Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread Eugene Hercun
Thank you for your responses. Sorry I could not reply sooner since I
went to work before I posted this e-mail. Anyway, I might have missed
it, but did anyone recommend a book regarding scripting for BSD with
perl?
I think we're getting a little bit off topic in the last few posts... =)

Eugene



Re: opening ports on internal machines to the internet (pf.conf)

2005-05-15 Thread GV
Thank you for your comments.

George

On Sunday 15 May 2005 00:57, Arnaud Bergeron wrote:
 Sorry if this seems a bit out of order, because I commented as it came to
 me.

 On 5/13/05, GV [EMAIL PROTECTED] wrote:
  Hi,
 
  I have following LAN configuration:
 
  [ COMP_1 ] ...  [ COMP_n ]
 
||   ADSL
 
 ---+--+-+--- int_if [ OpenBSD ] ext_if  ( Internet
  )
 
  comp_1 ... comp_n are running a web base application and a number of
  ports on each machine have to be accessible from the internet.
 
  I have the following pf.conf file which doesn't seem to work apart from
  the redirection to port 80!:
 
  --
  ext_if="vr0"
  int_if="rl0"
 
  tcp_services = "{ 80, 20, 21, 22, 25, 110, 113 }"
  cam_services = "{ 5000, 6000, 6001, 6002, 6005 }"
  icmp_types = "echoreq"
 
  priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
 
  cam1 = "192.168.1.33"
 
  set block-policy return
  set loginterface $ext_if
 
  scrub in all

 You should change this :
  nat on $ext_if from $int_if:network to any -> $ext_if

 to this:

 nat on $ext_if from $int_if:network to any -> ($ext_if)

  rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
  rdr pass on $ext_if proto tcp from any to any port 8000 -> $cam1 port 80
 
  block all
  block in log all
  pass quick on lo0 all
 
  block drop in quick on $ext_if from $priv_nets to any

 I think this line can cause problems as packets are blocked before
 they get nated.
 (I am not 100% sure on this one.)

  block drop out quick on $ext_if from any to $priv_nets
 
  pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state

 Non-paranoid rule:

 pass in on $ext_if proto tcp from any to any port $tcp_services flags
 S/SA keep state

 or modulate state at the end.

  pass in on $ext_if proto tcp from any to $cam1 port $cam_services keep
  state

 If you want to redirect traffic to those ports ($cam_services) to the
 host cam1, this won't work.  Use:

 rdr on $ext_if proto tcp from any to any port $cam_services -> $cam1

 Otherwise delete this rule as traffic destined to $cam1 will never
 arrive on $ext_if.

  pass in inet proto icmp all icmp-type $icmp_types keep state
 
  pass in on $int_if from $int_if:network to any keep state
  pass out on $int_if from any to $int_if:network keep state

 As a general rule, you don't need to be that paranoid about packet
 passing rules something like :

 pass on $int_if from any to any keep state

 will do the job.  Of course, if you lose sleep over security you can
 always keep the ones you have.

  pass out on $ext_if proto tcp all modulate state flags S/SA

 Same as above.  There is no real need for flags S/SA on this rule
 unless your sleep hours require this.

  pass out on $ext_if proto { udp, icmp } all keep state
  --
 
  Thanks for your help
 
  George



Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread J.C. Roberts
On Sat, 14 May 2005 23:39:11 -0700, Eugene Hercun
[EMAIL PROTECTED] wrote:

Thank you for your responses. Sorry I could not reply sooner since I
went to work before I posted this e-mail. Anyway, I might have missed
it, but did anyone recommend a book regarding scripting for BSD with
perl?
I think we're getting a little bit off topic in the last few posts... =)

Eugene

Well, what else would you expect considering your post itself is
actually off topic for this list... ;-)

I own over fifty different types of hammers and each has a particular
use for which it was designed. Though most of them could drive a nail
into a piece of wood, some are better suited for that particular task
than others. In the end, what makes a good hammer comes down to the
task you will perform, the time you'll invest in completing it and the
time invested by others who must maintain your work. 

When you're just starting out, it may seem like a waste of ether to
watch two knowledgeable guys like Jason and Adam debate fine points,
but knowing those fine points will serve you well in making your own
decisions. There are a lot of ways to drive a nail and what works best
for *you* will take some experimentation on your part.

As for learning perl, RTFM. Once you get through the basic
documentation provided with perl, start reading other people's code and
the free tutorials available on the web, then finally move onto
reading the books. The O'Reilly Perl Bookshelf is a good place to
start and a good value for the money if you insist on buying books.
http://www.oreilly.com/catalog/perlcdbs4/

Also, finding the right resources, mailing lists, web boards and the
like will definitely help a lot more than the OpenBSD lists. A good
place to find such things for perl is at the monastery
http://www.perlmonks.com

As for getting started:
http://www.perlmonks.com/?node=Tutorials#perlstart

Since you want to know why some people claim perl is a good
scripting language, there is only one single viable reason for the
claim; the reason is because you can write scripts with it. Obviously,
the same is true about many other languages. The term good is
subjective and always an invitation for debate.

As for general advice on learning perl, I can think of two things:

(1) Though it didn't exist when I learned perl, IMHO, the best advice
for a novice is to always put use strict in your scripts. The
flexibility of perl gives you enough rope to build a bridge across a
chasm or to quickly hang yourself and every one you know. Putting use
strict in your code will not prevent the latter but it can help you
avoid some of the less than obvious programming mistakes.

(2) Use the long form syntax in your code until you get really
familiar with the language. Like all languages that offer a short
form syntax, perl code written for brevity just looks like line noise
to the unindoctrinated. Knowing both/all long and short forms is
important but which works best for *you* is your own decision. 

JCR



Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread Morten Liebach
On 2005-05-14 23:39:11 -0700, Eugene Hercun wrote:
 Thank you for your responses. Sorry I could not reply sooner since I
 went to work before I posted this e-mail. Anyway, I might have missed
 it, but did anyone recommend a book regarding scripting for BSD with
 perl?

You don't need that.  Perl scripting is pretty much the same on any
Unix-like OS.  You even have a decent chance of writing something
portable to Windows if you want, and remember, Mac OS X is also very
Unix-like nowadays.

But Learning Perl is good, especially if you don't know any--or very
little--programming before you start reading it.

 I think we're getting a little bit off topic in the last few posts... =)

Interesting nonetheless. :-)

Have a nice day
 Morten

-- 
http://m.mongers.org/weblog/
__END__



Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread Marc Espie
On Sun, May 15, 2005 at 12:49:34AM -0400, Adam wrote:
 First of all, that's not a benefit.  In most languages you can have
 optional arguments to functions, without forcing all functions to take
 only a single array of scalar variables.

You know, maybe you should read perl documentation.

In perl you can have optional arguments to functions. This happened a
few years ago. This is called prototypes, and it works just fine.

In fact, perl is now very close to Common Lisp in that respect.
This prototype stuff means you can very much write subs with all
the syntax of the core stuff, and people use it all the time.



Re: exposing an internal server to the Internet

2005-05-15 Thread Mario Lopez
I would use OpenBSD's transparent bridging feature with (optionally) pf 
filtering.

Mario.
Hi,
I have a situation where an internal (located in a LAN and behind an OpenBSD
firewall/NAT) has to be fully exposed to the Internet! What's the best way to
achieve that?

Thanks
George



Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread J.C. Roberts
On Sun, 15 May 2005 05:32:07 -0500, [EMAIL PROTECTED] wrote:

To add to your excellent analogy with hammers,
Do you drive across town to get that one best hammer to drive one nail?


Oddly enough there are times when it's actually worth the effort to go
across town to pick up a hammer better suited for the particular job
of driving a single nail but equally, as you've implied, there are
other times when you're better off just using the hammer you happen to
have with you. If that single nail has any chance of being something
that must be maintained by someone else or has any chance of growing
into something larger, you really don't want some wise ass like me
coding the darn thing in a language like whitespace or brainf*ck
for the fun of it. Of course, the real problem is at the start you
just never know what the initial code might eventually become...

OT. I use PHP, I like PHP.
Perl Monks: PHP - it's training wheels without the bike -- Randal L.
Schwartz
Pretty accurate. (But imagine PHP if perl didn't exist;)


Keep away from people who try to belittle your ambitions. Small
people always do that, but the really great make you feel that you,
too, can become great.  - Mark Twain

Hmmm... since I already shaved my head tonight, it's a little late for
Occam's Razor, none the less, just follow the money. Randy Schwartz is
in the *BUSINESS* of promoting perl, so such statements are to his
financial advantage. Language zealots more often than not have
financial incentives for promoting their views. Some sell books,
others sell their services and still others want their existing skills
to seem valuable to potential employers. 

Everybody's got to eat, so you can't call the biased (self) promotion
entirely bad and realistically, it's unavoidable. I can not even
mention OpenBSD without in some strange way promoting the value of my
own (limited) ability to use it. As long as you recognize the agenda
being pushed, you can draw your own unbiased conclusions.

Sure, perl has its place in the world but so does PHP, PDP-11
assembly and the countless other languages out there. Just because I
happen to own the 40 pound maul of a PDP-11 Assembly Language Manual
does not mean the poor bastard that will be asked to maintain my code
is going to have the same hammers that I have. 

The choice of language is only part of the answer, since then you must
answer the questions of syntax and style; the syntax and style I
prefer to use in *my* C code may make it easier for *me* to work on it
but there are countless people out there which prefer some other
syntax and style which would make it easier for them to understand and
work on the code. There are people with particular, peculiar and very
strong opinions about the best syntax to use within a single
language such as case/switch, goto and other legal statements. The
issues of style, spacing and formatting are equally fraught with
strong opinions of the best way to do it.

Kind of brings to mind a joke; A Brit, a Scotsman, an Aussie, a
Texan, a New Yorker and a Californian were sitting in a bar... -None
of them could understand what the others were saying.

(But imagine PHP if perl didn't exist;)

As for what PHP would become if it was the only language on the planet
that people used and improved, the answer depends on which language
zealot you happen to ask. I'm quite sure Paul Graham would very
happily tell you all the logical reasons why the end result would
eventually be a dialect of LISP. ;-)

JCR



Re: LSI MegaRAID 150-4 (a.k.a. LSI/Symbios 523)

2005-05-15 Thread Per-Olov Sjöholm
On Wednesday 04 May 2005 20.41, Rogier Krieger wrote:
 Just a happy user report. Hopefully, this is of use for those
 searching the archives.

 As it seems, the LSI Logic MegaRAID SATA 150-4 seems another name for
 the LSI/Symbios 523 listed in the HCL. For completeness, I attached a
 dmesg output below.

 The card is currently sitting in a 32bit slot and appears to work
 fine. Performance on 3.6 (i386) is fine, although -current provided
 better throughput for me. Given the work done on ami(4) (see the CVS
 logs), this is hardly surprising.

 The only problem I encountered was easily solved. At first the card
 was much slower in transfers (both under 3.6 and -current) than a
 regular drive (by a factor 20). As it turned out, write caching was
 not enabled on all of the physical drives in the array due to a
 firmware bug.

 Although checking (and correcting) the write cache settings on the
 drives solved this problem, it is also possible to upgrade the
 firmware on the card (presently 713N). It seems there are still cards
 on the market with older firmwares in them as I bought my cards a few
 weeks ago (having 713G in them).

 As soon as I can get my hands on an Opterons, I'll try out amd64 with
 it (in a 64bit slot).

 Cheers,

 Rogier


 OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel(R) Celeron(R) CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFL
USH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,PNI,MWAIT,CNXT-ID real mem  =
 534548480 (522020K)
 avail mem = 480858112 (469588K)
 using 4278 buffers containing 26828800 bytes (26200K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(00) BIOS, date 09/29/04, BIOS32 rev. 0 @ 0xf0010
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge unknown
 pcibios0 at bios0: rev 2.1 @ 0xf/0x1
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3d00/224 (12 entries)
 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev
 0x00) pcibios0: PCI bus #1 is the last bus
 bios0: ROM list: 0xc/0xa200! 0xca800/0x2200
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 Intel 82865G/PE/P CPU-I/0-1 rev 0x02
 vga1 at pci0 dev 2 function 0 Intel 82865G Video rev 0x02: aperture
 at 0xf000, size 0x800
 wsdisplay0 at vga1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
 usb0 at uhci0: USB revision 1.0
 uhub0 at usb0
 uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
 uhub0: 2 ports with 2 removable, self powered
 uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 5
 usb1 at uhci1: USB revision 1.0
 uhub1 at usb1
 uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
 uhub1: 2 ports with 2 removable, self powered
 uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 10
 usb2 at uhci2: USB revision 1.0
 uhub2 at usb2
 uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
 uhub2: 2 ports with 2 removable, self powered
 uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 11
 usb3 at uhci3: USB revision 1.0
 uhub3 at usb3
 uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
 uhub3: 2 ports with 2 removable, self powered
 ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB rev 0x02: irq 9
 ehci0: EHCI version 1.0
 ehci0: companion controllers, 2 ports each: uhci0 uhci1 uhci2 uhci3
 usb4 at ehci0: USB revision 2.0
 uhub4 at usb4
 uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
 uhub4: 8 ports with 8 removable, self powered
 ppb0 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
 pci1 at ppb0 bus 1
 ami0 at pci1 dev 1 function 0 Symbios Logic MegaRAID rev 0x01: irq
 10 LSI 523/64b/lhc
 ami0: FW 713N, BIOS vG119, 64MB RAM
 ami0: 1 channels, 0 FC loops, 1 logical drives
 scsibus0 at ami0: 40 targets
 sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
 sd0: 455808MB, 58107 cyl, 255 head, 63 sec, 512 bytes/sec, 933494784 sec
 total hifn0 at pci1 dev 2 function 0 Hifn 7955/7954 rev 0x00: LZS 3DES
 ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 3
 fxp0 at pci1 dev 8 function 0 Intel PRO/100 VE rev 0x01: irq 11,
 address 00:11:11:9d:0a:de
 inphy0 at fxp0 phy 1: i82562ET 10/100 media interface, rev. 0
 ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
 pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02:
 DMA, channel 0 configured to compatibility, channel 1 configured to
 compatibility
 atapiscsi0 at pciide0 channel 0 drive 0
 scsibus1 at atapiscsi0: 2 targets
 cd0 at scsibus1 targ 0 lun 0: PHILIPS, CDD3610 CD-R/RW, 3.01 SCSI0
 5/cdrom removable
 cd0(pciide0:0:0): using PIO mode 0, DMA mode 1
 wd0 at pciide0 channel 1 drive 0: QUANTUM FIREBALL ST3.2A
 wd0: 16-sector PIO, LBA, 3079MB, 6306048 sectors
 

Re: exposing an internal server to the Internet

2005-05-15 Thread Andreas Boman
If I understand you correctly, what you are asking for requires an
external IP for each of the internal servers. After that it is just a
matter of forwarding all ports from an external ip to an internal one,
applying firewall rules either on the gateway/router box or on the
internal server.

Andreas

On Sun, 2005-05-15 at 11:05 +0200, GV wrote:
 I apologize for the confusion but didn't realize that my question wasn't 
 clear 
 enough!
 
 Well, the whole story was to have a server in the LAN (actually a range of 
 servers!) where only NAT and no firewall had to be enabled. Users from 
 Internet should have full access to all the ports of these servers! Probably, 
 from a design point of view, I had to create a separate LAN (an extra NIC on 
 my OpenBSD box) and connect all these 'weird' machines to this subnet?
 
 In any case I would like to thank the people in the list who took the time to 
 correct my faulty rdr rule in the pf.conf.
 
 George
 
 On Saturday 14 May 2005 23:42, Jason Dixon wrote:
  On May 14, 2005, at 5:25 PM, GV wrote:
   Hi,
  
   I have a situation where an internal (located in a LAN and behind a
   OpenBSD
   firewall/NAT) has to be fully exposed to the Internet! What's the best
   way to
   achieve that?
 
  Sorry, your question makes no sense.  What are you trying to achieve?
Are you asking about the filtering done on the firewall?  Tightening
  down the users and/or services on the server?  Please don't make us
  guess.
 
  --
  Jason Dixon
  DixonGroup Consulting
  http://www.dixongroup.net



Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread Joel Rees
 I'm quite sure Paul Graham would very
happily tell you all the logical reasons why the end result would
eventually be a dialect of LISP. ;-)
And perl is a dialect of LISP, isn't it?
:-/
--
Joel Rees
(A FORTH dreamer, imprisoned in a Java world)


Re: fdisk and disklabel C/H/S

2005-05-15 Thread Steve Shockley
Mikhail Malamud wrote:
This blows because I am porting a legacy application
from an MVS system. This application accesses two
sequential datasets - flat files that are over 10GBs.
Since both files have to be accessed at the same time,
I was hoping to put them on different platters to
avoid disk contention - two processes attempting to
read from the same or near cylinder groups but since
like you say all heads are linked together, this won't
do much good. 
Yeah, pretty much your best bet would be to put each file on its own 
spindle.  Using a RAID controller with a lot of cache may solve the 
problem for you too, depending on the DB usage pattern.

I know when setting up a large MS SQL server, best practice is to put 
each log file on its own set of spindles, usually mirrored.  Since SQL 
logs just append to the end of the file, essentially the heads just 
sequentially move to the next track.

If your project is big enough, you could use SAN or NAS disk, 64gb of 
disk cache should give you pretty good performance for two 10gb files.



Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread J.C. Roberts
On Mon, 16 May 2005 01:13:03 +0900, Joel Rees [EMAIL PROTECTED]
wrote:

  I'm quite sure Paul Graham would very
 happily tell you all the logical reasons why the end result would
 eventually be a dialect of LISP. ;-)

And perl is a dialect of LISP, isn't it?

:-/



I would bet said self proclaimed expert would say the current perl
is still lacking in some essential way but still insist that sooner or
later it *MUST* become LISP to be any good and of course, the same is
true for all programming languages.

I'm really not sure what I find more disturbing; the fact someone is
crazy enough to publicly proclaim such things or the fact there's a
chance he may actually be right.

-
Joel Rees
 (A FORTH dreamer, imprisoned in a Java world)

You need to start using FIFTH, preferably filled with single malt. It
works a lot better for dreaming than Java.

JCR



Re: LSI MegaRAID 150-4 (a.k.a. LSI/Symbios 523)

2005-05-15 Thread Steve Shockley
Alexander Hall wrote:
So they work well in 32-bit PCI slots as well? I thought (for no other 
than visual reasons) that they required a 64-bit slot. We were thinking 
about buying one for our ISP1100 (somewhat old, but stable), which has 
no 64-bit PCI slot. Do you know if there is anything special to think 
about or will it work with just about any 32-bit PCI slot?
I've rarely had problems using a 64-bit card in a 32-bit slot, as long 
as the card would physically fit without shorting the exposed card edge. 
 The one time I did have a problem, I think it was a problem between 
the card, the motherboard and OpenBSD; the card worked fine in another 
32-bit PCI system under some kind of Linux, as well as Windows.



Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread Jason Dixon
On May 15, 2005, at 2:30 PM, Adam wrote:
I never said otherwise.  I said you can have optional args in lots of
other languages too, as Jason seemed to think @_ allows optional args,
while languages using named args don't.
What I was saying is that in almost every Perl program I've written or 
read, it's unnecessary.  Because @_ can accept any number of objects of 
any type, you can pass in whatever you want (scalar, arrayref, hashref, 
etc) as long as the function understands how to handle the null 
arguments.  I can understand why named args are beneficial to you, but 
I hardly see the lack of them in Perl as the inefficiency you claim it 
to be.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread Nick Holland
Big rule of scripting: More work gets done by writing code than by
arguing about scripting languages.

Pick a language.  Learn it.  Work with it.  Implement some tasks in it.
 If you are satisfied with it, good.  If not, try some other language.
You ain't marrying it, if it doesn't work out, move on.  Besides, you
should have a few languages under your belt...

You aren't going to reach perfection.  Arguing about it is pointless.  A
good programmer can produce a better app on a bad language than a poor
programmer can produce on a great language.  Effort spent trying to
find the perfect language would be better spent improving your skills
on any language.


in short: ENOUGH, m'kay?

Nick.



RE: Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread Tony Abernethy
Are you saying that instead of distinguishing between
foo and my foo,
the distinction should be between
everybody's foo and foo
for some spelling of everybody's
?

- --- Original Message --- -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sun, 15 May 2005 14:43:00

On Mon, 16 May 2005 01:05:28 +0900
Joel Rees [EMAIL PROTECTED] wrote:

 The bug/feature is that you can't declare variables unless you
 declare them either local (which is usually not what you want) or
 my (which _is_ what you usually want). The buggy aspects of this
 feature are mostly relieved by use strict and other pragma.
 
 (Do NOT forget to use strict !)

I am not commenting on any buggy aspects of this feature, I am
commenting on this feature itself.  Use strict doesn't change the
scoping rules of perl, having to use my at all is the problem, it's
backwards and stupid when variables should be assumed to be lexical
scope.

 Perl also provides for passing parameters as a hash instead of an
 array. The good part of that is that if you pass red, green, and
 blue, you don't have to remember whether red, green, or blue came
 first in the list. The bad part of this is left as an exercise for
 the reader. (I'd give an example, but my head is so full of Java
 these days I couldn't guarantee getting the syntax right.)

You don't have to remember the order that args are passed with normal
languages where functions take named args either.

   With perl you can
  only pass an array as a reference, if you want a second array you
  have to copy the one passed as a reference manually in the sub.
 
 Not exactly true, although getting the hang of passing arrays can
 take some time. (And reading code that does it the right way can be
 something of an adventure, especially for programmers who are mostly
 experienced in descendants of Algol.)

I'm no perl expert, I'm just going by the perl documentation here where
it says that you can only pass arrays and hashes as references.  Then
you need to make a new copy of that array or hash yourself inside the
sub if you don't want to be changing the original one.  I'm not saying
it's that big a deal, it's just inflexible and a waste of programmer time.

  course, if all you want is an array of args, languages that let you
  declare arguments to functions can give you that just fine.  Perl is
  all about being flexible and saving programmer time, yet something
  basic like functions is implemented in an inflexible way that requires
  programmers to spend extra time checking args.  Declaring args is
  both more flexible, and a time saver.
 
 Not true. The problem is not inflexibility, but once again too much
 flexibility. Of the several ways to solve the problems of passing
 parameters in perl, the one that is closest to traditional procedure
 parameter lists is perhaps a bit too spare in its requirements.

Yes true, you can handle every arg passing situation perl is capable of
in a language using named args, as well as situations perl doesn't
handle without you doing it yourself in the first couple lines of your
sub.  Therefore named args is more flexible, and saves programmer time.
Notice that perl 6 is supposed to be fixing some of this stuff, so it's
obviously not just me that thinks there's problems here.

Adam



Re: Machine performance

2005-05-15 Thread Christian Weisgerber
Steve Shockley [EMAIL PROTECTED] wrote:

 What's the biggest bottleneck when compiling the ports tree?

CPU.
Disk is not a big contributor, unless you are building on something
really slow like a laptop disk.

 Would compiling ports actually use four processors?

Not by default, no.
However, Nikolay's distributed package builder (infrastructure/build/dpb)
can parallelize a bulk build over several CPUs and machines.

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]




Re: exposing an internal server to the Internet

2005-05-15 Thread Jason Dixon
On May 15, 2005, at 5:10 PM, Jason Dixon wrote:
On May 15, 2005, at 4:11 PM, GV wrote:
not really. Actually I would like to avoid that. I rather wanted to 
have one
external IP address and different ports on this address should 
redirect to
different internal machines!
Ok, let's nip this in the bud once and for all.  You just want to use 
binat and then allow all traffic to that host.  Example where 
$internal_host is the IP address of your internal server, and 
$external_host is the external IP address you wish to map to the 
internal server.

internal_host = 10.0.0.2
external_host = 60.10.10.2
binat on $ext_if from $internal_host to any -> $external_host
pass quick on $ext_if from any to $internal_host
pass quick on $int_if from $internal_host to any
FYI, I didn't bother to keep state on those since you don't want to 
filter anything going to the host.  If that changes, you'll want to 
start tracking state, flags, etc.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: exposing an internal server to the Internet [SOLVED]

2005-05-15 Thread GV
YES! That was the problem! Thanks a lot!

George

On Sunday 15 May 2005 01:02, Arnaud Bergeron wrote:
 On 5/14/05, GV [EMAIL PROTECTED] wrote:
  no, I don't need any port of that machine to be exposed to the Internet.
  Only a certain range.
 
  I tried the following:
 
  --
  nat on $ext_if from $int_if:network to any -> $ext_if
  rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
  rdr pass on $ext_if proto tcp from any to any port 8000 -> $cam1 port 80
  rdr pass on $int_if proto tcp from $cam1 to any -> $ext_if
  --

 The last rule is the culprit.  Traffic simply gets blocked by the
 ISP's router because cam1 has an internal IP address.  The nat rule
 should take care of the traffic from cam1 (if it is on
 $int_if:network)

 If you want certain ports to be redirected to an internal machine:

 rdr on $ext_if from any to any port $ports_to_redirect -> $internal_machine

 does the job.

  I do get access to the internal ($cam1) port 80 but no response back from
  the other ports this machine is using! It is like a one-way communication!
 
  If you say that I will need to alias another ip to your obsd box and
  binat traffic destined to that address you mean a public IP address?
 
  Thanks
 
  On Sunday 15 May 2005 00:05, Abraham Al-Saleh wrote:
   Do you need every port on the mail server to be exposed to the
   internet? that's how I originally interpreted your question. If you
   only need mail server ports, then use the rdr statement, which you can
   again read about in the pf.conf man page. Otherwise, you will need to
   alias another ip to your obsd box and binat traffic destined to that
   address to your mail server.
  
   On 5/14/05, GV [EMAIL PROTECTED] wrote:
thanks for your prompt reply.
   
I do agree with you but when reading the manual concerning binat it
says:
   

..Connections from the Internet to the external address will be
translated to
the internal address..

   
which means that ANY connection from the Internet will be
translated/redirected to this specific server which actually
discharges my whole LAN?
   
To be more specific, I first tried the following configuration:
   
--
binat on $ext_if from $cam1 to any -> $ext_if
nat on $ext_if from $int_if:network to any -> $ext_if
--
   
and couldn't ssh my server any more cause my connection was
automatically redirected to port 22 of the internal machine where no
sshd was running!!!
   
I think that I misunderstood binat but couldn't find any detailed
docs or examples how to use it. If you have time to provide me some
directions to this?
   
Thanks for your support
   
George
   
On Saturday 14 May 2005 23:46, Abraham Al-Saleh wrote:
 Use binat.

 From man (5) pf.conf:

 binat
 A binat rule specifies a bidirectional mapping between an external
 IP netblock and an internal IP netblock.

 read the pf.conf manual page for more information.

 On 5/14/05, GV [EMAIL PROTECTED] wrote:
  Hi,
 
  I have a situation where an internal (located in a LAN and behind
  a OpenBSD
  firewall/NAT) has to be fully exposed to the Internet! What's the
  best way to
  achieve that?
 
  Thanks
 
  George



Re: horizontal scaling of spamd

2005-05-15 Thread Chad M Stewart
Hi Phillip,
My situation, at this point is hypothetical, though based on reality in 
carrier grade messaging systems.  I have been building and implementing 
large scale systems for many years, so I have had time thinking small, 
which can be good and bad. :)

I understand your setup, makes perfect sense, two boxes, one primary, 
one secondary (preferably off site), in case something goes wrong with 
the first.  I got the having logging on both boxes.

What I don't get is how you got spamd to pick up the white listed 
entries on both boxes?  AFAIK spamd does not look at the logs, simply 
puts entries in, does not read them.

I think I would want grey listed tuples included as well.  If behind 
the primary MX were say 3 boxes and the load balancer was not always 
directing the sending MTA to the same box running spamd, the sending 
MTA could get delayed for a very long time.  While load balancers have 
persistence, those usually have a timeout period, which MTA retries 
will probably exceed.

As it is with a single box running spamd a new sending MTA will get 
delayed by an hour.  The first connection attempt gets the sender grey 
listed.  The next attempt has to wait 30 minutes, per the RFCs, and at 
least 25 minutes per the default of spamd grey listing.  The third 
attempt would be about 60 minutes after the first attempt, or even 
later.  Depends upon the sending MTA and its behavior of retries.  The 
minimum by RFCs would be 60 minutes, but certainly could be longer.  
Some MTAs will extend the time between retry attempts after successive 
failures.

I know spamd is very light weight, but a single box is a SPOF and I 
don't like those. :)  Even two boxes with pf, pfsync, and carp would 
still not replicate the contents of /var/db/spamd.  Unless I'm missing 
something with respect to the way pf, pfsync, carp, and spamd 
integrate.  I have not taken the time to actually setup such an 
environment and test.  If I am wrong and this would work, then maybe 
someone can point out to me why.

Regards,
Chad
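
The delay described in the message above, as a small simulation (an added example, not part of the original post and not spamd's code). It follows the post's sequence of greylist, retry after the 25 minute minimum, then delivery on the next attempt; the strict round-robin balancer, the sample tuple and all names are assumptions.

```python
# Simplified greylisting model (added example; not spamd's implementation).
PASSTIME_MIN = 25   # minimum grey time before a retry counts (from the post)
RETRY_MIN = 30      # sending MTA's retry interval (from the post)
TUPLE = ("192.0.2.10", "sender@example.org", "rcpt@example.net")  # constructed


class GreyBox:
    """One greylisting box with its own private tuple database."""

    def __init__(self):
        self.grey = {}       # tuple -> minute it was first seen
        self.white = set()   # tuples now passed through to the real MTA

    def connect(self, tup, now):
        """Handle one SMTP attempt; True means the mail reaches the real MTA."""
        if tup in self.white:
            return True
        first_seen = self.grey.setdefault(tup, now)
        if now - first_seen >= PASSTIME_MIN:
            # Retry after passtime: whitelist the tuple. This attempt is
            # still deferred; the following one is delivered.
            del self.grey[tup]
            self.white.add(tup)
        return False


def minutes_until_delivery(boxes, retry=RETRY_MIN, max_attempts=100):
    """Minutes from first attempt to delivery, or None if never delivered."""
    for attempt in range(max_attempts):
        now = attempt * retry
        box = boxes[attempt % len(boxes)]   # assumption: strict round-robin
        if box.connect(TUPLE, now):
            return now
    return None


def compare(n_boxes):
    """Return (delay with private databases, delay with one shared database)."""
    private = [GreyBox() for _ in range(n_boxes)]
    shared = [GreyBox()] * n_boxes          # every front end sees the same state
    return minutes_until_delivery(private), minutes_until_delivery(shared)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "boxes:", compare(n))
```

With private databases the delay in this model grows by one hour per box; with shared state it stays at the single-box figure.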


Re: beginner, intermediate, and advanced scripting

2005-05-15 Thread Joel Rees
Are you saying that instead of distinguishing between
foo and my foo,
the distinction should be between
everybody's foo and foo
for some spelling of everybody's
As Nick points out, I've been feeding the flames when I should be doing 
other things. I'm going to try one last time to offer a word to the 
wise, and then shut up.

use strict alters the semantics of the scoping rules in a key point.
Without strict, my and local simply hide the name global scope for a 
name, which is handy, but leaves you susceptible to forgetting to scope 
a variable. Forgetting to scope a variable means you have unintended 
side-effects. That's a bad thing.

With strict, the interpreter complains if you use a variable without 
declaring its scope. Problem fixed, for most purposes, though not for 
all people.

Similarly with the argument passing argument. If prototypes are not 
sufficient, and if the explicit move from the argument array to local 
variables hides, rather than reveals, semantics for you, then perl 
gives you one more option in passing a hash instead of an array. Many 
find that option too verbose. Many find it far more explicit.

What you have is evidence that the language is evolving naturally. 
There's More Than One Way To Do It. Whether that's a good thing or a 
bad thing is another flame war, and I'm not interested. If pointing out 
that the warts have workarounds, and that the workarounds are not 
useless to some people is being too forgiving, well, I've lost interest 
in that, too.

But if you learn perl strictly from things you see on the web, you get 
stuck thinking it does things only the wrong way. For further 
discussion, perlmonks and perl.org. I'm out of this one.

--
Joel Rees
Getting involved in the neighbor's family squabbles is dangerous.
But if the abusive partner has a habit of shooting through his/her 
roof,
the guy who lives upstairs is in a bit of a catch-22.



smtp-milter problem

2005-05-15 Thread Geoff White
I'm having a funny problem with smtp-milter.
It has to do with sendmail running kicking off every 30 minutes (I 
think) and flushing the queue
anyway here is what shows up in the logs...

May 14 10:30:01 maildev sm-mta[3232]: j4EHU1fL003232: from=, 
size=110771, class=0, nrcpts=1, 
msgid=[EMAIL PROTECTED], proto=ESMTP, 
daemon=MTA, [EMAIL PROTECTED] [127.0.0.1]
May 14 10:30:01 maildev sm-mta[3232]: j4EHU1fL003232: Milter add: 
header: X-SMTP-Vilter-Version: 1.1.8
May 14 10:30:01 maildev sm-mta[3232]: j4EHU1fL003232: Milter add: 
header: X-SMTP-Vilter-Virus-Backend: clamd
May 14 10:30:01 maildev sm-mta[3232]: j4EHU1fL003232: Milter add: 
header: X-SMTP-Vilter-Status: clean
May 14 10:30:01 maildev sm-mta[3232]: j4EHU1fL003232: Milter add: 
header: X-SMTP-Vilter-clamd-Virus-Status: clean
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: Milter 
(smtp-vilter): timeout before data read
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: Milter 
(smtp-vilter): timeout before data read
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: Milter 
(smtp-vilter): timeout before data read
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: Milter 
(smtp-vilter): to error state
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: Milter: data, 
reject=451 4.3.2 Please try again later
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: 
to=[EMAIL PROTECTED], delay=00:00:10, pri=140771, 
stat=Please try again later
May 14 10:30:11 maildev sm-msp-queue[1433]: j4ED01SF028079: 
to=postmaster, delay=04:29:59, xdelay=00:00:10, mailer=relay, 
pri=950060, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 451 
4.3.2 Please try again later
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fN003232: Milter: from=, 
reject=451 4.3.2 Please try again later
May 14 10:30:11 maildev sm-msp-queue[1433]: j4E9012F031383: to=root, 
delay=08:30:00, xdelay=00:00:00, mailer=relay, pri=1668215, 
relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 
Please try again later
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fN003232: from=, 
size=108908, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, 
[EMAIL PROTECTED] [127.0.0.1]

There is a message originating from ??? every 30 minutes, not sure what 
this is.
Local mail that I send from root doesn't seem to have a problem, nor 
does mail routed through the box.  But this shows up in the log files 
every 30 minutes.  I have another server that this is a clone of that 
doesn't exhibit this behavior.  This server does have clamav and 
Spamassassin attached to the milter and OpenBSD spamd is also running. 
The other server has a faster processor and is the prototype for the 
clone which was built via a CD install.  My guess is that I have a 
permissions problem somewhere but maybe this 366 MHz Pentium III is a 
little too slow?  Any suggestions or pointers would be much appreciated.
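
A triage helper for log excerpts like the one above, as an added example that is not part of the original post: it groups sm-mta entries by queue ID and reports, for each message whose milter hit "timeout before data read", the sender, size and seconds between acceptance and the first timeout. The sample lines are constructed from the excerpt; the empty sender written as <>, the relay= field and the second queue ID are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the excerpt in the post: one entry per line,
# placeholder addresses, empty sender written as <> (an assumption).
SAMPLE = """\
May 14 10:30:01 maildev sm-mta[3232]: j4EHU1fL003232: from=<>, size=110771, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 14 10:30:01 maildev sm-mta[3232]: j4EHU1fL003232: Milter add: header: X-SMTP-Vilter-Status: clean
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: Milter (smtp-vilter): timeout before data read
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: Milter (smtp-vilter): to error state
May 14 10:30:11 maildev sm-mta[3232]: j4EHU1fL003232: Milter: data, reject=451 4.3.2 Please try again later
May 14 10:31:40 maildev sm-mta[3301]: j4EHVeAA003301: from=<user@example.org>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
"""

ENTRY = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sm-mta\[\d+\]: (\w+): (.*)$")
YEAR = 2005  # syslog omits the year; taken from the thread date


def milter_timeouts(log_text):
    """Return one record per queue ID whose milter timed out."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        stamp, qid, rest = m.groups()
        when = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        rec = msgs[qid]
        if rest.startswith("from="):
            rec["accepted"] = when
            rec["sender"] = rest[5:].split(",", 1)[0]
            size = re.search(r"\bsize=(\d+)", rest)
            rec["size"] = int(size.group(1)) if size else None
        elif "timeout before data read" in rest:
            rec.setdefault("timed_out", when)   # keep the first timeout only
            rec["milter"] = rest.split("(", 1)[1].split(")", 1)[0]
    report = []
    for qid, rec in msgs.items():
        if "timed_out" in rec and "accepted" in rec:
            gap = int((rec["timed_out"] - rec["accepted"]).total_seconds())
            report.append((qid, rec["milter"], rec["sender"], rec["size"], gap))
    return report


if __name__ == "__main__":
    for row in milter_timeouts(SAMPLE):
        print(row)
```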



kernelized pppoe in 3.7

2005-05-15 Thread Chris Zakelj
With the upcoming 3.7 release, I took a look at the -current manpage for 
pppoe(4).  It looks straight-forward enough once you have things set up, 
but I didn't see answers to two things on my mind...
1.  Will users be able to use it during floppy installs, or will an 
intermediate device (cdrom, nfs, or the modem/router boxes many American 
telcos are selling to new subscribers) still be required?
2.  Will hostname.pppoe be able to handle special cases like Jens' # 
character in the username without any special devices, will quotes 
(single, double, or otherwise) handle it, or will those people need to 
rely on the userland driver for the moment?



Re: well that does it

2005-05-15 Thread Joel Dinel
On 5/15/05, Theo de Raadt [EMAIL PROTECTED] wrote: 
 Asked directly if they thought they could defend their reverse
 engineering of for instance the Atheros HAL.  The answer as I heard
 it was Laws don't apply to us.

Oh, please. I was there, and I believe everyone's answer was 'Stop
trolling you damn trolling troll, this is a *technical* conference'.
Man, what a flamebait that was. At least I had a bit of fun watching
Henning and Beck rip our beloved Mr. Kamp a new one. Reyk's talk was
very enlightening.



Despite job cuts

2005-05-15 Thread MSN Hotmail
Thank you for sending an e-mail message to [EMAIL PROTECTED] However, this is 
not a monitored e-mail address.

Sign in to your Hotmail account and click Help for the most up-to-date 
information on this issue as well as recent customer questions. If you need 
more assistance, you can contact us through Help, and we'll respond within one 
business day.

Having problems signing in? If you need to retrieve or reset your password, add 
or update your alternate e-mail address, or change your secret question, go to:
https://memberservices.passport.net/


Click Help for the most up-to-date information on each of these tasks.

 NOTE: You will need to provide the same answers to the account profile 
questions as you entered when you signed up for your Hotmail account. You will 
also need to provide the same answer to your secret question that you created 
during the sign-up process.


Note: We recommend you change your Secret Question and Answer when you update 
your password. This improves the security on your account. Your secret question 
allows only you to retrieve your password online if you ever forget it. If you 
are using a non-English version of Hotmail, your password, like your sign-in 
name, must be typed in Standard English-based text.

Warning: To help protect your personal information, a Hotmail employee will 
never ask you for your current password, either by phone or e-mail. Hotmail 
requires your password only when you sign in to your account and even then, 
your password is not displayed on screen. If you receive a message that asks 
for your current password, please forward it to [EMAIL PROTECTED] immediately 
and do not respond to the message. Never share your password or secret question 
and answer with anyone else. And change your password and secret question 
regularly to increase the security of your account.

For help with other MSN products or services, go to 
http://support.msn.com/contactus.aspx.

Please note that you will not receive a reply if you respond directly to this 
message.



Re: well that does it

2005-05-15 Thread St.Roy
Joel Dinel wrote:
On 5/15/05, Theo de Raadt [EMAIL PROTECTED] wrote: 
 

Asked directly if they thought they could defend their reverse
engineering of for instance the Atheros HAL.  The answer as I heard
it was Laws don't apply to us.
   

Oh, please. I was there, and I believe everyone's answer was 'Stop
trolling you damn trolling troll, this is a *technical* conference'.
Man, what a flamebait that was. At least I had a bit of fun watching
Henning and Beck rip our beloved Mr. Kamp a new one. Reyk's talk was
very enlightening.
 

I was there also, the ass munch attended an OpenBSD
forum with the express intent of causing problems, agenda
firmly in place before he arrived.  My only regret was the
bus that drove by missed him.
Humpa!