Re: i386 -current Sloppy source-track Breaks?

2012-05-17 Thread Insan Praja SW

Hi Misc@,

I noticed that this ICMP traffic always gets a bad checksum leaving the  
router.


sample:

on routerA(accessRouter)

$ ping 203.190.abc.xyz
PING 203.190.abc.xyz: 56 data bytes
64 bytes from 203.190.abc.xyz: icmp_seq=0 ttl=58 time=6.215 ms
64 bytes from 203.190.abc.xyz: icmp_seq=42 ttl=58 time=6.604 ms
64 bytes from 203.190.abc.xyz: icmp_seq=72 ttl=58 time=5.823 ms

On the routerB (edgeRouter)
---
$ sudo tcpdump -entvi pflog0 action pass and icmp and host 203.190.abc.xyz
rule 119/(match) [uid 0, pid 14104] pass in on vlan11: abc.def.ghi.198 > 203.190.abc.xyz: icmp: echo request (id:285b seq:0) (ttl 254, id 59391, len 84)
rule 157/(match) [uid 0, pid 14104] pass out on vlan97: abc.def.ghi.198 > 203.190.abc.xyz: icmp: echo request (id:285b seq:0) (ttl 253, id 59391, len 84, bad cksum 899d!)



Thanks.


Insan Praja

On Thu, 17 May 2012 03:11:33 +0700, Insan Praja SW insan.pr...@gmail.com  
wrote:



Hi Misc@,

I was upgrading my 5.0 i386 -stable to 5.1 i386 -stable. We use ECMP
using ospfd, and asymmetric routing with bgpd. Strangely, keep state
(sloppy source-track) flags any can no longer pass icmp traffic.
Traceroute, browsing etc. work, though. Then I decided to upgrade it to
-current, which doesn't seem to solve the problem.


This:

pass in quick log on $core_if\
 inet proto icmp to public_ip tag PING\
 keep state (sloppy source-track global) flags any\
 queue (CoreUp_icmp CoreUp_ack)
pass in quick log on $core_if\
 inet proto udp to public_ip port 33433 >< 33626 tag PING\
 keep state (sloppy source-track global) flags any\
 queue (CoreUp_icmp CoreUp_ack)

pass out quick log on $core_if\
 inet tagged PING\
 keep state (sloppy source-track global) flags any\
 queue CoreUp_icmp
pass out quick log on $core_if\
 inet proto icmp from self\
 keep state (sloppy source-track global) flags any\
 queue CoreUp_icmp
pass out quick log on $core_if\
 inet proto udp from self to any port 33433 >< 33626\
 keep state (sloppy source-track global) flags any\
 queue CoreUp_icmp

pass in quick log on $serv_if\
 inet proto icmp from public_ip\
 keep state (sloppy source-track global) flags any\
 queue ServDn_icmp tag PING
pass in quick log on $serv_if\
 inet proto udp to any port 33433 >< 33626\
 keep state (sloppy source-track global) flags any\
 queue ServDn_icmp tag PING

pass out quick log on $serv_if\
 inet tagged PING\
 keep state (sloppy source-track global) flags any\
 queue ServDn_icmp
pass out quick log on $serv_if\
 inet proto icmp\
 keep state (sloppy source-track global) flags any\
 queue ServDn_icmp
pass out quick log on $serv_if\
 inet proto udp to any port 33433 >< 33626\
 keep state (sloppy source-track global) flags any\
 queue ServDn_icmp


Doesn't behave consistently. Some hosts/packets get blocked, some get
through, randomly.


Thanks,


Insan Praja SW


DMESG (identical machines):
OpenBSD 5.1-current (GENERIC.MP) #0: Thu May 17 01:18:14 WIT 2012
    r...@greenrouter-jkt02.mygreenlinks.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error 3
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR,PDCM,LAHF
real mem  = 2142687232 (2043MB)
avail mem = 2096836608 (1999MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/26/07, SMBIOS rev. 2.4 @ 0x7fbe4000 (43 entries)
bios0: vendor Intel Corporation version "S3000.86B.02.00.0054.061120091710" date 06/11/2009
bios0: Intel S3000AH
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT SLIC FACP APIC WDDT HPET MCFG ASF! SSDT SSDT SSDT SSDT SSDT HEST BERT ERST EINJ
acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S1) PEX4(S4) PEX5(S4) UHC1(S1) UHC2(S1) UHC3(S1) UHC4(S1) EHCI(S1) AC9M(S4) AZAL(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR,PDCM,LAHF
ioapic0 at mainbus0: apid 5 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 5

Re: Load balancing and fail-over

2012-05-17 Thread Indunil Jayasooriya
> Route lookups are based on the *destination* address not the source
> address, you could add a route for a certain destination via a
> certain interface to send packets out that way.

Hmm, that sounds good to me, since I have 2 interfaces for 2 different WAN
connections. It is possible to add a route to a certain destination IP
address in the /etc/hostname.em0 and /etc/hostname.em1 files and make it
permanent in this way.


/etc/hostname.em0

inet 192.168.10.6 255.255.255.0
!route add -host 173.194.38.184 192.168.10.5
!route add -mpath default 192.168.10.5


/etc/hostname.em1

inet 192.168.20.6 255.255.255.0
!route add -host 173.194.38.191 192.168.20.5
!route add -mpath default  192.168.20.5


Then, a shell script in crontab can ping those destination IP addresses
and see if they are UP or DOWN. (ifstated can also do it, but I will have
to understand its behaviour.)

When both are UP, nothing is done, and when one fails, remove that
-mpath default route.

In this manner, when one link goes down, all traffic will go via the
available link.

That is what I am looking for. I think I am right.

I am right ain't I?


Then, I will have to discuss this below rule as well.

pass in on $int_if from $lan_net \
route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
round-robin


When one link goes DOWN, will all the traffic go via the available link?

Does the above rule do this duty?

I think I am getting closer to achieving the goal.

Hi Stuart Henderson, many thanks for your effort, which pushed me to go
ahead.

Hope to hear from ALL.

-- 
Thank you
Indunil Jayasooriya



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-17 Thread Garry Dolley
On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
> On 2012-05-11 04:15, Garry Dolley wrote:
> > I now have an amd64 test VM set up, where I installed stock 5.0.
> >
> > I ran a lot of traffic over em0 without any timeouts.
>
> That's expected. 5.0 has been running without issue for me for a long time.
>
> > I also have been trying several -current kernels.
> >
> > As of:
> >
> >   OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012
> >
> > I don't see any em0 timeouts.
> >
> > I will continue to try newer ones and report back here...
>
> Why not just test 5.1? Problems have been reported against 5.1, not
> -current.

One post by maxim reported the problem on 5.0, so I was being
thorough.  Starting with 5.0, and going up...

I am going to try a 5.1 stock install tonight and work up to
-current.

-- 
Garry Dolley
ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
Data center, VPS, and IP Transit solutions
Member Los Angeles County REACT, Unit 336 | WQGK336
Blog http://scie.nti.st



Re: Load balancing and fail-over

2012-05-17 Thread Stuart Henderson
On 2012/05/17 13:20, Indunil Jayasooriya wrote:
> > Route lookups are based on the *destination* address not the source
> > address, you could add a route for a certain destination via a
> > certain interface to send packets out that way.
>
> Hmm. that sounds good to me. Since I have 2 interfaces for 2 different
> WAN connections.  It is possible to add route to a certain destination
> ip address in /etc/hostname.em0 and /etc/hostname.em1 files and make
> permanent in this way.
>
> /etc/hostname.em0
>
> inet 192.168.10.6 255.255.255.0
> !route add -host 173.194.38.184 192.168.10.5
> !route add -mpath default 192.168.10.5
>
> /etc/hostname.em1
>
> inet 192.168.20.6 255.255.255.0
> !route add -host 173.194.38.191 192.168.20.5
> !route add -mpath default 192.168.20.5
>
> Then, a shell script in crontab can ping those destination ip
> addresses  and see if they are UP or DOWN. ( ifstated also can do it.
> But, I will have to understand its behaviour )
>
> When , both are up Up, nothing is DONE  and when one fails remove that
> -mpath default route
>
> In this manner, When one link goes down, all traffic will go via the
> available link.
>
> That is what I am looking for. I think I am right.
>
> I am right ain't I?

Yes I think this is what you're looking for.

> Then, I will have to discuss this below rule as well.
>
> pass in on $int_if from $lan_net \
> route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> round-robin
>
> When one link goes DOWN, Will all the traffic go via the available link
> ?
>
> Does the above rule do this duty?

No, your script or ifstated config will need to adjust this rule,
you can do this by using a macro to write the rule, something like this:

GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
pass in on $int_if from $lan_net route-to { $GATEWAYS }

This helps because you can override the macro on the pfctl command line,
so you can use something like this to reload the ruleset with your choice
of gateway:

pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

While you're testing, use pfctl -v ... if you would like to check
how the parsed rules look.

> I think I am getting closer to achieve the goal.
>
> Hi, Stuart Henderson, Many thanks to  your effort that put forth me to
> go ahead,
>
> Hope to hear from ALL.
>
> --
> Thank you
> Indunil Jayasooriya



Re: trunk0 with dual stack

2012-05-17 Thread Bogdan Andu
Thank you very much for explanations.

It works very good.

Thank you,

Bogdan

From: Stuart Henderson s...@spacehopper.org
To: misc@openbsd.org
Sent: Wednesday, May 16, 2012 6:08 PM
Subject: Re: trunk0 with dual stack

On 2012-05-16, Bogdan Andu bo...@yahoo.com wrote:
> It is possible to build an interface aggregation on dual stack
> systems?

Of course, trunk works just the same as a standard interface in this
respect.

> /etc/hostname.trunk0 such that it will look like this:
> trunkproto failover
> trunkport bge0 trunkport bge1 192.168.18.133 netmask 255.255.255.0
> inet6
> 2e03:5a80:0:4::133 prefixlen 64

prefixlen 64 is default, no need to include it, and inet6 goes on the
same line as the address.  I'd use something like this

trunkproto failover
trunkport bge0 trunkport bge1
inet 192.168.18.133 255.255.255.0
inet6 2e03:5a80:0:4::133

> ! route add -inet6 default 2e03:5a80:0:4::1

just add 2e03:5a80:0:4::1 to /etc/mygate



Re: Load balancing and fail-over

2012-05-17 Thread Holger Glaess
hi

why don't you try the relayd way?
look at
http://gouloum.fr/doc/multilink.html

the part with relayd

holger

> On 2012/05/17 13:20, Indunil Jayasooriya wrote:
> > > Route lookups are based on the *destination* address not the source
> > > address, you could add a route for a certain destination via a
> > > certain interface to send packets out that way.
> >
> > Hmm. that sounds good to me. Since I have 2 interfaces for 2 different
> > WAN connections.  It is possible to add route to a certain destination
> > ip address in /etc/hostname.em0 and /etc/hostname.em1 files and make
> > permanent in this way.
> >
> > /etc/hostname.em0
> >
> > inet 192.168.10.6 255.255.255.0
> > !route add -host 173.194.38.184 192.168.10.5
> > !route add -mpath default 192.168.10.5
> >
> > /etc/hostname.em1
> >
> > inet 192.168.20.6 255.255.255.0
> > !route add -host 173.194.38.191 192.168.20.5
> > !route add -mpath default 192.168.20.5
> >
> > Then, a shell script in crontab can ping those destination ip
> > addresses  and see if they are UP or DOWN. ( ifstated also can do it.
> > But, I will have to understand its behaviour )
> >
> > When , both are up Up, nothing is DONE  and when one fails remove that
> > -mpath default route
> >
> > In this manner, When one link goes down, all traffic will go via the
> > available link.
> >
> > That is what I am looking for. I think I am right.
> >
> > I am right ain't I?
>
> Yes I think this is what you're looking for.
>
> > Then, I will have to discuss this below rule as well.
> >
> > pass in on $int_if from $lan_net \
> > route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> > round-robin
> >
> > When one link goes DOWN, Will all the traffic go via the available link
> > ?
> >
> > Does the above rule do this duty?
>
> No, your script or ifstated config will need to adjust this rule,
> you can do this by using a macro to write the rule, something like this:
>
> GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
> pass in on $int_if from $lan_net route-to { $GATEWAYS }
>
> This helps because you can override the macro on the pfctl command line,
> so you can use something like to reload the ruleset with your choice
> of gateway:
>
> pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
> pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
> pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
>
> While you're testing, use pfctl -v ... if you would like to check
> how the parsed rules look.
>
> > I think I am getting closer to achieve the goal.
> >
> > Hi, Stuart Henderson, Many thanks to  your effort that put forth me to
> > go ahead,
> >
> > Hope to hear from ALL.
> >
> > --
> > Thank you
> > Indunil Jayasooriya



Re: Load balancing and fail-over

2012-05-17 Thread Indunil Jayasooriya
> why you not try the relayd way ?
> look at
> http://gouloum.fr/doc/multilink.html
>
> the part with relayd
>
> holger
>
> > On 2012/05/17 13:20, Indunil Jayasooriya wrote:
> > > > Route lookups are based on the *destination* address not the source
> > > > address, you could add a route for a certain destination via a
> > > > certain interface to send packets out that way.
> > >
> > > Hmm. that sounds good to me. Since I have 2 interfaces for 2 different
> > > WAN connections.  It is possible to add route to a certain destination
> > > ip address in /etc/hostname.em0 and /etc/hostname.em1 files and make
> > > permanent in this way.
> > >
> > > /etc/hostname.em0
> > >
> > > inet 192.168.10.6 255.255.255.0
> > > !route add -host 173.194.38.184 192.168.10.5
> > > !route add -mpath default 192.168.10.5
> > >
> > > /etc/hostname.em1
> > >
> > > inet 192.168.20.6 255.255.255.0
> > > !route add -host 173.194.38.191 192.168.20.5
> > > !route add -mpath default 192.168.20.5
> > >
> > > Then, a shell script in crontab can ping those destination ip
> > > addresses  and see if they are UP or DOWN. ( ifstated also can do it.
> > > But, I will have to understand its behaviour )
> > >
> > > When , both are up Up, nothing is DONE  and when one fails remove that
> > > -mpath default route
> > >
> > > In this manner, When one link goes down, all traffic will go via the
> > > available link.
> > >
> > > That is what I am looking for. I think I am right.
> > >
> > > I am right ain't I?
> >
> > Yes I think this is what you're looking for.
> >
> > > Then, I will have to discuss this below rule as well.
> > >
> > > pass in on $int_if from $lan_net \
> > > route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> > > round-robin
> > >
> > > When one link goes DOWN, Will all the traffic go via the available link
> > > ?
> > >
> > > Does the above rule do this duty?
> >
> > No, your script or ifstated config will need to adjust this rule,
> > you can do this by using a macro to write the rule, something like this:
> >
> > GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
> > pass in on $int_if from $lan_net route-to { $GATEWAYS }
> >
> > This helps because you can override the macro on the pfctl command line,
> > so you can use something like to reload the ruleset with your choice
> > of gateway:
> >
> > pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
> > pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
> > pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
> >
> > While you're testing, use pfctl -v ... if you would like to check
> > how the parsed rules look.
> >
> > > I think I am getting closer to achieve the goal.
> > >
> > > Hi, Stuart Henderson, Many thanks to  your effort that put forth me to
> > > go ahead,
> > >
> > > Hope to hear from ALL.
> > >
> > > --
> > > Thank you
> > > Indunil Jayasooriya

-- 
Thank you
Indunil Jayasooriya



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-17 Thread Garry Dolley
On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
> On 2012-05-11 04:15, Garry Dolley wrote:
> > I now have an amd64 test VM set up, where I installed stock 5.0.
> >
> > I ran a lot of traffic over em0 without any timeouts.
>
> That's expected. 5.0 has been running without issue for me for a long time.
>
> > I also have been trying several -current kernels.
> >
> > As of:
> >
> >   OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012
> >
> > I don't see any em0 timeouts.
> >
> > I will continue to try newer ones and report back here...
>
> Why not just test 5.1? Problems have been reported against 5.1, not
> -current.

I now have a stock 5.1 test VM set up.

  OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
  dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

I don't see any timeouts.  I grabbed the ports tree via curl several
times and have been slaving away at it over SSH.  I don't notice
anything wrong.

So, perhaps this issue does not appear in stock 5.1, but in a newer
kernel.  I'll try something newer soon...

-- 
Garry Dolley
ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
Data center, VPS, and IP Transit solutions
Member Los Angeles County REACT, Unit 336 | WQGK336
Blog http://scie.nti.st



Re: Load balancing and fail-over

2012-05-17 Thread Indunil Jayasooriya
> why you not try the relayd way ?
> look at
> http://gouloum.fr/doc/multilink.html
>
> the part with relayd

I found that URL yesterday; I will have to learn it. I am just trying to
do it with a shell script.

Anyway, thanks a lot.

-- 
Thank you
Indunil Jayasooriya



Re: Load balancing and fail-over

2012-05-17 Thread Indunil Jayasooriya
> No, your script or ifstated config will need to adjust this rule,
> you can do this by using a macro to write the rule, something like this:
>
> GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
> pass in on $int_if from $lan_net route-to { $GATEWAYS }
>
> This helps because you can override the macro on the pfctl command line,
> so you can use something like to reload the ruleset with your choice
> of gateway:
>
> pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
> pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
> pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
>
> While you're testing, use pfctl -v ... if you would like to check
> how the parsed rules look.

Thanks once again for your introduction. I wrote a shell script, please
see below.

In /etc/pf.conf I have the below variable:

GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"

Now, this is the script.


#!/bin/sh

# Checking WAN1: probe via the WAN1 source address, keep only the exit code
ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
VARWAN1=$?

# Checking WAN2
ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
VARWAN2=$?

if [ ${VARWAN1} = 0 ] && [ ${VARWAN2} = 0 ]; then
    echo "Both links are UP"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    # the two-gateway value contains a space, so it is one quoted argument
    pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN1} != 0 ] && [ ${VARWAN2} != 0 ]; then
    echo "Both links are DOWN"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN1} != 0 ]; then
    echo "WAN1 is DOWN"
    route add -mpath default 2.2.2.2
    route delete -mpath default 1.1.1.1
    pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf

elif [ ${VARWAN2} != 0 ]; then
    echo "WAN2 is DOWN"
    route add -mpath default 1.1.1.1
    route delete -mpath default 2.2.2.2
    pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
fi



Pls NOTE - Section 2 (i.e., when BOTH links are DOWN, there is no internet
at all, so it just behaves as if BOTH links are UP. It does NOT matter for me.)

I think that traffic routes as I expected. I will have to test it.

Now, the interesting thing is this (taken from the OpenBSD website):

#  keep https traffic on a single connection; some web applications,
#  especially secure ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
route-to ($ext_if1 $ext_gw1)

When both links are UP and WAN1 is UP, https traffic will go via WAN1.
When WAN1 goes down, https should go via WAN2.

I think if I add another variable to /etc/pf.conf, I will be able to
achieve it too.

ONEWAYHTTPS="1.1.1.1@em0"

pass in on $int_if proto tcp from $lan_net to port https \
route-to { $ONEWAYHTTPS }

and use this below when WAN1 goes DOWN:

pfctl -D ONEWAYHTTPS=2.2.2.2@em1 -f /etc/pf.conf

Is it alright?

I think a few miles are left for me to reach the goal.

If you can give an example, it is worth a million times.

Your comments are welcome...

-- 
Thank you
Indunil Jayasooriya
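An added example, not Indunil's script or anything else from the thread: the same two-WAN check with the decision logic split from the commands that change the system, so the failover table can be exercised without ping(8), route(8) or pfctl(8). It keeps the both-links-down behaviour chosen above (fall back to both gateways), and quotes the two-gateway pfctl -D value, which has to reach pfctl as one argument. The gateways, interfaces, probe hosts and the GATEWAYS macro are the constructed values used in the thread; the file name wanfailover.sh is assumed.

```shell
#!/bin/sh
# Added example: decision logic for the two-WAN failover check discussed in
# this thread, kept apart from the commands that change the system so it can
# be tested on its own.  Constructed values as used in the thread:
# WAN1 = 1.1.1.1 via em0, WAN2 = 2.2.2.2 via em1, pf.conf macro GATEWAYS.

WAN1_GW=1.1.1.1; WAN1_IF=em0
WAN2_GW=2.2.2.2; WAN2_IF=em1

# gateway_macro <wan1_status> <wan2_status>
#   Each status is a ping(8) exit code: 0 means the probe host answered via
#   that link, anything else means the link is considered down.  Prints the
#   value GATEWAYS should take.  With both links down there is no better
#   choice, so (as in the script above) both gateways stay in the list.
gateway_macro() {
    if [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; then
        echo "${WAN1_GW}@${WAN1_IF}"
    elif [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then
        echo "${WAN2_GW}@${WAN2_IF}"
    else
        echo "${WAN1_GW}@${WAN1_IF} ${WAN2_GW}@${WAN2_IF}"
    fi
}

# route_plan <wan1_status> <wan2_status>
#   Prints the route(8) commands that make the kernel's multipath default
#   routes agree with gateway_macro: add the live gateway(s), delete the dead
#   one.  A status pair with both links down is treated like both up.
route_plan() {
    w1=$1; w2=$2
    if [ "$w1" -ne 0 ] && [ "$w2" -ne 0 ]; then
        w1=0; w2=0
    fi
    for entry in "$w1 $WAN1_GW" "$w2 $WAN2_GW"; do
        set -- $entry                       # $1 = status, $2 = gateway
        if [ "$1" -eq 0 ]; then
            echo "route add -mpath default $2"
        else
            echo "route delete -mpath default $2"
        fi
    done
}

# pfctl_command <macro_value>
#   -D takes a single argument, so a value with a space (two gateways) must
#   be quoted on the command line; this prints the command exactly as it
#   should be typed or logged.
pfctl_command() {
    printf 'pfctl -D "GATEWAYS=%s" -f /etc/pf.conf\n' "$1"
}

# apply <wan1_status> <wan2_status>: the part with side effects (root only).
apply() {
    route_plan "$1" "$2" | sh
    pfctl -D "GATEWAYS=$(gateway_macro "$1" "$2")" -f /etc/pf.conf
}

# Probe both links and apply, but only when run as the cron job itself
# (assumed to be saved as wanfailover.sh), not when sourced for testing.
if [ "${0##*/}" = "wanfailover.sh" ]; then
    ping -q -c 3 -w 3 -I 1.1.1.5 173.194.38.191 >/dev/null 2>&1; s1=$?
    ping -q -c 3 -w 3 -I 2.2.2.5 173.194.38.184 >/dev/null 2>&1; s2=$?
    apply "$s1" "$s2"
fi
```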



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-17 Thread Garry Dolley
On Thu, May 17, 2012 at 03:19:07AM -0700, Garry Dolley wrote:
> On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
> > On 2012-05-11 04:15, Garry Dolley wrote:
> > > I now have an amd64 test VM set up, where I installed stock 5.0.
> > >
> > > I ran a lot of traffic over em0 without any timeouts.
> >
> > That's expected. 5.0 has been running without issue for me for a long time.
> >
> > > I also have been trying several -current kernels.
> > >
> > > As of:
> > >
> > >   OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012
> > >
> > > I don't see any em0 timeouts.
> > >
> > > I will continue to try newer ones and report back here...
> >
> > Why not just test 5.1? Problems have been reported against 5.1, not
> > -current.
>
> I now have a stock 5.1 test VM set up.
>
>   OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
>   dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
>
> I don't see any timeouts.  I grabbed the ports tree via curl several
> times and have been slaving away at it over SSH.  I don't notice
> anything wrong.
>
> So, perhaps this issue does not appear in stock 5.1, but in a newer
> kernel.  I'll try something newer soon...

I have tried the following newer kernels:

bsd.20120330
bsd.20120419
bsd.20120427
bsd.20120516

I still can't reproduce the problem.

I have disabled mpbios on all these kernels, forgot to mention that.

I will leave this be for now; will pick it up again if any new
information should arise.

-- 
Garry Dolley
ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
Data center, VPS, and IP Transit solutions
Member Los Angeles County REACT, Unit 336 | WQGK336
Blog http://scie.nti.st



IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Siju George
Hi,

This traffic is blocked on the external interface of the firewall.

May 17 11:34:56.013614 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58106 NS? . (19)
May 17 11:34:56.763086 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58107 NS? . (19)
May 17 11:34:57.513318 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58108 NS? . (19)

May 17 11:45:37.720155 rule 7/(match) block in on em1: 69.171.243.241 > xxx.yyy.ddd.zzz: icmp: echo request
May 17 11:45:39.213492 rule 7/(match) block in on em1: 69.171.243.241.52370 > xxx.yyy.ddd.zzz.53: 33246 NS? . (19)

May 17 11:49:39.746886 rule 7/(match) block in on em1: 69.171.228.232 > xxx.yyy.ddd.zzz: icmp: echo request
May 17 11:49:41.242588 rule 7/(match) block in on em1: 69.171.228.232.59470 > xxx.yyy.ddd.zzz.53: 33554 NS? . (19)

xxx.yyy.ddd.zzz is our firewall IP.

66.220.151.124, 69.171.243.241 and 69.171.228.232 are IPs from the
facebook.com domain, as ip2location reports.

Why should facebook servers access my firewall?
They ping my firewall and try to use our internal DNS server, which is
not mentioned in any public NS record?
I wonder if these machines in the facebook.com domain are infected
with some malware bots?
Or is it part of their security checks or something? Anybody any idea?

Thanks

Siju



Re: greylisting and blacklisting rules in pf.conf

2012-05-17 Thread Peter N. M. Hansteen
ager39...@mypacks.net writes:

> What rules should I have in pf.conf for both greylisting and
> blacklisting? I'd like to blacklist those site that got spam through
> the greylisting.

Unless you explicitly start spamd in blacklisting-only mode, it will
greylist.

The spamd related rules I have in a typical pf.conf are

table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

pass in log on egress proto tcp to port smtp rdr-to 127.0.0.1 port spamd queue spamd
pass in log on egress proto tcp from <nospamd> to port smtp
pass in log on egress proto tcp from <spamd-white> to port smtp
pass out log on egress proto tcp to port smtp

it's possible you will find my tutorial and slides over at
http://home.nuug.no/~peter/pf/ helpful, and you'll find some
spamd-related field notes via the blogspot link in my .signature

- P

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Pavel Shvagirev
Most likely someone posted a link to a resource in your domain, and
your DNS appears to be authoritative for that zone. Sounds quite
realistic. There on facebook might be some kind of parser trying to
retrieve a preview for the link or something similar...

Anyway, have a look at the DNS server's logs - what exactly do they
want from you? =)

.. or Zuckerberg must have become bored to death =)


17.05.2012 15:50, Siju George wrote:
> Why should facebook servers access my firewall?

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Peter Laufenberg
> I wonder if these machines in the facebook.com domain are infected
> with some malware bots?

Facebook *is* a malware bot:)

Let the request through and log what it tries to do next, this could be quite a 
story.

-- p



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Pavel Shvagirev
Didn't take into account that you do not publish the DNS. That fact
makes my assumption wrong.
Really, go and log the requests! =)

17.05.2012 15:50, Siju George wrote:
> This traffic is blocked on the external interface of the firewall.

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: IPs in the facebook.com domain accessing OpenBSD firewall

2012-05-17 Thread Jonathan Gray
http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf
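An added example, not from Siju's post or the slides Jonathan links: detection logic that picks the pattern from Siju's log out of pflog text. A UDP query to port 53 whose payload tcpdump decodes as "NS? ." asks for the root name servers, a 19-byte question that a resolver answering arbitrary clients turns into a reply many times larger, which is the shape of the DNS amplification traffic the RIPE slides describe. The sample lines are constructed from the post (firewall address kept as the placeholder xxx.yyy.ddd.zzz) plus one added ordinary A query from 198.51.100.7 that must not be flagged; the tcpdump invocation in the comments is the standard way to read /var/log/pflog.

```shell
#!/bin/sh
# Added example: flag root-NS queries in pflog text such as the lines in the
# post above.  Repeated "NS? ." queries to our port 53 from outside are the
# probe/abuse pattern behind DNS amplification, whether pf blocked them or a
# too-open resolver answered.  SAMPLE_LOG is constructed from the post; the
# last line is an added normal A query that must fall through.
SAMPLE_LOG='May 17 11:34:56.013614 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58106 NS? . (19)
May 17 11:34:56.763086 rule 7/(match) block in on em1: 66.220.151.124.47369 > xxx.yyy.ddd.zzz.53: 58107 NS? . (19)
May 17 11:45:37.720155 rule 7/(match) block in on em1: 69.171.243.241 > xxx.yyy.ddd.zzz: icmp: echo request
May 17 11:45:39.213492 rule 7/(match) block in on em1: 69.171.243.241.52370 > xxx.yyy.ddd.zzz.53: 33246 NS? . (19)
May 17 11:49:41.242588 rule 7/(match) block in on em1: 69.171.228.232.59470 > xxx.yyy.ddd.zzz.53: 33554 NS? . (19)
May 17 11:50:02.000000 rule 12/(match) pass in on em1: 198.51.100.7.40000 > xxx.yyy.ddd.zzz.53: 1001 A? www.example.com. (33)'

# root_ns_probes: read "tcpdump -n -e -ttt -r /var/log/pflog" style text on
# stdin; print "count source action" for every source that sent root-NS
# queries to port 53, busiest source first.  The ICMP echo and the normal A
# query do not match the pattern and are ignored.
root_ns_probes() {
    awk '
        # UDP to <anything>.53 whose decoded question is "NS? ." (root zone)
        / > [^ ]*[.]53: [0-9]+ NS[?] [.] / {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == ">") src = $(i - 1)
            sub(/[.][0-9]+$/, "", src)       # drop the source port
            action = ($0 ~ / pass in /) ? "pass" : "block"
            count[src " " action]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Live use:  tcpdump -n -e -ttt -r /var/log/pflog | root_ns_probes
# Here the constructed sample is fed instead:
printf '%s\n' "$SAMPLE_LOG" | root_ns_probes
```

A source that shows up with action "pass" is the one to worry about: it means the resolver is answering root queries for strangers and is usable as an amplifier, whereas "block" lines only record the probing.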



Unuseful error message in BIND 9.4.2-P2

2012-05-17 Thread Peter Fraser
I am putting up OpenBSD 5.1 for the first time and I am getting

May 17 11:36:59 mail named[6539]: starting BIND 9.4.2-P2
May 17 11:37:00 mail named[6539]: command channel listening on 127.0.0.1#953
May 17 11:37:00 mail named[6539]: running
May 17 11:37:00 mail named[6539]:
/usr/src/usr.sbin/bind/lib/isc/unix/socket.c:1218: unexpected error:
May 17 11:37:00 mail named[6539]: internal_send: 192.168.209.2#53: Message too
long
May 17 11:37:00 mail named[6539]:
/usr/src/usr.sbin/bind/lib/isc/unix/errno2result.c:111: unexpected error:
May 17 11:37:00 mail named[6539]: unable to convert errno to isc_result: 40:
Message too long
May 17 11:37:00 mail named[6539]: zone 254.168.192.IN-ADDR.ARPA/IN: expired
May 17 11:37:00 mail named[6539]: zone xxx.xxx/IN: expired
May 17 11:37:00 mail named[6539]:
/usr/src/usr.sbin/bind/lib/isc/unix/socket.c:1218: unexpected error:
May 17 11:37:00 mail named[6539]: internal_send: 192.168.209.2#53: Message too
long
May 17 11:37:00 mail named[6539]:
/usr/src/usr.sbin/bind/lib/isc/unix/errno2result.c:111: unexpected error:
May 17 11:37:00 mail named[6539]: unable to convert errno to isc_result: 40:
Message too long

I have hidden the domain name with xxx.xxx.
I am building the system as a firewall, and the ethernet card with sub network
192.168.209/24 has nothing plugged in.

I expect the error will go away once the master DNS server actually exists.



Re: authorized_keys and security(8)

2012-05-17 Thread Ingo Schwarze
Hi Chris,

Chris Cappuccio wrote on Thu, May 03, 2012 at 09:31:55PM -0700:
> Mike Erdely [m...@erdelynet.com] wrote:

> > FYI: For a test, I added foo with useradd(8) and bar with adduser(8):
> > # grep -E '(foo|bar)' /etc/master.passwd
> > foo:*************:1002:1002::0:0::/home/foo:/bin/ksh
> > bar:*:1003:1003::0:0:bar:/home/bar:/bin/ksh
> >
> > Looks like useradd does the right thing and adduser does not.

> When did thirteen asterisks start to mean anything different
> than the single traditional asterisk?

On March 31, 1992, when Keith Bostic first implemented
counting the characters in the password hash field in
etc/security SCCS diff 5.14.

Here is Keith's original implementation:

  echo "Checking for turned-off accounts with valid shells:"
  awk -F: "length(\$2) != 13 && \$10 ~ /.*sh$/ \
  { print \"user \" \$1 \" account turned off with valid shell.\" }" \
  /etc/master.passwd

Yours,
  Ingo



Re: update http://www.openbsdsupport.org/

2012-05-17 Thread Mihai Popescu
Hi,

Daniel, maybe you should pass over the natural instinct of being
associated with a good thing and change the domain name and the layout
of the site. As it is now, it will look like an OpenBSD-maintained site
to a beginner.
Just a thought, nothing personal.



Re: update http://www.openbsdsupport.org/

2012-05-17 Thread Wesley

On 2012-05-17 22:41, Mihai Popescu wrote:

> Hi,
>
> Daniel, maybe you should pass over natural instinct of being
> associated with a good thing and change the domain name and the
> layout of the site. As it is now, it will look like OpenBSD mantained site
> for a beginner.
> Just a tought, nothing personal.

The domain name and layout, I think it's good.
Only the content needs to be updated.

--
wesley



News / Chien A Plumes - 2.3.4.5 August - LANGRES

2012-05-17 Thread Le Chien à Plumes
FESTIVAL LE CHIEN A PLUMES /// 2.3.4.5 AUGUST 2012

LANGRES - Lac de Villegusien - 52

WHAT'S NEW?? At the Chien à Plumes ...

___

GROUNDATION JOINS THE LINE-UP FOR THURSDAY 2 AUGUST!!

The Californians are passing through Haute-Marne and will quite naturally
stop off on Thursday 2 August to open the festival with ZEBDA and LA
FANFARE EN PETARD!!

___

??? ;) THE SUNDAY SURPRISE!!

Sunday's headliner will be revealed on 29 June!! A nice Rock surprise
that will please many ...

Stay on the lookout!!

___

3-DAY AND 4-DAY PASSES ON PROMOTION!!

Take advantage of the promotional passes until 10 June!! You know the
line-up ...

So make the most of these prices at FNAC or TICKETNET outlets!!

___

THE NEW WEBSITE TO DISCOVER!!

(Almost) the whole line-up to discover in detail on the Chien's website!!

www.chienaplumes.fr

___

THE STREET SHOWS ARE ON THEIR WAY!!

Circus, painting, graffiti and a band in quadraphonic sound will be there.

More about it soon ...

___

THE FULL LINE-UP :)

Thursday 2 August

ZEBDA (festive chanson - Fr) / GROUNDATION (Reggae - USA) / LA FANFARE EN
PETARD (hip hop brass band)

Fri 3 August

ALBOROSIE (reggae - Italy) / CARMEN MARIA VEGA (Rock - Fr) / BEAT
ASSAILANT (hip hop soul - US/Fr) /
BOUSSAI (Reggae - FR) / ANDREAS ET NICOLAS (Chanson - Fr) / KELE KELE
(Afro Beat - Fr) /
CATS ON TREES (Trip Hop Rock - Fr) / LA VILLA GINETTE (Chanson - Fr)

Sat 4 August

H F THIEFAINE (Chanson - Fr) / ORELSAN (Hip Hop - Fr) / THE BLACK SEEDS
(Reggae - New Zealand) /
THE EXCITEMENTS (Rock - Spain) / MILANGA (Dub'n'Trance - Fr) / MILA MARINA
(trip hop - Fr) /
MRS GOOD (Folk - Fr) / TREMPLIN (Surprise)

Sun 5 August

? ;) (Surprise) / LE PEUPLE DE L'HERBE (Groovy - Fr) / NNEKA
(reggae soul hip hop - Germany) /
LE PIED DE LA POMPE (Chanson - Fr) feat. Guizmo (Tryo) + Zeitoun (La Rue
Ketanou) + Alee /
SLOW JOE (Rock - Fr) / THE AERIAL (pop - Fr) / TOURNEE GENERALE (Chanson -
Fr)

www.chienaplumes.fr

Take advantage of a 4-day or 3-day promotional pass until 10 June (subject
to availability).

BOOKING RECOMMENDED

Please remove me from your mailing list.




PHP APC installation problem on OBSD 5.0

2012-05-17 Thread Hiro Protagonist
Hi all,

I am trying to install the APC extension for PHP on my OBSD server.
Steps taken: pkg_add pecl-APC-3.1.7p0.tgz, which works fine.
When I use pkg_info to check, it tells me to create a symbolic link
from /etc/php-${PV}.sample/${MODULE_NAME}.ini to
/etc/php-${PV}/${MODULE_NAME}.ini however, there is no ini file
installed in the .sample directory.
Using pkg_info with the -L option lists an apc.so file in
/usr/local/lib/php-5.2/modules/apc.so, but the PHP version I'm using
is 5.3. Therefore I copied the apc.so file to
/usr/local/lib/php-5.3/modules but I am not sure that's the right
thing to do.
I have created a phpinfo page and it tells me that the ini files
parsed contain (among others) /etc/php-5.3/apc.ini so that looks ok.
My /etc/php-5.3/apc.ini file contains just three lines:
extension=apc.so
apc.enabled=1
apc.shm_size=30
As I understand it, my phpinfo page should list a distinct apc
section in which its settings are listed. This is not the case. Please
help me get APC set up, as I am stuck at this point. If you need
any configuration file contents or log files, just let me know.

Thanks in advance,
hiro



Re: Re : Error while copying data from another disk

2012-05-17 Thread Jan Stary
 cp: /mnt/oldhome/xxx/Virtualisation/QEmu/FreeBSD/doc/doc.gd:
 Bad file descriptor

Why are you using cp? Why don't you dump | restore?



carp mixed states

2012-05-17 Thread shadrock

Hi,
still looking for an answer to the following question:

Hi all,
I have configured two firewalls with carp.
I have connectivity to the internet and the firewalls fail over properly.
When I check the carp states of each firewall, the slave reports that its
WAN connection is in the master state, the same as the master firewall,
while the slave carp LAN connection is in the backup state.
Is this normal, or should both carps be in backup for the slave?
shadrock


master firewall
/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 pass pass1

/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 pass pass2

/etc/hostname.em0
inet 192.168.5.2 255.255.255.0

/etc/hostname.em1
inet 10.5.5.2 255.255.255.0 NONE

/etc/hostname.bge0
inet 172.16.0.2 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev bge0


ifconfig -a

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
  priority: 0
  groups: lo
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
  inet 127.0.0.1 netmask 0xff000000
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:18:8b:60:7b:06
  priority: 0
  media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
  status: active
  inet 172.16.0.2 netmask 0xffffff00 broadcast 172.16.0.255
  inet6 fe80::218:8bff:fe60:7b06%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:04:23:df:6b:a4
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
  status: active
  inet 192.168.5.2 netmask 0xffffff00 broadcast 192.168.5.255
  inet6 fe80::204:23ff:fedf:6ba4%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:04:23:df:6b:a5
  priority: 0
  media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
  status: active
  inet 10.5.5.2 netmask 0xffffff00 broadcast 10.5.5.255
  inet6 fe80::204:23ff:fedf:6ba5%em1 prefixlen 64 scopeid 0x3
enc0: flags=41<UP,RUNNING>
  priority: 0
  groups: enc
  status: active
pfsync0: flags=41<UP,RUNNING> mtu 1500
  priority: 0
  pfsync: syncdev: bge0 maxupd: 128 defer: off
  groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
  priority: 0
  groups: pflog
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:00:5e:00:01:01
  priority: 0
  carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
  groups: carp
  status: master
  inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
  inet 10.5.5.1 netmask 0xffffff00 broadcast 10.5.5.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:00:5e:00:01:02
  priority: 0
  carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
  groups: carp
  status: master
  inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
  inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255


slave firewall

/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 advskew 100 pass pass1

/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 advskew 100 pass pass2

/etc/hostname.em0
inet 192.168.5.3 255.255.255.0

/etc/hostname.em1
inet 10.5.5.3 255.255.255.0 NONE

/etc/hostname.bge0
inet 172.16.0.3 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev bge0


ifconfig -a

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
  priority: 0
  groups: lo
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
  inet 127.0.0.1 netmask 0xff000000
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:18:8b:6c:4e:85
  priority: 0
  media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
  status: active
  inet 172.16.0.3 netmask 0xffffff00 broadcast 172.16.0.255
  inet6 fe80::218:8bff:fe6c:4e85%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:04:23:e3:c7:92
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
  status: active
  inet 192.168.5.3 netmask 0xffffff00 broadcast 192.168.5.255
  inet6 fe80::204:23ff:fee3:c792%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:04:23:e3:c7:93
  priority: 0
  media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
  status: active
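As an added consistency check for the situation described in this post (example code written here, not the poster's and not part of OpenBSD), the script below parses the carp status lines from the ifconfig -a output of both firewalls and flags a vhid that both hosts claim as MASTER, a host whose vhids are in different states, or a MASTER that does not hold the lower advskew. The ifconfig samples are constructed from the post; the slave's carp section is cut off in the post, so it is reconstructed from the poster's description.

```python
import re
# Constructed samples modelled on the ifconfig -a output quoted in the post
# (carp interfaces only); the slave's cut-off carp section is reconstructed
# from the description: WAN carp1 MASTER, LAN carp2 BACKUP, advskew 100.
MASTER_IFCONFIG = """\
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tcarp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tcarp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
"""
SLAVE_IFCONFIG = """\
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tcarp: MASTER carpdev em1 vhid 1 advbase 1 advskew 100
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tcarp: BACKUP carpdev em0 vhid 2 advbase 1 advskew 100
"""
# the "carp:" status line printed under each carp(4) interface
CARP_RE = re.compile(r"^\s*carp: (\S+) carpdev (\S+) vhid (\d+) advbase \d+ advskew (\d+)")

def parse_carp(text):
    """Map vhid -> (state, carpdev, advskew) from ifconfig -a output."""
    vhids = {}
    for line in text.splitlines():
        m = CARP_RE.match(line)
        if m:
            state, dev, vhid, skew = m.groups()
            vhids[int(vhid)] = (state, dev, int(skew))
    return vhids

def check_pair(master_text, slave_text):
    """Return (vhid, problem) tuples; an empty list means the pair is consistent."""
    a, b = parse_carp(master_text), parse_carp(slave_text)
    problems = []
    for vhid in sorted(set(a) | set(b)):
        if vhid not in a or vhid not in b:
            problems.append((vhid, "vhid present on only one host"))
            continue
        sa, sb = a[vhid][0], b[vhid][0]
        if sa == "MASTER" and sb == "MASTER":
            # each host thinks it is alone: advertisements are not crossing carpdev
            problems.append((vhid, "both hosts MASTER"))
        elif sa != "MASTER" and sb != "MASTER":
            problems.append((vhid, "no MASTER for this vhid"))
        elif (a[vhid][2] < b[vhid][2]) != (sa == "MASTER"):
            problems.append((vhid, "MASTER is not the host with the lower advskew"))
    # a host whose vhids disagree is only half failed over (asymmetric paths)
    for name, host in (("master", a), ("slave", b)):
        if len({v[0] for v in host.values()}) > 1:
            problems.append((None, f"{name} host has mixed carp states"))
    return problems
```

Feed it the real output of `ifconfig -a` from each host; the two findings it raises on the sample are exactly the WAN-side double MASTER and the slave's mixed state from the post.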

5.1 is shipping = maybe a little relaxing time for The Man

2012-05-17 Thread Rod Whitworth
May 19: Happy Birthday, Theo!
*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: IPs in the facebook.com domain accessing OpenSBD firewall

2012-05-17 Thread Siju George
On Thu, May 17, 2012 at 7:31 PM, Jonathan Gray j...@jsg.id.au wrote:
 http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf


Thank you so much :-)

Siju