Re: Route-to with a dynamic 'next hop'
Ok I got it working. Here is what I did:

- Enabled multipath routing (sysctl)
- Added the relayd anchor to pf.conf
- Created a relayd.conf with this in it:

    gw1=fxp0
    gw2=fxp1

    table <gateways> { $gw1 ip ttl 1, $gw2 ip ttl 1 }

    router uplinks {
        route 0.0.0.0/0
        forward to <gateways> check icmp
    }

- Started relayd
- Reloaded pf.conf

I then could see with 'relayctl show summary' my two gateways and their 'up' status as well as the default route to each with 'route show'. When I 'ifconfig down' one interface, 'relayctl show summary' showed it as down and then the default route to it was removed automatically. Awesomeness.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes
Sent: Wednesday, October 8, 2014 10:56 PM
To: misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

I just watched Reyk's youtube. I'm going with relayd. I can see the 'routers' section in the man page for relayd to do what I want.
http://www.youtube.com/watch?v=JtMxGslqGbM

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes
Sent: Wednesday, October 8, 2014 10:04 PM
To: misc@openbsd.org
Subject: Route-to with a dynamic 'next hop'

Greetings all - I have 2 internet connections. One of them is static IP, one is dynamic. I want to use both of them on my gateway. From the man pages and other docs I see the use of route-to in the pf.conf including the 'next-hop' that it requires. This is easy enough. Problem is that the next hop is a hard-coded IP in all examples. I need that next hop to get updated when my one WAN DHCP link is updated. I know about if:peer, if:broadcast, if:network etc. but there is no if:gateway. Seems like you could have used dhclient-script to adjust the pf config when the IP changed but dhclient-script has been removed. I also read that relayd has become the best option to accomplish this uplink load balancing in current versions of OpenBSD.

I wanted to check with you all to make sure I'm not missing something basic with the load balanced uplink scenario in OpenBSD. As always, comments and suggestions are much appreciated.

J
rc.conf issue on upgrade from 5.5 to 5.6
Hi,

I was just testing upgrades prior to the 5.6 release and noticed items in rc.conf.local were being ignored. After a bit of digging I noticed rc.subr had some changes and, more importantly, there were quite a few changes to rc.conf. Cutting to the chase, replacing rc.conf on the upgraded 5.5 machine with the 5.6_BASE one fixed the issue and items were being picked up in rc.conf.local again.

Just thought I would point it out as rc.conf isn't replaced when using the upgrade feature in the 5.6 release.

Cheers,
Jason.
Re: Securing communications with OpenBSD
On Tue, 7 Oct 2014 07:08:54 + C. L. Martinez carlopm...@gmail.com wrote:

On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell campb...@neotext.ca wrote:

The most basic consideration in computer security has nothing to do with technology and computers. Do the people you need to keep out of the know need to know enough to come and break legs? If so, don't bother encrypting. They may not just break legs.

Dhu

On Mon, 06 Oct 2014 13:48:33 -0600 chester.t.fi...@hushmail.com wrote:

Very true, filling your subterranean data server with angry hornets certainly seems like a good idea but it's really not, most AC maintenance contractors will charge you extra (usually per sting!).

Chester T. Field

And remember when I left all the meat out because I saw Mr. David Lynch “I’m on TV” do it, and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ it? - Gandhi

On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:

Yes, my goal is to secure the infrastructure as much as possible.

I don't know the details but it sounds overly complex. And complexity may cause other issues, without any benefit for security. For example, you don't have to encrypt your whole hard disk if the hard disk is located in a guarded bunker. If you do that, it will increase security in theory but it may cause a service outage if you always have to type your crypt password locally when the machine crashes. I would put this effort into ease of maintainability and ease of monitoring, use a stateful firewall, deploy a honeypot etc. and avoid complexity.

Thanks guys for your answers. I know it: our IT sec. dept. adds complexity to our infrastructure, but they are determined to do so. Searching via google I found this: http://www.safenet-inc.com/data-encryption/ HSM: hardware security modules ... But there exists another problem. If I would like to use some SSL/TLS or IPsec based solution, how can I authenticate these servers between them without compromising host security?? Any ideas??

Is man 8 iked what you are looking for?

Dhu
--
Ne obliviscaris, vix ea nostra voco.
Re: Securing communications with OpenBSD
On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell campb...@neotext.ca wrote:

On Tue, 7 Oct 2014 07:08:54 + C. L. Martinez carlopm...@gmail.com wrote:

On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell campb...@neotext.ca wrote:

The most basic consideration in computer security has nothing to do with technology and computers. Do the people you need to keep out of the know need to know enough to come and break legs? If so, don't bother encrypting. They may not just break legs.

Dhu

On Mon, 06 Oct 2014 13:48:33 -0600 chester.t.fi...@hushmail.com wrote:

Very true, filling your subterranean data server with angry hornets certainly seems like a good idea but it's really not, most AC maintenance contractors will charge you extra (usually per sting!).

Chester T. Field

And remember when I left all the meat out because I saw Mr. David Lynch “I’m on TV” do it, and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ it? - Gandhi

On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:

Yes, my goal is to secure the infrastructure as much as possible.

I don't know the details but it sounds overly complex. And complexity may cause other issues, without any benefit for security. For example, you don't have to encrypt your whole hard disk if the hard disk is located in a guarded bunker. If you do that, it will increase security in theory but it may cause a service outage if you always have to type your crypt password locally when the machine crashes. I would put this effort into ease of maintainability and ease of monitoring, use a stateful firewall, deploy a honeypot etc. and avoid complexity.

Thanks guys for your answers. I know it: our IT sec. dept. adds complexity to our infrastructure, but they are determined to do so. Searching via google I found this: http://www.safenet-inc.com/data-encryption/ HSM: hardware security modules ... But there exists another problem. If I would like to use some SSL/TLS or IPsec based solution, how can I authenticate these servers between them without compromising host security?? Any ideas??

Is man 8 iked what you are looking for?

Dhu

Uhmm... I don't understand your question Duncan... To use IPsec is a possibility.
Re: smtpd smarthost ISP config
On 08/10/14 04:05 PM, admin wrote:

Hello. Current Sep 25 i386: I want to use shawmail.vc.shawcable.net as smarthost, and I tried smtp://, tls+auth:// and the others with failing results. What could be wrong? Thanks.

--

    # $OpenBSD: smtpd.conf,v 1.7 2014/03/12 18:21:34 tedu Exp $
    # This is the smtpd server system-wide configuration file.
    # See smtpd.conf(5) for more information.

    # To accept external mail, replace with: listen on all
    #
    #listen on lo0
    #listen on rl0
    listen on all

    table aliases db:/etc/mail/aliases.db

    # Uncomment the following to accept external mail for domain example.org
    #
    accept from any for domain example.ca alias <aliases> deliver to mbox
    accept for local alias <aliases> deliver to mbox
    accept from local for any relay via smtp://shawmail.vc.shawcable.net

OK, it is working now! I did 2 things:

1. rebooted the system
2. cleaned the queue.
Re: combination of ssh port forwarding and pf redirection
On 08-10-2014 18:25, stan wrote:

Anyone have any suggestions as to how to make this work?

Did you try the suggestion I gave you off list, of making two ssh connections? Also, could you provide more details of your setup? Both your e-mails trying to explain it were confusing. I think I understood what you want, but I'm not sure.

Cheers
Route-to dynamic next hop
I have 2 internet connections. One of them is static IP, one is dynamic. I want to use both of them on my gateway. From the man pages and other docs I see the use of route-to in the pf.conf including the 'next-hop' that it requires. This is easy enough. Problem is that the next hop is a hard-coded IP in all examples. I need that next hop to get updated when my one WAN DHCP link is updated. I know about if:peer, if:broadcast, if:network etc. but there is no if:gateway. Seems like you could have used dhclient-script to adjust the pf config when the IP changed but dhclient-script has been removed. It also seems like relayd has become the best option to accomplish this uplink load balancing.

I just wanted to check with you all to make sure I'm not missing something basic with the load balanced uplink scenario in OpenBSD. As always, comments and suggestions are much appreciated.

J
Re: Route-to with a dynamic 'next hop'
On 09-10-2014 02:58, Justin Mayes wrote:

Ok I got it working. Here is what I did:

- Enabled multipath routing (sysctl)
- Added the relayd anchor to pf.conf
- Created a relayd.conf with this in it:

    gw1=fxp0
    gw2=fxp1

    table <gateways> { $gw1 ip ttl 1, $gw2 ip ttl 1 }

    router uplinks {
        route 0.0.0.0/0
        forward to <gateways> check icmp
    }

- Started relayd
- Reloaded pf.conf

I then could see with 'relayctl show summary' my two gateways and their 'up' status as well as the default route to each with 'route show'. When I 'ifconfig down' one interface, 'relayctl show summary' showed it as down and then the default route to it was removed automatically. Awesomeness.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes
Sent: Wednesday, October 8, 2014 10:56 PM
To: misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

I just watched Reyk's youtube. I'm going with relayd. I can see the 'routers' section in the man page for relayd to do what I want.
http://www.youtube.com/watch?v=JtMxGslqGbM

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes
Sent: Wednesday, October 8, 2014 10:04 PM
To: misc@openbsd.org
Subject: Route-to with a dynamic 'next hop'

Greetings all - I have 2 internet connections. One of them is static IP, one is dynamic. I want to use both of them on my gateway. From the man pages and other docs I see the use of route-to in the pf.conf including the 'next-hop' that it requires. This is easy enough. Problem is that the next hop is a hard-coded IP in all examples. I need that next hop to get updated when my one WAN DHCP link is updated. I know about if:peer, if:broadcast, if:network etc. but there is no if:gateway. Seems like you could have used dhclient-script to adjust the pf config when the IP changed but dhclient-script has been removed. I also read that relayd has become the best option to accomplish this uplink load balancing in current versions of OpenBSD.

I wanted to check with you all to make sure I'm not missing something basic with the load balanced uplink scenario in OpenBSD. As always, comments and suggestions are much appreciated.

J

There is no need to use relayd. Plain pf rules would do the trick, even on your dynamic interface. The relayd conf you made will only detect failure at the LAN network level. It will not detect internet failure. For that you would need to add other checks through icmp to ping external IP addresses, or a check script. There is also the option of using ifstated. As for the rules part, you could use route-to direct to the interface.

Cheers
Re: Route-to with a dynamic 'next hop'
I did notice the problem with only detecting a LAN failure and was looking at a better monitor. If I just used plain PF rules what would I use for the next-hop parameter to the route-to command? This IP is dynamic.

-----Original Message-----
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Thursday, October 9, 2014 7:26 AM
To: Justin Mayes; misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

On 09-10-2014 02:58, Justin Mayes wrote:

Ok I got it working. Here is what I did:

- Enabled multipath routing (sysctl)
- Added the relayd anchor to pf.conf
- Created a relayd.conf with this in it:

    gw1=fxp0
    gw2=fxp1

    table <gateways> { $gw1 ip ttl 1, $gw2 ip ttl 1 }

    router uplinks {
        route 0.0.0.0/0
        forward to <gateways> check icmp
    }

- Started relayd
- Reloaded pf.conf

I then could see with 'relayctl show summary' my two gateways and their 'up' status as well as the default route to each with 'route show'. When I 'ifconfig down' one interface, 'relayctl show summary' showed it as down and then the default route to it was removed automatically. Awesomeness.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes
Sent: Wednesday, October 8, 2014 10:56 PM
To: misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

I just watched Reyk's youtube. I'm going with relayd. I can see the 'routers' section in the man page for relayd to do what I want.
http://www.youtube.com/watch?v=JtMxGslqGbM

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes
Sent: Wednesday, October 8, 2014 10:04 PM
To: misc@openbsd.org
Subject: Route-to with a dynamic 'next hop'

Greetings all - I have 2 internet connections. One of them is static IP, one is dynamic. I want to use both of them on my gateway. From the man pages and other docs I see the use of route-to in the pf.conf including the 'next-hop' that it requires. This is easy enough. Problem is that the next hop is a hard-coded IP in all examples. I need that next hop to get updated when my one WAN DHCP link is updated. I know about if:peer, if:broadcast, if:network etc. but there is no if:gateway. Seems like you could have used dhclient-script to adjust the pf config when the IP changed but dhclient-script has been removed. I also read that relayd has become the best option to accomplish this uplink load balancing in current versions of OpenBSD.

I wanted to check with you all to make sure I'm not missing something basic with the load balanced uplink scenario in OpenBSD. As always, comments and suggestions are much appreciated.

J

There is no need to use relayd. Plain pf rules would do the trick, even on your dynamic interface. The relayd conf you made will only detect failure at the LAN network level. It will not detect internet failure. For that you would need to add other checks through icmp to ping external IP addresses, or a check script. There is also the option of using ifstated. As for the rules part, you could use route-to direct to the interface.

Cheers
Re: Route-to with a dynamic 'next hop'
On 09-10-2014 10:16, Justin Mayes wrote:

I did notice the problem with only detecting a LAN failure and was looking at a better monitor. If I just used plain PF rules what would I use for the next-hop parameter to the route-to command? This IP is dynamic.

There is no next-hop. Just make your rule point to the interface: route-to (if). You can also make it route-to if. In either case, you'd be better off using ifstated/relayd with anchors to dynamically change your rules in case of link failures. Also, if possible, use snmp to query your modems/routers to determine the internet link availability.

Cheers
Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?
Hello

We have a somewhat curious issue and have run out of ideas ;) We do not have a trigger to reproduce the issue, but we for example see some IRC disconnects from users behind our firewall.

What we have:
- two HP Proliant DL360 G5 with Broadcom BCM5708 NICs, 2GB RAM, Intel Xeon E5335@2.0GHz
- OpenBSD 5.5
- trunk between the two NICs
- 13 VLAN interfaces with carp failover
- one VLAN for pfsync
- ospfd and ospf6d
- approx. 200Mbit/s of traffic
- the initial pfsync takes quite long (~1h)

The setup looks like this (not sure if relevant):
- both servers have a failover trunk with two interfaces
- all traffic including pfsync is sent over this trunk
- the problem also occurs if we disable one box

What happens/what we tried:

The main issue is that we occasionally see broken SSH connections and quite a lot of broken IRC connections during the day. It looks a bit like the problem happens more in the evening - however we do not see a correlation with the amount of traffic or number of connections.

As a first reaction we updated to the latest stable OpenBSD release which didn't solve the issue. Afterwards we replaced the onboard Broadcom NIC with a PCIe Intel 82576 (em driver) card, however this card seems to cause some new issues - i.e. we see quite some input (rx) errors using netstat -i. Because we don't see such errors using the Broadcom NICs we decided not to investigate this issue any further and switched back to the Broadcom setup.

Besides those steps we also disabled one of the boxes by stopping ospf and removing the carp interfaces - however, the disconnects didn't go away. Furthermore we also checked if any state tables are overflowing and we didn't find any suspicious kernel messages either.

We have quite a similar setup which doesn't show those issues - however we don't have the same amount of traffic over those systems.

I uploaded some information about the system to this place:
* sysctl -a http://dpaste.com/08VBA93
* pfctl (w/o rules and states) http://dpaste.com/2BBJG5P

Feel free to ask for more if needed.

Long story short; do you have any hints or ideas where we could look next? Did you ever see such a problem in another setup? At least to me, it looks like long-running sessions (like IRC) are somehow affected - does this ring some bells?

I appreciate any hints and hope that I didn't miss any important information - otherwise feel free to bug me.

Thanks in advance and have a nice day!

Kind regards,
Nicolas
Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?
I can confirm that we've seen this with any long running TCP connections in environments where pf was literally only sampling packets for pflow (not even actually firewalling.) Removing pf from the equation fixed the problem right up. 5.5 current was what I was running at the time.

On 10/9/2014 午後 10:52, Nicolas Christener wrote:

Hello

We have a somewhat curious issue and have run out of ideas ;) We do not have a trigger to reproduce the issue, but we for example see some IRC disconnects from users behind our firewall.

What we have:
- two HP Proliant DL360 G5 with Broadcom BCM5708 NICs, 2GB RAM, Intel Xeon E5335@2.0GHz
- OpenBSD 5.5
- trunk between the two NICs
- 13 VLAN interfaces with carp failover
- one VLAN for pfsync
- ospfd and ospf6d
- approx. 200Mbit/s of traffic
- the initial pfsync takes quite long (~1h)

The setup looks like this (not sure if relevant):
- both servers have a failover trunk with two interfaces
- all traffic including pfsync is sent over this trunk
- the problem also occurs if we disable one box

What happens/what we tried:

The main issue is that we occasionally see broken SSH connections and quite a lot of broken IRC connections during the day. It looks a bit like the problem happens more in the evening - however we do not see a correlation with the amount of traffic or number of connections.

As a first reaction we updated to the latest stable OpenBSD release which didn't solve the issue. Afterwards we replaced the onboard Broadcom NIC with a PCIe Intel 82576 (em driver) card, however this card seems to cause some new issues - i.e. we see quite some input (rx) errors using netstat -i. Because we don't see such errors using the Broadcom NICs we decided not to investigate this issue any further and switched back to the Broadcom setup.

Besides those steps we also disabled one of the boxes by stopping ospf and removing the carp interfaces - however, the disconnects didn't go away. Furthermore we also checked if any state tables are overflowing and we didn't find any suspicious kernel messages either.

We have quite a similar setup which doesn't show those issues - however we don't have the same amount of traffic over those systems.

I uploaded some information about the system to this place:
* sysctl -a http://dpaste.com/08VBA93
* pfctl (w/o rules and states) http://dpaste.com/2BBJG5P

Feel free to ask for more if needed.

Long story short; do you have any hints or ideas where we could look next? Did you ever see such a problem in another setup? At least to me, it looks like long-running sessions (like IRC) are somehow affected - does this ring some bells?

I appreciate any hints and hope that I didn't miss any important information - otherwise feel free to bug me.

Thanks in advance and have a nice day!

Kind regards,
Nicolas
Re: Route-to with a dynamic 'next hop'
My understanding of route-to is that if the destination is not on the same network as the 'route-to' interface, you need the second 'next hop' parameter. All examples I was seeing show pf.conf this way. Is that not right? I will test with just the interface name.

-----Original Message-----
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Thursday, October 9, 2014 8:52 AM
To: Justin Mayes; misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

On 09-10-2014 10:16, Justin Mayes wrote:

I did notice the problem with only detecting a LAN failure and was looking at a better monitor. If I just used plain PF rules what would I use for the next-hop parameter to the route-to command? This IP is dynamic.

There is no next-hop. Just make your rule point to the interface: route-to (if). You can also make it route-to if. In either case, you'd be better off using ifstated/relayd with anchors to dynamically change your rules in case of link failures. Also, if possible, use snmp to query your modems/routers to determine the internet link availability.

Cheers
Re: Route-to with a dynamic 'next hop'
In Reyk's presentation he talks about this (http://www.youtube.com/watch?v=JtMxGslqGbM) @ 19:30 and describes the 'link balancer' functionality of relayd intended to do exactly what I want. It appears to work as described. In the presentation Reyk says relayd will check for upstream router availability but the conf example just pings the interface, it appears. Sorry for all the babble but I am away from the location where I have 2 internet connections so I cannot test this stuff right now as I normally would.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Justin Mayes
Sent: Thursday, October 9, 2014 9:05 AM
To: grazzol...@gmail.com; misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

My understanding of route-to is that if the destination is not on the same network as the 'route-to' interface, you need the second 'next hop' parameter. All examples I was seeing show pf.conf this way. Is that not right? I will test with just the interface name.

-----Original Message-----
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Thursday, October 9, 2014 8:52 AM
To: Justin Mayes; misc@openbsd.org
Subject: Re: Route-to with a dynamic 'next hop'

On 09-10-2014 10:16, Justin Mayes wrote:

I did notice the problem with only detecting a LAN failure and was looking at a better monitor. If I just used plain PF rules what would I use for the next-hop parameter to the route-to command? This IP is dynamic.

There is no next-hop. Just make your rule point to the interface: route-to (if). You can also make it route-to if. In either case, you'd be better off using ifstated/relayd with anchors to dynamically change your rules in case of link failures. Also, if possible, use snmp to query your modems/routers to determine the internet link availability.

Cheers
Re: Securing communications with OpenBSD
On Thu, 9 Oct 2014 08:15:22 + C. L. Martinez carlopm...@gmail.com wrote:

On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell campb...@neotext.ca wrote:

On Tue, 7 Oct 2014 07:08:54 + C. L. Martinez carlopm...@gmail.com wrote:

On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell campb...@neotext.ca wrote:

The most basic consideration in computer security has nothing to do with technology and computers. Do the people you need to keep out of the know need to know enough to come and break legs? If so, don't bother encrypting. They may not just break legs.

Dhu

On Mon, 06 Oct 2014 13:48:33 -0600 chester.t.fi...@hushmail.com wrote:

Very true, filling your subterranean data server with angry hornets certainly seems like a good idea but it's really not, most AC maintenance contractors will charge you extra (usually per sting!).

Chester T. Field

And remember when I left all the meat out because I saw Mr. David Lynch “I’m on TV” do it, and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ it? - Gandhi

On 10/6/2014 at 1:37 PM, Matti Karnaattu mkarnaa...@gmail.com wrote:

Yes, my goal is to secure the infrastructure as much as possible.

I don't know the details but it sounds overly complex. And complexity may cause other issues, without any benefit for security. For example, you don't have to encrypt your whole hard disk if the hard disk is located in a guarded bunker. If you do that, it will increase security in theory but it may cause a service outage if you always have to type your crypt password locally when the machine crashes. I would put this effort into ease of maintainability and ease of monitoring, use a stateful firewall, deploy a honeypot etc. and avoid complexity.

Thanks guys for your answers. I know it: our IT sec. dept. adds complexity to our infrastructure, but they are determined to do so. Searching via google I found this: http://www.safenet-inc.com/data-encryption/ HSM: hardware security modules ... But there exists another problem. If I would like to use some SSL/TLS or IPsec based solution, how can I authenticate these servers between them without compromising host security?? Any ideas??

Is man 8 iked what you are looking for?

Dhu

Uhmm... I don't understand your question Duncan... To use IPsec is a possibility.

Possibly 'cause I don't understand yours. You want to authenticate servers without compromising host security, which to me implies the use of something like iked, the Internet Key Exchange (IKEv2) daemon, which performs mutual authentication and which establishes and maintains IPsec flows and security associations (SAs) between the two peers. You don't need iked to run something like ipsec. You can exchange the keys some different way like, say, multiple redundant one time pads and couriers (for the truly 'noidal).

Dhu
--
Ne obliviscaris, vix ea nostra voco.
Re: Route-to with a dynamic 'next hop'
On 09-10-2014 11:23, Justin Mayes wrote:

In Reyk's presentation he talks about this (http://www.youtube.com/watch?v=JtMxGslqGbM) @ 19:30 and describes the 'link balancer' functionality of relayd intended to do exactly what I want. It appears to work as described. In the presentation Reyk says relayd will check for upstream router availability but the conf example just pings the interface, it appears. Sorry for all the babble but I am away from the location where I have 2 internet connections so I cannot test this stuff right now as I normally would.

Link balancer doesn't mean link failover. Also, with multipath you already have your links balanced, provided they have the same route priority. You can extend the relayd functionality through the use of scripts and achieve link failover. But, in this case, I believe that a state machine, such as ifstated, is better suited for the job. Also, it has network interface failure detection for free, without the need for icmp checks. Take a look at it and see if it helps in your case. I've been using it for years to balance/failover multiple links (not just two) with no issue. Of course it will have to interact with your pf rules, mostly through the use of anchors.

Cheers
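The two halves of this thread, Justin reading the host status from 'relayctl show summary' and Giancarlo's advice to point route-to at the interface and swap rules through a pf anchor, can be tied together in a few lines of sh. The script below is an added example, not code from the thread, from relayd or from pf: it reads relayd's host lines, maps each gateway address that is "up" to its uplink interface, emits a route-to rule for the live interfaces (a round-robin pool when more than one is up, nothing when none is) and, when run as 'sh uplinks.sh apply', loads that ruleset into an anchor with 'pfctl -a uplinks -f -'. The gateway addresses, the fxp0/fxp1/em0 interface names, the anchor name and the sample relayctl output are assumptions or constructed; pf.conf is assumed to carry an 'anchor "uplinks"' line so the generated rules are evaluated.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild a pf anchor from the uplinks
# relayd currently reports as "up". Assumes pf.conf contains
#   anchor "uplinks"
# and that LAN clients arrive on $LAN_IF (em0 here; an assumption).

LAN_IF=${LAN_IF:-em0}

# Constructed sample of `relayctl show summary` with one uplink down.
SAMPLE_SUMMARY='Id  Type    Name          Avlblty  Status
1   router  uplinks                active
1   table   gateways:0             active (2 hosts)
1   host    192.0.2.1     100.00%  up
2   host    198.51.100.1    0.00%  down'

# Gateway address -> interface it is reached through (assumed values).
gw_iface() {
    case "$1" in
        192.0.2.1)    echo fxp0 ;;
        198.51.100.1) echo fxp1 ;;
        *)            return 1 ;;
    esac
}

# stdin: relayctl show summary; stdout: addresses of hosts whose status is "up".
up_gateways() {
    awk '$2 == "host" && $NF == "up" { print $3 }'
}

# args: live gateway addresses; stdout: the anchor ruleset.
# One live uplink -> route-to (ifname) as suggested in the reply above;
# several -> a round-robin pool of interfaces; none -> an empty anchor,
# which leaves forwarding to the kernel routing table.
gen_rules() {
    pool=""
    for gw in "$@"; do
        ifc=$(gw_iface "$gw") || continue   # skip addresses we cannot map
        pool="${pool:+$pool, }($ifc)"
    done
    if [ -z "$pool" ]; then
        echo "# no uplink is up: anchor left empty"
        return 0
    fi
    case "$pool" in
        *,*) printf 'pass in on %s from %s:network to ! %s:network route-to { %s } round-robin\n' \
                 "$LAN_IF" "$LAN_IF" "$LAN_IF" "$pool" ;;
        *)   printf 'pass in on %s from %s:network to ! %s:network route-to %s\n' \
                 "$LAN_IF" "$LAN_IF" "$LAN_IF" "$pool" ;;
    esac
}

# stdin: relayctl summary; stdout: rules for the uplinks that are up.
build_anchor() {
    set -- $(up_gateways)
    gen_rules "$@"
}

if [ "${1:-}" = apply ]; then
    # Live path: replace the anchor's rules from stdin in one pfctl call.
    relayctl show summary | build_anchor | pfctl -a uplinks -f -
else
    # Demo path: show what the constructed sample would load.
    printf '%s\n' "$SAMPLE_SUMMARY" | build_anchor
fi
```

Loading through an anchor keeps the main ruleset untouched, so a bad mapping only ever affects the anchor; the same generator can be driven from an ifstated state transition or a cron job instead of relayctl, and a 'pfctl -a uplinks -sr' afterwards shows exactly what was installed.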
Re: Firewall: Where is the bottleneck?
Hi, Just so I understand what you have done, PRIQ is not the same as queuing. You can set a simple prio on a rule like;

    pass proto tcp from $left to $right set prio (1,4)

But this doesn't manage the situations where you have lots of different types/profiles of traffic on your network. For example you might have some big file transfers going on which can be delayed and can have a high latency but high throughput, alongside your control/real-time protocols which need low latency etc. Generally in this situation just using prio won't always be enough and your file transfers will still swamp your interactive SSH or VNC connections etc.. So we do something like this;

    altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
    oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
    oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
    oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 100 hfsc(realtime 5%, linkshare 10%)
    oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
    oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
    oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
    oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
    oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)

    altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
    oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
    oldqueue _wan_rt on $if_trunk2 bandwidth 20% priority 7 qlimit 50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
    oldqueue _wan_int on $if_trunk2 bandwidth 10% priority 5 qlimit 100 hfsc(realtime 5%, linkshare 10%)
    oldqueue _wan_pri on $if_trunk2 bandwidth 10% priority 4 qlimit 100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
    oldqueue _wan_vpn on $if_trunk2 bandwidth 30% priority 3 qlimit 300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
    oldqueue _wan_web on $if_trunk2 bandwidth 10% priority 2 qlimit 300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
    oldqueue _wan_dflt on $if_trunk2 bandwidth 15% priority 1 qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
    oldqueue _wan_bulk on $if_trunk2 bandwidth 5% priority 0 qlimit 100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)

    pass quick proto { tcp, udp } from { (vlan1:network) } to { (vlan234:network) } port { 4569, 5060, 1:2 } queue _wan_rt set prio 7
    pass quick proto { tcp, udp } from { (vlan1:network) } to { (vlan234:network) } port { 53, 123, 5900 } queue _wan_pri set prio 4
    pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) } port { 80, 443 } queue (_wan_web,_wan_pri) set prio (2,4)
    pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) } port { ssh } queue (_wan_bulk,_wan_int) set prio (0,5)
    .
    . All the other rules needing higher priority than the rest
    .
    pass quick proto { tcp, udp, icmp } from { (vlan1:network) } to { (vlan234:network) } queue (_wan_bulk,_wan_pri) set prio (0,4)

NB; This is the old syntax for queues and I strongly recommend reading the 3rd edition of The Book of PF (a must read for *anyone* new or old to OpenBSD and PF) :) and using the new syntax.

The rule I use is that whenever one queue starts to get used too much and there is more than one type of traffic in a queue (here in this example I have DNS, NTP and VNC in the same queue) and if they start to affect each other, it's time to split the traffic out into further separate queues. So here you would split VNC into its own queue to stop VNC swamping the DNS queries :)

The priority in these queues is not the same as PRIO. These priority values don't have much impact *apparently* compared to the queues themselves (I just understand these to be CPU or bucket scheduling or something), but I've never understood how true that is, so I just set them to be the same number as the desired relative PRIO as that seems sensible.

Last but NOT least; the PRIO value gets copied into the VLAN's CoS header! :) So if you use VLANs like we do here on our trunks, the different packets will end up as frames with the prio copied in, meaning your switches can then also maintain the layer 3 QoS in the layer 2 CoS... Amazing stuff :)

Good luck Andrew Lemin

*** looking forward to 64bit queues! :***

On 08/10/14 20:49, jum...@yahoo.de wrote: Hi Andy, This morning I have added
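The config Andrew posted is in the altq/oldqueue syntax he tells the reader to move away from. The fragment below is an added example, not Andrew's own config: the same seven-queue hierarchy and the same classification rules written in the queue syntax that replaced altq in OpenBSD 5.5, with VNC already split out of the DNS/NTP queue as he suggests. The interface name (`trunk0`) and the rates (a 1 Gbit/s trunk) are assumptions; the new syntax only takes absolute rates (K/M/G), not the percentages used above, so the children's `bandwidth` values here simply sum to the parent's.

```pf
# Added example: Andrew's hierarchy in the post-5.5 queue syntax.
# Interface and rates are assumptions; set them from the real uplink.
if_trunk1 = "trunk0"

# Root queue: the whole link. 'max' pins the bottleneck to this shaper
# rather than to whatever buffer sits downstream.
queue wan      on $if_trunk1 bandwidth 1G max 1G

# Leaf queues. 'bandwidth' is the share under contention, 'min' the
# guaranteed floor (what hfsc realtime gave you above), 'max' a hard
# ceiling (upperlimit), 'qlimit' the packet backlog before drops.
queue wan_rt   parent wan bandwidth 200M min 200M qlimit 50   # VoIP / real-time
queue wan_int  parent wan bandwidth 100M min 50M  qlimit 100  # interactive: ssh, vnc
queue wan_pri  parent wan bandwidth 100M min 50M  qlimit 100  # dns, ntp
queue wan_vpn  parent wan bandwidth 300M min 150M qlimit 300
queue wan_web  parent wan bandwidth 100M min 50M  qlimit 300
queue wan_dflt parent wan bandwidth 150M min 50M  qlimit 100 default
queue wan_bulk parent wan bandwidth 50M  max 300M qlimit 100  # file transfers

# Classification. 'set queue (a, b)' sends TOS-lowdelay packets and
# payload-less TCP ACKs to the second queue; 'set prio (a, b)' does the
# same for the priority field that ends up in the VLAN CoS bits.
pass quick proto { tcp, udp } from (vlan1:network) to (vlan234:network) \
    port { 4569, 5060 } set queue wan_rt set prio 7
pass quick proto { tcp, udp } from (vlan1:network) to (vlan234:network) \
    port { 53, 123 } set queue wan_pri set prio 4
pass quick proto tcp from (vlan1:network) to (vlan234:network) \
    port 5900 set queue wan_int set prio 5            # VNC no longer shares with DNS
pass quick proto tcp from (vlan1:network) to (vlan234:network) \
    port { 80, 443 } set queue (wan_web, wan_pri) set prio (2, 4)
pass quick proto tcp from (vlan1:network) to (vlan234:network) \
    port ssh set queue (wan_bulk, wan_int) set prio (0, 5)
pass quick proto { tcp, udp, icmp } from (vlan1:network) to (vlan234:network) \
    set queue (wan_bulk, wan_pri) set prio (0, 4)
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, then watch the per-queue counters with `systat queues` (or `pfctl -vvsq`) under load: a queue whose drops climb while its neighbours sit idle is the one to split next, which is exactly the rule Andrew describes.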
Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?
I have seen this when the allowed number of states is too low and PF clears the idle states too early.. See http://www.openbsd.org/faq/pf/options.html; set optimization/option/ Good luck, Andy.

On 09/10/14 14:58, Paul S. wrote: I can confirm that we've seen this with any long running TCP connections in environments where pf was literally only sampling packets for pflow (not even actually firewalling.) Removing pf from the equation fixed the problem right up. 5.5 current was what I was running at the time.

On 10/9/2014 10:52, Nicolas Christener wrote: Hello We have a somewhat curious issue and have run out of ideas ;) We do not have a trigger to reproduce the issue, but we for example see some IRC disconnects from users behind our firewall.

What we have:
- two HP Proliant DL360 G5 with Broadcom BCM5708 NICs, 2GB RAM, Intel Xeon E5335@2.0GHz
- OpenBSD 5.5
- trunk between the two NICs
- 13 VLAN interfaces with carp failover
- one VLAN for pfsync
- ospfd and ospf6d
- approx. 200Mbit/s of traffic
- the initial pfsync takes quite long (~1h)

The setup looks like this (not sure if relevant):
- both servers have a failover trunk with two interfaces
- all traffic including pfsync is sent over this trunk
- the problem also occurs if we disable one box

What happens/what we tried: The main issue is that we occasionally see broken SSH connections and quite a lot of broken IRC connections during the day. It looks a bit like the problem happens more in the evening - however we do not see a correlation with the amount of traffic or number of connections. As a first reaction we updated to the latest stable OpenBSD release, which didn't solve the issue. Afterwards we replaced the onboard Broadcom NIC with a PCIe Intel 82576 (em driver) card, however this card seems to cause some new issues - i.e. we see quite some input (rx) errors using netstat -i. Because we don't see such errors using the Broadcom NICs we decided not to investigate this issue any further and switch back to the Broadcom setup. Besides those steps we also disabled one of the boxes by stopping ospf and removing the carp interfaces - however, the disconnects didn't go away. Furthermore we also checked if any state tables are overflowing and we didn't find any suspicious kernel messages either. We have quite a similar setup which doesn't show those issues - however we don't have the same amount of traffic over those systems.

I uploaded some information about the system to this place:
* sysctl -a http://dpaste.com/08VBA93
* pfctl (w/o rules and states) http://dpaste.com/2BBJG5P

Feel free to ask for more if needed. Long story short; do you have any hints or ideas where we could look next? Did you ever see such a problem in another setup? At least to me, it looks like long-running sessions (like IRC) are somehow affected - does this ring some bells? I appreciate any hints and hope that I didn't miss any important information - otherwise feel free to bug me. Thanks in advance and have a nice day! Kind regards, Nicolas
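Andy points at the FAQ page without naming the knobs. As an added example (not from the thread, values are assumptions to be sized from the box's own counters), these are the pf.conf settings that decide when an idle-but-open TCP session such as an IRC connection loses its state entry. The one people tend to miss is the adaptive timeout: it starts scaling every timeout down once the state table is 60% full by default, so a busy firewall left at the default `states` limit of 10000 will silently expire quiet sessions long before the table actually overflows.

```pf
# Added example: state-table knobs relevant to dropped long-lived sessions.
# Values are assumptions; read the real numbers with 'pfctl -si' and
# 'pfctl -st' (see below) before changing them.

set limit states 500000        # default 10000. Every open IRC/SSH session
                               # holds one entry for its entire lifetime.

set optimization normal        # 'aggressive' expires idle sessions after
                               # minutes rather than a day; never use it on
                               # a box carrying interactive traffic.

set timeout tcp.established 86400   # how long an established session may
                                    # stay silent (default 24h). Must exceed
                                    # the longest gap your IRC clients and
                                    # their PING/PONG keepalives produce.

# Adaptive expiry: above 'adaptive.start' entries every timeout is scaled
# down linearly, reaching zero at 'adaptive.end'. The defaults are 60% and
# 120% of the states limit, so raise them together with the limit or
# disable scaling with 'adaptive.start 0'.
set timeout { adaptive.start 300000, adaptive.end 600000 }
```

Before and after reloading, compare `pfctl -si` (the `current entries` line against the limit, and the `memory` and `state-mismatch` counters, which increment when a packet arrives for a state that has already been expired) with `pfctl -st` (the effective timeouts) and `pfctl -sm` (the hard limits). If `current entries` sits above 60% of the limit for long stretches, adaptive scaling is the first thing to suspect.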
Changing root password from stdin value
Hello, I'm trying to get some scripts working which would take a password from stdin and set it for root. In Linux passwd --stdin is used, in FreeBSD pw mod user root -h 0. How would I do this in OpenBSD? Thanks, Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro
Re: Changing root password from stdin value
On Thu, Oct 09, 2014 at 06:22:05PM +0100, Nux! wrote: Hello, I'm trying to get some scripts working which would take a password from stdin and set it for root. In Linux passwd --stdin is used, in FreeBSD pw mod user root -h 0. How would I do this in OpenBSD? Thanks, Lucian Hi, You could use encrypt(1) + usermod(1). encrypt will encrypt passwords from the command line or standard input. usermod will accept an already-encrypted password. -- Sébastien Marie
Re: Changing root password from stdin value
Thanks, that worked great! Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Sébastien Marie semarie-open...@latrappe.fr To: Nux! n...@li.nux.ro Cc: misc@openbsd.org Sent: Thursday, 9 October, 2014 18:48:54 Subject: Re: Changing root password from stdin value On Thu, Oct 09, 2014 at 06:22:05PM +0100, Nux! wrote: Hello, I'm trying to get some scripts working which would take a password from stdin and set it for root. In Linux passwd --stdin is used, in FreeBSD pw mod user root -h 0. How would I do this in OpenBSD? Thanks, Lucian Hi, You could use encrypt(1) + usermod(1). encrypt will encrypt passwords from the command line or standard input. usermod will accept an already-encrypted password. -- Sébastien Marie
openbsd sysprep?
Hi, I'm trying to build a Cloudstack OpenBSD template and I need to do a bit of cleaning up on it before I let people use it. Besides changing the password, wiping the shell history, ssh keys, random seed and /var/log stuff, what else should I be doing to trigger a more unique installation? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro
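Lucian lists the obvious per-instance state (password, shell history, SSH keys, random seed, /var/log). The script below is an added example, not something from the thread or from any OpenBSD tool: it removes or empties that state relative to a root directory, so it can be rehearsed on a scratch tree or run against a mounted template image rather than the live system. The path list is an assumption based on what an OpenBSD 5.x install keeps on disk (SSH host keys are regenerated by /etc/rc when missing; /etc/random.seed and /var/db/host.random are the boot-time entropy seed files) and should be reviewed against the actual template.

```shell
#!/bin/sh
# Added example (not from the thread): strip per-instance state from an
# OpenBSD template tree before cloning it. Paths are assumptions.
set -eu

# Files that must differ on every clone. Host keys and seed files are
# regenerated on first boot; the rest are simply not wanted in a template.
unique_files() {
    cat <<'EOF'
etc/ssh/ssh_host_rsa_key
etc/ssh/ssh_host_rsa_key.pub
etc/ssh/ssh_host_ecdsa_key
etc/ssh/ssh_host_ecdsa_key.pub
etc/ssh/ssh_host_ed25519_key
etc/ssh/ssh_host_ed25519_key.pub
etc/ssh/ssh_host_dsa_key
etc/ssh/ssh_host_dsa_key.pub
etc/random.seed
var/db/host.random
root/.history
root/.ssh/authorized_keys
root/.ssh/known_hosts
EOF
}

# Remove the unique files and empty (not delete) the logs: syslogd and
# newsyslog expect the files to exist with their current ownership.
sysprep_tree() {
    root=${1%/}
    unique_files | while IFS= read -r f; do
        rm -f "$root/$f"
    done
    for f in "$root"/var/log/*; do
        [ -f "$f" ] && : > "$f"
    done
    # login accounting lives outside /var/log as well
    [ -f "$root/var/run/utmp" ] && : > "$root/var/run/utmp"
    return 0
}

# Number of unique files still present under ROOT; 0 means clean.
leftover_count() {
    root=${1%/}
    n=0
    for f in $(unique_files); do
        [ -e "$root/$f" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Run it as `sysprep_tree /` as the very last step before shutting the template down, since the host keys vanish immediately and the sshd already running will keep serving the old ones until it restarts. Changing the root password is deliberately left out of this script: see the encrypt(1) + usermod(8) thread further down for that.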
Re: Question re dhclient.conf
On Mon, 29 Sep 2014 10:24:44 -0400 Jiri B ji...@devio.us wrote: On Mon, Sep 29, 2014 at 08:03:14AM -0600, Duncan Patton a Campbell wrote: My purpose here is to allow dynamic dns updates via nsupdate from dhcp clients where addresses are subject to change. I have a solution that will remain stable so long as the !command hook in hostname.if remains stable. This is not as good as the dhclient.conf script interface as it can't exclude calls that don't change the interface, but hey...

    # more /etc/hostname.nfe0
    dhcp
    !/usr/local/sbin/dydns.sh $if

This is executed only during boot or explicitly via netstart. So you believe your IP won't be changed by DHCP. j.

For the use that I wanted it is sufficient: code to park on a remote box that may be connected (manually) for occasional maintenance. If it's reasonable from other perspectives I think it would be good to reinclude the external command option in dhclient.conf. Otherwise, monitoring the dhcp lease with the -L flag I had not thought of, but it does provide the necessary trigger to update dns. Thanks, Dhu -- Ne obliviscaris, vix ea nostra voco.
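The thread ends on the observation that `dhclient -L` gives a trigger the hostname.if hook cannot: a lease file rewritten on every renewal. The script below is an added example of using it, not code from the thread: it reads the newest `fixed-address` from the lease file, remembers the last address it pushed, and only generates an nsupdate(1) transaction when the address actually changes, which is the "exclude calls that don't change the interface" property Dhu wanted. The lease-file path, the FQDN, zone, TTL and key file are placeholders; the lease text used in the test is constructed in dhclient's lease format.

```shell
#!/bin/sh
# Added example (not from the thread): turn dhclient -L lease changes into
# nsupdate(1) transactions. Assumes dhclient(8) runs with
# "-L /var/db/dhclient.leases.nfe0" (path is an assumption) so the current
# lease is mirrored there on every renewal.
set -eu

# Newest fixed-address in a dhclient lease file (leases are appended, so
# the last one wins). Fails if the file holds no address.
lease_ip() {
    awk '/^[[:space:]]*fixed-address/ { ip = $2; sub(/;$/, "", ip) }
         END { if (ip == "") exit 1; print ip }' "$1"
}

# nsupdate(1) transaction replacing the A record of FQDN with IP.
# $1 = fqdn, $2 = ip, $3 = zone, $4 = ttl
nsupdate_script() {
    printf 'zone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$3" "$1" "$1" "$4" "$2"
}

# Succeeds and prints the new address only when it differs from the one
# recorded in the state file; renewals of the same address are silent.
# $1 = lease file, $2 = state file
ip_changed() {
    new=$(lease_ip "$1") || return 1
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ] || return 1
    printf '%s' "$new" > "$2"
    printf '%s\n' "$new"
}

# Poll loop for a real box. Uses TSIG (-k) so the zone only accepts
# updates from holders of the key, not from anyone who can spoof the host.
# $1 = lease file, $2 = state file, $3 = fqdn, $4 = zone, $5 = key file
watch_lease() {
    while :; do
        if ip=$(ip_changed "$1" "$2"); then
            nsupdate_script "$3" "$ip" "$4" 300 | nsupdate -k "$5"
        fi
        sleep 60
    done
}
```

Start it from rc.local as, for instance, `watch_lease /var/db/dhclient.leases.nfe0 /var/db/dydns.last host.example.net example.net /etc/dydns.key &`. Because the decision is made on the lease contents rather than on a hook firing, it also survives the interface being bounced by netstart.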
Re: Changing root password from stdin value
On 10/09/14 13:21, Nux! wrote: Hello, I'm trying to get some scripts working which would take a password from stdin and set it for root. In Linux passwd --stdin is used, in FreeBSD pw mod user root -h 0. How would I do this in OpenBSD? Thanks, Lucian

in addition to the already provided tip... consider this: Disable root password logins completely. Change the (encrypted) password to something nonsense or one or 13 *s, and use either sudo or SSH keys to get root access. This has the added advantages of no one having extra access by having the root pw, no need to share/distribute the root pw, etc. And unlike a number of other Unixes, this works very nicely. Nick.
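Sébastien's answer (encrypt(1) + usermod(8)) and Nick's alternative (make root's password field unusable) fit in one small script. The following is an added example, not code from either of them: the password is read from stdin and reaches encrypt(1) through a pipe, so it never appears in a process's argument list where `ps` would show it; only the resulting bcrypt hash goes to usermod. The `looks_like_bcrypt` sanity check is a hypothetical guard of my own so that a failed encrypt(1) run (wrong flags, tool missing) cannot write an empty or garbage field into master.passwd and lock root out by accident. The 10 bcrypt rounds and the 13-asterisk lock value (Nick's suggestion) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): set root's password from stdin with
# encrypt(1) + usermod(8), or lock it as Nick suggests. OpenBSD only.
set -eu

# Read exactly one line from stdin, strip the newline, reject empty input.
read_password() {
    IFS= read -r pw || return 1
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    printf '%s' "$pw"
}

# Sanity check on what encrypt(1) returned: a bcrypt string has a $2a$ or
# $2b$ prefix, a two-digit cost, and is 60 characters long. Hypothetical
# guard, so a failed encrypt run never reaches master.passwd.
looks_like_bcrypt() {
    case "$1" in
        '$2a$'??'$'*|'$2b$'??'$'*) [ "${#1}" -eq 60 ] ;;
        *) return 1 ;;
    esac
}

# Hash the password from stdin (bcrypt, 10 rounds assumed; raise it on
# faster hardware) and install it for root. The hash, not the password,
# is the only thing that appears in argv.
set_root_password() {
    pw=$(read_password) || return 1
    hash=$(printf '%s\n' "$pw" | encrypt -b 10)
    looks_like_bcrypt "$hash" || {
        echo "encrypt(1) did not return a bcrypt hash, aborting" >&2
        return 1
    }
    usermod -p "$hash" root
}

# Nick's alternative: no string hashes to 13 '*'s, so password login for
# root is impossible while sudo and SSH keys keep working.
lock_root_password() {
    usermod -p '*************' root
}
```

Usage from a provisioning script is `printf '%s\n' "$SECRET" | sh -c '. ./rootpw.sh; set_root_password'`, or simply `lock_root_password` once sudo or key-based access is in place; verify with `grep '^root:' /etc/master.passwd` that the second field is a `$2b$` hash or the asterisks, never empty.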
Which is the better way to use softraid?
Hello It seems I will be moving on up, and replacing an old P4 (that I pulled out of the trash and have been using with openbsd as a mail server and such) with a much newer/fancier computer. I was reading about softraid, and saw the suggestions about using softraid and altroot. I understand that raid is not a panacea; but, I am planning on taking advantage of it. So, when I look at the FAQ, it says (in crude summary): use fdisk to make openbsd partitions; then, use disklabel and make partitions for softraid; then use bioctl to assemble the softraid; then use disklabel to create partition/s in the created softraid volume. Seems easy enough. Now, if there are going to be multiple partitions for the install (e.g. /home, /var, etc.), my question is, which is better:

A: Is it better to make larger initial partitions for raid assembly, and then use disklabel to create multiple partitions within that one softraid volume (i.e.: one big softraid volume sd0, broken up into sd0a, sd0b, sd0c...)?

B: Is it better to make several smaller install partitions, and then assemble multiple softraid volumes, and then use disklabel to place only one (or two?) system partitions in each softraid volume (i.e.: multiple softraids like sd0, sd1, sd2..., each with only one partition like sd0a, sd1a, sd2a...)?

C: Or, does it not matter?

My limited (ok, non-existent) knowledge and/or understanding of disk I/O makes it impossible for me to even begin to guess what may be best. Thanks Ted
rrdtool troubles after 5.4-5.5 upgrade
As required for the upgrade I exported all my rrd's and they appear correct, but when I performed a 'restore' on the upgraded 5.5 system the dates appeared to become advanced by 136 years. These are for Cacti and interestingly, cacti shows graphs for the old data, but not for data collected after the upgrade. The rrd's are being updated, but with a recent date.

--5.4 EXPORTED RRD-

    <!-- Round Robin Archives -->
    <rra>
      <cf>AVERAGE</cf>
      <pdp_per_row>1</pdp_per_row> <!-- 300 seconds -->
      <params>
        <xff>5.00e-01</xff>
      </params>
      <cdp_prep>
        <ds>
          <primary_value>6.0147896722e+02</primary_value>
          <secondary_value>NaN</secondary_value>
          <value>NaN</value>
          <unknown_datapoints>0</unknown_datapoints>
        </ds>
        <ds>
          <primary_value>2.1042432308e+02</primary_value>
          <secondary_value>NaN</secondary_value>
          <value>NaN</value>
          <unknown_datapoints>0</unknown_datapoints>
        </ds>
      </cdp_prep>
      <database>
        <!-- 2014-10-07 06:50:00 EDT / 1412679000 --> <row><v>1.6942546263e+02</v><v>1.0782825095e+02</v></row>
        <!-- 2014-10-07 06:55:00 EDT / 1412679300 --> <row><v>1.3230701552e+02</v><v>8.5905507986e+01</v></row>
        <!-- 2014-10-07 07:00:00 EDT / 1412679600 --> <row><v>1.5090053841e+03</v><v>5.1040593693e+02</v></row>
        <!-- 2014-10-07 07:05:00 EDT / 1412679900 --> <row><v>4.3326648631e+02</v><v>1.7794450478e+02</v></row>
        <!-- 2014-10-07 07:10:00 EDT / 1412680200 --> <row><v>5.0533918152e+01</v><v>6.0539432673e+01</v></row>
        <!-- 2014-10-07 07:15:00 EDT / 1412680500 --> <row><v>6.0977588814e+01</v><v>6.1744402908e+01</v></row>
        <!-- 2014-10-07 07:20:00 EDT / 1412680800 --> <row><v>5.0497766741e+01</v><v>8.6521608203e+01</v></row>
        <!-- 2014-10-07 07:25:00 EDT / 1412681100 --> <row><v>5.586560e+01</v><v>6.660450e+01</v></row>
        <!-- 2014-10-07 07:30:00 EDT / 1412681400 --> <row><v>4.1272303359e+01</v><v>5.2785814360e+01</v></row>

--5.5 RESTORED then EXPORTED RRD-

    <!-- Round Robin Archives -->
    <rra>
      <cf>AVERAGE</cf>
      <pdp_per_row>1</pdp_per_row> <!-- 300 seconds -->
      <params>
        <xff>5.00e-01</xff>
      </params>
      <cdp_prep>
        <ds>
          <primary_value>6.0147896722e+02</primary_value>
          <secondary_value>NaN</secondary_value>
          <value>NaN</value>
          <unknown_datapoints>0</unknown_datapoints>
        </ds>
        <ds>
          <primary_value>2.1042432308e+02</primary_value>
          <secondary_value>NaN</secondary_value>
          <value>NaN</value>
          <unknown_datapoints>0</unknown_datapoints>
        </ds>
      </cdp_prep>
      <database>
        <!-- 2150-11-13 12:18:16 EST / 5707646296 --> <row><v>1.6942546263e+02</v><v>1.0782825095e+02</v></row>
        <!-- 2150-11-13 12:23:16 EST / 5707646596 --> <row><v>1.3230701552e+02</v><v>8.5905507986e+01</v></row>
        <!-- 2150-11-13 12:28:16 EST / 5707646896 --> <row><v>1.5090053841e+03</v><v>5.1040593693e+02</v></row>
        <!-- 2150-11-13 12:33:16 EST / 5707647196 --> <row><v>4.3326648631e+02</v><v>1.7794450478e+02</v></row>
        <!-- 2150-11-13 12:38:16 EST / 5707647496 --> <row><v>5.0533918152e+01</v><v>6.0539432673e+01</v></row>
        <!-- 2150-11-13 12:43:16 EST / 5707647796 --> <row><v>6.0977588814e+01</v><v>6.1744402908e+01</v></row>
        <!-- 2150-11-13 12:48:16 EST / 5707648096 --> <row><v>5.0497766741e+01</v><v>8.6521608203e+01</v></row>
        <!-- 2150-11-13 12:53:16 EST / 5707648396 --> <row><v>5.586560e+01</v><v>6.660450e+01</v></row>

-Steve S.
Re: Which is the better way to use softraid?
On 10/09/14 14:24, t...@wynnychenko.com wrote: ... Now, if there are going to be multiple partitions for the install (e.g. /home, /var, etc.), my question is, which is better:

A: Is it better to make larger initial partitions for raid assembly, and then use disklabel to create multiple partitions within that one softraid volume (i.e.: one big softraid volume sd0, broken up into sd0a, sd0b, sd0c...)?

YES

B: Is it better to make several smaller install partitions, and then assemble multiple softraid volumes, and then use disklabel to place only one (or two?) system partitions in each softraid volume (i.e.: multiple softraids like sd0, sd1, sd2..., each with only one partition like sd0a, sd1a, sd2a...)?

NO! NO! NO! (generally :)

C: Or, does it not matter? My limited (ok, non-existent) knowledge and/or understanding of disk I/O makes it impossible for me to even begin to guess what may be best.

it matters. :)

The point of RAID isn't just to build the array, but to maintain it, including replacing failed elements. So, you replace a failed disk and restart the mirroring process. If you have one softraid volume, you just start it and let it go. If you have multiple softraid volumes, you will have to rebuild each. So, you have to either do them sequentially or at the same time. Sequentially requires watching for one remirror to finish before starting the next, so you have to be hovering over the server. So why not just start them all at the same time? If on different physical disks, sure, go for it. But on one disk? You will end up with some horrific thrashing of the heads as it mirrors a block here and another block over there. Your rebuild time may be 20x to 100x as slow as doing one volume at a time, your disks will make unpleasant noises, and you may just break your remaining disk before the rebuild is complete. Remirroring a 2T disk may take more than a day... so twenty times as long is bad, one hundred times as long is a complete disaster.

Should you need to be FSCK'ing a disk while a rebuild is happening (you want to avoid this, really) things can get really, really slow. Nick.
Re: Changing root password from stdin value
On Thu, Oct 09, 2014 at 02:23:54PM -0400, Nick Holland wrote: On 10/09/14 13:21, Nux! wrote: Hello, I'm trying to get some scripts working which would take a password from stdin and set it for root. In Linux passwd --stdin is used, in FreeBSD pw mod user root -h 0. How would I do this in OpenBSD? Thanks, Lucian in addition to the already provided tip... consider this: Disable root password logins completely. Change the (encrypted) password to something nonsense or one or 13 *s, and use either sudo or SSH keys to get root access. This has the added advantages of no one having extra access by having the root pw, no need to share/distribute the root pw, etc. And unlike a number of other Unixes, this works very nicely.

Ubuntu-style? :)