Re: Does pfsync require same firewall rules on each fw?
On Fri, Jun 29, 2012 at 01:20:49PM +0200, Martin Pelikan wrote:
> 2012/6/29 Matt Hamilton :
> > Does pfsync require firewalls to have the same firewall rules on all
> > hosts in the sync group?
>
> pfsync only synchronizes states. Which rules created them is
> irrelevant.

This is absolutely incorrect (see below).

> > But, I was wondering... could I use pfsync to sync states across
> > from one side of the network to the other?

How well this will work depends a lot on the nature of your traffic and
the latency between the two firewalls. You will probably need to use the
'defer' option for the pfsync interface, which will cause delays on
connection setup if the firewalls are too far apart.

> > Do pfsync packets contain reference to the firewall rule number or
> > specific interface? Or does it just have information specific to the
> > packet itself (ie, src address, dst address, sequence numbers etc)?

If the firewall rulesets are the same, pfsync will link the state entries
to the matching rules. This is necessary to get timeouts, max-* limits and
overload table behavior, per-rule src node tracking, etc. If the rulesets
are different, all states will be associated with the 'default' rule and
as such will get the defaults for these items, regardless of the options
on the rule which matched when the state was created.

It's not impossible to get the same ruleset across two very different
firewalls though; as long as the general policy is the same you can
probably make it work by using interface groups rather than the actual
interface names, and tables where ip addresses need to be different.

> > http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pfsync.h?rev=1.44
> > struct pfsync_upd_c {

This is only used for state updates; state creations are done with
struct pfsync_state in pfvar.h.
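A pf.conf sketch of the approach this reply describes, as an added example that is not code from the thread or from OpenBSD: one ruleset meant to load unchanged on both firewalls, naming interface groups instead of interface names and keeping the per-host addresses in tables. The group names, table names, file path, addresses and state options are constructed placeholders.

```pf
# Added example, not from the thread. The same file is loaded on both
# firewalls, so a state received over pfsync finds the same rule on the
# peer and keeps that rule's timeouts, max-* limits and overload
# behaviour instead of falling back to the default rule. All names and
# addresses below are placeholders.

# Interface groups: each box puts its own NICs into the groups (for
# instance "group ext" in /etc/hostname.em0 on one firewall and in
# /etc/hostname.ix0 on the other), so the ruleset never names a NIC.
ext_if = "ext"
int_if = "int"
sync_if = "sync"

# Tables: addresses that differ per host are loaded from a file whose
# contents differ on each firewall; the ruleset text stays identical.
table <self_ext> persist file "/etc/pf.self_ext"
table <lan> const { 10.0.0.0/8 }
table <bruteforce> persist

set skip on { lo $sync_if }

block log all

# Hosts that tripped the overload rule below are dropped early.
block in quick on $ext_if from <bruteforce>

# These per-rule options only take effect on the peer if the synced
# state links to this same rule there; with a different ruleset the
# state would get the default timeouts and no limits at all.
pass in on $ext_if proto tcp to <self_ext> port ssh \
	keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass out on $ext_if proto tcp from <lan> \
	keep state (tcp.established 7200, max 10000)
pass in on $int_if from <lan> to any
```

Check that the file parses on each box with `pfctl -nf /etc/pf.conf` before loading it, and compare `pfctl -sr` output on both firewalls: if the rule lists differ, states will not link to matching rules. The `defer` option the reply mentions belongs to the pfsync interface and is set with ifconfig(8), not in pf.conf.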
High-Impact Regulatory Update
© 2012 Conference Corporativo S.C.

Attend the 48 Best Courses in Mexico in the Series:
REGULATORY NEWS in MEXICAN PUBLIC ADMINISTRATION

Includes 4 HIGH-IMPACT courses for the 2012 END OF TERM:
1) Workshop on the Precise Preparation of Documentary Records.
2) Course on the White Book and Documentary Records of the Mexican Public Sector.
3) Course on How to Resolve Audit Observations
4) Workshop on Preparing the Handover Certificate and Accountability Report

Courses, Contents and Methodologies Developed in Partnership with the Best European Universities with ISO 9000 Quality.

Course 1 (New) Federal Anti-Corruption Law.
Course 2 (New) Public-Private Partnerships Law.
Course 3 (NEW WORKSHOP) Precise Preparation of Documentary Records.
Course 4 (NEW COURSE) Excellence in Assembling the WHITE BOOK and the Documentary Records of the Mexican Public Sector.
Course 5 (NEW WORKSHOP) HANDOVER Certificate.
Course 6 How to Resolve Audit Observations (BASED ON SETTLED CASE LAW OF THE SUPREME COURT OF JUSTICE OF THE NATION) (Includes the Agreement Establishing the General Provisions for Carrying Out Audits, Reviews and Inspection Visits).
Course 7 (NEW) Federal Archives Law.
Course 8 Federal Law on Administrative Responsibilities.
Course 9 Strategic Defence of Public Servants and Their Administrative Procedure.
Course 10 Government Auditing. (Includes the Agreement Establishing the General Provisions for Carrying Out Audits, Reviews and Inspection Visits).
Course 11 Legal Regime of Public Servants' Responsibilities.
Course 12 Criminal/Administrative Duality.
Course 13 Criminal Law Fundamentals for Government Auditors.
Course 14 Legal Argumentation Techniques.
Course 15 New Strategic Approach for OICs, the Internal Control Bodies of the Mexican Government. (Includes the Agreement Establishing the General Provisions for Carrying Out Audits, Reviews and Inspection Visits).
Course 16 Electronic Tendering of PROCUREMENT - COMPRANET for Public Servants (Contracting Authorities).
Course 15 Electronic Tendering of PUBLIC WORKS - COMPRANET for Public Servants (Contracting Authorities).
Course 17 NEW Provisions of CONAC.
Course 19 Government Accounting Manual.
Course 20 Classifier by Object of Expenditure.
Course 21 Risk Management Matrix (MAR).
Course 22 Administrative MANUAL for PROCUREMENT.
Course 23 Administrative MANUAL for PUBLIC WORKS.
Course 24 Administrative Manual for MATERIAL RESOURCES and GENERAL SERVICES.
Course 25 General Administrative Manual on FINANCIAL RESOURCES.
Course 26 Administrative Manual for HUMAN RESOURCES.
Course 27 General Administrative Manual on Information and Communication Technologies (ICT).
Course 28 Transparency Manual.
Course 29 Internal Control Provisions and Their Administrative Manual.
Course 30 Professional Career Service and Its Regulations.
Course 31 NEW Professional Career Service Manual.
Course 32 Audits, Reviews and Inspection Visits.
Course 33 NEW Induction Scheme for the Federal Public Administration.
Course 34 NEW Induction Scheme for the Institution.
Course 35 NEW Induction Scheme for the Position.
Course 36 Procurement Law.
Course 37 Public Works Law.
Course 38 Tendering and Contracting of Procurement.
Course 39 Tendering and Contracting of Public Works.
Course 40 Regulations of the Procurement Law.
Course 41 Regulations of the Public Works Law.
Course 42 How to Prepare the CONAC Conversion Matrix in Detail.
Course 43 Results-Based Budgeting (PBR).
Course 44 Design of the Logical Framework Matrix for PBR Evaluation.
Course 45 Performance Evaluation System (SED).
Course 46 New Guidelines on Indicators for Measuring Physical and Financial Progress.
Course 47 Government Accounting in the Transparency of Public Finances.
Course 48 Government Accounting in Accounting Harmonization and the New Chart of Accounts.

Executive Service
Call Center: Mexico City and Metropolitan Area (55) 91 40 30 30
Toll-free: (01 800) 439 66 66
Mail addressed to:
THIS MAIL COMPLIES WITH INTERNATIONAL AND LOCAL ANTI-SPAM POLICIES. To unsubscribe just click here
Re: OpenBSD's webpage design
oi, fur-for-brains-man

you said you will never see an email from me ever
because i go directly to /dev/null.

your mama's so fat you cannot even set up procmail.

hmm, on Fri, Jun 29, 2012 at 07:20:29AM -0400, Eric Furman said that
> frantisek holop is a shit eating moron who should
> be ignored by anyone who is not a shit eating moron...
> FUCK YOU holop.
> FUCK YOU holop.
> Please SHUT THE FUCK UP you stupid moron, frantisek holop.
> I beg all true @misc followers
> Search the archives for this shit eating moron's posts.
> He is nothing but a shit eating moron troll.
>
> On Fri, Jun 29, 2012, at 01:19 PM, Sunnz Yiu wrote:
> > On Jun 29, 2012 6:56 AM, "frantisek holop" wrote:
> > >
> > > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that
> > > > For dynamic content it's even simpler -- the program producing the
> > > > content should also provide the corresponding header information.
> > >
> > > and it does so inside the of the page.
> > > a perfectly normal and accepted practice.
> >
> > it'll do it in the http header if the developer for the dynamic page
> > knows
> > what they are doing.

--
don't /usr/bin/talk to strangers
RFQ FOR ARC1220
Hi

TopSuplier69432-WSBE- Please do not delete this line

You show in your Web-Site ARECA items.
Please quote for 1 pcs of ARC1220

Thank you for your cooperation

PS: We buy stocks, Please send your stock for sale to st...@lti.co.il

Thanks and Regards,
Purchasing Department
Tel. +972-74-7147791
Fax. +972-74-7147791
LTi
www.lti.co.il

Remove me from E-Mail List
If the above link doesn't work please copy the following link and insert into your browser:
http://ns.lti.co.il/RemoveFrom.php?Email=misc@openbsd.org&Key=a668997f60e51a5403cf4502d78d3b8598
Re: OpenBSD's webpage design
On Wed 27/06/12 08:32, "Theo de Raadt" dera...@cvs.openbsd.org wrote:
> > > On Tue, Jun 26, 2012 at 3:24 PM, wrote:
> > > > I'd prefer the (small) team of developers to work on the code.
> > >
> > > Well, that's a false dichotomy: not all OpenBSD committers work on the
> > > code. A handful work primarily on maintaining the website and/or
> > > documentation, because that's an important job too.
> >
> > Fair enough, I am not a developer, so it was entirely my 2c.
> >
> > I'm sure there are a lot of people who pop up and offer to do stuff but when the
> > going gets tough and not much fun, they melt away like snowflakes. I've seen it
> > in a number of organisations - lots of ideas, not enough implementers (if
> > there's such a word.)
>
> Yeah. I get mails like that. "We can make this much prettier using
> php".

bullshit, "we can make it prettier using javascript/node" >;^)
Re: OpenBSD's webpage design
what kind of shit are we talking about here? Scheisster baby eat my
caviar turds or sinewy shrimp intestines you have to swallow wholesale
lest being called a fag? Don't leave this up for interpretation or
commentators unaware of Tourette syndrome tax deductions will /again/
quote out of context and label OpenBSD a psychopath hangout.

Btw I read Theo was "probably" going Reiser-loco, that's fucking
hilarious. "I left OpenBSD to become a murder profiler".

--
p

>frantisek holop is a shit eating moron who should
>be ignored by anyone who is not a shit eating moron...
>FUCK YOU holop.
>FUCK YOU holop.
>Please SHUT THE FUCK UP you stupid moron, frantisek holop.
>I beg all true @misc followers
>Search the archives for this shit eating moron's posts.
>He is nothing but a shit eating moron troll.
>
>On Fri, Jun 29, 2012, at 01:19 PM, Sunnz Yiu wrote:
>> On Jun 29, 2012 6:56 AM, "frantisek holop" wrote:
>> >
>> > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that
>> > > For dynamic content it's even simpler -- the program producing the
>> > > content should also provide the corresponding header information.
>> >
>> > and it does so inside the of the page.
>> > a perfectly normal and accepted practice.
>>
>> it'll do it in the http header if the developer for the dynamic page
>> knows
>> what they are doing.
Re: Manpage update for option "user " ?
On Tue, Jun 26, 2012 at 12:36:25PM +0100, Ti Zed wrote:
> Hello,
> recently, i migrated an old pf_old.conf file (OpenBSD 4.4) to the new
> pf_new.conf grammar of OpenBSD 5.0. In the pf_old.conf there is a line with a
> user restriction "user ". As the old manpage of pf.conf states, just
> tcp/udp protocols are handled and others ignored. Which means, in the
> pf_old.conf the rules are loaded even without tcp/udp flags. With the new
> version, the tcp/udp flags have to be set in the rule, otherwise an error is
> thrown (see below) and the rules will not be loaded into the pf engine.
> ...
> user only applies to tcp/udo
> ... skipping rule due to errors
>
> Unfortunately this can lead to faults during a migration (without the
> knowledge of this fact). From my point of view, the manpage of pf.conf
> should be updated with the comment that the option "user " HAS TO BE bound
> to a protocol, otherwise the rules will not be loaded.
>
> Kind regards

man page updated. thanks,
jmc
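The two rule forms the report contrasts, as an added pf.conf example that is not from the thread or from the pf.conf manual: the user names and ports are constructed placeholders.

```pf
# Added example, not from the thread. User names and ports are placeholders.

# Form that OpenBSD 5.0 pfctl rejects: "user" without a protocol. The old
# grammar loaded this and simply never matched non-tcp/udp packets; the
# new one reports that user only applies to tcp/udp, skips the rule, and
# the ruleset is not loaded at all.
#pass out on egress to any user _postfix

# Accepted forms: the user match is bound to tcp and/or udp, the only
# protocols it can ever match, since the owner is looked up on a socket.
pass out on egress proto tcp to any port smtp user _postfix
pass out on egress proto { tcp udp } to any port domain user _unbound
```

Running `pfctl -nf /etc/pf.conf` on the migrated file before loading it surfaces this error without touching the running ruleset, which is the check to run on every old pf.conf that carries a `user` or `group` restriction.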
dhcpd sync: truncated or invalid packet
Hi List,

i am using two machines in our network as DHCP servers and want to
synchronise them via the -Y and -y switches. After a while, they get out
of sync and have slight differences in their leasefiles.

After investigating a bit, i activated the sync_debug mode in
/usr/src/usr.sbin/dhcpd/sync.c by setting sync_debug != 0:

	int sync_debug = 1;

recompiled dhcpd and installed it. Watching the logs shows that the
messages aren't received properly:

on sparc64:
Jun 29 13:42:03 sparci dhcpd[23673]: DHCPREQUEST for 192.168.1.144 from 00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 sparci dhcpd[23673]: DHCPACK on 192.168.1.144 to 00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 sparci dhcpd[23673]: sending DHCP_SYNC_LEASE for hw 00:23:12:06:d6:34 -> ip 192.168.1.144, start 1340970122, end 1343562122
Jun 29 13:42:03 sparci dhcpd[23673]: sending sync message to 192.168.1.240 (192.168.1.240)
Jun 29 13:42:03 sparci dhcpd[23673]: sending sync message to 192.168.1.244 (192.168.1.244)
Jun 29 13:42:03 sparci dhcpd[23673]: 192.168.1.244(sync): truncated or invalid packet
Jun 29 13:42:03 sparci dhcpd[23673]: DHCPREQUEST for 192.168.1.144 from 00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 sparci dhcpd[23673]: DHCPACK on 192.168.1.144 to 00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 sparci dhcpd[23673]: sending DHCP_SYNC_LEASE for hw 00:23:12:06:d6:34 -> ip 192.168.1.144, start 1340970123, end 1343562123
Jun 29 13:42:03 sparci dhcpd[23673]: sending sync message to 192.168.1.240 (192.168.1.240)
Jun 29 13:42:03 sparci dhcpd[23673]: sending sync message to 192.168.1.244 (192.168.1.244)

on amd64 (virtual):
Jun 29 13:42:03 infra0 dhcpd[21062]: DHCPREQUEST for 192.168.1.144 from 00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 infra0 dhcpd[21062]: DHCPACK on 192.168.1.144 to 00:23:12:06:d6:34 via 192.168.1.242
Jun 29 13:42:03 infra0 dhcpd[21062]: sending DHCP_SYNC_LEASE for hw 00:23:12:06:d6:34 -> ip 192.168.1.144, start 1340970122, end 1343562122
Jun 29 13:42:03 infra0 dhcpd[21062]: sending sync message to 192.168.1.240 (192.168.1.240)
Jun 29 13:42:03 infra0 dhcpd[21062]: sending sync message to 192.168.1.241 (192.168.1.241)
Jun 29 13:42:03 infra0 dhcpd[21062]: 192.168.1.241(sync): truncated or invalid packet
Jun 29 13:42:03 infra0 dhcpd[21062]: 192.168.1.241(sync): truncated or invalid packet

on amd64 (real hardware):
Jun 29 13:42:03 infra1 dhcpd[11844]: 192.168.1.244(sync): truncated or invalid packet
Jun 29 13:42:03 infra1 dhcpd[11844]: 192.168.1.241(sync): truncated or invalid packet
Jun 29 13:42:03 infra1 dhcpd[11844]: 192.168.1.241(sync): truncated or invalid packet

These are log entries from three machines, to rule out anything being
related to the second host running on virtual hardware. The dhcpd syncs
are started in unicast mode with "-Y 192.168.1.244 -Y 192.168.1.240 -y
192.168.1.241" (on the sparc64, and vice versa on the other hosts).
Multicast syncs don't change the situation.

Is there anything i can do about the truncated messages to get this
working as it should?

marc
Re: Does pfsync require same firewall rules on each fw?
2012/6/29 Matt Hamilton :
> Hi All,
>
> Does pfsync require firewalls to have the same firewall rules on all
> hosts in the sync group? May seem an odd thing to ask, but I have a
> situation in which I have two firewalls on different sides of my
> network, each one connected to a different external
> network. Occasionally due to BGP weights etc we might get asymmetric
> packet flow and packets come into our network via one firewall and out
> via the other. This is a problem for pf's state system and the only
> way I've been able to work around it is to not keep state at all --
> obviously not a great idea.

Hi.

pfsync only synchronizes states. Which rules created them is irrelevant.
If you have a PI address space, you're probably fine. Don't forget to
provide a stable and possibly separate link between the routers, IPsec
tunnel or a VLAN, or don't rely on multicast and set syncpeers. On an
open network it can sometimes bite, which is probably caused by others
using similar multicast addresses, or I don't know.

> But, I was wondering... could I use pfsync to sync states across from
> one side of the network to the other? Do pfsync packets contain
> reference to the firewall rule number or specific interface? Or does
> it just have information specific to the packet itself (ie, src
> address, dst address, sequence numbers etc)?

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pfsync.h?rev=1.44

	struct pfsync_upd_c {
		u_int64_t			id;
		struct pfsync_state_peer	src;
		struct pfsync_state_peer	dst;
		u_int32_t			creatorid;
		u_int32_t			expire;
		u_int8_t			timeout;
		u_int8_t			state_flags;
		u_int8_t			_pad[2];
	} __packed;

Imagine what you would gain if you forced people to use the same rules
or even the same interface names. These are completely separate things.

--
Martin Pelikan
Re: OpenBSD's webpage design
frantisek holop is a shit eating moron who should
be ignored by anyone who is not a shit eating moron...
FUCK YOU holop.
FUCK YOU holop.
Please SHUT THE FUCK UP you stupid moron, frantisek holop.
I beg all true @misc followers
Search the archives for this shit eating moron's posts.
He is nothing but a shit eating moron troll.

On Fri, Jun 29, 2012, at 01:19 PM, Sunnz Yiu wrote:
> On Jun 29, 2012 6:56 AM, "frantisek holop" wrote:
> >
> > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that
> > > For dynamic content it's even simpler -- the program producing the
> > > content should also provide the corresponding header information.
> >
> > and it does so inside the of the page.
> > a perfectly normal and accepted practice.
>
> it'll do it in the http header if the developer for the dynamic page
> knows
> what they are doing.
Does pfsync require same firewall rules on each fw?
Hi All,

Does pfsync require firewalls to have the same firewall rules on all
hosts in the sync group? May seem an odd thing to ask, but I have a
situation in which I have two firewalls on different sides of my
network, each one connected to a different external
network. Occasionally due to BGP weights etc we might get asymmetric
packet flow and packets come into our network via one firewall and out
via the other. This is a problem for pf's state system and the only
way I've been able to work around it is to not keep state at all --
obviously not a great idea.

I'm hoping I might be able to re-arrange my network to a point where
this is not an issue and both external connections come into a single
OpenBSD box so that pf states can work.

But, I was wondering... could I use pfsync to sync states across from
one side of the network to the other? Do pfsync packets contain
reference to the firewall rule number or specific interface? Or does
it just have information specific to the packet itself (ie, src
address, dst address, sequence numbers etc)?

-Matt
Re: Fn keyboard issue on lenovo ideapad
hmm, on Fri, Jun 29, 2012 at 10:35:41AM +0300, Paul Irofti said that
> On Thu, Jun 28, 2012 at 08:24:46PM +0200, frantisek holop wrote:
> > hi there,
> >
> > it seems that the Fn key on my netbook is a bit too "eager".
> > it seems to work at first glance all right, fn+volume up/down,
> > fn+brightness works, though fn+rfkill does not.
>
> This is bugs@ material.
>
> Can you put the acpidump somewhere?

your wish is my command.
obiit.org/f/s100/

> Curious that acpithinkpad doesn't attach.

i paused about it as well, but strictly speaking this is not a
thinkpad. it's the other "family" 'ideapad'. there are other acpi
extensions in linux as well for some of the ideapads.

while we are at acpi, please also notice the acpicpu lines:

acpicpu0 at acpi0:, C3, C2, C1, PSS
                 ^
acpicpu1 at acpi0:, C3, C2, C1, PSS
acpicpu2 at acpi0:, C3, C2, C1, PSS
acpicpu3 at acpi0:, C3, C2, C1, PSS

-f
--
it is always dark if you don't open your eyes.
Re: OpenBSD's webpage design
hmm, on Fri, Jun 29, 2012 at 01:19:47PM +1000, Sunnz Yiu said that
> On Jun 29, 2012 6:56 AM, "frantisek holop" wrote:
> >
> > hmm, on Thu, Jun 28, 2012 at 04:15:56PM -0400, Dave Anderson said that
> > > For dynamic content it's even simpler -- the program producing the
> > > content should also provide the corresponding header information.
> >
> > and it does so inside the of the page.
> > a perfectly normal and accepted practice.
>
> it'll do it in the http header if the developer for the dynamic page knows
> what they are doing.

still, it is not the webserver doing it.

-f
--
even if you win the rat race, you're still a rat.
SIL 3512 sata card dma errors
Hi!

I'm using a SIL 3512A (BIOS ver. 4.3.79) SATA raid card with two disks
connected to it. When I'm starting an I/O intensive archive unpacking
from wd0 to wd1, I get DMA errors on the console. If I unpack from wd0
-> wd0, then it seems fine. I've replaced/switched cables and replaced
wd1 too. I can not get a dmesg at the moment, sorry, but I'll post it
later when I get to the machine. It is an old Pentium 4 2.4 GHz and runs
5.1-base. I've tried to remove every other PCI card and left just the
SIL, but I could still reproduce this error.

Here is a transcript of the error messages:

wd1(pciide0:1:0): timeout type: ata c_bcount: 16384 c_skip: 0
pciide0:1:0: bus_master DMA error: missing interrupt, status=0x21
pciide0 channel 1: reset failed for drive 0
wd1d: device timeout writing fsbn 124405184 of 124405184-124405215 (wd1 bn 146426976; cn 145264 tn 13 sn 45), retrying
pciide0:1:0: not ready, st=0xd1, err=0x00
pciide0 channel 1: reset failed for drive 0
wd1d: device timeout writing fsbn 124405184 of 124405184-124405215 (wd1 bn 146426976; cn 145264 tn 13 sn 45), retrying

Does anyone have a clue what I should do? I assume the problem is with
wd1, is this correct? I could not replace wd0, but if it could be the
problem then I'll reinstall the system to another disk. I'll also try to
update the SIL card's BIOS. Should I try -current with this problem?

Thanks,
Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Re: Fn keyboard issue on lenovo ideapad
On Thu, Jun 28, 2012 at 08:24:46PM +0200, frantisek holop wrote:
> hi there,
>
> it seems that the Fn key on my netbook is a bit too "eager".
> it seems to work at first glance all right, fn+volume up/down,
> fn+brightness works, though fn+rfkill does not.

This is bugs@ material.

Can you put the acpidump somewhere?

Curious that acpithinkpad doesn't attach.