Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-11 Thread Claudio Jeker
On Tue, Mar 10, 2009 at 02:46:56PM +0100, Arnoud Vermeer wrote:
 Hi,
 
 Elisa and I were looking at the production-pilot logs last night and 
 noticed the following:
 

I finally found some time to look into this and your dumps. The problem is
actually with withdraws that are still totally fucked up. So the following
diff should fix this issue -- beforehand we just never managed to
correctly withdraw IPv6 prefixes.

This diff fixes two bugs and makes bgpd do the same paranoid checking as
juniper and bails out if there is crap after an empty update.
With this I can correctly withdraw IPv6 prefixes.
-- 
:wq Claudio

Index: rde.c
===
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.235
diff -u -p -r1.235 rde.c
--- rde.c   13 Jan 2009 21:35:16 -  1.235
+++ rde.c   11 Mar 2009 02:28:44 -
@@ -856,8 +856,16 @@ rde_update_dispatch(struct imsg *imsg)
prefix_remove(peer, prefix, prefixlen, F_ORIGINAL);
}
 
-   if (attrpath_len == 0) /* 0 = no NLRI information in this message */
+   if (attrpath_len == 0) {
+   /* 0 = no NLRI information in this message */
+   if (nlri_len != 0) {
+   /* crap at end of update which should not be there */
+   rde_update_err(peer, ERR_UPDATE,
+   ERR_UPD_ATTRLIST, NULL, 0);
+   return (-1);
+   }
return (0);
+   }
 
/* withdraw MP_UNREACH_NLRI if available */
if (mpa.unreach_len != 0) {
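Review bot: the new trailing-data check in rde_update_dispatch() sits after the `prefix_remove(peer, prefix, prefixlen, F_ORIGINAL)` loop at the top of the hunk, so an UPDATE with a zero attribute length and junk after it has its withdrawn prefixes applied before the NOTIFICATION is sent; assuming rde_update_err() then drops the session (the "bails out" of the commit message) that is harmless, but a short comment saying why the order is acceptable would help the next reader. The comment `/* crap at end of update which should not be there */` would also read better as something like `/* NLRI present although attrpath_len is 0 */`, which names the condition RFC 4271 forbids.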
Index: rde_update.c
===
RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v
retrieving revision 1.64
diff -u -p -r1.64 rde_update.c
--- rde_update.c13 Jan 2009 21:35:16 -  1.64
+++ rde_update.c11 Mar 2009 01:56:54 -
@@ -917,13 +917,7 @@ up_dump_mp_unreach(u_char *buf, u_int16_
return (NULL);
 
datalen += 3;   /* afi + safi */
-   if (datalen  255) {
-   attrlen += 2 + datalen;
-   flags |= ATTR_EXTLEN;
-   } else {
-   attrlen += 1 + datalen;
-   buf++;
-   }
+
/* prepend header, need to do it reverse */
/* safi  afi */
buf[--wpos] = SAFI_UNICAST;
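Review bot: dropping the `buf++` from the else branch changes the base that every later `buf[--wpos]` store and the final return are relative to, so this hunk is only correct together with the return-value change in the last hunk and should not be committed on its own. The lone `+` line after `datalen += 3;` leaves an empty line where the removed block used to be; it can go.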
@@ -933,11 +927,15 @@ up_dump_mp_unreach(u_char *buf, u_int16_
 
/* attribute length */
if (datalen  255) {
+   attrlen += 2 + datalen;
+   flags |= ATTR_EXTLEN;
wpos -= sizeof(u_int16_t);
tmp = htons(datalen);
memcpy(buf + wpos, tmp, sizeof(u_int16_t));
-   } else
+   } else {
+   attrlen += 1 + datalen;
buf[--wpos] = (u_char)datalen;
+   }
 
/* mp attribute */
buf[--wpos] = (u_char)ATTR_MP_UNREACH_NLRI;
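Review bot: the two branches now each repeat the `attrlen += <length field size> + datalen` accounting; hoisting `attrlen += datalen;` above the `if` and adding only the 1 or 2 bytes of the length field in each branch keeps the total and the ATTR_EXTLEN choice from drifting apart again. Setting the flag here is correct only because the flags byte is prepended after this block in the reverse build order; a comment to that effect at the `/* mp attribute */` line would make the dependency explicit.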
@@ -958,7 +956,7 @@ up_dump_mp_unreach(u_char *buf, u_int16_
/* total length includes the two 2-bytes length fields. */
*len = attrlen + 2 * sizeof(u_int16_t);
 
-   return (buf);
+   return (buf + wpos);
 }
 
 u_char *
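Review bot: `*len = attrlen + 2 * sizeof(u_int16_t)` is computed from the hand-maintained `attrlen` while the data now returned starts at `buf + wpos`, so the two are independent; a check that `*len` equals the number of bytes actually prepended (the distance from `wpos` to the end of the buffer) would have caught the earlier mis-accounting this diff fixes. A comment above the function stating that the returned pointer is the start of the attribute built backwards from the buffer end, not the buffer base, documents the new contract for callers.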



Re: halt -p does not powerdown ThinkPad X200 under 4.5beta

2009-03-11 Thread Adam Emanuel
Linux & Windows halt successfully on HP Pavilion dv6312, while FreeBSD
sometimes fails the same as OpenBSD. OpenSolaris rarely fails.

On Tue, Mar 10, 2009 at 7:09 PM, Thomas Pfaff tpf...@tp76.info wrote:

 On Tue, 10 Mar 2009 17:49:52 +0100
 Thomas Pfaff tpf...@tp76.info wrote:

  On Tue, 10 Mar 2009 11:04:46 -0500
  Marco Peereboom sl...@peereboom.us wrote:
   On Tue, Mar 10, 2009 at 04:30:39PM +0100, Thomas Pfaff wrote:
Ubuntu 8.04 (Linux 2.6.24-19) powers down my system just fine
with halt -p (see previous post for details).
  
   Alrighty I'll look at that code (ugh!).
 
  While we're at it, I just brought up another system and halt -p
  does not work here either.  Stuck at Attempting to power down...

 Disabling apm made the system power off and then it attempted to
 start up again, but the screen was blank and nothing was happening.
 The lights were on, but there was nobody home, so to speak.

  I can try installing NetBSD and see if it works there.  Might
  be less painful to look through their code than Linux ;-)

 NetBSD 4.0/i386 shuts down just fine with halt -p on this machine.

  OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
  dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
  cpu0: AMD Athlon(tm) XP 1800+ (AuthenticAMD 686-class, 256KB L2 cache) 1.53 GHz
  cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
  real mem  = 267939840 (255MB)
  avail mem = 250789888 (239MB)
 [...]



Nginx: filedescriptors, users and login.conf confusion

2009-03-11 Thread Matt

Hello,

I've been running Nginx with php-fastcgi and am sometimes experiencing 
the 'too many files open' error messages.
Investigating the solution I am confused about which user (or user class 
in login.conf) I should give more file descriptors.


Setup (single machine)

- Nginx daemon running as 'www'
- Apache running as 'www' also (overlapping doc root)

- Several php-fastcgi processes (Nginx w. Lighttpd's spawn-fcgi) running 
as actual users.

These actual users have a nologin class and can only use chrooted SFTP.

I'm kinda lost on which user / which (new) login.conf class I should 
give more file descriptors.

Or how to find out which particular users/daemon needs them.

Any advice is appreciated.

Thanks!



Re: OpenBSD 4.4 amd64 bsd.mp can't detect 16GB memory

2009-03-11 Thread Remco
Prakshep Dineshchandra Patel wrote:

 Hi every one,
 
 I have installed OpenBSD 4.4  amd64 on   Dell PowerEdge 1950 which
 contain 16GB of ram.
 
 As in that kernel 'BigMem' is already set to 1. But during boot time I
 can see 4GB instead of 16GB ram.
 
 When I use 'Top' command it will shows around 8GB ram.
 
 Any suggestions from any one how to solve this problem?


I'm afraid I can't solve your problem but the following information might be
useful:


- the actual data of things you see

You make some claims on things you see, but you don't show the actual data.


- output of the boot loader's 'probing' line

The boot loader prints something like:
Loading...
probing: pc0 com0 ... mem[... a20=on]

If I'm not mistaken the mem[... a20=on] part shows the sizes of the memory
blocks detected by querying the BIOS. Adding up these sizes should give an
idea of how much memory is reported to the OS by the BIOS.


- output of 'dmesg |grep mem'
Something like:
real mem = ??? (???MB)
avail mem = ??? (???MB)
spdmem0 at iic0 addr 0x50: ???

This should give an idea of how much memory the OS is actually using.
It may also print spdmem entries giving an idea of what memory is physically
installed/detected.



mismatch output net-snmp -current

2009-03-11 Thread Agung T. Apriyanto
I found mismatched output from snmpwalk in -current net-snmp, sample below

r...@cadangan[patches]# snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.4.20.1.2
IP-MIB::ipAdEntIfIndex.10.100.0.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.10.100.66.1 = INTEGER: 5
IP-MIB::ipAdEntIfIndex.10.100.67.1 = INTEGER: 6
IP-MIB::ipAdEntIfIndex.10.100.68.1 = INTEGER: 7
IP-MIB::ipAdEntIfIndex.10.100.69.1 = INTEGER: 8
IP-MIB::ipAdEntIfIndex.58.145.172.241 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 4

r...@cadangan[patches]# snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.2.2.1.3
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.4 = INTEGER: 244
IF-MIB::ifType.5 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.6 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.7 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.8 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.9 = INTEGER: 245

interface index 5,6,7,8 have the right ip, but there's a mismatch at
index 1, 2 and 4 of IP-MIB.

Do any of you have the same problem?

regards,
-Agung



Re: x11 problems with lenovo w500

2009-03-11 Thread Didier Wiroth
 pcidump -xx output for both cases. normally the more interesting result
 anyway.
 
 oh, and the data you're passing on not to be MIME attached, the list
 strips those.

Ok, here we are:
http://www.wiroth.net/error/x11/pcidump-xx.working
http://www.wiroth.net/error/x11/pcidump-xx.NOT.working

Thanks for helping!
Didier



OpenSSH release CDS

2009-03-11 Thread patric conant
I've repeatedly been in a position where we weren't making direct use
of OpenBSD, but were using OpenSSH, and if there were a recurring cost
associated with it (like purchasing a semi-annual CD) it would have
been relatively painless to get a rubber stamp approval of such a
cost, whereas purchasing an OS we weren't using would've been a much
more difficult sell. Since there is already regular ssh art, (that
could be used for the next several releases), how much further
effort/money would it take to release OpenSSH on CD? Also of the
people on misc@ how many would think they'd have an easier time
convincing bosses/clients/others to buy a single CD for say $25 than
they would getting an OS purchased. Just a thought, for these trying
economic times and whatnot.

-- 
 /\ASCII Ribbon Campaign
 \ /Respect for low technology.
 X Keep e-mail messages readable by any computer system.
 / \Keep it ASCII.



Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-11 Thread Arnoud Vermeer
Hi,

The patch is working. I have patched both the local testing setup and 
the production pilot. I tcpdumped the interface and got a nice IPv6 
withdraw-packet:

No.  Time       Source                   Destination              Protocol  Info
101  27.955719  2001:db8:1::a500:6777:1  2001:db8:1::a506:5506:1  BGP       UPDATE Message

Frame 101 (112 bytes on wire, 112 bytes captured)
Ethernet II, Src: DellComp_8d:1a:c2 (00:06:5b:8d:1a:c2), Dst: FoundryN_9f:c5:ae (00:12:f2:9f:c5:ae)
Internet Protocol Version 6
Transmission Control Protocol, Src Port: bgp (179), Dst Port: 8172 (8172), Seq: 227, Ack: 155, Len: 38
Border Gateway Protocol
 UPDATE Message
 Marker: 16 bytes
 Length: 38 bytes
 Type: UPDATE Message (2)
 Unfeasible routes length: 0 bytes
 Total path attribute length: 15 bytes
 Path attributes
 MP_UNREACH_NLRI (15 bytes)
 Flags: 0x80 (Optional, Non-transitive, Complete)
 Type code: MP_UNREACH_NLRI (15)
 Length: 12 bytes
 Address family: IPv6 (2)
 Subsequent address family identifier: Unicast (1)
 Withdrawn routes (9 bytes)
 2001:db8:97::/64

  00 12 f2 9f c5 ae 00 06 5b 8d 1a c2 86 dd 60 09   [.`.
0010  97 b5 00 3a 06 01 20 01 0d b8 00 01 00 00 00 00   ...:.. .
0020  a5 00 67 77 00 01 20 01 0d b8 00 01 00 00 00 00   ..gw.. .
0030  a5 06 55 06 00 01 00 b3 1f ec ad 53 e5 05 42 31   ..US..B1
0040  1a e0 50 18 43 80 a9 dd 00 00 ff ff ff ff ff ff   ..P.C...
0050  ff ff ff ff ff ff ff ff ff ff 00 26 02 00 00 00   ...
0060  0f 80 0f 0c 00 02 01 40 20 01 0d b8 00 97 00 00   ...@ ...

Thanks for the patch!

Arnoud Vermeer

On 3/11/09 10:11 AM, Claudio Jeker wrote:
 On Tue, Mar 10, 2009 at 02:46:56PM +0100, Arnoud Vermeer wrote:

 Hi,

 Elisa and I were looking at the production-pilot logs last night and
 noticed the following:

  

 I finally found some time to look into this and your dumps. The problem is
 actually with withdraws that are still totally fucked up. So the following
 diff should fix this issue -- beforehand we just never managed to
 correctly withdraw IPv6 prefixes.

 This diff fixes two bugs and makes bgpd do the same paranoid checking as
 juniper and bails out if there is crap after an empty update.
 With this I can correctly withdraw IPv6 prefixes.
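
As an added example (this is not bgpd's code and not part of the thread), the following Python parses the UPDATE Arnoud captured above and applies the two rules the diff enforces: an UPDATE whose Total Path Attribute Length is zero must carry no NLRI (the rde.c hunk), and an MP_UNREACH_NLRI attribute whose value exceeds 255 bytes must use the extended-length header (the rde_update.c hunks). CAPTURED_UPDATE is transcribed from the hex dump in the message above, BGP payload only; the function names, the malformed message and the 30-prefix withdraw are my own constructions.

```python
"""Parse and build BGP UPDATE messages carrying MP_UNREACH_NLRI (RFC 4271 / RFC 4760).
Added example, not bgpd code.  CAPTURED_UPDATE is transcribed from the hex dump in
Arnoud's reply (BGP payload only); every other message here is constructed."""
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16
BGP_UPDATE = 2
ATTR_MP_UNREACH_NLRI = 15
ATTR_FLAG_OPTIONAL = 0x80
ATTR_FLAG_EXTLEN = 0x10          # attribute length field is 2 bytes instead of 1
AFI_IPV6, SAFI_UNICAST = 2, 1


class MalformedAttributeList(ValueError):
    """Stands in for NOTIFICATION 'UPDATE Message Error / Malformed Attribute List'."""


# Frame 101: marker, len 0x26, type 2, withdrawn len 0, attr len 15, then MP_UNREACH_NLRI
# (flags 0x80, type 15, len 12) = AFI 2, SAFI 1, prefix 2001:db8:97::/64
CAPTURED_UPDATE = bytes.fromhex("ff" * 16) + bytes.fromhex(
    "0026" "02" "0000" "000f" "80" "0f" "0c" "0002" "01" "40" "20010db800970000")


def decode_prefixes(data, addr_bytes):
    """Decode <prefix length, truncated prefix> pairs; addr_bytes is 4 (IPv4) or 16 (IPv6)."""
    cls = ipaddress.IPv6Network if addr_bytes == 16 else ipaddress.IPv4Network
    prefixes, pos = [], 0
    while pos < len(data):
        plen = data[pos]
        nbytes = (plen + 7) // 8
        if plen > addr_bytes * 8 or pos + 1 + nbytes > len(data):
            raise MalformedAttributeList("prefix overruns the NLRI field")
        raw = data[pos + 1:pos + 1 + nbytes].ljust(addr_bytes, b"\x00")
        prefixes.append(cls((int.from_bytes(raw, "big"), plen), strict=False))
        pos += 1 + nbytes
    return prefixes


def parse_attributes(data):
    """Split the path attribute block into (flags, type code, value) triples."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise MalformedAttributeList("truncated attribute header")
        flags, code = data[pos], data[pos + 1]
        if flags & ATTR_FLAG_EXTLEN:
            if pos + 4 > len(data):
                raise MalformedAttributeList("truncated extended length")
            alen, pos = struct.unpack("!H", data[pos + 2:pos + 4])[0], pos + 4
        else:
            alen, pos = data[pos + 2], pos + 3
        value = data[pos:pos + alen]
        if len(value) != alen:
            raise MalformedAttributeList("attribute value overruns the attribute block")
        attrs.append((flags, code, value))
        pos += alen
    return attrs


def parse_update(msg):
    """Return withdrawn IPv4 prefixes, MP_UNREACH_NLRI contents and the NLRI length."""
    if len(msg) < 23 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or shorter than a minimal UPDATE")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or msg_type != BGP_UPDATE:
        raise ValueError("length mismatch or not an UPDATE")
    wlen = struct.unpack("!H", msg[19:21])[0]
    aoff = 21 + wlen
    if aoff + 2 > length:
        raise MalformedAttributeList("withdrawn routes length too large")
    alen = struct.unpack("!H", msg[aoff:aoff + 2])[0]
    if wlen + alen + 23 > length:                 # RFC 4271 section 6.3
        raise MalformedAttributeList("total path attribute length too large")
    attrs, nlri = msg[aoff + 2:aoff + 2 + alen], msg[aoff + 2 + alen:]
    if alen == 0 and nlri:
        # The check the rde.c hunk adds: a zero Total Path Attribute Length
        # means no NLRI may follow, so any remaining bytes are junk.
        raise MalformedAttributeList("data after an empty path attribute list")
    result = {"withdrawn": decode_prefixes(msg[21:aoff], 4), "mp_unreach": [], "nlri_len": len(nlri)}
    for flags, code, value in parse_attributes(attrs):
        if code == ATTR_MP_UNREACH_NLRI:
            if len(value) < 3:
                raise MalformedAttributeList("MP_UNREACH_NLRI shorter than AFI + SAFI")
            afi, safi = struct.unpack("!HB", value[:3])
            result["mp_unreach"].append((afi, safi, decode_prefixes(value[3:], 16 if afi == AFI_IPV6 else 4)))
    return result


def encode_mp_unreach(prefixes, afi=AFI_IPV6, safi=SAFI_UNICAST):
    """Build MP_UNREACH_NLRI, switching to the extended length header above 255 bytes."""
    value = struct.pack("!HB", afi, safi)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        value += bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    flags = ATTR_FLAG_OPTIONAL | (ATTR_FLAG_EXTLEN if len(value) > 255 else 0)
    fmt = "!BBH" if flags & ATTR_FLAG_EXTLEN else "!BBB"
    return struct.pack(fmt, flags, ATTR_MP_UNREACH_NLRI, len(value)) + value


def build_update(attributes=b"", withdrawn=b"", nlri=b""):
    """Wrap withdrawn routes, path attributes and NLRI in a BGP UPDATE header."""
    body = (struct.pack("!H", len(withdrawn)) + withdrawn
            + struct.pack("!H", len(attributes)) + attributes + nlri)
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body
```

Round-tripping `encode_mp_unreach(["2001:db8:97::/64"])` through `build_update()` reproduces the 38 captured bytes exactly, `parse_update()` on a message with an empty attribute list followed by stray NLRI bytes raises MalformedAttributeList just as the patched bgpd now sends a NOTIFICATION, and withdrawing 30 /64s produces a 273-byte value that needs the ATTR_EXTLEN form.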



might be slightly OT: `probability in PF'

2009-03-11 Thread jmc
i say this might be slightly OT because i am asking more of a
philosophical question, not a technical one. the excellent documentation
has given me all i need to know about the probability directive. thanks,
devs, for that.

quick story: i have a couple dozen websites spread across two
OpenBSD/base apache machines. one of my clients runs a web-based forum
that's experienced a bit of trouble recently with previously banned
users registering multiple accounts through open proxies and causing
problems (just open proxies, not tor exit nodes). the mods have quelled
the activity for now, but i'm thinking of ways to help them in the
future. i use sensible max-src-conn and max-src-conn-rate to be sure that
DoS attacks won't cause httpd to knock down my server, but this is a
solution to a different problem in my eyes---this is just trying to be a
good sysadmin.

i have grepped through the logs of other clients, and i don't see any
evidence of any traffic from the lists of open proxies i've compiled, so
i don't think this would have unintended effects on them.

the only reason i guess that i'm cautious about just getting a list of
known open proxies, creating a pf table and running with something like:

block in log quick on $ext_if from <openproxies> to any probability 90%

is because it seems a little bofh-ly to me. and i guess it borders on
security-through-obscurity, which of course is not really security at
all. but it seems a bit more sinister than just outright blocking, which
kinda makes me snicker a bit. make the experience painful enough that
they just go away.

and i suppose i've just been dying to find a use for the probability
directive.

so anyway, how are _you_ using probability? does this seem in line with
what it was designed for? how, if at all, do you deal with open proxies?
you can respond off-list if this is really too OT for m...@. and i'm not
afraid to be told this is the stupidest. idea. ever. if that's what you
think. i'm also open to other ideas.

thanks and cheers!



Re: OpenSSH release CDS

2009-03-11 Thread Kevin Wilcox
2009/3/11 patric conant mirage.comput...@gmail.com:

 I've repeatedly been in a position where we weren't making direct use
 of OpenBSD, but were using OpenSSH, and if there were a recurring cost
 associated with it (like purchasing a semi-annual CD) it would have
 been relatively painless to get a rubber stamp approval of such a
 cost, whereas purchasing an OS we weren't using would've been a much
 more difficult sell. Since there is already regular ssh art, (that
 could be used for the next several releases), how much further
 effort/money would it take to release OpenSSH on CD? Also of the
 people on misc@ how many would think they'd have an easier time
 convincing bosses/clients/others to buy a single CD for say $25 than
 they would getting an OS purchased. Just a thought, for these trying
 economic times and whatnot.

I can't speak for the devs, Theo, @misc or anyone except myself and my
personal experiences with having a custom CD created but I'd bet my
experiences aren't too different from what Theo and the core team have
to deal with.

When we looked into it for something else, we had to order a set
number before anyone would even agree to print/press/package. All of
that gets paid out of pocket with the hopes that you can move the
product. If it doesn't sell in a reasonable time then it has suddenly
become outdated and an unnecessary waste if your sales do not cover at
least the physical costs and the man-hours of effort put into it.

Colour me skeptical or pessimistic but I'd wager it's Just Not Worth
It to package/print/sell OpenSSH discs. You can always donate to the
project, though. Methods of payment are available at

http://www.openssh.org/donations.html
http://openbsd.org/donations.html

kmw

-- 
Far better is it to dare mighty things, to win glorious triumphs, even
if chequered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the grey
twilight that knows not victory or defeat.



Re: Quick question about an PF user's guide example

2009-03-11 Thread (private) HKS
On Tue, Mar 10, 2009 at 9:16 PM, Leonardo Rodrigues
leonardov...@gmail.com wrote:
 Hi everyone,

 I'm trying to build a PF / ALTQ ruleset that handles traffic between 3
 internal interfaces and 1 external, so that the internal interfaces
 can have different priorities on the available bandwidth they can get
 from the external interface. I don't know if that's possible with only
 ALTQ rules, or if I'll have to use tagging, so I'm trying to
 understand some simple setups before.

 While reading the example #2 on the PF user's guide
 (http://www.openbsd.org/faq/pf/queueing.html#example2), I came across
 the following ruleset:


 boss  = 192.168.0.200
 ...
 altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
 ...
 queue boss_ext   bandwidth 500Kb priority 3 cbq(borrow)
 ...
 # filter rules for fxp0 outbound
 pass out on fxp0 from $boss to any keep state queue boss_ext---


 Where fxp0 is the external interface (internet). My question is about
 that last rule above. Assuming that NAT is working so that the boss
 is able to surf the web, and since NAT translations happen before the
 filtering rules, then the rule above shouldn't work... right? The fxp0
 interface would be able to filter only on already translated addresses
 (its own address), and not on untranslated addresses, like
 192.168.0.200, which is the boss IP, on a different subnet. Would a
 rule like that work?

No. Without looking at the actual example, I can say that your
understanding of NAT/filter interaction is correct and this will not
work.


 If that setup works, I might be able to implement my original idea, by
 doing something like:
 pass out on fxp0 from 192.168.0.5 to any keep state queue traffic1_ext
 pass out on fxp0 from 192.168.2.5 to any keep state queue traffic2_ext
 pass out on fxp0 from 192.168.5.5 to any keep state queue traffic3_ext

 Thanks for any ideas =)

 Leonardo Rodrigues

Bear in mind that while a queue is applied to the egress interface,
the classification of that traffic may take place on another
interface. So you could do something more like this:

pass from 192.168.0.5 to ! <mynet> keep state queue traffic1_ext

Or use tagging to avoid maintaining a table of your own networks.

-HKS



Re: might be slightly OT: `probability in PF'

2009-03-11 Thread Jeffrey 'jf' Lim
On Wed, Mar 11, 2009 at 10:01 PM, jmc j...@cosmicnetworks.net wrote:
 i say this might be slightly OT because i am asking more of a
 philosophical question, not a technical one. the excellent documentation
 has given me all i need to know about the probability directive. thanks,
 devs, for that.


(just as a hint to the rest who are considering whether to read
through) doesn't sound philosophical to me!


 quick story: i have a couple dozen websites spread across two
 OpenBSD/base apache machines. one of my clients runs a web-based forum
 that's experienced a bit of trouble recently with previously banned
 users registering multiple accounts through open proxies and causing
 problems (just open proxies, not tor exit nodes). the mods have quelled
 the activity for now, but i'm thinking of ways to help them in the
 future. i use sensible max-src-conn and max-src-conn-rate to be sure that
 DoS attacks won't cause httpd to knock down my server, but this is a
 solution to a different problem in my eyes---this is just trying to be a
 good sysadmin.

 i have grepped through the logs of other clients, and i don't see any
 evidence of any traffic from the lists of open proxies i've compiled, so
 i don't think this would have unintended effects on them.


don't see any evidence of *legit* traffic from the list of open proxies
you've compiled, you mean.


 the only reason i guess that i'm cautious about just getting a list of
 known open proxies, creating a pf table and running with something like:

 block in log quick on $ext_if from <openproxies> to any probability 90%

 is because it seems a little bofh-ly to me. and i guess it borders on
 security-through-obscurity, which of course is not really security at
 all.

obscurity may not be true security, but combined with security, it helps!


 but it seems a bit more sinister than just outright blocking, which
 kinda makes me snicker a bit. make the experience painful enough that
 they just go away.


which is good, don't you think? ;)


 and i suppose i've just been dying to find a use for the probability
 directive.

 so anyway, how are _you_ using probability? does this seem inline with
 what it was designed for? how, if at all, do you deal with open proxies?
 you can respond off-list if this is really too OT for m...@. and i'm not
 afraid to be told this is the stupidest. idea. ever. if that's what you
 think. i'm also open to other ideas.


no, it's not (the stupidest idea ever). I think it's good, in fact.
Frustrates, confuses, and throws a wrench in the works of the low life
and low intelligence scum.

-jf

--
In the meantime, here is your PSA:
It's so hard to write a graphics driver that open-sourcing it would not help.
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228



Re: might be slightly OT: `probability in PF'

2009-03-11 Thread jmc
--- Jeffrey 'jf' Lim [Wed, Mar 11, 2009 at 10:09:19PM +0800]: --- 
 On Wed, Mar 11, 2009 at 10:01 PM, jmc j...@cosmicnetworks.net wrote:
  i say this might be slightly OT because i am asking more of a
  philosophical question, not a technical one. the excellent documentation
  has given me all i need to know about the probability directive. thanks,
  devs, for that.
 
 
 (just as a hint to the rest who are considering whether to read
 through) doesnt sound philosophical to me!

OK, cool. i framed it that way because i didn't want to come across as
someone who was asking the list to do my thinking for me. as i suspect
lots of misc@ readers do, i come from the ``be liberal in what you
accept, conservative in what you send'' school. true the Big Bad
Internet has and continues to change rapidly, but i personally still see
value in that axiom. outside of the gift from ghod that is spamd(8),
this will be the biggest divergence from that axiom that i think i have
done in my years as a sys admin.

  i have grepped through the logs of other clients, and i don't see any
  evidence of any traffic from the lists of open proxies i've compiled, so
  i don't think this would have unintended effects on them.
 
 
 don't see any evidence of *legit* traffic from the list of open proxies
 you've compiled, you mean.

yes, that is what i mean. i also haven't figured out if it's even
feasible to keep up with what i'm sure is a rapidly-changing list of
open proxies on a daily basis. but that's a sys admin problem, and i'll
ask for help on that separately if/when i need it.

the lists that i've compiled thus far are from disparate sources, and
will require a bit of work to get everything in order.

thanks again!



Re: Nginx: filedescriptors, users and login.conf confusion

2009-03-11 Thread Darrin Chandler
Matt,

On Wed, Mar 11, 2009 at 11:42:54AM +0100, Matt wrote:
 I've been running Nginx with php-fastcgi and am sometimes experiencing
 the 'too many files open' error messages.
 Investigating the solution I am confused about which user (or user class
 in login.conf) I should give more file descriptors.

 Setup (single machine)

 - Nginx daemon running as 'www'

If nginx is running as 'www' then you're building your own nginx rather
than using the package? If so, then nginx is starting however you tell
it, and without details it's impossible to say.

 - Apache running as 'www' also (overlapping doc root)

 - Several php-fastcgi processes (Nginx w. Lighttpd's spawn-fcgi) running
 as actual users.
 These actual users have a nologin class and can only use chrooted SFTP.

 I'm kinda lost on which user / which (new) login.conf class I should
 give more file descriptors.
 Or how to find out which particular users/daemon needs them.

You can specify the login class you desire when starting a daemon. See
su(1), specifically the '-c login-class' option. A common practice is to
copy the 'daemon' class to a new login.conf entry named whatever you
like, start your daemon using that class, then tweak as desired.

For lots of details about doing that, search the archives for 'mysql'
and 'login.conf'...

--
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
dwchand...@stilyagin.com   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG
Federation
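
For the "how to find out which particular users/daemon needs them" half of Matt's question, here is an added Python example (not from this thread) that attributes open descriptors to processes and users from the output of fstat(1), which is what one would run as root on the box. SAMPLE_FSTAT is constructed, and the column layout (USER CMD PID FD MOUNT INUM MODE R/W SZ|DV NAME, with a `*` after the FD of sockets and pipes) is my assumption about OpenBSD's fstat, so compare it with the real header line before trusting the split. The processes it reports near the limit identify the user, and so the login class, whose `openfiles-cur` needs raising.

```python
"""Attribute open file descriptors to users and processes from fstat(1) output.

Added example, not from the thread.  SAMPLE_FSTAT is constructed; the column layout
(USER CMD PID FD MOUNT INUM MODE R/W SZ|DV NAME, with a '*' after the FD of sockets
and pipes) is assumed to match OpenBSD's fstat, so compare it with the real header
before trusting the split."""
from collections import Counter

# Constructed sample in the assumed fstat layout; the rows are invented for illustration.
SAMPLE_FSTAT = """\
USER     CMD          PID   FD MOUNT        INUM MODE       R/W    SZ|DV NAME
www      nginx       1234 text /            3901 -rwxr-xr-x    r   718624
www      nginx       1234   wd /               2 drwxr-xr-x    r      512
www      nginx       1234    0 /           65431 crw-rw-rw-   rw     null
www      nginx       1234    3* internet stream tcp 0x0 *:80
www      nginx       1234    7* internet stream tcp 0x0 192.0.2.10:80 <-- 203.0.113.5:51234
alice    php         2001 text /            4102 -rwxr-xr-x    r  3231456
alice    php         2001    0* unix stream 0x0
alice    php         2001    4 /home       10234 -rw-r--r--    r     1024
alice    php         2001    5 /home       10235 -rw-r--r--    r     2048
bob      php         2002    0* unix stream 0x0
bob      php         2002    3 /home       20001 -rw-r--r--    r     4096
"""


def parse_fstat(text):
    """Return (user, cmd, pid, fd) for real descriptors; text/wd/root rows are not fds."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        fd = parts[3].rstrip("*")               # '*' marks sockets and pipes
        if fd.isdigit():
            rows.append((parts[0], parts[1], int(parts[2]), int(fd)))
    return rows


def count_descriptors(rows):
    """Return (per-process Counter keyed by (user, cmd, pid), per-user Counter)."""
    per_process = Counter((u, c, p) for u, c, p, _ in rows)
    per_user = Counter(u for u, _, _, _ in rows)
    return per_process, per_user


def near_limit(per_process, openfiles_cur, fraction=0.8):
    """Processes holding at least fraction * openfiles_cur descriptors: the login
    class these were started under is the one whose openfiles-cur needs raising."""
    return sorted(k for k, n in per_process.items() if n >= fraction * openfiles_cur)


if __name__ == "__main__":
    per_process, per_user = count_descriptors(parse_fstat(SAMPLE_FSTAT))
    for (user, cmd, pid), n in per_process.most_common():
        print("%-8s %-6s pid %5d  %3d fds" % (user, cmd, pid, n))
    print("per user:", dict(per_user))
    # openfiles_cur=4 is a toy limit; on a real box use the value from login.conf.
    print("near limit:", near_limit(per_process, openfiles_cur=4, fraction=0.75))
```

On a real system feed `fstat` output into `parse_fstat()` in place of the sample and pass the `openfiles-cur` of the class in question to `near_limit()`; a daemon that shows up there while running under the default class is the one to restart under a dedicated class with a larger limit, as Darrin describes.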




Ramifications of blocking SYN+FIN TCP packets

2009-03-11 Thread Stuart VanZee
I understand that this might annoy a few of you; if it does
please accept my apologies.

The place I work is required to have an external security scan
from time to time and the latest scan says that we have failed
because the firewall responded to a TCP packet that has the SYN
and FIN flags set.  I know that OpenBSD isn't vulnerable to the
exploits that use this:

http://www.kb.cert.org/vuls/id/IAFY-5F8RWP

However, I don't see any reason to respond to a packet with SYN
and FIN set, AND, a firewall rule that drops said TCP packets
would fix the fact that we are now non compliant as far as
the security scan goes.  I think a pf rule such as:

block drop in quick proto tcp all flags SF/SF

would do it.

Does anyone see a way that this would come back to bite me on
the ass later?

Stuart van Zee
stua...@datalinesys.com

Sage advice requested... fire retardant underwear in place...



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Daniel A. Ramaley
On 2009-03-10 at 14:34:30, you wrote:
I want to set up the web server to share file, but i know apache-1.3.x
(which is openbsd default httpd) had the 4G file size limit, can i
 break this limit?

I don't know the correct answer to this question, but i thought of a 
possible work-around in the event the answer is no.

Could you write a CGI program that serves the file? I don't know where 
Apache's 4 GB limit is. But if the limitation is in how Apache accesses 
the filesystem and not in how it manages network connections, then 
maybe a program that is capable of reading large files could get around 
the limit. This would most likely require mangling the URLs to the 
large files to really point to the program, unless you can do some 
mod_rewrite magic.


Dan RamaleyDial Center 118, Drake University
Network Programmer/Analyst 2407 Carpenter Ave
+1 515 271-4540Des Moines IA 50311 USA



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-11 Thread Jason Dixon
On Wed, Mar 11, 2009 at 10:42:38AM -0400, Stuart VanZee wrote:
 I understand that this might annoy a few of you; if it does
 please accept my apologies.
 
 The place I work is required to have an external security scan
 from time to time and the latest scan says that we have failed
 because the firewall responded to a TCP packet that has the SYN
 and FIN flags set.  I know that OpenBSD isn't vulnerable to the
 exploits that use this:
 
 http://www.kb.cert.org/vuls/id/IAFY-5F8RWP
 
 However, I don't see any reason to respond to a packet with SYN
 and FIN set, AND, a firewall rule that drops said TCP packets
 would fix the fact that we are now non compliant as far as
 the security scan goes.  I think a pf rule such as:
 
 block drop in quick proto tcp all flags SF/SF
 
 would do it.
 
 Does anyone see a way that this would come back to bite me on
 the ass later?

S/SAFR

I just had to deal with this on our customer's PCI scan.  Don't argue
with the logic, just do it.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-11 Thread Jason Dixon
On Wed, Mar 11, 2009 at 10:54:18AM -0400, Jason Dixon wrote:
 On Wed, Mar 11, 2009 at 10:42:38AM -0400, Stuart VanZee wrote:
  I understand that this might annoy a few of you; if it does
  please accept my apologies.
  
  The place I work is required to have an external security scan
  from time to time and the latest scan says that we have failed
  because the firewall responded to a TCP packet that has the SYN
  and FIN flags set.  I know that OpenBSD isn't vulnerable to the
  exploits that use this:
  
  http://www.kb.cert.org/vuls/id/IAFY-5F8RWP
  
  However, I don't see any reason to respond to a packet with SYN
  and FIN set, AND, a firewall rule that drops said TCP packets
  would fix the fact that we are now non compliant as far as
  the security scan goes.  I think a pf rule such as:
  
  block drop in quick proto tcp all flags SF/SF
  
  would do it.
  
  Does anyone see a way that this would come back to bite me on
  the ass later?
 
 S/SAFR
 
 I just had to deal with this on our customer's PCI scan.  Don't argue
 with the logic, just do it.  :)

I should clarify, you want to use the above flags on your pass rule.
Don't bother with a block rule matching on flags.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Alexey Suslikov
Daniel A. Ramaley wrote:

 On 2009-03-10 at 14:34:30, you wrote:
 I want to set up the web server to share file, but i know apache-1.3.x
 (which is openbsd default httpd) had the 4G file size limit, can i
  break this limit?

 I don't know the correct answer to this question, but i thought of a
 possible work-around in the event the answer is no.

 Could you write a CGI program that serves the file? I don't know where
 Apache's 4 GB limit is. But if the limitation is in how Apache accesses
 the filesystem and not in how it manages network connections, then
 maybe a program that is capable of reading large files could get around
 the limit. This would most likely require mangling the URLs to the
 large files to really point to the program, unless you can do some

The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).

Stock ftpd also has the mentioned limitation (try to REST a file beyond 2Gb
offset).

Using any 64-bit platform will solve the problem due to bigger off_t, but
if that's not the case, one can use Apache 2.2.x from ports.

Alexey



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Alexander Yurchenko
On Wed, Mar 11, 2009 at 05:37:14PM +0200, Alexey Suslikov wrote:
 The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).

huh?

[gra...@nohead tmp]$ cat x.c  
#include <sys/types.h>
#include <stdio.h>

int main(void)
{
    /* print the width of off_t in bits */
    printf("size of off_t is %u bits\n", (unsigned)(8 * sizeof(off_t)));
    return 0;
}
[gra...@nohead tmp]$ cc x.c   
[gra...@nohead tmp]$ ./a.out   
size of off_t is 64 bits
[gra...@nohead tmp]$ arch -s  
i386

 
 Stock ftpd also has the mentioned limitation (try to REST a file beyond 2Gb
 offset).
 
 Using any 64-bit platform will solve the problem due to bigger off_t, but
 if that's not the case, one can use Apache 2.2.x from ports.
 
 Alexey

-- 
   Alexander Yurchenko



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Otto Moerbeek
On Wed, Mar 11, 2009 at 05:37:14PM +0200, Alexey Suslikov wrote:

 Daniel A. Ramaley wrote:
 
  On 2009-03-10 at 14:34:30, you wrote:
  I want to set up the web server to share file, but i know apache-1.3.x
  (which is openbsd default httpd) had the 4G file size limit, can i
   break this limit?
 
  I don't know the correct answer to this question, but i thought of a
  possible work-around in the event the answer is no.
 
  Could you write a CGI program that serves the file? I don't know where
  Apache's 4 GB limit is. But if the limitation is in how Apache accesses
  the filesystem and not in how it manages network connections, then
  maybe a program that is capable of reading large files could get around
  the limit. This would most likely require mangling the URLs to the
  large files to really point to the program, unless you can do some
 
 The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).
 
  Stock ftpd also has the mentioned limitation (try to REST a file beyond 2Gb
  offset).
  
  Using any 64-bit platform will solve the problem due to bigger off_t, but
  if that's not the case, one can use Apache 2.2.x from ports.
 
 Alexey

This is not correct. off_t is 64-bit on all platforms.

-Otto



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Ted Unangst
On Wed, Mar 11, 2009 at 11:37 AM, Alexey Suslikov
alexey.susli...@gmail.com wrote:
 The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).

off_t is always 64-bit.

 Stock ftpd also has the mentioned limitation (try to REST a file beyond 2Gb
 offset).

 Using any 64-bit platform will solve the problem due to bigger off_t, but
 if that's not the case, one can use Apache 2.2.x from ports.

If using a 64-bit machine fixes it, then the type in question is not off_t.



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Alexey Suslikov
On Wed, Mar 11, 2009 at 17:56, Ted Unangst ted.unan...@gmail.com wrote:
 On Wed, Mar 11, 2009 at 11:37 AM, Alexey Suslikov
 alexey.susli...@gmail.com wrote:
 The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).

 off_t is always 64-bit.

 Stock ftpd also has the mentioned limitation (try to REST a file beyond 2Gb
 offset).

 Using any 64-bit platform will solve the problem due to bigger off_t, but
 if that's not the case, one can use Apache 2.2.x from ports.

 If using a 64-bit machine fixes it, then the type in question is not off_t.


Maybe you should try to transfer (using stock httpd) a file of at least 3Gb
on i386?

Also, I have the following in my archives:

-- Forwarded message --
From: Marc Balmer m...@msys.ch
Date: Fri, Jun 20, 2008 at 11:09
Subject: Re: Apache doesn't handle files 2Gb properly
To: Alexey Suslikov alexey.susli...@gmail.com
Cc: Marc Balmer mbal...@openbsd.org, Jason McIntyre j...@openbsd.org

* Alexey Suslikov wrote:
 Hello Marc, Jason.

 Can you comment on this issue?

 http://marc.info/?t=121379382200010&r=1&w=2

 Maybe it is a good idea to add a warning note about long files
 on 32-bit platforms to the httpd man page and/or FAQ?

no.  fix the problem, diffs are welcome ;)

maybe, if I find time, I'll look into this myself.

- Marc



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Otto Moerbeek
On Wed, Mar 11, 2009 at 06:48:49PM +0300, Alexander Yurchenko wrote:

 On Wed, Mar 11, 2009 at 05:37:14PM +0200, Alexey Suslikov wrote:
  The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).
 
 huh?
 
 [gra...@nohead tmp]$ cat x.c
 #include <sys/types.h>
 #include <stdio.h>
 
 int main(void)
 {
         printf("size of off_t is %u bits\n", 8 * sizeof(off_t));
 }
 [gra...@nohead tmp]$ cc x.c
 [gra...@nohead tmp]$ ./a.out
 size of off_t is 64 bits
 [gra...@nohead tmp]$ arch -s
 i386

This code is not portable.  sizeof returns a size_t, which is 64 bits
on 64-bit platforms. Better use %zu.

-Otto



Re: How long it should take for a fsck to check a 300GB hdd?

2009-03-11 Thread Schöberle Dániel
dmesg as promised:

OpenBSD 4.4-stable (SQUID_DISKD) #9: Sat Jan 10 19:27:35 CET 2009
r...@pegasus.plan9.homeunix.net:/usr/src/sys/arch/i386/compile/SQUID_DISKD
cpu0: AMD Sempron(tm) Processor LE-1150 (AuthenticAMD 686-class, 256KB L2 cache) 2.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16
real mem  = 1003974656 (957MB)
avail mem = 962015232 (917MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/01/08, BIOS32 rev. 0 @ 0xfb7c0, SMBIOS rev. 2.4 @ 0xf0100 (46 entries)
bios0: vendor Award Software International, Inc. version F1 date 02/01/2008
bios0: Gigabyte Technology Co., Ltd. GA-MA74GM-S2H
apm at bios0 function 0x15 not configured
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT HPET MCFG APIC
acpi0: wakeup devices USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) SBAZ(S4) P2P_(S5) PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) PCE8(S4) PS2K(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
ioapic0: misconfigured as apic 4, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (P2P_)
acpiprt2 at acpi0: bus -1 (PCE2)
acpiprt3 at acpi0: bus -1 (PCE3)
acpiprt4 at acpi0: bus -1 (PCE4)
acpiprt5 at acpi0: bus -1 (PCE5)
acpiprt6 at acpi0: bus 2 (PCE6)
acpiprt7 at acpi0: bus -1 (PCE7)
acpiprt8 at acpi0: bus -1 (PCE8)
acpiprt9 at acpi0: bus 1 (AGP_)
acpicpu0 at acpi0: PSS
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xd600 0xd/0x1a00
cpu0: PowerNow! K8 2010 MHz: speeds: 2000 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ATI RS740 Host rev 0x00
ppb0 at pci0 dev 1 function 0 ATI RS690 PCIE rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 ATI Radeon 2100 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
ppb1 at pci0 dev 6 function 0 ATI RS690 PCIE rev 0x00
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 Realtek 8168 rev 0x02: RTL8168C/8111C (0x3c00), apic 2 int 18 (irq 10), address 00:1f:d0:5a:41:fa
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
ahci0 at pci0 dev 17 function 0 ATI IXPx00 SATA rev 0x00: apic 2 int 22 (irq 11), AHCI 1.1
scsibus0 at ahci0: 32 targets, initiator 32
sd0 at scsibus0 targ 0 lun 0: ATA, HITACHI HUA7210S, GKAO SCSI3 0/direct fixed
sd0: 953868MB, 121601 cyl, 255 head, 63 sec, 512 bytes/sec, 1953523055 sec total
sd1 at scsibus0 targ 1 lun 0: ATA, HITACHI HUA7210S, GKAO SCSI3 0/direct fixed
sd1: 953869MB, 121601 cyl, 255 head, 63 sec, 512 bytes/sec, 1953525168 sec total
sd2 at scsibus0 targ 2 lun 0: ATA, HDS725050KLA360, K2AO SCSI3 0/direct fixed
sd2: 476938MB, 60801 cyl, 255 head, 63 sec, 512 bytes/sec, 976771055 sec total
sd3 at scsibus0 targ 3 lun 0: ATA, Hitachi HDT72505, V56O SCSI3 0/direct fixed
sd3: 476938MB, 60801 cyl, 255 head, 63 sec, 512 bytes/sec, 976771055 sec total
sd4 at scsibus0 targ 4 lun 0: ATA, WDC WD10EACS-00D, 01.0 SCSI3 0/direct fixed
sd4: 953869MB, 121601 cyl, 255 head, 63 sec, 512 bytes/sec, 1953525168 sec total
ohci0 at pci0 dev 18 function 0 ATI IXP700 USB rev 0x00: apic 2 int 16 (irq 3), version 1.0, legacy support
ohci1 at pci0 dev 18 function 1 ATI IXP700 USB rev 0x00: apic 2 int 16 (irq 3), version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 ATI IXP700 USB2 rev 0x00: apic 2 int 17 (irq 7)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 ATI EHCI root hub rev 2.00/1.00 addr 1
ohci2 at pci0 dev 19 function 0 ATI IXP700 USB rev 0x00: apic 2 int 18 (irq 10), version 1.0, legacy support
ohci3 at pci0 dev 19 function 1 ATI IXP700 USB rev 0x00: apic 2 int 18 (irq 10), version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 ATI IXP700 USB2 rev 0x00: apic 2 int 19 (irq 5)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 ATI EHCI root hub rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 ATI IXPx00 SMBus rev 0x3a: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5
pciide0 at pci0 dev 20 function 1 ATI IXP700 IDE rev 0x00: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pcib0 at pci0 dev 20 function 3 ATI IXP700 ISA rev 0x00
ppb2 at pci0 dev 20 function 4 ATI IXP600 PCI rev 0x00
pci3 at ppb2 bus 3
ohci4 at pci0 dev 20 function 5 ATI IXP700 USB rev 0x00: apic 2 int 18 (irq 10), version 1.0, legacy support
pchb1 at pci0 dev 24 function 0 AMD AMD64 0Fh HyperTransport rev 0x00
pchb2 at pci0 dev 24 function 1 AMD AMD64 0Fh Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 0Fh DRAM Cfg rev 0x00
kate0 at pci0 dev 24 function 3 AMD AMD64 0Fh Misc Cfg rev 0x00: core rev DH-G1
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 ATI OHCI root hub rev 1.00/1.00 addr 1
usb3 

Re: mouse cursor is gone after running xorgconfig with nv driver

2009-03-11 Thread Daniel Bolgheroni
On Tue, 10 Mar 2009, microlaser wrote:

 Hi, I am running openbsd 4.4 on an amd64 with the nv driver, with an nvidia
 gforce 6200.  I used xorgconfig to reconfigure x and now the mouse cursor is
 gone.  anyone have any idea how to get it back?  Thanks

I don't know how your mouse got lost. As you said, you reconfigured Xorg, 
and the problem must be there. Also, you just told your problem, but 
give no more information to help people help you, like (at least) 
/var/log/Xorg.0.log.

I have a problem with my mouse too: the pointer often goes away. But it 
has nothing to do with configuration. The pointer simply disappears, and even 
restarting Xorg gets it back.

--
Daniel Bolgheroni m...@dbolgheroni.eng.br
FEI - Faculdade de Engenharia Industrial
http://www.dbolgheroni.eng.br/mykey

ASCII ribbon campaign ( )
 against HTML e-mail   X
  / \



Re: Nginx: filedescriptors, users and login.conf confusion

2009-03-11 Thread Matt

If nginx is running as 'www' then you're building your own nginx rather
than using the package? If so, then nginx is starting however you tell
it, and without details it's impossible to say.
  


It's installed through package and I use a startup as advised in 
/etc/rc.local.

However the 'user' in the nginx.conf is set to 'www'.

Thanks for the pointers - I will add a daemon class to login.conf.
Like with the MySQL examples [1] should I restart nginx through a 
shell script as well?

(Per documentation it is advised to restart nginx with 'kill -HUP pid')

Thanks,
Matt


[1] http://openbsdsupport.org/mysql.htm#/etc/rc.local



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-11 Thread Jason Dixon
On Wed, Mar 11, 2009 at 01:04:34PM -0400, David Goldsmith wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Jason Dixon wrote:
  
  S/SAFR
  
  I just had to deal with this on our customer's PCI scan.  Don't argue
  with the logic, just do it.  :)
 
 Let me guess -- TrustKeeper?  We just had to deal with this as well.
 Submit an appeal and they should accept it.

Yup.
 
 The flags S/SAFR will work unless you are being a good little pf admin
 and also scrubbing all the traffic.  The problem is pf considers SYN-RST
 packets to be illegal and drops them (good) but only considers SYN-FIN
 packets to be ambiguous and so it normalizes them and clears the FIN
 bit (in this case for the PCI scan - bad). Then your server behind the
 firewall receives what it thinks is a nice clean SYN packet and it sends
 back SYN-ACK.

Yes, we have our own reasons not to scrub there.  Well, *someone* has
their reasons.  I have to deal with those reasons.  ;)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Ted Unangst
On Wed, Mar 11, 2009 at 12:01 PM, Alexey Suslikov
alexey.susli...@gmail.com wrote:
 On Wed, Mar 11, 2009 at 17:56, Ted Unangst ted.unan...@gmail.com wrote:
 If using a 64-bit machine fixes it, then the type in question is not off_t.


 Maybe you should try to transfer (using stock httpd) at least 3Gb file
 on i386?

I didn't say it wasn't a problem, I said your diagnosis was incorrect.

 Also, I have the following in my archives:

 http://marc.info/?t=121379382200010&r=1&w=2

from that very thread, the problem is using long *instead* of off_t.
Using off_t would fix the problem.

http://marc.info/?l=openbsd-bugs&m=121379609212212&w=2



Re: Nginx: filedescriptors, users and login.conf confusion

2009-03-11 Thread Darrin Chandler
On Wed, Mar 11, 2009 at 06:01:31PM +0100, Matt wrote:
 If nginx is running as 'www' then you're building your own nginx rather
 than using the package? If so, then nginx is starting however you tell
 it, and without details it's impossible to say.


 It's installed through package and I use a startup as advised in
 /etc/rc.local.
 However the 'user' in the nginx.conf is set to 'www'.

Ah, ok.

 Thanks for the pointers - I will add a daemon class to login.conf.

There's already a daemon class in the stock login.conf. You can play
with that or copy it to a new one for www, nginx, or whatever you like.
Then change your rc.local to use su -c class.

 Like with the MySQL examples [1] should I restart nginx through a
 shell script as well?
 (Per documentation it is advised to restart nginx with 'kill -HUP pid')

'kill -HUP pid' will not work for this. You will need to 'kill pid' to
terminate it completely, then start it fresh. Otherwise the new login
class will not be applied. Whether you do that with a script or by hand is up
to you.

--
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
dwchand...@stilyagin.com   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG
Federation




Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Alexey Suslikov
On Wed, Mar 11, 2009 at 19:11, Ted Unangst ted.unan...@gmail.com wrote:
 On Wed, Mar 11, 2009 at 12:01 PM, Alexey Suslikov
 alexey.susli...@gmail.com wrote:
 On Wed, Mar 11, 2009 at 17:56, Ted Unangst ted.unan...@gmail.com wrote:
 If using a 64-bit machine fixes it, then the type in question is not off_t.


 Maybe you should try to transfer (using stock httpd) at least 3Gb file
 on i386?

 I didn't say it wasn't a problem, I said your diagnosis was incorrect.

 Also, I have the following in my archives:

 http://marc.info/?t=121379382200010&r=1&w=2

 from that very thread, the problem is using long *instead* of off_t.
 Using off_t would fix the problem.

 http://marc.info/?l=openbsd-bugs&m=121379609212212&w=2


I can't recall exact code from httpd, but how about libexec/ftpd:

...
extern  off_t restart_point;
...
    if (restart_point) {
        if (type == TYPE_A) {
            off_t i, n;
            int c;

            n = restart_point;
            i = 0;
            while (i++ < n) {
                if ((c = getc(fin)) == EOF) {
                    if (ferror(fin)) {
                        perror_reply(550, name);
                        goto done;
                    } else
                        break;
                }
                if (c == '\n')
                    i++;
            }
        } else if (lseek(fileno(fin), restart_point, SEEK_SET) < 0) {
            perror_reply(550, name);
            goto done;
        }
    }
...

The above code effectively results in an inability to REST beyond 2Gb on
i386; however, a sequential read from position 0 will be ok.

Alexey



openbsd - microsoft vpn interoperability

2009-03-11 Thread Juan Miscaro
Hi everyone.  A web search only picked up antiquated information on
this one.  I'm talking about setting up a network to network VPN
between Microsoft and OpenBSD gateways.  I'm here asking for comments
on what people are actually doing and hopefully with pros and cons
included.  So which solution?  OpenVPN or native IPSEC (isakmpd)?  The
OpenBSD side will be running 4.5.  At this time I'm not sure what will
be on the other end but I know it is currently managing tunnels with
other MS-based products.  Thanks in advance to any responders.

--
jm



Re: How to break the httpd's 4G file size limit?

2009-03-11 Thread Ted Unangst
On Wed, Mar 11, 2009 at 1:21 PM, Alexey Suslikov
alexey.susli...@gmail.com wrote:
 I can't recall exact code from httpd, but how about libexec/ftpd:

 ...
 extern  off_t restart_point;
 ...

you're looking at the wrong code.

ftpcmd.y: restart_point = $4; /* XXX $4 is only int */
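An added example (written for this thread, not ftpd or httpd code) of what "$4 is only int" means in practice: the same REST argument pushed through a 32-bit int versus parsed into a 64-bit off_t with range checks. The function names and the 3 GiB sample value are constructed for the example.

```c
#define _FILE_OFFSET_BITS 64   /* make off_t 64-bit on 32-bit glibc builds */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/*
 * Simulates the buggy path the thread describes: the REST argument ends up
 * in a 32-bit signed integer, so offsets at or beyond 2 GiB wrap. Converting
 * an out-of-range value is implementation-defined in C; gcc and clang wrap
 * modulo 2^32, which is what an i386 int would do.
 */
static int32_t rest_via_int32(const char *arg)
{
    long long v = strtoll(arg, NULL, 10);
    return (int32_t)v;
}

/*
 * Hardened parse (hypothetical helper): read the argument into an off_t,
 * rejecting trailing junk, negative values and overflow.
 * Returns 0 on success, -1 on failure (and leaves *out untouched).
 */
static int parse_rest_offset(const char *arg, off_t *out)
{
    char *end;
    long long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtoll(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 0)
        return -1;
    /* off_t is 64-bit on OpenBSD; guard anyway for narrower platforms */
    if ((long long)(off_t)v != v)
        return -1;
    *out = (off_t)v;
    return 0;
}

/* Convenience wrapper: the parsed offset, or -1 if the argument was rejected. */
static long long rest_offset_or_minus1(const char *arg)
{
    off_t o;

    if (parse_rest_offset(arg, &o) != 0)
        return -1;
    return (long long)o;
}

int main(void)
{
    const char *three_gib = "3221225472";   /* constructed sample: 3 GiB */

    printf("REST %s through int32: %ld\n", three_gib,
        (long)rest_via_int32(three_gib));
    printf("REST %s through off_t: %lld\n", three_gib,
        rest_offset_or_minus1(three_gib));
    return 0;
}
```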



Re: vic(4) on amd64

2009-03-11 Thread Josh Archambault

I see that the vic(4) driver is still not in amd64/conf/GENERIC. Has
anyone any recent experience with this driver+platform, or know whether
its absence reflects a known problem or just lack of testing?

For the record, it works fine for me on an i386 guest on ESXi 3.5 U3,
with adaptor type flexible.


I'm fairly confident that using anything other than the default e1000
network device with 64-bit guests is discouraged by VMWare.  At the very
least, e1000 is what new 64-bit guests default to, and I've personally
had plenty of success using the em driver with all sorts of 64-bit
*BSD guests in this configuration.

-J



Re: openbsd - microsoft vpn interoperability

2009-03-11 Thread Lars Noodén
Juan Miscaro wrote:
 ... I'm here asking for comments
 on what people are actually doing and hopefully with pros and cons
 included.  So which solution?  OpenVPN or native IPSEC (isakmpd)?  ...

MS products are not really designed for interoperability, rather the
opposite.  So you may wish to reconsider parts of the design to avoid
'native' components of that platform.

The choices appear to be SSL or IPSEC,
http://www.vpnc.org/vpn-standards.html


-Lars



4.4 on ESXi 3.5 (was: vic(4) on amd64)

2009-03-11 Thread dtalk

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Josh Archambault wrote:

I'm fairly confident that using anything other than the default e1000 
network device with 64-bit guests is discouraged by VMWare.


It would appear that you're correct.  Though the documentation does not 
make that clear, I do find this point made in their forums.


At the very least, e1000 is what new 64-bit guests default to, and I've 
personally had plenty of success using the em driver with all sorts 
of 64-bit *BSD guests in this configuration.


Likewise, I'm using the e1000 with em, and it's fine.  There is known to 
be a non-trivial difference in measured (though not necessarily 
real-world) performance between vmxnet and e1000 on 32 bit guests, so 
all else being equal, one would naturally prefer vmxnet.  I didn't 
realize that this did not necessarily generalize to 64 bit guests. 
Thanks for bringing that to my attention.


In other news, for the benefit of anyone else using this combination of 
OS and hypervisor:


I discovered a severe performance problem, wherein an OpenBSD guest 
would run fine for some period of hours, and then become horribly bogged 
down during disk operations, to the point of unusability.  This was true 
even when the guest was nearly idle and the VM host had abundant 
uncommitted resources, and was equally true on 32 bit and 64 bit OpenBSD 
guests.


This was a showstopper, but the problem appears to have been resolved 
by lying to the hypervisor.  Since I told it that the guest was Red Hat 
Enterprise Linux 64 bit, instead of Other 64 bit, the problem has so 
far not recurred.


Cheers -d

- --
David Talkington
dt...@drizzle.com
- --
PGP key: http://www.flyingjoke.org/keys/801E3976.asc



Re: openbsd - microsoft vpn interoperability

2009-03-11 Thread Juan Miscaro
2009/3/11 Lars Noodén l...@umich.edu:
 Juan Miscaro wrote:
 ... I'm here asking for comments
 on what people are actually doing and hopefully with pros and cons
 included.  So which solution?  OpenVPN or native IPSEC (isakmpd)?  ...

 MS products are not really designed for interoperability, rather the
 opposite.  So you may wish to reconsider parts of the design to avoid
 'native' components of that platform.

 The choices appear to be SSL or IPSEC,
 http://www.vpnc.org/vpn-standards.html


 -Lars


Thanks.  Yeah, I am going to push to have an OpenBSD portal installed
on the remote end.  Thing is, how am I going to get it installed?

--
jm



Re: openbsd - microsoft vpn interoperability

2009-03-11 Thread Lars Noodén
Juan Miscaro wrote:
 Thanks.  Yeah, I am going to push to have an OpenBSD portal installed
 on the remote end.  Thing is, how am I going to get it installed?

http://openvpn.net/index.php/downloads.html
http://openvpn.net/howto.html#startup

http://www.openbsd.org/4.4_packages/i386/openvpn-2.1rc7.tgz-long.html

Or is it a question of physical access?

-Lars



Re: NFS or SAMBA ?

2009-03-11 Thread Shagbag OpenBSD
2009/3/9 Henning Brauer lists-open...@bsws.de

 * Guillermo Bernaldo de Quiros Maraver debug...@gmail.com [2009-02-13
 21:06]:
  if you have a shared network between WINDOWS and OpenBSD i recommend
  Samba if not, NFS 
 
  NFS = Insecure 
  SAMBA = Have a problems, but, it's more secure.

 that is the most ridiculous bullshit I have ever read here in some time.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam


that is the most entertaining flame I have ever read here in some time. LOL!
I'm loving your aggression man. ^_^



How to mount samba shares in OpenBSD?

2009-03-11 Thread Shagbag OpenBSD
'running 4.4-RELEASE here.
I've got SAMBA running on my Chuck Norris/kick-ass OpenWrt file server but I
want to mount those shares onto my OpenBSD laptop.
I've read the smbclient man page and I've googled.
Is sharity-light the only (client) option?



Re: Nginx: filedescriptors, users and login.conf confusion

2009-03-11 Thread Daniel Ouellet

Matt wrote:

If nginx is running as 'www' then you're building your own nginx rather
than using the package? If so, then nginx is starting however you tell
it, and without details it's impossible to say.
  


It's installed through package and I use a startup as advised in 
/etc/rc.local.

However the 'user' in the nginx.conf is set to 'www'.

Thanks for the pointers - I will add a daemon class to login.conf.
Like with the MySQL examples [1] should I restart nginx through a 
shell script as well?

(Per documentation it is advised to restart nginx with 'kill -HUP pid')


The kill -HUP will just read the configuration again. I could be wrong 
here, but as I stated on the faq as well: remember, if you don't do 
this, it will use the default class! Same if you restart MySQL manually! 
Classes are read and used on login; the class is processed only at login, so 
you will need to totally kill the daemon and restart it with the class as 
you saw in the example, and adjust it for your needs obviously.


su -c _mysql root -c '/usr/local/bin/mysqld_safe &' > /dev/null && echo -n ' mysql'




Thanks,
Matt


[1] http://openbsdsupport.org/mysql.htm#/etc/rc.local


That reminds me that I should update it for 4.5 as well.

Daniel



Re: openbsd - microsoft vpn interoperability

2009-03-11 Thread Juan Miscaro
2009/3/11 Lars Noodén l...@umich.edu:
 Juan Miscaro wrote:
 Thanks.  Yeah, I am going to push to have an OpenBSD portal installed
 on the remote end.  Thing is, how am I going to get it installed?

 http://openvpn.net/index.php/downloads.html
 http://openvpn.net/howto.html#startup

 http://www.openbsd.org/4.4_packages/i386/openvpn-2.1rc7.tgz-long.html

 Or is it a question of physical access?

 -Lars


Right, physically install the machine.

--
jm



Re: How to mount samba shares in OpenBSD?

2009-03-11 Thread Diana Eichert

On Wed, 11 Mar 2009, Shagbag OpenBSD wrote:


'running 4.4-RELEASE here.
I've got SAMBA running on my Chuck Norris/kick-ass OpenWrt file server but I
want to mount those shares onto my OpenBSD laptop.
I've read the smbclient man page and I've googled.
Is sharity-light the only (client) option?


Since your itsy bitty OpenWrt server is so kick-ass I recommend
you run NFS.  Or is it not kick-ass enough to run NFS?

Oh, yeah, sharity-light is it for SMB shares.

diana



Re: IP aliases: how many in one server with OpenBSD 4.4? Is it possible to change the limit?

2009-03-11 Thread Henning Brauer
* Alvaro Mantilla Gimenez alv...@dydnetworks.com [2009-02-19 02:52]:
 Anyways, the question is still valid: how many IP aliases we can reach in
 an OpenBSD system? which is the limit?

in theory, there is none but memory.

in practice, it is a simple linked list, so things get slower at some
point.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



strange load values

2009-03-11 Thread Gabri Mate
Hey there!

I have a Compaq DL580 G1 with 4x700Mhz PIII, 2GB RAM, 2x36GB U320 SCSI
on a HP SmartArray 5300 with 64MB BBU.
It's a general purpose 'hobby' server. The average concurrent
connections are 20-30, mostly resolver queries for bind. The load is
always around 1.0 and frequently jumps up to 2. Is this normal for
OpenBSD 4.4 on a machine like this?

OpenBSD 4.4 (GENERIC.MP) #0: Sat Dec  6 13:06:44 CET 2008
/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III Xeon (GenuineIntel 686-class) 702 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 2147037184 (2047MB)
avail mem = 2067615744 (1971MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xe6000 (57 entries)
bios0: vendor Compaq version P20 date 12/17/2002
bios0: Compaq ProLiant DL580
acpi0 at bios0: rev 0, can't enable ACPI
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1800 0xcd800/0x4000 0xe8000/0x6000 0xee000/0x2000!
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 3 (boot processor)
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium III Xeon (GenuineIntel 686-class) 702 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel Pentium III Xeon (GenuineIntel 686-class) 702 MHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu3 at mainbus0: apid 2 (application processor)
cpu3: Intel Pentium III Xeon (GenuineIntel 686-class) 702 MHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
mainbus0: bus 0 is type PCI   
mainbus0: bus 2 is type PCI   
mainbus0: bus 7 is type PCI   
mainbus0: bus 15 is type ISA   
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 35 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CNB20HE Host rev 0x23
pci1 at pchb0 bus 2
Compaq PCI Hotplug rev 0x12 at pci1 dev 5 function 0 not configured
pchb1 at pci0 dev 0 function 1 ServerWorks CNB20HE Host rev 0x01
pchb2 at pci0 dev 0 function 2 ServerWorks CNB20HE Host rev 0x01
pchb3 at pci0 dev 0 function 3 ServerWorks CNB20HE Host rev 0x01
pci2 at pchb3 bus 7
Compaq PCI Hotplug rev 0x12 at pci2 dev 5 function 0 not configured
ciss0 at pci2 dev 7 function 0 Compaq Smart Array 5300 rev.2 rev 0x02: apic 8 int 11 (irq 11)
ciss0: 1 LD, HW rev 0, FW 3.40/3.40
scsibus0 at ciss0: 1 targets, initiator 1
sd0 at scsibus0 targ 0 lun 0: COMPAQ, LOGICAL VOLUME, 3.40 SCSI0 0/direct fixed
sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total
Compaq Netelligent ASMC rev 0x00 at pci0 dev 3 function 0 not configured
cac0 at pci0 dev 4 function 0 Symbios Logic 53c1510 rev 0x02: apic 8 int 5 (irq 5), Integrated Array
cac0: no volumes defined
vga1 at pci0 dev 5 function 0 ATI Mach64 GV rev 0x7a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
fxp0 at pci0 dev 7 function 0 Intel 8255x rev 0x08, i82559: apic 8 int 3 (irq 3), address 00:02:a5:3f:e0:ea
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
piixpm0 at pci0 dev 15 function 0 ServerWorks OSB4 rev 0x51: SMBus disabled
pciide0 at pci0 dev 15 function 1 ServerWorks OSB4 IDE rev 0x00: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus1 targ 0 lun 0: COMPAQ, CD-224E, 9.0C ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
-- 
Gabri Mate



Re: 4.4 on ESXi 3.5 (was: vic(4) on amd64)

2009-03-11 Thread Guilherme Malschitzky Schroeder
On Wed, Mar 11, 2009 at 4:02 PM,  dt...@drizzle.com wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Josh Archambault wrote:

 I'm fairly confident that using anything other than the default e1000
 network device with 64-bit guests is discouraged by VMWare.

 It would appear that you're correct.  Though the documentation does not make
 that clear, I do find this point made in their forums.

 At the very least, e1000 is what new 64-bit guests default to, and I've
 personally had plenty of success using the em driver with all sorts of
 64-bit *BSD guests in this configuration.

 Likewise, I'm using the e1000 with em, and it's fine.  There is known to be
 a non-trivial difference in measured (though not necessarily real-world)
 performance between vmxnet and e1000 on 32 bit guests, so all else being
 equal, one would naturally prefer vmxnet.  I didn't realize that this did
 not necessarily generalize to 64 bit guests. Thanks for bringing that to my
 attention.

 In other news, for the benefit of anyone else using this combination of OS
 and hypervisor:

 I discovered a severe performance problem, wherein an OpenBSD guest would
 run fine for some period of hours, and then become horribly bogged down
 during disk operations, to the point of unusability.  This was true even
 when the guest was nearly idle and the VM host had abundant uncommitted
 resources, and was equally true on 32 bit and 64 bit OpenBSD guests.

 This was a showstopper, but the problem appears to have been resolved by
 lying to the hypervisor.  Since I told it that the guest was Red Hat
 Enterprise Linux 64 bit, instead of Other 64 bit, the problem has so far
 not recurred.

 Cheers -d

 - --
 David Talkington
 dt...@drizzle.com
 - --
 PGP key: http://www.flyingjoke.org/keys/801E3976.asc




Hi.

Just to share my experience, I have been running OpenBSD 4.3/i386 and
now 4.4/i386 for a while in VMware ESX 3.5 and it runs fine. I didn't
have any stability problem with it, but the disk I/O operations are
just too slow. To unpack ports.tar.gz, for example, it took about 8
minutes. But, as the machine doesn't do much disk I/O, it's fine. The
network performance I didn't measure either, but for normal usage it's
ok and I didn't get any timeout from the card. I'm using softdep and
noatime, to increase the I/O performance a little bit:

/dev/sd0a on / type ffs (local, noatime, softdep)
/dev/sd0d on /var type ffs (local, noatime, nodev, nosuid, softdep)

Here's a dmesg:

OpenBSD 4.4 (GENERIC.MP) #2: Mon Nov 10 16:19:31 BRST 2008
r...@kyubi.openbsd-sp.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
real mem  = 2146988032 (2047MB)
avail mem = 2067566592 (1971MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/30/08, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 01/30/2008
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC BOOT
acpi0: wakeup devices USB_(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibat0 at acpi0: BAT1 not present
acpibat1 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
bios0: ROM list: 0xc/0x8000 0xc8000/0x1e00! 0xca000/0x1000 0xdc000/0x4000! 0xe/0x4000!
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x01

Re: gem0 on Sun V120 goes dead in a few minutes with gem0: device timeout error on bsd 4.5, but works without issue on bsd.mp 4.5.

2009-03-11 Thread Daniel Ouellet

Daniel Ouellet wrote:

Hi,

With the 4.5 kernel on the Sun V120, the Ethernet interface will go dead 
after a few minutes. Maybe 5 to 15 minutes. No consistency yet that I 
can see. When this happens, all access to the server is gone and there is no 
ping reply either. The only way is to log in via the console and simply do:


ifconfig gem0 down

ifconfig gem0 up

And then you are good for a few more minutes.

The only thing I see is in the logs message like this:

gem0: device timeout

However, these were present in 4.4 as well; however, the connection was 
never totally lost, meaning maybe there was a dead time and it came back, 
which I can't say for sure, but nevertheless the same server ran for 
months without issue whatsoever doing its thing.


Installs with 4.5 now have this loss of connectivity.

I tried also the bsd.mp to see if that was different.

So far no issue whatsoever, nor is there any timeout warning in the 
logs, and it's now been operating for 3 hours.

Small update on this.

Same thing happens on the mp kernel, but just way later.

Same error in the logs and instead of being a few minutes, it lasted 19 
hours.


gem0: device timeout
# uptime
 4:26PM  up 19:22, 1 user, load averages: 0.17, 0.12, 0.22



label rule on pf

2009-03-11 Thread x03

Hello,
Is it possible to 'label' the matched rule in the pf log?
I'm having this:

Mar 11 20:50:57.307005 rule 0/(match) rdr in on fxp1: 209.85.220.166.57173 > 127.0.0.1.25: [|tcp] (DF)
Mar 11 20:54:13.568475 rule 0/(match) rdr in on fxp1: 81.92.222.103.52011 > 127.0.0.1.25: [|tcp] (DF)


I need (if it exists) something more 'readable'. Does someone know if it is possible?

thanks a lot



Re: Quick question about an PF user's guide example

2009-03-11 Thread ropers
2009/3/11 Leonardo Rodrigues leonardov...@gmail.com:
 Hi everyone,

 I'm trying to build a PF / ALTQ ruleset that handles traffic between 3
 internal interfaces and 1 external, so that the internal interfaces
 can have different priorities on the available bandwidth they can get
 from the external interface. I don't know if that's possible with only
 ALTQ rules, or if I'll have to use tagging, so I'm trying to
 understand some simple setups before.

 While reading the example #2 on the PF user's guide
 (http://www.openbsd.org/faq/pf/queueing.html#example2), I came across
 the following ruleset:


 boss  = 192.168.0.200
 ...
 altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
 ...
 queue boss_ext   bandwidth 500Kb priority 3 cbq(borrow)
 ...
 # filter rules for fxp0 outbound
 pass out on fxp0 from $boss to any keep state queue boss_ext---


 Where fxp0 is the external interface (internet). My question is about
 that last rule above. Assuming that NAT is working so that the boss
 is able to surf the web, and since NAT translations happen before the
 filtering rules, then the rule above shouldn't work... right? The fxp0
 interface would be able to filter only on already translated addresses
 (its own address), and not on untranslated addresses, like
 192.168.200, which is the boss IP, on a different subnet. Would a
 rule like that work?

Well, the FAQ there also says:

 Note that only the pf.conf directives that apply directly to the above
policy are present; nat, rdr, options, etc., are not shown.

Without that crucial bit of info --whether NAT is actually being done
in this scenario-- it's not quite right to characterize this rule as
incorrect (not that you'd said that either). Correct me if I'm
wrong, but I'd imagine the rule would work if no NAT was being done.
I'm thus not sure if or how this part of the FAQ could be improved
(but, at the peril of coming across as snarky, I'm sure Nick would
welcome your diffs ;).

No offense, and kind regards, :)
--ropers



Re: OpenBGP 4.3/4.4 Gotchas

2009-03-11 Thread Henning Brauer
* Dan Carley dan.car...@gmail.com [2009-02-20 14:47]:
 This behaviour was thankfully not replicated with 4.4 in the lab, so we'll
 be upgrading promptly. But we were having issues with our 4.4 peers keeping
 sessions open to each other. This was resolved with r1.13 of bgpd/timer.c.
 I'm curious though whether this will make it into the 4.4 errata as a
 reliability fix?

it is in 4.4-stable

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



A website for your real-estate property for misc of openbsd.org

2009-03-11 Thread ymmoo.com

Hello,

Selling or renting a property is not easy and can quickly become very 
expensive in classified ads that stay visible for only one or two weeks 
before you have to pay again.

But how do you stand out from the mass of ads in 4 or 5 lines and one or 
two small photos?

How can your buyer or tenant know that you are offering a property if they 
did not read the newspaper at the time you placed your ad?
The answer to all these questions is simple: practically everyone who is 
looking to buy or rent a property searches the internet. And they all 
necessarily go through google, yahoo or msn.

But for that, you need to have a website, with a real web address, 
to get listed on the search engines.

That is why ymmoo offers you software for automatically creating a 
website, specially designed for real estate, for only 49 euro. 

With ymmoo you can create your site, describe your property completely, 
adding all the photos you want, room by room, 
without limitation.

It is very easy, no specific computer knowledge is needed, the whole 
technical part is done automatically, you just have to click the 
"create your site" button and your site is online 
with the internet address you chose.

Then you can list your real website on the search engines. Search engine 
listing is free, has no time limit and is the only real guarantee of 
effectiveness.

With the software we provide you with the 400 most important search engines 
and directories in France on which you can submit the link to your site 
for free: including of course google, yahoo and msn.
  
  
Find the complete description of our software at www.ymmoo.com .
  


Pierre Mensat
 
 

PS: to stop receiving information from us, click on 
http://www.emailing-box.info/scripts/desincrire.php?client 
=misc*openbsd.orgsourcemail=abfdkjhf2585



Re: IP aliases: how many in one server with OpenBSD 4.4? Is it possible to change the limit?

2009-03-11 Thread Claudio Jeker
On Wed, Mar 11, 2009 at 08:54:42PM +0100, Henning Brauer wrote:
 * Alvaro Mantilla Gimenez alv...@dydnetworks.com [2009-02-19 02:52]:
  Anyways, the question is still valid: how many IP aliases we can reach in
  an OpenBSD system? which is the limit?
 
 in theory, there is none but memory.
 
 in practice, it is a simple linked list, so things get slower at some
 point.
 

Also check the lo(4) link1 flag for mass IP aliases. Note: currently works
only with IPv4 (but I have a diff somewhere for the v6 case).

-- 
:wq Claudio



Re: Cardbus stops working after repeated card insertions

2009-03-11 Thread Jeremy O'Brien
As a note, this is running on a Thinkpad X31.



compaq sun drive caddies / sleds / trays for developers

2009-03-11 Thread Kevin Smith
Hello developers...


I have several SCSI drive carriers/trays/caddys/caddies/sleds (whatever else
you'd like to call 'em) I'd like to offer up for any developer who wants 'em
for the bargain price of free if anyone has a need for such creatures.


There are:

6 x 104663-001 80-pin SCSI Compaq sleds/trays

9 x Sun 80-pin SCSI sleds/trays  for the SPARCstation 5 (and similar)


If anyone is interested, please let me know, and I'll get them out the door
to you (postage paid) asap.


Kevin



Setting up a bidirectional (1:1) firewall

2009-03-11 Thread Sam Carleton
In my small company, we already have a SonicWALL firewall that handles all
the workstation traffic to the Internet.  We have a block of public IP
addresses, but the SonicWALL only allows us to make use of two of them.  I
am trying to set up an OpenBSD machine as a firewall for the rest of the IP
addresses.

I have the machine set up so that it has two NICs.  The external NIC has all
the IP addresses we want to use right now aliased to it.  The only question
now is how to set up the firewall for the 1:1 mapping.  I tried to put
something together but it simply does not work, and I am clueless as to why.  Any
suggestions are very helpful.  Here is what I have tried:

#$OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if=dc0
int_if=xl0

tcp_services={22, 113}
icmp_types=echoreq

ccdemo_ext = xxx.xxx.xxx.214
ccdemo_int = 172.16.2.10

###set skip on lo
scrub in all

#nat on $ext_if from !($ext_if) -> ($ext_if:0)
binat on $ext_if from $ccdemo_int to any -> $ccdemo_ext

block in
pass out keep state

antispoof quick for { lo $int_if }

pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
#pass in quick on $ext_if proto tcp from any to $ccdemo_int ports https flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $ccdemo_int
pass in quick on $int_if



Re: Quick question about an PF user's guide example

2009-03-11 Thread Leonardo Rodrigues
 Note that only the pf.conf directives that apply directly to the above policy 
 are present; nat, rdr, options, etc., are not shown.

Yeah, I noticed that too =) But I don't know if that setup would work
without NAT enabled. But then, I'm no network expert...

 Bear in mind that while a queue is applied to the egress interface,
 the classification of that traffic may take place on another
 interface. So you could do something more like this:

 pass from 192.168.0.5 to ! mynet keep state queue traffic1_ext

I considered trying that, but I think that queueing only the egress
interface wouldn't solve my problem. Since my link to the internet is
an ADSL line, 1Mb downstream and 512Kb upstream, I think that the only
sane way to queue both up and down bandwidth would be to set up altq
on the egress interface (for queueing uploads) and another altq on the
internal interface (for queueing downloads). The big problem here is
that I have _three_ internal interfaces that must share the internet
link.

I considered setting a hard limit on each internal interface (33%
each), but that can't be, since I need them to borrow available
bandwidth and have different priorities on downloading via the
external interface.

Does anyone have any ideas on how to accomplish such a setup?

Leonardo Rodrigues



Re: 4.4 on ESXi 3.5 (was: vic(4) on amd64)

2009-03-11 Thread SJP Lists
2009/3/12  dt...@drizzle.com:

 I discovered a severe performance problem, wherein an OpenBSD guest would
 run fine for some period of hours, and then become horribly bogged down
 during disk operations, to the point of unusability.  This was true even
 when the guest was nearly idle and the VM host had abundant uncommitted
 resources, and was equally true on 32 bit and 64 bit OpenBSD guests.

 This was a showstopper, but the problem appears to have been resolved by
 lying to the hypervisor.  Since I told it that the guest was Red Hat
 Enterprise Linux 64 bit, instead of Other 64 bit, the problem has so far
 not recurred.

Thanks David,

I came across this problem a few days ago and have yet to get back
looking at it.

So I'm glad for this tip!


Shane



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-11 Thread Hilco Wijbenga
It happened again...

2009/3/9 J.C. Roberts list-...@designtools.org:
 As for whether or not the assigned IP address you get from your ISP via
 DHCP will become a problem really depends on the netmask and default
 route they give you along with the IP.

 If your internal network is 192.168.151.*
 And your ISP gives you 192.168.1.* with a netmask of 255.255.0.0
 then you're officially hosed. The provided netmask means your internal
 network is *within* the range of your external network. bad juju!

 That netmask would give you the range 192.168.0.0 - 192.168.255.255 on
 your external interface, and hence, overlapping your internal network.

The netmask is 192.168.1.255 so I should be okay there.

 When using Point to Point Protocol (PPP, PPPoE, and similar), it can get
 far more confusing. Take a look at the following:

No PPP or PPPoE, just simple DHCP.

 None the less, the safest thing you can do is use an obtuse private
 network range for your internal LAN.

I guess it would be a good idea to do that then anyway.

 If I was able to 'keep state' every time I 'pass out' drinking would be
 far more enjoyable. Though I can't do it, pf can, and does it by
 default, but it seems I've digressed. Additionally, you need to be very
 careful when using the quick keyword since it intentionally short
 circuits your rule evaluation.

         ext_if = sk0
         int_if = sk1
         set skip on lo
         scrub in

         nat on $ext_if from !($ext_if) -> ($ext_if:0)

         block in log
         pass out
         antispoof quick for { lo $int_if }
         pass quick on $int_if no state


 On the last line, you do not necessarily need the 'no state' (but it
 eliminates collecting pointless state entries) and you don't need the
 'quick' since it's the last rule evaluated (but you might follow this
 with other rules).

I'll see if simplifying the rules helps.

 If during a DHCP (re)assignment the DHCP server sends an ICMP Echo
 Request packet (Type 8), and you're blocking the packet but due
 to your block-policy replying with ICMP Destination Unreachable packet
 (Type 3), strange things might occur.

The problem is definitely with DHCP assigning a new IP address. I
checked and (as everybody here was already expecting) pf is still
using the same rules as before.

So apparently using ($ext_if) isn't working properly. I need to reload
pf.conf for the firewall to work again. I'll see if changing the
return policy makes any difference.

Cheers,
Hilco
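The netmask overlap J.C. Roberts describes above, checked programmatically as an added example (not code from the thread): it takes the internal LAN 192.168.151.0/24 and the external 192.168.1.x addresses from the discussion, with host part and masks as constructed sample values, and relies only on Python's standard ipaddress module.

```python
"""Check whether a DHCP-assigned external address and netmask overlap
the internal LAN, the situation described in the thread above.

Added example, not code from the thread; the host addresses and the
masks tried below are constructed sample values.
"""
import ipaddress

# Internal LAN from the thread (192.168.151.*).
INTERNAL_LAN = ipaddress.ip_network("192.168.151.0/24")


def external_network(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Return the network the external interface believes it is on.

    strict=False keeps the host bits of `address` from being an error.
    A non-contiguous mask (for instance a value that is really a host
    address, like 192.168.1.255) raises ValueError, which is the right
    outcome: such a value cannot be applied as a netmask.
    """
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def overlaps_internal(address: str, netmask: str,
                      internal: ipaddress.IPv4Network = INTERNAL_LAN) -> bool:
    """True when the external network contains any internal address."""
    return external_network(address, netmask).overlaps(internal)


def describe(address: str, netmask: str,
             internal: ipaddress.IPv4Network = INTERNAL_LAN) -> str:
    """One-line verdict, including the range the mask actually covers."""
    try:
        ext = external_network(address, netmask)
    except ValueError:
        return f"{netmask} is not a valid netmask"
    first, last = ext.network_address, ext.broadcast_address
    verdict = "OVERLAPS" if ext.overlaps(internal) else "is disjoint from"
    return f"{address}/{netmask} covers {first}-{last}: {verdict} {internal}"


if __name__ == "__main__":
    # Sample cases: the /16 the thread warns about, a sane /24, and the
    # value quoted as a netmask in the reply, which is not a mask at all.
    for addr, mask in [("192.168.1.20", "255.255.0.0"),
                       ("192.168.1.20", "255.255.255.0"),
                       ("192.168.1.20", "192.168.1.255")]:
        print(describe(addr, mask))
```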



Re: OpenSSH release CDS

2009-03-11 Thread David Schulz
Well, I think it is not a bad idea; purchasing superb remote administration
software on a CD for 25 USD or whatever sounds easy to sell; though I think
it's true, it will be a lot of work and trouble to get those CDs and
packaging artwork and everything in low enough quantities, and then turn it
over fast enough. Maybe, though, a custom-built, cheap enough USB stick which
gets loaded with the newest stable version could be sent out together with
some stickers or so. Who knows, just a thought to get more money to the
project.

On Wed, Mar 11, 2009 at 10:07:21AM -0400, Kevin Wilcox wrote:
 2009/3/11 patric conant mirage.comput...@gmail.com:
 
  I've repeatedly been in a position where we weren't making direct use
  of OpenBSD, but were using OpenSSH, and if there were a recurring cost
  associated with it (like purchasing a semi-annual CD) it would have
  been relatively painless to get a rubber stamp approval of such a
  cost, whereas purchasing an OS we weren't using would've been a much
  more difficult sell. Since there is already regular ssh art, (that
  could be used for the next several releases), how much further
  effort/money would it take to release OpenSSH on CD? Also of the
  people on misc@ how many would think they'd have an easier time
  convincing bosses/clients/others to buy a single CD for say $25 then
  they would getting an OS purchased. Just a thought, for these trying
  economic times and whatnot.
 
 I can't speak for the devs, Theo, @misc or anyone except myself and my
 personal experiences with having a custom CD created but I'd bet my
 experiences aren't too different from what Theo and the core team have
 to deal with.
 
 When we looked into it for something else, we had to order a set
 number before anyone would even agree to print/press/package. All of
 that gets paid out of pocket with the hopes that you can move the
 product. If it doesn't sell in a reasonable time then it has suddenly
 become outdated and an unnecessary waste if your sales do not cover at
 least the physical costs and the man-hours of effort put into it.
 
 Colour me skeptical or pessimistic but I'd wager it's Just Not Worth
 It to package/print/sell OpenSSH discs. You can always donate to the
 project, though. Methods of payment are available at
 
 http://www.openssh.org/donations.html
 http://openbsd.org/donations.html
 
 kmw
 
 -- 
 Far better is it to dare mighty things, to win glorious triumphs, even
 if chequered by failure, than to take rank with those poor spirits who
 neither enjoy much nor suffer much, because they live in the grey
 twilight that knows not victory or defeat.