Re: Options for 1U server with watchdog?

2007-09-07 Thread Lawrence Horvath
If power is a suspect, why not get a UPS? It sounds like even a small
one would do, and it would probably work out better than buying a new
server.



On 07/09/2007, K K [EMAIL PROTECTED] wrote:
 I am looking for recommendations for a new rackmount server with a
 watchdog(4) device fully supported under OpenBSD 4.2.

 Currently I have a pair of Sun Fire v100 servers providing recursive
 DNS services;  each of these handles a peak of perhaps 50
 requests/second.  One of the two servers will crash hard about once
 every two months.  When this happens, the server just stops, no
 debugger, no console output.  We've gone so far as to replace the
 entire server with an identical v100 built from scratch with a
 standard OpenBSD/sparc64 install from CD, and yet the problem still
 happens on the same approximate schedule.  I suspect a power glitch.

 Since power quality is out of our control, I've been asked by
 management to make this problem go away, or at least to hide the
 symptoms.  Since I haven't been able to diagnose much less resolve the
 problem, I figure the next best thing is to make sure that when the
 server does freeze, it self-reboots instead of waiting for a human to
 respond and manually power-cycle the machine.

 I see support for the pmc(4) watchdog on UltraSparc-III (my V100s are
 IIe, no watchdog) systems, can I safely assume all new IIIi servers
 from Sun (e.g. V125) include the PMC watchdog?

 Are there less expensive AMD64 rackmount 1U systems with hardware
 watchdogs which I should also consider?


 Thanks,

 Kevin




-- 
-Lawrence
-Student ID 1028219



classify scp and ssh

2007-07-08 Thread Lawrence Horvath

Is there a way using pf to distinguish between ssh shell logins, and
scp file transfers?

--
-Lawrence



Re: nat trouble accessing web

2007-06-27 Thread Lawrence Horvath

I resolved this, at least for now, by setting no-df on my scrub rule. I'm
still investigating the MTU.


On 26/06/07, Daniel Melameth [EMAIL PROTECTED] wrote:

Sounds like a possible MTU issue...  Liberal use of tcpdump should
help in diagnosing the problem.

On 6/25/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
 I'm having some trouble accessing certain sites from my laptop going
 through an obsd router doing NAT.

 I have 2 tested configurations

 Laptop---Cisco1721[doing nat]---internet  msn.com
 and
 Laptop---Cisco1721--(gre0)Openbsd[doing nat]---internet  msn.com

 In the first setup, I have a local network behind a Cisco 1721; the
 Cisco does NAT, and all works well.

 In the second setup, I have an internal network that spans via GRE
 from the Cisco to an OpenBSD router in colo which does the NAT. This
 is not working for me at all: when I try to go to msn.com, my browser
 just sits there. I have tried this from one other computer as well.


 OpenBSD 4.0 GENERIC.MP#936 i386

 # cat /etc/pf.conf.test
 # Macros
 # Tables
 # Options
 # Traffic Normalization(scrub)
 # Queueing
 # Translation(nat-binat-rdr)
 # Packet Filtering

 ext_if=tl0
 tun_if=gre0

 int_ip="{ 10/8 192.168/16 }"
 natpool_ip=208.179.68.11
 local_ip="{ 10/8 192.168/16 208.179.68.8/29 208.179.25/24 }"

 set optimization high-latency
 no nat on $ext_if from $local_ip to $local_ip
 nat on $ext_if from $int_ip to any -> $natpool_ip


 pass in all
 pass out all



 I'm using ospfd to route over the GRE tunnel.

 In either situation I get good name resolution, and I can telnet to
 the msn server on 0 and issue a GET request successfully. I can get
 to almost any other website in either config (google, yahoo, etc.);
 there are only a few I can't get to.

 If any other info is requested, I'm happy to provide it.
 Thank you





--
-Lawrence
-Student ID 1028219
-CCNA
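The symptom pattern in this thread (name resolution and a hand-typed GET work, full page loads hang, and clearing DF on the scrub rule makes it go away) is what a path-MTU black hole across a GRE tunnel looks like. The Python model below is an added illustration, not code from the thread or from pf itself: it assumes a 1500-byte Ethernet path, plain IPv4-in-GRE encapsulation (20-byte outer IP header plus a 4-byte GRE header, so a 1476-byte inner MTU), and a remote site that drops the ICMP "fragmentation needed" messages that path-MTU discovery relies on. The three policies it compares are no scrub, `scrub ... no-df`, and `scrub ... max-mss 1436`; all names and figures are mine.

```python
"""Path-MTU black hole across a GRE tunnel, and the two pf scrub knobs that
work around it.  Added illustration, not code from the thread or from pf.

Assumptions (mine, not from the thread): 1500-byte Ethernet path, plain
IPv4-in-GRE encapsulation (20-byte outer IPv4 header + 4-byte GRE header),
and a remote site that filters the ICMP 'fragmentation needed' messages.
"""
from dataclasses import dataclass, replace

ETHERNET_MTU = 1500
GRE_OVERHEAD = 20 + 4        # outer IPv4 header + minimal GRE header
IP_TCP_HEADERS = 20 + 20     # IPv4 + TCP headers, no options


def tunnel_mtu(outer_mtu=ETHERNET_MTU, overhead=GRE_OVERHEAD):
    """Largest inner packet that fits the tunnel without fragmentation."""
    return outer_mtu - overhead


def max_mss_for(path_mtu):
    """TCP MSS that keeps every full-size segment within path_mtu."""
    return path_mtu - IP_TCP_HEADERS


@dataclass(frozen=True)
class Packet:
    size: int    # total IP length in bytes
    df: bool     # Don't Fragment bit


def forward(pkt, path_mtu, icmp_reaches_sender):
    """Fate of one packet at the tunnel ingress."""
    if pkt.size <= path_mtu:
        return "delivered"
    if not pkt.df:
        return "fragmented"          # router splits it, receiver reassembles
    if icmp_reaches_sender:
        return "icmp-frag-needed"    # sender learns the MTU and resends smaller
    return "blackholed"              # DF set and ICMP filtered: silent loss


def scrub_no_df(pkt):
    """pf 'scrub no-df': clear the DF bit before forwarding."""
    return replace(pkt, df=False)


def scrub_max_mss(payload, path_mtu):
    """pf 'scrub max-mss N' rewrites the MSS option in the SYN, so the peer
    never builds a segment larger than N plus headers; modelled here as a
    payload cap on the segment the peer would send."""
    capped = min(payload, max_mss_for(path_mtu))
    return Packet(size=capped + IP_TCP_HEADERS, df=True)


def simulate(policy, icmp_reaches_sender=False):
    """Send one full-size TCP data segment (1460-byte payload, DF set) through
    the tunnel under a scrub policy and report what happens to it."""
    path_mtu = tunnel_mtu()
    segment = Packet(size=1460 + IP_TCP_HEADERS, df=True)   # 1500 bytes
    if policy == "none":
        pkt = segment
    elif policy == "no-df":
        pkt = scrub_no_df(segment)
    elif policy == "max-mss":
        pkt = scrub_max_mss(1460, path_mtu)
    else:
        raise ValueError("unknown policy: %r" % policy)
    return forward(pkt, path_mtu, icmp_reaches_sender)


if __name__ == "__main__":
    print("tunnel MTU %d, max-mss %d" % (tunnel_mtu(), max_mss_for(tunnel_mtu())))
    for policy in ("none", "no-df", "max-mss"):
        print("%-8s -> %s" % (policy, simulate(policy)))
```

no-df trades the black hole for fragmentation on the tunnel, applies to every protocol, and the fragments can themselves be dropped by the next filter; max-mss avoids fragmentation entirely but only helps TCP. In pf.conf on 4.0 the two look like `scrub in all no-df` and `scrub on gre0 all max-mss 1436`, and they can be combined.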



nat trouble accessing web

2007-06-25 Thread Lawrence Horvath

I'm having some trouble accessing certain sites from my laptop going
through an obsd router doing NAT.

I have 2 tested configurations

Laptop---Cisco1721[doing nat]---internet  msn.com
and
Laptop---Cisco1721--(gre0)Openbsd[doing nat]---internet  msn.com

In the first setup, I have a local network behind a Cisco 1721; the
Cisco does NAT, and all works well.

In the second setup, I have an internal network that spans via GRE
from the Cisco to an OpenBSD router in colo which does the NAT. This
is not working for me at all: when I try to go to msn.com, my browser
just sits there. I have tried this from one other computer as well.


OpenBSD 4.0 GENERIC.MP#936 i386

# cat /etc/pf.conf.test
# Macros
# Tables
# Options
# Traffic Normalization(scrub)
# Queueing
# Translation(nat-binat-rdr)
# Packet Filtering

ext_if=tl0
tun_if=gre0

int_ip="{ 10/8 192.168/16 }"
natpool_ip=208.179.68.11
local_ip="{ 10/8 192.168/16 208.179.68.8/29 208.179.25/24 }"

set optimization high-latency
no nat on $ext_if from $local_ip to $local_ip
nat on $ext_if from $int_ip to any -> $natpool_ip


pass in all
pass out all





I'm using ospfd to route over the GRE tunnel.

In either situation I get good name resolution, and I can telnet to
the msn server on 0 and issue a GET request successfully. I can get
to almost any other website in either config (google, yahoo, etc.);
there are only a few I can't get to.

If any other info is requested, I'm happy to provide it.
Thank you,
Lawrence



T1 pci card

2007-06-10 Thread Lawrence Horvath

I am looking for a data T1 card to put in an OBSD firewall/router, and
for suggestions on a quality card for under 1000 that OBSD supports
reasonably well.

Digium offers the Wildcard TE120P for about 600, but I was unsure of support.

Where could I find out if such a card is supported without asking the list?

thanks
--
-Lawrence



Re: T1 pci card

2007-06-10 Thread Lawrence Horvath

Looks like I'm going Sangoma; I've already emailed sales@.

Thanks for the input; glad to know someone has one up and working.

On 10/06/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

On Jun 10, 2007, at 4:15 PM, Lawrence Horvath wrote:

 I am looking for a data T1 card to put in an OBSD firewall/router, and
 for suggestions on a quality card for under 1000 that OBSD supports
 reasonably well.

The Sangoma A101 (1 port) and A102 (2 port) T1 cards work fine and
support is already included in OpenBSD. No additional drivers are
needed.

http://www.sangoma.com/datasheets/p_a101-specs
http://www.sangoma.com/datasheets/p_a102-specs

I am currently using a Sangoma A101 in a Soekris net4801 at a remote
location. It runs perfectly. I have not actually used the A102 on
OpenBSD but it should work without issue. It is on my list to test.

http://www.soekris.com/bundles.htm

 Digium offers the Wildcard TE120P for about 600, but I was unsure of
 support.

This is not supported at all. I would steer clear of Digium if you
want OpenBSD support. They are not at all interested in supporting
anything but Linux and their quality is not as good as Sangoma. In
contrast, Sangoma has made great efforts to support all three BSDs
and they even support TDM (for Asterisk) on FreeBSD. Having used
about five cards from each company, I can say that Sangoma is much,
much better all the way around. This especially includes support. You
can get right through to the main BSD engineer at Sangoma while you
have to go through a bunch of people at Digium that know very little
even on a Linux issue.

Bryan




--
-Lawrence
-Student ID 1028219
-CCNA



Re: type 2 or 3 pcmcia wireless card

2007-06-04 Thread Lawrence Horvath

It does not have any built-in USB ports, so unless I can find a Type II
or III USB card, I've got no USB.

On 04/06/07, Reyk Floeter [EMAIL PROTECTED] wrote:

On Sun, Jun 03, 2007 at 09:46:44PM -0700, Lawrence Horvath wrote:
 I am working with a ThinkPad 365X that I am installing obsd on and
 would like wireless access on. It supports 2 Type II or 1 Type III
 PCMCIA cards. I wanted a ral card; however, those only appear to
 come at the lowest as a CB, which I don't believe my ThinkPad will
 support.

 Any suggestions on a card i could use in this laptop?


wi(4) Prism2 or Orinoco. Does it support USB 1 for ural(4) etc.?

reyk




--
-Lawrence
-Student ID 1028219
-CCNA



Re: type 2 or 3 pcmcia wireless card

2007-06-04 Thread Lawrence Horvath

I purchased the Orinoco; we'll see how that goes. Thanks for the comment.

On 04/06/07, Lawrence Horvath [EMAIL PROTECTED] wrote:

 It does not have any built-in USB ports, so unless I can find a Type II
 or III USB card, I've got no USB.

On 04/06/07, Reyk Floeter [EMAIL PROTECTED] wrote:
 On Sun, Jun 03, 2007 at 09:46:44PM -0700, Lawrence Horvath wrote:
  I am working with a ThinkPad 365X that I am installing obsd on and
  would like wireless access on. It supports 2 Type II or 1 Type III
  PCMCIA cards. I wanted a ral card; however, those only appear to
  come at the lowest as a CB, which I don't believe my ThinkPad will
  support.
 
  Any suggestions on a card i could use in this laptop?
 

 wi(4) Prism2 or Orinoco. Does it support USB 1 for ural(4) etc.?

 reyk



--
-Lawrence
-Student ID 1028219
-CCNA




--
-Lawrence
-Student ID 1028219
-CCNA



Reclaim mounted space

2007-06-03 Thread Lawrence Horvath

I have just changed from one hard drive to having a root and a home hard drive.
It's now working, but I had several gigs in the old home that I would
like to clear off. How can I clear the old home dir without
unmounting the new home?



--
-Lawrence



Re: Reclaim mounted space

2007-06-03 Thread Lawrence Horvath

Well, my old setup was to have just one hard drive, so my old home is
part of the root drive, and since my root drive is in use as root, how
would I mount just that part of it?

On 03/06/07, Darrin Chandler [EMAIL PROTECTED] wrote:

On Sun, Jun 03, 2007 at 09:10:34AM -0700, Lawrence Horvath wrote:
 I have just changed from one hard drive to having a root and a home
 hard drive.
 It's now working, but I had several gigs in the old home that I would
 like to clear off. How can I clear the old home dir without
 unmounting the new home?

# mount /dev/old /mnt

where old is whatever your old home directory was. Perhaps wd0h. Then
it'll be available under /mnt/*

--
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation




--
-Lawrence
-Student ID 1028219
-CCNA



Re: Reclaim mounted space

2007-06-03 Thread Lawrence Horvath

Unmounted the new home, rm'd the old home, and remounted the new home;
all is working well.

I was just hoping there was some kind of cleanup I could use to clear
unused space on an HD without having to unmount anything.

On 03/06/07, Darren Spruell [EMAIL PROTECTED] wrote:

On 6/3/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
 Well, my old setup was to have just one hard drive, so my old home is
 part of the root drive, and since my root drive is in use as root, how
 would I mount just that part of it?

When you added your new drive and mounted it as /home, did you do
anything to the old disk (repartition, reformat)? If not, then you've
probably got your new disk and its data mounted at /home. If you
unmount /home, you should be able to uncover your old /home on the
old drive and clean it up. Then remount the new drive on its /home
mountpoint.

DS

 On 03/06/07, Darrin Chandler [EMAIL PROTECTED] wrote:
  On Sun, Jun 03, 2007 at 09:10:34AM -0700, Lawrence Horvath wrote:
   I have just changed from one hard drive to having a root and a home
   hard drive.
   It's now working, but I had several gigs in the old home that I would
   like to clear off. How can I clear the old home dir without
   unmounting the new home?
 
  # mount /dev/old /mnt
 
  where old is whatever your old home directory was. Perhaps wd0h. Then
  it'll be available under /mnt/*
 
  --
  Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
  [EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
  http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
 


 --
 -Lawrence
 -Student ID 1028219
 -CCNA




--
Darren Spruell
[EMAIL PROTECTED]





--
-Lawrence
-Student ID 1028219
-CCNA



type 2 or 3 pcmcia wireless card

2007-06-03 Thread Lawrence Horvath

I am working with a ThinkPad 365X that I am installing obsd on and
would like wireless access on. It supports 2 Type II or 1 Type III
PCMCIA cards. I wanted a ral card; however, those only appear to come at the
lowest as a CB, which I don't believe my ThinkPad will support.

Any suggestions on a card i could use in this laptop?

thanks

--
-Lawrence



ftpd passive port range

2007-05-24 Thread Lawrence Horvath

I am trying to confine my ftp to a smaller port range by editing
net.inet.ip.porthifirst=49152
net.inet.ip.porthilast=65535

Is there anything else that uses these variables other than ftpd?
And would it be possible to force ftpd into using port 20 as its passive port?

This is on 4.0 GENERIC.

-- thanks
-Lawrence



Re: ftpd passive port range

2007-05-24 Thread Lawrence Horvath

Well, I figure if active FTP can work many connections off one data
port, why can't passive FTP?

I see no problem with it; after all, all the control connections
terminate on one port, so why can't the data?



On 24/05/07, Darren Spruell [EMAIL PROTECTED] wrote:

On 5/24/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
 I am trying to confine my ftp to a smaller port range by editing
 net.inet.ip.porthifirst=49152
 net.inet.ip.porthilast=65535

 Is there anything else that uses these variables other than ftpd?
 And would it be possible to force ftpd into using port 20 as its passive port?

Huh?

You want your control channels to be on port 21, and then you want
every data channel to terminate inbound on port 20? Why?

DS




--
-Lawrence
-Student ID 1028219
-CCNA
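A check that goes with confining ftpd to a passive-port window like the 49152-65535 range above, written as an added example (not OpenBSD or ftpd code): it parses the server's 227 replies and reports any data endpoint that a firewall policy built on that window would not pass. The replies are constructed samples in the RFC 959 format and the server address 192.168.25.201 is mine. The sysctls themselves are documented in ip(4) as the range selected by the IP_PORTRANGE_HIGH socket option, which any program can request, so the window is not private to ftpd.

```python
"""Sanity check for an FTP server that is supposed to hand out passive data
ports only inside a firewall-friendly window (here 49152-65535, the
net.inet.ip.porthifirst/porthilast values from the thread).

Added illustration, not ftpd code.  The replies below are constructed
samples in the RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
format; on a live box you would feed it the 227 lines from a client run
with debugging on.
"""
import re
from typing import List, Tuple

PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply; ValueError if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("field out of range in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def audit_pasv(replies: List[str], control_peer: str,
               lo: int = 49152, hi: int = 65535) -> List[Tuple[str, str, int]]:
    """Flag replies a firewall policy should not accept: the data host must be
    the machine the control connection talks to (a different host is the
    FTP bounce pattern) and the port must sit inside [lo, hi]."""
    problems = []
    for reply in replies:
        host, port = parse_pasv(reply)
        if host != control_peer:
            problems.append(("host-mismatch", host, port))
        elif not lo <= port <= hi:
            problems.append(("port-out-of-range", host, port))
    return problems


# Constructed sample session against a server at 192.168.25.201.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,25,201,200,0)",     # 51200: fine
    "227 Entering Passive Mode (192,168,25,201,4,1)",       # 1025: outside the window
    "227 Entering Passive Mode (10,0,0,5,200,1)",           # points at another host
    "227 Entering Passive Mode (192,168,25,201,255,255)",   # 65535: still inside
]

if __name__ == "__main__":
    for problem in audit_pasv(SAMPLE_REPLIES, "192.168.25.201"):
        print(*problem)
```

A host mismatch matters more than an out-of-range port: a PASV reply that points at a third machine is the FTP bounce pattern, and a client or proxy should refuse to connect to it rather than pass it through.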



authpf wrong shell warning

2007-05-14 Thread Lawrence Horvath

I am trying to set up authpf. I created all the files; however, I would
like to be able to log in and then start authpf instead of having a
separate user for authpf. Whenever I try to start authpf after logging
in with ssh I get the below error:

May 14 22:03:31 freemon authpf: wrong shell for user lawrence.horvath, uid 1002

How do I get it to be the right shell?

--
-Lawrence



Re: couple of questions

2007-05-06 Thread Lawrence Horvath

Yes, I do believe that you can create a bridge and include the
wireless device in the bridge, and this should work as you need it to.

If anyone knows differently, please let me know.

On 06/05/07, Paolo Supino [EMAIL PROTECTED] wrote:

Hi Maxime

   I know that OpenBSD supports IPSEC very well (have been using it for
several years), but that wasn't the question: Is it possible to __tunnel
Ethernet__ over IPSEC in OpenBSD?




TIA
Paolo


Maxime DERCHE wrote:

 Hello.

 The answer to your first question is the Ralink chipsets family (see,
 for example, the recent thread initiated by Vincent GROSS on this list).
 For the second question the answer is yes. There is very good support
 for IPSEC in OpenBSD :p.


 Regards,
 Maxime DERCHE



 Paolo Supino wrote:

Hi

  I have a couple of questions:
1. I'm in the process of setting up an OpenBSD firewall for a building's
network. One of the NICs on the firewall will be a wifi PCI card. I
need to buy the card for it and I want to buy a card from a company
that helped OpenBSD. Which wifi (PCI) vendor gave the best support for
developing drivers for OpenBSD?
2. I have another project where I'm expanding a network to an adjacent
building and I can't run cables between the buildings, so I will be
setting up a wifi connection between the 2 buildings. I intend to use
OpenBSD on both ends of the wifi link. The network in the new building
will only have 3 computers and has to be on the same Ethernet segment
as the original network. Is it possible to tunnel Ethernet frames over
an IPSEC tunnel in OpenBSD?



TIA
Paolo





--
-Lawrence
-Student ID 1028219
-CCNA



pps limit with pf

2007-03-24 Thread Lawrence Horvath

Is there a way to limit pps with PF?



--
-Lawrence
-Student ID 1028219
-CCNA



Re: pps limit with pf

2007-03-24 Thread Lawrence Horvath

No, I've got the data rate controlled. This is the firewall I use to
control traffic in my cage. My provider has a pps cap, and I want my
firewall to catch pps spikes before the provider's cap does, because
the provider's cap trips a port shutdown. I'd rather drop a few packets
for a few seconds on a pps spike than have my port shut down for
some amount of time until I find out about it and call my provider (yes, I
understand how stupid such a mechanism is).

I was thinking about using the qlimit, as I think this is the best way
I can do it, but that's kind of guess-and-check, I think (I need a cap at
roughly 4000 pps, which I would have trouble generating in a test
environment).

Anyone have a good resource I could look into tbrsize with?

On 24/03/07, Chris Kuethe [EMAIL PROTECTED] wrote:

Not that I see directly.

You may be able to achieve the desired effect by adjusting the
tbrsize, qlimit and bandwidth knobs.

You're sure you need to control packet rate, not data rate?

CK

On 3/24/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
 Is there a way to limit pps with PF?



 --
 -Lawrence
 -Student ID 1028219
 -CCNA




--
GDB has a 'break' feature; why doesn't it have 'fix' too?




--
-Lawrence
-Student ID 1028219
-CCNA
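The knob Chris points at, tbrsize, sizes ALTQ's token-bucket regulator, and the regulator is what turns a rate figure into a drop decision during a burst. The model below is an added illustration (not pf or ALTQ code) at the packet level: one token per packet, a 4000 pps refill rate as in the thread, and a bucket depth of 100 packets, all figures mine. Arrival times are constructed integer microseconds and the arithmetic is exact, so the counts are reproducible.

```python
"""Token-bucket regulator modelled at the packet level, the mechanism behind
ALTQ's 'tbrsize' knob.  Added illustration, not pf or ALTQ code: it shows how
a bucket of depth B absorbs roughly B packets over the configured rate and
then drops whatever arrives faster than tokens are refilled.

Assumptions: arrival timestamps are integer microseconds, one token per
packet (ALTQ's regulator is in bytes, so a packet-rate target has to be
converted with the average packet size), and 4000 pps is the cap from the
thread.
"""
from fractions import Fraction
from typing import List, Tuple


class TokenBucket:
    def __init__(self, rate_pps: int, depth: int):
        self.rate = rate_pps            # tokens refilled per second
        self.depth = depth              # bucket size in packets
        self.tokens = Fraction(depth)   # exact arithmetic, no float drift
        self.last_us = 0

    def admit(self, now_us: int) -> bool:
        """Refill for the elapsed time, then spend one token if one is there."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        refill = Fraction(elapsed * self.rate, 1_000_000)
        self.tokens = min(Fraction(self.depth), self.tokens + refill)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def regulate(arrivals_us: List[int], rate_pps: int, depth: int) -> Tuple[int, int]:
    """Return (accepted, dropped) for a sorted list of arrival times."""
    bucket = TokenBucket(rate_pps, depth)
    accepted = sum(1 for t in arrivals_us if bucket.admit(t))
    return accepted, len(arrivals_us) - accepted


def constant_rate(pps: int, seconds: int, start_us: int = 0) -> List[int]:
    """Constructed traffic: evenly spaced packets at `pps` for `seconds`.
    pps must divide 1,000,000 so the spacing is a whole microsecond."""
    assert 1_000_000 % pps == 0, "pick a rate with whole-microsecond spacing"
    gap = 1_000_000 // pps
    return [start_us + i * gap for i in range(pps * seconds)]


if __name__ == "__main__":
    for offered in (2000, 4000, 8000):
        accepted, dropped = regulate(constant_rate(offered, 1), 4000, 100)
        print("%5d pps offered -> accepted %d, dropped %d" % (offered, accepted, dropped))
```

The 8000 pps run shows that the depth is also the overshoot: about 100 packets beyond the cap get through before drops begin, after which every second packet is dropped. ALTQ's regulator counts bytes rather than packets, so a pps target has to be converted with the average packet size, and the depth given to tbrsize sets how much of a spike is forgiven before the provider's counter would see it.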



passing to inside interface

2007-03-20 Thread Lawrence Horvath

This is on OpenBSD 4.0 GENERIC.

I have the below rule set in my pf.conf. I am having the following
problem: I need to be able to log into the firewall with ssh from
outside, and nothing should be able to hit the firewall from inside,
not even ping.

From outside I can hit the shadow server: ssh, ping, etc.
From outside I cannot hit the firewall with anything: ssh, ping, etc.
From inside I can hit the firewall with pings.
From inside I cannot hit the firewall with ssh.



xl0 and xl1 are in a bridge together
xl0 faces the rest of the network
xl1 is set up as a transparent firewall for the 192.168.25.0/24 network

xl0 has no ip address
xl1 has an ip of 192.168.25.253/24

switch1 ip 192.168.25.1
switch2 ip 192.168.25.253

switch1 - firewall1 - switch2 -



ext_if=xl0
int_if=xl1

set block-policy drop
set skip on lo0
#set loginterface xl0


block return in on $ext_if from any to any
block drop in on $int_if from any to any
#allow management
#firewall   
pass in on $ext_if from any to 192.168.25.253
#switch
pass in on $ext_if from any to 192.168.25.252
pass in on $int_if from 192.168.25.252 to any
#allow shadow
pass in on $ext_if from any to 192.168.25.201
pass in on $int_if from 192.168.25.201 to any



--
-Lawrence



Re: passing to inside interface

2007-03-20 Thread Lawrence Horvath

On 20/03/07, Stuart Henderson [EMAIL PROTECTED] wrote:

On 2007/03/20 04:41, Lawrence Horvath wrote:
 I have the below rule set in my pf.conf, i am having the following
 problem, i need to be able to log into the firewall with ssh from
 outside, and nothing should be able to hit the firewall from inside,
 not even ping

You don't pass out anything, either directly or via keep state.
Also see the Notes section of bridge(4).



Then why can I get to the servers on the inside of the FW? They don't
have pass out or keep state either.

--
-Lawrence
-Student ID 1028219
-CCNA



Re: passing to inside interface

2007-03-20 Thread Lawrence Horvath

Is there a way to tag the packets going to pflog? I can see the
packets being blocked with tcpdump on /var/log/pflog, but I would like
to know what rule is blocking them.

I changed my rules a little bit; here is the output of pfctl -s rules.
I was hoping that explicitly defining some of these would help, but
same result.

block return in log on xl0 all
block drop in log on xl1 all
pass in on xl0 inet from any to 192.168.25.253 keep state
pass in on xl1 inet from 192.168.25.253 to any keep state
pass out on xl0 all
pass out on xl1 all
pass in on xl0 inet from any to 192.168.25.33
pass in on xl1 inet from 192.168.25.33 to any
pass in on xl0 inet from any to 192.168.25.69
pass in on xl1 inet from 192.168.25.69 to any
pass in on xl0 inet from any to 192.168.25.84
pass in on xl1 inet from 192.168.25.64 to any
pass in on xl0 inet from any to 192.168.25.100
pass in on xl1 inet from 192.168.25.100 to any
pass in on xl0 inet from any to 192.168.25.201
pass in on xl1 inet from 192.168.25.201 to any
pass in on xl0 inet from any to 192.168.25.252
pass in on xl1 inet from 192.168.25.252 to any

On 20/03/07, Stuart Henderson [EMAIL PROTECTED] wrote:

On 2007/03/20 06:18, Lawrence Horvath wrote:
 On 20/03/07, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2007/03/20 04:41, Lawrence Horvath wrote:
  I have the below rule set in my pf.conf, i am having the following
  problem, i need to be able to log into the firewall with ssh from
  outside, and nothing should be able to hit the firewall from inside,
  not even ping
 
 You don't pass out anything, either directly or via keep state.
 Also see the Notes section of bridge(4).

Ahh, I missed that you have a default pass out since your default
blocks are only for inbound.

tcpdump on various interfaces (including pflog0 with the relevant log
keywords added to pf.conf) will help you see how it works. Some things
depend on which interface has the IP address.

The advice in bridge(4) about passing/skipping traffic on one of the
interfaces makes things easier to follow.





--
-Lawrence
-Student ID 1028219
-CCNA



Re: passing to inside interface

2007-03-20 Thread Lawrence Horvath

On 20/03/07, Stuart Henderson [EMAIL PROTECTED] wrote:

On 2007/03/20 09:24, Lawrence Horvath wrote:
 Is there a way to tag the packets going to pflog? I can see the
 packets being blocked with tcpdump on /var/log/pflog, but I would like
 to know what rule is blocking them.

If you use '-e' with tcpdump, it dumps the link-layer headers;
on a pflog(4) interface this includes the rule number.




Switched to the below rules. It seems that it was ignoring the
exterior interface, perhaps because it has no IP on it or perhaps
because it's in a bridge; not sure.

In fact it seems to ignore all rules on the exterior interface
completely. Could anyone shed some light on why that is, and how I can
get it to pass through both interfaces' rules?

Is it possible to put the IP on the bridge interface instead of one of
the ether interfaces, in order to make the firewall IP independent of
any one interface?

# pfctl -s rules
block return in log on xl0 all
block drop in log on xl1 all
pass in on xl1 inet from any to 192.168.25.253 keep state
pass out on xl0 all
pass out on xl1 all
pass in on xl0 inet from any to 192.168.25.33
pass in on xl1 inet from 192.168.25.33 to any
pass in on xl0 inet from any to 192.168.25.69
pass in on xl1 inet from 192.168.25.69 to any
pass in on xl0 inet from any to 192.168.25.84
pass in on xl1 inet from 192.168.25.64 to any
pass in on xl0 inet from any to 192.168.25.100
pass in on xl1 inet from 192.168.25.100 to any
pass in on xl0 inet from any to 192.168.25.201
pass in on xl1 inet from 192.168.25.201 to any
pass in on xl0 inet from any to 192.168.25.252
pass in on xl1 inet from 192.168.25.252 to any

--
-Lawrence
-Student ID 1028219
-CCNA
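Stuart's tip above, tcpdump -e on pflog, puts the rule number in front of every logged packet, and `pfctl -vvs rules` prints the same numbers as `@N` in front of each rule. The parser below is an added example (not pf or tcpdump code) for turning a saved pflog into a per-rule tally. The sample lines are constructed in the format OpenBSD's tcpdump prints for pflog(4) with -e, with rule numbers that follow the ruleset Lawrence posted (@0 is the block on xl0, @1 the block on xl1); the addresses in them are mine.

```python
"""Per-rule tally of pflog entries from 'tcpdump -n -e -ttt' text output.
Added illustration, not pf or tcpdump code.  The sample lines are
constructed in the format OpenBSD's tcpdump prints for pflog(4) with -e;
rule numbers follow the posted ruleset (@0 block on xl0, @1 block on xl1).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} [\d:.]+) "
    r"rule (?P<rule>\d+)/\S*?\((?P<reason>[^)]+)\):? "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+): ?(?P<rest>.*)$"
)


def split_hostport(token: str) -> Tuple[str, Optional[int]]:
    """tcpdump writes IPv4 endpoints as a.b.c.d.port; a bare address has no port."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_pflog_line(line: str) -> Optional[dict]:
    """One pflog entry as a dict, or None for a line that is not one."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src_host"], rec["src_port"] = split_hostport(rec["src"])
    rec["dst_host"], rec["dst_port"] = split_hostport(rec["dst"])
    return rec


def summarize(lines: List[str]) -> Dict[Tuple[int, str, str], int]:
    """Count entries per (rule number, action, interface)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            counts[(rec["rule"], rec["action"], rec["ifname"])] += 1
    return dict(counts)


def blocked_flows(lines: List[str]) -> Dict[Tuple[int, str, str, Optional[int]], int]:
    """Group blocked packets by (rule, source host, destination host, dst port)."""
    flows: Dict[Tuple[int, str, str, Optional[int]], int] = defaultdict(int)
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            flows[(rec["rule"], rec["src_host"], rec["dst_host"], rec["dst_port"])] += 1
    return dict(flows)


# Constructed sample, in the shape of 'tcpdump -n -e -ttt -r /var/log/pflog'.
SAMPLE_PFLOG = [
    "Mar 20 09:24:11.103201 rule 1/(match) block in on xl1: 192.168.25.10 > 192.168.25.253: icmp: echo request",
    "Mar 20 09:24:12.104007 rule 1/(match) block in on xl1: 192.168.25.10 > 192.168.25.253: icmp: echo request",
    "Mar 20 09:24:30.517702 rule 0/(match) block in on xl0: 10.20.30.40.51822 > 192.168.25.253.22: S 1983047145:1983047145(0) win 65535",
    "Mar 20 09:24:31.221119 rule 1/(match) block in on xl1: 192.168.25.33.44112 > 192.168.25.253.22: S 7731:7731(0) win 5840",
    "Mar 20 09:24:31.221119 not a pflog line",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_PFLOG).items()):
        print("rule @%d %s on %s: %d" % (key[0], key[1], key[2], n))
    for key, n in sorted(blocked_flows(SAMPLE_PFLOG).items(), key=str):
        print("  @%d %s -> %s port %s: %d" % (key + (n,)))
```

Only rules carrying the `log` keyword write to pflog, so a packet that disappears without showing up here was dropped by an unlogged rule or never reached pf. Feed the functions the text from `tcpdump -n -e -ttt -r /var/log/pflog`, or read pflog0 live with the same options.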



Re: monitoring traffic/bandwidth on a bridge

2007-02-26 Thread Lawrence Horvath

Check out bandwidthd. I don't think it's in ports or pkgs; however, it
does an excellent job and gives per-IP graphs and total bandwidth used.

Never tried it on a bridge, though.

On 22/02/07, Ross Davis [EMAIL PROTECTED] wrote:

I am running OpenBSD 4.0 and have a bridge set up between two
interfaces: fxp0 and xl0. I would like a program that gives a fairly
basic report on the traffic flowing through this bridge. I am primarily
interested in knowing which IPs on the xl0 side of the bridge are
pulling the most bandwidth.

I am currently experimenting with bwm-ng and ntop, but was wondering if
anyone had a super magic awesome tool that they could recommend.

Thanks,
Ross





--
-Lawrence
-Student ID 1028219
-CCNA



Re: is there [EMAIL PROTECTED] archive?

2007-02-18 Thread Lawrence Horvath

I agree with scorch. How do we find out what hardware is working best
and is most used with OpenBSD?

Even if you can't release the dmesg reports, what about a statistics
page, something along the lines of "x number of x mobos are used with
OpenBSD", and other hardware as well?

Would that be possible?


On 18/02/07, Theo de Raadt [EMAIL PROTECTED] wrote:

  The dmesgs submitted to [EMAIL PROTECTED] are not publicly accessible.
  At some point in time this was discussed, but we can't do that, since
  we never told people that they would be published. So they remain
  accessible to developers only. They are consulted very often, so keep
  them coming in!
 
 On this topic - should we resubmit dmesgs periodically as the machines
 are updated to newer versions?

DEFINITELY!

There are developers in the group who read the dmesg output very closely,
looking for issues that you, as a user, would not even notice ;)





--
-Lawrence
-Student ID 1028219
-CCNA



Re: altq+HFSC

2007-02-11 Thread Lawrence Horvath

As far as I know there is no specific altq list; just use the main misc list.
Please make sure to post to the list and not to people privately.

thank you

On 2/11/07, Ralf Braga [EMAIL PROTECTED] wrote:

Hi Lawrence and Atren,

 I'm having some difficulty configuring altq+pf+hfsc.

 I need to balance outbound and inbound traffic.

 See my script:

 #Default configuration
 ##
 set limit { states 4, frags 2, src-nodes 35000 }
 set block-policy return
 set loginterface fxp0

 set timeout { interval 10, frag 30 }
 set timeout { tcp.first 60, tcp.opening 30, tcp.established 3600 }
 set timeout { udp.first 20, udp.single 10, udp.multiple 15 }
 set timeout { icmp.first 11, icmp.error 6 }
 set timeout { other.first 40, other.single 20, other.multiple 30 }

 scrub in all fragment reassemble no-df
 scrub out all random-id

 ##
 #IP table
 ##
 table <invalidos> { 10.0.0.0/8 , 192.168.0.0/16 , 172.16.0.0/12 }

 table <fw_ip> {  10.0.254.254/32, 200.166.104.200/32 }

 # Clients - Goal: limit outbound to 200Kbps and balance download and upload bandwidth
 table <sindimaq_cci>  { 10.1.201.0/21 }
 table <condordia_cci>  { 10.200.0.0/21 }

 portas_lixo="69 135 137 139 445  7778 8594 8563 3 11173"
 portas_servico="20 21 22 23 25 69 80 81 110 113 123 143 135 137 139 161 162 443 445 514 587 873 901 993 995 1023 1025 1026 1080 1234 1433 1434 2745 3128 3306 3410 5554 6129 6588 8080 8866 9898 9996 12345 17300 27374"

 ##
 #Rules of QoS for Upload
 ##
 altq on { rl0 } hfsc bandwidth 6Mb  qlimit 75 queue { deflt_up, champtower_up }
 queue   deflt_up bandwidth 3Mb qlimit 75 priority 3 hfsc(linkshare 3Mb default realtime 4Mb upperlimit 6Mb red)
 queue   champtower_up bandwidth 3096Kb qlimit 75 priority 5 hfsc(realtime 3096Kb upperlimit 3096Kb red) { sindimaq_cci_u,condordia_cci_u }
 queue sindimaq_cci_u bandwidth 64Kb qlimit 75 priority 5 hfsc(linkshare 64Kb realtime 64Kb upperlimit 200Kb red)
 queue condordia_cci_u bandwidth 64Kb qlimit 75 priority 5 hfsc(realtime 64Kb upperlimit 200Kb red)


 ##
 #Default rules
 ##
 pass in on { fxp0 rl0 }  keep state
 pass out  keep state
 pass quick on lo all
 pass quick  proto icmp
 antispoof quick for lo

 ##

 If you can help me, thanks.

 What is the address of the altq list?
--
Ralf Braga



--
-Lawrence
-Student ID 1028219
-CCNA



rsa remote auth

2007-02-07 Thread Lawrence Horvath

I am trying to get my openbsd 4.0 box to allow remote ssh logins using
an RSA key.

I added the key into my ~/.ssh/authorized_keys file, and set
permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600.

I added the box's own RSA key, for testing; however, I can't seem to get
an ssh session to authenticate without the password.

Contents of authorized_keys (parts of the key omitted):

ssh-rsa .==

Anyone know what I'm doing wrong, and why it won't authenticate with the RSA key?
If any more info is needed, please let me know.

--
-Lawrence
-Student ID 1028219
-CCNA



Re: rsa remote auth

2007-02-07 Thread Lawrence Horvath

On 2/7/07, Darren Spruell [EMAIL PROTECTED] wrote:

On 2/7/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
 I am trying to get my openbsd 4.0 box to allow remote ssh logins using
 an RSA key.

 I added the key into my ~/.ssh/authorized_keys file, and set
 permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600.

Verify that the user itself is the owner of these files, not root or
anyone else.


Verified: ownership of the file is the user, both owner and group.



 I added the box's own RSA key, for testing; however, I can't seem to get
 an ssh session to authenticate without the password.

Are there any line breaks in the copied key? 'cat -e
~/.ssh/authorized_keys' might reveal these kind of oopses.


Used the cat -e command; no line breaks.



Did you place the exact contents of id_{rsa,dsa}.pub and not id_{rsa,dsa}?


I did
$ cd ~/.ssh
$ cp id_rsa.pub authorized_keys

so yes, it would be the exact contents.



 ssh-rsa .==

There's no reason to obfuscate this. Your public key is not sensitive.

DS



And I made sure of the file permissions:
~/.ssh is 0700
~/.ssh/authorized_keys is 0600


--
-Lawrence
-Student ID 1028219
-CCNA



Re: rsa remote auth

2007-02-07 Thread Lawrence Horvath

Ahh, OK, there we go.
It was a permissions issue on ~/; I had read and write set for group.
Changed it to 0700; it's now working.



On 2/7/07, Stuart Henderson [EMAIL PROTECTED] wrote:

On 2007/02/07 06:49, Lawrence Horvath wrote:
 And I made sure of the file permissions:
 ~/.ssh is 0700
 ~/.ssh/authorized_keys is 0600

Run sshd -d -p some_port (unless you want to disturb your main daemon
on port 22) and watch the screen output while you connect.





--
-Lawrence
-Student ID 1028219
-CCNA
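The cause found above, a group-writable home directory, is exactly what sshd(8) refuses under its default StrictModes yes: the home directory, ~/.ssh and authorized_keys must be owned by the user (or root) and must not be writable by group or others, and `sshd -d` reports the failure as "Authentication refused: bad ownership or modes for directory ...". The Python below is an added example, not OpenSSH code: it builds a throwaway home tree under a temporary directory with the modes you give it and walks it the way sshd's secure_filename() check does, returning the first offending component. The placeholder key text and the directory layout are mine.

```python
"""Reproduce the ownership/mode checks sshd(8) makes with 'StrictModes yes'
before it will read ~/.ssh/authorized_keys: the home directory, ~/.ssh and
the file itself must belong to the user (root is also accepted) and must not
be writable by group or others.

Added illustration, not OpenSSH code.  check_fixture() builds a throwaway
home/.ssh/authorized_keys tree in a temporary directory with the modes you
give it and reports the first component sshd would reject.
"""
import os
import stat
import tempfile
from typing import Optional, Tuple

COMPONENTS = ("home", ".ssh", "authorized_keys")


def first_unsafe(home: str, uid: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Walk home -> home/.ssh -> home/.ssh/authorized_keys the way sshd's
    secure_filename() does; return (component, reason) for the first failure."""
    uid = os.getuid() if uid is None else uid
    path = home
    for name in COMPONENTS:
        if name != "home":
            path = os.path.join(path, name)
        st = os.stat(path)
        if st.st_uid not in (uid, 0):
            return name, "owned by uid %d, not %d" % (st.st_uid, uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return name, "group/world writable"
    return None


def check_fixture(home_mode: int, ssh_mode: int, key_mode: int) -> Optional[Tuple[str, str]]:
    """Build home/.ssh/authorized_keys with the given modes and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        ssh_dir = os.path.join(home, ".ssh")
        key_file = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(home)
        os.mkdir(ssh_dir)
        with open(key_file, "w") as f:
            # constructed placeholder, not a real key
            f.write("ssh-rsa AAAA...placeholder... user@host\n")
        os.chmod(key_file, key_mode)
        os.chmod(ssh_dir, ssh_mode)
        os.chmod(home, home_mode)
        return first_unsafe(home)


if __name__ == "__main__":
    print("group-writable home  :", check_fixture(0o770, 0o700, 0o600))
    print("home fixed to 0700   :", check_fixture(0o700, 0o700, 0o600))
    print("group-writable .ssh  :", check_fixture(0o755, 0o775, 0o600))
    print("group-writable keys  :", check_fixture(0o755, 0o700, 0o664))
```

The right fix is the one Lawrence applied (0700, or 0755, on the home directory); setting StrictModes no instead silences the check that stops another member of the group from planting a key in the file.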



Re: altq hfsc issue

2007-01-29 Thread Lawrence Horvath

I believe if you do not specify the realtime in the qd queue it
assumes 100%, thus creating a math issue. Try giving qd a realtime
limit.



On 1/22/07, Piotr Lukawski [EMAIL PROTECTED] wrote:

Dear misc@openbsd.org,

I wanted to share 512Kb of bandwidth between 4 users with a guaranteed
bandwidth of 20Kb for each of them and a maximum bandwidth of 256Kb for
the first user, and 128Kb for any other. Of course, if all of them are
connected at the same time, I assume that they share the existing
bandwidth.
I tried different configurations but I always get this message:


/etc/pf.conf:20: errors in queue definition
pfctl: the sum of the child bandwidth higher than parent root_ep1
pfctl: linkshare sc exceeds parent's sc
/etc/pf.conf:21: errors in queue definition
pfctl: the sum of the child bandwidth higher than parent root_ep1
pfctl: linkshare sc exceeds parent's sc
/etc/pf.conf:22: errors in queue definition
pfctl: the sum of the child bandwidth higher than parent root_ep1
pfctl: linkshare sc exceeds parent's sc
/etc/pf.conf:23: errors in queue definition


My present configuration is:
altq on $ext_if bandwidth 512Kb hfsc queue {q1, q2, q3, q4, qd}

queue q1 hfsc (realtime 20Kb upperlimit 256Kb ecn)
queue q2 hfsc (realtime 20Kb upperlimit 128Kb ecn)
queue q3 hfsc (realtime 20Kb upperlimit 128Kb ecn)
queue q4 hfsc (realtime 20Kb upperlimit 128Kb ecn)
queue qd hfsc (default ecn)

What am I doing wrong? Please help!

Regards,
Piotr





--
-Lawrence
-Student ID 1028219
-CCNA



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Lawrence Horvath

qemu is your best bet. It's not quite as fast as VMware, but it runs on
OpenBSD and supports several archs; it has a nice pkg and everything.

VMware could run on OpenBSD if you have Linux compatibility turned on, I think.



On 1/24/07, John Tate [EMAIL PROTECTED] wrote:

Is there any software that supports OpenBSD that can do full virtualisation?
I don't think VMware would be supported on OpenBSD.

--
Faced with the fact that Intelligent Design doesn't meet the criteria for a
scientific theory, leading proponent redefines what a scientific theory is.
Result: Astrology now a scientific theory.





--
-Lawrence
-Student ID 1028219
-CCNA



Re: JOB OFFER

2007-01-24 Thread Lawrence Horvath

I get a number of spams that make it through the misc list, not many
but at least a few. I use Gmail and wasn't sure if it's safe to
classify them as spam or if I should just delete them; I was concerned
that classifying them as spam could count negatively toward the
list server.

thanks

On 1/24/07, Raymond Limited [EMAIL PROTECTED] wrote:

Good Day,

Are you looking for a lucrative job? The job takes only 3-5 hours a
week, and it's a chance for you to make over $3,000 extra per month
depending on how useful you are to the company.

Also you do not need to resume at any office to get started. It's a work from
home and you do not pay any fee to get started. Try now without risking your
current job.

Do get back to me if interested

Thanks
Tanya





--
-Lawrence
-Student ID 1028219
-CCNA



multi queu

2007-01-24 Thread Lawrence Horvath

Usually it's only possible to queue once going out an interface, as far
as I know. Is it possible to use a loopback interface to run traffic
through multiple queues?


internet---em0 (queue)---lo2 (queue)-em1---lan

--
-Lawrence
-Student ID 1028219
-CCNA



Re: multi queu

2007-01-24 Thread Lawrence Horvath

Processing my multiple queues, I would like to run it through 2 queue
sets: one for capping and individual IP bandwidth management, and the
second a master cap, because you can't oversell queues.

I have 10 megs at my disposal, and I need to allot 12 people 1 meg
each; the math won't work on only one queue, and I don't want to have to
set up multiple firewalls. I'd rather have everything in one nice
pf.conf; I'm gonna do carp later.

On 1/24/07, Stuart Henderson [EMAIL PROTECTED] wrote:

On 2007/01/24 06:45, Lawrence Horvath wrote:
 Usually it's only possible to queue once going out an interface, as far
 as I know. Is it possible to use a loopback interface to run traffic
 through multiple queues?

what are you trying to achieve?





--
-Lawrence
-Student ID 1028219
-CCNA



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Lawrence Horvath

I tried looking for source but was unable; VMware is closed source
as far as I can tell (please correct me if I'm wrong, as I'd like to get
hold of the source). When I was looking for it online you have to
download the binaries, and you have to email in for a serial number to
use it; they also have higher-up pay-for versions, with more features.

On 1/24/07, Lachlan Gunn [EMAIL PROTECTED] wrote:

 VMware could run on OpenBSD if you have Linux compatibility turned on, I think

It uses a number of kernel modules, so I doubt it.  However, the
source may be available, so someone could probably try to implement
similar functionality.

--
Lachlan




--
-Lawrence
-Student ID 1028219
-CCNA



Re: multi queu

2007-01-24 Thread Lawrence Horvath

Like I said, overselling: I'm setting the interface queue to linkshare or
realtime (I'm having trouble finding the practical difference) to 1Mb,
then leaving no upper limit so they can burst, but the
realtime|linkshare will protect other customers. I'm considering
setting all 12 people to 1Mb, and then setting the loopback queue to
10Mb, so I control the max bandwidth of the link; I'm also going to use
the loopback queue to prioritize certain traffic.

I really doubt that more than 10 people will try to use more than a
meg at a time; that's why I'm overselling, so the linkshare|realtime
will still work OK, and the loopback queue will still keep anyone from
going over the 10 meg link, and allow certain overall prioritization.

It's kinda strange, I know, but I think it will work.

On 1/24/07, Bill Marquette [EMAIL PROTECTED] wrote:

On 1/24/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
 Processing my multiple queues, I would like to run it through 2 queue
 sets: one for capping and individual IP bandwidth management, and the
 second a master cap, because you can't oversell queues.

 I have 10 megs at my disposal, and I need to allot 12 people 1 meg
 each; the math won't work on only one queue, and I don't want to have to
 set up multiple firewalls. I'd rather have everything in one nice
 pf.conf; I'm gonna do carp later.

What's your guaranteed rate?  Obviously you aren't guaranteeing each
person 1mbit.

I think you'll need HFSC to do this, put your guaranteed rate as the
realtime limit and the 1mbit rate as the upperlimit for each queue.

--Bill




--
-Lawrence
-Student ID 1028219
-CCNA



altq hfsc

2007-01-23 Thread Lawrence Horvath

I was looking at the pf.conf(5) page for my altq/hfsc config and had
some trouble understanding the exact workings of hfsc queues; the
pf.conf man page has limited info on their workings. Also, when I was
looking at pf(4) it noted altq(9), which didn't seem to exist. Is that
an old listing in the pf(4) man page or is my man folder missing
something?

Is there a better recommended resource for hfsc?

--
-Lawrence
-Student ID 1028219
-CCNA



Re: Idea for additionnal funding

2007-01-23 Thread Lawrence Horvath

I could be wrong, but the original question said nothing about
non-profit. The way I read the first question was simply: why can't
OpenBSD (a for-profit entity) do advertising, via a search page for
Google (a for-profit entity, as far as I know), and get paid for it?
Nothing non-profit required, simply an advertising deal between 2
for-profit companies.

This would not require any inconsistencies either, as both companies
are for-profit. So in much the same way that we pay OpenBSD for CD
sets, Google would be paying OpenBSD for searches. Am I wrong
somewhere in that?

On 1/22/07, Martin Schröder [EMAIL PROTECTED] wrote:

2007/1/21, L. V. Lammert [EMAIL PROTECTED]:
 Actually, I talked to Theo about this last year, as we currently operate
 a non-profit that is underutilized. The problem is that since OBSD is NOT
 a non-profit, a 'regular' corp cannot transfer funds without a TON of
 justification paperwork (especially internationally) - our attorney said
 it was definitely not worth the legal expense involved and would almost
 certainly invite an IRS audit (at more expense).

That's why the OpenBSD Enterprise Bundle exists:
http://www.dixongroup.net/?q=openbsd

Best
   Martin





--
-Lawrence
-Student ID 1028219
-CCNA



altq with hfsc

2007-01-23 Thread Lawrence Horvath

I'm trying to implement hfsc altq on a firewall I have running. I
currently have the linkshare option working properly with only the
bandwidth assigned to the queue, not a full service curve. I would like
to implement upperlimit; however, I don't quite understand how the delay
works. I understand how to write it, I know the correct syntax, but
how does the queue know that the service curve is over and it should
reset, so to speak? Say I have the following:

queue 68.10_out bandwidth 20Kb priority 2 qlimit 100 hfsc ( linkshare 200Kb upperlimit (1000Kb 5000 500Kb))

The upperlimit allows the queue to spike up to 1Mb for 5 seconds,
then cuts it back down to 500Kb, but at what point does it say, OK, the
spike is over, and reset the queue so as to allow it to spike again if
needed?

Please let me know if that was not clear.

I understand using linkshare in hfsc is roughly equivalent to setting
a bandwidth and using borrow in cbq, correct?

Also, doesn't the bandwidth directive conflict with the upper limit?
--
-Lawrence
-Student ID 1028219
-CCNA



Re: apache security

2007-01-23 Thread Lawrence Horvath

I had an idea but not sure if it's possible: section off and chroot
each site into a folder of its own. Not sure if it's possible to
chroot each site to a different dir or not; I think apache only allows you
to chroot the process.

Maybe use permissions: a different user on each site, chmod to disallow
writing from other users?

Just some thoughts I had, not sure if they are valid.


On 1/23/07, Almir Karic [EMAIL PROTECTED] wrote:

What I would like to achieve is that on a shared host, if bad guys (tm)
break into one site, they can't get to other sites.

Is this possible? I've been looking at su-exec but it is for cgi
scripts only :/, what other options are there?

AFAIK chroot is not the correct answer to my question as it protects
the rest of the system from being exploited if one of the sites gets
cracked, but it can't protect one site from another...

--
almir





--
-Lawrence
-Student ID 1028219
-CCNA



rc.conf.local

2007-01-19 Thread Lawrence Horvath

When using rc.conf.local do you need to add
#!/bin/sh -
at the top of the file, or just start inserting lines?

thanks


--
-Lawrence
-Student ID 1028219
-CCNA



Re: pf+altq

2007-01-17 Thread Lawrence Horvath

Try defining q_pri with a bandwidth; you might even be able to set it as:

queue q_pri bandwidth 0% priority 7 cbq(borrow)

This way it wouldn't reserve any bandwidth, but it shouldn't cause issues
with the bandwidth math either. If you get that working, please let me
know.



On 1/17/07, sonjaya [EMAIL PROTECTED] wrote:

Dear All,
here is my altq+pf:
##---queue+alq---###
altq on $ext_if cbq bandwidth 100Kb queue{q_std}
 queue q_std bandwidth 100% cbq \
  {q_def,q_pri,q_web,q_msc,q_dat,q_gms}
 queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
 queue q_dat bandwidth 10% priority 0 cbq(red)
 queue q_web bandwidth 25% priority 5 cbq(borrow)
 queue q_msc bandwidth 15% priority 4 cbq(borrow)
 queue q_gms bandwidth 25% priority 6 cbq(borrow)
 queue q_pri priority 7

When I try to use it I always get this error:
demorate# pfctl -f /etc/pf.conf
pfctl: the sum of the child bandwidth higher than parent q_std
demorate#

When I use this instead:
 #queue q_pri priority 7
it is working.
-sonjaya-
http://sicute.blogspot.com





--
-Lawrence
-Student ID 1028219
-CCNA
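
sonjaya's config and Piotr's hfsc config earlier in this digest fail the same pfctl check. The Python below is an added example, not pfctl's code: it parses the altq and queue lines, resolves percentages against the parent, and reproduces the two bandwidth errors pfctl prints, in pfctl's own words. It assumes that a queue with no bandwidth keyword is counted at its parent's full bandwidth (what both failing configs point to) and leaves macros such as $ext_if unexpanded.

```python
"""Model of two checks pfctl applies to ALTQ queue definitions: "bandwidth
for X higher than parent" and "the sum of the child bandwidth higher than
parent X".  Added example, not pfctl's code.  Assumptions: a child with no
explicit bandwidth counts at its parent's full bandwidth (consistent with
both failing configs quoted on this page), percentages are of the parent's
figure, macros like $ext_if stay unexpanded, units are b/Kb/Mb/Gb/%.
"""
import re

UNITS = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}
_BW = re.compile(r"\bbandwidth\s+(\d+(?:\.\d+)?)\s*(Gb|Mb|Kb|b|%)", re.I)
_CHILDREN = re.compile(r"\{([^}]*)\}")
_ALTQ = re.compile(r"^altq\s+on\s+(\S+)")
_QUEUE = re.compile(r"^queue\s+(\S+)")


def _logical_lines(text):
    # Drop '#' comments and join backslash-continued lines, as pfctl's lexer does.
    out, buf = [], ""
    for raw in text.splitlines():
        piece = raw.split("#", 1)[0].rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1] + " "
            continue
        buf += piece
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def _entry(line):
    """Bandwidth spec (value, unit) or None, plus the child list in braces."""
    bw = _BW.search(line)
    kids = _CHILDREN.search(line)
    # pf.conf allows the commas between brace-list items to be omitted.
    return {
        "bw": None if bw is None else (float(bw.group(1)), bw.group(2).lower()),
        "children": [] if kids is None else [c for c in re.split(r"[\s,]+", kids.group(1)) if c],
    }


def parse_queues(text):
    """Return (root_name, queues) in definition order; root is root_<if> like pfctl -s queue."""
    root, queues = None, {}
    for line in _logical_lines(text):
        if (m := _ALTQ.match(line)):
            root = "root_" + m.group(1)
            queues[root] = _entry(line)
        elif (m := _QUEUE.match(line)):
            queues[m.group(1)] = _entry(line)
    if root is None:
        raise ValueError("no altq line found")
    return root, queues


def _resolve(spec, parent_bw):
    if spec is None:              # assumption: unspecified = parent's full bandwidth
        return parent_bw
    value, unit = spec
    return int(parent_bw * value / 100) if unit == "%" else int(value * UNITS[unit])


def check_bandwidth(text):
    """pfctl-style errors; each queue is checked against the siblings defined
    before it, hence one error per child past the limit, as in pfctl's output."""
    root, queues = parse_queues(text)
    if queues[root]["bw"] is None or queues[root]["bw"][1] == "%":
        raise ValueError("altq line needs an absolute bandwidth")
    parent_of = {c: p for p, q in queues.items() for c in q["children"]}
    bw = {root: _resolve(queues[root]["bw"], 0)}
    used, errors = {}, []
    for name, q in queues.items():
        if name == root:
            continue
        parent = parent_of.get(name)
        if parent not in bw:
            errors.append(f"queue {name} has no parent defined before it")
            continue
        this = _resolve(q["bw"], bw[parent])
        if this > bw[parent]:
            errors.append(f"bandwidth for {name} higher than parent")
            continue                              # pfctl rejects the queue here
        bw[name] = this
        used[parent] = used.get(parent, 0) + this
        if used[parent] > bw[parent]:
            errors.append(f"the sum of the child bandwidth higher than parent {parent}")
    return errors


# Constructed copy of the first failing config on this page: five hfsc
# children without a bandwidth keyword under a 512Kb root.
PIOTR = """
altq on $ext_if bandwidth 512Kb hfsc queue {q1, q2, q3, q4, qd}
queue q1 hfsc (realtime 20Kb upperlimit 256Kb ecn)
queue q2 hfsc (realtime 20Kb upperlimit 128Kb ecn)
queue q3 hfsc (realtime 20Kb upperlimit 128Kb ecn)
queue q4 hfsc (realtime 20Kb upperlimit 128Kb ecn)
queue qd hfsc (default ecn)
"""
```

Running `check_bandwidth(PIOTR)` yields four "sum of the child bandwidth" errors, one per queue after q1, matching the four pfctl error groups quoted at the top of this digest.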



Re: looking for (custom) dial-in

2006-12-28 Thread Lawrence Horvath

May I ask why?
I'm sure Google could tell you quite a few dial-up companies in the
countries you would like.



On 12/28/06, Peter Philipp [EMAIL PROTECTED] wrote:

Hi misc@,

I know OpenBSD isn't a telco nor an internet service provider, but
perhaps someone out there has a spare POTS line where they can hook a
modem to.  I'm looking for people in the following countries willing to
provide dial-in service for 10 hours a month at no more than 12 euros a
year.  If your POTS is sitting around doing nothing and you could use
12 euros a year, the internet connectivity does not need to give an IP;
it can be NAT service just as long as one can get Internet.  I'm looking
for connects in Denmark, Belgium, Netherlands, Luxemburg, Switzerland,
Czech Republic, France, Austria, Poland and Germany.  The service can be
anything from 2400 bps through whatever is highest now, just as long as
my modems can completely handshake.  Whether the services behind the
dial-in are OpenBSD-run is irrelevant to me.  Alternatively if it isn't
too much of your time send me a list of Internet providers that provide
cheap dial-in in your respective country.  Yer a great bunch fellers!

-p





--
-Lawrence
-Student ID 1028219



Re: pf altq and cbq borrowing

2006-12-12 Thread Lawrence Horvath

On 12/12/06, Matt Hamilton [EMAIL PROTECTED] wrote:

Hi All,
   Something I just noticed on 3.9 with our firewall that I'm hoping
someone can explain, as it looks like a bug to me.  Our simplified
config for queueing is:

altq on $ext_if cbq bandwidth 8Mb queue { colo, bmex, deflt }

queue   bmex bandwidth 4Mb cbq { A, B, C, D }
queue A bandwidth 1Mb cbq(borrow)
queue B bandwidth 1Mb cbq(borrow)
queue C bandwidth 1Mb cbq(borrow)
queue D bandwidth 1Mb cbq(borrow)

queue   colo bandwidth 4Mb cbq(borrow) { E, F, G, H }
queue E bandwidth 1Mb cbq(borrow)
queue F bandwidth 1Mb cbq(borrow)
queue G bandwidth 1Mb cbq(borrow)
queue H bandwidth 1Mb cbq(borrow)


As you can see, although queues A-D have borrow, their parent, bmex,
does not have borrow.  This seems that no-one on A-D can get above
1Mb.  If I add borrow to the parent, bmex, then it works.

Is this right?  Surely a child should be able to borrow from its
parent regardless of if its parent can borrow from root?  Is this a
bug, or am I not understanding something?  Is this something that
hfsc might address?

-Matt

--
Matt Hamilton   [EMAIL PROTECTED]
Netsight Internet Solutions, Ltd.Business Vision on the Internet
http://www.netsight.co.uk +44 (0)117 9090901
Web Design | Zope/Plone Development  Consulting | Co-location | Hosting




AFAIK, and speaking from my personal cbq setup, you should not have to
have (borrow) on bmex. I have the following cbq and it works
properly, for outgoing queues at least; I can get a full 2000Kb out of
any of the child queues.


##BEGIN_QUEUES##
altq on tl0 cbq bandwidth 2000Kb qlimit 200 queue { \
ssh_out, http_out, ftp_control_out, ftp_data_out, other_out \
ssh_in,  http_in,  ftp_control_in,  ftp_data_in,  other_in }

queue other_out         bandwidth 100Kb qlimit 200 cbq ( default, borrow )
queue ssh_out           bandwidth 100Kb qlimit 200 cbq ( borrow )
queue http_out          bandwidth 100Kb qlimit 200 cbq ( borrow )
queue ftp_control_out   bandwidth 100Kb qlimit 200 cbq ( borrow )
queue ftp_data_out      bandwidth 100Kb qlimit 200 cbq ( borrow )

queue other_in          bandwidth 100Kb qlimit 200 cbq ( borrow )
queue ssh_in            bandwidth 100Kb qlimit 200 cbq ( borrow )
queue http_in           bandwidth 100Kb qlimit 200 cbq ( borrow )
queue ftp_control_in    bandwidth 100Kb qlimit 200 cbq ( borrow )
queue ftp_data_in       bandwidth 100Kb qlimit 200 cbq ( borrow )
##END_QUEUES##


--
-Lawrence
-Student ID 1028219



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Lawrence Horvath

On 10/28/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:

Hello everyone,

So, I'm trying to set up a samba server, and looking into the
smb.conf, there's this command deluser that I can't find a similar
one on OpenBSD to replace it. I need a tool that is able to delete a
user from a group, by using the username and the group as arguments.
I've looked on userdel, useradd, groupmod and groupdel, but it seems
that they won't do what I want...
I think I'm missing something pretty obvious... =(

Can anyone give me some hints please?

--
An OpenBSD user... and that's all you need to know =)




man rmuser


--
-Lawrence
-Student ID 1028219



Re: Oldest Server you run

2006-10-12 Thread Lawrence Horvath

$ sysctl hw
hw.machine=i386
hw.model=Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache)
hw.ncpu=2
hw.byteorder=1234
hw.physmem=268001280
hw.usermem=267599872
hw.pagesize=4096
hw.disknames=sd0,sd1,sd2,cd0,fd0
hw.diskcount=5
hw.cpuspeed=449


On 10/12/06, Falk Husemann [EMAIL PROTECTED] wrote:

Hello List!
We're trying to put an old server to good use again and would like to
know what's exactly the oldest machine running OpenBSD?


As machine we defined something with processor, ram, network, hard
disk and a connection to the internet. So no Newton or toaster (at
least not if there's no disk being toasted).


Thank you in advance,
Falk





--
-Lawrence
-Student ID 1028219



pf queue skipping

2006-08-23 Thread Lawrence Horvath

I have the following config for my pf.conf and I noticed that nothing
shows in the queues for incoming:

##BEGIN_QUEUES##
altq on tl0 cbq bandwidth 3000Kb qlimit 200 queue { traffic_out, traffic_in }

queue traffic_out bandwidth 1500Kb qlimit 200 cbq { \
other_out, ssh_out, ftp_data_out, ftp_control_out, http_out }

queue traffic_in  bandwidth 1500Kb qlimit 200 cbq { \
other_in,  ssh_in,  ftp_data_in,  ftp_control_in,  http_in  }

queue other_out        bandwidth 100Kb  qlimit 200 cbq (default, borrow)
queue ssh_out          bandwidth 100Kb  qlimit 200 cbq (borrow)
queue http_out         bandwidth 200Kb  qlimit 200 cbq (borrow)
queue ftp_control_out  bandwidth 100Kb  qlimit 200 cbq (borrow)
queue ftp_data_out     bandwidth 1000Kb qlimit 200 cbq

queue other_in         bandwidth 100Kb  qlimit 200 cbq (borrow)
queue ssh_in           bandwidth 100Kb  qlimit 200 cbq (borrow)
queue http_in          bandwidth 200Kb  qlimit 200 cbq (borrow)
queue ftp_control_in   bandwidth 100Kb  qlimit 200 cbq (borrow)
queue ftp_data_in      bandwidth 1000Kb qlimit 200 cbq
##END_QUEUES##

##BEGIN_PACKETFILTERS##
block in on tl0 from any to any
pass in on tl0 proto tcp from any to any port 22 queue ssh_in
pass in on tl0 proto tcp from any to any port 20 queue ftp_data_in
pass in on tl0 proto tcp from any to any port 21 queue ftp_control_in
pass in on tl0 proto tcp from any to any port 80 queue http_in
pass in on tl0 proto udp from any to any port 53
pass in on tl0 proto icmp from any to any queue other_in

pass out on tl0 from any to any queue other_out keep state
pass out on tl0 proto tcp from any port 22 to any queue ssh_out
pass out on tl0 proto tcp from any port 20 to any queue ftp_data_out keep state
pass out on tl0 proto tcp from any port 21 to any queue ftp_control_out
pass out on tl0 proto tcp from any port 80 to any queue http_out
block out on tl0 proto icmp from any to any
##END_PACKETFILTERS##





queue root_tl0 bandwidth 3Mb priority 0 qlimit 200 cbq( wrr root )
{traffic_out, traffic_in}
 [ pkts:  44766  bytes:2785500  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured:   410.6 packets/s, 198.50Kb/s ]
queue  traffic_out bandwidth 1.50Mb qlimit 200 {other_out, ssh_out,
http_out, ftp_control_out, ftp_data_out}
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue   other_out bandwidth 100Kb qlimit 200 cbq( borrow default )
 [ pkts:  3  bytes:374  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 4.14 b/s ]
queue   ssh_out bandwidth 100Kb qlimit 200 cbq( borrow )
 [ pkts:  44763  bytes:2785126  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  44016  suspends:  0 ]
 [ measured:   410.6 packets/s, 198.50Kb/s ]
queue   http_out bandwidth 200Kb qlimit 200 cbq( borrow )
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue   ftp_control_out bandwidth 100Kb qlimit 200 cbq( borrow )
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue   ftp_data_out bandwidth 1Mb qlimit 200
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue  traffic_in bandwidth 1.50Mb qlimit 200 {other_in, ssh_in,
http_in, ftp_control_in, ftp_data_in}
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue   other_in bandwidth 100Kb qlimit 200 cbq( borrow )
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue   ssh_in bandwidth 100Kb qlimit 200 cbq( borrow )
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue   http_in bandwidth 200Kb qlimit 200 cbq( borrow )
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue   ftp_control_in bandwidth 100Kb qlimit 200 cbq( borrow )
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
 [ measured: 0.0 packets/s, 0 b/s ]
queue   ftp_data_in bandwidth 1Mb qlimit 200
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  

Re: pf queue skipping

2006-08-23 Thread Lawrence Horvath

Yes, it says it's only useful for outbound; that doesn't mean that it
shouldn't still try to queue inbound, which it does sorta do as per my
pfctl -vvs queue. However it skips the parent queue for some reason.

On 8/23/06, Jason Dixon [EMAIL PROTECTED] wrote:

On Aug 23, 2006, at 6:28 AM, Lawrence Horvath wrote:

 I have the following config for my pf.conf and I noticed that nothing
 shows in the queues for incoming:

 snip

 At this time I was transferring files into the server and it was not
 showing in the incoming queues, not sure why. I know it's hard to
 limit incoming traffic, but this doesn't even show the traffic to
 start with.

http://www.openbsd.org/faq/pf/queueing.html

Read the 2nd paragraph under the first section.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net







--
-Lawrence



pf queue monitoring

2006-08-21 Thread Lawrence Horvath

Is there a way to monitor how much traffic is passing through a queue in bps?
I'm using 'pfctl -s queue -v' but it seems to only show a running total
of packets and bits that have passed through it, and I want to be able
to see it in bps. Anyone know of a way to do this?

# uname -a
OpenBSD localhost.localdomain 3.9 GENERIC.MP#598 i386

thanks

--
-Lawrence
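
One way to get a rate out of the running totals is to take two 'pfctl -vs queue' snapshots a known number of seconds apart and divide the byte delta by the interval. This is an added example, not part of pf: the parser reads the counter lines in the format quoted in the 'pf queue skipping' thread on this page, and the two snapshots and the 10-second interval below are constructed.

```python
"""Per-queue bit rates from two 'pfctl -vs queue' snapshots.

Added example, not part of pf.  The counter lines follow the format quoted
in the 'pf queue skipping' thread on this page; SNAP_A, SNAP_B and the
interval between them are constructed sample data.
"""
import re

_QUEUE = re.compile(r"^queue\s+(\S+)")
_STATS = re.compile(
    r"\[\s*pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)\s*\]")


def parse_snapshot(text):
    """Map queue name -> (pkts, bytes, dropped_pkts, dropped_bytes)."""
    stats, current = {}, None
    for line in text.splitlines():
        m = _QUEUE.match(line)
        if m:
            current = m.group(1)          # a long header may wrap onto a second line
            continue
        m = _STATS.search(line)
        if m and current is not None:
            stats[current] = tuple(int(x) for x in m.groups())
            current = None
    return stats


def rates(before, after, interval_s):
    """Return {queue: (bits/s, packets/s, packets dropped in the interval)}.

    A counter that went backwards (e.g. the queues were reloaded between the
    two samples) maps to None instead of a bogus negative rate.
    """
    out = {}
    for name, (p1, b1, d1, _) in after.items():
        if name not in before:
            continue
        p0, b0, d0, _ = before[name]
        if p1 < p0 or b1 < b0 or d1 < d0:
            out[name] = None
            continue
        out[name] = ((b1 - b0) * 8 / interval_s, (p1 - p0) / interval_s, d1 - d0)
    return out


def fmt_rate(bps):
    """Format the way pfctl prints rates, e.g. 198500.0 -> '198.50Kb/s'."""
    for unit, div in (("Gb/s", 1e9), ("Mb/s", 1e6), ("Kb/s", 1e3)):
        if bps >= div:
            return f"{bps / div:.2f}{unit}"
    return f"{bps:.0f} b/s"


INTERVAL_S = 10.0   # constructed: seconds between the two pfctl runs

# Constructed snapshots in the quoted output format (ssh_out is the only busy queue).
SNAP_A = """\
queue root_tl0 bandwidth 3Mb priority 0 qlimit 200 cbq( wrr root )
{traffic_out, traffic_in}
 [ pkts:  44766  bytes:2785500  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
queue  traffic_out bandwidth 1.50Mb qlimit 200 {other_out, ssh_out,
http_out, ftp_control_out, ftp_data_out}
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
queue   other_out bandwidth 100Kb qlimit 200 cbq( borrow default )
 [ pkts:  3  bytes:374  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
queue   ssh_out bandwidth 100Kb qlimit 200 cbq( borrow )
 [ pkts:  44763  bytes:2785126  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  44016  suspends:  0 ]
"""

SNAP_B = """\
queue root_tl0 bandwidth 3Mb priority 0 qlimit 200 cbq( wrr root )
{traffic_out, traffic_in}
 [ pkts:  48872  bytes:3033625  dropped pkts:  2 bytes:  3004 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
queue  traffic_out bandwidth 1.50Mb qlimit 200 {other_out, ssh_out,
http_out, ftp_control_out, ftp_data_out}
 [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
queue   other_out bandwidth 100Kb qlimit 200 cbq( borrow default )
 [ pkts:  3  bytes:374  dropped pkts:  0 bytes:  0 ]
 [ qlength:   0/200  borrows:  0  suspends:  0 ]
queue   ssh_out bandwidth 100Kb qlimit 200 cbq( borrow )
 [ pkts:  48869  bytes:3033251  dropped pkts:  2 bytes:  3004 ]
 [ qlength:   0/200  borrows:  48122  suspends:  0 ]
"""

if __name__ == "__main__":
    a, b = parse_snapshot(SNAP_A), parse_snapshot(SNAP_B)
    for name, r in rates(a, b, INTERVAL_S).items():
        print(f"{name:16} {'counters reset' if r is None else fmt_rate(r[0])}")
```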



testing max tcp connections

2006-07-10 Thread Lawrence Horvath

I'm using an OpenBSD 3.9 server and a FreeBSD 6.1 server on either end
of a firewall to test throughput and max open connections of the
firewall. I tested throughput with netstrain(d), but I'm unsure how to
test the max open connections; can anyone recommend a program or script
to test the max number of open TCP connections? Basically I just need
to open as many TCP connections as my servers will handle.

Thanks

--
-Lawrence



Re: X not found

2006-07-05 Thread Lawrence Horvath

That's what I was asking: can I just install a small set of libs or do
I need to entirely install X?

On 7/4/06, Peter Blair [EMAIL PROTECTED] wrote:

If you have no parts of X installed, then how do you expect to link
against it?  If you plan to use your OpenBSD machine as a headless X
client, then you'll need to install the requisite libs.

You'll save yourself a lot of time and headache if you just install the X set.

On 7/4/06, Lawrence Horvath [EMAIL PROTECTED] wrote:
 I have been getting the following error, and wasn't sure if I have to
 totally install X or can I just install a minimal lib set to get the
 error to stop; at this time I do not have any parts of X installed.

 # make
 ===  qemu-0.8.0p3 uses X11, but /usr/X11R6 not found.

 Thanks

 --
 -Lawrence






--
-Lawrence



Re: X not found

2006-07-05 Thread Lawrence Horvath

So how do you install that? I was thinking it would just be
# pkg_add /home/music/xbase39.tgz
Can't resolve /home/music/xbase39.tgz

but that didn't work; how do you install that package?


On 7/5/06, Joachim Schipper [EMAIL PROTECTED] wrote:

On Wed, Jul 05, 2006 at 12:03:35AM -0700, Lawrence Horvath wrote:
 That's what I was asking: can I just install a small set of libs or do
 I need to entirely install X?

xbase will do for (almost?) all ports.

Joachim





--
-Lawrence



X not found

2006-07-04 Thread Lawrence Horvath

I have been getting the following error, and wasn't sure if I have to
totally install X or can I just install a minimal lib set to get the
error to stop; at this time I do not have any parts of X installed.

# make
===  qemu-0.8.0p3 uses X11, but /usr/X11R6 not found.

Thanks

--
-Lawrence



binding ftpd

2006-07-03 Thread Lawrence Horvath

Is there any way at all to bind ftpd to a single IP? I would like to
keep ftpd running on one IP of my server while I set up and play with
proftpd on another IP. The man page for ftpd says nothing about being
able to bind, but is there any other way, jerry-rig it if you will?

Thanks

--
-Lawrence



Mixing queues in pf

2006-06-29 Thread Lawrence Horvath

Is it possible to mix queue types with pf, for instance all http
traffic is sent to a hfsc queue while all ssh traffic is sent to a
priq queue, or could you have a master priq queue and child cbq queues
under it?

thanks

--
-Lawrence



Re: T1 and DSL failover? redundancy?

2006-06-22 Thread Lawrence Horvath

You can use SNMP to monitor the WAN interface on almost all routers
(I know personally about the Cisco), so you might set something up
that monitors that, or you could use a dynamic routing protocol,
even RIP would do, just something interactive between the OBSD firewall
and the router. The router would update the firewall via the routing
protocol if the line was down, and use a higher admin distance on the
DSL link.

On 6/21/06, NetNeanderthal [EMAIL PROTECTED] wrote:

On 6/21/06, John Brahy [EMAIL PROTECTED] wrote:
 What are my other options? I'd like to have it automatically fail over but
 I'm not sure what is required to do that.
Have you considered using a WAN card for your T1 natively on OpenBSD?
As well, you might have a look at ifstated(8) if that's the case --
this would be a cinch to configure with PF.

I believe there are several manufacturers of WAN cards, including
art(4), lmc(4) and san(4).  I have used the Sangoma cards before with
good luck.

Otherwise, depending on the router (Cisco?), you might be able to
setup tracking on the T1 WAN interface to bring down the ethernet
interface (assumption?) that points towards your OpenBSD firewall.
This in turn would trigger an ifstated event that manages your pf.conf
configuration(s).  Or... routing metrics.

There are so many ways to solve this with OpenBSD.

Good luck!





--
-Lawrence



Re: T1 and DSL failover? redundancy?

2006-06-22 Thread Lawrence Horvath

On 6/22/06, L. V. Lammert [EMAIL PROTECTED] wrote:

At 11:13 PM 6/21/2006 -0700, Lawrence Horvath wrote:
You can use SNMP to monitor the WAN interface on almost all routers
(I know personally about the Cisco), so you might set something up
that monitors that, or you could use a dynamic routing protocol,
even RIP would do, just something interactive between the OBSD firewall
and the router. The router would update the firewall via the routing
protocol if the line was down, and use a higher admin distance on the
DSL link.

Keep in mind also that redundancy is fine for outgoing traffic, but to
actually route incoming traffic you must also have an upstream ISP(s) that
can handle redundant links, or you will have to obtain your own ASN and
manage your own BGP.

 Lee




There are only two ways I know to maintain routing on incoming
traffic: the first being to have your DSL and T1 from the same company,
and they can set up your links with routing on their side that will
reflect your failover situation; the second way is to multihome with
an AS and run BGP. So if you have any sort of IP-specific traffic,
such as running servers at your location, you will have to do one of
the above options. However, if this is just for an office connection to
allow your employees to check myspace and play poker, then you can do
it much more easily; it would be as simple as running an internal routing
protocol.

--
-Lawrence



Re: turning on PF

2006-06-19 Thread Lawrence Horvath

On 6/19/06, Alexander Hall [EMAIL PROTECTED] wrote:

Lawrence Horvath wrote:
 I'm having a little trouble with my queues in PF; I have the following in
 my pf.conf:


 altq on tl0 cbq bandwidth 100Kb queue {all}
 queue all bandwidth 100% {default}
 pass out on tl0 from any to any queue all
 pass in on tl0 from any to any


 however i get the following:

 $ sudo pfctl -e
 pfctl: pf already enabled
 $ sudo pfctl -A
 $ sudo pfctl -R
 $ sudo pfctl -s queue
 No queue in use

Sorry for asking, but you have, at some point, run
pfctl -ef /etc/pf.conf, right?
  ^^

(And made damn sure that the file exists at that place, too?)

/alexander


 This is on 3.9 Generic,

 thanks





$ sudo pfctl -ef /etc/pf.conf
Password:
/etc/pf.conf:39: syntax error
/etc/pf.conf:41: syntax error
/etc/pf.conf:43: syntax error
pfctl: Syntax error in config file: pf rules not loaded
$

39: altq on tl0 cbq bandwidth 100Kb queue {all}
40:
41: queue all bandwidth 100% (default)
42:
43: pass out on tl0 from any to any queue all
44: pass in on tl0 from any to any



--
-Lawrence



turning on PF

2006-06-18 Thread Lawrence Horvath

I'm having a little trouble with my queues in PF; I have the following in
my pf.conf:


altq on tl0 cbq bandwidth 100Kb queue {all}
queue all bandwidth 100% {default}
pass out on tl0 from any to any queue all
pass in on tl0 from any to any


however i get the following:

$ sudo pfctl -e
pfctl: pf already enabled
$ sudo pfctl -A
$ sudo pfctl -R
$ sudo pfctl -s queue
No queue in use

This is on 3.9 Generic,

thanks
--
-Lawrence



rate limiting an interface

2006-06-15 Thread Lawrence Horvath

3.9 GENERIC#617 i386

Wanted to know what the possible ways are to rate limit an ethernet
interface, if queues in pf will do this, or if there is any other way. I have a
2meg colo connection and don't want to go over it or I'll get charged,
and the ISP won't cap it, so I have to cap myself.

Thanks
--
-Lawrence



Re: rate limiting an interface

2006-06-15 Thread Lawrence Horvath

On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote:

Lawrence Horvath wrote:
 3.9 GENERIC#617 i386

 Wanted to know what the possible ways are to rate limit an ethernet
 interface, if queues in pf will do this, or if there is any other way. I have a
 2meg colo connection and don't want to go over it or I'll get charged,
 and the ISP won't cap it, so I have to cap myself.

 Thanks

You can rate limit with the altq built into pf.

--
John R. Shannon, CISSP
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Can I rate limit both ways, incoming and outgoing? The pf
documentation for queues said only one way, but is there a way to keep
the system from downloading as much to it, so as to keep under my
quota going both ways?

--
-Lawrence



Re: rate limiting an interface

2006-06-15 Thread Lawrence Horvath

On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote:

Lawrence Horvath wrote:
 On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote:
 Lawrence Horvath wrote:
  3.9 GENERIC#617 i386
 
   Wanted to know what the possible ways are to rate limit an ethernet
   interface, if queues in pf will do this, or if there is any other way. I have a
   2meg colo connection and don't want to go over it or I'll get charged,
   and the ISP won't cap it, so I have to cap myself.
 
  Thanks

 You can rate limit with the altq built into pf.

 --
 John R. Shannon, CISSP
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]


 Can I rate limit both ways, incoming and outgoing? The pf
 documentation for queues said only one way, but is there a way to keep
 the system from downloading as much to it, so as to keep under my
 quota going both ways?


You might find this E-mail answers your question:


http://lists.freebsd.org/pipermail/freebsd-pf/2005-November/001657.html

--
John R. Shannon, CISSP
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Thank you for that link; I was under the impression that altq wouldn't
work on incoming, period, but the link helped. Thank you.
--
-Lawrence