Re: PF and states of connections with same src port
On Fri, May 2, 2008 at 7:35 AM, B A [EMAIL PROTECTED] wrote:
> Hello! I have question about PF. I have just found interesting behavior of PF. For example if I fix source port and run from my PC:
>
>   echo 'aaa' | nc -p www.my.rerver 80
>
> I got response. But if I just run this command again - connection stuck. I should wait about 1 min to be able to make connection with same src port. Looks like pf states weren't immediately removed after FIN send. Directly connected PC hasn't shown such behavior, I got response immediately. Am I wrong or something about PF? How can I fix this behavior?

States aren't purged immediately. Take a look at the timeout values, specifically tcp.closed.

-Kian
Re: Got 'em !
On Thu, Apr 10, 2008 at 1:29 AM, Paul de Weerd [EMAIL PROTECTED] wrote:
> Hi all,
>
> The new 4.3 CD set has just arrived here in Zurich, Switzerland! I've put up a pic on http://www.weirdnet.nl/images/openbsd43set.jpg .. looking very cool yet again ;)

Artwork looks great! Are those the same semi-transparent stickers from 4.2? I can't tell from the picture.

-Kian
Re: syslog-ng and log analyzers
On Feb 20, 2008 10:51 AM, Ryan Corder [EMAIL PROTECTED] wrote:
> On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote:
> | I would like to see what you'd suggest as a log analyzer tool(s) on a
> | centralized log server running syslog-ng.
> |
> | I also need to use a specific tool as PF log analyzer. What do you
> | suggest for that purpose?
>
> I prefer to use a log notification tool instead of relying on a tool to figure out what is going on. Since I pretty much know what I'm looking out for, I can define certain things to watch for and then set up appropriate notifications.
>
> Check out tenshi -- written for Gentoo Linux, but is just Perl.

Another vote for Tenshi. Probably the best way to do it with syslog-ng is to have syslog-ng forward logs to Tenshi (listening on loopback) because otherwise Tenshi won't be able to follow the logs (if you organize them by date, etc.).

-Kian
Re: Remote syslog
On Feb 19, 2008 8:42 PM, Steve B [EMAIL PROTECTED] wrote:
> My employer has given me some free colo space and I thought I would take advantage of it to do remote system logging. Those of you here who are doing it, could you comment on whether you are using Syslog-NG or something else, and whether you are doing it over SSH or IPSEC? I have looked at various articles around the net but would like some first hand comments.

I set up an OpenBSD syslog server a few months ago. The OpenBSD logserver runs syslog-ng and Tenshi (to mail out alerts). Clients run FreeBSD and OpenBSD. No encryption currently (maybe change that in the future) because all of the machines that log are local.

http://www.zampanosbits.com/wordpress/2007/07/08/implementing-a-central-logserver-with-openbsd/

Hope that helps,
-Kian
Re: strange pfctl output
On Dec 25, 2007 10:54 AM, Daniel [EMAIL PROTECTED] wrote:
> Hi!
>
> I'm having this problem:
>
> # pfctl -sr | fgrep ftp
> [...]
> pass out on rl0 inet proto tcp from ip to __automatic_39c048b4_0 port = ftp flags S/SA keep state
>
> What is that automatic stuff?

It's a table identifier. The optimizer created it (prefix is always __automatic_) and redesigned your ruleset to make use of it rather than a long list of separate rules.

Kian
Re: dhclient ignoring DHCPOFFERS?
On Dec 19, 2007 8:25 PM, Nick Guenther [EMAIL PROTECTED] wrote:
> On Dec 19, 2007 7:53 PM, Kian Mohageri [EMAIL PROTECTED] wrote:
> > On Dec 19, 2007 10:26 AM, Nick Guenther [EMAIL PROTECTED] wrote:
> > > I've seen this problem intermittently before. Every once in a while, this happens (the adapter it happens on doesn't matter):
> > >
> > > # dhclient de0
> > > DHCPREQUEST on de0 to 255.255.255.255 port 67
> > > DHCPREQUEST on de0 to 255.255.255.255 port 67
> > > DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 5
> > > DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
> > > DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
> > > DHCPOFFER from 192.168.0.1
> > > DHCPREQUEST on de0 to 255.255.255.255 port 67
> > > DHCPREQUEST on de0 to 255.255.255.255 port 67
> > > DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 7
> >
> > DHCP process goes
> > 1. Discover
> > 2. Offer
> > 3. Request
> > 4. Ack
>
> Ooh, that's very good to know. I didn't know it worked like that! Thanks.
>
> > In the above, the request for the offered address was never acknowledged, so it asked again, and then went back to discovery.
>
> But how do you explain the "No DHCPOFFERS received" phrase (that you snipped)? That would seem to say that the problem is not that the server never ACK'd, it's that the server never OFFER'd.. except it did, and dhclient 'knew' that.

I didn't read it literally as if no offers were received throughout the entire process. I read it as no offers received during this discovery period.

Kian
Re: dhclient ignoring DHCPOFFERS?
On Dec 19, 2007 10:26 AM, Nick Guenther [EMAIL PROTECTED] wrote:
> I've seen this problem intermittently before. Every once in a while, this happens (the adapter it happens on doesn't matter):
>
> # dhclient de0
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 5
> DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
> DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
> DHCPOFFER from 192.168.0.1
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 7

DHCP process goes
1. Discover
2. Offer
3. Request
4. Ack

In the above, the request for the offered address was never acknowledged, so it asked again, and then went back to discovery.

-Kian
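The Discover/Offer/Request/Ack walk-through in the two dhclient messages above, as an added example that is not part of the thread: it parses a dhclient(8) transcript (constructed here to mirror the quoted output, plus a constructed healthy run for contrast) and reports, per offer, whether the request was ever acknowledged or the client fell back to discovery.

```python
# Added example, not dhclient's own code. Walks a dhclient transcript through
# the DHCP Discover/Offer/Request/Ack sequence and records each offer's fate.
import re

# Constructed sample, modelled on the dhclient output quoted in the thread.
SAMPLE_LOG = """\
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
DHCPOFFER from 192.168.0.1
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 7
"""

# Constructed healthy run for contrast: the offer is requested and acked.
HEALTHY_LOG = """\
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 3
DHCPOFFER from 192.168.0.1
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.42 -- renewal in 43200 seconds.
"""

# Message type, then an optional "on <iface>" or "from <server>".
LINE_RE = re.compile(r"^(DHCP[A-Z]+)(?:\s+on\s+(\S+))?(?:\s+from\s+(\S+))?")


def parse_events(text):
    """Extract (type, interface, server) from every DHCP* line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"type": m.group(1), "iface": m.group(2), "server": m.group(3)})
    return events


def analyse(events):
    """Summarise each OFFER's fate plus REQUESTs sent while no offer was outstanding.

    A REQUEST with no outstanding OFFER is the client trying to reclaim an
    address it already held, so it is counted separately rather than tied to
    an offer.
    """
    summary = {"reboot_requests": 0, "offers": []}
    pending = None  # the offer currently awaiting an ACK
    for ev in events:
        t = ev["type"]
        if t == "DHCPOFFER":
            pending = {"server": ev["server"], "requests": 0, "acked": False, "abandoned": False}
            summary["offers"].append(pending)
        elif t == "DHCPREQUEST":
            if pending is None:
                summary["reboot_requests"] += 1
            else:
                pending["requests"] += 1
        elif t == "DHCPACK" and pending is not None:
            pending["acked"] = True
            pending = None
        elif t in ("DHCPDISCOVER", "DHCPNAK") and pending is not None:
            # Going back to discovery (or being NAKed) means the offer was given up on.
            pending["abandoned"] = True
            pending = None
    return summary


if __name__ == "__main__":
    for name, log in (("quoted run", SAMPLE_LOG), ("healthy run", HEALTHY_LOG)):
        print(name, analyse(parse_events(log)))
```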
syslog disabling question
Hello, I was setting up a central logserver this afternoon and some of the functionality I need wasn't in the stock syslogd(8), so I chose to use syslog-ng. I noticed that you cannot specify syslogd=NO or syslogd_flags=NO to disable it (in rc.conf.local), and I was mostly curious why. I'm sure it has something to do with the gap between when things start up and may need to log vs. when the local startup happens -- if that's true, what is the suggested way around that? Originally I thought to simply keep syslogd enabled, but syslog-ng will not be able to start in that case. Is my best option to kill syslogd from rc.local or manually edit /etc/rc? Thanks for any suggestions. Kian
Re: syslog disabling question
On 6/13/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/06/13 02:00, Kian Mohageri wrote:
> > Is my best option to kill syslogd from rc.local or manually edit /etc/rc?
>
> How about leaving them both running, and binding syslog-ng to just the relevant IP address?

Thank you all for the suggestions. For some reason I didn't think of what Stuart suggested, so I'll try that out. I think it is better than modifying rc(8). I think I will have the stock syslogd do its default thing and maybe even forward messages to syslog-ng in addition so there is some consistency with the rest of the hosts.

Thanks again,
Kian
Re: c2k7 hackathon is over
On 6/2/07, Theo de Raadt [EMAIL PROTECTED] wrote:
> The c2k7 hackathon is over, with roughly 50 developers attending the event for 10 days in Calgary. So many projects were started or finished, it is basically impossible for me to describe all the projects. Hope you guys out there enjoy the changes that we've made.

In addition to all the great progress being made, based on the pictures, it looks like you guys had a lot of fun. Makes me glad to have bought a CD set/poster/shirt to help fund stuff like this.

Thanks for sharing your work with the rest of us!

Kian
Re: pf - drop or return - is stealth mode overrated?
Henning Brauer wrote:
> * Chris Smith [EMAIL PROTECTED] [2007-04-25 00:42]:
> > Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.
>
> stealth mode is totally overrated.

For my clarification, are we talking about stealth mode as in dropping everything (including pings) from untrusted hosts, or the default block-policy (drop vs. return)?

Based on this discussion, I'm trying to decide if I want to change our firewall block-policy to 'return' even though we already allow ping and 'return' traffic to the firewalls themselves so things like traceroute can work.
Re: pf - drop or return - is stealth mode overrated?
On 4/24/07, Chris Smith [EMAIL PROTECTED] wrote:
> Hello,
>
> Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.

I use drop in most cases. Stealth mode isn't exactly going to add much, but I see no reason a host should receive any response at all when it is trying to talk to a host that doesn't exist or a port that isn't actually listening. Much of that activity is simply host/port scanning.

I could argue either way, but my preference is 'block drop' most of the time.

--
Kian Mohageri
Re: pf - drop or return - is stealth mode overrated?
On 4/24/07, Lars Hansson [EMAIL PROTECTED] wrote:
> Kian Mohageri wrote:
> > I could argue either way, but my preference is 'block drop' most of the time.
>
> Hopefully most of the time does not include ICMP.

It doesn't.

--
Kian Mohageri
Re: sk or em
On 4/16/07, Ronnie Garcia [EMAIL PROTECTED] wrote:
> Bryan Vyhmeister wrote:
> > On Apr 16, 2007, at 1:58 AM, Ronnie Garcia wrote:
> > > Clint Pachl wrote:
> > > > Ronnie Garcia wrote:
> > > > > Do you expect doing more than 100mbits with this hardware (with PF enabled)? I'm maxing a P4 2.4Ghz at 40mbits, with a dual em, and a ~300 lines pf.conf
> > > >
> > > > What is your packets/sec when you're pushing 40Mbs? Does the traffic flow in one em and out the other or is the dual em in a trunk (i.e. 2Gbs)?
> > >
> > > Traffic gets in one em, is filtered by pf, and gets out from the other em (and the other way around). It's doing 11kpps in and 6kpps out of each em, plus 7kpps on the pfsync interface, which is a sis
> >
> > This brings up a question I have had for a while. Does pfsync generate enough traffic that running gigabit cards for your $ext_if and $int_if and a 100base-TX card for your pfsync interface cause a major bottleneck?
>
> It depends on the rate of the state changes. Here, we have ~30mbits on pfsync, for ~40mbits of traffic (!)

On our college campus with 50Mbps, we see ~8Mbps pfsync traffic. Your ratio amazes me... What type of environment is that in?

--
Kian Mohageri
Re: Mail Server (seeking recommendations)
On 4/13/07, Steven Presser [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm working for a small company which has settled on OpenBSD as its server software (because the security is excellent). We have settled on what software to use for everything but the mail server. I'd like to request recommendations from the knowledgeable people of this list. The priorities for the mail server are:
>
> 1. Security
> 2. Usability (for the end user - not everyone is technically skilled, although the setup can be done for anyone who needs help)
> 3. Ease of setup
> 4. Scalability
>
> Obviously the first is by far the most important. The other three are more perks than anything else.

Throwing in another vote for Dovecot for IMAP. I'm stuck with Qmail at the moment (works fine), but Postfix is nice.

As for webmail, I haven't heard Roundcube mentioned yet. We use it, and it's at least pretty enough. Requires a database, unfortunately, but it works with LDAP and our staff like it.

http://roundcube.net/

--
Kian Mohageri
Re: safe PF start / restart
On 4/11/07, christian johansson [EMAIL PROTECTED] wrote:
> I had to set up a linux firewall the other day, and I used the iptables script generating program shorewall. While pulling my hair over how ugly the iptables stuff (even via shorewall) is compared to OpenBSD's nice clean PF syntax, I did find one very nice feature in shorewall - safe restart.
>
> When safe restarting, shorewall will implement all rules in the iptables config files, then give the user a prompt: keep rules y/n? If 'yes' the rules are kept and everyone is happy. If 'no', iptables are disabled and all traffic let in. If no answer then default to answer 'no' after 60 seconds.
>
> Very useful, even if just for the added peace of mind when applying new changes. Is there a ready made script accomplishing this for openbsd / pf? Or any plans of building such functionality?
>
> Christian

FreeBSD has a similar script for ipfw(8) called change_rules.sh. You could probably modify it to suit your needs, but I haven't really looked at how it works, as I don't find it necessary with pf.

http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/ipfw/change_rules.sh?annotate=1.2.2.5

--
Kian Mohageri
Re: any site or doc about openbsd kernel configuration, info or tweak?
On 3/25/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
> any site or doc about openbsd kernel configuration, info or tweak aside from man page?
>
> thanks

http://www.openbsd.org/faq/faq5.html#Why

Q: 5.6 - Why do I need a custom kernel?
A: Actually, you probably don't.

That said, http://www.openbsd.org/faq/faq5.html#Options

--
Kian Mohageri
Re: pf.conf propagation
On 3/20/07, Alexander Lind [EMAIL PROTECTED] wrote:
> Hello misc.
>
> Can anyone recommend a pf propagation script, intended to be used to spread changes from one carp:ed openbsd firewall to another?

for host in fw1 fw2 fw3 fw4 fw5; do scp ~/master.pf.conf ${host}:/etc/pf.conf; done

--
Kian Mohageri
Re: Important OpenBSD errata
On 3/16/07, Lars Hansson [EMAIL PROTECTED] wrote:
> On Fri, 16 Mar 2007 18:03:02 +1100 Sunnz [EMAIL PROTECTED] wrote:
> > If I tell you that I'll give you fries as they become available what would you think I am saying?
>
> Unless it's your job to give them to me now and I have paid you to do so I'd expect to get them whenever you have them and feel like giving me some.

Yeah. Expectations aside, being condescending is never warranted. Both Karl and Martin did just that. They could have asked if there was a reason it wasn't sent to security-announce@ instead of misc@, rather than saying "This is terrible handling of a bug" after it was fixed almost immediately.

Seems some people spend very little time thanking the developers for the immediate fix and instead go straight to suggestions on how to handle their project better.

--
Kian Mohageri
Re: Important OpenBSD errata
On 3/16/07, Karl O. Pinc [EMAIL PROTECTED] wrote:
> On 03/16/2007 02:51:48 AM, Kian Mohageri wrote:
> > Yeah. Expectations aside, being condescending is never warranted.
>
> We've all spent more time on this than it's worth, but I would appreciate it if you'd point out any condescension in my initial posts so I can do better next time. Promise I won't waste your time by trying to justify my choice of words.

I hate to keep this going, but it sounds like you genuinely want to know for future reference. So, from your initial post:

> > I agree. I'm very annoyed that I have to read about this problem on slashdot. The misc list is not the right place for this announcement

Martin's reply was much more condescending. I know it is very easy to misinterpret people online, which is what seems to have happened here. To me, both of your posts initially came across as kind of unappreciative, and I'd imagine at least a few developers probably feel that way too (but I can't speak for them). I'm not saying that you're unappreciative, just that it seemed that way. That is why when I write suggestions, I usually find something to thank the person for too, just so they don't feel under attack. Only hearing from people about things that are done _wrong_ really gets old. We all know that.

Darren's latest reply summed up what I have to say so I'm gonna stop replying to this thread. I think everyone has made their points and we're all on the same page.

--
Kian Mohageri
Re: Important OpenBSD errata
On 3/15/07, Karl O. Pinc [EMAIL PROTECTED] wrote:
> On 03/15/2007 10:48:49 PM, Ray Percival wrote:
> > On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:
> > > I rely on having a clear channel for security related problems.
> >
> > The only communication problem here is that you don't look at the information that the project puts out there for you.
>
> The project says it will announce security errata on the security-announce list. I _am_ assuming this will be done in a timely fashion... This does not seem like an unreasonable assumption. I bet you'd also like somebody other than you to patch your systems in a timely fashion.
>
> If security-announce is not a place for timely security announcements then change the description, or get rid of it. Which brings the discussion back to where it started, and where it belongs.

Security isn't about receiving notifications to your Inbox in a timely fashion. It is about being proactive yourself. You should be the one taking measures to secure your systems, and you should be the one ACTIVELY LOOKING for problems. Watching mailing lists isn't enough, and this was announced very early on the ERRATA page. Do something for yourself.

--
Kian Mohageri
Re: OpenBSD 4.1 Pre-Orders...
On 3/12/07, Darrin Chandler [EMAIL PROTECTED] wrote:
> Have you got yours yet?!

Just ordered the CD set and a poster myself!

--
Kian Mohageri
Re: A question on pf rules
On 2/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Greetings,
>
> Does it make any difference if I group my rules like this:
>
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
>
> ## Pass all outgoing traffic
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state
> pass out on $ext_if inet proto { icmp, udp } all keep state
>
> Or, like this:
>
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
> pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state
>
> ## Pass all outgoing traffic
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out on $ext_if inet proto { icmp, udp } all keep state

Last matching rule wins so the second example won't do what you're expecting.

http://www.openbsd.org/faq/pf/filter.html

Also, try to use flags S/SA on all of your stateful TCP rules unless you have a good reason not to.

--
Kian Mohageri
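The "last matching rule wins" point above, as an added example that is not part of the thread and not pf's code: a toy model of pf rule evaluation run over the two orderings from the question. It also goes one step beyond the thread by modelling pf's `quick` keyword, which stops evaluation at the first match and is the usual way to keep a specific rule from being overridden by a later catch-all. The $mailhost address and the packets are constructed.

```python
# Added example, not pf code: models "last matching rule wins" (and "quick")
# over the two rule orderings from the thread. All values are constructed.

MAILHOST = "192.0.2.25"   # constructed stand-in for $mailhost


def rule(text, direction, proto=None, src=None, dst=None, port=None, log=False, quick=False):
    """A simplified pf rule; None means 'any' for that field."""
    return {"text": text, "dir": direction, "proto": proto, "src": src,
            "dst": dst, "port": port, "log": log, "quick": quick}


def matches(r, pkt):
    if r["dir"] != pkt["dir"]:
        return False
    if r["proto"] is not None and pkt["proto"] not in r["proto"]:
        return False
    if r["src"] is not None and r["src"] != pkt["src"]:
        return False
    if r["dst"] is not None and r["dst"] != pkt["dst"]:
        return False
    if r["port"] is not None and r["port"] != pkt["dport"]:
        return False
    return True


def evaluate(ruleset, pkt):
    """Return the rule pf applies: the last match, unless a matching rule is 'quick'."""
    winner = None
    for r in ruleset:
        if matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    return winner


def is_logged(ruleset, pkt):
    """True only if the rule that actually wins carries 'log'."""
    w = evaluate(ruleset, pkt)
    return bool(w and w["log"])


# The four rules from the question (keep state omitted; it doesn't affect matching).
RULE_IN_SMTP_LOG = rule("pass in log on $ext_if proto tcp to $mailhost port smtp",
                        "in", {"tcp"}, dst=MAILHOST, port=25, log=True)
RULE_OUT_TCP_ALL = rule("pass out on $ext_if inet proto tcp all flags S/SA",
                        "out", {"tcp"})
RULE_OUT_SMTP_LOG = rule("pass out log on $ext_if inet proto tcp from $mailhost to any port smtp",
                         "out", {"tcp"}, src=MAILHOST, port=25, log=True)
RULE_OUT_ICMP_UDP = rule("pass out on $ext_if inet proto { icmp, udp } all",
                         "out", {"icmp", "udp"})

FIRST_ORDERING = [RULE_IN_SMTP_LOG, RULE_OUT_TCP_ALL, RULE_OUT_SMTP_LOG, RULE_OUT_ICMP_UDP]
SECOND_ORDERING = [RULE_IN_SMTP_LOG, RULE_OUT_SMTP_LOG, RULE_OUT_TCP_ALL, RULE_OUT_ICMP_UDP]
# Second ordering again, but with the specific rule marked quick.
SECOND_WITH_QUICK = [RULE_IN_SMTP_LOG, dict(RULE_OUT_SMTP_LOG, quick=True),
                     RULE_OUT_TCP_ALL, RULE_OUT_ICMP_UDP]

# Constructed packets: outbound mail from $mailhost, and unrelated outbound HTTP.
OUTBOUND_SMTP = {"dir": "out", "proto": "tcp", "src": MAILHOST, "dst": "198.51.100.7", "dport": 25}
OUTBOUND_HTTP = {"dir": "out", "proto": "tcp", "src": "192.0.2.30", "dst": "198.51.100.7", "dport": 80}

if __name__ == "__main__":
    for name, rs in (("first", FIRST_ORDERING), ("second", SECOND_ORDERING),
                     ("second+quick", SECOND_WITH_QUICK)):
        print(f"{name}: winner = {evaluate(rs, OUTBOUND_SMTP)['text']!r}, "
              f"logged = {is_logged(rs, OUTBOUND_SMTP)}")
```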
Re: State table not recovering on CARP backup machine
On 1/15/07, Christopher Snell [EMAIL PROTECTED] wrote:
> Has anybody experienced sudden surges of state entries like this?

Denial of service attack perhaps? There has been a surge of SYN scanning from machines on our network that were affected by the Symantec hole. That created a few thousand states and I ended up putting in some rules to deal with it.

Check your state table for patterns...e.g. recurring ports, addresses with unreasonable numbers of states, a lot of connections to port 2967 outside of your network, etc.

--
Kian Mohageri
Re: revision control system for system administration
On 12/18/06, atstake atstake [EMAIL PROTECTED] wrote:
> Not directly OpenBSD related but I thought I'd ask. I'd like to use a revision control system to manage files on 25-30 servers but I'm not sure whether I'd use a centralized repository or have a separate revision control system on each box. It would also be good to know how much leverage a revision control system can give over a make-backup-before-change policy in the long run and also what files and directories should I add to it. Anything else anyone would like to add from experience would be much appreciated.

Our (fairly small) organization uses our CVS repository like this in small ways. I really detest having everything in CVS for obvious reasons, but it can be useful in some situations.

For example, redundant OpenBSD firewalls may share some configuration files for custom Snort rules. Update them in CVS, and use a shell script on the hosts to pull the updated configuration files via CVS+SSH. If multiple people are managing the rules, it is nice to see what people changed.

Probably not so useful in the case of relatively static configuration files like pf.conf which shouldn't be modified much anyway.

I wouldn't advise using it simply as a storage place in case you delete the local copy (that's what backups are for!), but you might find it useful serving identical configuration files to multiple hosts (as opposed to actual network file shares).

Your comment about make-backup-before-change is somewhat frightening though :) If you don't have one already, you should set up a system that does daily+ backups, depending on how often things change.

--
Kian Mohageri
Re: Problem with Intel PRO/1000GT (82541GI) adaptors
On 11/15/06, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2006/11/15 09:25, Kian Mohageri wrote:
> > On 11/14/06, Brian Keefer [EMAIL PROTECTED] wrote:
> > > FWIW I was having very similar problems with em(4) in OpenBSD 4.0-release under VMware (amd64 SMP). It would cease to recognize ARP replies and just flood the network with ARP requests endlessly. It was enough to bring VMware to its knees and totally swamp my cheap switch.
> >
> > The same card too?
>
> vmware can emulate em(4): http://sanbarrow.com/vmx-network.html

I was curious as to what it was being detected as (PRO/1000MT (82545EM)) on the guest OS.

Assuming we're seeing the same bug, the weirdest thing about this bug to me is this... Usually it doesn't come up for a couple of months. A few times when it has come up on the master firewall (which fails), the second one takes over, and then fails too.

--
Kian Mohageri
Re: Problem with Intel PRO/1000GT (82541GI) adaptors
On 11/14/06, Brian Keefer [EMAIL PROTECTED] wrote:
> FWIW I was having very similar problems with em(4) in OpenBSD 4.0-release under VMware (amd64 SMP). It would cease to recognize ARP replies and just flood the network with ARP requests endlessly. It was enough to bring VMware to its knees and totally swamp my cheap switch.

The same card too?

--
Kian Mohageri
Re: Problem with Intel PRO/1000GT (82541GI) adaptors
On 11/13/06, Joe [EMAIL PROTECTED] wrote:
> I have 2 of these adaptors
>
> Intel PRO/1000GT (82541GI) rev 0x05
>
> The 82541GI chipset is supported by em(4).
>
> Every day, the box drops off the network. The interfaces show themselves as active, but I can't ping, arp, or sniff any traffic. A reboot solves the problem. Is anyone else having this problem?
>
> For now, I had to remove the NICs because the box is a firewall and goes down at random times throughout the day. I didn't notice any particular traffic patterns. Output of `ifconfig` and `netstat -m` is also helpful.

I had this issue too in 3.8 and 3.9, but it is really rare. It happens on both firewalls, and only on the internal interface. I've talked to a few others with the same issue too. Happened about once every few months or so.

http://archives.neohapsis.com/archives/openbsd/2006-06/1813.html

em1 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 9, address 00:04:23:a9:18:06
em2 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 9, address 00:04:23:a9:18:07

You'll probably notice the same thing I did (OACTIVE in the output of ifconfig). I couldn't find any patterns though, unfortunately. I know there were some related changes in 4.0 though, so I'm hoping that fixes it.

--
Kian Mohageri
Re: Lenovo notebooks
On 10/26/06, Andreas Kahari [EMAIL PROTECTED] wrote:
> On 26/10/06, martin g [EMAIL PROTECTED] wrote:
> > Hello all
> >
> > Has anyone got experience with Lenovo notebooks running OpenBSD. If you are so kind to share your experience.

I have a Thinkpad T43 running an OpenBSD snapshot at the moment. I dual boot FreeBSD and OpenBSD on it. I haven't run into any problems with basic functionality but I haven't tried out much in the way of power management.

--
Kian Mohageri
Re: new tool: openportd
On 10/22/06, Steffen Wendzel [EMAIL PROTECTED] wrote:
> You normally have different open ports

pf(4) makes this a minor issue.

No offense, but what you have there (in the example specifically) is no better than a limited (if you consider ability to reboot or kill ssh limited) version of rexec/rsh. The way you authenticate is obscured a bit, but not secured.

A neat project, I'll give you that. But I don't recommend it on a production server.

--
Kian Mohageri
Re: OpenVPN Server and nice setting on OpenBSD
On 10/20/06, Bill Chmura [EMAIL PROTECTED] wrote:
> I have set verbosity to 5 and watched it. I get lots of W (Writes) and R's (Reads) while it is idle, which I was thinking was the pings. On the client side I would see WRWRWRWRWRW... (drop and reset)

Do you have any firewalling going on between these machines?

--
Kian Mohageri
Re: pf: 'block drop' used, but ICMP unreachables returned anyway...
On 10/12/06, Martin Gignac [EMAIL PROTECTED] wrote:
> Man, I need "The Utterly Dumbass' Guide to pf" (with pretty pictures) 'cause my brain doesn't seem to be equipped to understand this concept clearly. :-)

Check out the 3 articles on PF by Daniel Hartmeier (OpenBSD developer). I found them to be very clear and concise and I'm pretty sure his explanations will help you out.

http://www.undeadly.org

--
Kian Mohageri
Re: DHCP, CARP, and VLANs
On 10/12/06, Bryan Vyhmeister [EMAIL PROTECTED] wrote:
> This would send the DHCP requests to whatever server they needed to go to. I have been trying to use dhcrelay on the firewalls for this purpose with dismal results. If a DHCPREQUEST for ip comes in, all is well, but if a DHCPDISCOVER request comes in, DHCPOFFER does not seem to reach the client.

Where is your DHCP server? Where is the DHCPOFFER being lost? Have you sniffed on the interface between the firewalls and DHCP server? The client and firewalls?

--
Kian Mohageri
Re: problems using HFSC with pf
On 10/12/06, S t i n g r a y [EMAIL PROTECTED] wrote:
> i am facing problems using hfsc with PF. do you see anything wrong with this ? is there a bug in this ?

I don't mean to be rude but you *really* need to start learning how to look into these things by yourself. It will help you out a lot in the long run. People grow very tired of seeing people post their entire pf.conf time after time with new problems and no indication that you've even tried googling the error message from pfctl yourself.

Kian
Re: OpenBSD exists for the developers? [Was: Re: Version 4.0 release]
On 10/10/06, chefren [EMAIL PROTECTED] wrote:
> On 10/10/06 4:46 AM, Kian Mohageri wrote:
> > On 10/9/06, Lars Hansson [EMAIL PROTECTED] wrote:
> > > I guess you didn't understand; OpenBSD does not exist for you or me, it exists for the developers. This is a truth everybody should have to read before submitting their complaint/feature request/rant/whatever.
>
> It's definitely not as simple as that, probably about a dynamic half of the truth. A large part of the developers give away their work and solve problems of other people just because they like to do so. I presume they believe enough of the receivers will do something in return (donations, or even code) to help the whole project.

Yes, the developers do give away their creations to the public free of charge, but as far as I'm concerned that does not change who the project is actually *for*. The public benefits from the generosity and intelligence of the developers (and people who contribute in other ways to the project). But ultimately the project was never under anyone's control except the leaders -- it belongs to them, and exists for them. They are in no way required to do what they do; there is no REAL obligation to the public.

I agree with you, though, that there is a balance in the community despite who the project is originally for -- and that balance works well. In fact, most people in here probably don't actually think that OpenBSD owes them something (hopefully...)...but it can be hard to tell from some of the complaints.

-Kian
Re: Version 4.0 release
On 10/9/06, Lars Hansson [EMAIL PROTECTED] wrote:
> > Asking for code submission if you want feature x or y doesn't really float my boat. I only do some high level programming and I know nothing about kernel internals.
>
> I guess you didn't understand; OpenBSD does not exist for you or me, it exists for the developers. This is a truth everybody should have to read before submitting their complaint/feature request/rant/whatever.

Well said Lars.

-Kian
Re: 'flags S/SA keep state' now the default
On 10/6/06, Ryan McBride [EMAIL PROTECTED] wrote:
> I've just committed code based on a suggestion made by Daniel Hartmeier to make "flags S/SA keep state" the default for rules.

Very cool. Thank you.
Re: Letter to OLPC
On 10/5/06, Ingo Schwarze [EMAIL PROTECTED] wrote:
> The structure of the OpenBSD project suggests that this project might be able to resist better than others. It is no company. It is no charity. It is not so small that it needs to grasp at every straw to survive. It is not so large that any of the big players will put any real effort into trying to corrupt it. As long as it has a few people who know what they want, it might stand unconquered for a while. Not because those people are morally better than or in any way stronger than others, but because they wisely choose a context for living and working that lets them grow rather than corrupting them.

The success of OpenBSD (with regard to keeping its original ideals in mind) has less to do with the size or structure and more to do with the overall goals and strength of the people involved. Writing off their ability to remain true to themselves and the community as a sort of accident or one of many equally probable outcomes is completely wrong. If it was not for Theo and the rest of the developers, and the community, standing up for themselves, it would have been dissolved into something different long ago despite the structure, popularity, size, whatever. They actively work AGAINST corruption -- they don't simply avoid, ignore, or resist it.
Re: VPN(8) pf.conf
On 9/12/06, Gustavo Rios [EMAIL PROTECTED] wrote:
> While reading VPN(8) manual page, I could not figure out in what interface context the following line applies:
>
> # Pass encrypted traffic to/from security gateways
> pass in proto esp from $GATEWAY_B to $GATEWAY_A
> pass out proto esp from $GATEWAY_A to $GATEWAY_B

No interface is specified so it applies to any interface. pf.conf(5) makes that pretty clear.

Kian
syncing pf tables
Hello, I was just curious if any of you sync pf tables between hosts, and how you do it. I know it may be considered abusing tables, but in our setup, we hold a list of registered clients within tables (which are updated dynamically by scripts). We also use carp (and soon pfsync) for failover. Obviously both hosts need to have the same addresses in their tables for this to work well, so the script runs on both hosts...which is fine I suppose, and cleaner than scp'ing the list from one to the other. But I was curious how other people handle this issue. So, how do you guys sync your tables? Thanks, Kian
Re: syncing pf tables
> On CARP'd machines, it can be kinda handy, make a quick change on the primary, test it, if it works, run the script. If it doesn't, you can easily revert it by simply running the script on the standby machine.
>
> Nick.

Ah...that is a pretty cool idea. I was more curious about dynamically syncing them though, as opposed to having any user interaction.

For example, say you have redundant firewalls with a table which is populated by the overflow keyword, it may be useful to sync this table between master and backup nodes, without manual intervention -- so that in the event of a failover, the backup has the same hosts in its tables. Does that make sense?

Kian
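The table-sync question raised in "syncing pf tables" and the overflow-table scenario just above, as an added example that is neither part of the thread nor pf's code: given dumps of the same table from the master and the backup (constructed here as stand-ins for what "pfctl -t <table> -T show" prints on each host), it computes the minimal pfctl add/delete commands that bring the backup in line. The table name "overflow" is assumed; the script only emits the commands and never talks to pf itself.

```python
# Added example, not pf code: diff two pf table dumps and emit the pfctl
# commands needed to make the backup's table match the master's.
import ipaddress

TABLE = "overflow"   # assumed table name, after the thread's overflow scenario

# Constructed stand-ins for "pfctl -t overflow -T show" output on each node.
MASTER_DUMP = """\
   192.0.2.10
   192.0.2.11
   198.51.100.0/24
   2001:db8::5
"""
BACKUP_DUMP = """\
   192.0.2.10
   192.0.2.99
   198.51.100.0/24
"""


def parse_table_dump(text):
    """One address or network per line, normalised to canonical prefix form."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Host entries carry no prefix; ip_network gives them /32 or /128.
        entries.add(str(ipaddress.ip_network(line, strict=False)))
    return entries


def table_delta(master, backup):
    """Return (to_add, to_delete) so that applying both makes backup == master."""
    return sorted(master - backup), sorted(backup - master)


def sync_commands(table, master_dump, backup_dump):
    """pfctl commands to run on the backup; empty list when already in sync."""
    master = parse_table_dump(master_dump)
    backup = parse_table_dump(backup_dump)
    to_add, to_delete = table_delta(master, backup)
    cmds = []
    if to_add:
        cmds.append(f"pfctl -t {table} -T add " + " ".join(to_add))
    if to_delete:
        cmds.append(f"pfctl -t {table} -T delete " + " ".join(to_delete))
    return cmds


if __name__ == "__main__":
    for cmd in sync_commands(TABLE, MASTER_DUMP, BACKUP_DUMP):
        print(cmd)
```

If you are willing to ship the whole master dump rather than a delta, "pfctl -t overflow -T replace -f file" on the backup does the add and delete in one step.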
Re: NFS over 2 PF firewalls with CARP/pfsync
On 8/17/06, Alastair Johnson [EMAIL PROTECTED] wrote:
> I have 2 OpenBSD 4.0beta firewalls arranged in a CARP failover configuration with PFsync. It seems to work very well for everything except NFS. My ssh, remote desktop and telnet connections seem to survive a failover very nicely.

I've never tried it, but pf.conf(5) states that scrub (assuming you're scrubbing traffic) can cause problems with NFS unless the 'no-df' keyword is specified. I don't really know if that is related at all to what you're experiencing but figured I'd mention it.

Kian
Re: saslauthd issue?
On 8/7/06, J Moore [EMAIL PROTECTED] wrote: On Mon, Aug 07, 2006 at 10:51:02PM -0700, the unit calling itself Kian Mohageri wrote: B14xVu: Undefined variable. where B14xVu is a fragment of the password. The full password was: V$B14xVu I tried this on other user/password combinations, and got reasonable results. But the $ char seems to cause a problem consistently. In all other cases, the result was either: Have you tried escaping the $ char to make sure the shell doesn't interpret it? V\$B14xVu Yes - sorry I failed to mention that... esc'ing the $ does get by, but I've just never ever heard of having to escape a password... does that seem logical? shouldn't it at least be documented?

It isn't that unusual. The program you're testing with is run on the command line, so special characters are going to be interpreted by the shell. Might be worth a note in the man page example or something, but it's pretty common knowledge (not saying you should've known that or anything). Kian
Re: PF redirect to another IP on LAN
Wouldn't this do the trick?
rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103
Redirect any port 80 traffic originally meant for me to 192.168.1.103

Yes, but why are you asking if you already have the answer? As stated in the man page, your traffic will also need to pass filter evaluation AFTER the redirect rule is processed. Can't you just test that line? Kian
Re: Carp/Pfsync problem
Change 'syncif' to 'syncdev' in your hostname.pfsync files. Also, out of curiosity, why are there two CARP addresses between the workstation and firewalls? Kian

On 9/20/06, Tim Pushor [EMAIL PROTECTED] wrote: Hi friends, I am trying to set up my first firewall w/failover via carp pfsync. I have it almost working, but am having a couple issues. I am hoping someone will be able to help :)

First, before I enabled preemption I almost always had one machine being master for one of the carp interfaces, and slave for the other two. It seemed to work, but just looked troublesome. Enabling preemption seemed to solve this. Does this point to a bigger problem somewhere?

Second, and what I am really trying to fix - is to have an in progress TCP session fail over to the second firewall. The connection stalls and eventually times out when failing over, but attempting to re-establish after the failover works (through the second firewall). I've confirmed (at least in my mind) that state updates are being properly propagated to the second firewall by watching the pfsync interface, and noting the state via pfctl -s state. I've watched syslog with pfctl -x loud and didn't see anything. Any hints on how I can go about troubleshooting this further? I've included as much info as I can think of. The included PF ruleset is just a proof of concept - I realize there's quite a bit more to be done, I'm just trying to get the failover working. Thanks! Tim

BTW If there is any OpenBSD guru in Calgary that's looking for a few hours of consultancy I'd love to hear from you :)

Details: Both systems are Dell 850 servers w/added Intel Etherexpress Pro 10/100 cards as the pfsync interface, with a crossover cable between them. OS is OpenBSD 3.9, GENERIC Kernel.
Network layout (an ASCII diagram in the original; its contents follow):
  Test Workstation 192.168.1.246
  carp1 192.168.1.22 and carp2 192.168.1.23, shared by fw1 and fw2 on the workstation side
  fw1 bge0 192.168.1.20, fw2 bge0 192.168.1.21
  fw1 fxp0 192.168.254.253 and fw2 fxp0 192.168.254.254, crossover link for pfsync
  fw1 bge1 10.0.10.253, fw2 bge1 10.0.10.254, carp0 10.0.10.1 on the server side
  Test Server 10.0.10.42

fw1:

# cat hostname.bge0
inet 192.168.1.20 255.255.255.0 NONE
# cat hostname.bge1
inet 10.0.10.253 255.255.255.0 NONE
# cat hostname.fxp0
inet 192.168.254.253 255.255.255.0 NONE
# cat hostname.carp0
inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass foo1 carpdev bge1
# cat hostname.carp1
inet 192.168.1.22 255.255.255.0 192.168.1.255 vhid 2 pass foo2 carpdev bge0
# cat hostname.carp2
inet 192.168.1.23 255.255.255.0 192.168.1.255 vhid 3 pass foo3 carpdev bge0
# cat hostname.pfsync0
up syncif fxp0
# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0

fw2:

# cat hostname.bge0
inet 192.168.1.21 255.255.255.0 NONE
# cat hostname.bge1
inet 10.0.10.254 255.255.255.0 NONE
# cat hostname.fxp0
inet 192.168.254.254 255.255.255.0 NONE
# cat hostname.carp0
inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass foo1 advskew 128 carpdev bge1
# cat hostname.carp1
inet 192.168.1.22 255.255.255.0 192.168.1.255 vhid 2 pass foo2 advskew 128 carpdev bge0
# cat hostname.carp2
192.168.1.23 255.255.255.0 192.168.1.255 vhid 3 pass foo3 advskew 128 carpdev bge0
# cat hostname.pfsync0
up syncif fxp0
# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0

PF Rules (identical on both machines)

# cat /etc/pf.conf
ext_if=bge0
int_if=bge1
pfsync_if=fxp0
# All interfaces (real + virtual via carp) thought of as external
ext_ifs={ bge0, carp1, carp2 }
# Our internal network(s). Used for access rules and NAT
internal_nets=10.0.10.0/24
# Define NAT source port range (all source ports will be rewritten to use
# this range)
nat_port_range=20001:65535
# Define virtual carp interface that should be used as NAT source
# (i.e. outbound hide nat will appear to come from this virtual interface)
nat_carp=carp1
# real interfaces that have virtual carp addresses associated with them
carp_interfaces={
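A consistency check over the hostname.if(5) entries quoted in the post above, as an added example that is not part of the original thread: it parses each carp(4) entry on both nodes, compares vhid, pass and carpdev, warns when advskew is equal on both, and flags the 'syncif' keyword that the reply at the top says must be 'syncdev'. The FW1/FW2 dicts are constructed from the files Tim posted; the function names are this example's own.

```python
# Added example, not part of the original thread: a consistency check over the
# hostname.if(5) entries of a CARP pair, run here against the configuration
# quoted in the post above (the dicts below are constructed from that post).
# Function names are this example's own.

VALUE_KEYWORDS = ("vhid", "pass", "advskew", "carpdev", "syncdev", "syncpeer", "syncif")


def parse_hostname_if(text):
    """Parse a one-line hostname.if(5) entry into address fields and keyword options."""
    tokens = text.split()
    cfg = {"af": None, "addr": None, "options": {}, "flags": []}
    rest = tokens
    if tokens and tokens[0] in ("inet", "inet6") and len(tokens) >= 4:
        cfg["af"], cfg["addr"], cfg["mask"], cfg["bcast"] = tokens[:4]
        rest = tokens[4:]
    i = 0
    while i < len(rest):
        if rest[i] in VALUE_KEYWORDS and i + 1 < len(rest):
            cfg["options"][rest[i]] = rest[i + 1]
            i += 2
        else:
            cfg["flags"].append(rest[i])  # bare words such as "up"
            i += 1
    return cfg


def check_carp_pair(ifname, master_text, backup_text):
    """Compare one carp(4) interface across the two nodes and return findings."""
    findings = []
    a, b = parse_hostname_if(master_text), parse_hostname_if(backup_text)
    for node, cfg in (("master", a), ("backup", b)):
        if cfg["af"] is None:
            findings.append("%s on %s: entry does not start with an address family "
                            "(expected 'inet addr mask bcast ...')" % (ifname, node))
    for key in ("vhid", "pass", "carpdev"):
        if a["options"].get(key) != b["options"].get(key):
            findings.append("%s: %s differs between nodes" % (ifname, key))
    if a["addr"] and b["addr"] and a["addr"] != b["addr"]:
        findings.append("%s: shared address differs between nodes" % ifname)
    # advskew defaults to 0; with equal values, which node becomes master
    # depends on boot order rather than on configuration.
    if int(a["options"].get("advskew", 0)) == int(b["options"].get("advskew", 0)):
        findings.append("%s: advskew is equal on both nodes" % ifname)
    return findings


def check_pfsync(text):
    """Flag 'syncif', the keyword the reply above says must be 'syncdev'."""
    cfg = parse_hostname_if(text)
    if "syncif" in cfg["options"]:
        dev = cfg["options"]["syncif"]
        return ["pfsync0: 'syncif %s' should be 'syncdev %s'" % (dev, dev)]
    return []


def lint_pair(master, backup):
    """Run every check over two {interface: hostname.if contents} dicts."""
    findings = []
    for ifname in sorted(master):
        if ifname.startswith("carp") and ifname in backup:
            findings.extend(check_carp_pair(ifname, master[ifname], backup[ifname]))
    for cfgs in (master, backup):
        if "pfsync0" in cfgs:
            findings.extend(check_pfsync(cfgs["pfsync0"]))
    return findings


# Constructed from the hostname.* files quoted in the post above.
FW1 = {
    "carp0": "inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass foo1 carpdev bge1",
    "carp1": "inet 192.168.1.22 255.255.255.0 192.168.1.255 vhid 2 pass foo2 carpdev bge0",
    "carp2": "inet 192.168.1.23 255.255.255.0 192.168.1.255 vhid 3 pass foo3 carpdev bge0",
    "pfsync0": "up syncif fxp0",
}
FW2 = {
    "carp0": "inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass foo1 advskew 128 carpdev bge1",
    "carp1": "inet 192.168.1.22 255.255.255.0 192.168.1.255 vhid 2 pass foo2 advskew 128 carpdev bge0",
    "carp2": "192.168.1.23 255.255.255.0 192.168.1.255 vhid 3 pass foo3 advskew 128 carpdev bge0",
    "pfsync0": "up syncif fxp0",
}

if __name__ == "__main__":
    for line in lint_pair(FW1, FW2):
        print(line)
```

Run against the posted files it reports the 'syncif' keyword on both nodes and the fw2 carp2 entry that lacks the leading 'inet'; the carp pairs themselves agree on vhid, pass and carpdev, and fw2 carries the higher advskew as a backup should.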
Re: Web mail
http://www.roundcube.net/ It is pretty new still, but I replaced SquirrelMail with it because SquirrelMail is terrible. People seemed to like the change. Very simple to configure, and it's pretty. -Kian

On 7/19/06, Bachman Kharazmi [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED]:~/ pkg_info ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz
Information for ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz

Comment:
highly configurable webmail client

Description:
Open WebMail is a webmail system designed to manage very large mail folder files in a memory efficient way. It also provides a range of features to help users migrate smoothly from Microsoft Outlook to Open WebMail.

FEATURES:
1. fast folder access
2. efficient messages movement
3. smaller memory footprint
4. convenient folder and message operation
5. graceful filelock
6. remote SMTP relaying
7. virtual hosting and account alias
8. pam support
9. per user capability configuration
10. full content search
11. strong MIME message capability
12. draft folder support
13. spelling check support
14. POP3 mail support
15. mail filter support
16. message count preview
17. confirm reading support
18. BIG5/GB conversion (for Chinese only)

Maintainer: Kevin Lo [EMAIL PROTECTED]

WWW: http://www.openwebmail.org/

/bkw

On 19/07/06, Eric Johnson [EMAIL PROTECTED] wrote: Which web mail package is easiest to install and use on OpenBSD? Are there any gaping security holes?
Re: ping: sendto: No buffer space available
On 7/14/06, Jason Dixon [EMAIL PROTECTED] wrote: We have an OpenBSD 3.8 firewall that has been in production for the last six months. Until the last week or two, everything has been great. Recently while diagnosing a problem with the bonded T1 pair, I noticed the following error while pinging the gateway: ping: sendto: No buffer space available This always coincided with a very high spike (1000-3000ms) in latency, which would usually go back down to ~0ms and operate normally. The interface in question is an Intel em connected to a Cisco 2950 trunk. The other two interfaces (em1, sk0) are working fine. The LAN interface (em1) pushes *much* more data, as it routes between 13 internal VLANs. I've also had another box perform the same ping test concurrently to confirm this isn't a problem with the gateway. This is the same behavior I would see when trying to ping out our internal em(4) interface when the transmit queue filled up (or it was thought to be full). You can confirm that is the case by checking ifconfig (look for OACTIVE). But, does that interface ever fail completely and require an interface restart, or just spike? Kian
Re: testing max tcp connections
On 7/10/06, Lawrence Horvath [EMAIL PROTECTED] wrote: I'm using an OpenBSD 3.9 server and a FreeBSD 6.1 server on either end of a firewall to test throughput and max open connections of the firewall. I tested throughput with netstrain(d) but I'm unsure how to test the max open connections. Anyone recommend a program or script to test the max number of open tcp connections? Basically I just need to open as many tcp connections as my servers will handle. Thanks -- -Lawrence

Try hping (http://www.hping.org) -Kian
internal em(4) NIC stuck in OACTIVE on 3.9
I have been experiencing an issue lately where the internal NIC of our firewall stops passing traffic until the interface is manually restarted (or machine rebooted). This happens to whichever machine is MASTER of the carp(4) group, but seems to only ever happen to the internal interface though both the external and internal interfaces are sharing a dual port GigE card. It seems to happen every few weeks lately.

When it happened tonight, I noticed the OACTIVE flag being set on the internal interface. Pinging out the internal interface results in "No buffer space available" which, as I understand it, makes sense if OACTIVE is set because that flag indicates that the TX queue is full.

PF is active on both machines, along with pfsync(4) and carp(4). The firewalls pass 28Mb throughout the year. This summer they're only passing about 5Mb yet the problem continues (so far once this summer). At the time, the arp and routing tables looked fine. pf also seemed to be processing traffic on the internal interface.

I came across this while googling. It appears to be the same issue I'm having: http://www.mail-archive.com/pf@benzedrine.cx/msg07554.html

Any suggestions would be much appreciated. Thanks, -Kian

pfctl -sr snip:

scrub in all fragment reassemble
block drop log all
...
pass in on em1 inet from any to (em1)
pass in on em1 inet from any to (carp0)
pass out on em1 inet from (em1) to any
pass out on em1 inet from (carp0) to any
pass in on em2 inet from any to (em2)
pass in on em2 inet from any to (carp1)
pass out on em2 inet from (em2) to any
pass out on em2 inet from (carp1) to any
pass in on em1 from any to <registered>
pass out on em1 from <registered> to any
pass in on em2 from <registered> to any
pass out on em2 from any to <registered>
...

ifconfig snip during problems (em2 is internal; as you can see, OACTIVE is set):

...
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:a9:18:06
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 216.57.208.163 netmask 0xfff0 broadcast 216.57.208.175
        inet6 fe80::204:23ff:fea9:1806%em1 prefixlen 64 scopeid 0x2
em2: flags=8d43<UP,BROADCAST,RUNNING,PROMISC,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:a9:18:07
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 66.165.31.245 netmask 0xfff8 broadcast 66.165.31.247
        inet6 fe80::204:23ff:fea9:1807%em2 prefixlen 64 scopeid 0x3
...

netstat -m during problems:

1385 mbufs in use:
        1379 mbufs allocated to data
        3 mbufs allocated to packet headers
        3 mbufs allocated to socket names and addresses
1379/1590/6144 mbuf clusters in use (current/peak/max)
3564 Kbytes allocated to network (87% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

netstat -m during normal activity:

839 mbufs in use:
        833 mbufs allocated to data
        3 mbufs allocated to packet headers
        3 mbufs allocated to socket names and addresses
832/888/6144 mbuf clusters in use (current/peak/max)
2020 Kbytes allocated to network (92% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

dmesg:

OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 536387584 (523816K)
avail mem = 482426880 (471120K)
using 4278 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 08/10/04, BIOS32 rev. 0 @ 0xf0010
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf4f70/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6300ESB LPC" rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1800
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 3 function 0 "Intel 82875P PCI-CSA" rev 0x02
pci1 at ppb0 bus 1
em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq 11, address 00:02:b3:ea:27:a4
ppb1 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci2 at ppb1 bus 2
em1 at pci2 dev 2 function 0 "Intel PRO/1000MT (82546GB)" rev 0x03: irq 9, address 00:04:23:a9:18:06
em2 at pci2 dev 2 function 1 "Intel PRO/1000MT (82546GB)" rev 0x03: irq 9, address 00:04:23:a9:18:07
uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function
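A monitoring check for the condition described in the post above, as an added example that is not part of the original post: it parses ifconfig output for interfaces that are UP and RUNNING but carry the OACTIVE flag (the transmit queue marked full), and reads the "mbuf clusters in use (current/peak/max)" line from "netstat -m" to report cluster pressure alongside it. The sample output is copied from the post (em2 with OACTIVE set); the function names and the 80% threshold are this example's own.

```python
import re

# Added example, not from the original post: a monitoring check over ifconfig
# and "netstat -m" output that reports interfaces stuck with OACTIVE set and
# mbuf cluster pressure. The samples are copied from the post above (em2 with
# OACTIVE set); in production, feed it the live output of "ifconfig -a" and
# "netstat -m". Function names and the 80% threshold are this example's own.

IFACE_RE = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")
CLUSTER_RE = re.compile(r"(\d+)/(\d+)/(\d+) mbuf clusters in use")


def interface_flags(ifconfig_text):
    """Map each interface name to the set of flags inside its flags=<...> field."""
    flags = {}
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            flags[m.group(1)] = {f for f in m.group(2).split(",") if f}
    return flags


def stuck_interfaces(ifconfig_text):
    """Interfaces marked OACTIVE (TX queue full) while UP and RUNNING, sorted."""
    return sorted(name for name, f in interface_flags(ifconfig_text).items()
                  if {"UP", "RUNNING", "OACTIVE"} <= f)


def mbuf_cluster_usage(netstat_text):
    """Return (current, peak, max) mbuf clusters from "netstat -m" output."""
    m = CLUSTER_RE.search(netstat_text)
    if m is None:
        raise ValueError("no mbuf cluster line found in netstat -m output")
    return tuple(int(x) for x in m.groups())


def report(ifconfig_text, netstat_text, cluster_pct=80):
    """Build alert lines; an empty list means nothing to report."""
    alerts = ["%s: OACTIVE set, transmit queue appears full" % name
              for name in stuck_interfaces(ifconfig_text)]
    cur, _peak, mx = mbuf_cluster_usage(netstat_text)
    pct = cur * 100 // mx
    if pct >= cluster_pct:
        alerts.append("mbuf clusters at %d%% of max (%d/%d)" % (pct, cur, mx))
    return alerts


# ifconfig output quoted in the post above (em2 is the stuck internal interface).
IFCONFIG_PROBLEM = """\
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:a9:18:06
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
em2: flags=8d43<UP,BROADCAST,RUNNING,PROMISC,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:a9:18:07
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
"""

# "netstat -m" output quoted in the post above, captured during the problem.
NETSTAT_PROBLEM = """\
1385 mbufs in use:
        1379 mbufs allocated to data
        3 mbufs allocated to packet headers
        3 mbufs allocated to socket names and addresses
1379/1590/6144 mbuf clusters in use (current/peak/max)
3564 Kbytes allocated to network (87% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

if __name__ == "__main__":
    for line in report(IFCONFIG_PROBLEM, NETSTAT_PROBLEM):
        print(line)
```

On the posted data the check reports em2 only: cluster usage was 1379 of 6144, so the mbuf pool itself was not exhausted, which is consistent with the post's reading that the driver's transmit queue, not kernel memory, was the thing that filled up. Running the check from cron on the CARP master gives an early warning before the interface has to be restarted by hand.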
Re: Router with NAT and DMZ host
# DMZ Host
rdr on $red_if proto tcp from any to any port $dmz_ports -> $dmz_host

This doesn't look right. If you redirect all connections on those ports to the DMZ host, how do you expect your router to receive replies to those unprivileged ($dmz_ports) ports for stuff like web browsing? Kian
Re: Spam Trapping
Maybe you're really looking for something like spamd: http://www.openbsd.org/spamd/ Much more effective than a trap e-mail address in my opinion? Kian

On 6/1/06, Mike Spenard [EMAIL PROTECTED] wrote: What are some thoughts on purposely getting a spam trap email address acquired by spammers and the best way to do so. i.e. Is it best to use only a defunct address for trapping, or will intentionally getting a new trap address spammed only increase one's spam input and be detrimental overall. I would like to hear feedback based on experience and not just theory of course =) If it's not detrimental overall how feasible would it be to construct a service that automated the (counter intuitive) act of getting an email address acquired by as many spammers as possible? Mike Spenard
Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0
Is somebody stopping you from installing via source? Kian

paul dansing wrote: Is there some reason this issue is being ignored? What, you people need to see an exploit before you will even LOOK at it and answer whether it is vuln? Can someone please give a straight answer about these PHP security holes? OpenBSD 3.9 released yesterday had packages supporting: php 4.4.1p0 php 5.0.5p0 are either of these vulnerable? if so, is someone going to release updated packages (not just ports)? the php 5.1.3 release: The security issues resolved include the following:
* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
* Enforce safe_mode for the source parameter of the copy() function.
* Fixed cross-site scripting inside the phpinfo() function.
* Fixed offset/length parameter validation inside the substr_compare() function.
* Fixed a heap corruption inside the session extension.
* Fixed a bug that would allow variable to survive unset().
thanks

Monday, May 1, 2006, 7:18:50 AM, you wrote: Hi. I haven't received a single test report, but I still get letters asking for an update. How's that? This tarball also includes mysqli, fastcgi and hardened php support: http://gi.unideb.hu/~robert/php.tar.gz

On (28/04/06 01:59), Robert Nagy wrote: Hi. Finally after fighting with pear I've managed to create a working update for the php5 port. The PHP guys have changed the installation method of pear to use some crappy PHP_Archive. With this move they broke the installation of pear on several linux distros (e.g. Frugalware), OpenDarwin and on OpenBSD of course. Any other crappy package managements where they install files directly to ${LOCALBASE}

-- Kian Mohageri ResTek, Western Washington University [EMAIL PROTECTED]
Re: Linksys support... hmm
Sorry - never mind. I cracked open my case after I got home to verify, and I'm using a v4. v5 must be really new then, because I bought this just a few weeks ago. Kian

Kian Mohageri wrote: Maybe someone on the mailing list can provide me with an answer to: 1. Can v5 of the card be used with the ral driver? Yes, I used it to create an access point on 3.8-stable.
[EMAIL PROTECTED] ~ $ dmesg|grep ral0
ral0 at pci0 dev 10 function 0 "Ralink RT2560" rev 0x01: irq 11, address 00:16:b6:57:1e:59
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
Hope that helps. -- Kian Mohageri ResTek, Western Washington University [EMAIL PROTECTED]
Re: Linksys support... hmm
Maybe someone on the mailing list can provide me with an answer to: 1. Can v5 of the card be used with the ral driver? Yes, I used it to create an access point on 3.8-stable.
[EMAIL PROTECTED] ~ $ dmesg|grep ral0
ral0 at pci0 dev 10 function 0 "Ralink RT2560" rev 0x01: irq 11, address 00:16:b6:57:1e:59
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
Hope that helps. -- Kian Mohageri Western Washington University