L2TP\IPsec with npppd through PF firewall
Hello,

I'm currently discovering the NPPPD daemon and L2TP/IPsec VPN. My VPN server is in a DMZ and runs OpenBSD 5.3.

    Client (192.168.1.137) - (192.168.1.233) OBSD FW (192.168.21.233) - VPN (192.168.21.14)

I correctly configured NPPPD and IPsec to let my client connect directly to the VPN server (Windows VPN client configuration: VPN Server = 192.168.21.14) with a matching PF configuration. But that way my VPN will not be available from the Internet, so I tried to configure my FW and PF to redirect incoming L2TP/IPsec requests on 192.168.1.233 to my VPN server with these rules:

    #pass in log on $lan0_if proto esp from 192.168.1.137 to 192.168.21.14
    pass in log on $lan0_if proto esp from 192.168.1.137 to ($lan0_if) rdr-to 192.168.21.14

    #pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 500
    pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 500 rdr-to 192.168.21.14

    #pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 1701
    pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 1701 rdr-to 192.168.21.14

    #pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 4500
    pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 4500 rdr-to 192.168.21.14

Seemingly, the first phase succeeds but the second fails. The VPN server tries to respond to the FW and not to the client. VPN server's /var/log/messages:

    vpn isakmpd[15046]: isakmpd: phase 1 done (as responder): initiator id 192.168.1.137, responder id 192.168.21.14, src: 192.168.21.14 dst: 192.168.1.137
    vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
    vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
    vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
    vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
    vpn isakmpd[15046]: isakmpd: Peer 192.168.1.137 made us delete live SA peer-default for proto 1, initiator id: 192.168.1.137, responder id: 192.168.21.14

You can find my npppd configuration below:

    authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
    }
    #authentication RADIUS type radius {
    #   authentication-server {
    #       address 192.168.0.1 secret hogehoge
    #   }
    #   accounting-server {
    #       address 192.168.0.1 secret hogehoge
    #   }
    #}

    tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
        # l2tp-require-ipsec yes
        l2tp-accept-dialin yes
        authentication-method mschapv2
    }

    ipcp IPCP {
        pool-address 192.168.20.1-192.168.20.254
        dns-servers 192.168.21.16 8.8.8.8
    }

    # use pppx(4) interface. use an interface per a ppp session.
    interface pppx0 address 192.168.20.1 ipcp IPCP
    bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

Did I forget to configure something?

Regards,
-- 
Bastien CERIANI
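As an added example (not part of the original post), here is a small Python check that runs over isakmpd log lines of the kind quoted above and tells a redirect-induced phase 2 ID mismatch apart from other failures: when the responder ID the peer proposes is the firewall address that rdr-to's to the server rather than an address the server owns, the cause is the redirect, not the policy. The sample lines are constructed from the post; the local and redirect address lists are inputs you supply.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the isakmpd lines quoted in the post above.
SAMPLE_LOG = """\
vpn isakmpd[15046]: isakmpd: phase 1 done (as responder): initiator id 192.168.1.137, responder id 192.168.21.14, src: 192.168.21.14 dst: 192.168.1.137
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PHASE1_RE = re.compile(
    r"phase 1 done \(as responder\): initiator id " + IPV4 + r", responder id " + IPV4)
PHASE2_BAD_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id " + IPV4 + r", responder id " + IPV4)


def completed_phase1(log_text: str) -> List[Dict[str, str]]:
    """ID pairs of phase 1 exchanges that isakmpd completed as responder."""
    found = []
    for line in log_text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            found.append({"initiator": m.group(1), "responder": m.group(2)})
    return found


def rejected_phase2(log_text: str) -> List[Dict[str, str]]:
    """ID pairs isakmpd refused in phase 2 (logged just before INVALID_ID_INFORMATION)."""
    found = []
    for line in log_text.splitlines():
        m = PHASE2_BAD_RE.search(line)
        if m:
            found.append({"initiator": m.group(1), "responder": m.group(2)})
    return found


def diagnose(log_text: str, local_addresses, redirect_addresses) -> Dict[str, object]:
    """Classify why phase 2 fails.

    local_addresses    - addresses configured on the VPN server itself
    redirect_addresses - firewall addresses that rdr-to the VPN server
    """
    bad = rejected_phase2(log_text)
    if not bad:
        return {"verdict": "ok", "rejected": 0, "responder_ids": []}
    responders = {b["responder"] for b in bad}
    if responders <= set(redirect_addresses):
        # The client names the responder by the firewall address it dialled,
        # which isakmpd on the server does not own: the rdr-to hid it.
        verdict = "redirect-mismatch"
    elif responders <= set(local_addresses):
        verdict = "policy-mismatch"   # the ID is ours; flow/policy config disagrees
    else:
        verdict = "unknown-responder"  # neither ours nor a known redirect address
    return {"verdict": verdict, "rejected": len(bad), "responder_ids": sorted(responders)}


if __name__ == "__main__":
    print(completed_phase1(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG, ["192.168.21.14"], ["192.168.1.233"]))
```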
Re: L2TP\IPsec with npppd through PF firewall
Why don't you run npppd directly on OBSD FW (192.168.21.233)?

On 25 apr 2013, at 09:49, Bastien Ceriani bastien.ceri...@bulkypix.com wrote:

Hello, I'm currently discovering the NPPPD daemon and L2TP/IPsec VPN. [...]
Re: OpenBSD, ipsec and sasyncd issue
mxb - my em's do not have any IP, only "up" inside hostname.emX. My advskew is 100 on the backup node.

2013/4/24 mxb m...@alumni.chalmers.se wrote:

Then there is also a question regarding how quickly your CARP will fail over, e.g. what is your advskew on the backup node?

On 24 apr 2013, at 22:30, mxb m...@alumni.chalmers.se wrote:

I'd start by looking at sasyncd and whether it actually works. If it works, 'netstat -rn' should show flows at the end of its output on the backup node:

    Encap:
    Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
    flows should be printed here

Next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do the initial handshake and check their IP addresses. Are you sure your carp0 IP is talking and NOT the em0 IP?

I'd also force isakmpd to bind to a specific IP (/etc/isakmpd/isakmpd.conf):

    [General]
    Listen-on= your carp0 IP goes here
    DPD-check-interval= 60
    Default-phase-1-lifetime= 3600,360:86400
    Default-phase-2-lifetime= 1200,160:86400

If you do the above you might need to specify srcid in your ipsec.conf:

    local_gw=your carp0 IP goes here
    ike active esp main quick .. srcid $local_gw

//mxb

On 24 apr 2013, at 20:33, R0me0 *** knight@gmail.com wrote:

Hello misc,

For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd. I searched Google and misc, read the man pages and reviewed the configurations many times to make something work that apparently is very, very simple.

My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with OpenBSD -current too):

    match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
    pass log

ipsec.conf (both firewalls in HA; local 10.10.20.29 is the address of carp0):

    ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
        peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
        quick auth hmac-sha2-256 enc blowfish psk 'sapeca'

sasyncd.conf (firewall master); network 10.20.30.0/30 is on an interface dedicated to the firewalls communicating with each other:

    interface carp0
    group carp
    listen on 10.20.30.1 inet
    peer 10.20.30.2
    sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5

sasyncd.conf (firewall slave):

    interface carp0
    group carp
    listen on 10.20.30.2 inet
    peer 10.20.30.1
    sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5

IP forwarding and carp preempt are enabled on both firewalls.

Steps to start on both firewalls:

    isakmpd -K -S
    ipsecctl -f /etc/ipsec.conf
    sasyncd

The other OpenBSD peer, without HA (OpenBSD 5.2):

    ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer 10.10.20.29 \
        main auth hmac-sha2-256 enc blowfish \
        quick auth hmac-sha2-256 enc blowfish \
        psk 'sapeca'

Alright, let me explain what is occurring: the VPN works perfectly, I access resources behind the 10.15.1.33 peer, and on the OpenBSD slave I see the SAs synchronized from the master (ipsecctl -sa). If I force a failover on the OpenBSD master with:

    ifconfig -g carp carpdemote 10

the other node takes over and connections continue working perfectly (for example a download of an OpenBSD ISO continues beautifully :) ), but the IPsec VPN does not: it freezes and takes between 25s and 30s for the VPN to reestablish the connection. And if I move the service back to the old OpenBSD master (ifconfig -g carp -carpdemote 10), the VPN freezes completely and does not come back; I need to kill isakmpd and start it again. I expected it to be transparent, a beautiful failover without IPsec disruption.

In my configuration, am I doing something wrong? Am I forgetting something? Please, can someone put me on the right way?

Regards,
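An added example (not from the thread): a Python check that reads the two sasyncd.conf bodies and the ipsec.conf posted above and reports the inconsistencies mxb's questions are probing for, namely listen/peer not mirrored between the nodes, differing shared keys, or an ike rule whose local address is not the carp0 address. The 128/192/256-bit hex key-length rule is my reading of sasyncd.conf(5) and is an assumption; CARP0_ADDRESS and the config texts are taken from the post.

```python
import re
from typing import Dict, List

# Constructed sample inputs, copied from the configurations posted in the thread.
MASTER_SASYNCD = """\
interface carp0
group carp
listen on 10.20.30.1 inet
peer 10.20.30.2
sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
"""
SLAVE_SASYNCD = """\
interface carp0
group carp
listen on 10.20.30.2 inet
peer 10.20.30.1
sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
"""
IPSEC_CONF = """\
ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \\
    peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \\
    quick auth hmac-sha2-256 enc blowfish psk 'sapeca'
"""
CARP0_ADDRESS = "10.10.20.29"   # the post: "local 10.10.20.29 is address of carp0"


def parse_sasyncd(text: str) -> Dict[str, str]:
    """Pick out the keywords this check needs from a sasyncd.conf body."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "listen" and len(words) >= 3 and words[1] == "on":
            conf["listen"] = words[2]
        elif words[0] in ("interface", "group", "peer", "sharedkey") and len(words) >= 2:
            conf[words[0]] = words[1]
    return conf


def ipsec_local_addresses(text: str) -> List[str]:
    """Join backslash-continued lines and return every 'local <addr>' of the ike rules."""
    joined = text.replace("\\\n", " ")
    return re.findall(r"\blocal\s+(\S+)", joined)


def check_ha_pair(master: str, slave: str, ipsec_conf: str, carp_address: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means consistent."""
    m, s = parse_sasyncd(master), parse_sasyncd(slave)
    problems: List[str] = []
    for key in ("interface", "group"):
        if m.get(key) != s.get(key):
            problems.append(f"{key} differs: master={m.get(key)} slave={s.get(key)}")
    # Each node must listen where the other one points its 'peer'.
    if m.get("listen") != s.get("peer") or s.get("listen") != m.get("peer"):
        problems.append("listen/peer addresses are not mirrored between the nodes")
    if m.get("sharedkey") != s.get("sharedkey"):
        problems.append("sharedkey differs between the nodes")
    key = m.get("sharedkey", "")
    # Assumption from sasyncd.conf(5): a hex key of 128, 192 or 256 bits.
    if not (key.startswith("0x") and len(key) - 2 in (32, 48, 64)):
        problems.append("sharedkey is not a 128/192/256-bit hex key")
    # The IKE endpoint must be the shared carp address, not a physical em0 address,
    # or the surviving node cannot take the SAs over transparently.
    for addr in ipsec_local_addresses(ipsec_conf):
        if addr != carp_address:
            problems.append(f"ike rule uses local {addr}, not the carp address {carp_address}")
    return problems


if __name__ == "__main__":
    print(check_ha_pair(MASTER_SASYNCD, SLAVE_SASYNCD, IPSEC_CONF, CARP0_ADDRESS) or "consistent")
```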
OpenBSD freeze after DRM changes
Hi misc@,

After one of the screenshots that include the DRM changes, my laptop began to freeze after the first boot. Sometimes it freezes at "Pentium Pro MTRR support", but most of the time it freezes no more than 1 minute after login. After a reboot, the system runs rock solid. dmesg and pcidump included below. Anyone experiencing the same?

Thank you.

dmesg:

    OpenBSD 5.3-current (GENERIC.MP) #103: Wed Apr 24 09:33:02 MDT 2013
        dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
    real mem = 3168403456 (3021MB)
    avail mem = 3076415488 (2933MB)
    [...]
    pchb0 at pci0 dev 0 function 0 Intel GM45 Host rev 0x09
    vga1 at pci0 dev 2 function 0 Intel GM45 Video rev 0x09
    intagp0 at vga1
    agp0 at intagp0: aperture at 0xd000, size 0x1000
    inteldrm0 at vga1
    drm0 at inteldrm0
    inteldrm0: 1366x768
    wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
    wsdisplay0: screen 1-5 added (std, vt100 emulation)
    [remainder of dmesg omitted]
Re: OpenBSD, ipsec and sasyncd issue
According to carp(4):

    Assume that host A is the preferred master and 192.168.1.x/24 is
    configured on one physical interface and 192.168.2.y/24 on another.
    This is the setup for host A:

E.g., this means that you have to configure em0 with an IP, if em0 is the physical NIC used for carp0.

On 25 apr 2013, at 13:16, R0me0 *** knight@gmail.com wrote:

mxb - my em's do not have any IP, only "up" inside hostname.emX. My advskew is 100 on the backup node. [...]
Re: L2TP\IPsec with npppd through PF firewall
Hi,

My boss asked me to do it like that. But won't VPN requests decrease the router's performance?

On Thu, Apr 25, 2013 at 11:54 AM, mxb m...@alumni.chalmers.se wrote:

Why don't you run npppd directly on OBSD FW (192.168.21.233)?
Re: OpenBSD, ipsec and sasyncd issue
I think that this is not needed :)

2013/4/25 mxb m...@alumni.chalmers.se wrote:

According to carp(4): [...] E.g., this means that you have to configure em0 with an IP, if em0 is the physical NIC used for carp0. [...]
Re: L2TP\IPsec with npppd through PF firewall
Depends on the hardware you are using and the configuration. Use weaker crypto if you can, like aes128 instead of aes256 and hmac-md5 instead of sha1 in ipsec.conf. Or maybe use aggressive instead of main in ipsec.conf too. Running npppd on top of 192.168.21.233 will make your life easier.

On 25 apr 2013, at 14:36, Bastien Ceriani bastien.ceri...@bulkypix.com wrote:

Hi, My boss asked me to do it like that. But won't VPN requests decrease the router's performance?

On Thu, Apr 25, 2013 at 11:54 AM, mxb m...@alumni.chalmers.se wrote:

Why don't you run npppd directly on OBSD FW (192.168.21.233)?
Re: OpenBSD, ipsec and sasyncd issue
This might be the case, but the man page does not state so :)

On 25 apr 2013, at 14:42, R0me0 *** knight@gmail.com wrote:

I think that this is not needed :) [...]
Re: L2TP\IPsec with npppd through PF firewall
Well, our router is not powerful xD. I will speak to my boss about this solution, but it would be wonderful if I could make it work as I/he want :( Thx!

On Thu, Apr 25, 2013 at 2:47 PM, mxb m...@alumni.chalmers.se wrote:

Depends on the hardware you are using and the configuration. Use weaker crypto if you can, like aes128 instead of aes256 and hmac-md5 instead of sha1 in ipsec.conf. Or maybe use aggressive instead of main in ipsec.conf too. Running npppd on top of 192.168.21.233 will make your life easier. [...]

-- 
Bastien CERIANI
Systems and Network Administrator
tel: +33 (1) 34 65 93 34
6 Avenue de Sceaux 78000 VERSAILLES - FRANCE
hplib (cups) - device open error
Have tried as many workarounds as I can think of for the following, but I'm getting nowhere:

    Apr 25 13:44:29 stable-8 hp[22206]: prnt/backend/hp.c 745: ERROR: open device failed stat=12: hp:/usb/psc_1200_series?serial=HU44HGQ7JPT0

Has anyone any ideas how to get around this?

Thanks,
Re: faxing
First, thanks for the help.

Second, I am not going to start implementing a FAX solution until I get 5.3, and even then it will take me some time since this is volunteer work and I have to find time. I will probably get to it in mid-May. I will first try hylafax with T38modem. If that fails, I'll try IAXmodem, and if that fails in turn, a Cisco PAP2T. I will report on my success or failure.
seeking: xrandr magic
I have a laptop. I have a VGA monitor. I want to use them together. The native panel (LVDS1) is 1600x900. The monitor (VGA1) is 1920x1080 and sits to the right of my laptop. Intel graphics, amd64 -current.

When I start X, by default I have a mirrored display of 1024x768. I want 1600x900 on the LCD, 1920x1080 on the monitor, and for the desktop to extend from the laptop to the right onto the monitor. I would also like my fonts to have somewhat predictable sizes and not engage in crazy dpi hijinks.

To accomplish this, I have found some combination of the following xrandr commands works:

    xrandr --auto
    xrandr -s 1600x900
    xrandr --output LVDS1 -s 1600x900
    xrandr --output VGA1 -s 1920x1080
    xrandr --output VGA1 --right-of LVDS1
    xrandr --dpi 96

The problem is that running these commands in any particular order doesn't always work. I have to run random permutations of them until everything is correct. Sometimes the commands do nothing, sometimes the monitor just goes blank, sometimes the command does exactly what I want it to do.

Is there a single command I can put in .xinitrc? A single correct sequence of commands?
Re: openbsd+ldap+qmail: a nightmare
* Friedrich Locke friedrich.lo...@gmail.com [2013-01-14 17:15]:

i have been walking around and now i need to get qmail+ldap+openbsd working.

That works just fine, to the extent the openldap pig can work fine. I am still running the older openldap-server (openldap-server-2.3.43p10) since the 2.4 one is even worse and removed the only reliable backend, ldbm. Once our own ldapd has replication support I should be able to get rid of openldap eventually...

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
setting resource limits error message
Hi all,

I installed a snapshot last night on our server at work and since then I'm getting an error whenever a user logs in over ssh.

    2013-04-25 13:40:37.284728500 auth.info: sshd[222]: Accepted publickey for jross from 10.16.31.10 port 51645 ssh2
    2013-04-25 13:40:37.289644500 user.err: Apr 25 13:40:37 sshd: postgresql: setting resource limit openfiles: Invalid argument

The postgresql section of my login.conf is:

    # For PostgreSQL Database
    #
    postgresql:\
            :maxproc-max=1024:\
            :maxproc-cur=512:\
            :openfiles-cur=1536:\
            :datasize-max=1024M:\
            :datasize-cur=256M:\
            :stacksize-cur=16M:

Is 1536 now too many openfiles? I dropped openfiles-cur to 768 as suggested in the pkg_readme and the error has stopped. I'm sure I had a reason for doubling it way back when, because this is a pretty busy postgresql server. Didn't see anything in the FAQ or in a google search for this error.

Thanks,

Jeff Ross
Re: setting resource limits error message
On Thu, Apr 25, 2013 at 1:05 PM, Jeff Ross jr...@wykids.org wrote:
> I installed a snapshot last night on our server at work and since then I'm getting an error whenever a user logs in over ssh.
>
> 013-04-25 13:40:37.284728500 auth.info: sshd[222]: Accepted publickey for jross from 10.16.31.10 port 51645 ssh2
> 2013-04-25 13:40:37.289644500 user.err: Apr 25 13:40:37 sshd: postgresql: setting resource limit openfiles: Invalid argument
>
> The postgresql section of my login.conf is:
>
> # For PostgreSQL Database
> #
> postgresql:\
> 	:maxproc-max=1024:\
> 	:maxproc-cur=512:\
> 	:openfiles-cur=1536:\
...
> Is 1536 now too many openfiles?

No. The problem is that you can't set the '-cur' value to greater than the '-max' value, which defaults to 1024. If you want to set both to that same higher value, then say openfiles=1536. Otherwise, add another line to set 'openfiles-max' to whatever larger value you desire.

Philip Guenther
Re: setting resource limits error message
On 4/25/13 2:43 PM, Philip Guenther wrote:
> On Thu, Apr 25, 2013 at 1:05 PM, Jeff Ross jr...@wykids.org wrote:
>> I installed a snapshot last night on our server at work and since then I'm getting an error whenever a user logs in over ssh.
>>
>> 013-04-25 13:40:37.284728500 auth.info: sshd[222]: Accepted publickey for jross from 10.16.31.10 port 51645 ssh2
>> 2013-04-25 13:40:37.289644500 user.err: Apr 25 13:40:37 sshd: postgresql: setting resource limit openfiles: Invalid argument
>>
>> The postgresql section of my login.conf is:
>>
>> # For PostgreSQL Database
>> #
>> postgresql:\
>> 	:maxproc-max=1024:\
>> 	:maxproc-cur=512:\
>> 	:openfiles-cur=1536:\
> ...
>> Is 1536 now too many openfiles?
>
> No. The problem is that you can't set the '-cur' value to greater than the '-max' value, which defaults to 1024. If you want to set both to that same higher value, then say openfiles=1536. Otherwise, add another line to set 'openfiles-max' to whatever larger value you desire.
>
> Philip Guenther

Ah--that makes perfect sense! Thanks Philip!
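An added check, not something Jeff or Philip posted, that reads a login.conf class the way the failing limit-setting path sees it: every -cur must not exceed its -max, and where only -cur is given it is compared against a hard limit you pass in (here the 1024 default Philip mentions for openfiles). The class text is a constructed copy of the one quoted above.

```shell
# Check a login.conf(5) class for a soft limit ("-cur") above its hard limit
# ("-max"): that combination is what fails with "Invalid argument" at login.

# Constructed copy of the postgresql class from the thread.
SAMPLE_CLASS='postgresql:\
    :maxproc-max=1024:\
    :maxproc-cur=512:\
    :openfiles-cur=1536:\
    :datasize-max=1024M:\
    :datasize-cur=256M:\
    :stacksize-cur=16M:'

# check_login_class "res=limit ...": class on stdin; the argument lists hard
# limits to assume when only "-cur" is set. Prints one line per violation.
check_login_class() {
    awk -v defaults="$1" '
        function tonum(v,  n, u) {           # "16M" -> 16777216
            n = v + 0; u = substr(v, length(v), 1)
            if (u ~ /[Kk]/) n *= 1024
            else if (u ~ /[Mm]/) n *= 1024 * 1024
            else if (u ~ /[Gg]/) n *= 1024 * 1024 * 1024
            return n
        }
        BEGIN {
            nd = split(defaults, d, " ")
            for (i = 1; i <= nd; i++) { split(d[i], kv, "="); fallback[kv[1]] = tonum(kv[2]) }
        }
        {   # pull every "name[-cur|-max]=value" capability off the line
            line = $0
            while (match(line, /[a-z]+(-cur|-max)?=[0-9]+[KkMmGg]?/)) {
                cap = substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
                split(cap, kv, "=")
                res = kv[1]; sub(/-(cur|max)$/, "", res)
                if (kv[1] ~ /-cur$/) soft[res] = tonum(kv[2])
                else if (kv[1] ~ /-max$/) hard[res] = tonum(kv[2])
                else { soft[res] = tonum(kv[2]); hard[res] = tonum(kv[2]) }  # bare name sets both
            }
        }
        END {
            for (r in soft) {
                if (r in hard) lim = hard[r]
                else if (r in fallback) lim = fallback[r]
                else continue                # no hard limit known, cannot judge
                if (soft[r] > lim) printf "%s: cur %d exceeds max %d\n", r, soft[r], lim
            }
        }'
}
printf '%s\n' "$SAMPLE_CLASS" | check_login_class "openfiles=1024 maxproc=1024"
```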
Re: seeking: xrandr magic
On 04/25/13 21:56, Ted Unangst wrote:
> I have a laptop. I have a VGA monitor. I want to use them together. The native panel (LVDS1) is 1600x900. The monitor (VGA1) is 1920x1080 and sits to the right of my laptop. intel graphics, amd64 -current.
>
> When I start X, by default I have a mirrored display of 1024x768. I want 1600x900 on the LCD, 1920x1080 on the monitor, and for the desktop to extend from the laptop to the right onto the monitor. I would also like for my fonts to have somewhat predictable sizes and not engage in crazy dpi hijinks.
>
> To accomplish this, I have found some combination of the following xrandr commands works:
>
> xrandr --auto
> xrandr -s 1600x900
> xrandr --output LVDS1 -s 1600x900
> xrandr --output VGA1 -s 1920x1080
> xrandr --output VGA1 --right-of LVDS1
> xrandr --dpi 96
>
> The problem is that running these commands in any particular order doesn't always work. I have to run random permutations of them until everything is correct. Sometimes the commands do nothing, sometimes the monitor just goes blank, sometimes the command does exactly what I want it to do.
>
> Is there a single command I can put in .xinitrc? A single correct sequence of commands?

It's been a while since I had dual screens set up, but my script basically did sth like:

xrandr --output VGA1 --auto
xrandr --output LVDS1 --auto
xrandr --output VGA1 --right-of LVDS1

Don't know if issues can be related to specific hardware or if any recent changes would make it not work though.

/Alexander
Re: seeking: xrandr magic
On Thu, Apr 25, 2013 at 11:17:26PM +0200, Alexander Hall wrote:
> On 04/25/13 21:56, Ted Unangst wrote:
>> I have a laptop. I have a VGA monitor. I want to use them together. The native panel (LVDS1) is 1600x900. The monitor (VGA1) is 1920x1080 and sits to the right of my laptop. intel graphics, amd64 -current.
>>
>> When I start X, by default I have a mirrored display of 1024x768. I want 1600x900 on the LCD, 1920x1080 on the monitor, and for the desktop to extend from the laptop to the right onto the monitor. I would also like for my fonts to have somewhat predictable sizes and not engage in crazy dpi hijinks.
>>
>> To accomplish this, I have found some combination of the following xrandr commands works:
>>
>> xrandr --auto
>> xrandr -s 1600x900
>> xrandr --output LVDS1 -s 1600x900
>> xrandr --output VGA1 -s 1920x1080
>> xrandr --output VGA1 --right-of LVDS1
>> xrandr --dpi 96
>>
>> The problem is that running these commands in any particular order doesn't always work. I have to run random permutations of them until everything is correct. Sometimes the commands do nothing, sometimes the monitor just goes blank, sometimes the command does exactly what I want it to do.
>>
>> Is there a single command I can put in .xinitrc? A single correct sequence of commands?
>
> It's been a while since I had dual screens set up, but my script basically did sth like:
>
> xrandr --output VGA1 --auto
> xrandr --output LVDS1 --auto
> xrandr --output VGA1 --right-of LVDS1
>
> Don't know if issues can be related to specific hardware or if any recent changes would make it not work though.
>
> /Alexander

First line on my .xinitrc:

xrandr --output LVDS1 --auto --output VGA1 --auto --right-of LVDS1

Adding --verbose (outside .xinitrc, especially) might also give some insight on what's going on/wrong...

Zé
-- 
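Added example, not from any poster in this thread: a small sh/awk helper that derives the single-invocation form Zé describes from `xrandr --query` output, so .xinitrc does not depend on which outputs happen to be plugged in or on the order of separate commands. The sample query text is constructed; the output names and the --dpi value are the ones from the thread.

```shell
# Build one xrandr(1) invocation from `xrandr --query` output: every
# "connected" output gets --auto, the internal panel (LVDS*) is placed first
# and each further output hangs --right-of the previous one, disconnected
# outputs are switched --off. One call avoids the ordering problems of
# running several separate xrandr commands.

# Constructed sample of `xrandr --query` output, not captured from the thread.
SAMPLE_QUERY='Screen 0: minimum 320 x 200, current 1024 x 768, maximum 8192 x 8192
LVDS1 connected 1024x768+0+0 (normal left inverted right x axis y axis) 309mm x 174mm
   1600x900       60.0*+
   1024x768       60.0
VGA1 connected 1024x768+0+0 (normal left inverted right x axis y axis) 477mm x 268mm
   1920x1080      60.0 +
   1024x768       60.0*
HDMI1 disconnected (normal left inverted right x axis y axis)
DP1 disconnected (normal left inverted right x axis y axis)'

# xrandr_cmd DPI: read query output on stdin, print the command line to run.
xrandr_cmd() {
    awk -v dpi="$1" '
        # Output lines start in column 1; mode lines are indented.
        /^[^ ]+ (connected|disconnected)/ {
            if ($2 != "connected") { off[++m] = $1; next }
            if ($1 ~ /^LVDS/) {        # internal panel goes to the front
                n++
                for (i = n; i > 1; i--) out[i] = out[i - 1]
                out[1] = $1
            } else out[++n] = $1
        }
        END {
            cmd = "xrandr"
            for (i = 1; i <= n; i++) {
                cmd = cmd " --output " out[i] " --auto"
                if (i > 1) cmd = cmd " --right-of " out[i - 1]
            }
            for (i = 1; i <= m; i++) cmd = cmd " --output " off[i] " --off"
            if (dpi != "") cmd = cmd " --dpi " dpi
            print cmd
        }'
}

# In .xinitrc the live form would be: eval "$(xrandr --query | xrandr_cmd 96)"
printf '%s\n' "$SAMPLE_QUERY" | xrandr_cmd 96
```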
OT : different output compiler:
Hi folks!

I am compiling an ansi c source code and depending on the compiler version i get error messages or not.

With the following environment :

lion# ./mkasd
* Generating config ...
* Building lib ...
* Creating directories ...
* Building bin ...
main.c: In function `main':
main.c:38: warning: `l' might be used uninitialized in this function
* Building sbin ...
* Building dmn ...
* Done.
lion# gcc --version
gcc (GCC) 3.3.5 (propolice)
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

lion# uname -a
OpenBSD lion.my.domain 4.5 GENERIC#1749 i386
lion#

But in an environment like this:

sioux@gustav$ uname -a gcc --version
OpenBSD gustav.cpd.ufv.br 5.2 GENERIC.MP#368 amd64
gcc (GCC) 4.2.1 20070719
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

sioux@gustav$

I got no error message: why ?

The source code for the file is: http://sioux.geekisp.com/main.c

Thanks for your help.
Re: OT : different output compiler:
On Thu, Apr 25, 2013 at 21:17, Friedrich Locke wrote:
> Hi folks!
>
> I am compiling an ansi c source code and depending on the compiler version i get error messages or not.

Different compilers are different? gcc fixed something. or they broke something. either way, they changed something and now it's different.
Re: seeking: xrandr magic
On Thu, Apr 25, 2013 at 03:56:50PM -0400, Ted Unangst wrote:
> I have a laptop. I have a VGA monitor. I want to use them together. The native panel (LVDS1) is 1600x900. The monitor (VGA1) is 1920x1080 and sits to the right of my laptop. intel graphics, amd64 -current.
>
> When I start X, by default I have a mirrored display of 1024x768. I want 1600x900 on the LCD, 1920x1080 on the monitor, and for the desktop to extend from the laptop to the right onto the monitor. I would also like for my fonts to have somewhat predictable sizes and not engage in crazy dpi hijinks.
>
> To accomplish this, I have found some combination of the following xrandr commands works:
>
> xrandr --auto
> xrandr -s 1600x900
> xrandr --output LVDS1 -s 1600x900
> xrandr --output VGA1 -s 1920x1080
> xrandr --output VGA1 --right-of LVDS1
> xrandr --dpi 96
>
> The problem is that running these commands in any particular order doesn't always work. I have to run random permutations of them until everything is correct. Sometimes the commands do nothing, sometimes the monitor just goes blank, sometimes the command does exactly what I want it to do.
>
> Is there a single command I can put in .xinitrc? A single correct sequence of commands?

I've never used xrandr. My working configuration for dual monitor setup consists of the following house of cards in xorg.conf. I say house of cards since I'm not sure why it works in the first place and because I definitely do not dare to touch it to find out.

Section "ServerLayout"
	Screen 0 "Screen0" 0 0
	Screen 1 "Screen1" RightOf "Screen0"
EndSection

Section "Monitor"
	Identifier "Eizo"
	DisplaySize 408 306	# mm
	Option "PreferredMode" "1600x1200"
EndSection

Section "Monitor"
	Identifier "Dell"
	DisplaySize 359 287	# mm
	Option "PreferredMode" "1280x1024"
	Option "RightOf" "Eizo"
EndSection

Section "Device"
	Identifier "Card0"
	Driver "radeon"
	BusID "PCI:1:0:0"
	Option "monitor-DVI-1" "eizo"
	Option "monitor-DVI-0" "dell"
EndSection

Section "Device"
	Identifier "Card1"
	Driver "vesa"
	BusID "PCI:1:0:0"
	Option "monitor-DVI-1" "eizo"
	Option "monitor-DVI-0" "dell"
EndSection

Section "Screen"
	Identifier "Screen0"
	Device "Card0"
	Monitor "Eizo"
	DefaultDepth 24
	SubSection "Display"
		Viewport 0 0
		Depth 24
		Modes "1600x1200"
	EndSubSection
EndSection

Section "Screen"
	Identifier "Screen1"
	Device "Card1"
	Monitor "Dell"
	DefaultDepth 24
	SubSection "Display"
		Viewport 0 0
		Depth 24
		Modes "1280x1024"
	EndSubSection
EndSection

(Irrelevant lines left out.)
PF blocking something it seems it shouldn't
My pflog interface shows something being blocked that simply shouldn't be blocked as far as I understand my pf rules...

11:35:40.461658 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 <nop,nop,timestamp 3483320 114932434> (DF)

My pf.conf...

menger:root # cat /etc/pf.conf
#	$OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if=fxp0
ext_if=pppoe0

#networks
local_net=10.0.0.0/8

#hosts
menger=10.0.0.1
murphy=10.0.0.2
fekete=10.0.0.3

#host port forwarding
murphy_ports = { 8333 }
fekete_ports = { 17001, 39191, 5938, }

#other
tcp_services={ 22 }
icmp_types=echoreq

#queue ports
ssh_ports = { 22, }
im_ports = { 1863, 5190, 5222 }
game_ports = { 27000:27050, 4380 }

altq on $ext_if cbq bandwidth 375Kb queue { std, ssh_im, dns, game }
queue std on $ext_if bandwidth 100Kb cbq(default borrow)
queue ssh_im on $ext_if bandwidth 50Kb priority 3 cbq(red)
queue dns on $ext_if bandwidth 25Kb priority 4
queue game on $ext_if bandwidth 200Kb priority 5 cbq(red)

altq on $int_if cbq bandwidth 100Mb queue { lan, int }
queue lan on $int_if bandwidth 92Mb cbq(default)
queue int on $int_if bandwidth 7500Kb { std, ssh_im, dns, game }
queue std on $int_if bandwidth 6500Kb cbq(borrow)
queue ssh_im on $int_if bandwidth 200Kb priority 4
queue dns on $int_if bandwidth 200Kb priority 5
queue game on $int_if bandwidth 600Kb priority 6 cbq(red)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass		# to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log #RULE 6
pass out quick

match inet proto { tcp udp } queue(std)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im)
match inet proto udp to port $game_ports queue game
match inet from $menger queue lan
match inet to $menger queue lan

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
	port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto { tcp udp } to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto { tcp udp } to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- 
www.johntate.org
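Added example, not from the thread: a sh/awk triage of pflog block lines by the blocked packet's TCP flags. It rests on pf's default `flags S/SA` for pass rules, under which only a SYN can match a stateful pass rule, so a non-SYN TCP packet that reaches the ruleset at all has no state entry and lands on the catch-all block whatever the order of the pass rules; the two extra log lines and their addresses are constructed.

```shell
# Sort pflog "block" lines (tcpdump -n -e -ttt -i pflog0 format) into
# new-connection (SYN, the rule really blocked a connection attempt),
# reply-no-state (SYN/ACK with no matching state) and stateless-midstream
# (any other TCP packet: state expired, was flushed, or the return path is
# asymmetric). Non-TCP lines are left alone.

# Constructed sample: the line from the thread plus two made-up neighbours.
SAMPLE_PFLOG='11:35:40.461658 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 <nop,nop,timestamp 3483320 114932434> (DF)
11:35:41.000000 rule 6/(match) block in on pppoe0: 203.0.113.9.51000 > 198.51.100.7.22: S 1:1(0) win 65535 <mss 1460> (DF)
11:35:42.000000 rule 6/(match) block in on fxp0: 10.0.0.2.40000 > 198.51.100.7.53: udp 40'

pflog_triage() {
    awk '
        # Fields: time rule N/(match) action dir on if: src > dst: flags ...
        $2 == "rule" && $4 == "block" && $11 ~ /^[SFPRUEW.]+$/ {
            rule = $3;  sub(/\/.*/, "", rule)
            iface = $7; sub(/:$/, "", iface)
            dst = $10;  sub(/:$/, "", dst)
            flags = $11
            if (flags ~ /S/ && $0 !~ / ack /) kind = "new-connection"
            else if (flags ~ /S/) kind = "reply-no-state"
            else kind = "stateless-midstream"
            printf "rule %s %s %s %s > %s flags %s: %s\n", rule, $5, iface, $8, dst, flags, kind
        }'
}

printf '%s\n' "$SAMPLE_PFLOG" | pflog_triage
```

A stateless-midstream verdict for the line in question points at missing state rather than at rule order, so the next thing to look at is state lifetime and ruleset reloads, not the pass rules.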