Re: OBSD 6.8 vlan communication issues

2020-11-11 Thread System Administrator
On 11 Nov 2020 at 20:48, len zaifman wrote:

> Thanks Tom,Aaron: I did 2 things,
>
> 1 re IPs - all ips removed from aggr0 and 1 ip for each vlan
>
> ifconfig -A | grep -A 7 vlan7 | grep -E 'vlan7
> inet' ; ifconfig aggr0 | grep inet
> vlan70: flags=8843 mtu 1500
>      inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
> vlan77: flags=8843 mtu 1500
>      inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
> vlan79: flags=8843 mtu 1500
>      inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255
>
>
> Still no luck
>
>
> 2 I went to switch and made vlan70 the native vlan, with vlan 77,79
> still tagged to see if that would help. Still no ping even to the switch
> which is on vlan 70.
>
> Now the switch is back to all 3 vlans are tagged, no native vlan.
>
>
> I am trying to see vlan tags when i ping 10.10.7x.1 with tcpdump -e but
> no luck. I assume loopback interface is being used when i ping locally
> on the firewall so that doesn't work.
>
>
> I will contact switch vendor to see if they can help. But for openbsd,
> does the config look okay now? All ips on the vlan, not the parent
> interface?
>
>
> PS to Aaron's question re: sysctl
>
> sysctl for ip forwarding is set
>
> net.inet.ip.forwarding=1
>

Hi Len,

To narrow down the issue I would temporarily eliminate link aggregation
and focus on vlan tagging. Namely, recreate the setup with just one
physical link and all the tagged vlans to make sure that works. From
experience, getting link aggregation to work -- i.e. matching the
aggregation protocol -- between disparate devices can be rather tricky.

-Jacob.

>
> On 2020-11-11 7:32 p.m., Tom Smyth wrote:
> > Hi Len,
> > Hi, remove the IP addresses from the agg0 interfaces
> >
> > put the Ip addresses on the vlan interfaces only
> >
> > ie
> > mg  /etc/hostname.vlanxxx
> > up vnetid xxx
> > inet 10.10.xx.1/24
> >
> > if you need to route between the vlans make sure you enable forwarding in
> > the kernel with sysctl
> >
> > when you get it working make sure to post to the Misc List :)
> >
> >
> >
> > Hope this helps,
> >
> >
> >
> >
> >
> >
> > On Thu, 12 Nov 2020 at 00:18, len zaifman  wrote:
> >
> >> I am setting up a new system as a firewall using OpenBSD 6.8 current
> >> -uname -a
> >> OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.
> >>
> >> I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and
> >> em1, in an aggregation to serve these vlans.
> >>
> >>
> >> There is a Unifi switch which has 2 ports (where em0,em1 are attached)
> >> set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.
> >>
> >> I have a linux host setup on vlans 70,77,79 and at address 77 -
> >> 10.10.70.77, 10.10.77.77, 10.10.79.77.
> >>
> >>
> >> So far i cannot communicate over the vlans. Before I vlanned these
> >> subnets : ie only vlan 1 everywhere - communication worked fine.
> >>
> >> So i do not believe there is a physical issue. The issues arose with the
> >> introduction of the vlans. Is there a configuration issue that anyone
> >> can spot?
> >>
> >>
> >> Thank you for any help you can give.
> >>
> >> Evidence:
> >>
> >> ping on the firewall works locally
> >>
> >> for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
> >> PING 10.10.70.1 (10.10.70.1): 56 data bytes
> >> 64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
> >> 64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.70.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
> >> PING 10.10.77.1 (10.10.77.1): 56 data bytes
> >> 64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
> >> 64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.77.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
> >> PING 10.10.79.1 (10.10.79.1): 56 data bytes
> >> 64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
> >> 64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.79.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms
> >>
> >>
> >> ping to the switch does not work
> >>
> >> ping -c 2 10.10.70.3
> >> PING 10.10.70.3 (10.10.70.3): 56 data bytes
> >>
> >> --- 10.10.70.3 ping statistics ---
> >> 2 packets transmitted, 0 packets received, 100.0% packet loss
> >>
> >> ping to the linux host does not work.
> >>
> >> ping -c 2 10.10.70.3
> >> PING 10.10.70.3 (10.10.70.3): 56 data bytes
> >>
> >> --- 10.10.70.3 ping statistics ---
> >> 2 packets transmitted, 0 packets received, 100.0% packet loss
> >> [13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2 10.10.7${n}.77 ; done
> >> PING 10.10.70.77 (10.10.70.77): 56 data bytes
> >>
> >> --- 10.10.70.77 ping statistics ---
> >> 2 packets transmitted, 0 packets received, 100.0% packet loss
> >> PING 
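Added example, not taken from the thread: the hostname.if(5) files that implement the advice given above (addresses on the vlan interfaces only, the aggregation and its member ports left address-less). The interface names and addresses are the ones Len posted; the file layout follows aggr(4) and vlan(4) and is otherwise an assumption about his setup.

```conf
# /etc/hostname.em0 and /etc/hostname.em1: member ports carry no address
up

# /etc/hostname.aggr0: both ports in one LACP aggregation, still no address
trunkport em0
trunkport em1
up

# /etc/hostname.vlan70: tag 70 carried on aggr0; the address lives here
vnetid 70
parent aggr0
inet 10.10.70.1/24
up

# /etc/hostname.vlan77 and /etc/hostname.vlan79 follow the same pattern
vnetid 77
parent aggr0
inet 10.10.77.1/24
up

# Single-link test, as suggested above: same vlan, parent em0, aggr0 not used
# vnetid 70
# parent em0
# inet 10.10.70.1/24
# up
```

Apply with `sh /etc/netstart em0 em1 aggr0 vlan70 vlan77 vlan79`. A ping to the box's own vlan address never leaves the host, which is why no tags showed up; ping a neighbour instead and capture on the parent: `tcpdump -n -e -i aggr0 vlan` while running `ping 10.10.70.77` prints the 802.1Q header (vid 70) on each outgoing frame if tagging works on the OpenBSD side. Tagged requests leaving with nothing coming back point at the switch or at the aggregation; `ifconfig aggr0` lists the trunkports and their LACP state, and the commented single-link variant takes the aggregation out of the picture entirely.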

Re: crontab

2019-05-28 Thread System Administrator
On 28 May 2019 at 15:14, Carlos Aguilar wrote:

> Hi,
> 
> I am having lots of problems to execute a shell script at boot time.
> 
> My crontab is as follows;
> >>
> SHELL=/bin/ksh
> 
> @reboot $HOME/bin/app-ferre
> <<
> My shell script is as follows:
> >>
> #!/bin/ksh
> 
> lua=/usr/local/bin/lua53
> 
> # Loop over the glob itself rather than the output of ls(1); the -f test
> # skips the unexpanded pattern when no service file exists.
> for f in /home/alberto/app/service-*.lua ; do
> [ -f "$f" ] || continue
> echo "Initializing $f"
> "$lua" "$f" &
> done
> >>
> 
> Thanks for any help or advice,
> 
> // Carlos
> 

Hi Carlos,

The $HOME environment variable is defined by the interactive shell for 
login sessions. Moreover, unless you regularly log into your system as 
root -- which is the user that kicks off cron tasks and runs them 
unless changed with su or doas -- it does not point where you are 
expecting (*your* home folder).

When specifying crontab entries, it is best to spell out the program 
path.

-Jacob.
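Added example, not Carlos's script or Jacob's: a version of the @reboot job that spells out every path, sets its own PATH instead of relying on whatever cron provides, uses the glob directly, and logs what it started. The directory, interpreter and log file names are assumptions based on the thread; the function returns the number of services launched so it can be checked.

```sh
#!/bin/ksh
# Added example: self-contained @reboot job for cron. Nothing here depends on
# $HOME or on an interactive login environment. Paths are assumptions.

PATH=/bin:/usr/bin:/usr/local/bin
export PATH

APP_DIR=${APP_DIR:-/home/alberto/app}        # where service-*.lua live (assumed)
LUA=${LUA:-/usr/local/bin/lua53}             # interpreter, full path
LOG=${LOG:-/var/log/app-ferre.log}           # cron has no terminal; log instead

# start_services DIR: launch every DIR/service-*.lua in the background and
# print how many were started. An unmatched glob starts nothing.
start_services() {
    dir=$1
    n=0
    for f in "$dir"/service-*.lua; do
        [ -f "$f" ] || continue
        echo "$(date) starting $f" >>"$LOG"
        "$LUA" "$f" >>"$LOG" 2>&1 &
        n=$((n + 1))
    done
    echo "$n"
}

# Only run when invoked as the cron job itself, not when sourced for a test.
case $0 in
    *app-ferre) start_services "$APP_DIR" ;;
esac
```

The matching crontab line is then `@reboot /home/alberto/bin/app-ferre` with the full path, and `crontab -l` run as the same user shows it; if the job is meant to run as someone other than the user who owns the crontab, that is a job for a doas(1) entry or an rc.d(8) script rather than `$HOME` guessing.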



Re: Non-free firmware without asking the user

2017-01-07 Thread System Administrator
at the risk of feeding a troll... see below

On 8 Jan 2017 at 0:02, Martin Hanson wrote:

> ludovic coues said:
> 
> > You are free to use OpenBSD code.
> > You are free to copy OpenBSD code.
> > You are free to modify OpenBSD code.
> > You are free to distribute you fork.
> >
> > So unless your dictionary is twisted, shipping non-free firmware isn't
> > an exception to these freedom.
> 
> You're wrong. That's not what it says on the OpenBSD website. Please
> read on.
> 
> Stefan Sperling said:
> 
> > I agree with Theo. Don't buy hardware you don't like.
> 
> Avoiding the hardware isn't the issue!
> 
> The issue is MISGUIDANCE by OpenBSD!
> 
> On the frontpage of openbsd.org it says "free" with big bold letters:
> 
> "The OpenBSD project produces a FREE, multi-platform 4.4BSD-based
> UNIX-like operating system."
> 
> And there is a link to the explanation of the "free" term used by
> OpenBSD:
> 
> https://www.openbsd.org/policy.html
> 
> The explanation is not as given by "ludovic coues" in the above.
> 
> On policy page it clearly says: "OpenBSD strives to provide code that
> can be freely used, copied, modified, and distributed by anyone and for
> any purpose."
> 
> This is MISGUIDING!
> 
> OpenBSD ALSO provides software that cannot freely be modified in any way
> and it DOES THIS WITHOUT EVEN ASKING THE USER!

No, it does not. Stop confusing SOFTWARE (general purpose code running 
on the main processor of the computer) with FIRMWARE (specialized 
instructions embedded in hardware and required to make that hardware 
operate in a prescribed manner). As has been pointed out numerous 
times, OpenBSD does not make a distinction between firmware that is pre-
installed in hardware components of your computer and firmware that is 
loaded onto a similar hardware component each time the computer starts. 

> Stop avoiding the issue by pointing to problems with "crappy" hardware
> and vendors. This is not the issue.
> 
> The issue is a misguiding policy statement.



Re: pf.conf something is VERY wrong here, need advice.

2015-04-19 Thread System Administrator
On 20 Apr 2015 at 0:11, Ton Muller wrote:

 i have last week setup my old asus laptop, model A6000 ,1GB ram, 80GB HDD.
 
 SK0 is the internal interface.
 RE0 is the WAN interface
 
 i kept my pf.conf as simple as possible to get it to start
  START CONFIG ##
 #
 int_if = sk0
 ext_if = re0
 
 tcp_services={ 22,53,113 }
 icmp_types=echoreq
 
 # options
 # increase default state limit from 10'000 states on busy systems
 #set limit states 10
 
 set block-policy return
 set loginterface egress
 set skip on lo
 
 # match rules
 match out on egress inet from !(egress:network) to any nat-to (egress:0)
 #
 # filter rules
 block in log
 pass out quick
 antispoof quick for { lo $int_if }
 
 pass in on egress inet proto tcp from any to (egress) port $tcp_services
 #
 pass in inet proto icmp all icmp-type $icmp_types
 pass in on $int_if
 
 # end config ##
 
 this is my resolv.conf
 # Generated by re0 dhclient
 search xs4non.nl
 nameserver 192.168.1.240
 lookup file bind
 
 RE0 ip 192.168.1.240
 SK0 ip 192.168.0.240
 
 mygate 192.168.1.240
 
 Well, as far i can remember ,if i set RE0 to dhcp ,it would get its ip
 from the DHCP server from modem, that works (192.168.1.1) and mygate
 would not be used.
 
 here comes the issue.
 whatever combination i do, forced or not.
 i can ping a host, and i get NO result back.
 ping its IP address, i get a result back.
 so my question is, what am i doing wrong here.
 
 i never changed my basic configs so i knew that it would work.
 but for some reason this time i get a massive headache from it.
 
 anyone ideas?
 
 Tony.
 
 

Here are some ideas that may (or may not) resolve your issues. 
Hopefully, they will at least get you started in the right direction:

1) Since you are using the 'egress' interface group name rather than 
the explicitly defined $ext_if macro variable, make sure that it is 
defined and for the correct interface. I know it works well when 
/etc/mygate is correctly defined, but never had the need to test with 
dhclient controlled interfaces.

2) You seem to want to allow DNS (port 53) traffic inbound, but are you 
aware that most DNS communication is over UDP? TCP DNS is used mostly, 
if not only, for zone transfers.

3) Similarly, for ICMP (used by ping) you are allowing in only the 
query subtype and not the reply (icmp-type echorep).

Good luck!
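Added example, not Tony's file: the quoted ruleset with points 2 and 3 applied. Interface names and service ports are the ones he posted; the DNS rule assumes the box is meant to answer queries from the outside at all (if it is not, drop port 53 entirely rather than widening it).

```conf
# Added example: Tony's ruleset with the DNS and ICMP points applied.
int_if = "sk0"
ext_if = "re0"

tcp_services = "{ 22 113 }"
icmp_types   = "echoreq"

set block-policy return
set loginterface egress
set skip on lo

match out on egress inet from !(egress:network) to any nat-to (egress:0)

block in log
pass out quick
antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) port $tcp_services

# DNS: queries arrive over UDP as well as TCP (TCP also carries answers too
# large for UDP and zone transfers), so allow both if this box serves DNS.
pass in on egress inet proto { tcp udp } from any to (egress) port 53

# Inbound echo requests. Replies to this box's own outbound pings match the
# state created by "pass out quick" (pass rules keep state by default), so
# echorep needs a rule of its own only for rules written with "no state".
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
```

Check it with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`, and confirm the group with `ifconfig egress`. Separately, the quoted resolv.conf names 192.168.1.240 as the nameserver, which is the address RE0 itself holds; unless this box runs a resolver on that address, hostnames will not resolve no matter what pf does, and that alone produces "ping by name fails, ping by IP works".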



Re: When should tables be used in pf.conf?

2015-03-28 Thread System Administrator
On 28 Mar 2015 at 8:00, Jeff wrote:

 Hi,
 
   We've been using pf.conf and tables for years but have
 recently embarked on a project to optimize pf.conf.
 
   In reading about tables it's not clear when tables are more
 efficient than individual rules.  Is there a definitive point?  Is it
 three entries? six entries? ten entries?
 
   If it's not a constant, is there a simple test that we can run
 to determine if a table is more efficient than individual rules in
 each case?
 
 Thanks!
   Jeff
 -- 
 
 

Aside from the documented performance advantage to using tables where 
multiple hosts are involved (whatever that exact number may be), there 
is a very important administrative advantage and the reason I often use 
tables with as few as one or two hosts in them -- you can modify 
entries in the table *without* having to reload your rule set (i.e. it 
is much safer and less disruptive).

But as far as squeezing a few micro-seconds of performance (if that 
much) by optimizing pf.conf, I would not worry about that -- the 
developers are constantly improving the network stack and performance 
of all of its components, including the packet filter. The primary 
optimization we, the sysadmins, should focus on is manageability. All 
your marginal performance gains will be lost if the resulting pf.conf 
becomes unwieldy and unmanageable.



Re: pf add not working

2015-02-26 Thread System Administrator
On 26 Feb 2015 at 23:16, D'Arcy J.M. Cain wrote:

 On Thu, 26 Feb 2015 17:02:48 -0500
 Ted Unangst t...@tedunangst.com wrote:
   all udp 98.158.139.74:5060 - 207.35.13.14:5060
   MULTIPLE:MULTIPLE
   
   What does MULTIPLE:MULTIPLE mean?
  
  multiple packets have passed, in both directions. i.e., you have a
  state.
 
 And yet;
 
 # pfctl -vv -sr | grep sip
 @14 pass in log on bge0 proto udp from any to any port = sip no state

This particular rule does not have the quick keyword, which means it 
might not be final -- any subsequent rule that also matches will have 
execution priority and may introduce state.

 Clearly no state.  Is it just ignoring the option?  Maybe I have to
 modify my script.
 
 pfctl -t AUTOBLOCK -T add $ip
 pfctl -k $ip
 
 -- 
 D'Arcy J.M. Cain
 System Administrator, Vex.Net
 http://www.Vex.Net/ IM:da...@vex.net
 VoIP: sip:da...@vex.net
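Added example serving both the tables question above and this AUTOBLOCK thread; it is neither poster's ruleset. bge0, the AUTOBLOCK table and the stateless SIP rule come from this thread, the <admins> addresses are made up.

```conf
# Added example: runtime-editable tables plus a quick block that a later
# stateful or stateless rule cannot override.
table <AUTOBLOCK> persist
table <admins> persist { 192.0.2.10, 192.0.2.11 }

# quick makes this the final decision for anything in the table; without it,
# the last matching rule below would win and could create state.
block in log quick on bge0 from <AUTOBLOCK> to any

# Membership of <admins> is changed with pfctl -T, never by reloading rules.
pass in on bge0 proto tcp from <admins> to (bge0) port 22

# The stateless SIP rule from the thread: each packet is re-evaluated, but
# only sources that survived the quick block above ever reach it.
pass in log on bge0 proto udp from any to any port sip no state
```

`pfctl -t AUTOBLOCK -T add 198.51.100.7` and `pfctl -t AUTOBLOCK -T show` change and inspect the table with the ruleset untouched. `pfctl -k 198.51.100.7` kills only states whose *source* is that host; states towards it are killed with `pfctl -k 0.0.0.0/0 -k 198.51.100.7`, and `pfctl -ss | grep 198.51.100.7` confirms nothing is left. `pfctl -vvsr` prints the rule numbers, which is the quickest way to verify the quick block sits above every pass rule.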



Re: CPU criteria for OpenBSD firewall

2015-02-18 Thread System Administrator
On 18 Feb 2015 at 15:18, Gene wrote:

 To expand on Alexander's point, look at the FAQ:
 
 http://www.openbsd.org/faq/pf/perf.html
 
 If you aren't doing a lot of filtering, just passing traffic over
 multiple interfaces, more cores might be beneficial.
 
 -Eugene

Actually, at this time and the near future, passing traffic (i.e. the 
kernel network stack) happens entirely on CPU0. The network gurus *are* 
working on making the network layer multiprocessor capable, but my 
impression from watching the tech@ list is that this goal is still some 
ways off. At the present time, only userland applications can and do 
make use of the additional CPU cores.

So to quote the old-timers on this list -- only the OP can determine 
the characteristics of the specific workload and firewall configuration. 
But unless that firewall includes many CPU-intensive proxies, it will 
most likely perform best with fewer yet faster cores.

-Jacob.

 
 On Wed, Feb 18, 2015 at 2:50 PM, Alexander Salmin alexan...@salmin.biz
 wrote:
 
  I might start a flame now but the higher freq and less core model is
  the better choice unless your firewall will do other things than
  packetfiltering and routing.
 
  On 2015-02-18 22:30:31, ML mail wrote:
   Hi,
  
   Stupid question but if you would have to choose between two
   different
  Intel CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all
  /24 networks behind and around 50-60 Mbit/s average traffic would you
  rather choose the CPU with higher Frequency and less cores or for a
  CPU with lower frequency but more cores?
  
   For example:
  
   - E5-2630Lv3, 20M Cache, 1.80 GHz, 8 cores:
  http://ark.intel.com/products/83357/Intel-Xeon-Processor-E5-2630L-v3-2
  0M-Cache-1_80-GHz
   - E5-2637v3, 15M Cache, 3.50 GHz, 4 cores:
  
  http://ark.intel.com/products/83358/Intel-Xeon-Processor-E5-2637-v3-15
  M-Cache-3_50-GHz
  
   Or asked differently, which are the importants criteria to look at
   first
  for a CPU intended to be used in an OpenBSD firewall?
  
   Regards
   ML



Re: missing packages for SPARC

2014-12-03 Thread System Administrator
On 3 Dec 2014 at 18:36, dev wrote:

    You are speaking out of turn, basically insulting people who want
    to make sure that older architectures do work.  The Sun Fire V890
    and Niagara machines are not sparc architecture.  They are
    sparc64.
   
   Not sure where the anger is coming from. Regardless, there may be
   people that are interested in running OpenBSD on a DEC alphaserver or
   even a Sun SparcStation 20 from 1996 and that may just be entertainment.
   I would hope that there was an interest in more modern architectures
   where OpenBSD may run very very well.
  
  Oh just shut up.
  
  I would hope you can keep your mouth shut when people talk about the
  things they love to hack on.
  
  Because otherwise, you know, you might come off looking like you are
  a self-entitled prick who only wants them to work on things you want,
  you know?
 
 
 Actually I was closely following the discussion on utf8 issues and found
 it interesting. OpenBSD is generally looked at as a serious and secure
 UNIX implementation and I was giving consideration to getting GCC 4.9.2
 built and tested on it.  I don't see results[1] in the GCC project for
 recent GCC and felt it would be of value to try.  With a recent GCC it
 may have been possible to then build Apache 2.4.x and some other things
 that would allow an up to date set of tools to exist.  These would allow
 a web site to run with great security and stability. Really that was my
 entire interest in OpenBSD.  Oh, that and the LibreSSL work and OpenSSH
 of course.
 
 You, however, seem to feel a need to crash into a room like a mad man
 off his meds.
 
 Not sure what your intent is.  What is it?  Really?

Pot meet kettle. Of course the big difference is that kettle has been 
running the show (and very successfully too) for the past two decades.

Now, let this thread die! All entertainment value has long evaporated.

 Dennis
 
 
 [1] https://gcc.gnu.org/gcc-4.9/buildstat.html



possible typo in ssh-keygen(1) man page

2014-11-07 Thread System Administrator
In the description of the -b option:
...
three elliptic curve sizes: 256, 384 or 521 bits.

Is 521 correct or is it supposed to be 512?



question about hosts.equiv and ssh

2014-11-07 Thread System Administrator
In OpenBSD 5.6, the prototype and man-page for hosts.equiv(5) have 
disappeared. However, this file is still referenced in sshd_config(5) 
and (if I'm searching the sources correctly) in /usr/src/usr.bin/ssh 
auth-rhosts.c which is included in the sshd/Makefile.

Is the removal accidental or an indication that its use is deprecated? 
If the latter, what is the [new] recommended best practices for 
HostBasedAuthentication within a cluster of trusted servers?

Thanks in advance.



Re: relayd question - from the man page

2014-10-21 Thread System Administrator
The answer to your question is right there in the very manpage 
paragraph you quoted below.

On 21 Oct 2014 at 10:24, Alan McKay wrote:

 Anyone?
 Anyone?
 Buehler?
 
 On Fri, Oct 17, 2014 at 9:41 AM, Alan McKay alan.mc...@gmail.com
 wrote:
  Hi folks,
 
   The manpage for relayd.conf has this basic construct in it a couple
   of times :
  
  table <service> { 192.168.1.1, 192.168.1.2, 192.168.2.3 }
  table <fallback> disable { 10.1.5.1 retry 2 }
  
  redirect www {
  listen on www.example.com port 80
  forward to <service> check http "/" code 200
  forward to <fallback> check http "/" code 200
  }
 
  And also has this to say about the disable attribute.
 
   disable
   The redirection is initially disabled.  It can be later
   enabled through relayctl(8).
   

 
   What I don't understand from the given examples is how fallback
   above is getting re-enabled.  It starts out with the table disabled -
   I get that.  But then within the redirect we are basically saying
   (correct me if I am wrong) always use service unless it is not
   available, in which case use fallback
  
   But I don't see anywhere that fallback was re-enabled so how can it
   be used?  And I search through the manpage and don't see any mention
   of this.  Does it automatically get re-enabled within the redirect -
   forward?  And if that is the case, what was the point of starting it
   disabled in the first place?
 
  thanks,
  -Alan
 
  --
  Don't eat anything you've ever seen advertised on TV
   - Michael Pollan, author of In Defense of Food
 
 
 
 -- 
 Don't eat anything you've ever seen advertised on TV
  - Michael Pollan, author of In Defense of Food



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-04 Thread System Administrator
Responding here at the risk of continuing to feed the troll, but in the 
interest of setting the record straight (i.e. for the archives).

On 4 Oct 2014 at 13:53, Matti Karnaattu wrote:

 Many a naïve person believe you can add security as an afterthought
 but I'm not aware of this approach ever truly succeeding.
 
 I think that OpenBSD has done a decent job. Decades ago that old unix
 code, originally, did not quite exactly been EAL7.

1. OpenBSD is a great example of the difference that having security as 
a primary design and development objective makes, unlike most other 
OSes (including all flavors of linux) which do added security.

2. Open*BSD* as the name implies, had no decades old Unix code and by 
now has had much of the _original_ BSD code replaced as well.

3. A quick look at [0] demonstrates your utter ignorance of EAL or the 
issues involved in having formal certification of OpenBSD specifically. 
To wit:

  a) No operating system is certified to EAL7;

  b) Highest level certification achieved by any Unix-like OS is EAL4;

  c) Minimum reported timeframe to achieve EAL4 is 9 months (to as long 
as two years) at which point the released OBSD version is guaranteed to 
have changed, and the code being certified is about to or possibly 
already no longer supported;

  d) EAL certification requires a specific Target of Evaluation (e.g. 
it is well known that Windows NT achieved EAL4 but only without 
networking) whereas OpenBSD is a general purpose open-source OS that 
anyone is free to use and *modify* any way they please.

4. It's probably high time to let this utterly degenerated thread die..

[0] https://en.wikipedia.org/wiki/Evaluation_Assurance_Level



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-03 Thread System Administrator
No, the one lacking understanding is you -- the fact that 99.9% of the 
Internet users are clueless (and even worse, *lax*) about security, 
probably never heard of OpenBSD and most likely will never use it 
because it interferes with their daily fill of spam and malware is 
totally irrelevant for this particular community that, thankfully, has 
always been willing to do things *right* rather than *easy*.


On 3 Oct 2014 at 22:01, Matti Karnaattu wrote:

 I can't know what interest openbsdeurope has in requiring users to
 enable JS to obtain any information from their website.
 
 Probably 999 users in thousand doesn't want to make web crippled and
 doesn't even think that standard JS is any special requirement.
 
  *I* choose what programs my shell executes.  But when I visit a
  webpage on the internet with javascript enabled, someone *else*
  chooses what programs are executed.
 
 No, you chose that web page to visit.
 
 I think that you don't probably understand that web is nowadays
 by default, software platform. Web pages are applications.
 
 You can make your life easier by enabling Javascript.
 
 Soon it is probably nearly impossible to do anything useful with web
 without Javascript. It is de facto and de jure standard language for
 portable applications.



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-03 Thread System Administrator
On 3 Oct 2014 at 23:48, Matti Karnaattu wrote:

...

 etc...and that's not the only way javascript can be used maliciously
 
 These are called security holes.
 
 There is good reason not to explicitly trust javascript or any other
 browser plugin that allow the remote site to execute code on your
 machine.
 
 Unfortunately, we are living in a world where almost all applications are
 nowadays written with Javascript or compiled to Javascript. And it is
 a matter of time when the rest of the issues are solved which prevent
 using it ~everywhere to reduce server load.

Many a naïve person believe you can add security as an afterthought 
but I'm not aware of this approach ever truly succeeding.

 For that reason, it is not beneficial to avoid Javascript. Instead it
 useful to think how it can be run securely.

The only possible way to run it securely is to run it very very 
sparingly, and *only* when you believe that you are working with 
reasonable input. (You wouldn't go into a minefield armed only with a 
blindfold in order to think how to do it safely, would you?)

 Javascript is today's C.

Fruits and vegetables. C is a fairly low-level *language* and the 
quality of the resulting application is entirely dependent on the 
programmer. Browser Javascript is, as you yourself pointed out, a 
*platform*, i.e. it IS a complete application designed and built by 
people that do not think to close the barn until after the cows are 
gone (and probably consider any real lock to be too cumbersome).



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-03 Thread System Administrator
On 4 Oct 2014 at 1:41, Matti Karnaattu wrote:

...

 I don't think that is pragmatic to expect people to use computers
 without applications. Or expect users of some software doesn't want to
 use applications.
 

why not be the ultimate pragmatist you preach and go run Windows? 
(Isn't that what everybody runs and the only platform all software 
developers support? and the best part -- you won't be spamming OpenBSD 
mailing lists anymore ;-)



Re: Firewall: Where is the bottleneck?

2014-10-02 Thread System Administrator
On 2 Oct 2014 at 18:15, Andy wrote:

 Setup some queues and prioritise your ACK's ;)
 
 The box is fine under the load I'm sure, but you'll still need to 
 prioritise those TCP acknowledgments to make things snappy when lots of
 traffic is going on..

All these (otherwise valid) suggestions are useless until we know more 
about the specific firewall in question -- information best delivered 
in the form of dmesg, 'pfctl -si' output and other statistics as 
indicated in Ville's response below. I recently struggled with a very 
similar problem until I noticed that the total number of states 
reported in pftop was stuck at 10,000 ... guess what? that is a 
default limit and (also by default) stateless traffic is *dropped*! 
Raising that particular limit _magically_ tripled the throughput.

-Jacob.

 
 On 02/10/14 17:13, Ville Valkonen wrote:
  Hello Patrick,
 
  On 2 October 2014 17:32, Patrick jum...@yahoo.de wrote:
  Hi,
 
  I use a OpenBSD based firewall (version 5.2, I know I should upgrade
  but ...) between a 8 host cluster of Linux server and 300 clients
  which will access this clutser via VNC. Each server is connected with
  one gigabit port to a dedicated switch and the firewall has on each
  site one gigabit (dedicated switch and campus network).
 
  The users complains about slow VNC response times (if I connect a
  client system to the dedicated switch, the access is faster, even
  during peak hours), and the admins of the cluster blame my firewall
  :(.
 
  I use MRTG for traffic monitoring (data retrieves from OpenBSD in one
  minute interval) and can see average traffic of 160 Mbit/s during
  office hours and peaks and 280 Mbit/s. With bwm-ng and a five second
  interval I can see peaks and 580 Mbit/s. The peak packets per second
  is arround 8 packets (also measured with bwm-ng). The interrupt
  of CPU0 is in peak 25%. So with this data I don't think the firewall
  is at the limit, I'm right?
 
  The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz)
  with 4 GByte of memory and 4 1 Gbit/s ethernet copper Intel nics
  (driver em).
 
  Where is the problem? Can't the nics handle more packets/second? How
  can I check for this?
 
  If I connect a client system directly to the dedicated system, the
  response times are better.
 
  Thanks for your help,
  Patrick
  In addition to dmesg, could you please provide the following
  information: $ pfctl -si $ sysctl kern.netlivelocks and interrupt
  statistics (by systat for example) would be helpful.
 
  Thanks!
 
  --
  Regards,
  Ville
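Added example, not from the thread: a small check for the condition Jacob describes, a state table sitting at its hard limit. It parses the "current entries" line of `pfctl -si` and the "states hard limit" line of `pfctl -sm`; the two sample outputs below are constructed so the script runs offline, and the 90 % threshold is an arbitrary choice.

```sh
#!/bin/sh
# Added example: is pf's state table near its hard limit? Constructed sample
# output stands in for pfctl -si / pfctl -sm when run off the firewall.

SAMPLE_SI='State Table                          Total             Rate
  current entries                    10000
  searches                       123456789            1234.5/s
  inserts                           654321               6.5/s
  removals                          644321               6.4/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000'

# state_usage SI_OUTPUT SM_OUTPUT: prints "current limit percent",
# returns 1 if either number could not be found in the output.
state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $4 }')
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    echo "$cur $lim $((cur * 100 / lim))"
}

# state_warning PERCENT: true when the table is at or above 90 % of its limit
state_warning() {
    [ "$1" -ge 90 ]
}

# On the firewall itself, run it against live output:
#   set -- $(state_usage "$(pfctl -si)" "$(pfctl -sm)")
#   state_warning "$3" && echo "state table at $3% of $2: raise 'set limit states'"
```

The fix on the pf side is `set limit states 100000` (or whatever the measured peak plus headroom is) in pf.conf followed by `pfctl -f /etc/pf.conf`; afterwards `pfctl -sm` shows the new hard limit and the "current entries" figure should climb past the old 10000 ceiling under load instead of sticking there, which is the symptom pftop showed in the case above.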



Re: OpenBSD 5.5: question regarding pf syntax

2014-09-28 Thread System Administrator
On 28 Sep 2014 at 8:44, Andy Lemin wrote:

 
  On 28 Sep 2014, at 05:00, System Administrator ad...@bitwise.net
  wrote:
  
  On 27 Sep 2014 at 18:50, Andrew Lester wrote:
  
  Hey guys,
  
  I have what I hope is a simple syntax question for pf rules. I have
  not been able to find any example of this online or in the man pages.
  I suspect it is perhaps not possible. Basically I want to allow out
  certain web services, with a simple rule like below:
  
  pass out on em0 proto tcp from 192.168.1.0/24 port $ports to any
  
  My trouble is with the $ports macro. Here's what I am trying to do:
  
  $common= '{80,443,465,587,993}'
  $games= '{5222,7778,28900}'
  
  $ports= { $common $games }
  
  NOTE: In my real config the macros are above the rule, and I have
  tried with and without enclosing the top two macros in the single
  quotes.
  
  Your problem is not with the quotes but with the braces -- only one
  set of braces is needed and accepted when defining a list.
  
 
 Or turn ports into a table and put the macros for each interesting set
 of ports into the table, and use the table in the rule etc.

Have you even tried this??? I'm quite certain that tables can only hold 
various forms of IP addresses and, accordingly, be used in place of 
source or destination *addresses* but not ports.

  This way when I need to allow specific applications out, instead of
  having a huge single macro where I will forget what the ports are
  for, I can have smaller macros that I just add into the single macro
  which I use in the pf rule. Instead of making a new rule for each
  application, I can just add to the $ports macro.
  
  pf however indicates that the $ports macro is not valid syntax. 
  
  Is this a syntax error on my part, or is this something pf cannot do?
  Totally fine if the latter, I just want to make sure I am not missing
  something silly with the syntax. :)
  
  
  Warm regards,
  Andrew



Re: OpenBSD 5.5: question regarding pf syntax

2014-09-27 Thread System Administrator
On 27 Sep 2014 at 18:50, Andrew Lester wrote:

 Hey guys,
 
 I have what I hope is a simple syntax question for pf rules. I have not
 been able to find any example of this online or in the man pages. I
 suspect it is perhaps not possible. Basically I want to allow out
 certain web services, with a simple rule like below:
 
 pass out on em0 proto tcp from 192.168.1.0/24 port $ports to any
 
 My trouble is with the $ports macro. Here's what I am trying to do:
 
 $common= '{80,443,465,587,993}'
 $games= '{5222,7778,28900}'
 
 $ports= { $common $games }
 
 NOTE: In my real config the macros are above the rule, and I have tried
 with and without enclosing the top two macros in the single quotes.

Your problem is not with the quotes but with the braces -- only one set 
of braces is needed and accepted when defining a list.

 This way when I need to allow specific applications out, instead of
 having a huge single macro where I will forget what the ports are for, I
 can have smaller macros that I just add into the single macro which I
 use in the pf rule. Instead of making a new rule for each application, I
 can just add to the $ports macro.
 
 pf however indicates that the $ports macro is not valid syntax. 
 
 Is this a syntax error on my part, or is this something pf cannot do?
 Totally fine if the latter, I just want to make sure I am not missing
 something silly with the syntax. :)
 
 
 Warm regards,
 Andrew
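Added example, not Andrew's configuration: the macro layout he describes, written so that only one pair of braces reaches the rule. Macros in pf.conf are textual substitution, so the braces are quoted strings placed around the expanded macros. The network and interface are his; the ports are the ones he listed.

```conf
# Added example: nested port macros with a single set of braces.
common = "80 443 465 587 993"
games  = "5222 7778 28900"
ports  = "{" $common $games "}"

# The ports of an outbound web or game session are destination ports, so the
# port clause belongs on the "to" side; "from ... port" would match source
# ports and never fire for client traffic.
pass out on em0 proto tcp from 192.168.1.0/24 to any port $ports
```

`pfctl -nvf /etc/pf.conf` prints the rule with the macros expanded, which is the quickest way to see whether the braces came out right. To add an application later, append its ports to `ports` (or a new macro listed inside it) and reload; the rule itself stays as it is.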



Re: low power device

2014-09-18 Thread System Administrator
On 18 Sep 2014 at 17:33, Stan Gammons wrote:

 On 09/18/14 17:21, Steve Litt wrote:
  On Thu, 18 Sep 2014 16:54:13 -0500
  Stan Gammons sg063...@gmail.com wrote:
 
  On 09/18/14 16:47, Steve Litt wrote:
  How many ethernet ports does it have? I'd love to use something like
  that as a firewall/router.
 
  SteveT
 
 
  The APU has 3 - 1 gig Ethernet ports and works great as a firewall.
 
 
  Stan
 
  Thanks Stan,
 
  What's the device's exact name, and where do I get one?
 
  SteveT
 
  Steve Litt*  http://www.troubleshooters.com/
  Troubleshooting Training  *  Human Performance
 
 
 Sorry, I should have included the link to the website. 
 http://www.pcengines.ch/apu.htm
 
 Click shop to find a location near you.
 
 
 Stan
 
 

Hi,

PC Engines documentation for the APU is not explicit whether the RAM is 
ECC or not. Researching the AMD G CPU it appears that it is only 
compatible with non-ECC memory. Can you confirm that from your unit?

Also, is there consensus among developers to what extent having ECC RAM 
is crucial for production servers and appliances? To put it another way 
-- PC Engines do claim that their products are industrial grade, so 
would you trust the APU as a key component of your infrastructure if it 
does not have ECC RAM?

Thanks in advance,
-Jacob.



Re: daily insecurity says my swap device changed

2014-09-11 Thread System Administrator
On 11 Sep 2014 at 12:23, Scott Bonds wrote:

 On Thu, Sep 11, 2014 at 07:35:47PM +0200, Christer Solskogen wrote:
  On Thu, Sep 11, 2014 at 7:21 PM, Ingo Schwarze schwa...@usta.de wrote:
   Hi Scott,
  
   Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700:
  
   My daily insecurity email on one of my boxes says this:
  
   Block device changes:
   brw-r- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
   brw-r- 1 root operator 0, 1 Sep 8  18:43:56 2014 /dev/wd0b
  
   On all my other (openbsd) boxes, the swap partition has the same date as
   all the other block devices. And all the other devices on *this* box
   have the same timestamp of August 16. After this insecurity report, I
   ran a script that eats up memory and started to use swap space and I
   verified that at least in that case, the swap device timestamp didn't
   change...so it would seem that using swap wouldn't lead to the timestamp
   change in my daily insecurity report.
  
   Does anyone know why the date would change on a swap device like this?
  
   One obvious possibility would be that maybe somebody ran mknod(1)
   or touch(1) on the file /dev/wd0b.
  
  
  The script /dev/MAKEDEV was run, perhaps?
 
 Understood. I'm the only user on this box and I did not run mknod,
 touch, or MAKEDEV. I'm wondering whether something nefarious is going
 on, or if there's some system process that's doing something normal.
 
 

Does anyone know whether system crash dump (which goes to the swap 
device) updates the timestamp? And did the system crash with a dump?



Re: OpenBSD 5.5 sysctl reports hw.ncpu=1 when using 2-core processor Intel Atom CPU S1260 @ 2.00GHz

2014-09-01 Thread System Administrator
If you look at the header line of the dmesg you quoted below, you will 
notice that it says GENERIC -- that is the official name of the SP 
(single processor) kernel. To utilize more than one CPU core, you need 
to be running the MP (multi-processor) kernel, as in GENERIC.MP.

On 1 Sep 2014 at 15:51, Ryan wrote:

 I am using OpenBSD 5.5 with motherboard Supermicro X9SBAA-F which has
 CPU Intel(R) Atom(TM) CPU S1260 @ 2.00GHz. Intel's website reports that
 my CPU has 2 cores and 4 hardware threads:
 
 http://ark.intel.com/products/71267/Intel-Atom-Processor-S1260-1M-Cache-2_00-GHz
 
 I was using the top command to observe CPU utilization and I noticed
 that when toggling with the '1' key, top was only showing 1 CPU on the
 All CPUs line.  After noticing this, I ran the following command and
 received the following output:
 
 $ sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
 hw.machine=amd64
 hw.model=Intel(R) Atom(TM) CPU S1260 @ 2.00GHz
 hw.ncpu=1
 hw.ncpufound=4
 
 Does this output indicate that my operating system is only using one
 core?  During the installation process I was careful to ensure that the
 bsd.mp was marked during the installation process.
 
 Assuming my operating system is only recognizing one core, does this
 mean that the installer put my processor in the single-core list and
 used bsd.sp?  Is it more likely that I made a mistake and I simply need
 to install bsd.mp right now?  Am I misinterpreting the clues as to
 whether or not the operating system is recognizing the two cores?
 
 Thank you for helping me understand my observations.  I have included
 the contents of my email to dm...@openbsd.org below:
 
 -- Forwarded message --
 From: Ryan pennilessanddo...@gmail.com
 Date: Sun, Aug 3, 2014 at 12:08 AM
 Subject: Supermicro X9SBAA-F
 To: dm...@openbsd.org
 
 
 System purpose: Home SFTP file server with softraid three-disk RAID1 and
 hard disk encryption for casual family use on LAN and public Internet.
 Installation experience: The Supermicro X9SBAA-F's built-in USB hardware
 is 3.0-only, so I had to put a USB 2.0 PCI card in to use a keyboard
 during installation.  KVM keyboard input wouldn't work in the
 installation program over IPMI with or without the USB 2.0 PCI card in
 place. Other notes: At the time this dmesg was run, I had already moved
 a hardware jumper to disable the IPMI BMC for security purposes.
 (There's a nasty Supermicro IPMI bug concerning port 49152.)
 
 
 OpenBSD 5.5-stable (GENERIC) #0: Sat Aug  2 03:42:47 UTC 2014
 maintenance@rigmarole.kimternet:/usr/src/sys/arch/amd64/compile/GENERIC
 real mem = 8556257280 (8159MB)
 avail mem = 8319922176 (7934MB)
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe94c0 (23 entries)
 bios0: vendor American Megatrends Inc. version 1.0b date 04/26/2013
 bios0: Supermicro X9SBAA
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S4 S5
 acpi0: tables DSDT FACP APIC FPDT MCFG HPET EINJ ERST HEST BERT
 acpi0: wakeup devices PRP4(S4)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: Intel(R) Atom(TM) CPU S1260 @ 2.00GHz, 1995.22 MHz
 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
 cpu0: 512KB 64b/line 8-way L2 cache
 cpu0: smt 0, core 0, package 0
 mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
 cpu0: apic clock running at 99MHz
 cpu at mainbus0: not configured
 cpu at mainbus0: not configured
 cpu at mainbus0: not configured
 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
 acpimcfg0 at acpi0 addr 0xc000, bus 0-255
 acpihpet0 at acpi0: 14318179 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 1 (PRP1)
 acpiprt2 at acpi0: bus 2 (PRP2)
 acpiprt3 at acpi0: bus 4 (P3P4)
 acpicpu0 at acpi0: C3, C2, C1, PSS
 acpitz0 at acpi0: critical temperature is 127 degC
 acpitz1 at acpi0: critical temperature is 175 degC
 acpibtn0 at acpi0: SLPB
 acpibtn1 at acpi0: PWRB
 ipmi at mainbus0 not configured
 cpu0: Enhanced SpeedStep 1995 MHz: speeds: 2000, 1900, 1800, 1700, 1600, 1500, 1400, 1300, 1200, 1100, 1000, 900, 800, 700, 600 MHz
 pci0 at mainbus0 bus 0
 pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x0c75 rev 0x02
 ppb0 at pci0 dev 1 function 0 vendor Intel, unknown product 0x0c46 rev 0x02
 pci1 at ppb0 bus 1
 ahci0 at pci1 dev 0 function 0 vendor Marvell, unknown product 0x9230 rev 0x10: msi, AHCI 1.2
 scsibus0 at ahci0: 32 targets
 sd0 at scsibus0 targ 0 lun 0: ATA, ST4000VN000-1H41, SC42 SCSI3 0/direct fixed naa.5000c50063ddbe20
 sd0: 3815447MB, 512 bytes/sector, 7814037168 sectors
 sd1 at scsibus0 targ 1 lun 0: ATA, ST4000VN000-1H41, SC42 SCSI3 0/direct fixed naa.5000c50063dda04e
 sd1: 3815447MB, 512 

Re: pfsync and trunk

2014-08-30 Thread System Administrator
And what does OP's message have to do with pfSense ??? (especially 
since he's clearly indicating currently supported OpenBSD versions 5.4 
and 5.5 near the bottom...)

On 30 Aug 2014 at 14:22, Chuck Burns wrote:

 On Saturday, August 30, 2014 8:27:24 AM Tony Sarendal wrote:
  Good morning,
  
  I'm having issues with pfsync on trunk interfaces, although I suspect
  it to
 snip
  Running on pfsync on trunk(4) that initial request never shows up, and
  the bulk update never starts/finishes. I would like to run pfsync on
  trunk(4) lacp link, but as it looks now I have firewalls with carp
  demote counter 33 forever.
 snip
 
 pfSense is FreeBSD-based, not OpenBSD-based...
 
 different versions of pf between OpenBSD and FreeBSD
 
 -- 
 Chuck Burns
 Audemus Jura Nostra Defendere



Looking for version advice

2014-08-09 Thread System Administrator
I need to deploy a BGP router in the next week or so. Generally, I run 
stable in production, but having watched on the lists the many 
advancements from 5.5 (last release) to current which is about to 
become 5.6 release, my question is thus -- is there or soon will be a 
stable snapshot that is (or easily upgradeable to) 5.6 release? If so, 
where do I go to fetch it and the corresponding packages?

This will run on PowerEdge 1850 (amd64) with em(4) multi-port cards.

Many thanks in advance,
-Jacob.



Re: pf icmp redirect question

2014-05-30 Thread System Administrator
On 30 May 2014 at 13:56, Sebastian Benoit wrote:

 Marko Cupa??(marko.cu...@mimar.rs) on 2014.05.30 11:32:14 +0200:
  Hi,
  
  let's say for example I have web server on internal network, and I
  have redirected tcp port 80 from firewall to it:
  
  pass in on $ext_if inet proto tcp from any to $pub_web port 80 \
 rdr-to $priv_web
 
 From the wording of your subject, i suspect you somehow think that rdr-to
 has something to do with icmp redirects, icmp messages with type 5.
 
 This is not so.

This is correct.

  Assuming that $pub_web ip address is used exclusively for web server
  access, and no other ports are redirected to other internal addresses,
  should I also redirect icmp:
  
  pass in on $ext_if inet proto icmp from any to $pub_web rdr-to
  $priv_web
 
 No.

This is not entirely correct -- you *may* want to have the above 
redirect *if* you want external users to be able to ping the real web 
server to ascertain that it is up, in which case you probably want to 
limit icmp types to echo-request/echo-reply (you certainly do NOT want 
to pass through the icmp redirect or the many other routing controls).
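The narrowing Jacob describes, as an added example that is not part of the thread: the broad redirect Marko asked about next to one limited to echo requests, using the $ext_if, $pub_web and $priv_web macros from his question (assumed to be defined elsewhere in the ruleset).

```pf
# Added example, not from the thread. $ext_if, $pub_web and $priv_web are
# Marko's macros and are assumed to be defined above these rules.

# The existing web redirect from the question:
pass in on $ext_if inet proto tcp from any to $pub_web port 80 rdr-to $priv_web

# Too broad: forwards every ICMP type (redirects, unreachables, router
# advertisements, ...) to the internal server.
# pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web

# Narrowed: only echo requests are redirected. The echo replies travel back
# through the state this rule creates, so they need no rule of their own,
# and no other ICMP type reaches $priv_web from outside.
pass in on $ext_if inet proto icmp icmp-type echoreq from any to $pub_web rdr-to $priv_web
```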



Re: feature patch - replace /etc/crontab by /etc/cron.d/

2014-04-08 Thread System Administrator
wasn't the registry database a dead giveaway???

On 8 Apr 2014 at 17:22, Dag Richards wrote:

 all sarcasm on my part.
 hate the whole /etc/hourly /etc/daily /etc/whim-time cron crap
 
 was happy to see Theo's reaction.  Was jerking the list's chain.
 
 
 sven falempin wrote:
   Look what Linux is accepting now: stuff like systemd, how modern! and so
   nicely done!
  
  Maybe having a .d looks .damned cool but does it really solve something ?
  
  New is not better, modern surely isn't.
  
   If there is a way for OpenBSD to move to a cron.d it probably needs a nice
   explanation:
    - problems to be solved
    - why it is the best way to solve them
    - what other solutions have been discarded and why
    - (and is the gain of the change worth the work of the change)
  
  PS:
   If you install software that requires recurrent tasks it should be done
   with a user with specific privileges, so set up a crontab for this user.
  
  
  Geez don't you have a TLS server to patch !
  
  On Tue, Apr 8, 2014 at 4:59 PM, Dag Richards 
  dagricha...@speakeasy.netwrote:
  
   No Theo, I don't think I understand; if you accept the patch then you will be
   more like Ubuntu and other MODERN operating systems.
  
   Why put everything in a single easily readable file, when you can split it
   up into multiple directories.
  
   Which reminds me, when are you going to ditch /etc for a nice registry
   database.
 
 
 
 
  Theo de Raadt wrote:
 
  In your dreams.
 
 
   here is a simple patch to replace /etc/crontab by /etc/cron.d/.
  You need to manually mkdir /etc/cron.d.
 
 
  --- pathnames_original.hMon Apr  7 22:31:53 2014
  +++ pathnames.h Tue Apr  8 16:12:30 2014
  @@ -92,8 +92,8 @@
#define PIDFILEcron.pid
#define _PATH_CRON_PID PIDDIR PIDFILE
 
  -   /* 4.3BSD-style crontab */
  -#define SYSCRONTAB /etc/crontab
  +   /* system crontab dir */
  +#define SYSCRON_DIR/etc/cron.d
 
   /* what editor to use if no EDITOR or VISUAL
* environment variable specified.
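Review bot: the rename of SYSCRONTAB to SYSCRON_DIR in pathnames.h removes the /etc/crontab path with no fallback, so a host that still has an /etc/crontab after upgrading has its entries silently dropped; either keep SYSCRONTAB next to SYSCRON_DIR for a transition period, or state in the patch description that /etc/crontab must be migrated by hand (the message only says to mkdir /etc/cron.d).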
  @@ -42,30 +42,31 @@
 
   Debug(DLOAD, ([%ld] load_database()\n, (long)getpid()))
 
  -   /* before we start loading any data, do a stat on SPOOL_DIR
  -* so that if anything changes as of this moment (i.e., before
  we've
  -* cached any of the database), we'll see the changes next time.
  +   /* before we start loading any data, do a stat on SPOOL_DIR and
  +* SYSCRON_DIR so that if anything changes as of this moment
  +* (i.e., before we've cached any of the database), we'll see
  +* the changes next time.
*/
   if (stat(SPOOL_DIR, statbuf)  OK) {
   log_it(CRON, getpid(), STAT FAILED, SPOOL_DIR);
   return;
   }
 
  -   /* track system crontab file
  -*/
  -   if (stat(SYSCRONTAB, syscron_stat)  OK)
  -   syscron_stat.st_mtime = 0;
  +   if (stat(SYSCRON_DIR, syscron_stat)  OK) {
  +   log_it(CRON, getpid(), STAT FAILED, SYSCRON_DIR);
  +   return;
  +   }
 
  -   /* if spooldir's mtime has not changed, we don't need to fiddle
  with
  -* the database.
  +   /* if spooldir's and syscrondir's mtime has not changed, we don't
  +* need to fiddle with the database.
*
* Note that old_db-mtime is initialized to 0 in main(), and
* so is guaranteed to be different than the stat() mtime the
  first
* time this function is called.
*/
   if (old_db-mtime == HASH(statbuf.st_mtime,
  syscron_stat.st_mtime)) {
  -   Debug(DLOAD, ([%ld] spool dir mtime unch, no load
  needed.\n,
  - (long)getpid()))
  +   Debug(DLOAD, ([%ld] spool dirs mtime unch, no load
  needed.\n,
  +   (long)getpid()))
   return;
   }
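Review bot: the new stat(SYSCRON_DIR) block turns a missing /etc/cron.d into a hard failure for load_database(): the removed code set syscron_stat.st_mtime = 0 when /etc/crontab was absent and carried on, whereas the replacement logs STAT FAILED and returns, so the user crontabs in SPOOL_DIR are never loaded either until the directory is created by hand. Treat a missing directory the way the old code treated a missing file. Separately, HASH(statbuf.st_mtime, syscron_stat.st_mtime) now hashes the directory's mtime, which only changes when entries are created, removed or renamed, so an in-place edit of a file under /etc/cron.d is not noticed; stat the individual files, or document that edits must be renamed into place, if such edits are expected to be picked up.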
 
  @@ -77,28 +78,45 @@
   new_db.mtime = HASH(statbuf.st_mtime, syscron_stat.st_mtime);
   new_db.head = new_db.tail = NULL;
 
  -   if (syscron_stat.st_mtime) {
  -   process_crontab(ROOT_USER, NULL, SYSCRONTAB,
  syscron_stat,
  -   new_db, old_db);
  -   }
  -
   /* we used to keep this dir open all the time, for the sake of
* efficiency.  however, we need to close it in every fork, and
* we fork a lot more often than the mtime of the dir changes.
*/
  -   if (!(dir = opendir(SPOOL_DIR))) {
  -   log_it(CRON, getpid(), OPENDIR FAILED, SPOOL_DIR);
  +   if (!(dir = opendir(SYSCRON_DIR))) {
  +   log_it(CRON, getpid(), OPENDIR FAILED, SYSCRON_DIR);
   return;
   }
 
  -   while (NULL != (dp = readdir(dir))) {
  -   char fname[MAXNAMLEN+1], tabname[MAXNAMLEN];
  +   char fname[MAXNAMLEN+1], tabname[MAXNAMLEN];
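Review bot: replacing opendir(SPOOL_DIR) with opendir(SYSCRON_DIR) drops the open of the spool directory, and the removed process_crontab(ROOT_USER, NULL, SYSCRONTAB, ...) call was the only place the system crontab was processed; as far as the visible lines go, files in /etc/cron.d will now go through the same loop as the user spool, so the patch needs to say how they are parsed (system-crontab format with a user field, run as ROOT_USER) and what ownership and permission checks apply to them, since the single root-owned /etc/crontab implicitly bounded who could add root jobs. The hunk is cut off after the hoisted char fname[...] declaration, so the loop that replaces the removed while (readdir) cannot be reviewed here.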

Re: OpenBSD users web page updates

2014-03-31 Thread System Administrator
On 31 Mar 2014 at 18:13, Chi wrote:

 On Mon, 31 Mar 2014 18:34:39 +0100
 skin...@britvault.co.uk (Craig R. Skinner) wrote:
 
   Reverse.Net uses OpenBSD on AMD hardware to provide shell
 accounts,
   website hosting, and domain name hosting.
 
 results to
 Access Denied:
 Because of high incidents of credit card fraud, we do not accept
 clients from your Internet Service Provider. 
 Can you add, please
 Approved friends only. No strangers allowed. Ever.
 
 Thanks
 Chi
 
 

I don't think that comment is warranted: I'm not a current customer and 
have no problem accessing the site, the order page, or the checkout 
process (though I did not complete it simply because I have no need of 
it) from att.net -- a major US provider (and not one of the most 
responsible ones either ;-)

-Jacob.



Re: pf to redirect local dns traffic to another port

2014-03-29 Thread System Administrator
On 29 Mar 2014 at 22:10, Stéphane Guedon wrote:

 Hello
 
 I am currently trying to run two nameservers on the same OpenBSD 
 server.
 
 The first one is authoritative (let's say bind or nsd, no one
 cares).
 The second will be dnsmasq.
 
 You guess the objective of the construction: give local answers from
 dhcp leases to local requests, and give authoritative answers for the internet
 requests.
 
 That's for the presentation.
 
 I can run dnsmasq on a different port, but how do I give my local
 hosts 
 the idea of interrogating a non standard dns port?
 Then I thought I could drive the traffic from my LAN to the port where
 dnsmasq is running on.
 
 So here is pf conf (obviously expurgated):
 
 ###
 
 table <localnet> { local addresses }
 
 # common
 pass in log on egress proto { tcp, udp } from any to re0 port domain
 
 # local
 pass in quick log on re0 inet proto { udp,tcp } from <localnet> port domain rdr-to 127.0.0.1 port 5353

unless I'm severely mistaken (and someone will correct me), the rule as 
written will match only packets whose SOURCE port is domain ... you are 
missing a "to (self)" or "to any" in front of the port specification to 
achieve your objective.

 #pass in quick log on re0 proto { udp,tcp } from <localnet> port domain divert-packet port 5353
 
 ###
 
 I first tried to use the divert-packet rule (that way I don't have to
 care if the traffic is ipv6 or ipv4), then I tried to redirect using
 rdr-to 127... like most tutorials I found regarding rdr.
 
 I move the local rules before or after the common one, place a quick
 on the common or removed it...
 
 Nothing : the common rule is always the one that applies according to
 the logs.
 Can you tell me what I am doing wrong ?
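The source-port problem Jacob points out, as an added example that is not from either poster: the rule as posted next to a corrected one, with the LAN interface (re0) and dnsmasq port (5353) from Stéphane's message and a constructed table entry.

```pf
# Added example, not from the thread. re0 and port 5353 are from Stéphane's
# message; the table contents are constructed.
table <localnet> { 192.168.1.0/24 }

# As posted: a bare "port domain" with no "to" in front of it is a SOURCE
# port match, so this only matches traffic *from* port 53 on the LAN,
# never the clients' queries (whose source port is ephemeral).
# pass in quick log on re0 inet proto { udp tcp } from <localnet> port domain \
#     rdr-to 127.0.0.1 port 5353

# Corrected: the clients set port 53 as the DESTINATION. "quick" makes
# this rule final when it matches, so the common rule below cannot
# override it, regardless of where in the file the two rules sit.
pass in quick log on re0 inet proto { udp tcp } from <localnet> \
    to any port domain rdr-to 127.0.0.1 port 5353

# Queries from the Internet still reach the authoritative server on 53.
pass in log on egress inet proto { udp tcp } from any to re0 port domain
```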



Re: Patch to remove adult content from spamd(8) man page

2013-11-22 Thread System Administrator
Hi J. Lewis,

I am not a developer, but I've been lurking on this list for a very 
long time and on that basis can tell you that you've committed two 
cardinal sins as far as this mailing list is concerned:

1) you failed to do your homework -- had you done some research, in 
particular about the OpenBSD development philosophy, you would know 
that

2) OpenBSD is the ultimate volunteer effort -- the developers do it in 
their free time FOR PERSONAL FUN. Many of them have made it very 
clear that they would cease development if it stops being fun. Your 
original message (title and intro) goes to the heart of this issue. Its 
tone and attitude are no different than the efforts in the Bible Belt to 
ban Mark Twain's Huckleberry Finn from public libraries, i.e. since 
somebody finds some content to be offensive let's get rid of it 
irrespective of the overall true value or consideration for the fact 
that the author has used the offensive language ON PURPOSE.

-Jacob.

On 22 Nov 2013 at 12:06, J. Lewis Muir wrote:
  ...
 
 I'm a little puzzled over the whole resistance to the patch.  If I
 wrote a man page for some software I wrote, and if an example in it was
 considered off-color by someone, and that someone submitted a patch to
 me to change it slightly to no longer be off-color to them, and they
 asked in a kind way, and the patch didn't hurt the clarity of the man
 page in any way, I would likely accept the patch.  How am I hurt by it?
 I may not agree with the person, but why would I insist on keeping an
 example that seems off-color to them?  If it's somehow offensive to them
 and can be changed in a small way not to be, then I would accept the
 patch to change it.  Everybody wins--no big deal.
 
 Lewis



Re: Two primary OBSD partitions on a HDD

2013-08-25 Thread System Administrator
On 25 Aug 2013 at 10:50, Tony Abernethy wrote:

 josef.win...@email.de wrote
 
 I read fdisk(8) carefully (at least I think so), but I repeatedly failed to
 install two OBSDs on two primary partitions of a HDD.
 
 The idea was to realize a multiboot by toggling the boot-flag to the primary
 partition of the particular OBSD system I want to boot.
 
 However, I think that the install process always chooses the same primary
 OBSD partition for installation (the first that appears in the table?) 
 and I have no control.
 
 /jo
 
 
 ##-
 I'm sure Nick Holland will explain it better, but
 OpenBSD works from THE (singular) disklabel on the physical disk
 Other than keeping other OS's out, and a bit of help booting,
 the fdisk partitions are actually completely irrelevant.
 
 

To expand on Tony's comment, OpenBSD uses the fdisk(8) partition 
information only just enough to locate its disklabel(8). So if you want 
to have two complete (primary) OBSD installs on a single disk you 
have to *hide* them one from another. I succeeded in doing just that by 
using grub's hide/unhide partition feature -- it toggles the partition 
id of the inactive (other) partition from a6 to b6. YMMV



Re: bad rule, or special filtering needed for bootp packets?

2013-03-27 Thread System Administrator
On 27 Mar 2013 at 16:01, David Ruggiero wrote:

 Thanks to Jan for pointing out I neglected to include the macro defs
 for the nets (though they're vanilla and what you'd expect).  Here's
 the full source for the first rule, the one I think should catch the
 bogon packets but doesn't:
 
 int_net = 192.168.5.128/25
 wls_net = 192.168.10.128/25
 ptr_net = 192.168.99.128/25
 table <unroutable_ips> const { 10.0.0.0/8, 172.16.0.0/12,
 192.168.0.0/16, !$int_net, !$wls_net, !$ptr_net, 169.254.0.0/16,
 127.0.0.0/8, 192.0.2.0/24, 0.0.0.0/32, 240.0.0.0/4,
 255.255.255.255/32
 }
 block drop in log quick on ! lo0 inet from <unroutable_ips> to any
 label "block unroutable ip"
 
 The rest of the question below remains the same.
 
 thankee much /david/
 
 
 On Wed, Mar 27, 2013 at 10:12 AM, David Ruggiero
 thatseattle...@gmail.com wrote:
  The very, very first rule in my pf ruleset is part of a fairly
 vanilla  anti-spoof/sanity check set, intended to catch incoming
 bogon/martian packets:
 
    table <unroutable_ips> const { 10.0.0.0/8, 172.16.0.0/12,
  192.168.0.0/16, !$int_net, !$wls_net, !$ptr_net, 169.254.0.0/16,
   127.0.0.0/8, 192.0.2.0/24, 0.0.0.0/32, 240.0.0.0/4,
  255.255.255.255/32 }
    block drop in log quick on ! lo0 inet from <unroutable_ips> to any
  label "block unroutable ip"
 
 
  I can see it being evaluated using pfctl -v -s rules, but so far
 (~40hrs uptime) it hasn't matched anything yet. That would normally
  not be of concern, except I'm seeing stuff like this in the pflog
 that I think it should have caught - but had to get caught by a
 later,
  fail-safe rule at the bottom of the ruleset. In particular, I'm
 seeing lots of bootp packets from badly-configured Windows clients:
 
    Mar 26 19:22:05.85 rule 49/(match) [uid 0, pid 2590] block in on
  em0: 0.0.0.0.68 > 255.255.255.255.67: xid:0x64f14f [|bootp] (DF)
  [tos 0x10] (ttl 64, id 0, len 330)
 
  So:
  - Is there something wrong with my first rule that I'm not seeing
 that causes these 0.0.0.0 bootp packets to miss it, OR
  - Is there something special about the bootp packets [remember,
 bootp uses UDP] that they won't match that rule, even
though the source is in the unroutable_ips table?
 
  Thanks for any insight, or other debugging ideas I can test.
  /d/
 
  PS: Notice the quick keyword in the block rule - this isn't a
 last rule that matches issue, in case you're tempted to reply with
  something about that - I would think a packet from 0.0.0.0 should
 hit the rule, match, and then due to quick undergo no further
  evaluation, end of story.
 
 

Did you take the time to display the content of the table?
'pfctl -t unroutable_ips -Ts' should do the trick, and then you would 
see that 0.0.0.0 is *not* in the table. I just ran a quick test to 
verify that it is not possible to add such an address to a table. I 
did not dig through the source code and am not an expert on the IP 
stack as some devs on this list, but I do suspect that there are many 
special properties attached to a null address field.



Re: Intel hyperthreading w/ Atom E6xx OpenBSD 5.2?

2013-03-07 Thread System Administrator
On 7 Mar 2013 at 20:24, David Ruggiero wrote:

 I've been using OpenBSD for 8+ years on my main router/firewall (4
 NICs).
 Time to upgrade (I'm back on v3.8, yikes). Past time, really.
 So lots to
 learn / re-learn here. Have patience.  First question:
 
 I'll be loading 5.2 on a low-power, Atom E640-based box (the Soekris
 net6501).  That chip has two Hyperthreading cores. Several
 net-references
 (esp. ca**mel.org ) advocate turning off HTT in the bios when using
 OpenBSD
 for faster interrupt servicing / task switching latency.
 
 But perhaps that advice is pre-5.2, when we got pthreads(3)
 support?
 What's the best current advice for that kind of one-cpu,
 multi-logical-thread system?
 
 1) Single processor kernel or multi-processor (smp) kernel?
 2) If the latter, HTT turned on or off?
 
 Thanks.
 Bonnie
 
 

First things first: read, read, and re-read the official documentation. 
Many things changed in the intervening years, in particular, PF 
configuration syntax has changed a fair bit.

Do note that unlike the Linux world where you have to dig for third 
party how-tos, OpenBSD official documentation is very complete and up 
to date. Which is one of the reasons the website you referenced is 
frowned upon as most of its information is either out of date or 
simply wrong. That said, the particular point you bring up may still be 
valid -- much depends on your specific situation.

Whether or not to use hyperthreading and multiprocessor (MP) kernel 
depends on the workload of your firewall. The OpenBSD kernel and 
network stack still do run only on CPU0, so if all you plan to do is 
use PF to filter traffic, then you are indeed better off disabling HTT. 
However, if your firewall is also going to be running a fair amount of 
userland processes (e.g. your website with db backend) then you may 
well benefit from multiprocessor support.



Re: OpenBSD-Update Tool

2013-02-09 Thread System Administrator
OpenBSD is all about KISS (simplicity) -- have you tried running the bi-
annual release update procedure? have you read (carefully) the FAQ 
section on upgrading? Many users report it takes less than 15 minutes 
to perform a *remote* upgrade. Also you need to mind that OpenBSD does 
not support version rollbacks or offer binary updates to stable. So 
will an additional tool which requires ongoing maintenance and a 
configuration file setup, really add value (simplicity) ?

On 9 Feb 2013 at 20:23, Crookedmaze wrote:

 Dear OpenBSD Community,
 
 Hello I am wondering if there is a tool similar to FreeBSD-update on
 OpenBSD? If not are there any reasons for why a tool like this
 hasn't been developed? Also if there isn't a tool like this
 (I am pretty sure there isn't one as I have checked) if I were to
 develop one do you think it would be accepted into OpenBSD? Please
 let me know what you think!
 
 Sincerely,
 Crookedmaze



Re: OpenBSD-Update Tool

2013-02-09 Thread System Administrator
On 9 Feb 2013 at 21:11, Crookedmaze wrote:

 On 02/09/2013 08:42 PM, System Administrator wrote:
  OpenBSD is all about KISS (simplicity) -- have you tried running the bi-
  annual release update procedure? have you read (carefully) the FAQ
  section on upgrading? Many users report it takes less than 15 minutes
  to perform a *remote* upgrade. Also you need to mind that OpenBSD does
  not support version rollbacks or offer binary updates to stable. So
  will an additional tool which requires ongoing maintenance and a
  configuration file setup, really add value (simplicity) ?
 
  On 9 Feb 2013 at 20:23, Crookedmaze wrote:
 
 
  Dear OpenBSD Community,
 
  Hello I am wondering if there is a tool similar to FreeBSD-update on
  OpenBSD? If not are there any reasons for why a tool like this
  hasn't been developed? Also if there isn't a tool like this
  (I am pretty sure there isn't one as I have checked) if I were to
  develop one do you think it would be accepted into OpenBSD? Please
  let me know what you think!
 
  Sincerely,
  Crookedmaze
 
 
   
 Yes, System Administrator, I have had a look at the FAQ. The reason I am
 asking about such a tool is because it seems as if the only way to
 update OpenBSD (errata update wise) is to download a patch from
 the errata page and to manually patch the source code then follow the
 instructions for applying the patch (or you could follow stable using
 CVS). I just thought it would be easier (and simpler) if you were
 able to patch the version of OpenBSD you are running by simply typing
 openbsd-update, which would then apply the security update by downloading
 and installing a binary package. I also don't think that it would
 require as much overhead as you might think because currently
 (OpenBSD 5.2) there has only been one release errata patch and in
 OpenBSD 5.1 there was also only one. So it would really only require
 a few binary packages (or at most 18 depending on the number of
 architectures affected) to be released. I am not necessarily talking
 about upgrading OpenBSD to a new release; I am more so talking about
 simply applying errata patch fixes through binary packages. So I
 think this would actually help to simplify the updating process because
 it would reduce the number of steps you would have to take to apply
 security (and reliability) updates to OpenBSD. Please correct
 me if I am wrong (or simply mistaken) but I think this
 would definitely help to simplify things.
 
 Sincerely,
 Crookedmaze
 

While it will probably (but not definitely, as the target audience for 
OpenBSD is the more technical users) simplify things for some users, it 
has been deemed to be undue burden for the developers -- the topic of 
binary updates has come up on the mailing lists a few times in the past 
and has always concluded the same... I recommend perusing the archives, 
for example at marc.info.

BTW, the overhead mentioned in my original message is that of 
maintaining the tool itself (for the developers) and configuring it 
(for the end-users).



CARP best practices

2013-01-30 Thread System Administrator
I finally got to deploy a CARP firewall cluster (HA failover for now). 
Using only the official OpenBSD.org documentation, everything went very 
smoothly even though the setup is not quite trivial (14 carp addresses 
on 6 active interfaces). I even got system replication going using 
rdist(1).

While testing the failover and trying to ssh to a carp address I got 
hit with the server key mismatch; hence this email. What is considered 
best practice wrt ssh keys in a carp cluster -- install the same keys 
on all member nodes to avoid the alerts or just live with the 
occasional mismatch?

Thanks in advance.

OpenBSD 5.2-stable (GENERIC.MP) #0: Tue Jan  1 19:44:42 EST 2013



Re: CARP best practices

2013-01-30 Thread System Administrator
On 30 Jan 2013 at 9:29, Johan Beisser wrote:

 On Wed, Jan 30, 2013 at 8:56 AM, System Administrator ad...@bitwise.net 
 wrote:
  I finally got to deploy a CARP firewall cluster (HA failover for now).
  Using only the official OpenBSD.org documentation, everything went very
  smoothly even though the setup is not quite trivial (14 carp addresses
  on 6 active interfaces). I even got system replication going using
  rdist(1).
 
  While testing the failover and trying to ssh to a carp address I got
  hit with the server key mismatch; hence this email. What is considered
  best practice wrt ssh keys in a carp cluster -- install the same keys
  on all member nodes to avoid the alerts or just live with the
  occasional mismatch?
 
 Don't monitor SSH on the CARP address.

Sorry, I'm not following you



a possible rdist bug

2013-01-30 Thread System Administrator
To simplify maintenance of a carp firewall cluster, I setup system 
replication with rdist(1), which works rather nicely with one notable 
exception where cmdspecial fires even when there are no updated files. 
It is the only instance of cmdspecial that misfires, it is also the 
only instance that specifies globbing explicitly.

If this is known (or a feature), where is it documented? If this is a 
bug, how do I go about tracking it down?

Relevant parts of Distfile:

(Yes, there is a bunch of pf.conf* files in addition to the main one -- 
each logical function of the firewall is in its own anchor loaded via a 
separate pf.conf.anchor file.)

NOTIFY = ( root ad...@bitwise.net )
SAVED = ( \\.OLD\$ )			# previously saved
TRASH = ( \\..*\\.swp\$ ~\$ )		# vim junk

USERS = ( /etc/{master.passwd,passwd,{,s}pwd.db} )
LOCAL = ( myname hostname.* ssh/ssh_host_*key* *.orig
	  disklabels dumpdates iked isakmpd rndc.key )

etc:
/etc -> ${HOSTS}
	install -compare,savetargets,updateperm,younger ;
	notify	( ${NOTIFY} ) ;
	except	( /etc/${LOCAL} ${USERS} ) ;
	except_pat ( ${TRASH} ${SAVED} ) ;
	# command strings are double-quoted; rdist runs them via the shell
	cmdspecial ( /etc/pf.conf* )	"/sbin/pfctl -f /etc/pf.conf" ;
	special /etc/relayd.conf	"/usr/sbin/relayctl reload" ;
	special /etc/syslogd.conf	"/etc/rc.d/syslogd reload" ;
	special /etc/inetd.conf		"/etc/rc.d/inetd reload" ;
	special /etc/ntpd.conf		"/etc/rc.d/ntpd restart" ;
	# test the new config first; on failure put the saved copy back
	special /etc/ssh/sshd_config	"/usr/sbin/sshd -qt && /etc/rc.d/sshd reload
					 || mv -f \$FILE.OLD \$FILE" ;



Re: CARP best practices

2013-01-30 Thread System Administrator
Thank you Alexander (and Johan) for confirming what I kinda suspected --
use shared keys if it is a published (i.e. failover-required) service, 
otherwise bind only to dedicated address(es) using dedicated keys.

On 30 Jan 2013 at 18:33, Alexander Hall wrote:

 On 01/30/13 17:56, System Administrator wrote:
  I finally got to deploy a CARP firewall cluster (HA failover for now).
  Using only the official OpenBSD.org documentation, everything went very
  smoothly even though the setup is not quite trivial (14 carp addresses
  on 6 active interfaces). I even got system replication going using
  rdist(1).
 
  While testing the failover and trying to ssh to a carp address I got
  hit with the server key mismatch; hence this email. What is considered
  best practice wrt ssh keys in a carp cluster -- install the same keys
  on all member nodes to avoid the alerts or just live with the
  occasional mismatch?
 
 Is the ssh service one of the failover'able services?
 
 If it is, I believe it makes sense to share the keys (that's what I do 
 anyway), alternatively you could have a second sshd configured with a 
 shared HostKey.
 
 If it is not, I'd suggest letting sshd listen only on the host address 
 and not on the carp address.
 
 /Alexander
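
An added example (not from the thread) of checking Alexander's advice mechanically: given the output of `ifconfig carp` and `netstat -an -f inet`, list the TCP listeners on a port that are bound to a CARP address, counting a wildcard (*.22) listener as bound there too. The interface and socket listings embedded in the block are constructed, not captured from a real cluster, and the check is IPv4 only.

```sh
#!/bin/sh
# Added example: find sshd (or any TCP) listeners bound to CARP addresses.
# Feed it the output of `ifconfig carp` and `netstat -an -f inet`; the
# constructed samples below stand in for that output so it runs offline.
# IPv4 only.  A wildcard listener (*.PORT) is reported as well, because it
# accepts connections on the CARP addresses too.
#
#   carp_bound_listeners IFCONFIG_TEXT NETSTAT_TEXT [PORT]
#
# Prints one offending local address per line (nothing if none).
carp_bound_listeners() {
    ifc=$1 ns=$2 port=${3:-22}
    # addresses configured on carp interfaces, space separated
    carp=$(printf '%s\n' "$ifc" | awk '$1 == "inet" { printf "%s ", $2 }')
    printf '%s\n' "$ns" | awk -v port="$port" -v carp="$carp" '
        BEGIN { n = split(carp, c, " "); for (i = 1; i <= n; i++) is_carp[c[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # netstat prints host.port; the port is whatever follows the last dot
            if (!match($4, /\.[0-9]+$/)) next
            host = substr($4, 1, RSTART - 1)
            p = substr($4, RSTART + 1)
            if (p != port) next
            if (host == "*" || (host in is_carp)) print host
        }'
}

# Constructed sample data (not real hosts): carp0 carries the shared
# service address 192.0.2.10; the host's own address is 192.0.2.2.
SAMPLE_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.22          *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  192.0.2.2.2222         *.*                    LISTEN
tcp          0      0  192.0.2.2.22           *.*                    LISTEN'

# Only 192.0.2.2.22 is fine: it is the host address, which never moves.
carp_bound_listeners "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT" 22
```

On a live node run it as `carp_bound_listeners "$(ifconfig carp)" "$(netstat -an -f inet)" 22`; an empty result means sshd is bound only to addresses that stay with the host, so a failover cannot produce the host key mismatch described above.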



Re: AR9485WB-EG libre port

2012-12-14 Thread System Administrator
On 14 Dec 2012 at 16:43, Sha'ul wrote:

 The driver for AR9485 seems to be fully function in libre Linux from
 what I've tried, don't need the vanilla Linux version for at least the
 wifi to work. Would it not be possible to thereby port over the libre
 linux driver version to get some kind of code going to start hacking on
 to support wifi?
 

Your code is welcome, but remember you must re-develop, you cannot 
port -- your driver must be independently developed and free of the 
GPL code (mandatory for libre linux and not compatible with BSD 
kernel).



i386 or amd64?

2011-08-05 Thread System Administrator
Looking to build a firewall for a fairly busy (25+mb) site. Hardware is 
Dell PE2850, 2 Xeon 64-bit CPUs, 4GB RAM, 6 em(4) interfaces. Software 
is primarily pf(4) and relayd(8).

Not so long ago the recommendation was to use the i386 build for a 
slight performance and stability benefit. Is that still the case? What 
are the advantages and shortcomings of amd64?

Thanks in advance.



Re: Cascading pf firewalls with both nat and no nat

2010-03-01 Thread System Administrator
On 1 Mar 2010 at 21:01, Thomas Schwarz-Gulden wrote:

 Hi,
 
 Interface re0 of the external firewall is configured as
 10.1.0.1/16.

That's your problem, see below.

 netstat -rn
 on external firewall lists 10.1/16 with flags UC.
 
 So I think that anything with a destination like
 10.1.x.x would be sent there, including anything
 to 10.1.2.1.

Yes, BUT only if it is directly connected -- it is trying to reach 
10.1.2.1 directly *without* using any gateways.
 
 Am I wrong?

In a way.

  Original-Nachricht 
 
  On 01/03/2010 18:26, tsg12...@gmx.de wrote:
   What am I doing wrong? Any hints would be appreciated.
   Thank you very much in advance.
  
  Hi,
  
  Has the external fw a route to 10.1.2.1/24 ?
 
 -- 
 GMX DSL: Internet, Telefon und Entertainment f|r nur 19,99 EUR/mtl.!
 http://portal.gmx.net/de/go/dsl02
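
An added example, not from the thread, of the routing decision the reply is describing: a longest-prefix-match lookup over a small text route table. With only the connected 10.1.0.0/16 on re0, 10.1.2.1 matches that entry and the kernel ARPs for it on re0 instead of forwarding; adding a more specific route sends it to a gateway. The route tables and the gateway address 10.1.0.2 are assumptions made up for the example.

```sh
#!/bin/sh
# Added example: longest-prefix-match route lookup over a text route table,
# to show why a /16 configured on re0 swallows 10.1.2.1 and what a more
# specific route does about it.  Table rows are "DEST/PLEN GATEWAY IFACE";
# "link#re0" marks a directly connected network, which the kernel reaches
# by ARP instead of via a gateway.  The tables and the gateway 10.1.0.2 are
# constructed for the example, not taken from the thread.
#
#   route_lookup DEST_IP TABLE_TEXT   -> prints the winning row
route_lookup() {
    dest=$1 table=$2
    printf '%s\n' "$table" | awk -v dest="$dest" '
        function ip2int(s,    a) {
            split(s, a, ".")
            return a[1] * 16777216 + a[2] * 65536 + a[3] * 256 + a[4]
        }
        BEGIN { d = ip2int(dest); best = -1 }
        NF >= 2 {
            split($1, p, "/")
            net = ip2int(p[1]); plen = p[2] + 0
            div = 2 ^ (32 - plen)          # drop the host bits
            if (int(net / div) == int(d / div) && plen > best) {
                best = plen; winner = $0
            }
        }
        END { print winner }'
}

# Before: only the connected /16 that comes from "re0 configured as 10.1.0.1/16".
ROUTES_BEFORE='0.0.0.0/0 192.0.2.1 re1
10.1.0.0/16 link#re0 re0'

# After: a more specific route to the inner firewall's network via its
# (assumed) outer address.
ROUTES_AFTER="$ROUTES_BEFORE
10.1.2.0/24 10.1.0.2 re0"

route_lookup 10.1.2.1 "$ROUTES_BEFORE"   # 10.1.0.0/16 link#re0 re0  (ARP on re0, never forwarded)
route_lookup 10.1.2.1 "$ROUTES_AFTER"    # 10.1.2.0/24 10.1.0.2 re0  (sent to the gateway)
```

The lookup picks the entry with the most prefix bits that still contains the destination, which is exactly why the connected /16 wins until a /24 (or host route) for the inner network exists.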



Re: routing and pf at 10Gbps

2010-02-11 Thread System Administrator
On 11 Feb 2010 at 23:15, Dirk Mast wrote:

 Daniel Ouellet wrote:
 
  On 2/11/10 2:46 PM, Henning Brauer wrote:
  disk i/o is irrelevant. you will need a very very very fast
 opengl
  capable graphics card with loads of memory of course.
  
  ???
  
  I am sure I am missing something big here, but Fast Video Card
 with
  OpenGL for router? Are you trying to look live every packets routed
 here?
  
  If I may asked Henning, please give me a clue stick as that part I
  really do not understand what so ever. No bunt intended, I just do
 not
  understand that at all, please help me get it? What Video have to
 do
  with routing?
  
  Best,
  
  Daniel
 
 http://www.youtube.com/watch?v=DF7MroTLDfU
 

Actually I was hoping that if it is nothing more than sarcasm Henning 
would give a hint -- I'm old enough to remember earlier generations of 
i386 architecture where poorly designed graphics card would affect the 
entire bus performance to slow down all kinds of I/O (disk, lan, etc.)



Re: routing and pf at 10Gbps

2010-02-11 Thread System Administrator
On 12 Feb 2010 at 11:44, Aaron Mason wrote:

 On Fri, Feb 12, 2010 at 9:48 AM, System Administrator
 ad...@bitwise.net wrote:
  On 11 Feb 2010 at 23:15, Dirk Mast wrote:
 
  Daniel Ouellet wrote:
 
   On 2/11/10 2:46 PM, Henning Brauer wrote:
   disk i/o is irrelevant. you will need a very very very fast
  opengl
   capable graphics card with loads of memory of course.
  
   ???
  
   I am sure I am missing something big here, but Fast Video Card
  with
   OpenGL for router? Are you trying to look live every packets
 routed
  here?
  
   If I may asked Henning, please give me a clue stick as that part
 I
   really do not understand what so ever. No bunt intended, I just
 do
  not
   understand that at all, please help me get it? What Video have
 to
  do
   with routing?
  
   Best,
  
   Daniel
 
  http://www.youtube.com/watch?v=DF7MroTLDfU
 
 
  Actually I was hoping that if it is nothing more than sarcasm
 Henning
  would give a hint -- I'm old enough to remember earlier generations
 of
  i386 architecture where poorly designed graphics card would affect
 the
  entire bus performance to slow down all kinds of I/O (disk, lan,
 etc.)
 
 
 
 That's why you see very few servers with video cards.  Even
 well-designed cards can rob the system of precious, precious I/O.
 Same goes for sound cards (which, from what I've heard, used to
 create
 havoc by not lowering its IRQ after each request), floppy drives,
 anything not needed for the system to function basically.

They might not have physical add-in cards, but all i386/amd64 servers 
have graphics hardware attached to some interconnect bus. Otherwise 
they would not be able to paste those Microsoft Windows stickers. And 
on many the only way to turn off the on-board (often inferior) graphics 
hardware is to insert an add-in card...
 
 -- 
 Aaron Mason - Programmer, open source addict
 I've taken my software vows - for beta or for worse



Re: BGP and NATting to multiple ISPs

2009-06-18 Thread System Administrator
Daniel is quite right, if least interrupted connectivity is so crucial 
to you, your best bet is to find the most reliable ISP in your area. In 
my experience that would be the so-called Tier 2 (transit) carriers --
 they will have the fully redundant connectivity to multiple Tier 1 
(long-haul) carriers or possibly direct connection to a NAP/IX. And 
the redundancy they have is of the kind you cannot get at your 
location, which is diverse egresses from the building. No matter how 
many ISP's you connect at your location, unless you use different media 
(such as radio or cable), your last-mile delivery is going to be in the 
same bundle of copper wires or over the same strand of fiber, so that a 
cut or any other telco problem will affect both links simultaneously.


On 18 Jun 2009 at 18:52, Daniel Ouellet wrote:

 Hi, here is a few ideas for you.
 
 A few things to think about here depending on what issue you really try to 
 solved.
 
 First a good ISP after you actually reach them have built redundancy on their
 network, so unless you try a cheap one, then you should be fine there.
 
 Then what could go wrong? Well plenty yes, but less take them.
 
 - Power, well UPS, if UPS runs out, two ISP will do nothing.
 
 - single router blow up, same thing. So, you designed it with two as you put 
 it,
 great.
 
 - Local loop, last mile, well if it get cut, then it's cut and needs to be 
 fix.
 
 So two line needs to come in.
 
 One solution may be as simple as getting these two lines form the same ISP and
 have them merge together.
 
 Like if you use T1 for example, then they could be bundle together via PPP and
 allow you to use the full capacity of both and if one goes down, you still 
 have
 the first one and nothing is lost, no traffic is lost and all continue, just
 slower. You might be able to get it cheaper if both from the same ISP as well
 and they would need to be provision on the same router on their end anyway to
 merge them.
 
 This way, you don't need BGP, you get backup as you want to get, on line goes
 dead, you still have the second one.
 
 But then, you don't have your IP problem and believe me, getting any IP's from
 ARIN these days is pretty darn hard! Unless you want IPvShit, then you will be
 giving them right away. They change their policy last month if my memory is 
 good
 and you sure can get it for your site, but then, you hell open a truck load of
 other issues however.
 
 This combine lines also address your requirement of balancing your traffic, 
 but
 in this case, you don't need anything special, it works no problem.
 
 I don't know how things are in Chicago, but if it is like here on the east 
 coast,
 looks like Verizon enjoy playing with wire in central office and disconnect
 lines at random. I don't really think they are doing that, but sure hell look
 like it however as problem are always with the local loop!
 
 So, this may well works for you and get you want you want to do.
 
 Just a thought anyway for your consideration that may address your needs in a
 different way.
 
 Best,
 
 Daniel
 
 

-
System Administrator                ad...@bitwise.net
Bitwise Internet Technologies, Inc.
22 Drydock Avenue                   tel: (617) 737-1837
Boston, MA 02210                    fax: (617) 439-4941



Re: authpf for incoming connections

2009-05-22 Thread System Administrator
On 22 May 2009 at 15:05, Aaron Martinez wrote:

 Hi All,
 
 I am setting up an openbsd 4.5 stable based pf firewall and was
 wondering if there is a way to make it so only certain users could log
 in from certain IP addresses.  I have authpf set up and working well,
 but the problem is if someone that isn't coming from one of my safe ip
 addresses, i don't want them to be able to log in using a login name
 that has a standard shell like ksh.  I saw the Match statement for
 sshd but it looks like the only things that can be set are:
 AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
 ForceCommand, GatewayPorts, GSSAPIAuthentication,
 HostbasedAuthentication, KbdInteractiveAuthentication,
 KerberosAuthentication, MaxAuthTries, MaxSessions,
 PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
 PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
 X11DisplayOffset, X11Forwarding and X11UseLocalHost.  none of which
 would allow for what i'm trying. (if i'm understanding this correctly)
 
 
 I'm trying to have authpf authenticate people before they are able to
 use certain services behind the firewall, i.e. pptp server, pop server
 etc., while allowing certain people from static IP addresses to actually
 log into the openbsd firewall.  

You did say you are setting up a pf firewall, so why not use its 
firewalling functionality to limit those services to the specific 
_static IP addresses_? This is one of the simplest use cases for pf!
 
 Any ideas greatly appreciated.
 
 
 Thanks in advance.
 
 Aaron Martinez



Re: authpf for incoming connections

2009-05-22 Thread System Administrator
On 22 May 2009 at 16:37, Aaron Martinez wrote:

  On 22 May 2009 at 15:05, Aaron Martinez wrote:
 
  Hi All,
 
  I am setting up an openbsd 4.5 stable based pf firewall and was
  wondering if there is a way to make it so only certain users could log
  in from certain IP addresses.  I have authpf set up and working well,
  but the problem is if someone that isn't coming from one of my safe ip
  addresses, i don't want them to be able to log in using a login name
  that has a standard shell like ksh.  I saw the Match statement for
  sshd but it looks like the only things that can be set are:
  AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
  ForceCommand, GatewayPorts, GSSAPIAuthentication,
  HostbasedAuthentication, KbdInteractiveAuthentication,
  KerberosAuthentication, MaxAuthTries, MaxSessions,
  PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
  PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
  X11DisplayOffset, X11Forwarding and X11UseLocalHost.  none of which
  would allow for what i'm trying. (if i'm understanding this correctly)
 
 
  I'm trying to have authpf authenticate people before they are able to
  use certain services behind the firewall, i.e. pptp server, pop server
  etc., while allowing certain people from static IP addresses to actually
  log into the openbsd firewall.
 
  You did say you are setting up a pf firewall, so why not use its
  firewalling functionality to limit those services to the specific
  _static IP addresses_? This is one of the simplest use cases for pf!
 
  Any ideas greatly appreciated.
 
 
  Thanks in advance.
 
  Aaron Martinez
 
 
 
 I don't want to limit the services behind the firewall to certain IP
 addressed, only to people that can authenticate with authpf at the
 firewall, they can be at any IP.  Then after they authenticate a rule is
 loaded to allow their IP to get to the pop or pptp server behind the
 firewall.
 
 The safe addresses are for people that need to do administration on the fw
 and have an account on the fw system itself that has a shell other than
 authpf.

What kind of firewall would it be if it could not protect itself? Ergo, 
my original suggestion still holds. Please review the pf FAQ and other 
documentation, they contain a number of examples to do exactly what you 
are asking.

 Thanks.



Re: Raid controller?

2009-05-15 Thread System Administrator
On 15 May 2009 at 17:11, Chuck Robey wrote:

 I'm trying to see if there's any way I can get my Raid controller, which is a
 AMCC (3Ware) 9650-4, to work under OpenBSD.  The man page for the twe driver
 says it works for several different 3Ware controllers, but it seems to omit 
 the
 9000 controllers.  The FreeBSD driver, named twa.c, well, I can't see that  
 it's
 been brought into OpenBSD anywhere.  If it's in as part of another driver, 
 then
 my only chance to find it would be to ask here, right?  I've been using that 
 twa
 driver under FreeBSD for a couple years now, it (at least) works really well, 
 so
 I sure hope there's some option I  have (beyond launching off on a project to
 move that driver, because I already have myself a project I'm working on under
 OpenBSD, and it would just take me too darn long to wait, if I had to put it
 onto my own stack).
 
 I saw that the current OpenBSD driver supports the Escalade model, I've 
 never
 heard that term before, if it's supposed to stand in for some 3Ware model, 
 well,
 the AMCC 3Ware site seems to be unaware of it.  I suppose it might be some 
 name
 that they're trying to forget, for some odd marketing reason.  It hasn't got
 anything to do with the 9650, has it?
 
 Boy, I sure hope I don't have to wait until I get enough time to port that
 FreeBSD driver myself, it's going to take me a good long while.
 

Unlike FreeBSD, this project (OpenBSD) does not support or incorporate 
drivers based around binary-blobs. Furthermore, with rare exceptions, 
the project does not reverse-engineer but insists on having complete 
documentation to do proper development. Back in the days of the 
Escalade product line (the 5000 and 6000 series PATA RAID) 3ware Corp. 
produced the twe driver. But they have subsequently abandoned support 
for it and have steadfastly refused to release any documentation for 
their hardware. As a result, you should expect this hardware to be non-
functional in OpenBSD. AFAIK, the FreeBSD twa driver is not portable to 
OpenBSD because a major portion of it is a binary blob.

If you want more details and additional background on these matters, 
you should search the mailing list archives for the discussions 
involving 3ware.



Re: ADSL2+ PCI card

2009-05-14 Thread System Administrator
On 14 May 2009 at 21:29, John Bond wrote:

 On Thu, May 14, 2009 at 9:16 PM, Russell Howe rh...@bmtmarinerisk.com wrote:
 
  These should work fine - the S518 presents itself as a special ADSL
  controller on the PCI bus, but AFAIK the 519 is actually an ethernet chip
  (Realtek 8139?) paired up with an ADSL modem on a PCI card, so all the
  computer sees is an ethernet card.
 
  I think you configure the ADSL modem by telnetting to it through the
  ethernet card, but I'm not sure.
 
 Thanks for your response Russell, what I have read agrees with your
 response, however I wasn't sure if the rtl8139 chip was supported, I
 couldn't find it on the hardware list
 

man 4 rl



Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?

2009-04-05 Thread System Administrator
CUPS and Linux/Windows blobs are so often required because printers 
have gone the way of the modems -- i.e. minimal intelligence in the 
device with most of the processing happening on the host. If you stick 
to real hardware printers that provide built-in Postscript (or at 
least PCL) language and fonts, you will have no problems with OpenBSD. 
The simple litmus test is "does it work in DOS?" (just like a modem ;-). 
BTW, most USB-only printers are of the dumb Windoze variety.

Beware of laser printers with ultra-cheap cartridges (e.g. Brother) 
which do not contain all of the consumables -- before you know it you 
will be shelling out the cost of the printer to service the developer drum. 
OTOH, the integrated cartridges (e.g. HP and Lexmark) typically cost a 
bit more but the printer should not require anything additional for its 
multi-year life.

For the longest time I used to be a fan of HP, although I have also 
always liked Lexmark. But now my preference is shifting -- HP's lower 
priced models are almost all of the host-based variety. Also I recently 
learned from a reseller that HP's cartridges include a page counter and 
stop operating at the prescribed number of pages regardless of actual 
utilization, which is in stark contrast to Lexmark whose cartridges are 
guaranteed for at least a certain number of pages and the company 
will replace it free of charge if it runs out sooner but does not 
prevent you using it past that many pages.

On 5 Apr 2009 at 19:44, ropers wrote:

 I'm looking for a colour laser printer that's so cheap that I can
 put it on my birthday wish list and stand a chance of getting it (too
 broke to buy one myself).
 
 - The printer should work with OpenBSD without a hitch, and by that
 I don't mean can sometimes be gotten to work by endlessly tweaking
 CUPS, and I also don't mean can be gotten to work with compat_linux
 and a binary blob,
 - the printer should also be Linux-compatible (Windows-compatibility
 not required),
 - it should be a colour laser printer,
 - replacement cartridges shouldn't be prohibitively expensive,
 - and it should be as cheap as possible without totally sucking monkey
 balls.**
 
 Oh, and I have an aversion to HP, so it would be better if it wasn't
 from them.
 
 All-in-one stuff and similar shenanigans aren't important at all. In
 fact, I'd prefer it if the device didn't offer that, as BSD/Linux
 support of such features tends to be spotty.
 I looked at http://openbsd.org/i386.html#hardware and didn't see any
 printers mentioned there, though I suppose they sort of fall under
 RJ45 support or ulpt(4)
 http://www.openbsd.org/cgi-bin/man.cgi?query=ulptsektion=4 and the
 rest is lpd/CUPS? If a printer is supported by CUPS/Linux, will it
 work on OpenBSD? Sorry for the daft questions, but a cursory Google
 search didn't reveal much. I found this:
 http://www.onlamp.com/pub/a/bsd/2004/07/08/FreeBSD_Basics.html and
 this: http://openprinting.org/printer_list.cgi , but while it offers
 good info on specific printers, entering requirements such as
 blob-free and colour laser and then searching for a list of
 suitable models doesn't seem to be possible there.
 
 If anyone could recommend anything, or even warn me against buying
 certain models, I'd be very grateful.
 
 Thanks and regards,
 --ropers
 
 **My current inkjet printer takes well over a minute to print a
 single page, so my definition of not totally sucking monkey balls is
 actually quite modest.



Re: Security issue, damn I've been hacked

2009-02-20 Thread System Administrator
On 21 Feb 2009 at 0:46, Jean-Francois wrote:

 Hi All,
 
 It looks like my server running since few days has already been hacked.
 It looks like a new user called 'daemon' ID 1 and a new group daemon.
 User's full name 'The devil itself'  First time I find out evidence
 of hack on my server, however it's only one month running !!
 
 It looks like ntpd was the entry daemon connected to other than ntp site
 but I'm not sure.
 I am not sure at all about this, maybe one has changed the daemon.
 After I checked the adresses that this daemon connected to, they were
 very strange as webservers content (blogs, default page 'It works' and
 so one ... I guess ntp servers shall not act like this).
 
 Please find enclosed the ntpd server md5 print, one could check
 if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ?
 md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 :
 a0c8961d5818b438ecbfd6c40be47a5f
 
 Thanks for your kind help.
 
 

Thank you for helping me finish an arduous week with a hearty laugh! 
ROTFL



Re: Find - Sillyness

2009-01-22 Thread System Administrator
On 22 Jan 2009 at 14:54, Morris, Roy wrote:

 I know this is more of a general 'huh' kind of thing, but I figured someone
 could kick start my brain for me. Anyone know why this doesn't work? It
 appears to find the files ok but the -exec part thinks it can't?
 
 
 spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
 find: echo ./daemon.2.gz: No such file or directory
 find: echo ./daemon.1.gz: No such file or directory
 find: echo ./daemon.5.gz: No such file or directory
 find: echo ./daemon.4.gz: No such file or directory
 find: echo ./daemon.3.gz: No such file or directory
 find: echo ./daemon.0.gz: No such file or directory
 
 

By specifying "echo {}" -- i.e. putting both `words' in the same set of 
quotes -- you made it a single token as far as the find command is 
concerned, which is what it passes to the exec call.
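
An added example, not from the thread, that makes the tokenization visible: a scratch directory of constructed daemon.N.gz files is searched with both spellings of -exec, and the number of paths each variant actually echoed is counted.

```sh
#!/bin/sh
# Added example: why -exec "echo {}" fails.  find(1) hands each -exec word
# to execvp(3) as one argv element, so a quoted "echo {}" becomes
# argv[0] = "echo ./daemon.2.gz", and there is no such program.  The
# function builds a scratch directory of constructed log files and counts
# how many paths each variant actually echoed.
#
#   find_exec_demo  -> prints "BROKEN FIXED" counts, e.g. "0 3"
find_exec_demo() {
    d=$(mktemp -d) || return 2
    for i in 0 1 2; do : > "$d/daemon.$i.gz"; done
    : > "$d/messages"                      # must not match the -name pattern

    # Wrong: one argument "echo {}"; find reports "No such file or directory"
    # on stderr for every match and nothing reaches stdout.
    broken=$(find "$d" -name 'daemon.*.gz' -exec "echo {}" \; 2>/dev/null | wc -l | tr -d ' ')

    # Right: echo and {} are separate argv elements.  (Use "{} +" instead of
    # "\;" to batch many paths into one invocation.)
    fixed=$(find "$d" -name 'daemon.*.gz' -exec echo {} \; | wc -l | tr -d ' ')

    rm -rf "$d"
    printf '%s %s\n' "$broken" "$fixed"
}

find_exec_demo
```

The same argv boundary is what keeps `-exec` from being a shell injection vector: find never runs a shell, so quoting only matters for the shell you typed the command into.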



(Fwd) Re: RESUBMIT: sysutils/apcupsd

2009-01-08 Thread System Administrator
missed the list when replying...

--- Forwarded message follows ---

On 7 Jan 2009 at 21:59, Toni Mueller wrote:

 
 Hi,
 
 On Sat, 03.01.2009 at 20:51:40 +0300, Kirill S. Bychkov ya...@linklevel.net 
 wrote:
  This is a resubmit of apcupsd port.
  Any comments/oks?
 
 I have no comment on the port, just a question: What would be the
 advantage of using apcupsd in favour of nut?
 

Better compatibility and smoother integration and management in 
heterogeneous (as far as OS's are concerned) environments. I find that 
some linux distros bundle an up-to-date apcupsd but nut is out of date 
or not available as a binary package. Things are even bleaker on the 
Windows side -- WinNUT is client only and older version at that. And 
although the two utilities have a very similar comm protocol, neither 
has made an effort to verify and ensure true compatibility.

 
 Kind regards,
 --Toni++
 
 

--- End of forwarded message ---



Re: help with pf and transparent squid

2008-12-26 Thread System Administrator
What you are attempting is known as asymmetric routing. An extensive 
search of the archives will show that it has been discussed a number of 
times, and the configuration you are attempting _can_ be made to work. 
However, to get it working [properly] requires fairly advanced 
routing and pf know-how and is most likely not the desired solution. 
Here is a hint to a simpler life: to avoid asymmetric routing make sure 
that all your redirect (rdr) rules fully traverse the firewall, i.e. the 
source and destination are connected to different interfaces. In your 
case that would mean that the squid proxy should either run on the 
firewall or reside outside the firewall (and each of these solutions 
has its own advantages).


On 26 Dec 2008 at 16:40, fRANz wrote:

 Hi.
 
 I've some trouble with this configuration:
 
 LAN -- fw (openbsd 4.4) -- adsl router
 
 LAN: 192.168.100.0/24
 fw int int: sis1
 fw int ind: 192.168.100.2
 fw ext int: sis0
 fw ext ind: 10.0.0.2
 router int ind: 10.0.0.1
 
 I try to configure pf to redirect all web traffic from internal lan to
 an internal squid server (192.168.100.8) but rdr doesn't work.
 Now clients work _without_ proxy; when I enable this rule:
 
 rdr pass on $int_if inet proto tcp from any to port www -> 192.168.100.8 port 3128
 
 no one can navigate.
 If I manually config browser to use squid as proxy, everything goes
 fine (so squid is active and functional).
 What's the trouble in this config?!
 Regards,
 -f
 
 #pf.conf
 
 # macros ###
 
 ext_if = "sis0"
 int_if = "sis1"
 
 out_tcp = "{25, 53, 80, 110, 443}"
 out_udp = "{53}"
 
 table <class1> { 192.168.100.1/32, 192.168.100.2/32, 192.168.100.4/32, 192.168.100.5/32, 192.168.100.6/32, 192.168.100.7/32, 192.168.100.8/32, 192.168.100.250/32 }
 table <class2> { 192.168.100.50/32, 192.168.100.51/32, 192.168.100.52/32, 192.168.100.53/32 }
 table <class3> { 192.168.100.3/32, 192.168.100.100/32, 192.168.100.230/32 }
 
 
 # options ##
 
 set block-policy return
 set skip on lo0
 scrub in
 
 
 # nat ##
 
 nat on $ext_if from !($ext_if) to any -> ($ext_if)
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 rdr on $int_if inet proto tcp from any to port ftp -> 127.0.0.1 port 8021
 #rdr pass on $int_if inet proto tcp from any to port www -> 192.168.100.8 port 3128
 rdr on $int_if inet proto tcp from any to 192.168.100.251/32 port 8080 -> 10.0.0.1 port 80
 
 
 # filter ###
 
 anchor "ftp-proxy/*"
 antispoof quick for { lo $int_if }
 
 block in all
 pass in on $int_if proto icmp all keep state
 pass in on $int_if proto tcp from any to 192.168.100.8 port 3128 keep state
 pass in on $int_if proto {tcp, udp} from <class1> to any keep state
 pass in on $int_if proto {tcp, udp} from <class3> to any keep state
 pass in on $int_if proto tcp from <class2> to any port $out_tcp keep state
 pass in on $int_if proto udp from <class2> to any port $out_udp keep state
 pass out keep state
 
 

-
System Administrator                ad...@bitwise.net
Bitwise Internet Technologies, Inc.
22 Drydock Avenue                   tel: (617) 737-1837
Boston, MA 02210                    fax: (617) 439-4941



Re: help with pf and transparent squid

2008-12-26 Thread System Administrator
On 27 Dec 2008 at 1:02, fRANz wrote:

 On Fri, Dec 26, 2008 at 7:50 PM, System Administrator ad...@bitwise.net 
 wrote:
 
  Here is a hint to a simpler life: to avoid asymmetric routing make sure
  that all your redirect (rdr) rules fully traverse the firewall, i.e. the
  source and destination are connected to different interfaces. In your
  case that would mean that the squid proxy should either run on the
  firewall or reside outside the firewall (and each of these solutions
  has its own advantages).
 
 can move squid in dmz solve the trouble?

Yes it should.

 -f
 

-
System Administrator                ad...@bitwise.net
Bitwise Internet Technologies, Inc.
22 Drydock Avenue                   tel: (617) 737-1837
Boston, MA 02210                    fax: (617) 439-4941



Re: AuthPF removing all the states created from an IP

2008-12-23 Thread System Administrator
This list tends to favor those who do at least some basic homework 
before asking redundant questions. Had you read the authpf man page or 
searched the list archives, you would have certainly realized that what 
you are describing is EXACTLY the intended behavior, in other words, 
your system is working exactly as it was designed.

Regarding your follow-up question: OpenBSD pf is a very powerful 
firewall sub-system and supports a number of viable work-arounds to 
accomplish what you want. However, unless you are offering to pay 
market-rate consulting fees, do not expect anyone on this list to do 
your research for you.


On 23 Dec 2008 at 8:12, Derek wrote:

 Hello,
 
 Seeing that nobody is answering to the question below I'd add: Is there
 anybody who uses authpf in the same scenario? Does it behave like in my
 case? Any suggestion to keep the states for the user after he/she closes the
 session?
 
 Thank you.
 
 On Wed, Dec 17, 2008 at 1:46 PM, Derek derekmail...@gmail.com wrote:
 
  Hi list,
 
  I'm using authpf to allow external users to access to certain restricted
  services within our network. This network hosts public services as well,
  this is services which are open to all internet.
 
  The thing is that after some tests I realized that a client who has an
  authpf session opened and uses both the authpf-protected service and the
  public service gets disconnected from all services when he/she closes the
  authpf session.
 
  Looking a little bit closer I can see that all the states created by an IP
  address are removed when the user from that IP closes the authpf session, so
  the states created by the authpf rules but also the ones created by the
  regular pf.conf rules disappear from the table.
 
  I guess that this is because there is only one state table and it could be
  difficult to know which states are generated by which rules.
 
  The question is, is there any plan to label or mark the states so will be
  possible in the future for the non-authpf states to survive the authpf
  session?
 
  Thank you all.
 
  Derek.



Re: bash for root?

2008-12-02 Thread System Administrator
On 2 Dec 2008 at 14:33, Juan Miscaro wrote:

 2008/12/2 Daniel Ouellet [EMAIL PROTECTED]:
  Juan Miscaro wrote:
 
  2008/12/2 Tony Abernethy [EMAIL PROTECTED]:
 
  Juan Miscaro wrote:
 
  I turn off those annoying checks and I use the same password.
   Works great.
 
  /juan
 
  ... until it doesn't.
 
  Got anything to back that up?
 
 
  I remember one specially where a user had to drive about 200 miles...
 ...He forget that bash wasn't compile statically and needed library...
 
 Stop.
 
 Install bash statically linked.  That's all.

You are missing a very important point that Chris Linn has alluded to: 
no two shells are exactly alike and sooner or later a script written 
for one will blow up in another. And since OpenBSD comes with and 
reasonably assumes that /bin/sh is the Korn shell, all system (i.e. 
root) scripts are written accordingly. The converse is also a likely 
problem -- you install bash as root shell and start installing bash-
specific scripts critical for system operation. Then during an upgrade 
bash is no longer available or is no longer statically compiled 
(remember bash in packages is dynamic and you have to upgrade the base 
OS before you can custom build your bastardized port...)

The long and the short of it has been repeated here many times:

leave the root shell alone


 
 /juan



dhclient regression? 4.3 - 4.4

2008-11-30 Thread System Administrator
I have an i386 box that used to be running 4.3-stable and was recently 
upgraded to 4.4 using a CD and following the instructions. Everything 
seemed to be working fine including rum wireless in its primary 
location. However, a previously working configuration in an alternate 
location now results in the following log entries:

DHCPDISCOVER on rum0 to 255.255.255.255 port 67 interval 1
DHCPDISCOVER on rum0 to 255.255.255.255 port 67 interval 2
...
No DHCPOFFERS received.
No working leases in persistent database - sleeping.

The two configuration files are shown below. The only significant 
difference is in how the alternate location uses a non-zero key index.

working hostname.rum0 (in primary location):
dhcp nwid HOME nwkey HomeWEPString

no-longer working hostname.rum0:
dhcp nwid WIFI nwkey 2:,SomeKeyString,,

The box is a P-III class running GENERIC kernel. I did not include a 
dmesg because currently it lacks connectivity (the very reason for the 
posting) and the above information was hand-typed. However, if it does 
become really important, I will find a way to transfer the dmesg and/or 
output of any other command as requested.

All input greatly appreciated,

-Jacob.



Re: question about useradd command on 4.4

2008-11-16 Thread System Administrator
On 16 Nov 2008 at 10:55, Don Jackson wrote:

 My system installation script (similar to install.site, run right after
 the system was installed, and before first boot) attempts to configure a
 user account using something pretty much like this:
 
 /usr/sbin/useradd -mv -b /home -c name of user -u 2002 -g wheel -s
 /bin/ksh -p 'encrypted-password' foo
 
 When I did this, it created the user, but did not add the user to the
 group wheel.
 
 Based on the man page, I was expecting the -g option to do so:
 
  useradd -D [-b base-dir] [-e expiry-time] [-f inactive-time]
  [-g gid | name | =uid] [-k skel-dir] [-L login-class]
  [-r low..high] [-s shell]
  useradd [-mov] [-b base-dir] [-c comment] [-d home-dir] [-e
 expiry-time]
  [-f inactive-time] [-G secondary-group[,group,...]]
  [-g gid | name | =uid] [-k skel-dir] [-L login-class]
  [-p password] [-r low..high] [-s shell] [-u uid] user
 
  -g gid | groupname | =uid
  sets the default group for new users.
 
 But it didn't, the user was created with gid 0.
 
 When I changed the above command to use -G instead of -g, it worked. 
 Why?

Because the -g option sets the user's primary gid and wheel=0, whereas 
-G adds supplemental groups, which manifests in the group file as having 
the user added to the group.

  Am I just not understanding the documentation for useradd?

Yes ;-)
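
A worked illustration of the distinction drawn above, added here as an example that is not part of the thread. It derives a user's group membership the way id(1) does, from constructed passwd(5) and group(5) samples (the users, uids and gids are made up): "foo" stands for a user created with `useradd -g wheel` (gid 0 in the passwd entry, nothing in wheel's member list) and "bar" for one created with `useradd -G wheel` (own primary group, name appended to wheel's member list). Both end up in wheel; only -G leaves a trace in the group file.

```python
"""Constructed example: primary vs. supplementary group membership.

The sample files below are made up.  'foo' mimics "useradd -g wheel"
(passwd gid field is 0, wheel's member list does not name it);
'bar' mimics "useradd -G wheel" (own primary group, listed in wheel).
"""

# Constructed /etc/passwd content (7-field passwd(5) format).
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
foo:*:2002:0:name of user:/home/foo:/bin/ksh
bar:*:2003:2003:other user:/home/bar:/bin/ksh
"""

# Constructed /etc/group content (group(5) format).
GROUP = """\
wheel:*:0:root,bar
bar:*:2003:
"""


def parse_passwd(text):
    """Return {login: (uid, primary_gid)} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        login, _pw, uid, gid, *_rest = line.split(":")
        users[login] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Return {gid: (name, set_of_member_logins)} from group(5)-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def groups_of(login, passwd_text=PASSWD, group_text=GROUP):
    """Sorted names of every group `login` belongs to, as id(1) reports.

    Membership comes from two independent places: the gid field of the
    passwd entry (primary group, what -g sets) and the member lists in
    the group file (supplementary groups, what -G appends to).
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    _uid, gid = users[login]
    names = set()
    # Primary group: the passwd gid field alone makes the user a member.
    if gid in groups:
        names.add(groups[gid][0])
    # Supplementary groups: only the group file's member list counts.
    for _gid, (name, members) in groups.items():
        if login in members:
            names.add(name)
    return sorted(names)


def listed_in_group_file(login, group_name, group_text=GROUP):
    """True only when the group's member list names the login.

    This is the trace that -G leaves in /etc/group and -g does not,
    which is why a user created with -g wheel looks 'not added' there.
    """
    for _gid, (name, members) in parse_group(group_text).items():
        if name == group_name:
            return login in members
    return False


if __name__ == "__main__":
    for who in ("foo", "bar"):
        print(who, "groups:", " ".join(groups_of(who)),
              "| named in wheel's member list:",
              listed_in_group_file(who, "wheel"))
```

Running it shows both users as members of wheel, while only "bar" appears in wheel's member list; checking /etc/group alone therefore says nothing about what -g did.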



Re: In a bit of a pickle with ral0

2008-11-14 Thread System Administrator
On 14 Nov 2008 at 1:18, STeve Andre' wrote:

 On Thursday 13 November 2008 19:54:55 Juan Miscaro wrote:
  I'm providing wireless internet access for a small building with
  OpenBSD 4.3 (some snapshot) as access point.  I'm using the ral
  driver.  I regularly need to bring down and then back up the interface
  with ifconfig.  Is this normal?  Is there anything I can do short of
  replacing the card?  As an aside, I'm pondering going wired but
  plugging into a wireless bridge.  Any recommendations on models?
 
  ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:18:f8:28:b9:f4
  groups: wlan
  media: IEEE802.11 DS11 mode 11b hostap (autoselect mode 11b
  hostap) status: active ieee80211: nwid MYNETWORK chan 11 bssid
  00:18:f8:28:b9:f4 100dBm inet6 fe80::218:f8ff:fe28:b9f4%ral0
  prefixlen 64 scopeid 0x1 inet 192.168.1.1 netmask 0xff00
  broadcast 192.168.1.255
 
  Thanks for listening,
 
  /juan
 
 I had a random ral USB device on a T60p ThinkPad, which was rock stable,
 so if you're having to reset things, I'd try another card.  I'd also try
 another newer snapshot.
 
 --STeve Andre'
 

Actually, I have observed a similar problem (regular freezups and 
crashes) with multiple ral devices (Belkin/Asus/no-name) on OpenBSD 4.3 
-stable system. The big gotcha in my case, and main difference from 
STeve, is that the system was a PIII with USB 1.1 only. Interestingly, 
I have not [yet] had any problems since upgrading to 4.4-stable. YMMV.



Re: In a bit of a pickle with ral0

2008-11-14 Thread System Administrator
On 14 Nov 2008 at 21:50, Stuart Henderson wrote:

 On 2008-11-14, STeve Andre' [EMAIL PROTECTED] wrote:
  On Thursday 13 November 2008 19:54:55 Juan Miscaro wrote:
  I'm providing wireless internet access for a small building with
  OpenBSD 4.3 (some snapshot) as access point.  I'm using the ral
  driver.  I regularly need to bring down and then back up the
  interface with ifconfig.  Is this normal?  Is there anything I can do
  short of replacing the card?  As an aside, I'm pondering going wired
  but plugging into a wireless bridge.  Any recommendations on models?
 
  ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:18:f8:28:b9:f4
  groups: wlan
  media: IEEE802.11 DS11 mode 11b hostap (autoselect mode 11b
  hostap) status: active ieee80211: nwid MYNETWORK chan 11
  bssid 00:18:f8:28:b9:f4 100dBm inet6
  fe80::218:f8ff:fe28:b9f4%ral0 prefixlen 64 scopeid 0x1 inet
  192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
 
  Thanks for listening,
 
  /juan
 
  I had a random ral USB device on a T60p ThinkPad, which was rock
  stable,
 
 ural is different to ral, and there are also differences between the
 various chips (RT2560, RT2860 etc).

on closer examination, mine are rum...
 
 also hostap is a different case to using it as a client..

that makes sense, but to what extent are they different? (especially if 
the symptoms appear very similar)



(Fwd) Re: pf-altq-bandwith_problem

2008-05-18 Thread System Administrator
sorry, missed misc@ when replying...

On 18 May 2008 at 19:16, Jesus Sanchez wrote:

 Martin Gignac wrote:
  I will try, thanks for the info. Just to make sure I'm not dealing
  with a bug can anyone try this??... just set a global limit to a
  interface ($int_if), then do a ftp transfer to the gateway ( the
  one with the PF+ALTQ) and time the put and get transfers with a
  large file.
 
  When I get a download time of 3 minutes, the upload is of 10 
  seconds... :s
 
  Hi,
 
  Just a shot in the dark here. Maybe I totally misunderstood your
  sentence:
 
When I get a download time of 3 minutes, the upload is of 10
seconds...
 
  Did you mean:
 
_While_ I get a download time of 3 minutes, the upload is of 10
seconds...
 
  If that's what you meant, isn't that behavior normal? Considering
  that (as the PF user's guide puts it):
 
Note that queueing is only useful for packets in
the outbound direction. Once a packet arrives on an interface in
the inbound direction it's already too late to queue it -- it's
already consumed network bandwidth to get to the interface that
just received it.
 
  Sorry if my question is beside the point! :o)
  -Martin
 
 Maybe you're right with the PF user's guide, anyway let me explain better
 to avoid confusion:
 
 [Joe PC] -- [OpenBSD box] -- Internet,
 
 let's take away the internet, only the Joe - box thing is the matter.
 
 OpenBSD is doing nat as explained on my pf.conf in the original post
 of this thread.  The OpenBSD box also acts as FTP server, but I want
 a limit of 100Kbs (symmetrical 100Kbs) speaking of bits, and not bytes.
  So I do the needed rules on pf.conf to make Joe get only 100Kbs of
 the interface in OpenBSD box serving Joe PC.
 
 If, from Joe PC, I get a file by ftp from the OpenBSD box, I get
 exactly what I want, the 100Kb limit. (at the same time I'm not doing
 anything with the net, like browsing or getting mail...)
 
 If, from Joe PC, I put a file by ftp to OpenBSD box, then the problem
 appears, and the speed goes up by a factor of 40x. If I change the
 bandwidth value on altq rule of pf.conf, then the speed of putting a file
 on OpenBSD box also changes, but is 40 times more speed. I mean, I
 want symmetrical 100Kbs limit on the interface to Joe PC, can I have
 this setting?

Not easily. As Martin pointed out, pf can only control outbound 
bandwidth, i.e. from the OpenBSD box out to Joe and not the other way
around. So any control applied to the opposite direction is indirect.
That is, you can slow down most TCP protocols (such as FTP) by slowing
down the ACKnowledgements of the received packets. But of course the ACK
packets do not use nearly as much bandwidth as the data packets they are
acknowledging. The 40x ratio you have observed sounds quite reasonable
given header overheads. So, if you want to try to control Joe's upload
bandwidth you will need to set up a special very slow queue for the FTP
ACK packets.

 
 I hope not to be making noise in the mail list.
 
 Thanks for your time.
  -Jesus
 
 


--- End of forwarded message ---
-
System Administrator[EMAIL PROTECTED]
Bitwise Internet Technologies, Inc.
22 Drydock Avenue tel: (617) 737-1837
Boston, MA 02210  fax: (617) 439-4941
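
The ACK-queue approach described in the reply above, as an added pf.conf sketch that is not from the thread or from Jesus's original pf.conf. It uses the OpenBSD 4.x-era ALTQ syntax of the time; the interface name, Joe's address and the passive-mode port range are assumptions and must be matched to the real setup. The point it shows is that the same two-queue assignment gives the download direction a real 100Kb cap (data segments leave the box on ftp_data) while the upload direction is only starved indirectly (the empty ACKs the box returns leave on ftp_ack).

```pf
# Constructed example, not the original poster's configuration.
int_if = "fxp0"          # assumed: interface facing Joe's PC
joe_pc = "192.168.1.10"  # assumed: Joe's address

# Three queues on the LAN-facing interface.  Outbound only: pf cannot
# shape what arrives on $int_if, so Joe's uploads are reached through
# the ACKs the box sends back.
altq on $int_if cbq bandwidth 100Mb queue { std, ftp_data, ftp_ack }
queue std      bandwidth 99% cbq(default)
queue ftp_data bandwidth 100Kb    # data the box sends to Joe (his downloads)
queue ftp_ack  bandwidth 4Kb      # pure ACKs for segments Joe uploads

# With two queues in parentheses, packets with TOS lowdelay and TCP ACKs
# carrying no payload go to the second queue, everything else to the first.
# The queue is stored in the state, so the box's replies to Joe on $int_if
# are shaped even though the connection was initiated inbound.
pass in on $int_if proto tcp from $joe_pc to $int_if port 21 \
    flags S/SA keep state queue (ftp_data, ftp_ack)

# Passive-mode data connections: range assumed, set it to whatever the
# FTP server on the box is configured to hand out.
pass in on $int_if proto tcp from $joe_pc to $int_if port 49152:65535 \
    flags S/SA keep state queue (ftp_data, ftp_ack)
```

Note what this does and does not promise: the 4Kb ACK queue throttles Joe's upload by delaying acknowledgements, so the achieved rate depends on the sender's TCP behaviour (window size, delayed ACKs) rather than being a hard cap the way ftp_data is for the download; the exact figure has to be tuned by measurement, which is exactly the "indirect" control the reply describes.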



Re: Would OpenBSD and Squid be considered a Proxy Firewall?

2008-03-23 Thread System Administrator
On 23 Mar 2008 at 7:58, Ed Flecko wrote:

 The book is called Counter Hack Reloaded: A Step-by-Step Guide to
 Computer Attacks and Effective Defenses (2nd Edition) -
 http://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=pd_bbs_1?ie=UTF8&s=books&qid=1206284032&sr=8-1
 
 The author makes several references to proxy firewalls and implies
 they are more secure than traditional firewalls because they ignore
 typical reconnaissance, probing attempts like nmap, etc. because they
 function at the application layer.

Assuming you have correctly understood the author's intent, then he is 
completely wrong. There is no difference in the abilities of either 
proxy or packet-filtering firewalls to block probing (reconnaissance) 
attempts. In fact, it is much much easier to configure a stealthy (or 
invisible) firewall with a powerful packet filtering engine like 
OpenBSD's pf.

The main argument about proxy firewalls being more secure focuses on 
the ease of configuration, or more specifically on the fact that it is 
fairly easy for a novice to mis-configure a packet-filter wide open, 
whereas a well designed application gateway will preclude such a 
faux-pas.

The second half of the same argument has to do with content analysis -- 
application gateways (proxies) by definition operate at the application 
layer and have an inherent ability to analyze the application specific 
data content and react accordingly, including extensive data re-writing 
and manipulation. A properly designed packet filter operates only on 
TCP/IP headers and is oblivious of the payload (data content). This is 
the reason OpenBSD's pf(4) requires the support of ftp-proxy(8) to 
allow FTP data transfers across the firewall. For a thorough discussion 
of this issue (payload manipulation on the firewall) please check the 
list archives -- there have been a number of excellent threads recently.

If you've come from the Linux world or have looked at some Linux-based 
commercial firewalls, you have probably seen the term deep packet 
inspection. That is an ugly hack whereby the packet filter uses 
various special cases to examine the payload of the packets passing the 
firewall. While at first glance this approach seems to provide more 
control than generic packet header filtering, it still falls way short 
of the capabilities and reliability of a true proxy -- after all, it 
still operates on individual packets and will miss many things due to 
normal or malicious fragmentation.

So, to bring it back to your original question, a typical SOHO OpenBSD 
firewall is a packet filtering firewall even with a Squid Cache 
running. After all, which part of the firewall actually implements the 
security policy and handles the traffic control?

BTW, even if you were to add some application gateways to your OpenBSD 
firewall, you would only have a hybrid firewall, i.e. one that 
combines the features and functionality of both packet filtering and 
proxying. The classic, or true proxy firewall turns IP forwarding off 
and requires that any traffic crossing the firewall use a dedicated 
proxy. Such firewalls are never transparent -- the client computers 
always make their connections to the firewall itself regardless of what 
the ultimate destination may be. Moreover, because they require a 
specialized application (the proxy) for every type of communication 
that is to be supported across the firewall, they are typically very 
expensive -- too many development hours for a share of a relatively 
small market of deep-pocketed customers ;-)

 
 Ed
 
 On Sat, Mar 22, 2008 at 7:38 AM, Lars Noodin [EMAIL PROTECTED] wrote:
  Ed Flecko wrote:
   I'm reading a book on network security and it mentions proxy
   firewalls ... are there other proxy firewalls the
   author is referring to?
 
   Which book?  Title, author, ISBN would help.  Or send a link to a
   review.
 
   As a matter of curiosity, has anyone run an nmap scan against an
   OpenBSD box with Squid? What did the scan results indicate?
 
   The results depend entirely on how you have Squid set up and how PF is
   configured.
 
   Regards,
   -Lars
 
 




Re: [OT] Pursuing Management to adopt OpenBSD

2008-03-20 Thread System Administrator
On 20 Mar 2008 at 20:33, Richard Daemon wrote:

 On Thu, Mar 20, 2008 at 5:50 PM, Chris [EMAIL PROTECTED] wrote:
   I've been trying (rather unsuccessfully) to convince various clients and
   employers to adopt OpenBSD. Most people, I find, are resistant to
   change and would not use anything they are not familiar with. Others
   would say that if I leave the job, it would be hard to find people who
   can use (or even heard of) OpenBSD and in some places Management never
   heard of OpenBSD and have very little clue as to how good or bad it is
   compared to Linux/ Solaris and Windows thus they will just knock off
   the proposal in 2 seconds.
 
   Is there any way I could convince these people to make the move to
   OpenBSD? Suggestions, tips and tricks along with real life examples
   would be much appreciated. Thanks.
 
 
 I'm in the same boat... Wondering the same things and looking for ways
 as well, especially with the clueless IT manager types that have only
 heard of Linux or Solaris at most.
 
 Now if only someone could write a book on how to sell free, OSS
 solutions like this (with a lot of focus on OpenBSD) I would be one of
 the first to pre-order it!
 
 
 

There is no magic to selling OSS or for that matter, any kind of 
solution. Only two things ever sell. The first, easiest, default sale 
is brand name -- can anyone provide a _technical_ reason for any 
company to buy the over-priced AND under-powered CISCO iron? (and the 
older folks will remember the saying no-one ever got fired for buying 
IBM which finally died in the eighties.) There is a silver lining here 
for the successful consultant (whether outside or in-house expert) -- 
you make the sale by BECOMING the brand name, i.e. once you are 
accepted as THE expert, ANY solution you propose will sail.

The second sale is that of opportunity and was described earlier on 
this thread by Gerardo Santana -- in certain engagements there is a 
genuine interest in solving a genuine problem, and you are given the 
freedom to choose your own tools (or rope to hang yourself if you over-
reach). If you are successful at picking and solving these engagements, 
you eventually become a recognized expert -- see previous paragraph.




Re: What is our ultimate goal??

2008-02-18 Thread System Administrator
On 18 Feb 2008 at 10:16, Mayuresh Kathe wrote:

 On Feb 18, 2008 7:57 AM, Leonardo Rodrigues [EMAIL PROTECTED] wrote:
   Actually what Ted has done was utterly disastrous, he knows his own
   code well enough to have completed it.
   BTW, you are as big an oaf as Richard Stallman, you keep ranting about
   how you've put in your blood, sweat and tears, but forget to
   understand the point that without us users you are nothing.
 
  Wow...
  People should inform themselves instead of writing things like that.
  OpenBSD states very clearly that it has a developer culture, and not
  a user one. Just be grateful for the code that you get FOR FREE.
  Also, if you feel that the project helps you, give something back to
  the project (like code or donations) to keep it running, and to keep
  it helping YOU.
  The developers code and share their code not because they want to be
  famous or to receive accolades from the project's users, but because
  they are solving the problems that they have an interest in. They don't
  owe the users anything, instead, they give their code for free to
  whoever might find it useful.
 
  Is it so hard to understand that?

 Leonardo, I've NEVER got any of the code for FREE, I've always paid
 for it by buying CDs, unlike you who might have done an FTP install,
 you're a cheap-skate aren't you.

Mayuresh, do you honestly think that the few dollars you spent on that
CD actually paid for any code, as in code development? Are you naïve, a
fool, or really that arrogant?

It has been pointed out many times on this list, that CD sales do not
even cover the electricity costs to keep the core infrastructure
running. But given the size of those bills, the sales represent an
important subsidy, allowing to literally keep the lights on. And I do
not need auditor's reports to confirm that assertion not because I'm
gullible, but because I know from personal experience of running a
similar business just how true it is. Moreover, I know how much time
and money will be sucked out of the project to generate accounting
reports.

Now, to hopefully put an end to these useless rants, let me rephrase
something the others have tried to explain to you:

You can only expect and demand any level of professional performance
from your _employees_ (or subcontractors), i.e. when you are
specifically and directly responsible for paying their livelihood.
Anything else is a mutually convenient arrangement that _either_ party
is free to terminate at any time. Actually, since slavery and bonded
servitude have been abolished all over the world, even employment is
at will and your employees may and sometimes will quit without
completing _your_ goals.

To use your own example to elaborate: Did Ted ever accept any funding
from you for which he specifically promised any concrete deliverables?
I very much doubt that. Did you make a fundamental business mistake by
undertaking a business venture so reliant on his contribution without
making any effort to assure that his contribution will be completed and
forthcoming in accordance with your business' schedule? Absolutely.
Well, all the rantings against the project, Ted or any other developer,
will not rectify _your_ mistake, nor change the fact that _you_ made
such a critical mistake in _your_ business venture. (Next time you
start building your dream house, make sure you have a complete and
solid foundation.)

 Go buy yourself a CD set, contribute to the OpenBSD foundation, or
 better still, since you are talking about flying pigs, go code up a
 good application in C for OpenBSD or enhance an existing one.

 ~Mayuresh






Re: What is our ultimate goal??

2008-02-17 Thread System Administrator
To the majority on this list -- my apologies if I end up feeding this 
troll instead of making him 'go away'. To the OP -- this is why you got 
absolutely NO answer from the devs. And now for the archives, in the 
hopes that at least some of the future would-be posters will research 
before posting.

First a disclaimer: I am not a developer, but have been using OBSD and 
following this list for many years. I do believe what I am about to say 
is fairly accurate and is definitely more consistent with the subject 
line than some of the incessant whining already taking place.

OpenBSD is an OS developed by very intelligent THINKING people with its 
sole target audience being other THINKING persons. For the thousands 
of lusers too lazy to use an option already made available by the 
native tools -- there are thousands of flavors of Linux, at least one 
of which will do things consistent with your desires. For the totally 
illiterate lusers who cannot even read the docs to find the said option 
-- there is always Windoze whose stated goal is to save the users from 
themselves. Personally, I like the fact that aside from an occasional 
bug, I am in charge of my computer and NOT the other way around. Sure, 
that usually starts with a thinking cap and almost always requires a 
fair ability to read and comprehend the best documentation of any OS 
bar none. (BTW, genuine bugs get addressed in record time and much 
faster than any other OS I know, which is a rather long list.)

And now let's get back to the only real business that we, the users, 
have on this list -- testing and reporting on the features and 
technical innovations that the developers already put in to the 
upcoming release.


On 17 Feb 2008 at 16:22, Zbigniew Baniewski wrote:

 On Sun, Feb 17, 2008 at 10:12:09AM -0500, David Higgs wrote:
 
  Does the -B option to pkg_add do exactly this?  Or YOU could do the
  equivalent and tell ./configure to install to a different base
  directory.  This doesn't need any funding either.
 
 And did I ask for any funding? When?
 
 Of course, that I can - and thousands of other users are able to either -
 play with ./configure switches before compilation of every non-ported
 package. I would just like to point out that _one single change_ can save
 the time of those thousands of people. Instead of playing with ./configure
 switches - they could be busy... porting software to OpenBSD, for example.
 -- 
   pozdrawiam / regards
 
   Zbigniew Baniewski
 
 
 




need some help with base httpd

2008-02-17 Thread System Administrator
After spending the weekend testing this every which way and searching 
the net and archives to no avail, I need a few more eyes to help 
determine whether this is a bug, a feature, or some minor stupidity on 
my part...

First the environment:

OpenBSD 4.2-stable (GENERIC) #1: Fri Feb  1 02:28:33 EST 2008

 - kernel patched and rebuilt by meticulously following the FAQ on 
performing CVS patch-branch update and rebuild.

 - using base httpd with no additional packages.

Now, the problem:

I need to secure a few distinct directories on this server, and to 
simplify config file maintenance decided to put the common directives 
into a file to be 'Include'd - reproduced further below. Here is an 
example of such an 'Include' in the main httpd.conf:
<Directory /var/www/cgi-bin>
AllowOverride None
Options None
Include conf/admins.conf
</Directory>

conf/admins.conf:

# May use password auth
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile conf/passwords
Require valid-user

# Or must come from known IP
Order allow,deny

# Special address
Allow from a.b.c.d

# Internal LAN
Allow from 192.168.1.0/24

# Bitwise NOC
Allow from 204.97.222.0/26

# Remote site 1
Allow from x.y.z.w/28

# Remote site 2
Allow from j.k.l.m/29

# Either/Or is okay
Satisfy any

Notes:
 1) there is a blank line at the top and the bottom of the file.
 2) remote addresses are obfuscated, rest of file is shown intact.

Running 'apachectl configtest' generates the following error:
root:18# apachectl configtest
Syntax error on line 3 of /var/www/conf/admins.conf:
AuthType not allowed here

My dilemma is that actually including the directives instead of using 
the 'Include' above works perfectly as expected. I even tried 
transferring only some of the directives from the include file into the 
main httpd.conf, and invariably configtest complains about the very 
first active directive in the include file.

Every clue is welcome,

-Jacob.




Re: 3ware Escalade 7210 (3w7210) supported in OpenBSD?

2007-12-26 Thread System Administrator
To quote the regular contributors on this mailing list:

check the fine list archives
(e.g. http://marc.info/?l=openbsd-misc&r=1&w=2)

And the condensed summary of the discussions is:

OpenBSD _recognizes_ the 3ware Escalade (6x00, 7xx0) series of 
controllers, but for all practical purposes you will NOT get the 
benefits normally associated with RAID. So the only circumstances I 
would use one of these today is if I have to recover from an existing 
controller hardware failure and for whatever reason I cannot (or do not 
want to) rebuild the system. 7210 will successfully replace a 6500 when 
used with a mirrored pair of drives, but even then you will lose 
functionality -- the 6500 does rebuilds in firmware, whereas all 
(except _maybe_ the very old) 7000 series controllers do it in the host 
driver binary blob which is NOT available on OpenBSD.

On 26 Dec 2007 at 18:05, Matthias Tarasiewicz wrote:

 i have to replace a 3ware 6500 ata-pci card and since i could get a 
 3ware Escalade 7210 quite cheap i was wondering, if that card is  
 compatible with openbsd? - the hardware compatibility site for openbsd
 says 3W-7x00 - anyone has the 7210 running with openbsd or knows if 
 it will work?
 
 thanks,
 matthias
 
 




Re: Support for 3ware 3W 8x00 (8006-2LP) in 4.2

2007-11-16 Thread System Administrator
On 16 Nov 2007 at 16:36, Pawel Veselov wrote:

 Hi,
 
 I was wondering if the 3ware 8006-2LP is supported in 4.2.
 The http://www.openbsd.org/i386.html page only lists 5x00, 6x00 and 7x00
 as supported devices, but the man page says that 8000 is supported as
 well.
 
 (just trying to find a cheap SATA hardware raid card...)
 
 Thanks !
   Pawel.
 
 

Executive summary: Find another card or use soft-raid.

The long answer:

The redundancy provided by a RAID set is merely a stop-gap measure -- 
it allows you to avoid a hard crash and perform the necessary maintenance 
on your terms (i.e. when it is more convenient). It is not a panacea 
against disk failure, which almost inevitably will eventually occur 
given heavy enough usage and/or harsh environmental conditions. 
Therefore, the health monitoring and any live maintenance capabilities 
provided by the card are probably its most important features. 
Unfortunately, due to the pigheadedness of 3ware's marketing team, neither of 
these capabilities is available to OSS -- they exist strictly in the form 
of binary blobs for a very few platforms. Moreover, certain critical 
RAID functionality (e.g. background rebuild) has been moved from the 
card firmware and into the binary blob. Therefore, using one of these 
cards in a server you are flying TOTALLY BLIND. (BTW, even on their 
supported platforms they leave a lot to be desired: recently I've 
lost critical data during a cold reboot of a long-running server with a 
3ware mirror set, as BOTH drives had developed serious hardware flaws 
that the card did not detect until the full reboot! Apparently they do 
NOT do SMART monitoring of connected drives...)




Re: Finding a ral(4) cardbus card

2007-04-12 Thread System Administrator
On 12 Apr 2007 at 19:33, Luke Eckley wrote:

 I am having a hard time finding a ral(4) cardbus card for my laptop. I
 recently bought a Hawking Tech HWC54G - which happens to be acx(4) -
 thinking I was buying a Hawking Tech HWC54GR (which is listed as
 supported by ral(4)).
 
 Searching ebay.com and pricewatch.com I am only turning up the Belkin
 card. I am a little reluctant to purchase that one since ral(4) states
 that it supports version 2 only - and dealers never seem to know what
 version they are selling and I don't want to take another gamble.

From personal experience I can vouch that Belkin F5D7010 v.3001 is also 
a ral(4) card. Interestingly, according to the official Belkin support 
site, that is also the only version of the card supported under Mac OS 
10.3, which gives you a nifty way to confirm compatibility at purchase.

 Does anyone know of any place that sells a ral(4) supported card?
 Where did everyone get theirs?

I got mine at Circuit City, and these are currently on sale at $34.95. 
Unfortunately, they tend to carry up-to-date inventory which probably 
means the Windows-only version 7xxx (again according to the official Belkin 
support page).

 Thanks,
 Luke Eckley
 http://xifos.org
 
 




Re: Removing chmod world write support and sftp

2007-04-11 Thread System Administrator
On 11 Apr 2007 at 16:33, Joshua Gimer wrote:

 On 4/11/07, Nick ! [EMAIL PROTECTED] wrote:
 
   you're not really
   planning on security by obscurity are you?
 
 
 The wrapper will work because the users that are doing this are doing it
 out of ignorance and not with malicious intentions. If the only thing
 that can be done is to change the sftp code, then I think that I will
 just write a script that will go through and remove o+w from directories
 every hour or so. There are going to only be about 50 users accessing

You'll be amazed how much warez and porn can get uploaded in less than 
an hour ...

 this system and I do not think that putting forth the effort is worth
 it, especially when I still have 11 other systems to setup and configure
 by May 13th. :)
 
 -- 
 Thx
 Joshua Gimer
 
 




Re: monitoring APC UPSes

2007-03-30 Thread System Administrator
On 30 Mar 2007 at 10:21, Aaron Poffenberger wrote:

 I was recently running apcupsd without problem.  Nevertheless I
 switched, recently, to nut [1] because it's so much better.  It has
 excellent APC monitoring.  If your APC is Smart or a Backups Pro model,
 it can control all the exposed functions.  Even cooler, it's called nut
 because it's the Network UPS Tools kit.  If you have more than one
 system plugged into the same UPS, the system monitoring the UPS can let
 other systems know they should shutdown so everything goes down cleanly.
  Lastly, it has a nice scheduler that sends you alerts when the UPS has
 been on battery power for some n period of time and lets you know when
 it's back on the mains.
 
 Use nut.  You'll be happy you did.
 
 Aaron

Actually your information is inaccurate and unfairly biased.

Both NUT and APCUPSd have very similar capabilities for shared UPSes 
and notifying other servers, as well as reporting, graphing, etc. In 
fact, they share a lot of code (pls review the changelogs) and even the 
comm protocol is similar although by default it runs on different 
ports.

The major difference has to do with their development cycles, goals and 
sponsorship. Namely, APCUPSd is totally independent development of UPS 
management code for only one brand of UPS (APC) and with frequent 
releases. In the last 3 years NUT has not been properly updated; its 
original goal was to support as many UPS brands as possible; and in 
recent years it has been sponsored by MGE. (I believe that includes 
full-time employment for the primary developer.) Now, an interesting 
recent development may change this analysis completely -- the fact that 
APC has been acquired by MGE, but only time will tell the story...

 
 [1] Found in ports.  Online documentation at
 http://www.networkupstools.org/compat/.
 
 Thierry Lacoste wrote:
  I'd like to know if it is safe to run apcupsd-3.14.0.
  There are some issues regarding pthreads on OpenBSD
  raised in the apcupsd-3.12.x user's guide but these issues
  are not mentioned anymore in the apcupsd-3.14.x user's guide.
 
  Is it better to use apc-upsd from ports?
  It seems to be a bit old and I could not find any documentation
  on how to configure and use it.
 
  Any recommendations would be much appreciated.
 
  Regards,
  Thierry.
 
 
