Sunday, September 13, 2009

Online Backups with Backblaze: Does it work?

Just because disk space is getting cheap, don't think that storage is cheap. A referral from Slashdot to Backblaze's blog charted the situation out accurately. The cost of a petabyte of storage on raw SATA hard drives is $81,000. On Amazon and EMC, it's $2.8 million. If Backblaze really could create their own enterprise storage devices, then it would be possible to offer backups at $5/month for unlimited storage. Backblaze even offers a 15-day free trial, so I tried it, although I was skeptical.

Catches:
1) You need to use their client.
2) Their client doesn't run on Windows Server or Linux -- just Windows XP, Vista, and Macintosh. (Even if you run the installer in XP compatibility mode on Windows Server, it still doesn't install.)
3) The $5/month is for one computer, not all the computers in my house.
4) rsync doesn't work to Windows/Samba shares. (You may, however, be able to get rsync to work to a Macintosh; I haven't tested that yet.) (Update below: you can install an NFS server on Windows XP/Vista to get rsync working, or you could do it from the Windows side with an rsync-over-SSH script.)

Solution: I installed it on a Vista workstation, created a share, and copied the few things I really need backed up to it. I also wrote scripts to transfer my PBX backups to my backup-and-log host and then copy the files from the backup server to the Windows share via smbclient. I'll skip the part about configuring password-less SSH logins with ssh-keygen keys, as well as the kinit needed for smbclient to log in to Windows. (I was also never able to get mount.cifs to work via kinit, just smbclient.)

So what happened when I tried to back up 15 GB from my Vista box to Backblaze? Not much -- the files just transferred. iPod library -- check. Photos -- check. My mrtg graphs showed bandwidth rising to about 310 kbps for four days. I was still able to make phone calls over my SIP trunk to Vitelity with no problems (G.729 to my SIP provider and A-law to my friends' PBX servers over an IPsec VPN).

Bandwidth used (mrtg 'Weekly' graph, 30-minute average; graph image mrtgBackblaze.png):

          Max                  Average             Current
In     501.9 kb/s (0.5%)     56.4 kb/s (0.1%)    47.9 kb/s (0.0%)
Out   1360.2 kb/s (1.4%)    168.6 kb/s (0.2%)    29.3 kb/s (0.0%)

Security comments: Backblaze says it encrypts files, but doesn't give details on the algorithm or implementation (e.g. AES-CBC or otherwise). Backblaze does offer you the option of using a private key, so that only you (assuming you don't forget the key) can access your files.

My advice: If it needs to stay secure, encrypt the files yourself before they ever hit the local hard disk. You can even do a loopback mount to an AES-encrypted file on a Samba share (there's a super-awesome tutorial on that), and rsync will work against it, but the whole file changes on every write, so all of it has to be sent to Backblaze again.

Update: You can use rsync to get your Linux/BSD/Unix files over to your Windows box, but you'll need to install an NFS server on the Windows box. You could also use Microsoft's Services for Unix, but it's easier just to use the Allegro server.

Saturday, September 12, 2009

Running pfSense on a WatchGuard x700 firewall

The original Firebox X series is nearing its end of life, so I was able to purchase an x700 on eBay for a song. WatchGuard stops providing updates for it as of October 2009, so you might start seeing more of them on eBay. The original WatchGuard X series consisted of the x500, x700, x1000, and x2500. Since they were software-upgradable, I am assuming the hardware for all of them is identical. (Warning: WatchGuard has many stickers on the box, and more inside, indicating that opening the box or removing any hardware voids the warranty.) Why would I buy an end-of-life firewall? Because it's great hardware to run pfSense, one of the best open-source firewall packages available.

WARNING: You should not pay more than $100 for the x500 through x2500. They're end-of-life. And don't let anyone confuse an even older 2RU model with the X series.

What's the hardware? (Boot console text and photos were linked from the original post.) It's a 1.2 GHz Celeron processor, 256 MB of PC133 RAM, a SanDisk 64 MB "Industrial Grade" CompactFlash card, and an Intel motherboard with six RealTek (!) LAN ports. There's a serial port, two fans, a PCI slot, and a mini-PCI slot occupied by a SafeNet SafeXcel 1141 v1.1 card. Unfortunately, the SafeXcel 1141 is not supported in FreeBSD, even though the boot messages show that it found something. (Maybe OpenBSD...)

Just to be sure, I ran the OpenSSL speed test (openssl speed) from the WatchGuard's console after I installed pfSense.

Firebox X series, SafeNet 1141 v1.1 installed:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      26917.66k    27987.75k    28248.74k    28359.04k    28376.05k
aes-192 cbc      22900.88k    23917.93k    24122.93k    24210.67k    24213.70k
aes-256 cbc      20624.38k    21210.58k    21364.18k    21430.52k    21439.17k

Firebox X series, SafeNet removed:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      26924.00k    27986.35k    28249.58k    28358.33k    28374.19k
aes-192 cbc      22911.56k    23924.39k    24126.03k    24212.23k    24220.05k
aes-256 cbc      20624.28k    21211.41k    21360.39k    21429.22k    21439.88k

While the SafeNet card makes no difference (FreeBSD isn't using it), the Firebox blows away my Alix 2d3 board with the Soekris mini-PCI HiFn 7955 card, which is what I'm currently running pfSense on. To be fair, the Alix was still live and sending 310k/sec to Backblaze during the test, but that's another story.

Alix board w/Soekris VPN card:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc       5186.19k     5310.60k     5423.67k     5473.56k     5487.10k
aes-192 cbc       4548.62k     4671.94k     4780.79k     4802.54k     4801.88k
aes-256 cbc       4117.25k     4157.12k     4243.48k     4263.61k     4257.15k
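To turn the three openssl speed tables above into a direct comparison, here is a small Python script, added as an example and not from the original post, that parses the summary rows and reports two things: whether the SafeNet card makes any measurable difference (it doesn't, because FreeBSD never drives it), and how far the Firebox outruns the Alix. The table text is the output quoted above; the dictionary keys, function names and the 5% "accelerator in use" threshold are my own choices.

```python
"""Compare `openssl speed` summary tables from different boxes.

The three tables are the ones printed in the post above; openssl reports
throughput in thousands of bytes per second (e.g. "26917.66k").
"""
import re

SPEED_TABLES = {
    "firebox_with_safenet": """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128 cbc 26917.66k 27987.75k 28248.74k 28359.04k 28376.05k
aes-192 cbc 22900.88k 23917.93k 24122.93k 24210.67k 24213.70k
aes-256 cbc 20624.38k 21210.58k 21364.18k 21430.52k 21439.17k
""",
    "firebox_no_safenet": """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128 cbc 26924.00k 27986.35k 28249.58k 28358.33k 28374.19k
aes-192 cbc 22911.56k 23924.39k 24126.03k 24212.23k 24220.05k
aes-256 cbc 20624.28k 21211.41k 21360.39k 21429.22k 21439.88k
""",
    "alix_soekris": """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128 cbc 5186.19k 5310.60k 5423.67k 5473.56k 5487.10k
aes-192 cbc 4548.62k 4671.94k 4780.79k 4802.54k 4801.88k
aes-256 cbc 4117.25k 4157.12k 4243.48k 4263.61k 4257.15k
""",
}

# one throughput field as openssl prints it: "26917.66k"
_THROUGHPUT = re.compile(r"^([0-9]+(?:\.[0-9]+)?)k$")


def parse_speed_table(text):
    """Parse an `openssl speed` summary into {cipher: {block_size: bytes/s}}.

    The header row "type 16 bytes 64 bytes ..." gives the block sizes; every
    following row whose trailing fields are "NNNN.NNk" values is a result row,
    and its leading fields (e.g. "aes-128 cbc") form the cipher name.
    """
    sizes = None
    results = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "type":
            # every other field after "type" is a size; the rest are "bytes"
            sizes = [int(fields[i]) for i in range(1, len(fields), 2)]
            continue
        if sizes is None:
            continue  # ignore anything before the header row
        values = []
        for field in fields:
            match = _THROUGHPUT.match(field)
            if match:
                values.append(float(match.group(1)) * 1000.0)
        if len(values) != len(sizes):
            continue  # not a result row
        name = " ".join(fields[: len(fields) - len(values)])
        results[name] = dict(zip(sizes, values))
    return results


def throughput_ratio(run, baseline, cipher):
    """Per-block-size ratio run/baseline for one cipher (1.0 = identical)."""
    return {size: run[cipher][size] / baseline[cipher][size]
            for size in run[cipher]}


def accelerator_in_use(with_card, without_card, threshold=0.05):
    """Judge whether a crypto card is actually being driven by the OS.

    A working accelerator shows up as a consistent win (here: more than 5% at
    every block size for every cipher); a card the OS can't use changes
    nothing, which is exactly the Firebox result above. The threshold is an
    arbitrary noise margin, not an OpenSSL convention.
    """
    for cipher in with_card:
        ratios = throughput_ratio(with_card, without_card, cipher)
        if not all(r > 1.0 + threshold for r in ratios.values()):
            return False
    return True


def main():
    runs = {name: parse_speed_table(text) for name, text in SPEED_TABLES.items()}
    used = accelerator_in_use(runs["firebox_with_safenet"], runs["firebox_no_safenet"])
    print("SafeNet 1141 in use under FreeBSD:", used)
    for cipher in runs["firebox_no_safenet"]:
        ratio = throughput_ratio(runs["firebox_no_safenet"], runs["alix_soekris"], cipher)
        print("%-12s Firebox/Alix at 8192 bytes: %.2fx" % (cipher, ratio[8192]))


if __name__ == "__main__":
    main()
```

Run it as a script to print the report. The same parser works on any openssl speed summary you paste in, so it is a quick way to check whether a crypto card in a new firewall box is actually doing anything before you rely on it for VPN throughput.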

Finally, some commentary on the original Watchguard Firebox series:
I used one of these at a former client's main site. The user interface was great, and it offered superb logging and even a real-time view of connections that I have seen no one duplicate since. That let me identify info-leak attempts in real time, because I did not leave all outbound ports open.

However, WatchGuard included the encryption acceleration hardware but didn't let you use it without an additional licen$e. pfSense is free.

Sunday, September 6, 2009

Update -- Receiving HDTV signals in Washington, DC

I was disappointed with my reception using my old Radio Shack 15-1868 indoor rabbit-ears antenna. I didn't receive channel 66, and I wanted at least to see what was on it. I received the three major networks and Fox fine, but none of the fringe UHF stations the FCC said I should be able to receive at my location.

I bought another Radio Shack antenna -- this time the "Outdoor HDTV Antenna," SKU number 15-2152 -- with the last of the money on my two-year-old Radio Shack gift card. Since it's a huge, 80-something-inch antenna, it must receive better, right? I mounted it in my attic, two floors above the indoor rabbit ears, and hooked it up with quad-shield RG58. Excitedly, I ran back down to my man-cave and scanned through the channels again.

At first, I lost channels 4, 26, and 32. After minor direction adjustments, I received all previous channels as well as 23 (analog), 25 (analog), 30, 47 and 66. While there's nothing I'm going to be watching on channel 66, I definitely receive more stations than before. Best of all, the new stations are free, so I'm one step closer to eliminating my cable bill.

If you can run a cable to your attic, and you have a traditional, non-steel roof (like the asphalt shingles here), then you can mount your antenna there. I'm not about to distract from the beauty of the Icom discone mounted on my chimney with a cheap aluminum TV antenna. And that antenna is cheap: I got aluminum dust all over my hands assembling it. Since it's going to stay in a corner of my attic, I don't mind. If you're looking for the 15-2152 antenna on Radio Shack's site, it's gone; it was discontinued and cheap to buy.