Re: OpenBSD 6-stable vmd
Thanks for the update, ml. The VM just did it again in the middle of backspacing over uname -a...

$ uname -a
OpenBSD vmmbsd.labs.h-i-r.net 6.0 GENERIC.MP#0 amd64
$ un <-- frozen

Spinning like mad.

[axon@transient ~]$ vmctl status
   ID   PID VCPUS MAXMEM CURMEM        TTY NAME
    2  2769     1  512MB  149MB /dev/ttyp3 -c
    1 48245     1  512MB  211MB /dev/ttyp0 obsdvmm.vm
[axon@transient ~]$ ps aux | grep 48245
_vmd     48245 98.5  2.3 526880 136956 ??  Rp    1:54PM   47:08.30 vmd: obsdvmm.vm (vmd)

load averages:  2.43,  2.36,  2.26              transient.my.domain 18:29:10
56 processes: 53 idle, 3 on processor                              up 4:35
CPU0 states:  3.8% user,  0.0% nice, 15.4% system,  0.6% interrupt, 80.2% idle
CPU1 states: 15.3% user,  0.0% nice, 49.3% system,  0.0% interrupt, 35.4% idle
CPU2 states:  6.6% user,  0.0% nice, 24.3% system,  0.0% interrupt, 69.1% idle
CPU3 states:  4.7% user,  0.0% nice, 18.1% system,  0.0% interrupt, 77.2% idle
Memory: Real: 1401M/2183M act/tot Free: 3443M Cache: 536M Swap: 0K/4007M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
48245 _vmd      43    0  515M  134M onproc    thrslee  47:37 98.00% vmd
 7234 axon       2    0  737M  715M sleep     poll     33:18 19.14% firefox
42481 _x11      55    0   16M   42M onproc    -         2:53  9.96% Xorg
 2769 _vmd      29    0  514M   62M idle      thrslee   2:29  9.62% vmd
13503 axon      10    0  512K 2496K sleep     nanosle   0:52  1.12% wmapm
76008 axon      10    0  524K 2588K sleep     nanosle   0:10  0.73% wmmon
57059 axon      10    0  248M  258M sleep     nanosle   0:08  0.34% wmnet
23088 axon       2    0  580K 2532K sleep     select    0:10  0.00% wmclockmon
64041 axon       2    0 3752K   10M sleep     poll      0:05  0.00% wmaker
16919 axon       2    0 7484K   20M sleep     poll      0:04  0.00% xfce4-terminal
    1 root      10    0  408K  460K idle      wait      0:01  0.00% init
80619 _ntp       2  -20  880K 2480K sleep     poll      0:01  0.00% ntpd
 9014 _pflogd    4    0  672K  408K sleep     bpf       0:01  0.00% pflogd
58764 root      10    0 2052K 7524K idle      wait      0:01  0.00% slim

On Mon, Oct 24, 2016 at 10:47 PM, Mike Larkin wrote:

> On Mon, Oct 24, 2016 at 07:36:48PM -0500, Ax0n wrote:
> > I suppose I'll ask here since it seems on-topic for this thread. Let me
> > know if I shouldn't do this in the future. I've been testing vmm for
> > exactly a week on two different snapshots. I have two VMs: One running the
> > same snapshot (amd64, Oct 22) I'm running on the host vm, the other running
> > amd64 6.0-RELEASE with no patches of any kind.
> >
> > For some reason, the vm running a recent snapshot locks up occasionally
> > while I'm interacting with it via cu or occasionally ssh. Should I expect a
> > ddb prompt and/or kernel panic messages via the virtualized serial console?
> > Is there some kind of "break" command on the console to get into ddb when
> > it appears to hang? A "No" or "Not yet" on those two questions would
> > suffice if not possible. I know this isn't supported, and appreciate the
> > hard work.
> >
> > Host dmesg:
> > http://stuff.h-i-r.net/2016-10-22.Aspire5733Z.dmesg.txt
> >
> > VM (Oct 22 Snapshot) dmesg:
> > http://stuff.h-i-r.net/2016-10-22.vmm.dmesg.txt
> >
>
> These look fine. Not sure why it would have locked up. Is the associated vmd
> process idle, or spinning like mad?
>
> -ml
>
> > Second:
> > I'm using vm.conf (contents below) to start the aforementioned snapshot vm
> > at boot.
> > There's a "disable" line inside vm.conf to keep one VM from spinning up
> > with vmd. Is there a way to start this one with vmctl aside from passing
> > all the options to vmctl as below?
> >
> > doas vmctl start -c -d OBSD-RELa -i 1 -k /home/axon/obsd/amd64/bsd -m 512M
> >
> > I've tried stuff along the lines of:
> > doas vmctl start OBSD-RELa.vm
> >
> > vm "obsdvmm.vm" {
> >     memory 512M
> >     kernel "bsd"
> >     disk "/home/axon/vmm/OBSD6"
> >     interface tap
> > }
> > vm "OBSD-RELa.vm" {
> >     memory 512M
> >     kernel "/home/axon/obsd/amd64/bsd"
> >     disk "/home/axon/vmm/OBSD-RELa"
> >     interface tap
> >     disable
> > }
> >
>
> I think this is being worked on, but not done yet.
>
> -ml
Re: OpenBSD 6-stable vmd
On Mon, Oct 24, 2016 at 07:36:48PM -0500, Ax0n wrote:
> I suppose I'll ask here since it seems on-topic for this thread. Let me
> know if I shouldn't do this in the future. I've been testing vmm for
> exactly a week on two different snapshots. I have two VMs: One running the
> same snapshot (amd64, Oct 22) I'm running on the host vm, the other running
> amd64 6.0-RELEASE with no patches of any kind.
>
> For some reason, the vm running a recent snapshot locks up occasionally
> while I'm interacting with it via cu or occasionally ssh. Should I expect a
> ddb prompt and/or kernel panic messages via the virtualized serial console?
> Is there some kind of "break" command on the console to get into ddb when
> it appears to hang? A "No" or "Not yet" on those two questions would
> suffice if not possible. I know this isn't supported, and appreciate the
> hard work.
>
> Host dmesg:
> http://stuff.h-i-r.net/2016-10-22.Aspire5733Z.dmesg.txt
>
> VM (Oct 22 Snapshot) dmesg:
> http://stuff.h-i-r.net/2016-10-22.vmm.dmesg.txt
>

These look fine. Not sure why it would have locked up. Is the associated vmd
process idle, or spinning like mad?

-ml

> Second:
> I'm using vm.conf (contents below) to start the aforementioned snapshot vm
> at boot.
> There's a "disable" line inside vm.conf to keep one VM from spinning up
> with vmd. Is there a way to start this one with vmctl aside from passing
> all the options to vmctl as below?
>
> doas vmctl start -c -d OBSD-RELa -i 1 -k /home/axon/obsd/amd64/bsd -m 512M
>
> I've tried stuff along the lines of:
> doas vmctl start OBSD-RELa.vm
>
> vm "obsdvmm.vm" {
>     memory 512M
>     kernel "bsd"
>     disk "/home/axon/vmm/OBSD6"
>     interface tap
> }
> vm "OBSD-RELa.vm" {
>     memory 512M
>     kernel "/home/axon/obsd/amd64/bsd"
>     disk "/home/axon/vmm/OBSD-RELa"
>     interface tap
>     disable
> }
>

I think this is being worked on, but not done yet.

-ml
Re: OpenBSD 6-stable vmd
I suppose I'll ask here since it seems on-topic for this thread. Let me
know if I shouldn't do this in the future. I've been testing vmm for
exactly a week on two different snapshots. I have two VMs: One running the
same snapshot (amd64, Oct 22) I'm running on the host vm, the other running
amd64 6.0-RELEASE with no patches of any kind.

For some reason, the vm running a recent snapshot locks up occasionally
while I'm interacting with it via cu or occasionally ssh. Should I expect a
ddb prompt and/or kernel panic messages via the virtualized serial console?
Is there some kind of "break" command on the console to get into ddb when
it appears to hang? A "No" or "Not yet" on those two questions would
suffice if not possible. I know this isn't supported, and appreciate the
hard work.

Host dmesg:
http://stuff.h-i-r.net/2016-10-22.Aspire5733Z.dmesg.txt

VM (Oct 22 Snapshot) dmesg:
http://stuff.h-i-r.net/2016-10-22.vmm.dmesg.txt

Second:
I'm using vm.conf (contents below) to start the aforementioned snapshot vm
at boot.
There's a "disable" line inside vm.conf to keep one VM from spinning up
with vmd. Is there a way to start this one with vmctl aside from passing
all the options to vmctl as below?

doas vmctl start -c -d OBSD-RELa -i 1 -k /home/axon/obsd/amd64/bsd -m 512M

I've tried stuff along the lines of:
doas vmctl start OBSD-RELa.vm

vm "obsdvmm.vm" {
    memory 512M
    kernel "bsd"
    disk "/home/axon/vmm/OBSD6"
    interface tap
}
vm "OBSD-RELa.vm" {
    memory 512M
    kernel "/home/axon/obsd/amd64/bsd"
    disk "/home/axon/vmm/OBSD-RELa"
    interface tap
    disable
}

On Mon, Oct 24, 2016 at 4:58 PM, R0me0 *** wrote:

> Hey @Peter, one more time thanks so much for the heads up :)
>
> For those that are interested.
>
> I'm running OpenBSD-Current under VMware-Workstation 12 ( just need to set
> processor properties to virtualize intel VT-x/EPT or AMD-V/RVI )
>
> And have fun to test VMD
>
> :)
>
> Thank you
>
>
> 2016-10-22 8:43 GMT-02:00 R0me0 *** :
>
> > Hey Peter ,
> >
> > Thank you for the advice, I'll get current
> >
> > Cheers dude !
> >
> > (:
> >
> >
> > 2016-10-22 6:44 GMT-02:00 Peter Hessler :
> >
> >> This isn't expected to work at all. That is why it was disabled.
> >> You'll need to upgrade the Hypervisor to -current, or to 6.1 when it is
> >> released.
> >>
> >>
> >> On 2016 Oct 22 (Sat) at 00:06:08 -0200 (-0200), R0me0 *** wrote:
> >> :Hello misc.
> >> :
> >> :For testing purposes
> >> :
> >> :I compiled kernel with vmd support.
> >> :
> >> :After start the vm -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k
> >> /bsd.rd
> >> :
> >> :I created a bridge and added vether0 and tap0
> >> :
> >> :In the vm I have configured an ip 192.168.1.30
> >> :
> >> :If I perform ping from OpenBSD Hypervisor -> ping 192.168.1.30 all
> >> packages
> >> :are sent and received "on the fly"
> >> :
> >> :But if I perform the same step from "myvm", there is no packet loss but
> >> the
> >> :packets take so long to be sent and consecutively replied
> >> :
> >> :I am performing these tests on Linux running Vmware Workstation 12 .
> >> :
> >> :Is this behavior expected ?
> >> :
> >> :Any directions will be appreciated.
> >> :
> >> :Thank you
> >> :
> >> :myvm dmesg:
Re: OpenBSD 6-stable vmd
Hey @Peter, one more time thanks so much for the heads up :)

For those that are interested.

I'm running OpenBSD-Current under VMware-Workstation 12 ( just need to set
processor properties to virtualize intel VT-x/EPT or AMD-V/RVI )

And have fun to test VMD

:)

Thank you

2016-10-22 8:43 GMT-02:00 R0me0 ***:

> Hey Peter ,
>
> Thank you for the advice, I'll get current
>
> Cheers dude !
>
> (:
>
>
> 2016-10-22 6:44 GMT-02:00 Peter Hessler :
>
>> This isn't expected to work at all. That is why it was disabled.
>> You'll need to upgrade the Hypervisor to -current, or to 6.1 when it is
>> released.
>>
>>
>> On 2016 Oct 22 (Sat) at 00:06:08 -0200 (-0200), R0me0 *** wrote:
>> :Hello misc.
>> :
>> :For testing purposes
>> :
>> :I compiled kernel with vmd support.
>> :
>> :After start the vm -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k
>> /bsd.rd
>> :
>> :I created a bridge and added vether0 and tap0
>> :
>> :In the vm I have configured an ip 192.168.1.30
>> :
>> :If I perform ping from OpenBSD Hypervisor -> ping 192.168.1.30 all
>> packages
>> :are sent and received "on the fly"
>> :
>> :But if I perform the same step from "myvm", there is no packet loss but
>> the
>> :packets take so long to be sent and consecutively replied
>> :
>> :I am performing these tests on Linux running Vmware Workstation 12 .
>> :
>> :Is this behavior expected ?
>> :
>> :Any directions will be appreciated.
>> :
>> :Thank you
>> :
>> :myvm dmesg:
>> :
>> :openbsd hypervisor :
dante socksify authenticate a different user
Hello,

Can someone provide a sample configuration for socks.conf to use the socks5
protocol with authentication? After basic configuration it uses a system
user, but I have a different username for the proxy server.

Here is /etc/socks.conf:

route {
    from: 0.0.0.0/0 to: 0.0.0.0/0 via: x.x.x.x port = 1080
    proxyprotocol: socks_v5 # server supports socks v5.
}

This is the only thing modified after pkg_add dante.

OpenBSD rkm.my.domain 6.0 GENERIC.MP#2319 amd64

--
Regards,
Rashad
Re: pf rule for openvpn
Assuming you block the traffic by default

pf.conf

block log all

# tcpdump -e -ttt -ni pflog0 action block

You will be able to see what exactly is being blocked :)

-Regards

2016-10-24 12:19 GMT-02:00 Kenneth Gober:

> On Sun, Oct 23, 2016 at 4:46 PM, Thuban wrote:
> > Here are the relevant parts of my pf.conf :
> >
> > ext_if = "re0"
> > tcp_pass = "{ gopher ipp 8000 }"
> > udp_pass = "{ 1194 }"
> >
> > pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> > pass in quick on $ext_if proto udp to any port $udp_pass keep state
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
> >
> > pass out on $ext_if proto { tcp udp icmp } all modulate state
>
> Do you have rules that allow traffic in from tun0? Something like:
>
> pass in quick on tun0 keep state
>
> Otherwise traffic will reach OpenVPN but get no further, being blocked
> coming out of the tunnel.
>
> -ken
Re: openbsd bgp problem send /128 ipv6 announcement for remote blackhole
On Mon, Oct 24, 2016 at 04:03:01PM +0200, Thomas Boernert wrote:
> Dear List,
>
> with ipv4 it works fine:
> bgpctl network add ipv4-address/32 community 1:0
>
> but with ipv6 it won't work:
>
> # bgpctl network add ipv6-address/128 community 1:0
> request sent.
>
> => but no update will be sent to the neighbor, checked with
> tcpdump too, no packet will be sent.
>
> # bgpctl sh network
> flags: S = Static
> flags destination
> *S 0 ipv4/21 0.0.0.0
> *S 0 ipv6/32 ::
> *0 ipv6-address/128 ::
>
> => it looks ok

You look in the wrong place. That is parts of the FIB and not the RIB.

bgpctl show rib empty-as
or
bgpctl show rib

This should give you more ideas what goes wrong.

> i tried to run bgpd in foreground and verbose mode, but no message.
>
> i also tried to add this line to bgpd.conf
>
> allow from group "isp1" prefix myipv6prefix/32 prefixlen = 128 community 1:0
> or
> allow to group "isp1" prefix myipv6prefix/32 prefixlen = 128 community 1:0
>
> same problem.
>
> Has anyone an idea ?
>
> Thanks
>
> Thomas
>
> This message was sent using webmail of www.tbits.net.

--
:wq Claudio
Re: pf rule for openvpn
On Sun, Oct 23, 2016 at 4:46 PM, Thuban wrote:
> Here are the relevant parts of my pf.conf :
>
> ext_if = "re0"
> tcp_pass = "{ gopher ipp 8000 }"
> udp_pass = "{ 1194 }"
>
> pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> pass in quick on $ext_if proto udp to any port $udp_pass keep state
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
>
> pass out on $ext_if proto { tcp udp icmp } all modulate state

Do you have rules that allow traffic in from tun0? Something like:

pass in quick on tun0 keep state

Otherwise traffic will reach OpenVPN but get no further, being blocked
coming out of the tunnel.

-ken
openbsd bgp problem send /128 ipv6 announcement for remote blackhole
Dear List,

with ipv4 it works fine:
bgpctl network add ipv4-address/32 community 1:0

but with ipv6 it won't work:

# bgpctl network add ipv6-address/128 community 1:0
request sent.

=> but no update will be sent to the neighbor, checked with
tcpdump too, no packet will be sent.

# bgpctl sh network
flags: S = Static
flags destination
*S 0 ipv4/21 0.0.0.0
*S 0 ipv6/32 ::
*0 ipv6-address/128 ::

=> it looks ok

i tried to run bgpd in foreground and verbose mode, but no message.

i also tried to add this line to bgpd.conf

allow from group "isp1" prefix myipv6prefix/32 prefixlen = 128 community 1:0
or
allow to group "isp1" prefix myipv6prefix/32 prefixlen = 128 community 1:0

same problem.

Has anyone an idea ?

Thanks

Thomas

This message was sent using webmail of www.tbits.net.
Re: dmidecode and access to /dev/mem denied
On Fri, Oct 21, 2016 at 11:56 AM, Theo de Raadt wrote:
> For the simple reason that this is 2016 not 1986, and userland code that
> can sniff through the kernel's physical address space is a ridiculous
> process. It needs to die; or have proper device driver interface that
> gives it exactly what it needs.

And if anyone is wondering why and has not been a part of the discussions,
here's an illustration of the issue:

http://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing/

(That said, if you do not see this message because of that url and
filtering, ... there will be nothing I am going to do about that.)

--
Raul
Re: pf rule for openvpn
* Predrag Punosevac on [23-10-2016 20:18:27 -0400]:
> On 23-10-2016 at 17:01, Thuban wrote:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to the
> > vpn. But they can't access the web.
> >
> > I guess the problem comes from this pf rule :
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
>
> Hi,
>
> I saw your e-mail this morning but I had no idea what to make out of it
> as I am confused about your network topology. I was also not impressed
> that you were following some howto from the internet. Both PF and
> OpenVPN are well documented. Grab the books and read it.
>

The link to the howto was to avoid long explanations.
Anyway, here is some more information.

I'm pretty sure I'm wrong to redirect packets. What I want is this :
VPN Clients -> Server -> Web simply.

openvpn configuration :

dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 80.67.169.12"
push "redirect-gateway def1"
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
daemon openvpn
group _openvpn
user _openvpn
keepalive 10 120
management 127.0.0.1 1195 /etc/openvpn/private/mgmt.pwd
max-clients 100
persist-key
persist-tun
port 1194
proto udp
comp-lzo
client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
auth-nocache
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3

/etc/pf.conf :

ext_if = "re0"                          # interface
ssh_port = ""                           # ssh port
http_ports = "{ www https }"            # http(s) ports
mail_ports = "{ submission imaps }"     # mail ports
tcp_pass = "{ gopher ipp 8000 }"        # open tcp ports
udp_pass = "{ 1194 }"                   # open udp ports

set block-policy drop       # block silently
set skip on lo              # no filtering on loopback
set limit table-entries 40

## tables for the nasty bruteforcers
table persist
table persist
table persist

# antispam with greylisting
table persist
table persist file "/etc/mail/nospamd"
table persist

## Packet handling ##
match in all scrub (no-df)      # fragmented packets
block in quick from urpf-failed

## Firewall rules ##
# block everything by default
block log all

# block blacklisted ips
block in log quick proto tcp from to any port $http_ports
block in log quick proto tcp from to any port $ssh_port

# antispam
pass in on $ext_if proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from to any port smtp
pass in on $ext_if proto tcp from to any port smtp
pass in quick on $ext_if proto tcp from to any port smtp

# If more than 3 connections every 60 seconds on the ssh port,
# add the ip to the table to block it.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
    (max-src-conn-rate 5/60, overload flush global)

# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the ip to the table to block it.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
    (max-src-conn-rate 50/5, overload flush)

# Bruteforce protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
    (max-src-conn-rate 10/60, overload flush global)

# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp all icmp-type { echoreq, unreach }

# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state

# vpn
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

# everything open outbound
pass out on $ext_if proto { tcp udp icmp } all modulate state

Regards.
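Ken's diagnosis above is that nothing in this ruleset passes the decrypted client traffic in on tun0, so "block log all" eats it. As an added example (not code from anyone in this thread), the Python checker below reads an OpenVPN server config and a pf.conf, derives the tunnel interface and client subnet, expands the pf macros, and reports whether a "pass in" rule on that interface and a "nat-to" rule for that subnet exist. The embedded configs are constructed from the fragments quoted in the thread; the check only understands the literal interface name given by "dev", not a bare "tun" with a dynamically assigned unit.

```python
import re

# Constructed sample inputs, built from the fragments quoted in this thread;
# they are not the poster's complete configuration files.
OPENVPN_CONF = """\
dev tun0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
"""

PF_CONF = """\
ext_if = "re0"                     # egress interface
tcp_pass = "{ gopher ipp 8000 }"
udp_pass = "{ 1194 }"
set skip on lo
block log all
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
pass out on $ext_if proto { tcp udp icmp } all modulate state
"""
# The same ruleset plus the rule Ken suggested.
PF_CONF_FIXED = PF_CONF + "pass in quick on tun0 keep state\n"

def mask_to_prefixlen(mask):
    """255.255.255.0 -> 24 (count the set bits of a dotted netmask)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))

def parse_openvpn(text):
    """Return (tunnel interface, client subnet as CIDR) from a server config."""
    dev = subnet = None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "dev":
            dev = parts[1]
        elif parts[0] == "server" and len(parts) >= 3:
            subnet = f"{parts[1]}/{mask_to_prefixlen(parts[2])}"
    return dev, subnet

def expand_macros(text):
    """Drop macro definitions, substitute $name elsewhere, strip comments."""
    macros, rules = {}, []
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$', line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line)
    return rules

def check_vpn_rules(openvpn_text, pf_text):
    """List the pf rules a routed OpenVPN server needs that are missing."""
    dev, subnet = parse_openvpn(openvpn_text)
    if not dev or not subnet:
        return {"dev": dev, "subnet": subnet, "problems": ["openvpn config lacks 'dev' or 'server'"]}
    rules = expand_macros(pf_text)
    skipped = set()                       # 'set skip on' interfaces are never filtered
    for r in rules:
        if r.startswith("set skip on"):
            skipped.update(r[len("set skip on"):].strip("{} ").split())
    pass_in = any(re.match(rf"pass\s+in\b.*\bon\s+{re.escape(dev)}\b", r) for r in rules)
    nat = any(re.match(rf"pass\s+out\b.*\bfrom\s+{re.escape(subnet)}\b.*\bnat-to\b", r)
              for r in rules)
    problems = []
    if not pass_in and dev not in skipped:
        problems.append(f"no 'pass in ... on {dev}' rule: decrypted client packets leaving the tunnel hit the default block")
    if not nat:
        problems.append(f"no 'pass out ... from {subnet} ... nat-to' rule: client traffic is not translated on egress")
    return {"dev": dev, "subnet": subnet, "problems": problems}
```

Running check_vpn_rules on the posted ruleset reports only the missing tun0 rule; on PF_CONF_FIXED it reports nothing.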
Re: How to analyse excessive PF states?
On Sat, 22 Oct 2016 18:12:37 +0200, Federico Giannici wrote:

> We have a firewall with OpenBSD 6.0 amd64 that handles about 1.5 Gbps
> of traffic.
>
> I noticed that from a few weeks the number of states is increased
> from around 250.000 to almost 2 millions (no change in PF config)!
>
> At the same time the firewall started losing a few packets (around
> 1-2%, with peaks of 4%). Maybe this is due to too many states to
> handle?

Hard to tell for the number of states but you have some PF congestions,
which is bad.

Did you try to augment the sysctl net.inet.ip.ifq.maxlen ?
In my previous setup that helped a bit against congestion
(net.inet.ip.ifq.maxlen=2048).

Regards,