Re: simple pf match question

2011-01-31 Thread Peter Hessler
On 2011 Jan 30 (Sun) at 22:48:17 +0100 (+0100), Henning Brauer wrote:
:* Peter Hessler phess...@theapt.org [2011-01-30 22:23]:
: On 2011 Jan 30 (Sun) at 19:04:50 +0100 (+0100), Henning Brauer wrote:
: :* Stuart Henderson s...@spacehopper.org [2011-01-30 19:03]:
: : I disagree, I think it is worth mentioning explicitly - I have seen
: : a few people run into problems because they don't realise the implicit
: : rule is effectively pass flags any no state.
: :
: :hmm. ppl should not rely on the implicit pass at all.
: :last not least we put an explicit pass rule in the default pf.conf.
: :
: agreed, but this is a point of confusion for many.
:
:is that really the case?
:

Yes.  I've even done it a few times.


:that isn't new behaviour, and I don't remember anything in that
:direction coming up before.
:my fear is simply that: the more we talk about this default pass
:behaviour, the more ppl might find it clever to rely on it. and that
:is bad.
:

I think people are already trying to be clever.


-- 
HOW YOU CAN TELL THAT IT'S GOING TO BE A ROTTEN DAY:
#15 Your pet rock snaps at you.



smtpd.conf syntax.

2011-01-31 Thread David Walker
Howdy.

I was setting up smtpd on a machine today and I noticed a couple of issues.

This does not work:
accept from local for domain example.com relay
This does:
accept for domain example.com relay

I realize from local is the default.

This does not work:
accept from all deliver to maildir /var/mail/%d/%u
This does:
accept from all deliver to maildir /var/mail/%d/%u

Apparently quotations should only be needed for whitespace.

Bugs? Features? Documentation bugs?

Best wishes.



What if you decided to act quickly

2011-01-31 Thread Jordan Jet
If you cannot see this message, follow this link

For every file submitted via the Internet, 1 € is donated to the association
"Entrepreneurs du Monde", which supports tens of thousands of micro-enterprises
around the world by granting micro-credits to the most disadvantaged
entrepreneurs. The association's slogan is "With almost nothing you can change
almost everything."

Amicable and judicial debt collection, France & International

since 1970

For the collection of your unpaid debts:
NO SUCCESS, NO FEES

Also benefit from the ALL-INCLUSIVE option
The costs of judicial proceedings are advanced by FRANCE CREANCES.

The ALL-INCLUSIVE option is offered to you when the file is handed over.

A company specialising since 1970 in amicable and judicial debt collection, in
France and internationally, FRANCE CREANCES is a member of the ANCR and a
signatory of the professional code of ethics, which requires professional
liability insurance, taken out with Cie MMA. ISO 9001 certification (issued by
AFAQ) guarantees compliance with the procedures for handling the collection
files entrusted to FRANCE CREANCES. Collected amounts are paid out on the 30th
of each month, and the company's balance sheet shows very clearly the sums
available on behalf of its clients, in addition to a bank guarantee. Referenced
by hundreds of SMEs/SMIs, FRANCE CREANCES also acts for large groups, banks and
public industrial and commercial establishments. The international processing
centre of FRANCE CREANCES works in English, German, Spanish, Italian and Polish.

To unsubscribe, click here



Re: Printing (well anything) using lpd...

2011-01-31 Thread Dennis den Brok
Jan Stary h...@stare.cz wrote:
 fo just forces a form feed;
 it doesn't turn PS support on/off or whatever.

Certainly not, but it seems the printer is picky about recognizing
PostScript as such. I don't know what data actually hits the wire,
maybe there is some bogus data sent before the actual PostScript,
but the form feed apparently cures that. Funnily, I only need this
under NetBSD.  Under OpenBSD, it does not have any effect, printing
always works, or rather works even worse but with pleasant effect:
first, an essentially blank page with a few characters sprinkled
across is printed, but then the PostScript sent is printed correctly.

As this is still a problem for me and I don't know how to fix it,
maybe I may hijack this thread and ask for a possible solution?

Thanks,
Dennis den Brok



Re: Printing (well anything) using lpd...

2011-01-31 Thread Otto Moerbeek
On Mon, Jan 31, 2011 at 09:37:24AM +, Dennis den Brok wrote:

 Jan Stary h...@stare.cz wrote:
  fo just forces a form feed;
  it doesn't turn PS support on/off or whatever.
 
 Certainly not, but it seems the printer is picky about recognizing
 PostScript as such. I don't know what data actually hits the wire,
 maybe there is some bogus data sent before the actual PostScript,
 but the form feed apparently cures that. Funnily, I only need this
 under NetBSD.  Under OpenBSD, it does not have any effect, printing
 always works, or rather works even worse but with pleasant effect:
 first, an essentially blank page with a few characters sprinkled
 across is printed, but then the PostScript sent is printed correctly.
 
 As this is still a problem for me and I don't know how to fix it,
 maybe I may hijack this thread and ask for a possible solution?
 
 Thanks,
 Dennis den Brok

printcap sh is your friend.

-Otto



Re: smtpd.conf syntax.

2011-01-31 Thread David Walker
I should have mentioned this is on 4.8 and of course it could be user
error which wouldn't surprise me overly.

Best wishes.



Protect your BCC Credito Cooperativo account.

2011-01-31 Thread BCC Credito Cooperativo S.C.R.L
Dear Customer,

We have detected irregular activity on your BCC
Internet banking account on 31/01/2011.

For your protection, it is necessary to verify this
activity before you can continue to use the
account.

Please download the document attached to this
e-mail to review the activity on your account.

We will review the activity on your account
with you and, upon verification,

this will allow us to remove the restrictions imposed on
your account.

If you choose to ignore our request, we will have no choice
but to temporarily suspend your account.

If you choose to ignore our request, we will have no choice
but to temporarily suspend your account.

We ask you to allow at least 72 hours for the case to be
investigated, and we advise you to check your account at that
time.

Best regards,
Roberto Baggio
Customer Communications Manager


© Copyright BCC Credito Cooperativo 2011 - All rights
reserved

[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a 
name of BCC Credito Cooperativo.16605DEFANGED-html]



Re: simple pf match question

2011-01-31 Thread Henning Brauer
* Peter Hessler phess...@theapt.org [2011-01-31 09:37]:
 On 2011 Jan 30 (Sun) at 22:48:17 +0100 (+0100), Henning Brauer wrote:
 :* Peter Hessler phess...@theapt.org [2011-01-30 22:23]:
 : On 2011 Jan 30 (Sun) at 19:04:50 +0100 (+0100), Henning Brauer wrote:
 : :* Stuart Henderson s...@spacehopper.org [2011-01-30 19:03]:
 : : I disagree, I think it is worth mentioning explicitly - I have seen
 : : a few people run into problems because they don't realise the implicit
 : : rule is effectively pass flags any no state.
 : :
 : :hmm. ppl should not rely on the implicit pass at all.
 : :last not least we put an explicit pass rule in the default pf.conf.
 : :
 : agreed, but this is a point of confusion for many.
 :
 :is that really the case?
 :
 
 Yes.  I've even done it a few times.
 
 
 :that isn't new behaviour, and I don't remember anything in that
 :direction coming up before.
 :my fear is simply that: the more we talk about this default pass
 :behaviour, the more ppl might find it clever to rely on it. and that
 :is bad.
 :
 
 I think people are already trying to be clever.

then i change my mind and we should add a note that the default pass
behaviour (NOT rule, even tho there kinda is a default rule
internally...) doesn't lead to state creation.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: SOCKS proxying software?

2011-01-31 Thread R0me0 ***
Try search by proxychains it may help you

Best Regards,


spawn

2011/1/28 Jiri B. ji...@live.com

 On Fri, Jan 28, 2011 at 07:52:34AM -0800, James Hozier wrote:
  I'm looking for a program that I can use to use SOCKS proxies for various
 programs,
  such as different IRC clients (ircII, irssi, etc.) and SSH as well (or
 other programs
  that don't have native SOCKS proxy support built-in).

 dsocks - but you will have dns leaks...

  For SSH I Googled a lot of articles on how to run SSH as a proxy server,
 but not how
  to SSH using a proxy.

 Check 'ProxyCommand' in manpage, you can use netcat for that.

  Since tsocks is very obsolete and dsocks is very limited in its support
 with programs,
  is dante the only viable option I currently have? (Since dsocks and dante
 conflict with
  trying to pkg_add I can only have one.)

 what's wrong with dsocks? it's ld_preload hack like tsocks...

 try redsocks - http://darkk.net.ru/redsocks/

 i tried on linux only because i wanted to socksify vmware remote console
 and it worked,
 i haven't had enough time to try it on openbsd.

 jirib



Re: smtpd.conf syntax.

2011-01-31 Thread Gilles Chehade
On Mon, Jan 31, 2011 at 06:04:12PM +1030, David Walker wrote:
 Howdy.
 
 I was setting up smtpd on a machine today and I noticed a couple of issues.
 
 This does not work:
 accept from local for domain example.com relay
 This does:
 accept for domain example.com relay
 
 I realize from local is the default.
 

bug, it is the default indeed but from local should work


 This does not work:
 accept from all deliver to maildir /var/mail/%d/%u
 This does:
 accept from all deliver to maildir /var/mail/%d/%u


should work, if it doesnt it's a bug

 
 Apparently quotations should only be needed for whitespace.
 
 Bugs? Features? Documentation bugs?
 
 Best wishes.
 

Will let you know when it's fixed

-- 
Gilles Chehade
freelance developer/sysadmin/consultant

   http://www.poolp.org



Re: NO-IP not updating!

2011-01-31 Thread Leslie Jensen

On 2011-01-27 16:39, Orestes Leal R. wrote:

On Wed, Jan 26, 2011 at 10:56:02AM +0100, Leslie Jensen wrote:

Upon installation of noip I ran the command noip2 -C to configure it.

I want noip to run a script every 30 minutes that sends a mail to me
at the end of the updating of the address.

So I choose the settings accordingly when configuring noip.

I've put the following in my /etc/rc.local

--
# Add your local startup actions here.

/usr/local/sbin/noip2 &

echo '.'
--

When the machine is booted I get the mail, but I do not get the
updates every 30 minutes as I should.


I don't think the mail gets to you. If you run noip2 without the '&'
I think it will work; you put the process in the background and
that's why the mail can't get delivered, for some reason. This happens
to me in other situations.


Top shows the process
6013 _noip 2 0 428K 916K idle select 0:00 0.00% noip2

Everything looks fine, but note that you didn't get noip from ports (so
it may be incompatible with OpenBSD). Try posting your configuration,
running noip in debug mode (if it has one), or switching to
net/ddclient.

Joachim






I tried your suggestion of removing the '&' but it had no effect
whatsoever.

I'll try out the suggestion with debug mode.

/Leslie



Re: NO-IP not updating!

2011-01-31 Thread Leslie Jensen

On 2011-01-26 19:05, Jeff Ross wrote:

On 01/26/11 10:44, Leslie Jensen wrote:

Abel Abraham Camarillo Ojeda skrev 2011-01-26 16:39:

On Wed, Jan 26, 2011 at 3:56 AM, Leslie Jensenles...@eskk.nu wrote:

Hello list.

I'm quite new to Openbsd, have used Freebsd for a while.

I have a newly installed Openbsd system.
OpenBSD machine01.no-ip.org 4.8 GENERIC.MP#335 amd64

Upon installation of noip I ran the command noip2 -C to configure it.

I want noip to run a script every 30 minutes that sends a mail to me
at the
end of the updating of the address.

So I choose the settings accordingly when configuring noip.

I've put the following in my /etc/rc.local

--
# Add your local startup actions here.

/usr/local/sbin/noip2 &

echo '.'
--

When the machine is booted I get the mail, but I do not get the updates
every 30 minutes as I should.

I cannot see if the the daemon starts because the line at the startup

screen

shows only starting local daemons:,

The command:
# ps -aux | grep noip

Gives

_noip  6013  0.0  0.2   428   916 ??  Is   10:04AM   0:00.01 /usr/local/sb

Top shows the process
 6013 _noip   2   0  428K  916K idle  select  0:00  0.00% noip2


If I kill that process and start noip2 from the command line it also
sends
the mail at start up but not after the following 30 minutes.

I'm not sure whether noip is running every 30 minutes I've been tailing
/var/log/messages and I cannot see anything related to noip there.

Can anyone on this list point me in the right direction?

Thanks

/Leslie




cron(8), maybe?


It is supposed to work as a daemon with no need for cron!
/L





ktrace the process.

man ktrace and pay attention to how to stop the ktrace process

and

man kdump to see how to read the output.

Hope that helps!

Jeff


I tried ktrace and I could see that things happened with the update 
interval on noip2 set to 2 minutes.


Unfortunately I'm no master at interpreting the output ;-)

Here's an output from ktrace:

--
# kdump
 11273 noip2    EMUL  "native"
 11273 noip2    RET   select 0
 11273 noip2    CALL  gettimeofday(0x7f7c1960,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  gettimeofday(0x7f7c1960,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  stat(0x20fbe0076,0x7f7c1a00)
 11273 noip2    NAMI  "/etc/resolv.conf"
 11273 noip2    RET   stat 0
 11273 noip2    CALL  gettimeofday(0x7f7c1910,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  open(0x20fbdd713,0,0x1b6)
 11273 noip2    NAMI  "/etc/hosts"
 11273 noip2    RET   open 1
 11273 noip2    CALL  fstat(0x1,0x7f7c1d50)
 11273 noip2    RET   fstat 0
 11273 noip2    CALL  mprotect(0x205729000,0x1000,0x3)
 11273 noip2    RET   mprotect 0
 11273 noip2    CALL  mprotect(0x205729000,0x1000,0x1)
 11273 noip2    RET   mprotect 0
 11273 noip2    CALL  read(0x1,0x208422000,0x4000)
 11273 noip2    GIO   fd 1 read 310 bytes
       "#   $OpenBSD: hosts,v 1.12 2009/03/10 00:42:13 deraadt Exp $
#
# Host Database
#
# RFC 1918 specifies that these networks are "internal".
# 10.0.0.0  10.255.255.255
# 172.16.0.0    172.31.255.255
# 192.168.0.0   192.168.255.255
#
127.0.0.1   localhost
::1 localhost
172.18.0.1  machine01.no-ip.org machine01
       "
 11273 noip2    RET   read 310/0x136
 11273 noip2    CALL  read(0x1,0x208422000,0x4000)
 11273 noip2    RET   read 0
 11273 noip2    CALL  close(0x1)
 11273 noip2    RET   close 0
 11273 noip2    CALL  gettimeofday(0x7f7c18c0,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  gettimeofday(0x7f7c1050,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  gettimeofday(0x7f7c0bd0,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  gettimeofday(0x7f7c0ac0,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  gettimeofday(0x7f7c1090,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  getpid()
 11273 noip2    RET   getpid 11273/0x2c09
 11273 noip2    CALL  getpid()
 11273 noip2    RET   getpid 11273/0x2c09
 11273 noip2    CALL  getpid()
 11273 noip2    RET   getpid 11273/0x2c09
 11273 noip2    CALL  getpid()
 11273 noip2    RET   getpid 11273/0x2c09
 11273 noip2    CALL  getpid()
 11273 noip2    RET   getpid 11273/0x2c09
 11273 noip2    CALL  gettimeofday(0x7f7c1080,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  gettimeofday(0x7f7c08b0,0)
 11273 noip2    RET   gettimeofday 0
 11273 noip2    CALL  socket(0x2,0x2,0)
 11273 noip2    RET   socket 1
 11273 noip2    CALL  connect(0x1,0x20ff1c918,0x10)
 11273 noip2    RET   connect 0
 11273 noip2    CALL  sendto(0x1,0x7f7c11f0,0x25,0,0,0)
 11273 noip2    GIO   fd 1 wrote 37 bytes
       "\M^N\M^B\^A\0\0\^A\0\0\0\0\0\0
dynupdate\^Eno-ip\^Ccom\0\0\^A\0\^A

 

Re: Printing (well anything) using lpd...

2011-01-31 Thread Dennis den Brok
Otto Moerbeek o...@drijf.net wrote:
 printcap sh is your friend.

It is indeed, thank you.

--
Dennis den Brok



Re: Printing (well anything) using lpd...

2011-01-31 Thread Jacob Meuser
On Mon, Jan 31, 2011 at 09:37:24AM +, Dennis den Brok wrote:
 Jan Stary h...@stare.cz wrote:
  fo just forces a form feed;
  it doesn't turn PS support on/off or whatever.
 
 Certainly not, but it seems the printer is picky about recognizing
 PostScript as such. I don't know what data actually hits the wire,
 maybe there is some bogus data sent before the actual PostScript,
 but the form feed apparently cures that. Funnily, I only need this
 under NetBSD.  Under OpenBSD, it does not have any effect, printing
 always works, or rather works even worse but with pleasant effect:
 first, an essentially blank page with a few characters sprinkled
 across is printed, but then the PostScript sent is printed correctly.
 
 As this is still a problem for me and I don't know how to fix it,
 maybe I may hijack this thread and ask for a possible solution?

:sh: ?

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



PPPoE for IPv6

2011-01-31 Thread Martin Schmitt
Now I'm in trouble! ;-)

I've been using IPv6 via tunnel for a while, with decent success.

Lately, I have found an ISP here in Germany who hands out free native
IPv6 access, which is to be used on top of the existing DSL line. And I
already have an account with them.

How do I configure PPPoE for IPv6? Is the example from pppoe(4), with
the 0.0.0.0 etc. dummy addresses, also valid for a pure IPv6 connection,
or do I have to set it up in a different way? (I have never before
configured PPPoE on OpenBSD.)

Kind regards,

-martin

--
Martin Schmitt / Schmitt Systemberatung / www.scsy.de
-- http://www.pug.org/index.php/Benutzer:Martin --

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: simple pf match question

2011-01-31 Thread Jason McIntyre
On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
 
 then i change my mind and we should add a note that the default pass
 behaviour (NOT rule, even tho there kinda is a default rule
 internally...) doesn't lead to state creation.
 

it's not going to be easy deciding where to insert this text, but we can
have a go. but first, i have questions ;(

firstly, what is the reason for the no state of packets passed by
default (i.e. without matching a rule)? we do say:

By default pf(4) filters packets statefully...

but it does not then, for these (default ;( packets.

secondly i'm not sure i like our explanation of state:

By default pf(4) filters packets statefully: the first time
a packet matches a pass rule, a state entry is created; for
subsequent packets the filter checks whether the packet
matches any state.

that any state text at the end is horribly ambiguous. should that say
any state entry? and what does a state entry look like?

jmc



PF: Route packets out specific interface with NAT

2011-01-31 Thread Joachim Tingvold

Hi,

I'm trying to set up two redundant gateways using OpenBSD 4.8, CARP  
and PF (see below for setup details).


I want to force packets incoming on carp1, out on carp0 (and NAT it,  
using carp0's IP).


Here's the output from /etc/pf.conf on GW0;


# Interfaces
pfsync_if="em4"
ext_if="trunk0"
int_if="trunk1"
ext_carp_if="carp0"
int_carp_if="carp1"
all_ext_if="{ $ext_if $ext_carp_if }"
all_int_if="{ $int_if $int_carp_if }"
all_if="{ $ext_if $ext_carp_if $int_if $int_carp_if }"

# IPs
ext_gw="138.138.1.1"

# Allowed ICMP-types
icmp_types="{ echorep, echoreq, timex, paramprob, unreach code needfrag }"

# Blocked nets
table <blocked_nets> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

# Our networks
our_int_net="{ 10.162.0.0/16 }"

# Options and NAT
set block-policy drop            # Packets that are blocked will be dropped
set loginterface $ext_carp_if    # Log things if specified in filters
set skip on lo                   # Skip filtering on loopback interface(s)

# NAT all requests from our network
match out on $ext_carp_if inet from $our_int_net to any nat-to $ext_carp_if

# Rules
block in log                     # Default deny
block in quick from urpf-failed  # Spoofed address protection
match in all scrub (no-df)       # Scrub incoming packets

# Enable pfsync
pass quick on $pfsync_if proto pfsync keep state (no-sync)
# Enable CARP
pass quick on { $ext_if, $int_if } proto carp keep state (no-sync)

# Block stuff (-:
block in quick log on $all_ext_if from <blocked_nets> to any
block out quick log on $all_ext_if from any to <blocked_nets>

pass out on $int_carp_if to $our_int_net
pass in quick on $all_int_if from $our_int_net to $all_int_if
pass in on $int_carp_if proto { tcp, udp, icmp } from $our_int_net \
    route-to ($ext_carp_if $ext_gw)

pass out on $all_ext_if



This does not work at all. If I change

	match out on $ext_carp_if inet from $our_int_net to any nat-to $ext_carp_if


to

	match out on $all_ext_if inet from $our_int_net to any nat-to $all_ext_if


it works, except that it NATs to trunk0's IP-address instead of  
carp0's IP-address (which is somewhat expected).


I'm guessing it has something to do with the fact that the systems  
default gateway is listed with trunk0 as the outgoing interface. I've  
tried to change the default gateway;


root@gw1:~# route add -net 0.0.0.0/0 -iface carp0 137.138.1.1
route: carp0: bad address

but that doesn't seem to work.

I guess I'm missing something essential, but I can't figure out what.  
Any help is appreciated.




The system is configured in the following way;

GW0:
em0 + em1 -> trunk0 (137.138.10.11) -> carp0 (137.138.10.10), master
em2 + em3 -> trunk1 (10.162.56.3) -> carp1 (10.162.56.2), master
em4 (172.16.16.1) -> pfsync0

Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            137.138.1.1        UGS        1    25217     -     8 trunk0
10.162/16          link#10            UCS        0        0     -     8 trunk1
10.162.56/24       link#10            UC         1        0     -     4 trunk1
10.162.56.2        10.162.56.2        UH         0        4     -     4 carp1
10.162.56.3        00:30:48:c9:a1:1d  UHLc       0        2     -     4 lo0
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         1      120 33160     4 lo0
137.138/16         link#9             UC         3        0     -     4 trunk0
137.138.1.1        0a:00:30:89:0b:01  UHLc       1        2     -     4 trunk0
137.138.10.10      137.138.11.19      UH         0        4     -     4 carp0
137.138.10.11      00:30:48:c9:a1:1c  UHLc       0        6     -     4 lo0
172.16.16/24       link#5             UC         0        0     -     4 em4
224/4              127.0.0.1          URS        0        0 33160     8 lo0



GW1:
em0 + em1 -> trunk0 (137.138.10.12) -> carp0 (137.138.10.10), backup
em2 + em3 -> trunk1 (10.162.56.4) -> carp1 (10.162.56.2), backup
em4 (172.16.16.2) -> pfsync0

Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            137.138.1.1        UGS        1     1541     -     8 trunk0
10.162/16          10.162.56.1        UGS        0      802     -     8 trunk1
10.162.56/24       link#10            UC         1        0     -     4 trunk1
10.162.56.1        00:16:b9:0f:f9:80  UHLc       1        0     -     4 trunk1
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         1      120 33160     4 lo0
137.138/16         link#9             UC         4        0     -     4 trunk0
137.138.1.1        0a:00:30:89:0b:01  UHLc       1        0     -     4 trunk0
172.16.16/24       link#5             UC         1        0     -     4 em4
172.16.16.2        00:1b:21:90:c1:96  UHLc       0        2     -     4 lo0
224/4

Re: PF: Route packets out specific interface with NAT

2011-01-31 Thread Joachim Tingvold

On Mon, Jan 31, 2011, at 18:24:04PM GMT+01:00, Joachim Tingvold wrote:
match out on $ext_carp_if inet from $our_int_net to any nat-to  
$ext_carp_if


Do I also need to consider reply-to for this to work?

--
Joachim



Re: PF: Route packets out specific interface with NAT

2011-01-31 Thread Patrick Lamaiziere
On Mon, 31 Jan 2011 18:24:04 +0100,
Joachim Tingvold joac...@tingvold.com wrote:

 Hi,

Hello,

 This does not work at all. If I change

http://www.openbsd.org/faq/pf/carp.html#RulesetTips

+ Ruleset Tips
Filter the physical interface. As far as PF is concerned, network
traffic comes from the physical interface, not the CARP virtual
interface (i.e., carp0). ;



Re: smtpd.conf syntax.

2011-01-31 Thread David Walker
Hi Gilles.

On 31/01/2011, Gilles Chehade gil...@poolp.org wrote:
 On Mon, Jan 31, 2011 at 06:04:12PM +1030, David Walker wrote:

 bug, it is the default indeed but from local should work

 should work, if it doesnt it's a bug

 Will let you know when it's fixed

 Gilles Chehade

Thanks for looking at these.

I've had some issues with aliases and virtuals (using plain format)
- comparing with the sendmail documentation and the examples provided
in the default /etc/mail maps.
AFAIU there are known issues with maps on 4.8 but I'll make some time
and document that stuff anyway.

The pf syntax is very encouraging to someone who's never done mail before.
Thanks for your cool work.

Best wishes.



Re: PF: Route packets out specific interface with NAT

2011-01-31 Thread Joachim Tingvold

On Mon, Jan 31, 2011, at 18:53:29PM GMT+01:00, Patrick Lamaiziere wrote:

This does not work at all. If I change


http://www.openbsd.org/faq/pf/carp.html#RulesetTips

+ Ruleset Tips
Filter the physical interface. As far as PF is concerned, network
traffic comes from the physical interface, not the CARP virtual
interface (i.e., carp0). ;


Okay, but where does the line go between the two? I mean, does this mean
I can't use the carp-interface in the route-to at all?

pass in log on $int_if proto { tcp, udp, icmp } from $our_int_net
route-to {($ext_carp_if $ext_gw)}

I'm feeling a bit stupid now... (-:

--
Joachim



test for installed status of package, ports questions

2011-01-31 Thread travis
Hey all,

I have a script to sort of kickstart an installation after doing a
bare install of OpenBSD, and it's designed to be idempotent (won't
hurt to run it several times).

Currently I install some packages, but that's a bit of a time-waster
in that it will reinstall.  Is there a way I can test for whether a
package has been installed already, given only the package name, and
not necessarily the executable name (if there is one)?  I tried
pkg_info and the exit code is zero even if the package isn't
installed.

Also, I've noticed that if I don't have X11 installed, I can't seem to
install certain packages (such as subversion) and certain ports
(EMACS, and even if I set FLAVOR=no_x11).  What's up with that?
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: simple pf match question

2011-01-31 Thread Henning Brauer
* Jason McIntyre j...@kerhand.co.uk [2011-01-31 18:14]:
 On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
  then i change my mind and we should add a note that the default pass
  behaviour (NOT rule, even tho there kinda is a default rule
  internally...) doesn't lead to state creation.
 it's not going to be easy deciding where to insert this text, but we can
 have a go. but first, i have questions ;(
 
 firstly, what is the reason for the no state of packets passed by
 default (i.e. without matching a rule)? we do say:

well, gotta do something when nothing matches. and we do basically
nothing, i. e. not dropping the packet. that makes pf enabled but no
ruleset pretty much equivalent to pf disabled (well, practically
speaking at least). and i that's sane semantics imho.

   By default pf(4) filters packets statefully...
 but it does not then, for these (default ;( packets.

when you have no matching rules it doesn't filter ;)

 secondly i'm not sure i like our explanation of state:
 
 By default pf(4) filters packets statefully: the first time
 a packet matches a pass rule, a state entry is created; for
 subsequent packets the filter checks whether the packet
 matches any state.
 
 that any state text at the end is horribly ambiguous. should that say
 any state entry?

puh. not sure we're on the road to overengineering here.
basically, the flow is like this:
-we do a state lookup. if we find a matching state, we apply actions
 associated with it and are done.
-if no state matched we traverse the ruleset. then there are 3 cases:
 1) the combo of match rules that matched and a pass rule decide on the
actions and state creation
 2) last matching rule was a block rule. we might send back an RST or
an icmp error, then drop the packet
 3) nothing matched, we do nothing, basically

 and what does a state entry look like?

i don't get what you're after with that - a state is a struct, with a
couple of associated structs. a more detailed explanation of the new
state table logic is in my faster packets slides:
http://quigon.bsws.de/papers/2009/eurobsdcon-faster_packets/
especially slide 40 to 52

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
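
As an added illustration (not OpenBSD code), this Python model follows the flow Henning describes: state lookup first, then ruleset traversal with last-match-wins, 'quick' and 'match' rules, then one of the three outcomes, including the default pass that creates no state. The rules and packets are constructed, and interfaces and TCP flags are left out of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                      # "pass", "block" or "match"
    direction: Optional[str] = None  # None matches either direction
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False              # stop traversal at this rule
    keep_state: bool = True          # a pass rule creates state unless "no state"
    tags: Tuple[str, ...] = ()       # actions a match rule contributes (e.g. "nat")

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == getattr(p, attr)
                   for attr, want in (("direction", self.direction),
                                      ("proto", self.proto),
                                      ("dport", self.dport)))


class Pf:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Dict[tuple, List[str]] = {}   # flow key -> stored actions

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-independent key so the reply of a flow finds the same state.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def filter(self, p: Packet) -> dict:
        key = self._key(p)
        # 1) State lookup: a hit applies the stored actions and skips the ruleset.
        if key in self.states:
            return {"verdict": "pass", "via": "state", "tags": list(self.states[key])}
        # 2) No state: traverse the ruleset; last matching rule wins unless quick.
        tags: List[str] = []
        last: Optional[Rule] = None
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.action == "match":
                tags.extend(r.tags)  # match rules never decide, they only add actions
                continue
            last = r
            if r.quick:
                break
        # 3) Nothing matched: the packet passes but NO state entry is created,
        #    so the reply will have to get through the ruleset on its own.
        if last is None:
            return {"verdict": "pass", "via": "default", "tags": tags}
        # 3) Last matching rule was block: drop (pf may also send RST/ICMP error).
        if last.action == "block":
            return {"verdict": "block", "via": "rule", "tags": tags}
        # 3) Pass rule plus the accumulated match actions; create state.
        if last.keep_state:
            self.states[key] = list(tags)
        return {"verdict": "pass", "via": "rule", "tags": tags}


def example_ruleset() -> List[Rule]:
    # Constructed ruleset in the spirit of the pf.conf posted in this digest.
    return [
        Rule("block", direction="in"),                               # block in
        Rule("block", direction="in", dport=22, quick=True),         # block in quick ... port 22
        Rule("pass", direction="in", proto="tcp", dport=22),         # never wins: quick above
        Rule("pass", direction="in", proto="tcp", dport=80),         # pass in proto tcp to port 80
        Rule("match", direction="out", proto="tcp", tags=("nat",)),  # match out ... nat-to
        Rule("pass", direction="out", proto="tcp"),                  # pass out proto tcp
    ]


def demo() -> Dict[str, dict]:
    pf = Pf(example_ruleset())
    web = Packet("out", "tcp", "10.0.0.5", 40000, "192.0.2.1", 80)
    web_reply = Packet("in", "tcp", "192.0.2.1", 80, "10.0.0.5", 40000)
    dns = Packet("out", "udp", "10.0.0.5", 53000, "192.0.2.53", 53)
    dns_reply = Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 53000)
    ssh_in = Packet("in", "tcp", "198.51.100.7", 51000, "10.0.0.5", 22)
    web_in = Packet("in", "tcp", "198.51.100.7", 51001, "10.0.0.5", 80)
    return {
        "web": pf.filter(web),              # pass by rule, state created
        "web_reply": pf.filter(web_reply),  # pass by state lookup, ruleset skipped
        "dns": pf.filter(dns),              # no rule matched: default pass, no state
        "dns_reply": pf.filter(dns_reply),  # no state to match, "block in" drops it
        "ssh_in": pf.filter(ssh_in),        # quick block wins over the later pass
        "web_in": pf.filter(web_in),        # last matching rule (pass) wins
    }
```

The dns/dns_reply pair is the case Stuart warns about: the outbound packet was passed by default, so nothing stateful lets the answer back in.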



host(1) oddities

2011-01-31 Thread travis+ml-openbsd-misc
Hey all,

I ran host www.google.com on a new OpenBSD 4.8 install and got this:

13:50:28.132052 127.0.0.1.41209 > 127.0.0.1.48830: udp 31
13:50:28.132081 127.0.0.1 > 127.0.0.1: icmp: 127.0.0.1 udp port 48830 unreachable
13:50:29.133552 ::1.38033 > ::1.48830: udp 31
13:50:29.133577 ::1 > ::1: icmp6: ::1 udp port 48830 unreachable
13:50:34.143471 127.0.0.1.41209 > 127.0.0.1.48830: udp 31

What gives?  Nothing's on port 48830; should there be something there?
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: simple pf match question

2011-01-31 Thread Joachim Schipper
On Mon, Jan 31, 2011 at 05:10:04PM +, Jason McIntyre wrote:
 On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
  then i change my mind and we should add a note that the default pass
  behaviour (NOT rule, even tho there kinda is a default rule
  internally...) doesn't lead to state creation.

 firstly, what is the reason for the no state of packets passed by
 default (i.e. without matching a rule)?

I imagine: the least surprising "no pf" default behaviour is passing all
packets (given net.inet.ip.forwarding=1); this should hold even if
you're in some odd asymmetric routing setup where pf's state-tracking
would not work.

Joachim

-- 
PotD: security/scrypt - command-line encryption using scrypt key
derivation function
http://www.joachimschipper.nl/



Re: PF: Route packets out specific interface with NAT

2011-01-31 Thread Joachim Tingvold

On Mon, Jan 31, 2011, at 19:19:09PM GMT+01:00, Joachim Tingvold wrote:

Okay, but where does the line go between the two? I mean, does this mean
I can't use the carp-interface in the route-to at all?

pass in log on $int_if proto { tcp, udp, icmp } from $our_int_net
route-to {($ext_carp_if $ext_gw)}

I'm feeling a bit stupid now... (-:


So, I figured out what the problem is; I tested everything from the  
gateway-machine itself, which then seems to push packets generated  
locally, out the trunk0-interface. For all nodes on the local network,  
the NAT works as expected (using the IP of the carp0-interface).


--
Joachim



Re: simple pf match question

2011-01-31 Thread Jason McIntyre
On Mon, Jan 31, 2011 at 08:41:02PM +0100, Henning Brauer wrote:
 * Jason McIntyre j...@kerhand.co.uk [2011-01-31 18:14]:
  On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
   then i change my mind and we should add a note that the default pass
   behaviour (NOT rule, even tho there kinda is a default rule
   internally...) doesn't lead to state creation.
  it's not going to be easy deciding where to insert this text, but we can
  have a go. but first, i have questions ;(
  
  firstly, what is the reason for the no state of packets passed by
  default (i.e. without matching a rule)? we do say:
 
 well, gotta do something when nothing matches. and we do basically
 nothing, i. e. not dropping the packet. that makes pf enabled but no
 ruleset pretty much equivalent to pf disabled (well, practically
 speaking at least). and i that's sane semantics imho.
 

ok

  By default pf(4) filters packets statefully...
  but it does not then, for these (default ;( packets.
 
 when you have no matching rules it doesn't filter ;)
 
  secondly i'm not sure i like our explanation of state:
  
  By default pf(4) filters packets statefully: the first time
  a packet matches a pass rule, a state entry is created; for
  subsequent packets the filter checks whether the packet
  matches any state.
  
  that any state text at the end is horribly ambiguous. should that say
  any state entry?
 
 puh. not sure we're on the road to overengineering here.
 basically, the flow is like this:
 -we do a state lookup. if we find a matching state, we apply actions
  associated with it and are done.
 -if no state matched we traverse the ruleset. then there are 3 cases:
  1) the combo of match rules that matched and a pass rule decide on the
 actions and state creation
  2) last matching rule was a block rule. we might send back an RST or
 an icmp error, then drop the packet
  3) nothing matched, we do nothing, basically
 

it's this thing about matching any state. i can't get my head
properly round it. being blocked, that's a state. so is being
excited. so i'm asking if keep state works by matching packets
to entries in the state table (or whatever it is) or if it really
is correct that pf checks whether it matches any state. any state
equals all possible states.

  and what does a state entry look like?
 
 i don't get what you're after with that - a state is a struct, with a
 couple of associated structs. a more detailed explanation of the new
 state table logic is in my faster packets slides:
 http://quigon.bsws.de/papers/2009/eurobsdcon-faster_packets/
 especially slide 40 to 52
 

i'm just curious - it would help me understand the any state text.

jmc



Re: test for installed status of package, ports questions

2011-01-31 Thread Joachim Schipper
On Mon, Jan 31, 2011 at 01:29:40PM -0600, tra...@subspacefield.org wrote:
 I have a script to sort of kickstart an installation after doing a
 bare install of OpenBSD, and it's designed to be idempotent (won't
 hurt to run it several times).
 
 Currently I install some packages, but that's a bit of a time-waster
 in that it will reinstall.  Is there a way I can test for whether a
 package has been installed already, given only the package name, and
 not necessarily the executable name (if there is one)?  I tried
 pkg_info and the exit code is zero even if the package isn't
 installed.

Try pkg_info | grep -q; or make pkg_info write to a file for faster
processing.

 Also, I've noticed that if I don't have X11 installed, I can't seem to
 install certain packages (such as subversion) and certain ports
 (EMACS, and even if I set FLAVOR=no_x11).  What's up with that?

xbase is now mandatory for packages, even no_x11 ones. Too many packages
require some graphics library or other. (If you really want to minimize
space, you can manually pick the required libraries out of xbase. But
that's unlikely to be worth the trouble.)

Joachim

-- 
PotD: net/openvpn_bsdauth - BSD Auth helper program for OpenVPN
http://www.joachimschipper.nl/



Re: test for installed status of package, ports questions

2011-01-31 Thread Ted Unangst
On Mon, Jan 31, 2011 at 2:29 PM,  tra...@subspacefield.org wrote:

 Currently I install some packages, but that's a bit of a time-waster
 in that it will reinstall.  Is there a way I can test for whether a
 package has been installed already, given only the package name, and
 not necessarily the executable name (if there is one)?  I tried
 pkg_info and the exit code is zero even if the package isn't
 installed.

$ pkg_info | grep ^png- > /dev/null
$ echo $?
0
$ pkg_info | grep ^banana- > /dev/null
$ echo $?
1

 Also, I've noticed that if I don't have X11 installed, I can't seem to
 install certain packages (such as subversion) and certain ports
 (EMACS, and even if I set FLAVOR=no_x11).  What's up with that?

your whatchamacallit is undercalibrated.



Re: test for installed status of package, ports questions

2011-01-31 Thread Jan Stary
  I have a script to sort of kickstart an installation after doing a
  bare install of OpenBSD, and it's designed to be idempotent (won't
  hurt to run it several times).

  Currently I install some packages, but that's a bit of a time-waster
  in that it will reinstall.

 Is there a way I can test for whether a
  package has been installed already, given only the package name, and
  not necessarily the executable name (if there is one)?  I tried
  pkg_info and the exit code is zero even if the package isn't
  installed.

When asked to install an already installed package,
pkg_add does nothing (and exits with a zero status).

  Also, I've noticed that if I don't have X11 installed, I can't seem to
  install certain packages (such as subversion) and certain ports
  (EMACS, and even if I set FLAVOR=no_x11).  What's up with that?

man packages says

 Some flavors are also explicitly provided to avoid having to depend
 on the kitchen sink.  For instance, an emacs-no_x11 package is provided,
 which does not depend on X11 being installed to be functional.

What is the actual command you are using and what is the error message?
Also, how exactly are you using FLAVOR=no_x11 with _packages_ (not ports)?



Re: test for installed status of package, ports questions

2011-01-31 Thread Anthony J. Bentley
Hi Travis,

On Mon, Jan 31, 2011 at 12:29 PM,  tra...@subspacefield.org wrote:
 Currently I install some packages, but that's a bit of a time-waster
 in that it will reinstall.  Is there a way I can test for whether a
 package has been installed already, given only the package name, and
 not necessarily the executable name (if there is one)?  I tried
 pkg_info and the exit code is zero even if the package isn't
 installed.

Try pkg_info | grep pkgname.

 Also, I've noticed that if I don't have X11 installed, I can't seem to
 install certain packages (such as subversion) and certain ports
 (EMACS, and even if I set FLAVOR=no_x11).  What's up with that?

Covered in the FAQ:
http://www.openbsd.org/faq/faq4.html#FilesNeededX

--
Anthony J. Bentley



Re: Printing (well anything) using lpd...

2011-01-31 Thread Marc Espie
On Sun, Jan 30, 2011 at 01:51:15PM -0800, Sean Kamath wrote:
 %!
 newpath clippath stroke showpage
 
 These four commands were the smallest PostScript I could figure out to send to
 a printer to print something without burning up tons of toner.  It should
 produce a small line all the way around the page.

You want to set the linewidth too... printers with a high resolution 
(1200-2400 dpi) may give you a hard time seeing the line.



Re: simple pf match question

2011-01-31 Thread Paul M

On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:


then i change my mind and we should add a note that the default pass
behaviour (NOT rule, even tho there kinda is a default rule
internally...) doesn't lead to state creation.


Perhaps it could be worded in terms of what one should do instead of
what one should not do - something along the lines of:

By default pf(4) filters packets statefully: the first time
a packet matches a pass rule, a state entry is created. If
no pass rule is matched, no state is created for that packet.


paulm



Financial incentives

2011-01-31 Thread Agenzia-19
To unsubscribe from the newsletter do not reply to this mail; use remove. To
view the newsletter on the website click here

Debt Collection Service / Grants
for the creation of New Businesses, Lombardy Region / Grants
for Floriculture and Nursery Clusters
De Minimis Grants / New Initiatives

Grants
for e-commerce

Remove



Re: test for installed status of package, ports questions

2011-01-31 Thread Bryan
On Mon, Jan 31, 2011 at 13:29,  tra...@subspacefield.org wrote:
 Hey all,

 I have a script to sort of kickstart an installation after doing a
 bare install of OpenBSD, and it's designed to be idempotent (won't
 hurt to run it several times).

 Currently I install some packages, but that's a bit of a time-waster
 in that it will reinstall.  Is there a way I can test for whether a
 package has been installed already, given only the package name, and
 not necessarily the executable name (if there is one)?  I tried
 pkg_info and the exit code is zero even if the package isn't
 installed.

 Also, I've noticed that if I don't have X11 installed, I can't seem to
 install certain packages (such as subversion) and certain ports
 (EMACS, and even if I set FLAVOR=no_x11).  What's up with that?

You still need xbase for some instances, even if you specify no_x11.
I seem to remember that python needs some libs that are in xbase, even
if X is not used.



Re: simple pf match question

2011-01-31 Thread Henning Brauer
* Jason McIntyre j...@kerhand.co.uk [2011-01-31 21:45]:
  puh. not sure we're on the road to overengineering here.
  basically, the flow is like this:
  -we do a state lookup. if we find a matching state, we apply actions
   associated with it and are done.
  -if no state matched we traverse the ruleset. then there are 3 cases:
   1) the combo of match rules that matched and a pass rule decide on the
  actions and state creation
   2) last matching rule was a block rule. we might send back an RST or
  an icmp error, then drop the packet
   3) nothing matched, we do nothing, basically
 it's this thing about matching any state. i can't get my head
 properly round it. being blocked, that's a state. so is being
 excited. so i'm asking if keep state works by matching packets
 to entries in the state table (or whatever it is) or if it really
 is correct that pf checks whether it matches any state. any state
 equals all possible states.

i don't understand the confusion. we have a state table (let me
nitpick: it's a tree). a packet comes in. we do a lookup in the table,
looking for an entry where the key fields match the packet. keys are:

protocol
address family
src addr
dst addr
src port
dst port
rdomain

if there is a match we found a state key, not a state yet. so we start
to walk the list of states that hangs off the state key to find the
right one - there can be multiple with interface bound states.

now we have a state. that doesn't imply passing the packet yet, but at
this point we decided for that state and against ruleset evaluation.

now some more checks - there is a bit of timeout handling and for tcp
the sequence number checks, and the flags etc. if these all go ok we pass
the packet (and apply actions if requested, like NAT, routing etc). if
not, we block it.

   and what does a state entry look like?
  i don't get what you're after with that - a state is a struct, with a
  couple of associated structs. a more detailed explanation of the new
  state table logic is in my faster packets slides:
  http://quigon.bsws.de/papers/2009/eurobsdcon-faster_packets/
  especially slide 40 to 52
 i'm just curious - it would help me understand the any state text.

you need to come to conferences and see my talks ;)
the slides above handle exactly that.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
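The packet path Henning describes above (key lookup first, then the walk of the states hanging off the key because of interface-bound states, and only on a miss the ruleset with its three outcomes), together with his earlier summary of the three cases quoted in Jason's mail, as an added runnable model. This is illustrative code written for this digest, not pf's own code: the seven key fields are taken from the thread, but the rule matcher, the forward/reverse key pair per state, the `nat-to` label and the sample addresses are constructed assumptions, and pf's tree structure, TCP sequence-number and flag checks, timeouts and RST/ICMP replies are left out.

```python
"""Toy model of pf's packet path as described above (illustration, not pf code):
state lookup by key, walk of the states hanging off the key, and on a miss
the ruleset with last-match-wins; packets matching nothing pass without state."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, str, str, int, int, int]  # the lookup key fields

@dataclass
class Packet:
    proto: str
    af: int
    src: str
    dst: str
    sport: int
    dport: int
    rdomain: int = 0
    ifname: str = "em0"      # not part of the key; used for if-bound states

    def key(self) -> Key:
        return (self.proto, self.af, self.src, self.dst,
                self.sport, self.dport, self.rdomain)

    def reverse_key(self) -> Key:  # replies carry swapped addresses/ports
        return (self.proto, self.af, self.dst, self.src,
                self.dport, self.sport, self.rdomain)

@dataclass
class State:
    ifname: Optional[str]    # None = floating, else bound to one interface
    actions: List[str]       # options re-applied on every packet (nat-to, ...)

@dataclass
class Rule:
    action: str                   # "match", "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    if_bound: bool = False        # create an interface-bound state
    actions: List[str] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

class Filter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # key -> states hanging off it (a dict stands in for pf's tree)
        self.states: Dict[Key, List[State]] = {}

    def lookup_state(self, pkt: Packet) -> Optional[State]:
        for key in (pkt.key(), pkt.reverse_key()):
            # A key hit yields a state key, not a state yet: walk the list,
            # because an interface-bound state only matches on its interface.
            for st in self.states.get(key, []):
                if st.ifname is None or st.ifname == pkt.ifname:
                    return st
        return None

    def process(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Return (verdict, actions) for one packet."""
        st = self.lookup_state(pkt)
        if st is not None:
            # Decided for the state, against ruleset evaluation (pf's TCP
            # sequence/flag checks and timeout handling are omitted here).
            return ("pass", st.actions)
        collected: List[str] = []
        last: Optional[Rule] = None
        for rule in self.rules:            # last matching pass/block wins
            if not rule.matches(pkt):
                continue
            if rule.action == "match":     # match rules only collect options
                collected.extend(rule.actions)
                continue
            last = rule
        if last is None:                   # case 3: default pass, no state
            return ("pass", collected)
        if last.action == "block":         # case 2: block (RST/ICMP omitted)
            return ("block", [])
        actions = collected + last.actions  # case 1: pass and create a state
        ifname = pkt.ifname if last.if_bound else None
        self.states.setdefault(pkt.key(), []).append(State(ifname, actions))
        return ("pass", actions)

    def state_count(self) -> int:
        return sum(len(b) for b in self.states.values())

def demo() -> List[Tuple[str, str, int]]:
    """Constructed sample traffic; returns (label, verdict, states afterwards)."""
    pf = Filter([
        Rule("match", proto="tcp", actions=["nat-to 192.0.2.1"]),
        Rule("block", proto="tcp"),
        Rule("pass", proto="tcp", dport=22),
        Rule("pass", proto="tcp", dport=80, if_bound=True),
    ])
    lan, srv = "10.0.0.5", "198.51.100.7"
    traffic = [
        ("ssh", Packet("tcp", 4, lan, srv, 40000, 22)),
        ("ssh-reply", Packet("tcp", 4, srv, lan, 22, 40000)),  # state hit
        ("smtp", Packet("tcp", 4, lan, srv, 40001, 25)),       # block rule
        ("dns", Packet("udp", 4, lan, srv, 5353, 53)),         # no rule at all
        ("http-em0", Packet("tcp", 4, lan, srv, 40002, 80, ifname="em0")),
        ("http-em1", Packet("tcp", 4, lan, srv, 40002, 80, ifname="em1")),
    ]
    return [(label, pf.process(pkt)[0], pf.state_count()) for label, pkt in traffic]

if __name__ == "__main__":
    for row in demo():
        print("%-10s %-5s states=%d" % row)
```

The reply packet passes without the ruleset ever being consulted (the block rule would otherwise catch it), the UDP packet passes by default and leaves the state count unchanged, and the same HTTP flow seen on a second interface misses the em0-bound state and gets its own entry, which is the "multiple with interface bound states" case.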



nat static-port option

2011-01-31 Thread Josh Smith
misc@,

I recently acquired a playstation 3 and have been running into some
difficulties playing it online behind my openbsd gateway.  After doing
some research and testing I have been able to overcome most of these
problems by appending the static-port option to my nat rule.  I
understand the concept that this prevents pf from modifying the source
port on the packets as they are natted.  But I am curious as to what
implications flipping this switch has.  At least I'm guessing there
must be something since it is not the default behavior.


Thanks,
--
Josh Smith
KD8HRX
email/jabber:  juice...@gmail.com
phone:  304.237.9369(c)



Re: nat static-port option

2011-01-31 Thread Chris Cappuccio
the alternative is UPnP, which you'd need a supporting daemon to add port 
mappings into pf to support with an obsd gateway

Josh Smith [juice...@gmail.com] wrote:
 misc@,
 
 I recently acquired a playstation 3 and have been running into some
 difficulties playing it online behind my openbsd gateway.  After doing
 some research and testing I have been able to overcome most of these
 problems by appending the static-port option to my nat rule.  I
 understand the concept that this prevents pf from modifying the source
 port on the packets as they are natted.  But I am curious as to what
 implications flipping this switch has.  At least I'm guessing there
 must be something since it is not the default behavior.
 
 
 Thanks,
 --
 Josh Smith
 KD8HRX
 email/jabber:  juice...@gmail.com
 phone:  304.237.9369(c)

-- 
Let food be thy medicine and medicine be thy food - Hippocrates



Re: test for installed status of package, ports questions

2011-01-31 Thread VICTOR TARABOLA CORTIANO
 $ pkg_info | grep ^banana- > /dev/null

Could also be

$ pkg_info | grep -q ^banana-



Re: simple pf match question

2011-01-31 Thread Jason McIntyre
On Mon, Jan 31, 2011 at 11:27:18PM +0100, Henning Brauer wrote:
 
 i don't understand the confusion. we have a state table (let me
 nitpick: it's a tree). a packet comes in. we do a lookup in the table,
 looking for an entry where the key fields match the packet. keys are:
 
 protocol
 address family
 src addr
 dst addr
 src port
 dst port
 rdomain
 
 if there is a match we found a state key, not a state yet. so we start
 to walk the list of states that hangs off the state key to find the
 right one - there can be multiple with interface bound states.
 
 now we have a state. that doesn't imply passing the packet yet, but at
 this point we decided for that state and against ruleset evaluation.
 
 now some more checks - there is a bit of timeout handling and for tcp
 the sequence number checks, and the flags etc. if these all go ok we pass
 the packet (and apply actions if requested, like NAT, routing etc). if
 not, we block it.
 

ok, got it. the confusion is this: when pf.conf.5 talks about any
state in this context, it means there is a match in the state tree (as
you say). the confusion is that being in any state in english can mean
something else. consider that two paragraphs previous we say (of
match rules): the pass/block state of a packet remains unchanged. thus
you can very easily think of a packet as being in a block state. and
wahay, let's now talk about how pf works by saying for subsequent
packets the filter checks whether the packet matches any state.

so that abbreviation (just saying state) is ambiguous. i suggest the
diff below. note it may not be technically correct...

Index: pf.conf.5
===
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.488
diff -u -r1.488 pf.conf.5
--- pf.conf.5   23 Jan 2011 23:34:18 -  1.488
+++ pf.conf.5   1 Feb 2011 00:01:05 -
@@ -127,7 +127,7 @@
 the first time a packet matches a
 .Ar pass
 rule, a state entry is created; for subsequent packets the filter checks
-whether the packet matches any state.
+whether the packet matches that state entry.
 If it does, the packet is passed without evaluation of any rules.
 After the connection is closed or times out, the state entry is automatically
 removed.
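Review bot: the replacement line "whether the packet matches that state entry" narrows the check to the one entry just created, but subsequent packets are looked up against every existing state entry (keyed on protocol, address family, addresses, ports and rdomain, as described earlier in this thread), so a packet of a different connection can hit a different entry. Consider "whether the packet matches an existing state entry" instead: it removes the "any state" ambiguity the diff is after without implying a single entry.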



Re: simple pf match question

2011-01-31 Thread Jason McIntyre
On Tue, Feb 01, 2011 at 10:53:31AM +1300, Paul M wrote:
 On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
 
 then i change my mind and we should add a note that the default pass
 behaviour (NOT rule, even tho there kinda is a default rule
 internally...) doesn't lead to state creation.
 
 Perhaps it could be worded in terms of what one should do instead of
 what one should not do - something along the lines of:
 
 By default pf(4) filters packets statefully: the first time
 a packet matches a pass rule, a state entry is created. If
 no pass rule is matched, no state is created for that packet.
 

this might be the solution, but i'm not sure. the problem is, i expect
people will need this information around the point that they read:

if no rule matches the packet, the default action is to pass
the packet.

however to start talking about state there, before we get to the bit
that explains what state is, is unhelpful (to say the least).

for example, when ted talked about being caught out about this, he was
focussing on the default pass bit of pf, not how stateful filtering
works.

hence my hinting earlier that a fix may not be immediately obvious.
of course maybe your solution is pretty much a best compromise.

jmc



Re: simple pf match question

2011-01-31 Thread Henning Brauer
* Jason McIntyre j...@kerhand.co.uk [2011-02-01 01:14]:
 On Mon, Jan 31, 2011 at 11:27:18PM +0100, Henning Brauer wrote:
  
  i don't understand the confusion. we have a state table (let me
  nitpick: it's a tree). a packet comes in. we do a lookup in the table,
  looking for an entry where the key fields match the packet. keys are:
  
  protocol
  address family
  src addr
  dst addr
  src port
  dst port
  rdomain
  
  if there is a match we found a state key, not a state yet. so we start
  to walk the list of states that hangs off the state key to find the
  right one - there can be multiple with interface bound states.
  
  now we have a state. that doesn't imply passing the packet yet, but at
  this point we decided for that state and against ruleset evaluation.
  
  now some more checks - there is a bit of timeout handling and for tcp
  the sequence number checks, and the flags etc. if these all go ok we pass
  the packet (and apply actions if requested, like NAT, routing etc). if
  not, we block it.
  
 
 ok, got it. the confusion is this: when pf.conf.5 talks about any
 state in this context, it means there is a match in the state tree (as
 you say). the confusion is that being in any state in english can mean
 something else. consider that two paragraphs previous we say (of
 match rules): the pass/block state of a packet remains unchanged. thus
 you can very easily think of a packet as being in a block state. and
 wahay, let's now talk about how pf works by saying for subsequent
 packets the filter checks whether the packet matches any state.

indeed, the use of 'any state' there is a bit weird.

 so that abbreviation (just saying state) is ambiguous. i suggest the
 diff below. note it may not be technically correct...
 
 Index: pf.conf.5
 ===
 RCS file: /cvs/src/share/man/man5/pf.conf.5,v
 retrieving revision 1.488
 diff -u -r1.488 pf.conf.5
 --- pf.conf.5 23 Jan 2011 23:34:18 -  1.488
 +++ pf.conf.5 1 Feb 2011 00:01:05 -
 @@ -127,7 +127,7 @@
  the first time a packet matches a
  .Ar pass
  rule, a state entry is created; for subsequent packets the filter checks
 -whether the packet matches any state.
 +whether the packet matches that state entry.

hmm. if we get into nitpicking, it must be sth like subsequent
packets of that connection. et voila, the next confusion - what is
that connection? it's obvious for tcp, not for the others. but then
that is somewhere else in the page already. hmm.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: test for installed status of package, ports questions

2011-01-31 Thread max stalnaker
There is an out-of-date script in infrastructure/build .  It looks to me
that it lists everything installed.  If it needs to be updated, it tells you
that too.

On Mon, Jan 31, 2011 at 12:42 PM, Bryan bra...@gmail.com wrote:

 On Mon, Jan 31, 2011 at 13:29,  tra...@subspacefield.org wrote:
  Hey all,
 
  I have a script to sort of kickstart an installation after doing a
  bare install of OpenBSD, and it's designed to be idempotent (won't
  hurt to run it several times).
 
  Currently I install some packages, but that's a bit of a time-waster
  in that it will reinstall.  Is there a way I can test for whether a
  package has been installed already, given only the package name, and
  not necessarily the executable name (if there is one)?  I tried
  pkg_info and the exit code is zero even if the package isn't
  installed.
 
  Also, I've noticed that if I don't have X11 installed, I can't seem to
  install certain packages (such as subversion) and certain ports
  (EMACS, and even if I set FLAVOR=no_x11).  What's up with that?

 You still need xbase for some instances, even if you specify no_x11.
 I seem to remember that python needs some libs that are in xbase, even
 if X is not used.



Re: nat static-port option

2011-01-31 Thread Joel Wiramu Pauling
Does the PS3 support ipv6? Are Sony's servers IPv6 compliant. The
better option is to acquire IPv6 transit someway (either by
terminating a tunnel broker pipe and advertising RA from your openbsd
box) or better still switching to an ISP that support native v6
service.

Kind regards

-JoelW

On 1 February 2011 12:13, Chris Cappuccio ch...@nmedia.net wrote:
 the alternative is UPnP, which you'd need a supporting daemon to add port
mappings into pf to support with an obsd gateway

 Josh Smith [juice...@gmail.com] wrote:
 misc@,

 I recently acquired a playstation 3 and have been running into some
 difficulties playing it online behind my openbsd gateway.  After doing
 some research and testing I have been able to overcome most of these
 problems by appending the static-port option to my nat rule.  I
 understand the concept that this prevents pf from modifying the source
 port on the packets as they are natted.  But I am curious as to what
 implications flipping this switch has.  At least I'm guessing there
 must be something since it is not the default behavior.


 Thanks,
 --
 Josh Smith
 KD8HRX
 email/jabber:  juice...@gmail.com
 phone:  304.237.9369(c)

 --
 Let food be thy medicine and medicine be thy food - Hippocrates



Re: sysjail vs. FreeBSD jails

2011-01-31 Thread Amit Kulkarni
google for henning jails openbsd

why henning? I remember reading his comment that he would like it,
brings this page.

http://www.monkey.org/openbsd/archive/misc/0409/msg00569.html

Nothing's changed AFAIK.

On Mon, Jan 31, 2011 at 4:43 PM, Dustin Cannon dustin.can...@gmail.com
wrote:
 [posting to misc since this is not appropriate for tech where I
 originally sent it]

 Hi misc,

 After reading about FreeBSD jails I naturally wondered whether OpenBSD
 had a similar feature.  Well, I ran across sysjail.  It's my
 understanding that sysjail
 was discontinued due to an inherent flaw involving race conditions.
 If I understand correctly, systrace/sysjail uses system call wrappers
 to enforce security policy, while FreeBSD jails are an in-kernel
 sandboxing mechanism.  Assuming I'm not totally misunderstanding both
 sysjail and FreeBSD jails (and admittedly I have much more research to
 do), I'm curious as to whether the OpenBSD project has ever considered
 implementing a full operating system-level virtualization technology
 like FreeBSD jails.  I'd also be interested to hear any arguments for
 or against implementing such jails in OpenBSD.  Perhaps it's just a matter
of
 someone being interested enough to take the plunge?  Thanks for your time
and
 thanks for creating a great operating system!

 --
 -Dustin



Re: sysjail vs. FreeBSD jails

2011-01-31 Thread Ted Unangst
On Mon, Jan 31, 2011 at 5:43 PM, Dustin Cannon dustin.can...@gmail.com
wrote:
 or against implementing such jails in OpenBSD.  Perhaps it's just a matter
of
 someone being interested enough to take the plunge?  Thanks for your time
and

Yes.



Re: simple pf match question

2011-01-31 Thread patrick keshishian
On Mon, Jan 31, 2011 at 4:03 PM, Jason McIntyre j...@kerhand.co.uk wrote:
 On Mon, Jan 31, 2011 at 11:27:18PM +0100, Henning Brauer wrote:

 i don't understand the confusion. we have a state table (let me
 nitpick: it's a tree). a packet comes in. we do a lookup in the table,
 looking for an entry where the key fields match the packet. keys are:

 protocol
 address family
 src addr
 dst addr
 src port
 dst port
 rdomain

 if there is a match we found a state key, not a state yet. so we start
 to walk the list of states that hangs off the state key to find the
 right one - there can be multiple with interface bound states.

 now we have a state. that doesn't imply passing the packet yet, but at
 this point we decided for that state and against ruleset evaluation.

 now some more checks - there is a bit of timeout handling and for tcp
 the sequence number checks, and the flags etc. if these all go ok we pass
 the packet (and apply actions if requested, like NAT, routing etc). if
 not, we block it.


 ok, got it. the confusion is this: when pf.conf.5 talks about any
 state in this context, it means there is a match in the state tree (as
 you say). the confusion is that being in any state in english can mean
 something else. consider that two paragraphs previous we say (of
 match rules): the pass/block state of a packet remains unchanged. thus
 you can very easily think of a packet as being in a block state. and
 wahay, let's now talk about how pf works by saying for subsequent
 packets the filter checks whether the packet matches any state.

 so that abbreviation (just saying state) is ambiguous. i suggest the
 diff below. note it may not be technically correct...

 Index: pf.conf.5
 ===
 RCS file: /cvs/src/share/man/man5/pf.conf.5,v
 retrieving revision 1.488
 diff -u -r1.488 pf.conf.5
 --- pf.conf.5   23 Jan 2011 23:34:18 -  1.488
 +++ pf.conf.5   1 Feb 2011 00:01:05 -
 @@ -127,7 +127,7 @@
  the first time a packet matches a
  .Ar pass
  rule, a state entry is created; for subsequent packets the filter checks
 -whether the packet matches any state.
 +whether the packet matches that state entry.

but the subsequent packets may match any existing states in the
packet filter. Being specific to that state entry is confusing
(misleading?) IMO.

You may wish to break apart the sentences so that the bit about
subsequent packets isn't implicitly related to the preceding
sentence.

the first time a packet matches a pass rule, a state
entry is created.

Also consider explaining what defines a state (protocol, family,
src/dst addr/port, rdomain).

Then continue fresh:

The packet filter examines each packet to see if
it matches any existing state; allowing it to pass
if such a match is found without evaluation of any
rules.


  If it does, the packet is passed without evaluation of any rules.
  After the connection is closed or times out, the state entry is
automatically
  removed.


--patrick



Re: sysjail vs. FreeBSD jails

2011-01-31 Thread Kevin Chadwick
On Mon, 31 Jan 2011 17:43:30 -0500
Dustin Cannon dustin.can...@gmail.com wrote:

 Perhaps it's just a matter of
 someone being interested enough to take the plunge?

And decide whether they think it's worthwhile or more important than
other things to work on.

The FreeBSD jail is quite quite cool in some respects, and very very
occasionally I've thought that might be quite handy.

Systrace can still be useful for security, but not in the original way
intended and so needs a lot more patience and understanding because yes
there is the race issue which niels provos wanted fixing in the kernel.
I've read this would take a lot of work, never mind adding all the rest.

I would say systrace by itself would be the more useful part.
Especially as the perfect jail equals a hw separated system, which is
much easier and won't waste leckie if you have the luxury of choosing
hardware.

So would a complete jail system be close to a waste of time?



Workshop on Supervising Highly Effective Staff and Teams, 17 February

2011-01-31 Thread Veronica Solis
Special promotions for groups!

Training delivered by: Mtro. Gerardo Coronado López

Pms Capacitación Efectiva de México presents:

Seminar-Workshop: Supervising Highly Effective Staff and Teams

Expert consultant Mtro. Gerardo Coronado López

Company registered with the STPS, Reg. COLG640205CP30005

Follow us on Twitter @pmscapacitacion or on Facebook PMS de México

For more information reply to this e-mail with the following
details.

Company:

Name:

Telephone:

Email:

Number of attendees:

We will shortly send you the complete information about the event.

Or call our telephone numbers; an executive will gladly assist
you
Tel. (33) 8851-2365, (33) 8851-2741.

Copyright (C) 2010, PMS Capacitación Efectiva de México S.C. All rights
reserved. PMS de México and the PMS de México logo are registered
trademarks.

WARNING: PMS de México has no strategic alliances of any kind within the
Mexican Republic. DO NOT BE FOOLED - SAY NO TO PIRACY. All logos,
trademarks and images are the property of their respective corporations
and are used for informational purposes only.

This message has been sent to misc@openbsd.org as a user of Pms de
México, or because a user referred you to receive this newsletter.

As a user of Pms de México, you hereby expressly authorise Pms de México
to contact you by e-mail or other means.

If you have received this message in error, ignore it and report your
account by replying to this e-mail with the subject BAJASUPERVISION

Unsubscribe to this mailing list, reply a blank message with the subject
UNSUBSCRIBE BAJASUPERVISION. Please note that the management of our
databases is of the utmost importance and it is not the company's
intention to cause the recipient any annoyance.



Re: nat static-port option

2011-01-31 Thread Josh Smith
On Mon, Jan 31, 2011 at 6:42 PM, Joel Wiramu Pauling j...@aenertia.net wrote:
 Does the PS3 support ipv6? Are Sony's servers IPv6 compliant. The
 better option is to acquire IPv6 transit someway (either by
 terminating a tunnel broker pipe and advertising RA from your openbsd
 box) or better still switching to an ISP that support native v6
 service.

 Kind regards

 -JoelW

Joel,
Unfortunately the device and/or the servers used for each game are not
(yet?) ipv6 compliant.  Thanks for taking the time to provide an
answer to my question.


 On 1 February 2011 12:13, Chris Cappuccio ch...@nmedia.net wrote:
 the alternative is UPnP, which you'd need a supporting daemon to add port 
 mappings into pf to support with an obsd gateway


Chris,
I realize UPnP is a possible alternative for this.  I was more curious
about the technical details of what's going on with the static-port
option and what the ramifications of using it are.  As I stated before
I'm guessing there is a good reason this isn't the default option for
nat and I am curious as to why and any gotchas I should be on the
look out for after enabling this option.

snip

Thanks,
-- 
Josh Smith
KD8HRX
email/jabber:  juice...@gmail.com
phone:  304.237.9369(c)



Dear customer, update number 9002398

2011-01-31 Thread Banco Real Santander
http://www.recadosnoorkut.com.br/wp-content/uploads/2010/07/real-santander.jpg

Dear Customer,

It is with great satisfaction that the Internet Banking security team of

Real Santander sends this e-mail to you, customer.
The reason we are contacting you is to warn you that your
Real Security Key Card (password table) has expired.

If you do not re-register urgently, access via

ATMs and Internet Banking will be suspended and your Card together

with the Security Keys will be cancelled, making access and

transactions impossible.

Deadline: up to 5 business days.

Mandatory re-registration: Click Here.

If the link does not work, click here to re-register.

Attention: Re-registration is only completed from the link provided
in this e-mail, making re-registration through any other RealSantander
link impossible. In case of doubt, contact Disk Real from Monday to
Friday from 07:00 to 20:00.

Real Santander Banco Real Santander (Brasil) S.A.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Sanctions and Fines in PEMEX Tenders, Avoid Them: Update Workshop, 18 February 2011

2011-01-31 Thread Gonzalo Sanchez

Special promotions for groups!

Training given by: Mtro. Alberto Ledesma Gonzalez.

Pms Capacitación Efectiva de México presents:

Public Tenders under the PEMEX Law.

Expert Consultant Mtro. Alberto Ledesma Gonzalez

Company registered with the STPS, Reg. COLG640205CP30005

Follow us on Twitter @pmscapacitacion or on Facebook, PMS de México

For further information, reply to this e-mail with the following
details.

Company:

Name:

Telephone:

Email:

Number of attendees:

and we will shortly send you the full details of the event.

Or call our telephone numbers and an executive will be glad to assist
you.
Tel. (33) 8851-2365, (33) 8851-2741.

Copyright (C) 2010, PMS Capacitación Efectiva de México S.C. All rights
reserved. PMS de México and the PMS de México logo are registered
trademarks.

WARNING: PMS de México has no strategic alliances of any kind within the
Mexican Republic. DO NOT BE FOOLED - SAY NO TO PIRACY. All logos,
trademarks and images are the property of their respective corporations
and are used for informational purposes only.

This message has been sent to you as a user of Pms de México, or because
a user referred you to receive this newsletter.

As a user of Pms de México, you hereby expressly authorize Pms de México
to contact you by e-mail or other means.

If you have received this message in error, disregard it and report your
account by replying to this e-mail with the subject BAJAPEMEX

To unsubscribe from this mailing list, reply with a blank message with the
subject UNSUBSCRIBE BAJAPEMEX. Please note that the management of our
databases is of the utmost importance and it is not the company's
intention to cause the recipient any displeasure.




Re: host(1) oddities

2011-01-31 Thread Philip Guenther
On Mon, Jan 31, 2011 at 11:55 AM,
travis+ml-openbsd-m...@subspacefield.org wrote:
> I ran host www.google.com on a new OpenBSD 4.8 install and got this:
>
> 13:50:28.132052 127.0.0.1.41209 > 127.0.0.1.48830: udp 31
> 13:50:28.132081 127.0.0.1 > 127.0.0.1: icmp: 127.0.0.1 udp port 48830 unreachable
> 13:50:29.133552 ::1.38033 > ::1.48830: udp 31
> 13:50:29.133577 ::1 > ::1: icmp6: ::1 udp port 48830 unreachable
> 13:50:34.143471 127.0.0.1.41209 > 127.0.0.1.48830: udp 31
>
> What gives?  Nothing's on port 48830; should there be something there?

That's weird: I get output like

$ host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 74.125.127.103
www.l.google.com has address 74.125.127.99
www.l.google.com has address 74.125.127.106
www.l.google.com has address 74.125.127.104
www.l.google.com has address 74.125.127.147
www.l.google.com has address 74.125.127.105

when I run 'host'.

More seriously: insufficient data.  What makes you think those packets
were sent by 'host' and not by some other random program on your box
at that moment?  Does ktrace show host sending those?  Off-hand, I
doubt those are from 'host'.  Using the -X option with tcpdump might
show you enough to guess the real source of those packets.


Philip Guenther



Re: nat static-port option

2011-01-31 Thread Henning Brauer
* Joel Wiramu Pauling j...@aenertia.net [2011-02-01 01:40]:
> The better option is to acquire IPv6 transit some way

getting ipvshit is never a better option.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting