Re: Issues with TP-Link UE300

2020-09-27 Thread Torsten
Sorry

Still connected to USB, I looked it up before replying

It looks more like a hardware design issue of the device it is connected to 
plus many other issues related to the “Dongle” itself.

T

From: Joel Carnat  
Sent: 28 September 2020 00:21
To: Torsten 
Cc: misc@openbsd.org
Subject: Re: Issues with TP-Link UE300

Well, this is no wifi device. This is an ethernet dongle.

That particular one:

https://www.tp-link.com/en/home-networking/computer-accessory/ue300/

Sent from my iPad





On 28 Sept. 2020 at 00:55, Torsten <tors...@cnc-london.net> wrote:

Hi
As far as I can tell, WiFi is nominal speed, not designated speed.
Other dominating factors for that would be USB connection type, hardware bus 
connections, motherboard design, direct processor lanes to where

Wifi is what it is, never as good as hard wired 100mb/1000mb or even 10gb 
connections

Best
T 

-Original Message-
From: owner-m...@openbsd.org On Behalf Of Joel Carnat
Sent: 27 September 2020 22:43
To: misc@openbsd.org
Subject: Issues with TP-Link UE300

Hi,

I have plugged a TP-Link UE300 on my ThinkPad X260 running OpenBSD -snapshot 
and it seems I can't get more than 100Mbps.

The dongle attaches and gets an IP address. But the speed seems limited.
Same behaviour when attached to the USB3 port of my APU4D4 (running 6.7).
When plugged in a MacBook Pro (running macOS), it gets Gbps speed.

I have noticed that it gets attached to cdce0; I thought the RTL8153 chipset 
would give me an ure0 device.

Is this expected?
Is there something I can do to get Gbps out of this device?

Thanks for help,
Jo

--
OpenBSD 6.8 (GENERIC.MP) #85: Sun Sep 27 13:39:51 MDT 2020

cdce0 at uhub0 port 15 configuration 2 interface 0 "TP-LINK USB 10/100/1000 
LAN" rev 3.00/30.00 addr 4

# doas usbdevs -v
Controller /dev/usb0:
addr 01: 8086: Intel, xHCI root hub
super speed, self powered, config 1, rev 1.00
driver: uhub0
addr 02: 8087:0a2b Intel, Bluetooth
full speed, self powered, config 1, rev 0.01
driver: ugen0
addr 03: 5986:0706 SunplusIT Inc, Integrated Camera
high speed, power 500 mA, config 1, rev 0.12
driver: uvideo0
addr 04: 2357:0601 TP-LINK, USB 10/100/1000 LAN
super speed, power 64 mA, config 2, rev 30.00, iSerial 0100
driver: cdce0





Re: Issues with TP-Link UE300

2020-09-27 Thread Torsten
Hi
As far as I can tell, WiFi is nominal speed, not designated speed.
Other dominating factors for that would be USB connection type, hardware bus 
connections, motherboard design, direct processor lanes to where

Wifi is what it is, never as good as hard wired 100mb/1000mb or even 10gb 
connections

Best
T 

-Original Message-
From: owner-m...@openbsd.org  On Behalf Of Joel Carnat
Sent: 27 September 2020 22:43
To: misc@openbsd.org
Subject: Issues with TP-Link UE300

Hi,

I have plugged a TP-Link UE300 on my ThinkPad X260 running OpenBSD -snapshot 
and it seems I can't get more than 100Mbps.

The dongle attaches and gets an IP address. But the speed seems limited.
Same behaviour when attached to the USB3 port of my APU4D4 (running 6.7).
When plugged in a MacBook Pro (running macOS), it gets Gbps speed.

I have noticed that it gets attached to cdce0; I thought the RTL8153 chipset 
would give me an ure0 device.

Is this expected?
Is there something I can do to get Gbps out of this device?

Thanks for help,
Jo

--
OpenBSD 6.8 (GENERIC.MP) #85: Sun Sep 27 13:39:51 MDT 2020

cdce0 at uhub0 port 15 configuration 2 interface 0 "TP-LINK USB 10/100/1000 
LAN" rev 3.00/30.00 addr 4

# doas usbdevs -v
Controller /dev/usb0:
addr 01: 8086: Intel, xHCI root hub
 super speed, self powered, config 1, rev 1.00
 driver: uhub0
addr 02: 8087:0a2b Intel, Bluetooth
 full speed, self powered, config 1, rev 0.01
 driver: ugen0
addr 03: 5986:0706 SunplusIT Inc, Integrated Camera
 high speed, power 500 mA, config 1, rev 0.12
 driver: uvideo0
addr 04: 2357:0601 TP-LINK, USB 10/100/1000 LAN
 super speed, power 64 mA, config 2, rev 30.00, iSerial 0100
 driver: cdce0




Re: ideas needed for password management

2020-09-24 Thread Torsten
Hi
You need an smtpd server which is native to BSD and supports auth backends.

Have a look here
https://www.fehcom.de/sqmail/sqmail.html

I use it with dovecot with a mysql auth backend; sqmail basically calls a
dovadmin socket to authenticate, so no need for mysql as long as you can
log in to dovecot pop3 or imap.

T

-Original Message-
From: owner-m...@openbsd.org  On Behalf Of Roderick
Sent: 24 September 2020 14:33
To: Hakan E. Duran 
Cc: misc@openbsd.org
Subject: Re: ideas needed for password management


(1) I would separate login to Email (smtp+imap authentication)
 from any other login (to machine) as many people told you here.

(2) Perhaps write a cgi script? But that needs a lot of care
 due to security.

(3) offer a web mailer that has this service? Prayer webmail has
 this, but it looks very primitive, just calls a program as I
 remember, and seems not to be maintained. Perhaps other webmail has it?

Rod.



On Wed, 23 Sep 2020, Hakan E. Duran wrote:

> Dear all,
>
> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and
> Dovecot. The users will be the Unix users on the VPS for simplicity.
> However, I now have the problem of allowing users to set and modify
> their own passwords (perhaps even their usernames) without giving them ssh
> access to the host. I don't have a technical background or training for this
> type of work; however, I love doing this, so please be gentle with me. The mail
> server is a hobby that is intended for family and a few friends, and is not
> mission critical.
>
> I thought something like Webmin could work for this purpose, but without
> root access of course. However, I am not sure if such a tool exists. Any
> other ideas are welcome.
>
> Thank you so much in advance for your suggestions.
>
> Hakan
>
>




Re: TCP wrapper alternative?

2019-07-09 Thread Torsten
Hi
A much simpler option is D. J. Bernstein's tcpserver in combination with 
daemontools.

I use it for all sorts of things including IP blacklisting into pf's tables.
The packages are in the ports system.

T

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Thomas Smith
Sent: 09 July 2019 19:04
To: misc@openbsd.org
Subject: TCP wrapper alternative?

Hi,

I'm considering an option to evaluate connecting IPs before they're evaluated 
by `pf` in order to make some decisions about the "reputation" of a connecting 
IP. Then if that reputation is low enough, some action could either be taken: 
in `pf` to protect the associated application (say by blocking the connection); 
or in the app responsible for the listening port. 

`pf`, unfortunately, isn't able to make routing decisions based on external 
factors (insofar as I understand)--I'm hoping to add some additional (very 
simple) intelligence to that. Just another metric or two for determining if a 
connection is legitimate.

I've been looking into TCP wrappers for OpenBSD but it seems that this 
functionality was removed in version 5. Is my understanding of that correct?

If so, is there an alternate way to achieve what I mentioned?

I know I can use something like sshguard or fail2ban, but I'm looking for a 
much simpler option and one that preferably doesn't rely on tailing log files 
(if there aren't viable alternatives, I may consider these, however). 

~ Tom




Re: packet loss when > 1000 clients connect

2019-04-16 Thread Torsten
> Check with pfctl -si if you reach a limit

Thanks, will do.

Marc Peters also suggested checking the pf state limit; upon digging into
that I found

  https://serverascode.com/2011/09/12/openbsd-pf-set-limit-states.html

and therefore added

  set limit states 20

to pf.conf.



packet loss when > 1000 clients connect

2019-04-16 Thread Torsten
Hi!

Problem description:
In a customer's network more than 2k clients connect to a server and
perform https requests. When in the morning more and more clients become
active, the number of connections rises until more and more clients fail
to connect to the server. The reason appears to be packet loss.


Question:
Are we hitting system limits or resource exhaustion that we should have
configured higher? Any other idea what to look for?

Thanks in advance!
T.




Findings:
Debugging on the production server is not trivial, so we've done some
tests on the client side first and those showed that when there's an
error, the client sends a tcp SYN but does not receive back a SYN-ACK.





Setup, OS:
We're using Bernstein's daemontools to start a go (golang) based https
server in a chroot running as user www on OpenBSD 6.3.

hardware:
The server runs as a VM on VMware ESXi 6.5. The above mentioned client ran
on the same ESXi server, so there's only one virtual 10GB switch between
the client and the server. The issue has been reproduced when the server
was running on a different virtualisation host.

Network:
To redirect port 443 to the high port that the userspace golang code can
open, we're using pf:

port 443 -> pf -> 8443 -> go-httpd -> 127.0.0.1(Database)

pf.conf:
#[...]
block all
#[...]
# continuation backslash added: pf.conf rules are one per line
pass in proto tcp from any to any port 443 rdr-to 127.0.0.1 port 8443 \
    keep state

Limits:
User www is member of login-class daemon. The ulimits for daemon in
/etc/login.conf were set to

daemon:\
	:ignorenologin:\
	:datasize=infinity:\
	:maxproc=infinity:\
	:openfiles-max=8192:\
	:openfiles-cur=1024:\
	:stacksize-cur=8M:\
	:localcipher=blowfish,a:\
	:tc=default:
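
The reply in this thread says to check with `pfctl -si` whether a limit is being hit, and the post above asks whether system limits or resource exhaustion are to blame. Below is an added example, not code from the thread: a small Python checker that reads the text of `pfctl -si` and `pfctl -sm` (the sample output is constructed, not captured from the server described above) and reports how full the state table is relative to the `set limit states` value from pf.conf. The function names and the 80% warning threshold are the example's own choices.

```python
import re

# Constructed sample in the shape of `pfctl -si` output (not captured from the
# server in the thread): the state table is close to its configured limit.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 12 days 03:14:55          Debug: err

State Table                          Total             Rate
  current entries                     1850
  searches                       123456789          117.1/s
  inserts                          9876543            9.4/s
  removals                         9874693            9.4/s
"""

# Constructed sample in the shape of `pfctl -sm`, which prints the hard limits
# configured with `set limit` in pf.conf (2000 chosen for illustration).
SAMPLE_PFCTL_SM = """\
states        hard limit     2000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   100000
"""

CURRENT_RE = re.compile(r"^\s*current entries\s+(\d+)", re.MULTILINE)
LIMIT_RE = re.compile(r"^states\s+hard limit\s+(\d+)", re.MULTILINE)


def parse_current_entries(si_output: str) -> int:
    """Extract the live state count from `pfctl -si` output."""
    m = CURRENT_RE.search(si_output)
    if m is None:
        raise ValueError("no 'current entries' line in pfctl -si output")
    return int(m.group(1))


def parse_states_limit(sm_output: str) -> int:
    """Extract the `states` hard limit from `pfctl -sm` output."""
    m = LIMIT_RE.search(sm_output)
    if m is None:
        raise ValueError("no 'states hard limit' line in pfctl -sm output")
    return int(m.group(1))


def state_utilization(si_output: str, sm_output: str) -> float:
    """Fraction of the state table currently in use (0.0 .. 1.0)."""
    return parse_current_entries(si_output) / parse_states_limit(sm_output)


def check_state_table(si_output: str, sm_output: str, warn_at: float = 0.8) -> dict:
    """Summarise utilization and flag it when above `warn_at`.

    A full state table means pf cannot create a state for a new connection
    and drops the packet; a client then sees a SYN with no SYN-ACK.
    """
    current = parse_current_entries(si_output)
    limit = parse_states_limit(sm_output)
    util = current / limit
    return {
        "current": current,
        "limit": limit,
        "utilization": util,
        "warning": util >= warn_at,
    }


if __name__ == "__main__":
    print(check_state_table(SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM))
```

On the server the real inputs come from `doas pfctl -si` and `doas pfctl -sm`. Sampling utilization through the morning ramp-up, together with the `inserts` and `removals` rates, shows directly whether the `set limit states` value in pf.conf is the ceiling the clients are hitting.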



Re: blocking openvpn port scanners

2018-12-19 Thread Torsten
Hi Steve


Try adding the below to your pf.conf:

# table name assumed; the angle brackets and name were lost in the archive
table <bruteforce> persist

pass in on $ext_if inet proto tcp from any to $ext_if port 1194 \
    keep state (max-src-conn 10, max-src-conn-rate 30/5, \
    overload <bruteforce> flush global)

T

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Steve 
Fairhead
Sent: 19 December 2018 21:27
To: misc@openbsd.org
Subject: blocking openvpn port scanners

I'm probably missing something obvious. Cluebats invited.

A few OpenBSD servers I look after have OpenVPN server installed (for 
homeworkers' access), which means port 1194 is open. Recently they seem to have 
appeared on some scumbag's "hack this" list, as they're constantly deluged with 
brute-force hack attacks. A snippet from
openvpn.log:

 >>
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS key 
negotiation failed to occur within 60 seconds (check your network 
connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS handshake 
failed
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS key 
negotiation failed to occur within 60 seconds (check your network 
connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS handshake 
failed
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS key 
negotiation failed to occur within 60 seconds (check your network 
connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS handshake 
failed
<<

(IP addresses obscured to protect the sinner - no, wait...)(and logfile 
filtered by "failed".)

For now, I manually log the above IPs and add them to a badhosts file - 
no more access of any kind for you, mwahaha. But it's a lot of work, and 
my logfile is just noise...

I already use pf.conf to protect my ssh port against such attacks 
(rate-limiting). Can I do anything similar with pf for the openvpn port? 
Don't want to block real users if they screw up once or twice... 
although they are few enough that I can be super-aggressive in denying 
access, and sort it out by phone...

Maybe I shouldn't even worry about it, but I'd really like to hit back. 
(See above re "mwahaha".)

Steve
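
Steve's manual workflow (filter the log for "failed", copy the addresses into a badhosts file) can be scripted, and since max-src-conn and max-src-conn-rate in pf only apply to TCP state tracking, a log-driven approach is the one that works for an OpenVPN instance listening on UDP. The following is an added example and not code from either poster: it parses lines in the format of the openvpn.log excerpt above (the sample is constructed, reusing the 185.81.153.117 entries from the post plus a single failure from 198.51.100.7, a documentation-range address), counts TLS handshake failures per source address, and emits `pfctl -t ... -T add` commands for addresses over a threshold. The table name `badhosts` and the threshold of three failures are assumptions.

```python
import re
from collections import Counter

# Matches the failure line as OpenVPN writes it, e.g.
# "Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS handshake failed"
FAIL_RE = re.compile(
    r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d{1,5} "
    r"TLS Error: TLS handshake failed$"
)

# Constructed sample log: the three events from the post for 185.81.153.117,
# plus one failure from 198.51.100.7 standing in for a legitimate user who
# got it wrong once and must not be banned.
SAMPLE_LOG = """\
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS handshake failed
Wed Dec 19 18:31:07 2018 198.51.100.7:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:31:07 2018 198.51.100.7:51234 TLS Error: TLS handshake failed
""".splitlines()


def failed_handshakes_by_ip(lines):
    """Count 'TLS handshake failed' events per source IP.

    Only the 'handshake failed' line is counted: the preceding 'key
    negotiation failed to occur' line reports the same event, so matching
    both would double every count and halve the effective threshold.
    """
    counts = Counter()
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(lines, threshold=3):
    """Addresses with at least `threshold` failures (threshold is assumed)."""
    return sorted(
        ip for ip, n in failed_handshakes_by_ip(lines).items() if n >= threshold
    )


def pfctl_commands(ips, table="badhosts"):
    """Commands adding the offenders to a persistent pf table (name assumed).

    The pf.conf side would be `table <badhosts> persist` and a
    `block in quick from <badhosts>` rule ahead of the pass rule for 1194.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Run from cron over the current openvpn.log, this replaces the manual copy-and-paste; a wrongly caught home worker is released with `pfctl -t badhosts -T delete <address>` rather than a configuration change.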




Re: Cheaper alternatives for APC UPS

2018-12-17 Thread Torsten
Hi Radek
I had a lot of problems such as overheating, and much shorter lifespan of 
batteries with cheaper brands.
I'm not a fan of branded overpricing but I need my server to run 24/7.
We had some CyberPower for workstations and 2 started leaking battery acid 
after 8 months.

R

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Radek
Sent: 17 December 2018 20:47
To: misc@openbsd.org
Subject: Cheaper alternatives for APC UPS

Hello,

could you recommend any UPS brands *cheaper* than APC that are fully 
supported in OpenBSD?
I always use APC, managing them via USB and apcupsd (both servers and clients) 
and PowerChute (windows clients). It works like a charm. APC is quite an expensive 
brand so I am looking for any cheaper alternatives.

Thanks!

-- 
radek




Re: VMWare tools - VM does not shut down

2018-09-26 Thread Torsten
For the archives I'm answering my own question:


https://man.openbsd.org/vmt.4:

> vmt handles shutdown and reboot requests from the host by signalling
> init(8) with SIGUSR2 and SIGINT respectively.

We made our own init listen to SIGUSR2 and SIGINT and that solved our
problem.



> On 25 September 2018 18:22:57 GMT+02:00, Torsten wrote:
>> Hi!
>>
>> I'm working on a project with a large number of highly customized
>> OpenBSD 6.3 based appliances.
>>
>> On each of these machines VMWare reports VMWare tools to be "installed
>> and ready". However, when I try to actually do something like shutdown,
>> reboot or sleep, there simply is no reaction. The machine remains up
>> and running.
>>
>> When I run a standard OpenBSD 6.3 machine on the same hypervisor,
>> everything works fine, so in general everything seems to be functional.
>> But we must have missed something when building these individual
>> appliances. I just cannot figure out what that could be. I read "man
>> vmt" but I couldn't figure out if vmt would require some service that's
>> normally started by rc, which in our appliances is not being started.
>> In fact, the appliances do not use the OpenBSD init system at all but
>> replace them with some custom init.
>>
>> What are we missing?
>>
>> Thanks in advance!
>> T.
> 
> I just read your message as "we run modified openbsd and it doesn't work, but 
> official openbsd works" 
> 
> It's hard to help you. 
> 



VMWare tools - VM does not shut down

2018-09-25 Thread Torsten
Hi!

I'm working on a project with a large number of highly customized
OpenBSD 6.3 based appliances.

On each of these machines VMWare reports VMWare tools to be "installed
and ready". However, when I try to actually do something like shutdown,
reboot or sleep, there simply is no reaction. The machine remains up and
running.

When I run a standard OpenBSD 6.3 machine on the same hypervisor,
everything works fine, so in general everything seems to be functional.
But we must have missed something when building these individual
appliances. I just cannot figure out what that could be. I read "man
vmt" but I couldn't figure if vmt would require some service that's
normally started by rc, which in our appliances is not being started. In
fact, the appliances do not use the OpenBSD init system at all but
replace them with some custom init.

What are we missing?

Thanks in advance!
T.



Re: Google abruptly accessed photos on memory card and MUCH more without permission

2018-09-19 Thread Torsten
Sadly you are not in the EU or that would cost Google 500K.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Michael Ayres
Sent: 19 September 2018 14:48
To: Chris Bennett 
Cc: misc@openbsd.org
Subject: Re: Google abruptly accessed photos on memory card and MUCH more 
without permission

Chrome is banned at my workplace shop, as are pretty much all of Google 
products. We use DuckDuckGo, or other one-off for search and Firefox or Safari 
for browsers.

Michael Ayres

Michael Ayres, MS, CISSP, CSEP, CSM, PMI-ACP, PMP | www.mace-associates.com San 
Francisco, CA. | 415.999.2049  https://www.linkedin.com/in/michaelmaceayres
michael.ay...@yahoo.com




> On Sep 19, 2018, at 5:43 AM, Chris Bennett  
> wrote:
> 
> I travel frequently. Often outside of the US. I decided when in Mexico 
> that I could possibly lose the tiny notepad so I took photos of my 
> passwords on it. I did this on a Mexican phone and I have often used 
> these photos when I couldn't remember rarely used passwords and my 
> notepad wasn't with me. Seemed like a good idea at the time.
> 
> I also use Google photos and drive since I download a lot of photos of 
> different beards and moustaches since this is the one thing I can 
> change to look different  (hey it's fun).
> 
> Suddenly, I discovered yesterday, basically by accident, that Google, 
> on its own, without asking permission, just decided that it should 
> backup folders including my photos.
> 
> Now Google has all of my usernames and account numbers and passwords 
> that are in those photos.
> 
> So today, I have to change every single password and username in those 
> photos.
> Which means I have to drop every single forum, app info, etc. And sign 
> up again.
> 
> NOTE WELL:
> I also discovered that Google is not just storing passwords in Chrome, 
> but is also monitoring ALL my app activities, passwords AND passing 
> (selling most likely) my profile info and reviews to companies. Their 
> wording is deliberately obscure as to what exactly is being stored and 
> disclosed to others.
> 
> I use JuiceSSH on my Android phone. I like it.
> Guess what. Now I can't use it or definitely I may or am getting my 
> usernames and passwords stolen!
> I also do not want my actual activities showing up. You know, like 
> database passwords, etc.
> 
> I would really appreciate any advice on how to deal with this.
> Not being able to use SSH on my phone is a problem.
> Yet I see that this is no longer an option.
> 
> Google is now very clearly out of control and violating, against our 
> will, any level of privacy and not asking permission.
> Yet, they also offer some very alluring services such as YouTubeTV, 
> which I both use and like. It's basically cheap cable that's portable 
> and has DVR also included.
> 
> I'm going to start another thread right now that is probably a better 
> place to answer this in, instead of spread over two threads.
> 
> Fahrenheit 451,
> Chris Bennett
> 
> 



Re: Running your own mail server

2018-09-08 Thread Torsten
I definitely agree on qmail.
It was a learning curve for me in the late 90s to get it going on Red Hat, 
after that Mandrake and Slackware, finally settling down on FreeBSD and 
OpenBSD.

Sadly, there are some concerns about the aging code, with various patches 
available to compensate, but I have not found a viable replacement ever since 
getting fond of qmail's/tcpserver's flexibility with patches, and the pain of adapting 
to new encoders and ssl/tls versions.

Be aware, qmail is not an off-the-shelf usable software but once you get into 
it - you may never leave.
I did not and do not intend to until it can't be maintained.
 
--

if you demand performance, FreeBSD + Qmail-ldap is THE way to go.

my 1 cent.

On Sat, Sep 8, 2018 at 12:26 PM Ken M  wrote:

> Just curious how many of you use openbsd to run your own personal 
> email server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong 
> the question is more about is it worth it to do yourself. Specifically 
> I will probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have.
> Which basically will forward to a gmail account. The kids accounts don't 
> really forward anywhere, they are place holders I guess. But they are 
> getting old enough to use their own accounts for things and not just 
> through the school which sets them up with google accounts to use through 
> their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their 
> own email accounts, and I don't necessarily disagree with her, but I 
> disagree on the way to do it. In a gmail point of view all I can think 
> of is shared passwords for the kids. I don't like that because 
> first of all they could change it, second of all monitoring their 
> email means literally reading their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts 
> there, and at the same time instead of reading their email be able to 
> more specifically block certain senders, but also to scan the email 
> for troubling words. In my mind that is things like suicide, kill, 
> etc.
>
> So I guess the end question, is for protecting the email of minors is 
> running my own email server, when I have never done it before on any 
> OS, worth it over some other solution. And yes I am very open to other 
> suggestions for a solution, even if it is something I have to pay for, 
> to avoid sharing passwords or grotesque privacy infringement of 
> literally reading all their emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken
>
>



Re: using installboot to create a custom OpenBSD install on sd1

2018-04-09 Thread Torsten
I spent another three hours on this and now I've come to a point where
at least my kernel boots.



> Hi!
> 
> In short:
> I am trying to use installboot to make a new hard drive bootable that
> should contain a custom OpenBSD installation, however, when trying to
> boot from that new hd I always get "No O/S".
> 
> 
> Detailed:
> I successfully set up a standard OpenBSD 6.3 (machine A) on sd0 using
> install.iso. Using custom scripts, I would like to create custom
> installations on sd1 to create individual installations (machine B, C
> and so on), each on a separate HD that I would swap for sd1 each time.
> 
> On (A) I did:
> 
> fdisk -iy sd1
> echo "a a\n\n2g\n\na b\n\n\n\n\nw\nq\n"|disklabel -E sd1
> newfs /dev/rsd1a
> 
> mount /dev/sd1a /mnt
> 
> cp -R /altroot  /mnt/altroot
> cp -R /bin  /mnt/bin
> cp -R /dev  /mnt/dev
> cp -R /etc  /mnt/etc
> cp -R /home /mnt/home
> cp -R /root /mnt/root
> cp -R /sbin /mnt/sbin
> cp -R /tmp  /mnt/tmp
> cp -R /usr  /mnt/usr
> cp -R /var  /mnt/var
> cp /bsd* /mnt/
> 
> cd /mnt/dev
> ./MAKEDEV std
> 
> installboot -v sd1 /usr/mdec/biosboot /usr/mdec/boot
> 
> (also tried
> installboot -v -r /mnt/ sd1 /usr/mdec/biosboot /usr/mdec/boot
> without success)
> 
> 
> Hints and help will be appreciated!
> 
> Regards,
> T.
> 



using installboot to create a custom OpenBSD install on sd1

2018-04-09 Thread Torsten
Hi!

In short:
I am trying to use installboot to make a new hard drive bootable that
should contain a custom OpenBSD installation, however, when trying to
boot from that new hd I always get "No O/S".


Detailed:
I successfully set up a standard OpenBSD 6.3 (machine A) on sd0 using
install.iso. Using custom scripts, I would like to create custom
installations on sd1 to create individual installations (machine B, C
and so on), each on a separate HD that I would swap for sd1 each time.

On (A) I did:

fdisk -iy sd1
echo "a a\n\n2g\n\na b\n\n\n\n\nw\nq\n"|disklabel -E sd1
newfs /dev/rsd1a

mount /dev/sd1a /mnt

cp -R /altroot  /mnt/altroot
cp -R /bin  /mnt/bin
cp -R /dev  /mnt/dev
cp -R /etc  /mnt/etc
cp -R /home /mnt/home
cp -R /root /mnt/root
cp -R /sbin /mnt/sbin
cp -R /tmp  /mnt/tmp
cp -R /usr  /mnt/usr
cp -R /var  /mnt/var
cp /bsd* /mnt/

cd /mnt/dev
./MAKEDEV std

installboot -v sd1 /usr/mdec/biosboot /usr/mdec/boot

(also tried
installboot -v -r /mnt/ sd1 /usr/mdec/biosboot /usr/mdec/boot
without success)


Hints and help will be appreciated!

Regards,
T.



Re: stop syslogd from opening port 514 UDP

2018-03-19 Thread Torsten
> it is your test methodology that is broken

Well, I said "I want the machine to be invisible", so I don't think
there is anything wrong with me testing which ports are open and
checking what I can do (besides pf) to close them.

Anyway, thanks for your help!

Cheers!



Re: stop syslogd from opening port 514 UDP

2018-03-19 Thread Torsten
>> On my OpenBSD 6.2 syslogd is listening to port 514
>> [...]
>> prevent syslogd from opening that port in the first place?

> If [...] no logging rules exist to send to a remote
> host the socket is closed per default since 6.2. Perhaps you are logging
> to a remote host?

Thank you for your answer, indeed I am logging to a remote host. However,
I don't understand why logging to a remote host opens port 514 incoming.

Anyway, I understand you're saying that this is intended behaviour and
cannot be circumvented other than using pf, right?



stop syslogd from opening port 514 UDP

2018-03-16 Thread Torsten
Hi!

On my OpenBSD 6.2 syslogd is listening to port 514, even though it is
not started with "-r" (to receive remote syslog messages). It does not
actually seem to log anything if I send something to port 514 UDP,
however, I want the machine to be invisible when someone is probing for
open ports. I know I could use PF as a workaround, but can't I prevent
syslogd from opening that port in the first place?

Thanks,
T.



Re: Kernel memory leaking on Intel CPUs?

2018-01-04 Thread torsten
PS
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=$(jot -r 1 )
security.bsd.stack_guard_page=1


> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of torsten
> Sent: 05 January 2018 00:59
> To: 'Rupert Gallagher'; 'Daniel Wilkins'; 'Allan Streib'
> Cc: 'Alceu R. de Freitas Jr.'; misc@openbsd.org
> Subject: Re: Kernel memory leaking on Intel CPUs?
> 
> I wonder how it is in reality for most *BSD users due to 1. hide
> processes run by other users 2. disable reading kernel messaging
> buffers...
> 3. disable kernel messaging debugging by unprivileged users
> 
> And some other tweaks
> 
> What surprises me is the "panic" publication of this because of already
> known and in *BSDs addressed concerns about hyper-threading and
> shared memory well back since 1994
> 
> 
> > -Original Message-
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
> Behalf
> > Of Rupert Gallagher
> > Sent: 04 January 2018 22:22
> > To: Daniel Wilkins; Allan Streib
> > Cc: Alceu R. de Freitas Jr.; misc@openbsd.org
> > Subject: Re: Kernel memory leaking on Intel CPUs?
> >
> > https://mobile.twitter.com/misc0110/status/948706387491786752
> >
> > On Thu, Jan 4, 2018 at 16:49, Daniel Wilkins <t...@parlementum.net>
> > wrote:
> >
> > > Intel's said that it affects every processor in the last 20+ years
> > and that it's "not a big deal for most users" because it's only a
> > kernel memory *read*.




Re: Kernel memory leaking on Intel CPUs?

2018-01-04 Thread torsten
I wonder how it is in reality for most *BSD users due to 
1. hide processes run by other users
2. disable reading kernel messaging buffers...
3. disable kernel messaging debugging by unprivileged users

And some other tweaks

What surprises me is the "panic" publication of this because of already known 
and in *BSDs addressed concerns about hyper-threading and shared memory well 
back since 1994


> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of Rupert Gallagher
> Sent: 04 January 2018 22:22
> To: Daniel Wilkins; Allan Streib
> Cc: Alceu R. de Freitas Jr.; misc@openbsd.org
> Subject: Re: Kernel memory leaking on Intel CPUs?
> 
> https://mobile.twitter.com/misc0110/status/948706387491786752
> 
> On Thu, Jan 4, 2018 at 16:49, Daniel Wilkins 
> wrote:
> 
> > Intel's said that it affects every processor in the last 20+ years
> and that it's "not a big deal for most users" because it's only a
> kernel memory *read*.



Re: IPMI still requires Java! I'm screwed.

2017-12-20 Thread Torsten
NO,
Just download IPMIView from SM and use the built-in viewer and all is OK.
The power can still be managed with the web site.

IPMIView requires java.exe on your PC but runs independently of any browser.
T


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Chris 
Bennett
Sent: 20 December 2017 21:04
To: misc@openbsd.org
Subject: IPMI still requires Java! I'm screwed.

I found a new server that uses IPMI and offers using it to set up your own 
custom OS. So I bought in.

Damn thing requires Java.
They offered me some pretty worthless advice on using Java.

I'm screwed into having to use Windows 7.
I've tried the Firefox ESR 32bit that supports Java.
Nope.
Opera. Nope
Edge. Nope
Chrome. Nope, including trying to use IEtab

Is it actually possible to get any web browser to open a Java applet?

I'm using a friend's laptop and it can't stay on while in the BIOS or after 
booting OpenBSD just to the point of running memtest.

I'm a bit confused about what to do.
They offer IPMI that won't work without Java.

Is this even anything more than a scam??
I don't know squat about windows other than it sucks.


Serious question:
Is it acceptable practice to offer remote access that cannot be used?






Re: Suppressing logging of arp movement messages

2017-11-08 Thread torsten

> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of OpenBSD
> Sent: 08 November 2017 15:44
> To: misc@openbsd.org
> Subject: Suppressing logging of arp movement messages
> 
> hello all,
> 
> I have finally build an internet gateway with OpenBSD 6.2 (AMD64),
> including pf and IPSec. Great stuff.
> Now I am seeing a lot of arp movement, that I know are caused by
> Apple's Bonjour Sleep Proxy.
> 
> Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> 
> These messages are repeating every 15-30 seconds for Apple devices like
> laptops that are in standby (sleep mode).
> 
> On pfSense and FreeBSD you have a sysctl:
> net.link.ether.inet.log_arp_movements
> when set to zero it will no longer log the messages.
> 
> Discussions can be found on internet dating back to 2010, but no
> solution has been provided for what I could find.
> I have not yet found any sysctl in OpenBSD to do the same. Did I miss
> something or does OpenBSD have any trick to not log these messages.
> Currently these messages are filling up the logs /var/run/dmesg.boot
> and /var/log/messages.
> 
> Marco PC

Hi Marco
In FreeBSD this is usually done with 
sysctl net.link.ether.inet.log_arp_movements=0

and I guess this applies to OpenBSD too.
T



OpenBSD 6.1: httpd.conf macro usage and string concatenation

2017-05-05 Thread Torsten
Hi!

I thought I could copy the same static server definition block and only
change a unique macro definition at the top of each server. But this is
not working:

##
# from httpd.conf
##
# [...]

# macro definition
certroot="/etc/ssl/httpd"
docroot="/htdocs"

domain="domain.tld"
server $domain{
 listen on * tls port 443
 tls certificate $certroot/$domain/$domain.pem
 tls key $certroot/$domain/$domain.key
 root $docroot/$domain
}

domain="anotherdomain.tld"
server $domain{
 listen on * tls port 443
 tls certificate $certroot/$domain/$domain.pem
 tls key $certroot/$domain/$domain.key
 root $docroot/$domain
}

# [...]
##

The idea was that if you have a lot of server definitions you could keep
the parts that are the same static and just change the macro for each
server in the line above the server block.

Because httpd.conf man page says "Macros are not expanded inside
quotes." I cannot use 'root "$docroot/$domain"'. But 'root
$docroot/$domain' isn't accepted either. Does that mean I cannot use
Macros for parts of the config file that reference to files or folders,
because Macros are not expanded inside quotes but keywords with file or
folder options require enclosing quotes? If that's the case I don't
understand what Macros are good for.

Thanks in advance!

T.



Re: META: Does this list have no moderators?

2016-06-04 Thread torsten
Freedom of speech and expression is the cause.
How could we in the open source community start policing anything other than
abusive, commercial, racist or political spam?
That would make us no better than what we are opposing.
I don't want to offend anyone but this is the point, or better, the sole
reason of existence, of what we are doing.

Regards
Torsten 

> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of Gareth Nelson
> Sent: 04 June 2016 22:27
> To: OpenBSD general usage list
> Subject: META: Does this list have no moderators?
> 
> I'm sure we're all aware of the individual i'm thinking of when I say
> their posts are both inappropriate and annoying.
> 
> The individual in question should be referred privately to mental
> health services, but they should also be prohibited from posting
> further to this list.
> 
> Thoughts?



Re: META: Does this list have no moderators?

2016-06-04 Thread torsten
Hi
I guess I put it clearly; now comments are coming through which are excessive or
simply not necessary.
A Yea or Nay will do; sometimes silence is a virtue.
T

> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of ludovic coues
> Sent: 04 June 2016 23:18
> To: Gareth Nelson
> Cc: OpenBSD general usage list
> Subject: Re: META: Does this list have no moderators?
>
> 2016-06-04 23:26 GMT+02:00 Gareth Nelson :
> > I'm sure we're all aware of the individual i'm thinking of when I say
> > their posts are both inappropriate and annoying.
> >
> > The individual in question should be referred privately to mental
> > health services, but they should also be prohibited from posting
> > further to this list.
> >
> > Thoughts?
> >
>
> Asking to exclude someone for their supposed mental health is plain
> wrong.
> If we are thinking to the same person, you can call out their abuse of
> cross-list.
>
> Or as some great people on this list would say, ignore the problem and
> watch if it goes away.
>
> --
>
> Cordialement, Coues Ludovic
> +336 148 743 42



Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-12 Thread torsten
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Josh Grosse
> Sent: 12 March 2016 13:22
> To: misc@openbsd.org
> Subject: Re: Small FW boxes for CORP use (was: T40E APU?)
> 
> On Sat, Mar 12, 2016 at 10:34:16AM +, Kapfhammer, Stefan wrote:
> > But how would you feed the CAT female jack out of the original
> > pcengines enclosure? There are no further mounting holes in it.
> 
> I was thinking of the Alix, where enclosures are not included.

I like standard 1U low power equipment and prefer Supermicro for its
Linux/BSD support.
This is no advertising for eBay but I usually get stuff like this
http://www.ebay.co.uk/itm/Supermicro-1U-Server-Xeon-X3430-2-4Ghz-Quad-Core-8GB-RAM-Low-Power-R210-DL120-/291687112072?hash=item43e9e81d88:g:034AAOSwcwhVON9U
then add a dual port NIC, usually HP Intel, and off I go.
The benefit is the KVM, integrated HDDs and flexibility. My gateways are
proxies, VPN and HTTP servers with port forwarding to internal workstations
and servers after authentication for VNC, SQL and other   



Re: Supermicro AOC-SG-I2 (two ports Intel 82575EB) hwfeatures

2016-03-04 Thread torsten
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Atanas Vladimirov
> Sent: 04 March 2016 19:33
> To: misc@openbsd.org
> Subject: Re: Supermicro AOC-SG-I2 (two ports Intel 82575EB) hwfeatures
> 
> On 04.03.2016 19:55, torsten wrote:
> > Hi Atanas,
> > It looks like a link speed negotiation error.
> > Can you set the link speed to 100MB/s and see what happens? I don't
> > think it is a driver or server hardware issue but more a switch
> > issue.
> > Have you tried another switch or hub?
> > I use the same board in servers and gateways with FreeBSD and OpenBSD
> > without any issues.
> 
> Hi Torsten,
> Yes, I tried with three switches.
> I'm not sure that the problem is link negotiation because on-board Intel NICs
> are OK.
> Can you send me the output of `ifconfig em hwfeatures` from a server which is
> running OpenBSD and has AOC-SG-I2?
> Thanks,
> Atanas

Here is the output in 5.8
This is a multipath gateway setup - very stable - and connected to DELL 1xxx
managed switches

Dec 20 12:50:20 gate01 /bsd: em0 at pci2 dev 0 function 0 "Intel 82571EB" rev 0x06: apic 2 int 17, address 00:15:17:48:7b:22
Dec 20 12:50:20 gate01 /bsd: em1 at pci2 dev 0 function 1 "Intel 82571EB" rev 0x06: apic 2 int 18, address 00:15:17:48:7b:23
Dec 20 12:50:20 gate01 /bsd: em2 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x05: msi, address 00:25:90:d0:17:11
Dec 20 12:50:20 gate01 /bsd: em3 at pci4 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:25:90:d0:17:10

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
        lladdr 00:15:17:48:7b:22
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
        lladdr 00:15:17:48:7b:23
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
        lladdr 00:25:90:d0:17:11
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
        lladdr 00:25:90:d0:17:10
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.0.238 netmask 0xfc00 broadcast 192.168.3.255



Re: Supermicro AOC-SG-I2 (two ports Intel 82575EB) hwfeatures

2016-03-04 Thread torsten
Hi Atanas,
It looks like a link speed negotiation error.
Can you set the link speed to 100MB/s and see what happens? I don't think it
is a driver or server hardware issue but more a switch issue.
Have you tried another switch or hub?
I use the same board in servers and gateways with FreeBSD and OpenBSD
without any issues.


> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Atanas Vladimirov
> Sent: 04 March 2016 17:04
> To: misc@openbsd.org
> Subject: Re: Supermicro AOC-SG-I2 (two ports Intel 82575EB) hwfeatures
> 
> On 27.02.2016 11:42, Atanas Vladimirov wrote:
> > Hi,
> > I'm running -current on Supermicro X9SCL-F with two on-board Gigabit
> > Intel (82579LM and 82574L) and one PCI-e 4x Supermicro AOC-SG-I2 [0]
> > (two ports Intel 82575EB).
> > The question is why 82575EB doesn't support hwfeatures
> > (CSUM_TCPv4,CSUM_UDPv4 and VLAN_HWTAGGING) as 82579LM and 82574L.
> > Thanks.
> > ..
> > [0] http://www.supermicro.com/products/accessories/addon/AOC-SG-I2.cfm
> 
> Hi,
> Before my previous email I had a strange issue but back then I didn't know
> that it was related to the NIC.
> I have a basic ifstated config [1] to monitor my WAN connection (first port on
> AOC-SG-I2 was my uplink to my ISP).
> At some time ifstated sent me two emails - the link was DOWN and after 9
> (nine) seconds was back ON-Line.
> I had a few phone calls with my ISP and they checked the switch a few times.
> I started to wonder if the problem was on my side. I plugged the second port
> of AOC-SG-I2 to a tp-link wdr4900 which I use as 5 port gigabit switch for my
> home LAN and began to observe two ports with a `while` loop:
> 
> [ns]~$ while true; do date; ifconfig emp[1-0] | grep -e "media:" -e "status:"; sleep 1; done > mon_if_em[1-0]
> 
> Both ports had 2-3 seconds disconnects at the same time (two different
> switches).
> Here's the question - Could this be a hardware related problem or it's a
> driver issue?
> Is anyone out there also using Intel 82575EB?
> 
> That's why I asked for hwfeatures in first email because that's the only
> difference I saw.
> Now I moved the NIC to another (test) server (dmesg and pcidump at the end [2])
> to test the same way.
> 
> em(4) says:
> "The em driver supports IPv4 receive IP/TCP/UDP checksum offload and
>   transmit TCP/UDP checksum offload on all but 82542-based adapters, VLAN
>   tag insertion and stripping, and jumbo frames on all but 82562V,
>   82566DC/82566DM and 82573E/82573L/82573V-based adapters."
> 
> ..
> Tue Mar  1 15:52:43 EET 2016
>  media: Ethernet autoselect (1000baseT
> full-duplex,master,rxpause,txpause)
>  status: active
> Tue Mar  1 15:52:44 EET 2016
>  media: Ethernet autoselect (none)
>  status: no carrier
> Tue Mar  1 15:52:45 EET 2016
>  media: Ethernet autoselect (none)
>  status: no carrier
> Tue Mar  1 15:52:46 EET 2016
>  media: Ethernet autoselect (1000baseT
> full-duplex,master,rxpause,txpause)
>  status: active
> ..
> Wed Mar  2 08:03:17 EET 2016
>  media: Ethernet autoselect (1000baseT
> full-duplex,master,rxpause,txpause)
>  status: active
> Wed Mar  2 08:03:18 EET 2016
>  media: Ethernet autoselect (none)
>  status: no carrier
> Wed Mar  2 08:03:19 EET 2016
>  media: Ethernet autoselect (none)
>  status: no carrier
> Wed Mar  2 08:03:21 EET 2016
>  media: Ethernet autoselect (1000baseT
> full-duplex,rxpause,txpause)
>  status: active
> ..
> 
> [1] 
> 
> [ns]~$ cat /etc/ifstated.conf
> # $OpenBSD: ifstated.conf,v 1.6 2005/02/07 06:08:10 david Exp $
> # This is a sample config for a pair of firewalls with two interfaces
> # init-state auto
> peer_up = '( "ping -q -c 4 -i 3 -w 4 XX.87.YY.ZZ > /dev/null" every 20 )'
> em0_up = "em0.link.up"
> em0_down = "em0.link.down"
> 
> state auto {
> if $em0_up {
>  set-state extif_up
> }
> if $em0_up && $peer_up {
>  set-state extif_online
> }
> if $em0_down {
>  set-state extif_down
> }
> }
> 
> state extif_up {
> init {
>  run "echo External interface UP @ `date +%H:%M:%S` | mail -s
> 'External Interface UP' vl...@bsdbg.net"
> }
> if $em0_down {
>  set-state extif_down
> }
> if $em0_up && $peer_up {
>  set-state extif_online
> }
> }
> 
> state extif_online {
> init {
>  run "echo External interface ON-line @ `date +%H:%M:%S` | mail -s
> 'External Interface ON-line' vl...@bsdbg.net"
> }
> if $em0_up && ! $peer_up {
>  set-state extif_up
> }
> if $em0_down {
>  set-state extif_down
> }
> }
> 
> state extif_down {
> init {
>  run "echo External interface DOWN @ `date +%H:%M:%S` | mail -s
> 'External Interface 

Re: Newbie question: Proxy for appearing in Sweden for on demand streaming?

2016-01-04 Thread torsten
Hi all!

My mom lives in Sweden but spends loads of time in Spain. She likes the
public service online TV streaming service, which cannot be watched abroad
for various reasons. I thought I'd try to set up a proxy of some sort that
she could turn her iPad to, and appear as if in Sweden while in fact in
Spain. I live in Sweden and have a 5.8-stable box handy.

How would I do that? Can relayd help here? What do I need in terms of
network setup etc?

Any pointers would be appreciated (except flames).

Happy new year!
Andreas

Hi Andreas
I have the same problem while going abroad a lot for work and sometimes with
the kids who are hooked on CBBC,
and I've set up dynDNS and PPTP/sslVPN. It's easy to use from iPads and
windoze / other Mac clients.
I found PPTP gives the least problems and CPU overhead on both ends while
ignoring the flaws in encryption.

Regards
Torsten



Re: build an openbsd router/modem

2015-12-22 Thread torsten
A quick question: how do these boards with Intel Atom CPUs cope with gigabit
traffic and sslVPN? I love the look of them.
I use the Supermicro Intel i3/E3 midi boards with add-on NICs at the moment.


>oh thank u very much, I think it's exactly what I am looking for.


2015-12-22 20:05 GMT+00:00 Joost Runsink :
> Some modem (Draytek comes to mind) allow you to set the modem in
> bridge mode. At that point it is a atm to ethernet converter. Have a
> look at Soekris and Alixboard, used a lot for this exact task.
>
> On Tue, Dec 22, 2015 at 07:32:57PM +, Frank White wrote:
>> Hi,
>> Yes I am sorry, I want build a small embedded system with openbsd to
>> connect a lan to an adsl line. I want all the devices with openbsd,
>> included the adsl modem. So the embedded system must have one or more
>> ethernet nic and a modem.
>>
>>
>>
>>
>> 2015-12-22 19:08 GMT+00:00 Tati Chevron :
>> > On Tue, Dec 22, 2015 at 06:45:04PM +, Frank White wrote:
>> >>
>> >> I want build a router/modem with openbsd. My is that I don't want
>> >> anykind of linux code around. I don't have any problems to build a
>> >> router, my problem is to have a modem without any linux firmware.
>> >> Anyone know if there are any pure modem to use it ?
>> >> Or any chip I can connect on any "itx or what u want" motherboard ?
>> >
>> >
>> > Can you be more specific about what you are trying to do?
>> >
>> > Are you trying to build a small embedded system using OpenBSD, or
>> > do you want to configure a normal desktop machine to route data
>> > from a, (3g?  DSL?  Cable internet?), source to other machines on
>> > the LAN?
>> >
>> > --
>> > Tati Chevron
>> > Perl and FORTRAN specialist.
>> > SWABSIT development and migration department.
>> > http://www.swabsit.com



Re: npppd pppx0 VPN Client can access wan but cannot access lan

2015-12-19 Thread torsten
> I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3.
> npppd works fine and clients can connect using the Windows PPTP client.
> The client has the PPTP connection set as default gateway and can
> access the internet through the VPN gateway but cannot access the LAN network.
> Traffic arrives on the pppx0 interface but never gets forwarded to the
> LAN IP address.

Can you see the traffic for the LAN on $int_if or the other physical
interfaces?

>   ## vpn
> pass quick log on pppx
> match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
> match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
> match out log on $int_if from $vpn_net nat-to ($int_if)

First line, "pass quick", becomes the last rule for traffic in/out on the
pppx interface since it is "quick".  So subsequent rules (including nat) are
not applied.

--yasuoka

I'm used to pf on FreeBSD; the problem was not the quick rule.
It looks like pf or the kernel on OpenBSD sets a "block all" on any
interface not defined in the pf.conf using skip or pass rules, which is a
good thing because this closes unintended security holes.

Thanks for your help.

The pf.conf below does the trick
### NAT
  ## int_net
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)

  ## vpn
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
block drop quick inet6
block log all
pass out log

  ## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types

  ## internal network
pass in log on $int_if

  ## pass connections to vpn server
pass in log on pppx
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723



Re: npppd pppx0 VPN Client can access wan but cannot access lan

2015-12-18 Thread torsten
Hi
Is there anyone who can help to resolve the problem I have with pppx, tun and
tap using npppd and OpenVPN not forwarding traffic to ingress, while egress works
fine.
It was my first post to the list and if there is any info or further details
required just ask; I would appreciate any help or hints.
I know I'm missing something in my config but can't find it.
Thanks
torsten


-Original Message-
From: torsten [mailto:tors...@cnc-london.net]
Sent: 16 December 2015 23:21
To: 'misc@openbsd.org'
Subject: npppd pppx0 VPN Client can access wan but cannot access lan

Hi

I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3.
npppd works fine and clients can connect using the Windows PPTP client.
The client has the PPTP connection set as default gateway and can access the
internet through the VPN gateway but cannot access the LAN network.
Traffic arrives on the pppx0 interface but never gets forwarded to the LAN IP
address.
I have been looking and trying for over 2 weeks now and can't figure that one
out.
Setting everything to pass in pf.conf and only enabling NAT - still no
result.

Setup: OpenBSD 5.8 with npppd using pppx0 or tun0 and pf 2 WAN interfaces
equal cost routing (net.inet.ip.multipath=1), 1 LAN interface

sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1

npppd.conf:

set max-session 20
set user-max-session 5
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel VPN protocol pptp {
listen on 0.0.0.0
}
ipcp IPCP {
pool-address 10.219.219.2-10.219.219.100
dns-servers 192.168.0.189 192.168.0.19
nbns-servers 192.168.0.189 192.168.0.19
}
interface pppx0 address 10.219.219.1 ipcp IPCP
bind tunnel from VPN authenticated by LOCAL to pppx0

pf.conf

### NAT
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)

  ## vpn
pass quick log on pppx
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
block log quick inet6
block in log on $ext1_if
block in log on $ext2_if

  ## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types

  ## pass connections to vpn server
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
pass in  on enc0 from $vpn_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
pass in  on pppx from $vpn_net to $int_net keep state (if-bound)
pass out on pppx from $int_net to $vpn_net keep state (if-bound)

netstat -rn Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
defaulta.a.a.113  UGSP   0  1073494 - 8 em0
defaultb.b.b.97   UGSP   410294 - 8 em1
10.219.219.1   10.219.219.1   UHl00 - 1 lo0
10.219.219.14  10.219.219.1   UH 0  679 - 8 pppx0
127/8  127.0.0.1  UGRS   00 32768 8 lo0
127.0.0.1  127.0.0.1  UHl14 32768 1 lo0
b.b.b.96/28b.b.b.110  UC 10 - 8 em1
b.b.b.97   bc:16:65:34:33:81  UHLc   10 - 8 em1
b.b.b.110  00:15:17:48:7b:23  HLl00 - 1 lo0
b.b.b.111  b.b.b.110  UHb00 - 1 em1
192.168.0/22   192.168.0.238  UC 90 - 8 em3
192.168.0.400:25:90:7c:40:cf  UHLc   04 - 8 em3
192.168.0.500:30:48:7d:7c:64  UHLc   01 - 8 em3
192.168.0.600:25:90:3c:30:67  UHLc   02 - 8 em3
192.168.0.10   f4:6d:04:29:ea:f7  UHLc   04 - 8 em3
192.168.0.19   00:25:90:72:89:1a  UHLc   0 8388 - 8 em3
192.168.0.189  00:30:48:d8:f0:0b  UHLc   0 9661 - 8 em3
192.168.0.238  00:25:90:d0:17:10  HLl00 - 1 lo0
192.168.0.253  00:25:90:af:5d:0a  UHLc   0  154 - 8 em3
192.168.2.167  50:e5:49:e6:c3:3c  UHLc   0 2048 - 8 em3
192.168.3.202  00:25:90:af:5d:0a  UHLc   1 9329 - L   8 em3
192.168.3.255  192.168.0.238  UHb00 - 1 em3
a.a.a.112/28   a.a.a.126  UC 20 - 8 em0
a.a.a.113  00:00:5e:00:01:0c  UHLc   10 - 8 em0
a.a.a.116  00:25:90:af:5d:0b  UHLc   234417 - L   8 em0
a.a.a.126  00:15:17:48:7b:22  HLl00 - 1 lo0
a.a.a.127  a.a.a.126  UH

Re: npppd pppx0 VPN Client can access wan but cannot access lan

2015-12-18 Thread torsten
On Sat, 19 Dec 2015 01:11:40 -
"torsten" <tors...@cnc-london.net> wrote:
> I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3.
> npppd works fine and clients can connect using the Windows PPTP client.
> The client has the PPTP connection set as default gateway and can
> access the internet through the VPN gateway but cannot access the LAN network.
> Traffic arrives on the pppx0 interface but never gets forwarded to the
> LAN IP address.

Can you see the traffic for the LAN on $int_if or the other physical
interfaces?

>   ## vpn
> pass quick log on pppx
> match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
> match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
> match out log on $int_if from $vpn_net nat-to ($int_if)

First line, "pass quick", becomes the last rule for traffic in/out on the
pppx interface since it is "quick".  So subsequent rules (including nat) are
not applied.

--yasuoka

I will trace it in the morning; looks promising though.
Thank you for your reply.



npppd pppx0 VPN Client can access wan but cannot access lan

2015-12-16 Thread torsten
Hi

I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3.
npppd works fine and clients can connect using the Windows PPTP client.
The client has the PPTP connection set as default gateway and can access the
internet through the VPN gateway but cannot access the LAN network.
Traffic arrives on the pppx0 interface but never gets forwarded to the LAN IP
address.
I have been looking and trying for over 2 weeks now and can't figure that one
out.
Setting everything to pass in pf.conf and only enabling NAT - still no
result.

Setup: OpenBSD 5.8 with npppd using pppx0 or tun0 and pf 2 WAN interfaces
equal cost routing (net.inet.ip.multipath=1), 1 LAN interface

sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1

npppd.conf:

set max-session 20
set user-max-session 5
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel VPN protocol pptp {
listen on 0.0.0.0
}
ipcp IPCP {
pool-address 10.219.219.2-10.219.219.100
dns-servers 192.168.0.189 192.168.0.19
nbns-servers 192.168.0.189 192.168.0.19
}
interface pppx0 address 10.219.219.1 ipcp IPCP
bind tunnel from VPN authenticated by LOCAL to pppx0

pf.conf

### NAT
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)

  ## vpn
pass quick log on pppx
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
block log quick inet6
block in log on $ext1_if
block in log on $ext2_if

  ## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types

  ## pass connections to vpn server
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
pass in  on enc0 from $vpn_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
pass in  on pppx from $vpn_net to $int_net keep state (if-bound)
pass out on pppx from $int_net to $vpn_net keep state (if-bound)

netstat -rn Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
defaulta.a.a.113  UGSP   0  1073494 - 8 em0
defaultb.b.b.97   UGSP   410294 - 8 em1
10.219.219.1   10.219.219.1   UHl00 - 1 lo0
10.219.219.14  10.219.219.1   UH 0  679 - 8 pppx0
127/8  127.0.0.1  UGRS   00 32768 8 lo0
127.0.0.1  127.0.0.1  UHl14 32768 1 lo0
b.b.b.96/28b.b.b.110  UC 10 - 8 em1
b.b.b.97   bc:16:65:34:33:81  UHLc   10 - 8 em1
b.b.b.110  00:15:17:48:7b:23  HLl00 - 1 lo0
b.b.b.111  b.b.b.110  UHb00 - 1 em1
192.168.0/22   192.168.0.238  UC 90 - 8 em3
192.168.0.400:25:90:7c:40:cf  UHLc   04 - 8 em3
192.168.0.500:30:48:7d:7c:64  UHLc   01 - 8 em3
192.168.0.600:25:90:3c:30:67  UHLc   02 - 8 em3
192.168.0.10   f4:6d:04:29:ea:f7  UHLc   04 - 8 em3
192.168.0.19   00:25:90:72:89:1a  UHLc   0 8388 - 8 em3
192.168.0.189  00:30:48:d8:f0:0b  UHLc   0 9661 - 8 em3
192.168.0.238  00:25:90:d0:17:10  HLl00 - 1 lo0
192.168.0.253  00:25:90:af:5d:0a  UHLc   0  154 - 8 em3
192.168.2.167  50:e5:49:e6:c3:3c  UHLc   0 2048 - 8 em3
192.168.3.202  00:25:90:af:5d:0a  UHLc   1 9329 - L   8 em3
192.168.3.255  192.168.0.238  UHb00 - 1 em3
a.a.a.112/28   a.a.a.126  UC 20 - 8 em0
a.a.a.113  00:00:5e:00:01:0c  UHLc   10 - 8 em0
a.a.a.116  00:25:90:af:5d:0b  UHLc   234417 - L   8 em0
a.a.a.126  00:15:17:48:7b:22  HLl00 - 1 lo0
a.a.a.127  a.a.a.126  UHb00 - 1 em0
224/4  127.0.0.1  URS00 32768 8 lo0



multiple certificates in httpd

2015-12-08 Thread Torsten
Hi!

man httpd.conf says:
[tls option]
"Set the TLS configuration for the server."

I assumed that "the server" would mean that every (virtual) server can
have its own tls options (and certificates). Otherwise it would have
said "Set the TLS configuration for httpd and all virtual servers."

Is that wrong? Can I only have ONE key and ONE cert and the cert must be
a multi domain certificate?

I tried this:


ext_addr="*"
prefork 3

server "domaina.com" {
alias "www.domaina.com"
listen on $ext_addr tls port 443
tls dhe "auto"
root "/htdocs/domaina"
}

server "domainb.com" {
alias "www.domainb.com"
listen on $ext_addr tls port 443
tls dhe "auto"
tls certificate "/etc/ssl/domainb.crt"
tls key "/etc/ssl/private/domainb.key"
root "/htdocs/domainb"
}


You see in domaina.com there is no certificate specification. According
to the documentation the default values should be used. And they are. On
OpenBSD 5.7 I get the cert from the default files when I try to access
https://www.domaina.com

On OpenBSD5.7 I also get the certificate for domaina when I access
domainb.com, which results in a certificate error.

On OpenBSD5.8 it's the other way round: when accessing domainb the
browser reports the correct certificate. When accessing domaina I get
the certificate of domainb (and the corresponding cert error).

I started
httpd -d -
on OpenBSD5.7 to check the output and found that the messages
server_tls_load_keypair: using certificate /etc/ssl/cert.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
only appear for those two files. So the httpd obviously does not read
the other certificates.

T.



Re: httpd, SlowCGI, POST_MAX and 413 Payload Too Large

2015-08-25 Thread Torsten
 Check the httpd.conf(5) man page for max request body, which defaults to 1M.


Thx, got it.



Re: httpd client certificate authentication in OpenBSD5.8

2015-08-25 Thread Torsten
 | Will httpd in OpenBSD 5.8 support client certificates
 At least not until LibreSSL's libtls supports it.  See
 https://github.com/reyk/httpd/issues/23

Thanks for the hint! For my purpose Client Cert authentication is
mandatory and therefore I'm desperate. But now I have hope!

Reyk wrote: Once libtls supports things like SNI or
client certificates with an easy-to-use interface, we can review such
features.

On the 21. August 2015, so just a couple of days ago, markokr submitted
a patch to libressl-portable which added this feature:

https://github.com/libressl-portable/openbsd/pull/41

So there is hope that this will become available in the (near?) future.

However, probably not in OpenBSD 5.8

T.



httpd client certificate authentication in OpenBSD5.8

2015-08-25 Thread Torsten
Hi!

Will httpd in OpenBSD 5.8 support client certificates for
authentication? It was announced (see
http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf) but
http://www.openbsd.org/58.html does not mention it.

T.



httpd, SlowCGI, POST_MAX and 413 Payload Too Large

2015-08-25 Thread Torsten
Hi!

OpenBSD 5.7, httpd, slowcgi

upload.pl CGI:

# [...]
$CGI::POST_MAX = 1024 * 1024 * 20; #20MB
# [...]

But when I try to upload a file I get 413 Payload Too Large if the
file is larger than 1MB.

Help will be appreciated!

T.



Re: fastcgi (without slowcgi)

2015-05-24 Thread Torsten
Paul,

thank you so much for taking the time to write such a detailed answer.


 script needs to be able to create a file in its
 /run directory

Thanks to your hints I might have been able to narrow it down a bit, but
I'm still not there.

The fastcgi directive from httpd.conf defaults to /run/slowcgi.sock
(http://www.openbsd.org/papers/httpd-asiabsdcon2015.pdf).

So I removed the socket file which might be there from previous starts
of slowcgi:
# rm /var/run/slowcgi.sock

I tried this to tell perl about which socket to use:

# cat cgi-bin/fcgi.fcgi

##
#!/usr/bin/perl
use FCGI;

# listen on the socket httpd connects to (path is inside the /var/www chroot)
my $socket = FCGI::OpenSocket( "/run/slowcgi.sock", 5 );
my $request = FCGI::Request( \*STDIN, \*STDOUT, \*STDERR, \%ENV, $socket );

my $count;
# serve requests until Accept() fails
while( $request->Accept() >= 0 ) {
    print "Content-type: text/html\r\n\r\n";
    print ++$count;
}

FCGI::CloseSocket( $socket );
##

# rcctl start httpd
httpd(ok)

I still get 500 Internal Server Error

but:
# ls -ld /var/www/run/slowcgi.sock
ls: /var/www/run/slowcgi.sock: No such file or directory

So the socket file is not being created when the script was started from
httpd.

Now I try to start the very same script without any change, but instead
letting httpd start the script, I will start it manually, using the
(presumably) same credentials:

# chroot -g www -u www /var/www /cgi-bin/fcgi.fcgi

The script does not return, which is probably because of the while loop
waiting for a new connection. However, in a second shell I can see that
this time the socket was created:

# ls -ld /var/www/run/slowcgi.sock
srwxr-xr-x  1 www  www  0 May 24 13:46 /var/www/run/slowcgi.sock

Can anyone explain this to me? How is httpd starting the script in a
different way than I do with that chroot command?

Help will be appreciated!

Regards,
T.



Re: fastcgi (without slowcgi)

2015-05-24 Thread Torsten
Paul,

thanks a lot again!

I got something working but I don't have the time today to do further
tests. Just wanted you to know that thanks to your help (and the help of
another friend of mine who brought me OpenBSD 13 years ago) I think I
know what my mistake was and what needed to be done.

I'll post a brief description of what I did to get it working in the
next days to get this into the archives.

Regards,
T.



fastcgi (without slowcgi)

2015-05-22 Thread Torsten
Hi!

I am trying to use fastcgi in OpenBSD 5.7 httpd but keep getting 500
Internal Server Error.

httpd.conf:
##
ext_addr="*"
server "www.domain.com" {
        listen on $ext_addr tls port 443
        tls dhe "auto"
        connection { max requests 500, timeout 3600 }
        location "/cgi-bin/*" {
                fastcgi socket "/run/fcgi.socket"
                root "/"
        }
        root "/htdocs/www.domain.com"
}
##

/var/www/cgi-bin/fcgi-test.cgi:
##
#!/usr/bin/perl
  use CGI::Fast;
  # socket httpd connects to (path is inside the /var/www chroot)
  $ENV{FCGI_SOCKET_PATH} = "/run/fcgi.socket";
  $ENV{FCGI_LISTEN_QUEUE} = 100;
  my $cnt=0;
  while (my $q = new CGI::Fast) {
   print "Content-type: text/html\r\n\r\n";
   print "<head>\n<title>FastCGI Demo Page (perl)</title>\n</head>\n";
   print " <h1>FastCGI Demo Page (perl)</h1>\n";
   print "This is coming from a FastCGI server.\n<BR>\n";
   $cnt++;
   print "This is connection number $cnt\n";
  }
##

I was able to start a simple CGI (print "hello world\n";) by using
slowcgi so I believe my perl environment in chroot is more or less OK.
Also the script itself seems to be OK:

# chroot /var/www /usr/bin/perl -c /cgi-bin/fcgi2.cgi
/cgi-bin/fcgi2.cgi syntax OK

Things that might be part of the problem:
- No socket file /run/fcgi.socket is being created when I start httpd.
- Nothing was ever written to /var/www/logs/error.log, not even when I
tried to start httpd with a bogus httpd.conf. However,
/var/www/logs/access.log has logs from access to static html.

Any hints about where to find out more about the 500 Internal Server
Error? I have no more hints to follow and I could not find one single
example of a working httpd.conf along with a perl fastcgi example on the
web. All discussions seem to explain how to use cgi with slowcgi
instead. But that's not what I'm looking for.

Thanks in advance!

T.
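One thing the configuration above leaves implicit: httpd(8) does not start a FastCGI server, it only connects to the socket named by `fastcgi socket`, and that path is resolved inside httpd's chroot, so `/run/fcgi.socket` is `/var/www/run/fcgi.socket` on the host. Something has to be listening there before the first request arrives, speaking the FastCGI record protocol. The following is an added example, not the poster's script and not OpenBSD code: a minimal FastCGI responder in Python (rather than Perl, so the record framing that httpd and the script exchange is visible). It assumes the `/var/www` chroot and the socket path from the httpd.conf above, that the daemon runs under its own user whose group includes httpd's `www` user, and that one request arrives per connection; `build_request` is a constructed stand-in for what a web server sends, used only to exercise the responder offline.

```python
"""Minimal FastCGI responder on a Unix socket (added example, not from the post)."""
import os
import socket
import struct

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 1, 3, 4, 5, 6
FCGI_RESPONDER, FCGI_REQUEST_COMPLETE = 1, 0
HEADER = struct.Struct("!BBHHBx")   # version, type, requestId, contentLength, paddingLength, reserved


def pack_record(rtype, req_id, content=b""):
    """Frame one record; the body is padded to a multiple of 8 bytes."""
    pad = (8 - len(content) % 8) % 8
    return HEADER.pack(FCGI_VERSION, rtype, req_id, len(content), pad) + content + b"\0" * pad


def unpack_records(buf):
    """Return ([(type, requestId, content), ...], leftover) for the complete records in buf."""
    records, off = [], 0
    while len(buf) - off >= HEADER.size:
        ver, rtype, req_id, clen, plen = HEADER.unpack_from(buf, off)
        if ver != FCGI_VERSION:
            raise ValueError("unsupported FastCGI version %d" % ver)
        if len(buf) - off < HEADER.size + clen + plen:
            break                                        # wait for the rest of this record
        records.append((rtype, req_id, bytes(buf[off + HEADER.size:off + HEADER.size + clen])))
        off += HEADER.size + clen + plen
    return records, buf[off:]


def _put_len(n):   # name-value length: one byte, or four bytes with the high bit set
    return bytes([n]) if n < 128 else struct.pack("!I", n | 0x80000000)


def _get_len(data, off):
    if data[off] < 128:
        return data[off], off + 1
    return struct.unpack_from("!I", data, off)[0] & 0x7FFFFFFF, off + 4


def encode_params(params):
    """Encode a dict the way the web server sends it in FCGI_PARAMS."""
    out = b""
    for k, v in params.items():
        k, v = k.encode(), v.encode()
        out += _put_len(len(k)) + _put_len(len(v)) + k + v
    return out


def decode_params(data):
    params, off = {}, 0
    while off < len(data):
        nlen, off = _get_len(data, off)
        vlen, off = _get_len(data, off)
        params[data[off:off + nlen].decode()] = data[off + nlen:off + nlen + vlen].decode()
        off += nlen + vlen
    return params


class Responder:
    """Turns the records of one request into reply records; counts requests like $cnt."""

    def __init__(self):
        self.count = 0

    def respond(self, request_bytes):
        req_id, params, stdin = None, {}, b""
        for rtype, rid, content in unpack_records(request_bytes)[0]:
            if rtype == FCGI_BEGIN_REQUEST:
                if struct.unpack_from("!H", content)[0] != FCGI_RESPONDER:
                    raise ValueError("only the responder role is implemented")
                req_id = rid
            elif rtype == FCGI_PARAMS and content:       # empty PARAMS record ends the list
                params.update(decode_params(content))
            elif rtype == FCGI_STDIN:                    # empty STDIN record ends the body
                stdin += content
        if req_id is None:
            raise ValueError("no FCGI_BEGIN_REQUEST")
        self.count += 1
        body = "This is coming from a FastCGI server.\nThis is connection number %d\nREQUEST_URI=%s\n" % (
            self.count, params.get("REQUEST_URI", ""))
        return (pack_record(FCGI_STDOUT, req_id, b"Content-Type: text/plain\r\n\r\n" + body.encode())
                + pack_record(FCGI_STDOUT, req_id)                   # empty record closes stdout
                + pack_record(FCGI_END_REQUEST, req_id, struct.pack("!IB3x", 0, FCGI_REQUEST_COMPLETE)))


def build_request(req_id, params, stdin=b""):
    """Record sequence a web server sends for one request (constructed test input)."""
    return (pack_record(FCGI_BEGIN_REQUEST, req_id, struct.pack("!HB5x", FCGI_RESPONDER, 0))
            + pack_record(FCGI_PARAMS, req_id, encode_params(params)) + pack_record(FCGI_PARAMS, req_id)
            + pack_record(FCGI_STDIN, req_id, stdin) + pack_record(FCGI_STDIN, req_id))


def serve(path="/var/www/run/fcgi.socket"):
    """Bind where httpd's chroot expects the socket and answer one request per connection."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)           # owner and group only; httpd's www user must be in the group
    srv.listen(16)
    responder = Responder()
    while True:
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(65536):
                buf += chunk
                if any(t == FCGI_STDIN and not c for t, _, c in unpack_records(buf)[0]):
                    break
            if buf:
                conn.sendall(responder.respond(buf))


if __name__ == "__main__":
    serve()
```

Run it as an unprivileged user before starting httpd, then request `/cgi-bin/anything`; httpd passes the request through the socket and relays the `Content-Type` header and body. If nothing is listening, httpd answers with the 500 seen in the post.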



pf: multiple reply-to rules; could it be done more simple?

2012-08-03 Thread Dr.-Ing. Torsten Finke
Dear List, 

my network is connected to the internet by three different DSL
connections. On connection my ISP always provides the same IP addresses, so
that each of them is effectively configured with a fixed IP address. These
connections are managed by my external firewall. 

Outbound traffic is load balanced via round robin on the three mpath default
routes. 

Since I run several services on my system (e.g. openvpn, which is actually
served by my internal firewall), I have to ensure that inbound traffic is
returned over exactly the connection the request came in on. This is done by
the following pf rules (openvpn handling as an example among others):

#---
ext_if0 = tun0
ext_if1 = tun1
ext_if2 = tun2
int_fw  = # my internal firewall's address
...

pass in quick on $ext_if0 proto udp from any to any port 1194 \
rdr-to $int_fw port 1194 reply-to ( $ext_if0 $ext_if0:peer )
pass in quick on $ext_if1 proto udp from any to any port 1194 \
rdr-to $int_fw port 1194 reply-to ( $ext_if1 $ext_if1:peer )
pass in quick on $ext_if2 proto udp from any to any port 1194 \
rdr-to $int_fw port 1194 reply-to ( $ext_if2 $ext_if2:peer )
#---

Is there any trick that avoids this rule definition for each connection? I
am trying to make the rules simpler and am also looking for a rule that is
independent of the actual connection state (if one of the connections is
broken, pfctl of course complains about an unreachable peer).

Has anyone tried something like this using pf anchors? 

Thank you for advice and thanks to the openbsd Team for their great work!


Torsten 



-- 

Dr.-Ing. Torsten Finke
torsten.fi...@igh-essen.com
Tel.: +49 201 / 36014-17

Ingenieurgemeinschaft IgH
Gesellschaft für Ingenieurleistungen mbH
Heinz-Bäcker-Str. 34
D-45356 Essen

Amtsgericht Essen HRB 11500
USt-Id.-Nr.: DE 174 626 722
Geschäftsführung: 
- Dr.-Ing. T. Finke, 
- Dr.-Ing. W. Hagemeister
Tel.: +49 201 / 360-14-0
http://www.igh-essen.com

GnuPG-Key: 1024D/8F2300D8
Fingerprint: B929 7FA5 4D2E E9B6 C55C  8A0B 7DF4 86E9 8F23 00D8
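The three rules above differ only in the interface name, and the second problem raised (pfctl rejecting a reply-to whose peer is down) is a consequence of keeping them in the static main ruleset. As an added example, not from the post and not an OpenBSD script, the following sh script generates the per-link rdr-to/reply-to rules from one list of interfaces and loads them into a pf anchor, so that only the links that are currently up are loaded and the anchor can be regenerated from the ppp.linkup/ppp.linkdown hooks the poster already uses. It assumes the pf.conf(5) syntax shown in the post, that the main ruleset contains `anchor "mpath"` at the point where these rules should apply, that uplinks are point-to-point interfaces (ifconfig shows `inet A --> B`), and the hypothetical install path `/etc/pf-mpath.sh`.

```shell
#!/bin/sh
# Added example, not from the list post: generate the per-uplink rdr-to/reply-to
# rules from one list of interfaces and load them into a pf anchor.
# Assumptions: pf.conf(5) syntax as in the post; the main ruleset contains
#   anchor "mpath"
# and ppp.linkup / ppp.linkdown run (hypothetical path):
#   shell /etc/pf-mpath.sh load 10.0.0.2 1194 tun0 tun1 tun2
# with the internal firewall address, the port, and every uplink interface.

# rules_for IF INT_FW PORT: print the two-line rule for one uplink
rules_for() {
    printf 'pass in quick on %s proto udp from any to any port %s \\\n' "$1" "$3"
    printf '\trdr-to %s port %s reply-to ( %s %s:peer )\n' "$2" "$3" "$1" "$1"
}

# ruleset INT_FW PORT IF...: print the rules for every interface given
ruleset() {
    _fw=$1 _port=$2
    shift 2
    for _if in "$@"; do
        rules_for "$_if" "$_fw" "$_port"
    done
}

# link_is_up IF: true when the point-to-point interface has a peer address
link_is_up() {
    ifconfig "$1" 2>/dev/null | grep -q 'inet .* --> '
}

# load_anchor INT_FW PORT IF...: replace the anchor's rules with those for the
# links that are up; a down link is left out, so pfctl never sees a reply-to
# whose peer cannot be resolved
load_anchor() {
    _fw=$1 _port=$2
    shift 2
    _up=
    for _if in "$@"; do
        link_is_up "$_if" && _up="$_up $_if"
    done
    # $_up is split into words on purpose
    ruleset "$_fw" "$_port" $_up | pfctl -a mpath -f -
}

case "${1:-}" in
    load) shift; load_anchor "$@" ;;   # needs root and a running pf
    show) shift; ruleset "$@" ;;       # print the rules for inspection
esac
```

`sh /etc/pf-mpath.sh show 10.0.0.2 1194 tun0 tun1 tun2` prints the same three rules the post lists; `load` filters them by link state and replaces the anchor in one pfctl call, so the main ruleset never has to change when a DSL line drops.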




Defining two vpn's in ipsec.conf with different crypto

2012-06-26 Thread sigge torsten
hi, I've setup a roadwarrior ipsec/l2tp (undeadly guide) that worked fine
until I made some new rules in ipsec.conf in order to get a vpn-connection to
a FreeBSD machine to work.
My ipsec.conf looks like this. When connecting from a roadwarrior IP it still
goes to the crypto that is supposed to be for the obsd-fbsd connection. Is it
possible to have two different crypto definitions like this?

# cat /etc/ipsec.conf
# macros
#
ext_if = em0
local_net = 10.11.12.0/24
remote_gw = 85.23.19.11
remote_nets = 192.168.1.0/24

#win7 android etc.
ike passive esp transport \
        proto udp from 98.10.x.x to any port 1701 \
        main auth hmac-sha1 enc 3des group modp2048 \
        quick auth hmac-sha1 enc aes \
        psk lamas

#obsd-freebsd
ike esp from $local_net to $remote_nets peer $remote_gw \
        main auth hmac-sha1 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048
best regards



remotely provide entropy

2012-03-13 Thread Torsten Valentin
Hi!

I have a couple of machines that run as VM and are lacking good entropy
data. I was wondering if there is a way of feeding the local random
number pool of a VM with entropy that was generated on a hardware random
number generator on a physical machine.

I thought the hardware random number generator could constantly fill up
its own pool and whenever a VM needs entropy, it could connect to the
hardware, retrieve some randomness (fill up its own random number pool).

I can set up the hardware random number generator but I don't know how
to fill OpenBSD's own entropy data stack.

It's not as easy as cat randomnumbersfile > /dev/random, is it?

Thanks in advance!

T.
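On OpenBSD, data written to /dev/random is mixed into the kernel pool (random(4)), so the `cat file > /dev/random` idea is the right shape for the VM side. What the question leaves open is how the bytes get from the hardware RNG to the VM without someone on the path choosing them: mixing attacker-chosen input into a pool does not remove the entropy already there, but a VM that is short of entropy gains nothing from bytes an attacker also knows, so the transport needs at least authentication and replay protection. The following is an added example, not from the post: both ends of such a transfer in Python, with the physical host wrapping each batch in a sequence number and an HMAC-SHA256 tag, and the VM verifying the tag, rejecting replays, and only then writing to /dev/random. It assumes a pre-shared 32-byte key on both machines (a constructed constant here), uses `os.urandom` as a stand-in for the hardware RNG, and leaves the actual network channel (ssh, TLS, a serial line) out.

```python
"""Authenticated entropy feed from a hardware-RNG host into a VM (added example)."""
import hashlib
import hmac
import os
import struct

KEY = bytes(range(32))          # constructed stand-in for a real pre-shared secret
TAG_LEN = 32                    # HMAC-SHA256 output length
HDR = struct.Struct("!QH")      # sequence number, payload length


def hwrng_read(n):
    """Stand-in for reading n bytes from the hardware RNG on the physical host (constructed)."""
    return os.urandom(n)


def package(seq, payload, key=KEY):
    """Host side: seq || len || payload || HMAC-SHA256(key, seq || len || payload)."""
    body = HDR.pack(seq, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class EntropyClient:
    """VM side: verifies envelopes; a bad tag, a short message, or a reused
    sequence number is rejected before anything reaches the pool."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = -1

    def unwrap(self, msg):
        if len(msg) < HDR.size + TAG_LEN:
            raise ValueError("short message")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("bad MAC")
        seq, n = HDR.unpack_from(body)
        if len(body) != HDR.size + n:
            raise ValueError("length mismatch")
        if seq <= self.last_seq:
            raise ValueError("replayed sequence number %d" % seq)
        self.last_seq = seq
        return body[HDR.size:]

    def feed(self, msg, pool="/dev/random"):
        """Verify one envelope and mix its payload into the kernel pool; returns bytes written."""
        data = self.unwrap(msg)
        return mix_into_pool(data, pool)


def mix_into_pool(data, path="/dev/random"):
    """Write into the pool device; the kernel mixes, it does not replace, so this is
    additive and safe to call with data of uncertain quality."""
    with open(path, "wb", buffering=0) as f:
        return f.write(data)


if __name__ == "__main__":
    client = EntropyClient()
    for seq in range(1, 4):                       # three batches from the host side
        envelope = package(seq, hwrng_read(64))   # would travel over the network
        print("mixed", client.feed(envelope), "bytes, seq", client.last_seq)
```

Keep the host-side counter persistent across restarts (or derive it from time) so a restarted host does not reuse sequence numbers the VM has already seen; the VM treats anything at or below its last accepted number as a replay.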



Re: Multiple ISP-connections/Routing/Packet filtering

2012-01-13 Thread Dr.-Ing. Torsten Finke
Dear Ken, 

On Thu, Jan 12, 2012 at 01:05:10PM -0500, Kenneth Gober wrote:
 On Tue, Jan 10, 2012 at 1:41 PM, Dr.-Ing. Torsten Finke 
 torsten.fi...@igh-essen.com wrote:
 
  On my firewall I have TWO different internet connections. It is simple to
  forward - for instance ssh -
  from both connections to an internal machine. Now this machine answers and
  the
  firewall sends the reply back. How can I force the firewall to send the
  reply
  over exactly that interface the request came in? The problem is that the
  client anywhere on the internet expects the answer from the very address it
  had contacted. If now the reply comes from another address, it will get
  lost.
 
 
 I am doing this using OpenBSD 4.6, without any apparent problems, using the
 following syntax:
 
 pass in log quick on $pri inet proto tcp to ($pri) port 1194
 pass in log quick on $sec reply-to $sec inet proto tcp to ($sec) port 1194

great! I thought it to this simple.

May I ask about your routing? For this to work I consider you should have
multipath routing. You call your interfaces $pri and $sec. Are they configured
differently? 

The pf.conf(5) man page says, that reply-to is useful only in rules that
create state. Do you manage state by some other rule before? 

 Unfortunately, the pf.conf syntax has changed since v4.6 and while I do
 plan to upgrade my
 own firewall to v5.0 (I've bought the CD already) I haven't yet had time to
 perform the upgrade.
 As a result, I haven't worked out what the equivalent 'modern' syntax would
 be, but you might
 be able to get some hints from what I'm using in v4.6.

Yes! 

Concerning syntax I did some tests. The following rule is syntactically
correct (in the sense that it is accepted by pf, at least on 4.8):

   pass in on $vpn_if inet proto udp from any to any port 1194 \
keep state reply-to ( $vpn_if $vpn_if:peer )

I think this can be done simpler. 


Thanks a lot for your advice


Torsten





 
 -ken

-- 

Dr.-Ing. Torsten Finke
torsten.fi...@igh-essen.com
Tel.: +49 201 / 36014-17

Ingenieurgemeinschaft IgH
Gesellschaft für Ingenieurleistungen mbH
Heinz-Bäcker-Str. 34
D-45356 Essen
Amtsgericht Essen HRB 11500
USt-Id.-Nr.: DE 174 626 722
Geschäftsführung: 
- Dr.-Ing. S. Rotthäuser, 
- Dr.-Ing. T. Finke, 
- Dr.-Ing. W. Hagemeister
Tel.: +49 201 / 360-14-0
http://www.igh-essen.com




Re: Multiple ISP-connections/Routing/Packet filtering

2012-01-11 Thread Dr.-Ing. Torsten Finke
Hello Russell, 

On Wed, Jan 11, 2012 at 07:46:59AM -0500, Russell Garrison wrote:
 Have you considered routing domains?


no I have not. According to your hint I started to study their concept, but
have not found a description that would meet my situation. 


Thanks for your idea and 

best regards


Torsten



Multiple ISP-connections/Routing/Packet filtering

2012-01-10 Thread Dr.-Ing. Torsten Finke
Dear List, 

Here I show my network topology. Maybe it seems quite typical. My
internal network is located behind an Intl/Extl Firewall which is
connected to the Internet(IN) via pppoe/ppp(8). On the other side I run
different systems, for instance a home office network, a mobile laptop,
and several customers.


+---+ +---+
| A | | B | (PC)
+-+-+ +-+-+
  | |   +-+
--+-+---| Intl FW |---(DMZ)---+
(LAN/int)   +-+   |
  |
  +---+
  |  +---+
  |      | Z | (PC)
  |  ()  +---+
  |  +-+ pppoe/ppp(8) +---+  ()  ++|
  |  | |--| DSL-Modem |--()--| GW |+-
  |  | | rl0/tun0 +---+  ()  ++  (HomeOffice)
  +--| Extl FW | ( IN )  +--+
 | | pppoe/ppp(8) +---+  ()--| Customer |
 | |--| DSL-Modem |--()  +--+
 +-+ rl1/tun1 +---+  ()  ++
 OpenBSD 4.8 ()--| Mobile |
 ++

My question is about the setup of routing and packet filtering on the
External Firewall:

How can I force my Extl. FW to reply on exactly the same interface it
had been requested on?  For example I am running OpenVPN(1194/UDP)
between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I
would appreciate SSH-portforwarding from Internet to the Intl. FW.

I tried using route-to and reply-to, but that did not work -
PF.CONF(5) says this should do, but I could not figure out, how. I did
not understand how route-to and reply-to actually work (could
not find any explanation, though I have tried hard to search for).

Everything else (NAT, outbound load balancing, filtering) works just
fine. 

My routing is:

default  XXX.X.XX.XXXUGSP   2   101853 - 8 tun0
default  XXX.X.XX.XXXUGSP   0  988 - 8 tun1

I manage my multipath routes (net.inet.ip.multipath=1) via
- ppp.linkup:
MYADDR:
  shell route add -mpath default HISADDR

- ppp.linkdown
MYADDR:
  shell route delete -mpath default HISADDR

What I tried in pf.conf is:

   pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
   pass in on tun1 all keep state reply-to ( tun1 tun1:peer )

Asking PF statistics (pfctl -v -s rules) shows that no packet has been
operated by those reply-to rules.

Since I consider PF a brilliant concept I would really appreciate any
hint that would help. Thanks to all OpenBSD developers for their great
work and thanks for any advice.


Best regards

Torsten


-- 

Torsten Finke
f...@igh-essen.com




Re: Multiple ISP-connections/Routing/Packet filtering

2012-01-10 Thread Dr.-Ing. Torsten Finke
Hello Jorge, 

 If i understood you well, the answer to your question is here !
 
 
 http://www.openbsd.org/faq/pf/pools.html
 
 Under the section Load Balancing outgoing traffic, or take a look at:
 
 http://www.openbsd.org/faq/faq6.html#Multipath
 
 
 There are good examples there !
 
 I hope this can help !

thank you for this. The FAQ on pools has nice examples but none of them really
faces my problem. It discusses load balancing of incoming traffic to several
servers as well as load balancing of outgoing traffic. I cannot figure out how
to dispatch replies to incoming requests over different connections.

The FAQ on multipath has helped me very well to set up multiple default routes
- this works very well.

Best regards

Torsten



--

Torsten Finke
f...@igh-essen.com




Re: Multiple ISP-connections/Routing/Packet filtering

2012-01-10 Thread Dr.-Ing. Torsten Finke
Hello Jorge, 

 I read again your mail and now i'm lost !
 
 You Wrote:
 
 How can I force my Extl. FW to reply on exactly the same interface it
   had been requested on?  For example I am running OpenVPN(1194/UDP)
   between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I
   would appreciate SSH-portforwarding from Internet to the Intl. FW. 
 
 
 SSH port forwarding from internet to Internal server is something like :
 
 ext_if=vr0
 ext_ip=1.2.3.4
 Spvt= 4.5.6.7
 
 match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt
 
 pass in on $ext_if proto tcp from any to $Spvt port 22
 pass out on $int_if proto tcp from any to $Spvt port 22
 
 
 
 
 The above line redirects all traffic coming from any place in internet to
 my external IP ( 1.2.3.4) to the server  4.5.6.7 which is located in my
 internal lan, in other words the packet comes in on external interface ,
 goes out on internal interface ..
 
 These works on OpenBSD 4.8 or newer !
 
 Is this what you need ?

no. Obviously I have not explained clearly what my problem is. 

On my firewall I have TWO different internet connections. It is simple to 
forward - for instance ssh -
from both connections to an internal machine. Now this machine answers and the
firewall sends the reply back. How can I force the firewall to send the reply
over exactly that interface the request came in? The problem is that the
client anywhere on the internet expects the answer from the very address it
had contacted. If now the reply comes from another address, it will get lost. 


Best regards

Torsten




Re: how to find dependencies when building a new kernel

2011-11-30 Thread Torsten Valentin
 dmesg is the lazy way to get this info, the same info is written to
 /var/log/messages during boot.  Are you saying your system is so
 stripped down you don't even log anything?

Yep. And because the only persistent memory is Flash (32MB, which
quickly dies if you permanently write to it), the whole system runs
inside a RAMDISK only. And there is no terminal or ssh. Modifying the
system means setting up a new system with modified /sbin/init each time.

Hard to believe, I know, but what people do with OpenBSD is sometimes
quite different from what you know from usual systems. I said it's
embedded stuff. I said hardware cannot be changed. I said I cannot
easily provide this info. There certainly is a way, but it's not worth
the effort.

I can provide a dmesg from a virtual machine that we use for testing
purposes, but obviously that's not the same as the system that the
kernel is going to be running on later in production environment. But,
hey, yet, I haven't been able to compile the kernel on this testing
machine, either. I explain this so elaborately because I know I'd
otherwise get replies like: What did you tell us about having little
memory and such, this is a usual virtual machine and therefore you've got
no need to use a custom kernel... ;-) You know what I mean... My goal
is to have kernel config files that will do on both, the virtual machine
for testing and the production environment. Being able to compile a
custom kernel on this VM would be a good first step. From there on I
could add the drivers I need on the production machine and that way get
closer to a final solution...

I'm very curious how dmesg will help...

OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz (GenuineIntel
686-class) 3 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,SSSE3,CX16,SSE4.1
real mem  = 267907072 (255MB)
avail mem = 253472768 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/22/09, BIOS32 rev. 0 @ 0xfd780,
SMBIOS rev. 2.4 @ 0xe0010 (98 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 09/22/2009
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3)
S3F0(S3) S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) Z00P(S3)
Z00Q(S3) Z00R(S3) Z00S(S3) Z00T(S3) Z00U
(S3) Z00V(S3) Z00W(S3) Z00X(S3) Z00Y(S3) Z00Z(S3) Z010(S3) Z011(S3)
Z012(S3) Z013(S3) Z014(S3) Z015(S3) Z016(S3) Z017(S3) Z018(S3) Z019(S3)
Z01A(S3) Z01B(S3) P2P1(S3) S1F0(S3) S2F
0(S3) S3F0(S3) S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3)
Z00P(S3) Z00Q(S3) Z00R(S3) Z00S(S3) Z00T(S3) Z00U(S3) Z00V(S3) Z00W(S3)
Z00X(S3) Z00Y(S3) Z00Z(S3) Z010(S3) Z0
11(S3) Z012(S3) Z013(S3) Z014(S3) Z015(S3) Z016(S3) Z017(S3) Z018(S3)
Z019(S3) Z01A(S3) Z01B(S3) P2P2(S3) S1F0(S3) S2F0(S3) S3F0(S3) S4F0(S3)
S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S
9F0(S3) Z00P(S3) Z00Q(S3) Z00R(S3) Z00S(S3) Z00T(S3) Z00U(S3) Z00V(S3)
Z00W(S3) Z00X(S3) Z00Y(S3) Z00Z(S3) Z010(S3) Z011(S3) Z012(S3) Z013(S3)
Z014(S3) Z015(S3) Z016(S3) Z017(S3)
Z018(S3) Z019(S3) Z01A(S3) Z01B(S3) P2P3(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) Z00P(S3) Z00Q(S3)
Z00R(S3) Z00S(S3) Z00T(S3) Z00U(S3)
 Z00V(S3) Z00W(S3) Z00X(S3) Z00Y(S3) Z00Z(S3) Z010(S3) Z011(S3) Z012(S3)
Z013(S3) Z014(S3) Z015(S3) Z016(S3) Z017(S3) Z018(S3) Z019(S3) Z01A(S3)
Z01B(S3) PE40(S3) S1F0(S3) PE50(S3
) S1F0(S3) PE60(S3) S1F0(S3) PE70(S3) S1F0(S3) PE80(S3) S1F0(S3)
PE90(S3) S1F0(S3) PEA0(S3) S1F0(S3) PEB0(S3) S1F0(S3) PEC0(S3) S1F0(S3)
PED0(S3) S1F0(S3) PEE0(S3) S1F0(S3) PE41(S
3) S1F0(S3) PE42(S3) S1F0(S3) PE43(S3) S1F0(S3) PE44(S3) S1F0(S3)
PE45(S3) S1F0(S3) PE46(S3) S1F0(S3) PE47(S3) S1F0(S3) PE51(S3) S1F0(S3)
PE52(S3) S1F0(S3) PE53(S3) S1F0(S3) PE54(
S3) S1F0(S3) PE55(S3) S1F0(S3) PE56(S3) S1F0(S3) PE57(S3) S1F0(S3)
PE61(S3) S1F0(S3) PE62(S3) S1F0(S3) PE63(S3) S1F0(S3) PE64(S3) S1F0(S3)
PE65(S3) S1F0(S3) PE66(S3) S1F0(S3) PE67
(S3) S1F0(S3) PE71(S3) S1F0(S3) PE72(S3) S1F0(S3) PE73(S3) S1F0(S3)
PE74(S3) S1F0(S3) PE75(S3) S1F0(S3) PE76(S3) S1F0(S3) PE77(S3) S1F0(S3)
PE81(S3) S1F0(S3) PE82(S3) S1F0(S3) PE8
3(S3) S1F0(S3) PE84(S3) S1F0(S3) PE85(S3) S1F0(S3) PE86(S3) S1F0(S3)
PE87(S3) S1F0(S3) PE91(S3) S1F0(S3) PE92(S3) S1F0(S3) PE93(S3) S1F0(S3)
PE94(S3) S1F0(S3) PE95(S3) S1F0(S3) PE
96(S3) S1F0(S3) PE97(S3) S1F0(S3) PEA1(S3) S1F0(S3) PEA2(S3) S1F0(S3)
PEA3(S3) S1F0(S3) PEA4(S3) S1F0(S3) PEA5(S3) S1F0(S3) PEA6(S3) S1F0(S3)
PEA7(S3) S1F0(S3) PEB1(S3) S1F0(S3) P
EB2(S3) S1F0(S3) PEB3(S3) S1F0(S3) PEB4(S3) S1F0(S3) PEB5(S3) S1F0(S3)
PEB6(S3) S1F0(S3) PEB7(S3) S1F0(S3) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock 

Re: how to find dependencies when building a new kernel

2011-11-30 Thread Torsten Valentin
 Would you be able to use TFTP to try booting test kernels off a
 remote machine? 

Nope. I try every attempt with a hardware flash drive which I generate
for that test machine. But I've got to get the kernel basically running
on my test VM, then another not that damn small hardware. Once this is
working, I just need to add one more network driver or so and that
should be it. At least it worked for me in the past.



Re: how to find dependencies when building a new kernel

2011-11-29 Thread Torsten Valentin
 welcome to the ignore list of many developers.  You aren't even
 following directions on how to hurt yourself properly without wasting
 people's time.

I always found that people waste my time when they write explanations
and tons of bla bla that does not have to do with the issue itself,
instead of just writing about what the problem really is.

Because of the permanent repeating of USE THE GENERIC KERNEL instead
of answering any questions that have to do with my problem:

Total available disk space on the target system: 32MB

The GENERIC Kernel of OpenBSD 5.0 is 8MB.

I really do a lot to save every bit I can. I delete all programs that
are not constantly needed from disk and compress seldom used programs
and have wrappers that unzip these compressed in case they are needed.
And so on. I don't want to bore you with details, but just take this: I
need it and ...

 I probably have a lesser machine in production.

I'd go for that bet!


And pllleeaeee don't come up now with use different
hardware!!!

There are hundreds of things to think about when it comes to the
hardware you'd be using for a certain purpose. And please don't make me
explain why exactly this hardware is needed for this purpose.

I've got all that running perfectly since OpenBSD 3.5. I've used custom
kernels with success ever since, but with always spending a lot of time
fiddling with which driver to use and which to get rid of. Now I'd like
to find a more convenient way to generally solve this issue.

If you guys say that there is no convenient way of solving this problem
but to really dig into this and completely understand the architecture -
then I still believe that I'll find a working config by fiddling around
and trying this and that until I succeed. I just hoped I'd get a hint
how to ease this process.

T.



Which drivers are required for proper system functioning? (was: how to find dependencies when building a new kernel)

2011-11-29 Thread Torsten Valentin
 So why don't you show us the dmesg
 of the most recent kernel that worked for you?

Because I don't see what that has to do with the issue. I'm not looking
for that one line that's missing in my current config files. I'm not
hoping for someone to tell me that I should include line #5 and then it
will work.

Instead I was hoping to learn a way how to find out myself which lines
must be included (and which in my case don't need to). Quite what Andres
Perera explained in his first reply. Just that Andres' explanation
obviously cannot be the complete answer or at least I didn't fully
understand it.

To really get a minimal kernel, I'm going bottom up, not top down. I'm
not deleting lines from GENERIC but I'm copying lines from GENERIC to
an empty file. So there is no go back one step to where it worked the
last time.

Though it might be a lot of work, there must be a solution to this issue.

 The npx driver is required for proper system functioning regardless
 of whether or not an NPX is present.
 
 so there's no 1:1 mapping between the devices you have and the ones
 you may need included in the kernel config. could potentially apply to
 other drivers, so why waste time figuring out which ones fall under
 this category and which ones don't?

To me it seems like this is the real question that I'm facing: To which
drivers does this apply?

Anyway, thanks to you all for your patience and attempts to help.

Also please understand that it will not help if I explained why there is
no way to use GENERIC and why the hardware cannot be changed. That would
be a long story which in the end would lead to nothing... except wasting
time.
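The bottom-up approach described above (copy lines from GENERIC into an empty config until the machine boots) has a mechanical part that can be automated: a dmesg records every driver that attached and what it attached to, and each `dev* at parent?` line in GENERIC names exactly that pair. The following is an added example, not from this thread and not an OpenBSD tool: it parses a dmesg into a driver-to-parent map and keeps only the GENERIC attachment lines that map supports, leaving `option`, `include` and `pseudo-device` lines alone for hand pruning. It assumes the `dev0 at parent0` dmesg format and the `dev* at parent?` config syntax as seen on this page; the sample dmesg lines are taken from the dmesg in the thread and the GENERIC excerpt is a constructed fragment in that syntax, not the real file. The only "always required" driver it knows about is npx, because the thread quotes GENERIC saying so; any other driver in that category still has to be found by booting, which is the open question the post raises.

```python
"""Select GENERIC attachment lines from a dmesg (added example, not from the thread)."""
import re

DMESG_ATTACH = re.compile(r"^([a-z]+)\d+ at (?:(root)|([a-z]+)\d+)")      # "acpitimer0 at acpi0: ..."
CONFIG_ATTACH = re.compile(r"^([a-z]+)[0-9*]*\s+at\s+([a-z]+)[0-9*?]*")  # "acpitimer* at acpi?"
ALWAYS_KEEP = {"npx"}   # the GENERIC comment quoted in the thread; extend as you find more

SAMPLE_DMESG = """\
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/22/09, BIOS32 rev. 0 @ 0xfd780,
acpi0 at bios0: rev 2
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
"""  # lines from the dmesg posted in the thread

SAMPLE_GENERIC = """\
machine\t\ti386
include\t\t"../../../conf/GENERIC"
maxusers\t80
option\t\tUSER_PCI
mainbus0 at root
bios0\tat mainbus0
acpi0\t\tat bios?
acpitimer*\tat acpi?
acpimadt0\tat acpi?
cpu0\tat mainbus0
npx0\tat isa? port 0xf0 irq 13
pciide*\tat pci? flags 0x0000
wd*\tat wdc? flags 0x0000
pseudo-device\tloop
"""  # constructed excerpt in GENERIC syntax, not the real file


def attached_drivers(dmesg):
    """Map driver name -> set of parent driver names it attached to in this dmesg."""
    drivers = {}
    for line in dmesg.splitlines():
        m = DMESG_ATTACH.match(line.strip())
        if m:
            drivers.setdefault(m.group(1), set()).add(m.group(2) or m.group(3))
    return drivers


def select_config(generic, drivers):
    """Keep every non-attachment line; keep an attachment line only when the dmesg
    shows that driver attaching to that parent, or the driver is always needed."""
    kept = []
    for line in generic.splitlines():
        m = CONFIG_ATTACH.match(line)
        if m is None:
            kept.append(line)         # machine/include/option/pseudo-device: prune by hand
            continue
        dev, parent = m.group(1), m.group(2)
        if dev in ALWAYS_KEEP or parent in drivers.get(dev, ()):
            kept.append(line)
    return kept


def dropped_config(generic, drivers):
    """The attachment lines select_config() left out, for review before trusting the result."""
    kept = set(select_config(generic, drivers))
    return [line for line in generic.splitlines() if line not in kept]


if __name__ == "__main__":
    drv = attached_drivers(SAMPLE_DMESG)
    for line in select_config(SAMPLE_GENERIC, drv):
        print(line)
    print("# dropped:", ", ".join(dropped_config(SAMPLE_GENERIC, drv)))
```

Feed it the real GENERIC and a dmesg from the target hardware (or from the test VM, to get that booting first, as the post proposes) and review the dropped list; a line that is dropped because the device was absent at boot, such as a USB device that was not plugged in, is the kind of omission that only shows up later.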



Re: Thanks Jacek Artymiak: Book PDF's

2010-04-23 Thread Torsten Schuchort
Mark Smith schrieb:
 On Thu, Apr 15, 2010 at 5:10 PM, Bill Dunshie gho...@suddenlink.net wrote:
 
 A huge Thanks to Jacek Artymiak for the PDF's of Building Firewalls with
 OpenBSD and PF, 3rd ed. and  The OpenBSD Command-LineCompanion. The wait
 was worth it !!!


 Link or didn't happen.
 
@mark: sorry for the pm


http://www.devguide.net/books/bfwoap3

but there is no contact with Jacek Artymiak; I paid for the PDF and
didn't get the book. Thanks to PayPal I got my money back, while Jacek
and devguide.net (that's Jacek, too) didn't reply to my mails.
So I will not buy this record, because it's scratched.

German notice from the shop, translated:

ATTENTION: Contact with the publisher has completely broken off at present.
We therefore unfortunately cannot determine at the moment whether and when
this book will be published.

http://www.lob.de/cgi-bin/work/framesetneu?flag=new&frame=yes&id=4bd15dfd6b119



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-07-14 Thread Torsten Frost
On Fri, Jul 11, 2008 at 11:47 PM, Martín Coco
[EMAIL PROTECTED] wrote:
 Hi misc,

 I'm currently looking for hardware alternatives for firewalls that should
 have more than four NICs.

 Currently we are buying R200s from Dell, but we have the 4 NIC limitation.
 We could tell Dell to install a quad port NIC (in addition to the two-port
 onboard card), but I haven't read good things about the way they work.

 I've also looked into soekris, but they don't seem to have enough CPU for
 what we want (this is pure speculation) as we also have intense IPSec
 traffic on some of these firewalls (I've seen that some of them could have
 encryption boards added to increase performance, but I don't know if it
 works for any kind of protocol, or at what rate).

 In any case, what I would like to have is firewalls with multiple NICs (at
 least 6 NICs) *and* sufficient CPU to let IPSec work alright at least at
 ~50Mbps (internal backbone firewalls). The multiple NICs are to use trunk,
 pfsync, real network interfaces, etc.

 Thanks,
 Martín.




We run a pair of Dell 1950s and have been generally happy with them.

We run one dual port Intel card and the two built-in ports, no problem
pushing about 400mbit. The Intel cards have worked OK for us for years now
in various versions.

You can configure the box with two dual NICs or two quad NICs on the Dell
web.



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-07-14 Thread Torsten Frost
Never done the quad in my machines. I haven't heard of anyone getting
fired over it either though.

A quick check on Dell's web indicates you have two PCI-e slots in those
R200s, why not get two dual NICs.

On Mon, Jul 14, 2008 at 8:28 PM, Martín Coco
[EMAIL PROTECTED] wrote:
 Thanks!

 Have you tried the quad nics on those Dells? We do have a couple of R200s,
 860s and 850s running with 2 dual port cards no problem, but we have never
 tried the quad ports.

 Torsten Frost wrote:

 On Fri, Jul 11, 2008 at 11:47 PM, Martín Coco
 [EMAIL PROTECTED] wrote:

 Hi misc,

 I'm currently looking for hardware alternatives for firewalls that should
 have more than four NICs.

 Currently we are buying R200s from Dell, but we have the 4 NIC
 limitation.
 We could tell Dell to install a quad port NIC (in addition to the
 two-port
 onboard card), but I haven't read good things about the way they work.

 I've also looked into soekris, but they don't seem to have enough CPU for
 what we want (this is pure speculation) as we also have intense IPSec
 traffic on some of these firewalls (I've seen that some of them could
 have
 encryption boards added to increase performance, but I don't know if it
 works for any kind of protocol, or at what rate).

 In any case, what I would like to have is firewalls with multiple NICs
 (at
 least 6 NICs) *and* sufficient CPU to let IPSec work alright at least at
 ~50Mbps (internal backbone firewalls). The multiple NICs are to use
 trunk,
 pfsync, real network interfaces, etc.

 Thanks,
 Martín.




 We run a pair of dell 1950s and have been generally happy with them.

 We run one dual port intel card and the two build in ports,  no
 problem pushing about
 400mbit. The intel cards have worked ok for us for years now in
 various versions.

 You can configure the box with two dual nics or two quad nics on the dell
 web.



Re: scsi disk i/o hanging 4.3 system

2008-06-28 Thread Torsten Frost
I have a few machines with the same behavior. The boxes run fine unless you
tax them with things like unpacking ports, du on a large tree or dd'ing some
/dev/zero to disk. The 1950 can route 400mbit ethernet with no problems for
weeks if you don't mess with the disks, so I guess the hardware is
reasonably unbroken.


Broken hardware or some driver/chipset issue?


Dell 1950 with a PERC5 raid1 SATA 160gb mirror. 4.2-RELEASE

A 300mb dd write makes an unkillable process. Outputs a few sd0: not
queued, error 5 lines.


Recently flashed the card to the latest firmware. Behaves somewhat better.

Happens with a single drive too.

Needs rebooting to be able to write to the
drive after it has started to behave.
Takes forever to unpack ports.tar.gz, I aborted the unpacking after 20
minutes and about 100mb unpacked.
Is at least stable, doesn't die, just writes to the disk really slowly.
Like previous poster, unkillable processes and weird behaviour. Needs
rebooting to be able to write to the
drive after it has started to behave.

-

Dell 1750 scsi

Our two 1750 SCSI boxes work fine though. They don't seem to crash from dd.

-



Re: scsi disk i/o hanging 4.3 system

2008-06-28 Thread Torsten Frost
I guess the previous message got garbled somehow.




Dell 1950 with a PERC5 raid1 SATA 160gb mirror. 4.2-RELEASE

A 300mb dd write makes an unkillable process. Outputs a few sd0: not
queued, error 5 lines.


Recently flashed the card to the latest firmware. Behaves somewhat better.

Happens with a single drive too.

Needs rebooting to be able to write to the
drive after it has started to behave.
Takes forever to unpack ports.tar.gz, I aborted the unpacking after 20
minutes and about 100mb unpacked.
Is at least stable, doesn't die, just writes to the disk really slowly.
Like previous poster, unkillable processes and weird behaviour. Needs
rebooting to be able to write to the
drive after it has started to behave.

-

Dell 1750 scsi

Our two 1750 SCSI boxes work fine though. They don't seem to crash from dd.

-



Solved: cron - setusercontext failed for root

2008-04-28 Thread Torsten
The system 
is VERY much stripped down to the absolute necessary files only.
Then it's no longer OpenBSD 


It can be discussed if an OS where I delete certain files cannot be 
called by its original name anymore.


Anyway, I found that cron needs /etc/login.conf though that file is not 
mentioned in any documentation.




Re: Solved: cron - setusercontext failed for root

2008-04-28 Thread Torsten

Are you serious? You break things by removing an essential, documented
file and then complain? 


It's obvious that I must be dumb. I wasn't smart enough to find out that 
running a program by schedule (which cron does) _must_ have something to 
do with the _login_ process, which login.conf is obviously related to!!! 
As if that wasn't obvious!!! ;-)


Stupid as I am I thought that documentation of cron would point to the 
files that cron relies upon. Or at least, if it finds a file missing, it 
would tell me which one it is. Stupid me! ;-)



 Please stop wasting our time.

And after not finding a solution by reading documentation and trying all 
sorts of debugging options, I was so stupid to ask this ML if someone 
has an idea which files cron would need. I'm so sorry to have wasted 
your precious time! Again: stupid me! I apologize.


Anyway, I'm glad Stuart Henson was kind enough to point an obvious idiot 
like me also to setusercontext(3), which finally led me to find cron is 
missing login.conf. @Stu: Thanks a lot!




Re: Solved: cron - setusercontext failed for root

2008-04-28 Thread Torsten

If you start breaking stuff by removing files without the knowledge
how things work, you should expect harsh treatment from this list.
What's next, sombody complaining he cannot login because he removed
the passwd file? 


Without any irony: I'm sorry if I didn't make things clear enough! The 
problem here is that you understood I'd be complaining, which I really 
wasn't! I was just asking! And I still think I asked questions that are 
somewhat valid, though I must admit, not in normal situations.


My project is an embedded system which has certain requirements that do 
not meet in a normal setup. So, yes, there may come up very special 
requirements where I could even imagine that /etc/passwd must be removed 
(not that I'm about to do that). I don't see why it shouldn't be valid 
to ask which files a certain program relies upon.


Anyway: I got you.



Re: Solved: cron - setusercontext failed for root

2008-04-28 Thread Torsten

Yes, it is *totally* obvious if you actually know what you're doing.


Well, I didn't say I know exactly what I'm doing. If everybody always 
knew exactly what they're doing, this ML would be obsolete, wouldn't it?


Thanks a lot for your explanations (no irony! I've learned from it!)!!! 
That helps me ask fewer stupid questions in the future.



You don't have to know about it, but if you start deleting 


Well I didn't tell yet, the idea is the other way round. I build up this 
embedded system from scratch by putting the files that I need together, 
not by deleting files from a full install. So I didn't delete anything, 
I just didn't copy enough files together. That's not stupid at all, it's 
a design-question. The design is as minimalistic as can be, it says that 
the resulting system should not have _any_ obsolete files at all. So 
that's why I set it up this way. I know it's not common and I know it's 
not pure OpenBSD anymore, but there's nothing non-OpenBSD in it. And 
yes: It's my lack of knowledge and I didn't mean to hide that at any time.




If you don't know what you're doing, don't do it.


The world would be better if everybody would admit to this. But wouldn't 
this be boring? ;-)




cron also relies on the dynamic linker and its related files. You
didn't delete those, did you ?


No, when I first tried to use a program that missed a lib, it told me so 
and I could go and copy that file to my target system. It's easy when a 
program tells you why it is in trouble.




What should we do with the next guy that deletes this stuff thinking
he doesn't need it and neglects to tell us when he comes here asking
for help ? 


Try to help him. What else? Why would you read this ML if not to help 
others that don't get along with whatever they do with OpenBSD? You guys 
helped me, too: Stuart's hint indirectly pointed me to login.conf. If you 
don't want to help, then just don't do it. So I don't see any problem here.




You didn't know the importance of login.conf and you burn your fingers
deleting it. Don't blame others for it, 


I didn't intend to blame anybody. I'm pretty aware that what I do is not 
the usual way. But I still think it's a valid way to do things.



and don't play the "hey, I got mistreated" card either. 


Nah, come on, how could I react to "don't waste my time!" if not with a 
little irony? ;-) I'd be a lamer if I took everything too seriously!




It just makes you look lame.


I'm sorry that's what you think about me. Anyway, in my age, it's not so 
important anymore if a few people think you're lame. Maybe I am. Who cares?


But let's not abuse this ML for personal discussions. I think I got you 
and I'm willing to do my best to provide the correct and complete 
information that relates to my problem, next time I bother you 
here on this ML. OK?




cron - setusercontext failed for root

2008-04-27 Thread Torsten
I'm setting up an embedded system from scratch with OpenBSD. The system 
is VERY much stripped down to the absolute necessary files only.


I have troubles using cron:

in /etc/crontab I have:
---
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
HOME=/tmp/log
*/1 * * * * root /bin/sh -c echo DEBUGMARKER > /tmp/console
---

I have an entry for root in /etc/passwd (and master.passwd respectively).

Nevertheless, when cron starts, I get this:

---
# /usr/sbin/cron -n -x sch
debug flags enabled: sch
[9538] cron started
[9538] GMToff=7200
[9538] Target time=1209315180, sec-to-wait=28
[9538] tick(53,16,26,3,0)
user [root:0:0:...] cmd=/bin/sh -c echo DEBUGMARKER > /tmp/console
[9538] Target time=1209315240, sec-to-wait=60
log_it: (root 14005) CMD (/bin/sh -c echo DEBUGMARKER > /tmp/console)
setusercontext failed for root
log_it: (root 20135) MAIL (mailed 31 bytes of output but got status 0x0001)
[9538] Target time=1209315240, sec-to-wait=59
---

The problem seems to be: setusercontext failed for root
Why is this so and what can I do to solve this?

A little more explanation:
I'm not using std init-procedure, the kernel loads a custom init-script 
which does the things the system is designed to do. One task in the 
init-script is to start crond which is just there to do some cleanups 
regularly.


Help will be appreciated!

T.
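An added example (not code from any of the posts): a small POSIX sh audit of a hand-assembled root before chrooting into it, checking the things this thread and the chroot thread tripped over: cron's dependency on /etc/login.conf via setusercontext(3), the passwd databases, the dynamic linker (assumed here to be OpenBSD's /usr/libexec/ld.so), device nodes that must be real character specials inside the new root, and a nodev mount. The mount(8) output line is constructed.

```shell
#!/bin/sh
# Audit a minimal root assembled by copying files together, as the poster
# does, before chrooting into it. ROOT is the directory that will become /.

# Files the thread names as needed by cron(8): login.conf (looked up by
# setusercontext(3)), the passwd databases, and the runtime linker.
# /usr/libexec/ld.so is assumed to be the OpenBSD linker path.
REQUIRED_FILES="etc/login.conf etc/passwd etc/master.passwd usr/libexec/ld.so"

# Device nodes the chroot thread needed for tcpdump and the shell.
REQUIRED_DEVS="dev/bpf0 dev/tty"

# Report each missing regular file under $1; return 1 if any is missing.
check_files() {
    root=$1; rc=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $root/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Device entries must already be character specials under the new root.
# Per the thread, pax-copying them or running mknod after chroot did not
# work; mknod(8) on the host path before chroot did.
check_devs() {
    root=$1; rc=0
    for d in $REQUIRED_DEVS; do
        if [ ! -c "$root/$d" ]; then
            echo "not a char device: $root/$d" >&2
            rc=1
        fi
    done
    return $rc
}

# A filesystem mounted nodev makes every device node under it unusable,
# which shows up as "Device not configured" after chroot. Takes one line
# of mount(8) output, e.g. mount_allows_devs "$(mount | grep " on $ROOT ")".
mount_allows_devs() {
    case "$1" in
        *nodev*) echo "mountpoint is nodev: $1" >&2; return 1 ;;
        *)       return 0 ;;
    esac
}

# Run all three checks; exit status is non-zero if anything is wrong.
audit_root() {
    check_files "$1"; a=$?
    check_devs "$1"; b=$?
    mount_allows_devs "$2"; c=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && [ "$c" -eq 0 ]
}
```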



Re: chroot issues with accessing /dev/ entries

2008-04-27 Thread Torsten
I am setting up an embedded system that's supposed to run from RAMDISK 
only.


You really should not do this.  The RAMDISK kernel uses the
SMALL_KERNEL option, and this can have all sorts of unknown effects.


I appreciate your comment, but it seems I'm missing something or there's 
a misunderstanding. I don't see the connection between using mount_mfs 
and the ramdisk kernel. I don't think I'm using a ramdisk kernel. I'm 
using a self-compiled standard kernel, only I am creating a ramdisk with 
mount_mfs in my init-script, copy my stuff into that ramdisk and chroot 
to it. I don't see there's anything wrong with this?




Solved: Re: chroot issues with accessing /dev/ entries

2008-04-27 Thread Torsten
OK, thank you, that got me onto the right track, now I think I know what 
the problem is: mount_mfs.

/sbin/mount_mfs -s 9 swap /mnt
Is there a way to have devices under that mountpoint?

Of course, just mknod(8) them (each time after creating the mfs),


Thanks everybody for your help. For whatever reason it did not work (for 
me) to just copy (pax) the /dev/* files from / to my ramdisk mountpoint 
(/mnt). The files were there but always caused a "failed to open" error 
when used from within the chrooted environment. It also did not work to 
first chroot and then (within the chroot environment) create the files 
with mknod.


What worked was first creating the files with mknod and then chroot.

I don't know why this is so, but I'm happy with it.



chroot issues with accessing /dev/ entries

2008-04-26 Thread Torsten
I am setting up an embedded system that's supposed to run from RAMDISK 
only. Therefore I create a ramdisk, copy everything into it and then 
chroot. I encounter problems when accessing pcap-libs (or devices in 
/dev generally) as soon as I actually chroot:


# ls -l /dev/bpf0
crw---  1 root  wheel   23,   0 Sep 27  2006 /dev/bpf0
# ls -l /tmp/chroot/dev/bpf0
crw---  1 root  wheel   23,   0 Sep 28  2006 /tmp/chroot/dev/bpf0
# tcpdump
tcpdump: listening on fxp0, link-type EN10MB
[...]
60 packets received by filter
0 packets dropped by kernel
# chroot /tmp/chroot/
/bin/ksh: No controlling tty (open /dev/tty: Device not configured)
/bin/ksh: warning: won't have full job control
# tcpdump
tcpdump: Failed to open bpf device for fxp0: Device not configured

tcpdump is just an example. Other programs access bpf0 (exactly) 
correctly when in the native system and fail to access bpf0 when in 
chrooted environment.


What am I missing? And why is there this tty warning message? The tty 
device entry is in the chrooted /dev just like it is in the source system.


Help will be appreciated!

T.



Re: chroot issues with accessing /dev/ entries

2008-04-26 Thread Torsten

# tcpdump
tcpdump: Failed to open bpf device for fxp0: Device not configured

Is /tmp mounted nodev?



OK, thank you, that got me onto the right track, now I think I know what 
the problem is: mount_mfs.


This is how I set up the ramdisk:

/sbin/mount_mfs -s 9 swap /mnt

Is there a way to have devices under that mountpoint?



MP kernel doesn't update kernel.cp_time on interrupt load

2007-03-07 Thread torsten frost

I'm running some throughput testing using OpenBSD as the router OS. Running
the GENERIC.MP kernel I'm not seeing any system load despite the NICs generating
about 40 000 interrupts in vmstat.

Running the same test on a  GENERIC kernel results in 80% system utilization.

Checking with sysctl confirms that a pure interrupt-based load from the NICs
doesn't update kern.cp_time. A userspace load like compiling the src tree,
however, does show the expected behaviour and updates kern.cp_time.

I'm seeing this on both of my Dell machines.

Dell 1750 with 4.0 MP kernel. Single core xeon. Runs MP to get APIC.

Dell 1950 with -CURRENT as of yesterday. Dual core xeon.