Debug or find issue in IPSec site-to-site
Hi list. There is an IPsec site-to-site configuration between five endpoints over the Internet. IPsec is configured with manual flows and manual SAs. All has been working smoothly for years, except one new route/tunnel that looks like it is working fine, i.e. it delivers traffic between local nets (A and B) that are behind firewalls (gwA and gwB). But it may suddenly happen that traffic from net A isn't getting to net B. After a while it resumes working. The output of "ipsecctl -sa" always reports that FLOWS and SADs exist for the problematic route/tunnel. pf.conf allows the ESP protocol on the external interface on both gateways in both directions. pf.conf allows traffic on both gateways from the opposite network to the local network. If there were mistakes in ipsec.conf or pf.conf it wouldn't even work, I think. Any thoughts on how to deal with that? Would it be helpful to provide extra information, configs, etc.? Thanks. Pavel.
Re: 4-ports router under $150
I haven't tried via serial because I used VGA + USB keyboard. However, I'll definitely try that LAN/serial port.

On 11/04/18 18:27, Todd C. Miller wrote:
On Wed, 11 Apr 2018 10:49:54 +0300, lilit-aibolit wrote:
Hi, I've been looking for more than one year to get something similar until I found this: https://pt.aliexpress.com/item/Celeron-J1900-Mini-pc-free-shipping-micro-sd-two-usb-and-four-lan-laptop-overwatch-Computer/32794678352.html?spm
I already got and tested it and it works fine.
Can you access the BIOS from the serial port or only via VGA?
- todd
Re: 4-ports router under $150
Hi, I've been looking for more than one year to get something similar until I found this: https://pt.aliexpress.com/item/Celeron-J1900-Mini-pc-free-shipping-micro-sd-two-usb-and-four-lan-laptop-overwatch-Computer/32794678352.html?spm
I already got and tested it and it works fine.

On 08/04/18 00:59, Anatoli wrote:
Hi All! I'm looking for a modest 4-5 port router under $150 that works well with OpenBSD. I don't need WiFi, USB or a console port, and the throughput doesn't need to exceed 100Mbps. The ideal device would be the EdgeRouter X (compact, 5 ports, $50) but I know it's not supported at this moment and probably never will be. EdgeRouter (ER) Lite only has 3 ports and the switch ports (eth2-4) of the ERPOE-5 are not yet supported. ER-4 would be great, but the 4th port is SFP; I'd need to buy an SFP NIC for one of my devices and I'm not sure it's supported, as the octeon page says ER PRO SFP ports are not supported yet. Also it's a bit expensive ($190). Banana Pi R2 would be great too, but I couldn't find out if it's supported by OpenBSD (it has a MediaTek MT7623N, quad-core ARM Cortex-A7). Are there 4-5 port devices that are known to work well with OpenBSD? Thanks, Anatoli
Can't boot 6.2 on Intel Celeron J1900
I've found this cheap mini computer and installed 6.2 on it:
- http://www.xcyminipc.com/product/showproduct.php?lang=en=51
But after reboot it freezes quickly. I recorded a video:
- https://www.youtube.com/watch?v=OLGblwGx5c0
What could be the issue?
Re: l2tp and openbsd 6.1
On 05/10/17 09:17, lilit-aibolit wrote:
Hi, I've just tried your suggestion and the iPhone could connect but Windows gives new errors in the log:
##here is Windows attempt
Oct 5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type in payload of type 5
Oct 5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE

I've tested one more time and it seems that INVALID_PAYLOAD_TYPE means a wrong PSK in the Windows VPN client. So after correction I was able to establish a VPN from iPhone, Android and Windows (at least version 7) with this ipsec.conf:

ike passive esp transport \
    proto udp from a.b.s.d to any port 1701 \
    main auth hmac-sha1 enc aes group modp2048 \
    quick auth hmac-sha1 enc aes \
    psk "psk"
ike passive esp transport \
    proto udp from a.b.s.d to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "psk"
Re: l2tp and openbsd 6.1
Hi, I've just tried your suggestion and the iPhone could connect but Windows gives new errors in the log:
Oct 5 09:05:44 gw isakmpd[19354]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Oct 5 09:05:46 gw npppd[10826]: l2tpd ctrl=6 logtype=Started RecvSCCRQ from=37.73.214.69:57298/udp tunnel_id=6/17 protocol=1.0 winsize=4 hostname=imuca vendor=(no vendorname) firm=
Oct 5 09:05:46 gw npppd[10826]: l2tpd ctrl=6 call=12298 logtype=PPPBind ppp=5
Oct 5 09:05:49 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.214.69:57298 auth=MS-CHAP-V2 ip=192.168.222.101 iface=tun0
Oct 5 09:05:49 gw /bsd: pipex: ppp=5 iface=tun0 protocol=L2TP id=12298 PIPEX is ready.
Oct 5 09:05:49 gw npppd[10826]: ppp id=5 layer=base Using pipex=yes
Oct 5 09:06:59 gw npppd[10826]: l2tpd ctrl=6 call=12298 logtype=PPPUnbind
Oct 5 09:06:59 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELUSAGE user="ppo" duration=72sec layer2=L2TP layer2from=37.73.214.69:57298 auth=MS-CHAP-V2 data_in=167613bytes,1911packets data_out=2819616bytes,2540packets error_in=1 error_out=0 mppe=no iface=tun0
Oct 5 09:06:59 gw npppd[10826]: l2tpd ctrl=6 logtype=Finished
##here is Windows attempt
Oct 5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type in payload of type 5
Oct 5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE

After I removed the first ike config line with modp2048, the log returned to this:
Oct 5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 5 09:16:08 gw isakmpd[12442]: message_negotiate_sa: no compatible proposal found
Oct 5 09:16:08 gw isakmpd[12442]: dropped message from 37.73.208.173 port 10552 due to notification type NO_PROPOSAL_CHOSEN

On 04/10/17 20:54, Vijay Sankar wrote:
Unfortunately I am not sure if what I am saying is correct or valid because maybe this stuff works for me only because I am using older versions of Android etc., plus I am using a slightly modified OpenBSD 5.5 kernel. But you may want to try the following. The order is important -- it doesn't seem to work if modp2048 is listed after modp1024. If I do something like
ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp2048 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"
ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"
in the order listed, it works, and it has been working for at least a few years. To make sure I am not posting wrong information, I have double-checked using Lenovo YogaPad (Android 4.4.2), Windows 7, Windows 8, Windows 10, iOS 10.3.3, and MacOS 10.13. I will try the same thing with -current and report back to the list if it is useful. Hope this helps. Vijay
Re: l2tp and openbsd 6.1
Hi, with L2TP I have a situation where iOS and Android devices can connect but Windows 7 and Windows 10 can't. Is it possible to adjust ipsec.conf somehow so it accepts connections from Windows clients too? Or is there a way to adjust some settings in Windows so it will work with the current ipsec.conf?
I also noticed that I have to add a pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on { lo0, tun0 }
Here is ipsec.conf:
ike passive esp transport \
    proto udp from a.b.x.y to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "password"
Here is npppd.conf:
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on x.x.y.y
}
ipcp IPCP {
    pool-address 192.168.222.2-192.168.222.254
    dns-servers 192.168.a.b
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
Log from Android:
Oct 2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=
Oct 2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
Oct 2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes
Log from iPhone 6s:
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
Oct 2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes
Log from iPhone 4s:
Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=
Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2 ip=192.168.222.101 iface=tun0
Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct 2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.
And an unsuccessful connection from Win7:
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct 4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN

On 02/10/17 23:03, Charles Amstutz wrote:
Hello everyone, I'm new to this list and L2TP/OpenBSD (but do have working UNIX/Linux knowledge). After searching the previous forum posts (and the internet) I have found a lot of information on L2TP ipsec.conf connection strings. However, I can't get Android to connect. I keep getting IKE negotiation failed errors. I've looked at sites such as:
http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
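As an added example (my code, not from the thread), a small Python parser that ties isakmpd's attribute_unacceptable lines to the "dropped message" line that follows them, so one can see per peer which proposal attributes were rejected and why the message was dropped. The sample log is constructed to mirror the lines quoted in this thread, with documentation addresses in place of the real peers; the INVALID_PAYLOAD_TYPE hint repeats the thread's own finding that it pointed to a wrong PSK on the Windows client.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the isakmpd/npppd lines quoted in the thread
# (peer addresses replaced with documentation addresses).
SAMPLE_LOG = """\
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct 4 10:12:37 gw isakmpd[24211]: dropped message from 203.0.113.10 port 16884 due to notification type NO_PROPOSAL_CHOSEN
Oct 5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type in payload of type 5
Oct 5 09:08:16 gw isakmpd[19354]: dropped message from 203.0.113.20 port 2715 due to notification type INVALID_PAYLOAD_TYPE
Oct 5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 5 09:16:09 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=203.0.113.30:65367/udp tunnel_id=3/7
"""

ATTR_RE = re.compile(
    r"isakmpd\[(?P<pid>\d+)\]: attribute_unacceptable: "
    r"(?P<attr>[A-Z_]+): got (?P<got>\S+), expected (?P<expected>\S+)$")
DROP_RE = re.compile(
    r"isakmpd\[(?P<pid>\d+)\]: dropped message from (?P<peer>\S+) port "
    r"(?P<port>\d+) due to notification type (?P<notify>[A-Z_]+)$")
# An L2TP SCCRQ reaching npppd means IKE phase 1 and 2 succeeded for that peer.
L2TP_RE = re.compile(r"npppd\[\d+\]: l2tpd .*RecvSCCRQ from=(?P<peer>[\d.]+):")


def parse_isakmpd_log(text):
    """Tie attribute_unacceptable lines to the drop that follows them.

    Returns (drops, l2tp_peers, leftovers): one dict per dropped IKE
    message, the peers that got as far as L2TP, and rejected attributes
    that were never followed by a drop (isakmpd accepted another of the
    peer's proposals instead).
    """
    pending = defaultdict(list)   # isakmpd pid -> mismatches seen so far
    drops, l2tp_peers = [], set()
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            pending[m["pid"]].append((m["attr"], m["got"], m["expected"]))
            continue
        m = DROP_RE.search(line)
        if m:
            drops.append({"peer": m["peer"], "port": int(m["port"]),
                          "notify": m["notify"],
                          "mismatches": sorted(set(pending.pop(m["pid"], [])))})
            continue
        m = L2TP_RE.search(line)
        if m:
            l2tp_peers.add(m["peer"])
    leftovers = {pid: sorted(set(v)) for pid, v in pending.items() if v}
    return drops, l2tp_peers, leftovers


def explain(drop):
    """One-line diagnosis for a dropped message, based on the thread's findings."""
    if drop["notify"] == "NO_PROPOSAL_CHOSEN":
        rejected = ", ".join(f"{a}: got {g}, expected {e}"
                             for a, g, e in drop["mismatches"])
        return (f"{drop['peer']}: no ike line in ipsec.conf matches the "
                f"client's phase 1 proposal ({rejected})")
    if drop["notify"] == "INVALID_PAYLOAD_TYPE":
        # With a wrong pre-shared key the peer's encrypted main-mode payload
        # decrypts to garbage, which isakmpd reports as an invalid payload type.
        return (f"{drop['peer']}: encrypted payload unreadable; check that "
                "the client's pre-shared key matches the psk in ipsec.conf")
    return f"{drop['peer']}: dropped with {drop['notify']}"


def summarize(text):
    """Human-readable report over a syslog excerpt."""
    drops, l2tp_peers, leftovers = parse_isakmpd_log(text)
    report = [explain(d) for d in drops]
    report += [f"{p}: IKE succeeded, L2TP control connection started"
               for p in sorted(l2tp_peers)]
    for pid, mism in sorted(leftovers.items()):
        report.append(f"isakmpd[{pid}]: rejected {len(mism)} attribute(s) "
                      "but accepted another proposal from the peer")
    return report


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Feed it the output of `grep -e isakmpd -e l2tpd /var/log/messages` to get the same grouping for a real gateway.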
Re: Access old PPTP behind OpenBSD 6.1
You need to have a redirect rule to the PPTP server for the GRE protocol. However, you'll only have one VPN session at the same time.

On 05/09/17 08:06, Lars Bonnesen wrote:
Yes... I know... Don't run MS PPTP, and that is why I am implementing OpenBSD. Until OpenVPN is fully installed on every client, I need to provide access to PPTP during the transition. I don't know what to use in pf.conf though. I have tried everything that I find logical. In sysctl.conf I have added:
net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1
Let's say that the OpenBSD public IP is 1.2.3.4, local IP 10.77.1.2 and LAN is 10.77.1.0/24 - PPTP server is 10.77.1.106
How would my PPTP lines look in pf.conf? Help is greatly appreciated. Regards, Lars.
Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session
On 02/01/2017 03:41 PM, Erling Westenvik wrote:
I have an OpenBSD 5.9 server at a colocation. It stopped accepting new connections (ping, ssh, http, whatever) yesterday night but fortunately I had one ssh session open from my workstation from which I can still access it.
Did you think about creating a second sshd instance on another port and starting it in debug mode?
Re: IPSEC from behind NAT stage 2 failure
On 02/01/2017 10:21 PM, Yury Shefer wrote:
Your behind-NAT IPsec client should use the external IP (78.111.187.234) as IKE identifier (IDi/initiator id) to be able to establish the SA. IMHO, the better option for your remote clients would be the use of a different ID type like ID_RFC822_ADDR.
Thanks for your answer. Could you explain better how I can do this, because I don't see any settings in the native Windows VPN client to specify the current external IP. Moreover, what to do if this is a road warrior case and the external IP changes each time for every client?
Re: IPSEC from behind NAT stage 2 failure
On 12/06/2016 11:04 AM, Florian Ermisch wrote:
And I guess that's the problem: the client goes "hi I'm 10.1.1.58 and I'd like to connect" and isakmpd doesn't know any 10.1.1.58. IKEv1 is very picky about those things: when it doesn't expect an ID, no peer presenting one will be allowed to connect, AFAIK. Maybe adding local/peer or srcid/dstid will help. You can try using the client's current local IP of 10.1.1.58 as the ID to expect.
Hi folks, I'm faced with the same issue. Here are my details.
1) Win7 which is behind a 3G wireless router (192.168.5.250)
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
Physical Address. . . . . . . . . : 00-1F-00-12-00-91
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.5.88(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.250
DNS Servers . . . . . . . . . . . : 192.168.5.250
NetBIOS over Tcpip. . . . . . . . : Enabled
A "my IP" lookup in the browser gives me 78.111.187.234 as my real public IP on the Internet.
VPN connection details: Security: L2TP, Advanced settings: Use preshared key (the one from ipsec.conf), Data encryption: Require encryption, Authentication: Allow CHAP, MS-CHAP v2
2) OpenBSD side.
ipsec.conf:
ike passive esp transport \
    proto udp from any to any port 1701 \
    main auth hmac-sha1 enc aes group modp2048 \
    quick auth hmac-sha1 enc 3des \
    psk "secret"
pf.conf:
set skip on { lo0, tun0 }
pass in on $ext_if inet proto udp from any to re1 port { 1701, 500, 4500 }
pass in on $ext_if proto { esp, ah } from any to re1
pass on enc0 from any to any keep state (if-bound)
npppd.conf:
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on 195.68.x.y
}
ipcp IPCP {
    pool-address 192.168.222.2-192.168.222.254
    dns-servers 192.168.8.254
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
3) Action. I start npppd, isakmpd and apply ipsecctl -f /etc/ipsec.conf and then connect from the Win7 client.
# npppd -d
2017-02-01 13:28:10:NOTICE: Starting npppd pid=2226 version=5.0.0
2017-02-01 13:28:10:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
2017-02-01 13:28:10:INFO: tun0 Started ip4addr=192.168.222.1
2017-02-01 13:28:10:INFO: ipcp=IPCP pool dyn_pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32] pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32]
2017-02-01 13:28:10:INFO: Added 13 routes for new pool addresses
2017-02-01 13:28:10:INFO: Loading pool config successfully.
2017-02-01 13:28:10:INFO: l2tpd Listening 195.68.x.y:1701/udp (L2TP LNS) [L2TP]
# isakmpd -Kdv
133951.389348 Default isakmpd: starting [priv]
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 195.68.x.y, src: 195.68.x.y dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.x.y
134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
^C134045.852435 Default isakmpd: shutting down...
134045.852621 Default isakmpd: exit
# tcpdump -i re1 -nvvv host 78.111.187.234
tcpdump: listening on re1, link-type EN10MB
13:40:07.820658 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT cookie: f226e0502ef70be5-> msgid: len: 384 payload: SA len: 212 [|isakmp] (ttl 123, id 6811, len 412)
13:40:07.821374 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT cookie: f226e0502ef70be5->377d76144ad08a15 msgid: len: 188 payload: SA len: 60 [|isakmp] (ttl 64, id 32899, len 216, bad ip cksum 0! -> 676d)
13:40:08.007137 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT cookie: f226e0502ef70be5->377d76144ad08a15 msgid: len: 388 payload: KEY_EXCH len: 260 [|isakmp] (ttl 123, id 6812, len 416)
13:40:08.045493 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT cookie: f226e0502ef70be5->377d76144ad08a15 msgid: len: 388 payload: KEY_EXCH len: 260 [|isakmp] (ttl 64, id 11204, len 416, bad ip cksum 0! -> bb64)
13:40:08.193866 78.111.187.234.4500 > 195.68.x.y.4500: udpencap: isakmp v1.0 exchange ID_PROT encrypted cookie: f226e0502ef70be5->377d76144ad08a15 msgid: len: 76 (ttl 122, id 6815,
Re: Skype issue with office behind PF
On 01/28/2017 12:13 PM, Stuart Henderson wrote:
On 2017-01-27, lilit-aibolit<lilit-aibo...@mail.ru> wrote:
Hi list, I have an office behind NAT with PF. There are mostly Win7 workstations with different Skype versions, but mostly with 7.3x or the latest versions. Two days ago every Skype call started to drop after a few seconds without any voice from the opposite side. I contacted Skype support, who remotely looked at the affected machines and after a while resolved this by installing version 7.15. However, there is no trouble with Skype when using it from other places or from a personal 3G hotspot connection, so I suspect there may be an issue with PF which somehow doesn't fit how the latest Skype versions work. Any thoughts about that?
They might be sending packets which are passed by some NAT devices but not by PF. Use "log" on your block rules and watch pflog0, see if something is being blocked.
tcpdump -n -e -i pflog0
Hi and thanks for your answer. It turned out that the latest Skype version tries to reach a host in the 104.44.200.x network using UDP port 3480, which was blocked in my pf.conf. The above network belongs to Microsoft. So this could be used as a trick to block voice in Skype)
Skype issue with office behind PF
Hi list, I have an office behind NAT with PF. There are mostly Win7 workstations with different Skype versions, but mostly with 7.3x or the latest versions. Two days ago every Skype call started to drop after a few seconds without any voice from the opposite side. I contacted Skype support, who remotely looked at the affected machines and after a while resolved this by installing version 7.15. However, there is no trouble with Skype when using it from other places or from a personal 3G hotspot connection, so I suspect there may be an issue with PF which somehow doesn't fit how the latest Skype versions work. Any thoughts about that?
Re: Build a new kernel for apcupsd
On 10/25/2016 04:47 PM, Stephen Bertoni wrote:
Have you tried this instead?
root@...[~]config -e -o /bsd.new /bsd
OpenBSD 5.9-stable (GENERIC) #0: Thu May 7 23:16:45 CEST 2015
    root@...***.org:/usr/src/sys/arch/i386/compile/GENERIC
Enter 'help' for information
ukc> disable upd
458 upd* disabled
ukc> disable uhidev
395 uhidev* disabled
ukc> quit
Saving modified kernel.
root@...[~]mv /bsd /bsd.old
root@...[~]mv /bsd.new /bsd
root@...[~]chmod -x /bsd
root@...[~]reboot
Steve
Hi Steve, I'm worried that I won't be able to use my USB keyboard after this.
Re: Build a new kernel for apcupsd
On 10/20/2016 07:25 PM, Stuart Henderson wrote:
On 2016-10-20, lilit-aibolit<lilit-aibo...@mail.ru> wrote:
Hi list. In recent OpenBSD versions USB devices are attached to the upd driver. This is why apcupsd doesn't detect APC USB devices. After installing apcupsd there is a statement on how to deal with the above situation:
...
The option with fewest side-effects is to add the following entries to the table in /sys/dev/usb/usb_quirks.c and build a new kernel:
{ USB_VENDOR_APC, USB_PRODUCT_APC_UPS, ANY, { UQ_BAD_HID }},
{ USB_VENDOR_APC, USB_PRODUCT_APC_UPS5G, ANY, { UQ_BAD_HID }},
Alternatively, if you do not use a USB keyboard/mouse, you could simply disable the upd and uhid drivers. The following line creates a new kernel with the relevant changes:
printf 'disable uhid\ndisable upd\nquit\n' | config -e -o /bsd.no-uhid /bsd
...
The second option isn't suitable because I have a USB keyboard and on very rare occasions it's used to fix something locally. So regardless of the undefined "fewest side-effects" I have to use the first option and build a new kernel. I downloaded and extracted src.tar.gz and sys.tar.gz into /usr/src. Then I modified the usb_quirks.c file and added the specified lines into the usb_quirks[] table.
See the "Build and install a new kernel" step in release(8).
Then I've read faq5.html and man config but didn't get a clue how to build a new kernel with the applied changes in the usb_quirks.c file. In the config man page there is a statement that "Most people save their backup kernels as //bsd.1/, //bsd.2/, etc." I'd also like to know how to save my current kernel
cp(1)
and how to switch between the new and old ones in case of some troubles with the new kernel.
at the boot-loader prompt, you can type "boot bsd.1"
Hi and thanks for your answer.
I followed the steps in release(8) and executed:
# cd /usr/src/sys/arch/i386/conf/
# config GENERIC.MP
# cd ../compile/GENERIC.MP/
# make clean && make
However the size of my current kernel is exactly the same as the just built one:
# ls -la /bsd
-rw-r--r-- 1 root wheel 10628645 May 5 2015 /bsd
# ls -la ./bsd
-rwxr-xr-x 1 root wsrc 10628645 Oct 21 11:24 ./bsd
Is that the expected result, and does the new kernel include the changes in usb_quirks.c?
Build a new kernel for apcupsd
Hi list. In recent OpenBSD versions USB devices are attached to the upd driver. This is why apcupsd doesn't detect APC USB devices. After installing apcupsd there is a statement on how to deal with the above situation:
...
The option with fewest side-effects is to add the following entries to the table in /sys/dev/usb/usb_quirks.c and build a new kernel:
{ USB_VENDOR_APC, USB_PRODUCT_APC_UPS, ANY, { UQ_BAD_HID }},
{ USB_VENDOR_APC, USB_PRODUCT_APC_UPS5G, ANY, { UQ_BAD_HID }},
Alternatively, if you do not use a USB keyboard/mouse, you could simply disable the upd and uhid drivers. The following line creates a new kernel with the relevant changes:
printf 'disable uhid\ndisable upd\nquit\n' | config -e -o /bsd.no-uhid /bsd
...
The second option isn't suitable because I have a USB keyboard and on very rare occasions it's used to fix something locally. So regardless of the undefined "fewest side-effects" I have to use the first option and build a new kernel. I downloaded and extracted src.tar.gz and sys.tar.gz into /usr/src. Then I modified the usb_quirks.c file and added the specified lines into the usb_quirks[] table. Then I've read faq5.html and man config but didn't get a clue how to build a new kernel with the applied changes in the usb_quirks.c file. In the config man page there is a statement that "Most people save their backup kernels as //bsd.1/, //bsd.2/, etc." I'd also like to know how to save my current kernel and how to switch between the new and old ones in case of some troubles with the new kernel.
Re: Change MTU for IPSec
On 04/25/2016 06:13 PM, Marc Peters wrote:
On 04/25/16 at 16:00, lilit-aibolit wrote:
Hi list. I have a typical site-to-site IPsec tunnel. On rare occasions users get an infinite loop in their browser while opening web sites at the opposite endpoint, while at the same time ping works well from one network to the other. An SSH connection to remote hosts looks like you're almost logged in, but it freezes and you can only interrupt the connection.
I had similar issues some years ago with branch offices and a simple
"""
match in all scrub (random-id no-df)
"""
in the /etc/pf.conf on each host solved this for me (the no-df part was the important bit). HTH, Marc
Thanks for your answer. I already have this line in pf.conf on all machines:
>>match in all scrub (no-df)<<
Change MTU for IPSec
Hi list. I have a typical site-to-site IPsec tunnel. On rare occasions users get an infinite loop in their browser while opening web sites at the opposite endpoint, while at the same time ping works well from one network to the other. An SSH connection to remote hosts looks like you're almost logged in, but it freezes and you can only interrupt the connection. As I understand it, IPsec sets the Don't Fragment bit, but during maintenance (or something else) of intermediate gateways on the Internet providers' side it could happen that the MTU on those gateways is lower than IPsec uses, and such gateways don't reply with ICMP unreachable messages, so IPsec gets stuck at this point. Is it possible to resolve this manually by changing (reducing) the MTU for IPsec packets?
Re: sensorsd, upd, and state changes
I've tried to change low=1:high=2 to low=0:high=0 but I haven't got the *Off* current state for this sensor from sensorsd:
- hw.sensors.upd0.indicator2=On (ACPresent), OK
Even with AC disconnected sensorsd reports that ACPresent is *On*, however when I look at
- sysctl hw.sensors.upd0.indicator2
it reports that ACPresent is *Off*, so I decided not to rely on sensorsd logic and placed my own script in cron, executing it every minute.

#!/bin/sh
# A lock file means an outage is already being handled by another run.
if [ -f /tmp/powerout.lock ]; then
    exit 0
fi

# True while the UPS reports ACPresent=On (the value starts at column 28).
ACstatus () {
    sysctl hw.sensors.upd0.indicator2 | cut -c28-29 | grep -q "On" > /dev/null
}

i=0
if ACstatus ; then
    exit 0
else
    logger -t UPS "AC has been disconnected"
    touch /tmp/powerout.lock
    /usr/local/bin/mutt -s "Power outage in office" -- ad...@example.com < /root/powerout
    # Re-check once a minute; shut down if power is still out after 5 minutes.
    while [ $i -lt "360" ]
    do
        i=$((i+60))
        sleep 60
        if ACstatus ; then
            logger -t UPS "AC has been connected again after ${i} seconds."
            /usr/local/bin/mutt -s "Power returned in office" -- ad...@example.com
            rm -rf /tmp/powerout.lock
            exit 0
        else
            if [ "$i" -eq "300" ]; then
                /usr/local/bin/mutt -s "No power for 5 min. System is shutting down now." -- ad...@example.com
                logger -t UPS "System is shutting down now."
                shutdown -hp +0
            fi
        fi
    done
fi
Re: sensorsd, upd, and state changes
Hi list, why don't I have an extra line in the output with sensor upd0.percent1 (RemainingCapacity)? Is it related to the model of my UPS?
# usbdevs | grep UPS
addr 4: Back-UPS ES 525 FW:851.t3.I USB FW:t3, American Power Conversion
# sysctl hw.sensors
hw.sensors.upd0.indicator0=Off (Charging), OK
hw.sensors.upd0.indicator1=Off (Discharging), OK
hw.sensors.upd0.indicator2=On (ACPresent), OK
hw.sensors.upd0.indicator3=On (BatteryPresent), OK
hw.sensors.upd0.indicator4=Off (ShutdownImminent), OK
hw.sensors.upd0.percent0=100.00% (FullChargeCapacity), OK
# tail /var/log/messages | grep upd
Feb 25 12:59:27 gw sensorsd[2261]: upd0.percent1: 0.00%, UNKNOWN
Feb 25 13:45:43 gw sensorsd[13167]: upd0.percent1: 0.00%, UNKNOWN
Re: APC UPS & sensorsd - how?
On 03/22/2015 05:44 PM, T. Ribbrock wrote:
Then, I re-applied power, but that, too, was never flagged by sensorsd. For some reason, it looks like sensorsd only ever detects a status change (for these rules) when it gets started - but not afterwards. Regards, Thomas
Have you succeeded in getting a status change while sensorsd is running?
Re: fsck_ffs mystic
On 02/15/2016 04:43 PM, Josh Grosse wrote:
On 2016-02-15 09:08, lilit-aibolit wrote:
On 02/15/2016 04:03 PM, Josh Grosse wrote:
See the words "NO WRITE" in that message? This happens because you are attempting to fsck(8) a *mounted* file system.
Yes, it's true. But I can't unmount /var under a normal boot. And then why haven't the errors been fixed or even detected in single mode, where partitions are unmounted?
When you are in a normal multi-user boot, daemons are running with files open in /var, and in particular /var/run. The warnings you get from fsck(8) relate to all of these open files. Your filesystem was repaired, and is now working properly. You are only seeing these messages because you are running fsck(8) against a mounted filesystem with open files.
Thank you. This is definitely the case then. I didn't know that fsck could produce fake errors while running on a mounted fs.
Re: fsck_ffs mystic
On 02/15/2016 04:03 PM, Josh Grosse wrote:
On 2016-02-15 07:57, lilit-aibolit wrote:
Hi list. After an unclean shutdown I booted in single user mode by typing "boot -s". I executed "fsck -fp" and "fsck -fy" a few times and got no problem, see the screenshot here: http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg
But after reboot with a normal login I got the following. How can I fix the errors and why aren't they fixed in single mode?
# fsck_ffs -f /dev/sd0e
** /dev/rsd0e (NO WRITE)
See the words "NO WRITE" in that message? This happens because you are attempting to fsck(8) a *mounted* file system.
Yes, it's true. But I can't unmount /var under a normal boot. And then why haven't the errors been fixed or even detected in single mode, where partitions are unmounted?
fsck_ffs mystic
Hi list. After an unclean shutdown I booted in single user mode by typing "boot -s". I executed "fsck -fp" and "fsck -fy" a few times and got no problem, see the screenshot here: http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg
But after reboot with a normal login I got the following. How can I fix the errors and why aren't they fixed in single mode?
# fsck_ffs -f /dev/sd0e
** /dev/rsd0e (NO WRITE)
** Last Mounted on /var
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=3663757 (4 should be 0)
CORRECT? no
** Phase 2 - Check Pathnames
UNALLOCATED I=415876 OWNER=_ups MODE=100644 SIZE=5 MTIME=Feb 15 14:40 2016 FILE=/db/nut/upsd.pid
REMOVE? no
UNALLOCATED I=415958 OWNER=_nfcapd MODE=100644 SIZE=6 MTIME=Feb 15 14:40 2016 FILE=/www/var/db/nfsen/run/p.pid
REMOVE? no
UNALLOCATED I=432062 OWNER=_nfcapd MODE=100644 SIZE=6 MTIME=Feb 15 14:40 2016 FILE=/www/var/db/nfsen/run/nfsend.pid
REMOVE? no
UNALLOCATED I=432064 OWNER=_nfcapd MODE=140755 SIZE=0 MTIME=Feb 15 14:40 2016 FILE=/www/var/db/nfsen/run/nfsen.comm
REMOVE? no
UNALLOCATED I=432034 OWNER=_nfcapd MODE=100644 SIZE=0 MTIME=Feb 15 14:40 2016 FILE=/www/var/db/nfsen/profiles-data/live/upstream1/nfcapd.current
REMOVE? no
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE I=2468495 OWNER=root MODE=100444 SIZE=15177 MTIME=Feb 15 14:13 2016
CLEAR? no
UNREF FILE I=3663757 OWNER=root MODE=100600 SIZE=0 MTIME=Feb 15 14:41 2016
CLEAR? no
** Phase 5 - Check Cyl groups
SUMMARY INFORMATION BAD
SALVAGE? no
BLK(S) MISSING IN BIT MAPS
SALVAGE? no
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? no
82047 files, 4617855 used, 10860496 free (39552 frags, 1352618 blocks, 0.3% fragmentation)
ipsec between three networks
Hi list. Currently I'm using a simple config to connect two networks over the Internet; ipsec.conf from the $net2 side looks like this:

net1 = "{ 192.168.1.0/24, 192.168.11.0/24 }"
net2 = "{ 192.168.2.0/24, 192.168.22.0/24, 192.168.33.0/24 }"

flow esp from $net2 to $net1 peer x.x.x.x
esp from y.y.y.y to x.x.x.x spi 0xdeadbeef:0xbeefdead \
	auth hmac-sha2-512 enc blowfish \
	authkey file "/root/akey.local:/root/akey.remote" \
	enckey file "/root/ekey:/root/ekey"

Suppose I have a third endpoint in the Internet with public IP z.z.z.z and network 192.168.3.0/24. What is the way to establish an extra tunnel with the third endpoint? I need to be able to reach the $net1 and $net2 networks from $net3, which is 192.168.3.0/24, and vice versa. Is it enough to create a tunnel between $net3 and $net2 to reach $net1 from $net3, or do I need to set up two tunnels on each endpoint? I doubt that such a config works:

net1 = "{ 192.168.1.0/24, 192.168.11.0/24 }"
net2 = "{ 192.168.2.0/24, 192.168.22.0/24, 192.168.33.0/24 }"
net3 = "{ 192.168.3.0/24 }"

flow esp from $net2 to $net1 peer x.x.x.x
esp from y.y.y.y to x.x.x.x spi 0xdeadbeef:0xbeefdead \
	auth hmac-sha2-512 enc blowfish \
	authkey file "/root/akey.local:/root/akey.remote" \
	enckey file "/root/ekey:/root/ekey"

flow esp from $net2 to $net3 peer z.z.z.z
esp from y.y.y.y to z.z.z.z spi 0xdeadbeef:0xbeefdead \
	auth hmac-sha2-512 enc blowfish \
	authkey file "/root/akey.local3:/root/akey.remote3" \
	enckey file "/root/ekey3:/root/ekey3"
Re: openbsd's complete packages size
On 05/06/2015 02:26 PM, elvis wrote:
> Hi guys, I'd like to know the size of the whole packages, in particular for the i386 architecture. I really don't know where to get this info! Thanks!
> Sent from my Movistar BlackBerry.

Download them :)
Re: dhcpd log issues
On 11/07/2014 12:48 PM, Marc Peters wrote:
> Hi misc@,
>
> after upgrading our pair of dhcpd servers to 5.6(-stable), I am seeing strange DHCPACKs in our logs (in both of them):
>
> Nov  7 09:28:34 dhcpd2 dhcpd[9269]: DHCPINFORM from 192.168.20.251
> Nov  7 09:28:34 dhcpd2 dhcpd[9269]: DHCPACK on null address to 5c:51:4f:56:81:c3 via em0
>
> The entries in the leases file are correct and the clients are getting the right addresses, so this seems merely a logging issue to me.
>
> dmesg dhcpd1 (kvm-host):
>
> Cheers,
> Marc

Hi, same here. I also found this discussion about the null address: https://lists.isc.org/pipermail/dhcp-users/2008-May/006266.html

Mar 10 17:00:49 gw56 dhcpd[2020]: Listening on rum0 (10.10.10.1).
Mar 10 17:01:04 gw56 dhcpd[11367]: DHCPDISCOVER from 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPOFFER on 10.10.10.100 to 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPREQUEST for 10.10.10.100 from 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPACK on 10.10.10.100 to 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:11 gw56 dhcpd[11367]: DHCPINFORM from 10.10.10.100
Mar 10 17:01:11 gw56 dhcpd[11367]: DHCPACK on null address to 00:1f:3b:12:93:91 via rum0

# cat /etc/dhcpd.conf
subnet 10.10.10.0 netmask 255.255.255.0 {
	option routers 10.10.0.1;
	option domain-name kh.ektos;
	option domain-name-servers 10.10.0.1;
	max-lease-time 604800;
	default-lease-time 604800;
	range 10.10.10.100 10.10.10.200;
}

# uname -a
OpenBSD gw56 5.6 GENERIC.MP#299 i386
Re: How to Selectively route DESTINATIONS via wan1_gw and via wan2_gw
On 01/14/2015 07:19 AM, Indunil Jayasooriya wrote:
> Hi misc,
>
> I have an /etc/ip_list1 file containing some destinations. The format of /etc/ip_list1 is given below.
>
> 1.2.3.4
> 1.6.3.0/24
>
> I want to route ALL DESTINATIONS listed in /etc/ip_list1 via wan1_gw. The rest of the traffic I want to route via wan2_gw.
>
> I have enabled the things below in the sysctl.conf file (including multipath routing)
>
> net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of IPv4 packets
> #net.inet.ip.mforwarding=1	# 1=Permit forwarding (routing) of IPv4 multicast packets
> net.inet.ip.multipath=1		# 1=Enable IP multipath routing
> net.inet.icmp.rediraccept=1	# 1=Accept ICMP redirects
>
> my 2 gateways
>
> wan1_gw= 192.168.2.100
> wan2_gw= 192.168.1.1
>
> my hostname.xxx files look like these.
>
> my wan1 interface
> # cat /etc/hostname.rl0
> inet 192.168.2.35 255.255.255.0
> !route add -mpath default 192.168.2.100
>
> my wan2 interface
> # cat /etc/hostname.rl1
> inet 192.168.1.11 255.255.255.0
> !route add -mpath default 192.168.1.1
>
> my lan interface
> # cat /etc/hostname.bge0
> inet 192.168.100.208 255.255.255.0
>
> my pf.conf file looks like this.
>
> # macros
> int_if=bge0
> wan1_if=rl0
> wan2_if=rl1
> lan_net=192.168.100.0/24
> #lan_net=192.168.101.0/24
> wan1_gw= 192.168.2.100
> wan2_gw= 192.168.1.1
> table <ip_list1> persist file "/etc/ip_list1"
>
> # options
> set block-policy return
> set loginterface $wan1_if
> set skip on lo
>
> #THIS IS THE RULE TO ROUTE VIA WAN1_GW
> pass out quick log from any to <ip_list1> route-to ($wan1_if $wan1_gw)
>
> # match rules
> match out on $wan1_if from $lan_net nat-to ($wan1_if)
> match out on $wan2_if from $lan_net nat-to ($wan2_if)
>
> # filter rules
> block in log
> #block out log
> pass out quick log
> antispoof quick for { lo $int_if }
> pass in log inet proto icmp all icmp-type $icmp_types
>
> I still can NOT traceroute to destinations in /etc/ip_list1 via wan1_gw and the rest via wan2_gw
>
> How to achieve this goal?

Hi, I've snipped the full rule set to show the needed lines, hope this will help you. I'm sure that I didn't enable multipath. /etc/mygate contains either the A or the B gw address.

In case you won't achieve policy based routing with this example I'll send you the full pf.conf that has worked well for years.

ext_if_a = xl0
ext_gw_a = 195.26.92.129
ext_if_b = fxp1
ext_gw_b = 188.230.122.53
int_if = fxp0

table <lan> { 192.168.16.0/24 }
table <mail> { 192.168.16.5 }

match out on $ext_if_a inet proto tcp from <lan> to !<lan> nat-to $ext_if_a
match out on $ext_if_b inet from <lan>, to !<lan> nat-to $ext_if_b

pass in on $int_if inet proto tcp from <mail> to any port { www, smtp, https, smtps } route-to ($ext_if_a $ext_gw_a)
pass in on $int_if inet proto tcp from <lan> to any route-to ($ext_if_b $ext_gw_b)
pass out inet from $ext_if_a route-to ($ext_if_a $ext_gw_a)
pass out inet from $ext_if_b route-to ($ext_if_b $ext_gw_b)
pass out on { $ext_if_a, $ext_if_b }
IPSec stopped working accidently
Hi list. I have two gateways which had been working fine for two years. And suddenly I couldn't reach the remote network behind both gateways from the other side. Nothing changed in the configs. Both gateways seem to work as expected except the VPN. Both gateways have an identical setup like this. How to debug it and where can the trouble be?

# ifconfig
em0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:18:7d:0e:f5:34
	priority: 0
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
	inet 192.168.5.254 netmask 0xffffff00 broadcast 192.168.5.255
em1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:18:7d:0e:f5:33
	priority: 0
	groups: egress
	media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
	status: active
	inet 194.106.218.98 netmask 0xfffffffc broadcast 194.106.218.99
enc0: flags=0<>
	priority: 0
	groups: enc
	status: active
vlan0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:18:7d:0e:f5:34
	priority: 0
	vlan: 2 parent interface: em0
	groups: vlan
	status: active
	inet 192.168.223.1 netmask 0xffffff00 broadcast 192.168.223.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	priority: 0
	groups: tun
	status: active
	inet 192.168.99.1 --> 192.168.99.2 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
	priority: 0
	groups: pflog

# cat /etc/ipsec.conf
# $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

tlv = "{ 192.168.2.0/24, 192.168.88.0/24 }"
tlk = "{ 192.168.5.0/24, 192.168.99.0/24, 192.168.66.0/24 }"

flow esp from $tlk to $tlv peer 92.246.22.143
#flow esp from 194.106.218.98 to 192.168.2.0/24 peer 92.246.22.143

esp from 194.106.218.98 to 92.246.22.143 spi 0xdeadbeef:0xbeefdead \
	auth hmac-sha2-512 enc blowfish \
	authkey file "/root/akey.local:/root/akey.remote" \
	enckey file "/root/ekey:/root/ekey"

# ls -la /root/akey*
-rw-------  1 root  wheel  128 Jul  2  2012 /root/akey.local
-rw-------  1 root  wheel  128 Jul  2  2012 /root/akey.remote
# ls -la /root/ekey
-rw-------  1 root  wheel  40 Jul  2  2012 /root/ekey

# cat /etc/pf.conf | grep esp
pass in on $ext_if proto esp from <tlv_gw> to em1
pass out on $ext_if proto esp from em1 to <tlv_gw>

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.88.0/24 to 192.168.66.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.66.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.66.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.66.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.88.0/24 to 192.168.99.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.99.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.99.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.99.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.88.0/24 to 192.168.5.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.5.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.5.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.5.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require

SAD:
esp tunnel from 92.246.22.143 to 194.106.218.98 spi 0xbeefdead auth hmac-sha2-512 enc blowfish
esp tunnel from 194.106.218.98 to 92.246.22.143 spi 0xdeadbeef auth hmac-sha2-512 enc blowfish

# netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.88/24      0     192.168.66/24      0     0      92.246.22.143/esp/require/in
192.168.66/24      0     192.168.88/24      0     0      92.246.22.143/esp/require/out
192.168.2/24       0     192.168.66/24      0     0      92.246.22.143/esp/require/in
192.168.66/24      0     192.168.2/24       0     0      92.246.22.143/esp/require/out
192.168.88/24      0     192.168.99/24      0     0      92.246.22.143/esp/require/in
192.168.99/24      0     192.168.88/24      0     0      92.246.22.143/esp/require/out
192.168.2/24       0     192.168.99/24      0     0      92.246.22.143/esp/require/in
192.168.99/24      0     192.168.2/24       0     0      92.246.22.143/esp/require/out
192.168.88/24      0     192.168.5/24       0     0      92.246.22.143/esp/require/in
192.168.5/24       0     192.168.88/24      0     0      92.246.22.143/esp/require/out
192.168.2/24       0     192.168.5/24       0     0      92.246.22.143/esp/require/in
192.168.5/24       0     192.168.2/24       0     0      92.246.22.143/esp/require/out

# cat /etc/sysctl.conf | grep -v ^#
net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of IPv4 packets
net.inet.esp.enable=1
Re: IPSec stopped working accidently
On 08/18/2014 12:40 PM, lilit-aibolit wrote:
> Hi list.

When I start a ping from the 192.168.2.0/24 network to 192.168.5.0/24:

C:\Users\user>ping 192.168.5.251 -t

Pinging 192.168.5.251 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

I get packets on the gateway on the 2.0/24 side:

# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
17:46:36.966932 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)
17:46:41.965424 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)

and I get packets on the gateway on the 5.0/24 side:

# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
18:45:10.581652 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)
18:45:10.581898 (authentic,confidential): SPI 0xdeadbeef: 192.168.5.251 > 192.168.2.25: icmp: echo reply (encap)

Does it mean that the VPN tunnel works somehow and host 192.168.5.251 replies to the ping, but the first gateway doesn't get that reply from 192.168.5.251?
Unable to stop nfsen
# ps -ax | grep nfsen | grep -v grep
16371 ??  I        0:27.89 /usr/local/bin/nfcapd -w -D -p -u _nfcapd -g www -B 20 -S 1 -P /var/db/nfsen/r
 1333 ??  Is       2:17.70 perl: /usr/local/bin/nfsend-comm (perl)
 6030 ??  Is      63:05.79 /usr/bin/perl -w /usr/local/bin/nfsend
19674 ??  I        0:00.01 /usr/local/bin/nfexpire -Y -p -e /var/db/nfsen/profiles-data/./live -w 90 -s 1073741824
# /etc/rc.d/nfsen stop
..long time here..
nfsen(failed)
# grep nf /var/log/daemon
Jun  4 13:13:06 gw nfcapd[16371]: ioctl(F_WRLCK) error in nfstatfile.c line 338: Interrupted system call
Jun  4 13:13:06 gw nfcapd[16371]: Terminating nfcapd.
# ps -ax | grep nfsen | grep -v grep
 1333 ??  Is       2:17.82 perl: /usr/local/bin/nfsend-comm (perl)
 6030 ??  Is      63:05.79 /usr/bin/perl -w /usr/local/bin/nfsend
19674 ??  I        0:00.01 /usr/local/bin/nfexpire -Y -p -e /var/db/nfsen/profiles-data/./live -w 90 -s 1073741824

What should I do to stop or restart it?
Re: Get statistics of websites visited without proxy/squid
On 04/25/2014 06:18 PM, James Records wrote:
> I posted this on reddit a while back, I've been doing this on pfsense for a while, don't see why it wouldn't work with OBSD:
>
> http://www.reddit.com/r/PFSENSE/comments/1vn51f/monitoring_question_analysis_of_uris_by_ip_address/
>
> basically install httpry and do this:
>
> httpry -i em1 | grep 'GET\|POST' | logger
>
> Jim

Thank you. This is exactly what I've been looking for. I'll try to calculate the number of unique GET or POST requests per IP and that's all.

# httpry -i em0 -d -o /home/httpry/em0.log -u nobody -f timestamp,source-ip,host,method -m get,post 'tcp port 80'
# egrep 'GET|POST' em0.log | uniq | head -10
2014-04-28 12:27:03	192.168.5.32	pagestat.mmi.bemobile.ua	GET
2014-04-28 12:27:05	192.168.5.32	pbs.twimg.com	GET
2014-04-28 12:27:07	192.168.5.32	glavcom.ua	GET
2014-04-28 12:27:07	192.168.5.32	pagestat.mmi.bemobile.ua	GET
2014-04-28 12:27:07	192.168.5.32	ep01.irl.amz.nimbus.bitdefender.net	POST
2014-04-28 12:27:07	192.168.5.32	hq.nimbus.bitdefender.net	POST
2014-04-28 12:27:07	192.168.5.32	glavcom.ua	GET
2014-04-28 12:27:08	192.168.5.32	glavcom.ua	GET
2014-04-28 12:27:08	192.168.5.32	informers.ukr.net	GET
2014-04-28 12:27:08	192.168.5.32	glavcom.ua	GET
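The per-IP count the reply above says it will compute, as an added example that is not part of the thread: it reads an httpry log in the "timestamp,source-ip,host,method" layout and reports, per source IP, the raw request count and the number of distinct (host, method) pairs. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: count requests per source IP in an
# httpry log produced with "-f timestamp,source-ip,host,method -m get,post".
# Plain "uniq" on the raw log collapses nothing useful, because every line
# carries its own timestamp; distinct (host, method) pairs are counted here.

# Constructed sample in the shape of the thread's em0.log. Fields may be
# tab- or space-separated: awk's default splitting handles either, and the
# timestamp's date and time become $1 and $2, so ip=$3, host=$4, method=$5.
SAMPLE_LOG='2014-04-28 12:27:03 192.168.5.32 pagestat.mmi.bemobile.ua GET
2014-04-28 12:27:05 192.168.5.32 pbs.twimg.com GET
2014-04-28 12:27:07 192.168.5.32 glavcom.ua GET
2014-04-28 12:27:07 192.168.5.32 pagestat.mmi.bemobile.ua GET
2014-04-28 12:27:07 192.168.5.32 hq.nimbus.bitdefender.net POST
2014-04-28 12:27:08 192.168.5.32 glavcom.ua GET
2014-04-28 12:30:01 192.168.5.40 glavcom.ua GET
2014-04-28 12:30:02 192.168.5.40 glavcom.ua POST
2014-04-28 12:30:02 192.168.5.40 glavcom.ua POST'

# Read log lines on stdin; print "ip requests distinct_host_method_pairs",
# busiest IP first. Lines whose method is not GET or POST are ignored.
requests_per_ip() {
    awk '
    $5 == "GET" || $5 == "POST" {
        total[$3]++
        key = $3 SUBSEP $4 SUBSEP $5
        if (!(key in seen)) { seen[key] = 1; distinct[$3]++ }
    }
    END {
        for (ip in total) printf "%s %d %d\n", ip, total[ip], distinct[ip]
    }' | sort -k2,2nr -k1,1
}

# Summary line for one IP, or nothing if it never appeared.
# Usage: ... | ip_summary 192.168.5.32
ip_summary() {
    requests_per_ip | awk -v want="$1" '$1 == want { print; exit }'
}

# Demo over the constructed sample (for a real log: requests_per_ip < em0.log).
printf '%s\n' "$SAMPLE_LOG" | requests_per_ip
```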
Get statistics of websites visited without proxy/squid
Hi misc, I know this is not truly OpenBSD related, but I'd like to know if there is any possibility to collect such statistics. I'm using NAT with PF for my LAN and I don't have any proxy applications like squid. I have already started collecting traffic statistics with nfsen, but it collects only IPs. Is there any lightweight solution?
Find last month abbreviation
This works in Linux:

$ date --date="last month" +%b
Mar

In OpenBSD I tried

# MonthCurrent=`date +%m`
# MonthPrevious=`expr $MonthCurrent - 1`
# echo $MonthPrevious
3

But I need the month's abbreviation.
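An added example, not from the post, that does this in portable sh (OpenBSD's date(1) has no --date option) and also handles the January wrap and the "08"/"09" octal problem that the expr approach above runs into; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the post: previous month's abbreviation in
# portable sh, for OpenBSD's date(1), which has no --date option. It avoids
# two pitfalls of "expr $MonthCurrent - 1": January yields 0 instead of 12,
# and $(( )) in several shells rejects "08"/"09" as invalid octal numbers.

# Previous month as a number 1..12, from a month given as "01".."12".
prev_month_num() {
    m=${1#0}                        # "08" -> "8"; "12" stays "12"
    echo $(( (m + 10) % 12 + 1 ))   # 1 -> 12, 2 -> 1, ..., 12 -> 11
}

# C-locale abbreviation for a month number 1..12 (leading zero allowed).
# Returns 1 and prints nothing for anything outside that range.
month_abbr() {
    n=${1#0}
    case $n in
        [1-9]|1[0-2]) ;;
        *) return 1 ;;
    esac
    set -- Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
    shift $((n - 1))
    echo "$1"
}

# Year the previous month belongs to, given "YYYY" and "MM" (January rolls
# back to the previous year). Handy for naming monthly statistics files.
prev_month_year() {
    y=$1
    m=${2#0}
    if [ "$m" -eq 1 ]; then y=$((y - 1)); fi
    echo "$y"
}

# Abbreviation of the month before the given "MM" (default: this month).
prev_month_abbr() {
    cur=${1:-$(date +%m)}
    month_abbr "$(prev_month_num "$cur")"
}

# Example run: prints "Mar" when invoked in April, "Dec" in January.
prev_month_abbr
```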
Re: PF NAT statistic per month per IP
On 04/15/2014 09:51 PM, Stefan Sieg wrote:
> Hello,
>
> with the already mentioned netflow solution you will not see connections that are not expired. So you will not see long lived connections like vpn or ssh in your statistics at the appointed date.
>
> Maybe pf labels are for you ...
>
> lan = { 192.168.5.1, 192.168.5.2, }
>
> match out on $ext_if inet proto tcp to any received-on $int_if nat-to $ext_if
> pass in on $int_if inet proto tcp from $lan to any label $srcaddr \
>	tag LAN-INET
> pass out on $ext_if tagged LAN-INET
>
> With pfctl -s labels you will get this (the numbers are explained in the manpage)
>
> 192.168.5.1 57 0 0 0 0 0 0 0
> 192.168.5.2 37 0 0 0 0 0 0 0
> 192.168.5.37 37 1950 1318232 1094 1215437 856 102795 37
>
> pfctl -z clears the per rule statistics
>
> Greetings
> Stefan

Thanks for sharing this simple example. Is it true that I need to use lists/macros (and define all IPs from my /24 LAN there) in the _from_ statement? Because when I use tables:

table <admin> { 192.168.5.1, 192.168.5.20 }
table <lan> { 192.168.5.0/24 }
pass in on $int_if inet from <admin> to any label $srcaddr queue (manager, ack)
pass in on $int_if inet proto tcp from <lan> to any port $portstuff label $srcaddr queue (bulk, ack)

I got:

# pfctl -s labels
admin 3055 97 5125 49 2437 48 2688 17
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 3 152 3 152 0 0 1
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 74292 60498330 28705 5930177 45587 54568153 595
lan 1315 14227 3446348 7315 919595 6912 2526753 371
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
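The per-label accounting the thread above and the original question ("PF NAT statistic per month per IP") are after, as an added example that is not part of the thread: it sums the byte columns of "pfctl -s labels" per label, which matters when a table-based rule set prints the same label once per expanded rule, as in the output above. The function names and the sample rows are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: aggregate "pfctl -s labels" output per
# label. Column order as pfctl(8) prints it:
#   label evaluations packets bytes packets_in bytes_in packets_out bytes_out [states]
# Labels are assumed to contain no whitespace (IP addresses or table names,
# as in the thread).

# Constructed sample in the shape of the thread's listing: one row per rule,
# several rows sharing the label "lan" because a table, not $srcaddr per
# host, produced the label.
SAMPLE_LABELS='192.168.5.1 57 0 0 0 0 0 0 0
192.168.5.37 37 1950 1318232 1094 1215437 856 102795 37
lan 1315 3 152 3 152 0 0 1
lan 1315 74292 60498330 28705 5930177 45587 54568153 595
lan 1315 14227 3446348 7315 919595 6912 2526753 371'

# Read pfctl -s labels rows on stdin; print "label bytes bytes_in bytes_out"
# with every rule carrying that label summed, largest total first.
sum_bytes_per_label() {
    awk '
    NF >= 8 {
        total[$1] += $4; in_b[$1] += $6; out_b[$1] += $8
    }
    END {
        for (l in total)
            printf "%s %d %d %d\n", l, total[l], in_b[l], out_b[l]
    }' | sort -k2,2nr -k1,1
}

# Aggregated line for one label, or nothing if it is absent.
# Usage: ... | label_bytes lan
label_bytes() {
    sum_bytes_per_label | awk -v want="$1" '$1 == want { print; exit }'
}

# Demo over the constructed sample (for a live box: pfctl -s labels | sum_bytes_per_label).
printf '%s\n' "$SAMPLE_LABELS" | sum_bytes_per_label
```

Snapshot this before each monthly `pfctl -z`, since the counters are reset by it.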
Re: PF NAT statistic per month per IP
On 04/15/2014 05:34 PM, Peter N. M. Hansteen wrote:
> lilit-aibolit <lilit-aibo...@mail.ru> writes:
>
>> table <lan> { 192.168.5.0/24 }
>> match out on $ext_if inet proto tcp from <lan> to any nat-to em1
>> pass in on $int_if inet proto tcp from <lan> to any port
>> pass out on $ext_if inet proto tcp from em1 to any
>>
>> I'd like to know how much traffic specific IPs from <lan> consumed.
>
> export flow data via pflow, collect and make per IP address statistics from the collected flow data. See eg [1] to get started and add some minimal scriptery, you'll have just what you're looking for.
>
> [1] http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html

Thank you and others for pointing to pflow+nfsend. What I actually did is:

1) modify pf.conf:

set state-defaults pflow
table <lan> { 192.168.5.0/24 }
match out on $ext_if inet proto tcp from <lan> to any nat-to em1
pass in log on $int_if inet proto tcp from <lan> to any port
pass out on $ext_if inet proto tcp from em1 to any

2) add pflow if:

pflow0: flags=41<UP,RUNNING> mtu 1492
	priority: 0
	pflow: sender: 127.0.0.1 receiver: 127.0.0.1: version: 5
	groups: pflow

3) install and configure nfsend:

# pkg_add -i php nfsend
# grep -n1 upstream1 /etc/nfsen.conf
163-%sources = (
164:    'upstream1' => { 'port' => '', 'IP' => '127.0.0.1', 'col' => '#ff', 'type' => 'netflow' },
165-);

4) restart Apache, and finally I got the nfsend web page with content.

But I still didn't find a filter expression to get statistics only for my LAN's IPs:

** nfdump -M /var/db/nfsen/profiles-data/live/upstream1 -T -R 2014/04/16/nfcapd.201404161420:2014/04/16/nfcapd.201404161455 -n 20 -s srcip/bytes
nfdump filter:
NET 192.168.5.0/24
Top 20 Src IP Addr ordered by bytes:
Date first seen          Duration  Proto      Src IP Addr    Flows(%)     Packets(%)      Bytes(%)   pps     bps   bpp
2014-04-16 13:50:26.098  4076.001  any       192.168.5.78   271( 0.8)   116309( 9.3)  141.3 M(23.2)   28  277268  1214
2014-04-16 14:21:58.098  1175.000  any        8.20.213.65     9( 0.0)    29265( 2.3)   43.9 M( 7.2)   24  298620  1498
2014-04-16 14:30:20.098   809.000  any      54.230.94.189     1( 0.0)    25283( 2.0)   37.4 M( 6.1)   31  369475  1477
2014-04-16 14:25:33.098  1289.000  any        8.20.213.38     6( 0.0)    23279( 1.9)   34.9 M( 5.7)   18  216542  1498
2014-04-16 14:25:40.098   287.000  any       54.230.94.94     2( 0.0)    22579( 1.8)   33.5 M( 5.5)   78  933758  1483
2014-04-16 14:20:26.098  2276.001  any      192.168.2.245   241( 0.7)    86438( 6.9)   32.2 M( 5.3)   37  113079   372
2014-04-16 14:25:32.098  1184.000  any        8.19.240.41     2( 0.0)    16211( 1.3)   24.3 M( 4.0)   13  164228  1499
2014-04-16 14:00:46.098  2275.000  any    176.103.207.168     1( 0.0)   129597(10.4)   16.6 M( 2.7)   56   58232   127
2014-04-16 14:00:46.098  3456.001  any       192.168.5.14   110( 0.3)   132729(10.6)   16.1 M( 2.6)   38   37265   121
2014-04-16 14:43:06.098   704.000  any      178.63.72.144    38( 0.1)    10683( 0.9)   13.6 M( 2.2)   15  154907  1276
2014-04-16 14:21:01.098  2008.000  any        8.20.213.95     2( 0.0)     7481( 0.6)   11.2 M( 1.8)    3   44665  1498
2014-04-16 14:32:57.098   345.000  any       46.33.68.171     4( 0.0)     6014( 0.5)    8.9 M( 1.5)   17  206844  1483
2014-04-16 14:47:24.098    31.000  any        8.20.213.37     1( 0.0)     5945( 0.5)    8.9 M( 1.5)  191   2.3 M  1499
2014-04-16 13:50:38.098  4127.001  any       192.168.5.15  1593( 4.7)    79268( 6.3)    8.6 M( 1.4)   19   16727   108
2014-04-16 13:54:37.098  3825.001  any       46.118.77.60    74( 0.2)    61866( 4.9)    8.5 M( 1.4)   16   17689   136
2014-04-16 14:24:53.098  1041.000  any      46.149.185.47     2( 0.0)    37694( 3.0)    6.8 M( 1.1)   36   52527   181
2014-04-16 13:56:20.098  3785.001  any      192.168.5.254  6520(19.1)    12670( 1.0)    6.0 M( 1.0)    3   12672   473
2014-04-16 14:06:38.098  3052.001  any      68.232.35.139   132( 0.4)     5033( 0.4)    5.5 M( 0.9)    1   14292  1083
2014-04-16 14:14:12.098  1155.000  any      195.95.206.13     1( 0.0)     7084(
PF NAT statistic per month per IP
Hello misc. Please provide any hints on how to get the amount of Internet traffic per IP in the LAN for a period of one month. Suppose I have such simple rules to share the Internet connection for the lan:

table <lan> { 192.168.5.0/24 }
match out on $ext_if inet proto tcp from <lan> to any nat-to em1
pass in on $int_if inet proto tcp from <lan> to any port
pass out on $ext_if inet proto tcp from em1 to any

I'd like to know how much traffic specific IPs from <lan> consumed.
Re: Accept two vlans (Solved)
Martin, Christian, Kent thank you all for explanation. It was more than enough to understand things.
Accept two vlans
Hello misc. I'd like to set up guest Wi-Fi in my LAN and prevent it from accessing local resources. I have an OpenBSD gateway with an em NIC connected to the LAN. The LAN is based on switches with VLAN support. Suppose I have created two VLANs and added the ports from my network to vlan1 and the Wi-Fi AP to vlan2. What should I do on the gateway to accept traffic from both VLANs? Should there be different subnets in vlan1/2 or can it be the same?
Re: nut-2.7.1 (Solved)
On 07/30/2013 01:52 PM, Stuart Henderson wrote:
> On 2013-07-29, lilit-aibolit <lilit-aibo...@mail.ru> wrote:
>> Using existing bestuferrups.8 manual page, since 'asciidoc' was not found.
>> Using existing bestups.8 manual page, since 'asciidoc' was not found.
>> Using existing bestfcom.8 manual page, since 'asciidoc' was not found.
>> Using existing blazer.8 manual page, since 'asciidoc' was not found.
>> make: don't know how to make blazer_ser.8 (prerequisite of: all-am)
>> Stop in docs/man
>> *** Error 1 in docs (Makefile:511 'all-recursive')
>> *** Error 1 in /root/nut (Makefile:499 'all-recursive')
>
> I suspect that installing asciidoc might get you further here.

I have tried this way, but it doesn't help, same error after
# pkg_add asciidoc

But fortunately I solved my goal: build the new driver on 2.7.1 and use it on 2.6.5.
Full thread here: http://lists.alioth.debian.org/pipermail/nut-upsuser/2013-July/008507.html
nut-2.7.1
Does someone have a compiled i386 package for current nut? https://github.com/networkupstools/nut
Or a walkthrough on how to build it on 5.3. The reason for installing the development version is its added Riello UPS support. These are my steps:

# git clone https://github.com/networkupstools/nut.git
# pkg_add python-3.2.3p0 autoconf-2.69p0 automake-1.13.1
# ln -s /usr/local/bin/python3.2 /usr/local/bin/python
# cd nut
# ./autogen.sh
Regenerating Augeas ups.conf lens...
  File "./gen-nutupsconf-aug.py", line 72
    print dirPrefix
                  ^
SyntaxError: invalid syntax
Regenerating the USB helper files...
./autogen.sh[31]: cd: /root/nut/scripts/augeas/tools - No such file or directory
Calling autoreconf...
Provide an AUTOCONF_VERSION environment variable, please
# AUTOCONF_VERSION=2.69 ./autogen.sh
Regenerating Augeas ups.conf lens...
  File "./gen-nutupsconf-aug.py", line 72
    print dirPrefix
                  ^
SyntaxError: invalid syntax
Regenerating the USB helper files...
./autogen.sh[31]: cd: /root/nut/scripts/augeas/tools - No such file or directory
Calling autoreconf...
autoreconf-2.69: 'configure.ac' or 'configure.in' is required
Re: nut-2.7.1
On 07/29/2013 11:31 AM, Marios Makassikis wrote:
> ln -s /usr/local/bin/python3.2 /usr/local/bin/python

Thanks. It helped a bit, but now

# rm /usr/local/bin/python
# ln -s /usr/local/bin/python2.7 /usr/local/bin/python
# pwd
/root/nut
# export AUTOMAKE_VERSION=1.13.1
# export AUTOCONF_VERSION=2.69
# export CONFIGURE_STYLE=autoconf
# ./autogen.sh
Regenerating Augeas ups.conf lens...
Calling autoreconf...
/usr/local/bin/aclocal[35]: /usr/local/bin/aclocal-1.13.1: not found
autoreconf-2.69: aclocal failed with exit status: 127
Re: nut-2.7.1
On 07/29/2013 12:13 PM, lilit-aibolit wrote:
> On 07/29/2013 11:31 AM, Marios Makassikis wrote:
>> ln -s /usr/local/bin/python3.2 /usr/local/bin/python
>
> Thanks. It helped a bit, but now
>
> # rm /usr/local/bin/python
> # ln -s /usr/local/bin/python2.7 /usr/local/bin/python
> # pwd
> /root/nut
> # export AUTOMAKE_VERSION=1.13.1
> # export AUTOCONF_VERSION=2.69
> # export CONFIGURE_STYLE=autoconf
> # ./autogen.sh
> Regenerating Augeas ups.conf lens...
> Calling autoreconf...
> /usr/local/bin/aclocal[35]: /usr/local/bin/aclocal-1.13.1: not found
> autoreconf-2.69: aclocal failed with exit status: 127

corrected:

# pkg_add libtool asciidoc
libtool-2.4.2: ok
# ls -la /usr/local/bin/aclocal
aclocal  aclocal-1.13
# export AUTOMAKE_VERSION=1.13
# export AUTOCONF_VERSION=2.69
# export CONFIGURE_STYLE=autoconf
# ./autogen.sh
Calling autoreconf...
aclocal-1.13: warning: autoconf input should be named 'configure.ac', not 'configure.in'
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
aclocal-1.13: warning: autoconf input should be named 'configure.ac', not 'configure.in'
automake-1.13: warning: autoconf input should be named 'configure.ac', not 'configure.in'
configure.in:11: installing './config.guess'
configure.in:11: installing './config.sub'
configure.in:15: installing './install-sh'
configure.in:15: installing './missing'
automake-1.13: warning: autoconf input should be named 'configure.ac', not 'configure.in'
clients/Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
# ./configure --with-user=_ups --with-group=_ups

Configuration summary:
==

build serial drivers: yes
build USB drivers: yes
build SNMP drivers: no
build neon based XML driver: no
enable Avahi support: no
build Powerman PDU client driver: no
build IPMI driver: no
build Mac OS X meta-driver: no
enable SSL support: yes (OpenSSL)
enable libwrap (tcp-wrappers) support: no
enable libltdl (Libtool dlopen abstraction) support: no
build nut-scanner: no
build CGI programs: no
enable HAL support: no
build and install documentation: no
build and install the development files: no

# make
Making all in include
NUT_VERSION: 2.6.5-183-ga074844
test -f nut_version.h || cp _nut_version.h nut_version.h
cmp -s _nut_version.h nut_version.h || cp _nut_version.h nut_version.h
rm -f _nut_version.h
make all-am
Making all in common
Making all in clients
Making all in conf
Making all in data
Making all in html
Making all in tools
Making all in .
Making all in nut-scanner
make all-am
Regenerating the SNMP helper files.
Regenerating the USB helper files.
Making all in docs
Making all in .
Making all in man
Using existing nut.conf.5 manual page, since 'asciidoc' was not found.
Using existing ups.conf.5 manual page, since 'asciidoc' was not found.
Using existing upsd.conf.5 manual page, since 'asciidoc' was not found.
Using existing upsd.users.5 manual page, since 'asciidoc' was not found.
Using existing upsmon.conf.5 manual page, since 'asciidoc' was not found.
Using existing upssched.conf.5 manual page, since 'asciidoc' was not found.
Using existing nutupsdrv.8 manual page, since 'asciidoc' was not found.
Using existing upsc.8 manual page, since 'asciidoc' was not found.
Using existing upscmd.8 manual page, since 'asciidoc' was not found.
Using existing upsd.8 manual page, since 'asciidoc' was not found.
Using existing upsdrvctl.8 manual page, since 'asciidoc' was not found.
Using existing upslog.8 manual page, since 'asciidoc' was not found.
Using existing upsmon.8 manual page, since 'asciidoc' was not found.
Using existing upsrw.8 manual page, since 'asciidoc' was not found.
Using existing upssched.8 manual page, since 'asciidoc' was not found.
Using existing nut-scanner.8 manual page, since 'asciidoc' was not found.
Using existing nut-recorder.8 manual page, since 'asciidoc' was not found.
Using existing apcsmart.8 manual page, since 'asciidoc' was not found.
Using existing apcsmart-old.8 manual page, since 'asciidoc' was not found.
Using existing bcmxcp.8 manual page, since 'asciidoc' was not found.
Using existing belkin.8 manual page, since 'asciidoc' was not found.
Using existing belkinunv.8 manual page, since 'asciidoc' was not found.
Using existing bestfortress.8 manual page, since 'asciidoc' was not found.
Using existing bestuferrups.8 manual page, since 'asciidoc' was not found.
Using existing bestups.8 manual page, since 'asciidoc' was not found.
Using existing bestfcom.8 manual page, since 'asciidoc' was not found.
Using existing blazer.8 manual page, since 'asciidoc' was not found.
make: don't know how to make blazer_ser.8 (prerequisite of: all-am)
Stop in docs/man
*** Error 1 in docs (Makefile:511 'all-recursive
Re: wireless ethernet (ralink) not working
On 03/25/2013 11:08 AM, lilit-aibolit wrote:
On 03/24/2013 12:13 AM, Riccardo Mottola wrote:
Hi,
On 03/23/13 20:13, Peter N. M. Hansteen wrote:
Riccardo Mottola <riccardo.mott...@libero.it> writes:
But I am connecting to a WEP protected network, not WPA.

typical hostname.if for a wep network:

    media autoselect nwid wepnetwork nwkey secretasitgets
    dhcp
    rtsol

activates at boot, or if you do 'sudo sh /etc/netstart ifname'

for wpa, you would change 'nwkey' to 'wpakey' and get sensible defaults.

Thanks, this looks equivalent to me to what I did configure at the shell command line using ifconfig. In fact, if I run netstart later, I too get "no link... sleeping". I start to think that there is a problem with the card's driver: if I leave the card in at boot time, the kernel will panic and drop into ddb. However, if I insert it later, as I did up to now, I don't.

Riccardo

Hello, you are not alone with Ralink issues. In my cases as AP:

    # cat /etc/hostname.rum0 (ral0)
    inet 192.168.111.254 255.255.255.0 NONE -inet6 \
        media autoselect mode 11g \
        mediaopt hostap chan 1 nwid network \
        wpakey xx
    #wpa wpaprotos wpa2 wpaakms psk wpakey x

***

I'm happy with my first server:

    # uname -a
    OpenBSD gw.dk 5.0 GENERIC.MP#59 i386
    # dmesg | grep ral0
    ral0 at pci1 dev 0 function 0 "Ralink RT3090" rev 0x00: apic 2 int 16, address 00:12:0e:b1:6e:c7
    ral0: MAC/BBP RT3071 (rev 0x0213), RF RT3020 (MIMO 1T1R)

But periodically dmesg and the messages log show the following error:

    ral0: Michael MIC failure

And once every two or three weeks wi-fi stops serving clients, so once per week I run a cron job with:

    @weekly /bin/sh /etc/netstart ral0

*

Let's look at my second box:

    # uname -a
    OpenBSD gw.kh 5.2 GENERIC.MP#339 i386
    # dmesg | grep rum0
    rum0 at uhub2 port 3 "Ralink 802.11 bg WLAN" rev 2.00/0.01 addr 3
    rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528, address 6c:62:6d:12:5d:59

Wi-fi doesn't work after configuration:

    rum0: device timeout

***

And the third one:

    # uname -a
    OpenBSD gw 5.2 GENERIC.MP#339 i386
    # dmesg | grep ral0
    ral0 at pci1 dev 0 function 0 "Ralink RT2790" rev 0x00: apic 0 int 16, address 00:22:43:5d:6c:b1
    ral0: MAC/BBP RT2872 (rev 0x0200), RF RT2720 (MIMO 1T2R)
    # ifconfig ral0
    ral0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
            lladdr 00:22:43:5d:6c:b1
            priority: 4
            groups: wlan
            media: IEEE802.11 autoselect mode 11g hostap
            status: active
            ieee80211: nwid test chan 3 bssid 00:22:43:5d:6c:b1 wpakey 0x437fe128e9de20eedab446ea43a2b68a6b833c66bc62e13a2bef13b24ad7d5ed wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
            inet 192.168.55.254 netmask 0xffffff00 broadcast 192.168.55.255
    # tail /var/log/daemon
    Mar 25 12:51:00 gw dhcpd[22330]: DHCPDISCOVER from 00:17:9a:b0:19:db via ral0
    Mar 25 12:51:00 gw dhcpd[22330]: DHCPOFFER on 192.168.55.18 to 00:17:9a:b0:19:db via ral0
    Mar 25 12:51:08 gw dhcpd[22330]: DHCPDISCOVER from 00:17:9a:b0:19:db via ral0
    Mar 25 12:51:08 gw dhcpd[22330]: DHCPOFFER on 192.168.55.18 to 00:17:9a:b0:19:db via ral0
    Mar 25 12:51:08 gw dhcpd[22330]: DHCPREQUEST for 192.168.55.18 from 00:17:9a:b0:19:db via ral0
    Mar 25 12:51:08 gw dhcpd[22330]: DHCPACK on 192.168.55.18 to 00:17:9a:b0:19:db via ral0

And it seems to work fine until you do something real, for example when I try to copy a 10MB file to this server from a client that is connected to it via wi-fi:

    # scp ppo@192.168.55.18:/home/ppo/Downloads/gfibackup2009home.exe .
    ppo@192.168.55.18's password:
    gfibackup2009home.exe    15% 1872KB   0.5KB/s - stalled -^CKilled by signal 2.

Copying starts at 100KB/sec and then slows down, so I need to ctrl+c it. The client PC sits right in front of the server and shows a connection speed of 54Mb/sec. So in this case no error is present, but wi-fi didn't work as expected.

***

I've no idea how many mini-pci cards I should test to find one that works without any issues.

This weird issue is killing me:

    ral0: Michael MIC failure

It worked for about a year in Host AP mode with WPA PSK and now it doesn't work even after

    # sh /etc/netstart ral0

Only if I change hostname.ral0 to

    inet 192.168.22.1 255.255.255.0 NONE -inet6 \
        mediaopt hostap nwid ektos-tlv \
        -wpakey

can clients connect and get an IP from dhcpd. If I change it back to

    inet 192.168.22.1 255.255.255.0 NONE -inet6 \
        mediaopt hostap nwid ektos-tlv \
        wpa wpaprotos wpa2 wpaakms psk wpakey PresharedKey

all clients immediately report that they are unable to connect.
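An added example, not from the thread: the same hostap configuration restricted to WPA2 with CCMP as both pairwise and group cipher. The ifconfig output earlier in this message shows wpaprotos wpa1,wpa2 with wpagroupcipher tkip, and "Michael MIC failure" is a TKIP message: net80211 treats a second MIC failure within 60 seconds as an attack and enables TKIP countermeasures, which deauthenticate every TKIP station and refuse TKIP associations for a minute. Dropping TKIP says nothing about the rum0 timeouts, but it removes that failure mode together with the weak cipher. Address, channel, nwid and passphrase below are placeholders; wpaciphers and wpagroupcipher are the ifconfig(8) keywords of the 5.x releases used in this thread, as the ifconfig output above shows.

```conf
# /etc/hostname.ral0 -- added example (not from the thread); values are placeholders.
# WPA2 only, CCMP for pairwise and group traffic: no TKIP, so no Michael MIC
# failures and no TKIP countermeasures kicking every station off the AP.
inet 192.168.22.1 255.255.255.0 NONE -inet6 \
	media autoselect mode 11g mediaopt hostap chan 3 nwid example-ap \
	wpa wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp \
	wpakey ReplaceWithAStrongPassphraseOf8to63Chars
```

After "sh /etc/netstart ral0", the ieee80211 line of "ifconfig ral0" should read "wpaprotos wpa2 ... wpaciphers ccmp wpagroupcipher ccmp"; a client that only speaks WPA1/TKIP will then be refused at association rather than failing later. Note that ifconfig prints the derived 256-bit PSK in clear to root, as in the output above, so that output should be treated as a secret.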
Re: altq: upsteam and downstream
On 03/04/2013 10:17 PM, Martin Pelikan wrote:
Hello. Thanks for your reply. I need to guarantee bandwidth for selected hosts (abu, ali) and pass all other traffic to the bulk queue, but I have a lot of filter rules and don't know how to do it. I have applied queues to some pass rules and lost connection to the Internet and to ssh (22555).

Follow notes inline, in the config.

My biggest advice (I've made the same mistake so many times myself) in building a firewall ruleset is to go one step at a time. Don't try to write the whole ruleset all at once, then load it and expect it to work right away. The same applies to queueing. Add two queues, the default one big enough, start using them both and observe "systat queues 1". If it worked, go and add another one, and so forth. If you've lost your connectivity to ssh, first find out which step in the process did it. pflog(4) is quite handy (match ... log ...).

    table <tlv_qnap>      { 192.168.2.200 }
    table <tlk_proxmox>   { 192.168.5.201 }
    table <tlv_proxmox>   { 192.168.2.201 }
    table <tlv_mentor>    { 192.168.2.205 }
    table <tlv_bugzilla>  { 192.168.2.206 }
    table <macintosh>     { 192.168.5.73 }
    table <ogo>           { 192.168.5.36 }
    table <msn>           { 192.168.5.44 }
    table <sma>           { 192.168.5.210 }
    table <presentation>  { 192.168.5.13 }

Actually, I believe creating tables for just one host can be wasteful of resources (if you're planning to add hosts dynamically to them, then it is okay). pfctl(8) automatically creates tables when one rule appears seven or more times with just one address changed. In the case of a single host, macros are better, because the kernel sees that one IP address directly and doesn't have to look it up in a table (which is a different memory location that doesn't have to be present in CPU caches and therefore consumes more CPU time). But on a 20 Mbit/s gateway CPU power shouldn't bother you.

    table <private> { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
                      127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
                      172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
                      192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }

One, you're missing 100.64/10, which is the new CGN private range. Two, such a table would be better marked const, so you don't accidentally add something unexpected to it. Three, 128.0/16 has some allocated bits in it. There are lots of books suggesting people block martian IPv4 ranges (the valid ones being 0.0.0.0/8 and a few others), but some of them have been allocated since the books were released. You may want to read http://tools.ietf.org/html/rfc5735 .

    block quick proto tcp flags /S
    block quick proto tcp flags A/A

I've seen people being told that playing with rules for various TCP flag combinations usually leads to the firewall misbehaving, and that pf(4) is doing most of the sanity checks by itself already. Are you sure you really need these rules for anything in particular? Did your internet connection work without them?

    altq on $ext_if hfsc bandwidth $upstream queue { root_out }
    queue root_out on $ext_if bandwidth 100% hfsc { ack, dns, manager, bulk }
    queue dns     on $ext_if priority 7 bandwidth 5%  qlimit 500 hfsc (realtime 5%)
    queue ack     on $ext_if priority 6 bandwidth 10% qlimit 500 hfsc (realtime 10%)
    queue manager on $ext_if priority 5 bandwidth 20% qlimit 500 hfsc (realtime 10% upperlimit 95%)
    queue bulk    on $ext_if priority 1 bandwidth 40% qlimit 500 hfsc (default, red realtime 20% upperlimit 95%)

    altq on $int_if hfsc bandwidth $downstream queue { root_in }
    queue root_in on $int_if bandwidth 100% hfsc { ack, dns, manager, bulk }
    queue dns     on $int_if priority 7 bandwidth 5%  qlimit 500 hfsc (realtime 5%)
    queue ack     on $int_if priority 6 bandwidth 10% qlimit 500 hfsc (realtime 10%)
    queue manager on $int_if priority 5 bandwidth 20% qlimit 500 hfsc (realtime 10% upperlimit 95%)
    queue bulk    on $int_if priority 1 bandwidth 40% qlimit 500 hfsc (default, red realtime 20% upperlimit 95%)

It occurs to me these two are exactly the same. I think you can make it a lot shorter by writing it at once, like so:

    altq on $ext_if hfsc bandwidth $upstream   queue { ack dns manager bulk }
    altq on $int_if hfsc bandwidth $downstream queue { ack dns manager bulk }
    queue ack     bandwidth 10% qlimit 500 priority 6 hfsc(realtime 10%)
    queue dns     bandwidth 5%  qlimit 500 priority 7 hfsc(realtime 5%)
    queue manager bandwidth 20% qlimit 500 priority 5 hfsc(...)
    ...

And it will create two of each of them automatically (you can check "pfctl -vvsq" to see if it matched your expectations). You can always differentiate them per interface if you want. But keeping the file minimal in size is good for readability after a period of time when you've forgotten what you did. Also a qlimit of 500 is a little too high (I use 150 on 200+ Mbit/s 50kpps gateways and it is more than enough).

    #in
    pass in on $ext_if inet proto tcp from any to em1 port 22555

This alone should match every time you connect.
Also note the rule is to em1 port 22555, which means you can only
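Putting the advice above together, as an added example that is not the ruleset from the thread (interface names, the 20 Mbit figures and the two host addresses are assumed): the queue tree declared once and attached to both altq lines, the martian table marked const with 100.64/10 added and the since-allocated ranges dropped, macros for the single hosts, and pass rules that put the two guaranteed hosts into the manager queue and everyone else into bulk. It also answers the direction question from the original post: a queue name is recorded in the state when the rule creates it, and a packet is queued on whichever queueing-enabled interface it leaves through that has a queue of that name, so one "pass in on $int_if" rule shapes the host's upload on $ext_if and the replies to it on $int_if.

```conf
# pf.conf fragment: added example, not the ruleset from the thread.
# Interface names, bandwidths and the two host addresses are assumed.
ext_if     = "em1"
int_if     = "em0"
upstream   = "20Mb"
downstream = "20Mb"

# single hosts as macros, not one-entry tables
abu = "192.168.5.73"
ali = "192.168.5.36"

# still-reserved source ranges only, 100.64/10 (carrier-grade NAT) included;
# const so nothing can be added to the table at runtime
table <private> const { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 240.0.0.0/4 }

# one queue tree, instantiated on both interfaces:
# $ext_if shapes what leaves towards the Internet (the clients' upload),
# $int_if shapes what leaves towards the LAN (the clients' download)
altq on $ext_if hfsc bandwidth $upstream   queue { dns ack manager bulk }
altq on $int_if hfsc bandwidth $downstream queue { dns ack manager bulk }
queue dns     bandwidth 5%  priority 7 qlimit 150 hfsc(realtime 5%)
queue ack     bandwidth 10% priority 6 qlimit 150 hfsc(realtime 10%)
queue manager bandwidth 20% priority 5 qlimit 150 hfsc(realtime 10% upperlimit 95%)
queue bulk    bandwidth 40% priority 1 qlimit 150 hfsc(default realtime 20% upperlimit 95%)

match in all scrub (no-df)
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

block in quick on $ext_if from <private> to any
block out quick on $ext_if from any to <private>
block all

# ssh to the gateway; keep "log" on while the ruleset is built up step by step
pass in log on $ext_if inet proto tcp from any to ($ext_if) port 22555

# the queue is remembered in the state, so one "pass in" on $int_if covers
# both directions; the second queue name takes the small ACK/lowdelay packets
pass in on $int_if inet proto udp from $int_if:network to any port domain queue dns
pass in on $int_if inet from { $abu, $ali } to any queue (manager, ack)
pass in on $int_if inet from $int_if:network to any queue (bulk, ack)
pass out on $ext_if inet
```

Load it with "pfctl -nf /etc/pf.conf" first; "pfctl -vvsq" should then list dns, ack, manager and bulk twice, once per interface, and "systat queues 1" shows which of them actually carry packets while a transfer from abu or ali runs.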
Re: em(4) watchdog timeouts on 5.0-release
On 11/09/2011 10:27 PM, Jussi Peltola wrote:
You can ignore the clueless parts in my previous message :)
I can set up remote access to one of these machines if needed.

This made the ems work again:

--- if_em.c.origWed Nov 9 21:37:39 2011
+++ if_em.c Wed Nov 9 21:39:01 2011
@@ -331,6 +331,2 @@
- /* Only use MSI on the newer PCIe parts */
- if (sc-hw.mac_type em_82571)
- sc-osdep.em_pa.pa_flags= ~PCI_FLAGS_MSI_ENABLED;
-
 /* Parameters (to be read from user) */
@@ -1621,3 +1617,3 @@
- if (pci_intr_map_msi(pa,ih) pci_intr_map(pa,ih)) {
+ if (pci_intr_map(pa,ih)) {
 printf(: couldn't map interrupt\n);

I had no problem with this box until strange network behaviour occurred. It comes and goes unexpectedly but causes trouble with access to the network behind em0.

# dmesg
OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
real mem  = 1064431616 (1015MB)
avail mem = 1036947456 (988MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/12/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0x9f800 (28 entries)
bios0: vendor American Megatrends Inc. version "080014" date 08/12/2008
bios0: ICP / iEi KINO-9652
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB ASF! SSDT
acpi0: wakeup devices P0P2(S4) P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) HDAC(S4) USB4(S4) USB5(S4) USBE(S4) GBEC(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P2)
acpiprt2 at acpi0: bus 1 (P0P1)
acpiprt3 at acpi0: bus 2 (P0P4)
acpiprt4 at acpi0: bus 3 (P0P5)
acpiprt5 at acpi0: bus -1 (P0P6)
acpiprt6 at acpi0: bus -1 (P0P7)
acpiprt7 at acpi0: bus -1 (P0P8)
acpiprt8 at acpi0: bus -1 (P0P9)
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpibtn0 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
bios0: ROM list: 0xc0000/0xec00!
cpu0: Enhanced SpeedStep 1994 MHz: speeds: 2000, 1600, 1200 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel GME965 Host" rev 0x03
vga1 at pci0 dev 2 function 0 "Intel GME965 Video" rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd0000000, size 0x10000000
inteldrm0 at vga1: apic 2 int 16
drm0 at inteldrm0
"Intel GME965 Video" rev 0x03 at pci0 dev 2 function 1 not configured
"Intel GME965 HECI" rev 0x03 at pci0 dev 3 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel ICH8 IGP M AMT" rev 0x04: msi, address 00:18:7d:1a:37:d6
uhci0 at pci0 dev 26 function 0 "Intel 82801H USB" rev 0x04: apic 2 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801H USB" rev 0x04: apic 2 int 21
ehci0 at pci0 dev 26 function 7 "Intel 82801H USB" rev 0x04: apic 2 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 82801H HD Audio" rev 0x04: msi
azalia0: codecs: Realtek ALC883
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801H PCIE" rev 0x04: apic 2 int 22
pci1 at ppb0 bus 2
ral0 at pci1 dev 0 function 0 "Ralink RT3090" rev 0x00: apic 2 int 16, address 00:12:0e:b1:6e:c7
ral0: MAC/BBP RT3071 (rev 0x0213), RF RT3020 (MIMO 1T1R)
ppb1 at pci0 dev 28 function 1 "Intel 82801H PCIE" rev 0x04: apic 2 int 23
pci2 at ppb1 bus 3
em1 at pci2 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: msi, address 00:18:7d:1a:37:d8
uhci2 at pci0 dev 29 function 0 "Intel 82801H USB" rev 0x04: apic 2 int 23
uhci3 at pci0 dev 29 function 1 "Intel 82801H USB" rev 0x04: apic 2 int 19
uhci4 at pci0 dev 29 function 2 "Intel 82801H USB" rev 0x04: apic 2 int 18
ehci1 at pci0 dev 29 function 7 "Intel 82801H USB" rev 0x04: apic 2 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xf4
pci3 at ppb2 bus 1
pcib0 at pci0 dev 31 function 0 "Intel 82801HEM LPC" rev 0x04
pciide0 at pci0 dev 31 function 1
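Review bot: removing the mac_type gate in the first hunk (`- /* Only use MSI on the newer PCIe parts */`, `- if (sc-hw.mac_type em_82571)`, `- sc-osdep.em_pa.pa_flags= ~PCI_FLAGS_MSI_ENABLED;`) takes away the one place the driver opts older parts out of MSI, so on its own this hunk would widen MSI use rather than narrow it, and it only makes sense because the second hunk drops MSI mapping altogether; a patch meant for review should keep the gate and extend its condition to the parts that show watchdog timeouts. Note also that the comparison operator and the `&=` are missing from these lines as archived, so the hunk as shown here will not apply cleanly.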
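Review bot: replacing `if (pci_intr_map_msi(pa,ih) pci_intr_map(pa,ih)) {` with `if (pci_intr_map(pa,ih)) {` forces a legacy interrupt for every em(4) instance, not only the ones that time out; the dmesg above shows both em0 ("Intel ICH8 IGP M AMT") and em1 ("82573L") attaching with `msi`, so this is a good bisection step to confirm MSI is the trigger, but the reviewable fix is to clear PCI_FLAGS_MSI_ENABLED for the affected mac_type (or board) and leave the MSI-then-legacy fallback in place for the rest. The `&&` between the two calls has also been lost from the line as archived.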
Re: em(4) watchdog timeouts on 5.0-release
On 03/07/2013 01:10 PM, mxb wrote:
What about 5.2? Same issues?
//mxb

I don't know. This is remote host1 and it holds IPSec with another host2. When the issue comes, the network behind host2 can't reach resources behind host1.
altq: upsteam and downstream
Hello misc,

I'm a bit confused about such things. I have a symmetrical channel to the Internet with 20 Mbits and openbsd5.2 as gateway, with NAT. Imagine I defined ALTQ on $ext_if and on $int_if. Am I right that:

1) ALTQ on $ext_if will be applied to the upstream channel (i.e. upload speed from the point of view of the client behind the NAT)?
2) ALTQ on $int_if will be applied to the downstream channel (i.e. download speed from the point of view of the client behind the NAT)?

To put it more simply, take for example http://speedtest.net. After the test I have two results: download and upload speed. Is it true that if I apply a queue for myself in a filter rule, it will work for both download and upload in the terms of speedtest.net, but only for the upstream channel in the terms of ALTQ? Or am I totally wrong? Because I read the man pages, the FAQ, calomel.org, "BANDWIDTH MANAGEMENT" by Benjamin Heckmann, misc, etc. and still can't understand how upstream and downstream channel speed correlates with ALTQ and upload and download speeds for clients behind NAT.
named not answer on external query
This is weird trouble. Years ago I did an authoritative server on openbsd 4.x and it just worked for both - the local network and queries from the Internet. But now it doesn't. I know - this is my issue, please help to resolve it.

###named.conf###

    // $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $

    acl tlk {
        192.168.5.0/24;
        192.168.55.0/24;
        192.168.66.0/24;
        192.168.99.0/24;
        127.0.0.1;
    };

    options {
        version "";         // remove this to allow version queries

        listen-on    { 127.0.0.1; 192.168.5.254; 192.168.55.254; ext_if; };
        listen-on-v6 { none; };

        allow-transfer { none; };
        empty-zones-enable yes;
        //forward first;
        forwarders { provider's dns; };
        allow-recursion { tlk; };
        allow-query { any; };
    };

    view "allow-recursion" {
        match-clients { tlk; };
        //recursion yes;

        zone "." {
            type hint;
            file "etc/root.hint";
        };

        zone "localhost" {
            type master;
            file "standard/localhost";
            //allow-transfer { localhost; };
        };

        zone "127.in-addr.arpa" {
            type master;
            file "standard/loopback";
            //allow-transfer { localhost; };
        };

        zone "zone.1" { type master; file "/master/zone.1"; };
        zone "zone.2" { type master; file "/master/zone.3"; };
        zone "zone.4" { type master; file "/master/zone.4"; };
        zone "168.192.in-addr.arpa" { type master; file "/master/168.192.in-addr.arpa"; };

        include "/master/forbidden.conf";
    };

    view "deny-recursion" {
        recursion no;
        additional-from-cache no;
        additional-from-auth no;

        zone "zone.5" { type master; file "/master/zone.5"; };
    };

    key "rndc-key" {
        algorithm hmac-md5;
        secret "**";
    };

    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    };

    logging {
        channel security_channel {
            # Send log messages to the specified file
            file "log/security.log";
            # Log all messages
            severity debug;
            # Log the date and time of the message
            print-time yes;
            # Log the category of the message
            print-category yes;
            # Log the severity level of the message
            print-severity yes;
        };
        channel default {
            # Send logs to the 'local0' syslog facility
            syslog local0;
            # Log messages of severity 'info' or higher
            severity info;
            print-category yes;
            print-severity yes;
        };
        # Logs about approval and denial of requests
        category security { security_channel; default; };
        # Ignore logs about misconfigured remote servers
        category lame-servers { null; };
        # Default logging options
        category default { default; };
    };

###zone.5###

    ; $OpenBSD: db.localhost,v 1.2 2005/02/07 06:08:10 david Exp $

    $ORIGIN zone.5.
    $TTL 24h

    @       IN      SOA     ns1.zone.5. admin.zone.com. (
                            10      ; serial
                            1h      ; refresh
                            30m     ; retry
                            7d      ; expiration
                            1h )    ; minimum

            NS      ns1.zone.5.
            NS      ns2.zone.5.

    @       IN      A       right.IP
    www     IN      A       right.IP
    ns1     IN      A       right.IP
    ns2     IN      A       right.IP2

###pf.conf related rules###

    pass in on $ext_if inet proto { tcp, udp } from any to em1 port domain
    pass in on $int_if inet proto { udp, tcp } from lan to $int_if port { ntp, domain }
    pass out on $ext_if inet proto udp from em1 to any

I see a number of external queries to my server, but don't see the answers:

    # tcpdump -i em1 -p udp 'port domain'
    09:28:23.152111 smtp.eurocom.su.19716 > my.server.domain: 59597 [1au] A? www.zone.5. (45)
    09:28:24.136607 idbh.ru.47793 > my.server.domain: 26171% [1au] A? www.zone.5. (45)
    09:28:26.942971 smtp.eurocom.su.44341 > my.server.domain: 615 A? www.zone.5. (34)
    09:28:27.191067 smtp.eurocom.su.17302 > my.server.domain: 42979 [1au] A? www.zone.5. (45)
    09:28:29.417383 smtp.eurocom.su.34958 > my.server.domain: 53565 A? www.zone.5. (34)
    09:28:29.737934 idbh.ru.45564 > my.server.domain: 27837 A? www.zone.5. (34)

From the local net:

    user@pc.local:~$ nslookup zone.5
    Server:         192.168.5.254
    Address:        192.168.5.254#53

    Non-authoritative answer:
    Name:   zone.5
    Address: right.IP

    # tcpdump -i em0 -p udp 'port domain'
    10:00:41.702484 pc.local.46571 > my.server.domain: 50830+ A? zone.5. (30)
    10:00:41.702625 my.server.domain > pc.local.46571: 50830 1/2/0 A right.IP (82)
Re: named not answer on external query
On 01/17/2013 11:27 AM, Vadim Zhukov wrote:
At first, find where the flow gets stopped: enable debug logging on the resolver and add "match log (matches)" to the port 53 rule as the first one in your firewall. Then probably you'll see the problem yourself.

Oh, and please, if you get "no packets seen" problems, print all of your firewall rules. Always. Don't pretend that you know better - if it was so, why would you be asking at all?

Incoming packets are still coming, but I see only my requests to the provider's DNS. Should I see a reply from my server to the request from the Internet?

    Jan 17 13:31:44.480883 rule 4/(match) match in on em1: 178.45.248.150.43780 > my.IP.53: 687[|domain]
    Jan 17 13:33:25.076188 rule 4/(match) match in on em1: 212.14.176.40.33699 > my.IP.53: 61511[|domain] (DF)
    Jan 17 13:33:25.080570 rule 4/(match) match in on em1: 212.14.176.40.19055 > my.ip.53: 3658[|domain]
    Jan 17 13:33:26.216774 rule 4/(match) match out on em1: my.ip.9342 > 194.106.219.12.53: 10130+% [1au][|domain]
    Jan 17 13:33:26.721533 rule 4/(match) match out on em1: my.ip.42595 > 194.106.219.10.53: 21720+% [1au][|domain]

###pf.conf###

    #	$OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
    #
    # See pf.conf(5) for syntax and examples.
    # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
    # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

    ext_if  = "em1"
    wifi_if = "rum0"
    int_if  = "em0"

    portstuff    = "{ smtps, 5190, submission, pop3, pop3s, imap, imaps, www, https, 1863, 1935, 3389, 5222, 5900, 8200 }"
    portstuffwww = "{ smtps, 445, 5190, submission, pop3, pop3s, imap, imaps, www, https, 1863, 1935, 3389, 5222, 9100 }"

    table <firewall> const { self }
    table <tlv_lan>    { 192.168.2.0/24 }
    table <tlv_wifi>   { 192.168.22.0/24 }
    table <tlk_lan>    { 192.168.5.0/24 }
    table <tlk_wifi>   { 192.168.55.0/24 }
    table <tlv_gw>     { x.x.x.x }
    table <admin>      { 192.168.5.1, 192.168.5.61 }
    table <dns>        { 194.106.219.10, 194.106.219.12 }
    table <tlv_vpn>    { 192.168.88.0/24 }
    table <tlk_vpn>    { 192.168.99.0/24 }
    table <pptp_vpn>   { 192.168.66.0/24 }
    #table <adminvpn>  { 192.168.14.115, 192.168.14.113 }
    table <rm>         { 192.168.5.250 }
    table <tlv_rm>     { 192.168.2.250 }
    table <mysql>      { 192.168.5.248 }
    table <tlv_mysql>  { 192.168.2.248 }
    table <tlk_scm>    { 192.168.5.251 }
    table <tw>         { 192.168.2.247 }
    table <lic>        { 192.168.5.246 }
    table <ogo>        { 192.168.5.36 }
    table <macintosh>  { 192.168.5.73 }
    table <scm>        { 192.168.5.251 }
    table <tlv_scm>    { 192.168.2.251 }
    table <psu>        { 192.168.5.17, 192.168.5.50 }
    table <tlk_qnap>   { 192.168.5.200 }
    table <tlv_qnap>   { 192.168.2.200 }
    table <proxmox>    { 192.168.5.201 }
    table <bugzilla>   { 192.168.2.206 }
    table <agcoclient> { 192.168.5.15, 192.168.5.32, 192.168.5.34, \
                         192.168.5.35, 192.168.5.41, 192.168.5.42, 192.168.5.49, 192.168.5.72 }
    table <agco>       { x.x.x.x }
    table <private>    { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
                         127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
                         172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
                         192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
    table <bruteforce> persist
    #table <advertisement> file "/etc/advertisement"
    table <spamd-white> persist
    table <spamd> persist
    #table <spamd-bypass> file "/etc/mail/spamd.bypass"
    #table <spamd-black> file "/etc/mail/spamd.black"

    set skip on { lo, enc0 }
    set loginterface em1
    set timeout { frag 20, tcp.established 3600 }
    set block-policy return

    antispoof quick for { em1 }

    match in all scrub (no-df)

    anchor "ftp-proxy/*"

    match log on $ext_if inet proto udp to port 53

    #nat
    match out on $ext_if inet proto tcp from { <tlk_lan>, <tlk_wifi>, <pptp_vpn> } to any nat-to em1
    match out on $ext_if inet proto udp from { <tlk_lan>, <tlk_wifi> } to <agco> nat-to em1
    match out on $ext_if inet from <admin> to any nat-to em1

    #rdr
    match in on $ext_if inet proto tcp from any to em1 port { www, https } rdr-to <rm>
    match in on $ext_if inet proto tcp from any to em1 port 3690 rdr-to <scm> port www
    match in on $ext_if inet proto tcp from any to em1 port 16881 rdr-to 192.168.5.1
    match in on $ext_if inet proto udp from any to em1 port 27015 rdr-to 192.168.5.244
    match in on $ext_if inet proto tcp from any to em1 port 8080 rdr-to 192.168.5.244 port www

    #block in quick on $int_if from any to <advertisement>
    block quick proto tcp flags /S
    block quick proto tcp flags A/A
    block in quick on $ext_if from { <bruteforce>, <private>, <spamd-black> } to any
    block out quick on $ext_if from any to <private>
    #block in quick on $int_if inet proto tcp from { !twmail, !twtest } to any port smtp

    block all

    #in
    pass in on $ext_if inet proto tcp from any to em1 port 22555
    pass in on $ext_if proto esp from <tlv_gw> to em1
    pass in on $ext_if proto gre from any to em1
    pass in on $ext_if inet proto tcp from any to em1 port pptp modulate state
    pass in on $ext_if inet proto udp from any to em1 port 1194
    pass in on $ext_if inet proto tcp from any to <rm> port { www, https } synproxy state
    pass in on $ext_if
Re: named not answer on external query
On 01/17/2013 04:05 PM, Michael Lambert wrote:
On 17 Jan 2013, at 06:44, lilit-aibolit wrote:
On 01/17/2013 11:27 AM, Vadim Zhukov wrote:
At first, find where the flow gets stopped: enable debug logging on the resolver and add "match log (matches)" to the port 53 rule as the first one in your firewall. Then probably you'll see the problem yourself.

    match log on $ext_if inet proto udp to port 53

Don't you want:

    match log on $ext_if inet proto {tcp, udp} to port 53

Michael

done. but this didn't help me. I also see incoming requests from the Internet and requests from my server to the provider's DNS forwarders. I'm sure that named is running on all my interfaces:

    # netstat -na | grep .53
    tcp        0      0  ext.ip.53              *.*                    LISTEN
    tcp        0      0  127.0.0.1.953          *.*                    LISTEN
    tcp        0      0  192.168.55.254.53      *.*                    LISTEN
    tcp        0      0  192.168.5.254.53       *.*                    LISTEN
    tcp        0      0  127.0.0.1.53           *.*                    LISTEN
    udp        0      0  ext.ip.53              *.*
    udp        0      0  192.168.55.254.53      *.*
    udp        0      0  192.168.5.254.53       *.*
    udp        0      0  127.0.0.1.53           *.*
    # fstat | grep internet | grep named
    named    named      21647   20* internet stream tcp 0xd89db198 127.0.0.1:53
    named    named      21647   21* internet stream tcp 0xd89db000 192.168.5.254:53
    named    named      21647   22* internet stream tcp 0xd89db330 192.168.55.254:53
    named    named      21647   23* internet stream tcp 0xd89db4c8 127.0.0.1:953
    named    named      21647   25* internet stream tcp 0xd88a17fc ext.ip:53
    named    named      21647  512* internet dgram udp 127.0.0.1:53
    named    named      21647  513* internet dgram udp 192.168.5.254:53
    named    named      21647  514* internet dgram udp 192.168.55.254:53
    named    named      21647  515* internet dgram udp *:13169
    named    named      21647  516* internet dgram udp ext.ip:53
Re: tftp - no route to host
On 05/01/2011 10:13 AM, Henning Brauer wrote:
* Emille Blanc <sar...@sarlok.com> [2011-04-30 19:56]:
since TFTP uses UDP, pf won't create a state

wrong.

Hello, I'm stuck again with "no route to host".

    # uname -a
    OpenBSD gw 5.2 GENERIC.MP#339 i386
    # ls -la /usr/tftpboot/
    total 12728
    drwxrwxrwx   2 root  wheel      512 Jan 10 15:36 .
    drwxr-xr-x  18 root  wheel      512 Jan 10 14:48 ..
    -rwxrwxrwx   1 root  wheel        3 Jan 10 15:35 1.txt
    -rwxrwxrwx   1 root  wheel  6427696 Feb 13  2012 bsd.rd
    -rwxrwxrwx   1 root  wheel    53732 Feb 13  2012 pxeboot
    # pfctl -sr | grep 69
    pass in quick on em0 inet proto udp from any to any port = 69
    pass out quick on em0 inet proto udp from any to any port = 69

from localhost:

    # tftp
    tftp> connect 192.168.5.254
    tftp> get 1.txt
    Received 3 bytes in 0.0 seconds
    tftp> get pxeboot
    Received 54044 bytes in 0.0 seconds
    tftp> quit
    # ls -la | grep 1.txt
    -rw-r--r--  1 root  wheel      3 Jan 10 17:14 1.txt
    # ls -la | grep pxeboot
    -rw-r--r--  1 root  wheel  53732 Jan 10 17:14 pxeboot

from the remote PC:

    admin:~/Downloads$ tftp
    tftp> connect gw
    tftp> status
    Connected to gw.
    Mode: netascii Verbose: off Tracing: off
    Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
    tftp> mode binary
    tftp> status
    Connected to gw.
    Mode: octet Verbose: off Tracing: off
    Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
    tftp> get 1.txt
    ^C
    tftp>

on the tftpd host:

    # ping 192.168.5.1
    PING 192.168.5.1 (192.168.5.1): 56 data bytes
    64 bytes from 192.168.5.1: icmp_seq=0 ttl=64 time=0.524 ms
    ...
    # tftpd -4dv -l 192.168.5.254 /usr/tftpboot
    tftpd: 192.168.5.254: read request for '1.txt'      # can get files locally
    tftpd: 192.168.5.254: read request for 'pxeboot'    # can get files locally
    tftpd: 192.168.5.1: read request for '1.txt'        # can get files remotely
    tftpd: send(block): No route to host
    tftpd: 192.168.5.1: read request for '1.txt'
    tftpd: send(block): No route to host
    tftpd: 192.168.5.1: read request for '1.txt'
    tftpd: send(block): No route to host
    # tcpdump -i em0 -p udp 'port 69'
    tcpdump: listening on em0, link-type EN10MB
    17:21:38.462907 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
    17:21:43.462961 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
    17:21:48.463020 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
    ^C
    8554 packets received by filter
    0 packets dropped by kernel
    # fstat | grep internet | grep tftpd
    _tftpd   tftpd      18160    3* internet dgram udp 192.168.5.254:69
Re: tftp - no route to host (Solved)
On 01/10/2013 05:24 PM, lilit-aibolit wrote:
[...]

I fixed this by changing

    pass out quick on em0 inet proto udp from any to any port = 69

to

    pass out quick on em0 inet proto udp from $int_if to $local_net

Is this right? Maybe I don't want to allow all udp traffic from my gateway.
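Why the original pair of rules failed, and a narrower version of the fix, as an added example that is not the poster's ruleset (the macro values are assumed; the _tftpd user comes from the fstat line in the thread). tftpd accepts the request on port 69 but sends the data blocks from a fresh socket bound to an ephemeral port, so the state created by "pass in ... to port 69" never sees them, and the "pass out ... port = 69" rule does not match them either. With "block all" in force pf drops the outgoing datagram, and ip_output reports that to the sending process as EHOSTUNREACH, which is the "send(block): No route to host" in the tftpd log. The pass out rule therefore has to cover those replies, but it need not cover every UDP datagram the gateway sends: pf.conf(5)'s "user" option matches locally generated packets by the owner of the socket, and the destination can be pinned to the internal network.

```conf
# pf.conf fragment: added example, not the thread's ruleset. The interface,
# the network and the tftpd user (_tftpd, as seen in fstat above) are assumed.
int_if    = "em0"
local_net = "192.168.5.0/24"

block all

# the RRQ/WRQ arrives on the well-known port; this state only covers the
# request itself, not the data blocks that follow
pass in quick on $int_if inet proto udp from $local_net to $int_if port tftp

# data blocks leave from a new unprivileged source port opened by tftpd(8);
# match on the owning user and the destination network instead of "any to any"
pass out quick on $int_if inet proto udp from $int_if to $local_net user _tftpd
```

To confirm the rule is the one doing the work, add "log" to the pass out rule, run "tcpdump -n -e -ttt -i pflog0 udp" during a transfer and check that the logged packets come from the gateway's ephemeral port, not from port 69; "pfctl -vsr" shows the per-rule packet counters. Error packets that tftpd sends from the port 69 socket it opened as root before dropping privileges would not match the "user _tftpd" rule, which is acceptable for a read-only boot server but worth knowing when a client reports timeouts instead of an error message.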
how to save /home during reinstall
Hello misc.

I have a /home on the old system and I want to install a new one from scratch. But I need to save all the data in /home without moving it off the box. As I understood I need to stop at this point:

    Use (W)hole disk or (E)dit the MBR? [whole]

and select Edit instead of Whole (which erases all data). But I don't understand what I should do next.
Re: how to save /home during reinstall
On 12/27/2012 12:29 PM, Wesley wrote:
On 2012-12-27 14:15, lilit-aibolit wrote:
Hello misc.
I have a /home on the old system and I want to install a new one from scratch. But I need to save all the data in /home without moving it off the box. As I understood I need to stop at this point:

    Use (W)hole disk or (E)dit the MBR? [whole]

At this prompt, hit Ctrl+C or "!" and
Why don't you mount a second disk and back up /home to this one?
just before the fdisk part.

Cheers,
Wesley

For example I don't have physical access or a second disk. Or I have a situation when I need to roll back to the previous 5.1 system version and then probably to 5.0 due to

    Dec 11 14:13:38 gw /bsd: rum0: device timeout
    Dec 11 14:13:39 gw /bsd: rum0: could not transmit buffer: TIMEOUT

In 5.0 I had no problem with rum0 in AP mode, but in 5.2 I have. And I don't want to back up/copy the data from /home on every reinstall.
Re: how to save /home during reinstall
On 12/27/2012 02:24 PM, Nick Holland wrote: On 12/27/12 05:57, lilit-aibolit wrote: On 12/27/2012 12:29 PM, Wesley wrote: Le 2012-12-27 14:15, lilit-aibolit a écrit : Hello misc. I have a /home at old system and I want to install new one from scratch. But I need to save all data in /home without moving it out of box. As I understood I need to stop at this point: Use (W)hole disk or (E)dit the MBR? [whole] At this prompt, hit Ctrl+C or ! and Why don't you mount a second disk and backup /home to this one? just before fdisk part. Cheers, Wesley . For example I don't have physical access or second disk. Or I have a situation when I need to roll back to previous 5.1 system version and then probably to 5.0 due to Dec 11 14:13:38 gw /bsd: rum0: device timeout Dec 11 14:13:39 gw /bsd: rum0: could not transmit buffer: TIMEOUT In 5.0 I had no problem with rum0 in AP mode, but in 5.2 I have. well... you need to get a bug report in; I see no bug reports on rum issues in over a year. That's the real problem here. Reverting is not a good answer here. As for your question... Before reinstalling, make note of where all your partitions are mounted currently. For a reinstall, the fdisk prompt will include Existing OpenBSD partition or something along those lines...you will chose that (the default). After that, you will be brought to the disklabel options -- you want to chose CUSTOM Layout. Define a mount point for all partitions you wish to reformat, do NOT define mount points for the /home partition or any others you wish to retain. You aren't marking don't reformat partitions, you need to mark where all partitions will be mounted, leaving out the ones you wish to retain. After you complete your install, edit your /etc/fstab to point to your old /home partition, mount it (I'd suggest a reboot), done. btw: you will want to practice this locally on a test system first. Nick. 
Thanks for reply Nick, I just did it:
1) select OpenBSD area
2) select custom
3) delete and create all partitions except /home
4) reboot
5) edit /etc/fstab and add line for my /home
and it works! You may find my letter about rum0 with subject "rum0: device timeout" from 12/11/2012 03:15 PM. I'll look into how to create a bug report, but how to be sure that it's not my issue? I just reverted to 5.1 and it seems to work much more stable: I can start several pings over wireless and sit in ssh via wifi without lags.
rum0: device timeout
network is visible but not working, or temporarily working after reboot.

# tail /var/log/messages
Dec 11 10:00:01 gw syslogd: restart
Dec 11 12:00:01 gw syslogd: restart
Dec 11 14:00:01 gw syslogd: restart
Dec 11 14:13:38 gw /bsd: rum0: device timeout
Dec 11 14:13:39 gw /bsd: rum0: could not transmit buffer: TIMEOUT
Dec 11 14:28:15 gw /bsd: ehci_idone: ex=0xd2e67600 is done!
Dec 11 14:28:15 gw /bsd: ehci_idone: ex=0xd2e67700 is done!
Dec 11 14:38:37 gw /bsd: rum0: could not transmit buffer: TIMEOUT
Dec 11 14:38:39 gw /bsd: rum0: device timeout
Dec 11 15:00:01 gw syslogd: restart

# cat /etc/hostname.rum0
inet 192.168.55.254 255.255.255.0 NONE -inet6 media autoselect mode 11g \
    mediaopt hostap chan 8 nwid name \
    wpa wpaprotos wpa2 wpaakms psk wpakey 1234qwerty

# dmesg
OpenBSD 5.2 (GENERIC.MP) #339: Wed Aug 1 10:13:24 MDT 2012
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Celeron(R) CPU P4500 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,POPCNT,LAHF
real mem = 2003451904 (1910MB)
avail mem = 1959845888 (1869MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/27/09, SMBIOS rev. 2.6 @ 0xeb0c0 (24 entries)
bios0: vendor American Megatrends Inc.
version 4.6.3 date 01/06/2011 bios0: ICP / iEi B186 acpi0 at bios0: rev 3 acpi0: sleep states S0 S1 S4 S5 acpi0: tables DSDT FACP APIC SSDT MCFG HPET acpi0: wakeup devices P0P1(S1) PEGP(S4) P0P2(S1) P0P3(S1) P0P4(S1) P0P5(S1) PS2K(S1) PS2M(S1) BR20(S1) EUSB(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S4) USB4(S1) USB5(S1) USB6(S1) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) PEX5(S4) PEX6(S4) LAN2(S1) PEX7(S4) SLPB(S0) PWRB(S1) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 4 (application processor) cpu1: Intel(R) Celeron(R) CPU P4500 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,POPCNT,LAHF ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 4 (BR20) acpiprt2 at acpi0: bus 1 (PEX0) acpiprt3 at acpi0: bus -1 (PEX1) acpiprt4 at acpi0: bus -1 (PEX2) acpiprt5 at acpi0: bus -1 (PEX3) acpiprt6 at acpi0: bus 2 (PEX4) acpiprt7 at acpi0: bus 3 (PEX5) acpiprt8 at acpi0: bus -1 (PEX6) acpiprt9 at acpi0: bus -1 (PEX7) acpicpu0 at acpi0: C1, PSS acpicpu1 at acpi0: C1, PSS acpibtn0 at acpi0: SLPB acpibtn1 at acpi0: PWRB acpivideo0 at acpi0: GFX0 acpivout0 at acpivideo0: DD02 bios0: ROM list: 0xc/0xfa00! 
0xd/0x1000 ipmi at mainbus0 not configured cpu0: Enhanced SpeedStep 1867 MHz: speeds: 1862, 1729, 1596, 1463, 1330, 1197, 1064, 931 MHz pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel Core Host rev 0x12 vga1 at pci0 dev 2 function 0 Intel HD Graphics rev 0x12 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) intagp0 at vga1 agp0 at intagp0: aperture at 0xc000, size 0x1000 inteldrm0 at vga1: apic 0 int 16 drm0 at inteldrm0 Intel 3400 MEI rev 0x06 at pci0 dev 22 function 0 not configured ehci0 at pci0 dev 26 function 0 Intel 3400 USB rev 0x06: apic 0 int 16 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb0 at pci0 dev 28 function 0 Intel 3400 PCIE rev 0x06: apic 0 int 17 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 4 Intel 3400 PCIE rev 0x06: apic 0 int 17 pci2 at ppb1 bus 2 re0 at pci2 dev 0 function 0 Realtek 8168 rev 0x06: RTL8168E/8111E (0x2c00), apic 0 int 16, address 00:18:7d:2a:f1:1c rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 4 ppb2 at pci0 dev 28 function 5 Intel 3400 PCIE rev 0x06: apic 0 int 16 pci3 at ppb2 bus 3 re1 at pci3 dev 0 function 0 Realtek 8168 rev 0x06: RTL8168E/8111E (0x2c00), apic 0 int 17, address 00:18:7d:2a:f1:1d rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 4 ehci1 at pci0 dev 29 function 0 Intel 3400 USB rev 0x06: apic 0 int 23 usb1 at ehci1: USB revision 2.0 uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb3 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xa6 pci4 at ppb3 bus 4 pcib0 at pci0 dev 31 function 0 Intel HM55 LPC rev 0x06 ahci0 at pci0 dev 31 function 2 Intel 3400 AHCI rev 0x06: msi, AHCI 1.3 scsibus0 at ahci0: 32 targets cd0 at scsibus0 targ 4 lun 0: Optiarc, DVD RW AD-7760H, 1.00 ATAPI 5/cdrom removable sd0 at scsibus0 targ 5 lun 0: ATA, WDC WD800HLFS-75, 04.0 SCSI3 0/direct fixed naa.50014ee00231af66 sd0: 76293MB, 512 bytes/sector, 15625
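The "device timeout" and "could not transmit buffer: TIMEOUT" lines above are the only symptom the log gives for the intermittent rum0 failure, and reading them one by one from /var/log/messages does not show how often the interface is dying. The sh(1) script below is an added example, not something posted in the thread: it condenses such lines into a per-interface, per-hour count and exposes a total that a cron job can compare against a threshold. The sample log lines are constructed here (the ones quoted in the post plus one extra event and some unrelated noise); the only assumption about the real log is the standard syslog layout "Mon DD HH:MM:SS host /bsd: ifN: message".

```shell
#!/bin/sh
# Added example (not from the thread): turn rum0 "device timeout" /
# "could not transmit buffer: TIMEOUT" lines from /var/log/messages into a
# per-interface, per-hour count, so an intermittently dying AP interface
# is visible at a glance and can be checked from cron.

# Print one "ifname Mon DD HH count" line per interface and hour for every
# syslog line of the form
#   Mon DD HH:MM:SS host /bsd: ifN: device timeout
#   Mon DD HH:MM:SS host /bsd: ifN: could not transmit buffer: TIMEOUT
# Reads the file named in $1, or standard input when $1 is omitted.
# awk's default field splitting absorbs the double space syslog uses for
# single-digit days ("Dec  5"), so the field positions stay fixed.
timeout_summary() {
    awk '
        $5 == "/bsd:" && $6 ~ /^[a-z]+[0-9]+:$/ &&
        ($0 ~ /device timeout$/ || $0 ~ /TIMEOUT$/) {
            ifname = substr($6, 1, length($6) - 1)   # strip trailing colon
            hour = $1 " " $2 " " substr($3, 1, 2)    # Mon DD HH
            count[ifname " " hour]++
        }
        END { for (k in count) print k, count[k] }
    ' "${1:--}" | sort
}

# Total timeout events for interface $1 (file $2, or stdin); prints 0
# when there are none, so a cron job can compare against a threshold.
timeout_count() {
    timeout_summary "${2:--}" |
        awk -v ifc="$1" '$1 == ifc { n += $NF } END { print n + 0 }'
}

# Constructed sample: the lines quoted in the thread plus one more event
# the next morning and some unrelated kernel/syslogd noise.
sample_log() {
    cat <<'EOF'
Dec 11 14:00:01 gw syslogd: restart
Dec 11 14:13:38 gw /bsd: rum0: device timeout
Dec 11 14:13:39 gw /bsd: rum0: could not transmit buffer: TIMEOUT
Dec 11 14:28:15 gw /bsd: ehci_idone: ex=0xd2e67600 is done!
Dec 11 14:38:37 gw /bsd: rum0: could not transmit buffer: TIMEOUT
Dec 11 14:38:39 gw /bsd: rum0: device timeout
Dec 11 15:00:01 gw syslogd: restart
Dec 12 09:01:02 gw /bsd: rum0: device timeout
EOF
}

# "sh thisfile.sh demo" shows the summary for the constructed sample;
# "sh thisfile.sh /var/log/messages" summarises a real log.
case ${1:-} in
    demo) sample_log | timeout_summary ;;
    "")   ;;   # no argument: only define the functions
    *)    timeout_summary "$1" ;;
esac
```

On the constructed sample the summary is "rum0 Dec 11 14 4" and "rum0 Dec 12 09 1", i.e. the afternoon cluster from the post and the single later event; the ehci_idone and syslogd lines are ignored because their sixth field is not an interface name.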
what's wrong with /etc/netstart rum0 on 5.2
There is no problem with executing on 5.0:
# sh /etc/netstart rum0
But when I change the wpa key in my /etc/hostname.rum0 on 5.2:
inet 192.168.55.254 255.255.255.0 NONE -inet6 media autoselect mode 11g \
    mediaopt hostap chan 8 nwid namewifi \
    wpa wpaprotos wpa2 wpaakms psk wpakey xx
and execute /etc/netstart rum0, it does not work. The command doesn't release the session and I need to close and open ssh again, and then I see in ps -ax:
15401 p0- D 0:00.08 ifconfig rum0 inet 192.168.55.254 netmask 255.255.255.0 -inet6 media autoselect mo
# ifconfig rum0
rum0: flags=28803<UP,BROADCAST,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:24:21:8b:7b:aa
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect mode 11g hostap
        status: no network
        ieee80211: nwid namewifi chan 8 bssid 00:24:21:8b:7b:aa wpakey somehashhere wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
What should I do to apply the new wpa key? /etc/netstart also doesn't help, a second instance of ifconfig shows up in ps -ax.
restart relayd with new config
Scenario: I'm using relayd as transparent proxy and block some sites in work time, so I have two configs:

# cat /etc/relayd.conf
prefork 5
http protocol httpfilter {
        tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
        return error
        request header filter "*youtube.com*" from "Host"
        header change "Connection" to "close"
}
relay httpproxy {
        listen on 127.0.0.1 port 8080
        protocol httpfilter
        forward to destination
}

# cat /etc/relaydfree.conf
prefork 5
http protocol httpfilter {
        tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
}
relay httpproxy {
        listen on 127.0.0.1 port 8080
        protocol httpfilter
        forward to destination
}

Executing relayd -f /newconfig at the specified time does not have the same result as, for example, pfctl -f /newconfig. A new set of relayd processes was started instead of applying the new config. I've added this to cron:

0 9 * * 1-5 /usr/bin/pkill relayd; sleep 3; /usr/sbin/relayd -f /etc/relayd.conf
0 12 * * 1-5 /usr/bin/pkill relayd; sleep 3; /usr/sbin/relayd -f /etc/relaydfree.conf
0 13 * * 1-5 /usr/bin/pkill relayd; sleep 3; /usr/sbin/relayd -f /etc/relayd.conf
0 18 * * 1-5 /usr/bin/pkill relayd; sleep 3; /usr/sbin/relayd -f /etc/relaydfree.conf

But unfortunately this causes trouble, because pkill can't shut down all relayd instances. relayctl stop and kill -15 `pgrep relayd` also don't work and have the same result:

# ps -aux | grep relayd
_relayd 30639 99.0 0.3 6960 5192 ?? R/1 1:00PM 10:09.65 relayd: relay (relayd)
_relayd 25093 50.1 0.3 7200 5568 ?? R/0 1:00PM 26:29.77 relayd: relay (relayd)
_relayd 4696 49.0 0.3 6936 5432 ?? R/0 1:00PM 48:01.41 relayd: relay (relayd)
root 18847 0.0 0.1 1236 1876 ?? Is 1:00PM 0:00.01 relayd: parent (relayd)
_relayd 1306 0.0 0.1 808 1648 ?? I 1:00PM 0:00.00 relayd: hce (relayd)
_relayd 4036 0.0 0.3 7176 5596 ?? S 1:00PM 0:02.17 relayd: relay (relayd)
_relayd 32523 0.0 0.1 2280 2552 ?? S 1:00PM 0:00.21 relayd: relay (relayd)
_relayd 636 0.0 0.1 1132 2020 ?? S 1:00PM 0:00.01 relayd: pfe (relayd)
root 29834 0.0 0.0 876 4 p0 R+/1 3:29PM 0:00.00 grep relayd (ksh)
# kill -15 `pgrep relayd`
# ps ax | grep relayd
30639 ?? R/0 12:32.21 relayd: relay (relayd)
4696 ?? R/0 49:31.75 relayd: relay (relayd)
25093 ?? R/1 27:54.53 relayd: relay (relayd)

Is there a way to avoid using:
kill -9 `pgrep relayd`
relayd -f /newconfig
or is it normal to use kill -9 for relayd?
Re: restart relayd with new config
On 11/29/2012 01:04 AM, Sebastian Benoit wrote:
> lilit-aibolit (lilit-aibo...@mail.ru) on 2012.11.28 15:58:42 +0200:
>> Scenario: I'm using relayd as transparent proxy and block some sites in work time, so I have two configs:
>>
>> # cat /etc/relayd.conf
>> prefork 5
>> http protocol httpfilter {
>>         tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
>>         return error
>>         request header filter "*youtube.com*" from "Host"
>>         header change "Connection" to "close"
>> }
>> relay httpproxy {
>>         listen on 127.0.0.1 port 8080
>>         protocol httpfilter
>>         forward to destination
>> }
>>
>> # cat /etc/relaydfree.conf
>> prefork 5
>> http protocol httpfilter {
>>         tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
>> }
>> relay httpproxy {
>>         listen on 127.0.0.1 port 8080
>>         protocol httpfilter
>>         forward to destination
>> }
>
> You are starting relayd a second time here, you are not reloading the configuration:
>
>> Executing relayd -f /newconfig at the specified time does not have the same result as, for example, pfctl -f /newconfig.
>
> Use 'relayctl reload'.
>
> /Benno

Good. I have two configs. And at the specified time I need to *reload* to the new config-file, not reload the same config-file. How does 'relayctl reload' help me?
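The open question in this exchange is how 'relayctl reload', which re-reads the file relayd was started with, can switch between two different files. The sh(1) script below is an added example, not code from the thread or from the relayd project: it keeps /etc/relayd.conf as a symlink to one of the two real configs, swaps the symlink atomically, and then reloads. It assumes relayd was started from the default /etc/relayd.conf, that the work-time config has first been copied out of the way to a new file (/etc/relayd.work.conf is a hypothetical name; /etc/relaydfree.conf is the file named in the thread), and that relayd's configtest mode (-n) is available to check a candidate before it goes live. The paths and tool names are overridable from the environment, which is also how the functions are tested without a running relayd.

```shell
#!/bin/sh
# Added example (not from the thread): switch relayd between two prepared
# config files and apply the change with "relayctl reload" instead of
# pkill / kill -9 plus a fresh start.
#
# Assumptions: relayd was started from the default /etc/relayd.conf, and
# that path is turned into a symlink to one of two real files. The
# work-time config therefore has to be copied to a new name first;
# /etc/relayd.work.conf is a hypothetical name, /etc/relaydfree.conf is
# the file named in the thread. Paths and tools can be overridden from
# the environment, which is also how the script is tested.
WORK_CONF=${WORK_CONF:-/etc/relayd.work.conf}
FREE_CONF=${FREE_CONF:-/etc/relaydfree.conf}
LIVE_CONF=${LIVE_CONF:-/etc/relayd.conf}
RELAYD=${RELAYD:-/usr/sbin/relayd}
RELAYCTL=${RELAYCTL:-/usr/sbin/relayctl}

# Syntax-check a candidate with relayd's configtest mode (-n) before it
# is allowed anywhere near the live path.
check_config() {
    "$RELAYD" -n -f "$1" >/dev/null 2>&1
}

# Which real file is live right now (empty if LIVE_CONF is not a symlink).
current_config() {
    readlink "$LIVE_CONF"
}

# Point LIVE_CONF at $1 and make the running relayd re-read it.
# The symlink is created under a temporary name and renamed into place,
# so a crash half-way never leaves relayd without a config file.
switch_config() {
    target=$1
    if [ ! -r "$target" ]; then
        echo "switch_config: cannot read $target" >&2
        return 1
    fi
    # Refuse to clobber a real file: the admin must first move it aside.
    if [ -e "$LIVE_CONF" ] && [ ! -L "$LIVE_CONF" ]; then
        echo "switch_config: $LIVE_CONF is a regular file, not a symlink" >&2
        return 1
    fi
    if ! check_config "$target"; then
        echo "switch_config: $target fails relayd -n, keeping $(current_config)" >&2
        return 1
    fi
    tmp="$LIVE_CONF.tmp.$$"
    ln -s "$target" "$tmp" || return 1
    if ! mv -f "$tmp" "$LIVE_CONF"; then
        rm -f "$tmp"
        return 1
    fi
    "$RELAYCTL" reload
}

# Command-line use, e.g. from crontab (script path is hypothetical):
#   0 9  * * 1-5 /usr/local/sbin/relayd-switch work
#   0 12 * * 1-5 /usr/local/sbin/relayd-switch free
case ${1:-} in
    work)   switch_config "$WORK_CONF" ;;
    free)   switch_config "$FREE_CONF" ;;
    status) current_config ;;
    "")     ;;   # no argument: only define the functions
    *)      echo "usage: $0 work|free|status" >&2; exit 2 ;;
esac
```

The two safety checks are the point of the example: a config that fails 'relayd -n' never becomes the live symlink, so the reload cannot leave relayd running with a broken file, and a regular file sitting at /etc/relayd.conf is refused rather than silently replaced by a symlink on the first run.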
Re: low signal strength hostap (Solved)
On 11/04/2012 08:33 PM, Mihai Popescu wrote:
> Hello there,
> You need to post full dmesg and configuration files for wireless, leaving out the sensitive data like wpakey or passwords, maybe domain names too. This way you might get some help, because nobody likes to guess what you have there.
> Just curious, what is that kind of hardware you posted on the web, is it an alix board?
> Thanks.

It's not an OpenBSD issue. The low signal was due to a weak contact in the red-labelled area:
http://i.piccy.info/i7/37594bb9588bf4f5da19327a4419f1ca/4-48-188/36478797/SAM_5902.jpg
After some hand-made tweaks with the available means the problem was solved. This is not an ALIX board.

# dmesg
OpenBSD 5.1 (GENERIC.MP) #188: Sun Feb 12 09:55:11 MST 2012
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Celeron(R) CPU P4500 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,POPCNT,LAHF
real mem = 2003460096 (1910MB)
avail mem = 1960562688 (1869MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/27/09, SMBIOS rev. 2.6 @ 0xeb140 (26 entries)
bios0: vendor American Megatrends Inc. version 4.6.3 date 05/07/2010
bios0: ICP / iEi B158
acpi0 at bios0: rev 3
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC SSDT MCFG HPET ASF!
acpi0: wakeup devices P0P1(S1) PEGP(S4) P0P2(S1) P0P3(S1) P0P4(S1) P0P5(S1) PS2K(S1) PS2M(S1) BR20(S1) EUSB(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S4) USB4(S1) USB5(S1) USB6(S1) PEX0(S1) PEX1(S1) PEX2(S1) PEX3(S1) PEX4(S1) PEX5(S1) PEX6(S1) LAN2(S1) PEX7(S1) GBE_(S4) SLPB(S0) PWRB(S1) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 4 (application processor) cpu1: Intel(R) Celeron(R) CPU P4500 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,POPCNT,LAHF ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 3 (BR20) acpiprt2 at acpi0: bus 1 (PEX0) acpiprt3 at acpi0: bus -1 (PEX1) acpiprt4 at acpi0: bus -1 (PEX2) acpiprt5 at acpi0: bus -1 (PEX3) acpiprt6 at acpi0: bus -1 (PEX4) acpiprt7 at acpi0: bus -1 (PEX5) acpiprt8 at acpi0: bus 2 (PEX6) acpiprt9 at acpi0: bus -1 (PEX7) acpicpu0 at acpi0: C1, PSS acpicpu1 at acpi0: C1, PSS acpibtn0 at acpi0: SLPB acpibtn1 at acpi0: PWRB acpivideo0 at acpi0: GFX0 acpivout0 at acpivideo0: DD02 bios0: ROM list: 0xc/0xfa00! 
0xd/0x1000 ipmi at mainbus0 not configured cpu0: Enhanced SpeedStep 1867 MHz: speeds: 1862, 1729, 1596, 1463, 1330, 1197, 1064, 931 MHz pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel Core Host rev 0x12 vga1 at pci0 dev 2 function 0 Intel Mobile HD graphics rev 0x12 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) intagp0 at vga1 agp0 at intagp0: aperture at 0xd000, size 0x1000 inteldrm0 at vga1: apic 0 int 16 drm0 at inteldrm0 Intel 3400 MEI rev 0x06 at pci0 dev 22 function 0 not configured em0 at pci0 dev 25 function 0 Intel 82577LM rev 0x06: msi, address 00:18:7d:0e:f5:34 ehci0 at pci0 dev 26 function 0 Intel 3400 USB rev 0x06: apic 0 int 16 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb0 at pci0 dev 28 function 0 Intel 3400 PCIE rev 0x06: apic 0 int 17 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 6 Intel 3400 PCIE rev 0x06: apic 0 int 18 pci2 at ppb1 bus 2 em1 at pci2 dev 0 function 0 Intel PRO/1000 MT (82574L) rev 0x00: msi, address 00:18:7d:0e:f5:33 ehci1 at pci0 dev 29 function 0 Intel 3400 USB rev 0x06: apic 0 int 23 usb1 at ehci1: USB revision 2.0 uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb2 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xa6 pci3 at ppb2 bus 3 pcib0 at pci0 dev 31 function 0 Intel QM57 LPC rev 0x06 ahci0 at pci0 dev 31 function 2 Intel 3400 AHCI rev 0x06: msi, AHCI 1.3 scsibus0 at ahci0: 32 targets sd0 at scsibus0 targ 1 lun 0: ATA, WDC WD800HLFS-75, 04.0 SCSI3 0/direct fixed naa.50014ee0ab8b7ce0 sd0: 76293MB, 512 bytes/sector, 15625 sectors cd0 at scsibus0 targ 5 lun 0: Optiarc, DVD RW AD-7710H, 1.01 ATAPI 5/cdrom removable ichiic0 at pci0 dev 31 function 3 Intel 3400 SMBus rev 0x06: apic 0 int 18 iic0 at ichiic0 spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-8500 SO-DIMM isa0 at pcib0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: 
probed fifo depth: 15 bytes com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo com1:
low signal strength hostap
Description: I have two very identical boxes with integrated wlan. One of them has a ral device and there is no problem with it:
ral0 at pci1 dev 0 function 0 "Ralink RT3090" rev 0x00: apic 2 int 16, address 00:12:0e:b1:6e:c7
ral0: MAC/BBP RT3071 (rev 0x0213), RF RT3020 (MIMO 1T1R)
I'm able to work with wlan in a large office with many rooms. The other system has a rum device, and even when I change the default antenna to:
http://www.tp-link.com/en/products/details/?categoryid=217&model=TL-ANT2408C#spec
I'm only able to work with wifi near the box. At five meters distance signal and speed are lost.
Second box inside: http://i.piccy.info/i7/1a7b8b084d13e55847dcd752803b92a4/4-48-83/45834655/SAM_5902.jpg
uname: OpenBSD gw2.kh 5.2 GENERIC.MP#339 i386
dmesg:
rum0 at uhub2 port 3 "Ralink 802.11 bg WLAN" rev 2.00/0.01 addr 3
rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528, address 00:24:21:8b:7b:aa
ifconfig rum0
rum0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:24:21:8b:7b:aa
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect mode 11g hostap
        status: active
        ieee80211: nwid Monkey chan 8 bssid 00:24:21:8b:7b:aa wpakey 0xef79762bd4241d691eeaf9d5281a9604b62a96374ead5be90b6d012b92c7522e wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
        inet 192.168.44.1 netmask 0xffffff00 broadcast 192.168.44.255
Re: kvm and Openbsd 5.1
On 07/21/2012 01:50 PM, Holger Glaess wrote:
>> Hi list, today I've installed OpenBSD 5.1 amd64 on a kvm (linux slackware). kvm version is 1.0.1. Starting the machine with 4 cores and bsd.mp, it crashes. Disabling mpbios, it sees only one core and not smp. Then I've updated kvm to 1.1.1 but the results are the same. Is there someone that has started obsd on kvm and avoided this problem? Is this problem kvm related? Another question: has someone tried obsd 5.1 on ESX? Thanks in advance.
>
> hi
> i run 2 guests with 5.1 on proxmox 2.1 distribution. i don't know what the version of kvm is behind proxmox, but openbsd 5.1 runs as expected, normal ;)
> for more information check http://www.proxmox.com/products/proxmox-ve
> holger

Hi Holger. I had read and remembered your answer, and now I have a machine with full hw intel vt support. I tried to install 5.1 and it works. But I have an issue shutting down the 5.1 guest. It doesn't work when I try halt -p in the console, and it also doesn't work when I try to shut down from the proxmox page. Only stop works. This is the reason why I can't, for example, just reboot proxmox. Do you have such trouble?
Re: ftp in both direction through pf
On 08/21/2012 08:48 PM, Maurice Janssen wrote:
> On 08/21/2012 10:15 AM, lilit-aibolit wrote:
>> On 08/20/2012 09:49 PM, Maurice Janssen wrote:
>>> On 08/20/2012 04:43 PM, lilit-aibolit wrote:
>>>> I have an internal ftp-server. To give access to it from the Internet I use ftp-proxy:
>>>>   ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"
>>>> and rules:
>>>>   anchor "ftp-proxy/*"
>>>>   pass in on $ext_if inet proto tcp from any to (em1) port ftp
>>>>   pass out on $int_if inet proto tcp from any to ftp_server port ftp user proxy
>>>> and this works. But I need to give access to external ftp-servers from my lan. I use rules:
>>>>   match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
>>>>   pass in on $int_if inet proto tcp from <lan> to any port { ftp, 49151 }
>>>>   pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }
>>>> and it does not work from lan:
>>>> <snip>
>>>> what is wrong with my config? thanks.
>>>
>>> You need to start ftp-proxy twice. One to redirect the external clients to the internal server and another one for the internal clients. And of course you also need to redirect the internal client to the second instance of ftp-proxy. Something like this should work:
>>> rc.conf.local (for internal clients):
>>>   ftpproxy_flags=""
>>> rc.local (for external clients):
>>>   /usr/sbin/ftp-proxy -R <internal ip of server> -p 21 -b <external ip>
>>> And make sure you have something like this in your pf.conf:
>>>   pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>>
>> Thanks for reply Maurice. I just started a new instance of ftp-proxy and modified the rules:
>>   # fstat | grep internet | grep ftp
>>   proxy ftp-proxy 24178 3* internet stream tcp 0xd6354198 127.0.0.1:8021
>>   proxy ftp-proxy 29949 3* internet stream tcp 0xd6bea334 ext_ip:21
>>   # ps -ax | grep ftp
>>   29949 ?? Is 0:00.87 ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip
>>   24178 ?? Is 0:00.00 ftp-proxy
>
> That looks good.
>
>>   match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
>>   pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>>   pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }
>> With this the ftp connection works in passive mode, but if I delete 49151 it stops working.
>
> You mean for internal clients connecting to external ftp servers?
>
>> As it should be? Because the man-page doesn't say to open 49151:
>> http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8&manpath=OpenBSD+5.1#end
>
> The high port should be opened by ftp-proxy, so something is not right. Difficult to say without seeing the whole pf.conf.
>
> Maurice

Ok. Just if you have time to review it. twikimail is the internal ftp server. From it I also test connections to external ftp servers.

# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if = "em1"
wifi_if = "ral0"
int_if = "em0"
portstuff = "{ smtps, submission, pop3, pop3s, imap, imaps, www, https, pptp, 1194, 1863, 5222 }"

table <firewall> const { self }
table <tlv_lan> { 192.168.2.0/24 }
table <tlv_wifi> { 192.168.22.0/24 }
table <tlk> { 192.168.5.0/24 }
table <tlk_gw> { x.x.x.x }
#table <admin> { 192.168.2.208 }
table <dns> { x.x.x.x, 8.8.8.8 }
table <vpn> { 192.168.88.0/24 }
#table <adminvpn> { 192.168.14.115, 192.168.14.113 }
table <redmine> { 192.168.5.252 }
table <mysql> { 192.168.5.248 }
table <twikimail> { 192.168.2.102 }
table <lic> { 192.168.5.246 }
table <qnap> { 192.168.5.200 }
table <private> { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
    127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
    172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
    192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table <bruteforce> persist
#table <advertisement> file "/etc/advertisement"
table <spamd-white> persist
table <spamd> persist
#table <spamd-bypass> file "/etc/mail/spamd.bypass"
#table <spamd-black> file "/etc/mail/spamd.black"

set skip on { lo, enc0 }
#set loginterface ral0
set timeout { frag 20, tcp.established 3600 }
set block-policy return

#antispoof quick for { em1 }
match in all scrub (no-df)
anchor "ftp-proxy/*"

#nat
#match out on $ext_if inet from <admin> to any nat-to (em1)
match out on $ext_if inet proto tcp from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)
match out on $ext_if inet proto udp from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)
match out on $ext_if inet proto gre from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)

#rdr
match in on $ext_if inet proto tcp from any to (em1) port { www, https, 3690 } rdr-to 192.168.2.102

#block in quick on $int_if from any to <advertisement>
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on $ext_if from { <bruteforce>, <private>, <spamd-black> } to any
block out quick on $ext_if from any to <private>
block in quick on $int_if inet proto tcp from !<twikimail> to any port smtp
block all

#in
pass in on $ext_if inet proto tcp from any
Re: ftp in both direction through pf (SOLVED)
In the above letter I had a mistake. I did
  pass in on $int_if inet proto tcp from <tlv_lan> to port ftp divert-to 127.0.0.1 port 8021
and at the same time allowed { ftp, 49151 } for the internal host on which I tested the connection to remote ftp. I deleted those ports and now the internal client can connect to external ftp servers in active and passive mode. Connection to the internal ftp also works.
  pass in on $int_if inet proto tcp from <twikimail> to any port { smtp, submission, www, https, ftp, 49151 }
Re: ftp in both direction through pf
On 08/20/2012 09:49 PM, Maurice Janssen wrote:
> On 08/20/2012 04:43 PM, lilit-aibolit wrote:
>> I have an internal ftp-server. To give access to it from the Internet I use ftp-proxy:
>>   ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"
>> and rules:
>>   anchor "ftp-proxy/*"
>>   pass in on $ext_if inet proto tcp from any to (em1) port ftp
>>   pass out on $int_if inet proto tcp from any to ftp_server port ftp user proxy
>> and this works. But I need to give access to external ftp-servers from my lan. I use rules:
>>   match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
>>   pass in on $int_if inet proto tcp from <lan> to any port { ftp, 49151 }
>>   pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }
>> and it does not work from lan:
>> <snip>
>> what is wrong with my config? thanks.
>
> You need to start ftp-proxy twice. One to redirect the external clients to the internal server and another one for the internal clients. And of course you also need to redirect the internal client to the second instance of ftp-proxy. Something like this should work:
> rc.conf.local (for internal clients):
>   ftpproxy_flags=""
> rc.local (for external clients):
>   /usr/sbin/ftp-proxy -R <internal ip of server> -p 21 -b <external ip>
> And make sure you have something like this in your pf.conf:
>   pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>
> Maurice

Thanks for reply Maurice. I just started a new instance of ftp-proxy and modified the rules:
# fstat | grep internet | grep ftp
proxy ftp-proxy 24178 3* internet stream tcp 0xd6354198 127.0.0.1:8021
proxy ftp-proxy 29949 3* internet stream tcp 0xd6bea334 ext_ip:21
# ps -ax | grep ftp
29949 ?? Is 0:00.87 ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip
24178 ?? Is 0:00.00 ftp-proxy

match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }

With this the ftp connection works in passive mode, but if I delete 49151 it stops working. As it should be? Because the man-page doesn't say to open 49151:
http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8&manpath=OpenBSD+5.1#end
ftp in both direction through pf
I have an internal ftp-server. To give access to it from the Internet I use ftp-proxy:
  ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"
and rules:
  anchor "ftp-proxy/*"
  pass in on $ext_if inet proto tcp from any to (em1) port ftp
  pass out on $int_if inet proto tcp from any to ftp_server port ftp user proxy
and this works. But I need to give access to external ftp-servers from my lan. I use rules:
  match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
  pass in on $int_if inet proto tcp from <lan> to any port { ftp, 49151 }
  pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }
and it does not work from lan:

ftp> open ftpserver
Connected to ftpserver.
220 www.ftpserver FTP server ready.
User (ftpserver:(none)): user
331 Password required for user.
Password:
230 User user logged in.
ftp> dir
500 Illegal PORT rejected (address wrong).
425 Can't build data connection: Connection refused.
ftp> dir
425 Can't build data connection: Connection refused.
ftp> quit
221 Goodbye.

what is wrong with my config? thanks.
Re: Dilemma: between OpenBSD and NetBSD
On 08/10/2012 05:17 PM, Francois Pussault wrote:
> In computer file systems, soft updates is an approach to maintaining disk integrity after a crash or power outage. They are an alternative to journaling file systems.

Why is softdep not enabled by default?
/etc/mygate not work
There is strange behaviour in 5.1.

before reboot:
# cat /etc/mygate
192.168.2.80
# ls -la /etc/mygate
-rw-r--r-- 1 root wheel 13 Jul 30 13:15 /etc/mygate
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        ...
em0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        ..
        status: active
        inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ...
        status: no carrier
        inet6 fe80::218:7dff:fe13:f325%em1 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        ..
rum0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        ..
        status: active
        ..
        inet 192.168.22.2 netmask 0xffffff00 broadcast 192.168.22.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        ..
        status: active
        inet 192.168.88.1 --> 192.168.88.2 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196

after reboot:
# netstat -rn
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127/8              127.0.0.1          UGRS       0        0 33196     8 lo0
127.0.0.1          127.0.0.1          UH         1        6 33196     4 lo0
192.168.2/24       link#1             UC         2        0     -     4 em0

The default route is absent. Please help me understand what is wrong.
ipsec between 5.0 5.1
Hi misc. Is it possible?
is application goes to sleep?
Hi misc, please send me the right way. I have a java-application: https://bitbucket.org/sdorra/scm-manager/wiki/Home
It stopped answering one week after the start, but the application is still listening on its tcp port and present in the process list. It seems that no one had touched it in that time... Is it possible that this app went to sleep and didn't come back?? And is this situation possible in principle for any application/daemon? After doing stop/start the app works fine. Unfortunately I can't touch/open the application every day to verify that it works and to prevent it from going to sleep.
pf: interface in parentheses
Hi misc. Simple question, to fully understand: I have DHCP on the WAN interface. Can I use macros for this interface in rules? Like this:
ext_if = "em1"
antispoof quick for { em1 }          or          { (em1) }
match out on $ext_if inet from <admin> to any nat-to (em1)
pass in on $ext_if inet proto tcp from any to (em1) port ssh
pass out on $ext_if inet proto udp from (em1) to <dns> port domain
I.e. I need to use parentheses only in src_addr/dst_addr? In the other case (interface name) I can use macros. Is it possible to define the dhcp interface in a macro, ext_if = "(em1)"?
opensmtpd php_mail /usr/sbin/sendmail
Hello misc. There are many web applications that use the php_mail function, which points to /usr/sbin/sendmail on localhost. In some cases sendmail is used with the smart_host+masquerade options to deliver email via gmail, for example. Configuring sendmail to work with gmail (SMTP AUTH/TLS) is hard for me. The question: is it possible to use opensmtpd instead of sendmail to send email composed by the php_mail function? And how do I point the web-application to opensmtpd?
Re: opensmtpd php_mail /usr/sbin/sendmail
30.05.2012 10:23, Gilles Chehade wrote:
> You can configure opensmtpd to work with gmail relatively easily:
> /etc/mail/gmail-credentials.txt:
>   mail.google.com user:password
> /etc/mail/smtpd.conf:
>   map gmail source plain /etc/mail/gmail-credentials.txt
>   accept for all relay via mail.google.com tls auth gmail
> To let your chrooted apache communicate with opensmtpd, you can use mini_sendmail from packages, or any smtp client really. However there is no masquerading at the envelope level yet

Thanks for your reply Gilles. I will try to test it. But while I waited for some answers to my question, I found a great how-to and followed it with a good final result: gmail receives mail from my sendmail.
http://theory14.wordpress.com/2009/06/16/openbsd-smtp-authtls-imaps-proxy/
Re: kqemu in 5.1
04.05.2012 13:28, Weldon Goree wrote:
> On 05/04/12 06:12, Jes wrote:
>> Hi all: I can't find kqemu between snapshots packages, ports, or even in 5.1 packages. I think I've read something about kqemu being deprecated in newer versions of qemu (1.0.1). Is this correct? Because performance without kqemu is horrible. Any solution?
>
> Yes, it was killed upstream since Linux now comes with its own hypervisor (KVM). AFAIK OpenBSD currently does not have a working hypervisor since it also can't be dom0 on xen until such time as xen stops randomly overwriting register contents at unpredictable times. So, as of now, any virtualization will have to be of the plain qemu or bochs variety. Sorry.
> Best, Weldon

qemu-0.14.1p4.tgz and kqemu-1.3.0pre11p3.tgz are in packages. Does this not work?
Re: Intel ICH9R compatibility with OpenBSD
12.03.2012 18:01, Axton wrote:
> On Mon, Mar 12, 2012 at 9:44 AM, lilit-aibolit <lilit-aibo...@mail.ru> wrote:
>> Hello misc, please give me some advice to buy low-power and low-noise HW. My selection is:
>> http://www.supermicro.nl/products/system/1U/5015/SYS-5015A-PHF.cfm?typ=E
>> that has the Intel ICH9R chipset. But in supported hardware it is absent:
>> - Intel 82801 (ICH/ICH0/ICH2/ICH3/ICH4/ICH4-M/ICH5/ICH5R/ICH6/ICH6/ICH6/ICH7)
>
> I am using a 5015A (I think 5015A-EHF) without any issues. I don't use the ICH9R or any other ICHxx RAID capabilities, so that chipset does not matter to me. I think the whole architecture of allowing the chipset to use the kernel for RAID capabilities/offloading is garbage. The design has too many points of failure (kernel driver, chipset implementation and firmware, userland software for raid management, etc.). It's an unreliable implementation that allows people who do not understand what they are doing to say "I have a RAID array" and gives them a pretty GUI to manage the array. Software based raid in OpenBSD is fine, but lacks some capabilities for setting up a raid array for the root partition, though I admit I lack in depth knowledge in this area, so I could be wrong with this statement. I'm sure others will chime in if I'm mistaken.
>
> Note these bits:
>   pciide0 at pci0 dev 31 function 2 "Intel 82801I SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
>   pciide0: using apic 3 int 19 for native-PCI interrupt
> That's the important part. OpenBSD seems to work well with this chipset. The network hardware/driver for this machine results in high interrupt rates under heavy load. This is my only complaint with the box. For my needs it works just fine though. I can move traffic through the box at a rate that is acceptable for my needs.
OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Atom(TM) CPU D510 @ 1.66GHz (GenuineIntel 686-class) 1.67 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE real mem = 3220283392 (3071MB) avail mem = 3157540864 (3011MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 05/26/10, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.6 @ 0x9ac00 (19 entries) bios0: vendor American Megatrends Inc. version 1.0c date 05/26/2010 bios0: Supermicro X7SPA-HF acpi0 at bios0: rev 2 acpi0: sleep states S0 S1 S4 S5 acpi0: tables DSDT FACP APIC MCFG SLIC OEMB HPET acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) GBE_(S4) SLPB(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 168MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Atom(TM) CPU D510 @ 1.66GHz (GenuineIntel 686-class) 1.69 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE ioapic0 at mainbus0: apid 3 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 1, remapped to apid 3 acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 4 (P0P1) acpiprt2 at acpi0: bus 1 (P0P4) acpiprt3 at acpi0: bus -1 (P0P5) acpiprt4 at acpi0: bus -1 (P0P6) acpiprt5 at acpi0: bus -1 (P0P7) acpiprt6 at acpi0: bus 2 (P0P8) acpiprt7 at acpi0: bus 3 (P0P9) acpicpu0 at acpi0 acpicpu1 at acpi0 acpibtn0 at acpi0: SLPB acpibtn1 at acpi0: PWRB bios0: ROM list: 0xc/0x8000 ipmi at 
mainbus0 not configured pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel Pineview DMI rev 0x02 uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x02: apic 3 int 16 uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x02: apic 3 int 21 uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x02: apic 3 int 19 ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x02: apic 3 int 18 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb0 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: apic 3 int 17 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02: apic 3 int 17 pci2 at ppb1 bus 2 em0 at pci2 dev 0 function 0 Intel PRO/1000 MT (82574L) rev 0x00: msi, address 00:25:90:09:9b:80 ppb2 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02: apic 3 int 16 pci3 at ppb2 bus 3 em1 at pci3 dev 0 function 0 Intel PRO/1000 MT (82574L) rev 0x00: msi, address 00:25:90:09:9b:81 uhci3 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: apic 3 int 23 uhci4 at pci0 dev 29 function 1 Intel 82801I USB rev 0x02: apic 3 int 19 uhci5 at
Re: SSH, root can repeat commands with up arrow, others cannot
11.03.2012 21:43, Chris Bennett wrote:
> This started for me a while back. Login as root, I can repeat older commands with up/down arrows. History command shows history.
> su -l otheruser
> Cannot use up/down arrows to access history. History command shows correct history.
> Login remotely as otheruser. Same problem.
> Chris Bennett

Try adding this to your .profile:

export HISTFILE=~/.sh_history

and re-login. It works for me and saves all history after disconnecting and starting a new session.
Intel ICH9R compatibility with OpenBSD
Hello misc, please give me some advice on buying low-power and low-noise HW. My selection is: http://www.supermicro.nl/products/system/1U/5015/SYS-5015A-PHF.cfm?typ=E which has the Intel ICH9R chipset. But in the supported hardware list it is absent:
- Intel 82801 (ICH/ICH0/ICH2/ICH3/ICH4/ICH4-M/ICH5/ICH5R/ICH6/ICH6/ICH6/ICH7)
Re: disk management
13.01.2012 17:22, Stuart Henderson wrote:
> On 2012/01/13 16:55, lilit-aibolit wrote:
>> 13.01.2012 16:11, Stuart Henderson wrote:
>>>> a:  1.0G        63  4.2BSD   2048 16384    1 # /
>>>> b:  1.2G   2097215    swap
>>>> c: 37.3G         0  unused
>>>> d:  2.6G   4683375  4.2BSD   2048 16384    1 # /tmp
>>>> e:  4.0G  10052439  4.2BSD   2048 16384    1 # /var
>>>> f:  2.0G  18541648  4.2BSD   2048 16384    1 # /usr
>>>> g:  1.0G  22735952  4.2BSD   2048 16384    1 # /usr/X11R6
>>>> h:  3.5G  24833104  4.2BSD   2048 16384    1 # /usr/local
>>>> i:  1.9G  32229473  4.2BSD   2048 16384    1 # /usr/src
>>>> j:  1.9G  36247864  4.2BSD   2048 16384    1 # /usr/obj
>>>> k: 18.1G  40266255  4.2BSD   2048 16384    1 # /home
>>> As you have partitions on the disk between /usr and /home, you can't easily just grow /var. Here are some options:
>>> - backup, reinstall with better partition sizes, restore.
>>> - swap /var and /home partitions (shut down services, copy files around between the partitions, swap the fstab entries, reboot). if you are not totally confident with doing this, make sure your backups are up-to-date first.
>>> - if you only need a little more space, or if you need to buy some time until you can plan a proper reinstallation, move your squid cache_dir to /home.
>> I got the same recommendation from Vadim Zhukov <persg...@gmail.com> with a little difference, do it in single mode:
>> 1. Boot in single user mode, enter shell.
>> 2. mount /, /usr, /var and /home.
>> 3. Move /var/* to /home.
>> 4. Move /home/* to /var (except what moved on step 3).
>> 5. Umount /home and /var.
>> 6. Edit fstab and switch /home and /var mount points.
>> 7. Try to mount /home and /var now, checking all is ok.
>> 8. Proceed booting (^D) and have a nice day.
>> but I operate remotely, and can't shut down all services, such as PF or SSH. So in any way I need to do this locally?
> I do not *recommend* doing this without console access, but sometimes there is no other choice. ;-)
> Since you don't have full access you need to take extra care. Shut down anything that you don't absolutely require. syslogd, squid, httpd/nginx, whatever.
> I would *copy* files from /home to /var, not move them (of course you'll need to clear some space first - old logs or squid cache might be a good candidate). I would probably skip steps 5 and 7, just be careful that your fstab lines are correct. Take care and think about every command before you press the enter key. Check that everything is in the right place before you reboot.

Thanks to all who helped with this. After testing on a local PC, I did it on the remote server by following these steps:
- shut down and pkill all processes except sshd
- cp -pR /var/* /home
- same for the home dir to var
- change the letters in fstab
- reboot and remove unnecessary files in var and home
- everything works correctly and now I have more space in var for the www-project:

Using username "root".
Last login: Thu Feb 23 08:57:29 2012 from 192.168.14.113
OpenBSD 4.7-stable (GENERIC) #3: Mon Sep 27 15:35:17 EEST 2010
# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a     1005M    211M    744M    22%    /
/dev/wd0k     17.8G    2.0G   14.9G    12%    /var
/dev/wd0d      2.5G    6.0K    2.4G     0%    /tmp
/dev/wd0f      2.0G    927M    985M    48%    /usr
/dev/wd0g     1005M    167M    787M    18%    /usr/X11R6
/dev/wd0h      3.5G    280M    3.0G     8%    /usr/local
/dev/wd0j      1.9G    993M    841M    54%    /usr/obj
/dev/wd0i      1.9G    790M    1.0G    43%    /usr/src
/dev/wd0e      4.0G    411M    3.4G    11%    /home
#
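The step in the procedure above that can lock a remote admin out is the fstab edit: if the swapped lines are wrong, the box comes back with /var or /home missing and no console to fix it. The following is an added example, not something from the thread, of doing that one step mechanically: it rewrites an fstab text so that two mount points exchange their device entries, and refuses to do so unless each mount point appears exactly once. It works on a copy read from stdin and assumes the usual whitespace-separated fstab columns; the sample fstab is constructed here to match the disklabel in the thread (wd0e = /var, wd0k = /home).

```shell
#!/bin/sh
# Added example (not from the thread): swap the mount points of two fstab
# entries, e.g. /var <-> /home, after checking the file is sane.
# Nothing here touches /etc/fstab unless you redirect the output there.

# swap_fstab_mounts A B  <fstab
# Prints the fstab from stdin with the mount-point column of A and B
# exchanged; comments and blank lines pass through unchanged.
swap_fstab_mounts() {
    awk -v a="$1" -v b="$2" -v OFS='\t' '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        $2 == a { $2 = b; print; next }
        $2 == b { $2 = a; print; next }
        { print }
    '
}

# check_fstab_swap A B  <fstab
# Exit status 0 when both A and B occur exactly once as mount points,
# 1 otherwise (a missing or duplicated entry would leave the box unbootable).
check_fstab_swap() {
    awk -v a="$1" -v b="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $2 == a { na++ }
        $2 == b { nb++ }
        END { exit (na == 1 && nb == 1) ? 0 : 1 }
    '
}

# Constructed sample fstab; device letters follow the disklabel in the thread.
SAMPLE_FSTAB='# device    mount    type  options          dump pass
/dev/wd0a   /        ffs   rw               1 1
/dev/wd0e   /var     ffs   rw,nodev,nosuid  1 2
/dev/wd0k   /home    ffs   rw,nodev,nosuid  1 2'

# swap_var_home: run the check, then print the rewritten sample fstab.
# Prints nothing and returns 1 if the check fails.
swap_var_home() {
    printf '%s\n' "$SAMPLE_FSTAB" | check_fstab_swap /var /home || return 1
    printf '%s\n' "$SAMPLE_FSTAB" | swap_fstab_mounts /var /home
}

swap_var_home
```

To use it on a real system, feed it `/etc/fstab` and write the result to a new file, diff the two, and only then move the new file into place; the check makes the rewrite refuse an fstab in which one of the two mount points is commented out or listed twice, which is the case that would otherwise surface only at the next boot.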
Re: NFS : RPC: Program not registered
19.01.2012 13:29, Giridhari wrote:
> HELO. I am following http://openbsd.org/faq/faq6.html#NFS and have the server running, and showmount shows an export, but on the client when I get to the line in the faq
> # mount -t nfs 10.0.0.1:/work /mnt
> and adapt it to the setup I have here I get the message "RPC: Program not registered". I did a bit of searching but couldn't find anything for OpenBSD about this. Everything else in the faq has worked fine. What am I doing wrong?
> Giridhari

Try mount without -t nfs. Also be sure /mnt is created on the client. Also try sudo mount.
Re: NFS : RPC: Program not registered
19.01.2012 16:23, Jan Stary wrote:
> On Jan 19 13:02:33, David Coppa wrote:
>> On Thu, Jan 19, 2012 at 12:29 PM, Giridhari <giridh...@live.com.au> wrote:
>>> HELO. I am following http://openbsd.org/faq/faq6.html#NFS and have the server running, and showmount shows an export, but on the client when I get to the line in the faq
>>> # mount -t nfs 10.0.0.1:/work /mnt
>>> and adapt it to the setup I have here I get the message "RPC: Program not registered". I did a bit of searching but couldn't find anything for OpenBSD about this. Everything else in the faq has worked fine. What am I doing wrong?
>> You need to start portmap on the clients
> Mounting NFS Filesystems
> NFS filesystems can be mounted from a client without needing to enable any services or daemons.

In this case we don't know from what system he is trying to mount. For example, in Linux the nfs-common package is needed.
disk management
Hi misc. Here is a newbie question. I have a disk with unused space:

# disklabel -p g wd0
16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:  1.0G        63  4.2BSD   2048 16384    1 # /
  b:  1.2G   2097215    swap
  c: 37.3G         0  unused
  d:  2.6G   4683375  4.2BSD   2048 16384    1 # /tmp
  e:  4.0G  10052439  4.2BSD   2048 16384    1 # /var
  f:  2.0G  18541648  4.2BSD   2048 16384    1 # /usr
  g:  1.0G  22735952  4.2BSD   2048 16384    1 # /usr/X11R6
  h:  3.5G  24833104  4.2BSD   2048 16384    1 # /usr/local
  i:  1.9G  32229473  4.2BSD   2048 16384    1 # /usr/src
  j:  1.9G  36247864  4.2BSD   2048 16384    1 # /usr/obj
  k: 18.1G  40266255  4.2BSD   2048 16384    1 # /home

and I have /var running out of space:

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a     1005M    206M    749M    22%    /
/dev/wd0k     17.8G    411M   16.5G     2%    /home
/dev/wd0d      2.5G    6.0K    2.4G     0%    /tmp
/dev/wd0f      2.0G    927M    985M    48%    /usr
/dev/wd0g     1005M    167M    787M    18%    /usr/X11R6
/dev/wd0h      3.5G    280M    3.0G     8%    /usr/local
/dev/wd0j      1.9G    993M    841M    54%    /usr/obj
/dev/wd0i      1.9G    790M    1.0G    43%    /usr/src
/dev/wd0e      4.0G    3.4G    376M    90%    /var

In /var I store some sites for apache and need more space for them. How can I use the unused space for /var, or will it be used automatically when /var reaches 100% capacity?
Re: disk management
13.01.2012 14:28, Francois Pussault wrote:
> With such a huge /var, 90% is abnormal; you should already look for a logrotate solution or choose a new partition map you will use on the next update of the machine.

First of all, thanks all for your replies. As I said, /var is used for a www-application under chroot apache. /var/log is clear:

# du -sch /var/*
2.0K    /var/account
2.0K    /var/audit
2.0K    /var/authpf
1.5M    /var/backups
730K    /var/cache
4.0K    /var/crash
20.0K   /var/cron
14.7M   /var/db
4.0K    /var/empty
44.0K   /var/games
1.4M    /var/log
8.0K    /var/lost+found
4.2M    /var/mail
4.0K    /var/msgs
26.4M   /var/mysql
52.0K   /var/named
2.0K    /var/quotas
152K    /var/run
2.0K    /var/rwho
2.0K    /var/sasl2
2.0K    /var/siproxd
28.0K   /var/spool
781M    /var/squid
4.0K    /var/tmp
1.4G    /var/www
28.0K   /var/yp
2.2G    total

Do I understand correctly that in my case the easiest way is to decrease /home and increase /var?
Re: disk management
13.01.2012 16:11, Stuart Henderson wrote:
>> a:  1.0G        63  4.2BSD   2048 16384    1 # /
>> b:  1.2G   2097215    swap
>> c: 37.3G         0  unused
>> d:  2.6G   4683375  4.2BSD   2048 16384    1 # /tmp
>> e:  4.0G  10052439  4.2BSD   2048 16384    1 # /var
>> f:  2.0G  18541648  4.2BSD   2048 16384    1 # /usr
>> g:  1.0G  22735952  4.2BSD   2048 16384    1 # /usr/X11R6
>> h:  3.5G  24833104  4.2BSD   2048 16384    1 # /usr/local
>> i:  1.9G  32229473  4.2BSD   2048 16384    1 # /usr/src
>> j:  1.9G  36247864  4.2BSD   2048 16384    1 # /usr/obj
>> k: 18.1G  40266255  4.2BSD   2048 16384    1 # /home
> As you have partitions on the disk between /usr and /home, you can't easily just grow /var. Here are some options:
> - backup, reinstall with better partition sizes, restore.
> - swap /var and /home partitions (shut down services, copy files around between the partitions, swap the fstab entries, reboot). if you are not totally confident with doing this, make sure your backups are up-to-date first.
> - if you only need a little more space, or if you need to buy some time until you can plan a proper reinstallation, move your squid cache_dir to /home.

I got the same recommendation from Vadim Zhukov <persg...@gmail.com> with a little difference, do it in single mode:
1. Boot in single user mode, enter shell.
2. mount /, /usr, /var and /home.
3. Move /var/* to /home.
4. Move /home/* to /var (except what moved on step 3).
5. Umount /home and /var.
6. Edit fstab and switch /home and /var mount points.
7. Try to mount /home and /var now, checking all is ok.
8. Proceed booting (^D) and have a nice day.
but I operate remotely, and can't shut down all services, such as PF or SSH. So in any way I need to do this locally?
Re: NPPPD/L2TP IPsec problems
29.09.2011 16:30, YASUOKA Masahiko wrote:
> On Mon, 26 Sep 2011 15:20:50 +0200 Martin Poulsen <mar...@dividebyzero.dk> wrote:
>> I have been playing around a little with the npppd daemon, having set up an L2TP server for test and learning purposes. The connection is running in an IPsec tunnel and it works great and runs very fine when used on a local network. But I'm having problems when it comes to NAT. This is my setup:
>> client (Windows XP) NAT - internet - OpenBSD (public IP) npppd
> L2TP/IPsec with NAT-T is not supported yet. We need 3 more hacks.
> 1. support FQDN identifier type on isakmpd
> 2. ignore UDP checksum to pass L2TP messages. (checksums are broken by IPsec transport mode)
> 3. npppd must be able to send an L2TP message to a different peer behind NAT by socket API. (API is not fixed yet.)
> 1. and 2. are `just do it' tasks. But 3. may take time. I'll start to discuss this on tech@.
> Thanks, --yasuoka

Have you made any progress on that?
pptpd - connect external win-client to local net
hello misc! I need to set up VPN connections between external Win clients and local Win servers via an OpenBSD box.
ext_win - Internet - OpenBSD 4.8 - local net - win-server
main problem:
- after the connection is established, Internet does not work on ext_win_client, but connections to local_net work,
- if I remove the selection "use default gateway on remote network" in the properties of the VPN on ext_win_client, then Internet works, but local resources do not.
- manipulating the nodefaultroute parameter in /etc/ppp/options and in /etc/ppp/options.pptpd has no effect.
What exactly is needed to establish a VPN from the Internet to local_net and leave working Internet on ext_client? Here are the settings:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:d0:b7:60:5f:2e
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.16.8 netmask 0xff00 broadcast 192.168.16.255
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:76:36:bb:2b
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 195.26.xx.xx netmask 0xffe0 broadcast 195.26.xx.xx
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:d0:b7:60:5f:28
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 188.230.xx.xx netmask 0xfffc broadcast 188.230.xx.xx
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:f1:6c:a7:66
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet 10.10.10.1 netmask 0xff00 broadcast 10.10.10.255
enc0: flags=0<> mtu 1536
        priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1398
        priority: 0
        groups: tun
        media: Ethernet autoselect
        status: active
        inet 192.168.14.111 --> 192.168.14.113 netmask 0x

# ping 192.168.14.113
PING 192.168.14.113 (192.168.14.113): 56 data bytes
64 bytes from 192.168.14.113: icmp_seq=0 ttl=128 time=144.465 ms
64 bytes from 192.168.14.113: icmp_seq=1 ttl=128 time=189.242 ms

# cd /dev
# ls -la | grep tun
crw-------  1 root  wheel   40,   0 May  7 12:06 tun0
crw-------  1 root  wheel   40,   1 Apr 20  2010 tun1
crw-------  1 root  wheel   40,   2 Apr 20  2010 tun2
crw-------  1 root  wheel   40,   3 Apr 20  2010 tun3
crw-r--r--  1 root  wheel   49,  16 Apr 20  2010 tuner0

# cat /etc/sysctl.conf | grep ip.forwarding
net.inet.ip.forwarding=1

# pkg_info | grep poptop
poptop-1.3.4p0      PPTP Server

# cat /etc/pptpd.conf
option /etc/ppp/options.pptpd
noipparam
localip 192.168.14.111
remoteip 192.168.14.112-113
listen 188.230.122.54

# cat /etc/ppp/ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 set speed 115200
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pploop
 set dial
 set login
 set mppe * stateful
 set ifaddr 192.168.14.111 192.168.14.112-192.168.14.113 255.255.255.255
 set server /var/tmp/loop 0177
loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct
pptp:
 load loop
 disable pap
 disable chap
 disable ipv6
 disable ipv6cp
 disable deflate pred1
 deny deflate pred1
 enable mschapv2
 accept mppe
 accept dns
 set dns 8.8.8.8
 enable proxy
 set device !/etc/ppp/secure

# cat /etc/ppp/options
+mschap-v2
mppe-128
mppe-stateless

# cat /etc/ppp/options.pptpd
-pap
-chap
-chapms
+mschap-v2
mppe-128
mppe-stateless
lock
auth
usehostname
nodefaultroute
proxyarp

With these settings I successfully connect to local_net, but route print on win_client looks like this:

Network Destination        Netmask          Gateway       Interface  Metric
0.0.0.0                    0.0.0.0     77.52.44.148    77.52.44.148       2
0.0.0.0                    0.0.0.0   192.168.14.113  192.168.14.113       1
77.52.44.148       255.255.255.255        127.0.0.1       127.0.0.1      50
77.255.255.255     255.255.255.255     77.52.44.148    77.52.44.148      50
80.255.77.41       255.255.255.255     77.52.44.148    77.52.44.148       1
127.0.0.0                255.0.0.0        127.0.0.1       127.0.0.1       1
188.230.122.54     255.255.255.255     77.52.44.148    77.52.44.148       1
192.168.14.113     255.255.255.255        127.0.0.1       127.0.0.1      50
192.168.14.255     255.255.255.255   192.168.14.113  192.168.14.113      50
224.0.0.0                240.0.0.0     77.52.44.148    77.52.44.148       2
224.0.0.0                240.0.0.0   192.168.14.113  192.168.14.113       1
255.255.255.255    255.255.255.255     77.52.44.148    77.52.44.148       1
255.255.255.255    255.255.255.255   192.168.14.113  192.168.14.113       1
Default Gateway: 192.168.14.113
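The route table above shows what "use default gateway on remote network" does on the client: its default route now points at the tunnel (192.168.14.113, metric 1), so every packet, Internet-bound ones included, arrives on the OpenBSD box's tun interface with a 192.168.14.x source address. The nodefaultroute option in the ppp options files only controls whether the server side installs a default route for itself; it does not change the client's routing. For the client to keep Internet access in that mode, the box has to forward the tunnel traffic and translate it to its public address on the way out. The following pf.conf fragment is an added example, not the poster's ruleset, written against the settings shown above: fxp1 is taken as the Internet-facing interface (it carries the egress group in the ifconfig output), fxp0 as the LAN, and the pool is the 192.168.14.112-113 range from pptpd.conf; the listen address 188.230.122.54 is also taken from pptpd.conf.

```pf
# Added example, not from the original post: pf rules for a poptop server
# whose Windows clients route everything through the tunnel.
ext_if   = "fxp1"                       # assumption: egress interface
int_if   = "fxp0"                       # assumption: LAN interface
pptp_srv = "188.230.122.54"             # listen address from pptpd.conf
vpn_pool = "{ 192.168.14.112, 192.168.14.113 }"   # remoteip from pptpd.conf
lan_net  = "192.168.16.0/24"

# Client traffic leaves tun with a 192.168.14.x source; give it the public
# address when it goes out to the Internet, otherwise replies never return.
match out on $ext_if inet from $vpn_pool to any nat-to ($ext_if)

# PPTP control channel (TCP 1723) and the GRE data channel.
pass in on $ext_if inet proto tcp from any to $pptp_srv port 1723
pass in on $ext_if inet proto gre from any to $pptp_srv

# Decapsulated client packets appear on the tun interface group; let them
# reach the LAN and the Internet.
pass in on tun inet from $vpn_pool to any
pass out on $int_if inet from $vpn_pool to $lan_net
pass out on $ext_if inet from ($ext_if) to any
```

If the preferred design is instead to leave "use default gateway on remote network" unchecked, the client needs a static route for 192.168.16.0/24 via its tunnel address, and the nat-to rule is not needed. Independently of which routing mode is chosen, note that PPTP with MS-CHAPv2 is the weakest VPN option on this page: the MS-CHAPv2 exchange can be broken offline to recover the user's NT hash, so treat this setup as a compatibility measure rather than a security boundary, and prefer the IPsec or L2TP/IPsec setups discussed elsewhere in the thread collection where the clients allow it.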
Re: tftp - no route to host
Janne Johansson wrote:
> 2011/4/29 pavel pocheptsov <lilit-aibo...@mail.ru>
>> openbsd 4.8
>> # cat /etc/pf.conf | grep tftp
>> pass in on $int_if inet proto udp from any to $int_if port tftp
>> # tftp 127.0.0.1
> 127.0.0.1 would not be on the $int_if, would it?
> -- To our sweethearts and wives. May they never meet. -- 19th century toast

Yes, but from localhost I just test it, and connecting to $int_if works too:
# tftp 192.168.15.6
tftp> get ekey
Received 40 bytes in 0.0 seconds
tftp> quit
The problem is connecting from another machine on 192.168.15.0/24 to tftpd on 192.168.15.6.
Re: tftp - no route to host
Evgeniy Sudyr wrote:
> Pavel,
> 1) Are you sure that you uncommented tftpd in inetd.conf? Is inetd started?
> 2) netstat -na | grep 69
> 3) tcpdump -ni lo port 69
> 4) check PF rules as Janne wrote before (maybe you need to pass or just skip on lo).
> Btw, does it make any sense to use TFTP on localhost? :)
> -- Thanks! Eugene Sudyr

# tcpdump -i rl0 | grep 192.168.15.6.tftp
tcpdump: listening on rl0, link-type EN10MB
17:55:51.398535 192.168.15.7.1117 > 192.168.15.6.tftp: 16 RRQ "ekey"
17:55:52.400286 192.168.15.7.1117 > 192.168.15.6.tftp: 16 RRQ "ekey"
# tail /var/log/daemon
Apr 29 17:54:14 ipsec2 dhcpd[24382]: DHCPREQUEST for 192.168.15.155 from 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:54:14 ipsec2 dhcpd[24382]: DHCPACK on 192.168.15.155 to 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:54:55 ipsec2 tftpd[17823]: send: No route to host
Apr 29 17:54:56 ipsec2 tftpd[7381]: send: No route to host
Apr 29 17:54:58 ipsec2 tftpd[21669]: send: No route to host
Apr 29 17:55:22 ipsec2 dhcpd[24382]: DHCPINFORM from 192.168.15.155
Apr 29 17:55:22 ipsec2 dhcpd[24382]: DHCPACK on 192.168.15.155 to 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:55:51 ipsec2 tftpd[5857]: send: No route to host
Apr 29 17:55:52 ipsec2 tftpd[30407]: send: No route to host
Apr 29 17:55:54 ipsec2 tftpd[7320]: send: No route to host
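The tcpdump shows the read requests arriving at port 69, and the daemon log shows tftpd failing on the send() of its reply, so the request side is fine and the reply side is not. One property of TFTP matters here: the server does not answer from port 69 but from a freshly chosen UDP port (its transfer identifier), so the state that the `pass in ... port tftp` rule creates for 192.168.15.7:1117 to 192.168.15.6:69 does not cover the reply packet, whose source port is different. With a default block and no `pass out` on the LAN interface, pf drops that reply on output, and a locally generated packet dropped by pf fails the send() call, which is consistent with the "send: No route to host" lines above; from 127.0.0.1 the same transfer works because pf is skipped on lo. The fragment below is an added example, not the poster's pf.conf (only the one tftp line of that file is visible in the thread); it assumes rl0 is $int_if with 192.168.15.6 and that clients live in 192.168.15.0/24.

```pf
# Added example, not from the thread: pf rules for tftpd on the LAN side.
# Assumptions: int_if = rl0 (192.168.15.6), clients in 192.168.15.0/24,
# and a ruleset that blocks by default.
int_if  = "rl0"
lan_net = "192.168.15.0/24"

set skip on lo
block all

# The RRQ/WRQ arrives at port 69 on the LAN address ...
pass in on $int_if inet proto udp from $lan_net to $int_if port tftp

# ... but tftpd answers from a new source port (its transfer ID), so the
# state above does not match the reply; allow the daemon's UDP replies
# back to the LAN explicitly. Keeping it to udp from the box's own address
# to the LAN avoids opening anything for forwarded traffic.
pass out on $int_if inet proto udp from $int_if to $lan_net
```

After loading it, `pfctl -s state | grep 192.168.15.7` should show two UDP states per transfer, one for the request to port 69 and one for the data stream between the two transfer ports, and the "No route to host" lines in /var/log/daemon should stop.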
Re: pptpd reload config
Gregory Edigarov wrote:
> On Tue, 26 Apr 2011 22:02:19 +0300 lilit-aibolit <lilit-aibo...@mail.ru> wrote:
>> I made changes in /etc/pptpd.conf and did
>> kill -HUP `cat /var/run/pptpd.pid`
>> but pptpd doesn't reload its config, it dies :(
>> I start /usr/local/sbin/pptpd again and nothing changes for the remote clients - they still receive the old IP settings from /etc/pptpd.conf. What is wrong?
> Perhaps you sent the wrong signal. AFAIR, poptop reacts to SIGUSR1, SIGUSR2. So, see the manual page for pptpd.

The pptpd man page says nothing about reacting to signals. I found the solution in this simple way:
/usr/local/sbin/pptpd reload
pptpd reload config
I made changes in /etc/pptpd.conf and did
kill -HUP `cat /var/run/pptpd.pid`
but pptpd doesn't reload its config, it dies :(
I start /usr/local/sbin/pptpd again and nothing changes for the remote clients - they still receive the old IP settings from /etc/pptpd.conf. What is wrong?
Re: Routing all traffic through IPSEC VPN
Matt S wrote:
> Hello @misc: I am up against a stumper. I have a Site-to-Site IPSEC VPN working beautifully. However, I would like the remote site to route all of its traffic through the VPN. After googling, I seemed to come up with a suggestion to do a "route change -net 0.0.0.0/0 gateway" which didn't work well. I think it might have to do with NAT. The main office is doing the NAT. Perhaps I need to do some sort of NAT traversal on the VPN??

Hello. Here is a working config. I have two nets, 15.0/24 and 16.0/24. 16.0/24 has the default gateway to the Internet. Between 15 and 16 IPSec is set up. From 15, for the lucky boys, I set up a tunnel to any. On the router in 16 the lucky boys go out with NAT.

=== net 15.0 ===
ipsec.conf:
remote_nets = "{ 192.168.16.0/24, 172.20.252.0/24 }"
nat_clients = "{ 192.168.15.10, 192.168.15.167, 192.168.15.170 }"
flow esp from 192.168.15.0/24 to $remote_nets peer 192.168.10.1
flow esp from $nat_clients to any peer 192.168.10.1
esp from 192.168.10.2 to 192.168.10.1

ifconfig:
rl0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:02:44:56:39:04
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.15.6 netmask 0xff00 broadcast 192.168.15.255
vr0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:13:d3:36:f5:ce
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.10.2 netmask 0xff00 broadcast 192.168.10.255

route -n show:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.10.1       UGS        5     5440     -     8 vr0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2        4 33200     4 lo0
192.168.10/24      link#2             UC         1        0     -     4 vr0
192.168.10.1       00:d0:b7:60:5f:5c  UHLc       3  1357436     -     4 vr0
192.168.15/24      link#1             UC        38        0     -     4 rl0

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
default            0     192.168.15.170/32  0     0     192.168.10.1/esp/require/in
192.168.15.170/32  0     default            0     0     192.168.10.1/esp/require/out
default            0     192.168.15.167/32  0     0     192.168.10.1/esp/require/in
192.168.15.167/32  0     default            0     0     192.168.10.1/esp/require/out
default            0     192.168.15.10/32   0     0     192.168.10.1/esp/require/in
192.168.15.10/32   0     default            0     0     192.168.10.1/esp/require/out
172.20.252/24      0     192.168.15/24      0     0     192.168.10.1/esp/require/in
192.168.15/24      0     172.20.252/24      0     0     192.168.10.1/esp/require/out
192.168.16/24      0     192.168.15/24      0     0     192.168.10.1/esp/require/in
192.168.15/24      0     192.168.16/24      0     0     192.168.10.1/esp/require/out

=== net 16 ===
ipsec.conf:
local_nets = "{ 172.20.252.0/24, 192.168.16.0/24 }"
flow esp from $local_nets to 192.168.15.0/24 peer 192.168.10.2
flow esp from any to { 192.168.15.10, 192.168.15.167, 192.168.15.170 } peer 192.168.10.2
esp from 192.168.10.1 to 192.168.10.2

ifconfig:
fxp0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:d0:b7:60:75:51
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.16.6 netmask 0xff00 broadcast 192.168.16.255
fxp1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:d0:b7:60:5f:5c
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:d0:b7:60:5d:9c
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.20.252.36 netmask 0xfff8 broadcast 172.20.252.39
        inet6 fe80::2d0:b7ff:fe60:5d9c%fxp2 prefixlen 64 scopeid 0x3
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:88:45:68:aa
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.20.55 netmask 0xff00 broadcast 192.168.20.255

Routing tables
Internet:
Destination        Gateway            Flags   Refs       Use   Mtu  Prio Iface
default            192.168.16.8       UGS        6  14997670     -     8 fxp0
127/8              127.0.0.1          UGRS       0         0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2     11204 33200     4 lo0
172.20.252.32/29   link#3             UC         1         0     -     4 fxp2
172.20.252.38      00:03:7e:00:73:40  UHLc       0   4831569     -     4 fxp2
192.168.10/24      link#2             UC         2         0     -     4 fxp1
192.168.10.1       00:d0:b7:60:5f:5c  UHLc       0         4     -     4 lo0
192.168.10.2       00:13:d3:36:f5:ce  UHLc      15 102190836     -     4 fxp1
192.168.15/24      192.168.10.2       UGS        0    119979     -     8 fxp1

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.15.170/32  0     default            0     0     192.168.10.2/esp/require/in
default            0     192.168.15.170/32  0     0     192.168.10.2/esp/require/out
192.168.15.167/32  0     default            0     0     192.168.10.2/esp/require/in
default            0     192.168.15.167/32  0     0     192.168.10.2/esp/require/out
192.168.15.10/32   0     default            0     0     192.168.10.2/esp/require/in
default            0     192.168.15.10/32   0     0     192.168.10.2/esp/require/out
192.168.15/24      0     192.168.16/24      0     0     192.168.10.2/esp/require/in
192.168.16/24      0     192.168.15/24      0     0     192.168.10.2/esp/require/out
192.168.15/24      0     172.20.252/24      0     0     192.168.10.2/esp/require/in
172.20.252/24      0     192.168.15/24      0     0     192.168.10.2/esp/require/out

host 192.168.16.8 doing
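The policy part of the config above (the `flow` lines, including the `flow ... to any` for the selected clients) is what makes "route everything through the tunnel" work; the `esp from ... to ...` lines are the static SAs that carry it, with keys fixed in the file and never rotated, and the same key material sitting on both gateways for as long as the config lives. The following is an added example, not the poster's config: the same flows for the "net 15" side expressed as `ike` rules, so that isakmpd negotiates and periodically rekeys the SAs instead. It assumes both gateways run isakmpd with `isakmpd_flags="-K"` in rc.conf.local and load /etc/ipsec.conf with ipsecctl at boot; the pre-shared key is a placeholder, and the cipher and group choices are this example's, not something the thread specifies.

```pf
# Added example, not from the original post: the "net 15" policy above with
# automatic keying (isakmpd) instead of static esp SAs. The peer side needs
# the mirror image with the same PSK. The PSK string is a placeholder.
local_gw    = "192.168.10.2"
remote_gw   = "192.168.10.1"
remote_nets = "{ 192.168.16.0/24, 172.20.252.0/24 }"
nat_clients = "{ 192.168.15.10, 192.168.15.167, 192.168.15.170 }"

# Site-to-site flows between the two LANs.
ike esp from 192.168.15.0/24 to $remote_nets peer $remote_gw \
        main  auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "replace-with-a-long-random-secret"

# "Lucky boys": everything from these hosts goes through the tunn el and
# is NATed on the net 16 side, exactly as with the manual flow above.
ike esp from $nat_clients to any peer $remote_gw \
        main  auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "replace-with-a-long-random-secret"
```

`ipsecctl -sa` then shows SAs with changing SPIs over time rather than the fixed ones of the manual setup, and `ipsecctl -n -f /etc/ipsec.conf` checks the file without loading it. The Encap routes shown above come out the same, because the flows are identical; only the source of the SAs changes.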
IPSec between 4.8 and 4.9
I have IPSec with manual flows between two 4.8 boxes, and all works great. I can't set up two 4.9 boxes at one moment, and I want to ask: can I change one side of the IPSec to 4.9?
Re: kern.maxcluster
Tomas Bodzar wrote:
> On Fri, Mar 25, 2011 at 3:37 AM, Kleber Rocha <kli...@gmail.com> wrote:
> And may be of some interest to know where did you get those recommendations? Smells like calomel.org or similar

Why do so many people hate calomel.org?
Re: pf rules for Load Balance Incoming Connections for webservers
Indunil Jayasooriya wrote:
> Hi list, I have 3 web servers running on port 8080 behind a PF firewall. I am trying to load balance the incoming connections to these web servers. I wrote the rules below. Pls pay attention to the *highlighted BOLD* rules; they are the ones I have written. But I can NOT login to these web servers from the Internet.
>
> # macros
> ext_if=em0
> int_if=em1
> web_servers = "{ 192.168.x.64, 192.168.x.66, 192.168.x.67 }"
> lan_net=192.168.x.0/24
>
> # options
> set block-policy return
> set loginterface $ext_if
> set skip on lo
> set state-policy if-bound
>
> # Normalizing packets
> # Filter traffic for unusual packets
> match in on $ext_if scrub (random-id min-ttl 5 no-df)
> match out on $ext_if scrub (random-id no-df)
> *match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers \
>     round-robin sticky-address*
>
> # filter rules
> block in log
> block out log
> *pass out log on $int_if inet proto tcp from any to $web_servers port 8080 \
>     flags S/SA modulate state*
>
> I visited this url as well: http://www.openbsd.org/faq/pf/pools.html Still no luck. Where have I gone wrong?

Probably you need to add this:
pass in on $ext_if inet proto tcp from any to $web_servers port 8080
how to NAT IP-phones
Hello misc. I have a PBX, Samsung OfficeServ 7400, with a VoIP module. The SIP provider gave out a small private /29 network to connect to their SIP server directly. So I need to include my OBSD box in this network to translate IP phones from my own private /24 network. All works fine with only one IP phone; any other phone can't establish connections with the PBX, because the static-port directive is used in the nat rules. Without the static-port directive only one side can be heard in a call. Please help to resolve this problem.

#pf.conf#
int_if = fxp0
ipsec_if = fxp1
phone_if = fxp2
waterpas_if = rl0
table <khaer> { 192.168.16.0/24 }
table <baza> { 192.168.15.0/24 }
table <phone> { 172.20.252.0/29 }
table <ipsec1> { 192.168.10.1 }
table <ipsec2> { 192.168.10.2 }
set skip on { lo0, enc0 }
set loginterface fxp0
set block-policy drop
block log all
#nat
match out on $phone_if inet proto udp from 192.168.16.13 to any nat-to $phone_if static-port
match out on $phone_if inet proto udp from 192.168.16.14 to any nat-to $phone_if static-port
#in
pass in on $int_if inet proto udp from 192.168.16.13 to fxp2:network route-to $phone_if
pass in on $int_if inet proto udp from 192.168.16.14 to fxp2:network route-to $phone_if
#out
pass out on { $phone_if, $waterpas_if } inet proto { tcp, udp }
pass out on $int_if inet proto { tcp, udp } from 192.168.16.6 to any
pass out on $int_if inet proto icmp from 192.168.16.6 to any
###
route-to is used for policy based routing, because I have four networks on this box.

Here is the state:
# pfctl -s state | grep .13
all udp 172.20.252.34:6000 <- 192.168.16.13:6000       MULTIPLE:MULTIPLE
all udp 172.20.252.36:6000 (192.168.16.13:6000) -> 172.20.252.34:6000       MULTIPLE:MULTIPLE
all udp 172.20.252.34:9000 <- 192.168.16.13:9000       NO_TRAFFIC:SINGLE
all udp 172.20.252.36:9000 (192.168.16.13:9000) -> 172.20.252.34:9000       SINGLE:NO_TRAFFIC
all udp 172.20.252.35:30012 <- 192.168.16.13:9000       MULTIPLE:MULTIPLE
all udp 172.20.252.36:9000 (192.168.16.13:9000) -> 172.20.252.35:30012       MULTIPLE:MULTIPLE
all udp 172.20.252.35:30013 <- 192.168.16.13:9001       MULTIPLE:MULTIPLE
all udp 172.20.252.36:9001 (192.168.16.13:9001) -> 172.20.252.35:30013       MULTIPLE:MULTIPLE
# pfctl -s state | grep .14
all udp 172.20.252.34:6000 <- 192.168.16.14:6000       NO_TRAFFIC:SINGLE

192.168.16.13 is ringing and talking, but 192.168.16.14 can't. I read this: http://www.bastard.net/~kos/pf-voip.html and directly copy-pasted the setup for my case, but with tagging again only one phone works. Possibly I don't understand how nat works, and PF can't translate 192.168.16.14 with the same port that is in use at this moment.
Here translation works:
all udp 172.20.252.34:6000 <- 192.168.16.13:6000       MULTIPLE:MULTIPLE
all udp 172.20.252.36:6000 (192.168.16.13:6000) -> 172.20.252.34:6000       MULTIPLE:MULTIPLE
but here it does not work:
all udp 172.20.252.34:6000 <- 192.168.16.14:6000       NO_TRAFFIC:SINGLE
because port 6000 is already taken up by the previous state.
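The state table above shows the limitation exactly: `static-port` tells pf not to rewrite the source port, so both phones want to become 172.20.252.36:6000 towards 172.20.252.34:6000, and pf can hold only one state with that key; the second phone gets an inbound state on the LAN side (NO_TRAFFIC:SINGLE) and no translated outbound state. Dropping `static-port` lets pf pick a free port, but then the port the PBX sees in the SIP/RTP payload no longer matches the port the packets come from, which is the one-way audio described in the post. The way out that keeps `static-port` is one external address per phone, so the translated keys differ. The fragment below is an added example, not the poster's ruleset. It assumes 172.20.252.37 is an unused address in the provider's /29 (this has to be confirmed with the provider, since the thread does not say which addresses are free) configured as an alias on fxp2, and it keeps the poster's interface names and phone addresses; 172.20.252.33 as the gateway on that /29 is taken from the multihomed pf.conf posted later on this page.

```pf
# Added example, not from the original post: one translation address per
# phone so static-port translations cannot collide in the state table.
# Assumptions: 172.20.252.37 is free in the provider's /29 and is added as
# an alias on fxp2 (e.g. "inet alias 172.20.252.37 255.255.255.255" in
# /etc/hostname.fxp2); 172.20.252.33 is the gateway on that network.
int_if   = "fxp0"
phone_if = "fxp2"
phone1   = "192.168.16.13"
phone2   = "192.168.16.14"
phone1_ext = "172.20.252.36"     # the interface's own address, as before
phone2_ext = "172.20.252.37"     # assumed free; alias on $phone_if

set skip on { lo0, enc0 }
set block-policy drop
block log all

# nat: each phone maps to its own external address, so both can keep their
# original source ports (the PBX expects the port it sees in SIP/RTP to be
# the port the packets really come from).
match out on $phone_if inet proto udp from $phone1 to any nat-to $phone1_ext static-port
match out on $phone_if inet proto udp from $phone2 to any nat-to $phone2_ext static-port

# in: policy routing from the LAN onto the provider's /29, as in the post.
pass in on $int_if inet proto udp from { $phone1, $phone2 } to $phone_if:network \
        route-to ($phone_if)

# out: only the translated phone addresses leave towards the provider.
pass out on $phone_if inet proto udp from { $phone1_ext, $phone2_ext } to $phone_if:network
```

After loading this, `pfctl -s state | grep 172.20.252.37` should show the second phone's translated states alongside the first phone's on .36, with the same inside port on both. A third phone needs a third address; if the /29 cannot supply one per phone, the alternative is a SIP-aware proxy on the box (the post mentions siproxd in its /var listing elsewhere on this page) that rewrites the port numbers inside the signalling, which is the only way to share one address without `static-port`.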
Re: pf question: multiple multihomed machines
gwes ohxer: What is the recommended pf.conf to get symmetrical routing for incoming and outgoing connections using a dual-homed gateway and internal hosts with static IPs on both WANs? I'm assuming route-to and reply-to are the correct tools to use. I've looked at the FAQ, googled for dual multihomed machines, and haven't found a clear answer yet. I know there's a multihome section in the FAQ, but it only handles pools of nat-ed machines, and the last couple of lines are not obvious.

Hi,

I use policy based routing with PF. I have one local_if and three external_if; two of them have their own gateway, and one doesn't. Here is my pf.conf. It has no comments, but if you read it carefully, everything is there.

have a nice day with PF=)

#$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if_a = xl0
ext_gw_a = 195.26.xxx.xxx
ext_if_b = fxp1
ext_gw_b = 188.230.xxx.xxx
ext_if_c = fxp2
ext_gw_c = 172.20.252.33
int_if = fxp0

table <firewall> const { self }
table <khaer> { 192.168.16.0/24 }
table <admin> { 192.168.16.1, 192.168.16.4, 192.168.16.6, 192.168.16.100 }
table <www> { 192.168.16.2 }
table <1c> { 192.168.16.3 }
table <zvit> { 192.168.16.4 }
table <mail> { 192.168.16.5 }
table <ad> { 192.168.16.7 }
table <fourblock> { 192.168.16.188 }
table <milestone> { 192.168.16.200 }
#table <officeserv> { }
table <dns> { 194.44.xxx.xxx, 217.12.xxx.xxx }
table <kl-bank> { 192.168.16.184, 192.168.16.185, 192.168.16.201, \
    192.168.16.207, 192.168.16.210, 192.168.16.218, \
    192.168.16.221, 192.168.16.241 }
table <ipsec> { 192.168.15.0/24 }
table <private> { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
    127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
    172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
    192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table <bruteforce> persist
table <advertisement> file "/etc/advertisement"

set skip on { lo0, enc0 }
set loginterface $ext_if_b
set timeout { frag 20, tcp.established 3600 }
set block-policy drop

antispoof quick for { fxp1, fxp2, xl0 }

match in all scrub (no-df)

#anchor "ftp-proxy/*"

#queueing
#altq on fxp0 cbq bandwidth 400Kb queue { q_std_a, q_mail_a, q_www_a }
#queue q_std_a bandwidth 10% priority 1 cbq(default)
#queue q_mail_a bandwidth 70% priority 5 cbq(borrow)
#queue q_www_a bandwidth 20% priority 3 cbq(borrow)
#altq on fxp1 cbq bandwidth 4Mb queue { q_std_b, q_admin, q_kl-bank, q_www_b }
#queue q_std_b bandwidth 5% priority 1 cbq(default)
#queue q_admin bandwidth 40% priority 4 cbq(borrow)
#queue q_kl-bank bandwidth 15% priority 7 cbq(borrow)
#queue q_www_b bandwidth 40% priority 2 cbq(borrow)

#nat
match out on $ext_if_a inet proto tcp from <khaer> to !<khaer> nat-to $ext_if_a
match out on $ext_if_b inet from <khaer> to !<khaer> nat-to $ext_if_b
match out on $ext_if_b inet from <ipsec> to !<ipsec> nat-to $ext_if_b
match out on $ext_if_c inet proto { tcp, udp } from <admin> to any nat-to $ext_if_c

#rdr
match in on $ext_if_a inet proto tcp from any to $ext_if_a port { smtp, smtps, 444, 5 } tag MAIL_A rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 444 tag EXT_B rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 666 tag EXT_B rdr-to <1c> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 50666 tag EXT_B rdr-to <zvit> port rdp
#match in on $ext_if_b inet proto udp from any to $ext_if_b port 27015 tag EXT_B rdr-to <milestome>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55111 tag EXT_B rdr-to <milestone>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 1 tag EXT_B rdr-to <milestone> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55222 tag EXT_B rdr-to 192.168.16.26 port ssh
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55333 tag EXT_B rdr-to 192.168.16.26 port 80
#match in on $int_if inet proto tcp from <1c> to any port www rdr-to 127.0.0.1 port 3128
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port 8080 tag EXT_B rdr-to 192.168.16.100 port 80
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port { 6001, 6002 } tag EXT_B rdr-to 192.168.16.100

#block
block in quick on $ext_if_a from <bruteforce>
block in quick on $int_if from any to <advertisement>
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on { $ext_if_a, $ext_if_b } from <private> to any
block out quick on { $ext_if_a, $ext_if_b } from any to <private>
block log all

#in
pass in on $ext_if_a inet proto tcp from any to $ext_if_a port 5522 reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto udp from any to $ext_if_b port domain reply-to ($ext_if_b
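The configuration above is the poster's own and is cut off at the end. The following is an added example, not from the original thread or the OpenBSD FAQ, showing the minimum a dual-homed gateway needs for symmetric routing of both inbound and outbound connections: reply-to on the inbound pass rules so replies leave by the WAN the connection arrived on, route-to on the internal interface to steer a host out the non-default WAN, and the two "pass out ... route-to" lines from the FAQ multihoming section that the question calls not obvious. Interface names, gateway addresses, the internal server and the steered host are assumptions; the public prefixes are RFC 5737 documentation ranges. The syntax is the OpenBSD 4.7-era pf this thread uses (match/nat-to/binat-to); later releases changed the argument form of route-to and reply-to, so check pf.conf(5) for the release in use.

```pf
# Added example, not from the original post. Interfaces, addresses and the
# hosts below are assumed; public prefixes are RFC 5737 documentation ranges.
ext_if_a  = "em0"            # WAN A: the default route points at $ext_gw_a
ext_gw_a  = "203.0.113.1"
ext_if_b  = "em1"            # WAN B: no default route, reached only via pf
ext_gw_b  = "198.51.100.1"
int_if    = "em2"
lan_net   = "192.168.16.0/24"

srv_int   = "192.168.16.5"   # internal server with a static public IP on each WAN
srv_pub_a = "203.0.113.5"
srv_pub_b = "198.51.100.5"
steer_b   = "192.168.16.7"   # assumed LAN host whose outbound traffic should use WAN B

set skip on lo0
match in all scrub (no-df)
antispoof quick for { $ext_if_a, $ext_if_b, $int_if }

# 1:1 mapping of the server on each WAN. binat-to is bidirectional: packets
# arriving on $ext_if_b for $srv_pub_b are rewritten to $srv_int before the
# pass rules are evaluated, and the server's packets leaving $ext_if_b get
# $srv_pub_b as source. Same on WAN A with $srv_pub_a.
match on $ext_if_a from $srv_int to any binat-to $srv_pub_a
match on $ext_if_b from $srv_int to any binat-to $srv_pub_b

# Everything else from the LAN takes the address of the WAN it leaves on.
match out on $ext_if_a inet from $lan_net to any nat-to ($ext_if_a)
match out on $ext_if_b inet from $lan_net to any nat-to ($ext_if_b)

block log all

# Inbound. reply-to records, in the state, the interface and next hop for
# the return direction. Without it a connection arriving on WAN B would be
# answered via the default route on WAN A, so the upstream on WAN A sees a
# source address it does not own and the client sees no reply at all.
# The destination is $srv_int because binat-to has already translated it.
pass in on $ext_if_a inet proto tcp from any to $srv_int port { 22, 443 } \
    reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto tcp from any to $srv_int port { 22, 443 } \
    reply-to ($ext_if_b $ext_gw_b)

# Outbound. LAN clients follow the routing table (WAN A). The later rule
# wins for $steer_b and sends its new connections out WAN B; the state
# created by that rule also carries the route, so replies arriving on
# $ext_if_b are matched to the state and passed back to the LAN.
pass in on $int_if inet from $lan_net to any
pass in on $int_if inet from $steer_b to any route-to ($ext_if_b $ext_gw_b)

pass out on { $ext_if_a, $ext_if_b } inet

# The FAQ's last two lines. A packet whose source is the address of one WAN
# but which the routing table would hand to the other interface (typically
# the gateway's own sockets bound to $ext_if_b) is forced out the interface
# that owns that source address. These must come after the general pass out
# above, since the last matching rule wins.
pass out on $ext_if_a inet from ($ext_if_b) to any route-to ($ext_if_b $ext_gw_b)
pass out on $ext_if_b inet from ($ext_if_a) to any route-to ($ext_if_a $ext_gw_a)
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, set net.inet.ip.forwarding=1, and confirm the routing decision by watching the reply direction of a connection that arrived on WAN B with pfctl -ss (the state shows the route) or tcpdump -n -i $ext_if_b; if the replies show up on $ext_if_a instead, the reply-to rule did not create the state, usually because an earlier quick rule or a rdr/binat mismatch matched first.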
route show
Hi folks! I have a little problem with the route show command. After I type this command and press Enter on the first machine, all is fine:

# route show
Routing tables

Internet:
Destination         Gateway             Flags   Refs      Use   Mtu  Prio Iface
default             NS                  UGS        0        0     -     8 rl0
loopback            localhost           UGRS       0        0 33200     8 lo0
localhost           localhost           UH         1        0 33200     4 lo0
192.168.10/24       link#2              UC         1        0     -     4 rl1
192.168.10.2        00:d0:b7:d3:a7:99   UHLc       1      552     -     4 rl1
192.168.15/24       192.168.10.2        UGS        0        0     -     8 rl1
192.168.16/24       link#1              UC         3        0     -     4 rl0
khaer-1             00:11:2f:8d:00:9b   UHLc       2      714     -     4 rl0
NS                  00:d0:b7:60:5f:2e   UHLc       1       84     -     4 rl0
192.168.16.222      00:11:d8:dd:a0:ee   UHLc       0        4     -     4 rl0
BASE-ADDRESS.MCAST  localhost           URS        0        0 33200     8 lo0

Internet6:
Destination         Gateway             Flags   Refs      Use   Mtu  Prio Iface
::/104              localhost           UGRS       0        0     -     8 lo0
::/96               localhost           UGRS       0        0     -     8 lo0
localhost           localhost           UH        14        0 33200     4 lo0
::127.0.0.0/104     localhost           UGRS       0        0     -     8 lo0
::224.0.0.0/100     localhost           UGRS       0        0     -     8 lo0
::255.0.0.0/104     localhost           UGRS       0        0     -     8 lo0
:::0.0.0.0/96       localhost           UGRS       0        0     -     8 lo0
2002::/24           localhost           UGRS       0        0     -     8 lo0
2002:7f00::/24      localhost           UGRS       0        0     -     8 lo0
2002:e000::/20      localhost           UGRS       0        0     -     8 lo0
2002:ff00::/24      localhost           UGRS       0        0     -     8 lo0
fe80::/10           localhost           UGRS       0        0     -     8 lo0
fe80::%lo0/64       fe80::1%lo0         U          0        0     -     4 lo0
fe80::1%lo0         link#4              UHL        0        0     -     4 lo0
fec0::/10           localhost           UGRS       0        0     -     8 lo0
ff01::/16           localhost           UGRS       0        0     -     8 lo0
ff01::%lo0/32       localhost           UC         0        0     -     4 lo0
ff02::/16           localhost           UGRS       2        0     -     8 lo0
ff02::%lo0/32       localhost           UC         0        0     -     4 lo0

Encap:
Source              Port  Destination         Port  Proto SA(Address/Proto/Type/Direction)
192.168.15/24       0     192.168.16/24       0     0     192.168.10.2/esp/require/in
192.168.16/24       0     192.168.15/24       0     0     192.168.10.2/esp/require/out

But if I do it on the second machine, the output in the console and terminal is very, very slow; while I write this letter it still hasn't finished, and it shows one line every 10-20 seconds:

# route show
Routing tables

Internet:
Destination         Gateway             Flags   Refs      Use   Mtu  Prio Iface
loopback            localhost           UGRS       0        0 33200     8 lo0
localhost           localhost           UH         1        2 33200     4 lo0
192.168.10/24       link#2              UC         1        0     -     4 fxp1
192.168.10.1        00:50:fc:6f:47:6f   UHLc       1      181     -     4 fxp1
192.168.15/24       link#1              UC         1        0     -     4 fxp0
192.168.15.1        e0:cb:4e:95:c3:19   UHLc       0       13     -     4 fxp0
192.168.16/24       192.168.10.1        UGS        0        0     -     8 fxp1
BASE-ADDRESS.MCAST  localhost           URS        0        0 33200     8 lo0

Internet6:
Destination         Gateway             Flags   Refs      Use   Mtu  Prio Iface
::/104              localhost           UGRS       0        0     -     8 lo0
::/96               localhost           UGRS       0        0     -     8 lo0
localhost           localhost           UH        14        0 33200     4 lo0
::127.0.0.0/104     localhost           UGRS       0        0     -     8 lo0
::224.0.0.0/100     localhost           UGRS       0        0     -     8 lo0
::255.0.0.0/104     localhost           UGRS       0        0     -     8 lo0
:::0.0.0.0/96       localhost           UGRS       0        0     -     8 lo0
2002::/24           localhost           UGRS       0        0     -     8 lo0
2002:7f00::/24      localhost           UGRS       0        0     -     8 lo0
2002:e000::/20      localhost           UGRS       0        0     -     8 lo0
.
.

This happens after adding the route for the ipsec connection:

# route add 192.168.16.0/24 192.168.10.1

If I delete this route:

# route delete 192.168.16/24
delete net 192.168.16/24

the route show output is fast, but ipsec between the networks doesn't work. System: OpenBSD 4.8. Thanks a lot.
virtualhost and httpd -U output
Good day! I'm an OpenBSD newbie who lives in a strange country called Ukraine. I have OpenBSD 4.7 and uncommented httpd_flags=. The VirtualHost section in httpd.conf looks like this:

##
NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin ad...@xxx.com.ua
    DocumentRoot /var/www/users/xxx.com.ua
    ServerName xxx.com.ua
    ServerAlias www.xxx.com.ua
    CustomLog logs/xxx.com.ua-access_log common
    ErrorLog logs/xxx.com.ua-error_log
    # TransferLog "|rotatelogs /var/www/logs/xxx.com.ua-access_log 86400"
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin ad...@yyy.com.ua
    DocumentRoot /var/www/users/yyy.com.ua
    ServerName yyy.com.ua
    ServerAlias www.yyy.com.ua
    CustomLog logs/yyy.com.ua-access_log common
    ErrorLog logs/yyy.com.ua-error_log
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin ad...@zzz.org.ua
    DocumentRoot /var/www/users/zzz.org.ua
    ServerName zzz.org.ua
    ServerAlias www.zzz.org.ua
    CustomLog logs/zzz.org.ua-access_log common
    ErrorLog logs/zzz.org.ua-error_log
</VirtualHost>
###

Everything is fine: each site opens by its own domain name in a browser from anywhere, and access/error logging for each site goes to a different log file. But I want to see something other than what I get in the httpd -U output:

# httpd -U
[Thu Nov 18 12:03:19 2010] [warn] VirtualHost *:80 overlaps with VirtualHost *:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Nov 18 12:03:19 2010] [warn] VirtualHost *:80 overlaps with VirtualHost *:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Nov 18 12:03:19 2010] [warn] NameVirtualHost *:80 has no VirtualHosts

What is the trouble? Sorry for my bad English. Thanks.