Re: How many IPs can I block before taking a performance hit?
So here is a related question - I want to implement something like what some of you folks seem to have in place with dynamically updated blacklists and reloading pf on the fly. With a redundant pair of firewalls, should I be doing this on the MASTER only? I'm just wondering about reloading pf on the BACKUP and, because state tables are synced, whether there is going to be any kind of negative effect on MASTER in terms of performance, or even from the fact that MASTER will be doing the reload at the same time. It is relatively easy to detect whether or not I am MASTER and then only do that if so. Should I be doing that, or will it matter?
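The refresh this post asks about, written out as an added example (not code from the thread or from OpenBSD): a sh script that swaps the table contents with `pfctl -T replace` instead of reloading the ruleset, and runs on both members of the pair. The table name <blacklist>, the file /etc/blacklist and the carp0 interface are assumptions taken from the thread's wording. The point the script encodes is that pfsync(4) replicates states, not tables, so a BACKUP that never refreshes the table will be missing the recent blocks at the moment it becomes MASTER.

```shell
#!/bin/sh
# Added example, not from the thread: refresh the pf table <blacklist>
# from /etc/blacklist on a CARP firewall pair without reloading pf.conf.
# Table name, file and carp0 are assumptions taken from the thread.

BLACKLIST=${BLACKLIST:-/etc/blacklist}
TABLE=${TABLE:-blacklist}
CARP_IF=${CARP_IF:-carp0}

# carp_state: print MASTER, BACKUP or INIT from `ifconfig carpN` text on
# stdin. Separated from the ifconfig call so it can be checked on sample text.
carp_state() {
    sed -n 's/.*carp: \([A-Z]*\) .*/\1/p' | head -n 1
}

# clean_list: pass through only lines that look like an IPv4 address or
# prefix; comments, blanks and junk are dropped. A single malformed line
# makes pfctl reject the whole replace and would leave the old table in place.
clean_list() {
    grep -E '^[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?[[:space:]]*$' \
        | tr -d ' \t'
}

# refresh_table: load the cleaned list with -T replace. The replace swaps
# the table contents in one operation, so there is no moment where the
# table is empty, and no `pfctl -f` ruleset reload is involved.
refresh_table() {
    tmp=$(mktemp) || return 1
    clean_list < "$BLACKLIST" > "$tmp"
    pfctl -q -t "$TABLE" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# pfsync(4) replicates states, not tables. If only the MASTER refreshes
# the table, a failover leaves the new MASTER without the recent blocks.
# So both members run the refresh; the CARP role is only used for logging.
main() {
    role=$(ifconfig "$CARP_IF" 2>/dev/null | carp_state)
    if refresh_table; then
        logger -t blacklist "table <$TABLE> replaced, role ${role:-unknown}"
    else
        logger -t blacklist "pfctl -T replace failed, role ${role:-unknown}"
        exit 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh refresh_blacklist.sh --run` from cron or from whatever feeds the list, on both firewalls. Because it only touches the table, the ruleset and the existing states are untouched, so there is nothing for the MASTER to notice when the BACKUP runs it.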
Re: How many IPs can I block before taking a performance hit?
Wow over 160 MILLION (yes I screamed that) IPs! How much RAM is in your system?

On Wed, Aug 12, 2020 at 10:26 AM infoomatic wrote:
>
> We have ~30,000 entries in our table blocking networks and
> single ip addresses, all in all at the moment exactly 169,471,974 hosts
> being blocked. No idea what your criteria is for "performance impact",
> but we have no issues.
>
>
> On 12.08.20 14:11, Alan McKay wrote:
> > Hey folks,
> >
> > This is one that is difficult to test in a test environment.
> >
> > I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM.
> >
> > With some scripting I'm looking at feeding block IPs to the firewalls
> > to block bad-guys in near real time, but in theory if we got attacked
> > by a bot net or something like that, it could result in a few thousand
> > IPs being blocked. Possibly even 10s of thousands.
> >
> > Are there any real-world data out there on how big of a block list we
> > can handle without impacting performance?
> >
> > We're doing the standard /etc/blacklist to load a table and then have
> > a block on the table right at the top of the ruleset.
> >
> > thanks,
> > -Alan

-- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
How many IPs can I block before taking a performance hit?
Hey folks, This is one that is difficult to test in a test environment. I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM. With some scripting I'm looking at feeding block IPs to the firewalls to block bad-guys in near real time, but in theory if we got attacked by a bot net or something like that, it could result in a few thousand IPs being blocked. Possibly even 10s of thousands. Are there any real-world data out there on how big of a block list we can handle without impacting performance? We're doing the standard /etc/blacklist to load a table and then have a block on the table right at the top of the ruleset. thanks, -Alan -- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
Way to find most active IPs for rate limiting with pf
So I want to implement rate limiting, and to determine a reasonable rate based on current traffic patterns I'd like to be able to figure out which source IPs are generating the most connections and at what rate. Is there a way to do that? -- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
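One way to get the numbers this post asks for, as an added example that is not part of the thread: pf already tracks every connection as a state, so ranking the sources in `pfctl -ss` output gives the busiest source addresses, and counting the states that are new between two snapshots taken T seconds apart gives a per-source connection rate. The sample state lines below are constructed to follow the `pfctl -ss` layout (interface, protocol, address:port, direction arrow, address:port, state); nothing else here is from the original.

```shell
#!/bin/sh
# Added example, not from the thread: rank source addresses by number of
# pf states from `pfctl -ss` output, and count how many new states each
# source opened between two snapshots. Sample input in the tests is constructed.

# top_sources [N]: read `pfctl -ss` lines on stdin, print "count source"
# for the N busiest sources. For "<-" (inbound) states the remote source is
# the address after the arrow; for "->" (outbound) it is the first address,
# i.e. the pre-NAT one. Ports are stripped (IPv4 addr:port, IPv6 addr[port]).
top_sources() {
    awk '
    {
        src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "<-") src = $(i + 1)
            else if ($i == "->") src = $3
        }
        if (src == "") next
        sub(/:[0-9]+$/, "", src)      # IPv4 host:port
        sub(/\[[0-9]+\]$/, "", src)   # IPv6 host[port]
        count[src]++
    }
    END { for (s in count) print count[s], s }
    ' | sort -rn | head -n "${1:-10}"
}

# new_sources BEFORE AFTER [N]: given two snapshot files from `pfctl -ss`
# taken T seconds apart, rank sources by the states that exist only in the
# second one. The state column (ESTABLISHED:ESTABLISHED, ...) is ignored so
# a state that merely changed phase is not counted as new. Divide the count
# by T for a connections-per-second figure.
new_sources() {
    awk '
    { key = $0; sub(/[ \t]+[^ \t]+$/, "", key) }   # drop the state column
    FILENAME == ARGV[1] { seen[key] = 1; next }
    !(key in seen)
    ' "$1" "$2" | top_sources "${3:-10}"
}

# Usage on a live firewall (not run here):
#   pfctl -ss | top_sources 20
#   pfctl -ss > /tmp/s1; sleep 60; pfctl -ss > /tmp/s2; new_sources /tmp/s1 /tmp/s2 20
```

Once the normal per-source rate is known, pf can enforce it without any scripting, for example `pass in on egress proto tcp to port 443 keep state (max-src-conn-rate 20/10, overload <abusers> flush global)` together with a `block in quick from <abusers>` rule; the numbers from `new_sources` are what tell you whether 20 connections per 10 seconds is generous or tight for your traffic.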
/usr/bin/false issue (was: relayd flapping)
OK this is interesting, and the only thing I can think of is that it is a hardware issue that is starting to manifest itself in this odd way. This relates to my email earlier today about relayd. Because of the odd way we use relayd with "/usr/bin/false" as the "check", we decided to just run some tests with /usr/bin/false. We ran it in a loop timing the execution each time. As it turns out, normally it is instantaneous (time of 0) but every once in a while it takes 700ms or up to 2000ms. We tried the same with /usr/bin/true and see the same behavior. The only thing I can think of at this point is that it must be a HW issue starting to manifest itself. Any other ideas?

-- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
Re: 5.5 odd issue with relayd flapping
Yes, upgrading is on our to-do list. But it will be a few months before we can do that.
5.5 odd issue with relayd flapping
Hi folks,

I have googled this and found something similar back here:
https://www.mail-archive.com/misc@openbsd.org/msg77218.html

There are a couple of threads but everything seems to say it was a known issue that was fixed post 5.2. But I have an extra oddity to add to it as you will see from my relayd config.

These systems have been running fine for almost 2 years now (653 day uptime!) with no issues, then last week one of my environments started throwing these sorts of errors about every hour:

relayd[PID]: host , check script (Xms), state up -> down, availability x.y%
relayd[PID]: host , check script (Xms), state down -> up, availability x.y%

The check is against an LDAP server, but here is the funny business we have going, because it is not really checking the LDAP. We have primary and backup LDAPs defined like this:

table { 10.x.y.1 retry 1 }
table disable { 10.x.y.2 retry 1 }
[...]
redirect ourldap {
        listen on $ldap_addr port $ldap_port interface $relayd_int
        tag relayd
        session timeout 86400
        forward to check script "/usr/bin/false"
        forward to check script "/usr/bin/false"
}

I know this seems odd but basically as far as relayd is concerned there is never an issue whatsoever with its check. We do this because we have another script which runs that will cut over between the LDAPs if there is an issue. We basically use relayd to handle the firewall rules for us. (Earlier versions of this check found that relayd was not able to properly cut over the LDAPs on its own - it took several minutes to do so.)

We checked the local NICs for errors (netstat -I) and there was nothing. We checked the switch for errors, and again nothing.

Oh one more thing - this is a redundant pair of firewalls and we only see this on the backup firewall, not the master. And it is in our DR facility which really does not see any traffic. We have the exact same configuration in production which is extremely active, and we do not see the issue there.
thanks, -Alan -- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
Re: Small FW boxes for CORP use (was: T40E APU?)
On Fri, Mar 11, 2016 at 4:36 PM, Josh Grosse wrote:
> 100Mbit? You could go even smaller, such as the PCEngines Alix
> platform. They are 32-bit (i386) only, however.
>
> Each NIC is able to sustain 70-80 Mbps, in my experience.

Do those have 4 NICs? Ideally I'd like to get a redundant pair of FWs in 1U. But I need 4 NICs on each as a bare min.

-- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
Re: Small FW boxes for CORP use (was: T40E APU?)
On Fri, Mar 11, 2016 at 4:09 PM, Brandon Vincent wrote:
> If you have a pair setup for redundancy, it really comes down to the
> expected network utilization. What sort of network are we talking
> about?

Well I guess I'd place them according to their capability. Could I put them on a 100Mbit link to the world? Would they handle that?

-- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
Small FW boxes for CORP use (was: T40E APU?)
On Mon, Mar 7, 2016 at 3:37 PM, Chris Cappuccio wrote:
>
> Nope. You might want a Supermicro X11SBA-LN4F or maybe Netgate's
> RCC-VE 2440 if you need 4 ports.

Opinions on using either of those as a redundant pair for corporate use?

-- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
Re: OpenBSD on AMD Embedded G-Series T40E APU?
Next question ... do they make them with 4 or more NIC ports? I only see them with 3 ports on that site.
OpenBSD on AMD Embedded G-Series T40E APU?
Hey folks, The website does not seem to have a lot of info on what CPUs are supported. I'm looking at this box for a home firewall with OpenBSD http://www.corpshadow.biz/bizstore/apu1d-red-combo-kit-p-345.html?cPath=51 thanks, -Alan -- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
implementing circular queue for tcpdump logging
Hi folks, Something I've done on other platforms e.g on a firewall is have tcpdump running and logging to disk. You know ahead of time how much disk space to allocate to this task, and there are command line options on tcpdump that you can adjust to accomplish this. So it will always occupy that known amount of space, and you know that you have the last X hours of traffic logged. Basically use the option to change to a new log file as soon as it hits size X, combined with the option to limit the number of log files to Y. Has anyone done something like this with OpenBSD? I don't see anything obvious and was wondering what others might have done to accomplish this. Perhaps some kind of wrapper script ... thanks, -Alan -- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
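The ring buffer described in this post, written as an added example that is not from the thread or from OpenBSD: a sh wrapper around OpenBSD tcpdump(8), which has no equivalent of the -C/-W rotation options found in other tcpdump versions. The capture directory, interface, file count and seconds per file are assumptions; the bound here is on time per file rather than size, so the disk budget follows from the link speed. Rotation is done before each capture so the newest file is always cap.0 and the last N files are the last N intervals of traffic.

```shell
#!/bin/sh
# Added example, not from the thread: a ring of KEEP capture files of SECS
# seconds each for OpenBSD tcpdump, which has no -C/-W rotation options.
# Directory, interface, KEEP, SECS and SNAPLEN are assumptions.

CAPDIR=${CAPDIR:-/var/capture}
IFACE=${IFACE:-em0}
KEEP=${KEEP:-24}        # number of files in the ring
SECS=${SECS:-3600}      # seconds of traffic per file
SNAPLEN=${SNAPLEN:-96}  # headers only; raise it if payloads are needed

# rotate DIR KEEP: shift cap.0 .. cap.(KEEP-2) up by one slot, dropping the
# oldest file cap.(KEEP-1). After this cap.0 is free for the next capture.
rotate() {
    dir=$1 keep=$2
    i=$((keep - 1))
    rm -f "$dir/cap.$i"
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        [ -f "$dir/cap.$prev" ] && mv "$dir/cap.$prev" "$dir/cap.$i"
        i=$prev
    done
}

# capture_once: rotate, then write one SECS-long capture to cap.0. tcpdump
# is stopped with SIGTERM, on which it flushes and closes the savefile
# cleanly, so every file in the ring is readable with `tcpdump -r`.
capture_once() {
    rotate "$CAPDIR" "$KEEP"
    tcpdump -i "$IFACE" -s "$SNAPLEN" -w "$CAPDIR/cap.0" ${FILTER:-} &
    pid=$!
    sleep "$SECS"
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
}

# ring_forever: keep the ring turning until the script itself is killed.
# The directory is private: captures carry everything that crossed the wire.
ring_forever() {
    mkdir -p "$CAPDIR" && chmod 700 "$CAPDIR"
    while :; do capture_once; done
}

if [ "${1:-}" = "--run" ]; then
    ring_forever
fi
```

Start it from rc.local or a supervisor as `FILTER='not port 22' sh capring.sh --run`. For traffic that pf already logs, pflogd(8) with newsyslog(8) rotation (the approach suggested in the reply below) does the same job without a wrapper; this script is for capturing traffic that does not hit a `log` rule.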
Re: implementing circular queue for tcpdump logging
On Thu, Jan 28, 2016 at 10:31 AM, sven falempin wrote:
> syslog has memory buffer that rotates. (:name:size)
> pflogd can log, tcpdump | logger if you want something else
>
> problem solved.

Thanks. I should have thought of pflogd! Looks like a modification of the standard OpenBSD technique to shoot that into syslog will work.

-- "You should sit in nature for 20 minutes a day. Unless you are busy, then you should sit for an hour" - Zen Proverb
Re: Munich BSD meetup
So what? How was the beer? That's what one wants to know! Did you finish off something dark?
ntpd.conf - add ability to read servers from an include file?
Hey folks, Would anyone else see value in this? Basically for the sake of automated deployments it would be nice / clean to be able to do : includeservers /path/to/file And then read them all from the file. And the same file would be used as a table in pf.conf for NTP FW rules. One server per line. This would make initial deployments easier to automate (no need to programmatically alter the config file), and then if you need to change your NTP servers post-deployment it is cleaner as well with less chance of human error. i.e. changing pf.conf is riskier than changing ntpd.conf Thoughts? -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Mapping pf syslog rule numbers to lines in pf.conf
On Mon, Jan 26, 2015 at 3:47 PM, James Shupe jsh...@hermetek.com wrote:
> pfctl -sr -R rulenum
>
> Further details can be found in the man page.

Oh man that was way too easy! Anyone in Ottawa is welcome to come by and give me 10 lashes ... ( hangs head in shame )

Thanks. I was trying to search through the man page but the word rule occurs quite a few times ;-)

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Mapping pf syslog rule numbers to lines in pf.conf
Hey folks, This one seems to be difficult to google - not coming up with much. I have some firewall blocks I want to investigate and of course they are reported as matching a specific rule number - but I am not sure how to map that back to a line in my pf.conf Could someone enlighten me? thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Hannover BSD meetup
Time it with CeBit and everyone will have a reason to come from afar :-)
1U / 2 Computers? For redundant FW pair
I know that Supermicro has some interesting side-by-sides starting at 2U, but I'm not aware of anything in 1U. Basically I'd like to have my redundant FW pairs take up less rack space. I guess another option would be half-width 1U if anything like that exists, and install a rack shelf. -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: 1U / 2 Computers? For redundant FW pair
On Wed, Jan 21, 2015 at 8:05 AM, Ganguin Michel michel.gang...@nagra.com wrote:
> in 1U (another one goes up to 8 systems in 2U, twin3):
> http://www.supermicro.nl/products/nfo/1UTwin.cfm

Oh they do have them ... I checked a while back and could have sworn the Twins only started at 2U

> However they share some stuff:

OK maybe that's why I discounted them back then.

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
building ntop from ports with -w enabled
Hey folks, I install ntop from ports and try to run it with -w and it tells me it is disabled due to security reasons. (1) I'd like to read more on those reasons, and (2) I'd like to enable that feature anyway at very least in my test setup to evaluate while also reading up on (1). Is there any way to do that from ports or will I need to build from scratch? thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Crash cart console adapters compatible with OpenBSD?
On Fri, Jan 16, 2015 at 1:38 PM, Devin Reade g...@gno.org wrote:
> Well, in an attempt to dig myself out of the hole, the OP *did* say,
> "or in a pinch, Linux" ...

That I did :-)

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Crash cart console adapters compatible with OpenBSD?
Hey folks, I'm looking for something like this that I can plug into a network debugging laptop to get console access to servers in a rack. Ideally the laptop would run OpenBSD or in a pinch Linux. The comments section of this page says there is required software and that it stopped working when upgrading from Ubuntu 12.04 to 14.04. That suggests to me this would not work with OpenBSD http://ca.startech.com/Server-Management/KVM-Switches/Portable-USB-PS-2-KVM-Console-Adapter-for-Notebook-PCs~NOTECONS01 Can anyone suggest something similar that would? thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Crash cart console adapters compatible with OpenBSD?
On Thu, Jan 15, 2015 at 1:22 PM, Jon Simola jsim...@gmail.com wrote:
> To explain better, this would be in a private /30 network just so you
> can VNC from laptop to the KVM.

OK that might work

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Crash cart console adapters compatible with OpenBSD?
This one seems reasonable so I will get one in to try out. http://www.newegg.ca/Product/Product.aspx?Item=9SIA5SC1VA2702cm_re=lantronix_spider-_-9SIA5SC1VA2702-_-Product The only downside I see is that a laptop will have only 1 NIC and so I won't have both a console and network connection at the same time. I guess I could also get a USB NIC adapter for a 2nd NIC.
Re: mouse spontaneously detaches in console
We've been having a similar issue with keyboards on 5.1 with no X, and when we upgraded to 5.5 recently we seem to still have it. All HP hardware about 3 years old. You have to unplug the keyboard and plug it into a different port, then return it back to the original to get it back. Sometimes you have to walk around to the other side of the rack to do it. Very frustrating ... After the holidays I'll get a dmesg with more details
Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)
On Thu, Dec 4, 2014 at 1:15 AM, Vivek Vinod vi...@icanconnect.com wrote:
> We have been using Mikrotik routerboards for 7 years

Huh? With OpenBSD on them?

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)
This is very interesting - I've been looking at various small boxes like this to use as a home firewall. The only problem is that not many of them have 2 NICs, and the ones that do are very expensive (higher end Zotac) Does anyone know of a similar device with 2 NICs that might be suitable as a home firewall? What about one of the Open Firmware firewalls like ASUS? Is there an OpenBSD load for those? Instead of Tomato or the likes ...
Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)
On Wed, Dec 3, 2014 at 4:54 PM, Mikkel C. Simonsen m...@post5.tele.dk wrote:
> As I have written many times - used thin clients are available in huge
> numbers as scrap. Many of them have a PCI or PCIe slot, so adding a
> second NIC is easy. I often use thin clients with a Compaq 2- or 4-port
> NIC. Total cost about 15-20 euros.

That's interesting - what sort of brand name or product name would I search for? I'm not really familiar with any thin clients

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)
I see one of these on my local kijiji but can't tell whether or not it has a PCI slot. It is not on the hardware list of that parkytowers site http://h10010.www1.hp.com/wwpc/us/en/sm/WF06a/12454-12454-321959-338927-5112717-5295294.html?dnr=2
Re: ifstated intermittant flapping after 5.1 to 5.5 upgrade
We believe we've found it - the internet-facing NIC had a minor configuration change as well, as part of the upgrade. It was no longer explicitly being set in full duplex mode, and as it turns out it was coming up in half-duplex. Now we play the waiting game to see whether we are right :-)
ifstated intermittant flapping after 5.1 to 5.5 upgrade
Hi folks,

After a 5.1 to 5.5 upgrade on a redundant firewall pair, every once in a while my FW2 (backup) promotes itself and then immediately demotes itself again. Which I find very odd because it is doing so based on pinging its peer every 10 seconds, and so the value of that boolean should only change after 10 seconds, no?

I cannot find anything else going on in other log files around the same time that would help explain this. From my /var/log/daemon:

Nov 15 17:55:25 my-hostname ifstated[28981]: changing state to promoted
Nov 15 17:55:25 my-hostname ifstated[28981]: changing state to backup
Nov 16 21:43:07 my-hostname ifstated[28981]: changing state to promoted
Nov 16 21:43:07 my-hostname ifstated[28981]: changing state to backup
Nov 18 11:44:38 my-hostname ifstated[28981]: changing state to promoted
Nov 18 11:44:38 my-hostname ifstated[28981]: changing state to backup
Nov 19 07:44:27 my-hostname ifstated[28981]: changing state to promoted
Nov 19 07:44:27 my-hostname ifstated[28981]: changing state to backup

ifstated.conf has changed very little since before the upgrade - a few minor tweaks and that is it. And what is triggering the flap is this piece of code. These are the internal and external interfaces. The first IP is the front door. The second one is an internal IP - the stuff I am protecting. This is happening in 3 different environments all with carbon-copy configs.

peer = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10 && \
          "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10 )'

---snip---

if ! $peer {
        if $carp_ready {
                if $local {
                        if $relayd {
                                set-state promoted
                        }
                }
        }
}

And here is the whole ifstated.conf - with some added debug statements to try to help me get to the bottom of this.

init-state backup

carp_ready = '( (! carp0.link.unknown) && (! carp1.link.unknown) && \
                (! carp5.link.unknown) && (! carp20.link.unknown) && \
                (! carp25.link.unknown) && (! carp30.link.unknown) )'
local = '( "ping -q -c 1 -w 1 10.1.1.2 > /dev/null 2>&1" every 10 && \
           "ping -q -c 1 -w 1 10.20.1.2 > /dev/null 2>&1" every 10 )'

# changed this to determine which one was not pinging
# peer = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10 && \
#           "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10 )'
peer1 = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10 )'
peer2 = '( "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10 )'

# If relayd fails, we will not be promoted.
relayd = '( "pgrep relayd | wc -l | grep 8" every 10 )'

state backup {
        init {
                run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") starting up\" >> /var/log/ifstated"
                run "ifconfig carp0 advskew 100"
                run "ifconfig carp1 advskew 100"
                run "ifconfig carp5 advskew 100"
                run "ifconfig carp20 advskew 100"
                run "ifconfig carp25 advskew 100"
                run "ifconfig carp30 advskew 100"
                run "sleep 60"
        }

        # these debugging statements are new to help get to the bottom of it
        if ! $peer1 {
                run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") peer1 no good\" >> /var/log/ifstated"
        }
        if ! $peer2 {
                run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") peer2 no good\" >> /var/log/ifstated"
        }
        if ! $carp_ready {
                run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") carp_ready no good\" >> /var/log/ifstated"
        }
        if ! $local {
                run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") local no good\" >> /var/log/ifstated"
        }
        if ! $relayd {
                run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") relayd no good\" >> /var/log/ifstated"
        }

        if ( ! $peer1 ) || ( ! $peer2 ) {
                if $carp_ready {
                        if $local {
                                if $relayd {
                                        set-state promoted
                                }
                        }
                }
        }
}

state promoted {
        init {
                run "ifconfig carp0 advskew 10"
                run "ifconfig carp1 advskew 10"
                run "ifconfig carp5 advskew 10"
                run "ifconfig carp20 advskew 10"
                run "ifconfig carp25 advskew 10"
                run "ifconfig carp30 advskew 10"
        }

        if ( $peer1 ) && ( $peer2 ) {
                set-state backup
        }
}

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: ifstated intermittant flapping after 5.1 to 5.5 upgrade
On Thu, Nov 20, 2014 at 3:57 PM, Alan McKay alan.mc...@gmail.com wrote:
> peer1 = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10 )'
> peer2 = '( "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10 )'

At present I am thinking that my problem would go away if I changed my pings to -c 3 -w 3 instead of 1s, but it was never a problem before the upgrade so I'm a bit baffled. I would hate to fix that and thereby mask some other issue.

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
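The one-packet, one-second tests in the posted ifstated.conf and the -c 3 -w 3 idea in the reply above both make a single lost echo reply either a state change or a 3-second stall inside ifstated. An added example (not from the thread or from OpenBSD) of the alternative a practitioner usually ends up with: a probe script that only reports the peer down after N consecutive failures and returns on the first success, so the common case still costs one ping. The addresses, N and the install path /usr/local/sbin/peerprobe are assumptions; PROBE is the per-attempt command, kept in a variable so the retry logic can be exercised without network access.

```shell
#!/bin/sh
# Added example, not from the thread: a retrying probe for ifstated(8).
# peer_down reports a peer down only after TRIES consecutive failed probes,
# so one dropped packet does not promote the backup. Host addresses, TRIES
# and the install path are assumptions. PROBE is the single-attempt command.

PROBE=${PROBE:-"ping -q -c 1 -w 1"}

# peer_down HOST [TRIES]: return 0 (true: peer down) only if TRIES probes
# in a row fail, pausing one second between attempts. Returns 1 (peer up)
# on the first success.
peer_down() {
    host=$1 tries=${2:-3} n=0
    while [ "$n" -lt "$tries" ]; do
        if $PROBE "$host" > /dev/null 2>&1; then
            return 1
        fi
        n=$((n + 1))
        [ "$n" -lt "$tries" ] && sleep 1
    done
    return 0
}

# peer_up HOST [TRIES]: the inverse, for ifstated macros that read as
# "peer is up", which is what the posted $peer1/$peer2 macros mean.
peer_up() {
    ! peer_down "$@"
}

# Command-line entry point, e.g. installed as /usr/local/sbin/peerprobe:
#   peer1 = '( "/usr/local/sbin/peerprobe up 10.1.1.1 3" every 10 )'
#   peer2 = '( "/usr/local/sbin/peerprobe up 10.20.1.1 3" every 10 )'
# The rest of the posted ifstated.conf is unchanged: $peer1 is still true
# while the peer answers, and goes false only after three straight misses.
case "${1:-}" in
    up)   shift; peer_up "$@" ;;
    down) shift; peer_down "$@" ;;
esac
```

Note that the worst case (peer really down) now takes about TRIES seconds per check inside one ifstated test, which is the same cost as -c 3 -w 3 but without paying it when a single reply is merely late. The NIC duplex mismatch found later in this thread is exactly the kind of fault that produces occasional single losses, and the retry makes the promotion logic tolerate it without hiding it from the debug log lines.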
Input from upgrade script overwrites files in site55-hostname.tgz
Hi folks, Maybe this is by design but it seems odd to me. I have a site55-hostname.tgz file with all of my local customizations, and it installs great over http. However, /etc/mygate ends up being based on the input I provided during the upgrade script. And /etc/hostname.bnx3 as well (install took place through bnx3, I did not configure any other interface during the install). Both of these files are in site55-hostname.tgz and those files are what I want used in my final system. I would expect site55-hostname.tgz to be untarred last and would expect the mygate and hostname.bnx3 found therein to be what I end up with after booting, but that is not the case. I work around the issue with some fancy footwork in a post-install script I've provided, but it seems to me to be something that should not have to be worked around. Is there a rationale for this? thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Logging Password change attempts
Take the original passwd command and rename it to passwd.orig and rename your script into its place (without the .sh ending) and have your script call passwd.orig. Still not perfect since someone who knows the difference can still call the orig directly. The alternative would be to dig into the source code of passwd itself, and submit a patch to do what you want to do. That would be the cleanest solution.
Re: relayd question - from the man page
Anyone? Anyone? Buehler?

On Fri, Oct 17, 2014 at 9:41 AM, Alan McKay alan.mc...@gmail.com wrote:
> Hi folks,
>
> The manpage for relayd.conf has this basic construct in it a couple of times:
>
> table <service> { 192.168.1.1, 192.168.1.2, 192.168.2.3 }
> table <fallback> disable { 10.1.5.1 retry 2 }
>
> redirect www {
>         listen on www.example.com port 80
>         forward to <service> check http "/" code 200
>         forward to <fallback> check http "/" code 200
> }
>
> And also has this to say about the disable attribute.
>
>     disable
>         The redirection is initially disabled. It can be later enabled
>         through relayctl(8).
>
> What I don't understand from the given examples is how fallback above is
> getting re-enabled. It starts out with the table disabled - I get that.
> But then within the redirect we are basically saying (correct me if I am
> wrong) "always use service unless it is not available, in which case use
> fallback". But I don't see anywhere that fallback was re-enabled so how
> can it be used? And I search through the manpage and don't see any
> mention of this. Does it automatically get re-enabled within the
> redirect - forward? And if that is the case, what was the point of
> starting it disabled in the first place?
>
> thanks,
> -Alan

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: relayd question - from the man page
On Tue, Oct 21, 2014 at 1:25 PM, System Administrator ad...@bitwise.net wrote:
> The answer to your question is right there in the very manpage
> paragraph you quoted below.

Yes, I should have clarified that I did see that. (That is why I quoted it.) It just does not seem to make a lot of sense that one would have to manually intervene in order to cut over to the fallback.

So I guess that is my question behind my question. Why start the fallback table as disabled? Would it not make a lot more sense to start it enabled so if service was down it would automatically cut over to fallback without manual intervention? Or is there somehow a danger that it will go to fallback when service is not down? Is that why fallback is started disabled?

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
relayd question - from the man page
Hi folks,

The manpage for relayd.conf has this basic construct in it a couple of times:

table <service> { 192.168.1.1, 192.168.1.2, 192.168.2.3 }
table <fallback> disable { 10.1.5.1 retry 2 }

redirect www {
        listen on www.example.com port 80
        forward to <service> check http "/" code 200
        forward to <fallback> check http "/" code 200
}

And also has this to say about the disable attribute.

    disable
        The redirection is initially disabled. It can be later enabled through relayctl(8).

What I don't understand from the given examples is how fallback above is getting re-enabled. It starts out with the table disabled - I get that. But then within the redirect we are basically saying (correct me if I am wrong) "always use service unless it is not available, in which case use fallback". But I don't see anywhere that fallback was re-enabled so how can it be used? And I search through the manpage and don't see any mention of this. Does it automatically get re-enabled within the redirect - forward? And if that is the case, what was the point of starting it disabled in the first place?

thanks, -Alan
-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: carp not reverting to master
On Wed, Oct 15, 2014 at 2:13 PM, Marko Cupać marko.cu...@mimar.rs wrote:
> Oct 14 15:21:19 bgp1 /bsd: carp2: state transition: MASTER -> BACKUP
> Oct 14 15:21:19 bgp1 /bsd: carp1: state transition: MASTER -> BACKUP
> Oct 14 15:21:22 bgp1 /bsd: carp1: state transition: BACKUP -> MASTER
> Oct 14 15:21:22 bgp1 /bsd: carp2: state transition: BACKUP -> MASTER
> Oct 14 15:22:52 bgp1 /bsd: carp2: state transition: MASTER -> BACKUP
> Oct 14 15:22:52 bgp1 /bsd: carp1: state transition: MASTER -> BACKUP
> Oct 14 15:22:53 bgp1 /bsd: carp3: state transition: MASTER -> BACKUP
> Oct 14 15:23:02 bgp1 /bsd: carp3: state transition: BACKUP -> MASTER
> Oct 14 15:23:03 bgp1 /bsd: carp1: state transition: BACKUP -> MASTER
> Oct 14 15:23:03 bgp1 /bsd: carp2: state transition: BACKUP -> MASTER

This looks to me like you have flapping taking place because of your ifstated configuration. Something is wrong with /etc/ifstated.conf on one end or the other.

-- "Don't eat anything you've ever seen advertised on TV" - Michael Pollan, author of In Defense of Food
Where is the 'tar' source code?
Hey folks,

I'm experiencing some really bizarre behavior with tar when trying to pass it a list of files with the -I option, and I want to look at the source code but alas it is not in the tree that I can find. Yet the machine having the issue was built on this very same build machine. I'd expect it to be here:

root@openbsd-build32 /usr/src # which tar
/bin/tar
root@openbsd-build32 /usr/src/bin # ls
CVS           chio    date        echo      kill   md5    pax    rm     stty
Makefile      chmod   dd          ed        ksh    mkdir  ps     rmail  sync
Makefile.inc  cp      df          expr      ln     mt     pwd    rmdir  systrace
cat           csh     domainname  hostname  ls     mv     rcp    sleep  test
root@openbsd-build32 /usr/src # find . -name tar

thanks, -Alan
-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Where is the 'tar' source code?
Aha, should have figured to look for a link! Anyway, I solved my problem without looking at source code. There was a blank line in the file I was using with -I, and that caused tar/pax to barf.
Re: rc.conf issue on upgrade from 5.5 to 5.6
On Fri, Oct 10, 2014 at 5:35 PM, Stuart Henderson s...@spacehopper.org wrote:
> Yep. You *have* to run sysmerge for this upgrade or you will have
> broken rc scripts.

Note to self ...

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Securing communications with OpenBSD
On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez carlopm...@gmail.com wrote:
> Is my approach correct? Any other better solution? Is it stupid this approach?

You did not really state what your goal was. Or what the problem is. Securing communications between front and back end via SSH/SSL is not a goal or problem. It is a solution to a problem.

To me it seems a bit strange that you'd want to do this if they are all in the same rack, for example, connected to switches that you control. Is the goal just to make your infrastructure as secure as possible?

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Securing communications with OpenBSD
On Mon, Oct 6, 2014 at 4:17 PM, Giancarlo Razzolini grazzol...@gmail.com wrote:
> Traffic in the clear, even on a switch controlled by you, doesn't mean
> that anyone with physical access couldn't tap into your switch and see
> the traffic.

Which is why you need to lock down the switch as well. Password protected. Disable all unused ports. Have some kind of MAC detection to detect and alert unknown MACs (e.g. infoblox or something home rolled - not that difficult).

Good security is also a matter of the policies and procedures you have in place. Who has root access? How do they access root? (sudo is best - and log it all). Is there a change management policy and procedure?

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, Oct 3, 2014 at 10:25 AM, Bryan Steele bry...@gmail.com wrote:
> So, you visit an order page likely content on providing your billing
> information and shipping address, but it's the use of Javascript that
> sways your final decision to order?

I thought it was the ellipsis that did it :-)

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: carp not reverting to master
You have not yet shown the output of ifconfig Check the advskew values on the interfaces. When carpdemote values are equal then advskew determines who is MASTER
Re: carp not reverting to master
On Thu, Oct 2, 2014 at 11:03 AM, Marko Cupać marko.cu...@mimar.rs wrote:
> I have posted advskew values in initial mail (0 on masters, 100 on backups).

That shows me what they are supposed to be. That does not show me what they actually are. ifconfig output will show what they actually are.

-- "Don't eat anything you've ever seen advertised on TV" - Michael Pollan, author of In Defense of Food
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 4:56 PM, Josh Grosse j...@jggimi.homeip.net wrote:
> They happen whenever a fix is backported but not deemed critical enough
> or in wide enough use for errata. Here's the first two I found in
> 5.5-stable, there may be others but I stopped looking, since you just
> wanted a couple of examples.

Thanks. How do I go about finding those myself?

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Build is hard-coded to /usr/src and /usr/obj?
Hi folks, This seems to be the case but wondering whether there is a way to override this. In particular I want to be able to build 5.5 -stable and then 5.5 -release + patches and keep the two source trees separate. thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Build is hard-coded to /usr/src and /usr/obj?
On Wed, Oct 1, 2014 at 11:20 AM, Josh Grosse j...@jggimi.homeip.net wrote: Guidance for environment variable setting can be found in the top level src/Makefile, and also in the /usr/share/mk/bsd.README -- and you may find the bsd.own.mk Makefile helpful. Dang, should have thought to look there. I was looking at the release manpage which gives the details on how to build from source. There is mention there of env vars for building the final release, but not for alternate source code locations. -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Change routing tables when ISP goes down
ifstated could do it ...
No SSH fingerprints for Alberta Anon CVS Server?
Hi again folks, This is yet another email relating to my search for a secure way to download -stable source. When I first started building -stable a couple of weeks ago I chose the Alberta CVS server because I considered it Home Base (or maybe I should say Center Ice? :-)) Now that I have the building down pat I am looking at ways to ensure I have the correct source code. So I'm looking at what someone mentioned in my other thread I started - verify SSH fingerprints. However, it seems that all the servers except the Alberta one have this information published at http://www.openbsd.org/anoncvs.html Is there a reason this one does not have its fingerprints listed? thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: No SSH fingerprints for Alberta Anon CVS Server?
On Wed, Oct 1, 2014 at 12:32 PM, trondd tro...@gmail.com wrote: Note: If your server is listed on here with inaccurate or unknown information, please contact b...@openbsd.org Yeah, damned if you do, damned if you don't. I saw that and was not 100% sure whether this fell into that category and did not want to bug him and/or get chewed out for bugging him. So I figured I'd ask the list first. Thanks, I'll just check with beck@ -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Change routing tables when ISP goes down
On Wed, Oct 1, 2014 at 2:10 PM, Gerald Chudyk gchu...@gmail.com wrote: I have been casually working on this for some time now. Hey, nice work! -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
How to follow -stable and verify it with signify?
Hi folks, I've been googling for a couple of hours now and not coming up with much here. I see how to download the -release source and then verify it, but I cannot find any way to grab -stable from CVS and do the same. I guess the only way I do see is to start out with the -release code, verify it, and then download each patch and apply it after verifying. That looks to me like it would be a lot of jumping through hoops. Am I missing something somewhere? Or is there really no way to do this (directly)? thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 10:27 AM, Stefan Olsson stefan.karl.ols...@gmail.com wrote: I don't do this myself, but stable=patch branch, i.e. release + patches. All info you need is really in these two pages: Yes, I have it working great already. But at no point during that process does it have me verify that the source code I have downloaded is safe and came from the place I was expecting to get it from. That's the part I'm asking about. thanks, -Alan -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: How to follow -stable and verify it with signify?
Sounds like I'll need to go with the signed tarballs for the -release and then apply the signed patches to get -stable. Dangit, I already had my process down (building from CVS) and now I have to change it ...
Re: How to follow -stable and verify it with signify?
On Tue, Sep 30, 2014 at 4:21 PM, Stuart Henderson s...@spacehopper.org wrote: binpatchng can help you with this process. I will have to look into that But note that -stable sometimes has extra commits that don't have errata; release+patches is not quite the same thing as -stable. Can you give 1 or 2 examples? I've been digging into this and it actually looks like release+patches will be easier for me to build than -stable -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: OT: Goldman Sachs rescued(?) by Google
On Tue, Sep 23, 2014 at 3:43 AM, Maurice McCarthy m...@mythic-beasts.com wrote: OK I surrender! I get the message lol Hey at least I marked it OT: :-) -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
OT: Goldman Sachs rescued(?) by Google
Wow! I can't believe they could email something like that in the first place without encrypting it first. Holy moly! -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: OT? - people going to EuroBSDcon in Sofia
Personally I would not consider this off-topic in the least ... Sadly, I will not be going. But I may see you at the next one in Ottawa :-)
Re: Automated PXE install auto_install issue (was: Serva)
On Sat, Aug 30, 2014 at 12:54 PM, Jiri B ji...@devio.us wrote: And you probably didn't mention problem with auto_install as 'filename' :) See http://devio.us/~jirib/pxelinux-openbsd.html Quote : The caveat is how pxelinux reacts when filename is set to auto_install, as stated in autoinstall(8). pxelinux would use the value and it would split it on underscore character and use the beginning part as prefix for every path it is supposed to be loaded. Awesome! Thanks for that tip! I had set up an auto-installer about a month ago to do Linux and BSD installs and hit upon this fairly major stumbling block. I ended up doing things a bit differently that requires some manual steps but this should let me get it back going the way I want. There were some other issues I'd found with the OpenBSD auto install - I should summarize them to the list. Room for improvement. As a first release of an auto installer it is pretty good though. One nice addition would be if there is no answer in the automated answer file, then prompt for that question. I was surprised to find out that OpenBSD requires you to have all questions answered or else it bombs out. I'll check my notes to see whether there was anything else. -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Problems with older nc without -N option ... also how to detect nc version
Hi folks,

I'm writing some scripts to clone over the network, and since I have mostly boxes that do not have the -N option on nc, this is proving to be an issue.

I have a bunch of dump files - one for each filesystem - that were created from a live system. When I want to send them back over the network to another system, it seems that the sender never really sees the end of the file.

On the sender I do:

  nc DEST_IP DEST_PORT < dump.file

On the receiver I do simply:

  nc -l DEST_PORT | restore -rf -

That send/receive pair will just hang there forever. But if I add the -N option to the sender, it works as expected.

However I've also implemented some rudimentary handshaking - when the recipient is done with the file I do:

  echo OK | nc SENDER_IP DEST_PORT

Note no -N option - and it works great. The other end is just doing:

  nc -l DEST_PORT

The difference seems to be the pipe. So I'm thinking maybe introduce a superfluous dd on the original sender, perhaps:

  dd if=dump.file | nc DEST_IP DEST_PORT

But I try that and get the same results - they will just stay in that state forever. Any ideas on how to solve this problem? Is there some way I can tell dd to do something differently? Looking at the man page did not turn up much obvious.

Also, I'd like for my script to use the -N option if it is available, but I don't see any easy way to detect that. I can do a man nc and grep for -N, which seems clumsy. nc does not seem to have a command line option to get it to tell you what version it is. I tried just doing a pseudo-call with -N and checking the return code, but it seems to always return 1 no matter what I do. I even went into the source code to see what was up with that. Anyone have any ideas here?

The only thing I can think of is to write a little subroutine on the sender which backgrounds itself and monitors the mounted disk. When the disk usage does not change for X seconds, kill the running 'nc'. It should work but oh man is that hacky!

thanks,
-Alan
-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Problems with older nc without -N option ... also how to detect nc version
On Wed, Aug 27, 2014 at 12:56 PM, Alan McKay alan.mc...@gmail.com wrote: Anyone have any ideas here? Well I'd been through the nc man page close to a dozen times ... and just this one last time noticed the -w option for timeout Works a charm! -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
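An added example, not code from either message above: two loopback socket peers stand in for `nc -l PORT | restore -rf -` and `nc HOST PORT < dump.file` to show why the older nc hangs and what -N and -w each change. nc -N does a shutdown(2) of the socket's write side once stdin hits EOF, so the receiver sees end of stream; without it the socket stays open and the receiver's read blocks, until an idle timeout (what -w supplies) ends it. The payload is constructed.

```python
"""Added example (not from the thread): the hang behind `nc` without -N.

The receiver reads until EOF, like `nc -l PORT | restore -rf -`.  The sender
either half-closes after sending (what nc -N does on stdin EOF) or leaves the
socket open (an older nc), in which case only an idle timeout (what nc -w
gives you) lets the receiver finish.  Both cases deliver the whole payload;
they differ in how the receiver learns that it is over."""
import socket
import threading

# Constructed stand-in for a dump file (48 KiB).
DUMP = b"constructed dump payload\n" * 2048


def receiver(listen_sock, result, timeout):
    """Accept one connection and read until EOF or until `timeout` idle seconds."""
    conn, _ = listen_sock.accept()
    conn.settimeout(timeout)
    chunks = []
    try:
        while True:
            buf = conn.recv(65536)
            if not buf:                   # EOF: peer closed or half-closed
                result["status"] = "eof"
                break
            chunks.append(buf)
    except socket.timeout:
        result["status"] = "timeout"      # without -w this would block forever
    finally:
        result["data"] = b"".join(chunks)
        conn.close()


def transfer(payload, half_close, timeout=1.0):
    """Send payload over loopback; return (how the receiver ended, bytes received)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=receiver, args=(srv, result, timeout))
    t.start()

    snd = socket.create_connection(("127.0.0.1", port))
    snd.sendall(payload)
    if half_close:
        snd.shutdown(socket.SHUT_WR)      # the -N behaviour: signal EOF to the peer
    t.join()                              # receiver returns on EOF or on timeout
    snd.close()
    srv.close()
    return result["status"], result["data"]
```

With half_close=False the call still returns the full payload, but only after the receiver's idle timeout fires, which is exactly the difference -w makes.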
Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)
On Sat, Aug 23, 2014 at 6:21 AM, Stuart Henderson s...@spacehopper.org wrote: It may be easier to installboot(8) after copying. Yeah I used installboot -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Cloning an OpenBSD system (and potential FAQ (4.15) error?)
Hi folks,

I've done this a (n exaggerated) million times on Linux but I'm new at OpenBSD. Google found me a few options and I just want to see whether there are any more that I missed.

FAQ 4.15 addresses this matter and says : Unfortunately, there are no known disk imaging packages which are FFS-aware

However my googling turned up http://clonezilla.org/, and their FAQ claims that they understand UFS. More googling tells me that UFS and FFS are the same thing. However I have not yet tried Clonezilla.

I have also found this : http://www.ualberta.ca/~antoine/clone/openbsd.html

Also looks promising. I like the looks of the latter since it seems to allow me to run the first part on a live system, to make a copy of that system (can anyone confirm that?). I'd much rather not have to take it down to make the image since I don't have to do that when I clone Linux. And my production systems will be happier that way :-)

Clonezilla looks to be all-singing-all-dancing, but seems to require me to boot from their CD or USB in order to make a copy of my original system (can anyone confirm or refute?). Not a massive issue in my DEV rack but not ideal in production.

In Linux the way I do systems is to boot the target system in Live Linux (Ubuntu), and then partition the HD(s) the way I want, and mount them up under /mnt/target/ with that being my root. Then run rsync locally to copy the master live system into /mnt/target. Use a couple of options to tell it what not to copy. Works awesome. The above perl scripts from U Alberta seem to be at least a bit similar to this procedure.

Are there any options I am missing that I should look at? Has anyone used the above methods and can comment on how well they work or whether or not I should just avoid one or the other?

thanks,
-Alan
-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)
Wow, thanks for the responses so far! An ancillary question: am I going to have any issues bringing it up in a VM? I know that for example NIC names will change so I'll have to rename hostname.bnx0 to hostname.em0. Any other gotchas?
Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)
On Fri, Aug 22, 2014 at 10:22 AM, Jiri B ji...@devio.us wrote: What about automated installation and configuration management to do the rest? What is this? -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)
On Fri, Aug 22, 2014 at 10:37 AM, sven falempin sven.falem...@gmail.com wrote: Openbsd is simple, you may easily script an install or use the automated install feature, i.e. a file containing the answer to the install process. And finally siteXX.tgz to push your own file. Oh OK I missed that. Yes, we do this actually. But I need to clone/move a system that was created outside of that infrastructure. I'm actually working towards pulling it into the automated installs and cloning/moving it is part of that. We've got a pretty slick system with svn and maven for doing this. Just one outlier that needs to be brought in. -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)
On Fri, Aug 22, 2014 at 10:28 AM, Christopher Zimmermann chr...@openbsd.org wrote:
> I usually do
>   dump -0auf 140822var.dump0 /var
> for dumping /var in a file or
>   dump -0auf - /var |nc -l 1
> on source and
>   restore -rf - |nc source 1

OK I want to try this so that I have better control of things and understand it all better

On the restore side I guess I have to have the new /var mounted in the cwd where I run this command? e.g.

  mkdir /mnt/var
  chmod 0777 /mnt/var
  mount /dev/foo /mnt/var
  cd /mnt/var

and shouldn't the restore/nc be the other way around? So now :

  nc source 1 | restore -rf -

Also, I have the OpenBSD install CD booted and I exited to shell, but there does not seem to be an nc there. What are you booting on the restore side?

And do you have the -l option on the correct end up there? I'm relatively new to nc as well but man page says that is listen for incoming connection

-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)
On Fri, Aug 22, 2014 at 11:07 AM, Alan McKay alan.mc...@gmail.com wrote: Also, I have the OpenBSD install CD booted and I exited to shell, but there does not seem to be an nc there. What are you booting on the restore side? Looks like this problem is easily solved thus : http://livecd-openbsd.sourceforge.net/ Is that a trustworthy product? And the intricacies of dump/restore/nc I can work out on my own ... -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)
Clone worked great with the LiveCD booted in the destination, and dump/restore/nc I will be happy to document it for the FAQ if anyone wants it there. Not sure what the process is for that. And I will also be happy to update the FAQ regarding the aforementioned error. Now, I do have one problem with the cloned system, but I'll start a new thread for it.
CARP interfaces stay in BACKUP on cloned system
Hey folks,

I got my system cloned and it runs fine in a VM. I had to make a few obvious changes like changing bnx to em in all the places where I define things with interfaces. So /etc/hostname.* /etc/pf.conf, /etc/relayd.conf. And I grepped for bnx in /etc/* and /etc/*/* to make sure I did not miss anything.

But darnit those CARP interfaces do not want to leave BACKUP state. Even when I used ifconfig and state master to force it to master - nope.

And there is currently no firewall partner for the pair. There was not for the original and it was working fine. It is configured as one of a pair with pfsync and so on, but its partner has been missing for some time.

But - if I copy a hostname.carpX to a new file, give it a new vhid, and then sh /etc/netstart carpY the new interface comes up in MASTER. Just all of the existing ones before the clone want to stay in BACKUP

I've destroyed them and brought them back up. I've put state master into the hostname.carpX. I'm really stumped here - any thoughts on the matter?

Any thoughts? Do MAC addresses get cached somewhere maybe? Something like that?

thanks,
-Alan
-- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: troubleshooting carp [solved]
This is very interesting. I have the faulty config in 5.5 but it seems to work. But we have it all on 1 line if that matters and we also specify carpdev

---snip---
This doesn't work so well:

  # cat /etc/hostname.carp0
  inet 192.168.16.1/24 vhid 100 pass blahblah advbase 5 advskew 0

This works however:

  # cat /etc/hostname.carp0
  vhid 100 pass blahblah advbase 5 advskew 0
  inet 192.168.16.1/24
Re: named does not start?
On Wed, Aug 20, 2014 at 3:08 PM, Christer Solskogen christer.solsko...@gmail.com wrote: named_flags= Try named_flags= I had the same issue with httpd in 5.5. It seems that ntpd lets you have blank after =, but not httpd Not running named on this system so dunno : ntpd_flags= # enabled during install httpd_flags= # for normal use: -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: troubleshooting carp
On Thu, Aug 14, 2014 at 2:36 PM, Stefan Olsson stur...@hotmail.com wrote: That begs the question though - http://begthequestion.info/ :-) (former philosophy major ...) -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: [Bulk] Re: Donations to OpenBSD
On Thu, Aug 14, 2014 at 4:40 PM, Daniel Villarreal yclwebmas...@gmail.com wrote: It means Producer, or maker also manufacturer ... -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food