would keep just disappearing on me. I mean, one minute, I’m surfing the ‘net with impunity, the next, I can’t resolve hostnames, can’t ping it or anything past it… gah, annoying. Went a whole day today without being able to check on it, because it was down.
And my kids were ticked 🙂 “Dad, I couldn’t Google all day!” “Dad, I couldn’t visit Barbie.com!” “Dad, why wasn’t my email working?” “Dad, what happened to barnson.org today?”
You get the idea.
Well, after much Googling, thinking, and checking for flags, I finally figured out the solution from this cryptic man page entry for apmd:
If the -a flag is specified, any BIOS-initiated suspend or standby re-quests are ignored if the system is connected to line current and not running from batteries (user requests are still honored).
That was my problem: though I wasn’t loading the APM (Advanced Power Management) daemon, the BIOS of the box was sending standby requests which the operating system was honoring: turning off the monitor, slowing down the CPU, turning off the hard disk, but most importantly:
Shutting down the network interface cards
I can deal with a machine being slightly non-responsive when I first connect (after all, it’s little better than a dumb router with a really secure operating system), but when the NICs shut down, it’s useless. So I edited /etc/rc.conf.local, adding this line:
# MattB: “-a” causes apm to ignore standby events.
apmd_flags=”-a” # for normal use: “”
I fired up apmd with “-a” manually from the command line, and it seems to be behaving now. But I keep getting this message in the log file now, hundreds of times:
Jun 24 18:15:40 monica /bsd: apm0: APM set power state: parameter out of range (10)
Guess that will be the next thing to figure out. The long-term solution is probably to go into the BIOS of this decrepit old system and change the power management setting.
The problem?
This is one of those ancient Compaq systems where the BIOS menus are stored on the hard drive, rather than being a chip on the board.
I nuked the first hard drive when I installed OpenBSD.
The joys of computing!
Possible solution?
Setting machdep.apmwarn=0 in /etc/sysctl.conf (or, in my case, since I hate rebooting, doing that and then running “sysctl -w machdep.apmwarn=0” manually) seems to retard the errors. But I still get some weird hesitations now in my shell sessions, though network throughput seems unaffected.
The long-term solution is probably to disable APM in my kernel and rebuild it. It would be my first time rebuilding the kernel for OpenBSD, and I can add it to my list of kernel’s I’ve compiled: HP-UX, Linux, and BSDI so far. Whee.
—
Matthew P. Barnson
Kernel changes…
Much better solution: modify the running kernel’s configuration, and write it back to the boot kernel. Turn off APM (who wants it on a firewall, anyway? Well, it would be nice to have the hard drive turn itself off after no usage for a while, and also good to have the CPU slow down when not in use… Anyway, here’s how to do it:
Now you should be able to do and see this:
Hesitations and hiccups gone!
—
Matthew P. Barnson
apm update?
hi. i have nearly the exact same configuration that you have, except that my Compaq OpenBSD is running 3.7 and is my fileserver, not firewall. I was wondering if you found a way to have the APM turn off the hard drive and/or CPU and yet make it wake for use when accessed over the network? thanks.
Unfortunately…
Unfortunately, I dispensed with my old PPro200 firewall after several years of use. I enjoyed it, but I found that a little Linksys WRT54G router did the job equally well for what I wanted (with a modified firmware, of course), and I could use my Mac via port-forwarding for SSH access to my network when I wanted.
Alas, I cannot answer your question as I no longer own the computer in question. Given that a brand-new PC of dramatically better specifications can be had for under $200 today, I figured it cost me more in power than it was worth. It served well, but, as with all my computer hardware, suffered an ignoble end.
On the plus side, I saved a bundle on my new Dell laptop. I can’t say I’m displeased with the change 🙂
—
Matthew P. Barnson
apm update?
i have a very similar setup to you, with a compaq OpenBSD 3.7 running as my internal fileserver. i’m trying to avoid the problem you mentioned, the powering down of the machine every 10 minutes, and yet keep the ability to reduce power to the hard drive and cpu. have you come up with any better solution than disabling apm from the kernel?
any new options?
i have a very similar setup to you, with a compaq OpenBSD 3.7 running as my internal fileserver. i’m trying to avoid the problem you mentioned, the powering down of the machine every 10 minutes, and yet keep the ability to reduce power to the hard drive and cpu. have you come up with any better solution than disabling apm from the kernel?