Re: limit ftp download

[Camiel Dobbelaar]

On 3-11-2011 6:07, Wesley M. wrote:
 I suppose it is because traffic are redirect to 127.0.0.1 (ftpproxy)
 
 sample of my pf.conf:
 ...
 anchor ftp-proxy/*
 pass in on $lan inet proto tcp from $limithost \
 to port 21 divert-to 127.0.0.1 port 8021 queue ilimit
 ...
 
 Is there a way to solve this problem?

ftp-proxy has a '-q' option to set a queue.

Re: Updating plus.html

[Brett]

I've worked with Janne and some stuff are almost but not yet
published (to week
#26, the beginning of c2k11 for 5.0, and week #33 and #34 of
current). I've done some work I could submit soon to Janne
with weeks
#35, #36 and #37. Let me know if it's needed.
  
   Please submit, if you have already done the work!
 
 Sure, I'll send them as usual to Janne Johansson within a week. You
 really should contact him about plus.html. I forgot to Cc him on my
 last message, done now.
 

Hi Janne,
Are you co-ordinating and/or working on plus.html? If not, let me
know and I will startup from where the others have left off (once its
submitted). If yes, shoot me an email if you want me to do some of it.
Cheers,
Brett. 

Re: limit ftp download

[Stuart Henderson]

On 2011-11-03, Wesley M. open...@e-solutions.re wrote:

 I'm using OpenBSD 5.0 
 I'm testing traffic shapping using altq. 
 I can limit a user (his Ip address) to a 160Kb/s, it works great.
 But when this user try to download a file using ftp, he downloads it at
 1024Kb/s. 

 I suppose it is because traffic are redirect to 127.0.0.1 (ftpproxy)

 sample of my pf.conf:
 ...
 anchor ftp-proxy/*
 pass in on $lan inet proto tcp from $limithost \
 to port 21 divert-to 127.0.0.1 port 8021 queue ilimit
 ...

 Is there a way to solve this problem?

for the simple case, -q as Camiel suggested.

 I want also that the others can download on ftp at full speed*

for this second requirement you can use -T to tag the data connections,
and have separate pass rules, one for $limithost with the queue, and
one for normal hosts.

Re: limit ftp download

[Wesley M.]

Thank you for your reply.
I read the man page of ftp-proxy.
There's an option like you said, -q queue.
But in my way, i have 2 queue : ilimit and istd
ilimit : bandwidth - 20Ko/s
istd : bandwidth - 128 Ko/s

So i just modified to my /etc/rc.conf.local :
ftpproxy_flags= to ftpproxyflags=-q ilimit
Restart the box.

Now, when this limited user download files using ftp, it downloads at
20Ko/s.
But the others download also at 20Ko/s ; How can i fix the others to
download files at 128 Ko/s ?
How can i have 2 ftp stream like one 20Ko/s and 128 Ko/s ?

Thank you very much for your help.

Wesley.

On Thu, 03 Nov 2011 07:04:04 +0100, Camiel Dobbelaar c...@sentia.nl wrote:
 On 3-11-2011 6:07, Wesley M. wrote:
 I suppose it is because traffic are redirect to 127.0.0.1 (ftpproxy)
 
 sample of my pf.conf:
 ...
 anchor ftp-proxy/*
 pass in on $lan inet proto tcp from $limithost \
 to port 21 divert-to 127.0.0.1 port 8021 queue ilimit
 ...
 
 Is there a way to solve this problem?
 
 ftp-proxy has a '-q' option to set a queue.

Re: limit ftp download

[Camiel Dobbelaar]

On 3-11-2011 9:01, Wesley M. wrote:
 Thank you for your reply.
 I read the man page of ftp-proxy.
 There's an option like you said, -q queue.
 But in my way, i have 2 queue : ilimit and istd
 ilimit : bandwidth - 20Ko/s
 istd : bandwidth - 128 Ko/s
 
 So i just modified to my /etc/rc.conf.local :
 ftpproxy_flags= to ftpproxyflags=-q ilimit
 Restart the box.
 
 Now, when this limited user download files using ftp, it downloads at
 20Ko/s.
 But the others download also at 20Ko/s ; How can i fix the others to
 download files at 128 Ko/s ?
 How can i have 2 ftp stream like one 20Ko/s and 128 Ko/s ?

Run two ftp-proxies: one with the -q ilimit and one with the -q istd.

Then redirect the limited user to one proxy and the rest to the other.

Re: High interrupt rates after resume

[Leroy van Engelen]

On Tue, Nov 1, 2011 at 10:12 AM, Alexander Polakov polac...@gmail.com
wrote:
 * Leroy van Engelen leroy.vanenge...@gmail.com [111019 19:07]:
 This was also seen on a macbook by Jan Stary:
 http://marc.info/?l=openbsd-miscm=131213545109050w=2

 And on my Samsung N210:
 http://marc.info/?l=openbsd-miscm=131193104030288w=2

 I still have this problem, and ran out of options to investigate. The
funny
 thing is that, just like the MacBook case above, the high interrupt load
 goes away every other suspend/resume. Do you see this as well?  It seems
 like a clue, but I have no idea where to begin investigating, except for
the
 ipi code you wrote the diff for.


 Hi,
 mikeb@ just committed a diff for ppb which solves the problem for me.
 Is it the case for you?

Yes, the high interrupt load is gone!

However, right after booting the new kernel I saw some weird
behaviour. Before rebooting, suddenly my laptop would not resume
anymore (can't be related to the fix, but still weird) and I had to
use the power switch for a reboot.

Then I booted the new kernel, and during boot the system started to
fsck the root partition. When the check for the next partition
started, it suddonly suspended and when resumed, it would continue for
a couple of seconds and resume again. Then, I rebooted the old kernel,
let fsck finish without problems and rebooted into the new kernel
again. I haven't had the change to test the stability further. If I
find out more, I'll post the results.

Just out of curiosity, what was the problem and how did you debug it?

Bye,

-Leroy

Packet Tagging issues with NAT in pf OBSD 4.9

[Bentley, Dain]

Hello all,

I recently stood up an OpenBSD server to replace and older ASA.  I read the
faq and was interested in the packet tagging aspect because I have a DMZ and
it makes the rule set seem more readable to my brain..

In any case I have the following taken from the PF faqs on the OpenBSD
website...


_int = re0
_ext = fxp1
int_net = 192.168.200.0/24
pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
pass in on $_int from $int_net tag LAN_TO_INET

..



pass out quick on $_ext tagged LAN_NAT_TO_INET





I've obviously changed around some of the macros and there are other rules
(although commented out at this time until I get get LAN conenctivity) but it
doesn't work.



Interestingly enough this does:


_int = re0
_ext = fxp1
int_net = 192.168.200.0/24

pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
pass in on $_int from $int_net tag LAN_TO_INET

..

pass out quick on $_ext tagged LAN_NAT_TO_INET  nat-to ($_ext)



Any reason why at the bottom of my .conf file where nat-to is in my quick
rule it would work but when it's at the first filter rule it does not?  I've
read over the man page and have the book of pf v.2 and still am confused.  Any
tought is greatly appreciated.



Regards,

Dain

Re: how to gain high performance with big memory

[Bentley, Dain]

Take a look at this:
http://www.packetmischief.ca/openbsd-compact-flash-firewall/
http://blog.spoofed.org/2007/12/openbsd-on-soekris-cheaters-guide.html


It's about installing on a flash card but how to mount filesystems to memory
is in there.

___t_
From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of f5b
[f...@163.com]
Sent: Wednesday, November 02, 2011 11:32 PM
To: misc@openbsd.org
Subject: how to gain high performance with big memory

how to gain high performance with big memory

amd64 ,OpenBSD 5.0 Release,
machine has big memory = 48G


for example,how to mount memory for /usr/ports file system, letting make
build more quickly.
other suggestion? how to tune sysctl.conf file according?

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Wesley M.]

Hi, try this sample

_int = re0
_ext = fxp1
int_net = 192.168.200.0/24
set block-policy drop
set skip on lo
match in all scrub (no-df max-mss 1440)
match out on $_ext inet from $int_net to any nat-to (egress)
block log all
pass in on $_int inet proto udp from $int_net to any port domain
pass in on $_int inet proto tcp from $int_net to any port \
{ www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
pass out on $_ext inet proto tcp all
pass out on $_ext inet proto udp all


All the best,

Wesley MOUEDINE ASSABY.


 _int = re0
 _ext = fxp1
 int_net = 192.168.200.0/24
 
 pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
 pass in on $_int from $int_net tag LAN_TO_INET
 
 ..
 
 pass out quick on $_ext tagged LAN_NAT_TO_INET  nat-to ($_ext)
 
 
 
 Any reason why at the bottom of my .conf file where nat-to is in my
quick
 rule it would work but when it's at the first filter rule it does not? 
 I've
 read over the man page and have the book of pf v.2 and still am
confused. 
 Any
 tought is greatly appreciated.
 
 
 
 Regards,
 
 Dain

Re: Updating plus.html

[Kristaps Dzonsons]

That said, i don't think having individual developers provide
plus.html entries in addition to commit messages would work -
additional workload, lack of uniform style, and lack of a big
picture pespective.  So it has to be done by one person, or by
a small team.  The ideal person to do it would know all the
technical internals of all parts of the system, have huge
experience in using the system, but be completely unwilling
or unable to write any code in there first place, to not be
distracted from writing and committing code improvements.
Oh well, what a contradictory job ad...  :)

Even if what you are doing is not perfect, having a least something,
in a consistent style and with regular updates, is certainly a
huge improvement, compared to letting plus.html die.


.Dd $Mdocdate$
.Dt PLUS49 7
.Os
.Sh NAME
.Nm plus49
.Nd major changes for OpenBSD 4.9
.Sh DESCRIPTION
This is a partial list of the major machine-independent changes (i.e., 
these are the changes people ask about most often).
Machine specific changes have also been made, and are sometimes 
mentioned in the pages for the specific platforms.

.Bl -enum
.It
Introduced a dummy function in
.Xr ifconfig 8
if SMALL is defined to digest arguments like rdomain, description, 
etc. so that the

.Xr ifconfig 8
on RAMDISK is able to parse
.Xr hostname.if 5
files on updates.
.\ ...

(ducks)

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Bentley, Dain]

Hi, thanks for replying

I was looking to use packet tagging though.





-Original Message-

From: Wesley M. [mailto:open...@e-solutions.re] 

Sent: Thursday, November 03, 2011 6:20 AM

To: Bentley, Dain

Cc: misc@openbsd.org

Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9



Hi, try this sample



_int = re0

_ext = fxp1

int_net = 192.168.200.0/24

set block-policy drop

set skip on lo

match in all scrub (no-df max-mss 1440)

match out on $_ext inet from $int_net to any nat-to (egress) block log all pass 
in on $_int inet proto udp from $int_net to any port domain pass in on $_int 
inet proto tcp from $int_net to any port \

{ www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps } pass 
out on $_ext inet proto tcp all pass out on $_ext inet proto udp all





All the best,



Wesley MOUEDINE ASSABY.





 _int = re0

 _ext = fxp1

 int_net = 192.168.200.0/24

 

 pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET pass in on 

 $_int from $int_net tag LAN_TO_INET

 

 ..

 

 pass out quick on $_ext tagged LAN_NAT_TO_INET  nat-to ($_ext)

 

 

 

 Any reason why at the bottom of my .conf file where nat-to is in my

quick

 rule it would work but when it's at the first filter rule it does not? 

 I've

 read over the man page and have the book of pf v.2 and still am

confused. 

 Any

 tought is greatly appreciated.

 

 

 

 Regards,

 

 Dain

Re: Updating plus.html

[Gilles Chehade]

On Thu, Nov 03, 2011 at 11:42:55AM +0100, Kristaps Dzonsons wrote:

 [...]
 
 (ducks)
 

_  _  _  _  _  
  ('),  ('),  ('),  ('),  (') ___, 
(` =~~/(` =~~/(` =~~/(` =~~/(` =~~/ 
 jgs ~^~^`---'~^~^~^`---'~^~^~^`---'~^~^~^`---'~^~^~^`---'~^~^~


No need to thank me ;-)

-- 
Gilles Chehade

http://www.poolp.org/http://u.poolp.org/~gilles/

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Stuart Henderson]

On 2011-11-03, Bentley, Dain dbent...@nas.edu wrote:
 Hello all,

 I recently stood up an OpenBSD server to replace and older ASA.  I read the
 faq and was interested in the packet tagging aspect because I have a DMZ and
 it makes the rule set seem more readable to my brain..

 In any case I have the following taken from the PF faqs on the OpenBSD
 website...

There are quite possibly some remaining glitches in the FAQ after
converting the translation rules over to using nat-to.

 _int = re0
 _ext = fxp1
 int_net = 192.168.200.0/24
 pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
 pass in on $_int from $int_net tag LAN_TO_INET

 ..

 pass out quick on $_ext tagged LAN_NAT_TO_INET

Packets are tagged as the ruleset is traversed, so at the time
the nat-to rule is handled, the packet has not yet been tagged
(this also explains why your alternative config file does work).

Try reversing the rules:

 pass in on $_int from $int_net tag LAN_TO_INET
 pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
..
 pass out quick on $_ext tagged LAN_NAT_TO_INET

Let me know if this helps and I'll swap them in the faq.

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Stuart Henderson]

you aren't using tagging in your sample.

On 2011-11-03, Wesley M. open...@e-solutions.re wrote:
 Hi, try this sample

 _int = re0
 _ext = fxp1
 int_net = 192.168.200.0/24
 set block-policy drop
 set skip on lo
 match in all scrub (no-df max-mss 1440)
 match out on $_ext inet from $int_net to any nat-to (egress)
 block log all
 pass in on $_int inet proto udp from $int_net to any port domain
 pass in on $_int inet proto tcp from $int_net to any port \
 { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
 pass out on $_ext inet proto tcp all
 pass out on $_ext inet proto udp all


 All the best,

 Wesley MOUEDINE ASSABY.


 _int = re0
 _ext = fxp1
 int_net = 192.168.200.0/24
 
 pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
 pass in on $_int from $int_net tag LAN_TO_INET
 
 ..
 
 pass out quick on $_ext tagged LAN_NAT_TO_INET  nat-to ($_ext)
 
 
 
 Any reason why at the bottom of my .conf file where nat-to is in my
 quick
 rule it would work but when it's at the first filter rule it does not? 
 I've
 read over the man page and have the book of pf v.2 and still am
 confused. 
 Any
 tought is greatly appreciated.
 
 
 
 Regards,
 
 Dain

Re: www/faq/index.html mentioning 4.9

[Stuart Henderson]

committed, thank you.

On 2011-11-03, Mike Putnam m...@theputnams.net wrote:
 Noticed by wepy in #openbsd on freenode.

 21:21  wepy http://www.openbsd.org/faq/index.html -- says installation 
 guide is for 4.9, but links to 5.0

 Mike




 Index: www/faq/index.html
===
 RCS file: /cvs/www/faq/index.html,v
 retrieving revision 1.342
 diff -u -r1.342 index.html
 --- www/faq/index.html  1 Nov 2011 11:59:22 -   1.342
 +++ www/faq/index.html  3 Nov 2011 03:24:38 -
 @@ -112,7 +112,7 @@
 lia href=faq1.html#Next1.7 - When is the next release
  of OpenBSD?/a
 lia href=faq1.html#Included1.8 - What is included with OpenBSD?/a
 -lia href=faq1.html#WhatsNew1.9 - What is new in OpenBSD 4.9?/a
 +lia href=faq1.html#WhatsNew1.9 - What is new in OpenBSD 5.0?/a
 lia href=faq1.html#Desktop 1.10 - Can I use OpenBSD as a desktop
  system?/a
 lia href=faq1.html#HowAbout1.11 - Why is/isn't ProductX 
 included?/a
 @@ -137,7 +137,7 @@
 to learn OpenBSD on?/a
 /ul

 -h3a href=faq4.html4 - OpenBSD 4.9 Installation Guide/a/h3
 +h3a href=faq4.html4 - OpenBSD 5.0 Installation Guide/a/h3
 ul
 lia href=faq4.html#Overview4.1 - Overview of the OpenBSD
  installation procedure/a

Flashboot for OpenBSD 5.0 is now available

[Johan Ryberg]

Hi

Flashboot is a small infrastructure to build minimal OpenBSD
installations suitable for booting of flash and USB devices originally
by Damien Miller. Flashboot his is derived from the scripts and tools
used to build the OpenBSD installation media and has evolved over the
years.

You will found Flashboot at Github: https://github.com/openbsd/flashboot

We need people to test some of the builds for example WRAP12 and
PCENGINES kernel. If you don't want to build by our self there is a
full set of images ready to put on a USB memory stick or Flash card
media.

Best regards Flashboot team

Re: limit ftp download

[Wesley M.]

I tried this :
added a second ftpproxy_flags in my /etc/rc.conf.local

So in the file, we have :
ftpproxy_flags=-q ilimit # Listen by default on 8021
ftpproxy_flags=-q istd # 

It doesn't work, it use the last line in /etc/rc.conf.local : istd queue
I suppose that it doesn't listen on the same port 8021 for 2 queue.

So i try this, add this line to /etc/rc.local :
ftpproxy_flags=-q istd -p8022
And in my /etc/rc.conf.local :
ftpproxy_flags=-q ilimit
Restart the box, and do : netstat -anf inet
Listen on 127.0.0.1:8021 and 127.0.0.1:8022, seem to work
But the limit user download now 10Ko/s instead of 20Ko/s.

I think, it is not the right way to do it.
Is there someone who have a sample ? using -T option for ftp-proxy ?
Thank you very much.

Wesley.

 On Thu, 03 Nov 2011 09:02:32 +0100, Camiel Dobbelaar c...@sentia.nl
wrote:

 Run two ftp-proxies: one with the -q ilimit and one with the -q istd.
 
 Then redirect the limited user to one proxy and the rest to the other.

Re: limit ftp download

[Camiel Dobbelaar]

You can only start one ftp-proxy with rc.conf.

Just start the other one like this in /etc/rc.local (example from my own
system, where I bind them to other addresses, you just need the -q and
the -p):


# Add your local startup actions here.

echo -n ' ftp-proxy'
/usr/sbin/ftp-proxy -D6 -a Y -p 8022 -r
/usr/sbin/ftp-proxy -D6 -a Z -p 8023 -r


On 3-11-2011 12:23, Wesley M. wrote:
 I tried this :
 added a second ftpproxy_flags in my /etc/rc.conf.local
 
 So in the file, we have :
 ftpproxy_flags=-q ilimit # Listen by default on 8021
 ftpproxy_flags=-q istd # 
 
 It doesn't work, it use the last line in /etc/rc.conf.local : istd queue
 I suppose that it doesn't listen on the same port 8021 for 2 queue.
 
 So i try this, add this line to /etc/rc.local :
 ftpproxy_flags=-q istd -p8022
 And in my /etc/rc.conf.local :
 ftpproxy_flags=-q ilimit
 Restart the box, and do : netstat -anf inet
 Listen on 127.0.0.1:8021 and 127.0.0.1:8022, seem to work
 But the limit user download now 10Ko/s instead of 20Ko/s.
 
 I think, it is not the right way to do it.
 Is there someone who have a sample ? using -T option for ftp-proxy ?
 Thank you very much.
 
 Wesley.
 
 On Thu, 03 Nov 2011 09:02:32 +0100, Camiel Dobbelaar c...@sentia.nl
 wrote:
 
 Run two ftp-proxies: one with the -q ilimit and one with the -q istd.

 Then redirect the limited user to one proxy and the rest to the other.

Re: how to gain high performance with big memory

[J Sisson]

On Thu, Nov 3, 2011 at 4:24 AM, Bentley, Dain dbent...@nas.edu wrote:

 Take a look at this:
 http://www.packetmischief.ca/openbsd-compact-flash-firewall/
 http://blog.spoofed.org/2007/12/openbsd-on-soekris-cheaters-guide.html


Why send people to third party documentation that won't be properly
maintained over time?

What can you learn there with regards to memory filesystems that
man mount_mfs doesn't cover?

Re: traffic shaping in OpenBSD

[Duncan Patton a Campbell]

On Tue, 1 Nov 2011 08:55:07 -0400
Nico Kadel-Garcia nka...@gmail.com wrote:

 On Tue, Nov 1, 2011 at 4:10 AM, Gregory Edigarov
 g...@bestnet.kharkov.ua wrote:
  On Tue, 1 Nov 2011 08:53:46 +0100
  Bret S. Lambert bret.lamb...@gmail.com wrote:
 
  On Tue, Nov 01, 2011 at 09:47:35AM +0200, Gregory Edigarov wrote:
   On Tue, 1 Nov 2011 11:17:56 +0400
   ZZ Wave zzw...@gmail.com wrote:
  
What solution should be used for traffic shaping on real-life,
production gateways with tens and hundreds users? PF queues
seem to be too userspace-ish and CPU consuming.
  
   Pardon?
   What do you mean userspace-ish ?
 
  I believe he wants to communicate with the kernel with the power of
  his mind.
  Where's my brain implant? ;-)
 
 Hold still. (I actually used to design electronics for those: they
 used a *BIG* and wonderfully frightening drill.)
 

Implants seem so, er, unsanitary.  Seems to me 
something like yer basic tinfoil hat would a 
more elegant approach ... 

Dhu

Full ruleset Packet filter OpenBSD 5.0

[Wesley M.]

Hi, 

See here : 

http://mouedine.net/ruleset49.aspx 

(with divert/tag
use) 

All the best, 

Wesley MOUEDINE ASSABY 

Re: Flashboot for OpenBSD 5.0 is now available

[Michel Blais]

Would be awsome if the're was support for embedded board MIPS processor.

Le 2011-11-03 07:17, Johan Ryberg a icrit :

Hi

Flashboot is a small infrastructure to build minimal OpenBSD
installations suitable for booting of flash and USB devices originally
by Damien Miller. Flashboot his is derived from the scripts and tools
used to build the OpenBSD installation media and has evolved over the
years.

You will found Flashboot at Github: https://github.com/openbsd/flashboot

We need people to test some of the builds for example WRAP12 and
PCENGINES kernel. If you don't want to build by our self there is a
full set of images ready to put on a USB memory stick or Flash card
media.

Best regards Flashboot team




--
Michel Blais
Administrateur riseau / Network administrator
Targo Communications
www.targo.ca
514-448-0773

Merhaba

[Musteri Hizmetleri]

Muyyuuytdfuucize 36 saat etkialsana bir oyuncakli Eralsana bir oyuncakkeklere
vzelCialsana bir oyuncakalalsana bir oyuncakisalsana bir oyuncak. ile
Mutlu ve Uzun s|reli ilialsana bir oyuncakşkiler Yaşamaya Merhaba 
deyin.Ciallxcxcis
Erksssxcxcsssiyon Haalsana bir oyuncakpı şimdi T|rkiye'de!; Analsana
bir oyuncakındalsana bir oyuncaka ereksiyalsana bir oyuncakon kuvalsana
bir oyuncakvetalsana bir oyuncaki verir.; Ealsana bisdfr oyuncakrkalsaxcna
bxcir oyuxcncaken balsxcana bir oyxcxcuncakoşalsana bir oyuncakalma soalsana
bir oyuncakrunu biter.; Dalsasdana bir oyussncakaha gok zevalssdana bixcr
oyxcvuncakk aldırır.; Dikalssana bir oyucncaklealssdana bir oyugdncakşme
ve salsxcanxca bir oyxcuxcncakertalsana bir oyuncakleşmeyi sağlar.; Palsadxxna
bir occyuncakaalsansda bir oyunsdcakrtneralsxcaxcna bir oyuxcncakinize
mutlalsana bir oyuncakuluk kazandırır.; ialsansda bir oyuncsdakktialsana
bir oyuncakdarsalssdana bir oyuncakızlığı giderir.; ilialssdana bir
oyuncakşkide kialssdana bir oyuncak stralsaxxccna bir oyuxcxcncakesi,
korkalsana bir oyuncakuyu ve tedirgalsana bir oyuncakinliği yok 
eder.Ayrıntılı
Bilgi ve Sipariş İgin Tıklayın

Bu e-posta igindir. Bu e-postayı 'dan e-postaları almak |zere kayıt
yaptırdığınız igin aldınız. Umarız bu mesajı yararlı bulmuşsunuzdur.
Fakat e-postalarını almak istemiyorsanız, buradan |yeliğinizi iptal edin.
E-posta tercihlerinizi g|ncellemek istiyorsanız, adresini ziyaret edin.

) 2011 ynga Inc., 414 24. Cadde, #363, San Francisco, California 94114
Gizlilik Politikası

Re: Has php-fpm been left out of OBSD 5.0 ?

[Chris Cappuccio]

yes you have to go to -current ports if you want php-fpm

keith [ke...@scott-land.net] wrote:
 Was planning on setting php-fpm up today on a new OpenBSD 5.0 box
 but can't find php-fpm. I though it was built in to php from version
 5.3.3 onwards but it doesn't seem to be. I am trying to setup a
 chrooted nginx and running php scripts as the websites user.
 
 Keith

-- 
There are only three sports: bullfighting, motor racing, and mountaineering; 
all the rest are merely games. - E. Hemingway

Re: Flashboot for OpenBSD 5.0 is now available

[Johan Ryberg]

Sorry but we can only support official hardware platforms but you are
right, it would be awesome =)

Best regards Johan

2011/11/3 Michel Blais mic...@targointernet.com:
 Would be awsome if the're was support for embedded board MIPS processor.

 Le 2011-11-03 07:17, Johan Ryberg a icrit :

 Hi

 Flashboot is a small infrastructure to build minimal OpenBSD
 installations suitable for booting of flash and USB devices originally
 by Damien Miller. Flashboot his is derived from the scripts and tools
 used to build the OpenBSD installation media and has evolved over the
 years.

 You will found Flashboot at Github: https://github.com/openbsd/flashboot

 We need people to test some of the builds for example WRAP12 and
 PCENGINES kernel. If you don't want to build by our self there is a
 full set of images ready to put on a USB memory stick or Flash card
 media.

 Best regards Flashboot team



 --
 Michel Blais
 Administrateur riseau / Network administrator
 Targo Communications
 www.targo.ca
 514-448-0773

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Bentley, Dain]

Hello Stuart and thanks for your reply.

It still doesn't help, this seems to work but I'm not sure if this is a good
config:

# NAT RULES
match out on $ext tagged LAN nat-to ($ext)

# BLOCKING AND PACKET TAGGING
pass in on $int from $int_net tag LAN
#pass in on $int tag LAN

block out on $ext from any to any

pass out quick on $ext tagged LAN


From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart
Henderson [s...@spacehopper.org]
Sent: Thursday, November 03, 2011 6:53 AM
To: misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

you aren't using tagging in your sample.

On 2011-11-03, Wesley M. open...@e-solutions.re wrote:
 Hi, try this sample

 _int = re0
 _ext = fxp1
 int_net = 192.168.200.0/24
 set block-policy drop
 set skip on lo
 match in all scrub (no-df max-mss 1440)
 match out on $_ext inet from $int_net to any nat-to (egress)
 block log all
 pass in on $_int inet proto udp from $int_net to any port domain
 pass in on $_int inet proto tcp from $int_net to any port \
 { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
 pass out on $_ext inet proto tcp all
 pass out on $_ext inet proto udp all


 All the best,

 Wesley MOUEDINE ASSABY.


 _int = re0
 _ext = fxp1
 int_net = 192.168.200.0/24

 pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
 pass in on $_int from $int_net tag LAN_TO_INET

 ..

 pass out quick on $_ext tagged LAN_NAT_TO_INET  nat-to ($_ext)



 Any reason why at the bottom of my .conf file where nat-to is in my
 quick
 rule it would work but when it's at the first filter rule it does not?
 I've
 read over the man page and have the book of pf v.2 and still am
 confused.
 Any
 tought is greatly appreciated.



 Regards,

 Dain

post-Altq

[Wesley M.]

Hi, 

What's about the post-Altq ? 

See here :
http://bsdly.blogspot.com/2011/07/anticipating-post-altq-world.html 

Does
someone have any news about that? 

Cheers, 

Wesley.

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Axton]

On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain dbent...@nas.edu wrote:

 Hello Stuart and thanks for your reply.

 It still doesn't help, this seems to work but I'm not sure if this is a
 good
 config:

 # NAT RULES
 match out on $ext tagged LAN nat-to ($ext)

 # BLOCKING AND PACKET TAGGING
 pass in on $int from $int_net tag LAN
 #pass in on $int tag LAN

 block out on $ext from any to any

 pass out quick on $ext tagged LAN

 
 From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart
 Henderson [s...@spacehopper.org]
 Sent: Thursday, November 03, 2011 6:53 AM
 To: misc@openbsd.org
 Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

 you aren't using tagging in your sample.

 On 2011-11-03, Wesley M. open...@e-solutions.re wrote:
  Hi, try this sample
 
  _int = re0
  _ext = fxp1
  int_net = 192.168.200.0/24
  set block-policy drop
  set skip on lo
  match in all scrub (no-df max-mss 1440)
  match out on $_ext inet from $int_net to any nat-to (egress)
  block log all
  pass in on $_int inet proto udp from $int_net to any port domain
  pass in on $_int inet proto tcp from $int_net to any port \
  { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
  pass out on $_ext inet proto tcp all
  pass out on $_ext inet proto udp all
 
 
  All the best,
 
  Wesley MOUEDINE ASSABY.
 
 
  _int = re0
  _ext = fxp1
  int_net = 192.168.200.0/24
 
  pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
  pass in on $_int from $int_net tag LAN_TO_INET
 
  ..
 
  pass out quick on $_ext tagged LAN_NAT_TO_INET  nat-to ($_ext)
 
 
 
  Any reason why at the bottom of my .conf file where nat-to is in my
  quick
  rule it would work but when it's at the first filter rule it does not?
  I've
  read over the man page and have the book of pf v.2 and still am
  confused.
  Any
  tought is greatly appreciated.
 
 
 
  Regards,
 
  Dain

 I use something like this.  The ruleset has been modified before posting,
so no guarantees that I didn't mess something up.

# interfaces
if_lo=lo
if_enc=enc0
if_gif=gif0
if_ext=vlan3
if_int=vlan20
if_srv=vlan40

# interface ip's
ip4_int=10.0.0.1
ip6_int=2001:::20::10
ip4_srv=10.0.20.1
ip6_srv=2001:::40::10

# networks
net4_int=10.0.0.0/22
net6_int=2001:::20::/64
net4_srv=10.0.20.0/22
net6_srv=2001:::40::/64

# other macros
icmp_types=echoreq

# default policy
block log all

# TRANSLATION
match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext)
static-port
match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

# allow router access to all nets (ipv4)
pass out on $if_ext  proto tcp from $if_ext to any
pass out on $if_ext  proto udp from $if_ext to any keep state
pass out on $if_ext  inet  proto icmp from $if_ext to any keep state
pass out on $if_int  proto tcp from $if_int to any
pass out on $if_int  proto udp from $if_int to any keep state
pass out on $if_int  inet  proto icmp from $if_int to any keep state
pass out on $if_int  inet6 proto ipv6-icmp from $if_int to any keep state
pass out on $if_srv  proto tcp from $if_srv to any
pass out on $if_srv  proto udp from $if_srv to any keep state
pass out on $if_srv  inet  proto icmp from $if_srv to any keep state
pass out on $if_srv  inet6 proto ipv6-icmp from $if_srv to any keep state

# tag packets per network
pass in on $if_int  proto tcp from { $net4_int, $net6_int } tag INT_INET
pass in on $if_int  proto udp from { $net4_int, $net6_int } tag INT_INET
keep state
pass in on $if_int  inet  proto icmp from $net4_int  icmp-type $icmp_types
tag INT_INET   keep state
pass in on $if_int  inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv  proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv  proto udp from { $net4_srv, $net6_srv } tag SRV_INET
keep state
pass in on $if_srv  inet  proto icmp from $net4_srv  icmp-type $icmp_types
tag SRV_INET keep state
pass in on $if_srv  inet6 proto ipv6-icmp tag SRV_INET keep state

# policy enforcement

# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT

# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET

# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET

Axton Grams

Xeito Novo - Folk Celta y Bailes de Galicia - 19/11 ND Ateneo

[Fundación Xeito novo de cultura Gallega]

Sabado 19 de Noviembre - 21:00 hs

ND/ATENEO

Paraguay 918  Ciudad de Buenos Aires

Entradas en venta por Plateanet (www.plateanet.com) o en el teatro:
4328-2888

Este espectaculo en el que conviven lo moderno y lo tradicional de esta
entraqable cultura, es ya un clasico de 27 aqos consecutivos, dentro de
la rica propuesta cultural de Buenos Aires.

En la primera parte del show, Xeito Novo, el grupo de Mzsica Folk Celta
referencial de nuestro pams, nos plantea una mirada musical de las
armonmas del Mundo Celta (Galicia, Irlanda, Escocia, Gales y la Bretaqa
Francesa), con su exquisita y original propuesta plasmada a lo largo de
su extensa trayectoria en varios trabajos discograficos e innumerables
conciertos por nuestro pams, Latinoamirica y Europa.

En tanto, en la segunda parte, se abren paso los sones mas terrenales de
la mzsica popular gallega y sus bailes tradicionales, a travis del cuerpo
de Bailes Tradicionales de la Fundacisn Xeito Novo de Cultura Gallega.

Muiqeiras Jotas Gaitas Panderetas coronaran un espectaculo multicolor
que es todo un viaje imaginario por la Galicia Campesina y Marinera, a
travis de sus danzas, su mzsica y sus cantos populares.

Galiza Sempre es la gala anual que realiza la Fundacisn Xeito Novo de
Cultura Gallega, en donde se refleja el trabajo realizado durante todo el
aqo en materia de mzsica folk celta, melodmas y bailes tradicionales.

El espectaculo consta generalmente de dos partes; comenzando con la
actuacisn del grupo folk celta Xeito Novo en donde se materializa la
fusisn musical producida por la combinacisn de melodmas tradicionales
provenientes del mundo celta, en la que los instrumentos tradicionales se
fusionan con armonmas e instrumentos contemporaneos, logrando un color
muy particular que identifica el trabajo de ya 27 aqos de esta gran
banda.

En la segunda parte, el grupo de mzsica y bailes tradicionales recrean la
esencia de las tradiciones populares de Galicia por medio de la
interpretacisn de coreografmas y mzsica, manteniendo con absoluta
fidelidad las caractermsticas de estas expresiones artmsticas
antiqumsimas. Un trabajo realizado con gran rigurosidad etnografica, que
nos metera de lleno en una de las culturas que mas se han asimilado, por
parte de las corrientes migratorias establecidas en nuestro pams.

Gracias a esto, se puede apreciar un espectaculo lleno de sensaciones que
recrean un ambiente festivo como se hubiese vivido en cualquier aldea
gallega.

A travis de sus ediciones, Galiza Sempre conts con la participacisn de
artistas destacados como Lesn Gieco, Lito Vitale, Chango Spasiuk, Marcelo
Torres, entre otros.

Fundacisn Xeito Novo de Cultura Gallega. Av Independencia 1722 Ciuidad de
Buenos Aires i...@xeitonovo.org.ar
Tel: 4382-2638/4942-5848/4384-8587 Noticias RSS

www.xeitonovo.org.ar

Aclaracisn: bajo decreto s1618 titulo 3: aprobado por el 105: congreso de
estandarizacisn de normativas internacionales. Este e-mail no podra ser
considerado SPAM mientras incluya una forma de ser removido.Si no quiere
recibir mas informacisn, responda este mail a i...@xeitonovo.org.ar con
la palabra REMOVER en el asunto.

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Bentley, Dain]

Hello Axton...cool name by the way.

I noticed the match statements work for me as well,  Perhaps it is required?

From: Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 2:06 PM
To: Bentley, Dain
Cc: Stuart Henderson; misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain
dbent...@nas.edumailto:dbent...@nas.edu wrote:
Hello Stuart and thanks for your reply.

It still doesn't help, this seems to work but I'm not sure if this is a good
config:

# NAT RULES
match out on $ext tagged LAN nat-to ($ext)

# BLOCKING AND PACKET TAGGING
pass in on $int from $int_net tag LAN
#pass in on $int tag LAN

block out on $ext from any to any

pass out quick on $ext tagged LAN


From: owner-m...@openbsd.orgmailto:owner-m...@openbsd.org
[owner-m...@openbsd.orgmailto:owner-m...@openbsd.org] On Behalf Of Stuart
Henderson [s...@spacehopper.orgmailto:s...@spacehopper.org]
Sent: Thursday, November 03, 2011 6:53 AM
To: misc@openbsd.orgmailto:misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

you aren't using tagging in your sample.

On 2011-11-03, Wesley M.
open...@e-solutions.remailto:open...@e-solutions.re wrote:
 Hi, try this sample

 _int = re0
 _ext = fxp1
 int_net = 192.168.200.0/24http://192.168.200.0/24
 set block-policy drop
 set skip on lo
 match in all scrub (no-df max-mss 1440)
 match out on $_ext inet from $int_net to any nat-to (egress)
 block log all
 pass in on $_int inet proto udp from $int_net to any port domain
 pass in on $_int inet proto tcp from $int_net to any port \
 { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
 pass out on $_ext inet proto tcp all
 pass out on $_ext inet proto udp all


 All the best,

 Wesley MOUEDINE ASSABY.


 _int = re0
 _ext = fxp1
 int_net = 192.168.200.0/24http://192.168.200.0/24

 pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
 pass in on $_int from $int_net tag LAN_TO_INET

 ..

 pass out quick on $_ext tagged LAN_NAT_TO_INET  nat-to ($_ext)



 Any reason why at the bottom of my .conf file where nat-to is in my
 quick
 rule it would work but when it's at the first filter rule it does not?
 I've
 read over the man page and have the book of pf v.2 and still am
 confused.
 Any
 tought is greatly appreciated.



 Regards,

 Dain

I use something like this.  The ruleset has been modified before posting, so
no guarantees that I didn't mess something up.

# interfaces
if_lo=lo
if_enc=enc0
if_gif=gif0
if_ext=vlan3
if_int=vlan20
if_srv=vlan40

# interface ip's
ip4_int=10.0.0.1
ip6_int=2001:::20::10
ip4_srv=10.0.20.1
ip6_srv=2001:::40::10

# networks
net4_int=10.0.0.0/22http://10.0.0.0/22
net6_int=2001:::20::/64
net4_srv=10.0.20.0/22http://10.0.20.0/22
net6_srv=2001:::40::/64

# other macros
icmp_types=echoreq

# default policy
block log all

# TRANSLATION
match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext)
static-port
match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

# allow router access to all nets (ipv4)
pass out on $if_ext  proto tcp from $if_ext to any
pass out on $if_ext  proto udp from $if_ext to any keep state
pass out on $if_ext  inet  proto icmp from $if_ext to any keep state
pass out on $if_int  proto tcp from $if_int to any
pass out on $if_int  proto udp from $if_int to any keep state
pass out on $if_int  inet  proto icmp from $if_int to any keep state
pass out on $if_int  inet6 proto ipv6-icmp from $if_int to any keep state
pass out on $if_srv  proto tcp from $if_srv to any
pass out on $if_srv  proto udp from $if_srv to any keep state
pass out on $if_srv  inet  proto icmp from $if_srv to any keep state
pass out on $if_srv  inet6 proto ipv6-icmp from $if_srv to any keep state

# tag packets per network
pass in on $if_int  proto tcp from { $net4_int, $net6_int } tag INT_INET
pass in on $if_int  proto udp from { $net4_int, $net6_int } tag INT_INET
keep state
pass in on $if_int  inet  proto icmp from $net4_int  icmp-type $icmp_types tag
INT_INET   keep state
pass in on $if_int  inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv  proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv  proto udp from { $net4_srv, $net6_srv } tag SRV_INET keep
state
pass in on $if_srv  inet  proto icmp from $net4_srv  icmp-type $icmp_types tag
SRV_INET keep state
pass in on $if_srv  inet6 proto ipv6-icmp tag SRV_INET keep state

# policy enforcement

# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT

# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET

# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET

Axton Grams

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Axton]

On Thu, Nov 3, 2011 at 1:33 PM, Bentley, Dain dbent...@nas.edu wrote:

 Hello Axton...cool name by the way.

 I noticed the match statements work for me as well,  Perhaps it is
 required?


This changed with 4.7: http://openbsd.org/faq/upgrade47.html#newPFnat
More details available here:
http://marc.info/?l=openbsd-miscm=125181847818600w=2

It may be that the FAQ you used is out of date.  What FAQ page were you
looking at while setting this up?

Axton Grams

Re: post-Altq

[richardtoohey]

Quoting Wesley M. open...@e-solutions.re:

 Hi, 
 
 What's about the post-Altq ? 
 
 See here :
 http://bsdly.blogspot.com/2011/07/anticipating-post-altq-world.html 
 
 Does
 someone have any news about that? 
 

You need to read undeadly.org

http://undeadly.org/cgi?action=articlesid=20111027082217mode=expandedcount=5

 Cheers, 
 
 Wesley.

Re: Packet Tagging issues with NAT in pf OBSD 4.9

[Bentley, Dain]

http://www.openbsd.org/faq/pf/tagging.html


From: Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 2:51 PM
To: Bentley, Dain
Cc: Stuart Henderson; misc@openbsd.org
Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

On Thu, Nov 3, 2011 at 1:33 PM, Bentley, Dain
dbent...@nas.edumailto:dbent...@nas.edu wrote:
Hello Axton...cool name by the way.

I noticed the match statements work for me as well,  Perhaps it is required?

This changed with 4.7: http://openbsd.org/faq/upgrade47.html#newPFnat
More details available here:
http://marc.info/?l=openbsd-miscm=125181847818600w=2

It may be that the FAQ you used is out of date.  What FAQ page were you
looking at while setting this up?

Axton Grams

Has any one had any problem with install50.iso?

[Johan Ryberg]

Hi there

I has done some testing with install50.iso and USB stick installations
and yesterday I had problem with corrupt packages like xetc50.tgz and
others and I wanted to debug what happened but today every things
works perfectly.

I haven't changed any scripts that I'm using and the only thing that
is a unknown factor is install50.iso that I downloaded several times
yesterday and several times today. I don't have yesterdays downloaded
iso stored but I'm started to think that the iso was corrupt. I where
using ftp.eu.openbsd.org.

Has any one else experienced any problem with install50.iso?

I don't like loose ends =(

Best regards Johan

..

[Jan Izary]

Dear friend!
http://co-p.com/index135tww--.php?lulyCIDID=50

Thu, 3 Nov 2011 22:12:46
__
While the ingenious lad was fond of machinery--to make a machine of himself
was utterly distasteful to him. (c) OLIN vkga489

Re: Has any one had any problem with install50.iso?

[Jason Tubnor]

Hi Johan,

Have you checked the SHA256 sig with the iso?  They can be found here:
http://ftp.openbsd.org/pub/OpenBSD/5.0/arch/SHA256

If you don't have an OpenBSD installation already running to use the sha256
command, you can pick up tools over on sourceforge
http://md5deep.sourceforge.net/ that can help you out with whatever
platform you are running.

Cheers,

Jason.

-- 
Roads?  Where we're going, we don't need roads - Dr. Emmett Doc Brown

Re: Has any one had any problem with install50.iso?

[Nick Holland]

On 11/03/11 17:02, Johan Ryberg wrote:
 Hi there
 
 I has done some testing with install50.iso and USB stick installations
 and yesterday I had problem with corrupt packages like xetc50.tgz and
 others and I wanted to debug what happened but today every things
 works perfectly.

_corrupt_, or checksum mismatches?  HUGE difference.

 I haven't changed any scripts that I'm using and the only thing that
 is a unknown factor is install50.iso that I downloaded several times
 yesterday and several times today. I don't have yesterdays downloaded
 iso stored but I'm started to think that the iso was corrupt. I where
 using ftp.eu.openbsd.org.
 
 Has any one else experienced any problem with install50.iso?
 
 I don't like loose ends =(

neither do I. :)
Unfortunately, you are very short on details.
Any good OpenBSD mirror will have about 18 files with the name
install50.iso.

Some (half!) of them should be absolutely perfect.
The other half will be likely to have checksum mismatches ('specially in
things like the X file sets), and are also prone to changes on the fly,
which may result in interesting issues, as they may be updated once a
day (or more. or less).

So, what you are reporting is either a big problem, or a non-issue.
Probably not both.  Maybe a random network glitch.

Nick.

Patch for FAQ - PF: Packet Tagging (Policy Filtering) - New NAT Syntax

[Axton]

This is a patch to update the FAQ at
http://www.openbsd.org/faq/pf/tagging.html with the nat syntax changes
introduced in 4.7 (http://openbsd.org/faq/upgrade47.html#newPFnat):

$ diff -ub tagging.html.bak tagging.html
--- tagging.html.bak2011-11-03 17:40:01.596053714 -0500
+++ tagging.html2011-11-03 17:47:07.696539268 -0500
@@ -199,7 +199,7 @@
 blockquote
 tt
 block allbr
-pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br
+match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br
 pass in on $int_if from $int_net tag LAN_INETbr
 pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr
 pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZbr
@@ -256,7 +256,7 @@
 # classification -- classify packets based on the defined firewall
 # policy.
 block all
-pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br
+match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br
 pass in on $int_if from $int_net tag LAN_INETbr
 pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr
 pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ

There is a rule on the page that may also require changes:

pass in on $ext_if proto tcp from spamd to port smtp \
   tag SPAMD rdr-to 127.0.0.1 port 8025

I'm not familiar enough with rdr-to to know if this requires changes.
Based on my reading it does not appear to require a change, but
someone needs to check me on this.

Axton Grams

Re: Has any one had any problem with install50.iso?

[rancor]

The problem was on my side. I found the problem in the building scripts.

Thanks anyway

Regards Johan
Den 3 nov 2011 23:45 skrev Nick Holland n...@holland-consulting.net:

 On 11/03/11 17:02, Johan Ryberg wrote:
  Hi there
 
  I has done some testing with install50.iso and USB stick installations
  and yesterday I had problem with corrupt packages like xetc50.tgz and
  others and I wanted to debug what happened but today every things
  works perfectly.

 _corrupt_, or checksum mismatches?  HUGE difference.

  I haven't changed any scripts that I'm using and the only thing that
  is a unknown factor is install50.iso that I downloaded several times
  yesterday and several times today. I don't have yesterdays downloaded
  iso stored but I'm started to think that the iso was corrupt. I where
  using ftp.eu.openbsd.org.
 
  Has any one else experienced any problem with install50.iso?
 
  I don't like loose ends =(

 neither do I. :)
 Unfortunately, you are very short on details.
 Any good OpenBSD mirror will have about 18 files with the name
 install50.iso.

 Some (half!) of them should be absolutely perfect.
 The other half will be likely to have checksum mismatches ('specially in
 things like the X file sets), and are also prone to changes on the fly,
 which may result in interesting issues, as they may be updated once a
 day (or more. or less).

 So, what you are reporting is either a big problem, or a non-issue.
 Probably not both.  Maybe a random network glitch.

 Nick.

symon monitor pf?

[f5b]

symon monitor pf?

http://wpd.home.xs4all.nl/symon/documentation.html

Installation notes
==

Privileges
==
symux needs read and write access to its rrdfiles.

symon needs to interface with your kernel. Depending on your host system this
leads to different privilege requirements:

OpenBSD:  - no privs: cpu, debug, df, if, io, mbuf, mem, proc, sensor
  - rw on /dev/pf for pf

now I want to monitor pf, so we must grant user(_symon) rw Privileges to 
/dev/pf?
why need write Privilege? only read Privilege may work?

Will you suggest a workaround?

hola

[p.bus1]

hola
Estoy muy contenta de presentar un sitio web de la electrC3nicapara usted
hay muchos tipos de telC)fonos mC3viles, cC!maras digitales,laptop.watch,
television.gultar 
podemos ofrecer el precio mC!s bajo si usted estC! interesado en nuestros
productos

S ite :  rol  .com

2011-11-4 12:04:51