Change source IP to enable pass through VPN

2009-06-14 Thread Lord Sporkton
I would like to change the source IP that applications use when making
connections for my backup.
I have 2 firewalls, one at home, one in colo, each with a LAN segment
behind it, the LANs are connected via IPSec.conf vpns between the
firewalls.

The home public IP is dynamic, so I was not able to make my SA specific
between the public IPs, only from LAN to LAN. I am trying to do backups
of the colo firewall to a thumb drive in the home firewall via the LAN
IP of the home firewall; however, when the colo tries to connect (via NFS
in this case) to the home, it sources from its public IP, which is not
in the SA. I have the same problem going the other way as well. Is
there a way to force my backup script to source from, or appear to
source from, the LAN IP instead of the WAN IP?

Thank you,
Lawrence



Re: Change source IP to enable pass through VPN

2009-06-14 Thread Lord Sporkton
2009/6/14 Jason Dixon ja...@dixongroup.net:
 On Sun, Jun 14, 2009 at 08:03:54PM -0700, Lord Sporkton wrote:
 I would like to change the source IP that applications use when making
 connections for my backup.
 I have 2 firewalls, one at home, one in colo, each with a LAN segment
 behind it, the LANs are connected via IPSec.conf vpns between the
 firewalls.

 The home public IP is dynamic, so I was not able to make my SA specific
 between the public IPs, only from LAN to LAN. I am trying to do backups
 of the colo firewall to a thumb drive in the home firewall via the LAN
 IP of the home firewall; however, when the colo tries to connect (via NFS
 in this case) to the home, it sources from its public IP, which is not
 in the SA. I have the same problem going the other way as well. Is
 there a way to force my backup script to source from, or appear to
 source from, the LAN IP instead of the WAN IP?

 There are numerous ways around this, most of which probably involve
 more common sense.  Unfortunately, you haven't told us what sort of
 backup software you're using so it's hard to make good recommendations
 for your existing setup.  If your backup software will allow you to bind
 to the internal address of your home firewall, that's the way to go.
 Otherwise you might be able to get it working with some sort of port
 redirection (bouncing off the internal interface).  But again, without
 more details it's impossible for me to give you concrete examples.

 Personally, I just pull my server backups using dump-over-ssh.  This
 works great for me.  I've rebuilt my entire server within the past year
 using these backups so I guarantee this process works as advertised.
 Here is the script I use:

 #!/bin/sh

 # DayOfWeek
 DOW=`date +%w`
 DATE=`date +%Y%m%d`

 ssh r...@server dump ${DOW}ufa - / | /usr/local/bin/bzip2 | \
dd of=/backups/dumps/server-root-${DOW}-${DATE}.bz2
 ssh r...@server dump ${DOW}ufa - /data | /usr/local/bin/bzip2 | \
dd of=/backups/dumps/server-data-${DOW}-${DATE}.bz2
 ssh r...@server dump ${DOW}ufa - /home | /usr/local/bin/bzip2 | \
dd of=/backups/dumps/server-home-${DOW}-${DATE}.bz2
 ssh r...@server dump ${DOW}ufa - /var | /usr/local/bin/bzip2 | \
dd of=/backups/dumps/server-var-${DOW}-${DATE}.bz2


 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net/


My current method is just a dump script that pushes the backup to the
remote firewall, as opposed to pulling. I believe your script would work
just fine for me, since the pulling firewall is dynamic.
I did try port redirection with PF, but that didn't seem to work very
well; it seemed to be doing the NAT after the IPsec filter, so it was
changing the source address, but the packets were not hitting the IPsec
tunnel.

Perhaps I will try setting up a /30 network between the firewalls and
set up a GRE tunnel between them.

Thank you for the sample script.
Lawrence



tap devices on bridge cannot connect

2008-11-06 Thread Lord Sporkton
I am running QEMU with 2 virtual machines. I have put the tap devices
into a bridge with a trunk interface; the trunk acts as a gateway,
allowing a virtual network inside the host server which can NAT to
public IPs and be firewalled. For some reason the 2 VM hosts cannot
communicate. They will ARP each other up but not actually ping each
other. They are Windows hosts. I have a site-to-site VPN back to my
house, from which I can ping both VM hosts successfully from my house
computer through the VPN. I can ping the trunk interface from the
hosts as well, just not VM host to VM host.

Any thoughts on why they cannot ping each other?

Thank you


Below are my pf.conf and the output of ifconfig and brconfig


#   gorilla.sporkton.com
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#NORMAL ORDER - see no set require-order rule
#Macros
#Tables
#Options
#Traffic Normalization (e.g. scrub)
#Queueing
#Translation (Various forms of NAT)
#Packet Filtering


ext_if=em0
vm_if=trunk0
gorilla=38.102.248.178

table <ssh-attack> persist
table <private> const { 10/8, 172.16/12, 192.168/16 }


set skip on {enc0, lo0}
set block-policy drop

scrub in on $ext_if all fragment reassemble

no nat on $ext_if from <private> to <private>
nat on $ext_if from <private> to any -> ($ext_if:0)

#--Default--#
block in
pass out
pass in on $vm_if
pass in on $ext_if proto tcp to $gorilla port ssh
#--Custom--#
pass in on $ext_if proto esp
pass in on $ext_if proto udp to $gorilla port {isakmp, ipsec-nat-t}
pass in on $ext_if proto {udp, tcp} to $gorilla port domain




# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:22:b0:d8:d2
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 38.102.248.178 netmask 0xfffffff8 broadcast 38.102.248.183
        inet6 fe80::214:22ff:feb0:d8d2%em0 prefixlen 64 scopeid 0x1
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:22:b0:d8:d3
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<> mtu 1536
trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:00
        trunk: trunkproto roundrobin
        groups: trunk
        media: Ethernet autoselect
        status: no carrier
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 fe80::214:22ff:feb0:d8d2%trunk0 prefixlen 64 scopeid 0x5
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
tun0: flags=9942<BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:be:64:87:01
        groups: tun
        inet6 fe80::2bd:beff:fe64:8701%tun0 prefixlen 64 scopeid 0x8
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge
tun1: flags=9942<BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:3b:4f:63:02
        groups: tun
        inet6 fe80::2bd:3bff:fe4f:6302%tun1 prefixlen 64 scopeid 0xb



# brconfig
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        trunk0 flags=3<LEARNING,DISCOVER>
                port 5 ifpriority 0 ifcost 0
        tun1 flags=3<LEARNING,DISCOVER>
                port 11 ifpriority 0 ifcost 0
        tun0 flags=3<LEARNING,DISCOVER>
                port 8 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):
#



-- 
-Lawrence



ipsec SA up but passing one way traffic

2008-09-24 Thread Lord Sporkton
I have set up an aggressive mode VPN between a Cisco 877 and an OpenBSD server.
The SA seems to have set up correctly; however, the connection only
appears to pass traffic from the Cisco to the server.
The private IPs on the Cisco have a NAT exemption to keep it from
NATting them when going through the tunnel.
The server itself has no pf running on it right now, for testing purposes.

Thank you for your response; if you want or need any more info, please
let me know.

If I ping the server from my workstation behind the Cisco I get this,
and the ping times out:

# tcpdump -i enc0
tcpdump: listening on enc0, link-type ENC
22:30:25.843966 (authentic,confidential): SPI 0x1fd60d2c: 10.0.0.17 > mail.sporkton.com: icmp: echo request (encap)
22:30:31.343855 (authentic,confidential): SPI 0x1fd60d2c: 10.0.0.17 > mail.sporkton.com: icmp: echo request (encap)
22:30:36.843874 (authentic,confidential): SPI 0x1fd60d2c: 10.0.0.17 > mail.sporkton.com: icmp: echo request (encap)
^C
3 packets received by filter
0 packets dropped by kernel


SERVER:
# uname -a
OpenBSD angie.sporkton.com 4.3 GENERIC#698 i386

# cat /etc/ipsec.conf
# angie.sporkton.com

ike dynamic esp tunnel proto ip \
from 38.102.248.176/29 to 10.0.0.0/24 \
aggressive  auth hmac-sha1 enc 3des group modp1024 \
quick   auth hmac-sha1 enc 3des \
srcid angie.sporkton.com dstid fire.sporkton.com \
psk secret


# ipsecctl -vs all
FLOWS:
No flows

SAD:
esp tunnel from 75.22.69.151 to 38.102.248.178 spi 0x6b8a31cd auth hmac-sha1 enc 3des-cbc
sa: spi 0x6b8a31cd auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_cur: alloc 0 bytes 8960 add 1222319514 first 1222319514
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 75.22.69.151
address_dst: 38.102.248.178
identity_src: type fqdn id 0: fire.sporkton.com
identity_dst: type fqdn id 0: angie.sporkton.com
src_mask: 255.255.255.0
dst_mask: 255.255.255.248
protocol: proto 0 flags 0
flow_type: type use direction in
src_flow: 10.0.0.0
dst_flow: 38.102.248.176
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1222320279
esp tunnel from 38.102.248.178 to 75.22.69.151 spi 0xbf127570 auth hmac-sha1 enc 3des-cbc
sa: spi 0xbf127570 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_cur: alloc 0 bytes 0 add 1222319514 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 38.102.248.178
address_dst: 75.22.69.151
identity_src: type fqdn id 0: angie.sporkton.com
identity_dst: type fqdn id 0: fire.sporkton.com
src_mask: 255.255.255.248
dst_mask: 255.255.255.0
protocol: proto 0 flags 0
flow_type: type use direction out
src_flow: 38.102.248.176
dst_flow: 10.0.0.0




CISCO:
!
hostname fire
aaa new-model
aaa authentication login default local
!
ip inspect udp idle-time 180
ip inspect tcp block-non-session
ip inspect name outside_in tcp audit-trail on router-traffic timeout 43200
ip inspect name outside_in udp router-traffic
ip domain name sporkton.com
ip host sporkton.com 38.102.248.178
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key secret hostname angie.sporkton.com no-xauth
crypto isakmp identity hostname
!
crypto isakmp peer address 38.102.248.178
 set aggressive-mode password secret
 set aggressive-mode client-endpoint fqdn fire.sporkton.com
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_vpn 10 ipsec-isakmp
 set peer 38.102.248.178
 set transform-set ESP-3DES-SHA
 match address cryptomap_outside_10
!
interface FastEthernet0
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 crypto map outside_vpn
!


ip nat inside source route-map NoNAT interface Dialer1 overload
!
ip access-list extended NoNAT
 permit tcp 10.0.0.0 0.0.0.255 38.102.248.176 0.0.0.7 eq 22
 deny   ip 10.0.0.0 0.0.0.255 38.102.248.176 0.0.0.7
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended cryptomap_outside_10
 permit ip 10.0.0.0 0.0.0.255 38.102.248.176 0.0.0.7
ip access-list extended outside_access_in
 permit tcp any any eq 22
 permit icmp any any
 permit tcp any any established
 permit udp any eq domain any
 permit esp any any
 permit udp any any eq isakmp
!

route-map NoNAT permit 10
 match ip address NoNAT



 fire#   show crypto session
Crypto session current status

Interface: Dialer1
Session status: UP-ACTIVE
Peer: 38.102.248.178 port 500
  IKE SA: local 75.22.69.151/500 remote 38.102.248.178/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 38.102.248.176/255.255.255.248
Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 
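
As an added illustration (not code from the thread), here is a Python parser for the per-SA selector fields in the `ipsecctl -vs all` output quoted above; it reports which SA, if any, would carry a given inner source/destination pair and whether both directions are covered. The same check speaks to the first thread on this page: a connection sourced from an address outside the negotiated selectors is never matched by a flow and so never enters the tunnel. The sample SAD text is a trimmed, constructed copy of the output quoted in this post.

```python
"""Which IPsec flow would carry a given packet?  Added example, not from the thread.

Parses the per-SA selector fields printed by `ipsecctl -vs all` and answers, for
an inner source/destination pair, which SA (if any) would carry it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two SAD entries quoted in this post, trimmed to
# the fields the parser reads (unrelated lines are ignored, as in real output).
SAMPLE_SAD = """\
esp tunnel from 75.22.69.151 to 38.102.248.178 spi 0x6b8a31cd auth
hmac-sha1 enc 3des-cbc
        sa: spi 0x6b8a31cd auth hmac-sha1 enc 3des-cbc
        src_mask: 255.255.255.0
        dst_mask: 255.255.255.248
        flow_type: type use direction in
        src_flow: 10.0.0.0
        dst_flow: 38.102.248.176
esp tunnel from 38.102.248.178 to 75.22.69.151 spi 0xbf127570 auth
hmac-sha1 enc 3des-cbc
        sa: spi 0xbf127570 auth hmac-sha1 enc 3des-cbc
        src_mask: 255.255.255.248
        dst_mask: 255.255.255.0
        flow_type: type use direction out
        src_flow: 38.102.248.176
        dst_flow: 10.0.0.0
"""

SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")
FIELD_RE = re.compile(r"^(src_mask|dst_mask|src_flow|dst_flow): (\S+)$")
DIR_RE = re.compile(r"^flow_type: type \S+ direction (in|out)$")


@dataclass
class Flow:
    spi: str
    peer_src: str                # outer (tunnel) source address of the SA
    peer_dst: str                # outer (tunnel) destination address of the SA
    direction: str               # "in" or "out"
    src: ipaddress.IPv4Network   # inner source selector (src_flow/src_mask)
    dst: ipaddress.IPv4Network   # inner destination selector (dst_flow/dst_mask)


def _finish(rec: Dict[str, str]) -> Optional[Flow]:
    """Build a Flow from one parsed SA record; None if the SA shows no selector."""
    needed = ("src_flow", "src_mask", "dst_flow", "dst_mask", "direction")
    if not all(k in rec for k in needed):
        return None
    return Flow(
        spi=rec["spi"], peer_src=rec["peer_src"], peer_dst=rec["peer_dst"],
        direction=rec["direction"],
        src=ipaddress.IPv4Network((rec["src_flow"], rec["src_mask"])),
        dst=ipaddress.IPv4Network((rec["dst_flow"], rec["dst_mask"])),
    )


def parse_sad(text: str) -> List[Flow]:
    """Parse the SAD section of `ipsecctl -vs all` into Flow selectors."""
    flows: List[Flow] = []
    rec: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_RE.match(line)
        if m:  # a new SA header: close the previous record first
            f = _finish(rec)
            if f is not None:
                flows.append(f)
            rec = {"peer_src": m.group(1), "peer_dst": m.group(2), "spi": m.group(3)}
            continue
        m = FIELD_RE.match(line)
        if m:
            rec[m.group(1)] = m.group(2)
            continue
        m = DIR_RE.match(line)
        if m:
            rec["direction"] = m.group(1)
    f = _finish(rec)
    if f is not None:
        flows.append(f)
    return flows


def covering_flow(flows: List[Flow], src: str, dst: str, direction: str) -> Optional[Flow]:
    """Return the flow that carries a packet src -> dst in `direction`, or None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for f in flows:
        if f.direction == direction and s in f.src and d in f.dst:
            return f
    return None


def both_directions(flows: List[Flow], local: str, remote: str) -> bool:
    """True when local -> remote has an 'out' flow and remote -> local an 'in' flow."""
    return (covering_flow(flows, local, remote, "out") is not None
            and covering_flow(flows, remote, local, "in") is not None)
```

A pair for which `covering_flow` returns None is routed in the clear, which is what a backup sourced from the WAN address rather than the LAN address looks like to the kernel.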

altq rules not matching

2008-07-22 Thread Lord Sporkton
Currently I am trying to limit the bandwidth of one computer, .113;
however, there is almost nothing matching and going into the queue.
.113 is currently running BT, chat messengers, and multiple web
browsing instances.

Right now my rules are not as pretty as they might otherwise be; I am
trying to make them as general and short as possible for this
troubleshooting.

Can someone please hit me with the cluestick? Much appreciated, thank you.



fire# pfctl -vs queue
queue root_xl1 on xl1 bandwidth 100Mb priority 0 cbq( wrr root )
{wow_in, main_in}
  [ pkts:   5316  bytes:4864528  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
queue  wow_in on xl1 bandwidth 50Kb cbq( red )
  [ pkts:  1  bytes:233  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
queue  main_in on xl1 bandwidth 90Mb cbq( default )
  [ pkts:   5315  bytes:4864295  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
fire# cat /etc/pf.conf.test

#Tables
ext_if=xl0
int_if=xl1

table <private> const { 10/8, 172.16/12, 192.168/16 }

set block-policy drop
set skip on {enc0, lo0}

altq on $int_if cbq bandwidth 100Mb queue { main_in, wow_in }
queue wow_in bandwidth 50Kb cbq(red)
queue main_in bandwidth 90% cbq(default)

nat on $ext_if from <private> to any -> ($ext_if:0)

pass out from any to 10.0.0.113 queue wow_in

fire# uname -a
OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386


-- 
-Lawrence



Re: vsftpd [more secure]

2008-06-10 Thread Lord Sporkton
2008/6/10 Saulo Bozzi [EMAIL PROTECTED]:
 my question is to the system administrator.
 that know about vsftpd.

 thnkz.

 regardsbye.



I only find 2.0.5 in packages. Since you are asking about a system
that is not included in base and a version that's not in our packages
system, as someone else said, maybe you should ask the vsftpd mailing
list...


-- 
-Lawrence



have to add pass in rdr statement

2008-06-05 Thread Lord Sporkton
on OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
I have this pf.conf config; it does not work for VNC


ext_if=xl0
lawrence=10.0.0.17


rdr on $ext_if proto tcp from any to $ext_if port vncweb -> $lawrence port vncweb
rdr on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc

pass  in on $ext_if inet proto tcp  from any to $ext_if port vncweb \
modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)
pass  in on $ext_if inet proto tcp  from any to $ext_if port vnc \
modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)


If I use the pass keyword in the rdr statement instead (as below), it
works fine.


rdr pass on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc




Does anyone see something wrong with my pass statements?
thanks
thanks


-- 
-Lawrence



Re: Problems trunk-ing tun interfaces

2008-05-26 Thread Lord Sporkton
2008/5/25 Romar Morales [EMAIL PROTECTED]:
 Bump


 -- Forwarded message --
 From: Romar Morales [EMAIL PROTECTED]
 Date: Sun, May 18, 2008 at 3:46 AM
 Subject: Problems trunk-ing tun interfaces
 To: misc@openbsd.org


 I need help trunking tun interfaces.

 Actual goal - aggregate six ADSL connections from an office to a
 central network with gigE internet access for higher bandwidth to the
 office.

 Current state- four layer 2 tunnels that work individually, but which
 fail when part of a trunk virtual interface
 I've tried trunkproto of roundrobin, loadbalance and failover and none
 of them work. When not part of the trunk, the individual tun pass
 traffic properly.

 Is there some sysctl setting I'm not aware of that is required for
 trunking the tun interfaces to pass IP traffic across all the tun
 interfaces?

 --
 Romar Morales



This was an interesting one to me as I wanted to do something similar
with cable and DSL, so I looked it up in the man pages and I don't see
anything sticking out wrong with your setup. Could you post some
configs and such? Output of interfaces from ifconfig, etc.?



-- 
-Lawrence



Re: rtorrent ram issue (using 4.2)

2008-05-25 Thread Lord Sporkton
2008/5/25 Jesus Sanchez [EMAIL PROTECTED]:
 Hi all, I'm using OpenBSD 4.2.

 I would like to make my OpenBSD box to download torrents and to add new
 torrents by ssh so I installed rtorrent.

 I experienced a really huge memory use of the program to hash (check I
 think) the actual downloads. I know this client has to do the checks but
 I would like to jail the program on a 64 MB environment (my box have 1
 GB RAM) to make able to the machine to run a lot of things, but I can't
 stop the hashes eat all my RAM, even setting ulimit -m and the
 .rtorrent.rc max_memory_usage variable to 64M and less, but rtorrent
 still makes my computer allocate everything I'm using into swap and
 HD, really really slow.

 I know that many simultaneous downloads using a bittorrent-like client
 may cause system problems but I'm only doing 5 downloads.

 I have tested many different configs and always get problems; sometimes
 the client freezes (losing download time, because it's doing nothing for
 about 10 seconds every minute), sometimes I lose all the RAM and
 browsing the net, using xchat, compiling programs and stuff like that
 becomes really slow.

 Anyone have found a good .rtorrent.rc configuration to make the
 freeze/RAM-use disappear?

 Thanks for your time.  -Jesus



I have been using rtorrent with no RAM max and it never took over 30
megs; that was running up to 30 torrents at a time.

How many torrents are you running at one time?
Have you set any limits on IO? Perhaps IO is backing up into the RAM?
I know my Windows client does that.

-- 
-Lawrence



Re: small pc recommendation

2008-05-20 Thread Lord Sporkton
2008/5/20 Mark Rolen [EMAIL PROTECTED]:
 Tobias Walkowiak wrote:

 On Mon, May 19, 2008 at 11:51:04PM -0500, Andrew Konkol wrote:


 If you're looking for a single board computer using compact
 flash...I've had good luck with my ALIX 2c3
 http://pcengines.ch/alix2c3.htm


 Would be my recommendation, too. Just bought one as my home router and
 it works really great! And using a 266x CF card you even have sufficient
 hard disk speed.



 Alix boards seem to be cheaper than soekris.


 They are, indeed, and I would say that they aren't any worse.


 I agree with all of the above (I love my little alix2c3 firewall and it was
 definitely cheaper than a soekris, less than half the cost for three
 interfaces + USB), but the OP is complaining about slow USB speeds... aren't
 the ports on the alix just USB1.0 also?  I think they are (not near mine to
 check right now...)

 Mark



I found some official docs that state it's 2.0.

This is indeed the system I'm going to go with, the alix2c3; I found a
nice crypto accelerator for it too :)

-- 
-Lawrence



Re: How can I determine ethernet speed?

2008-05-19 Thread Lord Sporkton
2008/5/19 Kendall Shaw [EMAIL PROTECTED]:
 I'm an openbsd novice. I replaced cards on computers in my home network
 with gigabit ethernet and got a gigabit switch. Can I determine what
 speed or maybe what media my re0 interface is using?



You can use ifconfig; it should have a media: line telling what speed
and duplex you are at and how you got there, whether it was autoselect or not.


angie# ifconfig em0 | grep media
media: Ethernet autoselect (100baseTX full-duplex)



-- 
-Lawrence



small pc recommendation

2008-05-19 Thread Lord Sporkton
I just figured out the slow USB speed I'm seeing is because
my router/LAN server only has USB 1.0 (Optiplex GX100),
so I'm looking for a recommendation of a small form factor computer
to use as my home router/server; I'm going to eBay it until I
can fund myself a Soekris.

requirements are simple:

USB 2.0
at least 1 PCI slot free or 2 built-in Ethernet ports
OpenBSD compatible
cheap


thank you
-- 
-Lawrence



Re: small pc recommendation

2008-05-19 Thread Lord Sporkton
Ironically enough, that Optiplex just died, and now a PIX is in
its place until I get a new one.

2008/5/19 Lord Sporkton [EMAIL PROTECTED]:
 I just figured out the slow USB speed I'm seeing is because
 my router/LAN server only has USB 1.0 (Optiplex GX100),
 so I'm looking for a recommendation of a small form factor computer
 to use as my home router/server; I'm going to eBay it until I
 can fund myself a Soekris.

 requirements are simple:

 USB 2.0
 at least 1 PCI slot free or 2 built-in Ethernet ports
 OpenBSD compatible
 cheap


 thank you
 --
 -Lawrence




-- 
-Lawrence



Re: pf-altq-bandwith_problem

2008-05-18 Thread Lord Sporkton
2008/5/17 Jesus Sanchez [EMAIL PROTECTED]:
 Lord Sporkton wrote:

 2008/5/17 Jesus Sanchez [EMAIL PROTECTED]:


 Hi, I'm using OpenBSD 4.2

 Here my network to explain later:

 [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]

 I have a little problem when trying to set up an altq bandwidth shape with
 pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
 bandwidth, and also I have set some local servers on my OpenBSD to
 give some services to Joe, but I also want to give it at the 100Kbs
 speed mentioned before, even being local network (up to 100Mbs).

 The thing is that I have set the PF rules as manpages say, and
 everything works as expected when Joe goes out of my box to the internet,
 the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
 from my OpenBSD box, the speed ups in a factor of 40x, I mean, if Joe
 takes a file from my box, or my box from Joe, the speed is very very
 much higher.

 I have tried several things but I don't find the key to this. One thing:
 the speed factor when Joe connects to my OpenBSD is always 40x relative
 to the bandwidth value I give to the altq.


 my pf.conf (very simple, very unsafe, just to try this)
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 ext_if=rl0
 int_if=sk0

 scrub in all

 altq on $int_if cbq bandwidth 100Kb queue main
 queue main bandwidth 100% cbq(default)

 nat on $ext_if from $int_if:network -> $ext_if

 block all
 pass queue main

 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 Thanks for your time
 -Jesus





 If Joe is accessing things on his local LAN, that is, in his subnet,
 you will not be able to police this traffic as it never even hits the
 gateway (altq OpenBSD box), so the only limit will be the layer 2
 hardware (your switch(es)). Might I suggest putting your servers on a
 DMZ as a solution; then Joe will be forced through the gateway for any
 server access. If your layer 2 hardware is high end enough you may be
 able to do bandwidth control in the layer 2 hardware itself.

 As a side note, I don't believe OpenBSD can do altq on anything other
 than a physical interface, so if you put the servers on a DMZ, make
 sure to use a physical interface, not a VLAN.



 I don't want to disturb, but I think you're not right. I want to shape
 the bandwidth of the full interface. I know that if Joe is in a LAN with
 other PCs, the speed limit is the hardware limit, but I just want to
 limit one of the interfaces on my OpenBSD box to a certain number of Kbs
 (100Kbs), so PF already made changes, but I saw this weird behaviour and
 want to make the 100Kbs limit universal to all the interface transfers.

 If Joe wants a file from the OpenBSD gateway running a limit of 100Kbs
 (pf+altq), even to get a file from the gateway box by FTP, the 100Kbs
 limit should affect, or not? Please, I'm really a noob with this and I
 don't want to bother anyone with my words, I just talk about what I
 think; if I'm wrong, please let me know.

 note: DMZ is not possible for this project, I only have the same
 PC to make as OpenBSD and FTP server to the Joe users.

 Thanks for your time.
 -Jesus



You would need to run the queue outbound on the int_if, which is what
it looks like you're doing. So in theory your setup is right: as long
as whatever you're downloading from is on the other side of that int_if,
you should only see 100Kbs down to that whole int_if.

If you are getting more than 100Kbs, take a look at pfctl -vvs queue.



-- 
-Lawrence



Re: ipsec home network to colo server

2008-05-17 Thread Lord Sporkton
2008/5/15 Claer [EMAIL PROTECTED]:
 On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:

 2008/5/14 Lord Sporkton [EMAIL PROTECTED]:
  2008/5/14 scott learmonth [EMAIL PROTECTED]:
  On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED]
  wrote:
   I am trying to set up an IPsec link between my home network (private IP
   network behind dynamic public IP)
   and my colo server (single public static IP). I was a bit unclear on
   how to set up a tunnel between a static
   and dynamic IP
 
   interesting traffic:
   208.70.72.13 - 10.0.0.0/16
 
 
   My SAD seems to set up ok; however, afterward I get no flows and cannot
   pass
   data. I've checked out logs and ipsecctl -m, but see nothing of use.
 
   Below is data I believe relevant; if anything else is requested I will
   do my best to post it back in a timely fashion.
   Thank you
 
 
   colo server:
 
   # uname -a
   OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
   # cat /etc/ipsec.conf
 
   ike passive from 208.70.72.13 to 10.0.0.0/16 \
  aggressive auth hmac-sha1 enc 3des group modp1024   \
  quick auth hmac-sha1 enc 3des \
  srcid angie.sporkton.com dstid fire.sporkton.com \
  psk password
   # ipsecctl -sa
   FLOWS:
   No flows
 
   SAD:
   esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
   hmac-sha1 enc 3des-cbc
   esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
   hmac-sha1 enc 3des-cbc
   #
 
   ipsecctl -m output:
 
   sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
  address_src: 67.159.171.204
  address_dst: 208.70.72.13
  spirange: min 0x00000100 max 0xffffffff
   sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
  sa: spi 0x581ea1f0 auth none enc none
  state mature replay 0 flags 0
  address_src: 67.159.171.204
  address_dst: 208.70.72.13
   sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
  sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
  state mature replay 16 flags 4
  lifetime_hard: alloc 0 bytes 0 add 1200 first 0
  lifetime_soft: alloc 0 bytes 0 add 1080 first 0
  address_src: 208.70.72.13
  address_dst: 67.159.171.204
  key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
  key_encrypt: bits 192:
  65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
  identity_src: type fqdn id 0: angie.sporkton.com
  identity_dst: type fqdn id 0: fire.sporkton.com
  src_mask: 255.255.255.255
  dst_mask: 255.255.0.0
  protocol: proto 0 flags 0
  flow_type: type unknown direction out
  src_flow: 208.70.72.13
  dst_flow: 10.0.0.0
   sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
  sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
  state mature replay 16 flags 4
  lifetime_hard: alloc 0 bytes 0 add 1200 first 0
  lifetime_soft: alloc 0 bytes 0 add 1080 first 0
  address_src: 208.70.72.13
  address_dst: 67.159.171.204
  identity_src: type fqdn id 0: angie.sporkton.com
  identity_dst: type fqdn id 0: fire.sporkton.com
  src_mask: 255.255.255.255
  dst_mask: 255.255.0.0
  protocol: proto 0 flags 0
  flow_type: type unknown direction out
  src_flow: 208.70.72.13
  dst_flow: 10.0.0.0
   sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
  sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
  state mature replay 16 flags 4
  lifetime_hard: alloc 0 bytes 0 add 1200 first 0
  lifetime_soft: alloc 0 bytes 0 add 1080 first 0
  address_src: 67.159.171.204
  address_dst: 208.70.72.13
  key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
  key_encrypt: bits 192:
  496cd320b35638d36dd8f899b8ce76c150840092db466715
  identity_src: type fqdn id 0: fire.sporkton.com
  identity_dst: type fqdn id 0: angie.sporkton.com
  src_mask: 255.255.0.0
  dst_mask: 255.255.255.255
  protocol: proto 0 flags 0
  flow_type: type unknown direction in
  src_flow: 10.0.0.0
  dst_flow: 208.70.72.13
   sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
  sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
  state mature replay 16 flags 4
  lifetime_hard: alloc 0 bytes 0 add 1200 first 0
  lifetime_soft: alloc 0 bytes 0 add 1080 first 0
  address_src: 67.159.171.204
  address_dst: 208.70.72.13
  identity_src: type fqdn id 0: fire.sporkton.com
  identity_dst: type fqdn id 0: angie.sporkton.com
  src_mask: 255.255.0.0
  dst_mask: 255.255.255.255
  protocol: proto 0 flags 0
  flow_type: type unknown direction in
  src_flow: 10.0.0.0
  dst_flow: 208.70.72.13
 
 
 
   Home firewall:
 
   # uname -a
   OpenBSD fire.sporkton.com 4.3

Re: ipsec home network to colo server

2008-05-17 Thread Lord Sporkton
So egress being something very much like any then?

2008/5/17 Jose Quinteiro [EMAIL PROTECTED]:
 http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

 try

 ipsec.conf on fire:
 angie = 208.70.72.13
 fire  = 10.0.0.0/24

 ike esp from $fire to $angie local egress \
   srcid fire.sporkton.com dstid angie.sporkton.com



 ipsec.conf on angie:
 angie = 208.70.72.13
 fire  = 10.0.0.0/24

 ike passive esp from $angie to $fire \
   srcid angie.sporkton.com dstid fire.sporkton.com

 HTH,
 Jose.


Re: DNS Question.

2008-05-17 Thread Lord Sporkton
2008/5/17 Dark Nebula [EMAIL PROTECTED]:
 Hi all,

 Is possible perform a DNS query, that gives me all A records from one ip,
 (without using the reverse DNS) ?

 Thanks a lot



Are you asking to find all the forward A records for a given IP?
If so, there is no way to do that, not even with rDNS.



-- 
-Lawrence



Re: pf-altq-bandwith_problem

2008-05-17 Thread Lord Sporkton
2008/5/17 Jesus Sanchez [EMAIL PROTECTED]:
 Hi, I'm using OpenBSD 4.2

 Here my network to explain later:

 [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]

  I have a little problem when trying to set up an altq bandwidth shaper with
  pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
  bandwidth, and I have also set some local servers on my OpenBSD to
  give some services to Joe, but I also want to give it at the 100Kbs
  speed mentioned before, even being local network (up to 100Mbs).

  The thing is that I have set the PF rules as the manpages say, and
  everything works as expected when Joe goes out of my box to the internet,
  the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
  from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
  takes a file from my box, or my box from Joe, the speed is very very
  much higher.

  I have tried several things but I don't find the key to this. One thing:
  the speed factor when Joe connects to my OpenBSD is always 40x relative
  to the bandwidth value I give to the altq.


 my pf.conf (very simple, very unsafe, just to try this)
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 ext_if=rl0
 int_if=sk0

 scrub in all

 altq on $int_if cbq bandwidth 100Kb queue main
 queue main bandwidth 100% cbq(default)

  nat on $ext_if from $int_if:network -> $ext_if

 block all
 pass queue main

 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 Thanks for your time
 -Jesus




If Joe is accessing things on his local LAN, that is, in his subnet,
you will not be able to police this traffic as it never even hits the
gateway (altq OpenBSD box), so the only limit will be the layer 2
hardware (your switch(es)). Might I suggest putting your servers on a
DMZ as a solution, then Joe will be forced through the gateway for any
server access. If your layer 2 hardware is high end enough you may be
able to do bandwidth control in the layer 2 hardware itself.

As a side note, I don't believe OpenBSD can do altq on anything other
than a physical interface, so if you put the servers on a DMZ, make
sure to use a physical interface, not a vlan.


-- 
-Lawrence



Re: ipsec home network to colo server

2008-05-15 Thread Lord Sporkton
2008/5/14 Lord Sporkton [EMAIL PROTECTED]:
 2008/5/14 scott learmonth [EMAIL PROTECTED]:
 On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED]
 wrote:
  I am trying to set up an ipsec link between my home network (private IP
  network behind a dynamic public IP)
  and my colo server (single public static IP). I was a bit unclear on
  how to set up a tunnel between a static
  and a dynamic IP

  interesting traffic:
  208.70.72.13 - 10.0.0.0/16


  My SAD seems to set up ok, however afterward I get no flows and cannot pass
  data, I've checked out logs, and ipsecctl -m, but see nothing of use.

  Below is data I believe relevant, if anything else is requested I will
  do my best to post it back in a timely fashion
  thank you



Re: ipsec home network to colo server

2008-05-14 Thread Lord Sporkton
2008/5/13 Jonathan [EMAIL PROTECTED]:
 On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED] wrote:
  I am trying to set up an ipsec link between my home network (private IP
  network behind a dynamic public IP)
  and my colo server (single public static IP). I was a bit unclear on
  how to set up a tunnel between a static
  and a dynamic IP

  interesting traffic:
  208.70.72.13 - 10.0.0.0/16


  My SAD seems to set up ok, however afterward I get no flows and cannot pass
  data, I've checked out logs, and ipsecctl -m, but see nothing of use.

  Below is data I believe relevant, if anything else is requested I will
  do my best to post it back in a timely fashion
  thank you



Re: ipsec home network to colo server

2008-05-14 Thread Lord Sporkton
2008/5/14 scott learmonth [EMAIL PROTECTED]:
 On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED]
 wrote:
  I am trying to set up an ipsec link between my home network (private IP
  network behind a dynamic public IP)
  and my colo server (single public static IP). I was a bit unclear on
  how to set up a tunnel between a static
  and a dynamic IP

  interesting traffic:
  208.70.72.13 - 10.0.0.0/16


  My SAD seems to set up ok, however afterward I get no flows and cannot pass
  data, I've checked out logs, and ipsecctl -m, but see nothing of use.

  Below is data I believe relevant, if anything else is requested I will
  do my best to post it back in a timely fashion
  thank you



ipsec home network to colo server

2008-05-13 Thread Lord Sporkton
I am trying to set up an ipsec link between my home network (private IP
network behind a dynamic public IP)
and my colo server (single public static IP). I was a bit unclear on
how to set up a tunnel between a static
and a dynamic IP

interesting traffic:
208.70.72.13 - 10.0.0.0/16


My SAD seems to set up ok, however afterward I get no flows and cannot pass
data, I've checked out logs, and ipsecctl -m, but see nothing of use.

Below is data I believe relevant, if anything else is requested I will
do my best to post it back in a timely fashion
thank you


colo server:

# uname -a
OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
# cat /etc/ipsec.conf

ike passive from 208.70.72.13 to 10.0.0.0/16 \
aggressive auth hmac-sha1 enc 3des group modp1024   \
quick auth hmac-sha1 enc 3des \
srcid angie.sporkton.com dstid fire.sporkton.com \
psk password
# ipsecctl -sa
FLOWS:
No flows

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
hmac-sha1 enc 3des-cbc
#

ipsecctl -m output:

sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
address_src: 67.159.171.204
address_dst: 208.70.72.13
spirange: min 0x0100 max 0x
sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
sa: spi 0x581ea1f0 auth none enc none
state mature replay 0 flags 0
address_src: 67.159.171.204
address_dst: 208.70.72.13
sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 208.70.72.13
address_dst: 67.159.171.204
key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
key_encrypt: bits 192: 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
identity_src: type fqdn id 0: angie.sporkton.com
identity_dst: type fqdn id 0: fire.sporkton.com
src_mask: 255.255.255.255
dst_mask: 255.255.0.0
protocol: proto 0 flags 0
flow_type: type unknown direction out
src_flow: 208.70.72.13
dst_flow: 10.0.0.0
sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 208.70.72.13
address_dst: 67.159.171.204
identity_src: type fqdn id 0: angie.sporkton.com
identity_dst: type fqdn id 0: fire.sporkton.com
src_mask: 255.255.255.255
dst_mask: 255.255.0.0
protocol: proto 0 flags 0
flow_type: type unknown direction out
src_flow: 208.70.72.13
dst_flow: 10.0.0.0
sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 67.159.171.204
address_dst: 208.70.72.13
key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
key_encrypt: bits 192: 496cd320b35638d36dd8f899b8ce76c150840092db466715
identity_src: type fqdn id 0: fire.sporkton.com
identity_dst: type fqdn id 0: angie.sporkton.com
src_mask: 255.255.0.0
dst_mask: 255.255.255.255
protocol: proto 0 flags 0
flow_type: type unknown direction in
src_flow: 10.0.0.0
dst_flow: 208.70.72.13
sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 67.159.171.204
address_dst: 208.70.72.13
identity_src: type fqdn id 0: fire.sporkton.com
identity_dst: type fqdn id 0: angie.sporkton.com
src_mask: 255.255.0.0
dst_mask: 255.255.255.255
protocol: proto 0 flags 0
flow_type: type unknown direction in
src_flow: 10.0.0.0
dst_flow: 208.70.72.13



Home firewall:

# uname -a
OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
# cat /etc/ipsec.conf
ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
aggressive auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des \
srcid fire.sporkton.com dstid angie.sporkton.com \
psk password
# ipsecctl -sa
FLOWS:
No flows

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
hmac-sha1 enc 3des-cbc
#


ipsecctl -m output:

Re: ntfs usb drive fail to mount

2008-04-27 Thread Lord Sporkton
2008/4/25 Siju George [EMAIL PROTECTED]:
 On Fri, Apr 25, 2008 at 3:47 AM, Lord Sporkton [EMAIL PROTECTED] wrote:
   My apologies, I am indeed using GENERIC.
I did think that perhaps it did not support ntfs, but then I also
thought it would be rather absent minded to have included mount_ntfs
if support was not included, thus since I had mount_ntfs, I assumed I
had support for it.
  

  Rather than calling people absent minded don't you think you should
  be thankful that they put mount_ntfs in its place so that you can
  straight away mount NTFS filesystems once you compile the kernel with
  the option enabled which is not very difficult if you have the
  sources. If they hadn't put it there, after you compiled the kernel
  you will have to go looking for it.

  Don't call other people absent minded because you assumed the wrong things.
  What happened here is that you failed to read the Documentation and
  just assumed things.
  This happens to many of us once in a while but going to the extreme of
  calling people absent minded and names like that when the mistake is
  actually on your part will be looked upon as a direct insult in this
  list. :-)

  --Siju



Personally I feel it is wrong to include a controlling mechanism for a
feature that is not included. I feel if I have to go so far as to
rebuild my kernel, then I can certainly take a few more steps to add
mount_ntfs.


2008/4/26 Ivo van der Sangen [EMAIL PROTECTED]:

 On Thu, Apr 24, 2008 at 06:03:13PM -0400, jmc wrote:
   --- Lord Sporkton [Thu, Apr 24, 2008 at 02:32:37PM -0700]: ---
I have an NTFS drive attached via USB that was previously attached to
an XP home system
  
   [ ... ]
  
 #  mount -t ntfs -r /dev/sd0i /mnt/usb2
mount_ntfs: /dev/sd0i on /mnt/usb2: Operation not supported
  
   you don't say if you're using a GENERIC kernel or not, but from:
  
   http://www.openbsd.org/faq/faq14.html#foreignfs
  
Once you have determined which partition it is you want to use, you can
move to the final step: mounting the filesystem contained in it. Most
filesystems are supported in the GENERIC kernel: just have a look at the
kernel configuration file, located in the /usr/src/sys/arch/arch/conf
directory. However, some are not, e.g. the NTFS support is experimental
and therefore not included in GENERIC. If you want to use one of the
filesystems not supported in GENERIC, you will need to build a custom
kernel.
  

  Would it be a good idea to note the lack of support for NTFS
  filesystems in a GENERIC kernel in mount_ntfs(8)? If it is appreciated
  I will send a diff.

  Regards,

  Ivo van der Sangen




I would most certainly appreciate that, because THAT was the
documentation I read when I was trying to make this happen.



-- 
-Lawrence



ntfs usb drive fail to mount

2008-04-24 Thread Lord Sporkton
I have an NTFS drive attached via USB that was previously attached to
an XP home system

I am trying to now attach this drive to my OpenBSD server

I get the following error, however I'm unsure what I'm doing wrong.
Also, why does it show as a SCSI device? It's a PATA drive in a USB enclosure.
I created a very small partition from some remaining space and made it
ffs; that partition works and will mount no problem, it seems to be
filesystem specific.

Thank you
Lawrence

 #  mount -t ntfs -r /dev/sd0i /mnt/usb2
mount_ntfs: /dev/sd0i on /mnt/usb2: Operation not supported


# disklabel sd0
disklabel: warning, DOS partition table with no valid OpenBSD partition
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: 2A
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 36481
total sectors: 586072368
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#        size    offset  fstype [fsize bsize  cpg]
  a:     5103 586067265  4.2BSD   2048 16384    1
  c: 586072368         0  unused      0     0
  i: 586067202        63 unknown
#


Apr 24 11:43:40 fire /bsd: umass0 detached
Apr 24 11:43:43 fire /bsd: umass0 at uhub0 port 1 configuration 1 interface 0
Apr 24 11:43:43 fire /bsd:
Apr 24 11:43:43 fire /bsd: umass0: Cypress Semiconductor Cypress
AT2LP, rev 2.00/2.40, addr 2
Apr 24 11:43:43 fire /bsd: umass0: using SCSI over Bulk-Only
Apr 24 11:43:43 fire /bsd: scsibus1 at umass0: 2 targets
Apr 24 11:43:43 fire /bsd: sd0 at scsibus1 targ 1 lun 0: ST330062,
2A,  SCSI0 0/direct fixed
Apr 24 11:43:43 fire /bsd: sd0: 286168MB, 36481 cyl, 255 head, 63 sec,
512 bytes/sec, 586072368 sec total


-- 
-Lawrence



Re: ntfs usb drive fail to mount

2008-04-24 Thread Lord Sporkton
My apologies, I am indeed using GENERIC.
I did think that perhaps it did not support ntfs, but then I also
thought it would be rather absent minded to have included mount_ntfs
if support was not included, thus since I had mount_ntfs, I assumed I
had support for it.

I will look into adding ntfs support to my kernel

On 24/04/2008, jmc [EMAIL PROTECTED] wrote:
 --- Lord Sporkton [Thu, Apr 24, 2008 at 02:32:37PM -0700]: ---

  I have an NTFS drive attached via USB that was previously attached to
   an XP home system


 [ ... ]


#  mount -t ntfs -r /dev/sd0i /mnt/usb2
   mount_ntfs: /dev/sd0i on /mnt/usb2: Operation not supported


 you don't say if you're using a GENERIC kernel or not, but from:

  http://www.openbsd.org/faq/faq14.html#foreignfs

   Once you have determined which partition it is you want to use, you can
   move to the final step: mounting the filesystem contained in it. Most
   filesystems are supported in the GENERIC kernel: just have a look at the
   kernel configuration file, located in the /usr/src/sys/arch/arch/conf
   directory. However, some are not, e.g. the NTFS support is experimental
   and therefore not included in GENERIC. If you want to use one of the
   filesystems not supported in GENERIC, you will need to build a custom
   kernel.




-- 
-Lawrence



Re: bgp routing question

2008-04-15 Thread Lord Sporkton
On 25/03/2008, Fridiric Pli [EMAIL PROTECTED] wrote:
 Hi,

  I have an openbsd router with two ebgp peers.

  I have serveral prefixes to announce but I would like to know how I could
  influence outcoming traffic from each of my prefix.

  I did not understand how to use weight, localpref and metric nor filter
  rules to do that.

  any clue or example ?

  many thanks,


  FP



I believe you can use local pref to influence outbound traffic.

http://www.cisco.com/en/US/docs/internetworking/technology/handbook/bgp.html#wp1020583

--
-Lawrence



Re: constant barrage from rfc 1918 addresses source port 6293

2008-04-10 Thread Lord Sporkton
On 10/04/2008, Chris Smith [EMAIL PROTECTED] wrote:
 I block and log rfc 1918 connection attempts and am seeing the following
  in pflog continuously ad nauseum:

  Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1:
  172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
  Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1:
  172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
  Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1:
  172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
  Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1:
  172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
  Apr 10 15:10:24.821674 rule 9/(match) block in on fxp1:
  172.21.225.72.6293 > 68.61.77.3.53965: [|tcp] [tos 0x20]
  Apr 10 15:11:28.559238 rule 9/(match) block in on fxp1:
  172.21.240.45.6293 > 68.61.77.3.58733: [|tcp] (DF) [tos 0x20]
  Apr 10 15:11:29.397925 rule 9/(match) block in on fxp1:
  172.21.240.63.6293 > 68.61.77.3.62274: [|tcp] [tos 0x20]

  The source IP addresses do repeat (but not in a specific order) and the
  source port remains constant at 6293.

  As these addresses (AFAIK) aren't generally routed I'm wondering about
  their source.

  Possibly all spoofed, but as I'm using cable service, they could also be
  from a system on the local shared subnet. Another thought is that the
  ISP (Comcast) is using and routing them for their own purposes (VOIP
  service, etc.). Any ideas?

  Thanks.

  --

 Chris



I would highly doubt that you are seeing internal traffic from your
ISP; whatever it is, it's pointing directly at you, it's not just stray
traffic that's passing on your link. I would suggest contacting your
ISP concerning this, they may be able to track it and/or prevent it.

It is possible that it's not really meant for you, but perhaps your
modem, something along the lines of a modem check-in? Hypothetically
speaking, if your modem was trying to report home sourcing from your
public IP but the public IP was actually assigned on your router, you
could see return traffic from your modem's report home -- that is of
course a stretch and highly unlikely. Any ISP that set up something
like that would be retarded beyond the capability of their sales team.

-- 
-Lawrence
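An added example, not code from the thread: a small parser that runs over the pflog lines quoted above (unwrapped, with the ">" the archive stripped restored) and reports whether the blocked RFC 1918 sources all share one source port, which is the pattern being asked about. All function names, the grouping logic and the one extra public-source line are this example's own constructions.

```python
"""Summarise blocked RFC 1918 sources in pflog output like the thread's.

Added example, not code from the thread. It parses tcpdump-style pflog
lines, keeps blocked entries whose source is an RFC 1918 address, groups
those sources by source port, and reports whether one source port is
shared by many different sources (172.21.x.x sources, source port 6293
in the thread). Function names are this example's own choice.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# One pflog line as tcpdump prints it: timestamp, rule, action, direction,
# interface, then "src.sport > dst.dport:" followed by protocol details.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_pflog(lines):
    """Yield one dict per line that matches PFLOG_RE; skip anything else."""
    for line in lines:
        m = PFLOG_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["rule"] = int(entry["rule"])
            entry["sport"] = int(entry["sport"])
            entry["dport"] = int(entry["dport"])
            yield entry


def summarize_private_sources(lines):
    """Blocked RFC 1918 sources grouped by source port, plus hit destinations."""
    by_sport = defaultdict(set)
    destinations = Counter()
    for e in parse_pflog(lines):
        if e["action"] == "block" and is_rfc1918(e["src"]):
            by_sport[e["sport"]].add(e["src"])
            destinations[e["dst"]] += 1
    return {
        "sources_by_sport": {p: sorted(s) for p, s in by_sport.items()},
        "destinations": dict(destinations),
    }


def constant_source_port(summary, min_sources=3):
    """Source port shared by at least min_sources distinct private sources, else None."""
    for port, sources in summary["sources_by_sport"].items():
        if len(sources) >= min_sources:
            return port
    return None


# Four entries from the thread, each unwrapped onto one line, plus one
# constructed entry from a public (TEST-NET-2) address that must be ignored.
SAMPLE_PFLOG = [
    "Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1: "
    "172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]",
    "Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1: "
    "172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]",
    "Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1: "
    "172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]",
    "Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1: "
    "172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]",
    # constructed: same source port, but not a private source
    "Apr 10 15:12:00.000000 rule 9/(match) block in on fxp1: "
    "198.51.100.7.6293 > 68.61.77.3.40000: [|tcp] (DF) [tos 0x20]",
]


if __name__ == "__main__":
    summary = summarize_private_sources(SAMPLE_PFLOG)
    for sport, sources in summary["sources_by_sport"].items():
        print(f"source port {sport}: {len(sources)} private sources {sources}")
    print("constant source port:", constant_source_port(summary))
```

The summary only says what pflog recorded (many private sources, one fixed source port, one destination); whether the packets are spoofed or originate on the shared segment is something only the upstream can settle, as the reply says.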



ssh queue rules

2008-03-26 Thread Lord Sporkton
I have this rule in my PF
and its not working

everything just gets thrown into the high queue and nothing touches
the low queue

(this is from the output of pfctl -s rules)
pass in on em0 inet proto tcp from any to 208.70.72.13 port = ssh
flags S/SA modulate state (source-track rule, max-src-conn-rate 3/30,
overload ssh-attack, src.track 30) queue(low, high)

my ssh is being set with lowdelay

(from tcpdump)
14:40:24.180347 13-72-70-208.uniplex.us.ssh >
georgia.static.qwest.net.61282: P 5820:5984(164) ack 53 win 17520 (DF)
[tos 0x10]

and my ssh transfer is being tagged high throughput

(from tcpdump)
14:43:53.936143 13-72-70-208.uniplex.us.ssh >
georgia.static.qwest.net.2904: . 269868:271328(1460) ack 961 win 17520
(DF) [tos 0x8]

any suggestions on what I'm doing wrong?
thanks

-- 
-Lawrence



Re: ssh queue rules

2008-03-26 Thread Lord Sporkton
I was watching my queues via pfctl -vvs queues.
Per the man page:

 when a second one is specified it will instead be used for packets
which have a TOS of lowdelay and for TCP ACKs with no data payload

so I believe bulk would go to low as it's the first queue listed, and
interactive would go to high as it's the second queue listed.

On 26/03/2008, Calomel [EMAIL PROTECTED] wrote:
 I believe your low queue is for ssh interactive traffic only. The high
  queue is for bulk traffic like scp or sftp transfers.

  If you watch your queues in pftop (page 8) you should see ssh traffic like
  typed commands in the low queue and the rest goes to the high queue.

  Hope this helps

   PF Config how to (pf.conf)
   http://calomel.org/pf_config.html


  --
   Calomel @ http://calomel.org/
   Open Source Research and Reference



  On Wed, Mar 26, 2008 at 04:41:01PM -0700, Lord Sporkton wrote:
  I have this rule in my PF
  and it's not working
  
  everything just gets thrown into the high queue and nothing touches
  the low queue
  
  (this is from the output of pfctl -s rules)
  pass in on em0 inet proto tcp from any to 208.70.72.13 port = ssh
  flags S/SA modulate state (source-track rule, max-src-conn-rate 3/30,
  overload ssh-attack, src.track 30) queue(low, high)
  
  my ssh is being set with lowdelay
  
  (from tcpdump)
  14:40:24.180347 13-72-70-208.uniplex.us.ssh >
  georgia.static.qwest.net.61282: P 5820:5984(164) ack 53 win 17520 (DF)
  [tos 0x10]
  
  and my ssh transfer is being tagged high throughput
  
  (from tcpdump)
  14:43:53.936143 13-72-70-208.uniplex.us.ssh >
  georgia.static.qwest.net.2904: . 269868:271328(1460) ack 961 win 17520
  (DF) [tos 0x8]
  
  any suggestions on what I'm doing wrong?
  thanks
  
  --
  -Lawrence



-- 
-Lawrence
-Student ID 1028219
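
The two-queue rule quoted from pf.conf(5) above can be checked directly against tcpdump output. The Python below is an added example, not code from the thread: it parses tcpdump lines in the format shown in the posts (with the '>' between source and destination that the archive rendering dropped) and applies the documented rule, sending packets whose TOS has lowdelay set, and TCP ACKs with no data, to the second-listed queue and everything else to the first. The sample lines are constructed from the two posted packets plus an assumed pure ACK from the client side.

```python
import re

IPTOS_LOWDELAY = 0x10   # the TOS bit pf.conf(5) tests for the second queue

# tcpdump line format as shown in the thread, e.g.
#   <ts> <src> > <dst>: <flags> [<seq>:<seq>(<len>)] [ack N] win N ... [tos 0xNN]
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFPR.]+)"                 # TCP flags; "." means none of S/F/P/R
    r"(?:\s+\d+:\d+\((?P<len>\d+)\))?"      # optional seq range with payload length
    r"(?P<ack>\s+ack\s+\d+)?"               # optional "ack N"
    r".*?\[tos\s+0x(?P<tos>[0-9a-fA-F]+)\]"
)

# Constructed sample: the two posted ssh packets (interactive, then bulk
# transfer), plus an assumed pure ACK coming back from the client.
SAMPLE_LINES = [
    "14:40:24.180347 13-72-70-208.uniplex.us.ssh > georgia.static.qwest.net.61282: "
    "P 5820:5984(164) ack 53 win 17520 (DF) [tos 0x10]",
    "14:43:53.936143 13-72-70-208.uniplex.us.ssh > georgia.static.qwest.net.2904: "
    ". 269868:271328(1460) ack 961 win 17520 (DF) [tos 0x8]",
    "14:43:53.940000 georgia.static.qwest.net.2904 > 13-72-70-208.uniplex.us.ssh: "
    ". ack 271328 win 65535 (DF) [tos 0x8]",
]


def parse_tcpdump_line(line):
    """Extract the fields the queue decision depends on from one tcpdump line."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "flags": m.group("flags"),
        "payload_len": int(m.group("len") or 0),
        "is_ack": m.group("ack") is not None,
        "tos": int(m.group("tos"), 16),
    }


def select_queue(pkt, queues):
    """Apply the pf.conf(5) rule for 'queue(first, second)'.

    The second queue gets packets whose TOS has lowdelay set and TCP ACKs
    carrying no data; every other packet goes to the first queue.
    """
    first, second = queues
    if pkt["tos"] & IPTOS_LOWDELAY:
        return second
    if pkt["is_ack"] and pkt["payload_len"] == 0:
        return second
    return first


def classify(lines, queues=("low", "high")):
    """Queue chosen for each line under the posted rule's queue(low, high)."""
    return [select_queue(parse_tcpdump_line(line), queues) for line in lines]


if __name__ == "__main__":
    for line, q in zip(SAMPLE_LINES, classify(SAMPLE_LINES)):
        print("%-5s %s" % (q, line.split(": ", 1)[1]))
```

Under the documented rule the 1460-byte transfer segments belong in low, the first-listed queue; the throughput bit (tos 0x8) plays no part in the decision.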



Re: internal virtual network with qemu

2008-03-19 Thread Lord Sporkton
On 17/03/2008, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Tue, Mar 11, 2008 at 09:33:10AM -0700, Lord Sporkton wrote:
   I am running OpenBSD on OpenBSD with qemu (from pkg), all 4.2
  
   I am using the host OS for network services, ntp, dns, and router,
  
   I am using the guest OSes for client services, www, ftp, sql, etc.


 Eh... are you aware that qemu without kqemu is very, very slow? And that
  this list has a "virtualization does not enhance security" mantra?

  Just checking. If you want to experiment with a real network without
  having a large amount of hardware, what you're doing is actually a
  pretty good way of going about it. Just don't try to *actually* run it
  in production.

That is pretty much what I'm trying to do, simulate a real network.
Part of that being that all my virtuals would see themselves on the
same layer 2 network and would be able to talk to each other without
the host acting as a router, the same way vmware does it.



   My goal is to have all the guests on internal addresses and use the
   host to nat them to publics as needed, as well as the host providing
   ipsec tunnels to allow other locations to access the client services
   via internal address.
  
   My question is:
   Is it best to put my private gateway ip on the real ethernet interface
   or on a loopback or other interface on the host?


 I'm not really sure what you mean. Most qemu setups I've seen connect to
  the host OS via tunX, so there is not really a private gateway there.
  You could NAT your real external interface into these tun devices.

 Joachim


And part of a real network is that I would have a gateway (firewall).
I misunderstood how qemu handles networking; I was under the impression
that it piggybacked on a real interface, much the way that vmware or a
Windows virtual machine does: you tell it to attach to x interface and it
puts a second MAC on the interface and then uses that interface (although
shared) as if it were its own physical NIC.

Your reply suggests I am understanding it wrong; however, I did not see
anything in the man page saying otherwise, so perhaps I missed something.


  --
  TFMotD: ul (1) - do underlining




-- 
-Lawrence
-Student ID 1028219



Re: internal virtual network with qemu

2008-03-19 Thread Lord Sporkton
On 19/03/2008, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008-03-19, Lord Sporkton [EMAIL PROTECTED] wrote:
   I misunderstood how qemu handles networking; I was under the impression
   that it piggybacked on a real interface, much the way that vmware or a
   Windows virtual machine does: you tell it to attach to x interface and it
   puts a second MAC on the interface and then uses that interface (although
   shared) as if it were its own physical NIC.


 there are various ways it can handle networking, read the docs...
  http://fabrice.bellard.free.fr/qemu/qemu-doc.html



If you have to refer me to an outside doc, isn't that a sign that the
man page should be updated?

I don't mind updating it; in fact, if I can make that outside doc work,
I'll be more than happy to submit updates for the man page. I just want
to make sure that the info _isn't_ in the man page and I didn't just miss it.

-- 
-Lawrence
-Student ID 1028219




internal virtual network with qemu

2008-03-11 Thread Lord Sporkton
I am running OpenBSD on OpenBSD with qemu (from pkg), all 4.2

I am using the host OS for network services, ntp, dns, and router,

I am using the guest OSes for client services, www, ftp, sql, etc.

My goal is to have all the guests on internal addresses and use the
host to nat them to publics as needed, as well as the host providing
ipsec tunnels to allow other locations to access the client services
via internal address.

My question is:
Is it best to put my private gateway ip on the real ethernet interface
or on a loopback or other interface on the host?

Thank you
-- 
-Lawrence



Re: PF and application level firewall

2008-03-11 Thread Lord Sporkton
I believe squid is what you are looking for



On 11/03/2008, Rami Sik [EMAIL PROTECTED] wrote:
 Hi All,



  I currently have PF in place with CARP, and am quite happy with them. I
  need to implement application level firewalling in front of my apache
  servers as a PCI requirement by the end of June this year.  So, my
  question is, do we have any application level firewalling support on
  OpenBSD? Or, which third party tool/application would you suggest for
  that purpose?



  Thanks,






  Rami




-- 
-Lawrence
-Student ID 1028219



ipsec config old vs new

2008-03-05 Thread Lord Sporkton
I'm having a bit of trouble understanding how the new ipsec should
work; I'm not sure if isakmpd is no longer needed or if just its config
has been moved to ipsec.conf

so do I need ipsec.conf and isakmpd
or do I just need ipsec.conf

-- 
-Lawrence
-Student ID 1028219



Re: ipsec config old vs new

2008-03-05 Thread Lord Sporkton
nvm, archives, found my answer

On 05/03/2008, Lord Sporkton [EMAIL PROTECTED] wrote:
 I'm having a bit of trouble understanding how the new ipsec should
  work; I'm not sure if isakmpd is no longer needed or if just its config
  has been moved to ipsec.conf

  so do I need ipsec.conf and isakmpd
  or do I just need ipsec.conf


  --
  -Lawrence
  -Student ID 1028219



-- 
-Lawrence
-Student ID 1028219



Re: gotchas for old Proliants

2008-02-08 Thread Lord Sporkton
All I can say is that I have a 1850R and a 5000, both of which run
wonderfully so far with OpenBSD; the 1850 is dual PII 450 and the 5000
is quad PII 400, haven't had a single problem so far.

However, that price tag is way out of range; I bought both of mine for 90.

On 08/02/2008, Douglas A. Tutty [EMAIL PROTECTED] wrote:
 On Thu, Feb 07, 2008 at 11:24:14PM -0500, Nick Holland wrote:

  I've warned you about a lot of them, you ignored that, but for some reason
  I feel obligated to try one more time.  I just hate to see people do things
  like this to themselves (and I want to be able to say, "No, not interested
  in helping on this" in clear conscience).

 Thanks Nick,

 I didn't ignore it, but you weren't this specific.

 
  For that kinda money, they better be delivering it...and helping you get
  it on the rack.
 

 Yeah.  I know.

  Old Compaqs are an art.  Old Compaq servers are a black art.  They are
  some of the quirkiest, strangest, and most obnoxious systems I've worked
  with.  Kinda like a Cisco switch, in that once you get the dang thing
  running the way you want, you feel so great because the pain stopped, so
  you tend to forget it just shouldn't have been that way.
 
  I've yet to see a multi-Pentium and only one Multi-PPro machine run
  OpenBSD/SMP. (score is at least two Pentiums and two PPros that didn't
  work with SMP),
 

 I know that there's no SMP.

  I suspect our EISA support has suffered severe bit rot.  Between the
  system and the bus, I'd be rather surprised if you got the thing running
  OpenBSD (pleasantly surprised, yes, but surprised).  If you do, please
  post dmesg. :)  I just looked through the dmesg log, I saw no Pentium
  class EISA machines that people sent dmesgs from.  I saw a few PPro
  systems, one PPro running GENERIC.MP, several Alphas and HPPA systems.
 

 I haven't investigated EISA.  These boxes are supposed to be a
 combination of PCI and EISA.  I would be using the PCI slots.  However,
 I suppose that some things internally would be on the EISA bus (e.g.
 keyboard, floppy drive).

  The CMOS battery is dead (or will be soon).  It isn't going to be easy
  to replace.  See the SPARC Battery FAQ and the part about cutting into
  the old CMOS chip to solder in your own battery (it works, done it on a
  SS2 and a mvme88k, worked.  I also seem to have toasted another mvme88k
  doing the same thing, but I didn't pay $300 for that machine.  BTW:
  I'm way out of practice, but I'm still much better than your average
  $5 soldering iron novice, I used to do component-level repair on
  computers and other such things.  I got good equipment and I sorta know
  what I'm doing...and I still managed to break the CPU board on the
  mvme88k.
 

 The service manual for these boxes has a section on adding an external
 battery and there's supposed to be a socket/pin-pair on the motherboard
 to accept the battery.  Presumably (hopefully??) a lithium button
 battery of the same number of cells as the original should fit.

 But that is a lot of shoulds and hopefullys for a non-free box.

  EISA isn't fun when it works properly.  I've probably config'd more EISA
  machines than most people on this list, trust me, it's not fun.  If you
  have never done it before, the time to learn was back in the 1980s, not
  now.  WITH THE RIGHT TOOLS, Compaqs were some of the easiest to configure,
  but finding the right tools was exciting last time I tried.  When it
  DOESN'T work properly...ew.
 

 Is it worse than ISA?  Have that on my 486 with no PCI on which to
 fall-back.

  No disks...you better hope they include the Compaq config utilities on a
  CD so you can install 'em and configure the thing.  I've done it from
  floppies, Not Fun.  I screwed up the disk config, reinstalled.  More Not
  Fun.  I think I did this three or four times.  I did learn disk OpenBSD
  disk configuration Really Well, so I guess it was a good, not fun thing.
 
  Hope they include disk trays.  There are a lot of old servers lying
  around, there are a lot of old disk trays.  The servers and disk trays
  are rarely in the same place.  No idea how that happens.  There are
  several variations of Compaq disk trays, not sure how cross compatible
  they are. (68 pin drives, 80 pin (SCA) drives, 1 drives, 1.6 drives).
 

 That is an open question which would have to be solved prior to
 purchase.

  Did I mention that Compaqs config the disk array using the utility
  partition or the utility CD?  I have a stack of cac(4) cards.  Spent a
  day or so building an array on a Windows machine, moved it to the
  target machine, and then discovered that cac(4)s are really, really slow.
  BTW: don't think that because you use SCSI, you don't have to worry about
  disk size.  Expecting to build a 1TB disk array on a 15 year old
  controller may expose some issues.
 

 I found the config utilities on the website.  I don't yet know re
 issues.  I wasn't planning a 1 TB array, more like 300 GB or so.

  speculation
  Old cac's 

OT:what can be done about attackers/crackers

2008-01-31 Thread Lord Sporkton
Very soon I am getting some static IPs for my cable home connections;
currently I have 1 dynamic IP.

I'm using pf to block ssh brute force attempts and it's working
splendidly. However, now I have this pf table full of IPs and nice logs
indicating hack attempts via ssh, not to mention other services they
are trying to breach. Since I have all these nice logs and data, what
can I do about it, other than blocking it? My main concern is that of
someone DoSing my connection, which will only be 2 up and won't support
any sort of planned DoS; it will lag and congest with too much evil
traffic.

I have some experience with abuse departments; I know the usual first
step is to report to a provider, however I also know many providers are
unresponsive, so what can I do beyond that?

any opinions welcome, thank you
-- 
-Lawrence



Re: OT:what can be done about attackers/crackers

2008-01-31 Thread Lord Sporkton
I currently have 512Kb up & 6 megs down with one dynamic IP.
I'm getting
2 megs up, 15 megs down with a block of 8 static IPs.
I am doing this so I have mobile access to my lab; I work on windows
systems all day but I use unix tools most often to troubleshoot. The
other thing is I'm gonna run some backups from my colo down to my
house, and some backup servers at my house as well.

My question was not so much what can I do to mitigate the attack when
it's happening; it's more what can I do after someone attacks to stick
it to them.

I know with a DDoS I'm pretty much SOL, but with a single origination
point DoS (I don't just mean bandwidth based DoS, I mean any DoS, be that
clogging my firewall or clogging my server or whatever) I should be
able to identify an offending IP and have logs to back it up. For example,
an ssh attack is usually (not always) from a single zombie node or
script kiddy; I would see logs indicating such, so now I have an IP
and logs. What can I do with them, who can I report them to other than
the provider?



On 31/01/2008, Richard Daemon [EMAIL PROTECTED] wrote:


 On Jan 31, 2008 4:30 PM, Lord Sporkton [EMAIL PROTECTED] wrote:
  Very soon I am getting some static IPs for my cable home connections;
  currently I have 1 dynamic IP.
  
  I'm using pf to block ssh brute force attempts and it's working
  splendidly. However, now I have this pf table full of IPs and nice logs
  indicating hack attempts via ssh, not to mention other services they
  are trying to breach. Since I have all these nice logs and data, what
  can I do about it, other than blocking it? My main concern is that of
  someone DoSing my connection, which will only be 2 up and won't support
  any sort of planned DoS; it will lag and congest with too much evil
  traffic.
  
  I have some experience with abuse departments; I know the usual first
  step is to report to a provider, however I also know many providers are
  unresponsive, so what can I do beyond that?
  
  any opinions welcome, thank you
  --
  -Lawrence
 
 
 Just curious, what's the reason(s) you're getting 2 static, instead of 1
 dynamic? Just curious...





-- 
-Lawrence
-Student ID 1028219



Re: low-MHz server

2008-01-30 Thread Lord Sporkton
I fail to see why you are moving the applications off the Athlon. Why
not just use your apps on the Athlon and ssh to it? It is multi-user,
after all.

On 30/01/2008, Douglas A. Tutty [EMAIL PROTECTED] wrote:
 Hello,

 I have an unusual situation and problem at which I've been chipping
 away.  The resultant system will need to run OpenBSD so I'm asking here
 for the accumulated wisdom.  The base technology predates my IT
 experience.

 My wife is sensitive to what she describes as electromagnetic fields.
 She gets headaches and other pains when exposed to equipment: the higher
 the frequency, the worse her symptoms.  For example, a VT is better than
 a regular CRT connected to even a P-II-233 MHz while a 486DX4-100 is
 better than the P-II.  Both are far better than my Athlon64 @3.5 GHz.
 And any CRT is better than any LCD/plasma screen.  Even my Palm Zire (I
 think 233 MHz) with its ~2x~3 screen is unsuitable within about 30
 feet of her.  She can't wear a digital watch.

 For lack of anything suitable, I have been using my Athlon64 for daily
 use, with the P-II used for other-machine backup and ssh access to the
 Athlon64 (one is upstairs, the other is downstairs) for e.g. a quick
 email check.  My 486 isn't used right now since it only has 32 MB ram
 and an 850 MB hard drive.  The backup set size right now is around 2 GB.

 I now have a VT520 which I can put upstairs for those email checks which
 means I can move the P-II farther away from her.

 While I want to keep the Athlon64 for serious heavy lifting (graphical
 web browsing, watching DVDs, burning CDs, etc,) I want to move the main
 application server function off of it.  The P-II only has 64 MB of ram,
 is an abused box I rescued (full of cat hair and over-heating).  I would
 like to get a box (or boxes) that is (are) reliable, run at e.g. 133 MHz
 (certainly less than 200 MHz), with lots of ram, and lots of hard drive
 space.  Since the apps run on it will be non-graphical, it could be
 headless, accessed via the VT520 or ssh from the Athlon.

 I'm thinking that this will be unsuitable for an embedded device like a
 soekris and more like an older multi-disk server.  I guess I'll have to
 go to eBay for the hardware since it's long gone off any reseller's
 shelf.  I don't have any experience with anything other than i386 or
 amd64 so in that line I figure this will be a multiple-CPU 486 or
 Pentium box.

 Because the box will be so old, it would have to be one that was popular
 so that spare parts are readily available, but also one that was well
 designed and built in the first place.  I can tolerate some down time
 while I swap out parts but I want to be able to keep spares on hand.  I
 suppose I could buy 3 complete functioning boxes just for the spares.
 Looking at the packages lists in the different arches that 4.2 works on,
 the four possibilities are i386, alpha, sparc, and sparc64.  Since this
 is a finished room in the basement, not a datacenter, I want the box to
 do its own hard drive storage and not just be a compute node that is
 supposed to have a separate box full of drives (unless this is
 straight-forward).  I'm envisioning something like a 4- or 5U server
 box.  Rackmounting a single server is fine since I can make a suitable
 shelf to simulate a rack.

 Here's the software that I need to run on the box (beyond what is in 4.2
 base):

 vim
 mc
 mutt
 tex
 python
 some kind of printfilter to serve my Epson LQ-2080 impact printer.


 Here's the hardware-type I'm envisioning:

 Multiple CPU so that multiple apps can run better on limited individual
 CPUs, running under 200 MHz
 Probably PCI bus.
 Parallel port for the printer (or I would just use a USB adapter)
 USB for future needs
 serial port for console
 multi-port serial for terminal(s) and my external 3Com Courier modem.
 10 or 10/100 Ethernet
 Multiple hard drives:  IIRC, the older boxes had 9 GB SCSI drives.  I
 don't know if one can plunk new eg. 250 GB SCSI drives in them.
 SCSI HBA for a tape drive


 Any suggestions for good old boxes like this that will run modern
 OpenBSD and be reasonably reliable?

 Thanks,

 Doug.




-- 
-Lawrence
-Student ID 1028219



Re: separate processors

2008-01-28 Thread Lord Sporkton
What keywords should I be searching for?
I have no idea what this would be called.

On 28/01/2008, johan beisser [EMAIL PROTECTED] wrote:

 On Jan 27, 2008, at 9:24 PM, Lord Sporkton wrote:

  I am setting up a dual core server; the server will be doing 2 things,
  firewall/routing and user-services.
 
  Since my needs are pretty small for this server and it's a dual 2.0
  64-bit, I was hoping to sort of partition the CPUs such that
  firewalling/kernel processes get one processor and user services like
  webhosting, mail, fileserver, and all userland get the other
  processor; that way my firewall won't be bothered by anything else I'm
  doing.

 Multiple CPU systems don't work like that, generally.

  Is this possible, and if so, where should I start with this?

 - Google.
 - the misc@ archives.




-- 
-Lawrence
-Student ID 1028219



Re: separate processors

2008-01-28 Thread Lord Sporkton
On 28/01/2008, Geoff Steckel [EMAIL PROTECTED] wrote:
 Lord Sporkton wrote:
  What keywords should I be searching for?
  I have no idea what this would be called.
 
  On 28/01/2008, johan beisser [EMAIL PROTECTED] wrote:
  On Jan 27, 2008, at 9:24 PM, Lord Sporkton wrote:
 
  I am setting up a dual core server; the server will be doing 2 things,
  firewall/routing and user-services.
 
  Since my needs are pretty small for this server and it's a dual 2.0
  64-bit, I was hoping to sort of partition the CPUs such that
  firewalling/kernel processes get one processor and user services like
  webhosting, mail, fileserver, and all userland get the other
  processor; that way my firewall won't be bothered by anything else I'm
  doing.
  Multiple CPU systems don't work like that, generally.
 In general, you either don't want it or the system can't do it.

 Firewall software and routing run in the kernel and therefore have
 very high priority. They will run regardless of any user services
 except in rare and very ugly cases.

 Partitioning like you are asking for is done on extremely large
 and complex systems.

 hope this helps
geoff steckel


Well, my main concern was that things like fileserver, monitoring,
hosting, and other user services might spike the CPU and cause degradation
of the firewall/router functions; however, Geoff's statement seems to
indicate that shouldn't be a problem.
-- 
-Lawrence



looking for openbsd friendly server vendor

2008-01-27 Thread Lord Sporkton
I'm about to buy a small server, mostly for personal use,
looking for a 1U.

Was hoping to find some vendors that are OpenBSD-friendly;
if they offer more than just i386 that is a plus as I'm investigating
other archs as a possibility. Any suggestions welcome.

This server will be doing mostly webhosting, dns, mail, small
firewalling, and a vpn or 2.

thanks

-- 
-Lawrence



Re: looking for openbsd friendly server vendor

2008-01-27 Thread Lord Sporkton
Awesome, 64 it is, thank you.

On 27/01/2008, NetOne - Doichin Dokov [EMAIL PROTECTED] wrote:
 Lord Sporkton wrote:
  Perhaps I was wrong but I thought OpenBSD was only 32-bit for now?
 Yup, you're wrong. There's amd64 port, which runs fine on all x86 64-bit
 CPUs.



-- 
-Lawrence
-Student ID 1028219



Re: looking for openbsd friendly server vendor

2008-01-27 Thread Lord Sporkton
Perhaps I was wrong but I thought OpenBSD was only 32-bit for now?

On 27/01/2008, NetOne - Doichin Dokov [EMAIL PROTECTED] wrote:
 Lord Sporkton wrote:
  I'm about to buy a small server, mostly for personal use,
  looking for a 1U.
 
  Was hoping to find some vendors that are OpenBSD-friendly;
  if they offer more than just i386 that is a plus as I'm investigating
  other archs as a possibility. Any suggestions welcome.
 
  This server will be doing mostly webhosting, dns, mail, small
  firewalling, and a vpn or 2.
 
  thanks
 
 
 We use lots of SuperMicros here (www.supermicro.com), lately their A+
 (AMD64) solutions, and are very glad with them. You can get an AMD64 1U
 system for as low as $500-600, which will do the work intended.




-- 
-Lawrence
-Student ID 1028219



Re: looking for openbsd friendly server vendor

2008-01-27 Thread Lord Sporkton
check out hostmysite.com

On 27/01/2008, Chris [EMAIL PROTECTED] wrote:
 On Jan 28, 2008 8:40 AM, Salim Shaw [EMAIL PROTECTED] wrote:
  try http://eracks.com/

 I've been looking to host mail (sendmail) but couldn't find anything
 cheaper. I don't need any rack mount server - just the cheapest deal
 will do. Most of what I Googled for and found are not within my budget
 (which is $30-$50 per year).

 Could anyone point me to the right vendor?

 Thanks for any help.



-- 
-Lawrence
-Student ID 1028219



separate processors

2008-01-27 Thread Lord Sporkton
I am setting up a dual core server; the server will be doing 2 things,
firewall/routing and user-services.

Since my needs are pretty small for this server and it's a dual 2.0
64-bit, I was hoping to sort of partition the CPUs such that
firewalling/kernel processes get one processor and user services like
webhosting, mail, fileserver, and all userland get the other
processor; that way my firewall won't be bothered by anything else I'm
doing.

Is this possible, and if so, where should I start with this?

-- 
-Lawrence



pci switch card

2008-01-13 Thread Lord Sporkton
I was looking at a commercial firewall recently and I noticed it has a
built-in WAN port, a DMZ port and then a built-in switch which it
considers the LAN port. I was wondering if there is a switch card, or
a PCI card with multiple ethernet ports, that could be used as a
switch, much the same way that the multiple ports in a Soekris can be
bridged; however, they would be a real switch, not just ethernet
ports bridged together, and would provide better performance.

The firewall I was looking at was a SonicWall TZ190.

-- 
-Lawrence



Re: pf + wii

2007-12-24 Thread Lord Sporkton
On 23/12/2007, scott [EMAIL PROTECTED] wrote:
 1. use # tcpdump -eni pflog0

 2. if that's not revealing then post its output AND the whole pf.conf
 file.

 3. in the meantime, consider rdr PASS on $IF_RR proto udp from
 $REMOTE_IP to ($IF_RR) -> $HOST_WII

 where PASS is in lower case inside the pf.conf (UCASE here for emphasis
 only)

 /S

 -Original Message-
 From: slug bait [EMAIL PROTECTED]
 To: misc@openbsd.org
 Subject: pf + wii
 Date: Sun, 23 Dec 2007 23:10:38 -0500

 # tcpdump -ni sis1 udp



I could be wrong but here is my 2 cents:

I've seen something like this related to UPnP; I would venture to guess
your 2 friends have routers which support UPnP, and so far as I know
OpenBSD does not support UPnP.

I would suggest either consulting the guitar hero manual or a tcpdump
for the required ports for this game and try a static PAT translation
to your public IP.

UPnP allows the wii to request certain ports from the NAT device be
opened for it; in this case it sounds like your wii needs certain ports
open to allow the server to connect to it. Normally UPnP would take
care of it dynamically, but you don't have UPnP, so you have to statically
assign the PAT.

Lawrence



Re: pf + wii

2007-12-24 Thread Lord Sporkton
My point was that it's a possibility, as UPnP support is not standard;
whether or not that is the issue at hand can be decided from game
documentation and testing with static PAT.

However, thank you for the mention of the UPnP daemons, I will have to
check those out.

On 24/12/2007, Nick Gustas [EMAIL PROTECTED] wrote:
 johan beisser wrote:
  On Dec 24, 2007, at 12:34 AM, Lord Sporkton wrote:
 
  I could be wrong but here is my 2 cents:
 
  I've seen something like this related to UPnP; I would venture to guess
  your 2 friends have routers which support UPnP, and so far as I know
  OpenBSD does not support UPnP.
 
  I would suggest either consulting the guitar hero manual or a tcpdump
  for the required ports for this game and try a static PAT translation
  to your public IP.
 
  UPnP allows the wii to request certain ports from the NAT device be
  opened for it; in this case it sounds like your wii needs certain ports
  open to allow the server to connect to it. Normally UPnP would take
  care of it dynamically, but you don't have UPnP, so you have to statically
  assign the PAT.
 
 
  UPnPd for OpenBSD..
 
  http://www.tateoka.org/~tate/doc/openbsd-upnp.html
  http://miniupnp.free.fr/
 
  Personally, I've yet to need anything like this.

 I haven't tried it with a Wii yet, but I've used miniupnp for a year or
 so now and it's worked great whenever I've needed upnp support on a pf
 firewall. Make sure you follow the documentation and add the required
 anchors to the appropriate places in your pf.conf or else you won't make
 too much progress!




-- 
-Lawrence
-Student ID 1028219



sysctl.conf.local

2007-12-19 Thread Lord Sporkton
Is it possible to do a sysctl.conf.local, to the same effect as
rc.conf.local? I added the below to the end of my sysctl.conf, but
this didn't work; net.inet.ip.forwarding was still set to 0 after a
reboot.


local_sysctlconf=/etc/sysctl.conf.local
[ -f ${local_sysctlconf} ] && . ${local_sysctlconf} # Do not edit this line


# cat /etc/sysctl.conf.local
net.inet.ip.forwarding=1   # 1=Permit forwarding (routing) of IPv4 packets

# uname -a
OpenBSD 4.2 GENERIC#375 i386

Thank you,
Lawrence
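
Why the shell-style include line has no effect can be seen by modelling how the file is consumed at boot. The Python below is an added example, not code from the post: it assumes (an assumption made here about /etc/rc, not something the post states) that sysctl.conf is never sourced as a shell script but stripped of comments, split into words, and each word handed to sysctl(8) as a name=value argument, so the include line only yields words sysctl cannot interpret and the nested file is never read. Both file contents are constructed from what was posted.

```python
import re

# A sysctl(8) argument is a dotted MIB name followed by "=value".
SYSCTL_ARG_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z0-9_-]+)+=.+$")

# Constructed reproduction of the tail of /etc/sysctl.conf as posted.
POSTED_SYSCTL_CONF = """\
local_sysctlconf=/etc/sysctl.conf.local
[ -f ${local_sysctlconf} ] && . ${local_sysctlconf} # Do not edit this line
"""

# Constructed alternative: the same setting placed directly in /etc/sysctl.conf.
DIRECT_SYSCTL_CONF = """\
net.inet.ip.forwarding=1   # 1=Permit forwarding (routing) of IPv4 packets
"""


def stripcom(text):
    """Drop '#' comments and blank lines (assumed model of the rc helper)."""
    kept = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if line.strip():
            kept.append(line)
    return kept


def rc_sysctl_words(text):
    """The words rc would pass to sysctl(8), one invocation each (assumed model)."""
    return " ".join(stripcom(text)).split()


def apply_sysctl_conf(text):
    """Simulate the boot-time pass over sysctl.conf.

    Returns (applied, rejected): applied maps MIB name to value for words
    that are valid name=value settings; rejected lists words sysctl(8)
    would refuse.  Shell syntax never gets a chance to run, so an include
    line only produces rejected words and the nested file is never opened.
    """
    applied, rejected = {}, []
    for word in rc_sysctl_words(text):
        if SYSCTL_ARG_RE.match(word):
            name, value = word.split("=", 1)
            applied[name] = value
        else:
            rejected.append(word)
    return applied, rejected


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SYSCTL_CONF), ("direct", DIRECT_SYSCTL_CONF)):
        applied, rejected = apply_sysctl_conf(conf)
        print(label, "applied:", applied, "rejected:", rejected)
```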



ospfd fib vs database

2007-11-16 Thread Lord Sporkton
I have OSPF running between OpenBSD 4.2 GENERIC.MP#304 i386 and a 1721
Cisco running c1700-k9o3sy7-mz.123-23.bin. "ospfctl show fib ospf"
shows 2 networks, the loopbacks and the gre link; however "ospfctl show
database area 0.0.0.0" shows only the loopbacks. Why doesn't the
database show the gre link, and how is there an OSPF route in the fib
when it's not in the database?


Thank you for any help



# ospfctl show data area 0.0.0.0

Router Link States (Area 0.0.0.0)

Link ID Adv Router  Age  Seq#   Checksum
192.168.179.1   192.168.179.1   988  0x8003 0xe33b
192.168.179.2   192.168.179.2   959  0x802e 0x0fbe

# ospfctl show fib osp
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Destination  Nexthop
*O 172.16.0.0/30172.16.0.2
*O 192.168.179.2/32 172.16.0.2







# ifconfig gre0 inet
gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
groups: gre
physical address inet X -- X
inet 172.16.0.1 -- 172.16.0.2 netmask 0xfffc


# cat /etc/ospfd.conf

router-id 192.168.179.1

area 0.0.0.0 {
interface lo1:192.168.179.1
interface gre0
}



Router#sho run | b ospf
router ospf 179
 router-id 192.168.179.2
 log-adjacency-changes
 network 172.16.0.0 0.0.15.255 area 0
 network 192.168.179.0 0.0.0.255 area 0



-- 
-Lawrence
-Student ID 1028219



bgpd nested neighbor groups

2007-11-15 Thread Lord Sporkton
Is it possible to nest a neighbor group inside another neighbor group
in bgpd.conf?

It gives me an error on the nested group statement when I try to
start bgpd. Is there a way around this or am I missing something I
need to nest?

on:
OpenBSD 4.2 GENERIC.MP#304 i386

-- 
-Lawrence



Re: PF/ALTQ/Bridge Question

2007-11-15 Thread Lord Sporkton
May I ask why you are using a bridge between ISP and OpenBSD firewall?
Why not just implement QoS on the firewall if it's OpenBSD anyway?

Have you verified ports for your voip? It looks like you are expecting
your outbound voip connection to be connection control=5060 and
media=1-2; I usually don't see that sort of uniformity on
clients behind NAT (assuming your clients are behind NAT).

Hope that helps


On 07/11/2007, Michael Siers [EMAIL PROTECTED] wrote:
 Hi,
 I have a group of static ips and on one of my static ips I am running
 an OpenBSD 4.2 firewall with pf using nat and altq.  Behind the OpenBSD
 firewall I have an asterisk server.

 So in order for me to implement QoS, I have set up a non-transparent
 bridge between my ISP router and the OpenBSD firewall.  Everything is
 working fine except I can not get my outgoing VOIP traffic to be placed
 onto the correct queue.

 Using pftop, I can see that packets are being passed out using the
 rules that specify the queue ovoip.  But if I look at the queue view
 inside pftop, no data was sent out using the queue.  The queue ivoip
 is being used for incoming traffic.  Below are my pf rules.

 
 WANIF=external bridge interface
 PUBIF=internal bridge interface (also has assigned static ip)
 PRIVIF=internal private network
 VOIP=private ip address for my asterisk server

 altq on $WANIF hfsc bandwidth 7168Kb queue {iroot}
 queue iroot bandwidth 95% priority 0 hfsc {ivoip, idata}
 queue ivoip bandwidth 2% priority 5 hfsc(realtime 112Kb)
 queue idata bandwidth 98% priority 2 hfsc(default)

 altq on $PUBIF hfsc bandwidth 896Kb queue {oroot}
 queue oroot bandwidth 95% priority 0 hfsc {ovoip, odata}
 queue ovoip bandwidth 15% priority 6 hfsc(realtime 112Kb)
 queue odata bandwidth 85% priority 3 hfsc(default)

 nat on $PUBIF from $PRIVIF:network to any -> $PUBIF:0

 block in all
 pass out all
 pass in on $WANIF from any to $PUBIF:network
 pass in on $PUBIF from $PUBIF:network to any
 pass in on $PRIVIF

 pass in quick on $PUBIF proto tcp from any to any port {5060} queue ivoip
 pass in quick on $PUBIF proto udp from any to any port {5060:5063,
 1:2} queue ivoip
 pass in quick proto tcp from $VOIP to any port {5060} queue ovoip
 pass in quick proto udp from $VOIP to any port {5060:5063,
 1:2} queue ovoip
 

 Does anyone have any ideas on how I can get this to work?  Any
 information or examples of pf/altq rules with a bridge would be
 greatly appreciated.

 Thanks,
 Mike Siers




-- 
-Lawrence
-Student ID 1028219



ftpd follow symlinks

2007-11-02 Thread Lord Sporkton
OpenBSD 4.2 on i386:

Does ftpd have the capability to follow symlinks? Or is there a
workaround that would allow it to?

If not, will that support be added any time soon?



-- 
-Lawrence
-Student ID 1028219



Re: ftpd follow symlinks

2007-11-02 Thread Lord Sporkton
Ahh, yes, they are. I have it chrooting to the user home; however, the
symlink in the user home is linked to something in /mnt.

Hadn't thought of that. Any way around that then?

On 02/11/2007, Clint Pachl [EMAIL PROTECTED] wrote:
 Lord Sporkton wrote:
  OpenBSD 4.2 on i386:
 
  Does ftpd have the capability to follow symlinks? Or is there a
  workaround that would allow it to?
 

 Are these symlinks pointing outside the chroot?

  If not, will that support be added any time soon?
 
 
 
 



-- 
-Lawrence
-Student ID 1028219
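A check a practitioner might run before blaming ftpd, as an added example that is not part of the thread: a small POSIX sh function that lists the symlinks under a chroot whose targets do not resolve inside it (an absolute link to /mnt, as in the post above, becomes $CHROOT/mnt once ftpd has chrooted). The chroot directory passed in is an assumption; the function works on any directory tree.

```shell
#!/bin/sh
# Added example, not from the thread: list symlinks under a chroot that a
# chrooted ftpd could not follow. Absolute targets are re-rooted at the
# chroot (so /mnt/data is checked as $CHROOT/mnt/data); relative targets
# are resolved from the link's own directory. Links whose target is missing
# inside the chroot, or that climb out of it, are printed one per line.
# Usage: find_escaping_symlinks /home/ftp   (path is an assumption)

find_escaping_symlinks() {
    chroot=$(cd "$1" && pwd -P) || return 2
    find "$chroot" -type l | while read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) resolved="$chroot$target" ;;                 # absolute: re-root
            *)  resolved="$(dirname "$link")/$target" ;;    # relative: from link dir
        esac
        # Canonicalise the containing directory (resolves .. and symlinks),
        # then re-append the final component.
        if dir=$(cd "$(dirname "$resolved")" 2>/dev/null && pwd -P); then
            canon="$dir/$(basename "$resolved")"
        else
            canon="$resolved"   # containing directory itself is missing
        fi
        case "$canon" in
            "$chroot"/*) [ -e "$canon" ] || printf '%s -> %s\n' "$link" "$target" ;;
            *)           printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}
```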



ms exchange replacement

2007-10-02 Thread Lord Sporkton
I am looking into an Exchange replacement. I'm looking to have use of
calendar appointments, tasks and mail all through a central server;
also I have multiple Windows-based mobile devices syncing with this
server. I wasn't able to find anything that looked like an Exchange
replacement in ports or pkgs.

This is on 4.1 release.

Was hoping someone here had experience with such and could give
suggestions on some I might look into.

Thank you


-- 
-Lawrence
-Student ID 1028219



Re: ms exchange replacement

2007-10-02 Thread Lord Sporkton
I believe my issue would be sexchange.
I wish to use existing Outlook installations, non-Outlook clients and
Windows Mobile devices with this server. I'm mostly in need of the
features it offers such as calendars, tasks, and sync'd contacts;
otherwise I would just use plain IMAP.



On 02/10/2007, bofh [EMAIL PROTECTED] wrote:
 Is there even anything that's a full sexchange replacement?  I'm aware
 of a group that runs around replacing large sexchange installations
 with linux running on BigIron, so there may be feasible replacements.

 Is your issue sexchange or LookOut?



 On 10/2/07, knitti [EMAIL PROTECTED] wrote:
  On 10/2/07, Karsten McMinn [EMAIL PROTECTED] wrote:
   On 10/2/07, Lord Sporkton [EMAIL PROTECTED] wrote:
    I am looking into an Exchange replacement. I'm looking to have use of
    calendar appointments, tasks and mail all through a central server;
    also I have multiple Windows-based mobile devices syncing with this
    server. I wasn't able to find anything that looked like an Exchange
    replacement in ports or pkgs.
  
   Quite a few options these days: Kolab, Horde (ports), Mozilla + friends
   (ports), Scalix, Zimbra, Open-Xchange, and OpenGroupware. Sort of depends
   on how you define groupware. Not all of these in ports of course.
 
  OpenGroupware is not fun. I have to maintain (keep running) an
  OGo installation (on Linux); the inner workings are rather opaque, the
  documentation is sparse and it leaks memory and performance left and
  right. But if you have mail trouble, you can look at the underlying SMTP
  and IMAP servers and actually fix things, much more transparent than
  Exchange (of which I also have some instances to look after).
 
 
  greetings,
  knitti
 
 


 --
 This officer's men seem to follow him merely out of idle curiosity.
 -- Sandhurst officer cadet evaluation.




-- 
-Lawrence
-Student ID 1028219