Re: Getting unswapped?
On 27.05.2014 07:33, Alan Corey wrote:
> Mostly so when I switch to a different application, maybe on a different page of the FVWM desktop, it isn't sitting there swapped out and it's responsive. I've usually got 20 or more applications open at once (most just RXVT windows) and reboot about once a week. If I invest in RAM I expect it to get used. Seems like Linux and FreeBSD are better about this but I don't use them often. Now I've got 864 free, 25 swapped out (restarted Firefox).

LOL at Linux being better about this... Fresh Ubuntu 14.04 LTS with updates:

user@laptop:~$ free -m
             total       used       free     shared    buffers     cached
Mem:          3819        834       2984          1          3        141
-/+ buffers/cache:        689       3129
Swap:         3959        313       3646
user@laptop:~$ sysctl vm.swappiness
vm.swappiness = 10
user@laptop:~$

With vm.swappiness on the default 60 even more pages are in swap. Only Firefox with 2 tabs running. Trying to open and load some other page results in a ~1 minute hang of the OS where I can do nothing, not even switch to a text console. Adding flash to the mix results in a memory leak and Firefox eating everything.

Setting swappiness to 0 helps more, but then why is that parameter here at all? Why Linux is swapping most used pages even as there's plenty of free RAM and cache is total mystery. I'm sure they will come up with something clever, like systemd handling vm. That will help for sure.

OpenBSD is superspeedy heaven (even in reality) compared to this crap.

> On 5/27/14, Philip Guenther guent...@gmail.com wrote:
>> On Mon, May 26, 2014 at 9:49 PM, Philip Guenther guent...@gmail.com wrote:
>>> On Mon, May 26, 2014 at 9:36 PM, Alan Corey alan01...@gmail.com wrote:
>>>> Several hours ago I edited a few big images in The Gimp so there was some swapping. I still have about 60 megs swapped out even though I've got 600 megs of RAM free. I've seen this before, sometimes it'll stay swapped out overnight until I reboot to clear it. The Gimp was closed hours ago.
>>>>
>>>> Is there any command to cause the swap system to do a HUP or something to re-evaluate the situation?
>>
>> [Stupid gmail control-enter]
>>
>> If the data has remained swapped out, it's because it hasn't been needed yet. Perhaps it's the process memory for a daemon which isn't being connected to and doesn't need to do anything. Why would you *want* to swap that in?
>>
>> Philip Guenther
Re: Getting unswapped?
On Tue, May 27, 2014 at 08:04:54AM +0200, bodie wrote:
> Setting swappiness to 0 helps more, but then why is that parameter here at all? Why Linux is swapping most used pages even as there's plenty of free RAM and cache is total mystery.

because it is doing exactly what you asked it to do. This isn't a linux list so I won't bother explaining why, but it just goes to show that if you play with things you don't understand you can end up shooting yourself in the foot and then amplify the effect by telling everyone.

-- 
Brett Lymn

This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies: BAE Systems Australia Limited - Australian Company Number 008 423 005; BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846; BAE Systems Australia Logistics Pty Limited - Australian Company Number 086 228 864. Our registered office is Evans Building, Taranaki Road, Edinburgh Parks, Edinburgh, South Australia, 5111. If the identity of the sending company is not clear from the content of this email please contact the sender. This email and any attachments may contain confidential and legally privileged information. If you are not the intended recipient, do not copy or disclose its content, but please reply to this email immediately and highlight the error to the sender and then immediately delete the message.
Re: Getting unswapped?
On 27.05.2014 08:10, Brett Lymn wrote:
> On Tue, May 27, 2014 at 08:04:54AM +0200, bodie wrote:
>> Setting swappiness to 0 helps more, but then why is that parameter here at all? Why Linux is swapping most used pages even as there's plenty of free RAM and cache is total mystery.
>
> because it is doing exactly what you asked it to do. This isn't a linux list so I won't bother explaining why, but it just goes to show that if you play with things you don't understand you can end up shooting yourself in the foot and then amplify the effect by telling everyone.

I did not ask Linux to swap something if there's plenty of RAM and cache. Especially not stuff which is actively used. That's called failed design. It was not happening a couple of years back and is not happening on my OpenBSD systems. I know that there are a number of other knobs to tune it, but I don't want to waste my time with them. And I know what vm.swappiness is doing, it's just that it's not worth it, especially in a distro like Ubuntu which is supposed to work for most typical home users. A system on HW where all devices are working in that system, and which swaps and lags even during the simplest usage, can't be considered proper design at all, no matter if fiddling with knobs can improve/fix the situation. It's more a fine example of bad design decisions like oom-killer, systemd and such.

> -- 
> Brett Lymn
Re: Wrong Shutdown
hmm, on Tue, May 27, 2014 at 07:14:49AM +0200, Otto Moerbeek said that
> block size is between 4096 and 65536, fragment size between 512 and block size. Both are powers of 2, and block size can be 1, 2, 4, or 8 times fragment size. For media files -b 65536 -i 65536 is fine. If you still have too many inodes, I use -i to reduce the number of inodes during newfs; the unit is bytes per inode. Newfs reports what it is doing, so you can see how many inodes you are getting. The numbers for -g and -h matter only at runtime, they do not influence the fs layout during newfs.

i smell some great FAQ material here :)

> [otto@lou:17]$ sudo newfs -N -i 100 -f 65536 -b 65536 /dev/rsd0l

would there be an explicit advantage of using ffs2 in this case? is the biggest plus of ffs2 the increased size of all the limits and the fact that inodes are allocated only when needed?

-f
-- 
someone whom you reject today, will reject you tomorrow.
Re: Wrong Shutdown
On Tue, May 27, 2014 at 11:06:10AM +0200, frantisek holop wrote:
> hmm, on Tue, May 27, 2014 at 07:14:49AM +0200, Otto Moerbeek said that
>> block size is between 4096 and 65536, fragment size between 512 and block size. Both are powers of 2, and block size can be 1, 2, 4, or 8 times fragment size. For media files -b 65536 -i 65536 is fine. If you still have too many inodes, I use -i to reduce the number of inodes during newfs; the unit is bytes per inode. Newfs reports what it is doing, so you can see how many inodes you are getting. The numbers for -g and -h matter only at runtime, they do not influence the fs layout during newfs.
>
> i smell some great FAQ material here :)
>
>> [otto@lou:17]$ sudo newfs -N -i 100 -f 65536 -b 65536 /dev/rsd0l
>
> would there be an explicit advantage of using ffs2 in this case? is the biggest plus of ffs2 the increased size of all the limits and the fact that inodes are allocated only when needed?

I'd say those are the only plusses. But they are good enough ;-)

The FAQ already contains some material on these issues. I wonder if adding more details would clarify things.

Note that disklabel already sets larger block sizes for larger partitions. That should do for most uses, though it keeps 8 frags per block.

-Otto
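The constraints Otto lists, written out as a check, as an added example that is not from the thread or from newfs(8): it validates a -b/-f pair and gives a rough inode count for a -i value on a partition of a given size. The inode figure is a plain size divided by bytes-per-inode estimate, whereas newfs rounds per cylinder group, so `newfs -N` remains the authority.

```python
# Added example, not from the thread or from newfs(8). Encodes the rules
# given above: block size 4096..65536, fragment size 512..block size, both
# powers of two, and block size 1, 2, 4 or 8 times the fragment size.
# The inode figure is a plain size / bytes-per-inode estimate; real newfs
# rounds per cylinder group, and `newfs -N` prints the actual numbers.


def is_power_of_two(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


def check_ffs_geometry(bsize: int, fsize: int) -> list:
    """Return the constraint violations for a -b/-f pair (empty list = OK)."""
    problems = []
    if not is_power_of_two(bsize):
        problems.append(f"block size {bsize} is not a power of 2")
    if not is_power_of_two(fsize):
        problems.append(f"fragment size {fsize} is not a power of 2")
    if not 4096 <= bsize <= 65536:
        problems.append(f"block size {bsize} outside 4096..65536")
    if not 512 <= fsize <= bsize:
        problems.append(f"fragment size {fsize} outside 512..{bsize}")
    # Only judge the ratio once the individual sizes are sane.
    if not problems and bsize // fsize not in (1, 2, 4, 8):
        problems.append(f"block/fragment ratio {bsize // fsize} not in 1, 2, 4, 8")
    return problems


def estimate_inodes(partition_bytes: int, bytes_per_inode: int) -> int:
    """Rough inode count for newfs -i <bytes_per_inode> on a partition of this size."""
    if bytes_per_inode <= 0:
        raise ValueError("bytes per inode must be positive")
    return partition_bytes // bytes_per_inode


if __name__ == "__main__":
    # Otto's media-file suggestion: one 64 KiB fragment per 64 KiB block,
    # on a constructed 2 TiB partition.
    print(check_ffs_geometry(65536, 65536))        # []
    print(check_ffs_geometry(16384, 2048))         # [] (the default 8 frags per block)
    print(check_ffs_geometry(65536, 2048))         # ratio 32 is rejected
    print(estimate_inodes(2 * 1024 ** 4, 65536))   # 33554432
```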
pf+voip
Does pf have specific rules for voip, maybe an example of a working pf_rule with voip? Because for «standard rules» i have problems with voip.

set skip on lo
match out on pppoe0 from { em1:network } nat-to (pppoe0)
block
pass out
pass in on { em1 }

- after hanging up, the line is still busy for near 3 minutes (maybe keep state set to no state in rules)
- badly hear the person on the phone (quiet)
Re: pf+voip
On Tue, May 27, 2014 at 01:59:07PM +0400, Швецов Михаил wrote:
> Does pf have specific rules for voip, maybe an example of a working pf_rule with voip? Because for «standard rules» i have problems with voip.
>
> set skip on lo
> match out on pppoe0 from { em1:network } nat-to (pppoe0)
> block
> pass out
> pass in on { em1 }
>
> - after hanging up, the line is still busy for near 3 minutes (maybe keep state set to no state in rules)

Assuming your VOIP client is in the em1 network it might run into problems with NAT traversal if you don't use the static-port option.

    static-port
        With nat rules, the static-port option prevents pf(4) from modifying the source port on TCP and UDP packets.

> - badly hear the person on the phone (quiet)

I don't believe pf could have anything to do with that.
Re: pf+voip
Hi!

It is most unlikely the issue of pf or its rules. Simply because your issues are related to SIP (busy issue) and RTP/phone (voice volume). Pf does not have any SIP ALG built-in so can't affect VoIP.

I'd suggest you check the busy issue with your VoIP provider or check out different clients or phones.

On 27.05.14 13:59, Швецов Михаил wrote:
> Does pf have specific rules for voip, maybe an example of a working pf_rule with voip? Because for «standard rules» i have problems with voip.
>
> set skip on lo
> match out on pppoe0 from { em1:network } nat-to (pppoe0)
> block
> pass out
> pass in on { em1 }
>
> - after hanging up, the line is still busy for near 3 minutes (maybe keep state set to no state in rules)
> - badly hear the person on the phone (quiet)

-- 
WBR Dimon
sip:88...@sip.skirron.com
Re: pf+voip
On Tuesday, 27.05.2014, 14:15 +0400, Dmitry Petrakoff wrote:
> It is most unlikely the issue of pf or its rules. Simply because your issues are related to SIP (busy issue) and RTP/phone (voice volume). Pf does not have any SIP ALG built-in so can't affect VoIP.

Well that is not completely right. SIP negotiates the parameters of a call in one connection, and then opens media streams in both directions. The problem is more or less the same as with (active) FTP, and some packet filters are L7 aware and configure the required port forwardings dynamically, some aren't. (Actually most appliances/stacks are kind of SIP aware but then fail erratically when push comes to shove.) I am pretty sure that pf is /not/ SIP aware. So you have the following options:

* Get a public IP space
* Use static port rdrs, configure your SIP application accordingly.
* Get a public IPv6 space
* Use STUN and other ugly NAT traversal mechanisms
* Use an application layer gateway/proxy/PBX: I found Asterisk in packages, FreeSWITCH from source or siproxd in packages, which looks exactly right, but I have no experience with it.
* Use IPv6, get rid of NAT. Seriously.

Cheers
David

> I'd suggest you check the busy issue with your VoIP provider or check out different clients or phones.
>
> On 27.05.14 13:59, Швецов Михаил wrote:
>> Does pf have specific rules for voip, maybe an example of a working pf_rule with voip? Because for «standard rules» i have problems with voip.
>>
>> set skip on lo
>> match out on pppoe0 from { em1:network } nat-to (pppoe0)
>> block
>> pass out
>> pass in on { em1 }
>>
>> - after hanging up, the line is still busy for near 3 minutes (maybe keep state set to no state in rules)
>> - badly hear the person on the phone (quiet)

-- 
David Dahlberg
Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
Re: Run 'n' play missing home-based package manager for OpenBSD
On 27-05-2014 02:26, bodie wrote:
> On 27.05.2014 07:09, Giancarlo Razzolini wrote:
>> On 27-05-2014 01:22, bodie wrote:
>>> Why do you think that it's a good idea to allow users to install 3rd party packages without the need for root privileges?
>>
>> Users can compile and run whatever they want in their home directories, and any other directory they can write to. There is no need for root privileges.
>>
>>> I mean what are the benefits of such a design and how do they interact with security concepts (not only in OpenBSD).
>>
>> I don't like nor dislike this idea. From my point of view it will have its audience, but I'll probably never use it myself. And I'll probably never install it system wide for users.
>>
>> Cheers,
>
> I think that he means an approach like on Fedore where you can install anything without root and not only to your /home

If you meant Fedora, I don't really think that users can install rpm packages without root permission system wide. I might be wrong, but I use other red hat based systems, mostly centos, and they don't allow it. If Fedora is doing that, then it's just another linux distro that went wrong.

This new system simplifies the compiling and installation. Aka ports in your home. I took a look at the code by the way and it was relatively well coded. Not that many formulas yet, though. OP, you're in the right direction.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: pf+voip
Tue, 27 May 2014 13:59:07 +0400 Швецов Михаил mv...@ya.ru wrote:
> Does pf have specific rules for voip, maybe an example of a working pf_rule with voip? Because for «standard rules» i have problems with voip.
>
> set skip on lo
> match out on pppoe0 from { em1:network } nat-to (pppoe0)
> block
> pass out
> pass in on { em1 }
>
> - after hanging up, the line is still busy for near 3 minutes (maybe keep state set to no state in rules)
> - badly hear the person on the phone (quiet)

VoIP in NAT environments isn't this simple. You have two different protocols: SIP for signaling and RTP for media. Media information between the endpoints is specified in SIP SDP packets (session description protocol). SDP packets contain the original IPs of the VoIP endpoints, and these IPs won't be NATed! Do you make use of a sip proxy or an external STUN server at least?

-- 
Andre Ruppert
Network Administrator
Re: Run 'n' play missing home-based package manager for OpenBSD
It's just like Homebrew. But, with no sudo.

On Tuesday, May 27, 2014, Giancarlo Razzolini grazzol...@gmail.com wrote:
> On 27-05-2014 02:26, bodie wrote:
>> On 27.05.2014 07:09, Giancarlo Razzolini wrote:
>>> On 27-05-2014 01:22, bodie wrote:
>>>> Why do you think that it's a good idea to allow users to install 3rd party packages without the need for root privileges?
>>>
>>> Users can compile and run whatever they want in their home directories, and any other directory they can write to. There is no need for root privileges.
>>>
>>>> I mean what are the benefits of such a design and how do they interact with security concepts (not only in OpenBSD).
>>>
>>> I don't like nor dislike this idea. From my point of view it will have its audience, but I'll probably never use it myself. And I'll probably never install it system wide for users.
>>>
>>> Cheers,
>>
>> I think that he means an approach like on Fedore where you can install anything without root and not only to your /home
>
> If you meant Fedora, I don't really think that users can install rpm packages without root permission system wide. I might be wrong, but I use other red hat based systems, mostly centos, and they don't allow it. If Fedora is doing that, then it's just another linux distro that went wrong.
>
> This new system simplifies the compiling and installation. Aka ports in your home. I took a look at the code by the way and it was relatively well coded. Not that many formulas yet, though. OP, you're in the right direction.
>
> Cheers,
>
> -- 
> Giancarlo Razzolini
> GPG: 4096R/77B981BC

-- 
Antonio Feitosa (http://twitter.com/teebsd)
#DevOps believer in Prototype Driven Development, #Security Consultant, #OpenBSD addicted, #ARM hobbyist and #Blues #Musician. #P2P is the real #cloudcomputing.
Rio de Janeiro, Brazil · Github: https://github.com/TeeBSB
Blog: http://teebsd.github.io/
Re: pf+voip
Sorry, that was exactly what I meant (OT probably):

The first issue with the late hang-up most likely means that the callee hung up and his UAC sent a SIP BYE within the existing dialog. For some reason either the UAS on the caller's side or an intermediate SIP proxy discarded that BYE. There could be the same issue with the reply to that BYE, but the idea is the same: something is wrong with the SIP header. Anyway it is a problem of the layer 7 protocol and not of PF.

The second issue with speech volume is only VoIP client dependent. If RTP works both ways it is not an issue of PF with NAT enabled, again because the SDP headers were already rewritten somewhere (usually on the provider's side). Anyway, pf can't be the point of the problem here simply because L3 packets can travel back and forth without issues.

WBR Dimon
Sip: 88...@sip.skirron.com
Tel: +4141 7674448

On 27 May 2014, at 18:03, Dahlberg, David david.dahlb...@fkie.fraunhofer.de wrote:
> On Tuesday, 27.05.2014, 14:15 +0400, Dmitry Petrakoff wrote:
>> It is most unlikely the issue of pf or its rules. Simply because your issues are related to SIP (busy issue) and RTP/phone (voice volume). Pf does not have any SIP ALG built-in so can't affect VoIP.
>
> Well that is not completely right. SIP negotiates the parameters of a call in one connection, and then opens media streams in both directions. The problem is more or less the same as with (active) FTP, and some packet filters are L7 aware and configure the required port forwardings dynamically, some aren't. (Actually most appliances/stacks are kind of SIP aware but then fail erratically when push comes to shove.) I am pretty sure that pf is /not/ SIP aware. So you have the following options:
>
> * Get a public IP space
> * Use static port rdrs, configure your SIP application accordingly.
> * Get a public IPv6 space
> * Use STUN and other ugly NAT traversal mechanisms
> * Use an application layer gateway/proxy/PBX: I found Asterisk in packages, FreeSWITCH from source or siproxd in packages, which looks exactly right, but I have no experience with it.
> * Use IPv6, get rid of NAT. Seriously.
>
> Cheers
> David
>
>> I'd suggest you check the busy issue with your VoIP provider or check out different clients or phones.
>>
>> On 27.05.14 13:59, Швецов Михаил wrote:
>>> Does pf have specific rules for voip, maybe an example of a working pf_rule with voip? Because for «standard rules» i have problems with voip.
>>>
>>> set skip on lo
>>> match out on pppoe0 from { em1:network } nat-to (pppoe0)
>>> block
>>> pass out
>>> pass in on { em1 }
>>>
>>> - after hanging up, the line is still busy for near 3 minutes (maybe keep state set to no state in rules)
>>> - badly hear the person on the phone (quiet)
>
> -- 
> David Dahlberg
> Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
> Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
Re: Run 'n' play missing home-based package manager for OpenBSD
On 27-05-2014 13:18, Eric Lalonde wrote:
> On a multi-user production system this is unattractive from this system administrator's point of view. On a single-user system this is redundant because the ports system already exists, and you have the privilege to install whatever you want.

So you rm all the compilers from your system. And what do you do when a user copies a binary from another machine that is compiled statically and executes it? Or when he uses the perl interpreter that comes with the OpenBSD base install and runs a script? If a user has access to the system there's really no point in trying to prevent him/her from running anything they want, simply because it's very hard to do so. So, bottom line, if you don't want people executing code on your machine, don't give them access.

> I don't see the problem that is solved with this.

No problem solved, it just makes the life of users simpler. Not every tool must solve a problem. Although there are some that create other problems.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: pf+voip
On Tue, May 27, 2014 at 01:59:07PM +0400, Швецов Михаил wrote:
> Does pf have specific rules for voip, maybe an example of a working pf_rule with voip? Because for «standard rules» i have problems with voip.
>
> set skip on lo
> match out on pppoe0 from { em1:network } nat-to (pppoe0)
> block
> pass out
> pass in on { em1 }
>
> - after hanging up, the line is still busy for near 3 minutes (maybe keep state set to no state in rules)
> - badly hear the person on the phone (quiet)

Hey, I don't use this anymore, but i still have the blurbs from my pf.conf that had a pretty much perfectly working voip connection:

Queuing: this was originally around 900kbit up when i used it (different isp). i also had given the voip queue around 12% i think, left it there as I was unsure of whether i'd still be using the voip phone after i left that company, and just knocked it down to 2% ;) also pre-newqueue, warning! ;)

ext01 and ext02 are the aastra phone and obihai voip device, respectively.

--snip--
# hfsc queueing
altq on $ext_if bandwidth 460Kb hfsc queue \
        { voip, ack, dns, game, ssh, www_ftp, std_out }
queue voip    bandwidth 2%  priority 8 hfsc(realtime 2%)
queue ack     bandwidth 15% priority 7 hfsc(realtime 15%)
queue game    bandwidth 37% priority 6 hfsc(realtime 40%)
queue dns     bandwidth 5%  priority 5 hfsc(realtime 5%)
queue ssh     bandwidth 15% priority 4 hfsc(realtime 17%) {ssh_im, ssh_bulk}
        queue ssh_im   bandwidth 90% priority 4 hfsc
        queue ssh_bulk bandwidth 10% priority 3 hfsc
queue www_ftp bandwidth 3%  priority 2 hfsc(linkshare 3%)
queue std_out bandwidth 15% hfsc(linkshare 5% default)
--snip--
# NAT voip, static-port required to maintain UDP port mappings for SIP proxy
match out on $ext_if from $ext01 to any nat-to ($ext_if) static-port
match out on $ext_if from $ext02 to any nat-to ($ext_if) static-port

# queue voip, to AND from
match inet proto udp to port $rtp_ports scrub(set-tos ef) queue voip
match inet proto udp from port $rtp_ports scrub(set-tos ef) queue voip
--snip--

above here took care of the rest.

this was using both an obihai voip device for hookup of a POTS phone, and an Aastra phone as my primary voip phone hooked into the company directory etc (all quite easy with asterisk!)

The above worked well enough that I could take business calls, including calls that may have resulted in sales of voip service, without it sounding like i was on a shitty link with various vocal artifacts etc. in the end i could pretty much hammer my inet connection as hard as i wanted while a call was in progress and never really lost anything. YMMV :) I found my values via hours of tweaking, hammering with various bandwidth-intensive applications, and hammering more.

I believe we did have a form of STUN or SIP proxy; the phones we used could be preconfigured to fetch a config from the company server, which would include things like a STUN or SIP proxy ip.

in my setup, my normal nat line in pf does not use static-port, hence the added line before that point to catch the voip devices and make sure they are natted with static-port.

Cheers,
-ryan
pipex and npppd syslog
Hi, I have relatively busy npppd pptp server, and it logs a lot of output into /var/log/messages. How can I move npppd and pipex log messages into separate file? Thank you in advance, -- Marko Cupać
Re: Weird disklabel problem
>> OK, I got it booting. In a fairly useless config, but ...
>>
>> Booting from a -current amd64 cd55.iso cd-rom, I (E)dited the MBR so that the OpenBSD 'A6' partition started on sector 2048, and was 500MB in size. I accepted the auto configured disklabel (i.e. all space in 'a') and installed w/o X, Compiler or games sets. Removing the CD and rebooting got me to the usual login prompt.
>>
>> I'm going to experiment some more, but I'm now suspicious that the old '512MB' limit is coming into play somehow. So for those following along, try a tiny OpenBSD MBR partition starting at sector 2048 and see what happens. And of course if it works, how big can your partition be before it stops working.
>
> I've tried this and the system boots with 500MB, 1000MB, 2000MB but doesn't with 4000MB. Since 2GB is way too small, I'm going to buy a pci - sata card to avoid the Intel SATA chip. I'm thinking of buying a HighPoint Rocket 620 card. Anybody using this card with OpenBSD? Or recommendations for a different pci - sata card?

Unfortunately the pci - sata card didn't work either. However there was a bios upgrade released by Gigabyte a few days after my initial mail and with that bios version it works (using the Intel SATA chip). So I would like to thank everybody that has spent time diagnosing this problem.

Kind regards,

Martijn Rijkeboer
problem between postfix and Courier authdaemond
Hi,

I have a little problem with authdaemond.

cat /var/log/maillog
May 27 21:12:30 2-2-2-2 postfix/smtps/smtpd[6446]: Anonymous TLS connection established from 1-1-1-1-di.dum.di[1.1.1.1]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
May 27 21:12:30 2-2-2-2 postfix/smtps/smtpd[6446]: warning: SASL authentication failure: cannot connect to Courier authdaemond: Connection refused
May 27 21:12:30 2-2-2-2 postfix/smtps/smtpd[6446]: warning: SASL authentication failure: Password verification failed

cat /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: authdaemond
authdaemond_path: courier-authdaemon-socket
mech_list: PLAIN LOGIN

cat /etc/postfix/main.cf
.
# Enable SASL authentication in the Postfix SMTP server
smtpd_sasl_auth_enable = yes

# Only accept mail from trusted networks, authenticated clients or mail with
# a 'RCPT TO' address that Postfix is forwarder or final destination for
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

# Enable inter-operability with old SMTP clients
broken_sasl_auth_clients = yes

# Name of the Postfix SMTP server's local SASL authentication realm
smtpd_sasl_local_domain = $mydomain

cat /etc/postfix/master.cf
..
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==
smtp      inet  n       -       n       -       -       smtpd
..
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

ls -la /var/run/courier-auth/
total 16
drwxrwxr-x  2 root  wheel  512 May 27 21:05 .
drwxr-xr-x  6 root  wheel  512 May 27 21:05 ..
srwxrwxrwx  1 root  wheel    0 May 27 20:48 mux
-rw-------  1 root  wheel    0 May 27 20:48 mux.accept
-rw-r--r--  1 root  wheel    6 May 27 21:05 pid
-rw-------  1 root  wheel    0 May 24 22:24 pid.lock
-rw-------  1 root  wheel    6 May 27 20:48 saslauthd.pid
srwxrwxrwx  2 root  wheel    0 May 27 21:05 socket

Everything looks good but there is no connection between postfix and courier authdaemond. But where to start to find the problem? Google is not really any help... :-(

best regards,
Mika
Re: pf+voip
On 2014/05/27 13:59, Швецов Михаил wrote:
> Does pf have specific rules for voip, maybe an example of a working pf_rule with voip? Because for «standard rules» i have problems with voip.
>
> set skip on lo
> match out on pppoe0 from { em1:network } nat-to (pppoe0)
> block
> pass out
> pass in on { em1 }
>
> - after hanging up, the line is still busy for near 3 minutes (maybe keep state set to no state in rules)
> - badly hear the person on the phone (quiet)

It just works(tm) for me, no special setup needed, no static-port or anything, just a standard nat-to rule. This is with various devices: snom and gigaset hardware phones, a softclient on android, pjsua on OpenBSD. But the SIP servers I use are set up properly to handle natted clients...
Re: pf+voip
On Tue, May 27, 2014 at 3:33 PM, Stuart Henderson s...@spacehopper.org wrote:
> It just works(tm) for me, no special setup needed, no static-port or anything, just a standard nat-to rule. This is with various devices: snom and gigaset hardware phones, a softclient on android, pjsua on OpenBSD. But the SIP servers I use are set up properly to handle natted clients...

Seconded. The only thing I've had to do at times is increase UDP timeouts, as some SIP clients don't send keep-alives often enough to maintain state:

set timeout udp.multiple 120
PF log entry
Using tcpdump -n -ttt -r /var/log/pflog I have a log entry with [len16<asnlen69] at the end. The packet was from port 65500 to 161. What is len16<asnlen69 ?
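That bracketed note comes from tcpdump's SNMP printer, which emits it when the ASN.1 length an element declares (asnlen) is larger than the bytes left in the packet after the tag and length header (len): either the capture cut the packet short, or the sender put a bogus length in a short packet, which is worth noticing on udp/161. The check below is an added example, not tcpdump's code; it reproduces that comparison on a constructed 18-byte UDP payload.

```python
# Added example, not tcpdump's code: parse the outer BER tag/length header
# of a UDP payload the way the SNMP decoder does, and reproduce its
# "[len<remaining><asnlen<declared>]" note when the declared length exceeds
# the bytes actually left after the header.
from typing import Optional, Tuple

# Constructed sample: an SNMPv1 message header claiming 69 (0x45) bytes of
# content, followed by only 16 bytes (version 0, community "public", and
# the start of a GetRequest PDU). Total UDP payload: 18 bytes.
TRUNCATED = bytes.fromhex("3045" "020100" "04067075626c6963" "a038020101")

# Constructed sample whose outer header matches its content length exactly
# (11 bytes declared, 11 bytes present); not a complete SNMP message.
CONSISTENT = bytes.fromhex("300b" "020100" "04067075626c6963")


def ber_header(payload: bytes) -> Tuple[int, int, int]:
    """Return (tag, declared_len, remaining) for the first BER element.

    remaining is the number of bytes left after the tag and length octets,
    which is what tcpdump's 'len' has been counted down to when it compares.
    """
    if len(payload) < 2:
        raise ValueError("payload shorter than a BER tag+length header")
    tag, first = payload[0], payload[1]
    pos = 2
    if first & 0x80 == 0:
        declared = first                   # short form: one octet, 0..127
    else:
        noct = first & 0x7F                # long form: count of length octets
        if noct == 0:
            raise ValueError("indefinite length is not valid in SNMP")
        if len(payload) < pos + noct:
            raise ValueError("length octets run past the end of the packet")
        declared = int.from_bytes(payload[pos:pos + noct], "big")
        pos += noct
    return tag, declared, len(payload) - pos


def snmp_length_note(payload: bytes) -> Optional[str]:
    """tcpdump-style '[len16<asnlen69]' when the packet is truncated, else None."""
    _tag, declared, remaining = ber_header(payload)
    if remaining < declared:
        return f"[len{remaining}<asnlen{declared}]"
    return None


if __name__ == "__main__":
    print(snmp_length_note(TRUNCATED))    # [len16<asnlen69]
    print(snmp_length_note(CONSISTENT))   # None
```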
Authentication with LDAP on OpenBSD
For the past three months our small academic lab has used the LDAP server from the OpenBSD base to authenticate users. All our computing nodes and desktops run RedHat Linux while file servers run FreeNAS. Getting them to authenticate users using the OpenBSD LDAP directory server was a breeze.

Today I set myself one task, which was to create an OpenBSD amd64 5.4 shell gateway to the lab. After about 30 minutes I had a fully functional gateway to which I could log in using local credentials. I spent the rest of the day trying in vain to enable LDAP authentication on the gateway. I started by reading the man pages for ypldap and ypldap.conf as well as 10.19 Directory services from the FAQ but quickly realized that I might need a little bit more reading. So in violation of common recommendation I went and read

http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html

I adapted the above blog to my needs as follows. I added

ldap:\
        :auth=-ldap:\
        :x-ldap-server=atlas.int.autonlab.org,,starttls:\
        :x-ldap-basedn=dc=autonlab,dc=org:\
        :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
        :tc=default:

to /etc/login.conf. Edited /etc/openldap/ldap.conf as follows:

BASE            dc=autonlab,dc=org
URI             ldap://atlas.int.autonlab.org:389
SIZELIMIT       12
TIMELIMIT       15
DEREF           never
SSL             START_TLS
TLS_REQCERT     allow
TLS_CACERT      /etc/openldap/certs/ca.crt
TLS_CACERTDIR   /etc/openldap/certs
TLS_CIPHER_SUITE        HIGH:MEDIUM:+SSLv3

and edited /etc/ypldap.conf as:

# $OpenBSD: ypldap.conf,v 1.4 2012/04/30 12:16:43 ajacoutot Exp $

domain          autonlab.org
interval        60
provide map     passwd.byname
provide map     passwd.byuid
provide map     group.byname
provide map     group.bygid
# provide map   netid.byname

directory atlas.int.autonlab.org {
        # directory options
        binddn cn=admin,dc=autonlab,dc=org
        basedn dc=autonlab,dc=org
        # basedn ou=users,dc=autonlab,dc=org
        # starting point for groups directory search, default to basedn
        # groupdn ou=group,dc=autonlab,dc=org

        # passwd maps configuration (RFC 2307 posixAccount object class)
        passwd filter (objectClass=posixAccount)

        attribute name maps to uid
        fixed attribute passwd *
        attribute uid maps to uidNumber
        attribute gid maps to gidNumber
        attribute gecos maps to cn
        attribute home maps to homeDirectory
        attribute shell maps to loginShell
        fixed attribute change 0
        fixed attribute expire 0
        fixed attribute class

        # group maps configuration (RFC 2307 posixGroup object class)
        group filter (objectClass=posixGroup)

        attribute groupname maps to cn
        fixed attribute grouppasswd *
        attribute groupgid maps to gidNumber
        # memberUid returns multiple group members
        list groupmembers maps to memberUid
}

From that point on I could do ldapsearch, I could run

/usr/libexec/auth/login_-ldap -d -s login USERNAME ldap

without a glitch, and running ypldap -dv was pushing usernames and their uidNumbers. The minor nonsense was finding this in /var/log/messages:

May 27 23:36:27 shell ypldap[5839]: main: user: predrag is referenced \
    as a group member, but can't be found in the users map.

I was also able to run su - predrag and get logged in, but could not make much sense of steps 3 and 4 of the article

http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html

which is clearly related to my inability to use the LDAP password to ssh into the shell gateway. After starting portmap and ypldap I could start ypbind, but the ypserv and yppasswdd daemons would fail to start for me, for the obvious reason that my defaultdomain has no YP servers.

I am even more confused by the following sentence from the FAQ:

To use other directory services except YP, you either need to populate local configuration files from the directory, or you need a YP frontend to the directory. For example, you can use the sysutils/login_ldap port when you choose the former, while the ypldap(8) daemon provides the latter.

which seems to indicate that I just need ypldap as a front end to my LDAP server.

Could a kind soul give me some directions and point out the mistakes I am making? I am sure I am not the only one who is trying to use LDAP directory services to log into my OpenBSD box.

Thank you,
Predrag
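How the x-ldap-filter template above turns into the search filter actually sent, as an added example that is not from the post and not login_ldap's own code: the %u placeholder is replaced by the login name with the RFC 4515 escapes applied, so a name containing characters that have filter meaning cannot alter the filter's structure. Whether login_ldap itself escapes %u is not stated on the page; the template string and the sample names are taken from or constructed for this illustration.

```python
# Added example, not from the post and not login_ldap's code: expand the
# %u placeholder of a login.conf x-ldap-filter template into a concrete
# LDAP search filter, escaping the user name per RFC 4515.
TEMPLATE = "(&(objectclass=posixAccount)(uid=%u))"

# RFC 4515 escapes for the characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parens_balanced(filt: str) -> bool:
    """True when every '(' has a matching ')' and the depth never goes negative."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def render_filter(template: str, username: str) -> str:
    """Substitute %u with the escaped user name and check the result is well-formed."""
    rendered = template.replace("%u", escape_filter_value(username))
    if not parens_balanced(rendered):
        raise ValueError("rendered filter is not well-formed: " + rendered)
    return rendered


if __name__ == "__main__":
    print(render_filter(TEMPLATE, "predrag"))
    # A constructed login name with filter metacharacters stays a plain value:
    print(render_filter(TEMPLATE, "lab (test)*"))
    # The same name substituted raw would break the filter's structure:
    print(parens_balanced(TEMPLATE.replace("%u", "lab (test)*")))
```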