Re: Please it is urgent: new OpenBSD 4.1 crash
carlopmart wrote:
Stuart Henderson wrote:
On 2007/07/20 13:20, carlopmart wrote:
Stuart Henderson wrote:
On 2007/07/20 11:02, carlopmart wrote:
This is my third post about problems with OpenBSD 4.1 during the last two months ...

Yes, and someone replied with a PR (5508) they'd opened about it. It's fixed already - src/sys/net/if_pfsync.c 1.83. Maybe the question to ask is whether this can be imported to -stable...

Sorry, but it isn't the same bug. Bug 5508 is about a pfsync bug, and this crash isn't ...

hmm, ok, but you said it's the third post, which (at least to me) implies that it's the third post about the same problem...

Yes, sorry, second post about this problem ... I wrote another post about bug 5508, total: three ... With OpenBSD 4.0 on the same servers all works ok ... I don't understand it... Please, any hints about this??

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Use certificate subject/ASN1 in ipsec.conf ?
Hello, thanx for the swift reply.

Now I've read through the isakmpd.conf and keynote manpages, but, honestly, I still don't know how to get this working. Here's the isakmpd.conf I came up with:

KeyNote-Version: 2
Authenticator: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" && doi == "ipsec" -> "true";

KeyNote-Version: 2
Authenticator: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
Conditions: remote_id_type == "ASN1 DN" && remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";

The last assertion is to be repeated for every allowed client with the according subject.

Additionally, I removed the reference to the client in ipsec.conf:

ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain

But still, no joy. Just to make sure that I don't head off in the wrong direction: Is this basically how it's supposed to work? And could I additionally still use the dstid USER_FQDN in ipsec.conf? Because I'd very much like to tag the packets from each user-session and have user-based rules in pf.conf.

thx
/markus

Hans-Joerg Hoexer wrote:
Hi, the Subject Alternative Name of your certificate will be used as phase 2 IDs, i.e. that's what is sent. If you want to use the Subject Canonical Name, you have to additionally provide an isakmpd.policy file and you have to run isakmpd without the -K option. See isakmpd.policy(5).

On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
Hi all, I'm setting up an OBSD 4.1 ipsec gateway, against which users will authenticate using x509 certificates. They all use personal certificates (key usage: digSig), which contain their user name and Email in the subject. I need to authenticate them by the whole subject, but can't seem to find out how.
Re: Use certificate subject/ASN1 in ipsec.conf ?
s/isakmpd.conf/isakmpd.policy/g
typo
/m

Markus Wernig wrote:
Hello, thanx for the swift reply.

Now I've read through the isakmpd.conf and keynote manpages, but, honestly, I still don't know how to get this working. Here's the isakmpd.conf I came up with:

KeyNote-Version: 2
Authenticator: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" && doi == "ipsec" -> "true";

KeyNote-Version: 2
Authenticator: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
Conditions: remote_id_type == "ASN1 DN" && remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";

The last assertion is to be repeated for every allowed client with the according subject.

Additionally, I removed the reference to the client in ipsec.conf:

ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain

But still, no joy. Just to make sure that I don't head off in the wrong direction: Is this basically how it's supposed to work? And could I additionally still use the dstid USER_FQDN in ipsec.conf? Because I'd very much like to tag the packets from each user-session and have user-based rules in pf.conf.

thx
/markus

Hans-Joerg Hoexer wrote:
Hi, the Subject Alternative Name of your certificate will be used as phase 2 IDs, i.e. that's what is sent. If you want to use the Subject Canonical Name, you have to additionally provide an isakmpd.policy file and you have to run isakmpd without the -K option. See isakmpd.policy(5).

On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
Hi all, I'm setting up an OBSD 4.1 ipsec gateway, against which users will authenticate using x509 certificates. They all use personal certificates (key usage: digSig), which contain their user name and Email in the subject. I need to authenticate them by the whole subject, but can't seem to find out how.
sparcstation 5 for the taking in SF Bay Area
I've some old Sun SPARC equipment that must go. There are two conditions for the taking, though:

1) You must take all of it
2) I'm not going to ship it (I'm in the SF bay area)

Even though I won't ship it, it is currently boxed for shipment in two boxes:

#1: 25 x 25 x 21 inches, 57 lbs
#2: 21 x 21 x 19 inches, maybe 30 lbs (forgot to weigh it)

If you want it and you are not local you can schedule a pick-up with your favorite carrier on your dime.

What I've got:

* Sparcstation 5/110 with 96M ram, 8G disk, TGX (cgsix 1152x900). It's old enough that the idrom battery is dead, requiring a boot disk or boot cdrom command at the OK prompt to get it going
* Solaris 1.1.2 AKA Sunos 4.1.4 CD
* 611 enclosure with DDS2 tape drive
* 411 enclosure with ST-150 tape drive
* 411 enclosure with toshiba cd drive plus 2 CD carriers. SCSI target switch not connected, drive coded for target 6
* No name disk enclosure with Seagate ST12400N 2G drive
* Andataco disk enclosure with Seagate ST31200NH 1G drive
* Various SCSI cables and terminators
* Sun parallel - centronics cable for printer

Front view: http://www.snafu.org/pics/misc/p-20061126-2056-2214.jpg
Rear view: http://www.snafu.org/pics/misc/p-20061126-2056-2215.jpg
(Pics snapped before it was boxed for shipping)

No monitor. No keyboard. Nothing on the disks. The system works well enough to let me boot a bsd.rd from the CD and wipe all the disks.

The DDS2 tape drive and the cables might be worth something. Taking the rest of the stuff is the price you'll have to pay to get it :-)

// marc
Re: fsck Segmentation fault on 4.1
Well, it seems that more people are having this same error; I found this guy in Brazil who hasn't reported it but mentioned it in a forum: http://www.bsdforums.org/forums/showthread.php?p=265260 (read at the end). I think it would be a good idea to put the patch in the stable branch.

Regards,
Marcos

- Original Message -
From: Otto Moerbeek [EMAIL PROTECTED]
To: Marcos Laufer [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Friday, July 20, 2007 4:02 PM
Subject: Re: fsck Segmentation fault on 4.1

On Fri, 20 Jul 2007, Marcos Laufer wrote:
Will this be moved to -stable, or is it an uncommon thing?

It's not very common, but the impact is pretty high. So once some more test reports are coming in, we'll consider it.

-Otto

- Original Message -
From: Otto Moerbeek [EMAIL PROTECTED]
To: Marcos Laufer [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Thursday, July 19, 2007 3:09 PM
Subject: Re: fsck Segmentation fault on 4.1

On Fri, 13 Jul 2007, Otto Moerbeek wrote:
On Fri, 13 Jul 2007, Marcos Laufer wrote:
Otto, this is the error I get: It starts booting, and it starts fsck; it fails with /dev/rwd0e and rwd0h. (I could see once that when it finished it says:)

fsck_ffs in free(): error: free_page: pointer to wrong page
fsck: /dev/rwd0h: Abort trap

I reboot it again many times and that did not show again. I try to fsck manually like this as you say and I get:

# ulimit -d unlimited
# fsck -y /dev/rwd0e
INCONSISTENT CGSIZE=16384
FIX? yes
** Last mounted on /usr
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check pathnames
** Phase 3 - Check Conectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl Groups
CANNOT READ: BLK 64
CONTINUE? yes
fsck: /dev/rwd0e: Segmentation Fault

This is not an out of memory situation. It looks like fsck_ffs has problems getting data from your disk, probably because of hardware failure or bad cabling. Sometimes it detects it cannot read the data (the CANNOT READ: BLK 64 case), but it is possible it gets corrupted data in other cases. Sadly, this can cause fsck_ffs to do the wrong thing and access wrong memory and corrupt its internal data. During the last year I've fixed some stuff in this area, but there still remain cases that can go wrong.

I misdiagnosed the problem. In the meantime I got another report with a dd of the partition which enabled me to diagnose the problem and make a fix for 4.1. Please test and report back. I'll be on vacation from Saturday, so it would be nice if you can answer before that.

Anybody else seeing INCONSISTENT CGSIZE messages should try this as well.

NOTE: this diff only applies to 4.1. Current does not have the problem, due to a corrected CGSIZE macro.
-Otto Index: setup.c === RCS file: /cvs/src/sbin/fsck_ffs/setup.c,v retrieving revision 1.29 diff -u -p -r1.29 setup.c --- setup.c 16 Feb 2007 08:34:29 - 1.29 +++ setup.c 19 Jul 2007 18:02:36 - @@ -336,6 +336,7 @@ setup(char *dev) sbdirty(); dirty(asblk); } +#if 0 if (sblock.fs_cgsize != fragroundup(sblock, CGSIZE(sblock))) { pwarn(INCONSISTENT CGSIZE=%d\n, sblock.fs_cgsize); sblock.fs_cgsize = fragroundup(sblock, CGSIZE(sblock)); @@ -346,6 +347,7 @@ setup(char *dev) dirty(asblk); } } +#endif if (INOPB(sblock) != sblock.fs_bsize / sizeof(struct ufs1_dinode)) { pwarn(INCONSISTENT INOPB=%d\n, INOPB(sblock)); sblock.fs_inopb = sblock.fs_bsize / sizeof(struct ufs1_dinode);
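Review bot: The `#if 0` opened before `if (sblock.fs_cgsize != fragroundup(sblock, CGSIZE(sblock)))` in the first hunk and closed by the `#endif` in the second hunk disables the whole CGSIZE repair, including the `sblock.fs_cgsize = fragroundup(sblock, CGSIZE(sblock));` write-back and the `dirty(asblk);` that follows it, but leaves no comment in setup.c saying why. Put the rationale from the covering message next to the `#if 0`: on 4.1 the CGSIZE macro is what is wrong, so the "INCONSISTENT CGSIZE=%d" path was rewriting a correct superblock, and -current carries the corrected macro, which is why the diff is 4.1-only. Without that, the next reader sees a silently disabled consistency check and no reason not to re-enable it.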
trunk + loadbalance
Hi all, I'm trying to test the trunk driver; in the man (4) trunk I read about failover, roundrobin and loadbalance. I connected 2 NICs on host A, and I'm trying to test all from a host B. Failover works fine, roundrobin works (I think) because it changes between 2 NICs. But I don't know how to test the loadbalance feature really. I read:

loadbalance
    Balances outgoing traffic across the active ports based on hashed protocol header information and accepts incoming traffic from any active port. The hash includes the Ethernet source and destination address, and, if available, the VLAN tag, and the IP source and destination address.

What does "hashed protocol" mean exactly? How can I test the loadbalance of trunk? I tried with http and ftp traffic from different hosts, but it does not work. Any idea?

Thanks for reply.

--
Fernando Quintero
Ingeniero Electrónico
Re: trunk + loadbalance
What does "hashed protocol" mean exactly? How can I test the loadbalance of trunk?

From Wikipedia: A hash function [1] is a reproducible method of turning some kind of data into a (relatively) small number that may serve as a digital fingerprint of the data.

So the packets get their fingerprint taken; depending on whether the fingerprint falls into the A category or B category it would get routed to NIC A or NIC B. You could try spoofing the MAC address to see if that toggled the category. As you are probably noticing, all traffic is getting sent to the same NIC because its hash value (aka fingerprint) doesn't change.

Hopefully this explanation was accurate and useful. I'm not really an expert and have never used trunk but I think I know what is meant in this case.

Cheers,
James
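An added model of the selection the trunk(4) manpage text quoted above describes; this is not code from the driver or from either poster. It hashes only the fields the manpage names (Ethernet source/destination, the VLAN tag when present, IP source/destination) and takes the result modulo the number of active ports. The Jenkins one-at-a-time hash, the Flow fields and the constructed addresses are assumptions of the model; what it shows is that every connection from one client to one server picks the same NIC whatever the TCP port, so a meaningful loadbalance test needs traffic from several source hosts (or several MAC/IP addresses), not several services from one host.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Constructed frame summary; dport is carried only to show that it is ignored."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dport: int
    vlan: Optional[int] = None


def oaat_hash(data: bytes, seed: int = 0) -> int:
    """Jenkins one-at-a-time hash; assumption: a stand-in for the driver's own hash."""
    h = seed & 0xFFFFFFFF
    for b in data:
        h = (h + b) & 0xFFFFFFFF
        h = (h + (h << 10)) & 0xFFFFFFFF
        h ^= h >> 6
    h = (h + (h << 3)) & 0xFFFFFFFF
    h ^= h >> 11
    h = (h + (h << 15)) & 0xFFFFFFFF
    return h


def select_port(flow: Flow, nports: int, seed: int = 0) -> int:
    """Pick the outgoing port from Ethernet src/dst, VLAN tag if present, IP src/dst.
    TCP/UDP ports are deliberately not part of the key, as in the manpage text."""
    key = bytes.fromhex(flow.src_mac.replace(":", "")) + bytes.fromhex(flow.dst_mac.replace(":", ""))
    if flow.vlan is not None:
        key += flow.vlan.to_bytes(2, "big")
    key += ipaddress.ip_address(flow.src_ip).packed + ipaddress.ip_address(flow.dst_ip).packed
    return oaat_hash(key, seed) % nports


def distribution(flows, nports: int, seed: int = 0) -> Counter:
    """How many flows each port receives; the shape of a useful loadbalance test."""
    return Counter(select_port(f, nports, seed) for f in flows)


if __name__ == "__main__":
    gw = "66:77:88:99:aa:bb"   # constructed gateway MAC
    one_host = [Flow("00:11:22:33:44:55", gw, "192.0.2.10", "192.0.2.1", p) for p in (21, 22, 80, 443)]
    many_hosts = [Flow(f"02:00:00:00:00:{i:02x}", gw, f"192.0.2.{i}", "192.0.2.1", 80) for i in range(1, 65)]
    print("one client, four services:", distribution(one_host, 2))    # all on a single port
    print("64 clients, one service:  ", distribution(many_hosts, 2))  # spread over both ports
```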
Re: Non critical but weird pf and openvpn problem
Update. With help from the mailing list, both of my problems have been solved. The first problem was the same as the original poster's. To reiterate, the problems were:

1. On startup, pf would not allow any packets through on tun0. Thus openvpn would not work. The temporary fix was to ssh in and run pfctl -f /etc/pf.conf
2. After running pfctl -f /etc/pf.conf, openvpn would only work if pass in on $int_if from 10.8.0.0/24 to any was in the pf.conf file.

The solution was twofold. First, remove the two lines from my pf.conf file (listed at the bottom):

set skip on { lo, tun0 }
pass in on $int_if from 10.8.0.0/24

The second part of the solution was to add after block in:

pass quick on { lo, tun0 }

This fixed both problems. I hope this works for the original poster as well. I guess set skip doesn't work for tun0.

On Fri, 20 Jul 2007 09:12:20 -0700 [EMAIL PROTECTED] wrote:
Here are my pf rules:

ext_if=fxp0
int_if=ath0
set skip on { lo, tun0 }
set block-policy return
scrub in
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor ftp-proxy/*
block in
antispoof quick for { lo, $int_if, tun0 }
pass in on $int_if proto tcp from 10.1.1.2 to 10.1.1.1 port ssh
pass in proto icmp
pass in on $int_if from 10.8.0.0/24 to any
pass in on $int_if proto udp from 10.1.1.2 to 10.1.1.1 port 1194
pass out