On Tue, Apr 24, 2007 at 06:36:17PM -0400, Chris Smith wrote:
Hello,
Using openbsd as a firewall in several cases - a few small businesses, and
also for home use. Some websites, such as grc.com, stress that stealth mode
(which openbsd handles with ease) is the safest. But I've also read
On Tue, Apr 24, 2007 at 11:47:00PM +0100, poncenby wrote:
List,
Are there plans to change vnconfig so it will accept a file for the key when
-K
is specified?
I notice there was a patch put up to misc in 2004, does anyone know if there
is a
patch for 4.0?
vnconfig in -current, at least,
Hi,
I'm playing around with carp and routers. My scenario is the next:
One ISP address ( for exemple: 10.2.2.1 )
Two openbsd 4.0 machines with 3 NICs
Lan switch
On LAN side, i set one NIC on every machine with private ip:
Machine#1: 192.168.0.20
Machine#2: 192.168.0.21
And they share a virtual
On 2007/04/25 12:43, Tang Tse wrote:
I got only one IP address, 10.2.2.1, how do share it? I mean, i can't set up
other 2 new IPs like 10.2.2.2 and .3.. any suggestion?
just configure the carp interface as 10.2.2.1, you don't need a
'real' address as well. use carpdev to specify the parent
Thanks!!!
2007/4/25, Stuart Henderson [EMAIL PROTECTED]:
On 2007/04/25 12:43, Tang Tse wrote:
I got only one IP address, 10.2.2.1, how do share it? I mean, i can't
set up
other 2 new IPs like 10.2.2.2 and .3.. any suggestion?
just configure the carp interface as 10.2.2.1, you don't need
Hi,
We have two internet connection with 2 different firewalls that we want
to merge into a new single pf based firewall.
Connection 1 (wan1) will be used for nat-ing the internal network (lan)
to the outside world and access to a few internal servers.
Connection 2 (wan2) will be used for the
On Wed, 25 Apr 2007, Miod Vallat wrote:
There was an unconditional Debugger() call in this codepath, which got
commited by mistake. Snapshots after march 23rd have this corrected.
Miod
thanks for the quick reply. I'll try a newer kernel went I get to the
office
diana
On 4/25/07, Tang Tse [EMAIL PROTECTED] wrote:
Hi,
I'm playing around with carp and routers. My scenario is the next:
One ISP address ( for exemple: 10.2.2.1 )
Two openbsd 4.0 machines with 3 NICs
Lan switch
On LAN side, i set one NIC on every machine with private ip:
Machine#1: 192.168.0.20
I was redirected here from the tech group.
I am trying to install OpenBSD 4.0 on a Dell OptiPlex 745. The computer has
a SATA CD-ROM and a SATA hard drive.
After the install/upgrade/shell part, I see a lot of kernel messages.
Everything looks normal, and it looks like all of my hardware is
Well, in fact, I was wondering:
1. What is the purpose of the $user_id macro in authpf rules?
2. Is anybody using it successfully?
3. Is it possible to use it to track per user traffic?
Thanks if you read this and help me :-)
Matthias Bertschy
Matthias Bertschy wrote:
Hello
Do you mean what is the purpose of user_id compared to user_ip?
I think it is interesting if several users use the same computer.
On 4/25/07, Matthias Bertschy [EMAIL PROTECTED] wrote:
Well, in fact, I was wondering:
1. What is the purpose of the $user_id macro in authpf rules?
Greetings! Included below is my pf.conf set up to use
dansguardian (proxyport 3128, filterport 8080)
and tinyproxy (listen port 3128) as a transparent
proxy.
What changes do I need to make to keep someone on
int_if/int_net from circumventing dansguardian
by changing their browser to point to
I have an i386 laptop with two NICs: xl(4) and an(4).
For me, trunk(4) does not seem to be able to send any packets over the an(4)
NIC. The xl(4) NIC works just fine. The an0 NIC never shows active as
a child of the trunk. Viz.:
When I set a single NIC in the trunk, just for testing as shown
On 4/25/07, Matthias Bertschy [EMAIL PROTECTED] wrote:
Well, in fact, I was wondering:
1. What is the purpose of the $user_id macro in authpf rules?
well, whatever you want it do. :)
2. Is anybody using it successfully?
honestly, about the only thing i can think of is that
On 04/23/07 17:06, Marco Peereboom wrote:
When will you be fixed?
ROFL...
+++chefren
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
As for your question, only allow internal devices to do what you want
On Wed, 25 Apr 2007, Diana Eichert wrote:
On Wed, 25 Apr 2007, Miod Vallat wrote:
There was an unconditional Debugger() call in this codepath, which got
commited by mistake. Snapshots after march 23rd have this corrected.
Miod
thanks for the quick reply. I'll try a newer kernel went I get
The power button problem I reported in an earlier thread was resolved with
a newer kernel.
Now I have another question. In order to get power down to work, you have
to set powerdown=YES to power down the unit. Now that's pretty obvious,
but why when you run shutdown -r/reboot does the
Hi,
I readed the faq before. I know carp device needs to be the one i want to
share. My question is not for the carp device, is just for the network
interfaces ( in my case rl0 on both machines ). Which address should i gave
them? anyone into the isp ip-mask rank?
2007/4/25, Todd Alan Smith
On 2007/04/25 21:38, Tang Tse wrote:
I readed the faq before. I know carp device needs to be the one i want to
share. My question is not for the carp device, is just for the network
interfaces ( in my case rl0 on both machines ). Which address should i gave
them? anyone into the isp ip-mask
Heya,
It seems I'm experiencing some data corruption on nfs when -w or -r
aren't powers of 2.
I have a local file with these settings:
% md5 sunclock.diff
MD5 (sunclock.diff) = 9f002849da08cd6ab76032a8cf2726e1
now, if I export the filesystem (nfsd -tu -n 4) it's on I get data
corruption when I
thanks!!
2007/4/25, Stuart Henderson [EMAIL PROTECTED]:
On 2007/04/25 21:38, Tang Tse wrote:
I readed the faq before. I know carp device needs to be the one i want
to
share. My question is not for the carp device, is just for the network
interfaces ( in my case rl0 on both machines ).
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
Bull. Not allowing ICMP is just as bad.
Paul de Weerd wrote:
Hi all,
For those interested here's a copy of the dmesg output on a Sun Fire
4200 system. More info (`sysctl hw; openssl speed; sysctl hw` output
for the temperature difference is also included for example ;) is
available at
On 4/25/07, poncenby [EMAIL PROTECTED] wrote:
i'm obviously missing something here.
could you explain why it is a bad idea to have two files, the key and salt,
which
would be used to initially mount the regular file, then securely deleted from
the
host and only re-introduced to the host when
On Wed, 25 Apr 2007 20:19:42 + (UTC)
Tobias Weingartner [EMAIL PROTECTED] wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
On Apr 25, 2007, at 4:19 PM, Tobias Weingartner wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping
I am running an X4100 with -current and I see no issues at all.
On Wed, Apr 25, 2007 at 04:23:54PM -0400, Daniel Ouellet wrote:
Paul de Weerd wrote:
Hi all,
For those interested here's a copy of the dmesg output on a Sun Fire
4200 system. More info (`sysctl hw; openssl speed; sysctl hw`
Marco Peereboom wrote:
I am running an X4100 with -current and I see no issues at all.
Thank you!
I will order some then and will see the results.
I appreciate your time.
Best
Daniel
On Wed, 25 Apr 2007 23:56:50 +0200
Joachim Schipper [EMAIL PROTECTED] wrote:
On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
On Wed, 25 Apr 2007 20:19:42 + (UTC)
Tobias Weingartner [EMAIL PROTECTED] wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM,
On 2007/04/25 16:23, Daniel Ouellet wrote:
Is there any changes on the support of the X4200, specially the X4100
M2 and X2100 M2 with SAS version, not the SATA one? There wasn't much
updates in the archive on the subject still.
X4100 are AMD8131, 4 em(4) nics
X4200 are nvidia nforce
On 25/04/07, Joachim Schipper [EMAIL PROTECTED] wrote:
On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
On Wed, 25 Apr 2007 20:19:42 + (UTC)
Tobias Weingartner [EMAIL PROTECTED] wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
Stuart Henderson wrote:
X4100 are AMD8131, 4 em(4) nics
X4200 are nvidia nforce systems, 2 em(4) nics and on solaris 2 nge
- presumably nfe(4) here.
I know what my choice would be...
Thanks! (; I know too!
I don't know if it is related, but you could perhaps try the patch at the
end of this report
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yesnumbers=5420
/Markus
Josh Grosse wrote:
I have an i386 laptop with two NICs: xl(4) and an(4).
For me, trunk(4) does not seem to be able to
I did NOT suggest blocking ALL ICMP, just echo-request and echo-
replies from internal hosts to untrusted IPs. Trojans have used
echo-request and echo-reply as a method of covert communication. If
you had read the original post you'd see that $icmp_types was defined
to be echoreq.
Although it's not well known TCP seriously depends on ICMP packets of
type 3 code 4 for Path MTU Discovery (PTMTUD). Blocking of these
packets lead to congested IP connections, broken transmissions and thus
to frustrated users.
Some documentation:
http://en.wikipedia.org/wiki/Pmtud
On 2007/04/26 01:01, chefren wrote:
Although it's not well known TCP seriously depends on ICMP packets of
type 3 code 4 for Path MTU Discovery (PTMTUD). Blocking of these
packets lead to congested IP connections, broken transmissions and thus
to frustrated users.
for PF, 'keep state' on
On 2007/04/26 08:02, Mathieu Sauve-Frankel wrote:
I did NOT suggest blocking ALL ICMP, just echo-request and echo-
replies from internal hosts to untrusted IPs. Trojans have used
echo-request and echo-reply as a method of covert communication. If
you had read the original post
Shipments of the OpenBSD Command-Line Companion Book have been delayed and
ETA is unknown at this time. According to the author's blog:
http://devguide.net
there was a problem with the UPS shipment, but we are unable to contact
Jacek Artymiak directly, and we have no tracking number for the
On Wednesday, April 25, Chad M Stewart wrote:
I did NOT suggest blocking ALL ICMP, just echo-request and echo-
replies from internal hosts to untrusted IPs.
And how is this not violating RFCs?
Trojans have used echo-request and echo-reply as a method of covert
communication.
I've you've
On Wed, Apr 25, 2007 at 04:38:32PM -0700, Austin Hook wrote:
Shipments of the OpenBSD Command-Line Companion Book have been delayed and
ETA is unknown at this time. According to the author's blog:
http://devguide.net
there was a problem with the UPS shipment, but we are unable to contact
Tobias Weingartner wrote:
Telling people to worry about the door to the barn after the horse
has left is not FUD? It's not misdirection? Tell them to solve the
root of their problems instead.
Don't poo-poo his effort to mitigate information leaks.
Did you realize that even LAMP can be used
On Wed, 25 Apr 2007, Diana Eichert wrote:
Now I have another question. In order to get power down to work, you have to
set powerdown=YES to power down the unit. Now that's pretty obvious, but
why when you run shutdown -r/reboot does the system power down? Doesn't
that obviate the reboot
On Wed, 25 Apr 2007, Diana Eichert wrote:
on further perusal through reboot.c I see where the -p switch only works if
program is called as halt.
case 'p':
/* Only works if we're called as halt. */
if (dohalt) {
On 4/25/07, Austin Hook [EMAIL PROTECTED] wrote:
Shipments of the OpenBSD Command-Line Companion Book have been delayed and
ETA is unknown at this time. According to the author's blog:
http://devguide.net
there was a problem with the UPS shipment, but we are unable to contact
Jacek Artymiak
chayashida wrote:
I am trying to install OpenBSD 4.0 on a Dell OptiPlex 745. The computer
has a SATA CD-ROM and a SATA hard drive.
After the install/upgrade/shell part, I see a lot of kernel messages.
Everything looks normal, and it looks like all of my hardware is detected.
The install
On Wednesday 25 April 2007 17:48, Jason Dixon wrote:
Tobias Weingartner wrote:
Telling people to worry about the door to the barn after the horse
has left is not FUD? It's not misdirection? Tell them to solve
the root of their problems instead.
Don't poo-poo his effort to mitigate
On 4/26/07, chayashida [EMAIL PROTECTED] wrote:
chayashida wrote:
The install appears to go okay, but then it hangs after the file sets are
copied. It doesn't matter if I select all, some, or the minimal file sets:
the installation always hangs after the copy is finished. I tried a
separate
Jeffrey wrote:
uh... so many CDs... which CDs are u using? And why should u be
modifying them in the first place?
I was installing the servers in at a low-bandwidth site, so I downloaded the
4.0/i386 directory from the ftp site and burnt it to a CD at a site with a
better connection. It
Is it possible for users (non-root) to mount NFS exports?
I seem to be able to mount_nfs using sudo, but not as a regular user.
I actually want to allow regular users to mount the NFS share from
another machine/OS (MacOSX), but since I couldn't get a regular user
to do the mount just on the local
On Thu, Apr 26, 2007 at 03:33:47AM +, Douglas Maus wrote:
Is it possible for users (non-root) to mount NFS exports?
From mount_nfs(8):
HISTORY
The -P flag historically informed the kernel to use a reserved port
when communicating with clients. In OpenBSD, a reserved port is
Tobias Weingartner wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
Bull. Not allowing
52 matches
Mail list logo