Re: Sudo YPLDAP

2009-01-22 Thread uw
On Thu, 22 Jan 2009 14:04:00 +1100, Gavin Norman <gav...@rcservices.com.au> wrote:

> Greetings,
>
> Anyone had any luck getting sudo working with YPLDAP/LDAP?
>
> Regards.

You don't need ypldap. It is an LDAP-to-NIS server which provides NIS
maps for users and groups, so you can fetch passwd/groups from LDAP via
'NIS'.

I suggest simply compiling sudo from source with LDAP support after
installing openldap; see README.LDAP in the source tree.

Regards Uwe



Re: Router ping one way only

2009-01-22 Thread duxbuz
Still no joy with this issue.

I was asked to try:

Try this:

Go to the ubuntu machine (network 192...) and listen for icmp packets on
the interface connected to the 172... network.

Then get a machine from network 172... and try to ping it.

You did a tcpdump on the pf pseudo-interface before, but your problem
doesn't seem to be routing and/or pf filter rules.

If you see ICMP requests coming from another ip, you have a nat in between
and that would justify your one way ping.

I got these results from this:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:30:28.359774 IP pupil-laptop.local.ssh > 172.16.0.6.49797: P 1505958084:1505958280(196) ack 379641432 win 566
08:30:28.361092 IP pupil-laptop.local.50398 > 212.23.3.100.domain: 33472+ PTR? 6.0.16.172.in-addr.arpa. (41)
08:30:28.361960 IP 172.16.0.6.49797 > pupil-laptop.local.ssh: . ack 196 win 66
08:30:28.375114 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 5, length 64
08:30:29.375137 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 6, length 64
08:30:30.375146 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 7, length 64
08:30:31.375134 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 8, length 64
08:30:32.375144 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 9, length 64
08:30:33.359178 IP pupil-laptop.local.50845 > 212.23.6.100.domain: 33472+ PTR? 6.0.16.172.in-addr.arpa. (41)
08:30:33.375117 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 10, length 64
08:30:34.375156 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893,
 

Does this look irregular? 





Martin Toft-2 wrote:
>
> What happens when you ping from the OpenBSD router? Does any of the
> other equipment reply?
>
> The Ubuntu machine's firewall settings can be seen by running 'sudo
> iptables -L -v -n'. Are you sure it doesn't block incoming ICMP
> requests?
>
> Martin

-- 
View this message in context: 
http://www.nabble.com/Router-ping-one-way-only-tp21569634p21600393.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: OpenBSD 4.4 pf+vlan+bridge problem

2009-01-22 Thread Imre Oolberg

Hi!


> > Wouldn't it be better to not use the bridge and use (multicast-)routing
> > and pf to solve your problem?
>
> Multicast routing with dvmrpd is tested with pf, does not work. the
> same thing happens, if streamX is allowed to pass out on vlanX and
> streamY is allowed to pass out on vlanY, result is pretty similar:
> vlanX outputs both streams (streamX, streamY) and the same thing with
> vlanY. pf is not 100% percent multicast compat.?


These days I tried out multicast routing anyway and also set up a
configuration similar to the one described at the beginning of this
thread, assuming that for pf multicast traffic is no different from any
other 'ordinary' traffic.


I believe the reason why with a rule like this

pass out quick on vlan1101 proto udp from any to 239.16.1.1

you see the same traffic on every interface which is set up for multicast
is how pf decides to pass packets. The default state-policy is floating,
which means the decision to pass traffic is based on the packet's
direction, src and dst ip and ports, and not on which interface the packet
leaves (or enters). Normally this is ok, and as I understand it this
approach for example saves memory by not keeping track of which exact
interface is used for passing. But a problem arises with multicast traffic
as src and dst addresses and ports are the same. I tried it, and adding
'keep state (if-bound)' seems to solve the problem.



Imre

Actually I experimented with tags, something like this

..
pass in quick on $if_onelan inet to 239.x.x.x keep state (if-bound) tag MC
pass out quick on $if_otherlan keep state (if-bound) tagged MC
...



Re: net5501 crypto driver

2009-01-22 Thread Christoph Leser
Yes, I can confirm that glxsb.c 1.15 works fine with 4.4. stable.
Now AES 256 works again.

Thanks

> -----Original Message-----
> From: Markus Friedl [mailto:markus.r.fri...@arcor.de]
> Sent: Tuesday, 20 January 2009 13:53
> To: Christoph Leser
> Cc: misc@openbsd.org
> Subject: Re: net5501 crypto driver
>
>
> 1.15 should just work fine in stable.
>
> -m
>
> On Tue, Jan 20, 2009 at 12:19:34PM +0100, Christoph Leser wrote:
> > As described in
> > http://kerneltrap.org/mailarchive/openbsd-misc/2008/9/22/3364064
> > there is a problem with the driver for the AMD Geode LX series
> > processor security block for openBSD 4.4 ( glxsb.c ).
> >
> > This has been fixed in version 1.15 of this file, but this fix has not
> > been committed to 4.4. stable ( still on 1.14 ).
> >
> > Is it ok to use 1.15 with 4.4 stable or do I have to switch to current
> > in order to use this patch.
> >
> > Regards
> >
> > Christoph



Re: Sudo YPLDAP

2009-01-22 Thread Gavin Norman
I'm aware of that, but sudo whinges about uid x not being in /etc/passwd
if they are from ypldap.

Regards.
--
Gavin Norman
IT Manager
RC Services Vic
M: +614 0935 4020
E: gav...@rcservices.com.au



Re: now OT Re: Virtualization, OpenBSD as host

2009-01-22 Thread Diana Eichert

On Thu, 22 Jan 2009, Josh wrote:

> I am in the process of building NetBSD dom0 machines after having
> problems with trying to get linux to work beyond a snail's pace on the
> hardware we have.
>
> I just used the howto provided here:
> http://www.netbsd.org/ports/xen/howto.html
>
> Only issue from that was grub did not boot the xen.gz kernel, but just
> gunzip it and alter grub's menu.lst to suit.


First, this isn't a NetBSD mail list, so we've definitely veered off
topic for the list.

How well does PF run for you?

diana



Apache file upload

2009-01-22 Thread pcnicolas

Hi

I need a very simple web page to upload files on my Apache web server.
I found a cgi script like this one, http://www.raditha.com/megaupload/,
but I always get an internal server error message.


Has anyone done something like that?

Thanks



rfc1918

2009-01-22 Thread Steve Laurie
Hi all,

I was wondering if someone could tell me why there's a need to write
a rule to block addresses that come under the private address space if
these addresses aren't routable over the Internet?

Cheers,
Steve

-- 
I like Linux. I used it to download OpenBSD!!!



pf.conf and tags

2009-01-22 Thread Steve Laurie
Hello all (again),

I was wondering if someone could tell me if using tags in pf.conf makes
anything better apart from setting up trusts between interfaces etc.

Basically, what I'm trying to ask is how can I make pf faster?  What is
important? More RAM? Faster CPU? Using tags? A smaller rule file? Using
architecture other than x86? 

I've got a Sun Microsystems Ultra 5 270MHz 64bit CPU with 128MB of RAM.
Would that be better than the 1GHz 1024MB RAM x86 bitsa I'm using at the
moment?

top shows the machine is only using around 70MB. What would you consider
as the optimum configuration for a machine built with pf in mind?


Also, is it wrong to allow everything out of your network? I'm only
allowing HTTP/S, SMTP, FTP... the usual suspects, but I'm blocking every
other unnecessary port in and out of the int_if, ext_if and dmz_if. I
bought a book once that talked about "My network can do no harm" and
ever since then I've blocked all that's not needed. Is this overkill
that could be choking my performance, since if you were to print my
rules out, the paper would go from here to China and back?

Cheers, 
Steve Laurie

-- 
Windows constantly reminds me of my daughter - 
Honest Daddy, I wasn't doing anything and it just broke!



Re: rfc1918

2009-01-22 Thread - Tethys
On Thu, Jan 22, 2009 at 1:37 PM, Steve Laurie <st...@foo-unix.org> wrote:

> I was wondering if someone could tell me why there's a need to write
> a rule to block addresses that come under the private address space if
> these addresses aren't routable over the Internet?

An RFC that says they shouldn't be routable over the Internet doesn't
mean that they aren't. I've seen plenty of cases where a misconfigured
router has sent RFC1918 packets out onto the net. Blocking them at
your border is cheap, so it makes sense to do so.

Tet

-- 
Perl is like vise grips. You can do anything with it but it is the
wrong tool for every job. -- Bruce Eckel



Re: Apache file upload

2009-01-22 Thread Vadim Zhukov
On 22 January 2009 16:26:08 pcnico...@freesurf.fr wrote:
> Hi
>
> I need a very simple web page to upload files on my Apache web server.
> I found some cgi script like this one
> http://www.raditha.com/megaupload/ but I always face internal server
> error message.

Did you look at the logs in /var/www/logs?

> Did anyone done some like that ?

See the code at the end of letter. I'm using such page myself,
secured by HTTP authorization, so there are not so many security
and reliability checks in the code. You need to install
php5-core package, of course.

--
  WBR,
Pereresus ne Vlezaet Buggy


<?php
// $Id$
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
   "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <title>File download page</title>
</head>
<body>
  <h1>File uploading</h1>
<?php
if (count($_FILES) > 0 && $_FILES['userfile']['tmp_name'] != '' &&
    is_uploaded_file($_FILES['userfile']['tmp_name'])) {
    // basename() drops any directory part of the browser-supplied name;
    // the rest of the name is used as the client sent it
    $basename = basename($_FILES['userfile']['name']);
    $t = time();
    $newname = '/upl/files/'.$t.'_'.$basename;
    if (rename($_FILES['userfile']['tmp_name'], $newname)) {
        chmod($newname, 0644);
        echo '<p>File <strong>'.htmlspecialchars($basename).
            '</strong> uploaded successfully!</p>';
        // hard-link the stored file into the document root so it can be fetched
        $linkpath = '/dnl/auto/'.$t.'_'.$basename;
        if (link($newname, '/htdocs'.$linkpath)) {
            $url = 'http://'.$_SERVER['SERVER_NAME'].$linkpath;
            echo '<p>File can be downloaded via link: <a target="_blank" href="'.
                htmlspecialchars($url).'">'.htmlspecialchars($url).'</a></p>';
        } else {
            $linkFailed = 1;
            echo '<p>For downloading the file please ask the administrator.</p>';
        }
    } else {
        $renameFailed = 1;   // reported in the notification mail below
        echo '<p>Sorry, server error occurred. Please try again later.</p>';
    }

    // notify the administrator over SMTP (PEAR Net_SMTP)
    require 'Net/SMTP.php';

    $host = 'mail.my.domain';
    $subj = "Subject: New file uploaded\r\n";
    $body = "New file\r\n$basename\r\n".
        "can be found in /upl/files/ directory.\r\n";
    if (isset($renameFailed))
        $body .= "ERROR: failed to move uploaded file\r\n";
    if (isset($linkFailed))
        $body .= "WARNING: failed to create hard link in /htdocs/dnl/auto\r\n";

    if (($smtp = new Net_SMTP($host))) {
        if (!PEAR::isError($smtp->connect())) {
            if (!PEAR::isError($smtp->mailFrom('w...@my.domain'))) {
                if (!PEAR::isError($smtp->rcptTo('ad...@my.domain'))) {
                    $smtp->data($subj . "\r\n" . $body);
                }
            }
            $smtp->disconnect();
        }
    }
}
?>

<p>
<form method="post" enctype="multipart/form-data">
 <label for="userfile">File:</label>
 <input name="userfile" type="file" id="userfile">
 <input type="submit" value="Upload" />
</form>
</p>

  </body>
</html>
--
  Best wishes,
Vadim Zhukov



Re: pf.conf and tags

2009-01-22 Thread SJP Lists
Hi Steve,

2009/1/23 Steve Laurie <st...@foo-unix.org>:

> I've got a Sun Microsystems Ultra 5 270MHz 64bit CPU with 128MB of RAM.
> Would that be better than the 1GHz 1024MB RAM x86 bitsa I'm using at the
> moment?

I'd be surprised if that U5 was faster than the 1GHz x86.

Back with OpenBSD 3.7 or so, I found with Ultra 5s that those with the
smaller L2 cache were a lot slower than those with the 2MB L2 cache.

Direct crossover connection: 94.1 Mbits/sec (end-point directly to end-point).
360MHz in the Ultra 5 (256k L2):  pf OFF: 67.2 Mbits/sec   pf ON: 47.3 Mbits/sec.
333MHz in the Ultra 5 (2M L2):    pf OFF: 77.0 Mbits/sec   pf ON: 74.0 Mbits/sec.

The 270MHz UltraSPARC in your Ultra 5 probably has 256k of L2 cache,
so I think you'll get a speed penalty due to cycle speed and the small
L2 cache size.

Although lots of pf performance gains have been made since then and I
don't know if any of them would have made the L2 difference less
dramatic.


Shane



Re: rfc1918

2009-01-22 Thread Pereresus ne Vlezaet Buggy
On 22 January 2009 16:37:52 Steve Laurie wrote:
> Hi all,
>
> I was wondering if someone could tell me why there's a need to write
> a rule to block addresses that come under the private address space if
> these addresses aren't routable over the Internet?

- Your home Internet provider gives you a public IP, but their internal
  network is still one of those described in RFC 1918;
- The OpenBSD machine is bridging some traffic;
- etc.

And when you set up such rule you can control flow of matched packets
(tag them, label them, etc); otherwise you cannot.

--
  WBR,
Pereresus ne Vlezaet Buggy



Re: pf.conf and tags

2009-01-22 Thread Stuart Henderson
On 2009-01-22, Steve Laurie <st...@foo-unix.org> wrote:
> Basically, what I'm trying to ask is how can I make pf faster?  What is
> important? More RAM? Faster CPU? Using tags? A smaller rule file? Using
> architecture other than x86?

Is it currently too slow for you?

> I've got a Sun Microsystems Ultra 5 270MHz 64bit CPU with 128MB of RAM.
> Would that be better than the 1GHz 1024MB RAM x86 bitsa I'm using at the
> moment?

Unlikely.

Looking at a dmesg might give some things to suggest.



Re: rfc1918

2009-01-22 Thread Stuart Henderson
On 2009-01-22, Steve Laurie <st...@foo-unix.org> wrote:
> Hi all,
>
> I was wondering if someone could tell me why there's a need to write
> a rule to block addresses that come under the private address space if
> these addresses aren't routable over the Internet?

They don't usually appear in full internet routing tables, but that's
not always the case, sometimes they do show up.

And even if you can't send packets _to_ them, they can still be used
as a source address on malicious packets, a lot of providers don't do
BCP38 ingress filtering.



Re: Sending email in Apache chroot?

2009-01-22 Thread Sunnz
2009/1/21 Sunnz <sun...@gmail.com>:
> So in summary, the following was done:
>
> - Setup sendmail such as the sendmail that came with OpenBSD or use
> some other agent like Postfix such that you can do a `dmesg | mail -s
> "Sony VAIO 505R laptop, apm works OK" dm...@openbsd.org` on the
> command line.
>
> - Install femail-chroot from package, this places a binary called
> femail in /var/www/bin/
>
> - Change sendmail_path in php.ini. This defaults to "sendmail -t -i".
> Change it to "/bin/femail -t -i"
>
> - cp /bin/ksh /var/www/bin/; cp /bin/sh /var/www/bin/;
> "femail itself does not use or need sh. whatever invokes it might need
> it." -- Henning Brauer.


Oh I almost forgot, need resolv.conf in /var/www/etc as well.

Cheers.
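The summary above is a checklist, and the usual failure is that one item was skipped. The script below is an added check, not part of Sunnz's post or the femail package: it walks a chroot directory (ROOT, /var/www on OpenBSD) and the php.ini Apache reads (INI) and reports each missing piece. The scratch-tree builder and its 192.0.2.53 resolver address are constructed for offline use.

```shell
#!/bin/sh
# Added check, not part of Sunnz's post: confirm that a chrooted Apache
# tree contains the pieces the summary above installs. ROOT is the chroot
# directory (/var/www on OpenBSD); INI is the php.ini Apache reads.

# check_chroot_mail ROOT INI: prints one line per problem, returns their count.
check_chroot_mail() {
    root=$1
    ini=$2
    problems=0
    # femail-chroot provides bin/femail; sh and ksh are copied in by hand
    for f in bin/femail bin/sh bin/ksh; do
        if [ ! -x "$root/$f" ]; then
            printf 'missing or not executable: %s/%s\n' "$root" "$f"
            problems=$((problems + 1))
        fi
    done
    # femail resolves the mail host from inside the chroot
    if [ ! -s "$root/etc/resolv.conf" ]; then
        printf 'missing or empty: %s/etc/resolv.conf\n' "$root"
        problems=$((problems + 1))
    fi
    # PHP must call the in-chroot path (/bin/femail), not the host's sendmail;
    # the ^ anchor keeps a commented-out ";sendmail_path" line from matching
    if ! grep -Eq '^[[:space:]]*sendmail_path[[:space:]]*=[[:space:]]*"?/bin/femail(["[:space:]]|$)' "$ini" 2>/dev/null; then
        printf 'sendmail_path in %s does not point at /bin/femail\n' "$ini"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed scratch tree for trying the check offline. COMPLETE=yes builds
# a correct tree; anything else omits resolv.conf and keeps the default
# sendmail_path, the two things most easily forgotten.
make_fake_chroot() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/bin" "$dir/etc"
    for f in femail sh ksh; do
        printf '#!/bin/sh\nexit 0\n' > "$dir/bin/$f"
        chmod 755 "$dir/bin/$f"
    done
    if [ "$1" = yes ]; then
        printf 'nameserver 192.0.2.53\n' > "$dir/etc/resolv.conf"   # documentation address
        printf 'sendmail_path = "/bin/femail -t -i"\n' > "$dir/php.ini"
    else
        printf 'sendmail_path = "sendmail -t -i"\n' > "$dir/php.ini"
    fi
    printf '%s\n' "$dir"
}

# On a real box:  check_chroot_mail /var/www /path/to/php.ini
```

The return value is the problem count, so the check fits into a deploy script as `check_chroot_mail /var/www /path/to/php.ini || exit 1`; the lines it prints name the exact file to add.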



Re: rfc1918

2009-01-22 Thread _azure
Stevoid wrote:

> I was wondering if someone could tell me why there's a need to write
> a rule to block addresses that come under the private address space if
> these addresses aren't routable over the Internet?

If you have a cable modem, run tcpdump on your ext_if for a few minutes
some time.


_azure
-- 
View this message in context: 
http://www.nabble.com/rfc1918-tp21604345p21608318.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



trying to install LPRng

2009-01-22 Thread Michael
I am running 4.4 and tried to install LPRng:
uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386

When I type sudo pkg_add LPRng, I get the following:
parsing LPRng-3.8.21p2
Can't install LPRng-3.8.21p2: lib not found c.43.0
c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
Can't install LPRng-3.8.21p2: lib not found crypto.13.0
crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
found libspec ssl.11.0 in /usr/lib
found libspec util.11.0 in /usr/lib

I don't know what crypto is, so I tried installing cryptokit (at least I
tried, even though that didn't help).
Tried google, but got only 1 hit and it was in Chinese, and then the
translation timed out.

What do I install now?

Thanks.



Re: trying to install LPRng

2009-01-22 Thread Stuart Henderson
On 2009-01-22, Michael <ber...@opensuse.us> wrote:
> I am running 4.4 and tried to install LPRng:
> uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386
>
> When I type sudo pkg_add LPRng, I get the following:
> parsing LPRng-3.8.21p2
> Can't install LPRng-3.8.21p2: lib not found c.43.0
> c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
> Can't install LPRng-3.8.21p2: lib not found crypto.13.0
> crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
> found libspec ssl.11.0 in /usr/lib
> found libspec util.11.0 in /usr/lib
>
> I don't know what crypto is so I tried installing cryptokit. (at least I
> tried even though that didn't help.
> Tried google, but got only 1 hit and it was in Chinese, and then the
> translation timed out.
>
> What do I install now?

You need to update your PKG_PATH, it currently has 4.3 in.
e.g. PKG_PATH=ftp://some.mirror/pub/OpenBSD/`uname -r`/packages/`arch -s`/



Re: rfc1918

2009-01-22 Thread Dave K
On Thu, Jan 22, 2009 at 8:37 AM, Steve Laurie <st...@foo-unix.org> wrote:

> I was wondering if someone could tell me why there's a need to write
> a rule to block addresses that come under the private address space if
> these addresses aren't routable over the Internet?

Even if they aren't routed over the Internet, they may well be present
within the local network environment provided by your ISP.  The
miscreant next door is just as dangerous (potentially) as the
miscreant on the other side of the planet.

Besides, it's a cheap bit of protection, so why not do it?

-- 
Dave K
Unix Systems  Network Administrator
Mount Laurel NJ
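Two threads on this page end with "look at the wire": _azure's tip to run tcpdump on ext_if and see which sources turn up, and the "Router ping one way only" capture earlier, where the first thing to confirm is whether the echo requests are even addressed inside the prefix you think you are pinging. The POSIX sh helpers below are an added example, not code from any poster. They parse `tcpdump -n` lines in both the "IP src > dst:" layout (Linux, as in the Ubuntu capture) and the older "src > dst:" layout (OpenBSD), count packets with an RFC 1918 source, and list echo requests whose destination falls outside a given prefix. The prefix test goes beyond the first-octet check one would write by hand; it takes any NET/LEN. The capture in `sample_capture` is constructed (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges) and reuses the 172.168.0.6 destination from that thread next to an expected 172.16.0.0/16.

```shell
#!/bin/sh
# Added example, not code from any poster: POSIX sh helpers that read
# "tcpdump -n" output and (a) count packets whose source is in RFC 1918
# space, and (b) list ICMP echo requests sent outside the prefix you meant
# to ping. The capture in sample_capture() is constructed for this example.

# ip_to_int A.B.C.D -> the address as an unsigned 32-bit number
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR NET/LEN -> true if ADDR lies inside the prefix
in_prefix() {
    case $2 in */*) ;; *) return 1 ;; esac
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))   # 0xFFFFFFFF
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The three RFC 1918 blocks
is_rfc1918() {
    in_prefix "$1" 10.0.0.0/8 || in_prefix "$1" 172.16.0.0/12 || in_prefix "$1" 192.168.0.0/16
}

# endpoints LINE -> "src dst" with any .port suffix removed. Accepts the
# "IP src > dst:" layout (Linux tcpdump) and the "src > dst:" layout
# without the IP tag (OpenBSD tcpdump). Fails for non-IP lines such as ARP.
endpoints() {
    printf '%s\n' "$1" | awk '
        function host(s,   p, n) { n = split(s, p, "."); return p[1] "." p[2] "." p[3] "." p[4] }
        $2 == "IP" && $4 == ">" { sub(/:$/, "", $5); print host($3), host($5); exit 0 }
        $3 == ">"               { sub(/:$/, "", $4); print host($2), host($4); exit 0 }
        { exit 1 }'
}

# Reads capture lines on stdin, prints how many have an RFC 1918 source.
count_private_sources() {
    n=0
    while read -r line; do
        ep=$(endpoints "$line") || continue
        if is_rfc1918 "${ep%% *}"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# echo_targets_outside NET/LEN: reads capture lines on stdin, prints the
# destination of every echo request that is not inside NET/LEN.
echo_targets_outside() {
    while read -r line; do
        case $line in *"echo request"*) ;; *) continue ;; esac
        ep=$(endpoints "$line") || continue
        dst=${ep##* }
        in_prefix "$dst" "$1" || printf '%s\n' "$dst"
    done
}

# Constructed sample: a mix of what ext_if and a LAN capture might show.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 203.0.113.9.51234 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 10.1.2.3.4444 > 198.51.100.7.22: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 IP 172.20.5.6 > 198.51.100.7: ICMP echo reply, id 9, seq 1, length 64
12:00:01.000004 IP 172.40.5.6.53 > 198.51.100.7.53: 1+ A? example.com. (29)
12:00:01.000005 IP 192.168.1.10.80 > 198.51.100.7.40000: Flags [.], ack 1, win 100, length 0
12:00:01.000006 IP 198.51.100.7 > 172.16.0.6: ICMP echo request, id 2, seq 1, length 64
12:00:01.000007 IP 198.51.100.7 > 172.168.0.6: ICMP echo request, id 3, seq 1, length 64
12:00:01.000008 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
12:00:01.000009 ARP, Request who-has 198.51.100.1 tell 198.51.100.7, length 28
EOF
}
```

On a live box the same functions take a real capture on stdin: `tcpdump -ni ext_if | count_private_sources` after a few minutes gives a number to compare against what your border rule is expected to drop, and `echo_targets_outside 172.16.0.0/16` on a capture from the pinging host shows at a glance whether the requests went where you thought.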



Re: trying to install LPRng

2009-01-22 Thread Michael
On Thu, Jan 22, 2009 at 10:08 AM, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2009-01-22, Michael <ber...@opensuse.us> wrote:
> > I am running 4.4 and tried to install LPRng:
> > uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386
> >
> > When I type sudo pkg_add LPRng, I get the following:
> > parsing LPRng-3.8.21p2
> > Can't install LPRng-3.8.21p2: lib not found c.43.0
> > c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
> > Can't install LPRng-3.8.21p2: lib not found crypto.13.0
> > crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
> > found libspec ssl.11.0 in /usr/lib
> > found libspec util.11.0 in /usr/lib
> >
> > I don't know what crypto is so I tried installing cryptokit. (at least I
> > tried even though that didn't help.
> > Tried google, but got only 1 hit and it was in Chinese, and then the
> > translation timed out.
> >
> > What do I install now?
>
> You need to update your PKG_PATH, it currently has 4.3 in.
> e.g. PKG_PATH=ftp://some.mirror/pub/OpenBSD/`uname -r`/packages/`arch -s`/

Guess I'm confused. Here is my .profile :
$ more .profile

# $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 matthieu Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM
export PKG_PATH=ftp://rt.fm/pub/OpenBSD/4.4/packages/i386/

Thanks for your help.



Find - Sillyness

2009-01-22 Thread Morris, Roy
I know this is more of a general 'huh' kind of thing, but I figured someone
could kick start my brain for me. Anyone know why this doesn't work? It
appears to find the files ok but the -exec part thinks it can't?


spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
find: echo ./daemon.2.gz: No such file or directory
find: echo ./daemon.1.gz: No such file or directory
find: echo ./daemon.5.gz: No such file or directory
find: echo ./daemon.4.gz: No such file or directory
find: echo ./daemon.3.gz: No such file or directory
find: echo ./daemon.0.gz: No such file or directory



Re: Find - Sillyness

2009-01-22 Thread Chris Kuethe
do you have any programs called "echo ./daemon.2.gz"?

you want -exec echo {} \;

On Thu, Jan 22, 2009 at 12:54 PM, Morris, Roy
<rmor...@internetsecure.com> wrote:
> I know this is more of a general 'huh' kind of thing, but I figured someone
> could kick start my brain for me. Anyone know why this doesn't work? It
> appears to find the files ok but the -exec part thinks it can't?
>
>
> spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
> find: echo ./daemon.2.gz: No such file or directory
> find: echo ./daemon.1.gz: No such file or directory
> find: echo ./daemon.5.gz: No such file or directory
> find: echo ./daemon.4.gz: No such file or directory
> find: echo ./daemon.3.gz: No such file or directory
> find: echo ./daemon.0.gz: No such file or directory





-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Find - Sillyness

2009-01-22 Thread Daniel A. Ramaley
Remove the quotes from "echo {}". The "No such file or directory" error
is because find cannot run a program named "echo ./daemon.2.gz". Remove
the quotes and it will try to run "echo" with an argument
of "daemon.2.gz".

On Thursday January 22 2009 13:54, you wrote:
> I know this is more of a general 'huh' kind of thing, but I figured
> someone could kick start my brain for me. Anyone know why this
> doesn't work? It appears to find the files ok but the -exec part
> thinks it can't?
>
>
> spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
> find: echo ./daemon.2.gz: No such file or directory
> find: echo ./daemon.1.gz: No such file or directory
> find: echo ./daemon.5.gz: No such file or directory
> find: echo ./daemon.4.gz: No such file or directory
> find: echo ./daemon.3.gz: No such file or directory
> find: echo ./daemon.0.gz: No such file or directory

-- 

Dan Ramaley                  Dial Center 118, Drake University
Network Programmer/Analyst   2407 Carpenter Ave
+1 515 271-4540              Des Moines IA 50311 USA



Re: Find - Sillyness

2009-01-22 Thread John Jackson
On Thu, Jan 22, 2009 at 02:54:21PM -0500, Morris, Roy wrote:
> I know this is more of a general 'huh' kind of thing, but I figured someone
> could kick start my brain for me. Anyone know why this doesn't work? It
> appears to find the files ok but the -exec part thinks it can't?
>
>
> spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
> find: echo ./daemon.2.gz: No such file or directory
> find: echo ./daemon.1.gz: No such file or directory
> find: echo ./daemon.5.gz: No such file or directory
> find: echo ./daemon.4.gz: No such file or directory
> find: echo ./daemon.3.gz: No such file or directory
> find: echo ./daemon.0.gz: No such file or directory
>

Try:

find . -name "daemon.*.gz" -exec echo {} \;

without the double quotes after exec.

John



Re: Find - Sillyness

2009-01-22 Thread System Administrator
On 22 Jan 2009 at 14:54, Morris, Roy wrote:

> I know this is more of a general 'huh' kind of thing, but I figured someone
> could kick start my brain for me. Anyone know why this doesn't work? It
> appears to find the files ok but the -exec part thinks it can't?
>
>
> spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
> find: echo ./daemon.2.gz: No such file or directory
> find: echo ./daemon.1.gz: No such file or directory
> find: echo ./daemon.5.gz: No such file or directory
> find: echo ./daemon.4.gz: No such file or directory
> find: echo ./daemon.3.gz: No such file or directory
> find: echo ./daemon.0.gz: No such file or directory
>

By specifying "echo {}" -- i.e. putting both `words' in the same set of
quotes -- you made it a single token as far as the find command is
concerned, which is what it passes to the exec call.
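The replies all say the same thing; the script below is an added example (not from any of the posters) that makes it reproducible in a scratch directory: the broken form with the command quoted as one word, the working form, and the `+` terminator that batches matches into a single invocation. The daemon.N.gz files are constructed, empty stand-ins for the rotated logs in /var/log. Note the contrast in quoting: the `-name` pattern is quoted so the shell does not expand it against the current directory, while the command after `-exec` must not be.

```shell
#!/bin/sh
# Added example, not from any of the replies: reproduce the quoting mistake
# from the thread in a scratch directory and compare it with the working
# forms. The daemon.N.gz files are constructed (empty) stand-ins for the
# rotated logs in /var/log.

make_sample_dir() {
    dir=$(mktemp -d) || return 1
    for n in 0 1 2 3; do : > "$dir/daemon.$n.gz"; done
    : > "$dir/messages.0.gz"   # must not match daemon.*.gz
    printf '%s\n' "$dir"
}

# Broken form: "echo {}" is one word. find substitutes the path into that
# word (the error lines in the thread show this) and then tries to execute a
# program literally named "echo ./daemon.0.gz". Every attempt fails on
# stderr; the function returns how many lines reached stdout (0).
count_broken() {
    (cd "$1" && find . -name 'daemon.*.gz' -exec "echo {}" \; 2>/dev/null) | wc -l | tr -d ' '
}

# Working form: echo and {} are separate words, so find runs echo once per
# match with the path as its argument. Returns the number of matches (4).
count_fixed() {
    (cd "$1" && find . -name 'daemon.*.gz' -exec echo {} \;) | wc -l | tr -d ' '
}

# Same with the + terminator: find passes all matches to one echo, so one
# line of output and one process instead of four.
count_batched() {
    (cd "$1" && find . -name 'daemon.*.gz' -exec echo {} +) | wc -l | tr -d ' '
}
```

Run `d=$(make_sample_dir); count_broken "$d"; count_fixed "$d"; count_batched "$d"` to see 0, 4 and 1; the quoted form produces nothing on stdout because no command ever ran.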



getting random icmp host unreachable messages while accessing host from behind nat with 4.4 amd64

2009-01-22 Thread Imre Oolberg

Hi!

I have the following problem with my OpenBSD amd64 firewall and would be
very thankful if you can help me with it.


Quite accidentally my colleague discovered that while he is accessing
content over http from behind the natting firewall he doesn't get it every
time. And it happens seemingly randomly, say about ten times per 300
attempts (vice versa the firewall is working all right, and also with
routing). I tested it on the live firewall and confirmed it, and after that
I set up other computers dedicated to testing this case more thoroughly.


This is my test setup

http server  em1 firewall bge0 --- mgm computer
server   10.0.5.2 -- 192.168.2.38
172.16.0.12| em0
   |
   |
   |
computer accessing http server (10.0.6.242)

firewall has following addresses

em0 - 10.0.6.248
em1 - 172.16.0.78
bge0 - 10.0.5.7

mgm computer actually is 192.168.2.38, a hop away.

I used 4.4 amd64 system with latest kernel patches (and userspace 
patches between them) but i also tried original 4.4 kernel, results seem 
to be the same. dmesg and full pfctl -sa are included in the end of this 
letter.


rules on the firewall are no more no less like this

# pfctl -sn
nat on em1 inet all tagged ICMP_TEST -> 172.16.0.78
# pfctl -sr
block drop log all
pass in quick on bge0 inet from 192.168.2.0/24 to 10.0.5.7 flags S/SA 
keep state (tcp.established 1064000)
pass in quick on bge0 inet from 10.0.5.0/24 to 10.0.5.7 flags S/SA keep 
state (tcp.established 1064000)
pass in quick on em0 inet proto tcp from 10.0.6.242 to 172.16.0.12 port 
= www flags S/SA keep state tag ICMP_TEST

pass out quick on em1 all flags S/SA keep state tagged ICMP_TEST


Here is my testing.

I access http in this manner (after fresh reboot)

$ for i in `seq 1 300`; do wget http://172.16.0.12/README?count=$i; -O - 1>dhs.$i.log; done


and the results are like this, i.e. this time five responses are not 
succeeding


$ find . -size 0
./dhs.251.log
./dhs.171.log
./dhs.179.log
./dhs.188.log
./dhs.149.log

while listening on firewall on em0 for icmp i get

# tcpdump -nettti em0 icmp
Jan 22 21:06:45.787661 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
Jan 22 21:06:45.995783 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
Jan 22 21:06:46.067863 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
Jan 22 21:06:46.150686 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
Jan 22 21:06:46.765440 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable


It may also be essential to say that nothing relevant appears in pflog
(to be honest, there is other traffic on this network as well).


I also saved all traffic on both relevant firewall interfaces during 
test and followed it and tcpdump shows that during connection failure


1. the http client sends a syn packet which does not get to the other
side of the firewall

2. the firewall answers this with an icmp host unreachable message
3. wget saves a zero-length result
4. the client then sends out the next syn, which gets properly served

In the end I tested removing nat and it worked well, i.e. without errors
(16k of queries).


I also tested the same thing with OpenBSD 4.3 and it did work for 24k
queries all right (didn't try longer).


If someone could please confirm whether this holds true generally on the
amd64 and i386 (haven't tried it yet) platforms, or whether it is still
some kind of specific combination of my computer and networking hardware,
skills and luck.



Best regards
Imre

OpenBSD 4.4 (GENERIC) #1562: Tue Aug 12 17:15:53 MDT 2008
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1060478976 (1011MB)
avail mem = 1029427200 (981MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xec000 (73 entries)
bios0: vendor HP version P54 date 02/14/2006
bios0: HP ProLiant DL360 G4p
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 2 (ICHR)
acpiprt2 at acpi0: bus 7 (PCXA)
acpiprt3 at acpi0: bus 10 (PCXB)
acpiprt4 at acpi0: bus 6 (PTB0)
acpiprt5 at acpi0: bus 13 (PTA0)
acpiprt6 at acpi0: bus 3 (PTC0)
acpiprt7 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(TM) CPU 3.60GHz, 3600.60 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR,LONG
cpu0: 2MB 64b/line 8-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x0c
ppb0 at pci0 dev 2 

Re: trying to install LPRng

2009-01-22 Thread Tom Rosso
> I am running 4.4 and tried to install LPRng:
> uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386
>
> When I type sudo pkg_add LPRng, I get the following:
> parsing LPRng-3.8.21p2
> Can't install LPRng-3.8.21p2: lib not found c.43.0
> c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
> Can't install LPRng-3.8.21p2: lib not found crypto.13.0
> crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
> found libspec ssl.11.0 in /usr/lib
> found libspec util.11.0 in /usr/lib


Your $PKG_PATH is wrong.  It is downloading packages for a previous
version of OpenBSD, rather than 4.4.



Accessing PostgreSQL using LedgerSMB with chrooted Apache

2009-01-22 Thread Chris Bennett

I can get LedgerSMB to work fine with httpd -u,
but can't get it to work correctly with Apache chrooted.

I've added a tmp dir to chroot, imported the files from
/usr/lib /usr/local/lib

tried moving socket into chroot.

No luck. Seems to connect OK with PSQL, but database
creation is failing to work properly.

Not sure what to try next.



Re: trying to install LPRng

2009-01-22 Thread Michael
On Thu, Jan 22, 2009 at 10:22 AM, Michael <ber...@opensuse.us> wrote:

> On Thu, Jan 22, 2009 at 10:08 AM, Stuart Henderson
> <s...@spacehopper.org> wrote:
>
> > On 2009-01-22, Michael <ber...@opensuse.us> wrote:
> > > I am running 4.4 and tried to install LPRng:
> > > uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386
> > >
> > > When I type sudo pkg_add LPRng, I get the following:
> > > parsing LPRng-3.8.21p2
> > > Can't install LPRng-3.8.21p2: lib not found c.43.0
> > > c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
> > > Can't install LPRng-3.8.21p2: lib not found crypto.13.0
> > > crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
> > > found libspec ssl.11.0 in /usr/lib
> > > found libspec util.11.0 in /usr/lib
> > >
> > > I don't know what crypto is so I tried installing cryptokit. (at least I
> > > tried even though that didn't help.
> > > Tried google, but got only 1 hit and it was in Chinese, and then the
> > > translation timed out.
> > >
> > > What do I install now?
> >
> > You need to update your PKG_PATH, it currently has 4.3 in.
> > e.g. PKG_PATH=ftp://some.mirror/pub/OpenBSD/`uname -r`/packages/`arch -s`/
>
> Guess I'm confused. Here is my .profile :
> $ more .profile
>
> # $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 matthieu Exp $
> #
> # sh/ksh initialization
>
> PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
> export PATH HOME TERM
> export PKG_PATH=ftp://rt.fm/pub/OpenBSD/4.4/packages/i386/
>
> Thanks for your help.


Got LPRng installed. Sorry for the noise. Ran pkg_add as root rather than
sudo.



Re: Accessing PostgreSQL using LedgerSMB with chrooted Apache

2009-01-22 Thread Aaron Poffenberger
You might try connecting via tcp/ip rather than Unix sockets. I haven't 
used LedgerSMB but I do use phpPgAdmin under chrooted Apache over 
tcp/ip. (Same thing with phpMysqlAdmin.)


I tried getting phpMysqlAdmin to run over Unix sockets and that was an 
exercise in frustration. Tcp/ip is the way to go with chrooted Apache, 
though I'd be happy to learn how otherwise.


Make sure you have /var/postgres/data/pg_hba.conf configured to allow 
connections over tcp/ip for localhost addresses. I think it does by 
default but review the section at the bottom of the file to be sure.


--Aaron

On Jan 22, 2009, at 16:06, Chris Bennett wrote:

> I can get LedgerSMB to work fine with httpd -u,
> but can't get it to work correctly with Apache chrooted.
>
> I've added a tmp dir to chroot, imported the files from
> /usr/lib /usr/local/lib
>
> tried moving socket into chroot.
>
> No luck. Seems to connect OK with PSQL, but database
> creation is failing to work properly.
>
> Not sure what to try next.




hoststated on OpenBSD

2009-01-22 Thread Beavis
Greetings List,

   I would like to ask some folks here regarding hoststated: is it
still available for OpenBSD? All I got through google is
http://cvs.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/

I'm looking for a tool that would enable me to set up OpenBSD as a
high-availability appliance where I place behind it win or *nix
webservers and have them load-balance through it. I know that pf(4)
would be able to aid me on this, but getting info for hoststated would
really help me a lot.


any help would be appreciated.

-b



Re: hoststated on OpenBSD

2009-01-22 Thread Chris Kuethe
http://marc.info/?l=openbsd-announce&m=120959605703777&w=2

it was renamed to relayd

On Thu, Jan 22, 2009 at 5:09 PM, Beavis <pfu...@gmail.com> wrote:
> Greetings List,
>
>    I would like to ask some folks here regarding hoststated is it
> still available for OpenBSD? All i got through google is
> http://cvs.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/
>
> I'm looking for a tool that would be able me to setup OpenBSD as a
> High-availability appliance where i place behind it win or *nix
> webservers and have them load-balance through it. I know that pf(4)
> would be able to aid me on this but getting info for hoststated would
> really help me a lot.
>
>
> any help would be appreciated.
>
> -b





-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: hoststated on OpenBSD

2009-01-22 Thread Beavis
thank you all for the pointers.

On Thu, Jan 22, 2009 at 6:19 PM, Chris Kuethe <chris.kue...@gmail.com> wrote:
> http://marc.info/?l=openbsd-announce&m=120959605703777&w=2
>
> it was renamed to relayd
>
> On Thu, Jan 22, 2009 at 5:09 PM, Beavis <pfu...@gmail.com> wrote:
> > Greetings List,
> >
> >    I would like to ask some folks here regarding hoststated is it
> > still available for OpenBSD? All i got through google is
> > http://cvs.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/
> >
> > I'm looking for a tool that would be able me to setup OpenBSD as a
> > High-availability appliance where i place behind it win or *nix
> > webservers and have them load-balance through it. I know that pf(4)
> > would be able to aid me on this but getting info for hoststated would
> > really help me a lot.
> >
> >
> > any help would be appreciated.
> >
> > -b
>
> --
> GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Accessing PostgreSQL using LedgerSMB with chrooted Apache

2009-01-22 Thread Markus Hennecke

On Thu, 22 Jan 2009, Aaron Poffenberger wrote:

> You might try connecting via tcp/ip rather than Unix sockets. I haven't used
> LedgerSMB but I do use phpPgAdmin under chrooted Apache over tcp/ip. (Same
> thing with phpMysqlAdmin.)
>
> I tried getting phpMysqlAdmin to run over Unix sockets and that was an
> exercise in frustration. Tcp/ip is the way to go with chrooted Apache, though
> I'd be happy to learn how otherwise.
>
> Make sure you have /var/postgres/data/pg_hba.conf configured to allow
> connections over tcp/ip for localhost addresses. I think it does by default
> but review the section at the bottom of the file to be sure.

And you should be using 127.0.0.1 for the cgi and not localhost. This is a
perfect way to shoot yourself in the foot if the resolver is not
available. BTDT.

Kind regards,
  Markus