Re: Replace PF rule + inetd Proxy with 2 PF rules
Hi Fabio (xará),

Apparently I achieved this with these rules:

--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8 port = flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port = 25 flags S/SA label "TESTE LISTA" tag TESTE rdr-to 8.8.8.8 port
match out log quick on hvn0 inet all label "TESTE LISTA" tagged TESTE nat-to 10.101.0.17
--

Of course there's room for improvement, be it simplifying the rules or making them more specific. Maybe I needed three rules because I use "block log" as a default rule, so: "block in" and "block out" by default.

Here is the tcpdump output:

--
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S 3824310731:3824310731(0) win 42340 (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S 3824310731:3824310731(0) win 42340
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S 3824310731:3824310731(0) win 42340
--

Regards,
Fabio Almeida

On Fri, Feb 14, 2020 at 8:33 AM Fabio Martins < fm+obsd+misc+l...@phosphorusnetworks.com> wrote:
>
> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from to ($ext_if) port 25 \
> rdr-to 200.200.200.200 port
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port received-on \
> $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins
>
> > Hi Fabio,
> >
> > I believe this will do what you want, seemed to work in quick testing
> > here, adjust to suit your environment.
> >
> >
> > match in on $ext_if proto tcp from to ($ext_if) port 25
> > rdr-to 200.200.200.200 port
> > match out on $ext_if proto tcp to 200.200.200.200 port received-on
> > $ext_if nat-to ($ext_if)
> >
> >
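As an added example (not part of the original thread), the Python below correlates the three pflog lines quoted above by their TCP initial sequence number, which rdr-to and nat-to leave untouched, so an operator can confirm that the "match in", "match out" and "pass out" entries are one connection being redirected, source-NATed and finally passed. The sample lines are the post's own, copied verbatim, including the missing destination port after "8.8.8.8.", which the parser has to tolerate.

```python
"""Correlate pflog entries to confirm that a rdr-to / nat-to pair acted on
one and the same connection. Added example, not code from the original
thread: translation rules rewrite addresses but not the TCP sequence number,
so the SYN's initial sequence number (ISN) ties the entries together."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three tcpdump-on-pflog lines quoted in the post,
# copied as they appear in the archived message (the destination port after
# "8.8.8.8." is absent there, so a missing port must be handled).
SAMPLE_PFLOG = """\
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S 3824310731:3824310731(0) win 42340 (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S 3824310731:3824310731(0) win 42340
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S 3824310731:3824310731(0) win 42340
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
    r"(?P<seq>\d+):\d+\(\d+\)"
)


@dataclass
class PflogEntry:
    rule: int
    action: str        # "match" or "pass" (or "block")
    direction: str     # "in" or "out"
    ifname: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    seq: int           # TCP initial sequence number of the SYN


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """tcpdump prints IPv4 endpoints as A.B.C.D.port; a trailing dot with
    nothing after it (as in the archived line) means the port is unknown."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port else None)


def parse_pflog(text: str) -> List[PflogEntry]:
    """Parse tcpdump's pflog output for TCP SYNs; unparseable lines are skipped."""
    entries: List[PflogEntry] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        entries.append(PflogEntry(int(m["rule"]), m["action"], m["dir"],
                                  m["ifname"], src, sport, dst, dport,
                                  int(m["seq"])))
    return entries


def connection_chains(entries: List[PflogEntry]) -> Dict[int, List[PflogEntry]]:
    """Group entries by ISN, preserving log order within each group."""
    chains: Dict[int, List[PflogEntry]] = {}
    for e in entries:
        chains.setdefault(e.seq, []).append(e)
    return chains


def summarize(chain: List[PflogEntry]) -> dict:
    """Describe what the ruleset did to one connection: which rules fired,
    how the destination (rdr-to) and source (nat-to) were rewritten, and
    whether a pass rule finally let the translated packet out."""
    first, last = chain[0], chain[-1]
    return {
        "rules": [(e.rule, e.action, e.direction) for e in chain],
        "original_dst": (first.dst, first.dport),
        "translated_dst": (last.dst, last.dport),
        "original_src": (first.src, first.sport),
        "translated_src": (last.src, last.sport),
        "redirected": first.dst != last.dst,
        "source_natted": first.src != last.src,
        "passed": any(e.action == "pass" for e in chain),
    }


if __name__ == "__main__":
    for isn, chain in connection_chains(parse_pflog(SAMPLE_PFLOG)).items():
        print(isn, summarize(chain))
```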
Re: Lesser evil
If you really need it, go with what's best for it. Today, to be honest, in your situation I'd run Windows; Linux will have probably half the performance, and the "compromises" you cited. Besides, you can also run Linux on Windows almost natively nowadays, so the choice is clear. Install a good antivirus, try to be smart and you'll be fine (almost).

That's my 2 cents.

Regards,

On Mon, Sep 3, 2018 at 4:09 PM - - wrote:
> Hello all,
>
>
> I am running OpenBSD on my desktop, which is suitable for 99% of my
> needs. However I have to run certain proprietary software, which is
> available on Linux, Mac OSX and Windows.
>
> I cannot decide which of the three would be a "lesser evil" to run in
> respect with security and privacy. The software (video and photo editing)
> runs best on Windows, almost as good on OSX and it runs on Linux with
> some compromises.
> Does it make sense to accept such compromises and run Linux for security
> and privacy OR is the better security and privacy of Linux more or less a
> myth and running Windows would be almost the same in that respect?
>
> I understand that any response is to be just an opinion.
>
> Thank you
>
> Jan
>
Re: Vmm CentOS Linux guests freeze randomly
No, sometimes it just vanishes, as if the VM was halted; most of the time however it stays stuck, vmd can't be restarted or stopped until the VM's associated vmd process is killed by "kill -9". In fact the entire system can't be halted or rebooted until these processes get killed. There's no 100% CPU consumption, nor a spike in utilization.

On Tue, Aug 28, 2018 at 4:34 PM Mike Larkin wrote:
> On Tue, Aug 28, 2018 at 02:42:19PM -0300, Fabio Almeida wrote:
> > In fact, it seems that any Linux, tried Alpine and Ubuntu also.
> > If you have any suggestion I can give it a try.
> >
>
> When the VM freezes, does its associated vmd process go to 100% cpu?
>
> -ml
>
> > On Tue, Aug 28, 2018 at 2:35 PM Mike Larkin wrote:
> > > On Tue, Aug 28, 2018 at 08:31:06AM -0300, Fabio Almeida wrote:
> > > > The VM freezes, can't ssh, can't ping also.
> > > > I've disabled some BIOS settings like AMT and other cpu related security
> > > > settings, but it had no effect as a VM just froze again.
> > > >
> > >
> > > Is it only CentOS 1804 that fails?
> > >
> > > -ml
> > >
> > > > On Tue, Aug 28, 2018 at 12:47 AM Mike Larkin wrote:
> > > > > On Mon, Aug 27, 2018 at 04:47:31PM -0300, Fabio Almeida wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I'm running current, trying to run 4 Linux guests (to build a kubernetes
> > > > > > cluster), installed
> > > > > > CentOS Linux release 7.5.1804 (Core) without problems.
> > > > > > It appears to work fine, tried with 3G and 2G RAM each guest, my machine
> > > > > > has 32G of RAM.
> > > > > > Changed grub to start with: clocksource=tsc console=ttyS0,115200 noapic
> > > > > > The machines freeze randomly, can't find a way to reproduce the error.
> > > > > > To start the virtual machine again, I need to "kill -9" the vmd process
> > > > > > attached to it (n1 is the VM name):
> > > > > > --
> > > > > > hero# ps ax | grep n1
> > > > > > 60680 ?? Rp/1 22:13.56 vmd: n1 (vmd)
> > > > > > hero# kill -9 60680
> > > > > > --
> > > > > > Following is a dmesg also.
> > > > > > Output of vmd -dvvv: (killed by CTRL+c).
> > > > > > ---
> > > > >
> > > > > Does the VM freeze or just the console?
> > > > >
> > > > > Eg, can you still ssh into the VM?
> > > > >
> > > > > -ml
> > > > >
> > > > > > [...]
Re: Vmm CentOS Linux guests freeze randomly
In fact, it seems that any Linux, tried Alpine and Ubuntu also.
If you have any suggestion I can give it a try.

On Tue, Aug 28, 2018 at 2:35 PM Mike Larkin wrote:
> On Tue, Aug 28, 2018 at 08:31:06AM -0300, Fabio Almeida wrote:
> > The VM freezes, can't ssh, can't ping also.
> > I've disabled some BIOS settings like AMT and other cpu related security
> > settings, but it had no effect as a VM just froze again.
> >
>
> Is it only CentOS 1804 that fails?
>
> -ml
>
> > On Tue, Aug 28, 2018 at 12:47 AM Mike Larkin wrote:
> > > On Mon, Aug 27, 2018 at 04:47:31PM -0300, Fabio Almeida wrote:
> > > > Hi,
> > > >
> > > > I'm running current, trying to run 4 Linux guests (to build a kubernetes
> > > > cluster), installed
> > > > CentOS Linux release 7.5.1804 (Core) without problems.
> > > > It appears to work fine, tried with 3G and 2G RAM each guest, my machine
> > > > has 32G of RAM.
> > > > Changed grub to start with: clocksource=tsc console=ttyS0,115200 noapic
> > > > The machines freeze randomly, can't find a way to reproduce the error.
> > > > To start the virtual machine again, I need to "kill -9" the vmd process
> > > > attached to it (n1 is the VM name):
> > > > --
> > > > hero# ps ax | grep n1
> > > > 60680 ?? Rp/1 22:13.56 vmd: n1 (vmd)
> > > > hero# kill -9 60680
> > > > --
> > > > Following is a dmesg also.
> > > > Output of vmd -dvvv: (killed by CTRL+c).
> > > > ---
> > >
> > > Does the VM freeze or just the console?
> > >
> > > Eg, can you still ssh into the VM?
> > >
> > > -ml
> > >
> > > > [...]
Re: Vmm CentOS Linux guests freeze randomly
The VM freezes, can't ssh, can't ping also.
I've disabled some BIOS settings like AMT and other cpu related security settings, but it had no effect as a VM just froze again.

On Tue, Aug 28, 2018 at 12:47 AM Mike Larkin wrote:
> On Mon, Aug 27, 2018 at 04:47:31PM -0300, Fabio Almeida wrote:
> > Hi,
> >
> > I'm running current, trying to run 4 Linux guests (to build a kubernetes
> > cluster), installed
> > CentOS Linux release 7.5.1804 (Core) without problems.
> > It appears to work fine, tried with 3G and 2G RAM each guest, my machine
> > has 32G of RAM.
> > Changed grub to start with: clocksource=tsc console=ttyS0,115200 noapic
> > The machines freeze randomly, can't find a way to reproduce the error.
> > To start the virtual machine again, I need to "kill -9" the vmd process
> > attached to it (n1 is the VM name):
> > --
> > hero# ps ax | grep n1
> > 60680 ?? Rp/1 22:13.56 vmd: n1 (vmd)
> > hero# kill -9 60680
> > --
> > Following is a dmesg also.
> > Output of vmd -dvvv: (killed by CTRL+c).
> > ---
>
> Does the VM freeze or just the console?
>
> Eg, can you still ssh into the VM?
>
> -ml
>
> > [...]
Vmm CentOS Linux guests freeze randomly
Hi,

I'm running current, trying to run 4 Linux guests (to build a kubernetes cluster), installed CentOS Linux release 7.5.1804 (Core) without problems.
It appears to work fine, tried with 3G and 2G RAM each guest, my machine has 32G of RAM.
Changed grub to start with: clocksource=tsc console=ttyS0,115200 noapic
The machines freeze randomly, can't find a way to reproduce the error.
To start the virtual machine again, I need to "kill -9" the vmd process attached to it (n1 is the VM name):

--
hero# ps ax | grep n1
60680 ?? Rp/1 22:13.56 vmd: n1 (vmd)
hero# kill -9 60680
--

Following is a dmesg also.

Output of vmd -dvvv: (killed by CTRL+c).

---
vioblk_notifyq: unsupported command 0x8
vioblk_notifyq: unsupported command 0x8
vioblk_notifyq: unsupported command 0x8
rtc_update_rega: set non-32KHz timebase not supported
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vioblk_notifyq: unsupported command 0x8
vioblk_notifyq: unsupported command 0x8
vioblk_notifyq: unsupported command 0x8
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
vcpu_process_com_data: guest reading com1 when not ready
rtc_update_rega: set non-32KHz timebase not supported
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
vcpu_exit_i8253: channel 0 reset, mode=4, start=32767
^Cvmd_sighdlr: handling signal
vmd_shutdown: performing shutdown
vm_remove: parent vmd_shutdown removing vm 1 from running config
vm_stop: parent vmd_shutdown stopping vm 1
vm_remove: parent vmd_shutdown removing vm 2 from running config
vm_stop: parent vmd_shutdown stopping vm 2
vm_remove: parent vmd_shutdown removing vm 3 from running config
vm_stop: parent vmd_shutdown stopping vm 3
vm_remove: parent vmd_shutdown removing vm 4 from running config
vm_stop: parent vmd_shutdown stopping vm 4
vm_remove: vmm vmm_shutdown removing vm 2 from running config
priv exiting, pid 71179
vm_stop: vmm vmm_shutdown stopping vm 2
vm_remove: vmm vmm_shutdown removing vm 3 from running config
vm_stop: vmm vmm_shutdown stopping vm 3
vm_remove: vmm vmm_shutdown removing vm 1 from running config
n2: vcpu_assert_pic_irq: can't assert INTR
n3: vcpu_assert_pic_irq: can't assert INTR
control exiting, pid 75391
vm_stop: vmm vmm_shutdown stopping vm 1
vmm exiting, pid 83638
parent terminating
---

dmesg:

---
OpenBSD 6.4-beta (GENERIC.MP) #0: Fri Aug 24 15:09:55 -03 2018
    micron@hero.chaos:/home/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 33833492480 (32266MB)
avail mem = 32798904320 (31279MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x8f11f000 (62 entries)
bios0: vendor LENOVO version "N1QET53W (1.28 )" date 03/29/2017
bios0: LENOVO 20HEBR
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT SSDT BOOT BATB SLIC SSDT SSDT SSDT WSMT SSDT SSDT DBGP DBG2 MSDM DMAR ASF! FPDT UEFI
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) RP02(S4) RP03(S4) RP04(S4) RP05(S4) RP06(S4) RP08(S4) RP09(S4) RP10(S4) RP11(S4) RP12(S4) RP13(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz, 1252.92 MHz, 06-8e-09
cpu0:
Re: Lumina-Terminal on OpenBSD
I recommend you spend some time learning a bit of tmux; then you can use any terminal, and copy/paste and much, much more will be available. I like urxvt, it's simple, stable and lightweight.

On Wed, Jul 4, 2018 at 5:37 PM rehcla wrote:
> Hey Martijn,
>
> Just found a Lumina thread on the OpenBSD mailing list and in that one you
> said you are the maintainer of the Lumina port.
> Is that still the case?
> I did like Lumina on TrueOS, but TrueOS was far too unstable for me...
> Anyway I identify much more with OpenBSD and Theo de Raadt :)
> If yes, is there any reason why lumina-terminal is missing?
> xterm has no copy paste feature (which is handy if you need to use mpv as
> youtube-player)...
> I installed kde-konsole which depends on a bunch of other kde packages.
> It would be great to have lumina-terminal available... How about it?
>
> Greetings
> rehcla
>
Re: Help questions
Hi Leroy,

I recommend you read and study at least:

- https://www.openbsd.org/faq/ - Everything, from top to bottom.
- DNS & Bind - To get a good understanding of the Internet and how things work in general.
- Some network and TCP/IP specific books**
- Absolute OpenBSD
- The Book of PF

**For me that was TCP/IP Illustrated, Internetworking with TCP/IP Series... For firewall concepts and architecture a very good book at the time (2003) was Linux Firewalls 2nd Edition - New Riders. It's an old book, and it's not OpenBSD related, but I give it to you just as an example; it was my starting point, and a very good one. Besides, it's good to know something about different systems; this way you can build a good and solid base of knowledge.

Another aspect of OpenBSD you'll soon discover is the quality of the documentation, especially the man pages. They are really useful; different from other systems, OpenBSD man pages give you examples and good descriptions, and it's possible to configure and understand something you've never done before just by reading the man pages.

That's it, I hope it helps on your journey.

Fabio Almeida

On Thu, Feb 22, 2018 at 6:36 PM, leroy jordan <leroy.j.jor...@gmail.com> wrote:
> I'm new to oBSD. However, I do want to learn so I can contribute. The
> skills that I have so far have come from the books that are suggested on
> the OpenBSD website. Which are useful in getting me started, but they don't
> have all the answers, and when I post on misc no one seems to reply. I know
> this is not kindergarten; you're not going to hold my hand, however how will
> I ever learn?
> If no one reaches out I use the emails as a teaching tool, so you can bash
> me all you want but I'm not going to give up. I'm all in.
> Maybe I'm just ranting.
>
> Thanks, Leroy Jordan
>
Re: performance impact of excessive use of the "quick" keyword in pf.conf?
No need to worry about it. I manage systems with more than 6000 rules without any problem. In fact you'll need to worry just about disk I/O if all your rules use log and if the disk is not so fast. In case you have this problem you can always use:

pflogd_flags="-f /dev/null"

in /etc/rc.conf.local; that way you'll still be able to debug with "tcpdump -i pflog0" without problems.

Regards,
Fabio Almeida

On Wed, Jul 20, 2016 at 4:19 PM, Henning Brauer <hb-open...@ml.bsws.de> wrote:
> * Peus, Christoph <christoph.p...@uni-wh.de> [2015-06-15 20:40]:
> > I'm currently planning for a complete reorganization i.e. rewrite of a
> > historically grown pf.conf of about 300 rules. Up to now each and every rule
> > uses the "quick" keyword, which effectively turns the "last match" concept of
> > pf into a "first match" one. Does that make any sense?
>
> mostly a matter of personal preference. quick performs slightly better
> obviously; I highly doubt w/ just 300 rules you'll even get a
> measurable difference tho.
>
> > Of course.. as evaluation stops at a matching rule with "quick" one may expect
> > that the average time it takes to decide whether a packet is passed or blocked
> > is significantly lower and therefore overall performance of pf will be better
> > with always using "quick". But is this true?
>
> depends on your definition of significant :)
>
> > Does this make sense if the CPUs
> > are idling most of the time? Are there any rules of thumb when to use "quick"
> > and when to avoid it?
>
> in general, don't worry too much about performance impact from the way
> you write your rules. in 99+% of the cases pf is so efficient that it
> doesn't matter anyway, and the ruleset optimizer, skip steps et al do
> their job so that you can concentrate on a ruleset optimized for the
> human dealing with it, not the machine.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services GmbH, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
Re: OpenBSD 5.8 on VMware 5.5
Hi Felipe,

I'm running OpenBSD VMware guests without problem, both as firewall, IPSec VPN and FTP/SFTP servers. If you plan to run H.A. systems with CARP, just be sure to enable "promiscuous mode" on the carp interfaces, both on the VM and the hypervisor side. Everything else you can leave at the default options; I have both 'vic' and 'em' interfaces without problem.

Regards,
Fabio Almeida

On Tue, Dec 1, 2015 at 1:50 PM, Felipe Gomes <felan...@gmail.com> wrote:
> Folks,
>
> I've been trying to search for more information on OpenBSD as a VMware
> guest, but I wasn't able to find much... and the information is pretty much
> outdated.
>
> What are the recommendations for OpenBSD 5.8 (amd64) as a guest on VMware
> 5.5?
>
> Guest Operating System: should I pick "Other (64bit)" or FreeBSD?
>
> How does OpenBSD work with "virtual sockets" and "cores per virtual
> socket"?
>
> What is the best NIC? E1000, E1000E, VMXNET2 ENHANCED or VMXNET3?
>
> What is the recommended SCSI Controller? LSI Logic Parallel, LSI Logic SAS
> or VMware Paravirtual?
>
> I'd believe that all of these options work... I just don't know which is
> more stable or perform better.
>
> Any other tips on fine tuning or special settings?
>
> I'm planning on migrating a few Soekris boxes to virtual machines. Is this
> reliable? Is anyone running production OpenBSD servers on VMware?
>
> Thanks in advance!
Successful installation of OpenBSD on IBM x336
Hi all,

I've had the same problems described on (http://marc.info/?l=openbsd-misc&w=2&r=1&s=x336&q=b) trying to install OpenBSD on an IBM x336. To be short, the problem is:

- You need to disable ACPI to install the system
- Even with ACPI disabled, after installation the system can't boot. Problems related to the onboard VGA (ATI Radeon)

But I could install and boot the system this way:

1 - Disable Hyper Threading in the BIOS
2 - Install the i386 version
3 - Redirect the terminal to a serial console
4 - Disable ACPI and VGA

To do this, when the boot prompt appears:

boot> set tty com0

With a null modem cable (http://en.wikipedia.org/wiki/File:D9_Null_Modem_Wiring.png) on another OpenBSD system:

# cu -l /dev/ttyU0 (change to your com port)

UKC> disable acpi
UKC> disable vga
UKC> exit

And the system happily boots, apparently working without other issues. For now, that's it; it seems the system can be installed and used headless. I'll make these configurations permanent, make some tests with iperf to assure stability under network load and put it in production next week or so.

Regards,
Fabio Almeida
Point-to-point without PPPoE
Hi,

Is it possible to configure a point-to-point-like connection without using the PPPoE protocol, a /30 netmask or a VPN?

I need to authenticate around 1.000 wireless customers; for this I'll be using authpf, but there's a need to isolate each customer in a way that each client PC can't see the others, but only directly communicates with the firewall, like a ppp connection.

Any advice will be appreciated :)

Thanks in advance,
Fabio Almeida
LACP Over Wireless Bridge
Hi all :)

I have the following scenario:

             +------------+
             | LAN Switch |
             +------------+
                    |
    +-------------------------------+
    | OpenBSD Bridge + trunk (LACP) |
    +-------------------------------+
           |                   |
+------------------------+ +------------------------+
| Rocket M5 WiMax Bridge | | Rocket M5 WiMax Bridge |
+------------------------+ +------------------------+
   ^  ^  ^                    ^  ^  ^
+------------------------+ +------------------------+
| Rocket M5 WiMax Bridge | | Rocket M5 WiMax Bridge |
+------------------------+ +------------------------+
           |                   |
    +------------------------------+
    | 3Com Switch 5500/4200 (LACP) |
    +------------------------------+
                    |
             +------------+
             | LAN Switch |
             +------------+

There are two WiMax links to the same location; the idea is to use them for failover. In a lab setup, with the OpenBSD bridge directly connected to the 3Com switch, everything works, no problem. My doubt is related to the LACP packets crossing the wireless links. I've googled, but couldn't find any definitive information about that.

Any directions will be appreciated, so:

Is there a chance this messy setup can work?
Has anyone configured some setup like that in bridge mode (not ECMP)?
Does anyone know if there is any wireless device that properly handles LACP packets (lets them cross the wireless bridge)?

Thanks in advance,
Fabio Almeida
Re: Linux or OpenBSD
Hi Rikky,

What I can say to you, as a former Linux user (for firewalls) is: iptables is ok, until you know PF; after knowing PF you'll never use Linux, at least for firewalls, anymore.

That's my experience on this subject.

Fabio Almeida

On Wed, 2010-09-22 at 19:29 +, Rikky Taylor wrote:
> I was after some general advice. I need to set up a routing firewall with 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules. Given identical modern server hardware would I expect a performance difference between an OpenBSD/PF setup and a Linux/IPTables one?
>
> Rikky
Re: openbsd 4.7 pf + route-to question
On 27-07-2010 05:04, Maikel Verheijen wrote:
> Hello fellow openbsd fans,
>
> While preparing a test environment for my upgrade to openbsd 4.7 I ran into a slight problem. My current setup uses route-to rules to send out traffic back out on the interface it received it on like this:
>
> pass out on $ext_if2 route-to ($ext_if1 $ext_if1_router) from ($ext_if2)
> pass out on $ext_if1 route-to ($ext_if2 $ext_if2_router) from ($ext_if2)
>
> After changing this to
>
> pass out on $ext_if2 from ($ext_if2) route-to ($ext_if1 $ext_if1_router)
> pass out on $ext_if1 from ($ext_if1) route-to ($ext_if2 $ext_if2_router)
>
> and applying this to a fresh install of openbsd 4.7 this only seems to work when I enable multi-path routing with 2 default gateways. This has the disadvantage that all traffic gets sent out round-robin, which is not what I want.
>
> Can anyone help me figure out what I'm doing wrong? This setup does seem to work on openbsd 4.5, didn't try 4.6 yet, but will do so later today to see if it works there.
>
> Thanks in advance,
>
> Kind regards,
>
> Maikel Verheijen

Hi Maikel,

I'm not sure, but don't you need to put some nat rules to translate between the two interfaces?

match out on $ext_if1 from $ext_if2 nat-to $ext_if1
match out on $ext_if2 from $ext_if1 nat-to $ext_if2

My best regards,
Fabio Almeida
Re: Brazil resellers of OpenBSD - Tempo Real?
Probably you'd better buy anything OpenBSD related on the official site. I gave up trying to find some reseller here in Brazil, and when I bought on the official site I had no problems. Like the system itself, it just works :)

Fabio Almeida

On Tue, 2010-04-20 at 10:40 -0300, Leonardo Rodrigues wrote:
> I used to buy official OpenBSD sets there, but I remember trying to buy a set a couple of months ago, and I couldn't find any. Actually, their website isn't even working (www.temporeal.com.br) and there are reports on some forums that the physical store has closed. Meh =(
>
> On Mon, Apr 19, 2010 at 9:35 PM, Nenhum_de_Nos math...@eternamente.info wrote:
> > On Mon, 19 Apr 2010 15:24:32 -0700 (MST) Austin Hook aus...@computershop.ca wrote:
> > > Does anyone know if the bookstore Tempo Real still exists and if they have a physical mailing address? Or does anyone know of a potential reseller of OpenBSD in Brazil?
> >
> > it looks like it is alive.
> > http://www.novatemporeal.com.br/temporeal/contato.asp
> > unfortunately there is no physical address I could find on the site.
> >
> > the devil store (http://www.devilstore.com.br/) deals FreeBSD discs, they may have interest in OpenBSD as well. their commercial mail is comerc...@freebsdbrasil.com.br.
> >
> > HTH,
> >
> > matheus
> >
> > --
> > We will call you cygnus,
> > The God of balance you shall be
> >
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> > http://en.wikipedia.org/wiki/Posting_style
Re: ZFS in OpenBSD
http://openbsd.org/mail.html "Do your homework before you post"

As we say here in Brasil: who says what he wants will hear what he doesn't want (or so). Surely you didn't even try Google first; if you had, you'd have been redirected to: http://kerneltrap.org/mailarchive/openbsd-misc/2009/1/15/4733444 (zfs +openbsd - the first link, or the "I'm Feeling Lucky" button). That's why you get these types of answers.

Fabio Almeida
Multiple DHCP interfaces
Hi misc :)

I have the following setup:

em1 - LAN
em0 - Internet connection (DHCP)
em2 - Internet connection (Static Route)
em3 - Internet connection (DHCP)

For now I have two external interfaces working: em3, which sets the default gateway via dhclient, and em2, which I have included as an additional default gateway with the command:

/sbin/route add -mpath default 200.x.x.x

I was also able to use the static route with a route-to rule. So, my questions:

1- Can I use dhclient on the two DHCP interfaces setting multiple default gateways as I did with -mpath?
2- Is there an option in dhclient.conf (I read the man page, but can't figure out how to do this) to not set the gateway but save the gateway IP address in a file, so I can use these files in pf.conf along with route-to rules?
3- Is there a better way to do this?

Any directions will be appreciated.

Thanks in advance,
Fabio Almeida
Re: Per User Bandwidth Limiting
Hi,

I'm running HFSC with 251 queues and it's performing very well. I can't say what the exact implications of increasing the limit from 64 queues to 512 or even 1024 are, but in my case I increased it to 256 and the system is controlling the queues without any problems and as precisely as usual.

Fabio

On Sun, Dec 14, 2008 at 9:05 AM, Justin Fletcher jyfletc...@gmail.com wrote:

I have an ISP situation where there are about 1000 users sitting behind Cisco 3550 switches. Each port is 1 user and is configured with an individual VLAN where each VLAN is assigned a small network subnet and corresponding DHCP scope. The problem, it seems (so I have been told), is that these 3550's will not effectively bandwidth limit at the port level. Incoming bandwidth is limited as configured, but outgoing is not. So, I am looking at a pf solution but google is not turning up any specific information for such a situation. Ideally I would limit each subnet (and thus corresponding VLAN/Port/Customer) to what the customer is paying for (1Mb up/1Mb down, etc). Is anyone running 1000 different queues with pf? Any experience or suggestions on the performance and reliability? Is there another direction I should be looking to accomplish this? As an additional note: I don't need to do any traffic prioritization or QoS. Just raw limiting. It might be nice to allow bursting but it is not a requirement. Any info would be appreciated.

Thanks,
-Justin
Intel Quad Port Gigabit Ethernet
Hi,

Is anyone here using the Intel Pro1000VT Quad Port adapter? I'm going to buy a couple of Dell servers to build an H.A. firewall and want to be sure to buy compatible and high performance Ethernet adapters.

Thanks in advance.
Fabio Almeida
Re: Altq number of queues
You need to modify just one line in:

/usr/src/sys/altq/altq_cbq.h
Around line 104
#define CBQ_MAX_CLASSES 512

And/Or

/usr/src/sys/altq/altq_hfsc.h
Around line 53
#define HFSC_MAX_CLASSES 256

and compile the kernel with the directions: http://cvs.openbsd.org/faq/faq5.html#Options

That is everything I have done.

Fabio Almeida
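A check to run before rebuilding (and again after pulling in a new source tree), added here as an example and not part of the post: it reads the MAX_CLASSES value out of the altq header and counts the queue definitions in a pf.conf, so you learn that the kernel limit is too low before pfctl refuses the ruleset. The file paths are placeholders passed as arguments; the limit is per interface in the kernel, so counting every queue in the file is a conservative upper bound.

```shell
#!/bin/sh
# Added example: compare altq queue definitions in pf.conf against the
# CBQ_MAX_CLASSES / HFSC_MAX_CLASSES limit compiled into the kernel.

# Print the numeric value of a #define from a header file.
#   $1 = header path, $2 = macro name (e.g. HFSC_MAX_CLASSES)
max_classes() {
    awk -v m="$2" '$1 == "#define" && $2 == m { print $3; exit }' "$1"
}

# Count altq queue definitions: lines starting with "queue NAME".
# Comment lines and the "altq on ..." root definition are not counted.
#   $1 = pf.conf path
count_queues() {
    grep -Ec '^[[:space:]]*queue[[:space:]]+[[:alnum:]_]+' "$1" || true
}

# Return 0 when the queues fit under the limit, 1 when they do not,
# 2 when the macro is missing from the header.
# The root class of each interface also takes a slot in the class
# table, so strictly less than the limit is required.
#   $1 = pf.conf, $2 = header, $3 = macro name
check_limit() {
    q=$(count_queues "$1")
    m=$(max_classes "$2" "$3")
    if [ -z "$m" ]; then
        echo "no $3 in $2" >&2
        return 2
    fi
    if [ "$q" -lt "$m" ]; then
        echo "ok: $q queues, $3=$m"
        return 0
    fi
    echo "too many: $q queues, $3=$m (raise it and rebuild the kernel)"
    return 1
}

# Usage: sh check_queues.sh /etc/pf.conf /usr/src/sys/altq/altq_hfsc.h HFSC_MAX_CLASSES
[ "$#" -eq 3 ] && check_limit "$1" "$2" "$3"
```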
Re: Altq number of queues
Hi :)

I've configured the system with a total of 256 HFSC queues. pf.conf is configured with 250 queues and everything is running smoothly; as far as I can perceive everything is working very well. I also configured the system with a total of 512 cbq queues, but I'm using just HFSC now.

Fabio Almeida
Altq number of queues
Hi,

Are there any side effects of changing the number of HFSC queues from 64 to 512? What are the implications of such a configuration?

Thanks in advance
Re: Altq number of queues
Thanks Jared, I checked out the thread as you pointed :) But I would like to know if raising the number of queues to 512 and recompiling the kernel is an alternative or it's better to keep the default values. Does anyone have a configuration with 512 or more queues? What is the correct way to configure my system to support that number of queues? Any directions?

Cheers,
Fabio

On Wed, Aug 27, 2008 at 9:52 PM, jared r r spiegel [EMAIL PROTECTED] wrote:

On Wed, Aug 27, 2008 at 10:04:25AM -0300, Fabio Almeida wrote:

Ooops Yes, I mean HFSC :)

http://marc.info/?l=openbsd-pf&m=105686547406316&w=2
http://marc.info/?l=openbsd-pf&m=105696331913195&w=2

maybe it just fell off the radar, or maybe there turned out to be a good reason to not change it

--
jared
Re: Install VMware 5.5 or 6.0 at OpenBSD 4.3?
Hi,

I'm running XP on qemu, using nat, but I've used bridge too. The command is:

sudo /usr/local/bin/qemu -m 756 -net nic -net tap,ifname=tun0,script=/etc/qemu-XP_ifup /home/eu/virtuals/windowsXP.img

/etc/qemu-XP_ifup:
--
#!/bin/sh
_ETHER=tun0
_BRIDGE=bridge0

# Let the environment over-ride this
[ $BRIDGE ] || BRIDGE=${_BRIDGE}
[ $ETHER ] || ETHER=${_ETHER}

if test `id -u` -ne 0; then
    SUDO=sudo
fi

echo -n "{$1 ($BRIDGE - $ETHER) "

# Set the tun device into layer2 mode
$SUDO /sbin/ifconfig $1 link0 up

# Set up our bridge
$SUDO /sbin/ifconfig $1 group tun >/dev/null 2>&1
$SUDO /sbin/ifconfig $BRIDGE create >/dev/null 2>&1
{
    $SUDO brconfig $BRIDGE rule block in on $ETHER dst 33:33:0:0:0:12
    $SUDO brconfig $BRIDGE rule block in on $ETHER dst 01:00:5e:00:00:12
} >/dev/null 2>&1

# Remove the interfaces from any bridge they are already a member of
/sbin/ifconfig bridge | sed -n '/^bridge[0-9]*/{s/:.*$//;p;}' | while read brif
do
    $SUDO brconfig $brif del $ETHER >/dev/null 2>&1
    $SUDO brconfig $brif del $1 >/dev/null 2>&1
done

$SUDO brconfig $BRIDGE add $ETHER up
$SUDO brconfig $BRIDGE add $1 up || true
echo "}"
--

It's working nicely with kqemu. I'm running snapshot 02/07/08 i386:
--
OpenBSD kanjiru.nowhere 4.4 GENERIC.MP#783 i386
--

Fabio
Re: security fixes for packages
I've used OpenBSD-RELEASE +patches a long time on my desktop, and servers of course... Besides the fact that, inevitably, after some time a couple of pieces of software get outdated, I feel a lot more secure with my outdated OpenBSD than with any Linux out there on the bleeding edge of software versions. I've no intention to blame Linux since I'm a Linux user too, but OpenBSD is OpenBSD; the others are others... And after all, you have the option to download Firefox or whatever software sources and build it yourself, it's not that hard. If you are concerned about having the latest version of everything you can try Gentoo Linux; I'm sure no one here will blame you, it's your choice. Among all, I just prefer OpenBSD, and every night I pray the Lord to bless OpenBSD developers.

Fabio Almeida
Re: Optimising OpenBSD
I would like to recommend Secure Architectures With OpenBSD. It's a great book.

Cheers,
Fabio

On Wed, Apr 9, 2008 at 8:58 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote:

On Wed, Apr 09, 2008 at 07:55:36AM -0500, Ed Ahlsen-Girard wrote:

From: Douglas A. Tutty [mailto:[EMAIL PROTECTED]

If you want a book, although it's a bit old there's Absolute OpenBSD by No Starch Press.

A nice book, but it's out of print. It is available as a PDF though. I purchased a copy last year.

I'd like a PDF version; I'll google for it unless you have the URL handy.

Doug.
Re: problem with on-board Realtek NIC
On Dec 26, 2007 7:09 AM, Ted Hendriks [EMAIL PROTECTED] wrote:

Hello,

I have installed v4.2 and am using the GENERIC kernel. I am not able to bring up the on-board NIC card. My motherboard is a Gigabyte GA-945GCM-S2L. The on-board NIC is a Realtek 8111C. Here is what dmesg reports on the card:

re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02: unknown ASIC (0x3c00), irq 10, address 00:00:00:00:00:00
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2

I have a laptop with this Realtek 8168 onboard card; it seems to work, but when I start using network stuff the system hangs without any response, it just freezes. What I have done is disable the re* device and attach a PCMCIA Realtek 8139 (rl0). Now everything just works.

And the info from ifconfig:

re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:00
        media: Ethernet autoselect (1000baseT full-duplex,loopback,master,rxpause,txpause)
        status: active

When I manually bring the card up, I get:

re0: PHY write failed

I confirmed the card/cable is working with Ubuntu 7.10 and winXP. Any ideas?

Thanks,
Ted

Fabio Almeida