Re: privileged instruction fault trap for pf_tabladdr_setup
Update: Reinstalling the OS and reapplying all patches cleared this issue. I can't explain why security fix 3 previously horked this system.

dn

On 2/23/22 7:04 PM, David Newman wrote:
> OpenBSD 7.0 GENERIC#3 i386, running as a VM on VMware vSphere 5.5
>
> After applying a security fix through syspatch, this system failed on
> reboot with the error:
>
>   kernel: privileged instruction fault trap, code=0
>   Stopped at: pf_tabladdr_setup:
>
> Links to trace and ps info below. Thanks in advance for clues on
> reviving this machine.
>
> There are other fault trap threads in the misc archive, but I found none
> about pf_tabladdr_setup. Some other threads suggest underlying hardware
> problems. This is certainly possible, but there are other VMs running OK
> on this host, and the host logs don't indicate any disk or memory
> trouble.
>
> FWIW I used this machine for years, at least back into the OpenBSD 5.x
> days, and have upgraded all along without issue.
>
> Here is the ddb trace:
>
>   ddb> trace
>   pf_tabladdr_setup(d0e95da8,d1dfaf58) at pf_tabladdr_setup
>   pfioctl(4900,ccc84404,d1b26000,3,d19b1980) at pfioctl+0x4028
>   spec_ioctl(f3ac7734) at spec_ioctl+0x4c
>   VOP_IOCTL(d19919e4,ccc84404,d1b26000,d19b1980) at VOP_IOCTL+0x53
>   vn_ioctl(d19bbc60,ccc84404,d1b26000,d19b1980) at vn_ioctl+0x4f
>   sys_ioctl(d19b1980,f3ac78f0,f3ac78e8) at sys_ioctl+0x240
>   syscall(f3ac7930) at syscall+0x2cd
>   Xsyscall_untramp() at Xsyscall_untramp+0xa9
>   end of kernel
>
> Unfortunately I can't copy/paste the output of 'ps' but I've posted
> screen captures of trace and ps here:
>
>   https://ibb.co/WP4R58D
>   https://ibb.co/9ZCNdd5
>
> Thanks again.
>
> dn
privileged instruction fault trap for pf_tabladdr_setup
OpenBSD 7.0 GENERIC#3 i386, running as a VM on VMware vSphere 5.5

After applying a security fix through syspatch, this system failed on reboot with the error:

  kernel: privileged instruction fault trap, code=0
  Stopped at: pf_tabladdr_setup:

Links to trace and ps info below. Thanks in advance for clues on reviving this machine.

There are other fault trap threads in the misc archive, but I found none about pf_tabladdr_setup. Some other threads suggest underlying hardware problems. This is certainly possible, but there are other VMs running OK on this host, and the host logs don't indicate any disk or memory trouble.

FWIW I used this machine for years, at least back into the OpenBSD 5.x days, and have upgraded all along without issue.

Here is the ddb trace:

  ddb> trace
  pf_tabladdr_setup(d0e95da8,d1dfaf58) at pf_tabladdr_setup
  pfioctl(4900,ccc84404,d1b26000,3,d19b1980) at pfioctl+0x4028
  spec_ioctl(f3ac7734) at spec_ioctl+0x4c
  VOP_IOCTL(d19919e4,ccc84404,d1b26000,d19b1980) at VOP_IOCTL+0x53
  vn_ioctl(d19bbc60,ccc84404,d1b26000,d19b1980) at vn_ioctl+0x4f
  sys_ioctl(d19b1980,f3ac78f0,f3ac78e8) at sys_ioctl+0x240
  syscall(f3ac7930) at syscall+0x2cd
  Xsyscall_untramp() at Xsyscall_untramp+0xa9
  end of kernel

Unfortunately I can't copy/paste the output of 'ps' but I've posted screen captures of trace and ps here:

  https://ibb.co/WP4R58D
  https://ibb.co/9ZCNdd5

Thanks again.

dn
Re: OT: Dell EMC switches
On 4/13/21 9:38 PM, Ivo Chutkin wrote:
> Hello guys,
>
> Thanks for the replies. To add some more info for the case.
>
> We have a DWDM network with star topology. Switches will be connected to
> the center point with a 100G uplink (currently 10G or 2x10G) via DWDM lambda.
> Customers are connected to 10G ports.
>
> We carry Internet traffic and IPTV multicast to regional ISPs over VLANs.
>
> What is important for me is for the switch to be capable of carrying traffic at
> wire speed without packet loss. Latency is not a big issue here.
>
> I will also have a look at Arista switches.
>
> Thanks a lot for the help,
> Ivo

In a previous day job, I did large-scale benchmarking of switches and routers from Arista, Cisco, Huawei, Juniper, and many other vendors.

Switch ASICs have been commodities for years. Anything sold to enterprises or service providers runs at wire speed* without loss, provided the traffic pattern doesn't create oversubscription. You can force loss by creating an oversubscribed traffic topology (e.g., directing traffic from two or more ingress ports to one egress port), but then the loss is due to the traffic pattern (and to a small extent, the amount of buffer memory), not the switching silicon.

Key point is that in terms of the RFC 1242 definition of throughput, you're going to see wire-speed performance for pretty much any enterprise-class switch, for any frame length. You're likely to see differences in latency and jitter, but not throughput.

dn

*This is really an edge case, but the definition of "wire speed" can differ between transmitting and receiving Ethernet ports because (a) Ethernet is asynchronous (each device uses its own free-running clock) and (b) device clocks can run at slightly different speeds and (c) even within a single device, its clock will vary around that speed by different amounts, depending on the precision of its clocking chip (a timing crystal with 10-ppm precision costs a LOT more than one with 100-ppm precision).

As a result, you will see frame loss over time if a transmitter's clock runs slightly faster than a receiver's clock. Many benchmarks are run for a relatively short duration (e.g., 60-300 seconds) where buffering will cover for clocking differences. Run a test long enough, and frame loss may occur.

There's no one correct answer here. The IEEE spec says every Ethernet interface must tolerate +/- 100 ppm of clocking variation, which can lead to loss for the reasons discussed above. The IETF RFC 1242/2544 and 2285/2889 specifications on router and switch testing define throughput as a zero-loss condition. There's been much discussion at the IETF about an acceptable loss threshold, but the only number everyone agrees on is zero.

>
> On 10.4.2021 at 00:10, Tom Smyth wrote:
>> +1 re arista switches...
>>
>> On Friday, 9 April 2021, Diana Eichert wrote:
>>
>>> I second Arista switches, in my day job we use a lot of Arista
>>> switches. Though one of the "issues" we see is Arista
>>> drops older tech regularly. I believe their last presentation to us
>>> was 25G/100G/400G switches.
>>>
>>> On Thu, Apr 8, 2021 at 1:18 PM Mischa wrote:
>>>> Hi Ivo,
>>>>
>>>> I don't have any experience with the Dell switches but what about the
>>>> Arista DCS-7050QX-32 or DCS-7050QX-32S?
>>>>
>>>> 32x40G QSFP+ for the 7050QX-32
>>>> 32x40G QSFP+ of which one QSFP+ can act as a dual personality to 4xSFP+
>>>> for the 7050QX-32S. (mind the S)
>>>>
>>>> There are converters for the QSFP+ to turn them into a SFP+ port if you
>>>> need more 10G but want to have a way to migrate to 40G.
>>>> You can do this with the Mellanox 655902-001 QSA adapter.
>>>> Which is pretty much what we have in production. :)
>>>>
>>>> Are you planning to buy new or eBay? There are some pretty good deals on
>>>> eBay.
>>>>
>>>> Mischa
>>>
>>>
>>
>
Re: The case of the phantom reboot
On 4/1/21 2:51 PM, Rafael Possamai wrote: >> One of my systems rebooted at 03:01 local time today. > > Do you happen to have a cat nearby? :-) I'm allergic, and this box is in a colo. Appreciate all the feedback. I've enabled accounting per Stuart's suggestion and am pretty sure this is a hiccup on old hardware. dn
Re: The case of the phantom reboot
On 3/29/21 5:28 AM, Nick Holland wrote:
> On 3/28/21 12:13 PM, David Newman wrote:
>> On 3/28/21 4:58 AM, Kristjan Komloši wrote:
>>
>>> On 3/27/21 10:27 PM, David Newman wrote:
>>>> OpenBSD 6.8 GENERIC#5 i386
>>>>
>>>> One of my systems rebooted at 03:01 local time today. I've seen kernel
>>>> panics and bad hardware but I've never seen OpenBSD "just reboot" by
>>>> itself, ever.
>
> OpenBSD, not usually. Hardware OpenBSD is running on? Sure.
>
>>>> There's no cron job that would do this. last(1) is no help; it shows
>>>> the reboot command but not the shutdown that preceded it:
>>>>
>>>> root@ns ~ 4# last -f /var/log/wtmp.0
>>>> reboot   ~                            Sat Mar 27 03:01
>>>> root     ttyp0   192.168.0.132        Wed Mar 24 11:23 - 11:23  (00:00)
>>>>
>>>> wtmp.0 begins Wed Mar 24 11:23 2021
>>>> root@ns ~ 5# last -f /var/log/wtmp.1
>>>> root     ttyp0   192.168.0.132        Tue Mar 16 21:30 - 21:30  (00:00)
>>>> root     ttyp0   75.82.86.131         Tue Mar 16 13:14 - 21:30  (08:15)
>>>> root     ttyp0   75.82.86.131         Sun Mar 14 21:20 - 21:29  (00:08)
>>>> root     ttyp0   75.82.86.131         Sat Mar 13 17:42 - 21:13  (03:31)
>>>>
>>>> The date gaps seem odd. I've ssh'd into this system multiple times
>>>> between March 16-27. I don't see other signs of trouble in /var/log.
>>>>
>>>> I could use some help in looking for evidence of foul play, or "just" a
>>>> hardware or software problem.
>>>>
>>>> Thanks in advance for further troubleshooting clues.
>>>>
>>>> dn
>>>>
>>> What kind of a machine is it running on? I remember having reboot
>>> problems on certain HP and Supermicro servers with hardware watchdogs.
>>
>> This is a 10+-year-old Dell 1U server with a 2-GHz Celeron 440, part of
>> a pair running CARP. Aside from having to replace spinning disks with
>> SSDs a couple of years ago, they've been rock solid.
>
> basic machine, worked for a long time, then starts giving problems, almost
> certainly a hw problem unless you can tie the problem to a recent upgrade.
> And that's not terribly likely on "basic" hardware.
>
> Every broken device started out "rock solid" ... until it isn't. That's
> the definition of "Broken".
>
>> I too have seen issues with Supermicros but that's with other OSs. I've
>> never had a spontaneous reboot, on this system, and am concerned from
>> the wtmp stuff above that this *may* have been triggered externally. I
>> could use some clues in other things to check. Thanks.
>
> As Stuart pointed out, that comes from the boot process, not the shutdown.
>
> If you are really curious, you could put a serial console on it and wait
> for the next event. PROBABLY won't see much, however.
>
> Believe me, I'm all in favor of recycling computers -- in fact, as I
> often tell skeptical employers, I'd rather have two ten year old systems
> than one brand new system with a service contract, but computers don't
> last as long as they used to, and curiously, some big-name servers seem
> to sometimes have a shorter life than some desktops. A ten year old
> computer that does the job reliably is good, but not an expectation.

I hope it is "just" a hardware problem. These ancient machines don't owe me anything. If anything they've been a testament to how well OpenBSD just works, year in, year out.

Until I can swap in a replacement (the unit in question is in a colo in another state), I may try Stuart's suggestion of enabling accounting.

The only concern I have about an external actor is that there seem to be some missing entries in wtmp, but I don't know enough about init or wtmp to rule out a hardware glitch. Someone else suggested a battery problem, which seems plausible for a unit this old.

Appreciate all the feedback -- many thanks.

dn
Re: The case of the phantom reboot
On 3/28/21 4:58 AM, Kristjan Komloši wrote: > On 3/27/21 10:27 PM, David Newman wrote: >> OpenBSD 6.8 GENERIC#5 i386 >> >> One of my systems rebooted at 03:01 local time today. I've seen kernel >> panics and bad hardware but I've never seen OpenBSD "just reboot" by >> itself, ever. >> >> There's no cron job that would do this. last(1) is no help; it shows the >> reboot command but not the shutdown that preceded it: >> >> root@ns ~ 4# last -f /var/log/wtmp.0 >> reboot ~ Sat Mar 27 03:01 >> root ttyp0 192.168.0.132 Wed Mar 24 11:23 - 11:23 >> (00:00) >> >> wtmp.0 begins Wed Mar 24 11:23 2021 >> root@ns ~ 5# last -f /var/log/wtmp.1 >> root ttyp0 192.168.0.132 Tue Mar 16 21:30 - 21:30 >> (00:00) >> root ttyp0 75.82.86.131 Tue Mar 16 13:14 - 21:30 >> (08:15) >> root ttyp0 75.82.86.131 Sun Mar 14 21:20 - 21:29 >> (00:08) >> root ttyp0 75.82.86.131 Sat Mar 13 17:42 - 21:13 >> (03:31) >> >> The date gaps seem odd. I've ssh'd into this system multiple times >> between March 16-27. I don't see other signs of trouble in /var/log. >> >> I could use some help in looking for evidence of foul play, or "just" a >> hardware or software problem. >> >> Thanks in advance for further troubleshooting clues. >> >> dn >> > What kind of a machine is it running on? I remember having reboot > problems on certain HP and Supermicro servers with hardware watchdogs. This is a 10+-year-old Dell 1U server with a 2-GHz Celeron 440, part of a pair running CARP. Aside from having to replace spinning disks with SSDs a couple of years ago, they've been rock solid. I too have seen issues with Supermicros but that's with other OSs. I've never had a spontaneous reboot, on this system, and am concerned from the wtmp stuff above that this *may* have been triggered externally. I could use some clues in other things to check. Thanks. dn
The case of the phantom reboot
OpenBSD 6.8 GENERIC#5 i386

One of my systems rebooted at 03:01 local time today. I've seen kernel panics and bad hardware but I've never seen OpenBSD "just reboot" by itself, ever.

There's no cron job that would do this. last(1) is no help; it shows the reboot command but not the shutdown that preceded it:

  root@ns ~ 4# last -f /var/log/wtmp.0
  reboot   ~                            Sat Mar 27 03:01
  root     ttyp0   192.168.0.132        Wed Mar 24 11:23 - 11:23  (00:00)

  wtmp.0 begins Wed Mar 24 11:23 2021
  root@ns ~ 5# last -f /var/log/wtmp.1
  root     ttyp0   192.168.0.132        Tue Mar 16 21:30 - 21:30  (00:00)
  root     ttyp0   75.82.86.131         Tue Mar 16 13:14 - 21:30  (08:15)
  root     ttyp0   75.82.86.131         Sun Mar 14 21:20 - 21:29  (00:08)
  root     ttyp0   75.82.86.131         Sat Mar 13 17:42 - 21:13  (03:31)

The date gaps seem odd. I've ssh'd into this system multiple times between March 16-27. I don't see other signs of trouble in /var/log.

I could use some help in looking for evidence of foul play, or "just" a hardware or software problem.

Thanks in advance for further troubleshooting clues.

dn
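The following is an added example, not code from the thread. It does mechanically what the poster did by eye: scan last(1) output for reboot pseudo-entries that are not paired with a shutdown. It assumes OpenBSD's last(1) layout (newest entry first; the reboot and shutdown pseudo-entries carry "~" in the tty column) and, as Stuart's reply notes, that the "reboot" entry is written at boot while a clean reboot(8) also writes "shutdown" beforehand. The sample output is constructed for the example; only the Mar 27 reboot and the Mar 24 login are taken from the post.

```sh
#!/bin/sh
# Added example, not from the thread: triage last(1) output for reboots
# with no matching shutdown. Assumes OpenBSD last(1) format (newest first,
# "~" in the tty column for reboot/shutdown pseudo-entries) and that a
# clean reboot(8) logs "shutdown" before init logs "reboot" at next boot.
# A reboot whose next-older pseudo-entry is not a shutdown therefore points
# at a power cycle, hardware reset or panic rather than an orderly restart.

# unclean_reboots: read last(1) output on stdin, print the date of every
# reboot entry whose next-older pseudo-entry is not a shutdown (or which
# has none at all). Caveat: the oldest reboot in a rotated file may be
# flagged only because its shutdown lives in the previous wtmp.N file.
unclean_reboots() {
    awk '
        $2 == "~" && ($1 == "reboot" || $1 == "shutdown") {
            # a held reboot is unclean if the next pseudo-entry is another reboot
            if (pending != "" && $1 == "reboot") print pending
            pending = ($1 == "reboot") ? $3 " " $4 " " $5 " " $6 : ""
            next
        }
        END { if (pending != "") print pending }
    '
}

# Constructed sample in last(1) layout (not real wtmp data).
sample_last_output() {
    cat <<'EOF'
reboot   ~                            Sat Mar 27 03:01
root     ttyp0   192.168.0.132        Wed Mar 24 11:23 - 11:23  (00:00)
reboot   ~                            Sat Mar 20 04:00
shutdown ~                            Sat Mar 20 03:59
root     ttyp0   192.168.0.132        Tue Mar 16 21:30 - 21:30  (00:00)
reboot   ~                            Wed Mar 10 02:15

wtmp.0 begins Wed Mar 10 02:15 2021
EOF
}

# Expected: the Mar 27 reboot (followed by another reboot, no shutdown)
# and the Mar 10 reboot (nothing older in this file); Mar 20 is clean.
sample_last_output | unclean_reboots

# On a live system:  last -f /var/log/wtmp.0 | unclean_reboots
```

Logins are ignored on purpose: they are ordered by login time, so they can appear between a reboot and its shutdown in the listing without changing the answer. A flagged entry at the very end of the output is only "no shutdown in this file"; check the next-older wtmp file before reading anything into it.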
Re: ikectl ca and subjectAltName for IKEv2 VPNs
On 3/4/21 12:29 AM, Stuart Henderson wrote:
> On 2021-03-04, David Newman wrote:
>> Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName
>> in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The
>> subjectAltName can be the same as the CN; it just has to be present.
>
> Most IKE software has always needed this. (Web browsers also recently-ish
> started needing it too).
>
>> Questions about this:
>>
>> 1. Does the 'ikectl ca certificate create' command
>> support creation of X.509 certs with a subjectAltName defined in
>> addition to the CN?
>>
>> If so, what's the syntax?
>
> It does this by default.

Thanks, I hadn't realized that, and should have grep'd the cert for 'DNS:' before asking.

And yet, an iOS client initiator still fails with an authentication error on the iOS side. 'ipsecctl -sa' on the OpenBSD responder looks fine, with a tunnel established.

The server and client certs generated by 'ikectl sa' have alt names but the CA cert does not. Does it need one? I suspect an error in iOS VPN configuration, but just checking.

One other thing about the client cert: The CN is for something like 'iphone.networktest.com', which is an FQDN for which I have not created a DNS record. Again, does it need one? This is for a road-warrior configuration that will come in from different IP addresses, so I'm unclear what name/address pair I'd use in the DNS.

Thanks again.

dn

>
>> 2. Can a separate standalone CA just create the certs with the necessary
>> SAN fields?
>
> Yes.
>
>> Is it as easy as just dropping the root cert, the client
>> certs, and keys in these respective directories?
>>
>> /etc/iked/ca
>> /etc/iked/certs
>> /etc/iked/private
>>
>> If not, what else is needed? Thanks!
>
> You don't need anything from the client (certificates or keys) on the server,
> just the CA certificate, the server certificate, and the server private key.
>
> This is fine if the certificates are signed directly by the CA (as would
> often be the case if using your own standalone CA) but I haven't been able
> to get this working for certs signed by an intermediate 'sub CA' as is
> done for most commercial CAs.
>
>
ikectl ca and subjectAltName for IKEv2 VPNs
Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The subjectAltName can be the same as the CN; it just has to be present.

Questions about this:

1. Does the 'ikectl ca certificate create' command support creation of X.509 certs with a subjectAltName defined in addition to the CN?

If so, what's the syntax?

2. Can a separate standalone CA just create the certs with the necessary SAN fields? Is it as easy as just dropping the root cert, the client certs, and keys in these respective directories?

  /etc/iked/ca
  /etc/iked/certs
  /etc/iked/private

If not, what else is needed? Thanks!

dn

* https://discussions.apple.com/thread/250760557
Re: ERR=20:"unable to get local issuer certificate"
On 11/18/20 8:11 PM, Theo Buehler wrote:
> On Wed, Nov 18, 2020 at 03:16:57PM -0800, David Newman wrote:
>> Do recent complaints about certificate chains [1] [2] also apply when a
>> client running OpenBSD 6.8 uses a self-signed cert, and there are no
>> intermediate certs?
>
> This is unrelated. The complaints you mention are due to a deliberate
> difference between the old TLS stack and the new TLSv1.3 stack that was
> enabled server side in OpenBSD 6.8. We hoped that we could get away
> without auto chain but as it turns out some important enough software
> depends on it...
>
>> Since upgrading to OpenBSD 6.8, a machine running the bacula-client
>> backup package has been throwing "unable to get local issuer
>> certificate" warnings. With the same certs and configuration on OpenBSD
>> 6.7, backups ran to completion without errors or warnings.
>
> OpenBSD 6.8 not only enabled the TLSv1.3 server in libssl, but it also
> includes a new X.509 verifier in libcrypto [1]. This verifier has a
> completely new design to fix major issues with the old one. There are
> some bugs, and in some corner cases we don't match the behavior of the
> old one. Much of this API is undocumented, and we fail to replicate
> behavior that parts of the ecosystem rely on.
>
> The issue you are seeing is known [2] and should be fixed in -current.
> The most important pieces of the puzzle are in [3] and [4]. We will see
> about how best to deal with this and with other problems in 6.8 fairly
> soon.
>
> I don't think you can eliminate this warning without changing either
> libcrypto or your setup.

Thanks, Theo. Your explanation is very clear and I now understand the source of the warning.

dn

>
> [1]: https://undeadly.org/cgi?action=article;sid=20200921105847
> [2]: https://github.com/znc/znc/issues/1763
> [3]: https://marc.info/?l=openbsd-cvs=160546290826930=2
> [4]: https://marc.info/?l=openbsd-cvs=160512059417991=2
>
ERR=20:"unable to get local issuer certificate"
Do recent complaints about certificate chains [1] [2] also apply when a client running OpenBSD 6.8 uses a self-signed cert, and there are no intermediate certs?

Since upgrading to OpenBSD 6.8, a machine running the bacula-client backup package has been throwing "unable to get local issuer certificate" warnings. With the same certs and configuration on OpenBSD 6.7, backups ran to completion without errors or warnings.

I asked previously on bacula-users [3], and was told this is something with LibreSSL 3.2.2. The two citations below are about cert chains, but the only certs here are a single self-signed root cert and a single client cert issued by that CA.

Does something in the certs and/or the config need to change for this to run clean?

dn

[1] https://marc.info/?l=openbsd-misc=160550705202129=2
[2] https://marc.info/?l=libressl=160457839621584=2
[3]
> Director: FreeBSD 12.2, bacula-server-9.6.6 from pkgs
> Client: OpenBSD 6.8, bacula-client-9.6.5 from pkgs
>
> After upgrading a bacula client's OS from OpenBSD 6.7 to 6.8, nightly
> backups run successfully but throw this warning:
>
> ERR=20:"unable to get local issuer certificate"
>
> This setup uses self-signed certificates and worked without errors or
> warnings before this OS upgrade.
>
> There has been no bacula configuration change on either the client or
> director. A diff of the client bacula-fd.conf file (excerpted below)
> before and after the upgrade shows no change.
>
> I tried revoking the old client cert and generating a new one, but this
> had no effect on the warning message.
>
> I also tried command-line "openssl s_client -connect" commands both
> ways. Both connections worked on the respective ports 9101 and 9102.
>
> Besides the bacula client configuration -- which hasn't changed, aside
> from pointing to new certs with the same filenames -- is there something
> else that needs tweaking on the client?
>
> client bacula-fd.conf
>
> Director {
>   Name = nye-dir
>   ..
>
>   TLS Require = yes
>   TLS Enable = yes
>   TLS Verify Peer = yes
>
>   # Allow only the Director to connect
>   TLS Allowed CN = "backups.example.com"
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }
>
> ..
>
> FileDaemon {
>   Name = client-fd
>   FDport = 9102                  # where we listen for the director
>   WorkingDirectory = /var/db/bacula
>   Pid Directory = /var/run
>   Maximum Concurrent Jobs = 20
>
>   TLS Require = yes
>   TLS Enable = yes
>
>   TLS CA Certificate File = /etc/bacula/cacert.pem
>   TLS Certificate = /etc/bacula/client.pem
>   TLS Key = /etc/bacula/client.key
>
> }
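The following is an added example, not code from this thread or the ikectl thread above, and not part of ikectl(8) or bacula. It shows with plain openssl(1) the two checks both threads turn on: whether a certificate actually carries a subjectAltName (the 'grep for DNS:' the ikectl poster wished he had done; the same command works on the files under /etc/iked/certs), and whether a leaf verifies against a single self-signed root, including what error 20, "unable to get local issuer certificate", looks like when the root is not handed to the verifier. It does not reproduce the LibreSSL 3.2.2 verifier corner case Theo describes. The CA name, key sizes, validity periods and temp-directory layout are this example's own choices; iphone.networktest.com is the CN from the ikectl thread.

```sh
#!/bin/sh
# Added example, not from either thread. Builds a throwaway root CA and a
# client certificate with openssl(1), then runs two checks: SAN present?
# and does the leaf verify against the self-signed root? Names, key sizes
# and validity are this example's own choices.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# cert_has_san CERT NAME: succeed if CERT's subjectAltName lists DNS:NAME
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        grep -qE "DNS:$2(,|\$)"
}

# verify_error CERT [CAFILE]: print the X.509 verify error number, 0 if OK.
# Parses the output rather than the exit status, which older openssl(1)
# releases did not set on verification failure.
verify_error() {
    if [ $# -ge 2 ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case $out in
        *": OK") echo 0 ;;
        *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

# 1. Throwaway root CA, self-signed, with explicit CA extensions. A CA
#    cert needs no SAN of its own (the question asked in the ikectl thread).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
    -extfile "$WORK/ca.cnf" -out "$WORK/ca.crt" 2>/dev/null

# 2. Client key and CSR carrying only a CN.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=iphone.networktest.com" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

# 3. Issue it twice from the same CSR: once with a DNS SAN equal to the CN
#    (what iOS wants), once without (what the check must catch).
printf 'subjectAltName=DNS:iphone.networktest.com\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/san.cnf" -out "$WORK/client.crt" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/nosan.crt" 2>/dev/null

for c in client.crt nosan.crt; do
    if cert_has_san "$WORK/$c" iphone.networktest.com; then
        echo "$c: subjectAltName present"
    else
        echo "$c: no subjectAltName for iphone.networktest.com"
    fi
done
# With the root supplied the leaf verifies (error 0); without it the
# verifier cannot find an issuer and reports error 20, the message bacula logged.
echo "verify against ca.crt:  error $(verify_error "$WORK/client.crt" "$WORK/ca.crt")"
echo "verify with no CA file: error $(verify_error "$WORK/client.crt")"
```

To check a deployed setup the same way, point cert_has_san at the leaf and verify_error at the leaf plus the CA file the application is configured with (for bacula, the 'TLS CA Certificate File'); a 20 from the second call with the CA file given means the root being offered does not match the leaf's issuer.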
Re: can't ping CARP interfaces -- SOLVED (VMware issue)
On 4/8/15 2:42 AM, Martin Pieuchot wrote:
> On 07/04/15(Tue) 15:42, David Newman wrote:
>> On 3/30/15 12:54 PM, Martin Pieuchot wrote:
>> [...]
>>
>> Not OK for the carp interfaces.
>>
>> On the production machines I'm replicating here as VMs, it looks like
>> the carp interfaces are bound to themselves -- note that the last
>> column is carp21:
>>
>>   # netstat -nr -f inet | grep 12.20.174.98
>>   12.20.174.98   12.20.174.98   UH   0   14853   -   4 carp21
>
> Which version of OpenBSD are you running here?

5.4

>> But on the similarly configured VM, the carp interface (carp221 in this
>> example) is bound to the lo0 interface:
>>
>>   # netstat -nr -f inet | grep 12.220.174.98
>>   12.220.174.98   00:00:5e:00:01:dd   UHLl   0   0   -   1 lo0
>
> This is the behavior since 5.6.

Ah, OK. Did not see this in the release notes. The production box is still on 5.4, so that could explain the difference.

>>> Now if you configure an IP address of the same subnet on the parent
>>> interface, vic1 in your case, this interface will hold the cloning route
>>> ('C' in your output) and will be used to reach any other address of the
>>> subnet. If you don't do that, then the carp interfaces should hold the
>>> cloning route and their address will be used.
>>
>> In both cases above, the parent and carp interfaces are configured with
>> IP addresses on the same subnet.
>>
>> In the case of the physical (production) machines, other machines on
>> that subnet can ping the carp interface (the virtual IP address shared
>> by two machines with carp interfaces).
>>
>> In the case of the VMs, a machine on that subnet cannot ping the carp
>> interface. I think this is because it's bound to lo0, but I don't know
>> why.
>
> Can you tcpdump your traffic on the CARP node and see what happens to the
> ICMP packets? Do you see requests on the physical interface? On the carp
> one? Do you see a reply?

Now I do, on both CARP and physical interfaces, but for reasons completely unrelated to OpenBSD.

The underlying VM infrastructure is VMware vSphere 5.5. During troubleshooting I tried changing the NIC type from Flexible to E1000E after seeing a report that 'vic' type interfaces don't work:

  http://is.gd/qoG3Sm

And in a very Linux-like way, vSphere changed all the NIC assignments -- vic0 became em3, vic1 became em0, vic1 became em0, and vic3 became em2. Very annoying. I only noticed this when running tcpdump and then comparing MAC addresses with the VM settings.

With the NICs correctly assigned again, ping and CARP work fine, as they should. Sorry for the waste of bandwidth.

For anyone else prototyping CARP on VMware:

1. Use Intel NIC drivers, either E1000 or E1000E (I used the latter), not the vic drivers.

2. The above URL says a virtual switch (or distributed vswitch in my case) needs three settings set to accept (under security settings for the vSwitch or distributed port group):

   - promiscuous mode
   - MAC address changes
   - forged transmits

   In my experience, CARP and pfsync require promiscuous mode and forged transmits but not MAC address changes (makes sense, since CARP nodes share the same virtual MAC and IP address, and thus the MAC address should not change).

3. The above URL recommends setting Net.ReversePathFwdCheckPromisc to 1 on the ESXi host, then disabling and re-enabling promiscuous mode on the vSwitch. In my experience this step is not needed, and CARP came up and transitioned as expected without it.

Again, sorry for the false alarm, but I hope at least these tips will help anyone else doing this on VMware.

dn

>> Here again are the hostname files for the physical and carp interfaces
>> on the VM.
>>
>>   # cat hostname.vic1
>>   inet 12.220.174.99 255.255.255.224 12.220.174.127 up
>>
>>   # backslash added for clarity -- it's 1 line in original
>>   # cat hostname.carp221
>>   inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 \
>>     carpdev vic1 advskew 1 pass **
>>
>>> Does that answer your question?
>>
>> In terms of how CARP works, yes. In terms of why it's bound to lo0
>> here, no, sorry, I'm missing something here.
>
> Routes to local addresses are bound to lo0 because on this particular
> machine you don't need to send the packet to the wire when you want to
> reach your own address. Loopback interfaces are just that, a pipe that
> connects the output of your stack to the input.
>
> But it should not matter in your case.
Re: can't ping CARP interfaces
On 3/30/15 12:54 PM, Martin Pieuchot wrote:
> On 30/03/15(Mon) 11:58, David Newman wrote:
>> On 3/29/15 12:38 PM, mxb wrote:
>>> Probably your PF rules.
>>> put in 'pass quick proto icmp'.
>>
>> No joy. This did not improve on the existing ICMP rule in pf.conf.
>>
>> I think the root problem is that on both firewalls the physical and
>> CARP interface addresses are bound to lo0 instead of vic1.
>>
>> Here both .98 (CARP) and .99 (physical) should be bound to vic1
>> instead of lo0:
>>
>>   netstat -nr -f inet | grep 12.220.174
>>   default            12.220.174.97      UGS    0   4   -   8 vic1
>>   12.220.174.96/27   link#2             UC     2   0   -   4 vic1
>>   12.220.174.98      00:00:5e:00:01:dd  HLl    0   0   -   1 lo0
>>   12.220.174.99      00:50:56:b2:33:0e  UHLl   0   8   -   1 lo0
>>
>>   hostname.vic1:
>>   inet 12.220.174.99 255.255.255.224 12.220.174.127 up
>>
>>   hostname.carp221:
>>   inet 12.220.174.98 255.255.255.224 12.20.174.127 vhid 221 carpdev vic1 advskew 1 pass **
>>
>> CARP is up and MASTER/BACKUP state changes work between boxes, but
>> neither firewall can ping other hosts or vice-versa via the CARP
>> interface.
>>
>> How to get those interfaces to bind to vic1 instead of lo0?
>
> You cannot do that. You're mixing the words interfaces and IP addresses
> which makes things a bit complicated to understand.

OK, and thanks for this, and sorry for the high-latency response.

> Every IP address configured locally will have the l flag in netstat/route
> outputs and will be linked to lo0. They are linked to lo0 to be able to
> use them locally without sending packets to the wire.

OK for the physical interfaces, eg, vic0, vic1

Not OK for the carp interfaces.

On the production machines I'm replicating here as VMs, it looks like the carp interfaces are bound to themselves -- note that the last column is carp21:

  # netstat -nr -f inet | grep 12.20.174.98
  12.20.174.98   12.20.174.98   UH   0   14853   -   4 carp21

But on the similarly configured VM, the carp interface (carp221 in this example) is bound to the lo0 interface:

  # netstat -nr -f inet | grep 12.220.174.98
  12.220.174.98   00:00:5e:00:01:dd   UHLl   0   0   -   1 lo0

> In the case of CARP setups the master and the backup nodes have at least
> one address in common. Which means that pinging this address from any of
> these CARP nodes should not generate packets on the wire.

OK

> Now if you configure an IP address of the same subnet on the parent
> interface, vic1 in your case, this interface will hold the cloning route
> ('C' in your output) and will be used to reach any other address of the
> subnet. If you don't do that, then the carp interfaces should hold the
> cloning route and their address will be used.

In both cases above, the parent and carp interfaces are configured with IP addresses on the same subnet.

In the case of the physical (production) machines, other machines on that subnet can ping the carp interface (the virtual IP address shared by two machines with carp interfaces).

In the case of the VMs, a machine on that subnet cannot ping the carp interface. I think this is because it's bound to lo0, but I don't know why.

Here again are the hostname files for the physical and carp interfaces on the VM.

  # cat hostname.vic1
  inet 12.220.174.99 255.255.255.224 12.220.174.127 up

  # backslash added for clarity -- it's 1 line in original
  # cat hostname.carp221
  inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 \
    carpdev vic1 advskew 1 pass **

> Does that answer your question?

In terms of how CARP works, yes. In terms of why it's bound to lo0 here, no, sorry, I'm missing something here.

dn
Re: can't ping CARP interfaces
On 3/29/15 12:38 PM, mxb wrote:
> Probably your PF rules.
> put in 'pass quick proto icmp'.

No joy. This did not improve on the existing ICMP rule in pf.conf.

I think the root problem is that on both firewalls the physical and CARP interface addresses are bound to lo0 instead of vic1.

Here both .98 (CARP) and .99 (physical) should be bound to vic1 instead of lo0:

  netstat -nr -f inet | grep 12.220.174
  default            12.220.174.97      UGS    0   4   -   8 vic1
  12.220.174.96/27   link#2             UC     2   0   -   4 vic1
  12.220.174.98      00:00:5e:00:01:dd  HLl    0   0   -   1 lo0
  12.220.174.99      00:50:56:b2:33:0e  UHLl   0   8   -   1 lo0

  hostname.vic1:
  inet 12.220.174.99 255.255.255.224 12.220.174.127 up

  hostname.carp221:
  inet 12.220.174.98 255.255.255.224 12.20.174.127 vhid 221 carpdev vic1 advskew 1 pass **

CARP is up and MASTER/BACKUP state changes work between boxes, but neither firewall can ping other hosts or vice-versa via the CARP interface.

How to get those interfaces to bind to vic1 instead of lo0?

Thanks!

dn

>> On 28 mar 2015, at 00:59, David Newman <dnew...@networktest.com> wrote:
>>
>> Greetings. In preparation for upgrading two CARP+pfsync boxes to
>> 5.6/i386, I put together a lab network to test new firewall rules.
>>
>> Topology is pretty simple:
>>
>>   outside box (vic0) - (vic1) two carp boxes (vic0) - inside box
>>
>> with a third interface on each firewall for pfsync traffic.
>>
>> I'm focused here on the outside box pinging the carp box's outside CARP
>> interface. In the lab network everyone can ping everyone else, except
>> for the CARP interfaces -- these are not pingable. Hosts on either side
>> of the firewall can ping the underlying interfaces that the CARP
>> interfaces are bound to.
>>
>> Also, 'netstat -f inet -nr' shows that CARP interfaces are bound to lo0.
>> On the production boxes these systems model, carp interfaces are bound
>> to the underlying physical interfaces.
>>
>> tcpdump on the physical interface of the master firewall says the
>> outside box ARPs for the CARP interface, and the firewall sends an ARP
>> response with the CARP interface's IP and MAC addresses.
>>
>> Thanks in advance for troubleshooting clues -- this is almost certainly
>> a misconfiguration but I'm not sure where.
>>
>> dn
>>
>> Outside box's hostname.vic0:
>>   inet 12.220.174.101 255.255.255.224 12.220.174.127
>>
>> FW1 hostname.vic1:
>>   inet 12.220.174.99 255.255.255.224 12.220.174.127
>>
>> FW1 hostname.carp221:
>>   inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1 pass * carpdev vic1 carppeer 12.220.174.100
>>
>> FW1 ifconfig vic1:
>>   vic1: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>>           lladdr 00:50:56:b2:33:0e
>>           priority: 0
>>           groups: egress
>>           media: Ethernet autoselect
>>           status: active
>>           inet 12.220.174.99 netmask 0xffffffe0 broadcast 12.220.174.127
>>
>> FW1 ifconfig carp221:
>>   net 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1 pass w00h00 carpdev vic1 carppeer 12.220.174.100
>>   # ifconfig carp221
>>   carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>>           lladdr 00:00:5e:00:01:dd
>>           priority: 0
>>           carp: MASTER carpdev vic1 vhid 221 advbase 1 advskew 1 carppeer 12.220.174.100
>>           groups: carp
>>           status: master
>>           inet 12.220.174.98 netmask 0xffffffe0 broadcast 12.220.174.127
>>
>> FW1 netstat -f inet -nr:
>>   # netstat -f inet -nr
>>   Routing tables
>>
>>   Internet:
>>   Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
>>   default            12.220.174.97      UGS        0       38     -     8 vic1
>>   12.220.174.96/27   link#2             UC         2        0     -     4 vic1
>>   12.220.174.98      00:00:5e:00:01:dd  HLl        0        0     -     1 lo0   # <-- NOTE lo0 BINDING
>>   12.220.174.99      00:50:56:b2:33:0e  UHLl       0        0     -     1 lo0
>>   12.220.174.100     00:50:56:b2:32:94  UHLc       0      274     -     4 vic1
>>   12.220.174.101     00:50:56:b2:5e:b5  UHLc       0        5     -     4 vic1
>>   127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
>>   127.0.0.1          127.0.0.1          UH         1        4 32768     4 lo0
>>
>> FW2 hostname.vic1:
>>   inet 12.220.174.100 255.255.255.224 12.220.174.127
>>
>> FW2 hostname.carp221:
>>   inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 128 pass * carpdev vic1 carppeer 12.220.174.99
>>
>> FW2 ifconfig carp221:
>>   carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>>           lladdr 00:00:5e:00:01:dd
>>           priority: 0
>>           carp: BACKUP carpdev vic1 vhid 221 advbase 1 advskew 128 carppeer 12.220.174.99
>>           groups: carp
>>           status: backup
>>           inet 12.220.174.98 netmask 0xffffffe0 broadcast 12.220.174.127
>>
>> pf.conf on both boxes:
>>
>>   # interfaces
>>   pfsync0_if = vic2
>>   carp_dev = { vic0, vic1 }
>>
>>   set skip on lo
>>
>>   ##
>>   # Packet filtering
>>   ##
>>   block return   # block stateless
can't ping CARP interfaces
Greetings. In preparation for upgrading two CARP+pfsync boxes to 5.6/i386, I put together a lab network to test new firewall rules. Topology is pretty simple:

outside box (vic0) - (vic1) two carp boxes (vic0) - inside box

with a third interface on each firewall for pfsync traffic.

I'm focused here on the outside box pinging the carp box's outside CARP interface. In the lab network everyone can ping everyone else, except for the CARP interfaces -- these are not pingable. Hosts on either side of the firewall can ping the underlying interfaces that the CARP interfaces are bound to.

Also, 'netstat -f inet -nr' shows that CARP interfaces are bound to lo0. On the production boxes these systems model, carp interfaces are bound to the underlying physical interfaces.

tcpdump on the physical interface of the master firewall says the outside box ARPs for the CARP interface, and the firewall sends an ARP response with the CARP interface's IP and MAC addresses.

Thanks in advance for troubleshooting clues -- this is almost certainly a misconfiguration but I'm not sure where.

dn

Outside box's hostname.vic0:
inet 12.220.174.101 255.255.255.224 12.220.174.127

FW1 hostname.vic1:
inet 12.220.174.99 255.255.255.224 12.220.174.127

FW1 hostname.carp221:
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1 pass * carpdev vic1 carppeer 12.220.174.100

FW1 ifconfig vic1:
vic1: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:50:56:b2:33:0e
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 12.220.174.99 netmask 0xffe0 broadcast 12.220.174.127

FW1 ifconfig carp221:
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1 pass w00h00 carpdev vic1 carppeer 12.220.174.100
# ifconfig carp221
carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:5e:00:01:dd
        priority: 0
        carp: MASTER carpdev vic1 vhid 221 advbase 1 advskew 1 carppeer 12.220.174.100
        groups: carp
        status: master
        inet 12.220.174.98 netmask 0xffe0 broadcast 12.220.174.127

FW1 netstat -f inet -nr:
# netstat -f inet -nr
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            12.220.174.97      UGS        0       38     -     8 vic1
12.220.174.96/27   link#2             UC         2        0     -     4 vic1
12.220.174.98      00:00:5e:00:01:dd  HLl        0        0     -     1 lo0   # -- NOTE lo0 BINDING
12.220.174.99      00:50:56:b2:33:0e  UHLl       0        0     -     1 lo0
12.220.174.100     00:50:56:b2:32:94  UHLc       0      274     -     4 vic1
12.220.174.101     00:50:56:b2:5e:b5  UHLc       0        5     -     4 vic1
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UH         1        4 32768     4 lo0

FW2 hostname.vic1:
inet 12.220.174.100 255.255.255.224 12.220.174.127

FW2 hostname.carp221:
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 128 pass * carpdev vic1 carppeer 12.220.174.99

FW2 ifconfig carp221:
carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:5e:00:01:dd
        priority: 0
        carp: BACKUP carpdev vic1 vhid 221 advbase 1 advskew 128 carppeer 12.220.174.99
        groups: carp
        status: backup
        inet 12.220.174.98 netmask 0xffe0 broadcast 12.220.174.127

pf.conf on both boxes:

# interfaces
pfsync0_if = vic2
carp_dev = { vic0, vic1 }

set skip on lo

##
# Packet filtering
##

block return    # block stateless traffic
#pass           # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# icmp handling -- FIX THIS to specify ICMP types
pass log inet proto icmp all

# carp and pfsync
pass on { $pfsync0_if } proto pfsync
pass on $carp_dev proto carp

FW1 dmesg:
OpenBSD 5.6 (GENERIC.MP) #299: Fri Aug 8 00:10:33 MDT 2014
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5649 @ 2.53GHz (GenuineIntel 686-class) 2.54 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,NXE,LONG,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,LAHF,PERF,ITSC
real mem = 536309760 (511MB)
avail mem = 515063808 (491MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/14/14, BIOS32 rev. 0 @ 0xfd780, SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 04/14/2014
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3) S4F0(S3)
Re: carppeer and IPv6
I asked about this awhile back but didn't get an answer: Is carppeer supported with IPv6?

The ifconfig(8) manpage talks about using carppeer as an alternative to IPv4 multicast traffic but doesn't say anything about v6.

With the same syntax for v4 and v6 in a hostname.carpX file (see below), running 'sh /etc/netstart carpX' on that interface returns this error:

ifconfig: error in parsing address string: no address associated with name

The error goes away if the IPv6 line is commented out, or if it's left in but without the carppeer part.

I'm looking to use unicast rather than multicast for carp for both v4 and v6 interfaces. Is this supported in the release versions of 5.1 or 5.2?

Thanks

dn

On 11/1/12 4:39 PM, David Newman wrote:
> OpenBSD 5.1 / i386, two boxes connected using CARP/pfsync. There are VLANs on the physical interfaces, and CARP interfaces on the VLAN interfaces. Both boxes run dual stack on VLAN and CARP interfaces. This all works fine.
>
> To get rid of multicast CARP traffic, I tried using the carppeer keyword in hostname.carpXX files, like this:
>
> inet 172.31.16.1 255.255.255.0 172.31.16.255 vhid 16 \
>     advskew 1 pass WouldntYouLikeToKnow carpdev vlan16 \
>     carppeer 172.31.16.3
> inet6 2604:0:c2:10::1 64 vhid 16 advskew 1 pass \
>     WouldntYouLikeToKnow carpdev vlan16 carppeer 2604:0:c2:10::3
>
> Problem is, after running 'sh /etc/netstart vlan16' and 'sh /etc/netstart/carp16' I still see multicast CARP packets, but now only from the link-local address.
>
> Questions:
>
> 1. Why would the command 'sh /etc/netstart carp16' return the error 'ifconfig: error in parsing address string: no address associated with name'? I can ping6 the carppeer 2604:0:c2:10::3 from this box.
>
> 2. Are multicast CARP frames from the link-local address expected behavior?
>
> 3. If so, is there any way to disable that behavior?
>
> Thanks!
>
> dn
carppeer and IPv6
OpenBSD 5.1 / i386, two boxes connected using CARP/pfsync. There are VLANs on the physical interfaces, and CARP interfaces on the VLAN interfaces. Both boxes run dual stack on VLAN and CARP interfaces. This all works fine.

To get rid of multicast CARP traffic, I tried using the carppeer keyword in hostname.carpXX files, like this:

inet 172.31.16.1 255.255.255.0 172.31.16.255 vhid 16 \
    advskew 1 pass WouldntYouLikeToKnow carpdev vlan16 \
    carppeer 172.31.16.3
inet6 2604:0:c2:10::1 64 vhid 16 advskew 1 pass \
    WouldntYouLikeToKnow carpdev vlan16 carppeer 2604:0:c2:10::3

Problem is, after running 'sh /etc/netstart vlan16' and 'sh /etc/netstart/carp16' I still see multicast CARP packets, but now only from the link-local address.

Questions:

1. Why would the command 'sh /etc/netstart carp16' return the error 'ifconfig: error in parsing address string: no address associated with name'? I can ping6 the carppeer 2604:0:c2:10::3 from this box.

2. Are multicast CARP frames from the link-local address expected behavior?

3. If so, is there any way to disable that behavior?

Thanks!

dn
Re: IPv6 and carp(4) problems
On 10/25/11 6:20 PM, Jussi Peltola wrote:
> I had some similar looking problems some releases back. Using a separate carp if for ipv6 mostly fixed it. Didn't write down the exact problem, though.

Had a similar issue awhile back, with duplicate messages due to both pf boxes thinking they were master. The root cause was a lack of MLD support on the switch connecting them. When I rolled back to v4 and IGMP, everything worked fine again.

Jussi and I discussed this in an earlier thread:

http://marc.info/?l=openbsd-misc&m=131104609321662&w=4

He suggests using carppeer as a possible workaround but I haven't tried that. Swapping in a switch with MLD support stopped the carp flapping for me, and now carp works fine with both v4 and v6 interfaces.

dn
Re: Can I use carp with just one public IP?
On 10/9/11 11:08 AM, rik wrote:
> i'm not doing load balance, just active/passive router/firewall configuration, but we're using only one ip on carp, with no ip address on the physical interfaces.

+1

We set up CARP on unnumbered interfaces all the time. Works fine.

This is useful if, for example, a pair of routers running CARP sits on a /30 network, where there's not enough address space to define virtual and physical addresses.

This also works with VLANs; in that case, leave the physical and VLAN addresses unnumbered if necessary.

dn
Re: OpenBSD on Dell PowerEdge
On 8/9/11 3:12 PM, Stuart Henderson wrote:
>> bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1 (0x4201): apic 2 int 16 (irq 15), address 00:25:64:3c:c1:0a
>> brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
>> bge1 at pci5 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1 (0x4201): apic 2 int 17 (irq 14), address 00:25:64:3c:c1:0b
>> brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
>
> vlans work totally fine for me on an R200 with this nic (same device id and revision), double-check your switch configs etc.

Same here with Dell OEM CR100s, which also use the same Broadcom chips. These support VLANs just fine.

dn
Re: dual-stack IPv4/IPv6 CARP SOLVED
On 7/31/11 4:02 PM, Jussi Peltola wrote:
> On Sun, Jul 31, 2011 at 02:16:15PM -0700, David Newman wrote:
>> 2. CARP heartbeat messages use multicast. This means a switch with dual-stack CARP-attached devices should support not only IGMP snooping for IPv4 but also MLD snooping for IPv6.
>
> Hmm. carppeer does not seem to like an inet6 address to work around that. I wonder what happens if you dual-stack a carp interface with a carppeer - I remember having some mysterious issues after which I've been running a separate carp if for ipv6. OTOH I have dual-stacked carppeer-less carp if's that show no problems. Perhaps I can find time to investigate.

Can't say; I've never used carppeer. If it's used with a multicast group address I would think the switch would need to support MLD for this to work with IPv6. The only exception I can think of is with a crummy switch that just floods multicast frames everywhere, same as broadcast.

dn
dual-stack IPv4/IPv6 CARP
4.9-release

Greetings. I'm looking to configure IPv6 in addition to IPv4 on a two-box pf setup that uses CARP and pfsync. The systems have multiple VLANs, which are bound to physical interfaces, and the CARP interfaces in turn are bound to the VLAN interfaces. There is no dynamic routing protocol such as OSPF or BGP. This all works OK with IPv4.

Here are my questions:

1. What's the syntax for adding v6 to the CARP interfaces? Is it sufficient to add an inet6 alias, something like this:

inet 666.1.2.3 255.255.255.0 666.1.2.255 vhid 100 carpdev bge0 advskew 1 pass GoogleMinus
inet6 alias 2011:0:1:2::2 64

Or does each address require carp credentials, like this:

inet 666.1.2.3 255.255.255.0 666.1.2.255 vhid 100 carpdev vlan1001 advskew 1 pass GoogleMinus
inet6 2011:0:1:2::3 64 vhid 100 carpdev bge0 advskew 1 pass GoogleMinus

Or does the v6 address require a separate CARP hostname.carpXX interface?

2. Same question regarding aliases for the VLAN interfaces. Is something like this sufficient?

inet 666.1.2.4 255.255.255.0 666.1.2.255 vlan 1000 vlandev bge0
inet6 alias 2001:0:f0:0d::82 64

Or do the VLAN interfaces also require something more than an alias?

3. One of the existing CARP interfaces is on a /30 network so there's no IPv4 address configured on the physical interface it uses. (There's no VLAN interface in this case, either; the CARP interface is bound to the physical interface.) Will the same setup work with a dual stack setup, where v4 and v6 CARP addresses are bound to an unnumbered physical interface?

Many thanks.

dn
Re: OT - gmail alternatives
On 12/9/10 12:34 PM, Kapetanakis Giannis wrote:
> On 09/12/10 17:07, Gilles Chehade wrote:
>> Own box :-)
>>
>> lhmaig...@netvisao.pt wrote:
>
> That's of course the best solution. But YOU have to make it secure and private. If you're not able to do this yourself, then your best option is to choose a strong password and change it often. Also you have to trust the machine and the browser you're logging in from, to be clean and secure. So no logins from your friend's (hacker wannabe) laptop.

The private part may introduce a false sense of security.

While it's easy enough to set up authentication and encryption between your clients and your mail server, it's pretty much a sure thing that some (and most likely all) connections *between* mail servers will send stuff in the clear. Unless you're only exchanging mail with other servers that use the same auth/crypto that you have, the privacy ends at the mail server.

Of course client privacy is much better than nothing (especially for connections over scary coffee-shop Wi-Fi etc.) but end-to-end privacy requires something else, like encrypting mail before it leaves the client.

dn
Re: flushing an errant resolver
On 11/25/10 2:47 PM, Stuart Henderson wrote:
> Postfix - the network daemons are most likely chroot'ed to /var/spool/postfix and there will be an etc/resolv.conf in the jail.

Bingo. It's coming up on 17 hours since changing this and restarting postfix. So far there haven't been any more queries to Google.

Thanks to all who responded, both on the list and in private.

dn
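The fix above turns on a general point: a chrooted daemon reads the copy of resolv.conf inside its jail, so a nameserver removed from /etc/resolv.conf can live on there. The following check, added here and not part of the thread, compares the system file against jail copies and reports any nameserver that survives only in a jail. The postfix jail path is the one named in the thread; the sample files built by demo_stale_resolvers are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find resolv.conf copies inside chroot
# jails that still list a nameserver the system-wide /etc/resolv.conf dropped.
# The postfix jail path comes from the thread; the demo contents are constructed.

# nameservers FILE: print the nameserver addresses listed in a resolv.conf,
# one per line; an unreadable or missing file yields nothing.
nameservers() {
    [ -r "$1" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# stale_resolvers SYSTEM_RESOLV JAIL_RESOLV...: print "jailfile address" for
# every nameserver a jail copy lists that the system-wide file no longer does.
# Returns 1 if anything stale was found, 0 otherwise.
stale_resolvers() {
    sys=$1; shift
    found=0
    for jail in "$@"; do
        for ns in $(nameservers "$jail"); do
            if ! nameservers "$sys" | grep -qxF "$ns"; then
                echo "$jail $ns"
                found=1
            fi
        done
    done
    return "$found"
}

# Jail copies to check on a live host. Only the postfix one is named in the
# thread; add the etc/resolv.conf of any other chrooted daemon on your box.
JAIL_RESOLV_FILES="/var/spool/postfix/etc/resolv.conf"

# check_host: compare /etc/resolv.conf against the jail copies listed above.
check_host() {
    # word splitting of $JAIL_RESOLV_FILES is intentional
    stale_resolvers /etc/resolv.conf $JAIL_RESOLV_FILES
}

# demo_stale_resolvers: constructed reproduction of the thread's situation,
# a cleaned-up system file beside a postfix jail copy still listing 8.8.8.8.
demo_stale_resolvers() {
    d=$(mktemp -d) || return 2
    printf 'nameserver 10.0.0.53\n' > "$d/resolv.conf"
    mkdir -p "$d/var/spool/postfix/etc"
    printf 'nameserver 10.0.0.53\nnameserver 8.8.8.8\n' \
        > "$d/var/spool/postfix/etc/resolv.conf"
    stale_resolvers "$d/resolv.conf" "$d/var/spool/postfix/etc/resolv.conf"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Run check_host after every edit of /etc/resolv.conf; a non-zero exit with a printed "jailfile address" pair tells you which jail copy to update before restarting the daemon.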
flushing an errant resolver
Greetings. I manage a mail server running OpenBSD 4.5 i386. For various layer-9 reasons I cannot reboot the server at this time let alone upgrade it. I can stop and restart processes.

Awhile back when changing ISPs I temporarily added Google's public nameserver at 8.8.8.8 to /etc/resolv.conf. Although that entry is long gone the server continues to send DNS queries to 8.8.8.8.

I've also tried running sh /etc/netstart and restarting the postfix and dovecot services on this box, but that didn't clear this behavior.

My questions:

1. How to flush the resolver so it won't use this nameserver any longer?

2. How to determine which process(es) is/are making calls to the Google nameserver?

thanks

dn
complete restore using NFS
How to restore entire partitions using NFS?

When booting the install disk into the shell and bringing up a network interface, an NFS mount command returns an error:

# mkdir /store
# mount -t nfs -o rw 10.41.2.3:/store /store
mount: no mount helper program found for nfs: No such file or directory

I am attempting to do a complete restore of all partitions following the dump/restore procedure in the FAQ, but using NFS instead of tape:

http://www.openbsd.org/faq/faq14.html#Backup

The fdisk, disklabel and newfs commands all worked OK, but getting to the dump images, available on an NFS server, is a problem.

How to reach that server when in shell mode? Or is there another way to do this?

thanks

dn
Re: complete restore using NFS
On 8/2/09 12:11 PM, Nick Bender wrote:
>> How to reach that server when in shell mode? Or is there another way to do this?
>
> NFS isn't available on the install media, and neither is ssh. If the server has ftp or http then you can use ftp like:
>
> ftp -o - http://someserver/part.dump | restore ...

Thanks, this worked fine.

This method does require one possible change from the FAQ:

http://www.openbsd.org/faq/faq14.html#Backup

After restoring root and rebooting into single-user mode to restore the other partitions, ftp isn't available since we haven't yet restored /usr. Options are either to restore all partitions from the shell with ftp, or reboot into single-user mode and use some other means to restore the other partitions. I did the latter, using NFS.

Thanks again.

dn
Re: how to debug 'starting network' hangs
On 6/18/09 4:36 AM, Tom wrote:
>> # start openvpn
>> #
>> if [ -x /usr/local/sbin/openvpn ]; then
>>         /usr/local/sbin/openvpn --config /opt/openvpn-2.0/server.conf
>>         echo 'opening openvpn server...'
>> else
>>         echo 'ERROR: cannot start openvpn; file /usr/local/sbin/openvpn is missing.'
>> fi
>
> Don't start openvpn there. Stick it in your /etc/hostname.tunX file like so:
>
> up
> !/usr/local/sbin/openvpn --daemon openvpn --config /opt/openvpn-2.0/server.conf
>
> The reason being, is when OpenVPN starts, it destroys then recreates the tun interface, which makes pf throw a wobbler. I ran into this problem too. It also made other weird stuff happen, like pfctl -vsq showing an invalid file descriptor. Sticking it in the hostname.tun* file sorts that problem out.

Thanks much. This never worked from rc.local, even though the package install says to do it that way. I always had to start OpenVPN manually after bootup.

There is a race condition with the hostname.tun0 method when boxes also use carp and pfsync. After a reboot, a box initially comes up with carp interfaces in BACKUP state. The carp interfaces will quickly transition to MASTER state if they have the lowest advskew value, but before then hostname.tun0 has already tried and failed to get OpenVPN running.

Here is the error log from OpenVPN:

Thu Jun 18 13:44:34 2009 OpenVPN 2.1_rc15 i386-unknown-openbsd4.5 [SSL] [LZO1] built on Mar 1 2009
openvpn: writing to routing socket: No such process
Thu Jun 18 13:44:34 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jun 18 13:44:34 2009 Diffie-Hellman initialized with 2048 bit key
Thu Jun 18 13:44:34 2009 TLS-Auth MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jun 18 13:44:34 2009 TCP/UDP: Socket bind failed on local address 10.0.0.1:53962: Can't assign requested address
Thu Jun 18 13:44:34 2009 Exiting

The (obfuscated) address of 10.0.0.1 is a problem -- that's a carp address, and at the time this is run the other carp/pfsync box owns it because it's in MASTER state. Not sure about the routing socket error on the second line.

If I manually run 'sh /etc/netstart tun0' after the carp interfaces come up as MASTER all is good, but that's no better than starting manually as before.

Thanks in advance for any clues on getting OpenVPN and carp/pfsync to play nice together.

> (I think this should be documented somewhere, maybe in the OpenBSD FAQ)

It certainly belongs in the package documentation, which currently suggests adding startup lines into rc.local. I can write this up once I get it working with carp/pfsync.

dn

> Tom
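The race described in this message is an ordering problem: the daemon binds to a carp address before the interface has become MASTER. One way to make that ordering explicit is to gate the daemon start on the carp state reported by ifconfig(8), as in the following script, which is added here and is not from the thread or the OpenVPN package. It assumes the ifconfig output format quoted in this thread ("carp: MASTER carpdev vlan10 vhid 203 ..."); the interface name, timeout, install path and the backgrounded hostname.tun0 line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): start a daemon only once a carp(4)
# interface reports MASTER, the ordering this thread says OpenVPN needs when
# it binds to a carp address. Assumes OpenBSD ifconfig(8) output of the form
# "carp: MASTER carpdev vlan10 vhid 203 advbase 1 advskew 1" as quoted in
# the thread. Interface names, timeouts and the install path are constructed.

# carp_state_from_output: read ifconfig output on stdin and print the carp
# state in lower case (master, backup, init); "unknown" if no carp line exists.
carp_state_from_output() {
    awk '$1 == "carp:" { state = tolower($2) }
         END { print (state == "" ? "unknown" : state) }'
}

# carp_state IFACE: carp state of a live interface on this host.
carp_state() {
    ifconfig "$1" 2>/dev/null | carp_state_from_output
}

# wait_for_master IFACE TIMEOUT: poll once a second until IFACE is master.
# CARP_PROBE names the probe function (default carp_state) so the loop can be
# exercised without a real carp interface. Returns 0 on master, 1 on timeout.
wait_for_master() {
    iface=$1; limit=$2; waited=0
    while :; do
        [ "$("${CARP_PROBE:-carp_state}" "$iface")" = "master" ] && return 0
        [ "$waited" -ge "$limit" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# carp_gate IFACE TIMEOUT CMD...: exec CMD once IFACE is master, otherwise
# give up with a message. On the BACKUP box the daemon therefore never
# starts, which is what an active/passive pair wants.
carp_gate() {
    iface=$1; limit=$2; shift 2
    if ! wait_for_master "$iface" "$limit"; then
        echo "carp_gate: $iface not MASTER after ${limit}s, not starting: $*" >&2
        return 1
    fi
    exec "$@"
}

# Constructed usage from /etc/hostname.tun0, backgrounded so netstart does
# not block on the wait ("carp2" is assumed to be the carp interface owning
# the 10.0.0.1 address from the thread):
#   !/usr/local/sbin/carp-gate carp2 60 /usr/local/sbin/openvpn --daemon openvpn --config /opt/openvpn-2.0/server.conf &
# When installing this file as /usr/local/sbin/carp-gate, uncomment:
# carp_gate "$@"
```

A box that stays BACKUP for the whole timeout logs the refusal to stderr and starts nothing, so a failover that happens later still needs a trigger of its own; this script only fixes the boot-time ordering.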
Re: how to debug 'starting network' hangs
On 6/16/09 10:07 PM, Jason Dixon wrote:
> I would suggest booting into single-user and using netstart for each of the physical and carp interfaces until you find out where your misconfiguration is. Set it all up manually, document it, then use hostname.* to properly bring up your interfaces and routes. Get rid of that junk in rc.local.

Sweet! With proper hostname.* files there are no more hangs. Thanks for the pointer on what to fix.

One other question, not covered in the FAQ: Is rc.local the proper place for adding a static route and dhcrelay commands? If not, where do these belong?

thanks again

dn
how to debug 'starting network' hangs
Running 4.5/i386 on a pair of firewalls using pf and carp and pfsync (and also multiple VLANs).

After a reboot, either system will hang at 'starting network' until pressing Ctrl-C at the console. (By 'hang' I mean no action for at least 60 minutes; I have not waited longer than that.)

Initially I thought this was because of a hostname resolution problem, but pf.conf and resolv.conf contain only IP addresses, not hostnames. Also, 'pfctl -f /etc/pf.conf' runs OK from the console. Same deal with 'sh /etc/netstart' and the OpenVPN stuff in rc.local, pasted below.

Presumably something is broken after /etc/rc says 'starting network', but what? I've read on this list one should never edit /etc/rc.

Thanks in advance for suggested techniques for debugging and fixing the hang behavior.

dn

ps. FWIW I've pasted the contents of /etc/rc.local below. Addresses and passwords have been obfuscated.

echo -n 'starting local daemons:'

# Add your local startup actions here.

echo '.'

# VLAN config
ifconfig vlan10 10.0.0.2 netmask 255.255.255.0 vlan 10 vlandev bge1
ifconfig vlan11 10.0.1.2 netmask 255.255.255.0 vlan 11 vlandev bge1
ifconfig vlan12 10.0.2.2 netmask 255.255.255.0 vlan 12 vlandev bge1
ifconfig vlan13 10.0.3.2 netmask 255.255.255.0 vlan 13 vlandev bge1
ifconfig vlan14 10.0.128.2 netmask 255.255.255.0 vlan 14 vlandev bge1

# 07/16/06 CARP config is here to avoid hacking netstart
ifconfig carp2 inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255 vhid 203 advskew 1 pass seekret123 carpdev vlan10
ifconfig carp3 inet 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255 vhid 204 advskew 1 pass seekret123 carpdev vlan11
ifconfig carp4 inet 10.0.2.1 netmask 255.255.255.0 broadcast 10.0.2.255 vhid 205 advskew 1 pass seekret123 carpdev vlan12
ifconfig carp5 inet 10.0.3.1 netmask 255.255.255.0 broadcast 10.0.3.255 vhid 206 advskew 1 pass seekret123 carpdev vlan13
ifconfig carp6 inet 10.0.128.1 netmask 255.255.255.0 broadcast 10.0.128.255 vhid 207 advskew 1 pass seekret123 carpdev vlan14

# sample static routes
/sbin/route add -net 10.0.0.0/16 10.0.1.158
# to do -- add other static routes

# DHCP helper addresses
dhcrelay -i vlan10 10.0.0.103
dhcrelay -i vlan11 10.0.0.103
dhcrelay -i vlan12 10.0.0.103
dhcrelay -i vlan13 10.0.0.103
dhcrelay -i vlan14 10.0.0.103

# start openvpn
#
if [ -x /usr/local/sbin/openvpn ]; then
        /usr/local/sbin/openvpn --config /opt/openvpn-2.0/server.conf
        echo 'opening openvpn server...'
else
        echo 'ERROR: cannot start openvpn; file /usr/local/sbin/openvpn is missing.'
fi

# start bacula
if [ -x /usr/local/libexec/bacula/bacula-ctl-fd ]; then
        /usr/local/libexec/bacula/bacula-ctl-fd start
        echo -n ' bacula-fd'
fi

# start net-snmp
if [ -x /usr/local/sbin/snmpd ]; then
        echo -n ' snmpd'; /usr/local/sbin/snmpd
fi

# start apcupsd
# Start the UPS daemon. Do not remove the 'TAG_APCUPSD' text
if [ -x /etc/rc.apcupsd ]; then         # TAG_APCUPSD
        /etc/rc.apcupsd start           # TAG_APCUPSD
fi                                      # TAG_APCUPSD
Re: how to debug 'starting network' hangs
On 6/16/09 4:36 PM, Jason Dixon wrote:
> On Tue, Jun 16, 2009 at 03:47:47PM -0700, David Newman wrote:
>> Running 4.5/i386 on a pair of firewalls using pf and carp and pfsync (and also multiple VLANs).
>>
>> After a reboot, either system will hang at 'starting network' until pressing Ctrl-C at the console. (By 'hang' I mean no action for at least 60 minutes; I have not waited longer than that.)
>>
>> Initially I thought this was because of a hostname resolution problem, but pf.conf and resolv.conf contain only IP addresses, not hostnames. Also, 'pfctl -f /etc/pf.conf' runs OK from the console. Same deal with 'sh /etc/netstart' and the OpenVPN stuff in rc.local, pasted below.
>>
>> Presumably something is broken after /etc/rc says 'starting network', but what? I've read on this list one should never edit /etc/rc.
>
> You've given us no information about your hostname.* files. How could we possibly help diagnose problems starting your network?

With addresses and passwords obfuscated, these are pasted below.

>> ps. FWIW I've pasted the contents of /etc/rc.local below. Addresses and passwords have been obfuscated.
>
> Why are you starting your network interfaces and adding routes in rc.local?

I maintain these systems, but did not do the initial setup or configuration.

> Have you read the FAQ to learn how OpenBSD networking is configured?

Yes, and read the ifconfig and rc and pf.conf manpages and searched the misc mailing list on marc.info. I saw info on pf and carp and pfsync and VLANs, but not on how they work together.

dn

hostname.bge0 -- unprotected physical interface
inet 666.1.2.188 255.255.255.192 NONE

hostname.bge1 -- protected physical interface
inet 10.0.127.1 255.255.255.0 NONE

hostname.carp1 -- unprotected logical interface
inet 666.1.2.130 255.255.255.192 666.1.2.191 vhid 202 carpdev bge0 advskew 1 pass sekret123

hostname.em0 -- pfsync physical interface
inet 192.18.0.1 255.255.255.0 NONE media autoselect

hostname.pfsync0 -- pfsync logical interface
up syncdev em0

and here is /etc/rc.local again. I do not know why the consultant who set up these machines put some carp interfaces here rather than in hostname files.

echo -n 'starting local daemons:'

# Add your local startup actions here.

echo '.'

# VLAN config
ifconfig vlan10 10.0.0.2 netmask 255.255.255.0 vlan 10 vlandev bge1
ifconfig vlan11 10.0.1.2 netmask 255.255.255.0 vlan 11 vlandev bge1
ifconfig vlan12 10.0.2.2 netmask 255.255.255.0 vlan 12 vlandev bge1
ifconfig vlan13 10.0.3.2 netmask 255.255.255.0 vlan 13 vlandev bge1
ifconfig vlan14 10.0.128.2 netmask 255.255.255.0 vlan 14 vlandev bge1

# 07/16/06 CARP config is here to avoid hacking netstart
ifconfig carp2 inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255 vhid 203 advskew 1 pass seekret123 carpdev vlan10
ifconfig carp3 inet 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255 vhid 204 advskew 1 pass seekret123 carpdev vlan11
ifconfig carp4 inet 10.0.2.1 netmask 255.255.255.0 broadcast 10.0.2.255 vhid 205 advskew 1 pass seekret123 carpdev vlan12
ifconfig carp5 inet 10.0.3.1 netmask 255.255.255.0 broadcast 10.0.3.255 vhid 206 advskew 1 pass seekret123 carpdev vlan13
ifconfig carp6 inet 10.0.128.1 netmask 255.255.255.0 broadcast 10.0.128.255 vhid 207 advskew 1 pass seekret123 carpdev vlan14

# sample static routes
/sbin/route add -net 10.0.0.0/16 10.0.1.158
# to do -- add other static routes

# DHCP helper addresses
dhcrelay -i vlan10 10.0.0.103
dhcrelay -i vlan11 10.0.0.103
dhcrelay -i vlan12 10.0.0.103
dhcrelay -i vlan13 10.0.0.103
dhcrelay -i vlan14 10.0.0.103

# start openvpn
#
if [ -x /usr/local/sbin/openvpn ]; then
        /usr/local/sbin/openvpn --config /opt/openvpn-2.0/server.conf
        echo 'opening openvpn server...'
else
        echo 'ERROR: cannot start openvpn; file /usr/local/sbin/openvpn is missing.'
fi

# start bacula
if [ -x /usr/local/libexec/bacula/bacula-ctl-fd ]; then
        /usr/local/libexec/bacula/bacula-ctl-fd start
        echo -n ' bacula-fd'
fi

# start net-snmp
if [ -x /usr/local/sbin/snmpd ]; then
        echo -n ' snmpd'; /usr/local/sbin/snmpd
fi

# start apcupsd
# Start the UPS daemon. Do not remove the 'TAG_APCUPSD' text
if [ -x /etc/rc.apcupsd ]; then         # TAG_APCUPSD
        /etc/rc.apcupsd start           # TAG_APCUPSD
fi                                      # TAG_APCUPSD
Re: pf visualization
On 8/28/08 10:22 AM, Parvinder Bhasin wrote:
> perhaps pfsysinfo and pfstat. Some of the stuff you'll have to make your own graphs.
>
> -Parvinder Bhasin
>
> On Aug 28, 2008, at 8:24 AM, Stephan A. Rickauer wrote:
>> I am curious what tools people here use to visualize pf-generated logs and/or live traffic. What i'm basically looking for is a tool, that provides various stats about a pf firewall usage in a graphical way, but not only 'bytes in/bytes out' (i have that using snmp/cacti) but more detailed stuff like protocol and port distribution, IP based stats and whatnot.
>>
>> Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and ntop ;)

Gave up on pfstat because of a need to watch multiple interfaces.

Currently using packetmischief's pf MIB with cacti:

http://www.packetmischief.ca/openbsd/snmp/#pfmib

It's working OK.

dn
installing ports across multiple machines
Two 4.3/i386 machines, one with enough disk space for the ports collection and the other with hardly any disk. I'm looking to install the net-snmp port with the packetmischief patches onto the smaller machine.

I tried using NFS, mounting the /usr/ports directory read-write as root:

on server's /etc/exports:
/usr/ports -alldirs -network=666.2.1.0 -mask=255.255.255.0

on client:
mount -t nfs 666.2.1.46:/usr/ports /usr/ports

But this produced permissions errors:

# make install
mkdir: /usr/ports/net/net-snmp/w-net-snmp-5.4.1: Permission denied
mkdir: /usr/ports/net/net-snmp/w-net-snmp-5.4.1: Permission denied
*** Error code 1

Stop in /usr/ports/net/net-snmp (line 1913 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Is there some other way to install ports across machines?

thanks

dn
Re: installing ports across multiple machines
On 8/16/08 12:54 PM, Johan Beisser wrote:
> On Sat, Aug 16, 2008 at 12:37 PM, David Newman [EMAIL PROTECTED] wrote:
>> Is there some other way to install ports across machines?
>
> You'll have to either map the root user (-maproot=user)

Thanks -- that did the trick.

dn

> in exports(5), or build the package (see ports(7)) on the build system, then install it via pkg_add(1) on the new system.
Re: MPLS On OpenBGP
On 8/6/08 11:29 AM, Łukasz Bromirski wrote:
> [EMAIL PROTECTED] wrote:
>> I'll be looking for that day wherein those Cisco guys can boast no more that they are the only ones on the planet that have the MPLS skills. Whew, maybe somebody knows where to start on how to add this MPLS feature so as to answer the question like where do I begin?
>
> You're top-posting.
>
> For the MPLS, you have basically two parts - data plane, which is encapsulation of the frames or cells, and the control plane, which is exchanging VPNv4/VPNv6 information between multiprotocol speaking BGP routers (usually - PEs/LERs in MPLS nomenclature). Quick look at google shows a lot of places where existing MPLS code can be found[1]. But as usual - maybe it's not the best of breed, or even not complete.
>
> The MPLS as itself is not Cisco domain, but it was invented by Cisco as tag switching[2] back in the days where nobody believed it would be needed. It was back in 1997.

A historical nit: MPLS/tag switching/frame-relay-with-found-objects [1] predates Cisco. Ipsilon Networks, which Nokia bought in 1997, was doing label switching around 6-12 months earlier, but I wouldn't describe their stuff as production grade.

Yes, there are many commercial suppliers of MPLS other than Cisco. Whether that will stop sales guys from boasting they're unique is altogether another matter.

dn

[1] Mike O'Dell's apt description.

> So, as Claudio said - go for it, if You think you can do better.
>
> [1]. http://www.mplsrc.com/vendor.shtml being one of them, with old ayame project as well for NetBSD
> [2]. http://tools.ietf.org/html/rfc2105
Re: 4.2 and 4.3 BIND: masters_list does not work with masters option
On 7/8/08 9:02 AM, Philip Guenther wrote:
>> acl int_masters { 10.0.0.1; };
>> ...
>> zone "somedomain.com" {
>>     type slave;
>>     masters { int_masters; };
>>     file "slave/internal/somedomain.com";
>> };
>>
>> but apparently named does not parse this and complains that it is 'unable to find masters list 'int_masters''
>>
>> any clues as to what is going on here?
>
> Define int_masters using the 'masters' statement instead of the 'acl' statement:
>
> masters int_masters { 10.0.0.1; };
>
> (The 'masters' statement was added in bind 9.4.0, IIRC)

You're right about the masters syntax; sorry, I missed before that this was a masters problem and not an ACL problem.

The masters statement began with bind 9.3, according to the Albitz/Liu DNS and Bind book. The named.conf(5) manpage describes its syntax.

dn
Re: DNS patch
On 7/8/08 2:30 PM, Peter N. M. Hansteen wrote:
> Pete Vickers [EMAIL PROTECTED] writes:
>> Does this mean we should expect one soon ?
>
> Possibly.

Still can't think of a valid reason why they decided to post a Microsoft document (your choice of strings or OpenOffice.org) or html:

http://is.gd/OD7

dn
Re: 4.2 and 4.3 BIND: masters_list does not work with masters option
On 7/7/08 4:44 PM, Jacob Yocom-Piatt wrote:
> afaict as of BIND 9.3.2 use of an acl in the masters option was supported, e.g.
>
> acl int_masters { 10.0.0.1; };
> ...
> zone "somedomain.com" {
>     type slave;
>     masters { int_masters; };
>     file "slave/internal/somedomain.com";
> };
>
> but apparently named does not parse this and complains that it is 'unable to find masters list 'int_masters''
>
> any clues as to what is going on here?

Perhaps the missing quote marks around the ACL name? This works for me:

acl internal-xfer { 10.0.0.93; 10.0.0.94; };
acl trusted { 10.0.0.0/8; localhost; };

zone "somedomain.com" in {
    type master;
    file "master/db.somedomain.com";
    allow-query { trusted; };
    allow-transfer { internal-xfer; };
};

dn
Re: how long does pftop track state?
On 6/12/08 9:14 PM, Tim Donahue wrote: Quoting David Newman [EMAIL PROTECTED]: Looking for info on seeing near-real-time or real-time info on TCP connection states using pftop. A 4.3-release box has pf rules that allow Windows Remote Desktop connections from a handful of sources. pftop shows entries something like the following:

PR  D SRC            DEST           STATE AGE   EXP   PKTS  BYTES
tcp I 666.1.2.3:2048 666.4.5.6:3389 4:4   32387 57663 40930 10M
tcp O 666.1.2.3:2048 666.4.5.6:3389 4:4   32397 57653 40930 10M

Problem is, this RDC session ended more than two hours ago. The pftop(8) manpage says the EXP column means there are more than 40,000 seconds left until these entries expire. Is there some better way of monitoring current TCP connection states? Perhaps the connection didn't close cleanly? You can use `pfctl -ss -v` to show all the states and their ages, etc. Yes, that may be the issue. IE (along with some but not all other apps in Windows XP) closes TCP connections with a RST rather than a FIN. In some cases I'm seeing a mismatch between pfctl and pftop readings, with the latter claiming a TCP connection is still around even after it's long gone. At least for me, pfctl provides more up-to-date reporting. ps. Tangential, but where can I learn more about the STATE column above? I don't see anything in the manpage about the meaning of 4:4 but perhaps I missed it. It seems to be the numerical representation of the state's status in pf's state table, i.e. 4:4 == ESTABLISHED:ESTABLISHED. Grab putty or something and maximize the window to see the descriptive versions. Yes, that works, thanks. I'm going to contact Can Acar offlist to see about contributing more detail to the manpage. dn
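The STATE column decode and the stale-entry question above, worked through as an added example (this is my code, not anything from the thread, from pftop or from pf). pf stores each side of a TCP state using the TCPS_* numbering from <netinet/tcp_fsm.h>, which is why pftop prints 4:4 where pfctl -ss prints ESTABLISHED:ESTABLISHED. The two snapshots are constructed in the column layout pftop showed in the thread, with made-up addresses; comparing two snapshots is the check the thread never quite got to: an ESTABLISHED entry whose packet counter does not move is the one worth suspecting, since pf's default tcp.established timeout (86400 s) will otherwise keep it for a day.

```python
"""pf TCP state decoding and idle-state detection across two pftop snapshots.

Added example; not code from the thread. pf keeps each side of a TCP state
using the TCPS_* numbering from <netinet/tcp_fsm.h>; pftop prints those
numbers ("4:4"), pfctl -ss prints the names ("ESTABLISHED:ESTABLISHED").
The snapshots below are constructed in the column layout pftop showed in
the thread, with made-up addresses.
"""
import re
from collections import namedtuple

# TCPS_* values from <netinet/tcp_fsm.h>; pf reuses them for its TCP states.
TCP_STATES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
    4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
    8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT",
}

State = namedtuple("State", "proto dir src dst state age exp pkts bytes")


def decode_state(pair):
    """'4:4' -> ('ESTABLISHED', 'ESTABLISHED'); source side first, destination second.
    Only meaningful for TCP rows: UDP rows carry pf's own UDP state numbers."""
    src, dst = (int(x) for x in pair.split(":"))
    return TCP_STATES[src], TCP_STATES[dst]


def parse_pftop(text):
    """Parse pftop's one-line-per-state view (columns PR D SRC DEST STATE AGE
    EXP PKTS BYTES, as pasted in the thread). The header and any row whose
    STATE column is not of the form n:m are skipped."""
    states = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or not re.fullmatch(r"\d+:\d+", f[4]):
            continue
        states.append(State(f[0], f[1], f[2], f[3], f[4],
                            int(f[5]), int(f[6]), int(f[7]), f[8]))
    return states


def idle_established(before, after):
    """Keys (src, dst, dir) of TCP states that are ESTABLISHED:ESTABLISHED in
    both snapshots and moved no packets in between. With pf's default
    tcp.established timeout of 86400 s such entries sit in the table for a
    day after the peer has silently gone away."""
    prev = {(s.src, s.dst, s.dir): s for s in before}
    idle = []
    for s in after:
        key = (s.src, s.dst, s.dir)
        if (s.proto == "tcp" and key in prev
                and decode_state(s.state) == ("ESTABLISHED", "ESTABLISHED")
                and s.pkts == prev[key].pkts):
            idle.append(key)
    return idle


# Constructed snapshots taken about a minute apart: the 2048->3389 pair is
# the abandoned RDP session, the 51000->3389 one is still moving packets.
SNAPSHOT_1 = """\
PR  D SRC             DEST            STATE AGE   EXP   PKTS  BYTES
tcp I 10.1.2.3:2048   10.4.5.6:3389   4:4   32387 57663 40930 10M
tcp O 10.1.2.3:2048   10.4.5.6:3389   4:4   32397 57653 40930 10M
tcp I 10.1.2.7:51000  10.4.5.6:3389   4:4   120   86280 500   80K
udp I 10.1.2.9:5060   10.4.5.7:5060   2:2   30    30    12    4K
"""
SNAPSHOT_2 = """\
PR  D SRC             DEST            STATE AGE   EXP   PKTS  BYTES
tcp I 10.1.2.3:2048   10.4.5.6:3389   4:4   32447 57603 40930 10M
tcp O 10.1.2.3:2048   10.4.5.6:3389   4:4   32457 57593 40930 10M
tcp I 10.1.2.7:51000  10.4.5.6:3389   4:4   180   86220 640   100K
udp I 10.1.2.9:5060   10.4.5.7:5060   2:2   90    30    40    12K
"""

if __name__ == "__main__":
    for key in idle_established(parse_pftop(SNAPSHOT_1), parse_pftop(SNAPSHOT_2)):
        print("idle ESTABLISHED state:", *key)
```

Feeding it two real captures (pftop -b, or any tool that prints the same columns) a minute apart gives the list of states that are alive only because the timer has not run out yet.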
how long does pftop track state?
Looking for info on seeing near-real-time or real-time info on TCP connection states using pftop. A 4.3-release box has pf rules that allow Windows Remote Desktop connections from a handful of sources. pftop shows entries something like the following:

PR  D SRC            DEST           STATE AGE   EXP   PKTS  BYTES
tcp I 666.1.2.3:2048 666.4.5.6:3389 4:4   32387 57663 40930 10M
tcp O 666.1.2.3:2048 666.4.5.6:3389 4:4   32397 57653 40930 10M

Problem is, this RDC session ended more than two hours ago. The pftop(8) manpage says the EXP column means there are more than 40,000 seconds left until these entries expire. Is there some better way of monitoring current TCP connection states? many thanks dn ps. Tangential, but where can I learn more about the STATE column above? I don't see anything in the manpage about the meaning of 4:4 but perhaps I missed it.
Ethernet card or PCI Express x8 slot
Any recommendations for an Ethernet card that fits into a PCI Express x8 slot? I didn't see anything specific on the hardware page or in the archives. This is for a Dell CR100 OEM server. The spec sheet mentions the usual two Broadcom gigabit Ethernet interfaces, plus a PCI Express x8 (1-lane) slot. I'm not familiar with this slot, but it's much shorter than other PCI slots I've seen, around 50 mm long. If I'm reading the riser card correctly, the slot has 98 pins. None of the relatively old Ethernet NICs I have lying around will fit in this slot. Speed is unimportant; this is just for carp and pfsync between a pair of these boxes. thanks dn
ftpchroot root directories
Greetings. I'm setting up ftp access* for a number of users to a directory structure like this (assume / is an alias for the top of the tree):

Username  directory  perms
user1     /          rw
user2     /projects  r
user3     /projects  rw
user4     /          r

The FAQ and the ftpd(8) manpage say that chrooting goes to a user's home directory, and nothing about permissions. Is there some other way of setting this up? thanks dn ps. FTP is the client's choice, not mine. Same with this directory structure.
Apache VirtualHost permissions
(apologies in advance if this has been answered before, but I looked in the manpages and on the marc search engine and didn't find a direct answer) I'm looking to set up Apache virtual hosting, with two requirements: 1. Customers can upload files to their vhosts 2. Customers cannot clobber each other's files For requirement 1, I presume I can set up directories like /var/www/htdocs/domain1.tld, /var/www/htdocs/domain2.tld, and so on. For requirement 2, what are the right locations and user:group permissions to do this? This link was helpful on VirtualHost setup: http://marc.info/?l=openbsd-misc&m=107108019024812&w=2 and this helps on chroot and suexec: http://www.openbsdsupport.org/ApacheSuexecChroot.html but I'm confused about the 'chown nobody:www' part. I don't get how users would be able to upload files with those permissions. thanks dn
Re: RAID 1 in production environment
Martin Toft wrote: On Fri, Mar 28, 2008 at 11:49:01AM +0100, Jordi Espasa Clofent wrote: Hi all, I need a RAID-1 (mirroring) for production environment. Should I use RAIDFrame or softraid? The reliability is the main request feature. AFAIK, not all features of softraid are finished yet. However, it appears that the developers themselves do not trust raidframe, so maybe you should stay away from that too. No easy answer :-| Search the archives for the status of softraid. FWIW, I've been using RAIDFrame on sparc64 since 4.0 on a production web server with no issues. dn
mediawiki setup
Two questions about mediawiki that I didn't find in the misc archives: 1. On a 4.2 i386 box, installing mediawiki from ports died during tk install with the header error pasted below. This box has xbase installed but none of the rest of the X stuff. How to remedy? 2. The package and port are version 1.9 while current stable source is at version 1.12. The release notes for 1.10-1.12 mention fixes for some cross-site scripting and other vulnerabilities. For OBSD boxes I understand that packages are preferred and often improve on security, protocol and code correctness, and documentation compared with similar releases for other OSs. Purely from a security standpoint, which is preferable: installing the 1.9 version from packages or ports, or building the current release from sources? thanks dn === Building for tk-8.4.7p1 cc -pipe -c -O2 -pipe -Wall -Wno-implicit-int -fno-strict-aliasing -fPIC -I/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/unix -I/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/unix/../generic -I/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/unix/../bitmaps -I/usr/local/include/tcl8.4/generic -DHAVE_UNISTD_H=1 -DHAVE_LIMITS_H=1 -DTCL_WIDE_INT_TYPE=long\ long -DSTDC_HEADERS=1 -DHAVE_SYS_TIME_H=1 -DTIME_WITH_SYS_TIME=1 -DHAVE_PW_GECOS=1 -DTCL_NO_DEPRECATED /usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/unix/../generic/tk3d.c In file included from /usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/generic/tkInt.h:21, from /usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/generic/tk3d.h:18, from /usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/generic/tk3d.c:16: /usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/generic/tk.h:96:29: X11/Xlib.h: No such file or directory many more screens of errors deleted dn
Re: brute force voip QoS
On 1/23/08 6:28 AM, Jeff Santos wrote: I would like to setup PF so that, whenever an initial voip flow was detected, all other non relevant traffic would be blocked, and normal packet flow being restored only after some voip idleness be detected. Can it be done? Can someone give some ideas of how? I'm not sure about quenching non-VoIP traffic; maybe someone else knows the answer on that. How you detect a VoIP flow may also be an issue. If your VoIP traffic uses SIP, you can classify the signaling traffic on 5060/udp -- but then the voice or video traffic will use RTP/RTCP and some ephemeral port chosen during call setup. This isn't necessarily a show-stopper, but you'll need to use some other classification criterion such as IP address or VLAN interface for the media traffic. (Since it's common practice to put VoIP on a separate VLAN and/or IP subnet, you may already be doing this -- then, just prioritize any traffic from that VLAN or subnet, regardless of whether it's signaling or media stuff.) Asterisk optionally can use IAX2 and send both signaling and media traffic over 4569/udp. (If anyone has a method for RTP/RTCP awareness in pf -- including the ability to set up and tear down rules for the call duration -- please share it!) dn
Re: brute force voip QoS
On 1/23/08 4:08 PM, Chris Cappuccio wrote: Just use the 'tos' tag in pf.conf to match against the IP tos field. Most equipment sets this to something predictable, like 0x68 for RTP and 0xb8 for SIP Just use tcpdump to see what your RTP traffic is tagged as, and also prioritize SIP above RTP. You could also try matching based on IP addresses if they are predictable, or a combination of the two. It's a good practice, if possible, to put VoIP gear on a separate VLAN and/or IP subnet. Less broadcast contention for VoIP traffic that way. Using just the tos tag by itself may lead to applications cheating to get priority bandwidth. This came up awhile back. Since pf doesn't (yet) re-mark tos/dscp bits, trusting those bits isn't a good idea. dn
Re: brute force voip QoS
On 1/23/08 4:21 PM, Daniel Ouellet wrote: So, you could check for UDP RTP stream from that IP's and all phones can and are most likely preset with a fix range of ports that they can use and if you can find that, then you have all that you need. Gack. No. I've seen more than one MegaCorp use Linksys/D-Link/etc. routers for SoHo sites and open up ranges like udp/1-2 to allow VoIP. A lousy idea, for obvious reasons. dn
Re: Ethernet jumbo frames?
On 12/29/07 11:11 PM, johan beisser wrote: It's permitted in IEEE 802.3, if not encouraged. This is not correct. The relatively recent (2005) IEEE 802.3as spec extends Ethernet frame length only to 2048 bytes, mainly to accommodate VLAN stacking and various encap methods. It does not define a standard for jumbo frame length. Jumbo frame support is widely implemented but it's still not standard. On 12/30/07 6:05 AM, L. V. Lammert wrote: If you're running 1GB or 10GB, the switches you're using have backbones well capable of running any framesize you can configure. Perhaps because there is no standard, switches differ on jumbo MTU. Most support 9216 bytes or more, but some top out at 9000. dn
Re: openbsd router hardware
On 12/24/07 5:55 AM, bofh wrote: On Dec 24, 2007 8:45 AM, Lars Noodin [EMAIL PROTECTED] wrote: scott wrote: If small form factor, *LOWEST* power factor (i.e. fanless) and accelerated crypto are of any importance, consider http://www.logicsupply.com/ Those are interesting, but the prices approach those of a macmini. Don't know why via c7 boards are so expensive. But the recent walmart PC is quite cheap, only $60: http://www.engadget.com/2007/11/08/via-offers-a-cheapo-gpc-dev-kit-motherboard/ Is anyone aware of a beast that has (a) at least three, preferably 4 x 1000Base-T and (b) a smallish (Nexcom/Soekris) form factor? I've been looking, and it seems like most mobos/embedded systems in this area have 1-3 100Base-T interfaces, probably for cost-of-goods reasons. thanks dn
Re: The Book of PF exists, physical copies documented
On 12/19/07 6:05 AM, Peter N. M. Hansteen wrote: I'm not directly involved in distribution and can not make any guarantees about when you'll get yours I checked yesterday with No Starch, and the company says it should ship in early January. Mine's pre-ordered; looking forward to reading it. dn
Re: securing OpenBSD wireless network
On 11/22/07 1:55 PM, Christian Weisgerber wrote: David Newman [EMAIL PROTECTED] wrote: There is some layer-2 stuff that happens before layer-3 handshaking begins -- 802.11 association and deassociation, possibly layer-2 learning, and 802.1X authentication if that's used. IPSec will not and cannot secure any of this. Is there any need to secure that? In my local WLAN, you only have two ways of proceeding if you want internet access: a Tor router, or IPsec. Before either of those processes begin, I can associate like crazy to your access point. That would ensure you never get Internet access, even without my flinging a single IP packet at you. Duh. It's a *radio* network. Of course it can be DoS-ed. WEP doesn't change that. In fact, popular attacks against WEP generate massive L2 traffic. Yes. WPA is somewhat better (in that the better controller-based systems have rate controls). Other than being better than nothing on really old hardware, WEP is worthless. dn
Re: MAC multicast address
On 11/20/07 6:45 AM, Fridiric Pli wrote: Hello, Is there a way to control which multicast MAC address an ethernet interface should handle ? I have problem with a server running OpenBSD4.1-rel (A) with a pcn and carp interface. On the same Ethernet network, there is another server (B) and a hi-availability cluster of firewalls (commercial product) (F composed of F1 and F2) reached via unicast IP address (IPADDR{F}) over multicast MAC address (MAC{F}). When B wants to communicate to a service behind F (IP route is known via IPADDR{FW} ) this happens :

- B send ARP request to ff:ff:ff:ff:ff:ff from MAC{B} Who has IPADDR{FW}? tell IPADDR{B}
- B receive ARP response from MAC{F1} to MAC{B} IPADDR{FW} is at MAC{F}
- B receive ARP response from MAC{F2} to MAC{B} IPADDR{FW} is at MAC{F}

possible cluster misconfiguration here. there should only be one virtual IP, and it alone should respond to ARP requests, with one IP/MAC address

- B send an ethernet frame to F from MAC{B} IPADDR{B} to MAC{F} IPADDR{F}
- A receive this ethernet frame

why? B and F have unicast MAC and IP addresses so far, yes? So, unless A and B on a hub or wireless LAN, only B and F should see them.

- A send a new frame from MAC{A} IPADDR{B} to MAC{?} (this MAC is a multicast mac that is not used by any of my openbsd server)

huh? why would A use B's address as its source IP? CARP uses multicast but it sounds like there may be at least a couple of other problems here. I would fix them first before proceeding. dn

This mean the one initial frame is duplicated and by cascade, huge of ethernet frames are transmitted. This behaviour makes the performance of the firewall decreasing. Ethernet frames sent by another server (SERVER2) to a multicast mac address that is handled by a cluster of firewall (commercial product) are received and resent to another multicast mac address. Thanks for help, Fred
Re: securing OpenBSD wireless network
On 11/19/07 3:18 AM, Tor Houghton wrote: On Sun, Nov 18, 2007 at 10:51:49PM -0700, Clint Pachl wrote: OpenBSD supports WEP. Does it even matter? Well, if you want to prevent someone from accidentally connecting to your network, yes. WEP keys can be captured in less than one minute: http://eprint.iacr.org/2007/120.pdf http://tapir.cs.ucl.ac.uk/bittau-wep.pdf WEP is certainly better than nothing if all you have is older hardware that doesn't support WPA/WPA2, but that's about all. If your APs and host adapters support WPA, use it, not WEP. dn
Re: securing OpenBSD wireless network
On 11/19/07 8:16 AM, Tonnerre LOMBARD wrote: Personally, I use IPsec to secure my WLAN, and I can only recommend that to others. It is very effective. IPSec can be an effective safeguard -- for IP headers and the upper-layer protocols and payloads above them. On the other hand it's a misconception to think IPSec will secure my WLAN. IPSec doesn't know and doesn't care what link layer it runs over. There is some layer-2 stuff that happens before layer-3 handshaking begins -- 802.11 association and deassociation, possibly layer-2 learning, and 802.1X authentication if that's used. IPSec will not and cannot secure any of this. Wireless LANs are a technology in which sensitive data may go in the clear at L2 before L3 gets started. In this case L2 security mechanisms such as WPA are appropriate, and do not rule out the use of complementary mechanisms like IPSec or SSL. Even if you don't care about authenticating or encrypting L2 data, there's still the issue of bandwidth and resource consumption at L2. 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the airwaves free (well, to the extent possible) can help there. dn
Re: securing OpenBSD wireless network
On 11/19/07 2:36 PM, Tonnerre LOMBARD wrote: Salut, On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote: There is some layer-2 stuff that happens before layer-3 handshaking begins -- 802.11 association and deassociation, possibly layer-2 learning, and 802.1X authentication if that's used. IPSec will not and cannot secure any of this. Is there any need to secure that? In my local WLAN, you only have two ways of proceeding if you want internet access: a Tor router, or IPsec. Before either of those processes begin, I can associate like crazy to your access point. That would ensure you never get Internet access, even without my flinging a single IP packet at you.

I have a test tool that can associate 500 times to the same AP, appearing as 500 unique clients. In my experience, most APs crash and burn a long time before then -- and that's before seeing any IP traffic. Even if your AP is robust enough to handle a huge number of client associations, the chatty nature of the 802.11 protocol ensures the medium will be so full of management frames that you won't be able to send an IP packet. (I like to think of 802.11 as a technology that combines the worst aspects of Ethernet and token ring...)

If you come in without IPsec, i.e. you cannot establish the IKE handshake, and if you don't use the Socks proxy Tor provides, you are trapped in a local network where no one except all of the laptops are. Sure thing, you can communicate with another unauthenticated laptop, but I don't care that much about this scenario, since it does not cause me any problems.

Does not cause *you* problems != no leakage at L2

Wireless LANs are a technology in which sensitive data may go in the clear at L2 before L3 gets started. In this case L2 security mechanisms such as WPA are appropriate, and do not rule out the use of complementary mechanisms like IPSec or SSL. What sensitive data do you see me exchange before IPsec connectivity is established?

Well, for starters every 802.11 AP broadcasts its availability 10 times a second. And since 802.11 is a shared-access medium, you'll also see the first packet of every client's 802.1X auth exchange, as well as SSIDs of all available stations.

Even if you don't care about authenticating or encrypting L2 data, there's still the issue of bandwidth and resource consumption at L2. 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the airwaves free (well, to the extent possible) can help there. With a, that's not that much of a problem usually

Probably true for your setup, definitely less true in other (and arguably most other large-scale) setups. Most APs consist of a dinky little CPU and a very little bit of memory, both easily swamped by doing too much work *just at layer 2.* Further, they have to contend for spectrum with other 802.11 stations, microwave ovens, Bluetooth devices, cordless phones, ham radios (that's for the far more popular 2.4-GHz spectrum used by 802.11b/g/n. The 5.8-GHz spectrum used by 802.11a/n is much better, though still hardly pristine). Anything you can do to keep your AP's RF section free and clear will result in a better WLAN experience, where better means both faster and more secure. dn
Re: HP Procurve or Soekris w. OpenBSD ?
On 11/12/07 5:01 AM, Stuart Henderson wrote: On 2007/11/12 12:56, knitti wrote: Looking to manage several webservers I am wondering if anybody uses something like this: http://soekris.kd85.com/images/tn/dsc03600.med.jpg ? (That image shows Wim's net4801-50 plus quadport lan1641 firewall box, giving 7 ports with low powerconsumption - on OpenBSD) what sort of bandwidth / packets per second? The standard choice in my datacenter (linux users mostly) seems to be HP Procurve but I'd prefer the power of PF. they're most likely switches. (Vantronix have a module for HP 5300xl switches that runs PF, though). I don't know exactly the 4801, but I use a couple of 4501 as firewalls and IPSec-Routers for connections of up to 5 MBit/sec. Seeing the specs of the 4801 and knowing the 4501, I wouldn't use them for more than about 40-50 Mbit/sec. I feel 40-50M would be pushing it, given that you might like some overhead to allow for occasional heavy numbers of packets. 5501 might do better (maybe with a nic rather than the on-board vr). I'd normally prefer a standard amd64/i386 box for a datacentre firewall though. I may change my mind when the net7501 eventually surfaces...

I was just about to ask about this. I've been very happy with Nexcom 1563s as pf firewalls, especially with the disk-on-chip. No moving parts is good. (And thanks misc@ for this recommendation.) But the Nexcoms have only 100Base-T interfaces and now I've got a requirement for gig boxes in a couple of data centers. Any recommendations for carp/pfsync hardware with these specs on each box?

- at least 3 x 1000Base-T (mandatory)
- disk on chip if possible (not mandatory)
- fanless (not mandatory)
- rack-mountable (not mandatory)

Any reasonable RAM and CPU speed considered, in the context of pushing traffic at ~100-300 Mbit/s. Or am I better off just buying el cheapo PCs and relying on carp and pfsync for redundancy? thanks dn
Re: PF Rules
On 9/7/07 8:59 AM, Stuart Henderson wrote: On 2007/09/07 08:41, David Newman wrote: 1. I believe keep state is still needed when using queuing. The pf.conf manpage says it must be specified explicitly to apply options to a rule. Only for state-related options (max-src-conn-rate and so); queue is separate (and may also be used where you don't keep state). Ah, ok -- thanks. 2. The queue (class1, class2) syntax assumes class1 TOS == 0 and class2 TOS != 0. look for pqid in sys/net/pf.c or just look at QUEUEING in pf.conf(5): Packets can be assigned to queues based on filter rules by using the queue keyword. Normally only one queue is specified; when a second one is specified it will instead be used for packets which have a TOS of lowdelay and for TCP ACKs with no data payload. Again, thanks. The OP's pass out rule puts at least some VoIP traffic into the first queue: pass out log quick on $ext_if proto {tcp,udp} from $VOIP_SERVERS to any port $VOIP_PORTS queue (voip_out, tos_lowdelay_out) We don't know how voip_out differs from tos_lowdelay_out, but my understanding is that voip_out will only go into that queue if its TOS value is 0. True? thanks dn
Re: switch or server? (was Re: Max throughput ?)
On 9/5/07 2:01 AM, Henning Brauer wrote: * David Newman [EMAIL PROTECTED] [2007-09-05 00:59]: Can any one comment on this ? Would it not be better to use some think like a Cisco layer 3 GB switch. Most el cheapo gig switches will do the job without packet loss. you are being tricked by marketing terminology. layer 3 switches are routers. vendors use the term to.. well I dunno :) most so-called layer3 switches are regular layer 2 switches with a little extra logic to be able to inspect IP headers and take the switching (it is routing of course) decision based on that. Rule of thumb: they all suck. That's a statement of value, not of fact. The OP asked about switch throughput. Even the el cheapo ones you describe as sucky can forward packets at line rate with zero loss. They have many other problems -- execrable routing code, CLIs and GUIs written by idiots, and horrible hashing algorithms, to name a few -- but basic packet forwarding isn't one of them. That said, I share your allergy to the term layer-3 switch. I don't use this meaningless marketing term. Switches switch; routers route. dn
switch or server? (was Re: Max throughput ?)
On 9/4/07 3:03 PM, Michael Gale wrote: Hey, It was suggested that we create an OpenBSD server with 9GB interfaces to start. I think here you mean 9 1-Gbit/s interfaces 7 Will be used right off the bat. This would function as a core router bringing 7 GB networks together on the inside of a main firewall. I suggested that maybe we would have some bandwidth issues with trying to push that much traffic through a single server. RFCs 2544 and 2889 define router and switch test methodologies. A related document, RFC 1242, defines throughput as the maximum zero-loss rate. Note that throughput is a single rate. Ergo, there's no such thing as max or min or any other kind of throughput. There's just throughput. Can any one comment on this ? Would it not be better to use something like a Cisco layer 3 GB switch. Most el cheapo gig switches will do the job without packet loss. Manageability, routing, an sshd server, redundant power, support, etc., cost extra. Commercial switches achieved line-rate, zero-loss performance around a decade ago, with small-frame latency and jitter in the tens of microseconds. These use ASICs or FPGAs or NPs to get there. Big studly servers equipped with 10G interfaces currently achieve goodput somewhere north of 1G but south of 10G with higher latency and jitter than switches. I'm not aware of anyone getting loss-free performance at N-Gbit/s (where N > 7) using server hardware alone. dn
Re: routing question
On 9/3/07 2:15 PM, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? One possible issue is that the default config for OpenVPN uses unroutable addresses out of RFC 1918 space. I believe the default config file uses 172.16.111.0/29 or something like that. Routers should never forward packets to RFC 1918 addresses across the public Internet; it's a best practice to filter them. Remote OpenVPN traffic looks like it comes from 172.16.111.something, and the main office router will quite properly drop traffic destined there. You're either going to need to NAT your VPN traffic or (far better, if you can) get enough public IPv4 or IPv6 addresses not to mess with NAT. dn
Re: routing question
On 9/3/07 3:28 PM, Paolo Supino wrote: Hi David It's true that all IP addresses are in the 10.x.x.x private address space that isn't supposed to be routed on the Internet, but in all the connections over the Internet the only visible addresses are the public ones (otherwise the VPNs wouldn't be working): Main and branch office public IP addresses and what ever the road warriors receive when connecting their laptops, either at home or at a client's site. The branch's firewall NATs the branch office 10.x.x.x address space on its external interface, but I don't see how that would cause routing problems between the 2 VPNs. Per Stuart's suggestion, check your VPN clients' routing tables with netstat -f inet -nr | more and determine whether they have a path to your main office. Same thing for servers at the main office trying to reach the VPN clients. traceroute might be helpful (or might not; lots of places filter ICMP). dn
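The routing-table check the reply asks for, worked as an added example (my code, not anything from the thread or from OpenVPN). It answers "does this host have a path to the main office?" the way the kernel answers it, by longest-prefix match over the table netstat -f inet -nr prints. Both tables are constructed in OpenBSD's netstat column layout with RFC 1918 and documentation addresses; interface and gateway names are made up. The first table is what a firewall carrying both VPNs might show; the second is a road-warrior client whose OpenVPN server never pushed a route for the main-office prefix, so its main-office traffic leaves by the default route and never enters either tunnel.

```python
"""Route lookup over a netstat -f inet -nr style table.

Added example; not from the thread. Longest-prefix match, as the kernel
does it, over constructed tables in OpenBSD's netstat column layout.
"""
import ipaddress

# Constructed: firewall with an IPsec tunnel (enc0) to the main office
# 10.20.0.0/16 and an OpenVPN tunnel (tun0) for road warriors in 10.30.0.0/24.
FIREWALL_TABLE = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            203.0.113.1        UGS        0    51234     -     8 em0
10.10.0.0/24       link#1             UC         0      818     -     4 em1
10.20.0.0/16       10.10.0.254        UGS        0      120     -     8 enc0
10.30.0.0/24       10.30.0.1          UGS        0        9     -     8 tun0
10.30.0.1          link#3             UHl        1        0     -     1 tun0
"""

# Constructed: a road-warrior laptop that only received the tunnel subnet.
CLIENT_TABLE = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS        0     3301     -     8 wi0
10.30.0.0/24       10.30.0.5          UGS        0       14     -     8 tun0
"""


def parse_routes(text):
    """(network, gateway, flags, iface) tuples. 'default' is 0.0.0.0/0; a
    destination with no prefix length is a host route (/32)."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 8:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        routes.append((ipaddress.ip_network(dest, strict=False), f[1], f[2], f[-1]))
    return routes


def lookup(routes, dst):
    """Most specific matching route wins, regardless of table order."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r[0] and (best is None or r[0].prefixlen > best[0].prefixlen):
            best = r
    return best


def leaves_via(routes, dst):
    """Interface a packet to dst would exit on, or None when there is no route."""
    r = lookup(routes, dst)
    return r[3] if r else None


def vpn_reachability(routes, targets, vpn_ifaces=("enc0", "tun0")):
    """{target: (exit interface, inside a VPN?)}. Anything that falls through
    to the default route goes out the public interface, NAT'd or not, where
    an RFC 1918 destination is dropped by the first well-run router."""
    result = {}
    for t in targets:
        iface = leaves_via(routes, t)
        result[t] = (iface, iface in vpn_ifaces)
    return result


if __name__ == "__main__":
    main_office_host = "10.20.7.8"
    for name, table in (("firewall", FIREWALL_TABLE), ("client", CLIENT_TABLE)):
        print(name, vpn_reachability(parse_routes(table), [main_office_host]))
```

Run against real netstat output on the client and on a main-office server, the two results tell you which side is missing the route before any firewall rule is worth looking at.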
Re: That whole Linux stealing our code thing
On 9/1/07 12:29 PM, Siju George wrote: On 9/1/07, Marco Peereboom [EMAIL PROTECTED] wrote: Try to run strings on windows command line utilities. You'll see that they preserved the copyrights as required. Could somebody please explain about Running Strings? man 1 strings The strings utility finds the printable strings in an object, or other binary, file. example:

[EMAIL PROTECTED] ~ 505$ strings /bin/ls | grep -i copyright
@(#) Copyright (c) 1989, 1993, 1994

dn
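What strings(1) is doing in that pipeline, written out as an added example (my code, not from the thread or from any strings implementation): report every run of at least four printable ASCII bytes in a file, which is the default minimum length for strings, and then grep the result for the notice. The stand-in "binary" is constructed inline; the copyright line inside it is the one the reply's strings /bin/ls command printed. On a real file, strings_from_file() is the equivalent of the shell pipeline without the shell.

```python
"""A minimal strings(1) in Python, used to check that a binary still carries
the BSD copyright notice it is required to preserve.

Added example, not code from the thread. Matches strings' default
behaviour: runs of printable ASCII (0x20-0x7e) at least four bytes long.
"""
import re


def find_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def copyright_notices(data):
    """Case-insensitive filter, like `strings file | grep -i copyright`."""
    return [s for s in find_strings(data) if "copyright" in s.lower()]


def strings_from_file(path, min_len=4):
    """strings(1) over a real file; reads it whole, which is fine for binaries
    of the size a command-line utility has."""
    with open(path, "rb") as fh:
        return find_strings(fh.read(), min_len)


# Constructed stand-in for an executable: a few ELF-like header bytes, a
# NUL-separated string table, and some non-printable filler in between.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"@(#) Copyright (c) 1989, 1993, 1994\x00"
    + b"The Regents of the University of California.  All rights reserved.\x00"
    + b"ls\x00"                                   # two bytes: below the minimum
    + bytes(range(0, 32)) * 2                     # control characters, never printed
    + b"usage: ls [-1AaCcdFfgHhikLlmnopqRrSsTtux] [file ...]\x00"
)

if __name__ == "__main__":
    for s in copyright_notices(SAMPLE_BINARY):
        print(s)
```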
Re: DNS server setup for multiple domains
On 8/31/07 9:15 PM, mufurcz wrote: Greetings, Need advice how to setup one DNS server for multiple domain names, like: abcd._com_.xy, abcd._net_.xy, abcd._org_.xy, and abcd._biz_.xy The name server FQDN is server1.abcd._com_.xy (first domain) but, how to name the server in the SOA record for the rest of the domains?

1. Add more zones for your new domains in your named.conf file. Here's a bind 9 example:

zone "abcd.com.xy" in {
    type master;
    file "/etc/namedb/master/db.abcd.com.xy";
    allow-query { any; };
    allow-transfer { xfer; };
};

zone "2.1.666.in-addr.arpa" in {
    type master;
    file "/etc/namedb/master/db.666.1.2";
    allow-query { any; };
    allow-transfer { xfer; };
};

zone "abcd.net.xy" in {
    type master;
    file "/etc/namedb/master/db.abcd.net.xy";
    allow-query { any; };
    allow-transfer { xfer; };
};

zone "abcd.org.xy" in {
    type master;
    file "/etc/namedb/master/db.abcd.org.xy";
    allow-query { any; };
    allow-transfer { xfer; };
};

2. Create new zone files for each zone. They'll look just like your abcd.com.xy zone file except SOA and other references to com should instead read net or org or whatever. (You may want to keep the hostmaster's email address in the .com domain; that's up to you.)

3. Run rndc reload or restart your nameserver.

Comments:

a. Set up only one reverse zone. An IP address should reverse-resolve to exactly one hostname.

b. You must be authoritative for the domains and network addresses, respectively, for the new domains and reverse lookups to work. That's between you, your registrar (for the domains), and your ISP(s) (for the IP addresses).

c. DNS and BIND by Albitz and Liu is still THE reference on DNS. Highly recommended. dn
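The three steps above, turned into a small generator as an added example (my code, not from the thread or from BIND). It emits one named.conf stanza per domain, zone files that differ only in the SOA and NS owner names (zone-relative server1.<zone>, with the hostmaster address optionally held in the first domain as the reply allows), and exactly one reverse zone. The domain names are the thread's placeholders, the addresses are from RFC 5737 test space, and the xfer ACL and /etc/namedb/master path are assumed to exist already.

```python
"""Generate named.conf stanzas and master zone files for several domains
served from one nameserver.

Added example, not code from the thread. Follows the reply's recipe: one
zone stanza per domain, per-zone files that differ only in SOA/NS names,
and a single reverse zone in which each address maps to one name.
"""
import datetime


def soa_serial(n=1, yyyymmdd=None):
    """YYYYMMDDnn serial: increases with the date, leaves room for 99 edits a day."""
    yyyymmdd = yyyymmdd or datetime.date.today().strftime("%Y%m%d")
    return int(yyyymmdd) * 100 + n


def zone_stanza(zone, base="/etc/namedb/master", xfer_acl="xfer"):
    """named.conf zone block in the shape the reply showed (quoted names)."""
    return (f'zone "{zone}" in {{\n'
            f'\ttype master;\n'
            f'\tfile "{base}/db.{zone}";\n'
            f'\tallow-query {{ any; }};\n'
            f'\tallow-transfer {{ {xfer_acl}; }};\n'
            f'}};\n')


def forward_zone(zone, ns_host, hostmaster_domain, addr, serial):
    """Master file: SOA, NS, apex A, plus a glue A only when the NS lives in this zone."""
    lines = [
        "$TTL 86400",
        f"$ORIGIN {zone}.",
        f"@\tIN\tSOA\t{ns_host}. hostmaster.{hostmaster_domain}. (",
        f"\t\t{serial}\t; serial",
        "\t\t10800\t; refresh",
        "\t\t3600\t; retry",
        "\t\t604800\t; expire",
        "\t\t86400 )\t; minimum",
        f"\tIN\tNS\t{ns_host}.",
        f"\tIN\tA\t{addr}",
    ]
    if ns_host.endswith("." + zone):
        lines.append(f"{ns_host[:-len(zone) - 1]}\tIN\tA\t{addr}")
    return "\n".join(lines) + "\n"


def reverse_zone(net_octets, ns_host, hostmaster_domain, serial, ptrs):
    """The one reverse zone. ptrs maps last octet -> the single name for it."""
    rev = ".".join(reversed(net_octets.split("."))) + ".in-addr.arpa"
    lines = [
        "$TTL 86400",
        f"$ORIGIN {rev}.",
        f"@\tIN\tSOA\t{ns_host}. hostmaster.{hostmaster_domain}. ( {serial} 10800 3600 604800 86400 )",
        f"\tIN\tNS\t{ns_host}.",
    ]
    lines += [f"{last}\tIN\tPTR\t{name}." for last, name in sorted(ptrs.items(), key=lambda kv: int(kv[0]))]
    return "\n".join(lines) + "\n"


def build(domains, addr, server_label="server1", hostmaster_domain=None, serial=None):
    """{zone: (named.conf stanza, zone file text)}. NS names are zone-relative
    (server1.<zone>); pass hostmaster_domain to keep one contact address."""
    serial = serial or soa_serial()
    out = {}
    for zone in domains:
        ns_host = f"{server_label}.{zone}"
        hm = hostmaster_domain or zone
        out[zone] = (zone_stanza(zone), forward_zone(zone, ns_host, hm, addr, serial))
    return out


if __name__ == "__main__":
    zones = build(["abcd.com.xy", "abcd.net.xy", "abcd.org.xy", "abcd.biz.xy"],
                  "192.0.2.10", hostmaster_domain="abcd.com.xy")
    for zone, (stanza, zfile) in zones.items():
        print(stanza)
        print(zfile)
    print(reverse_zone("192.0.2", "server1.abcd.com.xy", "abcd.com.xy",
                       soa_serial(), {"10": "server1.abcd.com.xy"}))
```

Write the stanzas into named.conf and each zone file to the path its stanza names, then rndc reload; the serial helper is what you bump every time a file changes.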
Re: setting dscp or tos bits
And here we come full circle. Given that OpenBSD now IS a router -- whether it's a little two-interface pf box for home use or some big studly hardware running OpenBGPD and OpenOSPFD box for ISPs, I would say the addition of support for DSCP re-marking would be a very desirable feature. i'd call it a nice-to-have, yes. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] Just curious: Where would DSCP re-marking be implemented? My question was about pf, but I can see cases where an OpenBGPD and/or OpenOSPFD box could use re-marking with or without pf. thanks dn
Re: setting dscp or tos bits
On 8/21/07 7:31 PM, Chris Cappuccio wrote:
> On a related note, I work with some equipment that uses TOS values and some that uses DSCP. When you see a TOS value in tcpdump (0x68 for instance) just divide by 4 to get the DSCP (and throw away any remainder.) The DSCP value uses the same field in the IP packet as TOS, but ignores the last bits. So, DSCP to TOS is simply multiply by 4 (and convert to hex)

Yes and no. TOS field definitions have changed over the years; there's a history of this moving target in RFC 3168, section 22. The 6-bit DSCP field is defined in RFC 2474. It does not ignore anything in TOS; if anything it's a superset.

dn
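Because the "divide by 4" rule and the "superset" remark above both hinge on how one octet is split, here is an added example (not code from the thread) that decodes a tcpdump tos byte under both the RFC 791/1349 layout and the RFC 2474/3168 layout. The `remark` helper is an assumption about what a re-marking router would do to the byte, not something pf provides.

```python
"""Decode the IP 'TOS' byte both ways: the RFC 791/1349 precedence + D/T/R
flag bits that older gear still speaks, and the RFC 2474 DSCP + RFC 3168 ECN
layout that replaced them in the same octet. Added example, not thread code."""

# Standard DSCP code points: class selectors (RFC 2474), AFxy (RFC 2597), EF (RFC 3246).
_DSCP_NAMES = {0: "CS0/BE", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
               40: "CS5", 48: "CS6", 56: "CS7", 46: "EF"}
for _cls in range(1, 5):
    for _drop in range(1, 4):
        _DSCP_NAMES[_cls * 8 + _drop * 2] = f"AF{_cls}{_drop}"

_ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def decode_tos_byte(tos: int) -> dict:
    """Return both interpretations of one traffic-class octet (0..255)."""
    if not 0 <= tos <= 255:
        raise ValueError("TOS/traffic-class byte must fit in 8 bits")
    return {
        # RFC 791 / RFC 1349 view: 3-bit precedence, then D, T, R flag bits.
        "precedence": tos >> 5,
        "low_delay": bool(tos & 0x10),
        "high_throughput": bool(tos & 0x08),
        "high_reliability": bool(tos & 0x04),
        # RFC 2474 / RFC 3168 view: top 6 bits are DSCP, bottom 2 are ECN.
        # The top 3 DSCP bits coincide with the old precedence field, which
        # is why the class selectors CS0..CS7 are a superset of precedence.
        "dscp": tos >> 2,
        "dscp_name": _DSCP_NAMES.get(tos >> 2, f"DSCP {tos >> 2}"),
        "ecn": _ECN_NAMES[tos & 0x03],
    }


def dscp_to_tos_byte(dscp: int, ecn: int = 0) -> int:
    """Inverse of the 'divide by 4' rule: place a 6-bit DSCP (plus optional
    ECN bits) into the byte tcpdump prints as 'tos 0x..'."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def remark(tos: int, new_dscp: int) -> int:
    """Hypothetical re-marking step: replace the DSCP at a trust boundary but
    keep the packet's ECN bits, which RFC 3168 reserves for congestion signalling."""
    return dscp_to_tos_byte(new_dscp, tos & 0x03)
```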
Re: setting dscp or tos bits
On 8/22/07 5:22 AM, Henning Brauer wrote:
> * David Newman [EMAIL PROTECTED] [2007-08-21 21:41]:
>> Question: Can OpenBSD and/or pf itself set TOS and/or DSCP values?
>
> not for forwarded traffic, no. for locally originating traffic, there are socket options.

OK, thanks. This answers my question.

>> Also, I noticed today that Google marks all their stuff with a DSCP of 0x38 (high throughput, low delay). Nice trick, but also an excellent argument for re-marking capability in all routers.
>
> nice trick? rather useless. I'd be extremely surprised if it makes any difference at all. i mean, who is really
> 1) looking at DSCP/TOS at all,
> - and -
> 2) using them for different forwarding priorities
> - and -
> 3) has congestion/fwd capa shortage so that it actually makes a difference,
> - and -

For various reasons I can't name names, but I can tell you that there are some VERY large service provider and enterprise networks using DSCP classification and prioritization. ISPs tend to run at much higher utilization levels than enterprises and congestion is a reality on at least some of their pipes. So is the layer-8 urge to charge a premium to one set of customers over another. And even in the absence of congestion, there's still a desire to service delay- and jitter-sensitive voice and video ahead of other traffic.

> 4) trusts externally set TOS/DSCP

No one should trust external TOS or DSCP markings. Again, what Google is doing is an excellent argument for re-marking capability in all routers.

And here we come full circle. Given the OpenBSD now IS a router -- whether it's a little two-interface pf box for home use or some big studly hardware running OpenBGPD and OpenOSPFD box for ISPs, I would say the addition of support for DSCP re-marking would be a very desirable feature.

dn
setting dscp or tos bits
I'm setting up ALTQ and hfsc to prioritize VoIP traffic. The pf.conf(5) says pf uses TOS values to assign packets to queues.

Question: Can OpenBSD and/or pf itself set TOS and/or DSCP values? Only some of my VoIP gear does DSCP marking.

Also, I noticed today that Google marks all their stuff with a DSCP of 0x38 (high throughput, low delay). Nice trick, but also an excellent argument for re-marking capability in all routers.

Is marking/re-marking supported, and if so how?

thanks

dn
Re: SSH brute force attacks no longer being caught by PF rule
On 8/13/07 5:25 AM, Stuart Henderson wrote:
> On 2007/08/13 13:51, [EMAIL PROTECTED]@mgedv.net wrote:
>> why don't you just switch your ssh port to a different one.
>
> In my case, because it annoys me, and max-src-conn-rate doesn't.

I concur, and would add that this fails the security-by-obscurity test.

In any event, max-src-conn-rate and max-src-conn are now keeping the skiddies (or whomever) at bay.

Thanks all who responded.

dn
Re: [OT] cisco switch, router and firewall suggestions
On Thu, Aug 09, 2007 at 06:07:08PM +1000, Chris wrote:
> I'm trying to buy (from ebay) a cisco switch, router and pix firewall for learning purposes. All these will be connected to a Linksys ADSL modem which also has wireless capability. The OSs will be OpenBSD4.1, Windows XP and Linux distros. I will probably also try IPv6 (not sure if that has got anything to do with this).
>
> I had a look at cisco catalyst 1900 series switch and it looked ok. Could anyone recommend anything that would be great for learning purposes and also be able to handle daily Internet traffic?
>
> Thanks.

Try asking on cisco-nsp:

http://puck.nether.net/cisco-nsp/

dn
Re: SSH brute force attacks no longer being caught by PF rule
On 8/9/07 3:22 AM, Joachim Schipper wrote:
>> # Allow quick valid traffic to ssh but log all attempts as well
>> pass in log quick on $unpro inet proto tcp from ! <scanners> \
>>         to $unpro port ssh $SSH_LIMIT
>
> Skip '! <scanners>' unless it's intended as documentation; you have already filtered this traffic in the rule above.
>
> It's not surprising that this rule fails to limit ssh connections to another host; that's what 'to $unpro' tells pf to do, after all.

Couple of clarification questions:

1. When you say skip something, you mean just delete the string '! <scanners>' and not the whole rule, correct?

> If you do remove 'to $unpro', you might want to add something like 'from ! $unpro:network'. (Do note that 'from ! { $unpro:network <scanners> }' is legal syntax, but not sensible.)

2. Shouldn't it be 'to $unpro:network' here since we're substituting one 'to' condition with another?

Thanks -- your comments make great sense.

dn
Re: SSH brute force attacks no longer being caught by PF rule
On 8/9/07 10:24 AM, David Newman wrote:
> On 8/9/07 3:22 AM, Joachim Schipper wrote:
>>> # Allow quick valid traffic to ssh but log all attempts as well
>>> pass in log quick on $unpro inet proto tcp from ! <scanners> \
>>>         to $unpro port ssh $SSH_LIMIT
>>
>> Skip '! <scanners>' unless it's intended as documentation; you have already filtered this traffic in the rule above.
>>
>> It's not surprising that this rule fails to limit ssh connections to another host; that's what 'to $unpro' tells pf to do, after all.
>
> Couple of clarification questions:
>
> 1. When you say skip something, you mean just delete the string '! <scanners>' and not the whole rule, correct?
>
>> If you do remove 'to $unpro', you might want to add something like 'from ! $unpro:network'. (Do note that 'from ! { $unpro:network <scanners> }' is legal syntax, but not sensible.)
>
> 2. Shouldn't it be 'to $unpro:network' here since we're substituting one 'to' condition with another?
>
> Thanks -- your comments make great sense.

Sorry, scratch question 2. Obviously 'from' is correct. Is this what you meant:

pass in log quick on $unpro inet proto tcp \
        from ! $unpro:network port ssh flags S/SA \
        keep state $SSH_LIMIT

thanks

undercaffeinated dn
Re: MS Exchange to MBOX
On 8/9/07 11:58 AM, Joshua Gimer wrote:
> We are planning on moving a large amount of Exchange mailboxes to UNIX mbox format. My question is, does anyone know of any projects out there or of any tools that can assist in this conversion?

Get IMAP running on Exchange if it's not already and then use imapsync:

http://directory.fsf.org/imapsync.html

dn
Re: SSH brute force attacks no longer being caught by PF rule
On 6/27/07 10:39 PM, Daniel Ouellet wrote:
> Steve B wrote:
>> The rule I've had in my pf.conf file to catch and block forceful SSH attempts no longer appears to be working. I see the entries in my authlog, but the IPs are no longer getting added to my table. I suspect I screwed something up, but so far I am at a loss to see where. Could someone pass another set of eyes over the relevant parts of my pf.conf?
>
> Put quickly as an example, but you can try:
>
> # Define some variable for clarity
> SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
>
> ## SSH Hackers - blocked IPs
> table <scanners> persist file "/etc/tables/scanners"
>
> # Block ssh access to bad ssh scanner
> block drop in log quick on $ext_if inet proto tcp \
>         from <scanners> to any port ssh
>
> # Allow quick valid traffic to ssh but log all attempts as well
> pass in log quick on $ext_if inet proto tcp from ! <scanners> \
>         to $ext_if port ssh flags S/SA keep state \
>         $SSH_LIMIT

I've added something like this to pf.conf but it's only partially successful. I would appreciate any clues as to why it's not blocking all brute-force attempts.

On an OBSD 4.1 box, here's what I added to pf.conf ($unpro is the Internet-facing interface):

#
# Define limit of ssh connection rates
SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"

# SSH scanners - blocked IPs
table <scanners> persist

block drop in log quick on $unpro inet proto tcp \
        from <scanners> to any port ssh

# Allow quick valid traffic to ssh but log all attempts as well
pass in log quick on $unpro inet proto tcp from ! <scanners> \
        to $unpro port ssh $SSH_LIMIT
#

And it appears to be working, at least in part:

[EMAIL PROTECTED] ~ 501$ sudo pfctl -t scanners -T show
   61.146.178.13
   61.189.145.103
   67.76.237.190
   161.200.144.108
   193.254.31.194
#

But some hosts on the protected side of the firewall still report brute-force ssh login attempts exceeding the 3/30 rate:

Aug  7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
Aug  7 10:16:08 mail sshd[21610]: Invalid user aaron from 201.18.81.8
Aug  7 10:16:11 mail sshd[21612]: Invalid user gt05 from 201.18.81.8
Aug  7 10:16:18 mail sshd[21614]: Invalid user william from 201.18.81.8
Aug  7 10:16:22 mail sshd[21616]: Invalid user stephanie from 201.18.81.8
Aug  7 10:16:59 mail sshd[21628]: Invalid user gary from 201.18.81.8
Aug  7 10:17:07 mail sshd[21632]: Invalid user guest from 201.18.81.8
Aug  7 10:17:11 mail sshd[21634]: Invalid user test from 201.18.81.8
Aug  7 10:17:17 mail sshd[21636]: Invalid user oracle from 201.18.81.8
Aug  7 10:19:24 mail sshd[21717]: Invalid user apache from 201.18.81.8
Aug  7 10:19:43 mail sshd[21723]: Invalid user lab from 201.18.81.8
Aug  7 10:19:55 mail sshd[21729]: Invalid user oracle from 201.18.81.8
Aug  7 10:20:00 mail sshd[21736]: Invalid user svn from 201.18.81.8
Aug  7 10:20:06 mail sshd[21745]: Invalid user iraf from 201.18.81.8
Aug  7 10:20:13 mail sshd[21747]: Invalid user swsoft from 201.18.81.8
Aug  7 10:20:18 mail sshd[21749]: Invalid user production from 201.18.81.8
Aug  7 10:20:23 mail sshd[21751]: Invalid user guest from 201.18.81.8
Aug  7 10:20:28 mail sshd[21753]: Invalid user gast from 201.18.81.8
Aug  7 10:20:34 mail sshd[21755]: Invalid user gast from 201.18.81.8
Aug  7 10:20:40 mail sshd[21762]: Invalid user oliver from 201.18.81.8
Aug  7 10:20:45 mail sshd[21767]: Invalid user sirsi from 201.18.81.8
Aug  7 10:20:50 mail sshd[21769]: Invalid user nagios from 201.18.81.8
Aug  7 10:20:55 mail sshd[21771]: Invalid user nagios from 201.18.81.8
Aug  7 10:20:59 mail sshd[21773]: Invalid user nagios from 201.18.81.8

Thanks in advance for suggestions as to how to reduce these kind of login attempts.

dn
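As an added example (not code from the thread and not pf's own implementation), here is a replay of what max-src-conn-rate 3/30 counts, run over constructed authlog lines in the format quoted above. It shows which sources the overload rule pushes into <scanners> once the counter actually sees their connections; the pass rule above only matches connections to $unpro itself, so attempts forwarded to hosts behind the firewall never reach that counter.

```python
"""Sliding-window emulation of pf's 'max-src-conn-rate N/S' over sshd log
lines, to show which sources would land in the <scanners> overload table.
Added example; it approximates pf's accounting rather than reproducing it."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the authlog lines quoted in the post: syslog stamp, host, sshd pid, source IP.
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r".*? from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_attempt(line: str):
    """Return (seconds since Jan 1, source IP) for one sshd line, or None."""
    m = _LINE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; strptime's default year is fine for deltas.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return (ts - datetime(1900, 1, 1)).total_seconds(), m["src"]


def overload_sources(lines, max_conn=3, seconds=30):
    """Treat each log line as one new TCP state from its source. A source is
    overloaded the moment it has opened more than max_conn states inside any
    window of `seconds`. Returns {src: timestamp of the triggering attempt}."""
    windows = defaultdict(deque)   # src -> timestamps of recent new states
    overloaded = {}
    for line in lines:
        parsed = parse_attempt(line)
        if parsed is None:
            continue
        t, src = parsed
        if src in overloaded:
            continue                 # already in <scanners>: the block rule applies
        q = windows[src]
        q.append(t)
        while q and t - q[0] > seconds:
            q.popleft()              # forget states older than the window
        if len(q) > max_conn:
            overloaded[src] = t
    return overloaded


# Constructed sample in the same authlog format (RFC 5737 documentation
# addresses, not real hosts): one fast scanner, one legitimate login, one slow probe.
SAMPLE_AUTHLOG = """\
Aug  7 10:16:00 mail sshd[21608]: Invalid user trash from 203.0.113.7
Aug  7 10:16:08 mail sshd[21610]: Invalid user aaron from 203.0.113.7
Aug  7 10:16:11 mail sshd[21612]: Invalid user gt05 from 203.0.113.7
Aug  7 10:16:18 mail sshd[21614]: Invalid user william from 203.0.113.7
Aug  7 10:16:22 mail sshd[21616]: Invalid user stephanie from 203.0.113.7
Aug  7 10:16:30 mail sshd[21620]: Accepted publickey for dn from 198.51.100.9 port 51234 ssh2
Aug  7 10:17:05 mail sshd[21630]: Invalid user admin from 198.51.100.22
Aug  7 10:19:40 mail sshd[21720]: Invalid user admin from 198.51.100.22
Aug  7 10:20:55 mail sshd[21771]: Invalid user nagios from 198.51.100.22
""".splitlines()

if __name__ == "__main__":
    for src, when in overload_sources(SAMPLE_AUTHLOG).items():
        print(f"{src} would enter <scanners> at t={when:.0f}s")
```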
cgi best practices (was: Re: http://openbsd.rt.fm/faq/faq10.html#httpdchroot)
On 6/18/07 4:01 AM, Nick Holland wrote:
>> I plan to implement cgi.
>
> which means you probably (though not certainly) have an app which requires the ability to write to files. If that is true, that means you have negated at least some of the benefit of chrooting. You may have to pull some tools into the chroot, that will also negate more of the benefit of chrooting. At some point, you may do enough damage to the chroot idea, it might not be worth fighting with anymore.

A related question from a cgi newbie: What are the best practices for writing responses to a form to a file within the chroot?

I pulled just enough of perl into the chroot for a script to work, and write to a file in /var/www/tmp with permissions of 0640 and owner:group of www:bin. Anything else?

thanks

dn
Re: carp on a /30?
On 6/13/07 12:40 PM, Bryan Vyhmeister wrote:
>> Is there some means of getting CARP to work where one side of the pf box sits on a /30?
>
> You don't actually need an address for each physical interface. It is nice but really not essential. This is the way I understand it. Someone can correct me if I am wrong.

Thanks to all who responded. You are correct; I've now got two boxes running CARP on a /30.

Now to get redundant providers...

dn
carp on a /30?
What is the longest v4 prefix length CARP supports?

In the example given here:

http://www.openbsd.org/faq/pf/carp.html

Each physical interface has two IPv4 addresses, one for a shared IP and one for the interface address. That would require a /29 or shorter to accommodate these two addresses, plus at least one address on the other side of the link.

Is there some means of getting CARP to work where one side of the pf box sits on a /30?

thanks

dn
upgrading RAIDFRAME systems
What's the deal for upgrading systems running RAIDframe? I have Sparc64 boxes running 4.0 and RAIDframe. Is it possible to upgrade these through the regular process, or do I need to do a clean install and restore from backups?

Thanks in advance for pointers about what to do/not to do.

dn
Re: pf, carp, pfsync, maybe without bridging
Henning Brauer wrote:
> * David Newman [EMAIL PROTECTED] [2007-06-04 03:59]:
>> but it says carp doesn't work with bridging
>
> carp allows two hosts to share an IP. now explain to me how that is supposed to work with bridges, where the forwarding does not happen at the IP layer.

Pardon my imprecision. I do NOT require bridging. My requirements are:

1. to set up pf (with carp and pfsync) to protect boxes with routable IP addresses

2. to locate the pf machines on the same routable IP subnet as the protected boxes

For example, suppose the network is 198.18.0.0/26, the ISP's router is .1, and my hosts are .11-.25.

I'm fine with using pf in routing mode, but I wasn't aware that pf (or anything, for that matter) could route between host addresses on the same IP subnet.

I could divide the /26 into smaller netblocks and configure pf to route between them but I'm reluctant to do that given that I'd burn a network and broadcast address for each netblock, and a /26 is small enough as it is.

Is there a better way?

Thanks.

dn
Re: pf, carp, pfsync, maybe without bridging
Stuart Henderson wrote:
> On 2007/06/04 07:11, David Newman wrote:
>> I could divide the /26 into smaller netblocks and configure pf to route between them but I'm reluctant to do that given that I'd burn a network and broadcast address for each netblock, and a /26 is small enough as it is.
>>
>> Is there a better way?
>>
>> Thanks.
>
> yes, bridging.

OK, but how then to get redundancy across the firewalls?

dn
pf, carp, pfsync, and bridging
Thanks in advance for guidelines on using pf with carp and pfsync boxes that bridge rather than route.

I found this guide:

http://www.seattlecentral.edu/~dmartin/docs/bridge.html

but it says carp doesn't work with bridging and to use spanning tree instead. That was on OBSD 3.5 and I don't see anything about bridging in more recent manpages for carp. Has anything changed?

As for why I'm bridging: I have an application that NAT breaks. Currently I have another pair of pf boxes running carp/pfsync and routing to NAT'd space. That works fine but the new application requires routable addresses (I've tried rdr to the NAT'd addresses, but no joy).

So, instead I plan to set things up like this:

Net -> 2 pf bridges -> new app -> 2 pf routers -> NAT space

There's no redundancy in the net connection, just one IP from the ISP.

Thanks again for any clues on setting this up.

dn
Re: advice on router and routing books
On 1/27/07 6:57 AM, tony sarendal wrote:
> On 27/01/07, earx [EMAIL PROTECTED] wrote:
>> hi everyone
>>
>> i want to learn more in BGP, and ospf routing. can u have an advice on a good book about routing ? or documentation ? and better, with openbsd router. i have seen some book on amazon, but there is not great reviews.
>>
>> thanks
>
> The cisco website contains lots of quality documentation about routing and routing protocols. The book Internet Routing Architectures by Sam Halabi is also good.

BGP4: Inter-Domain Routing in the Internet by John W. Stewart is short and easily accessible.

Halabi is the standard reference. It's longer and Cisco-centric in places.

Routing in the Internet by Christian Huitema is a useful general-purpose introduction to multiple IP routing protocols, not just BGP but also OSPF, RIP, and IS-IS.

I'm not aware of any book that specifically covers bgpd, ospfd, etc. The manpages are fine (as usual) but only cover proper configuration of the daemons. Understanding the protocols is much more important.

dn
Re: How similar is the network stack between OpenBSD and FreeBSD
On 1/28/07 11:33 AM, Joe wrote:
> I've done full packet capture in FreeBSD for 100-200 Mbps networks. Can I expect similar performance numbers for doing full packet capture in OpenBSD?

With equivalent hardware, yes

> And out of curiosity, how different are the two stacks in capture packets?

See /etc/pf.os and the pf.os(5) manpage. Even within an OS family, different versions have different fingerprints, especially wrt TCP behavior.

dn
Re: OpenBSD on software raid
On 1/23/07 1:13 AM, Thomas Alexander Frederiksen wrote:
> doc Hyde skrev:
>> <cut>
>> Can anyone help me please? Thank you.
>
> Google can... http://www.eclectica.ca/howto/openbsd-software-raid-howto.php
>
> These are the steps you are most likely to have missed:
>
> # raidctl -a /dev/sd0d raid0
> # raidctl -vF component0 raid0
> # raidctl -vP raid0
>
> Reboot after the last step, and you're good to go.

I built a Sparc64 RAIDframe system with SCSI disks, making these few changes from Marcus Redivo's howto:

1. Change wd to sd to reference scsi disks. For example, sd0a, sd1d, and so on.

2. There is no fdisk for sparc64, and the installboot procedure is a little different; see the boot_sparc64 and installboot manpages. Here are the commands I used for Marcus' section on making the second disk bootable:

# newfs /dev/rsd1a
# mount /dev/sd1a /mnt
# cp /bsd /mnt/bsd
# cp /usr/mdec/ofwboot /mnt/ofwboot
# /usr/mdec/installboot /usr/mdec/bootblk /dev/rsd1c

And, while not sparc64-specific, I made a couple of other minor changes:

3. Under "Make a RAID-Capable Kernel" I applied all relevant patches to the source tree before building the new kernel. No point in going through that exercise twice...

4. Under "Second Disk Setup", I sped up newfs setup with a for loop:

# for i in a d e f g; do newfs raid0${i}; done

dn
carp flap
OpenBSD 4.0 i386 on dual Nexcom 1563 firewall boxes using carp and pfsync.

In my setup, there are two carp interfaces bound to the external physical interface fxp0, each in turn bound to a different internal machine using nat and rdr. This worked fine for about six months.

Since upgrading from 3.9 to 4.0, the carp0 and carp1 interfaces have been flapping between MASTER and BACKUP state. This is true even if I down all the carp and pfsync interfaces on the backup firewall. (Or vice versa; powering down either of the firewalls doesn't make the problem go away.)

The physical links to both machines are stable. I don't see any evidence of links going up or down, or anything like CRC or other errors.

Thanks in advance for any clues on debugging and fixing this. Below is some relevant tcpdump and config info.

dn

pflog0 output on fw1:

# tcpdump -n -e -ttt -i pflog0 proto carp or proto pfsync
(no output)

pfsync0 output on fw1:

# tcpdump -nevv -i pfsync0
tcpdump: WARNING: pfsync0: no IPv4 address assigned
tcpdump: listening on pfsync0, link-type PFSYNC

fw1 settings:

hostname.fxp0:
inet 207.181.8.188 255.255.255.192 NONE media autoselect

hostname.carp0:
inet 207.181.8.190 255.255.255.192 207.181.8.191 vhid 1 carpdev fxp0 advbase 1 advskew 1 pass password

hostname.carp1:
inet 207.181.8.130 255.255.255.192 207.181.8.191 vhid 2 carpdev fxp0 advbase 1 advskew 1 pass password

$ sysctl net.inet.carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0

$ sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

from pf.conf:

ExtIf=fxp0
CarpIf0 = carp0
CarpIf1 = carp1
pfsyncIf = fxp1

# ICMP types
icmpTypes = "{ echoreq }"

# Default
block log all

# carp and pfsync
pass quick on { $pfsyncIf } proto pfsync
pass on { $ExtIf $IntIf } proto carp keep state

pass in on $ExtIf inet proto icmp from any to { $ExtIf, $CarpIf0, $CarpIf1 }
pass inet proto icmp all icmp-type $icmpTypes keep state

fw2 settings:

hostname.fxp0:
inet 207.181.8.189 255.255.255.192 NONE media autoselect

hostname.carp0:
inet
Re: VOIP NAT
On 1/12/07 4:03 PM, Chris 'Xenon' Hanson wrote:
> Bob DeBolt wrote:
>> I have been trying numerous configs trying to out smart the inability of VOIP to transfer to UDP encapsulated RTP. A very common problem as anyone who deals with NAT and VOIP knows.
>
> Hmm. Maybe not. I use VOIP behind NAT (Sipura and Grandstream phones talking to an off-site Asterisk server) without any problems. I was using an OBSD PF firewall. It's booted into Linux right now due to driver problems with my ADSL NIC, but it the VOIP part worked fine under either OS/firewall.
>
> What, specifically is your issue?

One huge issue has to do with pf and SIP protocol design. SIP signaling messages go over a well-known port (5060/tcp), but the media traffic (the actual voice packets) go over some random port negotiated during call setup.

The pf+voip documents I've seen give config examples that just open up a large range of ports [0]. Yikes.

What's really needed is either:

a. ditch SIP and use IAX instead since at least signaling and media both run over a well known port (and thus it's much easier to firewall and NAT); or

b. create a pf proxy that understands SIP. A SIP proxy would need to do the following:

- look into the SIP's SDP sublayer to grok the port number that media traffic will use on a call
- dynamically create a pass rule allowing access on that port number
- dynamically tear down access on that port when the call terminates

If there is such a beast for pf, please let me know.

thanks

dn

0. See for example:
http://www.aetherwide.com/articles/voip-pf.html
http://www.bastard.net/~kos/pf-voip.html
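To make concrete what the SIP-aware helper described above would have to do, here is an added example (not an existing pf proxy, and not code from the thread) that pulls the negotiated media endpoints out of the SDP body, tracks them per Call-ID, and forgets them on BYE. The sample messages are constructed, and the pass-rule strings it emits are illustrative of the rule such a helper would need to load, not something pf generates.

```python
"""Per-call media-port bookkeeping for a hypothetical SIP-aware pf helper.
Added example: parses SDP from SIP messages, tracks endpoints per Call-ID,
tears them down on BYE/CANCEL."""
import re

_MEDIA = re.compile(r"^m=(?P<kind>audio|video) (?P<port>\d+) (?P<proto>\S+)")
_CONN = re.compile(r"^c=IN IP4 (?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.M)


def split_sip(msg: str):
    """Split a raw SIP message into (start line, {lower-case header: value}, body)."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    start, *hdrs = head.split("\n")
    headers = {}
    for h in hdrs:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def sdp_media_endpoints(body: str):
    """Return [(ip, port, kind)] for every accepted m= line. The c= line may be
    session-level (before any m=) or media-level (inside an m= section); a
    media port of 0 means the stream was rejected and needs no hole."""
    session, *media = re.split(r"^(?=m=)", body, flags=re.M)
    session_c = _CONN.search(session)
    endpoints = []
    for section in media:
        m = _MEDIA.match(section)
        c = _CONN.search(section) or session_c
        if m and c and int(m["port"]) != 0:
            endpoints.append((c["ip"], int(m["port"]), m["kind"]))
    return endpoints


class SipMediaTracker:
    """The three duties listed in the post: learn the media port from SDP,
    open it for the call, close it when the call ends."""

    def __init__(self):
        self.calls = {}   # call-id -> set of (ip, port, kind)

    def observe(self, msg: str):
        """Feed one SIP message; return the endpoints currently open for its call."""
        start, headers, body = split_sip(msg)
        call_id = headers.get("call-id")
        if not call_id:
            return []
        if start.startswith(("BYE ", "CANCEL ")):
            self.calls.pop(call_id, None)        # call over: tear down access
            return []
        if headers.get("content-type", "").lower() == "application/sdp":
            eps = set(sdp_media_endpoints(body))  # offer and answer each add a side
            if eps:
                self.calls.setdefault(call_id, set()).update(eps)
        return sorted(self.calls.get(call_id, ()))

    def pf_rules(self, iface="$ext_if"):
        """Illustrative pass rules for every open endpoint: the RTP port and the
        RTCP port one above it. A real helper would load these into an anchor."""
        rules = []
        for eps in self.calls.values():
            for ip, port, kind in sorted(eps):
                rules.append(f"pass in quick on {iface} inet proto udp "
                             f"to {ip} port {{ {port} {port + 1} }}  # {kind}")
        return rules


# Constructed sample exchange (RFC 5737 addresses); only the fields the helper needs.
INVITE = ("INVITE sip:bob@192.0.2.20 SIP/2.0\r\nCall-ID: a84b4c76e66710@pc33\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\no=alice 2890844526 2890844526 IN IP4 198.51.100.4\r\ns=-\r\n"
          "c=IN IP4 198.51.100.4\r\nt=0 0\r\n"
          "m=audio 49170 RTP/AVP 0\r\nm=video 0 RTP/AVP 31\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: a84b4c76e66710@pc33\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\no=bob 2890844527 2890844527 IN IP4 192.0.2.20\r\ns=-\r\n"
          "c=IN IP4 192.0.2.20\r\nt=0 0\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = "BYE sip:alice@198.51.100.4 SIP/2.0\r\nCall-ID: a84b4c76e66710@pc33\r\n\r\n"
```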
Re: moving kernels between machines
On 1/5/07 12:42 AM, Tasmanian Devil wrote:
>> - Machine A, a single i386 box without enough disk space to unpack the source tree
>
> http://openbsdbinpatch.sourceforge.net/ :-)

Thanks much for this, and also for Nick Holland's excellent suggestion about keeping updated with -release.

Paranoid question: How does a user know which binpatches to trust?

dn
moving kernels between machines
I have two machines:

- Machine A, a single i386 box without enough disk space to unpack the source tree
- Machine B, a two-CPU i386 box running bsd.mp with plenty of disk

My questions:

1. For purposes of applying kernel security patches, can I compile a patched kernel on Machine B and just transfer it over to Machine A and reboot?

2. If the answer to (1) is yes, what if anything do I need to do with userland on Machine A? For example, how would I apply patch 001 for 4.0, which is just for httpd?

many thanks

dn
Re: Unconfigure Raid
Julian Labuschagne wrote:
> raidctl -I 2006111501
>
> Can I undo the previous command?

raidctl -u <name of raid device>

dn
RAID, SCSI, and sparc64
OpenBSD 4.0 on UltraSparc II, two 18G SCSI drives

I am trying to set up software RAID disk mirroring. There are many fine howtos out there, including:

http://www.monkey.org/openbsd/archive/misc/0203/msg00803.html
http://www.eclectica.ca/howto/openbsd-software-raid-howto.php
http://os.newsforge.com/os/06/03/08/1646257.shtml?tid=8

However, all of these are for x86 and only the first is SCSI-specific. Some steps, like fdisk and copying some files from mdec, don't apply on sparc64. For example these commands don't work:

mount /dev/sd1a /mnt
cp /bsd /usr/mdec/boot /mnt
/usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot sd1
umount /mnt

There is no /usr/mdec/boot or biosboot in sparc64.

I've gotten as far as building a RAID kernel and setting up RAID using raidctl -C but not surprisingly the parity bit is dirty and cannot be set clean. The raid1.conf, disklabel contents, and dmesg.boot output are below.

Please let me know what I need to do to get RAID mirroring working on this system.

thanks!

dn

-

# raidctl -s raid1
raid1 Components:
           /dev/sd1d: optimal
           /dev/sd2d: failed
No spares.
Parity status: DIRTY
Reconstruction is 100% complete.
Parity Re-write is 100% complete.
Copyback is 100% complete.

-

raid1.conf:

START array
# numRow numCol numSpare
1 2 0

START disks
/dev/sd1d
/dev/sd2d

START layout
# sectPerSU SUsPerParityUnit SUsPerReconUnit RAID_level_1
32 1 1 1

START queue
fifo 100

-

# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: MAN3184MP
flags:
bytes/sector: 512
sectors/track: 597
tracks/cylinder: 2
sectors/cylinder: 1194
cylinders: 30050
total sectors: 35879700
rpm: 10025
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  a:        8389044             0  4.2BSD   2048 16384   16 # Cyl     0 -  7025
  b:        1048332       8389044    swap                   # Cyl  7026 -  7903
  c:       35879700             0  unused      0     0      # Cyl     0 - 30049

-

# disklabel sd1
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: MAN3184MP
flags:
bytes/sector: 512
sectors/track: 597
tracks/cylinder: 2
sectors/cylinder: 1194
cylinders: 30050
total sectors: 35879700
rpm: 10025
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  a:         205368             0  4.2BSD   2048 16384   16 # Cyl     0 -   171
  c:       35879700             0  unused      0     0      # Cyl     0 - 30049
  d:       35674332        205368  4.2BSD   2048 16384   16 # Cyl   172 - 30049

((note: set partition d to type RAID when using disklabel -- not sure why it says 4.2BSD now))

-

from dmesg.boot:

console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED],1/[EMAIL PROTECTED]/[EMAIL PROTECTED],40:a
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.0 (GENERIC_RAID) #0: Mon Nov 13 23:14:58 PST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC_RAID
total memory = 268435456
avail memory = 233644032
using 1638 buffers containing 13418496 bytes of memory
bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
mainbus0 (root): SPARCengine(tm)Ultra(tm) AXi (UltraSPARC-IIi 270MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIi @ 270.012 MHz, version 0 FPU
cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 256K external (64 b/l)
psycho0 at mainbus0 addr 0xfffc: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-128, PCI bus 0
psycho0: dvma map c000-dfff, iotdb 1135e000-113de000
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 "Sun Simba PCI-PCI" rev 0x11
pci1 at ppb0 bus 1
ebus0 at pci1 dev 1 function 0 "Sun PCIO Ebus2" rev 0x01
auxio0 at ebus0 addr 726000-726003, 728000-728003, 72a000-72a003, 72c000-72c003, 72f000-72f003
power0 at ebus0 addr 724000-724003 ipl 37
"SUNW,pll" at ebus0 addr 504000-504002 not configured
sab0 at ebus0 addr 40-40007f ipl 43: rev 3.2
sabtty0 at sab0 port 0: console i/o
sabtty1 at sab0 port 1
comkbd0 at ebus0 addr 3803f8-3803ff ipl 41: no keyboard
com0 at ebus0 addr 3602f8-3602ff ipl 42: mouse: ns16550a, 16 byte fifo
lpt0 at ebus0 addr 340278-340287, 30015c-30015d, 70-7f ipl 34: polled
fdthree at ebus0 addr 3203f0-3203f7, 706000-70600f, 72-720003 ipl 39 not configured
clock1 at ebus0 addr 0-1fff: mk48t59
flashprom at ebus0 addr 0-f not configured
beeper0 at ebus0 addr 722000-722003
hme0 at pci1 dev 1 function 1 "Sun HME" rev 0x01: ivec 0x7e1, address
pf and aliases
Looking for guidance on pf and aliases. I have an OBSD 3.8 box running pf in front of two SMTP servers. Here's my setup:

Net -> 1.2.3.4 -> pf box -> box1 9.8.7.6
       1.2.3.5 (alias) -> box2 9.8.7.7

Problem is, pf sends all requests to box1, even those addressed to 1.2.3.5. Here are the relevant bits from pf.conf:

ExtIf=xl1
ExtIfa=1.2.3.5
IntIf=xl0
box1=9.8.7.6
box2=9.8.7.7

nat on $ExtIf from $IntIf:network to any -> ($ExtIf)
rdr on $ExtIfa inet proto tcp from any to $ExtIfa port 25 -> $box2
rdr on $ExtIf inet proto tcp from any to $ExtIf port 25 -> $box1

pass in quick on $ExtIfa proto tcp from any to $box2 \
    port 25 flags S/SA keep state
pass in quick on $ExtIf proto tcp from any to $box1 \
    port 25 flags S/SA keep state

Again, I'm looking to get requests to two public addresses mapped to two private addresses. Right now, everything goes to box1.

Thanks in advance for clues on this.

dn
Re: pf and aliases
Darrin Chandler wrote:
> rdr on $ExtIfa inet proto tcp from any to $ExtIfa port 25 -> $box2
> rdr on $ExtIf inet proto tcp from any to $ExtIf port 25 -> $box1
>
> Forget for a second what you *want* to have happen, and look at the above
> snippets of your pf.conf. What's the *last* matching rule for something
> on $ExtIfa?

Ah, good point, thanks. I tried flipping the order (and adding the :0 parameter) but the following still forwards box2's requests to box1:

ExtIf=xl1
ExtIfa=1.2.3.5
IntIf=xl0
box1=9.8.7.6
box2=9.8.7.7

nat on $ExtIf:0 from $IntIf:network to any -> ($ExtIf:0)
rdr on $ExtIf inet proto tcp from any to $ExtIf:0 port 22 -> $box1
rdr on $ExtIfa inet proto tcp from any to $ExtIfa port 22 -> $box2

pass in quick on $ExtIf proto tcp from any to $box1 \
    port 22 flags S/SA keep state
pass in quick on 1.2.3.5 proto tcp from any to $box2 \
    port 22 flags S/SA keep state

Changing to $ExtIf:0 on the first pass rule just blocks traffic. Commenting out the nat rule has no effect, at least for inbound traffic. I've looked for examples of :0 in use, but haven't found anything relevant.

Thanks much for any further clues.

dn
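A pf.conf that maps the two public addresses to the two internal hosts, in the pre-4.7 nat/rdr syntax the thread uses. This is an added example, not the poster's or Darrin Chandler's configuration; the interface names, addresses and port are the ones given in the thread, and the default `block in` policy is an assumption. Two points of pf semantics bear on the symptom. First, the `on` keyword takes an interface or interface-group name, not an address, so `rdr on 1.2.3.5` (and `pass in on 1.2.3.5`) never selects packets arriving at the alias: depending on the pfctl version it is either rejected as an unknown interface or loads as a rule that cannot match. Second, a bare interface name used in an address position (`to $ExtIf`) expands to every address configured on xl1, alias included, whereas `$ExtIf:0` excludes aliases; a rule written that way therefore catches traffic for 1.2.3.5 as well. Translation rules are also evaluated first-match (unlike filter rules, where the last match wins unless `quick` is set), so a broad rule placed before the alias-specific one takes the traffic.

```pf
# Added example, not the configuration from the thread: one SMTP host
# behind each of two public addresses on xl1, in OpenBSD 3.8 nat/rdr
# syntax. Names, addresses and the port come from the thread; the
# "block in" default is an assumption.
ext_if  = "xl1"
int_if  = "xl0"
ext_pri = "1.2.3.4"     # primary address on xl1
ext_alt = "1.2.3.5"     # alias on xl1
box1    = "9.8.7.6"
box2    = "9.8.7.7"

# Outbound NAT to the primary address. ($ext_if:0) is the dynamic
# alternative; without :0 the alias would be included as well.
nat on $ext_if from $int_if:network to any -> $ext_pri

# Translation rules are first-match. Both rdr rules are "on" the real
# interface; the destination address selects the public IP. Never write
# "to $ext_if" here: it expands to every address on xl1, alias included,
# and placed first it would take the alias traffic too.
rdr on $ext_if inet proto tcp from any to $ext_pri port 25 -> $box1
rdr on $ext_if inet proto tcp from any to $ext_alt port 25 -> $box2

# Filter rules see the translated (private) destination, still on xl1.
block in on $ext_if
pass in quick on $ext_if inet proto tcp from any to $box1 port 25 \
    flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to $box2 port 25 \
    flags S/SA keep state
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -s nat` after: each rdr line should show the single public address it applies to rather than the whole interface, which is the quickest way to see whether an interface macro has silently expanded to the alias. From OpenBSD 4.7 onward translation is an option on filter rules (`pass in on xl1 inet proto tcp from any to 1.2.3.5 port 25 rdr-to 9.8.7.7`), and those rules are last-match like any other pass rule, so the ordering caveat above no longer applies there, while the `on`-takes-an-interface and `$if` versus `$if:0` points still do.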
embedded systems recommendations
I'm looking for recommendations for embedded systems that would work well for an OBSD 3.7 firewall. I've heard of Commell and Soekris. Are there others?

Requirements:
--ability to run OBSD, pf, openvpn, apcupsd
--compact flash or 2.5-inch hard drive
--forward 3 Mbit/s with ~50 rules in pf
--at least 3 10/100 interfaces (gig OK too, not needed)
--whole system, not parts

Thanks in advance for any opinions and pointers.

dn