Re: eSATA support?
On Sun, 21 Sep 2008, Brian wrote:
I'm thinking about picking up an eSATA pci card and backing up my data to an external hd over eSATA using rsync. Is this supported?

eSATA is a connector, cable and electrical specification and otherwise is identical to regular SATA. If the particular adapter's chipset you have chosen is supported for SATA then it will work for eSATA.

-d
Re: alix help
Vladimir Kirillov [EMAIL PROTECTED] writes:
On 12:55 Sun 21 Sep, [EMAIL PROTECTED] wrote:
/etc/boot.conf:
set tty com0
stty com0 38400

I think it's better to set com speed _before_ setting com0 as tty, it can start throwing garbage into console, as was observed on a soekris net4801:
stty com0 38400
set tty com0

If I set the speed before setting com0 as tty, I don't get garbage on the serial console but I don't get the boot prompt. If I set com0 as tty before setting the speed, I get a bit of garbage but I also get the boot prompt. I highly prefer the latter. But what I see on my console is maybe because I didn't read enough manual material.

A+
-AJ
Re: Need Help badly - PF related
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Why is the user in the below pflog getting blocked, whereas most of the users can access the website just fine?

tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)

Here is my pf.conf file:

# MACROS
ext_if=fxp1
int_if=fxp0
pf_log=pflog0
icmp_types=echoreq

OPTIONS
# set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
block in log (all, to pflog0)
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

If this is a newer OS version, flags S/SA and keep state are redundant. If it's an old one, your pass in quick on $int_if should also use them.
Re: alix help
Hi,

Kendall Shaw [EMAIL PROTECTED] writes:
If I were able to upgrade the bios, I don't know how I will actually install openbsd on the disk. Aside from transferring files using Xmodem, what is the procedure for actually installing an image onto the CF card?

I usually install such systems by booting from install43.iso in a virtual machine to which the CF card is plugged via usb. I then make a normal installation on the cf card instead of the hard drive. I did it with both virtualbox and vmware for both soekris and alix boards.

Before rebooting, you have to edit /etc/boot as follows:
set tty com0
stty com0 38400

and modify the line in /etc/ttys starting with tty00 as follows:
tty00 /usr/libexec/getty std.38400 vt100 on secure

If you've installed the system through a vm, the CF card will not appear as the same device node. You'll thus edit /etc/fstab to reflect the change (usually change sd0 w/ wd0). Also remember to change the network config. Your network card certainly won't be the same on the vm and on the board.

This way to install OpenBSD is not the simplest one (in regard to the pxeboot one) but has the advantage of not having to put pxe stuff on the network.

A+
-AJ
Re: Need Help badly - PF related
On Sun, Sep 21, 2008 at 10:00:58PM -0700, Parvinder Bhasin wrote:
I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it. I don't know what gives. I have asked on the list for help but haven't still resolved this. I would really appreciate any help. Why is the user in the below pflog getting blocked, whereas most of the users can access the website just fine? I have spent countless hours on this. I really don't want a PIX firewall. When I switch to the pix the access seems fine.

tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)

Here is my pf.conf file:

# MACROS
ext_if=fxp1
int_if=fxp0
pf_log=pflog0
icmp_types=echoreq

OPTIONS
# set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
block in log (all, to pflog0)
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

Show the output of `pfctl -sr` and `pfctl -sn`. Also, capture the states of this client when this is happening:

$ sudo pfctl -ss | grep 75.18.177.36

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: pf to block against DDoS?
Redd Vinylene wrote:
... You can also use two tables so that the first overload gets shunted to a slow queue and given a second chance before ending up in the second table which gets blocked. ...

Lars Noodin:
Would you happen to have an example of that?

Not really, here is an illustration of how it might be approached:
http://www-personal.umich.edu/~lars/PF/pf.ssh-2tables.conf

I expect that the last-rule-matched takes care of the decision. However, there might be some divergence between what I think it does and what it really does. Another question is, in which cases is that useful?

Regards
-Lars
Re: isakmpd on 4.3: pf_key_v2_write: writev failed
On Fri, Sep 19, 2008 at 12:33:36AM +0200, Lukas Ratajski wrote:
IPsec tunnel between two computers - a Soekris net5501 running [...]
key_encrypt: bits 256:

The crypto driver for the net5501 does not support 256-bit AES. You have to switch to 128-bit AES keys or backport revision 1.15 of http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/pci/glxsb.c (and replace M_ZERO with a call to bzero()).

-m
Re: Need Help badly - PF related
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Stuart/Jason:

The OS version is 4.3. I did pfctl -x misc and I don't see any messages appearing related to the bad connection from that IP. I logged on remotely on one of the systems and tried accessing the site but nothing showed up in /var/log/messages. Here is the output:

# pfctl -x misc
debug level set to 'misc'
# tail -f /var/log/messages
Sep 19 07:02:34 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (209.132.176.4)
Sep 19 07:02:34 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (208.53.158.34)
Sep 20 02:00:01 firetalk syslogd: restart
Sep 20 04:00:02 firetalk syslogd: restart
Sep 20 14:00:02 firetalk syslogd: restart
Sep 21 02:00:01 firetalk syslogd: restart
Sep 21 20:43:56 firetalk ntpd[18456]: 3 out of 5 peers valid
Sep 21 20:43:56 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (209.132.176.4)
Sep 21 20:43:56 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (208.53.158.34)
Sep 22 02:00:01 firetalk syslogd: restart

Here is the output from pfctl -vss - with the host (75.18.177.36) trying to access the website:

# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:04:07, expires in 00:00:31, 1364:1364 pkts, 103664:103664 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123       MULTIPLE:MULTIPLE
   age 12:04:07, expires in 00:00:31, 1364:1364 pkts, 103664:103664 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:04:30, expires in 00:00:57, 1138:1138 pkts, 86488:86488 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123       MULTIPLE:MULTIPLE
   age 10:04:30, expires in 00:00:57, 1138:1138 pkts, 86488:86488 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:06:08, expires in 00:00:47, 355:355 pkts, 26980:26980 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123       MULTIPLE:MULTIPLE
   age 03:06:08, expires in 00:00:47, 355:355 pkts, 26980:26980 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654074524 + 524232] wscale 0  [3656802774 + 16952] wscale 3
   age 00:07:21, expires in 24:00:00, 490:427 pkts, 35301:77260 bytes, rule 11
all tcp 216.39.62.89:25 <- 172.16.10.12:29315       CLOSED:SYN_SENT
   [0 + 16384]  [4185608820 + 1]
   age 00:00:33, expires in 00:00:15, 3:0 pkts, 192:0 bytes, rule 14
all tcp 172.16.10.12:29315 -> 75.44.229.17:61775 -> 216.39.62.89:25       SYN_SENT:CLOSED
   [4185608820 + 1]  [0 + 16384]
   age 00:00:33, expires in 00:00:15, 3:0 pkts, 192:0 bytes, rule 1
all udp 75.44.229.17:21902 -> 66.250.45.2:123       MULTIPLE:SINGLE
   age 00:00:22, expires in 00:00:09, 1:1 pkts, 76:76 bytes, rule 1
# pfctl -vss | grep 75.18.177.36
# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:06:24, expires in 00:00:47, 1369:1369 pkts, 104044:104044 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123       MULTIPLE:MULTIPLE
   age 12:06:24, expires in 00:00:47, 1369:1369 pkts, 104044:104044 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:06:47, expires in 00:00:50, 1142:1142 pkts, 86792:86792 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123       MULTIPLE:MULTIPLE
   age 10:06:47, expires in 00:00:50, 1142:1142 pkts, 86792:86792 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:08:25, expires in 00:00:38, 359:359 pkts, 27284:27284 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123       MULTIPLE:MULTIPLE
   age 03:08:25, expires in 00:00:38, 359:359 pkts, 27284:27284 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654079468 + 524232] wscale 0  [3656804886 + 16952] wscale 3
   age 00:09:38, expires in 24:00:00, 603:497 pkts, 43349:85892 bytes, rule 11
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1125       SYN_SENT:ESTABLISHED
   [2398465402 + 65535]  [930424393 + 5840]
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 10
all tcp 75.18.177.36:1125 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
   [930424393 + 5840]  [2398465402 + 65535]
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 1
# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:06:31, expires in 00:00:40,
4.4-current on XenServer 5
I know virtualization is not one of the primary targets of OpenBSD. However, in case someone is interested, here's a dmesg of 4.4-current booting bsd.rd on latest XenServer 5 (Express, with Intel VT). As you can see, there is no harddisk detected. I am ready to help testing if a developer wants to look at it.

Cheers,
Stephan

OpenBSD 4.4-current (RAMDISK_CD) #883: Wed Sep 17 13:17:23 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(R) CPU E5410 @ 2.33GHz (GenuineIntel 686-class) 2.33 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16
real mem = 267976704 (255MB)
avail mem = 252547072 (240MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xfa4e0, SMBIOS rev. 2.4 @ 0xe901f (11 entries)
bios0: vendor Xen version 3.2.1 date 06/23/1999
bios0: Xen HVM domU
apm0 at bios0: Power Management spec V1.2
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfa780/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:01:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8c00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82441FX rev 0x02
pcib0 at pci0 dev 1 function 0 Intel 82371SB ISA rev 0x00
pciide0 at pci0 dev 1 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: QEMU HARDDISK
wd0: 16-sector PIO, LBA48, 5120MB, 10485760 sectors
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: QEMU, QEMU CD-ROM, 0.8. ATAPI 5/cdrom removable
cd0(pciide0:1:1): using PIO mode 0, DMA mode 2
Intel 82371AB Power rev 0x01 at pci0 dev 1 function 2 not configured
uhci0 at pci0 dev 1 function 3 Intel 82371SB USB rev 0x01: irq 5
vga1 at pci0 dev 2 function 0 Cirrus Logic CL-GD5446 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
unknown vendor 0x5853 product 0x0001 (class mass storage subclass SCSI, rev 0x01) at pci0 dev 3 function 0 not configured
re0 at pci0 dev 4 function 0 Realtek 8139 rev 0x20: RTL8139C+ (0x7480), irq 5, address c2:37:9e:eb:1b:19
rlphy0 at re0 phy 0: RTL internal PHY
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1
biomask ffed netmask ffed ttymask
rd0: fixed, 3800 blocks
uhidev0 at uhub0 port 2 configuration 1 interface 0 QEMU 0.8.2 QEMU USB Tablet rev 0.10/0.00 addr 2
uhidev0: iclass 3/1
uhid at uhidev0 not configured
softraid0 at root
root on rd0a swap on rd0b dump on rd0b
Re: 4.4-current on XenServer 5
Stupid me, the disk is there and OpenBSD runs just fine on it. Sorry for the noise.

On Mon, 2008-09-22 at 12:24 +0200, Stephan A. Rickauer wrote:
I know virtualization is not one of the primary targets of OpenBSD. However, in case someone is interested, here's a dmesg of 4.4-current booting bsd.rd on latest XenServer 5 (Express, with Intel VT). As you can see, there is no harddisk detected. I am ready to help testing if a developer wants to look at it.

Cheers,
Stephan

--
Stephan A. Rickauer
Institute of Neuroinformatics, University / ETH Zurich
Winterthurerstrasse 190, CH-8057 Zurich
Tel +41 44 635 30 50   Sec +41 44 635 30 52   Fax +41 44 635 30 53
Web www.ini.uzh.ch
Re: 4.4-current on XenServer 5
From: Stephan A. Rickauer [EMAIL PROTECTED]
To: misc misc@openbsd.org
Sent: Monday, September 22, 2008 11:24 AM
Subject: 4.4-current on XenServer 5

I know virtualization is not one of the primary targets of OpenBSD. However, in case someone is interested, here's a dmesg of 4.4-current booting bsd.rd on latest XenServer 5 (Express, with Intel VT). As you can see, there is no harddisk detected. I am ready to help testing if a developer wants to look at it.

Cheers,
Stephan

pchb0 at pci0 dev 0 function 0 Intel 82441FX rev 0x02
pcib0 at pci0 dev 1 function 0 Intel 82371SB ISA rev 0x00
pciide0 at pci0 dev 1 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: QEMU HARDDISK
wd0: 16-sector PIO, LBA48, 5120MB, 10485760 sectors
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2

Looks like a harddisk to me... am I missing something?

PK
snapshots/i386/MD5 out of sync?
Hi all,

it seems that the actual MD5 checksum of snapshots/i386/install44.iso differs from the one specified in snapshots/i386/MD5:

MD5 (install44.iso) = 519daedda756537d5efbe8ad5fd4eb23
MD5 (install44.iso) = f87b839db833380f41f02bd7fffb2d27

(My tiny little script that downloads snapshots has been reporting this since Saturday.)

Jan
wol clarification for multi-homed host
wol 0.7.1 seemed to be ignoring the option to restrict the broadcast to a particular subnet and/or doing nothing when that option is specified, but it turned out to be my misinterpretation of the man page:

-h HOST
--host=HOST
-i HOST
--ipaddr=HOST
    Broadcast packet to this IP address or hostname. This is important if your wol client is a multihomed host and you want to send only to one subnet (default IP address is 255.255.255.255).

Using the ip address of the interface (e.g. 192.168.4.1) or hostname there *does not* appear to work. However, sending to the subnet (?) e.g. 192.168.4.0 does do the trick.

That is from 4.4-current (GENERIC#1037) with two ethernet interfaces.

Regards,
-Lars
Re: alix help
someone mentioned working on it, but nothing further.. That was me. Unfortunately this is an ultra-low priority spare-time project =( The code is 95% ready, however, last time I worked on it was during Easter... It is a loadable kernel module that directly talks to the flash chip. - Christian
Re: Need Help badly - PF related
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Here is the output from pfctl -vss - with the host (75.18.177.36) trying to access the website:

Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if).

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
assembly for x86
Dear List, I'd like to study the assembly language of the x86 architecture. I've searched for books, but there are a lot of them. Could you please recommend me a good writer/book about this topic? Thank You!
Re: eSATA support?
Damien Miller wrote:
On Sun, 21 Sep 2008, Brian wrote:
I'm thinking about picking up an eSATA pci card and backing up my data to an external hd over eSATA using rsync. Is this supported?

eSATA is a connector, cable and electrical specification and otherwise is identical to regular SATA. If the particular adapter's chipset you have chosen is supported for SATA then it will work for eSATA.

-d

PCI card for (e)SATA ??? Does this mean the motherboard hasn't a SATA connector and/or does not have support? In that case, you would be better off with a fast USB. Again, MBs with no SATA don't have fast USBs either.

Since you are asking, I guess you should start with establishing a budget:
- eSATA (as USBs) will need an enclosure. These generally come with a power supply. As do external hard disks. Those cases cost the price of a hard disk.
- external hard disks often are supplied with two interfaces, any combination of Ethernet/USB/eSATA. Those with two interfaces usually are dearer, but the hard disk itself also is of better quality.
- external cabinets can be RAID and/or NAS (these are yet another computer in fact).
- recent fully integrated motherboards (with SATA and fast USB) are cheaper than a VGA card.

My eSATA disk is housed in an Antec cabinet (with extra cooling), comes with SATA and USB. I mostly use the USB interface as this one can easily be connected and disconnected on almost every box. eSATA brackets seem to be a spare that is hard to find at standard PC shops.
Re: pf to block against DDoS?
On Mon, Sep 22, 2008 at 10:36 AM, Lars Noodin [EMAIL PROTECTED] wrote:
Redd Vinylene wrote:
... You can also use two tables so that the first overload gets shunted to a slow queue and given a second chance before ending up in the second table which gets blocked. ...

Lars Noodin:
Would you happen to have an example of that?

Not really, here is an illustration of how it might be approached:
http://www-personal.umich.edu/~lars/PF/pf.ssh-2tables.conf

I expect that the last-rule-matched takes care of the decision. However, there might be some divergence between what I think it does and what it really does. Another question is, in which cases is that useful?

Regards
-Lars

This has been a very interesting example, Lars. Thanks a lot for sharing! As for your last question though, I think I know what you mean. It is to say, should a rapist really be given a second chance?

--
http://www.home.no/reddvinylene
Re: pf to block against DDoS?
Redd Vinylene wrote:
... a second chance?

Well ssh on port 22 does occasionally have legitimate uses and even occasionally legitimate users. So some kind of indicator (such as a slowdown) could be useful for them.

-Lars
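The two-table idea discussed in this thread, written out as an added illustration (this is not Lars's configuration from the URL above, which is not reproduced here, and not tested against it). It assumes OpenBSD 4.3-era pf.conf syntax, a macro $ext_if, and illustrative thresholds; last-matching-rule-wins is what routes a source already in the first table to the slower rule.

```pf
# Added example: two-stage handling of ssh connection floods.
# Assumptions: $ext_if is defined elsewhere; the 10/30 and 3/60 rates
# and the 5% queue share are illustrative, not recommendations.
table <ssh_slow>  persist
table <ssh_block> persist

# A small queue for sources on their "second chance"; replies to their
# connections are shaped through it, which slows them down without
# cutting them off.
altq on $ext_if cbq bandwidth 10Mb queue { std, slow }
queue std  bandwidth 95% cbq(default)
queue slow bandwidth 5%  cbq

# Stage 2: sources that exhausted their second chance get nothing.
block in quick on $ext_if proto tcp from <ssh_block> to any port ssh

# Stage 0: everyone else. More than 10 new connections in 30 seconds
# moves the source into <ssh_slow> and flushes the states this rule
# created for it.
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state \
    (max-src-conn-rate 10/30, overload <ssh_slow> flush)

# Stage 1: for a source in <ssh_slow> this rule also matches, and being
# the last match it wins. Its replies go out the slow queue, and more
# than 3 new connections per minute moves it on to <ssh_block>, killing
# all of its states ("flush global").
pass in on $ext_if proto tcp from <ssh_slow> to any port ssh flags S/SA keep state \
    (max-src-conn-rate 3/60, overload <ssh_block> flush global) queue slow
```

Neither table empties itself; a cron entry running pfctl -t ssh_slow -T expire 3600 (and a longer expiry for ssh_block) is what gives the second chance a time limit.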
Re: Need Help badly - PF related
On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Here is the output from pfctl -vss - with the host (75.18.177.36) trying to access the website:

Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if)

Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
#

-Parvinder Bhasin

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Need Help badly - PF related
On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Here is the output from pfctl -vss - with the host (75.18.177.36) trying to access the website:

Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if)

Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep foo` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
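The correlation Jason asks for, done by script rather than by eye, as an added example that is not part of the thread: it parses tcpdump-on-pflog0 lines and pfctl -ss state lines in the formats quoted above and reports, for each blocked packet, whether any state covers its addresses and ports. The sample lines are constructed from the thread's output (the state for client port 1106 is made up so that one blocked packet correlates and one does not); the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Sample input, constructed for this example from the thread's pflog and
# pfctl -ss output. The state for port 1106 is constructed so that one
# blocked packet has a matching state and the other does not.
PFLOG_LINES = [
    "Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: "
    "172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)",
    "Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: "
    "75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)",
]
STATE_LINES = [
    "all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1106"
    "       SYN_SENT:ESTABLISHED",
    "all tcp 75.18.177.36:1106 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT",
]

# "rule N/(reason) action dir on iface: src.sport > dst.dport:"
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
ENDPOINT_RE = re.compile(r"^([\d.]+):(\d+)$")

Endpoint = Tuple[str, str]


def parse_pflog(line: str) -> Dict[str, str]:
    """Parse one tcpdump -i pflog0 line into rule, action, direction and 4-tuple."""
    m = PFLOG_RE.search(line)
    if not m:
        raise ValueError("not a pflog line: %r" % line)
    return m.groupdict()


def parse_state(line: str) -> Dict[str, object]:
    """Parse one pfctl -ss line: interface, protocol, endpoint chain, state pair.

    A translated (nat/rdr) state shows three endpoints, the middle one being
    the translated address; the arrow gives the direction the state was
    created in ("<-" inbound, "->" outbound).
    """
    tokens = line.split()
    endpoints: List[Endpoint] = []
    for tok in tokens[2:-1]:
        m = ENDPOINT_RE.match(tok)
        if m:
            endpoints.append((m.group(1), m.group(2)))
    return {
        "iface": tokens[0],
        "proto": tokens[1],
        "dir": "in" if "<-" in tokens else "out",
        "endpoints": endpoints,
        "state": tokens[-1],
    }


def correlate(pflog_lines: List[str],
              state_lines: List[str]) -> List[Dict[str, object]]:
    """For each blocked packet, find the states whose endpoints cover its 4-tuple.

    Indented continuation lines from pfctl -vss (age, sequence windows) are
    skipped, so -ss and -vss output can both be fed in.
    """
    states = [parse_state(l) for l in state_lines if l and not l[0].isspace()]
    findings = []
    for line in pflog_lines:
        pkt = parse_pflog(line)
        key = {(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])}
        matches = [s for s in states if key <= set(s["endpoints"])]
        if matches:
            note = ("a state covers this 4-tuple, yet pf fell through to rule "
                    "lookup: compare the state's direction and translated "
                    "addresses with the packet, and check pfctl -x misc output")
        else:
            note = ("no state covers this 4-tuple, so the packet had to match "
                    "a pass rule on %s and did not" % pkt["iface"])
        findings.append({"packet": pkt, "matched": bool(matches),
                         "states": matches, "note": note})
    return findings


if __name__ == "__main__":
    for f in correlate(PFLOG_LINES, STATE_LINES):
        p = f["packet"]
        print("%s %s on %s %s:%s > %s:%s (rule %s): %s" % (
            p["action"], p["dir"], p["iface"], p["src"], p["sport"],
            p["dst"], p["dport"], p["rule"], f["note"]))
```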
Re: New scheduler, same problem (ALTQ questions)
Chris McGee wrote:
Hi guys-

I've been using an OpenBSD firewall on my home network for about 10 years. I recently upgraded the hardware to a retired gaming machine and went to OpenBSD 4.3 (woo!). I'm playing with the new scheduler in altq, and I like the way that it works, but the documentation is iffy and it still doesn't look like it solves one problem that priq and cbq couldn't solve... prioritizing outbound traffic on a variable-bandwidth link. (Yes, I've got a cable modem. =D)

Here's the problem I'm trying to solve: My cable modem allows around 750kb/s when traffic is really ugly, and about 2100kb/s in the dead of the night. In order for the scheduler to know when to start limiting traffic, I have to tell it how fast the link is but I don't *know* how fast the link is, because it varies. I've been trying the following rules:

altq on $ext_if bandwidth 2048Kb hfsc queue { ack, dns, games, def, bt }
queue ack bandwidth 80% priority 6 qlimit 500 hfsc (realtime 50% ecn)
queue dns bandwidth 5% priority 5 qlimit 500 hfsc (realtime 5% ecn)
queue games bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5% ecn)
queue def bandwidth 5% priority 2 qlimit 500 hfsc (realtime 10% ecn default)
queue bt bandwidth 5% priority 1 qlimit 500 hfsc (upperlimit 80% red)

(the ack queue is TCP ack's, the dns queue is DNS requests, high priority user traffic and VOIP goes in games, and the rest is regular and low-priority user traffic.)

When I'm usually using the internet connection, my outbound bandwidth is probably around 1200kb. Cranking the bandwidth down to 750 or so is one solution, but then I'm artificially limiting my own upstream to the worst case scenario.

My questions are:

1) Is there a more effective way I could be doing the above?

Yes and no. You could have your modem checked by snmp every so many seconds to see what velocity it was getting from your ISP. But that is even if it supports it, and even if it changes the negotiated speed through these variations.

2) Regarding hfsc, what is the old bandwidth statement used for? It seems like it would be obsolete. Changing it doesn't seem to affect anything, either. The manpage doesn't say. :)

What do you mean by old bandwidth?

3) Another hfsc question- exactly what does the linkshare statement do? The manpage says: linkshare sc The bandwidth share of a backlogged queue.

The linkshare statement specifies how much of the bandwidth of that queue will be shared with other queues when not used. Think of it like a shared pool.

Thanks :)
--Chris

My suggestion would be for you to configure the highest rate you can get as the bandwidth for the interface, to see how it would be. If your rate decreases, it will get slow for the things that have less priority, but the altq implementation of OpenBSD kind of auto-regulates the token bucket based on the interface speed. If your modem doesn't get to renegotiate the speed with your ISP, then you are doomed, because snmp won't work, so your variable rate won't work either. You can do something. You can install syweb or any other graph tool to measure how your bandwidth varies through, I'd say, a week. Based on that, you can have cron entries to change your hfsc rates through the day. This could work also.

My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: Need Help badly - PF related
On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Here is the output from pfctl -vss - with the host (75.18.177.36) trying to access the website:

Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if)

Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep foo` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both.

# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Need Help badly - PF related
On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote: On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote: On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote: On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote: I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it. Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss. Here is the output from pfctl -vss - with the host(75.18.177.36) trying to access the website: Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise. $ sudo pfctl -ss | grep 75.18.177.36 I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if) Jason, Here it is without the noise. # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1056 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1056 - 172.16.10.11:80 ESTABLISHED:SYN_SENT # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1056 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1056 - 172.16.10.11:80 ESTABLISHED:SYN_SENT Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep foo` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both. # pfctl -sr scrub in all fragment reassemble block return in log (all) all pass out all flags S/SA keep state block drop in quick on ! lo inet from 127.0.0.0/8 to any block drop in quick on ! 
lo inet6 from ::1 to any block drop in quick inet from 127.0.0.1 to any block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any block drop in quick inet from 172.16.10.10 to any block drop in quick inet6 from ::1 to any block drop in quick on lo0 inet6 from fe80::1 to any block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state pass in inet proto icmp all icmp-type echoreq keep state pass in quick on fxp0 all flags S/SA keep state # pfctl -sn nat on fxp1 from ! (fxp1) to any - (fxp1:0) nat-anchor ftp-proxy/* all rdr-anchor ftp-proxy/* all rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www - 172.16.10.11 port 80 rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 - 172.16.10.12 port 3128 # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1057 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1057 - 172.16.10.11:80 ESTABLISHED:SYN_SENT And the blocked packets? -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: assembly for x86
--- Gábri Máté [Mon, Sep 22, 2008 at 01:45:30PM +0200]: --- Dear List, I'd like to study the assembly language of the x86 architecture. I've searched for books, but there are a lot of them. Could you please recommend me a good writer/book about this topic? i'm a beginner, but i picked up The Art of Assembly Language, a No Starch Press book by Randall Hyde. ISBN 1886411972. i'm sure there's a much longer list of books an assembly programmer should have at arm's reach, but this is the only one i'm using so far.
Re: assembly for x86
On Mon, Sep 22, 2008 at 1:45 PM, Gabri Mati [EMAIL PROTECTED] wrote: Dear List, I'd like to study the assembly language of the x86 architecture. I've searched for books, but there are a lot of them. Could you please recommend me a good writer/book about this topic? Thank You! You can ask or try to search on comp.lang.asm.x86, I think it's a better place for your question. You can also read the comp.lang.asm faq: http://www.frontiernet.net/~fys/faq/index.htm -- Gallon sylvestre OpenBSD fan | Rathaxes Core Developer LSE researcher | kernel developer for adeneo http://devsyl.blogspot.com/ | www.rathaxes.org
Re: Help with CARP
Not set on the MASTER, 230 on the backup. Saludos, Jose. Jonathan Carter wrote: I have it set to (1) on the primary and (100) on the backup. How high did you set yours? Jonathan -Original Message- From: Jose Quinteiro [mailto:[EMAIL PROTECTED] Sent: 20 September 2008 20:45 To: Jonathan Carter Cc: misc@openbsd.org Subject: Re: Help with CARP I had similar problems with a couple of little Soekris boxes. I solved it by increasing advskew. I think they can't handle the interrupt load at peak times. I'm in the process of replacing them. HTH, Jose. Jonathan Carter wrote: Hi Any ideas with this one please? I have 2 OpenBSD boxes running as a pair of firewalls using CARP + PF. This set up has already been working for 12 months. Last week I was troubleshooting network problems reported by my clients and I noticed that several CARP interfaces had failed over. I checked that there were no more problems with the primary firewall and I set the interfaces on the backup firewall back to BACKUP and made sure that the primary firewall interfaces were all set to MASTER. However I had intermittent timeout problems for the next 24hrs. Eventually I enabled loud debugging on PF and I saw that traffic was coming through both firewalls even though the backup firewall has all its CARP interfaces set back to BACKUP. I tried several basic TCP debugging techniques but in the end I set all of the CARP interfaces on the backup firewall to down. This is where I am at the moment. Can anyone point me in the direction of how I can investigate this further. I want to bring up the backup firewall interfaces as soon as possible so that I have my redundant set up but at the moment I am at a loss to think of what could be wrong. The only thing I can think of is that I have accidentally enabled load balancing - but I have checked the basics from the CARP documentation and, on the surface, it does not look like it. I am running 4.1 GENERIC#874 amd64 Regards Jonathan
3rd Purchasing Management Summit
III. PURCHASING AND SUPPLY CHAIN MANAGEMENT SUMMIT, 10-11-12 October 2008 / Sheraton Istanbul Hotel. www.bosphorusconferences.com / tel: 0-216 486 3O 95. Speakers (in order of presentation): Mehmet Ali NEYZI (Zorlu Enerji Group, Vice President), Yelda KABAKLARLI (AstraZeneca, Purchasing Manager), Dr. Fatih SARACOGLU (Frentek Otomotiv San. A.S.), Atilla FILIZ (production management specialist and author), Metin KANSU (industrial purchasing consultant, former purchasing manager at Otoyol Sanayi), Prof. Dr. Mehmet TANYAS (Okan University, Head of the International Logistics Department), Murat BOG (Ekol Lojistik, Deputy General Manager), Assoc. Prof. Dr. Gulcin BUYUKOZKAN (Galatasaray University, Industrial Engineering), Metin YILMAZ (Duzey Pazarlama, General Manager), Bulent CILINGIR (Zorlu Enerji Group, Purchasing Director), Huseyin CELIK (Acibadem Health Group, Purchasing and Logistics Director), Atilla YILDIZTEKIN (former General Manager of Arkas Lojistik; board member of UTIKAD, UND and LODER), Dilek OGAN (KESWICK), Feza OZALP (member of the Council of Supply Chain Management Professionals (USA); MBA lecturer at Bilgi University), Asst. Prof. Dr. Berrin AGARAN (Dogus University, Industrial Engineering), Umut Hulusi INAN (industrial engineer, M.Sc., management consultant), Assoc. Prof. Dr. Murat BASKAK (Istanbul Technical University), Gurkan HURYILMAZ (purchasing management specialist), Basak ULKENLI OZEL (Havelsan A.S., former Contracts Manager), Necdet UYGURER (lecturer at METU and Yeditepe University), Assoc. Prof. Dr. Sevket SAYILGAN (Marmara University, corporate finance specialist), Baha SIPAHI (consultant; former Operations Leader at Nortel Netas), Dr. Dogan KARADOGAN (Turkish Land Forces Command, retired transportation major, logistics systems specialist).
Session topics: New Horizons in Purchasing; Strategic Decision Processes in Purchasing; Logistics for Purchasing Managers / Supplier Selection Criteria; Definition and Development of Strategic Purchasing, New Practices, Its Place and Importance in Management; Product, Data and Lifecycle Management (PDM/PLM) in the Purchasing Process; IT Applications in Logistics Management; Innovative Solutions and Technology in Logistics Management; Coordination with Suppliers in Production and Purchasing; Successful Supply Chain Management Practices; Dr. Murphy's Supply Chain Management; Managing Outsourced Services in Purchasing; Distribution Centre and Warehouse Management; Supply Chain Management and Auditing; Green Supply Chain Management; Information Sharing in the Supply Chain; Process Improvement Methods in Purchasing and Supply Chain Management; Factors in Make / Buy / Outsource Decisions; Pricing in Purchasing, Determining the Optimal Price, and Purchasing Budget Management; The Legal Dimension of Purchasing Management: Contracts and Disputes; Purchasing Communication: Effective Negotiation and Bargaining Techniques for Purchasing Managers; Purchasing Finance: the Interaction of the Purchasing Process with the Finance Process; Outsourcing and New Developments; Emergency and Crisis Logistics. www.bosphorusconferences.com. BOSPHORUS CONFERENCES is a Bogazici organization. www.bogaziciegitim.com.tr / tel: 0216 486 3O 95. To attend, the registration form must be completed and returned to us. The participation fee is 1500 YTL + VAT per person. The fee must be paid before the summit date into account no. 215148 of Bogazici Egitim ve Danismanlik at the Isbankasi Beylerbeyi branch. The fee includes all lunches, tea, coffee and cocktail refreshments for the duration of the event, and all books, CDs, bags, folders and documents belonging to the programme. No refunds are given for cancellations after 1 October 2008, but name changes are accepted.
The summit organizing committee reserves the right to change the venue or the programme, or to cancel or postpone the programme, when force majeure requires it. In that case fees already paid are refunded. If you would like us to redirect this bulletin, sent to you for announcement purposes, to a different e-mail address of yours, or to stop sending it, you can let us know by e-mail.
Re: Help with CARP
On Mon, Sep 22, 2008 at 8:30 AM, Jose Quinteiro [EMAIL PROTECTED] wrote: Not set on the MASTER, 230 on the backup. Can you post the output of 'ifconfig' and 'netstat -s -p carp' and 'netstat -s -p pfsync' from both firewalls? -B
Using trunk(4) to put a router in a switch ring
I am trying to work out a way to add some redundancy to my network, by putting my switches in a ring. I have a pair of CARP'd routers, each with 2 GigE interfaces, and the ability to add more on PCI-E cards. I have a number of switches with 24x100Mb ports and 2 GigE uplink ports. Currently the topology is flat, with the GigE backbone having a router on each end, and the switches in a line between them. The spare GigE interface on each router is used for the pfsync link. I would like to find a way to join the two ends of the ring together, so that a failure of any one switch will mean that only the machines on the 100Mb ports of that particular switch are affected. To do this I need to be able to connect the routers in both directions round the ring, and so have two GigE ports acting almost as if a three port switch, with the ring in each direction and the carp/vlan/ip interfaces of the router. I'm not sure if trunk or bridge are more appropriate in this case, and if I were to use trunk I'm not sure if I would want broadcast or not. Can anyone help me out of the confusing hole I've dug myself into? SD
Re: Help with CARP
IP addresses have been changed to protect the guilty. The wrong VHID packets have a simple explanation: there are two other machines on this net with their own CARP interfaces. No idea what the short packets are about.

Master:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff00
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c8:45:48
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 2.1.7.3 netmask 0xffe0 broadcast
sis1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c8:45:49
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 1.3.3.7 netmask 0xffc0 broadcast
sis2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c8:45:4a
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.40.28.13 netmask 0xff00 broadcast 10.40.28.255
sis3: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:98:6c
        media: Ethernet autoselect (none)
        status: no carrier
sis4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:98:6d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.1.3 netmask 0xff00 broadcast 172.16.1.255
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1460
        pfsync: syncdev: sis4 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sis0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 6.2.8.8 netmask 0xfff8 broadcast
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sis1 vhid 3 advbase 1 advskew 0
        groups: carp
        inet 1.3.7.8 netmask 0xffc0 broadcast
carp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sis2 vhid 4 advbase 1 advskew 0
        groups: carp
        inet 10.40.28.1 netmask 0xff00 broadcast 10.40.28.255
# netstat -s -p carp
carp:
        11770017 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for wrong TTL
        0 packets shorter than header
        0 discarded for bad checksums
        0 discarded packets with a bad version
        3956879 discarded because packet too short
        0 discarded for bad authentication
        7803201 discarded for bad vhid
        0 discarded because of a bad address list
        4263104 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
# netstat -s -p pfsync
pfsync:
        8396009 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for bad ttl
        0 packets shorter than header
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        0 packets discarded for bad action
        0 packets discarded for short packet
        0 states discarded for bad values
        0 stale states
        6148732 failed state lookup/inserts
        22453726 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        0 send error

On the backup:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff00
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:a8:fc
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 2.1.7.5 netmask 0xffe0 broadcast
sis1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:a8:fd
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 1.3.3.6 netmask 0xffc0 broadcast
sis2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:a8:fe
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.40.28.12 netmask 0xff00 broadcast 10.40.28.255
sis3: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:2e:74
        media: Ethernet autoselect (none)
        status: no carrier
sis4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:2e:75
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.1.2 netmask 0xff00 broadcast 172.16.1.255
pflog0: flags=0<> mtu
Re: Getting the Thinkpad X200 working fully under OpenBSD
WARNING: 16384 bytes not available for msgbuf in last cluster (4096 used) [ using 682848 bytes of bsd ELF symbol table ]

for now you can put 'option MSGBUFSIZE=4096' in your kernel config just to stop it from misbehaving.

The P8600 Core2Duo is not recognized by the speedstep code. Adding the model 0x7 to est.c results in:
cpu0: unknown Enhanced SpeedStep CPU, msr 0x0617091f0691f
cpu0: using only highest and lowest powerstates
cpu0: Enhanced SpeedStep 2400 MHz (1196mV): speeds: 2400, 2600 MHz
Now i just have to find out how to populate fqlist with the right data.

try this, it works on my x200 and gives me 2400, 2133, 1867, and 1600 mhz.

Index: est.c === RCS file: /cvs/src/sys/arch/amd64/amd64/est.c,v retrieving revision 1.7 diff -u -r1.7 est.c --- est.c 6 Aug 2008 05:24:44 - 1.7 +++ est.c 22 Sep 2008 17:42:33 - @@ -55,6 +55,7 @@ #include sys/param.h #include sys/systm.h +#include sys/malloc.h #include sys/sysctl.h #include machine/cpu.h @@ -77,10 +78,11 @@ #define BUS266 26667 #define BUS333 3 -#define MSR2MHZ(msr, bus) \ - (int) (msr) 8) 0xff) * (bus) + 50) / 100) -#define MSR2MV(msr) \ - (((int) (msr) 0xff) * 16 + 700) +#define MSR2FREQINC(msr) (((int) (msr) 8) 0xff) +#define MSR2VOLTINC(msr) ((int) (msr) 0xff) + +#define MSR2MHZ(msr, bus) ((MSR2FREQINC((msr)) * (bus) + 50) / 100) +#define MSR2MV(msr)(MSR2VOLTINC(msr) * 16 + 700) struct fqlist { int vendor: 5; @@ -91,7 +93,7 @@ static const struct fqlist *est_fqlist; -static u_int16_t fake_table[3]; +static u_int16_t *fake_table; static struct fqlist fake_fqlist; extern int setperf_prio; @@ -158,6 +160,7 @@ model = (ci-ci_signature 4) 15; switch (model) { case 0xe: /* Core Duo/Solo */ + case 0x7: /* Core 2 Duo */ case 0xf: /* Core Xeon */ msr = rdmsr(MSR_FSB_FREQ); bus = (msr 0) 0x7; 
@@ -244,29 +247,74 @@ return; } if (est_fqlist == NULL) { - printf(%s: unknown Enhanced SpeedStep CPU, msr 0x%016llx\n, - cpu_device, msr); + int j, tablesize, freq, volt; + int minfreq, minvolt, maxfreq, maxvolt, freqinc, voltinc; - /* -* Generate a fake table with the power states we know. -*/ - fake_table[0] = idhi; - if (cur == idhi || cur == idlo) { - printf(%s: using only highest and lowest power - states\n, cpu_device); - - fake_table[1] = idlo; - fake_fqlist.n = 2; - } else { - printf(%s: using only highest, current and lowest - power states\n, cpu_device); - - fake_table[1] = cur; - fake_table[2] = idlo; - fake_fqlist.n = 3; +#ifdef EST_DEBUG + printf(%s: bus_clock = %d\n, __func__, bus_clock); + printf(%s: idlo = 0x%x\n, __func__, idlo); + printf(%s: lo %4d mV, %4d MHz\n, __func__, + MSR2MV(idlo), MSR2MHZ(idlo, bus_clock)); + printf(%s: raw %4d , %4d\n, __func__, + (idlo 0xff), ((idlo 8) 0xff)); + printf(%s: idhi = 0x%x\n, __func__, idhi); + printf(%s: hi %4d mV, %4d MHz\n, __func__, + MSR2MV(idhi), MSR2MHZ(idhi, bus_clock)); + printf(%s: raw %4d , %4d\n, __func__, + (idhi 0xff), ((idhi 8) 0xff)); + printf(%s: cur = 0x%x\n, __func__, cur); +#endif + +/* + * Generate a fake table with the power states we know, +* interpolating the voltages and frequencies between the +* high and low values. The (milli)voltages are always +* rounded up when computing the table. +*/ + minfreq = MSR2FREQINC(idlo); + maxfreq = MSR2FREQINC(idhi); + minvolt = MSR2VOLTINC(idlo); + maxvolt = MSR2VOLTINC(idhi); + freqinc = maxfreq - minfreq; + voltinc = maxvolt - minvolt; + + /* Avoid diving by zero. */ + if (freqinc == 0 || voltinc == 0) + return; + + if (freqinc voltinc || voltinc == 0) { + tablesize = maxfreq - minfreq + 1; + if (voltinc != 0) + voltinc = voltinc * 100 / freqinc - 1; + freqinc = 100; + } else { + tablesize = maxvolt - minvolt + 1; + freqinc = freqinc * 100 / voltinc - 1; + voltinc = 100; } -
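Review bot: in the `@@ -91,7 +93,7 @@` hunk `fake_table` turns from `static u_int16_t fake_table[3]` into `static u_int16_t *fake_table`, and the first hunk pulls in `sys/malloc.h` for it, but the allocation itself lies past the end of the quoted diff, so the two things that need checking cannot be seen here: that the malloc result is tested for NULL before the table is filled (the old static array could not fail), and that nothing frees the buffer while `fake_fqlist` and `est_fqlist` still point into it. Please post the remainder of the last hunk so that part can be reviewed.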
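Review bot: in the `@@ -158,6 +160,7 @@` hunk the new `case 0x7: /* Core 2 Duo */` is keyed on `model = (ci->ci_signature >> 4) & 15`, i.e. only the low nibble of the CPUID model, so the case is also taken for every other model number whose low nibble is 7, not just the Core 2 Duo the comment names. Either fold the extended-model bits into `model` before the switch, or say in the comment that the match is on the low nibble only and which parts that is known to cover.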
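Review bot: in the `@@ -244,29 +247,74 @@` hunk the early `if (freqinc == 0 || voltinc == 0) return;` is a regression and leaves dead code behind it. Before this change a CPU whose idlo and idhi share one voltage (or one frequency) still got the two- or three-entry fake table from the block that is being removed; now the function returns with `est_fqlist` still NULL, and it does so silently, because the `unknown Enhanced SpeedStep CPU, msr 0x%016llx` printf goes away in the same hunk. Keep a fallback table for that case, or at least keep the diagnostic. Once that guard stands, `|| voltinc == 0` in `if (freqinc > voltinc || voltinc == 0)` and the inner `if (voltinc != 0)` can never be false as written and should be dropped. Also `/* Avoid diving by zero. */` should read `dividing`.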
Re: assembly for x86
Thank You! I've ordered this book. I like No Starch Press books anyway. 2008/9/22 jmc [EMAIL PROTECTED] --- Gábri Máté [Mon, Sep 22, 2008 at 01:45:30PM +0200]: --- Dear List, I'd like to study the assembly language of the x86 architecture. I've searched for books, but there are a lot of them. Could you please recommend me a good writer/book about this topic? i'm a beginner, but i picked up The Art of Assembly Language, a No Starch Press book by Randall Hyde. ISBN 1886411972. i'm sure there's a much longer list of books an assembly programmer should have at arm's reach, but this is the only one i'm using so far.
OpenBSD Road Warrior connecting to L2TP/IPSec VPN?
Hello All, I am trying to connect to my University's VPN System, with little luck. I am not sure how to even begin, though I have found Undeadly articles on IPSec in Under 4 Minutes, as well as some various tutorials and documents on connecting OpenBSD Servers to other Servers and gateways. I don't even know if this is possible, but looking at ipsec.conf, I can't see any details about how I would configure my system to connect to this VPN. Is it possible? If so, how? I've added just a basic ipsec.conf line: ike dynamic esp from any to any peer ipsec.indiana.edu psk hermanbwells But I haven't gotten much further than that. Does anyone have any suggestions? The University's Guide to the VPN is: http://kb.iu.edu/data/ajrq.html Aaron Hsu
Re: Need Help badly - PF related
On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote: On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote: On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote: On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote: On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote: I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it. Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss. Here is the output from pfctl -vss - with the host(75.18.177.36) trying to access the website: Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise. $ sudo pfctl -ss | grep 75.18.177.36 I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if) Jason, Here it is without the noise. # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1056 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1056 - 172.16.10.11:80 ESTABLISHED:SYN_SENT # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1056 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1056 - 172.16.10.11:80 ESTABLISHED:SYN_SENT Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep foo` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both. # pfctl -sr scrub in all fragment reassemble block return in log (all) all pass out all flags S/SA keep state block drop in quick on ! 
lo inet from 127.0.0.0/8 to any block drop in quick on ! lo inet6 from ::1 to any block drop in quick inet from 127.0.0.1 to any block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any block drop in quick inet from 172.16.10.10 to any block drop in quick inet6 from ::1 to any block drop in quick on lo0 inet6 from fe80::1 to any block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state pass in inet proto icmp all icmp-type echoreq keep state pass in quick on fxp0 all flags S/SA keep state # pfctl -sn nat on fxp1 from ! (fxp1) to any - (fxp1:0) nat-anchor ftp-proxy/* all rdr-anchor ftp-proxy/* all rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www - 172.16.10.11 port 80 rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 - 172.16.10.12 port 3128 # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1057 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1057 - 172.16.10.11:80 ESTABLISHED:SYN_SENT And the blocked packets? How should I capture them? did you mean via pflog? Thanks Parvinder bhasin -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenBSD Road Warrior connecting to L2TP/IPSec VPN?
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Aaron W. Hsu Sent: Monday, 22 September 2008 20:04 To: misc@openbsd.org Subject: OpenBSD Road Warrior connecting to L2TP/IPSec VPN? Hello All, I am trying to connect to my University's VPN System, with little luck. I am not sure how to even begin, though I have found Undeadly articles on IPSec in Under 4 Minutes, as well as some various tutorials and documents on connecting OpenBSD Servers to other Servers and gateways. I don't even know if this is possible, but looking at ipsec.conf, I can't see any details about how I would configure my system to connect to this VPN. Is it possible? If so, how? I've added just a basic ipsec.conf line: ike dynamic esp from any to any peer ipsec.indiana.edu psk hermanbwells But I haven't gotten much further than that. Does anyone have any suggestions? The University's Guide to the VPN is: http://kb.iu.edu/data/ajrq.html Aaron Hsu From the cited page I would guess they use l2tp over ipsec. I think this is not supported by openbsd, but I may be wrong.
Re: Need Help badly - PF related
On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote: On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote: On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote: On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote: On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote: On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote: I have users that can access the website fine (75.44.229.18) and some user that complain they can't access it. Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss. Here is the output from pfctl -vss - with the host(75.18.177.36) trying to access the website: Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise. $ sudo pfctl -ss | grep 75.18.177.36 I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if) Jason, Here it is without the noise. # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1056 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1056 - 172.16.10.11:80 ESTABLISHED:SYN_SENT # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1056 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1056 - 172.16.10.11:80 ESTABLISHED:SYN_SENT Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep foo` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both. 
# pfctl -sr scrub in all fragment reassemble block return in log (all) all pass out all flags S/SA keep state block drop in quick on ! lo inet from 127.0.0.0/8 to any block drop in quick on ! lo inet6 from ::1 to any block drop in quick inet from 127.0.0.1 to any block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any block drop in quick inet from 172.16.10.10 to any block drop in quick inet6 from ::1 to any block drop in quick on lo0 inet6 from fe80::1 to any block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state pass in inet proto icmp all icmp-type echoreq keep state pass in quick on fxp0 all flags S/SA keep state # pfctl -sn nat on fxp1 from ! (fxp1) to any - (fxp1:0) nat-anchor ftp-proxy/* all rdr-anchor ftp-proxy/* all rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www - 172.16.10.11 port 80 rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 - 172.16.10.12 port 3128 # pfctl -ss | grep 75.18.177.36 all tcp 172.16.10.11:80 - 75.44.229.18:80 - 75.18.177.36:1057 SYN_SENT:ESTABLISHED all tcp 75.18.177.36:1057 - 172.16.10.11:80 ESTABLISHED:SYN_SENT And the blocked packets? How should I capture them? did you mean via pflog? Yes, just like you did before. I'd like to see where they're being passed (pfctl -ss) *and* blocked (pflog) at the same time. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: Need Help badly - PF related
On Sep 22, 2008, at 11:40 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:

I have users that can access the website fine (75.44.229.18) and some users who complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Here is the output from pfctl -vss with the host (75.18.177.36) trying to access the website:

Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if).

Jason, here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep foo` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both.

# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state

# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

And the blocked packets?

How should I capture them? Did you mean via pflog?

Yes, just like you did before. I'd like to see where they're being passed (pfctl -ss) *and* blocked (pflog) at the same time.

Jason, here are the blocked packets and the pfctl -ss, pfctl -sn, pfctl -sr dump.

# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Sep 22 11:57:34.445702 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:57:38.496743 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:58:59.557561 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1058: [|tcp] (DF)

# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128

# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags
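The step Jason asks for above, correlating each block logged on pflog0 with the state table entries for the same flow, is easy to get wrong by eye when the rdr leaves three addresses on one state line. The following script is an added example and not code from the thread: it parses the `tcpdump -n -e -ttt -i pflog0` and `pfctl -ss` output in the exact shape quoted in the thread (the `>` and `<-` arrows that the web archive stripped are restored in the constructed sample), treats the outer two addresses of a three-address state as the real endpoints, and reports for every blocked packet whether no state existed, whether a state exists but is bound to a different interface, or whether a floating state exists and pf still blocked the packet, which is the case to take to `pfctl -x misc` and /var/log/messages as Stuart suggested. The verdict names and the `Blocked`/`State` classes are this example's own, not pf's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the pflog lines and the state entries quoted in the
# thread, with the '>' and '<-' arrows the web archive stripped put back.
PFLOG_SAMPLE = """\
Sep 22 11:57:34.445702 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:58:59.557561 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1058: [|tcp] (DF)
"""
STATES_SAMPLE = """\
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1058       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1058 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
"""

# Assumed formats: 'tcpdump -n -e -ttt -i pflog0' and 'pfctl -ss' as printed by
# OpenBSD 4.x, i.e. exactly the shape quoted in the thread (IPv4, TCP/UDP only).
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) on "
    r"(?P<ifname>\w+): (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)
STATE_RE = re.compile(
    r"^(?P<ifname>\S+) (?P<proto>tcp|udp) (?P<a>\S+) (?:<-|->) (?P<b>\S+)"
    r"(?: (?:<-|->) (?P<c>\S+))?\s+(?P<status>\S+)$"
)


@dataclass(frozen=True)
class Blocked:
    ifname: str
    direction: str
    src: str          # "ip:port"
    dst: str          # "ip:port"
    raw: str


@dataclass(frozen=True)
class State:
    ifname: str                 # "all" = floating state, otherwise bound to that interface
    proto: str
    endpoints: frozenset        # the two real endpoints; a translated middle address is dropped
    translated: Optional[str]   # the rdr/nat address printed between them, if any
    status: str


def parse_pflog(text):
    pkts = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            pkts.append(Blocked(m["ifname"], m["dir"],
                                f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}", line))
    return pkts


def parse_states(text):
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        a, b, c = m["a"], m["b"], m["c"]
        # Three addresses mean a translation happened: the real endpoints are the outer two.
        endpoints = frozenset({a, c}) if c else frozenset({a, b})
        states.append(State(m["ifname"], m["proto"], endpoints, b if c else None, m["status"]))
    return states


def find_state(pkt, states):
    """Return the TCP state whose endpoints are exactly this packet's src/dst pair, or None."""
    key = frozenset({pkt.src, pkt.dst})
    return next((s for s in states if s.proto == "tcp" and s.endpoints == key), None)


def verdict(pkt, st):
    if st is None:
        return "no-state"        # nothing passed this flow; the catch-all block is expected
    if st.ifname not in ("all", pkt.ifname):
        return "if-bound-state"  # state bound to another interface cannot match this packet
    return "state-exists"        # a matching floating state exists, yet pf still blocked it


EXPLANATION = {
    "no-state": "no pass rule created a state for this flow; the catch-all block is expected",
    "if-bound-state": "the state is bound to a different interface than the packet arrived on",
    "state-exists": "a floating state covers this flow but the packet did not match it; "
                    "run 'pfctl -x misc' and watch /var/log/messages for the reason",
}


def analyze(pflog_text, states_text):
    states = parse_states(states_text)
    results = []
    for pkt in parse_pflog(pflog_text):
        st = find_state(pkt, states)
        results.append({"packet": pkt, "state": st, "verdict": verdict(pkt, st)})
    return results


if __name__ == "__main__":
    for r in analyze(PFLOG_SAMPLE, STATES_SAMPLE):
        p = r["packet"]
        print(f"{p.ifname} {p.src} > {p.dst}: {r['verdict']} ({EXPLANATION[r['verdict']]})")
        if r["state"] and r["state"].translated:
            print(f"    matching state was created via rdr/nat address {r['state'].translated}")
```

Run it with the sample input embedded above, or feed it the live output of the two commands captured in separate terminals, as Jason asked; the interesting lines are the `state-exists` ones, because a block there means the packet failed pf's state matching rather than the rule set.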
Re: Getting the Thinkpad X200 working fully under OpenBSD
On Mon, 22 Sep 2008 12:46:07 -0500 joshua stein [EMAIL PROTECTED] wrote:

WARNING: 16384 bytes not available for msgbuf in last cluster (4096 used)
[ using 682848 bytes of bsd ELF symbol table ]

for now you can put 'option MSGBUFSIZE=4096' in your kernel config just to stop it from misbehaving.

Hello Joshua, this gets rid of the warning and the garbage in /var/run/dmesg.boot. As expected the output in dmesg.boot is truncated. Much better than before.

try this, it works on my x200 and gives me 2400, 2133, 1867, and 1600 mhz.

Index: est.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/est.c,v
retrieving revision 1.7
diff -u -r1.7 est.c
--- est.c 6 Aug 2008 05:24:44 - 1.7
+++ est.c 22 Sep 2008 17:42:33 -

Very nice! This works fine for me too. Thank you very much!
- Robert
Re: Getting the Thinkpad X200 working fully under OpenBSD
On Sun, 21 Sep 2008 21:22:33 -0500 Neal Hogan [EMAIL PROTECTED] wrote: Fyi -- Similar issues with a new T400. The dmesg is below (I had a better/cleaner dmesg with an i386/4.4 install (09/10/2008)). Hi Neal, indeed the systems are very similar. Looking at the tabook confirms that the T400 uses the same chipset. Same problems, same fixes. bye - Robert
Re: Using trunk(4) to put a router in a switch ring
On 2008-09-22, Dave Wilson [EMAIL PROTECTED] wrote: I'm not sure if trunk or bridge are more appropriate in this case I think probably bridge with RSTP, but I'm not sure how that will play with vlans (if you use them). I'd like to do something similar, but I have vlans, and as an added twist my interconnects are over third-party vlans, and I'm not especially keen on breaking the third party's switch fabric, so I haven't risked experimenting much with this yet :)
Re: recommendation for router (COMMELL)
On Sep 17, 2008, at 12:49 AM, Aaron Stellman wrote: On Tue, Sep 16, 2008 at 10:20:08PM -0400, Steve Shockley wrote: Juan Miscaro wrote: Has anyone any experience running OpenBSD on this puppy: http://www.commell-sys.com/Product/IPC/EMB-564.htm I'm looking for a replacement for my tower that is currently acting as router, anti-spam, mail server for a small network/domain. Anti-spam might be a little slow on that depending on your volume. I haven't used that product though. This commell site is suspiciously similar to the Liantec site; moreover, this commell device is very similar to the EMB-5740 Liantec. I assume these two companies are owned by the same individuals. I still can't find any places in the US that sell the EMB-5740. The domains are registered to the same person, for whatever that is worth. I have exchanged a number of emails with someone at Liantec.com and when the emails stopped I was left thinking they want my money, but won't provide details on when the product could ship as the product was not in stock at the moment, no thanks. I asked them to contact me when the product went in stock but I have never heard back from them. Perhaps Wim has had more luck, but last I knew he didn't have any luck with them either. I wonder if these boards are simply vaporware. -Chad
Re: acpitz diff changes warnings on compaq nc6000 [Re: CVS: cvs.openbsd.org: src]
On Fri, 12 Sep 2008 11:51:40 +0300 Denis Doroshenko [EMAIL PROTECTED] wrote: hi, On Thu, Sep 11, 2008 at 3:45 PM, Miod Vallat [EMAIL PROTECTED] wrote:

CVSROOT: /cvs
Module name: src
Changes by: [EMAIL PROTECTED] 2008/09/11 06:45:20
Modified files: sys/dev/acpi : acpitz.c
Log message: Thermal Zone entities might not be direct object references, but named references. Account for this, and the hp530 laptop won't spontaneously power down thinking internal temperature is over 500C. ok marco@

in the hope this diff would fix overheating under ACPI on my compaq nc6000, built the kernel and found out that this diff changed acpitz warnings from:

acpitz0: _AL1[0] not a object ref
acpitz0: _AL2[0] not a object ref
acpitz0: _AL3[0] not a object ref

to

acpitz0: _AL1[0.0] _PRO not a package
acpitz0: _AL2[0.0] _PRO not a package
acpitz0: _AL3[0.0] _PRO not a package

Hi, running the snapshot from the weekend (2008-09-22) on my HP nc6400 doesn't show the above mentioned console output anymore. Getting one step closer to running OpenBSD on the notebook. Thanks. Below the hw.sensors output which looks fine and the dmesg.
Sven

hw.sensors.acpitz0.temp0=45.05 degC (zone temperature)
hw.sensors.acpitz1.temp0=39.05 degC (zone temperature)
hw.sensors.acpitz2.temp0=37.05 degC (zone temperature)
hw.sensors.acpitz3.temp0=23.85 degC (zone temperature)
hw.sensors.acpitz4.temp0=20.05 degC (zone temperature)
hw.sensors.acpibat0.volt0=10.80 VDC (voltage)
hw.sensors.acpibat0.volt1=12.49 VDC (current voltage)
hw.sensors.acpibat0.amphour0=4.43 Ah (last full capacity)
hw.sensors.acpibat0.amphour1=0.22 Ah (warning capacity)
hw.sensors.acpibat0.amphour2=0.04 Ah (low capacity)
hw.sensors.acpibat0.amphour3=3.88 Ah (remaining capacity), OK
hw.sensors.acpibat0.raw0=2 (battery charging), OK
hw.sensors.acpibat0.raw1=1034 (rate)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.cpu0.temp0=43.00 degC

OpenBSD 4.4-current (GENERIC.MP) #878: Sat Sep 20 14:12:25 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Genuine Intel(R) CPU T2400 @ 1.83GHz (GenuineIntel 686-class) 1.83 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2,xTPR
real mem = 3614863360 (3447MB)
avail mem = 3508621312 (3346MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/05/07, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.4 @ 0xf398f (23 entries)
bios0: vendor Hewlett-Packard version 68YCU Ver. F.0B date 09/05/2007
bios0: Hewlett-Packard HP Compaq nc6400 (RA270AA#ABD)
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SLIC HPET APIC MCFG TCPA SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices C098(S5) C0F7(S3) C0F8(S3) C0F9(S3) C0FA(S3) C101(S0) C229(S0) C111(S5) C234(S5) C117(S5) C235(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 166MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Genuine Intel(R) CPU T2400 @ 1.83GHz (GenuineIntel 686-class) 1.83 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2,xTPR
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: duplicate apic id, remapped to apid 2
acpiprt0 at acpi0: bus 2 (C098)
acpiprt1 at acpi0: bus 8 (C101)
acpiprt2 at acpi0: bus 16 (C111)
acpiprt3 at acpi0: bus 32 (C117)
acpiprt4 at acpi0: bus 0 (C002)
acpiec0 at acpi0
acpicpu0 at acpi0
acpicpu1 at acpi0
acpitz0 at acpi0: critical temperature 256 degC
acpitz1 at acpi0: critical temperature 105 degC
acpitz2 at acpi0: critical temperature 105 degC
acpitz3 at acpi0: critical temperature 105 degC
acpitz4 at acpi0: critical temperature 110 degC
acpibat0 at acpi0: C1B4 model Primary serial 14908 2007/01/24 type LIon oem Hewlett-Packard
acpibat1 at acpi0: C1B3 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: C249
acpibtn1 at acpi0: C241
acpivideo at acpi0 not configured
bios0: ROM list: 0xc/0x1!
cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130b2c06000b2c
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1833 MHz (1404 mV): speeds: 1833, 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel 82945GM Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xe000, size 0x1000
Intel 82945GM Video rev 0x03 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x01: apic 2 int 16 (irq 10)
azalia0: codec[s]: Analog Devices/0x1981, ATT/Lucent/0x3026, using Analog Devices/0x1981
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel
How to add new modules to httpd?
Hello, I'd like to use an Apache module, mod_proxy_http, to build a reverse-proxy, see: http://www.apachetutor.org/admin/reverseproxies

This module requires the inclusion of several others, eg:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so

I'm running OpenBSD 4.3 stable on amd64. It looks like the OpenBSD stock httpd includes mod_proxy and mod_headers, but not mod_proxy_http or mod_proxy_html, and although libxml2 seems to be available as a package, httpd complains when one tries to LoadFile it as above. Despite looking through the FAQ and a few other places, I'm not finding the documentation I would need to figure out how to add the modules above. Do I need to recompile httpd after adding new modules into the tree? Any advice or pointers to documentation on this would be greatly appreciated! Thanks, Don
Re: How to add new modules to httpd?
I have some corrections and clarifications I need to make to this query:

1) The primary module I am trying to use/load is mod_proxy_html, which in turn requires mod_proxy_http (among others)

2) for a while I forgot I needed to turn off the chroot feature, now that I have, it looks like the LoadFile of libxml works, eg:

LoadFile /usr/local/lib/libxml2.so.9.7

Yields no error messages on startup, so that is a big improvement!

3) In looking around the source code for httpd, I see that in ./src/usr.sbin/httpd/src/modules/proxy I see that proxy_http.c is in there, so does that mean that mod_proxy_http is already included in httpd? If so, it seems that the only remaining module I would need is mod_proxy_html. Do I need to recompile httpd to get this into the build? (if so, how?) Or can I create a .so and just load it?

Thanks again, Don

On Mon, Sep 22, 2008 at 3:35 PM, Don Jackson [EMAIL PROTECTED] wrote: Hello, I'd like to use an Apache module, mod_proxy_http, to build a reverse-proxy, see: http://www.apachetutor.org/admin/reverseproxies

This module requires the inclusion of several others, eg:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so

I'm running OpenBSD 4.3 stable on amd64. It looks like the OpenBSD stock httpd includes mod_proxy and mod_headers, but not mod_proxy_http or mod_proxy_html, and although libxml2 seems to be available as a package, httpd complains when one tries to LoadFile it as above. Despite looking through the FAQ and a few other places, I'm not finding the documentation I would need to figure out how to add the modules above. Do I need to recompile httpd after adding new modules into the tree? Any advice or pointers to documentation on this would be greatly appreciated! Thanks, Don
Re: Need Help badly - PF related
Any word Jason/Stuart? I am stuck at this. I have had sniffers all over the place to see what was wrong that PF was NOT liking this connection but nothing turned up.

-Parvinder Bhasin

On Sep 22, 2008, at 11:40 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:

I have users that can access the website fine (75.44.229.18) and some users who complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Here is the output from pfctl -vss with the host (75.18.177.36) trying to access the website:

Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if).

Jason, here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep foo` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both.

# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state

# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

And the blocked packets?

How should I capture them? Did you mean via pflog?

Yes, just like you did before. I'd like to see where they're being passed (pfctl -ss) *and* blocked (pflog) at the same time.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: assembly for x86
http://www.drpaulcarter.com/pcasm/ Gratis book. Uses nasm as assembler. and you can use yasm (BSD license) if you want. Mic
19 Days Until NYCBSDCon 2008
NYCBSDCon begins in a few weeks, so make sure you register as soon as possible. http://www.nycbsdcon.org/2008/register.html NYCBSDCon brings together the best and brightest of the BSD communities from the New York area and beyond. The conference costs $95, including breakfast and lunch on both days, in addition to a number of other extras. Full-time students and Columbia University affiliates pay only $50 with valid identification. This year's schedule is impressive: from file systems and the portable C compiler to system and network management, we are thrilled to be able to provide such strong content. A full array of BSD developers and systems administrators are speaking, including Pawel Dawidek, Michael Lucas, Jason Wright and DragonFly BSD's Matt Dillon. And Jason Dixon looks to top his 2006 presentation on Is BSD Dying? with a look at BSD versus the GPL. While the conference officially begins on Saturday morning, October 11th, attendees will be gathering on Friday night at Havanna Central, just across from Columbia University. More information, including the schedule and transportation options, can be found at http://www.nycbsdcon.org.
Re: Postfix race condition at boot
On Jul 20, 2008, at 1:48 AM, Uwe Dippel wrote: On Mon, 14 Jul 2008 12:47:40 -0500, Karl O. Pinc wrote: I've an OpenBSD box that's been running postfix for a few years, strictly as a send-only mta, and every night the box gets rebooted. Every couple of months postfix does not come up on reboot. All that shows up in the logs is: snip postfix/postfix-script[3005]: fatal: Postfix integrity check failed! Solution? Remove the sendmail-flags from rc.conf.local and put a 'postfix start' at the end of rc.local. That should help. Uwe

I just saw the same thing after upgrading my Mac Mini G4 from 4.0 to 4.4-current and upgrading Postfix to 2.6.20080726. I have the sasl2 flavor installed, so perhaps it's a problem with that, as mentioned later in this thread? At your suggestion, I changed sendmail_flags to NO in /etc/rc.conf.local and simply added a /usr/local/sbin/postfix start to /etc/rc.local. All working fine now... -- bk
Re: Need Help badly - PF related
Here is some more info: The request gets to the web server but when the webserver is responding back to the client's request, PF BLOCKS the request.

Here is the tcpdump view from the webserver:

20:44:47.539217 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:44:51.738331 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:44:57.737882 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:45:09.935925 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:45:33.932113 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:46:22.124476 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:46:22.125818 IP (tos 0x10, ttl 64, id 35465, offset 0, flags [DF], proto 6, length: 40) 75.18.177.36.1120 > 172.16.10.11.80: R [tcp sum ok] 1:1(0) ack 1 win 0

Here is PF blocking the same:

# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Sep 22 22:16:18.905238 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1120: [|tcp] (DF)
Sep 22 22:17:07.101648 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1120: [|tcp] (DF)

Why is PF blocking??? HELP!!!

On Sep 22, 2008, at 11:40 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:

I have users that can access the website fine (75.44.229.18) and some users who complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set pfctl -x misc and watch /var/log/messages, include any output from around the time of a failed connection. Include the relevant state table entries from pfctl -vss.

Here is the output from pfctl -vss with the host (75.18.177.36) trying to access the website:

Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's. I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if).

Jason, here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep foo` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both.

# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state

# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)