Re: VPS default gateway in a different subnet than host
With TCP, the default gateway is pretty much always in the same subnet as at least one interface of any given host. One can do things with VPNs, gifs and gres etc. which can work around some oddball situations. However, if there is a local router that you use to get to your 'default' gateway, I would characterize that local router as your default gateway. How about showing us an ifconfig and a netstat -rn?

Jyri Hovila [iki.fi] wrote:

Hi, a brief follow-up. With Linux, when the default gateway resides in a different subnet than the host, all that has to be done is 1) adding a static route to the default gateway and then 2) adding the default gateway to the routing table. With my OpenBSD test case, I already have a static route to the default gateway (thanks to a correctly configured DHCP server), but when I try to add the default gateway:

    # route add default 5.166.16.254
    add net default: gateway 5.166.16.254: Too many levels of symbolic links

I'm still googling but haven't found a solution yet. Any tips, anyone?

- Jyri

--
Dag H. Richards ( no title / no lettres )
The first rule of tautology club is the first rule of tautology club.
This message may or may not contain proprietary information. Since it is being relayed by SMTP across an unknown number of relays to its destination, using a protocol that is traditionally plain ASCII, it's silly to pretend it is still confidential. If you are not the intended recipient of this message, there is simply nothing I can do about that. Attempting to bind you to some destruction protocol through this windbag sig paragraph is Quixotic at best.
Re: can't find fstab entry ?
On 9/10/16 12:54 PM, Theo de Raadt wrote:

On Sat, Sep 10, 2016 at 06:52:39PM +0300, Consus wrote:

On 03:09 Mon 05 Sep, Theo de Raadt wrote:

OpenBSD 6.0 GENERIC.MP#0 amd64

My fstab entry looks like:

    10.10.10.10:/srv/share /mnt/ops_test nfs defaults,noexec,nosuid,nodev,auto 0 0

However:

    $ doas mount /mnt/ops_test
    doas (m...@example.com) password:
    mount: can't find fstab entry for /mnt/ops_test

Any ideas? That style of fstab entry seems to work fine on my Linux boxes (albeit with nfs4 instead of nfs, but that makes no difference on OpenBSD).

Well, OpenBSD is not Linux. Have no idea what that word "defaults" in there means.

I guess it would've been better to say something like:

    mount: unknown option "defaults" for /mnt/ops_test

Care for a patch?

The option parsing code already gives you an error message if it sees an unknown option. Such as:

    mount_ffs: -o default: option not supported

Summary: The OP has a learning disability. He should probably stay in Linux land, where the field is large, and his inability can remain hidden. See, once again I am not insulting Linux.

"See, once again I am not insulting Linux."

Hopefully you have derived some modicum of amusement from this exchange. It's had me chuckling all afternoon. More proof that OBSD deserves its reputation for harshness. Whereas with Linux ... well, Linus is known as a humble, compassionate person, whose patience and kindness are admired by all. It's always heart-warming how Linus monitors the maligning lists and chimes in with helpful hints and words of encouragement.

When I type dir in the command thingy it never tells me the files it sees.

--
IS-IS sleeps. BGP peers are quiet. Something must be wrong.
Re: OpenVPN, tap interface and bridge
I run OpenVPN on a pair of CARPed-up gateways. What are you trying to achieve with this very odd-sounding config? There may be a more straightforward way to get there.

Adam Wysocki wrote:

Hi, I have an OpenVPN server running on OpenBSD. I use the tunX interface in tap mode (as far as I know, it's the OpenBSD equivalent of the tapX interface from Linux, so it should be bridgeable):

    dev tun1
    dev-type tap

No IP is assigned to this interface, because I want to bridge two OpenVPN interfaces and one Ethernet interface and assign an IP address directly to the bridge. OpenVPN is running and ifconfig looks like that:

    tun1: flags=8051 mtu 1500
            priority: 0
            groups: tun
            status: active

However:

    gof@bsd:~$ sudo ifconfig bridge0 create
    gof@bsd:~$ sudo ifconfig bridge0 add tun1
    ifconfig: bridge0: tun1: Invalid argument

Bridge ifconfig:

    bridge0: flags=0<>
            groups: bridge
            priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Can I do something to solve it?
Re: NFS umount stuck on client machine
I had this happen once before in the long, long ago. I wound up creating a new NFS server with an export of the same name. The client was then able to dismount. Certainly a PITA; a reboot, though cause for self-loathing, may be simpler. If you mount from fstab in the future make sure you soft-mount it.

Dot Yet wrote:

Hello, I've a stale NFS mount stuck on one of the client machines. The NFS server was powered down and decommissioned, but the client did not umount the NFS directory beforehand. Is there a way for me to clean up the stale NFS connection on the client side without restarting the machine? I've tried umount -f, but that did not help. Let me know if there is a simpler way.

Thanks,
dot.
Re: What happens to OpenBSD when Secure Boot becomes mandatory?
Todd C. Miller wrote:

On Thu, 02 Apr 2015 16:38:29 -0400, Steve Litt wrote:

What happens to OpenBSD when Secure Boot becomes mandatory?

Please read those articles again, Secure Boot is *not* mandatory for Windows 10. The major change is that for Windows 8 Microsoft *required* hardware vendors to provide a setting to disable Secure Boot. To be certified for Windows 10, the hardware is no longer required to have this setting. So no one is being forced to make Secure Boot mandatory. If some hardware vendors choose not to include a way to turn it off they'll simply lose some business. At worst this creates new opportunities for vendors interested in PC sales for Linux, BSD, etc... The sky is not falling.

- todd

Pretty sure the sky _is_ falling, I know a guy whose cousin saw a piece of it on the sidewalk yesterday.
Re: libressl.org broken link
Sigh, it's sad when a project with that much potential has no goals. Hopefully it's just a phase.

Daniel Dyla wrote:

I'm not sure where this sort of thing is supposed to be reported, but the Project Goals link on libressl.org (http://libressl.org/goals.html) is giving me a 404 error.
Re: Donations to OpenBSD
Seems pretty easy to make donations. Send money. Don't want a CD? OK, send money. The documentation is already provided; the FAQ is an excellent codicil to the man pages. No need for a PDF really. There is a clear need for money. Demonstrate your willingness and interest to contribute by ... contributing. The free suggestions are not as useful as money. Send some money, then sit back, enjoy the software and be generally quiet. Every now and again we get to watch Theo go off on someone; it's fun, even though I kinda worry about him bursting a vein at us.

Theo de Raadt wrote:

Suggestion: Package the release notes, FAQ and some other documentation into a PDF and sell that at the same price as the CD, from the same place. I'd buy that. It would be better quality than the (often) crap O'Reilly sell, and I buy that. We should do more...

Then you'll give us more
Re: feature patch - replace /etc/crontab by /etc/cron.d/
No Theo, I don't think you understand: if you accept the patch then you will be more like Ubuntu and other MODERN operating systems. Why put everything in a single easily readable file, when you can split it up into multiple directories? Which reminds me, when are you going to ditch /etc for a nice registry database?

Theo de Raadt wrote:

In your dreams.

here is a simple patch to replace /etc/crontab by /etc/cron.d/. You need to manually mkdir /etc/cron.d.

--- pathnames_original.hMon Apr 7 22:31:53 2014 +++ pathnames.h Tue Apr 8 16:12:30 2014 @@ -92,8 +92,8 @@ #define PIDFILEcron.pid #define _PATH_CRON_PID PIDDIR PIDFILE - /* 4.3BSD-style crontab */ -#define SYSCRONTAB /etc/crontab + /* system crontab dir */ +#define SYSCRON_DIR/etc/cron.d /* what editor to use if no EDITOR or VISUAL * environment variable specified. 
@@ -42,30 +42,31 @@ Debug(DLOAD, ([%ld] load_database()\n, (long)getpid())) - /* before we start loading any data, do a stat on SPOOL_DIR -* so that if anything changes as of this moment (i.e., before we've -* cached any of the database), we'll see the changes next time. + /* before we start loading any data, do a stat on SPOOL_DIR and +* SYSCRON_DIR so that if anything changes as of this moment +* (i.e., before we've cached any of the database), we'll see +* the changes next time. */ if (stat(SPOOL_DIR, statbuf) OK) { log_it(CRON, getpid(), STAT FAILED, SPOOL_DIR); return; } - /* track system crontab file -*/ - if (stat(SYSCRONTAB, syscron_stat) OK) - syscron_stat.st_mtime = 0; + if (stat(SYSCRON_DIR, syscron_stat) OK) { + log_it(CRON, getpid(), STAT FAILED, SYSCRON_DIR); + return; + } - /* if spooldir's mtime has not changed, we don't need to fiddle with -* the database. + /* if spooldir's and syscrondir's mtime has not changed, we don't +* need to fiddle with the database. * * Note that old_db-mtime is initialized to 0 in main(), and * so is guaranteed to be different than the stat() mtime the first * time this function is called. */ if (old_db-mtime == HASH(statbuf.st_mtime, syscron_stat.st_mtime)) { - Debug(DLOAD, ([%ld] spool dir mtime unch, no load needed.\n, - (long)getpid())) + Debug(DLOAD, ([%ld] spool dirs mtime unch, no load needed.\n, + (long)getpid())) return; } 
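Review bot: the new failure branch `if (stat(SYSCRON_DIR, syscron_stat) OK) { log_it(CRON, getpid(), STAT FAILED, SYSCRON_DIR); return; }` turns a missing /etc/cron.d into an early return from load_database(), so the user crontabs in SPOOL_DIR are not loaded either and cron runs nothing; the removed code tolerated a missing /etc/crontab by setting syscron_stat.st_mtime = 0. Since the cover note says the directory must be created by hand, any system without it loses every cron job, so keep the old fallback (treat the directory as empty) rather than returning. A second point in the same hunk: the reload check `old_db-mtime == HASH(statbuf.st_mtime, syscron_stat.st_mtime)` now hashes the mtime of a directory, which changes when entries are created, removed or renamed but not when an existing file under /etc/cron.d is rewritten in place, so such an edit is not picked up until something else touches the directory; the old stat of the crontab file itself did catch in-place edits.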
@@ -77,28 +78,45 @@ new_db.mtime = HASH(statbuf.st_mtime, syscron_stat.st_mtime); new_db.head = new_db.tail = NULL; - if (syscron_stat.st_mtime) { - process_crontab(ROOT_USER, NULL, SYSCRONTAB, syscron_stat, - new_db, old_db); - } - /* we used to keep this dir open all the time, for the sake of * efficiency. however, we need to close it in every fork, and * we fork a lot more often than the mtime of the dir changes. */ - if (!(dir = opendir(SPOOL_DIR))) { - log_it(CRON, getpid(), OPENDIR FAILED, SPOOL_DIR); + if (!(dir = opendir(SYSCRON_DIR))) { + log_it(CRON, getpid(), OPENDIR FAILED, SYSCRON_DIR); return; } - while (NULL != (dp = readdir(dir))) { - char fname[MAXNAMLEN+1], tabname[MAXNAMLEN]; + char fname[MAXNAMLEN+1], tabname[MAXNAMLEN]; + while (NULL != (dp = readdir(dir))) { /* avoid file names beginning with .. this is good * because we would otherwise waste two guaranteed calls * to getpwnam() for . and .., and also because user names * starting with a period are just too nasty to consider. */ + if (dp-d_name[0] == '.') + continue; + + if (strlcpy(fname, dp-d_name, sizeof fname) = sizeof fname) + continue; /* XXX log? */ + + if (snprintf(tabname, sizeof tabname, %s/%s, SYSCRON_DIR, + fname) = sizeof(tabname)) + continue; /* XXX log? */ + + process_crontab(ROOT_USER, NULL, tabname, syscron_stat, + new_db, old_db); + } + + closedir(dir); + + if (!(dir = opendir(SPOOL_DIR))) { + log_it(CRON, getpid(), OPENDIR FAILED, SPOOL_DIR); + return; + } + + while (NULL != (dp = readdir(dir))) { if (dp-d_name[0] == '.') continue; --- cron_original.8 Mon Apr 7 22:31:53 2014 +++ cron.8 Tue Apr
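Review bot: the new loop over SYSCRON_DIR hands every entry whose name does not start with '.' to process_crontab(ROOT_USER, NULL, tabname, ...), so any file that lands in /etc/cron.d, including editor backups and package leftovers such as foo~ or foo.orig, is parsed as a root system crontab and run alongside the real one; restrict accepted names (other cron.d implementations allow only [A-Za-z0-9_-]) and skip non-regular files. The two `continue; /* XXX log? */` branches silently drop a system crontab whose name or path is too long; that deserves a log_it() call so the omission is visible. Finally, the stat buffer passed to process_crontab is still syscron_stat, which now describes the directory rather than the file being processed, so anything process_crontab derives from it refers to the wrong object; pass a per-file struct stat instead.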
Re: feature patch - replace /etc/crontab by /etc/cron.d/
All sarcasm on my part. I hate the whole /etc/hourly /etc/daily /etc/whim-time cron crap; was happy to see Theo's reaction. Was jerking the list's chain.

sven falempin wrote:

Look what Linux is accepting now: stuff like systemd, how modern! And so nicely done! Maybe having a .d looks .damned cool, but does it really solve something? New is not better; modern surely isn't. If there is a way for OpenBSD to move to a cron.d it probably needs a nice explanation:
- problems to be solved
- why is it the best way to solve it
- what other solution has been discarded and why
- (and is the gain of the change worth the work of the change)

PS: If you install a software that requires recurrent tasks it should be done with a user with specific privilege, so set up a crontab for this user. Geez, don't you have a TLS server to patch!

On Tue, Apr 8, 2014 at 4:59 PM, Dag Richards dagricha...@speakeasy.net wrote:

No Theo, I don't think you understand: if you accept the patch then you will be more like Ubuntu and other MODERN operating systems. Why put everything in a single easily readable file, when you can split it up into multiple directories? Which reminds me, when are you going to ditch /etc for a nice registry database?

Theo de Raadt wrote:

In your dreams.

here is a simple patch to replace /etc/crontab by /etc/cron.d/. You need to manually mkdir /etc/cron.d.

--- pathnames_original.hMon Apr 7 22:31:53 2014 +++ pathnames.h Tue Apr 8 16:12:30 2014 @@ -92,8 +92,8 @@ #define PIDFILEcron.pid #define _PATH_CRON_PID PIDDIR PIDFILE - /* 4.3BSD-style crontab */ -#define SYSCRONTAB /etc/crontab + /* system crontab dir */ +#define SYSCRON_DIR/etc/cron.d /* what editor to use if no EDITOR or VISUAL * environment variable specified. 
Re: cheapest firewall?
Block of spruce with 2 RJ45 ports. It's new and will stop all unwanted traffic; you can put OpenBSD right on top of it. Low power, easy to maintain.

Theophile Envt wrote:

Gigabyte GA-C1037UN-EU motherboard? 2 LAN, fanless...

2014-02-01 Adam s...@my-balls.com:

Any suggestions for the cheapest possible firewall (that is new hardware, not re-purposing some old stuff)? All I need is 2 Ethernet interfaces and for it to run OpenBSD.
Re: Cisco routers
On 1/31/14 11:59 AM, Holger Glaess wrote:

On 31.01.2014 20:44, Matt M wrote:

This may not be the most appropriate place to ask, but I figured a lot of you are using Cisco on your networks. I am beginning to study for the CCNA and I want to purchase at least one Cisco router and a switch for a home lab. I don't want to spend a lot of money unnecessarily, and have been looking at the 2600 routers. Since I don't know anything about Cisco hardware, I don't know if this is too old, if it still applies in the industry, what I might be lacking in the IOS and the hardware capabilities, etc. What would you guys recommend for a starter lab that will give me what I need to apply to real-world networks?

Hi, don't waste your money on old Cisco hardware. Everything you need is GNS3 - www.gns3.net - and, maybe, the Cisco Packet Tracer. I already finished the CCNA completely with these tools and I use these tools for the CCNP certification too.

Holger

Holger is correct. Packet Tracer is the best tool for CCNA-level training. To replicate the labs you need, you would need a couple of switches and maybe as many as 4 routers. Cisco Academies use Packet Tracer almost exclusively for the training. Everything you can get tested on can be done there. You can find it for download on the web in various places, though it is _supposed_ to be restricted to students at a Cisco Academy. GNS3 is great, though for now you can't do IOS switches there. People will tell you there are workarounds, and there are. But if your objective is to train for and pass your CCNA, Packet Tracer is your friend.
Re: Request for Funding our Electricity
I have a suggestion for every one of us that has mailed in an idea in response to a solicitation for money... Send money. Just do it right now, write a cheque. Send it, send it now. Do that a couple of times a year. Buy a CD twice a year, get at least one t-shirt with each order. Were we told how much the monthly electron bill is? I can step up my contribution a bit. Could we save money by converting to steam? Maybe we could remove support for COFF binaries 'cause they are, you know, bad or old or something. Or perhaps running the build farm on Raspberry Pis. I understand Linux has a cross compiler and that way we could all just shut up and chip in some dough.

Steven Chamberlain wrote:

I've set up a small recurring donation for now. I'd like to throw out some ideas and questions if I may:

* Anyone selling an OpenBSD-based solution to business customers might want to imagine the OS has some sort of 'license fee', increase the quote for their work accordingly, and pass along the sum in donations.

* Please could we get a newer picture than rack2009.jpg? I assume much has already changed; I don't see a loongson build machine for example. Would the picture be anywhere near representative of where the CAN$20k electricity costs arise?

* Is there any easy means on-hand to measure power consumption, maybe reading stats from the UPSes, or using plug-in meters such as those made by CurrentCost; would anything like that be worth putting on the hardware wishlist?

* Could potential energy savings be roughly worked out, and maybe mentioned in the hardware wishlist somehow? Would a Sun Fire T1000 be able to replace some number of older sparc boxes for example? And as SSDs become larger, would a pair of them be able to replace some number of power-hungry 10k RPM disks? Such things are all the more valuable as donations if they have a lower operating cost than what they replaced.

Regards,
Re: Looking for a laptop in the Toronto area
Theo de Raadt wrote:

On 2013-10-30, Aaron Mason simplersolut...@gmail.com wrote:

Is the fan functioning? If so, have you tried opening up the laptop and re-applying thermal grease to the CPU? If the laptop has a few years under its belt, the old grease could have perished. While this might give the machine a bit more life, a laptop old enough to have suffered this is not the most ideal of machines to be used for ports development work, which frequently involves building fairly large pieces of software.

It's all well and nice to try to recommend that a developer who works on many of the ports you use -- go fix his fan... But really, those of you who are telling him that are MISSING THE POINT ENTIRELY.

<sarcasm> Oh no, we get the point: the dev is just a freeloader looking for a hand-out of some free hardware, where the rest of us have to work hard and pay for all the hardware and software. We get irony. Right, 'cause we pay good money for the BSD software we run our businesses on, not to mention the expensive support contracts required. </irony>

<sarcasm> Oh, time to help, is it? Where to send the cheque?
Re: Notifies on CARP failover
Andy wrote:

Hi, could anyone point me in the right direction on how to have a script be executed whenever a CARP failover or preempt event occurs? I need to write a script to send an event message into our monitoring systems so we can see when a change has occurred. I haven't used ifstated yet; is this the right tool for this? And if so, could someone throw me an example if you have one?

Thanks,
Andy.

Read the ifstated man page and the man page for ifstated.conf. That should get you there.
Re: Network question
Seems like it would be pretty straightforward to NAT, no?

                                   /-- existing servers /28
    EVIL -- lie agreed upon -- [Puffy]
                                   \-- new servers on RFC 1918

Would need to know more to make better recommendations.

On 9/4/13 8:24 PM, patrick keshishian wrote:

Hi Networking gurus, say I have a /28 address space. Between them and the internet is pf. Not all of the addresses are in use ATM. I may have the need to add a couple of new servers behind that pf server within the same /28 range. Problem: I need to have traffic between the new servers and what already exists filtered through some pf. Ideally I would like to put the new servers together on a new (unmanaged) switch and connect one of the switch's ports to an available port on the pf machine. Does there exist a nice way to do this without further sub-dividing the /28? Thoughts?

--patrick
Re: BSD licensed gnupg replacement question
Maximo Pech wrote:

It's incredible for me that OpenBSD, an operating system that claims to have integrated cryptography (yes, I know that the cryptography is in the core OS layers), doesn't have in the base system a tool like gnupg, and even more incredible that there isn't a single production-ready, gnupg-like, BSD-licensed tool out there (I don't have the skills and time to program one myself). I'd like to know your thoughts about this.

No, I don't think you are going to want to know their thoughts on this.
Re: ss20's wanted for ports builds
Theo de Raadt wrote:

On Mon, Jul 16, 2012 at 08:45:30PM +0200, [BG-Consulting] Elmar Bschorer wrote:

What do you mean with ss20?

Actually a good question. At least for those old enough to remember the Soviet-era SS-20 intermediate-range ballistic nuclear missiles. I'd like one of those too.

Let's be honest with ourselves, sir: with your temper, is a nuclear weapon really a good idea?
Re: Default route distribution by ospfd
Shot in the dark here, new to OSPF myself. Have you tried adding the vlan208 interface on R1 to the OSPF config on R1?

On 8/13/11 11:39 AM, Shohrukh Shoyoqubov wrote:

Hi, I have the following set-up:

                 |-- R2 -- other routers
                 |
    ISP -- R1 ---|
                 |
                 |-- R3 -- other routers

There is a static default route on R1 pointing to the ISP's gateway (192.168.60.253). R1, R2, R3 and other routers (except the ISP's) are running ospfd in area 0.0.0.0. R1 should be injecting a default route into the OSPF domain towards itself. Below are the ospfd.conf's from these routers:

R1:
---
    # cat /etc/ospfd.conf
    router-id 10.10.10.9
    redistribute default
    area 0.0.0.0 {
            interface trunk0
            interface vr2
    }

R2:
---
    # cat /etc/ospfd.conf
    router-id 10.10.10.18
    area 0.0.0.0 {
            interface trunk0
            interface vlan208
    }

R3:
---
    # cat /etc/ospfd.conf
    router-id 10.10.10.19
    area 0.0.0.0 {
            interface trunk0
            interface vlan208
    }

All adjacencies are up and routes are updated fine except for the default route originated from R1. If you look into the ospfctl show database command output on R2, for example, you can see that this default route's LSA is there. But for some reason it does not end up in the kernel routing table.

    $ ospfctl show data

                    Router Link States (Area 0.0.0.0)

    Link ID         Adv Router      Age  Seq#       Checksum
    10.10.10.9      10.10.10.9      1182 0x8041     0xd4de
    10.10.10.18     10.10.10.18     1653 0x804f     0x02cb
    10.10.10.19     10.10.10.19     83   0x8050     0x18b0
    10.10.10.20     10.10.10.20     1966 0x8093     0x6760
    10.10.10.26     10.10.10.26     1314 0x8048     0xbc64
    10.10.10.27     10.10.10.27     1323 0x8048     0xba63
    10.10.10.34     10.10.10.34     1149 0x803c     0x2c5e
    10.10.10.35     10.10.10.35     1134 0x804e     0x5d22

                    Net Link States (Area 0.0.0.0)

    Link ID         Adv Router      Age  Seq#       Checksum
    10.10.10.9      10.10.10.9      1672 0x803d     0x9aaf
    10.10.10.20     10.10.10.20     1722 0x8037     0xce40
    10.10.10.27     10.10.10.27     1313 0x8049     0x05f9
    10.10.10.34     10.10.10.34     1139 0x801c     0xc746

                    Type-5 AS External Link States

    Link ID         Adv Router      Age  Seq#       Checksum
    0.0.0.0         10.10.10.9      1182 0x8013     0x41d2

    $ netstat -nr
    Routing tables

    Internet:
    Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
    10.10.10.0/29      link#9             UC         0        0     -     4 vlan201
    10.10.10.8/29      link#10            UC         3        0     -     4 vlan208
    10.10.10.8/29      10.10.10.13        UG         0        0     -    32 vlan208
    10.10.10.9         00:00:24:ce:06:d8  UHLc       3    16267     -     4 vlan208
    10.10.10.13        00:00:24:ce:06:d2  UHLc       1        2     -     4 lo0
    10.10.10.14        00:00:24:ce:06:d6  UHLc       0        1     -     4 vlan208
    10.10.10.16/29     link#7             UC         3        0     -     4 trunk0
    10.10.10.16/29     10.10.10.18        UG         0        0     -    32 trunk0
    10.10.10.18        00:00:24:ce:06:d0  UHLc       1        0     -     4 lo0
    10.10.10.19        00:00:24:ce:06:d4  UHLc       0      266     -     4 trunk0
    10.10.10.20        e8:ba:70:ef:bf:c1  UHLc       3      329     -     4 trunk0
    10.10.10.24/29     10.10.10.20        UG         0        0     -    32 trunk0
    10.10.10.32/29     10.10.10.20        UG         0      530     -    32 trunk0
    127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
    127.0.0.1          127.0.0.1          UH         1        6 33200     4 lo0
    192.168.0/24       10.10.10.20        UG         1     4820     -    32 trunk0
    192.168.60.252/30  10.10.10.9         UG         0        0     -    32 vlan208
    224/4              127.0.0.1          URS        0        0 33200     8 lo0

What am I doing wrong? I have deleted /etc/mygate on all routers except R1 and deleted the default route and rebooted just in case. I am running OpenBSD 4.9 release on Soekris boxes.

Thank you,
Shohrukh
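The symptom in this thread (a Type-5 LSA present in `ospfctl show database` but no matching kernel route) can be checked mechanically from the two command outputs. The script below is an added example, not code from ospfd, ospfctl or anyone in the thread; its sample input is constructed from the values quoted above, and it assumes OpenBSD's route priority 32 (RTP_OSPF) for routes that ospfd installs.

```python
"""Cross-check OSPF external LSAs against the OpenBSD kernel routing table.

Parses the plain-text output of `ospfctl show database` and `netstat -nr`
and reports Type-5 (AS external) LSAs whose destination has no gateway
route in the kernel: the LSA for 0.0.0.0 from 10.10.10.9 is in the
database but no default route is installed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed excerpt of `ospfctl show database` as seen on R2 in the thread.
OSPFCTL_SAMPLE = """\
Router Link States (Area 0.0.0.0)

Link ID         Adv Router      Age  Seq#       Checksum
10.10.10.9      10.10.10.9      1182 0x8041     0xd4de
10.10.10.18     10.10.10.18     1653 0x804f     0x02cb

Type-5 AS External Link States

Link ID         Adv Router      Age  Seq#       Checksum
0.0.0.0         10.10.10.9      1182 0x8013     0x41d2
"""

# Constructed excerpt of `netstat -nr` on the same router.
NETSTAT_SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
10.10.10.8/29      link#10            UC         3        0     -     4 vlan208
10.10.10.8/29      10.10.10.13        UG         0        0     -    32 vlan208
10.10.10.16/29     link#7             UC         3        0     -     4 trunk0
10.10.10.24/29     10.10.10.20        UG         0        0     -    32 trunk0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
192.168.0/24       10.10.10.20        UG         1     4820     -    32 trunk0
192.168.60.252/30  10.10.10.9         UG         0        0     -    32 vlan208
224/4              127.0.0.1          URS        0        0 33200     8 lo0
"""

RTP_OSPF = 32  # OpenBSD route priority used by ospfd(8) for the routes it installs


def parse_external_lsas(text: str) -> List[Tuple[str, str]]:
    """Return (link_id, adv_router) for every entry in the Type-5 section."""
    lsas, in_ext = [], False
    for line in text.splitlines():
        if line.startswith("Type-5 AS External"):
            in_ext = True
            continue
        if not in_ext:
            continue
        if "Link States" in line:  # a following section starts
            break
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Link":  # blank or header line
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        lsas.append((fields[0], fields[1]))
    return lsas


def _expand_dest(dest: str) -> ipaddress.IPv4Network:
    """Expand netstat shorthand: default, 127/8, 192.168.0/24, bare hosts."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # 127/8 -> 127.0.0.0/8
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or '32'}", strict=False)


def parse_routes(text: str) -> List[Dict[str, object]]:
    """Parse the IPv4 section of `netstat -nr` into one dict per route."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        try:
            net, prio = _expand_dest(fields[0]), int(fields[6])
        except ValueError:  # IPv6 rows or anything else we do not model
            continue
        routes.append({"net": net, "gateway": fields[1], "flags": fields[2],
                       "prio": prio, "iface": fields[7]})
    return routes


def missing_external_routes(ospfctl_text: str, netstat_text: str) -> List[Tuple[str, str]]:
    """External LSAs whose network has no gateway (G) route in the kernel.

    The LSA summary does not print the mask, so the Link ID is compared
    with the network address of each gateway route.
    """
    installed = {str(r["net"].network_address)
                 for r in parse_routes(netstat_text) if "G" in r["flags"]}
    return [(lid, adv) for lid, adv in parse_external_lsas(ospfctl_text)
            if lid not in installed]


def routes_by_priority(netstat_text: str) -> Dict[int, int]:
    """Count routes per Prio column (4 connected, 8 static, 32 ospfd)."""
    counts: Dict[int, int] = {}
    for r in parse_routes(netstat_text):
        counts[r["prio"]] = counts.get(r["prio"], 0) + 1
    return counts


if __name__ == "__main__":
    for link_id, adv in missing_external_routes(OSPFCTL_SAMPLE, NETSTAT_SAMPLE):
        print(f"LSA for {link_id} from {adv} is in the database but not in the kernel")
    print("routes per priority:", routes_by_priority(NETSTAT_SAMPLE))
```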
Re: Default route distribution by ospfd
On 8/13/11 12:54 PM, Shohrukh Shoyoqubov wrote:

On 08/14/2011 12:19 AM, Dag Richards wrote:

Shot in the dark here, new to OSPF myself. Have you tried adding the vlan208 interface on R1 to the OSPF config on R1?

R1 has no vlan208 interface configured. R1 uses trunk0 to connect to access-mode switch ports in VLAN 208. R2 and R3 have vlan208 interfaces connected to the trunk ports of the same switch with VLAN 208 allowed on it. Adjacencies are up. It is the default route that is not ending up in the kernel routing table. What else except the existing static routes can prevent it from getting into the routing table?

OK, I see, so vr2 is what faces the ISP on R1. Whose netstat -nr did you print? Is that R3? I see that

    192.168.60.252/30  10.10.10.9  UG  0  0  -  32  vlan208

made it to the route table. If you were on Cisco I would suggest you try redistribute static in your OSPF conf. I see in the man page for ospfd.conf you can redist static and connected; I think you need to redist static and default. The man page seems to indicate that redist default will cause a default route pointing to this router to be announced over OSPF, as in Cisco land.
Re: FreeBSD isn't Free
Super Biscuit wrote:

Did they get the licensing, approval, or letter?

Missing the point.
Re: isakmpd will not initiate connection to Cisco ASA
I recently had a problem that looked similar. I would try to bring up the tunnels configured in ipsec.conf. No Phase 2. A dump on the external iface revealed that we were sending Phase 1 initiation. Their end was configured for a different encryption scheme than ours (even though we had agreed on one). Since they were showing up with a valid PSK we accepted the values they proposed, whereas they rejected our proposals.

    tcpdump -nvs1400 port 500

Christoph Leser wrote:

Are you sure that OBSD does not try to initiate the connection at least once? I have noticed the following problem with Cisco: some Cisco models delete the security association after an inactivity timeout; they call it Cisco IPSec Security Association Idle Timers. When this happens, OpenBSD drops the information for this tunnel and is unable to recreate it. Cisco keeps the information and can re-establish the connection when someone pings or otherwise addresses the remote end. I had a short conversation about this with Hans-Jörg Höxer, but cannot say whether this behaviour is desired or considered a bug. I would try to delete the tunnel completely and configure it again while running tcpdump on the external interface (or enable isakmpd packet capture, see the -L switch of isakmpd). This will at least answer the question whether OpenBSD attempts to establish the connection when the tunnel is defined for the first time.

Regards
Christoph

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Chris Bullock
Sent: Tuesday, 17 November 2009 15:45
To: misc@openbsd.org
Subject: isakmpd will not initiate connection to Cisco ASA

We have many tunnels and for some reason I just set up a tunnel with a Cisco ASA and we can not initiate the connection from the OpenBSD side. If the Cisco side pings a device on the OpenBSD side the tunnel comes up. On the Cisco side they have bidirectional enabled, and they are not seeing the OpenBSD try to initiate the tunnel.

Any help would be appreciated,

Regards,
Chris Bullock
ipsec Phase 2 tunnels will not initiate from OBSD side
Running 4.3 GENERIC#698 i386. I have a VPN with a vendor using, I think he said, a SonicWall FW. We are able to get Phase 1 associations up and happy. But Phase 2 never seems to start, at least not from my side. If he sends traffic from his side then his device makes a phase 2 proposal, I accept and traffic flows. I can do nothing to kick this off from my end. I have an ipsec.conf file for this vendor:

    ike active esp from { 172.18.101.22 } to { 10.0.3.222 10.0.6.222 10.0.11.43 10.0.11.188 10.0.11.222 10.0.11.36 } local 10.120.10.50 peer xxx.xxx.xx.xx.x0x main auth hmac-sha1 enc 3des-cbc group modp1024 quick auth hmac-sha1 enc 3des-cbc group none psk SEKRET

He sends me a ping, I get a flow:

    ipsecctl -s flow | grep xxx.xxx.xx.xx.x0x
    flow esp in from 10.0.11.43 to 172.18.101.22 peer xxx.xxx.xx.xx.x0x srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type use
    flow esp out from 172.18.101.22 to 10.0.11.43 peer xxx.xxx.xx.xx.x0x srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type require

In the past I have been able to:

    echo M active > /var/run/isakmpd.fifo

But since I have a phase 1 up, I guess this won't have any effect? I guess I am not really even sure what to be showing anyone; usually once phase 1 is established everything has just worked.
Anyone heard from Jason Dixon lately?
Hey Jason, been trying to get a hold of you. Are we still doing business?
Re: Defending OpenBSD Performance
I have been actively maintaining a firewall cluster and a VPN cluster of BSD systems since 3.5. I have upgraded each system from a factory boot cd every 6 - 8 months. I have never had any problems due to the upgrade, not once. I run a 4000 PC network in a 24x7 Health Care environment. There is nothing more reliable and straightforward than OBSD's upgrade procedure. Which reminds me, time to order 4.6
Re: openbsd and ethernet tap (port replication)
Put an ip address on em0.

FRLinux wrote:
Hello, I am trying to replicate some traffic from a Cisco 6500 onto an OpenBSD 4.5 vanilla machine. I have two NICs, rl0 which is the administration interface and em0 which I hope to use for the ethernet tap. So far, my cisco replicates traffic happily, i can see the packet count in/egress increasing but nothing seems to reach em0. I have no PF running, the box is inside the network with a cable connected straight from em0 to a cisco port on the 6500. The cisco router reports the link live (so does OpenBSD) but no traffic seems to be flowing. I realize that has to be something stupid but if anyone could send me a pointer, that would be most welcome.

em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr xx:xx:xx:xx:xx
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause)
        status: active

OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz (GenuineIntel 686-class) 3.22 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR real mem = 1073246208 (1023MB) avail mem = 1029500928 (981MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 01/19/04, BIOS32 rev. 0 @ 0xfb1a0, SMBIOS rev. 2.3 @ 0xf0120 (49 entries) bios0: vendor Award Software International, Inc.
version F5 date 01/19/2004 bios0: NEC Computers International 000 acpi0 at bios0: rev 0 acpi0: tables DSDT FACP APIC acpi0: wakeup devices USB0(S3) USB1(S3) USB2(S3) AMR0(S4) UAR1(S4) UAR2(S4) PCI0(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 200MHz ioapic0 at mainbus0: apid 2 pa 0xfec0, version 14, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 2 acpiprt0 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0 acpibtn0 at acpi0: PWRB bios0: ROM list: 0xc/0x8000 0xc8000/0x8000! 0xd/0x1800 0xd2000/0x1000 pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 SiS 648 PCI rev 0x51 sisagp0 at pchb0 agp0 at sisagp0: aperture at 0xe000, size 0x800 ppb0 at pci0 dev 1 function 0 SiS 648FX AGP rev 0x00 pci1 at ppb0 bus 1 pcib0 at pci0 dev 2 function 0 SiS 85C503 System rev 0x14 SiS 7007 FireWire rev 0x00 at pci0 dev 2 function 3 not configured pciide0 at pci0 dev 2 function 5 SiS 5513 EIDE rev 0x00: 648: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility pciide0: channel 0 disabled (no drives) wd0 at pciide0 channel 1 drive 0: SAMSUNG SP2014N wd0: 16-sector PIO, LBA48, 190782MB, 390721968 sectors wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5 auich0 at pci0 dev 2 function 7 SiS 7012 AC97 rev 0xa0: apic 2 int 18 (irq 9), SiS7012 AC97 ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0) audio0 at auich0 ohci0 at pci0 dev 3 function 0 SiS 5597/5598 USB rev 0x0f: apic 2 int 20 (irq 5), version 1.0, legacy support ohci1 at pci0 dev 3 function 1 SiS 5597/5598 USB rev 0x0f: apic 2 int 21 (irq 10), version 1.0, legacy support ohci2 at pci0 dev 3 function 2 SiS 5597/5598 USB rev 0x0f: apic 2 int 22 (irq 11), version 1.0, legacy support ehci0 at pci0 dev 3 function 3 SiS 7002 USB rev 0x00: apic 2 int 23 (irq 6) usb0 at ehci0: USB revision 2.0 uhub0 at usb0 SiS EHCI root hub rev 2.00/1.00 addr 1 vga1 at pci0 dev 9 
function 0 S3 Trio32/64 rev 0x54 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) em0 at pci0 dev 11 function 0 Intel PRO/1000MT (82540EM) rev 0x02: apic 2 int 19 (irq 10), address 00:07:e9:39:50:d5 rl0 at pci0 dev 15 function 0 Realtek 8139 rev 0x10: apic 2 int 16 (irq 11), address 00:0d:61:1b:69:27 rlphy0 at rl0 phy 0: RTL internal PHY isa0 at pcib0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 it0 at isa0 port 0x2e/2: IT8705F rev 2, EC port 0x290 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 usb1 at ohci0: USB revision 1.0 uhub1 at usb1 SiS OHCI root hub rev 1.00/1.00 addr 1 usb2 at ohci1: USB revision 1.0 uhub2 at usb2 SiS OHCI root hub rev 1.00/1.00 addr 1 usb3 at ohci2: USB revision 1.0 uhub3 at usb3 SiS OHCI root hub rev 1.00/1.00 addr 1 mtrr: Pentium Pro MTRR support uhidev0 at uhub1 port 1 configuration 1 interface 0 Sun Microsystems Type 6 Keyboard rev 1.10/2.00 addr 2 uhidev0: iclass 3/1 ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 33 wskbd1 at ukbd0 mux 1 wskbd1: connecting to wsdisplay0 softraid0 at root root on wd0a swap on
Re: bind
configure: error: ar program not found. Please fix your PATH to include the directory in which ar resides, or set AR in the environment with the full path to ar.
*** Error code 1

The likely solution is listed in the error message.

dark knight neo wrote:
Hello everyone, I'm trying to compile the patch of bind, and the following error occurs:

# patch -p0 < 007_bind.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- usr.sbin/bind/bin/named/update.c (revision 1875)
|+++ usr.sbin/bind/bin/named/update.c (working copy)
--------------------------
Patching file usr.sbin/bind/bin/named/update.c using Plan A...
Hunk #1 succeeded at 861.
done
# cd usr.sbin/bind
# make -f Makefile.bsd-wrapper obj
/usr/src/usr.sbin/bind/obj -> /usr/obj/usr.sbin/bind
# make -f Makefile.bsd-wrapper depend
# Nothing here so far...
# make -f Makefile.bsd-wrapper
PATH=/bin:/usr/bin:/sbin:/usr/sbin CC=cc CFLAGS=-O2 -pipe LDFLAGS= INSTALL_PROGRAM=install -c -s sh /usr/src/usr.sbin/bind/configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --disable-shared --disable-threads --disable-openssl-version-check
checking build system type... i386-unknown-openbsd4.5
checking host system type... i386-unknown-openbsd4.5
checking whether make sets $(MAKE)... yes
checking for ranlib... no
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for ar... no
configure: error: ar program not found. Please fix your PATH to include the directory in which ar resides, or set AR in the environment with the full path to ar.
*** Error code 1
Stop in /usr/src/usr.sbin/bind (line 70 of /usr/src/usr.sbin/bind/Makefile.bsd-wrapper)

How to proceed? Thanks in advance.
Re: RES: Route problem
I don't think it is possible to help you with the limited information you have provided. Let's see some sort of description of your network topology, and the output of netstat -rn and an ifconfig -A of your OBSD router. My initial guess on why adding the route to the OBSD router failed to help is that the mikrotik does not know how to get back to your clients; are you natting or not natting?

Ricardo Augusto de Souza wrote:
Wrong. I am just able to ping it. Clients who have openBSD as default gateway cannot access network 10.100.0.0/24 (like HTTP and other services). Can anyone help me?

From: Ricardo Augusto de Souza
Sent: Tuesday, 7 July 2009 10:45
To: misc@openbsd.org
Subject: Route problem

Hi, I use an OpenBSD 4.3 as gw + firewall. I also have a Mikrotik as a backup gateway. Now I lost the connectivity of one of my links (router 10.100.0.1 is down). From mikrotik I am able to reach the target network (10.100.0.0/24). So I removed this route from OpenBSD and added a new route to mikrotik. At OpenBSD:

route add 10.100.0.0/24 10.10.0.1
# ping 10.100.0.8
PING 10.100.0.8 (10.100.0.8): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
--- 10.100.0.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

After around 5 min I was able to ping 10.100.0.0/24. What am I missing? Thanks
Re: IPX/SPX between two locations running OpenBSD
journey-...@shaw.ca wrote:
I have two locations each using OpenBSD 4.5 for their gateways with the two subnets connected using IPSEC. I have an application that requires IPX/SPX between the two locations. Is this feasible? The two internal subnets are 192.168.0.x and 192.168.1.x but they can easily be changed. Enabling IPX in the kernel? PPTP from each workstation to the XP server? Bridging the two networks? I don't know much about IPX/SPX and what it can or can't do between the two locations. A man -k showed me no hits on spx or ipx, at least none pertaining to networking.

You should be able to bridge that traffic. I believe SPX/IPX builds a routing table through broadcasts, so bridging should work. Is this for a Netware network? You know that Netware now supports IP natively.
Re: slim and capable hardware for firewalls use
HP DL360G5: we have 5 of these that we use with 4 port bge cards as vpn servers and firewall. Running or have run 4.3 4.4 4.5. HW Raid controller. I like the lights out management cards on the older ones (G3) better as they just give you a screen scrape console. The G5 does something different I have not yet really looked into well enough to get a console running on.

SunFire x2100 - Meh, less expensive, not as ready for prime time, no RAID, no management card that runs for us.

Peter N. M. Hansteen wrote:
I've been asked to hunt for hardware that meets roughly these specs:
* preferably in a 1u, space for two autonomous machines with as many Ethernet interfaces as will physically fit the form factor
* Gigabit capable
Anything else is really just a bonus, 'works with OpenBSD' is a must, onboard graphics, sound etc is totally irrelevant, humans will interact physically with this only rarely if we do this right. The location is in northern Europe, anybody who is not scared of shipping there is fine with us. Any war stories, notes or anecdotes (including don't do this, go for $foo instead) welcome. The amount of misleadingly tagged webshop pages stuffed to the brim with inane animated and barely related ads sort of got to me at one point.
All the best, Peter
anybody using OpenBSD diskless workstations?
Anybody currently running BSD diskless workstations? Expository text below. We have been working on a SunRay-Windows_virtual_desktop pilot here at my office for a while. The tech seems pretty workable. Leaving aside any question of personal taste, we use windows desktops and will continue to do so. We seem to have been hit with a bit of a budget whammy. So now we are looking into making older PCs operate as netbooted dumb terminals, at least as a two year interim step. My thought was to pxe boot, run x and dump them into an RDP session to our shiny new MS terminal servers.
Re: OpenBSD ESXi VMware image on Soekris Net5501
Jason Dixon wrote:
On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote:
Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs.
BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that.

Er yes, you will not be able to get there from here. Re-think. Don't run vmware on your firewall. If you virtualize your entire DC into a single box, still don't run your firewall as a vm.
Re: Intel PRO/1000MT (82541GI) not working with 4.5
If you want to upgrade from 4.4 to 4.5 Boot off the 4.5 install image and perform an upgrade. If you wish to compile things for your 4.5, do that after you are running 4.5. I don't think in general they will help you do what it looks like you are trying to do. Rosen Nedialkov wrote: Hi all, I am trying to upgrade my box from 4.4 to 4.5 through compile. I managed to compile the kernel successfully, but upon booting the new kernel I didn't get any network connection to my box. When I attached a monitor I saw that everything is working fine except that the network card does not work. It is present as em0, but when I do ifconfig I get error messages (sorry didn't remember which ones exactly). So no network interface :( Can someone, please, help me to identify the problem? The machine is MSI barebone Hetis 945 and I am running 32bit OpenBSD 4.4. I am attaching my 4.4 and 4.5 dmesgs 4.4 dmesg OpenBSD 4.4-stable (GENERIC) #0: Mon Mar 9 10:57:55 EET 2009 r...@deimos.izrod.com:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Celeron(R) CPU 420 @ 1.60GHz (GenuineIntel 686-class) 1.60 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR real mem = 1063743488 (1014MB) avail mem = 1020145664 (972MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 02/02/07, BIOS32 rev. 0 @ 0xf9df0, SMBIOS rev. 
2.4 @ 0xf (28 entries) bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 02/02/2007 bios0: MICRO-STAR INTERNATIONAL CO., LTD MS-7231 apm0 at bios0: Power Management spec V1.2 (slowidle) apm0: AC on, battery charge unknown acpi at bios0 function 0x0 not configured pcibios0 at bios0: rev 3.0 @ 0xf/0xc2b4 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc170/272 (15 entries) pcibios0: bad IRQ table checksum pcibios0: PCI BIOS has 18 Interrupt Routing table entries pcibios0: PCI Exclusive IRQs: 5 9 10 11 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xaa00! 0xcc000/0x1000 0xef000/0x1000! cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82945G Host rev 0x02 vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) agp0 at vga1: aperture at 0xd000, size 0x1000 drm at vga1 unsupported azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x01: irq 5 azalia0: codec[s]: Realtek/0x0888 audio0 at azalia0 uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 9 uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 11 uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 10 uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 5 ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 9 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb0 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xe1 pci1 at ppb0 bus 1 em0 at pci1 dev 2 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 10, address 00:19:db:aa:57:f0 ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility 
wd0 at pciide0 channel 0 drive 0: QUANTUM FIREBALLlct15 07 wd0: 16-sector PIO, LBA, 7162MB, 14668290 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4 pciide0: channel 1 disabled (no drives) ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x01: irq 11 iic0 at ichiic0 adt0 at iic0 addr 0x2e: adt7467 rev 0x71 iic0: addr 0x2f 00=c0 01=07 02=01 03=00 04=07 05=00 06=00 07=00 14=14 15=62 16=03 17=04 words 00=c0ff 01=07ff 02=01ff 03=00ff 04=07ff 05=00ff 06=00ff 07=00ff spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5 usb1 at uhci0: USB revision 1.0 uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1 usb2 at uhci1: USB revision 1.0 uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1 usb3 at uhci2: USB revision 1.0 uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1 usb4 at uhci3: USB revision 1.0 uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1 isa0 at ichpcib0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 wbsio0 at isa0 port 0x2e/2: W83627EHF rev 0x68 lm1 at wbsio0 port 0x290/8: W83627EHF npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 biomask ffe5 netmask ffe5 ttymask mtrr: Pentium Pro MTRR support softraid0 at root root on wd0a swap on wd0b dump on
Re: European orders
As a rule I generally don't post in response to community discussions as I am essentially nobody here. This time however I just have to ask ...Theo? Why on Earth do you keep doing this? How the hell do you put up with all of this ... crap? I am sure there are still companies that would pay you handsomely for your copyrights. I sure hope you don't do it, but were I in your position I would seriously think about it.
Re: PF Seems To Reload Its Default Rules Unexpectedly
On 3/9/09 2:05 AM, J.C. Roberts wrote:
On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga hilco.wijbe...@gmail.com wrote:
I have pf running on my firewall box and I'm experiencing some strange behaviour. After several hours (this may even be 24 hours) of functioning normally, pf seems to reload its default rules which means that from that point on all traffic is blocked. A simple pfctl -f /etc/pf.conf fixes the problem but it is very annoying.

ummm... no. Think about it for a moment. The default rules *are* stored in /etc/pf.conf -- the very same file you are manually reloading, so it's obviously not magically reloading the default rules as you claim.
What kind of connection are you running? Is your public IP address static or dynamic? More importantly, are you running some sort of tunneling/authentication such as PPPoE or similar?
In short, my first guess is your IP is changing every 24 hours or so due to your service provider using dynamic addressing (and trying to prevent you from having a particular IP for too long). If I'm right, then your problem is that pf is holding on to the old rules for your old IP address even though your IP has changed. In other words, you have a configuration error.

Interesting, that brings up a question for me... what do we do in this case? My ISP seems to be content to give the same ip back over and over again. If they did not, is there something I can do besides monitor my $ext_if and reload the rules on ip addr change? Just curious.
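One way to do what the last question asks, as an added example that is not from this thread: a small sh script that records the external interface's current IPv4 address and reloads pf.conf only when it has changed. The interface name dc0, the state file and the pf.conf path are assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the thread): reload pf when the external interface's
# IPv4 address changes. Interface name, state file and pf.conf path are
# assumptions; override them in the environment.
EXT_IF=${EXT_IF:-dc0}
STATE=${STATE:-/var/run/pf-extaddr}
PF_CONF=${PF_CONF:-/etc/pf.conf}

# First IPv4 address from ifconfig(8)-style text on stdin ("inet A.B.C.D ...").
parse_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Current address of the external interface.
current_addr() {
    ifconfig "$EXT_IF" | parse_inet_addr
}

# addr_changed ADDR: true when ADDR differs from the address recorded in STATE
# (or when nothing has been recorded yet).
addr_changed() {
    old=
    if [ -f "$STATE" ]; then
        old=$(cat "$STATE")
    fi
    [ "$1" != "$old" ]
}

# Reload the ruleset only on a change, so a cron run every few minutes is cheap.
reload_if_changed() {
    addr=$(current_addr)
    if [ -z "$addr" ]; then
        logger -t pf-watch "no IPv4 address on $EXT_IF, not reloading"
        return 1
    fi
    if addr_changed "$addr"; then
        pfctl -f "$PF_CONF" || return 1
        printf '%s\n' "$addr" > "$STATE"
        logger -t pf-watch "$EXT_IF is now $addr, pf rules reloaded"
    fi
}

# Run from cron, e.g. every two minutes:
#   */2 * * * * /usr/local/sbin/pf-watch.sh run
if [ "${1:-}" = "run" ]; then
    reload_if_changed
fi
```

If the rules already use the parenthesised ($ext_if) form, pf tracks the interface address itself and this script only serves as a belt-and-braces check.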
Re: Pre-Order Prizes
I thought the prize was you got the software?
Re: Thank you for Relayd
I assume that your company will send say 10% of that saved cash to the project now to ensure continued development and maintenance? ;)

On 1/26/09 9:32 AM, uday wrote:
I just wanted to thank the developers and contributors of Relayd. It's a wonderful load balancer, very well written. GOOD JOB guys! FYI, you saved us 75,000$ in F5 equipment.

um
Re: PF/NAT Issue
Try setting your nat line to look something more like:

nat on $ext_if from 10.100.100.0/24 to any -> ($public_ip)

or

nat on $ext_if from 10.100.100.0/24 to any -> ($ext_if)

As long as pf is enabled AND your traffic actually matches the nat rule, nat happens. What do you see when you:

pfctl -f /etc/pf.conf
pfctl -e
pfctl -s info

On 1/26/09 8:35 AM, John Brahy wrote:
Hello, I'm having a problem with NAT. I have given up trying fancy pf stuff and I am using a barely modified version of the example ruleset from the using pf guide on the OpenBSD site:

# OpenBSD Packet Filter Configuration
#
# macros
ext_if="dc0"
int_if="sis0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

The only thing that I took out was the web server, so there is no inbound access in this configuration. I have the same pf.conf file on both of my servers. The layout looks like this.

Internet
  |
  - public ip OpenBSD box A running as router - public ip
  |
  - public ip OpenBSD box B running as firewall - 10.100.100.1
  |
  - 10.100.100.120 OpenBSD box C running as desktop

The problem that I am having is that I can't surf the information superhighway from box C. So I've been looking at the network traffic to see how far it is going and it's getting past the firewall but not past the router. I believe the problem is that box B is not performing network address translation for box C. When I do a tcpdump on the interface connecting box A and box B I see packets with 10.100.100.120 as the address.
Is there a magic Turn Nat On switch I'm not using? I have modified my /etc/sysctl.conf to enable ip forwarding. I'm stuck... Does anyone have a suggestion on what I can try or what I am doing wrong?
Thanks, JB
Re: VLAN Problem
It is possible you need to specify the netmask of your vlan interfaces. cat out one of your hostname.vlan?? and show us. One of mine looks like:

inet 10.120.6.102 255.255.255.0 NONE vlan 6 vlandev em0

On 1/26/09 10:42 AM, Denis Souza wrote:
Friends, I'm using OpenBSD 4.1 with a VLAN with 2 IPs only (netmask 30 bits, 255.255.255.252), but the OS is classful, creating a link line in my routing table:

# netstat -rn
...
172.16/16          link#12            UC          10        -     vlan1
...

But in my project the subnet 172.16.0.0/16 is wrong. The correct subnet is 172.16.1.1/30 for VLAN1. How may I do this with OpenBSD, because I have other subnets in my project: 172.16.2.1/30 for VLAN2, ..., 172.16.9.1/30 for VLAN9? Is this possible with OpenBSD?
Thanks, Denis
Re: Packet Filter: how to keep device names on hardware failure?
Peter N. M. Hansteen wrote:
Denis Doroshenko [EMAIL PROTECTED] writes:
What keeps you from writing a script that would be called from the end of /etc/netstart; the script would check whether the initialized network interfaces match those described by a predefined table? In case of failure it would react somehow...

Then again, given the 'failure is not an option' scenario, any sane network design would mean you most likely have a multiply redundant CARP'd setup in place, so a hardware failure like the one described on one box would simply mean the machine would take itself out of the running, one of the backups would take over and your friendly robot helper would be paging you to replace the failed hardware at your earliest opportunity. By all means nothing stops you from writing script magic, but the tools already in your OpenBSD base system let you solve these situations quite admirably and in several different ways already.

If you actually require fault tolerance, this is the best advice so far. Your devices are ordered as you expect them to be, your rule base is in a known good state. The system uses supported features making upgrades simple, as well as leaving off the sort of site specific quirks that can make inheriting a site so challenging.
Re: VPN troubleshooting help request.
Are you using preshared keys? Your policy seems to imply that you are, but you do not seem to have your passphrases in the correct place. I think the line should be more like this:

Licensees: passphrase:properpasswd || passphrase:otherproperpasswd

Though the debug output does imply that it is finding your password correctly. I have had the CISCOs be very finicky, certain IOSs seem to only work with md5 and others sha as the hashing algorithms. Run

tcpdump -nvs1400 port 500

or turn on pcap and do this

tcpdump -nvs 1500 -r /var/run/isakmpd.pcap

You then can observe the negotiations and compare what the running config on CIZCOE is doing to what the config says it should.

nuffnough wrote:
Hi, a client with a cisco device is attempting to set up a VPN to my OBSD 4.3 firewall. Phase 1 is okay, but phase 2 is fail. It says it fails the policy check. But... Checking through everything in the policy against the debug it seems like it conforms to the policy to me. Are there other things that might cause it to fail the policy check? The policy entry has matches for everything in it within this negotiation. I sure would appreciate it if you could help me figure out what it doesn't like about my policy.
TIA nuffi

Debug output looks like this:

194907.101644 Plcy 40 check_policy: adding authorizer [passphrase:123456789]
194907.101668 Plcy 40 check_policy: adding authorizer [passphrase-md5-hex:edb0afdb2eb73b1efb437dc6778bdfcf]
194907.101684 Plcy 40 check_policy: adding authorizer [passphrase-sha1-hex:ca6920eca6f25ec15bc7718e1ac4f03aa6f00a38]
194907.102199 Plcy 80 Policy context (action attributes):
194907.10 Plcy 80 esp_present == yes
194907.102235 Plcy 80 ah_present == no
194907.102248 Plcy 80 comp_present == no
194907.102259 Plcy 80 ah_hash_alg ==
194907.102271 Plcy 80 esp_enc_alg == 3des
194907.102283 Plcy 80 comp_alg ==
194907.102295 Plcy 80 ah_auth_alg ==
194907.102307 Plcy 80 esp_auth_alg == hmac-md5
194907.102318 Plcy 80 ah_life_seconds ==
194907.102330 Plcy 80 ah_life_kbytes ==
194907.102342 Plcy 80 esp_life_seconds == 1200
194907.102353 Plcy 80 esp_life_kbytes ==
194907.102365 Plcy 80 comp_life_seconds ==
194907.102377 Plcy 80 comp_life_kbytes ==
194907.102389 Plcy 80 ah_encapsulation ==
194907.102400 Plcy 80 esp_encapsulation == tunnel
194907.102413 Plcy 80 comp_encapsulation ==
194907.102425 Plcy 80 comp_dict_size ==
194907.102436 Plcy 80 comp_private_alg ==
194907.102448 Plcy 80 ah_key_length ==
194907.102460 Plcy 80 ah_key_rounds ==
194907.102472 Plcy 80 esp_key_length ==
194907.102483 Plcy 80 esp_key_rounds ==
194907.102495 Plcy 80 ah_group_desc ==
194907.102507 Plcy 80 esp_group_desc == 2
194907.102519 Plcy 80 comp_group_desc ==
194907.102531 Plcy 80 ah_ecn == no
194907.102543 Plcy 80 esp_ecn == no
194907.102555 Plcy 80 comp_ecn == no
194907.102567 Plcy 80 remote_filter_type == IPv4 address
194907.102579 Plcy 80 remote_filter_addr_upper == 010.005.010.022
194907.102591 Plcy 80 remote_filter_addr_lower == 010.005.010.022
194907.102604 Plcy 80 remote_filter == 010.005.010.022
194907.102616 Plcy 80 remote_filter_port == 0
194907.102628 Plcy 80 remote_filter_proto == 0
194907.102640 Plcy 80 local_filter_type == IPv4 address
194907.102652 Plcy 80 local_filter_addr_upper == 192.168.020.217
194907.102664 Plcy 80 local_filter_addr_lower == 192.168.020.217
194907.102676 Plcy 80 local_filter == 172.030.020.217
194907.102688 Plcy 80 local_filter_port == 0
194907.102700 Plcy 80 local_filter_proto == 0
194907.102713 Plcy 80 remote_id_type == IPv4 address
194907.102725 Plcy 80 remote_id_addr_upper == 195.022.200.170
194907.102738 Plcy 80 remote_id_addr_lower == 195.022.200.170
194907.102750 Plcy 80 remote_id == 195.022.200.170
194907.102762 Plcy 80 remote_id_port == 500
194907.102774 Plcy 80 remote_id_proto == udp
194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
194907.102818 Plcy 80 local_negotiation_address == 200.022.100.170
194907.102830 Plcy 80 pfs == yes
194907.102842 Plcy 80 initiator == yes
194907.102854 Plcy 80 phase1_group_desc == 2
194907.103881 Plcy 40 check_policy: kn_do_query returned 0
194907.104093 Default check_policy: negotiated SA failed policy check
194907.104123 Default dropped message from 195.022.200.170 port 500 due to notification type NO_PROPOSAL_CHOSEN

The policy entry looks like this:

Comment: # Comment: Cisco box
Authorizer: POLICY
Licensees: Comment:passphrase:properpassphrase passphrase:123456789
Conditions: app_domain == IPsec policy
    doi == ipsec
    remote_negotiation_address == 195.022.200.170
    esp_present == yes
    esp_enc_alg == 3des
    esp_auth_alg == hmac-md5
    local_filter_type == IPv4 address
    ( local_filter == 192.168.020.217 )
    remote_filter_type == IPv4 address
    ( remote_filter == 010.005.010.022 )
    -> true;
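An added example, not from this thread: a sh/awk helper that pulls the negotiated attributes out of isakmpd's policy debug output (the "Plcy 80 name == value" lines shown above) and checks each "name == value" condition of a policy entry against them, so that any condition whose value differs from what was actually negotiated is printed as a single MISMATCH line instead of being found by reading the dump by hand. The file names are assumptions and the sample debug lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare an isakmpd policy entry's
# Conditions against the attributes isakmpd printed while checking the policy.
# Input follows isakmpd's "Plcy 80 name == value" debug format; the sample
# debug file used in the test is constructed.

# Normalise debug output on stdin to one "name == value" line per attribute,
# dropping the timestamp and the "Plcy 80" prefix. Other Plcy levels and the
# "Policy context" header line are ignored.
policy_context() {
    awk '/Plcy 80 .* ==( |$)/ {
        sub(/^.*Plcy 80 +/, "")
        print
    }'
}

# context_value CTXFILE NAME: print the negotiated value of one attribute
# (possibly empty, e.g. "ah_hash_alg ==" when no AH was negotiated).
context_value() {
    awk -v n="$2" '$1 == n && $2 == "==" {
        $1 = ""; $2 = ""
        sub(/^ +/, "")
        print
        exit
    }' "$1"
}

# check_conditions CTXFILE "name == value" ...
# Prints one line per mismatching condition; returns 0 only if all match.
check_conditions() {
    ctx=$1
    shift
    rc=0
    for cond in "$@"; do
        name=$(printf '%s\n' "$cond" | sed 's/ *== .*//')
        want=$(printf '%s\n' "$cond" | sed 's/.*== *//')
        have=$(context_value "$ctx" "$name")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: policy wants "%s", negotiation carries "%s"\n' \
                "$name" "$want" "$have"
            rc=1
        fi
    done
    return $rc
}

# Typical use: save the isakmpd debug output (e.g. isakmpd -d -DA=90 2>debug.log)
# and run the conditions from the policy entry against it:
#   policy_context < debug.log > ctx.txt
#   check_conditions ctx.txt "esp_enc_alg == 3des" "local_filter == 192.168.020.217"
```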
Re: Resume - Mumps Developer
Lars Noodén wrote:
Matt Bettinger wrote:
Yes. I have a buddy who works with it and Cache` (Multi-Value DB I believe) on VMS in Houston Medical Center. They manage their prescriptions with it. He also makes very good $$ but talk about getting pigeon holed. There is a port Maverick on Freebsd, maybe openbsd, that is U2 like. -mb

If you want to go whole hog, you can grab the Vista source code and set it up on OpenBSD: ftp://ftp.va.gov/Vista/Software/ A lot of centers use it, so pigeon-holed or not, there's good money. (but since the original post mentioned VB whatnot, I suspect it was a troll) regards, -Lars

Actually Cache is used extensively by a vertical market company called Epic. It is a major player in the medical industry. Lots of jobs around admining Epic systems on AIX, for those that swing that way.
Re: Google in shell - looks interesting
Ted Unangst wrote: If it were actually usable from a shell, it'd be interesting. If I'm already running a graphical interbrowser, it's because I want graphical interwebs. Exactly.
Re: Google in shell - looks interesting
Mark Zimmerman wrote:
On Wed, Jun 04, 2008 at 09:46:26AM -0700, Dag Richards wrote:
Ted Unangst wrote:
If it were actually usable from a shell, it'd be interesting. If I'm already running a graphical interbrowser, it's because I want graphical interwebs.
Exactly.
So, can you launch a graphical browser from the goosh command line? sorry...

No, but if we could launch it from a shell then we could parse the output in our own apps. Store the results for our own purposes, wget and scrape pages etc.
Need help reporting kernel panic
Understand that I am not (quite) reporting a panic without a ps and trace. I had a kernel panic this weekend on my standby vpn firewall, this is the third time this has happened in the last 300 days or so, always with the same panic. I run with ddb.log=1. I ran ps and trace expecting the output to be put in a log erm ... 'somewhere'. Then I performed a boot dump, I have

drwxrwx---   2 root  wheel         512 Apr 14 07:53 ./
drwxr-xr-x  25 root  wheel         512 Aug 28  2007 ../
-rw-------   1 root  wheel           2 Apr 14 07:51 bounds
-rw-------   1 root  wheel     6229740 Apr 14 07:53 bsd.0
-rw-------   1 root  wheel  1048568340 Apr 14 07:53 bsd.0.core
-rw-r--r--   1 root  wheel           5 Sep 10  2005 minfree

But am clueless ... yes you are thinking it, I said it for you. Clueless about where to find the output from my ps and trace. My guess at this point is that it is gone. So what should I have done? Or where do I expect to find this output? Besides logging in from the console server and getting a screen scrape of the output, I could not get the ilo to respond to me. I have included as much of the panic message as I have and the dmesg from the system in case anyone is curious about the system in question, as well as a ps of what is normally left running on the system.

panic: pmap_pinit: kernel_map out of virtual space!
Stopped at Debugger + 0x4: leave
--
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Xeon(TM) CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR real mem = 1073258496 (1023MB) avail mem = 1030156288 (982MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev.
2.3 @ 0xec000 (54 entries) bios0: vendor HP version P52 date 04/14/2005 bios0: HP ProLiant DL360 G4 pcibios0 at bios0: rev 2.1 @ 0xf/0x2000 pcibios0: PCI BIOS has 7 Interrupt Routing table entries pcibios0: PCI Interrupt Router at 000:31:0 (Intel 6300ESB LPC rev 0x00) pcibios0: PCI bus #13 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1800 0xcd800/0x1600 0xee000/0x2000! acpi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x0c ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c pci1 at ppb0 bus 13 ppb1 at pci0 dev 4 function 0 Intel MCH PCIE rev 0x0c pci2 at ppb1 bus 6 ppb2 at pci2 dev 0 function 0 Intel PCIE-PCIE rev 0x09 pci3 at ppb2 bus 7 ppb3 at pci2 dev 0 function 2 Intel PCIE-PCIE rev 0x09 pci4 at ppb3 bus 10 bge0 at pci4 dev 1 function 0 Broadcom BCM5703 Alt rev 0x10, BCM5703 B0 (0x1100): irq 5, address 00:10:18:0c:44:6b brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 3 ppb4 at pci0 dev 6 function 0 Intel MCH PCIE rev 0x0c pci5 at ppb4 bus 3 ppb5 at pci0 dev 28 function 0 Intel 6300ESB PCIX rev 0x02 pci6 at ppb5 bus 2 ciss0 at pci6 dev 1 function 0 Compaq Smart Array 64xx rev 0x01: irq 5 ciss0: 1 LD, HW rev 1, FW 2.36/2.36 scsibus0 at ciss0: 1 targets sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 2.36 SCSI0 0/direct fixed sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total bge1 at pci6 dev 2 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:14:38:4b:ef:fe brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 bge2 at pci6 dev 2 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:14:38:4b:ef:fd brgphy2 at bge2 phy 1: BCM5704 10/100/1000baseT PHY, rev. 
0 uhci0 at pci0 dev 29 function 0 Intel 6300ESB USB rev 0x02: irq 5 uhci1 at pci0 dev 29 function 1 Intel 6300ESB USB rev 0x02: irq 5 Intel 6300ESB WDT rev 0x02 at pci0 dev 29 function 4 not configured Intel 6300ESB APIC rev 0x02 at pci0 dev 29 function 5 not configured ehci0 at pci0 dev 29 function 7 Intel 6300ESB USB rev 0x02: irq 5 usb0 at ehci0: USB revision 2.0 uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1 ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x0a pci7 at ppb6 bus 1 vga1 at pci7 dev 3 function 0 ATI Rage XL rev 0x27 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) Compaq iLO rev 0x01 at pci7 dev 4 function 0 not configured Compaq iLO rev 0x01 at pci7 dev 4 function 2 not configured ichpcib0 at pci0 dev 31 function 0 Intel 6300ESB LPC rev 0x02: 24-bit timer at 3579545Hz pciide0 at pci0 dev 31 function 1 Intel 6300ESB IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide0 channel 0 drive 0 scsibus1 at atapiscsi0: 2 targets cd0 at scsibus1 targ 0 lun 0: COMPAQ, CD-ROM SN-124, N104 SCSI0 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4
Re: Need help reporting kernel panic
Josh Grosse wrote: On Mon, 14 Apr 2008 08:57:55 -0700, Dag Richards wrote: Then I performed a boot dump, I have

drwxrwx---  2 root  wheel         512 Apr 14 07:53 ./
drwxr-xr-x 25 root  wheel         512 Aug 28  2007 ../
-rw---      1 root  wheel           2 Apr 14 07:51 bounds
-rw---      1 root  wheel     6229740 Apr 14 07:53 bsd.0
-rw---      1 root  wheel  1048568340 Apr 14 07:53 bsd.0.core
-rw-r--r--  1 root  wheel           5 Sep 10  2005 minfree

But am clueless ... yes you are thinking it, I said for you. Clueless about where to find the output from my ps and trace. My guess at this point is that it is gone.

Your ddb console output should be in the dmesg contained within the bsd.0.core file. You will want to use the dmesg command with -M and -N operands. See the dmesg(1) man page.

So what should I have done? Or where do I expect to find this output? Besides logging in from the console server and getting a screen scrape of the output, I could not get the ilo to respond to me.

A great place to start is the crash(8) man page; I've found it a helpful reference.

Thanks, I had read crash. I started to question my comprehension as the result I was getting looked like this:

hsdcert1:root:/root #dmesg -N /var/crash/bsd.0 -M /var/crash/bsd.0.core
dmesg: kvm_read: (d0932000)
hsdcert1:root:/root #ps -N /var/crash/bsd.0 -M /var/crash/bsd.0.core -O paddr
  PID    PADDR TT  STAT    TIME COMMAND
 3257 d773781c p0- I    0:00.00 (tcpdump)
12147 d7ae0564 C0  Is+  0:00.00 (ksh)
21336 d77ee970 C1  Is+  0:08.00 (getty)
22401 d773700c C2  Is+  0:08.00 (getty)
25004 d7737164 C3  Is+  0:08.00 (getty)
 3004 d77372bc C5  Is+  0:08.00 (getty)

So it would seem that my ps and trace did not get appended to the file. Or maybe ... appended you say? I did the ps, then trace, then the boot dump. So did the dump then overwrite my ps and trace? Boot dump seems like it should be the last thing run, as it ends with a boot, right? Can I just perform a dump? Guess I will find out in a few weeks.
Re: Sun Creator 3D hardware wanted
I have one of the cards from an Ultra 10, not sure which one. It was alive back when the system was; I will check the model no. tonight ( GMT + 8 ). If you can use the card, I would be happy to ship it to anyone that needs it. And how many times have I tried to pawn off this Enterprise 450 on some poor sap with more electricity than sense? Only used on Fridays by a little old startup that stopped down in 2001.
Re: Apache box behind Openbsd
Sewan wrote: Hi, I have an apache-php website running on windows server 2003 port 80, i have correct rdr rules that point to my web server, i can view the website inside my LAN, but i can't view the page outside of my network. I've checked all dns and ip settings, everything's fine but the problem continues. I've read at some forums that apache doesn't recognize rdr rules from openbsd, so how can i publish my site ? Thanks... You read somewhere that ... what? Oh right, you need to have Linux rdr rules; make sure your database is blue too, that makes them faster. Some actual information is required. Try posting, say, your pf.conf file.
Re: avoiding a mac address filter
[EMAIL PROTECTED] wrote: On Jan 7, 2008 9:00 AM, Josh Grosse [EMAIL PROTECTED] wrote: On Mon, 7 Jan 2008 13:39:01 +0100, Targus Neoprene wrote: Hi, in my flat I can see a lot of open connection points. They do not require a password and, in principle, I can log in every time... but they seem to be protected with a mac filter, because I cannot get an IP address via dhclient. I have a naive question: Is there any way to avoid that? I mean: is there a way to surpass the mac filter and get an ip? Do I understand this correctly? You are asking how to *defeat* someone else's SOHO NAT router, using its MAC filter as their only security? If so, I'm appalled by your lack of ethics. I'm appalled by his lack of reading the man page. I have a similar issue. In my building they sometimes misdeliver our mail. Some of the apartments are protected with filters called locked doors. Though the locks are of a poor design and trivial to circumvent, they still are defeating me. I wonder, will you help me to circumvent the locks? Since I will only be looking for my mail, or perhaps interesting junk mail, and the security is bad in the first place, it is perfectly ethical for me to break in.
Re: Two carp firewalls keep swapping from master/backup
Josh wrote: Hello, A quick question. I have a pair of 4.1 boxes acting as firewalls using carp/pfsync etc. The primary has advskew 0, the backup has advskew 100. I have net.inet.carp.preempt=1 on both. So anyway, I was downloading some 4.2 install binaries onto the backup fw, and I noticed that the backup/primary carp interfaces kept on switching between master/backup fairly rapidly ( around every 5 - 10 seconds or so ) despite both hosts being up just fine. Any ideas on what might be causing this? Also, my understanding of net.inet.carp.preempt=1 needs to be adjusted I think; I thought that it meant if one carp interface goes down, ie, unplugged or whatever, then the rest go down, ie all other interfaces on the box? Is this right? Thanks, Josh Your understanding of preempt seems correct. I had a similar issue on a pair of 4.1 FWs. A careful examination revealed that one of the carp ifaces on one system had ip addrs that were missing on the other. Carefully compare ifconfig -aA on each machine to each other. I now slavishly also ensure that the addrs occur in the same order ... I am sure that has no effect, but there it is. Are you allowing the carp traffic in and out? Does a tcpdump show the expected traffic?
Re: OpenBSD kernel janitors
n0g0013 wrote: On 31.10-11:12, Nick Guenther wrote: [ ... ] and i would suggest that the severe and prevalent attitude toward the possibility of poor patches or under-educated actions is the most significant barrier to encouraging new/young developers. Well that's the point of it; or at least, a useful side-effect. Linux can get away with sending fanboi masses at its code because it's fine with fanboi masses poking at all parts of the kernel, no matter how secure it may be. Right? i think we'll simply agree to disagree. i personally find it quite disheartening to hear the attitude that prevails here but that's the community's decision. it certainly seems to reflect the attitude of its leaders (developers). Consider it the voice of experience (bitter). It's easy to tell which ones are the programmers. They write code, then they submit it, it does not suck too much and they take the suggestions of the current project leads. Then they resubmit better code. The rest of us should simply buy CDs, ask and answer the occasional question, and otherwise keep quiet. When you run a Data Centre that has thousands of users serving tens of thousands of customers who need medical services on a 24 hour basis, you will miss the hand holding and warm friendly thoughts less, and appreciate the complete documentation and conformity to that documentation way way WAY more. BTW I was a Linux user from kernel .92 ( that is some time in 1994 ) through 2.6. Trying to run that professionally was always fun and exciting. Man I don't miss that.
Re: How can I install 4 OS'es on one disk?
Amarendra Godbole wrote: On 10/7/07, stan [EMAIL PROTECTED] wrote: I have a new laptop that I would like to set up to have 4 different OS's on. The OS's I would like to install are: OpenBSD, FreeBSD, Linux, Windows (XP or Vista). Is it possible to do this on the one disk? I do have enough space; my concern is about partitions. If it is possible can anyone give me an idea how best to approach this? Or a pointer to some docs? I have an almost similar configuration on my IBM Thinkpad X61 laptop. Here is how I did it: 1. Install Windows XP/ Vista in the first primary partition. 2. Install OpenBSD in the second primary partition. 3. Install FreeBSD in the third. 4. Install Linux (Debian, in my case) in the fourth - which becomes extended because of the way Linux handles the partitions. Use grub as your bootloader, as it can boot Linux from the extended partition. All other three OSes will chainload through grub, which means you have to add entries to menu.lst of grub. Booting FreeBSD through grub is nicely explained here: http://ezine.daemonnews.org/200102/grub.html. A similar entry needs to be made for OpenBSD too. Also note that grub starts the numbering from 0, so your partitions will be 0 for Win, 1 for OpenBSD, 2 for FreeBSD, and 3 for Linux. HTH. -Amarendra At the moment the machine has the Vista partition, and its recovery partition (which I figure I don't need), and a Linux partition on it. I can boot Linux, or Vista using Grub. -- I'm sorry, no one here has any intentions of helping you with anything. I am the manager of all of Customer Service. Blasphemy Seems to me that the simplest and most flexible way to do this is to install Linux or Windows as your host OS and use VMware. I do that on my MacBook Pro running OS X, and run OBSD, Linux, and Solaris as guest OSes. Works great, and I can have all of them up at the same time, and network between them. \Blasphemy
Re: ipsec with carp
Patrick Hemmen wrote: Hello all, I have two OpenBSD machines for a redundant VPN-Gateway. They use carp to share one IP-Address and sasyncd to synchronize SAs and SPDs. I set up an ipsec-tunnel in /etc/ipsec.conf. The tunnel isn't established and the error PAYLOAD_MALFORMED appears in the logs. With tcpdump I can see that the initial packet (isakmp v1.0 exchange ID_PROT) to establish the tunnel comes from the host IP-Address and not from the carp address. Thanks in advance. Patrick Maybe it's the humidity. Maybe it's something in your ipsec.conf file. Based on the info you have provided so far, both seem to be about as likely as each other ;) ipsec.conf, ifconfig -A, maybe a quote from your dumps and perhaps a bit of logging info.
Re: To whom can I direct email for artwork use permission pls?
Hannah Schroeter wrote: Hi! On Mon, Oct 01, 2007 at 10:50:05AM -0400, Nick Guenther wrote: [...] To explain this more fully with the party line: the project supports itself via donations and selling CDs of releases. If you create DVDs to distribute you are hurting the project by discouraging the sale of CDs. You could volunteer to become a reseller, though (i.e. you buy a large shipment of CDs and sell them at cost to people in your country.) Wouldn't it be win-win if people there could buy DVD (with more data on it, i.e. needing less downloads) and an agreement could be made that XX $ (enough to compensate for the not-sold CDs) for each DVD sold are paid to OpenBSD? Kind regards, Hannah. The real win-win is they buy official CD's, support OBSD, and thereby help ensure more OBSD is available to use.
Re: 2 internet connections on 1 router
Marian Hettwer wrote: Hi All, I'm using a Soekris box with OpenBSD 4.0 (sorry *g*) on my home soekris box. Actual setup is one interface with a cable modem connected for internet use. The cable modem provider talks dhcp, so no pppoe magic involved. Now I do have an old second DSL provider lying around, which I basically don't use anymore. However, the old DSL provider tries to get on my ass, and I figured, okay boys, if you don't let me outta this contract, I'll use your uplink to the max 24/7 (while true; do wget -O /dev/null http://something.iso; done). I know my way to configure pppoe and to dial in (without having pppoe modifying my default gw). Question is: How do I fiddle around with my routing table, so that basically the wget running on my router is using sis2 (with the pppoe uplink), while the rest (my existing working lan) is still using sis0 with my good-guys cable modem uplink? Any hints highly appreciated. Thanks in advance, Marian route add -host <addr of iso source> <addr of dsl gateway> would work; there probably are better ways, but this would be dead simple. So vengeance is a dish best served in binary?
Re: Show your appreciation and get your 4.2 DVD
Theo de Raadt wrote: Theo de Raadt wrote: Theo de Raadt wrote: snip Decreasing CD sales means the margins have to be adjusted. More of you are relying on our FTP services, and also donating less. snip Hey Theo just a quick suggestion to increase the cash donations: Why aren't the web-order-cash-donations (no longer) added to the donations.html page ? Sad but unfortunately true there are petty people like me for whom that actually matters. They are, but there is a lot of latency. Yes, that really sucks. Perhaps I will take a shot at 'pushing' a lot of them forward today. Yup me too, petty and whiner. I have been sending $20 a month for something over a year. I was on the donation page, then gone. Sent mail to Austin a couple of times, got peevish and wanted to stop the donation ... then remembered, I don't do it for credit. I do it so the project can continue, or in this case buy pizza for one day of one hackathon once a year. I order CD, poster and T-shirt for every release, not because I think you care but because I get fantastic value for dollar. Yours is a special case. Yours comes as that weird mailed cheque, and I did add you. Bizarre, but I never committed it, because ... I don't know how. Bizarre. Maybe it conflicted by the time I wanted to. The big issue these days is donation fraud -- I'm not joking. About 20-30% of donations by credit/paypal come in, and then the transaction does not clear (credit card) or gets backed out of later (credit card or paypal). We have been trying to not cope with that through a process of deleting names later, and that has introduced latency. But I don't know how to tell the public those figures. It is unbelievably stupid. I did not know that. You have already spent way more time on this than the donation in question is worth. I do it this way because it is automated from my perspective and therefore reliable, and allows me to retain control of the transaction. If there is a better way I would be happy to change.
Re: scp batch mode?
James Hartley wrote: The manpage for scp(1) mentions the -B option for running scp in batch mode, but no further details. How can scp be run without prompting for a password? Thanks. passwordless rsa key?
Re: dysfunctional carp
Nico Meijer wrote: Hi all, I have a new carp setup that somehow just won't work. The two machines are Jetway mini-itx J7F4 machines, dual Gb LAN. dmesg below. So if each system sees only its own carp traffic it makes sense that each would consider itself master. I assume that the systems can send and receive tcp, icmp, and udp traffic. Is it possible that the switch is not carrying multicast traffic? If you attach them to each other with a crossover cable do they (pointlessly) negotiate proper carp relationships?
Re: PF Config problem
I think you will find that since carp is communicated with multicast that your rules are not behaving as you think. They are allowing the outbound transmissions, but since you are not establishing tcp sessions the keep state does not do what you want. Try explicitly allowing in protocol carp. What I do is this:

pass out quick proto carp
pass in quick proto carp

Gordon Ross wrote: I've got two OBSD 4.1 boxes. They are setup identically, and I'm using CARP ( pfsync) to obtain a redundant firewall. I appear to have CARP working fine. My problem is when I enable pf. The initial TCP packet goes through fine, but the return packet gets blocked. (I have verified this by putting LOG entries in my ruleset) If I disable PF, everything works fine. Cutting down the pf ruleset to the bare minimum, I have:

adsl_if=em2
int_if=em0
pfsync_if=bge0

scrub in
set skip on lo
block in

#These three lines allow the failover mechanisms to work
pass on { $int_if } proto carp keep state
pass on { $adsl_if } proto carp keep state
pass quick on { $pfsync_if} proto pfsync

#Allow internal people to SSH in.
pass in on $int_if proto tcp to ($int_if) port ssh keep state

#ICMP
pass in proto icmp to me

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state

With this config, 172.16.2.34 cannot make a TCP connection to 192.168.249.3. What stupid thing have I missed ? For reference, below are the details of the carp em interfaces. If anything else is needed, let me know.

Thanks, GTG

# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.168.253.253 netmask 0xff00 broadcast 192.168.253.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0xb
# ifconfig carp2
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xc
        inet 192.168.249.253 netmask 0xff00 broadcast 192.168.249.255
# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:01:c8:30
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.253.20 netmask 0xff00 broadcast 192.168.253.255
        inet6 fe80::21b:21ff:fe01:c830%em0 prefixlen 64 scopeid 0x3
# ifconfig em2
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:01:c8:32
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.249.251 netmask 0xff00 broadcast 192.168.249.255
        inet6 fe80::21b:21ff:fe01:c832%em2 prefixlen 64 scopeid 0x5
Re: PF Config problem
Gordon Ross wrote: So why is this different to what I put?

#These three lines allow the failover mechanisms to work
pass on { $int_if } proto carp keep state
pass on { $adsl_if } proto carp keep state
pass quick on { $pfsync_if} proto pfsync

The only difference I can see is that your lines would allow CARP on the pfsync (and loopback) interface. GTG

Dag Richards [EMAIL PROTECTED] 07/19/07 4:55 PM: I think you will find that since carp is communicated with multicast that your rules are not behaving as you think. They are allowing the outbound transmissions, but since you are not establishing tcp sessions the keep state does not do what you want. Try explicitly allowing in protocol carp. What I do is this:

pass out quick proto carp
pass in quick proto carp

The difference is you were paying attention. I really thought I saw pass out, not just pass, on your lines. When you do tcpdump -n -e -ttt -i pflog0 with rules enabled do you see inbound carp being blocked?
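The pflog check suggested in the two messages above (is pf blocking inbound carp or pfsync?) is easy to turn into a script. The following is an added example, not code from the list posts: it reads saved output of tcpdump -n -e -ttt -i pflog0 and counts blocked CARP advertisements and pfsync packets per interface and pf rule number. The log lines are constructed for this example and only approximate the pflog line format; the "CARPv2-advertise" and "PFSYNCv5" tokens, the interface names and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the list posts): summarise blocked HA traffic
# from saved "tcpdump -n -e -ttt -i pflog0" output.
# The sample log lines below are constructed; token spellings such as
# "CARPv2-advertise" and "PFSYNCv5" and the rule numbers are assumptions.

# Print one line per (interface, rule, protocol) with the number of
# blocked packets, e.g. "em0 rule 2 carp 2". Prints nothing when no
# CARP or pfsync packet was blocked. Passed packets are ignored.
blocked_ha_traffic() {
    awk '
        / block / && (/CARPv2-advertise/ || /PFSYNCv[0-9]/) {
            rule = "?"; ifc = "?"
            for (i = 1; i < NF; i++) {
                # "rule 2/(match)" -> 2 ; "on em0:" -> em0
                if ($i == "rule") { rule = $(i + 1); sub(/\/.*/, "", rule) }
                if ($i == "on")   { ifc = $(i + 1); sub(/:$/, "", ifc) }
            }
            proto = ($0 ~ /CARPv2-advertise/) ? "carp" : "pfsync"
            count[ifc " rule " rule " " proto]++
        }
        END { for (k in count) print k " " count[k] }
    ' "$1" | sort
}

# Exit 0 when nothing HA-related was blocked, 1 otherwise, so the check
# can be dropped into a monitoring script.
ha_traffic_ok() {
    [ -z "$(blocked_ha_traffic "$1")" ]
}

# Constructed pflog capture: two blocked carp advertisements on em0, one
# blocked pfsync packet on bge0, one passed carp packet and one unrelated
# blocked TCP SYN.
PFLOG=$(mktemp)
cat > "$PFLOG" <<'EOF'
Jul 19 16:55:01.000123 rule 2/(match) block in on em0: 192.168.253.21 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 demote=0 [tos 0x10] [ttl 255]
Jul 19 16:55:02.000144 rule 2/(match) block in on em0: 192.168.253.21 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 demote=0 [tos 0x10] [ttl 255]
Jul 19 16:55:02.000502 rule 2/(match) block in on bge0: 10.0.0.2 > 224.0.0.240: PFSYNCv5 len 124
Jul 19 16:55:02.100000 rule 7/(match) pass out on em2: 192.168.249.251 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 demote=0 [tos 0x10] [ttl 255]
Jul 19 16:55:03.000000 rule 2/(match) block in on em0: 172.16.2.34.51234 > 192.168.249.3.80: S 12345:12345(0) win 65535 (DF)
EOF

blocked_ha_traffic "$PFLOG"
if ha_traffic_ok "$PFLOG"; then
    echo "no CARP or pfsync traffic blocked"
else
    echo "pf is blocking HA traffic: check the pass rules on the interfaces listed above"
fi
```

The rule number in each line points straight at the pf.conf rule doing the blocking (a catch-all block in, in the ruleset quoted above), which is usually quicker than reading the ruleset top to bottom.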
Re: support for Sun Fire
Daniel Ouellet wrote: Toni Mueller wrote: Hi Mark, On Tue, 29.05.2007 at 14:13:06 +0100, mark reardon [EMAIL PROTECTED] wrote: I just got a x2100 M2 from Sun yesterday on a 60 day trial and am having trouble setting the MTU on one of the bge NICs. Just some initial findings. Not a big problem for me really. Did you get it to run OpenBSD properly? Which model do you have? I have one as well. Some results in the archive as well, but my biggest griff with it is with the admin console for this unit. Sun really cut way too short on it to make it a decent remote admin box. Plus they share the BGE with the admin port, instead of the nVidia, which I could do without. The box is not bad, but could be better. It's more expensive, but it made me definitely switch to the 4100 instead. I only got one, and wouldn't get another one, unless it's not in a remote setup configuration, which is pretty rare these days. Even the serial console is limited in operation and works until OpenBSD starts, when it goes dead. Then you can do some more from the Ethernet port instead, but then if you reboot the box, you lose the admin on the Ethernet port and need to go back to the serial console. My own feedback is not a top of the line box, but not the worst either. Just not as good as it should be for me to recommend it however. It works well in some setups, not all. YMMV, Daniel I use a few of these, and second all of Daniel's griffs. I use them because they are cheap, and a fairly good value. I would recommend you take a look at the HP DL360, one U, hardware raid, and they have a nice little management interface you can ssh to which allows pretty complete console access: go into bios, watch boot messages, power set the system.
formerly working vpn between obsd 4.0 hosts failing ....
I have two bsd firewall / routers that have a vpn between them ... sometimes. They have a late May build of 4.0 386; they had been working well until a few days ago, and we of course all swear that nothing was changed... they just started failing. I left last night with tunnels up and running, came in this morning and found them down again. Isakmpd is running on both ends; on my 'client network' end I started it with isakmpd -TLv -D A=40, below is some log. I had found that if I restarted the daemon on the 'server network' side that I could get the tunnels to come up, but it might require a couple of attempts, so I really can not prove it was merely a coincidence that they were starting. This morning I found that the clocks were off between the fws and synched them, then restarted isakmpd on the client net side and the tunnels came right up. I claim that pf is configured properly, else the tunnels would never come up. I use preshared keys; I know they match again because the tunnels work for a while. I have never really seen tunnels just go down once running, so what would you do to isolate the cause? Any help would be appreciated.
-snip with tunnels down --
Jul 12 06:31:29 mz1000wa isakmpd[13493]: timer_handle_expirations: event message_send_expire(0x87234480)
Jul 12 06:31:29 mz1000wa isakmpd[13493]: timer_add_event: event message_send_expire(0x87234480) added before exchange_free_aux(0x7ed17700), expiration in 11s
Jul 12 06:31:29 mz1000wa isakmpd[13493]: timer_add_event: event exchange_free_aux(0x7ed17a00) added last, expiration in 120s
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_setup_p1: 0x7ed17a00 unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_setup_p1: icookie 987bc831de38f5d4 rcookie 93d3d4c89d53786b
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_setup_p1: msgid
Jul 12 06:31:29 mz1000wa isakmpd[13493]: isakmp_responder: got NOTIFY of type INVALID_COOKIE, ignoring
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_finalize: 0x7ed17a00 unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_finalize: icookie 987bc831de38f5d4 rcookie 93d3d4c89d53786b
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_finalize: msgid
Jul 12 06:31:29 mz1000wa isakmpd[13493]: timer_remove_event: removing event exchange_free_aux(0x7ed17a00)
Jul 12 06:31:29 mz1000wa isakmpd[13493]: message_free: freeing 0x87234500
Jul 12 06:31:33 mz1000wa isakmpd[13493]: message_free: freeing 0x87234500
Jul 12 06:31:40 mz1000wa isakmpd[13493]: timer_handle_expirations: event message_send_expire(0x87234480)
Jul 12 06:31:40 mz1000wa isakmpd[13493]: timer_add_event: event message_send_expire(0x87234480) added before exchange_free_aux(0x7ed17700), expiration in 13s
Jul 12 06:31:40 mz1000wa isakmpd[13493]: timer_add_event: event exchange_free_aux(0x7ed17a00) added last, expiration in 120s
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_setup_p1: 0x7ed17a00 unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_setup_p1: icookie b65fccde1f52143b rcookie fee87d767fbe664b
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_setup_p1: msgid
Jul 12 06:31:40 mz1000wa isakmpd[13493]: isakmp_responder: got NOTIFY of type INVALID_COOKIE, ignoring
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_finalize: 0x7ed17a00 unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_finalize: icookie b65fccde1f52143b rcookie fee87d767fbe664b
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_finalize: msgid
Jul 12 06:31:40 mz1000wa isakmpd[13493]: timer_remove_event: removing event exchange_free_aux(0x7ed17a00)
Jul 12 06:31:40 mz1000wa isakmpd[13493]: message_free: freeing 0x87234500
Jul 12 06:31:46 mz1000wa isakmpd[13493]: message_free: freeing 0x87234500
Jul 12 06:31:53 mz1000wa isakmpd[13493]: timer_handle_expirations: event message_send_expire(0x87234480)
Jul 12 06:31:53 mz1000wa isakmpd[13493]: timer_add_event: event message_send_expire(0x87234480) added before exchange_free_aux(0x7ed17700), expiration in 15s
Jul 12 06:31:53 mz1000wa isakmpd[13493]: timer_add_event: event exchange_free_aux(0x7ed17a00) added last, expiration in 120s
Jul 12 06:31:53 mz1000wa isakmpd[13493]: exchange_setup_p1: 0x7ed17a00 unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:53 mz1000wa isakmpd[13493]: exchange_setup_p1: icookie 6de5b4121e72cece rcookie 33e61848a188464b
Jul 12 06:31:53 mz1000wa isakmpd[13493]: exchange_setup_p1: msgid
Jul 12 06:31:53 mz1000wa isakmpd[13493]: isakmp_responder: got NOTIFY of type INVALID_COOKIE, ignoring
Jul 12 06:31:53 mz1000wa isakmpd[13493]: exchange_finalize: 0x7ed17a00 unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12
Re: SOS! isakmpd cannot be loaded in OpenBSD properly
Have you looked in /var/log/messages for messages? Have you run isakmpd in the foreground with debugging enabled?

isakmpd -d -DA=2

Wilson Liu wrote: I am currently building an OpenBSD 4.1 firewall and setting up a VPN as well. I've changed isakmpd_flag=NO to isakmpd_flags=# for normal use: to enable the isakmpd daemon. I've created two isakmpd related files in /etc/isakmpd as below. I can also see a message from the console after restart: starting isakmpd. Somehow I cannot find the isakmpd process running in the background when I type the command: ps -ax. There are two NICs on that firewall: em0 is for external, 172.20.0.188, and em1 is for internal, set to 192.168.30.1. What does the problem look like? How can I load isakmpd properly? Thanks a million!

isakmpd.conf
--
[General]
Retransmits=5
Exchange-max-time= 120
Listen-on= 172.20.0.188

[Phase 1]
default=ISAKMP-clients

[Phase 2]
Passive-Connections=IPsec-clients

[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= SoftPK-main-mode
Authentication= hgKfdsGFd67ds9gdmenglals98csds

[IPsec-clients]
Phase= 2
Configuration= SoftPK-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote

[Net-ASGT]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.30.0
Netmask=255.255.255.0

[default-route]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[dummy-remote]
ID-type=IPV4_ADDR
Address=0.0.0.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

[SoftPK-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[SoftPK-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE
#---end of file

isakmpd.policy
--
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:hgKfdsGFd67ds9gdmenglals98csds"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            esp_auth_alg == "hmac-sha" -> "true";
#---end of file

Wilson J.
Liu
Network Systems Administrator
23 Lesmill Road, Suite 404
Toronto, Ontario M3B 3P6, Canada
Tel: (416) 445-7162 x 230  Fax: (416) 445-2341
e-mail: [EMAIL PROTECTED]
website: www.bsharp.com
Re: Redundant Firewalls, CARP + IPSEC + SASYNCD
[EMAIL PROTECTED] wrote: I have a redundant firewall setup with carp interfaces on both sides of the firewall. I have a mirror of this setup in a 2nd location. Now I'm a little confused on how to set up the VPN. Do I use 1) the physical interfaces between the peers or 2) do I use the carp interface as the peers or 3) do I use both the physical and carp interfaces as the peers. When trying to set up sasyncd in this sort of environment I can't get the slave firewall to establish an IKE session because of the ips of the peers. Can anyone give me any insight into this? What I have been doing is setting up the VPNs between the sites using the carp addrs. sasync follows the state of the carp interface so you should get box a -- box y- \ /\ carp 0 ---vpncarp 0 carp1 --internal nets / \/ box c -- box z- a netstat -rnf encap run on a and c should look the same and y and z should as well. Packets will only be forwarded down the tunnel by the machine who is carp master of either end. You will probably want to have internal carp ifaces as well, as seen on boxes y and z.
Re: Redundant Firewalls, CARP + IPSEC + SASYNCD
[EMAIL PROTECTED] wrote: Ok that setup is similar to what I have and I do have carp interfaces on both sides of the firewall. I was able to configure sasyncd but when running netstat -rnf encap was not able to see any of the flows on the slave machine, but then I realized or thought that it was because the ISAKMPD session was not established on the slave machine.

I do not understand your terms here, ISAKMPD session.

If you're trying to establish the ISAKMPD session from the slave box which does not have control of the active carp interface, how is the ISAKMPD/IPSEC connection established? Doesn't it need to be established for sasyncd to know about the SA's? Or upon failover does the session then get established on the fly? Do you use isakmpd.conf or ipsec.conf to control your flows?

I use isakmpd.conf, though it seems to be deprecated and so really should be moving over to ipsec.conf. I have a dedicated NIC on each machine with a x-over cable to carry the sasync and pfsync traffic; you can use an ipsec tunnel for this though I found it to fail occasionally. Run isakmpd on both hosts with the listen addr being that of the carp iface and you should see SPI's propagated from the active server to the second. Off to lunch now; if this does not clear things up sufficiently you should consider posting ifconfigs, sasyncd.conf, isakmpd.conf and maybe some dumps ... maybe one of the smart people will help us then.

Thanks. On 5/2/07, *Dag Richards* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: I have a redundant firewall setup with carp interfaces on both sides of the firewall. I have a mirror of this setup in a 2nd location. Now I'm a little confused on how to set up the VPN. Do I use 1) the physical interfaces between the peers or 2) do I use the carp interface as the peers or 3) do I use both the physical and carp interfaces as the peers.
When trying to setup sasyncd in this sort of enviornment I cant get the slave firewall to establish an IKE session because of the ips of the peers. Can anyone give me any insight into this? What I have been doing is setting up the VPNs between the sites using the carp addrs. sasync follows the state of the carp interface so you should get box a - - box y- \ /\ carp 0 ---vpncarp 0 carp1 --internal nets / \/ box c - - box z- a netstat -rnf encap run on a and c should look the same and y and z should as well. Packets will only be forwarded down the tunnel by the machine who is carp master of either end. You will probably want to have internal carp ifaces as well, as seen on boxes y and z.
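An added example, mine rather than anything posted in this thread, for the check Dag recommends: once sasyncd has done its job, `netstat -rnf encap` on the two CARP peers of one site should list the same flows, and a peer that is missing a tunnel's flows is a tunnel you lose on failover. The script parses the Encap section from both nodes and reports the flows present on only one of them, plus the IKE peers that have no flows at all on the second node. The row layout follows the `Source Port Destination Port Proto` header that appears in the isakmpd thread further down this page; the trailing SA column (address/proto/type/direction) and the sample tables themselves are constructed here, with node a holding two tunnels and node c only one.

```python
import re

# Constructed samples in the layout of 'netstat -rnf encap'.  The first five
# columns follow the Encap header quoted on this page; the SA column format
# (peer/proto/type/direction) is an assumption.  Node c lacks the 192.0.2.3
# tunnel, i.e. sasyncd has not (yet) replicated it.
NODE_A_ENCAP = """\
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.10.0/24         0     10.20.0/24         0     0     192.0.2.2/esp/use/in
10.10.0/24         0     10.20.0/24         0     0     192.0.2.2/esp/require/out
10.10.0/24         0     10.30.0/24         0     0     192.0.2.3/esp/use/in
10.10.0/24         0     10.30.0/24         0     0     192.0.2.3/esp/require/out
"""

NODE_C_ENCAP = """\
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.10.0/24         0     10.20.0/24         0     0     192.0.2.2/esp/use/in
10.10.0/24         0     10.20.0/24         0     0     192.0.2.2/esp/require/out
"""

HEADER_RE = re.compile(r"^Source\s+Port\s+Destination\s+Port\s+Proto")
ROW_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<peer>[\d.:a-fA-F]+)/(?P<sa_proto>\w+)/(?P<type>\w+)/(?P<dir>\w+)"
)


def parse_encap(text):
    """Return the set of flows, one tuple per row of the Encap table."""
    flows = set()
    in_table = False
    for line in text.splitlines():
        if HEADER_RE.match(line):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m is None:
            if not line.strip():
                break          # a blank line ends the Encap section
            continue
        flows.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]),
                   m["peer"], m["sa_proto"], m["type"], m["dir"]))
    return flows


def compare_encap(text_a, text_b):
    """(flows only on A, flows only on B); both empty means the SPDs match."""
    a, b = parse_encap(text_a), parse_encap(text_b)
    return sorted(a - b), sorted(b - a)


def tunnels_missing_on(text_a, text_b):
    """IKE peers that have flows on A but none on B: tunnels lost on failover."""
    peers_a = {flow[5] for flow in parse_encap(text_a)}
    peers_b = {flow[5] for flow in parse_encap(text_b)}
    return sorted(peers_a - peers_b)


if __name__ == "__main__":
    # Usage: python3 encap_diff.py <(ssh a netstat -rnf encap) <(ssh c netstat -rnf encap)
    # Without arguments the constructed samples are compared.
    import sys
    if len(sys.argv) == 3:
        text_a, text_c = (open(path).read() for path in sys.argv[1:3])
    else:
        text_a, text_c = NODE_A_ENCAP, NODE_C_ENCAP
    only_a, only_c = compare_encap(text_a, text_c)
    for flow in only_a:
        print("only on first node: ", " ".join(map(str, flow)))
    for flow in only_c:
        print("only on second node:", " ".join(map(str, flow)))
    missing = tunnels_missing_on(text_a, text_c)
    if missing:
        print("peers with no flows on the second node (lost on failover):", ", ".join(missing))
    elif not only_a and not only_c:
        print("SPDs match")
```

Run it against both members of each site; an empty diff on a and c (and on y and z) is the state Dag describes, and anything listed under "lost on failover" is a tunnel the backup cannot carry until sasyncd has replicated it.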
Re: Carp not behaving
Dummy Dummy wrote:

On 4/30/07, Stuart Henderson [EMAIL PROTECTED] wrote:

Check you have a PF rule to pass carp traffic on that interface. N.B. applications using bpf, like tcpdump, see the packets *before* PF.

Yes, PF rules were the cause. I had a bunch of carp/pfsync rules that were at the end of the PF rules, but there were things at the top of the rules that were causing the blockage. Thanks Stuart and Dag. User error :(

Oh sure, always my pleasure to be confused and of no help whatsoever. I thought you had said that you tried this with pf disabled... Whatever, this is how we all learn together, right?
Re: Carp not behaving
I have had this problem before, where two systems each claim to be master on only one of the shared subnets. My problem was one system had an alias on the carp iface that the other did not. Do an ifconfig of the physical ifaces and the carp iface on each box, so it shows all the configured aliases. Your dump is showing some source addrs that do not appear in the config you submitted for inspection. Mismatched addresses and netmasks can create the situation I believe you are describing.

Dummy Dummy wrote:

Hi OpenBSDers! We have two 4.0 boxes that we are planning to use as a HA firewall. While setting it up, we encountered a problem where the interface doesn't know how to go into a backup state and stays as master. Both boxes have the same hardware, connected to the same subnet. When doing a tcpdump on the physical interface, both boxes can see the carp advertisements but they don't seem to be responding to it. There are four other interfaces on the same box, and they're all behaving as expected (i.e. when one's master, one'll be backup and vice versa). We've run out of ideas on why this is and need some expert opinion. Has anyone seen this before? Thanks in advance...

Here is the configuration of box A:

# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:c1:fe:4a
        description: World core switch uplink
        media: Ethernet 100baseTX full-duplex
        status: active
        inet 192.168.108.5 netmask 0xff00 broadcast 192.168.108.255
        inet6 fe80::204:23ff:fec1:fe4a%em0 prefixlen 64 scopeid 0x1

# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:04
        carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 100
        groups: carp
        inet6 fe80::200:5eff:fe00:104%carp0 prefixlen 64 scopeid 0xa
        inet 192.168.108.2 netmask 0xff00 broadcast 192.168.108.255

# tcpdump -nvvv -r /tmp/em0.5.tr proto carp
15:16:46.006407 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 9319, len 56)
15:16:47.088866 carp 192.168.108.6 > 224.0.0.18: CARPv2-advertise 20: vhid=80 advbase=3 advskew=150 demote=0 [tos 0xc0] (ttl 255, id 60466, len 40)
15:16:47.216383 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 17369, len 56)
15:16:48.426361 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 20131, len 56)
15:16:48.784260 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 56385, len 56)
15:16:49.636337 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 6185, len 56)
15:16:50.091449 carp 192.168.108.6 > 224.0.0.18: CARPv2-advertise 20: vhid=80 advbase=3 advskew=150 demote=0 [tos 0xc0] (ttl 255, id 38698, len 40)
15:16:50.194262 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 34793, len 56)
15:16:50.846313 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 31704, len 56)
15:16:51.604272 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 62842, len 56)
15:16:52.056289 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 2899, len 56)
15:16:53.014276 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 50211, len 56)
15:16:53.092038 carp 192.168.108.6 > 224.0.0.18: CARPv2-advertise 20: vhid=80 advbase=3 advskew=150 demote=0 [tos 0xc0] (ttl 255, id 59937, len 40)
15:16:53.274872 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) [tos 0x10] (ttl 255, id 848, len 56)

# netstat -sp carp
carp:
        232749 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for wrong TTL
        0 packets shorter than header
        0 discarded for bad checksums
        0 discarded packets with a bad version
        0 discarded because packet too short
        0 discarded for bad authentication
        0 discarded for bad vhid
        0 discarded because of a bad address list
        54530 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error

# netstat -rn | head
Routing tables

Internet:
Destination        Gateway            Flags   Refs  Use   Mtu  Interface
default            192.168.108.33     UGS     215250      -    em0

Here is the configuration of box B:

# ifconfig em0
em0:
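An added example, not code from the thread: the dump above shows 192.168.108.4 and 192.168.108.5 both advertising vhid 4, which is the dual-master symptom (192.168.108.6, vhid 80, is a different CARP group sharing the segment). Only the master of a vhid sends advertisements, so this script reads `tcpdump -nvvv proto carp` output, groups advertisements by vhid, reports every vhid with more than one advertiser and names the host that should win the election (lowest advbase, then lowest advskew) and the one that should have gone backup. A host that keeps advertising although the better advertisement is on the wire is either not receiving it (pf blocking on the physical interface, as in the previous thread) or rejecting it (bad authentication or bad vhid counters in `netstat -sp carp`). The sample lines are constructed after the dump in the thread, with the `>` that tcpdump prints between source and group restored.

```python
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the tcpdump output quoted in the thread.
# 192.168.108.4 and .5 both advertise vhid 4 (the dual-master symptom);
# 192.168.108.6 is an unrelated CARP group, vhid 80, on the same segment.
SAMPLE_DUMP = """\
15:16:46.006407 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 9319, len 56)
15:16:47.088866 carp 192.168.108.6 > 224.0.0.18: CARPv2-advertise 20: vhid=80 advbase=3 advskew=150 demote=0 [tos 0xc0] (ttl 255, id 60466, len 40)
15:16:47.216383 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 17369, len 56)
15:16:48.784260 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 56385, len 56)
15:16:50.194262 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 34793, len 56)
"""

# One advertisement line.  The '>' between source and the CARP multicast
# group is optional because mailing-list archives tend to strip it.
ADV_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) carp (?P<src>[\d.]+) (?:> )?224\.0\.0\.18: "
    r"CARPv2-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) "
    r"advskew=(?P<advskew>\d+) demote=(?P<demote>\d+)"
)


def parse_advertisements(text):
    """Parse tcpdump lines into dicts; lines that are not advertisements are ignored."""
    advs = []
    for line in text.splitlines():
        m = ADV_RE.match(line)
        if m:
            adv = m.groupdict()
            for key in ("vhid", "advbase", "advskew", "demote"):
                adv[key] = int(adv[key])
            advs.append(adv)
    return advs


def advertisers_by_vhid(advs):
    """vhid -> {source address -> (advbase, advskew)} seen on the wire.
    Only the master of a vhid advertises, so two sources for one vhid means
    two hosts believe they are master."""
    seen = defaultdict(dict)
    for adv in advs:
        seen[adv["vhid"]][adv["src"]] = (adv["advbase"], adv["advskew"])
    return seen


def expected_master(sources):
    """CARP election: the host advertising most often wins, i.e. the lowest
    (advbase, advskew) pair as carried in the advertisement.  Ties are not
    deterministic."""
    return min(sources, key=lambda src: sources[src])


def find_split_brain(text):
    """{vhid: {...}} for every vhid that has more than one advertiser."""
    report = {}
    for vhid, sources in advertisers_by_vhid(parse_advertisements(text)).items():
        if len(sources) < 2:
            continue
        winner = expected_master(sources)
        report[vhid] = {
            "advertisers": {src: sources[src] for src in sorted(sources)},
            "should_win": winner,
            "should_yield": sorted(src for src in sources if src != winner),
        }
    return report


if __name__ == "__main__":
    # Usage: tcpdump -nvvv -i em0 proto carp | python3 carp_split_brain.py
    # (or a saved dump on stdin); with no piped input the sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    report = find_split_brain(text)
    if not report:
        print("no vhid has more than one advertiser")
    for vhid, info in sorted(report.items()):
        print(f"vhid {vhid}: {len(info['advertisers'])} hosts advertising")
        for src, (advbase, advskew) in info["advertisers"].items():
            print(f"  {src:16} advbase={advbase} advskew={advskew}")
        print(f"  should be master: {info['should_win']}; "
              f"should have gone backup: {', '.join(info['should_yield'])}")
```

Capture on the physical interface (bpf sees packets before pf, as Stuart notes in the previous thread), so a vhid reported here while the loser's own `ifconfig` still says MASTER tells you the advertisements arrive but are not acted on.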
Re: carp, 2 router
Caveat -- bge? ospf? Eh, I only know them at the executive brief level. carp, stp, static routing I know well enough.

So call router one primary: traffic is coming, routes are all up, everything is good. Switch 1 dies, carp switches master over to router 2 bge2. If you had carp inside and out, you would be done: router2 bge1 would take over your outside IP and traffic would go there.

If I understand your issue: in the case of the failure, upstream 1 is going to continue to send traffic to router 1; you want rtr 1 to then forward traffic to router 2. Router 2 then hands traffic to the internal systems.

OSPF is refusing to add a route showing something like

    10.50.4/24      1xx.1xx.35.1        UGS    0  0         -  bge0

because you already have

    10.50.4.22      00:00:0c:9f:f0:4e   UHLc   0  11351930  -  carp1

or some such. What if you were to use ifstated to remove the IPs from router1 bge2 on failure? If you do this manually, will ospf add the routes you desire?

François Rousseau wrote:

Well, at the end I will have BGP for the upstream provider, but this part works fine so I have not talked about it in my last email. I have done a fast schema of my setup: http://step.polymtl.ca/~spock/draft.jpg. The reason I want to use CARP inside is because I want to have a single gateway on my servers. The BGP part will take care of announcing the routes and taking the good exit point. The CARP part will take care of the gateway for my servers. But OSPF is not able to enter the carp route in the routing table... probably because a route is already there.

thanks,
Francois Rousseau

2007/4/12, Chris Black [EMAIL PROTECTED]:

François Rousseau wrote:

Hi, I have a problem understanding how to dynamically change the route destined to a carp interface. I have 2 routers, both have 3 NICs. On each router I have: 1 NIC for the upstream, 1 NIC for the LAN (5 carp, no nat), 1 NIC for inter-router traffic.

What I want: if one of my CARPs goes into Backup state or if the cable is unplugged, every route to those networks is automatically redirected to the other router. Ex: carp on router 1 goes backup, so all traffic destined to those networks is automatically redirected to router2 which has the CARP Master. So my router1 can continue to communicate with hosts on the LAN (useful to route traffic from my upstream provider). Right now, I think it is impossible because the route always stays in route show regardless of the interface state. Any idea how to do this?

Not sure I /totally/ understand your architecture, but I think what you need is a carp on the upstream.

Chris
Re: Redirect traffic through VPN
Matiss Miglans wrote:

Hi good people! I need to make a connection from a server which is in LAN1 to a server which is in LAN3. And I need to make another connection from that same server which is in LAN3 to that same server which is in LAN1. There are 3 different company Ethernets, and I need to make this connection through my company. There is no way to make a direct VPN from LAN1 to LAN3 - business etc.

    |---LAN1---------|   |---OpenBSD-------|   |---LAN2---------|
    |-10.210.1.0/24--|---|--Router/pf/vpn--|---|-192.168.0.0/24-|
                                          |
                                          | VPN IPsec over public Internet
                                          |
    |---LAN3----------|   |---Netscreen 5xt---|
    |-192.168.30.0/29-|---|---Router/pf/vpn---|

This VPN is from LAN2 to LAN3. I will make nat, rdr or binat, because I can't give direct access. I need to control what, where and how can connect. I tried to make a redirect like this:

    rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1

But the OpenBSD box can't see the LAN3 network, or the Netscreen box internal IP - I tried ping, telnet, ssh etc. Of course I can see all that if I connect from LAN2 or LAN3. How can I see this server in LAN3 from the OpenBSD box? Or maybe there is a better way to do that? In my pf.conf there is no deny rule. There is my ipsec.conf:

    ike esp from 192.168.0.0/24 to 192.168.30.0/29 \
        local x.x.x.x peer x.x.x.x \
        main auth hmac-md5 enc 3des \
        quick auth hmac-md5 enc 3des \
        psk xxx

This is OpenBSD snapshot from 2007.26. Jan. (or something that way).

Best regards
Matiss

So you have a working VPN from LAN2 to LAN3 and reverse? You can not NAT on the same box you run ipsec on ... NAT is applied first, then a routing decision is made, and if your IP addrs are outside your encryption 'domain' your traffic will not traverse the tunnel. Are LAN1 and LAN2 really hosted off the same firewall? If so then the statement "no VPN between LAN1 and LAN3" is silly. In the layout as described you need to set up a VPN from LAN1 to LAN3. You could possibly introduce an additional firewall to do NATing prior to VPN, but that would be again silly.
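An added model of the encryption-domain point, mine rather than the thread's: an IPsec flow covers a packet only when its source and destination both fall inside the flow's from/to networks. The rdr rewrites the destination of the LAN1 client's packet to 192.168.30.1 but leaves the source at 10.210.1.2, which is outside 192.168.0.0/24, so the SPD lookup finds no flow and the packet goes out in the clear (or is dropped by a route or pf rule) instead of entering the tunnel. The script parses the flow lines of an ipsec.conf (literal networks only, macros are not expanded), applies a PF-style rdr to a packet and reports whether a flow covers the result; a second run adds a flow for LAN1 to show what fixes it. The host addresses and the rdr tuple are taken from the post; the hostnames in the script are constructed.

```python
import ipaddress
import re

# The flow posted in the thread (peer addresses are placeholders there too).
SAMPLE_IPSEC_CONF = """\
ike esp from 192.168.0.0/24 to 192.168.30.0/29 \\
    local x.x.x.x peer x.x.x.x \\
    main auth hmac-md5 enc 3des \\
    quick auth hmac-md5 enc 3des \\
    psk xxx
"""

# 'ike ... from A to B ...' and 'flow ... from A to B ...' lines.  Only
# literal networks are understood; ipsec.conf macros ($name) are not expanded.
FLOW_RE = re.compile(r"^\s*(?:ike|flow)\b.*?\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)")


def parse_flows(text):
    """[(src_net, dst_net), ...] from ipsec.conf text, joining '\\' continuations."""
    joined = text.replace("\\\n", " ")
    flows = []
    for line in joined.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append((ipaddress.ip_network(m["src"], strict=False),
                          ipaddress.ip_network(m["dst"], strict=False)))
    return flows


def covering_flow(flows, src, dst):
    """The first flow whose networks contain both src and dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in flows:
        if src in src_net and dst in dst_net:
            return (src_net, dst_net)
    return None


def trace_packet(flows, src, dst, rdr=None):
    """Model one packet: an optional 'rdr ... to X -> Y' rewrite of the
    destination (the source is untouched), then the SPD lookup."""
    dst_after = dst
    if rdr is not None:
        match_dst, new_dst = rdr
        if dst == match_dst:
            dst_after = new_dst
    flow = covering_flow(flows, src, dst_after)
    return {
        "src": src,
        "dst_before_nat": dst,
        "dst_after_nat": dst_after,
        "flow": None if flow is None else f"{flow[0]} -> {flow[1]}",
        "encrypted": flow is not None,
    }


if __name__ == "__main__":
    lan1_host, box_lan1_addr, lan3_server = "10.210.1.2", "10.210.1.1", "192.168.30.1"
    rdr = (box_lan1_addr, lan3_server)   # rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1

    flows = parse_flows(SAMPLE_IPSEC_CONF)
    print("as posted:     ", trace_packet(flows, lan1_host, box_lan1_addr, rdr))

    # The fix is to put LAN1 inside the encryption domain on both ends; the
    # Netscreen side needs the matching proxy ID as well.
    fixed = parse_flows(SAMPLE_IPSEC_CONF +
                        "ike esp from 10.210.1.0/24 to 192.168.30.0/29 peer x.x.x.x psk xxx\n")
    print("with LAN1 flow:", trace_packet(fixed, lan1_host, box_lan1_addr, rdr))
```

The security-relevant caveat is the first result: nothing stops a packet that misses every flow from leaving on the external interface unencrypted, so pair the flows with a pf rule that blocks plaintext traffic to the remote prefixes on the external interface and passes it only on enc0.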
Re: binat questions
A quick read of the faq shows the pass keyword causes a bypass of all filtering ... so don't use it if you want your filters to be applied.

Bruce Bauer wrote:

Using OpenBSD 4.0. Using binat for the first time in the real world. Questions:

    binat pass on fxp0 from $server_int to any -> $server_ext

does this bypass all other pf filter rules?

    binat on fxp0 from $server_int to any -> $server_ext

does this form allow filtering? Googling comes up with many different opinions.
Re: isakmpd gateway-to-gateway VPN woes...
Do your firewalls forward IPv4? sysctl net.inet.ip.forwarding=1

Jack Bates wrote:

If you can help, please feel free to CC: me directly: [EMAIL PROTECTED]

My partner-in-crime and I are having some trouble getting a LAN-to-LAN VPN working with OpenBSD-4.0-stable isakmpd. Both firewalls have a relatively unaltered install. Both firewalls still have pf, ipsec and isakmpd_flags unset in rc.conf (we are configuring and starting manually - is this a problem?). We have followed the directions from the "Zero to IPSec in 4 minutes" webpage. I hope that this error report is thorough.

Here is a picture of the configuration:

                  10.0.0.2/24 --- 10.0.0.1/24
    L1 -------------- F1             F2 -------------- L2
    10.4.14.1 --- 10.4.12.1/22     10.2.12.1/22 --- 10.2.14.1

    L1,L2 - laptops
    F1,F2 - Soekris net4801 firewalls

What works:
    L1-F1 lan communication
    L2-F2 lan communication
    F1-F2 lan communication
    F1-F2 IPSec communication (evidenced by F1 running ping 10.0.0.1 and seeing only esp packets in tcpdump)

What doesn't work:
    F1-L2 gateway'd VPN
    F2-L1 gateway'd VPN
    L1-L2 gateway-to-gateway'd VPN

What is interesting is that the routing tables have a section named Encap: that seems to contain valid routes for the flows that do not work above, but when attempting to use ping on addresses on a broken flow we get "No route to host". This has got to be something simple. Thanks in advance for your help.

Here are the pf.conf files from both firewalls:

### F1: pf.conf ###
# jack
ext_if=sis0
int_if=sis1
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.1
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

### F2: pf.conf ###
# sabino
ext_if=sis0
int_if=sis1
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.2
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

## F1: ipsec.conf ##
# jack to sabino
sabino_ext = 10.0.0.1
sabino_int = 10.2.12.0/22
jack_ext = 10.0.0.2
jack_int = 10.4.12.0/22
ike esp from $jack_int to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_ext

## F2: ipsec.conf ##
# sabino to jack
sabino_ext=10.0.0.1
sabino_int=10.2.12.0/22
jack_ext=10.0.0.2
jack_int=10.4.12.0/22
ike passive esp from $sabino_int to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_ext

### F1: What isakmpd says after running ipsecctl -f /etc/ipsec.conf ###
# isakmpd -K -d -v
164953.991350 Default isakmpd: phase 1 done: initiator id 0a02: 10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.2 dst: 10.0.0.1
164955.074708 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.283055 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.652188 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
165058.199701 Default isakmpd: shutting down...
165058.219397 Default isakmpd: exit

### F2: What isakmpd says after running ipsecctl -f /etc/ipsec.conf ###
# isakmpd -K -d -v
171251.878157 Default isakmpd: phase 1 done: initiator id 0a02: 10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.1 dst: 10.0.0.2
171253.351373 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.557425 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.566780 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171356.739110 Default isakmpd: shutting down...
171356.741411 Default isakmpd: exit

## F1: routing table after isakmpd negotiates tunnels ##
# ipsecctl -f /etc/ipsec.conf
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs  Use    Mtu    Interface
10.0.0/24          link#1             UC      1     0      -      sis0
10.0.0.1           00:00:24:c8:1d:60  UHLc    2     125    -      sis0
10.4.12/22         link#2             UC      1     0      -      sis1
10.4.14.1          00:e0:00:c2:6e:2c  UHLc    4     644    -      sis1
10.4.16/22         link#3             UC      0     0      -      sis2
127/8              127.0.0.1          UGRS    0     0      33224  lo0
127.0.0.1          127.0.0.1          UH      1     4      33224  lo0
224/4              127.0.0.1          URS     0     0      33224  lo0

Internet6:
...abbreviated - irrelevant...

Encap:
Source             Port  Destination        Port  Proto
Re: carp iface keeps switching to master
Camiel Dobbelaar wrote:

Make sure your addresses are in sync... number of addresses and the netmask are different.

On Wed, 14 Mar 2007, Dag Richards wrote:

    inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255
    inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255
    inet 10.120.10.2 netmask 0xff00 broadcast 10.120.10.255

Yup, don't know why that netmask was like that as I was snapshotting my config for posting ... but it is/was not like that as a rule. Anyway it was the magic clue, thanks: master had an address that slave did not. As soon as I synced the config, joy and correctness followed. Thanks for the help.
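An added example, mine and not from the thread, for the check Camiel describes. The HMAC on a CARP advertisement covers the vhid, the password and the list of addresses configured on the carp interface, so a node with an extra alias or a different netmask cannot authenticate its peer's advertisements; each side discards the other's packets (the "discarded for bad authentication" counter in `netstat -sp carp`) and both stay master. The script parses the `ifconfig carpN` output of two nodes and reports any difference in vhid or in the inet/inet6 address-and-mask sets, plus two conditions worth a warning: both nodes reporting MASTER, and identical advbase/advskew, which leaves the election without a deterministic winner. The sample outputs are constructed after the ifconfigs posted in this thread; the netmask is assumed to be 0xffffff00 because the value is garbled in the archive.

```python
import re

# Constructed after the ifconfig output posted in the thread.  The netmask
# is assumed (0xffffff00 matches the broadcast address shown); node A
# carries an extra alias, 10.120.10.2, that node B does not.
NODE_A = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 10
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xffffff00 broadcast 10.120.10.255
        inet 10.120.10.2 netmask 0xffffff00 broadcast 10.120.10.255
"""

NODE_B = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 200
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xffffff00 broadcast 10.120.10.255
"""

CARP_RE = re.compile(
    r"carp: (?P<state>\w+) carpdev (?P<dev>\S+) vhid (?P<vhid>\d+) "
    r"advbase (?P<advbase>\d+) advskew (?P<advskew>\d+)"
)
INET_RE = re.compile(r"^\s*inet (?P<addr>[\d.]+) netmask (?P<mask>0x[0-9a-fA-F]+)")
INET6_RE = re.compile(r"^\s*inet6 (?P<addr>[0-9a-fA-F:]+)(?:%\S+)? prefixlen (?P<plen>\d+)")


def parse_carp_ifconfig(text):
    """Extract the fields that have to agree between two CARP peers."""
    info = {"state": None, "dev": None, "vhid": None, "advbase": None,
            "advskew": None, "inet": set(), "inet6": set()}
    for line in text.splitlines():
        m = CARP_RE.search(line)
        if m:
            info.update(state=m["state"], dev=m["dev"], vhid=int(m["vhid"]),
                        advbase=int(m["advbase"]), advskew=int(m["advskew"]))
            continue
        m = INET_RE.match(line)
        if m:
            info["inet"].add((m["addr"], m["mask"].lower()))
            continue
        m = INET6_RE.match(line)
        if m:
            # the scope id is stripped; the address itself is what both nodes must share
            info["inet6"].add((m["addr"].lower(), int(m["plen"])))
    return info


def compare_carp_peers(text_a, text_b):
    """List of findings; an empty list means the two carp interfaces agree on
    everything the advertisement HMAC covers and can elect one master."""
    a, b = parse_carp_ifconfig(text_a), parse_carp_ifconfig(text_b)
    findings = []
    if a["vhid"] != b["vhid"]:
        findings.append(f"vhid differs: {a['vhid']} vs {b['vhid']}")
    for fam in ("inet", "inet6"):
        only_a, only_b = a[fam] - b[fam], b[fam] - a[fam]
        if only_a or only_b:
            findings.append(f"{fam} address/mask set differs: only on A {sorted(only_a)}, "
                            f"only on B {sorted(only_b)}")
    if (a["advbase"], a["advskew"]) == (b["advbase"], b["advskew"]):
        findings.append("identical advbase/advskew: no deterministic master")
    if a["state"] == "MASTER" and b["state"] == "MASTER":
        findings.append("both nodes report MASTER")
    return findings


if __name__ == "__main__":
    # Usage: python3 carp_peers.py <(ssh nodeA ifconfig carp0) <(ssh nodeB ifconfig carp0)
    # Without arguments the constructed samples are compared.
    import sys
    if len(sys.argv) == 3:
        text_a, text_b = (open(path).read() for path in sys.argv[1:3])
    else:
        text_a, text_b = NODE_A, NODE_B
    for finding in compare_carp_peers(text_a, text_b) or ["no differences found"]:
        print(finding)
```

Run it on every carp interface of the pair; the address finding is the one that produces the symptom in this thread, and it disappears as soon as the alias is added to the other node or removed from this one.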
Re: carp iface keeps switching to master
Since reporting this problem I have tried running both systems on one switch, and performed a kernel and userland build from stable. The behavior is unchanged in both cases. Help? Am I really that stupid? This was working on 3.9.

Dag Richards wrote:

Two systems running 4.0 GENERIC#1107 i386 on bge drivers. They are being used as vpn servers. They are each jacked to their own cisco 2950. The switches are connected to each other with xover cables. Each host can see the other's carp traffic; pf is configured to quick pass carp traffic. Both systems insist on being master. I can ifconfig the desired slave to backup state but after a couple of seconds it pops back to master. I am using sasync; the tunnels are all up and traffic flows as expected, though I think that has more to do with pfsync keeping the state tables synced, and the internal interfaces are behaving correctly. The inside ifaces are jacked into the same switch, but shouldn't I be able to be jacked into two separate switches? Erm ... ? I am in GMT + 8; tomorrow morning I will try putting the slave on the same switch as master, but that of course creates a single point of failure. Any other hints?

dump from should-be slave:

18:21:16.870759 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
18:21:16.960298 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:18.010311 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:18.670753 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
18:21:19.060327 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:20.110341 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:20.470750 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]

ifconfig on slave:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 200
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255

slave:root:/etc #sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0

dump from should-be master:

18:21:16.871448 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
18:21:16.960692 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:18.010696 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:18.671396 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
18:21:19.060686 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:20.110681 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]

ifconfig on master:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 10
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255
        inet 10.120.10.2 netmask 0xff00 broadcast 10.120.10.255

master:root:/root #sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0
carp iface keeps switching to master
Two systems running 4.0 GENERIC#1107 i386 on bge drivers. They are being used as vpn servers. They are each jacked to their own cisco 2950. The switches are connected to each other with xover cables. Each host can see the other's carp traffic; pf is configured to quick pass carp traffic. Both systems insist on being master. I can ifconfig the desired slave to backup state but after a couple of seconds it pops back to master. I am using sasync; the tunnels are all up and traffic flows as expected, though I think that has more to do with pfsync keeping the state tables synced, and the internal interfaces are behaving correctly. The inside ifaces are jacked into the same switch, but shouldn't I be able to be jacked into two separate switches? Erm ... ? I am in GMT + 8; tomorrow morning I will try putting the slave on the same switch as master, but that of course creates a single point of failure. Any other hints?

dump from should-be slave:

18:21:16.870759 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
18:21:16.960298 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:18.010311 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:18.670753 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
18:21:19.060327 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:20.110341 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:20.470750 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]

ifconfig on slave:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 200
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255

slave:root:/etc #sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0

dump from should-be master:

18:21:16.871448 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
18:21:16.960692 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:18.010696 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:18.671396 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
18:21:19.060686 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
18:21:20.110681 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]

ifconfig on master:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 10
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255
        inet 10.120.10.2 netmask 0xff00 broadcast 10.120.10.255

master:root:/root #sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0
Re: carp iface keeps switching to master
Joel Knight wrote:

--- Quoting Dag Richards on 2007/03/12 at 18:50 -0700:

Two systems running 4.0 GENERIC#1107 i386 on bge drivers. They are being used as vpn servers. They are each jacked to their own cisco 2950. The switches are connected to each other with xover cables. Each host can see the other's carp traffic; pf is configured to quick pass carp traffic. Both systems insist on being master. I can ifconfig the desired slave to backup state but after a couple of seconds it pops back to master. I am using sasync; the tunnels are all up and traffic flows as expected, though I think that has more to do with pfsync keeping the state tables synced, and the internal interfaces are behaving correctly.

On the slave, what does 'netstat -sp carp' show for packets received?

hsdcert1:root:/root #netstat -sp carp
carp:
        66020 packets received (IPv4)
        26401 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for wrong TTL
        0 packets shorter than header
        0 discarded for bad checksums
        0 discarded packets with a bad version
        0 discarded because packet too short
        26384 discarded for bad authentication
        39619 discarded for bad vhid
        0 discarded because of a bad address list
        7552 packets sent (IPv4)
        6745 packets sent (IPv6)
        0 send failed due to mbuf memory error

There is a pair of firewalls in the same network with different passwords and vhids. So that should explain the bad auth and bad vhid packet counts.

What do your pf rules look like that are passing carp packets? You're permitting carp packets on the physical interfaces, correct?

    pass out quick log on { $ext_if $int_if } proto carp
    pass in quick log on { $ext_if $int_if } proto carp

Yes, these are the physical devs.

I'm quite certain you should not be seeing advertisements on the wire from both hosts at the same time. The master advertises on a continual basis. Only during a transition might you see multiple advertisements. For some reason, your slave box is not seeing the advertisements from the master.

Hmm, yes, I get the impression that I am not seeing the intended master's packets from the slave. But the dump told me otherwise. I will put both on the same switch, observe/report the results, then the patch recommended by Stuart, observe/report.

Thanks
Dag

.joel
Re: carp iface keeps switching to master
Stuart Henderson wrote:

On 2007/03/12 18:50, Dag Richards wrote:

insists on being master. I can ifconfig the desired slave to backup state but after a couple of seconds it pops back to master.

how do you tell the state, ifconfig(8)? if so, try

yes precisely

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.c.diff?r1=1.68&r2=1.68.2.1

(in 4.0-stable and will be in 4.1 of course)

Oh, patching ... never thought of that! Heh, I'll give that a shot, thanks. Does this mean that it is only misreporting state?
Re: watch traffic on IPSEC tunnel?
Tim Pushor wrote:

May be a dumb question, but how do I look at traffic going over an IPSEC tunnel, on one of the OpenBSD machines? I've tried tcpdump -i enc0 but get nothing ..

That is exactly what you do. Remember you can not use filters on it: no tcpdump -i enc0 host wakkawakka. If plain old tcpdump -i enc0 is not showing anything then probably you are not actually encrypting. Does tcpdump -i outside_iface show you ESP traffic? Does netstat -rnf encap show tunnels?
Re: missing isakmpd.fifo
Toni Mueller wrote:

Hi Dag,

On Thu, 01.02.2007 at 08:37:01 -0800, Dag Richards [EMAIL PROTECTED] wrote:

locations. Yesterday I needed to add a tunnel, there was no /var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid
The fifo was recreated, I could use it to control isakmpd. OK. Today I look for isakmpd.fifo, it has disappeared again.
and nothing I do not expect to see. I am not running out of disk space ... anybody seen this before?

please check again using -i in order to find out whether you have enough disk space.

Best,
--Toni++

hsdcert0:root:/root #df -i
Filesystem   1K-blocks      Used     Avail Capacity  iused   ifree  %iused  Mounted on
/dev/sd0a      4126462     35180   3884960     1%     2204  533602     0%   /
/dev/sd0e      1030302        44    978744     0%       16  144238     0%   /home
/dev/sd0d      1030302         2    978786     0%        1  144253     0%   /tmp
/dev/sd0f     10318830    391228   9411662     4%    13887 1305023     1%   /usr
/dev/sd0g     16423486   1080606  14521706     7%     3564 2077842     0%   /var

Nope, plenty of inodes too.
Re: SSH client (putty) hangs after name/password login
Brian A. Seklecki wrote:

Hello Brian, Not quite sure what you mean with pstree... don't know the command and no 'man pstree' on my 3.8 system..?

It's in the psmisc/ package

Note that I have no problems logging into the system while on the local network (doing this via a PC that I remotely manage). When I do a SSH session (via the VPN tunnel) on the INSIDE of the OBSD box, I get the same problem (using the same account).

Okay, I must be asleep again. I thought we eliminated pf(4) as the problem. Technically if you can negotiate a 3-way handshake and establish the TCP socket, MTU should be a non-issue. What about netstat -s? Anything suspicious (grep -i drop) for sections esp: tcp: ip: icmp: etherip:? If you have access via the LAN, what about tcpdump(8) on the tun(4) interface?

is not the case locally. Problem here is that this system is 900Km away... if I would stop the SSHD (so I could restart it with debug options) I will not be able to reach it anymore :-(

Normally I'd say to you "Oh you're fine with pkill -HUP sshd"; but that's because I'm accustomed to out-of-band management like DRAC and mgetty :}

nohup kill -HUP pid-of-sshd-listener-process should get it for you, or if you are really (justifiably) paranoid, a little temporary cron that will restart sshd if not running, or in five minutes.

~BAS
Re: Sun Fire X2100 M2
[EMAIL PROTECTED] wrote:

Hi, Does anyone have any experience with this HW on OpenBSD? I can't find specifics on the NICs used on Sun's webpage. What are they and are they well supported? This seems like the perfect package for my purposes. Regards, Edvard

There has been a fair amount of discussion of these on the list ... My experience with them has been in general good. One NIC is a Broadcom that shows up as a bge device. The other is an nVidia that shows up as an nfe device. Do keep in mind that the raid controller is not actually a raid controller. So no HW Raid1. I have not tried to use the LOM module yet, though I have some for my next pair.
missing isakmpd.fifo
I have a little production vpn server with 28 tunnels to various locations. Yesterday I needed to add a tunnel; there was no /var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid September, so I just edited the config file and hupped the controlling process. The fifo was recreated, I could use it to control isakmpd. OK. Today I look for isakmpd.fifo, it has disappeared again. I have looked through messages, I see lots of things I expect to see --

Feb  1 07:01:44 hsdcert0 isakmpd[8856]: dropped message from 2xx.xx.xx4.4 port 500 due to notification type Unknown 0
Feb  1 07:01:45 hsdcert0 isakmpd[8856]: isakmpd: quick mode done: src: 10.120.10.50 dst: 1.26.19.30
Feb  1 07:02:09 hsdcert0 isakmpd[8856]: isakmpd: quick mode done: src: 10.120.10.50 dst: 1.26.19.30
Feb  1 07:02:46 hsdcert0 isakmpd[8856]: isakmpd: phase 1 done: initiator id 011a131e: 1.26.19.30, responder id 0a780a32: 10.120.10.50, src: 10.120.10.50 dst: 1.26.19.30
Feb  1 07:03:19

-- and nothing I do not expect to see. I am not running out of disk space ... anybody seen this before?
Re: missing isakmpd.fifo
Um, in case it *might* be useful information: I am using OBSD 3.9 i386, though I can't remember exactly when I built userland; it is not the stock from dist CD version.

Dag Richards wrote:

I have a little production vpn server with 28 tunnels to various locations. Yesterday I needed to add a tunnel; there was no /var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid September, so I just edited the config file and hupped the controlling process. The fifo was recreated, I could use it to control isakmpd. OK. Today I look for isakmpd.fifo, it has disappeared again. I have looked through messages, I see lots of things I expect to see --

Feb  1 07:01:44 hsdcert0 isakmpd[8856]: dropped message from 2xx.xx.xx4.4 port 500 due to notification type Unknown 0
Feb  1 07:01:45 hsdcert0 isakmpd[8856]: isakmpd: quick mode done: src: 10.120.10.50 dst: 1.26.19.30
Feb  1 07:02:09 hsdcert0 isakmpd[8856]: isakmpd: quick mode done: src: 10.120.10.50 dst: 1.26.19.30
Feb  1 07:02:46 hsdcert0 isakmpd[8856]: isakmpd: phase 1 done: initiator id 011a131e: 1.26.19.30, responder id 0a780a32: 10.120.10.50, src: 10.120.10.50 dst: 1.26.19.30
Feb  1 07:03:19

-- and nothing I do not expect to see. I am not running out of disk space ... anybody seen this before?
Re: x2100 M2
Toni Mueller wrote:

Hi,

On Thu, 04.01.2007 at 22:18:58 -0800, Dag Richards [EMAIL PROTECTED] wrote:

You can use raidframe to do software raid, though I at least have not been able to do an upgrade of a system with its root slices on a raidframe disk.

in theory, this should work in that you first upgrade your non-raidframe'd root partitions, then reboot and proceed with the normal upgrade. Or at least I've yet to find out how to make the machine genuinely boot from a root partition on raid - including the kernel...

Yes, that is the theory, and that I am sure would work. What I was trying to do is have _every_ slice be raidframe raid1. I was able to get that to work, with a custom kernel sitting on a small boot slice on each disk. When it came time to upgrade... every solution I came up with seemed to be a kludge, and not conducive to a click and drool upgrade path. So we just do an rsync to the other disk daily and know that there will be a drive swap and reboot required in the event of disk failure. Hardware raid is very much preferred if possible; IBM has some nice low end x series servers with raid controllers. We have six of these little x2100's and I have really liked them. They are in my opinion the best inexpensive 1U servers generally available.

Best,
--Toni++
Re: x2100 M2
Stephen Schaff wrote:

I'm thinking about buying the Sun x2100 M2 for OpenBSD 4.0. I've purchased one for a client that's running linux. I set it up but don't admin it. I don't use linux, but I really like the hardware.

I want to do RAID1 with it, which the motherboard supports. However, I'm told that the RAID controllers they put on motherboards are just glorified software RAID and don't even compare to real hardware RAID. Further, I don't think that OpenBSD would even work with the motherboard RAID controller - please correct me if I'm wrong.

So, I'm looking for a suggested course of action regarding the x2100 M2. Anyone have any experience with it - especially keeping RAID1 in mind?

Best Regards,
Stephen

This has been answered, and quite recently ... The X2100's work well with OpenBSD 4.0. The Raid controllers do not, at all. You can use raidframe to do software raid, though I at least have not been able to do an upgrade of a system with its root slices on a raidframe disk. I am of course one of the less sharp tools on the list. Still a tool though ... heh heh heh.
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
smith wrote:

Blocking icmp violates RFC rules which means in a nutshell weird things will happen on your network. Buda says: Amen... obey RFC 1122.

RFC compliance is almost always a good reason to do something. So I have learned something I apparently should already have known, i.e. icmp helps negotiate traffic throughput when two nodes are communicating over networks with various amounts of bandwidth.

If you have firewall rules that allowed udp/tcp 53 and icmp to your dns server, you would not violate RFC rules. For someone to transport traffic through icmp with these rules means that they would have to root your dns server. At that point, icmp isn't your problem. Let me restate by saying if anyone on your network tries to send traffic out via icmp, icmp isn't the problem, it's the security of that computer that's the problem.

We let users send out pretty much any traffic they want from their network, this debate was for me about what to allow _in_ to the dmz.

Oh and if you're trying to prevent your users from sending out confidential information to an external source, let's face it, that's almost impossible.

Yup, too true. Not trying to stop confidential info flow. Just trying to make illicit shell shipping harder.

Such a user can use http or better yet https as a transport as well or a floppy, usb hard drive, usb thumb drive, and email (especially with an encrypted attachment so that your filter can see what it is). Hell they can print it out and carry it in their briefcase if they wanted.

That's what I do ;)
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
Jason Dixon wrote:

On Dec 17, 2006, at 2:51 PM, carlopmart wrote:

Philip Guenther wrote:

On 12/17/06, carlopmart [EMAIL PROTECTED] wrote:
Does anybody know if some option exists to put in the rc.conf file, like FreeBSD does with ipv6_enable=NO, to disable IPv6 support on OpenBSD 4.0?

Nope. No such option exists in OpenBSD.

Or do I need to recompile kernel, modify sendmail.cf, etc, etc, etc ...?? In other words, do I need to reconfigure all processes that need ipv6 to startup??

Yeah, that's one way to end up with a system for which the developers will basically ignore you if you report a problem. Is that what you're trying to accomplish?

Yes, my security staff orders to disable IPv6 protocol on all our firewalls ...

Your security staff is clueless. I bet they like to block icmp echo-request too.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

Erm, I don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well actually inbound anything not shown to be required for specific 'services'. What about this is cluelez? I ask in a tone not of belligerence, but a desire to be informed by my betters.
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
Jason Dixon wrote:

On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:

Jason Dixon wrote:
Your security staff is clueless. I bet they like to block icmp echo-request too.

Erm, I don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well actually inbound anything not shown to be required for specific 'services'. What about this is cluelez? I ask in a tone not of belligerence, but a desire to be informed by my betters.

Why would you block icmp echo-request? What does that gain you in terms of security?

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

I block all inbound traffic to my networks not required for operations. I have a dns server; I allow inbound udp / tcp 53, and if it's not running other services that's all I allow. I run rules on the dns server that block it from making outbound connections except to 53 on servers off my network, and ntp to the time servers. Why would I let icmp in?

I have telnet turned off on all the servers, but I still block port 23, or actually fail to open it. Tools can be written to use icmp as a transport; obviously anything can be used as a transport, which is why we only allow traffic inbound to servers with services running we want public.

Why should I allow someone to ping my dns server? If you need to see if the server is up, telnet to port 53. A traceroute will die at the hop above the firewall, I know which ip that is. I don't care/need others to do so.
Re: ipsec vpn
Reyk Floeter wrote:

On Fri, Nov 03, 2006 at 12:35:55AM +, Paul Civati wrote:
My understanding is, if you want to support the simple connection of Windows clients, using the built-in VPN connector (eg. control panel - network - make new connection - VPN - L2TP), the server side needs:
1. IPSec VPN transport mode, most likely with dynamic IP endpoint
2. L2TP tunneling daemon
3. PPP daemon

no. you don't need l2tp + ppp. you're not talking about the built-in ipsec support, you're talking about a stupid wizard... starting with windows 2000, it is possible to use the built-in ipsec support. it is a bit hidden and the configuration is painful, but it actually works... you can configure it from the system management console or by executing system32\secpol.msc.

you can find some details on the openbsd-support.com website about mtu's approach to connect windows clients to openbsd ipsec gateways: http://www.openbsd-support.com/jp/en/htm/mgp/pacsec05/index.html

reyk

I use the following little script to startup ipsec on my w2k and xp clients. Preshared key is in a file c:\vpn\key. Running with certs is also fairly simple. This link http://vpn.ebootis.de/ will show you how to configure the windowze side. Configure the OBSD side as per the manpage. I have clients using the preshared method to AIX boxen, and others using x509 to a OBSD gateway.

mordred:root:/home/drichard # cat ipseccmds.bat

@ECHO OFF
REM Read the preshared key (first token of the file) into %prekey%
if exist c:\vpn\key (
    for /f "tokens=1" %%a in ('type c:\vpn\key') do set prekey=%%a
) ELSE (
    echo No Key no encrypty! EXITING
    GOTO END
)
REM This machine's name is used as the local tunnel endpoint
for /f "tokens=1" %%a in ('hostname') do set hostname=%%a
if EXIST "C:\Program Files\Support Tools\ipseccmd.exe" (
    REM this is an XP machine then
    SET PATH=%PATH%;C:\Program Files\Support Tools
    REM Outbound rule: this host -> gateway cqaddr, ESP with 3DES/MD5, preshared key
    ipseccmd -w REG -p BobSwan -r Host-arthur -t cqaddr -f %hostname%/255.255.255.255=cqaddr/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:%prekey% -lan
    REM Inbound rule: gateway cqaddr -> this host
    ipseccmd -w REG -p BobSwan -r arthur-Host -t %hostname% -f cqaddr/255.255.255.255=%hostname%/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:%prekey% -lan
    REM Activate the policy
    ipseccmd -w REG -p BobSwan -x
    GOTO END
) ELSE (
    IF EXIST "C:\Program Files\Resource Kit\ipsecpol.exe" (
        REM this is a Windows 2000 machine with the Resource Kit tool
        SET PATH=%PATH%;C:\Program Files\Resource Kit
        ipsecpol -w REG -p BobSwan -r Host-arthur -t cqaddr -f %hostname%/255.255.255.255=cqaddr/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:%prekey% -lan
        ipsecpol -w REG -p BobSwan -r arthur-Host -t %hostname% -f cqaddr/255.255.255.255=%hostname%/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:%prekey% -lan
        ipsecpol -w REG -p BobSwan -x
    ) ELSE (
        ECHO Don't know what you are running, no ipsec tools installed
    )
)
:END
Re: Status of hardware encryption accelerators - wetblanket
Andreas Bihlmaier wrote:

On Mon, Nov 06, 2006 at 09:49:07AM -0700, Darrin Chandler wrote:

Greg Mortensen wrote:

On Sun, 5 Nov 2006, Darrin Chandler wrote:
Can you say what the irrelevant i386 machine is? Lots of difference between a 90MHz PentiumI and a 3GHz Opteron, and I'd like to know where those numbers fit in.

The i386 results were sent to me off-list, so I don't know the processor details. "It's fast" will have to suffice. To put it in perspective, my fastest Intel systems report:

Xeon 3.00GHz
aes-128-cbc   56117.94k  59781.24k  62908.69k  63702.29k  63485.95k
Xeon 3.40GHz
aes-128-cbc   64935.33k  71725.72k  74294.15k  75431.37k  75419.89k

My fastest:

cpu0: AMD Opteron(tm) Processor 246, 1994.63 MHz
cpu1: AMD Opteron(tm) Processor 246, 1994.32 MHz

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     80713.16k    87876.85k    91431.72k    92622.31k    92688.52k

While that's *more* than fast enough for common tasks, the SBC + VIA Padlock ACE numbers you gave whip the pants off it for anything > 16 bytes.

Well, you should also consider bytes/watt :)

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     48246.54k   175071.41k   472434.09k   788228.58k   980033.81k

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Esther processor 1500MHz (CentaurHauls 686-class) 1.50 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2

Regards,
ahb

Those are very impressive numbers. What are you getting through these gateways? What is the net usable throughput client PCs on either end are able to exchange over the VPN?
Re: DNS setup
martin g wrote:

Hello all

Approx. 2 weeks ago i posted a question titled "web browsing" to this list. It was about how to setup NAT on my gateway so intranet computers can access Internet. The current situation is: I have a obsd3.9 box connected to internet using ppp.conf, on the inside i have a winXP box connected to switch, connected to obsd box. The thing that wasn't working was that my XP box couldn't access web pages. I blamed it on pf.conf. But that wasn't the case.

Today i tried this: I turned off Pf (i will set that up later). I checked man ppp and found this info: "...to turn on NAT add this line to ppp.conf: nat enable yes...". With this line added to ppp.conf things started to work.

Now the question:
1. My resolv.conf contains nameservers from my ISP
2. At the beginning xp box was setup with DNS parameter pointing to my gateway 192.168.0.1. I could not access Internet, then i changed this parameter to dns server ip of my ISP and things work again.

What must i do that things will work with dns parameter set to my gateway?

Your GW needs to run dns; resolv.conf sets up dns for the GW to use for itself, it does not make it a forwarder or nameserver. Do a search for setting up a caching dns box. Alternatively you could I suppose proxy dns requests from your client PC to your ISP's dns servers ...

Are there any security threats with parameters set to dns ip from my ISP? Will this be a problem when setting up Pf?

Depends on whether your ISP knows how to keep their dns servers secure.
Re: Need help with NAT + IPSEC
Johan Hedin wrote:

Hi

I need help with our IPSEC setup. We have an internal net 192.168.1.0/24. We have IPSEC to a customer on net 10.92.0.0/16. However, they already used the 192.168.1.0 net, so the IPSEC tunnel is to 10.84.230.0/28. I have set up 10.84.230.1 on the internal network interface (hme3), and added a manual route to 10.92.0.0/16 via 10.84.230.1. All works perfect on the firewall. On the internal net however, I can not reach the 10.92 net. I have tried to nat 192.168.1.0 via 10.84.230.1. NAT works, but the packets are thrown back out on hme3 with 10.84.230.1 as source address and not via enc0 as I want. How would one solve this?

TIA
Johan Hedin
CTO eCare AB

Hi, this has been discussed here before. From the man page:

---
NAT can also be applied to enc# interfaces, but special care should be taken because of the interactions between NAT and the IPsec flow matching, especially on the packet output path. Inside the TCP/IP stack, packets go through the following stages:

    UL/R --> [X] --> PF/NAT(enc0) --> IPsec --> PF/NAT(IF) --> IF
    UL/R <-- PF/NAT(enc0) <-- IPsec <-- PF/NAT(IF) <-- IF

With IF being the real interface and UL/R the Upper Layer or Routing code. The [X] stage on the output path represents the point where the packet is matched against the IPsec flow database (SPD) to determine if and how the packet has to be IPsec-processed. If, at this point, it is determined that the packet should be IPsec-processed, it is processed by the PF/NAT code. Unless PF drops the packet, it will then be IPsec-processed, even if the packet has been modified by NAT.
---

What I do for this is I have my vpn server in a dmz:

                  EVIL INTERNET
                  /           \
                 /             \
               em0             em0
            +------+         +------+
            |  fw  |em1--DMZ--em1| vpn |
            +------+         +------+
               em2
          Internal networks

Outbound traffic to your customer gets nat-ed on em1 of fw.
Inbound traffic from your customer gets nat-ed on em1 of vpn.

This may or may not be 'correct' but it works here, and it is pretty simple.
low through-put on bge cards OBSD 4.0 3.9
I have a pair of Sunfire x2100's I am trying to configure as vpn routers to bridge between two Data Centres.

isakmpd - easy
working bridging - also easy
bridging over ipsec tunnel - surprisingly easy as well

The problem I am having is the one part that I _assumed_ would be the easiest. I can not seem to get more than ~43 megabytes per second through the bge cards on these boxes. This is the unencrypted speed with the cards attached by x-over cable or on a 2950 switch with only these two boxes attached. I am running 4.0 using the 386 mp kernel compiled for IOAPIC. I had essentially the same results w/ 3.9.

I tried installing Suse 10.0 just to see what kind of throughput I got there, and was getting ~80 megabytes per second. This told me that the HW was at least capable of getting the throughput I expected. Of course the bloody linux dist is useless for these types of applications.

Any suggestions?
Re: low through-put on bge cards OBSD 4.0 3.9
Kyle George wrote:

On Mon, 30 Oct 2006, Dag Richards wrote:
I can not seem to get more than ~43 megabytes per second through the bge cards on these boxes. This is the unencrypted speed with the cards attached by x-over cable or on a 2950 switch with only these two boxes attached.
[snip]
Any suggestions?

Try bumping net.inet.tcp.recvspace and net.inet.tcp.sendspace.
http://www.openbsd.org/faq/faq6.html#Tuning

Yes, I had tried setting the send and receive buffers to 65536 on 3.9; it helped but not much as I recall. I just tried setting the buffers on 4.0 and got ~57 MBps throughput, so thanks, that's better.

I am using the oh so precise and accurate ftp as a means of measuring throughput. I know it is at best an imprecise method, but I was so far off my expectation I did not see the point in being more rigorous. I just downloaded the iperf package, I will see if I can get some more precise numbers.
Re: Experience with isakmpd/ipsec in production?
Sven Ingebrigt Ulland wrote:

We are about to deploy some fairly critical VPN functionality in our network, and for that purpose we're considering using OpenBSD with isakmp/ipsec. We've had a test setup running for some time now with no problems, but I'm interested in hearing about your long-term experiences with running openbsd ipsec/isakmpd in critical production environments. My excuses for the survey-ish feeling of this post.

How long have you been running openbsd isakmpd/ipsec (in production)? What problems, if any, have you had with the openbsd vpn implementations? Which of them are the most recurring? How do you usually fix them? Have you experienced any interoperability problems when establishing tunnels with peers that run other implementations (cisco, checkpoint, etc)? And if so, how do you work around those?

On the outside, it seems to me that the vpn implementation in openbsd is good and stable, which could also stem from the corporate funding it received. And the relevant files in cvs seem to be changed rather infrequently.. also a good sign. But I'm not familiar with the inside, which is what i was hoping you could help out with.

regards,
Sven U

We have been running vpn's here for over a year using isakmpd on OBSD beginning with 3.7. We currently have a mix of 3.7, 3.8 and 3.9, on SPARC and AMD, all on SUN hardware. We use it to connect medical systems at two county jails to our hospital data center. We also use it to connect pharmacists and radiologists to our systems for after hours service. So an entire county medical infrastructure would be unable to issue meds or read x-rays after hours if our vpn tunnels were down.

We have found OBSD to be very reliable. We have had a single 'hang' that could not be resolved by HUP-ing isakmpd, so we simply failed over to the sasync secondary system. Otherwise once these puppies go up ... they pretty much just work and work and work.

Interop with Checkpoint has been dead simple, with Cisco less so. I have found that when tunneling to something the other side has called Cisco VPN concentrators, things go more smoothly if you use 3DES and MD5. Seems that if you try to use SHA we never seem to get past a phase one state.

One thing about OBSD you will find to be truly bizarre is that things work as documented AND the man pages are concise and useful AND all features and config files are documented. I used to manage a small herd of Checkpoints and Netscreens, I have never looked back.
Re: sshd question
holger glaess wrote:

hi

i hope this list is the right one for my question. i look for a function to limit the login by name AND ip range. example:

root login ALLOW from www.xxx.yyy.zzz deny from all
myname login ALLOW from all deny from www.xxx.yyy.zzz

does a feature / function of sshd exist to do this, or do i need additional software? i didn't want to start a discussion about security and why i permit login as root.

holger

I think this request looks kinda silly. Use pf:

block quick log on $ext_if proto { tcp udp } from <bad_people> to any

to keep out those you know you don't want on. Require certs with passwords, no tunneled plaintext passwords. You don't HAVE to allow root logins; make people login as themselves and su, or better sudo.
Re: tunnels
Yes you can do that but, why gre tunnels instead of ipsec?

Gustavo Rios wrote:

I would like to configure a virtual network over multiple physical locations. So, i am seeking if it could be possible using gre tunnels. Local private addresses will be 10/8 and the gre network of tunnels should be 192.168.0.0/23. Is it possible?

Thanks in advance.
[Fwd: Re: OpenBSD and high availability]
I am running two clusters using carp for network failover. I use rsync every 15 minutes for the simple webapp which issues x509 certs. A script runs on each node to check if it is master; if so it makes a crl, if not it pulls the directory hierarchy from the master. The other cluster does the same for the web pages, but uses Mysql replication to keep the databases in sync.

Sooo ho hoo much cheaper than our AIX HACMP clusters on EMC. 80-90% of the functionality for ~5% of the cost.

Seems to me that there was/is some daemon on the redhated step child of a distro that you could use to look for changes in a file or dir structure. I'll see if I can remember/find it, I thought it was from SGI. This may or may not help: http://oss.sgi.com/projects/fam/links.html

Jens Mayer wrote:

Dear all,

we are thinking about a scenario on how to set up a server offering http, ftp and a few postfix/mailman driven mailinglists with a redundant failover. I'm _not_ talking about load balancing here - only the master is serving, while the slave sits still and waits, probably with all services shut down until taking over.

While the networking part can be handled by carp, I'm collecting ideas on how to keep the local file systems in synch - especially for ftp users and the mailinglist archives. The synchronization will be done via a dedicated cross connect cable directly between the boxes.

I've seen nice concepts like DRBD (www.drbd.org), offering a RAID-1 network block device, but did not find anything like that for OpenBSD. Of course there's always the possibility of scripting something of your own using rsync and friends, but I'm curious if some of you have a similar setup running and can share some ideas, thoughts and big red warnings.

Kind regards,
Jens
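The master-check cycle described in the post above, written out as an added example (this is not the poster's script): read the carp state, regenerate the CRL on the MASTER, pull the CA tree from the peer on the BACKUP, and do nothing in any other state. The interface name, peer address and CA paths are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): one sync cycle for a two-node
# carp cluster that serves a small CA. The MASTER regenerates the CRL,
# the BACKUP pulls the CA tree from its peer.
# Assumed names: carp0 is the failover interface, PEER is the other
# node's real (non-carp) address, CA_DIR/CA_CONF locate the CA.
set -u

CARP_IF=${CARP_IF:-carp0}
PEER=${PEER:-10.0.0.11}                   # real address of the other node (assumed)
CA_DIR=${CA_DIR:-/var/ca}                 # CA hierarchy to keep in sync (assumed)
CA_CONF=${CA_CONF:-/var/ca/openssl.cnf}   # openssl ca config (assumed)

# carp_state TEXT: extract MASTER/BACKUP/INIT from ifconfig output, which on
# OpenBSD contains a line like "carp: MASTER carpdev em0 vhid 1 ...".
# Prints nothing if no carp line is present (e.g. wrong interface name).
carp_state() {
    printf '%s\n' "$1" | sed -n 's/.*carp: \([A-Z]*\).*/\1/p' | head -n 1
}

# decide_action STATE: only two states do work; INIT or an empty state
# (interface missing) must not touch the CA tree in either direction.
decide_action() {
    case "$1" in
        MASTER) echo gencrl ;;
        BACKUP) echo pull ;;
        *)      echo skip ;;
    esac
}

run_cycle() {
    state=$(carp_state "$(ifconfig "$CARP_IF")")
    case "$(decide_action "$state")" in
        gencrl)
            # Master owns the CA database: issue a fresh CRL from it.
            openssl ca -config "$CA_CONF" -gencrl -out "$CA_DIR/crl.pem"
            ;;
        pull)
            # Backup mirrors the master. Pull from the peer's real address:
            # the shared carp address is also configured on the backup's own
            # carp0, so a connection to it from the backup lands locally.
            rsync -az --delete "root@$PEER:$CA_DIR/" "$CA_DIR/"
            ;;
        *)
            echo "carp state '$state' on $CARP_IF: nothing to do" >&2
            ;;
    esac
}

# Act only when invoked as "script.sh run", so the file can be sourced for
# its functions without side effects.
if [ "${1-}" = run ]; then
    run_cycle
fi
```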
Re: OpenBSD and high availability
Nick Holland wrote:

knitti wrote:

On 8/7/06, Jens Mayer [EMAIL PROTECTED] wrote:
While the networking part can be handled by carp, I'm collecting ideas on how to keep the local file systems in synch - especially for ftp users and the mailinglist archives. The synchronization will be done via a dedicated cross connect cable directly between the boxes.

while I would do it with rsync (I know, depends on what you want to do), I don't see any reason why ccd'ing two large nfs-exposed files shouldn't work. But I think this would be more ugly and complicated than rsyncing every x minutes...

Simplicity is your friend. rsync is simple, easy to understand, and easy to recover. mirroring over NFS is not simple. My money would be that you would spend less time up and lose more data than a single, completely non-redundant workstation (yes, no rsync, but with a good backup plan, which you need anyway)...all in the name of high redundancy.

No, I can't prove it, but I much prefer the simple solution which has simple and understood problems, than the system which is never supposed to break...and will anyway, in ways you never imagined, and may not be able to figure out. Experience tends to suggest I'm right on that...

Nick.

Seconded, we buy a lot of expensive proprietary gear and ware here. No one truly understands most of it, vendors won't tell us about it. It is never supposed to break and when it does it is expensive to get fixed. Home grown is great if it is dead simple/straight forward/elegant. If you are going to go make a hairball you may as well buy one. That way you can get to the pain quicker and it will take less time.
Re: OpenBSD Gateway to replace old Linux gateway
Webmaster Elaconta wrote:

I'm not looking forward to addressing the router to a different subnet (and i know that would solve the problem) because our Internet-facing servers are connected directly to that router in DMZ fashion (the router forwards ports to them). The firewall is also connected directly to that router and the LAN is in turn connected to the firewall. Changing the subnet on the router would mean we would have to reconfigure a number of Internet services which sort of depend on the 192.168.1.x network configuration. Now, if you know how to do what I want with OpenBSD, i would love to hear it.

You can configure OBSD to be a transparent bridge, as people here have told you. Setting up bridging is pretty simple, I did it in an afternoon for a test env. Having a system conf-ed to bridge does not preclude an IP or running services. Read the bridge and brconfig man pages, that will get you going; you can find the man pages at http://www.openbsd.org/cgi-bin/man.cgi if you do not have a running system.

After listening to the solution, i can then judge for myself if the solution works. Even if we maintain the broken architecture for a while - i'm not even sure if it is that broken, since it worked for years without a squeak - at least we'll have a secure OS running it.

A better way to config may be to run your fw as

out_if=192.168.1.121
in_if=192.168.2.1

Nat your pcs behind 192.168.1.121, change the default gw of your pcs to be 192.168.2.1 and continue life fairly close to what you consider to be normal.

If it's not something you can get to, perhaps you could hire someone to set it up; Jason Dixon monitors this list, he consults and seems to be pretty sharp.

Trust them however when they say your configuration is broken. People with heart murmurs pump blood for a long while, but are often eventually betrayed by their hearts.

working( today yesterday ) != { working( tomorrow ) || good_idea(1) };

--
Elaconta.com webmaster

--
On 7/27/2006, Nick Holland [EMAIL PROTECTED] wrote:

elaconta.com Webmaster wrote:

Howdy

We have here an old (Mandrake Linux 8 - yeah i know...) PC with two NICs which serves as a firewall for our LAN and runs a Bind caching nameserver. Although the machine is getting old, it still works well. Thing is, i'm having a hard time trying to reproduce it, that is, getting another PC to do exactly the same thing this PC is doing. It was configured by a guy that left the company, so i can't simply ask him how he configured it. It's a precautionary measure, if the machine breaks down we need another one to go in its place.

Yes You Do.

So while am at it i would love to replace the crusty old thing with a new one running OpenBSD. The networking scheme is:

Router (192.168.1.120) - (192.168.1.121) Firewall PC (192.168.1.122) - (192.168.1.0/24) LAN

Now, thing is, the Linux firewall has two NICs:
NIC 1: 192.168.1.121
NIC 2: 192.168.1.122

The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses the company router (192.168.1.120) and 192.168.1.122 accesses the company LAN (192.168.1.0/24). From what i've googled, this shouldn't even be possible, everything is on the same subnet. Regardless, it works great, and if i went and got an OpenBSD rig to replace the old Linux rig, it would have to retain this networking scheme, we can't afford to reconfigure the entire network just for switching our firewall.

NO, you can't afford to avoid switching your firewall because of a misconfigured network. Your network is broke NOW. If that old box dies or gets rooted (if it hasn't been already), you will be looking at a lot bigger problems than renumbering a network.

I know we could use a network bridge, but we need the caching nameserver functionality.

Not everything has to be in one box. I don't know how big your company is, but I'm sure you have spare boxes lying around you can use as a DNS resolver/server. Split the task up if you need to. Or..put an IP address on one leg of the bridge. Lots of options.

I'm an all round Unix guy, but i'm a bit green on the routing department. Can an OpenBSD box be configured the same way the Linux box is so it can be a drop-in replacement for the Linux box? I can of course depict in further detail the configuration of the Linux box (netstat -r to show the routes, ifconfig or whatever).

If your network is dependent upon strange tricks, it is misconfigured. If you can't pull one part out and replace it with another one, it is misconfigured. You should be able to choose the components that serve you best, not live with the only thing that works. It is better to fix this on your schedule than to react to a disaster when it happens (note use of the word when...)

Keep in mind...rather than renumbering your internal network, you can just re-address your router to
Re: pf isakmpd: NAT through encryption interface?
Stephen Bosch wrote:

Imagine the following scenario: You have two VPN endpoints. One is an OpenBSD system running isakmpd and pf, the other is a VPN concentrator from some vendor. The OpenBSD already has other VPNs set up, all using the same internal network. Renumbering isn't going to work. The VPN concentrator operator has an internal addressing scheme he insists other endpoints conform to.

The question, then: Is it even possible to NAT through an encryption interface? For example:

OpenBSD internal network: 192.168.45.0/24
Network other guy would prefer OpenBSD use: 10.110.40.0/24
Network other guy is using: 10.110.10.0/24

The command might look like this:

nat on $enc_if from 192.168.45.0:network to 10.110.10.0:network -> 10.110.40.10

Forgive me if this i) is impossible, ii) is crazy, iii) the syntax of the command is wrong. I'd rather run it past the list than tinker on production equipment.

Thanks for any help and advice,
-Stephen-

blind leading the blind here, but ... This was recently discussed, and it was pointed out that the decision to encrypt happens before the nat-ing. I deal with this self same issue by the lazy expedient of a firewall with a vpn server that has one interface in the dmz and one on the public net. So I do the vendor mandated nat-ing and pass to the vpn server. This made writing the pf rules for both sets of machines pretty straightforward.