Am 22.03.2009 um 03:21 schrieb Mark Bucciarelli:
Is there danger in upgrading to the latest
snapshot using a script?
AFAIK you can use OpenBSD-binary-upgrade for the job:
http://www.han.dds.nl/software/OpenBSD-binary-upgrade/
Regards,
Falk
Am 16.03.2009 um 14:58 schrieb Falk Brockerhoff - smartTERRA GmbH:
I run OpenBSD 4.4 GENERIC#1021 i386 on a Dell Poweredeg 2650 System
as a firewall. Lan side I configured multiple carp Interfaces -
without any backup system at the moment (for testing purposes).
Almost all is running fine
Hi,
I run OpenBSD 4.4 GENERIC#1021 i386 on a Dell Poweredeg 2650 System as
a firewall. Lan side I configured multiple carp Interfaces - without
any backup system at the moment (for testing purposes). Almost all is
running fine, but sometimes I get a no route to host error - not for
all
Hello,
I like to monitor my firewalls using snmp and cacti. But I don't know
how to get all the information about pf, states, etc. On the net I
only found hints about older OpenBSD Versions (I use OpenBSD 4.4 -
stable and the included snmpd). Can you please give me a hint into the
right
Am 04.03.2009 um 11:23 schrieb Lars Noodin:
It's probably simplest to start with pftop.
After a first quick look pftop is a great tool for debugging und
manually monitoring firewall activity. But it seems that I really
can't use it for a data source collector for cacti, can I?
Or do you
Am 04.03.2009 um 11:11 schrieb Stephan A. Rickauer:
As far as I remember, including a 'PF-MIB' into opensnmpd is on
reyk@'s
ever growing todo list already.
Good news, that this is on a todo list. Bad news, that this list is
ever growing. :)
But thanks for this information anyways!
Am 04.03.2009 um 14:10 schrieb Jason Dixon:
Here's how you can use net-snmp's extend functionality:
$ cat /usr/local/sbin/countPFstates.sh
#!/bin/sh
pfctl -si | grep entries | awk '{print $3}'
Ok, this is a way we can go. Is there any possibility to use the
extend feature with openbsd
Am 04.03.2009 um 14:46 schrieb Jason Dixon:
Other people use the PF-MIB patch to net-snmp. We don't need that
functionality. We like to monitor the following for our PF
firewalls in
Cacti:
The number of the passed and blocked packets would be also
interesting. Perfect, if I can get
Hi,
I'm using relayd for loadbalancing incoming tcp traffic, works fine
like a charme :-)
But as relayd works like a proxy, in the log files of my applications,
there is always the ip address of the load balancing node and not of
the real client. Is there a way to have relayd have all
Am 08.02.2009 um 16:18 schrieb Todd C. Miller:
Do you know whether tentakel is running ssh with the -t flag or
not?
I think tentakel's running without this flag. In the file /etc/
tentakel.conf I can see:
# first section: global parameters
set ssh_path=/usr/bin/ssh
Adding a -t at the end
Am 09.02.2009 um 09:53 schrieb Claudio Jeker:
Please try the attached diff.
A general question about diffs like this: will these diffs
automatically go to -current in the next couple of days/weeks? Or do I
have to apply all these patches by hand?
:wq Claudio
Thanks,
Falk
Am 09.02.2009 um 11:23 schrieb Claudio Jeker:
If the diff works it will go into -current. So currently I'm waiting
for
positive test results and hopefully an ok by henning@
Perfect. Thank you (and Henning and all the others), once again, for
your incredible and fast support!
:wq
Hi there,
is there any way to execute sudo (in combination with a password to
provide) on remote servers using tentakel? Actualy tentakel hangs,
when I'm executing sudo ls -l / on a bunch of servers. Without sudo
anything works fine, as you can see from the example below.
Hi there,
I just installied tentakel tentakel-2.1.2p1 using python-2.5.2p4 on
OpenBSD 4.4 GENERIC#1021 i386. When I call this utility I get the
following error message:
$ tentakel
Traceback (most recent call last):
File /usr/local/bin/tentakel, line 94, in module
Am 07.02.2009 um 23:11 schrieb Tasmanian Devil:
Hello! :-)
Hi :)
What you need is:
Ok, thank you for your hint. I tried, and now tentakel's running fine :)
Tas.
Regards,
Falk
Am 07.02.2009 um 18:39 schrieb Falk Brockerhoff - smartTERRA GmbH:
but I'm not able to install neither python-2.4.4p4 or python-2.4.4p6
(from 4.2 / 4.3 packages) on my (4.4) system:
Hint for myself: works with python-2.4.4p7.tgz from 4.4 packages
*selfslap*
Regards,
Falk
Am 10.12.2008 um 23:32 schrieb Claudio Jeker:
The best thing we can do is to mark the update as ineligible so it
will
not propaget further and will not be used but this is a quite radical
measure. On the other hand this is porbably the safest way to handle
this
error.
Sound good for me.
Am 09.01.2009 um 12:21 schrieb Darren Tucker:
echo $SSH_CLIENT | cut -f1 -d' '
Perfect. Thank you (and all the others) for your support!
Falk
Hi,
is there any gentle way how to determine my ip address if I connected
via ssh to an openbsd system?
who -m shows only my FQDN, but not all providers provide correct RNDS
records.
any idea? I'm not a c programmer, so a way using bash or perl would
be fine.
Falk
Am 02.11.2008 um 23:06 schrieb Claudio Jeker:
If you can reproduce the situation please include all the RIB
information
for the prefix:
As the router are in a productive environment I can't reproduce this
situation without any outage. But I'll set up a test environment and
come back to
Hi,
I have to routers running 4.3 GENERIC#826 i386 and 4.2 GENERIC#476
i386. On both routers I runs a BGP session to the same Juniper Router.
Last weekend there was a configuration change on my neighbor's side:
it would not accept any prefix more or equal (!) specific to /24.
Except for
Am 14.03.2008 um 08:13 schrieb Marc Balmer:
Falk Brockerhoff - smartTERRA GmbH wrote:
I think a good solutions is to look if the given interface is a
carp interface and to figure out the carpdev interface. Then this
can be used to listen on. But my programming skills are really
poor
Hi,
I run a firewall cluster with several vlans configured on one physical
interface. On this vlans I have a carp interface. Same on a second
firewall node, so failover is fine.
To be able to install or boot servers from the network I set up an PXE
boot server. But it's a little bit
Hi,
I think a good solutions is to look if the given interface is a carp
interface and to figure out the carpdev interface. Then this can be
used to listen on. But my programming skills are really poor, else I
would provide a patch...
Regards,
Falk
Hi,
I cleaned up my attic and found some kind of hardware I do not need
any more. I'm not at home at the moment, but AFAIR there is a Sun
Sparc 2 and a Sun Ultra 5. Perhaps there is an DEC Alpha Workstation
II, too.
Can be picked up in Duisburg / Germay. If you like you can spend some
Hi,
I think it was an hardware issue. With another PE2650 Server everything
works fine, when acpi is disabled:
OpenBSD 4.2-current (GENERIC) #642: Tue Jan 8 17:06:33 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel
Hello,
I just installied OpenBSD 4.2 i386 Release on a Dell Poweredge 2650.
Install works fine, but the server hangs at boot. enable acpi on the
UKC fixed this.
After succesfully booting I updated to the latest snapshot (the laste
before the actual from 15.01.2008) with the help of
Hello,
I'm running two Dell Poweredge 2650 Servers with dual Xeon 2,2 GHz und 5
Gig Ram as a redundant firewall cluster, using Broadcom and Intel
Gigabit Cards (bge and em Drivers).
Last weekend I got a Denial of Service Attack on my network which brings
the firewall to its limits. As some
Henning Brauer wrote:
Hi Henning,
* Falk Brockerhoff [EMAIL PROTECTED] [2008-01-09 14:09]:
works fine up to roundabout 100-120k pps.
I have had and seen _way_ more than that.
Can you please provide some details of the configuration and tweaks you
have done to handle this amount of pps
Henning Brauer wrote:
well, that has been detailed to this list a hundred times...
not much tuning required.
Oh, sorry, I should have had a look at the mailing list archive. I'm not
reading the list all the time. Thank you for your hint!
GENERIC kernel, no SMP (hurts in that case), right
Lars NoodC)n wrote:
we're using G5 HP DL360 and DL380 with no problems whatsoever.
Except that the machine uses Intel Celeron/Xeon/Pentium and not G5. Had
my hopes up for a second or two there until I saw the actual spec sheet.
I think he meant HP DL360/DL380 G5 (Generation five), not the
Der Engel wrote:
Hello,
Hi,
Is it posible to do vlan trunking between an OpenBSD and a cisco
switch? I know you can create vlan interfaces in OpenBSD but how would
they be trunk with the switch?
Yes, without any problems.
$ cat /etc/hostname.em5
Markus Lude wrote:
AFAIK this is the usual way. Make sure each instance use its own data
file.
Oh, ok. Thank you for your post. I've done it this way:
I have several lines of vlanXXX = carpXXX:network in the file /etc/pf.conf
In /etc/rc.local I placed this snippet:
echo -n ' arpwatch'
for
Hello,
does arpwatch (or any other kind of such tools you can suggest) supports
watching multiple interfaces at once? I have one physical interface with
several vlans configured on it and the same count of carp interface on
top of the vlans. I would like to have a look at the known-arp addresses
Camiel Dobbelaar wrote:
A better test would be to try if you can nc target 21 from the
firewall.
I'll try it from outside the firewall. As I tried in the past rdr/nat
rules on specific interfaces will only work on incoming, not outgoing
connections.
Please don't edit the information... Did
Hello,
I'm using pf and ftp-proxy on an OpenBSD 4.2 GENERIC#374 i386 box. Most
the time everything works fine, but sometimes ftp-proxy reports a no
route to host in /var/log/messages. I can reproduce this behaviour, but
I'm able to ping the target ftp host on the cli at the same time
ftp-proxy
Camiel Dobbelaar wrote:
What does the logging say exactly? How do you reproduce it?
When I try to connect a ftp daemon behind the firewall I can see the
following entry in /var/log/messages
/var/log/messages.2.gz:Oct 2 09:58:32 buffy ftp-proxy[21285]: #478593
proxy cannot connect to server
Hi,
I just trapped into a little bug within the combination of OpenBGPd,
Carp and the depend on directive. I'm using the latest OpenBSD 4.2
snapshot on i386.
When I configure the eBGP session without any carp interface the kernel
routing table got the right next-hop: my eBGP neighbor. Same
Hello,
in the last weeks I played around a much with OpenBGPd, ifstated, vlans,
carp, pf and pfsync. I have some trouble, but could always fix the
problem or find a workaround. Because I don't have many I can do without
on the production site of my setup, I run my tests only with one eBGP
Henning Brauer schrieb:
did you pull the carp fix from -current that I pointed you to a few
times? tha behaviour you describe isexactly what happens when carp
mucks with routes w/o any indication o the routing socket.
As far as I remember I'm running OpenBSD 4.1 GENERIC#320 on these boxes.
Stuart Henderson schrieb:
N.B. I'm not picking on you, I just thought I'd jump on it as saying
GENERIC#foo would be an easy habit for other people to get into,
even though !!dmesg is less typing :-)
No problem, you're right. But at the moment the box is at the datacenter
and is switched off
bofh schrieb:
I've been impressed by HP's sliding rails.
Yeah, they are realy fantastic! But only useable with HP servers...
For other servers I use a 19 1U clipboard on the backside of the rack,
where the server lies on. On the foreside I use the normal 19 brackets
of the server an some
Henning Brauer schrieb:
i believe that isfixed in -current
Oh, this would be really nice. Hm, yesterday I switched off ospf on both
routers and set static routes to the other loopbacks and eBGP next-hop
adresses and configured ifstated for a plenty of interfaces - today it
seems I'm switching
Falk Brockerhoff schrieb:
Ok, I'll give it a try. I assume 4.1 GENERIC#320 is current enough?
In this version the bug is NOT fixed. I will try an update and this
setup again tomorrow.
# ospfctl sh rib
Destination Nexthop Path TypeType Cost
Uptime
195.140.213.0/24
Claudio Jeker schrieb:
There are still some issues with carp and the routes it modifies on the
fly. Ospfd and bgpd have problems to see carp routes as connected.
You can force ospfd to redistribute the route by mentioning the network
directly in the redistribute statement for now until the
Hello,
I don't know, if this is a bug, but I can recognize a strange thing. Im
setting up a redundant pair of routers and run some tests with carp for
the failover on the lan side. Because of the bug refreshing the kernel
routing table when changing carp-state I use ifstated with an route
delete
Falk Brockerhoff schrieb:
Could you please post your script? I really like to participate from
your work; this behaviour hasn't changed in an actual snapshot...
Ok, a reply to myself. If someone else runs into the same bug, here is a
snippet of my /etc/ifstated.conf:
carp213_up = carp213
Hi List,
upgrading to 4.1 GENERIC#270 solves this bug.
Thanks for your work!
Falk
FranC'ois Rousseau schrieb:
I have a very similar issue and I working on a solution with ifstated
daemon.
This sounds like a good workaround.
I will post my script on this mailing list when I will have time to
finish it (probably in a few days)
Could you please post your script? I really
Henning Brauer schrieb:
there is some weird unresolved bug in (or rather, with) em. only seems
to happen with multiport ems.
Maybe I can insert a delay before starten ospfd/bgpd; manually starting
after boot works fine.
I run this setup an two Dell Poweredge 1650 boxes with two em-interfaces
Claudio Jeker schrieb:
Most people use carp on both sides of the firewall and then preemption
will take care of makeing the backup system invisible to the network. If
you are using carp with ospfd you need at the moment dedicated carp boxes
that connect to your ospf cloud. The carp backup
Hi,
I installed the latest snapshot, but this issue still exists. Instead of
sh /etc/netstart carp213 I also can try ospfctl fib decouple/couple
to update the kernel routing table.
Hm, anybody an idea how to solve this problem?
Regards,
Falk
Claudio Jeker schrieb:
I updated both system to the latest snapshot. The problem still exists.
Could be you're hitting a similar bug as Jon Morby even though your system
does not fatal at the same place.
Hm, how can I help to isolate the bug? Tell me, what I can do to support
you!
May 1
Claudio Jeker schrieb:
Currently the routing table prefers any present route even if the
corresponding interface is not up. carp(4) does dirty tricks but the
network route is not touched and so all traffic hitting that backup box is
effectifly blackholed.
Yes, that's exactly what I see here
Hello,
I'm running OpenBSD4.1 from the CD and just updated my source-tree to
current a few minutes ago. I only compiled ospfd, ospfctl, bgpd and
bgpdctl and installed it. I left the rest of the system untouched.
I'm running one eBGP and one iBGP Session which worked fine with 4.1.
Box A is
Hello,
I'm running two boxes with a carped-interface facing my LAN. Box A is
connected to the internet (interface em0) and has a direct link to Box
B (Interface em1 on both sides). Both boxes are connected to my
LAN-Switch (via Interface em3) where a single workstation is connetcted.
I configured
Ben Calvert schrieb:
there are differences between OPENBSD_4_1 ( what's on the CD ) and HEAD
( current ) If you expect people to answer your questions, you have to
choose one or the other.
Hm, ok, I will update the whole installation and come back to you.
Thanks for your hint.
Falk
Hello,
I played around with two boxes and installed OpenBSD 4.1 from CD,
configured OSPF und BGP between this two boxes (I connected them via a
crossover cable) and finally tested everything doing a reboot:
both boxes are booting fine 'till the login-prompt. But one of the two
boxes always
Gregory Edigarov schrieb:
yes, I know about these projects, they are used with Linux, in fact
(l2tpd). and I've got l2tpd to compile on openbsd. The problem is, I
need a confirmation they will work correctly, because I will have
only one try.
Especialy with new platforms you don't
Darrin Chandler schrieb:
Have you got yours yet?!
Err, no. Thanks for the link :-)
Now I have placed my order :)
Your order currently is:
- 1 [B01] Building Firewalls with OpenBSD and PF Book @ EUR 40.00
- 1 [CD41] OpenBSD 4.1 CD @ EUR 50.00
Regards,
Falk
Hello,
actualy I'm using some Cisco equipment and one OpenBGPd Box to connect
the eBGP-Upstreams to my network. I want to replace this setup in the
next couple of month by two OpenBSD boxes. I planned to do it this way:
I want to connect some eBGP session to both boxes and an direct iBGP
link
Claudio Jeker schrieb:
Hmm. For some reasons the carp route is not cleared correctly.
I'll have a look at it.
Do you have any news on this topic? I like to run OpenOSPFd on my
routers, but since the bugfix there isn't any redundancy. Hope to hear
some good news :)
Thanks!
Falk
Claudio Jeker wrote:
Hmm. For some reasons the carp route is not cleared correctly.
I'll have a look at it.
Thanks, I would be happy if this works.
Btw. I think for your simple setup with two bgpd routers and one carped LAN
network behind them does not need ospfd. Try to keep it simple
Hello,
I just set up OSPF to talk within two OpenBSD-Boxes (Pinky and Brain, do
you remember? :-). On both machines I configured a carp interface to
provide a default gateway for my local VLANs. The configuration was very
easy and intuitive. OSPF is redistributing routes only for
And the output of the forwarding database with the unexpected nexthop of
the local interface instead of the opsf-neighbor:
# ospfctl sh fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags Destination Nexthop
C 195.140.212.0/24 link#22
I killed the ospfd-process
Hello,
I just set up two identical machines to make some tests with vlan, carp
and openbgpd to replace my cisco routers in the next couple of months.
VLAN- and carp-configuratin is quite easy, it works out of the box and
without any problems. OpenBGPd runs fine, too. Err, nearly fine.
I
Claudio Jeker wrote:
bgpd only sends the selected routes to the neighbors and the announced
network from 194.9.86.1 has higher precedence and so only 194.9.86.2 has
both networks in the table. If you remove the network on 194.9.86.1,
194.9.86.2 would announce the network to 194.9.86.1.
Ah,
Hello,
has anybody wrote a nagios plugin to check the presence of some
specified bgp-peers set up with openbgpd? In the past I used check_bgp
in combination with cisco routers, which checks the peer-state via snmp.
Regards,
Falk
Hello,
I want to connect an openbsd router to two swichtes in case of
redundancy. These two switches are connected together, so that I think
trunk in failover mode may be the right way, isn't it?
To create a full redundant setup I want to connect a second openbsd
router. Is there a possibility
Hello,
what's about running several dhcp processes parallel, listening only on
the ip address associated to the specified interface? You can configure,
in each configuration file, the ip-addresse and the corresponding mac
address, so you will get always the same ip-address...
Regards,
Falk
version because of the next-hop self-feature...
Regards,
Tom
Regards,
Falk Brockerhoff
[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a
name of fb.21337DEFANGED-vcf]
Hello,
on my OpenBSD 3.9 borderrouter I configured a BGP session to my
core-router and to several external bgp-neighbors. The core-router
announces my prefixes via iBGP to my borderrouters. These announced this
prefixes via eBGP to my neighbors and thus to the world.
For my local transfer
Hello,
is there an equivalent for cisco's
sh ip bgp neighbors neighbor advertised-routes
and
sh ip bgp neighbors neighbor received-routes
Regards,
Falk Brockerhoff
[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a
name of fb.6276DEFANGED-vcf]
advskew 100 pass secretpasswort 192.168.0.2
netmask 255.255.255.128
ifconfig_carp0_alias0=inet 192.168.0.10 netmask 255.255.255.128
ifconfig_carp0_alias1=inet 192.168.0.11 netmask 255.255.255.128
Regards,
Falk Brockerhoff
secretpasswort 192.168.0.3
netmask 255.255.255.128
ifconfig_carp0_alias0=inet 192.168.0.10 netmask 255.255.255.128
ifconfig_carp0_alias1=inet 192.168.0.11 netmask 255.255.255.128
But both servers assumes to be in master-state :-/ Is this a FreeBSD-
specific or a generel carp-problem?
Regards,
Falk
. But I still have
no idea how to fix this problem. I would be really happy, if someone
can investigate this behavior.
Regards,
Falk Brockerhoff
Am 29.03.2006 um 14:32 schrieb Falk Brockerhoff:
that, again, is sth nobody ever asked for or missed :)
however, the (completely untested except for compilation) diff below
should add set nexthop self.
Ui, you're realy fast :-) Thank you for your quick response. I'll
compile this and test
this with openbgp?
I hope you can give me a hint to solve this to little problems, thanks!
Regards
Falk Brockerhoff
as
Development-Core next weekend. I'll give you a feedback about it.
Regards,
Falk Brockerhoff
79 matches
Mail list logo
