Re: Pflow granularity
Hello,

Many thanks for the idea, I didn't know about softflowd. But I wonder if it is production ready:

* It seems there are no new developments: https://code.google.com/p/softflowd/source/list
* The TODO list is quite long, and has not moved since 2007.
* The counters are not 64 bit, thus flows are limited to 2 Gb
* There is no multiple interface support, all flows are exported with IfIndex 0

I am testing it anyway, it gives me correct graphs with -t maxlife=60.
It's really sad that pflow doesn't have such an option, it would be perfect.

--
Kind regards,
Pierre BARDOU

-----Original Message-----
From: Andy [mailto:a...@brandwatch.com]
Sent: Monday 2 June 2014 18:01
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Pflow granularity

> I think you might have to try softflowd instead of the built-in sflowd..
> These guys had the same problem and moved to softflowd to allow them to analyse DDOS traffic with netflow..
> https://ripe68.ripe.net/presentations/276-DDoS.pdf
>
> Cheers, Andy.
>
> On Mon 02 Jun 2014 14:38:33 BST, BARDOU Pierre wrote:
>> Hello,
>>
>> I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in the implementation: only global statistics about the flow are given (start time, end time, IP/port source, IP/port dest, bits in both ways, ...).
>> So as an example, if somebody establishes an sftp connection, downloads a file @10 Mbps for 2 mins, then waits 2 min and ends the connection, all I will see in the netflow report is a 5 Mbps flow, and I will never know that my 10 Mbps link was saturated.
>>
>> I saw questions about this were already posted on misc@:
>> http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html
>> Some diffs were even posted:
>> http://marc.info/?l=openbsd-misc&m=124661838923498&w=2
>> But it seems they never made their way to the base system.
>>
>> Is there any way to break up long flows in fragments, like the Cisco command "ip flow-cache timeout active" does?

--
Kind regards,
Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr
Before printing this e-mail, think of the environment
bash(1) 'read -n 1' in ksh(1)?
Hello,

In my attempts to write a simple script that lets the user select options with a single key stroke I found no other way than to use bash and its built-in read command with -n 1.

I am looking for a way to do this in ksh(1). Any ideas? Please...

Some snippets from the bash(1) man page:

    read [-ers] [-a aname] [-d delim] [-i text] [-n nchars] [-N nchars]
         [-p prompt] [-t timeout] [-u fd] [name ...]
        One line is read from the standard input, or from the file [...]
        -n nchars
            read returns after reading nchars characters rather than
            waiting for a complete line of input, but honor a delimiter
            if fewer than nchars characters are read before the delimiter.

Thanks in advance, Marcus
Re: bash(1) 'read -n 1' in ksh(1)?
On 6/4/14, Marcus MERIGHI mcmer-open...@tor.at wrote:
> Hello,
>
> In my attempts to write a simple script that lets the user select options with a single key stroke I found no other way than to use bash and its built-in read command with -n 1.
>
> I am looking for a way to do this in ksh(1). Any ideas? Please...

maybe something like this:

--- 8< ---
#!/bin/sh
# TODO handle signals!
stty -icanon

# ask question
echo "1. Sing a song."
echo "2. Read a book."
echo "3. Go to sleep."
echo -n "Make a choice: "

# read answer
ans=`dd count=1 2>/dev/null`
# TODO validation

# print answer
echo
echo "ans=$ans"

# reset
stty icanon
--- 8< ---

--patrick

> Some snippets from the bash(1) man page:
>
>     read [-ers] [-a aname] [-d delim] [-i text] [-n nchars] [-N nchars]
>          [-p prompt] [-t timeout] [-u fd] [name ...]
>         One line is read from the standard input, or from the file [...]
>         -n nchars
>             read returns after reading nchars characters rather than
>             waiting for a complete line of input, but honor a delimiter
>             if fewer than nchars characters are read before the delimiter.
>
> Thanks in advance, Marcus
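A fuller version of the same dd/stty trick, added here as an example that is not from the thread: it saves and restores the terminal settings with a trap (the two TODOs in the script above), falls back to a plain one-byte read when stdin is not a terminal, and validates the key against an allowed set. The script name "menu.sh" used to guard the menu driver is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): single-keystroke menu for ksh(1)/sh(1).
# Same dd/stty idea as above, plus tty restore on exit/signals, a sane
# fallback when stdin is not a terminal, and validation of the key.

# Print the next raw byte from stdin (prints nothing on EOF).
read_key() {
    if [ -t 0 ]; then
        saved=$(stty -g)                   # save current tty settings
        trap 'stty "$saved"' EXIT HUP INT TERM
        stty -icanon -echo min 1 time 0    # return after one byte, no echo
        dd bs=1 count=1 2>/dev/null
        stty "$saved"
        trap - EXIT HUP INT TERM
    else
        dd bs=1 count=1 2>/dev/null        # pipe or file: just take one byte
    fi
}

# choose ALLOWED [TRIES]: read keys until one is in ALLOWED (e.g. "123"),
# print it and return 0. Returns 1 on EOF or after TRIES bad keys (default 10).
choose() {
    allowed=$1
    tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        k=$(read_key; echo x)              # 'x' sentinel keeps a newline key
        k=${k%x}
        [ -n "$k" ] || return 1            # EOF: nothing was read
        case "$allowed" in
            *"$k"*) printf '%s\n' "$k"; return 0 ;;
        esac
        tries=$((tries - 1))
    done
    return 1
}

# Menu driver; only runs when the file is executed as menu.sh (assumed name).
if [ "${0##*/}" = "menu.sh" ]; then
    echo "1. Sing a song."
    echo "2. Read a book."
    echo "3. Go to sleep."
    printf 'Make a choice: '
    if ans=$(choose 123); then
        echo; echo "ans=$ans"
    else
        echo; echo "no valid choice" >&2; exit 1
    fi
fi
```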
Unable to stop nfsen
# ps -ax |grep nfsen | grep -v grep
16371 ??  I        0:27.89 /usr/local/bin/nfcapd -w -D -p -u _nfcapd -g www -B 20 -S 1 -P /var/db/nfsen/r
 1333 ??  Is       2:17.70 perl: /usr/local/bin/nfsend-comm (perl)
 6030 ??  Is      63:05.79 /usr/bin/perl -w /usr/local/bin/nfsend
19674 ??  I        0:00.01 /usr/local/bin/nfexpire -Y -p -e /var/db/nfsen/profiles-data/./live -w 90 -s 1073741824
# /etc/rc.d/nfsen stop
..long time here..
nfsen(failed)
# grep nf /var/log/daemon
Jun  4 13:13:06 gw nfcapd[16371]: ioctl(F_WRLCK) error in nfstatfile.c line 338: Interrupted system call
Jun  4 13:13:06 gw nfcapd[16371]: Terminating nfcapd.
# ps -ax |grep nfsen | grep -v grep
 1333 ??  Is       2:17.82 perl: /usr/local/bin/nfsend-comm (perl)
 6030 ??  Is      63:05.79 /usr/bin/perl -w /usr/local/bin/nfsend
19674 ??  I        0:00.01 /usr/local/bin/nfexpire -Y -p -e /var/db/nfsen/profiles-data/./live -w 90 -s 1073741824

What should I do to stop or restart it?
Re: OpenBSD proxy aka. port forwarding
On 04-06-2014 02:52, Predrag Punosevac wrote:
> Correct! X2Go servers (30 of them) run on Linux computing nodes which are accessible only via OpenBSD ssh gateway.

Figured.

> I am going to answer my own question. I have not been able to use OpenBSD shell gateway as a proxy from the X2Go client, probably due to the fact that only root can do forwarding on privileged ports. However, combining
>
>     ssh -L 8080:x2goserver.int.mydomain.org:22 shell.mydomain.org
>
> with editing /etc/ssh/sshd_config
>
>     GSSAPIAuthentication yes
>     AllowAgentForwarding yes
>     AllowTcpForwarding yes
>     X11Forwarding yes
>
> and pointing the x2go client on my local machine to localhost:8080, I had no problem running MATLAB on the remote computing node and having its GUI displayed locally on my desktop.

In this case, you only need to allow tcp forwarding, since that is the only thing you're doing when logging into the OpenBSD machine. You might want to take a look at the chroot functionalities of the openssh server, I don't think it's a good idea to allow this many users with unrestricted shell access in your OpenBSD machine. Also, I believe that in your case, a VPN would make your life much simpler.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
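A least-privilege version of those sshd_config settings for the gateway, added here as an illustration rather than something posted in the thread (the group name "x2go" is an assumption): TCP forwarding is granted only to the accounts that need it and only toward the X2Go node's port 22, and those accounts get no pty and no shell on the gateway.

```text
# /etc/ssh/sshd_config on the gateway (added example, not from the thread).
# Global defaults stay closed:
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
PermitRootLogin no

# Forwarding-only accounts (group name "x2go" is an assumption). They may
# only open a tunnel to the X2Go node's sshd; list every node, space
# separated, if there are several. With -N the client requests no session,
# so the forced command never runs; without -N the session ends at once.
# Client side:  ssh -N -L 8080:x2goserver.int.mydomain.org:22 shell.mydomain.org
Match Group x2go
    AllowTcpForwarding yes
    PermitOpen x2goserver.int.mydomain.org:22
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
```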
Re: OpenBSD proxy aka. port forwarding
On 04-06-2014 10:29, Predrag Punosevac wrote:
> I was not able to connect to X2Go server without
>
>     GSSAPIAuthentication yes
>
> I can send you the picture of error from x2go client via private e-mail if you want.

I don't doubt you. And it's not that you can't connect. I had this problem in the past, the connection will appear to hang and it might be well more than a minute before you have a shell on the machine. Try logging in with ssh -vvv and see what happens. But this is an issue with your ssh clients (assuming linux clients here), rather than your OpenBSD openssh server. You could try the following configuration in your ssh clients:

    Host *
        GSSAPIAuthentication no

> Why? This OpenBSD machine serves no other purposes but to be shell gateway. What will happen if it gets hacked?

What happens when any other machine gets hacked. Nothing more, nothing less. Giving your users shell access, even when they don't have root access, you are opening yourself to bugs that aren't otherwise exploitable. So, in this case, there is little you can do, just always follow openbsd stable and keep your environment as clean as possible.

> Well then I am already in trouble because probably my computing nodes and my users which I am trying to protect are hacked.
>
> As somebody who is maintaining OpenVPN server and 20 or so clients on our LAB remote location I am intimately familiar how simple is VPN solution. The Lab exists to serve the needs of people who have access to shell gateway machine, not the other way around.

There are lots of options for simplifying OpenVPN deployment. You could generate a windows installer with the users' certificates, or, you could drop certs altogether and use only user/pass authentication. Or use the same certs for every user in combination with user/pass. Also, you don't necessarily need to use OpenVPN. There is the l2tp/ipsec option, plain ipsec and (argh) pptp.
Depending on which operating system your clients are using, they can have all of these vpn options already installed with it.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: Contributing to OpenBSD documentation
On 2014-06-03, Enric Morales li...@enric.me wrote:
> Hi Mark, Anders,
>
> On 03 Jun 2014 12:40, Marc Espie wrote:
>> Find stuff that doesn't work properly and figure out what's going on. Even without code, complete *reproducible* bug reports are invaluable resources. (hint: anything that dumps cores is a bug).
>
> I too was trying to find areas where I can help. The first one was buying a couple of T-shirts (I just received an opensource-ami and a wireframe blowfish) but thanks to your message, Mark, I'll send some core dumps I had lying around. Specifically, firefox and some other apps were coredumping quite often (not sure the coredumps can be tied to OpenBSD, though), but I'll surely keep an eye on that.

sending core dumps isn't going to help anything.. using them with gdb on your own system to get additional information to help track down bugs is helpful (getting a backtrace is a good start), delving deeper needs a bit more programming knowledge but it's actually quite easy to get started, at least with bugs in simpler programs.

What is much more helpful is working out what conditions trigger the crash and writing them up so that somebody else can replicate it...
Re: ftp.fr mirror is going down
> The ftp.fr mirror is going down for an undefined period of time (could be forever). Please migrate to another mirror for the time being.

Hi.

So, ftp.fr should be back in about 10 days in full shape on much much better hardware for a long time hopefully ;-)

Sorry for the inconvenience.

--
Antoine
Re: Pflow granularity
On 2014-06-02, Andy a...@brandwatch.com wrote:
> I think you might have to try softflowd instead of the built-in sflowd..
> These guys had the same problem and moved to softflowd to allow them to analyse DDOS traffic with netflow..
> https://ripe68.ripe.net/presentations/276-DDoS.pdf

see also the video from UKNOF28, though my understanding was that a big part of the reason for softflowd was to capture stats from blocked packets.
Re: OpenBSD proxy aka. port forwarding
On 04-06-2014 12:36, sven falempin wrote:
> On Wed, Jun 4, 2014 at 9:47 AM, Giancarlo Razzolini grazzol...@gmail.com wrote:
>> On 04-06-2014 10:29, Predrag Punosevac wrote:
>>> I was not able to connect to X2Go server without
>>>
>>>     GSSAPIAuthentication yes
>>>
>>> I can send you the picture of error from x2go client via private e-mail if you want.
>>
>> I don't doubt you. And it's not that you can't connect. I had this problem in the past, the connection will appear to hang and it might be well more than a minute before you have a shell on the machine. Try logging in with ssh -vvv and see what happens. But this is an issue with your ssh clients (assuming linux clients here), rather than your OpenBSD openssh server. You could try the following configuration in your ssh clients:
>>
>>     Host *
>>         GSSAPIAuthentication no
>>
>>> Why? This OpenBSD machine serves no other purposes but to be shell gateway. What will happen if it gets hacked?
>>
>> What happens when any other machine gets hacked. Nothing more, nothing less. Giving your users shell access, even when they don't have root access, you are opening yourself to bugs that aren't otherwise exploitable. So, in this case, there is little you can do, just always follow openbsd stable and keep your environment as clean as possible.
>>
>>> Well then I am already in trouble because probably my computing nodes and my users which I am trying to protect are hacked.
>>>
>>> As somebody who is maintaining OpenVPN server and 20 or so clients on our LAB remote location I am intimately familiar how simple is VPN solution. The Lab exists to serve the needs of people who have access to shell gateway machine, not the other way around.
>>
>> There are lots of options for simplifying OpenVPN deployment. You could generate a windows installer with the users' certificates, or, you could drop certs altogether and use only user/pass authentication. Or use the same certs for every user in combination with user/pass. Also, you don't necessarily need to use OpenVPN.
>> There is the l2tp/ipsec option, plain ipsec and (argh) pptp. Depending on which operating system your clients are using, they can have all of these vpn options already installed with it.
>>
>> Cheers,
>>
>> --
>> Giancarlo Razzolini
>> GPG: 4096R/77B981BC
>
> +giancarlo if you have an OpenBSD setup that provides an ipsec vpn working for windows AND ipad AND android I would really be listening carefully how you perform that.

I don't know about windows clients, been a long time since I ever used windows that wasn't on a virtual machine for only one specific purpose. But, with npppd I did have a vpn setup with pptp that worked both on ios and on android. I believe that with l2tp/ipsec it would be relatively simple as well to implement working on both, also. But, since Apple approved the OpenVPN iOS client, I've been using only this, for my VPN needs.

Predrag, I really believe that you should take a look at relayd(8). It does what you want with the plus of not needing to give your users a shell on the machine. Another plus is the possibility of redirecting your clients to their respective nodes, without the need for them to select the node beforehand, and also with failover and round robin capabilities.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
CPU power consumption on thinkpad x201 on openbsd current
I'm trying to migrate from Linux to OpenBSD on my laptop (thinkpad x201).

The first problem that I came across was that the CPU fan speed was running constantly at 3500RPM. After the acpithinkpad.c patch from jcs (and I modified it to make it work on openbsd-current; link: http://exclude.se/patch/jcs_mod_by_js.diff)

Another thing that I noticed is that the battery lifetime is really bad. In Linux I get around ~5,5 hours. In OpenBSD I get around 2 hours.

When I ran:

    sysctl hw.sensors | grep -i consumption

the output for the cpu was 6W. In Linux it's around 1,5W. With apmd -C and apmd -L it's the same.

dmesg: http://exclude.se/openbsd/dmesg.txt

Is there any way to fix this?

Regards
Johan Svensson
Re: Multi-VRF bgpd (no MPLS)
BARDOU Pierre bardou.p at mipih.fr writes:
> ...

I'm running into the same thing with bgp. I also tried ospf6d, which seemed to get stuck in init, but never fully joined. Did you ever come across a solution?
Re: CPU power consumption on thinkpad x201 on openbsd current
On 06/04/14 17:08, Johan Svensson wrote:
> I'm trying to migrate from Linux to OpenBSD on my laptop (thinkpad x201).
>
> The first problem that I came across was that the CPU fan speed was running constantly at 3500RPM. After the acpithinkpad.c patch from jcs (and I modified it to make it work on openbsd-current; link: http://exclude.se/patch/jcs_mod_by_js.diff)
>
> Another thing that I noticed is that the battery lifetime is really bad. In Linux I get around ~5,5 hours. In OpenBSD I get around 2 hours.
>
> When I ran:
>
>     sysctl hw.sensors | grep -i consumption
>
> the output for the cpu was 6W. In Linux it's around 1,5W. With apmd -C and apmd -L it's the same.
>
> dmesg: http://exclude.se/openbsd/dmesg.txt
>
> Is there any way to fix this?
>
> Regards
> Johan Svensson

Take a look at hw.setperf in sysctl. I think you are running at the maximum cpu speed? On my 2.8GHz W500 I can run at 800, 1600, 2133 and 2801. 800MHz makes a huge difference. You have to try different values for setperf to see what happens. sysctl will also tell you the speed in hw.cpuspeed.

--STeve Andre'