Re: VPS default gateway in a different subnet than host

2016-12-13 Thread Dag Richards

With TCP, the default is pretty much always in the same subnet as at
least one interface of any given host. One can do things with VPN, and
gif's and gre's etc. which can work around some oddball situations.

However.

If there is a local router that you use to get to your 'default'
gateway, I would characterize that local router as your default gateway.

How about showing us an ifconfig and a netstat -rn?

Jyri Hovila [iki.fi] wrote:

Hi,

a brief follow-up.

With Linux, for a default gateway that resides in a different subnet than the
host, all that has to be done is 1) adding a static route to the
default gateway and then 2) adding the default gateway to the routing table.

With my OpenBSD test case, I already have a static route to the default
gateway (thanks to a correctly configured DHCP server) but when I try to
add the default gateway:

# route add default 5.166.16.254
add net default: gateway 5.166.16.254: Too many levels of symbolic links

I'm still googling but haven't found a solution yet.

Any tips, anyone?

- Jyri



--
Dag H. Richards  ( no title / no lettres )

The first rule of tautology club is the first rule of tautology club.

This message may or may not contain proprietary information.
Since it is being relayed by SMTP across an unknown number of
relays to its destination, using a protocol that is traditionally
plain ASCII, it's silly to pretend it is still confidential.
If you are not the intended recipient of this message,
there is simply nothing I can do about that. Attempting to bind you
to some destruction protocol through this windbag sig paragraph is
Quixotic at best..



Re: can't find fstab entry ?

2016-09-10 Thread Dag Richards

On 9/10/16 12:54 PM, Theo de Raadt wrote:

On Sat, Sep 10, 2016 at 06:52:39PM +0300, Consus wrote:


On 03:09 Mon 05 Sep, Theo de Raadt wrote:

OpenBSD 6.0 GENERIC.MP#0 amd64

My fstab entry looks like :

10.10.10.10:/srv/share /mnt/ops_test nfs defaults,noexec,nosuid,nodev,auto 0 0

However:

$ doas mount /mnt/ops_test
doas (m...@example.com) password:
mount: can't find fstab entry for /mnt/ops_test


Any ideas?  That style of fstab entry seems to work fine on my linux
boxes (albeit with nfs4 instead of nfs, but that makes no difference
on openbsd).


Well, openbsd is not linux.

Have no idea what that word "defaults" in there means.


I guess it would've been better to say something like:

mount: unknown option "defaults" for /mnt/ops_test

Care for a patch?


The option parsing code already gives you an error message if it sees
an unknown option.


Such as:

 mount_ffs: -o default: option not supported

Summary: The OP has a learning disability.  He should probably stay in
Linux land, where the field is large, and his inability can remain
hidden.  See, once again I am not insulting Linux.




"See, once again I am not insulting Linux."

Hopefully you have derived some modicum of amusement from this exchange.

It's had me chuckling all afternoon.

More proof that OBSD deserves its reputation for harshness.

Whereas with Linux ... Well, Linus is known as a humble, compassionate
person, whose patience and kindness are admired by all.  It's always heart
warming how Linus monitors the maligning lists and chimes in with
helpful hints and words of encouragement.



when I type dir in the command thingy it never tells me the files it sees.



--

IS-IS sleeps.
BGP peers are quiet.
Something must be wrong.



Re: OpenVPN, tap interface and bridge

2015-11-02 Thread Dag Richards

I run OpenVPN on a pair of carped up gateways 

What are you trying to achieve with this very odd sounding config?
There may be a more straightforward way to get there.


Adam Wysocki wrote:

Hi,

I have an OpenVPN server running on OpenBSD. I use tunX interface in tap
mode (as far as I know, it's the OpenBSD equivalent of tapX interface from
Linux, so it should be bridgeable):

dev tun1
dev-type tap

No IP is assigned to this interface, because I want to bridge two OpenVPN
interfaces and one Ethernet interface and assign IP address directly to a
bridge.

OpenVPN is running and ifconfig looks like that:

tun1: flags=8051 mtu 1500
priority: 0
groups: tun
status: active

However:

gof@bsd:~$ sudo ifconfig bridge0 create
gof@bsd:~$ sudo ifconfig bridge0 add tun1
ifconfig: bridge0: tun1: Invalid argument

Bridge ifconfig:

bridge0: flags=0<>
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Can I do something to solve it?






Re: NFS umount stuck on client machine

2015-09-09 Thread Dag Richards

I had this happen once before in the long long ago.

I wound up creating a new nfs server with an export of the same name.
The client was then able to dismount.
Certainly a PITA; a reboot, though cause for self-loathing, may be simpler.

If you mount from fstab in the future make sure you soft mount it.


Dot Yet wrote:

Hello,

I've a stale nfs mount stuck on one of the client machines. The NFS server
was powered down and decommissioned, but the client did not umount the nfs
directory beforehand. Is there a way for me to clean up the stale nfs
connection on the client side without restarting the machine? I've tried
umount -f, but that did not help.

Let me know if there is a simpler way.

Thanks,
dot.






Re: What happens to OpenBSD when Secure Boot becomes mandatory?

2015-04-02 Thread Dag Richards

Todd C. Miller wrote:

On Thu, 02 Apr 2015 16:38:29 -0400, Steve Litt wrote:


What happens to OpenBSD when Secure Boot becomes mandatory?


Please read those articles again, Secure Boot is *not* mandatory
for Windows 10.  The major change is that for Windows 8 Microsoft
*required* hardware vendors to provide a setting to disable Secure
Boot.  To be certified for Windows 10, the hardware is no longer
required to have this setting.

So no one is being forced to make Secure Boot mandatory.  If some
hardware vendors choose not to include a way to turn it off they'll
simply lose some business.  At worst this creates new opportunities
for vendors interested in PC sales for Linux, BSD, etc...

The sky is not falling.

 - todd




Pretty sure the sky _is_ falling, I know a guy whose cousin saw a piece 
of it on the sidewalk yesterday.





Re: libressl.org broken link

2014-10-15 Thread Dag Richards

Sigh, it's sad when a project with that much potential has no goals.
Hopefully it's just a phase.


Daniel Dyla wrote:

I'm not sure where this sort of thing is supposed to be reported but the
Project Goals link on libressl.org (http://libressl.org/goals.html) is
giving me a 404 error.




Re: Donations to OpenBSD

2014-08-13 Thread Dag Richards

Seems pretty easy to make donations.
Send money. Don't want a CD? OK, Send money.

The documentation is already provided, the FAQ is an excellent codicil 
to the man pages.  No need for a PDF really.

There is a clear need for money.

Demonstrate your willingness and interest to contribute by ... 
contributing.


The free suggestions are not as useful as money.
Send some money, then sit back enjoy the software and be generally quiet.

Every now and again we get to watch Theo go off on someone; it's fun even
though I kinda worry about him bursting a vein at us.



Theo de Raadt wrote:

Suggestion:  Package the release notes, FAQ and some other documentation
into a PDF and sell that at the same price as the CD, from the same
place.  I'd buy that.  It would be better quality than the (often) crap
O'Reilly sell, and I buy that.


We should do more...  Then you'll give us more




Re: feature patch - replace /etc/crontab by /etc/cron.d/

2014-04-08 Thread Dag Richards

No Theo, I don't think you understand: if you accept the patch then you will
be more like Ubuntu and other MODERN operating systems.

Why put everything in a single easily readable file, when you can split
it up into multiple directories?

Which reminds me, when are you going to ditch /etc for a nice registry
database?




Theo de Raadt wrote:

In your dreams.



here is a simple patch to replace /etc/crontab by /etc/cron.d/.
You need to manually mkdir /etc/cron.d.


--- pathnames_original.hMon Apr  7 22:31:53 2014
+++ pathnames.h Tue Apr  8 16:12:30 2014
@@ -92,8 +92,8 @@
  #define PIDFILEcron.pid
  #define _PATH_CRON_PID PIDDIR PIDFILE

-   /* 4.3BSD-style crontab */
-#define SYSCRONTAB /etc/crontab
+   /* system crontab dir */
+#define SYSCRON_DIR/etc/cron.d

 /* what editor to use if no EDITOR or VISUAL
  * environment variable specified.
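Review bot: the pathnames.h hunk removes SYSCRONTAB outright instead of adding SYSCRON_DIR beside it, so on upgrade every host that has an /etc/crontab silently stops running those entries, and the only migration guidance is the cover note's "You need to manually mkdir /etc/cron.d". Keep `#define SYSCRONTAB` alongside the new define so load_database() can read both, or spell out the migration in cron.8.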
@@ -42,30 +42,31 @@

 Debug(DLOAD, ([%ld] load_database()\n, (long)getpid()))

-   /* before we start loading any data, do a stat on SPOOL_DIR
-* so that if anything changes as of this moment (i.e., before 
we've

-* cached any of the database), we'll see the changes next time.
+   /* before we start loading any data, do a stat on SPOOL_DIR and
+* SYSCRON_DIR so that if anything changes as of this moment
+* (i.e., before we've cached any of the database), we'll see
+* the changes next time.
  */
 if (stat(SPOOL_DIR, statbuf)  OK) {
 log_it(CRON, getpid(), STAT FAILED, SPOOL_DIR);
 return;
 }

-   /* track system crontab file
-*/
-   if (stat(SYSCRONTAB, syscron_stat)  OK)
-   syscron_stat.st_mtime = 0;
+   if (stat(SYSCRON_DIR, syscron_stat)  OK) {
+   log_it(CRON, getpid(), STAT FAILED, SYSCRON_DIR);
+   return;
+   }

-   /* if spooldir's mtime has not changed, we don't need to fiddle 
with

-* the database.
+   /* if spooldir's and syscrondir's mtime has not changed, we 
don't

+* need to fiddle with the database.
  *
  * Note that old_db-mtime is initialized to 0 in main(), and
  * so is guaranteed to be different than the stat() mtime the 
first

  * time this function is called.
  */
 if (old_db-mtime == HASH(statbuf.st_mtime, 
syscron_stat.st_mtime)) {
-   Debug(DLOAD, ([%ld] spool dir mtime unch, no load 
needed.\n,

- (long)getpid()))
+   Debug(DLOAD, ([%ld] spool dirs mtime unch, no load 
needed.\n,

+   (long)getpid()))
 return;
 }

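Review bot: this `@@ -42,30 +42,31 @@` hunk carries no `---`/`+++` header of its own, so the patch as posted presents it as a second hunk of pathnames.h and will not apply; add the header for the file containing load_database(). On the logic: the old code tolerated a missing system crontab (`syscron_stat.st_mtime = 0` and carry on), but the replacement `stat(SYSCRON_DIR, ...)` check logs STAT FAILED and returns, which abandons loading of the entire database, user spool included, whenever /etc/cron.d is absent, and the cover note says that directory has to be created by hand. Treat a missing directory like the old missing file and skip only the system entries. Note also that the early-return mtime comparison now keys off the directory's mtime, which moves when an entry is added or removed but not when an existing file under /etc/cron.d is edited in place.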
@@ -77,28 +78,45 @@
 new_db.mtime = HASH(statbuf.st_mtime, syscron_stat.st_mtime);
 new_db.head = new_db.tail = NULL;

-   if (syscron_stat.st_mtime) {
-   process_crontab(ROOT_USER, NULL, SYSCRONTAB, 
syscron_stat,

-   new_db, old_db);
-   }
-
 /* we used to keep this dir open all the time, for the sake of
  * efficiency.  however, we need to close it in every fork, and
  * we fork a lot more often than the mtime of the dir changes.
  */
-   if (!(dir = opendir(SPOOL_DIR))) {
-   log_it(CRON, getpid(), OPENDIR FAILED, SPOOL_DIR);
+   if (!(dir = opendir(SYSCRON_DIR))) {
+   log_it(CRON, getpid(), OPENDIR FAILED, SYSCRON_DIR);
 return;
 }

-   while (NULL != (dp = readdir(dir))) {
-   char fname[MAXNAMLEN+1], tabname[MAXNAMLEN];
+   char fname[MAXNAMLEN+1], tabname[MAXNAMLEN];

+   while (NULL != (dp = readdir(dir))) {
 /* avoid file names beginning with ..  this is good
  * because we would otherwise waste two guaranteed calls
  * to getpwnam() for . and .., and also because user 
names
  * starting with a period are just too nasty to 
consider.

  */
+   if (dp-d_name[0] == '.')
+   continue;
+
+   if (strlcpy(fname, dp-d_name, sizeof fname) = sizeof 
fname)

+   continue;   /* XXX log? */
+
+   if (snprintf(tabname, sizeof tabname, %s/%s, 
SYSCRON_DIR,

+   fname) = sizeof(tabname))
+   continue;   /* XXX log? */
+
+   process_crontab(ROOT_USER, NULL, tabname, syscron_stat,
+   new_db, old_db);
+   }
+
+   closedir(dir);
+
+   if (!(dir = opendir(SPOOL_DIR))) {
+   log_it(CRON, getpid(), OPENDIR FAILED, SPOOL_DIR);
+   return;
+   }
+
+   while (NULL != (dp = readdir(dir))) {
 if (dp-d_name[0] == '.')
 continue;


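Review bot: in the new /etc/cron.d loop every file is passed to `process_crontab(ROOT_USER, NULL, tabname, syscron_stat, ...)` with the single, shared directory stat buffer, so each call clobbers what the previous one recorded and nothing here stats the file itself; combined with the directory-mtime short-circuit above, an in-place edit of an existing file is never picked up until some entry in the directory is created or removed. Stat each file (or pass a non-NULL fname and let process_crontab do it) and use a per-file buffer. The two `continue;   /* XXX log? */` branches should log: a name that does not fit fname or tabname means a job that silently never runs, which is exactly what an operator needs to hear about. Since everything in this directory is run as ROOT_USER, confirm that process_crontab enforces the owner and mode checks for these entries, because the hunk itself adds none.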
--- cron_original.8 Mon Apr  7 22:31:53 2014
+++ cron.8  Tue Apr 

Re: feature patch - replace /etc/crontab by /etc/cron.d/

2014-04-08 Thread Dag Richards

all sarcasm on my part.
hate the whole /etc/hourly /etc/daily /etc/whim-time cron crap

was happy to see Theo's reaction.  Was jerking the list's chain.


sven falempin wrote:

Look what Linux is accepting now: stuff like systemd, how modern! and so
nicely done!

Maybe having a .d looks .damned cool but does it really solve something?

New is not better, modern surely isn't.

If there is a way for OpenBSD to move to a cron.d it probably needs a nice
explanation:
 - problems to be solved
 - why it is the best way to solve it
 - what other solutions have been discarded and why.
 - (and is the gain of the change worth the work of the change)

PS:
If you install software that requires recurrent tasks it should be done
with a user with specific privileges, so set up a crontab for this user.


Geez don't you have a TLS server to patch !

On Tue, Apr 8, 2014 at 4:59 PM, Dag Richards dagricha...@speakeasy.net wrote:


No Theo, I don't think you understand: if you accept the patch then you will be
more like Ubuntu and other MODERN operating systems.

Why put everything in a single easily readable file, when you can split it
up into multiple directories?

Which reminds me, when are you going to ditch /etc for a nice registry
database?




Theo de Raadt wrote:


In your dreams.


 here is a simple patch to replace /etc/crontab by /etc/cron.d/.

You need to manually mkdir /etc/cron.d.



Re: cheapest firewall?

2014-02-04 Thread Dag Richards

Block of spruce with 2 RJ45 ports.

It's new and will stop all unwanted traffic, you can put OpenBSD right on
top of it.


Low power, easy to maintain.



Theophile Envt wrote:

 Gigabyte GA-C1037UN-EU  motherboard ? 2 Lan fanless...


2014-02-01 Adam s...@my-balls.com:


Any suggestions for the cheapest possible firewall (that is new hardware
not re-purposing some old stuff)?  All I need is 2 ethernet interfaces and
for it to run openbsd.




Re: Cisco routers

2014-01-31 Thread Dag Richards

On 1/31/14 11:59 AM, Holger Glaess wrote:

Am 31.01.2014 20:44, schrieb Matt M:

This may not be the most appropriate place to ask, but I figured a lot of
you are using Cisco on your networks.

I am beginning to study for the CCNA and I want to purchase at least one
Cisco router and a switch for a home lab. I don't want to spend a lot of
money unnecessarily, and have been looking at the 2600 routers. Since I
don't know anything about Cisco hardware, I don't know if this is too
old,
if it still applies in the industry, what I might be lacking in the
IOS and
the hardware capabilities, etc.

What would you guys recommend for a starter lab that will give me what I
need to apply to real-world networks?


hi

don't waste your money on old Cisco hardware.

everything you need is GNS3 - www.gns3.net.

and, maybe, the Cisco Packet Tracer.

I already finished the CCNA completely with these tools and I use them
for the CCNP certification too.

holger



Holger is correct.

Packet Tracer is the best tool for the CCNA level training.

To replicate the labs you need you would need a couple of switches and
maybe as many as 4 routers.

Cisco Academies use Packet Tracer almost exclusively for the training.
Everything you can get tested on can be done there.

You can find it for download on the web in various places, though it is
_supposed_ to be restricted to students at a Cisco Academy.

GNS3 is great, though for now you can't do IOS switches there.
People will tell you there are workarounds, and there are.

But if your objective is to train for and pass your CCNA, Packet Tracer
is your friend.




Re: Request for Funding our Electricity

2014-01-16 Thread Dag Richards

I have a suggestion for every one of us that has mailed in an idea in
response to a solicitation for money...


Send money.

Just do it right now, write a cheque. Send it, send it now.
Do that a couple of times a year.
Buy a cd twice a year, get at least one t-shirt with each order.

Were we told how much the monthly electron bill is?
I can step up my contribution a bit.

Could we save money by converting to steam? Maybe we could remove
support for COFF binaries 'cause they are, you know, bad or old or
something. Or perhaps running the build farm on Raspberry Pis. I
understand Linux has a cross compiler and that way we could all
just shut up and chip in some dough.



Steven Chamberlain wrote:

I've set up a small recurring donation for now.

I'd like to throw out some ideas and questions if I may:

* Anyone selling an OpenBSD-based solution to business customers might
want to imagine the OS has some sort of 'license fee', increase the
quote for their work accordingly, and pass along the sum in donations.

* Please could we get a newer picture than rack2009.jpg?  I assume much
has already changed;  I don't see a loongson build machine for example.
 Would the picture be anywhere near representative of where the CAN$20k
electricity costs arise?

* Is there any easy means on-hand to measure power consumption, maybe
reading stats from the UPSes, or using plug-in meters such as those made
by CurrentCost; would anything like that be worth putting on the
hardware wishlist?

* Could potential energy savings be roughly worked out, and maybe
mentioned in the hardware wishlist somehow?  Would a Sun Fire T1000 be
able to replace some number of older sparc boxes for example?  And as
SSDs become larger, would a pair of them be able to replace some number
of power-hungry 10k RPM disks?  Such things are all the more valuable as
donations if they have a lower operating cost than what they replaced.

Regards,




Re: Looking for a laptop in the Toronto area

2013-10-30 Thread Dag Richards

Theo de Raadt wrote:

On 2013-10-30, Aaron Mason simplersolut...@gmail.com wrote:

Is the fan functioning?  If so, have you tried opening up the laptop
and re-applying thermal grease to the CPU?  If the laptop has a few
years under its belt, the old grease could have perished.

While this might give the machine a bit more life, a laptop old enough
to have suffered this is not the most ideal of machines to be used for ports
development work which frequently involves building fairly large pieces of
software.


It's all well and nice to try to recommend that a developer who
works on many of the ports you use -- go fix his fan...

But really, those of you who are telling him that are MISSING THE POINT
ENTIRELY.



<sarcasm>
Oh no we get the point, the dev is just a freeloader looking for a
handout of some free hardware.  Where the rest of us have to work hard and
pay for all the hardware and software we get.

<irony>
Right 'cause we pay good money for the BSD software we run our
businesses on, not to mention the expensive support contracts required.

</irony>

<sarcasm>

Oh, time to help is it?
Where to send the cheque?







Re: Notifies on CARP failover

2013-10-24 Thread Dag Richards

Andy wrote:

Hi,

Could anyone point me in the right direction on how to have a script be 
executed whenever a CARP failover or preempt event occurs?


Need to write a script to send an event message into our monitoring 
systems so we can see when a change has occurred.


I haven't used ifstated yet. Is this the right tool for this? And if so,
could someone throw me an example if you have one?


Thanks, Andy.



Read the ifstated man page and the one for ifstated.conf.

That should get you there.




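An ifstated.conf that does what Andy asks for, added here as an example and not part of the original thread: it assumes the CARP interface is carp0 and uses logger(1) in place of the site's own monitoring hook.

```conf
# /etc/ifstated.conf - alert on CARP master/backup transitions.
# Added example, not from the original thread. Assumes the CARP
# interface is carp0; the logger(1) calls stand in for whatever
# command feeds the monitoring system (swap in your own there).

# For a carp(4) interface, ifstated's link state follows the CARP
# state: "link.up" means MASTER, "link.down" means BACKUP.
carp_master = "carp0.link.up"
carp_backup = "carp0.link.down"

# Start in a neutral state so the first real state is taken from
# the interface rather than assumed, and the startup transition
# is logged like any other.
init-state neutral

state neutral {
	if $carp_master
		set-state master
	if $carp_backup
		set-state backup
}

state master {
	init {
		# runs once on entering the state: this is the failover
		# or preempt event the monitoring system should see
		run "logger -p daemon.notice -t carp-failover 'carp0 became MASTER'"
	}
	if $carp_backup
		set-state backup
}

state backup {
	init {
		run "logger -p daemon.notice -t carp-failover 'carp0 became BACKUP'"
	}
	if $carp_master
		set-state master
}
```

Check the file with `ifstated -n` before enabling the daemon; each state change then lands in syslog, where the monitoring side can pick it up.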


Re: Network question

2013-09-04 Thread Dag Richards

Seems like it would be pretty straightforward to NAT, no?


 /--existing servers /28
EVIL -  lie agreed upon [Puffy] 
 \-new servers on RFC 1918


Would need to know more to make better recommendations.



On 9/4/13 8:24 PM, patrick keshishian wrote:

Hi Networking gurus,

Say I have /28 address space. Between them and the internet is
pf. Not all of the addresses are in use ATM.

I may have the need to add a couple new servers behind that pf
server within the same /28 range. Problem: I need to have traffic
between the new servers and what already exists filtered through
some pf.

Ideally I would like to put the new servers together on a new
(unmanaged) switch and connect one of the switch's ports to an
available port on the pf machine.

Does there exist a nice way to do this without further sub-dividing
the /28?

Thoughts?
--patrick







Re: BSD licensed gnupg replacement question

2012-12-06 Thread Dag Richards

Maximo Pech wrote:

It's incredible for me that OpenBSD, an operating system that claims to
have integrated cryptography (yes I know that the cryptography is on the
core OS layers)  doesn't have in the base system a tool like gnupg, and
even more incredible, that there isn't a single production ready,
gnupg-like, BSD licensed tool out there (I don't have the skills and time
to program one myself).

I'd like to know your thoughts about this.




No, I don't think you are going to want to know their thoughts on this.





Re: ss20's wanted for ports builds

2012-07-19 Thread Dag Richards

Theo de Raadt wrote:

On Mon, Jul 16, 2012 at 08:45:30PM +0200, [BG-Consulting] Elmar Bschorer wrote:

What do you mean with ss20?

Actually a good question. At least for those old enough to remember the
Soviet era SS-20 intermediate-range ballistic nuclear missiles.


I'd like one of those too.




Let's be honest with ourselves sir, with your temper is a nuclear weapon
really a good idea?






Re: Default route distribution by ospfd

2011-08-13 Thread Dag Richards

Shot in the dark here, new to OSPF myself.

Have you tried adding vlan208 interface on R1 to OSPF config on R1?

On 8/13/11 11:39 AM, Shohrukh Shoyoqubov wrote:

Hi,

I have the following set-up:

|R2other routers
|
ISPR1
|
|R3other routers

There is a static default route on R1 pointing to ISP's gateway
(192.168.60.253).

R1, R2, R3 and other routers (except ISP's) are running ospfd in area
0.0.0.0. R1 should be injecting a default route into ospf domain towards
itself.

Below are ospfd.conf's from these routers:

R1:
---
# cat /etc/ospfd.conf
router-id 10.10.10.9
redistribute default
area 0.0.0.0 {
interface trunk0
interface vr2
}

R2:
---
# cat /etc/ospfd.conf
router-id 10.10.10.18
area 0.0.0.0 {
interface trunk0
interface vlan208
}

R3:
---
# cat /etc/ospfd.conf
router-id 10.10.10.19
area 0.0.0.0 {
interface trunk0
interface vlan208
}

All adjacencies are up and routes are updated fine except for default
route originated from R1. If you look into ospfctl show database
command output on R2 for example, you can see that this default route's
LSA is there. But for some reason it does not end up in kernel routing
table.

$ ospfctl show data

Router Link States (Area 0.0.0.0)

Link ID Adv Router Age Seq# Checksum
10.10.10.9 10.10.10.9 1182 0x8041 0xd4de
10.10.10.18 10.10.10.18 1653 0x804f 0x02cb
10.10.10.19 10.10.10.19 83 0x8050 0x18b0
10.10.10.20 10.10.10.20 1966 0x8093 0x6760
10.10.10.26 10.10.10.26 1314 0x8048 0xbc64
10.10.10.27 10.10.10.27 1323 0x8048 0xba63
10.10.10.34 10.10.10.34 1149 0x803c 0x2c5e
10.10.10.35 10.10.10.35 1134 0x804e 0x5d22

Net Link States (Area 0.0.0.0)

Link ID Adv Router Age Seq# Checksum
10.10.10.9 10.10.10.9 1672 0x803d 0x9aaf
10.10.10.20 10.10.10.20 1722 0x8037 0xce40
10.10.10.27 10.10.10.27 1313 0x8049 0x05f9
10.10.10.34 10.10.10.34 1139 0x801c 0xc746

Type-5 AS External Link States

Link ID Adv Router Age Seq# Checksum
0.0.0.0 10.10.10.9 1182 0x8013 0x41d2

$ netstat -nr
Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
10.10.10.0/29 link#9 UC 0 0 - 4 vlan201
10.10.10.8/29 link#10 UC 3 0 - 4 vlan208
10.10.10.8/29 10.10.10.13 UG 0 0 - 32 vlan208
10.10.10.9 00:00:24:ce:06:d8 UHLc 3 16267 - 4 vlan208
10.10.10.13 00:00:24:ce:06:d2 UHLc 1 2 - 4 lo0
10.10.10.14 00:00:24:ce:06:d6 UHLc 0 1 - 4 vlan208
10.10.10.16/29 link#7 UC 3 0 - 4 trunk0
10.10.10.16/29 10.10.10.18 UG 0 0 - 32 trunk0
10.10.10.18 00:00:24:ce:06:d0 UHLc 1 0 - 4 lo0
10.10.10.19 00:00:24:ce:06:d4 UHLc 0 266 - 4 trunk0
10.10.10.20 e8:ba:70:ef:bf:c1 UHLc 3 329 - 4 trunk0
10.10.10.24/29 10.10.10.20 UG 0 0 - 32 trunk0
10.10.10.32/29 10.10.10.20 UG 0 530 - 32 trunk0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 1 6 33200 4 lo0
192.168.0/24 10.10.10.20 UG 1 4820 - 32 trunk0
192.168.60.252/30 10.10.10.9 UG 0 0 - 32 vlan208
224/4 127.0.0.1 URS 0 0 33200 8 lo0

What am I doing wrong?
I have deleted /etc/mygate on all routers except R1 and deleted default
route and rebooted just in case.

I am running OpenBSD 4.9 release on Soekris boxes.

Thank you,
Shohrukh







Re: Default route distribution by ospfd

2011-08-13 Thread Dag Richards

On 8/13/11 12:54 PM, Shohrukh Shoyoqubov wrote:

On 08/14/2011 12:19 AM, Dag Richards wrote:

Shot in the dark here, new to OSPF myself.

Have you tried adding vlan208 interface on R1 to OSPF config on R1?


R1 has no vlan208 interface configured. R1 uses trunk0 to connect to
access mode switch ports in VLAN 208. R2 and R3 have vlan208 interfaces
connected to the trunk ports of the same switch with VLAN 208 allowed on
it.

Adjacencies are up. It is the default route that is not ending up in the
kernel routing table. What else except the existing static routes can
prevent it to get into the routing table?



OK I see, so vr2 is what faces the ISP on R1.
Whose netstat -nr did you print? Is that R3?

I see that 192.168.60.252/30 10.10.10.9 UG 0 0 - 32 vlan208
made it to the route table.

If you were on Cisco I would suggest you try redistribute static in your
OSPF conf.

I see in the man page for ospfd.conf you can redist static and connected.

I think you need to redist static and default. The man page seems to
indicate that redist default will cause a default route pointing to this
router to be announced over OSPF.




in the CISCO land



Re: FreeBSD isn't Free

2010-10-06 Thread Dag Richards

Super Biscuit wrote:

Did they get the licensing, approval, or letter?


missing the point



Re: isakmpd will not initiate connection to Cisco ASA

2009-11-17 Thread Dag Richards

I recently had a problem that looked similar.

I would try to bring up the tunnels configured in ipsec.conf.
 No Phase 2

A dump on the external iface revealed that we were sending Phase 1
initiation.  Their end was configured for a different encryption scheme
than ours (even though we had agreed on one).  Since they were
showing up with a valid PSK we accepted the values they proposed,
whereas they rejected our proposals.



tcpdump -nvs1400 port 500



Christoph Leser wrote:

Are you sure that obsd does not try to initiate the connection at least once?

I have noticed the following problem with cisco:

Some Cisco models delete the security association after an inactivity timeout,
they call it Cisco IPSec Security Association Idle Timers.

When this happens, OpenBSD drops the information for this tunnel and is unable
to recreate it. Cisco keeps the information and can reestablish the connection
when someone pings or otherwise addresses the remote end.

I had a short conversation about this with Hans-Jörg Höxer, but cannot say
whether this behaviour is desired or considered a bug.

I would try to delete the tunnel completely and configure it again while running
tcpdump on the external interface (or enable isakmpd packet capture, see the
-L switch of isakmpd).

This will at least answer the question, whether openBSD attempts to establish
the connection when the tunnel is defined for the  first time.

Regards

Christoph


-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
On behalf of Chris Bullock
Sent: Tuesday, 17 November 2009 15:45
To: misc@openbsd.org
Subject: isakmpd will not initiate connection to Cisco ASA


We have many tunnels and for some reason I just set up a
tunnel with a Cisco ASA and we can not initiate the
connection from the OpenBSD side.  If the Cisco side pings a
device on the OpenBSD side the tunnel comes up.  On the Cisco
side they have bidirectional enabled, and they are not seeing
the OpenBSD try to initiate the tunnel. Any help would be
appreciated, Regards, Chris Bullock




ipsec Phase 2 tunnels will not initiate from OBSD side

2009-11-04 Thread Dag Richards

Running  4.3 GENERIC#698 i386

I have a VPN with a vendor using, I think he said, a SonicWall FW.  We 
are able to get Phase 1 associations up and happy. But Phase 2 never 
seems to start, at least not from my side.


If he sends traffic from his side then his device makes a phase 2 
proposal, and I accept and traffic flows.  I can do nothing to kick this 
off from my end.


I have an ipsec.conf file for this vendor

ike active esp from { 172.18.101.22 } to { 10.0.3.222 10.0.6.222 
10.0.11.43 10.0.11.188 10.0.11.222 10.0.11.36 } local 10.120.10.50 peer 
xxx.xxx.xx.xx.x0x main auth hmac-sha1 enc 3des-cbc group modp1024 quick 
auth hmac-sha1 enc 3des-cbc group none psk SEKRET


He sends me a ping, I get a flow

ipsecctl -s flow | grep xxx.xxx.xx.xx.x0x
flow esp in from 10.0.11.43 to 172.18.101.22 peer xxx.xxx.xx.xx.x0x 
srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type use
flow esp out from 172.18.101.22 to 10.0.11.43 peer xxx.xxx.xx.xx.x0x 
srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type require



In the past I have been able to: echo M active > /var/run/isakmpd.fifo
But since I have a phase 1 up, I guess this won't have any effect?

I guess I am not really even sure what to be showing anyone, usually 
once phase 1 is established everything has just worked.




Anyone heard from Jason Dixon lately?

2009-09-16 Thread Dag Richards

Hey Jason, been trying to get a hold of you.
Are we still doing business?



Re: Defending OpenBSD Performance

2009-09-16 Thread Dag Richards
I have been actively maintaining a firewall cluster and a VPN cluster of 
BSD systems since 3.5. I have upgraded each system from a factory boot cd
every 6 - 8 months.  I have never had any problems due to the upgrade, 
not once.  I run a 4000 PC network in a 24x7 Health Care environment.


There is nothing more reliable and straightforward than OBSD's upgrade 
procedure.  Which reminds me, time to order 4.6




Re: openbsd and ethernet tap (port replication)

2009-08-25 Thread Dag Richards

Put an ip address on  em0.

FRLinux wrote:

Hello,

I am trying to replicate some traffic from a Cisco 6500 onto an
OpenBSD 4.5 vanilla machine. I have two NICs, rl0 which is the
administration interface and em0 which I hope to use for the ethernet
tap. So far, my cisco replicates traffic happily, i can see the packet
count in/egress increasing but nothing seems to reach em0.

I have no PF running, the box is inside the network with a cable
connected straight from em0 to a cisco port on the 6500. The cisco
router reports the link live (so does OpenBSD) but no traffic seems to
be flowing.

I realize that has to be something stupid but if anyone could send me
a pointer, that would be most welcome.

em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr xx:xx:xx:xx:xx
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,rxpause)
status: active

OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz (GenuineIntel 686-class) 3.22 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 1073246208 (1023MB)
avail mem = 1029500928 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/19/04, BIOS32 rev. 0 @
0xfb1a0, SMBIOS rev. 2.3 @ 0xf0120 (49 entries)
bios0: vendor Award Software International, Inc. version F5 date 01/19/2004
bios0: NEC Computers International 000
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices USB0(S3) USB1(S3) USB2(S3) AMR0(S4) UAR1(S4)
UAR2(S4) PCI0(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 14, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0x8000 0xc8000/0x8000! 0xd/0x1800 0xd2000/0x1000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 SiS 648 PCI rev 0x51
sisagp0 at pchb0
agp0 at sisagp0: aperture at 0xe000, size 0x800
ppb0 at pci0 dev 1 function 0 SiS 648FX AGP rev 0x00
pci1 at ppb0 bus 1
pcib0 at pci0 dev 2 function 0 SiS 85C503 System rev 0x14
SiS 7007 FireWire rev 0x00 at pci0 dev 2 function 3 not configured
pciide0 at pci0 dev 2 function 5 SiS 5513 EIDE rev 0x00: 648: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
wd0 at pciide0 channel 1 drive 0: SAMSUNG SP2014N
wd0: 16-sector PIO, LBA48, 190782MB, 390721968 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
auich0 at pci0 dev 2 function 7 SiS 7012 AC97 rev 0xa0: apic 2 int
18 (irq 9), SiS7012 AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0)
audio0 at auich0
ohci0 at pci0 dev 3 function 0 SiS 5597/5598 USB rev 0x0f: apic 2
int 20 (irq 5), version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 SiS 5597/5598 USB rev 0x0f: apic 2
int 21 (irq 10), version 1.0, legacy support
ohci2 at pci0 dev 3 function 2 SiS 5597/5598 USB rev 0x0f: apic 2
int 22 (irq 11), version 1.0, legacy support
ehci0 at pci0 dev 3 function 3 SiS 7002 USB rev 0x00: apic 2 int 23 (irq 6)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 SiS EHCI root hub rev 2.00/1.00 addr 1
vga1 at pci0 dev 9 function 0 S3 Trio32/64 rev 0x54
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 11 function 0 Intel PRO/1000MT (82540EM) rev 0x02:
apic 2 int 19 (irq 10), address 00:07:e9:39:50:d5
rl0 at pci0 dev 15 function 0 Realtek 8139 rev 0x10: apic 2 int 16
(irq 11), address 00:0d:61:1b:69:27
rlphy0 at rl0 phy 0: RTL internal PHY
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x2e/2: IT8705F rev 2, EC port 0x290
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 SiS OHCI root hub rev 1.00/1.00 addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2 SiS OHCI root hub rev 1.00/1.00 addr 1
usb3 at ohci2: USB revision 1.0
uhub3 at usb3 SiS OHCI root hub rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
uhidev0 at uhub1 port 1 configuration 1 interface 0 Sun Microsystems
Type 6 Keyboard rev 1.10/2.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 33
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
softraid0 at root
root on wd0a swap on 

Re: bind

2009-08-03 Thread Dag Richards

configure: error:
ar program not found.  Please fix your PATH to include the directory in
which ar resides, or set AR in the environment with the full path to ar.

 *** Error code 1


The likely solution is listed in the error message.



dark knight neo wrote:

Hello everyone,
I'm trying to compile the bind patch, and the following error occurs:

# patch -p0 < 007_bind.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--
|--- usr.sbin/bind/bin/named/update.c   (revision 1875)
|+++ usr.sbin/bind/bin/named/update.c   (working copy)
--
Patching file usr.sbin/bind/bin/named/update.c using Plan A...
Hunk #1 succeeded at 861.
done
# cd usr.sbin/bind
# make -f Makefile.bsd-wrapper obj
/usr/src/usr.sbin/bind/obj -> /usr/obj/usr.sbin/bind
# make -f Makefile.bsd-wrapper depend
# Nothing here so far...
# make -f Makefile.bsd-wrapper
PATH=/bin:/usr/bin:/sbin:/usr/sbin  CC=cc CFLAGS=-O2 -pipe  
LDFLAGS=  INSTALL_PROGRAM=install -c -s  sh
/usr/src/usr.sbin/bind/configure --prefix=/usr  --localstatedir=/var
--sysconfdir=/etc  --disable-shared  --disable-threads
--disable-openssl-version-check
checking build system type... i386-unknown-openbsd4.5
checking host system type... i386-unknown-openbsd4.5
checking whether make sets $(MAKE)... yes
checking for ranlib... no
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for ar... no
configure: error:
ar program not found.  Please fix your PATH to include the directory in
which ar resides, or set AR in the environment with the full path to ar.

*** Error code 1

Stop in /usr/src/usr.sbin/bind (line 70 of
/usr/src/usr.sbin/bind/Makefile.bsd-wrapper)

How to proceed?

Thanks in advance.




Re: RES: Route problem

2009-07-07 Thread Dag Richards
I don't think it is possible to help you with the limited information you 
have provided.




Let's see some sort of description of your network topology, and the 
output of netstat -rn and an ifconfig -A of your OBSD router.


My initial guess on why adding the route to the OBSD router failed to 
help is that the mikrotik does not know how to get back to your clients; 
are you natting or not natting?




Ricardo Augusto de Souza wrote:

Wrong.

I am just able to ping it.
Clients who have OpenBSD as default gateway cannot access network
10.100.0.0/24 ( like HTTP and other services ).

Can anyone help me?

_
From: Ricardo Augusto de Souza
Sent: Tuesday, 7 July 2009 10:45
To: misc@openbsd.org
Subject: Route problem


Hi,

I use an OpenBSD 4.3 as gw + firewall.
I also have a Mikrotik as a backup gateway.
Now I lost the connectivity of one of my links. ( router 10.100.0.1 is down
)
From the Mikrotik I am able to reach the target network ( 10.100.0.0/24 ).
So I removed this route from OpenBSD and added a new route to the Mikrotik.


At OpenBSD:
route add 10.100.0.0/24 10.10.0.1

# ping 10.100.0.8
PING 10.100.0.8 (10.100.0.8): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
--- 10.100.0.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

After around 5 min I was able to ping 10.100.0.0/24.

What am I missing?


Thanks




Re: IPX/SPX between two locations running OpenBSD

2009-07-04 Thread Dag Richards

journey-...@shaw.ca wrote:

I have two locations each using OpenBSD 4.5 for their gateways with the two
subnets connected using IPSEC.

I have an application that requires IPX/SPX between the two locations.  Is
this feasible?

The two internal subnets are 192.168.0.x and 192.168.1.x but they can easily
be changed.

enabling IPX in the kernel?
PPTP from each workstation to the XP server?
bridging the two networks?

I don't know much about IPX/SPX and what it can or can't do between the two
locations.



A man -k showed me no hits on spx or ipx, at least none pertaining to 
networking.


You should be able to bridge that traffic.  I believe SPX/IPX builds a 
routing table through broadcasts, so bridging should work.  Is this for 
a Netware network?   You know that Netware now supports IP natively.




Re: slim and capable hardware for firewalls use

2009-06-15 Thread Dag Richards

HP DL360G5 we have 5 of these that we use with 4 port bge cards
as vpn servers and firewall.

Running or have run 4.3 4.4 4.5

HW Raid controller
I like the lights out management  cards on  the older ones ( G3 ) better 
as they just give you a screen scrape console.  The G5 does something 
different I have not yet really looked in to  well enough to get a 
console running on.


SunFire x2100 - Meh, less expensive not as ready for prime time, no RAID
no management card that runs for us.

Peter N. M. Hansteen wrote:

I've been asked to hunt for hardware that meets roughly these specs:

* preferably in a 1u, space for two autonomous machines with as many
  Ethernet interfaces as will physically fit the form factor

* Gigabit capable 


Anything else is really just a bonus, 'works with OpenBSD' is a must,
onboard graphics, sound etc is totally irrelevant, humans will
interact physically with this only rarely if we do this right. The
location is in northern Europe, anybody who is not scared of shipping
there is fine with us.

Any war stories, notes or anecdotes (including don't do this, go for
$foo instead) welcome.  The amount of misleadingly tagged webshop
pages stuffed to the brim with inane animated and barely related ads
sort of got to me at one point.

All the best,
Peter




anybody using OpenBSD diskless workstations?

2009-06-10 Thread Dag Richards

Anybody currently running BSD diskless workstations?


Expository text below.


We have been working on SunRay-Windows_virtual_desktop pilot here at my 
office for a while.   The tech seems pretty workable. Leaving aside any 
question of personal taste, we use windows desktops and will continue to 
do so.


We seem to have been hit with a bit of a budget whammy.  So now we are 
looking into making older PCs operate as netbooted dumb terminals, at 
least as a two year interim step.


My thought was to pxe boot, run X and dump them into an RDP session to 
our shiny new MS terminal servers.




Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-21 Thread Dag Richards

Jason Dixon wrote:

On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote:

Well I should have mentioned that the ESXi is also running a Windows server VM 
for a custom app that requires it.  So the idea was to have one box running 
ESXi and reduce hardware costs.



BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA


*whew*

Thanks, I needed that.



Er yes, you will not be able to get there from here.

Re-think.


Don't run vmware on your firewall.

If you virtualize your entire DC in to a single box, still don't run 
your firewall as a vm.




Re: Intel PRO/1000MT (82541GI) not working with 4.5

2009-05-20 Thread Dag Richards

If you want to upgrade from 4.4 to 4.5

Boot off the 4.5 install image and perform an upgrade.

If you wish to compile things for your 4.5, do that after you are 
running 4.5.


I don't think in general they will help you do what it looks like you 
are trying to do.



Rosen Nedialkov wrote:

Hi all,

I am trying to upgrade my box from 4.4 to 4.5 through compile.
I managed to compile the kernel successfully, but upon booting the new
kernel I didn't get any network connection to my box. When I attached a
monitor I saw that everything is working fine except that the network
card does not work. It is present as em0, but when I do ifconfig I get
error messages (sorry didn't remember which ones exactly). So no network
interface :( Can someone, please, help me to identify the problem?

The machine is MSI barebone Hetis 945 and I am running 32bit OpenBSD
4.4.

I am attaching my 4.4 and 4.5 dmesgs

 4.4 dmesg

OpenBSD 4.4-stable (GENERIC) #0: Mon Mar  9 10:57:55 EET 2009
r...@deimos.izrod.com:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 420 @ 1.60GHz (GenuineIntel 686-class)
1.60 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
real mem  = 1063743488 (1014MB)
avail mem = 1020145664 (972MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/02/07, BIOS32 rev. 0 @ 0xf9df0,
SMBIOS rev. 2.4 @ 0xf (28 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date
02/02/2007
bios0: MICRO-STAR INTERNATIONAL CO., LTD MS-7231
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 3.0 @ 0xf/0xc2b4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc170/272 (15 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 18 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 9 10 11
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev
0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xaa00! 0xcc000/0x1000 0xef000/0x1000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945G Host rev 0x02
vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xd000, size 0x1000
drm at vga1 unsupported
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x01: irq
5
azalia0: codec[s]: Realtek/0x0888
audio0 at azalia0
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 9
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 11
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 10
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 5
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 9
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xe1
pci1 at ppb0 bus 1
em0 at pci1 dev 2 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq
10, address 00:19:db:aa:57:f0
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM
disabled
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: QUANTUM FIREBALLlct15 07
wd0: 16-sector PIO, LBA, 7162MB, 14668290 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x01: irq 11
iic0 at ichiic0
adt0 at iic0 addr 0x2e: adt7467 rev 0x71
iic0: addr 0x2f 00=c0 01=07 02=01 03=00 04=07 05=00 06=00 07=00 14=14
15=62 16=03 17=04 words 00=c0ff 01=07ff 02=01ff 03=00ff 04=07ff 05=00ff
06=00ff 07=00ff
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627EHF rev 0x68
lm1 at wbsio0 port 0x290/8: W83627EHF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask ffe5 netmask ffe5 ttymask 
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on 

Re: European orders

2009-03-30 Thread Dag Richards
As a rule I generally don't post in response to community discussions as 
I am essentially nobody here.  This time however I just have to ask


...Theo?

Why on Earth do you keep doing this?
How the hell do you put up with all of this  ... crap?

I am sure there are still companies that would pay you handsomely
for your copyrights.  I sure hope you don't do it, but were I in your 
position I would seriously think about it.




Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Dag Richards

On 3/9/09 2:05 AM, J.C. Roberts wrote:

On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
hilco.wijbe...@gmail.com  wrote:


I have pf running on my firewall box and I'm experiencing some strange
behaviour. After several hours (this may even be 24 hours) of
functioning normally, pf seems to reload its default rules which means
that from that point on all traffic is blocked. A simple pfctl -f
/etc/pf.conf fixes the problem but it is very annoying.


ummm... no. Think about it for a moment. The default rules *are* stored
in /etc/pf.conf --the very same file you are manually reloading, so
it's obviously not magically reloading the default rules as you claim.

What kind of connection are you running?
Is your public IP address static or dynamic?
More importantly, are you running some sort of
tunneling/authentication such as PPPoE or similar?

In short my first guess is your IP is changing every 24 hours or so due
to your service provider using dynamic addressing (and trying to
prevent you from having a particular IP for too long). If I'm right,
then your problem is that pf is holding on to the old rules for your
old IP address even though your IP had changed. In other words, you
have a configuration error.



Interesting, that brings up a question for me... what do we do in 
this case?  My ISP seems to be content to give the same ip back over and 
over again.  If they did not is there something I can do besides monitor 
my $ext_if and reload the rules on ip addr change?


Just curious.



Re: Pre-Order Prizes

2009-03-02 Thread Dag Richards

I thought the prize was you got the software?



Re: Thank you for Relayd

2009-01-26 Thread Dag Richards
I assume that your company will send say 10% of that saved cash to the 
project now to ensure continued development and maintenance ?


;)


On 1/26/09 9:32 AM, uday wrote:

I just wanted thank the developers and contributors of Relayd. It's a
wonderful load balancer, very well written GOOD JOB guys ! FYI, you
saved us 75,000$ in F5 equipments.

um




Re: PF/NAT Issue

2009-01-26 Thread Dag Richards

Try setting your nat line to look something more like:

nat on $ext_if from 10.100.100.0/24 to any -> ($public_ip)

or

nat on $ext_if from 10.100.100.0/24 to any -> ($ext_if)


As  long as pf is enabled AND your traffic actually matches the nat rule 
nat happens.


what do you see when you:

 pfctl -f /etc/pf.conf

 pfctl -e

 pfctl -s info



On 1/26/09 8:35 AM, John Brahy wrote:

Hello,

I'm having a problem with NAT. I have given up trying fancy pf stuff
and I am using a barely modified version of the example ruleset from
the using pf guide on the OpenBSD site:

# OpenBSD Packet Filter Configuration
#

# macros
ext_if=dc0
int_if=sis0

tcp_services={ 22, 113 }
icmp_types=echoreq

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out keep state

anchor ftp-proxy/*
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port
$tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $int_if


the only thing that I took out was the web server, so there is no
inbound access in this configuration. I have the same pf.conf file on
both of my servers. The layout looks like this.


Internet
  |
  - public ip
OpenBSD box A running as router
  - public ip
  |
  - public ip
OpenBSD box B running as firewall
  - 10.100.100.1
  |
  - 10.100.100.120
OpenBSD box C running as desktop


The problem that I am having is that I can't surf the information
superhighway from box C. So I've been looking at the network traffic
to see how far it is going and it's getting past the firewall but not
past the router.

I believe the problem is that box B is not performing network address
translation for box C. When I do a tcpdump on the interface connection
box A and box B I see packets with 10.100.100.120 as the address.

Is there a magic Turn Nat On switch I'm not using? I have modified
my /etc/sysctl.conf to enable ip forwarding.

I'm stuck... Does anyone have a suggestion on what I can try or what I
am doing wrong?

Thanks,

JB
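The tcpdump observation in the post above (packets with the 10.100.100.120 source showing up on the link between box B and box A) is the direct test of whether NAT is happening at all. Below is an added example, not code from this thread, that automates that check: it parses tcpdump -n output captured on the outside interface of the firewall and lists every RFC 1918 source address that left untranslated. The sample lines are constructed; the parser accepts the OpenBSD tcpdump form ("src > dst") and the form that prefixes addresses with the word "IP".

```shell
#!/bin/sh
# Added example (not from the thread): find outbound packets on the NAT
# firewall's OUTSIDE interface that still carry an RFC 1918 source address.
# On a working setup the list is empty.
set -eu

# Constructed tcpdump -n lines. OpenBSD's tcpdump prints "src > dst",
# other builds insert the word "IP" first; both forms are handled.
# Two private sources (10.100.100.120, 192.168.1.5) leak in this sample.
SAMPLE_TCPDUMP='12:00:01.000001 10.100.100.120.51235 > 198.51.100.20.80: S 1:1(0) win 16384
12:00:01.000002 203.0.113.10.51234 > 198.51.100.20.80: S 2:2(0) win 16384
12:00:01.000003 198.51.100.20.80 > 203.0.113.10.51234: S 3:3(0) ack 3 win 65535
12:00:01.000004 IP 192.168.1.5.40000 > 198.51.100.20.443: S 4:4(0) win 16384
12:00:01.000005 10.100.100.120 > 198.51.100.20: icmp: echo request
12:00:01.000006 arp who-has 203.0.113.1 tell 203.0.113.10'

# is_rfc1918 ADDR: succeed when ADDR lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*)                          return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 0 ;;
    esac
    return 1
}

# packet_sources DUMP: print the IPv4 source of every packet line, with the
# port (fifth dotted component) stripped; non-IPv4 lines (arp, ...) skipped.
packet_sources() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 2; i <= NF; i++)
                if ($i == ">") { src = $(i - 1); break }
            if (i > NF) next                  # no "src > dst" on this line
            n = split(src, a, ".")
            if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]
            else if (n != 4) next             # not a dotted quad
            print src
        }'
}

# leaked_private_sources DUMP: unique RFC 1918 sources seen on the outside.
leaked_private_sources() {
    packet_sources "$1" | sort -u | while read -r ip; do
        if is_rfc1918 "$ip"; then echo "$ip"; fi
    done
}

leaked_private_sources "$SAMPLE_TCPDUMP"
```

On a live box feed it the output of `tcpdump -ni $ext_if -c 200` instead of the sample. An empty result means every packet left with a translated source; a non-empty one means pf is not enabled, the nat rule is not matching the traffic, or the packets are leaving through an interface the rule does not name.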




Re: VLAN Problem

2009-01-26 Thread Dag Richards

It is possible

You need to specify the netmask of your vlan interfaces
cat out one of your hostname.vlan?? and show us


one of mine looks like


inet 10.120.6.102 255.255.255.0 NONE vlan 6 vlandev em0


On 1/26/09 10:42 AM, Denis Souza wrote:

Friends,

I'm using OpenBSD 4.1 with a VLAN with 2 IPs only (Netmask
30bits-255.255.255.252), but the OS is classful, creating a link line in my
router table:

# netstat -rn
...
172.16/16          link#12            UC          10        -   vlan1
...

But in my project the subnet
172.16.0.0/16 is wrong. The correct subnet is 172.16.1.1/30 to VLAN1. How may
I do this with OpenBSD, because I have others subnets in my project:
172.16.2.1/30 to VLAN2, ... , 172.16.9.1/30 to VLAN9? Is this possible with
OpenBSD?

Thanks,

  Denis




Re: Packet Filter: how to keep device names on hardware failure?

2008-11-08 Thread Dag Richards

Peter N. M. Hansteen wrote:

Denis Doroshenko [EMAIL PROTECTED] writes:


what keeps you from writing a script that would be called
from the end of /etc/netstart; the script would check whether the
initialized network interfaces match those described by a
predefined table? in case of failure it would react somehow...


Then again, given the 'failure is not an option' scenario, any sane
network design would mean you most likely have a multiply redundant
CARP'd setup in place, so a hardware failure like the one described on
one box would simply mean the machine would take itself out of the
running, one of the backups would take over and your friendly robot
helper would be paging you to replace the failed hardware at your
earliest opportunity.

By all means nothing stops you from writing script magic, but the
tools already in your OpenBSD base system lets you solve these
situations quite admirably and in several different ways already.




If you actually require fault tolerance, this is the best advice so far.
Your devices are ordered as you expect them to be, your rule base is in 
a known good state.  The system uses supported features making upgrades
simple, as well as leaving off the sort of site specific quirks that can 
make inheriting a site so challenging.
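The check Denis describes, a script run at the end of /etc/netstart that compares the attached interfaces with a predefined table, is short to write. Here is an added example (not from the thread and not part of the base system): it pairs each interface name in ifconfig -A output with its lladdr and reports anything missing or renumbered against an expected table. Both the ifconfig text and the table are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread, not part of the base system): compare
# the interfaces the kernel attached, as shown by ifconfig -A, with a table
# of expected "ifname lladdr" pairs, so a card that failed or came up under
# another name is caught before rules written for it are loaded.
set -eu

# Constructed ifconfig -A output: lo0 (no lladdr), em0 as expected, and rl0
# whose MAC does not match the table (a replaced card).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:07:e9:39:50:d5
        inet 10.120.10.50 netmask 0xffffff00 broadcast 10.120.10.255
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:61:1b:69:99
        inet 192.168.60.1 netmask 0xfffffffc broadcast 192.168.60.3'

# Constructed expected table, one "ifname lladdr" per line; bge0 is listed
# but absent from the sample, to show the MISSING case.
EXPECTED_IFACES='em0 00:07:e9:39:50:d5
rl0 00:0d:61:1b:69:27
bge0 00:11:22:33:44:55'

# actual_lladdrs IFCONFIG_TEXT: print "ifname lladdr" for each interface
# that carries a link-layer address.
actual_lladdrs() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+: / { iface = $1; sub(/:$/, "", iface) }
        $1 == "lladdr"     { print iface, $2 }'
}

# check_ifaces IFCONFIG_TEXT EXPECTED: one line per problem, either
# "MISSING name" or "MISMATCH name expected X got Y"; silent when all is well.
check_ifaces() {
    actual=$(actual_lladdrs "$1")
    printf '%s\n' "$2" | while read -r name want; do
        [ -n "$name" ] || continue
        got=$(printf '%s\n' "$actual" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$got" ]; then
            echo "MISSING $name"
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name expected $want got $got"
        fi
    done
}

# ifaces_ok IFCONFIG_TEXT EXPECTED: exit status only, for use from a script
# run at the end of /etc/netstart (stop before pfctl -f if it fails).
ifaces_ok() {
    [ -z "$(check_ifaces "$1" "$2")" ]
}

check_ifaces "$SAMPLE_IFCONFIG" "$EXPECTED_IFACES"
```

If the check fails, leave the rules unloaded and raise an alert rather than start pf against a renumbered device; on a CARP pair the failed box dropping out does this for you without any site specific script.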




Re: VPN troubleshooting help request.

2008-07-31 Thread Dag Richards

Are you using preshared keys?
Your policy seems to imply that you are, but you do not seem to have 
your passphrases in the correct place.


I think the line should be more like this

Licensees: "passphrase:properpasswd" || "passphrase:otherproperpasswd"

Though the debug output does imply that it is finding your password 
correctly.


I have had the CISCO's be very finicky, certain IOS's seem to only 
work with md5 and others sha as the hashing algorithms


run

tcpdump -nvs1400 port 500

or turn on pcap
and do this
tcpdump -nvs 1500 -r /var/run/isakmpd.pcap

You then can observe the negotiations and compare what the running 
config on CIZCOE is doing to what the config says it should.




nuffnough wrote:

Hi,  a client with a cisco device is attempting to set up a VPN to my
OBSD 4.3 firewall.

Phase 1 is okay,  but phase 2 fails.   It says it fails the policy
check.  But...  Checking through everything in the policy against the
debug it seems like it conforms to the policy to me.  Are there other
things that might cause it to fail the policy check?

The policy entry has matches for everything in it within this
negotiation. I sure would appreciate it if you could help me figure
out what it doesn't like about my policy.

TIA

nuffi


Debug output looks like this:


194907.101644 Plcy 40 check_policy: adding authorizer [passphrase:123456789]
194907.101668 Plcy 40 check_policy: adding authorizer
[passphrase-md5-hex:edb0afdb2eb73b1efb437dc6778bdfcf]
194907.101684 Plcy 40 check_policy: adding authorizer
[passphrase-sha1-hex:ca6920eca6f25ec15bc7718e1ac4f03aa6f00a38]
194907.102199 Plcy 80 Policy context (action attributes):
194907.10 Plcy 80 esp_present == yes
194907.102235 Plcy 80 ah_present == no
194907.102248 Plcy 80 comp_present == no
194907.102259 Plcy 80 ah_hash_alg ==
194907.102271 Plcy 80 esp_enc_alg == 3des
194907.102283 Plcy 80 comp_alg ==
194907.102295 Plcy 80 ah_auth_alg ==
194907.102307 Plcy 80 esp_auth_alg == hmac-md5
194907.102318 Plcy 80 ah_life_seconds ==
194907.102330 Plcy 80 ah_life_kbytes ==
194907.102342 Plcy 80 esp_life_seconds == 1200
194907.102353 Plcy 80 esp_life_kbytes ==
194907.102365 Plcy 80 comp_life_seconds ==
194907.102377 Plcy 80 comp_life_kbytes ==
194907.102389 Plcy 80 ah_encapsulation ==
194907.102400 Plcy 80 esp_encapsulation == tunnel
194907.102413 Plcy 80 comp_encapsulation ==
194907.102425 Plcy 80 comp_dict_size ==
194907.102436 Plcy 80 comp_private_alg ==
194907.102448 Plcy 80 ah_key_length ==
194907.102460 Plcy 80 ah_key_rounds ==
194907.102472 Plcy 80 esp_key_length ==
194907.102483 Plcy 80 esp_key_rounds ==
194907.102495 Plcy 80 ah_group_desc ==
194907.102507 Plcy 80 esp_group_desc == 2
194907.102519 Plcy 80 comp_group_desc ==
194907.102531 Plcy 80 ah_ecn == no
194907.102543 Plcy 80 esp_ecn == no
194907.102555 Plcy 80 comp_ecn == no
194907.102567 Plcy 80 remote_filter_type == IPv4 address
194907.102579 Plcy 80 remote_filter_addr_upper == 010.005.010.022
194907.102591 Plcy 80 remote_filter_addr_lower == 010.005.010.022
194907.102604 Plcy 80 remote_filter == 010.005.010.022
194907.102616 Plcy 80 remote_filter_port == 0
194907.102628 Plcy 80 remote_filter_proto == 0
194907.102640 Plcy 80 local_filter_type == IPv4 address
194907.102652 Plcy 80 local_filter_addr_upper == 192.168.020.217
194907.102664 Plcy 80 local_filter_addr_lower == 192.168.020.217
194907.102676 Plcy 80 local_filter == 172.030.020.217
194907.102688 Plcy 80 local_filter_port == 0
194907.102700 Plcy 80 local_filter_proto == 0
194907.102713 Plcy 80 remote_id_type == IPv4 address
194907.102725 Plcy 80 remote_id_addr_upper == 195.022.200.170
194907.102738 Plcy 80 remote_id_addr_lower == 195.022.200.170
194907.102750 Plcy 80 remote_id == 195.022.200.170
194907.102762 Plcy 80 remote_id_port == 500
194907.102774 Plcy 80 remote_id_proto == udp
194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
194907.102818 Plcy 80 local_negotiation_address == 200.022.100.170
194907.102830 Plcy 80 pfs == yes
194907.102842 Plcy 80 initiator == yes
194907.102854 Plcy 80 phase1_group_desc == 2
194907.103881 Plcy 40 check_policy: kn_do_query returned 0
194907.104093 Default check_policy: negotiated SA failed policy check
194907.104123 Default dropped message from 195.022.200.170 port 500
due to notification type NO_PROPOSAL_CHOSEN

The policy entry looks like this:

Comment: #
Comment: Cisco box

Authorizer: "POLICY"
Licensees:
Comment: passphrase:properpassphrase
"passphrase:123456789"
Conditions:
app_domain == "IPsec policy" && doi == "ipsec" &&
remote_negotiation_address == "195.022.200.170" &&
esp_present == "yes" &&
esp_enc_alg == "3des" &&
esp_auth_alg == "hmac-md5" &&
local_filter_type == "IPv4 address" &&
(
local_filter == "192.168.020.217"
) &&
remote_filter_type == "IPv4 address" &&
(
remote_filter == "010.005.010.022"
)
-> "true";
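A mechanical comparison of the debug output against the policy is worth having here, because the mismatch is easy to miss by eye: the debug above reports local_filter == 172.030.020.217 while the policy requires local_filter == 192.168.020.217 (the local_filter_addr_upper/lower lines do say 192.168.020.217, which is probably why it looks right at a glance). The script below is an added example, not from the thread and not part of isakmpd: it extracts each "Plcy 80 attribute == value" line and diffs it against a flattened list of the policy's conditions. The debug excerpt and the condition list are constructed from the values quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: pull every "attribute == value"
# pair out of isakmpd's policy-debug output and compare it with the values
# a keynote Conditions clause requires, so a failed policy check points at
# the offending attribute instead of at a wall of debug lines.
set -eu

# Constructed excerpt in the same shape as the "Plcy 80" lines above; the
# values are the ones from the quoted negotiation, not a full log.
SAMPLE_DEBUG='194907.101644 Plcy 40 check_policy: adding authorizer [passphrase:123456789]
194907.102235 Plcy 80 esp_present == yes
194907.102271 Plcy 80 esp_enc_alg == 3des
194907.102307 Plcy 80 esp_auth_alg == hmac-md5
194907.102567 Plcy 80 remote_filter_type == IPv4 address
194907.102604 Plcy 80 remote_filter == 010.005.010.022
194907.102640 Plcy 80 local_filter_type == IPv4 address
194907.102664 Plcy 80 local_filter_addr_lower == 192.168.020.217
194907.102676 Plcy 80 local_filter == 172.030.020.217
194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
194907.104093 Default check_policy: negotiated SA failed policy check'

# Constructed list of what the policy's Conditions require, "attr=value"
# per line (a hand-flattened version of the quoted Conditions clause).
SAMPLE_POLICY='esp_present=yes
esp_enc_alg=3des
esp_auth_alg=hmac-md5
local_filter_type=IPv4 address
local_filter=192.168.020.217
remote_filter_type=IPv4 address
remote_filter=010.005.010.022
remote_negotiation_address=195.022.200.170'

# debug_value DEBUG ATTR: print ATTR's negotiated value (may contain spaces),
# or nothing if the attribute never appears.
debug_value() {
    printf '%s\n' "$1" | awk -v attr="$2" '
        $2 == "Plcy" && $4 == attr && $5 == "==" {
            v = $6
            for (i = 7; i <= NF; i++) v = v " " $i
            print v
            exit
        }'
}

# policy_mismatches DEBUG POLICY: one line per attribute whose negotiated
# value differs from (or is missing against) what the policy requires.
policy_mismatches() {
    printf '%s\n' "$2" | while IFS='=' read -r attr want; do
        [ -n "$attr" ] || continue
        got=$(debug_value "$1" "$attr")
        if [ "$got" != "$want" ]; then
            printf '%s: policy wants "%s", negotiation has "%s"\n' \
                "$attr" "$want" "${got:-<absent>}"
        fi
    done
}

policy_mismatches "$SAMPLE_DEBUG" "$SAMPLE_POLICY"
```

With a real run, paste the "Plcy 80" block from isakmpd's debug output into SAMPLE_DEBUG and the policy's conditions into SAMPLE_POLICY; whatever it prints is the attribute keynote rejected, and the two values tell you whether the fix belongs in the policy file, in ipsec.conf, or on the peer.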




Re: Resume - Mumps Developer

2008-06-26 Thread Dag Richards

Lars Noodén wrote:

Matt Bettinger wrote:

Yes.  I have a buddy who works with it and Cache`(Multi-Value DB I
believe) on VMS in Houston Medical Center. They manage their
prescriptions with it.  He also makes very good $$ but talk about
getting pigeon holed. There is a port Maverick on Freebsd , maybe
openbsd , that is U2 like.

-mb


If you want to go whole hog, you can grab the Vista source code and set
it up on OpenBSD:
ftp://ftp.va.gov/Vista/Software/

A lot of centers use it, so pigeon-holed or not, there's good money.
(but since the original post mentioned VB whatnot, I suspect it was a
troll)

regards,
-Lars



Actually Cache is used extensively by a vertical market company called 
Epic.  It is a major player in the medical industry. Lots of jobs around 
admining Epic systems on AIX, for those that swing that way.




Re: Google in shell - looks interesting

2008-06-04 Thread Dag Richards

Ted Unangst wrote:

If it were actually usable from a shell, it'd be interesting.  If I'm
already running a graphical interbrowser, it's because I want
graphical interwebs.



Exactly.



Re: Google in shell - looks interesting

2008-06-04 Thread Dag Richards

Mark Zimmerman wrote:

On Wed, Jun 04, 2008 at 09:46:26AM -0700, Dag Richards wrote:

 Ted Unangst wrote:

If it were actually usable from a shell, it'd be interesting.  If I'm
already running a graphical interbrowser, it's because I want
graphical interwebs.

 Exactly.



So, can you launch a graphical browser from the goosh command line?

sorry...

No, but if we could launch it from a shell then we could parse the output 
in our own apps. Store the results for our own purposes, wget and 
scrape pages etc.




Need help reporting kernel panic

2008-04-14 Thread Dag Richards

Understand that I am not (quite) reporting a panic without a ps and trace.

I had a kernel panic this weekend on my standby vpn firewall; this is the 
third time this has happened in the last 300 days or so, always with the 
same panic.


I run with ddb.log=1
I ran ps and trace expecting the output to be put in a log erm ... 
'somewhere'.


Then I performed a boot dump, I have
drwxrwx---   2 root  wheel 512 Apr 14 07:53 ./
drwxr-xr-x  25 root  wheel 512 Aug 28  2007 ../
-rw---   1 root  wheel   2 Apr 14 07:51 bounds
-rw---   1 root  wheel 6229740 Apr 14 07:53 bsd.0
-rw---   1 root  wheel  1048568340 Apr 14 07:53 bsd.0.core
-rw-r--r--   1 root  wheel   5 Sep 10  2005 minfree

But am clueless ... yes you are thinking it, I said for you.
Clueless about where to find the output from my ps and trace.
My guess at this point is that it is gone.


So what should I have done? Or where do I expect to find this output?
Besides logging in from the console server and getting a screen scrape 
of the output,  I could not get the ilo to respond to me.



I have included as much of the panic message as I have and the dmesg 
from the system in case anyone is curious about the system in question,

as well as a ps of what is normally left running on the system.






panic: pmap_pinit: kernel_map out of virtual space!
Stopped at Debugger + 0x4: leave

--




OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR

real mem  = 1073258496 (1023MB)
avail mem = 1030156288 (982MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, 
SMBIOS rev. 2.3 @ 0xec000 (54 entries)

bios0: vendor HP version P52 date 04/14/2005
bios0: HP ProLiant DL360 G4
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 6300ESB LPC rev 0x00)
pcibios0: PCI bus #13 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1800 
0xcd800/0x1600 0xee000/0x2000!

acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x0c
ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c
pci1 at ppb0 bus 13
ppb1 at pci0 dev 4 function 0 Intel MCH PCIE rev 0x0c
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 7
ppb3 at pci2 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci4 at ppb3 bus 10
bge0 at pci4 dev 1 function 0 Broadcom BCM5703 Alt rev 0x10, BCM5703 
B0 (0x1100): irq 5, address 00:10:18:0c:44:6b

brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 3
ppb4 at pci0 dev 6 function 0 Intel MCH PCIE rev 0x0c
pci5 at ppb4 bus 3
ppb5 at pci0 dev 28 function 0 Intel 6300ESB PCIX rev 0x02
pci6 at ppb5 bus 2
ciss0 at pci6 dev 1 function 0 Compaq Smart Array 64xx rev 0x01: irq 5
ciss0: 1 LD, HW rev 1, FW 2.36/2.36
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 2.36 SCSI0 0/direct 
fixed

sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total
bge1 at pci6 dev 2 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0 
(0x2100): irq 5, address 00:14:38:4b:ef:fe

brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge2 at pci6 dev 2 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0 
(0x2100): irq 5, address 00:14:38:4b:ef:fd

brgphy2 at bge2 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 6300ESB USB rev 0x02: irq 5
uhci1 at pci0 dev 29 function 1 Intel 6300ESB USB rev 0x02: irq 5
Intel 6300ESB WDT rev 0x02 at pci0 dev 29 function 4 not configured
Intel 6300ESB APIC rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 Intel 6300ESB USB rev 0x02: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x0a
pci7 at ppb6 bus 1
vga1 at pci7 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Compaq iLO rev 0x01 at pci7 dev 4 function 0 not configured
Compaq iLO rev 0x01 at pci7 dev 4 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 Intel 6300ESB LPC rev 0x02: 24-bit 
timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 6300ESB IDE rev 0x02: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: COMPAQ, CD-ROM SN-124, N104 SCSI0 
5/cdrom removable

cd0(pciide0:0:0): using PIO mode 4

Re: Need help reporting kernel panic

2008-04-14 Thread Dag Richards

Josh Grosse wrote:

On Mon, 14 Apr 2008 08:57:55 -0700, Dag Richards wrote


Then I performed a boot dump, I have
drwxrwx---   2 root  wheel 512 Apr 14 07:53 ./
drwxr-xr-x  25 root  wheel 512 Aug 28  2007 ../
-rw---   1 root  wheel   2 Apr 14 07:51 bounds
-rw---   1 root  wheel 6229740 Apr 14 07:53 bsd.0
-rw---   1 root  wheel  1048568340 Apr 14 07:53 bsd.0.core
-rw-r--r--   1 root  wheel   5 Sep 10  2005 minfree

But am clueless ... yes you are thinking it, I said for you.
Clueless about where to find the output from my ps and trace.
My guess at this point is that it is gone.


Your ddb console output should be in the dmesg contained within the bsd.0.core
file.  You will want to use the dmesg command with -M and -N operands.  See
the dmesg(1) man page.


So what should I have done? Or where do I expect to find this output?
Besides logging in from the console server and getting a screen 
scrape of the output,  I could not get the ilo to respond to me.


A great place to start is the crash(8) man page; I've found it a helpful
reference.



Thanks, I had read crash. I started to question my comprehension as the 
result I was getting looked like this:


hsdcert1:root:/root #dmesg -N /var/crash/bsd.0 -M /var/crash/bsd.0.core
dmesg: kvm_read:  (d0932000)
hsdcert1:root:/root #ps -N /var/crash/bsd.0 -M /var/crash/bsd.0.core -O paddr

  PID  PADDR TT  STAT   TIME COMMAND
 3257 d773781c p0- I   0:00.00 (tcpdump)
12147 d7ae0564 C0  Is+ 0:00.00 (ksh)
21336 d77ee970 C1  Is+ 0:08.00 (getty)
22401 d773700c C2  Is+ 0:08.00 (getty)
25004 d7737164 C3  Is+ 0:08.00 (getty)
 3004 d77372bc C5  Is+ 0:08.00 (getty)

So it would seem that my ps and trace did not get appended to the file.
Or maybe ... appended you say?

I did the ps, then trace, then the boot dump.

So did the dump then overwrite my ps and trace?

Boot dump seems like it should be the last thing run, as it ends with a 
boot, right?

Can I just perform a dump? Guess I will find out in a few weeks.



Re: Sun Creator 3D hardware wanted

2008-02-28 Thread Dag Richards

I have one of the cards from an Ultra 10, not sure which one.
It was alive back when the system was, I will check the model no, 
tonight ( GMT + 8 ).


If you can use the card, I would be happy to ship it to any one that 
needs it.


And how many times have I tried to pawn off this Enterprise 450 on some 
poor sap with more electricity than sense? Only used on Fridays by a 
little old startup that stoppeddown in 2001.




Re: Apache box behind Openbsd

2008-01-08 Thread Dag Richards

Sewan wrote:

Hi,

I have an apache-php website running on windows server 2003 port 80, i have
correct rdr rules that pointing my web server, i can view website inside my
LAN, but i can't view page outside of my network. I've checked all dns- ip
settings, everything's fine but problem continues. I've read at some forums
that apache doesn't recognize rdr rules from openbsd, so how can i publish
my site ? Thanks...




You read somewhere that ... what?

Oh right, you need to have Linux rdr rules; make sure your database 
is blue too, that makes them faster.


Some actual information is required. Try posting say your pf.conf file



Re: avoiding a mac address filter

2008-01-07 Thread Dag Richards

[EMAIL PROTECTED] wrote:

On Jan 7, 2008 9:00 AM, Josh Grosse [EMAIL PROTECTED] wrote:

On Mon, 7 Jan 2008 13:39:01 +0100, Targus Neoprene wrote


Hi,

in my flat I can see a lot of open connection points. They do not
require a password and, in principle, I can log in every time... but
they seem to be protected with a mac filter, because I cannot get an
IP address via dhclient

I have a naive question: Is there any way to avoid that? I mean: is
there a way to surpass the mac filter and get an ip?

Do I understand this correctly?  You are asking how to *defeat* someone else's
SOHO NAT router, using its MAC filter as their only security?

If so, I'm appalled by your lack of ethics.




I'm appalled by his lack of reading the man page.



I have a similar issue.
In my building they sometimes misdeliver our mail.
Some of the apartments are protected with filters called locked doors.
Though the locks are of a poor design and trivial to circumvent, they 
still are defeating me.


I wonder will you help me to circumvent the locks. Since I will only be 
looking for my mail, or perhaps interesting junk mail, and the security 
is bad in the first place, it is perfectly ethical for me to break in.




Re: Two carp firewalls keep swapping from master/backup

2007-12-05 Thread Dag Richards

Josh wrote:

Hello, A quick question.

I have a pair of 4.1 boxes acting as firewalls using carp/pfsync etc.

The primary has advskew 0, the backup has advskew 100. I have 
net.inet.carp.preempt=1 on both.


So anyway, I was downloading some 4.2 install binaries onto the backup 
fw, and I noticed that the backup/primary carp interfaces kept on 
switching between master/backup fairly rapidly ( around every 5 - 10 
seconds or so ) despite both hosts being up just fine.


Any ideas on what might be causing this?

Also, My understanding of net.inet.carp.preempt=1 needs to be adjusted I 
think; I thought that it meant if one carp interface goes down, ie, 
unplugged or whatever, then the rest go down, ie all other interfaces on 
the box? Is this right?



Thanks,
   Josh


Your understanding of preempt seems correct.

I had a similar issue on a pair of 4.1 FW's.

A careful examination revealed that one of the carp ifaces on one system 
had ip addrs that were missing on the other.



Carefully compare ifconfig -aA on each machine to each other.
I now slavishly also ensure that the addrs occur in the same order ... I 
am sure that has no effect, but there it is.



Are you allowing the carp traffic in and out?
Does a tcpdump show the expected traffic?
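Following the advice to compare ifconfig -aA between the two firewalls, here is an added example (not from the thread) that parses the carp interface blocks out of each host's output and reports, per carp interface, differing vhid or carpdev, addresses present on one side only, and, as the reply suggests checking, addresses listed in a different order. The two ifconfig outputs are constructed for the example and are not the poster's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed ifconfig -aA style output for the two firewalls (not from the
# thread).  Host B is missing the second address on carp0 and lists the carp1
# addresses in the opposite order.
HOST_A = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.253.20 netmask 0xffffff00 broadcast 192.168.253.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.168.253.253 netmask 0xffffff00 broadcast 192.168.253.255
        inet 192.168.253.254 netmask 0xffffff00 broadcast 192.168.253.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
"""

HOST_B = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.253.21 netmask 0xffffff00 broadcast 192.168.253.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
        groups: carp
        inet 192.168.253.253 netmask 0xffffff00 broadcast 192.168.253.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100
        groups: carp
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
CARP_RE = re.compile(r"carp: (\w+) carpdev (\S+) vhid (\d+) advbase (\d+) advskew (\d+)")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (\S+)")


@dataclass
class CarpIf:
    state: str = ""
    carpdev: str = ""
    vhid: int = 0
    advskew: int = 0
    addrs: List[str] = field(default_factory=list)  # "addr/netmask", in listed order


def parse_carp(text: str) -> Dict[str, CarpIf]:
    """Pick the carpN blocks out of ifconfig output; other interfaces are skipped."""
    ifaces: Dict[str, CarpIf] = {}
    cur = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = CarpIf() if m.group(1).startswith("carp") else None
            if cur is not None:
                ifaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = CARP_RE.search(line)
        if m:
            cur.state, cur.carpdev = m.group(1), m.group(2)
            cur.vhid, cur.advskew = int(m.group(3)), int(m.group(5))
            continue
        m = INET_RE.match(line)
        if m:
            cur.addrs.append(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def compare_carp(a: Dict[str, CarpIf], b: Dict[str, CarpIf]) -> List[str]:
    """Report every per-interface difference that could make the pair disagree."""
    findings: List[str] = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            findings.append(f"{name}: configured on one host only")
            continue
        x, y = a[name], b[name]
        if x.vhid != y.vhid:
            findings.append(f"{name}: vhid differs ({x.vhid} vs {y.vhid})")
        if x.carpdev != y.carpdev:
            findings.append(f"{name}: carpdev differs ({x.carpdev} vs {y.carpdev})")
        if x.advskew == y.advskew:
            findings.append(f"{name}: both hosts use advskew {x.advskew}, no preferred master")
        only_a = [ad for ad in x.addrs if ad not in y.addrs]
        only_b = [ad for ad in y.addrs if ad not in x.addrs]
        findings += [f"{name}: {ad} on host A only" for ad in only_a]
        findings += [f"{name}: {ad} on host B only" for ad in only_b]
        if not only_a and not only_b and x.addrs != y.addrs:
            findings.append(f"{name}: same addresses, different order")
    return findings


if __name__ == "__main__":
    for finding in compare_carp(parse_carp(HOST_A), parse_carp(HOST_B)):
        print(finding)
```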



Re: OpenBSD kernel janitors

2007-10-31 Thread Dag Richards

n0g0013 wrote:

On 31.10-11:12, Nick Guenther wrote:
[ ... ]

and i would suggest that the severe and prevalent attitude toward the
possibility of poor patches or under-educated actions is the most
significant barrier to encouraging new/young developers.

Well that's the point of it; or at least, a useful side-effect.
Linux can get away with sending fanboi masses at its code because it's
fine with fanboi masses poking at all parts of the kernel, no matter
how secure it may be. Right?


i think we'll simply agree to disagree.  i personally find it quite
disheartening to hear the attitude that prevails here but that's the
community's decision.  it certainly seems to reflect the attitude
of its leaders (developers).



Consider it the voice of experience (bitter).

It's easy to tell which ones are the programmers.

They write code, then they submit it, it does not suck too much and they
take the suggestions of the current project leads. Then they resubmit 
better code.


The rest of us should simply buy CD's, ask and answer the occasional 
question, and otherwise keep quiet.


When you run a Data Centre, that has thousands of users serving tens of 
thousands of customers who need medical services on a 24 hour basis, you 
will miss the hand holding and warm friendly thoughts less; and 
appreciate the complete documentation and conformity to that 
documentation way way WAY more.


BTW I was a Linux user from kernel .92 ( that is some time in 1994 ) 
through 2.6.  Trying to run that professionally was always fun and 
exciting. Man I don't miss that.




Re: How can I install 4 OS'es on one disk?

2007-10-08 Thread Dag Richards

Amarendra Godbole wrote:

On 10/7/07, stan [EMAIL PROTECTED] wrote:


I have a new laptop that I would like to set up to have 4 different OS's
on. The OS's I would like to install are:

OpenBSD
FreeBSD
Linux
Windows (XP or Vista)

Is it possible to do this on the one disk? I do have enough space; my
concern is about partitions. If it is possible can anyone give me an idea how
best to approach this? Or a pointer to some docs?



I have almost similar configuration on my IBM Thinkpad X61 laptop.
Here is how I did it:
1. Install Windows XP/ Vista in the first primary partition.
2. Install OpenBSD in the second primary partition.
3. Install FreeBSD in the third.
4. Install Linux (Debian, in my case) in the fourth - which becomes
extended because of the way Linux handles the partitions.

Use grub as your bootloader, as it can boot Linux from the extended
partition. All other three OSes' will chainload through grub, which
means you have to add entries to menu.lst of grub. Booting FreeBSD
through grub is nicely explained here:
http://ezine.daemonnews.org/200102/grub.html. A similar entry needs to
be made for OpenBSD too. Also note that grub starts the numbering from
0, so your partitions will be 0 for Win, 1 for OpenBSD, 2 for FreeBSD,
and 3 for Linux.

HTH.

-Amarendra



At the moment the machine has the Vista partition, and its recovery partition
(which I figure I don't need), and a Linux partition on it. I can boot Linux,
or Vista using Grub.

--
I'm sorry, no one here has any intentions of helping you with anything.
I am the manager of all of Customer Service.





<Blasphemy>

Seems to me that the simplest and most flexible way to do this is to 
install Linux or Windows as your host OS and use VMware.  I do that on 
my MacBook Pro running OS X, and run OBSD, Linux, and Solaris as guest OSes.


Works great, and I can have all of them up at the same time, and network 
between them.


<\Blasphemy>



Re: ipsec with carp

2007-10-01 Thread Dag Richards

Patrick Hemmen wrote:

Hello all,

I have two OpenBSD machines for a redundancy VPN-Gateway. They use
carp to share one IP-Address and sasyncd to synchronize SAs and SPDs.
I set up an ipsec-tunnel in /etc/ipsec.conf. The tunnel isn't
established and the error PAYLOAD_MALFORMED appears in the logs.
With tcpdump I can see that the initial packet (isakmp v1.0 exchange
ID_PROT) to establish the tunnel comes from the host IP-Address and not
from the carp address.

Thanks in advance.
Patrick



Maybe it's the humidity.
Maybe it's something in your ipsec.conf file.
Based on the info you have provided so far, both seem to be about as 
likely as each other  ;)


ipsec.conf
ifconfig -A

maybe a quote from your dumps
and perhaps a bit of logging info 



Re: To whom can I direct email for artwork use permission pls?

2007-10-01 Thread Dag Richards

Hannah Schroeter wrote:

Hi!

On Mon, Oct 01, 2007 at 10:50:05AM -0400, Nick Guenther wrote:

[...]



To explain this more fully with the party line: the project supports
itself via donations and selling CDs of releases. If you create DVDs
to distribute you are hurting the project by discouraging the sale of
CDs. You could volunteer to become a reseller, though (i.e. you buy a
large shipment of CDs and sell them at cost to people in your
country.)


Wouldn't it be win-win if people there could buy DVD (with more data on
it, i.e. needing less downloads) and an agreement could be made that XX
$ (enough to compensate for the not-sold CDs) for each DVD sold are paid
to OpenBSD?

Kind regards,

Hannah.



The real win-win is they buy official CD's, support OBSD, and thereby 
help ensure more OBSD is available to use.




Re: 2 internet connections on 1 router

2007-09-20 Thread Dag Richards

Marian Hettwer wrote:

Hi All,

I'm using a Soekris box with OpenBSD 4.0 (sorry *g*) on my home soekris box.
Actual setup is one interface with a cable modem connected for internet use. 
The cable modem provider talks dhcp, so no pppoe magic involved.
Now I do have an old second DSL provider lying around, which I basically don't 
use anymore.
However, the old DSL provider tries to get on my ass, and I figured, okay boys, 
if you don't let me outta this contract, I'll use your uplink to the max 24/7 
(while true; do wget -O /dev/null http://something.iso; done).

I know my way to configure pppoe and to dial in (without having pppoe modifying 
my default gw).

Question is:
How do I fiddle around with my routing table so that basically the wget running 
on my router uses sis2 (with the pppoe uplink), while the rest (my existing 
working lan) still uses sis0 with my good-guys cable modem uplink?

Any hints highly appreciated.

Thanks in advance,
Marian


route add -host <addr of iso source> <addr of dsl gateway>

would work, there probably are better ways, but this would be dead simple

So vengeance is a dish best served in binary?



Re: Show your appreciation and get your 4.2 DVD

2007-09-10 Thread Dag Richards

Theo de Raadt wrote:

Theo de Raadt wrote:

Theo de Raadt wrote:
snip

Decreasing CD sales means the margins have to be adjusted.  More of
you are relying on our FTP services, and also donating less.

snip

Hey Theo just a quick suggestion to increase the cash donations:

Why aren't the web-order-cash-donations (no longer) added to the 
donations.html page ? Sad but unfortunately true there are petty people 
like me for whom that actually matters.

They are, but there is a lot of latency.  Yes, that really sucks.
Perhaps I will take a shot at 'pushing' a lot of them forward today.


Yup me too petty and whiner.

I have been sending $20 a month for something over a year. I was on the 
donation page, then gone.  Sent mail to Austin a couple of times, got 
peevish and wanted to stop the donation  ... then remembered, I don't do 
it for credit. I do it so the project can continue, or in this case buy 
pizza for one day of one hackathon once a year.  I order  CD, poster and 
T-shirt for every release, not because I think you care but because I 
get fantastic value for dollar.


Yours is a special case.  Yours comes as that weird mailed cheque,
and I did add you.  Bizarre, but I never committed it, because ... I don't
know how.  Bizarre.  Maybe it conflicted by the time I wanted to.

The big issue these days is donation fraud -- I'm not joking.  About
20-30% of donations by credit/paypal come in, and then the transaction
does not clear (credit card) or gets backed out of later (credit card
or paypal).  We have been trying to not cope with that through a
process of deleting names later, and that has introduced latency.
But I don't know how to tell the public those figures.  It is
unbelievably stupid.



I did not know that.  You have already spent way more time on this than 
the donation in question is worth.  I do it this way because it is 
automated from my perspective and therefore reliable, and allows me to 
retain control of the transaction.  If there is a better way I would be 
happy to change.





Re: scp batch mode?

2007-08-15 Thread Dag Richards

James Hartley wrote:

The manpage for scp(1) mentions the -B option for running scp in batch
mode, but no further details.  How can scp be run without prompting
for a password?

Thanks.




passwordless rsa key?



Re: dysfunctional carp

2007-07-31 Thread Dag Richards

Nico Meijer wrote:

Hi all,

I have a new carp setup that somehow just won't work.

The two machines are Jetway mini-itx J7F4 machines, dual Gb LAN. dmesg
below.



So if each system sees only its own carp traffic it makes sense that 
each would consider itself master. I assume that the systems can 
send and receive tcp, icmp, and udp traffic.  Is it possible that the 
switch is not carrying multicast traffic? If you attach them to each 
other with a crossover cable do they (pointlessly) negotiate proper carp 
relationships?




Re: PF Config problem

2007-07-19 Thread Dag Richards
I think you will find that since carp is communicated with multicast 
that your rules are not behaving as you think.


They are allowing the outbound transmissions, but since you are not 
establishing tcp sessions the keep state does not do what you want.


Try explicitly allowing in protocol carp

What I do is this:

pass out quick proto carp
pass in  quick proto carp




Gordon Ross wrote:

I've got two OBSD 4.1 boxes. They are set up identically, and I'm using CARP (&
pfsync) to obtain a redundant firewall. I appear to have CARP working fine. My
problem is when I enable pf. The initial TCP packet goes through fine, but the
return packet gets blocked. (I have verified this by putting LOG entries in
my ruleset.) If I disable PF, everything works fine.

Cutting down the pf ruleset to the bare minimum, I have:

adsl_if=em2
int_if=em0
pfsync_if=bge0

scrub in
set skip on lo

block in

#These three lines allow the failover mechanisms to work
pass on { $int_if } proto carp keep state
pass on { $adsl_if } proto carp keep state
pass quick on { $pfsync_if} proto pfsync

#Allow internal people to SSH in.
pass in on $int_if proto tcp to ($int_if) port ssh keep state

#ICMP
pass in proto icmp to me

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state

With this config, 172.16.2.34 cannot make a TCP connection to 192.168.249.3.

What stupid thing have I missed ?

For reference, below are the details of the carp & em interfaces. If anything
else is needed, let me know.

Thanks,

GTG


# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
groups: carp
inet 192.168.253.253 netmask 0xff00 broadcast 192.168.253.255
inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0xb
# ifconfig carp2
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:03
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xc
inet 192.168.249.253 netmask 0xff00 broadcast 192.168.249.255
# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1b:21:01:c8:30
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.253.20 netmask 0xff00 broadcast 192.168.253.255
inet6 fe80::21b:21ff:fe01:c830%em0 prefixlen 64 scopeid 0x3
# ifconfig em2
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1b:21:01:c8:32
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 192.168.249.251 netmask 0xff00 broadcast 192.168.249.255
inet6 fe80::21b:21ff:fe01:c832%em2 prefixlen 64 scopeid 0x5




Re: PF Config problem

2007-07-19 Thread Dag Richards

Gordon Ross wrote:

So why is this different to what I put ?

#These three lines allow the failover mechanisms to work
pass on { $int_if } proto carp keep state
pass on { $adsl_if } proto carp keep state
pass quick on { $pfsync_if} proto pfsync

The only difference I can see, is that your lines would allow CARP on the
pfsync (and loopback) interface.

GTG


Dag Richards [EMAIL PROTECTED] 07/19/07 4:55 PM 

I think you will find that since carp is communicated with multicast
that your rules are not behaving as you think.

They are allowing the outbound transmissions, but since you are not
establishing tcp sessions the keep state does not do what you want.

Try explicitly allowing in protocol carp

What I do is this:

pass out quick proto carp
pass in  quick proto carp




The difference is you were paying attention.
I really thought I saw pass out not just pass on your lines.

When you do

tcpdump -n -e -ttt -i pflog0

with rules enabled, do you see inbound carp being blocked?



Re: support for Sun Fire

2007-07-16 Thread Dag Richards

Daniel Ouellet wrote:

Toni Mueller wrote:

Hi Mark,

On Tue, 29.05.2007 at 14:13:06 +0100, mark reardon 
[EMAIL PROTECTED] wrote:

I just got a x2100 M2 from Sun yesterday on a 60 day trial and am having
trouble setting the MTU on one of the bge NICs. Just some initial 
findings.

Not a big problem for me really.


did you get it to run OpenBSD properly? Which model do you have?


I have one as well. Some results in the archive as well, but my biggest 
gripe with it is with the admin console for this unit. Sun really cut 
way too short on it to make it a decent remote admin box. Plus they share 
the BGE with the admin port, instead of the nVidia, which I could do 
without. The box is not bad, but could be better. It's more expensive, 
but it made me definitely switch to the 4100 instead. I only got one, 
and wouldn't get another one, unless it's not in a remote setup 
configuration which is pretty rare these days.


Even the serial console is limited in operation and works until OpenBSD 
starts, when it goes dead. Then you can do some more from the Ethernet 
port instead, but then if you reboot the box, you lose the admin on the 
Ethernet port and need to go back to the serial console.


My own feedback is that it's not a top of the line box, but not the worst either. 
Just not as good as it should be for me to recommend it however. It works 
well in some setups, not all.


YMMV,

Daniel

I use a few of these, and second all of Daniel's gripes.  I use them 
because they are cheap, and a fairly good value.


I would recommend you take a look at the HP DL360:
one U,
hardware raid,
and a nice little management interface you can ssh to
which allows pretty complete console access: go into bios, watch boot 
messages, power set the system.




formerly working vpn between obsd 4.0 hosts failing ....

2007-07-12 Thread Dag Richards
I have two bsd firewall / routers that have a vpn between them ... 
sometimes.  They have a late May build of 4.0 386; they had been 
working well until a few days ago, and we of course all swear that 
nothing was changed... they just started failing.


I left last night with tunnels up and running, came in this morning and 
found them down again. Isakmpd is running on both ends; on my 'client 
network' end I started it with  isakmpd -TLv -D A=40 ; below is 
some log.


I had found that if I restarted the daemon on the 'server network' side 
I could get the tunnels to come up, but it might require a couple 
of attempts, so I really can not prove it was merely a coincidence that 
they were starting.  This morning I found that the clocks were off between 
the fws and synched them, then restarted isakmpd on the client net side, 
and the tunnels came right up.


I claim that pf is configured properly, else the tunnels would never 
come up.  I use preshared keys, I know they match again because the 
tunnels work for a while.


I have never really seen tunnels just go down once running, so what 
would you do to isolate the cause?


Any help would be appreciated.



-snip with tunnels down --
Jul 12 06:31:29 mz1000wa isakmpd[13493]: timer_handle_expirations: event 
message_send_expire(0x87234480)
Jul 12 06:31:29 mz1000wa isakmpd[13493]: timer_add_event: event 
message_send_expire(0x87234480) added before 
exchange_free_aux(0x7ed17700), expiration in 11s
Jul 12 06:31:29 mz1000wa isakmpd[13493]: timer_add_event: event 
exchange_free_aux(0x7ed17a00) added last, expiration in 120s
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_setup_p1: 0x7ed17a00 
unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_setup_p1: icookie 
987bc831de38f5d4 rcookie 93d3d4c89d53786b

Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_setup_p1: msgid 
Jul 12 06:31:29 mz1000wa isakmpd[13493]: isakmp_responder: got NOTIFY of 
type INVALID_COOKIE, ignoring
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_finalize: 0x7ed17a00 
unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_finalize: icookie 
987bc831de38f5d4 rcookie 93d3d4c89d53786b

Jul 12 06:31:29 mz1000wa isakmpd[13493]: exchange_finalize: msgid 
Jul 12 06:31:29 mz1000wa isakmpd[13493]: timer_remove_event: removing 
event exchange_free_aux(0x7ed17a00)

Jul 12 06:31:29 mz1000wa isakmpd[13493]: message_free: freeing 0x87234500
Jul 12 06:31:33 mz1000wa isakmpd[13493]: message_free: freeing 0x87234500
Jul 12 06:31:40 mz1000wa isakmpd[13493]: timer_handle_expirations: event 
message_send_expire(0x87234480)
Jul 12 06:31:40 mz1000wa isakmpd[13493]: timer_add_event: event 
message_send_expire(0x87234480) added before 
exchange_free_aux(0x7ed17700), expiration in 13s
Jul 12 06:31:40 mz1000wa isakmpd[13493]: timer_add_event: event 
exchange_free_aux(0x7ed17a00) added last, expiration in 120s
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_setup_p1: 0x7ed17a00 
unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_setup_p1: icookie 
b65fccde1f52143b rcookie fee87d767fbe664b

Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_setup_p1: msgid 
Jul 12 06:31:40 mz1000wa isakmpd[13493]: isakmp_responder: got NOTIFY of 
type INVALID_COOKIE, ignoring
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_finalize: 0x7ed17a00 
unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_finalize: icookie 
b65fccde1f52143b rcookie fee87d767fbe664b

Jul 12 06:31:40 mz1000wa isakmpd[13493]: exchange_finalize: msgid 
Jul 12 06:31:40 mz1000wa isakmpd[13493]: timer_remove_event: removing 
event exchange_free_aux(0x7ed17a00)

Jul 12 06:31:40 mz1000wa isakmpd[13493]: message_free: freeing 0x87234500
Jul 12 06:31:46 mz1000wa isakmpd[13493]: message_free: freeing 0x87234500
Jul 12 06:31:53 mz1000wa isakmpd[13493]: timer_handle_expirations: event 
message_send_expire(0x87234480)
Jul 12 06:31:53 mz1000wa isakmpd[13493]: timer_add_event: event 
message_send_expire(0x87234480) added before 
exchange_free_aux(0x7ed17700), expiration in 15s
Jul 12 06:31:53 mz1000wa isakmpd[13493]: timer_add_event: event 
exchange_free_aux(0x7ed17a00) added last, expiration in 120s
Jul 12 06:31:53 mz1000wa isakmpd[13493]: exchange_setup_p1: 0x7ed17a00 
unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 06:31:53 mz1000wa isakmpd[13493]: exchange_setup_p1: icookie 
6de5b4121e72cece rcookie 33e61848a188464b

Jul 12 06:31:53 mz1000wa isakmpd[13493]: exchange_setup_p1: msgid 
Jul 12 06:31:53 mz1000wa isakmpd[13493]: isakmp_responder: got NOTIFY of 
type INVALID_COOKIE, ignoring
Jul 12 06:31:53 mz1000wa isakmpd[13493]: exchange_finalize: 0x7ed17a00 
unnamed no policy policy responder phase 1 doi 0 exchange 5 step 0
Jul 12 

Re: SOS! isakmpd cannot be loaded in OpenBSD properly

2007-06-18 Thread Dag Richards

Have you looked in /var/log/messages  for messages?
have you run isakmpd in the foreground with debugging enabled?


isakmpd -d -DA=2


Wilson Liu wrote:

I am currently  building an OpenBSD 4.1 firewall and setting VPN as
well.
I've changed isakmpd_flags=NO to isakmpd_flags="" (the "for normal
use" value given in rc.conf) to enable the isakmpd daemon. I've created two isakmpd related files
in /etc/isakmpd as below. I can also see a message from console after
restart

starting isakmpd

Somehow I cannot find an isakmpd process running in the background when I
type the command:

ps -ax

There are two NICs on that firewall: em0 is for external 172.20.0.188
and em1 is for for internal set to 192.168.30.1

What does the problem look like?  How can I load isakmpd properly?

Thanks a million!




isakmpd.conf --

[General]
Retransmits=5
Exchange-max-time=  120
Listen-on=  172.20.0.188

[Phase 1]
default=ISAKMP-clients

[Phase 2]
Passive-Connections=IPsec-clients


[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  SoftPK-main-mode
Authentication= hgKfdsGFd67ds9gdmenglals98csds


[IPsec-clients]
Phase=  2
Configuration=  SoftPK-quick-mode
Local-ID=   default-route
Remote-ID=  dummy-remote


[Net-ASGT]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.30.0
Netmask=255.255.255.0

[default-route]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[dummy-remote]
ID-type=IPV4_ADDR
Address=0.0.0.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

[SoftPK-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[SoftPK-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE

#---end of file

isakmpd.policy --
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the
         right password
Authorizer: "POLICY"
Licensees: "passphrase:hgKfdsGFd67ds9gdmenglals98csds"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            esp_auth_alg == "hmac-sha" -> "true";

#---end of file





Wilson J. Liu


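Added by the editor, not part of the thread: a small sh check for the cause that most often matches this symptom (rc prints "starting isakmpd", ps -ax shows no process). isakmpd will not load /etc/isakmpd/isakmpd.conf or /etc/isakmpd/isakmpd.policy when the file is owned by anyone other than root (or the uid isakmpd runs as) or carries any group/other permission bit, and the only trace of the refusal is a "too open permissions" line in syslog. The paths are the stock defaults; the function also accepts the calling user as owner so it can be exercised on a scratch file outside /etc.

```shell
#!/bin/sh
# Added example, not code from the thread: rule out the usual reason isakmpd
# prints "starting isakmpd" at boot and is then not in ps -ax. isakmpd does
# not load isakmpd.conf or isakmpd.policy when the file is owned by someone
# other than root (or the uid it runs as) or carries any group/other
# permission bit; the only trace is a "too open permissions" line in syslog.
# With a pre-shared key sitting in isakmpd.conf that refusal is the right
# default, so fix the mode rather than the daemon.

# check_secret_file FILE: 0 when FILE exists, is owned by root or the calling
# user (the latter so this can be exercised outside /etc), and has no
# group/other bits; 1 otherwise, with the reason on stdout.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    # ls -ld is portable where stat(1) flags differ between BSD and GNU:
    # field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    case $owner in
        root|"$(id -un)") ;;
        *) echo "$f: owned by $owner, isakmpd will not load it"; return 1 ;;
    esac
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "$f: mode $mode has group/other bits set (chmod 600)"; return 1 ;;
    esac
    echo "$f: ok"
    return 0
}

# Usage on the firewall itself; on any other machine this only reports "missing".
for f in /etc/isakmpd/isakmpd.conf /etc/isakmpd/isakmpd.policy; do
    check_secret_file "$f"
done
# Once both files pass, get the daemon's own account of the failure:
#   grep isakmpd /var/log/messages      # syslog lines from the boot-time start
#   isakmpd -d -DA=2                    # foreground, every debug class at level 2
```

Run it as root on the firewall. With a PSK in isakmpd.conf, chmod 600 is the fix, not a looser check; only after both files pass does isakmpd -d -DA=2 say anything useful about the configuration itself.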


Re: Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-03 Thread Dag Richards

[EMAIL PROTECTED] wrote:

I have a redundant firewall setup with carp interfaces on both sides of the
firewall. I have a mirror of this setup in a 2nd location. Now I'm a little
confused on how to set up the VPN. Do I use 1) the physical interfaces
between the peers or 2) do I use the carp interface as the peers or 3) do I
use both the physical and carp interfaces as the peers.

When trying to setup sasyncd in this sort of environment I can't get the
slave firewall to establish an IKE session because of the IPs of the peers.
Can anyone give me any insight into this?



What I have been doing is setting up the VPNs between the sites using 
the carp addrs.  sasync follows the state of the carp interface so you 
should get




 box a --                  -- box y --
         \                /           \
          carp 0 ---vpn--- carp 0      carp1 --internal nets
         /                \           /
 box c --                  -- box z --

a netstat -rnf encap run on a and c should look the same
and y and z should as well. Packets will only be forwarded down the 
tunnel by the machine who is carp master of either end. You will 
probably want to have internal carp ifaces as well, as seen on boxes y 
and z.	




Re: Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-03 Thread Dag Richards

[EMAIL PROTECTED] wrote:
Ok that setup is similar to what I have and I do have carp interfaces on 
both sides of the firewall. I was able to configure sasyncd but when 
running netstat -rnf encap I was not able to see any of the flows on the 
slave machine, but then I realized or thought that it was because the 
ISAKMPD session was not established on the slave machine.


I do not understand your terms here, ISAKMPD session 



If you're trying to establish the ISAKMPD session from the slave box which 
does not have control of the active carp interface, how is the 
ISAKMPD/IPSEC connection established? Doesn't it need to be established 
for sasyncd to know about the SAs? Or upon failover does the session 
then get established on the fly? Do you use isakmpd.conf or ipsec.conf 
to control your flows?


I use isakmpd.conf, though it seems to be deprecated and so really 
should be moving over to ipsec.conf.


I have a dedicated NIC on each machine with a x-over cable to carry the 
sasync and pfsync traffic, you can use an ipsec tunnel for this though I 
found it to fail occasionally.


Run isakmpd on both hosts with the listen addr being that of the carp 
iface and you should see SPI's propagated from the active server to the 
second.



off to lunch now, if this does not clear things up sufficiently you 
should consider posting ifconfigs, sasyncd.conf, isakmpd.conf and maybe 
some dumps ...




maybe one of the smart people will help us then.



Thanks.

On 5/2/07, *Dag Richards* [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
  I have a redundant firewall setup with carp interfaces on both sides of the
  firewall. I have a mirror of this setup in a 2nd location. Now I'm a little
  confused on how to set up the VPN. Do I use 1) the physical interfaces
  between the peers or 2) do I use the carp interface as the peers or 3) do I
  use both the physical and carp interfaces as the peers.
 
  When trying to setup sasyncd in this sort of environment I can't get the
  slave firewall to establish an IKE session because of the IPs of the peers.
  Can anyone give me any insight into this?
 

What I have been doing is setting up the VPNs between the sites using
the carp addrs.  sasync follows the state of the carp interface so you
should get



  box a --                  -- box y --
          \                /           \
           carp 0 ---vpn--- carp 0      carp1 --internal nets
          /                \           /
  box c --                  -- box z --

a netstat -rnf encap run on a and c should look the same
and y and z should as well. Packets will only be forwarded down the
tunnel by the machine who is carp master of either end. You will
probably want to have internal carp ifaces as well, as seen on boxes y
and z.




Re: Carp not behaving

2007-05-01 Thread Dag Richards

Dummy Dummy wrote:

On 4/30/07, Stuart Henderson [EMAIL PROTECTED] wrote:



Check you have a PF rule to pass carp traffic on that interface.
N.B. applications using bpf, like tcpdump, see the packets *before* PF.





Yes, PF rules were the cause. I had a bunch of carp/pfsync rules that were
at the end of the PF rules, but there were things at the top of the rules
that were causing the blockage.

Thanks Stuart and Dag.

User error  :(


Oh sure always my pleasure to be confused and of no help whatsoever.
I thought you had said that you tried this with pf disabled...
Whatever, this is how we all learn together, right?



Re: Carp not behaving

2007-04-27 Thread Dag Richards
I have had  this problem before where two systems each claim to be 
master on only one of the shared subnets.  My problem was one system had 
an alias on the carp iface that the other did not.  Do an ifconfig of 
the physical ifaces and the carp iface on each box, so it shows all the 
configured aliases.  Your dump is showing some source addrs that do not 
appear in the config you submitted for inspection.


mismatched addresses and netmasks can create the situation I believe you 
are describing.


Dummy Dummy wrote:

Hi OpenBSDers!

We have two 4.0 boxes that we are planning to use as an HA firewall.
While setting it up, we encountered a problem where the interface
doesn't know how to go into a backup state and stays as master.

Both boxes have the same hardware, connected to the same subnet.
When doing a tcpdump on the physical interface, both boxes can
see the carp advertisements but they don't seem to be responding to them.

There are four other interfaces on the same box, and they're all
behaving as expected (ie. when one's master, one'll be backup and
vice versa).  We've run out of ideas on why this is and need some
expert opinion. Has anyone seen this before?

Thanks in advance...

Here is the configuration of the box A:
# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:c1:fe:4a
        description: World core switch uplink
        media: Ethernet 100baseTX full-duplex
        status: active
        inet 192.168.108.5 netmask 0xff00 broadcast 192.168.108.255
        inet6 fe80::204:23ff:fec1:fe4a%em0 prefixlen 64 scopeid 0x1
# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:04
        carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 100
        groups: carp
        inet6 fe80::200:5eff:fe00:104%carp0 prefixlen 64 scopeid 0xa
        inet 192.168.108.2 netmask 0xff00 broadcast 192.168.108.255
# tcpdump -nvvv -r /tmp/em0.5.tr proto carp
15:16:46.006407 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 9319, len 56)
15:16:47.088866 carp 192.168.108.6 > 224.0.0.18: CARPv2-advertise 20: vhid=80 advbase=3 advskew=150 demote=0 [tos 0xc0] (ttl 255, id 60466, len 40)
15:16:47.216383 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 17369, len 56)
15:16:48.426361 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 20131, len 56)
15:16:48.784260 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 56385, len 56)
15:16:49.636337 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 6185, len 56)
15:16:50.091449 carp 192.168.108.6 > 224.0.0.18: CARPv2-advertise 20: vhid=80 advbase=3 advskew=150 demote=0 [tos 0xc0] (ttl 255, id 38698, len 40)
15:16:50.194262 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 34793, len 56)
15:16:50.846313 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 31704, len 56)
15:16:51.604272 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 62842, len 56)
15:16:52.056289 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) (ttl 255, id 2899, len 56)
15:16:53.014276 carp 192.168.108.5 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id 50211, len 56)
15:16:53.092038 carp 192.168.108.6 > 224.0.0.18: CARPv2-advertise 20: vhid=80 advbase=3 advskew=150 demote=0 [tos 0xc0] (ttl 255, id 59937, len 40)
15:16:53.274872 carp 192.168.108.4 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=50 demote=0 (DF) [tos 0x10] (ttl 255, id 848, len 56)
# netstat -sp carp
carp:
232749 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
0 discarded because packet too short
0 discarded for bad authentication
0 discarded for bad vhid
0 discarded because of a bad address list
54530 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
# netstat -rn | head
Routing tables

Internet:
Destination        Gateway            Flags    Refs     Use   Mtu  Interface
default            192.168.108.33     UGS        215250     -  em0

Here is the configuration of the box B:
# ifconfig em0
em0: 

Re: carp, 2 router

2007-04-12 Thread Dag Richards

Caveat -- bge? ospf? eh I only know them at the executive brief level.
  carp, stp, static routing I know well enough.


So call router one primary
traffic is coming routes are all up everything is good.

Switch 1 dies, carp  switches master over to router 2 bge2.
If you had carp inside and out, you would be done, router2 bge1 would 
take over your outside ip and traffic would go there.


If I understand your issue:
In the case of the failure
upstream 1 is going to continue to send traffic to router 1, you want 
rtr 1 to then forward traffic to router 2.  Router 2 then hands traffic 
to the internal systems.


OSPF is refusing to add a route showing something like

10.50.4/24        1xx.1xx.35.1       UGS        0        0     -   bge0

because you already have

10.50.4.22        00:00:0c:9f:f0:4e  UHLc       0 11351930     -   carp1

or some such



What if you were to use ifstated to remove the IPs from router1 bge2
on failure?

If you do this manually will ospf add the routes you desire?



François Rousseau wrote:

Well at the end I will have BGP for the upstream provider but this
part work fine so I have not talk about it in my last email.

I have done a fast schema of my setup: 
http://step.polymtl.ca/~spock/draft.jpg.


The reason I want to use CARP inside is because I want to have a
single gateway on my servers.

The BGP part will take care of announcing the routes and taking the
good exit point.
The CARP part will take care of the gateway for my servers.

But OSPF is not able to enter the carp route in the routing table...
probably because a route is already there.

thanks,
Francois Rousseau



2007/4/12, Chris Black [EMAIL PROTECTED]:

François Rousseau wrote:
 Hi,

 I have a problem understanding how to dynamically change the route
 destined for a carp interface.

 I have 2 routers, both have 3 NICs.

 On each router I have:
 1 NIC for the upstream
 1 NIC for the LAN (5 carp, no nat)
 1 NIC for inter-router traffic.

 What I want:

 If one of my CARPs goes into Backup state or if the cable is unplugged,
 every route to those networks is automatically redirected to the other
 router.

 Ex:
 Carp on router 1 goes backup so all traffic destined for those
 networks is automatically redirected to router2 which has the CARP
 Master.  So my router1 can continue to communicate with hosts on the
 LAN.  (useful to route traffic from my upstream provider)

 Right now, I think it is impossible because the route always stays in
 route show regardless of the interface state.

 Any idea how to do this?
Not sure I /totally/ understand your architecture, but I think what you
need is a carp on the upstream.

Chris




Re: Redirect traffic through VPN

2007-04-05 Thread Dag Richards

Matiss Miglans wrote:

Hi good people !
I need to make a connection from a server which is in LAN1 to a server which 
is in LAN3.
And I need to make another connection from that same server which is in 
LAN3 to that same server which is in LAN1.
There are 3 different company Ethernets, and I need to make this 
connection through my company. There is no way to make a direct VPN from 
LAN1 to LAN3 - business etc.


|---LAN1----------|   |---OpenBSD-------|   |-----LAN2-------|
|-10.210.1.0/24---|---|--Router/pf/vpn--|---|-192.168.0.0/24-|
|-----------------|   |-----------------|   |----------------|
                               |
                               | VPN IPsec over public Internet.
                               |
|---LAN3----------|   |---Netscreen 5xt---|
|-192.168.30.0/29-|---|---Router/pf/vpn---|
|-----------------|   |-------------------|

This VPN is from LAN2 to LAN3

I will make nat,rdr or binat, because I can't give direct access. I need 
to control what, where and how can connect.

I tried to make redirect like this:
rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
But, the OpenBSD box can't see the LAN3 network, or the Netscreen box's internal 
IP. - I tried ping, telnet, ssh etc.

Of course I can see that all, if i connect from LAN2 or LAN3.

How can I see this server in LAN3 from OpenBSD box ?
Or maybe there is better way to do that ?

In my pf.conf there is no deny rule.
There is my ipsec.conf:
ike esp from 192.168.0.0/24 to 192.168.30.0/29  \
   local x.x.x.x peer x.x.x.x  \
   main auth hmac-md5 enc 3des  \
   quick auth hmac-md5 enc 3des  \
   psk xxx

This is OpenBSD snapshot from 2007.26. Jan. (or something that way).

Best regards
Matiss


So you have a working VPN from LAN2 to LAN3 and reverse?
You can not NAT on the same box you run ipsec on ...
NAT is applied first, then a routing decision is made and if your IP 
addresses are outside your encryption 'domain' your traffic will not traverse 
the tunnel.



Are LAN1 and LAN2 really hosted off the same firewall?
If so then the statement "no VPN between LAN1 and LAN3" is silly.

In the layout as described you need to set up a VPN from LAN1 to LAN3.
You could possibly introduce an additional firewall to do NATing prior 
to VPN but that would be again silly.




Re: binat questions

2007-03-22 Thread Dag Richards
A quick read of the FAQ shows the pass keyword causes a bypass of all 
filtering ... so don't use it if you want your filters to be applied.



Bruce Bauer wrote:

Using OpenBSD 4.0
Using binat for the first time in the real world
Questions:
binat pass on fxp0 from $server_int to any -> $server_ext
does this bypass all other pf filter rules?
binat on fxp0 from $server_int to any -> $server_ext
does this form allow filtering?
Googleing comes up with many different opinions




Re: isakmpd gateway-to-gateway VPN woes...

2007-03-22 Thread Dag Richards

Do your firewalls forward IPv4?

sysctl net.inet.ip.forwarding=1


Jack Bates wrote:

If you can help, please feel free to CC: me directly:
[EMAIL PROTECTED]

My partner-in-crime and I are having some trouble getting a LAN-to-LAN VPN
working with OpenBSD-4.0-stable isakmpd.  Both firewalls have a relatively
unaltered install.  Both firewalls still have pf, ipsec and isakmpd_flags
unset in rc.conf (we are configuring and starting manually - is this a
problem?).  We have followed the directions from the Zero to IPSec on 4
minutes webpage.  I hope that this error report is thorough.

Here is a picture of the configuration:

                    10.0.0.2/24 ------- 10.0.0.1/24
L1 ------------ F1                         F2 ------------ L2
10.4.14.1 ----- 10.4.12.1/22               10.2.12.1/22 --- 10.2.14.1

L1,L2 - laptops
F1,F2 - Soekris net4801 firewalls

What works:

L1-F1 lan communication
L2-F2 lan communication
F1-F2 lan communication
F1-F2 IPSec communication (evidenced by F1 running ping 10.0.0.1 and
seeing only esp packets in tcpdump)

What doesn't work:

F1-L2 gateway'd VPN
F2-L1 gateway'd VPN
L1-L2 gateway-to-gateway'd VPN

What is interesting is that the routing tables have a section named
Encap: that seem to contain valid routes for the flows that do not work
above, but when attempting to use ping on addresses on a broken flow we
get No route to host.  This has got to be something simple. Thanks in
advance for your help.

Here are the pf.conf files from both firewalls:

###
F1: pf.conf
###

# jack
ext_if=sis0
int_if=sis1
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.1
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

###
F2: pf.conf
###

# sabino
ext_if=sis0
int_if=sis1
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.2
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

##
F1: ipsec.conf
##

# jack to sabino
sabino_ext = 10.0.0.1
sabino_int = 10.2.12.0/22
jack_ext   = 10.0.0.2
jack_int   = 10.4.12.0/22
ike esp from $jack_int to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_ext

##
F2: ipsec.conf
##

# sabino to jack
sabino_ext=10.0.0.1
sabino_int=10.2.12.0/22
jack_ext=10.0.0.2
jack_int=10.4.12.0/22
ike passive esp from $sabino_int to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_ext

###
F1: What isakmpd says after running ipsecctl -f /etc/ipsec.conf
###

# isakmpd -K -d -v
164953.991350 Default isakmpd: phase 1 done: initiator id 0a000002:
10.0.0.2, responder id 0a000001: 10.0.0.1, src: 10.0.0.2 dst: 10.0.0.1
164955.074708 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.283055 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.652188 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
165058.199701 Default isakmpd: shutting down...
165058.219397 Default isakmpd: exit

###
F2: What isakmpd says after running ipsecctl -f /etc/ipsec.conf
###

# isakmpd -K -d -v
171251.878157 Default isakmpd: phase 1 done: initiator id 0a000002:
10.0.0.2, responder id 0a000001: 10.0.0.1, src: 10.0.0.1 dst: 10.0.0.2
171253.351373 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.557425 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.566780 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171356.739110 Default isakmpd: shutting down...
171356.741411 Default isakmpd: exit

##
F1: routing table after isakmpd negotiates tunnels
##

# ipsecctl -f /etc/ipsec.conf
# netstat -rn
Routing tables

Internet:
DestinationGatewayFlagsRefs  UseMtu 
Interface

10.0.0/24  link#1 UC  10  -   sis0
10.0.0.1   00:00:24:c8:1d:60  UHLc2  125  -   sis0
10.4.12/22 link#2 UC  10  -   sis1
10.4.14.1  00:e0:00:c2:6e:2c  UHLc4  644  -   sis1
10.4.16/22 link#3 UC  00  -   sis2
127/8  127.0.0.1  UGRS00  33224   lo0
127.0.0.1  127.0.0.1  UH  14  33224   lo0
224/4  127.0.0.1  URS 00  33224   lo0

Internet6:
...abbreviated - irrelevant...

Encap:
Source Port  DestinationPort  Proto

Re: carp iface keeps switching to master

2007-03-15 Thread Dag Richards

Camiel Dobbelaar wrote:
Make sure your addresses are in sync...  number of addresses and the 
netmask are different.



On Wed, 14 Mar 2007, Dag Richards wrote:

inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255



inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255
inet 10.120.10.2 netmask 0xff00 broadcast 10.120.10.255


Yup don't know why that netmask was like that as I was snap-shotting my 
config for posting ... but it is/was not like that as a rule.


Anyway it was the magic clue, thanks, master had an address that slave 
did not.  As soon as I synced the config joy and correctness followed.

Thanks for the help.



Re: carp iface keeps switching to master

2007-03-14 Thread Dag Richards
Since reporting this problem I have tried running both systems on one 
switch, and performed a kernel and userland build from stable.

The behavior is unchanged in both cases.

help? Am I really that stupid? This was working on 3.9

Dag Richards wrote:

Two systems running 4.0 GENERIC#1107 i386 on bge drivers.
They are being used as VPN servers.
They are each jacked into their own Cisco 2950. The switches are connected 
to each other with xover cables.  Each host can see the other's carp 
traffic, pf is configured to quick pass carp traffic. Both systems 
insist on being master. I can ifconfig the desired slave to backup 
state but after a couple of seconds it pops back to master.

I am using sasync, the tunnels are all up and traffic flows as expected
though I think that has more to do with pfsync keeping the state tables 
synced, and the internal interfaces are behaving correctly.


The inside ifaces are jacked into the same switch, but shouldn't I be 
able to be jacked into two separate switches?


Erm ... ?  I am in GMT + 8, tomorrow morning I will try putting the 
slave on the same switch as master, but that of course creates a single 
point of failure.


Any other hints?



dump from should be slave

18:21:16.870759 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]
18:21:16.960298 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:18.010311 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:18.670753 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]
18:21:19.060327 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:20.110341 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:20.470750 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]


ifconfig on slave
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 200
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255

slave:root:/etc #sysctl -a  | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0



dump from should be master
18:21:16.871448 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]
18:21:16.960692 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:18.010696 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:18.671396 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]
18:21:19.060686 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:20.110681 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]


ifconfig on master
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 10
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255
        inet 10.120.10.2 netmask 0xff00 broadcast 10.120.10.255

master:root:/root #sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0




carp iface keeps switching to master

2007-03-12 Thread Dag Richards

Two systems running 4.0 GENERIC#1107 i386 on bge drivers.
They are being used as VPN servers.
They are each jacked into their own Cisco 2950. The switches are connected 
to each other with xover cables.  Each host can see the other's carp 
traffic, pf is configured to quick pass carp traffic. Both systems 
insist on being master. I can ifconfig the desired slave to backup 
state but after a couple of seconds it pops back to master.

I am using sasync, the tunnels are all up and traffic flows as expected
though I think that has more to do with pfsync keeping the state tables 
synced, and the internal interfaces are behaving correctly.


The inside ifaces are jacked into the same switch, but shouldn't I be 
able to be jacked into two separate switches?


Erm ... ?  I am in GMT + 8, tomorrow morning I will try putting the 
slave on the same switch as master, but that of course creates a single 
point of failure.


Any other hints?



dump from should be slave

18:21:16.870759 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]
18:21:16.960298 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:18.010311 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:18.670753 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]
18:21:19.060327 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:20.110341 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:20.470750 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]


ifconfig on slave
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 200
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255

slave:root:/etc #sysctl -a  | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0



dump from should be master
18:21:16.871448 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]
18:21:16.960692 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:18.010696 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:18.671396 CARPv2-advertise 36: vhid=33 advbase=1 advskew=200 
demote=0 (DF) [tos 0x10]
18:21:19.060686 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]
18:21:20.110681 CARPv2-advertise 36: vhid=33 advbase=1 advskew=10 
demote=0 (DF) [tos 0x10]


ifconfig on master
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        carp: MASTER carpdev bge0 vhid 33 advbase 1 advskew 10
        groups: carp
        inet6 fe80::200:5eff:fe00:121%carp0 prefixlen 64 scopeid 0x8
        inet 10.120.10.50 netmask 0xff00 broadcast 10.120.10.255
        inet 10.120.10.2 netmask 0xff00 broadcast 10.120.10.255

master:root:/root #sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0



Re: carp iface keeps switching to master

2007-03-12 Thread Dag Richards

Joel Knight wrote:

--- Quoting Dag Richards on 2007/03/12 at 18:50 -0700:



Two systems running 4.0 GENERIC#1107 i386 on bge drivers.
They are being used as VPN servers.
They are each jacked into their own Cisco 2950. The switches are connected 
to each other with xover cables.  Each host can see the other's carp 
traffic, pf is configured to quick pass carp traffic. Both systems 
insist on being master. I can ifconfig the desired slave to backup 
state but after a couple of seconds it pops back to master.

I am using sasync, the tunnels are all up and traffic flows as expected
though I think that has more to do with pfsync keeping the state tables 
synced, and the internal interfaces are behaving correctly.



On the slave, what does 'netstat -sp carp' show for packets received?

hsdcert1:root:/root #netstat -sp carp
carp:
66020 packets received (IPv4)
26401 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
0 discarded because packet too short
26384 discarded for bad authentication
39619 discarded for bad vhid
0 discarded because of a bad address list
7552 packets sent (IPv4)
6745 packets sent (IPv6)
0 send failed due to mbuf memory error

There are a pair of firewalls in the same network with different 
passwords and vhid's. So that should explain the bad auth and bad vhid 
packet counts.

What do your pf rules look like that are passing carp packets? You're
permitting carp packets on the physical interfaces, correct?

pass out quick log on  { $ext_if $int_if } proto carp
pass in  quick log on  { $ext_if $int_if } proto carp

yes these are the physical devs


I'm quite certain you should not be seeing advertisements on the wire
from both hosts at the same time. The master advertises on a continual
basis. Only during a transition might you see multiple advertisements.
For some reason, your slave box is not seeing the advertisements from
the master.
hmm, yes I get the impression that I am not seeing the intended master's 
packets from the slave.  But the dump told me otherwise.

I will put both on the same switch, observe/report the results,
then the patch recommended by Stuart, observe/report.


Thanks
Dag





.joel
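As an added example (not code from the thread), a small sh script that reads `netstat -sp carp` output in the format quoted above and compares two snapshots. On a box that is wrongly sitting in MASTER the question is whether it hears its peer's advertisements at all, and whether every advertisement it does hear is being thrown away for bad authentication or an unknown vhid. The two snapshots below are constructed (the first copies the counters above); on a real node feed it two runs of netstat taken a few seconds apart.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises the counters that
# `netstat -sp carp` prints and compares two snapshots.

# Constructed samples, shaped like the netstat output quoted above.
SAMPLE_BEFORE='carp:
66020 packets received (IPv4)
26401 packets received (IPv6)
0 packets discarded for bad interface
26384 discarded for bad authentication
39619 discarded for bad vhid
7552 packets sent (IPv4)
6745 packets sent (IPv6)'

SAMPLE_AFTER='carp:
66120 packets received (IPv4)
26451 packets received (IPv6)
0 packets discarded for bad interface
26434 discarded for bad authentication
39719 discarded for bad vhid
7560 packets sent (IPv4)
6752 packets sent (IPv6)'

# carp_summary: stdin = `netstat -sp carp` output,
# stdout = one line of key=value pairs (IPv4 + IPv6 totals).
carp_summary() {
    awk '
        /packets received/                 { recv    += $1 }
        /discarded for bad authentication/ { badauth += $1 }
        /discarded for bad vhid/           { badvhid += $1 }
        /packets sent/                     { sent    += $1 }
        END { printf "received=%d badauth=%d badvhid=%d sent=%d\n",
                     recv, badauth, badvhid, sent }
    '
}

# field NAME SUMMARY: pull one counter out of a summary line.
field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([0-9]*\).*/\1/p"
}

# carp_verdict BEFORE_SUMMARY AFTER_SUMMARY
# A node whose received count does not move is not hearing its peer at all.
# One whose rejects climb as fast as its receives is hearing only peers it
# does not trust (different password) or does not know (different vhid),
# which is exactly the "second firewall pair on the wire" case above.
carp_verdict() {
    d_recv=$(( $(field received "$2") - $(field received "$1") ))
    d_auth=$(( $(field badauth "$2") - $(field badauth "$1") ))
    d_vhid=$(( $(field badvhid "$2") - $(field badvhid "$1") ))
    d_ok=$(( d_recv - d_auth - d_vhid ))
    if [ "$d_recv" -eq 0 ]; then
        echo "silent: no advertisements received"
    elif [ "$d_ok" -le 0 ]; then
        echo "rejected: auth=+$d_auth vhid=+$d_vhid accepted=$d_ok"
    else
        echo "ok: accepted=$d_ok auth=+$d_auth vhid=+$d_vhid"
    fi
}

# Stand-alone run on the constructed snapshots.
before=$(printf '%s\n' "$SAMPLE_BEFORE" | carp_summary)
after=$(printf '%s\n' "$SAMPLE_AFTER" | carp_summary)
carp_verdict "$before" "$after"
```

On the constructed data every one of the 150 new advertisements was discarded, so the node accepted nothing from a peer it trusts; that is the pattern to look for on a slave that keeps promoting itself.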




Re: carp iface keeps switching to master

2007-03-12 Thread Dag Richards

Stuart Henderson wrote:

On 2007/03/12 18:50, Dag Richards wrote:

insists on being master. I can ifconfig the desired slave to backup 
state but after a couple of seconds it pops back to master.



how do you tell the state, ifconfig(8)? if so, try


yes precisely


http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.c.diff?r1=1.68&r2=1.68.2.1
(in 4.0-stable and will be in 4.1 of course)


Oh patching ... never thought of that! Heh, I'll give that a shot thanks.

Does this mean that it is only misreporting state?



Re: watch traffic on IPSEC tunnel?

2007-02-08 Thread Dag Richards

Tim Pushor wrote:
May be a dumb question, but how do I look at traffic going over an IPSEC 
tunnel, on one of the OpenBSD machines? I've tried tcpdump -i enc0 but 
get nothing ..



That is exactly what you do.  Remember you can not use filters on it, so no

tcpdump -i enc0 host wakkawakka

if plain old  tcpdump -i enc0
is not showing anything then probably you are not actually encrypting.

Does
tcpdump -i outside_iface

show you ESP traffic
does
netstat -rnf encap

show tunnels?



Re: missing isakmpd.fifo

2007-02-07 Thread Dag Richards

Toni Mueller wrote:

Hi Dag,

On Thu, 01.02.2007 at 08:37:01 -0800, Dag Richards [EMAIL PROTECTED] wrote:
locations. Yesterday I needed to add a tunnel, there was no 
/var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid 


The fifo was recreated, I could use it to control isakmpd. OK.

Today I look for isakmpd.fifo, it has disappeared again.


and nothing I do not expect to see.  I am not running out of disk space 
... anybody seen this before?


please check again using -i in order to find out whether you have
enough disk space.


Best,
--Toni++



hsdcert0:root:/root #df -i 

Filesystem  1K-blocks      Used     Avail Capacity  iused    ifree  %iused  Mounted on
/dev/sd0a     4126462     35180   3884960     1%     2204   533602     0%   /
/dev/sd0e     1030302        44    978744     0%       16   144238     0%   /home
/dev/sd0d     1030302         2    978786     0%        1   144253     0%   /tmp
/dev/sd0f    10318830    391228   9411662     4%    13887  1305023     1%   /usr
/dev/sd0g    16423486   1080606  14521706     7%     3564  2077842     0%   /var



Nope, plenty of inodes too.



Re: SSH client (putty) hangs after name/password login

2007-02-06 Thread Dag Richards

Brian A. Seklecki wrote:

Hello Brian,

Not quite sure what you mean with pstree...don't know the
command and no 'man pstree' on my 3.8 system..?


It's in the psmisc/ package

Note that I have no problems logging into the system while on the local 
network

(doing this
via a PC that I remotely manage). When I do a SSH session (via the VPN
tunnel) on the INSIDE
of the OBSD box, I get the same problem(using the same account).


Okay I must be asleep again.  I thought we eliminated pf(4) as the 
problem.  Technically if you can negotiate a 3-way handshake and 
establish the TCP socket, MTU should be a non-issue.


What about netstat -s.  Anything suspicious (grep -i drop) for 
sections esp: tcp: ip: icmp: etherip:


If you have access via the LAN, what about tcpdump(8) on the tun(4) 
interface?



is
not the case locally




Problem here is that this system is 900Km away...if I would stop the SSHD
(so i could


Normally I'd say to you Oh you're fine with pkill -HUP sshd; but 
that's because I'm accustomed to out-of-band management like DRAC and 
mgetty :}


nohup kill -HUP pid-of-sshd-listener-process

should get it for you

or if you are really (justifiably) paranoid a little temporary cron that 
will restart sshd if not running, or in five minutes.





~BAS


restart it with debug options) I will not be able to reach it anymore
:-(




Re: Sun Fire X2100 M2

2007-02-05 Thread Dag Richards

[EMAIL PROTECTED] wrote:

Hi,

Does anyone have any experience with this HW on OpenBSD. I can't find 
specifics on the NICs used on Suns webpage. What are they and are they 
well supported? This seems like the perfect package for my purposes.


Regards,
Edvard


There has been a fair amount of discussion of these on the list ...
My experience with them has been in general good.
One nic is a broadcom that shows up as a bge device.
The other is an nvidia that shows up as an nfe device.


Do keep in mind that the raid controller is not actually a raid 
controller.  So no HW Raid1. I have not tried to use the LOM module yet, 
though I have some for my next pair.




missing isakmpd.fifo

2007-02-01 Thread Dag Richards
I have a little production vpn server with 28 tunnels to various 
locations. Yesterday I needed to add a tunnel, there was no 
/var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid 
September, so I just edited the config file and hupped the controlling 
process.


The fifo was recreated, I could use it to control isakmpd. OK.

Today I look for isakmpd.fifo, it has disappeared again.
I have looked through messages, I see lots things I expect to see

--
Feb  1 07:01:44 hsdcert0 isakmpd[8856]: dropped message from 
2xx.xx.xx4.4 port 500 due to notification type Unknown 0
Feb  1 07:01:45 hsdcert0 isakmpd[8856]: isakmpd: quick mode done: src: 
10.120.10.50 dst: 1.26.19.30
Feb  1 07:02:09 hsdcert0 isakmpd[8856]: isakmpd: quick mode done: src: 
10.120.10.50 dst: 1.26.19.30
Feb  1 07:02:46 hsdcert0 isakmpd[8856]: isakmpd: phase 1 done: initiator 
id 011a131e: 1.26.19.30, responder id 0a780a32: 10.120.10.50, src: 
10.120.10.50 dst: 1.26.19.30

Feb  1 07:03:19
--

and nothing I do not expect to see.  I am not running out of disk space 
... anybody seen this before?




Re: missing isakmpd.fifo

2007-02-01 Thread Dag Richards

Um in case it *might* be useful information I am using OBSD 3.9 i386
though I can't remember exactly when I built userland; it is not the stock 
from-dist-CD version.


Dag Richards wrote:
I have a little production vpn server with 28 tunnels to various 
locations. Yesterday I needed to add a tunnel, there was no 
/var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid 
September, so I just edited the config file and hupped the controlling 
process.


The fifo was recreated, I could use it to control isakmpd. OK.

Today I look for isakmpd.fifo, it has disappeared again.
I have looked through messages, I see lots things I expect to see

--
Feb  1 07:01:44 hsdcert0 isakmpd[8856]: dropped message from 
2xx.xx.xx4.4 port 500 due to notification type Unknown 0
Feb  1 07:01:45 hsdcert0 isakmpd[8856]: isakmpd: quick mode done: src: 
10.120.10.50 dst: 1.26.19.30
Feb  1 07:02:09 hsdcert0 isakmpd[8856]: isakmpd: quick mode done: src: 
10.120.10.50 dst: 1.26.19.30
Feb  1 07:02:46 hsdcert0 isakmpd[8856]: isakmpd: phase 1 done: initiator 
id 011a131e: 1.26.19.30, responder id 0a780a32: 10.120.10.50, src: 
10.120.10.50 dst: 1.26.19.30

Feb  1 07:03:19
--

and nothing I do not expect to see.  I am not running out of disk space 
... anybody seen this before?




Re: x2100 M2

2007-01-05 Thread Dag Richards

Toni Mueller wrote:

Hi,

On Thu, 04.01.2007 at 22:18:58 -0800, Dag Richards [EMAIL PROTECTED] wrote:

You can use raidframe to do software raid, though I at least have not 
been able to do an upgrade of a system with its root slices on a

raidframe disk.



in theory, this should work in that you first upgrade your
non-raidframe'd root partitions, then reboot and proceed with the
normal upgrade. Or at least I've yet to find out how to make the
machine genuinely boot from a root partition on raid - including the
kernel...



Yes that is the theory, and that I am sure would work.
What I was trying to do is have _every_ slice be raidframe raid1.
I was able to get that to work, with a custom kernel sitting on a small 
boot slice on each disk.


When it came time to upgrade...

Every solution I came up with seemed to be a kludge, and not conducive 
to a click and drool upgrade path. So we just do an rsync to the other 
disk daily and know that there will be a drive swap and reboot required 
in the event of  disk failure.


Hardware raid is very much preferred if possible, IBM has some nice low 
end x series servers with raid controllers.



We have six of these little x2100's and I have really liked them.
They are in my opinion the best inexpensive 1U servers generally available.


Best,
--Toni++




Re: x2100 M2

2007-01-04 Thread Dag Richards

Stephen Schaff wrote:
I'm thinking about buying the Sun x2100 M2 for OpenBSD 4.0. I've  
purchased one for a  client that's running linux. I set it up but  don't 
admin it. I don't use linux, but I really like the hardware. I  want to 
do RAID1 with it, which the motherboard supports. However,  I'm told 
that the RAID controllers they put on motherboards are just  glorified 
software RAID and don't even compare to real hardware RAID.  Further, I 
don't think that OpenBSD would even work with the  motherboard RAID 
controller - please correct me if I'm wrong.


So, I'm looking for a suggested course of action regarding the x2100 M2.
Anyone have any experience with it - especially keeping RAID1 in mind?


Best Regards,
Stephen



This has been answered, and quite recently ...
The X2100's work well with OpenBSD 4.0.
The Raid controllers do not, at all.

You can use raidframe to do software raid, though I at least have not 
been able to do an upgrade of a system with its root slices on a

raidframe disk. I am of course one of the less sharp tools on the list.
Still a tool though ... heh heh heh.



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-18 Thread Dag Richards

 smith wrote:



Blocking icmp violates RFC rules which means in a nutshell weird things will
happen on your network.  


Buda says :
Amen... obey RFC 1122. 

RFC compliance is almost always a good reason to do something.
So I have learned something I apparently should already have known.



i.e. icmp helps negotiate traffic throughput when two

nodes are communicating over networks with various amounts of bandwidth.  If
you have firewall rules that allowed udp/tcp 53 and icmp to your dns server,
you would not violate RFC rules.  For someone to transport traffic through
icmp with these rules means that they would have to root your dns server.  At
that point, icmp isn't your problem.  Let me restate by saying if anyone on
your network tries to send traffic out via icmp, icmp isn't the problem, it's
the security of that computer that's the problem. 


We let users send out pretty much any traffic they want from their 
network, this debate was for me about what to allow _in_ to the dmz.


 Oh and if you're trying to

prevent your users from sending out confidential information to an external
source, let's face it, that's almost impossible. 


Yup, too true. Not trying to stop confidential info flow. Just trying to 
make illicit shell shipping harder.


 Such a user can use http or

better yet https as a transport as well or a floppy, usb hard drive, usb thumb
drive, and email (especially with an encrypted attachment so that your filter
can see what it is).  Hell they can print it out and carry it in their
briefcase if they wanted.


That's what I do ;)



Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Dag Richards

Jason Dixon wrote:

On Dec 17, 2006, at 2:51 PM, carlopmart wrote:


Philip Guenther wrote:


On 12/17/06, carlopmart [EMAIL PROTECTED] wrote:


Does somebody know if there is an option to put in the rc.conf file, like
FreeBSD's ipv6_enable=NO, to disable IPv6 support on
OpenBSD 4.0?



Nope.  No such option exists in OpenBSD.



Or do I need to recompile the kernel, modify sendmail.cf, etc,
etc, etc ...?? In other words, do I need to reconfigure all processes 
that

need ipv6 to start up??



Yeah, that's one way to end up with a system for which the developers
will basically ignore you if you report a problem.  Is that what
you're trying to accomplish?



Yes, my security staff orders me to disable the IPv6 protocol on all our  
firewalls ...



Your security staff is clueless.  I bet they like to block icmp echo- 
request too.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Erm, I don't think I am clueless, often a sign of cluelessness I am 
sure ... However.  I block inbound icmp, well actually inbound anything 
not shown to be required for specific 'services'.



What about this is cluelez?  I ask in a tone not of belligerence, but a 
desire to be informed by my betters.




Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage

2006-12-17 Thread Dag Richards

Jason Dixon wrote:

On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:


Jason Dixon wrote:

Your security staff is clueless.  I bet they like to block icmp  
echo- request too.



Erm, I don't think I am clueless, often a sign of cluelessness I  
am sure ... However.  I block inbound icmp, well actually inbound  
anything not shown to be required for specific 'services'.


What about this is cluelez?  I ask in a tone not of belligerence,  but 
a desire to be informed by my betters.



Why would you block icmp echo-request?  What does that gain you in  
terms of security?


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


I block all inbound traffic to my networks not required for operations.

I have a dns server I allow inbound udp / tcp 53, if its not running 
other services thats all I allow.  I run rules on the dns server that 
block it from making outbound connections except to 53 on servers off my 
network, and ntp to the time servers.


Why would I let icmp in? I have telnet turned off on all the servers, 
but I still block port 23, or actually fail to open it.


Tools can be written to use icmp as a transport, obviously anything can 
be used as a transport which is why we only allow traffic inbound to 
servers with services running we want public.  Why should I allow 
someone to ping my dns server?



If you need to see if the server is up telnet to port 53, a traceroute 
will die at the hop above the firewall, I know which ip that is. I don't 
care/need others to do so.
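An added example, not from the thread, of the host policy Dag describes for his DNS server (inbound only 53, outbound only 53 and ntp) written out as pf.conf by a shell function, so it can live in a build script and be dry-run with `pfctl -nf` where pf is present. The interface name and NTP servers are assumed placeholders. It also carries the one thing the RFC 1122 point in this thread is about: with stateful rules pf already admits ICMP errors that belong to a tracked connection, and the explicit fragmentation-needed line makes that intent visible and covers packets that are not tied to a state, while echo-request stays blocked exactly as above.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a pf.conf for a DNS-only host.

# dns_pf_ruleset: print the ruleset on stdout.
dns_pf_ruleset() {
    cat <<'EOF'
ext_if = "bge0"
# Assumed placeholder values; replace with the real ones.
ntp_servers = "{ 192.0.2.10 192.0.2.11 }"

set block-policy drop
set skip on lo0

# Default: nothing in, nothing out. Everything below is an exception.
block in log all
block out log all

# The service this host exists to provide.
pass in quick on $ext_if proto { tcp udp } to ($ext_if) port 53 keep state

# What the name server itself needs to reach: other name servers and time.
pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any port 53 keep state
pass out quick on $ext_if proto udp from ($ext_if) to $ntp_servers port 123 keep state

# ICMP the host must still hear to behave: "fragmentation needed" is what
# path-MTU discovery runs on. echo-request is deliberately absent.
pass in quick on $ext_if inet proto icmp to ($ext_if) icmp-type unreach code needfrag
EOF
}

# dns_pf_write FILE: write the ruleset and, where pfctl exists, parse it
# without loading it (-n) so a typo is caught before a remote reload.
dns_pf_write() {
    dns_pf_ruleset > "$1"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    fi
}

# dns_pf_has_pmtud: exit 0 if the ruleset still passes the ICMP PMTUD needs.
dns_pf_has_pmtud() {
    dns_pf_ruleset | grep -q 'icmp-type unreach code needfrag'
}

# Stand-alone run: show the ruleset.
dns_pf_ruleset
```

Keeping the PMTUD line is cheap and the failure it prevents (connections that stall only for large replies, across only some paths) is one of the hardest to diagnose from the server side.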




Re: ipsec vpn

2006-11-07 Thread Dag Richards

Reyk Floeter wrote:

On Fri, Nov 03, 2006 at 12:35:55AM +, Paul Civati wrote:

My understanding is, if you want to support the simple connection
of Windows clients, using the built-in VPN connector (eg. control 
panel - network - make new connection - VPN - L2TP), the 
server side needs:



1. IPSec VPN transport mode, most likely with dynamic IP endpoint
2. L2TP tunneling daemon
3. PPP daemon



no. you don't need l2tp + ppp. you're not talking about the built-in
ipsec support, you're talking about a stupid wizard...

starting with windows 2000, it is possible to use the built-in ipsec
support. it is a bit hidden and the configuration is painful, but it
actually works... you can configure it from the system management
console or by executing system32\secpol.msc.

you can find some details on the openbsd-support.com website about
mtu's approach to connect windows clients to openbsd ipsec gateways:
  http://www.openbsd-support.com/jp/en/htm/mgp/pacsec05/index.html

reyk



I use the following little script to startup ipsec on my w2k and xp 
clients. Preshared key is in a file c:\vpn\key.


Running with certs is also fairly simple.
This link http://vpn.ebootis.de/ will show you how to configure the 
windowze side.  Configure the OBSD side as per the manpage.  I have 
clients using the preshared method to AIX boxen, and others using x509 
to an OBSD gateway.



mordred:root:/home/drichard # cat ipseccmds.bat
@ECHO OFF

REM The preshared key lives in c:\vpn\key; read its first token into prekey.
if exist c:\vpn\key (
    for /f "tokens=1" %%a in ('type c:\vpn\key') do ( set prekey=%%a )
) ELSE (
    echo No key, no encryption! EXITING
    GOTO END
)

for /f "tokens=1" %%a in ('hostname') do ( set hostname=%%a )

REM XP ships ipseccmd.exe in the Support Tools, 2000 has ipsecpol.exe in
REM the Resource Kit. Same arguments either way: one one-way filter rule
REM per direction (host to gateway, gateway to host), ESP with 3DES/MD5,
REM then -x to activate the policy.
if EXIST "C:\Program Files\Support Tools\ipseccmd.exe" (
    REM this is an XP machine then
    SET PATH=%PATH%;C:\Program Files\Support Tools

    ipseccmd -w REG -p BobSwan -r Host-arthur -t cqaddr -f %hostname%/255.255.255.255=cqaddr/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:%prekey% -lan
    ipseccmd -w REG -p BobSwan -r arthur-Host -t %hostname% -f cqaddr/255.255.255.255=%hostname%/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:%prekey% -lan
    ipseccmd -w REG -p BobSwan -x
    GOTO END
) ELSE (
    IF EXIST "C:\Program Files\Resource Kit\ipsecpol.exe" (
        SET PATH=%PATH%;C:\Program Files\Resource Kit

        ipsecpol -w REG -p BobSwan -r Host-arthur -t cqaddr -f %hostname%/255.255.255.255=cqaddr/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:%prekey% -lan
        ipsecpol -w REG -p BobSwan -r arthur-Host -t %hostname% -f cqaddr/255.255.255.255=%hostname%/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:%prekey% -lan
        ipsecpol -w REG -p BobSwan -x
    ) ELSE (
        ECHO Don't know what you are running, no ipsec tools installed
    )
)

:END



Re: Status of hardware encryption accelerators - wetblanket

2006-11-06 Thread Dag Richards

Andreas Bihlmaier wrote:

On Mon, Nov 06, 2006 at 09:49:07AM -0700, Darrin Chandler wrote:

Greg Mortensen wrote:

On Sun, 5 Nov 2006, Darrin Chandler wrote:


Can you say what the irrelevant i386 machine is? Lots of difference
between a 90MHz PentiumI and a 3GHz Opteron, and I'd like to know where
those numbers fit in.
 The i386 results were sent to me off-list, so I don't know the 
processor details. It's fast will have to suffice.  To put it in 
perspective, my fastest Intel systems report:


Xeon 3.00GHz
aes-128-cbc  56117.94k  59781.24k  62908.69k  63702.29k  63485.95k

Xeon 3.40GHz
aes-128-cbc  64935.33k  71725.72k  74294.15k  75431.37k  75419.89k

My fastest:
cpu0: AMD Opteron(tm) Processor 246, 1994.63 MHz
cpu1: AMD Opteron(tm) Processor 246, 1994.32 MHz
type 16 bytes   64 bytes   256 bytes   1024 bytes   8192 bytes
aes-128-cbc  80713.16k  87876.85k   91431.72k92622.31k92688.52k

While that's *more* than fast enough for common tasks, the SBC + VIA 
PadlockACE numbers you gave whip the pants off it for anything > 16 bytes.


Well, you should also consider bytes/watt :)
type 16 bytes 64 bytes256 bytes   1024 bytes   8192 bytes
aes-128-cbc  48246.54k   175071.41k   472434.09k   788228.58k   980033.81k

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Esther processor 1500MHz (CentaurHauls 686-class) 1.50 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2

Regards,
ahb



Those are very impressive numbers.
What are you getting through these gateways?
What is the net usable throughput client PCs on either end are able to 
exchange over the VPN?




Re: DNS setup

2006-10-31 Thread Dag Richards

martin g wrote:

Hello all

Aprox. 2 weeks ago i posted a question titled web browsing to this list. It
was about  how to setup NAT  on my  gateway  so intranet computers  can
access  Internet.

The current situation is:

I have a obsd3.9 box connected to internet using ppp.conf, on the inside i
have a winXP box connected to switch, connected to obsd box.

The thing that wasn't working was that my XP box couldn't access web pages.
I blamed it on pf.conf. But that wasn't the case.

Today i tried this: I turned off Pf (i will set that up later).
I checked man ppp and found this info: "...to turn on NAT add this line to
ppp.conf: nat enable yes ...". With this line added to ppp.conf things
started to work.

Now the question :

1. My resolv.conf contains namesservers from my ISP

2. At the begining xp box was setup with DNS parameter pointing to my
gateway 192.168.0.1. I could not access Internet, then i changed this
parameter to dns server ip of my ISP
and things work again.


What must i do that things will work with dns parameter set to my gateway ?


Your GW needs to run dns, resolv.conf sets up dns for the GW to use for 
itself; it does not make it a forwarder or nameserver . Do a search for 
setting up a caching dns box.


Alternatively you could I suppose proxy dns requests from your client PC 
to your ISP's dns servers ...




Are there any security threats with parameters set to dns ip form my ISP ?
Will this be a problem when setting up Pf ?


Depends on whether your ISP knows how to keep their dns servers secure.



Re: Need help with NAT + IPSEC

2006-10-31 Thread Dag Richards

Johan Hedin wrote:

Hi

I need help with our IPSEC setup. We have an internal net 
192.168.1.0/24. We have IPSEC to a customer on net 10.92.0.0/16. 
However, they already used the 192.168.1.0 net, so the IPSEC tunnel is 
to 10.84.230.0/28. I have set up 10.84.230.1 on the internal network 
interface (hme3), and added a manual route to 10.92.0.0/16 via 
10.84.230.1. All works perfect on the firewall. On the internal net 
however, I can not reach the 10.92 net. I have tried to nat 192.168.1.0 
via 10.84.230.1. NAT works, but the packets are thrown back out on hme3 
with 10.84.230.1 as source address and not via enc0 as I want. How would 
one solve this?


TIA

Johan Hedin
CTO eCare AB




Hi
this has been discussed here before 
From the man page
---
NAT can also be applied to enc# interfaces, but special care should be
taken because of the interactions between NAT and the IPsec flow
matching, especially on the packet output path.  Inside the TCP/IP
stack, packets go through the following stages:

     UL/R --> [X] --> PF/NAT(enc0) --> IPsec --> PF/NAT(IF) --> IF
     UL/R <-- PF/NAT(enc0) <-- IPsec <-- PF/NAT(IF) <-- IF

With IF being the real interface and UL/R the Upper Layer or Routing
code.  The [X] stage on the output path represents the point where the
packet is matched against the IPsec flow database (SPD) to determine if
and how the packet has to be IPsec-processed.  If, at this point, it is
determined that the packet should be IPsec-processed, it is processed by
the PF/NAT code.  Unless PF drops the packet, it will then be
IPsec-processed, even if the packet has been modified by NAT.
-


What I do for this is I have my vpn server in a dmz


                  EVIL
                INTERNET
                /      \
               /        \
             em0        em0
              |          |
        +---------+    +---------+
        |   fw    |em1--DMZ--em1|   vpn   |
        +---------+    +---------+
              |
             em2
              |
       Internal networks


Outbound traffic to your customer gets nat-ed on em1 of fw

Inbound traffic from your customer gets nated on em1 of vpn

This may or may not be 'correct' but it works here, and it is pretty simple.



low through-put on bge cards OBSD 4.0 3.9

2006-10-30 Thread Dag Richards
I have a pair of Sunfire x2100's I am trying to configure as vpn 
routers to bridge between two Data Centres.


isakmpd - easy working
bridging - also easy

bridging over ipsec tunnel - surprisingly easy as well

The problem I am having is the one part that I
_assumed_ would be the easiest.

I can not seem to get more than ~43 megabytes per second through
the bge cards on these boxes.  This is the unencrypted speed
with the cards attached by x-over cable or on a 2950 switch with only
these two boxes attached.

I am running 4.0 using the 386 mp kernel compiled for IOAPIC.

I had essentially the same results w/ 3.9.

I tried installing  Suse 10.0 just to see what kind of throughput I got 
there, and was getting ~80 megabytes per second. This told me that the 
HW was at least capable of getting the throughput I expected. Of course 
the bloody linux  dist is useless for these types of applications.


Any suggestions?



Re: low through-put on bge cards OBSD 4.0 3.9

2006-10-30 Thread Dag Richards

Kyle George wrote:

On Mon, 30 Oct 2006, Dag Richards wrote:


I can not seem to get more that ~43 megabytes per second through
the bge cards on these boxes.  This is the unencrypted speed
with the cards attached by x-over cable or on a 2950 switch with only
these two boxes attached.

[snip]

Any suggestions?


Try bumping net.inet.tcp.recvspace and net.inet.tcp.sendspace.

http://www.openbsd.org/faq/faq6.html#Tuning


Yes I had tried setting the send and receive buffers to 65536
on 3.9; it helped but not much as I recall.  I just tried setting the 
buffers on 4.0 and got ~57 MBps throughput, so thanks, that's better.


 I am using the oh so precise and accurate ftp as a means of measuring 
throughput.


I know it is at best an imprecise method, but I was so far off my 
expectation I did not see the point in being more rigorous.



I just download the iperf package, I will see if I can get some more 
precise numbers.




Re: Experience with isakmpd/ipsec in production?

2006-08-21 Thread Dag Richards

Sven Ingebrigt Ulland wrote:

We are about to deploy some fairly critical VPN functionality in our
network, and for that purpose we're considering using OpenBSD with
isakmp/ipsec. We've had a test setup running for some time now with
no problems, but I'm interested in hearing about your long-term
experiences with running openbsd ipsec/isakmpd in critical production
environments. My excuses for the survey-ish feeling of this post.

How long have you been running openbsd isakmpd/ipsec (in production)?

What problems, if any, have you had with the openbsd vpn
implementations? Which of them are the most recurring? How do you
usually fix them?

Have you experienced any interoperability problems when establishing
tunnels with peers that run other implementations (cisco, checkpoint,
etc)? And if so, how do you work around those?

On the outside, it seems to me that the vpn implementation in openbsd
is good and stable, which could also stem from the corporate funding
it received. And the relevant files in cvs seem to be changed rather
infrequently.. also a good sign. But I'm not familiar with the inside,
which is what i was hoping you could help out with.

regards,
Sven U

We have been running vpn's here for over a year using isakmpd on OBSD 
beginning with 3.7.  We have currently a mix of 3.7 3.8 and 3.9, on 
SPARC and AMD, all on SUN hardware.


We use it to connect medical system at two county jails to our hospital 
data center.  We also use it to connect pharmacists and radiologists to 
our systems for after hours service.  So an entire county medical 
infrastructure would be unable to issue meds or read x-rays after hours 
if our vpn tunnels were down.


We have found OBSD to be very reliable. We have a single 'hang' that 
could not be resolved by HUP-ing isakmpd,  so we simply failed over to 
the sasync secondary system.  Otherwise once these puppies go up ... 
they pretty much just work and work and work.


Interop with Checkpoint has been dead simple, with Cisco less so.
I have found that when tunneling to something the other side has called 
Cisco VPN concentrators, things go more smoothly if you use 3DES and 
MD5.  Seems that if you try to use SHA that we never seem to get past a 
phase one state.


One thing about OBSD you will find to be truly bizarre is that things 
work as documented AND the man pages are concise and useful AND all 
features and config files are documented.


I used to manage a small herd of Checkpoints and Netscreens, I have 
never looked back.




Re: sshd question

2006-08-08 Thread Dag Richards

holger glaess wrote:

hi

i hope this list is the right one for my question .

i look for a function to limit the login by name AND ip range.

example.

root login ALLOW from www.xxx.yyy.zzz 
deny from all


myname login ALLOW from all 
deny from www.xxx.yyy.zzz


does there exist a feature / function of sshd to do this or do i need additional 
software ?

i didn't want to start a discussion about security and why i permit 
login as root.

holger


I think this request looks kinda silly

use pf

block quick log on $ext_if  proto { tcp udp }  from <bad_people> to any


to keep out those you don't want on that you know you don't want on.

Require certs with passwords, no tunneled plaintext passwords.
You don't HAVE to allow root logins, make people login as themselves and 
su, or better sudo.
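An added example, not from the thread, that puts the two halves of this answer together: the pf table Dag suggests for sources that should never reach the port, and the per-user source restriction holger actually asked for, which sshd_config can express with `AllowUsers` / `DenyUsers` `user@host` patterns (sshd checks DenyUsers first, then AllowUsers). The addresses are assumed placeholders. Because a mistake here is how you lock yourself out of a box 900 km away, the block also includes a small evaluator of the same two lines so the policy can be checked before the daemon is restarted; it matches patterns literally, whereas sshd also accepts wildcards.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholder addresses.

ADMIN_IP="203.0.113.10"

# sshd_config fragment: root only from the admin host, myname from anywhere
# except the admin host, keys rather than passwords (as Dag recommends).
SSHD_FRAGMENT="PermitRootLogin without-password
PasswordAuthentication no
DenyUsers myname@$ADMIN_IP
AllowUsers root@$ADMIN_IP myname"

# pf.conf fragment: a persistent table of sources that never reach sshd at all.
PF_FRAGMENT='table <bad_people> persist file "/etc/pf.bad_people"
block in quick log on $ext_if proto tcp from <bad_people> to any port 22'

# ssh_policy_decide USER CLIENT_IP -> "allow" | "deny"
# Mirrors sshd's order of evaluation for the two directives above:
# a DenyUsers match denies; otherwise the client must match AllowUsers.
# Patterns are compared literally as "user" or "user@ip".
ssh_policy_decide() {
    user=$1; ip=$2
    deny=$(printf '%s\n' "$SSHD_FRAGMENT" | sed -n 's/^DenyUsers //p')
    allow=$(printf '%s\n' "$SSHD_FRAGMENT" | sed -n 's/^AllowUsers //p')
    for pat in $deny; do
        if [ "$pat" = "$user" ] || [ "$pat" = "$user@$ip" ]; then
            echo deny; return 0
        fi
    done
    for pat in $allow; do
        if [ "$pat" = "$user" ] || [ "$pat" = "$user@$ip" ]; then
            echo allow; return 0
        fi
    done
    echo deny
}

# Stand-alone run: print both fragments and a few decisions.
printf '%s\n\n%s\n\n' "$SSHD_FRAGMENT" "$PF_FRAGMENT"
for who in "root $ADMIN_IP" "root 198.51.100.7" "myname $ADMIN_IP" "myname 198.51.100.7"; do
    set -- $who
    echo "$1 from $2: $(ssh_policy_decide "$1" "$2")"
done
```

Install the fragment, then `sshd -t` on the box before `kill -HUP` of the listener; the evaluator only tells you the pattern logic is what you meant, not that the file parses.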




Re: tunnels

2006-08-07 Thread Dag Richards

Yes you can do that but, why gre tunnels instead of ipsec?

Gustavo Rios wrote:

I would like to configure a virtual network on multiple physical
location. So, i am seeking if it could be possible using gre tunnels.

Local private address address will be 10/8 and the gre network of
tunnels should be 192.168.0.0/23.

It is possible?

Thanks in advance.




[Fwd: Re: OpenBSD and high availability]

2006-08-07 Thread Dag Richards

I am running two clusters using carp for network failover.

I use rsync every 15 minutes for the simple webapp which issues
x509 certs. A script runs on each node to check if it is
master if so it makes a crl, if not it pulls the directory hierarchy
 from the master.

The other cluster does the same for the web pages, but uses Mysql
replication to keep the databases in sync.



Sooo ho hoo, much cheaper than our AIX HACMP clusters on EMC.
80-90% of the functionality for ~5% of the cost.



Seems to me that there was/is some daemon on the redhatted stepchild of
a distro that you could use to look for changes in a file or dir
structure. I'll see if I can remember/find it, I thought
it was from SGI.

This may or may not help

http://oss.sgi.com/projects/fam/links.html



Jens Mayer wrote:

Dear all,

we are thinking about a scenario on how to set up a server offering http, ftp 
and a few postfix/mailman driven mailinglists with a redundant failover. I'm 
_not_ talking about load balancing here - only the master is serving, while 
the slave sits still and waits, probably with all services shut down until 
taking over.


While the networking part can be handled by carp, I'm collecting ideas on how 
to keep the local file systems in synch - especially for ftp users and the 
mailinglist archives. The synchronization will be done via a dedicated cross 
connect cable directly between the boxes.


I've seen nice concepts like DRBD (www.drbd.org), offering a RAID-1 network 
block device, but did not find anything like that for OpenBSD. 

Of course there's always the possibility of scripting something own using 
rsync and friends, but I'm curious if some of you have a similar setup 
running and can share some ideas, thoughts and big red warnings.


Kind regards,
Jens
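Dag describes the per-node job but does not post it; what follows is an added sh version, not his script. Each node asks ifconfig(8) which CARP state it is in and acts on the answer: the master regenerates the CRL, the backup pulls the CA directory from the master, and anything else (INIT during a transition, or a parse failure) touches nothing. carp0, the peer's ssh alias, the CA path and the CRL command are assumed placeholders; the ifconfig samples are constructed to match the shape of OpenBSD's carp status line.

```shell
#!/bin/sh
# Added example, not Dag's script. Assumed placeholders below.

CARP_IF="carp0"
PEER="ca-peer"                                   # ssh alias of the other node
CA_DIR="/var/ca"
CRL_CMD="openssl ca -gencrl -config $CA_DIR/openssl.cnf -out $CA_DIR/crl.pem"

# carp_state IFCONFIG_OUTPUT -> master | backup | init | unknown
# Parses the "carp: MASTER carpdev ..." line ifconfig prints for a carp interface.
carp_state() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*carp: / { print tolower($2); found = 1; exit }
        END { if (!found) print "unknown" }'
}

# plan_for_state STATE -> the single action this node should take.
plan_for_state() {
    case $1 in
        master) echo "make-crl" ;;
        backup) echo "pull-from-master" ;;
        *)      echo "wait" ;;   # INIT or unparsable: never overwrite anything
    esac
}

# run_sync: the cron entry body. Only the backup ever writes into CA_DIR
# from the network, and only while it is definitely the backup.
run_sync() {
    state=$(carp_state "$(ifconfig "$CARP_IF")")
    case $(plan_for_state "$state") in
        make-crl)         $CRL_CMD ;;
        pull-from-master) rsync -a --delete -e ssh "$PEER:$CA_DIR/" "$CA_DIR/" ;;
        wait)             logger -t casync "$CARP_IF is $state, nothing done" ;;
    esac
}

# Constructed ifconfig output for the two interesting states.
SAMPLE_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev bge0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_BACKUP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev bge0 vhid 1 advbase 1 advskew 100
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# Stand-alone run on the samples (run_sync itself needs a real carp0).
for s in "$SAMPLE_MASTER" "$SAMPLE_BACKUP"; do
    st=$(carp_state "$s")
    echo "state $st -> $(plan_for_state "$st")"
done
```

The `wait` branch is the part worth keeping: during a failover both nodes pass through INIT or flap briefly, and a job that rsyncs with `--delete` on a misread state is how the master's data disappears. It is still, as Nick says further down, no substitute for a backup.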




Re: OpenBSD and high availability

2006-08-07 Thread Dag Richards

Nick Holland wrote:

knitti wrote:


On 8/7/06, Jens Mayer [EMAIL PROTECTED] wrote:

While the networking part can be handled by carp, I'm collecting 
ideas on how
to keep the local file systems in synch - especially for ftp users 
and the
mailinglist archives. The synchronization will be done via a 
dedicated cross

connect cable directly between the boxes.



while I would do it with rsync (I know, depends on what you want to do),
I don't see any reason why ccd'ing two large nfs-exposed files shouldn't
work. But I think this would be more ugly and complicated than rsyncing
every x minutes...



Simplicity is your friend.
rsync is simple, easy to understand, and easy to recover.

mirroring over NFS is not simple.  My money would be that you would 
spend less time up and lose more data than a single, completely 
non-redundant workstation (yes, no rsync, but with a good backup plan, 
which you need anyway)...all in the name of high redundancy.


No, I can't prove it, but I much prefer the simple solution which has 
simple and understood problems, than the system which is never supposed 
to break...and will anyway, in ways you never imagined, and may not be 
able to figure out.  Experience tends to suggest I'm right on that...


Nick.



Seconded, we buy a lot of expensive proprietary gear and ware here.  No 
one truly understands most of it, vendors won't tell us about it.  It is 
never supposed to break and when it does it is expensive to get fixed.


Home grown is great if it is dead simple/straight forward/elegant. If 
you are going to go make a hairball you may as well buy one.  That way 
you can get to the pain quicker and it will take less time.
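The rsync approach the thread settles on has one sharp edge worth handling: the push must only ever run on the box that is currently serving, or a standby coming back from a reboot will happily overwrite the live data. The script below is an added example (not code from the thread or from any of its posters) that gates the push on the CARP state of the shared address before syncing the ftp area and mailman spool over the cross-connect. The interface name carp0, the peer address 10.255.255.2 and the directory list are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): rsync push from the serving box to the
# standby over the dedicated cross-connect, gated on CARP state so that a
# BACKUP never overwrites the MASTER's live data. Interface name, peer
# address and directory list are assumptions for the example.
CARP_IF="carp0"
PEER="10.255.255.2"                     # standby's address on the cross-connect (assumed)
DIRS="/home/ftp/ /var/spool/mailman/"   # trailing slashes: sync contents, not the dir itself

# carp_state: read `ifconfig carpN` output on stdin and print the state
# (MASTER, BACKUP or INIT), or "none" if no carp line was found.
carp_state() {
    awk '$1 == "carp:" { print $2; found = 1 } END { if (!found) print "none" }'
}

# should_push: true only for MASTER; INIT and BACKUP both stay quiet.
should_push() {
    [ "$1" = "MASTER" ]
}

# rsync_cmd: the exact command run for one directory. --delete mirrors
# removals, --partial keeps big archive files resumable, BatchMode makes
# a missing or expired key fail loudly instead of hanging under cron.
rsync_cmd() {
    printf 'rsync -a --delete --partial -e "ssh -o BatchMode=yes" %s %s:%s' "$1" "$PEER" "$1"
}

# push_all: run the sync for every directory when the state allows it.
# Prints what it decided so cron mail records it.
push_all() {
    if ! should_push "$1"; then
        echo "carp state is $1, not pushing"
        return 0
    fi
    for d in $DIRS; do
        echo "syncing $d"
        rsync -a --delete --partial -e "ssh -o BatchMode=yes" "$d" "$PEER:$d" || return 1
    done
}

# Run from cron every few minutes on both boxes; only the MASTER does work.
push_all "$(ifconfig "$CARP_IF" 2>/dev/null | carp_state)"
```

Because the same script runs on both machines, a failover does not need any config change: whichever box holds the CARP address starts pushing, and the other one stops. The ssh key used for BatchMode should be restricted on the standby (a forced command or rrsync-style wrapper) so that a compromise of the serving box does not hand out a general shell on its twin.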




Re: OpenBSD Gateway to replace old Linux gateway

2006-07-27 Thread Dag Richards

Webmaster Elaconta wrote:

I'm not looking forward to addressing the router to a different subnet
(and I know that would solve the problem) because our Internet-facing
servers are connected directly to that router in DMZ fashion (the router
forwards ports to them). The firewall is also connected directly to that
router and the LAN is in turn connected to the firewall. Changing the
subnet on the router would mean we would have to reconfigure a number of
Internet services which sort of depend on the 192.168.1.x network
configuration.

Now, if you know how to do what I want with OpenBSD, I would love to hear
it. 


You can configure OBSD to be a transparent bridge, as people here have 
told you. Setting up bridging is pretty simple; I did it in an afternoon 
for a test env. Having a system conf-ed to bridge does not preclude an 
IP or running services. Read the bridge and brconfig man pages; that 
will get you going. You can find the man pages at 
http://www.openbsd.org/cgi-bin/man.cgi if you do not have a running system.



After listening to the solution, I can then judge for myself if the
solution works. Even if we maintain the broken architecture for a
while - I'm not even sure if it is that broken, since it worked for
years without a squeak - at least we'll have a secure OS running it.



A better way to config may be to run your fw as out_if=192.168.1.121
in_if=192.168.2.1

NAT your PCs behind 192.168.1.121,
change the default gw of your PCs to be 192.168.2.1 and continue life 
fairly close to what you consider to be normal.


If it's not something you can get to, perhaps you could hire someone to 
set it up. Jason Dixon monitors this list; he consults and seems to be 
pretty sharp.


Trust them, however, when they say your configuration is broken.
People with heart murmurs pump blood for a long while, but are often 
eventually betrayed by their hearts.



working( today && yesterday ) != { working( tomorrow ) || good_idea(1) };




--
Elaconta.com webmaster
--

On 7/27/2006, Nick Holland [EMAIL PROTECTED] wrote:


elaconta.com Webmaster wrote:

Howdy

We have here an old (Mandrake Linux 8 - yeah I know...) PC with two NICs
which serves as a firewall for our LAN and runs a Bind caching nameserver.
Although the machine is getting old, it still works well. Thing is, I'm
having a hard time trying to reproduce it, that is, getting another PC
to do exactly the same thing this PC is doing. It was configured by a
guy that left the company, so I can't simply ask him how he configured
it.
It's a precautionary measure: if the machine breaks down we need another
one to go in its place.

Yes You Do.


So while I am at it I would love to replace the crusty old thing with a
new one running OpenBSD.
The networking scheme is:

Router (192.168.1.120) - (192.168.1.121) Firewall PC (192.168.1.122)
- (192.168.1.0/24) LAN

Now, thing is, the Linux firewall has two NICs:

NIC 1: 192.168.1.121
NIC 2: 192.168.1.122

The two NICs on the Linux box are configured with 192.168.1.121 and
192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
the company router (192.168.1.120) and 192.168.1.122 accesses the company
LAN (192.168.1.0/24).
From what I've googled, this shouldn't even be possible, everything is
on the same subnet. Regardless, it works great, and if I went and got an
OpenBSD rig to replace the old Linux rig, it would have to retain this
networking scheme, we can't afford to reconfigure the entire network
just for switching our firewall.

NO, you can't afford to avoid switching your firewall because of a
misconfigured network.

Your network is broke NOW.  If that old box dies or gets rooted (if it
hasn't been already), you will be looking at a lot bigger problems than
renumbering a network.


I know we could use a network bridge, but we need the caching
nameserver functionality.

Not everything has to be in one box.  I don't know how big your company
is, but I'm sure you have spare boxes lying around you can use as a DNS
resolver/server.  Split the task up if you need to.  Or..put an IP
address on one leg of the bridge.  Lots of options.


I'm an all-round Unix guy, but I'm a bit green on the routing department.

Can an OpenBSD box be configured the same way the Linux box is so it can
be a drop-in replacement for the Linux box? I can of course depict in
further detail the configuration of the Linux box (netstat -r to show
the routes, ifconfig or whatever).

If your network is dependent upon strange tricks, it is misconfigured.
If you can't pull one part out and replace it with another one, it is
misconfigured.  You should be able to choose the components that serve
you best, not live with the only thing that works.

It is better to fix this on your schedule than to react to a disaster
when it happens (note use of the word when...)

Keep in mind...rather than renumbering your internal network, you can
just re-address your router to 
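Dag's suggestion above (firewall with 192.168.1.121 on the router side, 192.168.2.1 on a renumbered LAN, NAT in between) is small enough to write down in full. The pf.conf below is an added example, not from the thread or from any of its posters. It uses the current pf.conf syntax (OpenBSD 4.7 and later, `match ... nat-to`) rather than the `nat on` form in use in 2006; the interface names em0/em1 are assumptions, the addresses are the ones from the thread.

```pf
# Added example (not from the thread): pf.conf for the two-subnet layout
# Dag suggests. Interface names are assumed; addresses are from the thread.
#
# Companion settings, not shown: /etc/hostname.em0 carrying
# "inet 192.168.1.121 255.255.255.0", /etc/hostname.em1 carrying
# "inet 192.168.2.1 255.255.255.0", "net.inet.ip.forwarding=1" in
# /etc/sysctl.conf, and /etc/mygate pointing at the router, 192.168.1.120.

ext_if  = "em0"            # 192.168.1.121/24, the router's existing segment
int_if  = "em1"            # 192.168.2.1/24, the renumbered LAN
lan_net = "192.168.2.0/24"

set skip on lo
block return log all

# LAN traffic leaves wearing the firewall's router-side address, so the
# router, the DMZ servers and the router's port-forwards to them keep
# their 192.168.1.x configuration untouched.
match out on $ext_if from $lan_net nat-to ($ext_if)

# LAN hosts (default gateway 192.168.2.1) may initiate anything, including
# queries to the caching resolver that runs on the firewall itself.
pass in on $int_if from $lan_net
pass out on $ext_if

# Nothing initiated from the router side is passed in; the stateful rules
# above let the replies to LAN-initiated connections back through.
```

The point of the layout is that the LAN gets its own subnet on the inside interface while the outside interface stays on 192.168.1.x, so only the PCs' default gateway changes and every router-side service keeps working. Whatever you end up with, `pfctl -nf /etc/pf.conf` checks the file before it is loaded, and `pfctl -sr` shows the rules as pf actually parsed them.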

Re: pf isakmpd: NAT through encryption interface?

2006-06-28 Thread Dag Richards

Stephen Bosch wrote:

Imagine the following scenario:

You have two VPN endpoints. One is an OpenBSD system running isakmpd and 
pf, the other is a VPN concentrator from some vendor.


The OpenBSD already has other VPNs set up, all using the same internal 
network. Renumbering isn't going to work.


The VPN concentrator operator has an internal addressing scheme he 
insists other endpoints conform to.


The question, then:

Is it even possible to NAT through an encryption interface? For example:

OpenBSD internal network: 192.168.45.0/24
Network other guy would prefer OpenBSD use: 10.110.40.0/24

Network other guy is using: 10.110.10.0/24

The command might look like this:

nat on $enc_if from 192.168.45.0/24 to 10.110.10.0/24 -> 10.110.40.10


Forgive me if this i) is impossible, ii) is crazy, iii) the syntax of 
the command is wrong.


I'd rather run it past the list than tinker on production equipment.

Thanks for any help and advice,

-Stephen-


Blind leading the blind here, but 
this was recently discussed, and it was pointed out that
the decision to encrypt happens before the nat-ing.

I deal with this selfsame issue by the lazy expedient of a firewall 
with a vpn server that has one interface in the dmz and one on the 
public net.  So I do the vendor mandated nat-ing and pass to the vpn 
server.  This made writing the pf rules for both sets of machines pretty 
straightforward.



