Re: pf feature request
2009/7/29 irix <i...@ukr.net>:
Hello Misc,

This feature is not scheduling pure. At altq You can try to achieve, but altq is not designed for this (in altq will get all outbound traffic, but we do not need). This whole idea is to avoid queues and do not discard packets, but simply ask the party to send packets more slowly, when the flow rate exceeds the specified speed. But if the party does not respond to these requests with the traffic, nothing happens. He has already come and build it into the queue and dropat do not need. This similarity function ALTQ_CDNR, but it is unlike anything on coming traffic does not occur (in ALTQ_CDNR he was discarded and the built-in tcp flow rate decreases), I propose to do the same thing but without the dregs of packages, how would emulate overloading tcp, but without actual overload.

Why? What's the use case?
-HKS

On Wed, Jul 29, 2009 at 10:41:59AM -0400, (private) HKS wrote:
2009/7/28 irix <i...@ukr.net>:
Hello Misc,

Maybe the public interested in the idea to add in the pf function query at slowing the transfer of data to tcp protocol? To attempt to reduce the speed of the incoming flow without altq. This function is designed exclusively for the tcp protocol, and must work under the rfc. Can I suggest an example of rule:

    pass in on $ext_if proto tcp from $internet to any port ftp keep state tcprequester 5Mb

When an incoming tcp stream reach in 5Mbit, pf starts to ask the remote side to reduce speed. But at the same time, no queues are being built, and no packets are discarded. pf only generates requests to reduce the speed of the sending party.

--
Best regards,
irix mailto:i...@ukr.net

diff?
-HKS

Could this not be done currently with altq?

--
Best regards,
irix mailto:i...@ukr.net
Re: pf feature request
2009/7/30 irix <i...@ukr.net>:
> Hello Misc,
>
> It was a great number of disputes about shaping the incoming flow. This function is a solution to this dispute, she realizes that may be implemented according to RFC.

Well, sort of. Assuming for a second that this was magically implemented exactly as you see it, it would be a way to shape inbound TCP streams. Nothing more. All other protocols would be completely untouched, so this would only function as an easily bypassed administrative limit.

> And need it for example if you have a single ftp server and you want it to one of the ip on it to fill the data did not say faster than 2Mbit, and all the others at full speed. (without tuning ftpd)

I assume you mean that you have an FTP server that permits upload, and you want to restrict upload from a given client IP to 2Mbit? This magic option would do the trick - for a single stream. What if they establish multiple streams? Unless you intended this to be an option restricting bandwidth aggregate across all states created by a given rule?

> Or you have a narrow channel, for example in 128Kbit, and you are one of the SMTP server attempts to transmit e-mail to 200 megabytes, with all your feed traffic taken from smtp server, but this feature you can ask the remote server to send you e-mail is slower to have been free of the canal and you can open a http page.

Alternatively, you can assign traffic outbound from your firewall to your mail server to a 64kbps wide queue and let the endpoints do what they're supposed to do, rather than fucking with tcp proxying and congestion scaling on the router.

> In doing so, no shaping, and queuing is organized and not over the coming traffic no action is performed. This option is applied only for tcp traffic, according to rfc.

Which RFC are you referring to? I assume you're talking about modifying the congestion control options. This sounds simple. It's not.

As one potential user, I don't see myself ever using this functionality since it is a) limited to TCP, b) trivial for a hostile user to work around, c) provides no functionality not already possible with altq. From what I've seen, it's also very unlikely for the developers to bother implementing something that they don't see an immediate use for or isn't thoroughly interesting to them. So far, your feature accomplishes nothing new and would probably require a serious amount of work. Without providing at least a solid explanation of what this gives you that altq does not, as well as a proof-of-concept code implementation, you're probably never going to see this.

-HKS

>> Why? What's the use case?
>> -HKS
>
> --
> Best regards,
> irix mailto:i...@ukr.net
Re: pf feature request
2009/7/28 irix <i...@ukr.net>:
> Hello Misc,
>
> Maybe the public interested in the idea to add in the pf function query at slowing the transfer of data to tcp protocol? To attempt to reduce the speed of the incoming flow without altq. This function is designed exclusively for the tcp protocol, and must work under the rfc. Can I suggest an example of rule:
>
>     pass in on $ext_if proto tcp from $internet to any port ftp keep state tcprequester 5Mb
>
> When an incoming tcp stream reach in 5Mbit, pf starts to ask the remote side to reduce speed. But at the same time, no queues are being built, and no packets are discarded. pf only generates requests to reduce the speed of the sending party.
>
> --
> Best regards,
> irix mailto:i...@ukr.net

diff?
-HKS
Re: About em (4)
On Wed, Jul 15, 2009 at 10:57 AM, Insan Praja SW <insan.pr...@gmail.com> wrote:
Hi,

On Wed, 15 Jul 2009 08:38:23 +0700, bsd...@gmail.com <bsd...@gmail.com> wrote:
Presumably this would have been removed from the manual page if the issue were fixed. OpenBSD is usually good about keeping the documentation up to date and matching the code it comes with. On the other hand, it's difficult to test without knowing what the issue actually is...

All my routers use em(4). I'm planning to move my cores physical access to jumbo frames network. I hope it could fasten our network a little bit, so I need to know if this udp traffic on jumbo frames will be a problem. If anyone had any experience with udp traffic on an em(4) jumbo frame setting, I'd love to hear them.

On Tue, Jul 14, 2009 at 12:22 AM, Insan Praja SW <insan.pr...@gmail.com> wrote:
Hi Misc@,

From the em(4) man:

    BUGS
    There are known performance issues with this driver when running UDP traffic with Jumbo frames.

Is this info still valid?

Thanks,
--
insandotpraja(at)gmaildotcom

Thanks,
Insan Praja
--
insandotpraja(at)gmaildotcom

No experience myself, but it's unusual for the man pages to be out of date. If it was fixed, the man page would have been updated. Test it yourself and see if the performance impact is going to be a problem in your network.

-HKS
Re: Simple Gif or Gre Tunnel doesn't seem so simple...
On Mon, Jul 13, 2009 at 6:59 PM, Christopher Hilton <ch...@vindaloo.com> wrote:
I'm trying to setup a gif or gre tunnel between two machines running OpenBSD 4.5. North is a soekris 5501 and south is a soekris 4511. Both are routers.

North:
    LAN: 192.168.144.0/24 via 192.168.144.1
    WAN: 10.0.2.1
South:
    LAN: 192.168.140.0/24 via 192.168.140.1
    WAN: 172.16.34.57

I'm doing the following:

North:
    # ifconfig gif0 create
    # ifconfig gif0 inet 172.17.0.1 172.17.0.2 netmask 255.255.255.0 \
        tunnel 10.0.2.1 172.16.34.57
    # route add -net 192.168.140.0/24 172.17.0.1

South:
    # ifconfig gif0 create
    # ifconfig gif0 inet 172.17.0.2 172.17.0.1 netmask 255.255.255.0 \
        tunnel 172.16.34.57 10.0.2.1
    # route add -net 192.168.144.0/24 172.17.0.2

I'm doing:
    # sysctl net.inet.etherip.allow=1
on both sides.

I'm getting no joy getting packets through this tunnel. I am running pf on this configuration. According to the documentation the default encapsulation for the gif devices is protocol 97 etherip but when I tcpdump my external interfaces I'm seeing encapsulated packets with protocol 4 (ipencap) pass. So I've added the following rules to both pf.confs:

    pass in on $ext_if proto { ipencap, etherip }
    pass out on $ext_if proto { ipencap, etherip }

Can anyone see anything obviously wrong or forgotten here? Or, does anyone have a simple gif tunnel setup that could maybe assist me?

Thanks in advance,
-- Chris

ifconfigs, pf.conf, dmesg
-HKS
Re: Winbind Samba on OpenBSD
On Wed, Jul 8, 2009 at 10:57 AM, Mike Erdely <m...@erdelynet.com> wrote:
On Wed, Jul 08, 2009 at 11:32:46AM +0100, Edd Barrett wrote:
On Tue, Jul 07, 2009 at 10:28:34AM -0400, Jason Beaudoin wrote:
Did you have a look at www.kernel-panic.it? There are some tutorials.

yes, there's some helpful info for samba, but I haven't yet seen anything related to winbind.. unless my google foo needs some work.

Winbind is a PAM plugin. OpenBSD does not use this mechanism. Winbind depends on the use of nsswitch.conf. I don't know if ypldap can be used to talk to AD?

That's its purpose (to be used with LDAP) and Active Directory is a bastardized^wenhanced implementation of LDAP. Along with login-ldap, ypldap should give you the same functionality as winbind, afaik. But, winbind is useful with integrating Windows-based authentication with applications such as squid (but it's been years since I've done that).

-ME

The major advantage of Winbind is that it automagically enumerates your ADS users and binds them to UIDs on your *nix box. I've not worked with ypldap specifically, but IIRC it's going to require that the Win server have an NIS server aboard with UIDs already mapped. See http://www.microsoft.com/windowsserver2003/r2/unixinterop/default.mspx for info on the ADS NIS server.

If you're just looking for authentication and don't mind creating the individual users on your OpenBSD system, just use Kerberos. It's a much simpler and more resilient setup.

-HKS
Re: Automated service/daemon management
On Tue, Jun 9, 2009 at 6:09 PM, patrick keshishian <pkesh...@gmail.com> wrote:
On Tue, Jun 9, 2009 at 11:06 AM, (private) HKS <hks.priv...@gmail.com> wrote:
When my scripts install a package, they have to edit the monolithic /etc/rc.local in order to enable starting (rc.conf.local too, but that's a single line easily done with sed and checked with grep). Uninstalling a package is scarier since they're removing the parts of /etc/rc.local. Both of these rely on multi-line pattern matching and merging, which are imperfect sciences that wrack my nerves when they run automatically.

The much larger problem, though, is with starting/stopping/restarting services. Say I add spamd as an enabled service on host1. For my scripts to start it properly, I have to replicate the code already in /etc/rc defining how spamd starts. This is prone to errors and runs the risk of breaking on upgrades. Restarting services that need more than a HUP is also a chore. As for stopping, some services like postgresql need some careful attention. This means replicating code from /etc/rc.shutdown.

for ports you add to your system (such as postgresql) you can always use an external script for its start/stop and just add appropriate section to rc.local and rc.shutdown:

--- e.g., ---
rc.local
    # ...
    if [ -x /etc/rc.pgsql ] ; then /etc/rc.pgsql start ; fi

rc.shutdown
    # ...
    if [ -x /etc/rc.pgsql ] ; then /etc/rc.pgsql stop ; fi

next you need to write rc.pgsql that starts or stops postgresql based on $1 == start or == stop

That should solve at least part of your problem. As for spamd enabling/disabling, just reboot that machine if you don't want to look through the rc script to figure out what you need run.

--patrick

Thanks to all for the suggestions. Right now the most convincing is the daemontools suggestion - I'll dig into that and see if it suits my needs. I've resisted hacking rc.d and rcorder into my system mainly because I want to avoid recoding rc just to make a few things easier.

There's a lot in OpenBSD's rc that doesn't translate directly into the rc.d type system, so it's not going to be a simple matter. That's a lot of work to avoid a lot of work, and I'm not sure which one really requires more. The other rc mods are interesting, and I'll look at using them if daemontools doesn't do what I'm hoping.

Thanks for the help.
-HKS
Automated service/daemon management
As my environment grows, I'm automating more and more of my work (package installation, config file propagation, etc.) so I can keep up with it. The problem I'm running into with my OpenBSD boxes is with services/daemons.

When my scripts install a package, they have to edit the monolithic /etc/rc.local in order to enable starting (rc.conf.local too, but that's a single line easily done with sed and checked with grep). Uninstalling a package is scarier since they're removing the parts of /etc/rc.local. Both of these rely on multi-line pattern matching and merging, which are imperfect sciences that wrack my nerves when they run automatically.

The much larger problem, though, is with starting/stopping/restarting services. Say I add spamd as an enabled service on host1. For my scripts to start it properly, I have to replicate the code already in /etc/rc defining how spamd starts. This is prone to errors and runs the risk of breaking on upgrades. Restarting services that need more than a HUP is also a chore. As for stopping, some services like postgresql need some careful attention. This means replicating code from /etc/rc.shutdown.

I've looked at adding some stupid delimiters to /etc/rc, /etc/rc.local, and /etc/rc.shutdown so I can just pull in the necessary chunks, but I'm wondering if there's anything available that's more elegant and won't break on every upgrade.

Has anyone solved this problem on OpenBSD?

-HKS
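Added example, not from the thread: a shell helper that applies patrick's one-line-per-service hook approach (in the reply above) to the rc.local/rc.shutdown editing problem HKS describes, so that enabling or disabling a package appends or deletes exactly one tagged line per file and no multi-line matching is needed. The `# rc-hook: NAME` trailer, the `/etc/rc.NAME` script convention and the `RC_LOCAL`/`RC_SHUTDOWN` overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Each managed service gets exactly one
# line in rc.local (start) and one in rc.shutdown (stop), tagged with a
# marker comment, so enabling/disabling is a single-line append or delete.
# Assumptions: per-service scripts live at /etc/rc.NAME and take start|stop;
# service names are plain words; RC_LOCAL/RC_SHUTDOWN can be overridden so
# the helper can be exercised on temp files without root.

RC_LOCAL=${RC_LOCAL:-/etc/rc.local}
RC_SHUTDOWN=${RC_SHUTDOWN:-/etc/rc.shutdown}

# hook_line NAME ACTION: the exact line we manage for this service
hook_line() {
    printf 'if [ -x /etc/rc.%s ]; then /etc/rc.%s %s; fi # rc-hook: %s\n' \
        "$1" "$1" "$2" "$1"
}

# hook_present FILE NAME: succeeds if FILE already carries the marker
hook_present() {
    grep -q "# rc-hook: $2\$" "$1" 2>/dev/null
}

# hook_add FILE NAME ACTION: append once; a second call is a no-op
hook_add() {
    hook_present "$1" "$2" && return 0
    hook_line "$2" "$3" >> "$1"
}

# hook_remove FILE NAME: drop only the marked line. The rewrite goes through
# a temp file in the same directory and an atomic rename, so an interrupted
# run never leaves a truncated rc file; cp -p keeps mode and ownership.
hook_remove() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    cp -p "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    awk -v name="$2" '$0 !~ ("# rc-hook: " name "$")' "$1" > "$tmp" &&
        mv -f "$tmp" "$1"
}

# service_enable NAME / service_disable NAME: the two operations an
# install or uninstall script needs
service_enable() {
    hook_add "$RC_LOCAL" "$1" start && hook_add "$RC_SHUTDOWN" "$1" stop
}
service_disable() {
    hook_remove "$RC_LOCAL" "$1" && hook_remove "$RC_SHUTDOWN" "$1"
}

# usage: rc-hook.sh enable|disable NAME   (script name is hypothetical)
case "${1-}" in
    enable)  service_enable "$2" ;;
    disable) service_disable "$2" ;;
esac
```

The rc.NAME script itself (the part patrick leaves to the reader) stays a plain start/stop wrapper; everything the automation has to touch is the one tagged line.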
Re: Automated service/daemon management
On Tue, Jun 9, 2009 at 3:02 PM, Nick Hasser <nick.has...@gmail.com> wrote:
(private) HKS wrote:
Has anyone solved this problem on OpenBSD?
-HKS

I have not yet, but I've been meaning to look into systems such as cfengine [1], puppet [2], chef [3], etc. I'd be interested in any experiences folks have with these types of systems and OpenBSD.

Nick

[1] http://www.cfengine.org/
[2] http://reductivelabs.com/products/puppet/
[3] http://wiki.opscode.com/display/chef/Home

Puppet is the one I'm working with right now. It's great, but it doesn't solve the problems I outlined above.

-HKS
Re: IPSEC'd states fail after upgrade to 4.5
On Sun, May 31, 2009 at 2:16 PM, (private) HKS <hks.priv...@gmail.com> wrote:
On Sun, May 31, 2009 at 1:58 PM, (private) HKS <hks.priv...@gmail.com> wrote:

I have two networks: an office and a datacenter. The office has a single router (dmesg below) that I upgraded to 4.5 today. The datacenter has two routers running 4.4. The datacenter routers share a CARP address. The locations communicate over a gif tunnel protected by IPsec.

After upgrading to 4.5 today, connections made across this tunnel are dropped after about 30 seconds. For instance, I ssh into my datacenter backup server from my workstation. A state is created, traffic passes normally - until about 30 seconds later when the state is terminated. This does not happen for traffic passed out to the net outside this tunnel.

The only weirdness I've been able to quantify is the state that is created:

    # pfctl -vvs state | grep -A 2 workstation | grep -A 2 server
    all tcp server:22 <- workstation:2733       ESTABLISHED:ESTABLISHED
       [1948621377 + 65119] [2814490494 + 17520]
       age 00:00:27, expires in 23:59:43, 76:93 pkts, 5756:11189 bytes, rule 25
    all tcp workstation:2733 -> server:22       SYN_SENT:CLOSED
       [2814490494 + 4294964697] [0 + 65535]
       age 00:00:27, expires in 00:00:03, 76:0 pkts, 5756:0 bytes, rule 203

Once that SYN_SENT:CLOSED state's expiration counter reaches zero, my newly upgraded firewall starts blocking traffic from my workstation to the server.

When pf debugging is set to misc, I get the following sort of message in my syslog (these were pulled from two different examples - the ports do match when it happens):

    May 31 12:05:47 router /bsd: pf: loose state match: TCP out wire: server:22 workstation:2105 stack: - [lo=1243591892 high=1243591894 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA seq=1243591893 (1243591893) ack=0 len=28 ackskew=0 pkts=2:0 dir=out,fwd

I'm at a loss. My pf.conf is pretty huge, so I inserted a pass quick from workstation to server at the top above my block log policy. Same thing.
I'm not sure what else is even needed to troubleshoot this. Can anyone give me some ideas?

-HKS
PF dropping packets that match state
Yet another bizarre state problem that will probably turn out to be me being somehow braindead.

    office - gw1 - (INTERNET) - gw2 - datacenter

My office and datacenter routers talk via IPSEC encrypted gif tunnels. Most everything works. From any host on the office network, I can SSH to the internal interfaces on gw2. I cannot, however, SSH to the external interfaces (carp or physical). The traffic is routed properly, neatly traverses the gif tunnel and is accepted by gw2. The reply takes the same path but is blocked by gw1's default block policy.

The state is created on gw1 as CLOSED:SYN_SENT:

    # pfctl -vvss | grep -A 2 host | grep -A 2 gw2
    all tcp gw2:8022 <- host:50831       CLOSED:SYN_SENT
       [0 + 1] [1095549348 + 2]
       age 00:00:02, expires in 00:01:58, 1:0 pkts, 60:0 bytes, rule 24

But the replies are rejected:

    # tcpdump -eeni pflog0 'host host'
    tcpdump: listening on pflog0, link-type PFLOG
    10:05:30.836901 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1095549349 win 0 (DF)
    10:05:34.042631 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)
    10:05:37.243616 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)
    10:05:43.452693 rule 0/(match) block in on gif0: gw2.8022 > host.50831: R 0:0(0) ack 1 win 0 (DF)

To address any pf issues, I inserted a pass quick from host to gw2 at the top of my ruleset. Nothing. It works just fine to SSH from gw1 to gw2's external interface.

What am I overlooking here? dmesg of 4.5 machine follows.
-HKS
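Added example, not from either thread: a shell/awk filter over `pfctl -vvs state` output that flags TCP states whose packets have only ever flowed one way, the pattern shared by the SYN_SENT:CLOSED state in the IPsec thread above and the CLOSED:SYN_SENT state in this one. It assumes pfctl's three-line per-state layout as quoted in the posts; the sample states are constructed from those posts and the host names are the posters' placeholders.

```shell
#!/bin/sh
# one_sided_states [MIN_AGE]: read "pfctl -vvs state" output on stdin and
# print every TCP state that is at least MIN_AGE seconds old (default 10)
# and has seen packets in only one direction. A long-lived x:0 state means
# the return traffic is either not reaching this firewall or is being
# matched against a different state, which is what both a "loose state
# match" and a reply blocked by the default policy look like from here.
# (Added example; the pfctl output layout is assumed from the posts above.)
one_sided_states() {
    awk -v min_age="${1:-10}" '
    # state header: "<iface> <proto> <addr> <-|-> <addr> <STATE:STATE>"
    $2 == "tcp" && ($4 == "->" || $4 == "<-") {
        iface = $1; src = $3; dir = $4; dst = $5; st = $6
        next
    }
    # detail line: "age HH:MM:SS, expires in HH:MM:SS, A:B pkts, ..."
    $1 == "age" && st != "" {
        t = $2; sub(/,$/, "", t); split(t, hms, ":")
        age = hms[1] * 3600 + hms[2] * 60 + hms[3]
        pk = ""
        for (i = 2; i <= NF; i++) if ($i == "pkts,") pk = $(i - 1)
        split(pk, p, ":")
        if (pk != "" && age >= min_age && (p[1] + 0 == 0 || p[2] + 0 == 0))
            printf "%s %s %s %s %s pkts=%s age=%ds\n", \
                iface, src, dir, dst, st, pk, age
        st = ""
    }'
}

# Constructed sample in pfctl layout, built from the three states quoted
# in the two threads (the healthy ESTABLISHED state and the two one-sided
# ones). Names are the posters' placeholders, not real hosts.
SAMPLE='all tcp server:22 <- workstation:2733       ESTABLISHED:ESTABLISHED
   [1948621377 + 65119] [2814490494 + 17520]
   age 00:00:27, expires in 23:59:43, 76:93 pkts, 5756:11189 bytes, rule 25
all tcp workstation:2733 -> server:22       SYN_SENT:CLOSED
   [2814490494 + 4294964697] [0 + 65535]
   age 00:00:27, expires in 00:00:03, 76:0 pkts, 5756:0 bytes, rule 203
all tcp gw2:8022 <- host:50831       CLOSED:SYN_SENT
   [0 + 1] [1095549348 + 2]
   age 00:00:02, expires in 00:01:58, 1:0 pkts, 60:0 bytes, rule 24'

# check_sample MIN_AGE: run the filter over the constructed sample
check_sample() {
    printf '%s\n' "$SAMPLE" | one_sided_states "$1"
}

case "${1-}" in
    --demo)  check_sample 10 ;;              # flags only the 27s-old SYN_SENT:CLOSED state
    --stdin) one_sided_states "${2-10}" ;;   # e.g. pfctl -vvs state | sh script.sh --stdin 10
esac
```

With a threshold of 0 the fresh CLOSED:SYN_SENT state is reported as well; a 2-second-old one-sided state is normal for a SYN in flight, which is why the default waits before flagging.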
IPSEC'd states fail after upgrade to 4.5
I have two networks: an office and a datacenter. The office has a single router (dmesg below) that I upgraded to 4.5 today. The datacenter has two routers running 4.4. The datacenter routers share a CARP address. The locations communicate over a gif tunnel protected by IPsec.

After upgrading to 4.5 today, connections made across this tunnel are dropped after about 30 seconds. For instance, I ssh into my datacenter backup server from my workstation. A state is created, traffic passes normally - until about 30 seconds later when the state is terminated. This does not happen for traffic passed out to the net outside this tunnel.

The only weirdness I've been able to quantify is the state that is created:

# pfctl -vvs state | grep -A 2 workstation | grep -A 2 server
all tcp server:22 <- workstation:2733       ESTABLISHED:ESTABLISHED
   [1948621377 + 65119] [2814490494 + 17520]
   age 00:00:27, expires in 23:59:43, 76:93 pkts, 5756:11189 bytes, rule 25
all tcp workstation:2733 -> server:22       SYN_SENT:CLOSED
   [2814490494 + 4294964697] [0 + 65535]
   age 00:00:27, expires in 00:00:03, 76:0 pkts, 5756:0 bytes, rule 203

Once that SYN_SENT:CLOSED state's expiration counter reaches zero, my newly upgraded firewall starts blocking traffic from my workstation to the server.

When pf debugging is set to misc, I get the following sort of message in my syslog (these were pulled from two different examples - the ports do match when it happens):

May 31 12:05:47 router /bsd: pf: loose state match: TCP out wire: server:22 workstation:2105 stack: - [lo=1243591892 high=1243591894 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA seq=1243591893 (1243591893) ack=0 len=28 ackskew=0 pkts=2:0 dir=out,fwd

I'm at a loss. My pf.conf is pretty huge, so I inserted a "pass quick" from workstation to server at the top above my block log policy. Same thing. I'm not sure what else is even needed to troubleshoot this. Can anyone give me some ideas?

-HKS

OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem = 2146795520 (2047MB)
avail mem = 2067582976 (1971MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/25/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf9920 (87 entries)
bios0: vendor Dell Computer Corporation version A07 date 04/25/2008
bios0: Dell Computer Corporation PowerEdge 2850
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5) PALO(S5) PBLO(S5) VPR0(S5) PBHI(S5) VPR1(S5) PICH(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
ioapic1 at mainbus0: apid 3 pa 0xfec8, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 3
ioapic2 at mainbus0: apid 4 pa 0xfec83000, version 20, 24 pins
ioapic2: misconfigured as apic 0, remapped to apid 4
ioapic3 at mainbus0: apid 5 pa 0xfec84000, version 20, 24 pins
ioapic3: misconfigured as apic 0, remapped to apid 5
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PALO)
acpiprt2 at acpi0: bus 2 (DOBA)
acpiprt3 at acpi0: bus 3 (DOBB)
acpiprt4 at acpi0: bus 4 (PBLO)
acpiprt5 at acpi0: bus 5 (PBHI)
acpiprt6 at acpi0: bus 6 (PXB1)
acpiprt7 at acpi0: bus 7 (PXB2)
acpiprt8 at acpi0: bus 8 (VPR1)
acpiprt9 at acpi0: bus 9 (PXC1)
acpiprt10 at acpi0: bus 10 (PXC2)
acpiprt11 at acpi0: bus 11 (PICH)
acpicpu0 at acpi0
bios0: ROM list: 0xc/0xb000! 0xcb000/0x1000 0xcc000/0x1000 0xcd000/0x2200 0xec000/0x4000!
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x09
ppb0 at pci0 dev 2 function 0 Intel E7520 PCIE rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel IOP332 PCIE-PCIX rev 0x06
pci2 at ppb1 bus 2
ami0 at pci2 dev 14 function 0 Dell PERC 4e/Di rev 0x06: apic 3 int 14 (irq 7)
ami0: Dell 16d, 32b, FW 513O, BIOS vH418, 256MB RAM
ami0: 2 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed
sd0: 139900MB, 512 bytes/sec, 286515200 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 6 lun 0: PE/PV, 1x6 SCSI BP, 1.0 SCSI2 3/processor fixed
scsibus2 at ami0: 16 targets
ppb2 at pci1 dev 0 function 2 Intel IOP332 PCIE-PCIX rev 0x06
pci3 at ppb2 bus 3
ppb3 at pci0 dev 4 function 0 Intel E7520 PCIE rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 5 function 0 Intel E7520 PCIE rev 0x09
pci5 at ppb4 bus 5
ppb5
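The state listing in the post above is easier to reason about when it is parsed rather than eyeballed. The following is an added example, not code from the post or from OpenBSD: a small Python parser for the three-line records that `pfctl -vvs state` prints on OpenBSD 4.x, fed with the two states quoted above (embedded as a constructed sample, with the `<-`/`->` arrows assumed to be present as pfctl prints them). It pairs entries that belong to the same connection and reports the ones whose TCP states disagree, whose counters show traffic in only one direction, or whose entry is about to expire while packets are still flowing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two states quoted in the post, in the three-line
# record layout that `pfctl -vvs state` prints on OpenBSD 4.x.
SAMPLE = """\
all tcp server:22 <- workstation:2733       ESTABLISHED:ESTABLISHED
   [1948621377 + 65119] [2814490494 + 17520]
   age 00:00:27, expires in 23:59:43, 76:93 pkts, 5756:11189 bytes, rule 25
all tcp workstation:2733 -> server:22       SYN_SENT:CLOSED
   [2814490494 + 4294964697] [0 + 65535]
   age 00:00:27, expires in 00:00:03, 76:0 pkts, 5756:0 bytes, rule 203
"""

TAIL_RE = re.compile(
    r"age (\S+), expires in (\S+), (\d+):(\d+) pkts, (\d+):(\d+) bytes, rule (\d+)")


@dataclass
class State:
    iface: str
    proto: str
    left: str            # endpoints exactly as pfctl printed them
    arrow: str           # "<-" (inbound), "->" (outbound) or "<->"
    right: str
    left_state: str      # TCP state of the left endpoint
    right_state: str     # TCP state of the right endpoint
    age: int             # seconds
    expires: int         # seconds until pf drops the entry
    pkts: Tuple[int, int]
    rule: int

    def key(self) -> Tuple[str, frozenset]:
        # One logical connection, whichever side pf created the entry from.
        return (self.proto, frozenset((self.left, self.right)))


def hms(t: str) -> int:
    h, m, s = (int(x) for x in t.split(":"))
    return h * 3600 + m * 60 + s


def parse_states(text: str) -> List[State]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("expected three-line state records")
    out = []
    for i in range(0, len(lines), 3):
        # Line 1: iface proto left arrow right left_state:right_state.
        # Line 2 (sequence windows) is skipped; line 3 carries the counters.
        iface, proto, left, arrow, right, st = lines[i].split()
        lst, rst = st.split(":")
        m = TAIL_RE.search(lines[i + 2])
        if not m:
            raise ValueError("unparseable counters: " + lines[i + 2])
        out.append(State(iface, proto, left, arrow, right, lst, rst,
                         hms(m.group(1)), hms(m.group(2)),
                         (int(m.group(3)), int(m.group(4))), int(m.group(7))))
    return out


def find_asymmetric(states: List[State], soon: int = 60) -> List[dict]:
    """Report connections pf tracks more than once with disagreeing TCP
    states, and entries expiring within `soon` seconds despite traffic."""
    by_key: Dict[Tuple, List[State]] = {}
    for s in states:
        by_key.setdefault(s.key(), []).append(s)
    findings = []
    for key, group in by_key.items():
        tcp_states = {(s.left_state, s.right_state) for s in group}
        dying = [s for s in group if s.expires <= soon and sum(s.pkts) > 0]
        if (len(group) > 1 and len(tcp_states) > 1) or dying:
            findings.append({
                "conn": key,
                "rules": sorted(s.rule for s in group),
                "states": sorted(f"{s.left_state}:{s.right_state}" for s in group),
                "expiring_rules": sorted(s.rule for s in dying),
                # A zero counter on one side means pf saw only one direction
                # on this entry; the replies matched the other entry.
                "one_way_rules": sorted(s.rule for s in group if 0 in s.pkts),
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric(parse_states(SAMPLE)):
        print(f)
```

Run against the sample, it reports one connection tracked by rules 25 and 203 with states ESTABLISHED:ESTABLISHED and SYN_SENT:CLOSED, where the rule 203 entry has seen packets in one direction only and expires in 3 seconds, which is the pair the post describes.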
Re: IPSEC'd states fail after upgrade to 4.5
On Sun, May 31, 2009 at 1:58 PM, (private) HKS hks.priv...@gmail.com wrote:
Re: pf, altq, packet rate
2009/5/27 irix i...@ukr.net:

Hello Misc,

since queueing only happens at output, that's going to be totally useless. it's not just a question of how altq distinguishes traffic, you're asking to totally change how altq works.

Okay, I see. But I can not understand why you are sure that traffic can only be shaped on output. You can say that it's silly to try to shape traffic that has already come in, but if it works (if only for tcp), even if worse than outgoing, is it not stupid?

Assume that you are right and the traffic can only be shaped on output. For what purpose, then, has the ability to shape incoming traffic via CDNR been included in other projects (freebsd, linux, netbsd), including the original altqd? This is not the presentation of claims or something else, I want to understand why you uperlis and do not want to see anything else.

What is uperlis?

if you have some requirement for features that altq+pf doesn't have at the moment, you have a few choices:
- use different software that already does what you want.
- pay someone to code the features.
- code the features yourself. (if you don't code, this will require learning how to do that first, obviously).

I did.

You did what?

But it pains me to see the obvious defects in my favorite system, and complete indifference on the part of developers to the obvious defects.

This is not a defect. Throttling inbound traffic is meaningless. The point of throttling traffic is to reduce load on network elements (links, routers, etc) and possibly enforce accounting policies. The traffic has already arrived at your router so it has already traversed the link and been processed by the network stack. You throttle what you can control - like the rate at which traffic from the world egresses the internal interface on your router on its way to the host you want throttled.

but, unless you want to use altq on a server (rather than a router), there isn't really a problem with the queuing happening only on output. just give the queues on both interfaces the same name, then you can assign in both directions with a single rule. stupid example ruleset. not actually tested, but I have others like it, and it should be enough to give you the general idea.

-- -- -- -- --
altq on bge0 cbq bandwidth 4000Kb queue { normal, slow, fast }
altq on vlan5 cbq bandwidth 2Kb queue { normal, slow, fast }
altq on vlan9 cbq bandwidth 1000Kb queue { normal, slow, fast }

queue normal bandwidth 40% priority 4 cbq(default borrow)
queue slow bandwidth 10% priority 1
queue fast bandwidth 50% priority 7

pass
pass in proto icmp queue (slow)
pass in proto tcp to port 22 queue (fast)
-- -- -- -- --

(I think some people just look at a couple of example configs which use different queue names on interfaces and assume that it's necessary, but it isn't).

Thanks for this example. I did not know this. But under dynamic queues, I understand, the creation of a large number of dynamic patterns. For example, create a template for the queue with an indication of the speed such as 512Kbit/s, and then create a template for the filter in which you can specify a subnet like 192.168.1.0/24, and this pattern breaks this subnet into the desired number of rules, in this case 254, and under each rule a dynamic part of the dynamic pattern of 512Kbit/s will be created for each rule.

What?

-HKS

-- Best regards, irix mailto:i...@ukr.net
Re: OpenNTPD warning
On Fri, May 22, 2009 at 10:05 AM, Jordi Espasa jordi.esp...@opengea.org wrote:

Looks like you do not think at all. The reason was told to you, and you didn't ever try to do something. You prefer to think instead of doing, don't you?

I've fixed the commented conf error already, but it seems that the FIRST warning I've commented in my INITIAL post is not related to this configuration mistake.

Can you clarify what "seems" means? Did you fix the config file problem, restart ntpd, and see this issue recur?

-HKS

Looks like you do not read at all. Check the complete thread and think some seconds about your impoliteness. And.. speaking about doing something: do you provide a public NTP server in your country? Do you provide a public OpenBSD mirror in your country? Shame on you.

-- Thanks, Jordi Espasa Clofent
Failing over all CARP interfaces
Host1 has three carp interfaces in Master state. I'd like to fail them all over to Backup at once without taking down any of the physical interfaces (that's how I'm connected to it). I have not found a way to do this. Enabling net.inet.carp.preempt only fails the whole pile over on a downed physical interface. If I jack up advskew for carp1 it goes into Backup mode but carp2 and carp3 are still Masters.

Is ifstated the accepted way to do this, or is there another avenue I'm overlooking?

OpenBSD 4.5. Dmesg isn't really relevant, so I won't clog up the tubes with it.

-HKS
Re: Failing over all CARP interfaces
On Thu, May 21, 2009 at 11:43 AM, Jason Dixon ja...@dixongroup.net wrote:

On Thu, May 21, 2009 at 10:47:57AM -0400, (private) HKS wrote:

Host1 has three carp interfaces in Master state. I'd like to fail them all over to Backup at once without taking down any of the physical interfaces (that's how I'm connected to it). I have not found a way to do this. Enabling net.inet.carp.preempt only fails the whole pile over on a downed physical interface. If I jack up advskew for carp1 it goes into Backup mode but carp2 and carp3 are still Masters. Is ifstated the accepted way to do this, or is there another avenue I'm overlooking?

Search for carpdemote in ifconfig(8).

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/

Thanks, that's what I needed.

-HKS
Re: Kylin
2009/5/18 Tomáš Bodňár tomas.bod...@gmail.com:

Come on, you think that big western companies which have support from western governments care about it? And please don't make a white knight from western civilization. Everywhere are pros and cons. What type of copyright and intellectual property you think? Like Disney which have stories based on older stories, but he has law from government on it now so original makers has nothing and Disney takes all? And when end of this copyright is near some magic happen in government and Disney (and others) has next 20 or 50 years. Sounds very respectable for copyright and intellectual property of original authors ;-) Or maybe you think something like we have. When you create your own song and sing it to people somewhere outside of your flat you must pay to OSA (something like BSA terrorists, but local). WTH is that. Sounds really like care about my copyright - I must pay for my own song ;-) Informations are here for share and we can move forward thanks to them. If some idiot have patent on double-click then what? One developer must incorporated triple-click to his product, next four-click and so on? Sounds like history - Earth is just pancake and everyone who want to find another idea must use our idea or he will be killed and who use our idea without our licence will be killed too. Really we need those times back??

For Christ's sake, get off your fucking high horse. My quip was in response to your implication that China chose a BSD license because it fit better with their intentions than GPL or similar. As if they gave a shit.

-HKS

2009/5/18 (private) HKS hks.priv...@gmail.com:

2009/5/17 Tomáš Bodňár tomas.bod...@gmail.com:

I know, that's why they choose BSD-style licenced OS ;-)

Yes, because China's respect for copyright and intellectual property is legendary.

-HKS

2009/5/17 Cem Kayali cemkay...@eticaret.com.tr:

Do you really think Chinese government make source public? Not all of course ;)

Regards,

Jesus Sanchez, 05/17/09 20:58:

Tomáš Bodňár wrote:

After quick search on web it looks like it's based on FreeBSD 5.3 (initial version) with Windows like GUI. So it doesn't looks so secure now :-) But government agencies must have reason to receive money so why don't make wave about dangerous China with their new ultra-hyper-super secure system? Of course that there can be interesting modifications. Maybe I will try it in Qemu :-)

the chinese government really feels so vulnerable against U.S.? i mean, they say it like the WWIII will begin soon and we need to defend us on the cyberspace with our super-secure OS and after all they based it on FreeBSD? I'm a OpenBSD user and I really feel that I've enough privacy, don't need a super-secret-ultra-secure OS nor to say Made In China xD

On 17 May 2009 19:28, Tomáš Bodňár tomas.bod...@gmail.com wrote:

Everyone can try it http://www.honeytechblog.com/downlod-kylin-operating-system-by-chinaqingbo-wu /

2009/5/17 Duncan Patton a Campbell campb...@neotext.ca:

I just noticed this: http://www.physorg.com/news161355225.html about a secure os that's been under development in China since around 2k and is now being deployed by the Chinese Gov. Interestingly, it is built for a hardened CPU that, I'd guess, lacks many of the advanced features of iNTel architecture cpus. Anybody have any more info on this?

Thanks,

Dhu
Re: Kylin
2009/5/17 Tomáš Bodňár tomas.bod...@gmail.com:

I know, that's why they choose BSD-style licenced OS ;-)

Yes, because China's respect for copyright and intellectual property is legendary.

-HKS

2009/5/17 Cem Kayali cemkay...@eticaret.com.tr:

Do you really think Chinese government make source public? Not all of course ;)

Regards,

Jesus Sanchez, 05/17/09 20:58:

Tomáš Bodňár wrote:

After quick search on web it looks like it's based on FreeBSD 5.3 (initial version) with Windows like GUI. So it doesn't looks so secure now :-) But government agencies must have reason to receive money so why don't make wave about dangerous China with their new ultra-hyper-super secure system? Of course that there can be interesting modifications. Maybe I will try it in Qemu :-)

the chinese government really feels so vulnerable against U.S.? i mean, they say it like the WWIII will begin soon and we need to defend us on the cyberspace with our super-secure OS and after all they based it on FreeBSD? I'm a OpenBSD user and I really feel that I've enough privacy, don't need a super-secret-ultra-secure OS nor to say Made In China xD

On 17 May 2009 19:28, Tomáš Bodňár tomas.bod...@gmail.com wrote:

Everyone can try it http://www.honeytechblog.com/downlod-kylin-operating-system-by-chinaqingbo-wu /

2009/5/17 Duncan Patton a Campbell campb...@neotext.ca:

I just noticed this: http://www.physorg.com/news161355225.html about a secure os that's been under development in China since around 2k and is now being deployed by the Chinese Gov. Interestingly, it is built for a hardened CPU that, I'd guess, lacks many of the advanced features of iNTel architecture cpus. Anybody have any more info on this?

Thanks,

Dhu
Re: Relayd
On Thu, May 14, 2009 at 2:22 PM, Derek Buttineau de...@csolve.net wrote:

I've been experimenting some with using relayd to load balance incoming smtp, pop3 and imap and it seems to work wonderfully with relays, unfortunately I cannot use redirects since I need to direct to different server pools depending on the originating source IP. The only thing preventing me from deploying this is I need the connections to be transparent. OpenBSD 4.4 introduced a transparent key word, but for the life of me I cannot get this to work. If configured as outlined in the man page, relayd fails to start complaining about an interface missing from the configuration. If an interface is specified, relayd starts but connections time out immediately:

relay maildelivery, session 4 (1 active), 0, 66.159.122.2 -> 10.10.19.4:25, connect timeout

When I trace the packets, I can see the connection being made to 10.10.19.4, and a reply issued, but the time out still happens, so I'm at a complete loss. Has anyone been able to get transparent relays configured? I'd appreciate any help anyone can provide.

On another note. One thing that would be nice to see in relayd is the ability to specify a source ip or table in the redirect definition as that would eliminate the need for a relay for this configuration.

Thanks.

-- Regards, Derek Buttineau Internet Systems Developer Compu-SOLVE Internet Services Compu-SOLVE Technologies, Inc Phone: 705-725-1212 x255 E-Mail: de...@csolve.net

Need: relayd.conf, pf.conf, dmesg.

-HKS
Re: No OS safe??
On Fri, May 8, 2009 at 11:33 AM, Bob Beck b...@openbsd.org wrote:

http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html

It's a *botnet* guys, installed by *trojan* i.e. by tricking the stupid idiot at the keyboard into doing something retarded. The OS can be the most secure thing on the planet and if the person at the keyboard is stupid you'll still get pwned. Even OpenBSD is not secure against these sort of problems, because there is nothing preventing the unwashed masses from using it stupidly. (God, I said that on m...@.. that was a waste of bytes)

Wait, so you're saying OpenBSD can't even protect me from myself? Also I left my laptop running OpenBSD on a table at Starbucks while I went to the bathroom and when I came back it was gone! So much for secure by default...

-HKS
Re: [PF] Strange Blocks
On Sun, May 3, 2009 at 10:14 AM, dug d...@xgs-france.com wrote:

Thanks for your reply.

On 2 May 09 at 10:59, ropers wrote:

2009/5/1 dug d...@xgs-france.com:

0
1 #Allow SMTP, HTTPS
2 pass quick proto tcp from any to {public-ip mail-server} port 25
3 pass quick proto tcp from any to {public-ip mail-server} port 443
4 pass quick proto tcp from {public-ip mail-server} port 25 to any
5 pass quick proto tcp from {public-ip mail-server} port 25 to any
6 pass quick proto tcp from any port 25 to {public-ip mail-server}
7 pass quick proto tcp from {public-ip mail-server} to any port 25

Line 4 and 5 are identical. Presumably you wanted to write port 443 in line 5?

Ok. It's just a mistake rewriting the rule in the mail. In my pf.conf, it's set to port 443, not port 25.

block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 14511, len 40)
block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 40161, len 52)

Not sure what's going on here; line 7 should match these.

That's my problem and what I don't understand. In a perfect world, my rule must match these packets. But currently not.

block in on em0: mail-server.25 > 81.28.185.240.1777: [|tcp] (ttl 63, id 4151, len 41)

Not sure what's going on there; line 4 (and, currently, 5) should match these.

Setting the rule "pass quick from any to any" at the beginning of my pf.conf file doesn't solve the problem. I always have block on these packets.

Logs of pftop tool:

pfTop: Up Rule 1-55/71, View: rules, Cache: 1
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Pass Any Q K 56069035 96 all flags S/SA
1 Block Any Log 44 1772 0 drop all

This is the option in the pf.conf file:

set block-policy drop
set skip on {gif0}
set loginterface $ext_if
set limit { states 10, frags 5 }
set optimization normal
set state-policy if-bound

Remove that last line and it should work. If not, send the output of pfctl -s rules.

-HKS

scrub all no-df random-id fragment reassemble

Regards.
T1 card compatible with 4.4
I'm looking for a T1 card compatible with 4.4. There were a fair number of recommendations for Sangoma's a101 a few years ago, followed by threads describing major problems and Sangoma yanking support for OpenBSD. What alternatives work decently under OpenBSD? -HKS
Re: question about net.inet.carp.preempt
On Fri, Apr 24, 2009 at 3:32 AM, Imre Oolberg i...@auul.pri.ee wrote:

Hallo!

Thanks for the reply! I am also aware that one popular use of net.inet.carp.preempt is to control how the computer system as a whole reacts to errors like one physical interface goes dead. 'man carp' says about net.inet.carp.preempt:

Allow virtual hosts to preempt each other. It is also used to failover carp interfaces as a group. When the option is enabled and one of the carp enabled physical interfaces goes down, advskew is changed to 240 on all carp interfaces. See also the first example. Disabled by default.

What I was interested in mainly this time is the so to say practical meaning of the first sentence, in case how a pair of carp interfaces in a carp group behave while .carp.preempt is not set or is set. I decided to dig a little bit deeper because sometimes I can't predict events when I add another vlan and carp interface to the running system (master for that particular carp device appears on the wrong side etc). It could be easily said to me that if you are so interested use the source but I am sorry the source is not much help for me, I am more about just a user.

Imre

Manual failover is simplified: node1 is master with advskew 0 and node2 is backup with advskew 100. Without carp.preempt, you have to take the master down or (I haven't tested this) increase its demotion counter. With carp.preempt, you can just change its advskew to 150 and watch node2 take over.

-HKS
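As an added example, not from the reply above or from OpenBSD's carp(4) code: a Python model of the behaviour the reply describes, with two constructed nodes at advskew 0 and 100, where a node's advertisement period is advbase + advskew/256 seconds and the node advertising most often is the preferred master. It shows that raising the master's advskew to 150 only moves mastership when net.inet.carp.preempt is set, while taking the master down fails over either way. The round-based delivery, the node names and treating the sysctl as a plain boolean are simplifications; tie-breaking by address and the demotion counter are left out.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Node:
    name: str
    advskew: int             # 0..254; lower is the preferred master
    state: str = "BACKUP"
    up: bool = True
    advbase: int = 1

    def period(self) -> float:
        # Seconds between advertisements, derived from advbase and advskew
        # as carp(4) describes; the node advertising most often wins.
        return self.advbase + self.advskew / 256.0


def receive(rx: Node, ad_period: float, preempt: bool) -> None:
    """State rules a node follows when it hears a master's advertisement."""
    if rx.state == "MASTER" and rx.period() > ad_period:
        rx.state = "BACKUP"   # somebody advertises faster than we do: yield
    elif rx.state == "BACKUP" and preempt and rx.period() < ad_period:
        rx.state = "MASTER"   # preempt is on and we would be faster: take over


def run(nodes: List[Node], preempt: bool, rounds: int = 5) -> Dict[str, str]:
    """Deliver advertisements for a few rounds and return the resulting states."""
    for _ in range(rounds):
        senders = [(n, n.period()) for n in nodes if n.up and n.state == "MASTER"]
        for tx, period in senders:
            for rx in nodes:
                if rx is not tx and rx.up:
                    receive(rx, period, preempt)
        # Nobody advertised: the master timed out, so the live backup with the
        # shortest period takes over (what happens when the master is downed).
        live = [n for n in nodes if n.up]
        if live and not any(n.state == "MASTER" for n in live):
            best = min(live, key=Node.period)
            best.state = "MASTER"
    return {n.name: (n.state if n.up else "DOWN") for n in nodes}


def fresh_pair() -> List[Node]:
    # Constructed hosts matching the reply: node1 master, node2 backup.
    return [Node("node1", advskew=0, state="MASTER"), Node("node2", advskew=100)]


def raise_master_skew(preempt: bool) -> Dict[str, str]:
    """`ifconfig carpN advskew 150` on node1: does node2 take over?"""
    nodes = fresh_pair()
    run(nodes, preempt)               # settle into the initial state
    nodes[0].advskew = 150
    return run(nodes, preempt)


def down_master(preempt: bool) -> Dict[str, str]:
    """`ifconfig carpN down` on node1: node2 must take over regardless."""
    nodes = fresh_pair()
    run(nodes, preempt)
    nodes[0].up = False
    return run(nodes, preempt)


if __name__ == "__main__":
    for preempt in (False, True):
        print(f"preempt={preempt}: advskew 150 on master ->",
              raise_master_skew(preempt))
        print(f"preempt={preempt}: master down        ->", down_master(preempt))
```

With preempt off, node2 keeps hearing a master and never starts advertising, however bad node1's skew becomes; with preempt on, node2 treats the slower master as down, starts advertising, and node1 steps back on hearing the faster advertisement.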
Re: pf.conf on bridge, rdr for spamd passing for two white tables?
On Sun, Apr 19, 2009 at 12:25 PM, ppruett-lists ppru...@webengr.com wrote:

OKAY, transparent firewall, bridge, computer between world and rack of computers. That openbsd computer has two network cards and also has spamd with grey setup. I want to not only redirect smtp traffic not white for IP on bridge, but redirect smtp traffic not white that is going through it.

Have two white tables in pf.conf:

table <mailself> {192.168.1.251}
table <mywhitelist> persist file "/etc/mywhitelist"
table <spamd-white> persist

I was using this, but it was only for self:

rdr pass inet proto tcp from <mywhitelist> to <mailself> port smtp -> 127.0.0.1 port smtp
rdr pass inet proto tcp from !<spamd-white> to <mailself> port smtp -> 127.0.0.1 port spamd

Tried THIS - but did not work:

rdr pass inet proto tcp from { !<spamd-white>, !<mywhitelist> } to any port smtp -> 127.0.0.1 port spamd

See http://www.openbsd.org/faq/pf/macros.html

Do I have to put mywhitelist into /var/db/spamdb say with a script using spamdb? then...

rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port spamd

probably the better way to do it... Just unsure about !

No.

no rdr proto tcp from { <spamd-white>, <mywhitelist> } to any port 25
rdr proto tcp to any port 25 -> 127.0.0.1 port 8025

-HKS
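Why the `{ !<spamd-white>, !<mywhitelist> }` form cannot work and the `no rdr` form does, as an added example that is not part of the post: pf expands a braced list into one rule per element, and translation rules are first-match, so each of the two negated rules matches exactly the hosts the other one was meant to exclude. The Python below (constructed table members; port and interface matching omitted since every rule here is for port 25) evaluates both rulesets against a host from each table and an unlisted host.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed table contents; the table names are the ones in the post.
TABLES: Dict[str, Set[str]] = {
    "spamd-white": {"203.0.113.10"},   # host that already passed greylisting
    "mywhitelist": {"198.51.100.7"},   # manually trusted host
}

SPAMD = "127.0.0.1:8025"   # `-> 127.0.0.1 port spamd`; 8025 is spamd's port


@dataclass
class Rdr:
    src: str                 # 'any', '<table>' or '!<table>'
    target: Optional[str]    # None models `no rdr` (match, but do not translate)


def src_matches(spec: str, ip: str) -> bool:
    """Evaluate one pf source specification against a client address."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    table = spec.lstrip("!").strip("<>")
    hit = ip in TABLES[table]
    return (not hit) if negated else hit


def expand(srcs: List[str], target: Optional[str]) -> List[Rdr]:
    """pf.conf list expansion: `from { a, b }` becomes one rule per element."""
    return [Rdr(s, target) for s in srcs]


def translate(rules: List[Rdr], client_ip: str) -> Optional[str]:
    """Translation rules are first-match: the first rdr whose source matches
    decides. Returns the redirect target, or None when the connection is left
    alone (a `no rdr` hit, or no matching rule at all)."""
    for rule in rules:
        if src_matches(rule.src, client_ip):
            return rule.target
    return None


def decisions(rules: List[Rdr], clients: List[str]) -> Dict[str, Optional[str]]:
    return {ip: translate(rules, ip) for ip in clients}


# Ruleset A, what the poster tried:
#   rdr pass inet proto tcp from { !<spamd-white>, !<mywhitelist> } \
#       to any port smtp -> 127.0.0.1 port spamd
RULESET_A = expand(["!<spamd-white>", "!<mywhitelist>"], SPAMD)

# Ruleset B, the reply's suggestion:
#   no rdr proto tcp from { <spamd-white>, <mywhitelist> } to any port 25
#   rdr proto tcp to any port 25 -> 127.0.0.1 port 8025
RULESET_B = expand(["<spamd-white>", "<mywhitelist>"], None) + [Rdr("any", SPAMD)]

CLIENTS = ["203.0.113.10", "198.51.100.7", "192.0.2.1"]   # white, white, unknown

if __name__ == "__main__":
    for name, rules in (("A", RULESET_A), ("B", RULESET_B)):
        for ip, target in decisions(rules, CLIENTS).items():
            print(f"ruleset {name}: {ip:14} -> {target or 'delivered directly'}")
```

Ruleset A sends all three clients to spamd: the host in spamd-white fails the first expanded rule but matches `!<mywhitelist>`, and vice versa. Ruleset B leaves both listed hosts alone and redirects only the unknown one.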
Re: VLANs, bridge interface and PF
On Mon, Apr 6, 2009 at 2:27 PM, Chris Jones cjo...@gdisoftware.com wrote:

Good morning folks,

I am a little bit stumped with my firewall config and need some assistance. I have a Soekris net4501 with two interfaces connected. The sis1 interface is connected to my macbook and the sis2 interface (vlan trunk) is connected to my switch (see diagram below). I have a bridge interface (bridge0) with vlan100, sis1 and ral0 as members. I assume this is the best way to have multiple physical interfaces in a vlan.

[ASCII network diagram: macbook (sis0) connected to fw sis1; fw sis2 is an 802.1q trunk to the switch, carrying vlan99 (inet) and vlan100 (server); ral0 is the third bridge member]

With no rules loaded in PF everything works just fine. From my Macbook I am able to NAT outside the network and also access everything on vlan100. When I load the rules into PF I am unable to access the management IP on the switch or my server, both of which are in vlan100. It's obviously an issue with pf and the bridge interface, I just can't seem to figure it out (see config below). I appreciate any advice on this.

Cheers,
-Chris

hostname.sis1
up

hostname.sis2
up

hostname.vlan99
dhcp NONE NONE NONE vlan 99 vlandev sis2

hostname.vlan100
inet 192.168.1.1 255.255.255.0 NONE vlan 100 vlandev sis2

bridgename.bridge0
add vlan100
add sis1
add ral0
up

pf.conf
#
# Macros
ext_if=vlan99
int_if=vlan100
int_bridge=bridge0
int_net=192.168.1.0/24
icmp_types=echoreq
#
# Options
set block-policy return
set loginterface $ext_if
set skip on lo
#
# Traffic Normalization
scrub in
#
# NAT Rules: rdr, nat, binat
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2121 \
    -> 192.168.1.200 port 21
rdr on $ext_if inet proto tcp from any to ($ext_if) port \
    -> 192.168.1.200 port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    -> 192.168.1.200 port 80
#
# Filter Rules
block in
pass out
anchor "ftp-proxy/*"
antispoof quick for lo0
pass in log on $ext_if proto udp from any to ($ext_if:0) \
    port {500, 4500}
pass out log on $ext_if proto udp from ($ext_if:0) to any \
    port {500, 4500}
pass in log on $ext_if proto esp from any to ($ext_if:0)
pass out log on $ext_if proto esp from ($ext_if:0) to any
pass in log on enc0 proto ipencap from any to ($ext_if:0) \
    keep state (if-bound)
pass out log on enc0 proto ipencap from ($ext_if:0) to any \
    keep state (if-bound)
pass in on enc0 from 10.1.0.2/32 to any keep state (if-bound)
pass out on enc0 from 192.168.1.0/24 to any keep state (if-bound)
pass in inet proto icmp all icmp-type $icmp_types
pass in log on $ext_if proto udp from any to port 1194
pass in log on $ext_if proto tcp to ($ext_if) port ssh
pass in log on $ext_if proto tcp from any to 192.168.1.200 \
    port 21
pass in log on $ext_if proto tcp from any to 192.168.1.200 \
    port 22
pass in log on $ext_if proto tcp from any to 192.168.1.200 \
    port 80
pass in log on $ext_if proto tcp to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp
pass quick on $int_if

I don't know bridge interfaces, but for shits and giggles try adding:

pass quick on $int_bridge

-HKS
Re: Using 2 internet connections on OpenBSD Gateway
On Thu, Apr 2, 2009 at 4:52 AM, LeiV ventas_en_e...@terra.es wrote:

Hi, I have a openbsd firewall/gateway and behind a webserver, users arrive to my webserver via 1 domain name, I have a cable connection 12Mbps down/500Kbps up... the down speed is OK, I dont have so many incoming requests... but the up speed is saturated easily with those requests as my pages have images, etc... I would like to add another internet connection to my openbsd box so I can increase my upstream bandwidth... is it possible? all my incoming requests will come with the same internet connection as I only have 1 domain name... can I send back the requested pages with both connections to use both upstream bandwidth? If so, how can I do it? any howto?

Thanks

-- View this message in context: http://n2.nabble.com/Using-2-internet-connections-on-OpenBSD-Gateway-tp2574075p2574075.html
Sent from the OpenBSD Misc mailing list archive at Nabble.com.

In a nutshell, no you can't.

Unless your ISP can bond a pair of connections to a single IP, or load balance incoming traffic over two IPs. Or if you want to do round-robin DNS load balancing (bad idea) so some incoming requests hit one IP, some hit the other. Or if you get your own AS and talk BGP with your providers. But you can't take requests in to one IP and send the reply out from another (think about state). A good ISP won't let you send traffic over their network from an IP they didn't assign you, so you can't spoof the from-address of the reply. So unless you're willing to do some heavy lifting on network configuration, no.

Instead of mucking about with this, you're better off buying a decent VPS or dedicated server somewhere with a real network connection.

-HKS
Re: Tape drive not detected on LSI 20320
On Thu, Mar 26, 2009 at 11:29 AM, (private) HKS hks.priv...@gmail.com wrote:

OpenBSD 4.4 on a Dell Poweredge 2950. SCSI card is an LSI 20320, tape drive is Dell Powervault 124T (aka IBM Ultrium-TD3). The tape drive shows up in the card's BIOS, but dmesg sees it as a SCSI device with no drivers:

# dmesg | grep mpi0
mpi0 at pci6 dev 8 function 0 Symbios Logic 53c1030 rev 0xc1: irq 6
scsibus0 at mpi0: 16 targets, initiator 7
mpi0: target 0 Sync at 40MHz width 8bit offset 127 QAS 0 DT 0 IU 0

# dmesg | grep scsibus0
scsibus0 at mpi0: 16 targets, initiator 7
uk0 at scsibus0 targ 0 lun 0: UTIMT3, 8P, SCSI3 1/sequential fixed

This same drive worked on a Dell 2850 with an Adaptec 39160, but I have to move to the 2950 and it only has PCI-e slots. Using an example I don't fully understand from man 8 scsi, I can query the name of the device:

# scsi -f /dev/uk0 -c "12 0 0 0 64 0" -i 0x64 "s8 z8 z16 z4"
IBM ULTRIUM-TD3 85P8

Any idea why this is failing with one card and not the other?

-HKS

Appears to be some nuance with the LSI board. I bought an Adaptec 29320LPE and it works perfectly.

-HKS

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR
real mem = 2142142464 (2042MB)
avail mem = 2062938112 (1967MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/12/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.5 @ 0x7fb9c000 (67 entries)
bios0: vendor Dell Inc. version 2.5.0 date 09/12/2008
bios0: Dell Inc. PowerEdge 2950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX2)
acpiprt2 at acpi0: bus 5 (UPST)
acpiprt3 at acpi0: bus 6 (DWN1)
acpiprt4 at acpi0: bus 8 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 0 (PE2P)
acpiprt7 at acpi0: bus 11 (PEX4)
acpiprt8 at acpi0: bus 13 (PEX6)
acpiprt9 at acpi0: bus 2 (SBEX)
acpiprt10 at acpi0: bus 15 (COMP)
acpicpu0 at acpi0: C3
bios0: ROM list: 0xc/0x9000! 0xc9000/0x1000 0xca000/0x800 0xca800/0x1e00 0xcc800/0x5e00 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 5000X Host rev 0x12
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0x12
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 5
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 6
ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci4 at ppb3 bus 7
bnx0 at pci4 dev 0 function 0 Broadcom BCM5708 rev 0x12: irq 5
ppb4 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01: irq 5
pci5 at ppb4 bus 8
ppb5 at pci5 dev 0 function 0 PLX PEX 8114 rev 0xbc
pci6 at ppb5 bus 9
mpi0 at pci6 dev 8 function 0 Symbios Logic 53c1030 rev 0xc1: irq 6
scsibus0 at mpi0: 16 targets, initiator 7
uk0 at scsibus0 targ 0 lun 0: UTIMT3, 8P, SCSI3 1/sequential fixed
mpi0: target 0 Sync at 40MHz width 8bit offset 127 QAS 0 DT 0 IU 0
ppb6 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci7 at ppb6 bus 10
ppb7 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0x12
pci8 at ppb7 bus 1
mfi0 at pci8 dev 0 function 0 Symbios Logic SAS1078 rev 0x04: irq 5, Dell PERC 6/i integrated
mfi0: logical drives 1, version 6.0.2-0002, 256MB RAM
scsibus1 at mfi0: 1 targets, initiator 64
sd0 at scsibus1 targ 0 lun 0: DELL, PERC 6/i, 1.11 SCSI3 0/direct fixed
sd0: 2859520MB, 44942 cyl, 511 head, 255 sec, 512 bytes/sec, 5856296960 sec total
ppb8 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0x12
pci9 at ppb8 bus 11
ppb9 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0x12
pci10 at ppb9 bus 12
ppb10 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0x12
pci11 at ppb10 bus 13
ppb11 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0x12
pci12 at ppb11 bus 14
pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0x12
pchb2 at pci0 dev 16 function 1 Intel 5000 Error Reporting rev 0x12
pchb3 at pci0 dev 16 function 2 Intel 5000 Error Reporting rev 0x12
pchb4 at pci0 dev 17 function 0 Intel 5000 Reserved rev 0x12
pchb5 at pci0 dev 19 function 0 Intel 5000 Reserved rev 0x12
pchb6 at pci0 dev 21 function 0 Intel 5000 FBD rev 0x12
pchb7 at pci0 dev 22 function 0 Intel 5000 FBD rev 0x12
ppb12 at pci0 dev 28 function 0 Intel 6321ESB PCIE rev 0x09
pci13 at ppb12 bus 2
ppb13 at pci13 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci14 at ppb13 bus 3
bnx1 at pci14 dev 0 function 0 Broadcom BCM5708 rev 0x12: irq 5
uhci0 at pci0 dev 29
Re: OpenBSD mta with postfix
On Fri, Mar 27, 2009 at 3:46 PM, John Brooks j...@day-light.com wrote:

I've just received this response from a large corporate email system regarding their claim that emails sent to them are not getting through even though our logs contain acknowledgements of accepting the mail sent.

In our mail logs: ... status=sent (250 Message accepted for delivery)

Their response: ... my understanding of the firmname removed security policy is not to acknowledge mistakes in email addresses as a best practice defense against phishing and other types of email delivered attacks.

Anybody run into this kind of logic before?

-- John Brooks j...@day-light.com

Idiocy. If a spammer/phisher even bothers looking at the return code, he'll only be looking for 5xx to remove broken accounts from his list. The use of botnets for spamming makes the cost of a few thousand false entries in this list negligible. The presence of bad addresses does not eliminate the presence of correct addresses. Why sacrifice usability for no additional security?

-HKS
Tape drive not detected on LSI 20320
OpenBSD 4.4 on a Dell Poweredge 2950. SCSI card is an LSI 20320, tape drive is Dell Powervault 124T (aka IBM Ultrium-TD3). The tape drive shows up in the card's BIOS, but dmesg sees it as a SCSI device with no drivers:

# dmesg | grep mpi0
mpi0 at pci6 dev 8 function 0 Symbios Logic 53c1030 rev 0xc1: irq 6
scsibus0 at mpi0: 16 targets, initiator 7
mpi0: target 0 Sync at 40MHz width 8bit offset 127 QAS 0 DT 0 IU 0

# dmesg | grep scsibus0
scsibus0 at mpi0: 16 targets, initiator 7
uk0 at scsibus0 targ 0 lun 0: UTIMT3, 8P, SCSI3 1/sequential fixed

This same drive worked on a Dell 2850 with an Adaptec 39160, but I have to move to the 2950 and it only has PCI-e slots. Using an example I don't fully understand from man 8 scsi, I can query the name of the device:

# scsi -f /dev/uk0 -c 12 0 0 0 64 0 -i 0x64 s8 z8 z16 z4
IBM ULTRIUM-TD3 85P8

Any idea why this is failing with one card and not the other?

-HKS

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz (GenuineIntel 686-class) 2 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR real mem = 2142142464 (2042MB) avail mem = 2062938112 (1967MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 09/12/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.5 @ 0x7fb9c000 (67 entries) bios0: vendor Dell Inc. version 2.5.0 date 09/12/2008 bios0: Dell Inc. 
PowerEdge 2950 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA acpi0: wakeup devices PCI0(S5) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 4 (PEX2) acpiprt2 at acpi0: bus 5 (UPST) acpiprt3 at acpi0: bus 6 (DWN1) acpiprt4 at acpi0: bus 8 (DWN2) acpiprt5 at acpi0: bus 1 (PEX3) acpiprt6 at acpi0: bus 0 (PE2P) acpiprt7 at acpi0: bus 11 (PEX4) acpiprt8 at acpi0: bus 13 (PEX6) acpiprt9 at acpi0: bus 2 (SBEX) acpiprt10 at acpi0: bus 15 (COMP) acpicpu0 at acpi0: C3 bios0: ROM list: 0xc/0x9000! 0xc9000/0x1000 0xca000/0x800 0xca800/0x1e00 0xcc800/0x5e00 0xec000/0x4000! ipmi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 5000X Host rev 0x12 ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0x12 pci1 at ppb0 bus 4 ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01 pci2 at ppb1 bus 5 ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01 pci3 at ppb2 bus 6 ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3 pci4 at ppb3 bus 7 bnx0 at pci4 dev 0 function 0 Broadcom BCM5708 rev 0x12: irq 5 ppb4 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01: irq 5 pci5 at ppb4 bus 8 ppb5 at pci5 dev 0 function 0 PLX PEX 8114 rev 0xbc pci6 at ppb5 bus 9 mpi0 at pci6 dev 8 function 0 Symbios Logic 53c1030 rev 0xc1: irq 6 scsibus0 at mpi0: 16 targets, initiator 7 uk0 at scsibus0 targ 0 lun 0: UTIMT3, 8P, SCSI3 1/sequential fixed mpi0: target 0 Sync at 40MHz width 8bit offset 127 QAS 0 DT 0 IU 0 ppb6 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01 pci7 at ppb6 bus 10 ppb7 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0x12 pci8 at ppb7 bus 1 mfi0 at pci8 dev 0 function 0 Symbios Logic SAS1078 rev 0x04: irq 5, Dell PERC 6/i integrated mfi0: logical drives 1, version 6.0.2-0002, 256MB RAM scsibus1 at mfi0: 1 targets, initiator 64 sd0 at scsibus1 
targ 0 lun 0: DELL, PERC 6/i, 1.11 SCSI3 0/direct fixed sd0: 2859520MB, 44942 cyl, 511 head, 255 sec, 512 bytes/sec, 5856296960 sec total ppb8 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0x12 pci9 at ppb8 bus 11 ppb9 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0x12 pci10 at ppb9 bus 12 ppb10 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0x12 pci11 at ppb10 bus 13 ppb11 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0x12 pci12 at ppb11 bus 14 pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0x12 pchb2 at pci0 dev 16 function 1 Intel 5000 Error Reporting rev 0x12 pchb3 at pci0 dev 16 function 2 Intel 5000 Error Reporting rev 0x12 pchb4 at pci0 dev 17 function 0 Intel 5000 Reserved rev 0x12 pchb5 at pci0 dev 19 function 0 Intel 5000 Reserved rev 0x12 pchb6 at pci0 dev 21 function 0 Intel 5000 FBD rev 0x12 pchb7 at pci0 dev 22 function 0 Intel 5000 FBD rev 0x12 ppb12 at pci0 dev 28 function 0 Intel 6321ESB PCIE rev 0x09 pci13 at ppb12 bus 2 ppb13 at pci13 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3 pci14 at ppb13 bus 3 bnx1 at pci14 dev 0 function 0 Broadcom BCM5708 rev 0x12: irq 5 uhci0 at pci0 dev 29 function 0 Intel 6321ESB USB rev 0x09: irq 11 uhci1 at pci0 dev 29 function 1 Intel 6321ESB USB rev 0x09: irq 10 uhci2 at pci0 dev 29 function 2 Intel 6321ESB USB rev 0x09: irq 11 uhci3 at pci0 dev 29 function 3 Intel 6321ESB USB rev 0x09: irq 10 ehci0 at pci0 dev 29 function 7 Intel 6321ESB
Re: Quick question about an PF user's guide example
On Tue, Mar 10, 2009 at 9:16 PM, Leonardo Rodrigues leonardov...@gmail.com wrote:

Hi everyone, I'm trying to build a PF / ALTQ ruleset that handles traffic between 3 internal interfaces and 1 external, so that the internal interfaces can have different priorities on the available bandwidth they can get from the external interface. I don't know if that's possible with only ALTQ rules, or if I'll have to use tagging, so I'm trying to understand some simple setups before. While reading the example #2 on the PF user's guide (http://www.openbsd.org/faq/pf/queueing.html#example2), I came across the following ruleset:

boss = 192.168.0.200
...
altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
...
queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)
...
# filter rules for fxp0 outbound
pass out on fxp0 from $boss to any keep state queue boss_ext

Where fxp0 is the external interface (internet). My question is about that last rule above. Assuming that NAT is working so that the boss is able to surf the web, and since NAT translations happen before the filtering rules, then the rule above shouldn't work... right? The fxp0 interface would be able to filter only on already translated addresses (its own address), and not on untranslated addresses, like 192.168.200, which is the boss IP, on a different subnet. Would a rule like that work?

No. Without looking at the actual example, I can say that your understanding of NAT/filter interaction is correct and this will not work.

If that setup works, I might be able to implement my original idea, by doing something like:

pass out on fxp0 from 192.168.0.5 to any keep state queue traffic1_ext
pass out on fxp0 from 192.168.2.5 to any keep state queue traffic2_ext
pass out on fxp0 from 192.168.5.5 to any keep state queue traffic3_ext

Thanks for any ideas =)

Leonardo Rodrigues

Bear in mind that while a queue is applied to the egress interface, the classification of that traffic may take place on another interface. So you could do something more like this:

pass from 192.168.0.5 to ! <mynet> keep state queue traffic1_ext

Or use tagging to avoid maintaining a table of your own networks.

-HKS
Re: System security question
On Sat, Feb 28, 2009 at 12:40 PM, Jean-Francois jfsimon1...@gmail.com wrote:

Hi,

And I totally agree with you, Mixing firewall services with services like Web or file/print services is a recipe for disaster.

True since hacking the web server is entering the firewall itself. But the web server, httpd, is chrooted ... so why would there be a problem here ?

Because security is never absolute. It is a matter of probabilities, measuring cost against risk, reducing possible attack vectors, and minimizing the effects of a successful attack. In practice, it means following redundant best practice with the assumption that there is a flaw in the system somewhere, so you're going to put as many layers of obstacles as possible between yourself and your attacker.

A very simple example is host-based firewalls and network-based firewalls. You use both so that your attacker has that much more protection to wade through before actually getting to your important stuff. Maybe they'll get frustrated and move on. If nothing else, you'll have that much more time to notice the attack in progress.

You could probably run your web and file server on your firewall and never have a security breach. Probably, because if you're running all that on the same machine, it's clear you're not a high profile target. The most you'll probably see is SSH brute force attacks and some clumsy attempts at SQL injection. But probably is cold comfort if someone exploits a flaw in your web app, gains a local shell (chrooted though it may be), and then leaps to one of your local machines. Or discovers a flaw in the chrooting system. Or finds an exploitable app available in the chroot. Or DoSes your firewall. Or just installs a little app there that adds your firewall/file/web server to their botnet. Or manages to force your internal interface into promiscuous mode. Or... Get the idea?

Ultimately, it's up to you. Your firewall is there as a first line of defense against malicious attacks. Opening additional attack vectors on this machine is a bad idea. Locating your most likely point of failure (your web app) on a machine with unrestricted access to your internal data is a bad idea. But if your data is worth less to you than a second old PC and a couple hours to set up 4.4 and PF, then by all means, run everything on the same box.

-HKS
Re: NAT, Firewall pf
On Mon, Feb 23, 2009 at 11:47 PM, johan beisser j...@caustic.org wrote:

Comments inline.

On Feb 23, 2009, at 5:58 PM, Hilco Wijbenga wrote:

Hi all, I've been trying to get a simple firewall system up-and-running in OpenBSD. I have The Book of PF and Secure Architectures with OpenBSD so I thought it would be very simple. Well, we're two weeks later now and still no firewall. :-) The pf rules I found in those books don't seem to work as I expected them to work.

The PF FAQ and the man page for pf.conf(5) should cover everything you need. The books are a nice addition, though.

Before I list my current pf.conf, let me give a few more details. My firewall will be running a few services for my network (DHCP, NTP, and DNS). I need to use NAT to get my own network Internet access. DHCP works. I seem to have managed to get DNS (maradns on lo0 and sk1) and ICMP working.

So, you need to set net.inet.ip.forward to 1 to ensure packets go out.

/etc/pf.conf

01 ext_if = sk0
02 int_if = sk1
03 localnet = $int_if:network
04 internet = $ext_if:network
05 udp_services = { domain, ntp }
06 icmp_types = { echoreq, unreach }
07
08 nat log on $ext_if from $localnet to any -> ($ext_if)
09
10 block log all
11
12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
15
16 pass inet proto icmp all icmp-type $icmp_types
17 pass from { lo0, $localnet } to any keep state

First, no traffic will go out with these rules as is. Unless states and flows match perfectly, it won't happen.

Wrong.

a. Why do I need 12? I had expected 13 (which I don't seem to need). Wouldn't 12 be for incoming requests from the Internet?

I'm not sure what you're trying to do with 12 or 13. The ports (domain and ntp) will be the only traffic permitted to enter any interface on the firewall.

Wrong. ICMP echoreq and unreachable are passed (16), as is all traffic of any kind from the localnet (17).

b. Given that ping works from my network (so that presumably routing is okay), why doesn't anything else work? HTTP seems blocked by the firewall.

Don't presume. Think. You're passing ICMP types inward (req, unreach). That's it. I suspect you're not passing that traffic outbound otherwise.

Wrong. ICMP types are passed any direction. Traffic from localnet is unrestricted.

c. How can I get pflog to flush immediately? I noticed I have to wait a minute or so before logged lines show up.

What syntax are you using to monitor it?

d. Any other pointers?

Start over. I make no claims this works or will work for you. It's a simple rewrite of what you claimed to want (NAT for outbound traffic, for example).

ext_if=sk0
int_if=sk1
udp_services={ domain, ntp }

set skip on lo
set block-policy return
scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)

block log

pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port $udp_services
pass in quick on $int_if from $int_if:network to any

Go with Jason Dixon's ruleset unless you need to expose DNS and NTP on your gateway to the world.

-HKS
Re: NAT, Firewall pf
On Mon, Feb 23, 2009 at 8:58 PM, Hilco Wijbenga hilco.wijbe...@gmail.com wrote:

Hi all, I've been trying to get a simple firewall system up-and-running in OpenBSD. I have The Book of PF and Secure Architectures with OpenBSD so I thought it would be very simple. Well, we're two weeks later now and still no firewall. :-) The pf rules I found in those books don't seem to work as I expected them to work.

Before I list my current pf.conf, let me give a few more details. My firewall will be running a few services for my network (DHCP, NTP, and DNS). I need to use NAT to get my own network Internet access. DHCP works. I seem to have managed to get DNS (maradns on lo0 and sk1) and ICMP working.

/etc/pf.conf

01 ext_if = sk0
02 int_if = sk1
03 localnet = $int_if:network
04 internet = $ext_if:network
05 udp_services = { domain, ntp }
06 icmp_types = { echoreq, unreach }
07
08 nat log on $ext_if from $localnet to any -> ($ext_if)
09
10 block log all
11
12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
15
16 pass inet proto icmp all icmp-type $icmp_types
17 pass from { lo0, $localnet } to any keep state

a. Why do I need 12? I had expected 13 (which I don't seem to need). Wouldn't 12 be for incoming requests from the Internet?

You need 12 because of 8. When you pass a DNS request out from your localnet, 13 passes it in on int_if, but then it's natted BEFORE traversing the egress PF rules. Jason Dixon's suggested rules bypass this by not blocking outbound traffic to begin with.

b. Given that ping works from my network (so that presumably routing is okay), why doesn't anything else work? HTTP seems blocked by the firewall.

Same NAT/PF issue as above. Your ICMP rule ignores source/destination addresses, so it's not affected.

c. How can I get pflog to flush immediately? I noticed I have to wait a minute or so before logged lines show up.

I think it's already been suggested, but if you want a live view, tcpdump -i pflog0 rather than tailing pflog.

d. Any other pointers?

Use Jason's suggested ruleset. Simpler is better.

Cheers, Hilco

-HKS
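As an added example (not part of any message in these threads, and not the ruleset Jason or HKS posted), the pf.conf fragment below puts together the two points made about pf on OpenBSD 4.4: translation is applied before the "pass out on $ext_if" rules are evaluated, so those rules never see an internal address, and HKS's suggestion in the queueing thread to classify on the internal interface with tags so the egress rules need no table of internal networks. The interface names sk0/sk1, the 192.168.0.200 host and the queue sizes are assumed for illustration.

```pf
# Added example, not from the thread. Assumed: sk0 external, sk1 internal,
# 192.168.0.200 is a host whose traffic should get its own queue.
ext_if = sk0
int_if = sk1
boss   = 192.168.0.200

# Queues live on the egress (external) interface.
altq on $ext_if cbq bandwidth 1.5Mb queue { std_ext, boss_ext }
queue std_ext  bandwidth 1Mb   cbq(default)
queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)

set skip on lo
scrub in

# Translation happens before the "pass out on $ext_if" rules below are
# evaluated, so those rules only ever see ($ext_if) as the source address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block log

# On the internal interface the pre-NAT source is still visible: tag here.
# A later matching rule replaces the tag, so the more specific $boss rule
# follows the general one.
pass in on $int_if from $int_if:network to any tag LAN
pass in on $int_if from $boss            to any tag BOSS

# Traffic the firewall originates itself carries no tag and is not queued
# specially; tagged packets also match this rule but the tagged rules
# below match last and win.
pass out on $ext_if from ($ext_if) to any

# On the external interface match the tag, not the translated address,
# and assign the queue there.
pass out on $ext_if tagged LAN  queue std_ext
pass out on $ext_if tagged BOSS queue boss_ext
```

pfctl -nf /etc/pf.conf parses the file without loading it; once loaded, pfctl -vsq shows per-queue packet counters, which is the quickest way to confirm that the tagged traffic lands in boss_ext rather than in the default queue.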
Re: routing problem
On Fri, Feb 20, 2009 at 6:34 AM, Federico deepb...@fastwebnet.it wrote:

Hello all, I have trouble with something routing-related that I can't figure out. I have this configuration:

        INTERNET
           |
         bnx1
       FIREWALL
         bnx0
           |
    DMZ (10.0.0.0/28)
           |
         bnx1
         PROXY
         bnx0
           |
    LAN (192.168.80.0/24)

FIREWALL and PROXY are both OpenBSD machines. The bnx1 of the firewall is configured on a public subnet. A couple of machines in the DMZ are natted with public ip configured on the bnx1 of the firewall. For a particular reason, I have to route traffic from LAN to DMZ using the public ip. I can't use a DNS based solution (like views). So, when I try to connect to a DMZ machine by using its public (natted) ip, traffic is blocked at bnx0 of the firewall. With tcpdump I can see that bnx0 answers with a RST packet to the connection request coming from lan (and masked by PROXY). The only trick I found to make it work, is using redirect on PROXY, something like that:

rdr on bnx1 from bnx0:network to $MyPublicIp -> 10.0.0.2

This is the basic ruleset I'm using on FIREWALL:

set skip on lo
scrub in
rdr pass on bnx1 proto tcp from any to $MyPublicIP port 80 -> 10.0.0.2
block in log
pass out
pass in on bnx1 proto tcp from any to 10.0.0.2 port 80 flags S/SA synproxy state

I didn't touch routes. Is there another way than using a set of rdr rules? Did I miss some man page?

$MyPublicIP doesn't actually belong to your DMZ machine, so FIREWALL's route to that address (if it has one) is not what you're expecting. Your rdr on PROXY solves the problem. Use it or remove the need for it.

-HKS
Re: A virus road map for GNOME and KDE?
On Fri, Feb 20, 2009 at 9:12 AM, Lars Noodin larsnoo...@openoffice.org wrote:

Navan Carson wrote: ... The best way to accomplish what you seem to want, is to deny the message during the SMTP dialog. That way you don't create another tool for the Spammers.

Of course that's best, but it also presumes a competent mail administrator. Rare as hen's teeth these days, compared to the number of mail servers or things that call themselves mail servers out there.

Unless the autoresponder is misconfigured to make an infinite loop, it's not going to be a tool for spammers. Without it, the spam would be coming to your mailbox. With it, at worst, if the originating address is spoofed, then the autoresponder will be doing a favor to the real owner of the address by pointing out the problem so it can be addressed and solved. You might even add some explanation in the message about "if you did not send this message, then ..."

Regards -Lars

...then? Spoofing is one of those things that can't really be fixed. Assuming your MTA is one of the few that actually enforces SPF, they could configure that and no longer get your autoreplies. That's it. And with the vast majority of other MTAs not supporting SPF, they're going to be getting plenty of back-scatter spam anyway. And since the implication is that you use this solution if your mail administrator is incompetent, it's doubtful they're enforcing SPF.

Competent mail administrators these days do not fire off autoresponses to spammers. They assume that the From: address is bullshit. They assume that much of the time it will have broken MX records, which means you run the risk of clogging your system with deferred autoresponses to messages you didn't want in the first place. Block spam at the dialog level if possible. If it gets through, either dump it to /dev/null or report it to Spamcop and then dump it to /dev/null.

-HKS
Re: bwi0
On Thu, Feb 19, 2009 at 10:42 AM, Michael bsd...@cableone.net wrote:

I am trying (again) to get wireless working with OpenBSD 4.4. Following are /etc files and dmesg. With debug entered into my /etc/hostname.bwi0, I get sending probe_req ff:ff:ff:ff:ff:ff and then bwi0: no networksleeping

Router is linksys wrt54g2 and card on laptop is broadcom 4318 11g. Router is set up for wpa wpa2. I can't get any type of connection at all. Hope the info helps. I've tried every item in /etc/hostname.bwi0, plus not using that file and just trying via ifconfig (as root) to set up connection with no luck.

Here are the files:

# ifconfig bwi0
bwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:16:ce:49:a8:e1
        groups: wlan
        media: IEEE802.11 autoselect mode 11g (DS1 mode 11g)
        status: no network
        ieee80211: nwid chan 6 wpapsk 0xmynwkey wpaprotos wpa1,wpa2 wpaakms psk,802.1x wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::216:ceff:fe49:a8e1%bwi0 prefixlen 64 scopeid 0x2

/etc/hostname.bwi0
dhcp
#dhcp NONE NONE NONE nwid mode 11g chan 6
#dhcp nwid nwkey 0xmynwkey
#dhcp nwid wpa wpapsk 0xmynwkey chan 6 up
#dhcp NONE NONE NONE chan 6 wpa wpapsk $(wpa-psk x) media autoselect mode 11g up debug
#dhcp up chan 6 nwid wpa wpapsk $(wpa-psk ) debug

/etc/mygate
192.168.1.1 ( I just tried with this set 3 or 4 times)

dmesg
OpenBSD 4.4-stable (GENERIC) #1: Mon Jan 19 16:25:07 MST 2009 r...@box.my.domain:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Mobile AMD Sempron(tm) Processor 3100+ (AuthenticAMD 686-class, 256KB L2 cache) 1.81 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3 cpu0: AMD erratum 89 present, BIOS upgrade may be required real mem = 468217856 (446MB) avail mem = 444178432 (423MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 02/20/06, BIOS32 rev. 0 @ 0xfd5f0, SMBIOS rev. 2.31 @ 0x1befb000 (24 entries) bios0: vendor Acer version 3A32 date 02/20/06 bios0: Acer, inc. 
Aspire 3000 acpi at bios0 function 0x0 not configured pcibios0 at bios0: rev 2.1 @ 0xfd5f0/0xa10 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdd30/160 (8 entries) pcibios0: PCI Interrupt Router at 000:02:0 (SiS 85C503 System rev 0x00) pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc/0xc000 0xdc000/0x8000! cpu0 at mainbus0 cpu0: PowerNow! K8 1801 MHz: speeds: 1800 1600 800 MHz pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 SiS 760 PCI rev 0x03 ppb0 at pci0 dev 1 function 0 SiS 86C202 VGA rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 SiS 6330 VGA rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) agp0 at vga1: aperture at 0xe000, size 0x40 drm at vga1 unsupported pcib0 at pci0 dev 2 function 0 SiS 85C503 System rev 0x25 pciide0 at pci0 dev 2 function 5 SiS 5513 EIDE rev 0x00: 760: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: HTS541060G9AT00 wd0: 16-sector PIO, LBA48, 57231MB, 117210240 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets, initiator 7 cd0 at scsibus0 targ 0 lun 0: PHILIPS, CDRW/DVD SCB5265, TX07 ATAPI 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 SiS 7013 Modem rev 0xa0 at pci0 dev 2 function 6 not configured auich0 at pci0 dev 2 function 7 SiS 7012 AC97 rev 0xa0: irq 5, SiS7012 AC97 ac97: codec id 0x414c4770 (Avance Logic ALC203 rev 0) ac97: codec features headphone, 20 bit DAC, 18 bit ADC, No 3D Stereo audio0 at auich0 ohci0 at pci0 dev 3 function 0 SiS 5597/5598 USB rev 0x0f: irq 9, version 1.0, legacy support ohci1 at pci0 dev 3 function 1 SiS 5597/5598 USB rev 0x0f: irq 11, version 1.0, legacy support ehci0 at pci0 dev 3 function 2 SiS 7002 USB rev 0x00: irq 10 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 SiS EHCI root hub rev 2.00/1.00 addr 
1 sis0 at pci0 dev 4 function 0 SiS 900 10/100BaseTX rev 0x91: irq 3, address 00:16:36:3c:14:4a rlphy0 at sis0 phy 13: RTL8201L 10/100 PHY, rev. 1 cbb0 at pci0 dev 6 function 0 TI PCI1510 CardBus rev 0x00: irq 3 bwi0 at pci0 dev 11 function 0 Broadcom BCM4318 rev 0x02: irq 4, address 00:16:ce:49:a8:e1 pchb1 at pci0 dev 24 function 0 AMD AMD64 0Fh HyperTransport rev 0x00 pchb2 at pci0 dev 24 function 1 AMD AMD64 0Fh Address Map rev 0x00 pchb3 at pci0 dev 24 function 2 AMD AMD64 0Fh DRAM Cfg rev 0x00 kate0 at pci0 dev 24 function 3 AMD AMD64 0Fh Misc Cfg rev 0x00 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot
Re: spamd whitelisting not working, sure i'm missing something
On Mon, Feb 16, 2009 at 2:29 PM, jmc j...@cosmicnetworks.net wrote:

i'm trying to deal with mail providers like gmail that have pools of outgoing smtp servers that shuffle among them for mail delivery. in the case of gmail, i've taken the output of 'dig txt _spf.google.com. +short', parsed it appropriately, and added it to table spamd-mywhite. (in short, i write to /etc/mail/spamd-mywhite and then use pfctl to load up the table).

relevant pf.conf snippet:

table <spamd-mywhite> persist file /etc/mail/spamd-mywhite
rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from <spamd-white> to any port smtp -> 127.0.0.1 port smtp
rdr pass inet proto tcp from <spamd-mywhite> to any port smtp -> 127.0.0.1 port smtp

right now, my spamd is stuttering at some gmail addresses, which test positively that they are in spamd-mywhite, and thus i *believe* should be handed off directly to smtp given my rules. mail from sourceforge.com (_spf.sourceforge.com.), mail from facebook.com, and mail from nytimes.com all apparently worked OK, and don't get stuttered at.

i'm running 4.4-STABLE, unmodified GENERIC kernel, FWIW.

=== j...@cosmicnetworks (ttyp3) ~ {2094} 0--
sudo /sbin/pfctl -T test -t spamd-mywhite 72.14.220.153
1/1 addresses match.
=== j...@cosmicnetworks (ttyp3) ~ {2095} 0--
sudo /sbin/pfctl -T test -t spamd-mywhite 209.85.218.176
1/1 addresses match.
=== j...@cosmicnetworks (ttyp3) ~ {2096} 0--

for brevity sake, i didn't include my entire pf.conf. if it would help, i can share. i just feel i'm missing something really simple and stupid here.
--john

table <spamd-mywhite> persist file /etc/mail/spamd-mywhite
rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from <spamd-mywhite> to any port smtp -> 127.0.0.1 port smtp
rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port spamd
rdr pass inet proto tcp from <spamd-white> to any port smtp -> 127.0.0.1 port smtp

There you go.

-HKS
Re: snmpd GET and GETNEXT against scalar OIDs
On Thu, Feb 12, 2009 at 8:29 AM, Ariane van der Steldt ari...@stack.nl wrote:

On Tue, Feb 03, 2009 at 05:20:28PM -0500, (private) HKS wrote:

I made the following bug report on 2009-01-08, but didn't get a PR number back. Did I botch this report, or does the bugs@ address require hands-on that this report simply hasn't gotten yet? Thanks for the clarification.

PRs are assigned to bugs made using the sendbug program. I notice PR/6071 looks similar to yours, maybe that's the one you're looking for?

-- Ariane

Thanks for the response. Stuart Henderson replied off the list and pointed out that my formatting was broken. I resubmitted with sendbug -P and it looks like it's going through the proper channels now.

-HKS
bnx(4) transmit slow
OpenBSD 4.4 on a Dell Poweredge 2950. When testing with FTP or a benchmarking app like iperf, bnx(4) transmitting is much slower than receiving. I can replicate this with multiple clients on different OSes and hardware platforms, but my Poweredge 2850 running 4.4 with em(4) interfaces is unaffected. I've tested this on three separate 2950s (each running 4.4) and all exhibit the same behavior. Has anyone else run into this? Numbers/config/dmesg are below.

-HKS

iperf (rx) is with the bnx host running iperf -s and my test box running iperf -c 10.123.0.20. iperf (tx) is the inverse. FTP tests were conducted by getting (rx) and putting (tx) a 376MB ISO file.

Numbers:
---
iperf (rx): 878 Mbits/sec
iperf (tx): 109 Mbits/sec
---
ftp (rx): 393969664 bytes received in 4.40 seconds (85.29 MB/s)
ftp (tx): 393969664 bytes sent in 25.43 seconds (14.78 MB/s)
---

ifconfig:
---
bnx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1e:c9:43:0e:d6
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 10.123.0.20 netmask 0xff00 broadcast 10.123.0.255
        inet6 fe80::21e:c9ff:fe43:ed6%bnx0 prefixlen 64 scopeid 0x4
---

netstat -nI bnx0:
---
Name  Mtu   Network       Address            Ipkts    Ierrs Opkts    Oerrs Colls
bnx0  1500  <Link>        00:1e:c9:43:0e:d6  39134263 0     24382795 0     0
bnx0  1500  10.123.0/24   10.123.0.20        39134263 0     24382795 0     0
bnx0  1500  fe80::%bnx0   fe80::21e:c9ff:fe  39134263 0     24382795 0     0
---

sysctl variables:
---
kern.maxclusters=131072
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536
---

Dmesg:
---
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz (GenuineIntel 686-class) 2 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR real mem = 2142142464 (2042MB) avail mem = 2062938112 (1967MB) mainbus0 at root bios0 at 
snmpd GET and GETNEXT against scalar OIDs
I made the following bug report on 2009-01-08, but didn't get a PR number back. Did I botch this report, or does the bugs@ address require hands-on attention that this report simply hasn't gotten yet? Thanks for the clarification. -HKS

On Thu, Jan 8, 2009 at 3:52 PM, (private) HKS hks.priv...@gmail.com wrote:

snmpd on OpenBSD 4.4 Stable, i386 architecture. This bug was found by the OpenNMS team [1]. They've invited you to contact them for more details if I'm unable to provide enough info. The snmpget and snmpgetnext commands used in the examples below are from the Net SNMP 5.4.2.1 package on FreeBSD 7.

Essentially, snmpd seems to regard OIDs without an instance identifier as equivalent to OIDs with an instance identifier of 0. SNMP GET requests against a scalar OID with no instance identifier result in the agent apparently interpolating the .0 instance identifier:

# snmpget -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.2
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1

The expected behavior (RFC 1157, 4.1.2, rule 1) is a noSuchName error since .1.3.6.1.2.1.1.2 has no exact match.

In a similar vein, GETNEXT requests against a single-instance scalar OID without an instance identifier return the next OID as if the .0 identifier were originally requested. An example of OpenBSD's behavior:

# snmpgetnext -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.1
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1

# snmpgetnext -On -v1 -c public openbsd-host .1.3.6.1.2.1.1.1.0
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.30155.23.1

Lexically, however, .1.3.6.1.2.1.1.1 is followed by .1.3.6.1.2.1.1.1.0 - not .1.3.6.1.2.1.1.2.0. So the first request should have returned .1.3.6.1.2.1.1.1.0. The second was correct.

An example of Net SNMP's lexically correct response:

# snmpgetnext -On -v1 -c public netsnmp-host .1.3.6.1.2.1.1.1
.1.3.6.1.2.1.1.1.0 = STRING: FreeBSD netsnmp-host 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 r...@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

# snmpgetnext -On -v1 -c public netsnmp-host .1.3.6.1.2.1.1.1.0
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.8072.3.2.8

I hope that's clear. Please let me know if I can provide any further information. -HKS

[1] - http://bugzilla.opennms.org/show_bug.cgi?id=2962

dmesg follows:
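The two RFC 1157 rules the report leans on, GET as exact match only and GETNEXT as strict lexicographic successor, worked through over a toy system group. This is an added example, not part of the bug report or of snmpd; the MIB contents are constructed (the sysObjectID value is the one quoted in the report), and `snmpd_like_getnext` models only the behaviour the report describes.

```python
"""GET / GETNEXT semantics over a toy MIB with strict lexicographic OID order.

Added example, not part of the bug report or of snmpd. The MIB below is
constructed from the OIDs quoted in the report (the system group,
.1.3.6.1.2.1.1); the sysDescr.0 and sysUpTime.0 values are made up.
"""
from typing import Any, Dict, List, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    """'.1.3.6.1.2.1.1.2.0' -> (1, 3, 6, 1, 2, 1, 1, 2, 0)."""
    return tuple(int(p) for p in text.strip(".").split("."))


def fmt_oid(oid: Oid) -> str:
    return "." + ".".join(str(p) for p in oid)


# Only the instances (.0) exist as objects; the bare scalar names
# .1.3.6.1.2.1.1.1 and .1.3.6.1.2.1.1.2 are not objects at all.
MIB: Dict[Oid, Any] = {
    parse_oid(".1.3.6.1.2.1.1.1.0"): "OpenBSD example-host 4.4 GENERIC#0 i386",  # constructed
    parse_oid(".1.3.6.1.2.1.1.2.0"): ".1.3.6.1.4.1.30155.23.1",               # from the report
    parse_oid(".1.3.6.1.2.1.1.3.0"): 123456,                                   # constructed
}
# Python compares tuples element by element and ranks a proper prefix below
# its extensions, which is exactly SNMP's lexicographic OID ordering.
ORDERED: List[Oid] = sorted(MIB)


def snmp_get(oid: str) -> Tuple[str, Any]:
    """RFC 1157 4.1.2 rule 1: an exact match or noSuchName, never interpolation."""
    key = parse_oid(oid)
    if key not in MIB:
        return ("noSuchName", None)
    return (fmt_oid(key), MIB[key])


def snmp_getnext(oid: str) -> Tuple[str, Any]:
    """RFC 1157 4.1.3: the first object whose name sorts strictly after `oid`."""
    key = parse_oid(oid)
    for cand in ORDERED:
        if cand > key:
            return (fmt_oid(cand), MIB[cand])
    return ("noSuchName", None)  # SNMPv1 signals end of MIB this way


def snmpd_like_getnext(oid: str) -> Tuple[str, Any]:
    """Behaviour the report observed: a bare scalar name is treated as if its
    '.0' instance had been requested, so that instance itself is skipped."""
    key = parse_oid(oid)
    if key not in MIB and key + (0,) in MIB:
        key = key + (0,)
    return snmp_getnext(fmt_oid(key))


def snmp_walk(subtree: str) -> List[Tuple[str, Any]]:
    """Repeated GETNEXT until the reply leaves `subtree`. A manager that starts
    a walk from a bare scalar name would miss that scalar's .0 instance on an
    agent behaving like snmpd_like_getnext."""
    prefix = parse_oid(subtree)
    out: List[Tuple[str, Any]] = []
    name, value = snmp_getnext(subtree)
    while name != "noSuchName" and parse_oid(name)[: len(prefix)] == prefix:
        out.append((name, value))
        name, value = snmp_getnext(name)
    return out


if __name__ == "__main__":
    for fn in (snmp_get, snmp_getnext, snmpd_like_getnext):
        for q in (".1.3.6.1.2.1.1.1", ".1.3.6.1.2.1.1.1.0", ".1.3.6.1.2.1.1.2"):
            print(f"{fn.__name__:>18}({q}) -> {fn(q)}")
```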
Re: Backup strategies
On Sat, Jan 31, 2009 at 6:17 PM, Jason Dixon ja...@dixongroup.net wrote: There have been plenty of comments about distributed rcs systems. I have no complaints there at all, but I wanted to mention Bacula as a solid backup software option. We use it for our production needs in the office and colocation facility and I use it at home for my personal stuff. Works very well and Mike Erdely has done an excellent job with the port (sysutils/bacula). -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/ I can (vehemently) second the Bacula recommendation for traditional archive-style backups. My reading of the OP's requirements seemed more along the lines of managing edits of the same files on multiple machines, with the possibility of rolling back to an older version if necessary. If I misread this and he's looking more for data preservation, I know of no more intuitive, self-managed, flexible backup system than Bacula. -HKS
Re: OSPFD carp interface flapping
On Fri, Jan 30, 2009 at 10:25 PM, askthel...@gmail.com wrote:

OpenBSD 4.3 --release

On our backup firewall:
Jan 30 17:55:47 lynn ospfd[3389]: interface carp0 up
Jan 30 17:55:47 lynn ospfd[3389]: interface carp0 down

This is corresponding with an event on our ACTIVE host which is problematic to our VPN traffic:
Jan 30 17:55:47 susan sasyncd[31016]: net_ctl: got bad state MASTER from peer x.x.x.x

# ospfctl show int (on backup host)
Interface  Address          State  HelloTimer  Linkstate  Uptime    nc  ac
carp0      x.x.x.x.254/21   DOWN   7101w3d0    backup     00:00:00  0   0
em0        y.y.y.141/30     BCKUP  00:00:01    active     20w3d21h  1   1
em1        z.z.z.92/28      OTHER  00:00:01    active     20w3d21h  3   2

# ospfctl show int (on active host)
Interface  Address          State  HelloTimer  Linkstate  Uptime    nc  ac
carp0      x.x.x.254/21     DOWN   7101w3d0    master     00:00:00  0   0
em0        y.y.y.142/30     DR     00:00:07    active     20w3d21h  1   1
em1        z.z.z.93/28      BCKUP  00:00:00    active     21w0d19h  3   3

Seems the carp0 interface on one of our firewalls that is in a BACKUP mode is regularly flapping. This just began happening within the last week or so and has become a recurring issue the past few days. Nothing's been unplugged or reconfigured in months. Is this a bug, misconfiguration, failing switch, bad cable?

Probably. With a dmesg and ifconfigs, someone might be able to narrow it down a bit. -HKS
Re: Backup strategies
On Sat, Jan 31, 2009 at 1:36 AM, Predrag Punosevac punoseva...@gmail.com wrote:

Dear All, I am seeking advice about backup strategies and the possible use of CVS to accomplish this task. I happen to use 4-5 different computers on a daily basis for my work. I use my laptop, desktop, and a file server at work as well as my personal desktop and my wife's laptop at home. It is of paramount importance for me that my files are in sync on all 5 computers for two reasons. I want to always start working with the latest and most up to date version of files regardless of the computer which I am using. Secondly, if a HDD dies on one or even three-four computers at the same moment in time I will still have a backup copy to recover the work.

Up until now I have used the combination of tar, rarely dd, and my home-brewed scripts to accomplish the above task. I would always start work by running the script which would pull the tar files either from the file server or the USB drive and untar them on my computer. After I finished work I would run the script to tar the specific directory I was working on and push it back to the file server and a USB drive. However it did happen to me that I forgot to run the script once or twice in the past, which caused me a great deal of frustration. Suddenly, I would have two different versions of the same file on two different computers and maybe a third older version on my file server. It also happened to me in the past that I modified files and realized that the modification sucked, but I could not recover the specific older version of a particular file. I do periodically burn DVDs with my entire home directory, date them and keep them on the shelf.

Are there any advantages of using CVS over my present method, or am I just hallucinating? It looks to me that CVS could help me utilize a pull+push strategy for backing up the files but would give me an advantage over tar and dd by allowing me incremental updates as well as keeping past snapshots of my work.

I have seen a thread about 2-3 months ago on misc in which there was a similar question by an OpenBSD user who wanted to keep /etc on his firewall machines up to date as well as back up configuration files in case of disaster by CVS. I am open to any suggestions but I do have a strong preference for the tools from the base of the system. I noticed a couple of ports with poor man's tools for accomplishing the above tasks. Thanks, Predrag

Mercurial would suit you nicely. It's distributed version control, so you don't have to pull down the whole damn repository every time, it's got a solid merge engine, and you can revert to versions pretty easily. Simply clone the central repository onto each individual box, and at the beginning of work run an update. At the end, commit and push your changes back to the central server. -HKS
Re: Backup strategies
On Sat, Jan 31, 2009 at 2:21 PM, punoseva...@gmail.com wrote: @-HKS Point taken about mercurial. I will experiment with it. How good is it with occasional image files? It is definitely a big plus that I can look at changes I made either in papers I am writing or grades (.csv) of my students. It handles images just fine. I don't think it can store images by diff (might be wrong, it does that with plenty of other filetypes), but it certainly doesn't choke on them. -HKS
Re: ftp-proxy on a nat firewall
On Fri, Jan 30, 2009 at 5:41 AM, Camiel Dobbelaar c...@sentia.nl wrote:
(private) HKS wrote:
On Fri, Jan 23, 2009 at 3:06 PM, (private) HKS hks.priv...@gmail.com wrote:
On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley daniel.rama...@drake.edu wrote:

I've gotten a couple of off-list replies with suggestions to try. I greatly appreciate any ideas, but still have not had any luck so far. I've trimmed my ruleset and adjusted some of it to be more permissive. Any ideas as to why ftp-proxy still doesn't work?

ext_if = vr0
int_if = fxp0
icmp_types = { echoreq, unreach }

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# packet hygiene
scrub in all fragment reassemble

# nat
nat on $ext_if from !($ext_if) -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
#block in all
#block quick inet6 all
anchor "ftp-proxy/*"
pass out keep state
pass out quick proto tcp from lo to any port ftp
pass in inet proto icmp all icmp-type $icmp_types keep state
#pass from !($ext_if) to any keep state
pass from any to any keep state

Running ftp-proxy with the args -r -d -D 6, can you do a packet capture when you run ls? You'll want to find all packets that involve the internal host, and all packets that involve your external destination, so you'll probably need to do two separate captures. This should at least give an idea of what's breaking.

Something is definitely amiss. Does anybody have a working nat/ftp-proxy setup with 4.4? If so, can you post your rules and ftp-proxy flags? My 4.3 router is working fine, but when I try this on 4.4 I get some very weird behavior.

The anchor rules and such are all inserted correctly and ftp-proxy -vv logs the following (munged for clarity) repeatedly until I kill the connection or it times out:

11:42:32.540840 rule 331.19328.1.0/(match) pass in on $ext_if: $server.20 > $client_private.1830: S 67547520:67547520(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
11:42:32.540892 rule 331.19328.1.1/(match) pass out on $int_if: $server.20 > $client_private.1830: S 67547520:67547520(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
11:42:32.540911 rule 331/(match) pass out on $ext_if: $ext_ip > $server: icmp: host $ext_ip unreachable

The second log entry refers to traffic that was supposedly passed, but my packet sniffer on $int_if never saw it (I tested with tcpdump filters 'host $client_private' and 'host $server'). The anchor information is in there:

# pfctl -a ftp-proxy/19328.1 -s rules
pass in log (all) quick inet proto tcp from $server to $client_private port = 1830 flags S/SA keep state (max 1) rtable 0
pass out log (all) quick inet proto tcp from $server to $client_private port = 1830 flags S/SA keep state (max 1) rtable 0
# pfctl -a ftp-proxy/19328.1 -s nat
nat inet proto tcp from $server to $client_private port = 1830 rtable 0 -> 129.128.5.191 port 20
rdr inet proto tcp from $server to $ext_ip port = 63607 rtable 0 -> 10.2.0.13 port 1830

The only block in pf.conf is a block all at the top. Aside from a bunch of other pass statements, it looks very similar to what Daniel posted before. Running ftp-proxy with: ftp-proxy -r -dvvD 7

Can anyone else replicate this?

Yes, I can reproduce it. It looks like '-r' is the culprit. That's an option I would not recommend anyway, except if you have hosts that really need it. Can you try again without -r ? Very little changed in ftp-proxy itself between 4.3 and 4.4 so I suspect the substantial changes in pf itself may have caused this to break.
-- Cam Without -r things work just fine, but the shittiest ftp client I have to test this is Windows 2003's native. What clients are known to require the -r flag? -HKS
Re: ftp-proxy on a nat firewall
On Fri, Jan 30, 2009 at 10:47 AM, Camiel Dobbelaar c...@sentia.nl wrote: (private) HKS wrote: Without -r things work just fine, but the shittiest ftp client I have to test this is Windows 2003's native. What clients are known to require the -r flag? I think I implemented -r for someone with an old VMS system. Most FTP clients work fine, don't use -r unless you're sure you need it. Is there some documentation floating on the web that suggests -r? I think the manpage pretty much discourages usage: -r Rewrite sourceport to 20 in active mode to suit ancient clients that insist on this RFC property. -- Cam It's an attempt to preempt needless support calls for customers running some terribly outdated FTP client. -HKS
Re: ftp-proxy on a nat firewall
On Fri, Jan 23, 2009 at 3:06 PM, (private) HKS hks.priv...@gmail.com wrote:
On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley daniel.rama...@drake.edu wrote:

I've gotten a couple of off-list replies with suggestions to try. I greatly appreciate any ideas, but still have not had any luck so far. I've trimmed my ruleset and adjusted some of it to be more permissive. Any ideas as to why ftp-proxy still doesn't work?

ext_if = vr0
int_if = fxp0
icmp_types = { echoreq, unreach }

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# packet hygiene
scrub in all fragment reassemble

# nat
nat on $ext_if from !($ext_if) -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
#block in all
#block quick inet6 all
anchor "ftp-proxy/*"
pass out keep state
pass out quick proto tcp from lo to any port ftp
pass in inet proto icmp all icmp-type $icmp_types keep state
#pass from !($ext_if) to any keep state
pass from any to any keep state

Running ftp-proxy with the args -r -d -D 6, can you do a packet capture when you run ls? You'll want to find all packets that involve the internal host, and all packets that involve your external destination, so you'll probably need to do two separate captures. This should at least give an idea of what's breaking.

Something is definitely amiss. Does anybody have a working nat/ftp-proxy setup with 4.4? If so, can you post your rules and ftp-proxy flags? My 4.3 router is working fine, but when I try this on 4.4 I get some very weird behavior.

The anchor rules and such are all inserted correctly and ftp-proxy -vv logs the following (munged for clarity) repeatedly until I kill the connection or it times out:

11:42:32.540840 rule 331.19328.1.0/(match) pass in on $ext_if: $server.20 > $client_private.1830: S 67547520:67547520(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
11:42:32.540892 rule 331.19328.1.1/(match) pass out on $int_if: $server.20 > $client_private.1830: S 67547520:67547520(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
11:42:32.540911 rule 331/(match) pass out on $ext_if: $ext_ip > $server: icmp: host $ext_ip unreachable

The second log entry refers to traffic that was supposedly passed, but my packet sniffer on $int_if never saw it (I tested with tcpdump filters 'host $client_private' and 'host $server'). The anchor information is in there:

# pfctl -a ftp-proxy/19328.1 -s rules
pass in log (all) quick inet proto tcp from $server to $client_private port = 1830 flags S/SA keep state (max 1) rtable 0
pass out log (all) quick inet proto tcp from $server to $client_private port = 1830 flags S/SA keep state (max 1) rtable 0
# pfctl -a ftp-proxy/19328.1 -s nat
nat inet proto tcp from $server to $client_private port = 1830 rtable 0 -> 129.128.5.191 port 20
rdr inet proto tcp from $server to $ext_ip port = 63607 rtable 0 -> 10.2.0.13 port 1830

The only block in pf.conf is a block all at the top. Aside from a bunch of other pass statements, it looks very similar to what Daniel posted before. Running ftp-proxy with: ftp-proxy -r -dvvD 7

Can anyone else replicate this? -HKS
Re: Promiscuous interfaces forward multicast packets
On Fri, Jan 23, 2009 at 6:37 PM, Stuart Henderson s...@spacehopper.org wrote: In gmane.os.openbsd.misc, you wrote: Is this expected behavior? Should promiscuous mode affect the forwarding of multicast packets? it should not. please open a PR to make sure the right people see it, not everyone reads m...@. Thanks for the answer. I've sent the bug report to b...@openbsd.org. -HKS
Re: ftp-proxy on a nat firewall
On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley daniel.rama...@drake.edu wrote:

I've gotten a couple of off-list replies with suggestions to try. I greatly appreciate any ideas, but still have not had any luck so far. I've trimmed my ruleset and adjusted some of it to be more permissive. Any ideas as to why ftp-proxy still doesn't work?

ext_if = vr0
int_if = fxp0
icmp_types = { echoreq, unreach }

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# packet hygiene
scrub in all fragment reassemble

# nat
nat on $ext_if from !($ext_if) -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
#block in all
#block quick inet6 all
anchor "ftp-proxy/*"
pass out keep state
pass out quick proto tcp from lo to any port ftp
pass in inet proto icmp all icmp-type $icmp_types keep state
#pass from !($ext_if) to any keep state
pass from any to any keep state

Running ftp-proxy with the args -r -d -D 6, can you do a packet capture when you run ls? You'll want to find all packets that involve the internal host, and all packets that involve your external destination, so you'll probably need to do two separate captures. This should at least give an idea of what's breaking. -HKS
Promiscuous interfaces forward multicast packets
The short version: -- When an interface is put into promiscuous mode, inbound multicast traffic is forwarded according to the host's routing table regardless of net.inet.ip.mforwarding. Details: -- gw1 has vr0 (external) and vr1 (internal) gw2 has em0 (external) and em1 (internal) vr0 and em0 plug into a switch, which plugs into my provider vr1 and em1 plug into my internal switch. vr0 has carp1 running on top of it. em0 does not. The other interfaces do not have carp (yet). gw2 is new, and has a default route to my ISP. It does not have routes for all my internal networks. Some of those networks have a lot of multicast traffic. I placed em1 into promiscuous mode via tcpdump and crashed gw1. After testing for a while, I found that the machine was getting overwhelmed by cascading multicasts. Basically, it would fire a multicast out of vr1. em1 would catch it, but did not have a route to the destination IP. The multicast was forwarded out em0. vr0 catches it, and because it's in promiscuous mode, forwards it out vr1, feeding the loop. To give you an idea of scale, gw2 forwarded 107k multicast packets out em0 in the space of 15 seconds. Both machines have net.inet.ip.mforwarding set to 0 and net.inet.ip.forwarding set to 1. If I set net.inet.ip.forwarding to 0, the problem disappears. Likewise, if I blackhole all multicast traffic in question on gw2, things are fine. Is this expected behavior? Should promiscuous mode affect the forwarding of multicast packets? Thanks for the help. -HKS gw1 is a Soekris 5501 running 4.3 gw2 is a Dell Poweredge 2850 running 4.4 dmesg for gw2 follows. Let me know if you want dmesg for gw1. 
Large disks on 4.4
I recently built out an OpenBSD backup server on a Dell 2950 with a 2.7TB RAID array, and I ran into some trouble with fdisk recognizing my disk. The geometries it reported were worth about 750GB. Attempting to change CHS geometry led to out of bounds errors. I did not mess with sector-only settings - I ran through the installation, as it was, leaving my huge partitions out. Once the machine was built, I used disklabel's b command to change the disk boundaries to the whole disk. Things are working just fine now, but is fdisk partitioning with sectors the Right way to do this? -HKS

dmesg follows:
Re: Logging interface state changes
On Fri, Nov 21, 2008 at 7:28 PM, Stuart Henderson [EMAIL PROTECTED] wrote: On 2008-11-21, (private) HKS [EMAIL PROTECTED] wrote: My current solution is an incredibly awkward ifstated.conf (pasted below). it's still a hack, but a little less awkward to run ospfd with all the interfaces set as passive which just happens to log this information.. Thanks for the recommendation, I'll look into that. -HKS
Re: Logging interface state changes
For anyone following this for their own purposes, the ifstated solution does not work. I was able to get it to log a few times in a VM environment, but on a live system neither manually bringing an interface up/down nor plugging/unplugging the ethernet cable is even noticed by ifstated (running -dvv). If I'm doing something wrong, please point it out to me. Next, I'll be toying with Stuart's suggestion of using ospfd with all interfaces set to passive.

-HKS

On Fri, Nov 21, 2008 at 5:26 PM, (private) HKS [EMAIL PROTECTED] wrote:
> On Fri, Nov 21, 2008 at 5:18 PM, (private) HKS [EMAIL PROTECTED] wrote:
>>> route monitor ?
>>> --
>>> WBR, Pereresus ne Vlezaet Buggy
>>
>> That's an interesting tool, but it's not what I'm looking for. My current solution is an incredibly awkward ifstated.conf (pasted below). Is this really the best way to do it? I have no idea what's involved with logging interface state changes, but it's something that any router, firewall, or server needs. PCs are debatable, but I prefer that mine log it. I'd like to file a feature request but before I do, is there something I'm missing here? Is there a specific reason it was decided to keep this functionality out of the OS?
>>
>> -HKS
>>
>> - ifstated.conf: -
>>
>> # global config
>> init-state main
>> vr0_up = "vr0.link.up"
>>
>> state main {
>>     init { run }
>>     if $vr0_up || ! $vr0_up {
>>         logger ifstatus change. vr0 `ifconfig vr0 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr3 | grep status: | sed 's/^[[:space:]]//'`
>>     }
>> }
>
> Whoops, posted an ifstated.conf writeup that had incorrect syntax. Here's the correct version:
>
> init-state main
> vr0_up = "vr0.link.up"
>
> state main {
>     init { run }
>     if $vr0_up || ! $vr0_up {
>         run "logger \"ifstatus change. vr0 `ifconfig vr0 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed 's/^[[:space:]]//'`, vr3 `ifconfig vr3 | grep status: | sed 's/^[[:space:]]//'`\""
>     }
> }
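The ifstated.conf in this thread logs the status of all four interfaces on every trigger, which leaves the part the original poster actually wanted ("if something starts flapping I'd like to be able to see it in my logs") to whoever reads the log afterwards. As an added example, not code from the thread or from OpenBSD, the Python below pulls the status: field out of ifconfig(8) output the way the grep/sed pipeline does, parses logger lines of the shape that ifstated.conf emits, turns them into per-interface transitions and flags any interface that changes state three or more times inside a sliding 60-second window. The ifconfig text and the syslog lines are constructed for the example (the MAC address is vr0's from the Soekris dmesg in this thread), the 'hks' syslog tag stands in for whatever logger(1) picks for the invoking user, and the 60 s / 3 changes threshold is an arbitrary choice.

```python
"""Turn the ifstated logger lines into per-interface transitions and flag
link flapping.  Added example, not code from the thread or from OpenBSD."""
import re
from datetime import datetime, timedelta

# Constructed `ifconfig vr0` output; only the status: line matters here.  The
# MAC is vr0's address from the Soekris dmesg in the thread, the rest is made up.
IFCONFIG_VR0 = """\
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:ca:3f:58
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
"""

# Constructed syslog lines of the shape the ifstated.conf above emits.  'hks'
# stands in for whatever tag logger(1) picked; syslog timestamps carry no year.
SYSLOG = """\
Nov 21 17:30:01 fw hks: ifstatus change. vr0 status: active, vr1 status: active, vr2 status: no carrier, vr3 status: no carrier
Nov 21 17:30:09 fw hks: ifstatus change. vr0 status: no carrier, vr1 status: active, vr2 status: no carrier, vr3 status: no carrier
Nov 21 17:30:15 fw hks: ifstatus change. vr0 status: active, vr1 status: active, vr2 status: no carrier, vr3 status: no carrier
Nov 21 17:30:22 fw hks: ifstatus change. vr0 status: no carrier, vr1 status: no carrier, vr2 status: no carrier, vr3 status: no carrier
Nov 21 17:30:31 fw hks: ifstatus change. vr0 status: active, vr1 status: no carrier, vr2 status: no carrier, vr3 status: no carrier
Nov 21 18:45:00 fw hks: ifstatus change. vr0 status: active, vr1 status: active, vr2 status: no carrier, vr3 status: no carrier
"""

LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: ifstatus change\. (.*)$")
IF_RE = re.compile(r"(\w+) status: ([^,]+)")


def link_status(ifconfig_output):
    """The 'status:' field of one interface's ifconfig(8) output, or None.
    Same thing the `grep status: | sed` pipeline in ifstated.conf extracts."""
    for line in ifconfig_output.splitlines():
        line = line.strip()
        if line.startswith("status:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_log(text):
    """[(timestamp, {iface: status})] for each logger line, in file order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year defaults to 1900
        events.append((ts, dict(IF_RE.findall(m.group(2)))))
    return events


def transitions(events):
    """[(timestamp, iface, old, new)]: one entry per interface whose status
    differs from the previous logger line; the first line only sets a baseline."""
    last, out = {}, []
    for ts, states in events:
        for iface, status in states.items():
            if iface in last and last[iface] != status:
                out.append((ts, iface, last[iface], status))
            last[iface] = status
    return out


def flapping(trans, window=timedelta(seconds=60), threshold=3):
    """Interfaces with at least `threshold` transitions inside any `window`."""
    by_iface = {}
    for ts, iface, _, _ in trans:
        by_iface.setdefault(iface, []).append(ts)
    flappy = set()
    for iface, stamps in by_iface.items():
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flappy.add(iface)
                break
    return flappy


if __name__ == "__main__":
    print("vr0 now:", link_status(IFCONFIG_VR0))
    trans = transitions(parse_log(SYSLOG))
    for ts, iface, old, new in trans:
        print(f"{ts:%b %d %H:%M:%S} {iface}: {old} -> {new}")
    print("flapping:", sorted(flapping(trans)))
```

Run against a real log with `python3 flaps.py < /var/log/messages` after swapping the constructed SYSLOG for sys.stdin.read(); the transitions list is also what you would want to keep for forensics, since the raw logger lines repeat the unchanged interfaces on every trigger.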
Re: Logging interface state changes
> route monitor ?
> --
> WBR, Pereresus ne Vlezaet Buggy

That's an interesting tool, but it's not what I'm looking for. My current solution is an incredibly awkward ifstated.conf (pasted below). Is this really the best way to do it? I have no idea what's involved with logging interface state changes, but it's something that any router, firewall, or server needs. PCs are debatable, but I prefer that mine log it. I'd like to file a feature request but before I do, is there something I'm missing here? Is there a specific reason it was decided to keep this functionality out of the OS?

-HKS

- ifstated.conf: -

# global config
init-state main
vr0_up = "vr0.link.up"

state main {
    init { run }
    if $vr0_up || ! $vr0_up {
        logger ifstatus change. vr0 `ifconfig vr0 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr3 | grep status: | sed 's/^[[:space:]]//'`
    }
}
Re: Logging interface state changes
On Fri, Nov 21, 2008 at 5:18 PM, (private) HKS [EMAIL PROTECTED] wrote:
>> route monitor ?
>> --
>> WBR, Pereresus ne Vlezaet Buggy
>
> That's an interesting tool, but it's not what I'm looking for. My current solution is an incredibly awkward ifstated.conf (pasted below). Is this really the best way to do it? I have no idea what's involved with logging interface state changes, but it's something that any router, firewall, or server needs. PCs are debatable, but I prefer that mine log it. I'd like to file a feature request but before I do, is there something I'm missing here? Is there a specific reason it was decided to keep this functionality out of the OS?
>
> -HKS
>
> - ifstated.conf: -
>
> # global config
> init-state main
> vr0_up = "vr0.link.up"
>
> state main {
>     init { run }
>     if $vr0_up || ! $vr0_up {
>         logger ifstatus change. vr0 `ifconfig vr0 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr3 | grep status: | sed 's/^[[:space:]]//'`
>     }
> }

Whoops, posted an ifstated.conf writeup that had incorrect syntax. Here's the correct version:

init-state main
vr0_up = "vr0.link.up"

state main {
    init { run }
    if $vr0_up || ! $vr0_up {
        run "logger \"ifstatus change. vr0 `ifconfig vr0 | grep status: | sed 's/^[[:space:]]//'`, vr1 `ifconfig vr1 | grep status: | sed 's/^[[:space:]]//'`, vr2 `ifconfig vr2 | grep status: | sed 's/^[[:space:]]//'`, vr3 `ifconfig vr3 | grep status: | sed 's/^[[:space:]]//'`\""
    }
}
Logging interface state changes
My apologies if this has already been addressed, but I couldn't find it in the man pages or mailing list archives. Is there a way to enable logging of network interface state changes on OpenBSD 4.3 or 4.4? This is mostly for forensic purposes - obviously I'll know if my firewall loses its ethernet connection, but if something starts flapping I'd like to be able to see it in my logs rather than trying to catch it in the act. My hosts are using mostly vic and vr drivers, and neither seems to care whether the debug option is enabled.

Thanks for the help. dmesg for one of my Soekris (vr) boxes below.

-HKS

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 536440832 (511MB)
avail mem = 510664704 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:00:24:ca:3f:58
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 00:00:24:ca:3f:59
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 00:00:24:ca:3f:5a
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:00:24:ca:3f:5b
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 0, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFH-2048>
wd0: 4-sector PIO, LBA, 1953MB, 4001760 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e5c5 netmask ffe5 ttymask ffe7
mtrr: K6-family MTRR support (2 registers)
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
Re: Logging interface state changes
On Mon, Nov 17, 2008 at 12:49 PM, Daniel Melameth [EMAIL PROTECTED] wrote:
> On Mon, Nov 17, 2008 at 10:35 AM, (private) HKS [EMAIL PROTECTED] wrote:
>> My apologies if this has already been addressed, but I couldn't find it in the man pages or mailing list archives. Is there a way to enable logging of network interface state changes on OpenBSD 4.3 or 4.4? This is mostly for forensic purposes - obviously I'll know if my firewall loses its ethernet connection, but if something starts flapping I'd like to be able to see it in my logs rather than trying to catch it in the act.
>
> man ifstated

Thanks for the reference, that is definitely capable of doing what I want. Is there any way that I'm missing to enable logging with a generic statement, rather than configuring each interface individually? That will work, of course, but it's much less maintainable.

-HKS
Re: openbsd fail2ban
If you're just tired of the noise, consider moving SSH to a different port. It provides no greater security but helps with some of the annoyance.

-HKS

On Thu, Nov 6, 2008 at 2:34 PM, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Thu, Nov 06, 2008 at 05:33:41PM +0000, Charlie Clark wrote:
>> I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
>
> Yes, but why would you want to do that? It doesn't help in any real sense - weak passwords are still weak and may still fall to a distributed attack, and strong passwords or keys are pretty much impossible to guess anyway. Meanwhile, it's at least a little complex, takes some time to set up, and has nasty failure modes.
>
> Joachim
Possible bug in IPSec? (was Packets sent with wrong SPI)
A briefer summary of the problem:

Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16
Router B has one interface: 10.123.0.48/24

When using manual IPSec keying with a single flow between 10.123.0.46 and 10.123.0.48, it works fine. When I add a flow between 10.100.0.0/16 and 10.123.0.48, traffic from 10.123.0.46 to 10.123.0.48 is encoded with the wrong SPI. The reverse direction is fine.

Config files and dmesg are below, in my original message. This appears to be a bug, but what additional information can I provide to help diagnose it? Can anyone else reproduce this?

-HKS

On Tue, Oct 21, 2008 at 3:13 PM, (private) HKS [EMAIL PROTECTED] wrote:
> OpenBSD 4.3. I'm trying to get a couple IPSec VPNs up and am running into increasingly bizarre behavior in my test environment. The current issue is that packets are being sent encoded with the wrong SPI.
>
> Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16. Router B has one interface: 10.123.0.48/24. I can get A and B encrypting traffic between 10.123.0.46 and 10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16 the SPIs start getting mixed up. Specifically, pings from 10.123.0.46 (A) to 10.123.0.48 (B) use the wrong SPI. I am using manual keying to eliminate isakmpd as a source of other issues (that were probably my fault somehow). The keys are the defaults included in the ipsec.conf example since this is a test environment.
>
> Here is router A's ipsec.conf:
> --
> flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
> esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
> esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
> --
>
> Output from router A's ipsecctl -sa looks like you would expect:
> --
> FLOWS:
> flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
> flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
> flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
> flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
>
> SAD:
> esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
> esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
> esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
> esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
> --
>
> Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and tcpdump -i enc0 shows this:
> --
> tcpdump: listening on enc0, link-type ENC
> 09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> --
>
> Which is clearly the wrong SPI. If I try to ping in the reverse direction, B sends its packets with the correct SPI while the replies are encoded for 0x00010004. Removing the subnet lines from ipsec.conf corrects this issue. Is this a bug in IPsec or something I'm doing wrong? Thanks for the help. dmesg follows.
>
> -HKS
>
> OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz ("GenuineIntel" 686-class) 2.33 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
> real mem = 267939840 (255MB)
> avail mem = 251031552 (239MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 12/06/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 12/06/2006
> bios0: VMware, Inc. VMware Virtual Platform
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
> pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000
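Added example, not part of the thread and not an OpenBSD tool: a Python cross-check of the posted configuration against the posted capture. It pairs each flow line in ipsec.conf with the esp line that follows it (the layout the post uses), so every source/destination pair gets an expected outbound SPI from the most specific matching flow, and compares that with the SPI tcpdump prints on enc0. For the four posted lines it reports 10.123.0.46 > 10.123.0.48 as carrying 0x00010004 where the flow pairing says 0x00010002. It also lists esp lines whose from/to address carries a prefix: ipsec.conf(5) describes the addresses on an esp line as the SA's endpoints, so a /16 there is worth a second look, though that is my reading and not something the thread establishes. The keys are shortened to 0x... because the parser never reads them, and the 10.100.1.5 packet is constructed to show what a matching line looks like.

```python
"""Cross-check a manually keyed ipsec.conf against tcpdump -i enc0 output.

Added example, not from the thread or from OpenBSD.  The config and the first
four capture lines are copied from the post (keys shortened to 0x..., which the
parser never reads); the 10.100.1.5 packet is constructed.
"""
import ipaddress
import re

IPSEC_CONF = """\
flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001 authkey 0x...:0x... enckey 0x...:0x...
flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001 authkey 0x...:0x... enckey 0x...:0x...
"""

ENC0_CAPTURE = """\
tcpdump: listening on enc0, link-type ENC
09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:20.000000 (authentic,confidential): SPI 0x00010004: 10.100.1.5 > 10.123.0.48: icmp: echo request (encap)
"""

FLOW_RE = re.compile(r"^flow esp from (\S+) to (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+):(0x[0-9a-fA-F]+)")
# tolerate the '>' being present (real tcpdump) or stripped (the archived post)
PKT_RE = re.compile(r"SPI (0x[0-9a-fA-F]+): (\d+\.\d+\.\d+\.\d+) >? ?(\d+\.\d+\.\d+\.\d+):")


def parse_conf(text):
    """[(src_net, dst_net, out_spi, in_spi)]: each flow paired with the esp
    line that follows it, the way the posted ipsec.conf is laid out."""
    pairs, pending = [], None
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            pending = (ipaddress.ip_network(m.group(1), strict=False),
                       ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = SA_RE.match(line)
        if m and pending:
            pairs.append((pending[0], pending[1], int(m.group(3), 16), int(m.group(4), 16)))
            pending = None
    return pairs


def expected_out_spi(pairs, src, dst):
    """Outbound SPI of the most specific flow covering src -> dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for s, d, out_spi, _ in pairs:
        if src in s and dst in d:
            score = s.prefixlen + d.prefixlen
            if best is None or score > best[0]:
                best = (score, out_spi)
    return None if best is None else best[1]


def check_capture(pairs, capture):
    """[(src, dst, seen_spi, expected_spi)] for packets on an unexpected SA."""
    bad = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        seen, src, dst = int(m.group(1), 16), m.group(2), m.group(3)
        want = expected_out_spi(pairs, src, dst)
        if want != seen:
            bad.append((src, dst, seen, want))
    return bad


def network_endpoints(text):
    """[(out_spi, endpoint)] for esp lines whose from/to carries a prefix
    shorter than a host address; SA endpoints are normally single hosts."""
    out = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue
        for ep in (m.group(1), m.group(2)):
            net = ipaddress.ip_network(ep, strict=False)
            if net.prefixlen < net.max_prefixlen:
                out.append((int(m.group(3), 16), ep))
    return out


if __name__ == "__main__":
    pairs = parse_conf(IPSEC_CONF)
    for spi, ep in network_endpoints(IPSEC_CONF):
        print(f"SA 0x{spi:08x}: endpoint {ep} is a network, not a host")
    for src, dst, seen, want in check_capture(pairs, ENC0_CAPTURE):
        exp = "no flow" if want is None else f"0x{want:08x}"
        print(f"{src} -> {dst}: seen SPI 0x{seen:08x}, flow pairing expects {exp}")
```

On a live box the same check is `ipsecctl -nf /etc/ipsec.conf` for syntax plus this script fed with `tcpdump -n -i enc0` output; the pairing-by-adjacency is what makes it possible to say which SPI a given flow should have produced, since ipsecctl -sa lists flows and SAs separately.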
Re: Packets sent with wrong SPI
What other information can I provide on this?

-HKS

On Tue, Oct 21, 2008 at 3:13 PM, (private) HKS [EMAIL PROTECTED] wrote:
> OpenBSD 4.3. I'm trying to get a couple IPSec VPNs up and am running into increasingly bizarre behavior in my test environment. The current issue is that packets are being sent encoded with the wrong SPI.
>
> Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16. Router B has one interface: 10.123.0.48/24. I can get A and B encrypting traffic between 10.123.0.46 and 10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16 the SPIs start getting mixed up. Specifically, pings from 10.123.0.46 (A) to 10.123.0.48 (B) use the wrong SPI. I am using manual keying to eliminate isakmpd as a source of other issues (that were probably my fault somehow). The keys are the defaults included in the ipsec.conf example since this is a test environment.
>
> Here is router A's ipsec.conf:
> --
> flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
> esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
> esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
> --
>
> Output from router A's ipsecctl -sa looks like you would expect:
> --
> FLOWS:
> flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
> flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
> flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
> flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
>
> SAD:
> esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
> esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
> esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
> esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
> --
>
> Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and tcpdump -i enc0 shows this:
> --
> tcpdump: listening on enc0, link-type ENC
> 09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> --
>
> Which is clearly the wrong SPI. If I try to ping in the reverse direction, B sends its packets with the correct SPI while the replies are encoded for 0x00010004. Removing the subnet lines from ipsec.conf corrects this issue. Is this a bug in IPsec or something I'm doing wrong? Thanks for the help. dmesg follows.
>
> -HKS
>
> OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz ("GenuineIntel" 686-class) 2.33 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
> real mem = 267939840 (255MB)
> avail mem = 251031552 (239MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 12/06/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 12/06/2006
> bios0: VMware, Inc. VMware Virtual Platform
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
> pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1000 0xdc000/0x4000! 0xe/0x4000!
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
> pci1 at ppb0 bus 1
> piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
> wd0: 64-sector
Packets sent with wrong SPI
OpenBSD 4.3. I'm trying to get a couple IPSec VPNs up and am running into increasingly bizarre behavior in my test environment. The current issue is that packets are being sent encoded with the wrong SPI.

Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16. Router B has one interface: 10.123.0.48/24. I can get A and B encrypting traffic between 10.123.0.46 and 10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16 the SPIs start getting mixed up. Specifically, pings from 10.123.0.46 (A) to 10.123.0.48 (B) use the wrong SPI. I am using manual keying to eliminate isakmpd as a source of other issues (that were probably my fault somehow). The keys are the defaults included in the ipsec.conf example since this is a test environment.

Here is router A's ipsec.conf:
--
flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
--

Output from router A's ipsecctl -sa looks like you would expect:
--
FLOWS:
flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require

SAD:
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
--

Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and tcpdump -i enc0 shows this:
--
tcpdump: listening on enc0, link-type ENC
09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
--

Which is clearly the wrong SPI. If I try to ping in the reverse direction, B sends its packets with the correct SPI while the replies are encoded for 0x00010004. Removing the subnet lines from ipsec.conf corrects this issue. Is this a bug in IPsec or something I'm doing wrong? Thanks for the help. dmesg follows.

-HKS

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz ("GenuineIntel" 686-class) 2.33 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
real mem = 267939840 (255MB)
avail mem = 251031552 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/06/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 12/06/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1000 0xdc000/0x4000! 0xe/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
wd0: 64-sector PIO, LBA, 8192MB, 16777216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HC2281Q, NCF700G, 1.01> SCSI0
Re: Packets sent with wrong SPI
On Tue, Oct 21, 2008 at 5:01 PM, Mitja Muenih [EMAIL PROTECTED] wrote:
> Can you try to explicitly bind ping to the right source address? Something like
>
>   ping -I 10.123.0.46 10.123.0.48

Exact same result.

-HKS
Re: pf - queue filter directive sticky?
> imho normally this packet wouldn't be queued because the last count matches the packet so the last rule applies:

This is what I assumed at first, but the stickiness of tags and the (seeming) logic of doing the same with queues made me second-guess myself.

> on the other hand:
>> During the filtering component of pf.conf, the last referenced queue name is where any packets from pass rules will be queued...
> that means because of the sequential order that the packet should be queued imho.

Is that the case, or does that mean that packets passed by a statement on an altq-enabled interface without an explicit queue name directive are automatically assigned to the last defined queue? My initial tests suggest that the queue statements are not sticky (ie, my initial rules would not have queued it in the tens queue), but I'm still not sure.

-HKS
Re: pf - queue filter directive sticky?
> from pf.conf man page:
>> default   Packets not matched by another queue are assigned to this one. Exactly one default queue is *required.*

Thanks, I overlooked that a default queue was required. With that in mind, then, does this section of pf.conf(5) imply that the queue directive is sticky?

    During the filtering component of pf.conf, the last referenced queue name is where any packets from pass rules will be queued...

> Why you just not use quick in the first rule?
>
>   pass in quick on $int_if from 10.0.0.1 queue tens
>   pass in on $int_if

This question is for clarity's sake: is the quick required?

-HKS
pf - queue filter directive sticky?
If the following two rules apply to a given packet in the order shown, will the packet be queued?

    pass in on $int_if from 10.0.0.1 queue tens
    pass in on $int_if

I've not been able to find a clear answer in pf.conf(5) or the online PF documentation. If I overlooked it, please let me know. Thanks in advance for the help.

-HKS
Re: Patching a SSH 'Weakness'
Also, tab-completion won't work, top won't work, control characters won't work, vim won't work, etc etc...

-HKS

On Thu, Sep 11, 2008 at 4:00 AM, [EMAIL PROTECTED] wrote:
> Just off the top of my head (I have to check the SSH protocol yet): Why not encipher all accumulated keystrokes up to the Enter key as a block and send them instead of sending each keystroke as it is typed? This shrouds the typist's characteristics. In addition, if the cipher is a block cipher, padding is added to make the number of bits a multiple of the block size. Mandatory padding with a nonce may help to shroud the number of keystrokes. The drawback is that the padding part could mean that we are no longer compatible with the SSH protocol.
Re: This is what Linus Torvalds calls openBSD crowd
++

-HKS

> Let me be the first to say-- Who cares? I may completely disagree with him, but I'm not going to invest in a flame fest over his comments. To each their own.
>
> --STeve Andre'
Re: [Samba] Re: Winbind syslog errors and Domain Local Groups
Ah, thanks, didn't even realize 3.0.31 had been released. I'll give that a try.

-HKS

On Tue, Jul 15, 2008 at 6:15 PM, Jeremy Allison [EMAIL PROTECTED] wrote:
> On Tue, Jul 15, 2008 at 06:12:41PM -0400, (private) HKS wrote:
>> I was finally able to correct these errors by enabling Kerberos and changing the security model from domain to ads, but now I've run into the same problem reported here:
>> http://www.usenet-forums.com/samba/394092-re-samba-accessing-member-server-prompts-credentials.html
>>
>> After about 5 minutes of uptime the winbind service throws several errors into syslog and nothing referencing it will work correctly until I restart it. The processes are still running.
>>
>> Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
>> Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
>> Jul 15 17:57:26 testbox winbindd[994]:   async_request_timeout_handler: child pid 992 is not responding. Closing connection to it.
>> Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:   async_request_timeout_handler: child pid 992 is not responding. Closing connection to it.
>>
>> This is Samba 3.0.30 and Kerberos 5 running on FreeBSD 7.0. Can anyone help me out here?
>
> Known bug that was explicitly fixed in 3.0.31.
>
> Jeremy.
Re: sshd_config(5) PermitRootLogin yes
My 4.3 installs defaulted to PermitRootLogin yes after install.

-HKS

On Thu, Jul 10, 2008 at 10:35 AM, Brian A. Seklecki [EMAIL PROTECTED] wrote:
> Am I reading this right?
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup
>
> I don't have a fresh install anywhere -- but I want to say that it doesn't default to PermitRootLogin yes after the install.
>
> I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some noise about: "Well the source vendor doesn't disable it by default ..."
>
> ~BAS
Re: getpwnam_r() missing on OpenBSD 4.3
Backporting this is beyond my meager C abilities (and time to learn, at the moment). Running -current in our production environment is also impractical since we only use OpenBSD on mission-critical router/firewall/vpn boxes. However, I'll see about setting up a couple test boxes to make sure the software packages I'm looking at will work as expected come 4.4. Thanks anyhow for the help.

-HKS

On Wed, Jul 2, 2008 at 8:31 AM, Marc Espie [EMAIL PROTECTED] wrote:
> On Tue, Jul 01, 2008 at 11:04:21AM -0400, (private) HKS wrote:
>> Let's hear it for my attention to detail. Does anybody happen to have a creative workaround for threaded applications requesting this call? I'm experimenting with changing the call to getpwnam(), but that's out of morbid curiosity rather than a real fix.
>
> Use current, that will also help the project, since we're happy to have more people testing stuff.
Re: Net-SNMP segfaults under OpenBSD 4.3
One further note, just in case someone else runs into a similar problem. Running net-snmp under the agentuser and agentgroup of _snmpd will work, but many of your MIBs will return null data (most notably, MIB-2 Interfaces) because the agent reads /dev/mem for that data. You'll see this kind of message in your log files if you compiled with debugging enabled:

    kvm_read(*, 1, 0x2beec61c, 4) = -1: invalid address (1)
    auto_nlist failed on ifnet at location 1

And a manual snmpwalk will return something like:

    $ snmpwalk -c public -v 1 10.0.0.1 interfaces
    IF-MIB::ifNumber.0 = INTEGER: 0

My workaround for this was to change the agentgroup to kmem (or whatever gid is associated with /dev/mem). It's not ideal since it has full read access to kernel memory, but it's better than running as root.

-HKS

On Fri, Jun 27, 2008 at 4:24 PM, (private) HKS [EMAIL PROTECTED] wrote:
> Thanks, took this route and things are working just fine now.
>
> -HKS
>
> On Fri, Jun 27, 2008 at 8:19 AM, Claer [EMAIL PROTECTED] wrote:
>> On Fri, Jun 27 2008 at 13:12, Stephan A. Rickauer wrote:
>>> On Wed, 2008-06-25 at 11:17 -0400, (private) HKS wrote:
>>>> In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0 on an OpenBSD 4.3 box via packages. The executable segfaults every time I try to run it. This happens with or without command-line options, with my custom config file or the default config file. I've tested with two different machines, two different mirrors, and seen no change. I've not yet tried building net-snmp from the ports system, but that's my next step. Has anybody else run into this?
>>>
>>> I've seen this, too. But a package made out of the port will work.
>>
>> Repeatable also here. We built net-snmp package from ports.
>>
>> Claer
Re: getpwnam_r() missing on OpenBSD 4.3
Let's hear it for my attention to detail. Does anybody happen to have a creative workaround for threaded applications requesting this call? I'm experimenting with changing the call to getpwnam(), but that's out of morbid curiosity rather than a real fix. November 1 can't come soon enough ;)

-HKS

On Fri, Jun 27, 2008 at 9:20 PM, Marc Espie [EMAIL PROTECTED] wrote:
> On Fri, Jun 27, 2008 at 05:23:54PM -0400, (private) HKS wrote:
>> Not sure if this is the right list for this question, so let me know if it needs to go somewhere else. My OpenBSD box is missing the getpwnam_r() function described in the getpwent(3) man page. At least, it's described at this URL:
>> http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
>
> ^^^ Have a closer look at that url. ;-)
Re: about dhcpd and carp device
Your carp interface won't be doing much for you if it doesn't have an IP address configured. You should be able to run dhcpd off carp1 without any trouble, though I can't speak from experience.

-HKS

On Mon, Jun 30, 2008 at 3:54 PM, Imre Oolberg [EMAIL PROTECTED] wrote:
> Hallo!
>
> I have been using for some time now carp failover and i am very content with it, thank you!
>
> I run some tests and i just wanted to confirm that in order to run dhcpd service one has to run it on a physical interface (which has ip address configured) like
>
>   # dhcpd fxp0
>
> and not on a carp device which in turn uses fxp0 like that, right?
>
>   # dhcpd carp1
>
> Best regards,
> Imre
>
> PS I learned from the archives that dhcp v.3 has so to say master and slave functionality but this is not an issue yet for me how to sync leases database and etc.
Re: Net-SNMP segfaults under OpenBSD 4.3
Thanks, took this route and things are working just fine now. -HKS On Fri, Jun 27, 2008 at 8:19 AM, Claer [EMAIL PROTECTED] wrote: On Fri, Jun 27 2008 at 13:12, Stephan A. Rickauer wrote: On Wed, 2008-06-25 at 11:17 -0400, (private) HKS wrote: In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0 on an OpenBSD 4.3 box via packages. The executable segfaults every time I try to run it. This happens with or without command-line options, with my custom config file or the default config file. I've tested with two different machines, two different mirrors, and seen no change. I've not yet tried building net-snmp from the ports system, but that's my next step. Has anybody else run into this? I've seen this, too. But a package made out of the port will work. Repeatable also here. We built net-snmp package from ports. Claer
getpwnam_r() missing on OpenBSD 4.3
Not sure if this is the right list for this question, so let me know if it needs to go somewhere else.

My OpenBSD box is missing the getpwnam_r() function described in the getpwent(3) man page. At least, it's described at this URL: http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

My man page doesn't have any reference to getpwnam_r() - only the non-threadsafe getpwnam(). Likewise with getpwuid_r(). I assume this isn't normal (correct me if I'm wrong), but this is happening on a generic installation. Is there something I need to do/undo to enable these functions?

Thanks for the help.

-HKS
Net-SNMP segfaults under OpenBSD 4.3
In my quest for real SNMP monitoring of OpenBSD, I installed net-snmp-5.4.1p0 on an OpenBSD 4.3 box via packages. The executable segfaults every time I try to run it. This happens with or without command-line options, with my custom config file or the default config file. I've tested with two different machines, two different mirrors, and seen no change. I've not yet tried building net-snmp from the ports system, but that's my next step. Has anybody else run into this? -HKS
Re: snmp MIB variables
Thanks, that clears up my confusion.

-HKS

On Tue, Jun 10, 2008 at 1:30 PM, Dustin Lundquist [EMAIL PROTECTED] wrote: HOST-RESOURCES-MIB was added after the 4.3 release: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/snmpd/mib.c#rev1.20 While not supported, I've had luck building snmpd from -current on 4.3 release. Dustin Lundquist

(private) HKS wrote: Hello, Reyk Floeter mentioned in his ONLamp interview (link below) that snmpd currently supports most of the SNMPv1/v2c MIBs, IP-MIB, BRIDGE-MIB, HOST-RESOURCES-MIB, IF-MIB, and the OPENBSD-SENSORS-MIB http://www.onlamp.com/pub/a/bsd/2008/04/29/puffy-and-the-crytonauts-whats-new-in-openbsd-43.html I have a 4.3 installation that lacks the vast majority of these MIBs. The most relevant for me is HOST-RESOURCES-MIB - 1.3.6.1.2.1.25.1.

# snmpctl -n show mib | grep 1.3.6.1.2.1.25.1
#

Are these MIBs planned releases, or is my installation missing something? Thanks in advance for the help. -HKS
snmp MIB variables
Hello,

Reyk Floeter mentioned in his ONLamp interview (link below) that snmpd currently supports most of the SNMPv1/v2c MIBs, IP-MIB, BRIDGE-MIB, HOST-RESOURCES-MIB, IF-MIB, and the OPENBSD-SENSORS-MIB http://www.onlamp.com/pub/a/bsd/2008/04/29/puffy-and-the-crytonauts-whats-new-in-openbsd-43.html

I have a 4.3 installation that lacks the vast majority of these MIBs. The most relevant for me is HOST-RESOURCES-MIB - 1.3.6.1.2.1.25.1.

# snmpctl -n show mib | grep 1.3.6.1.2.1.25.1
#

Are these MIBs planned releases, or is my installation missing something?

Thanks in advance for the help.

-HKS