Re: i386 -current Sloppy source-track Breaks?
Hi Misc@,

I noticed that this ICMP traffic always gets a bad checksum leaving the router. Sample:

on routerA (accessRouter)

    $ ping 203.190.abc.xyz
    PING 203.190.abc.xyz: 56 data bytes
    64 bytes from 203.190.abc.xyz: icmp_seq=0 ttl=58 time=6.215 ms
    64 bytes from 203.190.abc.xyz: icmp_seq=42 ttl=58 time=6.604 ms
    64 bytes from 203.190.abc.xyz: icmp_seq=72 ttl=58 time=5.823 ms

On routerB (edgeRouter)
---
    $ sudo tcpdump -entvi pflog0 action pass and icmp and host 203.190.abc.xyz
    rule 119/(match) [uid 0, pid 14104] pass in on vlan11: abc.def.ghi.198 > 203.190.abc.xyz: icmp: echo request (id:285b seq:0) (ttl 254, id 59391, len 84)
    rule 157/(match) [uid 0, pid 14104] pass out on vlan97: abc.def.ghi.198 > 203.190.abc.xyz: icmp: echo request (id:285b seq:0) (ttl 253, id 59391, len 84, bad cksum 899d!)

Thanks.
Insan Praja

On Thu, 17 May 2012 03:11:33 +0700, Insan Praja SW insan.pr...@gmail.com wrote:

> Hi Misc@,
>
> I was upgrading my 5.0 i386 -stable to 5.1 i386 -stable. We use ECMP using ospfd, and asymmetric routing with bgpd. Strangely, keep state (sloppy source-track) flags any can no longer pass icmp traffic. Traceroute, browsing etc. work, though. Then I decided to upgrade it to -current, which doesn't seem to solve the problem.
> This:
>
>     pass in quick log on $core_if \
>         inet proto icmp to <public_ip> tag PING \
>         keep state (sloppy source-track global) flags any \
>         queue (CoreUp_icmp CoreUp_ack)
>     pass in quick log on $core_if \
>         inet proto udp to <public_ip> port 33433 >< 33626 tag PING \
>         keep state (sloppy source-track global) flags any \
>         queue (CoreUp_icmp CoreUp_ack)
>     pass out quick log on $core_if \
>         inet tagged PING \
>         keep state (sloppy source-track global) flags any \
>         queue CoreUp_icmp
>     pass out quick log on $core_if \
>         inet proto icmp from self \
>         keep state (sloppy source-track global) flags any \
>         queue CoreUp_icmp
>     pass out quick log on $core_if \
>         inet proto udp from self to any port 33433 >< 33626 \
>         keep state (sloppy source-track global) flags any \
>         queue CoreUp_icmp
>     pass in quick log on $serv_if \
>         inet proto icmp from <public_ip> \
>         keep state (sloppy source-track global) flags any \
>         queue ServDn_icmp tag PING
>     pass in quick log on $serv_if \
>         inet proto udp to any port 33433 >< 33626 \
>         keep state (sloppy source-track global) flags any \
>         queue ServDn_icmp tag PING
>     pass out quick log on $serv_if \
>         inet tagged PING \
>         keep state (sloppy source-track global) flags any \
>         queue ServDn_icmp
>     pass out quick log on $serv_if \
>         inet proto icmp \
>         keep state (sloppy source-track global) flags any \
>         queue ServDn_icmp
>     pass out quick log on $serv_if \
>         inet proto udp to any port 33433 >< 33626 \
>         keep state (sloppy source-track global) flags any \
>         queue ServDn_icmp
>
> Doesn't behave consistently. Some hosts/packets get blocked, some get through, randomly.
> Thanks,
> Insan Praja SW
>
> DMESG (identical machines):
>
> OpenBSD 5.1-current (GENERIC.MP) #0: Thu May 17 01:18:14 WIT 2012
>     r...@greenrouter-jkt02.mygreenlinks.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
> RTC BIOS diagnostic error 3
> cpu0: Intel(R) Pentium(R) D CPU 3.00GHz ("GenuineIntel" 686-class) 3.01 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR,PDCM,LAHF
> real mem  = 2142687232 (2043MB)
> avail mem = 2096836608 (1999MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 03/26/07, SMBIOS rev. 2.4 @ 0x7fbe4000 (43 entries)
> bios0: vendor Intel Corporation version "S3000.86B.02.00.0054.061120091710" date 06/11/2009
> bios0: Intel S3000AH
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT SLIC FACP APIC WDDT HPET MCFG ASF! SSDT SSDT SSDT SSDT SSDT HEST BERT ERST EINJ
> acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S1) PEX4(S4) PEX5(S4) UHC1(S1) UHC2(S1) UHC3(S1) UHC4(S1) EHCI(S1) AC9M(S4) AZAL(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 199MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Pentium(R) D CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR,PDCM,LAHF
> ioapic0 at mainbus0: apid 5 pa 0xfec00000, version 20, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 5
Re: Load balancing and fail-over
> Route lookups are based on the *destination* address not the source address, you could add a route for a certain destination via a certain interface to send packets out that way.

Hmm, that sounds good to me. Since I have 2 interfaces for 2 different WAN connections, it is possible to add a route to a certain destination IP address in the /etc/hostname.em0 and /etc/hostname.em1 files and make it permanent in this way.

/etc/hostname.em0
    inet 192.168.10.6 255.255.255.0
    !route add -host 173.194.38.184 192.168.10.5
    !route add -mpath default 192.168.10.5

/etc/hostname.em1
    inet 192.168.20.6 255.255.255.0
    !route add -host 173.194.38.191 192.168.20.5
    !route add -mpath default 192.168.20.5

Then, a shell script in crontab can ping those destination IP addresses and see if they are UP or DOWN. (ifstated can also do it, but I will have to understand its behaviour.) When both are UP, nothing is done, and when one fails, remove that -mpath default route. In this manner, when one link goes down, all traffic will go via the available link. That is what I am looking for. I think I am right. I am right, ain't I?

Then, I will have to discuss this below rule as well.

    pass in on $int_if from $lan_net \
        route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
        round-robin

When one link goes DOWN, will all the traffic go via the available link? Does the above rule do this duty?

I think I am getting closer to achieving the goal.

Hi Stuart Henderson, many thanks for your effort that pushed me to go ahead. Hope to hear from ALL.

--
Thank you
Indunil Jayasooriya
Re: Watchdog timeout reset in 5.1 on intel nic:s
On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
> On 2012-05-11 04:15, Garry Dolley wrote:
> > I now have an amd64 test VM set up, where I installed stock 5.0. I ran a lot of traffic over em0 without any timeouts.
>
> That's expected. 5.0 has been running without issue for me for a long time.
>
> > I also have been trying several -current kernels. As of:
> >
> >     OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012
> >
> > I don't see any em0 timeouts. I will continue to try newer ones and report back here...
>
> Why not just test 5.1? Problems have been reported against 5.1, not -current.

One post by maxim reported the problem on 5.0, so I was being thorough. Starting with 5.0, and going up... I am going to try a 5.1 stock install tonight and work up to -current.

--
Garry Dolley
ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
Data center, VPS, and IP Transit solutions
Member Los Angeles County REACT, Unit 336 | WQGK336
Blog http://scie.nti.st
Re: Load balancing and fail-over
On 2012/05/17 13:20, Indunil Jayasooriya wrote:
> > Route lookups are based on the *destination* address not the source address, you could add a route for a certain destination via a certain interface to send packets out that way.
>
> Hmm, that sounds good to me. Since I have 2 interfaces for 2 different WAN connections, it is possible to add a route to a certain destination IP address in the /etc/hostname.em0 and /etc/hostname.em1 files and make it permanent in this way.
>
> /etc/hostname.em0
>     inet 192.168.10.6 255.255.255.0
>     !route add -host 173.194.38.184 192.168.10.5
>     !route add -mpath default 192.168.10.5
>
> /etc/hostname.em1
>     inet 192.168.20.6 255.255.255.0
>     !route add -host 173.194.38.191 192.168.20.5
>     !route add -mpath default 192.168.20.5
>
> Then, a shell script in crontab can ping those destination IP addresses and see if they are UP or DOWN. (ifstated can also do it, but I will have to understand its behaviour.) When both are UP, nothing is done, and when one fails, remove that -mpath default route. In this manner, when one link goes down, all traffic will go via the available link. That is what I am looking for. I think I am right. I am right, ain't I?

Yes I think this is what you're looking for.

> Then, I will have to discuss this below rule as well.
>
>     pass in on $int_if from $lan_net \
>         route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>         round-robin
>
> When one link goes DOWN, will all the traffic go via the available link? Does the above rule do this duty?
No, your script or ifstated config will need to adjust this rule. You can do this by using a macro to write the rule, something like this:

    GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
    pass in on $int_if from $lan_net route-to { $GATEWAYS }

This helps because you can override the macro on the pfctl command line, so you can use something like this to reload the ruleset with your choice of gateway:

    pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
    pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
    pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

While you're testing, use pfctl -v ... if you would like to check how the parsed rules look.

> I think I am getting closer to achieving the goal.
>
> Hi Stuart Henderson, many thanks for your effort that pushed me to go ahead. Hope to hear from ALL.
>
> --
> Thank you
> Indunil Jayasooriya
Re: trunk0 with dual stack
Thank you very much for the explanations. It works very well.

Thank you,
Bogdan

From: Stuart Henderson s...@spacehopper.org
To: misc@openbsd.org
Sent: Wednesday, May 16, 2012 6:08 PM
Subject: Re: trunk0 with dual stack

On 2012-05-16, Bogdan Andu bo...@yahoo.com wrote:
> Is it possible to build an interface aggregation on dual stack systems?

Of course, trunk works just the same as a standard interface in this respect.

> /etc/hostname.trunk0 such that it will look like this:
>
>     trunkproto failover trunkport bge0 trunkport bge1
>     192.168.18.133 netmask 255.255.255.0
>     inet6
>     2e03:5a80:0:4::133 prefixlen 64

prefixlen 64 is default, no need to include it, and inet6 goes on the same line as the address. I'd use something like this

    trunkproto failover trunkport bge0 trunkport bge1
    inet 192.168.18.133 255.255.255.0
    inet6 2e03:5a80:0:4::133

> ! route add -inet6 default 2e03:5a80:0:4::1

just add 2e03:5a80:0:4::1 to /etc/mygate
Re: Load balancing and fail-over
hi

why not try the relayd way? look at http://gouloum.fr/doc/multilink.html, the part with relayd

holger

> On 2012/05/17 13:20, Indunil Jayasooriya wrote:
> > > Route lookups are based on the *destination* address not the source address, you could add a route for a certain destination via a certain interface to send packets out that way.
> >
> > Hmm, that sounds good to me. Since I have 2 interfaces for 2 different WAN connections, it is possible to add a route to a certain destination IP address in the /etc/hostname.em0 and /etc/hostname.em1 files and make it permanent in this way.
> >
> > /etc/hostname.em0
> >     inet 192.168.10.6 255.255.255.0
> >     !route add -host 173.194.38.184 192.168.10.5
> >     !route add -mpath default 192.168.10.5
> >
> > /etc/hostname.em1
> >     inet 192.168.20.6 255.255.255.0
> >     !route add -host 173.194.38.191 192.168.20.5
> >     !route add -mpath default 192.168.20.5
> >
> > Then, a shell script in crontab can ping those destination IP addresses and see if they are UP or DOWN. (ifstated can also do it, but I will have to understand its behaviour.) When both are UP, nothing is done, and when one fails, remove that -mpath default route. In this manner, when one link goes down, all traffic will go via the available link. That is what I am looking for. I think I am right. I am right, ain't I?
>
> Yes I think this is what you're looking for.
>
> > Then, I will have to discuss this below rule as well.
> >
> >     pass in on $int_if from $lan_net \
> >         route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >         round-robin
> >
> > When one link goes DOWN, will all the traffic go via the available link? Does the above rule do this duty?
> No, your script or ifstated config will need to adjust this rule. You can do this by using a macro to write the rule, something like this:
>
>     GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
>     pass in on $int_if from $lan_net route-to { $GATEWAYS }
>
> This helps because you can override the macro on the pfctl command line, so you can use something like this to reload the ruleset with your choice of gateway:
>
>     pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
>     pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
>     pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
>
> While you're testing, use pfctl -v ... if you would like to check how the parsed rules look.
>
> > I think I am getting closer to achieving the goal.
> >
> > Hi Stuart Henderson, many thanks for your effort that pushed me to go ahead. Hope to hear from ALL.
> >
> > --
> > Thank you
> > Indunil Jayasooriya
Re: Watchdog timeout reset in 5.1 on intel nic:s
On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
> On 2012-05-11 04:15, Garry Dolley wrote:
> > I now have an amd64 test VM set up, where I installed stock 5.0. I ran a lot of traffic over em0 without any timeouts.
>
> That's expected. 5.0 has been running without issue for me for a long time.
>
> > I also have been trying several -current kernels. As of:
> >
> >     OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012
> >
> > I don't see any em0 timeouts. I will continue to try newer ones and report back here...
>
> Why not just test 5.1? Problems have been reported against 5.1, not -current.

I now have a stock 5.1 test VM set up.

    OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
        dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

I don't see any timeouts. I grabbed the ports tree via curl several times and have been slaving away at it over SSH. I don't notice anything wrong.

So, perhaps this issue does not appear in stock 5.1, but in a newer kernel. I'll try something newer soon...

--
Garry Dolley
ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
Data center, VPS, and IP Transit solutions
Member Los Angeles County REACT, Unit 336 | WQGK336
Blog http://scie.nti.st
Re: Load balancing and fail-over
> why not try the relayd way? look at http://gouloum.fr/doc/multilink.html, the part with relayd

I found that URL yesterday. I will have to learn it. I just try to do it with a shell script. Anyway, thanks a lot.

--
Thank you
Indunil Jayasooriya
Re: Load balancing and fail-over
> No, your script or ifstated config will need to adjust this rule. You can do this by using a macro to write the rule, something like this:
>
>     GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
>     pass in on $int_if from $lan_net route-to { $GATEWAYS }
>
> This helps because you can override the macro on the pfctl command line, so you can use something like this to reload the ruleset with your choice of gateway:
>
>     pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
>     pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
>     pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
>
> While you're testing, use pfctl -v ... if you would like to check how the parsed rules look.

Thanks once again for your introduction. I wrote a shell script, pls see below. In /etc/pf.conf I have the below variable:

    GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"

Now, this is the script.

    #!/bin/sh
    # Checking WAN1: probe out through the WAN1 source address, keep the exit status
    ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
    VARWAN1=$?
    # Checking WAN2
    ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
    VARWAN2=$?

    if [ "${VARWAN1}" = 0 ] && [ "${VARWAN2}" = 0 ]; then
        echo "Both links are UP"
        route add -mpath default 1.1.1.1
        route add -mpath default 2.2.2.2
        pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
    elif [ "${VARWAN1}" != 0 ] && [ "${VARWAN2}" != 0 ]; then
        echo "Both links are DOWN"
        route add -mpath default 1.1.1.1
        route add -mpath default 2.2.2.2
        pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
    elif [ "${VARWAN1}" != 0 ]; then
        echo "WAN1 is DOWN"
        route add -mpath default 2.2.2.2
        route delete -mpath default 1.1.1.1
        pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
    elif [ "${VARWAN2}" != 0 ]; then
        echo "WAN2 is DOWN"
        route add -mpath default 1.1.1.1
        route delete -mpath default 2.2.2.2
        pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
    fi

Pls NOTE - Section 2 (i.e., when BOTH links are DOWN, there is no internet at ALL, so just behave as if BOTH links are UP. It does NOT matter for me).

I think that traffic routes as I expected. I will have to test it.
Now, the interesting thing is this (taken from the openbsd website):

    # keep https traffic on a single connection; some web applications,
    # especially secure ones, don't allow it to change mid-session
    pass in on $int_if proto tcp from $lan_net to port https \
        route-to ($ext_if1 $ext_gw1)

When both links are UP and WAN1 is UP, https traffic will go via WAN1. When WAN1 goes down, https should go via WAN2. I think if I add another variable to /etc/pf.conf, I will be able to achieve it too.

    ONEWAYHTTPS="1.1.1.1@em0"
    pass in on $int_if proto tcp from $lan_net to port https \
        route-to { $ONEWAYHTTPS }

and use this below while WAN1 goes DOWN

    pfctl -D ONEWAYHTTPS=2.2.2.2@em1 -f /etc/pf.conf

Is it alright? I think a few miles are left for me to reach the goal. If you can give an example, it is worth a million times. Your comments are welcome...

--
Thank you
Indunil Jayasooriya
Re: Watchdog timeout reset in 5.1 on intel nic:s
On Thu, May 17, 2012 at 03:19:07AM -0700, Garry Dolley wrote:
> On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
> > On 2012-05-11 04:15, Garry Dolley wrote:
> > > I now have an amd64 test VM set up, where I installed stock 5.0. I ran a lot of traffic over em0 without any timeouts.
> >
> > That's expected. 5.0 has been running without issue for me for a long time.
> >
> > > I also have been trying several -current kernels. As of:
> > >
> > >     OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012
> > >
> > > I don't see any em0 timeouts. I will continue to try newer ones and report back here...
> >
> > Why not just test 5.1? Problems have been reported against 5.1, not -current.
>
> I now have a stock 5.1 test VM set up.
>
>     OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
>         dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
>
> I don't see any timeouts. I grabbed the ports tree via curl several times and have been slaving away at it over SSH. I don't notice anything wrong.
>
> So, perhaps this issue does not appear in stock 5.1, but in a newer kernel. I'll try something newer soon...

I have tried the following newer kernels:

    bsd.20120330
    bsd.20120419
    bsd.20120427
    bsd.20120516

I still can't reproduce the problem.

I have disabled mpbios on all these kernels, forgot to mention that.

I will leave this be for now; will pick it up again if any new information should arise.

--
Garry Dolley
ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
Data center, VPS, and IP Transit solutions
Member Los Angeles County REACT, Unit 336 | WQGK336
Blog http://scie.nti.st
IPs in the facebook.com domain accessing OpenBSD firewall
Hi,

This traffic is blocked on the external interface of the firewall.

    May 17 11:34:56.013614 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58106 NS? . (19)
    May 17 11:34:56.763086 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58107 NS? . (19)
    May 17 11:34:57.513318 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58108 NS? . (19)
    May 17 11:45:37.720155 rule 7/(match) block in on em1: 69.171.243.241 > xxx.yyy.ddd.zzz: icmp: echo request
    May 17 11:45:39.213492 rule 7/(match) block in on em1: 69.171.243.241.52370 > xxx.yyy.ddd.zzz.53: 33246 NS? . (19)
    May 17 11:49:39.746886 rule 7/(match) block in on em1: 69.171.228.232 > xxx.yyy.ddd.zzz: icmp: echo request
    May 17 11:49:41.242588 rule 7/(match) block in on em1: 69.171.228.232.59470 > xxx.yyy.ddd.zzz.53: 33554 NS? . (19)

xxx.yyy.ddd.zzz is our firewall IP.

66.220.151.124, 69.171.243.241, 69.171.228.232 are IPs from the facebook.com domain, as ip2location reports.

Why should facebook servers access my firewall? They ping my firewall and try to use our internal DNS server, which is not mentioned in any public NS record. I wonder if these machines in the facebook.com domain are infected with some malware bots? Or is it part of their security checks or something?

Anybody any idea?

Thanks
Siju
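An added example, not part of Siju's post or of any OpenBSD code: a small parser for pflog lines in the tcpdump(8) format shown above that tallies blocked inbound packets per source and classifies them, so that a run of root-NS queries ("NS? .") aimed at a DNS server that is not meant to be public stands out in a daily report. The sample log lines are constructed from the post, with the firewall address replaced by the TEST-NET address 203.0.113.10.

```python
import re
from collections import defaultdict

# Constructed sample: the pflog lines from the post above, with the firewall
# address replaced by the TEST-NET address 203.0.113.10.
SAMPLE_PFLOG = """\
May 17 11:34:56.013614 rule 7/(match) block in on em1: 66.220.151.124.47369 > 203.0.113.10.53: 58106 NS? . (19)
May 17 11:34:56.763086 rule 7/(match) block in on em1: 66.220.151.124.47369 > 203.0.113.10.53: 58107 NS? . (19)
May 17 11:34:57.513318 rule 7/(match) block in on em1: 66.220.151.124.47369 > 203.0.113.10.53: 58108 NS? . (19)
May 17 11:45:37.720155 rule 7/(match) block in on em1: 69.171.243.241 > 203.0.113.10: icmp: echo request
May 17 11:45:39.213492 rule 7/(match) block in on em1: 69.171.243.241.52370 > 203.0.113.10.53: 33246 NS? . (19)
May 17 11:49:39.746886 rule 7/(match) block in on em1: 69.171.228.232 > 203.0.113.10: icmp: echo request
May 17 11:49:41.242588 rule 7/(match) block in on em1: 69.171.228.232.59470 > 203.0.113.10.53: 33554 NS? . (19)
"""

# One pflog line as tcpdump prints it on pflog0:
# timestamp, matching rule, action, direction, interface, src > dst: payload.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) "
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$"
)


def split_host_port(endpoint):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; a bare a.b.c.d has no port."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None


def classify(payload, dst_port):
    """Name the probe type from the decoded payload text."""
    if payload.startswith("icmp:"):
        return "icmp " + payload[len("icmp:"):].strip()
    if dst_port == 53:
        # "NS? ." asks for the root NS set, the usual probe for an open
        # resolver; against a non-public DNS server it is worth a look.
        if re.search(r"\bNS\? \.", payload):
            return "dns root NS query"
        return "dns other"
    return "other"


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src_ip"], rec["src_port"] = split_host_port(rec["src"])
    rec["dst_ip"], rec["dst_port"] = split_host_port(rec["dst"])
    rec["kind"] = classify(rec["payload"], rec["dst_port"])
    return rec


def summarize_blocked(log_text, ifname="em1"):
    """Count blocked inbound packets on ifname, per source address and probe kind."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue  # not a pflog record (e.g. tcpdump's own banner line)
        if rec["action"] != "block" or rec["dir"] != "in" or rec["ifname"] != ifname:
            continue
        counts[rec["src_ip"]][rec["kind"]] += 1
    return {src: dict(kinds) for src, kinds in counts.items()}


def sources_probing_dns(summary, min_queries=1):
    """Sources that sent at least min_queries root-NS queries, busiest first."""
    hits = [(src, kinds.get("dns root NS query", 0)) for src, kinds in summary.items()]
    hits = [h for h in hits if h[1] >= min_queries]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    summary = summarize_blocked(SAMPLE_PFLOG)
    for src, n in sources_probing_dns(summary):
        print(f"{src:<16} {n} root NS queries; all blocked kinds: {summary[src]}")
```

Feed it real output with `tcpdump -n -e -ttt -r /var/log/pflog | python3 thisfile.py` adapted to read stdin; the three sources in the post each show up with their root-NS query count.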
Re: greylisting and blacklisting rules in pf.conf
ager39...@mypacks.net writes:

> What rules should I have in pf.conf for both greylisting and blacklisting? I'd like to blacklist those sites that got spam through the greylisting.

Unless you explicitly start spamd in blacklisting-only mode, it will greylist. The spamd related rules I have in a typical pf.conf are

    table <spamd-white> persist
    table <nospamd> persist file "/etc/mail/nospamd"
    pass in log on egress proto tcp to port smtp rdr-to 127.0.0.1 port spamd queue spamd
    pass in log on egress proto tcp from <nospamd> to port smtp
    pass in log on egress proto tcp from <spamd-white> to port smtp
    pass out log on egress proto tcp to port smtp

It's possible you will find my tutorial and slides over at http://home.nuug.no/~peter/pf/ helpful, and you'll find some spamd-related field notes via the blogspot link in my .signature

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: IPs in the facebook.com domain accessing OpenBSD firewall
Most likely someone posted a link to a resource in your domain, and your DNS appears to be authoritative for that zone. Sounds quite realistic. There on facebook might be some kind of parser trying to retrieve a preview for the link or something similar... Anyway, have a look at the DNS server's logs - what exactly do they want from you? =) .. or Zuckerberg must have become bored to death =)

17.05.2012 15:50, Siju George wrote:
> Why should facebook servers access my firewall?

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: IPs in the facebook.com domain accessing OpenBSD firewall
> I wonder if these machines in the facebook.com domain are infected with some malware bots?

Facebook *is* a malware bot :)

Let the request through and log what it tries to do next, this could be quite a story.

--
p
Re: IPs in the facebook.com domain accessing OpenBSD firewall
Didn't take into account that you do not publish the DNS. That fact makes my assumption wrong. Really, go and log the requests! =)

17.05.2012 15:50, Siju George wrote:
> This traffic is blocked on the external interface of the firewall.

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: IPs in the facebook.com domain accessing OpenBSD firewall
http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf
Unuseful error message in BIND 9.4.2-P2
I am putting up OpenBSD 5.1 for the first time and I am getting

    May 17 11:36:59 mail named[6539]: starting BIND 9.4.2-P2
    May 17 11:37:00 mail named[6539]: command channel listening on 127.0.0.1#953
    May 17 11:37:00 mail named[6539]: running
    May 17 11:37:00 mail named[6539]: /usr/src/usr.sbin/bind/lib/isc/unix/socket.c:1218: unexpected error:
    May 17 11:37:00 mail named[6539]: internal_send: 192.168.209.2#53: Message too long
    May 17 11:37:00 mail named[6539]: /usr/src/usr.sbin/bind/lib/isc/unix/errno2result.c:111: unexpected error:
    May 17 11:37:00 mail named[6539]: unable to convert errno to isc_result: 40: Message too long
    May 17 11:37:00 mail named[6539]: zone 254.168.192.IN-ADDR.ARPA/IN: expired
    May 17 11:37:00 mail named[6539]: zone xxx.xxx/IN: expired
    May 17 11:37:00 mail named[6539]: /usr/src/usr.sbin/bind/lib/isc/unix/socket.c:1218: unexpected error:
    May 17 11:37:00 mail named[6539]: internal_send: 192.168.209.2#53: Message too long
    May 17 11:37:00 mail named[6539]: /usr/src/usr.sbin/bind/lib/isc/unix/errno2result.c:111: unexpected error:
    May 17 11:37:00 mail named[6539]: unable to convert errno to isc_result: 40: Message too long

I have hidden the domain name with xxx.xxx. I am building the system as a firewall and the ethernet card with sub network 192.168.209/24 has nothing plugged in. I expect the error will go away once the master DNS server does actually exist.
Re: authorized_keys and security(8)
Hi Chris,

Chris Cappuccio wrote on Thu, May 03, 2012 at 09:31:55PM -0700:
> Mike Erdely [m...@erdelynet.com] wrote:
> > FYI: For a test, I added foo with useradd(8) and bar with adduser(8):
> >
> >     # grep -E '(foo|bar)' /etc/master.passwd
> >     foo:*:1002:1002::0:0::/home/foo:/bin/ksh
> >     bar:*************:1003:1003::0:0:bar:/home/bar:/bin/ksh
> >
> > Looks like useradd does the right thing and adduser does not.
>
> When did thirteen asterisks start to mean anything different than the single traditional asterisk?

On March 31, 1992, when Keith Bostic first implemented counting the characters in the password hash field in etc/security SCCS diff 5.14. Here is Keith's original implementation:

    echo "Checking for turned-off accounts with valid shells:"
    awk -F: "length(\$2) != 13 && \$10 ~ /.*sh$/ \
        { print \"user \" \$1 \" account turned off with valid shell.\" }" \
        /etc/master.passwd

Yours,
Ingo
Re: update http://www.openbsdsupport.org/
Hi,

Daniel, maybe you should get past the natural instinct of being associated with a good thing and change the domain name and the layout of the site. As it is now, it will look like an OpenBSD maintained site to a beginner.

Just a thought, nothing personal.
Re: update http://www.openbsdsupport.org/
On 2012-05-17 22:41, Mihai Popescu wrote:
> Hi,
>
> Daniel, maybe you should get past the natural instinct of being associated with a good thing and change the domain name and the layout of the site. As it is now, it will look like an OpenBSD maintained site to a beginner.
>
> Just a thought, nothing personal.

The domain name and layout, I think they're good. Only the content needs to be updated.

--
wesley
The news / Chien A Plumes - 2.3.4.5 August - LANGRES
FESTIVAL LE CHIEN A PLUMES /// 2, 3, 4, 5 AUGUST 2012
LANGRES - Lac de Villegusien - 52

WHAT'S NEW?? At the Chien à Plumes ...

GROUNDATION JOINS THE LINEUP FOR THURSDAY 2 AUGUST !!
The Californians are passing through Haute-Marne and will naturally stop by on Thursday 2 August to open the festival with ZEBDA and LA FANFARE EN PETARD !!

??? ;) THE SUNDAY SURPRISE !!
Sunday's headliner will be revealed on 29 June !! A nice Rock surprise that will please a lot of people ... Stay on the lookout !!

3-DAY AND 4-DAY PASSES ON PROMOTION !!
Take advantage of the promotional passes until 10 June !! You know the lineup ... So take advantage of these prices through the FNAC or TICKETNET networks !!

THE NEW WEBSITE TO DISCOVER !!
All (or almost all) of the lineup to discover in detail on the Chien's website !! www.chienaplumes.fr

THE STREET SHOWS ARE SHOWING THEIR FACES !!
Circus, painting, graffiti and a band in quadraphonic sound will be there. We'll tell you more soon

THE FULL LINEUP :)

Thursday 2 August: ZEBDA (festive chanson - Fr) / GROUNDATION (Reggae - USA) / LA FANFARE EN PETARD (Hip Hop brass band)
Fri 3 August: ALBOROSIE (reggae - Italy) / CARMEN MARIA VEGA (Rock - Fr) / BEAT ASSAILANT (hip hop Soul US/Fr) / BOUSSAI (Reggae - FR) / ANDREAS ET NICOLAS (Chanson - Fr) / KELE KELE (Afro Beat - Fr) / CATS ON TREES (Trip Hop Rock - Fr) / LA VILLA GINETTE (Chanson - Fr)
Sat 4 August: H F THIEFAINE (Chanson - Fr) / ORELSAN (Hip Hop - Fr) / THE BLACK SEEDS (Reggae - New Zealand) / THE EXCITEMENTS (Rock - Esp) / MILANGA (DubNTranse - Fr) / MILA MARINA (trip Hop - Fr) / MRS GOOD (Folk - Fr) / TREMPLIN (Surprise)
Sun 5 August: ? ;) (Surprise) / LE PEUPLE DE L'HERBE (Groovy - Fr) / NNEKA (reggae Soul hip hop - Germany) / LE PIED DE LA POMPE (Chanson - Fr) feat. Guizmo (Tryo) + Zeitoun (La Rue Kétanou) + Alee / SLOW JOE (Rock - Fr) / THE AERIAL (pop - Fr) / TOURNEE GENERALE (Chanson - Fr)

www.chienaplumes.fr

Take advantage of a 4-day or 3-day promotional pass until 10 June. (Subject to availability) BOOKING RECOMMENDED

Please remove me from your mailing list
PHP APC installation problem on OBSD 5.0
Hi all,

I am trying to install the APC extension for PHP on my OBSD server. Steps taken:

    pkg_add pecl-APC-3.1.7p0.tgz

which works fine. When I use pkg_info to check, it tells me to create a symbolic link from /etc/php-${PV}.sample/${MODULE_NAME}.ini to /etc/php-${PV}/${MODULE_NAME}.ini; however, there is no ini file installed in the .sample directory.

Using pkg_info with the -L option lists an apc.so file in /usr/local/lib/php-5.2/modules/apc.so, but the PHP version I'm using is 5.3. Therefore I copied the apc.so file to /usr/local/lib/php-5.3/modules, but I am not sure that's the right thing to do.

I have created a phpinfo page and it tells me that the ini files parsed contain (among others) /etc/php-5.3/apc.ini, so that looks ok. My /etc/php-5.3/apc.ini file contains just three lines:

    extension=apc.so
    apc.enabled=1
    apc.shm_size=30

As I understand it, my phpinfo page should list a distinct apc section in which its settings are listed. This is not the case.

Please help me get APC set up, as I am stuck at this point. If you need any configuration file contents or log files, just let me know.

Thanks in advance,
hiro
Re: Re : Error while copying data from another disk
cp: /mnt/oldhome/xxx/Virtualisation/QEmu/FreeBSD/doc/doc.gd: Bad file descriptor

Why are you using cp? Why don't you dump | restore?
carp mixed states
hi

still looking for an answer to the following question

hi all

I have configured two firewalls with carp. I have connectivity to the internet and the firewalls fail over properly. When I check the carp states of each firewall, the slave reports that its WAN connection is in the master state, the same as the master firewall, while the slave's carp LAN connection is in the backup state. Is this normal, or should both carps be in backup for the slave?

shadrock

master firewall

/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 pass pass1

/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 pass pass2

/etc/hostname.em0
inet 192.168.5.2 255.255.255.0

/etc/hostname.em1
inet 10.5.5.2 255.255.255.0 NONE

/etc/hostname.bge0
inet 172.16.0.2 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev bge0

ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff00
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:8b:60:7b:06
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
        inet 172.16.0.2 netmask 0xff00 broadcast 172.16.0.255
        inet6 fe80::218:8bff:fe60:7b06%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:df:6b:a4
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.5.2 netmask 0xff00 broadcast 192.168.5.255
        inet6 fe80::204:23ff:fedf:6ba4%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:df:6b:a5
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.5.5.2 netmask 0xff00 broadcast 10.5.5.255
        inet6 fe80::204:23ff:fedf:6ba5%em1 prefixlen 64 scopeid 0x3
enc0: flags=41<UP,RUNNING>
        priority: 0
        groups: enc
        status: active
pfsync0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        pfsync: syncdev: bge0 maxupd: 128 defer: off
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
        inet 10.5.5.1 netmask 0xff00 broadcast 10.5.5.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        priority: 0
        carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
        inet 192.168.5.1 netmask 0xff00 broadcast 192.168.5.255

slave firewall

/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 advskew 100 pass pass1

/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 advskew 100 pass pass2

/etc/hostname.em0
inet 192.168.5.3 255.255.255.0

/etc/hostname.em1
inet 10.5.5.3 255.255.255.0 NONE

/etc/hostname.bge0
inet 172.16.0.3 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev bge0

ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff00
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:8b:6c:4e:85
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 172.16.0.3 netmask 0xff00 broadcast 172.16.0.255
        inet6 fe80::218:8bff:fe6c:4e85%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:e3:c7:92
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.5.3 netmask 0xff00 broadcast 192.168.5.255
        inet6 fe80::204:23ff:fee3:c792%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:e3:c7:93
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
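The state mismatch described in the post above, where one vhid is MASTER on both boxes while the other has failed over, is exactly the kind of thing a firewall pair should be checked for from a monitoring host, because it means the two sides disagree about who owns the WAN address. Below is an added example, not code from the original post, that parses the carp interface blocks of `ifconfig -a` output from each host and reports both hosts with mixed MASTER/BACKUP states and vhids that have more than one MASTER. The two ifconfig samples are constructed to follow the format shown in the post and are not the poster's real output.

```python
"""Flag inconsistent CARP states on a firewall pair from `ifconfig -a` output.

Added example, not code from the original post. It parses each host's carp
interface blocks and reports:
  * "mixed" hosts: one carp interface MASTER while another is BACKUP on the
    same box (the situation the post asks about);
  * split-brain vhids: the same vhid MASTER on more than one host.
The two ifconfig samples are constructed in the post's format, not real output.
"""
import re
from collections import defaultdict

IFACE_RE = re.compile(r"^(carp\d+):")
STATE_RE = re.compile(r"^\s+carp: (MASTER|BACKUP|INIT) carpdev (\S+) vhid (\d+)")

# Constructed: the master box owns both vhids.
MASTER_FW = """\
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.5.2 netmask 0xffffff00 broadcast 192.168.5.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
        inet 10.5.5.1 netmask 0xffffff00 broadcast 10.5.5.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
        inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
"""

# Constructed: the backup box is MASTER on the WAN vhid but BACKUP on the LAN one.
SLAVE_FW = """\
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.5.3 netmask 0xffffff00 broadcast 192.168.5.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 100
        inet 10.5.5.1 netmask 0xffffff00 broadcast 10.5.5.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 2 advbase 1 advskew 100
        inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
"""

def parse_carp_states(ifconfig_output):
    """Return {carpN: (state, carpdev, vhid)} for every carp block."""
    states = {}
    current = None
    for line in ifconfig_output.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head.group(1)
            continue
        if line and not line[0].isspace():
            current = None          # some other interface's block began
            continue
        st = STATE_RE.match(line)
        if st and current:
            states[current] = (st.group(1), st.group(2), int(st.group(3)))
    return states

def find_problems(hosts):
    """hosts: {hostname: ifconfig text} -> (mixed_hosts, split_brain_vhids)."""
    per_host = {h: parse_carp_states(text) for h, text in hosts.items()}
    mixed = sorted(h for h, s in per_host.items()
                   if len({state for state, _, _ in s.values()}) > 1)
    masters = defaultdict(set)
    for h, s in per_host.items():
        for state, _, vhid in s.values():
            if state == "MASTER":
                masters[vhid].add(h)
    split = sorted(v for v, hs in masters.items() if len(hs) > 1)
    return mixed, split

if __name__ == "__main__":
    mixed, split = find_problems({"master": MASTER_FW, "slave": SLAVE_FW})
    print("hosts with mixed carp states:", mixed)      # ['slave']
    print("vhids with more than one MASTER:", split)   # [1]
```

A vhid that is MASTER on both hosts normally means the master's carp advertisements on that vhid's carpdev are not reaching the peer, so the WAN segment between em1 on the two boxes is the first place to look. For keeping a host's carp interfaces in one state, carp(4) documents the net.inet.carp.preempt sysctl as the setting for failing over interfaces as a group; whether that applies to the poster's setup is not something the thread establishes.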
5.1 is shipping = maybe a little relaxing time for The Man
May 19: Happy Birthday, Theo!

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/

---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: IPs in the facebook.com domain accessing OpenSBD firewall
On Thu, May 17, 2012 at 7:31 PM, Jonathan Gray j...@jsg.id.au wrote:
http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf

Thank you so much :-)

Siju