Re: [Question] Building whitelists so that spamd greylisting can work without users perceiving delivery delays...
On 3/28/2013 10:52 AM, Sarah Caswell wrote:
> Hi all,
>
> I had a question about greylisting (with spamd) in production. I've successfully run spamd on firewalls (as a frontend to either barracuda or SpamAssassin) and have really liked the reduction in SPAM volume. Unfortunately my employer's wife does not like the delays that this introduces into our mail delivery, since she uses email for quick turn-around communication.
>
> The main problem occurs with senders like Gmail, yahoo, hotmail, etc. ...i.e. all the senders that have large farms of smtp servers from which they can retry delivery after initial greylisting delay.
>
> I know this means I'm not doing proper whitelisting of those major sender domains, but I'm at a loss on how to best construct and maintain such a whitelist.
>
> Are there any up-to-date lists that already track the MTAs of these large mail providers? Or will this mostly be a DIY effort on my part?
>
> Any thoughts/insights/experiences would be greatly appreciated. :-)
>
> Sarah

Hi,

Years ago I was faced with the same frustration on my own system. I ended up writing a shell/awk script that I run 2x a day. Basically, you build up a list of "trusted" hosts and whitelist them. Whenever I got delayed mail that I noticed, I would add the hostname to the "trusted" list and my script would automatically whitelist them the next time it ran (or when I ran it manually). It may not be perfect, but it's worked flawlessly for probably 4 years now.
It's designed to work with sites that use "spf" records, and it doesn't know about ip6, not an issue in my case. If you are interested in my script, feel free to contact me off list.

The output for google.com is:

#---
# google.com
#---
# Got 5 elements in [v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all]
# queueing for spf lookup: [_spf.google.com]
216.73.93.70/31
216.73.93.72/31
# ==
# Recursing for additional spf records
# ==
#---
# _spf.google.com
#---
# Got 5 elements in [v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all ]
# queueing for spf lookup: [_netblocks.google.com]
# queueing for spf lookup: [_netblocks2.google.com]
# queueing for spf lookup: [_netblocks3.google.com]
# ==
# Recursing for additional spf records
# ==
#---
# _netblocks.google.com
#---
# Got 12 elements in [v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all]
216.239.32.0/19
64.233.160.0/19
66.249.80.0/20
72.14.192.0/18
209.85.128.0/17
66.102.0.0/20
74.125.0.0/16
64.18.0.0/20
207.126.144.0/20
173.194.0.0/16
#---
# _netblocks2.google.com
#---
# Got 8 elements in [v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all]
# UNKNOWN: [ip6:2001:4860:4000::/36]
# UNKNOWN: [ip6:2404:6800:4000::/36]
# UNKNOWN: [ip6:2607:f8b0:4000::/36]
# UNKNOWN: [ip6:2800:3f0:4000::/36]
# UNKNOWN: [ip6:2a00:1450:4000::/36]
# UNKNOWN: [ip6:2c0f:fb50:4000::/36]
#---
# _netblocks3.google.com
#---
# Got 2 elements in [v=spf1 ?all]
# Returning from recursion
# Returning from recursion
Re: OpenBSD as NAS
I did this on similar hardware (Atom D525 + 4G + 100M LAN + 1 SATA2 drive) a few weeks ago with an OpenBSD amd64 snapshot, but now I switched to Ubuntu due to a file copy performance issue. I can get around 10MB/s on OpenBSD, but around 20MB/s with Ubuntu on the same hardware.

One major difference here: my NAS is not for disaster, it's simply for file sharing. All data is backed up somewhere else. It's also my wireless AP, btw.

I'll be glad to know if there are any tips/advice to get better file copy speed on an OpenBSD NAS.

On Thu, Mar 28, 2013 at 11:03 PM, Jan Lambertz wrote:
> Hi there,
> to be prepared for storage disaster i am planning to upgrade my home
> box. It is an intel atom d525 with 2gig mem. I'm planning to build up a
> small raid 10
> with standard sata 5.25 inch drives. 1000 mbit lan. This storage will
> mainly be used for samba shares, backups and nfs shares. Of course i want
> massive performance. What do you suggest ?
> Change cpu
> Change filesystem (os)
> Parameters ?
> Do something other ?
> Any experiences in read /write speed of this hardware ?
Re: ftp(1) errors on an HTTPS url
Stuart Henderson spacehopper.org> writes:
> On 2012-11-18, Rodolfo Gouveia cosmico.net> wrote:
> > On Fri, Nov 16, 2012 at 08:23:40PM +, Rodolfo Gouveia wrote:
> >> Hello,
> >> It seems that https://www.prelude-ids.org doesn't play well with
> >> the ftp(1).
>
> One thing I noticed is that if I connect with openssl s_client and
> make a GET or HEAD request using the HOST header, this server does a
> renegotiation.

[...]

Found another site hitting this; https://issues.asterisk.org/. Just like prelude-ids.org, this one renegotiates as soon as you send a GET/HEAD with a HOST header.

$ openssl s_client -connect issues.asterisk.org:443
[...]
    Start Time: 1364503452
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
GET /jira/ HTTP/1.0
HOST: issues.asterisk.org

depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
read R BLOCK
HTTP/1.1 302 Moved Temporarily
Date: Thu, 28 Mar 2013 20:44:18 GMT
[...]

Responses to "ftp -o- https://issues.asterisk.org/jira/browse/ASTERISK-21207" vary between

ftp: Improper response from issues.asterisk.org

Segmentation fault (core dumped)

ftp: Error retrieving file: Inc.1^T0^R^F<...bunch of data from the new cert..>
EuroBSDcon 2013 Call for Proposals
EuroBSDcon 2013: September 26-29 in Malta
=========================================

EuroBSDcon is the European technical conference for users and developers of BSD-based systems. The conference will take place on Thursday, September 26 through Sunday, September 29 at the Hilton http://goo.gl/maps/hnACd in St. Julian's, Malta (tutorials on Thursday and Friday, talks on Saturday and Sunday).

Call for Proposals
------------------

The EuroBSDcon program committee is inviting BSD developers and users to submit innovative and original talk proposals not previously presented at other European conferences. Topics of interest to the conference include, but are not limited to, applications, architecture, implementation, performance and security of BSD-based operating systems, as well as topics concerning the economic or organizational aspects of BSD use. Presentations are expected to be 45 minutes and are to be delivered in English.

Call for Tutorial Proposals
---------------------------

The EuroBSDcon program committee is also inviting qualified practitioners in their field to submit proposals for half or full day tutorials on topics relevant to development, implementation and use of BSD-based systems. Half-day tutorials are expected to be 2.5 to 3 hours and full-day tutorials 5 to 6 hours. Tutorials are held in English.

Submissions
-----------

Proposals should be sent by email to . They should contain a short and concise text description in about 100 words. The submission should also include a short CV of the speaker and an estimate of the expected travel expenses. Please submit each proposal as a separate email.

Important dates
---------------

The EuroBSDcon program committee is accepting talk and tutorial proposals until Monday, May 25 2013. Other important dates will be announced soon on the conference website http://2013.EuroBSDcon.org/.
Re: ftp-proxy(8) and ftpd(8) on the same host
On Thu, Mar 28, 2013 at 08:11:07 +0100, Camiel Dobbelaar wrote:
> It does not work on the same server.
>
> You might try rules with "user _ftp" in pf.conf.

On Thu, Mar 28, 2013 at 10:14:15 +, Alexey E. Suslikov wrote:
> Camiel Dobbelaar sentia.nl> writes:
>
> > It does not work on the same server.
>
> There was an attempt to handle such things
>
> http://article.gmane.org/gmane.os.openbsd.tech/23343/

Thanks guys, I went with the username based pf rule, it was a good call, I didn't remember this pf parameter, but it fit well with this setup. I only have to keep the username list up-to-date, which is not much of a burden, really.

Thanks again,
Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
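The user-based rule Daniel settled on, written out as an added pf.conf fragment; this is not configuration from the thread. pf matches the `user` option against the uid that owns the listening socket, which for a passive-mode data connection is the socket ftpd(8) opens after login, so the rule has to list every account that may log in. The user names in $ftp_users and the port range (the default net.inet.ip.porthifirst to porthilast window) are assumptions.

```pf
# /etc/pf.conf fragment: stock ftpd(8) on the firewall itself, passive mode,
# without ftp-proxy(8).  Added example, not from the thread.  The account
# list and the 49152:65535 range are assumptions; adjust both to the host.
ftp_users = "{ _ftp, daniel }"

# FTP control connection.
pass in on egress inet proto tcp from any to (egress) port ftp

# Passive data connections: after login ftpd listens on a high port as the
# logged-in user, so only sockets owned by those accounts are reachable.
# Anything else listening on a high port stays behind the default block.
pass in on egress inet proto tcp from any to (egress) port 49152:65535 \
    user $ftp_users
```

Check the result with `pfctl -sr` after `pfctl -f /etc/pf.conf`; a login by an account missing from $ftp_users will still complete the control connection but its PASV data connection will be blocked, which is the symptom to look for when the list goes stale.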
Re: [Question] Building whitelists so that spamd greylisting can work without users perceiving delivery delays...
Sarah Caswell writes:
> The main problem occurs with senders like Gmail, yahoo, hotmail,
> etc. ...i.e. all the senders that have large farms of smtp servers
> from which they can retry delivery after initial greylisting delay.
>
> I know this means I'm not doing proper whitelisting of those major
> sender domains, but I'm at a loss on how to best construct and
> maintain such a whitelist.
>
> Are there any up-to-date lists that already track the MTAs of these large
> mail providers?

I think you would need to construct it by hand. I very occasionally update my /etc/mail/nospamd, and then mostly by looking for relevant domains' published spf records. For example, for gmail:

[Thu Mar 28 18:49:27] peter@deeperthought:~$ host -ttxt gmail.com
gmail.com descriptive text "v=spf1 redirect=_spf.google.com"
[Thu Mar 28 18:49:37] peter@deeperthought:~$ host -ttxt _spf.google.com
_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all"
[Thu Mar 28 18:52:02] peter@deeperthought:~$ for foo in _netblocks.google.com _netblocks2.google.com _netblocks3.google.com ; do host -ttxt $foo ; done
_netblocks.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
_netblocks2.google.com descriptive text "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all"
_netblocks3.google.com descriptive text "v=spf1 ?all"

and so forth. Not all domains publish SPF, and you may need to work around a certain bitrot factor. And spend some time poring over your spamd log to weed out the non-obvious ones. Then again, I just decided to share mine, which is the product of just the process I've described.
It's up at http://www.bsdly.net/~peter/nospamd free to use, corrections welcome (will be rewarded with a personal thank you message ;)). - Peter -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
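The process Peter describes above, and that the earlier reply's script output walks through for google.com, written out as an added Python example; it is not Peter's nospamd, not the script from the earlier reply, and not part of the thread. It follows include: and redirect= from a domain's SPF record and emits one network per line for /etc/mail/nospamd, bounding the walk the way RFC 7208 does (at most 10 DNS-querying terms) and refusing to loop. TXT_RECORDS holds the google.com records quoted in the thread plus a constructed include loop, and lookup_txt() reads from it so the example runs offline; for live use replace lookup_txt() with a real TXT query from whatever DNS library you have.

```python
"""Build spamd nospamd entries from a domain's SPF record (added example,
not the thread's script).  TXT_RECORDS is constructed test data: the
google.com records quoted in the thread plus a made-up include loop.
"""
import ipaddress

# Constructed resolver data keyed by DNS name; lookup_txt() reads it.
TXT_RECORDS = {
    "gmail.com": ["v=spf1 redirect=_spf.google.com"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ?all"],
    "_netblocks.google.com": [
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
        "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
        "ip4:173.194.0.0/16 ?all"],
    "_netblocks2.google.com": [
        "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 "
        "ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
        "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all"],
    "_netblocks3.google.com": ["v=spf1 ?all"],
    # made-up names that include each other, to exercise the loop guard
    "loop.example": ["v=spf1 include:loop2.example -all"],
    "loop2.example": ["v=spf1 include:loop.example ip4:192.0.2.10 -all"],
}

MAX_LOOKUPS = 10  # RFC 7208 4.6.4: at most 10 DNS-querying terms per check


def lookup_txt(name):
    """Stand-in resolver: TXT strings for name from the table above."""
    return TXT_RECORDS.get(name.lower(), [])


def spf_record(name, lookup=lookup_txt):
    """The single v=spf1 TXT record of name, or None (none, or several)."""
    found = [r for r in lookup(name) if r.lower().split(" ", 1)[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None


def spf_networks(domain, lookup=lookup_txt, want_ipv6=True):
    """(networks, warnings) for every ip4:/ip6: term reachable from domain's
    SPF record via include:/redirect=.  Terms qualified -, ~ or ? are skipped
    (a whitelist may only carry hosts the domain positively vouches for);
    a/mx/ptr/exists are reported, not expanded: nospamd wants addresses."""
    nets, warnings, seen = set(), [], set()
    queue, lookups = [domain.lower()], 0
    while queue:
        name = queue.pop(0)
        if name in seen:
            warnings.append("%s: already visited (include loop?)" % name)
            continue
        seen.add(name)
        if lookups >= MAX_LOOKUPS:
            warnings.append("%s: lookup limit %d reached" % (name, MAX_LOOKUPS))
            break
        lookups += 1
        record = spf_record(name, lookup)
        if record is None:
            warnings.append("%s: no single v=spf1 TXT record" % name)
            continue
        redirect = None
        for term in record.split()[1:]:
            if term[0] in "-~?":          # fail / softfail / neutral
                continue
            term = term.lstrip("+")
            low = term.lower()
            if low.startswith("redirect="):
                redirect = low[len("redirect="):]
            elif low.startswith("include:"):
                queue.append(low[len("include:"):])
            elif low.startswith(("ip4:", "ip6:")):
                if low.startswith("ip6:") and not want_ipv6:
                    continue
                try:
                    nets.add(ipaddress.ip_network(term[4:], strict=False))
                except ValueError:
                    warnings.append("%s: unparsable term %s" % (name, term))
            elif low == "all":
                warnings.append("%s: +all vouches for any host" % name)
            else:
                warnings.append("%s: %s needs name lookups, not expanded"
                                % (name, term))
        if redirect:
            queue.append(redirect)
    return sorted(nets, key=lambda n: (n.version, n)), warnings


def nospamd_lines(domain, lookup=lookup_txt, want_ipv6=True):
    """Lines to append to /etc/mail/nospamd: a comment, then one net per line."""
    nets, warnings = spf_networks(domain, lookup, want_ipv6)
    header = ["# %s" % domain] + ["# WARNING: %s" % w for w in warnings]
    return header + [str(n) for n in nets]
```

`"\n".join(nospamd_lines("gmail.com"))` yields a `# gmail.com` comment followed by the ten ip4 and six ip6 networks from the records above, ready to append to nospamd and load with pfctl. Two caveats worth keeping in mind: every network on the list skips greylisting for anything the provider vouches for, compromised accounts at that provider included, so keep the list per sender domain rather than merging it into one anonymous blob; and the netblocks change, which is Peter's "bitrot factor", so regenerate periodically and diff against the previous run instead of only ever appending.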
[Question] Building whitelists so that spamd greylisting can work without users perceiving delivery delays...
Hi all, I had a question about greylisting (with spamd) in production. I've successfully run spamd on firewalls (as a frontend to either barracuda or SpamAssassin) and have really liked the reduction in SPAM volume. Unfortunately my employer's wife does not like the delays that this introduces into our mail delivery, since she uses email for quick turn-around communication. The main problem occurs with senders like Gmail, yahoo, hotmail, etc. ...i.e. all the senders that have large farms of smtp servers from which they can retry delivery after initial greylisting delay. I know this means I'm not doing proper whitelisting of those major sender domains, but I'm at a loss on how to best construct and maintain such a whitelist. Are there any up-to-date lists that already track the MTAs of these large mail providers? Or will this mostly be a DIY effort on my part? Any thoughts/insights/experiences would be greatly appreciated. :-) Sarah -- "To speak another language is to possess another soul" - Charlemagne
Re: OpenBSD as NAS
> to be prepared for storage disaster i am planning to upgrade my home
> box. It is an intel atom d525 with 2gig mem. I'm planning to build up a
> small raid 10
> with standard sata 5.25 inch drives. 1000 mbit lan. This storage will
> mainly be used for samba shares, backups and nfs shares. Of course i want
> massive performance. What do you suggest ?

Since you posted on the openbsd list, I suppose you want to use openbsd.

You seem to be not shy of spending some bucks on the security of the content, so there is another option to look for:

http://www.qnap.com/useng/index.php?lang=en-us&sn=862&c=355&sc=526&t=694&n=12501

Personally, I'd go after a cheaper solution in the same tribe. Some older model, if available.

If you build your own box, that might prove itself better. I always do it. The very question is to find proper applications to fulfil your needs.

Best regards
Zoran
delete-old
Those who also update FreeBSD machines from source may know "make delete-old", which offers to delete obsolete files and directories. Here's the same as a shell script.

8<
#!/bin/sh
# Compare the current distrib set lists against the OPENBSD_5_3_BASE tag;
# every path that disappeared from the lists is an obsolete file, library
# or directory that a source update leaves behind.

ARCH=$(uname -m)
BASE=-rOPENBSD_5_3_BASE

list=$(
	cd /usr/src/distrib/sets/lists &&
	cvs -Rq diff -u ${BASE} */mi */md.${ARCH} |
	sed -n 's:^-\./:/:p'
)

files=
libs=
dirs=

# Sort the removed paths into shared libraries, other files and
# directories; each list holds one path per line.
while read file; do
	if [ -f "$file" -o -h "$file" ]; then
		case $file in
		*.so.[0-9].[0-9] | \
		*.so.[0-9].[0-9][0-9] | \
		*.so.[0-9][0-9].[0-9] | \
		*.so.[0-9][0-9].[0-9][0-9] )
			if [ -z "$libs" ]; then
				libs=$file
			else
				libs="$libs
$file"
			fi
			;;
		*)
			if [ -z "$files" ]; then
				files=$file
			else
				files="$files
$file"
			fi
			;;
		esac
	elif [ -d "$file" ]; then
		if [ -z "$dirs" ]; then
			dirs=$file
		else
			dirs="$dirs
$file"
		fi
	fi
done <<-EOF
$list
EOF

# rm -i must read its answer from the terminal, not from the here-document
# the loop is reading, so the original stdin is kept on fd 3.
delete-old-files() {
	echo ">>> Removing old files"
	if [ -n "$files" ]; then
		exec 3>&0
		while read file; do
			rm -i "$file" <&3
		done <<-EOF
$files
EOF
	fi
}

delete-old-libs() {
	echo ">>> Removing old libraries"
	if [ -n "$libs" ]; then
		exec 3>&0
		while read file; do
			rm -i "$file" <&3
		done <<-EOF
$libs
EOF
	fi
}

delete-old-dirs() {
	echo ">>> Removing old directories"
	if [ -n "$dirs" ]; then
		while read file; do
			rmdir "$file" && echo "$file"
		done <<-EOF
$dirs
EOF
	fi
}

delete-old-files
delete-old-libs
delete-old-dirs
>8

--
Christian "naddy" Weisgerber na...@mips.inka.de
Re: newline characters in kernel messages
new patch below On 09:03 Thu 28 Mar , Alexander Hall wrote: > On 03/28/13 08:27, Sergey Bronnikov wrote: > >please commit > > > >On 17:20 Sat 23 Mar , Sergey Bronnikov wrote: > >>Hi > >> > >>I have found that several kernel messages doesn't contain newline character. > >>Patches attached. > > For the record, that patch sure looks reversed... Eh, and redundant. :-) > > Preferrably, use `cvs diff -uNp`. > > /Alexander Index: sys/arch/amd64/amd64/acpi_machdep.c === RCS file: /cvs/src/sys/arch/amd64/amd64/acpi_machdep.c,v retrieving revision 1.52 diff -u -p -u -p -r1.52 acpi_machdep.c --- sys/arch/amd64/amd64/acpi_machdep.c 27 Nov 2012 17:38:45 - 1.52 +++ sys/arch/amd64/amd64/acpi_machdep.c 28 Mar 2013 15:28:49 - @@ -300,7 +300,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, in if (state == ACPI_STATE_S4) { uvm_pmr_zero_everything(); if (hibernate_suspend()) { - printf("%s: hibernate_suspend failed", + printf("%s: hibernate_suspend failed\n", DEVNAME(sc)); hibernate_free(); uvm_pmr_dirty_everything(); @@ -318,7 +318,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, in boothowto &= ~RB_POWERDOWN; acpi_sleep_pm(sc, state); - printf("%s: acpi_sleep_pm failed", DEVNAME(sc)); + printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc)); return (ECANCELED); } /* Resume path */ Index: sys/arch/i386/i386/acpi_machdep.c === RCS file: /cvs/src/sys/arch/i386/i386/acpi_machdep.c,v retrieving revision 1.46 diff -u -p -u -p -r1.46 acpi_machdep.c --- sys/arch/i386/i386/acpi_machdep.c 27 Nov 2012 17:38:45 - 1.46 +++ sys/arch/i386/i386/acpi_machdep.c 28 Mar 2013 15:30:51 - @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, in if (state == ACPI_STATE_S4) { uvm_pmr_zero_everything(); if (hibernate_suspend()) { - printf("%s: hibernate_suspend failed", + printf("%s: hibernate_suspend failed\n", DEVNAME(sc)); hibernate_free(); uvm_pmr_dirty_everything(); 
@@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, in boothowto &= ~RB_POWERDOWN; acpi_sleep_pm(sc, state); - printf("%s: acpi_sleep_pm failed", DEVNAME(sc)); + printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc)); return (ECANCELED); } /* Resume path */ -- sergeyb@
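Review bot: the hunk at @@ -300,7 +300,7 @@ in sys/arch/amd64/amd64/acpi_machdep.c and its i386 twin at @@ -325,7 +325,7 @@ now go the right way (`- printf("%s: hibernate_suspend failed",` becomes `+ printf("%s: hibernate_suspend failed\n",`), but the patch only touches the two messages this thread noticed; before committing, grep both acpi_machdep.c files for other printf() format strings without a trailing "\n" so the file is fixed in one commit rather than one message at a time.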
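Review bot: the hunk at @@ -318,7 +318,7 @@ (amd64) and @@ -343,7 +343,7 @@ (i386) is the same one-character change made in two copies of the same code, and the Index: headers show `diff -u -p -u -p`, i.e. the options were passed twice. That is harmless, `cvs diff -up` is enough, but the commit message should state that both sys/arch/amd64/amd64/acpi_machdep.c and sys/arch/i386/i386/acpi_machdep.c change, since the last round (the reversed patch earlier in this thread) only carried the i386 file and the two would have drifted.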
OpenBSD as NAS
Hi there,

to be prepared for storage disaster i am planning to upgrade my home box. It is an intel atom d525 with 2gig mem. I'm planning to build up a small raid 10 with standard sata 5.25 inch drives. 1000 mbit lan. This storage will mainly be used for samba shares, backups and nfs shares. Of course i want massive performance. What do you suggest ?

Change cpu
Change filesystem (os)
Parameters ?
Do something other ?

Any experiences in read /write speed of this hardware ?
Re: Spamassassin fails to start after upgrade to latest snapshot
.. Thu 28.Mar'13 at 14:01:10 +0100 Remco ... > James Griffin wrote: > > > Hi > > > > Basically, as the subject says: I upgraded to the latest snapshot and now > > spamassassin fails start. > > > > This is the error out when I try to start it from the command-line: [snip] > > Cheers, Jamie. > > > > > > Maybe you're bitten by the perl update as described in > http://www.openbsd.org/faq/current.html. Yes, looks like it. I'll just wait for the updates then. Cheers Remco. -- James Griffin: jmz at kontrol.kode5.net jmzgriffin at gmail.com A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
Re: Spamassassin fails to start after upgrade to latest snapshot
James Griffin wrote: > Hi > > Basically, as the subject says: I upgraded to the latest snapshot and now > spamassassin fails start. > > This is the error out when I try to start it from the command-line: > > > Bad arg length for NetAddr::IP::Util::mask4to6, length is 128, should be > 32 at /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP/Lite.pm > line 625. Compilation failed in require at > /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP.pm line 7. > BEGIN failed--compilation aborted at > /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP.pm line 7. > Compilation failed in require at > /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/NetSet.pm line 25. > BEGIN failed--compilation aborted at > /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/NetSet.pm line 25. > Compilation failed in require at > /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Conf.pm line 86. > BEGIN failed--compilation aborted at > /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Conf.pm line 86. > Compilation failed in require at > /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin.pm line 71. BEGIN > failed--compilation aborted at > /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin.pm line 71. > Compilation failed in require at /usr/local/bin/spamassassin line 80. > BEGIN failed--compilation aborted at /usr/local/bin/spamassassin line 80. > > Not sure exactly what the problem is. Has anyone else seen this and does > anyone know what I can do to fix it? > > Cheers, Jamie. > > Maybe you're bitten by the perl update as described in http://www.openbsd.org/faq/current.html.
Spamassassin fails to start after upgrade to latest snapshot
Hi

Basically, as the subject says: I upgraded to the latest snapshot and now spamassassin fails to start.

This is the error output when I try to start it from the command-line:

Bad arg length for NetAddr::IP::Util::mask4to6, length is 128, should be 32 at /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP/Lite.pm line 625.
Compilation failed in require at /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP.pm line 7.
BEGIN failed--compilation aborted at /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP.pm line 7.
Compilation failed in require at /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/NetSet.pm line 25.
BEGIN failed--compilation aborted at /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/NetSet.pm line 25.
Compilation failed in require at /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Conf.pm line 86.
BEGIN failed--compilation aborted at /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Conf.pm line 86.
Compilation failed in require at /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin.pm line 71.
BEGIN failed--compilation aborted at /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin.pm line 71.
Compilation failed in require at /usr/local/bin/spamassassin line 80.
BEGIN failed--compilation aborted at /usr/local/bin/spamassassin line 80.

Not sure exactly what the problem is. Has anyone else seen this and does anyone know what I can do to fix it?

Cheers, Jamie.

--
James Griffin: jmz at kontrol.kode5.net jmzgriffin at gmail.com
A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
Re: bad rule, or special filtering needed for bootp packets?
On Wed, 27 Mar 2013 19:28:08 -0700, David Ruggiero wrote:
> Thanks! No, it didn't occur to me, so very appreciated. I didn't
> remember that you could do that form of the table command to show
> explicit members in a list, so that's also really helpful.
>
> FWIW, though..I would not have expected that pf would silently
> drop - without any warning message or complaint - an address
> explicitly stated as being a member of a constant table definition.
> Even that address. You're right that (at least in hindsight)
> 0.0.0.0/mask might be treated differently - maybe it uses it as a
> marker for an empty slot or the like? But regardless of that, I
> would (a) expect that fact to be documented (if it is, I missed it),
> and (b) expect that the pf parser would say something as it was
> throwing it away (at least a warning message about "unparseable
> address at line XX - ignored" or the like). For it to just drop it on
> the floor and say nothing at all seems - well, kind of non-pf-ish.
>
> Perhaps worth a documentation patch, if not an actual code patch.

Well, even if 0.0.0.0/32 is not included in the table, your table should match any address (at least 0.0.0.0/32). Because !192.168.5.128/25 OR !192.168.10.128/25 OR !192.168.99.128/25 is always true.

int_net = "192.168.5.128/25"
wls_net = "192.168.10.128/25"
ptr_net = "192.168.99.128/25"

table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !$int_net, !$wls_net, !$ptr_net, 169.254.0.0/16, 127.0.0.0/8, 192.0.2.0/24, 0.0.0.0/32, 240.0.0.0/4, 255.255.255.255/32 }

Am I wrong? Why does 0.0.0.0 not match this table? I would be happy to know the behavior, because my "pfulator"(*) does not work as PF for this.

Thanks, regards.

(*) https://groupes.renater.fr/wiki/jtacl/index
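An added model of how pf(4) evaluates a table that mixes plain and negated entries, not code from the thread and not pf's own: a lookup picks the entry with the longest prefix that contains the address, and that entry's `!` flag decides, which is the behaviour pf.conf(5) documents with its "all of 192.0.2.0/24 except 192.0.2.5" example. So `!192.168.5.128/25` inside `192.168.0.0/16` is a hole carved out of the /16, not a term in a boolean OR, and an address outside every entry matches nothing. The macros and entries are the ones from the message above; the table name was lost from the message and is assumed here, and the model assumes every entry, 0.0.0.0/32 included, was accepted by pfctl, which is exactly the point the thread is unsure about.

```python
"""pf table lookup with negated entries: longest matching prefix wins and
its "!" flag decides.  Added example modelling pf.conf(5) semantics; not
pf code and not from the thread.
"""
import ipaddress


def parse_table(entries, macros=None):
    """pf.conf table entries ("10.0.0.0/8", "!$int_net") to a list of
    (network, negated) pairs, expanding $macro references."""
    macros = macros or {}
    table = []
    for entry in entries:
        entry = entry.strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:].strip()
        if entry.startswith("$"):
            entry = macros[entry[1:]]
        table.append((ipaddress.ip_network(entry, strict=False), negated))
    return table


def best_entry(table, addr):
    """The (network, negated) entry with the longest prefix that contains
    addr, or None when no entry covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, negated)
    return best


def table_matches(table, addr):
    """True if a packet to/from addr matches the table in a pf rule:
    covered by some entry, and the most specific such entry is not negated."""
    best = best_entry(table, addr)
    return best is not None and not best[1]


# Macros and entries from the message above.  The table name in the
# original was lost; "martians" is assumed here.
MACROS = {
    "int_net": "192.168.5.128/25",
    "wls_net": "192.168.10.128/25",
    "ptr_net": "192.168.99.128/25",
}
MARTIANS = parse_table([
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "!$int_net", "!$wls_net", "!$ptr_net",
    "169.254.0.0/16", "127.0.0.0/8", "192.0.2.0/24",
    "0.0.0.0/32", "240.0.0.0/4", "255.255.255.255/32",
], MACROS)


if __name__ == "__main__":
    for probe in ("10.9.8.7", "192.168.5.1", "192.168.5.200",
                  "192.168.10.1", "8.8.8.8", "0.0.0.0"):
        best = best_entry(MARTIANS, probe)
        print("%-15s match=%-5s via %s%s" % (
            probe, table_matches(MARTIANS, probe),
            "!" if best and best[1] else "", best[0] if best else "-"))
```

Under this model 192.168.5.200 does not match (its most specific entry is the negated /25), 192.168.5.1 does (only the /16 covers it), 8.8.8.8 matches nothing, and 0.0.0.0 matches because the model was told the /32 is in the table. Whether pfctl really loaded that entry is a question for the live system, and `pfctl -t <table> -T test 0.0.0.0` answers it directly, which is the check to run before trusting either an emulator or one's reading of the rule set.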
Re: ftp-proxy(8) and ftpd(8) on the same host
Camiel Dobbelaar sentia.nl> writes: > It does not work on the same server. There was an attempt to handle such a things http://article.gmane.org/gmane.os.openbsd.tech/23343/
CARP active-active with OSPF on top of gif
Hello list,

Anyone have good advice on the ?

I currently have SiteA and SiteB with two OpenBSD machines on each end in an active-active setup. I also have OSPF on top of gif (on top of IPsec) from each node and crossover between nodes.

fw1.siteA  fw1.siteB
fw2.siteA  fw2.siteB
fw1.siteA  fw2.siteA

I occasionally experience "breakdowns" on site-to-site links. It looks like ospfd stops talking on gif, but gifs are up and I'm able to ping each peer. ipsecctl shows that tunnels are up and I can confirm this via tcpdump. "pass on enc0 keep state (if-bound)" should not let unencrypted traffic escape anyway.

My goal with this setup is to have redundancy and let OSPF decide the routing path. So the priority is not set in ospfd.conf.

area 0.0.0.0 {
	# siteA-siteB
	interface gif0 {
		metric 10
	}
	# crossover
	interface trunk0 {
		metric 5
	}
	#LAN
	interface carp1 {
		passive
	}
	# ANYCAST
	interface lo1 {
		metric 5
	}
}

pfsync0: flags=41 mtu 1500
	priority: 0
	pfsync: syncdev: trunk0 maxupd: 128 defer: on
	groups: carp pfsync

//mxb
Re: newline characters in kernel messages
If your aim is to introduce newline characters, you got ur patch wrong (reversed!) -jf On Thu, Mar 28, 2013 at 3:27 PM, Sergey Bronnikov wrote: > please commit > > On 17:20 Sat 23 Mar , Sergey Bronnikov wrote: >> Hi >> >> I have found that several kernel messages doesn't contain newline character. >> Patches attached. >> >> -- >> sergeyb@ > >> --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013 >> +++ arch/i386/i386/acpi_machdep.c_Sat Mar 23 16:58:48 2013 >> @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) >> if (state == ACPI_STATE_S4) { >> uvm_pmr_zero_everything(); >> if (hibernate_suspend()) { >> - printf("%s: hibernate_suspend failed\n", >> + printf("%s: hibernate_suspend failed", >> DEVNAME(sc)); >> hibernate_free(); >> uvm_pmr_dirty_everything(); >> @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) >> boothowto &= ~RB_POWERDOWN; >> >> acpi_sleep_pm(sc, state); >> - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc)); >> + printf("%s: acpi_sleep_pm failed", DEVNAME(sc)); >> return (ECANCELED); >> } >> /* Resume path */ > >> --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013 >> +++ arch/i386/i386/acpi_machdep.c_Sat Mar 23 16:58:48 2013 >> @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) >> if (state == ACPI_STATE_S4) { >> uvm_pmr_zero_everything(); >> if (hibernate_suspend()) { >> - printf("%s: hibernate_suspend failed\n", >> + printf("%s: hibernate_suspend failed", >> DEVNAME(sc)); >> hibernate_free(); >> uvm_pmr_dirty_everything(); >> @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) >> boothowto &= ~RB_POWERDOWN; >> >> acpi_sleep_pm(sc, state); >> - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc)); >> + printf("%s: acpi_sleep_pm failed", DEVNAME(sc)); >> return (ECANCELED); >> } >> /* Resume path */ > > > -- > sergeyb@
Re: newline characters in kernel messages
On 03/28/13 08:27, Sergey Bronnikov wrote: please commit On 17:20 Sat 23 Mar , Sergey Bronnikov wrote: Hi I have found that several kernel messages doesn't contain newline character. Patches attached. For the record, that patch sure looks reversed... Eh, and redundant. :-) Preferrably, use `cvs diff -uNp`. /Alexander -- sergeyb@ --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013 +++ arch/i386/i386/acpi_machdep.c_ Sat Mar 23 16:58:48 2013 @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) if (state == ACPI_STATE_S4) { uvm_pmr_zero_everything(); if (hibernate_suspend()) { - printf("%s: hibernate_suspend failed\n", + printf("%s: hibernate_suspend failed", DEVNAME(sc)); hibernate_free(); uvm_pmr_dirty_everything(); @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) boothowto &= ~RB_POWERDOWN; acpi_sleep_pm(sc, state); - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc)); + printf("%s: acpi_sleep_pm failed", DEVNAME(sc)); return (ECANCELED); } /* Resume path */ --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013 +++ arch/i386/i386/acpi_machdep.c_ Sat Mar 23 16:58:48 2013 @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) if (state == ACPI_STATE_S4) { uvm_pmr_zero_everything(); if (hibernate_suspend()) { - printf("%s: hibernate_suspend failed\n", + printf("%s: hibernate_suspend failed", DEVNAME(sc)); hibernate_free(); uvm_pmr_dirty_everything(); @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) boothowto &= ~RB_POWERDOWN; acpi_sleep_pm(sc, state); - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc)); + printf("%s: acpi_sleep_pm failed", DEVNAME(sc)); return (ECANCELED); } /* Resume path */
Re: newline characters in kernel messages
please commit On 17:20 Sat 23 Mar , Sergey Bronnikov wrote: > Hi > > I have found that several kernel messages doesn't contain newline character. > Patches attached. > > -- > sergeyb@ > --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013 > +++ arch/i386/i386/acpi_machdep.c_Sat Mar 23 16:58:48 2013 > @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) > if (state == ACPI_STATE_S4) { > uvm_pmr_zero_everything(); > if (hibernate_suspend()) { > - printf("%s: hibernate_suspend failed\n", > + printf("%s: hibernate_suspend failed", > DEVNAME(sc)); > hibernate_free(); > uvm_pmr_dirty_everything(); > @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) > boothowto &= ~RB_POWERDOWN; > > acpi_sleep_pm(sc, state); > - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc)); > + printf("%s: acpi_sleep_pm failed", DEVNAME(sc)); > return (ECANCELED); > } > /* Resume path */ > --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013 > +++ arch/i386/i386/acpi_machdep.c_Sat Mar 23 16:58:48 2013 > @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) > if (state == ACPI_STATE_S4) { > uvm_pmr_zero_everything(); > if (hibernate_suspend()) { > - printf("%s: hibernate_suspend failed\n", > + printf("%s: hibernate_suspend failed", > DEVNAME(sc)); > hibernate_free(); > uvm_pmr_dirty_everything(); > @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) > boothowto &= ~RB_POWERDOWN; > > acpi_sleep_pm(sc, state); > - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc)); > + printf("%s: acpi_sleep_pm failed", DEVNAME(sc)); > return (ECANCELED); > } > /* Resume path */ -- sergeyb@
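Review bot: the hunk at @@ -325,7 +325,7 @@ is reversed: the `-` line `printf("%s: hibernate_suspend failed\n",` already carries the newline and the `+` line `printf("%s: hibernate_suspend failed",` drops it, so applying this patch would remove the newline the mail says is missing. The headers `--- arch/i386/i386/acpi_machdep.c` / `+++ arch/i386/i386/acpi_machdep.c_` show the diff was taken between the edited file and a `.c_` copy of the original in the wrong order; regenerate it from the checkout with `cvs diff -uNp` so the tree, not a copy, is the old side.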
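Review bot: the @@ -343,7 +343,7 @@ hunk has the same reversal (`- printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));` followed by `+ printf("%s: acpi_sleep_pm failed", DEVNAME(sc));`), and the whole two-hunk diff is attached twice. Send one copy, and since the amd64 acpi_machdep.c carries the same two printf() calls (see the later patch in this thread), put both arches in the same diff so the fix lands in one commit.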
Re: ftp-proxy(8) and ftpd(8) on the same host
On 3/27/13 4:14 PM, LEVAI Daniel wrote:
> On 5.2-stable, I'm trying to setup the stock ftpd(8) on a machine where the incoming traffic is not allowed arbitrarily above net.inet.ip.porthifirst, and the clients wish to use passive mode data connections.
>
> I thought I could use ftp-proxy(8) to append a pass in rule to the ftp-proxy anchor every time the client issues a PASV command, allowing the passive inbound data connection from the client to the server.
>
> I'm running ftp-proxy(8) and ftpd(8) like this:
>
> /usr/sbin/ftp-proxy -D 7 -b -p -R 127.0.0.1 -P 21
> /usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P]   # I've tried with and without -P

It does not work on the same server.

You might try rules with "user _ftp" in pf.conf.