Blocking Trojans with PF

2011-09-26 Thread Hassan Monfared
Hi,
Any idea for denying connection initiation to the outside from any web server
protected by PF? (I want to block Trojans and reverse connections while
incoming http traffic is allowed.)

Regards,
Hassan H. Monfared



Re: Blocking Trojans with PF

2011-09-26 Thread Johan Beisser
block all

Permit inbound port 80, but do not permit new outbound connections.
Consider each interface a separate firewall, with separate flows
entirely, then use policy enforcement (see tagging:
http://cvs.openbsd.org/faq/pf/tagging.html) to ensure only properly
tagged packets are passed out from the firewall.

Nice thing about pf: stateful tracking of connections. It makes
tracking sessions, blocking unwanted traffic, and tagging systems much
easier.

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

On Sun, Sep 25, 2011 at 11:18 PM, Hassan Monfared hmonfa...@gmail.com wrote:
 Hi,
 Any idea for denying connection initiation to outside from any web server
 protected by PF? ( wanna block Trojans and reverse connections while
 incomming http traffic is allowed) .

 Regards,
 Hassan H. Monfared



Re: Blocking Trojans with PF

2011-09-26 Thread Gregory Edigarov
On Mon, 26 Sep 2011 09:48:20 +0330
Hassan Monfared hmonfa...@gmail.com wrote:

 Hi,
 Any idea for denying connection initiation to outside from any web
 server protected by PF? ( wanna block Trojans and reverse connections
 while incomming http traffic is allowed) .

block all 
pass in on $if from any to ($if)

will block it as you wish.
 

-- 
With best regards,
Gregory Edigarov



Re: Blocking Trojans with PF

2011-09-26 Thread Hassan Monfared
thank you,
Is it right to block connection initiation from inside using a rule something
like:
block in on $if flags S/SA
Am I right?

Regards,
Hassan H. Monfared


On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov
g...@bestnet.kharkov.ua wrote:

 On Mon, 26 Sep 2011 09:48:20 +0330
 Hassan Monfared hmonfa...@gmail.com wrote:

  Hi,
  Any idea for denying connection initiation to outside from any web
  server protected by PF? ( wanna block Trojans and reverse connections
  while incomming http traffic is allowed) .

 block all
 pass in on $if from any to ($if)

 will block it as you wish.


 --
 With best regards,
Gregory Edigarov



Re: Blocking Trojans with PF

2011-09-26 Thread Gregory Edigarov
If your firewall is on the same machine as the webserver, you can safely
use the ruleset I wrote.

If not, you should have:   block in on $intif

On Mon, 26 Sep 2011 10:40:09 +0330
Hassan Monfared hmonfa...@gmail.com wrote:

 thank you,
 is it right blocking connection initiation from inside using rule
 something like:
 block in on $if flags S/SA
 am I right ?
 
 Regards,
 Hassan H. Monfared
 
 
 On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov
 g...@bestnet.kharkov.ua wrote:
 
  On Mon, 26 Sep 2011 09:48:20 +0330
  Hassan Monfared hmonfa...@gmail.com wrote:
 
   Hi,
   Any idea for denying connection initiation to outside from any web
   server protected by PF? ( wanna block Trojans and reverse
   connections while incomming http traffic is allowed) .
 
  block all
  pass in on $if from any to ($if)
 
  will block it as you wish.
 
 
  --
  With best regards,
 Gregory Edigarov



Re: Blocking Trojans with PF

2011-09-26 Thread Hassan Monfared
Hi again,
All 6 webservers are behind the FW.
Doesn't the block in on $intif rule block TCP handshaking? I mean the ACK
message must be passed on $intif, mustn't it?
Regards,
Hassan H. Monfared


On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov
g...@bestnet.kharkov.ua wrote:


 If your firewall is on the same machine as webserver -you can safely
 use the ruleset i wrote.

 if not - you should have   block in on $intif

 On Mon, 26 Sep 2011 10:40:09 +0330
 Hassan Monfared hmonfa...@gmail.com wrote:

  thank you,
  is it right blocking connection initiation from inside using rule
  something like:
  block in on $if flags S/SA
  am I right ?
 
  Regards,
  Hassan H. Monfared
 
 
  On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov
   g...@bestnet.kharkov.ua wrote:
 
   On Mon, 26 Sep 2011 09:48:20 +0330
   Hassan Monfared hmonfa...@gmail.com wrote:
  
Hi,
Any idea for denying connection initiation to outside from any web
server protected by PF? ( wanna block Trojans and reverse
connections while incomming http traffic is allowed) .
  
   block all
   pass in on $if from any to ($if)
  
   will block it as you wish.
  
  
   --
   With best regards,
  Gregory Edigarov



Re: Blocking Trojans with PF

2011-09-26 Thread Gregory Edigarov
Why can't you read how stateful filtering works? You'd be much
better off with the full explanation of the TCP handshake process, and how
a stateful firewall fits into the picture.

On Mon, 26 Sep 2011 11:26:54 +0330
Hassan Monfared hmonfa...@gmail.com wrote:

 Hi again,
 all 6 webservers are behind FW ,
 doesn't block in on $intif rule blocks TCP handshaking ? I mean ACK
 message must be passed on $intif, mustn't ?
 Regards,
 Hassan H. Monfared
 
 
 On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov
 g...@bestnet.kharkov.ua wrote:
 
 
  If your firewall is on the same machine as webserver -you can safely
  use the ruleset i wrote.
 
  if not - you should have   block in on $intif
 
  On Mon, 26 Sep 2011 10:40:09 +0330
  Hassan Monfared hmonfa...@gmail.com wrote:
 
   thank you,
   is it right blocking connection initiation from inside using rule
   something like:
   block in on $if flags S/SA
   am I right ?
  
   Regards,
   Hassan H. Monfared
  
  
   On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov
    g...@bestnet.kharkov.ua wrote:
  
On Mon, 26 Sep 2011 09:48:20 +0330
Hassan Monfared hmonfa...@gmail.com wrote:
   
 Hi,
 Any idea for denying connection initiation to outside from
 any web server protected by PF? ( wanna block Trojans and
 reverse connections while incomming http traffic is allowed) .
   
block all
pass in on $if from any to ($if)
   
will block it as you wish.
   
   
--
With best regards,
   Gregory Edigarov
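
Johan's per-interface design with tagging and Gregory's two-interface ruleset, together with the stateful-filtering point behind Hassan's handshake question, written out as an added example that is not from the thread. The interface names em0/em1, the web server addresses, the table name and the tag name are assumptions, and the servers are assumed to be routed behind the firewall (no rdr).

```pf
# Added example ruleset (not from the thread). em0/em1, the web server
# addresses, the table name and the tag name are assumptions; the
# servers are assumed to be routed behind the firewall (no rdr).
ext_if = "em0"
int_if = "em1"
table <webservers> const { 10.0.0.11, 10.0.0.12, 10.0.0.13, \
                           10.0.0.14, 10.0.0.15, 10.0.0.16 }

# Johan's model: treat each interface as its own firewall. With
# if-bound states a connection gets one state per interface it
# crosses, so every interface has to be passed explicitly.
set state-policy if-bound
set skip on lo

# Default deny in both directions on every interface. Logging the
# drops is what shows a server that tries to call out on its own.
block log all

# Only an inbound SYN to port 80 may open a state. The state is
# created on $ext_if and the packet is tagged; the tag is stored in
# the state and applied to every later packet of the connection.
pass in on $ext_if inet proto tcp from any to <webservers> port 80 \
    flags S/SA keep state tag HTTP_IN

# Policy enforcement on the inside: only packets that carry the tag,
# i.e. that already passed the rule above, may leave toward a server.
# This creates the second, $int_if-bound state for the connection.
pass out on $int_if inet proto tcp to <webservers> port 80 \
    tagged HTTP_IN keep state

# No "pass in on $int_if" rule is needed for the handshake: the
# server's SYN/ACK, the client's ACK and all data packets arrive on
# $int_if or $ext_if with a matching state and are passed by the state
# table before the ruleset is consulted. Hassan's
#   block in on $if flags S/SA
# is therefore already implied by "block log all".

# A SYN *from* a web server (the reverse connection the thread wants
# to stop) arrives in on $int_if, matches no state and no pass rule,
# and is logged and dropped. Anything the servers legitimately need
# (DNS, NTP, a package mirror) gets its own narrow "pass in on $int_if"
# rule, e.g. to a resolver at 10.0.0.1 (placeholder address):
# pass in on $int_if inet proto udp from <webservers> to 10.0.0.1 port 53
```

Watching `tcpdump -n -e -ttt -i pflog0` for logged SYNs arriving in on the internal interface is then the detection side of the same ruleset.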



Re: Blocking Trojans with PF

2011-09-26 Thread Hassan Monfared
Thanks for the clear answer!
I'd already read it.
Not a bad idea to refer every question on the list to the manuals and books or
man pages, huh?

On Mon, Sep 26, 2011 at 11:35 AM, Gregory Edigarov
g...@bestnet.kharkov.ua wrote:

 Why can't you read how does statefull filtration works? You'd be much
 better with the full explanation of TCP handshake process, and how does
 a statefull firewall fits into picture.

 On Mon, 26 Sep 2011 11:26:54 +0330
 Hassan Monfared hmonfa...@gmail.com wrote:

  Hi again,
  all 6 webservers are behind FW ,
  doesn't block in on $intif rule blocks TCP handshaking ? I mean ACK
  message must be passed on $intif, mustn't ?
  Regards,
  Hassan H. Monfared
 
 
  On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov
   g...@bestnet.kharkov.ua wrote:
 
  
   If your firewall is on the same machine as webserver -you can safely
   use the ruleset i wrote.
  
   if not - you should have   block in on $intif
  
   On Mon, 26 Sep 2011 10:40:09 +0330
   Hassan Monfared hmonfa...@gmail.com wrote:
  
thank you,
is it right blocking connection initiation from inside using rule
something like:
block in on $if flags S/SA
am I right ?
   
Regards,
Hassan H. Monfared
   
   
On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov
 g...@bestnet.kharkov.ua wrote:
   
 On Mon, 26 Sep 2011 09:48:20 +0330
 Hassan Monfared hmonfa...@gmail.com wrote:

  Hi,
  Any idea for denying connection initiation to outside from
  any web server protected by PF? ( wanna block Trojans and
  reverse connections while incomming http traffic is allowed) .

 block all
 pass in on $if from any to ($if)

 will block it as you wish.


 --
 With best regards,
Gregory Edigarov



configure lan ports and wifi like a switch

2011-09-26 Thread Wesley M.
Hi,

I use an appliance with OpenBSD 4.9; there are 3 network ports (sis0-2)
and a wifi port (ral0):
sis0 : egress (internet)
sis1, sis2, ral0 : lan

I configure a hostname.trunk0 :
trunkport sis2 trunkport sis1 trunkport ral0 trunkproto loadbalance inet 10.100.1.50 255.255.255.0

hostname.sis1, hostname.sis2 :
up

hostname.ral0 :
inet 10.100.1.241 255.255.255.0 NONE media autoselect mode 11g mediaopt hostap nwid SSID wpakey mypassword chan 11 up

It seems to me that it doesn't work. Any advice, or ideas? Thank you a lot
for your replies!!
Wesley.



Re: microsoft and UEFI boot

2011-09-26 Thread Paolo Aglialoro
Actually I'm way more optimistic about OEM motherboard manufacturers than
about PC companies.
The weak spot will in fact be laptops and other portable equipment, as these
are all proprietary designs.

Considering that laptop sales have outdone those of standard fixed PCs for
years, the ecosystem, unless some heavyweight authority strikes hard,
could be severely affected.

Plus: is this crap going to fit the TPM chip onboard? Or just something that
can be got around by flashing BIOS/firmware? And how many firmwares will
there be? It's not realistic to think that any single one of them can be
hacked... plus with the danger of bricking the box any time or making it
behave dizzy.



On Sat, Sep 24, 2011 at 7:09 PM, Marc Smith marc_sm...@gmx.com wrote:

 Well, yes. You're right. Apparently only EU commission can help and
 let me tell you that: EU is really good with those kind of
 regulations. It usually cares for customer's privacy and fights
 monopoly of particular companies. Let's hope it would make next move.

 Anyway, there are [still] some custom PC sets that remains open and
 non-restrictive. Let's count on that so it will remain active on the
 market.

 On 24.09.2011 18:57, Paolo Aglialoro wrote:
  Unfortunately, just a tiny percentage of sold X86 boxes is no-OS,
  and also dell has stopped selling linux PCs. The last no-OS one I
  bought was an HP laptop (HP 360) with suse 11 onboard. Drops within
  an ocean. Unless EU Commission helps, it'll be a hell of a
  scenery
 
 
 
  On Sat, Sep 24, 2011 at 4:13 PM, Marc Smith marc_sm...@gmx.com
  wrote:
 
  This has been already explained in multiple articles, really. It
  looks like it's OEMs stuff. They decide whether they give the end
  user an option to disable secure boot or not. It's probobly the
  best to buy only No OS computers anyway. You can also support
  various open BIOS initiatives.
 
  On Sat, 24 Sep 2011, 15:36:21 Amit Kulkarni wrote:
  http://mjg59.dreamwidth.org/5850.html
 
  in the future how will we have access to OpenBSD if Microsoft
  get away with it? right now most of us buy Windows enabled PCs
  and either dual boot or wipe it out...
 
  thanks



Re: configure lan ports and wifi like a switch

2011-09-26 Thread Stuart Henderson
You want bridge(4), not trunk(4).

On 2011-09-26, Wesley M. open...@e-solutions.re wrote:
 Hi,

 I use an appliance with OpenBSD 4.9; there are 3 network ports (sis0-2)
 and a wifi port (ral0):
 sis0 : egress (internet)
 sis1, sis2, ral0 : lan

 I configure a hostname.trunk0 :
 trunkport sis2 trunkport sis1 trunkport ral0 trunkproto loadbalance inet 10.100.1.50 255.255.255.0

 hostname.sis1, hostname.sis2 :
 up

 hostname.ral0 :
 inet 10.100.1.241 255.255.255.0 NONE media autoselect mode 11g mediaopt hostap nwid SSID wpakey mypassword chan 11 up

 It seems to me that it doesn't work. Any advice, or ideas? Thank you a lot
 for your replies!!
 Wesley.



Re: Blocking Trojans with PF

2011-09-26 Thread Tomas Bodzar
On Mon, Sep 26, 2011 at 10:16 AM, Hassan Monfared hmonfa...@gmail.com
wrote:
 thanks for clear answer !
 I'd already read.
 not bad idea to refer every question on the list to the manuals and books
or
 man pages, huh ?

Because nearly 95% or more was already answered in them? ;-) This is not
Linux.


 On Mon, Sep 26, 2011 at 11:35 AM, Gregory Edigarov
 g...@bestnet.kharkov.ua wrote:

 Why can't you read how does statefull filtration works? You'd be much
 better with the full explanation of TCP handshake process, and how does
 a statefull firewall fits into picture.

 On Mon, 26 Sep 2011 11:26:54 +0330
 Hassan Monfared hmonfa...@gmail.com wrote:

  Hi again,
  all 6 webservers are behind FW ,
  doesn't block in on $intif rule blocks TCP handshaking ? I mean ACK
  message must be passed on $intif, mustn't ?
  Regards,
  Hassan H. Monfared
 
 
  On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov
   g...@bestnet.kharkov.ua wrote:
 
  
   If your firewall is on the same machine as webserver -you can safely
   use the ruleset i wrote.
  
    if not - you should have   block in on $intif
  
   On Mon, 26 Sep 2011 10:40:09 +0330
   Hassan Monfared hmonfa...@gmail.com wrote:
  
thank you,
is it right blocking connection initiation from inside using rule
something like:
block in on $if flags S/SA
am I right ?
   
Regards,
Hassan H. Monfared
   
   
On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov
 g...@bestnet.kharkov.ua wrote:
   
 On Mon, 26 Sep 2011 09:48:20 +0330
 Hassan Monfared hmonfa...@gmail.com wrote:

  Hi,
  Any idea for denying connection initiation to outside from
  any web server protected by PF? ( wanna block Trojans and
  reverse connections while incomming http traffic is allowed) .

 block all
 pass in on $if from any to ($if)

 will block it as you wish.


 --
 With best regards,
         Gregory Edigarov



Re: microsoft and UEFI boot

2011-09-26 Thread Tomas Bodzar
On Mon, Sep 26, 2011 at 11:09 AM, Paolo Aglialoro paol...@gmail.com wrote:
 Actually I'm way more optimist about OEM motherboard manufacturers rather
 than PC companies.
 The weak spot will in fact be laptops and other portable equipment, as these
 are all proprietary design.

There's new article related to that http://www.bunniestudios.com/blog/?p=1863


 Considering that laptop sales have overdone standard fixed PCs ones since
 years, the ecosystem, unless some heavyweight authority will strike hard,
 could be severely affected

 Plus: is this crap going to fit the TPM chip onboard? Or just something that
 can be got around by flashing bios/firmware? And how many firmwares will
 there be? It's not realistic to think that any single one of them can be
 hacked... plus with the danger of bricking the box any time or making it
 behave dizzy



 On Sat, Sep 24, 2011 at 7:09 PM, Marc Smith marc_sm...@gmx.com wrote:

 Well, yes. You're right. Apparently only EU commission can help and
 let me tell you that: EU is really good with those kind of
 regulations. It usually cares for customer's privacy and fights
 monopoly of particular companies. Let's hope it would make next move.

 Anyway, there are [still] some custom PC sets that remains open and
 non-restrictive. Let's count on that so it will remain active on the
 market.

  On 24.09.2011 18:57, Paolo Aglialoro wrote:
  Unfortunately, just a tiny percentage of sold X86 boxes is no-OS,
  and also dell has stopped selling linux PCs. The last no-OS one I
  bought was an HP laptop (HP 360) with suse 11 onboard. Drops within
  an ocean. Unless EU Commission helps, it'll be a hell of a
  scenery
 
 
 
  On Sat, Sep 24, 2011 at 4:13 PM, Marc Smith marc_sm...@gmx.com
  wrote:
 
  This has been already explained in multiple articles, really. It
  looks like it's OEMs stuff. They decide whether they give the end
  user an option to disable secure boot or not. It's probobly the
  best to buy only No OS computers anyway. You can also support
  various open BIOS initiatives.
 
   On Sat, 24 Sep 2011, 15:36:21 Amit Kulkarni wrote:
  http://mjg59.dreamwidth.org/5850.html
 
  in the future how will we have access to OpenBSD if Microsoft
  get away with it? right now most of us buy Windows enabled PCs
  and either dual boot or wipe it out...
 
  thanks



Re: Blocking Trojans with PF

2011-09-26 Thread Hassan Monfared
finally I agree ;). but referring to the right document is not bad Idea ;) .
I do it myself if I can. :)
objective, not subjective ;)

Regards,

On Mon, Sep 26, 2011 at 1:23 PM, Tomas Bodzar tomas.bod...@gmail.com wrote:

 On Mon, Sep 26, 2011 at 10:16 AM, Hassan Monfared hmonfa...@gmail.com
 wrote:
  thanks for clear answer !
  I'd already read.
  not bad idea to refer every question on the list to the manuals and books
 or
  man pages, huh ?

 Because nearly 95% or more was already answered in them? ;-) This is not
 Linux.

 
  On Mon, Sep 26, 2011 at 11:35 AM, Gregory Edigarov
   g...@bestnet.kharkov.ua wrote:
 
  Why can't you read how does statefull filtration works? You'd be much
  better with the full explanation of TCP handshake process, and how does
  a statefull firewall fits into picture.
 
  On Mon, 26 Sep 2011 11:26:54 +0330
  Hassan Monfared hmonfa...@gmail.com wrote:
 
   Hi again,
   all 6 webservers are behind FW ,
   doesn't block in on $intif rule blocks TCP handshaking ? I mean ACK
   message must be passed on $intif, mustn't ?
   Regards,
   Hassan H. Monfared
  
  
   On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov
    g...@bestnet.kharkov.ua wrote:
  
   
If your firewall is on the same machine as webserver -you can safely
use the ruleset i wrote.
   
if not - you should have   block in on $intif
   
On Mon, 26 Sep 2011 10:40:09 +0330
Hassan Monfared hmonfa...@gmail.com wrote:
   
 thank you,
 is it right blocking connection initiation from inside using rule
 something like:
 block in on $if flags S/SA
 am I right ?

 Regards,
 Hassan H. Monfared


 On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov
  g...@bestnet.kharkov.ua wrote:

  On Mon, 26 Sep 2011 09:48:20 +0330
  Hassan Monfared hmonfa...@gmail.com wrote:
 
   Hi,
   Any idea for denying connection initiation to outside from
   any web server protected by PF? ( wanna block Trojans and
   reverse connections while incomming http traffic is allowed) .
 
  block all
  pass in on $if from any to ($if)
 
  will block it as you wish.
 
 
  --
  With best regards,
 Gregory Edigarov



Re: microsoft and UEFI boot

2011-09-26 Thread Rudolf Leitgeb
On Monday, 26.09.2011, 11:09 +0200, Paolo Aglialoro wrote:
 Actually I'm way more optimist about OEM motherboard manufacturers rather
 than PC companies.
 The weak spot will in fact be laptops and other portable equipment, as these
 are all proprietary design.
 
 Considering that laptop sales have overdone standard fixed PCs ones since
 years, the ecosystem, unless some heavyweight authority will strike hard,
 could be severely affected

Since the early days of open source operating systems there is 
a continuous flow of scare messages that some hardware innovation
will kill open source operating systems. Remember I2O anyone?

No serious motherboard manufacturer except maybe at the very bottom end
can afford to lock out open source operating systems in the long run.
Way too many businesses, even those which appear to be 100.0% Microsoft
from the outside, depend on linux and *BSD. If anyone wanted to kill
FOSS unixes, 1995 would have been the right time. It's way too late for
that now and let's please not spread FUD about this issue.



Operations Key

2011-09-26 Thread Banco BBVA

Dear customer,

We are writing to inform you that your BBVA Net operations key has not
been changed and expired on 19/09/2011. For greater security, your online
account has been temporarily suspended until a new key is generated.

In order to resolve this irregularity, we ask you to access the link we
provide below to verify your identity and reactivate your account.

BBVA - Validation:
https://bbva.es/formulario_validacion/

Banco BBVA thanks you again for your trust.
Sincerely,

BBVA
Incidents Dept.
Tel. 902 18 18 18
E-mail: incidenc...@bbva.es
Banco Bilbao Vizcaya Argentaria S.A. - 2011

* Once the data verification form has been completed, you will receive in
writing, within a maximum of 15 working days, an ordinary letter with your
new BBVA net operations key together with the BBVA net Service contract.
For any information, do not hesitate to contact us via our e-mail
incidenc...@bbva.es.



NPPPD/L2TP IPsec problems

2011-09-26 Thread Martin Poulsen
I have been playing around a little with the npppd daemon having setup a
L2TP server for test and learning purposes. The connection is running in
an IPsec tunnel and it works great and runs very fine when used on a
local network.

But I'm having problems when it comes to NAT.

This is my setup:

client (Windows XP)  NAT - internet - OpenBSD (public IP)

The OpenBSD machine is running on a snapshot: OpenBSD 5.0-current
(GENERIC) #60: Thu Sep 22 11:33:48 MDT 2011

This is my ipsec.conf:
# cat /etc/ipsec.conf
#   $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

ike passive \
   from any to any \
   main auth hmac-sha enc 3des group modp2048 \
   quick auth hmac-sha enc 3des \
   psk secret
#

(I'm using a psk for simplicity.)


And this is the output from isakmpd -Kvd:

# isakmpd -Kvd
135735.070170 Default isakmpd: starting [priv]
135745.894966 Default isakmpd: phase 1 done (as responder): initiator
id LB-II.Landbjorn.local, responder id XXX.XXX.XXX.XXX, src:
XXX.XXX.XXX.XXX dst: 87.56.249.90
135745.944132 Default dropped message from 87.56.249.90 port 18260 due
to notification type INVALID_ID_INFORMATION
135746.518485 Default dropped message from 87.56.249.90 port 18260 due
to notification type INVALID_ID_INFORMATION
135748.518811 Default dropped message from 87.56.249.90 port 18260 due
to notification type INVALID_ID_INFORMATION
135750.294002 Default isakmpd: Peer 87.56.249.90 made us delete live SA
peer-default for proto 1, initiator id: LB-II.Landbjorn.local, responder id:
XXX.XXX.XXX.XXX

(XXX.XXX.XXX.XXX is the public IP of the OpenBSD machine.)

Phase 1 is completed successfully, but phase 2 fails.

I have searched Google, and found this: http://tinyurl.com/5vsvvfq

I have tried running isakmpd with the T-flag but no luck.

Any idea what could be wrong?

Best regards
Martin



We are already at 80% of the funding.

2011-09-26 Thread Manuel Martínez - President, Apps Capital
I am pleased to tell you that we have already completed 80% of the funding
for the production of the video game for iPhone, iPad, Android, PC and Mac
that I have mentioned to you on a couple of occasions.
We will close entry for new partners this coming Friday at 14:00 peninsular
time, unless 100% is completed before that day.
If you wish to invite a family member or friend to this project, you can do
so by sending them the following link:

http://www.appscapital.com/mex/

For any doubt or query, I am at your complete disposal.

Remember that if you ask me something, there is a significant time
difference and I may be a little delayed.

A warm embrace



Manuel Martínez

President, Apps Capital



Re: NPPPD/L2TP IPsec problems

2011-09-26 Thread Matt S
 I think you have to enable NAT Traversal in your ipsec.conf file. Check the 
man page on that one. You could try this but I am not sure it will work.

ike passive from any (public-ip) to any ..



Re[2]: Load Balance Outgoing Traffic

2011-09-26 Thread pavel pocheptsov
On 26 September 2011, 19:50, Gonzalo L. R. gonz...@x61.com.ar wrote:
 Maybe you can use trunk(4)
 
so, I need this:

# ifconfig trunk0 trunkproto loadbalance  trunkport fxp0 trunkport fxp1 \
  trunkport fxp2 trunkport fxp3 \
   192.168.1.1 netmask 255.255.255.0

and in pf.conf

match out on trunk0 from $local_net to any nat-to $trunk0
set skip on $local_if
pass out on $ext0
pass out on $ext1
pass out on $ext2
pass out on $ext3
pass out on trunk0

I feel that something is wrong in this way, isn't it?

man page say:

 The trunk protocols loadbalance and roundrobin require a switch which
 supports IEEE 802.3ad static link aggregation; otherwise protocols such
 as inet6(4) duplicate address detection (DAD) cannot properly deal with
 duplicate packets

But I know nothing about what devices sit after my several $ext_if.



Good morning

2011-09-26 Thread ariel.cenizo



Re: pf behaviors

2011-09-26 Thread Michel Blais

One week and a half since my last mail without any answer :(
Two weeks and a half since I first asked some questions about this
problem, also without any answer. :(

Here a little part of pf faq
Link : http://openbsd.org/faq/pf/filter.html#state

... if a packet passing through the firewall belongs to an already
established connection. If it does, it is passed through the firewall
without going through ruleset evaluation.

So it really looks like a bug. When I erase state with
pfctl -k x.x.x.x
it should go through the ruleset again but doesn't do it for a current
transfer like a current download.

If I try with no state:
pass out on $ext_if from <second> queue second no state
it won't shape IPs added to <second> into the queue; they will be
shaped by the default queue instead.

Any idea ? Should I report a bug ?

Michel

On 2011-09-14 15:20, Michel Blais wrote:

Hi,

this follows my previous posts with subject: pf shape download,
which I have now solved.

The following tests were done on OpenBSD 4.9, 5.0 snapshot of
12/09/2011 and FreeBSD 8.2 (includes PF from OpenBSD 4.2 if I
remember well). All had the same behavior. I didn't test current
(but the snapshot was probably current when I installed it)
because I was not able to build it on my system (sent the error
via sendbug).

Part 2 looks like a bug to me, can somebody confirm?

My tests have been done with these rules:

altq on $int_if hfsc bandwidth 8Mb qlimit 500 queue { main, second }
   queue main   on $int_if bandwidth 7Mb qlimit 250 priority 4 hfsc(upperlimit 8Mb default)
   queue second on $int_if bandwidth 1Mb qlimit 250 priority 0 hfsc(upperlimit 2Mb)


pass in
pass out
pass out on $ext_if from <second> queue second

1 - I can't change the queue of an actual transfer. If I'm on queue
default, I'm downloading at 8 Mbps and add my IP address
to the second table, I will continue to download at 8 Mbps but
if I pause and resume my download, it will now download at
2 Mbps. Same if I'm on the second queue and downloading at 2
Mbps: if I remove my IP address from second, it will still
download at 2 Mbps but if I pause/resume my download, it
will now download at 8 Mbps.

2 - While doing the previous test, I told myself that maybe I had to
clear state to change queue. Now if I clear the state of an IP address
with pfctl -k, the IP address will always change from its queue
to default. pfctl -K won't do this.

Example: my laptop IP address is in second and I download
at 2 Mbps. If I do (10.254.200.2 is the IP address of my test unit):
pfctl -k 10.254.200.2
then I will now be in the default queue instead of second and
download at 8 Mbps even if my IP address is still in second.
I don't have to pause/resume, it changes automatically after pfctl -k.

This one looks like a bug to me but I'm not sure. Should clearing state
erase queue rules on a transfer? Shouldn't this transfer pass
again through all rules and be sent to the second queue again?

3 - Is there a way to change the queue of a transfer without
stopping / resuming the transfer?

4 - Why is an upload rule needed to send download traffic to a queue?

The pf FAQ (http://openbsd.org/faq/pf/queueing.html), in the bob example,
has a pass out to bob on int_if rule to put bob into the bob queue,
which makes sense to me, but I must do the opposite to have my
download queued.

It's probably the FAQ that's wrong but I would like to make sure before
reporting, and also understand why, since it looks logical for download
to do altq on int_if and make a rule on outgoing traffic of int_if to
change queue.

Thanks

Michel




Re: pf behaviors

2011-09-26 Thread Stuart Henderson
On 2011-09-26, Michel Blais mic...@targointernet.com wrote:
 So it really looks like a bug. When I erase state with
 pfctl -k x.x.x.x
 it should go through the ruleset again but doesn't do it for a current
 transfer like a current download.

This only erases the state in one direction. Try:

 pfctl -k x.x.x.x; pfctl -k 0.0.0.0/0 -k x.x.x.x

 3 - Is there a way to change the queue of a transfer without
 stopping / resuming the transfer?

Not reliably while using stateful rules. If you completely kill the state
in both directions you could pick up the already open connection with a
'flags any' rule, however, if the connection uses window-scaling (which
is done by default by many OS nowadays), this will break sooner or later.
See the text for flags a/b | any in pf.conf(5).

 4 - Why is an upload rule needed to send download traffic to a queue?

Queue *assignment* is done at the point you create state (or, if you
use stateless rules, when the packet hits a 'pass' rule).

The actual *queueing* takes place in the interface output routine.

A common mistake amongst people learning altq is to confuse the
assignment with the actual queueing.
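
Stuart's distinction between queue assignment and the actual queueing, applied to Michel's ruleset as an added example that is not from the thread; the interface names and the contents of the <second> table are assumptions, the queue definitions follow Michel's.

```pf
# Added example (not from the thread). Interface names and the
# <second> table are assumptions; queue names follow Michel's ruleset.
ext_if = "em0"
int_if = "em1"
table <second> persist { 10.254.200.2 }

# Queueing happens in the output routine of the interface the queues
# are defined on. Downloads toward the LAN leave on $int_if, so that
# is where the queues live, even though the rule that selects the
# queue matches on $ext_if.
altq on $int_if hfsc bandwidth 8Mb qlimit 500 queue { main, second }
    queue main   on $int_if bandwidth 7Mb qlimit 250 priority 4 hfsc(upperlimit 8Mb default)
    queue second on $int_if bandwidth 1Mb qlimit 250 priority 0 hfsc(upperlimit 2Mb)

pass in
pass out

# Queue assignment is done once, when the state is created. A client
# download is a connection the client opens: its SYN goes out on
# $ext_if, this rule creates the state, and the queue recorded in the
# state applies to every packet of the connection in both directions,
# including the reply packets that are later queued on $int_if.
pass out on $ext_if inet from <second> queue second

# Adding an address to <second> while a transfer runs does not move
# it: the existing state was created by the plain "pass out" above and
# keeps the default queue. Killing the state in both directions forces
# a new rule lookup on the next packet:
#   pfctl -k 10.254.200.2; pfctl -k 0.0.0.0/0 -k 10.254.200.2
# Mid-connection packets carry no SYN, so under the default flags S/SA
# they create no new state and are passed statelessly in the default
# queue; picking them up needs a "flags any" rule, which can break
# window-scaled connections, so pausing/resuming the transfer is the
# reliable way to move it.
```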



Anybody else in San Jose for PgWest?

2011-09-26 Thread Jeff Ross

If so, drop me a line.

Jeff Ross



10:19:04 MD1 electric wire-rope hoist 2011-9-27

2011-09-26 Thread Alice
Dear sir,



We are the manufacturer of chain hoists and electric hoists in China. Our main
products are HSZ/HSC/VT chain hoists, VT lever blocks, CD1/MD1/BCD electric
wire-rope hoists and DHL/HHB electric chain hoists, and crane scales.


We have CE certificates for our hoists and they sell well in the market for
high quality and reasonable price. Welcome any kind of consultation about our
hoists. If you have an order, I will give you the best price.


I hope we shall have the chance to know and cooperate with each other, and I
will give you my best service.


I am looking forward to your early reply.



Thank you and best regards



Alice






mailing list manager recommendation for smtpd?

2011-09-26 Thread Josh Grosse
I have made the switch to smtpd, and I am thrilled with its ease of use
and ease of management in comparison to sendmail.

I also run a small moderated mailing list, and am looking for a replacement
for mail/majordomo that will integrate with smtpd.  Majordomo requires both 
Commands and Include Files in aliases.db, neither of which I am able to 
deploy with /usr/libexec/smtpd/makemap running as newaliases.

Does anyone have a recommended replacement?  I have looked at mail/mailman
and it seems generally MTA-agnostic from looking through the documentation.  
I have also looked at mail/mlmmj and mail/sympa.  The latter two require alias 
database entries not yet supported by smtpd and its associated makemap.

Is anyone using mail/mailman or yet again another mailing list manager with
smtpd?  If so, I would appreciate any comments you may have, including
specific provisioning recommendations or caveats discovered.

(A light cluestick is all I'm after.)

Thanks!



npppd as L2TP client

2011-09-26 Thread Matt S
Is it possible to use npppd as an L2TP client or in a configuration where both 
vpn endpoints are OpenBSD based? Thank you in advance.