compiling Snort(Sam) Plugin

[Florian]

Hi

When compiling snort after the patching the source I get following error:


plugbase.o(.text+0x5ea): In function `InitOutputPlugins':
/root/snort-2.4.1/src/plugbase.c:595: undefined reference to
`AlertFWsamSetup'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /root/snort-2.4.1/src (line 295 of Makefile).
*** Error code 1

Stop in /root/snort-2.4.1/src (line 334 of Makefile).
*** Error code 1

Stop in /root/snort-2.4.1 (line 303 of Makefile).
*** Error code 1

Stop in /root/snort-2.4.1 (line 180 of Makefile).


Without the patch it is no problem :-(
Any ideas ?
Thanks for help

PS.: OpenBSD 3.6, Snort 2.4.1, SnortSam 2.40

Catching WINCH signal during sleep...

[Andreas Kahari]

Hi,

I'm running the following simple test script:

#!/bin/ksh -x

trap 'eval $(resize)' WINCH

while true; do
sleep 10
done

What I'm noticing is that the WINCH signal action is not actually
carried out until at the end of the sleep, should the signal be sent
during the sleep period.

I'm wondering if this is the behaviour I should expect or not.  I
initially expected the signal to interrupt the sleep.  The SUSv3
documentation for the sleep(1) utility says The sleep utility shall
take the standard action for all other signals [other than ALRM].
(for the ALRM signal, there is a number of things that could happen,
which is not interesting right now).

(the WINCH signal is delivered when the terminal window changes size)

Any thoughts?

Regards,
Andreas

-- 
Andreas Kahari

Re: Catching WINCH signal during sleep...

[Damien Miller]

Andreas Kahari wrote:

(the WINCH signal is delivered when the terminal window changes size)


SIGWINCH is ignored by default, otherwise your sleep(1) would exit if
you changed the size of your xterm. See signal(3) for the full list.

So it is doing the right thing wrt your quote of SUSv3:


The SUSv3
documentation for the sleep(1) utility says The sleep utility shall
take the standard action for all other signals [other than ALRM].


-d

Re: Catching WINCH signal during sleep...

[Andreas Kahari]

On 19/09/05, Damien Miller [EMAIL PROTECTED] wrote:
 Andreas Kahari wrote:
  (the WINCH signal is delivered when the terminal window changes size)
 
 SIGWINCH is ignored by default, otherwise your sleep(1) would exit if
 you changed the size of your xterm. See signal(3) for the full list.

Ok, so sleep(1) is explicitly ignoring the signal.  Can I get it be
interrupted by the signal instead?  No, maybe that won't solve my
problem because the installed handler ('eval $(resize)') wouldn't be
run, I guess.
 
 So it is doing the right thing wrt your quote of SUSv3:

Yes, that's probably right.  I'll work around it somehow.

Thanks,
Andreas


-- 
Andreas Kahari

Re: ftp-proxy(8) and pf question

[Stephan A. Rickauer]

Hi,

Matt Rowley wrote:
As far as I know, this only applies to _active_ ftp, about which I am 
not concerned at the moment.



Ah yes... that's what I get for doing e-mail at 6am.  :-/


no bother.


Your problem description seems to imply that you have a block out all and
that you're only allowing selet outbound traffic.  In which case you would


Yes, that is true.


need to either open (for outbound, stateful traffic) all the ephemeral ports


that is what I was afraid of. To be honest, I would not like to do that.

that ftp-proxy uses for outbound stateful traffic, or you could probably 
reverse the rule I gave you and do pass out from user proxy keep state.


The problem here (at least to my understanding) is that not the proxy 
tries to handle all the connections, but the client still needs to 
contact the ftp server directly. This seems different to how 'frox' 
works, for example, where the client actually established one connection 
to the proxy and anything else is then done by the proxy exclusively.


One workaround I was thinking of is to use a pf-route-to rule to route 
all ftp traffic to a separate frox server. However, I thought there must 
be a way seting up a transparent ftp proxy with native openbsd tools...


Thanks,

--

 Stephan A. Rickauer

 
 Institut f|r Neuroinformatik
 Universitdt / ETH Z|rich
 Winterthurerstriasse 190
 CH-8057 Z|rich

 Tel: +41 44 635 30 50
 Sek: +41 44 635 30 52
 Fax: +41 44 635 30 53

 http://www.ini.ethz.ch
 

Re: Device not configured (APM, sound, modem)

[Jan Johansson]

Z L [EMAIL PROTECTED] wrote:
 For APM I
 tried to set the apmd_flags=YES in rc.conf. For sound and modem I
 tried the things that are described in the FAQ and manpages.

Correct usage is

apmd_flags=

or with some valid flags between the 

apmd_flags=-q

YES is for binary options like

pf=YES

pOf

[Steve Murdoch]

Is there any way of limiting access to pptpd from pocket pc clients ?

I cant find any fingerprints for pocket pc in pf.os ?



Steve

snort / promiscuous mode

[Sean Kiewiet]

Hey all:



OBSD3.7

SNORT2.3.3



I have a machine with 4 nics running 4 instances of snort:





/usr/local/bin/snort -u sguil -g sguil -l /nsm/em0 -c
/etc/snort/em0.snort.conf -U -A none -m 122 -i em0 -D



/usr/local/bin/snort -u sguil -g sguil -l /nsm/em1 -c
/etc/snort/em1.snort.conf -U -A none -m 122 -i em1 -D



/usr/local/bin/snort -u sguil -g sguil -l /nsm/em2 -c
/etc/snort/em2.snort.conf -U -A none -m 122 -i em2 -D



/usr/local/bin/snort -u sguil -g sguil -l /nsm/em3 -c
/etc/snort/em3.snort.conf -U -A none -m 122 -i em3 -D





One of the 4 nics has an ip address, the others do not.

When I start up the 4 instances of snort, the nic (em0) with the ip
address shows up in promiscuous mode, the others do not.



# ifconfig -a

lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33224

inet 127.0.0.1 netmask 0xff00

inet6 ::1 prefixlen 128

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8

em0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500

address: 00:04:23:bd:ab:d6

media: Ethernet autoselect (1000baseT full-duplex)

status: active

inet 10.1.1.3 netmask 0xff00 broadcast 10.1.1.255

inet6 fe80::204:23ff:febd:abd6%em0 prefixlen 64 scopeid 0x1

em1: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500

address: 00:04:23:bd:ab:d7

media: Ethernet autoselect (1000baseT full-duplex)

status: active

em2: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500

address: 00:14:22:0f:84:2b

media: Ethernet autoselect (1000baseT full-duplex)

status: active

em3: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500

address: 00:14:22:0f:84:2c

media: Ethernet autoselect (100baseTX full-duplex)

status: active

pflog0: flags=0 mtu 33224

pfsync0: flags=0 mtu 2020

enc0: flags=0 mtu 1536

#



How do I get the other 3 ip-less nics to run in promiscuous mode in
OBSD?



Any help would be appreciated.



Sean

PF ALTQ

[Raphael Brunner]

Hi @ all,

I try to limit the Bandwidth on my OpenBSD 3.7 (Release). But there is 
something wrong. 

On my box run a ftp-server (10.0.0.1) without proxy. 

and I try to copy from/to it from 10.0.0.20 via FTP

The traffic walk through the rules (log with tcpdump...), but there isn't a 
limit of the inbound-Traffic. If I add keep state to it, then there is a 
limit, but not the right (about factor 5 wrong).

Does anyone know this problem? Or know anything else to try?

my pf.conf looks like this

Thanks a lot and have a nice evening...
Raphy

# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.


# Aliases werden erzeugt

# Netzwerkkarten
ext_if=rl1
int_if=rl0
dmz_if=vr0

# Sub-Netzwerke
ext_net=192.168.1.0/8
int_net=10.0.0.0/8
dmz_net=172.16.0.0/8

# Rechner-IP's
int_ip_modem=192.168.1.1
ext_ip_mickey=192.168.1.2
int_ip_mickey=10.0.0.1
dmz_ip_mickey=172.16.0.1
dmz_ip_www=172.16.0.2
dmz_port_www=80


#table spamd persist
#table spamd-white persist


# einige Definitionen
set limit { states 1, frags 5000 }
set block-policy drop

# Pakete zusammenbauen
scrub in on {$ext_if,$dmz_if} all fragment reassemble 

# Bandwidth Control

# LAN-Interface
altq on $int_if cbq bandwidth 100Mb queue {lan_in, lan_out}
queue lan_in bandwidth 50% cbq {lan_misc_in, ftp_lan_in, ssh_lan_in}
queue lan_misc_in bandwidth 50Kb cbq
queue ftp_lan_in bandwidth 1Mb cbq
queue ssh_lan_in bandwidth 50Kb priority 7 cbq
queue lan_out bandwidth 50% cbq {lan_misc_out, ftp_lan_out, ssh_lan_out}
queue lan_misc_out bandwidth 50Kb cbq(default)
queue ftp_lan_out bandwidth 2Mb cbq
queue ssh_lan_out bandwidth 8Mb priority 7 cbq


# NAT Regeln
nat on $ext_if from !($ext_if) - ($ext_if:0)


# Redirect-Rules...

#rdr pass on $int_if proto tcp to port ftp - 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from spamd to port smtp \
# - 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !spamd-white to port smtp \
# - 127.0.0.1 port spamd


# fuer WWW-Server
#rdr on $ext_if proto {tcp,udp} from any to port $dmz_port_www - #$dmz_ip_www 
port $dmz_port_www


# Firewall-Rules

# Base-Rules
block drop in log all
block drop out log all

pass quick on { lo lo0 }
antispoof quick for { lo lo0 $ext_if $int_if $dmz_if }

# ***
# the LAN

# inbound
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port {20, 21} 
queue ftp_lan_in # FTP
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port 22 queue 
ssh_lan_in # SSH

# outbound
pass out on $int_if proto tcp from $int_ip_mickey port {20,21} to $int_net 
queue ftp_lan_out # FTP
pass out on $int_if proto tcp from $int_ip_mickey port 22 to $int_net queue 
ssh_lan_out # SSH

Re: Live dc

[Andreas Bihlmaier]

 I want to thank all of you who replied on my previous mail about the live
 cd. I've seen many of those links you sent me which talk on how you can
 create a live cd. I would have done it my self but unfortunatelly I cant due
 to tech reasons right now. Also I dont know if it would have been good since
 i am an openbsd noob ! As i said I study at the American College of Greece
 and the head of dept agreed to use obsd for the teaching of unix instead of
 the crapy linux and asked me to get it to him. So if someone can create this
 live cd and upload it on the web just to download it and dist to all college
 I would really apriciate it. I know that time is precious for everybody so
 if noone can do it I will understand. But if you can you will help openbsd
 grow not only in many ppl but in the educational system of c.i.s as well.
 Thank you all very much again !
 
 Best Regards
 Alex

Okay here is my own REAL EASY Step-by-Step howto for an OpenBSD live CD

Sorry for the possible bad english, my english is not the best at 2am, but I
wanted to help you quick.
The original (much better) How-To is in German, thus if you can speak German I
could mail you the much better version.
(If anybody is interested in a Live CD I could also translate it 1 : 1 )
Since I really love to show off my OpenBSD Live CD to friends.

anti_flame_request
IMHO Knoppix sucks compared to an OpenBSD live cd
/anti_flame_request

(If you can't understand something just ASK and I will answer ASAP because I'm
just to darn tired to even READ through it again)

Here we go:


The easy way (don't even ask for the complicated way):


NOTE YOU NEED TO ADJUST THE SIZE OF THE MFS PARTITIONS TO YOUR NEEDS!


You need a current system with the right (current) source code for it.
Best thing is to make a release
man 8 release

Grab a virgin harddrive and put it into a spare i386 box, install openbsd onto
this harddrive. 
DON'T make Partitions (actually you could BUT IMHO it makes everything much more
complicated )

Configure it ( with X, packages, configs ) the way it should
boot from the CD later on. Although you COULD use a DVD as medium, I would
RECOMMEND you not to get over the size of a normal CD for the complete install.

Once you have the System exactly the way you want it to be read on:

Rip the harddrive out of the test box and put it into another box ( with cd/dvd
burner ). Mount the drive somewhere and tar it up
cd /mnt/  tar pczf ~/livecd_root.tar.gz *


Create a directory, this will be the root directory on the CD.
# Of course you need a large enough /usr/ Partition
mkdir -p /usr/livecd/backups/dev


Untar the Stuff into the above livecd directory.
cd /usr/livecd  tar pxzf ~/livecd_root.tar.gz


We need some backup directories that will be used later
cp -pR /usr/livecd/{var,etc,root,home} /usr/livecd/backups/
cp -pR /usr/livecd/dev/MAKEDEV /usr/livecd/backups/dev/

We need MFS partitions in order to be able to make config changes ...
the content of the backup directories will be copied into them.
For this purpose we use a modified etc/rc script

--- /usr/livecd/etc/rc -
# ...
# After:rm -f /fastboot # XXX (root 
now writeable)

echo 'mounting mfs'
mount_mfs -s 51200 -o async,nosuid,nodev,noatime swap /var
mount_mfs -i 4096 -s 6144 -o async,nosuid,nodev,noatime swap /etc
mount_mfs -i 128 -s 2048 -o async,noatime swap /dev
mount_mfs -s 6144 -o async,nosuid,nodev,noatime swap /tmp
mount_mfs -s 8192 -o async,nosuid,nodev,noatime swap /home
mount_mfs -s 8192 -o async,nosuid,nodev,noatime swap /root
sleep 2
echo -n 'copying files: var '
cp -pR /backups/var/* /var
echo -n 'etc '
cp -pR /backups/etc/* /etc
echo -n 'dev '
cp -pR /backups/dev/* /dev
echo -n 'home '
cp -pR /backups/home/* /home
echo 'root' 
cp -pR /backups/root/.[a-z]* /root
echo 'creating device nodes'
cd /dev  sh MAKEDEV all

# ...
# After:if [ -f 
/sbin/kbd -a -f /etc/kbdtype ]; then

# We need a root Password
echo 'Need to set a root password'
passwd




We need some basic devices (just create all) on the temporary boot /dev
cd /usr/livecd/dev  ./MAKEDEV all


Now we create the custom kernel (not much customization!)

cd /usr/src/sys/arch/i386/conf
mv RAMDISK_CD RAMDISK_CD.old  cp GENERIC RAMDISK_CD 


--- /usr/src/sys/$arch/conf/RAMDISK_CD -
...
# config bsd swap generic- was commented OUT!
option  RAMDISK_HOOKS
option  MINIROOTSIZE=3800
config  bsd root on cd0a
...



Compile the new RAMDISK kernel
config RAMDISK_CD  cd ../compile/RAMDISK_CD/  make clean  make depend \
 make

Copy the new ramdisk kernel to the livecd folder:
cp bsd /usr/livecd

We need to patch the Makefile.inc
NOTE:
YOU JUST NEED TO FIND THE 

Re: PF performance question

[jared r r spiegel]

On Mon, Sep 19, 2005 at 03:13:33PM -0300, Vinicius Pavanelli Vianna wrote:
 
 I tried to disable pf (pfctl -d) and it continues to loss packets
...
 The count on in and out are different because the pf is blocking some
 packets 

  (?)

  those seem to contradict one another., just a typo?

 didn't resolve the packet lost i begin to suspect something on the
 bridge code, as i don't see any error on the interface.

  welp.. you could turn the bridge off and then run binat in pf, or
  perhaps split the subnet.  
  
  i could see two ways to do this, one being kinda hackish and perhaps
  outright wrong, but i believe either would work.

1) hackish:

  ( this would work, but involves a lot of ugly crap and proxy-arp,
so i decided to not even bring it up because i don't want people
to yell and puke at me ).

2) assuming the ISP and you have both chosen IPs from the beginning
  of the subnet, have your ISP change their iface to you to be a /26 instead of
  a /25.  so, if they're .1/25, ask them to be .1/26.  then change
  the subnet mask on your end to match a /26 also ( 255.255.255.192 ).
  so assume you're 200.xx.xx.2 netmask 0xffc0; have them now
  static route 200.xx.xx.64/26 to 200.xx.xx.2.

  if you and the ISP are high IPs, ( eg, .125, .126 ), sure, doesn't
  matter, just make sure you're both in the same subnet, and then in 
  the next paragraph, use the lower subnet for the lan instead of the
  higher:

  this will make it so that you still get what amounts to the same /25,
  but can put the lower /26 on the external iface and the upper /26 
  on your internal iface.  so then take an IP from the .64/26 and put
  it on the internal em(4) card, renumber any hosts behind that as
  needed, and try to see if you still have the same packet loss
  ( assuming you have changed nothing thus far other than the IP 
  subnetting ).

  if you have the IPs setup that way, you can remove the bridge
  from existance and rely on normal net.inet.ip.forwarding=1.

 but the big problem is that some packets doesn't get even on the
 interface, my setup is like add em0 add em1 up on bridgename.bridge0

  i checked the thread again but didn't see it mentioned.

  where are you losing the packets? 

  are you losing packets on the link between ISP-You or You-YourLan ?

  if you're losing them on ISP-You, is that to the other end of the
  external iface, ( eg, whatever you put for a default gateway on your
  bridge box, their end of your /25 ) or to some other host beyond that?
 
 i also enabled STP as my ISP told me it would help
 their redundancy.

  STP on a bridge seems like a Good Thing, but i don't think the ISP
  side of it is going to matter much...  i mean..  if they require 
  people to have the customer side of the link be either A) one single
  host or B) something running spanning tree, then yeah, it seems logical,
  but if not (eg - they do not make a certain requirement of what you attach
  to their link), i would wager that spanning tree is not going to be part
  of the solution to your problem.  in other words, if they're not
  running STP-aware bridges between the interface that is their side of your
  /25 and the cable hitting your side of your /25, you running spanning 
  tree isn't going to mean dick for them.

  for now, the check autoneg/speed-duplex settings seems to be a 
  good place to start.  make each physical link agree (autoneg or forced)
  on both ends, if they don't already.

  if that doesn't pan out, consider trying the 1x/25- 2x/26 thing i mention
  above.

ps - given the dmesg you showed, the performance of pf is likely to not
  be part of the question.  smells like something else is happening here.

  jared

--

[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]

Re: Wireless Strangeness

[Alex Kirk]

First, I apologize for the delay -- I had a very long, hectic day at work.
Meanwhile, thank you for replying. 

  wi0 at pci0 dev 12 function 0 National Datacomm Corp NCP130 Rev A2 rev
  0x01: irq 9 wi0: PRISM2 HWB3163 rev.B, Firmware 0.3.0 (primary), 1.7.1
  (station), address 00:80:c6:e3:72:2c
 
 It's ancient but it should work.

It was the most current I could find for this particular chipset. If you know of
any more modern versions that are supported for this card, I'll happily install
them. :-)

  ...my wireless configuration:
 
 No obvious problem there.

Glad to see I'm not totally brain-dead.

  Meanwhile, running tcpdump -n -i wi0 gives me absolutely zip on the
  OpenBSD host system, and the dhcpd that's listening there is getting no
  requests whatsoever.
 
 Tcpdump is not your friend here. 
 
 I suspect the problem lies in a crucial file you did not tell us anything 
 about, your hostname.wi0. Use this:
 
 inet 192.168.1.42 255.255.255.0 NONE nwid kirknet mediaopt hostap
 
 (also, don't use non-alphanumeric characters in your nwid)

This file did not exist. I created it exactly as above and rebooted the machine,
and still had no luck getting my XP client to connect (the Mac system is
currently unavailable).

 Restart the machine and if your clients still can't connect put the wireless
 interface into debug mode:
 
 ifconfig wi0 debug
 
 And send us the wi driver's debug output, your hostname.wi0, and a full dmesg 
 in addition to wicontrol and ifconfig output.

Certainly, here you go:

debug output (taken from /var/log/messages, I'll supply other info on demand if
it exists):
Sep 19 20:10:59 shorty /bsd: wihap_shutdown: sc=0xd0816000 whi=0xd0816fa8
Sep 19 20:10:59 shorty /bsd: Sending disassoc to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending deauth to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending disassoc to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending deauth to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending disassoc to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending deauth to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending disassoc to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending deauth to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending disassoc to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: Sending deauth to sta ff:ff:ff:ff:ff:ff
Sep 19 20:10:59 shorty /bsd: wihap_init: sc=0xd0816000 whi=0xd0816fa8
Sep 19 20:11:00 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:10 shorty last message repeated 47 times
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:10 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:11 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:12 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:11:12 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:11:43 shorty last message repeated 147 times
Sep 19 20:12:29 shorty last message repeated 217 times
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:e0:98:db:02:52
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS src=00:04:23:4b:38:fd
Sep 19 20:12:30 shorty /bsd: wihap_data_input: no TODS 

Changing kernels from i386 to amd64

[John N. Brahy]

How do I change my kernel from i386 to amd64? Do I have to do a
reinstall or upgrade? I tried simply copying the bsd file from the amd64
directory off an ftp site but I got a unrecognized binary format error
from the boot loader.

Re: PF ALTQ

[jared r r spiegel]

On Tue, Sep 20, 2005 at 01:16:19AM +0100, Stuart Henderson wrote:
 
 You can only queue outgoing traffic with altq, not incoming.
 
 You can sometimes achieve the same effect by queuing outgoing traffic 
 on a different interface (e.g. to queue internet-LAN bandwidth, queue 
 on the LAN interface), though that doesn't help for services running on 
 the box with altq.
 
 If that's a real requirement, you may need some alternative (pure-ftpd, 
 perhaps? or run altq on a different machine to the services?)

  if that wasn't clear for any reason (though it should be), 
  then this will either be clear or it will not make any sense:

http://marc.theaimsgroup.com/?l=openbsd-miscm=109736589107739w=2

  / for puppies.

  jared

-- 

[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]

Re: logging blocked connections in pf, but no line noise

[jared r r spiegel]

On Mon, Sep 19, 2005 at 08:59:48PM +0200, -f wrote:
 hmm, on Mon, Sep 19, 2005 at 10:01:58AM -0600, j knight said that
   i was thinking of making another rule, just below this one:
   
   block in
   block in log from any to $ext_if
  
  Another alternative:
  
  block in quick to $ext_if:broadcast
  block in log

  eew quick
 
 this doesn't seem to have the disired effect...
 the rule got translated into
 
 block drop in quick inet from any to xxx.xxx.xxx.255
 
 and is not stopping all the noise...

  heh.. cable modem? (arparparparparparparparp.. :P)...

  what is the noise exactly?

  give tcpdump pflog0, make known what is/isn't your IP
  ( xxx out the middle 2 octets or whatever makes you happy ).

  i understand you mean 'noise' to be a lot of traffic that shows up
  on my line that is full of valid CRCs but not intended for me or of
  no interest to me, but what is it, exactly?

  You either do something like this or you filter your logs when viewing
  them/running reports to exclude line noise.
 
 small disk, old machine, why keep the noise? ;)

  i use:

---
e = sis2
adsl_up =   700Kb
TCP_NOISE = { 135 139 445 1080 1433 3128 }
UDP_NOISE = { 1026 1027 }

set block-policy return

altq on $e hfsc bandwidth $adsl_up queue{ exthi extlo extLAN }
queue exthi on $e   bandwidth 20%   priority 6 hfsc( upperlimit 
$adsl_up )
queue extlo on $e   bandwidth 20%   priority 0 hfsc( upperlimit 
$adsl_up default )
queue extLANon $e   bandwidth 20% { u192.168.7.X }
queue u192.168.7.X  on $e   bandwidth 192b  { u192.168.7.Xd u192.168.7.Xa }
queue u192.168.7.Xd on $e   bandwidth  64b  priority 2 hfsc( upperlimit 
$adsl_up )
queue u192.168.7.Xa on $e   bandwidth 128b  priority 4 hfsc( upperlimit 
$adsl_up )

block log all

block on $e proto tcp from any to (carp0:0) port $TCP_NOISE queue( extlo )
block on $e proto udp from any to (carp0:0) port $UDP_NOISE queue( extlo )
---

  please don't flame for the lameass use of HFSC, i'm always in the 
  middle of playing with it G.

  anyway, this makes it so that anything blocked matching the {TCP,UDP}_NOISE
  macros doesn't spam up my pflog.

  jared

-- 

[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]

Re: Wireless Strangeness

[pedro la peu]

 It was the most current I could find for this particular chipset

The chipset is ancient.

 shorty.kirknet.net:~$ dmesg
 OpenBSD 3.4-stable (GENERIC) #0: Sun Sep 18 18:29:41 EDT 2005

I'm bailing here. I don't remember 3.4 well enough.

Re: PF performance question

[Vinicius Pavanelli Vianna]

jared r r spiegel wrote:

On Mon, Sep 19, 2005 at 03:13:33PM -0300, Vinicius Pavanelli Vianna wrote:
  

I tried to disable pf (pfctl -d) and it continues to loss packets


...
  

The count on in and out are different because the pf is blocking some
packets 



  (?)

  those seem to contradict one another., just a typo?

  

I just disabled pf for a moment to check if it would be the cause of the
loss, but pf isn't the cause.

didn't resolve the packet lost i begin to suspect something on the
bridge code, as i don't see any error on the interface.



  welp.. you could turn the bridge off and then run binat in pf, or
  perhaps split the subnet.  
  
  

To disable the bridge i will have to change the topology with my ISP,
since their are using some layer2 protocols over this link to do some
stuffs between their firewall and their switches, beside this, they take
too long to do something like a topology change like this.

  i could see two ways to do this, one being kinda hackish and perhaps
  outright wrong, but i believe either would work.

1) hackish:

  ( this would work, but involves a lot of ugly crap and proxy-arp,
so i decided to not even bring it up because i don't want people
to yell and puke at me ).

2) assuming the ISP and you have both chosen IPs from the beginning
  of the subnet, have your ISP change their iface to you to be a /26 instead of
  a /25.  so, if they're .1/25, ask them to be .1/26.  then change
  the subnet mask on your end to match a /26 also ( 255.255.255.192 ).
  so assume you're 200.xx.xx.2 netmask 0xffc0; have them now
  static route 200.xx.xx.64/26 to 200.xx.xx.2.

  

I think i can do something better with some routing policy on their
firewall/router, will check this, but again it will need a topology
change :(
The big problem here is that i have to run this machine on bridge, and
pf doesn't perform synproxy in bridge too, what is a bad thing to me, so
i will try to avoid this bridge setup asap.

  if you and the ISP are high IPs, ( eg, .125, .126 ), sure, doesn't
  matter, just make sure you're both in the same subnet, and then in 
  the next paragraph, use the lower subnet for the lan instead of the
  higher:

  this will make it so that you still get what amounts to the same /25,
  but can put the lower /26 on the external iface and the upper /26 
  on your internal iface.  so then take an IP from the .64/26 and put
  it on the internal em(4) card, renumber any hosts behind that as
  needed, and try to see if you still have the same packet loss
  ( assuming you have changed nothing thus far other than the IP 
  subnetting ).

  if you have the IPs setup that way, you can remove the bridge
  from existance and rely on normal net.inet.ip.forwarding=1.

  

The problem is i'm having this loss in the link ISP = OpenBSD
Firewall, so i don't think this would resolve it, but i will give it a
try as soon as i can make then change the topology, when i tcpdump on
the em0 interface (that is connected to the ISP) i can't get some
packets i send from the internet, or even pings between me and the ISP,
so i begin to suspect it's a wire problem, my netstat gives me some
errors on the interface, but nothing that is getting bigger all the
time, i will begin to check more ofter this errors to trace it.

but the big problem is that some packets doesn't get even on the
interface, my setup is like add em0 add em1 up on bridgename.bridge0



  i checked the thread again but didn't see it mentioned.

  where are you losing the packets? 

  are you losing packets on the link between ISP-You or You-YourLan ?

  if you're losing them on ISP-You, is that to the other end of the
  external iface, ( eg, whatever you put for a default gateway on your
  bridge box, their end of your /25 ) or to some other host beyond that?
 
  

The loss is to my gateway, and reflect on all hosts because of it.

i also enabled STP as my ISP told me it would help
their redundancy.



  STP on a bridge seems like a Good Thing, but i don't think the ISP
  side of it is going to matter much...  i mean..  if they require 
  people to have the customer side of the link be either A) one single
  host or B) something running spanning tree, then yeah, it seems logical,
  but if not (eg - they do not make a certain requirement of what you attach
  to their link), i would wager that spanning tree is not going to be part
  of the solution to your problem.  in other words, if they're not
  running STP-aware bridges between the interface that is their side of your
  /25 and the cable hitting your side of your /25, you running spanning 
  tree isn't going to mean dick for them.

  for now, the check autoneg/speed-duplex settings seems to be a 
  good place to start.  make each physical link agree (autoneg or forced)
  on both ends, if they don't already.

  

They say all their ifaces are forced to 100 full duplex, when i try to
autoneg with their switches i always got 100 half duplex, and the 

Re: Wireless Strangeness

[Alex Kirk]

  shorty.kirknet.net:~$ dmesg
  OpenBSD 3.4-stable (GENERIC) #0: Sun Sep 18 18:29:41 EDT 2005
 
 I'm bailing here. I don't remember 3.4 well enough.

I was afraid of that. I've been meaning to upgrade to 3.7 for a while -- is it
likely to make that big of a difference if I upgrade? If I were to still
experience this problem with 3.7, might you be able to offer further assistance
(I can understand not wanting to have to dredge through memory for something not
particularly relevant or exciting for someone else's benefit)?

Meanwhile, does anyone else have a clue what might be going on here?

Thanks,
Alex Kirk

Re: PF performance question

[j knight]

--- Quoting Vinicius Pavanelli Vianna on 2005/09/19 at 22:24 -0300:

 They say all their ifaces are forced to 100 full duplex, when i try to
 autoneg with their switches i always got 100 half duplex, and the speed
 is bad, so i forced all to 100 full duplex so i can get some speed,
 don't ask me why they switch didn't autoneg to full duplex since they
 asked me to put all my machines in full duplex...

That's exactly what should happen. You can't have one side set to
autoneg and one hard set. If you do, you'll get a duplex mismatch.
 


.joel

Re: Problems compiling kernel on 3.7 / amd64

[Ted Unangst]

On Mon, 19 Sep 2005, John N. Brahy wrote:

 cd /usr
 
 cvs -t -z9 update -rOPENBSD_3_ -P src

1.  there is no OPENBSD_3_ tag.
2.  don't retype commands unless you can do it flawlessly.
3.  you forgot the -d option to update.


-- 
And that's why he won't get my vote.

Re: PF performance question

[Spruell, Darren-Perot]

From: Vinicius Pavanelli Vianna [mailto:[EMAIL PROTECTED]
 They say all their ifaces are forced to 100 full duplex, when i try to
 autoneg with their switches i always got 100 half duplex, and 
 the speed
 is bad, so i forced all to 100 full duplex so i can get some speed,
 don't ask me why they switch didn't autoneg to full duplex since they
 asked me to put all my machines in full duplex...

Your ISP asked you to set full duplex because they are explicitly forcing
full duplex on their end of the link. You can't have one side of a link
forced and one side set to autonegotiate and expect them to negotiate. One
side will try to negotiate, the other side will not, so the first one
settles for half-duplex. It's referred to as a duplex mismatch. Either force
both sides or negotiate both sides. 

DS

Re: Changing kernels from i386 to amd64

[Ted Unangst]

On Mon, 19 Sep 2005, John N. Brahy wrote:

 How do I change my kernel from i386 to amd64? Do I have to do a
 reinstall or upgrade? I tried simply copying the bsd file from the amd64
 directory off an ftp site but I got a unrecognized binary format error
 from the boot loader.

reinstall.  despite the obvious similarity that they can run on the same 
hardware, you should consider them as different as sparc and powerpc.


-- 
And that's why you believe it isn't simple.

Re: Wireless Strangeness

[Spruell, Darren-Perot]

From: Alex Kirk [mailto:[EMAIL PROTECTED]
  I'm bailing here. I don't remember 3.4 well enough.
 
 I was afraid of that. I've been meaning to upgrade to 3.7 for 
 a while -- is it
 likely to make that big of a difference if I upgrade? If I 
 were to still
 experience this problem with 3.7, might you be able to offer 
 further assistance
 (I can understand not wanting to have to dredge through 
 memory for something not
 particularly relevant or exciting for someone else's benefit)?

Yes. Review CVS history so you can see how many changes have happened since
3.4, particularly in the ieee80211 stuff.

Strictly speaking, upgrading from 3.4 (per the documented upgrade procedure,
as in 3.4-3.5, 3.5-3.6, 3.6-3.7) will be a likely difficulty. Making the
jump from 3.4 might be easier if you just install 3.7 and restore backups.

DS