Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-21 Thread carlopmart

carlopmart wrote:

Stuart Henderson wrote:

On 2007/07/20 13:20, carlopmart wrote:

Stuart Henderson wrote:

On 2007/07/20 11:02, carlopmart wrote:
 This is my third post about problems with OpenBSD 4.1 during the last
two months ...

Yes, and someone replied with a PR (5508) they'd opened about it.
It's fixed already - src/sys/net/if_pfsync.c 1.83.
Maybe the question to ask is can this be imported to -stable...
Sorry, but it isn't the same bug. Bug 5508 is about a pfsync bug, and
this crash isn't ...


hmm, ok, but you said it's the third post, which (at least to me)
implies that it's the third post about the same problem...



Yes, sorry, second post about this problem ... I wrote another post about
bug 5508, total: three ... With OpenBSD 4.0 on the same servers all
works OK ... I don't understand it...



Please, any hints about this??

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Use certificate subject/ASN1 in ipsec.conf ?

2007-07-21 Thread Markus Wernig
Hello & thanx for the swift reply

Now I've read through the isakmpd.conf and keynote manpages, but,
honestly, I still don't know how to get this working.

Here's the isakmpd.conf I came up with:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
            doi == "ipsec" -> "true";

KeyNote-Version: 2
Authorizer: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
Conditions: remote_id_type == "ASN1 DN" &&
            remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";

The last assertion is to be repeated for every allowed client with the
according subject.

Additionally, I removed the reference to the client in ipsec.conf:

ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain

But still, no joy.

Just to make sure that I don't head off in the wrong direction: Is this
basically how it's supposed to work? And could I additionally still use
the dstid USER_FQDN in ipsec.conf? Because I'd very much like to tag the
packets from each user-session and have user-based rules in pf.conf.

thx /markus

Hans-Joerg Hoexer wrote:
 Hi,
 
 the Subject Alternative Name of your certificate will be used as phase 2
 IDs, i.e. that's what is sent.  If you want to use the Subject Canonical
 Name, you have to additionally provide an isakmpd.policy file and you have
 to run isakmpd without the -K option.  See isakmpd.policy(5).
 
 On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
 Hi all

 I'm setting up an OBSD 4.1 ipsec gateway, against which users will
 authenticate using x509 certificates. They all use personal certificates
 (key usage: digSig), which contain their user name and Email in the
 subject. I need to authenticate them by the whole subject, but can't
 seem to find out how.



Re: Use certificate subject/ASN1 in ipsec.conf ?

2007-07-21 Thread Markus Wernig
s/isakmpd.conf/isakmpd.policy/g

typo
/m




sparcstation 5 for the taking in SF Bay Area

2007-07-21 Thread Marco S Hyman
I've some old Sun SPARC equipment that must go.  There are two
conditions for the taking, though:

1) You must take all of it
2) I'm not going to ship it (I'm in the SF bay area)
   Even though I won't ship it, it is currently boxed for shipment
   in two boxes: #1: 25 x 25 x 21 inches, 57 lbs
                 #2: 21 x 21 x 19 inches, maybe 30 lbs (forgot to weigh it)
   If you want it and you are not local you can schedule a pick-up
   with your favorite carrier on your dime.

What I've got:
 
* Sparcstation 5/110 with 96M ram, 8G disk, TGX (cgsix 1152x900)
  It's old enough that the idprom battery is dead, requiring a
  boot disk or boot cdrom command at the OK prompt to get it going
* Solaris 1.1.2 AKA Sunos 4.1.4 CD
* 611 enclosure with DDS2 tape drive
* 411 enclosure with ST-150 tape drive
* 411 enclosure with Toshiba cd drive plus 2 CD carriers
  SCSI target switch not connected, drive coded for target 6
* No name disk enclosure with Seagate ST12400N 2G drive
* Andataco disk enclosure with Seagate ST31200NH 1G drive
* Various SCSI cables and terminators
* Sun parallel - centronics cable for printer

Front view: http://www.snafu.org/pics/misc/p-20061126-2056-2214.jpg
Rear view:  http://www.snafu.org/pics/misc/p-20061126-2056-2215.jpg
(Pics snapped before it was boxed for shipping)
 
No monitor.  No keyboard.  Nothing on the disks.  The system works
well enough to let me boot a bsd.rd from the CD and wipe all the
disks.
 
The DDS2 tape drive and the cables might be worth something.
Taking the rest of the stuff is the price you'll have to pay
to get it :-)

// marc



Re: fsck Segmentation fault on 4.1

2007-07-21 Thread Marcos Laufer
Well, it seems that more people are having this same error. I found this guy
in Brazil who hasn't reported it but mentioned it in a forum:
http://www.bsdforums.org/forums/showthread.php?p=265260
(read at the end).
I think it would be a good idea to put the patch in the stable branch.

Regards,
Marcos

- Original Message - 
From: Otto Moerbeek [EMAIL PROTECTED]
To: Marcos Laufer [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Friday, July 20, 2007 4:02 PM
Subject: Re: fsck Segmentation fault on 4.1


On Fri, 20 Jul 2007, Marcos Laufer wrote:

 Will this be moved to -stable, or is it an uncommon thing ?

It's not very common, but the impact is pretty high. So once some more
test reports are coming in, we'll consider it.

-Otto


 - Original Message - 
 From: Otto Moerbeek [EMAIL PROTECTED]
 To: Marcos Laufer [EMAIL PROTECTED]
 Cc: misc@openbsd.org
 Sent: Thursday, July 19, 2007 3:09 PM
 Subject: Re: fsck Segmentation fault on 4.1


 On Fri, 13 Jul 2007, Otto Moerbeek wrote:

  On Fri, 13 Jul 2007, Marcos Laufer wrote:
 
   Otto ,
  
   This is the error i get:
   It starts booting, and it starts fsck, which fails with /dev/rwd0e and
   rwd0h,
  
   (i could see once that when it finished it says:)
   fsck_ffs in free():  error: free_page: pointer to wrong page
   fsck: /dev/rwd0h: Abort trap
  
   I reboot it again many times and that did not show again
  
  
   i try to fsck manually like this as you say and i get:
  
   # ulimit -d unlimited
   # fsck -y /dev/rwd0e
  
   INCONSISTENT CGSIZE=16384
  
   FIX? yes
  
   * * Last mounted on /usr
   * * Phase 1- Check Blocks and Sizes
   * * Phase 2 - Check pathnames
   * * Phase 3 - Check Conectivity
   * * Phase 4 - Check Reference Counts
   * * Phase 5 - Check Cyl Groups
  
   CANNOT READ: BLK 64
  
   CONTINUE? yes
  
   fsck: /dev/rwd0e: Segmentation Fault
 
  This is not an out of memory situation.
 
  It looks like fsck_ffs has problems getting data from your disk,
  probably because of hardware failure or bad cabling.  Sometimes it
  detects it cannot read the data (the CANNOT READ: BLK 64 case), but it
  is possible it gets corrupted data in other cases.
 
  Sadly, this can cause fsck_ffs to do the wrong thing and access wrong
  memory and corrupt its internal data. During the last year I've fixed
  some stuff in this area, but there still remain cases that can go
  wrong.

 I misdiagnosed the problem. In the meantime I got another report with
 a dd of the partition which enabled me to diagnose the problem and
 make a fix for 4.1. Please test and report back. I'll be on vacation
 from Saturday, so it would be nice if you can answer before that.

 Anybody else seeing INCONSISTENT CGSIZE messages should try this as well.

 NOTE: this diff only applies to 4.1. Current does not have the
 problem, due to a corrected CGSIZE macro.

 -Otto

 Index: setup.c
 ===
 RCS file: /cvs/src/sbin/fsck_ffs/setup.c,v
 retrieving revision 1.29
 diff -u -p -r1.29 setup.c
 --- setup.c 16 Feb 2007 08:34:29 - 1.29
 +++ setup.c 19 Jul 2007 18:02:36 -
 @@ -336,6 +336,7 @@ setup(char *dev)
   sbdirty();
   dirty(asblk);
   }
 +#if 0
   if (sblock.fs_cgsize != fragroundup(sblock, CGSIZE(sblock))) {
   pwarn(INCONSISTENT CGSIZE=%d\n, sblock.fs_cgsize);
   sblock.fs_cgsize = fragroundup(sblock, CGSIZE(sblock));
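Review bot: the `+#if 0` at the top of this hunk disables the whole fs_cgsize consistency check instead of correcting it, so on 4.1 a superblock whose fs_cgsize genuinely disagrees with the on-disk layout is no longer reported or repaired, and nothing in the source records why the block is dead. Since the cover mail attributes the false positives to the 4.1 CGSIZE macro, a comment on that line (for example `#if 0 /* CGSIZE() miscomputes on 4.1; fixed in -current */`) would keep a later reader from re-enabling the check without the macro fix.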
 @@ -346,6 +347,7 @@ setup(char *dev)
   dirty(asblk);
   }
   }
 +#endif
   if (INOPB(sblock) != sblock.fs_bsize / sizeof(struct ufs1_dinode)) {
   pwarn(INCONSISTENT INOPB=%d\n, INOPB(sblock));
   sblock.fs_inopb = sblock.fs_bsize / sizeof(struct ufs1_dinode);
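Review bot: the `+#endif` lands ten lines and one hunk away from its `#if 0`, with no comment saying what it closes; `#endif /* CGSIZE check */` would make the pair readable in isolation. The context lines `dirty(asblk); } }` above it show the disabled region ends exactly after the fs_cgsize repair branch and before the INOPB check, so that check and its repair path stay live.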



trunk + loadbalance

2007-07-21 Thread Fernando Quintero
Hi all, I'm trying to test the trunk driver; in trunk(4) I read
about failover, roundrobin and loadbalance.
I connected 2 NICs on host A, and I'm trying to test them all from a host B.
Failover works fine, roundrobin works (I think) because it alternates between
the 2 NICs.

But I don't know how to really test the loadbalance feature. I read:

loadbalance  Balances outgoing traffic across the active ports based on
             hashed protocol header information and accepts incoming
             traffic from any active port.  The hash includes the Ethernet
             source and destination address, and, if available, the
             VLAN tag, and the IP source and destination address.

What does "hashed protocol" mean exactly? How can I test the loadbalance of
trunk?
I tried with HTTP and FTP traffic from different hosts, but it does not work.
Any idea?

Thanks for replying.

--
Fernando Quintero
Electronics Engineer



Re: trunk + loadbalance

2007-07-21 Thread Jamex Reynolds
 What does "hashed protocol" mean exactly? How can I
test the loadbalance of trunk?

From Wikipedia:

A hash function [1] is a reproducible method of
turning some kind of data into a (relatively) small
number that may serve as a digital fingerprint of
the data.

So the packets get their fingerprint taken; depending on
whether the fingerprint falls into category A or
category B, it would get routed to NIC A or NIC
B.

You could try spoofing the MAC address to see if
that toggled the category. As you are probably noticing
all traffic is getting sent to the same NIC because
its hash value (aka fingerprint) doesn't change.

Hopefully this explanation was accurate and useful.
I'm not really an expert and have never used trunk but
I think I know what is meant in this case.

Cheers,
James
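
Added example, not code from the thread or from OpenBSD's trunk(4) driver: a Python simulation of the port-selection rule the man page text above describes (hash of Ethernet addresses, VLAN tag and IP addresses, taken modulo the number of active ports). The hash function (SHA-256 truncated to 32 bits) and the sample hosts are assumptions, so the exact split of the eight client hosts will differ from the real driver, but the property that explains the original poster's result holds either way: flows that differ only in TCP port or protocol always leave on the same NIC.

```python
import hashlib
import ipaddress
from typing import Optional


def flow_key(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
             vlan: Optional[int] = None) -> bytes:
    """Serialise the fields trunk(4) loadbalance hashes: Ethernet source and
    destination, the VLAN tag if present, and IP source and destination.
    TCP/UDP ports are not part of the key, so HTTP, FTP and SSH between the
    same two hosts all produce the same key."""
    key = bytes.fromhex(src_mac.replace(":", ""))
    key += bytes.fromhex(dst_mac.replace(":", ""))
    if vlan is not None:
        key += vlan.to_bytes(2, "big")
    key += ipaddress.ip_address(src_ip).packed
    key += ipaddress.ip_address(dst_ip).packed
    return key


def header_hash(key: bytes) -> int:
    """32-bit hash of the key. Assumption: SHA-256 truncated to 32 bits stands
    in for the driver's own hash; only the modulo selection below is the point."""
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def select_port(key: bytes, active_ports: int) -> int:
    """Index of the trunk port this flow leaves on: hash modulo active ports."""
    return header_hash(key) % active_ports


def port_distribution(flows, active_ports: int = 2) -> list:
    """Count how many of the given (src_mac, dst_mac, src_ip, dst_ip[, vlan])
    flows land on each of the active trunk ports."""
    counts = [0] * active_ports
    for flow in flows:
        counts[select_port(flow_key(*flow), active_ports)] += 1
    return counts


# Constructed sample traffic (documentation MAC/IP ranges, not real hosts).
HOST_A_MAC, HOST_A_IP = "00:00:5e:00:53:01", "10.0.0.1"
HOST_B_MAC, HOST_B_IP = "00:00:5e:00:53:02", "10.0.0.2"
# Three services (http, ftp, ssh) from host B to host A: ports differ, key does not.
SAME_PAIR = [(HOST_B_MAC, HOST_A_MAC, HOST_B_IP, HOST_A_IP)] * 3
# Eight distinct client hosts talking to host A: keys differ, so they can spread.
MANY_HOSTS = [("00:00:5e:00:53:%02x" % i, HOST_A_MAC, "10.0.0.%d" % i, HOST_A_IP)
              for i in range(2, 10)]

if __name__ == "__main__":
    print("same host pair, three services:", port_distribution(SAME_PAIR))
    print("eight different client hosts  :", port_distribution(MANY_HOSTS))
```

To see traffic use the second NIC, the source MAC or IP has to change (different client hosts, or a VLAN tag), not the application protocol.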



Re: Non critical but weird pf and openvpn problem

2007-07-21 Thread a666
Update.  With help from the mailing list, both of my problems have 
been solved.  The first problem was the same as the original 
poster.  To reiterate, the problems were:

1. On startup, pf would not allow any packets through on tun0.  
Thus openvpn would not work.  The temporary fix was to ssh in and 
run pfctl -f /etc/pf.conf

2. After running pfctl -f /etc/pf.conf, openvpn would only work 
if "pass in on $int_if from 10.8.0.0/24 to any" was in the pf.conf 
file.

The solution was twofold.  First, remove the two lines from my 
pf.conf file (listed at the bottom):

set skip on { lo, tun0 }
pass in on $int_if from 10.8.0.0/24

The second part of the solution was to add after block in:

pass quick on { lo, tun0 }

This fixed both problems.  I hope this works for the original 
poster as well.  I guess set skip doesn't work for tun0.

On Fri, 20 Jul 2007 09:12:20 -0700 [EMAIL PROTECTED] wrote:
Here are my pf rules:

ext_if=fxp0
int_if=ath0

set skip on { lo, tun0 }
set block-policy return

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"
block in

antispoof quick for { lo, $int_if, tun0 }

pass in on $int_if proto tcp from 10.1.1.2 to 10.1.1.1 port ssh
pass in proto icmp
pass in on $int_if from 10.8.0.0/24 to any
pass in on $int_if proto udp from 10.1.1.2 to 10.1.1.1 port 1194
pass out