Re: DVD burning, cdrloots, dvdrtools, dvd+rw_tools on OpenBSD-3.8

2006-02-06 Thread Guido Tschakert

Jacob Meuser wrote:

On Fri, Feb 03, 2006 at 10:35:16AM +0100, Guido Tschakert wrote:


Jacob Meuser wrote:


On Fri, Feb 03, 2006 at 12:04:20PM +0500, Dmitry Slobodchikov wrote:




Growisofs doesn't work either, with neither the -Z nor the -M argument.

/home/zoosman-dvd+rw-format -blank /dev/dvd
* DVD±RW/-RAM format utility by [EMAIL PROTECTED], version 4.10.
:-( unable to open(/dev/dvd): Invalid argument

or

/home/zoosman-dvd+rw-mediainfo /dev/dvd
/dev/dvd: unable to open: Invalid argument



what is /dev/dvd?  you should use /dev/rcd0c or /dev/rcd1c.



Hello,

/dev/dvd is the appropriate device name under Linux.



maybe some distros set that up for you.

there is nothing stopping a user from doing:

# ln -s /dev/rcd1c /dev/dvd




Hello,

ok you're right.
I thought there were a config file for dvd+rw-tools which contains the 
name of the device to use.

(next time I do: reading, thinking, writing ;-)  and not just writing)

And /dev/dvd is actually not the device name under Linux but a 
convenience which can also be used under OpenBSD.


guido



Re: Broadcom BCM5752 NIC

2006-02-06 Thread Badbanchi Hossein
Thanks everybody for helpful hints.

Dear Brad,
This morning downloaded the latest i386 snapshot and installed it.

Although I still get the error message 'firmware handshake timed out', after
the machine boots the NIC speed is OK.

Thanks for your engagement.

Regards,
Amir



need help with pf tcpdump

2006-02-06 Thread David Benfell
Hello all,

I'm trying to debug my packet filtering rules.  The problem is that
messages sent from my internal network are not getting through to the
SMTP host on my OpenBSD 3.8-CURRENT system.

The only output I'm getting from tcpdump is:
Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 
192.168.18.47.65248 > 192.168.19.242.25: S 3208584508:3208584508(0) win 65535 
mss 1460,nop,wscale 0,nop,nop,timestamp 1838120409 0 (DF)
Feb 06 00:56:09.237735 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 
192.168.19.242.25 > 192.168.18.47.65248: S 3124286715:3124286715(0) ack 
3208584509 win 0 mss 1460 (DF) [tos 0x10]
Feb 06 00:56:09.238491 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 
192.168.18.47.65248 > 192.168.19.242.25: . ack 1 win 65535 (DF)
Feb 06 00:56:09.954495 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 
192.168.18.47.65249 > 192.168.19.242.25: S 2319452229:2319452229(0) win 65535 
mss 1460,nop,wscale 0,nop,nop,timestamp 1838120411 0 (DF)
Feb 06 00:56:09.954545 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 
192.168.19.242.25 > 192.168.18.47.65249: S 2347749644:2347749644(0) ack 
2319452230 win 0 mss 1460 (DF) [tos 0x10]
Feb 06 00:56:09.955300 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 
192.168.18.47.65249 > 192.168.19.242.25: . ack 1 win 65535 (DF)

192.168.19.242 is the OpenBSD system.  192.168.18.47 is my laptop.
Beyond that, I have no clue what this means.  And all I know is that
the SMTP logs on the OpenBSD system show no sign of contact.

On the laptop:
2006-02-06 00:56:08.528514500 starting delivery 812: msg 36185520 to remote 
[EMAIL PROTECTED]
2006-02-06 00:56:08.528522500 status: local 0/10 remote 3/20
2006-02-06 00:56:08.528523500 starting delivery 813: msg 36182781 to remote 
[EMAIL PROTECTED]
2006-02-06 00:56:08.528527500 status: local 0/10 remote 4/20
2006-02-06 01:00:39.530878500 delivery 810: deferral: 
Connected_to_192.168.19.242_but_connection_died._(#4.4.2)/
2006-02-06 01:00:39.530885500 status: local 0/10 remote 3/20

Both systems are running qmail.  A copy of my /etc/pf.conf is
attached.

-- 
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/
#   $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
#ext_if=ext0  # replace with actual external interface name i.e., dc0
ext_if=xl0
#int_if=int0  # replace with actual internal interface name i.e., dc1
int_if=dc0
dmz_if=sf3
pub_if=sf0
lupin_if=sf1
#internal_net=10.1.1.1/8
internal_net=192.168.18.1/24
external_addr=66.93.170.242
routable_subnet=66.93.170.241/28
dmz_net=192.168.19.0/24
dmz_addr=192.168.19.242
mta_ad = 192.168.19.242
mta_pt = 25
dhcp_net=192.168.20.0/24
lupin_net=192.168.100.0/24
public_admin_net=192.168.17.0/24
starshine=216.240.40.161/27
allowed_nets={ $starshine, $dmz_net, $internal_net }
trusted_external={ 12.22.55.0/24 24.23.206.48/32 64.0.0.0/4 134.154.0.0/16 
216.240.40.161/27 166.154.0.0/16 166.147.140.0/24 198.144.195.188/32 4.4.0.0/16 
207.47.24.0/24 208.54.15.0/24 209.172.123.0/24 }
#   Doubletree  King's Head  Local  CSU Hayward
#   starshine.org  Verizon Wireless
earth_ext=66.93.170.243
earth_dmz=192.168.19.243
earth_int=192.168.18.43
dnscache=192.168.19.4
kindling_ext=66.93.170.244
kindling_int=192.168.19.244
home_ext=66.93.170.245
home_int=192.168.18.44
raven_ext=66.93.170.246
raven_int=192.168.18.45
lair_ext=66.93.170.247
lair_int=192.168.18.46
thunder_ext=66.93.170.248
thunder_int=192.168.18.47
lupin_ext=66.93.170.254
non_routable={ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
macintoshes={ $lair_ext, $lair_int, $thunder_ext, $thunder_int }
linux_pcs={ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int, 
$raven_ext, $raven_int }
auth_local={ $lair_ext, $lair_int, $thunder_ext, $thunder_int \
$earth_ext, $earth_dmz, $dnscache, $kindling_ext, $kindling_int, 
$home_ext, $home_int, $raven_ext, $raven_int }
lupin_router=192.168.100.1
lupin_net=192.168.100.0/24
dmz_services=port { smtp, pop3, http, ftp-data, ftp, domain, ntp }
tcp_udp=proto { tcp, udp }
in_out={ in, out }

# Tables: similar to macros, but more flexible for many addresses.
#table foo { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 30, frag 10 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set limit { states 1, frags 5000 }
#set loginterface 

Re: httpd question - solved

2006-02-06 Thread Alexander Farber
And there is also ipcheck.py

On 2/6/06, Keith Richardson [EMAIL PROTECTED] wrote:
 This will handle the pesky case of your IP changing.

 1. dyndns.org - get a free subdomain to map to your IP.
 2. ddclient package - updates your DNS whenever your IP changes.



pf macros in table-filenames?

2006-02-06 Thread mgEDV.net
hi guys,

i try to use a macro for having the dir for
my tables only once in my pf.conf file:

dir_tab = /etc/pf/tables
table tab1 persist file $dir_tab/tab1
table tab2 persist file $dir_tab/tab2
table tab3 persist file $dir_tab/tab3

the filename w/o quotes is a syntax error.
with quotes, the macro does not get expanded.
any way to solve this directly in the pf.conf,
or will i have to write shell-scripts for that?

br, mdff...



OpenBGPD OPEN Error

2006-02-06 Thread Karl Austin

Hi,

I've just upgraded a box to the 3.9 Snapshot from 30th January and now 
whenever bgpd tries to open a session with an Extreme BlackDiamond it 
reports the following:


received notification: error in OPEN message, optional parameter error

This was all working fine with a 3.8 snapshot before. Anyone else had 
a similar issue, a Google and Newsnet didn't turn up anything and I don't 
recall seeing anything on-list either. I'm aware that the BD is probably 
doing something it shouldn't be in terms of sticking to the RFCs, but 
nonetheless, it did work before.


Thanks,

Karl



Re: OpenBGPD OPEN Error

2006-02-06 Thread Henning Brauer
* Karl Austin [EMAIL PROTECTED] [2006-02-06 11:39]:
 Hi,
 
 I've just upgraded a box to the 3.9 Snapshot from 30th January and now 
 whenever bgpd tries to open a session with an Extreme BlackDiamond it 
 reports the following:
 
 received notification: error in OPEN message, optional parameter error
 
 This was all working fine with a 3.8 snapshot before. Anyone else had 
 a similar issue, a Google and Newsnet didn't turn up anything and I don't 
 recall seeing anything on-list either. I'm aware that the BD is probably 
 doing something it shouldn't be in terms of sticking to the RFCs, but 
 nonetheless, it did work before.

we are announcing something to the BD it does not like. a tcpdump 
(increase snaplen, like, tcpdump -vvv -n -s 1500 port 179) would help,
and you can play with announce IPv4/IPv6 in the config, and, as last 
resort, announce capabilities no. But I'd really prefer to debug this 
properly, maybe we need to change something in the way we announce 
capabilities by default.
also, check logs on the other side.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: OpenBGPD OPEN Error

2006-02-06 Thread Karl Austin

Henning Brauer wrote:

* Karl Austin [EMAIL PROTECTED] [2006-02-06 11:39]:
  

Hi,

I've just upgraded a box to the 3.9 Snapshot from 30th January and now 
whenever bgpd tries to open a session with an Extreme BlackDiamond it 
reports the following:


received notification: error in OPEN message, optional parameter error

This was all working fine with a 3.8 snapshot before. Anyone else had 
a similar issue, a Google and Newsnet didn't turn up anything and I don't 
recall seeing anything on-list either. I'm aware that the BD is probably 
doing something it shouldn't be in terms of sticking to the RFCs, but 
nonetheless, it did work before.



we are announcing something to the BD it does not like. a tcpdump 
(increase snaplen, like, tcpdump -vvv -n -s 1500 port 179) would help,
and you can play with announce IPv4/IPv6 in the config, and, as last 
resort, announce capabilities no. But I'd really prefer to debug this 
properly, maybe we need to change something in the way we announce 
capabilities by default.

also, check logs on the other side.

  
Just trying to get the BD to give me something remotely useful about 
it.  Reading back what I typed, wasn't all that clear in my first 
message, it's OpenBGPD giving the error, not the BD.


tcpdump:

# tcpdump -i ti1 -vvv -n -s 1500 port 179 and host 192.168.1.5
tcpdump: listening on ti1, link-type EN10MB
11:09:46.794102 192.168.1.5.1381 > 192.168.1.6.179: S [tcp sum ok] 
3055653480:3055653480(0) win 3600 mss 1460 [tos 0xc0] (ttl 30, id 
43716, len 44)
11:09:46.794121 192.168.1.6.179 > 192.168.1.5.1381: S [tcp sum ok] 
2689756459:2689756459(0) ack 3055653481 win 16384 mss 1460 (DF) (ttl 
64, id 15313, len 44)
11:09:46.795217 192.168.1.5.1381 > 192.168.1.6.179: . [tcp sum ok] 
1:1(0) ack 1 win 3600 [tos 0xc0] (ttl 30, id 43717, len 40)
11:09:46.795340 192.168.1.6.179 > 192.168.1.5.1381: F [tcp sum ok] 
1:1(0) ack 1 win 17520 (DF) (ttl 64, id 18823, len 40)
11:09:46.795747 192.168.1.5.1381 > 192.168.1.6.179: . [tcp sum ok] 
1:1(0) ack 2 win 3600 [tos 0xc0] (ttl 30, id 43718, len 40)
11:09:47.087864 192.168.1.5.1381 > 192.168.1.6.179: P [tcp sum ok] 
1:30(29) ack 2 win 3600: BGP (OPEN: Version 4, AS #65535, Holdtime 180, 
ID 192.168.1.1, Option length 0) [tos 0xc0] (ttl 30, id 43720, len 69)
11:09:47.087877 192.168.1.6.179 > 192.168.1.5.1381: R [tcp sum ok] 
2689756461:2689756461(0) win 0 (DF) (ttl 64, id 22030, len 40)
11:09:47.088335 192.168.1.5.1381 > 192.168.1.6.179: F [tcp sum ok] 
30:30(0) ack 2 win 3600 [tos 0xc0] (ttl 30, id 43721, len 40)
11:09:47.088342 192.168.1.6.179 > 192.168.1.5.1381: R [tcp sum ok] 
2689756461:2689756461(0) win 0 (DF) (ttl 64, id 25445, len 40)


Tried with:

announce IPv6 none

and:

announce capabilities no

but neither make any difference.

Thanks,

Karl



Re: OpenBGPD OPEN Error

2006-02-06 Thread Karl Austin

Karl Austin wrote:

Tried with:

announce IPv6 none

and:

announce capabilities no

but neither make any difference.

Thanks,

Karl



Just tried again, shut the session down at both sides for a few minutes 
and waited, then brought them back up, and it seems that announce 
capabilities no did the trick in establishing the session again - But 
like yourself, I'd rather get to the bottom of it.


Thanks,

Karl



Re: OpenBGPD OPEN Error

2006-02-06 Thread Henning Brauer
* Karl Austin [EMAIL PROTECTED] [2006-02-06 12:33]:
 Henning Brauer wrote:
 * Karl Austin [EMAIL PROTECTED] [2006-02-06 11:39]:
 I've just upgraded a box to the 3.9 Snapshot from 30th January and now 
 whenever bgpd tries to open a session with an Extreme BlackDiamond it 
 reports the following:
 received notification: error in OPEN message, optional parameter error
 This was all working fine with a 3.8 snapshot before. Anyone else had 
 a similar issue, a Google and Newsnet didn't turn up anything and I don't 
 recall seeing anything on-list either. I'm aware that the BD is probably 
 doing something it shouldn't be in terms of sticking to the RFCs, but 
 nonetheless, it did work before.
 we are announcing something to the BD it does not like. a tcpdump 
 (increase snaplen, like, tcpdump -vvv -n -s 1500 port 179) would help,
 and you can play with announce IPv4/IPv6 in the config, and, as last 
 resort, announce capabilities no. But I'd really prefer to debug this 
 properly, maybe we need to change something in the way we announce 
 capabilities by default.
 also, check logs on the other side.
 Just trying to get the BD to give me something remotely useful about 
 it.  Reading back what I typed, wasn't all that clear in my first 
 message, it's OpenBGPD giving the error, not the BD.

well, openbgpd logs that the BD sent us a notification, so the BD 
errors out and tells us so.

 11:09:47.087864 192.168.1.5.1381 > 192.168.1.6.179: P [tcp sum ok] 
 1:30(29) ack 2 win 3600: BGP (OPEN: Version 4, AS #65535, Holdtime 180, 
 ID 192.168.1.1, Option length 0) [tos 0xc0] (ttl 30, id 43720, len 69)

192.168.1.5 being the BD?

hmm.
announce capabilities no
definitely should get you going.
if I guessworked correctly your tcpdump does not show the OPEN message 
from the OpenBGPD box. it should work with no capabilities.
wait, I think I see a bug and announce capabilities no doesn't work :)
please try this diff.

Index: session.c
===
RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
retrieving revision 1.243
diff -u -p -r1.243 session.c
--- session.c   24 Jan 2006 10:08:16 -  1.243
+++ session.c   6 Feb 2006 12:01:08 -
@@ -1200,7 +1200,7 @@ session_open(struct peer *p)
if (p-capa.ann.refresh)
op_len += 2 + 0;/* 1 code + 1 len, no data */
 
-   if (op_len  0)
+   if (p-conf.announce_capa  op_len  0)
optparamlen = sizeof(op_type) + sizeof(op_len) + op_len;
len = MSGSIZE_OPEN_MIN + optparamlen;
 
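Review bot: the new condition only gates optparamlen, while op_len has already been accumulated above it from p->capa.ann.refresh (and whatever precedes the hunk); if the parameter bytes are written further down based on op_len, as the existing structure suggests, an OPEN built with announce_capa off would carry a length that no longer matches its body. Make the decision once, before the length is computed, e.g. `if (!p->conf.announce_capa) op_len = 0;`, so every later consumer of op_len agrees with it. Also, as quoted here the operators have been lost in transit (`p-capa.ann.refresh`, `op_len  0`): the intended lines are `if (p->capa.ann.refresh)` and `if (p->conf.announce_capa && op_len > 0)`, and the diff will not apply as pasted.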

however, after receiving an Optional Parameter Error notification, 
OpenBGPD should quickly retry without any capabilities announced (and thus 
optional parameters) on its own. did you wait for the second trial?

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: OpenBGPD OPEN Error

2006-02-06 Thread Henning Brauer
* Karl Austin [EMAIL PROTECTED] [2006-02-06 12:48]:
 Karl Austin wrote:
 Tried with:
 
 announce IPv6 none
 
 and:
 
 announce capabilities no
 
 but neither make any difference.
 
 Thanks,
 
 Karl
 
 
 Just tried again, shut the session down at both sides for a few minutes 
 and waited, then brought them back up, and it seems that announce 
 capabilities no did the trick in establishing the session again - But 
 like yourself, I'd rather get to the bottom of it.

you could try with

announce IPv4 none
announce IPv6 none

then we do not announce any multiprotocol stuff at all but only route 
refresh.
I am pretty sure tho that we announce route refresh and IPv4 unicast in 
3.8 too...

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
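
Henning's two points above, that the BD's notification means it rejected something in our OPEN's optional parameters, and that OpenBGPD should then retry with no capabilities announced, can be followed in a small protocol model. The following is an added Python example written for this digest, not OpenBGPD's code: it builds OPEN messages with and without the capability optional parameter (MP-BGP IPv4 unicast and route refresh, RFC 2858 / RFC 2918 inside an RFC 3392 capabilities parameter, which Henning says 3.8 announced as well), parses them into the fields tcpdump prints, and applies the retry rule to a NOTIFICATION. The local AS number 65001 and hold time 90 are assumptions; only the BD's OPEN (Version 4, AS 65535, Holdtime 180, ID 192.168.1.1, Option length 0, 29 bytes) reproduces what the capture shows.

```python
"""Added example for this digest, not OpenBGPD code: a minimal model of the
BGP OPEN / NOTIFICATION exchange discussed above.  build_open() emits an
OPEN with or without the capability optional parameter; parse_open()
recovers the fields tcpdump prints; next_open_after() applies the retry
Henning describes: an OPEN error with the "unsupported optional parameter"
subcode means the peer could not parse our capabilities, so the next OPEN
carries none."""
import struct

MARKER = b"\xff" * 16
OPEN, NOTIFICATION = 1, 3
# RFC 4271 s4.5: error code 2 = OPEN Message Error,
# subcode 4 = Unsupported Optional Parameter
ERR_OPEN, SUBERR_OPEN_OPT = 2, 4
CAPA_MP, CAPA_REFRESH = 1, 2
AFI_IPV4, AFI_IPV6, SAFI_UNICAST = 1, 2, 1


def capability_param(mp_afis=(AFI_IPV4,), refresh=True) -> bytes:
    """Optional parameter type 2 (capabilities) as a TLV of capability TLVs."""
    caps = b""
    for afi in mp_afis:                       # MP: AFI(2) reserved(1) SAFI(1)
        caps += struct.pack("!BBHBB", CAPA_MP, 4, afi, 0, SAFI_UNICAST)
    if refresh:
        caps += struct.pack("!BB", CAPA_REFRESH, 0)
    return struct.pack("!BB", 2, len(caps)) + caps if caps else b""


def _message(mtype: int, body: bytes) -> bytes:
    # length covers marker(16) + length(2) + type(1) + body
    return MARKER + struct.pack("!HB", 19 + len(body), mtype) + body


def build_open(my_as, holdtime, bgp_id, announce_capa=True, **capa_kw) -> bytes:
    """With announce_capa=False the optional parameter length is 0, which is
    what 'announce capabilities no' is meant to produce on the wire."""
    params = capability_param(**capa_kw) if announce_capa else b""
    bid = bytes(int(o) for o in bgp_id.split("."))
    return _message(OPEN, struct.pack("!BHH4sB", 4, my_as, holdtime, bid,
                                      len(params)) + params)


def parse_open(msg: bytes) -> dict:
    """Fields as tcpdump shows them, plus the decoded capability list."""
    length, mtype = struct.unpack("!HB", msg[16:19])
    if msg[:16] != MARKER or mtype != OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    ver, asn, hold, bid, optlen = struct.unpack("!BHH4sB", msg[19:29])
    caps, params = [], msg[29:29 + optlen]
    while params:                             # optional parameters: type, len, value
        ptype, plen = params[0], params[1]
        value, params = params[2:2 + plen], params[2 + plen:]
        while ptype == 2 and value:           # capabilities: code, len, value
            code, clen = value[0], value[1]
            caps.append((code, value[2:2 + clen]))
            value = value[2 + clen:]
    return {"version": ver, "as": asn, "holdtime": hold,
            "id": ".".join(str(b) for b in bid), "optlen": optlen,
            "capabilities": caps}


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    return _message(NOTIFICATION, struct.pack("!BB", code, subcode) + data)


def parse_notification(msg: bytes):
    if msg[:16] != MARKER or msg[18] != NOTIFICATION:
        raise ValueError("not a NOTIFICATION")
    return msg[19], msg[20], msg[21:]


def next_open_after(notification, my_as, holdtime, bgp_id, announce_capa=True):
    """Retry policy after the peer tore the session down with a NOTIFICATION.
    Only an OPEN error about optional parameters justifies dropping the
    capabilities; any other error keeps the configuration and needs a human."""
    code, subcode, _ = parse_notification(notification)
    if code == ERR_OPEN and subcode == SUBERR_OPEN_OPT:
        announce_capa = False
    return build_open(my_as, holdtime, bgp_id, announce_capa=announce_capa)


if __name__ == "__main__":
    # The BD's OPEN from the capture: Version 4, AS 65535, Holdtime 180,
    # ID 192.168.1.1, Option length 0 -> 29 bytes, as tcpdump's 1:30(29).
    print(parse_open(build_open(65535, 180, "192.168.1.1", announce_capa=False)))
    ours = build_open(65001, 90, "192.168.1.6")          # AS/holdtime assumed
    print(parse_open(ours))
    notif = build_notification(ERR_OPEN, SUBERR_OPEN_OPT)
    print(parse_open(next_open_after(notif, 65001, 90, "192.168.1.6")))
```

Dropping the capabilities is a workaround, not a fix: without the MP and route-refresh capabilities the session is plain IPv4-unicast BGP-4 with no soft reset, which is acceptable on an IPv4-only peering but is exactly why Henning wants the tcpdump of our own OPEN rather than the BD's.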



testers required for NVIDIA Ethernet driver

2006-02-06 Thread Jonathan Gray
So Damien Bergamini and I have put together a driver for
the Ethernet controllers NVIDIA put out.

They don't provide documentation or even have a list
of names for the chips, but will happily agree
to let various parties distribute a driver kludged
around a binary blob.

Suffice to say, we have not taken this approach.

Snapshots starting 5th Feb for i386 and amd64 have
the driver (nfe) included.

What we would really like now, is some feedback
from a wide range of nforce based systems.
Send a dmesg and a mention of whether you have
any issues to damien ([EMAIL PROTECTED]) and
me ([EMAIL PROTECTED]).



Re: Problem with HP NetRAID Controller

2006-02-06 Thread Dirk Fohrenkamm
 I have replied to this type of email several times before.  The short
 answer is that I don't know why it is broken and have not been able
 to fix it yet.  The message is there to warn and protect you from bad
 things.
thanks for the advice;
looks like I have to try other OS, maybe Debian :-(

Dirk



Re: Good SMTP and POP proxy for OpenBSD

2006-02-06 Thread Joachim Schipper
On Mon, Feb 06, 2006 at 12:34:26PM +0530, Siju George wrote:
 Hi all,
 
 Till now I have been simply NATing SMTP and POP connections from the
 LAN through the OpenBSD 3.8 Firewall.
 
 I would like to have some finer control of mails coming in and going
 out and would like to install an SMTP Proxy and also a POP proxy on my
 OpenBSD Firewall.
 
 Messagewall does not seem to be in ports.
 
 Could some one recommend a good Software for me in these two
 categories available for OpenBSD?

Is there any good reason why a decent mailer daemon will not work?
Almost all offer some sort of content filter, to which you can add your
own hooks.

As to the second part, I don't know. If you can control
incoming/outgoing mail (via SMTP), I do not see the point of checking
POP as well, either.

Joachim



Re: Good SMTP and POP proxy for OpenBSD

2006-02-06 Thread Brandon Mercer

Joachim Schipper wrote:


On Mon, Feb 06, 2006 at 12:34:26PM +0530, Siju George wrote:
 


Hi all,

Till now I have been simply NATing SMTP and POP connections from the
LAN through the OpenBSD 3.8 Firewall.

I would like to have some finer control of mails coming in and going
out and would like to install an SMTP Proxy and also a POP proxy on my
OpenBSD Firewall.

Messagewall does not seem to be in ports.

Could some one recommend a good Software for me in these two
categories available for OpenBSD?

There is p3scan_pf for pop3 proxying... It can be found at 
www.undergroundsecurity.com.

Brandon



Re: mpt driver and Intel SE7520JR2 board

2006-02-06 Thread Sebastian Benoit
Marco Peereboom([EMAIL PROTECTED]) on 2006.02.03 14:30:19 +:
 You need to give some more to work with.  Can you please figure out the serial
 deal and send me that output please?

Okay, the serial console does not work, despite 2 hours of trying.
If anybody knows how to use serial console on an Intel SE7520JR2 board,
please tell me.

However, I was able to install -current:

 OpenBSD 3.9-beta (GENERIC) #436: Mon Jan 30 13:40:20 MST 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC

There is this in dmesg:

scsibus0 at mpt0: 16 targets
sd0 at scsibus0 targ 0 lun 0: LSILOGIC, 1030 IM, 1000 SCSI2 0/direct fixed
sd0: 70135MB, 70136 cyl, 16 head, 127 sec, 512 bytes/sec, 143637165 sec total
mpt0: Unknown async event: 0xb
mpt0: External Bus Reset
mpt0: Unknown async event: 0xb
mpt0: target 0 Asynchronous at 0MHz width 8bit offset 0 QAS 0 DT 0 IU 0

Now, the system has two SCSI disks that are currently configured as RAID-1
(in the LSI-SCSI Bios, i set this up while playing with FreeBSD). I then
broke the mirror and the error I observed during my first install attempt
was back: (hand-copied from screen)

sd0(mpt0:0:0): mpt0: timeout on request index=0xf8, seq 0x00c8
mpt0: status 0x, Mask 0x0001, Doorbell 0x2400
mpt0: request  state: OnChip
mpt0: Command timeout
[repeat with mpt0:1:0, ...]

Setting up the mirror again now...

okay, summary, in case you are confused:

  - system runs OpenBSD-snapshot with mirrored disks, but not without.
  - system works with FreeBSD, with mirrored SCSI disks and without.
  - system works with Linux, without mirror, not tested with.

complete dmesg attached.
/Benno
-- 
Sebastian Benoit [EMAIL PROTECTED]
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
GnuPG 0xD777DBA7 2003-09-10 D02B D0E0 3790 1AA1 DA3A  B508 BF48 87BF D777 DBA7

Next the statesmen will invent cheap lies, putting the blame upon the
nation that is attacked, and every man will be glad of those
conscience-soothing falsities, and will diligently study them, and refuse to
examine any refutations of them; and thus he will by and by convince himself
that the war is just, and will thank God for the better sleep he enjoys
after this process of grotesque self-deception. -- Mark Twain
OpenBSD 3.9-beta (GENERIC) #436: Mon Jan 30 13:40:20 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3757568000 (3669500K)
avail mem = 3224768512 (3149188K)
using 22937 buffers containing 375963648 bytes (367152K) of memory
mainbus0 (root)
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(TM) CPU 3.40GHz, 3391.88 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,NXE,LONG
cpu0: 2MB 64b/line 8-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x0c
Intel E7520 MCH ERR rev 0x0c at pci0 dev 0 function 1 not configured
Intel E7520 MCH DMA rev 0x0c at pci0 dev 1 function 0 not configured
ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at ppb1 bus 2
mpt0 at pci2 dev 5 function 0 Symbios Logic 53c1030 rev 0x08: irq 7
mpt0: sending FW Upload request to IOC (size: 36, img size: 69796)
mpt0: IM support: 6
scsibus0 at mpt0: 16 targets
sd0 at scsibus0 targ 0 lun 0: LSILOGIC, 1030 IM, 1000 SCSI2 0/direct fixed
sd0: 70135MB, 70136 cyl, 16 head, 127 sec, 512 bytes/sec, 143637165 sec total
mpt0: Unknown async event: 0xb
mpt0: External Bus Reset
mpt0: Unknown async event: 0xb
mpt0: target 0 Asynchronous at 0MHz width 8bit offset 0 QAS 0 DT 0 IU 0
mpt1 at pci2 dev 5 function 1 Symbios Logic 53c1030 rev 0x08: irq 11
mpt1: sending FW Upload request to IOC (size: 36, img size: 69796)
mpt1: IM support: 6
scsibus1 at mpt1: 16 targets
ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 3
em0 at pci3 dev 4 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 7, 
address 00:04:23:be:5a:ea
em1 at pci3 dev 4 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, 
address 00:04:23:be:5a:eb
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 7
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 5
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 

Re: need help with pf tcpdump

2006-02-06 Thread Peter
--- David Benfell [EMAIL PROTECTED] wrote:

 Hello all,
 
 I'm trying to debug my packet filtering rules.  The problem is that
 messages sent from my internal network are not getting through to the
 SMTP host on my OpenBSD 3.8-CURRENT system.

A common debugging approach is to log on all block rules and then identify
which rule is blocking the traffic.

So add the log keyword to your block rules, reload your set, activate the
pflog0 interface, and then tcpdump:

# ifconfig pflog0 up
# tcpdump -i pflog0 -qtne host an_involved_host
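
Peter's approach (log on the block rules, then watch pflog0) is the right one, and the tedious part is making sure no block rule is left without `log`. As an added example that is not part of the thread, here is a small Python helper that rewrites a ruleset so every block rule logs, lists the ones that did not, and returns the command sequence to load and watch it. The ruleset below is constructed for the demo and is not David's attached pf.conf; `/etc/pf.conf` and the tcpdump filter are assumptions.

```python
"""Added example, not from the thread: make every pf block rule log, so
pflog(4) shows which rule is dropping the SMTP connections.  The ruleset
below is constructed for the demo; the real /etc/pf.conf is attached to
David's mail and is not reproduced here."""
import re

# Constructed sample ruleset (assumption: a mix of logging and silent
# block rules, plus a pass rule that must stay untouched).
SAMPLE_PF_CONF = """\
ext_if=xl0
dmz_if=sf3
block in on $ext_if
block return in quick on $dmz_if proto tcp to port 25
block log in on $ext_if from 10.0.0.0/8
pass in on $dmz_if proto tcp to 192.168.19.242 port smtp keep state
block return-icmp(port-unr) in on $ext_if proto udp
"""

# "block" may be followed by an action option (drop, return, return-rst,
# return-icmp(code), return-icmp6(code)); pf.conf wants "log" after it.
_BLOCK_HEAD = re.compile(
    r"^(block(?:\s+(?:drop|return(?:-rst|-icmp6?(?:\([^)]*\))?)?))?)(?=\s|$)")
_HAS_LOG = re.compile(r"(?:^|\s)log(?:\s|\(|$)")


def add_log_to_block_rules(text: str) -> str:
    """Return the ruleset with 'log' inserted into every block rule that
    does not already log.  Macros, tables and pass rules pass through as-is."""
    out = []
    for line in text.splitlines():
        m = _BLOCK_HEAD.match(line)
        if m and not _HAS_LOG.search(line):
            line = m.group(1) + " log" + line[m.end(1):]
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def unlogged_block_rules(text: str) -> list:
    """Block rules that currently drop traffic silently."""
    return [l for l in text.splitlines()
            if _BLOCK_HEAD.match(l) and not _HAS_LOG.search(l)]


def pf_debug_commands(host: str, conf: str = "/etc/pf.conf") -> list:
    """Root commands to run once the logging ruleset is written: check the
    syntax first (on a parse error pfctl -f keeps the old rules loaded and
    you would be watching the wrong ruleset), load it, bring up pflog0 and
    watch packets for one host; -e prints the number of the matching rule."""
    return [["pfctl", "-nf", conf],
            ["pfctl", "-f", conf],
            ["ifconfig", "pflog0", "up"],
            ["tcpdump", "-n", "-e", "-ttt", "-i", "pflog0", "host", host]]


if __name__ == "__main__":
    fixed = add_log_to_block_rules(SAMPLE_PF_CONF)
    print(fixed)
    print("unlogged before:", len(unlogged_block_rules(SAMPLE_PF_CONF)),
          "after:", len(unlogged_block_rules(fixed)))
    for argv in pf_debug_commands("192.168.18.47"):
        print("#", " ".join(argv))
```

The rule number that tcpdump -e prints for each pflog entry is the one `pfctl -vvsr` shows in front of every rule (`@N`), so the two outputs together name the rule. Filtering on the laptop's address rather than port 25 also catches related traffic (DNS, ident) that a rule might be dropping before the SMTP session is even attempted.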



Re: Good SMTP and POP proxy for OpenBSD

2006-02-06 Thread Nils.Reuvers
Smtp proxy?

You mean an emailserver.

I have postfix running as my primary mailserver. It delivers mail to my
backend Exchange server and relays e-mail for the same Exchange server.
So, in a way, it's proxy-ing the e-mail.
With postfix, you have almost unlimited control over the complete mail
process.

I thought stunnel could also proxy encrypted pop3 traffic.

Nils

-Original Message-
From: Brandon Mercer [mailto:[EMAIL PROTECTED] 
Sent: Monday, 6 February 2006 14:19
To: Joachim Schipper
Cc: misc
Subject: Re: Good SMTP and POP proxy for OpenBSD

Joachim Schipper wrote:

On Mon, Feb 06, 2006 at 12:34:26PM +0530, Siju George wrote:
  

Hi all,

Till now I have been simply NATing SMTP and POP connections from the 
LAN through the OpenBSD 3.8 Firewall.

I would like to have some finer control of mails coming in and going 
out and would like to install an SMTP Proxy and also a POP proxy on my 
OpenBSD Firewall.

Messagewall does not seem to be in ports.

Could some one recommend a good Software for me in these two 
categories available for OpenBSD?

There is p3scan_pf for pop3 proxying... It can be found at
www.undergroundsecurity.com.
Brandon



=
A disclaimer applies to this email and any attachments. 
Refer to http://www.sparkholland.com/emaildisclaimer for the full text of this 
disclaimer.



Re: httpd question - solved

2006-02-06 Thread Chris Zakelj
Alexander Farber wrote:
 And there is also ipcheck.py

 On 2/6/06, Keith Richardson [EMAIL PROTECTED] wrote:
   
 This will handle the pesty case of your IP changing.

 1. dyndns.org - get a free subdomain to map to your IP.
 2. ddclient package - updates your DNS whenever your IP changes.
Having used both ddclient and ipcheck.py, I greatly prefer ddclient for
a couple reasons:
1. ddclient doesn't rely on crontabs or ppp.linkup scripts.  It runs as
a background perl process, checking every n seconds for a new IP
address.  Great for kernel PPPoE users.  Can run as a regular user (not
sure if that's post 3.8-RELEASE or not).
2. At least in 3.8-RELEASE, it is less likely to trigger repeat (i.e.,
abusive) updates.  Not sure what happened to ipcheck.py between 3.7
(used ipcheck.py here with userland PPPoE and ppp.linkup) and 3.8 to
make it abusive, but something (kernel PPPoE + crontab?) did.
3. ddclient will send you an email any time it actually does something
(true update, keep-alive update, system shutdown, error)



inet failover solution

2006-02-06 Thread Nickolay A Burkov
Hi, All!

I have a router with two external ethernet links to two different ISPs.
Could someone recommend a good technique to organize failover with these two 
channels (similar to trunk(4) but on a higher level)?
I thought about writing a Perl script to periodically ping a destination on the 
master ISP and, if it fails, reconfigure the routing tables and NAT to the slave 
provider's address. Because these are very network-topology-dependent things 
(timeouts, way of checking the destination, etc.), I wonder if somebody has good 
experience with this situation.

br
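
The approach sketched above (probe the primary ISP, switch routing and NAT to the secondary on failure) is mostly a question of deciding when a link is really down and when it is really back. As an added Python example, not from the thread, here is that decision part with hysteresis, separated from the probing and from the OpenBSD-specific actions so it can be tested offline. The ISP names, gateways (RFC 5737 documentation ranges), thresholds and the route/pfctl actions are assumptions; how the nat rule picks up the new external address depends on the local pf.conf.

```python
"""Added example for this digest, not from the post: the decision half of a
two-uplink failover monitor.  Probe results come from outside (ping(8) or
any other check), so the hysteresis logic runs and can be tested without a
network; the OpenBSD-specific actions (route change, pf reload) live in one
function the monitor calls on a switch.  Names, gateways (RFC 5737 ranges),
thresholds and the pfctl/route invocations are assumptions."""
import subprocess


class Uplink:
    def __init__(self, name, gateway, probe_target):
        self.name, self.gateway, self.probe_target = name, gateway, probe_target
        self.fail_streak = 0   # consecutive failed probes
        self.ok_streak = 0     # consecutive successful probes

    def record(self, ok):
        if ok:
            self.ok_streak, self.fail_streak = self.ok_streak + 1, 0
        else:
            self.fail_streak, self.ok_streak = self.fail_streak + 1, 0


class FailoverMonitor:
    """Fail over after `down_after` consecutive primary failures, but only
    if the secondary's last probe succeeded; fail back after `up_after`
    consecutive primary successes.  Different thresholds in each direction
    stop a lossy primary from flapping the default route."""

    def __init__(self, primary, secondary, down_after=3, up_after=10, switch=None):
        self.primary, self.secondary = primary, secondary
        self.down_after, self.up_after = down_after, up_after
        self.active = primary
        self.switch = switch or (lambda uplink: None)
        self.history = []      # names of uplinks switched to, in order

    def observe(self, primary_ok, secondary_ok):
        """Feed one probe round; returns the uplink active afterwards."""
        self.primary.record(primary_ok)
        self.secondary.record(secondary_ok)
        want = self.active
        if (self.active is self.primary and secondary_ok
                and self.primary.fail_streak >= self.down_after):
            want = self.secondary
        elif self.active is self.secondary and self.primary.ok_streak >= self.up_after:
            want = self.primary
        if want is not self.active:
            self.active = want
            self.history.append(want.name)
            self.switch(want)
        return self.active


def probe(uplink, timeout=2):
    """One ICMP echo via ping(8).  To probe each ISP independently the
    target needs a host route via that ISP's gateway, set up once outside
    this script.  Not exercised by the offline self-test."""
    r = subprocess.run(["ping", "-c", "1", "-w", str(timeout), uplink.probe_target],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def activate_uplink(uplink):
    """Switch action for OpenBSD: move the default route and reload pf so
    nat rules bound to the active external interface/address take effect.
    How pf.conf selects that address is site-specific and assumed here."""
    subprocess.run(["route", "change", "default", uplink.gateway], check=True)
    subprocess.run(["pfctl", "-f", "/etc/pf.conf"], check=True)


if __name__ == "__main__":
    import time
    monitor = FailoverMonitor(Uplink("isp-a", "192.0.2.1", "192.0.2.254"),
                              Uplink("isp-b", "198.51.100.1", "198.51.100.254"),
                              switch=activate_uplink)
    while True:
        active = monitor.observe(probe(monitor.primary), probe(monitor.secondary))
        print("active uplink:", active.name)
        time.sleep(10)
```

Two details matter more than the script itself: probe a host that is only reachable through the uplink being tested (a host route per probe target), otherwise a probe of the "failed" ISP will happily succeed via the other one; and keep existing NAT states in mind, since connections translated to the old external address die when the default route moves regardless of how the rules are reloaded.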



Re: Good SMTP and POP proxy for OpenBSD

2006-02-06 Thread Bill
On Mon, 6 Feb 2006 12:34:26 +0530
Siju George [EMAIL PROTECTED] spake:

 Hi all,
 
 Till now I have been simply NATing SMTP and POP connections from the
 LAN through the OpenBSD 3.8 Firewall.
 
 I would like to have some finer control of mails coming in and going
 out and would like to install an SMTP Proxy and also a POP proxy on my
 OpenBSD Firewall.
 
 Messagewall does not seem to be in ports.
 
 Could some one recommend a good Software for me in these two
 categories available for OpenBSD?
 
 Thankyou so much :-)
 
 Kind Regards
 
 Siju
 

Siju,

We've implemented, on a few small scale installations, Postfix on the
firewall which simply does a few Spam checks and passes it on to the
real mail server.  Never had any problems, and makes me feel better
since I can't fully trust my internal mail server.

Happy days,

Bill



isakmpd - only cookies

2006-02-06 Thread Daïm Willemse
Hello all,

Currently my brother and I try to set up a vpn using isakmpd between two
OBSD 3.8 boxes. We had a similar vpn working before. We both changed ADSL
providers and thought it is time for an upgrade. However...

Our vpn refuses to work. We singled out a possible firewall problem. The
pflog is quiet and even after a '$pfctl -F rules' we keep the same problem.
A 'tcpdump -i xl1 port 500' shows that both sides receive cookies, but
nothing more:

like this
$ tcpdump -i xl1 port 500
13:24:47.067067 broeahs.net.isakmp > daim.broeahs.net.isakmp: isakmp v1.0
exchange ID_PROT
cookie: 385103343a680645->9c61c0d839d1d9ec msgid: len: 168
13:24:48.878894 daim.broeahs.net.isakmp > broeahs.net.isakmp: isakmp v1.0
exchange ID_PROT
cookie: 7fd785c9ee93e8fe->31884d57a94e56a0 msgid: len: 168

The debuggin' info gives messages like this:
132740.737518 Exch 40 exchange_establish_finalize: finalizing exchange
0x7cdb9b0 0 with arg 0x85e318d0 (daim-dimitri)  fail = 1
132740.736495 SA 90 sa_find: no SA matched query
132641.268445 Default transport_send_messages: giving up on exchange
dimitri, no response from peer 194.109.199.156:500

My question is: What is happening here? How is it possible there is
traffic on both sides on port 500 but the two are not able to get decent
contact?


Thank you in advance.
Daïm

confs follow:

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "our_bad_passw"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

# cat /etc/isakmpd/isakmpd.conf
# $OpenBSD: VPN-east.conf,v 1.7 1999/10/29 07:46:04 todd Exp $
# $EOM: VPN-east.conf,v 1.7 1999/07/18 09:25:34 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[General]
Retransmits= 5
Exchange-max-time=120
Listen-on= xxx.xxx.xxx.xxx
#Shared-SADB= Defined

# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
yyy.yyy.yyy.yyy=dimitri

# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Connections= daim-dimitri

[dimitri]
Phase= 1
Transport= udp
Local-address= xxx.xxx.xxx.xxx
Address= yyy.yyy.yyy.yyy
Configuration= Default-main-mode
Authentication= our_bad_passw

[daim-dimitri]
Phase= 2
ISAKMP-peer= dimitri
Configuration= Default-quick-mode
Local-ID= Net-daim
Remote-ID= Net-dimitri

[Net-daim]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0

[Net-dimitri]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.10.0
Netmask= 255.255.255.0

# Main mode descriptions

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= DES-SHA

# Main mode transforms
##

# DES

[DES-MD5]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS,LIFE_1000_KB

[DES-MD5-NO-VOL-LIFE]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

[DES-SHA]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS,LIFE_1000_KB

# 3DES

[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# Blowfish

[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-MD5-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_185
Life= LIFE_600_SECS,LIFE_1000_KB

[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY

[CAST-SHA]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY

# Quick mode description


[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites=
QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE

[Greenbow-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-SHA-PFS-SUITE

# Quick mode protection suites
##

# DES

[QM-ESP-DES-SUITE]
Protocols= QM-ESP-DES

[QM-ESP-DES-PFS-SUITE]
Protocols= QM-ESP-DES-PFS

[QM-ESP-DES-MD5-SUITE]
Protocols= QM-ESP-DES-MD5


isakmpd problem only cookies

2006-02-06 Thread Daim Willemse

Hello all,

Currently my brother and I try to set up a vpn using isakmpd between two 
OBSD 3.8 boxes. We had a similar vpn working before. We both changed ADSL 
providers and thought it is time for an upgrade. However...


Our vpn refuses to work. We singled out a possible firewall problem. The 
pflog is quiet and even after a '$pfctl -F rules' we keep the same problem. A 
'tcpdump -i xl1 port 500' shows that both sides receive cookies, but nothing 
more:


like this
$ tcpdump -i xl1 port 500
13:24:47.067067 broeahs.net.isakmp > daim.broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT
	cookie: 385103343a680645->9c61c0d839d1d9ec msgid: 00000000 len: 168
13:24:48.878894 daim.broeahs.net.isakmp > broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT
	cookie: 7fd785c9ee93e8fe->31884d57a94e56a0 msgid: 00000000 len: 168

The debuggin' info gives messages like this:
132740.737518 Exch 40 exchange_establish_finalize: finalizing exchange 0x7cdb9b0 0 with arg 0x85e318d0 (daim-dimitri)  fail = 1
132740.736495 SA 90 sa_find: no SA matched query
132641.268445 Default transport_send_messages: giving up on exchange dimitri, no response from peer 194.109.199.156:500


My question is: What is happening here? How is it possible there is traffic 
on both sides on port 500 but the two are not able to get decent contact?



Thank you in advance.
Daom



Re: httpd question - solved

2006-02-06 Thread MikeM
On 2/5/2006 at 11:10 PM Keith Richardson wrote:

|If you get your IP dynamically from you ISP, your IP can potentially 
|change every max-lease-time
|
|This will handle the pesty case of your IP changing.
|
|1. dyndns.org - get a free subdomain to map to your IP. 
|2. ddclient package - updates your DNS whenever your IP changes. 
|
 =

An alternative, now that domain name registrations are so cheap...

Register your own domain and use www.zoneedit.com for your name
servers.

ZoneEdit has the ability to make DNS changes based upon dynamic IP
address changes.
http://www.zoneedit.com/doc/dynamic.html?

Zoneedit is free (as in, no charge) for the typical low-usage
individual hosts.
http://www.zoneedit.com/doc/faq.html#faq6

Also, ZoneEdit's infrastructure is pretty solid.
http://www.zoneedit.com/doc/network.html


(a satisfied customer of ZoneEdit for about four years now...)



Re: Good SMTP and POP proxy for OpenBSD

2006-02-06 Thread Stuart Henderson
On 2006/02/06 14:41, [EMAIL PROTECTED] wrote:
 Smtp proxy?
 You mean an emailserver.

Siju, if you want to do this, look at 'mailertable' in Sendmail or the
equivalent in other MTAs.



Re: inet failover solution

2006-02-06 Thread John R. Shannon
On Monday 06 February 2006 06:46, Nickolay A Burkov wrote:
 Hi, All!

 I have a router with two external ethernet links to two different ISPs.
 Could someone recommend me a good technique to organize failover with these
 two channels (similar to trunk(4) but on higher level)? I thought about
 writing the Perl script to periodically ping destination on master ISP and
 if it is failure, reconfigure routing tables and NAT to slave provider's
 addr. Because this is a very network-topology-dependent thing (timeouts,
 way of checking dst, etc.), I wonder if somebody has good experience with
 this situation.

 br

I use ifstated for that purpose.

-- 
John R. Shannon, CISSP



vpn problem

2006-02-06 Thread plz? yeah plz

Hello all,

Currently my brother and I try to set up a vpn using isakmpd between two 
OBSD 3.8 boxes. We had a similar vpn working before. We both changed ADSL 
providers and thought it is time for an upgrade. However...


Our vpn refuses to work. We singled out a possible firewall problem. The 
pflog is quiet and even after a '$pfctl -F rules' we keep the same problem. A 
'tcpdump -i xl1 port 500' shows that both sides receive cookies, but nothing 
more:


like this
$ tcpdump -i xl1 port 500
13:24:47.067067 broeahs.net.isakmp > daim.broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT
	cookie: 385103343a680645->9c61c0d839d1d9ec msgid: 00000000 len: 168
13:24:48.878894 daim.broeahs.net.isakmp > broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT
	cookie: 7fd785c9ee93e8fe->31884d57a94e56a0 msgid: 00000000 len: 168

The debuggin' info gives messages like this:
132740.737518 Exch 40 exchange_establish_finalize: finalizing exchange 0x7cdb9b0 0 with arg 0x85e318d0 (daim-dimitri)  fail = 1
132740.736495 SA 90 sa_find: no SA matched query
132641.268445 Default transport_send_messages: giving up on exchange dimitri, no response from peer 194.109.199.156:500


My question is: What is happening here? How is it possible there is traffic 
on both sides on port 500 but the two are not able to get decent contact?



Thank you in advance.
Daom

confs follow:

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: POLICY
Licensees: our_bad_passw
Conditions: app_domain == IPsec policy &&
esp_present == yes &&
esp_enc_alg != null -> true;

# cat /etc/isakmpd/isakmpd.conf
# $OpenBSD: VPN-east.conf,v 1.7 1999/10/29 07:46:04 todd Exp $
# $EOM: VPN-east.conf,v 1.7 1999/07/18 09:25:34 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[General]
Retransmits= 5
Exchange-max-time=120
Listen-on= xxx.xxx.xxx.xxx
#Shared-SADB= Defined

# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
yyy.yyy.yyy.yyy=dimitri

# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Connections= daim-dimitri

[dimitri]
Phase= 1
Transport= udp
Local-address= xxx.xxx.xxx.xxx
Address= yyy.yyy.yyy.yyy
Configuration= Default-main-mode
Authentication= our_bad_passw

[daim-dimitri]
Phase= 2
ISAKMP-peer= dimitri
Configuration= Default-quick-mode
Local-ID= Net-daim
Remote-ID= Net-dimitri

[Net-daim]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0

[Net-dimitri]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.10.0
Netmask= 255.255.255.0

# Main mode descriptions

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= DES-SHA

# Main mode transforms
##

# DES

[DES-MD5]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS,LIFE_1000_KB

[DES-MD5-NO-VOL-LIFE]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

[DES-SHA]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS,LIFE_1000_KB

# 3DES

[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# Blowfish

[BLF-SHA-M1024]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-MD5-EC155]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_155
Life= LIFE_600_SECS,LIFE_1000_KB

[BLF-SHA-EC185]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= EC2N_185
Life= LIFE_600_SECS,LIFE_1000_KB

[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY

[CAST-SHA]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY

# Quick mode description


[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= 
QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE


[Greenbow-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-SHA-PFS-SUITE

# Quick mode protection suites
##

# DES

[QM-ESP-DES-SUITE]
Protocols= QM-ESP-DES

[QM-ESP-DES-PFS-SUITE]
Protocols= QM-ESP-DES-PFS

[QM-ESP-DES-MD5-SUITE]
Protocols= 
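
When isakmpd logs "giving up on exchange ... no response from peer" the first thing worth ruling out is the config itself: a Phase 2 connection points at a peer, the peer at a main-mode configuration, that at transforms, and the quick-mode configuration at suites, and any link in that chain that names a section the file does not define is a silent failure. The script below is an added example (not from Daim's mail, which appears twice above under "isakmpd problem only cookies" and "vpn problem", nor from isakmpd itself): it parses the posted isakmpd.conf, walks those references from the [Phase 1] and [Phase 2] roots, lists dangling targets and unreachable sections, and cross-checks each Phase 1 peer against its Address= and the [General] Listen-on. The sample config is a cut-down copy of the one posted, with the mail-wrapped Suites= line rejoined; the function names are my own. One caveat when reading its output: isakmpd ships compiled-in definitions for the standard QM-ESP-*-SUITE names, so a suite reported as "not defined in this file" is something to verify against those defaults rather than a certain error.

```python
# Constructed from the isakmpd.conf posted above, cut down to the sections the
# reference walk touches; the Suites= value the mail wrapped is on one line again.
SAMPLE_CONF = """\
[General]
Listen-on= xxx.xxx.xxx.xxx
[Phase 1]
yyy.yyy.yyy.yyy=dimitri
[Phase 2]
Connections= daim-dimitri
[dimitri]
Phase= 1
Local-address= xxx.xxx.xxx.xxx
Address= yyy.yyy.yyy.yyy
Configuration= Default-main-mode
[daim-dimitri]
Phase= 2
ISAKMP-peer= dimitri
Configuration= Default-quick-mode
Local-ID= Net-daim
Remote-ID= Net-dimitri
[Net-daim]
ID-type= IPV4_ADDR_SUBNET
[Net-dimitri]
ID-type= IPV4_ADDR_SUBNET
[Default-main-mode]
Transforms= DES-SHA
[DES-SHA]
ENCRYPTION_ALGORITHM= DES_CBC
[Default-quick-mode]
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
[QM-ESP-DES-MD5-SUITE]
Protocols= QM-ESP-DES-MD5
"""

# Keys whose values name other sections; True means a comma-separated list.
REF_KEYS = {"Connections": True, "ISAKMP-peer": False, "Configuration": False,
            "Local-ID": False, "Remote-ID": False, "Transforms": True,
            "Suites": True, "Protocols": True}

def parse_conf(text):
    """Minimal reader for isakmpd's [Section] / Key= Value format (hypothetical helper)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def references_of(name, section):
    """Yield (key, target) for every other section this one points at."""
    if name == "Phase 1":                 # here every value is a peer section name
        yield from section.items()
        return
    for key, is_list in REF_KEYS.items():
        if key in section:
            for target in (split_list(section[key]) if is_list else [section[key]]):
                yield key, target

def check_references(sections, roots=("Phase 1", "Phase 2")):
    """Walk from the roots; return dangling references and sections nothing reaches."""
    missing, visited, todo = [], set(), list(roots)
    while todo:
        name = todo.pop()
        if name in visited or name not in sections:
            continue
        visited.add(name)
        for key, target in references_of(name, sections[name]):
            if target not in sections:
                if (name, key, target) not in missing:
                    missing.append((name, key, target))
            elif target not in visited:
                todo.append(target)
    unreferenced = sorted(set(sections) - visited - {"General", *roots})
    return missing, unreferenced

def check_peers(sections):
    """Cross-check each [Phase 1] peer against its own section and Listen-on."""
    problems = []
    listen = split_list(sections.get("General", {}).get("Listen-on", ""))
    for addr, peer in sections.get("Phase 1", {}).items():
        p = sections.get(peer, {})
        if p.get("Address") != addr:
            problems.append(f"[Phase 1] maps {addr} to [{peer}] but its Address= {p.get('Address')}")
        if listen and p.get("Local-address") not in listen:
            problems.append(f"[{peer}] Local-address= {p.get('Local-address')} is not in Listen-on")
    return problems

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    missing, dead = check_references(conf)
    for sec, key, target in missing:
        print(f"[{sec}] {key}= refers to [{target}], which this file does not define")
    for sec in dead:
        print(f"[{sec}] is defined but nothing reaches it")
    for problem in check_peers(conf):
        print(problem)
```

Run against the posted config, the walk reports the two PFS suites named under [Default-quick-mode] as not defined in the file and [QM-ESP-DES-MD5-SUITE] as defined but never used, which is the kind of mismatch worth comparing against the peer's config before suspecting the firewall.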

rdist notify@ broken?

2006-02-06 Thread Matthew S Elmore

Greetings misc@,

I am using rdist (with ssh as the transport) to update files from one 
machine to another.


This works fine, except that it does not send the notify message once it 
is complete. When running rdist from the command line, it hangs here:


$ sudo rdist -o remove -f /etc/Distfile.notifytest
testhost: updating host testhost
testhost: notify @testhost ( test@test.com )


(obviously I swapped out users and hosts for this mail)

When this happens I see sendmail in the process list:
11497 p0  I+  0:00.02 /usr/sbin/sendmail -oi -t

But the mail never sends.

Here is the distfile:

HOSTS = ( testhost )
FILES = (
/etc/resolv.conf
)

default:
${FILES} -> ${HOSTS}
notify test@test.com ;

And of course, the obligatory dmesg below.

Thanks,
Matt

OpenBSD 3.8-stable (xxx) #1: Tue Jan 24 16:08:05 CST 2006
    [EMAIL PROTECTED]:/usr/obj/xxx
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,CNXT-ID
real mem  = 1072193536 (1047064K)
avail mem = 971747328 (948972K)
using 4278 buffers containing 53710848 bytes (52452K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(91) BIOS, date 03/09/05, BIOS32 rev. 0 @ 0xfb790
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdf64
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde60/240 (13 entries)
pcibios0: PCI Exclusive IRQs: 5 7 9 10 11 12
pcibios0: no compatible PCI ICU found: ICU vendor 0x8086 product 0x25a1
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x2200
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82875P AGP" rev 0x02
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 "Intel 82875P PCI-CSA" rev 0x02
pci2 at ppb1 bus 2
em0 at pci2 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq 10, address: 00:30:48:82:95:02
ppb2 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci3 at ppb2 bus 3
ami0 at pci3 dev 1 function 0 "Symbios Logic MegaRAID" rev 0x01: irq 9 LSI 523 64b/lhc
ami0: FW 713N, BIOS vG119, 64MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: <AMI, Host drive #00, > SCSI2 0/direct fixed
sd0: 152623MB, 19456 cyl, 255 head, 63 sec, 512 bytes/sec, 312571904 sec total
scsibus1 at ami0: 16 targets
vendor "Marvell", unknown product 0x5041 (class mass storage subclass RAID, rev 0x00) at pci3 dev 4 function 0 not configured
ppb3 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a
pci4 at ppb3 bus 4
trm0 at pci4 dev 2 function 0 "Tekram DC-3x5U" rev 0x01: irq 11
scsibus2 at trm0: 8 targets
trm0: target 1 using 8 bit 10.0 MHz, Offset 15 data transfers
st0 at scsibus2 targ 1 lun 0: <ARCHIVE, Python 04106-XXX, 7550> SCSI2 1/sequential removable
st0: drive empty or not ready
vga1 at pci4 dev 9 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em1 at pci4 dev 10 function 0 "Intel PRO/1000MT (82541GI)" rev 0x00: irq 5, address: 00:30:48:82:95:03
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus3 at atapiscsi0: 2 targets
cd0 at scsibus3 targ 0 lun 0: <LITE-ON, DVD SOHD-16P9SV, F$01> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 31 function 2 "Intel 6300ESB SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: couldn't map channel 0 cmd regs
pciide1: couldn't map channel 1 cmd regs
"Intel 6300ESB SMBus" rev 0x02 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lm0 at isa0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fbc5 netmask ffe5 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02



Re: OpenBGPD OPEN Error

2006-02-06 Thread Karl Austin

Henning Brauer wrote:

wait, I think I see a bug and "announce capabilities no" doesn't work :)
please try this diff.

Index: session.c
===
RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
retrieving revision 1.243
diff -u -p -r1.243 session.c
--- session.c   24 Jan 2006 10:08:16 -  1.243
+++ session.c   6 Feb 2006 12:01:08 -
@@ -1200,7 +1200,7 @@ session_open(struct peer *p)
if (p-capa.ann.refresh)
op_len += 2 + 0;/* 1 code + 1 len, no data */
 
-	if (op_len  0)

+   if (p-conf.announce_capa  op_len  0)
optparamlen = sizeof(op_type) + sizeof(op_len) + op_len;
len = MSGSIZE_OPEN_MIN + optparamlen;
 
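Review bot: the archived copy of this hunk has lost its operators, so the added condition should be read as `if (p->conf.announce_capa && op_len > 0)`; the point to check is that the lines just above it still accumulate `op_len` unconditionally (`op_len += 2 + 0;` whenever refresh is enabled), so whatever code later writes the optional-parameter block into the OPEN must be gated on the same `p->conf.announce_capa` test, otherwise `len` (now computed from an `optparamlen` of 0) and the bytes actually written will disagree and the peer will see a malformed OPEN. A one-line comment noting that the two checks must stay in sync would help the next reader.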

however, after receiving a Optional Parameter Error notification, 
OpenBGPD should quickly retry without any capabilities announced (and thus 
optional parameters) on its own. did you wait for the second trial?

Just tried from CVS with the patch applied and still the same :(

I do have what I believe is the open packet as sent to the BD, 
unfortunately it's not top drawer at logging these things, logged in hex:


02/06/2006 15:06.21 DBUG:KERN 0x08815b0fd0: 
00  *
02/06/2006 15:06.21 DBUG:KERN 0x08815b0fc0: 00 21 01 04 78 d5 00 5a c1 
97 7c 06 04 02 02 02 *!**x**Z**|*
02/06/2006 15:06.21 DBUG:KERN 0x08815b0fb0: ff ff ff ff ff ff ff ff ff 
ff ff ff ff ff ff ff 



Thanks,

Karl
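
The three hex rows Karl logged are the OPEN as it went on the wire, printed from the highest address down, so read in reverse they are the 16-byte marker, then `00 21 01 04 78 d5 00 5a c1 97 7c 06 04 02 02 02`, then the final `00`. The decoder below is an added example (not code from the thread or from OpenBGPD) that parses a BGP OPEN with the strict length checks a peer would apply and prints the optional parameters, which is exactly the part an "Optional Parameter Error" notification complains about; the byte string is reassembled from Karl's dump, and the function names are my own.

```python
import ipaddress
import struct

# Constructed from the three 16-byte rows in Karl's debug log, put back into
# address order (the logger printed the highest address first):
#   0x...fb0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   marker
#   0x...fc0  00 21 01 04 78 d5 00 5a c1 97 7c 06 04 02 02 02   header + OPEN body
#   0x...fd0  00                                                last capability byte
OPEN_DUMP_HEX = (
    "ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff "
    "00 21 01 04 78 d5 00 5a c1 97 7c 06 04 02 02 02 "
    "00"
)

BGP_MARKER = b"\xff" * 16
BGP_TYPE_OPEN = 1
OPT_PARAM_CAPABILITIES = 2          # optional parameter type carrying capabilities
CAPABILITY_NAMES = {1: "multiprotocol", 2: "route-refresh",
                    64: "graceful-restart", 65: "4-octet-as"}

def parse_capabilities(value):
    """Decode the (code, length, value) triples inside a capabilities parameter."""
    caps, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated capability header")
        code, clen = value[pos], value[pos + 1]
        cval = value[pos + 2:pos + 2 + clen]
        if len(cval) != clen:
            raise ValueError(f"capability {code} claims {clen} bytes, {len(cval)} present")
        caps.append({"code": code, "name": CAPABILITY_NAMES.get(code, "unknown"), "value": cval})
        pos += 2 + clen
    return caps

def parse_open(raw):
    """Parse one BGP OPEN message (RFC 4271 section 4.2), rejecting length mismatches."""
    if len(raw) < 19 or raw[:16] != BGP_MARKER:
        raise ValueError("missing BGP marker")
    length, msg_type = struct.unpack("!HB", raw[16:19])
    if msg_type != BGP_TYPE_OPEN:
        raise ValueError(f"not an OPEN message (type {msg_type})")
    if length != len(raw):
        raise ValueError(f"length field says {length}, {len(raw)} bytes captured")
    if length < 29:
        raise ValueError("OPEN shorter than its fixed fields")
    version, asn, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", raw[19:29])
    if 29 + opt_len != length:
        raise ValueError("optional parameters length does not match message length")
    params, body, pos = [], raw[29:], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated optional parameter header")
        ptype, plen = body[pos], body[pos + 1]
        pval = body[pos + 2:pos + 2 + plen]
        if len(pval) != plen:
            raise ValueError(f"optional parameter {ptype} claims {plen} bytes, {len(pval)} present")
        params.append({"type": ptype, "value": pval,
                       "capabilities": parse_capabilities(pval) if ptype == OPT_PARAM_CAPABILITIES else None})
        pos += 2 + plen
    return {"version": version, "asn": asn, "hold_time": hold_time,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "params": params}

def decode_dump(hex_text):
    """Convenience wrapper: hex text as logged -> parsed OPEN."""
    return parse_open(bytes.fromhex(hex_text))

if __name__ == "__main__":
    msg = decode_dump(OPEN_DUMP_HEX)
    print(f"OPEN v{msg['version']} from AS {msg['asn']}, id {msg['bgp_id']}, hold {msg['hold_time']}s")
    for p in msg["params"]:
        print(f"  optional parameter type {p['type']}: {p['capabilities']}")
```

Decoded, the dump is a version 4 OPEN carrying a single optional parameter of type 2 with one zero-length route-refresh capability, so the capability announcement is still present in what the remote end received; that is the thing to compare against what the patched session.c was meant to suppress.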



writing to /var/log/ftpd

2006-02-06 Thread Paolo Supino

Hi

 Is it possible to have normal people's ftp file transfers logged to 
/var/log/ftpd?




TIA
Paolo



firewall (pf): where to view current scrub settings

2006-02-06 Thread mgEDV.net
hi,

if I, for example, set up scrub max-mss 1462 in my pf.conf,
where can I see that these values have been set? is there any
command that shows the current scrub rules/states?

btw., has anybody had a look at my other posting regarding the macros
for filenames in table statements?

br, mdff..



Re: writing to /var/log/ftpd

2006-02-06 Thread Falk Husemann

RTFM.



Re: writing to /var/log/ftpd

2006-02-06 Thread Paolo Supino

Hi Joel

There is a special case where anonymous ftp transfers are written to 
/var/log/ftpd (when using the double 'l' switch). When writing to 
/var/log/ftpd it uses a different file format than the one used when 
writing to /var/log/xferlog. I'm interested in the information and 
not the name of the file.




TIA
Paolo


Joel Dinel wrote:


On 02/06/06 at 11:03, Paolo Supino wrote:
 


Hi

Is it possible to have normal people's ftp file transfers logged to 
/var/log/ftpd?
   



syslog.conf states that ftp stuff is logged to /var/log/xferlog. Just
change that to /var/log/ftpd, -HUP inetd (or your ftpd), and don't
forget to add /var/log/ftpd to /etc/newsyslog.conf (you can just change
the existing 'xferlog' line in newsyslog.conf to read 'ftpd' instead).




Re: writing to /var/log/ftpd

2006-02-06 Thread Roy Morris

Paolo Supino wrote:

Hi

 Is it possible to have normal people's ftp file transfers logged to 
/var/log/ftpd?




TIA
Paolo




man ftpd, you are looking for -l x2 me thinks ..

--
Roy Morris



Re: SpamD, Postfix and mobile users

2006-02-06 Thread Bob Beck
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2006-02-03 15:11]:
 Thanks a bunch fella's.
 
 I got TLS working. Except for the fact that I cannot use port 587 in
 (yes I know) Outlook Express. If I keep it at port 25, everything runs
 like a charm. The server is listening on port tcp 587. However, the
 connection gets shut right after the first connect. Perhaps it's an
 Outlook Express bug. I'll test it with firefox tomorrow.
 
 Thanks again.
 

  It is also, exactly, what we do here. Our users use port 587 for
  this, NOT port 25

Outhouse express is a wormy pile of moose faeces.. Having said that
our users also use it - and for this reason we also speak smtps on
port 465 - we just use it just like port 587 - Outhouse express (and
regular Outhouse) will use port 465 just fine, and it's not terribly
hard to get users to use it:

http://www.ualberta.ca/HELP/email/outlook.html?menu=3-8:0

has our version of the 8x10 color glossy screenshots with circles and
arrows and a paragraph on the back of each one explaining what each
one is that seems to be necessary to teach windows users anything more
complicated than washing their hands after wiping their butts. 

-Bob



users filling partitions crashing system

2006-02-06 Thread MikeyG

Hi,
I'm seeing a recurring problem whereby a user's process is causing the 
system to crash by (I believe) filling up the /tmp partition. Twice this 
week this has happened shortly after I have renice-d a resource-hungry 
bittorrent download I've seen a user running.


I have sensible user block quotas set on the /home partition and 
everywhere else besides /tmp that the users could be putting data, and 
there is of course the 5% of space reserved on all partitions. 
Everything divided into separate partitions as recommended. /tmp is 
virtually unused most of the time so I can't figure out what might be 
happening.


When the system comes back up everything appears to be fine, /tmp having 
been emptied by rc.  There seems to be nothing logged to tell me what 
might have happened so I'm just left scratching my head.


Does anyone have any ideas, or suggest ways of getting more diagnostic 
information?


Thanks
Mike

$ uname -a
OpenBSD xxx.xxx.xxx 3.7 GENERIC#50 i386

$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      251M   82.3M    156M    35%    /
/dev/wd0h     36.5G   13.7G   20.9G    40%    /home
/dev/wd0i     36.5G   25.0G    9.6G    72%    /home2
/dev/wd0d      251M   26.0K    238M     0%    /tmp
/dev/wd0e     1006M    356M    600M    37%    /usr
/dev/wd0f      251M   86.7M    152M    36%    /var

$ mount
/dev/wd0a on / type ffs (local, softdep)
/dev/wd0h on /home type ffs (local, nodev, nosuid, with quotas, softdep)
/dev/wd0i on /home2 type ffs (local, nodev, with quotas, softdep)
/dev/wd0d on /tmp type ffs (local, nodev, noexec, nosuid, softdep)
/dev/wd0e on /usr type ffs (local, nodev, softdep)
/dev/wd0f on /var type ffs (local, nodev, nosuid, softdep)



Re: users filling partitions crashing system

2006-02-06 Thread Bryan Irvine
 When the system comes back up everything appears to be fine, /tmp having
 been emptied by rc.  There seems to be nothing logged to tell me what
 might have happened so I'm just left scratching my head.

After a crash boot into single user and see what's in /tmp.



Re: nmap Issue on 3.8-release?

2006-02-06 Thread Joachim Schipper
On Sun, Feb 05, 2006 at 10:03:57PM -0500, Melameth, Daniel D. wrote:
 Joachim Schipper wrote:
  On Fri, Feb 03, 2006 at 10:02:32PM -0500, Melameth, Daniel D. wrote:
   An nmap scan gives me this:
   
   $ sudo nmap 208.139.x.x
   
   Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-02-03
   19:45 MST
   Note: Host seems down. If it is really up, but blocking our ping
   probes, try -P0
   Nmap finished: 1 IP address (0 hosts up) scanned in 2.109 seconds 
   
   Which I follow up with a:
   
   $ ping -c 5 208.139.x.x
   PING 208.139.x.x (208.139.x.x): 56 data bytes
   64 bytes from 208.139.x.x: icmp_seq=0 ttl=239 time=91.979 ms

   --- 208.139.x.x ping statistics ---
   5 packets transmitted, 5 packets received, 0.0% packet loss
   round-trip min/avg/max/std-dev = 82.354/86.470/91.979/3.295 ms
   
   Running while the above is happening, tcpdumps yield:

   $ sudo tcpdump -qni pflog0
   tcpdump: WARNING: pflog0: no IPv4 address assigned
   tcpdump: listening on pflog0, link-type PFLOG

   I'm not certain where to look next.
  
  Look into what the return packets actually contain. If, for instance,
  the remote end is an OpenBSD firewall that has been configured
  explicitly to drop nmap (using pf's passive OS recognition feature,
  for instance), you'd see exactly what you see now.
  (Discarding OpenBSD for a while, almost any decent firewall can be
  configured to drop traffic that looks like it came from nmap.)
  
  And the return packets are not too useful - is that first icmp packet
  an echo reply or a destination-unreachable notice? And the TCP packet
  - is it a SYN/ACK or RST packet?
 
 The remote end is an OpenBSD machine that has not been configured to
 drop nmap packets and allows incoming ssh and http connections.
 
 On second thought, I'm not certain why I made tcpdump quiet--habit
 perhaps.  Here is the same test with more verbosity:
 
 
 $ sudo nmap 208.139.x.x
 
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-02-05 19:43
 MST
 Note: Host seems down. If it is really up, but blocking our ping probes,
 try -P0
 Nmap finished: 1 IP address (0 hosts up) scanned in 2.163 seconds
 
 $ ping -c 5 208.139.x.x
 PING 208.139.x.x (208.139.x.x): 56 data bytes
 64 bytes from 208.139.x.x: icmp_seq=0 ttl=239 time=85.137 ms
 64 bytes from 208.139.x.x: icmp_seq=1 ttl=239 time=83.103 ms
 64 bytes from 208.139.x.x: icmp_seq=2 ttl=239 time=90.038 ms
 64 bytes from 208.139.x.x: icmp_seq=3 ttl=239 time=86.490 ms
 64 bytes from 208.139.x.x: icmp_seq=4 ttl=239 time=92.098 ms
 --- 208.139.x.x ping statistics ---
 5 packets transmitted, 5 packets received, 0.0% packet loss
 round-trip min/avg/max/std-dev = 83.103/87.373/92.098/3.274 ms
 
 $ sudo tcpdump -ni pppoe0 host 208.139.x.x
 tcpdump: listening on pppoe0, link-type PPP_ETHER
 19:43:01.507785 209.180.x.x > 208.139.x.x: icmp: echo request
 19:43:01.507980 209.180.x.x.60199 > 208.139.x.x.80: . ack 2409580574 win 1024
 19:43:01.595748 208.139.x.x > 209.180.x.x: icmp: echo reply
 19:43:01.600100 208.139.x.x.80 > 209.180.x.x.60199: R 2409580574:2409580574(0) win 0 (DF)
 19:43:02.520065 209.180.x.x > 208.139.x.x: icmp: echo request
 19:43:02.520244 209.180.x.x.60200 > 208.139.x.x.80: . ack 2829011038 win 1024
 19:43:02.609989 208.139.x.x > 209.180.x.x: icmp: echo reply
 19:43:02.611334 208.139.x.x.80 > 209.180.x.x.60200: R 2829011038:2829011038(0) win 0 (DF)
 19:43:37.650310 209.180.x.x > 208.139.x.x: icmp: echo request
 19:43:37.735247 208.139.x.x > 209.180.x.x: icmp: echo reply
 19:43:38.660020 209.180.x.x > 208.139.x.x: icmp: echo request
 19:43:38.743035 208.139.x.x > 209.180.x.x: icmp: echo reply
 19:43:39.669973 209.180.x.x > 208.139.x.x: icmp: echo request
 19:43:39.759944 208.139.x.x > 209.180.x.x: icmp: echo reply
 19:43:40.679970 209.180.x.x > 208.139.x.x: icmp: echo request
 19:43:40.766399 208.139.x.x > 209.180.x.x: icmp: echo reply
 19:43:41.689986 209.180.x.x > 208.139.x.x: icmp: echo request
 19:43:41.781991 208.139.x.x > 209.180.x.x: icmp: echo reply
 
 $ sudo tcpdump -ni pflog0
 tcpdump: WARNING: pflog0: no IPv4 address assigned
 tcpdump: listening on pflog0, link-type PFLOG
 
 
 So the return packets are definitely coming back, but nmap is not seeing
 them.  (On the TCP end, it appears nmap is sending an ACK and the target
 is send a RST.)

Looks strange. Unless I am mistaken, though, you check the output of
nmap against a trace of ping. Could you please post a tcpdump for nmap?

Also, check /etc/pf.conf for any rules marked block without being marked
log; and please post your routing table if it's interesting.

Joachim



Re: need help with pf tcpdump

2006-02-06 Thread Joachim Schipper
On Mon, Feb 06, 2006 at 01:10:20AM -0800, David Benfell wrote:
 Hello all,
 
 I'm trying to debug my packet filtering rules.  The problem is that
 messages sent from my internal network are not getting through to the
 SMTP host on my OpenBSD 3.8-CURRENT system.
 
 The only output I'm getting from tcpdump is:
 Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65248 > 192.168.19.242.25: S 3208584508:3208584508(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120409 0> (DF)
 Feb 06 00:56:09.237735 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65248: S 3124286715:3124286715(0) ack 3208584509 win 0 <mss 1460> (DF) [tos 0x10]
 Feb 06 00:56:09.238491 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65248 > 192.168.19.242.25: . ack 1 win 65535 (DF)
 Feb 06 00:56:09.954495 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65249 > 192.168.19.242.25: S 2319452229:2319452229(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120411 0> (DF)
 Feb 06 00:56:09.954545 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65249: S 2347749644:2347749644(0) ack 2319452230 win 0 <mss 1460> (DF) [tos 0x10]
 Feb 06 00:56:09.955300 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65249 > 192.168.19.242.25: . ack 1 win 65535 (DF)
 
 192.168.19.242 is the OpenBSD system.  192.168.18.47 is my laptop.
 Beyond that, I have no clue what this means.  And all I know is that
 the SMTP logs show on the OpenBSD system show no sign of contact.
 
 On the laptop:
 2006-02-06 00:56:08.528514500 starting delivery 812: msg 36185520 to remote 
 [EMAIL PROTECTED]
 2006-02-06 00:56:08.528522500 status: local 0/10 remote 3/20
 2006-02-06 00:56:08.528523500 starting delivery 813: msg 36182781 to remote 
 [EMAIL PROTECTED]
 2006-02-06 00:56:08.528527500 status: local 0/10 remote 4/20
 2006-02-06 01:00:39.530878500 delivery 810: deferral: 
 Connected_to_192.168.19.242_but_connection_died._(#4.4.2)/
 2006-02-06 01:00:39.530885500 status: local 0/10 remote 3/20
 
 Both systems are running qmail.  A copy of my /etc/pf.conf is
 attached.
 
 -- 
 David Benfell, LCP
 [EMAIL PROTECTED]
 ---
 Resume available at http://www.parts-unknown.org/
 # $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
 #
 # See pf.conf(5) and /usr/share/pf for syntax and examples.
 # Required order: options, normalization, queueing, translation, filtering.
 # Macros and tables may be defined and used anywhere.
 # Note that translation rules are first match while filter rules are last 
 match.
 
 # Macros: define common values, so they can be referenced and changed easily.
 #ext_if=ext0# replace with actual external interface name i.e., dc0
 ext_if=xl0
 #int_if=int0# replace with actual internal interface name i.e., dc1
 int_if=dc0
 dmz_if=sf3
 pub_if=sf0
 lupin_if=sf1
 #internal_net=10.1.1.1/8
 internal_net=192.168.18.1/24
 external_addr=66.93.170.242
 routable_subnet=66.93.170.241/28
 dmz_net=192.168.19.0/24
 dmz_addr=192.168.19.242
 mta_ad = 192.168.19.242
 mta_pt = 25
 dhcp_net=192.168.20.0/24
 lupin_net=192.168.100.0/24
 public_admin_net=192.168.17.0/24
 starshine=216.240.40.161/27
 allowed_nets={ $starshine, $dmz_net, $internal_net }
 trusted_external={ 12.22.55.0/24 24.23.206.48/32 64.0.0.0/4 134.154.0.0/16 216.240.40.161/27 166.154.0.0/16 166.147.140.0/24 198.144.195.188/32 4.4.0.0/16 207.47.24.0/24 208.54.15.0/24 209.172.123.0/24 }
 #   Doubletree  King's Head  Local  CSU Hayward  starshine.org  Verizon Wireless
 earth_ext=66.93.170.243
 earth_dmz=192.168.19.243
 earth_int=192.168.18.43
 dnscache=192.168.19.4
 kindling_ext=66.93.170.244
 kindling_int=192.168.19.244
 home_ext=66.93.170.245
 home_int=192.168.18.44
 raven_ext=66.93.170.246
 raven_int=192.168.18.45
 lair_ext=66.93.170.247
 lair_int=192.168.18.46
 thunder_ext=66.93.170.248
 thunder_int=192.168.18.47
 lupin_ext=66.93.170.254
 non_routable={ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
 macintoshes={ $lair_ext, $lair_int, $thunder_ext, $thunder_int }
 linux_pcs={ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int, 
 $raven_ext, $raven_int }
 auth_local={ $lair_ext, $lair_int, $thunder_ext, $thunder_int \
   $earth_ext, $earth_dmz, $dnscache, $kindling_ext, $kindling_int, 
 $home_ext, $home_int, $raven_ext, $raven_int }
 lupin_router=192.168.100.1
 lupin_net=192.168.100.0/24
 dmz_services=port { smtp, pop3, http, ftp-data, ftp, domain, ntp }
 tcp_udp=proto { tcp, udp }
 in_out={ in, out }
 
 # Tables: similar to macros, but more flexible for many addresses.
 #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
 
 # Options: tune the behavior of pf, default values are given.
 #set timeout { interval 30, frag 10 }
 #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
 #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
 #set timeout { udp.first 60, udp.single 30, 
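
The trace David posted (quoted above) shows two connections to port 25 that complete the three-way handshake and then go silent, with the server side advertising `win 0` in its SYN/ACK and qmail on the laptop later reporting "connection died". The script below is an added example, not code from the thread: it parses OpenBSD `tcpdump -e` lines of that shape, reassembles each client-to-server connection from its 4-tuple, and reports handshakes that finish without any payload, resets, and zero receive windows from the server, which is the checklist to run through before blaming pf. The sample trace is constructed from the six frames in the mail (with the `>` and `<...>` characters the list archive stripped put back); the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: the six frames quoted in the mail, as tcpdump -e prints
# them on OpenBSD, with the '>' and '<...>' the list archive stripped put back.
SAMPLE_TRACE = """\
Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65248 > 192.168.19.242.25: S 3208584508:3208584508(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120409 0> (DF)
Feb 06 00:56:09.237735 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65248: S 3124286715:3124286715(0) ack 3208584509 win 0 <mss 1460> (DF) [tos 0x10]
Feb 06 00:56:09.238491 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65248 > 192.168.19.242.25: . ack 1 win 65535 (DF)
Feb 06 00:56:09.954495 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65249 > 192.168.19.242.25: S 2319452229:2319452229(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120411 0> (DF)
Feb 06 00:56:09.954545 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65249: S 2347749644:2347749644(0) ack 2319452230 win 0 <mss 1460> (DF) [tos 0x10]
Feb 06 00:56:09.955300 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65249 > 192.168.19.242.25: . ack 1 win 65535 (DF)
"""

# One tcpdump -e line: timestamp, MACs, ethertype, frame length, then the TCP part.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) (?P<smac>\S+) (?P<dmac>\S+) (?P<etype>\w+) (?P<flen>\d+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$"
)
WIN_RE = re.compile(r"\bwin (\d+)")
PAYLOAD_RE = re.compile(r"\d+:\d+\((\d+)\)")   # seq:seq(len) appears only with data or SYN/FIN
ACK_RE = re.compile(r"\back\b")

def parse_line(line):
    """Return the fields of one TCP frame, or None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    win = WIN_RE.search(d["rest"])
    payload = PAYLOAD_RE.search(d["rest"])
    return {
        "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "syn": "S" in d["flags"], "rst": "R" in d["flags"], "fin": "F" in d["flags"],
        "ack": ACK_RE.search(d["rest"]) is not None,
        "win": int(win.group(1)) if win else None,
        "payload": int(payload.group(1)) if payload else 0,
    }

def analyse_flows(trace, server_port=25):
    """Group frames into client->server connections keyed by the 4-tuple."""
    flows = OrderedDict()
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dport"] == server_port:
            key, from_client = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]), True
        elif pkt["sport"] == server_port:
            key, from_client = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]), False
        else:
            continue
        f = flows.setdefault(key, {"syn": False, "synack": False, "ack": False, "rst": False,
                                   "server_win": None, "client_bytes": 0, "server_bytes": 0})
        if from_client:
            if pkt["syn"] and not pkt["ack"]:
                f["syn"] = True
            elif pkt["ack"] and not pkt["syn"]:
                f["ack"] = True
            f["client_bytes"] += pkt["payload"]
        else:
            if pkt["syn"] and pkt["ack"]:
                f["synack"] = True
                f["server_win"] = pkt["win"]          # window the server offers the client
            f["server_bytes"] += pkt["payload"]
        f["rst"] = f["rst"] or pkt["rst"]
    return flows

def findings(flows):
    """Turn per-flow state into the observations a troubleshooter wants to see."""
    report = []
    for key, f in flows.items():
        complete = f["syn"] and f["synack"] and f["ack"]
        notes = []
        if not complete:
            notes.append("three-way handshake did not complete")
        if f["rst"]:
            notes.append("connection was reset")
        if f["synack"] and f["server_win"] == 0:
            notes.append("server advertised a zero receive window in its SYN/ACK")
        if complete and f["server_bytes"] == 0:
            notes.append("no payload from the server after the handshake (no SMTP banner in the trace)")
        report.append({"flow": key, "handshake_complete": complete, "notes": notes})
    return report

if __name__ == "__main__":
    for item in findings(analyse_flows(SAMPLE_TRACE)):
        client, cport, server, sport = item["flow"]
        print(f"{client}:{cport} -> {server}:{sport}: " + "; ".join(item["notes"] or ["looks normal"]))
```

On the posted frames both connections come out as handshake complete, no reset, zero window from the server and no server payload; a pf block would normally show up as an incomplete handshake (and a pflog entry), so that result points the investigation at the SMTP host end of the connection rather than at the filter rules.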

Re: nmap Issue on 3.8-release?

2006-02-06 Thread Okan Demirmen
On Mon 2006.02.06 at 20:31 +0100, Joachim Schipper wrote:
 On Sun, Feb 05, 2006 at 10:03:57PM -0500, Melameth, Daniel D. wrote:
  Joachim Schipper wrote:
   On Fri, Feb 03, 2006 at 10:02:32PM -0500, Melameth, Daniel D. wrote:
An nmap scan gives me this:

$ sudo nmap 208.139.x.x

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-02-03
19:45 MST
Note: Host seems down. If it is really up, but blocking our ping
probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.109 seconds 

Which I follow up with a:

$ ping -c 5 208.139.x.x
PING 208.139.x.x (208.139.x.x): 56 data bytes
64 bytes from 208.139.x.x: icmp_seq=0 ttl=239 time=91.979 ms
 
--- 208.139.x.x ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 82.354/86.470/91.979/3.295 ms

Running while the above is happening, tcpdumps yield:
 
$ sudo tcpdump -qni pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
 
I'm not certain where to look next.
   
   Look into what the return packets actually contain. If, for instance,
   the remote end is an OpenBSD firewall that has been configured
   explicitly to drop nmap (using pf's passive OS recognition feature,
   for instance), you'd see exactly what you see now.
   (Discarding OpenBSD for a while, almost any decent firewall can be
   configured to drop traffic that looks like it came from nmap.)
   
   And the return packets are not too useful - is that first icmp packet
   an echo reply or a destination-unreachable notice? And the TCP packet
   - is it a SYN/ACK or RST packet?
  
  The remote end is an OpenBSD machine that has not been configured to
  drop nmap packets and allows incoming ssh and http connections.
  
  On second thought, I'm not certain why I made tcpdump quiet--habit
  perhaps.  Here is the same test with more verbosity:
  
  
  $ sudo nmap 208.139.x.x
  
  Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-02-05 19:43
  MST
  Note: Host seems down. If it is really up, but blocking our ping probes,
  try -P0
  Nmap finished: 1 IP address (0 hosts up) scanned in 2.163 seconds
  
  $ ping -c 5 208.139.x.x
  PING 208.139.x.x (208.139.x.x): 56 data bytes
  64 bytes from 208.139.x.x: icmp_seq=0 ttl=239 time=85.137 ms
  64 bytes from 208.139.x.x: icmp_seq=1 ttl=239 time=83.103 ms
  64 bytes from 208.139.x.x: icmp_seq=2 ttl=239 time=90.038 ms
  64 bytes from 208.139.x.x: icmp_seq=3 ttl=239 time=86.490 ms
  64 bytes from 208.139.x.x: icmp_seq=4 ttl=239 time=92.098 ms
  --- 208.139.x.x ping statistics ---
  5 packets transmitted, 5 packets received, 0.0% packet loss
  round-trip min/avg/max/std-dev = 83.103/87.373/92.098/3.274 ms
  
  $ sudo tcpdump -ni pppoe0 host 208.139.x.x
  tcpdump: listening on pppoe0, link-type PPP_ETHER
  19:43:01.507785 209.180.x.x > 208.139.x.x: icmp: echo request
  19:43:01.507980 209.180.x.x.60199 > 208.139.x.x.80: . ack 2409580574 win 1024
  19:43:01.595748 208.139.x.x > 209.180.x.x: icmp: echo reply
  19:43:01.600100 208.139.x.x.80 > 209.180.x.x.60199: R 2409580574:2409580574(0) win 0 (DF)
  19:43:02.520065 209.180.x.x > 208.139.x.x: icmp: echo request
  19:43:02.520244 209.180.x.x.60200 > 208.139.x.x.80: . ack 2829011038 win 1024
  19:43:02.609989 208.139.x.x > 209.180.x.x: icmp: echo reply
  19:43:02.611334 208.139.x.x.80 > 209.180.x.x.60200: R 2829011038:2829011038(0) win 0 (DF)
  19:43:37.650310 209.180.x.x > 208.139.x.x: icmp: echo request
  19:43:37.735247 208.139.x.x > 209.180.x.x: icmp: echo reply
  19:43:38.660020 209.180.x.x > 208.139.x.x: icmp: echo request
  19:43:38.743035 208.139.x.x > 209.180.x.x: icmp: echo reply
  19:43:39.669973 209.180.x.x > 208.139.x.x: icmp: echo request
  19:43:39.759944 208.139.x.x > 209.180.x.x: icmp: echo reply
  19:43:40.679970 209.180.x.x > 208.139.x.x: icmp: echo request
  19:43:40.766399 208.139.x.x > 209.180.x.x: icmp: echo reply
  19:43:41.689986 209.180.x.x > 208.139.x.x: icmp: echo request
  19:43:41.781991 208.139.x.x > 209.180.x.x: icmp: echo reply
  
  $ sudo tcpdump -ni pflog0
  tcpdump: WARNING: pflog0: no IPv4 address assigned
  tcpdump: listening on pflog0, link-type PFLOG
  
  
  So the return packets are definitely coming back, but nmap is not seeing
  them.  (On the TCP end, it appears nmap is sending an ACK and the target
  is sending a RST.)
 
 Looks strange. Unless I am mistaken, though, you check the output of
 nmap against a trace of ping. Could you please post a tcpdump for nmap?
 
 Also, check /etc/pf.conf for any rules marked block without being marked
 log; and please post your routing table if it's interesting.

i too would look at pf(4) - disable it, pass quick, no state, log,
whatever; but look at your state table. also, you may have mentioned
this before, but what arch is this on?
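The check behind Joachim's and Okan's advice, as an added example that is not from the thread: replay nmap's default host-discovery decision over the pppoe0 capture. nmap 3.x marks a host up when an ICMP echo reply or a TCP RST (or SYN/ACK) answers its ICMP echo and TCP ACK-to-port-80 probes; correlating the trace the same way separates "target really down" from "replies arrive on the wire but nmap's capture never sees them". The sample lines are constructed to match the posted trace (addresses kept with their x.x placeholders); the live tcpdump pipeline at the end assumes the interface name from the post.

```sh
#!/bin/sh
# Added example (not from the thread): nmap-style host-discovery verdict
# computed from a tcpdump trace. Probes counted: ICMP echo requests to the
# target and TCP ACK probes to it (nmap's defaults when run as root).
# Replies counted: ICMP echo replies, TCP RST or SYN/ACK from the target.

# Constructed sample modelled on the tcpdump -ni pppoe0 output in the post.
ANSWERED='19:43:01.507785 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:01.507980 209.180.x.x.60199 > 208.139.x.x.80: . ack 2409580574 win 1024
19:43:01.595748 208.139.x.x > 209.180.x.x: icmp: echo reply
19:43:01.600100 208.139.x.x.80 > 209.180.x.x.60199: R 2409580574:2409580574(0) win 0 (DF)'

# Constructed: the same two probes with nothing coming back.
UNANSWERED='19:43:01.507785 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:01.507980 209.180.x.x.60199 > 208.139.x.x.80: . ack 2409580574 win 1024'

# host_discovery_verdict TARGET   (trace on stdin)
# Prints: "up|down icmp=REPLIES/PROBES tcp=REPLIES/PROBES"
host_discovery_verdict() {
    awk -v target="$1" '
    {
        src = $2; dst = $4; sub(/:$/, "", dst)
        # ICMP lines look like: TS SRC > DST: icmp: echo request|reply
        if ($5 == "icmp:" && $6 == "echo") {
            if ($7 == "request" && dst == target) icmp_sent++
            else if ($7 == "reply" && src == target) icmp_got++
            next
        }
        # TCP lines: endpoints carry a trailing .PORT; $5 is the flag token
        # ("." = no SYN/FIN/RST, "R" = reset, "S" = syn), "ack" follows it.
        sub(/\.[0-9]+$/, "", src); sub(/\.[0-9]+$/, "", dst)
        flags = $5
        if (dst == target && flags == "." && $6 == "ack") tcp_sent++
        else if (src == target && (flags ~ /R/ || (flags ~ /S/ && $7 == "ack"))) tcp_got++
    }
    END {
        verdict = (icmp_got + tcp_got > 0) ? "up" : "down"
        printf "%s icmp=%d/%d tcp=%d/%d\n", verdict,
               icmp_got + 0, icmp_sent + 0, tcp_got + 0, tcp_sent + 0
    }'
}

# Live use on the scanning host while nmap runs (assumed interface name):
#   tcpdump -lni pppoe0 host 208.139.x.x | host_discovery_verdict 208.139.x.x
printf '%s\n' "$ANSWERED"   | host_discovery_verdict 208.139.x.x
printf '%s\n' "$UNANSWERED" | host_discovery_verdict 208.139.x.x
```

If the verdict from the trace is "up" while nmap reports the host down, the replies are reaching the interface and the problem is on the capture side, which is where the thread ends up looking.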



Re: rdist notify@ broken?

2006-02-06 Thread Joachim Schipper
On Mon, Feb 06, 2006 at 09:07:59AM -0600, Matthew S Elmore wrote:
 Greetings misc@,
 
 I am using rdist (with ssh as the transport) to update files from one 
 machine to another.
 
 This works fine, except that it does not send the notify message once it 
 is complete. When running rdist from the command line, it hangs here:
 
 $ sudo rdist -o remove -f /etc/Distfile.notifytest
 testhost: updating host testhost
 testhost: notify @testhost ( test@test.com )
 
 
 (obviously I swapped out users and hosts for this mail)
 
 When this happens I see sendmail in the process list:
 11497 p0  I+  0:00.02 /usr/sbin/sendmail -oi -t
 
 But the mail never sends.
 
 Here is the distfile:
 
 HOSTS = ( testhost )
 FILES = (
 /etc/resolv.conf
 )
 
 default:
 ${FILES} - ${HOSTS}
 notify test@test.com ;

Reproducible here (3.8-stable/i386), using postfix instead of sendmail.

Joachim



Re: vpn problem

2006-02-06 Thread Peter
--- plz? yeah plz [EMAIL PROTECTED] wrote:

 Hello all,
 
 Currently my brother and I try to set up a vpn using isakmpd between two
 OBSD 3.8 boxes. We had a similar vpn working before. We both changed
 ADSL providers and thought it is time for an upgrade. However...

I did notice some redundancy under [Default-quick-mode].

What about the other file?



Re: 3.9beta on macppc snapshot 30-01-06: no keyboard

2006-02-06 Thread Miod Vallat
 on my powerbook5,2 (G4 15), runs through booting fine, but at the  
 install,upgrade,shell prompt, the keyboard doesn't work ( but shift  
 still lights the LED)

Can you try the latest snapshot (January 30th)? If the built-in keyboard
still fails to work, can you plug an external USB keyboard to get the
dmesg? And are you willing to test kernels if the problem still arises?

Miod



Re: 3.9beta on macppc snapshot 30-01-06: no keyboard

2006-02-06 Thread Pete Vickers
same problem with 30-01-06 snapshot (burned from ISO). An external  
USB keyboard works fine. dmesg follows:


[ bsd ELF symbol table not valid: symtab unaligned ]
[ no symbol table formats found ]
console out [ATY,Jasper_A]console in [keyboard] USB and ADB found, using USB
using parent ATY,JasperParent:: memaddr b800 size 800, : consaddr bc008000, : ioaddr b002, size 2: memtag 8000, iotag 8000: width 1280 linebytes 1280 height 854 depth 8

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org


OpenBSD 3.9-beta (RAMDISK) #779: Mon Jan 30 19:14:24 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/macppc/compile/RAMDISK

real mem = 1342177280 (1310720K)
avail mem = 1214750720 (1186280K)
using 1254 buffers containing 67108864 bytes (65536K) of memory
mainbus0 (root): model PowerBook5,2
cpu0 at mainbus0: Version 8002 (Revision 0x101): 1249 MHz
memc0 at mainbus0: uni-n
hw-clock at memc0 not configured
ki2c0 at memc0 offset 0xf8001000
mpcpcibr0 at mainbus0 pci: uni-north, Revision 0xff
find_node_intr unable to find step size
pci0 at mpcpcibr0 bus 0
pchb0 at pci0 dev 11 function 0 Apple UniNorth AGP rev 0x00
vgafb0 at pci0 dev 16 function 0 ATI Radeon Mobility M10 NP rev 0x00, mmio
wsdisplay0 at vgafb0 mux 1: console (std, vt100 emulation)
mpcpcibr1 at mainbus0 pci: uni-north, Revision 0x5
pci1 at mpcpcibr1 bus 0
pchb1 at pci1 dev 11 function 0 Apple UniNorth PCI rev 0x00
Broadcom BCM4306 rev 0x03 at pci1 dev 18 function 0 not configured
cbb0 at pci1 dev 19 function 0 Texas Instruments PCI1510 CardBus rev 0x00: irq 53
macobio0 at pci1 dev 23 function 0 Apple Intrepid rev 0x00
openpic0 at macobio0 offset 0x4: version 0x4614
macgpio0 at macobio0 offset 0x50
macgpio1 at macgpio0 offset 0x9 irq 47
programmer-switch at macgpio0 offset 0x11 not configured
gpio4 at macgpio0 offset 0x1e not configured
frequency-gpio at macgpio0 offset 0x1a not configured
voltage-gpio at macgpio0 offset 0x1b not configured
slewing-done at macgpio0 offset 0x12 not configured
gpio5 at macgpio0 offset 0x6f not configured
gpio6 at macgpio0 offset 0x70 not configured
extint-gpio4 at macgpio0 offset 0x5c not configured
gpio11 at macgpio0 offset 0x75 not configured
extint-gpio15 at macgpio0 offset 0x67 not configured
escc-legacy at macobio0 offset 0x12000 not configured
zsc0 at macobio0 offset 0x13000: irq 22,23
zstty0 at zsc0 channel 0
zstty1 at zsc0 channel 1
i2s at macobio0 offset 0x1 not configured
timer at macobio0 offset 0x15000 not configured
adb0 at macobio0 offset 0x16000 irq 25: via-pmu, 0 targets
battery at macobio0 offset 0x0 not configured
backlight at macobio0 offset 0xf300 not configured
i2c at macobio0 offset 0x18000 not configured
wdc0 at macobio0 offset 0x2 irq 24: DMA
atapiscsi0 at wdc0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, DVD-R UJ-816, DXJ3 SCSI0 5/cdrom removable
cd0(wdc0:0:0): using BIOS timings, DMA mode 2
ohci0 at pci1 dev 24 function 0 Apple Intrepid USB rev 0x00: irq 0, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Apple OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ohci1 at pci1 dev 25 function 0 Apple Intrepid USB rev 0x00: irq 0, version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Apple OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
ohci2 at pci1 dev 26 function 0 Apple Intrepid USB rev 0x00: irq 29, version 1.0, legacy support
usb2 at ohci2: USB revision 1.0
uhub2 at usb2
uhub2: Apple OHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ohci3 at pci1 dev 27 function 0 NEC USB rev 0x43: irq 63, version 1.0
usb3 at ohci3: USB revision 1.0
uhub3 at usb3
uhub3: NEC OHCI root hub, rev 1.00/1.00, addr 1
uhub3: 3 ports with 3 removable, self powered
ohci4 at pci1 dev 27 function 1 NEC USB rev 0x43: irq 63, version 1.0
usb4 at ohci4: USB revision 1.0
uhub4 at usb4
uhub4: NEC OHCI root hub, rev 1.00/1.00, addr 1
uhub4: 2 ports with 2 removable, self powered
ehci0 at pci1 dev 27 function 2 NEC USB rev 0x04: irq 63
usb5 at ehci0: USB revision 2.0
uhub5 at usb5
uhub5: NEC EHCI root hub, rev 2.00/1.00, addr 1
uhub5: 5 ports with 5 removable, self powered
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
mpcpcibr2 at mainbus0 pci: uni-north, Revision 0x20
pci2 at mpcpcibr2 bus 0
pchb2 at pci2 dev 11 function 0 Apple UniNorth PCI rev 0x00
kauaiata0 at pci2 dev 13 function 0 Apple Intrepid ATA rev 0x00
wdc1 at kauaiata0 irq 39: DMA
wd0 at wdc1 channel 0 drive 0: FUJITSU MHT2080AT
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(wdc1:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5
Apple UniNorth Firewire rev 0x81 at pci2 dev 14 function 

Re: Problem with HP NetRAID Controller

2006-02-06 Thread Marco Peereboom

Or you could just create a single RAID disk and then slice it up...

On Feb 6, 2006, at 6:56 AM, Dirk Fohrenkamm wrote:


I have replied to this type of email several times before.  The short
answer is that I don't know why it is broken and have not been able
to fix it yet.  The message is there to warn and protect you from bad
things.

thanks for the advice;
looks like I have to try other OS, maybe Debian :-(

Dirk




Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-02-06 Thread Christian Weisgerber
Christian Weisgerber [EMAIL PROTECTED] wrote:

 Okay, this is as good an opportunity as any to write down what I
 did to my wireless a while ago:

Meanwhile, ipsecctl has gained support for pre-shared key authentication.
So in 3.9, things are simpler still:

Configure dhcpd on the gateway (172.16.1.1) to always give the same
address (172.16.1.99) to my laptop, based on its MAC address.

Start up isakmpd -K on both machines.
No isakmpd configuration.  None.

On the gateway, create a one-line /etc/ipsec.conf:

ike esp from any to 172.16.1.99 psk secretpassphrase

On the laptop, create a one-line /etc/ipsec.conf:

ike esp from ral0 to any peer 172.16.1.1 psk secretpassphrase

Run ipsecctl -f /etc/ipsec.conf on both machines.
Congratulations, you have set up IPsec.

Repeat the same procedure for additional wireless clients.  Wait a
moment, you say, does that mean that two hosts on the wireless will
talk to each other through the IPsec gateway rather than directly?
That's right, but in infrastructure mode, i.e., if you use an access
point, the packets already cross the air twice (host 1 -> AP ->
host 2).  Looping them through the gateway doesn't add appreciable
overhead.

The wireless clients only need to talk ISAKMP (to authenticate and
renegotiate keys) and ESP to the gateway.  Block everything else
on the gateway:

block return on $wlan all
pass in  on $wlan proto esp to $wlan keep state
pass out on $wlan proto esp from $wlan keep state
pass in  on $wlan proto udp to $wlan port isakmp keep state
pass out on $wlan proto udp from $wlan port isakmp keep state

Actually, there is one more thing, and it's important.  With the
setup above, you will run into MTU issues with hosts behind the
gateway.  The symptom is that bulk data transfers _to_ the wireless
host will be ridiculously slow or stall completely.  There must be
a better way, but in the meantime TCP MSS clamping on the gateway
works:

scrub in on enc0 all max-mss 1318

As far as pf is concerned, all decoded IPsec traffic is from the
enc0 interface.  If you use the antispoof directive, make sure
to add a pass rule for traffic on enc0.

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]



Re: users filling partitions crashing system

2006-02-06 Thread Nick Holland

MikeyG wrote:

Hi,
I'm seeing a recurring problem whereby a users process is causing the 
system to crash by (I believe) filling up the /tmp partition. Twice this 
week this has happened shortly after I have renice-d a resource hungry 
bittorrent download I've seen a user running.


I question your diagnosis.
I just deliberately filled my /tmp partition.  System is still running 
fine (which actually is a pleasant surprise, as this machine has been 
horribly unstable the last few days.  Maybe I should have filled the 
/tmp partition long ago! :).


If you can crash your system by filling the /tmp partition, I think that 
would be better described as a bug that needs fixing rather than trying 
to work around it.


How about defining what you mean by crash, what message you are 
getting, etc.


If you really want to prove to yourself that it isn't your tmp partition 
getting filled, ssh into the box, set up a little script to do df -i 
every second or so.  When the system crashes, look at the last several 
df outputs.  The -i is there to see if you are filling the inodes, 
rather than the disk (that won't cause a crash, either.  Done that many 
times on /tmp, myself), that gives you a second chance to be right. :)


Nick.
(wondering if /tmp space is needed to send mail...)
(hm.  apparently.  just deleted a 4k file, let's try again)



Re: users filling partitions crashing system

2006-02-06 Thread knitti
On 2/6/06, MikeyG [EMAIL PROTECTED] wrote:
 I'm seeing a recurring problem whereby a users process is causing the
 system to crash by (I believe) filling up the /tmp partition.

I have several boxes which all have /tmp (and /var/log) on a mfs, which
is 105% after some time. These boxes admittedly are gateways/firewalls
only, just doing pf, nat and ipsec stuff. they run happily with full /tmp for
months.

Could it be that there are some resource-hungry processes that
sometimes have a run-away condition, starving your box of memory? (Of
course not user processes.) I had this problem some time ago with
snort.

--knitti



Re: OpenBSD { future=PIM (DM-SM) } support or { only=XORP } ?

2006-02-06 Thread Jason Houx

On Sun, 5 Feb 2006, Esben Norby wrote:


Yes, tiny baby steps have been taken in order to start up an OpenPIMD project,
but don't hold your breath...


;-P  (I've never been one for doing as I am told)


Step one would probably be a PIM-DM, later on it can be expanded to support
PIM-SM.


DM would be progress and lead to SM.  A flood and prune method I think 
would be easier to implement initially than everything in SM so I am all 
for it and currently reading the RFC's over again.



If any one are interested in this sort of thing please chip in.


I can't donate any code worth forken looking at but I can test in a live 
environment and inter-operate with that dirty Crisco vendor.  I can read 
code but I am still learning =( (aka lots of books)



I'm going to start playing with DVMRP now that I see I can use mrouted
with our current PIM routers and hopefull get a tunnel up to transport the
multicast traffic to a OpenBSD gateway.  This doesn't create a PIM router
but it does give me more features to learn/play with on OpenBSD which is
always a goal of mine.



I use mrouted myself on OpenBSD routers, and I really really want to replace
them.


I only read the protocol and never tried to set it up on a Crisco but now 
that the network is up I see no reason not to as I am not that interested 
in trying out XORP and can patiently hold my breath till I start to catch 
wind of some commits on the CVS posts.



If you want to play, mrouted is good enough - I mainly use it for multicast
video streaming, and IPerf multicast test streams.

/Esben



Thanks for the reply Esben that is exactly what I was looking for.



Re: inet failover solution

2006-02-06 Thread Giancarlo Razzolini
John R. Shannon wrote:
 On Monday 06 February 2006 06:46, Nickolay A Burkov wrote:
 Hi, All!

 I have a router with two external ethernet links to two different ISPs.
 Could someone recommend me a good technique to organize failover with
these
 two channels (similar to trunk(4) but on higher level)? I thought about
 writing the Perl script to periodically ping destination on master ISP and
 if it is failure, reconfigure routing tables and NAT to slave provider's
 addr. Because these are very network-topology-dependent things (timeouts,
 way of checking dst, etc.), I wonder if somebody has good experience with
 this situation.

 br

 I use ifstated for that purpose.


I do have a similar situation in my work. We have two ADSL connections
to two different ISP's. I did an ifstated configuration and some shell
scripts that basically do the following things:

a) check if any of the internet links in the modems are up, using snmp
(if your device supports snmp; most DSL/ADSL routers do)
b) if any of them are down, mail root to warn about the situation,
load the pf rule set pertaining to the other link, set the gateway to the
other modem, and vice versa
c) if any of the modems are down (I mean physically down), it points to
the other and also mails root.

I do some other tricks, as rebooting the modems. I'm still testing it,
but today it behaved very well. I only need to balance the incoming
services now.

If you want more info, I can give it privately.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: nmap Issue on 3.8-release?

2006-02-06 Thread Melameth, Daniel D.
Okan Demirmen wrote:
 On Mon 2006.02.06 at 20:31 +0100, Joachim Schipper wrote:
  On Sun, Feb 05, 2006 at 10:03:57PM -0500, Melameth, Daniel D. wrote:
   Joachim Schipper wrote:
On Fri, Feb 03, 2006 at 10:02:32PM -0500, Melameth, Daniel D.
wrote: 
 An nmap scan gives me this:
 
 $ sudo nmap 208.139.x.x
 
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at
 2006-02-03 19:45 MST
 Note: Host seems down. If it is really up, but blocking our
 ping probes, try -P0 Nmap finished: 1 IP address (0 hosts up)
 scanned in 2.109 seconds 
 
 Which I follow up with a:
 
 $ ping -c 5 208.139.x.x
 PING 208.139.x.x (208.139.x.x): 56 data bytes
 64 bytes from 208.139.x.x: icmp_seq=0 ttl=239 time=91.979 ms

 --- 208.139.x.x ping statistics ---
 5 packets transmitted, 5 packets received, 0.0% packet loss
 round-trip min/avg/max/std-dev = 82.354/86.470/91.979/3.295 ms
 
 Running while the above is happening, tcpdumps yield:

 $ sudo tcpdump -qni pflog0
 tcpdump: WARNING: pflog0: no IPv4 address assigned
 tcpdump: listening on pflog0, link-type PFLOG

 I'm not certain where to look next.

Look into what the return packets actually contain. If, for
instance, the remote end is a OpenBSD firewall that has been
configured explicitly to drop nmap (using pf's passive OS
recognition feature, for instance), you'd see exactly what you
see now. (Discarding OpenBSD for a while, almost any decent
firewall can be configured to drop traffic that looks like it
came from nmap.) 

And the return packets are not too useful - is that first icmp
packet an echo reply or a destination-unreachable notice? And
the TCP packet - is it a SYN/ACK or RST packet?
   
   The remote end is an OpenBSD machine that has not been configured
   to drop nmap packets and allows incoming ssh and http connections.
   
   On second thought, I'm not certain why I made tcpdump quiet--habit
   perhaps.  Here is the same test with more verbosity:
   
   
   $ sudo nmap 208.139.x.x
   
   Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at
   2006-02-05 19:43 MST Note: Host seems down. If it is really up,
   but blocking our ping probes, try -P0 Nmap finished: 1 IP address
   (0 hosts up) scanned in 2.163 seconds
   
   $ ping -c 5 208.139.x.x
   PING 208.139.x.x (208.139.x.x): 56 data bytes
   64 bytes from 208.139.x.x: icmp_seq=0 ttl=239 time=85.137 ms
   64 bytes from 208.139.x.x: icmp_seq=1 ttl=239 time=83.103 ms
   64 bytes from 208.139.x.x: icmp_seq=2 ttl=239 time=90.038 ms
   64 bytes from 208.139.x.x: icmp_seq=3 ttl=239 time=86.490 ms
   64 bytes from 208.139.x.x: icmp_seq=4 ttl=239 time=92.098 ms
   --- 208.139.x.x ping statistics ---
   5 packets transmitted, 5 packets received, 0.0% packet loss
   round-trip min/avg/max/std-dev = 83.103/87.373/92.098/3.274 ms
   
   $ sudo tcpdump -ni pppoe0 host 208.139.x.x
   tcpdump: listening on pppoe0, link-type PPP_ETHER
   19:43:01.507785 209.180.x.x > 208.139.x.x: icmp: echo request
   19:43:01.507980 209.180.x.x.60199 > 208.139.x.x.80: . ack 2409580574 win 1024
   19:43:01.595748 208.139.x.x > 209.180.x.x: icmp: echo reply
   19:43:01.600100 208.139.x.x.80 > 209.180.x.x.60199: R 2409580574:2409580574(0) win 0 (DF)
   19:43:02.520065 209.180.x.x > 208.139.x.x: icmp: echo request
   19:43:02.520244 209.180.x.x.60200 > 208.139.x.x.80: . ack 2829011038 win 1024
   19:43:02.609989 208.139.x.x > 209.180.x.x: icmp: echo reply
   19:43:02.611334 208.139.x.x.80 > 209.180.x.x.60200: R 2829011038:2829011038(0) win 0 (DF)
   19:43:37.650310 209.180.x.x > 208.139.x.x: icmp: echo request
   19:43:37.735247 208.139.x.x > 209.180.x.x: icmp: echo reply
   19:43:38.660020 209.180.x.x > 208.139.x.x: icmp: echo request
   19:43:38.743035 208.139.x.x > 209.180.x.x: icmp: echo reply
   19:43:39.669973 209.180.x.x > 208.139.x.x: icmp: echo request
   19:43:39.759944 208.139.x.x > 209.180.x.x: icmp: echo reply
   19:43:40.679970 209.180.x.x > 208.139.x.x: icmp: echo request
   19:43:40.766399 208.139.x.x > 209.180.x.x: icmp: echo reply
   19:43:41.689986 209.180.x.x > 208.139.x.x: icmp: echo request
   19:43:41.781991 208.139.x.x > 209.180.x.x: icmp: echo reply
   
   $ sudo tcpdump -ni pflog0
   tcpdump: WARNING: pflog0: no IPv4 address assigned
   tcpdump: listening on pflog0, link-type PFLOG
   
   
   So the return packets are definitely coming back, but nmap is not
   seeing them.  (On the TCP end, it appears nmap is sending an ACK
   and the target is sending a RST.)
  
  Looks strange. Unless I am mistaken, though, you check the output of
  nmap against a trace of ping. Could you please post a tcpdump for
  nmap? 

The full tcpdump of nmap is reflected in the first eight full lines
directly above.

  Also, check /etc/pf.conf for any rules marked block without being
  marked log; and please post your routing table if it's interesting.

There is really only one block rule and it 

Re: nmap Issue on 3.8-release?

2006-02-06 Thread Melameth, Daniel D.
FWIW, it appears the issue only happens in relation to the pppoe
interface--meaning, nmap scans over wi and fxp work as expected.

Melameth, Daniel D. wrote:
 Okan Demirmen wrote:
  On Mon 2006.02.06 at 20:31 +0100, Joachim Schipper wrote:
   On Sun, Feb 05, 2006 at 10:03:57PM -0500, Melameth, Daniel D.
   wrote: 
Joachim Schipper wrote:
 On Fri, Feb 03, 2006 at 10:02:32PM -0500, Melameth, Daniel D.
 wrote:
  An nmap scan gives me this:
  
  $ sudo nmap 208.139.x.x
  
  Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at
  2006-02-03 19:45 MST Note: Host seems down. If it is really
  up, but blocking our ping probes, try -P0 Nmap finished: 1
  IP address (0 hosts up) scanned in 2.109 seconds 
  
  Which I follow up with a:
  
  $ ping -c 5 208.139.x.x
  PING 208.139.x.x (208.139.x.x): 56 data bytes
  64 bytes from 208.139.x.x: icmp_seq=0 ttl=239 time=91.979 ms
  
  --- 208.139.x.x ping statistics ---
  5 packets transmitted, 5 packets received, 0.0% packet loss
  round-trip min/avg/max/std-dev = 82.354/86.470/91.979/3.295
  ms 
  
  Running while the above is happening, tcpdumps yield:
  
  $ sudo tcpdump -qni pflog0
  tcpdump: WARNING: pflog0: no IPv4 address assigned
  tcpdump: listening on pflog0, link-type PFLOG
  
  I'm not certain where to look next.
 
 Look into what the return packets actually contain. If, for
 instance, the remote end is a OpenBSD firewall that has been
 configured explicitly to drop nmap (using pf's passive OS
 recognition feature, for instance), you'd see exactly what you
 see now. (Discarding OpenBSD for a while, almost any decent
 firewall can be configured to drop traffic that looks like it
 came from nmap.) 
 
 And the return packets are not too useful - is that first icmp
 packet an echo reply or a destination-unreachable notice? And
 the TCP packet - is it a SYN/ACK or RST packet?

The remote end is an OpenBSD machine that has not been
configured to drop nmap packets and allows incoming ssh and
http connections. 

On second thought, I'm not certain why I made tcpdump
quiet--habit perhaps.  Here is the same test with more
verbosity:


$ sudo nmap 208.139.x.x

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at
2006-02-05 19:43 MST Note: Host seems down. If it is really up,
but blocking our ping probes, try -P0 Nmap finished: 1 IP
address (0 hosts up) scanned in 2.163 seconds

$ ping -c 5 208.139.x.x
PING 208.139.x.x (208.139.x.x): 56 data bytes
64 bytes from 208.139.x.x: icmp_seq=0 ttl=239 time=85.137 ms
64 bytes from 208.139.x.x: icmp_seq=1 ttl=239 time=83.103 ms
64 bytes from 208.139.x.x: icmp_seq=2 ttl=239 time=90.038 ms
64 bytes from 208.139.x.x: icmp_seq=3 ttl=239 time=86.490 ms
64 bytes from 208.139.x.x: icmp_seq=4 ttl=239 time=92.098 ms
--- 208.139.x.x ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 83.103/87.373/92.098/3.274 ms

$ sudo tcpdump -ni pppoe0 host 208.139.x.x
tcpdump: listening on pppoe0, link-type PPP_ETHER
19:43:01.507785 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:01.507980 209.180.x.x.60199 > 208.139.x.x.80: . ack 2409580574 win 1024
19:43:01.595748 208.139.x.x > 209.180.x.x: icmp: echo reply
19:43:01.600100 208.139.x.x.80 > 209.180.x.x.60199: R 2409580574:2409580574(0) win 0 (DF)
19:43:02.520065 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:02.520244 209.180.x.x.60200 > 208.139.x.x.80: . ack 2829011038 win 1024
19:43:02.609989 208.139.x.x > 209.180.x.x: icmp: echo reply
19:43:02.611334 208.139.x.x.80 > 209.180.x.x.60200: R 2829011038:2829011038(0) win 0 (DF)
19:43:37.650310 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:37.735247 208.139.x.x > 209.180.x.x: icmp: echo reply
19:43:38.660020 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:38.743035 208.139.x.x > 209.180.x.x: icmp: echo reply
19:43:39.669973 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:39.759944 208.139.x.x > 209.180.x.x: icmp: echo reply
19:43:40.679970 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:40.766399 208.139.x.x > 209.180.x.x: icmp: echo reply
19:43:41.689986 209.180.x.x > 208.139.x.x: icmp: echo request
19:43:41.781991 208.139.x.x > 209.180.x.x: icmp: echo reply

$ sudo tcpdump -ni pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG


So the return packets are definitely coming back, but nmap is
not seeing them.  (On the TCP end, it appears nmap is sending
an ACK and the target is sending a RST.)
   
   Looks strange. Unless I am mistaken, though, you check the output
   of nmap against a trace of ping. Could you please post a tcpdump
   for 

Re: inet failover solution

2006-02-06 Thread Steven S
[EMAIL PROTECTED] wrote:
 John R. Shannon wrote:
 On Monday 06 February 2006 06:46, Nickolay A Burkov wrote:
 Hi, All!
 
 I have a router with two external ethernet links to two different
 ISPs. Could someone recommend me a good technique to organize
 failover with
 these
...
 I use ifstated for that purpose.
 
 
 I do have a similar situation in my work. We have two ADSL connections
 to two different ISP's. I did an ifstated configuration and some shell
 scripts that basically do the following things:
 
 a) check if any of the internet links in the modems are up, using snmp
 (if your device has support to snmp, the majority of the DSL/ADSL
 routers does) 
...

I used ifstated with ping to the other side of the link (as determined by
traceroute).  You might need to create a static route or use the route-to pf
command to make sure you're pinging through the correct interface to
determine the state.  This shows my ifstated.conf:  
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113776959830873&w=2

I ended up moving the ping to, '(ping -q -c 3 -w 2 10.10.10.1 > /dev/null
every 30)' and using a single if statement in the downed states.  I also
found moving everything in pf that did a route-to to an anchor was helpful.
Then I reload the anchor as shown in the ifstated.conf in the link.  Because
this is an active test I also reserved a little (very little) bandwidth via
altq for this ICMP traffic.  

Another approach might be to test to see if there is _any_ traffic coming
into an interface, if not, it is probably down.  BTW, I do this with dual
carp'ed firewalls with site-to-site ipsec VPNs and OpenVPN for road
warriors.  

Thanks for the great OS!

-Steve S.
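The decision logic that Giancarlo's scripts and Steven's ifstated setup both implement, as an added example that is not from either post: probe each ISP's next hop with the same ping test quoted above, switch the default route and reload a pf anchor only after a run of consecutive failures, and switch back only after a run of consecutive successes, so a single lost probe does not flap the gateway. The gateway addresses, the anchor name "failover", the rule files /etc/pf.failover.isp1 and .isp2, and the state file are assumptions for the example; the transition rule is a pure function so it can be exercised without a network.

```sh
#!/bin/sh
# Added example (not from the thread): dual-ISP failover with flap damping.
# Assumed layout: two next hops, one pf anchor per active link, a state file.
ISP1_GW=10.10.10.1          # assumed primary next hop
ISP2_GW=10.20.20.1          # assumed secondary next hop
THRESH=3                    # consecutive probe results needed to change state

# probe_gw GW : the same shape of test quoted in the thread, exit 0 when reachable
probe_gw() {
    ping -q -c 3 -w 2 "$1" > /dev/null 2>&1
}

# next_state STATE ISP1_OK ISP2_OK FAILS OKS
# STATE is isp1 or isp2. FAILS counts consecutive failed probes of isp1 while
# it is active; OKS counts consecutive good probes of isp1 while on isp2.
# Prints the new "STATE FAILS OKS" triple.
next_state() {
    state=$1 isp1_ok=$2 isp2_ok=$3 fails=$4 oks=$5
    case $state in
    isp1)
        if [ "$isp1_ok" -eq 1 ]; then fails=0; else fails=$((fails + 1)); fi
        # only fail over when the secondary actually answers
        if [ "$fails" -ge "$THRESH" ] && [ "$isp2_ok" -eq 1 ]; then
            state=isp2; fails=0; oks=0
        fi ;;
    isp2)
        if [ "$isp1_ok" -eq 1 ]; then oks=$((oks + 1)); else oks=0; fi
        if [ "$oks" -ge "$THRESH" ]; then
            state=isp1; fails=0; oks=0
        fi ;;
    esac
    echo "$state $fails $oks"
}

# apply_state STATE : move the default route, reload the anchor, tell root
apply_state() {
    case $1 in
    isp1) gw=$ISP1_GW ;;
    isp2) gw=$ISP2_GW ;;
    esac
    route change default "$gw" > /dev/null
    pfctl -a failover -f "/etc/pf.failover.$1"
    echo "failover: default route now $1 via $gw" | mail -s "link failover" root
}

# poll STATEFILE : one pass; run it every 30 seconds from cron or ifstated
poll() {
    f=$1
    { read state fails oks < "$f"; } 2>/dev/null || { state=isp1; fails=0; oks=0; }
    probe_gw "$ISP1_GW" && ok1=1 || ok1=0
    probe_gw "$ISP2_GW" && ok2=1 || ok2=0
    set -- $(next_state "$state" "$ok1" "$ok2" "$fails" "$oks")
    [ "$1" != "$state" ] && apply_state "$1"
    echo "$1 $2 $3" > "$f"
}
```

Steven's point about reserving a little altq bandwidth for the probe traffic still applies: if the probes themselves get starved on a saturated link, this state machine will fail over on a link that is merely busy.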



Why /bin/[

2006-02-06 Thread OpenBSD . Tim . Boettcher
Why is there a file called [ in the /bin directory of my generic 3.8
build?

144 -r-xr-xr-x   2 root  bin 72128 Sep 10 15:18 [

Tim B
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



Re: Why /bin/[

2006-02-06 Thread C. Bensend
 Why is there a file called [ in the /bin directory of my generic 3.8
 build?

 144 -r-xr-xr-x   2 root  bin 72128 Sep 10 15:18 [

Have you tried 'man [' ?


-- 
'And you've got 10 gig of files to put through our mail system?' I
ask, squeezing my mouse in a non-approved manner. -- BOFH, 2006-01



Re: Why /bin/[

2006-02-06 Thread Brett Lymn
On Mon, Feb 06, 2006 at 09:00:59PM -0800, [EMAIL PROTECTED] wrote:
 Why is there a file called [ in the /bin directory of my generic 3.8
 build?
 
 144 -r-xr-xr-x   2 root  bin 72128 Sep 10 15:18 [
 

Ever wondered why:

if [ -x some/file ]
then
  echo file executable
fi

works in /bin/sh?

-- 
Brett Lymn



Re: Why /bin/[

2006-02-06 Thread STeve Andre'
On Tuesday 07 February 2006 05:00, [EMAIL PROTECTED] wrote:
 Why is there a file called [ in the /bin directory of my generic 3.8
 build?

 144 -r-xr-xr-x   2 root  bin 72128 Sep 10 15:18 [

 Tim B

Did you do a 

  man [

?

--STeve Andre'



Re: Why /bin/[

2006-02-06 Thread Han Boetes
Brett Lymn wrote:
 Ever wondered why:

 if [ -x some/file ]
 then
   echo file executable
 fi

 works in /bin/sh?

Actually [ in sh is a shell-builtin, but apart from that that's
what it's about.

Additionally:

  ls -li '/bin/test' '/bin/['



# Han
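An added demonstration (not from the thread) of the two facts Han and Brett point at: the shell's [ is a builtin, so it keeps working with an empty PATH where no external command could be found, while /bin/[ on disk is the same inode as /bin/test with a link count of 2, which is what the "2" in the posted ls -l output means. The temporary directory and file names in the test are constructed; it assumes a POSIX shell with ls -i and mktemp.

```sh
#!/bin/sh
# Added example (not from the thread): show that "[" is a shell builtin and
# that a second directory entry for the same file is a hard link, not a copy.

# Exit 0 when "[" still evaluates with PATH emptied, i.e. the shell resolved
# it internally and never looked for /bin/[ at all.
bracket_is_builtin() {
    ( PATH=; [ 1 = 1 ] ) 2>/dev/null
}

# same_inode A B : exit 0 when both paths share one inode (hard links)
same_inode() {
    a=$(ls -di "$1" | awk '{print $1}')
    b=$(ls -di "$2" | awk '{print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# link_count PATH : prints the number of directory entries for the inode,
# the second column of ls -l (2 for /bin/[ and /bin/test on the poster's box)
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Example run, constructed in a scratch directory so it works on any system:
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/test"
    ln "$d/test" "$d/["            # hard link, the same relationship as /bin/[
    bracket_is_builtin && echo '[ is a builtin of this shell'
    same_inode "$d/test" "$d/[" && echo "$d/[ and $d/test are one inode (links: $(link_count "$d/test"))"
    rm -rf "$d"
}
```

On the OpenBSD box itself, `same_inode /bin/test '/bin/['` gives the same answer as Han's `ls -li` without having to read the inode numbers by eye.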



Re: Why /bin/[

2006-02-06 Thread Bart Kus
On Mon, 6 Feb 2006 [EMAIL PROTECTED] wrote:
 Why is there a file called [ in the /bin directory of my generic 3.8
 build?

 144 -r-xr-xr-x   2 root  bin 72128 Sep 10 15:18 [

man [ will explain everything. :)

--Bart



Re: Why /bin/[

2006-02-06 Thread OpenBSD . Tim . Boettcher
Interesting.  I see that man calls it test(1) but searching the online
man pages for [ doesn't find it.

On Mon, Feb 06, 2006 at 09:00:59PM -0800,
[EMAIL PROTECTED] 
wrote:
 Why is there a file called [ in the /bin directory of my generic
3.8
 build?
 
 144 -r-xr-xr-x   2 root  bin 72128 Sep 10 15:18 [
 

Ever wondered why:

if [ -x some/file ]
then
  echo file executable
fi

works in /bin/sh?

-- 
Brett Lymn

Tim B
[EMAIL PROTECTED]
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



Re: inet failover solution

2006-02-06 Thread Rod.. Whitworth
On Mon, 6 Feb 2006 23:54:21 -0500, Steven S wrote:

[EMAIL PROTECTED] wrote:
 John R. Shannon wrote:
 On Monday 06 February 2006 06:46, Nickolay A Burkov wrote:
 Hi, All!
 
 I have a router with two external ethernet links to two different
 ISPs. Could someone recommend me a good technique to organize
 failover with
 these
...
 I use ifstated for that purpose.
 
 
 I do have a similar situation in my work. We have two ADSL connections
 to two different ISPs. I did an ifstated configuration and some shell
 scripts that basically do the following things:
 
 a) check if any of the internet links in the modems are up, using snmp
 (if your device has support for snmp, the majority of the DSL/ADSL
 routers do) 
...

I used ifstated with ping to the other side of the link (as determined by
traceroute).  You might need to create a static route or use the route-to pf
command to make sure you're pinging through the correct interface to
determine the state.  This shows my ifstated.conf:  
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113776959830873&w=2

I ended up moving the ping to, '(ping -q -c 3 -w 2 10.10.10.1 > /dev/null
every 30)' and using a single if statement in the downed states.  I also
found moving everything in pf that did a route-to to an anchor was helpful.
Then I reload the anchor as shown in the ifstated.conf in the link.  Because
this is an active test I also reserved a little (very little) bandwidth via
altq for this ICMP traffic.  

Another approach might be to test to see if there is _any_ traffic coming
into an interface, if not, it is probably down.  BTW, I do this with dual
carp'ed firewalls with site-to-site ipsec VPNs and OpenVPN for road
warriors.  

Thanks for the great OS!

-Steve S.



I don't see any ping commands of the form:

ping -I fxp0 ..

in examples of ifstated use. I would think that forcing the interface
to be used would be useful to prevent misleading results.

Whilst I'm at it:
Why wouldn't I change the default route by doing a route delete default
 route add default $SecondChoice type command and the reverse when a
link comes up on $FirstChoice ?

In general I'd love to see some more configurations with all the
relevant pf.conf bits so that I can study an example or three in
conjunction with the ifstated manpage.

I think I'm going to have to set up a lab test and see what works well
but some other viewpoints may make choosing a better way easier.


From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: Why /bin/[

2006-02-06 Thread RedShift

It's a digital phone for left-handed people.

[EMAIL PROTECTED] wrote:

Why is there a file called [ in the /bin directory of my generic 3.8
build?

144 -r-xr-xr-x   2 root  bin 72128 Sep 10 15:18 [

Tim B
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 




chrsh unofficial w/ current 3.9 - nope

2006-02-06 Thread Paul Pruett
Just a heads up for the few that use Ben Goren's Trumpetpower port for 
chrsh, http://www.trumpetpower.com/OpenBSD/chrsh


It may not work as is with OpenBSD 3.9, without tweaking.

but the official ports for current are compiling nicely, even kde so far!


got the following with current grabbed this weekend,
complaining about extra tokens at end of directives and a while loop
using test on error return value...

if anyone has a quick suggestion, I'll try it, else I will set it aside.


# make
===  Checking files for chrsh-1.0b2

chrsh.c doesn't seem to exist on this system.
Fetch http://www.aarongifford.com/computers/chrsh.c.
100% 
|| 
26266   00:00

No size recorded for /usr/ports/distfiles/chrsh.c
No checksum file.

===  Extracting for chrsh-1.0b2
mkdir -p /usr/ports/chrsh/w-chrsh-1.0b2/chrsh
cp /usr/ports/test/distfiles/chrsh.c 
/usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh/

cp files/Makefile /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh/
===  Patching for chrsh-1.0b2
===  Configuring for chrsh-1.0b2
===  Building for chrsh-1.0b2
cc -o chrsh chrsh.c
chrsh.c:99:25: warning: extra tokens at end of #undef directive
chrsh.c:186:8: warning: extra tokens at end of #endif directive
chrsh.c: In function `main':
chrsh.c:335: error: `errno' undeclared (first use in this function)
chrsh.c:335: error: (Each undeclared identifier is reported only once
chrsh.c:335: error: for each function it appears in.)
*** Error code 1

Stop in /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh (line 4 of Makefile).
*** Error code 1

Stop in /usr/ports/test/chrsh (line 1924 of 
/usr/ports/infrastructure/mk/bsd.port.mk).



NOTES for chrsh.c


Line 99:
#undef  LOG_USEFILE /var/log/chrsh.log


Line 186:
#endif DEBUG

Line 335:
while (close(i) != 0 && errno == EINTR);
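The three spots the build log points at, reconstructed and fixed as a reviewer would fix them. This is an added example, not chrsh.c itself and not the Trumpetpower port: only the three quoted lines are on the page, so the LOG_USEFILE define, the DEBUG block and the assumption that line 335 sits inside a loop that closes descriptors before exec are reconstructions. The `&&` in the quoted while loop is lost in the archive and is restored here.

```c
/*
 * Added example: the three chrsh.c build complaints, each fixed.
 * Not the project's code; LOG_USEFILE, DEBUG and close_from() are
 * assumed from the three quoted lines only.
 */
#include <errno.h>   /* declares errno: fixes "`errno' undeclared" at line 335 */
#include <string.h>
#include <unistd.h>

/* Line 99: #undef takes a bare macro name; the path was the "extra token". */
#define LOG_USEFILE "/var/log/chrsh.log"
#undef  LOG_USEFILE

/* Line 186: #endif takes no operand; keep the hint as a comment instead. */
#ifdef DEBUG
#define DBG(msg) write(2, (msg), strlen(msg))
#else
#define DBG(msg) ((void)0)
#endif /* DEBUG */

/*
 * Line 335: retry close(2) only while it was interrupted by a signal.
 * Returns 0 on success, -1 on a real failure with errno set (e.g. EBADF).
 */
int close_fd(int fd)
{
    int r;
    do {
        r = close(fd);
    } while (r != 0 && errno == EINTR);
    return r;
}

/*
 * Assumed context for the loop: close every descriptor in [first, max_fd)
 * before exec so a child inherits nothing it should not. A real caller
 * would pass sysconf(_SC_OPEN_MAX) as max_fd. Returns the number of
 * descriptors that were open, or -1 on an error other than "not open".
 */
int close_from(int first, int max_fd)
{
    int fd, closed = 0;
    for (fd = first; fd < max_fd; fd++) {
        if (close_fd(fd) == 0)
            closed++;
        else if (errno != EBADF)
            return -1;
    }
    return closed;
}

/* Demonstration: a pipe gives two open descriptors; close_from() over the
 * read end alone reports exactly one, and the write end is still usable. */
int demo_close_from(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    if (close_from(p[0], p[0] + 1) != 1)
        return -2;
    if (close_fd(p[1]) != 0)               /* write end was still open */
        return -3;
    if (close_fd(p[0]) != -1 || errno != EBADF) /* already closed */
        return -4;
    return 0;
}
```

The two warnings are harmless to the build; only the missing `<errno.h>` stops it. One caveat on the retry loop itself: on Linux, close(2) documents that the descriptor is already released when EINTR is returned, so a retry there can only fail with EBADF (or, in a multithreaded program, hit a freshly reused descriptor); in a single-threaded login shell the loop is harmless.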