Re: pf feature request

2009-07-30 Thread (private) HKS
2009/7/29 irix i...@ukr.net:
 Hello Misc,

 This feature is not pure scheduling. With altq you can try to achieve it, but
 altq is not designed for this (altq will get all outbound traffic, which we do
 not need).
 The whole idea is to avoid queues and not discard packets, but simply ask
 the other party to send packets more slowly when the flow rate exceeds the
 specified speed.

 But if the party does not respond to these requests with its traffic,
 nothing happens.
 It has already arrived; building it into a queue and dropping it is not needed.
 This is similar to the ALTQ_CDNR function, but unlike it, nothing happens to
 the incoming traffic (in ALTQ_CDNR it is discarded and the built-in tcp flow
 rate decreases).
 I propose to do the same thing but without dropping packets, as if emulating
 tcp overload, but without actual overload.

Why? What's the use case?

-HKS




  On Wed, Jul 29, 2009 at 10:41:59AM -0400, (private) HKS wrote:
 2009/7/28 irix i...@ukr.net:
  Hello Misc,
 
   Maybe the public is interested in the idea of adding to pf a function
   that requests slowing the transfer of data for the tcp protocol?
   To attempt to reduce the speed of the incoming flow without altq.
   This function is designed exclusively for the tcp protocol, and must
   work under the rfc.
  
   Can I suggest an example of a rule
  
   pass in on $ext_if proto tcp from $internet to any port ftp keep state tcprequester 5Mb
  
   When an incoming tcp stream reaches 5Mbit, pf starts to ask the remote
   side to reduce speed.
   But at the same time, no queues are built, and no packets are
   discarded.
   pf only generates requests to reduce the speed of the sending party.
 
  --
  Best regards,
   irix  mailto:i...@ukr.net
 
 

 diff?

 -HKS
 Could this not be done currently with altq?




 --
 Best regards,
  irix  mailto:i...@ukr.net



Re: pf feature request

2009-07-30 Thread (private) HKS
2009/7/30 irix i...@ukr.net:
 Hello Misc,

 There have been a great number of disputes about shaping the incoming flow.
 This function is a solution to this dispute; it realizes what may be
 implemented according to the RFC.

Well, sort of. Assuming for a second that this was magically
implemented exactly as you see it, it would be a way to shape inbound
TCP streams. Nothing more. All other protocols would be completely
untouched, so this would only function as an easily bypassed
administrative limit.


 And it is needed, for example, if you have a single ftp server and you want
 one of the IPs uploading data to it to go no faster than 2Mbit, and all the
 others at full speed (without tuning ftpd).

I assume you mean that you have an FTP server that permits upload, and
you want to restrict upload from a given client IP to 2Mbit? This
magic option would do the trick - for a single stream. What if they
establish multiple streams? Unless you intended this to be an option
restricting bandwidth aggregate across all states created by a given
rule?

 Or you have a narrow channel, for example 128Kbit, and some SMTP server
 attempts to transmit a 200 megabyte e-mail to you, and all your inbound
 traffic is taken by the smtp server; with this feature you can ask the remote
 server to send you the e-mail more slowly, so that the channel is freed and
 you can open an http page.

Alternatively, you can assign traffic outbound from your firewall to
your mail server to a 64kbps wide queue and let the endpoints do what
they're supposed to do, rather than fucking with tcp proxying and
congestion scaling on the router.

 In doing so, no shaping or queuing is organized, and no action is performed
 on the incoming traffic.
 This option applies only to tcp traffic, according to the rfc.

Which RFC are you referring to?

I assume you're talking about modifying the congestion control
options. This sounds simple. It's not.

As one potential user, I don't see myself ever using this
functionality since it is a) limited to TCP, b) trivial for a hostile
user to work around, c) provides no functionality not already possible
with altq.

From what I've seen, it's also very unlikely for the developers to
bother implementing something that they don't see an immediate use for
or isn't thoroughly interesting to them. So far, your feature
accomplishes nothing new and would probably require a serious amount
of work. Without providing at least a solid explanation of what this
gives you that altq does not, as well as a proof-of-concept code
implementation, you're probably never going to see this.

-HKS




 Why? What's the use case?

 -HKS


 --
 Best regards,
  irix  mailto:i...@ukr.net



Re: pf feature request

2009-07-29 Thread (private) HKS
2009/7/28 irix i...@ukr.net:
 Hello Misc,

  Maybe the public is interested in the idea of adding to pf a function
  that requests slowing the transfer of data for the tcp protocol?
  To attempt to reduce the speed of the incoming flow without altq.
  This function is designed exclusively for the tcp protocol, and must work
  under the rfc.

  Can I suggest an example of a rule

  pass in on $ext_if proto tcp from $internet to any port ftp keep state tcprequester 5Mb

  When an incoming tcp stream reaches 5Mbit, pf starts to ask the remote
  side to reduce speed.
  But at the same time, no queues are built, and no packets are
  discarded.
  pf only generates requests to reduce the speed of the sending party.

 --
 Best regards,
  irix  mailto:i...@ukr.net



diff?

-HKS



Re: About em (4)

2009-07-15 Thread (private) HKS
On Wed, Jul 15, 2009 at 10:57 AM, Insan Praja SWinsan.pr...@gmail.com
wrote:
 Hi,

 On Wed, 15 Jul 2009 08:38:23 +0700, bsd...@gmail.com bsd...@gmail.com
 wrote:

 Presumably this would have been removed from the manual page if the
 issue were fixed.  OpenBSD is usually good about keeping the
 documentation up to date and matching the code it comes with.  On the
 other hand, it's difficult to test without knowing what the issue
 actually is...


 All my routers use em (4). I'm planning to move my cores' physical access to
 a jumbo frames network. I hope it could speed up our network a little bit, so I
 need to know if this udp traffic on jumbo frames will be a problem. If
 anyone has had any experience with udp traffic on an em (4) jumbo frame
 setting, I'd love to hear it.


 On Tue, Jul 14, 2009 at 12:22 AM, Insan Praja SWinsan.pr...@gmail.com
 wrote:

 Hi Misc@,
 From the em (4) man:
 BUGS
There are known performance issues with this driver when running UDP
traffic with Jumbo frames.

 Is this info still valid?
 Thanks,

 --
 insandotpraja(at)gmaildotcom



 Thanks,


 Insan Praja
 --
 insandotpraja(at)gmaildotcom



No experience myself, but it's unusual for the man pages to be out of
date. If it was fixed, the man page would have been updated.

Test it yourself and see if the performance impact is going to be a
problem in your network.

-HKS



Re: Simple Gif or Gre Tunnel doesn't seem so simple...

2009-07-14 Thread (private) HKS
On Mon, Jul 13, 2009 at 6:59 PM, Christopher Hiltonch...@vindaloo.com
wrote:
 I'm trying to setup a gif or gre tunnel between two machines running
OpenBSD
 4.5. North is a soekris 5501 and south is a soekris 4511. Both are routers.

 North:

 LAN: 192.168.144.0/24 via 192.168.144.1
 WAN: 10.0.2.1

 South:

 LAN: 192.168.140.0/24 via 192.168.140.1
 WAN: 172.16.34.57

 I'm doing the following:

 North:

 # ifconfig gif0 create
 # ifconfig gif0 inet 172.17.0.1 172.17.0.2 netmask 255.255.255.0 \
 tunnel 10.0.2.1 172.16.34.57
 # route add -net 192.168.140.0/24 172.17.0.1

 South:

 # ifconfig gif0 create
 # ifconfig gif0 inet 172.17.0.2 172.17.0.1 netmask 255.255.255.0 \
 tunnel 172.16.34.57 10.0.2.1
 # route add -net 192.168.144.0/24 172.17.0.2

 I'm doing:

 # sysctl net.inet.etherip.allow=1

 On both sides.

 I'm getting no joy getting packets through this tunnel. I am running pf on
 this configuration. According to the documentation the default
encapsulation
 for the gif devices is protocol 97 etherip but when I tcpdump my external
 interfaces I'm seeing encapsulated packets with protocol 4 (ipencap) pass.
 So I've added the following rules to both pf.confs:

 pass in on $ext_if proto { ipencap, etherip }
 pass out on $ext_if proto { ipencap, etherip }

 Can anyone see anything obviously wrong or forgotten here? Or, does anyone
 have a simple gif tunnel setup that could maybe assist me?

 Thanks in advance,

 -- Chris



ifconfigs, pf.conf, dmesg

-HKS



Re: Winbind Samba on OpenBSD

2009-07-08 Thread (private) HKS
On Wed, Jul 8, 2009 at 10:57 AM, Mike Erdelym...@erdelynet.com wrote:
 On Wed, Jul 08, 2009 at 11:32:46AM +0100, Edd Barrett wrote:
 On Tue, Jul 07, 2009 at 10:28:34AM -0400, Jason Beaudoin wrote:
Did you have a look at www.kernel-panic.it ? There are some
tutorials.
 
  yes, there's some helpful info for samba, but I haven't yet seen
anything
  related to winbind.. unless my google foo needs some work.

 Winbind is a PAM plugin. OpenBSD does not use this mechanism.

 Winbind depends on the use of nsswitch.conf.

 I don't know if ypldap can be used to talk to AD?

 That's its purpose (to be used with LDAP) and Active Directory is a
 bastardized^wenhanced implementation of LDAP.

 Along with login-ldap, ypldap should give you the same functionality as
 winbind, afaik.  But, winbind is useful with integrating Windows-based
 authentication with applications such as squid (but it's been years
 since I've done that).

 -ME



The major advantage of Winbind is that it automagically enumerates
your ADS users and binds them to UIDs on your *nix box. I've not
worked with ypldap specifically, but IIRC it's going to require that
the Win server have an NIS server aboard with UIDs already mapped. See
http://www.microsoft.com/windowsserver2003/r2/unixinterop/default.mspx
for info on the ADS NIS server.

If you're just looking for authentication and don't mind creating the
individual users on your OpenBSD system, just use Kerberos. It's a much
simpler and more resilient setup.

-HKS



Re: Automated service/daemon management

2009-06-11 Thread (private) HKS
On Tue, Jun 9, 2009 at 6:09 PM, patrick keshishianpkesh...@gmail.com wrote:
 On Tue, Jun 9, 2009 at 11:06 AM, (private) HKShks.priv...@gmail.com wrote:
 When my scripts install a package, they have to edit the monolithic
 /etc/rc.local in order to enable starting (rc.conf.local too, but
 that's a single line easily done with sed and checked with grep).
 Uninstalling a package is scarier since they're removing the parts of
 /etc/rc.local. Both of these rely on multi-line pattern matching and
 merging, which are imperfect sciences that wrack my nerves when they
 run automatically.

 The much larger problem, though, is with starting/stopping/restarting
 services. Say I add spamd as an enabled service on host1. For my
 scripts to start it properly, I have to replicate the code already in
 /etc/rc defining how spamd starts. This is prone to errors and runs
 the risk of breaking on upgrades. Restarting services that need more
 than a HUP is also a chore. As for stopping, some services like
 postgresql need some careful attention. This means replicating code
 from /etc/rc.shutdown.

 for ports you add to your system (such as postgresql) you can always
 use an external script for its start/stop and just add appropriate
 section to rc.local and rc.shutdown:

 --- e.g., ---
 rc.local
 # 
 if [ -x /etc/rc.pgsql ] ; then /etc/rc.pgsql start ; fi

 rc.shutdown
 # ...
 if [ -x /etc/rc.pgsql ] ; then /etc/rc.pgsql stop ; fi

 next you need to write rc.pgsql that starts or stops postgresql based
 on $1 == start or == stop

 That should solve at least part of your problem.

 As for spamd enabling/disabling, just reboot that machine if you don't
 want to look through the rc script to figure out what you need run.

 --patrick


Thanks to all for the suggestions.

Right now the most convincing is the daemon tools suggestion - I'll
dig into that and see if it suits my needs.

I've resisted hacking rc.d and rcorder into my system mainly because I
want to avoid recoding rc just to make a few things easier. There's a
lot in OpenBSD's rc that doesn't translate directly into the rc.d type
system, so it's not going to be a simple matter. That's a lot of work
to avoid a lot of work, and I'm not sure which one really requires
more.

The other rc mods are interesting, and I'll look at using them if
daemon tools doesn't do what I'm hoping.

Thanks for the help.

-HKS
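
The /etc/rc.pgsql wrapper that patrick's reply above sketches, written out as an added example (not from the thread, and not OpenBSD's or the postgresql port's own script): it hands start/stop/restart/status to pg_ctl as the database user and makes the shutdown path bounded, so rc.shutdown cannot hang on it. The _postgresql user, the paths and the 60 second timeout are assumptions for a stock postgresql-server package install.

```shell
#!/bin/sh
# /etc/rc.pgsql - start/stop wrapper for PostgreSQL on OpenBSD 4.x.
# Hooked in exactly as patrick suggests:
#   rc.local:     if [ -x /etc/rc.pgsql ]; then /etc/rc.pgsql start; fi
#   rc.shutdown:  if [ -x /etc/rc.pgsql ]; then /etc/rc.pgsql stop; fi
# Added example, not from the thread or from OpenBSD.  User, paths and
# timeout are assumptions; override them in the environment or edit here.

PG_USER=${PG_USER:-_postgresql}
PGDATA=${PGDATA:-/var/postgresql/data}
PG_CTL=${PG_CTL:-/usr/local/bin/pg_ctl}
PG_LOG=${PG_LOG:-/var/postgresql/logfile}
STOP_TIMEOUT=${STOP_TIMEOUT:-60}   # seconds to wait for a clean shutdown

# Every pg_ctl invocation goes through here, as the database user, so the
# server is never started as root even though rc.local runs as root.
run_pg_ctl() {
    su -l "$PG_USER" -c "$PG_CTL -D $PGDATA $*"
}

pgsql_start() {
    if run_pg_ctl status >/dev/null 2>&1; then
        echo "postgresql already running"
        return 0
    fi
    # -w waits until the server accepts connections, so anything later in
    # rc.local that needs the database can rely on it being up.
    run_pg_ctl start -w -l "$PG_LOG"
}

pgsql_stop() {
    # Nothing to do if it is not running (e.g. start failed at boot).
    run_pg_ctl status >/dev/null 2>&1 || return 0
    # "fast" mode disconnects clients and rolls back open transactions;
    # the default "smart" mode waits for clients to leave, which can hold
    # rc.shutdown indefinitely.  -t bounds the wait as a second safeguard.
    run_pg_ctl stop -m fast -w -t "$STOP_TIMEOUT"
}

# Dispatch on the action word; returns non-zero (and prints usage) for
# anything else so a typo in rc.local is visible at boot.
rc_pgsql() {
    case "${1:-}" in
    start)   pgsql_start ;;
    stop)    pgsql_stop ;;
    restart) pgsql_stop && pgsql_start ;;
    status)  run_pg_ctl status ;;
    *)
        echo "usage: $0 {start|stop|restart|status}" >&2
        return 1
        ;;
    esac
}

# Only act when invoked with an action; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then
    rc_pgsql "$@"
fi
```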



Automated service/daemon management

2009-06-09 Thread (private) HKS
As my environment grows, I'm automating more and more of my work
(package installation, config file propagation, etc.) so I can keep up
with it. The problem I'm running into with my OpenBSD boxes is with
services/daemons.

When my scripts install a package, they have to edit the monolithic
/etc/rc.local in order to enable starting (rc.conf.local too, but
that's a single line easily done with sed and checked with grep).
Uninstalling a package is scarier since they're removing the parts of
/etc/rc.local. Both of these rely on multi-line pattern matching and
merging, which are imperfect sciences that wrack my nerves when they
run automatically.

The much larger problem, though, is with starting/stopping/restarting
services. Say I add spamd as an enabled service on host1. For my
scripts to start it properly, I have to replicate the code already in
/etc/rc defining how spamd starts. This is prone to errors and runs
the risk of breaking on upgrades. Restarting services that need more
than a HUP is also a chore. As for stopping, some services like
postgresql need some careful attention. This means replicating code
from /etc/rc.shutdown.

I've looked at adding some stupid delimiters to /etc/rc,
/etc/rc.local, and /etc/rc.shutdown so I can just pull in the
necessary chunks, but I'm wondering if there's anything available
that's more elegant and won't break on every upgrade.

Has anyone solved this problem on OpenBSD?

-HKS



Re: Automated service/daemon management

2009-06-09 Thread (private) HKS
On Tue, Jun 9, 2009 at 3:02 PM, Nick Hassernick.has...@gmail.com wrote:
 (private) HKS wrote:
 Has anyone solved this problem on OpenBSD?

 -HKS


 I have not yet, but I've been meaning to look into systems such as
 cfengine [1], puppet [2], chef [3], etc.

 I'd be interested in any experiences folks have with these types of
 systems and OpenBSD.

 Nick

 [1] http://www.cfengine.org/
 [2] http://reductivelabs.com/products/puppet/
 [3] http://wiki.opscode.com/display/chef/Home


Puppet is the one I'm working with right now. It's great, but it
doesn't solve the problems I outlined above.

-HKS



Re: IPSEC'd states fail after upgrade to 4.5

2009-06-03 Thread (private) HKS
On Sun, May 31, 2009 at 2:16 PM, (private) HKShks.priv...@gmail.com wrote:
 On Sun, May 31, 2009 at 1:58 PM, (private) HKS hks.priv...@gmail.com
wrote:
 I have two networks: an office and a datacenter. The office has a
 single router (dmesg below) that I upgraded to 4.5 today. The
 datacenter has two routers running 4.4. The datacenter routers share a
 CARP address. The locations communicate over a gif tunnel protected by
 IPsec.

 After upgrading to 4.5 today, connections made across this tunnel are
 dropped after about 30 seconds.

 For instance, I ssh into a my datacenter backup server from my
 workstation. A state is created, traffic passes normally - until about
 30 seconds later when the state is terminated. This does not happen
 for traffic passed out to the net outside this tunnel.

 The only weirdness I've been able to quantify is the state that is
created:

 # pfctl -vvs state | grep -A 2 workstaiton | grep -A 2 server
 all tcp server:22 <- workstation:2733   ESTABLISHED:ESTABLISHED
   [1948621377 + 65119]  [2814490494 + 17520]
   age 00:00:27, expires in 23:59:43, 76:93 pkts, 5756:11189 bytes, rule 25
 all tcp workstation:2733 -> server:22   SYN_SENT:CLOSED
   [2814490494 + 4294964697]  [0 + 65535]
   age 00:00:27, expires in 00:00:03, 76:0 pkts, 5756:0 bytes, rule 203

 Once that SYN_SENT:CLOSED state's expiration counter reaches zero, my
 newly upgraded firewall starts blocking traffic from my workstation to
 the server.

 When pf debugging is set to misc, I get the following sort of message
 in my syslog (these were pulled from two different examples - the
 ports do match when it happens):

 May 31 12:05:47 router /bsd: pf: loose state match: TCP out wire:
 server:22 workstation:2105 stack: - [lo=1243591892 high=1243591894
 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA
 seq=1243591893 (1243591893) ack=0 len=28 ackskew=0 pkts=2:0
 dir=out,fwd

 I'm at a loss. My pf.conf is pretty huge, so I inserted a pass quick
 from workstation to server at the top above my block log
 policy. Same thing.

 I'm not sure what else is even needed to troubleshoot this. Can anyone
 give me some ideas?

 -HKS



PF dropping packets that match state

2009-06-03 Thread (private) HKS
Yet another bizarre state problem that will probably turn out to be me
being somehow braindead.

office - gw1 - (INTERNET) - gw2 - datacenter

My office and datacenter routers talk via IPSEC encrypted gif tunnels.
Most everything works.

From any host on the office network, I can SSH to the internal
interfaces on gw2. I cannot, however, SSH to the external interfaces
(carp or physical). The traffic is routed properly, neatly traverses
the gif tunnel and is accepted by gw2. The reply takes the same path
but is blocked by gw1's default block policy.

The state is created on gw1 as CLOSED:SYN_SENT:
# pfctl -vvss | grep -A 2 host | grep -A 2 gw2
all tcp gw2:8022 <- host:50831   CLOSED:SYN_SENT
   [0 + 1]  [1095549348 + 2]
   age 00:00:02, expires in 00:01:58, 1:0 pkts, 60:0 bytes, rule 24

But the replies are rejected:
# tcpdump -eeni pflog0 'host host'
tcpdump: listening on pflog0, link-type PFLOG
10:05:30.836901 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1095549349 win 0 (DF)
10:05:34.042631 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)
10:05:37.243616 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)
10:05:43.452693 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)

To address any pf issues, I inserted a pass quick from host to
gw2 at the top of my ruleset. Nothing. It works just fine to SSH
from gw1 to gw2's external interface.

What am I overlooking here?

dmesg of 4.5 machine follows.

-HKS


Re: PF dropping packets that match state

2009-06-03 Thread (private) HKS
On Wed, Jun 3, 2009 at 11:18 AM, (private) HKShks.priv...@gmail.com wrote:
 Yet another bizarre state problem that will probably turn out to be me
 being somehow braindead.

 office - gw1 - (INTERNET) - gw2 - datacenter

 My office and datacenter routers talk via IPSEC encrypted gif tunnels.
 Most everything works.

 From any host on the office network, I can SSH to the internal
 interfaces on gw2. I cannot, however, SSH to the external interfaces
 (carp or physical). The traffic is routed properly, neatly traverses
 the gif tunnel and is accepted by gw2. The reply takes the same path
 but is blocked by gw1's default block policy.

 The state is created on gw1 as CLOSED:SYN_SENT:
 # pfctl -vvss | grep -A 2 host | grep -A 2 gw2
 all tcp gw2:8022 <- host:50831   CLOSED:SYN_SENT
   [0 + 1]  [1095549348 + 2]
   age 00:00:02, expires in 00:01:58, 1:0 pkts, 60:0 bytes, rule 24

 But the replies are rejected:
 # tcpdump -eeni pflog0 'host host'
 tcpdump: listening on pflog0, link-type PFLOG
 10:05:30.836901 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1095549349 win 0 (DF)
 10:05:34.042631 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)
 10:05:37.243616 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)
 10:05:43.452693 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)

 To address any pf issues, I inserted a pass quick from host to
 gw2 at the top of my ruleset. Nothing. It works just fine to SSH
 from gw1 to gw2's external interface.

 What am I overlooking here?

 dmesg of 4.5 machine follows.

 -HKS


IPSEC'd states fail after upgrade to 4.5

2009-05-31 Thread (private) HKS
I have two networks: an office and a datacenter. The office has a
single router (dmesg below) that I upgraded to 4.5 today. The
datacenter has two routers running 4.4. The datacenter routers share a
CARP address. The locations communicate over a gif tunnel protected by
IPsec.

After upgrading to 4.5 today, connections made across this tunnel are
dropped after about 30 seconds.

For instance, I ssh into a my datacenter backup server from my
workstation. A state is created, traffic passes normally - until about
30 seconds later when the state is terminated. This does not happen
for traffic passed out to the net outside this tunnel.

The only weirdness I've been able to quantify is the state that is created:

# pfctl -vvs state | grep -A 2 workstaiton | grep -A 2 server
all tcp server:22 <- workstation:2733   ESTABLISHED:ESTABLISHED
   [1948621377 + 65119]  [2814490494 + 17520]
   age 00:00:27, expires in 23:59:43, 76:93 pkts, 5756:11189 bytes, rule 25
all tcp workstation:2733 -> server:22   SYN_SENT:CLOSED
   [2814490494 + 4294964697]  [0 + 65535]
   age 00:00:27, expires in 00:00:03, 76:0 pkts, 5756:0 bytes, rule 203

Once that SYN_SENT:CLOSED state's expiration counter reaches zero, my
newly upgraded firewall starts blocking traffic from my workstation to
the server.

When pf debugging is set to misc, I get the following sort of message
in my syslog (these were pulled from two different examples - the
ports do match when it happens):

May 31 12:05:47 router /bsd: pf: loose state match: TCP out wire:
server:22 workstation:2105 stack: - [lo=1243591892 high=1243591894
win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA
seq=1243591893 (1243591893) ack=0 len=28 ackskew=0 pkts=2:0
dir=out,fwd

I'm at a loss. My pf.conf is pretty huge, so I inserted a pass quick
from workstation to server at the top above my block log
policy. Same thing.

I'm not sure what else is even needed to troubleshoot this. Can anyone
give me some ideas?

-HKS


OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem  = 2146795520 (2047MB)
avail mem = 2067582976 (1971MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/25/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf9920 (87 entries)
bios0: vendor Dell Computer Corporation version A07 date 04/25/2008
bios0: Dell Computer Corporation PowerEdge 2850
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5) PALO(S5) PBLO(S5) VPR0(S5) PBHI(S5) VPR1(S5) PICH(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
ioapic1 at mainbus0: apid 3 pa 0xfec8, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 3
ioapic2 at mainbus0: apid 4 pa 0xfec83000, version 20, 24 pins
ioapic2: misconfigured as apic 0, remapped to apid 4
ioapic3 at mainbus0: apid 5 pa 0xfec84000, version 20, 24 pins
ioapic3: misconfigured as apic 0, remapped to apid 5
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PALO)
acpiprt2 at acpi0: bus 2 (DOBA)
acpiprt3 at acpi0: bus 3 (DOBB)
acpiprt4 at acpi0: bus 4 (PBLO)
acpiprt5 at acpi0: bus 5 (PBHI)
acpiprt6 at acpi0: bus 6 (PXB1)
acpiprt7 at acpi0: bus 7 (PXB2)
acpiprt8 at acpi0: bus 8 (VPR1)
acpiprt9 at acpi0: bus 9 (PXC1)
acpiprt10 at acpi0: bus 10 (PXC2)
acpiprt11 at acpi0: bus 11 (PICH)
acpicpu0 at acpi0
bios0: ROM list: 0xc/0xb000! 0xcb000/0x1000 0xcc000/0x1000 0xcd000/0x2200 0xec000/0x4000!
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x09
ppb0 at pci0 dev 2 function 0 Intel E7520 PCIE rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel IOP332 PCIE-PCIX rev 0x06
pci2 at ppb1 bus 2
ami0 at pci2 dev 14 function 0 Dell PERC 4e/Di rev 0x06: apic 3 int 14 (irq 7)
ami0: Dell 16d, 32b, FW 513O, BIOS vH418, 256MB RAM
ami0: 2 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
sd0: 139900MB, 512 bytes/sec, 286515200 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 6 lun 0: PE/PV, 1x6 SCSI BP, 1.0 SCSI2 3/processor fixed
scsibus2 at ami0: 16 targets
ppb2 at pci1 dev 0 function 2 Intel IOP332 PCIE-PCIX rev 0x06
pci3 at ppb2 bus 3
ppb3 at pci0 dev 4 function 0 Intel E7520 PCIE rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 5 function 0 Intel E7520 PCIE rev 0x09
pci5 at ppb4 bus 5
ppb5 
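
As an added diagnostic (not part of the original post): a small Python parser for the three-line entries that `pfctl -vvs state` prints, with a check that flags a state whose reverse packet counter has stayed at zero while a sibling state for the same connection is ESTABLISHED, and that is about to expire. The sample input is the two states quoted above with pf's direction arrows restored; the age and expiry thresholds are assumptions, not pf defaults.

```python
"""Parse `pfctl -vvs state` entries and flag states whose reply direction never matched."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the two states quoted in the post, with pf's direction arrows
# ("<-" inbound, "->" outbound) restored; "server"/"workstation" are the
# poster's placeholders.
SAMPLE = """\
all tcp server:22 <- workstation:2733   ESTABLISHED:ESTABLISHED
   [1948621377 + 65119]  [2814490494 + 17520]
   age 00:00:27, expires in 23:59:43, 76:93 pkts, 5756:11189 bytes, rule 25
all tcp workstation:2733 -> server:22   SYN_SENT:CLOSED
   [2814490494 + 4294964697]  [0 + 65535]
   age 00:00:27, expires in 00:00:03, 76:0 pkts, 5756:0 bytes, rule 203
"""

HEADER = re.compile(r"^(?P<ifname>\S+)\s+(?P<proto>\w+)\s+(?P<left>\S+)\s+"
                    r"(?P<arrow><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)$")
DETAIL = re.compile(r"age (?P<age>\d+:\d+:\d+), expires in (?P<exp>\d+:\d+:\d+), "
                    r"(?P<pf>\d+):(?P<pr>\d+) pkts, \d+:\d+ bytes, rule (?P<rule>\d+)")


def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class PfState:
    ifname: str
    proto: str
    src: str          # connection initiator, whichever way pf printed the arrow
    dst: str
    direction: str    # "in" or "out"
    state: str        # e.g. "SYN_SENT:CLOSED" (our side:peer side)
    age: int          # seconds
    expires: int      # seconds
    pkts_fwd: int
    pkts_rev: int
    rule: int


def parse_states(text: str) -> List[PfState]:
    """Each state is three lines: header, sequence windows, counters."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    states: List[PfState] = []
    i = 0
    while i < len(lines):
        h = HEADER.match(lines[i])
        d = DETAIL.search(lines[i + 2]) if h and i + 2 < len(lines) else None
        if not (h and d):
            i += 1
            continue
        if h["arrow"] == "->":
            src, dst, direction = h["left"], h["right"], "out"
        else:                       # "dst <- src" form
            src, dst, direction = h["right"], h["left"], "in"
        states.append(PfState(h["ifname"], h["proto"], src, dst, direction, h["state"],
                              hms_to_seconds(d["age"]), hms_to_seconds(d["exp"]),
                              int(d["pf"]), int(d["pr"]), int(d["rule"])))
        i += 3
    return states


def find_suspect_states(states: List[PfState], min_age: int = 5,
                        expiry_threshold: int = 10) -> List[Dict]:
    """Flag states that have carried traffic one way only and are about to time out.
    The thresholds are assumptions chosen for this example, not pf defaults."""
    by_conn: Dict[tuple, List[PfState]] = {}
    for s in states:
        by_conn.setdefault((s.proto, s.src, s.dst), []).append(s)
    findings = []
    for s in states:
        reasons = []
        if s.age >= min_age and s.pkts_fwd > 0 and s.pkts_rev == 0:
            reasons.append("no reply packets matched this state")
        if s.proto == "tcp" and s.age >= min_age and s.state.endswith(":CLOSED"):
            reasons.append("peer side still CLOSED: handshake never completed here")
        if s.expires <= expiry_threshold:
            reasons.append(f"expires in {s.expires}s")
        if not reasons:
            continue
        siblings = [o for o in by_conn[(s.proto, s.src, s.dst)] if o is not s]
        if any(o.state == "ESTABLISHED:ESTABLISHED" for o in siblings):
            reasons.append("sibling state for the same connection is ESTABLISHED, "
                           "so replies do reach the firewall but match a different state")
        findings.append({"rule": s.rule, "direction": s.direction,
                         "conn": f"{s.proto} {s.src} -> {s.dst}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspect_states(parse_states(SAMPLE)):
        print(f"rule {f['rule']} ({f['direction']}): {f['conn']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, only the rule 203 state is reported: 76 packets forward, none back, peer side CLOSED after 27 seconds, three seconds from expiry, while the rule 25 state for the same connection is fully established. Running this over the full `pfctl -vvs state` output on a large ruleset narrows the search to the states that actually misbehave.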

Re: IPSEC'd states fail after upgrade to 4.5

2009-05-31 Thread (private) HKS
On Sun, May 31, 2009 at 1:58 PM, (private) HKS hks.priv...@gmail.com wrote:
 I have two networks: an office and a datacenter. The office has a
 single router (dmesg below) that I upgraded to 4.5 today. The
 datacenter has two routers running 4.4. The datacenter routers share a
 CARP address. The locations communicate over a gif tunnel protected by
 IPsec.

 After upgrading to 4.5 today, connections made across this tunnel are
 dropped after about 30 seconds.

 For instance, I ssh into my datacenter backup server from my
 workstation. A state is created, traffic passes normally - until about
 30 seconds later when the state is terminated. This does not happen
 for traffic passed out to the net outside this tunnel.

 The only weirdness I've been able to quantify is the state that is created:

 # pfctl -vvs state | grep -A 2 workstation | grep -A 2 server
 all tcp server:22 <- workstation:2733   ESTABLISHED:ESTABLISHED
   [1948621377 + 65119]  [2814490494 + 17520]
   age 00:00:27, expires in 23:59:43, 76:93 pkts, 5756:11189 bytes, rule 25
 all tcp workstation:2733 -> server:22   SYN_SENT:CLOSED
   [2814490494 + 4294964697]  [0 + 65535]
   age 00:00:27, expires in 00:00:03, 76:0 pkts, 5756:0 bytes, rule 203

 Once that SYN_SENT:CLOSED state's expiration counter reaches zero, my
 newly upgraded firewall starts blocking traffic from my workstation to
 the server.

 When pf debugging is set to misc, I get the following sort of message
 in my syslog (these were pulled from two different examples - the
 ports do match when it happens):

 May 31 12:05:47 router /bsd: pf: loose state match: TCP out wire:
 server:22 workstation:2105 stack: - [lo=1243591892 high=1243591894
 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA
 seq=1243591893 (1243591893) ack=0 len=28 ackskew=0 pkts=2:0
 dir=out,fwd

 I'm at a loss. My pf.conf is pretty huge, so I inserted a pass quick
 from workstation to server at the top above my block log
 policy. Same thing.

 I'm not sure what else is even needed to troubleshoot this. Can anyone
 give me some ideas?

 -HKS


 OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
 real mem  = 2146795520 (2047MB)
 avail mem = 2067582976 (1971MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 04/25/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf9920 (87 entries)
 bios0: vendor Dell Computer Corporation version A07 date 04/25/2008
 bios0: Dell Computer Corporation PowerEdge 2850
 acpi0 at bios0: rev 0
 acpi0: tables DSDT FACP APIC SPCR HPET MCFG
 acpi0: wakeup devices PCI0(S5) PALO(S5) PBLO(S5) VPR0(S5) PBHI(S5) VPR1(S5) PICH(S5)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 199MHz
 cpu at mainbus0: not configured
 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
 ioapic0: misconfigured as apic 0, remapped to apid 2
 ioapic1 at mainbus0: apid 3 pa 0xfec8, version 20, 24 pins
 ioapic1: misconfigured as apic 0, remapped to apid 3
 ioapic2 at mainbus0: apid 4 pa 0xfec83000, version 20, 24 pins
 ioapic2: misconfigured as apic 0, remapped to apid 4
 ioapic3 at mainbus0: apid 5 pa 0xfec84000, version 20, 24 pins
 ioapic3: misconfigured as apic 0, remapped to apid 5
 acpihpet0 at acpi0: 14318179 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 1 (PALO)
 acpiprt2 at acpi0: bus 2 (DOBA)
 acpiprt3 at acpi0: bus 3 (DOBB)
 acpiprt4 at acpi0: bus 4 (PBLO)
 acpiprt5 at acpi0: bus 5 (PBHI)
 acpiprt6 at acpi0: bus 6 (PXB1)
 acpiprt7 at acpi0: bus 7 (PXB2)
 acpiprt8 at acpi0: bus 8 (VPR1)
 acpiprt9 at acpi0: bus 9 (PXC1)
 acpiprt10 at acpi0: bus 10 (PXC2)
 acpiprt11 at acpi0: bus 11 (PICH)
 acpicpu0 at acpi0
 bios0: ROM list: 0xc/0xb000! 0xcb000/0x1000 0xcc000/0x1000 0xcd000/0x2200 0xec000/0x4000!
 ipmi at mainbus0 not configured
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x09
 ppb0 at pci0 dev 2 function 0 Intel E7520 PCIE rev 0x09
 pci1 at ppb0 bus 1
 ppb1 at pci1 dev 0 function 0 Intel IOP332 PCIE-PCIX rev 0x06
 pci2 at ppb1 bus 2
 ami0 at pci2 dev 14 function 0 Dell PERC 4e/Di rev 0x06: apic 3 int 14 (irq 7)
 ami0: Dell 16d, 32b, FW 513O, BIOS vH418, 256MB RAM
 ami0: 2 channels, 0 FC loops, 1 logical drives
 scsibus0 at ami0: 40 targets
 sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
 sd0: 139900MB, 512 bytes/sec, 286515200 sec total
 scsibus1 at ami0: 16 targets
 safte0 at scsibus1 targ 6 lun 0: PE/PV, 1x6 SCSI BP, 1.0 SCSI2 3/processor fixed
 scsibus2 at ami0: 16 targets
 ppb2 at pci1 dev 0 function 2 Intel IOP332 PCIE-PCIX rev 0x06
 pci3

Re: pf, altq, packet rate

2009-05-27 Thread (private) HKS
2009/5/27 irix i...@ukr.net:
 Hello Misc,

 since queueing only happens at output, that's going to be totally
 useless. it's not just a question of how altq distinguishes traffic,
 you're asking to totally change how altq works.

 Okay, I see. But I cannot understand why you are sure that traffic
 can only outlet Shape , You can say that's silly to try to Shape traffic
that came,
 but  if  it works it's worse than outgoing (if only for tcp) it is not
 stupid ?

 Assume that you are right and the traffic can Shape only outlet for what
purpose then in other projects (freebsd, linux, netbsd)
 including  the original altqd opportunity for shaping incoming traffic
 via CDNR has been included?

 This is not the presentation of claims or something else, I want to
 understand why you uperlis and
 do not want to see anything else.

What is uperlis?


 if you have some requirement for features that altq+pf doesn't have
 at the moment, you have a few choices:

 - use different software that already does what you want.

 - pay someone to code the features.

 - code the features yourself. (if you don't code, this will require
 learning how to do that first, obviously).

 I did.

You did what?

 But it pains me to see the obvious defects in my favorite system,
 and complete indifference on the part of developers to the obvious defects.

This is not a defect. Throttling inbound traffic is meaningless. The
point of throttling traffic is to reduce load on network elements
(links, routers, etc) and possibly enforce accounting policies. The
traffic has already arrived at your router so it has already traversed
the link and been processed by the network stack. You throttle what
you can control - like the rate at which traffic from the world
egresses the internal interface on your router on its way to the host
you want throttled.


 but, unless you want to use altq on a server (rather than a router),
 there isn't really a problem with the queuing happening only on output.
 just give the queues on both interfaces the same name, then you can
 assign in both directions with a single rule.

 stupid example ruleset. not actually tested, but I have others like
 it, and it should be enough to give you the general idea.

 -- -- -- -- --
 altq on bge0 cbq bandwidth 4000Kb queue { normal, slow, fast }
 altq on vlan5 cbq bandwidth 2Kb queue { normal, slow, fast }
 altq on vlan9 cbq bandwidth 1000Kb queue { normal, slow, fast }

 queue normal bandwidth 40% priority 4 cbq(default borrow)
 queue slow bandwidth 10% priority 1
 queue fast bandwidth 50% priority 7

 pass
 pass in proto icmp queue (slow)
 pass in proto tcp to port 22 queue (fast)
 -- -- -- -- --

 (I think some people just look at a couple of example configs which
 use different queue names on interfaces and assume that it's necessary,
 but it isn't).

 Thanks, for this example. I did not know this.

 But under dynamic queues, I understand, the creation of a large number of
dynamic patterns.
 For example creates template for the queue with an indication of the speed
such as 512Kbit / s,
 and then creates template for the filter of which you can
 specify a subnet like 192.168.1.0/24 and this pattern break this subnet to
the desired number of rules in this case,
 to 254, and under each This rule will create a dynamic part of the dynamic
pattern of 512Kbit / s for each rule.

What?

-HKS


 --
 Best regards,
  irix  mailto:i...@ukr.net



Re: OpenNTPD warning

2009-05-22 Thread (private) HKS
On Fri, May 22, 2009 at 10:05 AM, Jordi Espasa jordi.esp...@opengea.org wrote:
 Looks like you do not think at all. The reason was told to you, and you
 didn't ever try to do something. You prefer to think instead of doing,
 don't you?

 I've fixed the commented conf error already, but it seems that the FIRST
 warning I've commented in my INITIAL post is not related to this
 configuration mistake.

Can you clarify what "seems" means? Did you fix the config file
problem, restart ntpd, and see this issue recur?

-HKS




 Looks like you do not read at all. Check the complete thread and think for some
 seconds about your impoliteness.

 And.. speaking about doing something

 ?do you provide a public NTP server in your country?
 ?do you provide a public OpenBSD mirror in your country?

 Shame on you.

 --
 Thanks,
 Jordi Espasa Clofent



Failing over all CARP interfaces

2009-05-21 Thread (private) HKS
Host1 has three carp interfaces in Master state. I'd like to fail them
all over to Backup at once without taking down any of the physical
interfaces (that's how I'm connected to it).

I have not found a way to do this. Enable net.inet.carp.preempt only
fails the whole pile over on a downed physical interface. If I jack up
advskew for carp1 it goes into Backup mode but carp2 and carp3 are
still Masters.

Is ifstated the accepted way to do this, or is there another avenue
I'm overlooking?

OpenBSD 4.5. Dmesg isn't really relevant, so I won't clog up the tubes with it.

-HKS



Re: Failing over all CARP interfaces

2009-05-21 Thread (private) HKS
On Thu, May 21, 2009 at 11:43 AM, Jason Dixon ja...@dixongroup.net wrote:
 On Thu, May 21, 2009 at 10:47:57AM -0400, (private) HKS wrote:
 Host1 has three carp interfaces in Master state. I'd like to fail them
 all over to Backup at once without taking down any of the physical
 interfaces (that's how I'm connected to it).

 I have not found a way to do this. Enable net.inet.carp.preempt only
 fails the whole pile over on a downed physical interface. If I jack up
 advskew for carp1 it goes into Backup mode but carp2 and carp3 are
 still Masters.

 Is ifstated the accepted way to do this, or is there another avenue
 I'm overlooking?

 Search for carpdemote in ifconfig(8).

 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net/


Thanks, that's what I needed.

-HKS



Re: Kylin

2009-05-18 Thread (private) HKS
2009/5/18 Tomáš Bodňár tomas.bod...@gmail.com:
 Come on, you think that big western companies which have support from
 western governments care about it? And please don't make a white knight
 out of western civilization. Everywhere there are pros and cons. What type of
 copyright and intellectual property do you think of? Like Disney which has
 stories based on older stories, but it has a law from the government on it
 now so the original makers have nothing and Disney takes all? And when the end
 of this copyright is near some magic happens in government and Disney
 (and others) has the next 20 or 50 years. Sounds very respectable for
 copyright and intellectual property of original authors ;-)

 Or maybe you think something like we have. When you create your own
 song and sing it to people somewhere outside of your flat you must pay
 OSA (something like the BSA terrorists, but local). WTH is that. Sounds
 really like caring about my copyright - I must pay for my own song ;-)

 Information is here to share and we can move forward thanks to
 it. If some idiot has a patent on double-click then what? One developer
 must incorporate triple-click into his product, the next four-click and so
 on? Sounds like history - the Earth is just a pancake and everyone who wants
 to find another idea must use our idea or he will be killed and whoever
 uses our idea without our licence will be killed too. Really, do we need
 those times back??

For Christ's sake, get off your fucking high horse. My quip was in
response to your implication that China chose a BSD license because it
fit better with their intentions than GPL or similar. As if they gave
a shit.

-HKS



 2009/5/18 (private) HKS hks.priv...@gmail.com:
 2009/5/17 Tomáš Bodňár tomas.bod...@gmail.com:
 I know,that's why they choose BSD-style licenced OS ;-)

 Yes, because China's respect for copyright and intellectual property
 is legendary.

 -HKS


 2009/5/17 Cem Kayali cemkay...@eticaret.com.tr:

 Do you really think the Chinese government makes the source public? Not all of
 course
 ;)

 Regards,




 Jesus Sanchez, 05/17/09 20:58:

 Tomáš Bodňár wrote:

 After a quick search on the web it looks like it's based on FreeBSD 5.3
 (initial version) with a Windows-like GUI. So it doesn't look so secure
 now :-) But government agencies must have a reason to receive money so
 why not make waves about dangerous China with their new
 ultra-hyper-super secure system? Of course there can be
 interesting modifications. Maybe I will try it in Qemu :-)


 does the chinese government really feel so vulnerable against the U.S.?
 I mean, they say it like WWIII will begin soon and we need
 to defend ourselves in cyberspace with our super-secure OS

 and after all they based it on FreeBSD? I'm an OpenBSD user and
 I really feel that I've enough privacy, don't need a
 super-secret-ultra-secure OS
 nor to say Made In China xD


 On 17 May 2009 19:28, Tomáš Bodňár tomas.bod...@gmail.com wrote:

 Everyone can try it

 http://www.honeytechblog.com/downlod-kylin-operating-system-by-chinaqingbo-wu/

 2009/5/17 Duncan Patton a Campbell campb...@neotext.ca:


 I just noticed this:

 http://www.physorg.com/news161355225.html

 about a secure os that's been under
 development in China since around 2k
 and is now being deployed by the Chinese
 Gov.

 Interestingly, it is built for a hardened
 CPU that, I'd guess, lacks many of the advanced
 features of iNTel architecture cpus.

 Anybody have any more info on this?

 Thanks,

 Dhu



Re: Kylin

2009-05-17 Thread (private) HKS
2009/5/17 Tomáš Bodňár tomas.bod...@gmail.com:
 I know,that's why they choose BSD-style licenced OS ;-)

Yes, because China's respect for copyright and intellectual property
is legendary.

-HKS


 2009/5/17 Cem Kayali cemkay...@eticaret.com.tr:

 Do you really think the Chinese government makes the source public? Not all of
 course
 ;)

 Regards,




 Jesus Sanchez, 05/17/09 20:58:

 Tomáš Bodňár wrote:

 After a quick search on the web it looks like it's based on FreeBSD 5.3
 (initial version) with a Windows-like GUI. So it doesn't look so secure
 now :-) But government agencies must have a reason to receive money so
 why not make waves about dangerous China with their new
 ultra-hyper-super secure system? Of course there can be
 interesting modifications. Maybe I will try it in Qemu :-)


 does the chinese government really feel so vulnerable against the U.S.?
 I mean, they say it like WWIII will begin soon and we need
 to defend ourselves in cyberspace with our super-secure OS

 and after all they based it on FreeBSD? I'm an OpenBSD user and
 I really feel that I've enough privacy, don't need a
 super-secret-ultra-secure OS
 nor to say Made In China xD


 On 17 May 2009 19:28, Tomáš Bodňár tomas.bod...@gmail.com wrote:

 Everyone can try it

 http://www.honeytechblog.com/downlod-kylin-operating-system-by-chinaqingbo-wu/


 2009/5/17 Duncan Patton a Campbell campb...@neotext.ca:


 I just noticed this:

 http://www.physorg.com/news161355225.html

 about a secure os that's been under
 development in China since around 2k
 and is now being deployed by the Chinese
 Gov.

 Interestingly, it is built for a hardened
 CPU that, I'd guess, lacks many of the advanced
 features of iNTel architecture cpus.

 Anybody have any more info on this?

 Thanks,

 Dhu



Re: Relayd

2009-05-14 Thread (private) HKS
On Thu, May 14, 2009 at 2:22 PM, Derek Buttineau de...@csolve.net wrote:
 I've been experimenting some with using relayd to load balance
 incoming smtp, pop3 and imap and it seems to work wonderfully with
 relays, unfortunately I cannot use redirects since I need to direct to
 different server pools depending on the originating source IP.  The
 only thing preventing me from deploying this is I need the connections
 to be transparent.

 OpenBSD 4.4 introduced a transparent key word, but for the life of me
 I cannot get this to work.  If configured as outlined in the man page,
 relayd fails to start complaining about an interface missing from the
 configuration.  If an interface is specified, relayd starts but
 connections time out immediately:

 relay maildelivery, session 4 (1 active), 0, 66.159.122.2 ->
 10.10.19.4:25, connect timeout

 When I trace the packets, I can see the connection being made to
 10.10.19.4, and a reply issued, but the time out still happens, so I'm
 at a complete loss.  Has anyone been able to get transparent relays
 configured?  I'd appreciate any help anyone can provide.

 On another note.  One thing that would be nice to see in relayd is the
 ability to specify a source ip or table in the redirect definition as
 that would eliminate the need for a relay for this configuration.

 Thanks.

 --
 Regards,

 Derek Buttineau
 Internet Systems Developer
 Compu-SOLVE Internet Services
 Compu-SOLVE Technologies, Inc

 Phone:  705-725-1212 x255
 E-Mail:  de...@csolve.net



Need: relayd.conf, pf.conf, dmesg.

-HKS



Re: No OS safe??

2009-05-08 Thread (private) HKS
On Fri, May 8, 2009 at 11:33 AM, Bob Beck b...@openbsd.org wrote:
  http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html

 It's a *botnet* guys, installed by *trojan* i.e. by tricking the stupid
idiot
 at the keyboard into doing something retarded.  The OS can be the most
 secure thing on the planet and if the person at the keyboard is stupid
 you'll still get pwned. Even OpenBSD is not secure against these sort
 of problems, because there is nothing preventing the unwashed masses from
 using it stupidly. (God, I said that on m...@.. that was a waste of bytes)



Wait, so you're saying OpenBSD can't even protect me from myself?

Also I left my laptop running OpenBSD on a table at Starbucks while I
went to the bathroom and when I came back it was gone!

So much for secure by default...

-HKS



Re: [PF] Strange Blocks

2009-05-03 Thread (private) HKS
On Sun, May 3, 2009 at 10:14 AM, dug d...@xgs-france.com wrote:
 Thanks for your reply.

 On 2 May 09 at 10:59, ropers wrote:

 2009/5/1 dug d...@xgs-france.com:
 0
 1 #Allow SMTP, HTTPS
 2 pass quick proto tcp from any to {public-ip mail-server} port
 25
 3 pass quick proto tcp from any to {public-ip mail-server} port
 443
 4 pass quick proto tcp from {public-ip mail-server} port 25 to
 any
 5 pass quick proto tcp from {public-ip mail-server} port 25 to
 any
 6 pass quick proto tcp from any port 25 to {public-ip mail-
 server}
 7 pass quick proto tcp from {public-ip mail-server}  to any
 port 25

 Line 4 and 5 are identical. Presumably you wanted to write port 443
 in line 5?

 Ok. It's just a mistake rewriting the rule in the mail.
 In my pf.conf, it's set to port 443, not port 25.


 block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl
 63, id
 14511, len 40)

 block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl
 63, id
 40161, len 52)


 Not sure what's going on here; line 7 should match these.

 That's my problem and what I don't understand 
 In a perfect world, my rule must match these packets  But
 currently not.


 block in on em0: mail-server.25 > 81.28.185.240.1777: [|tcp] (ttl
 63, id
 4151, len 41)


 Not sure what's going on there; line 4 (and, currently, 5) should
 match these.

 Setting the rule pass quick from any to any at the beginning of my
 pf.conf file doesn't solve the problem.
 I always have block on these packets 

 Logs of pftop tool :

 pfTop: Up Rule 1-55/71, View: rules, Cache: 1

 RULE  ACTION   DIR LOG Q IF PRK PKTSBYTES
 STATES   MAX INFO
   0  Pass Any Q  K  56069035
 96   all  flags S/SA
   1  BlockAny Log44 1772
 0   drop all


 This is the option in the pf.conf file :

 set block-policy drop
 set skip on {gif0}
 set loginterface $ext_if
 set limit { states 10, frags 5 }
 set optimization normal
 set state-policy if-bound

Remove that last line and it should work.

If not, send the output of pfctl -s rules.

-HKS



 scrub all no-df random-id fragment reassemble

 Regards.



T1 card compatible with 4.4

2009-04-24 Thread (private) HKS
I'm looking for a T1 card compatible with 4.4.

There were a fair number of recommendations for Sangoma's a101 a few
years ago, followed by threads describing major problems and Sangoma
yanking support for OpenBSD. What alternatives work decently under
OpenBSD?

-HKS



Re: question about net.inet.carp.preempt

2009-04-24 Thread (private) HKS
On Fri, Apr 24, 2009 at 3:32 AM, Imre Oolberg i...@auul.pri.ee wrote:
 Hallo!

 Thanks for the reply! I am also aware that one popular use of
 net.inet.carp.preempt is to control how the computer system as a whole
 reacts to errors like one physical interface goes dead.

 'man carp' says about net.inet.carp.preempt:

 Allow virtual hosts to preempt each other. It is also used to failover carp
 interfaces as a group.  When the option is enabled and one of the carp
 enabled physical interfaces goes down, advskew is changed to 240 on all carp
 interfaces.  See also the first example. Disabled by default.

 What I was mainly interested in this time is, so to say, the practical
 meaning of the first sentence, namely how a pair of carp interfaces in a carp group
 behave while .carp.preempt is not set or is set.

 I decided to dig a little bit deeper because sometimes I can't predict events
 when I add another vlan and carp interface to the running system (the master
 for that particular carp device appears on the wrong side etc). It could be
 easily said to me that if you are so interested use the source, but I am
 sorry, the source is not much help for me, I am more of just a user.


 Imre


Manual failover is simplified:

node1 is master with advskew 0 and node2 is backup with advskew 100

Without carp.preempt, you have to take the master down or (I haven't
tested this) increase its demotion counter. With carp.preempt, you
can just change its advskew to 150 and watch node2 take over.

-HKS
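
An added example, not from this thread or from the "Failing over all CARP interfaces" thread above, that serves both: a small Python model of the CARP election, with the node names and advskew values (0, 100, 150) HKS uses. The model assumes three things about carp(4), labelled here as assumptions: the group demotion counter (the `carpdemote` Jason points to) is added to advskew, capped at 254, when a node advertises; a master that hears a better advertisement steps down; and a backup displaces a worse master only when net.inet.carp.preempt is on. The `ifconfig` invocations in the comments are written as I read ifconfig(8), and the scenario functions are hypothetical names for this example.

```python
"""Toy model of CARP master election: advskew, preempt and group demotion.

Assumed model (not taken from the thread): a node advertises with
advskew + demotion counter (capped at 254); a master yields to any better
advertiser; a backup preempts a worse master only when preempt is enabled."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CarpVhid:
    advbase: int = 1
    advskew: int = 0
    state: str = "BACKUP"


@dataclass
class Node:
    name: str
    demote: int = 0                       # carp group demotion counter
    vhids: Dict[int, CarpVhid] = field(default_factory=dict)


def adv_interval(node: Node, v: CarpVhid) -> float:
    """Seconds between advertisements; the lowest value wins the election."""
    skew = min(v.advskew + node.demote, 254)
    return v.advbase + skew / 256.0


def converge(nodes: List[Node], preempt: bool, max_rounds: int = 10) -> Dict[int, List[str]]:
    """Deliver advertisements round by round until nothing changes; return vhid -> masters."""
    vids = sorted({vid for n in nodes for vid in n.vhids})
    for _ in range(max_rounds):
        changed = False
        for vid in vids:
            members = [(n, n.vhids[vid]) for n in nodes if vid in n.vhids]
            masters = [(n, v) for n, v in members if v.state == "MASTER"]
            if not masters:
                # Silence on the wire: the best advertiser's master_down timer fires first.
                min(members, key=lambda nv: adv_interval(*nv))[1].state = "MASTER"
                changed = True
                continue
            for mn, mv in masters:
                for rn, rv in members:
                    if rn is mn:
                        continue
                    heard_is_better = adv_interval(mn, mv) < adv_interval(rn, rv)
                    mine_is_better = adv_interval(rn, rv) < adv_interval(mn, mv)
                    if rv.state == "MASTER" and heard_is_better:
                        rv.state = "BACKUP"        # a better master is on the wire: step down
                        changed = True
                    elif rv.state == "BACKUP" and preempt and mine_is_better:
                        rv.state = "MASTER"        # preempt the slower master
                        changed = True
        if not changed:
            break
    return {vid: [n.name for n in nodes if vid in n.vhids and n.vhids[vid].state == "MASTER"]
            for vid in vids}


def scenario_raise_advskew(preempt: bool) -> Dict[int, List[str]]:
    """HKS's case: node1 master (advskew 0), node2 backup (advskew 100), then
    the operator runs `ifconfig carp1 advskew 150` on node1."""
    node1 = Node("node1", vhids={1: CarpVhid(advskew=0, state="MASTER")})
    node2 = Node("node2", vhids={1: CarpVhid(advskew=100)})
    node1.vhids[1].advskew = 150
    return converge([node1, node2], preempt)


def scenario_group_demote(preempt: bool, demote: int = 120) -> Dict[int, List[str]]:
    """Three carp interfaces mastered by node1; `ifconfig -g carp carpdemote 120`
    on node1 raises the group counter, and with it the effective advskew of all three."""
    node1 = Node("node1", vhids={v: CarpVhid(state="MASTER") for v in (1, 2, 3)})
    node2 = Node("node2", vhids={v: CarpVhid(advskew=100) for v in (1, 2, 3)})
    node1.demote = demote
    return converge([node1, node2], preempt)


if __name__ == "__main__":
    for preempt in (False, True):
        print(f"preempt={preempt}: advskew 150 ->", scenario_raise_advskew(preempt))
        print(f"preempt={preempt}: carpdemote 120 ->", scenario_group_demote(preempt))
```

With preempt off, node2 hears node1 advertising more slowly and does nothing, so node1 stays master in both scenarios; with preempt on, node2 takes over, and because the demotion counter applies to every carp interface in the group, all three vhids move at once.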



Re: pf.conf on bridge, rdr for spamd passing for two white tables?

2009-04-20 Thread (private) HKS
On Sun, Apr 19, 2009 at 12:25 PM, ppruett-lists ppru...@webengr.com wrote:
 OKAY,

 transparent firewall, bridge, computer between world and rack of computers.
 That openbsd computer has two network cards and also has spamd
 with grey setup.

 I want to not only redirect smtp traffic not white for IP on bridge,
 but redirect smtp traffic not white that is going through it.


 Have two white tables in pf.conf,
 table <mailself> { 192.168.1.251 }
 table <mywhitelist> persist file /etc/mywhitelist
 table <spamd-white> persist


 I was using this, but it was only for self
 rdr pass inet proto tcp from <mywhitelist> to <mailself> port smtp ->
 127.0.0.1 port smtp
 rdr pass inet proto tcp from !<spamd-white> to <mailself> port smtp ->
 127.0.0.1 port spamd



 Tried this, but it did not work:

 rdr pass inet proto tcp from { !<spamd-white>, !<mywhitelist> } to any port
 smtp -> 127.0.0.1 port spamd


See http://www.openbsd.org/faq/pf/macros.html


 Do I have to put mywhitelist into /var/db/spamdb  say with a script using
 spamdb?
 then...
 rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1
 port spamd


 probably the better way to do it...  Just unsure about !



No.

no rdr proto tcp from { <spamd-white>, <mywhitelist> } to any port 25
rdr proto tcp to any port 25 -> 127.0.0.1 port 8025

-HKS
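
The FAQ page HKS points to covers the trap in the rule that did not work: pf expands a list one element per rule, so `from { !<spamd-white>, !<mywhitelist> }` becomes two rules, `from !<spamd-white>` and `from !<mywhitelist>`, and a sender listed in only one table still matches the other rule and is redirected to spamd. The Python below is an added illustration of that expansion next to the `no rdr` form; it is not the thread's code or pf's own parser, and the table contents are constructed.

```python
"""Why `from { !<a>, !<b> }` does not mean "not in a and not in b" in pf,
next to the `no rdr` form. Table contents are constructed sample data."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample tables using the thread's table names (addresses made up).
TABLES: Dict[str, List[str]] = {
    "spamd-white": ["203.0.113.10", "203.0.113.20"],
    "mywhitelist": ["203.0.113.20", "198.51.100.0/24"],
}


def in_table(addr: str, table: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in TABLES[table])


def expand_negated_list(tables: List[str]) -> List[str]:
    """pf expands a list one element per rule, so each negation stands alone:
    `from { !<a>, !<b> }` becomes `from !<a>` and `from !<b>`."""
    return [f"rdr proto tcp from !<{t}> to any port smtp -> 127.0.0.1 port spamd"
            for t in tables]


def negated_list_redirects(addr: str, tables: List[str]) -> bool:
    """A source is redirected if ANY expanded rule matches it, i.e. if it is
    missing from at least one table; only a source in every table escapes."""
    return any(not in_table(addr, t) for t in tables)


def no_rdr_redirects(addr: str, tables: List[str]) -> bool:
    """`no rdr proto tcp from { <a>, <b> } to any port 25` expands to one exempt
    rule per table; translation rules are first-match, so a source in either
    table is exempted before the catch-all
    `rdr proto tcp to any port 25 -> 127.0.0.1 port 8025` is reached."""
    return not any(in_table(addr, t) for t in tables)


def compare(addrs: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """addr -> (redirected by the negated-list rdr, redirected with no rdr + rdr)."""
    names = list(TABLES)
    return {a: (negated_list_redirects(a, names), no_rdr_redirects(a, names)) for a in addrs}


if __name__ == "__main__":
    for rule in expand_negated_list(list(TABLES)):
        print(rule)
    for addr, (bad, good) in compare(["203.0.113.10", "203.0.113.20",
                                      "198.51.100.7", "192.0.2.5"]).items():
        print(f"{addr:15} negated list -> spamd: {bad!s:5}  no rdr form -> spamd: {good}")
```

Only 203.0.113.20, which sits in both tables, escapes the negated-list version; 203.0.113.10 (in spamd-white only) and 198.51.100.7 (in mywhitelist only) are still sent to spamd, while the `no rdr` pair exempts every whitelisted source and redirects only 192.0.2.5.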



Re: VLANs, bridge interface and PF

2009-04-06 Thread (private) HKS
On Mon, Apr 6, 2009 at 2:27 PM, Chris Jones cjo...@gdisoftware.com wrote:
 Good morning folks,

 I am a little bit stumped with my firewall config and need some
 assistance. I have a Soekris net4501 with two interfaces connected. The
 sis1 interface is connected to my macbook and the sis2 interface (vlan
 trunk) is connected to my switch (see diagram below). I have a bridge
 interface (bridge0) with with vlan100, sis1 and ral0 as members. I
 assume this is the best way to have multiple physical interfaces in a vlan.

   .---.
  | |
  | macbook |
 .--.+ sis0.-+ |_|
 |  | / \_\
 |  fw  |+ sis1 +*
 |  |  802.1q trunk.--.  vlan99 (inet)
 !__!+ sis2 ++ |  switch  | +-
| !__!
+ral0 ..   +
  ||   vlan100/
  | server | *
  ||
  !!

 With no rules loaded in PF everything works just fine. From my Macbook I
 am able to NAT outside the network and also access everything on
 vlan100. When I load the rules into PF I am unable to access the
 management IP on the switch or my server, both of which are in vlan100.
 It's obviously an issue with pf and the bridge interface, I just can't
 seem to figure it out (see config below).

 I appreciate any advice on this.

 Cheers,
 -Chris


 hostname.sis1
 -

 up

 hostname.sis2
 -

 up

 hostname.vlan99
 ---

 dhcp NONE NONE NONE vlan 99 vlandev sis2

 hostname.vlan100
 

 inet 192.168.1.1 255.255.255.0 NONE vlan 100 vlandev sis2

 bridgename.bridge0
 --

 add vlan100
 add sis1
 add ral0
 up

 pf.conf
 ---

 #
 # Macros

 ext_if=vlan99
 int_if=vlan100
 int_bridge=bridge0

 int_net=192.168.1.0/24

 icmp_types=echoreq

 #
 # Options

 set block-policy return
 set loginterface $ext_if
 set skip on lo

 #
 # Traffic Normalization

 scrub in

 #
 # NAT Rules: rdr, nat, binat

 nat on $ext_if from !($ext_if) -> ($ext_if:0)
 nat-anchor ftp-proxy/*
 rdr-anchor ftp-proxy/*

 rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
 rdr on $ext_if inet proto tcp from any to ($ext_if) port 2121 \
-> 192.168.1.200 port 21
 rdr on $ext_if inet proto tcp from any to ($ext_if) port  \
-> 192.168.1.200 port 22
 rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 \
-> 192.168.1.200 port 80


 #
 # Filter Rules

 block in

 pass out

 anchor ftp-proxy/*

 antispoof quick for lo0

 pass  in log on $ext_if proto udp from any to ($ext_if:0) \
port {500, 4500}
 pass out log on $ext_if proto udp from ($ext_if:0) to any \
port {500, 4500}

 pass  in log on $ext_if proto esp from any to ($ext_if:0)
 pass out log on $ext_if proto esp from ($ext_if:0) to any

 pass  in log on enc0 proto ipencap from any to ($ext_if:0) \
keep state (if-bound)
 pass out log on enc0 proto ipencap from ($ext_if:0) to any \
keep state (if-bound)

 pass  in on enc0 from 10.1.0.2/32 to any keep state (if-bound)
 pass out on enc0 from 192.168.1.0/24 to any keep state (if-bound)

 pass in inet proto icmp all icmp-type $icmp_types

 pass in  log on $ext_if proto udp from any to port 1194
 pass in  log on $ext_if proto tcp to ($ext_if) port ssh
 pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
port 21
 pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
port 22
 pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
port 80
 pass in  log on $ext_if proto tcp to ($ext_if) port smtp
 pass out log on $ext_if proto tcp from ($ext_if) to port smtp

 pass quick on $int_if


I don't know bridge interfaces, but for shits and giggles try adding:

pass quick on $int_bridge

-HKS



Re: Using 2 internet connections on OpenBSD Gateway

2009-04-02 Thread (private) HKS
On Thu, Apr 2, 2009 at 4:52 AM, LeiV ventas_en_e...@terra.es wrote:
 Hi,
 I have an openbsd firewall/gateway and behind it a webserver. Users arrive at my
 webserver via 1 domain name. I have a cable connection, 12Mbps down/500Kbps
 up. The down speed is OK, I don't have so many incoming requests, but the up
 speed is saturated easily with those requests as my pages have images, etc.
 I would like to add another internet connection to my openbsd box so I can
 increase my upstream bandwidth. Is it possible? All my incoming requests will
 come in over the same internet connection as I only have 1 domain name. Can I
 send back the requested pages over both connections to use both upstream
 bandwidths? If so, how can I do it? Any howto?

 Thanks

 --
 View this message in context:
http://n2.nabble.com/Using-2-internet-connections-on-OpenBSD-Gateway-tp257407
5p2574075.html
 Sent from the OpenBSD Misc mailing list archive at Nabble.com.


In a nutshell, no you can't.

Unless your ISP can bond a pair of connections to a single IP, or load
balance incoming traffic over two IPs. Or if you want to do
round-robin DNS load balancing (bad idea) so some incoming requests
hit one IP, some hit the other. Or if you get your own AS and talk BGP
with your providers.

But you can't take requests in to one IP and send the reply out from
another (think about state). A good ISP won't let you send traffic
over their network from an IP they didn't assign you, so you can't
spoof the from-address of the reply.

So unless you're willing to do some heavy lifting on network configuration,
no.

Instead of mucking about with this, you're better off buying a decent
VPS or dedicated server somewhere with a real network connection.

-HKS



Re: Tape drive not detected on LSI 20320

2009-03-30 Thread (private) HKS
On Thu, Mar 26, 2009 at 11:29 AM, (private) HKS hks.priv...@gmail.com
wrote:
 OpenBSD 4.4 on a Dell Poweredge 2950. SCSI card is an LSI 20320, tape
 drive is Dell Powervault 124T (aka IBM Ultrium-TD3).

 The tape drive shows up in the card's BIOS, but dmesg sees it as a
 SCSI device with no drivers:
 
 # dmesg | grep mpi0
 mpi0 at pci6 dev 8 function 0 Symbios Logic 53c1030 rev 0xc1: irq 6
 scsibus0 at mpi0: 16 targets, initiator 7
 mpi0: target 0 Sync at 40MHz width 8bit offset 127 QAS 0 DT 0 IU 0
 # dmesg | grep scsibus0
 scsibus0 at mpi0: 16 targets, initiator 7
 uk0 at scsibus0 targ 0 lun 0: UTIMT3, 8P,  SCSI3 1/sequential fixed
 

 This same drive worked on a Dell 2850 with an Adaptec 39160, but I
 have to move to the 2950 and it only has PCI-e slots. Using an example
 I don't fully understand from man 8 scsi, I can query the name of the
 device:
 
 # scsi -f /dev/uk0 -c 12 0 0 0 64 0 -i 0x64 s8 z8 z16 z4
 IBM ULTRIUM-TD3 85P8
 

 Any idea why this failing with one card and not the other?

 -HKS

Appears to be some nuance with the LSI board. I bought an Adaptec
29320LPE and it works perfectly.

-HKS






Re: OpenBSD mta with postfix

2009-03-27 Thread (private) HKS
On Fri, Mar 27, 2009 at 3:46 PM, John Brooks j...@day-light.com wrote:
 I've just received this response from a large corporate email
 system regarding their claim that emails sent to them are not
 getting through even though our logs contain acknowledgements
 of accepting the mail sent.

 In our mail logs:
 ... status=sent (250 Message accepted for delivery)


 Their response:
 ... my understanding of the firmname removed security policy
 is not to acknowledge mistakes in email addresses as a best
 practice defense against phishing and other types of email
 delivered attacks.

 Anybody run into this kind of logic before?


 --
 John Brooks
 j...@day-light.com


Idiocy. If a spammer/phisher even bothers looking at the return code,
he'll only be looking for 5xx to remove broken accounts from his list.
The use of botnets for spamming makes the cost of a few thousand false
entries in this list negligible. The presence of bad addresses does not
eliminate the presence of correct addresses.

Why sacrifice usability for no additional security?

-HKS



Tape drive not detected on LSI 20320

2009-03-26 Thread (private) HKS
OpenBSD 4.4 on a Dell Poweredge 2950. SCSI card is an LSI 20320, tape
drive is Dell Powervault 124T (aka IBM Ultrium-TD3).

The tape drive shows up in the card's BIOS, but dmesg sees it as a
SCSI device with no drivers:

# dmesg | grep mpi0
mpi0 at pci6 dev 8 function 0 Symbios Logic 53c1030 rev 0xc1: irq 6
scsibus0 at mpi0: 16 targets, initiator 7
mpi0: target 0 Sync at 40MHz width 8bit offset 127 QAS 0 DT 0 IU 0
# dmesg | grep scsibus0
scsibus0 at mpi0: 16 targets, initiator 7
uk0 at scsibus0 targ 0 lun 0: UTIMT3, 8P,  SCSI3 1/sequential fixed


This same drive worked on a Dell 2850 with an Adaptec 39160, but I
have to move to the 2950 and it only has PCI-e slots. Using an example
I don't fully understand from man 8 scsi, I can query the name of the
device:

# scsi -f /dev/uk0 -c 12 0 0 0 64 0 -i 0x64 s8 z8 z16 z4
IBM ULTRIUM-TD3 85P8


Any idea why this failing with one card and not the other?

-HKS



OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR
real mem  = 2142142464 (2042MB)
avail mem = 2062938112 (1967MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/12/08, BIOS32 rev. 0 @
0xffe90, SMBIOS rev. 2.5 @ 0x7fb9c000 (67 entries)
bios0: vendor Dell Inc. version 2.5.0 date 09/12/2008
bios0: Dell Inc. PowerEdge 2950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX2)
acpiprt2 at acpi0: bus 5 (UPST)
acpiprt3 at acpi0: bus 6 (DWN1)
acpiprt4 at acpi0: bus 8 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 0 (PE2P)
acpiprt7 at acpi0: bus 11 (PEX4)
acpiprt8 at acpi0: bus 13 (PEX6)
acpiprt9 at acpi0: bus 2 (SBEX)
acpiprt10 at acpi0: bus 15 (COMP)
acpicpu0 at acpi0: C3
bios0: ROM list: 0xc/0x9000! 0xc9000/0x1000 0xca000/0x800
0xca800/0x1e00 0xcc800/0x5e00 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 5000X Host rev 0x12
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0x12
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 5
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 6
ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci4 at ppb3 bus 7
bnx0 at pci4 dev 0 function 0 Broadcom BCM5708 rev 0x12: irq 5
ppb4 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01: irq 5
pci5 at ppb4 bus 8
ppb5 at pci5 dev 0 function 0 PLX PEX 8114 rev 0xbc
pci6 at ppb5 bus 9
mpi0 at pci6 dev 8 function 0 Symbios Logic 53c1030 rev 0xc1: irq 6
scsibus0 at mpi0: 16 targets, initiator 7
uk0 at scsibus0 targ 0 lun 0: UTIMT3, 8P,  SCSI3 1/sequential fixed
mpi0: target 0 Sync at 40MHz width 8bit offset 127 QAS 0 DT 0 IU 0
ppb6 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci7 at ppb6 bus 10
ppb7 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0x12
pci8 at ppb7 bus 1
mfi0 at pci8 dev 0 function 0 Symbios Logic SAS1078 rev 0x04: irq 5,
Dell PERC 6/i integrated
mfi0: logical drives 1, version 6.0.2-0002, 256MB RAM
scsibus1 at mfi0: 1 targets, initiator 64
sd0 at scsibus1 targ 0 lun 0: DELL, PERC 6/i, 1.11 SCSI3 0/direct fixed
sd0: 2859520MB, 44942 cyl, 511 head, 255 sec, 512 bytes/sec,
5856296960 sec total
ppb8 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0x12
pci9 at ppb8 bus 11
ppb9 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0x12
pci10 at ppb9 bus 12
ppb10 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0x12
pci11 at ppb10 bus 13
ppb11 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0x12
pci12 at ppb11 bus 14
pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0x12
pchb2 at pci0 dev 16 function 1 Intel 5000 Error Reporting rev 0x12
pchb3 at pci0 dev 16 function 2 Intel 5000 Error Reporting rev 0x12
pchb4 at pci0 dev 17 function 0 Intel 5000 Reserved rev 0x12
pchb5 at pci0 dev 19 function 0 Intel 5000 Reserved rev 0x12
pchb6 at pci0 dev 21 function 0 Intel 5000 FBD rev 0x12
pchb7 at pci0 dev 22 function 0 Intel 5000 FBD rev 0x12
ppb12 at pci0 dev 28 function 0 Intel 6321ESB PCIE rev 0x09
pci13 at ppb12 bus 2
ppb13 at pci13 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci14 at ppb13 bus 3
bnx1 at pci14 dev 0 function 0 Broadcom BCM5708 rev 0x12: irq 5
uhci0 at pci0 dev 29 function 0 Intel 6321ESB USB rev 0x09: irq 11
uhci1 at pci0 dev 29 function 1 Intel 6321ESB USB rev 0x09: irq 10
uhci2 at pci0 dev 29 function 2 Intel 6321ESB USB rev 0x09: irq 11
uhci3 at pci0 dev 29 function 3 Intel 6321ESB USB rev 0x09: irq 10
ehci0 at pci0 dev 29 function 7 Intel 6321ESB 

Re: Quick question about an PF user's guide example

2009-03-11 Thread (private) HKS
On Tue, Mar 10, 2009 at 9:16 PM, Leonardo Rodrigues
leonardov...@gmail.com wrote:
 Hi everyone,

 I'm trying to build a PF / ALTQ ruleset that handles traffic between 3
 internal interfaces and 1 external, so that the internal interfaces
 can have different priorities on the available bandwidth they can get
 from the external interface. I don't know if that's possible with only
 ALTQ rules, or if I'll have to use tagging, so I'm trying to
 understand some simple setups before.

 While reading the example #2 on the PF user's guide
 (http://www.openbsd.org/faq/pf/queueing.html#example2), I came across
 the following ruleset:


 boss  = 192.168.0.200
 ...
 altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
 ...
 queue boss_ext   bandwidth 500Kb priority 3 cbq(borrow)
 ...
 # filter rules for fxp0 outbound
 pass out on fxp0 from $boss to any keep state queue boss_ext


 Where fxp0 is the external interface (internet). My question is about
 that last rule above. Assuming that NAT is working so that the boss
 is able to surf the web, and since NAT translations happen before the
 filtering rules, then the rule above shouldn't work... right? The fxp0
 interface would be able to filter only on already translated addresses
 (its own address), and not on unstranslated addresses, like
 192.168.200, which is the boss IP, on a different subnet. Would a
 rule like that work?

No. Without looking at the actual example, I can say that your
understanding of NAT/filter interaction is correct and this will not
work.


 If that setup works, I might be able to implement my original idea, by
 doing something like:
 pass out on fxp0 from 192.168.0.5 to any keep state queue traffic1_ext
 pass out on fxp0 from 192.168.2.5 to any keep state queue traffic2_ext
 pass out on fxp0 from 192.168.5.5 to any keep state queue traffic3_ext

 Thanks for any ideas =)

 Leonardo Rodrigues

Bear in mind that while a queue is applied to the egress interface,
the classification of that traffic may take place on another
interface. So you could do something more like this:

pass from 192.168.0.5 to ! <mynet> keep state queue traffic1_ext

Or use tagging to avoid maintaining a table of your own networks.

-HKS



Re: System security question

2009-03-02 Thread (private) HKS
On Sat, Feb 28, 2009 at 12:40 PM, Jean-Francois jfsimon1...@gmail.com wrote:
 Hi,
 And I totally agree with you, Mixing firewall services with services
 like Web or file/print services is a recipe for disaster.

 True since hacking the web server is entering the firewall itself.
 But the web server, httpd, is chrooted ... so why would there be a
 problem here ?

Because security is never absolute. It is a matter of probabilities,
measuring cost against risk, reducing possible attack vectors, and
minimizing the effects of a successful attack. In practice, it means
following redundant best practice with the assumption that there is a
flaw in the system somewhere, so you're going to put as many layers of
obstacles as possible between yourself and your attacker. A very
simple example is host-based firewalls and network-based firewalls.
You use both so that your attacker has that much more protection to
wade through before actually getting to your important stuff. Maybe
they'll get frustrated and move on. If nothing else, you'll have that
much more time to notice the attack in progress.

You could probably run your web and file server on your firewall and
never have a security breach. Probably, because if you're running all
that on the same machine, it's clear you're not a high profile target.
The most you'll probably see is SSH brute force attacks and some
clumsy attempts at SQL injection. But probably is cold comfort if
someone exploits a flaw in your web app, gains a local shell (chrooted
though it may be), and then leaps to one of your local machines. Or
discovers a flaw in the chrooting system. Or finds an exploitable app
available in the chroot. Or DOSs your firewall. Or just installs a
little app there that adds your firewall/file/web server to their
botnet. Or manages to force your internal interface into promiscuous
mode. Or...

Get the idea? Ultimately, it's up to you. Your firewall is there as a
first line of defense against malicious attacks. Opening additional
attack vectors on this machine is a bad idea. Locating your most
likely point of failure (your web app) on a machine with unrestricted
access to your internal data is a bad idea. But if your data is worth
less to you than a second old PC and a couple hours to set up 4.4 and
PF, then by all means, run everything on the same box.

-HKS



Re: NAT, Firewall pf

2009-02-24 Thread (private) HKS
On Mon, Feb 23, 2009 at 11:47 PM, johan beisser j...@caustic.org wrote:
 Comments inline.

 On Feb 23, 2009, at 5:58 PM, Hilco Wijbenga wrote:

 Hi all,

 I've been trying to get a simple firewall system up-and-running in
 OpenBSD. I have The Book of PF and Secure Architectures
 with OpenBSD so I thought it would be very simple. Well, we're two
 weeks later now and still no firewall. :-) The pf rules I found in
 those books don't seem to work as I expected them to work.

 The PF FAQ and the man page for pf.conf(5) should cover everything you need.
 The books are a nice addition, though.

 Before I list my current pf.conf, let me give a few more details. My
 firewall will be running a few services for my network (DHCP, NTP, and
 DNS). I need to use NAT to get my own network Internet access. DHCP
 works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
 ICMP working.

 So, you need to set net.inet.ip.forward to 1 to ensure packets go out.

 /etc/pf.conf
 01 ext_if = sk0
 02 int_if = sk1
 03 localnet = $int_if:network
 04 internet = $ext_if:network
 05 udp_services = { domain, ntp }
 06 icmp_types = { echoreq, unreach }
 07
 08 nat log on $ext_if from $localnet to any -> ($ext_if)
 09
 10 block log all
 11
 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
 14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
 15
 16 pass inet proto icmp all icmp-type $icmp_types
 17 pass from { lo0, $localnet } to any keep state

 First, no traffic will go out with these rules as is. Unless states and
 flows match perfectly, it won't happen.

Wrong.


 a. Why do I need 12? I had expected 13 (which I don't seem to need).
 Wouldn't 12 be for incoming requests from the Internet?

 I'm not sure what you're trying to do with 12 or 13. The ports (domain and
 ntp) will be the only traffic permitted to enter any interface on the
 firewall.

Wrong. ICMP echoreq and unreachable are passed (16), as is all traffic
of any kind from the localnet (17).


 b. Given that ping works from my network (so that presumably routing
 is okay), why doesn't anything else work? HTTP seems blocked by the
 firewall.

 Don't presume. Think. You're passing ICMP types inward (req, unreach).
 That's it. I suspect you're not passing that traffic outbound otherwise.

Wrong. ICMP types are passed any direction. Traffic from localnet is
unrestricted.


 c. How can I get pflog to flush immediately? I noticed I have to wait
 a minute or so before logged lines show up.

 What syntax are you using to monitor it?

 d. Any other pointers?

 Start over.

 I make no claims this works or will work for you. It's a simple rewrite of
 what you claimed to want (NAT for outbound traffic, for example).

 ext_if=sk0
 int_if=sk1
 udp_services={ domain, ntp}

 set skip on lo
 set block-policy return
 scrub in

 nat on $ext_if from $int_if:network to any -> ($ext_if)
 block log

 pass out quick from $int_if to $int_if:network
 pass out quick from $ext_if to any

 pass in quick on $ext_if proto {tcp, udp} from any to ($ext_if) port $udp_services
 pass in quick on $int_if from $int_if:network to any



Go with Jason Dixon's ruleset unless you need to expose DNS and NTP on
your gateway to the world.

-HKS



Re: NAT, Firewall pf

2009-02-24 Thread (private) HKS
On Mon, Feb 23, 2009 at 8:58 PM, Hilco Wijbenga
hilco.wijbe...@gmail.com wrote:
 Hi all,

 I've been trying to get a simple firewall system up-and-running in
 OpenBSD. I have The Book of PF and Secure Architectures
 with OpenBSD so I thought it would be very simple. Well, we're two
 weeks later now and still no firewall. :-) The pf rules I found in
 those books don't seem to work as I expected them to work.

 Before I list my current pf.conf, let me give a few more details. My
 firewall will be running a few services for my network (DHCP, NTP, and
 DNS). I need to use NAT to get my own network Internet access. DHCP
 works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
 ICMP working.

 /etc/pf.conf
 01 ext_if = sk0
 02 int_if = sk1
 03 localnet = $int_if:network
 04 internet = $ext_if:network
 05 udp_services = { domain, ntp }
 06 icmp_types = { echoreq, unreach }
 07
 08 nat log on $ext_if from $localnet to any -> ($ext_if)
 09
 10 block log all
 11
 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
 14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
 15
 16 pass inet proto icmp all icmp-type $icmp_types
 17 pass from { lo0, $localnet } to any keep state

 a. Why do I need 12? I had expected 13 (which I don't seem to need).
 Wouldn't 12 be for incoming requests from the Internet?

You need 12 because of 8. When you pass a DNS request out from your
localnet, 13 passes it in on int_if, but then it's natted BEFORE
traversing the egress PF rules. Jason Dixon's suggested rules bypass
this by not blocking outbound traffic to begin with.

 b. Given that ping works from my network (so that presumably routing
 is okay), why doesn't anything else work? HTTP seems blocked by the
 firewall.

Same NAT/PF issue as above. Your ICMP rule ignores source/destination
addresses, so it's not affected.

 c. How can I get pflog to flush immediately? I noticed I have to wait
 a minute or so before logged lines show up.

I think it's already been suggested, but if you want a live view,
tcpdump -i pflog0 rather than tailing pflog.

 d. Any other pointers?

Use Jason's suggested ruleset. Simpler is better.


 Cheers,
 Hilco



-HKS
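To make the ordering HKS describes concrete (NAT on the external interface runs before the egress filter, so rule 13 never matches there and rule 12 is what passes the translated packet), here is a toy model of that evaluation. It is an added example, not code from this thread, from the queueing thread above, or from pf itself; it assumes 192.168.1.0/24 for $localnet, the documentation prefix 203.0.113.0/24 for $internet with 203.0.113.5 on sk0, and ignores state, so each direction is matched against the rules afresh. The last function applies the same model to the `pass out on fxp0 from $boss` rule from the queueing thread.

```python
"""Toy model of pre-4.7 pf on a NAT gateway: a LAN packet is filtered inbound on
the internal interface, its source is rewritten by 'nat on $ext_if', and only
then is it filtered outbound on the external interface.
Added example, not code from the thread or from pf; addresses are constructed."""
from dataclasses import dataclass, replace
import ipaddress

ANY = None  # wildcard for direction, interface, protocol, address and port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0  # 0 = no port (icmp)

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    label: str            # the poster's pf.conf line number, for reporting
    direction: str = ANY  # "in", "out" or ANY
    iface: str = ANY
    protos: frozenset = ANY
    src: str = ANY        # CIDR text or ANY
    dst: str = ANY
    dports: frozenset = ANY
    quick: bool = False

def in_net(addr, cidr):
    """True when cidr is the wildcard or contains addr."""
    return cidr is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def matches(rule, pkt, direction, iface):
    return ((rule.direction is ANY or rule.direction == direction)
            and (rule.iface is ANY or rule.iface == iface)
            and (rule.protos is ANY or pkt.proto in rule.protos)
            and in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and (rule.dports is ANY or pkt.dport in rule.dports))

def evaluate(rules, pkt, direction, iface):
    """Filter semantics: the last matching rule wins unless a matching rule is 'quick'."""
    winner = None
    for rule in rules:
        if matches(rule, pkt, direction, iface):
            winner = rule
            if rule.quick:
                break
    return winner

def forward(rules, pkt, int_if, ext_if, nat_net, nat_addr):
    """Verdict and deciding rule for a LAN packet entering int_if and leaving ext_if.
    State is deliberately ignored: each direction is matched against the rules afresh."""
    rule = evaluate(rules, pkt, "in", int_if)
    if rule is None or rule.action != "pass":
        return ("blocked in on " + int_if, rule.label if rule else "default")
    if in_net(pkt.src, nat_net):                # 'nat on $ext_if from $localnet' runs first,
        pkt = replace(pkt, src=nat_addr)        # so the egress filter only sees the NAT address
    rule = evaluate(rules, pkt, "out", ext_if)
    if rule is None or rule.action != "pass":
        return ("blocked out on " + ext_if, rule.label if rule else "default")
    return ("passed", rule.label)

# Constructed stand-ins for the poster's macros ($int_if=sk1, $ext_if=sk0).
LOCALNET, INTERNET, EXT_ADDR = "192.168.1.0/24", "203.0.113.0/24", "203.0.113.5"
UDP_SERVICES = frozenset({53, 123})  # { domain, ntp }
TCP_UDP = frozenset({"tcp", "udp"})

def hilco_rules(with_rule_12=True):
    """Rules 10, 12, 13, 16 and 17 of the quoted pf.conf (icmp-type matching omitted)."""
    rules = [Rule("block", "10")]
    if with_rule_12:
        rules.append(Rule("pass", "12", protos=TCP_UDP, src=INTERNET, dports=UDP_SERVICES, quick=True))
    rules += [Rule("pass", "13", protos=TCP_UDP, src=LOCALNET, dports=UDP_SERVICES, quick=True),
              Rule("pass", "16", protos=frozenset({"icmp"})),
              Rule("pass", "17", src=LOCALNET)]
    return rules

def gateway(pkt, rules):
    return forward(rules, pkt, "sk1", "sk0", LOCALNET, EXT_ADDR)

DNS = Packet("udp", "192.168.1.10", "198.51.100.53", 53)
HTTP = Packet("tcp", "192.168.1.10", "198.51.100.80", 80)
PING = Packet("icmp", "192.168.1.10", "198.51.100.80")

def classify_boss(egress_only):
    """The queueing thread's 'pass out on fxp0 from $boss ... queue boss_ext' versus an
    interface-less 'pass from $boss ...': does the rule ever see the untranslated source?"""
    boss = Packet("tcp", "192.168.1.200", "198.51.100.80", 80)
    rule = Rule("pass", "boss_ext", direction="out" if egress_only else ANY,
                iface="sk0" if egress_only else ANY, src="192.168.1.200")
    return (matches(rule, boss, "in", "sk1")
            or matches(rule, replace(boss, src=EXT_ADDR), "out", "sk0"))

if __name__ == "__main__":
    for name, pkt in (("dns", DNS), ("http", HTTP), ("ping", PING)):
        print(name, gateway(pkt, hilco_rules()), "without 12:", gateway(pkt, hilco_rules(False)))
    print("boss rule on egress only:", classify_boss(True), "anywhere:", classify_boss(False))
```

Running it shows DNS passing only via rule 12, HTTP blocked on sk0 by rule 10 even though rule 17 passed it in on sk1, and the address-free ICMP rule 16 passing in both directions, which is exactly the behaviour the poster saw.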



Re: routing problem

2009-02-20 Thread (private) HKS
On Fri, Feb 20, 2009 at 6:34 AM, Federico deepb...@fastwebnet.it wrote:
 Hello all,

 I have trouble with something routing-related that I can't figure out.

 I have this configuration:


 **
 ***INTERNET***
 **
 |
bnx1
 | FIREWALL |
bnx0
 |
DMZ (10.0.0.0/28)
 |
bnx1
 |  PROXY  |
bnx0
 |
LAN (192.168.80.0/24)



 FIREWALL and PROXY are both OpenBSD machines.

 The bnx1 of the firewall is configured on a public subnet.

 A couple of machines in the DMZ are natted with public ip configured on
 the bnx1 of the firewall.

 For a particular reason, I have to route traffic from LAN to DMZ using
 the public IP. I can't use a DNS based solution (like views). So, when
 I try to connect to a DMZ machine by using its public (natted) IP,
 traffic is blocked at bnx0 of the firewall.

 With tcpdump I can see that bnx0 answers with a RST packet to the
 connection request coming from lan (and masked by PROXY).

 The only trick I found to make it work is using redirect on PROXY,
 something like that:

 rdr on bnx1 from bnx0:network to $MyPublicIp -> 10.0.0.2

 This is the basic ruleset I'm using on FIREWALL:

 set skip on lo
 scrub in
 rdr pass on bnx1 proto tcp from any to $MyPublicIP port 80 -> 10.0.0.2
 block in log
 pass out
 pass in on bnx1 proto tcp from any to 10.0.0.2 port 80 flags S/SA
 synproxy state

 I didn't touch routes.

 Is there another way than using a set of rdr rules? Did I miss some man
 page?


$MyPublicIP doesn't actually belong to your DMZ machine, so FIREWALL's
route to that address (if it has one) is not what you're expecting.

Your rdr on PROXY solves the problem. Use it or remove the need for it.

-HKS



Re: A virus road map for GNOME and KDE?

2009-02-20 Thread (private) HKS
On Fri, Feb 20, 2009 at 9:12 AM, Lars Noodin larsnoo...@openoffice.org
wrote:
 Navan Carson wrote:
 ... The best way to accomplish what you seem to want, is to deny the
 message during the SMTP dialog. That way you don't create another
 tool for the Spammers.

 Of course that's best, but it also presumes a competent mail
 administrator.  Rare as hen's teeth these days, compared to the number
 of mail servers or things that call themselves mail servers out there.

 Unless the autoresponder is misconfigured to make an infinite loop, it's
 not going to be a tool for spammers.  Without it, the spam would be coming
 to your mailbox.

 With it, at worst, if the originating address is spoofed, then the
 autoresponder will be doing a favor to the real owner of the address by
 pointing out the problem so it can be addressed and solved.  You might
 even add some explanation in the message about if you did not send this
 message, then ...

 Regards
 -Lars



...then? Spoofing is one of those things that can't really be fixed.
Assuming your MTA is one of the few that actually enforces SPF, they
could configure that and no longer get your autoreplies. That's it.
And with the vast majority of other MTAs not supporting SPF, they're
going to be getting plenty of back-scatter spam anyway. And since the
implication is that you use this solution if your mail administrator
is incompetent, it's doubtful they're enforcing SPF.

Competent mail administrators these days do not fire off autoresponses
to spammers. They assume that the From: address is bullshit. They
assume that much of the time it will have broken MX records, which
means you run the risk of clogging your system with deferred
autoresponses to messages you didn't want in the first place.

Block spam at the dialog level if possible. If it gets through, either
dump it to /dev/null or report it to Spamcop and then dump it to
/dev/null.

-HKS



Re: bwi0

2009-02-19 Thread (private) HKS
On Thu, Feb 19, 2009 at 10:42 AM, Michael bsd...@cableone.net wrote:
 I am trying (again) to get wireless working with OpenBSD 4.4. Following are 
 /etc files and dmesg.
 With debug entered into my /etc/hostname.bwi0, I get sending probe_req 
 ff:ff:ff:ff:ff:ff and then bwi0: no networksleeping
 Router is linksys wrt54g2 and card on laptop is broadcom 4318 11g. Router is 
 set up for wpa wpa2.
 I can't get any type of connection at all.
 Hope the info helps. I've tried every item in /etc/hostname.bwi0, plus not 
 using that file and just trying via ifconfig (as root) to set up connection 
 with no luck.

 Here are the files:

 # ifconfig bwi0
 bwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:16:ce:49:a8:e1
groups: wlan
media: IEEE802.11 autoselect mode 11g (DS1 mode 11g)
status: no network
ieee80211: nwid  chan 6 wpapsk 0xmynwkey wpaprotos wpa1,wpa2 
 wpaakms psk,802.1x wpaciphers tkip,ccmp wpagroupcipher tkip
inet6 fe80::216:ceff:fe49:a8e1%bwi0 prefixlen 64 scopeid 0x2

 /etc/hostname.bwi0
 dhcp
 #dhcp NONE NONE NONE nwid  mode 11g chan 6
 #dhcp nwid  nwkey 0xmynwkey
 #dhcp nwid  wpa wpapsk 0xmynwkey chan 6 up
 #dhcp NONE NONE NONE chan 6 wpa wpapsk $(wpa-psk  x) media autoselect 
 mode 11g up debug
 #dhcp up chan 6 nwid  wpa wpapsk $(wpa-psk  ) debug

 /etc/mygate
 192.168.1.1 ( I just tried with this set 3 or 4 times)

 dmesg
 OpenBSD 4.4-stable (GENERIC) #1: Mon Jan 19 16:25:07 MST 2009
r...@box.my.domain:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Mobile AMD Sempron(tm) Processor 3100+ (AuthenticAMD 686-class, 256KB 
 L2 cache) 1.81 GHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
 cpu0: AMD erratum 89 present, BIOS upgrade may be required
 real mem  = 468217856 (446MB)
 avail mem = 444178432 (423MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 02/20/06, BIOS32 rev. 0 @ 0xfd5f0, 
 SMBIOS rev. 2.31 @ 0x1befb000 (24 entries)
 bios0: vendor Acer version 3A32 date 02/20/06
 bios0: Acer, inc. Aspire 3000
 acpi at bios0 function 0x0 not configured
 pcibios0 at bios0: rev 2.1 @ 0xfd5f0/0xa10
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdd30/160 (8 entries)
 pcibios0: PCI Interrupt Router at 000:02:0 (SiS 85C503 System rev 0x00)
 pcibios0: PCI bus #2 is the last bus
 bios0: ROM list: 0xc/0xc000 0xdc000/0x8000!
 cpu0 at mainbus0
 cpu0: PowerNow! K8 1801 MHz: speeds: 1800 1600 800 MHz
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 SiS 760 PCI rev 0x03
 ppb0 at pci0 dev 1 function 0 SiS 86C202 VGA rev 0x00
 pci1 at ppb0 bus 1
 vga1 at pci1 dev 0 function 0 SiS 6330 VGA rev 0x00
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 agp0 at vga1: aperture at 0xe000, size 0x40
 drm at vga1 unsupported
 pcib0 at pci0 dev 2 function 0 SiS 85C503 System rev 0x25
 pciide0 at pci0 dev 2 function 5 SiS 5513 EIDE rev 0x00: 760: DMA, channel 
 0 configured to compatibility, channel 1 configured to compatibility
 wd0 at pciide0 channel 0 drive 0: HTS541060G9AT00
 wd0: 16-sector PIO, LBA48, 57231MB, 117210240 sectors
 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
 atapiscsi0 at pciide0 channel 1 drive 0
 scsibus0 at atapiscsi0: 2 targets, initiator 7
 cd0 at scsibus0 targ 0 lun 0: PHILIPS, CDRW/DVD SCB5265, TX07 ATAPI 5/cdrom 
 removable
 cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
 SiS 7013 Modem rev 0xa0 at pci0 dev 2 function 6 not configured
 auich0 at pci0 dev 2 function 7 SiS 7012 AC97 rev 0xa0: irq 5, SiS7012 AC97
 ac97: codec id 0x414c4770 (Avance Logic ALC203 rev 0)
 ac97: codec features headphone, 20 bit DAC, 18 bit ADC, No 3D Stereo
 audio0 at auich0
 ohci0 at pci0 dev 3 function 0 SiS 5597/5598 USB rev 0x0f: irq 9, version 
 1.0, legacy support
 ohci1 at pci0 dev 3 function 1 SiS 5597/5598 USB rev 0x0f: irq 11, version 
 1.0, legacy support
 ehci0 at pci0 dev 3 function 2 SiS 7002 USB rev 0x00: irq 10
 usb0 at ehci0: USB revision 2.0
 uhub0 at usb0 SiS EHCI root hub rev 2.00/1.00 addr 1
 sis0 at pci0 dev 4 function 0 SiS 900 10/100BaseTX rev 0x91: irq 3, address 
 00:16:36:3c:14:4a
 rlphy0 at sis0 phy 13: RTL8201L 10/100 PHY, rev. 1
 cbb0 at pci0 dev 6 function 0 TI PCI1510 CardBus rev 0x00: irq 3
 bwi0 at pci0 dev 11 function 0 Broadcom BCM4318 rev 0x02: irq 4, address 
 00:16:ce:49:a8:e1
 pchb1 at pci0 dev 24 function 0 AMD AMD64 0Fh HyperTransport rev 0x00
 pchb2 at pci0 dev 24 function 1 AMD AMD64 0Fh Address Map rev 0x00
 pchb3 at pci0 dev 24 function 2 AMD AMD64 0Fh DRAM Cfg rev 0x00
 kate0 at pci0 dev 24 function 3 AMD AMD64 0Fh Misc Cfg rev 0x00
 isa0 at pcib0
 isadma0 at isa0
 pckbc0 at isa0 port 0x60/5
 pckbd0 at pckbc0 (kbd slot)
 pckbc0: using irq 1 for kbd slot
 wskbd0 at pckbd0: console keyboard, using wsdisplay0
 pms0 at pckbc0 (aux slot)
 pckbc0: using irq 12 for aux slot
 

Re: spamd whitelisting not working, sure i'm missing something

2009-02-16 Thread (private) HKS
On Mon, Feb 16, 2009 at 2:29 PM, jmc j...@cosmicnetworks.net wrote:
 i'm trying to deal with mail providers like gmail that have pools of
 outgoing smtp servers that shuffle among them for mail delivery.

 in the case of gmail, i've taken the output of 'dig txt _spf.google.com.
 +short', parsed it appropriately, and added it to table spamd-mywhite.
 (in short, i write to /etc/mail/spamd-mywhite and then use pfctl to load
 up the table).

 relevant pf.conf snippet:

 table <spamd-mywhite> persist file "/etc/mail/spamd-mywhite"

 rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
 rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port spamd
 rdr pass inet proto tcp from <spamd-white> to any port smtp -> 127.0.0.1 port smtp
 rdr pass inet proto tcp from <spamd-mywhite> to any port smtp -> 127.0.0.1 port smtp

 right now, my spamd is stuttering at some gmail addresses, which test
 positively that they are in spamd-mywhite, and thus i *believe* should
 be handed off directly to smtp given my rules. mail from sourceforge.com
 (_spf.sourceforge.com.), mail from facebook.com, and mail from
 nytimes.com all apparently worked OK, and don't get stuttered at. i'm
 running 4.4-STABLE, unmodified GENERIC kernel, FWIW.

 === j...@cosmicnetworks (ttyp3) ~ {2094} 0-- sudo /sbin/pfctl -T test -t spamd-mywhite 72.14.220.153
 1/1 addresses match.
 === j...@cosmicnetworks (ttyp3) ~ {2095} 0-- sudo /sbin/pfctl -T test -t spamd-mywhite 209.85.218.176
 1/1 addresses match.
 === j...@cosmicnetworks (ttyp3) ~ {2096} 0--

 for brevity sake, i didn't include my entire pf.conf. if it would help,
 i can share. i just feel i'm missing something really simple and stupid
 here.

 --john




table <spamd-mywhite> persist file "/etc/mail/spamd-mywhite"

rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from <spamd-mywhite> to any port smtp -> 127.0.0.1 port smtp
rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from <spamd-white> to any port smtp -> 127.0.0.1 port smtp


There you go.

-HKS
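
The rule-ordering point in this thread, as an added example that is not part of the original exchange: a small Python model of pf's first-match evaluation of rdr rules (translation rules match first-hit, unlike filter rules) run over the two orderings above, showing why a host that is only in <spamd-mywhite> is still caught by the negated !<spamd-white> rule when that rule comes first. The SPF record string and table contents are constructed stand-ins, not Google's real data or the poster's tables.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample SPF record standing in for the output of
# 'dig txt _spf.google.com. +short'; not Google's real record.
SPF_TXT = "v=spf1 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ~all"


def spf_networks(txt):
    """Extract ip4:/ip6: mechanisms from one SPF TXT record.

    This is the 'parsed it appropriately' step from the post.  include:
    mechanisms need a further DNS lookup and are deliberately not followed.
    """
    nets = []
    for mech in txt.split():
        m = re.match(r"^\+?(ip4|ip6):(.+)$", mech)
        if m:
            nets.append(ipaddress.ip_network(m.group(2), strict=False))
    return nets


def load_table(entries):
    """A pf table: a list of networks (single hosts become /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_table(ip, table):
    return any(ip in net for net in table)


@dataclass
class Rdr:
    """One 'rdr pass ... from [!]<table> to any port smtp -> 127.0.0.1 port X'."""
    negate: bool   # True for '!<table>'
    table: str
    port: str      # "spamd" or "smtp"


def first_match(src, rules, tables):
    """pf evaluates translation (rdr/nat) rules first-match: the first rdr
    whose source matches decides where the connection is redirected."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if in_table(ip, tables[r.table]) != r.negate:
            return r.port
    return None  # no rdr matched; the packet is not redirected


# Constructed table contents.  <spamd-white> is what spamd fills in itself
# after a sender passes greylisting; <spamd-mywhite> is the SPF-derived list.
TABLES = {
    "spamd": load_table(["198.51.100.7"]),
    "spamd-white": load_table(["203.0.113.0/24"]),
    "spamd-mywhite": spf_networks(SPF_TXT),
}

# Rule order as posted: '!<spamd-white>' comes before '<spamd-mywhite>',
# so a host that is only in <spamd-mywhite> is caught by the negated rule.
AS_POSTED = [
    Rdr(False, "spamd", "spamd"),
    Rdr(True, "spamd-white", "spamd"),
    Rdr(False, "spamd-white", "smtp"),
    Rdr(False, "spamd-mywhite", "smtp"),
]

# Reordered as in the reply: <spamd-mywhite> before the negated rule.
REORDERED = [
    Rdr(False, "spamd", "spamd"),
    Rdr(False, "spamd-mywhite", "smtp"),
    Rdr(True, "spamd-white", "spamd"),
    Rdr(False, "spamd-white", "smtp"),
]


if __name__ == "__main__":
    # 72.14.220.153 and 209.85.218.176 are the addresses the poster tested
    # with 'pfctl -T test'; the other two are constructed.
    for src in ("72.14.220.153", "209.85.218.176", "203.0.113.9", "192.0.2.1"):
        print(f"{src:16} as posted -> {first_match(src, AS_POSTED, TABLES)}"
              f"  reordered -> {first_match(src, REORDERED, TABLES)}")
```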



Re: snmpd GET and GETNEXT against scalar OIDs

2009-02-12 Thread (private) HKS
On Thu, Feb 12, 2009 at 8:29 AM, Ariane van der Steldt ari...@stack.nl wrote:
 On Tue, Feb 03, 2009 at 05:20:28PM -0500, (private) HKS wrote:
 I made the following bug report on 2009-01-08, but didn't get a PR
 number back. Did I botch this report, or does the bugs@ address
 require hands-on that this report simply hasn't gotten yet?

 Thanks for the clarification.

 PR's are assigned to bugs made using the sendbug program.
 I notice PR/6071 looks similar to yours, maybe that's the one you're
 looking for?

 --
 Ariane


Thanks for the response. Stuart Henderson replied off the list and
pointed out that my formatting was broken. I resubmitted with sendbug
-P and it looks like it's going through the proper channels now.

-HKS



bnx(4) transmit slow

2009-02-12 Thread (private) HKS
OpenBSD 4.4 on a Dell Poweredge 2950.

When testing with FTP or a benchmarking app like iperf, bnx(4)
transmitting is much slower than receiving. I can replicate this with
multiple clients on different OSes and hardware platforms, but my
Poweredge 2850 running 4.4 with em(4) interfaces is unaffected.

I've tested this on three separate 2950s (each running 4.4) and all
exhibit the same behavior. Has anyone else run into this? Numbers/
config/dmesg are below.

-HKS



iperf (rx) is with the bnx host running iperf -s and my test box
running iperf -c 10.123.0.20. iperf (tx) is the inverse. FTP tests
were conducted by getting (rx) and putting (tx) a 376MB ISO file.

Numbers:
---
iperf (rx): 878 Mbits/sec
iperf (tx): 109 Mbits/sec
---
ftp (rx): 393969664 bytes received in 4.40 seconds (85.29 MB/s)
ftp (tx): 393969664 bytes sent in 25.43 seconds (14.78 MB/s)
---


ifconfig:
---
bnx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1e:c9:43:0e:d6
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 10.123.0.20 netmask 0xff00 broadcast 10.123.0.255
inet6 fe80::21e:c9ff:fe43:ed6%bnx0 prefixlen 64 scopeid 0x4
---


netstat -nI bnx0:
---
Name  Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bnx0  1500  <Link>      00:1e:c9:43:0e:d6 39134263     0 24382795     0     0
bnx0  1500  10.123.0/24 10.123.0.20       39134263     0 24382795     0     0
bnx0  1500  fe80::%bnx0 fe80::21e:c9ff:fe 39134263     0 24382795     0     0
---


sysctl variables:
---
kern.maxclusters=131072
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536
---






Dmesg:
---

snmpd GET and GETNEXT against scalar OIDs

2009-02-03 Thread (private) HKS
I made the following bug report on 2009-01-08, but didn't get a PR
number back. Did I botch this report, or does the bugs@ address
require hands-on that this report simply hasn't gotten yet?

Thanks for the clarification.

-HKS

On Thu, Jan 8, 2009 at 3:52 PM, (private) HKS hks.priv...@gmail.com wrote:
 snmpd on OpenBSD 4.4 Stable, i386 architecture.

 This bug was found by the OpenNMS team [1]. They've invited you to
 contact them for more details if I'm unable to provide enough info. The
 snmpget and snmpgetnext commands used in the examples below are from the
 Net SNMP 5.4.2.1 package on FreeBSD 7.

 Essentially, snmpd seems to regard OIDs without an instance identifier
 as equivalent to OIDs with an instance identifier of 0.

 SNMP GET requests against a scalar OID with no instance identifier
 result in the agent apparently interpolating the .0 instance identifier:

 # snmpget -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.2
 .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1


 The expected behavior (RFC 1157, 4.1.2, rule 1) is a noSuchName error
 since .1.3.6.1.2.1.1.2 has no exact match.

 In a similar vein, GETNEXT requests against a single-instance scalar
 OID without an instance identifier return the next OID as if the .0
 identifier were originally requested. An example of OpenBSD's behavior:

 # snmpgetnext -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.1
 .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1
 # snmpgetnext -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.1.0
 .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1


 Lexically, however, .1.3.6.1.2.1.1.1 is followed by .1.3.6.1.2.1.1.1.0,
 not .1.3.6.1.2.1.1.2.0. So the first request should have returned
 .1.3.6.1.2.1.1.1.0. The second was correct.

 An example of Net SNMP's lexically correct response:

 # snmpgetnext -On -v1 -c public netsnmp-host .1.3.6.1.2.1.1.1
 .1.3.6.1.2.1.1.1.0 = STRING: FreeBSD netsnmp-host 7.0-RELEASE FreeBSD
 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
 r...@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
 # snmpgetnext -On -v1 -c public netsnmp-host .1.3.6.1.2.1.1.1.0
 .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.8072.3.2.8


 I hope that's clear. Please let me know if I can provide any further
 information.

 -HKS


 [1] - http://bugzilla.opennms.org/show_bug.cgi?id=2962

 dmesg follows:
 --

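The lexicographic GET/GETNEXT semantics the bug report above appeals to, as an added example that is not part of the report or of snmpd: a tiny agent-side lookup in Python over a constructed system-group MIB, implementing RFC 1157's exact-match GET and strictly-greater GETNEXT so the two requests from the report return what the report says they should. The sysDescr and sysUpTime values are constructed; the sysObjectID is the one quoted in the report.

```python
from bisect import bisect_right

# Constructed mini MIB of system-group scalars.  OID tuples map to the
# rendered value a GET would return; values are illustrative only.
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "STRING: OpenBSD openbsd-host 4.4 (constructed)",
    (1, 3, 6, 1, 2, 1, 1, 2, 0): "OID: .1.3.6.1.4.1.30155.23.1",
    (1, 3, 6, 1, 2, 1, 1, 3, 0): "Timeticks: (12345) 0:02:03.45",
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "STRING: openbsd-host",
}

# Lexicographic OID order is exactly Python's tuple order: compare
# sub-identifiers left to right, and a proper prefix sorts before every
# OID that extends it, so .1.1 < .1.1.0 < .1.2.0.
SORTED = sorted(MIB)


class NoSuchName(Exception):
    """The SNMPv1 noSuchName error-status."""


def parse_oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))


def fmt_oid(oid):
    return "." + ".".join(str(x) for x in oid)


def snmp_get(oid_text):
    """GET (RFC 1157 4.1.2, rule 1): only an exact match is a hit.
    A scalar requested without its .0 instance is a noSuchName, not a
    silent rewrite to the .0 instance."""
    oid = parse_oid(oid_text)
    if oid not in MIB:
        raise NoSuchName(fmt_oid(oid))
    return fmt_oid(oid), MIB[oid]


def snmp_getnext(oid_text):
    """GETNEXT: the first instance lexicographically greater than the
    request.  For .1.3.6.1.2.1.1.1 that is .1.3.6.1.2.1.1.1.0 itself,
    because the bare scalar OID is a proper prefix of its instance."""
    oid = parse_oid(oid_text)
    i = bisect_right(SORTED, oid)   # index of first element > oid
    if i == len(SORTED):
        raise NoSuchName(fmt_oid(oid))  # walked off the end of the view
    nxt = SORTED[i]
    return fmt_oid(nxt), MIB[nxt]


if __name__ == "__main__":
    for req in (".1.3.6.1.2.1.1.1", ".1.3.6.1.2.1.1.1.0", ".1.3.6.1.2.1.1.2.0"):
        print("GETNEXT", req, "->", *snmp_getnext(req))
    try:
        snmp_get(".1.3.6.1.2.1.1.2")
    except NoSuchName as e:
        print("GET", e, "-> noSuchName")
```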
Re: Backup strategies

2009-02-01 Thread (private) HKS
On Sat, Jan 31, 2009 at 6:17 PM, Jason Dixon ja...@dixongroup.net wrote:
 There have been plenty of comments about distributed rcs systems.  I
 have no complaints there at all, but I wanted to mention Bacula as a
 solid backup software option.  We use it for our production needs in the
 office and colocation facility and I use it at home for my personal
 stuff.  Works very well and Mike Erdely has done an excellent job with
 the port (sysutils/bacula).

 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net/



I can (vehemently) second the Bacula recommendation for traditional
archive-style backups.

My reading of the OP's requirements seemed more along the lines of
managing edits of the same files on multiple machines, with the
possibility of rolling back to an older version if necessary. If I
misread this and he's looking more for data preservation, I know of no
more intuitive, self-managed, flexible backup system than Bacula.

-HKS



Re: OSPFD carp interface flapping

2009-01-31 Thread (private) HKS
On Fri, Jan 30, 2009 at 10:25 PM,  askthel...@gmail.com wrote:
 OpenBSD 4.3 --release

 On our backup firewall:

 Jan 30 17:55:47 lynn ospfd[3389]: interface carp0 up
 Jan 30 17:55:47 lynn ospfd[3389]: interface carp0 down

 This is corresponding with an event on our ACTIVE host which is problematic
 to our VPN traffic
 Jan 30 17:55:47 susan sasyncd[31016]: net_ctl: got bad state MASTER from
 peer x.x.x.x

 # ospfctl show int (on backup host)
 Interface   Address          State  HelloTimer Linkstate  Uptime    nc  ac
 carp0       x.x.x.x.254/21   DOWN   7101w3d0   backup     00:00:00   0   0
 em0         y.y.y.141/30     BCKUP  00:00:01   active     20w3d21h   1   1
 em1         z.z.z.92/28      OTHER  00:00:01   active     20w3d21h   3   2

 # ospfctl show int (on active host)
 Interface   Address          State  HelloTimer Linkstate  Uptime    nc  ac
 carp0       x.x.x.254/21     DOWN   7101w3d0   master     00:00:00   0   0
 em0         y.y.y.142/30     DR     00:00:07   active     20w3d21h   1   1
 em1         z.z.z.93/28      BCKUP  00:00:00   active     21w0d19h   3   3


 Seems the carp0 interface on one of our firewalls that is in a BACKUP mode
 is regularly flapping. This just began happening within the last week or so
 and has become a reoccurring issue the past few days. Nothing's been
 unplugged or reconfigured in months. Is this a bug, misconfiguration,
 failing switch, bad cable?

Probably. With a dmesg and ifconfigs, someone might be able to narrow
it down a bit.

-HKS



Re: Backup strategies

2009-01-31 Thread (private) HKS
On Sat, Jan 31, 2009 at 1:36 AM, Predrag Punosevac
punoseva...@gmail.com wrote:
 Dear All,

 I am seeking advice about backup strategies and the possible use
 of CVS to accomplish this task.

 I happen to use 4-5 different computers on a daily basis for my work.
 I use my laptop, desktop, and a file server at work as well as my personal
 desktop and my wife's laptop at home. It is of paramount importance for
 me that my files are in sync on all 5 computers, for two reasons. I want
 to always start working with the latest and most up to date version of
 the files regardless of the computer which I am using. Secondly, if a HDD
 dies on one or even three-four computers at the same moment in time I
 will still have a backup copy to recover the work.

 Up until now I have used a combination of tar, rarely dd, and my
 home-brewed scripts to accomplish the above task. I would always start
 work by running the script which would pull the tar files either from
 the file server or USB drive and untar them on my computer. After I
 finish work I would run the script to tar the specific directory I was
 working on and push them back to the file server and a USB drive.

 However, it did happen to me that I forgot to run the script once or
 twice in the past, which caused me a great deal of frustration. Suddenly,
 I would have two different versions of the same file at two different
 computers and maybe a third older version on my file server. It also
 happened to me in the past that I modified the files and realized that
 the modification sucked but I could not recover the specific older
 version of a particular file. I do periodically burn DVDs with my entire
 home directory, date them and keep them on the shelf.

 Are there any advantages of using CVS over my present method, or am I
 just hallucinating? It looks to me that CVS could help me utilize a
 pull+push strategy for backing up the files but would give me an
 advantage over tar and dd by allowing me incremental updates as well as
 keeping past snapshots of my work.

 I have seen a thread about 2-3 months ago on misc in which there was a
 similar question by an OpenBSD user who wanted to keep his /etc on his
 firewall machines up to date as well as back up configuration files in
 the case of disaster by CVS.

 I am open to any suggestions but I do have a strong preference for the
 tools from the base of the system. I noticed a couple of ports with poor
 man's tools for accomplishing the above tasks.

 Thanks,
 Predrag




Mercurial would suit you nicely. It's distributed version control, so
you don't have to pull down the whole damn repository every time, it's
got a solid merge engine, and you can revert to versions pretty
easily. Simply clone the central repository onto each individual box,
and at the beginning of work run an update. At the end, commit and
push your changes back to the central server.

-HKS



Re: Backup strategies

2009-01-31 Thread (private) HKS
On Sat, Jan 31, 2009 at 2:21 PM,  punoseva...@gmail.com wrote:
 @-HKS
 Point taken about mercurial. I will experiment with it. How good
 is it with occasional image files? It is definitely a big plus that I can
 look at changes I made either in papers I am writing or grades (.csv) of
 my students.


It handles images just fine. I don't think it can store images by diff
(might be wrong, it does that with plenty of other filetypes), but it
certainly doesn't choke on them.

-HKS



Re: ftp-proxy on a nat firewall

2009-01-30 Thread (private) HKS
On Fri, Jan 30, 2009 at 5:41 AM, Camiel Dobbelaar c...@sentia.nl wrote:
 (private) HKS wrote:
 On Fri, Jan 23, 2009 at 3:06 PM, (private) HKS hks.priv...@gmail.com wrote:
 On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley
 daniel.rama...@drake.edu wrote:
 I've gotten a couple of off-list replies with suggestions to try. I
 greatly appreciate any ideas, but still have not had any luck so far.
 I've trimmed my ruleset and adjusted some of it to be more permissive.
 Any ideas as to why ftp-proxy still doesn't work?



 ext_if = vr0
 int_if = fxp0

 icmp_types = { echoreq, unreach }

 # options
 set block-policy return
 set loginterface $ext_if
 set skip on lo

 # packet hygiene
 scrub in all fragment reassemble

 # nat
 nat on $ext_if from !($ext_if) -> ($ext_if)
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

 # filter rules
 #block in all
 #block quick inet6 all
 anchor "ftp-proxy/*"
 pass out keep state

 pass out quick proto tcp from lo to any port ftp

 pass in inet proto icmp all icmp-type $icmp_types keep state
 #pass from !($ext_if) to any keep state
 pass from any to any keep state

 Running ftp-proxy with the args -r -d -D 6, can you do a packet
 capture when you run ls? You'll want to find all packets that involve
 the internal host, and all packets that involve your external
 destination, so you'll probably need to do two separate captures. This
 should at least give an idea of what's breaking.



 Something is definitely amiss. Does anybody have a working
 nat/ftp-proxy setup with 4.4? If so, can you post your rules and
 ftp-proxy flags?

 My 4.3 router is working fine, but when I try this on 4.4 I get some
 very weird behavior. The anchor rules and such are all inserted
 correctly and ftp-proxy -vv logs the following (munged for clarity)
 repeatedly until I kill the connection or it times out:

 11:42:32.540840 rule 331.19328.1.0/(match) pass in on $ext_if:
 $server.20 > $client_private.1830: S 67547520:67547520(0) win 16384
 mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp] (DF)
 11:42:32.540892 rule 331.19328.1.1/(match) pass out on $int_if:
 $server.20 > $client_private.1830: S 67547520:67547520(0) win 16384
 mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp] (DF)
 11:42:32.540911 rule 331/(match) pass out on $ext_if: $ext_ip >
 $server: icmp: host $ext_ip unreachable


 The second log entry refers to traffic that was supposedly passed, but
 my packet sniffer on $int_if never saw it (I tested with tcpdump
 filters 'host $client_private' and 'host $server'). The anchor
 information is in there:

 # pfctl -a ftp-proxy/19328.1 -s rules
 pass in log (all) quick inet proto tcp from $server to $client_private
 port = 1830 flags S/SA keep state (max 1) rtable 0
 pass out log (all) quick inet proto tcp from $server to
 $client_private port = 1830 flags S/SA keep state (max 1) rtable 0
 # pfctl -a ftp-proxy/19328.1 -s nat
 nat inet proto tcp from $server to $client_private port = 1830 rtable
 0 -> 129.128.5.191 port 20
 rdr inet proto tcp from $server to $ext_ip port = 63607 rtable 0 ->
 10.2.0.13 port 1830


 The only block in pf.conf is a block all at the top. Aside from a
 bunch of other pass statements, it looks very similar to what Daniel
 posted before.

 Running ftp-proxy with: ftp-proxy -r -dvvD 7

 Can anyone else replicate this?

 Yes, I can reproduce it.  It looks like '-r' is the culprit.

 That's an option I would not recommend anyway, except if you have hosts
 that really need it.  Can you try again without -r ?

 Very little changed in ftp-proxy itself between 4.3 and 4.4 so I suspect
 the substantial changes in pf itself may have caused this to break.

 --
 Cam


Without -r things work just fine, but the shittiest ftp client I have
to test this is Windows 2003's native. What clients are known to
require the -r flag?

-HKS



Re: ftp-proxy on a nat firewall

2009-01-30 Thread (private) HKS
On Fri, Jan 30, 2009 at 10:47 AM, Camiel Dobbelaar c...@sentia.nl wrote:
 (private) HKS wrote:
 Without -r things work just fine, but the shittiest ftp client I have
 to test this is Windows 2003's native. What clients are known to
 require the -r flag?

 I think I implemented -r for someone with an old VMS system.

 Most FTP clients work fine, don't use -r unless you're sure you need it.

 Is there some documentation floating on the web that suggests -r?  I
 think the manpage pretty much discourages usage:

 -r  Rewrite sourceport to 20 in active mode to suit ancient clients
 that insist on this RFC property.

 --
 Cam


It's an attempt to preempt needless support calls for customers
running some terribly outdated FTP client.

-HKS



Re: ftp-proxy on a nat firewall

2009-01-29 Thread (private) HKS
On Fri, Jan 23, 2009 at 3:06 PM, (private) HKS hks.priv...@gmail.com wrote:
 On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley
 daniel.rama...@drake.edu wrote:
 I've gotten a couple of off-list replies with suggestions to try. I
 greatly appreciate any ideas, but still have not had any luck so far.
 I've trimmed my ruleset and adjusted some of it to be more permissive.
 Any ideas as to why ftp-proxy still doesn't work?



 ext_if = vr0
 int_if = fxp0

 icmp_types = { echoreq, unreach }

 # options
 set block-policy return
 set loginterface $ext_if
 set skip on lo

 # packet hygiene
 scrub in all fragment reassemble

 # nat
 nat on $ext_if from !($ext_if) -> ($ext_if)
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

 # filter rules
 #block in all
 #block quick inet6 all
 anchor "ftp-proxy/*"
 pass out keep state

 pass out quick proto tcp from lo to any port ftp

 pass in inet proto icmp all icmp-type $icmp_types keep state
 #pass from !($ext_if) to any keep state
 pass from any to any keep state


 Running ftp-proxy with the args -r -d -D 6, can you do a packet
 capture when you run ls? You'll want to find all packets that involve
 the internal host, and all packets that involve your external
 destination, so you'll probably need to do two separate captures. This
 should at least give an idea of what's breaking.



Something is definitely amiss. Does anybody have a working
nat/ftp-proxy setup with 4.4? If so, can you post your rules and
ftp-proxy flags?

My 4.3 router is working fine, but when I try this on 4.4 I get some
very weird behavior. The anchor rules and such are all inserted
correctly and ftp-proxy -vv logs the following (munged for clarity)
repeatedly until I kill the connection or it times out:

11:42:32.540840 rule 331.19328.1.0/(match) pass in on $ext_if:
$server.20 > $client_private.1830: S 67547520:67547520(0) win 16384
mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp] (DF)
11:42:32.540892 rule 331.19328.1.1/(match) pass out on $int_if:
$server.20 > $client_private.1830: S 67547520:67547520(0) win 16384
mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp] (DF)
11:42:32.540911 rule 331/(match) pass out on $ext_if: $ext_ip >
$server: icmp: host $ext_ip unreachable


The second log entry refers to traffic that was supposedly passed, but
my packet sniffer on $int_if never saw it (I tested with tcpdump
filters 'host $client_private' and 'host $server'). The anchor
information is in there:

# pfctl -a ftp-proxy/19328.1 -s rules
pass in log (all) quick inet proto tcp from $server to $client_private
port = 1830 flags S/SA keep state (max 1) rtable 0
pass out log (all) quick inet proto tcp from $server to
$client_private port = 1830 flags S/SA keep state (max 1) rtable 0
# pfctl -a ftp-proxy/19328.1 -s nat
nat inet proto tcp from $server to $client_private port = 1830 rtable
0 -> 129.128.5.191 port 20
rdr inet proto tcp from $server to $ext_ip port = 63607 rtable 0 ->
10.2.0.13 port 1830


The only block in pf.conf is a block all at the top. Aside from a
bunch of other pass statements, it looks very similar to what Daniel
posted before.

Running ftp-proxy with: ftp-proxy -r -dvvD 7

Can anyone else replicate this?

-HKS



Re: Promiscuous interfaces forward multicast packets

2009-01-26 Thread (private) HKS
On Fri, Jan 23, 2009 at 6:37 PM, Stuart Henderson s...@spacehopper.org wrote:
 In gmane.os.openbsd.misc, you wrote:
 Is this expected behavior? Should promiscuous mode affect the
 forwarding of multicast packets?

 it should not.

 please open a PR to make sure the right people see it,
 not everyone reads m...@.



Thanks for the answer. I've sent the bug report to b...@openbsd.org.

-HKS



Re: ftp-proxy on a nat firewall

2009-01-23 Thread (private) HKS
On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley
daniel.rama...@drake.edu wrote:
 I've gotten a couple of off-list replies with suggestions to try. I
 greatly appreciate any ideas, but still have not had any luck so far.
 I've trimmed my ruleset and adjusted some of it to be more permissive.
 Any ideas as to why ftp-proxy still doesn't work?



 ext_if = vr0
 int_if = fxp0

 icmp_types = { echoreq, unreach }

 # options
 set block-policy return
 set loginterface $ext_if
 set skip on lo

 # packet hygiene
 scrub in all fragment reassemble

 # nat
 nat on $ext_if from !($ext_if) -> ($ext_if)
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

 # filter rules
 #block in all
 #block quick inet6 all
 anchor "ftp-proxy/*"
 pass out keep state

 pass out quick proto tcp from lo to any port ftp

 pass in inet proto icmp all icmp-type $icmp_types keep state
 #pass from !($ext_if) to any keep state
 pass from any to any keep state


Running ftp-proxy with the args -r -d -D 6, can you do a packet
capture when you run ls? You'll want to find all packets that involve
the internal host, and all packets that involve your external
destination, so you'll probably need to do two separate captures. This
should at least give an idea of what's breaking.

-HKS



Promiscuous interfaces forward multicast packets

2009-01-23 Thread (private) HKS
The short version:
--
When an interface is put into promiscuous mode, inbound multicast
traffic is forwarded according to the host's routing table regardless
of net.inet.ip.mforwarding.


Details:
--
gw1 has vr0 (external) and vr1 (internal)
gw2 has em0 (external) and em1 (internal)

vr0 and em0 plug into a switch, which plugs into my provider

vr1 and em1 plug into my internal switch.

vr0 has carp1 running on top of it. em0 does not. The other interfaces
do not have carp (yet).

gw2 is new, and has a default route to my ISP. It does not have routes
for all my internal networks. Some of those networks have a lot of
multicast traffic. I placed em1 into promiscuous mode via tcpdump and
crashed gw1. After testing for a while, I found that the machine was
getting overwhelmed by cascading multicasts. Basically, it would fire
a multicast out of vr1. em1 would catch it, but did not have a route
to the destination IP. The multicast was forwarded out em0. vr0
catches it, and because it's in promiscuous mode, forwards it out vr1,
feeding the loop. To give you an idea of scale, gw2 forwarded 107k
multicast packets out em0 in the space of 15 seconds.

Both machines have net.inet.ip.mforwarding set to 0 and
net.inet.ip.forwarding set to 1. If I set net.inet.ip.forwarding to 0,
the problem disappears. Likewise, if I blackhole all multicast traffic
in question on gw2, things are fine.

Is this expected behavior? Should promiscuous mode affect the
forwarding of multicast packets?

Thanks for the help.

-HKS



gw1 is a Soekris 5501 running 4.3
gw2 is a Dell Poweredge 2850 running 4.4

dmesg for gw2 follows. Let me know if you want dmesg for gw1.


Large disks on 4.4

2008-12-11 Thread (private) HKS
I recently built out an OpenBSD backup server on a Dell 2950
with a 2.7TB RAID array, and I ran into some trouble with fdisk
recognizing my disk. The geometries it reported were worth
about 750GB. Attempting to change CHS geometry led to out
of bounds errors. I did not mess with sector-only settings - I
ran through the installation, as it was, leaving my huge partitions
out. Once the machine was built, I used disklabel's b
command to change the disk boundaries to the whole disk.

Things are working just fine now, but is fdisk partitioning with
sectors the Right way to do this?

-HKS


OpenBSD 4.4-stable (GENERIC) #0: Wed Nov 19 12:00:19 EST 2008
r...@backup.local:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU 5110 @ 1.60GHz (GenuineIntel 686-class) 1.60 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR
real mem  = 2142142464 (2042MB)
avail mem = 2062938112 (1967MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/05/08, BIOS32 rev. 0 @
0xffe90, SMBIOS rev. 2.5 @ 0x7fb9c000 (66 entries)
bios0: vendor Dell Inc. version 2.2.6 date 02/05/2008
bios0: Dell Inc. PowerEdge 2950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX2)
acpiprt2 at acpi0: bus 5 (UPST)
acpiprt3 at acpi0: bus 6 (DWN1)
acpiprt4 at acpi0: bus 8 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 0 (PE2P)
acpiprt7 at acpi0: bus 10 (PEX4)
acpiprt8 at acpi0: bus 12 (PEX6)
acpiprt9 at acpi0: bus 2 (SBEX)
acpiprt10 at acpi0: bus 14 (COMP)
acpicpu0 at acpi0: C3
bios0: ROM list: 0xc/0x9000! 0xc9000/0x1000 0xca000/0x1e00
0xcc000/0x5e00 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 5000X Host rev 0x12
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0x12
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 5
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 6
ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci4 at ppb3 bus 7
bnx0 at pci4 dev 0 function 0 Broadcom BCM5708 rev 0x12: irq 5
ppb4 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01: irq 5
pci5 at ppb4 bus 8
ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci6 at ppb5 bus 9
ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0x12
pci7 at ppb6 bus 1
mfi0 at pci7 dev 0 function 0 Symbios Logic SAS1078 rev 0x04: irq 5,
Dell PERC 6/i integrated
mfi0: logical drives 1, version 6.0.1-0080, 256MB RAM
scsibus0 at mfi0: 1 targets, initiator 64
sd0 at scsibus0 targ 0 lun 0: DELL, PERC 6/i, 1.11 SCSI3 0/direct fixed
sd0: 2859520MB, 44942 cyl, 511 head, 255 sec, 512 bytes/sec,
5856296960 sec total
ppb7 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0x12
pci8 at ppb7 bus 10
ppb8 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0x12
pci9 at ppb8 bus 11
ppb9 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0x12
pci10 at ppb9 bus 12
ppb10 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0x12
pci11 at ppb10 bus 13
pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0x12
pchb2 at pci0 dev 16 function 1 Intel 5000 Error Reporting rev 0x12
pchb3 at pci0 dev 16 function 2 Intel 5000 Error Reporting rev 0x12
pchb4 at pci0 dev 17 function 0 Intel 5000 Reserved rev 0x12
pchb5 at pci0 dev 19 function 0 Intel 5000 Reserved rev 0x12
pchb6 at pci0 dev 21 function 0 Intel 5000 FBD rev 0x12
pchb7 at pci0 dev 22 function 0 Intel 5000 FBD rev 0x12
ppb11 at pci0 dev 28 function 0 Intel 6321ESB PCIE rev 0x09
pci12 at ppb11 bus 2
ppb12 at pci12 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci13 at ppb12 bus 3
bnx1 at pci13 dev 0 function 0 Broadcom BCM5708 rev 0x12: irq 5
uhci0 at pci0 dev 29 function 0 Intel 6321ESB USB rev 0x09: irq 11
uhci1 at pci0 dev 29 function 1 Intel 6321ESB USB rev 0x09: irq 10
uhci2 at pci0 dev 29 function 2 Intel 6321ESB USB rev 0x09: irq 11
uhci3 at pci0 dev 29 function 3 Intel 6321ESB USB rev 0x09: irq 10
ehci0 at pci0 dev 29 function 7 Intel 6321ESB USB rev 0x09: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb13 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xd9
pci14 at ppb13 bus 14
vga1 at pci14 dev 13 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
ichpcib0 at pci0 dev 31 function 0 Intel 6321ESB LPC rev 0x09: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 6321ESB IDE rev 0x09: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets, 

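An added check, not part of the post above: the MBR partition table that fdisk writes stores a partition's start and size as 32-bit sector counts, so it cannot describe more than 2^32 sectors of a disk. Fed the sd0 figures from the dmesg above, the count left after the bits above 2^32 fall away comes out near the "about 750GB" the post reports; this is offered as one explanation consistent with those numbers, not as a description of fdisk's internals.

```python
"""Check the 2.7TB disk's dmesg figures against the MBR's 32-bit sector fields."""
SECTOR = 512                       # "512 bytes/sec" in the dmesg
MBR_MAX_SECTORS = 2 ** 32          # MBR start/size fields are 32-bit LBAs

# From the sd0 line of the dmesg: 2859520MB, 44942 cyl, 511 head, 255 sec,
# 5856296960 sec total
SD0_SECTORS = 5856296960
SD0_CYL, SD0_HEAD, SD0_SEC = 44942, 511, 255


def mib(sectors):
    """Whole mebibytes, the unit the dmesg prints as MB."""
    return sectors * SECTOR // 2 ** 20


def gib(sectors):
    """Gibibytes as a float, for the human-readable comparison."""
    return sectors * SECTOR / 2 ** 30


def chs_sectors(cyl, head, sec):
    """Sectors a C/H/S geometry addresses; it rounds down to whole cylinders."""
    return cyl * head * sec


def fits_in_mbr(sectors):
    """True when every sector of the disk is addressable from an MBR entry."""
    return sectors <= MBR_MAX_SECTORS


def mbr_wrapped(sectors):
    """What survives of the sector count once the bits above 2^32 are lost."""
    return sectors % MBR_MAX_SECTORS


if __name__ == "__main__":
    print(f"sd0: {mib(SD0_SECTORS)}MB, CHS covers "
          f"{chs_sectors(SD0_CYL, SD0_HEAD, SD0_SEC)} of {SD0_SECTORS} sectors")
    print(f"fits in MBR: {fits_in_mbr(SD0_SECTORS)}; a 32-bit view keeps "
          f"{gib(mbr_wrapped(SD0_SECTORS)):.1f} GiB")
```
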
Re: Logging interface state changes

2008-11-25 Thread (private) HKS
On Fri, Nov 21, 2008 at 7:28 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008-11-21, (private) HKS [EMAIL PROTECTED] wrote:
 My current solution is an incredibly awkward ifstated.conf (pasted below).

 it's still a hack, but a little less awkward to run ospfd
 with all the interfaces set as passive which just happens to
 log this information..



Thanks for the recommendation, I'll look into that.

-HKS



Re: Logging interface state changes

2008-11-25 Thread (private) HKS
For anyone following this for their own purposes, the ifstated
solution does not work. I was able to get it to log a few times in a
VM environment, but on a live system neither manually bringing an
interface up/down nor plugging/unplugging the ethernet cable is even
noticed by ifstated (running -dvv). If I'm doing something wrong,
please point it out to me.

Next, I'll be toying with Stuart's suggestion of using ospfd with all
interfaces set to passive.

-HKS

On Fri, Nov 21, 2008 at 5:26 PM, (private) HKS [EMAIL PROTECTED] wrote:
 On Fri, Nov 21, 2008 at 5:18 PM, (private) HKS [EMAIL PROTECTED] wrote:
 route monitor ?

 --
  WBR,
Pereresus ne Vlezaet Buggy

 That's an interesting tool, but it's not what I'm looking for.

 My current solution is an incredibly awkward ifstated.conf (pasted below).

 Is this really the best way to do it? I have no idea what's involved
 with logging interface state changes, but it's something that any
 router, firewall, or server needs. PCs are debatable, but I prefer
 that mine log it. I'd like to file a feature request but before I do,
 is there something I'm missing here? Is there a specific reason it was
 decided to keep this functionality out of the OS?

 -HKS

 -
 ifstated.conf:
 -

 # global config
 init-state main
 vr0_up = "vr0.link.up"

 state main {
  init {
        run ""
  }

  if $vr0_up || ! $vr0_up {
logger ifstatus change. vr0 `ifconfig vr0 | grep status: | sed
 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed
 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed
 's/^[[:space:]]//'`, vr1 `ifconfig vr3 | grep status: | sed
 's/^[[:space:]]//'`
  }
 }


 Whoops, posted an ifstated.conf writeup that had incorrect syntax.
 Here's the correct version:

 init-state main
 vr0_up = "vr0.link.up"

 state main {
         init {
                 run ""
         }
         if $vr0_up || ! $vr0_up {
                 run "logger \"ifstatus change. vr0 `ifconfig vr0 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed 's/^[[:space:]]//'`, vr3 `ifconfig vr3 | grep status: | sed 's/^[[:space:]]//'`\""
         }
 }



Re: Logging interface state changes

2008-11-21 Thread (private) HKS
 route monitor ?

 --
  WBR,
Pereresus ne Vlezaet Buggy

That's an interesting tool, but it's not what I'm looking for.

My current solution is an incredibly awkward ifstated.conf (pasted below).

Is this really the best way to do it? I have no idea what's involved
with logging interface state changes, but it's something that any
router, firewall, or server needs. PCs are debatable, but I prefer
that mine log it. I'd like to file a feature request but before I do,
is there something I'm missing here? Is there a specific reason it was
decided to keep this functionality out of the OS?

-HKS

-
ifstated.conf:
-

# global config
init-state main
vr0_up = "vr0.link.up"

state main {
  init {
        run ""
  }

  if $vr0_up || ! $vr0_up {
logger ifstatus change. vr0 `ifconfig vr0 | grep status: | sed
's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed
's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed
's/^[[:space:]]//'`, vr1 `ifconfig vr3 | grep status: | sed
's/^[[:space:]]//'`
  }
}



Re: Logging interface state changes

2008-11-21 Thread (private) HKS
On Fri, Nov 21, 2008 at 5:18 PM, (private) HKS [EMAIL PROTECTED] wrote:
 route monitor ?

 --
  WBR,
Pereresus ne Vlezaet Buggy

 That's an interesting tool, but it's not what I'm looking for.

 My current solution is an incredibly awkward ifstated.conf (pasted below).

 Is this really the best way to do it? I have no idea what's involved
 with logging interface state changes, but it's something that any
 router, firewall, or server needs. PCs are debatable, but I prefer
 that mine log it. I'd like to file a feature request but before I do,
 is there something I'm missing here? Is there a specific reason it was
 decided to keep this functionality out of the OS?

 -HKS

 -
 ifstated.conf:
 -

 # global config
 init-state main
 vr0_up = "vr0.link.up"

 state main {
  init {
        run ""
  }

  if $vr0_up || ! $vr0_up {
logger ifstatus change. vr0 `ifconfig vr0 | grep status: | sed
 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed
 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed
 's/^[[:space:]]//'`, vr1 `ifconfig vr3 | grep status: | sed
 's/^[[:space:]]//'`
  }
 }


Whoops, posted an ifstated.conf writeup that had incorrect syntax.
Here's the correct version:

init-state main
vr0_up = "vr0.link.up"

state main {
        init {
                run ""
        }
        if $vr0_up || ! $vr0_up {
                run "logger \"ifstatus change. vr0 `ifconfig vr0 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed 's/^[[:space:]]//'`, vr3 `ifconfig vr3 | grep status: | sed 's/^[[:space:]]//'`\""
        }
}
```

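Following the `route monitor` suggestion earlier in this thread, and aimed at the two things the original question asks for (a log line per link change, and catching an interface that flaps, without a per-interface config), here is an added example; it is not from the thread and not OpenBSD code. It assumes RTM_IFINFO lines of the shape `RTM_IFINFO: iface status change: len 176, if# 1, name: vr0, link: down, flags:<...>` preceded by route(8)'s `got message of size N on <date>` line, reads only the `if#`, optional `name:` and `link:` fields, and the sample messages are constructed.

```python
"""Log real link-state changes, and flapping, from `route monitor` output."""
import calendar
import re
import time
from collections import defaultdict, deque

# Constructed sample of route(8) monitor output; the RTM_IFINFO layout is an
# assumption (see lead-in), and only the if#, name: and link: fields are read.
SAMPLE = """\
got message of size 176 on Fri Nov 21 17:28:00 2008
RTM_IFINFO: iface status change: len 176, if# 1, name: vr0, link: down, flags:<UP,BROADCAST,SIMPLEX,MULTICAST>
got message of size 176 on Fri Nov 21 17:28:01 2008
RTM_IFINFO: iface status change: len 176, if# 1, name: vr0, link: down, flags:<UP,BROADCAST,SIMPLEX,MULTICAST>
got message of size 176 on Fri Nov 21 17:28:03 2008
RTM_IFINFO: iface status change: len 176, if# 1, name: vr0, link: up, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
got message of size 176 on Fri Nov 21 17:28:04 2008
RTM_IFINFO: iface status change: len 176, if# 2, name: vr1, link: up, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
got message of size 176 on Fri Nov 21 17:28:05 2008
RTM_IFINFO: iface status change: len 176, if# 1, name: vr0, link: down, flags:<UP,BROADCAST,SIMPLEX,MULTICAST>
got message of size 176 on Fri Nov 21 17:28:06 2008
RTM_IFINFO: iface status change: len 176, if# 1, name: vr0, link: up, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
"""

TIME_RE = re.compile(r"got message of size \d+ on (?P<when>.+)$")
IFINFO_RE = re.compile(
    r"RTM_IFINFO: .*?if# (?P<index>\d+),(?: name: (?P<name>\S+),)?.*?link: (?P<link>\w+)")


class LinkWatcher:
    """Per-interface link state with a sliding window for flap detection."""

    def __init__(self, flap_threshold=3, flap_window=10):
        self.link = {}                      # iface -> last link state seen
        self.changes = defaultdict(deque)   # iface -> epoch times of real transitions
        self.flap_threshold = flap_threshold
        self.flap_window = flap_window      # seconds
        self._when = 0                      # timestamp of the message being read

    def feed(self, line):
        """Consume one line of monitor output; return the log lines it yields."""
        m = TIME_RE.search(line)
        if m:
            self._when = calendar.timegm(
                time.strptime(m["when"], "%a %b %d %H:%M:%S %Y"))
            return []
        m = IFINFO_RE.search(line)
        if not m:
            return []                       # RTM_NEWADDR, RTM_ADD, ... are not link events
        iface = m["name"] or "if#" + m["index"]
        new, old = m["link"], self.link.get(iface)
        self.link[iface] = new
        if old is None:
            return [f"{iface}: link {new} (first seen)"]
        if old == new:
            return []                       # RTM_IFINFO for a flag or MTU change, not the link
        out = [f"{iface}: link {old} -> {new}"]
        hist = self.changes[iface]
        hist.append(self._when)
        while hist and self._when - hist[0] > self.flap_window:
            hist.popleft()
        if len(hist) >= self.flap_threshold:
            out.append(f"{iface}: FLAPPING, {len(hist)} link changes in {self.flap_window}s")
        return out


def process(text, **kwargs):
    """Run a LinkWatcher over captured monitor output and return all log lines."""
    watcher = LinkWatcher(**kwargs)
    lines = []
    for line in text.splitlines():
        lines.extend(watcher.feed(line))
    return lines


if __name__ == "__main__":
    # On a live box, read `route monitor` from sys.stdin line by line instead
    # of SAMPLE and hand each message to logger(1).
    for msg in process(SAMPLE):
        print(msg)
```
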


Logging interface state changes

2008-11-17 Thread (private) HKS
My apologies if this has already been addressed, but I couldn't find
it in the man pages or mailing list archives.

Is there a way to enable logging of network interface state changes on
OpenBSD 4.3 or 4.4? This is mostly for forensic purposes - obviously
I'll know if my firewall loses its ethernet connection, but if
something starts flapping I'd like to be able to see it in my logs
rather than trying to catch it in the act.

My hosts are using mostly vic and vr drivers, and neither seems to
care whether the debug option is enabled.

Thanks for the help. dmesg for one of my Soekris (vr) boxes below.

-HKS



OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD
586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 536440832 (511MB)
avail mem = 510664704 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x31
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
address 00:00:24:ca:3f:58
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 VIA VT6105M RhineIII rev 0x96: irq 5,
address 00:00:24:ca:3f:59
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 VIA VT6105M RhineIII rev 0x96: irq 9,
address 00:00:24:ca:3f:5a
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 12,
address 00:00:24:ca:3f:5b
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 AMD CS5536 ISA rev 0x03: rev 0,
32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 AMD CS5536 IDE rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFH-2048
wd0: 4-sector PIO, LBA, 1953MB, 4001760 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 AMD CS5536 USB rev 0x02: irq 15,
version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 AMD CS5536 USB rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
biomask e5c5 netmask ffe5 ttymask ffe7
mtrr: K6-family MTRR support (2 registers)
softraid0 at root
root on wd0a swap on wd0b dump on wd0b



Re: Logging interface state changes

2008-11-17 Thread (private) HKS
On Mon, Nov 17, 2008 at 12:49 PM, Daniel Melameth [EMAIL PROTECTED] wrote:
 On Mon, Nov 17, 2008 at 10:35 AM, (private) HKS [EMAIL PROTECTED] wrote:
 My apologies if this has already been addressed, but I couldn't find
 it in the man pages or mailing list archives.

 Is there a way to enable logging of network interface state changes on
 OpenBSD 4.3 or 4.4? This is mostly for forensic purposes - obviously
 I'll know if my firewall loses its ethernet connection, but if
 something starts flapping I'd like to be able to see it in my logs
 rather than trying to catch it in the act.

 man ifstated



Thanks for the reference, that is definitely capable of doing what I
want. Is there any way that I'm missing to enable logging with a
generic statement, rather than configuring each interface
individually? That will work, of course, but it's much less
maintainable.

-HKS



Re: openbsd fail2ban

2008-11-06 Thread (private) HKS
If you're just tired of the noise, consider moving SSH to a different
port. It provides no greater security but helps with some of the
annoyance.

-HKS

On Thu, Nov 6, 2008 at 2:34 PM, Joachim Schipper
[EMAIL PROTECTED] wrote:
 On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote:
 I have noticed that people constantly try to brute force sshd on my
 openbsd box, on my server I use fail2ban to prevent this and wondered if
 there is a similar solution for openbsd.

 Yes, but why would you want to do that? It doesn't help in any real
 sense - weak passwords are still weak and may still fall to a
 distributed attack. and strong passwords or keys are pretty much
 impossible to guess anyway.

 Meanwhile, it's at least a little complex, takes some time to set up,
 and has nasty failure modes.

Joachim



Possible bug in IPSec? (was Packets sent with wrong SPI)

2008-10-28 Thread (private) HKS
A briefer summary of the problem:

Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16
Router B has one interface: 10.123.0.48/24

When using manual IPSec keying with a single flow between 10.123.0.46
and 10.123.0.48, it works fine.

When I add a flow between 10.100.0.0/16 and 10.123.0.48, traffic from
10.123.0.46 to 10.123.0.48 is encoded with the wrong SPI. The reverse
direction is fine.

Config files and dmesg are below, in my original message.

This appears to be a bug, but what additional information can I
provide to help diagnose it? Can anyone else reproduce this?

-HKS



On Tue, Oct 21, 2008 at 3:13 PM, (private) HKS [EMAIL PROTECTED] wrote:
 OpenBSD 4.3.

 I'm trying to get a couple IPSec VPNs up and am running into
 increasingly bizarre behavior in my test environment. The current
 issue is that packets are being sent encoded with the wrong SPI.

 Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16.
 Router B has one interface: 10.123.0.48/24.

 I can get A and B encrypting traffic between 10.123.0.46 and
 10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16
 the SPIs start getting mixed up. Specifically, pings from 10.123.0.46
 (A) to 10.123.0.48 (B) use the wrong SPI. I am using manual keying to
 eliminate isakmpd as a source of other issues (that were probably my
 fault somehow). The keys are the defaults included in the ipsec.conf
 example since this is a test environment.

 Here is router A's ipsec.conf:
 --
 flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer
 10.123.0.48 type require
 esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001
 authkey 
 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

 flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
 esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001
 authkey 
 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
 --

 Output from router A's ipsecctl -sa looks like you would expect:
 --
 FLOWS:
 flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
 flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
 flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer
 10.123.0.48 type require
 flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer
 10.123.0.48 type require

 SAD:
 esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth
 hmac-sha2-256 enc aes
 esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth
 hmac-sha2-256 enc aes
 esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth
 hmac-sha2-256 enc aes
 esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth
 hmac-sha2-256 enc aes
 --

 Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and
 tcpdump -i enc0 shows this:
 --
 tcpdump: listening on enc0, link-type ENC
 09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
 09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
 09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
 09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
 --

 Which is clearly the wrong SPI. If I try to ping in the reverse
 direction, B sends its packets with the correct SPI while the replies
 are encoded for 0x00010004. Removing the subnet lines from ipsec.conf
 corrects this issue.

 Is this a bug in IPsec or something I'm doing wrong?

 Thanks for the help. dmesg follows.

 -HKS



Re: Packets sent with wrong SPI

2008-10-23 Thread (private) HKS
What other information can I provide on this?

-HKS

On Tue, Oct 21, 2008 at 3:13 PM, (private) HKS [EMAIL PROTECTED] wrote:
 OpenBSD 4.3.

 I'm trying to get a couple IPSec VPNs up and am running into
 increasingly bizarre behavior in my test environment. The current
 issue is that packets are being sent encoded with the wrong SPI.

 Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16.
 Router B has one interface: 10.123.0.48/24.

 I can get A and B encrypting traffic between 10.123.0.46 and
 10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16
 the SPIs start getting mixed up. Specifically, pings from 10.123.0.46
 (A) to 10.123.0.48 (B) use the wrong SPI. I am using manual keying to
 eliminate isakmpd as a source of other issues (that were probably my
 fault somehow). The keys are the defaults included in the ipsec.conf
 example since this is a test environment.

 Here is router A's ipsec.conf:
 --
 flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer
 10.123.0.48 type require
 esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001
 authkey 
 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

 flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
 esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001
 authkey 
 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
 --

 Output from router A's ipsecctl -sa looks like you would expect:
 --
 FLOWS:
 flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
 flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
 flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer
 10.123.0.48 type require
 flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer
 10.123.0.48 type require

 SAD:
 esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth
 hmac-sha2-256 enc aes
 esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth
 hmac-sha2-256 enc aes
 esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth
 hmac-sha2-256 enc aes
 esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth
 hmac-sha2-256 enc aes
 --

 Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and
 tcpdump -i enc0 shows this:
 --
 tcpdump: listening on enc0, link-type ENC
 09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
 09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
 09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
 09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
 --

 Which is clearly the wrong SPI. If I try to ping in the reverse
 direction, B sends its packets with the correct SPI while the replies
 are encoded for 0x00010004. Removing the subnet lines from ipsec.conf
 corrects this issue.

 Is this a bug in IPsec or something I'm doing wrong?

 Thanks for the help. dmesg follows.

 -HKS



Packets sent with wrong SPI

2008-10-21 Thread (private) HKS
OpenBSD 4.3.

I'm trying to get a couple IPSec VPNs up and am running into
increasingly bizarre behavior in my test environment. The current
issue is that packets are being sent encoded with the wrong SPI.

Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16.
Router B has one interface: 10.123.0.48/24.

I can get A and B encrypting traffic between 10.123.0.46 and
10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16
the SPIs start getting mixed up. Specifically, pings from 10.123.0.46
(A) to 10.123.0.48 (B) use the wrong SPI. I am using manual keying to
eliminate isakmpd as a source of other issues (that were probably my
fault somehow). The keys are the defaults included in the ipsec.conf
example since this is a test environment.

Here is router A's ipsec.conf:
--
flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer
10.123.0.48 type require
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001
authkey 
0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001
authkey 
0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
--

Output from router A's ipsecctl -sa looks like you would expect:
--
FLOWS:
flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer
10.123.0.48 type require
flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer
10.123.0.48 type require

SAD:
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth
hmac-sha2-256 enc aes
esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth
hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth
hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth
hmac-sha2-256 enc aes
--

Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and
tcpdump -i enc0 shows this:
--
tcpdump: listening on enc0, link-type ENC
09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
--

Which is clearly the wrong SPI. If I try to ping in the reverse
direction, B sends its packets with the correct SPI while the replies
are encoded for 0x00010004. Removing the subnet lines from ipsec.conf
corrects this issue.

Is this a bug in IPsec or something I'm doing wrong?

Thanks for the help. dmesg follows.

-HKS


OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz (GenuineIntel
686-class) 2.33 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
real mem  = 267939840 (255MB)
avail mem = 251031552 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/06/06, BIOS32 rev. 0 @
0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 12/06/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1000
0xdc000/0x4000! 0xe/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x01
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x08
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: VMware Virtual IDE Hard Drive
wd0: 64-sector PIO, LBA, 8192MB, 16777216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HC2281Q, NCF700G, 1.01 SCSI0 

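An added example, not from the thread, that turns the symptom above into a check a firewall admin can rerun: it reads the FLOWS and SAD sections of the poster's `ipsecctl -sa` output and the enc0 capture, then reports every packet whose SPI is not the one its most specific outbound flow selects. It assumes the SA belonging to a flow is the SAD entry keyed by the flow's source network address and its peer, which is how the poster's SAD is laid out; the sample lines are copied from the post, with the `>` between the addresses that the archive stripped put back.

```python
"""Audit ESP packets seen on enc0 against the flows and SAs ipsecctl reports."""
import ipaddress
import re

# FLOWS section of the poster's `ipsecctl -sa` output, one flow per line.
FLOWS_TEXT = """\
flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
"""

# SAD section of the same output.
SAD_TEXT = """\
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
"""

# Two lines of the poster's `tcpdump -i enc0` capture, unwrapped, with the
# '>' between the addresses restored.
ENC0_TEXT = """\
09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
"""

FLOW_RE = re.compile(r"flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
                     r"(?: local (?P<local>\S+))? peer (?P<peer>\S+)")
SA_RE = re.compile(r"esp tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+)")
PKT_RE = re.compile(r"SPI (?P<spi>0x[0-9a-fA-F]+): (?P<src>\S+) > (?P<dst>\S+):")


def parse_flows(text):
    """Return (direction, src_net, dst_net, peer) for every flow line."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["dir"],
                          ipaddress.ip_network(m["src"], strict=False),
                          ipaddress.ip_network(m["dst"], strict=False),
                          m["peer"]))
    return flows


def parse_sad(text):
    """Map (sa_src, sa_dst) to the SPI, as an int, for every SAD line."""
    sad = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            sad[(m["src"], m["dst"])] = int(m["spi"], 16)
    return sad


def expected_spi(flows, sad, src, dst):
    """SPI the most specific outbound flow covering src -> dst selects, or None.

    Assumption: a flow's SA is the SAD entry keyed by the network address of
    the flow's source and by its peer, which is how the poster's SAD is laid
    out (10.123.0.46 and 10.100.0.0 as sources, 10.123.0.48 as destination).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for direction, fsrc, fdst, peer in flows:
        if direction != "out" or src_ip not in fsrc or dst_ip not in fdst:
            continue
        specificity = fsrc.prefixlen + fdst.prefixlen
        if best is None or specificity > best[0]:
            best = (specificity, fsrc, peer)
    if best is None:
        return None
    return sad.get((str(best[1].network_address), best[2]))


def audit(enc0_text, flows, sad):
    """Return (src, dst, spi_seen, spi_expected) for every packet on enc0 whose
    SPI is not the one its flow selects; an empty list means all is well."""
    bad = []
    for line in enc0_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        seen = int(m["spi"], 16)
        want = expected_spi(flows, sad, m["src"], m["dst"])
        if want != seen:
            bad.append((m["src"], m["dst"], seen, want))
    return bad


if __name__ == "__main__":
    for src, dst, seen, want in audit(ENC0_TEXT, parse_flows(FLOWS_TEXT), parse_sad(SAD_TEXT)):
        wanted = "no flow" if want is None else f"0x{want:08x}"
        print(f"{src} -> {dst}: SPI 0x{seen:08x} on the wire, flow selects {wanted}")
```
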
Re: Packets sent with wrong SPI

2008-10-21 Thread (private) HKS
On Tue, Oct 21, 2008 at 5:01 PM, Mitja Muenih [EMAIL PROTECTED] wrote:
 Can you try to explicitly bind ping to the right source address?

 Something like

 ping -I 10.123.0.46 10.123.0.48


Exact same result.

-HKS



Re: pf - queue filter directive sticky?

2008-09-30 Thread (private) HKS
 imho normally this packet wouldn't be queued because the last count
 matches the packet so the last rule applies:

This is what I assumed at first, but the stickiness of tags and the
(seeming) logic of doing the same with queues made me second-guess
myself.


 on the other hand:

 During the filtering component of pf.conf, the last referenced
 queue name is where any packets from pass rules will be queued...

 that means because of the sequential order that the packet should be
 queued imho.

Is that the case, or does that mean that packets passed by a statement
on an altq-enabled interface without an explicit queue name
directive are automatically assigned to the last defined queue?

My initial tests suggest that the queue statements are not sticky (ie,
my initial rules would not have queued it in the tens queue), but
I'm still not sure.

-HKS



Re: pf - queue filter directive sticky?

2008-09-30 Thread (private) HKS
 from pf.conf man page:

 default Packets not matched by another queue are assigned to this
 one.  Exactly one default queue is *required.*


Thanks, I overlooked that a default queue was required. With that in
mind, then, does this section of pf.conf(5) imply that the queue
directive is sticky?
During the filtering component of pf.conf, the last referenced queue
name is where any packets from pass rules will be queued...


 Why you just not use quick in the first rule?

 pass in quick on $int_if from 10.0.0.1 queue tens

 pass in on $int_if

This question is for clarity's sake: is the quick required?

-HKS



pf - queue filter directive sticky?

2008-09-29 Thread (private) HKS
If the following two rules apply to a given packet in the order shown,
will the packet be queued?

pass in on $int_if from 10.0.0.1 queue tens
pass in on $int_if

I've not been able to find a clear answer in pf.conf(5) or the online
PF documentation. If I overlooked it, please let me know. Thanks in
advance for the help.

-HKS



Re: Patching a SSH 'Weakness'

2008-09-11 Thread (private) HKS
Also, tab-completion won't work, top won't work, control characters
won't work, vim won't work, etc etc...

-HKS

On Thu, Sep 11, 2008 at 4:00 AM,  [EMAIL PROTECTED] wrote:
 Just off the top of my head (I have to check the SSH protocol yet): Why not 
 encipher all accumulated keystrokes up to the Enter key as a block send 
 them instead of sending each keystroke as it is typed? This shrouds the 
 typist's characteristics.
 In addition, if the cipher is a block cipher, padding is added to make the 
 number of bits a multiple of the block size. Mandatory padding with a nonce 
 may help to shroud the number of keystrokes.
 The drawback is that the padding part could mean that we are no longer 
 compatible with the SSH protocol.



Re: This is what Linus Torvalds calls openBSD crowd

2008-07-16 Thread (private) HKS
++

-HKS

 Let me be the first to say--

   Who cares?

 I may completely disagree with him, but I'm not going to invest in a
 flame fest over his comments.

 To each their own.

 --STeve Andre'



Re: [Samba] Re: Winbind syslog errors and Domain Local Groups

2008-07-15 Thread (private) HKS
Ah, thanks, didn't even realize 3.0.31 had been released. I'll give that a try.

-HKS

On Tue, Jul 15, 2008 at 6:15 PM, Jeremy Allison [EMAIL PROTECTED] wrote:
 On Tue, Jul 15, 2008 at 06:12:41PM -0400, (private) HKS wrote:
 I was finally able to correct these errors by enabling Kerberos
 and changing the security model from domain to ads, but now
 I've run into the same problem reported here:
 http://www.usenet-forums.com/samba/394092-re-samba-accessing-member-server-prompts-credentials.html

 After about 5 minutes of uptime the winbind service throws
 several errors into syslog and nothing referencing it will work
 correctly until I restart it. The processes are still running.

 Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0]
 nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
 Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:
 [2008/07/15 17:57:26, 0]
 nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
 Jul 15 17:57:26 testbox winbindd[994]:
 async_request_timeout_handler: child pid 992 is not responding.
 Closing connection to it.
 Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:
   async_request_timeout_handler: child pid 992 is not responding.
 Closing connection to it.

 This is Samba 3.0.30 and Kerberos 5 running on FreeBSD 7.0.

 Can anyone help me out here?

 Known bug that was explicitly fixed in 3.0.31.

 Jeremy.



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread (private) HKS
My 4.3 installs defaulted to PermitRootLogin yes after install.
-HKS

On Thu, Jul 10, 2008 at 10:35 AM, Brian A. Seklecki
[EMAIL PROTECTED] wrote:
 Am I reading this right?

 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

 I don't have a fresh install anywhere -- but I want to say that it doesn't
 default to PermitRootLogin yes after the install.

 I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this
 changed, but Redhat Support is giving some noise about:

 Well the source vendor doesn't disable it by default ...

 ~BAS



Re: getpwnam_r() missing on OpenBSD 4.3

2008-07-02 Thread (private) HKS
Backporting this is beyond my meager C abilities (and time to learn,
at the moment).

Running -current in our production environment is also impractical
since we only use OpenBSD on mission-critical router/firewall/vpn
boxes. However, I'll see about setting up a couple test boxes to make
sure the software packages I'm looking at will work as expected come
4.4.

Thanks anyhow for the help.

-HKS


On Wed, Jul 2, 2008 at 8:31 AM, Marc Espie [EMAIL PROTECTED] wrote:
 On Tue, Jul 01, 2008 at 11:04:21AM -0400, (private) HKS wrote:
 Let's hear it for my attention to detail.

 Does anybody happen to have a creative workaround for
 threaded applications requesting this call? I'm experimenting
 with changing the call to getpwnam(), but that's out of morbid
 curiosity rather than a real fix.

 Use current, that will also help the project, since we're happy to
 have more people testing stuff.



Re: Net-SNMP segfaults under OpenBSD 4.3

2008-07-01 Thread (private) HKS
One further note, just in case someone else runs into a similar problem.

Running net-snmp under the agentuser and agentgroup of _snmpd will
work, but many of your MIBs will return null data (most notably, MIB-2
Interfaces) because the agent reads /dev/mem for that data. You'll see
this kind of message in your log files if you compiled with debugging
enabled:

kvm_read(*, 1, 0x2beec61c, 4) = -1: invalid address (1)
auto_nlist failed on ifnet at location 1

And a manual snmpwalk will return something like:

$ snmpwalk -c public -v 1 10.0.0.1 interfaces
IF-MIB::ifNumber.0 = INTEGER: 0

My workaround for this was to change the agentgroup to kmem (or
whatever gid is associated with /dev/mem). It's not ideal since it has
full read access to kernel memory, but it's better than running as
root.

-HKS

On Fri, Jun 27, 2008 at 4:24 PM, (private) HKS [EMAIL PROTECTED] wrote:
 Thanks, took this route and things are working just fine now.
 -HKS

 On Fri, Jun 27, 2008 at 8:19 AM, Claer [EMAIL PROTECTED] wrote:
 On Fri, Jun 27 2008 at 13:12, Stephan A. Rickauer wrote:
 On Wed, 2008-06-25 at 11:17 -0400, (private) HKS wrote:
  In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0
  on an OpenBSD 4.3 box via packages. The executable segfaults every time I try
  to run it. This happens with or without command-line options, with my custom
  config file or the default config file. I've tested with two different
  machines, two different mirrors, and seen no change.
 
  I've not yet tried building net-snmp from the ports system, but that's
  my next step.
 
  Has anybody else run into this?

 I've seen this, too. But a package made out of the port will work.

 Repeatable also here. We built net-snmp package from ports.

 Claer



Re: getpwnam_r() missing on OpenBSD 4.3

2008-07-01 Thread (private) HKS
Let's hear it for my attention to detail.

Does anybody happen to have a creative workaround for
threaded applications requesting this call? I'm experimenting
with changing the call to getpwnam(), but that's out of morbid
curiosity rather than a real fix.

November 1 can't come soon enough ;)

-HKS

On Fri, Jun 27, 2008 at 9:20 PM, Marc Espie [EMAIL PROTECTED] wrote:
 On Fri, Jun 27, 2008 at 05:23:54PM -0400, (private) HKS wrote:
 Not sure if this is the right list for this question, so let me know
 if it needs to go somewhere else.

 My OpenBSD box is missing the getpwnam_r() function described in the
 getpwent(3) man page. At least, it's described at this URL:
 http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
^^^

 Have a closer look at that url. ;-)



Re: about dhcpd and carp device

2008-06-30 Thread (private) HKS
Your carp interface won't be doing much for you if it doesn't have an
IP address configured.

You should be able to run dhcpd off carp1 without any trouble, though
I can't speak from experience.

-HKS


On Mon, Jun 30, 2008 at 3:54 PM, Imre Oolberg [EMAIL PROTECTED] wrote:
 Hallo!

 I have been using for some time now carp failover and i am very content with
 it, thank you!

 I run some tests and i just wanted to confirm that in order to run dhcpd
 service one has to run it on a physical interface (which has ip address
 configured) like

 # dhcpd fxp0

 and not on a carp device which in turn uses fxp0 like that, right?

 # dhcpd carp1


 Best regards,

 Imre

 PS I learned from the archives that dhcp v.3 has so to say master and slave
 functionality but this is not an issue yet for me how to sync leases
 database and etc.



Re: Net-SNMP segfaults under OpenBSD 4.3

2008-06-27 Thread (private) HKS
Thanks, took this route and things are working just fine now.
-HKS

On Fri, Jun 27, 2008 at 8:19 AM, Claer [EMAIL PROTECTED] wrote:
 On Fri, Jun 27 2008 at 13:12, Stephan A. Rickauer wrote:
 On Wed, 2008-06-25 at 11:17 -0400, (private) HKS wrote:
  In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0
  on an OpenBSD 4.3 box via packages. The executable segfaults every time I try
  to run it. This happens with or without command-line options, with my custom
  config file or the default config file. I've tested with two different
  machines, two different mirrors, and seen no change.
 
  I've not yet tried building net-snmp from the ports system, but that's
  my next step.
 
  Has anybody else run into this?

 I've seen this, too. But a package made out of the port will work.

 Repeatable also here. We built net-snmp package from ports.

 Claer



getpwnam_r() missing on OpenBSD 4.3

2008-06-27 Thread (private) HKS
Not sure if this is the right list for this question, so let me know
if it needs to go somewhere else.

My OpenBSD box is missing the getpwnam_r() function described in the
getpwent(3) man page. At least, it's described at this URL:
http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

My man page doesn't have any reference to getpwnam_r() - only the non-threadsafe
getpwnam(). Likewise with getpwuid_r(). I assume this isn't normal (correct me
if I'm wrong), but this is happening on a generic installation. Is there
something I need to do/undo to enable these functions?

Thanks for the help.
-HKS



Net-SNMP segfaults under OpenBSD 4.3

2008-06-25 Thread (private) HKS
In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0
on an OpenBSD 4.3 box via packages. The executable segfaults every time I try
to run it. This happens with or without command-line options, with my custom
config file or the default config file. I've tested with two different
machines, two different mirrors, and seen no change.

I've not yet tried building net-snmp from the ports system, but that's
my next step.

Has anybody else run into this?

-HKS



Re: snmp MIB variables

2008-06-10 Thread (private) HKS
Thanks, that clears up my confusion.
-HKS

On Tue, Jun 10, 2008 at 1:30 PM, Dustin Lundquist [EMAIL PROTECTED]
wrote:

 HOST-RESOURCES-MIB was added after the 4.3 release:
 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/snmpd/mib.c#rev1.20
 While not supported, I've had luck building snmpd from -current on 4.3
 release.


 Dustin Lundquist



 (private) HKS wrote:

 Hello,

 Reyk Floeter mentioned in his ONLamp interview (link below) that snmpd
 currently supports most of the SNMPv1/v2c MIBs, IP-MIB, BRIDGE-MIB,
 HOST-RESOURCES-MIB, IF-MIB, and the OPENBSD-SENSORS-MIB


 http://www.onlamp.com/pub/a/bsd/2008/04/29/puffy-and-the-crytonauts-whats-new-in-openbsd-43.html

 I have a 4.3 installation that lacks the vast majority of these MIBs. The
 most relevant for me is
 HOST-RESOURCES-MIB - 1.3.6.1.2.1.25.1.

 # snmpctl -n show mib | grep 1.3.6.1.2.1.25.1
 #

 Are these MIBs planned releases, or is my installation missing something?

 Thanks in advance for the help.
 -HKS



snmp MIB variables

2008-06-09 Thread (private) HKS
Hello,

Reyk Floeter mentioned in his ONLamp interview (link below) that snmpd
currently supports most of the SNMPv1/v2c MIBs, IP-MIB, BRIDGE-MIB,
HOST-RESOURCES-MIB, IF-MIB, and the OPENBSD-SENSORS-MIB

http://www.onlamp.com/pub/a/bsd/2008/04/29/puffy-and-the-crytonauts-whats-new-in-openbsd-43.html

I have a 4.3 installation that lacks the vast majority of these MIBs. The
most relevant for me is
HOST-RESOURCES-MIB - 1.3.6.1.2.1.25.1.

# snmpctl -n show mib | grep 1.3.6.1.2.1.25.1
#

Are these MIBs planned releases, or is my installation missing something?

Thanks in advance for the help.
-HKS