I think he did answer your question, if you read between the lines.. A session
cannot be 'pushed' to max! It needs to demand the bandwidth in the first place.
Try reading this; http://trash.net/~kaber/hfsc/SIGCOM97.pdf
This along side /many/ other Internet pages allowed us to fully implement
Hi, sadly OpenBSD does not boot with the latest Ivy Bridge EP (E5-2637v2) with
'Power Technology' in the supermicro BIOS set to 'Max Performance', on both
5.4 release and the snapshot dated Nov 3rd;
[demime 1.01d removed an attachment of type image/jpeg which had a name of
image.jpeg]
If I reset
Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds like
an error return from nginx/apache etc. could be a direct server return issue
causing the TCP three way handshake to not be completing properly between the
endpoints, even though a 502 is usually server side issue.. I'd
In fact, thinking about it, I think that is a relayd issue somewhere and not pf
at all..
Sent from my iPhone
On 14 Nov 2013, at 19:37, Leonardo Santagostini lsantagost...@gmail.com
wrote:
Well well well, there is one thing that's occurring that I can't figure out.
im getting some relay site3
Fantastic! Thanks Camiel :)
Sent from my iPhone
On 18 Dec 2013, at 21:32, Camiel Dobbelaar c...@sentia.nl wrote:
On 18/12/13 14:50, Maxim Khitrov wrote:
On Wed, Dec 18, 2013 at 8:42 AM, Camiel Dobbelaar c...@sentia.nl wrote:
On 18/12/13 13:53, Maxim Khitrov wrote:
When writing outbound
Maybe try configuring bind (read the manuals and online docs) and setting
resolv.conf to 127.0.0.1 would be a good start.
OpenBSD's resolv logic won't be 'fixed' unless you want to change the code..
Sent from my iPhone
On 19 Dec 2013, at 22:36, Mikael mikael.tr...@gmail.com wrote:
Seems
Hi, it's not a good idea to distribute /32 routes around your routing domain as
it will make convergence times longer and adds unnecessary load to the other
routers. OSPF and other routing daemons like summary routes. I'm guessing
you've assigned a 'unique' /24 network for the VPN clients which
Hi, haven't read your original email but if my assumptions about your setup are
correct is the VPN tunnel dropping every now and then?
I had a similar issue with 4 OBSD firewalls (2 at each end), all running
isakmpd and sasyncd to keep the SAs in sync between a pair. With the tunnels
Couldn't agree more! :)
Andy
Sent from my iPhone
On 29 Mar 2014, at 09:10, Eric Oyen eric.o...@gmail.com wrote:
geez! there are better technologies out here. Sure, if a technology works for
20 years, then go with it. However, there are loads faster ways (and a lot
more secure too). Why
On further thought, using option 1 and randomising the next hop used wouldn't
provide a very good distribution of load as it would be on a per network route
basis and not on a per IP basis like proper multipath.
Would also be costly in route look ups etc.
So looks like we would need to use
Hi Wiesław,
Definitely support your desire to try to add more structure to your PF writing!
:)
We use git to version control PF and many other files (over 60 files across an
OBSD system now come to think of it).
For PF, I wouldn't recommend using anchors as I *think* they're slower and
On 20 Apr 2014, at 19:24, Henning Brauer lists-open...@bsws.de wrote:
* Andy Lemin a...@brandwatch.com [2014-04-09 00:14]:
For PF, I wouldn't recommend using anchors as I *think* they're slower
where on earth are people getting this ridiculous ideas from?
Can't remember. Thanks
Hi Henning,
Thanks for your reply. We agree it's an edge case but would have an impact,
albeit small.
So taking your work as truth and good judgement as best as any human can (which
I do), should we all just strip all our 'prio's if we use queues?
I don't want things in my PF which aren't
We know... ;)
Sent from my iPhone
On 14 Aug 2014, at 16:14, Nicolai nicolai-om...@chocolatine.org wrote:
On Thu, Aug 14, 2014 at 07:16:41AM +0100, Bernte wrote:
Could you please just clarify: I have money and I want that to go to the
OpenBSD project. I would like as much as possible to
Hahaha, lol!! Yes Peter :)
Sent from my iPhone
On 14 Aug 2014, at 10:17, Peter Hessler phess...@theapt.org wrote:
options:
1) cash in envelope, put into mail
2) bank cheque in envelope, put in mail
3) suck it up, and stop caring about the middle man's cut
4) bank transfers (also: see
On 28 Sep 2014, at 05:00, System Administrator ad...@bitwise.net wrote:
On 27 Sep 2014 at 18:50, Andrew Lester wrote:
Hey guys,
I have what I hope is a simple syntax question for pf rules. I have not
been able to find any example of this online or in the man pages. I
suspect it is
Please excuse typos, sent from my phone
On 15 Oct 2014, at 19:13, Marko Cupać marko.cu...@mimar.rs wrote:
On Thu, 02 Oct 2014 18:02:23 +0100
Andy a...@brandwatch.com wrote:
Hi
Try setting the advskew to a number greater than 200 and less than
254. This seems to be the most stable.
Hi guys,
I’m a bit confused (easily done) as to how I would configure a GRE tunnel
through an IPSec tunnel?
I have *many* subnets at each site, and I have a full mesh of IPSec tunnels
between each site, for each and every subnet at each site.. Urghhh! :_(
It's over 100 tunnels now..
If I were
Hi,
Hopefully this is just a quick question and I'm missing something here, but it
seems that we can no longer use percentages in our PF child queues.
For example;
This:-
altq on $if_trunk bandwidth 4294Mb hfsc queue { _local, _wan }
oldqueue _local on $if_trunk bandwidth 4100Mb priority 4
...@spacehopper.org wrote:
In gmane.os.openbsd.misc, Andy Lemin wrote:
Hopefully this is just a quick question and I'm missing something here, but
it
seems that we can no longer use percentages in our PF child queues.
It hasn't been implemented for the queue rewrite yet.
That said
percentages take from their parent etc..
Cheers, Andy.
On 24 Feb 2015, at 15:26, Andy Lemin a...@brandwatch.com wrote:
Hi,
Hopefully this is just a quick question and I'm missing something here, but
it
seems that we can no longer use percentages in our PF child queues.
For example;
This:-
altq
Hi Stuart,
Thanks for this. However I think I'm still missing something.. Sorry ;)
On 24 Apr 2015, at 00:37, Stuart Henderson s...@spacehopper.org wrote:
On 2015-04-23, andy a...@brandwatch.com wrote:
Hi,
This should be a simple one ;)
I have configured and started snmpd, and then used
Haha, Oops! thanks Doug..
Here it is instead..
http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg
Cheers, Andy.
On 23 Jun 2015, at 14:13, Doug Hogan d...@acyclic.org wrote:
On Tue, Jun 23, 2015 at 11:56:17AM +0100, Andy
Hi,
We do exactly the same thing for our wifi network. Users on wifi can *only*
use public IP addresses.
The solution is easy, you just have to consider where you do your nat'ing;
You can't do bin-at, so you will need nat-to and rdr-to rules to make it
work.
E.g. The following line translates
Hi,
On 25 Jun 2015, at 10:31, Jiri B ji...@devio.us wrote:
On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
Surprised I've not had any replies for this?
http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg
I
On 25 Jun 2015, at 15:46, Marko Cupać marko.cu...@mimar.rs wrote:
On Wed, 24 Jun 2015 08:17:15 -0400
Michel Blais mic...@targointernet.com wrote:
The solution seem his explain on this link
http://www.openbsd.org/faq/pf/rdr.html#reflect
On Thu, 25 Jun 2015 14:50:42 +0100
Andy Lemin
quickly re-do it.
I can't believe nothing has changed in 5 years (I think that's when the
original I saw was dated).
Anyway, I'll try and message Henning directly and get his thoughts, and I'll post
back here once it's got his approval.
Cheers, Andy.
On 23 Jun 2015, at 14:27, Andy Lemin
Hi, You can already do active-active CARP with OpenBSD. I believe it hashes by
the MAC address (the MAC hash dictates which firewall responds to an ARP for
the gateway IP).
However you may have issues with states and state synchronisation depending on
the pps and firewall hardware performance,
in active-backup mode for now.
Doesn't mean you shouldn't try active-active out (in a lab)..
But if you're only talking 500mbps, stick with steady and stable ;)
Romain
From: Andy Lemin [mailto:a...@brandwatch.com]
Sent: Tuesday 23 June 2015 11:25
To: Romain FABBRI
Cc: Aviolat Romain; 'misc
Hi,
I was updating an old copy of the PF flow diagram I had lying around and
thought I'd post here quickly for comments / additions / corrections?
Would be nice to update this and make it comprehensive as possible.
[demime 1.01d removed an attachment of type application/pdf which had a name of
Hi,
Is there any news whether we'll have 64bit PF queue sizes soon?
Our link between our Primary and DR DCs needs more than 4.2Gbps, but we
cannot shape traffic above this due to the 32bit queues.
Simply we need to impose shaping to ensure the CDR is not breached. We
really need to upgrade the
this second box also append this extra info to the state that was
created at the previous step (Packet Filtering)?
I haven't added this yet..
On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
Surprised I've not had any replies for this?
http://s12.postimg.org/i4pggq465
Because of this "Remember that static-port means you can't have two
machines behind the same NAT using the same source port and destination.",
you should instead probably use "binat-to" as a good practice.
This will help force you to not be able to accidentally reuse the same
public IP for
Hi list :)
We have noticed our monitoring systems are reporting and alerting the wrong
data for OpenBSD Interface Discards since adding all the OpenBSD firewalls
to our new Monitoring system.
And we have proven that it is SNMPD which is returning the same value for
every single interface with;
Not to say previous releases haven't been as great (they all are), but I
must say that 5.9 really does feel like a huge step towards a massive
milestone (well done), and 6.0 will hopefully be the release that kills the
GIANT lock for OpenBSD as a firewall. So really thank you..
For ourselves,
Peter is quite right, to add some examples to his suggestion;
tcpdump -nettti pflog0 <- Shows only dropped packets
tcpdump -nettti em0 <- Shows all packets on the interface, including ToS
values and VLAN ID etc.
tcpdump -nettti vlanX <- Shows only packets on the VLAN without the extra
info.
Sure
HP switches, you cannot modify this DiffServ <-> CoS mapping.
So the suggestion at the bottom is just to set a ToS that HP switches will
prioritise..
Have fun, all the best.
Andy Lemin
On Wed, Jun 15, 2016 at 8:18 PM, Andy Lemin <a...@brandwatch.com> wrote:
> Peter is quite rig
Hi everyone,
Just a couple very quick 5.9 questions;
1) Will 5.9 have a 64bit integer for the queue sizes, or are we still
limited to ~4294M?
2) When 5.9 comes out, will the new ARC routing table be enabled by
default? If not can we turn it on without building from source?
3) Does anyone know
created at the previous step
(Packet Filtering)?
Thanks everyone,
Andy.
On Sun, Feb 7, 2016 at 9:06 PM, Stuart Henderson <s...@spacehopper.org>
wrote:
> On 2016-02-07, Andy Lemin <a...@brandwatch.com> wrote:
> > Hi everyone,
> >
> > Just a couple very quick 5.9 que
Cappuccio wrote:
> > Andy Lemin [a...@brandwatch.com] wrote:
> > >
> > > >ART not ARC. It's not enabled by default, you'll need to build
> > > a new kernel to use it.
> > >
> > > Any clues how to enable "ART" when building? ;)
> >
tart INIT->Backup (without a Master flap), and no errors are
seen in dmesg.
This is not obvious after working with the ifconfig commands, and there is
no man so I hope this helps some people :)
Cheers, All the best, Andy.
On Wed, May 18, 2016 at 11:24 AM, Andy Lemin <a...@brandwatch.com> wr
Hi Misc,
Since 5.9 (maybe earlier), we noticed that our CARP interfaces no longer
behave as before, don't initialise properly on boot up, and throw errors at
boot.
I know there has been lots of changes, especially IPv6. So hopefully this
is a simple question and I'm just being stupid, and unable
e 2 advskew 10 carppeer 10.255.12.3 pass testpass vhid 212
inet 10.255.12.1 255.255.255.0 10.255.12.255
inet6 2a00:77e0:255:12::1 64
inet6 eui64
description "4D_CDC_VPLS"
Cheers, Andy.
On Tue, May 17, 2016 at 5:37 PM, Martin Pieuchot <m...@openbsd.org> wrote:
> On 17/05/16(T
Hi guys,
Has anyone else seen issues with "output errors" occurring on only VLAN
interfaces since upgrading to 5.9? (and after using openup to get latest
kernel).
It does not happen on all VLAN interfaces, only ones under load.
The underlying trunk does not report any Rx or Tx errors at all.
Hi,
Does anyone know if it is possible to set an ethernet crossover cable
between two OpenBSD firewalls running OpenOSPFD as point-to-point?
OpenOSPFD recognises GRE's as point-to-point so the logic is there for
handling a point-to-point adjacency, but cannot see how to set this on the
ethernet
ethernet p2p link. This causes local traffic
to briefly traverse another remote router via the GRE's for a moment,
whilst waiting for the local adjacency via the ethernet cable to finish
their election etc.
Thanks, Andy.
On Mon, Aug 8, 2016 at 5:12 PM, Andy Lemin <a...@brandwatch.com> wrote:
Hi,
TLDR; Is there a way of fixing the "source address" that SNMPD should use?
We are having issues with reply snmpd packets sourcing from the egress
interface and not the loopback interface which the poll request was sent to
:(
We have many GRE tunnels and various routes which traffic can
I have the code open, I am also going to have another go
at trying to find the missing 64bit counter/range check etc for the HFSC
queue size tomorrow (if I don't get dragged onto anything else).
Thanks for your time and help guys,
Kind regards, Andy Lemin
On Tue, Aug 9, 2016 at 2:48 AM, Chris Cap
Hi,
I know this is probably a simple question, but we have searched, found very
little, and tried various things to no effect.
We have a Supermicro server running OpenBSD which is _screaming_ loud due
to fan noise.
BIOS is latest and power mode is "Balanced" (during POST it is nice and
quiet
Surprised this is the
default, but it is a server...
Cheers, Andy.
On Mon, Nov 21, 2016 at 2:10 PM, Delan Azabani <de...@azabani.com> wrote:
> At 19:11, Andy Lemin <a...@brandwatch.com> wrote:
> > but we cannot figure out how to control the fan speed at all.
>
> Every board in the X9D
Hi Stuart and Joel,
Just to confirm for others reading, you are very correct.
And patch 014_libcrypto has fixed this :) So just run syspatch (or openup) and
you'll be working again.
Thanks for the commits ;)
PS; good to hear from you again Stuart! Long time.. I'm on this email now
rather
c.. However notice that openvpn is still linking to 2.5.2.
>
> It would be great if someone would be kind enough to confirm if this CVE is
> indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
>
> And if yes, a gentle nudge as to how to get openvpn to link to t
t 12:56:26PM +, Andy Lemin wrote:
>> Really, did he actually post any real vulnerabilities to OpenBSD!
>>
>> This article has to be govt propaganda..
>>
>> https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-th
Really, did he actually post any real vulnerabilities to OpenBSD!
This article has to be govt propaganda..
https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-think-so.amp.html
I was laughing with tears when I read this..
OpenBSD is the
Hi Andreas,
Thanks for your reply. Sorry I should have been more clear.
I know that rdomains are the correct method with overlapping addressing.
The challenge is that I cannot figure out how to get openvpn to initialise its
resulting tunX interface directly into the correct rdomain?
You
Hi,
So for completeness, I did some more testing with your suggestions.
First I tried using different nexthops in each of the interface-nexthop pairs
in the route-to pool (as the next hop doesn’t really matter with p2p
interfaces). And it did start to work! :)
But after some more testing it
9:14:19AM +0100, Andy Lemin wrote:
>>
>> Hi guys,
>>
>> Is anyone else aware of the Unbound and PF race condition that exists when
>> FQDNs are used in pf.conf with a local Unbound server?
>
> Yes, it's an obvious one isn't it?
>
>>
>>
Hi guys,
Is anyone else aware of the Unbound and PF race condition that exists when
FQDNs are used in pf.conf with a local Unbound server?
The issue occurs when pf starts before unbound, but where pf fails to start as
it cannot resolve some DNS names.. and so unbound also fails to work when it
from a teeny tiny keyboard, so please excuse typos
> On 7 Aug 2019, at 00:03, Andy Lemin wrote:
>
> Hi Stuart,
>
> Thanks for your reply.
>
> So I put in some leg work to set myself up so I could build a new release
> base system, and went digging.
>
> And I foun
with fresh eyes the next day ;)
All working now. You guys are heroes.
Thank you for the gentle nudges in the right direction.
Kindest regards.
Andy Lemin
Sent from a teeny tiny keyboard, so please excuse typos
> On 7 Aug 2019, at 09:01, Claudio Jeker wrote:
>
>> On Wed, Aug 07, 2019 a
> On 2 Aug 2019, at 09:52, Jonathan Gray wrote:
>
>> On Fri, Aug 02, 2019 at 09:19:09AM +0100, Andy Lemin wrote:
>> Hi list,
>>
>> I know this is a rather classic question, but I have searched a lot on this
>> again recently, and I just cannot find a
Hi list,
I know this is a rather classic question, but I have searched a lot on this
again recently, and I just cannot find any conclusive up to date information?
I am looking to buy the best 1Gbe NIC possible for OpenBSD and the only
official comments I can find relate to 3COM for ISA, or
ote:
>
> I find cheap PCI-Express and PCI-X em(4) cards suffice for my needs. 990-992
> Mbps with tcpbench.
>
>
>>> On Aug 2, 2019, at 11:26 AM, Claudio Jeker wrote:
>>>
>>> On Fri, Aug 02, 2019 at 12:28:58PM +0100, Andy Lemin wrote:
>>> Ahhh,
Hi guys,
I’m just after some general advice as I feel like I’m doing something wrong,
and having to hack around too much for what I believe should be simple.
I am developing a simple Python plugin for Unbound, and the default Unbound
install on OpenBSD sadly wasn’t built with
this project native/portable
so other users can use this project without having to rebuild Unbound?
Thanks Andy.
Sent from a teeny tiny keyboard, so please excuse typos
> On 6 Aug 2019, at 19:36, Stuart Henderson wrote:
>
>> On 2019-08-06, Andy Lemin wrote:
>> Hi guys,
>>
For completeness, I discovered I was having issues with downloading the sources
for the sysupgrade command on my edge firewall also! So it was not limited to
internet servers as first thought.
Since upgrading the 6.6 (had to run sysupgrade 4 times to get it to complete
the downloads), the
Hahaha
Thanks Theo, that made me smile.
But you have answered my question perfectly, albeit in a round about way.
Indeed it doesn’t matter what it is called, and would be clearer with a generic
name, as we got caught out by a program calling another program with colliding
name.
For example,
Hi guys,
Does anyone know if it is possible to completely disable ftp in the package
management utilities; pkg_add, syspatch, sysupgrade etc?
My PKG_PATH references http:// urls, as does /etc/install. But I cannot stop
these tools trying to use ftp which does not work! :(
Every time I try and
Hi smart people :)
The current implementation of 'sticky-address' relates only to a sticky source
IP.
https://www.openbsd.org/faq/pf/pools.html
This is used for inbound server load balancing, by ensuring that all socket
connections from the same client/user/IP on the internet goes to the same
> On 15 Sep 2023, at 18:54, Stuart Henderson wrote:
>
> On 2023/09/15 13:40, Andy Lemin wrote:
>> Hi Stuart,
>>
>> Seeing as it seems like everyone is too busy, and my workaround
>> (not queue some flows on interfaces with queue defined) seems of no
Hi Stuart,
Seeing as it seems like everyone is too busy, and my workaround (not queue some
flows on interfaces with queue defined) seems of no interest, and my current
hack to use queuing on Vlan interfaces is a very incomplete and restrictive
workaround; Would you please be so kind as to provide me
8:39:33AM -, Stuart Henderson wrote:
>>> On 2023-10-24, Andy Lemin wrote:
>>> Hi all,
>>>
>>> Just a quick question.
>>>
>>> I have multiple rdomains. My outside rdomain (rdomain 0) has a single
>>> default route to my ISP. And my
> On 29 Sep 2023, at 00:09, Sonic wrote:
>
>
> Hopefully not as dumb of a question as I suspect it might be.
> Does the generic...
> =
> match out on $ext_if inet proto tcp from ($ext_if) set prio (3, 7)
> match in on $ext_if inet proto tcp to ($ext_if) set prio (3, 7)
> =
>
On 19 Sep 2023, at 20:07, Janne Johansson wrote:
On Sun 17 Sep 2023 at 09:19, Andrew Lemin wrote:
Hi,
I have been testing the Wireguard implementation on OpenBSD and noticed
that the ToS field is not being copied from the inner unencrypted header to
the outer Wireguard
routes, so now have to _always_ prefix with route -T0 exec (to support
automated route changes etc).
This must be unexpected behaviour to change dynamically like this?
Thanks for your help, Andy.
> On 24 Oct 2023, at 14:09, Lyndon Nerenberg (VE7TFX/VE6BBM)
> wrote:
>
> Andy
Hi all,
Just a quick question.
I have multiple rdomains. My outside rdomain (rdomain 0) has a single default
route to my ISP. And my internal rdomain 9 has multiple default routes pointing
to various pairX interfaces for some funky routing stuff.
Everything works beautifully, however, every