Re: eSATA support?

2008-09-22 Thread Damien Miller
On Sun, 21 Sep 2008, Brian wrote:

 I'm thinking about picking up an eSATA pci card and backing up my data
 to an external hd over eSATA using rsync. Is this supported?

eSATA is a connector, cable and electrical specification and otherwise is
identical to regular SATA. If the particular adapter's chipset you have
chosen is supported for SATA then it will work for eSATA.

-d



Re: alix help

2008-09-22 Thread Antoine Junod
Vladimir Kirillov [EMAIL PROTECTED] writes:

 On 12:55 Sun 21 Sep, [EMAIL PROTECTED] wrote:
 /etc/boot.conf:
 set tty com0
 stty com0 38400

 I think it's better to set the com speed _before_ setting com0 as tty; it
 can start throwing garbage onto the console, as was observed on a soekris
 net4801:

 stty com0 38400
 set tty com0

If I set the speed before setting com0 as tty, I don't get garbage on
the serial console but I don't get the boot prompt.

If I set com0 as tty before setting the speed, I get a bit of garbage
but I also get the boot prompt.

I highly prefer the latter. But what I see on my console may be
because I didn't read enough of the manual.

A+
-AJ



Re: Need Help badly - PF related

2008-09-22 Thread Stuart Henderson
On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
 I have users that can access the website fine (75.44.229.18) and some
 users who complain they can't access it.

Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.

 Why is the user in the below pflog getting blocked, whereas most of the
 users can access the website just fine?


 tcpdump: listening on pflog0, link-type PFLOG
 Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
 Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)


 Here is my pf.conf file:

 # MACROS
 ext_if=fxp1
 int_if=fxp0
 pf_log=pflog0

 icmp_types=echoreq

 # OPTIONS #
 set loginterface $ext_if
 set loginterface $int_if
 set block-policy return
 set skip on lo

 # scrub
 scrub in

 nat on $ext_if from !($ext_if) -> ($ext_if:0)
 nat-anchor ftp-proxy/*
 rdr-anchor ftp-proxy/*

 rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
 rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

 # filter
 block in log (all, to pflog0)

 pass out keep state
 antispoof quick for { lo $int_if }

 pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
 pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
 pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
 pass in inet proto icmp all icmp-type $icmp_types keep state
 pass in quick on $int_if

If this is a newer OS version, flags S/SA and keep state are redundant.
If it's an old one, your pass in quick on $int_if should also use them.



Re: alix help

2008-09-22 Thread Antoine Junod
Hi,

Kendall Shaw [EMAIL PROTECTED] writes:

 If I were able to upgrade the bios, I don't know how I will actually
 install openbsd on the disk.  Aside from transferring files using
 Xmodem, what is the procedure for actually installing an image onto
 the CF card?

I usually install such systems by booting from install43.iso in a
virtual machine to which the CF card is attached via USB. I then do a
normal installation onto the CF card instead of the hard drive. I have done it
with both VirtualBox and VMware for both Soekris and ALIX boards.

Before rebooting, you have to edit /etc/boot as follows:

 set tty com0
 stty com0 38400

and modify the line in /etc/ttys starting with tty00 as follows:

 tty00   /usr/libexec/getty std.38400  vt100   on secure

If you've installed the system through a VM, the CF card will not
appear as the same device node. You'll therefore have to edit /etc/fstab to
reflect the change (usually replace sd0 with wd0).

Also remember to change the network config. Your network card certainly
won't be the same on the VM and on the board.

This way of installing OpenBSD is not the simplest one (compared with the
pxeboot one) but has the advantage of not having to put PXE stuff on the
network.

A+
-AJ



Re: Need Help badly - PF related

2008-09-22 Thread Jason Dixon
On Sun, Sep 21, 2008 at 10:00:58PM -0700, Parvinder Bhasin wrote:
 I have users that can access the website fine (75.44.229.18) and some
 users who complain they can't access it.  I don't know what gives.  I
 have asked on the list for help but haven't still resolved this.   I
 would really appreciate any help.  Why is the user in the below pflog
 getting blocked, whereas most of the users can access the website
 just fine?  I have spent countless hours on this.  I really don't want
 a PIX firewall.  When I switch to the pix the access seems fine.

 tcpdump: listening on pflog0, link-type PFLOG
 Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
 Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)

 Here is my pf.conf file:

 # MACROS
 ext_if=fxp1
 int_if=fxp0
 pf_log=pflog0

 icmp_types=echoreq

 # OPTIONS #
 set loginterface $ext_if
 set loginterface $int_if
 set block-policy return
 set skip on lo

 # scrub
 scrub in

 nat on $ext_if from !($ext_if) -> ($ext_if:0)
 nat-anchor ftp-proxy/*
 rdr-anchor ftp-proxy/*

 rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
 rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

 # filter
 block in log (all, to pflog0)

 pass out keep state
 antispoof quick for { lo $int_if }

 pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
 pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
 pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
 pass in inet proto icmp all icmp-type $icmp_types keep state
 pass in quick on $int_if

 
Show the output of `pfctl -sr` and `pfctl -sn`.  Also, capture the
states of this client when this is happening:

$ sudo pfctl -ss | grep 75.18.177.36

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: pf to block against DDoS?

2008-09-22 Thread Lars Noodén
Redd Vinylene wrote:
 ...
 You can also use two tables so that the first overload gets shunted to a
 slow queue and given a second chance before ending up in the second
 table which gets blocked.
 ...
 Lars Noodin: Would you happen to have an example of that?

Not really, here is an illustration of how it might be approached:

 http://www-personal.umich.edu/~lars/PF/pf.ssh-2tables.conf

I expect that the last-rule-matched takes care of the decision.
However, there might be some divergence between what I think it does and
what it really does.

Another question is, in which cases is that useful?

Regards
-Lars
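The two-table idea in Lars's reply, sketched as an added pf.conf illustration for this page. It is not the pf.ssh-2tables.conf linked above and not Lars's code; the interface name, the table and queue names, the rates and the thresholds are assumed values, written in the 4.3-era syntax the rest of this thread uses.

```pf
# Added illustration of the two-table approach, not the linked file.
# Interface, table and queue names, rates and thresholds are assumed values.
ext_if = "fxp1"

table <ssh_slow>  persist   # first overload: second chance, throttled
table <ssh_block> persist   # second overload: no further connections

# A tiny queue that throttled sources are steered into.
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh_crawl }
queue std       bandwidth 95% cbq(default)
queue ssh_crawl bandwidth  1%

# Sources that overloaded twice are refused; 'quick' makes this final
# regardless of the rules that follow.
block in log quick on $ext_if proto tcp from <ssh_block> to ($ext_if) port ssh

# Stage 1: ordinary clients. More than 5 new connections in 30 seconds
# from one source puts it into <ssh_slow> and flushes the states this
# rule created for it.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <ssh_slow> flush)

# Stage 2: sources already in <ssh_slow> are still let in, but through the
# crawl queue and against a tighter rate. Overloading again moves them to
# <ssh_block>, and 'flush global' kills every state that source holds.
# PF applies the last matching rule, so this must follow stage 1.
pass in on $ext_if proto tcp from <ssh_slow> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 2/60, overload <ssh_block> flush global) \
    queue ssh_crawl
```

The ordering matters in two places: the stage-2 rule has to come after the stage-1 rule because PF takes the last matching rule, and the block carries `quick` so its position does not matter. Nothing ages a source out of `<ssh_slow>` on its own; a periodic `pfctl -t ssh_slow -T expire 3600` from cron gives the second chance a time limit, and `pfctl -t ssh_block -T show` is the place to look when a legitimate user reports being locked out.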



Re: isakmpd on 4.3: pf_key_v2_write: writev failed

2008-09-22 Thread Markus Friedl
On Fri, Sep 19, 2008 at 12:33:36AM +0200, Lukas Ratajski wrote:
 IPsec tunnel between two computers - a Soekris net5501 running  
 [...]
 key_encrypt: bits 256:  

The crypto driver for the net5501 does not support 256-bit AES.
You have to switch to 128-bit AES keys or backport revision 1.15
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/pci/glxsb.c
(and replace M_ZERO with a call to bzero()).

-m



Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:

I have users that can access the website fine (75.44.229.18) and some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.

Stuart/Jason:

The OS version is 4.3.
I did pfctl -x misc and I don't see any messages appearing related
to the bad connection from that IP.  I logged on remotely to one of
the systems and tried accessing the site but nothing showed up in
/var/log/messages.  Here is the output:


# pfctl -x misc
debug level set to 'misc'
# tail -f /var/log/messages
Sep 19 07:02:34 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (209.132.176.4)
Sep 19 07:02:34 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (208.53.158.34)

Sep 20 02:00:01 firetalk syslogd: restart
Sep 20 04:00:02 firetalk syslogd: restart
Sep 20 14:00:02 firetalk syslogd: restart
Sep 21 02:00:01 firetalk syslogd: restart
Sep 21 20:43:56 firetalk ntpd[18456]: 3 out of 5 peers valid
Sep 21 20:43:56 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (209.132.176.4)
Sep 21 20:43:56 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (208.53.158.34)

Sep 22 02:00:01 firetalk syslogd: restart


Here is the output from pfctl -vss with the host (75.18.177.36)
trying to access the website:


# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:04:07, expires in 00:00:31, 1364:1364 pkts, 103664:103664 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123       MULTIPLE:MULTIPLE
   age 12:04:07, expires in 00:00:31, 1364:1364 pkts, 103664:103664 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:04:30, expires in 00:00:57, 1138:1138 pkts, 86488:86488 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123       MULTIPLE:MULTIPLE
   age 10:04:30, expires in 00:00:57, 1138:1138 pkts, 86488:86488 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:06:08, expires in 00:00:47, 355:355 pkts, 26980:26980 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123       MULTIPLE:MULTIPLE
   age 03:06:08, expires in 00:00:47, 355:355 pkts, 26980:26980 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654074524 + 524232] wscale 0  [3656802774 + 16952] wscale 3
   age 00:07:21, expires in 24:00:00, 490:427 pkts, 35301:77260 bytes, rule 11
all tcp 216.39.62.89:25 <- 172.16.10.12:29315       CLOSED:SYN_SENT
   [0 + 16384]  [4185608820 + 1]
   age 00:00:33, expires in 00:00:15, 3:0 pkts, 192:0 bytes, rule 14
all tcp 172.16.10.12:29315 -> 75.44.229.17:61775 -> 216.39.62.89:25       SYN_SENT:CLOSED
   [4185608820 + 1]  [0 + 16384]
   age 00:00:33, expires in 00:00:15, 3:0 pkts, 192:0 bytes, rule 1
all udp 75.44.229.17:21902 -> 66.250.45.2:123       MULTIPLE:SINGLE
   age 00:00:22, expires in 00:00:09, 1:1 pkts, 76:76 bytes, rule 1
# pfctl -vss | grep 75.18.177.36
# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:06:24, expires in 00:00:47, 1369:1369 pkts, 104044:104044 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123       MULTIPLE:MULTIPLE
   age 12:06:24, expires in 00:00:47, 1369:1369 pkts, 104044:104044 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:06:47, expires in 00:00:50, 1142:1142 pkts, 86792:86792 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123       MULTIPLE:MULTIPLE
   age 10:06:47, expires in 00:00:50, 1142:1142 pkts, 86792:86792 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:08:25, expires in 00:00:38, 359:359 pkts, 27284:27284 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123       MULTIPLE:MULTIPLE
   age 03:08:25, expires in 00:00:38, 359:359 pkts, 27284:27284 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654079468 + 524232] wscale 0  [3656804886 + 16952] wscale 3
   age 00:09:38, expires in 24:00:00, 603:497 pkts, 43349:85892 bytes, rule 11
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1125       SYN_SENT:ESTABLISHED
   [2398465402 + 65535]  [930424393 + 5840]
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 10
all tcp 75.18.177.36:1125 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
   [930424393 + 5840]  [2398465402 + 65535]
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 1
# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:06:31, expires in 00:00:40, 

4.4-current on XenServer 5

2008-09-22 Thread Stephan A. Rickauer
I know virtualization is not one of the primary targets of OpenBSD.
However, in case someone is interested, here's a dmesg of 4.4-current
booting bsd.rd on the latest XenServer 5 (Express, with Intel VT). As you
can see, there is no hard disk detected.

I am ready to help testing if a developer wants to look at it.

Cheers,
Stephan


OpenBSD 4.4-current (RAMDISK_CD) #883: Wed Sep 17 13:17:23 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(R) CPU E5410 @ 2.33GHz ("GenuineIntel" 686-class) 2.33 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16
real mem  = 267976704 (255MB)
avail mem = 252547072 (240MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xfa4e0, SMBIOS rev. 2.4 @ 0xe901f (11 entries)
bios0: vendor Xen version "3.2.1" date 06/23/1999
bios0: Xen HVM domU
apm0 at bios0: Power Management spec V1.2
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfa780/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:01:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8c00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <QEMU HARDDISK>
wd0: 16-sector PIO, LBA48, 5120MB, 10485760 sectors
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: <QEMU, QEMU CD-ROM, 0.8.> ATAPI 5/cdrom removable
cd0(pciide0:1:1): using PIO mode 0, DMA mode 2
"Intel 82371AB Power" rev 0x01 at pci0 dev 1 function 2 not configured
uhci0 at pci0 dev 1 function 3 "Intel 82371SB USB" rev 0x01: irq 5
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
unknown vendor 0x5853 product 0x0001 (class mass storage subclass SCSI, rev 0x01) at pci0 dev 3 function 0 not configured
re0 at pci0 dev 4 function 0 "Realtek 8139" rev 0x20: RTL8139C+ (0x7480), irq 5, address c2:37:9e:eb:1b:19
rlphy0 at re0 phy 0: RTL internal PHY
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
biomask ffed netmask ffed ttymask 
rd0: fixed, 3800 blocks
uhidev0 at uhub0 port 2 configuration 1 interface 0 "QEMU 0.8.2 QEMU USB Tablet" rev 0.10/0.00 addr 2
uhidev0: iclass 3/1
uhid at uhidev0 not configured
softraid0 at root
root on rd0a swap on rd0b dump on rd0b



Re: 4.4-current on XenServer 5

2008-09-22 Thread Stephan A. Rickauer
Stupid me, the disk is there and OpenBSD runs just fine on it. Sorry for
the noise.

On Mon, 2008-09-22 at 12:24 +0200, Stephan A. Rickauer wrote:
 I know virtualization is not one of the primary targets of OpenBSD.
 However, in case someone is interested, here's a dmesg of 4.4-current
 booting bsd.rd on the latest XenServer 5 (Express, with Intel VT). As you
 can see, there is no hard disk detected.
 
 I am ready to help testing if a developer wants to look at it.
 
 Cheers,
 Stephan
 
 
 
-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics    Tel  +41 44 635 30 50
 University / ETH Zurich          Sec  +41 44 635 30 52
 Winterthurerstrasse 190          Fax  +41 44 635 30 53
 CH-8057 Zurich                   Web  www.ini.uzh.ch



Re: 4.4-current on XenServer 5

2008-09-22 Thread Peter Kay - Syllopsium

From: Stephan A. Rickauer [EMAIL PROTECTED]
To: misc misc@openbsd.org
Sent: Monday, September 22, 2008 11:24 AM
Subject: 4.4-current on XenServer 5

 I know virtualization is not one of the primary targets of OpenBSD.
 However, in case someone is interested, here's a dmesg of 4.4-current
 booting bsd.rd on the latest XenServer 5 (Express, with Intel VT). As you
 can see, there is no hard disk detected.

 I am ready to help testing if a developer wants to look at it.

 Cheers,
 Stephan

 pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
 pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
 pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
 wd0 at pciide0 channel 0 drive 0: <QEMU HARDDISK>
 wd0: 16-sector PIO, LBA48, 5120MB, 10485760 sectors
 wd0(pciide0:0:0): using PIO mode 0, DMA mode 2

Looks like a harddisk to me... am I missing something?

PK



snapshots/i386/MD5 out of sync?

2008-09-22 Thread Jan Stary
Hi all,

it seems that the actual MD5 checksum of
snapshots/i386/install44.iso differs from
the one specified in snapshots/i386/MD5:

 MD5 (install44.iso) = 519daedda756537d5efbe8ad5fd4eb23
 MD5 (install44.iso) = f87b839db833380f41f02bd7fffb2d27

(My tiny little script that downloads snapshots
has been reporting this since Saturday.)

Jan



wol clarification for multi-homed host

2008-09-22 Thread Lars Noodén
wol 0.7.1 seemed to be ignoring the option to restrict the broadcast to
a particular subnet and/or doing nothing when that option is specified,
but it turned out to be my misinterpretation of the man page:

   -h HOST
   --host=HOST
   -i HOST
   --ipaddr=HOST
   Broadcast packet to this IP address or hostname. This
   is important if your wol client is a multihomed host
   and you want to send only to one subnet (default IP
   address is 255.255.255.255).

Using the ip address of the interface (e.g. 192.168.4.1) or hostname
there *does not* appear to work.  However, sending to the subnet (?)
e.g. 192.168.4.0 does do the trick.

That is from 4.4-current (GENERIC#1037) with two ethernet interfaces.

Regards,
-Lars



Re: alix help

2008-09-22 Thread Christian

 someone mentioned working on it, but nothing further..

That was me. Unfortunately this is an ultra-low priority 
spare-time project =( The code is 95% ready, however, last time 
I worked on it was during Easter... It is a loadable kernel 
module that directly talks to the flash chip.


- Christian



Re: Need Help badly - PF related

2008-09-22 Thread Jason Dixon
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
 On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:

 On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
 I have users that can access the website fine (75.44.229.18) and some
 user that complain they can't access it.

 Include the dmesg so we can see what OS version you're running.
 Set pfctl -x misc and watch /var/log/messages, include any output
 from around the time of a failed connection. Include the relevant
 state table entries from pfctl -vss.

 Here is the output from pfctl -vss with the host (75.18.177.36) trying
 to access the website:

Please do that again, but grep only the relevant bits.  I'm not going to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's.
I think the inbound traffic is having the src_addr translated to your
firewall's ($ext_if).

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



assembly for x86

2008-09-22 Thread Gábri Máté
Dear List,
I'd like to study the assembly language of the x86 architecture. I've
searched for books, but there are a lot of them. Could you please recommend
a good author/book on this topic?

Thank You!



Re: eSATA support?

2008-09-22 Thread Louis V. Lambrecht

Damien Miller wrote:
 On Sun, 21 Sep 2008, Brian wrote:

  I'm thinking about picking up an eSATA pci card and backing up my data
  to an external hd over eSATA using rsync. Is this supported?

 eSATA is a connector, cable and electrical specification and otherwise is
 identical to regular SATA. If the particular adapter's chipset you have
 chosen is supported for SATA then it will work for eSATA.

 -d

PCI card for (e)SATA ???
Does this mean the motherboard doesn't have a SATA connector and/or does not
have support?
In that case, you would be better off with a fast USB.
Then again, MBs with no SATA don't have fast USBs either.


Since you are asking, I guess you should start by establishing a budget:
- eSATA (like USB) will need an enclosure. These generally come with a
power supply, as do external hard disks. Those cases cost the price of
a hard disk.
- external hard disks often are supplied with two interfaces,
any combination of Ethernet/USB/eSATA. Those with two interfaces usually
are dearer, but the hard disk itself also is of better quality.
- external cabinets can be RAID and/or NAS (these are in fact yet another
computer).
- recent fully integrated motherboards (with SATA and fast USB)
are cheaper than a VGA card.


My eSATA disk is housed in an Antec cabinet (with extra cooling) and comes
with SATA and USB. I mostly use the USB interface as this one can
easily be connected and disconnected on almost every box.

eSATA brackets seem to be a spare that is hard to find at standard
PC shops.



Re: pf to block against DDoS?

2008-09-22 Thread Redd Vinylene
On Mon, Sep 22, 2008 at 10:36 AM, Lars Noodin
[EMAIL PROTECTED]wrote:

 Redd Vinylene wrote:
  ...
  You can also use two tables so that the first overload gets shunted to a
  slow queue and given a second chance before ending up in the second
  table which gets blocked.
  ...
  Lars Noodin: Would you happen to have an example of that?

 Not really, here is an illustration of how it might be approached:

 http://www-personal.umich.edu/~lars/PF/pf.ssh-2tables.conf

 I expect that the last-rule-matched takes care of the decision.
 However, there might be some divergence between what I think it does and
 what it really does.

 Another question is, in which cases is that useful?

 Regards
 -Lars


This has been a very interesting example, Lars. Thanks a lot for sharing!

As for your last question though, I think I know what you mean. It is to
say, should a rapist really be given a second chance?

--
http://www.home.no/reddvinylene



Re: pf to block against DDoS?

2008-09-22 Thread Lars Noodén
Redd Vinylene wrote:
 ... a second chance?

Well, ssh on port 22 does occasionally have legitimate uses and even
occasionally legitimate users.  So some kind of indicator (such as a
slowdown) could be useful for them.

-Lars



Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:

 On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
  On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
   On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
    I have users that can access the website fine (75.44.229.18) and some
    users who complain they can't access it.

   Include the dmesg so we can see what OS version you're running.
   Set pfctl -x misc and watch /var/log/messages, include any output
   from around the time of a failed connection. Include the relevant
   state table entries from pfctl -vss.

  Here is the output from pfctl -vss with the host (75.18.177.36) trying
  to access the website:

 Please do that again, but grep only the relevant bits.  I'm not going to
 sift through all the noise.

 $ sudo pfctl -ss | grep 75.18.177.36

 I'm pretty sure your outbound nat needs to be moved *after* your rdr's.
 I think the inbound traffic is having the src_addr translated to your
 firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
#


-Parvinder Bhasin





--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/




Re: Need Help badly - PF related

2008-09-22 Thread Jason Dixon
On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:

 On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:

  On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
   On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:

    On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
     I have users that can access the website fine (75.44.229.18) and some
     users who complain they can't access it.

    Include the dmesg so we can see what OS version you're running.
    Set pfctl -x misc and watch /var/log/messages, include any output
    from around the time of a failed connection. Include the relevant
    state table entries from pfctl -vss.

   Here is the output from pfctl -vss with the host (75.18.177.36) trying
   to access the website:

  Please do that again, but grep only the relevant bits.  I'm not going to
  sift through all the noise.

  $ sudo pfctl -ss | grep 75.18.177.36

  I'm pretty sure your outbound nat needs to be moved *after* your rdr's.
  I think the inbound traffic is having the src_addr translated to your
  firewall's ($ext_if)

 Jason,

 Here it is without the noise.

 # pfctl -ss | grep 75.18.177.36
 all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
 all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
 # pfctl -ss | grep 75.18.177.36
 all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
 all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
let's correlate your states to the logged blocks.  In separate
terminals, do the `pfctl -ss | grep foo` and then find the
corresponding traffic in pflog0 that's being blocked.  Let's see them
both.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: New scheduler, same problem (ALTQ questions)

2008-09-22 Thread Giancarlo Razzolini
Chris McGee escreveu:
 Hi guys-



   I've been using an OpenBSD firewall on my home network for about 10 
 years. I recently upgraded the hardware to a retired gaming machine and 
 went to OpenBSD 4.3 (woo!).



   I'm playing with the new scheduler in altq, and I like the way that it 
 works, but the documentation is iffy and it still doesn't look like it 
 solves one problem that priq and cbq couldn't solve...  prioritizing 
 outbound traffic on a variable-bandwidth link. (Yes, I've got a cable 
 modem. =D)



   Here's the problem I'm trying to solve: My cable modem allows around 
 750kb/s when traffic is really ugly, and about 2100kb/s in the dead of the 
 night.  In order for the scheduler to know when to start limiting traffic, 
 I have to tell it how fast the link is but I don't *know* how fast the 
 link is, because it varies.



   I've been trying the following rules:



 altq on $ext_if bandwidth 2048Kb hfsc queue { ack, dns, games, def, bt }
   queue ack   bandwidth 80% priority 6 qlimit 500 hfsc (realtime 50% 
 ecn)
   queue dns   bandwidth  5% priority 5 qlimit 500 hfsc (realtime 5% 
 ecn)
   queue games bandwidth  5% priority 3 qlimit 500 hfsc (realtime 5% ecn)
   queue def   bandwidth  5% priority 2 qlimit 500 hfsc (realtime 10% 
 ecn default)
   queue bt  bandwidth  5% priority 1 qlimit 500 hfsc (upperlimit 80% 
 red)



 (the ack queue is TCP ack's, the dns queue is DNS requests, high priority 
 user traffic and VOIP goes in games, and the rest is regular and 
 low-priority user traffic.



 When I'm usually using the internet connection, my outbound bandwidth is 
 probably around 1200kb.  Cranking the bandwidth down to 750 or so is one 
 solution, but then I'm artificially limiting my own upstream to the worst 
 case scenario.



 My questions are:



 1) Is there a more effective way I could be doing the above?
   
Yes and no. You could have your modem checked by snmp every and so
seconds to see what velocity it was getting from your ISP. But this is
even if it supports it, and even if it changes the negotiated speed
trough these variations.
 2) Regarding hfsc, what is the old bandwidth statement used for? It seems 
 like it would be obsolete. Changing it doesn't seem to affect anything, 
 either. The manpage doesn't say. :)
   
What do you mean by old bandwidth?
 3) Another hfsc question: exactly what does the linkshare statement do? The 
 manpage says: "linkshare sc  The bandwidth share of a backlogged 
 queue."


   
The linkshare statement specifies how much of the bandwidth of that queue
will be shared with other queues when it is not used. Think of it like a
shared pool.


 Thanks :)



 --Chris


   
My suggestion for you would be to configure the highest rate you can
get as the bandwidth for the interface, to see how it would be. If your
rate decreases, it will get slow for the things that have less priority,
but the altq implementation of OpenBSD kind of auto-regulates the token
bucket based on the interface speed. If your modem doesn't get to
renegotiate the speed with your ISP, then you are doomed, because SNMP
won't work, so your variable rate won't work either. You can do
something, though. You can install syweb or any other graphing tool to measure how
your bandwidth varies through, I'd say, a week. Based on that, you can have
cron entries to change your hfsc rates through the day. This could work also.

My regards,

-- 
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
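One way to implement the cron-driven approach suggested above, as an added example that is not code from the thread or from OpenBSD: a script that rewrites the absolute rate on the `altq on` line from a time-of-day schedule and reloads pf. The schedule values, the pf.conf path, the `REALTIME_SHARE` table and the sample ruleset are assumptions taken from the figures quoted in the thread, not measurements; the queue percentages are left alone because hfsc expresses them relative to whatever rate the `altq` line carries.

```python
"""Rewrite the altq link bandwidth from a time-of-day schedule and reload pf.

Added example; the schedule, the pf.conf path and the queue table are
assumptions standing in for what a week of graphing would show.
"""
import re
import subprocess
import sys
import time

# Constructed schedule: (first hour, hour after the last, upstream kb/s).
SCHEDULE = [
    (0, 7, 2048),    # dead of night: the link is almost uncontended
    (7, 18, 1200),   # daytime
    (18, 24, 750),   # evening peak: the worst case
]

# Queues and their hfsc realtime shares, as in the ruleset quoted above.
REALTIME_SHARE = {"ack": 50, "dns": 5, "games": 5, "def": 10}

# Constructed sample ruleset (Chris's altq stanza, reflowed) used for dry runs.
SAMPLE_CONF = """\
altq on $ext_if bandwidth 2048Kb hfsc queue { ack, dns, games, def, bt }
  queue ack   bandwidth 80% priority 6 qlimit 500 hfsc (realtime 50% ecn)
  queue dns   bandwidth  5% priority 5 qlimit 500 hfsc (realtime 5% ecn)
  queue games bandwidth  5% priority 3 qlimit 500 hfsc (realtime 5% ecn)
  queue def   bandwidth  5% priority 2 qlimit 500 hfsc (realtime 10% ecn default)
  queue bt    bandwidth  5% priority 1 qlimit 500 hfsc (upperlimit 80% red)
"""

# Only the altq declaration carries an absolute rate; the queues use percentages.
ALTQ_LINE = re.compile(r"^(altq on \S+ bandwidth )(\d+)(Kb\b.*)$", re.M)


def bandwidth_for_hour(schedule, hour):
    """Upstream rate in kb/s that the schedule assigns to hour 0-23."""
    for first, after_last, kb in schedule:
        if first <= hour < after_last:
            return kb
    raise ValueError("hour %d is not covered by the schedule" % hour)


def realtime_guarantees(link_kb):
    """Absolute kb/s each queue is guaranteed once the link rate is known."""
    return {q: link_kb * pct // 100 for q, pct in REALTIME_SHARE.items()}


def rewrite_altq_bandwidth(conf_text, link_kb):
    """Return conf_text with the rate on the single 'altq on' line replaced."""
    new_text, n = ALTQ_LINE.subn(
        lambda m: "%s%d%s" % (m.group(1), link_kb, m.group(3)), conf_text)
    if n != 1:
        raise ValueError("expected exactly one 'altq on ... NKb' line, found %d" % n)
    return new_text


def apply_schedule(conf_path="/etc/pf.conf", hour=None, dry_run=True):
    """Cron entry point: rewrite the rate for the current hour and reload pf."""
    if hour is None:
        hour = time.localtime().tm_hour
    kb = bandwidth_for_hour(SCHEDULE, hour)
    with open(conf_path) as f:
        updated = rewrite_altq_bandwidth(f.read(), kb)
    if dry_run:
        sys.stdout.write(updated)
        return kb
    with open(conf_path, "w") as f:
        f.write(updated)
    # Parse-check first so a typo never leaves the firewall without a ruleset.
    subprocess.check_call(["pfctl", "-nf", conf_path])
    subprocess.check_call(["pfctl", "-f", conf_path])
    return kb


if __name__ == "__main__":
    # e.g. "0 * * * * /path/to/altq_schedule.py" from root's crontab
    apply_schedule(hour=int(sys.argv[1]) if len(sys.argv) > 1 else None)
```

The `pfctl -nf` step matters more than it looks: cron runs unattended, and a ruleset that fails to parse would otherwise be loaded at the worst possible moment.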



Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:


On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:

On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:

I have users that can access the website fine (75.44.229.18) and some
users that complain they can't access it.


Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.


Here is the output from pfctl -vss - with the host (75.18.177.36) trying
to access the website:


Please do that again, but grep only the relevant bits.  I'm not going to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's.
I think the inbound traffic is having the src_addr translated to your
firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
let's correlate your states to the logged blocks.  In separate
terminals, do the `pfctl -ss | grep foo` and then find the
corresponding traffic in pflog0 that's being blocked.  Let's see them
both.



# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state

pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128



# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT








--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/




Re: Need Help badly - PF related

2008-09-22 Thread Jason Dixon
On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:
 On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:

 On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:

 On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:

 On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
 On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:

 On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
 I have users that can access the website fine (75.44.229.18) and some
 users that complain they can't access it.

 Include the dmesg so we can see what OS version you're running.
 Set pfctl -x misc and watch /var/log/messages, include any output
 from around the time of a failed connection. Include the relevant
 state table entries from pfctl -vss.

 Here is the output from pfctl -vss - with the host (75.18.177.36) trying
 to access the website:

 Please do that again, but grep only the relevant bits.  I'm not going to
 sift through all the noise.

 $ sudo pfctl -ss | grep 75.18.177.36

 I'm pretty sure your outbound nat needs to be moved *after* your rdr's.
 I think the inbound traffic is having the src_addr translated to your
 firewall's ($ext_if)

 Jason,

 Here it is without the noise.

 # pfctl -ss | grep 75.18.177.36
 all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
 all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
 # pfctl -ss | grep 75.18.177.36
 all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
 all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

 Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
 let's correlate your states to the logged blocks.  In separate
 terminals, do the `pfctl -ss | grep foo` and then find the
 corresponding traffic in pflog0 that's being blocked.  Let's see them
 both.


 # pfctl -sr
 scrub in all fragment reassemble
 block return in log (all) all
 pass out all flags S/SA keep state
 block drop in quick on ! lo inet from 127.0.0.0/8 to any
 block drop in quick on ! lo inet6 from ::1 to any
 block drop in quick inet from 127.0.0.1 to any
 block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
 block drop in quick inet from 172.16.10.10 to any
 block drop in quick inet6 from ::1 to any
 block drop in quick on lo0 inet6 from fe80::1 to any
 block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
 pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
 pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
 pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
 pass in inet proto icmp all icmp-type echoreq keep state
 pass in quick on fxp0 all flags S/SA keep state
 # pfctl -sn
 nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
 nat-anchor ftp-proxy/* all
 rdr-anchor ftp-proxy/* all
 rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
 rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128


 # pfctl -ss | grep 75.18.177.36
 all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
 all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

And the blocked packets?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
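The correlation step asked for above (match each block logged on pflog0 against the entries from `pfctl -ss`) done by script rather than by eye. This is an added example, not code from the thread or from OpenBSD; the state and pflog samples are constructed from the addresses in the thread, with the `<-`, `->` and `>` arrows that the archive stripped put back, and the third pflog line is invented so that one entry does match a state.

```python
"""Correlate pflog block entries with pfctl -ss state entries (added example)."""
import re
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "ip port")

# Constructed sample: the rdr'd inbound state on fxp1 and the matching
# outbound state on fxp0 for one client connection.
STATES = """\
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
"""

# Constructed sample: the first two lines mirror the thread (client ports
# 1105/1106); the third is invented to show a block that does hit a state.
PFLOG = """\
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
Sep 21 21:53:40.000000 rule 0/(match) block in on fxp1: 75.18.177.36.1056 > 172.16.10.11.80: [|tcp] (DF)
"""

ENDPOINT = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)")
ARROW = re.compile(r"<-|->")
PFLOG_LINE = re.compile(
    r"rule (\d+)/\(\w+\) block (in|out) on (\w+): "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_states(text):
    """Return [(proto, flows)]: flows is the set of (src, dst) endpoint pairs,
    before and after translation, that the state will match."""
    states = []
    for line in text.splitlines():
        parts = line.split(None, 2)            # iface, proto, "chain   FLAGS"
        if len(parts) < 3:
            continue
        proto = parts[1]
        chain, _flags = parts[2].rsplit(None, 1)
        eps = [Endpoint(ip, int(port)) for ip, port in ENDPOINT.findall(chain)]
        arrows = ARROW.findall(chain)
        if len(eps) < 2 or not arrows:
            continue
        if arrows[0] == "<-":
            # inbound: real-dst <- [gateway-dst <-] src
            src, dsts = eps[-1], eps[:-1]
            flows = {(src, d) for d in dsts}
        else:
            # outbound: src [-> translated-src] -> dst
            dst, srcs = eps[-1], eps[:-1]
            flows = {(s, dst) for s in srcs}
        states.append((proto, frozenset(flows)))
    return states


def parse_blocks(text):
    """Extract rule number, direction, interface and 4-tuple from pflog lines."""
    blocks = []
    for line in text.splitlines():
        m = PFLOG_LINE.search(line)
        if not m:
            continue
        rule, direction, iface, sip, sport, dip, dport = m.groups()
        blocks.append({"rule": int(rule), "dir": direction, "iface": iface,
                       "src": Endpoint(sip, int(sport)),
                       "dst": Endpoint(dip, int(dport))})
    return blocks


def correlate(states_text, pflog_text):
    """Pair every blocked packet with the indexes of the states covering its flow."""
    states = parse_states(states_text)
    results = []
    for b in parse_blocks(pflog_text):
        fwd, rev = (b["src"], b["dst"]), (b["dst"], b["src"])
        hits = [i for i, (_proto, flows) in enumerate(states)
                if fwd in flows or rev in flows]
        results.append((b, hits))
    return results


if __name__ == "__main__":
    for b, hits in correlate(STATES, PFLOG):
        verdict = "matches state(s) %s" % hits if hits else "no state for this flow"
        print("rule %d block %s on %s %s:%d > %s:%d  %s" % (
            b["rule"], b["dir"], b["iface"], b["src"].ip, b["src"].port,
            b["dst"].ip, b["dst"].port, verdict))
```

A block with no covering state is a packet that never created one (it hit the default `block return in log (all) all` before any `pass` rule with `keep state`), while a block that does match a state points at something else, such as a flags or sequence check failing after the state exists; the two cases call for different fixes, which is why the correlation is worth doing before touching the ruleset.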



Re: assembly for x86

2008-09-22 Thread jmc
--- Gábri Máté [Mon, Sep 22, 2008 at 01:45:30PM +0200]: --- 
 Dear List,
 I'd like to study the assembly language of the x86 architecture. I've
 searched for books, but there are a lot of them. Could you please recommend
 me a good writer/book about this topic?

i'm a beginner, but i picked up The Art of Assembly Language, a No Starch
Press book by Randall Hyde. ISBN 1886411972.

i'm sure there's a much longer list of books an assembly programmer
should have at arm's reach, but this is the only one i'm using so far.



Re: assembly for x86

2008-09-22 Thread Gallon Sylvestre
On Mon, Sep 22, 2008 at 1:45 PM, Gabri Mati [EMAIL PROTECTED] wrote:
 Dear List,
 I'd like to study the assembly language of the x86 architecture. I've
 searched for books, but there are a lot of them. Could you please recommend
 me a good writer/book about this topic?

 Thank You!



You can ask or try to search on comp.lang.asm.x86; I think it's a
better place for your question.

You can also read the comp.lang.asm faq :
  http://www.frontiernet.net/~fys/faq/index.htm

--
Gallon sylvestre
OpenBSD fan | Rathaxes Core Developer
LSE researcher | kernel developer for adeneo
http://devsyl.blogspot.com/ | www.rathaxes.org



Re: Help with CARP

2008-09-22 Thread Jose Quinteiro

Not set on the MASTER, 230 on the backup.

Saludos,
Jose.

Jonathan Carter wrote:

I have it set to (1) on the primary and (100) on the backup.

How high did you set yours?

Jonathan


-Original Message-
From: Jose Quinteiro [mailto:[EMAIL PROTECTED] 
Sent: 20 September 2008 20:45

To: Jonathan Carter
Cc: misc@openbsd.org
Subject: Re: Help with CARP

I had similar problems with a couple of little Soekris boxes.  I solved it
by increasing advskew.  I think they can't handle the interrupt load at peak
times.  I'm in the process of replacing them.

HTH,
Jose.

Jonathan Carter wrote:

Hi
 
Any ideas with this one please?
 
I have 2 openBSD boxes running as pair of firewalls using CARP + PF.  
This set up is already working for 12 months.
 
Last week I was troubleshooting network problems reported by my 
clients and I noticed that several CARP interfaces had failed over.  I 
checked that there were no more problems with the Primary firewall and 
I set the interfaces on the backup firewall back to BACKUP and made 
sure that the primary firewall interfaces were all set to MASTER.
 
However I had intermittent timeout problems for the next 24hrs. 
Eventually I enabled loud debugging on PF and I saw that traffic was 
coming through both firewalls even though the backup firewall has all 
its CARP interfaces set back to BACKUP.  I tried several basic TCP 
debugging techniques but in the end I set all of the CARP interfaces on
the backup firewall to down.
 
This is where I am at the moment.  Can anyone point me in the 
direction of how I can investigate this further?  I want to bring up 
the backup firewall interfaces as soon as possible so that I have my 
redundant set up but at the moment I am at a loss to think of what could
be wrong.
 
The only thing I can think of is that I have accidentally enabled 
load balancing, but I have checked the basics from the CARP 
documentation and, on the surface, it does not look like it.
 
I am running 4.1 GENERIC#874 amd64


 
Regards
 
Jonathan




3rd Purchasing Management Summit

2008-09-22 Thread Seminer ilan
III. PURCHASING AND SUPPLY CHAIN MANAGEMENT SUMMIT

10 - 11 - 12 October 2008 / Sheraton Istanbul Hotel

w w w   b o s p h o r u s c o n f e r e n c e sc o m   / tel: 0-216
486   3O  95

Speakers (in order of presentation):

Mehmet Ali NEYZI (Vice President, Zorlu Enerji Group), Yelda KABAKLARLI
(Purchasing Manager, AstraZeneca), Dr. Fatih SARACOGLU (Frentek Otomotiv
San. A.S.), Atilla FILIZ (Production Management Specialist and Author),
Metin KANSU (Industrial Purchasing Consultant, former Purchasing Manager
at Otoyol Sanayi), Prof. Dr. Mehmet TANYAS (Head of the International
Logistics Department, Okan University), Murat BOG (Deputy General
Manager, Ekol Lojistik), Assoc. Prof. Dr. Gulcin BUYUKOZKAN (Industrial
Engineering, Galatasaray University), Metin YILMAZ (General Manager,
Duzey Pazarlama), Bulent CILINGIR (Purchasing Director, Zorlu Enerji
Group), Huseyin CELIK (Purchasing and Logistics Director, Acibadem
Saglik Group), Atilla YILDIZTEKIN (former General Manager of Arkas
Lojistik; board member of UTIKAD, UND and LODER), Dilek OGAN (KESWICK),
Feza OZALP (member of the Council of Supply Chain Management
Professionals (USA) and MBA lecturer at Bilgi University), Asst. Prof.
Dr. Berrin AGARAN (Industrial Engineering, Dogus University), Umut
Hulusi INAN (Industrial Engineer, M.Sc., and Management Consultant),
Assoc. Prof. Dr. Murat BASKAK (Istanbul Technical University), Gurkan
HURYILMAZ (Purchasing Management Specialist), Basak ULKENLI OZEL
(former Contracts Manager, Havelsan A.S.), Necdet UYGURER (Lecturer,
METU and Yeditepe University), Assoc. Prof. Dr. Sevket SAYILGAN
(Marmara University, Corporate Finance Specialist), Baha SIPAHI
(Consultant, former Operations Leader at Nortel Netas), Dr. Dogan
KARADOGAN (retired Transportation Major, Turkish Land Forces, and
Logistics Systems Specialist)

Session Topics

New Horizons in Purchasing
Strategic Decision Processes in Purchasing
Logistics for Purchasing Managers / Criteria for Selecting Supplier
Firms
Definition and Development of Strategic Purchasing, New Practices, Its
Place and Importance in Management
Product, Data and Lifecycle Management in the Purchasing Process (PDM/PLM)
IT Applications in Logistics Management
Innovative Solutions and Technology in Logistics Management
Coordination with Suppliers in Production and Purchasing
Successful Supply Chain Management Practices
Dr. Murphy and Supply Chain Management
Management of Outsourced Services in Purchasing
Distribution Center and Warehouse Management

Supply Chain Management and Auditing
Green Supply Chain Management
Information Sharing in the Supply Chain
Process Improvement Methods in Purchasing and Supply Chain Management
Factors in Make, Buy or Outsource Decisions
Pricing in Purchasing, Determining the Optimal Price and Purchasing
Budget Management
The Legal Dimension of Purchasing Management: Contracts and Disputes
Purchasing Communication: Effective Negotiation and Bargaining
Techniques for Purchasing Managers
Purchasing Finance: The Interaction of the Purchasing Process with the
Finance Process
Outsourcing and New Developments
Emergency and Crisis Logistics

w w w   b o s p h o r u s c o n f e r e n c e s . c o m

BOSPHORUS

CONFERENCES

A Bogazici organization.

w w w   b o g a z i c i e g i t i mc o mt r / tel: 0216 486 
3O  95

To participate, the registration form must be completed and sent
to us.
The participation fee is 1500 YTL + VAT per person. The fee must be
deposited before the summit date into Bogazici Egitim ve Danismanlik's
account no. 215148 at the Isbankasi Beylerbeyi branch.
The fee includes all lunches, tea and coffee, cocktail refreshments
during the event, and all books, CDs, bags, folders and documents
belonging to the program.
No refund is given for cancellations made after 1 October 2008, but
name changes are accepted.
The summit organizing committee reserves the right to change the venue
or the program, or to cancel or postpone it, when required by force
majeure. In that case, fees already paid are refunded.

If you would like us to redirect this bulletin, sent to you for
announcement purposes, to a different e-mail address, or to stop sending
it, you can let us know by e-mail.



Re: Help with CARP

2008-09-22 Thread Bryan Irvine
On Mon, Sep 22, 2008 at 8:30 AM, Jose Quinteiro [EMAIL PROTECTED] wrote:
 Not set on the MASTER, 230 on the backup.

Can you post the output of 'ifconfig' and 'netstat -s -p carp' and
'netstat -s -p pfsync' from both firewalls?

-B



Using trunk(4) to put a router in a switch ring

2008-09-22 Thread Dave Wilson
I am trying to work out a way to add some redundancy to my network, by 
putting my switches in a ring.


I have a pair of CARP'd routers, each with 2 GigE interfaces, and the 
ability to add more on PCI-E cards. I have a number of switches with 
24x100Mb ports and 2 GigE uplink ports. Currently the topology is flat, 
with the GigE backbone having a router on each end, and the switches in 
a line between them. The spare GigE interface on each router is used for 
the pfsync link.


I would like to find a way to join the two ends of the ring together, so 
that a failure of any one switch will mean that only the machines on the 
100Mb ports of that particular switch are affected. To do this I need to 
be able to connect the routers in both directions round the ring, and so 
have two GigE ports acting almost as if they were a three-port switch, with the 
ring in each direction and the carp/vlan/ip interfaces of the router.


I'm not sure if trunk or bridge are more appropriate in this case, and 
if I were to use trunk I'm not sure if I would want broadcast or not.


Can anyone help me out of the confusing hole I've dug myself into?

SD



Re: Help with CARP

2008-09-22 Thread Jose Quinteiro
IP addresses have been changed to protect the guilty.  The wrong VHID 
packets have a simple explanation: There are two other machines on this 
net with their own CARP interfaces.  No idea what the short packets are 
about.


Master:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c8:45:48
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 2.1.7.3 netmask 0xffe0 broadcast
sis1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c8:45:49
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 1.3.3.7 netmask 0xffc0 broadcast
sis2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c8:45:4a
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.40.28.13 netmask 0xff00 broadcast 10.40.28.255
sis3: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c7:98:6c
media: Ethernet autoselect (none)
status: no carrier
sis4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c7:98:6d
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.16.1.3 netmask 0xff00 broadcast 172.16.1.255
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1460
pfsync: syncdev: sis4 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev sis0 vhid 1 advbase 1 advskew 0
groups: carp
inet 6.2.8.8 netmask 0xfff8 broadcast
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev sis1 vhid 3 advbase 1 advskew 0
groups: carp
inet 1.3.7.8 netmask 0xffc0 broadcast
carp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev sis2 vhid 4 advbase 1 advskew 0
groups: carp
inet 10.40.28.1 netmask 0xff00 broadcast 10.40.28.255
# netstat -s -p carp
carp:
11770017 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
3956879 discarded because packet too short
0 discarded for bad authentication
7803201 discarded for bad vhid
0 discarded because of a bad address list
4263104 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
# netstat -s -p pfsync
pfsync:
8396009 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for bad ttl
0 packets shorter than header
0 packets discarded for bad version
0 packets discarded for bad HMAC
0 packets discarded for bad action
0 packets discarded for short packet
0 states discarded for bad values
0 stale states
6148732 failed state lookup/inserts
22453726 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
0 send error

On the backup:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c6:a8:fc
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 2.1.7.5 netmask 0xffe0 broadcast
sis1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c6:a8:fd
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 1.3.3.6 netmask 0xffc0 broadcast
sis2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c6:a8:fe
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.40.28.12 netmask 0xff00 broadcast 10.40.28.255
sis3: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c6:2e:74
media: Ethernet autoselect (none)
status: no carrier
sis4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c6:2e:75
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.16.1.2 netmask 0xff00 broadcast 172.16.1.255
pflog0: flags=0 mtu 
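What the advskew values traded back and forth in this thread actually mean in seconds, as an added example that is not code from the thread or from OpenBSD. It parses the `carp:` lines in the format of the ifconfig output above (a constructed sample with the stripped angle brackets restored) and applies the timing from carp(4) and the kernel's carp_setrun(): a host advertises every advbase + advskew/256 seconds, a BACKUP declares the master dead after 3 * advbase + advskew/256 seconds of silence, and the host with the shortest advertisement interval wins the election.

```python
"""CARP advertisement timing from ifconfig output (added example)."""
import re

# Constructed sample in the format of the master's ifconfig output above.
IFCONFIG = """\
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sis0 vhid 1 advbase 1 advskew 0
        groups: carp
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev sis1 vhid 3 advbase 1 advskew 230
        groups: carp
"""

IFACE_LINE = re.compile(r"^(\S+): flags=")
CARP_LINE = re.compile(
    r"^\s*carp: (\w+) carpdev (\S+) vhid (\d+) advbase (\d+) advskew (\d+)")


def parse_carp(ifconfig_text):
    """Return one dict per carp interface with its state, vhid, advbase, advskew."""
    found, current = [], None
    for line in ifconfig_text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CARP_LINE.match(line)
        if m and current:
            state, dev, vhid, advbase, advskew = m.groups()
            found.append({"ifname": current, "state": state, "carpdev": dev,
                          "vhid": int(vhid), "advbase": int(advbase),
                          "advskew": int(advskew)})
    return found


def advert_interval(advbase, advskew):
    """Seconds between this host's advertisements: advbase + advskew/256."""
    return advbase + advskew / 256.0


def master_down_timeout(advbase, advskew):
    """Seconds a BACKUP waits without hearing a master before taking over:
    3 * advbase + advskew/256 (the timer carp_setrun() arms for BACKUP)."""
    return 3 * advbase + advskew / 256.0


def elect(nodes):
    """nodes: {name: (advbase, advskew)} for one vhid. The host advertising
    most often, i.e. the one with the lowest skew, wins the election."""
    return min(nodes, key=lambda n: advert_interval(*nodes[n]))


def summarize(ifconfig_text):
    """Per carp interface: how often it advertises and how long it would
    tolerate a silent master before failing over."""
    return [(c["ifname"], c["vhid"], c["state"],
             advert_interval(c["advbase"], c["advskew"]),
             master_down_timeout(c["advbase"], c["advskew"]))
            for c in parse_carp(ifconfig_text)]


if __name__ == "__main__":
    for name, vhid, state, every, dead in summarize(IFCONFIG):
        print("%s vhid %d %s: advertises every %.3fs, fails over after %.3fs"
              % (name, vhid, state, every, dead))
    print("election between 1/1 and 1/100:", elect({"primary": (1, 1), "backup": (1, 100)}))
```

The numbers show why raising the backup's advskew is a blunt instrument: 230 only stretches the backup's patience from 3 s to about 3.9 s, and it also means that if the master really does stop, failover takes that long; it does nothing about a backup that has not gone silent at all, which is what the "traffic through both firewalls" symptom earlier in the thread describes.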

Re: Getting the Thinkpad X200 working fully under OpenBSD

2008-09-22 Thread joshua stein
 WARNING: 16384 bytes not available for msgbuf in last cluster (4096
 used)
 [ using 682848 bytes of bsd ELF symbol table ]

for now you can put 'option MSGBUFSIZE=4096' in your kernel config
just to stop it from misbehaving.

 The P8600 Core2Duo is not recognized by the speedstep code.
 
 Adding the model 0x7 to est.c results in:
 cpu0: unknown Enhanced SpeedStep CPU, msr 0x0617091f0691f
 cpu0: using only highest and lowest powerstates
 cpu0: Enhanced SpeedStep 2400 MHz (1196mV): speeds: 2400, 2600 MHz
 
 Now I just have to find out how to populate fqlist with the right data.

try this, it works on my x200 and gives me 2400, 2133, 1867, and
1600 mhz.


Index: est.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/est.c,v
retrieving revision 1.7
diff -u -r1.7 est.c
--- est.c   6 Aug 2008 05:24:44 -   1.7
+++ est.c   22 Sep 2008 17:42:33 -
@@ -55,6 +55,7 @@
 
 #include sys/param.h
 #include sys/systm.h
+#include sys/malloc.h
 #include sys/sysctl.h
 
 #include machine/cpu.h
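Review bot: the added `#include sys/malloc.h` (angle brackets lost in the archive copy) is only justified by a heap allocation that does not appear in the visible part of the diff; since the hunk at line 93 turns `fake_table` into a bare pointer, whoever applies this should check that the allocation it implies sizes the table from the computed `tablesize`, checks the return value, and does not leave `est_fqlist` pointing at an unallocated table on failure.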
@@ -77,10 +78,11 @@
 #define BUS266 26667
 #define BUS333 3
 
-#define MSR2MHZ(msr, bus) \
-   (int) (msr)  8)  0xff) * (bus) + 50) / 100)
-#define MSR2MV(msr) \
-   (((int) (msr)  0xff) * 16 + 700)
+#define MSR2FREQINC(msr)   (((int) (msr)  8)  0xff)
+#define MSR2VOLTINC(msr)   ((int) (msr)  0xff)
+
+#define MSR2MHZ(msr, bus)  ((MSR2FREQINC((msr)) * (bus) + 50) / 100)
+#define MSR2MV(msr)(MSR2VOLTINC(msr) * 16 + 700)
 
 struct fqlist {
int vendor: 5;
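Review bot: style point on the new macros: `MSR2MHZ` wraps its argument twice as `MSR2FREQINC((msr))` while `MSR2MV` passes `MSR2VOLTINC(msr)` bare; use one form. The shift and mask operators were stripped by the archive, so the bodies of `MSR2FREQINC` and `MSR2VOLTINC` cannot be checked here; a one-line comment stating the MSR layout they decode (frequency code in the byte above bit 8, voltage code in the low byte, `* 16 + 700` giving millivolts) would make the refactor self-explanatory to the next reader.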
@@ -91,7 +93,7 @@
 
 static const struct fqlist *est_fqlist;
 
-static u_int16_t fake_table[3];
+static u_int16_t *fake_table;
 static struct fqlist fake_fqlist;
 
 extern int setperf_prio;
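Review bot: `fake_table` changes from a fixed 3-entry static array to an uninitialized pointer, and nothing in the visible hunks assigns it or guards against the initialization path running more than once; if est_init() can be entered twice, a second pass would allocate a fresh table and leak the first. Either allocate only when `fake_table == NULL` or free the old table before replacing it.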
@@ -158,6 +160,7 @@
model = (ci-ci_signature  4)  15;
switch (model) {
case 0xe: /* Core Duo/Solo */
+   case 0x7: /* Core 2 Duo */
case 0xf: /* Core Xeon */
msr = rdmsr(MSR_FSB_FREQ);
bus = (msr  0)  0x7;
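Review bot: `case 0x7: /* Core 2 Duo */` keys on `model = (ci-ci_signature >> 4) & 15`, i.e. only the low four bits of the model number, so this arm matches any family-6 part whose model ends in 7 (the 45 nm Core 2 parts are model 0x17; the original 65 nm Core 2 Duo is model 0xf and already falls into the `Core Xeon` arm below). Say so in the comment, or compare the extended model as well, so the interpolated fake table is not applied to an unrelated CPU.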
@@ -244,29 +247,74 @@
return;
}
if (est_fqlist == NULL) {
-   printf(%s: unknown Enhanced SpeedStep CPU, msr 0x%016llx\n,
-   cpu_device, msr);
+   int j, tablesize, freq, volt;
+   int minfreq, minvolt, maxfreq, maxvolt, freqinc, voltinc;
 
-   /*
-* Generate a fake table with the power states we know.
-*/
-   fake_table[0] = idhi;
-   if (cur == idhi || cur == idlo) {
-   printf(%s: using only highest and lowest power 
-   states\n, cpu_device);
-
-   fake_table[1] = idlo;
-   fake_fqlist.n = 2;
-   } else {
-   printf(%s: using only highest, current and lowest 
-   power states\n, cpu_device);
-
-   fake_table[1] = cur;
-   fake_table[2] = idlo;
-   fake_fqlist.n = 3;
+#ifdef EST_DEBUG
+   printf(%s: bus_clock = %d\n, __func__, bus_clock);
+   printf(%s: idlo = 0x%x\n, __func__, idlo);
+   printf(%s: lo  %4d mV, %4d MHz\n, __func__,
+   MSR2MV(idlo), MSR2MHZ(idlo, bus_clock));
+   printf(%s: raw %4d   , %4d\n, __func__,
+   (idlo  0xff), ((idlo  8)  0xff));
+   printf(%s: idhi = 0x%x\n, __func__, idhi);
+   printf(%s: hi  %4d mV, %4d MHz\n, __func__,
+   MSR2MV(idhi), MSR2MHZ(idhi, bus_clock));
+   printf(%s: raw %4d   , %4d\n, __func__,
+   (idhi  0xff), ((idhi  8)  0xff));
+   printf(%s: cur  = 0x%x\n, __func__, cur);
+#endif
+
+/*
+ * Generate a fake table with the power states we know,
+* interpolating the voltages and frequencies between the
+* high and low values.  The (milli)voltages are always
+* rounded up when computing the table.
+*/
+   minfreq = MSR2FREQINC(idlo);
+   maxfreq = MSR2FREQINC(idhi);
+   minvolt = MSR2VOLTINC(idlo);
+   maxvolt = MSR2VOLTINC(idhi);
+   freqinc = maxfreq - minfreq;
+   voltinc = maxvolt - minvolt;
+
+   /* Avoid diving by zero. */
+   if (freqinc == 0 || voltinc == 0)
+   return;
+
+   if (freqinc  voltinc || voltinc == 0) {
+   tablesize = maxfreq - minfreq + 1;
+   if (voltinc != 0)
+   voltinc = voltinc * 100 / freqinc - 1;
+   freqinc = 100;
+   } else {
+   tablesize = maxvolt - minvolt + 1;
+   freqinc = freqinc * 100 / voltinc - 1;
+   voltinc = 100;
}
- 
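Review bot: the early `if (freqinc == 0 || voltinc == 0) return;` makes the later `|| voltinc == 0` and `if (voltinc != 0)` tests unreachable, and it is a behaviour change: the removed code printed `unknown Enhanced SpeedStep CPU` and still built a two- or three-entry table from `idhi`, `cur` and `idlo`, whereas the new code returns silently with `est_fqlist` still NULL whenever the high and low states share a frequency or voltage code, which quietly disables SpeedStep on such a CPU. Keep the diagnostic printf and fall back to the old two-entry table instead of returning. Smaller points: `diving` should read `dividing`, the comment block starting `+/*` is indented one level short of the code around it, and the hunk is cut off after the `}` of the else branch, so the allocation and the loop that fills the interpolated table could not be reviewed from this copy.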

Re: assembly for x86

2008-09-22 Thread Gábri Máté
Thank You!
I've ordered this book. I like No Starch Press books anyway.


2008/9/22 jmc [EMAIL PROTECTED]

 --- Gábri Máté [Mon, Sep 22, 2008 at 01:45:30PM +0200]: ---
  Dear List,
  I'd like to study the assembly language of the x86 architecture. I've
  searched for books, but there are a lot of them. Could you please
 recommend
  me a good writer/book about this topic?

 i'm a beginner, but i picked up The Art of Assembly Language, a No Starch
 Press book by Randall Hyde. ISBN 1886411972.

 i'm sure there's a much longer list of book an assembly programmer
 should have at arm's reach, but this is the only one i'm using so far.



OpenBSD Road Warrior connecting to L2TP/IPSec VPN?

2008-09-22 Thread Aaron W. Hsu
Hello All,

I am trying to connect to my University's VPN system, with little luck. 
I am not sure how to even begin, though I have found Undeadly articles 
on IPSec in Under 4 Minutes, as well as various tutorials and 
documents on connecting OpenBSD servers to other servers and gateways.

I don't even know if this is possible, but looking at ipsec.conf, I can't 
see any details about how I would configure my system to connect to 
this VPN. Is it possible? If so, how?

I've added just a basic ipsec.conf line:

ike dynamic esp from any to any peer ipsec.indiana.edu psk hermanbwells 

But I haven't gotten much further than that. Does anyone have any 
suggestions? The University's Guide to the VPN is: 

http://kb.iu.edu/data/ajrq.html

Aaron Hsu



Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:


On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
I have users that can access the website fine (75.44.229.18) and some
users that complain they can't access it.


Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.


Here is the output from pfctl -vss - with the host (75.18.177.36) trying
to access the website:


Please do that again, but grep only the relevant bits.  I'm not going to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your rdr's.
I think the inbound traffic is having the src_addr translated to your
firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
let's correlate your states to the logged blocks.  In separate
terminals, do the `pfctl -ss | grep foo` and then find the
corresponding traffic in pflog0 that's being blocked.  Let's see them
both.



# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128


# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


And the blocked packets?



How should I capture them?  Did you mean via pflog?

Thanks
Parvinder bhasin

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/




Re: OpenBSD Road Warrior connecting to L2TP/IPSec VPN?

2008-09-22 Thread Christoph Leser
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of Aaron W. Hsu
 Sent: Monday, 22 September 2008 20:04
 To: misc@openbsd.org
 Subject: OpenBSD Road Warrior connecting to L2TP/IPSec VPN?


 Hello All,

 I am trying to connect to my University's VPN system, with little luck.
 I am not sure how to even begin, though I have found Undeadly articles
 on IPSec in Under 4 Minutes, as well as various tutorials and
 documents on connecting OpenBSD servers to other servers and gateways.

 I don't even know if this is possible, but looking at ipsec.conf, I can't
 see any details about how I would configure my system to connect to
 this VPN. Is it possible? If so, how?

 I've added just a basic ipsec.conf line:

   ike dynamic esp from any to any peer ipsec.indiana.edu
 psk hermanbwells

 But I haven't gotten much further than that. Does any one have any
 suggestions? The University's Guide to the VPN is:

   http://kb.iu.edu/data/ajrq.html

   Aaron Hsu



From the cited page I would guess they use L2TP over IPsec. I think this is
not supported by OpenBSD, but I may be wrong.



Re: Need Help badly - PF related

2008-09-22 Thread Jason Dixon
On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote:
 On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:

 On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:
 On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:

 On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:

 On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:

 On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
 On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:

 On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED]
 wrote:
 I have users that can access the website fine (75.44.229.18) and some
 users that complain they can't access it.

 Include the dmesg so we can see what OS version you're running.
 Set pfctl -x misc and watch /var/log/messages, include any output
 from around the time of a failed connection. Include the relevant
 state table entries from pfctl -vss.

 Here is the output from pfctl -vss - with the host (75.18.177.36)
 trying to access the website:

 Please do that again, but grep only the relevant bits.  I'm not
 going to sift through all the noise.

 $ sudo pfctl -ss | grep 75.18.177.36

 I'm pretty sure your outbound nat needs to be moved *after* your rdr's.
 I think the inbound traffic is having the src_addr translated to
 your firewall's ($ext_if)

 Jason,

 Here it is without the noise.

 # pfctl -ss | grep 75.18.177.36
 all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
 all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
 # pfctl -ss | grep 75.18.177.36
 all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
 all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

 Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
 let's correlate your states to the logged blocks.  In separate
 terminals, do the `pfctl -ss | grep foo` and then find the
 corresponding traffic in pflog0 that's being blocked.  Let's see them
 both.


 # pfctl -sr
 scrub in all fragment reassemble
 block return in log (all) all
 pass out all flags S/SA keep state
 block drop in quick on ! lo inet from 127.0.0.0/8 to any
 block drop in quick on ! lo inet6 from ::1 to any
 block drop in quick inet from 127.0.0.1 to any
 block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
 block drop in quick inet from 172.16.10.10 to any
 block drop in quick inet6 from ::1 to any
 block drop in quick on lo0 inet6 from fe80::1 to any
 block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
 pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
 pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
 pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
 pass in inet proto icmp all icmp-type echoreq keep state
 pass in quick on fxp0 all flags S/SA keep state
 # pfctl -sn
 nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
 nat-anchor ftp-proxy/* all
 rdr-anchor ftp-proxy/* all
 rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
 rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128


 # pfctl -ss | grep 75.18.177.36
 all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
 all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

 And the blocked packets?


 How should I capture them?  Did you mean via pflog?

Yes, just like you did before.  I'd like to see where they're being
passed (pfctl -ss) *and* blocked (pflog) at the same time.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
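The correlation Jason asks for above (a state-table entry next to the pflog block for the same connection) can be done mechanically. The script below is an added example, not code from the thread or from OpenBSD; it parses `pfctl -ss` lines and `tcpdump -n -e -ttt -i pflog0` lines and reports, for each blocked packet, whether a state already covered that connection. It assumes IPv4 and the line layouts shown inside it: the sample state lines are the thread's two entries for port 1057 with pfctl's `<-`/`->` arrows (which the archive stripped) put back, two of the pflog lines are from the thread, and the third pflog line is constructed to show the matching case. The distinction matters for debugging: a block with no matching state is the rule set's decision, while a block that has a matching state means the packet failed the state check (sequence window, direction or interface), which is exactly what `pfctl -x misc` then explains in /var/log/messages.

```python
"""Correlate pflog block records with pfctl -ss state entries (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

ARROWS = {"->", "<-"}

# Layout printed by: tcpdump -n -e -ttt -i pflog0
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

# Sample input: state lines from the thread (arrows restored); pflog lines
# one and two from the thread, line three constructed for the matching case.
SAMPLE_STATES = """\
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
"""
SAMPLE_PFLOG = """\
Sep 22 11:57:34.445702 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:58:59.557561 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1058: [|tcp] (DF)
Sep 22 11:59:03.000000 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1057: [|tcp] (DF)
"""

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

@dataclass(frozen=True)
class State:
    proto: str
    src: Endpoint
    dst: Endpoint
    gwy: Optional[Endpoint]  # translated address when a nat/rdr rule applied
    raw: str

@dataclass(frozen=True)
class Blocked:
    iface: str
    direction: str
    src: Endpoint
    dst: Endpoint
    raw: str

def endpoint(text: str, sep: str) -> Endpoint:
    """pfctl writes ip:port, tcpdump writes ip.port; split on the last sep."""
    ip, port = text.rsplit(sep, 1)
    return Endpoint(ip, int(port))

def parse_states(text: str) -> list[State]:
    """Outbound states print as src -> [gwy ->] dst, inbound ones as
    dst <- [gwy <-] src; the last token is the src:dst TCP state pair."""
    states = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not ARROWS & set(parts):
            continue
        eps = [endpoint(p, ":") for p in parts[2:-1] if p not in ARROWS]
        if "<-" in parts:
            dst, src = eps[0], eps[-1]
        else:
            src, dst = eps[0], eps[-1]
        gwy = eps[1] if len(eps) == 3 else None
        states.append(State(parts[1], src, dst, gwy, line))
    return states

def parse_pflog(text: str) -> list[Blocked]:
    out = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m and m["action"] == "block":
            out.append(Blocked(m["iface"], m["dir"], endpoint(m["src"], "."),
                               endpoint(m["dst"], "."), line))
    return out

def state_keys(st: State) -> set[tuple[Endpoint, Endpoint]]:
    """Address pairs this connection carries on either side of translation."""
    keys = {(st.src, st.dst)}
    if st.gwy is not None:
        keys.add((st.src, st.gwy))  # rdr: outside view, towards the public address
        keys.add((st.gwy, st.dst))  # nat: outside view, from the public address
    return keys

def matching_states(pkt: Blocked, states: list[State]) -> list[State]:
    pairs = {(pkt.src, pkt.dst), (pkt.dst, pkt.src)}  # either direction
    return [st for st in states if pairs & state_keys(st)]

def correlate(states_text: str, pflog_text: str) -> dict[str, str]:
    """Map each blocked pflog line to a short verdict."""
    states = parse_states(states_text)
    verdicts = {}
    for pkt in parse_pflog(pflog_text):
        hits = matching_states(pkt, states)
        if hits:
            verdicts[pkt.raw] = (f"state exists ({len(hits)}): packet failed the "
                                 "state check, see pfctl -x misc output")
        else:
            verdicts[pkt.raw] = "no state: blocked by rule evaluation"
    return verdicts

if __name__ == "__main__":
    for line, verdict in correlate(SAMPLE_STATES, SAMPLE_PFLOG).items():
        print(f"{verdict}\n    {line}")
```

Run it against the real outputs by reading `pfctl -ss` and the pflog capture into the two strings; in the sample, the thread's own block for port 1058 has no state (the states are for 1057), which is why Jason wanted both captured at the same moment.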



Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin


Jason,

Here are the blocked packets and the pfctl -ss, pfctl -sn and pfctl -sr
dumps.


# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Sep 22 11:57:34.445702 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:57:38.496743 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:58:59.557561 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1058: [|tcp] (DF)



# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128

# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www  
flags 

Re: Getting the Thinkpad X200 working fully under OpenBSD

2008-09-22 Thread Robert
On Mon, 22 Sep 2008 12:46:07 -0500
joshua stein [EMAIL PROTECTED] wrote:

  WARNING: 16384 bytes not available for msgbuf in last cluster (4096
  used)
  [ using 682848 bytes of bsd ELF symbol table ]
 
 for now you can put 'option MSGBUFSIZE=4096' in your kernel config
 just to stop it from misbehaving.

Hello Joshua,

this gets rid of the warning and the garbage in /var/run/dmesg.boot.
As expected the output in dmesg boot is truncated.
Much better than before.


 try this, it works on my x200 and gives me 2400, 2133, 1867, and
 1600 mhz.
 
 
 Index: est.c
 ===
 RCS file: /cvs/src/sys/arch/amd64/amd64/est.c,v
 retrieving revision 1.7
 diff -u -r1.7 est.c
 --- est.c 6 Aug 2008 05:24:44 -   1.7
 +++ est.c 22 Sep 2008 17:42:33 -

Very nice!
This works fine for me too.


Thank you very much!

- Robert



Re: Getting the Thinkpad X200 working fully under OpenBSD

2008-09-22 Thread Robert
On Sun, 21 Sep 2008 21:22:33 -0500
Neal Hogan [EMAIL PROTECTED] wrote:

 Fyi --
 
 Similar issues with a new T400. The dmesg is below (I had a
 better/cleaner dmesg with an i386/4.4 install (09/10/2008)).

Hi Neal,

indeed the systems are very similar.
Looking at the tabook confirms that the T400 uses the same chipset.

Same problems, same fixes.


bye

- Robert



Re: Using trunk(4) to put a router in a switch ring

2008-09-22 Thread Stuart Henderson
On 2008-09-22, Dave Wilson [EMAIL PROTECTED] wrote:
 I'm not sure if trunk or bridge are more appropriate in this case

I think probably bridge with RSTP, but I'm not sure how that will
play with vlans (if you use them).

I'd like to do something similar, but I have vlans, and as an
added twist my interconnects are over third-party vlans, and I'm
not especially keen on breaking the third party's switch fabric,
so I haven't risked experimenting much with this yet :)



Re: recommendation for router (COMMELL)

2008-09-22 Thread Chad M Stewart

On Sep 17, 2008, at 12:49 AM, Aaron Stellman wrote:


On Tue, Sep 16, 2008 at 10:20:08PM -0400, Steve Shockley wrote:

Juan Miscaro wrote:

Has anyone any experience running OpenBSD on this puppy:

http://www.commell-sys.com/Product/IPC/EMB-564.htm

I'm looking for a replacement for my tower that is currently  
acting as

router, anti-spam, mail server for a small network/domain.


Anti-spam might be a little slow on that depending on your volume.  I
haven't used that product though.


This commell site is suspiciously similar to Liantec site; moreover,
this commell device is very similar to EMB-5740 Liantec.
I assume these two companies are owned by same individuals.
I still can't find any places in US that sell EMB-5740.



The domains are registered to the same person, for what ever that is  
worth.  I have exchanged a number of emails with someone at  
Liantec.com and when the emails stopped I was left thinking they want  
my money, but won't provide details on when the product could ship as  
the product was not in stock at the moment, no thanks.  I asked them  
to contact me when the product went in stock but I have never heard  
back from them.  Perhaps Wim has had more luck, but last I knew he  
didn't have any luck with them either.  I wonder if these boards are  
simply vaporware.



-Chad



Re: acpitz diff changes warnings on compaq nc6000 [Re: CVS: cvs.openbsd.org: src]

2008-09-22 Thread Sven Gaerner
On Fri, 12 Sep 2008 11:51:40 +0300
Denis Doroshenko [EMAIL PROTECTED] wrote:

 hi,
 
 On Thu, Sep 11, 2008 at 3:45 PM, Miod Vallat [EMAIL PROTECTED]
 wrote:
  CVSROOT:/cvs
  Module name:src
  Changes by: [EMAIL PROTECTED]2008/09/11 06:45:20
 
  Modified files:
 sys/dev/acpi   : acpitz.c
 
  Log message:
  Thermal Zone entities might not be direct object references, but
  named references. Account for this, and the hp530 laptop won't
  spontaneously power down thinking internal temperature is over 500C.
 
  ok marco@
 
 in a hope this diff would fix overheating under ACPI on my compaq
 nc6000, built the kernel and found out that this diff changed acpitz
 warnings from:
 
 acpitz0: _AL1[0] not a object ref
 acpitz0: _AL2[0] not a object ref
 acpitz0: _AL3[0] not a object ref
 
 to
 
 acpitz0: _AL1[0.0] _PRO not a package
 acpitz0: _AL2[0.0] _PRO not a package
 acpitz0: _AL3[0.0] _PRO not a package
 

Hi,

running the snapshot from the weekend (2008-09-22) on my HP nc6400
doesn't show the above mentioned console output anymore. Getting one
step closer to run OpenBSD on the notebook. Thanks.

Below the hw.sensors output which looks fine and the dmesg.

Sven

hw.sensors.acpitz0.temp0=45.05 degC (zone temperature)
hw.sensors.acpitz1.temp0=39.05 degC (zone temperature)
hw.sensors.acpitz2.temp0=37.05 degC (zone temperature)
hw.sensors.acpitz3.temp0=23.85 degC (zone temperature)
hw.sensors.acpitz4.temp0=20.05 degC (zone temperature)
hw.sensors.acpibat0.volt0=10.80 VDC (voltage)
hw.sensors.acpibat0.volt1=12.49 VDC (current voltage)
hw.sensors.acpibat0.amphour0=4.43 Ah (last full capacity)
hw.sensors.acpibat0.amphour1=0.22 Ah (warning capacity)
hw.sensors.acpibat0.amphour2=0.04 Ah (low capacity)
hw.sensors.acpibat0.amphour3=3.88 Ah (remaining capacity), OK
hw.sensors.acpibat0.raw0=2 (battery charging), OK
hw.sensors.acpibat0.raw1=1034 (rate)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.cpu0.temp0=43.00 degC

OpenBSD 4.4-current (GENERIC.MP) #878: Sat Sep 20 14:12:25 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Genuine Intel(R) CPU T2400 @ 1.83GHz (GenuineIntel 686-class) 1.83 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2,xTPR
real mem  = 3614863360 (3447MB)
avail mem = 3508621312 (3346MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/05/07, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.4 @ 0xf398f (23 entries)
bios0: vendor Hewlett-Packard version 68YCU Ver. F.0B date 09/05/2007
bios0: Hewlett-Packard HP Compaq nc6400 (RA270AA#ABD)
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SLIC HPET APIC MCFG TCPA SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices C098(S5) C0F7(S3) C0F8(S3) C0F9(S3) C0FA(S3) C101(S0) C229(S0) C111(S5) C234(S5) C117(S5) C235(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 166MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Genuine Intel(R) CPU T2400 @ 1.83GHz (GenuineIntel 686-class) 1.83 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2,xTPR
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: duplicate apic id, remapped to apid 2
acpiprt0 at acpi0: bus 2 (C098)
acpiprt1 at acpi0: bus 8 (C101)
acpiprt2 at acpi0: bus 16 (C111)
acpiprt3 at acpi0: bus 32 (C117)
acpiprt4 at acpi0: bus 0 (C002)
acpiec0 at acpi0
acpicpu0 at acpi0
acpicpu1 at acpi0
acpitz0 at acpi0: critical temperature 256 degC
acpitz1 at acpi0: critical temperature 105 degC
acpitz2 at acpi0: critical temperature 105 degC
acpitz3 at acpi0: critical temperature 105 degC
acpitz4 at acpi0: critical temperature 110 degC
acpibat0 at acpi0: C1B4 model Primary serial 14908 2007/01/24 type LIon oem Hewlett-Packard
acpibat1 at acpi0: C1B3 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: C249
acpibtn1 at acpi0: C241
acpivideo at acpi0 not configured
bios0: ROM list: 0xc/0x1!
cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130b2c06000b2c
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1833 MHz (1404 mV): speeds: 1833, 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel 82945GM Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xe000, size 0x1000
Intel 82945GM Video rev 0x03 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x01: apic 2 int 16 (irq 10)
azalia0: codec[s]: Analog Devices/0x1981, ATT/Lucent/0x3026, using Analog Devices/0x1981
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 

How to add new modules to httpd?

2008-09-22 Thread Don Jackson
Hello,

I'd like to use an Apache module, mod_proxy_http to build a reverse-proxy, see:

   http://www.apachetutor.org/admin/reverseproxies

This module requires the inclusion of several others, e.g.:

  LoadModule proxy_module      modules/mod_proxy.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  LoadModule headers_module    modules/mod_headers.so
  LoadFile   /usr/lib/libxml2.so
  LoadModule proxy_html_module modules/mod_proxy_html.so

I'm running OpenBSD 4.3 stable on amd64.

It looks like the OpenBSD stock httpd includes mod_proxy and
mod_headers, but not mod_proxy_http or mod_proxy_html, and although
libxml2 seems to be available as a package, httpd complains when one
tries to LoadFile it as above.

Despite looking thru the FAQ and a few other places, I'm not finding
the documentation I would need to figure out how to add the modules
above.

Do I need to recompile httpd after adding new modules into the tree?

Any advice or pointers to documentation on this would be greatly appreciated!

Thanks,

Don



Re: How to add new modules to httpd?

2008-09-22 Thread Don Jackson
I have some corrections and clarifications I need to make to this query:

1) The primary module I am trying to use/load is mod_proxy_html, which
in turn requires mod_proxy_http (among others)

2) for a while I forgot I needed to turn off the chroot feature, now
that I have, it looks like the LoadFile of libxml works, eg:

LoadFile   /usr/local/lib/libxml2.so.9.7

Yields no error messages on startup, so that is a big improvement!

3) In looking around the source code for httpd, I see that in

  ./src/usr.sbin/httpd/src/modules/proxy

I see that proxy_http.c is in there, so does that mean that
mod_proxy_http is already included in httpd?

If so, it seems that the only remaining module I would need is mod_proxy_html.
Do I need to recompile httpd to get this into the build?  (If so,
how?) Or can I create a .so and just load it?

Thanks again,

Don





Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin
Any word Jason/Stuart?  I am stuck at this.  I have had sniffers all
over the place to see what was wrong that PF was NOT liking this
connection, but nothing turned up.


-Parvinder Bhasin





Re: assembly for x86

2008-09-22 Thread Mic J
http://www.drpaulcarter.com/pcasm/

Gratis book.
Uses nasm as assembler. and you can use yasm (BSD license) if you want.


Mic



19 Days Until NYCBSDCon 2008

2008-09-22 Thread George Rosamond
NYCBSDCon begins in a few weeks, so make sure you register as soon as 
possible.


http://www.nycbsdcon.org/2008/register.html

NYCBSDCon brings together the best and brightest of the BSD communities 
from the New York area and beyond.


The conference costs $95, including breakfast and lunch on both days, in 
addition to a number of other extras.  Full-time students and Columbia 
University affiliates pay only $50 with valid identification.


This year's schedule is impressive: from file systems and the portable C 
compiler to system and network management, we are thrilled to be able to 
provide such strong content.  A full array of BSD developers and systems 
administrators are speaking, including Pawel Dawidek, Michael Lucas, 
Jason Wright and DragonFly BSD's Matt Dillon.  And Jason Dixon looks to 
top his 2006 presentation on Is BSD Dying? with a look at BSD versus 
the GPL.


While the conference officially begins on Saturday morning, October 
11th, attendees will be gathering on Friday night at Havanna Central, 
just across from Columbia University.


More information, including the schedule and transportation options, can 
be found at http://www.nycbsdcon.org.




Re: Postfix race condition at boot

2008-09-22 Thread Brian Keefer

On Jul 20, 2008, at 1:48 AM, Uwe Dippel wrote:


On Mon, 14 Jul 2008 12:47:40 -0500, Karl O. Pinc wrote:



I've an OpenBSD box that's been running postfix for a few
years, strictly as a send-only mta, and every night the
box gets rebooted.  Every couple of months postfix does
not come up on reboot.

All that shows up in the logs is:
<snip> postfix/postfix-script[3005]: fatal: Postfix integrity check failed!


Solution? Remove the sendmail-flags from rc.conf.local and put a
'postfix start' at the end of rc.local. That should help.

Uwe


I just saw the same thing after upgrading my Mac Mini G4 from 4.0 to  
4.4-current and upgrading Postfix to 2.6.20080726.  I have the sasl2  
flavor installed, so perhaps it's a problem with that, as mentioned  
later in this thread?


At your suggestion, I changed sendmail_flags to NO in /etc/rc.conf.local
and simply added a /usr/local/sbin/postfix start to /etc/rc.local.
All working fine now...


--
bk



Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin
Here is some more info: the request gets to the web server, but when the
web server is responding to the client's request, PF BLOCKS the
request:


Here is tcpdump view from webserver:

20:44:47.539217 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:44:51.738331 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:44:57.737882 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:45:09.935925 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:45:33.932113 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:46:22.124476 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:46:22.125818 IP (tos 0x10, ttl  64, id 35465, offset 0, flags [DF], proto 6, length: 40) 75.18.177.36.1120 > 172.16.10.11.80: R [tcp sum ok] 1:1(0) ack 1 win 0



Here is PF blocking the same:

# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Sep 22 22:16:18.905238 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1120: [|tcp] (DF)
Sep 22 22:17:07.101648 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1120: [|tcp] (DF)



Why is PF blocking???

HELP!!!


