Re: It is 2010. Still no >3GB support by default?

2010-06-08 Thread Chris Cameron
On Mon, Jun 7, 2010 at 9:32 PM, VICTOR TARABOLA CORTIANO  wrote:
>
> Most people that have those big amounts of memory don't use their
> PCs full potential. CPU is mostly idle, etc. Also they don't
> realize how big those amounts of memory are...
>
> Also there is the environment problem, too many good computers
> thrown away because of mere fashion...
>
>
When questions of OpenBSD's shortcomings come around, it seems legions of
OpenBSD apologetics leap out of the woodwork. My favourite instance was
someone asking about rate-limiting in PF (which at the time didn't exist),
and him being thoroughly berated because that wasn't the job of the
firewall! That's the job of the daemon running the service. Shortly after
someone implemented rate-limiting in PF, and it was touted as PF's
awesomeness, now enhanced.

Or how much better using a VPN over your WEP protected AP is rather than
using WPA2. But really, the fact is, OpenBSD doesn't (didn't?) support WPA2.


People waxing on about how unnecessary they think >4GB of RAM is, seems
about par for the course. But I believe it to be equally ridiculous. Where I
work, we have databases that would gladly use as much RAM as you could throw
at them. Memcached, which does its job all the better with >4GB, and many
many PHP utilizing webservers with a metric tonne of modules. Inefficient in
CPU and memory use, yes, but we can't afford to pay our web developers to
write our site in C. But why stop at C? How inefficient when compared to
hand-tuned assembly?!

I'm not complaining about what OpenBSD can or can't do. I'm just saying that
telling people what their needs are is rather insulting. I imagine they'd
just like to use their favourite OS in more places.


Chris



Post-intrusion forensics

2008-05-08 Thread Chris Cameron
For our Windows/Solaris/Linux servers, we've had PWC say that they're
qualified and able to do post-intrusion forensics on our server(s).
I'm told this will go a long way in making everyone in our company as
well as our customers feel better. Partly because it's an outside
party verification of what happened, and partly because everyone knows
PWC.

What PWC won't do for us is OpenBSD forensics; and thus the reason for
this email. Does anyone know of a company that does this? We like big
names, but management seems to understand that that isn't always
possible with OpenBSD.


Any help would be appreciated.

Chris



Intel Gigabit VT Quad NIC support

2008-01-16 Thread Chris Cameron
I made a mistake and bought a couple Dell servers with Intel "VT" NICs. 
These aren't recognized by 4.2, and the January 15th Snapshot seems to 
recognize them, but they're marked as "not configured".


So, in the most humble way I possibly can, (without any hint of "demand" 
I hope) can someone tell me what my situation is with these cards? Do I 
have a card that I just need to sit on for a few more months? Or is this 
a "done when it's done" situation?



Thank you,

Chris


OpenBSD 4.2-current (GENERIC) #649: Tue Jan 15 11:57:08 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU 5110 @ 1.60GHz ("GenuineIntel" 686-class) 
1.60 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR

real mem  = 1068400640 (1018MB)
avail mem = 1025187840 (977MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/27/07, BIOS32 rev. 0 @ 0xffe90, 
SMBIOS rev. 2.4 @ 0x3fb9c000 (64 entries)

bios0: vendor Dell Inc. version "2.0.1" date 10/27/2007
bios0: Dell Inc. PowerEdge 2950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WDAT SLIC ERST HEST BERT 
EINJ TCPA

acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX2)
acpiprt2 at acpi0: bus 5 (UPST)
acpiprt3 at acpi0: bus 6 (DWN1)
acpiprt4 at acpi0: bus 8 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 0 (PE2P)
acpiprt7 at acpi0: bus 10 (PEX4)
acpiprt8 at acpi0: bus 15 (PEX6)
acpiprt9 at acpi0: bus 2 (SBEX)
acpiprt10 at acpi0: bus 20 (COMP)
acpicpu0 at acpi0: C3
bios0: ROM list: 0xc/0x9000! 0xc9000/0x1000 0xca000/0x5c00 
0xd/0x1e00 0xec000/0x4000!

ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 5
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 6
ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci4 at ppb3 bus 7
bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: irq 5
ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01: irq 5
pci5 at ppb4 bus 8
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 9
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
pci7 at ppb6 bus 1
mpi0 at pci7 dev 0 function 0 "Symbios Logic SAS1068E" rev 0x08: irq 5
scsibus0 at mpi0: 112 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 
0/direct fixed

sd0: 34732MB, 34401 cyl, 3 head, 689 sec, 512 bytes/sec, 71132959 sec total
sd1 at scsibus0 targ 1 lun 0:  SCSI3 
0/direct fixed

sd1: 34732MB, 34401 cyl, 3 head, 689 sec, 512 bytes/sec, 71132959 sec total
ses0 at scsibus0 targ 8 lun 0:  SCSI3 13/enclosure 
services fixed

ppb7 at pci0 dev 4 function 0 "Intel 5000 PCIE" rev 0x12
pci8 at ppb7 bus 10
ppb8 at pci8 dev 0 function 0 vendor "IDT", unknown product 0x8018 rev 0x0e
pci9 at ppb8 bus 11
ppb9 at pci9 dev 2 function 0 vendor "IDT", unknown product 0x8018 rev 0x0e
pci10 at ppb9 bus 12
"Intel PRO/1000 QP (82575GB)" rev 0x02 at pci10 dev 0 function 0 not 
configured
"Intel PRO/1000 QP (82575GB)" rev 0x02 at pci10 dev 0 function 1 not 
configured

ppb10 at pci9 dev 4 function 0 vendor "IDT", unknown product 0x8018 rev 0x0e
pci11 at ppb10 bus 13
"Intel PRO/1000 QP (82575GB)" rev 0x02 at pci11 dev 0 function 0 not 
configured
"Intel PRO/1000 QP (82575GB)" rev 0x02 at pci11 dev 0 function 1 not 
configured

ppb11 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0x12
pci12 at ppb11 bus 14
ppb12 at pci0 dev 6 function 0 "Intel 5000 PCIE" rev 0x12
pci13 at ppb12 bus 15
ppb13 at pci13 dev 0 function 0 vendor "IDT", unknown product 0x8018 rev 
0x0e

pci14 at ppb13 bus 16
ppb14 at pci14 dev 2 function 0 vendor "IDT", unknown product 0x8018 rev 
0x0e

pci15 at ppb14 bus 17
"Intel PRO/1000 QP (82575GB)" rev 0x02 at pci15 dev 0 function 0 not 
configured
"Intel PRO/1000 QP (82575GB)" rev 0x02 at pci15 dev 0 function 1 not 
configured
ppb15 at pci14 dev 4 function 0 vendor "IDT", unknown product 0x8018 rev 
0x0e

pci16 at ppb15 bus 18
"Intel PRO/1000 QP (82575GB)" rev 0x02 at pci16 dev 0 function 0 not 
configured
"Intel PRO/1000 QP (82575GB)" rev 0x02 at pci16 dev 0 function 1 not 
configured

ppb16 at pci0 dev 7 function 0 "Intel 5000 PCIE" rev 0x12
pci17 at ppb16 bus 19
pchb1 at pci0 dev 16 function 0 "Intel 5000 Error Reporting" rev 0x12
pchb2 at pci0 dev 16 function 1 "Intel 5000 Error Reporting" rev 0x12
pchb3 at pci0 dev 16 function 2 "Intel 5000 Error Reporting" rev 0x12
pchb4 at pci0 dev 17 function 0 "Intel 5000 Reserved" rev 0x12
pchb5 at pci0 dev 19 function 0 "Intel 5000 Reserved" rev 0x12
pchb6 at pci0 dev 21 function 0 "Intel 5000 FBD" rev 0x12
pchb

Re: Helping with Softraid testing

2007-11-16 Thread Chris Cameron
I thought the manpage was just covering things that worked well, and in 
the code itself were things waiting to be tested better. It shows a "3 
chunk raid 1" setup, but doesn't mention anything about hot standby. I'm 
not aware of 3 disk RAID 1 otherwise.


Also, for some reason (I think past misc@ posts) I was under the 
impression that this would be similar to Vinum. From what I'm hearing 
back it's actually a RAIDFrame replacement. The manpage doesn't really 
go over its final goal.


Testing related:
I saw your message on the 15th asking for help. I plan to run that 
through a SPARC machine, but I'm not sure if there are different ways to 
poke at the new code. Will different underlying hardware (besides 
architecture) make a difference, or is this a layer above that?



Chris


Marco Peereboom wrote:

I'll take this as the documentation isn't good enough.  Can you point me
to the area that isn't clear?

On Fri, Nov 16, 2007 at 11:29:20AM -0700, Chris Cameron wrote:
I'm in a good position to test Softraid on an AMD and an UltraSPARC, 
however I've realized I don't know a lot about it (what -exactly- it's 
working to accomplish, and commands to use).


Is there an overview of Softraid to get me started so I can be of some 
use?



Chris




Helping with Softraid testing

2007-11-16 Thread Chris Cameron
I'm in a good position to test Softraid on an AMD and an UltraSPARC, 
however I've realized I don't know a lot about it (what -exactly- it's 
working to accomplish, and commands to use).


Is there an overview of Softraid to get me started so I can be of some use?


Chris



Re: pf_src_connlimit messing things up

2007-05-01 Thread Chris Cameron

Stuart Henderson wrote:

On 2007/05/01 09:04, Chris Cameron wrote:

pf_src_connlimit: blocking address xx.xx.xx.xx, 7 states killed


Can someone point me to where I can read about this? I'd like to know 
how it decides to block the IP, how I can change it and at what point 
this block times out (which it seems to do).


pf.conf(5): max-src-conn



This looks to be only for rules, not the entire firewall.

I only use this for my SSH rule, which doesn't block all traffic from 
that IP (which is what I'm seeing now).


What I'm running into blocks this IP entirely, and doesn't log anything. 
This shouldn't be possible with my ruleset.



Chris



pf_src_connlimit messing things up

2007-05-01 Thread Chris Cameron

I'm getting the following:

pf_src_connlimit: blocking address xx.xx.xx.xx, 7 states killed


Which is a pretty neat feature except I can't find anything on it, and 
it's (somewhat) silently doing this.


Can someone point me to where I can read about this? I'd like to know 
how it decides to block the IP, how I can change it and at what point 
this block times out (which it seems to do).


I've searched the man pages, and tried Google but haven't had any luck.


We've forked out good money for a security audit and a big name saying 
we're compliant with whatever guideline they're looking at. They're 
getting a little perturbed because their scans aren't coming back 
accurately (first scrub and now this). So I need to turn this off at 
least temporarily.


Whether or not turning off various forms of security for a security 
audit is "valid" has been well discussed on our end already.



Thanks,
Chris
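An added illustration, not part of this thread or its follow-up above: the `pf_src_connlimit` message is printed when a rule's `max-src-conn` (concurrent states per source) or `max-src-conn-rate` (new connections per window) limit is exceeded and an `overload <table>` is configured; states are only killed when the overload clause also says `flush`. Whether the host then loses everything or only the limited service depends on that clause: `flush global` removes every state from the source regardless of which rule created it, plain `flush` only this rule's own states, and table entries stay until something expires them. The rule sets below are an assumed SSH setup (`$ext_if`, the `<bruteforce>` table name and the thresholds are made up), the kernel line fed to the parser is constructed, and the pfctl maintenance commands are printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: the two overload variants behind a
# "pf_src_connlimit: blocking address ..." message, plus the parsing and
# table maintenance a defender wants around it. $ext_if, the <bruteforce>
# table and the thresholds are assumptions.

# Variant A: "flush global" kills every state from the offending source, not
# only those created by this rule, and the block rule carries no "log", so the
# host is cut off entirely and nothing shows up in pflog.
ssh_rules_flush_global() {
    cat <<'EOF'
table <bruteforce> persist
block in quick from <bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
EOF
}

# Variant B: plain "flush" removes only the states this rule created, the
# block is scoped to SSH, and "log" makes the block visible in pflog.
ssh_rules_scoped() {
    cat <<'EOF'
table <bruteforce> persist
block in log quick on $ext_if proto tcp from <bruteforce> to ($ext_if) port ssh
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush)
EOF
}

# Turn one kernel message into "address states-killed" for scripting.
parse_connlimit_msg() {   # $1 = the syslog/dmesg line
    printf '%s\n' "$1" | sed -n \
        's/.*pf_src_connlimit: blocking address \([0-9.]*\), \([0-9]*\) states killed.*/\1 \2/p'
}

# Table entries do not age out on their own: these commands (printed, not run,
# so the script works offline) inspect them and expire entries older than an
# hour; the expire line is the one to put in cron.
table_maintenance_cmds() {
    cat <<'EOF'
pfctl -t bruteforce -T show
pfctl -t bruteforce -T expire 3600
pfctl -t bruteforce -T delete 192.0.2.10
EOF
}

# Demonstration on a constructed message.
parse_connlimit_msg 'pf_src_connlimit: blocking address 192.0.2.10, 7 states killed'
```

With variant B a blocked host still reaches every other service, and the block shows up in pflog because the block rule is logged; running `pfctl -t bruteforce -T expire 3600` from cron gives the "times out" behaviour an explicit, documented period.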



Wireless access point being flakey

2007-04-09 Thread Chris Cameron
Have a Soekris with an Atheros AR5212. Wirelessly, out to the internet 
packets get dropped. Wired, out to the internet, no problem. This is 
with the same laptop using the same outbound internet connection.


Wirelessly, from this laptop to the router no packets are dropped. From 
the router to some remote IP, no packets are dropped. From the laptop to 
the remote IP many packets are dropped.


Running tcpdump on both interfaces:

ath0:
08:46:08.875787 192.168.118.151 > 66.102.7.147: icmp: echo request
08:46:08.943949 66.102.7.147 > 192.168.118.151: icmp: echo reply [tos 0xe0]
08:46:09.872006 192.168.118.151 > 66.102.7.147: icmp: echo request
08:46:15.291102 192.168.118.151 > 66.102.7.147: icmp: echo request
08:46:15.344601 66.102.7.147 > 192.168.118.151: icmp: echo reply [tos 0xe0]
08:46:16.287958 192.168.118.151 > 66.102.7.147: icmp: echo request

sis0:
08:46:08.876374 70.72.102.186 > 66.102.7.147: icmp: echo request
08:46:08.943440 66.102.7.147 > 70.72.102.186: icmp: echo reply [tos 0xe0]
08:46:09.872583 70.72.102.186 > 66.102.7.147: icmp: echo request
08:46:15.291684 70.72.102.186 > 66.102.7.147: icmp: echo request
08:46:15.344103 66.102.7.147 > 70.72.102.186: icmp: echo reply [tos 0xe0]
08:46:16.288543 70.72.102.186 > 66.102.7.147: icmp: echo request


It simply looks like the remote site doesn't reply. With PF passing all 
traffic the problem persists, as well nothing is logged by pf.



Anyone know what might be going on?


Thanks,
Chris


My dmesg:
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 ("AuthenticAMD" 486-class)
cpu0: FPU
real mem  = 66678784 (65116K)
avail mem = 52539392 (51308K)
using 844 buffers containing 3457024 bytes (3376K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 20/50/27, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
elansc0 at pci0 dev 0 function 0 "AMD ElanSC520 PCI" rev 0x00: product 0 
stepping 1.1, CPU clock 100MHz, reset 0

gpio0 at elansc0: 32 pins
cbb0 at pci0 dev 9 function 0 "TI PCI1410 CardBus" rev 0x02: irq 10
ath0 at pci0 dev 16 function 0 "Atheros AR5212" rev 0x01: irq 11
ath0: AR5213 5.9 phy 4.3 rf5112a 3.6, FCC2A*, address 00:0b:6b:57:bd:4a
sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: 
irq 5, address 00:00:24:c7:19:b8

nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 19 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: 
irq 9, address 00:00:24:c7:19:b9

nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x10, lattimer 0x3f
pcmcia0 at cardslot0
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: 
wd0: 4-sector PIO, LBA, 977MB, 2001888 sectors
wd0(wdc0:0:0): using BIOS timings
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask f5c5 netmask ffe5 ttymask ffe7
pctr: no performance counters in CPU
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
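An added example, not part of the post: an awk pass over the two captures above that pairs each echo request with its reply and lists the requests that never got one. Run on both interfaces it shows whether the unanswered probes died on the wireless hop (the request would then be missing from sis0) or were forwarded and simply never answered (the request appears on both interfaces, the reply on neither). The sample input is the poster's ath0 and sis0 lines reproduced inline; the interface roles (ath0 inner, sis0 uplink) follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: pair ICMP echo requests with
# replies in tcpdump output and report which probes went unanswered.

# Capture lines copied from the post (ath0 = wireless side, sis0 = wired
# uplink). The "[tos 0xe0]" suffix on replies is left as printed.
sample_ath0() {
    cat <<'EOF'
08:46:08.875787 192.168.118.151 > 66.102.7.147: icmp: echo request
08:46:08.943949 66.102.7.147 > 192.168.118.151: icmp: echo reply [tos 0xe0]
08:46:09.872006 192.168.118.151 > 66.102.7.147: icmp: echo request
08:46:15.291102 192.168.118.151 > 66.102.7.147: icmp: echo request
08:46:15.344601 66.102.7.147 > 192.168.118.151: icmp: echo reply [tos 0xe0]
08:46:16.287958 192.168.118.151 > 66.102.7.147: icmp: echo request
EOF
}
sample_sis0() {
    cat <<'EOF'
08:46:08.876374 70.72.102.186 > 66.102.7.147: icmp: echo request
08:46:08.943440 66.102.7.147 > 70.72.102.186: icmp: echo reply [tos 0xe0]
08:46:09.872583 70.72.102.186 > 66.102.7.147: icmp: echo request
08:46:15.291684 70.72.102.186 > 66.102.7.147: icmp: echo request
08:46:15.344103 66.102.7.147 > 70.72.102.186: icmp: echo reply [tos 0xe0]
08:46:16.288543 70.72.102.186 > 66.102.7.147: icmp: echo request
EOF
}

# Read a capture on stdin. Without -v tcpdump prints no echo sequence numbers,
# so a reply is attributed to the most recent outstanding request (the ~50 ms
# RTT here makes that safe); any older outstanding request is counted as lost.
icmp_loss_report() {
    awk '
    /icmp: echo request/ { out[++n] = $1; next }
    /icmp: echo reply/ {
        if (n == 0) next                    # reply with no request seen: ignore
        answered++
        for (i = 1; i < n; i++) lost[++nl] = out[i]
        n = 0
        next
    }
    END {
        for (i = 1; i <= n; i++) lost[++nl] = out[i]
        printf "sent=%d answered=%d lost=%d", answered + nl, answered, nl
        for (i = 1; i <= nl; i++) printf " lost_at=%s", lost[i]
        printf "\n"
    }'
}

# Extract the lost count from a report line.
lost_count() {
    sed 's/.*lost=\([0-9]*\).*/\1/'
}

# Compare inner (wireless) and outer (uplink) loss: if the wireless side lost
# more, requests died on the radio hop; if both lost the same, the requests
# were forwarded and the replies never came back from upstream.
localize_loss() {   # $1 = inner lost count, $2 = outer lost count
    if [ "$1" -gt "$2" ]; then echo "wireless-hop"; else echo "upstream"; fi
}

# Demonstration on the sample captures.
inner=$(sample_ath0 | icmp_loss_report)
outer=$(sample_sis0 | icmp_loss_report)
echo "ath0: $inner"
echo "sis0: $outer"
localize_loss "$(echo "$inner" | lost_count)" "$(echo "$outer" | lost_count)"
```

On the post's captures both interfaces report the same two lost probes at the same instants, so the router forwarded every request and the replies never arrived at sis0, which is consistent with the poster's reading that the remote side did not answer; a loss count higher on ath0 than on sis0 would instead point at the radio hop.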



dhclient on a Soekris

2007-03-14 Thread Chris Cameron
I'm trying to set up a Soekris that I can hand to someone and have it 
work just like a Linksys might.


My one snag is grabbing a DHCP address from a server that may not always 
be there. For instance if they plug the device in, but then don't plug 
in the network cable until several minutes later. The dhclient process 
just goes away without the link.


The only solution I see right now is making a script that watches for a 
dhclient process, and then manually starts it whenever it goes away. 
This doesn't seem that "elegant" in my mind.


I'm sure people have set up these boxes like this before, what was done 
to reliably grab a DHCP lease?



Thanks,
Chris
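An added example, not from the post: the watcher the poster describes, written so that it waits for link on the interface before (re)starting dhclient rather than just respawning the process. dhclient gives up when it cannot get a lease, so the loop polls the interface's carrier status and only starts a client once the cable is in and no dhclient for that interface is running. The interface name, the poll interval, the pgrep pattern and the `DHCP_WATCH` switch are assumptions; the decision logic is kept in a function that takes ifconfig output as text so it can be checked without a live interface.

```shell
#!/bin/sh
# Added example, not from the original post: keep dhclient alive on an
# interface whose cable may be plugged in minutes after boot. dhclient gives
# up when it cannot get a lease, so this loop waits for link and (re)starts it.
# Interface name, poll interval, the pgrep pattern and the DHCP_WATCH switch
# are assumptions, not anything from the post.

IF="${IF:-sis0}"
POLL="${POLL:-5}"

# Return 0 when the given ifconfig output reports carrier.
link_is_active() {   # $1 = output of "ifconfig $IF"
    printf '%s\n' "$1" | grep -q '^[[:space:]]*status: active$'
}

# What the watchdog should do this round: wait (no link), ok (dhclient
# already running) or start (link up, no dhclient).
decide() {   # $1 = ifconfig output, $2 = 1 if a dhclient for IF is running
    if ! link_is_active "$1"; then
        echo wait
    elif [ "$2" -eq 1 ]; then
        echo ok
    else
        echo start
    fi
}

# Poll the live interface and act on the decision. dhclient backgrounds
# itself once it has a lease, so "start" does not block the loop.
watch_loop() {
    while :; do
        running=0
        pgrep -f "dhclient.*$IF" >/dev/null 2>&1 && running=1
        if [ "$(decide "$(ifconfig "$IF")" "$running")" = start ]; then
            dhclient "$IF"
        fi
        sleep "$POLL"
    done
}

# Only touch a real interface when explicitly asked, e.g. from rc.local:
#   DHCP_WATCH=1 IF=sis0 sh dhcp-watch.sh &
if [ "${DHCP_WATCH:-0}" = 1 ]; then
    watch_loop
fi
```

Started from rc.local with `DHCP_WATCH=1`, the loop is idle until `status: active` appears, which is the case the poster hits when the cable is connected several minutes after power-on.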



Re: Firewall partially failing with high traffic (Updated)

2006-11-15 Thread Chris Cameron
Just building off my last message. Answering Ryan's questions first:

- Do you have dedicated addresses on the carp parent interfaces?

For sure.

- Are all the carp devices on the master firewall MASTER; what about the
  backup?

Before and after the network dies, primary firewall is all MASTER,
secondary stays as BACKUP.

- Can you reach the 'disappearing' network from the backup firewall?

Yes.

- Is preemption enabled? (sysctl net.inet.carp.preempt=1)

Yes.

- What is the output of 'netstat -sp carp' on both the master and backup
  firewalls?

Have it below.

- What about the output of 'netstat -i'? Are there output errors on the
  offending interface?

Exact output below, but no errors in or out, before or after.

- Have you tried running with carp debugging turned on? (sysctl
  net.inet.carp.log=1)

Did this on both firewalls, didn't see output one way or the other.
Restarted with it in sysctls.conf just to be sure, but didn't see
anything.




What further I know:

- set debug loud, lots of output, nothing looks different while the
problem is present.

- From the "dead" network, if I ping the firewall, tcpdump shows the
firewall making an arp request for the originating machine.
18:17:50.015307 arp who-has 172.168.120.50 tell 172.168.120.2

172.168.120.50 is the machine on the dead network, which was trying to
ping the firewall. This would lead me to believe the firewall saw
-something-. Lots of traffic trying to go to, but none come back from
that network.

- I can ping the dead interface locally.

- Bringing interface down and up doesn't help

- From the firewall itself, I can hang that interface. Before I was
doing it from my desktop, through the firewall.


Ifconfig explanation:

gem0 - external
gem1 - 120.x - network that "disappears"
hme0 - 0.x - pfsync traffic
hme1 - 121.x - Network my terminal is on
hme2 - 119.x

My ifconfig -A output from the master firewall:

$ ifconfig -A
lo0: flags=8049 mtu 33192
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
gem0:
flags=8b63 
mtu 1500
lladdr 00:03:ba:f2:bc:1c
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 216.2.22.123 netmask 0xffe0 broadcast 216.82.41.127
inet6 fe80::203:baff:fef2:bc1c%gem0 prefixlen 64 scopeid 0x1
gem1:
flags=8b63 
mtu 1500
lladdr 00:03:ba:f2:bc:1d
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.168.120.2 netmask 0xff00 broadcast 172.168.120.255
inet6 fe80::203:baff:fef2:bc1d%gem1 prefixlen 64 scopeid 0x2
hme0: flags=8863 mtu
1500
lladdr 08:00:20:ee:66:60
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
inet6 fe80::a00:20ff:feee:6660%hme0 prefixlen 64 scopeid 0x3
hme1:
flags=8b63 
mtu 1500
lladdr 08:00:20:ee:66:61
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.168.121.2 netmask 0xff00 broadcast 172.168.121.255
inet6 fe80::a00:20ff:feee:6661%hme1 prefixlen 64 scopeid 0x4
hme2:
flags=8b63 
mtu 1500
lladdr 08:00:20:ee:66:62
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.168.119.2 netmask 0xff00 broadcast 172.168.119.255
inet6 fe80::a00:20ff:feee:6662%hme2 prefixlen 64 scopeid 0x5
hme3: flags=8822 mtu 1500
lladdr 08:00:20:ee:66:63
media: Ethernet autoselect
pflog0: flags=141 mtu 33192
pfsync0: flags=41 mtu 1348
pfsync: syncdev: hme0 maxupd: 128
enc0: flags=0<> mtu 1536
tun0: flags=8051 mtu 1500
groups: tun
inet 172.168.123.1 --> 172.168.123.2 netmask 0x
carp0: flags=8843 mtu 1500
carp: MASTER carpdev gem0 vhid 1 advbase 1 advskew 0
groups: carp
inet 216.82.41.116 netmask 0xffe0 broadcast 216.82.41.127
inet 216.82.41.97 netmask 0xffe0 broadcast 216.82.41.127
inet 216.82.41.98 netmask 0xffe0 broadcast 216.82.41.127
inet 216.82.41.117 netmask 0xffe0 broadcast 216.82.41.127
inet 216.82.41.118 netmask 0xffe0 broadcast 216.82.41.127
inet 216.82.41.119 netmask 0xffe0 broadcast 216.82.41.127
inet 216.82.41.120 netmask 0xffe0 broadcast 216.82.41.127
inet 216.82.41.125 netmask 0xffe0 broadcast 216.82.41.127
inet 216.82.41.126 netmask 0xffe0 broadcast 216.82.41.127
carp1: flags=8843 mtu 1500
carp: MASTER carpdev gem1 vhid 2 advbase 1 advskew 0
groups: carp
inet 172.168.120.1 netmask 0xff00 broadcast 172.168.120.255
carp2: flags=8843 mtu 1500
carp: MASTER carpdev hme1 vhid 3 advbase 1 advskew 0
groups: carp
inet 172.168.121.1 netmask 0xff00 broadcast 172.168.121.255
carp3: flags=8843 mtu 1500
carp: MASTER carpdev
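An added illustration, not from the thread: the state check behind the second question answered above ("are all the carp devices on the master MASTER; what about the backup?"), as an awk pass over `ifconfig -A` output. It prints one line per carp interface and lists any whose state differs from what that node should show, which makes a stray BACKUP on the primary, or a vhid that is MASTER on both nodes, visible at a glance. The ifconfig output below is constructed in the style of the listing above; its third carp entry is deliberately BACKUP.

```shell
#!/bin/sh
# Added example, not from the thread: summarize the carp(4) entries in
# "ifconfig -A" output and flag any that are not in the expected state.
# The sample output is constructed in the style of the poster's listing.

sample_ifconfig() {
    cat <<'EOF'
gem0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:f2:bc:1c
        inet 216.2.22.123 netmask 0xffffffe0 broadcast 216.82.41.127
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev gem0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 216.82.41.116 netmask 0xffffffe0 broadcast 216.82.41.127
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev gem1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 172.168.120.1 netmask 0xffffff00 broadcast 172.168.120.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev hme1 vhid 3 advbase 1 advskew 100
        groups: carp
        inet 172.168.121.1 netmask 0xffffff00 broadcast 172.168.121.255
EOF
}

# Print "interface state carpdev vhid advskew" for every carp interface.
# The "carp:" detail line follows the "carpN:" header, so remember the
# header name and emit one summary line when the detail line arrives.
carp_summary() {
    awk '
    /^carp[0-9]+:/ { name = $1; sub(/:$/, "", name); next }
    name != "" && $1 == "carp:" {
        printf "%s %s %s %s %s\n", name, $2, $4, $6, $10
        name = ""
    }'
}

# List carp interfaces whose state differs from what this node should show
# (MASTER on the primary, BACKUP on the secondary). Empty output = consistent.
carp_mismatches() {   # $1 = expected state; ifconfig output on stdin
    carp_summary | awk -v want="$1" '$2 != want { print $1 }'
}

# Demonstration: on the primary every carp interface should be MASTER.
sample_ifconfig | carp_summary
bad=$(sample_ifconfig | carp_mismatches MASTER)
[ -z "$bad" ] && echo "all carp interfaces MASTER" || echo "not MASTER: $bad"
```

On a live pair, `ifconfig -A | carp_mismatches MASTER` on the primary and `ifconfig -A | carp_mismatches BACKUP` on the secondary, run before and after the hang, is a quick way to record the per-vhid state the thread asks about; `netstat -sp carp` then gives the matching counters.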

Re: Firewall partially failing with high traffic

2006-11-14 Thread Chris Cameron
This is while it's working. I'll repost this tonight when I'm able to
hang it.

Status: Enabled for 0 days 16:47:54   Debug: Urgent

Interface Stats for gem0  IPv4 IPv6
  Bytes In  1560279475  272
  Bytes Out 1464940667  352
  Packets In
Passed 23485100
Blocked  883254
  Packets Out
Passed 23883682
Blocked 213

State Table  Total Rate
  current entries  784
  searches18122501  299.7/s
  inserts   1069401.8/s
  removals  1061561.8/s
Counters
  match 3044965.0/s
  bad-offset 00.0/s
  fragment   20.0/s
  short  00.0/s
  normalize  00.0/s
  memory 00.0/s
  bad-timestamp  00.0/s
  congestion   1290.0/s
  ip-option  00.0/s
  proto-cksum  3010.0/s
  state-mismatch  15190.0/s
  state-insert 9030.0/s
  state-limit00.0/s
  src-limit  00.0/s
  synproxy   00.0/s
$ sudo pfctl -s memory
stateshard limit1
src-nodes hard limit1
frags hard limit 5000
tableshard limit 1000
table-entries hard limit   10
$


Chris

On Tue, 2006-11-14 at 13:05 -0500, Carlos A. Carnero Delgado wrote:
> Hi,
> 
> On 11/14/06, Chris Cameron <[EMAIL PROTECTED]> wrote:
> > I have a 3.8 PF/CARP setup that I can reproducibly screw up simply by
> > cat'ing lots of text over a telnet session.
> 
> can you post `pfctl -s info` and `pfctl -s memory`?
> 
> Best regards,
> Carlos.



Firewall partially failing with high traffic

2006-11-14 Thread Chris Cameron
I have a 3.8 PF/CARP setup that I can reproducibly screw up simply by
cat'ing lots of text over a telnet session.

It has several subnets, and several NICs, but only 1 subnet becomes
unavailable. Everything else continues to work. There are no errors in
messages, daemon, with PF debug set to misc. Counters all look normal,
same with state table and netstat -m output. The only reason I believe
it's the firewall is restarting it will bring the network back up.

I can't (easily) give direct output from things like ifconfig or pf.conf
as they're both huge and contain information I've been told we don't
want to send out. Hopefully this doesn't prevent anyone from helping me
out.


gem0 - external
gem1 - 120.x
hme0 - 0.x
hme1 - 121.x
hme2 - 119.x


Coming in on hme1 routed through gem1, I can cause everything off gem1
to stop working. The interface shows as up, but nothing works. All other
interfaces work fine. PF continues to work as NAT and external
firewalling still operates.

No errors anywhere, even with debugging turned on in PF. netstat -m
looks the same before and after.


I'm hoping someone can give me a better way to debug this, considering I
can reproduce it. I don't believe it's PF as I can disable and re-enable
it with no effect.

I've disabled ohci using config -e as those were the only errors I was
seeing. Specifically:
ohci0: 1 scheduling overruns

However they didn't happen anywhere near this problem.

dmesg (out of messages):
syncing disks... done
o
arpresolve
console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED],1/[EMAIL PROTECTED]/[EMAIL 
PROTECTED],3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved.
http://www.OpenBSD.org
Copyright (c) 1995-2005 OpenBSD. All rights reserved.
http://www.OpenBSD.org
OpenBSD 3.8 (CARP) #0: Fri Feb 24 15:29:15 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/CARP
total memory = 1073741824
avail memory = 969023488
using 6553 buffers containing 53682176 bytes of memory
bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL 
PROTECTED],0
mainbus0 (root): Sun Fire V120 (UltraSPARC-IIe 648MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe @ 648 MHz, version 0 FPU
cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 2048K
external (64 b/l)
psycho0 at mainbus0
SUNW,sabre: impl 0, version 0: ign 7c0 bus range 0 to 3; PCI bus 0
DVMA map: c000 to e000
IOTDB: 4d0a000 to 4d8a000
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 "Sun Simba PCI-PCI" rev 0x13
pci1 at ppb0 bus 1
ebus0 at pci1 dev 12 function 0 "Sun PCIO Ebus2 (US III)" rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59: hostid 83f2bc1c
ebus_attach: idprom: incomplete
SUNW,lomh at ebus0 addr 20-23 ipl 42 not configured
gem0 at pci1 dev 12 function 1 "Sun ERI Ether" rev 0x01: ivec 3006,
address 00:03:ba:f2:bc:1c
bmtphy0 at gem0 phy 1: BCM5221 100baseTX PHY, rev. 4
ohci0 at pci1 dev 12 function 3 "Sun USB" rev 0x01: ivec 24, version
1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Sun OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
"Acer Labs M7101 Power" rev 0x00 at pci1 dev 3 function 0 not configured
"Acer Labs M7101 Power" rev 0x00 at pci1 dev 3 function 0 not configured
ebus1 at pci1 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
power at ebus1 addr 800-82f ipl 37 not configured
com0 at ebus1 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
com0: console
com1 at ebus1 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
pciide0 at pci1 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3:
DMA, channel 0 configured to native-PCI, channel 1 configured to
native-PCI
pciide0: using ivec 180c for native-PCI interrupt
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
gem1 at pci1 dev 5 function 1 "Sun ERI Ether" rev 0x01: ivec 301c,
address 00:03:ba:f2:bc:1d
bmtphy1 at gem1 phy 1: BCM5221 100baseTX PHY, rev. 4
ohci1 at pci1 dev 5 function 3 "Sun USB" rev 0x01: ivec 26, version 1.0,
legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Sun OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 4 ports with 4 removable, self powered
ppb1 at pci0 dev 1 function 0 "Sun Simba PCI-PCI" rev 0x13
pci2 at ppb1 bus 2
siop0 at pci2 dev 8 function 0 "Symbios Logic 53c896" rev 0x07: ivec
1820, using 8K of on-board RAM
scsibus0 at siop0: 16 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI4
0/direct fixed
sd0: 70007MB, 14100 cyl, 24 head, 423 sec, 512 bytes/sec, 143374738 sec
total
sd1 at scsibus0 targ 1 lun 0:  SCSI4
0/direct fixed
sd1: 70007MB, 14100 cyl, 24 head, 423 sec, 512 bytes/sec, 143374738 sec
total
siop1 at pci2 dev 8 function 1 "Symbios Logic 53c896" rev 0x07: ivec
1820, using 8K of on-board RAM
scsibus1 at siop1: 16 targets
ppb2 at pci2 dev 5 function 0 "Intel S21154AE/BE PCI-PCI" rev 0x00
pci3 at ppb2 bus 3
"Sun PCIO Ebus2" rev 0x01 at pc

Re: Firewall partially failing with high traffic

2006-11-14 Thread Chris Cameron
On Tue, 2006-11-14 at 15:59 +, Tobias Weingartner wrote:
> In article <[EMAIL PROTECTED]>, Chris Cameron wrote:
> > 
> >  I have a 3.8 PF/CARP setup that I can reproducibly screw up simply by
> >  cat'ing lots of text over a telnet session.
> 
> Chances are that you're hitting some bug in 3.8, that has likely been
> fixed in 3.9, or 4.0.  Or the rule you're using to pass the traffic is
> wrong.  You using "keep state"?  Are you using 'flags S/SA' on that
> rule?

The firewall works fine, and has been working fine since 3.8 was
released. It's this one specific thing that kills it. I'm fairly certain
it isn't PF.

Upgrading isn't an option. I mean it is, but as soon as I say "Don't
know, let's just upgrade", that's a major hit to something that was tough
to get in in the first place. This will be a Firewall-1 shop again quite
quickly and any future thing I recommend isn't going to have much
weight.

> With the amount of information you've given, it is hard to even theorize
> what could be wrong.  People would need more information.

I mentioned this in my original email. What do you want for information?
Cause I'll post it if you think it'll help, but as I explained, I don't
believe it's PF. The entire machine acts as if nothing is wrong, so
short of including every single configuration file I've touched, and the
output of most system commands, I'm not certain of what to include.

I can disable and re-enable PF. I've turned on debugging in PF. PF
continues to work for the other 4 networks both natting and filtering. I
don't think this is the problem.



Chris

> --Toby.



Re: Sun BlackBox

2006-11-01 Thread Chris Cameron
Do you plan to need a trailer full of Sun hardware?


They're just normal Sun machines in a trailer.


On Wed, 2006-11-01 at 14:55 -0300, Gustavo Rios wrote:
> Dear list members,
> 
> While visiting sun blackbox home page, I saw they have a new project
> called blackbox. But I don't know whether openbsd could be used within
> it.
> 
> Gustavo Rios



Re: Website(s) being blocked by CARP/PF firewall

2006-09-07 Thread Chris Cameron
On Thu, 2006-09-07 at 10:46 -0400, Asenchi wrote:
> On 9/7/06, Chris Cameron <[EMAIL PROTECTED]> wrote:
> > Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
> > unable to get to ticketmaster.ca or .com. They both have different IPs.

> But make sure you have read and understand the FAQ [1] and the man
> pages for pf.conf [2], carp [3], pfsync [4] before responding.
> 
> hth,
> Asenchi.
> 
> [1] http://www.openbsd.org/faq/pf/index.html
> [2] http://urlx.org/openbsd.org/4a4bc
> [3] http://urlx.org/openbsd.org/5ca9f
> [4] http://urlx.org/openbsd.org/558dd


I didn't see any "Can't access Ticketmaster.ca" entries; but I think I
have the rest covered.

No other sites have this problem. The firewall sits in front of an
office of 15 or so, so I believe I would have heard something. Logging
is turned on for my default block rule, which isn't returning anything
for the ticketmaster IPs.

The connection is just refused though. Nothing gets "lost", or dropped.
The server gets the request, replies, and the client sees it.


I don't see how this could be a problem of my ruleset; if something was
being blocked, no packets would have been received by the client.



Again, does anyone have any ideas? Can other people access ticketmaster
through their CARP'd NAT firewall?


Chris



Website(s) being blocked by CARP/PF firewall (2 of 2)

2006-09-07 Thread Chris Cameron
Sorry, hit Ctrl+Enter.

192.168.0.1 - CARP IP
192.168.0.2 - Master firewall IP

On the master CARP firewall, with tcpdump on the external interface:


Connecting behind firewall:
 
08:18:30.705631 192.168.0.1.53119 > 209.104.48.144.80: S
4111080674:4111080674(0) win 16384  (DF) [tos 0x10]
08:18:30.785334 209.104.48.144.80 > 192.168.0.1.53119: R 0:0(0) ack
4111080675 win 0 (DF)


Connecting on firewall:
08:18:48.623292 192.168.0.2.7390 > 209.104.48.144.80: S
4083495652:4083495652(0) win 16384  (DF) [tos 0x10]
08:18:48.704195 209.104.48.144.80 > 192.168.0.2.7390: S
35837621:35837621(0) ack 4083495653 win 5792  (DF)
08:18:48.704334 192.168.0.2.7390 > 209.104.48.144.80: . ack 1 win 16384
 (DF) [tos 0x10]
08:18:50.449324 192.168.0.2.7390 > 209.104.48.144.80: F 1:1(0) ack 1 win
16384  (DF) [tos 0x10]
08:18:50.528828 209.104.48.144.80 > 192.168.0.2.7390: F 1:1(0) ack 2 win
5792  (DF)
08:18:50.528933 192.168.0.2.7390 > 209.104.48.144.80: . ack 2 win 16383
 (DF) [tos 0x10]



Anyone know why the ticketmaster server closes the connection (from what
I can tell) when I connect with my CARP IP, and not when I just use the
local IP?


Thanks,
Chris
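An added example, not from the thread (it also covers the earlier follow-up on this page asking whether others can reach the site through a CARP'd NAT firewall): an awk pass over tcpdump TCP lines that groups packets per connection and tells a refused connection (SYN answered by RST) from a completed handshake (SYN, SYN/ACK, ACK). The sample lines are the poster's two traces re-joined onto one line each, which is how tcpdump prints them before mail wrapping; the field positions the parser relies on are those of that output format. A RST straight back, as in the first trace, means the far end or something in front of it actively rejected the SYN, whereas a silent filter would show only retransmitted SYNs with no answer; with the two traces differing only in source address, that address is the next thing to look at.

```shell
#!/bin/sh
# Added example, not from the original post: classify TCP connections in
# tcpdump output as established (full handshake) or refused (SYN met by RST).

# The poster's two traces, each packet re-joined onto one line (constructed
# from the post; tcpdump prints them this way before mail wrapping).
sample_trace() {
    cat <<'EOF'
08:18:30.705631 192.168.0.1.53119 > 209.104.48.144.80: S 4111080674:4111080674(0) win 16384 (DF) [tos 0x10]
08:18:30.785334 209.104.48.144.80 > 192.168.0.1.53119: R 0:0(0) ack 4111080675 win 0 (DF)
08:18:48.623292 192.168.0.2.7390 > 209.104.48.144.80: S 4083495652:4083495652(0) win 16384 (DF) [tos 0x10]
08:18:48.704195 209.104.48.144.80 > 192.168.0.2.7390: S 35837621:35837621(0) ack 4083495653 win 5792 (DF)
08:18:48.704334 192.168.0.2.7390 > 209.104.48.144.80: . ack 1 win 16384 (DF) [tos 0x10]
08:18:50.449324 192.168.0.2.7390 > 209.104.48.144.80: F 1:1(0) ack 1 win 16384 (DF) [tos 0x10]
08:18:50.528828 209.104.48.144.80 > 192.168.0.2.7390: F 1:1(0) ack 2 win 5792 (DF)
08:18:50.528933 192.168.0.2.7390 > 209.104.48.144.80: . ack 2 win 16383 (DF) [tos 0x10]
EOF
}

# Field layout of a tcpdump TCP line: $2 = src ip.port, $4 = dst ip.port followed
# by a colon, $5 = flag letters (S, R, F, P, or "." for none).
tcp_handshake_report() {
    awk '
    {
        src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
        key = (src < dst) ? src " " dst : dst " " src   # one key per conversation
        if (!(key in seen)) { order[++n] = key; seen[key] = 1 }
        if (flags == "S" && $0 !~ / ack /) { client[key] = src; syn[key] = 1 }
        else if (flags == "S") synack[key] = 1          # SYN carrying an ack = SYN/ACK
        else if (flags ~ /R/) rst[key] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (synack[k]) v = "established"
            else if (syn[k] && rst[k]) v = "refused"
            else v = "unknown"
            printf "%s %s\n", client[k], v
        }
    }'
}

# Only the clients whose SYN was answered with a RST.
refused_clients() {
    tcp_handshake_report | awk '$2 == "refused" { print $1 }'
}

# Demonstration on the sample trace.
sample_trace | tcp_handshake_report
```

On a longer capture (`tcpdump -n -i $ext_if tcp port 80 | tcp_handshake_report`) the report separates connections that complete from those refused per client address, which is what is needed to confirm that only traffic sourced from the CARP address is being reset.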



Website(s) being blocked by CARP/PF firewall

2006-09-07 Thread Chris Cameron
Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
unable to get to ticketmaster.ca or .com. They both have different IPs.


On the master CARP firewall, with tcpdump on the external interface:



isakmpd - Two subnets behind 1 server

2006-05-16 Thread Chris Cameron
I have 3 subnets, 192.168.120.x, 121.x and 122.x. 120 and 121 are
physically connected, 122 connects through a VPN.

In my VPN config, in Phase 2 I have:

Local-ID=   120network
Remote-ID=  122network



As expected, the 120 and 122 networks talk fine, traffic coming from or
going to 121 doesn't get routed to 122. From what I can tell it's
because there's no entry for it to do such under route's 'Encap'.

Question is, is there any way in isakmpd.conf to define 2 subnets for the
Remote-ID? Can this route be added manually somehow?


Thanks,
Chris



Compiling BandwidthD

2006-05-09 Thread Chris Cameron
Has anyone recently compiled BandwidthD on OpenBSD?

I've been banging my head against this for a while, and it's just one
thing after another not working.

This is on 3.8/Sparc64, but would be willing to hear from anyone who has
done this before.


Chris



Re: using queues to limit bandwidth

2006-05-01 Thread Chris Cameron
On Mon, 2006-05-01 at 13:02 -0400, Chris Bullock wrote:
> Can queues be used to queue overall bandwidth?  We have a project where we
> will be sharing an Internet connection with another company, we will have an
> IP and they will have an IP each company providing their own firewall.  I
> understand that queuing is able to queue based on protocol, etc on the same
> box but let's say there is a T1 shared between the companies. The company
> tells us, you can have one of our IP addresses but you can only use 100k of
> our bandwidth, can pf do this?  I guess this is more bandwidth throttling
> more so than queuing.
> TIA,
> Chris
> 


No one mentioned it, but this'll only work in one direction. It won't
stop you from saturating the pipe with incoming traffic.



'set skip on' being inconsistent

2006-04-13 Thread Chris Cameron
In my pf.conf I have:

set skip on tun0
set skip on enc0
set skip on lo0


tun0 is for OpenVPN. If I run pfctl -f /etc/pf.conf, I can connect with
OpenVPN and telnet to a server.

If I disconnect OpenVPN, wait for a couple of minutes, then try
connecting with telnet again, pf blocks the connection. If I run pfctl
-f /etc/pf.conf, I can connect again.

OpenVPN connects fine, it's just the telnet after that doesn't work.
tcpdump -i tun0 shows the packets coming in.


The connection attempt in my pflog:

Apr 13 14:03:37.157867 rule 0/(match) block in on tun0: 192.168.123.6.1160 > 192.168.120.50.23: S 648098994:648098994(0) win 16384  (DF)
Apr 13 14:03:43.092857 rule 0/(match) block in on tun0: 192.168.123.6.1160 > 192.168.120.50.23: S 648098994:648098994(0) win 16384  (DF)


Anyone know what's going on? This is a patched Sparc64/3.8 in a carp
setup.


Chris
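
Both the ticketmaster trace further up and this pflog excerpt are read the same way: find the SYN, then see what (if anything) answered it. A RST from the far end means the packet arrived and was refused, a SYN/ACK means the handshake worked, a pflog block line means the local pf ruleset dropped it, and silence means something in between discarded it. The following is an added example, not code from any of the posts: it parses tcpdump(8)-style TCP summary lines, with or without the pflog(4) "rule N/(match) block in on ifN:" prefix, and gives each connection attempt one of those four verdicts. The sample lines are constructed, modeled on the two posts' output, with TCP options omitted.

```python
import re

# Constructed sample lines modeled on the tcpdump(8) and pflog(4) output
# quoted in the two posts; TCP options (mss etc.) are omitted.
SAMPLE = [
    # Attempt sourced from the CARP address: the server answers with RST.
    "08:18:30.705631 192.168.0.1.53119 > 209.104.48.144.80: S 4111080674:4111080674(0) win 16384 (DF) [tos 0x10]",
    "08:18:30.785334 209.104.48.144.80 > 192.168.0.1.53119: R 0:0(0) ack 4111080675 win 0 (DF)",
    # Attempt sourced from the firewall's own address: normal handshake.
    "08:18:48.623292 192.168.0.2.7390 > 209.104.48.144.80: S 4083495652:4083495652(0) win 16384 (DF) [tos 0x10]",
    "08:18:48.704195 209.104.48.144.80 > 192.168.0.2.7390: S 35837621:35837621(0) ack 4083495653 win 5792 (DF)",
    "08:18:48.704334 192.168.0.2.7390 > 209.104.48.144.80: . ack 1 win 16384 (DF) [tos 0x10]",
    # pflog lines: pf itself blocked the SYN (and its retransmit) on tun0.
    "Apr 13 14:03:37.157867 rule 0/(match) block in on tun0: 192.168.123.6.1160 > 192.168.120.50.23: S 648098994:648098994(0) win 16384 (DF)",
    "Apr 13 14:03:43.092857 rule 0/(match) block in on tun0: 192.168.123.6.1160 > 192.168.120.50.23: S 648098994:648098994(0) win 16384 (DF)",
    # A SYN that nothing ever answered (constructed).
    "08:19:01.000000 192.168.0.1.53120 > 209.104.48.144.443: S 1:1(0) win 16384 (DF)",
]

# Optional pflog(4) prefix in front of the packet summary.
PFLOG_PREFIX = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifn>\w+):")
# The TCP summary both plain tcpdump(8) and pflog(4) lines share:
# "src.sport > dst.dport: FLAGS ...".
TCP_SUMMARY = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$")


def parse_line(line):
    """Return (pflog_fields_or_None, tcp_fields), or None for non-TCP lines."""
    m = TCP_SUMMARY.search(line)
    if not m:
        return None
    p = PFLOG_PREFIX.search(line)
    return (p.groupdict() if p else None, m.groupdict())


def classify_handshakes(lines):
    """Map each initial SYN (client -> server) to what answered it.

    Verdicts: 'blocked-by-pf' (pf logged a block for the SYN itself),
    'syn-ack' (server completed step 2), 'reset' (server sent RST),
    'no-reply' (nothing came back: dropped or timed out somewhere).
    """
    verdicts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pflog, tcp = parsed
        key = (tcp["src"], tcp["sport"], tcp["dst"], tcp["dport"])
        flags, is_ack = tcp["flags"], " ack " in tcp["rest"]
        if "S" in flags and not is_ack:
            # Initial SYN (or a retransmit of it).  A logged block is the
            # strongest evidence, so it overrides any earlier verdict.
            if pflog and pflog["action"] == "block":
                verdicts[key] = "blocked-by-pf"
            else:
                verdicts.setdefault(key, "no-reply")
            continue
        # Anything else may be the server's reply: look up the reverse flow.
        rkey = (tcp["dst"], tcp["dport"], tcp["src"], tcp["sport"])
        if rkey not in verdicts:
            continue
        if "R" in flags:
            verdicts[rkey] = "reset"
        elif "S" in flags and is_ack and verdicts[rkey] == "no-reply":
            verdicts[rkey] = "syn-ack"
    return {f"{s}:{sp}>{d}:{dp}": v for (s, sp, d, dp), v in verdicts.items()}


if __name__ == "__main__":
    for flow, verdict in classify_handshakes(SAMPLE).items():
        print(f"{flow:45s} {verdict}")
```

Feed it `tcpdump -n -e -ttt -i pflog0` output or a plain `tcpdump -n` capture alike; a 'reset' verdict on one source address and 'syn-ack' on another, as in the ticketmaster case, points at the far end (or a NAT/IDS in between) treating the two addresses differently rather than at the local ruleset, while 'blocked-by-pf' pins the drop on a specific rule number.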



Hanging Sun V100

2006-03-02 Thread Chris Cameron
Have/had a V100 working as an office firewall. It maintains a VPN 
connection between itself and another OBSD firewall. All running OBSD 
3.8. Both are quite new in their current positions. Previous to this an 
Ultra2 with 3.5 was doing this job without issue.


The V100 twice now has hung without any output to the terminal. The 
first time it happened I was moving a large file over the VPN using SMB. 
The second time I wasn't here, but from what I'm told no one was moving 
any large files over the VPN.


Hoping it was load related, tonight I've done all I could to make it hang 
again, but with no luck. Filled up the state table (10k states), moved 
big files over the VPN, moved lots of little files, ran multiple ab's 
over the VPN, not over the VPN, scp, downloading, sending, etc. etc. It 
all worked fine.



My worry now is that it's uptime related (or just random) and that 
this will extend to our CARP/V120 setup, which hasn't been in for more 
than a week and is in a much more important position.



Long story short, I've put our Ultra2 back in, but running a snapshot 
from today, and my question is: what can I do to coax some output from 
this firewall if it hangs again? A recompiled kernel with 'option DEBUG' 
in it wouldn't boot; it gave the following:


Sun Fire V100 (UltraSPARC-IIe 548MHz), No Keyboard
OpenBoot 4.0, 1024 MB memory installed, Serial #55471518.
Ethernet address 0:3:ba:4e:6d:9e, Host ID: 834e6d9e.


Executing last command: boot
Boot device: disk0  File and args:
OpenBSD IEEE 1275 Bootblock 1.1
..>> OpenBSD 3.8 (obj) #1: Thu Sep  1 17:32:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/stand/ofwboot/obj
: trying bsd...
Booting /[EMAIL PROTECTED],0/[EMAIL PROTECTED]/[EMAIL PROTECTED],0:a/bsd
[EMAIL PROTECTED]@[EMAIL PROTECTED]
symbols @ 0xfff02280 58+278328+170379 start=0x100
[ using 449416 bytes of bsd ELF symbol table ]
Setting DTLB entry  0100 data e000 df800074
Setting DTLB entry  0180 data e000 df400076
Setting ITLB entry  0100 data e000 df800074
Fast Data Access MMU Miss
ok



The kernel has RAIDFrame added, but is otherwise generic. Any help on 
this would be appreciated. Like I mentioned above, my real concern is my 
V120 setup. At the least, if anyone could tell me that they have 
non-hanging V120s, that'd make me feel better. It was no small chore 
getting the OK to put them in.



Thanks,
Chris


dmesg for V100:
console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED]/[EMAIL PROTECTED],3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved. 
http://www.OpenBSD.org


OpenBSD 3.8 (GATE1) #0: Sat Feb  4 19:09:00 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GATE1
total memory = 1073741824
avail memory = 969138176
using 6553 buffers containing 53682176 bytes of memory
bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
mainbus0 (root): Sun Fire V100 (UltraSPARC-IIe 548MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe @ 548 MHz, version 0 FPU
cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 512K external (64 b/l)
psycho0 at mainbus0
SUNW,sabre: impl 0, version 0: ign 7c0 bus range 0 to 0; PCI bus 0
DVMA map: 6000 to 8000
IOTDB: 84d08000 to 84d88000
pci0 at psycho0
ebus0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
dma at ebus0 addr 0- ipl 42 not configured
rtc0 at ebus0 addr 70-71: m5819
power at ebus0 addr 2000-2007 ipl 35 not configured
SUNW,lomh at ebus0 addr 8010-8011 ipl 42 not configured
com0 at ebus0 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
com0: console
com1 at ebus0 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
flashprom at ebus0 addr 0-7 not configured
"Acer Labs M7101 Power" rev 0x00 at pci0 dev 3 function 0 not configured
"Acer Labs M7101 Power" rev 0x00 at pci0 dev 3 function 0 not configured
dc0 at pci0 dev 12 function 0 "Davicom DM9102" rev 0x31: ivec 3006, address 00:03:ba:4e:6d:9e
amphy0 at dc0 phy 1: DM9102 10/100 PHY, rev. 0
dc1 at pci0 dev 5 function 0 "Davicom DM9102" rev 0x31: ivec 301c, address 00:03:ba:4e:6d:9f
amphy1 at dc1 phy 1: DM9102 10/100 PHY, rev. 0
"Acer Labs M5237 USB" rev 0x03 at pci0 dev 10 function 0 not configured
pciide0 at pci0 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 180c for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1 at pciide0 channel 1 drive 0: 
wd1: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:1:1): using PIO mode 4, DMA mode 2
pcons at mainbus0 not configured
No counter

Re: Preventing breaks on Sparc's

2006-02-05 Thread Chris Cameron

Bryan Irvine wrote:



If I unplug both drives, set bootmode to reset_nvram in LOM and boot the
machine I can use break to get to an ok prompt. However if I plug the
drives back in, the instant the OpenBSD boot loader comes up, I again
can't get back to an ok prompt. This is while OpenBSD is loaded (or
loading), or while the machine is coming up, but before the boot loader
has started.


I hit stop-a before the boot loader comes up. :-)




Right, doesn't work. From the instant I hit the power button, I can send 
breaks till I'm blue in the face. It ignores them.



Chris



Preventing breaks on Sparc's

2006-02-05 Thread Chris Cameron

What is it OpenBSD does to prevent breaks/Stop+A from working?

Did a net install of 3.8 on a V100 and was playing with RAIDFrame. 
Trying to get it to boot off the second disk, it refuses to go to an ok 
prompt.


If I unplug both drives, set bootmode to reset_nvram in LOM and boot the 
machine I can use break to get to an ok prompt. However if I plug the 
drives back in, the instant the OpenBSD boot loader comes up, I again 
can't get back to an ok prompt. This is while OpenBSD is loaded (or 
loading), or while the machine is coming up, but before the boot loader 
has started.


For now I've just set it not to auto-boot, but ideally break would work 
outside of OpenBSD, and be disabled only while it's running.



Anyone know what's going on?

Thanks,
Chris



Re: CARP not preempt-ing correctly

2006-01-22 Thread Chris Cameron

Running 3.8.


Chris


Daniel Ouellet wrote:

Chris Cameron wrote:
When one interface fails in a carp setup, it is my understanding that 
if net.inet.carp.preempt is set to '1', that both interfaces on the 
single machine should fail. However I'm not seeing this happening and 
I'm hoping this is why I'm dropping connections during fail over. If I 
fail both interfaces at the exact same time I have no problems with 
dropped connections.


Nope, just the carp interface that actually fails, not both. They are 
processed independently of one another.


Also, what version of OS are you running?

My setup is as follows; I'll mention that pfsync traffic is going over 
the local network. Also, I've tried with setting advskew to 100 on 
one firewall, as well as not setting it at all with 
net.inet.carp.preempt set.




CARP not preempt-ing correctly

2006-01-22 Thread Chris Cameron
When one interface fails in a carp setup, it is my understanding that if 
net.inet.carp.preempt is set to '1', that both interfaces on the single 
machine should fail. However I'm not seeing this happening and I'm 
hoping this is why I'm dropping connections during fail over. If I fail 
both interfaces at the exact same time I have no problems with dropped 
connections.


My setup is as follows; I'll mention that pfsync traffic is going over 
the local network. Also, I've tried with setting advskew to 100 on one 
firewall, as well as not setting it at all with net.inet.carp.preempt set.



Firewall 1:

# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1
net.inet.carp.arpbalance=0

# ifconfig -a
 ...
gem0: flags=8b63 mtu 1500
lladdr 00:03:ba:94:5f:06
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 209.82.103.244 netmask 0xfff8 broadcast 209.82.103.247
inet6 fe80::203:baff:fe94:5f06%gem0 prefixlen 64 scopeid 0x1
gem1: flags=8b63 mtu 1500
lladdr 00:03:ba:94:5f:07
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.121.2 netmask 0xff00 broadcast 192.168.121.255
inet6 fe80::203:baff:fe94:5f07%gem1 prefixlen 64 scopeid 0x2
pflog0: flags=141 mtu 33192
pfsync0: flags=41 mtu 1348
pfsync: syncdev: gem1 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=8843 mtu 1500
carp: BACKUP carpdev gem0 vhid 1 advbase 1 advskew 100
groups: carp
inet 209.82.103.246 netmask 0xfff8 broadcast 209.82.103.247
carp1: flags=8843 mtu 1500
carp: BACKUP carpdev gem1 vhid 2 advbase 1 advskew 100
groups: carp
inet 192.168.121.1 netmask 0xff00 broadcast 192.168.121.255

# cat pf.conf | grep -v "#"

nat on gem0 from 192.168.121.0/24 to any -> 209.82.103.246

rdr pass on gem0 proto tcp from any to any port 25 -> 192.168.121.10
rdr pass on gem0 proto udp from any to any port 53 -> 192.168.121.10
rdr pass on gem0 proto tcp from any to any port 6881 -> 192.168.121.123

pass quick on gem1 proto pfsync
pass on { gem0 gem1 } proto carp keep state
pass out on gem0 keep state
pass in on gem0 keep state



Firewall 2:

# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1
net.inet.carp.arpbalance=0

# ifconfig -a
 ...
gem0: flags=8b63 mtu 1500
lladdr 00:03:ba:94:5f:1c
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 209.82.103.245 netmask 0xfff8 broadcast 209.82.103.247
inet6 fe80::203:baff:fe94:5f1c%gem0 prefixlen 64 scopeid 0x1
gem1: flags=8b63 mtu 1500
lladdr 00:03:ba:94:5f:1d
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.121.3 netmask 0xff00 broadcast 192.168.121.255
inet6 fe80::203:baff:fe94:5f1d%gem1 prefixlen 64 scopeid 0x2
pflog0: flags=141 mtu 33192
pfsync0: flags=41 mtu 1348
pfsync: syncdev: gem1 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=8843 mtu 1500
carp: MASTER carpdev gem0 vhid 1 advbase 1 advskew 0
groups: carp
inet 209.82.103.246 netmask 0xfff8 broadcast 209.82.103.247
carp1: flags=8843 mtu 1500
carp: MASTER carpdev gem1 vhid 2 advbase 1 advskew 0
groups: carp
inet 192.168.121.1 netmask 0xff00 broadcast 192.168.121.255

# cat pf.conf | grep -v "#"

nat on gem0 from 192.168.121.0/24 to any -> 209.82.103.246

rdr pass on gem0 proto tcp from any to any port 25 -> 192.168.121.10
rdr pass on gem0 proto udp from any to any port 53 -> 192.168.121.10
rdr pass on gem0 proto tcp from any to any port 6881 -> 192.168.121.123


pass quick on { gem1 } proto pfsync
pass on { gem0 gem1 } proto carp keep state

pass out on gem0 all keep state
pass in on gem0 all keep state



Any help on this would be appreciated.

Thanks,
Chris
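
The two `ifconfig -a` listings above are the raw material for the question, so here is an added consistency check for them; it is my own example, not code from the thread. carp(4) documents that with net.inet.carp.preempt set, a host whose carp-enabled physical interface loses link raises advskew to 240 on every one of its carp interfaces, so that they demote as a group. The check parses the `carp:` lines and the preempt sysctl from each firewall and reports exactly the situation the post describes: a host with its carp interfaces in different states, a vhid with no or two masters, or two hosts advertising the same advskew. The FW1/FW2 strings are constructed from the listings in the post; FW1_SPLIT/FW2_SPLIT are constructed snapshots of a half-failed-over state. One caveat the check cannot resolve: carp only reacts to link state it can see on the carpdev, so a failure beyond the first switch leaves the link up and carp unmoved.

```python
import re

# Constructed from the two ifconfig(8)/sysctl(8) listings in the post
# (only the lines the check needs).
FW1 = """\
net.inet.carp.preempt=1
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev gem0 vhid 1 advbase 1 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev gem1 vhid 2 advbase 1 advskew 100
"""
FW2 = """\
net.inet.carp.preempt=1
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev gem0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev gem1 vhid 2 advbase 1 advskew 0
"""
# Constructed: fw2 lost link on gem0, vhid 1 moved to fw1, but vhid 2 did
# not follow; this is the asymmetric state the post is about.
FW1_SPLIT = FW1.replace("BACKUP carpdev gem0 vhid 1 advbase 1 advskew 100",
                        "MASTER carpdev gem0 vhid 1 advbase 1 advskew 100")
FW2_SPLIT = FW2.replace("MASTER carpdev gem0 vhid 1 advbase 1 advskew 0",
                        "BACKUP carpdev gem0 vhid 1 advbase 1 advskew 240")

CARP_LINE = re.compile(
    r"carp: (?P<state>MASTER|BACKUP|INIT) carpdev (?P<dev>\w+) "
    r"vhid (?P<vhid>\d+) advbase (?P<advbase>\d+) advskew (?P<advskew>\d+)")
PREEMPT = re.compile(r"net\.inet\.carp\.preempt=(\d)")


def parse_host(text):
    """Return {'preempt': bool, 'vhids': {vhid: {'state', 'dev', 'advskew'}}}."""
    m = PREEMPT.search(text)
    vhids = {}
    for c in CARP_LINE.finditer(text):
        vhids[int(c["vhid"])] = {"state": c["state"], "dev": c["dev"],
                                 "advskew": int(c["advskew"])}
    return {"preempt": bool(m and m.group(1) == "1"), "vhids": vhids}


def check_pair(name_a, text_a, name_b, text_b):
    """Return a list of findings for a two-node CARP pair (empty = looks sane)."""
    hosts = {name_a: parse_host(text_a), name_b: parse_host(text_b)}
    findings = []
    for name, h in hosts.items():
        if not h["preempt"]:
            findings.append(f"{name}: net.inet.carp.preempt=0, interfaces will "
                            "not fail over as a group")
        states = {v["state"] for v in h["vhids"].values()}
        if len(states) > 1:
            findings.append(f"{name}: carp interfaces in different states "
                            f"{sorted(states)}; group failover did not happen")
    all_vhids = set(hosts[name_a]["vhids"]) | set(hosts[name_b]["vhids"])
    for vhid in sorted(all_vhids):
        masters = [n for n, h in hosts.items()
                   if h["vhids"].get(vhid, {}).get("state") == "MASTER"]
        if len(masters) != 1:
            findings.append(f"vhid {vhid}: expected exactly one MASTER, "
                            f"found {masters or 'none'}")
        a = hosts[name_a]["vhids"].get(vhid)
        b = hosts[name_b]["vhids"].get(vhid)
        if a and b and a["advskew"] == b["advskew"]:
            findings.append(f"vhid {vhid}: both hosts advertise advskew "
                            f"{a['advskew']}; no deliberate master preference")
    return findings


if __name__ == "__main__":
    print("steady state:", check_pair("fw1", FW1, "fw2", FW2) or "ok")
    for f in check_pair("fw1", FW1_SPLIT, "fw2", FW2_SPLIT):
        print("split state:", f)
```

Run it against `ifconfig -a` and `sysctl net.inet.carp` captured from both nodes at the moment connections start dropping; if it reports a split state while preempt is 1 on both, the next things to confirm are that the failed interface really reported link down and that carp advertisements (protocol carp, multicast) and pfsync are passing on both sides of the pair.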



3 VPNs, 3 networks, 2 subnets

2005-10-12 Thread Chris Cameron
I'm trying to do something I'm pretty sure I recall reading couldn't be 
done, although I wasn't able to find any information this last time around.


We're going to be temporarily splitting our data centre, but still want 
both data centre halves connected to our office through our VPN. Everyone 
needs to maintain the same subnet as we have software that is licensed 
based on the subnet it is on.


So:

192.168.120.x <-> 192.168.121.x <-> 192.168.120.x

I don't care if the two .120's can talk to one another, I just need to 
be able to talk to both .120's from the .121


Now, from some cursory poking around, using a local ID type of 
IPV4_ADDR_SUBNET is no good. Using IPV4_ADDR isn't working for me, as 
the .121 firewall (understandably) doesn't know to route the internal 
traffic that way.



So, immediate question would be, would there be a way to add routing 
table entries for the specific IPs I want going to the second .120 
network? I understand how ARP requests work, but obviously not how an 
ARP proxy works, as I wasn't able to fix "network unreachable" errors.



If that's a no go, is this even possible? At all? I'm willing to do 
bizarre things. The other thought I've had is to have a .130 subnet on a 
vlan and the second .120 on another vlan, and then just translate packets.



Any help appreciated.

Chris



"Pausing" firewall

2005-08-21 Thread Chris Cameron
Have an OpenBSD firewall working in an office doing very straightforward 
NAT and some persistent VPN tunnels.


A couple of weeks ago, this firewall just stopped responding to any traffic. 
It was sporadic, as after several minutes it'd start going again. At 
that point it was a patched Sparc64 3.5.


While trying to troubleshoot this, I started setting up a spare x86 PC 
with 3.7. I didn't get anywhere with the troubleshooting, and I'm now 
running OpenBSD 3.7, with the same config files, and I'm having this 
exact same problem.



- Terminal is responsive while the pauses happen
- I've turned on debugging in PF, and I'm not seeing anything I don't 
see on my other firewalls.
- The firewall can ping itself, but can't ping machines on either the 
LAN or WAN
- With PF disabled pings on the local network still don't get replies 
from the firewall
- tcpdump doesn't show any traffic during the pause, although it does 
"spew" traffic once things get moving again

- State table isn't filling up
- top -S looks normal
- Default blocking with logging is on, but nothing unusual is getting 
logged.
- Exact same pf.conf and isakmpd.conf had been used for over a year 
prior to this happening.



I can post isakmpd config info if anyone thinks it's relevant; dmesg and 
pf.conf are below.


Any help with this would be appreciated.


Chris


3.7/x86 dmesg:
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 448 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 200908800 (196200K)
avail mem = 176566272 (172428K)
using 2478 buffers containing 10149888 bytes (9912K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(0e) BIOS, date 02/08/99, BIOS32 rev. 0 @ 0xec700
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7280/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xa800 0xe/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Nvidia Riva TNT2" rev 0x15
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 14 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:01:02:c6:6f:ae
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 15 function 0 "3Com 3c905B 100Base-TX" rev 0x24: irq 11, address 00:10:4b:9d:22:26
exphy1 at xl1 phy 24: 3Com internal media interface
pcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 20 function 3 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff65 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

pf.conf:
## Settings
###
set limit states 4
set optimization aggressive
set debug misc


nat on xl0 from 192.168.121.0/24 to any -> xl0

rdr pass on xl0 proto tcp from any to any port 25 -> 192.168.121.10
rdr pass on xl0 proto udp from any to any port 53 -> 192.168.121.10

block in log on xl0 all

pass in on xl0 proto esp from any to 209.82.103.246
pass in on xl0 proto { udp tcp } from any port isakmp to 209.82.103.246 port isakmp
pass in on xl0 proto tcp from any to 209.82.103.246 port 53 flags S/SA keep state
pass in on xl0 proto tcp from any to 209.82.103.246 port 25 flags S/SA keep s

Re: OpenBSD VPN

2005-06-01 Thread Chris Cameron

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/www/faq/faq13.html?rev=1.79&content-type=text/html

Keep in mind it was removed for a reason (I used it successfully though).


Bruce Marriner wrote:

I am trying to set up an OpenBSD <> OpenBSD VPN tunnel to connect two
remote offices together. I looked around on Google for a how-to or some
documentation. It seems the OpenBSD documentation is blank (due to no
support). And all the how-tos on the Internet seem to reference very old
versions of OpenBSD and none of them that I tried seem to work. If someone
knows of an up-to-date how-to or some good documentation on how to get this
working I would really appreciate it.


I want to set up the VPN using manual keying, as from what I have
read it is easier to configure and seems to be just fine for my application.




Re: Will different CPU and RAM matter?

2005-05-05 Thread Chris Cameron
I do this with -very- different computers all the time. As long as 
you're keeping GENERIC as your kernel, it should be fine.


Chris


On Thursday 05 May 2005 12:15, you wrote:
> Hi All,
>
> I have a co-located 3.4 web/mail box at a remote location with a P3
> 1.2Ghz and
> 1Gb RAM (on-board LAN and video). At home I have another copy of the
> exact same motherboard but with a Celeron 1.1Ghz and 512 Gb RAM.
>
> The question is, can I install 3.7 on the box at home and then simply
> take out the HDD
> and swap it into the co-lo server? Will it care that it was installed
> on a different CPU with less
> RAM?
>
> TIA.