Re: Network appliance recommendation.
I recommend the Atom 1U by Supermicro. If you buy a PCI riser with it you can extend how many interfaces you have (the board comes with two). You can get a cheap SSD and you're set. I've been running one as a firewall/VPN for two years and it works great.

Sent from my iPhone

On Aug 9, 2013, at 11:06 AM, Francisco Valladolid H. fic...@gmail.com wrote:

Hi folks. Currently I have a wireless network serving in my town using a small form factor (mini-ITX) PC with OpenBSD for pf, squid, and DNS cache. I need recommendations for a network appliance in rack mode with flash storage and five RJ45 ports. Can anyone recommend a solution for my needs? I'm disappointed using other network solutions from proprietary brands in the market. Best Regards. P.S. Sorry for my bad English.

-- Francisco Valladolid H. -- http://blog.bsdguy.org - Jesus Christ follower.
Re: Network appliance recommendation.
I second this. An Atom board with ECC and a PCI NIC to add the ports you need is a great solution. I have a Supermicro running and the performance is fantastic. I think you can get a 1U barebones for a good price.

On Aug 9, 2013, at 9:27 PM, William Ahern will...@25thandclement.com wrote:

On Fri, Aug 09, 2013 at 06:50:19PM -0500, Francisco Valladolid H. wrote:

On Fri, Aug 9, 2013 at 5:22 PM, Hermes Ojeda Ruiz hermes@gmail.com wrote:

I've used the Soekris brand. http://soekris.com/, but they are a little expensive. (In México taxes are a big problem).

Yes, taxes and import duties are a pain. I have a pair of Soekris 4501 still running OpenBSD 4.6! In two months I'll test ALIX appliances: http://pcengines.ch/alix.htm I haven't found rack cases for these cards.

Try netgate.com. They resell and repackage from various vendors, including PC Engines. They sell ALIX boards in 1U cases.

I need to upgrade my ALIX board 'cause it's too slow for IPSec, even with the VPN card.

Intel just came out with new Atom chips with ECC support. http://www.newegg.com/Product/Product.aspx?Item=N82E16813182782 It might be easier and cheaper to just toss that into a 1U case.
PF Queues not working
Hello misc,

I have an OpenBSD 5.1 firewall running with PF and four interfaces. One is not active, but I have one ext, one int and one dmz. I'm trying to get QoS working and I'm having issues. My pf rules load fine but everything seems to be applied to only one queue regardless of the traffic. Now, because I have three interfaces, soon to be four (VoIP on the other interface), I'm trying to get it running on just the inside part before I shape the other interfaces. Here is my pf.conf for the most part (I used the packet tagging guide in the FAQ). I've commented out the pass out rules on the ext interface at the bottom because they're not working as intended. Everything gets applied to the bulk queue regardless of the traffic type.

## MACROS ###
int = re0
dmz = fxp0
ext = re1
int_net = 192.168.200.0/24
dmz_net = 192.168.100.0/24
RFC1918 = { 10/8 172.16/12 192.168/16 }
# outbound services from internal network
int_tcp_services = { 443, 22, 53, 21, 143, 110, 25, 587, 993, 465, 995 }
int_udp_services = { 53 }
### outbound services from dmz - control outbound dmz - http/smptp/dns/https/dns/smtp-ssl/github
dmz_services = { 20, 21, 80, 25, 53, 443, 587, 9418, 4242, 11371, 17662, 3690 }
# service hosts
webserver = 192.168.100.x
sharepoint = 192.168.200.10
# inbound services
web_services = { 22, 80, 3000 }
sp_services = { 443, 52164 }
openvpn = {xxx}
### END MACROS ###

## QOS #
altq on $ext bandwidth 30Mb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
queue ack bandwidth 30% qlimit 500 hfsc (realtime 20%)
queue dns bandwidth 5% qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 20% qlimit 500 hfsc (realtime 20%) { ssh_login, ssh_bulk }
queue ssh_login bandwidth 50% qlimit 500 hfsc
queue ssh_bulk bandwidth 50% qlimit 500 hfsc
queue bulk bandwidth 20% qlimit 500 hfsc (realtime 20% default, ecn)
queue web bandwidth 5% qlimit 500 hfsc (realtime (10%, 1, 5%))
queue mail bandwidth 5% qlimit 500 hfsc (realtime 5%)
queue bittor bandwidth 1% qlimit 500 hfsc (upperlimit 95%)
queue spamd bandwidth 1% qlimit 500 hfsc (upperlimit 1Kb)

## TABLES
table <spamd> persist file "/etc/spammers"
table <bastards> persist file "/etc/pf.tables/bastards"
table <emerging_threats_blocklist> persist file "/etc/pf.tables/etblocklist"

## OPTIONS
set skip on { lo0, enc0 }
set block-policy drop
set loginterface re1

## NORMALIZE TRAFFIC
match in all scrub (no-df max-mss 1440)

# NAT RULES
match out on $ext tag LAN_TO_INET tagged LAN nat-to ($ext)
match out on $ext tag DMZ_TO_INET tagged DMZ nat-to ($ext)
match out on $ext tag FTP_PROXY nat-to ($ext)

### BLOCKING AND PACKET TAGGING
block log all
antispoof for { lo0 re0 re1 em0 }
block in quick on $ext from $RFC1918 to any
block out quick on $ext from any to $RFC1918
block in log quick on $ext from <bastards>
block in log quick on $ext from <emerging_threats_blocklist>

#LAN OUT
pass in quick on $int from $int_net to $dmz_net tag LAN_TO_DMZ label LAN_TO_DMZ
pass in quick on $int from $int_net tag LAN label LAN_TO_INET

#OPENVPN
pass in quick on tun0 from any tag VPN_TRAFFIC label VPN_Traffic

#DMZ OUT
pass in log on $dmz proto tcp from $dmz_net to any port $dmz_services tag DMZ label "DMZ_OUT:$proto:$dstport"
pass in log on $dmz proto udp from $dmz_net to any port domain keep state tag DMZ label "DMZ_OUT:$proto:$dstport"

#SPAMD and FTP-PROXY
anchor "ftp-proxy/*"
pass in log quick on $dmz proto tcp from $dmz_net to any port 21 divert-to 127.0.0.1 port 8021 tag FTP_PROXY
#pass in log quick on $int proto tcp from $int_net to any port 21 divert-to 127.0.0.1 port 8021 tag FTP_PROXY
pass in on $ext proto tcp from <spamd> to port smtp rdr-to 127.0.0.1 port 8025 tag SPAMD

#INBOUND TRAFFIC
#OPENVPN TO FIREWALL
pass in on $ext proto udp from any to $ext port $openvpn keep state

#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ label "DMZ_INBOUND_WEBSERVER:$proto:$dstport"

#NAT INBOUND TO Sharepoint
pass in log on $ext proto tcp from any to any port $sp_services rdr-to $sharepoint tag INET_TO_Sharepoint label "SHAREPOINT_INBOUND:$proto:$dstport"

#POLICY ENFORCEMENT
pass in quick on $ext tagged SPAMD
pass out quick on $ext tagged FTP_PROXY
#pass out on $ext inet proto tcp from $ext to any modulate state queue ( bulk, ack ) tagged LAN_TO_INET
#pass out on $ext inet proto tcp from $ext to any modulate state queue ( web ) tagged LAN_TO_INET
#pass out on $ext inet proto { tcp, udp } from $ext to any port 53 queue (dns) tagged LAN_TO_INET
pass out on $ext tagged LAN_TO_INET
pass out on $ext tagged DMZ_TO_INET
pass out quick on $dmz tagged LAN_TO_DMZ
pass out quick on $dmz tagged INET_TO_DMZ
pass out quick on $int tagged INET_TO_Sharepoint
pass out quick on $int tagged VPN_TRAFFIC
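With altq, a packet is assigned to a queue only by a matching rule that carries a queue clause; whatever is never assigned is sent to the queue marked default, which in this ruleset is bulk. The only active pass out rules on $ext here are the plain "tagged" ones without a queue clause, which matches the symptom described. The following Python script is an added example, not the poster's code and not a pf tool: it walks a pf.conf, expands the interface macros, and reports every pass out rule on an altq interface that has no queue clause, plus any queue name a rule references but no queue line defines. SAMPLE_PF_CONF is a constructed cut-down of the posted ruleset; rules without an "on <if>" clause are ignored by the check.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the pf.conf posted in this thread (not the poster's
# file verbatim): the "pass out" rules that carry a queue clause are commented out,
# so the only active pass out rules on the altq interface assign no queue.
SAMPLE_PF_CONF = """\
ext = re1
dmz = fxp0
altq on $ext bandwidth 30Mb hfsc queue { ack, dns, bulk, web }
queue ack bandwidth 30% qlimit 500 hfsc (realtime 20%)
queue dns bandwidth 5% qlimit 500 hfsc (realtime 5%)
queue bulk bandwidth 20% qlimit 500 hfsc (realtime 20% default, ecn)
queue web bandwidth 5% qlimit 500 hfsc (realtime (10%, 1, 5%))
#pass out on $ext inet proto tcp from $ext to any modulate state queue ( bulk, ack ) tagged LAN_TO_INET
#pass out on $ext inet proto { tcp, udp } from $ext to any port 53 queue (dns) tagged LAN_TO_INET
pass out quick on $ext tagged FTP_PROXY
pass out on $ext tagged LAN_TO_INET
pass out on $ext tagged DMZ_TO_INET
pass out quick on $dmz tagged LAN_TO_DMZ
"""

Audit = namedtuple("Audit", "altq_ifaces queues default_queue unqueued_rules unknown_queues")

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?(.+?)"?\s*$')
ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)")
QUEUE_DEF_RE = re.compile(r"^queue\s+(\S+)")
PASS_OUT_RE = re.compile(r"^pass\s+out\b.*?\bon\s+(\S+)")
QUEUE_USE_RE = re.compile(r"\bqueue\s*\(?\s*(\w+(?:\s*,\s*\w+)*)")


def active_lines(text):
    """Yield the non-empty lines of a pf.conf with comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_macros(text):
    """Collect 'name = value' macro definitions."""
    macros = {}
    for line in active_lines(text):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def expand(token, macros):
    """Expand $macro references in one token; unknown macros are left as written."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), token)


def audit_pf_conf(text):
    """Report pass out rules on an altq interface that assign no queue, and queue
    names referenced by rules but never defined by a 'queue' line."""
    macros = parse_macros(text)
    altq_ifaces, queues, default_queue = set(), set(), None
    unqueued, unknown = [], []
    for line in active_lines(text):
        m = ALTQ_RE.match(line)
        if m:
            altq_ifaces.add(expand(m.group(1), macros))
            continue
        m = QUEUE_DEF_RE.match(line)
        if m:
            queues.add(m.group(1))
            if re.search(r"\(.*\bdefault\b.*\)", line):  # scheduler option 'default'
                default_queue = m.group(1)
            continue
        m = PASS_OUT_RE.match(line)
        if not m or expand(m.group(1), macros) not in altq_ifaces:
            continue
        use = QUEUE_USE_RE.search(line)
        if use is None:
            unqueued.append(line)  # traffic matched here lands in the default queue
            continue
        for name in re.split(r"\s*,\s*", use.group(1)):
            if name not in queues:
                unknown.append((line, name))
    return Audit(altq_ifaces, queues, default_queue, unqueued, unknown)


def report(text):
    """Human-readable summary of audit_pf_conf()."""
    a = audit_pf_conf(text)
    lines = [f"altq interfaces: {sorted(a.altq_ifaces)}; default queue: {a.default_queue}"]
    for rule in a.unqueued_rules:
        lines.append(f"no queue clause (traffic lands in '{a.default_queue}'): {rule}")
    for rule, name in a.unknown_queues:
        lines.append(f"undefined queue '{name}': {rule}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PF_CONF)))
```

Run it against the real file with `report(open("/etc/pf.conf").read())`; the rules it lists are the ones whose traffic will show up in the default queue in `pfctl -vsq` output, whatever tags they match on.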
Re: Absolute OpenBSD 2nd Edition pre-orders are up.
Bought the last one. Just ordered this one. Great book.

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-Original Message-
From: Francisco Valladolid H. [fic...@gmail.com]
Received: Sunday, 17 Mar 2013, 1:01am
To: Pablo Velasco Fernández [warlock...@gmail.com]
CC: Brandon Tanner [thelette...@gmail.com]; misc [misc@openbsd.org]
Subject: Re: Absolute OpenBSD 2nd Edition pre-orders are up.

Just ordered today! Best regards.

On Sat, Mar 16, 2013 at 10:46 PM, Pablo Velasco Fernández warlock...@gmail.com wrote:
I ordered mine yesterday too. :D

On Mar 17, 2013 8:38 AM, Brandon Tanner thelette...@gmail.com wrote:
I got mine ordered today, when do you think it will ship from No Starch Press?

On Sat, Mar 16, 2013 at 3:32 PM, Michael W. Lucas mwlu...@blackhelicopters.org wrote:
On Fri, Mar 15, 2013 at 11:59:28PM -0600, Austin Hook wrote:
Pre-orders for the 2nd Edition of Michael Lucas' Absolute OpenBSD are now up on the main order website. Expected to arrive about the same time we start shipping pre-orders for OpenBSD 5.3. Pre-orders for the latter will show up pretty soon as well. No special early discount, but the difference does go to support the project. Or, if you need to pinch those pennies (before they are discontinued), take the early order path suggested by Michael's website, rather than through the big online monopoly. He gets a bit more that way. You thought you knew all there is to learn in an introductory book to OpenBSD? You might be surprised. A reference when you need it, and worth a skim even just to see how OpenBSD has evolved over the last 10 years, if you have the original volume. http://www.openbsd.org/books.html#B10 And follow the links.

Excellent, Austin! Glad you got them. Linked from the book page. And thanks for the plug. Before anyone asks: I don't really care where you buy it.

==ml

-- Michael W. Lucas - mwlu...@michaelwlucas.com, Twitter @mwlauthor http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ Latest book: Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e coupon code ILUVMICHAEL gets you 30% off helps me.

-- Francisco Valladolid H. -- http://blog.bsdguy.net - Jesus Christ follower.
Re: Verizon FIOS, OpenBSD, and DHCP
You shouldn't have to input the Actiontec MAC. I feel your pain about the support though. It sucks. To alleviate this put the Actiontec back in. Log into it, go to the interface and actually release the IP. After that unplug it immediately. Plug your ONT into your BSD firewall and boot it up and you'll be good to go. You can also just run dhclient on your interface, but I found a solid reboot worked for me, as just requesting a new IP did not.

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-Original Message-
From: Liviu Daia [liviu.d...@romednet.com]
Received: Wednesday, 06 Feb 2013, 4:55am
To: misc@openbsd.org [misc@openbsd.org]
Subject: Re: Verizon FIOS, OpenBSD, and DHCP

On 6 February 2013, bofh goodb...@gmail.com wrote:
On Tue, Feb 5, 2013 at 11:18 PM, Jay Hart jh...@kevla.org wrote:
Solved this. It took Verizon three tries (three calls by me) to actually get the RJ-45 port working on the ONT.

Hmm... I had to set my MAC address to the Actiontec's.

$ cat /etc/hostname.em0
!ifconfig \$if lladdr 00:0f:b3:aa:aa:aa
dhcp

For what it's worth, it's probably useful to keep around a packet capture of a successful DHCP negotiation with your ISP. DHCP is a complicated protocol, and ISPs do weird things with it. A known-good packet capture might save you a lot of time when switching equipment.

Regards, Liviu Daia
Re: openbsd and vmware
I've personally never had issues and performance is good. I've been running a php-fpm/nginx stack with OpenBSD on VMware and performance has been great. The only issue is the tools install. I've had issues with that but it runs fine without it. I've also run it on KVM and found VMware to be better. I have iSCSI storage with ZFS as a backend and can't complain.

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-Original Message-
From: Bogdan Andu [bo...@yahoo.com]
Received: Tuesday, 05 Feb 2013, 6:04am
To: misc@openbsd.org [misc@openbsd.org]
Subject: openbsd and vmware

Hello, a few questions related to OpenBSD and VMware. What are the best practices to run OpenBSD in VMware? Are there any known problems one should take into consideration before virtualization? I already have a functional machine running OpenBSD 5.2/amd64 on bare metal. Is it possible to create a virtual machine from one already running, apart from installing the OS in a VM and then migrating and installing all applications? Thank you in advance, Bogdan
NGINX wordpress error 5.2
Hello all, I've configured a wordpress site on NGINX/OpenBSD 5.2/php_fpm. It works fine but I seem to have problems installing plugins and getting information from RSS feeds because the wordpress API can't seem to resolve hostnames. I suspect it has something to do with the fact NGINX is chrooted so I tried to move the resolv.conf over but nothing. Is there anything I need to move over to the /var/www directory to get name resolution working correctly with my web apps?
Re: NGINX wordpress error 5.2
Hello Aaron,

I thought so too. Here are the errors I'm getting:

WP HTTP Error: 0: php_network_getaddresses: getaddrinfo failed: temporary failure in name resolution

It seems to be an issue with PHP being unable to open a network connection?

-Original Message-
From: Aaron [mailto:def...@gmail.com]
Sent: Thursday, December 20, 2012 3:48 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: NGINX wordpress error 5.2

On Thu, Dec 20, 2012 at 1:45 PM, Bentley, Dain dbent...@nas.edu wrote:
Hello all, I've configured a wordpress site on NGINX/OpenBSD 5.2/php_fpm. It works fine but I seem to have problems installing plugins and getting information from RSS feeds because the wordpress API can't seem to resolve hostnames. I suspect it has something to do with the fact NGINX is chrooted so I tried to move the resolv.conf over but nothing. Is there anything I need to move over to the /var/www directory to get name resolution working correctly with my web apps?

Copying /etc/resolv.conf to /var/www/etc/resolv.conf should be all that is required.
Re: NGINX wordpress error 5.2
PHP_FPM is running as the www user, but the permissions on resolv.conf make it readable to everyone. Perhaps I missed installing a required PHP extension?

-Original Message-
From: Aaron [mailto:def...@gmail.com]
Sent: Thursday, December 20, 2012 3:53 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: NGINX wordpress error 5.2

On Thu, Dec 20, 2012 at 1:49 PM, Bentley, Dain dbent...@nas.edu wrote:
Hello Aaron, I thought so too. Here are the errors I'm getting:
WP HTTP Error: 0: php_network_getaddresses: getaddrinfo failed: temporary failure in name resolution

AFAIK, php-fpm will use your resolv.conf in /etc, as it isn't bound by the chroot that nginx is. Perhaps the issue is there?

It seems to be an issue with PHP being unable to open a network connection?

-Original Message-
From: Aaron [mailto:def...@gmail.com]
Sent: Thursday, December 20, 2012 3:48 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: NGINX wordpress error 5.2

On Thu, Dec 20, 2012 at 1:45 PM, Bentley, Dain dbent...@nas.edu wrote:
Hello all, I've configured a wordpress site on NGINX/OpenBSD 5.2/php_fpm. It works fine but I seem to have problems installing plugins and getting information from RSS feeds because the wordpress API can't seem to resolve hostnames. I suspect it has something to do with the fact NGINX is chrooted so I tried to move the resolv.conf over but nothing. Is there anything I need to move over to the /var/www directory to get name resolution working correctly with my web apps?

Copying /etc/resolv.conf to /var/www/etc/resolv.conf should be all that is required.
Re: NGINX wordpress error 5.2
You're correct, it is. The php-fpm.conf points to /var/www.

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of frantisek holop [min...@obiit.org]
Sent: Thursday, December 20, 2012 9:19 PM
To: misc@openbsd.org
Subject: Re: NGINX wordpress error 5.2

hmm, on Thu, Dec 20, 2012 at 03:58:53PM -0500, Bentley, Dain said that
PHP_FPM is running as the www user, but the permissions on resolv.conf make it readable to everyone. Perhaps I missed installing a required PHP extension?

php_fpm when installed from the ports is also running chroot by default IIRC.

-f

-Original Message-
From: Aaron [mailto:def...@gmail.com]
Sent: Thursday, December 20, 2012 3:53 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: NGINX wordpress error 5.2

On Thu, Dec 20, 2012 at 1:49 PM, Bentley, Dain dbent...@nas.edu wrote:
Hello Aaron, I thought so too. Here are the errors I'm getting:
WP HTTP Error: 0: php_network_getaddresses: getaddrinfo failed: temporary failure in name resolution

AFAIK, php-fpm will use your resolv.conf in /etc, as it isn't bound by the chroot that nginx is. Perhaps the issue is there?

It seems to be an issue with PHP being unable to open a network connection?

-Original Message-
From: Aaron [mailto:def...@gmail.com]
Sent: Thursday, December 20, 2012 3:48 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: NGINX wordpress error 5.2

On Thu, Dec 20, 2012 at 1:45 PM, Bentley, Dain dbent...@nas.edu wrote:
Hello all, I've configured a wordpress site on NGINX/OpenBSD 5.2/php_fpm. It works fine but I seem to have problems installing plugins and getting information from RSS feeds because the wordpress API can't seem to resolve hostnames. I suspect it has something to do with the fact NGINX is chrooted so I tried to move the resolv.conf over but nothing. Is there anything I need to move over to the /var/www directory to get name resolution working correctly with my web apps?

Copying /etc/resolv.conf to /var/www/etc/resolv.conf should be all that is required.
-- how much can i get away with and still go to heaven?
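The thread's conclusion is that nginx and the ports php-fpm both run chrooted to /var/www, so the resolver inside the jail needs its own copy of resolv.conf. The following Python check is an added example, not code from any poster: it reports the failure modes a practitioner hits with that copy, namely a missing file, an absolute symlink (which the chrooted process resolves against the jail root, where /etc/resolv.conf does not exist), a file the unprivileged www user cannot read, and a copy whose nameservers have drifted from the host's /etc/resolv.conf. The directory layout and the 192.0.2.53 nameserver built in demo() are constructed.

```python
import os
import stat
import tempfile


def nameservers(path):
    """Return the nameserver addresses listed in a resolv.conf-style file."""
    servers = []
    with open(path) as fh:
        for line in fh:
            fields = line.split()
            if len(fields) >= 2 and fields[0] == "nameserver":
                servers.append(fields[1])
    return servers


def check_chroot_resolver(chroot, host_etc="/etc"):
    """Return a list of problems with <chroot>/etc/resolv.conf; an empty list means it looks fine."""
    problems = []
    host_conf = os.path.join(host_etc, "resolv.conf")
    jail_conf = os.path.join(chroot, "etc", "resolv.conf")
    if not os.path.lexists(jail_conf):
        return [f"{jail_conf} is missing; copy {host_conf} there"]
    if os.path.islink(jail_conf) and os.path.isabs(os.readlink(jail_conf)):
        # Inside the chroot an absolute link target is looked up under the jail root,
        # so a link to the host's /etc/resolv.conf dangles for the chrooted process.
        return [f"{jail_conf} is an absolute symlink that points outside the chroot; copy the file instead"]
    mode = os.stat(jail_conf).st_mode
    if not mode & stat.S_IROTH:
        problems.append(f"{jail_conf} is mode {stat.filemode(mode)}; the www user cannot read it")
    if os.path.exists(host_conf):
        jail_ns, host_ns = nameservers(jail_conf), nameservers(host_conf)
        if not jail_ns:
            problems.append(f"{jail_conf} lists no nameserver")
        elif jail_ns != host_ns:
            problems.append(f"{jail_conf} nameservers {jail_ns} differ from {host_conf} {host_ns}; the copy is stale")
    return problems


def demo():
    """Build a constructed host /etc and chroot under a temp dir and run the check in four states."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        host_etc = os.path.join(tmp, "etc")
        chroot = os.path.join(tmp, "var", "www")
        os.makedirs(host_etc)
        os.makedirs(os.path.join(chroot, "etc"))
        with open(os.path.join(host_etc, "resolv.conf"), "w") as fh:
            fh.write("nameserver 192.0.2.53\n")  # constructed address from TEST-NET-1
        results["missing"] = check_chroot_resolver(chroot, host_etc)
        jail_conf = os.path.join(chroot, "etc", "resolv.conf")
        os.symlink(os.path.join(host_etc, "resolv.conf"), jail_conf)
        results["symlink"] = check_chroot_resolver(chroot, host_etc)
        os.unlink(jail_conf)
        with open(jail_conf, "w") as fh:
            fh.write("nameserver 192.0.2.53\n")
        os.chmod(jail_conf, 0o600)
        results["unreadable"] = check_chroot_resolver(chroot, host_etc)
        os.chmod(jail_conf, 0o644)
        results["ok"] = check_chroot_resolver(chroot, host_etc)
    return results


if __name__ == "__main__":
    for state, problems in demo().items():
        print(f"{state}: {problems or 'OK'}")
```

On the real box the call is `check_chroot_resolver("/var/www")`; the staleness check matters because anything that rewrites the host's /etc/resolv.conf (a new DHCP lease, a nameserver change) leaves the copy in the chroot unchanged.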
Re: bsd cloud
That would be great! KVM on OpenBSD. The Joyent folks did it with the illumos/OpenSolaris-based SmartOS. I would think a port to OpenBSD would be possible.

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-Original Message-
From: Jiri B [ji...@devio.us]
Received: Tuesday, 27 Nov 2012, 2:20pm
To: Friedrich Locke [friedrich.lo...@gmail.com]
CC: openbsd-misc [misc@openbsd.org]
Subject: Re: bsd cloud

On Tue, Nov 27, 2012 at 04:13:47PM -0200, Friedrich Locke wrote:
Hi folks, I have seen, some minutes ago, a message about cloud with BSD! I have seen announcements on cloud computing everywhere. What is the difference between a BSD cloud and a Linux cloud? A Windows cloud and a Linux cloud? Isn't all that the new buzzword in the market? So how would a BSD cloud be different in the context of cloud (not OpenBSD features)? So in essence, what is it that cloud really does that we have not been doing since networks have been in the game? Don't take this as an offense, I just cannot understand all this frenzy about clouds...

As qemu now has direct support for glusterfs (a distributed filesystem) and the glusterfs daemon[1] should run on any Unix-like OS, you can have an OpenBSD-based cloud too :D The problem with glusterfs is that you won't be able to mount it on OpenBSD like other POSIX filesystems, as there's neither support nor a FUSE-like workaround. You can of course try to port KVM to OpenBSD, hehe.

jirib

[1] http://community.gluster.org/q/does-glusterfs-support-freebsd/
Re: pfsense and or OpenBSD Home router.
I've had good luck with the supermicro 1u with the intel atom processors. Add a riser card, intel dual gig port nic, 2gigs of RAM and you have a good machine. I also put a 32 gig SSD and I have a quiet, low power packet pusher. I'd also drop the pfsense in favor of OpenBSD Regards, Dain Bentley -Original Message- From: Stuart Henderson [s...@spacehopper.org] Received: Wednesday, 12 Sep 2012, 5:37am To: misc@openbsd.org [misc@openbsd.org] Subject: Re: pfsense and or OpenBSD Home router. On 2012-09-12, Sean Kamath kam...@moltingpenguin.com wrote: [And now I'll CC the entire list. :-P) On Sep 11, 2012, at 2:47 AM, Peter N. M. Hansteen wrote: On Tue, Sep 11, 2012 at 11:38:28AM +0200, Shaka Nkofo wrote: http://store.netgate.com/Desktop-Kits-C82.aspx I found this shop while looking for parts to build a home router. Has anyone been through this and can give me links to cheap parts within Europe? For Alix, pcengines.ch could be a useful place to start. For those of us on even slimmer budgets, building infrastructure by dumpster diving works too. I ended up buying direct from PC Engines for my alix 2d13's. Even though I'm in the US, it was cheaper than netgate (where I bought a bunch of the exact same thing for work). I ended up getting the red metal cases because they were cheaper and in stock. ;-) And as far as I'm concerned, these little alix boards rock. Sean For ADSL type speeds they're pretty good for the price, but above 60Mbps or so (or less if you're doing a lot of small packets e.g. voip) they're definitely pushing it..
Re: Snort not logging to alerts files
I got it working fine. It's logging as expected. I have pf2snort installed and it seems to be working OK. I have portscans logging to portscan.log; if I could just log the portscans to the alert file so snort2pf can see it I'll be super happy.

Regards, Dain Bentley

-Original Message-
From: Markus Lude [markus.l...@gmx.de]
Received: Sunday, 09 Sep 2012, 9:52am
To: misc@openbsd.org [misc@openbsd.org]
Subject: Re: Snort not logging to alerts files

On Fri, Sep 07, 2012 at 11:54:07AM -0400, Bentley, Dain wrote:
Hello Misc, I've installed Snort on OpenBSD 4.9 from source and everything installed fine. When I configure the following rules I see alerts generated:

# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

/usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf -l /var/log/snort -i fxp1

So when I ping the outside interface I get the following in /var/log/snort/alert:

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:08.599075 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
Type:8 Code:0 ID:512 Seq:26063 ECHO

So now I know snort can see packets. Even though I have ICMP blocked on the outside interface it still logs it.

Why should snort not see them? snort sees packets which arrive at that interface. Packet filters handle packets later.

When I download and load the snort rules from the snort site nothing happens. The logfile sits empty.

What do you expect? Have you configured snort correctly? Are the rules you want to fire really enabled?

Has anyone successfully installed snort on OpenBSD and logged data?

Of course. Running recent snort on -current. Recently I sent an update of the snort port to ports@. Maybe you could help test it, so we have a more up-to-date snort version in 5.3.

Regards, Markus
Snort not logging to alerts files
Hello Misc,

I've installed Snort on OpenBSD 4.9 from source and everything installed fine. When I configure the following rules I see alerts generated:

# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

/usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf -l /var/log/snort -i fxp1

So when I ping the outside interface I get the following in /var/log/snort/alert:

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:08.599075 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
Type:8 Code:0 ID:512 Seq:26063 ECHO

So now I know snort can see packets. Even though I have ICMP blocked on the outside interface it still logs it. When I download and load the snort rules from the snort site nothing happens. The logfile sits empty. Has anyone successfully installed snort on OpenBSD and logged data?
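The post above shows Snort's "full" alert format, and the reply in this thread wants those alerts, portscans included, in the one file that snort2pf reads. The following Python parser is an added example, not code from any poster and not snort2pf: it parses that format into records (gid:sid:rev, message, priority, timestamp, endpoints, protocol), generalized beyond the ICMP case to TCP/UDP records that carry ports and to preprocessor alerts such as gid 122 portscan events, and tallies alerts per source address the way a pf table feeder would before deciding whom to add. The log below is constructed with RFC 5737 addresses; the sid 1000001 SSH rule and the "PROTO:255" line of the portscan record are assumptions about the format, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample in Snort's "full" alert format, modelled on the ICMP alert shown
# in the thread; addresses are RFC 5737 documentation ranges, the SSH and portscan
# records are made up for the example.
SAMPLE_ALERT_LOG = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:08.599075 198.51.100.7 -> 203.0.113.5
ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
Type:8 Code:0 ID:512 Seq:26063 ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:09.601210 198.51.100.7 -> 203.0.113.5
ICMP TTL:113 TOS:0x20 ID:25442 IpLen:20 DgmLen:28
Type:8 Code:0 ID:512 Seq:26064 ECHO

[**] [1:1000001:1] LOCAL ssh connection attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/07-10:31:15.120000 198.51.100.9:44123 -> 203.0.113.5:22
TCP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [122:1:1] (portscan) TCP Portscan [**]
[Priority: 3]
09/07-10:32:00.000000 198.51.100.9 -> 203.0.113.5
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:160
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(\S+) TTL:(\d+)")


def split_host(endpoint):
    """Split 'addr:port' into (addr, port); a bare IPv4 address gets port None."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alerts(text):
    """Parse a full-format alert file into a list of dicts, one per [**] record."""
    alerts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            current = {"gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
                       "msg": h.group(4), "priority": None, "timestamp": None,
                       "src": None, "src_port": None, "dst": None, "dst_port": None, "proto": None}
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first record
        p = PRIORITY_RE.search(line)
        if p:
            current["priority"] = int(p.group(1))
            continue
        f = FLOW_RE.match(line)
        if f:
            current["timestamp"] = f.group(1)
            current["src"], current["src_port"] = split_host(f.group(2))
            current["dst"], current["dst_port"] = split_host(f.group(3))
            continue
        pr = PROTO_RE.match(line)
        if pr and current["proto"] is None:
            current["proto"] = pr.group(1)  # ICMP, TCP, UDP or the preprocessor's PROTO:255
    return alerts


def hits_per_source(alerts, gids=None):
    """Count alerts per source address, optionally restricted to a set of generator ids
    (for example {122} for the portscan preprocessor)."""
    counts = Counter()
    for a in alerts:
        if a["src"] is not None and (gids is None or a["gid"] in gids):
            counts[a["src"]] += 1
    return counts


def block_candidates(alerts, min_hits=2, gids=None):
    """Sources that reached min_hits alerts; the kind of list a pf table feeder reviews."""
    return sorted(src for src, n in hits_per_source(alerts, gids).items() if n >= min_hits)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_LOG)
    for a in parsed:
        print(f"{a['timestamp']} [{a['gid']}:{a['sid']}:{a['rev']}] {a['proto']} {a['src']} -> {a['dst']} {a['msg']}")
    print("candidates:", block_candidates(parsed))
```

The parser keys on the `[**]` header line, so the ICMP type/code line and the TCP flags line are simply skipped; IPv6 endpoints are not handled by split_host.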
iked.conf question - multiple clients with certs.
Hello Misc,

I'm having a small issue with my iked.conf on my OpenBSD 4.9 firewall. I have the following config and it works fine:

ikev2 laptop passive esp \
	from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
	srcid xxx.xxx.xxx.xxx \
	config address 1.1.1.2

I have a Win 7 laptop with certs and I connect with no issue. Now I'd like to add a couple more clients to the mix. So I created certs for them and distributed them correctly and now have the following:

ikev2 home-PC passive esp \
	from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
	srcid xxx.xxx.xxx.xxx \
	config address 1.1.1.3

ikev2 laptop passive esp \
	from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
	srcid xxx.xxx.xxx.xxx \
	config address 1.1.1.2

But when I connect I cannot, and starting iked -dvv shows it's trying to connect with the laptop policy. I'm afraid I have the config wrong. Is this the correct way to add multiple clients and if not what should I do? I can't seem to find any info on the web or man pages.
Re: Windows 7 and IkeV2 VPN Issue
I see that now. It appears, after browsing through the lists more, that a change was committed sometime in May or June that fixed the issue.

Regards, Dain Bentley

-Original Message-
From: Mike Belopuhov [m...@crypt.org.ru]
Received: Friday, 27 Jul 2012, 6:54am
To: Bentley, Dain [dbent...@nas.edu]
CC: owner-m...@openbsd.org [owner-m...@openbsd.org]; misc@openbsd.org [misc@openbsd.org]
Subject: Re: Windows 7 and IkeV2 VPN Issue

On Thu, Jul 26, 2012 at 9:27 PM, Bentley, Dain dbent...@nas.edu wrote:
Hello fellow OpenBSD users, I've run into a couple of issues with setting up an IKE IPsec VPN with a Windows 7 native client. Now I've run through the lists and have found a solution to get it working somewhat how I'd like it working. And on my W7 client I have a static IP configured and am using machine certificates. I connect there with no issue and everything is kosher... kind of. I want to use a username and password so I have this in my iked.conf: user my user ID Wouldn't_you_like_to_know? When I do this I get an error: Error Code 13803 IKE Negotiation in progress and it just sits there. Has anyone gotten this to work before?

Sure.

Any help would be appreciated. Is there any setting or something I should apply? I'm running Windows 7 within NAT. Like I said, certs work fine, password and usernames do not.

Are you running -current version of iked? Because you have to.
Windows 7 and IkeV2 VPN Issue
Hello fellow OpenBSD users,

I've run into a couple of issues with setting up an IKE IPsec VPN with a Windows 7 native client. Now I've run through the lists and have found a solution to get it working somewhat how I'd like it working. I currently have this in my iked.conf:

ikev2 passive esp \
	from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
	srcid xxx.xxx.xxx.xxx \
	config address 10.10.10.1 \
	config name-server 192.168.200.x

And on my W7 client I have a static IP configured and am using machine certificates. I connect there with no issue and everything is kosher... kind of. I want to use a username and password so I have this in my iked.conf:

user my user ID Wouldn't_you_like_to_know?

ikev2 passive esp \
	from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
	eap mschap-v2 \
	srcid xxx.xxx.xxx.xxx \
	config address 10.10.10.1 \
	config name-server 192.168.200.x \
	tag $name-$id

When I do this I get an error: Error Code 13803 IKE Negotiation in progress, and it just sits there. Has anyone gotten this to work before?
I run iked in debug mode with verbose output and receive the following:

/etc/iked.conf: loaded 2 configuration rules
config_new_user: inserting new user my_user
user my_user password
config_getpolicy: received policy ikev2 win7 passive esp from 192.168.200.0/24 to 10.10.10.0/24 local any peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid xxx.xxx.xxx.xxx lifetime 10800 bytes 536870912 eap MSCHAP_V2 config address 10.10.10.7
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=/L=/O=xxx.com/OU=VPN/CN=cerberus.xxx.x/emailAddress=info@xxx.xx
config_getpfkey: received pfkey fd 4
ca_reload: loaded 1 ca certificate
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
ca_reload: loaded cert file xxx.xxx.xxx.xxx.crt
ca_validate_cert: /C=US/ST=/L=/O=xxx.com/OU=VPN/CN=xxx.xxx.xxx.xxx/emailAddress=i...@xxx.com ok
ikev2_dispatch_cert: updated local CERTREQ signatures length 20
ikev2_recv: IKE_SA_INIT from initiator xxx.xxx.xxx.xxx:56506 to xxx.xxx.xxx.xxx:500 policy 'win7', 792 bytes
ikev2_policy2id: srcid IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 792 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 520
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x46459f2713e1d8d3 0x xxx.xxx.xxx.xxx:56506
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x46459f2713e1d8d3 0x xxx.xxx.xxx.xxx:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 23
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x08 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x46459f2713e1d8d3 0x7916745180423feb xxx.xxx.xxx.xxx:500
ikev2_next_payload: length 28
Re: Tuning for pppoe over fibre 30M/1M link
You'll find the Atom performance is good. I have an Atom 330 with 2 gigs of RAM and dual on-board NICs with another PCI NIC and it runs great. I also have OpenVPN in bridge mode and squid running and no hiccups at all.

Regards, Dain Bentley

-Original Message-
From: David Diggles [da...@elven.com.au]
Received: Thursday, 31 May 2012, 4:51pm
To: misc@openbsd.org [misc@openbsd.org]
Subject: Re: Tuning for pppoe over fibre 30M/1M link

FYI I have now run the same pppoe(4) download test on a core2duo with OpenBSD 5.1, on the em0 interface. It beats the Mac.

Mac G5 dual core 2GHz: 3MB/s
Intel core2duo 3GHz, OpenBSD i386: 3.44MB/s

I have found on the Geode 300MHz that cleaning up the pf.conf, removing modulate state, and dropping no-df from scrub improves the throughput to 1.8MB/s.

I ordered an Atom with 3 Intel NICs, just arrived! Looking forward to testing it out.

The test I am doing is:
ftp -o /dev/null http://mirror.internode.on.net/pub/OpenBSD/5.1/src.tar.gz
Internode is my ISP.

On Mon, May 28, 2012 at 05:07:01PM +0200, Andre Keller wrote:
On 28.05.2012 15:26, David Diggles wrote:
Maybe I should try some of the kernel tuning suggested on calomel.

I would not even visit that site... It's mostly a waste of time as most of the tunings are not up-to-date or just plain wrong. OpenBSD ships with pretty sane defaults that normally do not need any tweaking unless you run some unorthodox configuration. If you need to tweak something look into the FAQ and the sysctl(3) man page and not calomel.org.

Could you please be a bit more specific about your setup? Are you using pppoe(4) or pppoe(8)? Do you see maxed out mbufs (netstat -m), a very high interrupt load (top / vmstat -i), ifq drops (sysctl net.inet.ip.ifq.drops), interface errors (netstat -i)? I'm running pppoe(4) on a lot of Geode 500MHz powered boxes and have no problem getting 30Mbit/s throughput of unencrypted traffic...

g Andri
Re: Backup Redundancy Etcetera
I second Bacula. It runs on pretty much any OS, has tons of options and is very configurable. You could run it on an OpenBSD server and back up your Windows and OpenBSD clients. If you have enough disk space, back up your clients to disk and migrate to tape for offsite. The Windows client is also stable and you can be very glandular with you config.

Regards, Dain Bentley

-Original Message-
From: Anonymous Remailer (austria) [mixmas...@remailer.privacy.at]
Received: Tuesday, 07 Feb 2012, 4:01am
To: misc@openbsd.org [misc@openbsd.org]
Subject: Re: Backup Redundancy Etcetera

Anonymous cripto () ecn ! org wrote:
Solaris ZFS

I've heard of it (ZFS) but here's the thing, I struggle enough keeping up with Windows and OpenBSD, I don't want to put another system into the mix.

Understood. Unfortunately or fortunately, however you look at it, OpenBSD doesn't have ZFS. But FreeBSD does. That could be another option with less of a learning curve than Solaris, which admittedly is steep. Another thing to consider is a prebuilt NAS appliance based on FreeBSD or OpenSolaris. There are numerous ones out there; check distrowatch.com.

What ZFS does for you, aside from offering pretty high quality software RAID and other redundancy/protection from data loss, is give you really nice management features like being able to do quotas and resize filesystems and compress (and with Solaris 11 even encrypt them) all from one central management interface instead of external or add-on tools. It's one stop shopping. It also makes NFS and SAMBA less painful since you don't have to play around with the normal share tables and portmapper stuff (not THAT big of a deal but not zero); you can just turn features on or off at the ZFS filesystem level. It's really ideal for a backup or NAS appliance. Again you must have known good hardware from the disks to the backplane to the RAM or ZFS will ruin your week or even your whole month. When it works, it works. When it doesn't, oh shit.
You could probably script Filezilla to SSH what you want to the file server. Good idea. I'll probably end up either installing the Microsoft NFS client and scripting that or use the bog standard ftp client and script that. The problem is the M/S NFS client only works on certain versions of Windows and not others. Even on the versions it is supposed to work on it doesn't always work. I have an XP Pro box that SFU refuses to install on.
Re: Backup Redundancy Etcetera
Damn auto-correct.

Regards,
Dain Bentley

-----Original Message-----
From: Josh Grosse [j...@jggimi.homeip.net]
Received: Tuesday, 07 Feb 2012, 10:22am
To: Bentley, Dain [dbent...@nas.edu]
Subject: Re: Backup Redundancy Etcetera

Bentley, Dain dbent...@nas.edu wrote:

and you can be very glandular with you config.

You have to hate auto correction software. :)
-- 
Sent from my phone. Please excuse any idiotic automated word choices. It wasn't me. Honest.
Re: Softraid raid 5 throughput problem
Drop the RAID 5 and go with a RAID 10 as you were talking about, but add a hot spare if you can. RAID 10 doesn't have a parity bit, which slows down write times. But if a disk is bad and isn't replaced you can have a bad day. Hot spares have saved my butt more than once.

Regards,
Dain Bentley

-----Original Message-----
From: keith [ke...@scott-land.net]
Received: Monday, 16 Jan 2012, 12:14pm
To: Joel Sing [j...@sing.id.au]
CC: misc@openbsd.org [misc@openbsd.org]
Subject: Re: Softraid raid 5 throughput problem

On 16/01/2012 15:43, Joel Sing wrote:

On Monday 16 January 2012, keith wrote:

I built a storage server to run the Bacula storage daemon on. My plan was to boot off a USB key, then to use the four 2TB SATA disks that are in the server as a softraid RAID 5 volume. The server in question is a Dell PowerEdge R310, i3 CPU 540 @ 3.07GHz with OBSD 5.0 amd64.

I put the OS onto the USB key but the softraid 5 volume seemed really slow. SFTPing files over the local network to the server's softraid volume was taking ages. So, as I was short of time, I just rebuilt the server, installing OBSD onto one of the SATA disks, wd0. Later I connected to the server and made a RAID 5 volume on the remaining three disks, but the speed was really slow, so I tried a RAID 1 on two of the disks and that works fine speed wise.

I've tried to get some stats to figure out what's going on:

RAID 5 (wd1, wd2, wd3): time for the newfs command to complete = 1 min 14 secs
RAID 5 (wd1, wd2, wd3): time to copy a 2.3G file from wd0 onto the softraid RAID 5 disk = 5 mins ish
RAID 1 (wd1, wd2) = 1.8TB: time for the newfs command to complete = 4 secs
RAID 1 (wd1, wd2): time to copy a 2.3G file from wd0 onto the softraid disk = 25 secs

RAID 5 with softraid(4) is not ready for primetime - in particular it does not support scrub or rebuild. If you have a single disk failure you will get to keep your data, however you will need to dump/rebuild/restore. I'm not specifically aware of performance issues, but I'm not entirely surprised either - I'll try to take a look at some point. RAID 5 writes will be slower, but not that much slower...

At this point I thought I'd try RAID 0 but the server went and hung for some reason.

    # bioctl -d sd0
    # bioctl -c 0 -l /dev/wd2a,/dev/wd3a softraid0

It hung on this command. Won't know what happened till I get to the datacenter.

I'm guessing that you did not clear the existing RAID 1 metadata first, in which case you'll probably have a divide by zero with a trace that ends in sr_raid1_assemble() - there is a bug there that I hit the other night.

Ideally I wanted one large disk, but if I can't get a quick RAID 5 working I will just use two softraid RAID 1 disks and work around it. Does anyone have any suggestions?

I'd stick with RAID 1 - you can use more than two disks, which will give you increased redundancy and should improve read throughput. Obviously you'll have less capacity though.

Thanks for the quick answers. If I just create two RAID 1 sets on the server, then could I just make a RAID 0 volume using both RAID 1s?

Thanks
Keith
PF Snort tutorial
I've been looking around for a good tutorial on implementing Snort with PF, and everything I see is old. Does anyone know of, or have implemented, a solution using an IDS/IPS with PF on the same box? If possible I'd like Snort or some other IDS to inspect packets and have pf drop them based on the fact they match certain signatures. Thanks in advance.
Re: PF Snort tutorial
Ugh, that's what I thought. I'm reading through some OSSEC docs right now and it seems pretty promising. Having trouble finding anything about having it read from pflog.

From: Andres Genovez [andresgeno...@gmail.com]
Sent: Tuesday, January 03, 2012 3:04 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: PF Snort tutorial

2012/1/3 Bentley, Dain dbent...@nas.edu

I've been looking around for a good tutorial on implementing Snort with PF, and everything I see is old. Does anyone know of, or have implemented, a solution using an IDS/IPS with PF on the same box? If possible I'd like Snort or some other IDS to inspect packets and have pf drop them based on the fact they match certain signatures. Thanks in advance.

Implementing that is really a pain in the hell out... I did it on a 4.9, I needed to do it from sources, there is no complete tutorial. It works on 4.9, not implemented with PF though...

Greetings...
-- 
Sincerely,
Andrés Genovez Tobar / Elastix Technician ECE - Linux LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec
PHP SQLite connection in OpenBSD
Hello all,

I'm trying to connect to a SQLite database with PHP and I'm having an issue of "driver not found". I've installed PHP from packages and have installed the php_sqlite package and configured the module for Apache. The PDO driver seems to be installed, as evidenced by my phpinfo page:

    SQLite support        enabled
    PECL Module version   2.0-dev $Id: sqlite.c 298697 2010-04-28 12:10:10Z iliaa $
    SQLite Library        2.8.17
    SQLite Encoding       iso8859
    PDO drivers           sqlite2

Here is the code I am using to attempt to connect:

    <?php
    try {
        // connect to SQLite from PDO database
        $dbh = new PDO("sqlite:/bandwith/stats.db");
    } catch (PDOException $e) {
        echo $e->getMessage(); // this getMessage throws an exception if any
    }
    ?>
Re: PHP SQLite connection in OpenBSD
Same error when run from the command line. I should also add this is 4.9, not 5.0. Sorry I didn't include that info earlier.

-----Original Message-----
From: richardtoo...@paradise.net.nz [mailto:richardtoo...@paradise.net.nz]
Sent: Tuesday, December 13, 2011 3:35 PM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: PHP SQLite connection in OpenBSD

Quoting Bentley, Dain dbent...@nas.edu:

Hello all, I'm trying to connect to a SQLite database with PHP and I'm having an issue of "driver not found". I've installed PHP from packages and have installed the php_sqlite package and configured the module for Apache. The PDO driver seems to be installed, as evidenced by my phpinfo page:

    SQLite support        enabled
    PECL Module version   2.0-dev $Id: sqlite.c 298697 2010-04-28 12:10:10Z iliaa $
    SQLite Library        2.8.17
    SQLite Encoding       iso8859
    PDO drivers           sqlite2

Here is the code I am using to attempt to connect:

    <?php
    try {
        // connect to SQLite from PDO database
        $dbh = new PDO("sqlite:/bandwith/stats.db");
    } catch (PDOException $e) {
        echo $e->getMessage(); // this getMessage throws an exception if any
    }
    ?>

Does the code work OUTSIDE of Apache?

    php-5.3 your-script.php

Have you considered chroot? http://www.openbsd.org/faq/faq10.html#httpdchroot

HTH
Re: PHP SQLite connection in OpenBSD
Thanks for the help. I'm getting a different error now:

    SQLSTATE[HY000] [1] unable to open database: /path/to/db

Can't seem to find much on this error. Something from the PHP website about having to recompile PHP from source, but it's an old thread and I'd rather not use non-packaged third party tools if I can help it.

From: joshua stein [j...@openbsd.org]
Sent: Tuesday, December 13, 2011 6:08 PM
To: Bentley, Dain
Subject: Re: PHP SQLite connection in OpenBSD

    PDO drivers           sqlite2

    Here is the code I am using to attempt to connect

    <?php
    try {
        // connect to SQLite from PDO database
        $dbh = new PDO("sqlite:/bandwith/stats.db");

you have sqlite2 installed, but the "sqlite:" pdo prefix is for sqlite 3 databases. try opening "sqlite2:/bandwith/stats.db".
Re: PHP SQLite connection in OpenBSD
Thanks, that helped. I got it to connect.

From: richardtoo...@paradise.net.nz [richardtoo...@paradise.net.nz]
Sent: Tuesday, December 13, 2011 7:50 PM
To: Bentley, Dain
Cc: misc@openbsd.org; richardtoo...@paradise.net.nz
Subject: Re: PHP SQLite connection in OpenBSD

Quoting richardtoo...@paradise.net.nz:

Quoting Bentley, Dain dbent...@nas.edu:

Thanks for the help. I'm getting a different error now:

    SQLSTATE[HY000] [1] unable to open database: /path/to/db

Can't seem to find much on this error. Something from the PHP website about having to recompile PHP from source, but it's an old thread and I'd rather not use non-packaged third party tools if I can help it.

And have you tried using the sqlite command line to check that all is OK with the database file?

    $ sqlite /path/to/db

Got to be something you've done - works fine here for me ... Built a 4.9 i386 box, installed the same packages as you ... No need to build anything or configure anything.

    # cd /tmp/
    # sqlite test.db
    SQLite version 2.8.17
    Enter ".help" for instructions
    sqlite> CREATE TABLE apple (apple_id INTEGER);
    sqlite> INSERT INTO apple (apple_id) VALUES(44);
    sqlite> SELECT * FROM apple;
    44
    sqlite>
    # php test.php
    Array ( [apple_id] => 44 [0] => 44 )
    # cat /tmp/test.php
    <?php
    try {
        $dbh = new PDO("sqlite2:/tmp/test.db");
    } catch (PDOException $e) {
        print_r($e);
    }
    $res = $dbh->query("SELECT * FROM apple");
    foreach ($res as $r) {
        print_r($r);
    }
    ?>

HTH.

From: joshua stein [j...@openbsd.org]
Sent: Tuesday, December 13, 2011 6:08 PM
To: Bentley, Dain
Subject: Re: PHP SQLite connection in OpenBSD

    PDO drivers           sqlite2

    Here is the code I am using to attempt to connect

    <?php
    try {
        // connect to SQLite from PDO database
        $dbh = new PDO("sqlite:/bandwith/stats.db");

you have sqlite2 installed, but the "sqlite:" pdo prefix is for sqlite 3 databases. try opening "sqlite2:/bandwith/stats.db".
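As an added example (not code from any post in this thread), the Python below does what joshua stein's and Richard's replies did by hand: it reads the database file's header to tell an SQLite 2 file from an SQLite 3 file and builds the matching PDO DSN prefix (`sqlite2:` versus `sqlite:`), and it resolves the path under a chroot directory first, since httpd on OpenBSD runs chrooted (the FAQ link Richard gave) and opens `/bandwith/stats.db` relative to the chroot, not the host root. The chroot directory, the file names and the sample databases are constructed for the example; the two magic headers are the ones SQLite 2.x and 3.x write.

```python
"""Pick the PDO DSN prefix for an SQLite file from its header, seen from the chroot.

Added example, not code from the thread. The fix in the thread was to use the
'sqlite2:' prefix, because PDO's 'sqlite:' prefix is the SQLite 3 driver. This
helper decides from the file's magic bytes, and resolves the path the way a
chrooted httpd on OpenBSD would: inside the chroot (/var/www by default), so
a database at /bandwith/stats.db on the host is not what the PHP module opens.
The chroot is a parameter; the sample files are constructed by make_samples().
"""
import os
import sqlite3
import tempfile

SQLITE3_MAGIC = b"SQLite format 3\x00"                                   # 16 bytes
SQLITE2_MAGIC = b"** This file contains an SQLite 2.1 database **\x00"   # 48 bytes


def detect_sqlite_version(path):
    """Return 3 or 2 from the header, or None if the file is not an SQLite database."""
    with open(path, "rb") as fh:
        head = fh.read(len(SQLITE2_MAGIC))
    if head.startswith(SQLITE3_MAGIC):
        return 3
    if head.startswith(SQLITE2_MAGIC):
        return 2
    return None


def pdo_dsn(db_path, chroot=None):
    """Build the PDO DSN for db_path, checking it where the PHP process will look.

    Raises FileNotFoundError if the file is missing at the resolved path,
    PermissionError if it is not readable, ValueError if it is not SQLite.
    """
    real = db_path if chroot is None else os.path.join(chroot, db_path.lstrip("/"))
    if not os.path.isfile(real):
        raise FileNotFoundError("%s: no such file (looked at %s)" % (db_path, real))
    if not os.access(real, os.R_OK):
        raise PermissionError("%s is not readable by this user" % real)
    version = detect_sqlite_version(real)
    if version is None:
        raise ValueError("%s is not an SQLite database" % real)
    return ("sqlite:" if version == 3 else "sqlite2:") + db_path


def make_samples():
    """Build a fake chroot holding a real SQLite 3 file, a file carrying the
    SQLite 2 header (constructed: only the header is real), and a plain text
    file. Returns the chroot directory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bandwith"))
    con = sqlite3.connect(os.path.join(root, "bandwith", "stats3.db"))
    con.execute("CREATE TABLE apple (apple_id INTEGER)")
    con.execute("INSERT INTO apple VALUES (44)")
    con.commit()
    con.close()
    with open(os.path.join(root, "bandwith", "stats2.db"), "wb") as fh:
        fh.write(SQLITE2_MAGIC + b"\x00" * 1000)
    with open(os.path.join(root, "bandwith", "notes.txt"), "w") as fh:
        fh.write("not a database\n")
    return root
```

Calling `pdo_dsn("/bandwith/stats.db", chroot="/var/www")` on the firewall itself reproduces what the chrooted PHP module will see; a FileNotFoundError there with the file present on the host is the chroot problem Richard pointed at, and a version of 2 means the DSN has to start with `sqlite2:`.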
Re: What generates the OpenBSD page?
This discussion does not contribute to either furthering people's knowledge of OpenBSD or providing any technical guidance. Can we just let bygones be bygones, move on, and stop spamming the list with this nonsense?

Regards,
Dain Bentley

-----Original Message-----
From: Nomen Nescio [nob...@dizum.com]
Received: Saturday, 10 Dec 2011, 1:11pm
To: misc@openbsd.org [misc@openbsd.org]
Subject: Re: What generates the OpenBSD page?

Oh man, you are drastically reducing the average intelligence of any group you join. But I liked this admission on your blog:

Just for the record, I make no illusions about being a complete jerk. Nor have I ever tried to be nice to a stranger once in my life, unless it was a homeless person whom could buy me alcohol or cigarettes as a teenager. I am a callous, rude, and unforgiving person. To the accusations against me I will plead: guilty as charged. I am an arsehole.

Source: http://old.johntate.org/node/316?page=1

Considering that you proudly admit to being an asshole, with zero consideration for your fellow man, don't you think that you are sometimes expecting too much from others? You asshole!

John Tate j...@johntate.org wrote:

Where did I state I think I am a genius? I want an actual quote, nothing less. Your grammar indicates rage rather than humor. My actual expertise is philosophy and psychology, you have narcissistic personality disorder. That is what the world calls it. In Objectivism, we call it misplaced self-esteem. [snip]

You are projecting, you really are the one with the most obvious disorders on this list. And although I can't bring myself to read through the diarrhea on your site, it seems that the majority of your philosophy posts are about bashing an Objectivist Ph.D in philosophy. Your level is ...? And yet you pretend to speak for Objectivists. Please don't think this guy understands Objectivism better than he understands OpenBSD, C++, psychology, or anything.
Re: Something similar to Soekris boards, for server applications
I second that. I run an Atom 330 with two gigs of RAM and two 500 gig drives in a RAID as a development server at home, in a 1U case. It performs great and it's low power.

Regards,
Dain Bentley

-----Original Message-----
From: Jason Crawford [ja...@purebsd.net]
Received: Wednesday, 30 Nov 2011, 12:33pm
To: misc@openbsd.org [misc@openbsd.org]
Subject: Re: Something similar to Soekris boards, for server applications

On 11/30/11 11:27, Sime Ramov wrote:

Hello, I am looking for something in the spirit of Soekris boards, but more suited for server applications, e.g. for hosting Django apps. The current net6501 is maxed out at 2 GB of RAM and a 1.6 GHz *single-core* (two threads) Atom. The reason I am considering Soekris is because dedicated servers are often underused and idling. A few GB of memory, an anemic processor and an SSD get one a surprisingly long way, especially with a properly chosen stack and caching. So the general idea is: one Django app = one Soekris board. This is much better than virtualization (bare metal forever) or putting more apps on a big server. Some apps would run great on this, but a more powerful CPU and more memory would be needed for more demanding workloads. Any recommendations for similar, but a bit more powerful and versatile hardware (think one app = one hardware device)? Thanks.

Maybe look at this: http://www.newegg.com/Product/Product.aspx?Item=N82E16816101364

It's cheaper, has twice the RAM, 6 SATA ports, 1.8GHz Atom dual core. Oh, and a rackmount case.
-- 
Jason
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
No, it will not. The version in FreeBSD is older and thus the syntax has changed. Read the PF FAQ on the OpenBSD website. Also, why are you running Samba on your firewall?

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-----Original Message-----
From: Mostaf Faridi [mostafafar...@gmail.com]
Received: Tuesday, 08 Nov 2011, 1:46pm
To: David Walker [davidianwal...@gmail.com]
CC: misc@openbsd.org [misc@openbsd.org]
Subject: Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Thanks. Your guide taught me many things. My experience with FreeBSD and OpenBSD is good, but my experience with FreeBSD is much better. At my workplace I run a FreeBSD server for Samba and NAT, and this server works well and works like a charm, but I do not know why PF does not work well. If you see my conf, you see my conf does not have a problem, but I do not know why this conf does not work well, and sometimes some users do not have internet and cannot browse web pages, but they can chat with messenger.

I want to migrate from FreeBSD to OpenBSD. Yesterday I installed OpenBSD 5 amd64 and ran a Samba server with OpenBSD and it works well. In the first step I run a Samba server with OpenBSD, and after this I want to run a NAT server with OpenBSD. And to start, I want to understand: will my pf.conf work in OpenBSD or not? I hate the Windows OS and want to run all of my servers only with BSD, especially OpenBSD.

Thanks in advance

On Nov 8, 2011 5:32 PM, David Walker davidianwal...@gmail.com wrote:

Mostaf Faridi mostafafaridi () gmail ! com wrote:

My problem is this: I do not have enough time to start from scratch and make new rules.

If you were moderately familiar with OpenBSD you could have, in the time between the start of this thread and now, read pf.conf for OpenBSD 5.0 and written on paper or wherever a complex ruleset. If your boss won't allocate time for this and expects you to outsource it to the web and whatever, then he's doing it wrong.

You don't have a good enough familiarity with OpenBSD (or FreeBSD) to know where to start. Right? If you do plan to migrate, then you should build a machine, install OpenBSD 5.0, write a ruleset and test it. In your workplace, testing may mean swapping the machines until everyone complains and you swap them back and try again, but doing it the way you're doing it now (no experience, asking for copy and paste administration, no testing) is wrong.

in my workplace, my boss found another person who can do internet sharing with Windows 2008 and ISA, and this person says he can make the best internet sharing server

So you want pf on OpenBSD and don't want to see a Windows machine ... ... but you're not interested in reading about pf on OpenBSD ...

Who's running the current FreeBSD machine? How come they can't understand it? Why not troubleshoot that? Etcetera ...

How will swapping to a new operating system be better than using the current one, which almost works?

If you want to stay with FreeBSD you should at a minimum understand your current ruleset (removing any non-essential lines might be a good start) if you want to get help on it. Again though, you're in the wrong place. Can you explain what every line in the pf.conf you sent is for? If not, find out; if it does nothing, delete it, whatever. Describe your network, do you have issues with DNS, do you have an http proxy, what tests have you done from clients, etcetera ...

Have you looked here: http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&manpath=FreeBSD+8.2-RELEASE

So on and so forth.

Under those circumstances, maybe Windows is the better choice. Certainly without any relevant OpenBSD experience you're better off with FreeBSD, right?

I said before my pf.conf in FreeBSD works well, but sometimes some users lose internet and they cannot browse web pages, but they can chat with Paltalk; after a reboot or disabling and enabling PF this problem is solved.

Fine. You have choices.

Fix your current setup, which should involve reading the FreeBSD pf.conf documentation and talking to people on the FreeBSD lists. Goodbye.

Build an OpenBSD machine, in which case, talk to you when you've got a machine running and you have some more appropriate questions. People will help you.

Either way you should be willing to invest time, and if you won't do that on your own and your boss doesn't want you to do it in work time, then let the Windows people worry about it.

Good times. Best wishes.
PF.CONF - with DMZ and packet tagging example
Hello all,

With the help of the PF FAQ on the OpenBSD website, The Book of PF (2nd Edition) and of course the nice folks here on this mailing list, I have a pf.conf someone might find useful. This configuration file is for an OpenBSD box with three interfaces, assuming you want one interface each for internal, external and DMZ. I really wanted to use packet tagging to keep things a little easier to manage and visualize in my head. It allows all traffic from the LAN out (which you can filter, obviously), filters DMZ traffic outbound and provides some basic services inbound from the internet to some DMZ servers. It will also allow users from the internal LAN to access the DMZ services, which one might also want to restrict if they wish.

It's taken me a few days to get it configured with a lot of watching tcpdump on the screen. I've run multiple nmap scans against my network just to ensure no unwanted ports were open. I also ran tcpdump on the DMZ interface and tried to access the internet with some unwanted protocols to ensure they would be filtered, and so far so good. Also, on the outbound DMZ traffic I decided to log all traffic so I could see where my servers were going when they left my network.

##MACROS
int = "re0"
dmz = "fxp0"
ext = "fxp1"
int_net = "192.168.1.0/24"
dmz_net = "192.168.10.0/24"
RFC1918 = "{ 10/8 172.16/12 192.168/16 }"
webserver = "192.168.10.1"
mailserver = "192.168.10.5"
dmz_services = "{ 80, 25, 53, 443 }"
web_services = "{ 80, 3000, 4567 }"
mail_services = "{ 25, 110, 443 }"

##TABLES
table <spamd> persist file "/etc/spammers"
table <bastards> persist file "/etc/bastards"

##OPTIONS
set skip on lo
set block-policy drop
set loginterface fxp1

##NORMALIZE TRAFFIC
match in all scrub (no-df max-mss 1440)

# NAT RULES
match out on $ext tag LAN_TO_INET tagged LAN nat-to ($ext)
match out on $ext tag DMZ_TO_INET tagged DMZ nat-to ($ext)
match out on $ext tag FTP_PROXY nat-to ($ext)

### BLOCKING AND PACKET TAGGING
block log all
antispoof for { lo0 re0 fxp0 fxp1 }
block in on $ext from $RFC1918 to any
block out on $ext from any to $RFC1918
block in on $ext from <bastards>

#LAN OUT
pass in on $int from $int_net tag LAN
pass in on $int from $int_net to $dmz_net tag LAN_TO_DMZ

#DMZ OUT
#pass in log on $dmz from $dmz_net tag DMZ
pass in log on $dmz proto { tcp, udp } from $dmz_net to any port $dmz_services tag DMZ

#Allow FTP from DMZ to install programs from ports collection
anchor "ftp-proxy/*"
pass in log quick on $dmz proto tcp from $dmz_net to any port 21 rdr-to 127.0.0.1 port 8021 tag FTP_PROXY

#SPAMD AND FTP PROXY
pass in on $ext proto tcp from <spamd> to port smtp tag SPAMD rdr-to 127.0.0.1 port 8025

#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ
pass in on $ext proto tcp from any to any port $mail_services rdr-to $mailserver tag INET_TO_DMZ

#POLICY ENFORCEMENT
pass in quick on $ext tagged SPAMD
pass out quick on $ext tagged FTP_PROXY
pass out quick on $ext tagged LAN_TO_INET
pass out quick on $ext tagged DMZ_TO_INET
pass out quick on $dmz tagged LAN_TO_DMZ
pass out quick on $dmz tagged INET_TO_DMZ

I've been running the firewall on an OpenBSD 4.9 box with an Atom 330 and the performance has been fantastic. I was tired of dealing with Cisco and having to pay money just to get access to download new software. In any case, I hope someone might find this useful in some way, and since I received some help from here I thought I'd post back my results...

regards,
Dain
Re: PF.CONF - with DMZ and packet tagging example
I guess I should add quick to the following:

block in on $ext from $RFC1918 to any
block out on $ext from any to $RFC1918
block in on $ext from <bastards>

From: Patrick Lamaiziere [patf...@davenulle.org]
Sent: Monday, November 07, 2011 5:37 PM
To: misc@openbsd.org; Bentley, Dain
Subject: Re: PF.CONF - with DMZ and packet tagging example

On Mon, 7 Nov 2011 16:58:29 -0500, Bentley, Dain dbent...@nas.edu wrote:

Hello,

block in on $ext from <bastards>

#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ
pass in on $ext proto tcp from any to any port $mail_services rdr-to $mailserver tag INET_TO_DMZ

Doesn't look good; missing quick in the block rule?

Regards.
Re: PF.CONF - with DMZ and packet tagging example
I guess I should add quick to the following; it does make sense:

block in on $ext from $RFC1918 to any
block out on $ext from any to $RFC1918
block in on $ext from <bastards>

From: Patrick Lamaiziere [patf...@davenulle.org]
Sent: Monday, November 07, 2011 5:37 PM
To: misc@openbsd.org; Bentley, Dain
Subject: Re: PF.CONF - with DMZ and packet tagging example

On Mon, 7 Nov 2011 16:58:29 -0500, Bentley, Dain dbent...@nas.edu wrote:

Hello,

block in on $ext from <bastards>

#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ
pass in on $ext proto tcp from any to any port $mail_services rdr-to $mailserver tag INET_TO_DMZ

Doesn't look good; missing quick in the block rule?

Regards.
Re: PF.CONF - with DMZ and packet tagging example
Would I need the quick though? I would think you want pf to keep evaluating the rules after they enter the int interface.

From: Adriaan [misc.adri...@gmail.com]
Sent: Monday, November 07, 2011 6:09 PM
To: Bentley, Dain
Cc: Patrick Lamaiziere; misc@openbsd.org
Subject: Re: PF.CONF - with DMZ and packet tagging example

On Mon, Nov 7, 2011 at 11:59 PM, Bentley, Dain dbent...@nas.edu wrote:

I guess I should add quick to the following:

block in on $ext from $RFC1918 to any
block out on $ext from any to $RFC1918
block in on $ext from <bastards>

From: Patrick Lamaiziere [patf...@davenulle.org]
Sent: Monday, November 07, 2011 5:37 PM
To: misc@openbsd.org; Bentley, Dain
Subject: Re: PF.CONF - with DMZ and packet tagging example

On Mon, 7 Nov 2011 16:58:29 -0500, Bentley, Dain dbent...@nas.edu wrote:

Hello,

block in on $ext from <bastards>

#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ
pass in on $ext proto tcp from any to any port $mail_services rdr-to $mailserver tag INET_TO_DMZ

Doesn't look good; missing quick in the block rule?

Regards.

You should also consider the advice I gave in http://www.daemonforums.org/showthread.php?t=6483#post41274

Adriaan
Re: Patch for FAQ - PF: Packet Tagging (Policy Filtering) - New NAT Syntax
In the case of LAN_INET and LAN_DMZ, wouldn't one need to apply the quick rule? If you ping a DMZ server from the internal net, on

pass in on $int_if from $int_net tag LAN_INET

it will be tagged with LAN_INET. However, because the quick option isn't inserted in the rule, pf will keep evaluating the ping with the next rule

pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ

Will this wrongly tag the packet?

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 6:50 PM
To: misc
Subject: Patch for FAQ - PF: Packet Tagging (Policy Filtering) - New NAT Syntax

This is a patch to update the FAQ at http://www.openbsd.org/faq/pf/tagging.html with the nat syntax changes introduced in 4.7 (http://openbsd.org/faq/upgrade47.html#newPFnat):

$ diff -ub tagging.html.bak tagging.html --- tagging.html.bak2011-11-03 17:40:01.596053714 -0500 +++ tagging.html2011-11-03 17:47:07.696539268 -0500 @@ -199,7 +199,7 @@ blockquote tt block allbr -pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br +match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br pass in on $int_if from $int_net tag LAN_INETbr pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZbr 
@@ -256,7 +256,7 @@ # classification -- classify packets based on the defined firewall # policy. block all -pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br +match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br pass in on $int_if from $int_net tag LAN_INETbr pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ There is a rule on the page that may also require changes: pass in on $ext_if proto tcp from spamd to port smtp \ tag SPAMD rdr-to 127.0.0.1 port 8025 I'm not familiar enough with rdr-to to know if this requires changes. Based on my reading it does not appear to require a change, but someone needs to check me on this. Axton Grams
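Review bot: in both hunks the `+` line keeps `tag LAN_INET_NAT` on the new `match` rule, which is right (a match rule tags, and sets nat-to, on every match instead of only when it is the last matching rule, which is the point of the change), but a `match` rule no longer passes anything by itself, and in the second hunk it now sits directly under `block all`; the translated traffic is therefore passed only by whatever later rule in the listing passes packets `tagged LAN_INET_NAT`. If the page's prose around these listings describes this line as the rule that lets the NATed traffic out, it needs the same wording change, and the diff does not touch the prose. On the question below the patch: the `pass in ... from <spamd> to port smtp tag SPAMD rdr-to 127.0.0.1 port 8025` line is already in the 4.7 `rdr-to` form and needs no change.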
Packet Tagging issues with NAT in pf OBSD 4.9
Hello all,

I recently stood up an OpenBSD server to replace an older ASA. I read the FAQ and was interested in the packet tagging aspect because I have a DMZ and it makes the rule set seem more readable to my brain. In any case I have the following, taken from the PF FAQ on the OpenBSD website...

_int = "re0"
_ext = "fxp1"
int_net = "192.168.200.0/24"

pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
pass in on $_int from $int_net tag LAN_TO_INET
..
pass out quick on $_ext tagged LAN_NAT_TO_INET

I've obviously changed around some of the macros and there are other rules (although commented out at this time until I get LAN connectivity), but it doesn't work. Interestingly enough, this does:

_int = "re0"
_ext = "fxp1"
int_net = "192.168.200.0/24"

pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
pass in on $_int from $int_net tag LAN_TO_INET
..
pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)

Any reason why, at the bottom of my .conf file where nat-to is in my quick rule, it would work, but when it's in the first filter rule it does not? I've read over the man page and have The Book of PF v.2 and still am confused. Any thought is greatly appreciated.

Regards,
Dain
Re: how to gain high performance with big memory
Take a look at this:

http://www.packetmischief.ca/openbsd-compact-flash-firewall/
http://blog.spoofed.org/2007/12/openbsd-on-soekris-cheaters-guide.html

It's about installing on a flash card, but how to mount filesystems in memory is in there.

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of f5b [f...@163.com]
Sent: Wednesday, November 02, 2011 11:32 PM
To: misc@openbsd.org
Subject: how to gain high performance with big memory

How to gain high performance with big memory? amd64, OpenBSD 5.0 release; the machine has big memory, 48G for example. How to mount memory for the /usr/ports file system, letting make build more quickly? Other suggestions? How to tune the sysctl.conf file accordingly?
Re: Packet Tagging issues with NAT in pf OBSD 4.9
Hi, thanks for replying. I was looking to use packet tagging though.

-----Original Message-----
From: Wesley M. [mailto:open...@e-solutions.re]
Sent: Thursday, November 03, 2011 6:20 AM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

Hi, try this sample:

_int = "re0"
_ext = "fxp1"
int_net = "192.168.200.0/24"

set block-policy drop
set skip on lo

match in all scrub (no-df max-mss 1440)
match out on $_ext inet from $int_net to any nat-to (egress)

block log all

pass in on $_int inet proto udp from $int_net to any port domain
pass in on $_int inet proto tcp from $int_net to any port \
    { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
pass out on $_ext inet proto tcp all
pass out on $_ext inet proto udp all

All the best,
Wesley MOUEDINE ASSABY.

_int = "re0"
_ext = "fxp1"
int_net = "192.168.200.0/24"

pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
pass in on $_int from $int_net tag LAN_TO_INET
..
pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)

Any reason why, at the bottom of my .conf file where nat-to is in my quick rule, it would work, but when it's in the first filter rule it does not? I've read over the man page and have The Book of PF v.2 and still am confused. Any thought is greatly appreciated.

Regards,
Dain
Re: Packet Tagging issues with NAT in pf OBSD 4.9
Hello Stuart and thanks for your reply. It still doesn't help; this seems to work, but I'm not sure if this is a good config:

# NAT RULES
match out on $ext tagged LAN nat-to ($ext)

# BLOCKING AND PACKET TAGGING
pass in on $int from $int_net tag LAN
#pass in on $int tag LAN
block out on $ext from any to any
pass out quick on $ext tagged LAN

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart Henderson [s...@spacehopper.org]
Sent: Thursday, November 03, 2011 6:53 AM
To: misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

you aren't using tagging in your sample.

On 2011-11-03, Wesley M. open...@e-solutions.re wrote:

Hi, try this sample:

_int = "re0"
_ext = "fxp1"
int_net = "192.168.200.0/24"

set block-policy drop
set skip on lo

match in all scrub (no-df max-mss 1440)
match out on $_ext inet from $int_net to any nat-to (egress)

block log all

pass in on $_int inet proto udp from $int_net to any port domain
pass in on $_int inet proto tcp from $int_net to any port \
    { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
pass out on $_ext inet proto tcp all
pass out on $_ext inet proto udp all

All the best,
Wesley MOUEDINE ASSABY.

_int = "re0"
_ext = "fxp1"
int_net = "192.168.200.0/24"

pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
pass in on $_int from $int_net tag LAN_TO_INET
..
pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)

Any reason why, at the bottom of my .conf file where nat-to is in my quick rule, it would work, but when it's in the first filter rule it does not? I've read over the man page and have The Book of PF v.2 and still am confused. Any thought is greatly appreciated.

Regards,
Dain
Re: Packet Tagging issues with NAT in pf OBSD 4.9
Hello Axton...cool name by the way. I noticed the match statements work for me as well. Perhaps it is required?

From: Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 2:06 PM
To: Bentley, Dain
Cc: Stuart Henderson; misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain dbent...@nas.edu wrote:
> Hello Stuart and thanks for your reply. It still doesn't help, this seems to work but I'm not sure if this is a good config:
>
> # NAT RULES
> match out on $ext tagged LAN nat-to ($ext)
>
> # BLOCKING AND PACKET TAGGING
> pass in on $int from $int_net tag LAN
> #pass in on $int tag LAN
> block out on $ext from any to any
> pass out quick on $ext tagged LAN
>
> [...]

I use something like this. The ruleset has been modified before posting, so no guarantees that I didn't mess something up.

# interfaces
if_lo=lo
if_enc=enc0
if_gif=gif0
if_ext=vlan3
if_int=vlan20
if_srv=vlan40

# interface ip's
ip4_int=10.0.0.1
ip6_int=2001:::20::10
ip4_srv=10.0.20.1
ip6_srv=2001:::40::10

# networks
net4_int=10.0.0.0/22
net6_int=2001:::20::/64
net4_srv=10.0.20.0/22
net6_srv=2001:::40::/64

# other macros
icmp_types=echoreq

# default policy
block log all

# TRANSLATION
match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext) static-port
match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

# allow router access to all nets (ipv4)
pass out on $if_ext proto tcp from $if_ext to any
pass out on $if_ext proto udp from $if_ext to any keep state
pass out on $if_ext inet proto icmp from $if_ext to any keep state
pass out on $if_int proto tcp from $if_int to any
pass out on $if_int proto udp from $if_int to any keep state
pass out on $if_int inet proto icmp from $if_int to any keep state
pass out on $if_int inet6 proto ipv6-icmp from $if_int to any keep state
pass out on $if_srv proto tcp from $if_srv to any
pass out on $if_srv proto udp from $if_srv to any keep state
pass out on $if_srv inet proto icmp from $if_srv to any keep state
pass out on $if_srv inet6 proto ipv6-icmp from $if_srv to any keep state

# tag packets per network
pass in on $if_int proto tcp from { $net4_int, $net6_int } tag INT_INET
pass in on $if_int proto udp from { $net4_int, $net6_int } tag INT_INET keep state
pass in on $if_int inet proto icmp from $net4_int icmp-type $icmp_types tag INT_INET keep state
pass in on $if_int inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv proto udp from { $net4_srv, $net6_srv } tag SRV_INET keep state
pass in on $if_srv inet proto icmp from $net4_srv icmp-type $icmp_types tag SRV_INET keep state
pass in on $if_srv inet6 proto ipv6-icmp tag SRV_INET keep state

# policy enforcement
# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT
# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET
# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET

Axton Grams
Re: Packet Tagging issues with NAT in pf OBSD 4.9
http://www.openbsd.org/faq/pf/tagging.html

From: Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 2:51 PM
To: Bentley, Dain
Cc: Stuart Henderson; misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

On Thu, Nov 3, 2011 at 1:33 PM, Bentley, Dain dbent...@nas.edu wrote:
> Hello Axton...cool name by the way. I noticed the match statements work for me as well. Perhaps it is required?

This changed with 4.7: http://openbsd.org/faq/upgrade47.html#newPFnat
More details available here: http://marc.info/?l=openbsd-misc&m=125181847818600&w=2

It may be that the FAQ you used is out of date. What FAQ page were you looking at while setting this up?

Axton Grams
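The following is an added, minimal pf.conf illustrating the point made in Axton's ruleset and in the note about the 4.7 change: since OpenBSD 4.7, nat-to is a rule option applied when a match or pass rule is evaluated, not a separate translation pass. It is example code written for this page, not taken from the thread or from the OpenBSD FAQ. The interface names (fxp1, re0) and the 192.168.200.0/24 network are reused from the thread; the tag names and rule layout are the example's own.

```pf
# Added example: tag on the way in, translate with match, decide with pass.
# Interfaces and the LAN network are taken from the thread; tag names and
# the rule layout are this example's own.
ext_if  = "fxp1"
int_if  = "re0"
lan_net = "192.168.200.0/24"

set skip on lo
block log all

# 1. Tag traffic arriving from the LAN on the internal interface. The tag is
#    stored with the state, so it is still attached when the same packet is
#    evaluated outbound on $ext_if.
pass in on $int_if inet from $lan_net tag LAN_TO_INET

# 2. Translate with a match rule (4.7 and later). A match rule applies its
#    options (here nat-to and a new tag) to every packet it matches but never
#    makes the pass/block decision, so it can sit at the top of the file and a
#    later pass rule still has to let the packet out. Re-tagging lets the
#    filter rule below select exactly the traffic that has been translated.
match out on $ext_if inet tagged LAN_TO_INET tag LAN_NAT_TO_INET nat-to ($ext_if)

# 3. Decide. Only LAN traffic that went through the match rule leaves on
#    $ext_if; "quick" stops evaluation so no later rule can override it.
pass out quick on $ext_if tagged LAN_NAT_TO_INET

# Alternative: put nat-to directly on the pass rule. This is equivalent to
# steps 2 and 3 combined. Note that with pass rules the last matching rule
# wins, so a non-quick pass rule carrying nat-to is superseded by any later
# rule (for example "block out on $ext_if") that also matches the packet;
# that later rule then decides, and it has no nat-to. Adding "quick" avoids
# this, which is one reason the same nat-to rule can appear to work only in
# its "quick" form at the bottom of the file.
# pass out quick on $ext_if inet tagged LAN_TO_INET nat-to ($ext_if)
```

To check a file like this before loading it, run `pfctl -nf /etc/pf.conf` (parse only, no load); after loading, `pfctl -sr` shows the rules as pf expanded them and `pfctl -ss` lists states, where a translated connection shows both the original and the NAT'd source address so you can confirm that the match rule actually applied.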