Re: newbie help with PF. block all, then allowing port 22 doesn't work.

2010-04-22 Thread Andres Salazar
Hello,

Yes, it loaded properly. Yes, I had missed the macro for the external
NIC; it is included in the original ruleset: t_externa = fxp0


This is the result for pfctl -sr:

match in all scrub (no-df)
block drop all
pass out all flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type unreach keep state



As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked out and
cannot SSH in from the outside.

Where am I blocking port SSH in? :(

Andres


On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet dan...@presscom.net wrote:
   ## Traffic IN
   pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
      port { 22  8080 } keep state

 In your pf configuration it doesn't show where you actually define the
 macro for your interface $t_externa.

 Are you sure the rules you run are what you think they are?

 Did it load properly? Maybe you want to check the rules that are active with

 pfctl -sr

 and check that display. I think you may find what you are looking for.

 Compare your pf.conf with what you actually see in pfctl -sr and you will
 work your issue out.

 Best,

 Daniel



Re: newbie help with PF. block all, then allowing port 22 doesn't work.

2010-04-22 Thread Andres Salazar
Hello,

That solved the issue, but I have about 20 rulesets that have the same
syntax. I don't see anything yet about this either.

Please elaborate.

Andres

On Thu, Apr 22, 2010 at 3:59 PM, Alexander Hall alexan...@beard.se wrote:
 On 04/22/10 18:22, Allie Daneman wrote:
 Why are you doing from any to (fxp0) ? That's your problem. Change all

 I fail to see why that would cause any issues. Care to elaborate?

 /Alexander

 the rules like that to from any to any since you're already putting
 the rule on that interface and it should fix you up. As long as you're
 not redirecting you can turn logging on specific rules and see why
 they're blocking as well if that doesn't fix your issue.




newbie help with PF. block all, then allowing port 22 doesn't work.

2010-04-21 Thread Andres Salazar
Hello all.

I have a ruleset where I am explicitly allowing incoming connections
on port 22 (the default is block log all). For some weird reason
they are getting blocked.

log says: Apr 21 17:09:49.105052 rule 1/(match) block in on fxp0: my.client.ip.here.54711 > my.server.ip.here.22: S 2999658291:2999658291(0) win 5840 <mss 1460,sackOK,timestamp 7094694[|tcp]> (


Using OBSD 4.6. The name of the interface does match ifconfig
(only 1 network card); pass out works without any problem.


  dns_servers = { 208.67.222.220, 208.67.222.222, 4.2.2.1, 4.2.2.2 }

  set block-policy drop

  set loginterface $t_externa

  set skip on lo

  set debug urgent

  ##scrub
  match in all scrub (no-df)

  ##translation

  ## filter rules
  block log all
  pass out
  antispoof quick for { lo $t_externa }

  ## Traffic IN
  pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
     port { 22  8080 } keep state

  ## Traffic OUT
  pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to $dns_servers \
     port 53 keep state
  pass out quick on $t_externa inet proto { tcp } from ($t_externa) to any \
     port { 80 443 } flags S/SA modulate state
  pass out inet proto icmp all icmp-type { echoreq, unreach } keep state


Please help! Thanks

Andres
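As an added example (not code from this thread), the following Python helper does mechanically what Daniel suggests: it takes a tcpdump-on-pflog line like the one in the question and the "pfctl -sr" output posted later in the thread, resolves the "rule N" in the log to the Nth rule of the loaded ruleset (pflog numbers rules as "pfctl -vvsr" does, counting from 0, not as lines of pf.conf), and lists the pass rules whose direction, interface, protocol and port fit the packet, so that any remaining mismatch must be in their address part. The sample rules and log line are constructed from the thread's own output; the service-name table is an assumption that covers only the names seen here.

```python
import re

# Constructed sample input: the active ruleset as printed by "pfctl -sr" in the
# thread, one rule per line.  pflog reports the rule *index* in this list
# (what "pfctl -vvsr" shows as @N), not a line number in pf.conf.
PFCTL_SR = """\
match in all scrub (no-df)
block drop all
pass out all flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type unreach keep state
"""

# Constructed sample: the tcpdump-on-pflog line from the question, with the
# placeholder addresses exactly as posted.
PFLOG_LINE = ("Apr 21 17:09:49.105052 rule 1/(match) block in on fxp0: "
              "my.client.ip.here.54711 > my.server.ip.here.22: S "
              "2999658291:2999658291(0) win 5840 <mss 1460,sackOK,timestamp 7094694[|tcp]>")

# Assumption: service names pfctl prints for the ports used in this ruleset.
SERVICE_PORTS = {"ssh": 22, "domain": 53, "www": 80, "https": 443}

PFLOG_RE = re.compile(
    r"rule (?P<num>\d+)/\((?P<reason>[^)]+)\) (?P<action>\w+) (?P<direction>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+):"
)


def port_number(token):
    """Map a pfctl/tcpdump port token ('ssh' or '22') to an integer."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_rules(pfctl_output):
    """Return the loaded ruleset as a list; the list index is the pflog rule number."""
    return [line.strip() for line in pfctl_output.splitlines() if line.strip()]


def parse_pflog(line):
    """Extract rule number, decision, interface and endpoints from a pflog line."""
    m = PFLOG_RE.search(line)
    if m is None:
        raise ValueError("not a pflog block/pass line: %r" % line)
    pkt = m.groupdict()
    pkt["num"] = int(pkt["num"])
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = port_number(pkt["dport"])
    return pkt


def matched_rule(pflog_line, pfctl_output):
    """The text of the rule that pflog says made the decision."""
    rules = parse_rules(pfctl_output)
    num = parse_pflog(pflog_line)["num"]
    if num >= len(rules):
        raise ValueError("rule %d is not in the loaded ruleset (stale log?)" % num)
    return rules[num]


def candidate_pass_rules(pfctl_output, direction, ifname, proto, dport):
    """Pass rules whose direction, interface, protocol and port fit the packet.

    The from/to address part is deliberately NOT evaluated: if a candidate is
    listed here but pflog still reports the block rule, the address part of the
    candidate (e.g. "to (fxp0)") is what failed to match.
    """
    found = []
    for idx, rule in enumerate(parse_rules(pfctl_output)):
        tok = rule.split()
        if tok[:2] != ["pass", direction]:
            continue
        if "on" in tok and tok[tok.index("on") + 1] != ifname:
            continue
        if "proto" in tok and tok[tok.index("proto") + 1] != proto:
            continue
        if "port" in tok:
            i = tok.index("port")
            # pfctl prints a single port as "port = ssh"; ranges and other
            # operators are not handled by this example.
            if tok[i + 1] != "=" or port_number(tok[i + 2]) != dport:
                continue
        found.append((idx, rule))
    return found


if __name__ == "__main__":
    pkt = parse_pflog(PFLOG_LINE)
    print("decided by rule %d: %s" % (pkt["num"], matched_rule(PFLOG_LINE, PFCTL_SR)))
    # The "S" flag in the log marks a TCP SYN, so look for tcp pass rules.
    for idx, rule in candidate_pass_rules(PFCTL_SR, pkt["direction"], pkt["ifname"], "tcp", pkt["dport"]):
        print("pass rule that should have matched; check its addresses: @%d %s" % (idx, rule))
```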



Newbie - Identifying IO bottleneck with systat. How to make sense of these numbers?

2010-03-22 Thread Andres Salazar
Hello..

I am trying to use systat to identify whether there is an IO bottleneck
when my applications/db run. Linux systat shows more info and it
seems there are more examples on the net, but even with BSD's
iostat I don't know how to make sense of all these numbers.

I ran it this way:

systat iostat

    2 users    Load 1.94 1.06 0.68                    Mon Mar 22 11:57:16 2010

DEVICE      READ     WRITE  RTPS  WTPS  SEC        STATS
sd0      6786252   8530739   138   521  0.6        11839 numbufs
cd0            0         0     0     0  0.0        11828 freebufs
Totals   6786252   8530739   138   521  0.6        47350 numbufpages
                                                       0 numfreepages
                                                      96 numdirtypages
                                                   47210 numcleanpages
                                                     -17 pendingwrites
                                                       0 pendingreads
                                                    2611 numwrites
                                                    2532 numreads
                                                   22564 cachehits

Basically my biggest concern is that whenever I do a mysqldump all
other queries are queued and mysql just gets way slow.


Also, this hard disk is marked as 30Gb/sec (384 megabytes / sec).
Is it possible to saturate my HD IO and view the traffic per megabyte to
see what is the maximum I can achieve?

Thanks...

Andres



possible relayd bug? intermittent SSL handshake errors (SSL3_GET_FINISHED:digest check failed, SSL3_GET_RECORD:decryption failed or bad record mac)

2010-03-04 Thread Andres Salazar
Hello,

I have a very simple relayd config:


## Macros
#
relayd_addr=xx.xx.xx.xx
relayd_port=81

web_port=80
table web_hosts { xx.xx.xx.xx }

## Global Options
#
# Interval in seconds at which the back-end hosts
# will be checked (default: 10 seconds)
interval 10

# Timeout for back-end servers to respond. Set to
# 200 for local servers and around 1000 for servers
# on other subnets. (default: 200 milliseconds)
timeout 1000

# Number of child processes to run. (default: 5)
prefork 5

# Log state notifications after completed host
# checks. State can be up, down or unknown.
log updates

http protocol httpfilter {

   ### TCP performance options
tcp { nodelay, sack, socket buffer 65536, backlog 100 }

   ### Return HTTP/HTML error pages
return error

   ### allow logging of remote client ips to internal web servers
header append $REMOTE_ADDR to X-Forwarded-For

   ### set Keep-Alive timeout to global timeout
header change Keep-Alive to $TIMEOUT

   ### close connections upon receipt
header change Connection to close

ssl { sslv3, tlsv1, ciphers HIGH:!ADH:!MD5, no sslv2 }
ssl session cache disable

}

relay httpproxy {
listen on $relayd_addr port $relayd_port ssl
protocol httpfilter
forward to web_hosts port $web_port mode loadbalance check icmp
}


Intermittently the client making requests to it gets this error. 90% of
the time it works without errors.

(SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check
failed) while SSL handshaking to upstream, client:

Then also, sometimes my client gets this error (this is more rare):

(SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
bad record mac) while SSL handshaking to upstream, client:

I have started relayd -vv -n and I don't get any errors, BUT
sometimes for the last error mentioned I get this error in relayd:

SSL library error: httpproxy: relay_ssl_accept: error:140943FC:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad record mac



I have tried querying the relayd box directly from the outside with
this command:

openssl s_client -connect ip.of.relayd.box:81 -state -ssl3 -no_ssl2 -no_tls1

I have repeated that 100 times and I never get any errors.


My remote client can GET any other SSL website without any problem.

The cert installed in relayd is valid, with the exception that it
doesn't match the hostname being asked for, but that shouldn't be an
issue, right?

Please help.

Andres



Re: Average time for compiling userland? == benchmarking CPU/IO? best result for database hosting?

2010-03-01 Thread Andres Salazar
Hello,

I don't have obj in RAM, or /tmp. I am using make build.

Thank you

Andres

On Mon, Mar 1, 2010 at 5:48 AM, Marc Espie es...@nerim.net wrote:
 On Sun, Feb 28, 2010 at 11:02:37AM -0600, Andres Salazar wrote:
 Hello,

 I am confused by the different results I get when I compile userland on
 any machine better than a Dual Core 2.5Ghz 2GB RAM 160GB 7200 SATA /
 SATA II

 You're not even telling us how you compile userland. How should we help?
 Is your obj in RAM? Your tmp in RAM? Are you building with make build?
 make -j4 build? Something else?



Average time for compiling userland? == benchmarking CPU/IO? best result for database hosting?

2010-02-28 Thread Andres Salazar
Hello,

I am confused by the different results I get when I compile userland on
any machine better than a Dual Core 2.5Ghz 2GB RAM 160GB 7200 SATA /
SATA II.

On some machines I get a compile time of 45min, on other machines 30min,
and in the best case I get 30min. Sometimes the machine that
takes 45min is far better hardware than a DualCore, in this case a
QuadCore with SATA II/SATA...

I am going to use these machines for databases and I am very concerned
about these results.

Based on that I have this question:

Is it normal that this varies so much? (After all, a variation from
35min to 45min represents about 25% less efficiency!)

Is there a better way to benchmark the IO of a hard disk on OpenBSD?
What should be normal for a hard disk detected as sd, SATA/SATA II,
with similar CPU/RAM as mentioned?

Andres



Re: Average time for compiling userland? == benchmarking CPU/IO? best result for database hosting?

2010-02-28 Thread Andres Salazar
On Sun, Feb 28, 2010 at 11:10 AM, Bret S. Lambert
bret.lamb...@gmail.com wrote:
 I am going to use these machines for databases and I am very concerned
 about these results.

 Honestly, you'd do better asking that on a list dedicated to whatever
 database you're going to be running.

 In addition to helping you choose hardware to fit your needs, they'll
 totally pimp your configs, too.


Thanks. It would still be interesting to know what the average
userland compilation time is on similar hardware. Also, is there any standard
way of benchmarking IO on OpenBSD?

Thanks

Andres



slow IO on PowerEdge R210 QUAD-CORE X3460 2.8GHz 4gb of RAM tested in AHCI ATA mode.

2010-02-23 Thread Andres Salazar
Hello,

I have 2 SATA drives without an additional SATA controller on this
box. I have tried this in ATA Mode, and also in AHCI mode. Disk reads
are 50% higher. Userland compilation takes 55min when the usual on
other similar hardware is 35 min.

Could somebody check my dmesg and comment? It brings to my attention
an error about the clock speed of the processor. I am running 4.6
OpenBSD i386.

Please note that the kernel I am using is a stable kernel; I also tried
with the release GENERIC.MP, same result.

OpenBSD 4.6-stable (GENERIC-13-12-09.MP) #0: Tue Feb 23 08:52:54 CST 2010
r...@odeon.my.domain:/usr/src/sys/arch/i386/compile/GENERIC-13-12-09.MP
cpu0: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
real mem  = 3210936320 (3062MB)
avail mem = 3110584320 (2966MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/11/09, BIOS32 rev. 0 @
0xfa0a0, SMBIOS rev. 2.6 @ 0xbf79c000 (62 entries)
bios0: vendor Dell Inc. version 1.0.4 date 09/11/2009
bios0: Dell Inc. PowerEdge R210
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET DM__ MCFG WD__ SLIC ERST HEST
BERT EINJ TCPA SSDT
acpi0: wakeup devices PCI0(S5) USBA(S0) USBB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: unknown i686 model 0x1e, can't get bus clock (0x0)
cpu0: apic clock running at 132MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu2: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu3: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu4: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu5: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu6: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu7: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (LYD0)
acpiprt2 at acpi0: bus -1 (LYD2)
acpiprt3 at acpi0: bus 2 (PEX0)
acpiprt4 at acpi0: bus -1 (PEX4)
acpiprt5 at acpi0: bus -1 (PEX5)
acpiprt6 at acpi0: bus 3 (COMP)
acpicpu0 at acpi0: C3, C2, C1
acpicpu1 at acpi0: C3, C2, C1
acpicpu2 at acpi0: C3, C2, C1
acpicpu3 at acpi0: C3, C2, C1
acpicpu4 at acpi0: C3, C2, C1
acpicpu5 at acpi0: C3, C2, C1
acpicpu6 at acpi0: C3, C2, C1
acpicpu7 at acpi0: C3, C2, C1
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x2200 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0: EST: unknown system bus clock
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0xd130 rev 0x11
ppb0 at pci0 dev 3 function 0 vendor Intel, unknown product 0xd138
rev 0x11: apic 0 int 16 (irq 0)
pci1 at ppb0 bus 1
vendor Intel, unknown product 0xd155 (class system subclass
miscellaneous, rev 0x11) at pci0 dev 8 function 0 not configured
vendor Intel, unknown product 0xd156 (class system subclass
miscellaneous, rev 0x11) at pci0 dev 8 function 1 not configured
vendor Intel, unknown product 0xd157 (class system subclass
miscellaneous, rev 0x11) at pci0 dev 8 function 2 not configured
vendor Intel, unknown 

Re: slow IO on PowerEdge R210 QUAD-CORE X3460 2.8GHz 4gb of RAM tested in AHCI ATA mode.

2010-02-23 Thread Andres Salazar
Why would that be, Marco? What's special about this hardware?

On Tue, Feb 23, 2010 at 10:15 AM, Marco Peereboom sl...@peereboom.us wrote:
 You need -current to have a fighting chance with that server.


Slow IO in PowerEdge R200 X3330 2.66Ghz 2x3MB Cache.

2010-02-23 Thread Andres Salazar
Hello,

I had a R201 running 4.6 i386 stable. I was told this configuration
was very new, so I got a new box; this time it's a PowerEdge R200
without any special PCI SATA controller, with 2 SATA II hard disks.
The BIOS SATA setting is set to ATA Mode (it's either this or OFF).

Even after all this change, and a clean install, the IO is 55%
greater than all my other machines. For example a userland recompile
takes 55min, vs. 35 min with the same proc and RAM on another box.

Below is my dmesg, in which I don't see any flag. Possibly there must be
some incompatibility with the hard disk?

OpenBSD 4.6-stable (GENERIC-13-12-09.MP) #0: Tue Feb 23 16:08:43 CST 2010
r...@bazz.my.domain:/usr/src/sys/arch/i386/compile/GENERIC-13-12-09.MP
cpu0: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
real mem  = 3487866880 (3326MB)
avail mem = 3383250944 (3226MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/15/09, BIOS32 rev. 0 @
0xfac90, SMBIOS rev. 2.5 @ 0xcff9c000 (46 entries)
bios0: vendor Dell Inc. version 1.4.3 date 05/15/2009
bios0: Dell Inc. PowerEdge R200
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT
EINJ SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 333MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz
cpu2: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz
cpu3: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX1)
acpiprt2 at acpi0: bus 2 (SBE0)
acpiprt3 at acpi0: bus 3 (SBE4)
acpiprt4 at acpi0: bus 4 (SBE5)
acpiprt5 at acpi0: bus 5 (COMP)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpicpu2 at acpi0: PSS
acpicpu3 at acpi0: PSS
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1800 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 2667 MHz: speeds: 2667, 2333, 2000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 3200/3210 Host rev 0x01
ppb0 at pci0 dev 1 function 0 Intel 3200/3210 PCIE rev 0x01: apic 4
int 16 (irq 15)
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: apic 4
int 16 (irq 15)
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02
pci3 at ppb2 bus 3
bge0 at pci3 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1
(0x4201): apic 4 int 16 (irq 15), address 00:25:64:3c:7f:8c
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb3 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02
pci4 at ppb3 bus 4
bge1 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1
(0x4201): apic 4 int 17 (irq 14), address 00:25:64:3c:7f:8d
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: apic 4
int 21 (irq 11)
uhci1 at pci0 dev 29 function 1 Intel 82801I USB rev 0x02: apic 4
int 20 (irq 10)
uhci2 at pci0 dev 29 function 2 Intel 82801I USB rev 0x02: apic 4
int 21 (irq 11)
ehci0 at pci0 dev 29 function 7 Intel 82801I USB rev 0x02: apic 4
int 21 (irq 11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x92
pci5 at ppb4 bus 5
vga1 at pci5 dev 5 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: apic 4 int 19 (irq 5)
drm0 at radeondrm0
ichpcib0 at pci0 dev 31 function 0 Intel 82801IR LPC rev 0x02: PM disabled
pciide0 at pci0 dev 31 function 2 Intel 82801I SATA rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 4 int 23 (irq 6) for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: ST3250310NS
wd0: 16-sector 

Re: Slow IO in PowerEdge R200 X3330 2.66Ghz 2x3MB Cache.

2010-02-23 Thread Andres Salazar
Hello,

I believe that these disks are SATA II
(http://www.seagate.com/ww/v/index.jsp?vgnextoid=6278576e14ee9110VgnVCM10f5ee0a0aRCRD)
and thus would always fall under the wd driver as per the man page.

I believe that sd is for SCSI only. Is this assumption correct?

Andres

On Tue, Feb 23, 2010 at 3:36 PM, Marco Peereboom sl...@peereboom.us wrote:
 Your disks are still wd so io sucks.  Use -current.


Broadcom NetXtreme II BCM5716 1000Base-T being recognized with bnx instead of bge.. is that OK?

2010-02-18 Thread Andres Salazar
Greetings.

I have a Dell R210 with a built-in Broadcom NetXtreme II BCM5716
1000Base-T being recognized as bnx instead of bge. I am having
problems starting the network within the OpenBSD 4.6 installer.

I noticed that the manual for bge says:

The bge driver provides support for various NICs based on the Broadcom
 BCM570x, 571x

That would include my BCM5716, wouldn't it? Is there a problem if it's
getting recognized by the other driver?


Thanks

Andres



possible to configure PF to simulate latency and 1% packet loss?

2010-01-22 Thread Andres Salazar
Hello,

Is it possible to do some rule in pf to simulate 300ms of latency?
This is for testing purposes.

A plus would be to simulate 1% packet loss.

Many Thanks!!
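
pf cannot add delay: neither pf nor altq has a link-emulation facility, so the 300 ms part of the question has no pf answer. Random loss, on the other hand, is a one-word `probability` option on a rule. The fragment below is an added example written for this page, not a configuration from the thread; the interface `em0` and the test host `192.0.2.10` are assumptions. It uses stateless pass rules on purpose: pf matches packets against the state table before it consults the ruleset, so a stateful pass rule would exempt every packet after the first of each connection from the random block.

```pf
# Added example: random 1% packet loss for one host, in both directions.
test_if   = "em0"         # assumed interface
test_host = "192.0.2.10"  # assumed host under test (documentation prefix)

# "probability" makes the rule apply to only that share of the packets that
# would otherwise match it; the rest fall through to the later pass rules.
# "quick" ends evaluation for the dropped packets, "log" records each drop
# on pflog0 so the losses can be lined up with the application's behaviour.
block log quick on $test_if from $test_host probability 1%
block log quick on $test_if to   $test_host probability 1%

# Stateless passes, so every packet of a connection is evaluated against the
# block rules above (with a state, only the first packet would be).
# "flags any" is needed because pf's default "flags S/SA" would otherwise
# match only SYNs when no state is kept.
pass on $test_if inet proto tcp from $test_host flags any no state
pass on $test_if inet proto tcp to   $test_host flags any no state
pass on $test_if inet proto { udp, icmp } from $test_host no state
pass on $test_if inet proto { udp, icmp } to   $test_host no state
```

Load it with `pfctl -f` and check `pfctl -vsr`: the Evaluations counter on each block rule should be roughly a hundred times its Packets counter, and `tcpdump -n -e -ttt -i pflog0` shows every dropped packet.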



Encrypt entire filesystem with AES 256bit. Softraid tutorial?

2009-12-18 Thread Andres Salazar
Hello,
I am looking for ways to encrypt my entire filesystem, but it must be
with 256-bit AES. I've been searching and I deduce that the only
option I have is using softraid; however, I am unable to find any
tutorial or guide. Anybody know if this is possible, if I have any
other option (with the 256-bit AES cipher) and if there is a guide?

Thank you.

Andres



PF: Help with a very simple bandwidth capping using hfsc

2009-12-09 Thread Andres Salazar
Hello,

For some reason I cannot get this to work properly. We have a
1 Megabyte/sec connection, and I want this box to be capped at up to
200 KiloBytes/sec.

However, every time I try, it just always ends up using the entire link.
If I modify it to 1Kb, it ends up using around 80 Kilobytes/sec.


# cat /etc/pf.conf
t_externa = re0

## Queueing
altq on $t_externa bandwidth 200Kb hfsc queue { bulk, ack }
  queue ack  bandwidth 20% priority 2 qlimit 500 hfsc (realtime 20%)
  queue bulk bandwidth 80% priority 1 qlimit 500 hfsc (realtime 60% default)

block all
#pass out from self to any
antispoof quick for { lo0 }

pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
port 22 keep state

pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
 port 53 keep state

pass out quick on $t_externa inet proto tcp from ($t_externa) to any \
port { 80 443 }

### ICMP
pass inet proto icmp all icmp-type { echoreq, unreach } keep state



This is what systat queues says:

 5 usersLoad 0.77 0.53 0.42  Wed Dec  9 17:59:16 2009

QUEUE BW SCH  PRIO PKTSBYTES
DROP_P   DROP_B QLEN BORROW SUSPEN P/S B/S
root_re0200K hfsc000
 000 0   0
 ack   4 hfsc200
 000 0   0
 bulk   160K hfsc 27060  1818302
 00   62   373   25006

This is what I can download at: 776 KiB/sec using lynx.


I am using OpenBSD 4.6.



Thanks

Andres



Re: PF: Help with a very simple bandwidth capping using hfsc

2009-12-09 Thread Andres Salazar
Hello,

In this case the queue bulk is the one set as default, and indeed I
do see the traffic passing through it with the command you gave me.

Please advise.

Thanks
Andres



Re: PF: Help with a very simple bandwidth capping using hfsc

2009-12-09 Thread Andres Salazar
Thank you for your suggestions; however, in this particular case I
can still download at 615 Kbytes/sec. At least now I can download at
a lesser rate with the following:

altq on $t_externa bandwidth 200Kb hfsc queue { bulk, ack }
  queue ack  bandwidth 20% priority 2 qlimit 500 hfsc (realtime 40Kb upperlimit 40Kb)
  queue bulk bandwidth 80% priority 1 qlimit 500 hfsc (realtime 120Kb upperlimit 120Kb default)


But I still cannot accomplish what I need.

Andres

On Wed, Dec 9, 2009 at 2:01 PM, Bryan S. Leaman lea...@bitbytes.com wrote:
 Andres Salazar wrote:

 Hello,

 For some reason I cannot get this to work properly. We have a
 1 Megabyte/sec connection, and I want this box to be capped at up to
 200 KiloBytes/sec.

 However, every time I try, it just always ends up using the entire link.
 If I modify it to 1Kb, it ends up using around 80 Kilobytes/sec.


 I don't think you can use the upperlimit directive in the altq definition,
 but you can use it on each queue to force a maximum amount of bandwidth,
 i.e. queue ack bandwidth 20% priority 2 qlimit 500 hfsc (realtime 40Kb
 upperlimit 40Kb).

 If you want each child to be able to borrow free bandwidth from the total
 200Kb, then you can create a queue with upperlimit of 200Kb and create your
 ack and bulk as subqueues with realtime of 40Kb and 160Kb so they have
 guaranteed bandwidth, but then they can also borrow any free bandwidth from
 the 200Kb parent when it's available.  I'm doing this in one case and it
 works fine.

 Bryan



Re: PF: Help with a very simple bandwidth capping using hfsc

2009-12-09 Thread Andres Salazar
I just tried on a new install in 4.5, and still no go.

Help is appreciated.



About priorities in /etc/resolv.conf

2009-10-28 Thread Andres Salazar
Hello,

I have experienced that even though I set up 3 servers in
/etc/resolv.conf, if the first one gets slow it apparently will not
utilize the others until it is completely down. Is there any way to
actually force the OS to pick another resolver if one of them is very
slow?

Thank you

Andres



Anyway to force IP to be assigned only if MAC matches?

2009-10-28 Thread Andres Salazar
Hello,

I have DHCP enabled on my LAN which assigns an IP according to the
client's MAC address; however, if a user wanted to be malicious he could
statically assign any IP to his NIC.

Isn't there any way I can force my ARP tables to only allow IPs to be
assigned if the MAC address matches?


Thanks
Andres



PF: Possible to loadbalance connectivity of a LAN to different gateways per IP?

2009-10-14 Thread Andres Salazar
Hey guys,

I know it is possible to route an interface to another gateway via
route-to. But what if I want to load-balance specific IPs to specific
gateways in my box? Is this possible?

Thank you

--Andres



nfe0: tx v2 error 6204UNDERFLOW

2009-10-09 Thread Andres Salazar
Hello all,

I have three machines that have an integrated NIC. Dmesg says they are:



nfe0 at pci0 dev 7 function 0 NVIDIA MCP61 LAN rev 0xa2: apic 2 int 10 (irq 10), address 00:0f:ea:63:41:fd
rlphy0 at nfe0 phy 1: RTL8201L 10/100 PHY, rev. 1


However, on all of them, when a download is initiated they spit this error:

nfe0: tx v2 error 6204UNDERFLOW


I am using 4.5 stable.

Is this a significant error? I don't see a performance issue, but I'd
like to know what the implications are. Thank you


-- Andres



PF simple rdr help?

2009-10-07 Thread Andres Salazar
Hello guys,

I have the following rules. I am trying to put the IP of the PF box
into the browser and have it get the page that's on 208.99.249.95.

When I do that the connection just hangs and doesn't give me any content.

cat /etc/pf.conf
## Macros
## TABLES
## GLOBAL OPTIONS
## TRAFFIC NORMALIZATION
## QUEUEING RULES
## TRANSLATION RULES (NAT)
rdr pass on re0 proto tcp from any to any port 80 -> 208.99.249.95
## FILTER RULES
pass in log all keep state
pass out log all keep state

# cat /etc/sysctl.conf
 net.inet.ip.forwarding=1    # 1=Permit forwarding (routing) of IPv4 packets
 net.inet.ip.mforwarding=1   # 1=Permit forwarding (routing) of IPv4 multicast packets


pflog says:


Oct 08 00:44:27.605603 rule 0/(match) rdr in on re0: my.ip.here.50755 > 208.99.249.95.80: S 6447955:6447955(0) win 5840 <mss 1460,sackOK,timestamp 8290643[|tcp]> (DF)
Oct 08 00:44:27.605612 rule 1/(match) pass out on re0: my.ip.here.50755 > 208.99.249.95.80: S 6447955:6447955(0) win 5840 <mss 1460,sackOK,timestamp 8290643[|tcp]> (DF)

Thanks for the help.

Andres
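
The two pflog lines above show the whole story: the packet arrives on re0, rdr rewrites its destination to 208.99.249.95, and it leaves re0 again with the client's own source address untouched. 208.99.249.95 then answers the client directly, from an address the client never connected to, so the client's TCP stack discards the reply and the browser hangs. Bouncing a connection back out the interface it came in on needs a second translation that rewrites the source to the firewall's address, so the reply comes back through the firewall and both translations are undone. The ruleset below is an added example in the 4.6-era `nat`/`rdr` syntax, not the rules from the post (OpenBSD 4.7 and later express the same thing with `match ... rdr-to` and `match ... nat-to`); `re0` and 208.99.249.95 come from the post, and the 1500-2000 range mentioned in the reply is assumed to be TCP.

```pf
# Added example: reflect ports 80 and 1500-2000 arriving on re0 to an
# external web server and back out through the same interface (pre-4.7 syntax).
ext_if = "re0"
web    = "208.99.249.95"

# 1. Inbound on re0: rewrite the destination. Translation happens before
#    filtering, so the filter rules below see $web as the destination.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80        -> $web
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1500:2000 -> $web

# 2. Outbound on re0: rewrite the source of the redirected packets to the
#    firewall's address so $web replies to the firewall, not to the client.
#    pf reverses both translations on the way back, and the client sees its
#    reply come from the address it connected to.
nat on $ext_if inet proto tcp from any to $web port { 80, 1500:2000 } -> ($ext_if)

# 3. The translated packet still has to be passed on both legs; state
#    covers the replies. Forwarding (net.inet.ip.forwarding=1) must be on.
block log all
pass in  quick on $ext_if inet proto tcp from any to $web port { 80, 1500:2000 } keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to $web port { 80, 1500:2000 } keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -ss` while a browser connects: a working reflection shows two state entries per connection, one per translation. The inetd/nc relay suggested in the reply does the same job without any translation, at the cost of terminating each TCP session in a userland process running as nobody.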



Re: PF simple rdr help?

2009-10-07 Thread Andres Salazar
Dorian,

Thank you. I take it for granted that match is for 4.6. That's fine.

What is the difference between passing it to netcat and doing it directly?

Aside from this I also need to redirect a range of ports (1500-2000),
and I think the issue would get more difficult if I do it with this
method.

--Andres

On Wed, Oct 7, 2009 at 6:38 PM, Dorian Büttner dorian.buett...@gmx.de wrote:
 Probably what you want might be something like this in pf.conf
 match in on $int_if proto tcp from any to ($ext_if) port www rdr-to 127.0.0.1 port 5000
 and in inetd.conf:
 127.0.0.1:5000  stream  tcp nowait  nobody  /usr/bin/nc nc -w 20 my.internal.gateway.ip.here 80

 I believe this was somewhere in the pf faq, not exactly sure; you should
 start inetd of course.

 If I'm right you want to see what your home-hosted httpd is doing on the
 outside interface using your dyndns fqdn from the internal network or
 similar. Actually there are changes in pf so you might want to specify
 your version.

 Regards,
 Dorian



applying errata vrs building userland from source

2009-09-16 Thread Andres Salazar
Hello,


What is the best practice when building a new machine, and why would
one prefer one over the other:

a.) Compile kernel and userland from a recent -stable src checkout,
or b.) Apply all the errata from http://www.openbsd.org/errata45.html ?

Both are equivalent, is this correct?

Thank you.

--Andres



KVM macros and OpenBSD

2009-08-28 Thread Andres Salazar
Hello,

I am sure other people have run into the same dilemma where some
macros don't work on a KVM.

Brands tested: Lantronix SLS / Raritan Dominion KX2 232

Macros are being received by the system, as you can do the ctrl-alt-f2
macro which changes the current terminal; this works.

I do not know why it is not accepting ctrl-alt-del at the OS level
(neither is it accepting ctrl+alt+esc for ddb), but it does so at BIOS
level (reboot the box, let it go through the BIOS, then ask the keyboard
macro to perform ctrl-alt-del; this works).

sysctl.conf contains:

ddb.panic=0
machdep.kbdreset=1
ddb.console=1


Help appreciated.

Andres



Boxes hanging intermittently. Anybody seen such ?

2009-08-16 Thread Andres Salazar
Hello,

During the past week two boxes on the same network have stopped
responding. They run OpenBSD 4.5 i386 and I have looked at every
possible log to find out why this occurs; however, I haven't been
able to spot anything unusual. All of a sudden they just stop
responding to requests.

What these freezes do have in common is that when the boxes are
reached via the KVM they present the login screen and allow text to
be entered in the login field, but upon hitting enter for it to ask
for the password, that's when it just hangs.

I am afraid this will keep on happening and I would like to know if
anybody has experienced this before. These have been perfectly
working boxes and it would be just odd for both to have the same
problem in the same few days.

Upon a reboot everything returns to normal.

Thank you.
Andres



apache1.3 without jail and PHP cannot execute some system binaries..why?

2009-08-14 Thread Andres Salazar
Hello,

I have a script that is being called from the web; it invokes the
system() function and I try to test running some system commands to
see if they are properly invoked.

Apache is running without jail (-d) due to special needs.

mv and cp do not display any output (these do not execute), while cat and ls do.

If I run the script via the command line all of the commands display
output (even if it's the usage help info of each command).

I have tried running the commands with the absolute path, and without.

The permissions and ownership for /bin are all the same and are system defaults.

What could be wrong?

Andres



Re: apache1.3 without jail and PHP cannot execute some system binaries..why?

2009-08-14 Thread Andres Salazar
Yes, I am sorry, typo: I meant I disabled chroot with -u.

I went over the php.ini and there is nothing listed in disable_functions.

Please advise. Thanks



Re: apache1.3 without jail and PHP cannot execute some system binaries..why?

2009-08-14 Thread Andres Salazar
I have also tried using the user www and executing the script; it
works fine. It just doesn't work via the web.



On Fri, Aug 14, 2009 at 11:04 AM, Andres Salazarndrsslz...@gmail.com wrote:
 Yes, I am sorry, typo: I meant I disabled chroot with -u.

 I went over the php.ini and there is nothing listed in disable_functions.

 Please advise. Thanks



Re: apache1.3 without jail and PHP cannot execute some system binaries..why?

2009-08-14 Thread Andres Salazar
ls -la /bin pretty much says that the permissions and ownership are
the same for mv, cp, cat, ls.

I don't think it's a permission/ownership issue.

Please advise.

On Fri, Aug 14, 2009 at 11:18 AM,
# ls -la
total 14192
drwxr-xr-x   2 root  wheel    1024 Aug  4 11:58 .
drwxr-xr-x  14 root  wheel     512 Aug  4 11:59 ..
-r-xr-xr-x   2 root  bin     82636 Aug  4 11:58 [
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 cat
-r-xr-xr-x   3 root  bin    180940 Aug  4 11:58 chgrp
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 chio
-r-xr-xr-x   3 root  bin    180940 Aug  4 11:58 chmod
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 cksum
-r-xr-xr-x   1 root  bin    111308 Aug  4 11:58 cp
-r-xr-xr-x   3 root  bin    271052 Aug  4 11:58 cpio
-r-xr-xr-x   1 root  bin    291532 Aug  4 11:58 csh
-r-xr-xr-x   1 root  bin    103116 Aug  4 11:58 date
-r-xr-xr-x   1 root  bin     90828 Aug  4 11:58 dd
-r-xr-xr-x   1 root  bin     94924 Aug  4 11:58 df
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 domainname
-r-xr-xr-x   1 root  bin     78540 Aug  4 11:58 echo
-r-xr-xr-x   1 root  bin    168652 Aug  4 11:58 ed
-r-xr-xr-x   2 root  bin    209612 Aug  4 11:58 eject
-r-xr-xr-x   1 root  bin    119500 Aug  4 11:58 expr
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 hostname
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 kill
-r-xr-xr-x   3 root  bin    332492 Aug  4 11:58 ksh
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 ln
-r-xr-xr-x   1 root  bin    180940 Aug  4 11:58 ls
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 md5
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 mkdir
-r-xr-xr-x   2 root  bin    209612 Aug  4 11:58 mt
-r-xr-xr-x   1 root  bin    164556 Aug  4 11:58 mv
-r-xr-xr-x   3 root  bin    271052 Aug  4 11:58 pax
-r-xr-xr-x   1 root  bin    201420 Aug  4 11:58 ps
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 pwd
-r-xr-xr-x   1 root  bin    221900 Aug  4 11:58 rcp
-r-xr-xr-x   3 root  bin    332492 Aug  4 11:58 rksh
-r-xr-xr-x   1 root  bin    180940 Aug  4 11:58 rm
-r-xr-xr-x   1 root  bin     86732 Aug  4 11:58 rmail
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 rmd160
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 rmdir
-r-xr-xr-x   3 root  bin    332492 Aug  4 11:58 sh
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 sha1
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 sleep
-r-xr-xr-x   1 root  bin    115404 Aug  4 11:58 stty
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 sum
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 sync
-r-xr-xr-x   1 root  bin    352972 Aug  4 11:58 systrace
-r-xr-xr-x   3 root  bin    271052 Aug  4 11:58 tar
-r-xr-xr-x   2 root  bin     82636 Aug  4 11:58 test



Intermittent Segmentation fault (11) with new port updates for Compilation of apache-httpd-2.2.11 and php5.2.10 . Bug??

2009-08-09 Thread Andres Salazar
Hello,

Environment: OpenBSD 4.5 stable , generic MP kernel. Dmesg here:
http://pastebin.com/m5f5e96fe

Summary: We have a special need to use Apache 2 with PHP5. Before
the ports were updated from php5.2.6 and apache 2.2.9 this procedure
worked 100%, and now, even in a new install, just by calling
phpinfo() I am getting the following intermittent errors in the error
log and a white screen:

Error: [Sun Aug 09 12:47:27 2009] [notice] child pid 12566 exit signal
Segmentation fault (11)


Ruled out: I have ruled out hardware issues by totally replacing the
box and also doing a fresh install. I have made sure all X11 file
sets were installed because they are needed for compilation.

How to recreate the problem:

a.) Compiled kernel to stable, rebooted, and compiled userland to stable.
b.) Downloaded the latest ports from the stable branch.
c.) cd /usr/ports/www/apache-httpd/; make; make install. Confirmed
successful install of apache 2.2.11.
d.) cd /usr/ports/www/php5/core; vi Makefile and changed:
CONFIGURE_ARGS+=--with-apxs=/usr/sbin/apxs \ to
CONFIGURE_ARGS+=--with-apxs2=/usr/local/sbin/apxs2 \
then make; make install. Confirmed the installation of php5.2.10
e.) Configured httpd2.conf so that it loads the php5 module:
LoadModule php5_module /usr/local/lib/php/libphp5.so
f.) cd /usr/ports/www/php5/extensions; vi Makefile and changed:
CONFIGURE_ARGS+=--with-apxs=/usr/sbin/apxs \ to
CONFIGURE_ARGS+=--with-apxs2=/usr/local/sbin/apxs2 \
then make; make install.
g.) export PKG_PATH=/usr/ports/packages/i386/all/; pkg_add  php5-bz2
php5-curl php5-gd php5-gmp php5-mbstring php5-mcrypt php5-mhash
php5-mysql php5-shmop. (This will grab the packages compiled from the
pkg:path).
h.) Placed an info.php file in the apache2 htdocs and refreshed it many
times; many of those generate that error and images (logos) don't load.
The issue is totally INTERMITTENT. After I rebooted I could
load phpinfo() fine, but then I tried installing phpmyadmin and
sometimes some functions just yield the error. Sometimes the issue
is so bad all the pages load halfway.


I am about to throw myself out the window because I've tried for days to
look for a specific pattern for when the segmentation fault is
generated, but it is absolutely random. Sometimes my sites don't
generate the seg fault error but just log a 500 error without
further explanation. I have repeated this so many times that sometimes
it isn't even necessary to load the extensions; just the php5-core will
error.

Please advise!

Andres



Re: How to activate extensions after compiling php5 core and extensions? No instructions!

2009-08-06 Thread Andres Salazar
Aaron,

I suppose that according to the Makefile for the extensions all of
them should be enabled. I also suppose that the correct extension_dir
path for the modules to be placed in would be:

/var/www/lib/php/modules

However, this isn't the case. Where do I get the modules from to
activate them in the php.ini?

Thanks

Andres

On Wed, Aug 5, 2009 at 11:06 PM, Bryanbra...@gmail.com wrote:
 On Wed, Aug 5, 2009 at 20:25, Andres Salazarndrsslz...@gmail.com wrote:
 Hello,

 OpenBSD 4.5 stable

 I have done the following:

 cd /usr/ports/www/php5/core; make; make install;
 cd /usr/ports/www/php5/extensions; make; make install;

 That according to pkg_info installed:

 php5-core-5.2.10        server-side HTML-embedded scripting language
 php5-extensions-5.2.10  informational package about PHP5 extensions

 The instructions after finishing the extensions compiling said:

 --- php5-extensions-5.2.10 ---
 This is a place-holder package to inform you that the PHP port is
 now split into small sub-packages, designed to allow you to install
 modules independently of the main PHP engine.

 For example, to install the IMAP module, just pkg_add the
 php5-imap-5.2.10.tgz package and activate it using the
 'phpxs' command.


 I tried doing pkg_add php5-mysql-5.2.10.tar; however, that just tries to
 install it from the packages (and of course it won't because the
 packages offer 5.2.8), and then the phpxs command doesn't exist.

 What am I missing to actually finish the install of all the php5
 extensions?

 I believe the instructions are in the php-core package.  Back in the
 day, I would issue phpxs and the extension name to enable it... but
 I may be wrong...

 Regards,
 Bryan



How to activate extensions after compiling php5 core and extensions? No instructions!

2009-08-05 Thread Andres Salazar
Hello,

OpenBSD 4.5 stable

I have done the following:

cd /usr/ports/www/php5/core; make; make install;
cd /usr/ports/www/php5/extensions; make; make install;

That according to pkg_info installed:

php5-core-5.2.10        server-side HTML-embedded scripting language
php5-extensions-5.2.10  informational package about PHP5 extensions

The instructions after finishing the extensions compiling said:

--- php5-extensions-5.2.10 ---
This is a place-holder package to inform you that the PHP port is
now split into small sub-packages, designed to allow you to install
modules independently of the main PHP engine.

For example, to install the IMAP module, just pkg_add the
php5-imap-5.2.10.tgz package and activate it using the
'phpxs' command.


I tried doing pkg_add php5-mysql-5.2.10.tar; however, that just tries to
install it from the packages (and of course it won't because the
packages offer 5.2.8), and then the phpxs command doesn't exist.

What am I missing to actually finish the install of all the php5 extensions?

Thanks

Andres



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-28 Thread Andres Salazar
Hello Jason,

Thank you for assisting me getting this together..

I do understand that translation happens before filtering (at least I
think I do); what I don't understand is why the filtering is done with
pass in if traffic is actually going from within the int_if2 network
to the outside. Where is the traffic actually going in?

 pass in on $int_if2 inet proto udp from $int_if2:network to any \
   port 53

Thank you.

Andres

On Sun, Jul 26, 2009 at 6:36 PM, Jason Dixonja...@dixongroup.net wrote:
 On Sun, Jul 26, 2009 at 01:16:02PM -0500, Andres Salazar wrote:
 Hello Jason,

 I understood the purpose of allowing internet access for the firewall
 itself. However this is exactly where Iam still stuck.

 By doing this after our default block all:

 pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
 port { 53 80 22 443 }

 Iam actually allowing it for both $int_if and $int_if2 , thus the
following
 port restriction rules are not getting evaluated.

 In an effort to simplify your ruleset I was guilty of forgetting that
 translation happens before filtering.  Here is a new version that
 filters on the internal interfaces.  Let me know if you have any
 questions.


 ext_if = re1
 int_if = re0
 int_if2 = re2

 set skip on lo

 scrub in

 nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
   -> ($ext_if)
 nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
   -> ($ext_if)

 block all
 pass out on $ext_if

 pass in on $int_if inet proto tcp from $int_if:network to any \
   port { 53 80 }
 pass in on $int_if inet proto udp from $int_if:network to any \
   port 53
 pass in on $int_if2 inet proto tcp from $int_if2:network to any \
   port { 22 53 80 443 }
 pass in on $int_if2 inet proto udp from $int_if2:network to any \
   port 53


 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net/
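
An added note on the question above, not from the thread. A packet from a LAN host crosses the firewall twice: it is filtered inbound on the LAN interface it arrives on, with its real source address still visible, and again outbound on $ext_if after nat, where the source is already the firewall's own address. That is why per-LAN policy has to be a `pass in` on $int_if or $int_if2, why `set skip on { $int_if $int_if2 }` makes that policy impossible, and why a `pass out on $ext_if from ($ext_if)` rule cannot tell the two LANs, or the firewall itself, apart. The ruleset below is an added example in the 4.5-era syntax using the interface names from the thread; nothing else is assumed.

```pf
# Added example: per-LAN egress policy on a three-NIC firewall. LAN policy
# is enforced on the inbound leg, where the source is still the LAN host;
# the outbound leg on $ext_if only ever sees the nat'd address.
ext_if  = "re1"
int_if  = "re0"   # web and DNS only
int_if2 = "re2"   # web, DNS, https and ssh

set skip on lo    # not on the LAN interfaces: their inbound leg is the policy point
scrub in

nat on $ext_if inet from { $int_if:network, $int_if2:network } to any -> ($ext_if)

block log all
antispoof quick for { $int_if $int_if2 }

# Leg 1: LAN host -> firewall, inbound on the LAN interface. The state
# created here also passes the replies back out to the host.
pass in quick on $int_if  inet proto tcp from $int_if:network  to any port { 53 80 } keep state
pass in quick on $int_if  inet proto udp from $int_if:network  to any port 53 keep state
pass in quick on $int_if2 inet proto tcp from $int_if2:network to any port { 22 53 80 443 } keep state
pass in quick on $int_if2 inet proto udp from $int_if2:network to any port 53 keep state

# Leg 2: firewall -> upstream, outbound on $ext_if after nat. The source is
# ($ext_if) whether the packet came from a LAN or from the firewall itself,
# so this rule can only be as tight as the union of everything above plus
# what the firewall needs for itself (DNS and package fetches here).
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { 22 53 80 443 } keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to any port 53 keep state

# ICMP unreachables keep path MTU discovery working through the nat.
pass inet proto icmp all icmp-type { echoreq, unreach } keep state
```

Check it with `pfctl -nf /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` while a host on the $int_if network tries ssh somewhere: the attempt is logged as `block in on re0`, on the inbound leg, before nat ever sees it.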



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-26 Thread Andres Salazar
I apologize that my ruleset isn't very clear. I am trying to put together a
ruleset that will allow the following access:

Outbound port 80 (web) and 53 (domain) from users at $int_if via $ext_if
Outbound port 80 (web), 53 (domain), 443 (ssl) and 22 (ssh) from $int_if2
via $ext_if

Thank you for the help.

Andres



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-26 Thread Andres Salazar
Thank you for the help. I believe that I already tried something similar and
could not access the internet behind $int_if or $int_if2. Traffic is
getting blocked by block all as per the following pflog:

Jul 26 05:11:51.250502 rule 0/(match) block out on re1: 192.168.1.2.55533 > 190.40.3.10.53: 22454+[|domain] (DF)
Jul 26 05:11:51.407931 rule 0/(match) block out on re1: 192.168.1.2.63872 > 190.40.3.13.53: 37289+[|domain] (DF)
Jul 26 05:11:51.408132 rule 0/(match) block out on re1: 192.168.1.2.51104 > 190.40.3.13.53: 14850+[|domain] (DF)

192.168.1.2 is the IP of the firewall itself in relationship to $ext_if.

Additionally I tried the following:

block all

pass out on $ext_if

pass out log on $ext_if inet proto tcp from $int_if:network to any \
   port { 53 80 }
pass out log on $ext_if inet proto udp from $int_if:network to any \
   port 53
pass out log on $ext_if inet proto tcp from $int_if2:network to any \
   port { 22 53 80 443 }
pass out log on $ext_if inet proto udp from $int_if2:network to any \
   port 53


However, that way both $int_if and $int_if2 would have internet access but
the port restriction rulesets would not match.

I think there is some conflict between the rules and NAT: once the
packets are NATed, the firewall doesn't recognize the real source? I am
confused.

Thank you

Andres




On Sun, Jul 26, 2009 at 1:16 AM, Jason Dixon ja...@dixongroup.net wrote:

 On Sun, Jul 26, 2009 at 12:58:08AM -0500, Andres Salazar wrote:
  I apologize that my ruleset isn't very clear. I am trying to put together a
  ruleset that will allow the following access:
 
  Outbound port 80 (web) and 53 (domain) from users at $int_if via $ext_if
  Outbound port 80 (web), 53 (domain), 443 (ssl) and 22 (ssh) from $int_if2
  via $ext_if

 Here's a basic ruleset that meets your requirements.  Hasn't been tested
 for syntax.  Note that I make no effort to filter traffic between the
 two internal segments.  This would require a different approach (no set
 skip on internal if's, pass in on the internal if's explicitly).  There
 are also no pass out rules for traffic originating from the firewall
 itself, you'll probably want to add something for this.


 ext_if = re1
 int_if = re0
 int_if2 = re2

 set skip on { lo $int_if $int_if2 }

 scrub in

 nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
    -> ($ext_if)
 nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
    -> ($ext_if)

 block all
 pass out on $ext_if inet proto tcp from $int_if:network to any \
port { 53 80 }
 pass out on $ext_if inet proto udp from $int_if:network to any \
port 53
 pass out on $ext_if inet proto tcp from $int_if2:network to any \
port { 22 53 80 443 }
 pass out on $ext_if inet proto udp from $int_if2:network to any \
port 53


 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net/



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-26 Thread Andres Salazar
Hello Jason,

I understood the purpose of allowing internet access for the firewall
itself. However, this is exactly where I am still stuck.

By doing this after our default block all:

pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
port { 53 80 22 443 }

I am actually allowing it for both $int_if and $int_if2, thus the following
port restriction rules are not getting evaluated.

Full ruleset is here:

http://pastebin.com/d3f292c50


Andres



On Sun, Jul 26, 2009 at 12:32 PM, Jason Dixon ja...@dixongroup.net wrote:

 On Sun, Jul 26, 2009 at 12:14:53PM -0500, Andres Salazar wrote:
  Thank you for the help. I believe that I already tried something similar
  and could not access the internet behind $int_if or $int_if2. Traffic is
  getting blocked by block all as per the following pflog:
 
  Jul 26 05:11:51.250502 rule 0/(match) block out on re1: 192.168.1.2.55533 > 190.40.3.10.53: 22454+[|domain] (DF)
  Jul 26 05:11:51.407931 rule 0/(match) block out on re1: 192.168.1.2.63872 > 190.40.3.13.53: 37289+[|domain] (DF)
  Jul 26 05:11:51.408132 rule 0/(match) block out on re1: 192.168.1.2.51104 > 190.40.3.13.53: 14850+[|domain] (DF)
 
  192.168.1.2 is the IP of the firewall itself in relationship to $ext_if.

 To reiterate:

   There
   are also no pass out rules for traffic originating from the firewall
   itself, you'll probably want to add something for this.

 Add a pass rule for outbound traffic from the firewall itself.  Adjust
 for any additional services that it should be able to reach.

 pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port 53

 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net/



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-26 Thread Andres Salazar
Hello Patrick,

I also tried your approach, but in the end it behaves the same.
Without the pass out I don't have internet on either of the two
interfaces; with it I just have totally open ports on both of the
interfaces. The restrictive port rules are being ignored.

Any help is much appreciated.

Andres

On Sun, Jul 26, 2009 at 1:05 AM, patrick keshishian pkesh...@gmail.com wrote:
 On Sat, Jul 25, 2009 at 9:23 PM, Jason Dixonja...@dixongroup.net wrote:
 On Sat, Jul 25, 2009 at 09:41:45PM -0500, Andres Salazar wrote:
 Hello OpenBSD-misc,

 I have a newbie question in pf that I've been trying to debug on what would
 be wrong with my ruleset. I am trying to have the users that are on $int_if
 only have ports 80 and 52 opened out, and users on $int_if be able to have
 less restrictions and more ports out. So far I have something like this but
 it isn't working:

 Allow me to be the first to say RTFAQ.

 ext_if = re1
 int_if = re0
 int_if2 = re2


 set skip on lo

 scrub in

 nat on re1 from re0:network to any -> re1
 nat on re1 from re2:network to any -> re1

 block all
 pass quick on $ext_if // I have added this so that the firewall itself has
 full internet access
 #pass in quick on $int_if

 Here you're blocking all by default (inbound and outbound on all
 interfaces), but then you immediately pass quick (outbound *and*
 inbound) on your external interface.  Very wrong.

 pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any \
  port 53 keep state

 pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
  port 80 keep state

 Here you're passing outbound on your external interface for DNS and http
 traffic.  But a) you've already allowed everything on $ext_if so this is
 unnecessary, and b) you've never allowed any traffic from your internal
 interfaces.

 Honestly, I don't know *what* you're trying to accomplish because your
 description doesn't match anything in your ruleset.  Perhaps you can
 describe again what you're trying to do and what the differences are
 supposed to be between $int_if and $int_if2.

 I think he has a few typos in his email that cause confusion. I think
 what he wants is something like the following, which is not tested,
 and I know this is a copout, but I'm tired and should not be doing
 this:


 ----------------------------------------------------------------------
 ext_if = re1
 int_if = re0  # only ports 53 and 80 allowed out
 int_if2 = re2 # no restrictions on outbound traffic

 set skip on lo
 match in all scrub (no-df)  # XXX

 # XXX I do not use NAT so leaving this to the experts
 nat on re1 from re0:network to any -> re1
 nat on re1 from re2:network to any -> re1

 block all
 pass out
 pass in on $int_if2
 pass in log on $int_if inet proto { tcp, udp } from any to any port { 53, 80 }

\
--/

 He may need finer control over who from $int_if2 is allowed access to
 the firewall.

 --patrick
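To make the ordering point concrete, here is a small Python model of PF rule evaluation (an added example, not code from the thread): rules are checked top to bottom, the last match wins, and a "quick" match stops evaluation. It runs sample packets through Andres' ruleset and Patrick's suggestion; it evaluates each interface crossing on its own and ignores the state table.

```python
"""Toy model of PF rule ordering: last matching rule wins unless a
matching rule is 'quick'.  First-packet evaluation only; no state table."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out" relative to the interface
    iface: str              # interface the packet is crossing
    proto: str = "tcp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                            # "pass" or "block"
    direction: Optional[str] = None        # None matches both directions
    iface: Optional[str] = None            # None matches any interface
    protos: FrozenSet[str] = frozenset()   # empty set matches any protocol
    dports: FrozenSet[int] = frozenset()   # empty set matches any port
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and (not self.protos or p.proto in self.protos)
                and (not self.dports or p.dport in self.dports))

def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return the verdict PF would reach for packet p under `rules`."""
    verdict = "pass"                # PF passes when no rule matches at all
    for r in rules:
        if r.matches(p):
            verdict = r.action      # last match wins ...
            if r.quick:
                break               # ... unless that match is quick
    return verdict

TCP_UDP = frozenset({"tcp", "udp"})
# Andres' ruleset, macros expanded (ext_if=re1, int_if=re0, int_if2=re2)
ORIGINAL = [
    Rule("block"),                                   # block all
    Rule("pass", iface="re1", quick=True),           # pass quick on $ext_if
    Rule("pass", "out", "re1", TCP_UDP, frozenset({53}), quick=True),
    Rule("pass", "out", "re1", frozenset({"tcp"}), frozenset({80}), quick=True),
]
# Patrick's suggested ruleset
SUGGESTED = [
    Rule("block"),                                   # block all
    Rule("pass", "out"),                             # pass out
    Rule("pass", "in", "re2"),                       # pass in on $int_if2
    Rule("pass", "in", "re0", TCP_UDP, frozenset({53, 80})),  # $int_if: 53, 80 only
]

def compare(p: Packet) -> Tuple[str, str]:
    """Verdict under the original ruleset and under the suggested one."""
    return evaluate(ORIGINAL, p), evaluate(SUGGESTED, p)

if __name__ == "__main__":
    for p in (Packet("in", "re0", dport=80), Packet("in", "re0", dport=25),
              Packet("in", "re2", dport=25), Packet("in", "re1", dport=22),
              Packet("out", "re1", dport=443)):
        print(p, "original=%s suggested=%s" % compare(p))
```

Inbound traffic on re0 is blocked by the original ruleset whatever the port (no rule ever passes it), while the "pass quick on $ext_if" line lets anything in on re1.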



PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-25 Thread Andres Salazar
Hello OpenBSD-misc,

I have a newbie question in pf that I've been trying to debug on what would
be wrong with my ruleset. I am trying to have the users that are on $int_if
only have ports 80  52 opened out, and users on $int_if be able to have
less restrictions and more ports out. So far I have something like this but
it isn't working:

ext_if = re1
int_if = re0
int_if2 = re2


set skip on lo

scrub in

nat on re1 from re0:network to any -> re1
nat on re1 from re2:network to any -> re1

block all
pass quick on $ext_if  # added so that the firewall itself has full internet access
#pass in quick on $int_if


pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any \
 port 53 keep state

pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
 port 80 keep state


I appreciate the help...

Andres



Nagios package incomplete? Anybody got it working? OBSD 4.5

2009-07-21 Thread Andres Salazar
Hello,

I am using OBSD 4.5, and I tried to install Nagios nagios-3.0.6p1 (also
tried nagios-3.0.6p1-chroot) from packages.. and I've noticed that after the
install the WebGUI files are missing and there is no instruction whatsoever
if one should need to get these from somewhere else..? (the faq on
nagios.org also takes for granted that the install includes the files).

Seeing this failed, I also tried compiling from ports with no luck... the
/var/www/nagios is created and left empty.

What could it be that I am missing?

Thanks

Andres



Re: What kernel to use for a QuadProcesor, or Dual Xeon 3.0ghz

2009-07-11 Thread Andres Salazar
On Sat, Jul 11, 2009 at 1:54 AM, Jan-Erik Skata jesk...@gmail.com wrote

 Yes, you should use the SMP kernel on multicore CPUs as well. I have usually
 just moved /bsd.mp onto /bsd and rebooted.
 Otherwise only one CPU and/or core will be used.

Ok, however since this is Symmetric MultiProcessing then I wouldn't benefit
from running a mysql server because this is a single thread and it would
still only use one core, right?

Does OpenBSD support asymmetrical processing ?

Thank you

Andres



What kernel to use for a QuadProcesor, or Dual Xeon 3.0ghz

2009-07-10 Thread Andres Salazar
Hello community,

 I have two boxes:

Quad Core Processor with 4GB RAM
Dual Xeon 3.0 Ghz with 2GB of RAM


I have heard contradicting information as far as I can use both the MP and
the REGULAR kernel (i386 or amd64) and that both would give me the same
performance..

Isn't it true that if I apply the regular kernel on these boxes I would be
wasting CPU power? Per top it would only show one CPU.

Also.. is it better to use amd64 or i386.. or doesn't it matter?

Thank you.

Andres



Re: Letting FTP out through PF with a default block all

2009-05-29 Thread Andres Salazar
Hmm.. I am starting to think that ftp-proxy isn't possible with a default
block all in the pf.conf due to a BUG???


The PF FAQ at openbsd gives the example of ftp-proxy with "block in" and
"pass out all", which actually defeats the purpose of doing ftp proxy for
outgoing connections if you have free access to the outside!!


So at the end, can anybody share if they have gotten ftp-proxy to work with
block all?

Thanks
Andres

On Tue, May 26, 2009 at 5:51 PM, Andres Salazar ndrsslz...@gmail.com wrote:

 Hello,

 Before posting I acknowledge I have read the FAQ.. based on that this is my
 PF config:


 t_externa = re0

 set block-policy drop
 set loginterface $t_externa
 set limit states 10
 set limit frags 30
 set limit src-nodes 5
 set optimization aggressive

 set skip on lo0
 set debug urgent
 scrub in on $t_externa all
 scrub out on $t_externa all random-id

 nat-anchor ftp-proxy/*
 rdr-anchor ftp-proxy/*

 rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021





 block all

 anchor ftp-proxy/*

 antispoof quick for { lo }

 #SSH

 pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
port 22 flags S/SA modulate state


 ##DNS
 pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa)
 to any \
  port 53 keep state

 ##FTP
 pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
 port ftp flags S/SA modulate state

 pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
 port 8021 flags S/SA modulate state


 If I do block log all .. a tcpdump on pflog receives this:


 May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
 May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
 May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
 May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)

 58 is my IP, 129 is ftp.openbsd.org

 I have also made sure that ftp-proxy is running, if I do telnet localhost
 8021 I get:

 orion:~$telnet localhost 8021
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 Connection closed by foreign host.


 Which I think suggests that I am running it correctly.

 orion:~$telnet localhost 8021
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 Connection closed by foreign host.
 orion:~$telnet localhost 8021
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 Connection closed by foreign host.

 orion:~$telnet localhost 8021
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 Connection closed by foreign host

 My conclusion is that somehow the rdr part to port 8021 isn't taking place..
 so the communication isn't channeled to the proxy..?

 pfctl -s all reads:

 # pfctl -s all
 TRANSLATION RULES:
 nat-anchor ftp-proxy/* all
 rdr-anchor ftp-proxy/* all
 rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

 FILTER RULES:
 scrub in on re0 all fragment reassemble
 scrub out on re0 all random-id fragment reassemble
 block drop all
 anchor ftp-proxy/* all
 block drop in quick on ! lo inet from 127.0.0.0/8 to any
 block drop in quick on ! lo inet6 from ::1 to any
 block drop in quick inet6 from ::1 to any
 block drop in quick on lo0 inet6 from fe80::1 to any
 block drop in quick inet from 127.0.0.1 to any
 pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA
 modulate state
 pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags
 S/SA modulate state
 pass out quick on re0 inet proto tcp from (re0) to any port = domain flags
 S/SA keep state
 pass out quick on re0 inet proto udp from (re0) to any port = domain keep
 state
 pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags
 S/SA modulate state
 pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags
 S/SA modulate state
 No queue in use


 I have also started ftp-proxy with and without the -r flag.

 Thank you.

 Andres



Best supported Asterisk interface for OpenBSD?

2009-05-29 Thread Andres Salazar
I would like to ask the OBSD community if someone can recommend me a good
supported interface for Asterisk on OBSD.

I have heard that FreePBX is really a pain to configure because it assumes a
linux environment.

Please anybody share their experience?

Thank you.

Andres



Letting FTP out through PF with a default block all

2009-05-26 Thread Andres Salazar
Hello,

Before posting I acknowledge I have read the FAQ.. based on that this is my
PF config:

t_externa = re0

set block-policy drop
set loginterface $t_externa
set limit states 10
set limit frags 30
set limit src-nodes 5
set optimization aggressive

set skip on lo0
set debug urgent
scrub in on $t_externa all
scrub out on $t_externa all random-id

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021





block all

anchor ftp-proxy/*

antispoof quick for { lo }

#SSH

pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
   port 22 flags S/SA modulate state


##DNS
pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa)
to any \
 port 53 keep state

##FTP
pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
port ftp flags S/SA modulate state

pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
port 8021 flags S/SA modulate state


If I do block log all .. a tcpdump on pflog receives this:


May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)

58 is my IP, 129 is ftp.openbsd.org

I have also made sure that ftp-proxy is running, if I do telnet localhost
8021 I get:

orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.


Which I think suggests that I am running it correctly.

orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

orion:~$telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host

My conclusion is that somehow the rdr part to port 8021 isn't taking place..
so the communication isn't channeled to the proxy..?

pfctl -s all reads:

# pfctl -s all
TRANSLATION RULES:
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

FILTER RULES:
scrub in on re0 all fragment reassemble
scrub out on re0 all random-id fragment reassemble
block drop all
anchor ftp-proxy/* all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet from 127.0.0.1 to any
pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA
modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA
modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = domain flags
S/SA keep state
pass out quick on re0 inet proto udp from (re0) to any port = domain keep
state
pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA
modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags
S/SA modulate state
No queue in use


I have also started ftp-proxy with and without the -r flag.

Thank you.

Andres
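The pflog lines above carry the diagnostic signal themselves: every blocked packet hit rule 0, which per the pfctl -s all output is the "block drop all" rule, and the blocked flows are FTP data channels (inbound SYNs from the server's port 20, and an outbound SYN to an ephemeral port). When ftp-proxy handles a control session it installs pass rules for the data channels in its anchor, so data channels falling through to rule 0 suggest the control connection never reached the proxy. The following Python script is an added example (not from the thread) that parses pflog lines in this format and counts those indicators; the sample lines are copied from the post.

```python
"""Parse OpenBSD pflog/tcpdump lines and flag FTP data channels that fell
through to the default block rule.  Added example; sample copied from the post."""
import re
from collections import Counter
from typing import Dict, List

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>\S+)")

SAMPLE = """\
May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
"""

def parse(text: str) -> List[Dict]:
    """Return one dict per recognised pflog line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            ev = m.groupdict()
            for key in ("rule", "sport", "dport"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events

def classify(ev: Dict) -> str:
    """Label a blocked SYN by what kind of FTP traffic it looks like."""
    if ev["flags"] != "S":
        return "non-syn"
    if ev["dir"] == "in" and ev["sport"] == 20:
        return "active-ftp-data-in"     # server opening the data channel from port 20
    if ev["dir"] == "out" and ev["dport"] > 1023 and ev["dport"] not in (8021,):
        return "ephemeral-out"          # consistent with a passive-mode data channel
    return "other"

def summarize(text: str) -> Dict:
    """Count indicator labels and hits on rule 0 (the 'block drop all' rule)."""
    events = parse(text)
    return {
        "events": len(events),
        "labels": Counter(classify(e) for e in events),
        "default_rule_hits": sum(1 for e in events if e["rule"] == 0),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```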


