Re: Can't get carp to fail over all interfaces with pfsync

2009-11-10 Thread Mikel Lindsaar
On Tue, Nov 10, 2009 at 7:25 PM, Otto Moerbeek o...@drijf.net wrote:

 On Tue, Nov 10, 2009 at 06:36:24PM +1100, Mikel Lindsaar wrote:

   Shouldn't you run different vhid ID of carp on different carp instance.
   Here you have Carp0 and carp 1 both running with vhid 1, so how will the
   system see them as different one?

  Initially I had them running as different VHIDs.  carp0 was vhid 1 and carp1
  was vhid 2, however, this did not work either... plus I would get unknown
  vhid errors in the netstat -s -p pfsync output if I had different vhids.

  Mikel

 Then you did something else wrong, like forgetting to change them on
 both hosts. Different carp interfaces should have different vhids.
 Also, a common error is to have (slightly) different ip's, netmasks or
 aliases on the the carp interfaces for the two hosts.


Not disputing the fact that I have done something wrong, but perhaps my
reply should have been more succinct, in that:

I tried with different VHIDs and the error was the same, i.e., CARP still
worked, however it did not increase the advskew on all carp interfaces on
the same host when one carp interface was taken offline, preventing the
backup firewall from preempting all interfaces.

To clarify, CARP is working in terms of redundancy; what does not seem to be
working is the preempting of the primary firewall interfaces by the backup
firewall should _one_ of the primary interfaces be taken offline.

I returned the interfaces to carp0 = VHID 1 and carp1 = VHID 2 on both
firewalls... still the same preempting problem.

Mikel



Re: Can't get carp to fail over all interfaces with pfsync

2009-11-10 Thread Mikel Lindsaar
On Tue, Nov 10, 2009 at 8:09 PM, Camiel Dobbelaar c...@sentia.nl wrote:

  To clarify, CARP is working in terms of redundancy, what does not seem to
  be working is the preempting of the primary firewall interfaces by the
  backup firewall should _one_ of the primary interfaces be taken offline



 Use carpdemote.  (man ifconfig and see also /etc/rc)


Yes, that works.  I think the FAQ needs updating then.

This part specifically does not seem correct:

http://www.openbsd.org/faq/pf/carp.html#forcefail

If you take the physical interface down with ifconfig, then pfsync will take
all the other carp interfaces and take them offline.  If you take a carp
interface offline, then pfsync will not take the other carp interfaces
offline.

To clarify.

Primary firewall with two carp interfaces.  Backup firewall with the same
two carp interfaces.

If you do:

Primary Firewall
# ifconfig carp1 down

then the result is:

Primary Firewall:
carp0 MASTER
carp1 INIT

Backup Firewall:
carp0 BACKUP
carp1 MASTER

And no traffic flows.


If you do:

Primary Firewall
# ifconfig vr1 down   (vr1 is the interface carp1 is on)

then the result is:

Primary Firewall:
carp0 BACKUP
carp1 INIT

Backup Firewall:
carp0 MASTER
carp1 MASTER


So that works as expected.

I will write a change for the FAQ.

Mikel



Can't get carp to fail over all interfaces with pfsync

2009-11-09 Thread Mikel Lindsaar
Hi list,

So I googled, went through http://www.openbsd.org/faq/pf/carp.html a few times
as well as the archives, including one large thread which seemed to deal with
this exact issue, but the solution there was setting the VHID to the same on all
carp interfaces (which I have already tried), and I can't see where I am
screwing up.

CARP works, in terms of if I take one router down, the other router becomes
master and when the first router comes back online, it preempts the master
role back to itself.  This is expected behaviour and works fine, I can
reboot routers with impunity.

What is not working, is if I stand on the master firewall, and ifconfig
carp0 down, then the carp0 goes into INIT, and the backup firewall carp0
goes into MASTER, however, the primary firewall carp1 still stays MASTER and
the backup carp1 stays as BACKUP.  As a consequence, traffic does not flow
across the routers as you end up with:

FW1 CARP0 - INIT
FW1 CARP1 - MASTER

FW2 CARP0 - MASTER
FW2 CARP1 - BACKUP

If I then ifconfig carp1 down on the master firewall I get:

FW1 CARP0 - INIT
FW1 CARP1 - INIT

FW2 CARP0 - MASTER
FW2 CARP1 - MASTER

And traffic flows again.

This seems contrary to http://www.openbsd.org/faq/pf/carp.html which states
if you init one interface, then all carp interfaces on that redundancy group
will advertise an infinite advskew.

I have a pair of Soekris Net5501 routers with the following setup:

        +-------| WAN/Internet |-------+
        |                               |
      |vr0|                           |vr0|
     +-----+                         +-----+
     | fw1 |---vr3-------------vr3---| fw2 |
     +-----+                         +-----+
        |                               |
     |trunk1|                        |trunk1|
        |                               |
    ----+----------Shared LAN-----------+----

Trunk1 on both routers is two NICs (vr1 and vr2) bonded in a trunk group

Both routers are running 4.6 GENERIC#58 i386

On both firewalls, in pf.conf there is:

# Top of pf.conf is:
pfsync_if=vr3
carp_ext_if=carp0
carp_int_if=carp1
carpdevs="{ vr0 vr1 vr2 $carp_ext_if $carp_int_if }"
# .. skip tables, rdr, nat etc ...
#near the top of the ruleset is:
set skip on lo
set skip on $pfsync_if
pass quick on $carpdevs proto carp


On both firewalls sysctl for carp is:

 $ sysctl | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2



FW1 hostname.if files are:

 $ cat /etc/hostname.carp0
inet 192.168.167.54 255.255.255.248 192.168.167.55 vhid 1 advskew 0 pass password
 $ cat /etc/hostname.carp1
inet 192.168.110.254 255.255.255.224 192.168.110.255 vhid 1 advskew 0 pass password
 $ cat /etc/hostname.pfsync0
up syncdev vr3
 $ cat /etc/hostname.vr0
inet 192.168.167.52 255.255.255.248 NONE
 $ cat /etc/hostname.vr1
up
 $ cat /etc/hostname.vr2
up
 $ cat /etc/hostname.vr3
inet 172.16.0.1 255.255.255.252 NONE



FW2 hostname.if files are:

 $ cat /etc/hostname.carp0
inet 192.168.167.54 255.255.255.248 192.168.167.55 vhid 1 advskew 128 pass password
 $ cat /etc/hostname.carp1
inet 192.168.110.254 255.255.255.224 192.168.110.255 vhid 1 advskew 128 pass password
 $ cat /etc/hostname.pfsync0
up syncdev vr3
 $ cat /etc/hostname.vr0
inet 192.168.167.53 255.255.255.248
 $ cat /etc/hostname.vr1
up
 $ cat /etc/hostname.vr2
up
 $ cat /etc/hostname.vr3
inet 172.16.0.2 255.255.255.252 NONE



Netstat Returns:

fw1 $ netstat -s -p carp
carp:
34 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
0 discarded because packet too short
0 discarded for bad authentication
0 discarded for unknown vhid
0 discarded because of a bad address list
580 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
2 transitions to master

fw1 $ netstat -s -p pfsync
pfsync:
378 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for bad ttl
0 packets shorter than header
0 packets discarded for bad version
0 packets discarded for bad HMAC
0 packets discarded for bad action
0 packets discarded for short packet
0 states discarded for bad values
0 stale states
290 failed state lookup/inserts
488 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
0 send error


fw2 $ netstat -s -p carp
carp:
799 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter 

Re: Can't get carp to fail over all interfaces with pfsync

2009-11-09 Thread Mikel Lindsaar
On Tue, Nov 10, 2009 at 5:37 PM, Daniel Ouellet dan...@presscom.net wrote:

 FW1 hostname.if files are:

  $ cat /etc/hostname.carp0
 inet 192.168.167.54 255.255.255.248 192.168.167.55 vhid 1 advskew 0 pass password
  $ cat /etc/hostname.carp1
 inet 192.168.110.254 255.255.255.224 192.168.110.255 vhid 1 advskew 0 pass password
  $ cat /etc/hostname.pfsync0


 Shouldn't you run different vhid ID of carp on different carp instance.
 Here you have Carp0 and carp 1 both running with vhid 1, so how will the
 system see them as different one?


Initially I had them running as different VHIDs.  carp0 was vhid 1 and carp1
was vhid 2, however, this did not work either... plus I would get unknown
vhid errors in the netstat -s -p pfsync output if I had different vhids.

Mikel



HP DL360 Fan Control

2009-09-26 Thread Mikel Lindsaar
I am looking at working out how to control the fans in a HP DL360.

Right now, the fans start low, but if the room gets warm, they go to
high (Boeing 747) volume, and the only way to put them back down to
low, is a reboot, PITA.

It looks like the HP website mentions OS specific system health
drivers, which doesn't help too much as it is for Windows and
precompiled.

Does anyone have any idea on where to start?  I am willing to dive
into the source, but have never hacked on OpenBSD or an OS before, and
not sure where to begin.  I am willing to learn and have a system I
can crash with abandon.  Or even if there is a budding hacker out
there, I can provide access to a freshly formatted box.

Mikel



Re: HP DL360 Fan Control

2009-09-26 Thread Mikel Lindsaar
 You could start here: http://people.freebsd.org/~jcagle/#ilo
 You could try to fiddle with the Web-based iLO (configure the 3rd ethernet
 port in the setup) and connect with a web browser...

I'll check that out, but from memory, couldn't find that setting last
time I looked.

 BTW, HP (proliant?) DL360, which Generation? (Just curious)

HP DL360 G3

I work for a non profit and we have about 10 of these reconditioned.
They do the job very well and are quite speedy for what we need...
just very noisy, especially when they don't shut up :)

Mikel



On 4.4, ls /path/<tab><tab> apparently hanging disk subsystem

2009-05-03 Thread Mikel Lindsaar
Hi all,

I have two HP DL380 G3 servers with two 36Gb SAS drives on it in a
hardware RAID 1 mirror using the inbuilt raid controller.

When I do an ls /path/file<tab><tab> to get a possible match list, the
server disk subsystem hangs.

If I do ls /dev/<tab><tab> it always hangs, keyboard does not
respond, can not ctrl-c or ctrl-alt-del.  Have to cold reboot system.

The systems otherwise work fine except I have some problems using the
com port.  Which leads me to think it might be some sort of IRQ
conflict in the system, but can't see what it might be.

The server will continue to route traffic over the network cards and
PF continues to function, however, the only way to regain control of
the system is by a full reboot.

I have done this from both remote console and on the system console
with the same consequences.

These are both production systems and so my testing has been sporadic.

FWIW I have two other systems running OpenBSD 4.3 and I have never had
this problem.

Googling did not turn up any results.

Any ideas?

Mikel

$ dmesg
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.79 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 1073287168 (1023MB)
avail mem = 1029394432 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @
0xf, SMBIOS rev. 2.3 @ 0xec000 (49 entries)
bios0: vendor HP version P29 date 03/25/2003
bios0: HP ProLiant DL380 G3
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PCI1)
acpiprt2 at acpi0: bus 2 (PCI2)
acpiprt3 at acpi0: bus 3 (PCI3)
acpiprt4 at acpi0: bus 6 (PCI4)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CMIC-WS Host (GC-LE) rev 0x13
pchb1 at pci0 dev 0 function 1 ServerWorks CMIC-WS Host (GC-LE) rev 0x00
pci1 at pchb1 bus 3
pchb2 at pci0 dev 0 function 2 ServerWorks CMIC-LE rev 0x00
pci2 at pchb2 bus 1
ciss0 at pci2 dev 3 function 0 Compaq Smart Array 5i/532 rev.2 rev
0x01: irq 10
ciss0: 1 LD, HW rev 1, FW 2.76/2.76
scsibus0 at ciss0: 1 targets, initiator 1
sd0 at scsibus0 targ 0 lun 0: COMPAQ, LOGICAL VOLUME, 2.76 SCSI2
0/direct fixed
sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total
vga1 at pci0 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
Compaq iLO rev 0x01 at pci0 dev 4 function 0 not configured
Compaq iLO rev 0x01 at pci0 dev 4 function 2 not configured
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB5 rev 0x93: polling
iic0 at piixpm0
spdmem0 at iic0 addr 0x51: 256MB DDR SDRAM registered ECC PC2100CL2.5
spdmem1 at iic0 addr 0x52: 256MB DDR SDRAM registered ECC PC2100CL2.5
spdmem2 at iic0 addr 0x53: 256MB DDR SDRAM registered ECC PC2100CL2.5
spdmem3 at iic0 addr 0x54: 256MB DDR SDRAM registered ECC PC2100CL2.5
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus1 targ 0 lun 0: Compaq, DVD-ROM DV28EB01, D.2F ATAPI
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05:
couldn't establish interrupt at irq 15
pchb3 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
pchb4 at pci0 dev 16 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb5 at pci0 dev 16 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci3 at pchb5 bus 6
em0 at pci3 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03:
irq 7, address 00:12:79:9e:1a:8a
em1 at pci3 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03:
irq 11, address 00:12:79:9e:1a:8b
Compaq PCI Hotplug rev 0x14 at pci3 dev 30 function 0 not configured
pchb6 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb7 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci4 at pchb7 bus 2
bge0 at pci4 dev 1 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2
(0x1002): irq 7, address 00:0b:cd:2a:3a:51
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1 at pci4 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2
(0x1002): irq 11, address 00:0b:cd:2a:3a:50
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 

spamd handling multiple sending servers

2009-03-23 Thread Mikel Lindsaar
Hi all,

New user to spamd, love it.

In getting our low traffic email server running, the first thing I
noticed while following the logs that sites like gmail et al will
retry a message from a different host.  Sometimes gmail will send
once, try again very soon again from the same host and then queue it,
but the queued email might be sent by a different server.

I understand that spamd is tracking messages based on sender, receiver
and IP address, and then this can cause the problem.

Has anyone looked at using the message ID in deciding to whitelist a
host?  i.e., track the hosts by IP address, but if a previously
greylisted host has sent message id 1234 and another host tries to
redeliver 1234 within the passtime requirements, whitelist both?

Obviously it would be an optional flag, but it seems the likelihood
of some spam bot being able to guess the message id and who has just
sent you a message to bypass this would be low.

Open to ideas and if it is already on the cards great, if not, willing
to look into the source myself.

Mikel



heartbeating Carp ?

2009-02-24 Thread Mikel Lindsaar
Hi all,

I have a pair of firewalls using carp between them in front of some
servers.  Works really nice.

Today, however, I got an edge case on the firewalls.

Firewall one was not accessible, and I couldn't access any firewall behind it.

Getting into firewall 2 directly, I found that firewall 1 internal
interface was up, but the external was unreachable.  I checked the
carp interfaces and found that firewall 2 was advertising as a master
on the external interface, but as a backup on the internal interface.

sshing over to firewall 1 on the dedicated cross over carp link, I
found that firewall 1 was also advertising master on the external
interface and master on the internal interface.

Firewall 1 could not ping past its external interface, though the
network layer was up.

Due to this, carp on Firewall 1 did not think it was down, and so,
seemed to be ignoring the pre-emption being attempted by firewall 2.
So I ended up having packets going into firewall 2, but then trying to
get out through firewall 1.

Both firewalls have the preempt option set in sysctl.conf

Manually failing firewall 1 did the trick and firewall 2 took over
master on external and internal and all is good now.  We are still
resolving why firewall 1 can't get out to the Internet, might be a
specific routing or acl problem on the switch it is connected to,
might be a hardware problem, not sure yet.

However, the question I have is how do others deal with this?

I was thinking a cron entry that periodically checks for connectivity
both ways and sets the carp state to backup if the checks fail, but
this sounds a bit off the cuff and hackish and could be prone to a
race condition or ending up setting BOTH firewalls to backup at the
same time... not so good I am thinking.

So needed is some sort of heartbeat.  In this case, Carp didn't see
anything wrong (interface was up, link was good, traffic being
received... just no route anywhere and every packet sent got
blackholed).

A bit of googling around didn't turn up anything obvious.

Any ideas?

Mikel
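Acting on Camiel's carpdemote pointer in the failover thread above and on the heartbeat question in this post, here is an added example that is not part of the thread or of OpenBSD's own rc: a cron-driven sh script that demotes the whole carp interface group with ifconfig(8) carpdemote when upstream probes keep failing, and undoes the demotion when they recover. The script name, probe hosts, state file path and demotion amount are assumptions.

```shell
#!/bin/sh
# carp_watch.sh (hypothetical, written for this thread): run from cron on
# each firewall. When upstream probes keep failing while the interface is
# still up, raise the CARP demotion counter on the whole "carp" interface
# group so the peer takes over every carp interface at once; undo it when
# the probes recover. PROBE_HOSTS, STATE_FILE and DEMOTE_BY are assumptions.
#
# Why carpdemote rather than "ifconfig carpN down": the counter applies to
# the group, so all carp interfaces on this host lose master together. A
# demotion only raises this host's advertised skew, it never forces BACKUP
# outright, so if both hosts demote the one with the lower total still
# stays master instead of both ending up backup.

PROBE_HOSTS="${PROBE_HOSTS:-192.0.2.1 192.0.2.2}"   # constructed next hops; replace
STATE_FILE="${STATE_FILE:-/var/run/carp_watch.state}"
# Added to advskew while demoted; must exceed the advskew gap between the
# two hosts (0 vs 128 in this thread) or the demoted primary still wins.
DEMOTE_BY="${DEMOTE_BY:-200}"
FAILS_REQUIRED="${FAILS_REQUIRED:-3}"                # consecutive failed rounds before acting
PING="${PING:-ping -c 1 -w 2}"                       # one echo request, wait at most 2s

# State file holds "FAILS DEMOTED": consecutive failed rounds so far, and
# whether this script currently holds a demotion (so it is never applied twice).
read_state() {
    if [ -s "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo "0 0"; fi
}
write_state() { echo "$1 $2" > "$STATE_FILE"; }

# A round succeeds if any probe host answers, so one dead probe target
# does not by itself demote the firewall.
probe_round() {
    for h in $PROBE_HOSTS; do
        $PING "$h" >/dev/null 2>&1 && return 0
    done
    return 1
}

# carp_watch_decide FAILS DEMOTED: prints demote, restore or none.
carp_watch_decide() {
    if [ "$1" -ge "$FAILS_REQUIRED" ] && [ "$2" -eq 0 ]; then
        echo demote
    elif [ "$1" -eq 0 ] && [ "$2" -eq 1 ]; then
        echo restore
    else
        echo none
    fi
}

# carp_watch_step PROBE_OK: advance the state machine by one cron run.
# PROBE_OK is 1 if the round succeeded, 0 if it failed. Prints the action
# to take and persists the new state.
carp_watch_step() {
    probe_ok=$1
    set -- $(read_state)
    fails=${1:-0}; demoted=${2:-0}
    if [ "$probe_ok" -eq 1 ]; then fails=0; else fails=$((fails + 1)); fi
    action=$(carp_watch_decide "$fails" "$demoted")
    case $action in
        demote)  demoted=1 ;;
        restore) demoted=0 ;;
    esac
    write_state "$fails" "$demoted"
    echo "$action"
}

# apply_action ACTION: the only place that touches the kernel.
# "ifconfig -g carp carpdemote N" raises the group's demotion counter by N,
# "ifconfig -g carp -carpdemote N" lowers it again.
apply_action() {
    case $1 in
        demote)
            logger -t carp_watch "upstream unreachable, demoting carp group by $DEMOTE_BY"
            ifconfig -g carp carpdemote "$DEMOTE_BY" ;;
        restore)
            logger -t carp_watch "upstream reachable again, restoring carp group"
            ifconfig -g carp -carpdemote "$DEMOTE_BY" ;;
    esac
}

# Cron entry (every minute): * * * * * /usr/local/sbin/carp_watch.sh --run
if [ "${1:-}" = "--run" ]; then
    if probe_round; then ok=1; else ok=0; fi
    apply_action "$(carp_watch_step "$ok")"
fi
```

Check the result with "ifconfig -g carp", which reports the group's current demote count, and watch the carp transitions in the log.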



Re: [OT] soekris4801: CF and hard disk ?

2008-11-25 Thread Mikel Lindsaar
On Wed, Nov 26, 2008 at 8:27 AM, jul [EMAIL PROTECTED] wrote:

 is it possible to have both Compact Flash and Hard disk in this soekris
 at the same time?


Yes.

Here is my dmesg for a net5501

I don't recall doing anything special.  But I do think I installed OpenBSD
on the sandisk first, then plugged in the HDD.  Don't know if this actually
affected anything.  Either way, I have two of these running in production,
so I doubt it was a fluke :)

Mikel


OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class)
500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 536440832 (511MB)
avail mem = 510664704 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x30
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
address 00:00:24:c9:a8:b8
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 VIA VT6105M RhineIII rev 0x96: irq 5, address
00:00:24:c9:a8:b9
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 VIA VT6105M RhineIII rev 0x96: irq 9, address
00:00:24:c9:a8:ba
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 12,
address 00:00:24:c9:a8:bb
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 AMD CS5536 ISA rev 0x03: rev 0, 32-bit
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFH-1024
wd0: 4-sector PIO, LBA, 977MB, 2001888 sectors
wd1 at pciide0 channel 0 drive 1: ST9250827AS
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 AMD CS5536 USB rev 0x02: irq 15, version
1.0, legacy support
ehci0 at pci0 dev 21 function 1 AMD CS5536 USB rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 10: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
biomask e5c5 netmask ffe5 ttymask ffe7
mtrr: K6-family MTRR support (2 registers)
uplcom0 at uhub1 port 1 Prolific Technology Inc. USB-Serial Controller rev
1.10/3.00 addr 2
ucom0 at uplcom0
softraid0 at root
root on wd0a swap on wd0b dump on wd0b



Re: PF and the old SIP issue

2008-11-19 Thread Mikel Lindsaar
On Thu, Nov 20, 2008 at 1:44 AM, marrandy [EMAIL PROTECTED] wrote:

 On Wednesday 19 November 2008 09:07:31 you wrote:
   OpenBSD PF firewall consisting of ext, DMZ, internal/private interfaces.
   VOIP server sitting in the DMZ.
   Multiple (pick any number, 5, 10, 100) SIP phones in the private LAN.
   Multiple mobile (pick any number, 5, 10, 100) SIP phones anywhere in the
   USA. (NOTE: Mobile means they are carried and plugged in anywhere, but
   are programmed with the static IP gateway address.

   How would you create a working pf.conf file so everything 'just works'.
 Sounds like a lot of work.  I need to go and hit the asterisk list.

 I'll let you know if I find anything out.


FWIW I run about 8 asterisk servers behind openbsd firewalls.  I have found
the most non-problematic way to run them has been by using the asterisk
servers as a SIP proxy for your SIP clients and making sure that canreinvite
in asterisk is turned off, this increases your load on the asterisk server,
but I haven't found that to be a real problem.

Your external SIP clients are going to have to connect to something.  You
need to define what you want to say are valid RTP ports, it's usually in
the 1-2 range, but you need to set this up on your asterisk server
appropriately.

Then on the firewall, using rdr rules you can redirect incoming SIP and RTP
ports to your asterisk box internally.

Outgoing from the asterisk server is usually a no brainer, you might want to
set pf to be conservative on reclaiming idle states though, I've found on
occasion a disconnected sip line as all the activity happens on the RTP
side.

You'll need incoming redirections on your SIP from your sip provider, or if
you can, use IAX2, it handles firewalls much more gracefully.

Something like authpf can be used to open up the allow rules on the
redirect.  Or you could use VPNs and make the external sip clients appear
on your internal network, avoiding the whole redirect problem altogether.
Though you would want to test this for phone quality.  I haven't tried this
myself, but can't see why it wouldn't work.

YMMV and of course... tweak it to your own requirements.

Mikel



Re: Multipath to CISCO

2008-11-05 Thread Mikel Lindsaar
On Wed, Nov 5, 2008 at 2:11 PM, Jussi Peltola [EMAIL PROTECTED] wrote:

  The other option I believe would be using PF to round robin the packets on
  both destinations using route-to rules.  Would this work?

 Why wouldn't it?


Not that I can think of, I guess that is why I am emailing the list :)

Just more wondering if anyone has had experience on this specifically.

  I'm really trying to avoid having to buy an 1841.  Don't have the budget or
  inclination to spend that much money for a little green box when I think my
  OpenBSD box can handle it.

 If you have two ethernets and you want to round-robin, trunk(4) might
 work too.


Yeah, that would work I guess, if I could get the modems into bridge mode
and then talk directly to the central cisco. not a bad idea.

-- 
http://lindsaar.net/
Rails, RSpec and Life blog



Re: Multipath to CISCO

2008-11-05 Thread Mikel Lindsaar
On Thu, Nov 6, 2008 at 5:45 AM, andrew fresh [EMAIL PROTECTED] wrote:

 On Wed, Nov 05, 2008 at 09:40:02AM +, Stuart Henderson wrote:
  On 2008-11-05, Mikel Lindsaar [EMAIL PROTECTED] wrote:
   The other option I believe would be using PF to round robin the packets on
   both destinations using route-to rules.  Would this work?
  it should, but you might need to make the rules stateless (no state).
 It works, and you do.

SNIP EXAMPLE


Thanks heaps Andrew.
Mikel




Multipath to CISCO

2008-11-04 Thread Mikel Lindsaar
Hi all,
I am trying to get 4mb/s of IAX2 voice traffic to a single VOIP provider
using an IAX2 trunk down here in Australia.  One of the options we have is
getting a 4mb SHDSL connection with an ISP.  The ISP usually want to install
a CISCO 1841 with two WIC1-SHDSL cards at a lease rate of $2,400 per annum.

I don't want to spend that much money on a router, especially one that I
won't own at the end.  Unfortunately purchasing a $4,500 router is not
really an option right now.

So I spoke with the ISP and they are willing to help me work out a more cost
effective solution.

The plan is to terminate two SHDSL connections on two separate SHDSL
ethernet modems, which will just forward the packets to the other end.  The
network between the OpenBSD box and the modems will be a publicly routable
/29.

The ISP will then round robin the packets down to me, and I want to round
robin the packets back to them.

After reading http://www.openbsd.org/faq/faq6.html it looks that equal cost
routing will not do what I want as it looks like each destination is mapped
to one possible route out of a pool, which I believe means I'll only ever
get 2mb/s per VOIP peer I connect to.

The other option I believe would be using PF to round robin the packets on
both destinations using route-to rules.  Would this work?

At the ISP end we will be terminating into the back of a CISCO.  The ISP is
willing to work out what we need to make it work.

I'm really trying to avoid having to buy an 1841.  Don't have the budget or
inclination to spend that much money for a little green box when I think my
OpenBSD box can handle it.

Has anyone done something like this?  Any pointers?

Thanks

Mikel



Re: newbie network segment routing query

2008-11-04 Thread Mikel Lindsaar
On Wed, Nov 5, 2008 at 3:16 AM, John . [EMAIL PROTECTED] wrote:

 fxp0 to the speedtouch
 fxp1 for a network that I want to be unfiltered, in other words, real
 IPs (wired)
 fxp2 the top usable real IP - this I want to nat behind, it is for wireless
 fxp3 is unused.

 Is this a DMZ for fxp1? I don't need this traffic to be processed by
 the openbsd box, I just want it to go down the right interface. From
 what I've read, a DMZ involves some queuing/processing. Not sure if my
 nomenclature is right for what I'm describing. Is there a howto for
 what I'm trying to do? Do I have to split the /28?


Basically you need to make a bridge between fxp0 and fxp1.  I do this exact
setup in one of our locations.

The basic steps run like this:

1) Put one address from the /28 on the Speedtouch ethernet interface.
2) Put one address from the /28 on the OpenBSD box
3) Disable pf (pfctl -d)
4) Make sure you can ping the Speedtouch and get out to the Internet.
5) Set up a bridge on fxp0 to fxp1 per the OpenBSD FAQ
6) Set up a computer on the fxp1 network and give it an IP from the /28
7) Make the default gateway on the computer on the fxp1 network equal the
Speedtouch IP address
8) Make sure you can get out to the Internet on the computer on the fxp1
network.
9) Open your pf.conf file and add 'skip on fxp0 fxp1' for now
10) Put pass all in your pf.conf for now
11) Enable pf and make sure you can still ping the internet from your
OpenBSD box and the computer on your network
12) Set up NAT on fxp2 per the FAQs
13) Set up a computer on the fxp2 network and make sure you can ping and get
out to the internet
14) Go back through your pf.conf and put in the firewall rules you need.

Hope that helps.

Mikel




Re: Sensor data and RAID notifications help wanted

2008-11-02 Thread Mikel Lindsaar
On Sun, Nov 2, 2008 at 3:28 PM, Mikel Lindsaar [EMAIL PROTECTED] wrote:
 2008/11/2 Constantine A. Murenin [EMAIL PROTECTED]:
 Have you tried
 enabling ipmi (boot -c   enable ipmi   quit)? It is disabled mostly
 due to some problems with IBM servers, AFAIK...

 Thank you very much!  This handled it!

For Google's sake, here is a write up on how to enable it step by step...

http://www.lindsaar.net/2008/11/1/openbsd-raid-and-temp-sensors-on-hp-proliant-dl-360-and-380-series




Re: OpenBSD 4.4 released, Nov 1. Enjoy!

2008-11-01 Thread Mikel Lindsaar
On Sat, Nov 1, 2008 at 6:11 PM, my mail [EMAIL PROTECTED] wrote:
 --- On Fri, 10/31/08, Theo de Raadt [EMAIL PROTECTED] wrote:
 We are pleased to announce the official release of OpenBSD
 4.4.

Thanks again for your work Theo et al...



Sensor data and RAID notifications help wanted

2008-11-01 Thread Mikel Lindsaar
Hi all,

I want to help get the HP Proliant sensors working with OpenBSD.

I work with several non-profit organizations and so, as a group, we
have gotten some HP Proliant G3 servers.  12 of them.  They are nice
and cheap (being 2 years old) and have proven to be quite a reliable
unit so far.  We have OpenBSD on 6 of these.

However, I can't get much data out of them.  The two scary things that
I want to handle is getting temperature data of the system and also
alerts / notifications of failing RAID sets.

I have two units that are not being used right now (one DL360 G3 and
one DL380 G3) and I could put both of these on the Internet with an
ILO connection to it (provides console access and ability to reboot
the unit remotely, access the BIOS etc) with OpenBSD 4.4 on it if
anyone is interested in playing with it to help get this implemented.
I would love to help and if a developer feels like diving in and doing
some work on it, I should be able to gather some funds or goods
together to help pay for the trouble.

The servers and myself are in Sydney Australia FWIW.

From what I know, there are hpasm drivers for FreeBSD available that
might be able to be ported across.  The FreeBSD RAID drivers do detect
RAID set changes in the units and log to syslog these changes which I
can capture and raise SNMP traps with.  This might be a good place to
start.

However, unfortunately, my knowledge of C is nowhere near the
ballpark of coding system drivers, though I would love to learn.

If anyone is interested, please email me on or off list.  Your choice.

Mikel Lindsaar



Re: Sensor data and RAID notifications help wanted

2008-11-01 Thread Mikel Lindsaar
2008/11/2 Constantine A. Murenin [EMAIL PROTECTED]:
 Have you tried
 enabling ipmi (boot -c   enable ipmi   quit)? It is disabled mostly
 due to some problems with IBM servers, AFAIK...

Thank you very much!  This handled it!

Mikel



How to debug IPSec and PF problem

2008-10-29 Thread Mikel Lindsaar
Hi all,

I've got a VPN running between two networks. Works fine for basically
everything and very easy to setup, kudos to the guys that worked on
ipsecctl and isakmpd.

I have one problem though that I am trying to debug.

Network looks like this:

192.168.11.250   # Asterisk1
      |
      |
192.168.11.1     # OpenBSD1 4.3
      |
      |          # VPN
      |
192.168.4.1      # OpenBSD2 4.3
      |
      |
192.168.4.250    # Asterisk2

Firstly, I can ssh from any box to any box over the VPN.  This works
fine.  So the basic VPN is functional.

Secondly, 192.168.4.1 has several different routes out of it and a
fairly complex setup in pf.conf and this is what I think I have
misconfigured.

I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2.

The traffic is running and I get the traffic flowing from one end to
the other, but return traffic is getting blocked or misrouted.

Running tcpdump on 192.168.4.250 eth0, I see the packets from 192.168.11.250
arriving and packets from 192.168.4.250 leaving.

Running tcpdump on 192.168.4.1 enc0, I see the packets from 192.168.11.250
arriving and packets from 192.168.4.250 leaving.

Running tcpdump on 192.168.11.1 enc0, I only see the 192.168.11.250 packets.

Running tcpdump on 192.168.11.250 eth0, I only see the 192.168.11.250 packets.

I have disabled any firewalls on both asterisk boxes, but this makes no change.

Disabling pf on the 192.168.11.1 box makes no change.

I can't disable pf on 192.168.4.1 right now (could schedule a time later).

I believe the problem is somewhere in 192.168.4.1's pf.conf or route table.

Now, I know this email contains nowhere near all the data needed to
debug this by someone on list, but I want to work it out myself and I
have a few questions.

1) Is the ipsec tunnel just treated like a standard interface by PF?

2) how and when does the ipsec tunnel grab packets to send through the
tunnel?  I can't see any route entries or the like.  I assume it
attaches somehow the same way PF does and intercepts packets.

And probably most importantly:

3) What is the best way to find what rule in PF is matching the IAX
UDP packet stream?  I'm not getting anywhere with eyeballing it.

If I can find how the packet is moving through the stack, I am sure I
can fix the darn thing.

Thanks

Mikel



Re: How to debug IPSec and PF problem

2008-10-29 Thread Mikel Lindsaar
On Wed, Oct 29, 2008 at 8:06 PM, Christoph Leser [EMAIL PROTECTED] wrote:
 On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote:
 I've got a VPN running between two networks. Works fine for
 basically
 If so why would traffic from one LAN host at the 192.168.4.
 end be any different to the others? There is nothing magic
 about asterisk.
 3. tcpdump on the other interfaces of your bsd boxed might help to discover
 the missing packets ( if, as Rod suspects, they are just routed into the cloud

OK, turns out the problem was a state entry.

I did pfctl -k 0.0.0.0/0 -k 192.168.11.250 and all was good.

Thanks for your pointers though.

Mikel



Management of HP Proliant DL and BL Series

2008-10-29 Thread Mikel Lindsaar
I've got a few (10) HP DL and BL servers running OpenBSD.

These are spread out over several sites and run our firewalls and
monitoring servers.

Trying to find the best way to monitor them for drive, PSU failures, etc.

Has anyone had any success along this line?

Looking at the various sites, the best option seems to be trying to
get the HP Linux health drivers working to generate traps, but don't
know if trying to do this is pie in the sky.

What tools / options would you recommend?

Mikel



Re: Shutdown with the power button

2008-10-17 Thread Mikel Lindsaar
On Thu, Oct 16, 2008 at 11:54 PM,  [EMAIL PROTECTED] wrote:
 On Thu, Oct 16, 2008 at 11:30:02PM +1100, Mikel Lindsaar wrote:
 Hmm... here is the dmesg then any ideas?
 looks like you're missing an acpibtn (man acpibtn).

Thanks Peter, that is the case and it looks like the why on the problem.

Any pointers on how to get it enabled?

Looking through the BIOS settings, there isn't an APM section at all
that I can see, this is a 1RU server, so that doesn't really surprise
me.

Mikel



Shutdown with the power button

2008-10-16 Thread Mikel Lindsaar
Hi list,

Wondering if anyone knows how (or if it is possible) to be able to
gracefully power down an OpenBSD box by hitting the power button on
the server.

Useful when you need someone to power down a system (like in a power
failure situation) but there is no console attached.

FreeBSD and Linux provide what I am talking about: hit the power
button and it looks like the equivalent of a halt -p.  But I don't want to
use Linux or FreeBSD on these firewall boxes.

Not something I would use very often, but two nights ago really needed
it.  The OpenBSD box ended up having a hard power switch off instead
of a clean shutdown.

The server in question is an HP DL360.

Thanks,

Mikel



Re: Shutdown with the power button

2008-10-16 Thread Mikel Lindsaar
On Thu, Oct 16, 2008 at 11:22 PM, Gregory Edigarov
[EMAIL PROTECTED] wrote:
 Mikel Lindsaar wrote:
 Wondering if anyone knows how (or if it is possible) to be able to
 gracefully power down an OpenBSD box by hitting the power button on
 the server.
 Mine does clean  shutdown on power button just from the box

Hmm... here is the dmesg then any ideas?



OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.06GHz (GenuineIntel 686-class) 3.07 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 2147028992 (2047MB)
avail mem = 2068054016 (1972MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @
0xf, SMBIOS rev. 2.3 @ 0xec000 (42 entries)
bios0: vendor HP version P31 date 03/03/2005
bios0: HP ProLiant DL360 G3
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PCI1)
acpiprt2 at acpi0: bus 4 (PCI2)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CNB20-HE Host (GC-LE) rev 0x31
pchb1 at pci0 dev 0 function 1 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pchb2 at pci0 dev 0 function 2 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci1 at pchb2 bus 1
em0 at pci1 dev 1 function 0 Intel PRO/1000MT (82546EB) rev 0x01:
irq 15, address 00:04:23:c8:03:f6
em1 at pci1 dev 1 function 1 Intel PRO/1000MT (82546EB) rev 0x01:
irq 11, address 00:04:23:c8:03:f7
bge0 at pci1 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2
(0x1002): irq 11, address 00:0b:cd:83:67:89
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
vga1 at pci0 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ciss0 at pci0 dev 4 function 0 Compaq Smart Array 5i/532 rev.2 rev 0x01: irq 3
ciss0: 1 LD, HW rev 1, FW 2.76/2.76
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: COMPAQ, LOGICAL VOLUME, 2.76 SCSI2
0/direct fixed
sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total
Compaq iLO rev 0x01 at pci0 dev 5 function 0 not configured
Compaq iLO rev 0x01 at pci0 dev 5 function 2 not configured
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB5 rev 0x93: polling
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM registered ECC PC2300CL2.5
spdmem1 at iic0 addr 0x52: 512MB DDR SDRAM registered ECC PC2100CL2.5
spdmem2 at iic0 addr 0x54: 512MB DDR SDRAM registered ECC PC2100CL2.5
spdmem3 at iic0 addr 0x56: 512MB DDR SDRAM registered ECC PC2100CL2.5
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: COMPAQ, CRN-8245B, 2.19 SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: no compatibility interrupt for use by channel 1
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05:
irq 10, version 1.0, legacy support
pchb3 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
pchb4 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb5 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci2 at pchb5 bus 4
bge1 at pci2 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2
(0x1002): irq 15, address 00:0b:cd:83:67:ab
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 ServerWorks OHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 65ed netmask eded ttymask ffef
mtrr: Pentium Pro MTRR support
softraid0 at root
root on sd0a swap on sd0b dump on sd0b



PF rule evaluation

2008-08-24 Thread Mikel Lindsaar
Hello list,

I have purchased and read the book of PF (good book by the way) as
well as the man pages, and I have a question that I have not been able
to find a definitive answer on:

Does PF only evaluate every packet against the ruleset once on all
interfaces, or does it evaluate once for each interface?

What I mean is, does a matching pass quick rule on one interface (say
$int_if) then also guarantee egress on another interface that has a
block rule?

Per pf.conf(5):

 For each packet processed by the packet filter, the filter rules are
 evaluated in sequential order, from first to last.  The last matching
 rule decides what action is taken.  If no rule matches the packet, the
 default action is to pass the packet.

 ...

 If a packet matches a rule which has the quick option set, this
 rule is considered the last matching rule, and evaluation of subse-
 quent rules is skipped.

But this only says 'for each packet processed' not how many times it
may or may not process that packet. I assume it does it just once, but
I have been wrong before :)

For a contrived example:

1 pass in quick on $int_if route-to ($ext_if, $ext_gw) from any to any
2 block out quick on $ext_if from any to any

Given a packet coming in on $int_if, rule (1) matches, so rule (2) would
not be evaluated.
Given a packet originating from localhost, rule (1) does not match, so
rule (2) would be matched.

Am I correct on this understanding?


Mikel



Re: PF rule evaluation

2008-08-24 Thread Mikel Lindsaar
On Mon, Aug 25, 2008 at 11:33 AM, Aaron Stellman [EMAIL PROTECTED] wrote:
 On Mon, Aug 25, 2008 at 11:05:38AM +1000, Mikel Lindsaar wrote:
 I have purchased and read the book of PF (good book by the way) as
 well as the man pages, and I have a question that I have not been able
 to find a definitive answer on:

 Does PF only evaluate every packet against the ruleset once on all
 interfaces, or does it evaluate once for each interface?

 If your default action is `block' and you want to allow a packet to be
 routed through 2 interfaces on a multihomed box, you'd need two rules:
 1st rule to allow packet `in' on the first interface
 2nd rule to allow packet `out' from the second interface

 I hope this answers your question.

Thanks for your answer.  That mostly answers it.  Might be a good
thing to modify the man page on the quick keyword...

So instead of this in pf.conf(5):

 quick
   If a packet matches a rule which has the quick option set, this
   rule is considered the last matching rule, and evaluation of subse-
   quent rules is skipped.

We should change it to something like this: ?

 quick
   If a packet matches a rule which has the quick option set, this
   rule is considered the last matching rule, and evaluation of subse-
   quent rules is skipped.  Note, if the rule using the quick directive
   states a specific interface, then using quick on a packet does not
   guarantee that the packet will make it through the rule set of a
   different interface.  If using quick on a specific interface, then you
   will need additional rules on other interfaces to approve or block the
   packet.  If you want a packet to be globally affected as the last
   matching rule, then be sure not to specify an interface when using
   the quick directive.

Although it is a bit wordy, is that the correct idea?

If that is the case, then this shows a perfect use of the tagging
features of PF.  I could tag a packet as 'approved' and then do pass
quick on the other interfaces for these packets.

Mikel
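As an added illustration of the per-interface evaluation Aaron describes and the tagging idea raised at the end of this reply, here is a small Python model of the ruleset semantics (constructed example code, not from the thread and not PF's own implementation). It uses the two contrived rules from the original question plus a tagged variant; the interface names int_if/ext_if, the tag name "approved" and the sample addresses are assumptions, and route-to is left out since it does not change which pass blocks the packet.

```python
"""Toy model of how PF evaluates a ruleset once per interface crossing.

Semantics modelled (from pf.conf(5) as quoted in the thread):
  * each time a packet crosses an interface (in on one, out on another)
    the ruleset is evaluated again, first to last, last match wins;
  * 'quick' ends evaluation for that pass only;
  * if nothing matches, the default action is pass.
Tags are applied from the final matching rule of a pass. Everything else
(state tracking, route-to, protocols) is deliberately omitted.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: Optional[str]          # None means "on any interface"
    quick: bool = False
    tag: Optional[str] = None     # tag to stamp on the packet when final match
    tagged: Optional[str] = None  # only match packets already carrying this tag


@dataclass
class Packet:
    src: str
    dst: str
    tags: Set[str] = field(default_factory=set)


def evaluate(rules: List[Rule], pkt: Packet, direction: str, iface: str) -> str:
    """One pass of the whole ruleset for a single interface crossing."""
    match = None
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.iface is not None and rule.iface != iface:
            continue
        if rule.tagged is not None and rule.tagged not in pkt.tags:
            continue
        match = rule              # last matching rule wins ...
        if rule.quick:
            break                 # ... unless it is quick
    if match is None:
        return "pass"             # default action when nothing matches
    if match.tag:
        pkt.tags.add(match.tag)
    return match.action


def forward(rules: List[Rule], pkt: Packet, in_if: str, out_if: str) -> str:
    """Packet arrives on in_if and is routed out via out_if: two passes."""
    if evaluate(rules, pkt, "in", in_if) == "block":
        return "blocked in on " + in_if
    if evaluate(rules, pkt, "out", out_if) == "block":
        return "blocked out on " + out_if
    return "forwarded"


def originate(rules: List[Rule], pkt: Packet, out_if: str) -> str:
    """Packet generated on the firewall itself: only the 'out' pass applies."""
    if evaluate(rules, pkt, "out", out_if) == "block":
        return "blocked out on " + out_if
    return "forwarded"


# The two contrived rules from the question (route-to omitted).
RULES_THREAD = [
    Rule("pass", "in", "int_if", quick=True),    # 1 pass in quick on $int_if
    Rule("block", "out", "ext_if", quick=True),  # 2 block out quick on $ext_if
]

# Tagging variant: rule 1 stamps the packet, a global 'out' rule honours it.
RULES_TAGGED = [
    Rule("pass", "in", "int_if", quick=True, tag="approved"),
    Rule("pass", "out", None, quick=True, tagged="approved"),
    Rule("block", "out", "ext_if", quick=True),
]

if __name__ == "__main__":
    # Constructed sample addresses.
    print(forward(RULES_THREAD, Packet("10.1.1.5", "198.51.100.9"), "int_if", "ext_if"))
    print(forward(RULES_TAGGED, Packet("10.1.1.5", "198.51.100.9"), "int_if", "ext_if"))
    print(originate(RULES_TAGGED, Packet("127.0.0.1", "198.51.100.9"), "ext_if"))
```

With the original two rules the LAN packet passes the `in` pass on int_if but is still blocked on the `out` pass on ext_if; with the tagged ruleset it is forwarded, while a packet originating on the firewall carries no tag and is blocked as before.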



4.3 Install HP BL10eG2 Blade - panic: revarp failed, error=51

2008-05-01 Thread Mikel Lindsaar
I had OpenBSD 4.2 Running on these blades, installed via PXE fine.

Seems though, in running the 4.3 pxeboot and kernel, it dies on trying
to send RARP packets out?

Anyone have some ideas on how to get this to install?

Boot sequence and then DMESG attached (with PS and TRACE) at the end.

===

 OpenBSD/i386 PXEBOOT 2.02
switching console to com0
 OpenBSD/i386 PXEBOOT 2.02
com0: changing speed to 115200 baud in 5 seconds, change your terminal to match!

com0: 115200 baud
boot boot tftp:/bsd
booting tftp:/bsd: 5913424+1004644 [52+306864+287943]=0x72a4d4
entry point at 0x200120
   #
[ using 595232 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2008 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1000MHz (GenuineIntel 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,EST,TM2
real mem  = 1073287168 (1023MB)
avail mem = 1029779456 (982MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @
0xf, SMBIOS rev. 2.3 @ 0xec000 (29 entries)
bios0: vendor HP version I07 date 06/10/2003
bios0: HP ProLiant BL10e G2
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SPCR
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
acpibtn0 at acpi0: PBTN
bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xe/0x8000!
cpu0 at mainbus0
cpu0: Enhanced SpeedStep 1000 MHz (1004 mV): speeds: 1000, 900, 800, 600 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 ServerWorks GCNB-LE Host rev 0x32
pchb1 at pci0 dev 0 function 1 ServerWorks GCNB-LE Host rev 0x00
Compaq Netelligent ASMC rev 0x00 at pci0 dev 1 function 0 not configured
vga1 at pci0 dev 2 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 3 function 0 Intel 8255x rev 0x08, i82559: irq 7,
address 00:0b:cd:d2:f0:b5
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci0 dev 4 function 0 Intel 8255x rev 0x08, i82559: irq 10,
address 00:0b:cd:d2:f0:b4
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB6 rev 0xa0: polling
iic0 at piixpm0
spdmem0 at iic0 addr 0x51: 512MB DDR SDRAM registered ECC PC2300CL2.5
spdmem1 at iic0 addr 0x52: 512MB DDR SDRAM registered ECC PC2100CL2.5
pciide0 at pci0 dev 15 function 1 ServerWorks CSB6 RAID/IDE rev 0xa0: DMA
wd0 at pciide0 channel 0 drive 0: HITACHI_DK23FB-40
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5
ohci0 at pci0 dev 15 function 2 ServerWorks CSB6 USB rev 0x05: irq
11, version 1.0, legacy support
pchb2 at pci0 dev 15 function 3 ServerWorks GCLE-2 Host rev 0x00
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 ServerWorks OHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask f965 netmask fde5 ttymask ffe7
mtrr: Pentium Pro MTRR support
softraid0 at root
PXE boot MAC address 00:0b:cd:d2:f0:b5, interface fxp0
nfs_boot: using interface fxp0, with revarp  bootparams
fxp0: error 5, could not read firmware fxp-d101ma
panic: revarp failed, error=51
Stopped at  Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!

ddb ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
     8      0      0      0  3    0x100200  pftm       pfpurge
     7      0      0      0  3    0x100200  usbtsk     usbtask
     6      0      0      0  3    0x100200  usbevt     usb0
     5      0      0      0  3    0x100200  acpi_idle  acpi0
     4      0      0      0  3    0x100200  bored      syswq
     3      0      0      0  3    0x100200             idle0
     2      0      0      0  3    0x100200  kmalloc    kmthread
     1      0      0      0  3           0  initexec   swapper
    *0     -1      0      0  7     0x80200             swapper

ddb trace
Debugger(d1985040,d092cca4,d092ccd8,33,d092ccf0) at Debugger+0x4

Re: [SOLVED] 4.3 Install HP BL10eG2 Blade - panic: revarp failed, error=51

2008-05-01 Thread Mikel Lindsaar
On Thu, May 1, 2008 at 8:32 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008-05-01, Mikel Lindsaar [EMAIL PROTECTED] wrote:
   I had OpenBSD 4.2 Running on these blades, installed via PXE fine.
   Seems though, in running the 4.3 pxeboot and kernel, it dies on trying
   to send RARP packets out?
   boot boot tftp:/bsd
  Did you actually mean to boot bsd.rd?

Well, actually, I used bsd to boot install 4.2 OpenBSD onto these
blades.  About half an hour ago, I thought I would try bsd.rd and it
worked fine.  Misread the FAQ.

Thanks for the pointer though!

Mikel



Re: Apache VirtualHost permissions

2008-04-17 Thread Mikel Lindsaar
On Fri, Apr 18, 2008 at 7:37 AM, David Newman [EMAIL PROTECTED] wrote:
  but I'm confused about the 'chown nobody:www' part. I don't get how
  users would be able to upload files with those permissions.

Depends.

If they are uploading via a web interface, then you need your web
server to be able to write to the file system, not the user.  In this
case it would be up to your web interface to work out whether they have
access to different files or not.

One of the other ways is letting them FTP the files they need into the
box.  In this case, simply FTP chrooting them to their home directory
(see /etc/ftpchroot) and then having this directory accessible read-only
by your web server would be fine.  In which case the permissions
would be user_name:www.

Make sense?

Mikel



Re: 4.3 song and lyrics and commentary

2008-04-12 Thread Mikel Lindsaar
On Sat, Apr 12, 2008 at 4:03 PM, Pau [EMAIL PROTECTED] wrote:
 are the pictures real??

Isn't it amazing what you can do with some free time and some photo
editing tools?

Mikel



Re: carp and STP and layer2 security

2008-04-11 Thread Mikel Lindsaar
On Fri, Apr 11, 2008 at 10:04 PM, Henning Brauer [EMAIL PROTECTED] wrote:
 i have finally taken the time to quickly write up what you need to do
  on your switches when using carp and/or STP. comments welcome.

  http://bulabula.org/carp-and-stp-meet-switch-security.html

Short and sharp, thanks.

Mikel



4.2 still has X tree dependency?

2008-03-30 Thread Mikel Lindsaar
I am running 4.1 on several servers, one thing I found was the
surprise on needing the X package to install some of the non x-windows
ports due to dependencies within that tree.  I think it was for the
graphics libraries, either way, I installed the x packages and all is
well.

But I remember reading in a FAQ or release notes somewhere that this
was a mistake and would be fixed in the next version of OpenBSD (ie,
remove the dependency on the x-windows system for these libraries).

I am about to install a bunch of 4.2 servers, is this dependency fixed
in 4.2?  Or is that a 4.3 target?

Regards

Mikel



PCI ADSL Card on OpenBSD

2008-01-26 Thread Mikel Lindsaar
I have been googling around and found various answers, but some of
them conflict and so I wanted to ask the list:

What PCI ADSL card do you use in your OpenBSD box?

The use case will be a rack mounted firewall (thus the wish for a PCI
card to sit inside the server) handling an ADSL connection for backup
access and bulk traffic.  The card and drivers need to be reliable and
just handle the line as this will be the backup way in.

Preferably I want a card that is going to do the ADSL protocol layer
itself and not hand anything off to the CPU which will be handling a
transparent firewall.

Should be able to support PPPoE, ADSL2+ would be good to have, though
plain v1 ADSL is also fine if the driver / card combination is more
robust.

Regards

Mikel



Best way to automate administration of multiple servers

2007-11-14 Thread Mikel Lindsaar
Hello all,

I've been googling around for some answers and I thought I would ask
the list as well.

In the past I have used different computers for different tasks.  I
would have many different installs of OpenBSD on many different
platforms.

However, I am moving some stuff into a data center and am getting a
blade server with 10 blades (up to 20 total).  I have been playing
with this and it is running great, but as each blade has exactly the
same specs (same drive, ram, processor etc) I was wondering about
improving my skills on handling a lot of identical computers on the
administration side.

There are basically three types of blade, database, app server and
front end world facing (proxy, mail, dns).

I want to automate handling them as much as possible and would like
some list suggestions on reading materials, software, or web howtos.

Examples of what I am after:

1) Create images or post install diffs so that if I need to add a
blade to expand, I put it in, connect via the console, install via PXE
and then download the diff - I know you can do this with the post
install scripts in OpenBSD's install script, but any real world use of
this, things to avoid or good things to do?

2) Keeping 10 - 20 copies of OpenBSD up to the latest patch levels
without having to do more than trial on one (for each type) and then
for the rest type something as trivial as /bin/sh -x update.sh
rotating through the servers and testing as you go?  I can see myself
spending two days a month otherwise doing upgrades on all the servers.

3) Guides on how to manage the logs of this many servers.  Any
experiences with splunk on this sort of environment, other options?

4) Anything else I should think about / avoid?

I know this is a bit of a broad ranging question, but I am looking for
general gaps in my sys admin knowledge at the moment so I apologise
for any vagueness.

Regards

Mikel



OK... I broke something - can't load library 'libpcre.so.1.0'

2007-11-06 Thread Mikel Lindsaar
Hello list :)

I was getting ImageMagick working with Rails on OpenBSD and was
running into problems.

In the process of installing it, somehow I nuked the libpcre library.

I went into /usr/ports/devel/pcre/ and did a make clean, make, make install.

However I am still getting the error.

I tried doing an ldconfig -R (not sure if this was needed or not) but no change.

I am getting the can't find the library libpcre errors when I try to
start postfix or bash.

libpcre.so.1.0 is in the /usr/local/lib/ directory.

What do I have to do to get everything to see the library again?

Thanks guys.

Mikel



TLS/FTP via OpenBSD NAT

2007-10-12 Thread Mikel Lindsaar
Hello all,

I have a few OpenBSD servers faithfully running NAT in various spots.

One of these firewalls is doing VERY simple NAT on an interface,
almost a cut and paste from the PF pages (only really the IP addresses
got changed).

However, the client wants to be able to connect to an FTP server that
is using TLS.

My first thought on this was you can't.  However, I was quickly
disabused of this idea by connecting to their server using the program
they use (FileZilla) within a Windows XP instance running inside
Parallels through a Netlink ADSL modem.  That is two sets of
translation happening!

This got me confused as everything I have read about TLS says this
can't be done.  At least not with NAT.

So I am wondering if anyone has had any experience with this and can
point me in the right direction?

The only way I can think that the Netlink is doing it is by doing some
sort of Dynamic IP Address forwarding (setting up some rule that just
dumps all traffic directly...) but I don't know.

Regards


Mikel