DLINK DUB-E100

2012-01-08 Thread Alessandro Baggi

Hi there,

I would like to buy a USB Ethernet card, and I've found the D-Link DUB-E100.

Is it supported on OpenBSD 5.0?

Has anyone ever used it?

Thanks in advance.



Re: DLINK DUB-E100

2012-01-19 Thread Alessandro Baggi

On 01/08/2012 06:02 PM, Nico Kadel-Garcia wrote:

On Sun, Jan 8, 2012 at 6:01 AM, Tomas Bodzar tomas.bod...@gmail.com wrote:

On Sun, Jan 8, 2012 at 11:42 AM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:

On 01/08/2012 11:38 AM, Tomas Bodzar wrote:

On Sun, Jan 8, 2012 at 11:16 AM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:

Hi there,

I would like to buy a USB Ethernet card, and I've found the D-Link DUB-E100.

Is it supported on OpenBSD 5.0?

Why don't you check?



http://www.openbsd.org/cgi-bin/man.cgi?query=usb&apropos=0&sektion=4&manpath=OpenBSD+5.0&arch=i386&format=html

Has anyone ever used it?

Thanks in advance.


Sorry, I'm new to OpenBSD, and I didn't know that there was a manual page
for usb.
Thanks for the info.

Ah, probably a Linux background. Then this
http://www.openbsd.org/faq/index.html and the man pages (man help and man
afterboot for a start) can be a good start for you. One of the pros of the BSD
world is the quality of the documentation.

That documentation unfortunately does not answer the question, because
many USB devices share the same chipsets and simply have manufacturers
relabel the packages with their name. Since that device was not
specifically listed, that's not a really strong indicator one way or
the other. From working with various devices and various OS's, I'd
estimate that the chances are good that it will work right out of the
box. Try it and publish your results, so people like yourself can know
whether it works!

For all OS's, for laptops, desktops, or servers, I've carried a spare
USB/Ethernet adapter for years in my toolkit for exactly the
situations where a new network driver is needed to get the updates
with the new network driver in it at install time. And I keep replacing
them because people won't give them back.


Hi there.

I've bought the USB Dlink DUB-E100. It works great.



Squid on LAN

2011-05-09 Thread Alessandro Baggi
Hi list. I've a question about positioning a proxy server in the LAN.
I've tried this in the dmz (also in transparent mode + rdr pf), and it works
great, but now I'm trying to put this proxy in the LAN.
Also in this case it works, but when I try to set it in transparent
mode, and put rdr rules on the firewall (OpenBSD 4.8):


match in on $int proto tcp from $int:network to any port 80 rdr-to $proxy port 3128


it does not work, and the requests don't seem to be redirected to the proxy.
I've read this:

http://www.openbsd.org/faq/pf/rdr.html

I'm trying to get a solution with pf rules only, without any results.
Could someone point me in the right direction?

Thanks in advance



Re: Squid on LAN

2011-05-10 Thread Alessandro Baggi
I've tried the rdrnat method without results, and I can't put it in another
vlan; I'm trying this at home. Any other ideas?


Thanks in advance

On 09/05/2011 19:06, Stuart Henderson wrote:

If possible, put the proxy server on a different vlan.

If you can't, try the method in http://www.openbsd.org/faq/pf/rdr.html#rdrnat
It works, but your proxy logs will then only show the firewall's address
rather than the original client addresses.


On 2011-05-09, Alessandro Baggi alessandro.ba...@gmail.com wrote:

Hi list. I've a question about positioning a proxy server in the LAN.
I've tried this in the dmz (also in transparent mode + rdr pf), and it works
great, but now I'm trying to put this proxy in the LAN.
Also in this case it works, but when I try to set it in transparent
mode, and put rdr rules on the firewall (OpenBSD 4.8):

match in on $int proto tcp from $int:network to any port 80 rdr-to $proxy port 3128

it does not work, and the requests don't seem to be redirected to the proxy.
I've read this:

http://www.openbsd.org/faq/pf/rdr.html

I'm trying to get a solution with pf rules only, without any results.
Could someone point me in the right direction?

Thanks in advance
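The rdr + nat method Stuart points to, written out here as an added example in the OpenBSD 4.8 `rdr-to`/`nat-to` syntax the question uses; this is not the FAQ's own text nor a ruleset from the thread. The internal interface `em1` and the proxy address `192.168.1.10` (Squid on port 3128) are assumptions.

```pf
# Added example, not from the thread: transparent proxying when the Squid box
# sits on the same flat LAN as the clients. Assumed: internal interface em1,
# proxy at 192.168.1.10 listening on 3128.
int_if = "em1"
proxy  = "192.168.1.10"

# The proxy's own outbound fetches must not be redirected back to itself,
# or every request loops through the proxy again. 'quick' ends evaluation
# here, so the redirect rule below never sees this traffic.
pass in quick on $int_if inet proto tcp from $proxy to any port 80

# Step 1: the rule from the question. On its own it fails on a flat LAN:
# the proxy answers the client directly, the client sees a reply from
# 192.168.1.10 instead of the web server it contacted, and drops it.
pass in quick on $int_if inet proto tcp from $int_if:network to any port 80 \
      rdr-to $proxy port 3128

# Step 2: also rewrite the source to the firewall's own address on em1, so
# the proxy replies to the firewall and pf can undo both translations.
# The cost is the one Stuart names: Squid's access log now records the
# firewall's address, not the real client, so client attribution is lost.
pass out quick on $int_if inet proto tcp from $int_if:network to $proxy port 3128 \
      nat-to ($int_if)
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; the rdr and nat states can be watched with `pfctl -ss | grep 3128`.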




rc_scripts

2011-09-24 Thread Alessandro Baggi

Hi list.

I'm trying to use rc_scripts in rc.conf.local but without results.
In rc.conf.local I put this:

rc_scripts=clamd

but after reboot, clamd does not start.
I've tried also:

rc_scripts=clamd start

and

clamd_flags=

but without result.

Can someone point me in the right direction?

Thanks in advance.



Re: rc_scripts

2011-09-24 Thread Alessandro Baggi

Hi Tomas,

Yes, clamd is already running. Now I'm starting it from rc.local.

Reading the man pages from www.openbsd.org I get:

The fourth section contains the pkg_scripts variable, responsible for
starting and stopping rc.d(8)
http://www.openbsd.org/cgi-bin/man.cgi?query=rc.d&sektion=8&arch=i386&apropos=0&manpath=OpenBSD+Current
scripts installed by packages in the specified order. For example, the
following line

   pkg_scripts=dbus_daemon cupsd

will run /etc/rc.d/dbus_daemon then /etc/rc.d/cupsd with the start
argument at boot time and in reverse order with the stop argument at
shutdown.


but reading the man page on my installed OpenBSD (4.9/amd64), I get:

The fourth section contains the rc_scripts variable, responsible for
starting and stopping rc.d(8)
http://www.openbsd.org/cgi-bin/man.cgi?query=rc.d&sektion=8&arch=i386&apropos=0&manpath=OpenBSD+Current
scripts installed by packages in the specified order. For example, the
following line

   rc_scripts=dbus_daemon cupsd

will run /etc/rc.d/dbus_daemon then /etc/rc.d/cupsd with the start
argument at boot time and in reverse order with the stop argument at
shutdown.

What's the way?


On 09/24/2011 04:16 PM, Tomas Bodzar wrote:

On Sat, Sep 24, 2011 at 3:59 PM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:

Hi list.

I'm trying to use rc_scripts in rc.conf.local but without results.
In rc.conf.local I put this:

rc_scripts=clamd

but after reboot, clamd does not start.
I've tried also:

rc_scripts=clamd start

and

clamd_flags=

but without result.

Did you set up clamd already? Because you need to configure clamd first and
uncomment at least one line in the config to get that daemon running.


Can someone point me in the right direction?

man rc.d
man rc.subr

find env for debug


Thanks in advance.




Re: rc_scripts

2011-09-24 Thread Alessandro Baggi

Hi Vijay,

I've put in my rc.conf.local, at the end of the file, this:

rc_scripts=clamd

but it does not work.

I've tried to start directly from /etc/rc.d/clamd start and it works.

I understand where the problem is...

On 09/24/2011 04:51 PM, Vijay Sankar wrote:

Quoting Alessandro Baggi alessandro.ba...@gmail.com:


Hi Tomas,

Yes, clamd is already running. Now I'm starting it from rc.local.

Reading the man pages from www.openbsd.org I get:

The fourth section contains the pkg_scripts variable, responsible for
starting and stopping rc.d(8)
http://www.openbsd.org/cgi-bin/man.cgi?query=rc.d&sektion=8&arch=i386&apropos=0&manpath=OpenBSD+Current
scripts installed by packages in the specified order. For example, the
following line

   pkg_scripts=dbus_daemon cupsd

will run /etc/rc.d/dbus_daemon then /etc/rc.d/cupsd with the start
argument at boot time and in reverse order with the stop argument at
shutdown.


but reading the man page on my installed OpenBSD (4.9/amd64), I get:

The fourth section contains the rc_scripts variable, responsible for
starting and stopping rc.d(8)
http://www.openbsd.org/cgi-bin/man.cgi?query=rc.d&sektion=8&arch=i386&apropos=0&manpath=OpenBSD+Current
scripts installed by packages in the specified order. For example, the
following line

   rc_scripts=dbus_daemon cupsd

will run /etc/rc.d/dbus_daemon then /etc/rc.d/cupsd with the start
argument at boot time and in reverse order with the stop argument at
shutdown.

What's the way?


On 09/24/2011 04:16 PM, Tomas Bodzar wrote:

On Sat, Sep 24, 2011 at 3:59 PM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:

Hi list.

I'm trying to use rc_scripts in rc.conf.local but without results.
In rc.conf.local I put this:

rc_scripts=clamd

but after reboot, clamd does not start.
I've tried also:

rc_scripts=clamd start

and

clamd_flags=

but without result.

Did you set up clamd already? Because you need to configure clamd first and
uncomment at least one line in the config to get that daemon running.


Can someone point me in the right direction?

man rc.d
man rc.subr

find env for debug


Thanks in advance.





Hi,

I think the man pages at the web site reflect -current, and I recall
reading something about pkg_scripts being the way to go in 5.0 etc.


On my 4.9 AMD system I have the following in rc.conf.local.

rc_scripts=dbus_daemon icinga clamd freshclam slapd postgresql dovecot

I don't have anything in rc.local anymore. This works very well.

HTH,

Vijay


Vijay Sankar
ForeTell Technologies Limited
vsan...@foretell.ca
204.885.9535

-
This message was sent using ForeTell-POST 4.7




Re: rc_scripts

2011-09-24 Thread Alessandro Baggi

Nothing, I've also tried to use pkg_scripts=clamd

It does not work.

Is there some place where I can find some error logs? In /var/log I don't
see anything.



On 09/24/2011 05:21 PM, William Yodlowsky wrote:

On 24 September 2011 at 17:23, Alessandro Baggi alessandro.ba...@gmail.com
wrote:


I've put in my rc.conf.local, at the end of the file, this:

rc_scripts=clamd

but it does not work.

The variable was renamed to pkg_scripts so try this in rc.conf.local
instead:

pkg_scripts=clamd

The system's manpage of rc.d(8) should say at the top of the page which
one is the correct one.




Re: rc_scripts

2011-09-24 Thread Alessandro Baggi

kernel version is:

kern.version=OpenBSD 4.9 (GENERIC.MP) #819: Wed Mar  2 06:57:49 MST 2011
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


On 09/24/2011 07:15 PM, Vijay Sankar wrote:

Can you do a

sysctl kern.version

and send that to the list? Maybe that will help pinpoint your issue.
I can confirm that rc_scripts work for me (and pkg_scripts do not) on
4.9 AMD64 from the CD Release.


Quoting Alessandro Baggi alessandro.ba...@gmail.com:


Nothing, I've also tried to use pkg_scripts=clamd

It does not work.

Is there some place where I can find some error logs? In /var/log I
don't see anything.



On 09/24/2011 05:21 PM, William Yodlowsky wrote:
On 24 September 2011 at 17:23, Alessandro
Baggi alessandro.ba...@gmail.com wrote:



I've put in my rc.conf.local, at the end of the file, this:

rc_scripts=clamd

but it does not work.

The variable was renamed to pkg_scripts so try this in rc.conf.local
instead:

pkg_scripts=clamd

The system's manpage of rc.d(8) should say at the top of the page which
one is the correct one.











Re: rc_scripts

2011-09-24 Thread Alessandro Baggi

On 09/24/2011 08:35 PM, Vijay Sankar wrote:

Quoting Alessandro Baggi alessandro.ba...@gmail.com:


kernel version is:

kern.version=OpenBSD 4.9 (GENERIC.MP) #819: Wed Mar  2 06:57:49 MST 2011
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


On 09/24/2011 07:15 PM, Vijay Sankar wrote:

Can you do a

sysctl kern.version

and send that to the list? Maybe that will help pinpoint your
issue. I can confirm that rc_scripts work for me (and pkg_scripts do
not) on 4.9 AMD64 from the CD Release.


Quoting Alessandro Baggi alessandro.ba...@gmail.com:


Nothing, I've also tried to use pkg_scripts=clamd

It does not work.

Is there some place where I can find some error logs? In /var/log I
don't see anything.



On 09/24/2011 05:21 PM, William Yodlowsky wrote:
On 24 September 2011 at 17:23, Alessandro
Baggi alessandro.ba...@gmail.com wrote:



I've put in my rc.conf.local, at the end of the file, this:

rc_scripts=clamd

but it does not work.

The variable was renamed to pkg_scripts so try this in rc.conf.local
instead:

pkg_scripts=clamd

The system's manpage of rc.d(8) should say at the top of the page
which one is the correct one.





I went through my server and noticed that I was doing one thing wrong. 
My rc_scripts line included icinga and dovecot but those were not 
installed on that server. It was there because of a bad cut/paste from 
a -current server. However, clamd and freshclam and others run 
properly from rc_scripts.


Is it possible that you are installing packages from the wrong
version? I have done that a couple of times because I copied .profile
files from the wrong server.


Is your PKG_PATH set to /pub/OpenBSD/4.9/packages/amd64, for example?







No, I've installed them from ports. Is it possible that this is the problem?



Re: Problem with installing OpenBSD

2011-09-30 Thread Alessandro Baggi

On 09/30/2011 01:42 AM, Hugo Osvaldo Barrera wrote:

On 2011-09-28 23:07, Sales - OrangeWebsite.com wrote:

Hey,

We are experiencing problems with installing OpenBSD on our VPS servers.
We hope you can provide us some assistance on how we could fix this. You
can see our VPS details here at http://www.orangewebsite.com/docs/vps.php.


Best greetings,
- Henry K. Johannes
Orangewebsite.com - 'Your solid business partner'



In my experience, you need to disable mpbios:
http://www.cyberciti.biz/faq/kvm-virtualization-openbsd-guest-hangs-at-starting-tty-flags/ 




Quoting Hugo.
My only problem is with mpbios on KVM.


Best regards



squid + squidclamav + squidGuard[Zombie].

2009-11-29 Thread Alessandro Baggi

Hi all.
I've a problem with squid + squidclamav + squidGuard. The squidGuard processes
become zombie processes. This problem occurs with OpenBSD 4.5 and 4.6.


Squid without any other redirector works fine. If I set url_rewrite_program
/usr/local/bin/squidGuard, squid works fine.
And now the problem. If I try to use squid, squidclamav and squidGuard
together, all squidguard processes die. Then I set url_rewrite_program
/usr/local/bin/squidclamav and in squidclamav.conf I set squidguard
/usr/local/bin/squidGuard.

With this configuration, squid works, squidclamav works but squidguard dies.

Log File report:  [/var/log/squidguard/squidGuard.log]

2009/11/29 18:26:52| httpReadReply: Excess data from HEAD 
http://bid.openx.net/json?c=OXM_64644365420pid=5269c2d6-ad46-45b3-ab8b-b07b7a65d779s=336x280f=10url

=http%3A%2F%2Fwww.linuxjournal.com%2Farticle%2F8758referer=http%3A%2F%2Fwww.google.it%2Furl%3
Fsa%3Dt%26source%3Dweb%26ct%3Dres%26cd%3D1%26ved%3D0CAoQFjAA%26url%3Dhttp%253A%252F%
252Fwww.linuxjournal.com%252Farticle%252F8758%26rct%3Dj%26q%3Dtripwire%2Bhowto%26ei%3DvKASS5D
SHoSv4QbZ3ZSFBA%26usg%3DAFQjCNE_CRMzgPL7aUXMzFs6CXbLiVOPfQ

[/var/squidguard/log/squidGuard.log] reports:

2009-11-29 18:30:00 [6702] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [6702] squidGuard stopped (1259515800.261)
2009-11-29 18:30:00 [29852] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [29852] squidGuard stopped (1259515800.290)
2009-11-29 18:30:00 [23681] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [13322] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [13322] squidGuard stopped (1259515800.362)
2009-11-29 18:30:00 [23681] squidGuard stopped (1259515800.368)
2009-11-29 18:30:00 [19733] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [19733] squidGuard stopped (1259515800.370)
2009-11-29 18:30:00 [10963] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [29024] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [29024] squidGuard stopped (1259515800.431)
2009-11-29 18:30:00 [10963] squidGuard stopped (1259515800.437)
2009-11-29 18:30:00 [4752] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [4752] squidGuard stopped (1259515800.446)
2009-11-29 18:30:00 [9844] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [9844] squidGuard stopped (1259515800.452)
2009-11-29 18:30:00 [10946] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [10946] squidGuard stopped (1259515800.471)
2009-11-29 18:30:00 [15118] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [15118] squidGuard stopped (1259515800.480)
2009-11-29 18:30:00 [24546] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [24546] squidGuard stopped (1259515800.571)
2009-11-29 18:30:00 [28657] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [28657] squidGuard stopped (1259515800.600)
2009-11-29 18:30:00 [26160] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [26160] squidGuard stopped (1259515800.621)
2009-11-29 18:30:00 [10505] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [10505] squidGuard stopped (1259515800.671)
2009-11-29 18:30:00 [31381] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [31381] squidGuard stopped (1259515800.851)
2009-11-29 18:30:00 [6034] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [6034] squidGuard stopped (1259515800.901)
2009-11-29 18:30:00 [8429] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:00 [8429] squidGuard stopped (1259515800.951)
2009-11-29 18:30:01 [32393] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:01 [32393] squidGuard stopped (1259515801.060)
2009-11-29 18:30:01 [8880] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:01 [8880] squidGuard stopped (1259515801.140)
2009-11-29 18:30:01 [9160] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:01 [9160] squidGuard stopped (1259515801.191)
2009-11-29 18:30:01 [20881] Info: recalculating alarm in 30 seconds
2009-11-29 18:30:01 [20881] squidGuard stopped (1259515801.211)


and ps:

_squid6702  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   29852  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   13322  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   19733  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   23681  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   29024  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   10963  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid4752  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid9844  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   10946  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   15118  0.0  0.0 0 0 ??  Z -  0:00.00 
(squidGuard)
_squid   24546  0.0  

Re: squid + squidclamav + squidGuard[Zombie].

2009-11-30 Thread Alessandro Baggi

John E.P. Hynes wrote:
Does anyone have an idea about this problem? Is it a squidguard or squidclamav
problem?
I've had the same problem, except I also get in the logs /bsd: file:
table is full


Try sysctl kern.nfiles or pstat -T to see how many open file 
descriptors you have.  With either redirector, but not both, I end up 
with a sane amount (300-400 in my installation) but 3-4k with both, 
and setting kern.maxfiles to 32768 or some really high number seems 
only to slightly delay this.


-John




Hi John! Thanks for the reply. I've tried another time; after 7/10 hours
the squidGuard processes become zombies... and the number of open fds was
567; after the zombification the number is 314... any other ideas?



thanks in advance.



Re: squid + squidclamav + squidGuard[Zombie].

2009-12-01 Thread Alessandro Baggi

Alessandro Baggi wrote:

John E.P. Hynes wrote:
Does anyone have an idea about this problem? Is it a squidguard or squidclamav
problem?
I've had the same problem, except I also get in the logs /bsd: file:
table is full


Try sysctl kern.nfiles or pstat -T to see how many open file 
descriptors you have.  With either redirector, but not both, I end up 
with a sane amount (300-400 in my installation) but 3-4k with both, 
and setting kern.maxfiles to 32768 or some really high number seems 
only to slightly delay this.


-John




Hi John! Thanks for the reply. I've tried another time; after 7/10
hours the squidGuard processes become zombies... and the number of open fds
was 567; after the zombification the number is 314... any other ideas?



thanks in advance.


Hi there, still with the squidclamav and squidGuard problem!!
I've tried another test. I've run only squidclamav in a terminal,
which in its configuration file calls squidGuard, but
squidGuard always becomes a zombie... the problem is in squidclamav.


root 27342  0.0  0.0 0 0 C0  Z+-  0:00.00 
(squidGuard)

root 11810  0.0  0.2   560   448 C0  Is11:52AM0:00.10 -ksh (ksh)
root 32228  0.0  0.6   624  1852 C0  I+11:58AM0:00.07 
squidclamav


and squid with only squidguard... works fine...
Does anyone have an idea? Is there a tool for OpenBSD such as strace or similar?

thanks in advance.



Re: squid + squidclamav + squidGuard[Zombie].

2009-12-03 Thread Alessandro Baggi

j...@hytronix.com wrote:

Hi Alessandro,

I have managed to get Squid to crash all by itself.  This is, in a way,
good, because it finally gave me some information that I think might be
helpful.

First, Are you running squid with diskd?

I am, and that's where one of the problems manifests: Running out of
available message queues.

If you can, try compiling a kernel with

maxusers 1024
option  MSGMAX=16384  # (max characters in a message)
option  MSGMNI=4096   # (# of message queues)
option  MSGMNB=32768  # (max characters in a message queue)
option  MSGTQL=2048   # (max # of messages in system)
option  MSGSSZ=64 # (size of a message segment)
option  MSGSEG=4096   # (# of message segments in system)

...and try setting kern.maxfiles=32768
...and in login.conf openfiles-cur to 16384

...and see if it helps.  I'll let you know what it does for me.  Of
course, this is REALLY increasing the file handles to a ludicrous level
too, and probably isn't necessary, but at this point, I just want to see
what works.

-John



  

Hi John. I'm running squid with ufs. I can make this test on a vm.
But is this test necessary? I say this because I've tried to run
squidclamav without squid, so only two processes, squidclamav and
squidGuard called by squidclamav... no operation, no redirect from
squid... nothing... only run from the shell. It dies in the same way...
for me the problem is not the OpenBSD kernel but squidclamav... and as we
can see, squidclamav is not in the OpenBSD package mirror dir nor in the
OpenBSD ports directory.
In the next days I will try to recompile the kernel with the new options;
trying doesn't hurt. But there is another way: using squid + squidclamav to
filter viruses (if squidclamav doesn't crash, I'll make a test for this), and
using squidguard domain blacklists in an acl to get content filtering.


Is it possible that OpenBSD kills squidguard because squidclamav performs
some strange operation that is not allowed? Or maybe this is a bug in the
Linux environment as well... I can also try with Linux (again on a vm) to see
if it has the same behaviour.




Re: squid + squidclamav + squidGuard[Zombie].

2009-12-04 Thread Alessandro Baggi

John E.P. Hynes wrote:

On 12/03/2009 03:04 PM, Alessandro Baggi wrote:

j...@hytronix.com wrote:

Hi Alessandro,

I have managed to get Squid to crash all by itself.  This is, in a way,
good, because it finally gave me some information that I think might be
helpful.

First, Are you running squid with diskd?

I am, and that's where one of the problems manifests: Running out of
available message queues.

If you can, try compiling a kernel with

maxusers 1024
option  MSGMAX=16384  # (max characters in a message)
option  MSGMNI=4096   # (# of message queues)
option  MSGMNB=32768  # (max characters in a message queue)
option  MSGTQL=2048   # (max # of messages in system)
option  MSGSSZ=64 # (size of a message segment)
option  MSGSEG=4096   # (# of message segments in system)

...and try setting kern.maxfiles=32768
...and in login.conf openfiles-cur to 16384

...and see if it helps.  I'll let you know what it does for me.  Of
course, this is REALLY increasing the file handles to a ludicrous level
too, and probably isn't necessary, but at this point, I just want to 
see

what works.

-John




Hi John. I'm running squid with ufs. I can make this test on a vm.
But is this test necessary? I say this because I've tried to run
squidclamav without squid, so only two processes, squidclamav and
squidGuard called by squidclamav... no operation, no redirect from
squid... nothing... only run from the shell. It dies in the same
way... for me the problem is not the OpenBSD kernel but squidclamav...
and as we can see, squidclamav is not in the OpenBSD package mirror
dir nor in the OpenBSD ports directory.
In the next days I will try to recompile the kernel with the new options;
trying doesn't hurt. But there is another way: using squid + squidclamav to
filter viruses (if squidclamav doesn't crash, I'll make a test for
this), and using squidguard domain blacklists in an acl to get content
filtering.


Is it possible that OpenBSD kills squidguard because squidclamav
performs some strange operation that is not allowed? Or maybe this is a bug
in the Linux environment as well... I can also try with Linux (again on a vm)
to see if it has the same behaviour.



Maybe we do have different problems then, because I now don't even 
have squid alone stable.  It takes days to crash though.


For me, squid and squidclamav and squidguard all crash with the same 
two errors, one related to file handles and the other related to 
message queues, but the latter is only because I'm using diskd instead 
of straight ufs.


I think my problem is kernel related.  And yes, it all runs flawlessly 
on Linux.


Very strange.

-John



Hi John! I've made the test with:

maxusers 1024
option  MSGMAX=16384  # (max characters in a message)
option  MSGMNI=4096   # (# of message queues)
option  MSGMNB=32768  # (max characters in a message queue)
option  MSGTQL=2048   # (max # of messages in system)
option  MSGSSZ=64 # (size of a message segment)
option  MSGSEG=4096   # (# of message segments in system)

...and try setting kern.maxfiles=32768
...and in login.conf openfiles-cur to 16384

but the result is the same... squidGuard dies.
A question: where are these options explained? They aren't in man options.



Re: squid + squidclamav + squidGuard[Zombie].

2009-12-21 Thread Alessandro Baggi
Stuart Henderson wrote:

On 2009-12-01, Alessandro Baggi alessandro.ba...@gmail.com wrote:

Hi there, still with the squidclamav and squidGuard problem!!
I've tried another test. I've run only squidclamav in a terminal,
which in its configuration file calls squidGuard, but
squidGuard always becomes a zombie... the problem is in squidclamav.

  I don't know about squidclamav, but you could try ports/www/havp instead,
  it works fine.

Does anyone have an idea? Is there a tool for OpenBSD such as strace or similar?

  ktrace, or gdb of course.

Hi there. Sorry for the delay. I've traced the squidguard processes and
ktrace gives:

 14078 squidGuard EMUL  native
 14078 squidGuard PSIG  SIGALRM caught handler=0xb7b61d8 mask=0x0
 14078 squidGuard RET   poll -1 errno 4 Interrupted system call
 14078 squidGuard CALL  write(0x5,0xcfbe6fa7,0x1)
 14078 squidGuard GIO   fd 5 wrote 1 bytes
\^N
 14078 squidGuard RET   write 1
 14078 squidGuard CALL  sigreturn(0xcfbe6fcc)
 14078 squidGuard RET   sigreturn JUSTRETURN
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  read(0x3,0xcfbe7210,0x80)
 14078 squidGuard GIO   fd 3 read 1 bytes
\^N
 14078 squidGuard RET   read 1
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  read(0x3,0xcfbe7210,0x80)
 14078 squidGuard RET   read -1 errno 35 Resource temporarily unavailable
 14078 squidGuard CALL  gettimeofday(0x2b7a7058,0)
 14078 squidGuard RET   gettimeofday 0
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  sigprocmask(0x3,0)
 14078 squidGuard RET   sigprocmask -65793/0xfffefeff
 14078 squidGuard CALL  sigprocmask(0x1,0x)
 14078 squidGuard RET   sigprocmask 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x3)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL  mprotect(0x2b7a8000,0x1000,0x1)
 14078 squidGuard RET   mprotect 0
 14078 squidGuard CALL

SquidGuard problem

2010-05-04 Thread Alessandro Baggi

Hi there.
I've a problem using squidguard under OpenBSD (4.4, 4.5, 4.6) with this
combination (squid + squidclamav + squidguard). The problem is that after
several hours in which squidguard got no requests, all squidguard
processes become zombies.

When the error shows up,
[/var/squidguard/log/squidGuard.log] reports:

2010-04-22 18:30:00 [6702] Info: recalculating alarm in 30 seconds
2010-04-22 18:30:00 [6702] squidGuard stopped (1259515800.261)

..


and ps:

_squid    6702  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   29852  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   13322  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   19733  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   23681  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   29024  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   10963  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid    4752  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid    9844  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   10946  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   15118  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   24546  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   28657  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   26160  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   10505  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   31381  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid    6034  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid    8429  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   32393  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid    8880  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid    9160  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
_squid   20881  0.0  0.0     0     0 ??  Z   -        0:00.00 (squidGuard)
root     18821  0.0  0.4  1236  1268 ??  Is  3:15PM   0:00.02 squid -d 10
_squid   16228  0.0  4.3 10312 12804 ??  S   3:15PM   0:09.64 (squid) -d 10 (squid)
_squid   31884  0.0  0.7   756  2076 ??  Is  3:15PM   0:00.81 (squidclamav) (squidclamav)
_squid   25836  0.0  0.7   632  2076 ??  Is  3:15PM   0:00.54 (squidclamav) (squidclamav)
_squid    6972  0.0  0.7   764  2084 ??  Is  3:15PM   0:00.27 (squidclamav) (squidclamav)
_squid   15649  0.0  0.7   776  2052 ??  Is  3:15PM   0:00.16 (squidclamav) (squidclamav)
_squid    6213  0.0  0.7   672  2064 ??  Is  3:15PM   0:00.16 (squidclamav) (squidclamav)
_squid   17857  0.0  0.7   716  2076 ??  Is  3:15PM   0:00.21 (squidclamav) (squidclamav)
_squid   17810  0.0  0.7   756  2076 ??  Is  3:15PM   0:00.17 (squidclamav) (squidclamav)
_squid     988  0.0  0.7   652  2072 ??  Is  3:15PM   0:00.14 (squidclamav) (squidclamav)
_squid    4536  0.0  0.7   608  1920 ??  Is  3:15PM   0:00.15 (squidclamav) (squidclamav)
_squid   13393  0.0  0.7   508  1952 ??  Is  3:15PM   0:00.14 (squidclamav) (squidclamav)
_squid     623  0.0  0.7   668  1936 ??  Is  3:15PM   0:00.08 (squidclamav) (squidclamav)
_squid   24677  0.0  0.7   696  1948 ??  Is  3:15PM   0:00.10 (squidclamav) (squidclamav)
_squid   30591  0.0  0.7   544  1940 ??  Is  3:15PM   0:00.08 (squidclamav) (squidclamav)
_squid   32597  0.0  0.7   688  1920 ??  Is  3:15PM   0:00.14 (squidclamav) (squidclamav)
_squid   24345  0.0  0.7   584  1920 ??  Is  3:15PM   0:00.11 (squidclamav) (squidclamav)
_squid    3959  0.0  0.7   568  1940 ??  Is  3:15PM   0:00.07 (squidclamav) (squidclamav)
_squid   24872  0.0  0.7   668  1924 ??  Is  3:15PM   0:00.14 (squidclamav) (squidclamav)
_squid   26243  0.0  0.7   484  1924 ??  Is  3:15PM   0:00.14 (squidclamav) (squidclamav)
_squid   26139  0.0  0.7   528  1948 ??  Is  3:15PM   0:00.14 (squidclamav) (squidclamav)
_squid    1263  0.0  0.7   516  1936 ??  Is  3:15PM   0:00.13 (squidclamav) (squidclamav)
_squid    8850  0.0  0.7   588  1932 ??  Is  3:15PM   0:00.07 (squidclamav) (squidclamav)
_squid    7546  0.0  0.7   504  1952 ??  Is  3:15PM   0:00.13 (squidclamav) (squidclamav)


After this error, squid still receives the request and sends it to 
squidclamav; squidclamav receives the request and its log says:


[6972] DEBUG Request:http://www.openbsd.org/ 192.168.1.65/- - GET
[6972] DEBUG Sending request to chained program: /usr/local/bin/squidGuard

but all the squidguard processes have died... and they don't process the 
request.



Then I've made different tests.


squid + squidguard (works fine)
squid + squidclamav (works fine)
squid + squidclamav + squidguard 

Re: SquidGuard problem

2010-05-06 Thread Alessandro Baggi

Hi there,
thanks for the reply. I've added -pthread in the makefile, compiled and 
ran squidclamav, but

the squid + squidclamav + squidguard problem persists.
Any other issue?

thanks in advance
Stuart Henderson wrote:

On 2010-05-04, Alessandro Baggi alessandro.ba...@gmail.com wrote:
  

Hi there.
I have a problem using squidguard under OpenBSD (4.4, 4.5, 4.6) with this 
combination (squid + squidclamav + squidguard). The problem is that 
after several hours in which squidguard gets no requests, all squidguard 
processes become zombies.


squid + squidguard (works fine)
squid + squidclamav (works fine)
squid + squidclamav + squidguard (squidguard processes become zombies)
squid + ad-zap (zapchain) + squidclamav + squidguard (squidguard 
processes become zombies)



Run 'ldd /path/to/squidclamav'. If it doesn't include
libpthread then try adding -pthread to the compiler flags when
you build it.




Re: SquidGuard problem

2010-05-07 Thread Alessandro Baggi

Stuart Henderson wrote:

On 2010-05-06, Alessandro Baggi alessandro.ba...@gmail.com wrote:
  

Hi there,
thanks for the reply. I've added -pthread in the makefile, compiled and 
ran squidclamav, but

the squid + squidclamav + squidguard problem persists.
Any other issue?



I don't know what else it might be..
FWIW, ports/www/havp does work ok.


  
I've also tried to modify squidguard to handle the read error, but the 
problem is still there. Yes, I'm trying havp from ports.

Thanks for the reply



pfsync question

2010-05-28 Thread Alessandro Baggi

Hi list.
I have a question about pfsync. Suppose that I have two OpenBSD firewalls 
with carp and pfsync in this scenario:


        fw 1:   fw 2:

WAN     em0     rl0
LAN     rl0     rl1
DMZ     rl1     rl2

The question is: if I try to sync the interfaces (em0 to rl0), will the 
synchronization be fine? Will all states of em0 be valid for rl0 on 
fw2, or will the traffic be dropped because the interfaces have two 
different names and the states for rl0 (from em0) are invalid?


Thanks in advance



rdr-to question

2010-05-29 Thread Alessandro Baggi

Hi list.
I've installed OpenBSD 4.7 and read the upgrade guide with its various 
changes. My question is about redirect rules.


Before the update a redirect rule was:

rdr on $int from $int:network to any port ftp -> 127.0.0.1 port 8021

but with the 4.7 update this has changed.

Now a valid rule for rdr is:

a) pass in on $int from $int:network to any port ftp rdr-to 127.0.0.1 port 8021
b) match in on $int from $int:network to any port ftp rdr-to 127.0.0.1 port 8021


My questions are:
Is rule a) the same as an rdr (OpenBSD 4.6) rule with the pass keyword?
Is rule b) the same as an rdr (OpenBSD 4.6) rule without the pass 
keyword?
And then, using rule b), must I add a pass rule for a service (suppose 
http) as with the old rdr rule?



What is the best solution?
Using the match rule with other filter rules for all redirects?
Using the pass rule with redirect for all redirects?
Using the match rule for redirects such as rdr to squid-proxy or 
ftp-proxy, with filter rules, and the pass rdr rule for services?


thanks in advance



RDR problem

2010-06-17 Thread Alessandro Baggi

Hi misc.
I have an OpenBSD 4.7 firewall with 3 NICs, one for the LAN, one for the WAN and one 
for the DMZ. On the same machine I have a squid proxy, and in the DMZ I have a web 
server.
My problem is when I get a request for the web server in the DMZ from a LAN 
client.

In my ruleset I have this rdr rule for http requests:

match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


and it works fine for all requests.

When I make an http request like http://mydomain.ath.cx from a 
$int:network client, the proxy (working with the rdr rule or with browser 
config) gives me the web management of my router.

Then I've tried a first set:

match in quick on $int proto tcp from $int:network to mydomain.ath.cx port 80 rdr-to $apache port 80
match in quick on $int proto tcp from $int:network to $int:0 port 3128 rdr-to $apache port 80
match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


but the behaviour is the same.

I've tried to modify my rdr rules to (second set):

pass in quick on $int proto tcp from $int:network to mydomain.ath.cx port 80 rdr-to $apache port 80
pass in quick on $int proto tcp from $int:network to $int:0 port 3128 rdr-to $apache port 80
match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


and it works fine.

I've tried a third ruleset:

match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128
match in on $int proto tcp from any to mydomain.ath.cx port 80 rdr-to $apache port 80


but doesn't work.

My question is about these three rulesets.

Why, in the first ruleset with 'match in quick' rules, does the quick 
keyword not affect the third rule (the squid redirection)?

Why do the pass rules work instead of the match rules?
Why doesn't 'match in on $int...' work in the third ruleset? Does rule 
parsing go by the last matching rule?



thanks in advance



Re: RDR problem

2010-06-17 Thread Alessandro Baggi
Hi Stuart. Thanks for the reply. Can you give me a valid example to 
understand this directive?
Reading man pages and the web, I understand that with the match directive 
the quick keyword has no lasting effect, and that the match directive sets 
the values on the fly and not after the last matching rule, as pass does. True?


Is this a valid ruleset?

match on $ext proto tcp from any to any port 80  rdr-to $dmz-host port 80

...
...
pass on $ext proto tcp from any to  $hostweb port 80 synproxy state


In this example, when the pass rule is matched by a packet, will the 
settings of the match rule be applied, and then change the packet address 
to $dmz-host?


and if there is:

pass on $ext proto tcp from any to any port 80 rdr-to $dmz-host port 80

Must I not put another filter rule to pass this service, as with pf 
in OpenBSD 4.5?
Another question: in my example I want my internal requests for my 
internal site in the DMZ to be redirected directly towards the DMZ. According 
to my understanding, the ruleset must be:


# redirect http packets towards squid
match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128

# redirect packets for mydomain.ath.cx to dmz-host
match in on $int proto tcp from $int:network to mydomain.ath.cx port 80 rdr-to $dmz-host port 80


# pass all traffic for int network
pass in on $int from $int:network to any 



Then, if a $int network client sends a request for mydomain.ath.cx, the 
first rule matches, the second matches, and when the pass rule is 
processed the settings take effect and the packet is redirected?


thanks in advance

Stuart Henderson wrote:

match is a modifier. the settings are remembered and applied to the
pass rule lower in the ruleset which permits the traffic to go through.



On 2010-06-17, Alessandro Baggi alessandro.ba...@gmail.com wrote:
  

Hi misc.
I have an OpenBSD 4.7 firewall with 3 NICs, one for the LAN, one for the WAN and one 
for the DMZ. On the same machine I have a squid proxy, and in the DMZ I have a web 
server.
My problem is when I get a request for the web server in the DMZ from a LAN 
client.

In my ruleset I have this rdr rule for http requests:

match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


and it works fine for all requests.

When I make an http request like http://mydomain.ath.cx from a 
$int:network client, the proxy (working with the rdr rule or with browser 
config) gives me the web management of my router.

Then I've tried a first set:

match in quick on $int proto tcp from $int:network to mydomain.ath.cx port 80 rdr-to $apache port 80
match in quick on $int proto tcp from $int:network to $int:0 port 3128 rdr-to $apache port 80
match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


but the behaviour is the same.

I've tried to modify my rdr rules to (second set):

pass in quick on $int proto tcp from $int:network to mydomain.ath.cx port 80 rdr-to $apache port 80
pass in quick on $int proto tcp from $int:network to $int:0 port 3128 rdr-to $apache port 80
match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


and it works fine.

I've tried a third ruleset:

match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128
match in on $int proto tcp from any to mydomain.ath.cx port 80 rdr-to $apache port 80


but doesn't work.

My question is about these three rulesets.

Why, in the first ruleset with 'match in quick' rules, does the quick 
keyword not affect the third rule (the squid redirection)?

Why do the pass rules work instead of the match rules?
Why doesn't 'match in on $int...' work in the third ruleset? Does rule 
parsing go by the last matching rule?



thanks in advance




Re: RDR problem

2010-06-18 Thread Alessandro Baggi

Hi there.

There were several errors in my last email. In the first rdr-to I 
lost the direction, and in the second rule the host specification, the 
same with a different host.

But today, reading these mails, I have another question:

don't the rdr-to rules accept only inbound packets?

thanks in advance
Stuart Henderson wrote:

On 2010-06-17, Alessandro Baggi alessandro.ba...@gmail.com wrote:
  
Hi Stuart. Thanks for the reply. Can you give me a valid example to 
understand this directive?
Reading man pages and the web, I understand that with the match directive 
the quick keyword has no lasting effect, and that the match directive sets 
the values on the fly and not after the last matching rule, as pass does. True?


Is this a valid ruleset?

match on $ext proto tcp from any to any port 80  rdr-to $dmz-host port 80

...
...
pass on $ext proto tcp from any to  $hostweb port 80 synproxy state



not valid, rdr-to needs a direction (in/out).

also see this: 


   Translation
[...]
 Subsequent rules will see packets as they look after any addresses and
 ports have been translated.  These rules will therefore have to filter
 based on the translated address and port number.

so for the pass rule you probably want $dmz-host not $hostweb.

  

pass on $ext proto tcp from any to any port 80 rdr-to $dmz-host port 80

Must I not put another filter rule to pass this service, as with pf 
in OpenBSD 4.5?



you don't need a separate rule. you can either do it this way,
with 'rdr-to' directly on the pass rule, or you can use separate
match and pass rules, depending on what works best for you and
your ruleset.


  
Another question: in my example I want my internal requests for my 
internal site in the DMZ to be redirected directly towards the DMZ. According 
to my understanding, the ruleset must be:


# redirect http packets towards squid
match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128

# redirect packets for mydomain.ath.cx to dmz-host
match in on $int proto tcp from $int:network to mydomain.ath.cx port 80 rdr-to $dmz-host port 80


# pass all traffic for int network
pass in on $int from $int:network to any 



Then, if a $int network client sends a request for mydomain.ath.cx, the 
first rule matches, the second matches, and when the pass rule is 
processed the settings take effect and the packet is redirected?



from a quick read, i think so, but you can test this yourself
much more easily than i can.


  

thanks in advance

Stuart Henderson wrote:


match is a modifier. the settings are remembered and applied to the
pass rule lower in the ruleset which permits the traffic to go through.



On 2010-06-17, Alessandro Baggi alessandro.ba...@gmail.com wrote:
  
  

Hi misc.
I have an OpenBSD 4.7 firewall with 3 NICs, one for the LAN, one for the WAN and one 
for the DMZ. On the same machine I have a squid proxy, and in the DMZ I have a web 
server.
My problem is when I get a request for the web server in the DMZ from a LAN 
client.

In my ruleset I have this rdr rule for http requests:

match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


and it works fine for all requests.

When I make an http request like http://mydomain.ath.cx from a 
$int:network client, the proxy (working with the rdr rule or with browser 
config) gives me the web management of my router.

Then I've tried a first set:

match in quick on $int proto tcp from $int:network to mydomain.ath.cx port 80 rdr-to $apache port 80
match in quick on $int proto tcp from $int:network to $int:0 port 3128 rdr-to $apache port 80
match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


but the behaviour is the same.

I've tried to modify my rdr rules to (second set):

pass in quick on $int proto tcp from $int:network to mydomain.ath.cx port 80 rdr-to $apache port 80
pass in quick on $int proto tcp from $int:network to $int:0 port 3128 rdr-to $apache port 80
match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128


and it works fine.

I've tried a third ruleset:

match in on $int proto tcp from $int:network to any port 80 rdr-to $int:0 port 3128
match in on $int proto tcp from any to mydomain.ath.cx port 80 rdr-to $apache port 80


but doesn't work.

My question is about these three rulesets.

Why, in the first ruleset with 'match in quick' rules, does the quick 
keyword not affect the third rule (the squid redirection)?

Why do the pass rules work instead of the match rules?
Why doesn't 'match in on $int...' work in the third ruleset? Does rule 
parsing go by the last matching rule?



thanks in advance
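Stuart's two points above (match options are remembered and applied by the later pass rule; subsequent rules see the packet after translation) also explain why only the "pass quick" variant of the three rulesets worked: once the first match rule had rewritten the destination to $apache, the general "to any port 80" match rule still matched and re-translated the packet to squid. The ruleset below is an added example, not from the thread; $int and $apache are assumed macro values.

```pf
# Added example ruleset (not from the thread); interface and address are assumed.
int    = "rl0"          # LAN interface, assumed name
apache = "10.2.0.10"    # DMZ web server, assumed address

# 1. LAN requests for the public name go straight to the DMZ host.
#    rdr-to always needs a direction, hence "in".
match in on $int proto tcp from $int:network to mydomain.ath.cx port 80 \
      rdr-to $apache port 80

# 2. Everything else on port 80 goes to the transparent squid.
#    Rule 1 has already rewritten the destination to $apache, and a later
#    "to any port 80" match would re-translate it to squid, so exclude it.
match in on $int proto tcp from $int:network to ! $apache port 80 \
      rdr-to $int:0 port 3128

# 3. Filter on the translated addresses; that is what the pass rules see.
pass in on $int proto tcp from $int:network to $apache port 80
pass in on $int proto tcp from $int:network to $int:0 port 3128
```

pfctl -nf pf.conf parses the file without loading it, which is the cheapest way to check the syntax before trying the rules.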




reassemble tcp

2010-01-15 Thread Alessandro Baggi

Hi there. I have a problem with pf on OpenBSD 4.6

After various tests, I've reduced my pf.conf to these rules:

macros
set block-policy drop
match all scrub (no-df, random-id, reassemble tcp, max-mss 1440)
nat on $ext from $int:network -> $ext:0
block log all
pass in on $int from any to any
pass out on $ext from $ext:0 to any


pfctl accepts all the rules without errors, but I have problems during connection.
If I try to log in with pidgin (MSN) from Slackware Linux it doesn't 
work.

If I try to log in with pidgin proxied from Slackware it works.
I've also tried to remove reassemble tcp from the scrub and it works.
If I try to log in with MSN from Windows (proxied, with reassemble 
tcp, and with no proxy) it works.


In all the failed Linux pidgin connections I receive this:


connection: Connection error on 0x8551180 (reason: 0 description: 
Connection error from Notification server: Reading error)


But is the connection dropped? (I also receive a block log of an ack 
for the pidgin connection.)


Another problem with reassemble tcp is with Windows boot. I receive these 
messages from syslog:


block in on rl0: 10.1.3.53.137 > 10.1.255.255.137: udp 50

If I remove reassemble tcp it works fine.
I've also tried with a pass-all rule... but with the same result. Is it 
possible that a scrub with the reassemble tcp option blocks some packets?

What is the reason for this?

Is it a misconfiguration of mine or normal behaviour?

Thanks in advance!



Re: reassemble tcp

2010-01-15 Thread Alessandro Baggi

Ted Unangst wrote:

On Fri, Jan 15, 2010 at 3:33 PM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:
  

If I remove reassemble tcp it works fine.
I've also tried with a pass-all rule... but with the same result. Is it
possible that a scrub with the reassemble tcp option blocks some packets?
What is the reason for this?



http://marc.info/?l=openbsd-miscm=126344466917828w=2

  

Hi Ted, thanks for the reply.
But then what's the meaning of these options?



OpenBSD Bandwidth Question.

2010-01-17 Thread Alessandro Baggi
Hi list. I have an OpenBSD firewall with a proxy for home use. I've noticed 
that when I surf the web through the squid proxy, my 
bandwidth is less than 1.5 Mbps, while when I don't use the proxy I have all the 
bandwidth (7 Mbps).


I've made some tests: when I download from the same workstation with 
Linux (without proxy), I have all the bandwidth (7 Mbps). If I try to 
download through squid from a non-OpenBSD workstation, it is always less than 1.5 
Mbps of bandwidth. If I try to download via http or ftp from the OpenBSD 
firewall itself (without pf rules, queues, forwarding or proxy) on the external 
NIC, the same problem, and from another workstation with OpenBSD (4.6) 
without proxy, again the same problem. So I have a problem with 
downloading from OpenBSD.

What does this behaviour depend on?


Thanks in advance.



Re: OpenBSD Bandwidth Question.

2010-01-17 Thread Alessandro Baggi

Marco Peereboom wrote:

try this:
net.inet.tcp.recvspace=256000
net.inet.tcp.sendspace=256000


On Sun, Jan 17, 2010 at 02:41:23PM +0100, Alessandro Baggi wrote:
  
Hi list. I have an OpenBSD firewall with a proxy for home use. I've noticed 
that when I surf the web through the squid proxy, my 
bandwidth is less than 1.5 Mbps, while when I don't use the proxy I have all the 
bandwidth (7 Mbps).


I've made some tests: when I download from the same workstation with 
Linux (without proxy), I have all the bandwidth (7 Mbps). If I try to 
download through squid from a non-OpenBSD workstation, it is always less than 1.5 
Mbps of bandwidth. If I try to download via http or ftp from the OpenBSD 
firewall itself (without pf rules, queues, forwarding or proxy) on the external 
NIC, the same problem, and from another workstation with OpenBSD (4.6) 
without proxy, again the same problem. So I have a problem with 
downloading from OpenBSD.

What does this behaviour depend on?


Thanks in advance.




  

Thank you Marco. It works.



OpenVPN problem.

2010-01-25 Thread Alessandro Baggi

Hi list! I'm setting up a VPN between two OpenBSD firewalls.
This is the scenario:

FW1                   FW2
$ext  192.168.1.33    $ext   192.168.1.2
$int  10.1.1.1        $int   192.168.7.1

$host 10.1.3.53       $host2 192.168.7.2

Then I've made the certificates; the client can contact the server, and from 
the client I can ping a Linux machine behind the server, and from the Linux 
machine to the client.
Then I've tried to get communication with the LAN clients behind the VPN 
client gateway. 192.168.7.2 on FW2's side of the VPN can communicate with 
10.1.3.53, but not vice versa.


All routing tables are OK (I think).
server configuration file:

proto udp
port 1194
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/192.168.1.33.crt
key /etc/openvpn/private/192.168.1.33.key
dh /etc/openvpn/dh1024.pem
server 10.0.8.0 255.255.255.0
keepalive 10 50
comp-lzo
user _openvpn
group _openvpn
daemon openvpn
persist-key
persist-tun
client-config-dir ccd
push route 10.1.1.1 255.255.0.0
route 192.168.7.0 255.255.255.0
status /var/log/openvpn-status.log
log /tmp/openvpn.log
verb 2


/etc/openvpn/ccd/192.168.1.2:

iroute 192.168.7.0 255.255.255.0


Client conf:

client
remote 192.168.1.33 1194
proto udp
dev tun0
daemon openvpn
keepalive 10 50
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/192.168.1.2.crt
key /etc/openvpn/private/192.168.1.2.key
comp-lzo
log /tmp/openvpn.log
verb 2



Is it a routing problem? This is the server routing table:

default        192.168.1.1        UGS    2     2995     -   8 vr0
10.0.8/24      10.0.8.2           UGS    0      301     -   8 tun0
10.0.8.2       10.0.8.1           UH     3        0     -   4 tun0
10.1/16        link#1             UC     2        0     -   4 rl0
10.1.3.53      00:1d:60:ec:a5:14  UHLc   2     3480     -   4 rl0
loopback       localhost          UGRS   0        0 33200   8 lo0
localhost      localhost          UH     1        0 33200   4 lo0
192.168.1/24   link#3             UC     2        0     -   4 vr0
192.168.1.1    00:13:49:cb:fa:75  UHLc   1        0     -   4 vr0
192.168.1.2    00:1d:0f:c4:0c:1d  UHLc   1     1482     -   4 vr0
192.168.7/24   10.0.8.2           UGS    0      516     -   8 tun0

ifconfig tun0 on server:

tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1500
   priority: 0
   groups: tun
   media: Ethernet autoselect
   status: active
   inet 10.0.8.1 -- 10.0.8.2 netmask 0x

Can someone give me a pointer?
Thanks in advance.



Re: OpenVPN problem.

2010-01-25 Thread Alessandro Baggi

Johan Beisser wrote:

On Mon, Jan 25, 2010 at 5:45 AM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:
  

Hi list! I'm setting up a VPN between two OpenBSD firewalls.
This is the scenario:

FW1                   FW2
$ext  192.168.1.33    $ext   192.168.1.2
$int  10.1.1.1        $int   192.168.7.1

$host 10.1.3.53       $host2 192.168.7.2

Then I've made the certificates; the client can contact the server, and from the
client I can ping a Linux machine behind the server, and from the Linux machine
to the client.
Then I've tried to get communication with the LAN clients behind the VPN client
gateway. 192.168.7.2 on FW2's side of the VPN can communicate with 10.1.3.53, but not
vice versa.



Are you permitting traffic from $host through the firewall?

What's your pf.conf?

Have you verified that your firewalls pass other traffic normally?

  
Hi Johan. Thanks for the answer. I've reduced my pf.conf on the client and 
server side to:


ext=rl0
int=rl1

nat on $ext from $int:network -> $ext:0
nat on tun0 from $int:network -> tun0:0

pass all

From the LAN of the VPN client I can ping the entire server-side LAN, 
but not vice versa.




Re: OpenVPN problem.

2010-01-25 Thread Alessandro Baggi

Johan Beisser wrote:

On Mon, Jan 25, 2010 at 10:05 AM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:
  

Johan Beisser wrote:



  

Hi Johan. Thanks for the answer. I've reduced my pf.conf on the client and
server side to:

ext=rl0
int=rl1

nat on $ext from $int:network -> $ext:0
nat on tun0 from $int:network -> tun0:0

pass all



What version of OpenBSD are you running?

  

From the LAN of the VPN client I can ping the entire server-side LAN, but
not vice versa.



Are you certain your packets are being natted properly?

  

On the server side 4.5 updated to 4.6, and on the client side 4.6.
Packets from the server-side network are NATed: with tcpdump on tun0 I get 
10.0.8.1 > 192.168.7.2, but I don't receive an answer.

I can ping the client side (10.0.8.6) from the server (10.0.8.1).
I can ping and ssh to the server side (10.1.0.0/16) from 192.168.7.0/24.



Re: OpenVPN problem.

2010-01-25 Thread Alessandro Baggi

Simen Stavdal wrote:

and...

do you have the routing table for some of the hosts that can/cannot 
ping each other?

Are there other gateways out of the networks, other than the openvpn box?

S.


I'm trying openvpn in my internal network:

            internet
               |
          primary node
          192.168.1.1
           /        \
       OBSD          OBSD 2
   192.168.1.33    192.168.1.2
   10.1.0.0/16     192.168.7.0/24
        |               |
        .               .




Re: OpenVPN problem.

2010-01-25 Thread Alessandro Baggi

Simen Stavdal wrote:

Hello Alessandro,

Can you see any of the traffic on the inside LAN on the client side 
with tcpdump?


I.e set tcpdump on $int with
tcpdump -i nameofinternalinterface proto icmp

and then try to ping from a server?

Silly suggestion, but
What about client side firewalls? Do they allow to be pinged?

What is your server.conf file for openvpn and the client conf file?

Simon.

Alessandro Baggi wrote:

Johan Beisser wrote:

On Mon, Jan 25, 2010 at 5:45 AM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:
 

Hi list! I'm setting up a VPN between two OpenBSD firewalls.
This is the scenario:

FW1                   FW2
$ext  192.168.1.33    $ext   192.168.1.2
$int  10.1.1.1        $int   192.168.7.1

$host 10.1.3.53       $host2 192.168.7.2

Then I've made the certificates; the client can contact the server, and 
from the client I can ping a Linux machine behind the server, and from the 
Linux machine to the client.
Then I've tried to get communication with the LAN clients behind the 
VPN client gateway. 192.168.7.2 on FW2's side of the VPN can communicate 
with 10.1.3.53, but not vice versa.



Are you permitting traffic from $host through the firewall?

What's your pf.conf?

Have you verified that your firewalls pass other traffic normally?

  
Hi Johan. Thanks for the answer. I've reduced my pf.conf on the client 
and server side to:


ext=rl0
int=rl1

nat on $ext from $int:network -> $ext:0
nat on tun0 from $int:network -> tun0:0

pass all

From the LAN of the VPN client I can ping the entire server-side 
LAN, but not vice versa.





Hi Simon. I've already tried this. I've also put tcpdump on the OpenVPN 
client's tun0 interface, on rl0 (the internal interface) and on tun0 
on the OpenVPN server side. When I try to ping from the LAN on the client side

I get from tcpdump on the OpenVPN client's tun0:

10.0.8.6 > 10.1.3.53
10.1.3.53 > 10.0.8.6

on the internal interface nothing, and on tun0 of the OpenVPN server the previous 
result.
When I ping from this network (10.1.0.0/16) to 192.168.7.0/24 I get 
output from tcpdump only on the OpenVPN server, with the NATed address:


10.0.8.1 > 192.168.7.2: icmp: echo request
10.0.8.1 > 192.168.7.2: icmp: echo request
10.0.8.1 > 192.168.7.2: icmp: echo request
and so on...

These are my configuration files:

server.conf:
--

proto udp
port 1194
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/192.168.1.33.crt
key /etc/openvpn/private/192.168.1.33.key
dh /etc/openvpn/dh1024.pem
server 10.0.8.0 255.255.255.0
keepalive 10 120
comp-lzo
user _openvpn
group _openvpn
daemon openvpn
persist-key
persist-tun
client-config-dir ccd
push route 10.1.1.1 255.255.0.0
route 192.168.7.0 255.255.255.0
status /var/openvpn/openvpn-status.log
log-append /var/openvpn/openvpn.log
verb 8

ccd/client:
-

iroute 192.168.7.0 255.255.255.0



client.conf:
--

client
dev tun0
proto udp
remote 192.168.1.33 1194
nobind
user _openvpn
group _openvpn
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/private/client.key
comp-lzo
verb 8
mute 20
log-append /var/openvpn/openvpn.log


This is the routing table of the openvpn server:

default            192.168.1.1        UGS    2   145394     -   8 vr0
10.0.8/24          10.0.8.2           UGS    0      206     -   8 tun0
10.0.8.2           10.0.8.1           UH     3        0     -   4 tun0
10.1/16            link#1             UC     3        0     -   4 rl0
10.1/16            10.0.8.2           UGS    0        0     -   8 tun0
10.1.3.53          00:1d:60:ec:a5:14  UHLc   2    10834     -   4 rl0
192.168.7/24       10.0.8.2           UGS    0      175     -   8 tun0
loopback           localhost          UGRS   0        0 33200   8 lo0
localhost          localhost          UH     1        0 33200   4 lo0
192.168.1/24       link#3             UC     2        0     -   4 vr0
192.168.1.1        00:13:49:cb:fa:75  UHLc   1        0     -   4 vr0
192.168.1.2        00:19:66:65:53:1c  UHLc   1     1158     -   4 vr0
BASE-ADDRESS.MCAST localhost          URS    0        0 33200   8 lo0


This is the routing table of the openvpn client:

default        192.168.1.1        UGS    1      141     -   8 re0
10.0.8.1/32    10.0.8.5           UGS    0        0     -   8 tun0
10.0.8.5       10.0.8.6           UH     2        0     -   4 tun0
10.1/16        10.0.8.5           UGS    1      105     -   8 tun0
192.168.7/24   link#2             UC     1        0     -   4 rl0
192.168.7.2    00:1f:c6:7e:35:75  UHLc   0        2     -   4 rl0
loopback       localhost          UGRS   0        0 33200   8 lo0
localhost      localhost          UH     1        0 33200   4 lo0
192.168.1/24   link#1             UC     2        0     -   4 re0
192.168.1.1

Re: OpenVPN problem.

2010-01-26 Thread Alessandro Baggi
Hi Simen. Then 10.0.8.1 and 10.0.8.2 are allocated by the OpenVPN server, and 
on the client they are 10.0.8.6 and 10.0.8.5.

They appear in ifconfig of tun0 on the client and server side in this form:

10.0.8.1 --> 10.0.8.2
10.0.8.6 --> 10.0.8.5

My purpose is to study VPNs with OpenVPN, and as I don't have a remote site 
for this setup, I've reproduced a small-scale version of reality.

Simen Stavdal wrote:

Ciao Alessandro,

So, from the server, the client gets allocated 10.0.8.5/32
(btw, probably a minor thing, but in your server conf file, you have a 
mismatch on the host/mask when you push the routes- it reads

push route 10.1.1.1 255.255.0.0  while it should read 10.1.0.0)
(doesn't seem to bother the client too much, but it might be worth a 
try to correct it).


Also, on the server side routing table, you have the following :
192.168.7/24       10.0.8.2           UGS    0      175     -   8 tun0


Where is 10.0.8.2?
This is from the pool of client addresses, but does not exist anywhere?

You also have some route statements in your server conf file, like this 
one :

route 192.168.7.0 255.255.255.0
It doesn't have a gateway, and is not locally connected
This tells the client host to route 192.168.7.0 to nowhere (even 
though it is locally connected on the client side).


On my config, the client side routing table looks like this (windows 
host) :

   10.10.177.0255.255.255.0  10.10.177.5 10.10.177.6   1
   10.10.177.4  255.255.255.252  10.10.177.6 10.10.177.6   30


Also, the two hosts are not connected with public addresses, can I ask 
why you want to use NAT between two RFC1918 networks that don't overlap?
I am trying to understand your objective and the purpose of the setup, 
maybe there is a different way of setting it up?


Cheers,
Simon.


Alessandro Baggi wrote:

Simen Stavdal wrote:

and...

do you have the routing table for some of the hosts that can/cannot 
ping each other?
Are there other gateways out of the networks, other than the openvpn 
box?


S.


I'm trying openvpn in my internal network:

            internet
               |
          primary node
          192.168.1.1
           /        \
       OBSD          OBSD 2
   192.168.1.33    192.168.1.2
   10.1.0.0/16     192.168.7.0/24
        |               |
        .               .




pfsync nic problem.

2010-12-19 Thread Alessandro Baggi
Hi list. I have a little question about pfsync. Suppose I have two 
firewalls, each with 3 NICs, one for the LAN, one for the WAN and one for the DMZ, 
in a scenario like this:


firewall 1       firewall 2

WAN: re0         WAN: xl0
LAN: rl0         LAN: rl0
DMZ: rl1         DMZ: rl1

When pfsync sends the state updates to the backup firewall, does pfsync 
update the state table with the interface names of the first firewall? 
(In my scenario the synchronization won't work for re0 and xl0, right?)
Then, must the firewall 2 box have NIC names equal to the NIC names of the 
first firewall, or can they be different? If this is the issue, and 
given this scenario, is there a method to make a valid update for re0 
and xl0?


thanks in advance.



Re: pfsync nic problem.

2010-12-20 Thread Alessandro Baggi

On 12/19/2010 07:49 PM, Johan Beisser wrote:

On Sun, Dec 19, 2010 at 9:12 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:
   

Hi list. I've a little question about pfsync. Supposing to have two
firewall, with 3 nic, one for lan, one for wan and one for DMZ, and
supposing a similar scenario:

firewall 1        firewall 2

WAN: re0          WAN: xl0
LAN: rl0          LAN: rl0
DMZ: rl1          DMZ: rl1

when pfsync send the interface state updates on backup firewall, pfsync
update the table of states for the name of interfaces of first firewall? (in
my scenario, the syncronization won't works for re0 and xl0, right?
 

I don't see why not. Adjust your pf rules to use the groups field for
the interface if you're worried.

   

ok I will try. Thanks for the reply



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/19/2010 07:49 PM, Johan Beisser wrote:

On Sun, Dec 19, 2010 at 9:12 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:
   

Hi list. I've a little question about pfsync. Supposing to have two
firewall, with 3 nic, one for lan, one for wan and one for DMZ, and
supposing a similar scenario:

firewall 1        firewall 2

WAN: re0          WAN: xl0
LAN: rl0          LAN: rl0
DMZ: rl1          DMZ: rl1

when pfsync send the interface state updates on backup firewall, pfsync
update the table of states for the name of interfaces of first firewall? (in
my scenario, the syncronization won't works for re0 and xl0, right?
 

I don't see why not. Adjust your pf rules to use the groups field for
the interface if you're worried.

   
Hi list, I've tried to use the groups field for pfsync. I've changed in 
my pf rules the WAN interface ext=xl0 to ext=egress; then when I 
try to cause a fault on firewall 1, firewall 2 becomes master, but all 
connections die. In the state tables of firewall 2 there are synchronized 
states for xl0, but the WAN interface is rl2. It's normal that all 
connections die, as there are no valid states for rl2. So at this point 
the problem persists.
Is there something I've missed with the ifconfig groups field? Is this 
my misconfiguration, or is the use of the groups field not valid 
for this problem?


thanks in advance.



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/22/2010 01:18 AM, Stuart Henderson wrote:

On 2010-12-19, Alessandro Baggialessandro.ba...@gmail.com  wrote:
   

Hi list. I've a little question about pfsync. Supposing to have two
firewall, with 3 nic, one for lan, one for wan and one for DMZ, and
supposing a similar scenario:

firewall 1        firewall 2

WAN: re0          WAN: xl0
LAN: rl0          LAN: rl0
DMZ: rl1          DMZ: rl1

when pfsync send the interface state updates on backup firewall, pfsync
update the table of states for the name of interfaces of first firewall?
(in my scenario, the syncronization won't works for re0 and xl0, right?
   Then, firewall 2 box must have nic card name equal to nic card name of
first firewall or they can to be different? if this is the issue, and
having those scenario, there is a method to make a valid update for re0
and xl0?

thanks in advance.


 

states don't normally depend on the interface (and if you *do* make
them dependent on that with if-bound states, i'm not sure if pfsync
handles that...)

are you having problems or is this theoretical? if you're having
problems then send a dmesg and full details. if it's theoretical,
why don't you just try it for yourself? this stuff is easy to
check and first-hand experience beats a post from some random
dude on a mailing list.


   

This problem is not theoretical.



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/23/2010 06:43 PM, Johan Beisser wrote:

On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:
   

Hi list, I've tried to use the groups field for pfsync. I've changed in my
pf rules, the wan interface ext=xl0 with ext=egress, then when I try to
get a fault with firewall 1, firewall 2 become master, but all connections
die. In state tables of firewall 2 there are syncronized states for xl0,
but the wan interface is rl2. It's normal that all connections die, there
are not valid states for rl2. Then at this point the problem persist.
There is something that I've missed with ifconfig groups field? This is my
misconfiguration or the use of groups field is not a valid issue for this
problem?
 

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.

   

dmesg of Firewall 1


dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 448 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,SSE
real mem  = 335114240 (319MB)
avail mem = 319672320 (304MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/10/99, BIOS32 rev. 0 @ 0xec700, SMBIOS rev. 2.1 @ 0xf20ba (46 entries)
bios0: vendor Compaq version 686T2 date 02/10/99
bios0: Compaq Deskpro EP/SB Series
apm0 at bios0: Power Management spec V1.2 (BIOS managing devices)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7360/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:20:0 (Intel 82371AB PIIX4 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xe0000/0x8000!
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0x4400, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
Matrox MGA G200 AGP rev 0x03 at pci1 dev 0 function 0 not configured
vga1 at pci0 dev 13 function 0 Matrox MGA G200 PCI rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 14 function 0 3Com 3c905B 100Base-TX rev 0x30: irq 11, address 00:10:5a:2e:0f:9e
exphy0 at xl0 phy 24: 3Com internal media interface
rl0 at pci0 dev 15 function 0 Realtek 8139 rev 0x10: irq 11, address 00:1d:0f:c4:0c:1d
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 16 function 0 Realtek 8139 rev 0x10: irq 11, address 00:1d:0f:c4:17:cb
rlphy1 at rl1 phy 0: RTL internal PHY
piixpcib0 at pci0 dev 20 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 20 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 6Y080L0
wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVD-ROM GDR8164B, 0L06 ATAPI 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 20 function 2 Intel 82371AB USB rev 0x01: irq 11
piixpm0 at pci0 dev 20 function 3 Intel 82371AB Power rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC133CL2
spdmem1 at iic0 addr 0x51: 128MB SDRAM non-parity PC100CL3
spdmem2 at iic0 addr 0x52: 64MB SDRAM non-parity PC66CL2
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1
biomask ff65 netmask ff65 ttymask 
mtrr: Pentium Pro MTRR support
uhidev0 at uhub0 port 2 configuration 1 interface 0 CC Technology Inc. HID Keyboard/Mouse PS/2 to USB Translator rev 2.00/1.64 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 2 configuration 1 interface 1 CC Technology Inc. HID Keyboard/Mouse PS/2 to USB Translator rev 2.00/1.64 addr 2
uhidev1: iclass 3/1, 3 report ids
ums0 at uhidev1 reportid 1: 5 buttons, Z dir
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=5, output=0, feature=0
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
syncing disks... done
rebooting...
OpenBSD

Re: pfsync nic problem.

2010-12-24 Thread Alessandro Baggi

On 12/23/2010 10:48 PM, Johan Beisser wrote:

On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:

   

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.


   

I still need your pf.conf.

   

ext="egress"
int="rl0"
dmz="rl1"
hostweb="172.16.2.3"
carpl="10.1.1.5"
carpw="192.168.1.84"
carpd="172.16.2.4"
pfsyncpeer="10.1.1.5"
pfsyncdev="rl0"

table <httpabuse> persist
table <httpsabuse> persist
table <sshblacklist> persist


# LIMIT and Policy

set block-policy drop
set fingerprints /etc/pf.os
set hostid 1
#set debug none
set limit states 7000
set limit tables 100
set limit table-entries 9
set limit frags 6000
set limit src-nodes 1
set optimization aggressive
set ruleset-optimization basic
set loginterface $ext
#set state-policy if-bound
#set state-defaults
set skip on lo0
set timeout tcp.established 900
set timeout tcp.closed 5
set timeout tcp.first 20
set timeout tcp.opening 20
set timeout tcp.closing 10
set timeout tcp.finwait 30


match all scrub (no-df, random-id, max-mss 1440)


# NAT

match out on $ext inet from $int:network to any nat-to (carp0:0)
match out on $ext inet from $dmz:network to any nat-to (carp0:0)
# RDR
match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021



# FILTERING RULES
# Block the http - https - sshd blacklists
block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any


# ANTISPOOFING RULES

antispoof log quick for { $int , $ext, $dmz }

# CARP RULES

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


# PFSYNC RULES

pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)


# DEFAULT DENY
block in log all
pass out all

anchor ftp-proxy/*


# LAN MACHINE RULES
pass in on $int from any to any

# DMZ RULES DOES NOT EXIST

Thanks in advance



Re: pfsync nic problem [SOLVED]

2010-12-24 Thread Alessandro Baggi

On 12/24/2010 10:25 AM, Alessandro Baggi wrote:

On 12/23/2010 10:48 PM, Johan Beisser wrote:

On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:


Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.



I still need your pf.conf.


ext="egress"
int="rl0"
dmz="rl1"
hostweb="172.16.2.3"
carpl="10.1.1.5"
carpw="192.168.1.84"
carpd="172.16.2.4"
pfsyncpeer="10.1.1.5"
pfsyncdev="rl0"

table <httpabuse> persist
table <httpsabuse> persist
table <sshblacklist> persist


# LIMIT and Policy

set block-policy drop
set fingerprints /etc/pf.os
set hostid 1
#set debug none
set limit states 7000
set limit tables 100
set limit table-entries 9
set limit frags 6000
set limit src-nodes 1
set optimization aggressive
set ruleset-optimization basic
set loginterface $ext
#set state-policy if-bound
#set state-defaults
set skip on lo0
set timeout tcp.established 900
set timeout tcp.closed 5
set timeout tcp.first 20
set timeout tcp.opening 20
set timeout tcp.closing 10
set timeout tcp.finwait 30


match all scrub (no-df, random-id, max-mss 1440)


# NAT

match out on $ext inet from $int:network to any nat-to (carp0:0)
match out on $ext inet from $dmz:network to any nat-to (carp0:0)
# RDR
match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021



# FILTERING RULES
# Block the http - https - sshd blacklists
block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any


# ANTISPOOFING RULES

antispoof log quick for { $int , $ext, $dmz }

# CARP RULES

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


# PFSYNC RULES

pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)


# DEFAULT DENY
block in log all
pass out all

anchor ftp-proxy/*


# LAN MACHINE RULES
pass in on $int from any to any

# DMZ RULES DOES NOT EXIST

Thanks in advance


Hi list. I've tried another NIC, the same model as xl0, and the problem was the 
same. The only thing left to check was the pf ruleset. All the carp rules were 
wrong. Then I tried with xl0 - rl2 and all works fine.


I've changed the rules:

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


in:

pass in quick on { $int, $ext, $dmz } proto carp keep state (no-sync)

Best regards and thanks for the time.



Another carp problem.

2010-12-30 Thread Alessandro Baggi
Hi list. I've installed two firewalls, 1 master and 1 backup. Running some 
tests to see if carp and pfsync work, I get this issue: the master fw works, 
all network connections work, then I disconnect the external interface 
cable of fw1 and carp0 goes into INIT, carp1 into BACKUP and carp2 into BACKUP; 
on fw2, carp0, carp1 and carp2 become MASTER. After 5/10 seconds, 
still with the cable disconnected, carp0 of firewall 1 is in INIT, 
carp1 and carp2 return to MASTER, and on fw2 carp0 is MASTER and 
carp1, carp2 become BACKUP; and every 5/10 seconds fw1: carp0 INIT carp1 
MASTER carp2 MASTER, after 5/10 seconds fw1 becomes carp0 INIT carp1 
BACKUP carp2 BACKUP and so on.


Then:

State before cable disconnection:

fw1               fw2
carp0: MASTER     carp0: BACKUP
carp1: MASTER     carp1: BACKUP
carp2: MASTER     carp2: BACKUP

State after cable disconnection:

fw1               fw2
carp0: INIT       carp0: MASTER
carp1: BACKUP     carp1: MASTER
carp2: BACKUP     carp2: MASTER

State after 5/10 seconds, still with disconnected cable:

fw1               fw2
carp0: INIT       carp0: MASTER
carp1: MASTER     carp1: BACKUP
carp2: MASTER     carp2: BACKUP

After another 5/10 seconds with disconnected cable:

fw1               fw2
carp0: INIT       carp0: MASTER
carp1: BACKUP     carp1: MASTER
carp2: BACKUP     carp2: MASTER

After another 5/10 seconds without cable:

fw1               fw2
carp0: INIT       carp0: MASTER
carp1: MASTER     carp1: BACKUP
carp2: MASTER     carp2: BACKUP

and so on...

these are my pf rules for carp and pfsync:

pass in quick proto pfsync
pass in quick proto carp

..
block in all
...


FW1 [MASTER]: net.inet.carp.preempt=1
FW2 [BACKUP]: net.inet.carp.preempt=0  (tried also with 1)

and these are my ifconfig outputs.


IFCONFIG FW1:


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
xl0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:10:5a:2e:0f:9e
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.84 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::210:5aff:fe2e:f9e%xl0 prefixlen 64 scopeid 0x1
rl0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1d:0f:c4:0c:1d
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.1.1.5 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 fe80::21d:fff:fec4:c1d%rl0 prefixlen 64 scopeid 0x2
rl1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1d:0f:c4:17:cb
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.2.4 netmask 0xffffff00 broadcast 172.16.2.255
        inet6 fe80::21d:fff:fec4:17cb%rl1 prefixlen 64 scopeid 0x3
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pfsync0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        pfsync: syncdev: rl0 maxupd: 128 defer: off
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: MASTER carpdev xl0 vhid 1 advbase 1 advskew 0 carppeer 192.168.1.85
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x6
        inet 192.168.1.33 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        priority: 0
        carp: MASTER carpdev rl0 vhid 2 advbase 1 advskew 0 carppeer 10.1.1.6
        groups: carp
        status: master
        inet 10.1.1.1 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x7
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        priority: 0
        carp: MASTER carpdev rl1 vhid 3 advbase 1 advskew 0 carppeer 172.16.2.5
        groups: carp
        status: master
        inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
        inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0x8

IFCONFIG FW2:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
xl0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:04:50:fe:c3
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.85 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:4ff:fe50:fec3%xl0 prefixlen 64 scopeid 0x1
rl0: 

Re: Another carp problem.

2010-12-30 Thread Alessandro Baggi
On 12/30/2010 08:43 PM, Johan Fredin wrote:
 On 30 dec 2010, at 19:58, Alessandro Baggi wrote:


 Hi list. I've installed two firewall, 1 master and 1 backup. Trying some 
 test to see if carp and pfsync works, I get this issue: fw master works, all 
 network connection works, then I disconnect che external interface cable of 
 fw1 and carp0 go in INIT, carp1 in BACKUP and carp2 in BACKUP, on fw 2, 
 carp0, carp1 and carp2 become MASTER. After 5/10 seconds, always with cable 
 disconnected, the carp0 of firewall 1 is in INIT, carp1 and carp2 return to 
 MASTER, and on fw2 the carp0 is MASTER and carp1, carp2 become BACKUP, and 
 each 5/10 seconds fw1: carp0 INIT carp1 MASTER carp2 MASTER, after 5/10 
 seconds fw1 become carp0 INIT carp1 BACKUP carp2 BACKUP and so on.
  
 [.. snip ..]


 FW1 [MASTER]: net.inet.carp.preempt=1
 FW2 [BACKUP]: net.inet.carp.preempt=0  (tried also with 1)
  
 [.. snip ..]


 I don't understand why carp0, carp1 and carp2 switch every 5/10 sec between 
 master and backup. Some issue?

 thanks in advance
  
 Afaik, the sysctl value net.inet.carp.preempt should be set to the same value 
 on both nodes. Are you sure you see the same behavior if you set that value 
 to 0 on both nodes, or alternatively to 1?

 /Johan



Hi Johan. Thanks for the reply. I've already tried to set 
net.inet.carp.preempt=1 on each firewall and the problem is the same. Now I've 
tried to set them to 0, and it seems to work. My question is, why does setting 
net.inet.carp.preempt to 1 on each firewall not work?
On the OpenBSD FAQ:

net.inet.carp.preempt
Allow hosts within a redundancy group that have a better advbase and
advskew to preempt the master. In addition, this option also enables
failing over a group of interfaces together in the event that one
interface goes down. If one physical CARP-enabled interface goes
down, CARP will increase the demotion counter, carpdemote, by 1 on
interface groups that the carp(4) interface is a member of, in
effect causing all group members to fail-over together.
net.inet.carp.preempt is 0 (disabled) by default. 

Another issue: with preempt enabled, removing the $ext iface cable, 
carp0 goes into INIT and it must force carp(0/1/2) to go into backup mode. 
Why is there not this behaviour?

Disabling preemption, if an interface goes down, do the group members 
fail over together?
Another question: is it the same thing to set all firewalls to 1 and to 0? 
Preempt allows a fw that was master to become master again ahead of 
the other backups, if its advbase and advskew are better than 
theirs; but if it is disabled, can the master without preempt not become 
master again without a carpdemote for the carp group? Is this the 
difference between 1 and 0?


thanks in advance.



Re: Another carp problem.

2010-12-31 Thread Alessandro Baggi

On 12/31/2010 05:45 PM, Patrick Lamaiziere wrote:

On Thu, 30 Dec 2010 19:58:21 +0100,
Alessandro Baggi alessandro.ba...@gmail.com wrote:

   

these are my pf rules for carp and pfsync:

pass in quick proto pfsync
pass in quick proto carp

..
block in all
...
 

And in output?

   

For output I have:
pass out all

To exclude also pf rules problem, I've tried a rule set as:

match...nat-to...

pass all

but the problem persists.

Other Issue?

thanks in advance




Re: Another carp problem.

2011-01-02 Thread Alessandro Baggi

On 01/02/2011 03:03 AM, Patrick Lamaiziere wrote:

On Fri, 31 Dec 2010 18:09:40 +0100,
Alessandro Baggi alessandro.ba...@gmail.com wrote:

   

To exclude also pf rules problem, I've tried a rule set as:

match...nat-to...

pass all

but the problem persists.

Other Issue?
 

Hmmm Ok, I don't know where the problem is.

I've recently made a lot of tests with carp and pfsync without any
problem (on 4.8/amd64). IMO it should work (but I don't use the
carp peer option).

One remark, you should use a dedicated interface for pfsync. In your
setup, rl0 is shared by pfsync and carp1. This makes no sense.

Best regards and happy new year to all.

   
Hi list and happy new year to all. Now, I've solved this problem temporarily 
using ifstated, and master and backup work fine. For the pfsync nic, 
in the past I used a dedicated nic for pfsync, but now, with xl0 for wan, 
rl0 for lan and rl1 for dmz, I must use rl0 since I only have 3 nics. I've read on the 
OpenBSD FAQ that we can use the same iface, but using IPsec.


Best regards
For now it's only testing, but in future



Re: Another carp problem.

2011-01-07 Thread Alessandro Baggi

On 01/06/2011 05:54 PM, Johan Fredin wrote:

On 2 jan 2011, at 10:42, Alessandro Baggi wrote:
   

Hi list and happy new year to all. Now, I've solve temporarly this problem 
using ifstated, and master and backup work fine. For pfsync nic, in past I had 
used a dedicated nic for pfsync but now cause xl0 for wan, rl0 for lan and rl1 
for dmz, I must use rl0 only 3 nic. I've read on OpenBSD FAQ that we can use 
the same iface, but using IPSec.

Best regards
For now it's only testing, but in future
 

Hi Alessandro,

As you say, it shouldn't be an issue to use a non-dedicated NIC for the 
pfsync/carp traffic. But your issue doesn't really have anything to do with pfsync, since 
it seems to be purely a carp issue.

What do your PF rules look like for the carp traffic? I saw in an earlier 
post that you pass everything out, but are you also letting the carp traffic in 
on both nodes?

/Johan


   

Hi Johan, for this problem I've reduced my pf.conf to:

pass in all
pass out all

on fw1 and fw2, and the carp interfaces communicate between them, the same as with 
the entire pf rule set. I've also tried to set the slave as master and 
vice versa, but the problem persists. I've solved this problem with 
ifstated: using a macro that detects when an iface goes down, 
ifstated sets advskew to 254 (demoted) and my backup becomes the master. 
Then, it seems that preempt is not set up to 1 on master and 
slave. Do you think the same?



thanks in advance



Security List

2011-02-05 Thread Alessandro Baggi
Hi List, I registered to the security list 
security-annou...@openbsd.org on 9 January 2011, but no email has come 
to my account. Can someone who has a security list subscription tell me if 
from 09/01/2001 to today there have been mails?


Thanks in advance



Re: Security List

2011-02-05 Thread Alessandro Baggi

Il 05/02/2011 20:35, Henning Brauer ha scritto:

* Alessandro Baggialessandro.ba...@gmail.com  [2011-02-05 20:33]:

Hi List, i had registered me to the security list:
security-annou...@openbsd.org since 9 Genuary 2011, but any email
come on my account.
Some that had security list subscribtion, can
tell me if since 09/01/2001 at today there are mails?

since 09/01/2001, yeah, a couple.
in 2011, no.

Ah ok. But does the security list concern bugs only for the OpenBSD set, or 
also for ports?


Thanks in advance



[OT] squid and https.

2011-02-11 Thread Alessandro Baggi
Hi list. I have a squid proxy with URL filtering and file AV scanning 
composed of OpenBSD 4.8 + squid-2.7-STABLE7 + squidGuard + havp; all 
works fine but I'm not able to get HTTPS traffic scanned. To get around this, 
we can use squid-3.1.11 with the ssl-bump feature.
At this point I've tried to set up this configuration on a Linux host, to 
avoid breaking my firewall, on Slackware 13.1 + squid-3.1.11 + sslbump + 
c-icap + squidclamav-6.0 + squidGuard + clamav.


from http://wiki.squid-cache.org/Features/SslBump:

Squid-in-the-middle decryption and encryption of straight CONNECT and 
transparently redirected SSL traffic, using configurable client- and 
server-side certificates. While decrypted, the traffic can be inspected 
using ICAP.


At this point no explanation of sslbump is needed.
All HTTP and HTTPS traffic will be scanned fine.

I've also tried to set up an env with: Slackware 13.1 + squid-3.1.11 + 
sslbump + havp + clamav + squidguard. The point is that, to get squid 
working with havp, I must insert a parent (cache_peer) to havp, and then 
when squid gets the request from a client, it sends the request to havp, 
and havp says (rightly) that the request is an invalid request, 
returning the havp page.
Is there a method to avoid this? Or is the problem related only to havp, 
which could not see HTTPS traffic?


Another question is about security. With this method, the SSL 
communication between the two endpoints is broken with squid in the 
middle; what are the security implications of using this method? Are there 
many pros versus cons to using this solution?


The last question: why does OpenBSD not get squid-3.x instead of 2.7-x?

Thanks in advance



Re: [OT] squid and https.

2011-02-11 Thread Alessandro Baggi

Il 11/02/2011 19:17, R0me0 *** ha scritto:

Hello Alessandro !

Try read this

If possible, coment after try :D

Regards,

spawn

2011/2/11 Alessandro Baggi alessandro.ba...@gmail.com 
mailto:alessandro.ba...@gmail.com


Hi list. I have a squid proxy with url filtering and file av scan
composed by OpenBSD 4.8 + squid-2.7-STABLE7 + squidGuard + havp,
all works fine but i'm not able to get https traffic scanned. To
avoid this, we can use squid-3.1.11 with ssl-bump feature.
At this point I've tried to set this configuration on a linux
host, to avoid to break my firewall, on Slackware 13.1 +
squid-3.1.11 + sslbump + c-icap + squidclamav-6.0 + squidGuard +
clamav.

from http://wiki.squid-cache.org/Features/SslBump:

Squid-in-the-middle decryption and encryption of straight CONNECT
and transparently redirected SSL traffic, using configurable
client- and server-side certificates. While decrypted, the traffic
can be inspected using ICAP.

At this point there's no needed examplation about sslbump.
All HTTP and HTTPS traffic will be scanned greatly.

I've tried also to set an env with: Slackware 13.1 + squid-3.1.11
+ sslbump + havp + clamav + squidguard. The point is that, to get
in work squid with havp, I must insert a parent (cache_peer) to
havp and then when squid get the request from a client, it sends
the request to havp, and havp tells (rightly) that the request is
an invalid request returning the havp page.
There is a method to avoid this? Or the problem is related only to
havp that could not see https traffic?

Another question is about security. With this method, the SSL
communication beetween two endpoint is broken with the squid in
the middle, what are the security implication using this method?
There are many pro in front of cons to use this solution?

The last question: why openbsd does not get squid-3.x instead 2.7-x?

Thanks in advance


Azz, this solution is very, very secure :D. Jokes aside, I've 
read something about this, and I wanted confirmation of it.

For my second question: cause squid-3 permit mitm.

Thanks for the reply.

Best regards



Re: a good audit tool ?

2011-03-04 Thread Alessandro Baggi

On 01/03/2011 19:47, Francois Pussault wrote:

he network are unix-like and some unix computers

OpenVAS based on nessus



OpenBSD MAC ACL

2011-03-25 Thread Alessandro Baggi
Hi list. I'm looking for software that performs MAC-ACL-based access 
control for the network and that, if possible, detects ARP poisoning 
and blocks it with pf.

Is there such software for OpenBSD?

Thanks in advance.



Re: OpenBSD MAC ACL

2011-03-25 Thread Alessandro Baggi

Il 25/03/2011 14:28, R0me0 *** ha scritto:

here: http://www.openbsd.org/faq/pf/tagging.html

Is a good point to start your journey

Regards,


2011/3/25 Alessandro Baggi alessandro.ba...@gmail.com 
mailto:alessandro.ba...@gmail.com


Hi list. I'm looking for a software that performs controls based
on MAC ACL for access to the network and that possible detects ARP
poisoning and block it with pf.
There is this software for OpenBSD?

Thanks in advance.


Thanks; if I haven't misunderstood, it is only for filtering MAC 
addresses and this is for bridges. Is it possible to make an association between 
IP and MAC?




ARP and libpcap

2011-04-04 Thread Alessandro Baggi
Hi list. I'm coding a little program with libpcap that captures ARP 
packets. In this program I try to cast an arphdr struct pointer onto the 
packet, to read the ARP packet parameters, and at this point I have the 
problem.


This is the code of the callback pcap_loop function:

void mac(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
        struct arphdr *arp = NULL;
        arp = (struct arphdr *) packet;
        printf("%d:%d:%d\n", arp->ar_sha[0], arp->ar_sha[1], arp->ar_sha[2]);

        return;
}

Compiling this source, I get the following error:

oad-cap.c: In function 'mac':
oad-cap.c:11: error: 'struct arphdr' has no member named 'ar_sha'
oad-cap.c:11: error: 'struct arphdr' has no member named 'ar_sha'
oad-cap.c:11: error: 'struct arphdr' has no member named 'ar_sha'

Now, I've seen in /usr/include/net/if_arp.h and get:

struct  arphdr {
        u_int16_t ar_hrd;       /* format of hardware address */
#define ARPHRD_ETHER    1       /* ethernet hardware format */
#define ARPHRD_IEEE802  6       /* IEEE 802 hardware format */
#define ARPHRD_FRELAY   15      /* frame relay hardware format */
#define ARPHRD_IEEE1394 24      /* IEEE 1394 (FireWire) hardware format */
        u_int16_t ar_pro;       /* format of protocol address */
        u_int8_t  ar_hln;       /* length of hardware address */
        u_int8_t  ar_pln;       /* length of protocol address */
        u_int16_t ar_op;        /* one of: */
#define ARPOP_REQUEST   1       /* request to resolve address */
#define ARPOP_REPLY     2       /* response to previous request */
#define ARPOP_REVREQUEST 3      /* request protocol address given hardware */
#define ARPOP_REVREPLY  4       /* response giving protocol address */
#define ARPOP_INVREQUEST 8      /* request to identify peer */
#define ARPOP_INVREPLY  9       /* response identifying peer */
/*
 * The remaining fields are variable in size,
 * according to the sizes above.
 */
#ifdef COMMENT_ONLY
        u_int8_t  ar_sha[];     /* sender hardware address */
        u_int8_t  ar_spa[];     /* sender protocol address */
        u_int8_t  ar_tha[];     /* target hardware address */
        u_int8_t  ar_tpa[];     /* target protocol address */
#endif
};

I've tried to #define COMMENT_ONLY, with no result. But I think that the solution is not #define COMMENT_ONLY.

I've searched on Google, also with no result.
Does someone know what this depends on?

Thanks in advance.



Re: ARP and libpcap

2011-04-05 Thread Alessandro Baggi
Ok, but my app must take those packets from the net for other operations. For this purpose I can also build my own structure to read the ARP parameters, but I'm trying to learn how to use the arphdr structure. Does someone have experience with it?


Thanks in advance.

On 05/04/2011 14:51, Jan Stary wrote:

On Apr 04 21:03:58, Alessandro Baggi wrote:

Hi list. I'm coding a little program with libpcap that captures ARP
packet.

Why? tcpdump arp


In this program I try to cast an  arphdr struct pointer to
the packet, to read ARP packet parameters, and in this point I have
the problem.

tcpdump -e arp

If you are sure you need to write your own code for this,
look at the source of tcpdump to see how they do it.


This is the code of the callback pcap_loop function:

    void mac(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
    {
        struct arphdr *arp = NULL;
        arp = (struct arphdr *) packet;
        printf("%d:%d:%d\n", arp->ar_sha[0], arp->ar_sha[1], arp->ar_sha[2]);
        return;
    }

Compiling this source, I get the following error:

oad-cap.c: In function 'mac':
oad-cap.c:11: error: 'struct arphdr' has no member named 'ar_sha'
oad-cap.c:11: error: 'struct arphdr' has no member named 'ar_sha'
oad-cap.c:11: error: 'struct arphdr' has no member named 'ar_sha'

Now, I've seen in /usr/include/net/if_arp.h and get:

    struct  arphdr {
        u_int16_t ar_hrd;   /* format of hardware address */
    #define ARPHRD_ETHER    1   /* ethernet hardware format */
    #define ARPHRD_IEEE802  6   /* IEEE 802 hardware format */
    #define ARPHRD_FRELAY   15  /* frame relay hardware format */
    #define ARPHRD_IEEE1394 24  /* IEEE 1394 (FireWire) hardware format */
        u_int16_t ar_pro;   /* format of protocol address */
        u_int8_t  ar_hln;   /* length of hardware address */
        u_int8_t  ar_pln;   /* length of protocol address */
        u_int16_t ar_op;    /* one of: */
    #define ARPOP_REQUEST   1   /* request to resolve address */
    #define ARPOP_REPLY     2   /* response to previous request */
    #define ARPOP_REVREQUEST 3  /* request protocol address given hardware */
    #define ARPOP_REVREPLY  4   /* response giving protocol address */
    #define ARPOP_INVREQUEST 8  /* request to identify peer */
    #define ARPOP_INVREPLY  9   /* response identifying peer */
    /*
     * The remaining fields are variable in size,
     * according to the sizes above.
     */
    #ifdef COMMENT_ONLY
        u_int8_t  ar_sha[]; /* sender hardware address */
        u_int8_t  ar_spa[]; /* sender protocol address */
        u_int8_t  ar_tha[]; /* target hardware address */
        u_int8_t  ar_tpa[]; /* target protocol address */
    #endif
    };

I've tried to #define COMMENT_ONLY, with no result. But I think that
the solution is not #define COMMENT_ONLY.
I've searched on Google, also with no result.
Does someone know what this depends on?

Thanks in advance.




Re: ARP and libpcap

2011-04-06 Thread Alessandro Baggi

On 06/04/2011 08:25, Jan Stary wrote:

On Apr 05 19:06:40, Alessandro Baggi wrote:

Ok, but my app must take those packet from the net for other
operation.

Huh? tcpdump/pcap also takes those packets from the net, of course.


For this purpose I can also build my own structure to see
arp parameter, but I'm trying to know how to use arphdr structure.

Why exactly do you need to write your own code for this,
replicating the functionality that already is in base?


Someone has experience about it?

Yes, libpcap does it somehow. Look at its source.

What is it that you actually want to do?

Hi Jan, I'm trying to make a program that maps a specified MAC address to a specified IP, and then gets information by capturing ARP packets on the specified NIC to see if some host changes its IP. I can do this by capturing TCP/UDP packets on a specified NIC and querying each host with ARP, but that can take more resources.
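As an added example (not code from this thread or from OpenBSD), this is how the variable-length fields that if_arp.h hides under COMMENT_ONLY can be read by hand once the 14-byte Ethernet header that precedes the ARP header in a pcap capture is skipped, followed by the IP-to-MAC change check Alessandro describes for spotting poisoning. All MAC and IP values and the two sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN       14
#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_IP   0x0800
#define ARPHRD_ETHER   1
#define ARPOP_REPLY    2

/* Decoded ARP packet (Ethernet/IPv4 only, so the arrays have fixed sizes). */
struct arp_info {
    uint16_t op;
    uint8_t  sha[6], spa[4], tha[6], tpa[4];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one Ethernet frame. With libpcap on a DLT_EN10MB interface the
 * `packet` pointer handed to the callback starts at the Ethernet header,
 * so the 8-byte fixed part of struct arphdr sits at offset ETH_HLEN and the
 * four variable-length fields follow it at offsets given by ar_hln/ar_pln.
 * Returns 0 on success, -1 for anything that is not a complete IPv4 ARP. */
int parse_arp(const uint8_t *frame, size_t len, struct arp_info *out)
{
    if (len < ETH_HLEN + 8 || be16(frame + 12) != ETHERTYPE_ARP)
        return -1;
    const uint8_t *arp = frame + ETH_HLEN;
    uint8_t hln = arp[4], pln = arp[5];              /* ar_hln, ar_pln */
    if (be16(arp) != ARPHRD_ETHER || be16(arp + 2) != ETHERTYPE_IP ||
        hln != 6 || pln != 4)
        return -1;
    if (len < ETH_HLEN + 8 + 2 * (size_t)hln + 2 * (size_t)pln)
        return -1;                                   /* truncated frame */
    const uint8_t *p = arp + 8;                      /* start of ar_sha */
    out->op = be16(arp + 6);                         /* ar_op */
    memcpy(out->sha, p, hln); p += hln;
    memcpy(out->spa, p, pln); p += pln;
    memcpy(out->tha, p, hln); p += hln;
    memcpy(out->tpa, p, pln);
    return 0;
}

/* Fixed-size IP -> MAC binding table. */
#define MAX_BINDINGS 64
struct binding   { uint8_t ip[4]; uint8_t mac[6]; };
struct arp_table { struct binding b[MAX_BINDINGS]; size_t n; };

/* Record the sender binding. Returns 1 if a known IP now claims a different
 * MAC (the condition worth alerting on), 0 if new or unchanged, -1 if full. */
int arp_table_observe(struct arp_table *t, const struct arp_info *a)
{
    for (size_t i = 0; i < t->n; i++) {
        if (memcmp(t->b[i].ip, a->spa, 4) != 0)
            continue;
        if (memcmp(t->b[i].mac, a->sha, 6) == 0)
            return 0;
        memcpy(t->b[i].mac, a->sha, 6);
        return 1;
    }
    if (t->n == MAX_BINDINGS)
        return -1;
    memcpy(t->b[t->n].ip, a->spa, 4);
    memcpy(t->b[t->n].mac, a->sha, 6);
    t->n++;
    return 0;
}

/* Constructed sample frames (not captured traffic): two ARP replies for
 * 10.0.0.5, the second one from a different MAC. */
#define MAC_GW    0x00,0x11,0x22,0x33,0x44,0x55
#define MAC_A     0x02,0x00,0x00,0x00,0x00,0x01
#define MAC_B     0x02,0x00,0x00,0x00,0x00,0x99
#define IP_GW     10,0,0,1
#define IP_HOST   10,0,0,5
#define ARP_FIXED 0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02  /* ether, ipv4, 6, 4, reply */
static const uint8_t reply_a[] = { MAC_GW, MAC_A, 0x08,0x06, ARP_FIXED, MAC_A, IP_HOST, MAC_GW, IP_GW };
static const uint8_t reply_b[] = { MAC_GW, MAC_B, 0x08,0x06, ARP_FIXED, MAC_B, IP_HOST, MAC_GW, IP_GW };

/* Feed the samples through the table; returns how many binding changes fired. */
int run_demo(void)
{
    const uint8_t *frames[] = { reply_a, reply_a, reply_b };
    size_t lens[] = { sizeof reply_a, sizeof reply_a, sizeof reply_b };
    struct arp_table t = { .n = 0 };
    struct arp_info a;
    int changes = 0;
    for (size_t i = 0; i < 3; i++) {
        if (parse_arp(frames[i], lens[i], &a) != 0)
            continue;
        if (arp_table_observe(&t, &a) == 1) {
            printf("MAC for %u.%u.%u.%u changed to %02x:%02x:%02x:%02x:%02x:%02x\n",
                   a.spa[0], a.spa[1], a.spa[2], a.spa[3],
                   a.sha[0], a.sha[1], a.sha[2], a.sha[3], a.sha[4], a.sha[5]);
            changes++;
        }
    }
    return changes;
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

In a real pcap callback, parse_arp() would be called on `packet` with `header->caplen` as the length, so a short snapshot length is rejected instead of read past.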




Re: ARP and libpcap

2011-04-06 Thread Alessandro Baggi

On 06/04/2011 15:26, Jan Stary wrote:

of of course
For some obscure reason :D, not really, to avoid problems such as poisoning for insecure services.




DNS reverse lookup from ip to CNAME

2011-04-18 Thread Alessandro Baggi
Hi list. I'm making a program that maps some IP addresses to a specified DNS name. My problem is related to CNAME records.
Suppose we have a Google IP, generated by a program, and we don't know that this IP points to www.google.it. This program tries to get the hostname and says that the specified IP points to:


 fra07s07-in-f103.1e100.net.


This name is obtained from gethostbyaddr();

Is there a method to know that fra07s07-in-f103.1e100.net is pointed to by www.google.it?


Trying a simple DNS query for www.google.it, I get

; <<>> DiG 9.7.3 <<>> www.google.it
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58155
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.it. IN  A

;; ANSWER SECTION:
www.google.it.  327389  IN  CNAME   www.google.com.
www.google.com. 586589  IN  CNAME   www.l.google.com.
www.l.google.com.   165 IN  A   209.85.148.104
www.l.google.com.   165 IN  A   209.85.148.105
www.l.google.com.   165 IN  A   209.85.148.106
www.l.google.com.   165 IN  A   209.85.148.147
www.l.google.com.   165 IN  A   209.85.148.99
www.l.google.com.   165 IN  A   209.85.148.103

;; AUTHORITY SECTION:
google.com. 282625  IN  NS  ns2.google.com.
google.com. 282625  IN  NS  ns3.google.com.
google.com. 282625  IN  NS  ns1.google.com.
google.com. 282625  IN  NS  ns4.google.com.

;; ADDITIONAL SECTION:
ns3.google.com. 240988  IN  A   216.239.36.10
ns4.google.com. 240988  IN  A   216.239.38.10
ns1.google.com. 240988  IN  A   216.239.32.10
ns2.google.com. 240988  IN  A   216.239.34.10

;; Query time: 0 msec
;; SERVER: 10.1.1.5#53(10.1.1.5)
;; WHEN: Mon Apr 18 11:54:33 2011
;; MSG SIZE  rcvd: 311

It says that www.google.it is a CNAME that points to www.google.com, which points to www.l.google.com, and that www.l.google.com. points to some addresses.
Supposing that I have the IP 209.85.148.104, is it possible (knowing only the IP) to go back to the CNAME record www.google.it?


I've tried this:

dig -x 209.85.148.104:

; <<>> DiG 9.7.3 <<>> -x 209.85.148.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64966
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;104.148.85.209.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
104.148.85.209.in-addr.arpa. 69495 IN   PTR fra07s07-in-f104.1e100.net.

;; AUTHORITY SECTION:
148.85.209.in-addr.arpa. 70180  IN  NS  ns4.google.com.
148.85.209.in-addr.arpa. 70180  IN  NS  ns3.google.com.
148.85.209.in-addr.arpa. 70180  IN  NS  ns1.google.com.
148.85.209.in-addr.arpa. 70180  IN  NS  ns2.google.com.

;; ADDITIONAL SECTION:
ns4.google.com. 240552  IN  A   216.239.38.10
ns1.google.com. 240552  IN  A   216.239.32.10
ns2.google.com. 240552  IN  A   216.239.34.10
ns3.google.com. 240552  IN  A   216.239.36.10

;; Query time: 0 msec
;; SERVER: 10.1.1.5#53(10.1.1.5)
;; WHEN: Mon Apr 18 12:01:49 2011
;; MSG SIZE  rcvd: 231

and then, querying the Google DNS:

 dig @ns1.google.com -x 209.85.148.104

; <<>> DiG 9.7.3 <<>> @ns1.google.com -x 209.85.148.104
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62862
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;104.148.85.209.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
104.148.85.209.in-addr.arpa. 86400 IN   PTR fra07s07-in-f104.1e100.net.

;; Query time: 46 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Mon Apr 18 12:02:15 2011
;; MSG SIZE  rcvd: 85

and this is the deepest level that I can obtain.
I've also tried with another domain (www.cnr.it) and, using this method, I can get from the IP address that it points to www.cnr.it. The only difference is that in the cnr DNS, www.cnr.it is not a CNAME record but an IN record.


Could someone point me in the right direction?

Thanks in advance



kvm and Openbsd 5.1

2012-07-20 Thread Alessandro Baggi

Hi list,
today I've installed OpenBSD 5.1 amd64 on kvm (Linux Slackware); the kvm version is 1.0.1.

Starting the machine with 4 cores and bsd.mp, it crashes.
Disabling mpbios, it sees only one core and no SMP.

Then I've updated kvm to 1.1.1, but the results are the same.

Is there someone who has started OpenBSD on kvm and avoided this problem?

Is this problem kvm related?

Another question: has someone tried OpenBSD 5.1 on ESX?

Thanks in advance.



Re: kvm and Openbsd 5.1

2012-07-22 Thread Alessandro Baggi

Ok zz,

I will give it a try with i386.


On 07/22/2012 06:10 PM, z...@sdf.org wrote:

On Fri, Jul 20, 2012 at 07:29:03PM +0200, Alessandro Baggi wrote:

There is someone that has started obsd on kvm and avoid this problem?

This problem is kvm related?

Another, someone has tried obsd 5.1 on ESX?

I am running OpenBSD 5.1 and a bunch of NetBSD guests with kvm and
everything works as expected.

They are all i386 machines, so you should try that instead of amd64.




su and passwd

2012-09-14 Thread Alessandro Baggi

Hi list,
today I logged on to my OpenBSD box, and when I changed the root password I got this:



$ uname -pmrsv
OpenBSD 5.1 GENERIC.MP#207 amd64 amd64
$ whoami
userlog
$ echo $USER
userlog
$ su
Password:
# passwd
Changing local password for userlog.
New password:
Password unchanged.
# echo $USER
userlog
#


Logging in with a user called userlog, running su, then running passwd as root, it says that I'm changing the password for userlog.


From the manual page I get:

     By default, the environment is unmodified with the exception of LOGNAME,
     HOME, SHELL, and USER.  HOME and SHELL are set to the target login's
     default values.  LOGNAME and USER are set to the target login, unless the
     target login has a user ID of 0 and the -l flag was not specified, in
     which case it is unmodified.  The invoked shell is the target login's.
     This is the traditional behavior of su

Running su -l works fine.

Why, if the user ID is == 0 and there's no -l, is $USER not set? What is the policy?


I've tried this also on OpenBSD 4.9 with same result.

Thanks in advance.

Alessandro.



Re: Ports security updates in 5.1 or 5.2

2012-09-17 Thread Alessandro Baggi

Hi list,
sorry for being late, but you are talking about updates, and I've a question about this.


I'm installing software precompiled using pkg_add -r 
ftp://ftp.openbsd.org/../openvpn-version.tgz


How can I see if there are updates/security fixes for openvpn?

From the ports ML?

Thanks in advance.



On 09/01/2012 07:26 AM, Tomas Bodzar wrote:

On Fri, Aug 31, 2012 at 6:06 PM, Sébastien Marie
semarie-open...@latrappe.fr  wrote:

On Thu, Aug 30, 2012 at 06:52:15PM +, Stuart Henderson wrote:

On 2012-08-30, Sébastien Mariesemarie-open...@latrappe.fr  wrote:

I have not used all previous ports, and some are used in a safe way (like

using the postgresql port, but not for a server). It is just a question of knowing what
to follow, in order to keep updated...

really, in order to keep updated, following -current is a good policy.

sure, updates in -current are fresher! but the investment may be

significant, as it is required to upgrade the system before adding or upgrading
ports...

I think I will consider installing -current on an external disk, in order to

see and learn upgrade process (via snapshots) before definitively switch to
-current on my laptop.

You will find it very quick and easy:

boot bsd.rd and choose (U)pgrade
reboot
sysmerge -s $ -x $
maybe reboot
check current.html for possible manual steps
pkg_add -ui

It's possible to have modest machine to be completely updated in about
10 minutes completely binary way.


Thanks Stuart.
--
Sebastien Marie




Re: Ports security updates in 5.1 or 5.2

2012-09-18 Thread Alessandro Baggi

Hi Robert,
thanks for the tips.

If I give -u without parameters, will it update the whole system or only the installed packages?

Another question: is it useful to read the ports ML for updates and vulnerabilities?
Thanks in advance.


On 09/18/2012 02:16 AM, Robert Connolly wrote:
See 'man pkg_add'... the -a, -u, -n, and -i options might be of 
interest to you.


I use pkg_add -a -u






Re: Ports security updates in 5.1 or 5.2

2012-09-18 Thread Alessandro Baggi

ah, sorry,
but when running pkg_add -a -u must I also give ftp://ftp.openbsd.org/pathamd64repo/... ?




On 09/18/2012 07:56 PM, Alessandro Baggi wrote:

Hi Robert,
thanks for the tips.

If I give -u without parameters, it will update all system or only 
installed packages?


Another, it's useful read Ports ml for update and vulnerability?

Thanks in advance.






OpenVPN and OBSD 5.1

2012-10-16 Thread Alessandro Baggi

Hi list,
I'm setting up a VPN with OpenVPN on OpenBSD 5.1 amd64 (not IPsec, because I still don't know how to use it well; that will be the next study).


My configuration is 1:N. No problem with CA, key and cert creation.

I have this scenario:

 1 firewall (Snapgear), not OpenBSD and managed by other people.
 2 A network with different servers.


I've installed OpenBSD 5.1 and openvpn on a VM, generating certificates, keys, etc.


Firewall: 192.168.0.1
OBSD: 192.168.0.118 on port 10194 (10.0.8.1 - 10.0.8.2)
FTPSVR: 192.168.0.115
Remote Client: 10.0.8.5 - 10.0.8.6

When a client connects to the openvpn server, the handshake goes well, the client connects and receives a fixed IP from the server. At this point the client can communicate with the virtual IP of the server and the local openvpn server IP, and can send packets to other servers on the openvpn server's LAN (the remote LAN).
The other server gets the packet and replies to it, but (obviously) the reply does not reach the openvpn client because there is no route for packets to 10.0.8.0/24. All traffic flow has been monitored with tcpdump on the openvpn server and on FTPSVR, and all packets go in the right direction.


I've read in the past that I must insert a route on the bastion host (the Snapgear firewall) saying that packets for the 10.0.8/24 network must be routed to 192.168.0.118 (the openvpn server).


I've asked the firewall admin to add a route for this purpose, but he says this is not secure. Why is this not secure?


Are there methods other than routing rules, such as NAT, for this purpose?



Thanks in advance. Alessandro.



Re: OpenVPN and OBSD 5.1

2012-10-17 Thread Alessandro Baggi
Hi list,
thanks for replies.

Luis, then I must have on @snapgear a route rule such as:

10.0.8.0/24 - 192.168.0.118?

Must it be considered insecure?

Thanks in advance.



2012/10/16 pavel pocheptsov lilit-aibo...@mail.ru

 Also in case of rejection adding route to your box, you have to
 add source NAT for packets coming from vpn net on local_if.

 Tue, 16 Oct 2012 13:08:23 -0600 from Luis Coronado lcoron...@ticoit.com:

  No, you need to have that route rule in place @snapgear in order to get
  the reply from the server.

  -luis

  On Tue, Oct 16, 2012 at 12:52 PM, Alessandro Baggi
  alessandro.ba...@gmail.com wrote:

   Hi list,
   i'm setting up a vpn with OpenVPN on OpenBSD 5.1 amd64. (Not IPSec
   because I still do not know how to use well, this will be the next study).



Squid proxy

2013-03-10 Thread Alessandro Baggi

Hi list,
I'm planning to set up a Squid proxy for a network with about 120 users.
I don't have much experience with proxying networks that have over 20 users.
For this scenario, is a transparent or a non-transparent proxy better?

I've searched on the web but can't find real-experience pros and cons of these two methods.

Does someone have experience with transparent vs non-transparent proxies, problems found with these two methods, etc.?

Another question is about DansGuardian. Several people say that it seems to be dead. Is that true?


Thanks in advance.



Re: Squid proxy

2013-03-10 Thread Alessandro Baggi

On 03/10/2013 12:49 PM, Jiri B wrote:

On Sun, Mar 10, 2013 at 12:38:35PM +0100, Alessandro Baggi wrote:

Hi list,
I'm planning to set up a Squid proxy for a network with about 120 users.
I don't have much experience with proxying networks that have over 20 users.
For this scenario, is a transparent or a non-transparent proxy better?


Non-transparent. Then everything which tries to leave your network
without going via mandatory http proxy is suspicious. Easy to detect,
easy to troubleshoot.

jirib



Hi jirib,
but if Squid has problems (bad configuration, machine failure without failover) there are 120 PCs that try to communicate with a failed proxy. At that point, how to solve it? With a transparent proxy I can remove the redirect rule and forward web traffic directly to the internet, but with a non-transparent proxy there are 120 PCs to reconfigure.


Do you know something about Dansguardian status?

Thanks in advance.



Re: Squid proxy

2013-03-10 Thread Alessandro Baggi

On 03/10/2013 05:21 PM, Sven Thomsen wrote:

Hi,


but if Squid has problems (bad configuration, machine failure without
failover) there are 120 PCs that try to communicate with a failed
proxy. At that point, how to solve it? With a transparent proxy I can remove the
redirect rule and forward web traffic directly to the internet but with a
non-transparent proxy there are 120 PCs to reconfigure.


Did you try proxy auto-configuration?

http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/web-browser-auto-proxy-configuration.html

http://www.proxypacfiles.com/proxypac/

http://findproxyforurl.com/

Sven



Thanks Sven. Good resources.



Re: OpenBSD + pf + DPI

2015-12-02 Thread Alessandro Baggi
I'm not looking for an all-in-one software solution for DPI, but asking if there is some software in base/ports to accomplish this purpose, and if someone has configured a DPI solution with OpenBSD (personal experiences). My question was malformed, sorry.



On 02/12/2015 13:25, Romain FABBRI wrote:

I don't understand your purpose

What specific protocols would you like to inspect deeply ?

Because there is no complete base/port solution that I am aware of.
And the idea sounds crazy.

Some vendors have filters/plugins/proxies that are application aware...
And it's often disabled by admins because it makes the applications which
don't comply strictly fail


-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Alessandro Baggi
Sent: Wednesday 2 December 2015 12:45
To: misc@openbsd.org
Subject: OpenBSD + pf + DPI

Hi list,
I don't know how to start doing Deep Packet Inspection. My interest is
OpenBSD and pf related.

Has anyone already done it on OpenBSD? Is it possible on OpenBSD with shipped
(base/ports) software?

Every tip is appreciated.

Thanks in advance.




OpenBSD + pf + DPI

2015-12-02 Thread Alessandro Baggi

Hi list,
I don't know how to start doing Deep Packet Inspection. My interest is OpenBSD and pf related.

Has anyone already done it on OpenBSD? Is it possible on OpenBSD with shipped (base/ports) software?

Every tip is appreciated.

Thanks in advance.



Re: OpenBSD help

2015-12-15 Thread Alessandro Baggi

On 15/12/2015 17:41, Jan Stary wrote:

On Dec 15 17:07:59, alessandro.ba...@gmail.com wrote:

Hi list,
I've a firewall on an apu1D running OpenBSD.
Today during a simple management, I've noticed that the system is up since 1
day and 23 hours. Running "cat authlog" I see that the last two logged
session are:

Dec 2 at 12 and today.
Running "last" I see:
myuser  (current session) (still logged in)
reboot ~Sun Dec 13 18:06




Maybe Hacked?
Someone can help me to find what happened?


So your machine rebooted around Dec 13 18:06.
I would guess a power failure.




My machines are under UPS, and on Sun 13 all machines were off and there was no general blackout.

Maybe it is the cable, but I'm not sure. I will check for the next "false reboot".

> from last(1)
>   The pseudo-user ``reboot'' logs in at reboots of the system; thus
>   last reboot will give an indication of mean time between reboot.

I had read the last manual before posting on the ML, but thanks for the tips.



OpenBSD help

2015-12-15 Thread Alessandro Baggi

Hi list,
I've a firewall on an apu1D running OpenBSD.
Today, during some simple management, I noticed that the system has been up for 1 day and 23 hours. Running "cat authlog" I see that the last two logged sessions are:


Dec 2 at 12 and today.
Running "last" I see:
myuser  (current session) (still logged in)
reboot ~Sun Dec 13 18:06


In my configuration I don't give access from WAN and DMZ. Access is only from the LAN, SSH key based (the key is on a USB drive), and from the console, and the console machine has been off since installation.

Reading other log files (messages.X.gz, daemon.X.gz...) I can't find anything useful.

I don't think there is an automatic (magic) reboot, and I've no personal script or anything else configured.

Maybe hacked?

Can someone help me find out what happened?

Thanks in advance.



Re: NSD/Unbound clarifications

2015-11-25 Thread Alessandro Baggi

Thanks for all the clarifications about NSD/Unbound usage.
I've another question about DNS dynamic updates for dhcpd.
With named, installing isc-dhcp allowed dynamic DNS updates from dhcpd.
Is it possible with unbound/NSD?
From Google I can't find a valid answer.

In my case, I've read the unbound man pages but it seems that this is not supported. The only useful command is in unbound-control, which can help to add/remove zones and data for a zone.


Thanks in advance.


On 24/11/2015 20:00, Christopher Sean Hilton wrote:

On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:

Hi list,
I switched from OpenBSD 5.3 to pfSense to try it. Now I want to come back to
OpenBSD. I prefer it.



Great choice.

[snip]




NSD/Unbound clarifications

2015-11-23 Thread Alessandro Baggi

Hi list,
I switched from OpenBSD 5.3 to pfSense to try it. Now I want to come back to OpenBSD. I prefer it.


Today the latest version is 5.8, and since 5.6 named has been replaced by nsd and unbound.


The first is only authoritative and the other is 
recursive/forwarder/caching/validating/authoritative.


In my last valid OpenBSD config, I used named for my LAN (not exposed on the internet) only for LAN DNS serving, with recursion and a forwarder.


Now today I've nsd and unbound that I can use on my firewall.
I don't need an authoritative server, so I should use unbound.
nsd and unbound have similar syntax, and reading from the web I can resolve DNS with each of them.

Now I'm confused... which one to use? Correct me if I'm wrong:

1) I must use only nsd for an authoritative server (internet exposed) for my hypothetical zone (can I use it in my LAN as a DNS resolver?).

2) I can use only unbound for LAN DNS resolving/caching/validating with zones if an authoritative domain is not needed.

3) I can use nsd for the authoritative server (internet exposed) and for the LAN use unbound as recursive/cache DNS together with the authoritative server.

4) I can use unbound as an authoritative server and for recursion and other things.

5) NSD is best for authoritative and unbound for the other things.



OBSD 5.8 and console

2015-11-22 Thread Alessandro Baggi

Hi list,
I've an APU1D where I want to install OpenBSD 5.8 amd64. The only option that I have is to install from the console.

I've downloaded install58.fs and modified /etc/boot.conf adding:
set tty com0
(saved)

During boot it recognizes the OpenBSD install media, then prints this message:
switching to com0

after this I can't receive any output on the terminal console (in my case screen from Linux) and don't know what happens.

Can someone point me in the right direction?

Thanks in advance.



Re: OBSD 5.8 and console

2015-11-22 Thread Alessandro Baggi

Thanks Jan,
I was connecting at 115200 baud; I tried the default and it works.

Sorry for my distraction.

On 22/11/2015 17:32, Jan Vlach wrote:

Hi Alessandro,

what's the baud rate of the APU?  (in APU bios ...)

man boot.conf says, that openbsd's default is 9600.  (look for stty)

I did some ALIX installs in the past, I vaguely remember that I had to change 
this from 115200 to 9600 in the ALIX BIOS ...

Jan

On Sun, Nov 22, 2015 at 05:13:23PM +0100, Alessandro Baggi wrote:

Hi list,
I've an APU1D where I want install OpenBSD 5.8 amd64. The only option that I
have is install from console.

I've downloaded install58.fs and modified /etc/boot.conf adding:
set tty com0
(saved)

During boot it recognizes obsd install media then print this message:
switching to com0

after this I can't receive any output from terminal console (in my case
screen from linux) and don't know what happen.

Can someone point me in the right direction?

Thanks in advance.




Re: OBSD 5.8 and console

2015-11-22 Thread Alessandro Baggi

On 22/11/2015 17:22, Alexander Salmin wrote:

I have a similar setup. Kill your screen, and connect again, usually
works for me.

On 2015-11-22 17:13, Alessandro Baggi wrote:

set tty com0





Thanks Alexander,
problem not solved; after restarting the session I still have no output.



Re: OBSD 5.8 and console

2015-11-22 Thread Alessandro Baggi

On 22/11/2015 17:44, Mike Bregg wrote:

On 2015-11-22 09:13, Alessandro Baggi wrote:

Hi list,
I've an APU1D where I want install OpenBSD 5.8 amd64. The only option
that I have is install from console.

I've downloaded install58.fs and modified /etc/boot.conf adding:
set tty com0
(saved)

During boot it recognizes obsd install media then print this message:
switching to com0

after this I can't receive any output from terminal console (in my
case screen from linux) and don't know what happen.

Can someone point me in the right direction?

Thanks in advance.


The default baud rate for your APU is probably 115200bps.  OpenBSD will
be set to 9600.  You can either change the baud rate to 115200 in
boot.conf (stty com0 115200), or connect your screen session at 9600bps.



Yes, my APU is 115200bps. Installation performed at 9600. Administration set to 115200.


Thanks for support.



Re: NSD/Unbound clarifications

2015-11-23 Thread Alessandro Baggi

Thanks for the clarification.
Unbound is configured and works well.
Another question about unbound "capacity".
I've configured unbound for a small network. What is the "maximum capacity" of Unbound? Is it suitable for big networks?


On 23/11/2015 13:28, Dahlberg, David wrote:

On Monday, 23.11.2015, 12:24 +0100, Alessandro Baggi wrote:


Today, the last version is 5.8 and from 5.6 named was replaced from
nsd
and unbound.

The first is only authoritative and the other is
recursive/forwarder/caching/validating/authoritative.


Right. Except that unbound is not really intended to work as an
authoritative server, except maybe for a tiny local stub zone.


Now today I've nsd and unbound that I can use on my firewall.
I don't need authoritative server, and I should use unbound.


Correct.


nsd and unbound have similar syntax and I reading from web I can
resolve
dns with each of them.


Wrong. You cannot use nsd as a resolver. It is authoritative only.


Now I'm confused...who use?


You want to announce your domain to the whole internet? Use NSD.
You want to resolve internet domain names for your clients? Use unbound.
You want to do both? Use both.


  Correct me if I'm wrong:

1) I must use only nsd for authoritative server (internet exposed) for
my ipotetic zone (I can use it in my lan for dns resolver?).


No. It is not a resolver. It won't answer to queries for domains that it
does not host.



2) I can use only unbound for lan dns resolving/caching/validating
with
zones if not needed an authoritative domain.


Correct.


3) I can use nsd for authoritative server (internet exposed) and for
lan
use unbound as recursive/cache dns with the authoritative server.


With the authoritative server being nsd, right.


4) I can use unbound as authoritative server and for recursing and
other.


You seem to confuse the concepts of authoritative and recursing. The
authoritative server is the Facebook DNS server that answers queries for
the facebook.com domain. Just for that domain. It won't answer queries
for other domains nor queries that have the "recurse" flag set.

A resolver is typically located at your provider. You query it for any
domain and it will happily resolve that query for you (by querying the
authoritative servers). See https://en.wikipedia.org/wiki/Domain_Name_System
image in chapter "Address resolution mechanism": The "DNS recurser"
in the image is the resolver, the "root/org/wikipedia.org nameservers"
are authoritative ones.

Unbound is a resolver. It may also have authoritative functions for a
small local zone (e.g. "mylaptop.local", "myfileshare.local" and
"mytv.local"). But if you really want to host a domain, you should use
NSD instead.



5) NSD is best for authoritative serving and unbound for other things.


NSD is /only/ useful as an authoritative server (i.e. serving a zone).
It cannot resolve.

Unbound is most useful for resolving DNS names (i.e. you send it a
query, it will figure out the answer).

Here is how it works:
(1) Your clients (PC, Laptop, Playstation) will send queries to the
resolver (e.g. dnsmasq, unbound, bind9), asking it for IP addresses for
openbsd.org, gmail.com and sony.com.
(2) The resolver will send queries to the authoritative nameservers
(e.g. bind9, nsd) of Root, Verisign (.com and .org), Google (gmail.com),
OpenBSD and Sony to find out the requested IP addresses.
(3) The resolver will return the result to your clients.

Bind9 of the Internet Systems Consortium just happens to be a piece of
software that can do both jobs: it can be a resolver, or an authoritative
nameserver, or even both at the same time.

NLnet Labs decided not to go that way. They created software just for
the authoritative nameserver task (NSD) and one for the resolver task
(unbound).


Cheers
David
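
A toy model of the split David describes, added here as an example and not
code from the thread or from NLnet Labs: an nsd-like authoritative server that
knows exactly one zone and refuses everything else regardless of the RD flag,
and an unbound-like resolver that chases referrals from root hints, caches
answers, and can serve a tiny local zone itself. The zones, server names and
addresses are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation
ranges); the "network" is a dict standing in for UDP.

```python
# Added example (not from the thread): a toy model of the split David describes
# between an authoritative server (nsd-like) and a recursive resolver
# (unbound-like). Zones, names and addresses are constructed; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real servers.
from dataclasses import dataclass, field


@dataclass
class Answer:
    rcode: str                                    # NOERROR, NXDOMAIN or REFUSED
    records: list = field(default_factory=list)   # (name, type, value)
    referral: list = field(default_factory=list)  # (ns_name, ns_addr) glue


class Authoritative:
    """Knows exactly one zone. Ignores the RD flag and refuses anything
    outside its zone: David's Facebook-nameserver point."""

    def __init__(self, zone, records, delegations=None):
        self.zone = zone                          # "" is the root zone
        self.records = records                    # {(name, type): value}
        self.delegations = delegations or {}      # {child_zone: [(ns, addr)]}

    def in_zone(self, name):
        return self.zone == "" or name == self.zone or name.endswith("." + self.zone)

    def query(self, name, qtype, rd=False):       # rd is accepted and ignored
        if not self.in_zone(name):
            return Answer("REFUSED")              # not our domain, RD or not
        for child, glue in self.delegations.items():
            if name == child or name.endswith("." + child):
                return Answer("NOERROR", referral=glue)   # go ask the child zone
        value = self.records.get((name, qtype))
        if value is None:
            return Answer("NXDOMAIN")
        return Answer("NOERROR", records=[(name, qtype, value)])


class Resolver:
    """Chases referrals from the root hints down, caches answers, and can
    serve a tiny local zone itself (the "mylaptop.local" case)."""

    def __init__(self, root_hints, network, local_data=None):
        self.root_hints = root_hints              # [(ns_name, ns_addr)]
        self.network = network                    # {addr: Authoritative}, stands in for UDP
        self.local_data = local_data or {}        # {(name, type): value}
        self.cache = {}
        self.queries_sent = 0

    def resolve(self, name, qtype="A"):
        if (name, qtype) in self.local_data:
            return self.local_data[(name, qtype)]
        if (name, qtype) in self.cache:
            return self.cache[(name, qtype)]
        servers = list(self.root_hints)
        for _ in range(10):                       # bound the referral chase
            for _ns_name, addr in servers:
                server = self.network.get(addr)
                if server is None:
                    continue                      # unreachable hint, try the next one
                self.queries_sent += 1
                ans = server.query(name, qtype)
                if ans.rcode == "REFUSED":
                    continue
                if ans.referral:
                    servers = ans.referral        # descend one label
                    break
                if ans.rcode == "NXDOMAIN":
                    return None
                value = ans.records[0][2]
                self.cache[(name, qtype)] = value
                return value
            else:
                return None                       # nobody at this level answered
        return None


def build_sample():
    """Constructed topology: root -> org -> example.org, plus one dead root hint."""
    org_ns = [("a.org-servers.test", "192.0.2.2")]
    example_ns = [("ns1.example.org", "192.0.2.3")]
    root = Authoritative("", {}, delegations={"org": org_ns})
    org = Authoritative("org", {}, delegations={"example.org": example_ns})
    example = Authoritative("example.org", {("www.example.org", "A"): "198.51.100.10"})
    network = {"192.0.2.1": root, "192.0.2.2": org, "192.0.2.3": example}
    hints = [("dead.root-servers.test", "192.0.2.250"),   # unreachable on purpose
             ("a.root-servers.test", "192.0.2.1")]
    resolver = Resolver(hints, network, local_data={("mylaptop.local", "A"): "10.0.0.5"})
    return resolver, example


def demo():
    """Run the scenarios from the thread and return what each produced."""
    resolver, example = build_sample()
    out = {}
    out["first"] = (resolver.resolve("www.example.org"), resolver.queries_sent)   # 3 queries
    out["cached"] = (resolver.resolve("www.example.org"), resolver.queries_sent)  # still 3
    out["local"] = (resolver.resolve("mylaptop.local"), resolver.queries_sent)    # still 3
    out["refused"] = example.query("www.sony.test", "A", rd=True).rcode           # REFUSED
    out["nxdomain"] = (resolver.resolve("nope.example.org"), resolver.queries_sent)  # 6
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The REFUSED path is the whole reason nsd cannot stand in for a resolver, and the resolver is the piece that has to be reachable only by your own clients: in this model that is the `network` dict, in real unbound it is the access-control list.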




Re: 5.8 EOL

2016-12-02 Thread Alessandro Baggi

On 02/12/2016 00:47, OpenBSD lists wrote:

Alessandro Baggi wrote:

On 01/12/2016 17:01, Marko Cupać wrote:

On Thu, 1 Dec 2016 15:59:41 +0100
Alessandro Baggi <alessandro.ba...@gmail.com> wrote:


Hi list,
Some years ago I installed OpenBSD 5.8 on an apu with 3 nics.
I've tried to search but no luck. What is the EOL for OpenBSD 5.8?

Thanks in advance.



https://www.openbsd.org/faq/faq5.html#Flavors

AFAIK once 6.0 is out, 5.8 becomes unsupported (EOS). But by no means
does its life end (EOL). I have just upgraded 2 boxes that were at 5.5,
but were quite alive and kicking :)

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Then, when 6.1 is released,

Somewhere between March and May of next year.  Depends on when the code
is in a releasable state.


5.9 will become unsupported.

Yep, it won't be getting patches anymore.


How do you provide security patches for 5.5?

We don't.  Supporting a release that old would require quite a lot more
volunteers to back-port and test every patch that would apply and we'd
rather not waste resources on supporting the old stuff and use our time
to move the project forward.  Upgrading is painless and major changes
are very rare, so I can't think of any compelling reasons to stay on an
old version (well, unless it is the last version your platform supports)





Thanks to all for your answer.

It's time to upgrade.

Best regards.



Re: 5.8 EOL

2016-12-03 Thread Alessandro Baggi

On 02/12/2016 23:30, Erling Westenvik wrote:

On Fri, Dec 02, 2016 at 02:43:01PM +0100, Alessandro Baggi wrote:

On 02/12/2016 00:47, OpenBSD lists wrote:

Alessandro Baggi wrote:

On 01/12/2016 17:01, Marko Cupać wrote:

On Thu, 1 Dec 2016 15:59:41 +0100
Alessandro Baggi <alessandro.ba...@gmail.com> wrote:


Hi list,
Some years ago I installed OpenBSD 5.8 on an apu with 3 nics.
I've tried to search but no luck. What is the EOL for OpenBSD 5.8?

Thanks in advance.



https://www.openbsd.org/faq/faq5.html#Flavors

AFAIK once 6.0 is out, 5.8 becomes unsupported (EOS). But by no means
does its life end (EOL). I have just upgraded 2 boxes that were at 5.5,
but were quite alive and kicking :)

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Then, when 6.1 is released,

Somewhere between March and May of next year.  Depends on when the code
is in a releasable state.


5.9 will become unsupported.

Yep, it won't be getting patches anymore.


How do you provide security patches for 5.5?

We don't.  Supporting a release that old would require quite a lot more
volunteers to back-port and test every patch that would apply and we'd
rather not waste resources on supporting the old stuff and use our time
to move the project forward.  Upgrading is painless and major changes
are very rare, so I can't think of any compelling reasons to stay on an
old version (well, unless it is the last version your platform supports)



Thanks to all for your answer.

It's time to upgrade.


Please take note of the upgrade guides in the FAQ and upgrade one
version at a time, first from 5.8 to 5.9, then from 5.9 to 6.0 -- NOT
directly from 5.8 to 6.0. The upgrade guides can be found here:

http://www.openbsd.org/faq/upgrade59.html
http://www.openbsd.org/faq/upgrade60.html

Be sure to read both guides carefully. There may be files that
need to be removed manually, and services that may require
configuration.

Have fun! :)


Thank you Erling for suggestions.



5.8 EOL

2016-12-01 Thread Alessandro Baggi

Hi list,
Some years ago I installed OpenBSD 5.8 on an apu with 3 nics.
I've tried to search but no luck. What is the EOL for OpenBSD 5.8?

Thanks in advance.



Re: 5.8 EOL

2016-12-01 Thread Alessandro Baggi

On 01/12/2016 17:01, Marko Cupać wrote:

On Thu, 1 Dec 2016 15:59:41 +0100
Alessandro Baggi <alessandro.ba...@gmail.com> wrote:


Hi list,
Some years ago I installed OpenBSD 5.8 on an apu with 3 nics.
I've tried to search but no luck. What is the EOL for OpenBSD 5.8?

Thanks in advance.



https://www.openbsd.org/faq/faq5.html#Flavors

AFAIK once 6.0 is out, 5.8 becomes unsupported (EOS). But by no means
does its life end (EOL). I have just upgraded 2 boxes that were at 5.5,
but were quite alive and kicking :)

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Then, when 6.1 is released, 5.9 will become unsupported.
How do you provide security patches for 5.5?



Unable to connect to ftp.openbsd.org

2017-04-15 Thread Alessandro Baggi

Hi there,
this morning I'm upgrading my obsd firewall 5.8 to 5.9.

Everything went fine, but when running pkg_add -u I get "unable
to connect or login to ftp.openbsd.org". This is in $PKG_PATH.


When I try to connect to ftp.openbsd.org from the shell using ftp I get
connection refused. The same behaviour from different hosts. Trying to
connect to other ftp servers, all works fine. So I've changed pkg_path to another
ftp mirror and pkg_add -u worked.


ftp.openbsd.org has problems?


Thanks in advance.



Re: Unable to connect to ftp.openbsd.org

2017-04-15 Thread Alessandro Baggi

On 15/04/2017 10:12, Andreas Kusalananda Kähäri wrote:

On Sat, Apr 15, 2017 at 09:58:00AM +0200, Alessandro Baggi wrote:

Hi there,
this morning I'm upgrading my obsd firewall 5.8 to 5.9.

Everything went fine, but when running pkg_add -u I get "unable to
connect or login to ftp.openbsd.org". This is in $PKG_PATH.

When I try to connect to ftp.openbsd.org from the shell using ftp I get
connection refused. The same behaviour from different hosts. Trying to
connect to other ftp servers, all works fine. So I've changed pkg_path to another ftp
mirror and pkg_add -u worked.

ftp.openbsd.org has problems?


Thanks in advance.




Related: https://marc.info/?l=openbsd-announce=149220549500948=2


Thank you for the information. I must subscribe to the announce ML.



Re: Unable to connect to ftp.openbsd.org

2017-04-15 Thread Alessandro Baggi

On 15/04/2017 16:15, Alessandro Baggi wrote:

On 15/04/2017 11:20, Stuart Henderson wrote:

On 2017-04-15, Alessandro Baggi <alessandro.ba...@gmail.com> wrote:

this morning I'm upgrading my obsd firewall 5.8 to 5.9.


5.9 is out of support now. I'd strongly recommend moving to 6.1 which
was released last week.


When I try to connect to ftp.openbsd.org from the shell using ftp I get
connection refused. The same behaviour from different hosts. Trying to
connect to other ftp servers, all works fine. So I've changed pkg_path to another
ftp mirror and pkg_add -u worked.


That site only does http/https now. But unless you're in Alberta the
other mirrors are likely to be a better choice anyway.




I know that 5.9 is out of support with release of 6.1. Today I'm
upgrading from 5.8 -> 5.9 -> 6.0 -> 6.1.

thank you for suggestions.


Thanks to the OpenBSD team, the update process works very well. Upgraded from
5.8 to 6.1 in a very short time and without issues.


Great job guys.



Re: Unable to connect to ftp.openbsd.org

2017-04-15 Thread Alessandro Baggi

On 15/04/2017 11:20, Stuart Henderson wrote:

On 2017-04-15, Alessandro Baggi <alessandro.ba...@gmail.com> wrote:

this morning I'm upgrading my obsd firewall 5.8 to 5.9.


5.9 is out of support now. I'd strongly recommend moving to 6.1 which
was released last week.


When I try to connect to ftp.openbsd.org from the shell using ftp I get
connection refused. The same behaviour from different hosts. Trying to
connect to other ftp servers, all works fine. So I've changed pkg_path to another
ftp mirror and pkg_add -u worked.


That site only does http/https now. But unless you're in Alberta the
other mirrors are likely to be a better choice anyway.




I know that 5.9 is out of support with release of 6.1. Today I'm 
upgrading from 5.8 -> 5.9 -> 6.0 -> 6.1.


thank you for suggestions.



Re: Update from 6.5 to 7.3

2023-09-08 Thread Alessandro Baggi




On 08/09/23 18:24, Peter N. M. Hansteen wrote:

On Fri, Sep 08, 2023 at 10:01:45AM +0200, Alessandro Baggi wrote:

I've a problem. I need to upgrade OpenBSD from 6.5 to 7.3 on an APU2D. This
is a firewall.
The problem is that I cannot find older ISO of OpenBSD. Can someone point me
in the right direction?


If you are planning to go the supported route and upgrade from release to 
release,
you have eight rounds of upgrading ahead.

If this is a firewall that does not do anything else, I would join a few of the
other posters here in recommending that you back up the tiny number of files
that could differ from a default install, do a fresh reinstall, only editing
in the things you need from your old /etc/ such as (likely most of) pf.conf.

- Peter



Actually I upgraded from 6.5 to 7.0 and I learned many new things. 
Wow...I love OpenBSD.


Definitely I will install fresh from 7.3.

Thank you for your suggestions.

Best regards



Re: Update from 6.5 to 7.3

2023-09-09 Thread Alessandro Baggi




On 08/09/23 19:54, Marc Espie wrote:

On Fri, Sep 08, 2023 at 06:36:57PM +0200, Alessandro Baggi wrote:



On 08/09/23 18:24, Peter N. M. Hansteen wrote:

On Fri, Sep 08, 2023 at 10:01:45AM +0200, Alessandro Baggi wrote:

I've a problem. I need to upgrade OpenBSD from 6.5 to 7.3 on an APU2D. This
is a firewall.
The problem is that I cannot find older ISO of OpenBSD. Can someone point me
in the right direction?


If you are planning to go the supported route and upgrade from release to 
release,
you have eight rounds of upgrading ahead.

If this is a firewall that does not do anything else, I would join a few of the
other posters here in recommending that you back up the tiny number of files
that could differ from a default install, do a fresh reinstall, only editing
in the things you need from your old /etc/ such as (likely most of) pf.conf.

- Peter



Actually I upgraded from 6.5 to 7.0 and I learned many new things. Wow...I
love OpenBSD.


Please tell us about your experience! It's probably going to be rather
interesting.


The process is really easy, easier than on Linux distros. I used
installation media images until I learned about sysupgrade, but I couldn't
run it because cert.pem had expired, so I proceeded with media installation
from 6.5 to 7.0. At 7.0 I copied a valid cert.pem from a 7.3 install and
tried to run sysupgrade, but it took a very long time to get the upgrades. I
don't know if this is due to my APU2D's low resources (on a VM with 7.3 it
was very quick) but sysupgrade stays there for several minutes before
starting something (that I can read).

I also learned about sysmerge and syspatch, I love these tools.

On 6.5 I installed wget with pkg_add and (obviously) running wget after
going from 6.5 to 7.0 got a seg fault. So I proceeded to remove all packages
installed with pkg_add. Here I learned new things about the pkg_info tool.


So I reinstalled needed packages with pkg_add. This process is really 
easy and clean.


I learned about a new tool called sysclean but I have not yet tried it.

Plus, before every upgrade, I read the notes at
https://www.openbsd.org/faq/upgradeXX.html and got good information about
what's updated and what changed for critical services, like pf.conf
syntax changes. This helped me reduce errors during the upgrade.


During the upgrade process from 6.5 to 7.3 I expected big changes in
the system, but this is not the case. I love this: OpenBSD (through
upgrades) remains modern with new packages (including features) and
removes unsupported/obsolete software without modifying the core system
deeply. The best part is that it does not change too much from 6.5 to 7.0, and this is
very good because it maintains compatibility with scripts and software
used in older releases (except in some cases, but that is rare in my usage).
This is not the case with Linux, like RHEL upgrades from one major
release to another (I call that a big bang upgrade) where you need
to re-deploy everything due to incompatibility. Probably the Linux distro
most similar to OpenBSD is Slackware (which I love), and in second
place Debian.


These are my experiences running upgrades on OpenBSD.

PS: I noticed that I could find many resources (blog posts, mailing list
archives, Reddit posts) that helped me solve some problems.


Best regards



unbound and root.hints

2023-09-09 Thread Alessandro Baggi

Hi list,
when using unbound on OpenBSD 6.5 in the default configuration, unbound
comes with a root.hints file.


Upgrading to OpenBSD 7.3 I noticed that root.hints is no longer supplied,
but the unbound manual page says:


"root-hints: 
 read the root hints from this file. Default is nothing, using
 builtin hints for the IN class. The file has the format of zone
 files, with root nameserver names and addresses only. The
 default may become outdated, when servers change, therefore it
 is good practice to use a root-hints file."

Where can I find a root-hints file?

Thank you in advance.



Re: unbound and root.hints

2023-09-09 Thread Alessandro Baggi




On 09/09/23 16:54, Otto Moerbeek wrote:

On Sat, Sep 09, 2023 at 04:45:51PM +0200, Alessandro Baggi wrote:


Hi list,
when using unbound on OpenBSD 6.5 in the default configuration, unbound comes
with a root.hints file.

Upgrading to OpenBSD 7.3 I noticed that root.hints is no longer supplied, but
the unbound manual page says:

"root-hints: 
  read the root hints from this file. Default is nothing, using
  builtin hints for the IN class. The file has the format of zone
  files, with root nameserver names and addresses only. The
  default may become outdated, when servers change, therefore it
  is good practice to use a root-hints file."

Where can I find a root-hints file?

Thank you in advance.



https://www.iana.org/domains/root/files

But don't worry too much, as long as at least one IP in the (builtin)
hints works, a DNS resolver can bootstrap.

-Otto

Hi Otto,
thank you for your answer and the resource.

Best regards
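
The man page text quoted above says a root-hints file "has the format of zone
files, with root nameserver names and addresses only", and Otto's point is that
one reachable address is enough to bootstrap. Added here as an example (not
code from the thread, from unbound or from IANA) is a small parser for that
format with the checks an operator would want before pointing root-hints: at a
freshly downloaded file: every NS is owned by the root, every NS name has glue,
every address parses as the type claims. The sample file is constructed with
documentation addresses and .test names; the real file is the one at the IANA
URL Otto gave.

```python
# Added example (not from the thread): parse and sanity-check a file in the
# root.hints format (root NS records plus A/AAAA glue) and order the addresses
# a resolver could try when priming. The sample is constructed; the real file
# comes from IANA.
import ipaddress

SAMPLE_HINTS = """\
;  constructed sample in root.hints format, documentation addresses only
.                        3600000      NS    A.ROOT-SERVERS.TEST.
.                        3600000      NS    B.ROOT-SERVERS.TEST.
A.ROOT-SERVERS.TEST.     3600000      A     192.0.2.4
A.ROOT-SERVERS.TEST.     3600000      AAAA  2001:db8::4
B.ROOT-SERVERS.TEST.     3600000      A     192.0.2.5
"""


def parse_hints(text):
    """Return (ns_names, glue): the root NS targets in file order and a map
    name -> [addresses]. Raises ValueError on anything that is not a root
    NS or an A/AAAA glue record, so a typo cannot silently leave no roots."""
    ns_names, glue = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()       # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        owner, ttl, rtype, rdata = fields
        if not ttl.isdigit():
            raise ValueError(f"line {lineno}: bad TTL {ttl!r}")
        owner, rtype = owner.lower(), rtype.upper()
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"line {lineno}: NS record not owned by the root")
            ns_names.append(rdata.lower())
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)    # raises ValueError on junk
            if (rtype == "A") != (addr.version == 4):
                raise ValueError(f"line {lineno}: {rtype} record with {rdata}")
            glue.setdefault(owner, []).append(str(addr))
        else:
            raise ValueError(f"line {lineno}: unexpected record type {rtype}")
    return ns_names, glue


def check_hints(ns_names, glue):
    """Consistency problems that parse cleanly but would hurt priming."""
    problems = []
    if not ns_names:
        problems.append("no root NS records")
    for name in ns_names:
        if name not in glue:
            problems.append(f"{name} has no A/AAAA glue")
    for name in glue:
        if name not in ns_names:
            problems.append(f"glue for {name} which is not listed as a root NS")
    return problems


def priming_candidates(ns_names, glue):
    """Addresses in the order a resolver could try them when priming."""
    return [addr for name in ns_names for addr in glue.get(name, [])]


def prime(candidates, reachable):
    """First candidate for which reachable(addr) is true, else None. This is
    Otto's point: one working address is enough to bootstrap the rest."""
    for addr in candidates:
        if reachable(addr):
            return addr
    return None


def load_hints(text):
    """Parse, check and order in one call: (candidates, problems)."""
    ns_names, glue = parse_hints(text)
    return priming_candidates(ns_names, glue), check_hints(ns_names, glue)


if __name__ == "__main__":
    candidates, problems = load_hints(SAMPLE_HINTS)
    print(candidates, problems)
    print(prime(candidates, lambda a: a == "192.0.2.5"))   # only one server answers
```

Once the file checks out, the same parser can be re-run against the next IANA download to diff the server set, which is the "default may become outdated" case the man page warns about.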



Update from 6.5 to 7.3

2023-09-08 Thread Alessandro Baggi

Hi list,
I've a problem. I need to upgrade OpenBSD from 6.5 to 7.3 on an APU2D. 
This is a firewall.
The problem is that I cannot find older ISO of OpenBSD. Can someone 
point me in the right direction?


Thank you in advance.



Re: Update from 6.5 to 7.3

2023-09-08 Thread Alessandro Baggi



On 08/09/23 10:12, Herbert J. Skuhra wrote:

On Fri, 08 Sep 2023 10:01:45 +0200, Alessandro Baggi wrote:


Hi list,
I've a problem. I need to upgrade OpenBSD from 6.5 to 7.3 on an
APU2D. This is a firewall.
The problem is that I cannot find older ISO of OpenBSD. Can someone
point me in the right direction?

Thank you in advance.


Mirror in Australia:

https://mirror.aarnet.edu.au/pub/OpenBSD/

--
Herbert



Hi Herbert,
thank you very much for the resource.

Best regards.



OpenBSD disk I/O read and write

2023-09-21 Thread Alessandro Baggi

Hi list,
I'm trying to read the I/O read and write values. Currently I'm using iostat
but I can't understand if the speed in MB/s is relative to write or read
ops. Is there a way to get these 2 values separately?


Thank you in advance.

Alessandro.



Re: OpenBSD disk I/O read and write

2023-09-21 Thread Alessandro Baggi




On 21/09/23 13:47, Stuart Henderson wrote:

On 2023-09-21, Alessandro Baggi  wrote:

Hi list,
I'm trying to read the I/O read and write values. Currently I'm using iostat
but I can't understand if the speed in MB/s is relative to write or read
ops.


In+out combined.


Is there a way to get these 2 values separately?


systat io, or it's simple to modify iostat to print cur.dk_rbytes[dn]
and/or cur.dk_wbytes[dn] instead of the current combined value.




Hi and thank you for your answer



Panic during 7.3 installation on VM

2023-09-26 Thread Alessandro Baggi

Hi list,
I'm trying to install OpenBSD 7.3 on a VM (Linux KVM) but when it starts
to install the sets I get a panic and "syncing disk... 8 8 8 8 ..." until it
reboots automatically.


This is a simple installation, no disk encryption, default OpenBSD layout...

The VM has VNC Server as "graphic" instead of spice, disk is SATA and it 
has fixed allocation.


Can someone point me in the right direction?

Thank you in advance.



Re: OpenBSD 7.3 found a process with PID 0

2023-09-26 Thread Alessandro Baggi




On 26/09/23 17:30, Claudio Jeker wrote:

On Tue, Sep 26, 2023 at 05:13:46PM +0200, Andreas Kähäri wrote:

On Tue, Sep 26, 2023 at 04:59:22PM +0200, Alessandro Baggi wrote:

Hi list,
running this python3 script:

#!/usr/bin/env python3
import psutil

pids = psutil.pids()
for i in pids:
    p = psutil.Process(i)
    with p.oneshot():          # batch the per-process reads
        print(str(i) + " " + p.name())

The result starts with:

0 swapper
1 init
536 smtpd
868 ksh
...

This process does not appear in ps, top and htop.


$ ps -p 0
  PID TT  STAT       TIME COMMAND
    0 ??  DK      0:02.19 (swapper)

For top, you need to press S to show system processes.  I don't use
htop, but I assume it has a similar capability to show system processes.



How can it be that there is a process with PID 0 before init?
Probably I'm missing something about OpenBSD core.

Can someone point me in the right direction?



See uvm_init(9):

  The swapper process swaps in runnable processes that are
  currently swapped out, if there is room.



... and this is a lie. The swapper process does nothing.



Ok, but why is it running?



OpenBSD 7.3 found a process with PID 0

2023-09-26 Thread Alessandro Baggi

Hi list,
running this python3 script:

#!/usr/bin/env python3
import psutil

pids = psutil.pids()
for i in pids:
    p = psutil.Process(i)
    with p.oneshot():          # batch the per-process reads
        print(str(i) + " " + p.name())

The result starts with:

0 swapper
1 init
536 smtpd
868 ksh
...

This process does not appear in ps, top and htop.

How can it be that there is a process with PID 0 before init?
Probably I'm missing something about OpenBSD core.

Can someone point me in the right direction?

Thank you in advance.

Alessandro.


