PF rule match only packets for local machine

2012-01-05 Thread Robert Wolf
Hello all,

May I ask any PF professional for his advice?

I have an OpenBSD router with several interfaces doing routing. It does not work as a 
firewall, so there is only one rule: pass flags any no state.

Because of the many hack scripts doing SSH logins and filling the logs, I would like to 
block all SSH traffic going to this host from unknown IPs, but not routed 
traffic. I want to keep this block rule as simple as possible so that it stays correct in the 
future, even if interfaces or IP addresses change.

I work mostly with Linux, and in netfilter I would create the following rule:

iptables -I INPUT -p tcp --dport 22 ! -s OURNETWORK -m state --state NEW -j DROP


In PF I created the following rules:


table <OurNetworks> const {  }
pass quick proto tcp from <OurNetworks> to any port 22 no state
pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22
block quick proto tcp from any to any port 22


But of course, the last rule blocks all SSH traffic going from unknown
networks to all hosts.


Could someone please help me create PF rules that block only traffic going to the
local machine from networks other than OurNetworks, similar to the iptables rule
above?

I have read the PF manual but have not found any way to tell pf
LOCAL-HOST. I have searched with Google but found no relevant articles; maybe I
have not asked correctly.


Thank you very much for any idea.


Regards,

Robert Wolf.



Re: PF rule match only packets for local machine

2012-01-05 Thread Rafal Bisingier
Hi,

On Thursday, 05 Jan 2012 at 09:00 CET
Robert Wolf r.wolf.c...@gmail.com wrote:

 
 table <OurNetworks> const {  }
 pass quick proto tcp from <OurNetworks> to any port 22 no state
 pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22
 block quick proto tcp from any to any port 22
 
 
 But of course, the last rule blocks every SSH traffic going from unknown
 networks to all hosts.
 
 
 Could someone please help me to create PF rules to block only traffic going to
 local machine from other networks as OutNetworks similary as the iptables rule
 above?

Just replace "to any" with "to self". That should do what you want.

 I have read PF manual but not found any possibility to tell pf to
 LOCAL-HOST. I have search with google but no relevant articles found, maybe I
 have not asked correct.

Well, it's not very easy to find, but the self word is explained in
the manual.

-- 
Greetings
Rafal Bisingier



Re: PF rule match only packets for local machine

2012-01-05 Thread Gregory Edigarov
On Thu, 5 Jan 2012 09:21:16 +0100
Rafal Bisingier ra...@man.poznan.pl wrote:

 Hi,
 
 On Thursday, 05 Jan 2012 at 09:00 CET
 Robert Wolf r.wolf.c...@gmail.com wrote:
 
  
  table <OurNetworks> const {  }
  pass quick proto tcp from <OurNetworks> to any port 22 no state
  pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22
  block quick proto tcp from any to any port 22
  
  
  But of course, the last rule blocks every SSH traffic going from
  unknown networks to all hosts.
  
  
  Could someone please help me to create PF rules to block only
  traffic going to local machine from other networks as OutNetworks
  similary as the iptables rule above?
 
 Just replace to any to to self. Should do what you want.
 
  I have read PF manual but not found any possibility to tell pf to
  LOCAL-HOST. I have search with google but no relevant articles
  found, maybe I have not asked correct.
 
 Well, it's not very easy to find, but the self word is explained in
 the manual.

Yes, but also keep in mind that self is only evaluated on ruleset
load. 



-- 
With best regards,
Gregory Edigarov



Re: PF rule match only packets for local machine

2012-01-05 Thread favar
Hi,
Start with the block rule without quick, then apply the pass rules.
Something like this:

table <OurNetworks> const {  }
block proto tcp from any to any port 22
pass quick proto tcp from <OurNetworks> to any port 22 no state
pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22

2012/1/5 Gregory Edigarov g...@bestnet.kharkov.ua:
 On Thu, 5 Jan 2012 09:21:16 +0100
 Rafal Bisingier ra...@man.poznan.pl wrote:

 Hi,

 On Thursday, 05 Jan 2012 at 09:00 CET
 Robert Wolf r.wolf.c...@gmail.com wrote:

  
  table <OurNetworks> const {  }
  pass quick proto tcp from <OurNetworks> to any port 22 no state
  pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22
  block quick proto tcp from any to any port 22
  
 
  But of course, the last rule blocks every SSH traffic going from
  unknown networks to all hosts.
 
 
  Could someone please help me to create PF rules to block only
  traffic going to local machine from other networks as OutNetworks
  similary as the iptables rule above?

 Just replace to any to to self. Should do what you want.

  I have read PF manual but not found any possibility to tell pf to
  LOCAL-HOST. I have search with google but no relevant articles
  found, maybe I have not asked correct.

 Well, it's not very easy to find, but the self word is explained in
 the manual.

 Yes, but also keep in mind that self is only evaluated on ruleset
 load.



 --
 With best regards,
 Gregory Edigarov



Re: ro / and /etc on mfs - clarification

2012-01-05 Thread Jan Stary
On Jan 04 21:18:51, Jiri B wrote:
 On Thu, Jan 05, 2012 at 01:12:43AM +, Stuart Henderson wrote:
  What's the advantage in having /etc on mfs? Why not just remount /
  readonly after booting and mount it read/write when you need to make
  changes? If you're looking at something more than this then take
  a look at how flashboot does things but I'd only consider that in
  special cases..
 
 I wanted to separate service from (not much important) data thus I
 installed OpenBSD on little usb stick and dedicated normal disk
 for my own data (mp3, source repo, etc...). If the disk would go
 down, no problem, dns/ssh/pf etc would still work OK. (I'm ignoring
 here discussion if the problem is more disk or power supply.)

So you store your mp3's on your firewal and DNS server,
because you want to separate service from data?

 So why /etc on mfs? Maybe I'm thinking that always remounting rw /
 because little changement of a config file would be too much work when
 computers could do that for us invisible in background :)

Always. How often do you edit /etc on the machine
that runs dns and pf for you?

Also, what does mfs have to do with this?



Re: ro / and /etc on mfs - clarification

2012-01-05 Thread Stuart Henderson
On 2012-01-05, Jiri B ji...@devio.us wrote:
 On Thu, Jan 05, 2012 at 01:12:43AM +, Stuart Henderson wrote:
 What's the advantage in having /etc on mfs? Why not just remount /
 readonly after booting and mount it read/write when you need to make
 changes? If you're looking at something more than this then take
 a look at how flashboot does things but I'd only consider that in
 special cases..

 As I'm not building super-small embedded appliance the flasboot is
 not optimal.

 I wanted to separate service from (not much important) data thus I
 installed OpenBSD on little usb stick and dedicated normal disk
 for my own data (mp3, source repo, etc...). If the disk would go
 down, no problem, dns/ssh/pf etc would still work OK. (I'm ignoring
 here discussion if the problem is more disk or power supply.)

 So why /etc on mfs? Maybe I'm thinking that always remounting rw /
 because little changement of a config file would be too much work when
 computers could do that for us invisible in background :) (If it
 would not crash before sync, of course.)

On this type of system I just do rw;vi /whatever;ro where rw/ro are simple
shell scripts that run mount -uw / and mount -ur / respectively, I don't
usually find this a problem.

Or you could use a wrapper which does similar and commits the edited file
to a version control system (though I usually handle version control on
this type of box by pushing the files from another machine to avoid having
checkouts all over the place).
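The rw;vi;ro routine Stuart describes, folded into one script. This is an added example, not Stuart's own rw/ro scripts or anything from the thread. It assumes OpenBSD mount(8) semantics (mount -uw / updates the root filesystem to read-write, mount -ur / back to read-only); the MOUNT and EDITOR variables exist so the script can be exercised without touching a real root filesystem. A version-control commit, if you keep one on the box, goes between the sync and the remount.

```shell
#!/bin/sh
# rwedit FILE: edit a file on a read-only root and put / back read-only
# afterwards.  Added example, not from the thread.  Assumes OpenBSD
# "mount -uw /" and "mount -ur /"; MOUNT and EDITOR can be overridden.
MOUNT=${MOUNT:-mount}
EDITOR=${EDITOR:-vi}

rwedit() {
	file=$1
	[ -n "$file" ] || { echo "usage: rwedit file" >&2; return 2; }
	$MOUNT -uw / || return 1
	"$EDITOR" "$file"
	rc=$?
	# Flush the buffer cache before going back to read-only: if the box
	# loses power right after the edit, the change is on disk, not in RAM.
	sync
	# mount -ur fails with "Device busy" while something still has a file
	# open for writing on /; report that instead of pretending it worked.
	$MOUNT -ur / || return 1
	return $rc
}
```

The remount to read-only happens even when the editor exits non-zero; the editor's status is still returned so a wrapper can tell an abandoned edit from a saved one.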



Re: PF rule match only packets for local machine

2012-01-05 Thread Stuart Henderson
On 2012-01-05, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
 On Thu, 5 Jan 2012 09:21:16 +0100
 Rafal Bisingier ra...@man.poznan.pl wrote:

 Hi,
 
 On Thursday, 05 Jan 2012 at 09:00 CET
 Robert Wolf r.wolf.c...@gmail.com wrote:
 
  
   table <OurNetworks> const {  }
   pass quick proto tcp from <OurNetworks> to any port 22 no state
   pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22

Surely better to have ssh listen on the additional port if it's needed?
Whatever reason you have for using PF without keeping state presumably
applies to port  as well.

  block quick proto tcp from any to any port 22
  
  
  But of course, the last rule blocks every SSH traffic going from
  unknown networks to all hosts.
  
  
  Could someone please help me to create PF rules to block only
  traffic going to local machine from other networks as OutNetworks
  similary as the iptables rule above?
 
 Just replace to any to to self. Should do what you want.
 
  I have read PF manual but not found any possibility to tell pf to
  LOCAL-HOST. I have search with google but no relevant articles
  found, maybe I have not asked correct.
 
 Well, it's not very easy to find, but the self word is explained in
 the manual.

 Yes, but also keep in mind that self is only evaluated on ruleset
 load. 

Unless enclosed by parentheses; block proto tcp to (self) port ssh
*is* evaluated each time. However on a router with relatively static
IP address configuration, it's often helpful to avoid the overhead
of lookups for each packet (especially if you're not keeping state...).



Re: PF rule match only packets for local machine

2012-01-05 Thread Robert Wolf
Hello all,

thank you for your answers.

   
   table <OurNetworks> const {  }
   pass quick proto tcp from <OurNetworks> to any port 22 no state
   pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22
   block quick proto tcp from any to any port 22
   
   
   But of course, the last rule blocks every SSH traffic going from
   unknown networks to all hosts.
  
  Just replace to any to to self. Should do what you want.

*** YES!:-) That is the keyword I was looking for:-)

   I have read PF manual but not found any possibility to tell pf to
   LOCAL-HOST. I have search with google but no relevant articles
   found, maybe I have not asked correct.
  
  Well, it's not very easy to find, but the self word is explained in
  the manual.

*** Oh, I see it now. It is in the TABLES section. I had been looking in the
PACKET FILTERING section, at the syntax description for from port os to port.

 Yes, but also keep in mind that self is only evaluated on ruleset
 load. 

*** Hmm, OK, it is not the same as iptables -I INPUT, but at least I can create
one rule without defining IP addresses or interfaces. Great, thank you for the
info.

I have updated my rules to 

pass in quick proto tcp from any to (self) port  rdr-to 127.0.0.1 port 22
block quick proto tcp from ! <OurNetworks> to (self) port 22 no state

We use pass flags any no state because this machine works as a router, but I
want to block incoming SSH traffic.

 Surely better to have ssh listen on the additional port if it's needed?
 Whatever reason you have for using PF without keeping state presumably
 applies to port  as well.

*** You are right. I can configure SSH on both 22 and  ports. I want to
have port 22 because of access from our networks with a strict firewall allowing
SSH on port 22. But for access from unknown networks I want to have the additional
port  open. And I wanted to have as few files changed as possible. I had
already changed pf.conf, so I wanted to make updates only in pf.conf. But it's
no problem to update sshd_config too.

 Unless enclosed by parentheses; block proto tcp to (self) port ssh
 *is* evaluated each time. However on a router with relatively static
 IP address configuration, it's often helpful to avoid the overhead
 of lookups for each packet (especially if you're not keeping state...).

*** Cool, applied:) 

 start with block rule without quick, then apply pass rules.
 something like this:
 table <OurNetworks> const {  }
 block proto tcp from any to any port 22
 pass quick proto tcp from <OurNetworks> to any port 22 no state
 pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22

*** This does not work. We have one rule, pass flags any no state, after this
block because the machine is a router and we want to pass everything. If I
moved this block after that pass any, it would block all ssh traffic going
through.

The solution with (self) is the best one. I will try to find a slightly better
solution so that all non-SSH packets are passed before the SSH check, something like
==
pass out quick flags any no state
pass in quick proto ! tcp flags any no state
pass in quick proto tcp from any to any port ! 22 flags any no state
## start sshd on port 22 and  instead ##
## pass in quick proto tcp from any to (self) port  rdr-to 127.0.0.1 port 22
block in quick proto tcp from ! <OurNetworks> to (self) port 22 no state
pass flags any no state
==

Is this better?


Thank you all for your answers.


Regards,

Robert Wolf.
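A complete ruleset for the setup discussed in this thread, a stateless router whose own sshd should answer only to trusted networks, written here as an added example rather than taken from any of the posts. The table contents, the skip on lo0 and the log keyword are assumptions. The two SSH rules sit in front of the pass-everything rule and carry quick, because on a ruleset that ends with pass flags any no state an earlier block without quick is overridden by that last match.

```pf
# Added example, not the poster's pf.conf: stateless router, sshd reachable
# only from trusted networks.  Table contents are assumed (RFC 5737 space).
table <ournets> const { 192.0.2.0/24, 198.51.100.0/24 }

set skip on lo0

# 1. Trusted networks may reach sshd on any address this router owns.
#    (self) is re-resolved for every packet, so the rule keeps working when
#    an address changes without a reload; bare self is expanded once when the
#    ruleset is loaded, which is cheaper per packet on a box whose addresses
#    are static.
pass in quick proto tcp from <ournets> to (self) port 22 no state

# 2. Everyone else is dropped.  "block return" would answer with a RST
#    instead; "log" copies the packet to pflog0 so attempts can be counted
#    there rather than in authlog.
block in log quick proto tcp from any to (self) port 22

# 3. Everything else, including SSH that is only routed through this box and
#    the replies from sshd itself, passes statelessly exactly as before.
pass flags any no state
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -sr afterwards shows a rule written with bare self already resolved to the addresses present at load time, while one written with (self) is printed unexpanded. Blocked attempts can be watched with tcpdump -n -e -ttt -i pflog0 port 22. Note that pf.conf has no negated protocol, so a rule such as proto ! tcp does not parse; non-TCP traffic needs no rule of its own here because it falls through to the final pass.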



Help with rc.local scripts

2012-01-05 Thread keith
Hi, I have built a graylog2 server with obsd 5.0 x64 but can't figure 
out how to get some of the programs to auto start. They all start 
when run as root, but only the mongod one starts up at boot time. Can 
anyone help?


if [ -x /etc/rc.d/mongod ]; then
   echo -n ' MongoDB'; /etc/rc.d/mongod start
fi

if [ -x /usr/local/elasticsearch/bin/elasticsearch  ]; then
   echo -n ' Elasticsearch'; /usr/local/elasticsearch/bin/elasticsearch 
fi

if [ -x /usr/local/graylog2-server/graylog2-server.jar  ]; then
   echo  -n ' Graylog2-Server'; java 
/usr/local/graylog2-server/graylog2-server.jar

fi

if [ -x /usr/local/graylog2-server/graylog2-server.jar  ]; then
   echo -n ' Graylog2-Web'; 
/usr/local/graylog2-web-interface/script/rails server -e production 

fi


I've edited the /root/.profile and have added the path to  java to PATH 
and also set JAVA_HOME.


Thanks
Keith



Re: Help with rc.local scripts

2012-01-05 Thread Zé Loff
Aren't you missing a few '&' at the end of some of the start commands? I'd say
that's the problem...

On Jan 5, 2012, at 4:43 PM, keith wrote:

 Hi, I have built a graylog2 server with obsd 5.0 x64 but can't figure out
how to get some of the programs to auto start. They all start when run as
root, but only the mongod one starts up at boot time. Can anyone help?

 if [ -x /etc/rc.d/mongod ]; then
   echo -n ' MongoDB'; /etc/rc.d/mongod start
 fi

 if [ -x /usr/local/elasticsearch/bin/elasticsearch  ]; then
   echo -n ' Elasticsearch'; /usr/local/elasticsearch/bin/elasticsearch 
 fi

 if [ -x /usr/local/graylog2-server/graylog2-server.jar  ]; then
   echo  -n ' Graylog2-Server'; java
/usr/local/graylog2-server/graylog2-server.jar
 fi

 if [ -x /usr/local/graylog2-server/graylog2-server.jar  ]; then
   echo -n ' Graylog2-Web'; /usr/local/graylog2-web-interface/script/rails
server -e production 
 fi


 I've edited the /root/.profile and have added the path to  java to PATH and
also set JAVA_HOME.

 Thanks
 Keith



Re: Help with rc.local scripts

2012-01-05 Thread Otto Moerbeek
On Thu, Jan 05, 2012 at 04:43:30PM +, keith wrote:

 Hi, I have built a graylog2 server with obsd 5.0 x64 but can't
 figure out how to get some of the programs to auto start. They
 all start when run as root, but only the mongod one starts up at boot
 time. Can anyone help?
 
 if [ -x /etc/rc.d/mongod ]; then
echo -n ' MongoDB'; /etc/rc.d/mongod start
 fi
 
 if [ -x /usr/local/elasticsearch/bin/elasticsearch  ]; then
echo -n ' Elasticsearch'; /usr/local/elasticsearch/bin/elasticsearch 
 fi
 
 if [ -x /usr/local/graylog2-server/graylog2-server.jar  ]; then
echo  -n ' Graylog2-Server'; java
 /usr/local/graylog2-server/graylog2-server.jar
 fi
 
 if [ -x /usr/local/graylog2-server/graylog2-server.jar  ]; then
echo -n ' Graylog2-Web';
 /usr/local/graylog2-web-interface/script/rails server -e production
 
 fi
 
 
 I've edited the /root/.profile and have added the path to  java to
 PATH and also set JAVA_HOME.
 
 Thanks
 Keith

In general, .jar files are not executable, so the -x test fails.

-Otto
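The three problems raised in this thread (a -x test on a .jar that is never executable, daemons started in the foreground without a trailing '&', and a PATH/JAVA_HOME set in /root/.profile that rc.local never reads, since /etc/rc runs it under sh(1) and not as a login shell) fixed in one set of rc.local helpers. This is an added example, not Keith's script; the JDK path and the /usr/local locations are assumptions.

```shell
#!/bin/sh
# Start helpers for /etc/rc.local.  Added example, not Keith's script.
# The JDK location and the /usr/local paths are assumptions.
#
# rc.local runs under /etc/rc as root; /root/.profile is only read by a
# login shell, so java's environment has to be set here.
JAVA_HOME=${JAVA_HOME:-/usr/local/jdk-1.7.0}   # assumption: match your install
PATH=$PATH:$JAVA_HOME/bin
export JAVA_HOME PATH

# True for a program we can run directly.
can_exec() { [ -f "$1" ] && [ -x "$1" ]; }

# A .jar is data handed to java, not a program: it is installed 0644, so
# "test -x" on it is always false.  Readable is the right test.
can_load_jar() { [ -f "$1" ] && [ -r "$1" ]; }

# start_exec LABEL CMD [ARGS...]: announce and launch a daemon.  Without the
# trailing '&' rc.local blocks on a foreground server for ever and nothing
# listed after it starts.
start_exec() {
	label=$1; shift
	can_exec "$1" || return 1
	echo -n " $label"
	"$@" >/dev/null 2>&1 &
}

# start_jar LABEL JAR [ARGS...]: same for a jar, which needs "java -jar".
start_jar() {
	label=$1; jar=$2; shift 2
	can_load_jar "$jar" || return 1
	echo -n " $label"
	java -jar "$jar" "$@" >/dev/null 2>&1 &
}

# Call this at the end of rc.local.
start_graylog_stack() {
	if [ -x /etc/rc.d/mongod ]; then
		echo -n ' MongoDB'; /etc/rc.d/mongod start
	fi
	start_exec Elasticsearch /usr/local/elasticsearch/bin/elasticsearch
	start_jar Graylog2-Server /usr/local/graylog2-server/graylog2-server.jar
	start_exec Graylog2-Web /usr/local/graylog2-web-interface/script/rails \
	    server -e production
	echo '.'
}
```

Output of the backgrounded daemons goes to /dev/null here; point it at a log file under /var/log if you want their startup errors, because nothing else captures what a process started from rc.local prints.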





Re: ro / and /etc on mfs - clarification

2012-01-05 Thread Chris Cappuccio
how about this scenario:

1. tar cvf /tmp/etc.tar /etc
2. mount_mfs -s 20M swap /etc
3. tar xvf /tmp/etc.tar -C /

Jiri B [ji...@devio.us] wrote:
 scenario:
 =
 
 * mkdir /proto_etc
 * cp -Rp /etc/* /proto_etc
 * mkdir /pre_etc
 * cd /pre_etc
 * for i in boot.conf rc ttys passwd master.passwd pwd.db spwd.db login.conf 
 fstab rc.conf ; do
   ln /etc/$i $i
   done
 * mount_mfs -s 20M -P /proto_etc swap /etc
 * rsync -vhaz --delete \
   --exclude boot.conf \
   --exclude rc \
   --exclude ttys \
   --exclude passwd \
   --exclude master.passwd \
   --exclude pwd.db \
   --exclude spwd.db \
   --exclude login.conf \
   --exclude fstab \
   --exclude rc.conf /etc/ /proto_etc/
 * cd /etc
 * for i in boot.conf rc ttys passwd master.passwd pwd.db spwd.db login.conf 
 fstab rc.conf ; do
   cat /etc/$i > /pre_etc/$i
   done

-- 
There are only three sports: bullfighting, motor racing, and mountaineering; 
all the rest are merely games. - E. Hemingway



Re: ro / and /etc on mfs - clarification

2012-01-05 Thread Chris Cappuccio
Stuart Henderson [s...@spacehopper.org] wrote:
 
 On this type of system I just do rw;vi /whatever;ro where rw/ro are simple
 shell scripts that run mount -uw / and mount -ur / respectively, I don't
 usually find this a problem.
 
 Or you could use a wrapper which does similar and commits the edited file
 to a version control system (though I usually handle version control on
 this type of box by pushing the files from another machine to avoid having
 checkouts all over the place).

Yeah there's no real point in /etc being an MFS unless you need to make 
frequent, automated updates to it.

/dev needed to be MFS for sshd to work, it wanted to update metadata on tty 
devices, i'm not sure if that's still the case anymore.

-- 
There are only three sports: bullfighting, motor racing, and mountaineering; 
all the rest are merely games. - E. Hemingway



Re: Where do I buy Lemote Loongson/Godson MIPS hardware? (was Re: Longsoon/Godson MIPS boxes, where to buy?)

2012-01-05 Thread Chris Cappuccio
If anyone wants to go right to Lemote and start selling on Amazon or direct in 
your area, they were priced at $280/ea in 10 qty about 2 years ago.
So they're probably much cheaper now. And it sounds like they ship in single 
qty now, too.

Johan Beisser [j...@caustic.org] wrote:
 On Tue, Dec 27, 2011 at 10:09 AM, Dave U. Random
 anonym...@anonymitaet-im-inter.net wrote:
  Are the Longson/Godson MIPS boxes available over the counter yet? If so
  where is the best place to order one? Thanks.
 
 A brief search of the archives gives a few resources. Spelling the
 architecture right helps, but searching for lemote does wonders.
 
 Start reading here:
 http://openbsd.org/loongson.html
 
 Relevant threads on misc@:
 http://marc.info/?l=openbsd-misc&w=2&r=1&s=lemote&q=b
 http://marc.info/?l=openbsd-misc&w=2&r=1&s=loongson&q=b
 
 Acquiring hardware:
 
 International:
 http://www.aliexpress.com/wholesale?SearchText=loongson&catId=0
 http://www.aliexpress.com/wholesale?SearchText=lemote&catId=0
 
 In China (drop shipment to a forwarder may be necessary):
 http://loogson.taobao.com/
 
 In Europe:
 http://www.tekmote.nl
 
 In the US, Amazon has a direct sales from Freedom Included. Prime eligible.
 http://www.amazon.com/s?ie=UTF8&search-alias=computers&field-manufacturer=Lemote
 http://freedomincluded.com/
 
 
 Compiled for the archives, YMMV..
 
 Special thanks to Miod, Diana and others for their postings.

-- 
There are only three sports: bullfighting, motor racing, and mountaineering; 
all the rest are merely games. - E. Hemingway



Re: Where do I buy Lemote Loongson/Godson MIPS hardware? (was Re: Longsoon/Godson MIPS boxes, where to buy?)

2012-01-05 Thread Richard Thornton
They seem to be well made, but Debian Linux is unstable.

On Thu, Jan 5, 2012 at 4:49 PM, Chris Cappuccio ch...@nmedia.net wrote:

 If anyone wants to go right to Lemote and start selling on Amazon or
 direct in your area, they were priced at $280/ea in 10 qty about 2 years
 ago.
 So they're probably much cheaper now. And it sounds like they ship in
 single qty now, too.

 Johan Beisser [j...@caustic.org] wrote:
  On Tue, Dec 27, 2011 at 10:09 AM, Dave U. Random
  anonym...@anonymitaet-im-inter.net wrote:
   Are the Longson/Godson MIPS boxes available over the counter yet? If so
   where is the best place to order one? Thanks.
 
  A brief search of the archives gives a few resources. Spelling the
  architecture right helps, but searching for lemote does wonders.
 
  Start reading here:
  http://openbsd.org/loongson.html
 
  Relevant threads on misc@:
  http://marc.info/?l=openbsd-misc&w=2&r=1&s=lemote&q=b
  http://marc.info/?l=openbsd-misc&w=2&r=1&s=loongson&q=b
 
  Acquiring hardware:
 
  International:
  http://www.aliexpress.com/wholesale?SearchText=loongson&catId=0
  http://www.aliexpress.com/wholesale?SearchText=lemote&catId=0
 
  In China (drop shipment to a forwarder may be necessary):
  http://loogson.taobao.com/
 
  In Europe:
  http://www.tekmote.nl
 
  In the US, Amazon has a direct sales from Freedom Included. Prime
 eligible.
 
 http://www.amazon.com/s?ie=UTF8&search-alias=computers&field-manufacturer=Lemote
  http://freedomincluded.com/
 
 
  Compiled for the archives, YMMV..
 
  Special thanks to Miod, Diana and others for their postings.

 --
 There are only three sports: bullfighting, motor racing, and
 mountaineering; all the rest are merely games. - E. Hemingway



Re: Odd Network Lockups

2012-01-05 Thread Nick Templeton
Okay, so finally I got around to disabling the vether/tun/bridge
interfaces and mbuf usage still seems to be climbing. Here's the
output from 'netstat -m' and 'systat mbuf' from the morning of Jan.
3rd (an hour or so after a reboot):

79 mbufs in use:
47 mbufs allocated to data
24 mbufs allocated to packet headers
8 mbufs allocated to socket names and addresses
45/64/8192 mbuf 2048 byte clusters in use (current/peak/max)
0/8/8192 mbuf 4096 byte clusters in use (current/peak/max)
0/8/8192 mbuf 8192 byte clusters in use (current/peak/max)
0/8/8192 mbuf 9216 byte clusters in use (current/peak/max)
0/8/8192 mbuf 12288 byte clusters in use (current/peak/max)
0/8/8192 mbuf 16384 byte clusters in use (current/peak/max)
0/8/8192 mbuf 65536 byte clusters in use (current/peak/max)
356 Kbytes allocated to network (30% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

1 users    Load 0.37 0.32 0.27    Tue Jan  3 10:02:04 2012

IFACE    LIVELOCKS  SIZE  ALIVE  LWM  HWM  CWM
System           0   256     80              9
                      2k     45             32
lo0
em0                   2k      9    4  256    9
em1                   2k     13    4  256   13
em2                   2k      8    4  256    8
enc0
pflog0

And here the output from the evening of Jan. 5th (with no reboot since the
3rd):

3390 mbufs in use:
3349 mbufs allocated to data
24 mbufs allocated to packet headers
17 mbufs allocated to socket names and addresses
3347/3398/8192 mbuf 2048 byte clusters in use (current/peak/max)
0/8/8192 mbuf 4096 byte clusters in use (current/peak/max)
0/8/8192 mbuf 8192 byte clusters in use (current/peak/max)
0/8/8192 mbuf 9216 byte clusters in use (current/peak/max)
0/8/8192 mbuf 12288 byte clusters in use (current/peak/max)
0/8/8192 mbuf 16384 byte clusters in use (current/peak/max)
0/8/8192 mbuf 65536 byte clusters in use (current/peak/max)
7904 Kbytes allocated to network (95% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

2 users    Load 0.34 0.25 0.18    Thu Jan  5 18:00:30 2012

IFACE    LIVELOCKS  SIZE  ALIVE  LWM  HWM  CWM
System           0   256   3382            229
                      2k   3347           1699
lo0
em0                   2k     11    4  256   11
em1                   2k     12    4  256   12
em2                   2k      8    4  256    8
enc0
pflog0

-Nick

On Mon, Dec 19, 2011 at 4:22 AM, Stuart Henderson s...@spacehopper.org
wrote:
 I just noticed the vether/tun/bridge in your systat output.
 To try and narrow things down, are you able to disable these
 to see if there's any improvement?


 On 2011-12-08, Nick Templeton n...@nicktempleton.com wrote:
 I think you're right Stuart, raising kern.maxclusters is only buying me
time.

 The only sysctl values I've modified are:
 net.inet.ip.forwarding=1
 ddb.panic=0
 kern.maxclusters=8192

 netstat -m shows increasing values over time, here's the output from
 this morning:

 3510 mbufs in use:
   3479 mbufs allocated to data
   24 mbufs allocated to packet headers
   7 mbufs allocated to socket names and addresses
 3477/3522/8192 mbuf 2048 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 4096 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 8192 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 9216 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 12288 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 16384 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 65536 byte clusters in use (current/peak/max)
 8204 Kbytes allocated to network (95% in use)
 0 requests for memory denied
 0 requests for memory delayed
 0 calls to protocol drain routines

 ...and here it is from this evening:

 3718 mbufs in use:
3687 mbufs allocated to data
24 mbufs allocated to packet headers
7 mbufs allocated to socket names and addresses
 3685/3734/8192 mbuf 2048 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 4096 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 8192 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 9216 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 12288 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 16384 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 65536 byte clusters in use (current/peak/max)
 8628 Kbytes allocated to network (96% in use)
 0 requests for memory denied
 0 requests for memory delayed
 0 calls to protocol drain routines

 Here's the output from systat mbuf:

 1 users    Load 0.65 0.79 0.76    Wed Dec  7 18:15:12 2011

 IFACE    LIVELOCKS  SIZE  ALIVE  LWM  HWM  CWM
 System           0   256   3716            242
                       2k   3686           1867
 lo0
 em0
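A small script that turns two netstat -m snapshots into a growth rate and a time-to-exhaustion, which is what Stuart's "only buying me time" remark amounts to in numbers. This is an added example, not from the thread; the two samples are constructed from the figures Nick posted for Jan 3 10:02 and Jan 5 18:00 (about 56 hours apart) and embedded so the script runs offline. On a real router, save netstat -m output from cron and feed those files in instead.

```shell
#!/bin/sh
# mbufwatch: how fast are 2k clusters climbing, and when does the pool hit
# kern.maxclusters?  Added example, not from the thread.  The two samples are
# constructed from the numbers in Nick's post (Jan 3 vs Jan 5, ~56 h apart).
SAMPLE_T0='79 mbufs in use:
45/64/8192 mbuf 2048 byte clusters in use (current/peak/max)
356 Kbytes allocated to network (30% in use)'
SAMPLE_T1='3390 mbufs in use:
3347/3398/8192 mbuf 2048 byte clusters in use (current/peak/max)
7904 Kbytes allocated to network (95% in use)'

# Print current (1), peak (2) or max (3) from the 2048-byte cluster line of a
# "netstat -m" report read on stdin.
clusters_2k() {
	awk -v f="$1" '/mbuf 2048 byte clusters/ { split($1, a, "/"); print a[f]; exit }'
}

# growth_per_hour BEFORE AFTER HOURS: clusters gained per hour (integer).
growth_per_hour() {
	echo $(( ($2 - $1) / $3 ))
}

# hours_to_exhaustion CURRENT MAX RATE: hours until the pool is full at RATE
# per hour; "never" when the count is not rising.  Once it is full, the
# "requests for memory denied" line in netstat -m starts climbing and the
# box stops passing traffic, which is the lockup seen in this thread.
hours_to_exhaustion() {
	[ "$3" -gt 0 ] || { echo never; return; }
	echo $(( ($2 - $1) / $3 ))
}

# One-line summary for the two embedded samples.
report() {
	c0=$(printf '%s\n' "$SAMPLE_T0" | clusters_2k 1)
	c1=$(printf '%s\n' "$SAMPLE_T1" | clusters_2k 1)
	max=$(printf '%s\n' "$SAMPLE_T1" | clusters_2k 3)
	rate=$(growth_per_hour "$c0" "$c1" 56)
	left=$(hours_to_exhaustion "$c1" "$max" "$rate")
	echo "2k clusters: $c0 -> $c1 of $max, +$rate/hour, kern.maxclusters reached in about $left hours"
}
```

With Nick's figures the pool grows by roughly 58 clusters an hour on a nearly idle router, so 8192 is reached in about three and a half days from the second sample; a bigger kern.maxclusters moves that deadline but does not remove it, while "0 requests for memory denied" shows the box has not yet hit the wall at the time of the snapshot.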

Re: ro / and /etc on mfs - clarification

2012-01-05 Thread Kevin Chadwick
On Thu, 5 Jan 2012 13:47:43 -0800
Chris Cappuccio wrote:

 /dev needed to be MFS for sshd to work, it wanted to update metadata on tty 
 devices, i'm not sure if that's still the case anymore.

It is though you can use sftp or static dev entries for an admin on his tod.


---
Kc



OpenBSD mirror obsd.cec.mtu.edu shutting down

2012-01-05 Thread Nick Holland
A heads-up to those that care...
Due to local support issues, I will soon have to shut down the OpenBSD
mirror, obsd.cec.mtu.edu, which has served as a second-level mirror
for the last almost four years.

To discourage its use as a feeder for third-level mirrors, I'll be
shutting down rsync for the outside world on Monday, January 9th.

Mirrors feeding from obsd.cec.mtu.edu need to find a new system to pull
from immediately, so you continue to provide your users with quality
service.

The rest of the mirror will remain up until the end of January, or until
something happens that takes the system down (we no longer have anyone
on site who will be taking time from their day to reset or repair the
system, which is the primary reason it is being shut down; it can't be
properly maintained as a 2nd-level mirror should be).

I do wish to thank Michigan Technological University for the use of
their bandwidth, power and air conditioning for the last four years!

(and with a little luck and a lot of begging, I *may* have a worthy
successor in the not too distant future).

Nick.



bc4318

2012-01-05 Thread Nikolas Slivka
Welcome!

Where can I find information about whether the BC4318 wifi card works under OpenBSD
5.0?

Thanks!



Re: bc4318

2012-01-05 Thread Tomas Bodzar
On Thu, Jan 5, 2012 at 10:00 PM, Nikolas Slivka damagec...@freemail.hu wrote:
 Welcome!

 Where can I find information about whether the BC4318 wifi card works under OpenBSD
 5.0?

Read the first (last) log entry on this page
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/Attic/if_bcw_pci.c
for the 43xx. Here is some background, including links:
https://en.wikipedia.org/wiki/Theo_de_Raadt#Clash_with_Linux_developers

And your actual options are here http://www.openbsd.org/faq/faq6.html#Wireless


 Thanks!



Re: bc4318

2012-01-05 Thread Ted Unangst
On Fri, Jan 06, 2012, Tomas Bodzar wrote:
 On Thu, Jan 5, 2012 at 10:00 PM, Nikolas Slivka damagec...@freemail.hu
 wrote:
 Welcome!

  Where can I find information about whether the BC4318 wifi card works under
  OpenBSD
  5.0?
 
 Read first (last) log on this page
 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/Attic/if_bcw_pci.c
 for 43xx Here is some background including links
 https://en.wikipedia.org/wiki/Theo_de_Raadt#Clash_with_Linux_developers
 
 And your actual options are here
 http://www.openbsd.org/faq/faq6.html#Wireless

man bwi is probably a better source for current information.





pcn0: packet spilled into next buffer

2012-01-05 Thread Indunil Jayasooriya
Hi misc,


I just installed OpenBSD 5 64 bit as a VM on Redhat Linux KVM .

Then I got the error below:

pcn0: packet spilled into next buffer


I searched the internet and found the URL below:


http://www.google.lk/url?sa=t&rct=j&q=packet%20spilled%20into%20next%20buffer&source=web&cd=1&ved=0CBoQFjAA&url=ftp%3A%2F%2Fftp.irisa.fr%2Fpub%2FOpenBSD%2Fsrc%2Fsys%2Fdev%2Fpci%2Fif_pcn.c&ei=0KMGT8bKJPHQmAWiutSxAg&usg=AFQjCNE_6v0It-SIaxCx7Yblsbf2Po1Y9g&cad=rja


But I cannot make sense of it.

Is it normal, or should I fix it?


Hope to hear from you.



-- 
Thank you
Indunil Jayasooriya



Re: bc4318

2012-01-05 Thread Tomas Bodzar
On Fri, Jan 6, 2012 at 8:22 AM, Ted Unangst t...@tedunangst.com wrote:
 On Fri, Jan 06, 2012, Tomas Bodzar wrote:
 On Thu, Jan 5, 2012 at 10:00 PM, Nikolas Slivka damagec...@freemail.hu
 wrote:
 Welcome!

  Where can I find information about whether the BC4318 wifi card works under
  OpenBSD
  5.0?

 Read first (last) log on this page
 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/Attic/if_bcw_pci.c
 for 43xx Here is some background including links
 https://en.wikipedia.org/wiki/Theo_de_Raadt#Clash_with_Linux_developers

 And your actual options are here
 http://www.openbsd.org/faq/faq6.html#Wireless

 man bwi is probably a better source for current information.

Sure, bwi is mentioned in that FAQ part.