Re: How many IPs can I block before taking a performance hit?

2020-08-14 Thread Alan McKay
So here is a related question - I want to implement something like what some of you folks seem to have in place with dynamically updated blacklists and reloading pf on the fly. With a redundant pair of firewalls should I be doing this on the MASTER only? I'm just wondering about reloading pf on

Re: How many IPs can I block before taking a performance hit?

2020-08-12 Thread Alan McKay
ked. No idea what your criteria is for "performance impact", > but we have no issues. > > > On 12.08.20 14:11, Alan McKay wrote: > > Hey folks, > > > > This is one that is difficult to test in a test environment. > > > > I've got OpenBSD 6.5 on a re

How many IPs can I block before taking a performance hit?

2020-08-12 Thread Alan McKay
Hey folks, This is one that is difficult to test in a test environment. I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM. With some scripting I'm looking at feeding block IPs to the firewalls to block bad-guys in near real time, but in theory if we got attacked by a bot

Way to find most active IPs for rate limiting with pf

2020-08-06 Thread Alan McKay
So I want to implement rate limiting, and to determine a reasonable rate based on current traffic patterns I'd like to be able to figure out which source IPs are generating the most connections and at what rate. Is there a way to do that? -- "You should sit in nature for 20 minutes a day.

/usr/bin/false issue (was: relayd flapping)

2016-09-15 Thread Alan McKay
OK this is interesting, and the only thing I can think of is that it is a hardware issue that is starting to manifest itself in this odd way. This relates to my email earlier today about relayd. Because of the odd way we use relayd with "/usr/bin/false" as the "check", we decided to just run

Re: 5.5 odd issue with relayd flapping

2016-09-15 Thread Alan McKay
Yes, upgrading is on our to-do list. But it will be a few months before we can do that.

5.5 odd issue with relayd flapping

2016-09-15 Thread Alan McKay
Hi folks, I have googled this and found something similar back here : https://www.mail-archive.com/misc@openbsd.org/msg77218.html There are a couple of threads but everything seems to say it was a known issue that was fixed post 5.2. But I have an extra oddity to add to it as you will see

Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-11 Thread Alan McKay
On Fri, Mar 11, 2016 at 4:36 PM, Josh Grosse wrote: > 100Mbit? You could go even smaller, such as the PCEngines Alix > platform. They are 32-bit (i386) only, however. > > Each NIC is able to sustain 70-80 Mbps, in my experience. Do those have 4 NICs? Ideally I'd like

Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-11 Thread Alan McKay
On Fri, Mar 11, 2016 at 4:09 PM, Brandon Vincent wrote: > If you have a pair setup for redundancy, it really comes down to the > expected network utilization. What sort of network are we talking > about? Well I guess I'd place them according to their capability. Could I

Small FW boxes for CORP use (was: T40E APU?)

2016-03-11 Thread Alan McKay
On Mon, Mar 7, 2016 at 3:37 PM, Chris Cappuccio wrote: > > Nope. You might want a Supermicro X11SBA-LN4F or maybe Netgate's > RCC-VE 2440 if you need 4 ports. Opinions on using either of those as a redundant pair for corporate use? -- "You should sit in nature for 20 minutes

Re: OpenBSD on AMD Embedded G-Series T40E APU?

2016-03-07 Thread Alan McKay
Next question ... do they make them with 4 or more NIC ports? I only see them with 3 ports on that site.

OpenBSD on AMD Embedded G-Series T40E APU?

2016-03-06 Thread Alan McKay
Hey folks, The website does not seem to have a lot of info on what CPUs are supported. I'm looking at this box for a home firewall with OpenBSD http://www.corpshadow.biz/bizstore/apu1d-red-combo-kit-p-345.html?cPath=51 thanks, -Alan -- "You should sit in nature for 20 minutes a day. Unless

implementing circular queue for tcpdump logging

2016-01-28 Thread Alan McKay
Hi folks, Something I've done on other platforms e.g on a firewall is have tcpdump running and logging to disk. You know ahead of time how much disk space to allocate to this task, and there are command line options on tcpdump that you can adjust to accomplish this. So it will always occupy

Re: implementing circular queue for tcpdump logging

2016-01-28 Thread Alan McKay
On Thu, Jan 28, 2016 at 10:31 AM, sven falempin wrote: > syslog has memory buffer that rotates. (:name:size) > pflogd can log, tcpdump | logger if you want something else > > problem solved. Thanks. I should have thought of pflogd! Looks like a modification of the

Re: Munich BSD meetup

2015-02-07 Thread Alan McKay
So? How was the beer? Inquiring minds want to know! Did you finish off something dark?

ntpd.conf - add ability to read servers from an include file?

2015-01-29 Thread Alan McKay
Hey folks, Would anyone else see value in this? Basically for the sake of automated deployments it would be nice / clean to be able to do : includeservers /path/to/file And then read them all from the file. And the same file would be used as a table in pf.conf for NTP FW rules. One server per

Re: Mapping pf syslog rule numbers to lines in pf.conf

2015-01-26 Thread Alan McKay
On Mon, Jan 26, 2015 at 3:47 PM, James Shupe jsh...@hermetek.com wrote: pfctl -sr -R rulenum Further details can be found in the man page. Oh man that was way too easy! Anyone in Ottawa is welcome to come by and give me 10 lashes ... ( hangs head in shame ) Thanks. I was trying to search

Mapping pf syslog rule numbers to lines in pf.conf

2015-01-26 Thread Alan McKay
Hey folks, This one seems to be difficult to google - not coming up with much. I have some firewall blocks I want to investigate and of course they are reported as matching a specific rule number - but I am not sure how to map that back to a line in my pf.conf Could someone enlighten me?

Re: Hannover BSD meetup

2015-01-23 Thread Alan McKay
Time it with CeBit and everyone will have a reason to come from afar :-)

1U / 2 Computers? For redundant FW pair

2015-01-21 Thread Alan McKay
I know that Supermicro has some interesting side-by-sides starting at 2U, but I'm not aware of anything in 1U. Basically I'd like to have my redundant FW pairs take up less rack space. I guess another option would be half-width 1U if anything like that exists, and install a rack shelf. --

Re: 1U / 2 Computers? For redundant FW pair

2015-01-21 Thread Alan McKay
On Wed, Jan 21, 2015 at 8:05 AM, Ganguin Michel michel.gang...@nagra.com wrote: in 1U (another one goes up to 8 systems in 2U, twin3): http://www.supermicro.nl/products/nfo/1UTwin.cfm Oh they do have them ... I checked a while back and could have sworn the Twins only started at 2U However

building ntop from ports with -w enabled

2015-01-20 Thread Alan McKay
Hey folks, I install ntop from ports and try to run it with -w and it tells me it is disabled due to security reasons. (1) I'd like to read more on those reasons, and (2) I'd like to enable that feature anyway at very least in my test setup to evaluate while also reading up on (1). Is there any

Re: Crash cart console adapters compatible with OpenBSD?

2015-01-16 Thread Alan McKay
On Fri, Jan 16, 2015 at 1:38 PM, Devin Reade g...@gno.org wrote: Well, in an attempt to dig myself out of the hole, the OP *did* say, or in a pinch, Linux ... That I did :-) -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

Crash cart console adapters compatible with OpenBSD?

2015-01-15 Thread Alan McKay
Hey folks, I'm looking for something like this that I can plug into a network debugging laptop to get console access to servers in a rack. Ideally the laptop would run OpenBSD or in a pinch Linux. The comments section of this page says there is required software and that it stopped working when

Re: Crash cart console adapters compatible with OpenBSD?

2015-01-15 Thread Alan McKay
On Thu, Jan 15, 2015 at 1:22 PM, Jon Simola jsim...@gmail.com wrote: To explain better, this would be in a private /30 network just so you can VNC from laptop to the KVM. OK that might work -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In

Re: Crash cart console adapters compatible with OpenBSD?

2015-01-15 Thread Alan McKay
This one seems reasonable so I will get one in to try out. http://www.newegg.ca/Product/Product.aspx?Item=9SIA5SC1VA2702cm_re=lantronix_spider-_-9SIA5SC1VA2702-_-Product The only downside I see is that a laptop will have only 1 NIC and so I won't have both a console and network connection at the

Re: mouse spontaneously detaches in console

2014-12-19 Thread Alan McKay
We've been having a similar issue with keyboards on 5.1 with no X, and when we upgraded to 5.5 recently we seem to still have it. All HP hardware about 3 years old. You have to unplug the keyboard and plug it into a different port, then return it back to the original to get it back. Sometimes

Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-04 Thread Alan McKay
On Thu, Dec 4, 2014 at 1:15 AM, Vivek Vinod vi...@icanconnect.com wrote: We have been using Mikrotik routerboards since 7 years Huh? With OpenBSD on them? -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
This is very interesting - I've been looking at various small boxes like this to use as a home firewall. The only problem is that not many of them have 2 NICs, and the ones that do are very expensive (higher end Zotac) Does anyone know of a similar device with 2 NICs that might be suitable as a

Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
On Wed, Dec 3, 2014 at 4:54 PM, Mikkel C. Simonsen m...@post5.tele.dk wrote: As I have written many times - used thin clients are available in huge numbers as scrap. Many of them have a PCI or PCIe slot, so adding a second NIC is easy. I often use thin clients with a Compaq 2- or 4-port NIC.

Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
I see one of these on my local kijiji but can't tell whether or not it has a PCI slot. It is not on the hardware list of that parkytowers site http://h10010.www1.hp.com/wwpc/us/en/sm/WF06a/12454-12454-321959-338927-5112717-5295294.html?dnr=2

Re: ifstated intermittant flapping after 5.1 to 5.5 upgrade

2014-11-21 Thread Alan McKay
We believe we've found it - the internet-facing NIC had a minor configuration change as well, as part of the upgrade. It was no longer explicitly being set in full duplex mode, and as it turns out it was coming up in half-duplex. Now we play the waiting game to see whether we are right :-)

ifstated intermittant flapping after 5.1 to 5.5 upgrade

2014-11-20 Thread Alan McKay
Hi folks, After a 5.1 to 5.5 upgrade on a redundant firewall pair, every once in a while my FW2 (backup) promotes itself and then immediately demotes itself again. Which I find very odd because it is doing so based on pinging its peer every 10 seconds, and so the value of that boolean should

Re: ifstated intermittant flapping after 5.1 to 5.5 upgrade

2014-11-20 Thread Alan McKay
On Thu, Nov 20, 2014 at 3:57 PM, Alan McKay alan.mc...@gmail.com wrote: peer1 = '( ping -q -c 1 -w 1 10.1.1.1 /dev/null 21 every 10)' peer2 = '( ping -q -c 1 -w 1 10.20.1.1 /dev/null 21 every 10)' At present I am thinking that my problem would go away if I changed my pings to -c 3 -w 3

Input from upgrade script overwrites files in site55-hostname.tgz

2014-11-13 Thread Alan McKay
Hi folks, Maybe this is by design but it seems odd to me. I have a site55-hostname.tgz file with all of my local customizations, and it installs great over http. However, /etc/mygate ends up being based on the input I provided during the upgrade script. And /etc/hostname.bnx3 as well (install

Re: Logging Password change attempts

2014-10-30 Thread Alan McKay
Take the original passwd command and rename it to passwd.orig and rename your script into its place (without the .sh ending) and have your script call passwd.orig. Still not perfect since someone who knows the difference can still call the orig directly. The alternative would be to dig into the

Re: relayd question - from the man page

2014-10-21 Thread Alan McKay
Anyone? Anyone? Buehler? On Fri, Oct 17, 2014 at 9:41 AM, Alan McKay alan.mc...@gmail.com wrote: Hi folks, The manpage for relayd.conf has this basic construct in it a couple of times : table service { 192.168.1.1, 192.168.1.2, 192.168.2.3 } table fallback disable

Re: relayd question - from the man page

2014-10-21 Thread Alan McKay
On Tue, Oct 21, 2014 at 1:25 PM, System Administrator ad...@bitwise.net wrote: The answer to your question is right there in the very manpage paragraph you quoted below. Yes, I should have clarified that I did see that. (That is why I quoted it) It just does not seem to make a lot of sense

relayd question - from the man page

2014-10-17 Thread Alan McKay
Hi folks, The manpage for relayd.conf has this basic construct in it a couple of times : table service { 192.168.1.1, 192.168.1.2, 192.168.2.3 } table fallback disable { 10.1.5.1 retry 2 } redirect www { listen on www.example.com port 80

Re: carp not reverting to master

2014-10-15 Thread Alan McKay
On Wed, Oct 15, 2014 at 2:13 PM, Marko Cupać marko.cu...@mimar.rs wrote: Oct 14 15:21:19 bgp1 /bsd: carp2: state transition: MASTER - BACKUP Oct 14 15:21:19 bgp1 /bsd: carp1: state transition: MASTER - BACKUP Oct 14 15:21:22 bgp1 /bsd: carp1: state transition: BACKUP - MASTER Oct 14 15:21:22

Where is the 'tar' source code?

2014-10-10 Thread Alan McKay
Hey folks, I'm experiencing some really bizarre behavior with tar when trying to pass it a list of files with the -I option, and I want to look at the source code but alas it is not in the tree that I can find. Yet the machine having the issue was built on this very same build machine. I'd

Re: Where is the 'tar' source code?

2014-10-10 Thread Alan McKay
Aha, should have figured to look for a link! Anyway, I solved my problem without looking at source code. There was a blank line in the file I was using with -I, and that caused tar/pax to barf.

Re: rc.conf issue on upgrade from 5.5 to 5.6

2014-10-10 Thread Alan McKay
On Fri, Oct 10, 2014 at 5:35 PM, Stuart Henderson s...@spacehopper.org wrote: Yep. You *have* to run sysmerge for this upgrade or you will have broken rc scripts. Note to self ... -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

Re: Securing communications with OpenBSD

2014-10-06 Thread Alan McKay
On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez carlopm...@gmail.com wrote: Is my approach correct? Any other better solution? Is it stupid this approach? You did not really state what your goal was. Or what the problem is. Securing communications between front and back end via SSH/SSL is

Re: Securing communications with OpenBSD

2014-10-06 Thread Alan McKay
On Mon, Oct 6, 2014 at 4:17 PM, Giancarlo Razzolini grazzol...@gmail.com wrote: Traffic in the clear, even on a switch controlled by you, doesn't mean that anyone with physical access couldn't tap into your switch and see the traffic. Which is why you need to lock down the switch as well.

Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-03 Thread Alan McKay
On Fri, Oct 3, 2014 at 10:25 AM, Bryan Steele bry...@gmail.com wrote: So, you visit an order page likely content on providing your billing information and shipping address, but it's the use of Javascript that sways your final decision to order? I thought it was the ellipsis that did it :-)

Re: carp not reverting to master

2014-10-02 Thread Alan McKay
You have not yet shown the output of ifconfig Check the advskew values on the interfaces. When carpdemote values are equal then advskew determines who is MASTER

Re: carp not reverting to master

2014-10-02 Thread Alan McKay
On Thu, Oct 2, 2014 at 11:03 AM, Marko Cupać marko.cu...@mimar.rs wrote: I have posted advskew values in initial mail (0 on masters, 100 on backups). That shows me what they are supposed to be. That does not show me what they actually are. ifconfig output will show what they actually are.

Re: How to follow -stable and verify it with signify?

2014-10-01 Thread Alan McKay
On Tue, Sep 30, 2014 at 4:56 PM, Josh Grosse j...@jggimi.homeip.net wrote: They happen whenever a fix is backported but not deemed critical enough or in wide enough use for errata. Here's the first two I found in 5.5-stable, there may be others but I stopped looking, since you just wanted a

Build is hard-coded to /usr/src and /usr/obj?

2014-10-01 Thread Alan McKay
Hi folks, This seems to be the case but wondering whether there is a way to override this. In particular I want to be able to build 5.5 -stable and then 5.5 -release + patches and keep the two source trees separate. thanks, -Alan -- Don't eat anything you've ever seen advertised on TV

Re: Build is hard-coded to /usr/src and /usr/obj?

2014-10-01 Thread Alan McKay
On Wed, Oct 1, 2014 at 11:20 AM, Josh Grosse j...@jggimi.homeip.net wrote: Guidance for environment variable setting can be found in the top level src/Makefile, and also in the /usr/share/mk/bsd.README -- and you may find the bsd.own.mk Makefile helpful. Dang, should have thought to look

Re: Change routing tables when ISP goes down

2014-10-01 Thread Alan McKay
ifstated could do it ...

No SSH fingerprints for Alberta Anon CVS Server?

2014-10-01 Thread Alan McKay
Hi again folks, This is yet another email relating to my search for a secure way to download -stable source. When I first started building -stable a couple of weeks ago I chose the Alberta CVS server because I considered it Home Base (or maybe I should say Center Ice? :-)) Now that I have the

Re: No SSH fingerprints for Alberta Anon CVS Server?

2014-10-01 Thread Alan McKay
On Wed, Oct 1, 2014 at 12:32 PM, trondd tro...@gmail.com wrote: Note: If your server is listed on here with inaccurate or unknown information, please contact b...@openbsd.org Yeah, damned if you do, damned if you don't. I saw that and was not 100% sure whether this fell into that category and

Re: Change routing tables when ISP goes down

2014-10-01 Thread Alan McKay
On Wed, Oct 1, 2014 at 2:10 PM, Gerald Chudyk gchu...@gmail.com wrote: I have been casually working on this for some time now. Hey, nice work! -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

How to follow -stable and verify it with signify?

2014-09-30 Thread Alan McKay
Hi folks, I've been googling for a couple of hours now and not coming up with much here. I see how to download the -release source and then verify it, but I cannot find any way to grab -stable from CVS and do the same. I guess the only way I do see is to start out with the -release code, verify

Re: How to follow -stable and verify it with signify?

2014-09-30 Thread Alan McKay
On Tue, Sep 30, 2014 at 10:27 AM, Stefan Olsson stefan.karl.ols...@gmail.com wrote: I don't do this myself, but stable=patch branch, i.e. release + patches. All info you need is really in these two pages: Yes, I have it working great already. But at no point during that process does it have me

Re: How to follow -stable and verify it with signify?

2014-09-30 Thread Alan McKay
Sounds like I'll need to go with the signed tarballs for the -release and then apply the signed patches to get -stable. Dangit, I already had my process down (building from CVS) and now I have to change it ...

Re: How to follow -stable and verify it with signify?

2014-09-30 Thread Alan McKay
On Tue, Sep 30, 2014 at 4:21 PM, Stuart Henderson s...@spacehopper.org wrote: binpatchng can help you with this process. I will have to look into that But note that -stable sometimes has extra commits that don't have errata; release+patches is not quite the same thing as -stable. Can you

Re: OT: Goldman Sachs rescued(?) by Google

2014-09-23 Thread Alan McKay
On Tue, Sep 23, 2014 at 3:43 AM, Maurice McCarthy m...@mythic-beasts.com wrote: OK I surrender! I get the message lol Hey at least I marked it OT: :-) -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

OT: Goldman Sachs rescued(?) by Google

2014-09-22 Thread Alan McKay
Wow! I can't believe they could email something like that in the first place without encrypting it first. Holy moly! -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

Re: OT? - people going to EuroBSDcon in Sofia

2014-09-04 Thread Alan McKay
Personally I would not consider this off-topic in the least ... Sadly, I will not be going. But I may see you at the next one in Ottawa :-)

Re: Automated PXE install auto_install issue (was: Serva)

2014-09-02 Thread Alan McKay
On Sat, Aug 30, 2014 at 12:54 PM, Jiri B ji...@devio.us wrote: And you probably didn't mention problem with auto_install as 'filename' :) See http://devio.us/~jirib/pxelinux-openbsd.html Quote : The caveat is how pxelinux reacts when filename is set to auto_install, as stated in autoinstall(8).

Problems with older nc without -N option ... also how to detect nc version

2014-08-27 Thread Alan McKay
Hi folks, I'm writing some scripts to clone over the network, and since I have mostly boxes that do not have the -N option on nc, this is proving to be an issue. I have a bunch of dump files - one for each filesystem - that were created from a live system. When I want to send them back over the

Re: Problems with older nc without -N option ... also how to detect nc version

2014-08-27 Thread Alan McKay
On Wed, Aug 27, 2014 at 12:56 PM, Alan McKay alan.mc...@gmail.com wrote: Anyone have any ideas here? Well I'd been through the nc man page close to a dozen times ... and just this one last time noticed the -w option for timeout Works a charm! -- Don't eat anything you've ever seen

Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-23 Thread Alan McKay
On Sat, Aug 23, 2014 at 6:21 AM, Stuart Henderson s...@spacehopper.org wrote: It may be easier to installboot(8) after copying. Yeah I used installboot -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
Hi folks, I've done this a (n exaggerated) million times on Linux but I'm new at OpenBSD. Google found me a few options and I just want to see whether there are any more that I missed. FAQ 4.15 addresses this matter and says : Unfortunately, there are no known disk imaging packages which are

Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
Wow, thanks for the responses so far! An ancillary question : am I going to have any issues bringing it up in a VM? I know that for example NIC names will change so I'll have to rename hostname.bnx0 to hostname.em0 Any other gotchas?

Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
On Fri, Aug 22, 2014 at 10:22 AM, Jiri B ji...@devio.us wrote: What about automated installation and configuration management to do the rest? What is this? -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
On Fri, Aug 22, 2014 at 10:37 AM, sven falempin sven.falem...@gmail.com wrote: Openbsd is simple, you may easily script an install or use the automated install feature.IE a file containing the answer to the install process. And finally siteXX.tgz to push your own file. Oh OK I missed that.

Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
On Fri, Aug 22, 2014 at 10:28 AM, Christopher Zimmermann chr...@openbsd.org wrote: I usually do dump -0auf 140822var.dump0 /var for dumping /var in a file or dump -0auf - /var |nc -l 1 on source and restore -rf - |nc source 1 OK I want to try this so that I have better control of

Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
On Fri, Aug 22, 2014 at 11:07 AM, Alan McKay alan.mc...@gmail.com wrote: Also, I have the OpenBSD install CD booted and I exited to shell, but there does not seem to be an nc there. What are you booting on the restore side? Looks like this problem is easily solved thus : http://livecd

Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
Clone worked great with the LiveCD booted in the destination, and dump/restore/nc I will be happy to document it for the FAQ if anyone wants it there. Not sure what the process is for that. And I will also be happy to update the FAQ regarding the aforementioned error. Now, I do have one problem

CARP interfaces stay in BACKUP on cloned system

2014-08-22 Thread Alan McKay
Hey folks, I got my system cloned and it runs fine in a VM. I had to make a few obvious changes like changing bnx to em in all the places where I define things with interfaces. So /etc/hostname.* /etc/pf.conf, /etc/relayd.conf. And I grepped for bnx in /etc/* and /etc/*/* to make sure I did

Re: troubleshooting carp [solved]

2014-08-20 Thread Alan McKay
This is very interesting. I have the faulty config in 5.5 but it seems to work. But we have it all on 1 line if that matters and we also specify carpdev ---snip--- This doesn't work so well: # cat /etc/hostname.carp0 inet 192.168.16.1/24 vhid 100 pass blahblah advbase 5 advskew 0 This

Re: named does not start?

2014-08-20 Thread Alan McKay
On Wed, Aug 20, 2014 at 3:08 PM, Christer Solskogen christer.solsko...@gmail.com wrote: named_flags= Try named_flags= I had the same issue with httpd in 5.5. It seems that ntpd lets you have blank after =, but not httpd Not running named on this system so dunno : ntpd_flags=

Re: troubleshooting carp

2014-08-14 Thread Alan McKay
On Thu, Aug 14, 2014 at 2:36 PM, Stefan Olsson stur...@hotmail.com wrote: That begs the question though - http://begthequestion.info/ :-) (former philosophy major ...) -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food

Re: [Bulk] Re: Donations to OpenBSD

2014-08-14 Thread Alan McKay
On Thu, Aug 14, 2014 at 4:40 PM, Daniel Villarreal yclwebmas...@gmail.com wrote: It means Producer, or maker also manufacturer ... -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food