Re: limit ftp download
On 3-11-2011 6:07, Wesley M. wrote:
> I suppose it is because traffic is redirected to 127.0.0.1 (ftp-proxy).
> Sample of my pf.conf:
> ...
> anchor "ftp-proxy/*"
> pass in on $lan inet proto tcp from $limithost \
>     to port 21 divert-to 127.0.0.1 port 8021 queue ilimit
> ...
> Is there a way to solve this problem?

ftp-proxy has a '-q' option to set a queue.
Re: Updating plus.html
I've worked with Janne and some stuff is almost but not yet published (to week #26, the beginning of c2k11 for 5.0, and weeks #33 and #34 of current). I've done some work I could submit soon to Janne with weeks #35, #36 and #37. Let me know if it's needed.

Please submit, if you have already done the work!

Sure, I'll send them as usual to Janne Johansson within a week.

You really should contact him about plus.html.

I forgot to Cc him on my last message, done now.

Hi Janne,
Are you co-ordinating and/or working on plus.html? If not, let me know and I will start up from where the others have left off (once it's submitted). If yes, shoot me an email if you want me to do some of it.
Cheers,
Brett.
Re: limit ftp download
On 2011-11-03, Wesley M. <open...@e-solutions.re> wrote:
> I'm using OpenBSD 5.0. I'm testing traffic shaping using altq.
> I can limit a user (his IP address) to 160Kb/s, it works great.
> But when this user tries to download a file using ftp, he downloads it at 1024Kb/s.
> I suppose it is because traffic is redirected to 127.0.0.1 (ftp-proxy).
> Sample of my pf.conf:
> ...
> anchor "ftp-proxy/*"
> pass in on $lan inet proto tcp from $limithost \
>     to port 21 divert-to 127.0.0.1 port 8021 queue ilimit
> ...
> Is there a way to solve this problem?

for the simple case, -q as Camiel suggested.

> I want also that the others can download on ftp at full speed

for this second requirement you can use -T to tag the data connections, and have separate pass rules, one for $limithost with the queue, and one for normal hosts.
Re: limit ftp download
Thank you for your reply.
I read the man page of ftp-proxy. There's an option like you said, -q queue.
But in my case, I have 2 queues: ilimit and istd
ilimit : bandwidth - 20Ko/s
istd : bandwidth - 128 Ko/s
So I just modified my /etc/rc.conf.local:
ftpproxy_flags=""
to
ftpproxy_flags="-q ilimit"
Restart the box.
Now, when this limited user downloads files using ftp, it downloads at 20Ko/s.
But the others also download at 20Ko/s; how can I fix the others to download files at 128 Ko/s?
How can I have 2 ftp streams, like one at 20Ko/s and one at 128 Ko/s?
Thank you very much for your help.
Wesley.

On Thu, 03 Nov 2011 07:04:04 +0100, Camiel Dobbelaar <c...@sentia.nl> wrote:
> On 3-11-2011 6:07, Wesley M. wrote:
>> I suppose it is because traffic is redirected to 127.0.0.1 (ftp-proxy).
>> Sample of my pf.conf:
>> ...
>> anchor "ftp-proxy/*"
>> pass in on $lan inet proto tcp from $limithost \
>>     to port 21 divert-to 127.0.0.1 port 8021 queue ilimit
>> ...
>> Is there a way to solve this problem?
>
> ftp-proxy has a '-q' option to set a queue.
Re: limit ftp download
On 3-11-2011 9:01, Wesley M. wrote:
> Thank you for your reply.
> I read the man page of ftp-proxy. There's an option like you said, -q queue.
> But in my case, I have 2 queues: ilimit and istd
> ilimit : bandwidth - 20Ko/s
> istd : bandwidth - 128 Ko/s
> So I just modified my /etc/rc.conf.local:
> ftpproxy_flags=""
> to
> ftpproxy_flags="-q ilimit"
> Restart the box.
> Now, when this limited user downloads files using ftp, it downloads at 20Ko/s.
> But the others also download at 20Ko/s; how can I fix the others to download files at 128 Ko/s?
> How can I have 2 ftp streams, like one at 20Ko/s and one at 128 Ko/s?

Run two ftp-proxies: one with the -q ilimit and one with the -q istd.
Then redirect the limited user to one proxy and the rest to the other.
Re: High interrupt rates after resume
On Tue, Nov 1, 2011 at 10:12 AM, Alexander Polakov <polac...@gmail.com> wrote:
> * Leroy van Engelen <leroy.vanenge...@gmail.com> [111019 19:07]:
>> This was also seen on a macbook by Jan Stary:
>> http://marc.info/?l=openbsd-misc&m=131213545109050&w=2
>> And on my Samsung N210:
>> http://marc.info/?l=openbsd-misc&m=131193104030288&w=2
>> I still have this problem, and ran out of options to investigate.
>> The funny thing is that, just like the MacBook case above, the high interrupt load goes away every other suspend/resume. Do you see this as well? It seems like a clue, but I have no idea where to begin investigating, except for the ipi code you wrote the diff for.
>
> Hi, mikeb@ just committed a diff for ppb which solves the problem for me. Is it the case for you?

Yes, the high interrupt load is gone!

However, right after booting the new kernel I saw some weird behaviour. Before rebooting, suddenly my laptop would not resume anymore (can't be related to the fix, but still weird) and I had to use the power switch for a reboot. Then I booted the new kernel, and during boot the system started to fsck the root partition. When the check for the next partition started, it suddenly suspended and when resumed, it would continue for a couple of seconds and suspend again. Then, I rebooted the old kernel, let fsck finish without problems and rebooted into the new kernel again.

I haven't had the chance to test the stability further. If I find out more, I'll post the results.

Just out of curiosity, what was the problem and how did you debug it?

Bye,
-Leroy
Packet Tagging issues with NAT in pf OBSD 4.9
Hello all,
I recently stood up an OpenBSD server to replace an older ASA. I read the faq and was interested in the packet tagging aspect because I have a DMZ and it makes the rule set seem more readable to my brain. In any case I have the following taken from the PF faqs on the OpenBSD website...

_int = re0
_ext = fxp1
int_net = 192.168.200.0/24

pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
pass in on $_int from $int_net tag LAN_TO_INET
..
pass out quick on $_ext tagged LAN_NAT_TO_INET

I've obviously changed around some of the macros and there are other rules (although commented out at this time until I get LAN connectivity) but it doesn't work. Interestingly enough this does:

_int = re0
_ext = fxp1
int_net = 192.168.200.0/24

pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
pass in on $_int from $int_net tag LAN_TO_INET
..
pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)

Any reason why at the bottom of my .conf file where nat-to is in my quick rule it would work but when it's at the first filter rule it does not? I've read over the man page and have the book of pf v.2 and still am confused. Any thought is greatly appreciated.

Regards,
Dain
Re: how to gain high performance with big memory
Take a look at this:
http://www.packetmischief.ca/openbsd-compact-flash-firewall/
http://blog.spoofed.org/2007/12/openbsd-on-soekris-cheaters-guide.html
It's about installing on a flash card but how to mount filesystems to memory is in there.

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of f5b [f...@163.com]
Sent: Wednesday, November 02, 2011 11:32 PM
To: misc@openbsd.org
Subject: how to gain high performance with big memory

> how to gain high performance with big memory
> amd64, OpenBSD 5.0 Release, machine has big memory = 48G
> for example, how to mount memory for the /usr/ports file system, letting make build more quickly.
> other suggestions? how to tune the sysctl.conf file accordingly?
Re: Packet Tagging issues with NAT in pf OBSD 4.9
Hi, try this sample

_int = re0
_ext = fxp1
int_net = 192.168.200.0/24

set block-policy drop
set skip on lo

match in all scrub (no-df max-mss 1440)
match out on $_ext inet from $int_net to any nat-to (egress)

block log all

pass in on $_int inet proto udp from $int_net to any port domain
pass in on $_int inet proto tcp from $int_net to any port \
    { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
pass out on $_ext inet proto tcp all
pass out on $_ext inet proto udp all

All the best,
Wesley MOUEDINE ASSABY.

> _int = re0
> _ext = fxp1
> int_net = 192.168.200.0/24
>
> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
> pass in on $_int from $int_net tag LAN_TO_INET
> ..
> pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)
>
> Any reason why at the bottom of my .conf file where nat-to is in my quick rule it would work but when it's at the first filter rule it does not? I've read over the man page and have the book of pf v.2 and still am confused. Any thought is greatly appreciated.
>
> Regards,
> Dain
Re: Updating plus.html
That said, I don't think having individual developers provide plus.html entries in addition to commit messages would work - additional workload, lack of uniform style, and lack of a big picture perspective. So it has to be done by one person, or by a small team. The ideal person to do it would know all the technical internals of all parts of the system, have huge experience in using the system, but be completely unwilling or unable to write any code in the first place, to not be distracted from writing and committing code improvements. Oh well, what a contradictory job ad... :)

Even if what you are doing is not perfect, having at least something, in a consistent style and with regular updates, is certainly a huge improvement, compared to letting plus.html die.

.Dd $Mdocdate$
.Dt PLUS49 7
.Os
.Sh NAME
.Nm plus49
.Nd major changes for OpenBSD 4.9
.Sh DESCRIPTION
This is a partial list of the major machine-independent changes
(i.e., these are the changes people ask about most often).
Machine specific changes have also been made, and are sometimes
mentioned in the pages for the specific platforms.
.Bl -enum
.It
Introduced a dummy function in
.Xr ifconfig 8
if SMALL is defined to digest arguments like rdomain, description, etc.
so that the
.Xr ifconfig 8
on RAMDISK is able to parse
.Xr hostname.if 5
files on updates.
.\" ...

(ducks)
Re: Packet Tagging issues with NAT in pf OBSD 4.9
Hi, thanks for replying. I was looking to use packet tagging though.

-----Original Message-----
From: Wesley M. [mailto:open...@e-solutions.re]
Sent: Thursday, November 03, 2011 6:20 AM
To: Bentley, Dain
Cc: misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

> Hi, try this sample
>
> _int = re0
> _ext = fxp1
> int_net = 192.168.200.0/24
>
> set block-policy drop
> set skip on lo
>
> match in all scrub (no-df max-mss 1440)
> match out on $_ext inet from $int_net to any nat-to (egress)
>
> block log all
>
> pass in on $_int inet proto udp from $int_net to any port domain
> pass in on $_int inet proto tcp from $int_net to any port \
>     { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
> pass out on $_ext inet proto tcp all
> pass out on $_ext inet proto udp all
>
> All the best,
> Wesley MOUEDINE ASSABY.
>
>> _int = re0
>> _ext = fxp1
>> int_net = 192.168.200.0/24
>>
>> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
>> pass in on $_int from $int_net tag LAN_TO_INET
>> ..
>> pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)
>>
>> Any reason why at the bottom of my .conf file where nat-to is in my quick rule it would work but when it's at the first filter rule it does not? I've read over the man page and have the book of pf v.2 and still am confused. Any thought is greatly appreciated.
>>
>> Regards,
>> Dain
Re: Updating plus.html
On Thu, Nov 03, 2011 at 11:42:55AM +0100, Kristaps Dzonsons wrote: [...] (ducks) _ _ _ _ _ ('), ('), ('), ('), (') ___, (` =~~/(` =~~/(` =~~/(` =~~/(` =~~/ jgs ~^~^`---'~^~^~^`---'~^~^~^`---'~^~^~^`---'~^~^~^`---'~^~^~ No need to thank me ;-) -- Gilles Chehade http://www.poolp.org/http://u.poolp.org/~gilles/
Re: Packet Tagging issues with NAT in pf OBSD 4.9
On 2011-11-03, Bentley, Dain <dbent...@nas.edu> wrote:
> Hello all,
> I recently stood up an OpenBSD server to replace an older ASA. I read the faq and was interested in the packet tagging aspect because I have a DMZ and it makes the rule set seem more readable to my brain. In any case I have the following taken from the PF faqs on the OpenBSD website...

There are quite possibly some remaining glitches in the FAQ after converting the translation rules over to using nat-to.

> _int = re0
> _ext = fxp1
> int_net = 192.168.200.0/24
>
> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
> pass in on $_int from $int_net tag LAN_TO_INET
> ..
> pass out quick on $_ext tagged LAN_NAT_TO_INET

Packets are tagged as the ruleset is traversed, so at the time the nat-to rule is handled, the packet has not yet been tagged (this also explains why your alternative config file does work).

Try reversing the rules:

pass in on $_int from $int_net tag LAN_TO_INET
pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
..
pass out quick on $_ext tagged LAN_NAT_TO_INET

Let me know if this helps and I'll swap them in the faq.
Re: Packet Tagging issues with NAT in pf OBSD 4.9
you aren't using tagging in your sample.

On 2011-11-03, Wesley M. <open...@e-solutions.re> wrote:
> Hi, try this sample
>
> _int = re0
> _ext = fxp1
> int_net = 192.168.200.0/24
>
> set block-policy drop
> set skip on lo
>
> match in all scrub (no-df max-mss 1440)
> match out on $_ext inet from $int_net to any nat-to (egress)
>
> block log all
>
> pass in on $_int inet proto udp from $int_net to any port domain
> pass in on $_int inet proto tcp from $int_net to any port \
>     { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
> pass out on $_ext inet proto tcp all
> pass out on $_ext inet proto udp all
>
> All the best,
> Wesley MOUEDINE ASSABY.
>
>> _int = re0
>> _ext = fxp1
>> int_net = 192.168.200.0/24
>>
>> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
>> pass in on $_int from $int_net tag LAN_TO_INET
>> ..
>> pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)
>>
>> Any reason why at the bottom of my .conf file where nat-to is in my quick rule it would work but when it's at the first filter rule it does not? I've read over the man page and have the book of pf v.2 and still am confused. Any thought is greatly appreciated.
>>
>> Regards,
>> Dain
Re: www/faq/index.html mentioning 4.9
committed, thank you. On 2011-11-03, Mike Putnam m...@theputnams.net wrote: Noticed by wepy in #openbsd on freenode. 21:21 wepy http://www.openbsd.org/faq/index.html -- says installation guide is for 4.9, but links to 5.0 Mike Index: www/faq/index.html === RCS file: /cvs/www/faq/index.html,v retrieving revision 1.342 diff -u -r1.342 index.html --- www/faq/index.html 1 Nov 2011 11:59:22 - 1.342 +++ www/faq/index.html 3 Nov 2011 03:24:38 - @@ -112,7 +112,7 @@ lia href=faq1.html#Next1.7 - When is the next release of OpenBSD?/a lia href=faq1.html#Included1.8 - What is included with OpenBSD?/a -lia href=faq1.html#WhatsNew1.9 - What is new in OpenBSD 4.9?/a +lia href=faq1.html#WhatsNew1.9 - What is new in OpenBSD 5.0?/a lia href=faq1.html#Desktop 1.10 - Can I use OpenBSD as a desktop system?/a lia href=faq1.html#HowAbout1.11 - Why is/isn't ProductX included?/a @@ -137,7 +137,7 @@ to learn OpenBSD on?/a /ul -h3a href=faq4.html4 - OpenBSD 4.9 Installation Guide/a/h3 +h3a href=faq4.html4 - OpenBSD 5.0 Installation Guide/a/h3 ul lia href=faq4.html#Overview4.1 - Overview of the OpenBSD installation procedure/a
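Review bot: both hunks only bump the version string from 4.9 to 5.0 (the 1.9 "What is new" entry and the "4 - OpenBSD Installation Guide" heading), which fixes the mismatch wepy reported; since the heading links to faq4.html, confirm that page's own title already reads 5.0, and grep the rest of www/faq/index.html for any remaining "4.9" strings outside these two hunks so the index is updated in one commit rather than piecemeal.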
Flashboot for OpenBSD 5.0 is now available
Hi

Flashboot is a small infrastructure to build minimal OpenBSD installations suitable for booting off flash and USB devices, originally by Damien Miller. Flashboot is derived from the scripts and tools used to build the OpenBSD installation media and has evolved over the years.

You will find Flashboot at Github: https://github.com/openbsd/flashboot

We need people to test some of the builds, for example the WRAP12 and PCENGINES kernels. If you don't want to build it yourself there is a full set of images ready to put on a USB memory stick or Flash card media.

Best regards
Flashboot team
Re: limit ftp download
I tried this: added a second ftpproxy_flags in my /etc/rc.conf.local
So in the file, we have:
ftpproxy_flags="-q ilimit"  # Listen by default on 8021
ftpproxy_flags="-q istd"    #
It doesn't work, it uses the last line in /etc/rc.conf.local: istd queue
I suppose that it doesn't listen on the same port 8021 for 2 queues.
So I tried this, adding this line to /etc/rc.local:
ftpproxy_flags="-q istd -p8022"
And in my /etc/rc.conf.local:
ftpproxy_flags="-q ilimit"
Restart the box, and do:
netstat -anf inet
Listening on 127.0.0.1:8021 and 127.0.0.1:8022, seems to work
But the limited user now downloads at 10Ko/s instead of 20Ko/s.
I think it is not the right way to do it.
Does someone have a sample using the -T option for ftp-proxy?
Thank you very much.
Wesley.

On Thu, 03 Nov 2011 09:02:32 +0100, Camiel Dobbelaar <c...@sentia.nl> wrote:
> Run two ftp-proxies: one with the -q ilimit and one with the -q istd.
> Then redirect the limited user to one proxy and the rest to the other.
Re: limit ftp download
You can only start one ftp-proxy with rc.conf. Just start the other one like this in /etc/rc.local (example from my own system, where I bind them to other addresses, you just need the -q and the -p):

# Add your local startup actions here.
echo -n ' ftp-proxy'
/usr/sbin/ftp-proxy -D6 -a Y -p 8022 -r
/usr/sbin/ftp-proxy -D6 -a Z -p 8023 -r

On 3-11-2011 12:23, Wesley M. wrote:
> I tried this: added a second ftpproxy_flags in my /etc/rc.conf.local
> So in the file, we have:
> ftpproxy_flags="-q ilimit"  # Listen by default on 8021
> ftpproxy_flags="-q istd"    #
> It doesn't work, it uses the last line in /etc/rc.conf.local: istd queue
> I suppose that it doesn't listen on the same port 8021 for 2 queues.
> So I tried this, adding this line to /etc/rc.local:
> ftpproxy_flags="-q istd -p8022"
> And in my /etc/rc.conf.local:
> ftpproxy_flags="-q ilimit"
> Restart the box, and do:
> netstat -anf inet
> Listening on 127.0.0.1:8021 and 127.0.0.1:8022, seems to work
> But the limited user now downloads at 10Ko/s instead of 20Ko/s.
> I think it is not the right way to do it.
> Does someone have a sample using the -T option for ftp-proxy?
> Thank you very much.
> Wesley.
>
> On Thu, 03 Nov 2011 09:02:32 +0100, Camiel Dobbelaar <c...@sentia.nl> wrote:
>> Run two ftp-proxies: one with the -q ilimit and one with the -q istd.
>> Then redirect the limited user to one proxy and the rest to the other.
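Putting Camiel's two answers together, here is a pf.conf fragment that selects one of two ftp-proxy instances by source address and gives each its own ALTQ queue. This is an added example, not a ruleset from the thread or from the ftp-proxy project. It assumes OpenBSD 5.0 with ALTQ, $lan as the LAN-facing interface, a constructed address for $limithost, the first ftp-proxy started from /etc/rc.conf.local with ftpproxy_flags="-q ilimit" (default port 8021), and a second one started from /etc/rc.local as /usr/sbin/ftp-proxy -q istd -p 8022.

```conf
# Added example (not from the thread). Two ftp-proxy instances, one per
# ALTQ queue, selected by the client's source address.
lan       = "re0"             # LAN-facing interface, assumption
limithost = "192.168.1.50"    # constructed address of the rate-limited client

# ALTQ shapes traffic leaving the interface it is defined on; downloads
# towards the LAN leave via $lan. 20Ko/s ~= 160Kb/s, 128Ko/s ~= 1024Kb/s.
altq on $lan cbq bandwidth 10Mb queue { istd, ilimit }
queue istd   bandwidth 1024Kb cbq(default)
queue ilimit bandwidth 160Kb

# Each ftp-proxy instance inserts its data-connection rules (tagged with
# the queue given by its -q flag) into this anchor.
anchor "ftp-proxy/*"

# Control connection from the limited host: divert to the instance started
# with "-q ilimit" (port 8021). "quick" makes this rule win over the
# general rule below despite pf's last-match semantics.
pass in quick on $lan inet proto tcp from $limithost to any port 21 \
    divert-to 127.0.0.1 port 8021 queue ilimit

# Everyone else on the LAN: divert to the instance started with
# "-q istd -p 8022".
pass in on $lan inet proto tcp from $lan:network to any port 21 \
    divert-to 127.0.0.1 port 8022 queue istd
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -s queue -v` while a transfer runs: the ilimit queue counters should move for the limited host's transfers and the istd counters for everyone else's. If the two proxies were started with the right -q flags, `pfctl -a "ftp-proxy/*" -s rules` shows each dynamically inserted data-connection rule carrying the matching queue name.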
Re: how to gain high performance with big memory
On Thu, Nov 3, 2011 at 4:24 AM, Bentley, Dain dbent...@nas.edu wrote: Take a look at this: http://www.packetmischief.ca/openbsd-compact-flash-firewall/ http://blog.spoofed.org/2007/12/openbsd-on-soekris-cheaters-guide.html Why send people to third party documentation that won't be properly maintained over time? What can you learn there with regards to memory filesystems that man mount_mfs doesn't cover?
Re: traffic shaping in OpenBSD
On Tue, 1 Nov 2011 08:55:07 -0400 Nico Kadel-Garcia nka...@gmail.com wrote: On Tue, Nov 1, 2011 at 4:10 AM, Gregory Edigarov g...@bestnet.kharkov.ua wrote: On Tue, 1 Nov 2011 08:53:46 +0100 Bret S. Lambert bret.lamb...@gmail.com wrote: On Tue, Nov 01, 2011 at 09:47:35AM +0200, Gregory Edigarov wrote: On Tue, 1 Nov 2011 11:17:56 +0400 ZZ Wave zzw...@gmail.com wrote: What solution should be used for traffic shaping on real-life, production gateways with tens and hundreds users? PF queues seem to be too userspace-ish and CPU consuming. Pardon? What do you mean userspace-ish ? I believe he wants to communicate with the kernel with the power of his mind. Where's my brain implant? ;-) Hold still. (I actually used to design electronics for those: they used a *BIG* and wonderfully frightening drill.) Implants seem so, er, unsanitary. Seems to me something like yer basic tinfoil hat would a more elegant approach ... Dhu
Full ruleset Packet filter OpenBSD 5.0
Hi, See here : http://mouedine.net/ruleset49.aspx (with divert/tag use) All the best, Wesley MOUEDINE ASSABY
Re: Flashboot for OpenBSD 5.0 is now available
Would be awesome if there was support for embedded board MIPS processors.

On 2011-11-03 07:17, Johan Ryberg wrote:
> Hi
>
> Flashboot is a small infrastructure to build minimal OpenBSD installations suitable for booting off flash and USB devices, originally by Damien Miller. Flashboot is derived from the scripts and tools used to build the OpenBSD installation media and has evolved over the years.
>
> You will find Flashboot at Github: https://github.com/openbsd/flashboot
>
> We need people to test some of the builds, for example the WRAP12 and PCENGINES kernels. If you don't want to build it yourself there is a full set of images ready to put on a USB memory stick or Flash card media.
>
> Best regards
> Flashboot team

--
Michel Blais
Administrateur réseau / Network administrator
Targo Communications
www.targo.ca
514-448-0773
Re: Has php-fpm been left out of OBSD 5.0 ?
yes you have to go to -current ports if you want php-fpm

keith [ke...@scott-land.net] wrote:
> Was planning on setting php-fpm up today on a new OpenBSD 5.0 box but can't find php-fpm. I thought it was built in to php from version 5.3.3 onwards but it doesn't seem to be. I am trying to set up a chrooted nginx and run php scripts as the website's user.
> Keith

--
There are only three sports: bullfighting, motor racing, and mountaineering; all the rest are merely games. - E. Hemingway
Re: Flashboot for OpenBSD 5.0 is now available
Sorry but we can only support official hardware platforms, but you are right, it would be awesome =)

Best regards Johan

2011/11/3 Michel Blais <mic...@targointernet.com>:
> Would be awesome if there was support for embedded board MIPS processors.
>
> On 2011-11-03 07:17, Johan Ryberg wrote:
>> Hi
>>
>> Flashboot is a small infrastructure to build minimal OpenBSD installations suitable for booting off flash and USB devices, originally by Damien Miller. Flashboot is derived from the scripts and tools used to build the OpenBSD installation media and has evolved over the years.
>>
>> You will find Flashboot at Github: https://github.com/openbsd/flashboot
>>
>> We need people to test some of the builds, for example the WRAP12 and PCENGINES kernels. If you don't want to build it yourself there is a full set of images ready to put on a USB memory stick or Flash card media.
>>
>> Best regards
>> Flashboot team
>
> --
> Michel Blais
> Administrateur réseau / Network administrator
> Targo Communications
> www.targo.ca
> 514-448-0773
Re: Packet Tagging issues with NAT in pf OBSD 4.9
Hello Stuart and thanks for your reply. It still doesn't help, this seems to work but I'm not sure if this is a good config:

# NAT RULES
match out on $ext tagged LAN nat-to ($ext)

# BLOCKING AND PACKET TAGGING
pass in on $int from $int_net tag LAN
#pass in on $int tag LAN
block out on $ext from any to any
pass out quick on $ext tagged LAN

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart Henderson [s...@spacehopper.org]
Sent: Thursday, November 03, 2011 6:53 AM
To: misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

> you aren't using tagging in your sample.
>
> On 2011-11-03, Wesley M. <open...@e-solutions.re> wrote:
>> Hi, try this sample
>>
>> _int = re0
>> _ext = fxp1
>> int_net = 192.168.200.0/24
>>
>> set block-policy drop
>> set skip on lo
>>
>> match in all scrub (no-df max-mss 1440)
>> match out on $_ext inet from $int_net to any nat-to (egress)
>>
>> block log all
>>
>> pass in on $_int inet proto udp from $int_net to any port domain
>> pass in on $_int inet proto tcp from $int_net to any port \
>>     { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
>> pass out on $_ext inet proto tcp all
>> pass out on $_ext inet proto udp all
>>
>> All the best,
>> Wesley MOUEDINE ASSABY.
>>
>>> _int = re0
>>> _ext = fxp1
>>> int_net = 192.168.200.0/24
>>>
>>> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
>>> pass in on $_int from $int_net tag LAN_TO_INET
>>> ..
>>> pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)
>>>
>>> Any reason why at the bottom of my .conf file where nat-to is in my quick rule it would work but when it's at the first filter rule it does not? I've read over the man page and have the book of pf v.2 and still am confused. Any thought is greatly appreciated.
>>>
>>> Regards,
>>> Dain
post-Altq
Hi,
What about the post-Altq? See here: http://bsdly.blogspot.com/2011/07/anticipating-post-altq-world.html
Does someone have any news about that?
Cheers,
Wesley.
Re: Packet Tagging issues with NAT in pf OBSD 4.9
On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain <dbent...@nas.edu> wrote:
> Hello Stuart and thanks for your reply. It still doesn't help, this seems to work but I'm not sure if this is a good config:
>
> # NAT RULES
> match out on $ext tagged LAN nat-to ($ext)
>
> # BLOCKING AND PACKET TAGGING
> pass in on $int from $int_net tag LAN
> #pass in on $int tag LAN
> block out on $ext from any to any
> pass out quick on $ext tagged LAN
>
> From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart Henderson [s...@spacehopper.org]
> Sent: Thursday, November 03, 2011 6:53 AM
> To: misc@openbsd.org
> Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9
>
>> you aren't using tagging in your sample.
>>
>> On 2011-11-03, Wesley M. <open...@e-solutions.re> wrote:
>>> Hi, try this sample
>>>
>>> _int = re0
>>> _ext = fxp1
>>> int_net = 192.168.200.0/24
>>>
>>> set block-policy drop
>>> set skip on lo
>>>
>>> match in all scrub (no-df max-mss 1440)
>>> match out on $_ext inet from $int_net to any nat-to (egress)
>>>
>>> block log all
>>>
>>> pass in on $_int inet proto udp from $int_net to any port domain
>>> pass in on $_int inet proto tcp from $int_net to any port \
>>>     { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
>>> pass out on $_ext inet proto tcp all
>>> pass out on $_ext inet proto udp all
>>>
>>> All the best,
>>> Wesley MOUEDINE ASSABY.
>>>
>>>> _int = re0
>>>> _ext = fxp1
>>>> int_net = 192.168.200.0/24
>>>>
>>>> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
>>>> pass in on $_int from $int_net tag LAN_TO_INET
>>>> ..
>>>> pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)
>>>>
>>>> Any reason why at the bottom of my .conf file where nat-to is in my quick rule it would work but when it's at the first filter rule it does not? I've read over the man page and have the book of pf v.2 and still am confused. Any thought is greatly appreciated.
>>>>
>>>> Regards,
>>>> Dain

I use something like this. The ruleset has been modified before posting, so no guarantees that I didn't mess something up.

# interfaces
if_lo=lo
if_enc=enc0
if_gif=gif0
if_ext=vlan3
if_int=vlan20
if_srv=vlan40

# interface ip's
ip4_int=10.0.0.1
ip6_int=2001:::20::10
ip4_srv=10.0.20.1
ip6_srv=2001:::40::10

# networks
net4_int=10.0.0.0/22
net6_int=2001:::20::/64
net4_srv=10.0.20.0/22
net6_srv=2001:::40::/64

# other macros
icmp_types=echoreq

# default policy
block log all

# TRANSLATION
match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext) static-port
match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

# allow router access to all nets (ipv4)
pass out on $if_ext proto tcp from $if_ext to any
pass out on $if_ext proto udp from $if_ext to any keep state
pass out on $if_ext inet proto icmp from $if_ext to any keep state
pass out on $if_int proto tcp from $if_int to any
pass out on $if_int proto udp from $if_int to any keep state
pass out on $if_int inet proto icmp from $if_int to any keep state
pass out on $if_int inet6 proto ipv6-icmp from $if_int to any keep state
pass out on $if_srv proto tcp from $if_srv to any
pass out on $if_srv proto udp from $if_srv to any keep state
pass out on $if_srv inet proto icmp from $if_srv to any keep state
pass out on $if_srv inet6 proto ipv6-icmp from $if_srv to any keep state

# tag packets per network
pass in on $if_int proto tcp from { $net4_int, $net6_int } tag INT_INET
pass in on $if_int proto udp from { $net4_int, $net6_int } tag INT_INET keep state
pass in on $if_int inet proto icmp from $net4_int icmp-type $icmp_types tag INT_INET keep state
pass in on $if_int inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv proto udp from { $net4_srv, $net6_srv } tag SRV_INET keep state
pass in on $if_srv inet proto icmp from $net4_srv icmp-type $icmp_types tag SRV_INET keep state
pass in on $if_srv inet6 proto ipv6-icmp tag SRV_INET keep state

# policy enforcement
# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT
# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET
# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET

Axton Grams
Xeito Novo - Celtic Folk and Dances of Galicia - 19/11 ND Ateneo
Saturday 19 November - 21:00 hs
ND/ATENEO, Paraguay 918, Ciudad de Buenos Aires
Tickets on sale through Plateanet (www.plateanet.com) or at the theatre: 4328-2888

This show, in which the modern and the traditional sides of this endearing culture coexist, has already been a classic for 27 consecutive years within the rich cultural offering of Buenos Aires. In the first part of the show, Xeito Novo, our country's reference Celtic folk music group, offers a musical look at the harmonies of the Celtic world (Galicia, Ireland, Scotland, Wales and French Brittany), with the exquisite and original approach captured over its long career in several albums and countless concerts throughout our country, Latin America and Europe. In the second part, the more earthly sounds of Galician popular music and its traditional dances take the stage, performed by the Traditional Dance company of the Fundación Xeito Novo de Cultura Gallega. Muiñeiras, Jotas, Gaitas and Panderetas crown a multicoloured show that is an imaginary journey through rural and seafaring Galicia, through its dances, its music and its popular songs.

Galiza Sempre is the annual gala held by the Fundación Xeito Novo de Cultura Gallega, reflecting the work done throughout the year in Celtic folk music, traditional melodies and traditional dances. The show generally consists of two parts; it opens with the performance of the Celtic folk group Xeito Novo, which materialises the musical fusion produced by combining traditional melodies from the Celtic world, in which traditional instruments merge with contemporary harmonies and instruments, achieving the very particular colour that identifies the 27 years of work of this great band.

In the second part, the traditional music and dance group recreates the essence of Galicia's popular traditions through choreographies and music, preserving with absolute fidelity the characteristics of these ancient artistic expressions. It is a work carried out with great ethnographic rigour, which immerses us in one of the cultures most thoroughly assimilated by the migratory currents that settled in our country. Thanks to this, the audience can enjoy a show full of sensations that recreate a festive atmosphere as it would have been lived in any Galician village. Over its editions, Galiza Sempre has featured renowned artists such as León Gieco, Lito Vitale, Chango Spasiuk and Marcelo Torres, among others.

Fundación Xeito Novo de Cultura Gallega
Av Independencia 1722, Ciudad de Buenos Aires
i...@xeitonovo.org.ar
Tel: 4382-2638/4942-5848/4384-8587
Noticias RSS www.xeitonovo.org.ar

Note: under decree s1618 title 3, approved by the 105th congress on standardisation of international regulations, this e-mail cannot be considered SPAM as long as it includes a way to be removed. If you do not want to receive more information, reply to this mail to i...@xeitonovo.org.ar with the word REMOVER in the subject.
Re: Packet Tagging issues with NAT in pf OBSD 4.9
Hello Axton...cool name by the way. I noticed the match statements work for me as well. Perhaps it is required?

From: Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 2:06 PM
To: Bentley, Dain
Cc: Stuart Henderson; misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain dbent...@nas.edu wrote:

Hello Stuart and thanks for your reply. It still doesn't help; this seems to work but I'm not sure if this is a good config:

    # NAT RULES
    match out on $ext tagged LAN nat-to ($ext)

    # BLOCKING AND PACKET TAGGING
    pass in on $int from $int_net tag LAN
    #pass in on $int tag LAN
    block out on $ext from any to any
    pass out quick on $ext tagged LAN

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart Henderson [s...@spacehopper.org]
Sent: Thursday, November 03, 2011 6:53 AM
To: misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

you aren't using tagging in your sample.

On 2011-11-03, Wesley M. open...@e-solutions.re wrote:

Hi, try this sample

    _int = re0
    _ext = fxp1
    int_net = 192.168.200.0/24

    set block-policy drop
    set skip on lo

    match in all scrub (no-df max-mss 1440)
    match out on $_ext inet from $int_net to any nat-to (egress)

    block log all
    pass in on $_int inet proto udp from $int_net to any port domain
    pass in on $_int inet proto tcp from $int_net to any port \
        { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
    pass out on $_ext inet proto tcp all
    pass out on $_ext inet proto udp all

All the best, Wesley MOUEDINE ASSABY.

    _int = re0
    _ext = fxp1
    int_net = 192.168.200.0/24

    pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
    pass in on $_int from $int_net tag LAN_TO_INET
    ..
    pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)

Any reason why at the bottom of my .conf file, where nat-to is in my quick rule, it would work, but when it's at the first filter rule it does not? I've read over the man page and have the Book of PF v.2 and still am confused. Any thought is greatly appreciated.

Regards, Dain

I use something like this. The ruleset has been modified before posting, so no guarantees that I didn't mess something up.

    # interfaces
    if_lo=lo
    if_enc=enc0
    if_gif=gif0
    if_ext=vlan3
    if_int=vlan20
    if_srv=vlan40

    # interface ip's
    ip4_int=10.0.0.1
    ip6_int=2001:::20::10
    ip4_srv=10.0.20.1
    ip6_srv=2001:::40::10

    # networks
    net4_int=10.0.0.0/22
    net6_int=2001:::20::/64
    net4_srv=10.0.20.0/22
    net6_srv=2001:::40::/64

    # other macros
    icmp_types=echoreq

    # default policy
    block log all

    # TRANSLATION
    match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext) static-port
    match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

    # allow router access to all nets (ipv4)
    pass out on $if_ext proto tcp from $if_ext to any
    pass out on $if_ext proto udp from $if_ext to any keep state
    pass out on $if_ext inet proto icmp from $if_ext to any keep state
    pass out on $if_int proto tcp from $if_int to any
    pass out on $if_int proto udp from $if_int to any keep state
    pass out on $if_int inet proto icmp from $if_int to any keep state
    pass out on $if_int inet6 proto ipv6-icmp from $if_int to any keep state
    pass out on $if_srv proto tcp from $if_srv to any
    pass out on $if_srv proto udp from $if_srv to any keep state
    pass out on $if_srv inet proto icmp from $if_srv to any keep state
    pass out on $if_srv inet6 proto ipv6-icmp from $if_srv to any keep state

    # tag packets per network
    pass in on $if_int proto tcp from { $net4_int, $net6_int } tag INT_INET
    pass in on $if_int proto udp from { $net4_int, $net6_int } tag INT_INET keep state
    pass in on $if_int inet proto icmp from $net4_int icmp-type $icmp_types tag INT_INET keep state
    pass in on $if_int inet6 proto ipv6-icmp tag INT_INET keep state
    pass in on $if_srv proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
    pass in on $if_srv proto udp from { $net4_srv, $net6_srv } tag SRV_INET keep state
    pass in on $if_srv inet proto icmp from $net4_srv icmp-type $icmp_types tag SRV_INET keep state
    pass in on $if_srv inet6 proto ipv6-icmp tag SRV_INET keep state

    # policy enforcement
    # networks to internet (ipv4)
    pass out quick on $if_ext tagged INT_INET_NAT
    pass out quick on $if_ext tagged SRV_INET_NAT
    # internal network to other networks (ipv4)
    pass out quick on $if_srv tagged INT_INET
    # server networks to other networks (ipv4)
    pass out quick on $if_int tagged SRV_INET

Axton Grams
Re: Packet Tagging issues with NAT in pf OBSD 4.9
On Thu, Nov 3, 2011 at 1:33 PM, Bentley, Dain dbent...@nas.edu wrote:

Hello Axton...cool name by the way. I noticed the match statements work for me as well. Perhaps it is required?

This changed with 4.7: http://openbsd.org/faq/upgrade47.html#newPFnat

More details available here: http://marc.info/?l=openbsd-misc&m=125181847818600&w=2

It may be that the FAQ you used is out of date. What FAQ page were you looking at while setting this up?

Axton Grams
Re: post-Altq
Quoting Wesley M. open...@e-solutions.re:

Hi, What about post-ALTQ? See here: http://bsdly.blogspot.com/2011/07/anticipating-post-altq-world.html Does someone have any news about that?

You need to read undeadly.org: http://undeadly.org/cgi?action=article&sid=20111027082217&mode=expanded&count=5

Cheers, Wesley.
Re: Packet Tagging issues with NAT in pf OBSD 4.9
http://www.openbsd.org/faq/pf/tagging.html

From: Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 2:51 PM
To: Bentley, Dain
Cc: Stuart Henderson; misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

On Thu, Nov 3, 2011 at 1:33 PM, Bentley, Dain dbent...@nas.edu wrote:

Hello Axton...cool name by the way. I noticed the match statements work for me as well. Perhaps it is required?

This changed with 4.7: http://openbsd.org/faq/upgrade47.html#newPFnat

More details available here: http://marc.info/?l=openbsd-misc&m=125181847818600&w=2

It may be that the FAQ you used is out of date. What FAQ page were you looking at while setting this up?

Axton Grams
Has any one had any problem with install50.iso?
Hi there

I have done some testing with install50.iso and USB stick installations. Yesterday I had problems with corrupt packages like xetc50.tgz and others, and I wanted to debug what happened, but today everything works perfectly. I haven't changed any scripts that I'm using, and the only unknown factor is install50.iso, which I downloaded several times yesterday and several times today. I don't have yesterday's downloaded iso stored, but I'm starting to think that the iso was corrupt. I was using ftp.eu.openbsd.org.

Has anyone else experienced any problem with install50.iso? I don't like loose ends =(

Best regards
Johan
Re: Has any one had any problem with install50.iso?
Hi Johan, Have you checked the SHA256 sig with the iso? They can be found here: http://ftp.openbsd.org/pub/OpenBSD/5.0/arch/SHA256 If you don't have an OpenBSD installation already running to use the sha256 command, you can pick up tools over on sourceforge http://md5deep.sourceforge.net/ that can help you out with whatever platform you are running. Cheers, Jason. -- Roads? Where we're going, we don't need roads - Dr. Emmett Doc Brown
Re: Has any one had any problem with install50.iso?
On 11/03/11 17:02, Johan Ryberg wrote:

Hi there. I have done some testing with install50.iso and USB stick installations. Yesterday I had problems with corrupt packages like xetc50.tgz and others, and I wanted to debug what happened, but today everything works perfectly.

_corrupt_, or checksum mismatches? HUGE difference.

I haven't changed any scripts that I'm using, and the only unknown factor is install50.iso, which I downloaded several times yesterday and several times today. I don't have yesterday's downloaded iso stored, but I'm starting to think that the iso was corrupt. I was using ftp.eu.openbsd.org. Has anyone else experienced any problem with install50.iso? I don't like loose ends =(

neither do I. :)

Unfortunately, you are very short on details. Any good OpenBSD mirror will have about 18 files with the name install50.iso. Some (half!) of them should be absolutely perfect. The other half will be likely to have checksum mismatches ('specially in things like the X file sets), and are also prone to changes on the fly, which may result in interesting issues, as they may be updated once a day (or more. or less).

So, what you are reporting is either a big problem, or a non-issue. Probably not both. Maybe a random network glitch.

Nick.
Patch for FAQ - PF: Packet Tagging (Policy Filtering) - New NAT Syntax
This is a patch to update the FAQ at http://www.openbsd.org/faq/pf/tagging.html with the nat syntax changes introduced in 4.7 (http://openbsd.org/faq/upgrade47.html#newPFnat): $ diff -ub tagging.html.bak tagging.html --- tagging.html.bak2011-11-03 17:40:01.596053714 -0500 +++ tagging.html2011-11-03 17:47:07.696539268 -0500 @@ -199,7 +199,7 @@ blockquote tt block allbr -pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br +match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br pass in on $int_if from $int_net tag LAN_INETbr pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZbr @@ -256,7 +256,7 @@ # classification -- classify packets based on the defined firewall # policy. block all -pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br +match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br pass in on $int_if from $int_net tag LAN_INETbr pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ There is a rule on the page that may also require changes: pass in on $ext_if proto tcp from spamd to port smtp \ tag SPAMD rdr-to 127.0.0.1 port 8025 I'm not familiar enough with rdr-to to know if this requires changes. Based on my reading it does not appear to require a change, but someone needs to check me on this. Axton Grams
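Review bot: In the first hunk (@@ -199,7), turning `pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)` into a `match out` rule removes the rule's pass effect: a match rule applies the tag and the nat-to translation as soon as it matches, but never passes the packet by itself, so with the `block all` shown two lines above it the packet still depends on a later `pass out ... tagged LAN_INET_NAT` rule on $ext_if. Check that the FAQ's prose around this example block still reads correctly once the rule is described as classification/translation rather than as the rule that passes the traffic.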
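Review bot: The second hunk (@@ -256,7) makes the same pass-to-match change under the `# classification` comment, but the message leaves the `pass in on $ext_if proto tcp from spamd to port smtp tag SPAMD rdr-to 127.0.0.1 port 8025` rule on the same page untouched, so the updated FAQ will show nat-to on a match rule and rdr-to on a pass rule without explaining the difference. Either convert the spamd rule in the same patch or add a sentence next to this block stating why it may stay as a pass rule, so a reader does not take the inconsistency as a requirement of the 4.7 syntax.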
Re: Has any one had any problem with install50.iso?
The problem was on my side. I found the problem in the building scripts. Thanks anyway.

Regards
Johan

Den 3 nov 2011 23:45 skrev Nick Holland n...@holland-consulting.net:

On 11/03/11 17:02, Johan Ryberg wrote:

Hi there. I have done some testing with install50.iso and USB stick installations. Yesterday I had problems with corrupt packages like xetc50.tgz and others, and I wanted to debug what happened, but today everything works perfectly.

_corrupt_, or checksum mismatches? HUGE difference.

I haven't changed any scripts that I'm using, and the only unknown factor is install50.iso, which I downloaded several times yesterday and several times today. I don't have yesterday's downloaded iso stored, but I'm starting to think that the iso was corrupt. I was using ftp.eu.openbsd.org. Has anyone else experienced any problem with install50.iso? I don't like loose ends =(

neither do I. :)

Unfortunately, you are very short on details. Any good OpenBSD mirror will have about 18 files with the name install50.iso. Some (half!) of them should be absolutely perfect. The other half will be likely to have checksum mismatches ('specially in things like the X file sets), and are also prone to changes on the fly, which may result in interesting issues, as they may be updated once a day (or more. or less).

So, what you are reporting is either a big problem, or a non-issue. Probably not both. Maybe a random network glitch.

Nick.
symon monitor pf?
symon monitor pf? http://wpd.home.xs4all.nl/symon/documentation.html

Installation notes
== Privileges ==
symux needs read and write access to its rrdfiles. symon needs to interface with your kernel. Depending on your host system this leads to different privilege requirements:
OpenBSD:
- no privs: cpu, debug, df, if, io, mbuf, mem, proc, sensor
- rw on /dev/pf for pf

Now I want to monitor pf, so we must grant the user (_symon) rw privileges on /dev/pf? Why does it need write privilege? Would read privilege alone work? Can you suggest a workaround?