Re: pf block unwanted traffic
It isn't passed, it is blocked. Not by a rule but by pf itself, long before, since the header length is invalid. And since there is no rule to refer to, it refers to the default rule.

* David Diggles da...@elven.com.au [2013-01-16 08:43]:
Hello List,

I just got a similar event in my pflog.

Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]

I don't know what this is, or why it is passed. Can someone explain or attempt a guess at what this is? The intention of my pf.conf is to block all incoming by default on pppoe0. Am I doing something really stupid here?

/etc/hostname.carp1
inet 172.75.100.1 255.255.255.0 172.25.101.255 balancing ip-stealth carpnodes 1:0,2:100 pass secret1 group dmz

/etc/hostname.carp2
inet 172.25.100.1 255.255.255.0 172.25.100.255 balancing ip-stealth carpnodes 4:0,5:100 pass secret2 group lan

/etc/hostname.em0
up mtu 1508

/etc/hostname.em1
inet 172.75.100.4 255.255.255.0 group dmz

/etc/hostname.em2
inet 172.25.100.4 255.255.255.0 group lan

/etc/hostname.pppoe0
inet 59.167.212.41 255.255.255.255 NONE mtu 1500 \
	pppoedev em0 authproto pap \
	authname pppoeuser authkey pppoepass up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 ::1

/etc/pf.conf
#---
# defaults
#---
table <rfc1918> const { 192.168/16 172.16/12 10/8 }
table <dmz> const { dmz:network }
table <lan> const { lan:network }

set loginterface egress
set skip on lo

block in quick on egress from <rfc1918>
antispoof log quick for { pppoe0 em0 }
pass
block quick on egress proto carp
block quick on { egress dmz } inet6
block in log on { egress dmz }

#---
# ack priority
#---
match on egress inet proto tcp prio(1,7)

#---
# sand blasting
#---
match in on egress scrub (reassemble tcp)
#match in on { egress dmz } scrub (reassemble tcp)
#match on egress scrub (max-mss 1440)

#---
# translation and redirections
#---
match out on egress nat-to (egress)
match in on { lan dmz } inet proto tcp to ! bincrow.net \
	port www rdr-to localhost port 8080
match in on { lan dmz } inet proto tcp to bincrow.net \
	port www rdr-to localhost
match in on { lan dmz } inet to bincrow.net rdr-to localhost

#---
# incoming port forwards
#---
# torrent
pass in on egress inet proto tcp to egress port 6881 rdr-to meile \
	modulate state
pass in on egress inet proto udp to egress port 6881 rdr-to meile \
	keep state

#---
# allow anyone to this
#---
pass in on egress inet proto tcp from any to egress port www \
	modulate state

#---
# dns
#---
table <dns-white> persist file /etc/pf/dns-white
pass in on egress inet proto { tcp udp } from \
	<dns-white> to egress port domain
pass in on dmz inet proto { tcp udp } from \
	dmz to dmz port domain

#---
# ntp
#---
pass in on dmz inet proto { tcp udp } from dmz \
	to dmz port { daytime time ntp }

#---
# ssh - whitelist, and rate limit overflows into blacklist
#---
table <ssh-black> persist file /etc/pf/ssh-black
table <ssh-white> persist file /etc/pf/ssh-white
pass in log on { egress dmz } inet proto tcp from <ssh-white> to \
	port ssh rdr-to localhost
pass in log on { egress dmz } inet proto tcp from !<ssh-black> to \
	port ssh rdr-to localhost keep state \
	(max-src-conn-rate 1/30, overload <ssh-black> flush)

#---
# imaps - whitelist, and rate limit overflows into blacklist
#---
table <imaps-black> persist file /etc/pf/imaps-black
table <imaps-white> persist file /etc/pf/imaps-white
pass in log
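As an added illustration (not part of the thread), the following Python reads tcpdump pflog lines like the one quoted above and reports what actually happened to each packet: a reason other than "match" means pf discarded it itself and only logged it against the default rule. The sample lines are constructed; the first is modelled on the quoted event, the others are made up for contrast.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in "tcpdump -n -e -ttt -i pflog0" format; the first is
# modelled on the event quoted in the thread, the others are made up for contrast.
SAMPLE_LINES = [
    "Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: "
    "50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]",
    "Jan 16 16:09:11.102938 rule 7/(match) block in on pppoe0: "
    "198.51.100.23.51234 > 59.167.212.41.22: S 1:1(0) win 65535",
    "Jan 16 16:09:12.000001 rule 9/(match) pass in on pppoe0: "
    "203.0.113.9.43210 > 59.167.212.41.80: S 10:10(0) win 8192",
]

# rule <number|def>/(<reason>) <action> <dir> on <if>: <src> > <dst>: <rest>
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ \S+) rule (?P<rule>\S+?)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
NOTE_RE = re.compile(r"\[([^\]]+)\]")  # tcpdump's bracketed decoder note

def parse_pflog_line(line: str) -> Optional[dict]:
    """Split one pflog line into its fields; None if the line is not pflog output."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    note = NOTE_RE.search(ev.pop("rest"))
    ev["note"] = note.group(1) if note else None
    return ev

def verdict(ev: dict) -> str:
    """pf logs reason "match" when a rule decided. Any other reason (short,
    normalize, fragment, ...) means pf itself discarded the packet before the
    ruleset ran and logged it against the default rule "def", so the printed
    action is not a rule pass."""
    if ev["reason"] != "match":
        return f"dropped-by-pf ({ev['reason']})"
    return "blocked-by-rule" if ev["action"] == "block" else "passed-by-rule"

def summarize(lines) -> Counter:
    """Count verdicts over a batch of lines, skipping anything unparseable."""
    counts = Counter()
    for line in lines:
        ev = parse_pflog_line(line)
        if ev is not None:
            counts[verdict(ev)] += 1
    return counts
```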
Re: CARP compatibility between 5.1 and 5.2
R0me0 *** knight@gmail.com wrote:
Hello misc, I have an OpenBSD 5.1 in production and I will put another OpenBSD 5.2 in and then configure CARP. Will I have some compatibility issue? Thanks in advance.

Hi, I have such a setup running without issue.
Cheers
Laurent
Re: new hardware
Laptop batteries are planned to have a 1-2 year life, and sometimes you get less, sometimes you get more. I have one Thinkpad whose battery lasted about 6 months and won't hold a charge; I have another that is 5 years old.

Yeah. It drives me mad. My Thinkpad has 5 hours in console mode and about a half in xorg. From the very start I was not sure if that battery was correct.

Since I started this thread, to report what decision I made: I will get a small case, Chieftec BT-02B-180, Intel G550 and ASUS P8H61-M LX3 R2.0. I hope this will run 5.2 in graphical mode.

Best regards
Zoran
Re: Arpresolve route without link local address
Take a step back and either disable PF or put in "pass keep state" (e.g. simple rules) and see if you can reproduce this problem.
//mxb

On 14 jan 2013, at 21:38, Атанас Владимиров don.na...@gmail.com wrote:
Hi,
Today I upgraded to the 11.01.2013 snapshot and I still get the same error. I have a permanent static entry for my default route.

[ns]~$ sudo /usr/sbin/arp -Ff /etc/ether.mac
[ns]~$ cat /etc/ether.mac
XX.XX.XX.33 00:50:45:5f:16:58 permanent
[ns]~$ arp -a
gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0 permanent static

After a while:

[ns]~$ arp -a
gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0

The permanent static ARP entry disappears.

/var/log/messages:
Jan 14 20:46:47 ns /bsd: arpresolve: XX.XX.7.33: route without link local address
Jan 14 20:51:47 ns last message repeated 42 times

/var/log/daemon:
Jan 14 20:46:47 ns dhclient[2970]: DHCPREQUEST on em0 to XX.XX.7.1 port 67
Jan 14 20:46:47 ns dhclient[2970]: DHCPACK from XX.XX.7.33 (00:50:45:5f:16:58)
Jan 14 20:46:47 ns dhclient[2970]: bound to XX.XX.7.48 -- renewal in 300 seconds.

Here is my pf.conf:

[ns]~$ sudo cat /etc/pf.conf
### Macros ###
### Interfaces ###
ExtIf = em0
IntIf = vlan41
Free = vlan81
pppx = 192.168.3.0/25
lo0 = 127.0.0.1

### Hosts ###
vl = 192.168.1.2
jl = 192.168.1.3
ve = 192.168.1.4
ntp = 192.168.1.5
sam = 192.168.1.14
dpc11 = 192.168.1.11

### Ports ###
low_ports = 0:1024
hi_ports = 1025:65535
web = { 20, 21, 22, 25, 80, 443, 3389, 5900, 6000, , 8080 }
ssh_extif =
rdc = 3389
rdc_extif = 4900
squid = 8080
squid_extif = 443
vl_skype = 30001
jl_skype = 30002
ve_skype = 30003
vl_torrent = 30004
jl_torrent = 30005
ve_torrent = 30006
vl_hfs = 8081
ftp_proxy = 8021
symux = 2100
ftp = 21
vnc_ext = 59001
vnc_int = 5900
sftp = 2
l2tp = { 500, 1701, 4500 }
trace = 33434:33498

### Queues, States and Types ###
IcmpType = "icmp-type 8 code 0"
SynState = "flags S/SAFR synproxy state"

### Tables ###
table <bgnets> file /etc/bgnets
table <spamd-white> persist
table <proxy-users> persist { 188.254.185.154, 212.50.72.29, 85.217.136.0/21, \
	95.111.100.14, 212.233.176.65, 78.128.124.161, 190.32.172.28 } ## panama
table <isp> persist { 94.26.7.32/27 }
table <BLOCK> persist { 82.119.88.70 }

### Options ###
### Misc Options
set block-policy drop
set loginterface $ExtIf
set skip on lo0
set optimization aggressive
# set state-defaults pflow

### Queueing ###
altq on $ExtIf bandwidth 100% hfsc queue { BG, INTER }
queue INTER bandwidth 3% hfsc (upperlimit 2950Kb) \
	{ i_ack, i_dns, i_ntp, i_web, i_bulk, i_bittor }
queue i_ack bandwidth 30% priority 8 qlimit 500 hfsc (realtime 30%)
queue i_dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 10%)
queue i_ntp bandwidth 10% priority 6 qlimit 500 hfsc (realtime 10%)
queue i_web bandwidth 30% priority 5 qlimit 500 hfsc (realtime 20%)
queue i_bulk bandwidth 19% priority 2 qlimit 500 hfsc (realtime 15%)
queue i_bittor bandwidth 1% priority 0 qlimit 2000 hfsc (default, upperlimit 60%)
queue BG bandwidth 30% hfsc (upperlimit 30Mb) \
	{ b_ack, b_dns, b_ntp, b_rdc, b_web, b_bulk, b_bittor }
queue b_ack bandwidth 10% priority 8 qlimit 500 hfsc (realtime 10%)
queue b_dns bandwidth 1% priority 7 qlimit 500 hfsc (realtime 1%)
queue b_ntp bandwidth 10% priority 7 qlimit 500 hfsc (realtime 1%)
queue b_rdc bandwidth 10% priority 6 qlimit 500 hfsc (realtime 10%)
queue b_web bandwidth 30% priority 5 qlimit 500 hfsc (realtime 30%)
queue b_bulk bandwidth 30% priority 4 qlimit 500 hfsc (realtime 10%)
queue b_bittor bandwidth 1% priority 0 qlimit 500 hfsc (upperlimit 85%)

### Translation and Filtering ###
### BLOCK all in/out on all interfaces by default and log
block log on $ExtIf
block return log on $IntIf
block return log on $Free
block quick log on $ExtIf from <BLOCK>

### Network Address Translation (NAT with outgoing source port randomization)
match out log on egress from (self) \
	to any nat-to ($ExtIf:0) port 1024:65535
match out log on egress from !($ExtIf:0) \
	to any nat-to ($ExtIf:0) port 1024:65535

### NAT from IntIf to FreeWifi
match out log on $Free from $IntIf:network \
	to $Free:network nat-to ($Free:0) port 1024:65535

### Packet normalization ( scrubbing )
match log on $ExtIf all scrub (random-id max-mss 1472)

### Ftp ( secure ftp proxy for LAN )
anchor ftp-proxy/*

### pppx
pass log from $pppx

### $ExtIf inbound
# npppd
pass in
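The post above shows the arpresolve error and the dhclient lease renewal landing in the same second. As an added example (not from the thread), this Python pairs each "route without link local address" line from /var/log/messages with a DHCPACK for the same address in /var/log/daemon within a short window, which is the kind of check that confirms whether the static entry vanishes on each renewal. The log lines are constructed; the redacted XX.XX octets from the post are replaced with documentation addresses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in OpenBSD syslog format, modelled on the excerpts in
# the post; the redacted XX.XX octets are replaced by documentation addresses.
MESSAGES = [
    "Jan 14 20:46:47 ns /bsd: arpresolve: 198.51.100.33: route without link local address",
    "Jan 14 20:51:47 ns last message repeated 42 times",
]
DAEMON = [
    "Jan 14 20:36:40 ns dhclient[2970]: DHCPACK from 198.51.100.33 (00:50:45:5f:16:58)",
    "Jan 14 20:46:47 ns dhclient[2970]: DHCPREQUEST on em0 to 198.51.100.1 port 67",
    "Jan 14 20:46:47 ns dhclient[2970]: DHCPACK from 198.51.100.33 (00:50:45:5f:16:58)",
    "Jan 14 20:46:47 ns dhclient[2970]: bound to 198.51.100.48 -- renewal in 300 seconds.",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ARP_RE = re.compile(r"arpresolve: (?P<ip>[\d.]+): route without link local address")
ACK_RE = re.compile(r"DHCPACK from (?P<ip>[\d.]+) \((?P<mac>[0-9a-f:]{17})\)")

def _events(lines, body_re, year=2013):
    """Yield (timestamp, match) for every syslog line whose body matches body_re."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        body = body_re.search(m["msg"])
        if body:
            # syslog timestamps carry no year; the caller supplies one
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), body

def correlate(messages, daemon, window_s=5):
    """Pair each arpresolve failure with a DHCPACK from the same address that
    dhclient logged within window_s seconds of it.
    Returns a list of (arp_time, ack_time, ip, mac) tuples."""
    acks = list(_events(daemon, ACK_RE))
    hits = []
    for arp_t, arp in _events(messages, ARP_RE):
        for ack_t, ack in acks:
            if ack["ip"] == arp["ip"] and abs(ack_t - arp_t) <= timedelta(seconds=window_s):
                hits.append((arp_t, ack_t, arp["ip"], ack["mac"]))
    return hits
```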
Re: OSPFD on a VLAN Trunk Interface
MJ (m...@sci.fi) on 2013.01.15 22:45:46 +0200:
[...]
4) On box3, all routes show up with next-hop of 10.1.0.1 (vlan2 on box2), instead of the IP addresses of the respective vlan interfaces. I want the real gateways to show up as next-hops.
[...]
box 3 --
[root@box3 ~]# ospfctl s r
Destination          Nexthop      Path Type   Type      Cost  Uptime
10.0.0.1             10.1.0.1     Inter-Area  Router    20    01:45:09
10.0.0.2             10.1.0.1     Intra-Area  Router    10    03:28:33
10.0.0.0/21          10.1.0.1     Inter-Area  Network   20    01:45:15
10.1.0.0/21          10.1.0.12    Intra-Area  Network   10    03:28:38
0.0.0.0/0            10.1.0.1     Type 1 ext  Network   120   01:45:09
10.1.8.0/22          10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.12.0/22         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.16.0/22         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.32.0/22         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.48.0/21         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.56.0/21         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.64.0/21         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.72.0/22         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.76.0/22         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.80.0/21         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.1.88.0/21         10.1.0.1     Type 1 ext  Network   110   03:28:33
10.100.103.0/24      10.1.0.1     Type 1 ext  Network   110   03:28:33
192.168.1.0/24       10.1.0.1     Type 1 ext  Network   110   03:28:33

Above: next-hop for 10.1.8.0/22 should be 10.1.8.1 (vlan3 interface on box2), and so forth.

Why? As far as I understand your config, box3 is connected to box2 via network 10.1.0.0/21. So it sees all those networks via nexthop 10.1.0.1 on box2. Nothing wrong with that.
Re: Running OpenBSD on Raspberry Pi
On Sat, Jan 12, 2013 at 4:59 AM, Patrick Wildt wrote:
Hello,
I'm currently working on porting OpenBSD to the Freescale i.MX6, an ARM Cortex-A9 (1-4 cores). It is already supporting USB and SDMMC, works like a charm. The i.MX6 itself got some interesting features like PCIe, SATA and Gigabit Ethernet. So, if 200$ don't sound too much, that might be an alternative.

So, where is your diff?

\Patrick
http://boundarydevices.com/products/sabre-lite-imx6-sbc/
http://boundarydevices.com/products/nitrogen6x-board-imx6-arm-cortex-a9-sbc/

Regards,
Doug.
OpenBGPd multiple local AS
Hello! I have a public AS and address range, everything is OK, but now I want to connect my routers via LAN and announce my public networks between them. So I need to configure a private AS and peers, as I think:

R1:
AS 5 65006
# public ISP
neighbor 1.1.1.1 {
	announce self
	remote-as 4
}
# my private LAN peer
neighbor 10.0.41.5 {
	announce self
	remote-as 65005
	descr r2
}

And R2 router:
AS 5 65005
# public ISP
neighbor 2.2.2.2 {
	announce self
	remote-as 2
}
# my private LAN peer
neighbor 10.0.41.6 {
	announce none
	remote-as 65006
	descr r1
}

But when I restart bgpd, I receive an error:
Last error: AS unacceptable

I suppose I have to force announcement of the private AS for my private peer, but didn't find how to do it in the config file.
---
Andrey