usage of pf overload table option inside anchors

2016-11-08 Thread Pedro Caetano
Hi,

How does one use the overload state option inside an anchor?

I'm running -current (7th November snapshot) 64-bit; sample pf
configurations follow, with two different configuration attempts.
Both print the following warning:

pfctl: warning: namespace collision with  global table.


sample pf configurations below:

table 
icmp_types = "{ echoreq, unreach }"
ext_if=""
int_if="{ em1 em2 em3 }"
int_networks="{ em1:network, em2:network, em3:network }"
v6broker=""
v6resolver=""
mediacenter=""
set skip on lo
set loginterface egress
block drop in all
antispoof quick for (egress)

match proto { udp tcp } to port { domain ntp } set prio 6
match proto tcp to port ssh set prio 6
match in all scrub (no-df max-mss 1440)
anchor "inet" on $ext_if {
block quick from 
block all
pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
pass inet proto icmp all icmp-type $icmp_types tag GOOD
pass in inet proto {tcp,udp} from any to any port 4 rdr-to $mediacenter tag GOOD
pass in inet proto tcp from any to any port {80,443} tag GOOD
pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload  flush global ) tag GOOD
pass out from (self) to any tag GOOD
pass out inet from $int_networks to any nat-to (egress) tag GOOD
match out inet from $int_networks to any nat-to (egress) tag GOOD
pass out inet6 from em2:network to any tag GOOD
pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
block quick inet ! tagged GOOD
}

# > pfctl -f /etc/pf.conf
pfctl: warning: namespace collision with  global table.




table 
icmp_types = "{ echoreq, unreach }"
ext_if=""
int_if="{ em1 em2 em3 }"
int_networks="{ em1:network, em2:network, em3:network }"
v6broker=""
v6resolver=""
mediacenter=""
set skip on lo
set loginterface egress
block drop in all
antispoof quick for (egress)

match proto { udp tcp } to port { domain ntp } set prio 6
match proto tcp to port ssh set prio 6
match in all scrub (no-df max-mss 1440)
anchor "inet" on $ext_if {
block quick from 
block all
pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
pass inet proto icmp all icmp-type $icmp_types tag GOOD
pass in inet proto {tcp,udp} from any to any port 4 rdr-to $mediacenter tag GOOD
pass in inet proto tcp from any to any port {80,443} tag GOOD
pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload  flush global ) tag GOOD
pass out from (self) to any tag GOOD
pass out inet from $int_networks to any nat-to (egress) tag GOOD
match out inet from $int_networks to any nat-to (egress) tag GOOD
pass out inet6 from em2:network to any tag GOOD
pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
block quick inet ! tagged GOOD
}

# > pfctl -f /etc/pf.conf
pfctl: warning: namespace collision with  global table.


Thank you for your help,
Pedro Caetano
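As an added illustration, not part of Pedro's mail and not pf's own code, here is a small Python model of what the `keep state (max-src-conn 50, max-src-conn-rate 3/15, overload <table> flush global)` options in the rule above do to a source that connects too fast. The sliding window is an assumption that approximates pf's rate accounting rather than reproducing it; the connection events and the addresses 10.0.0.5 and 10.0.0.6 are constructed.

```python
from collections import defaultdict, deque


class OverloadTracker:
    """Model of pf source tracking for one rule carrying
    'keep state (max-src-conn N, max-src-conn-rate C/S, overload <table> flush global)'.

    Assumption: a plain sliding window is used for the rate check; pf's own
    accounting differs in detail, but the observable effect is the same:
    the connection that exceeds either limit is refused, the source goes
    into the overload table and every state it owns is flushed.
    """

    def __init__(self, max_src_conn=50, rate_count=3, rate_seconds=15):
        self.max_src_conn = max_src_conn
        self.rate_count = rate_count
        self.rate_seconds = rate_seconds
        self.states = defaultdict(set)     # src -> ids of open states
        self.recent = defaultdict(deque)   # src -> timestamps of new connections
        self.overload = set()              # contents of the overload <table>
        self.flushed = []                  # state ids killed by 'flush global'

    def new_connection(self, t, src, state_id):
        """Return True if a state is created for this connection."""
        if src in self.overload:
            # a 'block quick from <table>' at the top of the anchor now applies
            return False
        window = self.recent[src]
        while window and t - window[0] >= self.rate_seconds:
            window.popleft()
        window.append(t)
        self.states[src].add(state_id)
        if len(window) > self.rate_count or len(self.states[src]) > self.max_src_conn:
            self._overload(src)
            return False
        return True

    def close_connection(self, src, state_id):
        self.states[src].discard(state_id)

    def _overload(self, src):
        # overload <table>: add the source; flush global: kill all of its states
        self.overload.add(src)
        self.flushed.extend(sorted(self.states[src]))
        self.states[src].clear()


def run_example():
    """Constructed events (time in seconds, src, state id): 10.0.0.5 opens four
    SSH connections within six seconds; 10.0.0.6 stays at three per 15 s."""
    events = [
        (0, "10.0.0.5", 1), (0, "10.0.0.6", 5),
        (2, "10.0.0.5", 2), (4, "10.0.0.5", 3),
        (5, "10.0.0.6", 6), (6, "10.0.0.5", 4),
        (10, "10.0.0.6", 7), (40, "10.0.0.6", 8),
    ]
    tracker = OverloadTracker(max_src_conn=50, rate_count=3, rate_seconds=15)
    decisions = [tracker.new_connection(t, src, sid) for t, src, sid in events]
    return tracker, decisions


if __name__ == "__main__":
    tracker, decisions = run_example()
    print("overload table:", sorted(tracker.overload))
    print("flushed states:", tracker.flushed)
    print("decisions:", decisions)
```

The fourth connection from 10.0.0.5 within the 15 s window is the one that is refused, lands the address in the table and flushes states 1 to 4; 10.0.0.6 never trips the limit. On the real box, `pfctl -t <name> -T show` lists a global table and `pfctl -a inet -t <name> -T show` the one inside the `inet` anchor, which is the quickest way to see which namespace the overload entries are actually landing in.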



Re: Dell R930 server

2016-11-08 Thread Mihai Popescu
| Does OBSD "see" all the 96*128G memory available ?

Out of curiosity, what does need such a memory today? Do you want to
use a ramdisk?

Thanks.



Re: Removal of old libraries

2016-11-08 Thread Amit Kulkarni
On Tue, Nov 8, 2016 at 12:53 AM, Clint Pachl  wrote:

> Ax0n wrote on 09/03/16 13:12:
>
>> I've got a Toshiba NB305 netbook that's been my daily-use laptop for more
>> than 6 years now. The last fresh install I did was OpenBSD 4.9-RELEASE in
>> early May 2011. I've been quite happy with how it works, and I've been
>> doing bsd.rd upgrades and M:Tier binary updates ever since.
>>
>> There is a lot of seemingly unused cruft in /usr/local/lib -- stuff with
>> an
>> atime of my last level 0 dump several months ago.   Looks like pkg_add -u
>> left a bunch of stuff behind. Is there a recommended way to clean this
>> stuff up, or should I just start chopping away with something like:
>>
>> find /usr/local/lib -type f -atime +90 | doas xargs rm
>>
>> (after a new level 0 dump, obviously...)
>>
>>
> I've been removing the old system during the upgrade script since 4.9,
> coincidentally. I haven't had a problem yet while upgrading two production
> servers and my two laptops, from release to release.
>
> After selecting the OS sets during the upgrade, but before hitting ENTER,
> type ! at the “Set name(s)?” prompt to enter a shell. Then run: `cd /mnt && rm -rf bin sbin usr/!(local) && exit`. Then just hit enter and continue
> running the upgrade script.
>
> WARNING: this will wipe out your system, so if the upgrade fails for some
> reason, you are TOTALLY SCREWED!
>
> I periodically (every few releases) clean out /usr/local. First, get a
> list of manually installed packages using `pkg_info -m`. Then uninstall
> everything. It is interesting to see what gets left behind. If any garbage
> is left over, remove it. Then reinstall from your generated list. I don't
> do this very often anymore as `pkg_delete -a` seems to clean up quite well.
>
> As insurance, I take level 0 dumps just before upgrading or cleaning
> /usr/local. Also, one of my laptops is a spare that has all the same
> software installed as the production servers and my main laptop. So this
> laptop is a test run if you will. If there are quirks, my main laptop is my
> second chance to make sure I know what the hell I'm doing before finally
> upgrading my two production systems.
>
> Also, just a public announcement, test your restore-from-backup process
> once in awhile.
>
> I've always thought about sharing this process, but always thought it is
> probably not the best advice.
>
>
Clint,

pkg_add sysclean

This will restore your system as close to a new install as possible. What
you are doing is quite dangerous.



Re: IPSec flow not properly routed

2016-11-08 Thread Stuart Henderson
On 2016-11-08, Mik J  wrote:
> Openbsd: 6.0
>
> Hello,
>
> I have an ipsec vpn set up but I don't understand why my packets are going 
> out on the wrong interface.
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 192.168.8.0/24 to 10.2.89.224/27 peer remote.y.y.y srcid 
> external.ip.x.x/32 dstid remote.y.y.y/32 type use
> flow esp out from 10.2.89.224/27 to 192.168.8.0/24 peer remote.y.y.y srcid 
> external.ip.x.x/32 dstid remote.y.y.y/32 type require
>
> SAD:
> esp tunnel from remote.y.y.y to external.ip.x.x spi 0x779061a9 auth hmac-sha1 
> enc aes-256
> esp tunnel from external.ip.x.x to remote.y.y.y spi 0xfd952672 auth hmac-sha1 
> enc aes-256
>
> When I ping 192.168.8.1 it's going out on OpenBSD external interface and 
> doesn't get into the tunnel.
>
> # tcpdump -n -i vmx0 icmp
>
> 08:23:35.881059 external.ip.x.x > 192.168.8.1: icmp: echo request

The external IP is not covered by the flow. Try ping -I 10.2.89.whatever 
192.168.8.1.

(OpenBSD only has flow-based IPsec, not route-based.)


> I have another OpenBSD, version 5.8, and everything is working properly. For
> example

Do you have some extra route on that machine causing it to change
the source address?
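An added example of the flow selection Stuart describes, written for this page and not taken from ipsecctl or the original thread: it parses the two FLOWS lines from the `ipsecctl -sa` output quoted above (re-joined onto one line each) and checks which source addresses a packet to 192.168.8.1 would need to match an outbound flow. The address 203.0.113.10 is a constructed stand-in for external.ip.x.x, and 10.2.89.230 is one possible value for the `ping -I 10.2.89.whatever` suggestion.

```python
import ipaddress
import re

FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) "
    r"peer (?P<peer>\S+) .*type (?P<type>\S+)$"
)

# The two FLOWS lines from the quoted ipsecctl -sa output, one per line.
IPSECCTL_FLOWS = """\
flow esp in from 192.168.8.0/24 to 10.2.89.224/27 peer remote.y.y.y srcid external.ip.x.x/32 dstid remote.y.y.y/32 type use
flow esp out from 10.2.89.224/27 to 192.168.8.0/24 peer remote.y.y.y srcid external.ip.x.x/32 dstid remote.y.y.y/32 type require
"""


def parse_flows(text):
    """Turn ipsecctl's flow lines into dicts with ip_network selectors."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"] = ipaddress.ip_network(d["src"])
            d["dst"] = ipaddress.ip_network(d["dst"])
            flows.append(d)
    return flows


def select_flow(flows, direction, src, dst):
    """Return the first flow whose selectors cover (src, dst), or None.

    Flow-based IPsec: only packets that match a flow are handed to the SA;
    anything else follows the ordinary routing table in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == direction and s in f["src"] and d in f["dst"]:
            return f
    return None


def explain(flows, src, dst):
    f = select_flow(flows, "out", src, dst)
    if f is None:
        return f"{src} -> {dst}: no flow matches, leaves via the default route unencrypted"
    return f"{src} -> {dst}: matches flow to peer {f['peer']} (type {f['type']}), enters the tunnel"


if __name__ == "__main__":
    flows = parse_flows(IPSECCTL_FLOWS)
    print(explain(flows, "203.0.113.10", "192.168.8.1"))  # stand-in for external.ip.x.x
    print(explain(flows, "10.2.89.230", "192.168.8.1"))   # what ping -I 10.2.89.230 would use
```

The first call reproduces the tcpdump line in the question: the echo request sourced from the external address is covered by neither selector, so it is routed, not tunnelled. The outbound flow is `type require`, so a packet that does match it is never sent in the clear even if the SA is down; watching `tcpdump -n -i enc0` alongside vmx0 shows directly which of the two paths a packet took.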



Re: Simple example for httpd fastcgi

2016-11-08 Thread Markus Rosjat

Well, does it mean I have to have a folder

/var/www/cgi-bin/hydrus/data

to put my scripts in, or does it mean I need to have a cgi-bin folder under

/var/www/htdocs/hydrus/data

regards

Markus

On 06.11.2016 at 16:37, Mark Willson wrote:

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Markus Rosjat
Sent: 06 November 2016 13:56
To: misc@openbsd.org
Subject: Re: Simple example for httpd fastcgi

Hi Mark,

I saw that before and did the steps for Python as described there, and I can test
my script by chroot, but I can't really figure out what to do in the httpd
config to get my script called when I surf to it over the browser.

regards

Markus

Am 05.11.2016 um 21:16 schrieb Mark Willson:

On 05/11/2016, 20:10, "Markus Rosjat"  wrote:


Hi there,
Is there some how-to or examples out there to get a clue how to configure
httpd to run Python scripts?
Regards
Markus
Sent from my Samsung device.


Markus,

This might help …

http://hydrus.org.uk/journal/openbsd-httpd.html


-mark



Markus,

Here's what the key portion of the httpd.conf file contains:

# A name-based "virtual" server
server "chrome.hydrus.org.uk" {
alias "chrome"
listen on * port 80

root "/hydrus/data"
log access "hydrus-access.log"
log error "hydrus-error.log"

location "/cgi-bin/*" {
fastcgi
root "/hydrus/data"
}

}

Hope that helps.

-mark



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT
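To make concrete where a script ends up on disk under the httpd.conf Mark quoted, here is an added Python example; it is written for this page, not httpd's or slowcgi's own path handling. It assumes the default chroot of /var/www for both httpd(8) and slowcgi(8), takes the `root "/hydrus/data"` and `location "/cgi-bin/*"` values from the quoted config, and uses hello.py as a hypothetical script name. httpd matches `location` patterns with shell-style globbing and treats `root` as relative to the chroot, so the location's root, not /var/www/htdocs, is where the cgi-bin directory belongs.

```python
import fnmatch
import posixpath

# Settings from the quoted httpd.conf; the chroot is httpd's default (assumption).
CHROOT = "/var/www"
SERVER_ROOT = "/hydrus/data"
LOCATIONS = [("/cgi-bin/*", "/hydrus/data")]   # (location pattern, root for it)


def location_root(request_path):
    """Pick the document root for a request; location patterns are shell globs."""
    for pattern, root in LOCATIONS:
        if fnmatch.fnmatchcase(request_path, pattern):
            return root
    return SERVER_ROOT


def resolve_script(request_path):
    """Map a request path to the file slowcgi would run, expressed as a path
    outside the chroot, or None when '..' would escape the document root."""
    root = location_root(request_path)
    inside = posixpath.normpath(posixpath.join(root, request_path.lstrip("/")))
    if inside != root and not inside.startswith(root + "/"):
        return None   # traversal out of the document root; refuse it
    return CHROOT + inside


if __name__ == "__main__":
    for p in ("/cgi-bin/hello.py", "/index.html", "/cgi-bin/../../etc/passwd"):
        print(p, "->", resolve_script(p))
```

So a request for http://chrome.hydrus.org.uk/cgi-bin/hello.py runs /var/www/hydrus/data/cgi-bin/hello.py, which must be executable and able to find its interpreter inside the chroot; the `fastcgi` keyword talks to slowcgi's default socket, so slowcgi has to be enabled and running (`rcctl enable slowcgi && rcctl start slowcgi`) before the browser request will reach the script.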