Postgres Open

2011-09-14 Thread Jason Dixon
Any OpenBSD users in Chicago for the Postgres Open?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Laffs with Lennart

2011-07-16 Thread Jason Dixon
On Sat, Jul 16, 2011 at 12:37:57PM +, Jona Joachim wrote:
> On 2011-07-16, Chris Cappuccio  wrote:
> > Lennart Poettering has graced the world with his brilliance one more time.  
> > Why?  Lennart doesn't "think BSD is too relevant anymore."
> [nolog]
> 
> This is nothing new, it has been anticipated by BSD developers a long time 
> ago:
> http://talks.dixongroup.net/nycbsdcon2006/

Indeed, I've been proclaiming BSD dead for the last five years. Get with
the times.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Remotely installing OpenBSD on dedicated server

2011-04-27 Thread Jason Dixon
On Wed, Apr 27, 2011 at 05:20:35AM -0500, C. Bensend wrote:
> > I've a VPS OpenBSD server at www.arpnetworks.com [1] - they're a
> > good price and I've had no problems with them if it helps.
> >
> > I know it's
> > a VPS rather than a dedicated server but it might be worth a look.
> 
> I'll second that, I also have a VPS at ARP.  Just need to remember
> to disable mpbios on the host.

+1

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Give old laptops

2011-01-29 Thread Jason Dixon
Is the hostname "lucky"?

http://www.stationbay.com/images/P/lostdog_R.jpg

-J.

On Sat, Jan 29, 2011 at 08:08:13PM +0100, TeXitoi wrote:
> Hi,
> 
> I have 2 similar old laptops that I do not use. They are 15" compaq
> presario 2100. You can find dmesg, pcidump and sysctl hw here :
> 
>   http://www.texitoi.eu/~texitoi/laptops/
> 
> One has a dead battery, the keyboard sometimes bugs (constantly
> repeating a key) and does not have a CDROM drive (I use it in another
> computer).  I have only 1 power supply.
> 
> PCMCIA is buggy (on one, inserting a card does not do anything, and in
> the other one, you can see at the end of the dmesg the messages).  I
> have a CISCO an(4) card that works on Linux and should be supported on
> OpenBSD.
> 
> Suspend does not work: the kernel page-faults while suspending the radeon
> card on the two computers.
> 
> DRI does not seem to work (30-50 fps on glxgears with 0% idle).
> 
> If an OpenBSD developer is interested in all that (for acpi,
> pcmcia/cardbus, drm development or simply to recycle the hard drives,
> the memory or using them directly), I'll ship them for free in
> European Union (preferably in Paris for hand to hand exchange, or in
> France by mail).
> 
> If you have any question on the hardware, just ask.
> 
> -- 
> Guillaume Pinot   http://www.texitoi.eu
> 
> "It seems that perfection is attained not when there is nothing more
> to add, but when there is nothing more to take away."
>   -- Antoine de Saint-Exupéry, Terre des hommes
> 
> ()  ASCII ribbon campaign  -- Against HTML e-mail
> /\  http://www.asciiribbon.org -- Against proprietary attachments
> 

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: sysjail project

2010-12-14 Thread Jason Dixon
On Wed, Dec 15, 2010 at 06:26:24AM +0300, Mikle Krutov wrote:
> Hello, list!
> 
> I'm interested, why is it said on sysjail projects site that
> >Sources tested variously on i386, AMD64, alpha, and others. It will only
> >work with OpenBSD 3.9, 4.0, 4.1, 4.2, and 4.3. The most current version
> >is 1.2.35, dated 29 May 2010. 
> While 
> >dated 29 May 2010
> ?
> Is that information wrong? If not, what are the reasons that it does not
> work on today's releases?

http://en.wikipedia.org/wiki/Sysjail

"The project was officially discontinued on 2009-03-03 due to flaws
inherent to syscall wrapper-based security architectures. The
restrictions of sysjail could be evaded by exploiting race conditions
between the wrapper's security checks and kernel's execution of the
syscalls.[1]"

1. http://www.watson.org/~robert/2007woot/

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
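The race the Wikipedia excerpt describes is easy to miss in prose, so here is an added example (not from the thread, from sysjail or from the cited paper) that simulates it: a sandbox wrapper reads a path argument out of the caller's memory and checks it, then the "kernel" reads the same memory again when it executes the call. A second thread of the sandboxed process rewrites the buffer in between. A threading.Barrier stands in for the timing an attacker would otherwise win by spinning on an SMP box; UserBuffer, JAIL_ROOT and the function names are invented for the illustration. The fixed variant copies the argument once and hands the checked copy to the kernel, which is the only sound shape for this kind of check (and why filters such as seccomp-bpf refuse to dereference pointer arguments at all).

```python
"""Simulation of the check-then-use race in syscall-wrapper sandboxes.

Added example; the names are invented and nothing here is sysjail code.
"""
import threading
from typing import Callable, Optional

JAIL_ROOT = "/jail/"


class UserBuffer:
    """Stand-in for process memory shared by every thread of the caller."""

    def __init__(self, path: str) -> None:
        self.path = path


def wrapper_check(buf: UserBuffer) -> bool:
    """The sandbox policy: read the argument and test the jail prefix."""
    return buf.path.startswith(JAIL_ROOT)


def kernel_open(buf: UserBuffer) -> str:
    """The real syscall fetches the argument from user memory again."""
    return buf.path


def racy_wrapped_open(buf: UserBuffer,
                      window: Optional[threading.Barrier] = None) -> Optional[str]:
    """Wrapper that checks the argument, then lets the kernel re-read it."""
    if not wrapper_check(buf):
        return None                     # denied
    if window is not None:
        window.wait()                   # simulated timing: attacker's turn
        window.wait()                   # attacker has rewritten the buffer
    return kernel_open(buf)


def safe_wrapped_open(buf: UserBuffer,
                      window: Optional[threading.Barrier] = None) -> Optional[str]:
    """Fix: copy the argument once (copyin) and pass that copy on."""
    snapshot = UserBuffer(buf.path)     # the only read of user memory
    if not wrapper_check(snapshot):
        return None
    if window is not None:
        window.wait()
        window.wait()
    return kernel_open(snapshot)        # kernel acts on the checked copy


def race(open_fn: Callable[..., Optional[str]]) -> Optional[str]:
    """Run open_fn against a thread that swaps the path mid-syscall."""
    buf = UserBuffer(JAIL_ROOT + "etc/passwd")
    window = threading.Barrier(2, timeout=5)

    def attacker() -> None:
        window.wait()                       # wrapper has finished its check
        buf.path = "/etc/master.passwd"     # outside the jail
        window.wait()                       # let the "kernel" proceed

    t = threading.Thread(target=attacker)
    t.start()
    result = open_fn(buf, window)
    t.join()
    return result


if __name__ == "__main__":
    print("racy wrapper opened: ", race(racy_wrapped_open))
    print("fixed wrapper opened:", race(safe_wrapped_open))
```

The racy wrapper reports "/etc/master.passwd", i.e. the policy check passed on one string and the kernel acted on another; the fixed wrapper reports "/jail/etc/passwd". The same shape of bug applies to any argument the kernel copies in after the wrapper has looked at it (socket addresses, iovecs, pathnames), which is why the paper's conclusion was architectural rather than a matter of patching individual checks.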



Re: mod_auth_pgsql trouble (SOLVED)

2010-11-30 Thread Jason Dixon
On Tue, Nov 30, 2010 at 03:16:37PM +0100, Michael wrote:
> 
> The problem here was the
> 
> where user='name'
> 
> part. When I used phpPgAdmin to generate that select it gave me
> 
> where "user" = 'name'
> 
> instead and that worked. So user seems to be some special name. After I
> renamed the row to username it suddenly worked.
> 
> Really weird.
> 
> Is that a bug or a feature? Someone able to enlighten me? :-)

USER is a "SQL Key Word" (reserved word) in PostgreSQL.

http://www.postgresql.org/docs/8.4/static/sql-keywords-appendix.html

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: EuroBSDcon

2010-09-22 Thread Jason Dixon
On Thu, Sep 23, 2010 at 02:55:12AM +0200, Henning Brauer wrote:
> I unfortunately have to suggest that those of you planning to go to
> eurobsdcon in karlsruhe hold back on booking your tickets. The
> organizers have failed to confirm that they cover speakers' travel and
> accommodation expenses despite countless requests. This is not an issue of
> us being able to afford it or not - it is standard practice for
> conferences to do so. And it must be. Writing software in your free
> time, giving it away for free, and then traveling around the world on
> your own budget to speak about it just doesn't work out. It's a matter
> of fairness. Conferences charge quite a bit for admittance, and part of
> that money covers the speakers' expenses. We don't know where/how the
> organizers intend to use that money. The talks and thus the speakers
> are what you pay for, after all.

I have no insight into EuroBSDCon's budget, but I'll say that statement
is very ignorant of conference expenditures.  Speaker travel and hotel
can easily suck up 50% of a small conference budget, but the venue
(space, networking, power) and catering can quickly overwhelm all of it.
I wager that most of the other conferences benefit from academic venues
which are typically free or low-cost.  I have no such luxury with
DCBSDCon.  Not sure about EuroBSDCon.

But I will agree that any conference that charges admission should first
and foremost, cover speaker costs.  Larger conferences should strive to
pay speakers an honorarium.  If you can't do the minimum, then you
shouldn't have the event.  Don't half-ass it.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Bridge Monitoring

2010-09-07 Thread Jason Dixon
On Mon, Sep 06, 2010 at 09:26:09PM -0700, James Peltier wrote:
> Hi All,
> 
> Now that I have my new bridge in place and happily filtering away I would
> like to look at monitoring and graphing it.  I'd like to setup a "monitor
> port" style so that I can send the traffic over to another box for
> processing.
> 
> I was thinking of installing symon on the bridge itself and sending it over
> to another box.  Additionally, I was looking at setting up a pflow device and
> sending it to another box and analyze using something like netflow dashboard.
> 
> We currently use a Cisco sending data to a GNU/Linux box running MRTG.  We
> use arpwatch, IP Audit and other tools.
> 
> Any ideas what might be best to use in this case?  What are others using to
> monitor their network firewalls, bridges or networks in general?

Off the top of my head (probably forgetting a lot):

munin, symon, cacti, reconnoiter, nfsen, netflow dashboard

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: which monitoring do you use (on OpenBSD)

2010-08-14 Thread Jason Dixon
On Wed, Aug 11, 2010 at 10:07:53PM +0200, Jiri B. wrote:
> On Tue, 10 Aug 2010 18:05:51 -0400
> Jason Dixon  wrote:
> 
> > http://omniti.com/video/noit-oscon-demo
> 
> Sorry no flash :)
> 
> Some screenshots should be sufficient for this products, interesting is
> there are no screenshots except that architecture picture.

Here's a quick one I just grabbed.  We don't actively use Reconnoiter
these days as much as we do Circonus.

http://www.flickr.com/photos/78527...@n00/4892326857/
 
> Does it have some event console? So an operator can watch it 24x7 and
> see if something goes wrong and do a repair action?

It has support for alerting in stratcon (iirc), but no fault detection
functionality is exposed in Reconnoiter's current web UI.
 
> It's nice it can act as snmp trap daemon... A lot of SAN devices have
> SNMP and Vmware ESXes can make good monitoring via SNMP as well.
> 
> In our enterprise environment we have huge operators centers which
> watch 24x7 Tivoli Enterprise Console (yeah, ld shite), but what I
> saw is that one can right click on an event and run an action directly
> from event console (OK, it is not used at all but nice feature and you
> exclude possibility to fuck up something just with a similar but bad
> command).

P.S. Sorry for the slow response, been enjoying my vacation.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: which monitoring do you use (on OpenBSD)

2010-08-10 Thread Jason Dixon
On Tue, Aug 10, 2010 at 01:11:41PM -0700, James Peltier wrote:
> 
> Being as I have never used Reconnoiter or Circonus, would you care to
> elaborate as to where these products "suck less" than Nagios or other
> solutions?  I am looking into replacing our very aged monitoring system now
> and Nagios is the one that seems to stand out the most, although Zabbix and
> Munin look good in their own rights.

Theo Schlossnagle (our CEO and the architect of Reconnoiter) answers it
pretty well in his talk from OSCON (requires flash, sorry).

http://omniti.com/video/noit-oscon-demo
 
In my words, Reconnoiter was designed to overcome a lot of the
performance and design problems native in Nagios and Cacti.  It does a
lot of the things that either of those do, although it was designed
foremost as a highly scalable metrics collection "engine".  Like Nagios,
the types of checks it can perform is virtually limitless.  Unlike
Nagios, it is highly performant by design.  Checks are deployed across
scout "agents" in your network, giving you both perspective and
non-perspective collection points.

The web UI in Reconnoiter is adequate.  One of its really nice features
is the cli console, allowing you to configure checks and metrics in an
environment familiar to Cisco admins.  That said, the bread-and-butter
in Reconnoiter is the sort of graphs which you can create and recreate
with ease.  Unlike trending tools like Cacti, you can easily correlate
dissimilar metrics in a single graph, with just a few clicks.  Stack
sets, composite datapoints and RPN conversion of source and display
values are just a few of the other features that are easy to implement
within Reconnoiter.

> Guidance is always appreciated. :)

Reconnoiter is not for everyone.  It's a very powerful system, but it's
not intended to be a drop-in replacement for other ECA/Trending systems.
It takes time and effort to get value out of it, but it offers some
Capacity Planning and Root Cause Analysis capabilities that aren't
available or usable in the alternatives.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: which monitoring do you use (on OpenBSD)

2010-08-10 Thread Jason Dixon
On Tue, Aug 10, 2010 at 12:41:26PM -0500, C. Bensend wrote:
> > nagios is shit. misdesigned, horrible code, and someone who obviously
> > doesn't understand blocking semantics of sockets writing that part of
> > the code...
> >
> > that said, I use it, too. and as almost every other serious user with
> > at least a little bit of standards left I hate it.
> 
> I cannot speak to the quality of code; I couldn't code my way out of
> a wet paper bag and am horribly unqualified to comment.

Henning is completely accurate (*).  Nagios code is shite and reflects
poorly on the engineering skills of the creator.  Its near-monopoly
position in the community is based on two factors:

1) Price.  Although you pay dearly in time spent setting it up,
maintaining it, and in outages caused by it (keep reading).

2) It's the least crappy of all crappy open-source monitoring options.
 
> However, this is a majority of my job where I am now, and I don't
> dislike it.  It's infinitely extensible, makes it simple to write
> plugins for stuff that you can't already find one for, and has a
> fairly large community.

We used it for a very long time on a very large scale.  While it is
extensible, it promotes poor design choices and puts no limitations on
the style or number of shite extensions.  But my biggest beef is on some
of the design choices that allow you to shoot yourself in the foot.  As
my therapist would say, Nagios is an "enabler".

Take for example, Nagios acknowledgments.  They never expire, so it's
very easy to ack something and forget about it.  For days.  Or better
yet, the idea of "flapping".  At face value, this seems like a good
idea.  But whatever happened to actually *responding* to an alert when
something goes wrong.  Let me get this straight... you WANT your
monitoring system to stop alerting you when your shit goes down?  What
am I missing here?

> It's a *helluva* lot better than Mon or Big Brother, both of which
> I've used in the past, and both of which made me weep tears of
> blood.

See above.

(*) I should disclose that I'm the Prod. Mgr. for Circonus, a SaaS
version of Reconnoiter with trending, fault detection and notifications.
Circonus is not free, but is based on Reconnoiter which is actively
developed as an open-source BSD-licensed project.  Both were engineered
to directly address the pain we've experienced over the years working
with "solutions" like Nagios and Cacti.  So although it's fair to
consider me biased towards our software, suffice it to say that if
Nagios didn't suck so badly we never would have developed either
Reconnoiter or Circonus.  There are some OpenBSD-Reconnoiter users in
the community;  if you're interested in finding out more about
Reconnoiter, ask around or check out the project website.

http://labs.omniti.com/labs/reconnoiter

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenBSD users.

2010-07-18 Thread Jason Dixon
On Sun, Jul 18, 2010 at 01:07:12AM +0200, Mateusz Gierblinski wrote:
> 
> I'm just wondering. Where are you OpenBSD users from?

Your mom's bedroom.

-J.



Re: BSDStats: Status Report

2010-05-25 Thread Jason Dixon
On Tue, May 25, 2010 at 06:00:24PM -0300, Marc G. Fournier wrote:
> News:
>
> It's been almost three weeks since we fixed a bug with the stats collector
> that was causing a lot of reportings to get lumped under 'Panama', and our
> numbers are back up (or above) where they were before we effectively
> re-set the statistics.

If there's a less scientific examination of the impact and reach of
various BSD distributions, I've yet to see it.

"This sample represents users of the given BSD operating systems that
opted in to install a data collection program."

"...we are trying to demonstrate to hardware and software vendors out
there that *BSD should be viewed as a serious operating system, not just
as a hobbyist system, for support (ie. hardware drivers) purposes."

Your poll will have zero influence on hardware manufacturers to increase
support of any particular BSD.  You know what will?  Your money.  If a
manufacturer or wholesaler wants to ignore your favorite OS, you:

1) Ask them to support your OS.
2) Spend your money on a manufacturer or vendor that supports your OS.
3) Remind the original vendor that they lost your money, WHY they lost
your money, and where it went.

Money talks, polls get ignored.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 12:12:31PM +0500,  ??? wrote:
> 2010/3/14 Jason Dixon :
> > On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
> >> we have many people who know ISA very well and all they do with ISA is
> >> "publishing applications", rdr rules in terms of pf.
> >> they do not need to know "all the pf detailed", all they need is
> >>
> >> a) something ISA-like
> >> b) syntax-checker, I mean that gui should only allow adding correct
> >> rules (what is not true when you edit file)
> >>
> >> "learn pf.conf and edit file" is not our case though.
> >
> > You're SOL on all counts.  Oh by the way, when you find that magical
> > firewall ui that "only allows adding correct rules", please let me know.
> > That's some insanely smart code that knows right from wrong.  Not even
> > pf itself will keep you from shooting yourself in the foot with
> > stupidity.
> 
> text files do not have any structure, from pf.conf's point of view the rule
> 
> "blok in all"
> 
> is nothing more that just a line

You obviously haven't read pfctl(8).  It supports syntax checking.

$ sudo grep -n blok /etc/pf.conf
30:blok in all

$ sudo pfctl -nf /etc/pf.conf
/etc/pf.conf:30: syntax error


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
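The pfctl -nf check above is the building block of a safe reload, so here is an added example (not from the thread, not part of pfctl or OpenBSD) that wraps it: a candidate rule set is parsed with -n first, the previous file is kept as a rollback copy, and only then is the new file copied into place and loaded. It assumes pfctl(8) is in PATH and that the caller may load rules; the "run" parameter is injectable so the decision logic can be exercised on a box without pf, and the file names are placeholders.

```python
"""Install a candidate pf.conf only after pfctl -nf has accepted it.

Added example; assumes pfctl(8) in PATH and privilege to load rules.
"""
import shutil
import subprocess
from typing import Callable, List, Tuple

# A runner takes argv and returns (exit status, stderr text).  The default
# executes pfctl; tests can substitute a stub.
Runner = Callable[[List[str]], Tuple[int, str]]


def run_pfctl(argv: List[str]) -> Tuple[int, str]:
    cp = subprocess.run(argv, capture_output=True, text=True)
    return cp.returncode, cp.stderr.strip()


def pf_validate(candidate: str, run: Runner = run_pfctl) -> Tuple[bool, str]:
    """pfctl -nf parses the file and reports errors without loading it."""
    rc, err = run(["pfctl", "-nf", candidate])
    return rc == 0, err


def pf_safe_install(candidate: str, target: str = "/etc/pf.conf",
                    run: Runner = run_pfctl) -> Tuple[bool, str]:
    """Validate, back up, copy into place and load; roll back on failure."""
    ok, err = pf_validate(candidate, run)
    if not ok:
        return False, f"refusing to install {candidate}: {err or 'syntax error'}"
    backup = target + ".prev"
    shutil.copy2(target, backup)        # last known-good rule set (assumed to exist)
    shutil.copy2(candidate, target)
    rc, err = run(["pfctl", "-f", target])
    if rc != 0:
        shutil.copy2(backup, target)    # restore the file ...
        run(["pfctl", "-f", target])    # ... and the rules in the kernel
        return False, f"load failed, restored {backup}: {err}"
    return True, f"loaded {target}; previous rules saved as {backup}"


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else "/etc/pf.conf.new"
    ok, msg = pf_safe_install(src)
    print(msg)
    sys.exit(0 if ok else 1)
```

pfctl -nf only catches what the parser can see. A rule set that is syntactically perfect but blocks your own SSH session loads fine, which is the "shoot yourself in the foot" case from the reply; the .prev copy is there so the fix is one `pfctl -f /etc/pf.conf.prev` from a console or a second session you kept open before reloading.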



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
> we have many people who know ISA very well and all they do with ISA is
> "publishing applications", rdr rules in terms of pf.
> they do not need to know "all the pf detailed", all they need is
> 
> a) something ISA-like
> b) syntax-checker, I mean that gui should only allow adding correct
> rules (what is not true when you edit file)
> 
> "learn pf.conf and edit file" is not our case though.

You're SOL on all counts.  Oh by the way, when you find that magical
firewall ui that "only allows adding correct rules", please let me know.
That's some insanely smart code that knows right from wrong.  Not even
pf itself will keep you from shooting yourself in the foot with
stupidity.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
> Hello,
> 
> is there any GUI (like pfsense) around which can be installed on a
> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> ?
> I've found comixwall, but it seems to be dead already.

None that are worth it, imho.  If you want to do it right (you wouldn't
use OpenBSD if you didn't) then learn pf and understand what you're
putting together.  It's not hard.  In fact, compared to the
other *nix firewalling alternatives, it's fucking easy.

I've considered long and hard (TWSS) to write my own web interface for
pf.  The prevailing design philosophies SUCK.  If you're going to
bother, do it right;  proper abstraction of filtering and routing
concepts is mandatory if you want to make something easy *and* secure.
Why hasn't anyone done it?  It's really, really difficult.  And most
developers that might take a crack at an OpenBSD pf web ui aren't
experienced in interface design.

I've written a few web applications related to OpenBSD (Hatchet,
NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
team can put out, they suck.  But they do an adequate job with the task
they're designed to handle.  Writing a log filtering interface isn't
hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
application isn't hard (unless you're WordPress... then it's just
bloated).

I'll say it again... writing a good pf web UI is HARD.  It's infinitely
more complicated and prone to security problems.  Reading the pf FAQ and
editing pf.conf yourself is easier by geometric proportions.



-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



OpenBSD 4.7 pre-orders are live!

2010-03-13 Thread Jason Dixon
https://https.openbsd.org/cgi-bin/order?CD47=1&CD47%2b=Add

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: VLANs and security (was:network performance problems)

2010-02-16 Thread Jason Dixon
On Tue, Feb 16, 2010 at 07:54:47PM -0600, Corey wrote:
>
> Throwing out a topic for discussion...I have seen a couple of posts on  
> here regarding use of VLANs to segregate traffic that I would usually  
> use separate interfaces for.  I am just curious what the thoughts of the  
> list are on this practice.  I haven't ever set up VLANs on anything  
> large or serious, and do not claim to know the security implications,  
> other than switch/interface misconfiguration possibly getting one into  
> trouble, and awareness of (but no experience with) tools like dsniff.

They're fine if you know how to use them properly.  I use them all the
time in "heavy" production (whatever the fuck that means).  ;-)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Options for graphing pf rule matches

2010-02-15 Thread Jason Dixon
On Mon, Feb 15, 2010 at 06:57:06PM -0800, Brian Keefer wrote:
> On Feb 15, 2010, at 3:29 PM, Jason Dixon wrote:
> 
> > On Mon, Feb 15, 2010 at 03:00:59PM -0800, Brian Keefer wrote:
> >> Hello,
> >> 
> >> I'm wondering what other folks are using to graph pf data beyond what is
> >> provided by pfstat.  The aggregate values are useful and I'd also like to
> >> setup graphs of particular services, particular tables, etc.  Is there a
> >> way for pfstat to graph labeled traffic that I have overlooked?
> > 
> > There are lots of different ways to graph network data on pf firewalls.
> > I don't know that any (besides pfstat) are specifically designed for pf,
> > but it's not hard to retrofit them.
> 
> Are there any tools that have built-in support to query pf label counters?  
> Is there a MIB for pf? I'm guessing the answer to both is no, so I'd have to 
> write a custom script to call pfctl -sl and parse it, then dump that into RRD 
> or some such.  Is there a better approach?

A quick Google search of "pf mib" leads you to this:
http://www.packetmischief.ca/openbsd/snmp/

But it hasn't been updated since 4.4.  I also don't see any support in
OpenBSD's snmpd(8) for pf(4) MIBs yet.  Alternatively, you can use your
own scripts and call them with Net-SNMP's extend directive.  That's what
I use for tracking states in production.
 
-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
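Brian's question (call pfctl -sl and parse it) and Jason's answer (feed a script to Net-SNMP's extend directive) fit in one script, so here is an added example that is not from the thread or from either project. It parses the State Table block of `pfctl -si` and the per-label counters of `pfctl -sl`, and prints one "key value" line per counter, which snmpd exposes as nsExtendOutLine entries when snmpd.conf carries a line such as `extend pfstats /usr/local/bin/pfstats.py` (the script name is assumed). The two sample outputs are constructed to match the pfctl layout so the parsers can be run offline.

```python
"""Report pf state-table and label counters for Net-SNMP's extend directive.

Added example; assumes pfctl(8) in PATH.  SAMPLE_SI and SAMPLE_SL are
constructed to match the layout of pfctl -si and pfctl -sl output.
"""
import re
import subprocess
import sys
from typing import Dict, List

SAMPLE_SI = """\
Status: Enabled for 3 days 04:12:51           Debug: Urgent

State Table                          Total             Rate
  current entries                     1234
  searches                         9876543            35.1/s
  inserts                           456789             1.6/s
  removals                          455555             1.6/s
Counters
  match                             460000             1.6/s
"""

SAMPLE_SL = """\
web 12345 67890 1234567 34000 120000 33890 1114567
ssh admin 22 44 6600 22 3300 22 3300 3
"""

STATE_RE = re.compile(r"^\s*(current entries|searches|inserts|removals)\s+(\d+)",
                      re.M)


def parse_state_table(text: str) -> Dict[str, int]:
    """Pull the State Table counters out of 'pfctl -si' output."""
    return {k.replace(" ", "_"): int(v) for k, v in STATE_RE.findall(text)}


def parse_labels(text: str) -> Dict[str, Dict[str, int]]:
    """Parse 'pfctl -sl': label, then evaluations, packets, bytes, packets
    in, bytes in, packets out, bytes out; newer releases append a state
    count.  Labels may contain spaces, so numbers are taken from the end."""
    fields = ("evals", "packets", "bytes", "packets_in", "bytes_in",
              "packets_out", "bytes_out", "states")
    out: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        parts = line.split()
        nums: List[str] = []
        while parts and parts[-1].isdigit():
            nums.insert(0, parts.pop())
        if len(nums) < 7 or not parts:
            continue                    # not a counter line
        out[" ".join(parts)] = dict(zip(fields, map(int, nums[:8])))
    return out


def extend_lines(si_text: str, sl_text: str) -> List[str]:
    """One 'key value' line per counter, as snmpd's extend expects on stdout."""
    lines = [f"{k} {v}" for k, v in parse_state_table(si_text).items()]
    for label, counters in parse_labels(sl_text).items():
        safe = re.sub(r"\W", "_", label)
        lines += [f"label_{safe}_{k} {v}" for k, v in counters.items()]
    return lines


def _pfctl(flag: str) -> str:
    return subprocess.run(["pfctl", flag], capture_output=True, text=True).stdout


if __name__ == "__main__":
    if "--sample" in sys.argv[1:]:
        si, sl = SAMPLE_SI, SAMPLE_SL
    else:
        si, sl = _pfctl("-si"), _pfctl("-sl")
    print("\n".join(extend_lines(si, sl)))
```

Run with `--sample` to see the output shape without pf. Because the label counters are monotonically increasing totals, the graphing side (RRD, Cacti, whatever polls the OID) should store them as COUNTER rather than GAUGE; only current_entries is a gauge.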



Re: Options for graphing pf rule matches

2010-02-15 Thread Jason Dixon
On Mon, Feb 15, 2010 at 03:00:59PM -0800, Brian Keefer wrote:
> Hello,
> 
> I'm wondering what other folks are using to graph pf data beyond what is
> provided by pfstat.  The aggregate values are useful and I'd also like to
> setup graphs of particular services, particular tables, etc.  Is there a way
> for pfstat to graph labeled traffic that I have overlooked?

There are lots of different ways to graph network data on pf firewalls.
I don't know that any (besides pfstat) are specifically designed for pf,
but it's not hard to retrofit them.
 
> I also looked briefly at NetFlow support, but as near as I can tell that's
> only for established flows, or am I wrong?

If by "established" you mean finished, then yes.  pfstat(4) exports
expired states into NetFlow datagrams.  NetFlow is very handy for
looking at specific traffic events (or representative traffic of a large
event) but is not useful for trending or regression analysis.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: routing and pf at 10Gbps

2010-02-11 Thread Jason Dixon
On Wed, Feb 10, 2010 at 07:57:44PM +, Mike Williams wrote:
> Really, nobody firewalls at multi-Gbps?

I know some folks at NASA that use OpenBSD firewalls that would make
your head spin.  And yes, that means "multi-Gbps".

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Measuring network data?

2010-01-24 Thread Jason Dixon
On Mon, Jan 25, 2010 at 01:46:18AM +1100, Sunnz wrote:
> Hi I am running OpenBSD as a gateway to the internet using pf to nat
> my LAN machines.
> 
> Just wondering if there is a way to measure how much data have moved
> through my obsd router for a given frame of time? E.g. 300 MB today
> between 2pm ~ 5pm?

There are any number of tools that do this, typically using SNMP or
NetFlow accounting protocols.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Announcing: JigglyPuffBSD

2010-01-19 Thread Jason Dixon
I'm proud to announce the rebirth of JigglyPuffBSD.  Catering to the
distinguished *BSD user, JigglyPuffBSD aims to meet the demanding
requirements of today's enterprise architectures.  With support for a
broad range of buzzwords, it excels in B.S. and P.O.S. applications.

As a fork of OpenBSD, we're proud of our heritage.  We've taken great
pains to craft our regex with performance and precision in mind.
Copyrights have been rewritten and attributions vanquished.  This is not
your grandfather's BSD.  We're American and damn proud of it.

http://jigglypuffbsd.blogspot.com/

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: ComixWall terminated

2009-12-12 Thread Jason Dixon
On Sat, Dec 12, 2009 at 03:12:34PM -0200, dark knight neo wrote:
> Yes ..
> You have all the reason .

Seriously, STFU.  Take it offlist with individuals if you still have
questions.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: ComixWall terminated [WAS: ComixWall 4.6 released, December 8, 2009]

2009-12-09 Thread Jason Dixon
On Wed, Dec 09, 2009 at 07:26:39PM +0100, Christopher Zimmermann wrote:
> 
> I'm quite new to OpenBSD, but I already read a few "NEW:" 
> and "UPDATED:" announcements on the -ports mailing list.

misc != ports
 
> The only problem is the advocacy list is quite dead. So the 
> decision to post the announcement of ComixWall to the misc 
> list does not seem too stupid to me.

ComixWall != OpenBSD

> > Do we see release announcements on our lists for Firefox?
> 
> comixwall is developed to make using OpenBSD easier. It's 

How does the announcement of new releases for ComixWall help OpenBSD?

How does abstraction of arguably the cleanest, easiest to learn UNIX,
help OpenBSD?

> According to the archives at MARC there were exactly two 
> release announcements of comixwall on this list. One in 2008 
> and one in 2009. This is not exactly the amount it takes to 
> pollute a mailing list.

That doesn't make it right.

> This stupid thread did already produce enough noise to make 
> up for 7 years of comixwall release announcements.

Pat yourself on the back.
 
> I know I just added some additional noise, still I would be 
> glad to see this issue settled in a non-destructive way.

It is settled.  You're whining.

> OpenBSD is a great OS and ComixWall enables many people to 
> use it. I don't see any reason why the two projects should 
> not be able to cooperate.

Because they are not "cooperative" projects.  OpenBSD doesn't need
ComixWall.  OpenBSD is Free, Functional and Secure(*).

(*) And easy.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: ComixWall terminated [WAS: ComixWall 4.6 released, December 8, 2009]

2009-12-09 Thread Jason Dixon
On Wed, Dec 09, 2009 at 06:31:05PM +0200, Soner Tari wrote:
> Due to unexpected reaction from the leader of the OpenBSD project
> (please read below), I am terminating the ComixWall project. I will keep
> the project server running until the end of this month. I might
> resurrect the project in the future with another host OS perhaps.
> 
> I am going to unsubscribe from this list after posting this last
> message. He apparently prefers reading messages from 'pricks' (to use
> his terms) rather than release announcements from people trying to help.

I'm not taking sides, but how exactly are you "trying to help"?  The few
times I've seen you post to misc@ have been to promote your own fork of
OpenBSD, or to ask for help in getting your own stuff running.  How
exactly does this help the _OpenBSD_project_?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenBSD blog software

2009-11-18 Thread Jason Dixon
On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:
>> [...]
>> P.S. And this will be the last you hear about it from me.  ;)
>
> I hope this doesn't come to mean the project falls dead. I've been  
> reading the source and seems surprisingly simple, but those damned  
> regulars... hehehe.

Not at all.  I intentionally wrote Blogsum so I could begin blogging.  I
avoided installing the bloat-heavy CMS/blogging alternatives out there
until I was satisfied it would meet my own criteria.

I intend to add new features at a very slow pace, and only if they truly
make it a better piece of software.  Focus is on maintainability and
security.  But it's here to stay.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Changing the NIC on installed system?

2009-11-18 Thread Jason Dixon
On Wed, Nov 18, 2009 at 06:01:26PM +0100, Roger Schreiter wrote:
> Hello,
> 
> I did not yet understand very well, how the NIC drivers are
> selected. Is it done while installing OpenBSD or is it
> done at boot?
> 
> In the latter case, I assume, I can replace a PCI network
> interface without changing any driver settings.
> 
> If the logical interface name will be different, I maybe
> will have to rename hostname.vge0 to hostname.XX0 or similar.
> 
> Or are there much more changes necessary, when replacing a
> MikroTik NIC by an Intel one? System in OpenBSD-4.5

It identifies them at boot.  Just rename your hostname.XX file
accordingly and update any service configurations (e.g. pf, dhcpd) that
may rely on the interface name.

HTH.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



OpenBSD blog software

2009-11-17 Thread Jason Dixon
A friend on misc@ brought it to my attention that I never formally
announced Blogsum.  Enjoy at your own peril.

Blogsum is a very basic blogging application. It was written from
scratch with a focus on simplicity and security. The author was
frustrated with the lack of small blog applications that were written
well and would reside in OpenBSD's httpd(8) chroot without too much
pain. Blogsum addresses these needs while providing the most popular
features that the typical blogger might require (tags, rss, basic
authoring tools). 

Currently it requires a VirtualHost configuration due to some absolute
paths and shit.  It's on my roadmap for 1.1 to make this more flexible
for it to run as a URI instead (e.g. ).

Users running -current can "pkg_add -i blogsum".  Otherwise you can
track svn.  Full instructions here:

   http://trac.obfuscurity.com/blogsum/wiki/InstallOpenBSD

My personal blog has been running Blogsum since day zero.  The CapBUG
site was nicely ported over to it by Mike Erdely.  There is a migration
script that imports WordPress xml.  It's not perfect but works pretty
well.

   http://obfuscurity.com/
   http://capbug.org/

P.S. And this will be the last you hear about it from me.  ;)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Please use this to convert people to OpenBSD

2009-11-17 Thread Jason Dixon
On Tue, Nov 17, 2009 at 05:46:00PM +0530, Girish Venkatachalam wrote:
> Dear friends,

Please stop spamming the list about your project.  I'm happy to see it
exists, but I think it's inappropriate (and annoying) to email misc@ on
a daily basis (4 days now).  A more appropriate venue would be the
OpenBSD Journal.  Why don't you submit a story?

P.S. Today's promotion of liveusb-openbsd is bordering on zealotry.
Zealotry is stupid and attracts users we don't want in the first place.

P.P.S. I think I need to go blog about this now.

http://blogsum.obfuscurity.com/


;)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: POOR support for layer 7 security in OBSD. Options or another OS?

2009-11-11 Thread Jason Dixon
On Wed, Nov 11, 2009 at 09:25:45PM -0600, David Taveras wrote:
> I love OpenBSD focused security in many areas, and in the ones not
> included in base there are always options in packages.
> 
> However specifically speaking about the options to complement as an
> application level firewall seems it is truly underestimated the way I
> see it:



> Do I have an alternative?

There are plenty of L7 tools in OpenBSD base and ports/packages to help
you reach your goals.  It's up to you to deploy and configure them
properly for your environment.  Just a few off the top of my head:

relayd(8)
authpf(8)
net/snort
www/mod_security

Indeed, mod_security is only currently available for apache-1.3.  But I
think the lack of modsecurity-2.x is only because nobody has stepped up
to complete the port, not because of any technical hurdles.

HTH.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: pf n00b

2009-11-01 Thread Jason Dixon
On Sun, Nov 01, 2009 at 01:16:10PM -0700, ghe wrote:
> On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote:
>
>> no need for that, we have automatic skip steps, and a ruleset
>> optimizer that re-orders where it makes sense.
>
> Well, I'll be damned. The pf optimizer actually works! If I order the  
> rules properly and put in enough info into them that pf can tell what I 
> mean, the compiled ruleset skips over huge hunks of rules.
>
> This does bring a question to my mind, though. Why is this ruleset  
> optimization kept a secret? It's a *very* major piece of pf, IMHO. I did 
> a significant amount of reading and looking around, and I never saw it 
> discussed in any detail at all until I asked the list about my iptables 
> wannabe pf ruleset...

Because it just works the way a firewall *should*?  The OpenBSD
developers aren't distracted by World Domination (TM) like some other
operating systems.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread Jason Dixon
On Thu, Oct 29, 2009 at 04:26:49PM +0200, Kasper Adel wrote:
> Hi,
> 
> I am trying to troubleshoot a problem that is totally random and the one
> idea that would help me is to have a bash script that will ping a few
> destinations every minute, then do a traceroute to these destinations,
> record the time and all that output in a file. Then the whole process would
> repeat every minute.
> 
> This way, I'll be able to look at the script at the end of each day and find
> out if these destinations were reachable when a problem was reported.
> 
> The problem/disconnect happens for a few minutes only.
> 
> Can any one help me get a script to do that?

If you can't whip this up yourself in a matter of 2 minutes they
have the wrong person debugging it.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: decreasing the size of the distribution

2009-10-25 Thread Jason Dixon
On Mon, Oct 26, 2009 at 12:10:20AM +0100, Abdullah Sendul wrote:
> Hi,
> 
> we have a couple of OpenBSD servers whose content is static.
> 
> I would like to identify all the files needed for this system to run,
> and then move it to a flash disk to minimise the size of the
> distribution
> 
> find -mtime -atime is giving me some ideas, but is this the right
> approach to remove the rest of the files not used on the system.
> 
> what do you suggest?

If you have to ask, you shouldn't be doing it.  Why would you possibly
need to get smaller than the baseXX, etcXX and manXX sets?  These easily
fit on a few hundred MB.  What modern flash disk won't fit this?

Seriously, stop overthinking it.  If your primary goal is to use flash
(not necessarily to remove files), look at something like flashrd.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Forum engine

2009-10-15 Thread Jason Dixon
On Thu, Oct 15, 2009 at 03:08:11PM +1000, Aaron Mason wrote:
> 
> Something that really bugs me about web software is how they limit
> themselves to MySQL.  I chose PunBB because it supported SQLite and
> had a solid module base, along with a builtin update manager.

I presume you're talking primarily about bulletin boards.  I know plenty
of web developers that use PostgreSQL and SQLite.  I think a better
statement would be:

"... how inexperienced web developers default to using MySQL because it
has a lower barrier to entry, without considering if it's the right tool
for the job or how to configure and secure it appropriately for
production use."
 
> And if they really piss you off, you could always write your own.

Oh please don't.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Using all mod_perl in chrooted Apache, what needs to be inside?

2009-10-07 Thread Jason Dixon
On Wed, Oct 07, 2009 at 04:51:28PM +0200, Alexander Hall wrote:
> Chris Bennett wrote:
> > After seeing Jason Dixon's suggestion to use mod_perl to solve chroot
> > problem, I am going to setup a test server on my laptop while traveling.
> > With no mod_cgi scripts at all, what, if anything would I need to move
> > inside chroot?
> 
> Any dynamically loaded stuff that failed to load prior to the chroot'ing
> and forking. Normally I try to preload stuff using statements like
> 
> BEGIN {
> my $nevermind = PackageName::doWhatIWantToDoLater();
> }
> 
> to be executed prior to chrooting and forking. However it can be hard to
> pinpoint and trigger all variants, e.g. if you are using an imaging
> library, make sure you "preload" the parsers for all input file formats
> you will use, etc. etc.
> 
> I do not know of a way to bypass the "wonderful" dynamic loading stuff.
> I would love to though.

ktrace.  Welcome to hell.  ;)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Using all mod_perl in chrooted Apache, what needs to be inside?

2009-10-07 Thread Jason Dixon
On Wed, Oct 07, 2009 at 10:28:19AM -0400, Jason Dixon wrote:
> On Wed, Oct 07, 2009 at 07:59:42AM -0500, Chris Bennett wrote:
> > After seeing Jason Dixon's suggestion to use mod_perl to solve chroot  
> > problem, I am going to setup a test server on my laptop while traveling.
> > With no mod_cgi scripts at all, what, if anything would I need to move  
> > inside chroot?
> 
> In most cases, nothing.  But I left my mind-reading beanie at home, so
> there's a reasonable chance you might try to do something I hadn't
> foreseen.  In that case, you might need to put something in the chroot.

Let me clarify my answer a bit.

There are times, which I experienced recently with Blogsum, that CPAN
modules you use() will import other modules within a certain scope (i.e.
within a function).  In those cases you might have to ktrace httpd to
figure out what it's trying to include so that you can add it to your
startup.pl.  LWP::UserAgent was a major PITA here.

I worked around this by not using the module that depended on LWP and
rewriting the functionality (Captcha) in my own code and using
p5-HTTP-Lite.  It was a little more work but it made the application
much cleaner and easier to port.  This is just meant as an example,
YMMV.  None of this affected what I had to copy into the chroot
(nothing).

Obviously, any non-module files that you open() will need to be in the
chroot.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Using all mod_perl in chrooted Apache, what needs to be inside?

2009-10-07 Thread Jason Dixon
On Wed, Oct 07, 2009 at 07:59:42AM -0500, Chris Bennett wrote:
> After seeing Jason Dixon's suggestion to use mod_perl to solve chroot  
> problem, I am going to setup a test server on my laptop while traveling.
> With no mod_cgi scripts at all, what, if anything would I need to move  
> inside chroot?

In most cases, nothing.  But I left my mind-reading beanie at home, so
there's a reasonable chance you might try to do something I hadn't
foreseen.  In that case, you might need to put something in the chroot.

Definitive enough for you?  ;)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Logging when interfaces go down

2009-09-18 Thread Jason Dixon

On Sep 18, 2009, at 9:37 AM, Ian Chard wrote:

> Hi,
>
> Is it possible to log, or in some other way capture the event, when
> network interfaces go down?

ifstated(8)

-J.



Re: Anyone heard from Jason Dixon lately?

2009-09-16 Thread Jason Dixon
ACK

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OT: Laptop advice. SSD costs.

2009-09-14 Thread Jason Dixon
On Mon, Sep 14, 2009 at 12:40:36PM -0400, STeve Andre' wrote:
> 
> Certainly there are SSDs that work just fine, but from the experiences of
> friends, I'd say they're at least 3 times more flaky than disks are.  Intel
> had a recall on some earlier this summer, too.
> 
> Disks are cheap, really cheap right now...

Disks for the X40/X41 are not at all cheap.  These are a very rare
breed, hence the discussion and frustration of many X40/X41 owners.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Recommended Switches for Trunking?

2009-09-02 Thread Jason Dixon
On Wed, Sep 02, 2009 at 01:26:27PM +0200, Toni Mueller wrote:
> Hi,
> 
> I'm looking into getting switches to be used in port-extender style,
> and found a thread from last year recommending Cisco switches. I need
> about 20-50 ports atm, and would like to avoid Cisco. My current
> preference is using Procurve (2810 or 29xx). Do they work?
> 
> What do you recommend? Any gotchas?

We use Foundry LS 648 switches throughout our infrastructure.  They've
worked great with OpenBSD features.

P.S.  Foundry was bought out by Brocade last year, so the model line is
now sold as Brocade FastIron.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: openbsd and ethernet tap (port replication)

2009-08-25 Thread Jason Dixon
On Tue, Aug 25, 2009 at 03:37:55PM +0100, FRLinux wrote:
> Hello,
> 
> I am trying to replicate some traffic from a Cisco 6500 onto an
> OpenBSD 4.5 vanilla machine. I have two NICs, rl0 which is the
> administration interface and em0 which I hope to use for the ethernet
> tap. So far, my cisco replicates traffic happily, I can see the packet
> count in/egress increasing but nothing seems to reach em0.
> 
> I have no PF running, the box is inside the network with a cable
> connected straight from em0 to a cisco port on the 6500. The cisco
> router reports the link live (so does OpenBSD) but no traffic seems to
> be flowing.
> 
> I realize that has to be something stupid but if anyone could send me
> a pointer, that would be most welcome.
> 
> em0: flags=8802 mtu 1500
> lladdr xx:xx:xx:xx:xx
> priority: 0
> media: Ethernet autoselect (1000baseT full-duplex,rxpause)
> status: active

$ sudo ifconfig em0 up

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Bind ntpd on certain interface?

2009-08-14 Thread Jason Dixon
On Fri, Aug 14, 2009 at 12:55:03PM +0200, Nice Daemon wrote:
> 
> The point was that Henning started insulting.

If you were truly upset you would have just gone away.  Instead, you
chose to stay here and troll.  You try to sound like a martyr but just
come off as an infant.  Go cry somewhere else, baby.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: boot disk ???

2009-08-05 Thread Jason Dixon
On Wed, Aug 05, 2009 at 07:25:25PM -0500, neal hogan wrote:
> > > Temper, temper.
> > >   
> > If anyone had taken seriously all the problems and hormanure I have had
> > to put up with for the last two they would have either gone out and done
> > something stupid to someone else or to themselves... I have to vent my
> > frustrations somewhere and whatever got in the way was a target... lucky
> > I'm a peaceful guy but I sure don't like some of the shit I've been
> > putting up with, especially recently.  I just can't believe this
> > absurdly stupid lg dvd drive not booting... it writes the dvds all right,
> > but why the hell doesn't it read or boot from them? I'll know tomorrow
> > when I return the damned thing.
> > >   -Marcus Watts
> 
> Is that an apology for your obnoxious behavior (in your very first misc@
> thread, I might add)? 
> 
> We all have had trouble at one time or another and if you would have
> opened up about what you've done and with what, you may have gotten more
> help. You still have yet to provide answers to many of the basic,
> help-inducing questions that have been asked. I hope you provide more 
> info tomorrow (after you've rested and calmed down), so that we can get 
> our situation under control.

Just today I was explaining to a friend why recommending an OS is almost
always a bad idea.  Especially OpenBSD.  If it's the right system for
them, they'll usually find it on their own.  Nobody here wants (or
deserves) this sort of unprovoked nonsense.

The OpenBSD community is a very fun and helpful bunch.  But we're not
good at suffering fools or assholes.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Is there an imap vulnerability under attack?

2009-08-03 Thread Jason Dixon
On Mon, Aug 03, 2009 at 10:24:41AM -0500, Eric wrote:
> I'm suddenly seeing numbers of various computers trying to
> log on imap on my mail server.
> 
> I've never noticed this before.  Is there a new
> vulnerability out there someone is trying to exploit?

Why don't you check with your IMAP software project/vendor?  Last time I
looked there was no imapd in base.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-28 Thread Jason Dixon
On Tue, Jul 28, 2009 at 06:10:26PM -0500, Andres Salazar wrote:
> Hello Jason,
> 
> Thank you for assisting me getting this together..
> 
> I do understand that translation happens before filtering (at least
> think i do), what I dont understand is why the filtering is done with
> "pass in" if traffic is actually going from within the int_if2 network
> to the outside? Where is the traffic actually going "in"?

PF filtering is done from the "perspective" of the firewall.  If you
imagine yourself as an inanimate object with a couple interfaces
allowing traffic inbound and outbound, you're there.  ;)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-26 Thread Jason Dixon
On Sun, Jul 26, 2009 at 01:16:02PM -0500, Andres Salazar wrote:
> Hello Jason,
> 
> I understood the purpose of allowing internet access for the firewall
> itself. However this is exactly where I am still stuck.
> 
> By doing this after our default block all:
> 
> pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
> port { 53 80 22 443 }
> 
> I am actually allowing it for both $int_if and $int_if2, thus the following
> port restriction rules are not getting evaluated.

In an effort to simplify your ruleset I was guilty of forgetting that
translation happens before filtering.  Here is a new version that
filters on the internal interfaces.  Let me know if you have any
questions.


ext_if = "re1"
int_if = "re0"
int_if2 = "re2"

set skip on lo

scrub in

nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
   -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
   -> ($ext_if)

block all
pass out on $ext_if

pass in on $int_if inet proto tcp from $int_if:network to any \
   port { 53 80 }
pass in on $int_if inet proto udp from $int_if:network to any \
   port 53
pass in on $int_if2 inet proto tcp from $int_if2:network to any \
   port { 22 53 80 443 }
pass in on $int_if2 inet proto udp from $int_if2:network to any \
   port 53


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-26 Thread Jason Dixon
On Sun, Jul 26, 2009 at 12:14:53PM -0500, Andres Salazar wrote:
> Thank you for the help, I believe that I already tried something similar and
> could not access the internet behind $int_if, or $int_if2. Traffic is
> getting blocked by "block all" as per the following pflog1:
> 
> Jul 26 05:11:51.250502 rule 0/(match) block out on re1: 192.168.1.2.55533 >
> 190.40.3.10.53: 22454+[|domain] (DF)
> Jul 26 05:11:51.407931 rule 0/(match) block out on re1: 192.168.1.2.63872 >
> 190.40.3.13.53: 37289+[|domain] (DF)
> Jul 26 05:11:51.408132 rule 0/(match) block out on re1: 192.168.1.2.51104 >
> 190.40.3.13.53: 14850+[|domain] (DF)
> 
> 192.168.1.2 is the IP of the firewall itself in relationship to $ext_if.

To reiterate:

> > There
> > are also no "pass out" rules for traffic originating from the firewall
> > itself, you'll probably want to add something for this.

Add a pass rule for outbound traffic from the firewall itself.  Adjust
for any additional services that it should be able to reach.

pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port 53

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
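As an added example that is not part of the thread, a small sh/awk summariser for pflog output in the format quoted above (the "rule 0/(match) block out on re1: ..." lines from "tcpdump -n -e -r /var/log/pflog"); the sample lines are constructed, and apart from the firewall's 192.168.1.2 every address comes from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise pflog output as printed
# by "tcpdump -n -e -r /var/log/pflog" (the format quoted in the post above)
# so the rule, direction, interface and destination port behind every verdict
# stand out. The firewall's own DNS queries being dropped by the default
# "block all" (rule 0) on re1, as in the thread, becomes the top line.

# summarize_pflog: read pflog text on stdin and print
# "<count> <verdict> <dir> <if> dport=<port> rule=<n>", most frequent first.
summarize_pflog() {
    awk '
    {
        # find the "rule" keyword so the timestamp format ahead of it
        # (tcpdump -t, -ttt, -tttt or syslog-style) does not matter
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i + 8 > NF) next                  # not a pflog verdict line
        rule = $(i+1); sub(/\/.*/, "", rule)  # "0/(match)" -> "0"
        verdict = $(i+2)                      # block, pass or match
        dir = $(i+3)                          # in or out
        ifc = $(i+5); sub(/:$/, "", ifc)      # "re1:" -> "re1"
        dst = $(i+8); sub(/:$/, "", dst)      # "198.51.100.10.53:" -> "...53"
        n = split(dst, part, "[.]")
        dport = part[n]                       # last dotted field is the port
        key = verdict " " dir " " ifc " dport=" dport " rule=" rule
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample in the post's format: three DNS queries from the
# firewall itself (192.168.1.2, as in the post) blocked on re1, two LAN web
# connections passed in on re0, one inbound ssh attempt blocked on re1.
# Other addresses are RFC 5737 documentation ranges.
SAMPLE_PFLOG='Jul 26 05:11:51.250502 rule 0/(match) block out on re1: 192.168.1.2.55533 > 198.51.100.10.53: 22454+[|domain] (DF)
Jul 26 05:11:51.407931 rule 0/(match) block out on re1: 192.168.1.2.63872 > 198.51.100.13.53: 37289+[|domain] (DF)
Jul 26 05:11:51.408132 rule 0/(match) block out on re1: 192.168.1.2.51104 > 198.51.100.13.53: 14850+[|domain] (DF)
Jul 26 05:12:02.100001 rule 3/(match) pass in on re0: 10.0.0.20.40012 > 203.0.113.7.80: S 1:1(0) win 16384 (DF)
Jul 26 05:12:02.200001 rule 3/(match) pass in on re0: 10.0.0.21.40013 > 203.0.113.7.80: S 1:1(0) win 16384 (DF)
Jul 26 05:12:09.500001 rule 0/(match) block in on re1: 203.0.113.99.51000 > 192.168.1.2.22: S 1:1(0) win 65535'

# Runs on the constructed sample; on a firewall use
#   tcpdump -n -e -r /var/log/pflog | summarize_pflog
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```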



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-25 Thread Jason Dixon
On Sun, Jul 26, 2009 at 12:58:08AM -0500, Andres Salazar wrote:
> I apologize that my ruleset isn't very clear. I am trying to put together a
> ruleset that will allow the following access:
> 
> Outbound port 80 (web) & 53 (domain) from users at $int_if via $ext_if
> Outbound port 80 (web) & 53 (domain) & 443 (ssl) & 22 (ssh) from $int_if2
> via $ext_if

Here's a basic ruleset that meets your requirements.  Hasn't been tested
for syntax.  Note that I make no effort to filter traffic between the
two internal segments.  This would require a different approach (no set
skip on internal if's, pass in on the internal if's explicitly).  There
are also no "pass out" rules for traffic originating from the firewall
itself, you'll probably want to add something for this.


ext_if = "re1"  

int_if = "re0"  

int_if2 = "re2" 


set skip on { lo $int_if $int_if2 }

scrub in

nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
-> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
-> ($ext_if)

block all
pass out on $ext_if inet proto tcp from $int_if:network to any \
port { 53 80 }
pass out on $ext_if inet proto udp from $int_if:network to any \
port 53
pass out on $ext_if inet proto tcp from $int_if2:network to any \
port { 22 53 80 443 }
pass out on $ext_if inet proto udp from $int_if2:network to any \
port 53


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?

2009-07-25 Thread Jason Dixon
On Sat, Jul 25, 2009 at 09:41:45PM -0500, Andres Salazar wrote:
> Hello OpenBSD-misc,
> 
> I have a newbie question in pf that I've been trying to debug: what would
> be wrong with my ruleset? I am trying to have the users that are on $int_if
> only have ports 80 & 52 opened out, and users on $int_if be able to have
> fewer restrictions and more ports out. So far I have something like this but
> it isn't working:

Allow me to be the first to say "RTFAQ".
 
> ext_if = "re1"
> int_if = "re0"
> int_if2 = "re2"
> 
> 
> set skip on lo
> 
> scrub in
> 
> nat on re1 from re0:network to any -> re1
> nat on re1 from re2:network to any -> re1
> 
> block all
> pass quick on $ext_if // I have added this so that the firewall itself has
> full internet access
> #pass in quick on $int_if
 
Here you're blocking all by default (inbound and outbound on all
interfaces), but then you immediately "pass quick" (outbound *and*
inbound) on your external interface.  Very wrong.
 
> pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any
> \
>  port 53 keep state
> 
> pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
>  port 80 keep state

Here you're passing outbound on your external interface for DNS and http
traffic.  But a) you've already allowed everything on $ext_if so this is
unnecessary, and b) you've never allowed any traffic from your internal
interfaces.

Honestly, I don't know *what* you're trying to accomplish because your
description doesn't match anything in your ruleset.  Perhaps you can
describe again what you're trying to do and what the differences are
supposed to be between $int_if and $int_if2.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: pfctl no longer showing table details in 4.5

2009-06-21 Thread Jason Dixon
On Thu, Jun 18, 2009 at 04:16:02PM +0700, Egbert Krook wrote:
> Hi,
> 
> I've just finished upgrading one of our systems from OpenBSD 4.2 to 4.5.
> 
> I've run into a small problem with pfctl as it's no longer showing the
> details for each individual IP address in our tables, just the date the
> table was last cleared.

You need the "counters" option for each table.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: how to debug 'starting network' hangs

2009-06-17 Thread Jason Dixon
On Wed, Jun 17, 2009 at 11:25:51AM -0700, David Newman wrote:
> On 6/16/09 10:07 PM, Jason Dixon wrote:
> 
> > I would suggest booting into single-user and using netstart for each of
> > the physical and carp interfaces until you find out where your
> > misconfiguration is.  Set it all up manually, document it, then use
> > hostname.* to properly bring up your interfaces and routes.  Get rid of
> > that junk in rc.local.
> 
> Sweet! With proper hostname.* files there are no more hangs. Thanks for
> the pointer on what to fix.

Cool beans.
 
> One other question, not covered in the FAQ: Is rc.local the proper place
> for adding a static route and dhcrelay commands? If not, where do these
> belong?

Add your static routes in your hostname.if files.  Use the "!command-line"
syntax as described in hostname.if(5).

The dhcrelay stuff is probably fine in rc.local.  Typically you enable
it in rc.conf.local, but I think that only works for a single
invocation.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: how to debug 'starting network' hangs

2009-06-16 Thread Jason Dixon
On Tue, Jun 16, 2009 at 09:42:06PM -0700, David Newman wrote:
> On 6/16/09 4:36 PM, Jason Dixon wrote:
> > 
> > Why are you starting your network interfaces and adding routes in
> > rc.local?  
> 
> I maintain these systems, but did not do the initial setup or
> configuration.
> 
> > Have you read the FAQ to learn how OpenBSD networking is
> > configured?
> 
> Yes, and read the ifconfig and rc and pf.conf manpages and searched the
> misc mailing list on marc.info. I saw info on pf and carp and pfsync and
>  VLANs, but not on how they work together.
> 
> dn
> 
> hostname.bge0 -- unprotected physical interface
> inet 666.1.2.188 255.255.255.192 NONE
> 
> hostname.bge1 -- protected physical interface
> inet 10.0.127.1 255.255.255.0 NONE
> 
> hostname.carp1 -- unprotected logical interface
> inet 666.1.2.130 255.255.255.192 666.1.2.191 vhid 202 carpdev bge0
> advskew 1 pass sekret123
> 
> hostname.em0 -- pfsync physical interface
> inet 192.18.0.1 255.255.255.0 NONE media autoselect
> 
> hostname pfsync0 -- pfsync logical interface
> up syncdev em0

Honestly, I don't trust much of what you've pasted.  You're using
invalid IPv4 addresses and have hostname.carp1 on 2 lines (is that
wrapped?).  You also don't list a carp interface for bge1.

I would suggest booting into single-user and using netstart for each of
the physical and carp interfaces until you find out where your
misconfiguration is.  Set it all up manually, document it, then use
hostname.* to properly bring up your interfaces and routes.  Get rid of
that junk in rc.local.

Example:
# sh /etc/netstart bge0
# sh /etc/netstart bge1
# sh /etc/netstart carp1
# sh /etc/netstart em0
# sh /etc/netstart pfsync0

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: how to debug 'starting network' hangs

2009-06-16 Thread Jason Dixon
On Tue, Jun 16, 2009 at 03:47:47PM -0700, David Newman wrote:
> Running 4.5/i386 on a pair of firewalls using pf and carp and pfsync
> (and also multiple VLANs).
> 
> After a reboot, either system will hang at 'starting network' until
> pressing Ctrl-C at the console. (By 'hang' I means no action for at
> least 60 minutes; I have not waited longer than that.)
> 
> Initially I thought this was because of a hostname resolution problem,
> but pf.conf and resolv.conf contain only IP addresses, not hostnames.
> 
> Also, 'pfctl -f /etc/pf.conf' runs OK from the console. Same deal with
> 'sh /etc/netstart' and the OpenVPN stuff in rc.local, pasted below.
> 
> Presumably something is broken after /etc/rc says 'starting network',
> but what? I've read on this list one should never edit /etc/rc.

You've given us no information about your hostname.* files.  How could
we possibly help diagnose problems starting your network?
 
> ps. FWIW I've pasted the contents of /etc/rc.local below. Addresses and
> passwords have been obfuscated.

Why are you starting your network interfaces and adding routes in
rc.local?  Have you read the FAQ to learn how OpenBSD networking is
configured?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Translating dst_port (but not dst_addr) with PF?

2009-06-15 Thread Jason Dixon
On Mon, Jun 15, 2009 at 04:52:17PM -0700, Matthew Dempsky wrote:
> On Mon, Jun 15, 2009 at 2:52 PM, Jason Dixon wrote:
> > One of our internal customers asked me to setup a bypass rule for some
> > outbound SMTP tests so that they could send to a specific high port
> > (e.g. 60025) and have it redirect to port 25 on the same target.
> 
> You can abuse the bitmask pool flag for this:
> 
> rdr on $intif proto tcp to any port 60025 -> 0.0.0.0/0 port 25 bitmask

Brilliant, thanks!

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Translating dst_port (but not dst_addr) with PF?

2009-06-15 Thread Jason Dixon
One of our internal customers asked me to setup a bypass rule for some
outbound SMTP tests so that they could send to a specific high port
(e.g. 60025) and have it redirect to port 25 on the same target.  I feel
like I'm overlooking something obvious, but I don't see any way to do
this with nat or rdr.  This feels like some sort of hybrid nat/rdr
function.  Example connection:

10.0.0.20:1025 -> 1.2.3.4:60025
   becomes...
10.0.0.20:1025 -> :2048 -> 1.2.3.4:25

This customer does a lot of messaging tests, so it's important for them
to be able to send from any of their test systems to a variety of
external vendor systems to test compliance.  Using a designated "bypass
port" will make it easy on them to test with any of their systems.  If 
there's no way to do this with PF we'll just have to set aside a pool 
of addresses to bypass the existing SMTP filters instead.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Change source IP to enable pass through VPN

2009-06-14 Thread Jason Dixon
On Sun, Jun 14, 2009 at 08:03:54PM -0700, Lord Sporkton wrote:
> I would like to change the source IP that applications use when making
> connections for my backup.
> I have 2 firewalls, one at home, one in colo, each with a LAN segment
> behind it, the LANs are connected via IPSec.conf vpns between the
> firewalls.
> 
> The home public IP is dynamic so I was not able to make my SA specific
> between the public ips only from lan to lan. I am trying to do backups
> of the colo firewall to a thumb drive in the home firewall via the LAN
> ip of the home firewall however when the colo tries to connect(via nfs
> in this case) to the home it sources from its public IP which is not
> in the SA. I have the same problem going the other way as well. Is
> there a way to force my backup script to source from or appear to
> source from the LAN ip instead of the WAN ip?

There are numerous ways around this, most of which probably involve
more common sense.  Unfortunately, you haven't told us what sort of
backup software you're using so it's hard to make good recommendations
for your existing setup.  If your backup software will allow you to bind
to the internal address of your home firewall, that's the way to go.
Otherwise you might be able to get it working with some sort of port
redirection (bouncing off the internal interface).  But again, without
more details it's impossible for me to give you concrete examples.

Personally, I just "pull" my server backups using dump-over-ssh.  This
works great for me.  I've rebuilt my entire server within the past year
using these backups so I guarantee this process works as advertised.
Here is the script I use:

#!/bin/sh

# DayOfWeek: used as the dump level, so Sunday (0) is a full dump and
# Monday through Saturday (1-6) are incrementals against it
DOW=`date +%w`
DATE=`date +%Y%m%d`

# For each filesystem, run dump on the server at level $DOW: -u records the
# run in /etc/dumpdates, -f - streams the dump to stdout, -a ignores tape
# length.  The stream is bzip2'd on the server and written locally to a file
# named by filesystem, level and date.
ssh r...@server "dump ${DOW}ufa - / | /usr/local/bin/bzip2" | \
dd of=/backups/dumps/server-root-${DOW}-${DATE}.bz2
ssh r...@server "dump ${DOW}ufa - /data | /usr/local/bin/bzip2" | \
dd of=/backups/dumps/server-data-${DOW}-${DATE}.bz2
ssh r...@server "dump ${DOW}ufa - /home | /usr/local/bin/bzip2" | \
dd of=/backups/dumps/server-home-${DOW}-${DATE}.bz2
ssh r...@server "dump ${DOW}ufa - /var | /usr/local/bin/bzip2" | \
dd of=/backups/dumps/server-var-${DOW}-${DATE}.bz2


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: carp active/active works only as failover

2009-06-11 Thread Jason Dixon
On Thu, Jun 11, 2009 at 07:21:25PM +0200, Federico wrote:
> Jason Dixon wrote:
> 
> >> I'm not able to obtain both carp interfaces work in a load balanced way.
> > 
> > http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6084
> 
> Dang, thank you Jason, I've googled for similar posts, but I didn't find
>  anything.
> 
> So, I've read about the new implementation of pfsync on undeadly.org and
> I was excited. I hoped to make this configuration work. I'm now sad!
> 
> I read that there is not a workaround. Is there a patch coming out?
> 
> I hope developers will embrace my cause! :P (unfortunately I can't help
> with code).

I wish I had some useful information for you.  I don't.  Nobody has
responded to the PR or direct emails.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: carp active/active works only as failover

2009-06-11 Thread Jason Dixon
On Thu, Jun 11, 2009 at 05:49:31PM +0200, Federico wrote:
> Hi all,
> 
> I've just upgraded two OpenBSD boxes from 4.4 to 4.5.
> 
> I'm using the AMD64 version of GENERIC kernel, all patches applied.
> 
> I'm trying to convert my old gateway configuration from active/passive
> to active/active, thanks to the brand new pfsync protocol
> implementation. I'd like to use stealth-ip mode, because I have to use a
> poor 24-port switch.
> 
> So, when I start to send packets through the cluster, if I start tcpdump
> on both machines I can see carp interfaces work correctly, but traffic
> is forwarded only through one host, ALWAYS, even if I try to generate
> traffic from different hosts across the Internet.
> 
> If I reboot the active machine, the traffic starts to flow through the
> other machine (so failover works).
> 
> I'm not able to obtain both carp interfaces work in a load balanced way.

http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6084


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Fan mail!

2009-06-08 Thread Jason Dixon
On Mon, Jun 08, 2009 at 07:59:45AM -0700, Johan Beisser wrote:
> On Mon, Jun 8, 2009 at 6:43 AM, Anton Parol wrote:
> > I still can't believe that I saw mpf@ on my train this morning. I thought I
> > remembered his face from hackathon pics, but then he pulls out his thinkpad
> > and I see the blue console messages come up. I was like, woah, very cool.
> > That's a good start to the week!
> 
> Stalker mail! :)

I saw Todd Miller (millert@) in the bathroom this morning!
 





P.S.  We work in the same office.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Detailed usage graphs w/PF

2009-06-01 Thread Jason Dixon
On Mon, Jun 01, 2009 at 03:58:08PM -0400, Steven Surdock wrote:
> Greetings,
> 
> I'm looking at using a pair of OBSD systems to perform a couple of
> functions,
>   +  ISP load balancing & failover (using NAT)
>   +  Site to Site IPSec termination (via ipsec)
>   +  Egress Bandwidth Management (via PF)
>   +  Web/HTML Detailed usage reporting (via ??)
> 
> I've done the first three, and the last with flow-tools, but has anyone
> used anything a little "friendlier" than flow-tools/flowscan to get
> detailed (per IP, per protocol, per port) usage reporting?  I also see
> that pfflowd is marked as broken due to pfsync changes.  I suspect this
> means I'll need to use 4.4 if I want to use pfflowd...  Thanks!

You don't need pfflowd any longer.

man 4 pflow

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: amd64/grub package?

2009-05-30 Thread Jason Dixon
On Sat, May 30, 2009 at 11:05:26AM -0400, Donald Allen wrote:
> On Sat, May 30, 2009 at 9:58 AM, Jason Dixon  wrote:
> > On Sat, May 30, 2009 at 09:10:58AM -0400, Donald Allen wrote:
> >>
> >> So, I'd like to ask why grub is apparently unsupported on the amd64
> >> architecture? And I would suggest that grub provides a simple solution
> >> to dual-booting OpenBSD on a system that had been previously
> >> dual-booted with Windows and something else and where the Windows
> >> version of the mbr is no longer present. I'd be happy to provide the
> >> documentation for the procedure to add to the install guide, if the
> >> developers are interested.
> >
> > Save yourself some headaches.  Use GAG.
> >
> > http://gag.sourceforge.net/
> 
> I looked over the documentation. Yes, for dual-booting OpenBSD with
> Windows, this looks fine, very nice. And I'll concede that it's a bit
> easier to configure than grub (it guides you through the
> configuration, rather than your having to make up a menu.lst), but
> when there's a grub package available, as there is with i386 OpenBSD,
> the difference isn't great, especially for someone like me with years
> of experience with grub, or if good documentation is available
> explaining how to do it.
> 
> Though it isn't important in the Windows/OpenBSD case, it appears that
> GAG is less general than grub, in the sense that it is assuming
> there's a loader in the partition boot record of every partition you
> want to boot and appears to always use the grub chainloader technique.
> This is not a problem for OpenBSD, which installs its bootloader in
> its partition boot record when you tell it during installation that
> you aren't going to use the whole disk. But it is a problem if you
> want to, say, triple-boot Windows, OpenBSD, and Linux. Linux will
> require installing grub in its partition boot record, as the GAG
> author notes in his document. In that situation, it would make more
> sense, I think, to skip GAG and let the Linux installer install grub
> in the mbr for booting all three. In that setup, Linux would be booted
> by grub directly, not via a secondary loader.

I've used GAG to multi-boot OpenBSD, Linux, Solaris and Windows.  Yes, I
use it as a first stage bootloader.  So what?  It works great and you
don't see me whining about grub support in OpenBSD.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Wireless help, please

2009-05-30 Thread Jason Dixon
On Sat, May 30, 2009 at 06:48:59AM -0700, Ben Goren wrote:
> I'm trying to set up my first wireless network, with less than stellar  
> success.

You need to narrow your spectrum of diagnosis.  Start ruling out those
things which are known to work.  Rule out those things which are known
to work and you'll be left with the thing(s) that don't.

Examples:

- OpenBSD wireless connectivity (as a client)
- OpenBSD wired connectivity
- Mac wired connectivity
- Mac wireless connectivity (to a different WAP)
- etc...

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: amd64/grub package?

2009-05-30 Thread Jason Dixon
On Sat, May 30, 2009 at 09:10:58AM -0400, Donald Allen wrote:
> 
> So, I'd like to ask why grub is apparently unsupported on the amd64
> architecture? And I would suggest that grub provides a simple solution
> to dual-booting OpenBSD on a system that had been previously
> dual-booted with Windows and something else and where the Windows
> version of the mbr is no longer present. I'd be happy to provide the
> documentation for the procedure to add to the install guide, if the
> developers are interested.

Save yourself some headaches.  Use GAG.

http://gag.sourceforge.net/

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-21 Thread Jason Dixon
On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote:
> 
> Well I should have mentioned that the ESXi is also running a Windows server 
> VM for a custom app that requires it.  So the idea was to have one box 
> running ESXi and reduce hardware costs.


BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA


*whew*

Thanks, I needed that.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Failing over all CARP interfaces

2009-05-21 Thread Jason Dixon
On Thu, May 21, 2009 at 10:47:57AM -0400, (private) HKS wrote:
> Host1 has three carp interfaces in Master state. I'd like to fail them
> all over to Backup at once without taking down any of the physical
> interfaces (that's how I'm connected to it).
> 
> I have not found a way to do this. Enabling net.inet.carp.preempt only
> fails the whole pile over on a downed physical interface. If I jack up
> advskew for carp1 it goes into Backup mode but carp2 and carp3 are
> still Masters.
> 
> Is ifstated the accepted way to do this, or is there another avenue
> I'm overlooking?

Search for "carpdemote" in ifconfig(8).

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
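A worked example of the carpdemote approach, added here and not part of the thread or of OpenBSD's own tooling. It demotes every carp(4) interface on the host in one step by acting on the "carp" interface group, and parses ifconfig(8) output to verify that all of them went to BACKUP. It assumes the carp interfaces sit in the default "carp" group, that the peer runs with net.inet.carp.preempt=1 (the demote count is added to advskew in the group's advertisements, and only a preempting peer acts on that), and that the script name, the 50 demote value and the 3-second settle time are this example's choices. The sample ifconfig output is constructed, not captured from a host.

```sh
#!/bin/sh
# Added example (not from the thread): fail every carp(4) interface over at
# once by demoting the "carp" interface group, then confirm they all went
# BACKUP.  Assumes OpenBSD, the default "carp" group, and a peer with
# net.inet.carp.preempt=1 so it takes over when it sees the worse advskew.

# The demote count is cumulative: ifconfig adds it to advskew in every
# advertisement the group sends.  "-carpdemote N" takes it back down.
carp_demote_group() {
    ifconfig -g carp carpdemote "$1"
}
carp_restore_group() {
    ifconfig -g carp -carpdemote "$1"
}

# Current demote count for the group ("carp: carp demote count N").
carp_demote_count() {
    ifconfig -g carp | awk '/demote count/ { print $NF }'
}

# Turn ifconfig(8) output (stdin) into "ifname STATE" lines, one per
# carp interface, e.g. "carp1 MASTER".
carp_states() {
    awk '
        /^[a-z]+[0-9]+: flags=/ { sub(":", "", $1); ifname = $1 }
        ifname ~ /^carp/ && $1 == "carp:" { print ifname, $2 }
    '
}

# Succeed only if no carp interface in the given ifconfig output is MASTER.
carp_all_backup() {
    ! carp_states | grep -q ' MASTER$'
}

# Constructed sample of "ifconfig carp" output (not captured from a host),
# used for the self-test below.
SAMPLE_MASTER='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'
SAMPLE_BACKUP=$(printf '%s\n' "$SAMPLE_MASTER" | sed 's/carp: MASTER/carp: BACKUP/')

# Nothing below runs unless a verb is given, so the functions can be sourced.
case "${1:-}" in
demote)   # carpfail.sh demote [count]  -> every carp interface goes BACKUP
    carp_demote_group "${2:-50}"
    sleep 3   # roughly three advbase intervals for the peer to take over
    if ifconfig carp | carp_all_backup; then
        echo "all carp interfaces are BACKUP"
    else
        echo "some carp interface is still MASTER; is preempt on at the peer?" >&2
        exit 1
    fi ;;
restore)  # carpfail.sh restore [count] -> undo the demotion
    carp_restore_group "${2:-50}" ;;
status)
    echo "demote count: $(carp_demote_count)"
    ifconfig carp | carp_states ;;
esac
```

Run it as `sh carpfail.sh demote 50` before maintenance and `sh carpfail.sh restore 50` afterwards; `status` shows the group's demote count and each interface's state. Check the count before restoring: the kernel and ifstated can also raise it (pfsync bulk transfer, a failed link), and taking off more than you added leaves the host advertising better than it should.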



Re: OpenBSD ESXi VMware image on Soekris Net5501

2009-05-21 Thread Jason Dixon
On Thu, May 21, 2009 at 06:47:08AM -0700, Obiozor Okeke wrote:
> Hi Diana (and Stuart) thanks for all your advice.
> 
> The problem or nut we're
> trying to crack is that we're trying to deploy OpenBSD to remote clients and
> we wanted an inexpensive but very high reliability system with the flexibility
> to change configurations (switch in/out different VMs) and add/modify services
> remotely on-the-fly.  For example we could upgrade a client from 4.4 to 4.5
> along with all the custom apps and client data packaged in a VM.  We would
> grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it
> the way we wanted to and drop it back on the ESXi.  Then just change the
> network configs and switch the old for the new all remotely without ever
> visiting the client.

No offense, but that's a terrible design.  Get yourself two inexpensive
systems (5501's are ok) and run them in a failover configuration.  You
have redundancy and the flexibility to alternate between releases.
Without the headache of middleware patches, an unsupported
configuration, etc.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: old and new pf tandem test ---help

2009-05-19 Thread Jason Dixon
On Tue, May 19, 2009 at 02:52:03PM +0200, Iñigo Ortiz de Urbina wrote:
> On Tue, May 19, 2009 at 2:37 PM, Stuart Henderson  
> wrote:
> > On 2009-05-19, Iñigo Ortiz de Urbina  wrote:
> >> Mehma,
> >>
> >> You can find more info on the performance boost, and how developers
> >> achieved it, in this article. You can go through all of it as its
> >> really interesting IMHO:
> >>
> >> http://www.onlamp.com/pub/a/bsd/2007/11/01/whats-new-in-bsd-42.html
> >>
> >> Hope it helps you feel the need of trying pf _at home_ :)
> >
> > That is a good start, but there have been other changes since.
> > Not only pf, but also pfsync, nic drivers, and more.
> >
> > -current has some nice extras (added after 4.5) for ruleset sanity
> > too. For example, "match" rules, which are absolutely great when
> > combined with tags.
> 
> Indeed, and the active-active setup.
> 
> For those interested, here's more info on the subject:
> 
> Lecture: http://www.youtube.com/watch?v=cBxDgevQpCg
> Paper, part1 : http://undeadly.org/cgi?action=article&sid=20090220014805

This will get you all of the related stories:
http://undeadly.org/cgi?action=search&mode=&thres=&method=and&sort=revtime&query=redesign+pfsync
 

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 06:26:30PM -0300, Giancarlo Razzolini wrote:
> Jason Dixon escreveu:
>>
>> I appreciate your digging into the code.  That was above and beyond,
>> even if it doesn't really do me any good.
>>   
> Well, it can't always be elegant. It isn't elegant. As you saw in the
> code yourself. You only forgot to mention that you already had a
> workaround for your problem. If I had known it, it would have saved a lot of
> time, by not suggesting another one.

I mentioned it in a reply to Vadim.  Sorry for not making it more
obvious and that it caused you any wasted time.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 11:25:20PM +0200, Ross Cameron wrote:
> On Wed, May 6, 2009 at 10:38 PM, Giancarlo Razzolini
> wrote:
> >
> >  Well, I wasn't OT with my reply. And I have used openvpn from the beginning of
> > the project, even made a plugin for it. So I know a little of it. My
> > suggestion was to avoid what you might be already suspecting. You will have
> > to mess with openvpn code and recompile it to do what you want. The solution
> > I suggested is a viable one, even if you already have queueing policies on that
> > interface. It'll only require a little adaptation of your altq rules. I
> > guess you won't get far with an attitude like that, being rude with people
> > that are trying to help you. That said, you might want to take a look at
> > the openvpn source code, mainly the tun.c and tun.h files.
> 
> I'm with Giancarlo here,... I use OpenVPN extensively (not on OpenBSD
> admittedly - my own embedded BSD variant).
> And the man knows what he's talking about when it comes to OpenVPN.
> 
> Really man IF you want help don't douche on the guys trying to help you.

I just wanted a simple answer to a simple question.  Not the same old
"jeez, you should try this instead".
 
> An attitude like that deserves a response akin to "Use the source Luke" and
> no more.

We all have good and bad days.  I've been offering free (hopefully good)
advice to these lists for almost 10 years now.  I keep my questions
brief and my answers concise.  Detours piss me off.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 06:04:19PM -0300, Giancarlo Razzolini wrote:
> Jason Dixon escreveu:
>>   
> Well, my rude friend, I guess you'll have to accept my suggestion
> because you're simply stuck with it. I shouldn't, but I took a little
> time and dove into the openvpn source code. This is the piece of code that
> does exactly what you're saying:

Or I can continue to reload pf in /etc/rc.local like we currently do.
No harm no foul.  It's just not elegant.

Sorry if you find my demeanor rude.  I don't have a lot of patience for
tangents when I'm asking a straightforward question and getting
horizontal advice instead.  New workarounds aren't necessarily better
than existing workarounds.

I appreciate your digging into the code.  That was above and beyond,
even if it doesn't really do me any good.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 05:38:51PM -0300, Giancarlo Razzolini wrote:
>
> Well, I wasn't OT with my reply. And I have used openvpn from the beginning of
> the project, even made a plugin for it. So I know a little of it. My
> suggestion was to avoid what you might be already suspecting. You will
> have to mess with openvpn code and recompile it to do what you want. The
> solution I suggested is a viable one, even if you already have queueing
> policies on that interface. It'll only require a little adaptation of
> your altq rules. I guess you won't get far with an attitude like that,
> being rude with people that are trying to help you. That said, you might
> want to take a look at the openvpn source code, mainly the tun.c and tun.h files.

Regardless of how much you claim to know about it, the fact remains that
there's no way to have OpenVPN bind to an existing tun device.  Thanks
for the roundabout answer.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 11:51:19PM +0400, Vadim Zhukov wrote:
> On Wednesday 06 May 2009 23:34:52 Jason Dixon wrote:
> >
> > I'm specifying "dev tun0".  Per the openvpn(8) man page, dev-type
> > should only be used "if the TUN/TAP device used with --dev does not
> > begin with tun or tap".

[ ... ]

> 1. Did you try specifying the tunnel type?
> 
> 2. "tap" devices exist on Windows and on Linux, but NOT on OpenBSD. So
> OpenVPN cannot determine the device type via its name.

Both of your questions were answered by my last reply (see above).

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 11:43:15PM +0400, Vadim Zhukov wrote:
> On Wednesday 06 May 2009 23:18:31 Jason Dixon wrote:
> >
> > Having OpenVPN create the tun device does me no good.  I'd still have
> > to re-load pf/altq after the file descriptor is created.
> 
> Strange, I do not have such a problem. But I'm not using altq there,
> just some block/allow and NAT... Could you post your OpenVPN config?

Right, this only really manifests with altq on tun(4).  There's no point
to pasting my config, but I'll include most of it here so you don't think
I'm jerking your chain.  ;)


#
local x.x.x.9
port 1194
proto udp
dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
client-config-dir /etc/openvpn/ccd

server 192.168.210.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt 86400
push "route 10.0.116.0 255.255.254.0"

keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun

status /etc/openvpn/openvpn-status.log

verb 3
management 127.0.0.1 7505
#


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 04:29:10PM -0300, Giancarlo Razzolini wrote:
> Jason Dixon escreveu:
>> So apparently OpenVPN is a douche of an application by
>> destroying/recreating any tun devices you ask it to bind to.  This
>> causes havoc with pf/altq if you queue on those tun interfaces.
>>
>> I've asked on the openvpn-users mailing list if there's any way to have
>> OpenVPN avoid teardown of an existing tun(4) interface but nobody had
>> any useful answers (besides "use the up/down scripts")... yeah, thanks.
>> Has anyone here used OpenVPN in server mode and overcome this?
>>   
> Well, you don't necessarily need to enable altq on the tun interface to
> get your packets queued. I did overcome this by making the queue on
> another interface, a physical one, and then making packets entering or
> leaving the tun interface get queued on that interface. This works,
> and you won't have to deal with the tun interface being destroyed across
> openvpn starts/stops.

You don't understand the usage.  We have a remote office with a fixed
pipe and *all* of their traffic crossing the VPN tunnel to our office.
It's necessary to queue a fraction of the traffic crossing the physical
interface for this purpose.  We also perform queueing on the physical
interface that has a completely different usage model than the VPN
tunnel.

Please, let's not get off-topic.  It's a simple question... can you
start OpenVPN without having it destroy/recreate the tun interface.  If
you haven't used this, please refrain from commenting.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 03:21:16PM -0400, Mark Shroyer wrote:
> On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote:
> > So apparently OpenVPN is a douche of an application by
> > destroying/recreating any tun devices you ask it to bind to.  This
> > causes havoc with pf/altq if you queue on those tun interfaces.
> > 
> > I've asked on the openvpn-users mailing list if there's any way to have
> > OpenVPN avoid teardown of an existing tun(4) interface but nobody had
> > any useful answers (besides "use the up/down scripts")... yeah, thanks.
> > Has anyone here used OpenVPN in server mode and overcome this?
> 
> Weird.  I ran an OpenVPN server on my OpenBSD gateway until just
> recently, and I'm 98% sure that it never did this to me.  Are you
> specifying both "dev-type" and "dev" in the VPN configuration?

I'm specifying "dev tun0".  Per the openvpn(8) man page, dev-type should
only be used "if the TUN/TAP device used with --dev does not begin with
tun or tap".

Were you actually using altq on your tun device?
 
> Actually, that's one thought...  are you sure that the "dev-type"
> setting in your OpenVPN configuration file and the configuration of your
> tun(4) device are either both as tun or both as tap?  One of the things
> that caught me off-guard about setting up OpenVPN on OpenBSD is that
> OpenBSD's tap interfaces are actually called "tunX", they just have the
> link0 flag set.  (So you could properly end up with, e.g., "dev-type
> tap" and "dev tun0" in your OpenVPN configuration.)  Could be that if
> OpenVPN expects one type of device but gets the other, it automatically
> destroys and replaces it...

As mentioned, "dev-type" is unnecessary.  We have no problems with this
configuration other than OpenVPN destroying the device at runtime which
causes the file-descriptor to change, confusing pf/altq.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 11:14:21PM +0400, Vadim Zhukov wrote:
> On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote:
> > On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote:
> > > On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:
> > > > So apparently OpenVPN is a douche of an application by
> > > > destroying/recreating any tun devices you ask it to bind to.  This
> > > > causes havoc with pf/altq if you queue on those tun interfaces.
> > > >
> > > > I've asked on the openvpn-users mailing list if there's any way to
> > > > have OpenVPN avoid teardown of an existing tun(4) interface but
> > > > nobody had any useful answers (besides "use the up/down
> > > > scripts")... yeah, thanks. Has anyone here used OpenVPN in server
> > > > mode and overcome this?
> > >
> > > See "persist-tun" option.
> >
> > This only affects restarts, not the initial startup.
> 
> The idea is that you pre-create tun device (possibly in startup script, 
> or in /etc/rc.local) and then OpenVPN uses it.

You're missing the point.  I create the necessary tun devices at boot
with hostname.tun* so that we get no pf/altq load errors.  But as soon
as OpenVPN runs from rc.local, it destroys the tun device and recreates
it.  This breaks altq because the file descriptor (/dev/tun*) changes.

Having OpenVPN create the tun device does me no good.  I'd still have to
re-load pf/altq after the file descriptor is created.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
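The workaround Jason mentions elsewhere in this thread (reloading pf from /etc/rc.local once OpenVPN has recreated the device) written out as a script. This is an added example, not the thread's own code or anything shipped with OpenVPN or OpenBSD. It assumes the server config lives at /etc/openvpn/server.conf, the ruleset at /etc/pf.conf, and that the tunnel is tun0, all of which are this example's choices; the wait is bounded so a VPN that never comes up cannot stall the rest of rc.local.

```sh
#!/bin/sh
# Added example (not from the thread): start OpenVPN from rc.local, wait
# until it has torn down and recreated tun0, then reload pf so the altq
# queues attach to the new tun0 instance rather than the one hostname.tun0
# created at boot.  Paths and interface name are assumptions.

OPENVPN_CONF=${OPENVPN_CONF:-/etc/openvpn/server.conf}
PF_CONF=${PF_CONF:-/etc/pf.conf}
VPN_IF=${VPN_IF:-tun0}

# Run "$@" up to $1 times, one second apart; succeed as soon as it does.
# Returns 1 if the probe never succeeded, so the caller can log and move on.
wait_for() {
    _tries=$1; shift
    while [ "$_tries" -gt 0 ]; do
        "$@" && return 0
        _tries=$((_tries - 1))
        sleep 1
    done
    return 1
}

# Has OpenVPN (re)created the interface and marked it UP yet?  A missing
# interface makes ifconfig fail, which the grep turns into "not yet".
tun_is_up() {
    ifconfig "$VPN_IF" 2>/dev/null | grep -q '^[a-z0-9]*: flags=.*<.*UP'
}

# pfctl -f reloads rules, translation and altq queue definitions together,
# which is what rebinds the queues to the recreated tun(4) device.
reload_pf() {
    pfctl -f "$PF_CONF"
}

# The rc.local fragment.  Nothing runs unless invoked with "start", so the
# functions above can be sourced and tested on their own.
case "${1:-}" in
start)
    openvpn --daemon --config "$OPENVPN_CONF"
    if wait_for 15 tun_is_up; then
        reload_pf
    else
        logger -p daemon.err "$VPN_IF did not come up; pf not reloaded"
        exit 1
    fi ;;
esac
```

After the reload, `pfctl -s queue` should list the tun0 queues again; if it does not, the reload ran before OpenVPN finished and the wait needs to be longer. This only covers the first start: with persist-tun in the OpenVPN config, later restarts keep the device and no second reload is needed.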



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote:
> On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:
> > So apparently OpenVPN is a douche of an application by
> > destroying/recreating any tun devices you ask it to bind to.  This
> > causes havoc with pf/altq if you queue on those tun interfaces.
> >
> > I've asked on the openvpn-users mailing list if there's any way to
> > have OpenVPN avoid teardown of an existing tun(4) interface but nobody
> > had any useful answers (besides "use the up/down scripts")... yeah,
> > thanks. Has anyone here used OpenVPN in server mode and overcome this?
> 
> See "persist-tun" option.

This only affects restarts, not the initial startup.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
So apparently OpenVPN is a douche of an application by
destroying/recreating any tun devices you ask it to bind to.  This
causes havoc with pf/altq if you queue on those tun interfaces.

I've asked on the openvpn-users mailing list if there's any way to have
OpenVPN avoid teardown of an existing tun(4) interface but nobody had
any useful answers (besides "use the up/down scripts")... yeah, thanks.
Has anyone here used OpenVPN in server mode and overcome this?

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Migration from IPTABLES to PF

2009-05-04 Thread Jason Dixon
On Mon, May 04, 2009 at 04:14:45PM -0400, Mark Shroyer wrote:
> On Mon, May 04, 2009 at 04:46:16PM -0300, Gonzalo Lionel Rodriguez wrote:
> > jaja OMG... i love PF and OpenBSD.
> > 
> > 2009/5/4 Jason Dixon :
> > > LOL, you ain't seen nothing yet.  Look at the "extended version" he just
> > > sent out.  :)
> 
> To be fair, I've seen some pretty horrid pf.conf files, too.  (Although
> I certainly prefer it over iptables in most cases.)

Indeed.  I clawed my eyes out this weekend on a friend's pf.conf (hi
Kevin :) while trying to diagnose some relayd problems.  At least pf
syntax lends itself to logical separation and organization.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Migration from IPTABLES to PF

2009-05-04 Thread Jason Dixon
On Mon, May 04, 2009 at 04:34:55PM -0300, Gonzalo Lionel Rodriguez wrote:
> 2009/5/4 Marco Peereboom :
> > MY EYES!!! make it stop bleeding!!!
> 
> jajajaja i think the same. grrr

LOL, you ain't seen nothing yet.  Look at the "extended version" he just
sent out.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Migration from IPTABLES to PF

2009-05-04 Thread Jason Dixon
On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
> 
> I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
> who installed it left our company some months ago.
> I spent some years far from iptables, and now I have to migrate this firewall to
> PF.
> There are some 'special' features on this firewall; I need some documentation
> or help about implementing these features at the new firewall (PF).

The documentation is available online:

http://www.openbsd.org/faq/pf/index.html
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I made a quick review of your ruleset.  I gave up after a few PgDn's.  I
believe it's in your best interests to contact someone that provides
commercial support.

http://www.openbsd.org/support.html

On a good day, someone might step up and help you with this.  But I
wouldn't expect it.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Recovering data from OpenBSD drive using OSX

2009-05-01 Thread Jason Dixon
On Fri, May 01, 2009 at 06:13:38PM -0400, bofh wrote:
> On 5/1/09, Jason Dixon  wrote:
> > On Fri, May 01, 2009 at 02:50:48PM -0700, jebyrnes wrote:
> >> Hello, all.  I have a question.  A long time ago in college I ran an
> >> openBSD
> >> server.  It was an old, cantankerous machine, and eventually something
> >> happened to the motherboard, and it died.  The drives, with all of their
> >> data, are still fine.  In fact, I'd like to recover the data.  In my
> >> current
> >> situation, I don't have access to the equipment to put together a new box
> >> with the old drives in it.  I would like to get the data, off, however.
> >> All
> >> I have is a mac laptop.
> >>
> >> Will OSX be able to access these drives?  Are there any utilities that
> >> would
> >> help in this?  It's been a while since I hacked around at this level, so
> >> would appreciate any advice you all could give.  Thanks.
> >
> > Find an external USB enclosure.  Toss them in.  Connect it.  Boot
> > OpenBSD in a virtual machine.  Mount drive.  Read files.
> >
> I'd s/external usb enclosure/ide+sata->usb adapter/
> 
> Much more flexible, and cheaper, iirc.

Technically, I said _find_, not buy.  ;)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Recovering data from OpenBSD drive using OSX

2009-05-01 Thread Jason Dixon
On Fri, May 01, 2009 at 02:50:48PM -0700, jebyrnes wrote:
> Hello, all.  I have a question.  A long time ago in college I ran an openBSD
> server.  It was an old, cantankerous machine, and eventually something
> happened to the motherboard, and it died.  The drives, with all of their
> data, are still fine.  In fact, I'd like to recover the data.  In my current
> situation, I don't have access to the equipment to put together a new box
> with the old drives in it.  I would like to get the data, off, however.  All
> I have is a mac laptop.
> 
> Will OSX be able to access these drives?  Are there any utilities that would
> help in this?  It's been a while since I hacked around at this level, so
> would appreciate any advice you all could give.  Thanks.

Find an external USB enclosure.  Toss them in.  Connect it.  Boot
OpenBSD in a virtual machine.  Mount drive.  Read files.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



DCBSDCon 2009 Videos

2009-04-24 Thread Jason Dixon
As announced on Undeadly, the speaker videos for DCBSDCon 2009 are now
available on YouTube and the conference website.

http://undeadly.org/cgi?action=article&sid=20090424204748
http://www.youtube.com/profile?user=bsdconferences&view=videos&query=dcbsdcon
http://www.dcbsdcon.org/speakers/videos/

Will Backman (bsdtalk) has also posted audio from the conference.

http://cisx1.uma.maine.edu/~wbackman/bsdtalk/DCBSDCon2009/

I'd like to also express my gratitude to Todd Fries (todd@) for his
assistance with encoding videos in OpenBSD.  Needless to say I won't be
doing any more multimedia work in OS X.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Multiple layers of NAT

2009-04-21 Thread Jason Dixon
On Tue, Apr 21, 2009 at 08:42:44PM +0300, Lars Nooden wrote:
> Alexander Hall wrote:
> > Lars Nooden wrote:
> >> Sometimes I have to set up a LAN inside a pre-existing NAT'd LAN and
> >> traffic from the inner LAN (B) does not make it to the Internet or even
> >> to final, external interface (4).
> >>
> >> +---+ ++
> >>LAN B ---+ 1 + +  Box2  +
> >> +  NAT  + +   4+---> Internet
> >> +  2+--LAN A--+3  NAT  +
> >> +  Box1 + ++
> >> +---+ ++
> >>
> >> What kind of generic change is needed in PF to get from LAN B through to
> >> the outside?
> > 
> > If the subnets are different, say 192.168.10.0/24 and 192.168.11.0/24,
> > and each box does its NAT and 'net.inet.ip.forwarding=1' I cannot see
> > anything that would prevent this from working.
> > 
> > Start by tracing how far the package makes it and what src address it has.
> 
> I can ping from LAN B to interface 3 and get a response, but not to 4.
> I can ping (and everything else) from LAN A to interface 4 and the Internet.
> 
> I've searched around a bit and see there is something wrong (in general)
> with "double NAT"

It's a simple matter of:

  * does the route exist
  * does the firewall allow it

Verify that both are true.  Monitor your traffic with tcpdump as needed.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: slow httpd on 4.4

2009-04-18 Thread Jason Dixon
On Sun, Apr 19, 2009 at 02:43:02AM +0300, Angelin Lalev wrote:
> Earlier today, mostly out of curiosity, I installed OpenBSD for the
> first time. I used it to replace a perfectly sound installation of
> debian+lighttpd which served some big files in my home network.
> Unfortunately I'm noticing drastic performance degradation.
> The debian server achieved speeds that were well into the megabyte per
> second range. Now OpenBSD + httpd (the included apache 1.3) on the same
> machine (P4 2,4) gives me only 20Kbit/sec traffic on 100Mbit Ethernet, which
> is rather weird and actually had me checking cables, switches and duplex
> modes. It seems that everything is ok with them.
> 
> Is it possible that this limitation is the result of some OpenBSD
> configuration option that I'm missing?

No.

Please post your test methods and relevant system information (dmesg,
ifconfig, httpd.conf) so people can spend their time helping, not
guessing.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Sun X4140 support?

2009-04-15 Thread Jason Dixon
On Thu, Apr 16, 2009 at 07:52:25AM +0200, Otto Moerbeek wrote:
> On Thu, Apr 16, 2009 at 07:47:14AM +0200, Henning Brauer wrote:
> 
> > * Jason Dixon  [2009-04-16 07:18]:
> > > We had a spare set of servers available, so I went back to the lab and
> > > reproduced the traffic profile.  I then tested the same load with the MP
> > > kernel.  My tests revealed that even though the kernel is not threaded,
> > > we benefit from equal distribution of interrupts across all cores.  Our
> > > interrupt load effectively decreased by a factor of 4;  since we aren't
> > > performing any userland activity, the other 3 cores are otherwise
> > > unused.
> > 
> > was this 4.5 or earlier? If earlier what you saw could be pic vs apic.
> > since 4.5 we have apic usually on UP too.
> > if it isn't that, I am stunned. could speculate about better cache
> > usage, but that would be about the only idea i'd have.
 
It was a 2/28 snapshot, both cases (bsd vs bsd.mp).

> I think wrong statistics collection in the MP case should also be
> considered as a possible cause.

I've considered that as well.  I was hoping someone smarter than me
would have answers.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Sun X4140 support?

2009-04-15 Thread Jason Dixon
On Thu, Apr 16, 2009 at 12:34:47AM -0400, Daniel Ouellet wrote:
>> I'm looking for hardware to replace my current firewalls, and
>> my understanding is that Opteron gear is the way to go for pf
>> performance.
>
> As Theo said, there is no point in that. The only thing I could think of
> really is to put your money more into a good network card, or hardware with
> a good built-in nic; a single core processor would be best as the kernel
> is not fully taking advantage of it yet. Sure, it's getting better and better
> all the time and it looks like it may soon be pretty good. Don't get me
> wrong, it's not bad as is, but for a firewall and router, for example,
> unless things have changed dramatically in the last two years, you are still
> best off with a single core CPU for this type of setup.

Although I've subscribed to this philosophy for a while now, I recently
deployed a pf pair where it was beneficial to run the MP kernel.  At
least it was according to systat.

This particular site does nothing but forward packets at layer 3.  No
translation or bridging.  It has a typical traffic profile for a
high-volume website, except that we also recently merged networks to
include their mail campaigns as well.  We completed the migration after
upgrading their core firewalls to a pair of SuperMicro systems with all
em(4) interfaces on snapshots from around the 4.5 tagging (primarily to
take advantage of recent interrupt mitigation and livelock
enhancements).

While the firewalls handled the workload, CPU numbers were very high.
The MASTER node peaked between 80-90% each day, almost exclusively from
interrupts.  I had thoroughly tested these systems before deploying
them, but hadn't triggered this behavior in my benchmarks.

We had a spare set of servers available, so I went back to the lab and
reproduced the traffic profile.  I then tested the same load with the MP
kernel.  My tests revealed that even though the kernel is not threaded,
we benefit from equal distribution of interrupts across all cores.  Our
interrupt load effectively decreased by a factor of 4;  since we aren't
performing any userland activity, the other 3 cores are otherwise
unused.

I've been meaning to bring this up with some of the pf developers.  This
seems like a good place to address it.  I hope that my findings are
accurate and not a user (or systat) error.  Perhaps this will help
others with their purchasing decisions.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Games

2009-04-08 Thread Jason Dixon
On Wed, Apr 08, 2009 at 04:17:09PM -0400, STeve Andre' wrote:
> On Wednesday 08 April 2009 15:57:54 Matthew Szudzik wrote:
> > On Wed, Apr 08, 2009 at 09:19:00PM +0200, Matthias Kilian wrote:
> > > The new release song is really catchy. Many thanks to Jonathan,
> >
> > I'm in complete agreement.  It's probably the best OpenBSD song yet, and
> > has the potential to appeal to frustrated computer users outside the
> > OpenBSD community (e.g. the slashdot crowd) with lyrics like "I love to
> > hate my PC", "Just wanna get this job done", and "Lost my mind, it's
> > such a waste of time".
> 
> Nah, it's Systemagic. ;-)

+1

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?

2009-04-06 Thread Jason Dixon
On Mon, Apr 06, 2009 at 11:49:28AM -0700, J.C. Roberts wrote:
> On Mon, 6 Apr 2009 11:37:30 +0200 ropers  wrote:
> 
> > 2009/4/6 Toni Mueller :
> > >
> > > I don't know what exactly you want to do, but you might be
> > > interested in reading some reports about the printing quality and
> > > operating cost, too. Eg. a good ink jet printer should deliver
> > > better quality printouts than a bad laser printer.
> > 
> > I do positively, affirmatively, definitely want a laser printer. ;)
> > 
> > Because:
> > (a), I already have a (dead slow and old but portable) ink jet
> > printer, (b), ink jet printers are more likely to go into the
> > direction of weird binary blob printer drivers with neither built-in
> > postscript, nor good ghostscript/driver support, and
> > (c), an ink jet printer cannot do this:
> > http://www.riccibitti.com/pcb/pcb.htm
> 
> For Do-It-Yourself PCB's, you *really* want postscript support. Color
> support is not necessary, and you can easily get away with finding a
> free, used, office laser printer. As odd as it might seem, some of the
> old laser printers are actually "better" in the sense of they were
> built to last and you can still get parts for most of them.
> 
> Network support is very nice to have, and makes your life a lot easier,
> but isn't a show stopper since you can almost always use a small
> "print-server" device. I've had *decades* of success with HP LaserJet I,
> and LaserJet II-P printers, although I would not suggest the former for
> PCB work due to resolution. Yes, I know they're ancient, but they work.

If the above is correct (and I believe JCR) then I can highly recommend
the Brother HL-2170W.  It's inexpensive and has worked great for me with
OpenBSD.  Comes with wireless *and* wired networking.

http://www.brother-usa.com/Printer/ModelDetail.aspx?ProductID=hl2170W
 
-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: love me love me, fool me fool me

2009-04-01 Thread Jason Dixon
On Wed, Apr 01, 2009 at 05:50:17PM +0200, frantisek holop wrote:
> hey there,
> 
> so no 1st of april fools this year, hm?
> 
> how about we start a big flamewar about something?
> oh wait...

One is enough.
 
> happy fools' day fools! :]

Meh.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: openbsd in virtualization

2009-03-19 Thread Jason Dixon
On Thu, Mar 19, 2009 at 08:12:51AM -0700, Mike wrote:
> 
> BTW, how many VM's can I setup using a fast/supped up laptop in a
> @home environment which would be something that one would setup in
> work environment.

Certainly no more than 37.  Maybe 38 if you lower the display settings.
As few as 32 when you're playing Halo.


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-11 Thread Jason Dixon
On Wed, Mar 11, 2009 at 01:04:34PM -0400, David Goldsmith wrote:
> Jason Dixon wrote:
> > 
> > S/SAFR
> > 
> > I just had to deal with this on our customer's PCI scan.  Don't argue
> > with the logic, just do it.  :)
> 
> Let me guess -- TrustKeeper?  We just had to deal with this as well.
> Submit an appeal and they should accept it.

Yup.
 
> The "flags S/SAFR" will work unless you are being a good little pf admin
> and also scrubbing all the traffic.  The problem is pf considers SYN-RST
> packets to be illegal and drops them (good) but only considers SYN-FIN
> packets to be ambiguous and so it "normalizes" them and clears the FIN
> bit (in this case for the PCI scan - bad) Then your server behind the
> firewall received what it thinks is a nice clean SYN packet and it sends
> back SYN-ACK.

Yes, we have our own reasons not to scrub there.  Well, *someone* has
their reasons.  I have to deal with those reasons.  ;)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-11 Thread Jason Dixon
On Wed, Mar 11, 2009 at 10:54:18AM -0400, Jason Dixon wrote:
> On Wed, Mar 11, 2009 at 10:42:38AM -0400, Stuart VanZee wrote:
> > I understand that this might annoy a few of you; if it does,
> > please accept my apologies.
> > 
> > The place I work is required to have an external security scan
> > from time to time and the latest scan says that we have failed
> > because the firewall responded to a TCP packet that has the SYN
> > and FIN flags set.  I know that OpenBSD isn't vulnerable to the
> > exploits that use this:
> > 
> > http://www.kb.cert.org/vuls/id/IAFY-5F8RWP
> > 
> > However, I don't see any reason to respond to a packet with SYN
> > and FIN set, AND, a firewall rule that drops said TCP packets
> > would fix the fact that we are now "non compliant" as far as
> > the security scan goes.  I think a pf rule such as:
> > 
> > block drop in quick proto tcp all flags SF/SF
> > 
> > would do it.
> > 
> > Does anyone see a way that this would come back to bite me on
> > the ass later?
> 
> S/SAFR
> 
> I just had to deal with this on our customer's PCI scan.  Don't argue
> with the logic, just do it.  :)

I should clarify, you want to use the above flags on your pass rule.
Don't bother with a block rule matching on flags.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-11 Thread Jason Dixon
On Wed, Mar 11, 2009 at 10:42:38AM -0400, Stuart VanZee wrote:
> I understand that this might annoy a few of you; if it does,
> please accept my apologies.
> 
> The place I work is required to have an external security scan
> from time to time and the latest scan says that we have failed
> because the firewall responded to a TCP packet that has the SYN
> and FIN flags set.  I know that OpenBSD isn't vulnerable to the
> exploits that use this:
> 
> http://www.kb.cert.org/vuls/id/IAFY-5F8RWP
> 
> However, I don't see any reason to respond to a packet with SYN
> and FIN set, AND, a firewall rule that drops said TCP packets
> would fix the fact that we are now "non compliant" as far as
> the security scan goes.  I think a pf rule such as:
> 
> block drop in quick proto tcp all flags SF/SF
> 
> would do it.
> 
> Does anyone see a way that this would come back to bite me on
> the ass later?

S/SAFR

I just had to deal with this on our customer's PCI scan.  Don't argue
with the logic, just do it.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
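An added example, not code from this thread or from pf itself: a small model of pf's TCP `flags set/mask` matching so the two rule styles discussed above (`block ... flags SF/SF` versus a pass rule with `S/SAFR`) can be compared on constructed flag values. The `scrub_syn_fin` helper is a hypothetical stand-in for the normalization behaviour described in the thread (FIN cleared from a SYN+FIN packet before rule evaluation), not pf's actual code.

```python
# TCP flag letters as used in pf.conf(5): F=FIN S=SYN R=RST P=PSH A=ACK U=URG,
# mapped to the bit values they occupy in the TCP header.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec):
    """Turn a pf 'set/mask' spec such as 'S/SAFR' into (set_bits, mask_bits)."""
    want, mask = spec.split("/")
    to_bits = lambda letters: sum(FLAG_BITS[c] for c in letters)
    return to_bits(want), to_bits(mask)


def flags_match(spec, tcp_flags):
    """True if, looking only at the bits named in the mask, exactly the bits
    named in the set part are on. Bits outside the mask are ignored."""
    want, mask = parse_flags(spec)
    return tcp_flags & mask == want


def scrub_syn_fin(tcp_flags):
    """Hypothetical model of the normalization described in the thread:
    a packet carrying both SYN and FIN has its FIN bit cleared."""
    if tcp_flags & FLAG_BITS["S"] and tcp_flags & FLAG_BITS["F"]:
        return tcp_flags & ~FLAG_BITS["F"]
    return tcp_flags


def evaluate(tcp_flags, scrub=False):
    """Report how the two rules from the thread see a packet with these flags,
    optionally after the modelled scrub step has run first."""
    if scrub:
        tcp_flags = scrub_syn_fin(tcp_flags)
    return {
        "block_SF/SF": flags_match("SF/SF", tcp_flags),
        "pass_S/SAFR": flags_match("S/SAFR", tcp_flags),
    }


if __name__ == "__main__":
    # Constructed sample packets (flag bytes only), not captured traffic.
    samples = {"SYN": 0x02, "SYN+FIN": 0x03, "SYN+ACK": 0x12, "SYN+RST": 0x06}
    for name, bits in samples.items():
        print(name, "no scrub:", evaluate(bits), "scrub:", evaluate(bits, scrub=True))
```

With the modelled scrub in front, the SYN+FIN probe becomes a plain SYN before the block rule is consulted, which is the situation the reply above describes; the pass rule's `S/SAFR` spec rejects it only when scrub is absent.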



Re: Where is "Secure by default" ?

2009-03-09 Thread Jason Dixon
On Mon, Mar 09, 2009 at 03:48:05PM +, - Tethys wrote:
> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom  wrote:
> > because it is.
> 
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure "because it
> is". That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
> 
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?

As a community, we don't suffer fools well.  Take it or leave it, but
don't try to change us.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-08 Thread Jason Dixon
On Sun, Mar 08, 2009 at 04:01:57PM -0700, Hilco Wijbenga wrote:
> Hi all,
> 
> I have pf running on my firewall box and I'm experiencing some strange
> behaviour. After several hours (this may even be 24 hours) of
> functioning normally, pf seems to reload its default rules which means
> that from that point on all traffic is blocked. A simple "pfctl -f
> /etc/pf.conf" fixes the problem but it is very annoying.

There's nothing in OpenBSD or pf that reloads any configurations
"automagically".
 
> I don't see anything relevant in /var/log/pflog or /var/log/messages
> but I'm not sure what I am looking for so I may have missed something.
> 
> Do you have any idea why this is happening? Do you have any tips for
> debugging this? I'm running a stock OpenBSD 4.4.

You could start by showing us "pfctl -sr" before and after this supposedly
takes place.  And "uptime" to prove it hasn't been rebooted.  And "grep
pf /etc/rc.conf.local" so we can see how you're starting it.

In other words, *useful information*.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: How do I monitor my PF based firewall?

2009-03-04 Thread Jason Dixon
On Wed, Mar 04, 2009 at 02:55:46PM +0100, Falk Brockerhoff - smartTERRA GmbH wrote:
> Am 04.03.2009 um 14:46 schrieb Jason Dixon:
>
>> Other people use the PF-MIB patch to net-snmp.  We don't need that
>> functionality.  We like to monitor the following for our PF firewalls in
>> Cacti:
>
> The number of passed and blocked packets would also be interesting.
> Perfect if I can get these values per VLAN...
>
> Any idea how to get these values?

You've already been given the link to the PF-MIB patch.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


