Tcp connections dropping out after 5 minutes
This is getting close to OT but they are OpenBSD firewalls.

I am getting connections dropping out after being idle for exactly 5 minutes. The servers are 3.2 and 3.5 (I know, time to upgrade). The dropouts occur on ssh as well as a redirected telnet session to an internal server. I am testing with telnet rather than ssh to keep away from any client keep-alive issues.

Here is a connection started and left idle:

11:42:52.376607 202.126.96.150.4211 > 10.250.2.183.7755: S 3588045201:3588045201(0) win 16384
11:42:52.376825 10.250.2.183.7755 > 202.126.96.150.4211: S 2231228792:2231228792(0) ack 3588045202 win 65535 (DF)
11:42:52.487471 202.126.96.150.4211 > 10.250.2.183.7755: . ack 1 win 16384
11:47:53.784419 202.126.96.150.4211 > 10.250.2.183.7755: R 3588045202:3588045202(0) win 0

There have been no changes to the default timeouts in the tcp connection, and up until they disappear the state is listed in "netstat -n -v -f inet" as being established with almost 24 hours to go (the default state timeout for an established connection).

The relevant rules from pf.conf are:

rdr on $Ext proto tcp from any to $ExtIp port 7755 -> 10.250.2.183 port 7755
rdr on $Ext proto tcp from any to $ExtIp port 7766 -> 10.250.2.183 port 7766
pass in quick on $Ext inet proto tcp from any to 10.250.2.183 port { 7755 } keep state
pass in quick on $Ext inet proto tcp from any to 10.250.2.183 port { 7766 } keep state

I have searched for information on resets, "connection reset by peer" and state timeouts, but everything is still at default settings.

Thanks in advance for any direction

Gordon Chalmers
A&LWINDOWS
20 Apollo Drive
Hallam Vic 3803
T (03) 8786 0069
F (03) 8786 0169
E [EMAIL PROTECTED]
W www.alwindows.com.au
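A small tcpdump(8) log analyser, added here as an example and not part of the original post, that measures the idle gap before each RST in a trace like the one above, so a reset landing at the 300-second mark (the 5-minute cut-off described) stands out from ordinary client resets. The first flow is the four packets from the post; the second flow, the thresholds and the function names are constructed for the example.

```python
import re

# tcpdump(8) line shape used in the post: "HH:MM:SS.ffffff src.port > dst.port: FLAGS ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"(?P<flags>[SFRP.]+)(?=\s)"
)

# First flow: the four packets quoted in the post. Second flow: constructed,
# a client that resets after only a few seconds and must not be flagged.
SAMPLE_TRACE = """\
11:42:52.376607 202.126.96.150.4211 > 10.250.2.183.7755: S 3588045201:3588045201(0) win 16384
11:42:52.376825 10.250.2.183.7755 > 202.126.96.150.4211: S 2231228792:2231228792(0) ack 3588045202 win 65535 (DF)
11:42:52.487471 202.126.96.150.4211 > 10.250.2.183.7755: . ack 1 win 16384
11:43:10.000000 192.0.2.10.5000 > 10.250.2.183.7766: S 1:1(0) win 16384
11:43:10.000500 10.250.2.183.7766 > 192.0.2.10.5000: S 2:2(0) ack 2 win 65535 (DF)
11:43:14.250000 192.0.2.10.5000 > 10.250.2.183.7766: R 2:2(0) win 0
11:47:53.784419 202.126.96.150.4211 > 10.250.2.183.7755: R 3588045202:3588045202(0) win 0
"""


def ts_seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def flow_key(src, dst):
    """Direction-independent key so both halves of a flow land in one bucket."""
    return tuple(sorted((src, dst)))


def parse_trace(lines):
    """Yield (seconds, flow_key, sender, flags) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield ts_seconds(m["ts"]), flow_key(m["src"], m["dst"]), m["src"], m["flags"]


def find_idle_resets(lines, expected_idle=300.0, tolerance=5.0):
    """Report every RST whose idle gap since the flow's previous packet lies
    within `tolerance` seconds of `expected_idle` (300 s = the 5-minute
    cut-off in the post). Both thresholds are assumptions; tune to the trace."""
    last_seen = {}
    hits = []
    for t, key, sender, flags in parse_trace(lines):
        prev = last_seen.get(key)
        if prev is not None and "R" in flags:
            gap = t - prev
            if gap < 0:            # trace crossed midnight
                gap += 86400.0
            if abs(gap - expected_idle) <= tolerance:
                hits.append({"flow": key, "idle": round(gap, 3), "reset_by": sender})
        last_seen[key] = t
    return hits


if __name__ == "__main__":
    for h in find_idle_resets(SAMPLE_TRACE.splitlines()):
        print("%s <-> %s: RST from %s after %.3f s idle"
              % (h["flow"][0], h["flow"][1], h["reset_by"], h["idle"]))
```

Feed it the output of tcpdump on the external interface and on the internal one; if the RST shows up on both sides with the same idle gap it came from an endpoint, if it only appears on one side something in between is injecting it.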
Re: Pf rule for carp and round-robin
On Thu, 8 Sep 2005 16:07:27 -0400
"Monah Baki" <[EMAIL PROTECTED]> wrote:

> { $web_srvr1, $web_srvr2 } round-robin sticky-address

Try

rdr on $ext_if proto tcp from any to $carp5 port 80 \
    -> { $web_srvr1, $web_srvr2 } round-robin source-hash

The above may be incorrect, so you should check out the load balance section of the FAQ. I am not sure off the top of my head if the round-robin and source-hash will conflict, as the default action when you specify greater than one address to forward to is to round-robin anyway.

--
http://edd.link9.net - http://irc.is-cool.net
the joys of spamd
Helo misc@

For those of you that haven't yet tried it, I love OpenBSD's spamd and recommend it with two thumbs up. At the behest of Jason Dixon, I (finally) set up spamd ~ a week ago, and since then, it's *amazing* to see how many miscreants are getting caught up in it. Our spam, previously ~300-500/week (even with spamassassin), has plummeted to nothing. Meanwhile, no one has called to say their messages aren't getting delivered. Memory load seems to be up just a couple of MB (essentially nothing) over a couple of weeks ago; it is a joy to behold:

Sep 8 11:47:11 mail spamd[19133]: 61.159.253.63: disconnected after 408 seconds. lists: china
Sep 8 12:10:16 mail spamd[19133]: 211.193.204.4: disconnected after 77 seconds. lists: korea
Sep 8 14:22:23 mail spamd[2121]: 61.100.12.105: disconnected after 54 seconds. lists: korea

What can you do but chuckle? Thanks for the great tool, gang--well done.

Kevin S.

--
http://www.ebiinc.com : Background Screening from EBI
Drug testing & corporate background checks, worldwide.
Re: superviser daemon
On Thu, 8 Sep 2005 20:10:48 -0300
Gustavo Rios <[EMAIL PROTECTED]> wrote:
> 0) Very high process overhead, i.e., each pair
> requires 2 other process for monitoring, and

Considering how small these processes are it's not a real problem on any even remotely modern hardware.

> 1) djb license: i believe the old and good BSD one.

runit and freedt, daemontools replacements, are both in ports.

---
Lars Hansson
Re: OpenBSD website Design.
Siju George wrote:
> Hi,
>
> One of my friends sent me this new OpenBSD website design he created.
> Please have a look at it :-D
>
> http://mayuresh.freeshell.org/openbsd/
>
> Thankyou so much
>
> Kind Regards
>
> Siju

Changing the basic website look isn't something we are going to do lightly. Unfortunately, there are an almost unlimited number of ways to present the content on the front page, and while a lot of those are clearly "bad", that still leaves a lot of very usable, and even very good options. If we switch from one usable solution to another, we'll end up with dozens of people sending us competing solutions to what really isn't a problem at this point.

Someday, perhaps, Theo will say, "I'm tired of this look, I want to do THIS", and boom, things will change, but until then (and after then!), I'd suggest working on the content, rather than the layout.

That's not to say the suggested layout was bad in any way (in fact, I rather like it), but I don't think it solves any problem, and some of us are attached to the current layout. :)

Nick.
Re: Slow connection / route unreachable
On Thu, 08 Sep 2005 11:14:20 -0400, Michel Hubert wrote:
> First there are 2 computers on 2 different networks
>
> Computer1 (10.10.0.2) --- (10.10.0.5) OpenBSD 3.5 router --- (10.10.0.1)
> Novell router (10.0.0.1) --- Computer2 (10.0.0.11)
>
> 10.10.0.0/24 = ethernet
> 10.0.0.0/24 = Token-ring
>
> Computer1 gw=10.10.0.5
> Computer2 gw=10.0.0.1
>
> Novell route packets for 10.10.0.0 from 10.0.0.0 to 10.10.0.5
> OpenBSD router route packets for 10.0.0.0 to 10.10.0.1

I don't understand the setup. Neither do I understand the intentions behind it, though this might explain my question:

(10.10.0.5) OpenBSD 3.5 router --- (10.10.0.1)

How is this a router, with both ends sitting in 10.10.0.0/24? Or is it supposed to be a bridge? But then, it would not have IPs.

Where does this 10.50.0.0 come in, in your drawing?:

> Transfer from Computer1 to Computer2 is very slow... plus alot of
> 09:45:39.755861 10.50.0.1 > 10.10.0.40: icmp: host 10.0.0.11 unreachable
Re: Solaris DTrace on OpenBSD ?
On Thu, 8 Sep 2005, Uwe Dippel wrote:
> Any chance to see it in here; one day ?

if somebody does it..

--
And that's why we've come to you.
Re: ifconfig gem0 lladdr
On Thu, 8 Sep 2005, Troex Nevelin wrote:
> This is not an ARP problem, because i change MAC before bringing up
> network and i tried "arp -da" but it didn't help, as i said NIC begins to work
> only in promiscuous mode

this is a good sign the driver needs to be fixed. (or the chip just can't be given a new mac.)

--
And that's why I won't have sex with you.
Re: superviser daemon
On Thu, 8 Sep 2005, Gustavo Rios wrote:
> Ok, i see! What, then, should i address more?

There is no guarantee that 3rd party code will be included in OpenBSD. Frankly, the odds are against importing random software into base unless it is quite wonderful, but getting software in to ports is somewhat easier.

-d
Re: Solaris DTrace on OpenBSD ?
On Sep 8, 2005, at 7:46 PM, Edd Barrett wrote:
>>> Any chance to see it in here; one day ?
>>
>> No. (CDDL)
>
> how about as a port?

I don't mean this to be inflammatory, but that's a stupid question. If someone writes a yet-to-exist port for some yet-to-exist software, and the quality meets the ports maintainers' expectations, why wouldn't it be accepted (as a port)? That goes for just about any software that is secure and answers a need (and the port isn't crap).

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: superviser daemon
Ok, i see! What, then, should i address more?

Thanks once more.

2005/9/8, Damien Miller <[EMAIL PROTECTED]>:
> On Thu, 8 Sep 2005, Gustavo Rios wrote:
>
> > By using BSD license, would i be able to confidently consider my tools
> > to be included within OBSD?
>
> this is a necessary but by no means sufficient quality.
Re: Solaris DTrace on OpenBSD ?
> > Any chance to see it in here; one day ?
>
> No. (CDDL)

how about as a port?

regards

edd
Re: Guidelines for kern.maxfiles and kern.maxvnodes...
On Thu, 8 Sep 2005, Jeff Ross wrote:
> This morning httpd was failing to deliver files because of a "too many open
> files" error. I'd previously bumped kern.maxfiles from the default 1772 to
> 2048 and kern.maxvnodes from its default 1310 to 2048, so this morning I
> doubled them both to 4096.

You probably have a file descriptor leak. You need to figure out where it is. Look at "man 1 fstat" and use it on the Apache PIDs.

-d
Re: superviser daemon
On Thu, 8 Sep 2005, Gustavo Rios wrote:
> By using BSD license, would i be able to confidently consider my tools
> to be included within OBSD?

this is a necessary but by no means sufficient quality.
superviser daemon
Hey folks,

i am using obsd for a shell server access. For monitoring daemons, i use DJB daemontools. What i dislike about it, is:

0) Very high process overhead, i.e., each pair requires 2 other process for monitoring, and
1) djb license: i believe the old and good BSD one.

So, i decided to come up with my own supervise daemon, with the following features:

0) Only one single process monitoring n pair of process.
1) BSD license style.

Now, i am facing some design consideration, for instance:

Suppose, my supervise process (from now on, svd for short) fork a new daemon, this daemon then sends sigterm to its dad, i.e., my svd process. Is this an acceptable consideration? What would OBSD inetd do, for instance?

By using BSD license, would i be able to confidently consider my tools to be included within OBSD?

thanks for advice.
Re: Guidelines for kern.maxfiles and kern.maxvnodes...
On Thu, 08 Sep 2005 15:05:11 -0600 "Jeff Ross" <[EMAIL PROTECTED]> wrote:
> I posted the following message to misc@ last May 31 but got no
> replies. The problem has gotten worse, even though I've now raised
>
> kern.maxfiles=16384
> kern.maxvnodes=16384.

Don't forget to make sure your login.conf lets apache have as many fds as you think it needs too.

Also, you know your apache better than we do, where are those files going? Use fstat and find out. If it's TCP sockets, then you probably want to turn down apache's keepalive settings so it doesn't hold so many open sockets for such a long time.

> But, I'm just plucking these numbers from air. Can someone point me
> in the general vicinity of a procedure to correctly size these and
> other parameters? This is a moderately busy web server, but its
> load is increasing.

The only person that can point you to the right size for you is you. sysctl kern.nfiles will tell you how many files are open, fstat will let you find out what has them open and why. You will have to figure out from there how many fds you really need, or if something is leaking fds, or just leaving them open too long.

> I saw in the archives that this would be a temporary fix unless I
> brought the file usage pigs under control. In our case this morning,
> the pig was httpd with over 1200 open files. Stopping and restarting
> apache dropped that down to 168, but in the last hour that number had
> already grown to 324. I'm headed to the apache docs to see if I can
> figure out how to keep apache under control, but any pointers there
> would be greatly appreciated, too.

It's not necessarily a temporary fix: if you just need 6000 open files on your system, then raising it above 6000 will solve it. But if something is leaking fds, then it will only delay the problem showing up. If you're sure it's apache using all the fds, then it's just an apache question, not an openbsd question.

There's lots of apache tuning docs out there that should mention turning down or even disabling keepalives to use fewer fds. But you will need to set MaxRequestsPerChild if apache is actually leaking fds (from some module perhaps?).

Adam
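Both Damien's reply (run fstat on the Apache PIDs) and Adam's (find out whether the descriptors are TCP sockets held by keepalive or ordinary files) come down to tallying fstat(1) output per process. This added Python script does that; it is example code, not from the thread, and the sample output is constructed in the fstat column layout of the time (FD column, with a trailing "*" on non-vnode descriptors such as sockets), which is an assumption to check against your own fstat output. The function names and the socket-ratio threshold are also constructed.

```python
from collections import Counter

# Constructed sample in the assumed fstat(1) column layout:
#   USER CMD PID FD MOUNT INUM MODE R/W SZ|DV
# FD entries such as "wd", "root" and "text" are not descriptors; a trailing
# "*" marks a non-vnode descriptor (socket or pipe), which is what a web
# server holding keepalive connections accumulates.
SAMPLE_FSTAT = """\
USER     CMD          PID   FD MOUNT        INUM MODE       R/W    SZ|DV
www      httpd       3012   wd /var/www        2 drwxr-xr-x     r      512
www      httpd       3012    0 /               7 crw-rw-rw-    rw     null
www      httpd       3012    3* internet stream tcp 0xd0c12340 *:80
www      httpd       3012    4* internet stream tcp 0xd0c12380 10.0.0.5:80 <-- 10.0.0.9:40123
www      httpd       3012    5 /var/www     1021 -rw-r--r--     r     4096
www      httpd       3013   wd /var/www        2 drwxr-xr-x     r      512
www      httpd       3013    0 /               7 crw-rw-rw-    rw     null
www      httpd       3013    3* internet stream tcp 0xd0c12340 *:80
www      httpd       3013    4* internet stream tcp 0xd0c12400 10.0.0.5:80 <-- 10.0.0.7:51002
www      httpd       3013    5* internet stream tcp 0xd0c12440 10.0.0.5:80 <-- 10.0.0.7:51003
www      httpd       3013    6* internet stream tcp 0xd0c12480 10.0.0.5:80 <-- 10.0.0.8:33011
www      httpd       3013    7* internet stream tcp 0xd0c124c0 10.0.0.5:80 <-- 10.0.0.8:33012
root     sshd         500    0 /               7 crw-rw-rw-    rw     null
root     sshd         500    3* internet stream tcp 0xd0c10000 *:22
"""


def parse_fstat(text):
    """Per-PID descriptor tally: {pid: {"cmd", "user", "fds", "sockets", "files"}}."""
    usage = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "USER":
            continue
        user, cmd, pid, fd = parts[:4]
        if not pid.isdigit():
            continue
        is_socket = fd.endswith("*")
        if not fd.rstrip("*").isdigit():
            continue  # wd, root, text, ...: not a file descriptor
        entry = usage.setdefault(
            int(pid), {"cmd": cmd, "user": user, "fds": 0, "sockets": 0, "files": 0})
        entry["fds"] += 1
        entry["sockets" if is_socket else "files"] += 1
    return usage


def per_command(usage):
    """Descriptors summed per command name, e.g. all httpd children together."""
    totals = Counter()
    for e in usage.values():
        totals[e["cmd"]] += e["fds"]
    return totals


def top_consumers(usage, n=3):
    """PIDs holding the most descriptors, largest first."""
    return sorted(usage.items(), key=lambda kv: kv[1]["fds"], reverse=True)[:n]


def headroom(usage, maxfiles):
    """Descriptors left before kern.maxfiles is reached, from this snapshot."""
    return maxfiles - sum(e["fds"] for e in usage.values())


def socket_heavy(usage, ratio=0.5):
    """PIDs whose descriptors are mostly sockets (kept-alive connections)
    rather than files. The ratio is an assumed threshold."""
    return [pid for pid, e in usage.items()
            if e["fds"] and e["sockets"] / e["fds"] > ratio]


if __name__ == "__main__":
    usage = parse_fstat(SAMPLE_FSTAT)
    for pid, e in top_consumers(usage):
        print("%-6d %-8s fds=%d sockets=%d files=%d"
              % (pid, e["cmd"], e["fds"], e["sockets"], e["files"]))
    print("per command:", dict(per_command(usage)))
    print("headroom under kern.maxfiles=16384:", headroom(usage, 16384))
    print("socket-heavy PIDs:", socket_heavy(usage))
```

Run it against two snapshots of "fstat" taken some minutes apart: a per-PID count that only grows (with the same PIDs) points at a leak, while a count that rises and falls with traffic is keepalive behaviour to tune in Apache.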
Re: Guidelines for kern.maxfiles and kern.maxvnodes...
fd leak in apache? on one of our reverse proxies we have MaxKeepAliveRequests and MaxRequestsPerChild set so as to make it difficult to leak. This made our proxy go from running out of 4000 fds in a day to averaging about 120 fds in use. From what I've seen it's usually MaxRequestsPerChild that has the biggest effect on leaks, both mem and fd. Your mileage may vary. I wouldn't bother too much about MaxKeepAliveRequests unless you're having a problem in that area.
Re: Guidelines for kern.maxfiles and kern.maxvnodes...
On 9/8/05, Jeff Ross <[EMAIL PROTECTED]> wrote:
> I posted the following message to misc@ last May 31 but got no replies.
> The problem has gotten worse, even though I've now raised
>
> kern.maxfiles=16384
> kern.maxvnodes=16384.
>
> Here is the original message, with a current dmesg and /etc/sysctl.conf:
>
> Hi all,
>
> This morning httpd was failing to deliver files because of a "too many open
> files" error. I'd previously bumped kern.maxfiles from the default 1772 to
> 2048 and kern.maxvnodes from its default 1310 to 2048, so this morning I
> doubled them both to 4096.

fd leak in apache? on one of our reverse proxies we have MaxKeepAliveRequests and MaxRequestsPerChild set so as to make it difficult to leak. This made our proxy go from running out of 4000 fds in a day to averaging about 120 fds in use.

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Guidelines for kern.maxfiles and kern.maxvnodes...
I posted the following message to misc@ last May 31 but got no replies. The problem has gotten worse, even though I've now raised

kern.maxfiles=16384
kern.maxvnodes=16384.

Here is the original message, with a current dmesg and /etc/sysctl.conf:

Hi all,

This morning httpd was failing to deliver files because of a "too many open files" error. I'd previously bumped kern.maxfiles from the default 1772 to 2048 and kern.maxvnodes from its default 1310 to 2048, so this morning I doubled them both to 4096.

But, I'm just plucking these numbers from air. Can someone point me in the general vicinity of a procedure to correctly size these and other parameters? This is a moderately busy web server, but its load is increasing.

I saw in the archives that this would be a temporary fix unless I brought the file usage pigs under control. In our case this morning, the pig was httpd with over 1200 open files. Stopping and restarting apache dropped that down to 168, but in the last hour that number had already grown to 324. I'm headed to the apache docs to see if I can figure out how to keep apache under control, but any pointers there would be greatly appreciated, too.

Thanks,

Jeff Ross

OpenBSD 3.7-current (GENERIC) #1: Fri Jul 15 17:06:01 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
[rest of dmesg omitted]
max preshared key length in isakmpd?
Does anyone know what the max length of the preshared key in the Authentication= field is? A pointer to an IKE RFC would also be nice, if the key size is defined somewhere. Google told me some Ciscos accept up to 48 characters as PSK, but I couldn't find anything more specific.

I'm trying to connect to a wise guy who wants me to use a 140+ character string as PSK. I'm looking for stronger arguments than "that's ridiculous".

Thanks,
Mitja
Pf rule for carp and round-robin
Hi all,

I'm having problems implementing round-robin on a carp interface.

The rule that I have is

rdr on $ext_if proto tcp from any to $carp5 port 80 \
    -> { $web_srvr1, $web_srvr2 } round-robin sticky-address

Does this look correct? It works if I remove:

{ $web_srvr1, $web_srvr2 } round-robin sticky-address

and just have $web_srvr1 or $web_srvr2, but not both.

ext_if is 133.85.19.240 my public IP address.
carp5 is 133.85.19.244

Thank you
Re: ppp over ssh
(pardon, this mail may become a dup)

On Wed 2005.09.07 at 19:27 -0401, yippy ya yah wrote:
> trying to get a ppp tunnel over ssh working

as you've received other replies, i've been using the inetd loopback trick for some time now. yes, as it was noted, ugly. but it was a quick workaround for me which i never took any further 'cause of this pesky thing called time.

funny thing is that the hints are in /etc/ppp/ppp.conf.sample ;) sometimes unplugging from the internet and reading what exists on the disk has a greater return, notably with this OS.

and for the reply about tcp over tcp, sometimes it is a necessary thing depending on what devices you have to get through... (in my case at least)

cheers,
okan
Re: ifconfig gem0 lladdr
On 8 Sep 2005, at 21:10, ober wrote:
> try running arp -da

This is not an ARP problem, because i change MAC before bringing up network and i tried "arp -da" but it didn't help, as i said NIC begins to work only in promiscuous mode

--
born to create future
Troex Nevelin ([EMAIL PROTECTED])
Re: ppp over ssh
On Thursday 08 September 2005 01.28, yippy ya yah wrote:
> trying to get a ppp tunnel over ssh working
>
> server/gateway
> ---
> ip.inet.net.forwarding=1
>
> /etc/ppp/ppp.conf
> vpn:
>  allow mode direct
>  set ifaddr 10.1.1.1 10.1.1.2 255.255.255.255
>
> /etc/sudoers:
> pppuser ALL = NOPASSWD: /usr/sbin/ppp
>
> ~pppuser/.ssh/authorized_keys
> command="sudo /usr/sbin/ppp -direct vpn" key follows
>
> client
> ---
> ip.inet.net.forwarding=1
>
> /etc/ppp/ppp.conf
> vpn:
>  set ifaddr 10.1.1.2 10.1.1.1 255.255.255.255
>  set dial
>  set timeout 3600
>  set device "!env SSH_AUTH_SOCK= ssh -C -c blowfish -i
> /path/to/pppuser.key [EMAIL PROTECTED]"
>
> on the client, i can see tun0 get created and assigned 10.1.1.2, but
> on the gateway, tun0 is created but no ip is assigned. (pf on both
> devices has skip on tun, also disabled pf on both to test)
>
> 10.1.1/24 is not used anywhere in the network.
>
> if i "ssh -C -c blowfish -i pppuser.key [EMAIL PROTECTED]", i can see
> sudo ppp -direct vpn getting launched...
>
> what is the key ingredient i'm missing here to get the gateway to
> assign tun0 10.1.1.1? or rather to get the tunnel up?
>
> both are i386, running the same snapshot:
> OpenBSD 3.8 (GENERIC) #137: Thu Sep 1 17:41:20 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>
> p.s. i'm not subscribed to [EMAIL PROTECTED], so please cc: on replies...
>
> thank you

Hi Mr/Ms/Mrs "yippy ya yah"

Cool name ;-)

I have seen you already have working answers to your question from the list. Good! I only posted this to give you some hints for a hopefully better choice.

A recommendation is to (if possible) not use TCP over TCP. Each layer has its own timer, and a packet loss situation can quickly cause a "meltdown". It will also often be slower. Use a UDP based connection as the carrier session to the upper TCP. One good choice is a UDP configured OpenVPN.

If you are interested you can read more here on Olaf Titz's page...
http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

But you maybe have a very good reason to use SSH...

Thanks
Per-Olov

--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
Re: ifconfig gem0 lladdr
try running arp -da

-Ober

On Thu, 8 Sep 2005, Troex Nevelin wrote:
> I change MAC on current/macppc with "ifconfig gem0 lladdr MAC" and networking stops working. i run tcpdump to see what happens and networking works again while tcpdump is running; if i run "tcpdump -p" network won't work. Looks like after MAC change NIC works only in promiscuous mode. Without MAC change everything works fine.
>
> [demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg]
>
> --
> born to create future
> Troex Nevelin ([EMAIL PROTECTED])
Re: ifconfig gem0 lladdr (dmesg)
OpenBSD 3.8 (GENERIC) #424: Thu Sep 1 20:15:38 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/macppc/compile/GENERIC
[rest of dmesg omitted; the NIC in question:]
gem0 at pci2 dev 15 function 0 "Apple GMAC" rev 0x00: irq 41, address 00:0a:95:eb:cb:e4
bmtphy0 at gem0 phy 0: BCM5221 100baseTX PHY, rev. 4

--
born to create future
Troex Nevelin ([EMAIL PROTECTED])
ifconfig gem0 lladdr
I change MAC on current/macppc with "ifconfig gem0 lladdr MAC" and networking stops working. i run tcpdump to see what happens and networking works again while tcpdump is running; if i run "tcpdump -p" network won't work. Looks like after MAC change NIC works only in promiscuous mode. Without MAC change everything works fine.

[demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg]

--
born to create future
Troex Nevelin ([EMAIL PROTECTED])
Re: isakmpd/x509 - 'default-phase-1-id' required? (user-fqdn)
On Thu, Sep 08, 2005 at 07:25:52AM -0600, jared r r spiegel wrote:

mis-format on the two configs, please split them thus:

> -[peer a]
>
> [general]
> #default-phase-1-id=id1hklocal
>
> [phase 2]
> connections=cx
>
> [id1p54c]
> id-type=user_fqdn
> name= [EMAIL PROTECTED]
>
> [id1hklocal]
> id-type=user_fqdn
> name= [EMAIL PROTECTED]
>
> [cx]
> phase= 2
> isakmp-peer=peerp54c
> configuration= poo
> local-id= id2hklocal
> remote-id= id2p54c
>
> [peerp54c]
> phase= 1
> address=67.50.143.54
> id= id1hklocal
> remote-id= id1p54c
>
> [id2p54c]
> id-type=ipv4_addr
> address=172.16.4.1
>
> [id2hklocal]
> id-type=ipv4_addr
> address=172.16.7.30
>
> [poo]
> exchange_type= quick_mode
> suites= qm-esp-aes-sha2-512-pfs-grp14-suite
>
> -[peer b]
>
> [general]
> #default-phase-1-id=id1p54c
>
> [phase 2]
> Connections=cx
>
> [id1p54c]
> id-type=user_fqdn
> Name= [EMAIL PROTECTED]
>
> [id1hklocal]
> id-type=user_fqdn
> name= [EMAIL PROTECTED]
>
> [cx]
> phase= 2
> isakmp-peer=peerhklocal
> configuration= poo
> local-id= id2p54c
> remote-id= id2hklocal
>
> [peerhklocal]
> phase= 1
> address=67.139.90.84
> id= id1p54c
> remote-id= id1hklocal
>
> [id2p54c]
> id-type=ipv4_addr
> address=172.16.4.1
>
> [id2hklocal]
> id-type=ipv4_addr
> address=172.16.7.30
>
> [poo]
> exchange_type= quick_mode
> suites= qm-esp-aes-sha2-512-pfs-grp14-suite
>
> -
Re: scp Remote -> Remote fails
Roy Morris wrote:
> I know this is not 'exactly' openbsd directly related but
> I'll give it a go anyway. I am trying to copy remote 2
> remote, basically to change the name of a file. It appears
> that the first half of the command works fine but the second
> half gets an authentication failure. I am not sure if this
> was by design or if I am doing something WAY wrong. If anyone
> has time, lemme know.
>
> *Assume the first file already exists and permissions are fine*
>
> scp [EMAIL PROTECTED]:original-file-name [EMAIL PROTECTED]:new-file-name
>
> authlog entries are as follows:
>
> Sep 8 10:10:55 spider sshd[32009]: Accepted password for rmorris from xx.0.xx.33 port 16301 ssh2
> Sep 8 10:10:57 spider sshd[23066]: Failed password for rmorris from xx.0xx.33 port 22851 ssh2

Hi Roy,

I guess scp is working differently from what you expect in this case. If you scp from remote to remote, it tries to directly scp from one remote to the other. This means you have to authenticate your ssh session from [EMAIL PROTECTED] to [EMAIL PROTECTED], in addition to authenticating yourself when you contact somehost from where you are. I can't find this exactly in your authlog (there is a typo anyway), but this is what happened to me when I did something like:

host1$ scp host2:file host3:

ssh [EMAIL PROTECTED] mv original-file-name new-file-name

should work anyway.

Andreas

--
InSecTeam GmbH - www.InSecTeam.de
Your partner for Internet security
An der Foche 9a, D-51503 Rösrath
Andreas Käser, Tel: +49-02205-908883, Fax: +49-2205-910478
mailina frees you from spam and viruses: http://mailina.de
Re: Solaris DTrace on OpenBSD ?
On Sep 8, 2005, at 11:22 AM, Uwe Dippel wrote:
> Just read :DTrace comes to FreeBSD.
> (http://bsd.slashdot.org/article.pl?sid=05/09/08/1217229&tid=102&tid=7&tid=218)

*coming to* and *comes to* are two different things. Devon just started on this, there's no idea how long or if it will ever be completed. More power to him, he's a smart kid.

> Any chance to see it in here; one day ?

No. (CDDL)

> Would be cool ... wouldn't it ?

Perhaps.

> Or do we see licence problems ?

Yup.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: Migration to PF - some questions
Hi Stephan,

> Well, if I suggested to port netfilter to OpenBSD I would most
> probably be killed in seconds. ;)

If you're lucky. ;-)

You might want to check http://openbsd.unixtech.be/books.html and more specifically get a hold of Jacek's book.

HTH...
Nico
Slow connection / route unreachable
Hi,

I'm running 3.5 (will install 3.7 soon) and I got slow transfer on a computer since the last time I rebooted my router.

First there are 2 computers on 2 different networks

Computer1 (10.10.0.2) --- (10.10.0.5) OpenBSD 3.5 router --- (10.10.0.1) Novell router (10.0.0.1) --- Computer2 (10.0.0.11)

10.10.0.0/24 = ethernet
10.0.0.0/24 = Token-ring

Computer1 gw=10.10.0.5
Computer2 gw=10.0.0.1

Novell route packets for 10.10.0.0 from 10.0.0.0 to 10.10.0.5
OpenBSD router route packets for 10.0.0.0 to 10.10.0.1

OpenBSD ifconfig for the interface

bge0: flags=8843 mtu 1500
        address: 00:02:55:67:94:e0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.10.0.5 netmask 0xff00 broadcast 10.10.0.255
        inet6 fe80::202:55ff:fe67:94e0%bge0 prefixlen 64 scopeid 0x2
        inet 10.20.0.1 netmask 0xff00 broadcast 10.20.0.255
        inet 10.25.0.1 netmask 0xff00 broadcast 10.25.0.255
        inet 10.40.0.1 netmask 0xff00 broadcast 10.40.0.255
        inet 10.50.0.1 netmask 0xff00 broadcast 10.50.0.255

This is what I got from OpenBSD router if

09:45:37.688915 10.10.0.40.8471 > 10.0.0.11.1031: P 72462:72691(229) ack 1 win 8192
09:45:37.979583 10.10.0.40.8471 > 10.0.0.11.1031: . 67322:67836(514) ack 1 win 8192
09:45:37.979585 10.10.0.40.8471 > 10.0.0.11.1031: P 67836:68350(514) ack 1 win 8192
09:45:38.569418 10.10.0.40.8471 > 10.0.0.11.1031: . 67322:67836(514) ack 1 win 8192
09:45:38.569420 10.10.0.40.8471 > 10.0.0.11.1031: P 67836:68350(514) ack 1 win 8192
09:45:39.755800 10.10.0.40.8471 > 10.0.0.11.1031: . 67322:67836(514) ack 1 win 8192
09:45:39.755803 10.10.0.40.8471 > 10.0.0.11.1031: P 67836:68350(514) ack 1 win 8192
09:45:39.755861 10.50.0.1 > 10.10.0.40: icmp: host 10.0.0.11 unreachable
09:45:39.755882 10.50.0.1 > 10.10.0.40: icmp: host 10.0.0.11 unreachable
09:45:42.174260 10.10.0.40.8471 > 10.0.0.11.1031: . 67322:67836(514) ack 1 win 8192
09:45:42.174263 10.10.0.40.8471 > 10.0.0.11.1031: P 67836:68350(514) ack 1 win 8192
09:45:42.174309 10.50.0.1 > 10.10.0.40: icmp: host 10.0.0.11 unreachable
09:45:42.174329 10.50.0.1 > 10.10.0.40: icmp: host 10.0.0.11 unreachable

There is no packet lost in
Computer1 to Computer2
Computer2 to Computer1
OpenBSD to Novell (2 ips)

Transfer from Computer1 to Computer2 is very slow... plus alot of
09:45:39.755861 10.50.0.1 > 10.10.0.40: icmp: host 10.0.0.11 unreachable

Looks like the routing is not working fine. Is it because the last subnet to be set up is 10.50.0.1 in ifconfig? Or any other explanation. Is there any work around I may do before I install 3.7?

Regards,

--
Michel Hubert
Network administrator / programmer
La Coop fédérée
tel.: 819-379-8551
fax.: 819-379-0063
Re: Migration to PF - some questions
On 8 Sep 2005, at 16:13, Erik Wikström wrote:

>> # Put this macro at the top
>> if_dmz="xl2"
>> # Later on in the ruleset, deny everything but smtp to the DMZ
>> block in on $if_dmz keep state
>> pass in on $if_dmz from any to 1.2.3.4 port smtp keep state
>
> Wouldn't that block traffic from the SMTP-server and allow traffic
> from the DMZ-net to 1.2.3.4 (which should be on that net)? Should
> it not be like this?
>
> block out on $if_dmz
> pass in on { $if_lan, $if_wan } from any to 1.2.3.4 port smtp keep state

Yes, correct, my bad... Or perhaps this would work also:

block out on $if_dmz keep state
pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp keep state

Maybe that was what I intended to write... :)

Gaby
--
Junkets for bunterish lickspittles since 1998!
[EMAIL PROTECTED]
http://weblog.vanhegan.net
Re: scp Remote -> Remote fails
On 9/8/05, Roy Morris <[EMAIL PROTECTED]> wrote:
> I know this is not 'exactly' openbsd directly related but
> I'll give it a go anyway. I am trying to copy remote 2
> remote, basically to change the name of a file.

If you are working with remote files only, and you know they exist, why not just use something like:

ssh hostname

to run cp? Just a thought...

Mike
Re: Migration to PF - some questions
Stephan A. Rickauer wrote:
> Gaby vanhegan wrote:
>> $if_in="xl0"
>> $if_out="xl1"
>> pass in on $if_in keep state
>> pass out on $if_out keep state
>
> Ok, let's stick to that example. Imagine a firewall having three
> interfaces connecting Internet, LAN and DMZ. When I would like to allow
> SMTP traffic to my mail server in the DMZ, from LAN _and_ Internet,
> where would you filter?
>
> Thanks,

int_if="xl0"
ext_if="xl1"
dmz_if="xl3"
mail_server="192.168.0.1"

pass in on { $int_if, $ext_if } proto tcp from any to $mail_server port smtp keep state
Re: scp Remote -> Remote fails [Solved]
> i think the idea is that src-host has to have pubkey auth to the
> dst-host and make sure src knows dst's hostkey too!
>
> cu

What I did was use sftp with the -b option. As you mention, as long as the public key auth is in place, it all works as expected.

Thanks

Rm
Solaris DTrace on OpenBSD ?
Just read: DTrace comes to FreeBSD.
(http://bsd.slashdot.org/article.pl?sid=05/09/08/1217229&tid=102&tid=7&tid=218)

Any chance to see it in here; one day? Would be cool ... wouldn't it? Or do we see licence problems?

Just asking,
Uwe
Re: Migration to PF - some questions
On 2005-09-08 16:51, Gaby vanhegan wrote:
> On 8 Sep 2005, at 15:32, Stephan A. Rickauer wrote:
>> Gaby vanhegan wrote:
>>> $if_in="xl0"
>>> $if_out="xl1"
>>> pass in on $if_in keep state
>>> pass out on $if_out keep state
>>
>> Ok, let's stick to that example. Imagine a firewall having three
>> interfaces connecting Internet, LAN and DMZ. When I would like to allow
>> SMTP traffic to my mail server in the DMZ, from LAN _and_ Internet,
>> where would you filter?
>
> Just spotted a bug. The first two lines should not have the dollars on them:
>
> if_in="xl0"
> if_out="xl1"
>
> As to your question, much the same as a normal firewall config set, but
> the line you would want is this (assuming your mailserver runs on 1.2.3.4):
>
> # Put this macro at the top
> if_dmz="xl2"
> # Later on in the ruleset, deny everything but smtp to the DMZ
> block in on $if_dmz keep state
> pass in on $if_dmz from any to 1.2.3.4 port smtp keep state

Wouldn't that block traffic from the SMTP-server and allow traffic from the DMZ-net to 1.2.3.4 (which should be on that net)? Should it not be like this?

block out on $if_dmz
pass in on { $if_lan, $if_wan } from any to 1.2.3.4 port smtp keep state

My understanding is that this will first block all traffic to the DMZ-net, and then allow traffic coming from the LAN or Internet to pass to the server 1.2.3.4 (which should be on the DMZ). Since we use keep state the traffic will not be blocked by rule 1. Or is it me who misunderstood things?

--
Erik Wikström
Re: Ethereal 0.10.12
The patch for tethereal(1) is at http://www.linbsd.org/setuid_tethereal.patch

This only works for capture mode. It takes an extra -u option for the user. So create user _ethereal then run

tethereal -Nn -tad -u _ethereal -w foo

or decode the output. Either way this should remove the issue of root. Same can be applied to ethereal for capture. Every other condition of just reading trace files should not be done as root.

I use OpenBSD because on the misc@ and tech@ mailing lists I get to see more *'s-holes than a Turkish Customs Agent.

-Ober

On Thu, 8 Sep 2005, Bruno Rohee wrote:

> On Thu, Sep 08, 2005 at 03:10:41PM +0200, Sebastian .Rother wrote:
>>> surely, but has security improved? does it have privsep? until that
>>> has changed, ethereal will not come back. sorry.
>>>
>>> jakob
>>
>> Then drop all ports!
>> Has Gnome Priv-Sep? hydra? nmap? KDE? xpdf? XMMS? mplayer?
>
> No one remotely sane runs those as root. Another uninformed post of yours.
>
> Capturing traffic by some other means, then analysing it with Ethereal
> under an unprivileged account might be safe; actually capturing and
> analysing traffic with Ethereal is definitely not, given its
> architecture and history of sloppy coding...
Re: scp Remote -> Remote fails
Making, drinking tea and reading an opus magnum from Roy Morris:

> I know this is not 'exactly' openbsd directly related but
> I'll give it a go anyway. I am trying to copy remote 2
> remote, basically to change the name of a file. It appears
> that the first half of the command works fine but the
> second half gets an authentication failure. I am not sure
> if this was by design or if I am doing something WAY
> wrong. If anyone has time, lemme know.
>
> *Assume the first file already exists and permissions are fine*
>
> scp [EMAIL PROTECTED]:original-file-name [EMAIL PROTECTED]:new-file-name
>
> authlog entries are as follows:
> Sep 8 10:10:55 spider sshd[32009]: Accepted password for rmorris from
> xx.0.xx.33 port 16301 ssh2
> Sep 8 10:10:57 spider sshd[23066]: Failed password for rmorris from
> xx.0xx.33 port 22851 ssh2

i think the idea is that src-host has to have pubkey auth to the dst-host and make sure src knows dst's hostkey too!

cu
--
paranoic mickey (my employers have changed but, the name has remained)
Re: Ethereal 0.10.12
> "Bruno" == Bruno Rohee <[EMAIL PROTECTED]> writes:

Bruno> Capturing traffic by some other mean then analysing it with
Bruno> Ethereal under an unprivileged account might be safe,
Bruno> actually capturing an analysing traffic with Ethereal is
Bruno> definitely not, given its architecture and history of sloppy
Bruno> coding...

There is always an option of disabling capturing code with a patch. This will force people to capture with something else. I personally capture with tcpdump and view with Ethereal.

Thanks
Greg
Re: Migration to PF - some questions
From: Stephan A. Rickauer [mailto:[EMAIL PROTECTED]
> Gaby vanhegan wrote:
> > $if_in="xl0"
> > $if_out="xl1"
> > pass in on $if_in keep state
> > pass out on $if_out keep state
>
> Ok, let's stick to that example. Imagine a firewall having three
> interfaces connecting Internet, LAN and DMZ. When I would
> like to allow
> SMTP traffic to my mail server in the DMZ, from LAN _and_ Internet,
> where would you filter?

Look at this netfilter rule again:

iptables -A FORWARD -i in-iface -o out-iface ...

You're simply allowing any traffic which comes in on 'in-iface' and goes out on 'out-iface'. Put simply, by itself all it's doing is allowing traffic to cross interfaces (as someone said before, not originating from the firewall, not destined to the firewall. Contrary to what others said, the FORWARD chain is not for any form of NAT.) Your "..." doesn't say what else you're doing, like passing through the state module, or whatever, but we'll assume you are.

PF allows you to match (filter) on the incoming interface ("pass in on $ifname ..."), and then you need to specify where you are going to allow the traffic to. Depending on your configuration and topology, you can accomplish what you want in more than one way. You will want to read pf.conf(5), and then re-read it, and then go back and re-read the most important parts (to your situation) again. Also read the PF FAQ on www.openbsd.org.

So you have a mail server in the DMZ, and you need to allow access to it from your LAN and from the Internet. If you choose (like many do) to apply your filters on the incoming interface - so that the packet gets dropped before traversing the firewall in the event that it is prohibited communication - you can safely end up with two rules.

pass in on $ext_if proto tcp from any to $smtpsvr port 25 keep state
pass in on $lan_if proto tcp from any to $smtpsvr port 25 keep state

Or you can group interfaces for one rule:

nodmz_ifs = "{" $ext_if $lan_if "}"
pass in on $nodmz_ifs proto tcp from any to $smtpsvr port 25 keep state

Point being, you're not going to find a 1-to-1 mapping for all of your netfilter rules into PF syntax. Rather, you should take the concept of what your netfilter ruleset is accomplishing, and map that into PF. This is real "migration." You will likely end up implementing some rules differently. You could end up with more rules per count, or maybe less.

DS
Re: Migration to PF - some questions
--On 08 September 2005 16:32 +0200, Stephan A. Rickauer wrote:
> $if_in="xl0"
> $if_out="xl1"
> pass in on $if_in keep state
> pass out on $if_out keep state
>
> Ok, let's stick to that example. Imagine a firewall having three
> interfaces connecting Internet, LAN and DMZ. When I would like to allow
> SMTP traffic to my mail server in the DMZ, from LAN _and_ Internet,
> where would you filter?

You don't need to filter on a particular interface. From pf.conf(5):

pf-rule = action [ ( "in" | "out" ) ]
          [ "log" [ "(" logopts ")"] ] [ "quick" ]
          [ "on" ifspec ] [ route ] [ af ] [ protospec ]
          hosts [ filteropt-list ]

The [...] sections are optional. Typically you would use something like,

pass in proto tcp to 11.22.33.44 port 25 flags S/SA keep state
Re: Migration to PF - some questions
On 8 Sep 2005, at 15:32, Stephan A. Rickauer wrote:
> Gaby vanhegan wrote:
>> $if_in="xl0"
>> $if_out="xl1"
>> pass in on $if_in keep state
>> pass out on $if_out keep state
>
> Ok, let's stick to that example. Imagine a firewall having three
> interfaces connecting Internet, LAN and DMZ. When I would like to allow
> SMTP traffic to my mail server in the DMZ, from LAN _and_ Internet,
> where would you filter?

Just spotted a bug. The first two lines should not have the dollars on them:

if_in="xl0"
if_out="xl1"

As to your question, much the same as a normal firewall config set, but the line you would want is this (assuming your mailserver runs on 1.2.3.4):

# Put this macro at the top
if_dmz="xl2"

# Later on in the ruleset, deny everything but smtp to the DMZ
block in on $if_dmz keep state
pass in on $if_dmz from any to 1.2.3.4 port smtp keep state

I reckon. I'm sure I'll be corrected if I'm wrong :)

Gaby
--
Junkets for bunterish lickspittles since 1998!
[EMAIL PROTECTED]
http://weblog.vanhegan.net
Re: Migration to PF - some questions
Gaby vanhegan wrote:
> I came across the problem from the other direction. I found that I
> needed to learn netfilter for use on a FreeBSD box. I grappled with it
> for a couple of hours before finding out that it was quicker and easier
> to build pf into the kernel and use that under FreeBSD. 2 hours of
> faffing versus a 10 minute kernel build. Nice.

Well, if I suggested to port netfilter to OpenBSD I would most probably be killed in seconds. ;)

--
Stephan A. Rickauer
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich
Tel: +41 44 635 30 50
Sek: +41 44 635 30 52
Fax: +41 44 635 30 53
http://www.ini.ethz.ch
Re: Migration to PF - some questions
9/8/2005, "Stephan A. Rickauer" <[EMAIL PROTECTED]> wrote:
>Michał Fuł wrote:
>> I had similar problem few months ago. In my case I used fwbuilder to
>> check how my netfilter rules looks in pf syntax. It was very helpful.
>
>Good that you mention that. I also use fwbuilder to manage my rule sets
>with netfilter. I thought I could simply 'compile' a pf rule set for
>migration but that left me with a broken one. Investigating the issue
>revealed a fundamental difference in the way pf and netfilter work. Now
>I am trying to understand it ;)

In my case the rule set worked after compilation for pf, but my multihomed setup has been broken. Things that are made with iproute under linux need to be rewritten to pf in openbsd. With nat and "keep state". Try to experiment with fwbuilder's different options.

--
Regards,
Michal Ful
Re: Migration to PF - some questions
On 8 Sep 2005, at 15:18, Stephan A. Rickauer wrote:
>> I had similar problem few months ago. In my case I used fwbuilder to
>> check how my netfilter rules looks in pf syntax. It was very helpful.
>
> Good that you mention that. I also use fwbuilder to manage my rule
> sets with netfilter. I thought I could simply 'compile' a pf rule
> set for migration but that left me with a broken one. Investigating
> the issue revealed a fundamental difference in the way pf and
> netfilter work. Now I am trying to understand it ;)

I came across the problem from the other direction. I found that I needed to learn netfilter for use on a FreeBSD box. I grappled with it for a couple of hours before finding out that it was quicker and easier to build pf into the kernel and use that under FreeBSD. 2 hours of faffing versus a 10 minute kernel build. Nice.

Gaby
--
Junkets for bunterish lickspittles since 1998!
[EMAIL PROTECTED]
http://weblog.vanhegan.net
Re: Migration to PF - some questions
Gaby vanhegan wrote:
> $if_in="xl0"
> $if_out="xl1"
> pass in on $if_in keep state
> pass out on $if_out keep state

Ok, let's stick to that example. Imagine a firewall having three interfaces connecting Internet, LAN and DMZ. When I would like to allow SMTP traffic to my mail server in the DMZ, from LAN _and_ Internet, where would you filter?

Thanks,

--
Stephan A. Rickauer
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich
Tel: +41 44 635 30 50
Sek: +41 44 635 30 52
Fax: +41 44 635 30 53
http://www.ini.ethz.ch
Re: Migration to PF - some questions
Michał Fuł wrote:
> I had similar problem few months ago. In my case I used fwbuilder to
> check how my netfilter rules looks in pf syntax. It was very helpful.

Good that you mention that. I also use fwbuilder to manage my rule sets with netfilter. I thought I could simply 'compile' a pf rule set for migration but that left me with a broken one. Investigating the issue revealed a fundamental difference in the way pf and netfilter work. Now I am trying to understand it ;)

--
Stephan A. Rickauer
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich
Tel: +41 44 635 30 50
Sek: +41 44 635 30 52
Fax: +41 44 635 30 53
http://www.ini.ethz.ch
scp Remote -> Remote fails
I know this is not 'exactly' openbsd directly related but I'll give it a go anyway. I am trying to copy remote 2 remote, basically to change the name of a file. It appears that the first half of the command works fine but the second half gets an authentication failure. I am not sure if this was by design or if I am doing something WAY wrong. If anyone has time, lemme know.

*Assume the first file already exists and permissions are fine*

scp [EMAIL PROTECTED]:original-file-name [EMAIL PROTECTED]:new-file-name

authlog entries are as follows:

Sep 8 10:10:55 spider sshd[32009]: Accepted password for rmorris from xx.0.xx.33 port 16301 ssh2
Sep 8 10:10:57 spider sshd[23066]: Failed password for rmorris from xx.0xx.33 port 22851 ssh2
Re: Migration to PF - some questions
On 8 Sep 2005, at 14:55, Stephan A. Rickauer wrote:
> Ok, I'll make it more concrete. If a machine has traffic going over
> two interfaces (router) a netfilter rule would look like this:
>
> iptables -A FORWARD -i in-iface -o out-iface ...
>
> It looks like with pf one achieves that with:
>
> pass in on in-iface ...
> pass out on out-iface ...
>
> Is that basically correct?

Yes, that's all you need. You might want to use:

$if_in="xl0"
$if_out="xl1"
pass in on $if_in keep state
pass out on $if_out keep state

Gaby
--
Junkets for bunterish lickspittles since 1998!
[EMAIL PROTECTED]
http://weblog.vanhegan.net
Re: Migration to PF - some questions
--On 08 September 2005 15:55 +0200, Stephan A. Rickauer wrote:
> Ok, I'll make it more concrete. If a machine has traffic going over
> two interfaces (router) a netfilter rule would look like this:
>
> iptables -A FORWARD -i in-iface -o out-iface ...
>
> It looks like with pf one achieves that with:
>
> pass in on in-iface ...
> pass out on out-iface ...

pass in on in-iface ... keep state
Re: Migration to PF - some questions
9/8/2005, "Stephan A. Rickauer" <[EMAIL PROTECTED]> wrote:
>Thanks to the kind help on this list, my test firewall successfully runs
>OpenBSD 3.7 and is basically configured. I now need to think about
>migrating my existing netfilter rule set to pf and would like to ask
>also some general questions to understand the concept(s) sufficiently.
>
>If I understand correctly, pf has no 'forward' chain like netfilter
>(which is probably by design). I have to admit I've found it pretty
>handy to use forward chains since one does not have to specify IN and
>OUT rules separately. But I don't want to argue about that. The simple
>question is: Does that mean, a netfilter forward rule needs to be
>replaced by two pf rules (in general)?
>
>Thanks,

I had a similar problem a few months ago. In my case I used fwbuilder to check how my netfilter rules look in pf syntax. It was very helpful.

www.fwbuilder.org

--
Regards,
Michal Ful
Re: Migration to PF - some questions
Ok, I'll make it more concrete. If a machine has traffic going over two interfaces (router) a netfilter rule would look like this:

iptables -A FORWARD -i in-iface -o out-iface ...

It looks like with pf one achieves that with:

pass in on in-iface ...
pass out on out-iface ...

Is that basically correct?

Thanks,

--
Stephan A. Rickauer
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich
Tel: +41 44 635 30 50
Sek: +41 44 635 30 52
Fax: +41 44 635 30 53
http://www.ini.ethz.ch
Re: firewall products
--On 08 September 2005 14:53 +0200, Florian wrote:
> ok, squid, but what about POP and SMTP ?

What are you looking for in POP or SMTP proxies?

pop-gw from fwtk might suit your POP requirement, but PF rdr might be equally suitable (especially combined with authpf to give strong authentication, maybe using an easy-to-click putty or cygwin/macosx openssh to make things easy on desktop users).

For smtp, if you just want to pass mail in to e.g. a backend server you don't trust to communicate with public networks, you can just setup sendmail with a mailertable to direct the incoming mail to the backend server, with filtering as appropriate if you need to help guard against content-based attacks.

You also asked about ftp proxies - this suggests a certain lack of research .. (google: openbsd ftp proxy). Have you actually done a test install yet?
Re: Migration to PF - some questions
Hello

On 8 Sep 2005, at 13:55, Stephan A. Rickauer wrote:
>> Thanks to the kind help on this list, my test firewall successfully
>> runs OpenBSD 3.7 and is basically configured. I now need to think
>> about migrating my existing netfilter rule set to pf and would like
>> to ask also some general questions to understand the concept(s)
>> sufficiently.
>>
>> If I understand correctly, pf has no 'forward' chain like netfilter
>> (which is probably by design). I have to admit I've found it pretty
>> handy to use forward chains since one does not have to specify IN
>> and OUT rules separately. But I don't want to argue about that. The
>> simple question is: Does that mean, a netfilter forward rule needs
>> to be replaced by two pf rules (in general)?
>
> Does rdr not provide forward-like functionality in pf? Or is it that
> you want to filter rdr'd connections?

No, I think he doesn't speak of redirections. What he means are packets which travel through the firewall but aren't from or for the firewall.

Yes, you have to define rules for incoming and for outgoing packets (just like it was in ipchains, but there you had also to define rules for forward), but pf is stateful! If you use

pass in on $int from $net to $internet keep state

then the packet is known when it leaves on $ext and you don't need another rule there.

Btw (and that's just my 2 cents) I worked 5 years with ipchains/iptables and started some months ago with pf and I must say I like it, it's easier to understand, simpler to debug and I like the idea of not having a forward chain: Packets just come in and go out. And the logging, the logging is absolutely cool. Nothing else than sniffing on an interface.

guido
Re: Migration to PF - some questions
--On 08 September 2005 14:55 +0200, Stephan A. Rickauer wrote:
> If I understand correctly, pf has no 'forward' chain like netfilter
> (which is probably by design).

I'm guessing at what netfilter 'forward chain' means here since (presumably like many people here) I don't have much need to admin netfilter firewalls... I guess it is different to what 'fwd' means in FreeBSD's ipfw (which is more like rdr in PF)

> since one does not have to specify IN and OUT rules separately.

if you mean what I think you mean, you might want to re-read the 'STATEFUL INSPECTION' section of pf.conf(5) (especially the pp starting 'by default, packets coming in and out...') - there's no need to specify both incoming and outgoing rule for normal traffic passing through a router.
Re: firewall products
Florian wrote:
> ok, squid, but what about POP and SMTP ?

Hmm, Proxy for smtp? What about sendmail, postfix, qmail, etc? Almost every MTA should work as a smtp proxy (i.e. is a smtp proxy)

Proxy for pop? Never used one of them but have you looked at

balance-2.33.tgz
nylon-1.2.tgz
proxy-suite-1.9.tgz
and pop3gwd-1.2.tgz

(I just looked at the packages for tcp proxies and found the above)

Install them on a test system, read the manuals and have a look at google.

guido
isakmpd/x509 - 'default-phase-1-id' required? (user-fqdn)
i've been trying to write an isakmpd.conf for two peers to establish IPsec after using x509 certs for Phase 1. each peer has a copy of the CA cert in /etc/isakmpd/ca, has their own public cert in /etc/isakmpd/certs, and their private key in /etc/isakmpd/private. i used the procedure documented in 3.5's isakmpd(8) because i'm not sure how to get a subjectAltName of a user_fqdn without certpatch yet. all x509s were made by me recently, and there are no other x509 certs/keys in the above dirs other than mentioned. both hosts are current from sep.1 snapshots/i386. isakmpd.policy is just 'authorizer: "POLICY"' on both.

basically everything works great if i put my in a 'default-phase-1-id' line under "[general]", but if i do not use the 'default-phase-1-id', and instead put reference my via 'ID=' in the section, both peers use their own IP address as their phase 1 ID instead of their user_fqdn certificate.

here are the full configs:

-[peer a]
[general]
#default-phase-1-id=id1hklocal

[phase 2]
connections=cx

[id1p54c]
id-type=user_fqdn
name= [EMAIL PROTECTED]

[id1hklocal]
id-type=user_fqdn
name= [EMAIL PROTECTED]

[cx]
phase= 2
isakmp-peer=peerp54c
configuration= poo
local-id= id2hklocal
remote-id= id2p54c

[peerp54c]
phase= 1
address=67.50.143.54
id= id1hklocal
remote-id= id1p54c

[id2p54c]
id-type=ipv4_addr
address=172.16.4.1

[id2hklocal]
id-type=ipv4_addr
address=172.16.7.30

[poo]
exchange_type= quick_mode
suites= qm-esp-aes-sha2-512-pfs-grp14-suite

-
[general]
#default-phase-1-id=id1p54c

[phase 2]
Connections=cx

[id1p54c]
id-type=user_fqdn
Name= [EMAIL PROTECTED]

[id1hklocal]
id-type=user_fqdn
name= [EMAIL PROTECTED]

[cx]
phase= 2
isakmp-peer=peerhklocal
configuration= poo
local-id= id2p54c
remote-id= id2hklocal

[peerhklocal]
phase= 1
address=67.139.90.84
id= id1p54c
remote-id= id1hklocal

[id2p54c]
id-type=ipv4_addr
address=172.16.4.1

[id2hklocal]
id-type=ipv4_addr
address=172.16.7.30

[poo]
exchange_type= quick_mode
suites= qm-esp-aes-sha2-512-pfs-grp14-suite
-

on one of the hosts, it reports "received remote ID other than expected", and the other reports having the remote peer using user_fqdn, but itself using IP_ADDR. this is the case if peer-a is the initiator or if peer-b is the initiator.

---
073427.151804 Mesg 70 MSG_TYPE: INITIAL_CONTACT
073427.152991 Exch 90 exchange_validate: checking for required ID
073427.154109 Exch 90 exchange_validate: checking for required AUTH
073427.155461 Default ike_phase_1_recv_ID: received remote ID other than expected [EMAIL PROTECTED]
073427.156619 Mesg 20 message_free: freeing 0x8b64aa80
---

---
063405.054306 Exch 40 exchange_run: exchange 0x88748300 finished step 5, advancing...
063405.065988 Exch 10 exchange_finalize: 0x88748300 Default-phase-1 Default-phase-1-configuration policy responder phase 1 doi 1 exchange 2 step 6
063405.072617 Exch 10 exchange_finalize: icookie 966027ecedf981b6 rcookie f4b41b4b452b46f0
063405.079576 Exch 10 exchange_finalize: msgid
063405.084959 SA 90 sa_find: no SA matched query
063405.097162 Exch 10 exchange_finalize: phase 1 done: initiator id [EMAIL PROTECTED], responder id 438b5a54: 67.139.90.84, src: 67.139.90.84 dst: 67.50.143.54
---

i put full -dDA=99 -D0=90 up at: http://www.ice-nine.org/jrrs/isakmpd

[ ] output.hklocal        08-Sep-2005 05:47  252k
[ ] output.hklocal.works  08-Sep-2005 06:36  552k
[ ] output.p54c           08-Sep-2005 05:51  162k
[ ] output.p54c.works     08-Sep-2005 06:25  443k

the ones with '*.works' are using the 'default-phase-1-id' in [general], the other two are using 'id=' in the instead.

looks like the output is the same, per host, except on the ".works" one, you can see it say:

--[output.hklocal.works]--
072112.524384 Misc 30 ipsec_responder: phase 1 exchange 2 step 5
072112.524755 Negt 40 ike_phase_1_send_ID: USER_FQDN:
072112.525196 Negt 40 686b6c6f 63616c40 76706e2e 6e6f6465 6c657373 2e6e6574
072112.530235 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//[EMAIL PROTECTED]/credentials"
072112.533600 Cryp 70 cert_cmp:
---

as opposed to:

--[output.hklocal]--
064155.710215 Misc 30 ipsec_responder: phase 1 exchange 2 step 5
064155.712450 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
064155.714199 Negt 40 438b5a54
064155.717882 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//67.139.90.84/credentials"
064155.719676 Cryp 70 x509_hash_find: no certificate matched query
064155.721740 Misc 10 rsa_sig_encode_hash:
Re: firewall products
Thank you everyone
Re: Ethereal 0.10.12 [X-Post, Sorry!]
Sebastian .Rother wrote:
> Jakob Schlyter wrote:
>> On Thu, 8 Sep 2005, Matt Jibson wrote:
>>> I believe that Ethereal has improved greatly since when it was
>>> removed from ports.
>>
>> surely, but has security improved? does it have privsep? until that
>> has changed, ethereal will not come back. sorry.
>>
>> jakob
>
> Then drop all ports!
> Has Gnome Priv-Sep? hydra? nmap? KDE? xpdf? XMMS? mplayer?
>
> If you choose ports because of security and priv.-sep. then you should
> think about dropping most ports and keeping just some (~150?) ports.
>
> Kind regards,
> Sebastian

Sorry, wrong mailinglist! Sorry for the mistake...

Kind regards,
Sebastian
Re: Migration to PF - some questions
Hi,

You can use rdr pass rules so you only have 1 rule setting. I don't know if you can use logging on that rule.

Kind regards

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gaby vanhegan
Sent: Thursday 8 September 2005 15:05
To: misc@openbsd.org
Subject: Re: Migration to PF - some questions

On 8 Sep 2005, at 13:55, Stephan A. Rickauer wrote:
> Thanks to the kind help on this list, my test firewall successfully
> runs OpenBSD 3.7 and is basically configured. I now need to think
> about migrating my existing netfilter rule set to pf and would like
> to ask also some general questions to understand the concept(s)
> sufficiently.
>
> If I understand correctly, pf has no 'forward' chain like netfilter
> (which is probably by design). I have to admit I've found it pretty
> handy to use forward chains since one does not have to specify IN
> and OUT rules separately. But I don't want to argue about that. The
> simple question is: Does that mean, a netfilter forward rule needs
> to be replaced by two pf rules (in general)?

Does rdr not provide forward-like functionality in pf? Or is it that you want to filter rdr'd connections?

Gaby
--
Junkets for bunterish lickspittles since 1998!
[EMAIL PROTECTED]
http://weblog.vanhegan.net
Re: Ethereal 0.10.12
On Thu, Sep 08, 2005 at 03:10:41PM +0200, Sebastian .Rother wrote:
> >
> >surely, but has security improved? does it have privsep? until that
> >has changed, ethereal will not come back. sorry.
> >
> >jakob
> >
> Then drop all ports!
> Has Gnome Priv-Sep? hydra? nmap? KDE? xpdf? XMMS? mplayer?

No one remotely sane runs those as root. Another uninformed post of yours.

Capturing traffic by some other means, then analysing it with Ethereal under an unprivileged account might be safe; actually capturing and analysing traffic with Ethereal is definitely not, given its architecture and history of sloppy coding...
Re: firewall products
We use Postfix to handle incoming and outgoing mail routing (with some cbl's). POP we just use dovecot on our mail server... we don't do anything to proxy it...

On Thu, 8 Sep 2005 14:53:57 +0200 "Florian" <[EMAIL PROTECTED]> wrote:
> ok, squid, but what about POP and SMTP ?
>

--
Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT
p: 860.621.8693
e: [EMAIL PROTECTED]
w. http://www.explosivo.com
Re: Ethereal 0.10.12
Jakob Schlyter wrote:
> On Thu, 8 Sep 2005, Matt Jibson wrote:
>> I believe that Ethereal has improved greatly since when it was removed
>> from ports.
>
> surely, but has security improved? does it have privsep? until that
> has changed, ethereal will not come back. sorry.
>
> jakob

Then drop all ports!
Has Gnome Priv-Sep? hydra? nmap? KDE? xpdf? XMMS? mplayer?

If you choose ports because of security and priv.-sep. then you should think about dropping most ports and keeping just some (~150?) ports.

Kind regards,
Sebastian
Re: Migration to PF - some questions
On 8 Sep 2005, at 13:55, Stephan A. Rickauer wrote:
> Thanks to the kind help on this list, my test firewall successfully
> runs OpenBSD 3.7 and is basically configured. I now need to think
> about migrating my existing netfilter rule set to pf and would like
> to ask also some general questions to understand the concept(s)
> sufficiently.
>
> If I understand correctly, pf has no 'forward' chain like netfilter
> (which is probably by design). I have to admit I've found it pretty
> handy to use forward chains since one does not have to specify IN
> and OUT rules separately. But I don't want to argue about that. The
> simple question is: Does that mean, a netfilter forward rule needs
> to be replaced by two pf rules (in general)?

Does rdr not provide forward-like functionality in pf? Or is it that you want to filter rdr'd connections?

Gaby
--
Junkets for bunterish lickspittles since 1998!
[EMAIL PROTECTED]
http://weblog.vanhegan.net
Re: firewall products
On Thu, Sep 08, 2005 at 02:53:57PM +0200, Florian wrote:
> ok, squid, but what about POP and SMTP ?

spamd(8) is something like a SMTP proxy

reyk

--
/* .vantronix|secure systems - (research & development)
 * reyk floeter - friendly known free software engineer
 * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/ */
Re: OpenBSD website Design.
I like the new design better. Looks better in Lynx too. --ja --
Migration to PF - some questions
Thanks to the kind help on this list, my test firewall successfully runs OpenBSD 3.7 and is basically configured. I now need to think about migrating my existing netfilter rule set to pf and would like to ask also some general questions to understand the concept(s) sufficiently.

If I understand correctly, pf has no 'forward' chain like netfilter (which is probably by design). I have to admit I've found it pretty handy to use forward chains since one does not have to specify IN and OUT rules separately. But I don't want to argue about that. The simple question is: Does that mean, a netfilter forward rule needs to be replaced by two pf rules (in general)?

Thanks,

-- 
Stephan A. Rickauer
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich
Tel: +41 44 635 30 50
Sek: +41 44 635 30 52
Fax: +41 44 635 30 53
http://www.ini.ethz.ch
firewall products
ok, squid, but what about POP and SMTP ?
Re: OpenBSD website Design.
On 9/8/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Quoting Siju George <[EMAIL PROTECTED]>:
>
>> Hi,
>>
>> One of my friends sent me this new OpenBSD website design he created.
>> Please have a look at it :-D
>>
>> http://mayuresh.freeshell.org/openbsd/
>>
>> Thank you so much
>>
>> Kind Regards
>>
>> Siju
>
> It's clean and far more viewable in (e)links.
> I would change the page if it were mine, but I'm afraid
> people are not willing to change it.
>

A while back he sent me this

> BTW, people can get the entire archive from
> http://mayuresh.freeshell.org/newsite.tgz

Thank you so much :-)

kind regards

Siju
procmail DROPPRIVS and relaydb
I'm using a spam blocking setup utilizing procmail, relaydb, spamd-setup and pf. The problem is that if I specify DROPPRIVS in my /etc/procmailrc:

    DROPPRIVS=yes

    :0fw
    | /usr/local/bin/spamc

    :0c
    * ^X-Spam-Status: Yes
    | /usr/local/bin/relaydb -b

    :0:
    * ^X-Spam-Status: Yes
    in-x-spam

    :0c
    | /usr/local/bin/relaydb -w

then relaydb seems to create a .relaydb for the user that the mail was delivered for, so that when spamd-setup is called (which uses relaydb as one of its inputs) it doesn't find any of them because it's run as root.

Now obviously I could just get rid of DROPPRIVS but spamd doesn't seem to like this:

    Sep 8 11:07:37 bollo spamd[4493]: info: setuid to root succeeded
    Sep 8 11:07:37 bollo spamd[4493]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody.

and it's obviously not ideal from a security standpoint. So my question is: does anybody have any solutions or suggestions on how to work around this?

Many thanks.

Simon

-- 
I am the mother of all things, and all things should wear a sweater.
Re: ppp over ssh
Recompiling sshd with includes.h:#define USE_PIPES 1 removed would also help. I think it's better to fix ppp(8).
Re: firewall products
squid

-----Original Message-----
From: Florian [mailto:[EMAIL PROTECTED]]
Sent: donderdag 8 september 2005 11:49
To: misc@openbsd.org
Subject: firewall products

good morning

i'll have to build a complete firewall solution with OpenBSD. which products do you prefer for security proxy integration for HTTP, FTP, POP, SMTP and GENERIC ?

Thanks for answers

florian
firewall products
good morning

i'll have to build a complete firewall solution with OpenBSD. which products do you prefer for security proxy integration for HTTP, FTP, POP, SMTP and GENERIC ?

Thanks for answers

florian
Re: OpenBSD website Design.
Quoting Siju George <[EMAIL PROTECTED]>:

> Hi,
>
> One of my friends sent me this new OpenBSD website design he created.
> Please have a look at it :-D
>
> http://mayuresh.freeshell.org/openbsd/
>
> Thank you so much
>
> Kind Regards
>
> Siju
>

It's clean and far more viewable in (e)links.
I would change the page if it were mine, but I'm afraid people are not willing to change it.
Re: OpenBSD website Design.
On 09/08/05 06:29, Bruno S. Delbono wrote:
> Siju George wrote:
>> Hi,
>>
>> One of my friends sent me this new OpenBSD website design he created.
>> Please have a look at it :-D
>>
>> http://mayuresh.freeshell.org/openbsd/
>
> Fresh and neat. I like it.

Very well structured. A linear setup so people can read without distractions from beginning to the end, this will avoid stupid questions.

Missing the "search" option, could be at the end, if you haven't found it in the text you can try that one, or at the beginning so people who know the page don't have to scroll.

More color/pictures needed to win people for it...

+++chefren
The message sent to Apc.lac is awaiting moderator approval
The message you sent to the list 'Apc.lac' with the subject: (no subject) has been held until the list moderator reviews and approves it. It was held because: Message addressed to a private list from an address that does not belong to the list. Either the message will be sent to the list or you will be sent a notification with the moderator's decision. If you wish to cancel this posting, you can do so at the following URL: http://listas.laneta.apc.org/mailman/confirm/apc.lac/993411270cd64f74bad21638ba9e9e0056527f97
Re: ppp over ssh
On Wed, Sep 07, 2005 at 07:27:24PM -0401, yippy ya yah wrote:
> trying to get a ppp tunnel over ssh working
>
> server/gateway
> ---
> ip.inet.net.forwarding=1
>
> /etc/ppp/ppp.conf
> vpn:
>  allow mode direct
>  set ifaddr 10.1.1.1 10.1.1.2 255.255.255.255
>
> /etc/sudoers:
> pppuser ALL = NOPASSWD: /usr/sbin/ppp
>
> ~pppuser/.ssh/authorized_keys
> command="sudo /usr/sbin/ppp -direct vpn" key follows
>
> client
> ---
> ip.inet.net.forwarding=1
>
> /etc/ppp/ppp.conf
> vpn:
>  set ifaddr 10.1.1.2 10.1.1.1 255.255.255.255
>  set dial
>  set timeout 3600
>  set device "!env SSH_AUTH_SOCK= ssh -C -c blowfish -i /path/to/pppuser.key [EMAIL PROTECTED]"
>
> on the client, i can see tun0 get created and assigned 10.1.1.2, but
> on the gateway, tun0 is created but no ip is assigned. (pf on both
> devices has skip on tun, also disabled pf on both to test)
>
> 10.1.1/24 is not used anywhere in the network.
>
> if i "ssh -C -c blowfish -i pppuser.key [EMAIL PROTECTED]", i can see
> sudo ppp -direct vpn getting launched...
>
> what is the key ingredient i'm missing here to get the gateway to
> assign tun0 10.1.1.1? or rather to get the tunnel up?
>
> both are i386, running the same snapshot:
> OpenBSD 3.8 (GENERIC) #137: Thu Sep 1 17:41:20 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>
> p.s. i'm not subscribed to [EMAIL PROTECTED], so please cc: on replies...
>

imho, 'ppp -direct' expects that descriptor 0 is a socket (used for both input and output). But ssh(1) uses two descriptors: descriptor 0 (stdin) for input only and descriptor 1 (stdout) for output only. Thus if ppp(8) is launched by ssh(1), its output will be silently discarded. Have I missed something?

There is an ugly workaround: on the server side, add an entry for ppp(8) in inetd.conf(5), like:

    127.0.0.1:6669 stream tcp nowait root /usr/sbin/ppp ppp -unit0 -direct vpn

and restart inetd.

On the client side, set the device in ppp.conf(8) to "127.0.0.1:6669/tcp" and finally use ssh just for port forwarding. Example:

    ssh -N -f -L 6669:127.0.0.1:6669 [EMAIL PROTECTED]
    ppp vpn

Let me know if you find a more elegant solution.

-- 
Alexandre
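A constructed Python model of the descriptor problem Alexandre describes, added here and not code from the thread, from ppp(8) or from ssh(1): a daemon that answers through descriptor 0 is run once with an inetd-style socketpair and once with an ssh-style pipe. The request bytes and the function names are made up for the demonstration.

```python
import errno
import fcntl
import os
import socket
import stat

# Constructed model (not code from the thread, ppp(8) or ssh(1)) of a daemon
# that, like "ppp -direct", talks through descriptor 0 in both directions.
O_ACCMODE = getattr(os, "O_ACCMODE", 3)   # mask selecting the open-mode bits

def access_mode(fd):
    """Return 'r', 'w' or 'rw' according to how fd was opened."""
    mode = fcntl.fcntl(fd, fcntl.F_GETFL) & O_ACCMODE
    return {os.O_RDONLY: "r", os.O_WRONLY: "w", os.O_RDWR: "rw"}[mode]

def inetd_style_fd(fd):
    """True if fd is what inetd hands a 'stream' service: a socket open
    read/write, so one descriptor carries both directions."""
    return stat.S_ISSOCK(os.fstat(fd).st_mode) and access_mode(fd) == "rw"

def daemon_answer(fd, request):
    """Read the peer's request from fd and send the reply back through the
    same fd; None when fd cannot carry output (EBADF on a pipe's read end)."""
    reply = b"ACK:" + os.read(fd, len(request))
    try:
        os.write(fd, reply)
    except OSError as e:
        if e.errno == errno.EBADF:
            return None
        raise
    return reply

def run_inetd_style(request=b"LCP-CONFREQ"):
    """inetd launch: one socket, so the reply reaches the peer."""
    peer, daemon = socket.socketpair()
    peer.sendall(request)
    layout = inetd_style_fd(daemon.fileno())
    sent = daemon_answer(daemon.fileno(), request)
    got = peer.recv(64)
    for s in (peer, daemon): s.close()
    return layout, sent, got

def run_ssh_style(request=b"LCP-CONFREQ"):
    """ssh launch: stdin is a pipe's read end, so writes to descriptor 0 fail."""
    stdin_r, stdin_w = os.pipe()
    os.write(stdin_w, request)
    layout = inetd_style_fd(stdin_r)
    sent = daemon_answer(stdin_r, request)
    for fd in (stdin_r, stdin_w): os.close(fd)
    return layout, sent
```

The inetd case returns the acknowledgement on both sides; the ssh case returns None because the read end of the stdin pipe is not open for writing, which is the output that ppp -direct silently loses.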