Re: broadcast relay
On Sat, Nov 07, 2015 at 03:33:04PM +, Sébastien Morand wrote:
> > Hi,
> >
> > I'm trying to relay a broadcast message.
> >
> > I've tried the following in pf:
> >
> > pass in quick proto udp from any to vlan1:broadcast port 3121 rdr-to vlan3:broadcast port 3121
> > pass out quick on vlan3 from any to vlan3:broadcast nat-to vlan3
> >
> > with no success. Any chance to do it with pf?
> >
> > Other tools?
> >
> Hi,
>
> Complementary: can pf rdr to unicast a broadcast packet?
>
> Thanks in advance,
> Sebastien

Hi, maybe you could adapt dhcrelay(8) from base to your needs? See /usr/src/usr.sbin/dhcrelay

HTH
rru
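For readers who end up writing a userland relay along the lines rru suggests, here is an added example (not code from this thread, not dhcrelay, and not OpenBSD code) of what such a relay has to guard against: it only forwards datagrams whose source is on the ingress subnet, never forwards its own traffic (loop prevention), and rate-limits per source so the relay cannot be used to multiply traffic onto the egress segment. Port 3121 comes from the original post; the subnets 192.0.2.0/24 (vlan1), 198.51.100.0/24 (vlan3) and the relay's addresses on them are constructed placeholders.

```python
"""Userland UDP broadcast relay with loop prevention and per-source rate limiting.

Added example, not from the thread. Addressing below is constructed:
the relay holds .1 on both subnets and copies datagrams arriving on the
vlan1 broadcast address, port 3121, to the vlan3 broadcast address.
"""
import ipaddress
import socket
import time

PORT = 3121                                            # from the original post
INGRESS_NET = ipaddress.ip_network("192.0.2.0/24")     # vlan1 (constructed)
EGRESS_NET = ipaddress.ip_network("198.51.100.0/24")   # vlan3 (constructed)
EGRESS_ADDR = "198.51.100.1"                           # relay's vlan3 address (constructed)
RELAY_ADDRS = {"192.0.2.1", EGRESS_ADDR}               # never relay our own packets


class RelayPolicy:
    """Decides whether one datagram may be relayed.

    Three checks: the source must not be the relay itself (a relayed copy
    sourced from EGRESS_ADDR must never come back around), the source must
    lie on the ingress subnet (drops spoofed or routed-in packets), and a
    per-source token bucket bounds how much a single host can push through.
    """

    def __init__(self, rate_per_sec=20, burst=40):
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets = {}  # source ip -> (tokens, last_update)

    def allow(self, src_ip, now=None):
        now = time.monotonic() if now is None else now
        if src_ip in RELAY_ADDRS:
            return False
        if ipaddress.ip_address(src_ip) not in INGRESS_NET:
            return False
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[src_ip] = (tokens, now)
            return False
        self.buckets[src_ip] = (tokens - 1, now)
        return True


def relay_forever(policy):
    """Receive on the ingress broadcast address and re-broadcast on the egress side."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Binding to the subnet broadcast address delivers only broadcasts for it.
    rx.bind((str(INGRESS_NET.broadcast_address), PORT))

    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    tx.bind((EGRESS_ADDR, 0))  # source the copy from the egress interface
    while True:
        data, (src_ip, _src_port) = rx.recvfrom(65535)
        if policy.allow(src_ip):
            tx.sendto(data, (str(EGRESS_NET.broadcast_address), PORT))


if __name__ == "__main__":
    relay_forever(RelayPolicy())
```

The policy object is kept separate from the socket loop so the forwarding rules can be exercised without interfaces; `now` is injectable for the same reason.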
Re: Making IPv6 NAT prefer privacy address
On 22-09-2015 15:06, Daniel Gillen wrote:
> Hi
>
> I currently have the following rule to nat traffic out to the internet:
>
> match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)
>
> But this chooses from one of the configured addresses (using round-robin).
>
> Is there a way I can configure pf to prefer the privacy address (the one
> without my MAC in it)?
>
> Thx in advance
>
> Daniel
>

Daniel,

I've managed to accomplish this by using dhcpcd with the slaac private option. You need first to activate the interface with the inet6 -autoconf option, so you'll get only the link-local address. When you run dhcpcd it will configure only a private address on the interface, thus solving your issue. You don't need to make pf prefer the privacy address, because there will only be one address on the interface.

Cheers,
Giancarlo Razzolini
pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used
Precondition: /etc/pf.conf contains src_addr/dst_addr set to FQDNs

On boot, the console shows an error about not being able to load pf.conf because it can't resolve the symbolic names.

http://www.openbsd.org/faq/faq6.html#Setup.activate says:

   "... if you had specified a DNS-resolved symbolic name in any of
   the files, you would probably find it worked as expected after
   reconfigure, but on initial boot, your external resolver may
   not be available, so the configuration will fail."

but I thought that the statement might be limited to `netstat`, and /etc/rc runs `netstat` before loading the firewall rules. So I'm not sure why it's not working...

Anybody run into this before? - is the fix to add all the symbolic names to /etc/hosts?

Thanks,
Kent
Re: USB mouse often not detected
On Tue, Nov 10, 2015 at 10:47:24AM +0100, Stefan Sperling wrote: >We need a dmesg from both of you. OpenBSD 5.8 (GENERIC.MP) #1: Wed Oct 14 19:38:08 CEST 2015 jas...@stable-58-amd64.mtier.org:/binpatchng/work-binpatch58-amd64/src/sys/arch/amd64/compile/GENERIC.MP real mem = 4160245760 (3967MB) avail mem = 4030267392 (3843MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb450 (75 entries) bios0: vendor American Megatrends Inc. version "F22" date 11/14/2013 bios0: Gigabyte Technology Co., Ltd. Z77-D3H acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC MCFG HPET SSDT SSDT SSDT DMAR acpi0: wakeup devices PS2K(S3) PS2M(S3) P0P1(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) [...] acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz, 3403.85 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 100MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz, 3403.36 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT 
cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz, 3403.36 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu2: 256KB 64b/line 8-way L2 cache cpu2: smt 0, core 2, package 0 cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz, 3403.36 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu3: 256KB 64b/line 8-way L2 cache cpu3: smt 0, core 3, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins acpimcfg0 at acpi0 addr 0xf800, bus 0-63 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (P0P1) acpiprt2 at acpi0: bus 1 (RP01) acpiprt3 at acpi0: bus -1 (RP02) acpiprt4 at acpi0: bus -1 (RP03) acpiprt5 at acpi0: bus -1 (RP04) acpiprt6 at acpi0: bus -1 (RP05) acpiprt7 at acpi0: bus 2 (RP06) acpiprt8 at acpi0: bus 4 (RP07) acpiprt9 at acpi0: bus 5 (RP08) acpiprt10 at acpi0: bus -1 (PEG0) acpiprt11 at acpi0: bus -1 (PEG1) acpiprt12 at acpi0: bus -1 (PEG2) acpiprt13 at acpi0: bus -1 (PEG3) acpiec0 at acpi0: not present acpicpu0 at acpi0: C3(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS acpicpu1 at acpi0: C3(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS acpicpu2 at acpi0: C3(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS acpicpu3 at acpi0: C3(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS acpipwrres0 at acpi0: FN00, resource for FAN0 
acpipwrres1 at acpi0: FN01, resource for FAN1 acpipwrres2 at acpi0: FN02, resource for FAN2 acpipwrres3 at acpi0: FN03, resource for FAN3 acpipwrres4 at acpi0: FN04, resource for FAN4 acpitz0 at acpi0: critical temperature is 106 degC acpitz1 at acpi0: critical temperature is 106 degC acpibat0 at acpi0: BAT0 not present acpibat1 at acpi0: BAT1 not present acpibat2 at acpi0: BAT2 not present acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: LID0 acpivideo0 at acpi0: GFX0 acpivout0 at acpivideo0: DD02 cpu0: Enhanced SpeedStep 3403 MHz: speeds: 3801, 3800, 3600, 3500, 3300, 3200, 3000, 2900, 2700, 2500, 2400, 2200, 2100, 1900, 1800, 1600 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "Intel Core 3G Host" rev 0x09 vga1 at pci0 dev 2 function 0 "Intel HD Graphics 2500" rev 0x09 intagp at vga1 not configured inteldrm0 at vga1 drm0 at inteldrm0 inteldrm0: 1280x1024 wsdisplay0 at vga1 mux 1: console (std, vt100 emulation) wsdisplay0: screen 1-5 added (std, vt100 emulation)
Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used
On 10-11-2015 13:58, Kent Watsen wrote:
> Precondition: /etc/pf.conf contains src_addr/dst_addr set to FQDNs
>
> On boot, the console shows an error about not being able to load pf.conf
> because it can't resolve the symbolic names.

If your resolver can't be accessed, this will happen.

>
> http://www.openbsd.org/faq/faq6.html#Setup.activate says:
>
>    "... if you had specified a DNS-resolved symbolic name in any of
>    the files, you would probably find it worked as expected after
>    reconfigure, but on initial boot, your external resolver may
>    not be available, so the configuration will fail."
>
> but I thought that the statement might be limited to `netstat`, and
> /etc/rc runs `netstat` before loading the firewall rules. So I'm not
> sure why it's not working...

As a general rule you should avoid using DNS names in anything that might cause the boot process to fail. Even more, you should really avoid using names in hostname.if files.

>
> Anybody run into this before? - is the fix to add all the symbolic
> names to /etc/hosts?

Well, if the hosts have fixed addresses, you'd be better off using macros in pf.conf that translate to their IP addresses. This way you won't run into boot issues (or reload issues, in case your resolver is down). This has the added inconvenience that you need to update your pf.conf file manually every time an address changes.

Now, if you really, really need to use FQDNs in pf.conf, my suggestion is that you use ifstated to detect if your link is up and your resolver working, and then load the rules into an anchor afterwards. Also, you can update the anchor to reflect any uplink unavailability.

Or you can use unbound with local-zones or an unbound + nsd combo, if you also need authoritative. I think you'll need to hack your /etc/rc file to load them before your pf.conf is loaded.

Cheers,
Giancarlo Razzolini
Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used
On 15-11-10 01:45 PM, Giancarlo Razzolini wrote:
> As a general rule you should avoid using DNS names in anything that might
> cause the boot process to fail. Even more, you should really avoid using
> names in hostname.if files.
>
>> Anybody run into this before? - is the fix to add all the symbolic
>> names to /etc/hosts?
>
> Well, if the hosts have fixed addresses, you'd be better off using macros in
> pf.conf that translate to their IP addresses. This way you won't run into
> boot issues (or reload issues, in case your resolver is down). This has the
> added inconvenience that you need to update your pf.conf file manually every
> time an address changes.
>
> Now, if you really, really need to use FQDNs in pf.conf, my suggestion is
> that you use ifstated to detect if your link is up and your resolver
> working, and then load the rules into an anchor afterwards. Also, you can
> update the anchor to reflect any uplink unavailability.
>
> Or you can use unbound with local-zones or an unbound + nsd combo, if you
> also need authoritative. I think you'll need to hack your /etc/rc file to
> load them before your pf.conf is loaded.

FWIW, yes, putting the entries into /etc/hosts *will* work, and it avoids the need to use pf.conf macros, ifstated, etc. However, it now means that you have to ensure /etc/hosts remains 100% accurate... although I shudder to think of using ifstated and anchors to do this, it does avoid the /etc/hosts maintenance problem.

And make no mistake: you *will* eventually forget to update /etc/hosts. Absolutely, 100% guaranteed.

-Adam
Re: USB mouse often not detected
Hi,

I reinstalled OpenBSD 5.8 and updated to stable again, so I now have a clean install. The only thing I configured manually is: I added 'apmd_flags="-A"' in /etc/rc.conf.local to do CPU frequency scaling, while I'm not sure my system supports it.

It seems a randomly occurring problem. My mouse: "vendor 0x USB OPTICAL MOUSE". It's wholesale cheap stuff. Other OSes don't show the problem, and that makes me believe the mouse is doing alright. I happen to have two of them, so to be certain I'll swap it and test this new configuration in a few days. I'll keep you informed.

I wouldn't be surprised if this cheap piece of hardware would have some minor incompatibility that only a correct OS's (OpenBSD) driver would crash upon. :-) (That doesn't explain Maurice's identical problem using a Logitech mouse. Also, to my knowledge a crashed driver would raise an error message which I didn't see.)

Here are my dmesg outputs that might help. Of course if you want to see more files, I'd be happy to provide them. Also if you come up with some ideas I could test, let me know. (I won't be available for a few days however.)

My dmesg detecting the mouse:

OpenBSD 5.8-stable (GENERIC.MP) #0: Tue Nov 10 19:15:31 CET 2015 r...@test.example.com:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,xTPR,PERF real mem = 2675343360 (2551MB) avail mem = 2609262592 (2488MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: date 06/16/04, BIOS32 rev. 0 @ 0xeb560, SMBIOS rev. 2.3 @ 0xeeae0 (63 entries) bios0: vendor Hewlett-Packard version "786C1 v01.05" date 06/16/2004 bios0: Hewlett-Packard HP Compaq dc7100 SFF(DX878AV) acpi0 at bios0: rev 0 acpi0: sleep states S0 S1 S3 S4 S5 acpi0: tables DSDT FACP SSDT APIC ASF! 
MCFG acpi0: wakeup devices PCI0(S4) PEG1(S4) PCX1(S4) PCX2(S4) PCX4(S4) HUB_(S4) COM1(S4) COM2(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) EUSB(S3) PBTN(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 199MHz cpu0: mwait min=64, max=64 cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,xTPR,PERF ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 1 acpimcfg0 at acpi0 addr 0xd000, bus 0-255 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 32 (PCX1) acpiprt2 at acpi0: bus 64 (PCX2) acpiprt3 at acpi0: bus -1 (PCX4) acpiprt4 at acpi0: bus 5 (HUB_) acpicpu0 at acpi0: C1(@1 halt!) acpicpu1 at acpi0: C1(@1 halt!) acpibtn0 at acpi0: PBTN bios0: ROM list: 0xc/0xa800! 0xca800/0x1000 0xcb800/0x2000 0xe9c00/0x6400! 
pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 "Intel 82915G Host" rev 0x04 vga1 at pci0 dev 2 function 0 "Intel 82915G Video" rev 0x04 intagp0 at vga1 agp0 at intagp0: aperture at 0xe000, size 0x1000 inteldrm0 at vga1 drm0 at inteldrm0 inteldrm0: 1024x768 wsdisplay0 at vga1 mux 1: console (std, vt100 emulation) wsdisplay0: screen 1-5 added (std, vt100 emulation) "Intel 82915G Video" rev 0x04 at pci0 dev 2 function 1 not configured ppb0 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03 pci1 at ppb0 bus 32 ppb1 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x03: apic 1 int 17 pci2 at ppb1 bus 64 bge0 at pci2 dev 0 function 0 "Broadcom BCM5751" rev 0x01, BCM5750 A1 (0x4001): apic 1 int 17, address 00:12:79:67:d1:01 brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0 uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: apic 1 int 20 uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: apic 1 int 18 uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: apic 1 int 21 uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: apic 1 int 22 ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: apic 1 int 20 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd3 pci3 at ppb2 bus 5 auich0 at pci0 dev 30 function 2 "Intel 82801FB AC97" rev 0x03: apic 1 int 21, ICH6 AC97 ac97: codec id 0x41445374 (Analog Devices AD1981B) ac97: codec features headphone, 20 bit DAC, No 3D Stereo audio0 at auich0 ichpcib0 at pci0 dev 31 function 0 "Intel 82801FB LPC" rev 0x03: PM disabled pciide0 at pci0 dev 31 function 1 "Intel 82801FB IDE" rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to
Re: USB mouse often not detected
Paco Willers wrote on 2015-11-10 07:53:
> Hi,
>
> When using a PS/2 mouse everything worked fine. I swapped it for a USB
> mouse, but this mouse isn't always detected while booting my (386-based)
> OpenBSD 5.8-stable system. Replugging the mouse when the system is running
> usually solves the problem: the mouse is detected and works fine. Sometimes
> this replugging needs to be done several times on different USB ports for
> it to have effect.
>
> Before sending this message I checked whether the mouse itself is the
> problem because it's a cheap one, so I tried other OSes (Debian Linux 8.2,
> NetBSD 7.0 and FreeBSD 10.2) and the problem was gone, so my mouse looks
> OK. Possibly the problem is in the combination of my hardware with OpenBSD.
> However I would like to use OpenBSD. :)
>
> Is this a known problem? I saw some people on this mailing list having
> trouble with USB mouses periodically reconnecting, but that's not my
> problem: most of the time it isn't detected at all.

I have the same issue, but much less frequent. I guess it happens one out of 20 or 30 times I start the machine, and replugging it once (in the same port) always makes it work. And once it works, it keeps working without any further issues.

I run 5.8-stable/amd64, but this also happened on 5.7-stable (and I think also on older versions).

Maurice
Re: USB mouse often not detected
Sure, I'll post it when I'm at home. :)

2015-11-10 10:47 GMT+01:00 Stefan Sperling:
>
> We need a dmesg from both of you.
Re: USB mouse often not detected
On Tue, Nov 10, 2015 at 08:28:24AM +0100, Maurice Janssen wrote:
> Paco Willers wrote on 2015-11-10 07:53:
> >Hi,
> >
> >When using a PS/2 mouse everything worked fine. I swapped it for a USB
> >mouse, but this mouse isn't always detected while booting my (386-based)
> >OpenBSD 5.8-stable system. Replugging the mouse when the system is running
> >usually solves the problem: the mouse is detected and works fine.
> >Sometimes this replugging needs to be done several times on different USB
> >ports for it to have effect.
> >
> >Before sending this message I checked whether the mouse itself is the
> >problem because it's a cheap one, so I tried other OSes (Debian Linux 8.2,
> >NetBSD 7.0 and FreeBSD 10.2) and the problem was gone, so my mouse looks
> >OK. Possibly the problem is in the combination of my hardware with
> >OpenBSD. However I would like to use OpenBSD. :)
> >
> >Is this a known problem? I saw some people on this mailing list having
> >trouble with USB mouses periodically reconnecting, but that's not my
> >problem: most of the time it isn't detected at all.
>
> I have the same issue, but much less frequent. I guess it happens one out
> of 20 or 30 times I start the machine, and replugging it once (in the same
> port) always makes it work. And once it works, it keeps working without any
> further issues.
> I run 5.8-stable/amd64, but this also happened on 5.7-stable (and I think
> also on older versions).
>
> Maurice

We need a dmesg from both of you.
Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used
Hi Kent,

On 2015-11-10 Tue 10:58 AM, Kent Watsen wrote:
>
> Anybody run into this before? - is the fix to add all the symbolic
> names to /etc/hosts?
>

Yes, use /etc/hosts. Same for hostnames in /etc/syslog.conf if using localhost unbound as the only nameserver in /etc/resolv.conf.

Then also:

1) have a daily script that updates /etc/hosts' IP addresses. But you must remember to add/remove the names manually.

2) reload pf's rules in /etc/rc.local - for when /etc/hosts is wrong...

Cheers.

--
The reason computer chips are so small is computers don't eat much.
Ipsec tunnel not starting after update to recent snapshot
(( I have been trying to send this message all day - this is my third attempt -- I am sorry if it appears multiple times suddenly, but not sure why it is not posting to the list... ))

Hello

I recently updated to the 11-9 amd64 snapshot. I had started following current, and, in general, seem to be doing fine. But, after this last update, an IPsec tunnel that I have been using for months/years all of a sudden is not coming up with a system reboot.

I have not changed the ipsec.conf files in a really long time. So, I did not include them, but can if necessary. The important point (I think) is that I am using some FQDNs with dynamic IPs.

What I have noticed is that the "dynamic" side of the tunnel seems to be trying to connect, but the "passive" side refuses to accept the connection. On the passive side, I get this:

...
Nov 10 10:21:46 xxx isakmpd[12622]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Nov 10 10:21:46 xxx isakmpd[12622]: message_negotiate_sa: no compatible proposal found
Nov 10 10:21:46 xxx isakmpd[12622]: dropped message from a.b.c.d port 500 due to notification type NO_PROPOSAL_CHOSEN
...

So, I understand this is because isakmpd is "falling back" to a default 3DES setting, and the AES proposal from the dynamic side of the tunnel is being rejected. This led me to the dmesg on the passive host:

...
starting early daemons: syslogd pflogd ntpd isakmpd.
no IP address found for ipsec1.FQDN.com
/etc/ipsec.conf: 40: could not parse host specification
no IP address found for ipsec1.FQDN.com
/etc/ipsec.conf: 41: could not parse host specification
no IP address found for ipsec2.FQDN.com
/etc/ipsec.conf: 42: could not parse host specification
no IP address found for ipsec2.FQDN.com
/etc/ipsec.conf: 43: could not parse host specification
ipsecctl: Syntax error in config file: ipsec rules not loaded
...

So, I reload the ipsec.conf file manually - "ipsecctl -f /etc/ipsec.conf" - and the tunnel goes up.

Now, on the dynamic host, there is no issue loading ipsec at boot - dmesg for the dynamic host:

...
starting early daemons: syslogd pflogd ntpd isakmpd.
starting RPC daemons:.
...

As I said, no changes to ipsec.conf, and it was working last week before the current snapshot. I don't see anything in 'following current' about changes to ipsec configuration. Also, both ends of the tunnel point to the same resolver (openDNS) during the boot up process. If it was an issue with the resolver, I would have expected a problem on both ends of the tunnel.

The confusing thing to me is why a line like:

"ike passive esp from $local_ip to $remote_gw srcid $local_id dstid $remote_id"

is failing during boot with "could not parse host specification." But, a line like:

"ike dynamic esp from $local_ip to $remote_gw srcid $local_id dstid $remote_id"

works without an issue.

So, am I missing something, or is this a bug? And, if so, what should I do?

Thanks
Ted W.
Re: Firewall rules and features
On 2015-11-10, sven falempin wrote:
> Ok, I agree, and thank you for the accurate answer.
>
> OTOH the server was rejecting all the other requests (I do not think it
> was badly configured) and it ended up rejecting the good ones also (after
> a long time of use).
> I first looked in the nsd manpages to see if I could figure out why and
> found nothing (a log like "I reject packet because ...").
> I tried verbosity: 2, ratelimit: 1024 (but nsd wasn't up to date - NSD
> version 3.2.5).
> I wanted to have a workaround; of course there is another authoritative to
> answer, therefore I ended up filtering content.

Sounds like you should first update, then if the problem persists work on tracking down the problem you see with NSD. Or outsource it (maybe run your server as a "hidden master" and use a DNS provider that will secondary from you; http://efball.com/dns/ lists free-of-charge ones).

> If I run an authoritative server can I filter to answer to only certain IP
> addresses? Like a list of public/root DNS?

You are missing some knowledge of how DNS works. The root servers don't send queries, they answer them. There is no such list of addresses (and it wouldn't help anyway - lots of queries from different places for various "random".whatever.com will still give you problems).

> My next step was to look at dnssec, which would be nice to have anyway.

That is not going to make this any better.

> On Mon, Nov 9, 2015 at 10:34 PM, Nick Holland wrote:
>
>> > with iptables i was able to add
>> > <-m string --hex-string whatever|03|com>
>> > in the rules.
>> >
>> > So i only accept DNS requests that matter to me.

L7 filtering to remove DNS attack traffic can be useful, but mostly where it's done it is to carefully remove specific packets (e.g. if you have a bunch of spoofed queries trying to use you as a bouncer/amplifier and you can identify them from certain bits in the query).

>> > Is there a way? (something simpler than diverting to a
>> > sort of grep -v).
>>
>> I'd call that a wrong way to do it, definitely.
>>
>> If your name server is configured properly, it should be ignoring domain
>> requests it isn't authoritative for. Not a problem.

It should be returning REFUSED rather than just ignoring, so it is still sending out packets (possibly to an unwitting victim). It can be a problem on the DNS server or firewall too, e.g. if it fills the PF state table.
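To make the REFUSED point concrete, here is an added example (not NSD code and not from this thread) of the decision an authoritative server makes per query: parse the question, check the QNAME against the zones it serves, and for anything else build a REFUSED response. The response is exactly the size of the query (header plus echoed question), which is why a correctly configured server is a poor amplifier even though it still sends a packet back toward a possibly spoofed source. The zone list and the sample queries are constructed.

```python
"""Authoritative-scope check and REFUSED builder for DNS queries over UDP.

Added example, not NSD's code. AUTHORITATIVE_ZONES is a constructed list;
build_query() produces constructed sample input for demonstration.
"""
import struct

AUTHORITATIVE_ZONES = ("example.com.", "example.net.")  # constructed


def parse_qname(msg, offset):
    """Parse an uncompressed name at offset; return (lowercased FQDN, next offset)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:  # 0xC0 prefix would be a compression pointer: invalid in a question
            raise ValueError("bad label length")
        label = msg[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        offset += length
    return ".".join(labels) + ".", offset


def parse_query(msg):
    """Validate the 12-byte header and the single question; raise ValueError on junk."""
    if len(msg) < 12:
        raise ValueError("short header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(msg, 12)
    if len(msg) < off + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": qid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question_end": off + 4}


def in_authoritative_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def build_refused(msg, q):
    """QR=1, RD copied from the query, RCODE=5 (REFUSED), question echoed, no records."""
    flags = 0x8000 | (q["flags"] & 0x0100) | 0x0005
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + msg[12:q["question_end"]]


def handle(msg):
    """('drop', None) for malformed input, ('answer', parsed) when the name is in a
    served zone (hand-off to real zone lookup), ('refused', response) otherwise."""
    try:
        q = parse_query(msg)
    except ValueError:
        return "drop", None
    if in_authoritative_zone(q["qname"]):
        return "answer", q
    return "refused", build_refused(msg, q)


def rcode_of(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def build_query(qid, name, qtype=1):
    """Constructed sample input: a recursion-desired query for `name`, class IN."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    body += b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + body


def serve(bind_addr=("127.0.0.1", 5353)):
    """Minimal UDP loop around handle(); answering served zones is left to real code."""
    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(bind_addr)
    while True:
        data, peer = s.recvfrom(512)
        action, out = handle(data)
        if action == "refused":
            s.sendto(out, peer)
```

Malformed packets are dropped silently rather than refused: there is no well-formed ID and question to echo, and answering them would only reward a sender probing the parser.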
Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used
On 11/10/15 10:57, Kent Watsen wrote:
> Precondition: /etc/pf.conf contains src_addr/dst_addr set to FQDNs
>
> On boot, the console shows an error about not being able to load pf.conf
> because it can't resolve the symbolic names.
>
> http://www.openbsd.org/faq/faq6.html#Setup.activate says:
>
>    "... if you had specified a DNS-resolved symbolic name in any of
>    the files, you would probably find it worked as expected after
>    reconfigure, but on initial boot, your external resolver may
>    not be available, so the configuration will fail."
>
> but I thought that the statement might be limited to `netstat`, and
> /etc/rc runs `netstat` before loading the firewall rules. So I'm not
> sure why it's not working...
>
> Anybody run into this before? - is the fix to add all the symbolic
> names to /etc/hosts?

adding yet another voice, though a somewhat different answer: don't use symbolic names.

Here's the thing: PF works on IP addresses. NOT DNS names. While you might argue DNS names resolve to IP addresses, they do NOT have a 1:1 correlation. You will end up with problems someday that might take a bit of investigation to figure out.

Long long ago, a company I used to work for had a firewall that Wasn't My Problem. Or so I thought. It would block various sites management didn't want people going to; the user would just end up at a friendly site saying, "we don't want you to go here". Management decided that webmail was not something they wanted people going to, so they blocked most of the known major webmail services. But every once in a while, when someone would go to Google, they would get the "Blocked!" message. It was rare, but definitely happening, and it could happen all over the company. And half an hour later...problem is gone...only to appear later on someone else's computer.

Maybe you are ahead of me. If so, congratulate yourself, I puzzled over this for a few weeks.

Turned out the way this firewall blocked SITES was by resolving the name, and adding redirections for those addresses. Someone entered "gmail.google.com" into that table, and it quickly got lost among all the other entries. On boot, the firewall would resolve gmail.google.com, put the one or five or whatever entries in the block/redirect table, and forget about it. Well...you see, google uses a massive front-end infrastructure for most or all of their services, and the requested name would dictate the route through the load balancers. So...this firewall was blocking probably one or five of the HUNDREDS or THOUSANDS of IP addresses Google would return for ANY of its services. So once in a while, gmail.google.com was blocked, but sometimes so was www.google.com.

The point is...if you put in a DNS name, odds are you are going to end up thinking you are blocking/passing/redirecting a DNS name..when in reality, you are whatevering JUST the IP address that it resolves to at the time the firewall rules were loaded. You may have missed a lot, or it may move.

IF you are really in a situation where the only things you are trying to manage with DNS names are simple 1:1 name:ip mappings, an easy solution would be to have your pf.conf file be a "stub" with enough to let the system come up, then a post-boot and periodic (re)load of the "real" rules in a separate file.

Nick.
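One way to implement the "stub pf.conf plus post-boot reload" that Nick describes, as an added example (not from this thread and not OpenBSD code): pf.conf references only a persistent table, and a script run from rc.local or cron resolves the names once the resolver is reachable and replaces the table with `pfctl -t <table> -T replace -f <file>`. The table name `remote_hosts`, the FQDNs and the addresses are constructed. The one caveat the script enforces is the failure mode Nick warns about in a different form: a partial resolution never replaces the table, because a silently shrunken table either blocks traffic or, under a block rule, stops blocking it. The ipsec.conf report earlier in this digest is the same root cause (no resolver at boot) but this script addresses pf only.

```python
#!/usr/bin/env python3
"""Resolve FQDNs after boot and load them into a pf table.

Added example, not from the thread. Assumed pf.conf stub (constructed):

    table <remote_hosts> persist
    pass out proto tcp to <remote_hosts> port 443

Run this script from /etc/rc.local (backgrounded) and from cron to refresh.
"""
import ipaddress
import socket
import subprocess
import sys
import tempfile
import time

TABLE = "remote_hosts"                              # assumed table name in pf.conf
NAMES = ["vpn.example.com", "backup.example.net"]   # constructed FQDNs
ATTEMPTS, DELAY = 30, 10                            # wait up to ~5 minutes for the resolver


def default_lookup(name):
    """All A/AAAA answers for name; raises OSError (socket.gaierror) if unresolvable."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def resolve_all(names, lookup=default_lookup):
    """Return (sorted unique addresses as strings, names that failed to resolve)."""
    addrs, failed = set(), []
    for name in names:
        try:
            for a in lookup(name):
                addrs.add(ipaddress.ip_address(a))  # validates the resolver's output
        except (OSError, ValueError):
            failed.append(name)
    ordered = sorted(addrs, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered], failed


def plan(names, lookup=default_lookup):
    """Decide 'replace' only when every name resolved; otherwise 'keep' the old table.

    A partial list must not reach pf: dropping hosts from the table silently changes
    what the rules do, which is worse than running one refresh cycle late.
    """
    addrs, failed = resolve_all(names, lookup)
    action = "replace" if addrs and not failed else "keep"
    return action, addrs, failed


def table_file_contents(addrs):
    """pfctl's table file format: one address per line."""
    return "".join(a + "\n" for a in addrs)


def load_table(addrs, table=TABLE):
    """Swap the table contents atomically with pfctl(8)."""
    with tempfile.NamedTemporaryFile("w", suffix=".pftable", delete=False) as f:
        f.write(table_file_contents(addrs))
        path = f.name
    subprocess.run(["pfctl", "-t", table, "-T", "replace", "-f", path], check=True)


def main():
    for attempt in range(1, ATTEMPTS + 1):
        action, addrs, failed = plan(NAMES)
        if action == "replace":
            load_table(addrs)
            print(f"{TABLE}: loaded {len(addrs)} addresses")
            return 0
        print(f"attempt {attempt}: unresolved {failed}; keeping current table", file=sys.stderr)
        time.sleep(DELAY)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The `persist` keyword keeps the table alive between rule loads so an empty or stale table never makes the rule set fail to parse; the resolver is injected into `plan()` so the decision logic can be checked without network access.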
Re: Rspamd with smtpd
> On 11.11.2015 at 05:44, Daniel Ouellet wrote:
>
> Does anyone use this port yet, Rspamd?
>
> I saw Stuart + a few helpers making a port of Rspamd. Only on current
> now, so I installed current on a server and tried to run it.
>
> But anyone have any clue stick to provide on how to actually plug it
> with smtpd?

I do not use it, but I guess you can use it in LDA mode with "... deliver to mda rspamc..." in smtpd.conf, as described here https://rspamd.com/doc/integration.html

> Looks like Rspamd accepts only input via the http standard.
>
> I have to say google provided me more questions than answers.
>
> I thought that maybe relaying to the rspamd port 11333 where it is
> listening would work, but well, it's not coming back on port 11334
> that appears to definitely be listening for http requests.
>
> In any case, either port doesn't do it.
>
> It appears to be a nice port to use and fast, but well, can't figure out
> how to use it yet...
>
> # telnet 127.0.0.1 11333
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> EHLO home.ouellet.biz
> Connection closed by foreign host.
>
> # telnet 127.0.0.1 11334
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> EHLO home.ouellet.biz
> HTTP/1.1 14 (NULL)
> Connection: close
> Server: rspamd/1.0.9
> Date: Wed, 11 Nov 2015 04:43:20 GMT
> Content-Length: 38
> Content-Type: text/plain
>
> HTTP parser error: invalid HTTP methodConnection closed by foreign host.
>
> So, how one can or would use this if I would like to try it?
Rspamd with smtpd
Does anyone use this port yet, Rspamd?

I saw Stuart + a few helpers making a port of Rspamd. Only on current now, so I installed current on a server and tried to run it.

But anyone have any clue stick to provide on how to actually plug it with smtpd?

Looks like Rspamd accepts only input via the http standard.

I have to say google provided me more questions than answers.

I thought that maybe relaying to the rspamd port 11333 where it is listening would work, but well, it's not coming back on port 11334 that appears to definitely be listening for http requests.

In any case, either port doesn't do it.

It appears to be a nice port to use and fast, but well, can't figure out how to use it yet...

# telnet 127.0.0.1 11333
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
EHLO home.ouellet.biz
Connection closed by foreign host.

# telnet 127.0.0.1 11334
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
EHLO home.ouellet.biz
HTTP/1.1 14 (NULL)
Connection: close
Server: rspamd/1.0.9
Date: Wed, 11 Nov 2015 04:43:20 GMT
Content-Length: 38
Content-Type: text/plain

HTTP parser error: invalid HTTP methodConnection closed by foreign host.

So, how one can or would use this if I would like to try it?
Fwd: USB mouse often not detected
-- Forwarded message --
From: Notofsoundmind
Date: Tue, Nov 10, 2015 at 5:47 PM
Subject: Re: USB mouse often not detected
To: Paco Willers

Hello everyone,

I am having a similar problem with USB. At times I can attach a device (mouse, keyboard, external HDD) and the machine will recognize it immediately. Other times this is not the case, and I have to unplug and replug multiple times for it to work. Also these devices will randomly disconnect, and I get the message "ehci_sync_hc: tsleep() = 35". After much thought I assumed the problem may be related to the nVidia hardware on the motherboard, so I ordered another motherboard without nVidia components.

My dmesg as follows:

OpenBSD 5.8 (GENERIC) #1170: Sun Aug 16 02:26:00 MDT 2015 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC real mem = 1056636928 (1007MB) avail mem = 1020821504 (973MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf906f (4 entries) bios0: vendor American Megatrends Inc. 
version "P2.40" date 07/16/2007 acpi0 at bios0: rev 0 acpi0: sleep states S0 S1 S4 S5 acpi0: tables DSDT FACP APIC OEMB acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) USB0(S4) MAC_(S5) AC97(S4) USB1(S4) USB2(S4) P0P1(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Athlon(tm) 64 Processor 3000+, 2010.03 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: AMD erratum 89 present, BIOS upgrade may be required mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 200MHz ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 1 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 2 (P0P1) acpicpu0 at acpi0: C1(@1 halt!), PSS acpipwrres0 at acpi0: ISAV, resource for IDE0 acpibtn0 at acpi0: PWRB cpu0: Cool'n'Quiet K8 2010 MHz: speeds: 2000 1800 1000 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "NVIDIA nForce3 250 PCI Host" rev 0xa1 agp at pchb0 not configured pcib0 at pci0 dev 1 function 0 "NVIDIA nForce3 250 ISA" rev 0xa2 nviic0 at pci0 dev 1 function 1 "NVIDIA nForce3 250 SMBus" rev 0xa1 iic0 at nviic0 spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0 iic1 at nviic0 ohci0 at pci0 dev 2 function 0 "NVIDIA nForce3 250 USB" rev 0xa1: apic 1 int 9, version 1.0, legacy support ohci1 at pci0 dev 2 function 1 "NVIDIA nForce3 250 USB" rev 0xa1: apic 1 int 5, version 1.0, legacy support ehci0 at pci0 dev 2 function 2 "NVIDIA nForce3 250 USB" rev 0xa2: apic 1 int 3 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "NVIDIA EHCI 
root hub" rev 2.00/1.00 addr 1 nfe0 at pci0 dev 5 function 0 "NVIDIA nForce3 LAN" rev 0xa2: apic 1 int 9, address 00:19:66:54:59:33 rlphy0 at nfe0 phy 1: RTL8201L 10/100 PHY, rev. 1 auich0 at pci0 dev 6 function 0 "NVIDIA nForce3 250 AC97" rev 0xa1: apic 1 int 9, nForce3 AC97 ac97: codec id 0x414c4790 (Avance Logic ALC850 rev 0) audio0 at auich0 pciide0 at pci0 dev 8 function 0 "NVIDIA nForce3 250 IDE" rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) atapiscsi0 at pciide0 channel 1 drive 1 scsibus1 at atapiscsi0: 2 targets cd0 at scsibus1 targ 0 lun 0: ATAPI 5/cdrom removable cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2 pciide1 at pci0 dev 10 function 0 "NVIDIA nForce3 250 SATA" rev 0xa2: DMA pciide1: using apic 1 int 10 for native-PCI interrupt wd0 at pciide1 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 ppb0 at pci0 dev 11 function 0 "NVIDIA nForce3 250 AGP" rev 0xa2 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 "NVIDIA GeForce FX 5500" rev 0xa1 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) ppb1 at pci0 dev 14 function 0 "NVIDIA nForce3 250" rev 0xa2 pci2 at ppb1 bus 2 rl0 at pci2 dev 5 function 0 "Realtek 8139" rev 0x10: apic 1 int 9, address 00:e0:52:9d:a1:08 rlphy1 at rl0 phy 0: RTL internal PHY pchb1 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00 pchb2 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00 pchb3 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00 kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00 isa0 at pcib0 isadma0 at isa0 fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head,