Re: Does pfsync require same firewall rules on each fw?

2012-06-29 Thread Ryan McBride
On Fri, Jun 29, 2012 at 01:20:49PM +0200, Martin Pelikan wrote:
> 2012/6/29 Matt Hamilton :
> > Does pfsync require firewalls to have the same firewall rules on all
> > hosts in the sync group?
>
> pfsync only synchronizes states. Which rules created them is
> irrelevant. 

This is absolutely incorrect (see below)


> > But, I was wondering... could I use pfsync to sync states across
> > from one side of the network to the other? 

How well this will work depends a lot on the nature of your traffic and
the latency between the two firewalls. You will probably need to use the
'defer' option for the pfsync interface, which will cause delays on
connection setup if the firewalls are too far apart.


> > Do pfsync packets contain reference to the firewall rule number or
> > specific interface? Or does it just have information specific to the
> > packet itself (ie, src address, dst address, sequence numbers etc)?

If the firewall rulesets are the same, pfsync will link the state
entries to the matching rules. This is necessary to get timeouts, max-*
limits and overload table behavior, per-rule src node tracking, etc. If
the rulesets are different, all states will be associated with the
'default' rule and as such will get the defaults for these items,
regardless of the options on the rule which matched when the state was
created.

It's not impossible to get the same ruleset across two very different
firewalls though; as long as the general policy is the same, you can
probably make it work by using interface groups rather than the actual
interface names, and tables where IP addresses need to be different.


>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pfsync.h?rev=1.44
>
> struct pfsync_upd_c {

This is only used for state updates, state creations are done with
struct pfsync_state in pfvar.h.
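As an added illustration of the approach in this reply (it is example configuration written for this page, not from the thread or from the OpenBSD project), here is how one byte-for-byte identical pf.conf can be loaded on two firewalls with different NICs and addresses, together with the pfsync interface settings the reply refers to. Interface and group names (em0, em2, ext, int), table names and all addresses are assumed placeholders; `syncpeer` and `defer` are the real ifconfig(8) pfsync options.

```conf
# --- /etc/hostname.em0 on firewall A. Firewall B uses its own NIC file
#     (say hostname.bge0) with the same "group ext", so pf rules name the
#     group and never the NIC:
inet 192.0.2.10 255.255.255.0 NONE group ext

# --- /etc/hostname.pfsync0 on firewall A (B points syncpeer back at A).
#     A unicast syncpeer over a dedicated link does not depend on multicast
#     crossing the network; "defer" holds the first packet of a new
#     connection until the peer has acknowledged the state, which is what
#     lets the reply come back through the other firewall, at the cost of
#     one round trip of latency on every connection setup.
up syncdev em2 syncpeer 10.255.0.2 defer

# --- /etc/pf.conf, identical on both firewalls. Per-host differences live
#     in table files, so the loaded rulesets match and synced states keep
#     their per-rule timeouts, max-* limits and overload behaviour.
table <local_nets> persist file "/etc/pf.local_nets"   # contents differ per host
table <bruteforce> persist
table <myself>     const { self }                      # expands per host

set skip on { lo pfsync0 }

block log all
# "ext" and "int" are interface groups; each kernel expands them to its own NICs.
pass in  on ext proto tcp from any to <myself> port 22 keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush)
pass in  on int from <local_nets> to any keep state
pass out on ext from <local_nets> to any keep state
```

The check worth running after loading is `pfctl -sr` on both hosts and comparing the output: if the two listings differ, the states arriving over pfsync on the host with the odd ruleset will be bound to the default rule rather than to the `max-src-conn`/`overload` rule above.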



High-Impact Regulatory Update

2012-06-29 Thread Administracion Publica Mexicana


© 2012 Conference Corporativo S.C. Attend the 48 Best Courses in
Mexico of the Series: REGULATORY NEWS in the
MEXICAN PUBLIC ADMINISTRATION. Includes 4 HIGH-IMPACT courses
for the
2012 CLOSE OF ADMINISTRATION:
1) Workshop on the Timely Preparation of Documentary Memoranda.
2) Course on the White Book and the Documentary Memoranda
of the Mexican Public Sector.
3) Course on How to Resolve Audit Observations
4) Workshop on Preparing the Handover-Receipt Certificate and
Accountability Report
Courses, Content and Methodologies Developed in Partnership with the
Best European Universities with ISO 9000 Quality.
Course 1
(New) Federal Anti-Corruption Law.

Course 2
(New) Public-Private Partnerships Law.

Course 3
(NEW WORKSHOP) Timely Preparation of Documentary Memoranda.

Course 4
(NEW COURSE) Excellence in Compiling the WHITE BOOK and the
Documentary Memoranda of the Mexican Public Sector.

Course 5
(NEW WORKSHOP) HANDOVER-RECEIPT Certificate.

Course 6
How to Resolve Audit Observations (BASED ON SETTLED CASE LAW OF THE
SUPREME COURT OF JUSTICE OF THE NATION) (Includes the Agreement
Establishing the General Provisions for Conducting
Audits, Reviews and Inspection Visits).

Course 7
(NEW) Federal Archives Law.
Course 8
Federal Law on Administrative Responsibilities.

Course 9
Strategic Defense of Public Servants and their
Administrative Procedure.

Course 10
Government Auditing. (Includes the Agreement Establishing the
General Provisions for Conducting Audits,
Reviews and Inspection Visits).

Course 11
Legal Regime of the Responsibilities of Public
Servants.

Course 12
Criminal-Administrative Duality.

Course 13
Criminal Law Fundamentals for Government Auditors.

Course 14
Legal Argumentation Techniques.

Course 15
New Strategic Approach for the OICs, the Internal Control
Bodies of the Mexican Government. (Includes the Agreement Establishing
the General Provisions for Conducting Audits,
Reviews and Inspection Visits).

Course 16
Electronic Tenders for PROCUREMENT - COMPRANET for
Public Servants (Contracting Authorities).
Course 15
Electronic Tenders for PUBLIC WORKS - COMPRANET for
Public Servants (Contracting Authorities).
Course 17
NEW CONAC Provisions.

Course 19
Government Accounting Manual.

Course 20
Classifier by Object of Expenditure.

Course 21
Risk Management Matrix (MAR).

Course 22
Administrative MANUAL for PROCUREMENT.

Course 23
Administrative MANUAL for PUBLIC WORKS.

Course 24
Administrative Manual for MATERIAL RESOURCES and GENERAL SERVICES.

Course 25
Administrative Manual of General Application on FINANCIAL
RESOURCES.

Course 26
Administrative Manual for HUMAN RESOURCES.

Course 27
Administrative Manual of General Application on
Information and Communication Technologies (TIC).

Course 28
Transparency Manual.

Course 29
Internal Control Provisions and their Administrative Manual.

Course 30
Professional Career Service and its Regulations.

Course 31
NEW Professional Career Service Manual.

Course 32
Audits, Reviews and Inspection Visits.

Course 33
NEW Induction Scheme for the Federal Public
Administration.

Course 34
NEW Induction Scheme for the Institution.

Course 35
NEW Induction Scheme for the Position.

Course 36
Procurement Law.

Course 37
Public Works Law.

Course 38
Tenders and Contracting for Procurement.

Course 39
Tenders and Contracting for Public Works.

Course 40
Regulations of the Procurement Law.

Course 41
Regulations of the Public Works Law.

Course 42
How to Prepare the CONAC Conversion Matrix in Detail.

Course 43
Results-Based Budgeting (PBR).

Course 44
Designing the Logical Framework Matrix for the Evaluation
of PBR.

Course 45
Performance Evaluation System (SED).

Course 46
New Guidelines on Indicators for Measuring Physical and
Financial Progress.

Course 47
Government Accounting in the Transparency of Public
Finances.

Course 48
Government Accounting in Accounting Harmonization and the New Chart
of Accounts.

Executive Service

Telephone Service Center:
Mexico City and Metropolitan Area (55) 91 40 30 30
Toll-free: (01 800) 439 66 66
E-mail addressed to:
THIS E-MAIL COMPLIES WITH INTERNATIONAL AND LOCAL ANTI-SPAM
POLICIES.
To unsubscribe, just click here



Re: OpenBSD's webpage design

2012-06-29 Thread frantisek holop
oi, fur-for-brains-man

you said you will never see an email from me ever
because i go directly to /dev/null.

your mama's so fat you cannot even set up procmail.




hmm, on Fri, Jun 29, 2012 at 07:20:29AM -0400, Eric Furman said that
> frantisek holop is a shit eating moron who should
> be ignored by anyone who is not a shit eating moron...
> FUCK YOU holop.
> FUCK YOU holop.
> Please SHUT THE FUCK UP you stupid moron, frantisek holop.
> I beg all true @misc followers
> Search the archives for this shit eating moron's posts.
> He is nothing but a shit eating moron troll.
> 
> On Fri, Jun 29, 2012, at 01:19 PM, Sunnz Yiu wrote:
> > On Jun 29, 2012 6:56 AM, "frantisek holop"  wrote:
> > >
> > > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that
> > > > For dynamic content it's even simpler -- the program producing the
> > > > content should also provide the corresponding header information.
> > >
> > > and it does so inside the  of the page.
> > > a perfectly normal and accepted practice.
> > 
> > it'll do it in the http header if the developer for the dynamic page
> > knows
> > what they are doing.

-- 
don't /usr/bin/talk to strangers



RFQ FOR ARC1220

2012-06-29 Thread purch...@lti.co.il [LTi]
Hi TopSuplier69432-WSBE- Please do not delete this line

You show in your Web-Site ARECA items.

Please quote for 1 pcs of ARC1220

Thank you for your cooperation

PS:
We buy stocks, Please send your stock for sale to st...@lti.co.il

Thanks and Regards,

Purchasing Department

Tel. +972-74-7147791

Fax.+972-74-7147791

LTi

www.lti.co.il

Remove me from E-Mail List

If the above link doesn't work please copy the following link and insert
into your browser:
http://ns.lti.co.il/RemoveFrom.php?Email=misc@openbsd.org&Key=a66
8997f60e51a5403cf4502d78d3b8598



Re: OpenBSD's webpage design

2012-06-29 Thread Mayuresh Kathe
On Wed 27/06/12 08:32, "Theo de Raadt" dera...@cvs.openbsd.org wrote:
> > > On Tue, Jun 26, 2012 at 3:24 PM,  wrote:
> > > I'd prefer the (small) team of developers
> to work on the code.
> >
> > > Well, that's a false dichotomy: not all OpenBSD
> committers work on the
> > code. A handful work primarily on maintaining
> the website and/or
> > documentation, because that's an important job
> too.
> >
> > >
> > Fair enough, I am not a developer, so it was
> entirely my 2c.
>
> > I'm sure there are a lot of people who pop up and
> offer to do stuff but when the
> going gets tough and not much fun, they melt away
> like snowflakes.  I've seen it
> in a number of organisations - lots of ideas, not
> enough implementers (if
> there's such a word.)
>
> Yeah.  I get mails like that.  "We can make this much prettier using
> php".

bullshit, "we can make it prettier using javascript/node"  >;^)



Re: OpenBSD's webpage design

2012-06-29 Thread Peter Laufenberg
what kind of shit are we talking about here? Scheisster baby eat my caviar 
turds or sinewy shrimp intestines you have to swallow wholesale lest being 
called a fag?

Don't leave this up for interpretation or commentators unaware of Tourette 
syndrome tax deductions will /again/ quote out of context and label OpenBSD a 
psychopath hangout. Btw I read Theo was "probably" going Reiser-loco, that's 
fucking hilarious. "I left OpenBSD to become a murder profiler".

-- p


>frantisek holop is a shit eating moron who should
>be ignored by anyone who is not a shit eating moron...
>FUCK YOU holop.
>FUCK YOU holop.
>Please SHUT THE FUCK UP you stupid moron, frantisek holop.
>I beg all true @misc followers
>Search the archives for this shit eating moron's posts.
>He is nothing but a shit eating moron troll.
>
>On Fri, Jun 29, 2012, at 01:19 PM, Sunnz Yiu wrote:
>> On Jun 29, 2012 6:56 AM, "frantisek holop"  wrote:
>> >
>> > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that
>> > > For dynamic content it's even simpler -- the program producing the
>> > > content should also provide the corresponding header information.
>> >
>> > and it does so inside the  of the page.
>> > a perfectly normal and accepted practice.
>> 
>> it'll do it in the http header if the developer for the dynamic page
>> knows
>> what they are doing.



Re: Manpage update for option "user " ?

2012-06-29 Thread Jason McIntyre
On Tue, Jun 26, 2012 at 12:36:25PM +0100, Ti Zed wrote:
> Hello,
> recently, I migrated an old pf_old.conf file (OpenBSD 4.4) to the new
> pf_new.conf grammar of OpenBSD 5.0. In the pf_old.conf there is a line with a
> user restriction "user ". As the old manpage of pf.conf states, just
> tcp/udp protocols are handled and others ignored. Which means, in the
> pf_old.conf the rules are loaded even without tcp/udp flags. With the new
> version, the tcp/udp flags have to be set in the rule, otherwise an error is
> thrown (see below) and the rules will not be loaded into the pf engine.
> ...
> user only applies to tcp/udo
> ... skipping rule due to errors
> 
> Unfortunately
> this can lead to faults during a migration (without the knowledge of this
> fact). From my point of view, the manpage of pf.conf should be updated with
> the comment that the option "user " HAS TO BE bound to a protocol,
> otherwise the rules will not be loaded. 
> 
> Kind regards
> 

man page updated. thanks,
jmc
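The rule shape the 5.0 grammar insists on, shown as an added pf.conf fragment written for this page (it is not from the thread or from the pf.conf man page); `egress` and the `_ntp` user are assumed example values standing in for whatever the migrated rule used.

```conf
# Old-style rule as carried over from the 4.4 configuration. On 5.0 pfctl
# rejects it with the "user only applies to tcp/udp" error quoted above and
# skips the rule, so the restriction silently disappears from the policy:
#
#   pass out on egress user _ntp
#
# The user match is evaluated against the local socket owner, which only
# exists for tcp/udp, so the protocol must be explicit:
pass out on egress proto { tcp udp } user _ntp

# or, if only one protocol is wanted:
pass out on egress proto udp user _ntp

# Check the whole file before loading it, so a skipped rule is caught in
# the migration rather than discovered as a hole in production:
#
#   pfctl -nf /etc/pf.conf
```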



dhcpd sync: truncated or invalid packet

2012-06-29 Thread Marc Peters
Hi List,

I am using two machines in our network as DHCP servers and want to
synchronise them via the -Y and -y switches. After a while, they get out
of sync and have slight differences in their lease files. After
investigating a bit, I activated the sync_debug mode in
/usr/src/usr.sbin/dhcpd/sync.c by setting sync_debug != 0:

int sync_debug = 1;

recompiled dhcpd and installed it. Watching the logs shows that the
messages aren't received properly:

on sparc64:
Jun 29 13:42:03 sparci dhcpd[23673]: DHCPREQUEST for 192.168.1.144 from
00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 sparci dhcpd[23673]: DHCPACK on 192.168.1.144 to
00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 sparci dhcpd[23673]: sending DHCP_SYNC_LEASE for hw
00:23:12:06:d6:34 -> ip 192.168.1.144, start 1340970122, end 1343562122
Jun 29 13:42:03 sparci dhcpd[23673]: sending sync message to
192.168.1.240 (192.168.1.240)
Jun 29 13:42:03 sparci dhcpd[23673]: sending sync message to
192.168.1.244 (192.168.1.244)
Jun 29 13:42:03 sparci dhcpd[23673]: 192.168.1.244(sync): truncated or
invalid packet
Jun 29 13:42:03 sparci dhcpd[23673]: DHCPREQUEST for 192.168.1.144 from
00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 sparci dhcpd[23673]: DHCPACK on 192.168.1.144 to
00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 sparci dhcpd[23673]: sending DHCP_SYNC_LEASE for hw
00:23:12:06:d6:34 -> ip 192.168.1.144, start 1340970123, end 1343562123
Jun 29 13:42:03 sparci dhcpd[23673]: sending sync message to
192.168.1.240 (192.168.1.240)
Jun 29 13:42:03 sparci dhcpd[23673]: sending sync message to
192.168.1.244 (192.168.1.244)


on amd64 (virtual):
Jun 29 13:42:03 infra0 dhcpd[21062]: DHCPREQUEST for 192.168.1.144 from
00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 infra0 dhcpd[21062]: DHCPACK on 192.168.1.144 to
00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 infra0 dhcpd[21062]: sending DHCP_SYNC_LEASE for hw
00:23:12:06:d6:34 -> ip 192.168.1.144, start 1340970122, end 1343562122
Jun 29 13:42:03 infra0 dhcpd[21062]: sending sync message to
192.168.1.240 (192.168.1.240)
Jun 29 13:42:03 infra0 dhcpd[21062]: sending sync message to
192.168.1.241 (192.168.1.241)
Jun 29 13:42:03 infra0 dhcpd[21062]: 192.168.1.241(sync): truncated or
invalid packet
Jun 29 13:42:03 infra0 dhcpd[21062]: 192.168.1.241(sync): truncated or
invalid packet

on amd64 (real hardware):
Jun 29 13:42:03 infra1 dhcpd[11844]: 192.168.1.244(sync): truncated or
invalid packet
Jun 29 13:42:03 infra1 dhcpd[11844]: 192.168.1.241(sync): truncated or
invalid packet
Jun 29 13:42:03 infra1 dhcpd[11844]: 192.168.1.241(sync): truncated or
invalid packet

These are log entries from three machines, to rule out anything being
related to the second host running on virtual hardware. The dhcpd syncs
are started in unicast mode with "-Y 192.168.1.244 -Y 192.168.1.240 -y
192.168.1.241" (on the sparc64, and vice versa on the other hosts).
Multicast syncs don't change the situation.

Is there anything I can do about the truncated messages to get this
working as it should?

marc



Re: Does pfsync require same firewall rules on each fw?

2012-06-29 Thread Martin Pelikan
2012/6/29 Matt Hamilton :
> Hi All,
>
> Does pfsync require firewalls to have the same firewall rules on all
> hosts in the sync group? May seem an odd thing to ask, but I have a
> situation in which I have two firewalls on different sides of my
> network, each one connected to a different external
> network. Occasionally due to BGP weights etc we might get asymmetric
> packet flow and packets come into our network via one firewall and out
> via the other. This is a problem for pf's state system and the only
> way I've been able to work around it is to not keep state at all --
> obviously not a great idea.

Hi.
pfsync only synchronizes states. Which rules created them is
irrelevant. If you have a PI address space, you're probably fine.
Don't forget to provide a stable and possibly separate link between
the routers, IPsec tunnel or a VLAN, or don't rely on multicast and
set syncpeers. On an open network it can sometimes bite, which is
probably caused by others using similar multicast addresses, or I
don't know.

> But, I was wondering... could I use pfsync to sync states across from
> one side of the network to the other? Do pfsync packets contain
> reference to the firewall rule number or specific interface? Or does
> it just have information specific to the packet itself (ie, src
> address, dst address, sequence numbers etc)?

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pfsync.h?rev=1.44

struct pfsync_upd_c {
        u_int64_t                   id;          /* state id assigned by the creating host */
        struct pfsync_state_peer    src;         /* per-direction sequence/window tracking */
        struct pfsync_state_peer    dst;
        u_int32_t                   creatorid;   /* which pfsync host created the state */
        u_int32_t                   expire;
        u_int8_t                    timeout;     /* pf timeout class the expiry refers to */
        u_int8_t                    state_flags;
        u_int8_t                    _pad[2];
} __packed;

Imagine what would you gain if you forced people to use the same rules
or even the same interface names. These are completely separate
things.

-- 
Martin Pelikan



Re: OpenBSD's webpage design

2012-06-29 Thread Eric Furman
frantisek holop is a shit eating moron who should
be ignored by anyone who is not a shit eating moron...
FUCK YOU holop.
FUCK YOU holop.
Please SHUT THE FUCK UP you stupid moron, frantisek holop.
I beg all true @misc followers
Search the archives for this shit eating moron's posts.
He is nothing but a shit eating moron troll.

On Fri, Jun 29, 2012, at 01:19 PM, Sunnz Yiu wrote:
> On Jun 29, 2012 6:56 AM, "frantisek holop"  wrote:
> >
> > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that
> > > For dynamic content it's even simpler -- the program producing the
> > > content should also provide the corresponding header information.
> >
> > and it does so inside the  of the page.
> > a perfectly normal and accepted practice.
> 
> it'll do it in the http header if the developer for the dynamic page
> knows
> what they are doing.



Does pfsync require same firewall rules on each fw?

2012-06-29 Thread Matt Hamilton
Hi All,

Does pfsync require firewalls to have the same firewall rules on all
hosts in the sync group? May seem an odd thing to ask, but I have a
situation in which I have two firewalls on different sides of my
network, each one connected to a different external
network. Occasionally due to BGP weights etc we might get asymmetric
packet flow and packets come into our network via one firewall and out
via the other. This is a problem for pf's state system and the only
way I've been able to work around it is to not keep state at all --
obviously not a great idea.

I'm hoping I might be able to re-arrange my network to a point where
this is not an issue and both external connections come into a single
OpenBSD box so that pf states can work. 

But, I was wondering... could I use pfsync to sync states across from
one side of the network to the other? Do pfsync packets contain
reference to the firewall rule number or specific interface? Or does
it just have information specific to the packet itself (ie, src
address, dst address, sequence numbers etc)?

-Matt



Re: Fn keyboard issue on lenovo ideapad

2012-06-29 Thread frantisek holop
hmm, on Fri, Jun 29, 2012 at 10:35:41AM +0300, Paul Irofti said that
> On Thu, Jun 28, 2012 at 08:24:46PM +0200, frantisek holop wrote:
> > hi there,
> > 
> > it seems that the Fn key on my netbook is a bit too "eager".
> > it seems to work at first glance all right, fn+volume up/down,
> > fn+brightness works, though fn+rfkill does not.
> 
> This is bugs@ material.
> 
> Can you put the acpidump somewhere?

your wish is my command.  obiit.org/f/s100/

> Curious that acpithinkpad doesn't attach.

i paused about it as well, but strictly speaking
this is not a thinkpad.  it's the other "family"
'ideapad'.  there are other acpi extensions in
linux as well for some of the ideapads.


while we are at acpi, please also notice the acpicpu lines:

acpicpu0 at acpi0:, C3, C2, C1, PSS
  ^
acpicpu1 at acpi0:, C3, C2, C1, PSS
acpicpu2 at acpi0:, C3, C2, C1, PSS
acpicpu3 at acpi0:, C3, C2, C1, PSS

-f
-- 
it is always dark if you don't open your eyes.



Re: OpenBSD's webpage design

2012-06-29 Thread frantisek holop
hmm, on Fri, Jun 29, 2012 at 01:19:47PM +1000, Sunnz Yiu said that
> On Jun 29, 2012 6:56 AM, "frantisek holop"  wrote:
> >
> > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that
> > > For dynamic content it's even simpler -- the program producing the
> > > content should also provide the corresponding header information.
> >
> > and it does so inside the  of the page.
> > a perfectly normal and accepted practice.
> 
> it'll do it in the http header if the developer for the dynamic page knows
> what they are doing.

still, it is not the webserver doing it.

-f
-- 
even if you win the rat race, you're still a rat.



SIL 3512 sata card dma errors

2012-06-29 Thread LEVAI Daniel

Hi!

I'm using a SIL 3512A (BIOS ver. 4.3.79) SATA raid card with two disks
connected to it.
When I'm starting an I/O intensive archive unpacking from wd0 to wd1, I
get DMA errors on the console. If I unpack from wd0 -> wd0, then it
seems fine. I've replaced/switched cables and replaced wd1 too.
I can not get a dmesg at the moment, sorry, but I'll post it later when
I get to the machine. It is an old Pentium 4 2.4 GHz and runs 5.1-base.
I've tried to remove every other PCI card and left just the SIL, but I
could still reproduce this error.

Here is a transcript of the error messages:

wd1(pciide0:1:0): timeout
type: ata
c_bcount: 16384
c_skip: 0
pciide0:1:0: bus_master DMA error: missing interrupt, status=0x21
pciide0 channel 1: reset failed for drive 0
wd1d: device timeout writing fsbn 124405184 of 124405184-124405215 (wd1
bn 146426976; cn 145264 tn 13 sn 45), retrying
pciide0:1:0: not ready, st=0xd1, err=0x00
pciide0 channel 1: reset failed for drive 0
wd1d: device timeout writing fsbn 124405184 of 124405184-124405215 (wd1
bn 146426976; cn 145264 tn 13 sn 45), retrying

Does anyone have a clue what I should do? I assume the problem is with wd1,
is this correct? I could not replace wd0, but if it could be the problem
then I'll reinstall the system to another disk. I'll also try to update the
SIL card's BIOS. Should I try -current with this problem?


Thanks,
Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: Fn keyboard issue on lenovo ideapad

2012-06-29 Thread Paul Irofti
On Thu, Jun 28, 2012 at 08:24:46PM +0200, frantisek holop wrote:
> hi there,
> 
> it seems that the Fn key on my netbook is a bit too "eager".
> it seems to work at first glance all right, fn+volume up/down,
> fn+brightness works, though fn+rfkill does not.

This is bugs@ material.

Can you put the acpidump somewhere?
Curious that acpithinkpad doesn't attach.