q

2011-09-05 Thread alexandr knyazev
Hi,

Like a questioner, may i ask you one question.

Is there some history about hardware which you get for free from users.

For example, may be you sold some tower or slim for food at the begging. I
don't ask you what now, but it's too interest and will be great to see some
page, where you track your hardware which you sent to community to help,
etc.


I mean, some funny history about such hardware, which you get, but didn't
know what to do with it.
OR
I mean, some funny history about such hardware, which you was getting, but
was not knew what to do with it.
-Sorry for my bad English.

Some what you change for beer or something. Could you share your personal
experience around this at start of project?
When you were alone, but something already have gave result.
Some people have sent you help...
Some hardware.
What did you do with it?

I think about some project at mobile industry, only with open source and
reciprocity, some hippy's world where i can work in full power, and do not
think so much about money, new hardware, by and for users. Anonymously,
without connect to any corporations or government structure.

Your skills, experience and some wishes will be great for me.

For example, some people sent eight iPhone's the second generation to me .
I will sell seven at one time, when i am a developer of some cross-platform
systems.


As I can see, you already meet such situation.
So, some page, where is the hardware, what happens, who have burned it
already, why, etc, its would be popular part of openbsd site. With history
by photos, comments, some logs.
Did you think like me?

Greetings.



Re: Most secure Operating-System?

2011-09-05 Thread bofh
Marco,
You're thinking of that C2 aren't you?  Heh, but he wanted a network stack.

I'm thinking MS-DOS with the network stack...

Alec,
Why are you trolling?  If this is a real project/proposal, you need a
hell of a lot more help than this.

On Mon, Sep 5, 2011 at 4:40 PM, Marco Peereboom  wrote:
> Windows NT 3.51 without a network stack.
>
> On Sep 5, 2011, at 8:55, Alec Taylor  wrote:
>
>> Good evening,
>>
>> What's the most secure operating system?
>>
>> /me is thinking OpenBSD
>>
>> Features required:
>>   TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
>> incorporating Internet access!)
>>   GUI
>>   Web-server (with HTTPS capabilities)
>>   LDAP+-Kerberos server for User auth
>>   CAS or similar for SSO
>>   Radius or (preferably) Diameter support
>>   Java support
>>   WINE compatible
>>   Multithreaded
>>   Multi-processor capable
>>   Wide architecture support (x86, x64, mainframes)
>>
>> If my project proposal is successful, I will be implementing this
>> system to replace a Windows environment at one of the largest banks in
>> the country.
>>
>> Thanks for all suggestions+advice,
>>
>> Alec Taylor
>
>



--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Westpac Bank Notice

2011-09-05 Thread Westpac banking
 - This mail is in HTML. Some elements may be omitted in plain text. -

Westpac Protection Alert
An attempt to access Westpac online was denied 30mins ago:
If you do not remember trying to access online banking, please select:
That was NOT me
Westpac Banking Corporation. All rights reserved.



Re: Most secure Operating-System?

2011-09-05 Thread Marco Peereboom
Windows NT 3.51 without a network stack.

On Sep 5, 2011, at 8:55, Alec Taylor  wrote:

> Good evening,
>
> What's the most secure operating system?
>
> /me is thinking OpenBSD
>
> Features required:
>  TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
> incorporating Internet access!)
>  GUI
>  Web-server (with HTTPS capabilities)
>  LDAP+-Kerberos server for User auth
>  CAS or similar for SSO
>  Radius or (preferably) Diameter support
>  Java support
>  WINE compatible
>  Multithreaded
>  Multi-processor capable
>  Wide architecture support (x86, x64, mainframes)
>
> If my project proposal is successful, I will be implementing this
> system to replace a Windows environment at one of the largest banks in
> the country.
>
> Thanks for all suggestions+advice,
>
> Alec Taylor



FREE - The best iPhone application to find and book a hotel

2011-09-05 Thread maroc-info
Hotel HNR V2 Announcement

If this message does not display correctly, you can view it via this link.

The best iPhone application for hotel booking

Travel light, make do with your iPhone and discover our latest
creation: Hotel HNR (Hotel Net-Resa) version 2.0.1

"Wherever you are, find a hotel, book it and get the best rates"

This application, usable by everyone, offers the most useful features.

Enjoy this tool, an example of our work as a publisher of professional
solutions for business tourism and events.

Wishing you a good holiday

Reservations
Good deals
Download

Use your iPhone to find, visit and book your stay.

- 100 000 hotels around the world, live
- Availability, services, customer reviews and 2 million photos to keep
  you better informed.
- Booking, free of charge, secure and saved.

We select the best promotions every day:

- Discounts of 30 to 70 %
- An exclusive Hôtel HNR list
- Offers updated hour by hour

Hôtel HNR is a free application:

- Compatible with iPhone, iPad and iPod Touch.
- Download it from the App Store
- Learn more about Hôtel HNR

Do you have an iPhone project too?
We will study it with no commitment on your part.

Hotel Net-Resa - Gipco-ADNS - Web-ADNS - Mail-Adns are published by ALGO DATA

If this message does not display correctly, you can view it via this
link.   If you no longer wish to receive messages from this list.



Re: Most secure Operating-System?

2011-09-05 Thread bofh
On Mon, Sep 5, 2011 at 3:07 PM, Amit Kulkarni  wrote:
> AFAIK it doesn't run on current mainframes. Only IBM's various OS's
> run on mainframes, as IBM has a corner on that mainframe market.

But with the Hercules emulator, you can run the mainframe on your desktop!!!
:)


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: Most secure Operating-System?

2011-09-05 Thread Amit Kulkarni
> Features required:
>  TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
> incorporating Internet access!)
>  GUI
>  Web-server (with HTTPS capabilities)
>  LDAP+-Kerberos server for User auth
>  CAS or similar for SSO
>  Radius or (preferably) Diameter support
>  Java support
>  WINE compatible

Wine just got deleted from ports

>  Multithreaded
>  Multi-processor capable

all modern OS's are.

>  Wide architecture support (x86, x64, mainframes)

AFAIK it doesn't run on current mainframes. Only IBM's various OS's
run on mainframes, as IBM has a corner on that mainframe market.



Re: Laptop hard drive and emergency unload

2011-09-05 Thread roberth
On Mon, 05 Sep 2011 14:25:46 -0400
Steve  wrote:

> For the fun of it, I just installed 4.9 (AMD64) on an SD card, booted 
> from the card and mounted one of my Ext3 partitions on the hard disk.
> I copied a file from  the disk to the card to be sure it was active, 
> umounted the hard disk and halted. Not a sound from the disk no 
> click, nothing.

for testing, use -current/snapshots.


http://marc.info/?l=openbsd-cvs&m=127460880427991&w=2
"""
Changes by: kette...@cvs.openbsd.org 2010/05/23 03:58:58

Modified files:
sys/dev/ata: wd.c 

Log message:
Place drive in standby mode before shutdown.  Avoids the loud click
heard on many laptops when powering them down.
"""

That went into 4.8, the oldest supported OpenBSD version.
"Hail to the kettenis@, baby!"



Re: Laptop hard drive and emergency unload

2011-09-05 Thread Steve
For the fun of it, I just installed 4.9 (AMD64) on an SD card, booted 
from the card and mounted one of my Ext3 partitions on the hard disk. I 
copied a file from  the disk to the card to be sure it was active, 
umounted the hard disk and halted. Not a sound from the disk no 
click, nothing.


On 11-09-05 11:13 AM, Philippe Meunier wrote:
> Steve wrote:
>> 6.3.6.1 Emergency unload
>> [... ]Emergency unload
>> is intended to be invoked in rare situations. Because this operation
>> is inherently uncontrolled, it is more mechanically stressful than a
>> normal unload.
>
> Yes.  I have a Thinkpad T43 with a Hitachi Travelstar 5K100
> (HTS541060G9AT00) and used to have the same problem: when shutting
> down the computer, the power would be removed from the hard disk while
> the heads were still loaded and the disk would then have to perform an
> emergency unload, which resulted in the disk making a loud click.
> This was the case for me from (I think) OpenBSD 3.9, when I first
> installed OpenBSD, up to and including 4.8.  A few months ago I
> upgraded to 4.9 (stable) and since then I can hear the disk normally
> unloading the heads (a short series of 4-5 muffled clicks in very
> short succession with a slightly increasing pitch) before powering
> down, which is much quieter.  My disk and I both thank whoever
> implemented that change :-)
>
>> On Sep 3, 2011, at 15:41, Steve wrote:
>>> Can anyone suggest what I could do to stop this from happening?
>
> Well, it depends...  You could try to manually sync(8) the disk, do
> something like "atactl wd0 apmset 1" (YMMV) to put the disk into
> standby power saving mode, which would result in the heads being
> unloaded after a short time, and then halt(8) the computer.  The
> problem is that, as part of the normal powerdown sequence, OpenBSD
> writes some logs of the shutdown on the disk (which would then reload
> its heads) and also syncs the disk (I don't know if that action alone
> would reload the disk heads or not if there were no actual data to
> sync to the disk; using sync(8) twice in sequence results in my disk's
> light blinking twice but whether the second blink actually means
> anything with regard to the disk's heads is an entirely different
> question...)  You could try to play with halt(8)'s -q and -n options
> and see what happens, but I wouldn't recommend it...  Even if you were
> lucky and it worked, it would be an annoyance to do that every time
> and it'd be very easy to make a mistake and lose data.  You could
> write scripts to automate the process but you'd be on your own if
> something went wrong...
>
> You could also try the following:
> - put the root partition, /var/log, and everything else required for a
> normal shutdown, on a USB stick and boot from that
> - have all the other stuff (/home, /usr/local, etc) on your disk
> - before shutting down, manually unmount all the partitions that are
> on the disk (forcing the unmount if necessary), use atactl to put the
> disk in a low-power mode that results in the heads being unloaded,
> then shutdown the computer as usual.
> Slightly better than the above, but again it'd be annoying to do and
> it'd be easy to make a mistake...
>
> With all that being said, I happily used OpenBSD on my laptop for
> about five years with my hard disk doing an emergency unload on every
> shutdown, and never had any problem.  It's up to you to decide whether
> you can sleep at night knowing that your disk goes through a very
> small number of "mechanically stressful" events every day.  2
> emergency unloads supported by your disk at a minimum (or so Hitachi
> says...) / 5 shutdowns a day (say) = about 11 years...  So it might be
> an acceptable solution to you until time (and if...) an OpenBSD
> developer decides to fix your problem.  You have backups anyway,
> right? :-)
>
> Philippe




Re: OpenOSPF + CARP

2011-09-05 Thread Stuart Henderson
On 2011-09-05, Mathieu Blanc  wrote:
>>> So the ingoing traffic goes into bsd1, and the servers now use bsd2 to
>>> go out.
>>
>>> Is it not a problem ? In terms of firewalling for example (keep state ?
>>> will bsd2 authorize the trafic which is initiated by bsd1 ? maybe with
>>> the help of pfsync ??)
>>
>> pfsync(4) can handle this if you use 'defer', see the pfsync manpage,
>> but this is normally only desirable for load-balancing.
>
> I read the manpage, and it seems to match exactly with what i want to do :
> "Where more than one firewall might actively handle packets, e.g. with 
> certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial to
> defer transmission of the initial packet of a connection.  The pfsync
> state insert message is sent immediately; the packet is queued until 
> either this message is acknowledged by another system, or a timeout has 
> expired."

This is for load-sharing between 2 firewalls, you don't want it for a
typical setup with 1 active and 1 passive firewall as it delays things

> If I take my previous example :
> Network A [interconnection with others routers] = 192.168.1.0/24 
> (configured on em0, and carp0)

presumably you are announcing the networks behind bsd1/bsd2 over
ospf to your other routers; so I don't think carp0 is useful.

> Network B [network with servers] = 172.16.1.0/24 (configured on em1, and 
> carp1, used by servers for default gateway)
> em2 is for pfsync.
> The ospfd.conf is very simple.
>
> bsd1# ifconfig -A 
>
> em0: flags=8b43 
>  inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
> em1: flags=8b43 
>  inet 172.16.1.1 netmask 0xff00 broadcast 172.16.1.255
> em2: flags=8843 mtu 1500
>  inet 172.16.99.1 netmask 0xfffc broadcast 172.16.99.3
> pfsync0: flags=41 mtu 1500
>  pfsync: syncdev: em2 syncpeer: 172.16.99.2 maxupd: 128 defer: off
> carp0: flags=8843 mtu 1500
>  carp: MASTER carpdev em0 vhid 170 advbase 1 advskew 80
>  inet 192.168.1.100 netmask 0xff00 broadcast 192.168.1.255
> carp1: flags=8843 mtu 1500
>  carp: MASTER carpdev em1 vhid 171 advbase 1 advskew 120
>  inet 172.16.1.100 netmask 0xff00 broadcast 172.16.1.255
>
> bsd1# cat /etc/ospfd.conf
> area 0.0.0.0 {
>  interface em0
>  interface em1
>  interface carp0 { passive }
>  interface carp1 { passive }
> }

I would:-

remove "interface carp0 { passive }" from ospfd.conf
remove "interface em1" from ospfd.conf
ospfctl reload
ifconfig carp0 destroy
rm /etc/hostname.carp0
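
A small check for the overlap that the reply above removes, as an added example that is not part of the thread: it reads `ifconfig -A` and `ospfd.conf` text and reports every subnet that ospfd.conf lists through both a carp interface and its carpdev, which is why the other routers kept seeing two routes whatever the CARP state. The sample inputs are constructed from the bsd1 output quoted above, with the /24 and /30 netmasks written out in full as an assumption; `parse_ifconfig`, `parse_ospfd` and `audit` are names made up for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the bsd1 output quoted in the thread. The
# netmasks are written out in full (an assumption based on the stated
# 192.168.1.0/24 and 172.16.1.0/24 networks); other fields are trimmed.
IFCONFIG_BSD1 = """\
em0: flags=8b43 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8b43 mtu 1500
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
em2: flags=8843 mtu 1500
        inet 172.16.99.1 netmask 0xfffffffc broadcast 172.16.99.3
carp0: flags=8843 mtu 1500
        carp: MASTER carpdev em0 vhid 170 advbase 1 advskew 80
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843 mtu 1500
        carp: MASTER carpdev em1 vhid 171 advbase 1 advskew 120
        inet 172.16.1.100 netmask 0xffffff00 broadcast 172.16.1.255
"""

# ospfd.conf as posted in the thread.
OSPFD_POSTED = """\
area 0.0.0.0 {
        interface em0
        interface em1
        interface carp0 { passive }
        interface carp1 { passive }
}
"""

# ospfd.conf after the two removals suggested in the reply.
OSPFD_SUGGESTED = """\
area 0.0.0.0 {
        interface em0
        interface carp1 { passive }
}
"""


def parse_ifconfig(text):
    """Return {ifname: {"net": IPv4Network or None, "carpdev": str or None}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+): flags=", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"net": None, "carpdev": None})
            continue
        if cur is None:
            continue
        m = re.search(r"\bcarpdev (\w+)", line)
        if m:
            cur["carpdev"] = m.group(1)
        m = re.search(r"\binet (\S+) netmask (0x[0-9a-fA-F]{8})\b", line)
        if m:
            mask = ipaddress.IPv4Address(int(m.group(2), 16))
            cur["net"] = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
    return ifaces


def parse_ospfd(text):
    """Return {ifname: is_passive} for every 'interface' statement."""
    listed = {}
    pattern = r"^[ \t]*interface[ \t]+(\w+)(?:[ \t]*\{([^}]*)\})?"
    for m in re.finditer(pattern, text, re.M):
        listed[m.group(1)] = "passive" in (m.group(2) or "")
    return listed


def audit(ifconfig_text, ospfd_text):
    """List (carpdev, carp_if, subnet) where ospfd.conf names both for one subnet."""
    ifaces = parse_ifconfig(ifconfig_text)
    listed = parse_ospfd(ospfd_text)
    findings = []
    for name, info in sorted(ifaces.items()):
        dev = info["carpdev"]
        if dev is None or name not in listed or dev not in listed:
            continue
        dev_net = ifaces.get(dev, {}).get("net")
        if info["net"] is not None and info["net"] == dev_net:
            findings.append((dev, name, str(info["net"])))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", OSPFD_POSTED), ("suggested", OSPFD_SUGGESTED)):
        print(label, audit(IFCONFIG_BSD1, conf))
```
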



Re: Most secure Operating-System?

2011-09-05 Thread Stuart Henderson
On 2011-09-05, Alec Taylor  wrote:
> Good evening,
>
> What's the most secure operating system?
>
> /me is thinking OpenBSD
>
> Features required:
>  WINE compatible

nope.

> If my project proposal is successful, I will be implementing this
> system to replace a Windows environment at one of the largest banks in
> the country.

fully replacing an office Windows environment is certainly possible...
you might like to read these:

http://undeadly.org/cgi?action=article&sid=20110420080633
http://puppetlabs.com/blog/guest-post-a-puffy-in-the-corporate-aquarium-the-sequel/



Re: Most secure Operating-System?

2011-09-05 Thread Tomas Bodzar
On Mon, Sep 5, 2011 at 4:41 PM, Christopher Linn  wrote:
> hi alec,
>
> - Alec Taylor  wrote:
>> Good evening,
>>
>> What's the most secure operating system?
>>
>> /me is thinking OpenBSD
>>
>> Features required:
>>   TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
>> incorporating Internet access!)
>>   GUI
>>   Web-server (with HTTPS capabilities)
>>   LDAP+-Kerberos server for User auth
>>   CAS or similar for SSO
>>   Radius or (preferably) Diameter support
>>   Java support
>>   WINE compatible
>>   Multithreaded
>>   Multi-processor capable
>>   Wide architecture support (x86, x64, mainframes)
>>
>> If my project proposal is successful, I will be implementing this
>> system to replace a Windows environment at one of the largest banks in
>> the country.
>>
>> Thanks for all suggestions+advice,
>>
>> Alec Taylor
>>
>
>
> is this for desktop? in an enterprise environment you will surely need
> to run e.g. M$ applications and adobe pro

IPv6, Java, Wine really sounds like any bank on the market which
really "cares" about security in the same way as they care about our
money in hedge funds, sci-fi loans, even more sci-fi ratings and so on
:-)

>
> and, what do you mean by "mainframes"?
>
> --
> Chris Linn



Re: Most secure Operating-System?

2011-09-05 Thread Tomas Bodzar
On Mon, Sep 5, 2011 at 3:55 PM, Alec Taylor  wrote:
> Good evening,
>
> What's the most secure operating system?
>
> /me is thinking OpenBSD

What you think is not important for suits ;-) For them the most
important part is how much dinners and other gifts will they have from
vendor if they choose "right" one ;-) You will be in the end just
monkey which needs to administer whichever shit they throw at you ;-)

>
> Features required:
>  TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
> incorporating Internet access!)
>  GUI
>  Web-server (with HTTPS capabilities)
>  LDAP+-Kerberos server for User auth
>  CAS or similar for SSO
>  Radius or (preferably) Diameter support
>  Java support
>  WINE compatible
>  Multithreaded
>  Multi-processor capable
>  Wide architecture support (x86, x64, mainframes)
>
> If my project proposal is successful, I will be implementing this
> system to replace a Windows environment at one of the largest banks in
> the country.
>
> Thanks for all suggestions+advice,
>
> Alec Taylor



Re: Most secure Operating-System?

2011-09-05 Thread Christopher Linn
hi alec,

- Alec Taylor  wrote:
> Good evening,
> 
> What's the most secure operating system?
> 
> /me is thinking OpenBSD
> 
> Features required:
>  TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
> incorporating Internet access!)
>  GUI
>  Web-server (with HTTPS capabilities)
>  LDAP+-Kerberos server for User auth
>  CAS or similar for SSO
>  Radius or (preferably) Diameter support
>  Java support
>  WINE compatible
>  Multithreaded
>  Multi-processor capable
>  Wide architecture support (x86, x64, mainframes)
> 
> If my project proposal is successful, I will be implementing this
> system to replace a Windows environment at one of the largest banks in
> the country.
> 
> Thanks for all suggestions+advice,
> 
> Alec Taylor
> 


is this for desktop? in an enterprise environment you will surely need 
to run e.g. M$ applications and adobe pro.

and, what do you mean by "mainframes"?

-- 
Chris Linn



Re: Laptop hard drive and emergency unload

2011-09-05 Thread Philippe Meunier
Steve wrote:
>6.3.6.1 Emergency unload
> [... ]Emergency unload
>is intended to be invoked in rare situations. Because this operation
>is inherently uncontrolled, it is more mechanically stressful than a
>normal unload.

Yes.  I have a Thinkpad T43 with a Hitachi Travelstar 5K100
(HTS541060G9AT00) and used to have the same problem: when shutting
down the computer, the power would be removed from the hard disk while
the heads were still loaded and the disk would then have to perform an
emergency unload, which resulted in the disk making a loud click.
This was the case for me from (I think) OpenBSD 3.9, when I first
installed OpenBSD, up to and including 4.8.  A few months ago I
upgraded to 4.9 (stable) and since then I can hear the disk normally
unloading the heads (a short series of 4-5 muffled clicks in very
short succession with a slightly increasing pitch) before powering
down, which is much quieter.  My disk and I both thank whoever
implemented that change :-)

>On Sep 3, 2011, at 15:41, Steve wrote:
>>Can anyone suggest what I could do to stop this from happening?

Well, it depends...  You could try to manually sync(8) the disk, do
something like "atactl wd0 apmset 1" (YMMV) to put the disk into
standby power saving mode, which would result in the heads being
unloaded after a short time, and then halt(8) the computer.  The
problem is that, as part of the normal powerdown sequence, OpenBSD
writes some logs of the shutdown on the disk (which would then reload
its heads) and also syncs the disk (I don't know if that action alone
would reload the disk heads or not if there were no actual data to
sync to the disk; using sync(8) twice in sequence results in my disk's
light blinking twice but whether the second blink actually means
anything with regard to the disk's heads is an entirely different
question...)  You could try to play with halt(8)'s -q and -n options
and see what happens, but I wouldn't recommend it...  Even if you were
lucky and it worked, it would be an annoyance to do that every time
and it'd be very easy to make a mistake and lose data.  You could
write scripts to automate the process but you'd be on your own if
something went wrong...

You could also try the following:
- put the root partition, /var/log, and everything else required for a
normal shutdown, on a USB stick and boot from that
- have all the other stuff (/home, /usr/local, etc) on your disk
- before shutting down, manually unmount all the partitions that are
on the disk (forcing the unmount if necessary), use atactl to put the
disk in a low-power mode that results in the heads being unloaded,
then shutdown the computer as usual.
Slightly better than the above, but again it'd be annoying to do and
it'd be easy to make a mistake...

With all that being said, I happily used OpenBSD on my laptop for
about five years with my hard disk doing an emergency unload on every
shutdown, and never had any problem.  It's up to you to decide whether
you can sleep at night knowing that your disk goes through a very
small number of "mechanically stressful" events every day.  2
emergency unloads supported by your disk at a minimum (or so Hitachi
says...) / 5 shutdowns a day (say) = about 11 years...  So it might be
an acceptable solution to you until time (and if...) an OpenBSD
developer decides to fix your problem.  You have backups anyway,
right? :-)

Philippe



Re: Most secure Operating-System?

2011-09-05 Thread Tomasz Dereszynski
On Mon, 5 Sep 2011 16:09:43 +0200, jirib wrote: 

> On Mon, 5 Sep 2011 23:55:52 +1000
> Alec Taylor wrote:
>
>> Good evening, What's the most secure operating system? /me is
>> thinking OpenBSD Features required:

and how exactly is webserver going to secure enduser desktop env?

-- 
Best Regards
Tomasz Dereszynski
  




Re: Most secure Operating-System?

2011-09-05 Thread jirib
On Mon, 5 Sep 2011 23:55:52 +1000
Alec Taylor  wrote:

> Good evening,
>
> What's the most secure operating system?
>
> /me is thinking OpenBSD
>
> Features required:
>  TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
> incorporating Internet access!)
>  GUI
>  Web-server (with HTTPS capabilities)
>  LDAP+-Kerberos server for User auth
>  CAS or similar for SSO
>  Radius or (preferably) Diameter support
>  Java support
>  WINE compatible
>  Multithreaded
>  Multi-processor capable
>  Wide architecture support (x86, x64, mainframes)
>
> If my project proposal is successful, I will be implementing this
> system to replace a Windows environment at one of the largest banks in
> the country.
>

Do NOT smoke that sh1t too much, or if you wanted to be funny you are
not.

jirib



Most secure Operating-System?

2011-09-05 Thread Alec Taylor
Good evening,

What's the most secure operating system?

/me is thinking OpenBSD

Features required:
 TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
incorporating Internet access!)
 GUI
 Web-server (with HTTPS capabilities)
 LDAP+-Kerberos server for User auth
 CAS or similar for SSO
 Radius or (preferably) Diameter support
 Java support
 WINE compatible
 Multithreaded
 Multi-processor capable
 Wide architecture support (x86, x64, mainframes)

If my project proposal is successful, I will be implementing this
system to replace a Windows environment at one of the largest banks in
the country.

Thanks for all suggestions+advice,

Alec Taylor



ikev2

2011-09-05 Thread Wesley M.
Hi, 

sorry to post again this. 

Is there someone who has already tried a vpn using ikev2 with
EAP-MSCHAP-V2 support ?

Thank you very much.

Cheers, 

Wesley.M



Re: OpenOSPF + CARP

2011-09-05 Thread Mathieu Blanc

On 03/09/2011 12:35, Stuart Henderson wrote:
> On 2011-09-02, Mathieu BLANC  wrote:
>> I setup this, *and it seems to work well.*
>> Routers in network A see 2 routes to Network B : bsd1 and bsd2.
>> For example :
>> First route : bsd1
>> Second route : bsd2
>>
>> bsd1 is the master carp on network B.
>> So the ingoing traffic goes to bsd1, and the servers in B use their
>> gateway ->  bsd1.
>>
>> But if i do (manually) a carpdemote on bsd1, the carp master will
>> switch to bsd2, but on the ospf side, the route will remain the same on
>> the routers in A.
>>
>> So the ingoing traffic goes into bsd1, and the servers now use bsd2 to
>> go out.
>>
>> Is it not a problem ? In terms of firewalling for example (keep state ?
>> will bsd2 authorize the traffic which is initiated by bsd1 ? maybe with
>> the help of pfsync ??)
>
> pfsync(4) can handle this if you use 'defer', see the pfsync manpage,
> but this is normally only desirable for load-balancing.

I read the manpage, and it seems to match exactly with what i want to do :
"Where more than one firewall might actively handle packets, e.g. with
certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial to
defer transmission of the initial packet of a connection.  The pfsync
state insert message is sent immediately; the packet is queued until
either this message is acknowledged by another system, or a timeout has
expired."

> In the situation you describe, the network A should send all of
> network B's traffic to whichever machine is currently carp master.
> For this setup you need to:-
>
> 1. have the subnet (not a /32) configured on the carpXX interface
> 2. use 'interface carpXX { passive }' in ospfd.conf
>
> If this doesn't help, please show ospfd.conf files and 'ifconfig -A'
> output.

I'm not sure to understand, sorry.

Here is my test conf (exactly the same than in prod, but with private
network).

If I take my previous example :
Network A [interconnection with others routers] = 192.168.1.0/24 
(configured on em0, and carp0)
Network B [network with servers] = 172.16.1.0/24 (configured on em1, and 
carp1, used by servers for default gateway)

em2 is for pfsync.
The ospfd.conf is very simple.

bsd1# ifconfig -A

em0: flags=8b43 mtu 1500
        lladdr 00:1b:21:b3:c7:18
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
em1: flags=8b43 mtu 1500
        lladdr 00:1b:21:b3:c7:19
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.16.1.1 netmask 0xff00 broadcast 172.16.1.255
em2: flags=8843 mtu 1500
        lladdr 00:1b:21:b3:c7:1c
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 172.16.99.1 netmask 0xfffc broadcast 172.16.99.3
pfsync0: flags=41 mtu 1500
        priority: 0
        pfsync: syncdev: em2 syncpeer: 172.16.99.2 maxupd: 128 defer: off
        groups: carp pfsync
carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:aa
        priority: 0
        carp: MASTER carpdev em0 vhid 170 advbase 1 advskew 80
        groups: carp
        status: master
        inet 192.168.1.100 netmask 0xff00 broadcast 192.168.1.255
carp1: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:ab
        priority: 0
        carp: MASTER carpdev em1 vhid 171 advbase 1 advskew 120
        groups: carp
        status: master
        inet 172.16.1.100 netmask 0xff00 broadcast 172.16.1.255

bsd1# cat /etc/ospfd.conf
area 0.0.0.0 {
        interface em0
        interface em1
        interface carp0 { passive }
        interface carp1 { passive }
}

bsd2 is exactly the same (with different ip address on em0/em1/em2 and 
backup carp).


This setup works quite well (i see 2 routes to 172.16.1.0/24 network in 
my others routers : via bsd1 and bsd2). What i wanted to do is to have 
just one route to 192.168.1.100. But I don't know if it's possible.

If not, i'll destroy the carp0 interface, and use defer in pfsync.

Thanks by advance :-)

Mathieu.