usage of pf overload table option inside anchors
Hi,

How does one use the overload state option inside an anchor? I'm running -current (7th November snapshot) 64bit; sample pf configurations follow with two different configuration attempts. Both print the following warning:

pfctl: warning: namespace collision with global table.

sample pf configurations below:

# note: the <table> names after "table", "from" and "overload" were stripped by the list archive
table icmp_types = "{ echoreq, unreach }"
ext_if=""
int_if="{ em1 em2 em3 }"
int_networks="{ em1:network, em2:network, em3:network }"
v6broker=""
v6resolver=""
mediacenter=""

set skip on lo
set loginterface egress

block drop in all
antispoof quick for (egress)

match proto { udp tcp } to port { domain ntp } set prio 6
match proto tcp to port ssh set prio 6
match in all scrub (no-df max-mss 1440)

anchor "inet" on $ext_if {
    block quick from
    block all
    pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
    pass inet proto icmp all icmp-type $icmp_types tag GOOD
    pass in inet proto {tcp,udp} from any to any port 4 rdr-to $mediacenter tag GOOD
    pass in inet proto tcp from any to any port {80,443} tag GOOD
    pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload flush global ) tag GOOD
    pass out from (self) to any tag GOOD
    pass out inet from $int_networks to any nat-to (egress) tag GOOD
    match out inet from $int_networks to any nat-to (egress) tag GOOD
    pass out inet6 from em2:network to any tag GOOD
    pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
    block quick inet ! tagged GOOD
}

# > pfctl -f /etc/pf.conf
pfctl: warning: namespace collision with global table.
# note: the <table> names after "table", "from" and "overload" were stripped by the list archive
table icmp_types = "{ echoreq, unreach }"
ext_if=""
int_if="{ em1 em2 em3 }"
int_networks="{ em1:network, em2:network, em3:network }"
v6broker=""
v6resolver=""
mediacenter=""

set skip on lo
set loginterface egress

block drop in all
antispoof quick for (egress)

match proto { udp tcp } to port { domain ntp } set prio 6
match proto tcp to port ssh set prio 6
match in all scrub (no-df max-mss 1440)

anchor "inet" on $ext_if {
    block quick from
    block all
    pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
    pass inet proto icmp all icmp-type $icmp_types tag GOOD
    pass in inet proto {tcp,udp} from any to any port 4 rdr-to $mediacenter tag GOOD
    pass in inet proto tcp from any to any port {80,443} tag GOOD
    pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload flush global ) tag GOOD
    pass out from (self) to any tag GOOD
    pass out inet from $int_networks to any nat-to (egress) tag GOOD
    match out inet from $int_networks to any nat-to (egress) tag GOOD
    pass out inet6 from em2:network to any tag GOOD
    pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
    block quick inet ! tagged GOOD
}

# > pfctl -f /etc/pf.conf
pfctl: warning: namespace collision with global table.

Thank you for your help,
Pedro Caetano
Re: Dell R930 server
| Does OBSD "see" all the 96*128G memory available ?

Out of curiosity, what needs that much memory today? Do you want to use a ramdisk?

Thanks.
Re: Removal of old libraries
On Tue, Nov 8, 2016 at 12:53 AM, Clint Pachl wrote:
> Ax0n wrote on 09/03/16 13:12:
>> I've got a Toshiba NB305 netbook that's been my daily-use laptop for more
>> than 6 years now. The last fresh install I did was OpenBSD 4.9-RELEASE in
>> early May 2011. I've been quite happy with how it works, and I've been
>> doing bsd.rd upgrades and M:Tier binary updates ever since.
>>
>> There is a lot of seemingly unused cruft in /usr/local/lib -- stuff with an
>> atime of my last level 0 dump several months ago. Looks like pkg_add -u
>> left a bunch of stuff behind. Is there a recommended way to clean this
>> stuff up, or should I just start chopping away with something like:
>>
>> find /usr/local/lib -type f -atime +90 | doas xargs rm
>>
>> (after a new level 0 dump, obviously...)
>
> I've been removing the old system during the upgrade script since 4.9,
> coincidentally. I haven't had a problem yet while upgrading two production
> servers and my two laptops, from release to release.
>
> After selecting the OS sets during the upgrade, but before hitting ENTER,
> type ! at the "Set name(s)?" prompt to enter a shell. Then run:
> `cd /mnt && rm -rf bin sbin usr/!(local) && exit`. Then just hit enter and
> continue running the upgrade script.
>
> WARNING: this will wipe out your system, so if the upgrade fails for some
> reason, you are TOTALLY SCREWED!
>
> I periodically (every few releases) clean out /usr/local. First, get a
> list of manually installed packages using `pkg_info -m`. Then uninstall
> everything. It is interesting to see what gets left behind. If any garbage
> is left over, remove it. Then reinstall from your generated list. I don't
> do this very often anymore as `pkg_delete -a` seems to clean up quite well.
>
> As insurance, I take level 0 dumps just before upgrading or cleaning
> /usr/local. Also, one of my laptops is a spare that has all the same
> software installed as the production servers and my main laptop. So this
> laptop is a test run if you will. If there are quirks, my main laptop is my
> second chance to make sure I know what the hell I'm doing before finally
> upgrading my two production systems.
>
> Also, just a public announcement, test your restore-from-backup process
> once in awhile.
>
> I've always thought about sharing this process, but always thought it is
> probably not the best advice.

Clint,

pkg_add sysclean

This will restore your system as close to a new install as possible. What you are doing is quite dangerous.
Re: IPSec flow not properly routed
On 2016-11-08, Mik J wrote:
> OpenBSD: 6.0
>
> Hello,
>
> I have an ipsec vpn set up but I don't understand why my packets are going
> out on the wrong interface.
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 192.168.8.0/24 to 10.2.89.224/27 peer remote.y.y.y srcid external.ip.x.x/32 dstid remote.y.y.y/32 type use
> flow esp out from 10.2.89.224/27 to 192.168.8.0/24 peer remote.y.y.y srcid external.ip.x.x/32 dstid remote.y.y.y/32 type require
>
> SAD:
> esp tunnel from remote.y.y.y to external.ip.x.x spi 0x779061a9 auth hmac-sha1 enc aes-256
> esp tunnel from external.ip.x.x to remote.y.y.y spi 0xfd952672 auth hmac-sha1 enc aes-256
>
> When I ping 192.168.8.1 it's going out on OpenBSD external interface and
> doesn't get into the tunnel.
>
> # tcpdump -n -i vmx0 icmp
>
> 08:23:35.881059 external.ip.x.x > 192.168.8.1: icmp: echo request

The external IP is not covered by the flow. Try ping -I 10.2.89.whatever 192.168.8.1.
(OpenBSD only has flow-based IPsec, not route-based.)

> I have another OpenBSD version 5.8 and everything is working properly For
> example

Do you have some extra route on that machine causing it to change the source address?
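The reply's point, that a flow-based tunnel only catches packets whose source and destination both sit inside an "out" flow, as an added example that is not part of the thread: a small checker that reads the from/to fields of ipsecctl -sa FLOWS lines and tests a candidate ping against them. The peer and external addresses standing in for remote.y.y.y and external.ip.x.x are constructed.

```python
import ipaddress
import re

# Constructed stand-ins for the anonymised peer in the quoted ipsecctl output.
FLOWS = """\
flow esp in from 192.168.8.0/24 to 10.2.89.224/27 peer 203.0.113.9 type use
flow esp out from 10.2.89.224/27 to 192.168.8.0/24 peer 203.0.113.9 type require
"""

FLOW_RE = re.compile(r"flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)")


def parse_flows(text):
    """Return (direction, src_net, dst_net) tuples from ipsecctl -sa FLOWS lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:  # a bare host address becomes a /32 network
            flows.append((m["dir"],
                          ipaddress.ip_network(m["src"], strict=False),
                          ipaddress.ip_network(m["dst"], strict=False)))
    return flows


def matching_flow(flows, src, dst, direction="out"):
    """First flow whose src and dst networks both cover the packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for fdir, snet, dnet in flows:
        if fdir == direction and s in snet and d in dnet:
            return (fdir, snet, dnet)
    return None


def explain(flows, src, dst):
    """Describe what happens to an outbound packet from src to dst."""
    f = matching_flow(flows, src, dst)
    if f is None:
        return f"{src} -> {dst}: no out flow covers it, so it is not tunnelled"
    return f"{src} -> {dst}: matches flow {f[1]} -> {f[2]}, so it is tunnelled"


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    # Source picked by the routing table: the external address (constructed).
    print(explain(flows, "198.51.100.7", "192.168.8.1"))
    # Source forced with ping -I to an address inside the flow's src network.
    print(explain(flows, "10.2.89.230", "192.168.8.1"))
```

The first call reproduces the tcpdump line in the question (external source, no flow match); the second shows why forcing the source with ping -I fixes it.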
Re: Simple example for httpd fastcgi
Well, does it mean I have to have a folder /var/www/cgi-bin/hydrus/data to put my scripts in, or does it mean I need to have a cgi-bin folder under /var/www/htdocs/hydrus/data?

regards

Markus

On 06.11.2016 at 16:37, Mark Willson wrote:
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Markus Rosjat
> Sent: 06 November 2016 13:56
> To: misc@openbsd.org
> Subject: Re: Simple example for httpd fastcgi
>
> Hi Mark,
>
> I saw that before and did the steps for python like there, and I can test my script by chroot, but I can't really figure out what to do in the httpd config to get my script called when I surf to it over the browser.
>
> regards
>
> Markus
>
> On 05.11.2016 at 21:16, Mark Willson wrote:
>> On 05/11/2016, 20:10, "Markus Rosjat" wrote:
>>> Hi there,
>>>
>>> Is there some how-to or examples out there to get a clue how to configure httpd to run python scripts?
>>>
>>> Regards
>>>
>>> Markus
>>>
>>> Sent from my Samsung device.
>>
>> Markus,
>>
>> This might help … http://hydrus.org.uk/journal/openbsd-httpd.html
>>
>> -mark
>
> Markus,
>
> Here's what the key portion of the httpd.conf file contains:
>
> # A name-based "virtual" server
> server "chrome.hydrus.org.uk" {
>         alias "chrome"
>         listen on * port 80
>         root "/hydrus/data"
>         log access "hydrus-access.log"
>         log error "hydrus-error.log"
>         location "/cgi-bin/*" {
>                 fastcgi
>                 root "/hydrus/data"
>         }
> }
>
> Hope that helps.
>
> -mark

-- 
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220    fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT