NFS mapall (OpenBSD 5.1)

2012-09-17 Thread Badbanchi, Hossein
Hi,
I have configured NFS on my server (10.17.170.126 OpenBSD 5.1).

Here is my /etc/exports:
/data/ftp/vsftpd/D01 -alldirs -mapall=ftpadm 10.16.128.129 10.16.10.175
(I have tested -maproot and/or without -alldirs, but I have experienced the
same problem).

Here is the directory:
# ls -l /data/ftp/vsftpd/ | grep D01
drwxr-xr-x   4 ftpadm  ftpadm  512 Sep 17 18:29 D01/

daemons start OK:
# /etc/rc.d/portmap start
portmap(ok)
# /etc/rc.d/mountd start
mountd(ok)
# /etc/rc.d/nfsd start
nfsd(ok)

I can mount the NFS share from both the Linux client (10.16.128.129) as well
as from an OpenBSD client (10.16.10.175).

I have two issues, which I will address the first one in this email. This is
about the Linux client.

My problem is that the -mapall=ftpadm doesn't seem to have any effect, or
maybe I have understood the role of this parameter wrongly!

On Linux I have mounted the NFS share with:
mount -t nfs -o rw,noatime,intr,soft,nosuid,nodev,vers=3,proto=udp,rsize=8192,wsize=8192 10.17.170.126:/data/ftp/vsftpd/D01 /mnt
(actually I have tested all combinations of mount options, but I have
experienced the same problem).

Here is the mounted filesystem on the Linux client:
# ls -l / | grep mnt
drwxr-xr-x   4 ftpadm ftpadm   512 Sep 17 18:29 mnt/

Now I can create files on the NFS share using the account ftpadm without any
problem. But using any other account (including root) it doesn't work:
# sudo -u ftpadm touch /mnt/t
# ls -l /mnt/t
-rw-r--r--  1 ftpadm ftpadm 0 Sep 17 19:29 /mnt/t
# sudo -u dns touch /mnt/t0
touch: cannot touch `/mnt/t0': Permission denied
# touch /mnt/t1
touch: cannot touch `/mnt/t1': Permission denied

Now if on the server I change the mode of the directory to be writeable by
all, the behavior is different.
On OpenBSD server:
# chmod o+w /data/ftp/vsftpd/D01
# ls -l /data/ftp/vsftpd/ | grep D01
drwxr-xrwx   4 ftpadm  ftpadm  512 Sep 17 19:18 D01/

After I umount on Linux client, restart all daemons on OpenBSD server, and
remount on Linux client, I see:
ls -l / | grep mnt
drwxr-xrwx   4 ftpadm ftpadm   512 Sep 17 19:18 mnt/

And I can write to the NFS share with any user (including root):
# sudo -u dns touch /mnt/t0
# ls -l /mnt/t0
-rw-r--r--  1 dns ftpadm 0 Sep 17 19:35 /mnt/t0
# touch /mnt/t1
# ls -l /mnt/t1
-rw-------  1 4294967294 ftpadm 0 Sep 17 19:35 /mnt/t1

With the ordinary user dns the owner of the file is set to the same user
account who has issued the command (i.e. dns), and with root the owner is
set to 4294967294 (which I think is the same as -2).

Both files have the group ftpadm.

Is this OK although the -mapall switch is in place in exports file?

Additional info:
umask of root is: 0077, and umask of dns is 0002
# umask
0077
# su - dns
$ umask
0002

What I am trying to achieve is that all files on the NFS server are created as
owned by ftpadm:ftpadm, irrespective of the account used on NFS client. I
thought this is possible using -mapall switch. Apparently I am missing
something here.

Thanks for your help.

Hossein Badbanchi
hossein.badban...@webasto.com
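The credential mapping this question is about, modelled as an added example (illustration code, not anything from the post or from OpenBSD). It parses the exports(5) line from the post, applies the -maproot/-mapall rules of exports(5) to the uid/gid a client sends with each request, runs the ordinary directory permission check, and derives the owner of a newly created file. The passwd table and its uids are constructed assumptions, and the user:group:group form of -mapall is not modelled. The unmapped branch reproduces what the post reports for the directory as first exported (mode 755, owned by ftpadm): dns stays dns, root becomes uid -2 (shown as 4294967294 on the Linux client), neither may write until the directory gets o+w, and every new file takes the directory's group ftpadm; with -mapall in effect every request would instead run as ftpadm.

```python
"""Model of how an OpenBSD NFS server applies the -maproot / -mapall options of
exports(5) to the uid/gid a client sends with each request (AUTH_SYS), and what
that means for permission checks and the owner of a newly created file.

Added illustration, not code from the mailing list post or from OpenBSD; the
passwd table below is constructed and its uids are assumptions."""
from typing import Dict, List, Optional, Tuple

Cred = Tuple[int, int]  # (uid, gid)

# uid -2 as an unsigned 32-bit value: the owner the Linux client displayed
# (4294967294) for the file root created on the unmapped export.
NOBODY = 2**32 - 2

# Constructed passwd entries: name -> (uid, primary gid). The numbers are made up.
PASSWD: Dict[str, Cred] = {
    "root": (0, 0),
    "ftpadm": (1001, 1001),
    "dns": (1002, 1002),
}


def parse_exports_line(line: str) -> Tuple[str, Dict[str, Optional[str]], List[str]]:
    """Split one exports(5) line into (path, options, hosts).

    Simplified: every token after the path that starts with '-' is an option
    (name or name=value); anything else is taken to be a host."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("-"):
        raise ValueError("an exports line must start with a path")
    opts: Dict[str, Optional[str]] = {}
    hosts: List[str] = []
    for tok in tokens[1:]:
        if tok.startswith("-"):
            name, _, value = tok[1:].partition("=")
            opts[name] = value or None
        else:
            hosts.append(tok)
    return tokens[0], opts, hosts


def _lookup(user: str) -> Cred:
    """Resolve the user named in -maproot/-mapall (a name or a numeric uid).
    The user:group:group... form is not modelled here."""
    if user.isdigit():
        return int(user), int(user)
    if user not in PASSWD:
        raise KeyError(f"unknown user {user!r}")
    return PASSWD[user]


def map_credentials(uid: int, gid: int, opts: Dict[str, Optional[str]]) -> Cred:
    """Credentials the server uses for a request that arrived with (uid, gid)."""
    if opts.get("mapall"):            # every client uid becomes the named user
        return _lookup(opts["mapall"])
    if uid == 0:                      # root is special-cased
        if opts.get("maproot"):
            return _lookup(opts["maproot"])
        return NOBODY, NOBODY         # default: root is squashed to uid/gid -2
    return uid, gid                   # everyone else keeps the uid/gid they sent


def may_write(cred: Cred, dir_mode: int, dir_uid: int, dir_gid: int) -> bool:
    """Classic owner/group/other check for creating an entry in a directory."""
    uid, gid = cred
    if uid == 0:                      # only a *mapped* uid of 0 bypasses the check
        return True
    if uid == dir_uid:
        return bool(dir_mode & 0o200)
    if gid == dir_gid:
        return bool(dir_mode & 0o020)
    return bool(dir_mode & 0o002)


def new_file_owner(cred: Cred, dir_gid: int) -> Cred:
    """Owner of a file created with cred. FFS gives a new file the group of its
    parent directory (BSD semantics), which is why every file in the thread
    ends up with group ftpadm no matter which uid created it."""
    return cred[0], dir_gid


if __name__ == "__main__":
    line = "/data/ftp/vsftpd/D01 -alldirs -mapall=ftpadm 10.16.128.129 10.16.10.175"
    path, opts, hosts = parse_exports_line(line)
    d01_uid, d01_gid = PASSWD["ftpadm"]
    d01_mode = 0o755                  # drwxr-xr-x, as first exported
    for name in ("dns", "root"):
        uid, gid = PASSWD[name]
        for label, o in (("with -mapall=ftpadm", opts), ("unmapped", {})):
            cred = map_credentials(uid, gid, o)
            print(f"{name:>5} {label:<20} uid/gid={cred} "
                  f"may_write(755)={may_write(cred, d01_mode, d01_uid, d01_gid)} "
                  f"owner={new_file_owner(cred, d01_gid)}")
```

Running it prints two rows per user: the mapped row is what -mapall=ftpadm is supposed to give, the unmapped row is what the Linux client observed. Because the server applies the map per export and per client address, the comparison is a quick way to tell whether a given mount is actually getting the mapped credentials.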



NIC is not recognized.

2008-02-11 Thread Badbanchi Hossein
Hi,
I am trying to install OpenBSD 4.2 on a HP Compaq dc7800. After the
installation is complete, ifconfig doesn't show any NICs other than lo0
and enc0.

The output of dmesg has a line:
vendor Intel, unknown product 0x10bd (class network subclass ethernet,
rev 0x02) at pci0 dev 25 function 0 not configured

Any idea what should I do next?

Regards,
H. Badbanchi


Webasto AG
Head Office: Stockdorf
Register of Companies: Munchen HRB 80078
Chairman of Supervisory Board: Werner Baier
Member of the Board: Franz-Josef Kortum (President), Dr. Holger Engelmann,
Dr.-Ing. Helmut Leube, Phillip A. Thompson



Shared library without SHARED_LIBS:

2006-11-07 Thread Badbanchi Hossein
Hi,
I use an application which needs mysql version < 4.1! My OpenBSD version
is 3.9 (which has mysql version 5).

Tried to install the 3.8 package. Didn't work since the 3.8 packages are
linked against 3.8 libraries.

Next installed 3.8 ports.tar.gz on my 3.9 OpenBSD, and tried make build
key=mysql-server-4.0.24p1.

The process stops by creating the mysql-client-4.0.24 package, with
the following message:
==
===>  Building package for mysql-client-4.0.24
Switching to /usr/ports/databases/mysql/pkg/PFRAG.shared
Shared library without SHARED_LIBS: @lib lib/libmysqlclient.so.12.0
Shared library without SHARED_LIBS: @lib lib/libmysqlclient_r.so.12.0
Shared library without SHARED_LIBS: @lib
lib/mysql/libmysqlclient.so.12.0
Shared library without SHARED_LIBS: @lib
lib/mysql/libmysqlclient_r.so.12.0
===>  Cleaning for mysql-client-4.0.24
rm -f /usr/ports/packages/i386/all/mysql-client-4.0.24.tgz
*** Error code 1

Stop in /usr/ports/databases/mysql (line 1956 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/databases/mysql (line 1232 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports (line 108 of
/usr/ports/infrastructure/mk/bsd.port.subdir.mk).
==

Have tried all I could think of, and have done much googling, but no
chance.

From the list of what I have already tried:
1) Added 
#SHARED_LIBS= ???
to /usr/ports/infrastructure/templates/Makefile.template.

2) Added
SHARED_LIBS=mysqlclient 12.0 \
mysqlclient_r   12.0
to /usr/ports/databases/mysql/Makefile.

3) Added
USE_LIBTOOL=Yes
to /usr/ports/databases/mysql/Makefile.


I appreciate any help/hint.

Regards,
H. Badbanchi



Re: Shared library without SHARED_LIBS:

2006-11-07 Thread Badbanchi Hossein
Just a correction:
Build works OK. It is the install (make install
key=mysql-server-4.0.24p1) which produces the error!

Regards,
H. Badbanchi




Re: Broadcom BCM5752 NIC

2006-02-06 Thread Badbanchi Hossein
Thanks everybody for helpful hints.

Dear Brad,
This morning downloaded the latest i386 snapshot and installed it.

Although I still get the error message "firmware handshake timed out", after
the machine boots the NIC speed is OK.

Thanks for your engagement.

Regards,
Amir



Re: Broadcom BCM5752 NIC

2006-02-03 Thread Badbanchi Hossein
:28:20 susrocdns2 savecore: no core dump

Regards,
Amir


-Original Message-
From: Brad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 02, 2006 23:28
To: Badbanchi Hossein
Subject: Re: Broadcom BCM5752 NIC

Ok thanks. I think another developer mentioned something similar to this awhile 
ago.
As I had asked earlier, please try a snapshot and let me know how it goes.


On Thu, Feb 02, 2006 at 11:24:01PM +0100, Badbanchi Hossein wrote:
 I saw this message from both the kernel on the CD during installation AND 
 after booting from the installed kernel on the disk.
 
 Here is my messages file:
 Feb  2 05:13:11 susrocdns1 syslogd: restart
 Feb  2 05:13:11 susrocdns1 /bsd: syncing disks...
 Feb  2 05:13:11 susrocdns1 /bsd: OpenBSD 3.8 (RAMDISK_CD) #794: Sat Sep 10 
 15:58:32 MDT 2005
 Feb  2 05:13:11 susrocdns1 /bsd: [EMAIL 
 PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
 Feb  2 05:13:11 susrocdns1 /bsd: cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz 
 (GenuineIntel 686-class) 3 GHz
 Feb  2 05:13:11 susrocdns1 /bsd: cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,EST,CNXT-ID
 Feb  2 05:13:11 susrocdns1 /bsd: real mem  = 527863808 (515492K)
 Feb  2 05:13:11 susrocdns1 /bsd: avail mem = 475762688 (464612K)
 Feb  2 05:13:11 susrocdns1 /bsd: using 4278 buffers containing 26497024 bytes 
 (25876K) of memory
 Feb  2 05:13:11 susrocdns1 /bsd: mainbus0 (root)
 Feb  2 05:13:11 susrocdns1 /bsd: bios0 at mainbus0: AT/286+(b0) BIOS, date 
 05/18/05, BIOS32 rev. 0 @ 0xeb660
 Feb  2 05:13:11 susrocdns1 /bsd: pcibios0 at bios0: rev 2.2 @ 0xeb660/0x49a0
 Feb  2 05:13:11 susrocdns1 /bsd: pcibios0: PCI IRQ Routing Table rev 1.0 @ 
 0xf5680/240 (13 entries)
 Feb  2 05:13:11 susrocdns1 /bsd: pcibios0: PCI Interrupt Router at 000:31:0 
 (Intel 82801GB LPC rev 0x00)
 Feb  2 05:13:11 susrocdns1 /bsd: pcibios0: PCI bus #3 is the last bus
 Feb  2 05:13:11 susrocdns1 /bsd: bios0: ROM list: 0xc/0xaa00! 
 0xcaa00/0x1000 0xcba00/0x1800 0xe8c00/0x7400!
 Feb  2 05:13:11 susrocdns1 /bsd: cpu0 at mainbus0
 Feb  2 05:13:11 susrocdns1 /bsd: pci0 at mainbus0 bus 0: configuration mode 1 
 (no bios)
 Feb  2 05:13:11 susrocdns1 /bsd: pchb0 at pci0 dev 0 function 0 Intel 
 82945GP rev 0x02
 Feb  2 05:13:11 susrocdns1 /bsd: vga1 at pci0 dev 2 function 0 vendor 
 Intel, unknown product 0x2772 rev 0x02
 Feb  2 05:13:11 susrocdns1 /bsd: wsdisplay0 at vga1 mux 1: console (80x25, 
 vt100 emulation)
 Feb  2 05:13:11 susrocdns1 /bsd: vendor Intel, unknown product 0x2776 
 (class display subclass miscellaneous, rev 0x02) at pci0 dev 2 function 1 not 
 configured
 Feb  2 05:13:11 susrocdns1 /bsd: Intel 82801GB HD Audio rev 0x01 at pci0 
 dev 27 function 0 not configured
 Feb  2 05:13:11 susrocdns1 /bsd: ppb0 at pci0 dev 28 function 0 Intel 
 82801GB PCIE rev 0x01
 Feb  2 05:13:11 susrocdns1 /bsd: pci1 at ppb0 bus 1
 Feb  2 05:13:11 susrocdns1 /bsd: ppb1 at pci0 dev 28 function 1 Intel 
 82801GB PCIE rev 0x01
 Feb  2 05:13:11 susrocdns1 /bsd: pci2 at ppb1 bus 2
 Feb  2 05:13:11 susrocdns1 /bsd: bge0 at pci2 dev 0 function 0 Broadcom 
 BCM5752 rev 0x01, BCM5752 A1 (0x6001): irq 10bge0: firmware handshake timed 
 out
 Feb  2 05:13:11 susrocdns1 /bsd:  address 00:15:60:4f:22:e4
 Feb  2 05:13:11 susrocdns1 /bsd: brgphy0 at bge0 phy 1: BCM5752 
 10/100/1000baseT PHY, rev. 0
 Feb  2 05:13:11 susrocdns1 /bsd: uhci0 at pci0 dev 29 function 0 Intel 
 82801GB USB rev 0x01: irq 5
 Feb  2 05:13:11 susrocdns1 /bsd: usb0 at uhci0: USB revision 1.0
 Feb  2 05:13:11 susrocdns1 /bsd: uhub0 at usb0
 Feb  2 05:13:11 susrocdns1 /bsd: uhub0: Intel UHCI root hub, rev 1.00/1.00, 
 addr 1
 Feb  2 05:13:11 susrocdns1 /bsd: uhub0: 2 ports with 2 removable, self powered
 Feb  2 05:13:11 susrocdns1 /bsd: uhci1 at pci0 dev 29 function 1 Intel 
 82801GB USB rev 0x01: irq 10
 Feb  2 05:13:11 susrocdns1 /bsd: usb1 at uhci1: USB revision 1.0
 Feb  2 05:13:11 susrocdns1 /bsd: uhub1 at usb1
 Feb  2 05:13:11 susrocdns1 /bsd: uhub1: Intel UHCI root hub, rev 1.00/1.00, 
 addr 1
 Feb  2 05:13:11 susrocdns1 /bsd: uhub1: 2 ports with 2 removable, self powered
 Feb  2 05:13:11 susrocdns1 /bsd: uhci2 at pci0 dev 29 function 2 Intel 
 82801GB USB rev 0x01: irq 11
 Feb  2 05:13:11 susrocdns1 /bsd: usb2 at uhci2: USB revision 1.0
 Feb  2 05:13:11 susrocdns1 /bsd: uhub2 at usb2
 Feb  2 05:13:11 susrocdns1 /bsd: uhub2: Intel UHCI root hub, rev 1.00/1.00, 
 addr 1
 Feb  2 05:13:11 susrocdns1 /bsd: uhub2: 2 ports with 2 removable, self powered
 Feb  2 05:13:11 susrocdns1 /bsd: uhci3 at pci0 dev 29 function 3 Intel 
 82801GB USB rev 0x01: irq 11
 Feb  2 05:13:11 susrocdns1 /bsd: usb3 at uhci3: USB revision 1.0
 Feb  2 05:13:11 susrocdns1 /bsd: uhub3 at usb3
 Feb  2 05:13:11 susrocdns1 /bsd: uhub3: Intel UHCI root hub, rev 1.00/1.00, 
 addr 1
 Feb  2 05:13:11 susrocdns1 /bsd: uhub3: 2 ports with 2 removable, self powered
 Feb  2 05:13:11 susrocdns1 /bsd: ehci0 at pci0 dev 29 function 7 Intel 
 82801GB USB rev

Re: Broadcom BCM5752 NIC

2006-02-03 Thread Badbanchi Hossein
Hi,
I did exactly as you have written. I even reinstalled from scratch using the
snapshot I had downloaded last night.

Both during the installation AND after a boot from the installed kernel I get
the same error message, but the time it takes to time out is much less now.

The same error message can be seen also when after the boot the OS tries to
initialize the NIC with appropriate IP parameters.

Good news is that afterwards the NIC works at normal speed!!

Regards,


-Original Message-
From: Srebrenko Sehic [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 03, 2006 14:05
To: Badbanchi Hossein
Cc: misc
Subject: Re: Broadcom BCM5752 NIC

On 2/3/06, Badbanchi Hossein [EMAIL PROTECTED] wrote:

 Hi,
 This morning I installed the kernel from the snapshot.

 The only (cosmetic) difference is that the time-out values are reduced, so
 it doesn't take that long as before for the system to boot, but
 the BCM5752 NIC is still not functioning properly!

Ok. Try this. Power-off you machine, unplug the cable from the network
card and boot the machine with the latest -current snapshot. Look for
firmware handshake error message.

It seems like that Broadcom network cards, if not initialized properly
(this could've happened when you booted 3.8), have to be
re-initialized properly in order to function again. This happened on
my IBM e326m and the above approach solved the problem.



Re: Broadcom BCM5752 NIC

2006-02-03 Thread Badbanchi Hossein
 Either continue with today updates, or wait a few more days for a new 
 snapshot, but the fixes are NOT in the snapshot you installed.
 Trust me!
 Brad fixed them all and it is fast! But not in the snapshot yet, sorry.

Thanks for the clue.

I just looked at the snapshot directory and the file dates are still
30/1/2006 except the x...tgz files which I do not install at all.

I suppose I have to wait a couple of days until the snapshot is updated,
because I have never compiled a kernel myself.

Regards,
Amir



Broadcom BCM5752 NIC

2006-02-02 Thread Badbanchi Hossein
Hi,
Have recently got an HP Compaq dc7600 to be used as DHCP Server.

OpenBSD 3.8 install couldn't properly work with the Broadcom BCM5752 NIC!

The Error says: 
bge0: firmware handshake timed out

After installation was complete, now each time I reboot the system it takes a
long time for the system to boot. It waits during initial boot and a second
time while trying to configure the NIC with IP parameters, until it times out
(both times with the same error as above).

After the boot process is complete the NIC works!! I mean I can ping the box.
I haven't tested the throughput of the NIC though.

Here is an excerpt from dmesg:
# dmesg | grep bge
bge0 at pci2 dev 0 function 0 Broadcom BCM5752 rev 0x01, BCM5752 A1 (0x6001): 
irq 10bge0: firmware handshake timed out
brgphy0 at bge0 phy 1: BCM5752 10/100/1000baseT PHY, rev. 0
bge0: firmware handshake timed out
# 

And here is an excerpt from man brgphy:
DESCRIPTION
 The brgphy driver supports Broadcom BCM5400 100/1000TX Ethernet PHY in-
 terfaces, as well as the BCM5401, BCM5411, BCM5421S, BCM5701, BCM5703,
 BCM5704, BCM5705, BCM5714, BCM5750 and BCM5752 10/100/1000baseTX Ethernet
 PHY interfaces.

I would greatly appreciate any help.

Amir



Re: MAC filter Bridge

2006-02-02 Thread Badbanchi Hossein
Thanks for the clue. I will sure have a closer look at authpf.

By the way I am also having a look at:
http://acs-wiki.andrew.cmu.edu/twiki/bin/view/NGCoverage/AuthBridge and
http://netpass.sourceforge.net/ 
(http://wings.buffalo.edu/computing/Documentation/gen/UBNetPass.html)

Even commercial products like CounterAct from ForeScout and the like.

Amir



-Original Message-
From: Tobias Weingartner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 02, 2006 20:40
To: Badbanchi Hossein
Cc: misc@openbsd.org
Subject: Re: MAC filter Bridge 

On Wednesday, February 1, Badbanchi Hossein wrote:
  Basing security policies on something as easily changable as a MAC
  address (and as public as a MAC address) is stupid. 
 
 Thanks for the complement.

You're welcome.  Honestly though, what would you call it?

 Although this might seem (or actually BE) stupid in environments
 publicly accessible, but for a closed environment like our company
 LAN, this is good enough.  Here I don't want to protect the LAN
 against the extreme hacker, but against our legitimate guests who come
 to visit someone or take part in some meeting, and simply open their
 laptop and connect the NIC to the nearest free LAN socket.  This
 could be because they want to download the latest PowerPoint file for
 their presentation!

 Our policy is to provide Internet Access to our guests (of course
 while logging every activity), but we need to first distinguish them
 in order to provide them with at least an initial AUP (Acceptable
 User Policy), or even scan the machine for vulnerabilities and the
 like.

And who's to say they actually read the AUP?  Personally I'd do it
slightly different.

1) Mac-lock the switch ports of the machines that are supposed to be
connected permanently.  (Yes, not perfect, but what can you do...)

2) vlan the ports that are plug-and-play to their own vlan

3) Use authpf to authenticate them, at least then you can ply them
with your AUP before they accept (type a password).  It will be a
lot less implied, but an active action taken on their part.


  Rethink your approach.

 Other approaches like 802.1x is also known to me. But our need is more
 modest .

Have a look at authpf.  It's not the end-all be-all, but it does solve a
lot of problems in a very elegant fashion.

--Toby.



Re: Broadcom BCM5752 NIC

2006-02-02 Thread Badbanchi Hossein
Actually the NIC doesn't work properly. I can ssh to the box, but even output of
a simple ls command takes seconds to appear on the screen, and gets interrupted
in between.

Does anyone know of any patch for this?

Here is the output of ifconfig:
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:15:60:4f:22:e4
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.22.11.235 netmask 0xfffffc00 broadcast 172.22.11.255
inet6 fe80::215:60ff:fe4f:22e4%bge0 prefixlen 64 scopeid 0x1
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536

Thanks for any assistance.

Amir




MAC filter Bridge

2006-02-01 Thread Badbanchi Hossein
Hi,
I am trying to implement a MAC filter, based on OpenBSD Bridging facilities.

One can read in BRCONFIG(8) man page:
 rule [rulespec]
 Add a filtering rule to an interface.  Rules have a similar syn-
 tax to those in pf.conf(5).  Rules can be used to selectively
 block or pass frames based on Ethernet MAC addresses.  They can
 also tag packets for pf(4) to filter on.  Rules are processed in
 the order in which they were added to the interface, and the
 first rule matched takes the action (block or pass) and, if giv-
 en, the tag of the rule.  If no source or destination address is
 specified, the rule will match all frames (good for creating a
 catchall policy).

What is bothering me is the sentence:
Rules are processed in the order in which they were added to the interface,
and the first rule matched takes the action ...

Does this really mean that no hash function is used? I mean if I have 2
MAC Addresses and want to check **each packet** against this list serially, 
I suppose I had better forget about it! 

Thanks for any ideas and/or experiences to share.

Regards,
Amir



Re: MAC filter Bridge

2006-02-01 Thread Badbanchi Hossein
Hi,
 An alternative approach might be to turn off learning and discovery on the
 interface and add MAC addresses that are allowed to communicate statically.
As a matter of fact I can add MACs supposed to be reached from each interface
of the bridge, at the same time I update Bridge Rules. But this wouldn't be a 
(source-)MAC based filter any more!

I intend to switch the traffic originating from unknown MACs to a quarantine
subnet, connected to a third interface member of the bridge.

I-----I   I--------I   I------------------I
I LAN I---I Bridge I---I Protected subnet I
I-----I   I--------I   I------------------I
               I
               I
          I------------I
          I quarantine I
          I   subnet   I
          I------------I

I don't think your proposal would help.

I suppose I have to have a look at other Bridge implementations!

Regards,
Amir



Re: MAC filter Bridge

2006-02-01 Thread Badbanchi Hossein
 Don't you already have problems if you have 20,000 nodes communicating on
 one flat broadcast domain already?

OK. I was exaggerating! I have a little more than 2100 MACs.

But even with this number, a sequential search doesn't seem to be acceptable.

Regards,
Amir



Re: MAC filter Bridge

2006-02-01 Thread Badbanchi Hossein
 Basing security policies on something as easily changable as a MAC
 address (and as public as a MAC address) is stupid. 
Thanks for the complement.

Although this might seem (or actually BE) stupid in environments publicly 
accessible,
but for a closed environment like our company LAN, this is good enough.
Here I don't want to protect the LAN against the extreme hacker, but against
our legitimate guests who come to visit someone or take part in some meeting,
and simply open their laptop and connect the NIC to the nearest free LAN socket.
This could be because they want to download the latest PowerPoint file for their
presentation! 

Our policy is to provide Internet Access to our guests (of course while logging
every activity), but we need to first distinguish them in order to provide them
with at least an initial AUP (Acceptable User Policy), or even scan the machine
for vulnerabilities and the like.

 Rethink your approach.
Other approaches like 802.1x is also known to me. But our need is more modest.

Regards,
Amir



MAC based rules in Bridge config

2006-01-24 Thread Badbanchi Hossein
Hi,
In patched Linux versions, one can add or remove MAC based filter rules from 
the interfaces taking part in a bridge.

In OpenBSD (according to the man page of brconfig(8)) one can add rules, but 
there is no (documented) way to delete rules!

In order to delete a certain rule, the only possibility is to flushrule the 
interface, and add all MAC based rules (except the one you want to delete) 
again.

Is my understanding correct?

This doesn't seem to be productive! Isn't there any solution or workaround or 
patch for this?

Thanks for any help.

Regards,
H. Badbanchi



Re: MAC based rules in Bridge config

2006-01-24 Thread Badbanchi Hossein
Thanks Paul,
I will have to take a similar approach, I am afraid. (I will use
/sbin/brconfig bridge0 rulefile filename instead of the for loop.)

But it would be very nice if one could remove single entries!

Regards,
Amir



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Wittmayer
Sent: Tuesday, January 24, 2006 12:58
To: Badbanchi Hossein
Cc: misc@openbsd.org
Subject: Re: MAC based rules in Bridge config

Hi,

i've listed all allowed MACs in a File and if one MAC changes i'll edit the 
file and reload the Bridge-Rules by following script:

#! /bin/sh
# Drop every rule currently attached to fxp0 (brconfig has no per-rule delete),
# then add one pass+tag rule per address listed in macs.allow.
/sbin/brconfig bridge0 flushrule fxp0

for i in `cat macs.allow`;
do /sbin/brconfig bridge0 rule pass in on fxp0 src "$i" tag ok;
done

Paul


-- 

Kind regards,

Paul Wittmayer



Re: pf by mac address?

2006-01-24 Thread Badbanchi Hossein
Hi,
If you don't want the hostile users know that you are shaping their packets 
in the way to Internet, you might want to make use of the Bridge facilities in 
OpenBSD.

There you can tag the packets merely based on their MAC, and then in higher 
layers have pf deal with those packets as you wish!

Regards,
Amir


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Benfell
Sent: Monday, January 23, 2006 06:09
To: misc@openbsd.org
Subject: pf by mac address?

Hello all,

Perhaps I'm looking for this the wrong way.  My local network now (and
hopefully temporarily) includes hostile users.  I may need to exercise
controls on their Internet usage by machine.

Now, I can certainly tell dhcpd to give certain machines certain IP
addresses by reference to their MAC address.  But that won't stop
these users from allocating their own IP address and essentially
bypassing dhcpd.

The environment includes a lot of wireless -- most users connect this
way.

So I'm thinking I'd like to be able to write packet filter rules based
on MAC address.  I'm not necessarily going to want to simply cut off
all their Internet access, but pf offers a lot of options to do what I
think I might want to do, if I can make rules by MAC address.  Traffic
shaping and additional rules about what ports they can access come to
mind.  Possibly other possibilities will come to your mind --
hopefully you see what I'm thinking.

Is it possible?

-- 
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/



Trunks Bridges

2005-11-09 Thread Badbanchi Hossein
Hi,
Can someone please shed some light on the interoperability of
the new trunk facility of 3.8 with the bridge functionality.

In other words can we group bridged interfaces in trunks to
achieve throughput enhancements?

Thanks and Regards,
H. Badbanchi



Re: Trunks Bridges

2005-11-09 Thread Badbanchi Hossein
 Trunking does not yet support link aggregation, or failover.
 So, no not yet.

Thanks for the clear answer. Specially for mentioning the failover case.

Regards,
H. Badbanchi



Bridge with three IFs

2005-11-07 Thread Badbanchi Hossein
Hi list!
I sent the following email on Saturday. 
Just thought maybe it was because of weekend that I got no feedback!
Will try my luck one last time, and already apologize for this.

Hi,
I want to implement an OpenBSD based bridge with three interfaces (and a fourth 
one only for management access).

The bridge should dispatch the incoming traffic on eth0 to either eth1 or eth2 
based on the MAC Address of the ingress packet. If the sender's MAC address is 
**known** (already entered in a certain table) then it should be sent out via 
eth1 to its real destination, and otherwise it should go out through eth2 to 
its real destination OR to a predefined/fixed destination based on 
protocol/port!

I have searched Internet, but there you find mostly tiresome discussions about 
MAC Filtering not being enough, rather than how to implement this not enough 
technique!

Can anyone provide me with a working configuration which could help in defining 
appropriate rules for the above scenario.

I don't know if everything can be done in pf.conf alone, or there should be 
some additional rules (with brconfig) tagging packets to be later appropriately 
handled by pf?

Thanks already for any help.

Regards,
H. Badbanchi



Bridge with three IFs

2005-11-05 Thread Badbanchi Hossein
Sorry to re-send this email. My first email was sent before my subscription was 
complete! So I couldn't receive any answer (if any).
Hi,
I want to implement an OpenBSD based bridge with three interfaces (and a fourth 
one only for management access).

The bridge should dispatch the incoming traffic on eth0 to either eth1 or eth2 
based on the MAC Address of the ingress packet. If the sender's MAC address is 
**known** (already entered in a certain table) then it should be sent out via 
eth1 to its real destination, and otherwise it should go out through eth2 to 
its real destination OR to a predefined/fixed destination based on 
protocol/port!

I have searched Internet, but there you find mostly tiresome discussions about 
MAC Filtering not being enough, rather than how to implement this not enough 
technique!

Can anyone provide me with a working configuration which could help in defining 
appropriate rules for the above scenario.

I don't know if everything can be done in pf.conf alone, or there should be 
some additional rules (with brconfig) tagging packets to be later appropriately 
handled by pf?

Thanks already for any help.

Regards,
H. Badbanchi



Bridge with three IFs

2005-11-04 Thread Badbanchi Hossein
Hi,
I want to implement an OpenBSD based bridge with three interfaces (and a fourth 
one only for management access).

The bridge should dispatch the incoming traffic on eth0 to either eth1 or eth2 
based on the MAC Address of the ingress packet. If the sender's MAC address is 
**known** (already entered in a certain table) then it should be sent out via 
eth1 to its real destination, and otherwise it should go out through eth2 to 
its real destination OR to a predefined/fixed destination based on 
protocol/port!

I have searched Internet, but there you find mostly tiresome discussions about 
MAC Filtering not being enough, rather than how to implement this not enough 
technique!

Can anyone provide me with a working configuration which could help in defining 
appropriate rules for the above scenario.

I don't know if everything can be done in pf.conf alone, or there should be 
some additional rules (with brconfig) tagging packets to be later appropriately 
handled by pf?

Thanks already for any help.

Regards,
H. Badbanchi
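The brconfig(8) tagging approach that this question asks about, and that the reload script posted earlier in the thread implements with a for loop, as an added example (not code from the thread, from Paul's script or from OpenBSD). It turns a MAC allow-list into a rulefile for brconfig: one pass+tag rule per known source address, followed by an address-less catch-all rule that tags every other frame, so pf can tell the two classes apart with its tagged keyword and steer the unknown class toward the quarantine segment. Assumed names: bridge0, fxp0 as the ingress interface, the tags "known" and "unknown", and the rulefile path /etc/bridge.rules; the allow-list addresses are constructed.

```python
"""Generate a brconfig(8) rulefile from a MAC allow-list, with validation,
duplicate removal and an explicit catch-all rule, then emit the brconfig
commands that replace the rule set on the bridge interface.

Added example, not code from the mailing list thread or from OpenBSD. Assumed
names: bridge0, the ingress interface fxp0, the tags "known"/"unknown" and the
rulefile path; the MAC addresses in the sample list are made up."""
import re
from typing import Iterable, List

_MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; return lower-case colon form."""
    mac = raw.strip().lower().replace("-", ":")
    if not _MAC.fullmatch(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def parse_mac_list(text: str) -> List[str]:
    """One MAC per line; '#' starts a comment; blank lines and repeats are dropped.
    A bad line aborts with its line number rather than silently loading a short list."""
    macs: List[str] = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        try:
            mac = normalize_mac(body)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if mac not in seen:
            seen.add(mac)
            macs.append(mac)
    return macs


def build_rulefile(macs: Iterable[str], ifname: str,
                   known_tag: str = "known", catchall_tag: str = "unknown") -> List[str]:
    """Rules in the syntax of brconfig's 'rule' command, one per line.
    Rules are matched in order and the first match wins (brconfig(8)), so the
    address-less catch-all that tags everything else must be the last line."""
    rules = [f"pass in on {ifname} src {mac} tag {known_tag}" for mac in macs]
    rules.append(f"pass in on {ifname} tag {catchall_tag}")
    return rules


def reload_commands(bridge: str, ifname: str, rulefile: str) -> List[str]:
    """The two brconfig invocations that replace the rule set: brconfig has no
    per-rule delete, so the interface's rules are flushed and the file reloaded."""
    return [
        f"brconfig {bridge} flushrule {ifname}",
        f"brconfig {bridge} rulefile {rulefile}",
    ]


if __name__ == "__main__":
    # Constructed allow-list in the format parse_mac_list() expects.
    MACS_ALLOW = """\
    00:11:22:33:44:55   # printer
    AA-BB-CC-DD-EE-FF   # lab laptop, dash form
    00:11:22:33:44:55   # duplicate, dropped
    """
    rules = build_rulefile(parse_mac_list(MACS_ALLOW), "fxp0")
    print("\n".join(rules))            # write this to the rulefile path
    print("\n".join(reload_commands("bridge0", "fxp0", "/etc/bridge.rules")))
```

On the pf side, filter on the tags (pass what is tagged known, handle tagged unknown as quarantine traffic) and block anything that carries no tag at all: between the flushrule and the rulefile load the interface has no rules, and frames forwarded during that window reach pf untagged, so a policy that only passes tagged frames fails closed instead of open.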