Debug or find issue in IPSec site-to-site

2018-11-19 Thread lilit-aibolit

Hi list.
There is an IPSec site-to-site configuration between five endpoints over
the Internet.

IPSec is configured with manual flows and manual SAs.
Everything has been working smoothly for years.

Except one new route/tunnel that looks like it's working fine, i.e. it
delivers traffic between the local nets (A and B) that are behind
firewalls (gwA and gwB).
But suddenly it may occur that traffic from net A isn't going to net B.
After a while it resumes working.

The output of "ipsecctl -sa" always reports that the FLOWS and SADs
exist for the problematic route/tunnel.
pf.conf allows the ESP protocol on the external interface on both gateways in both
directions.
pf.conf allows traffic on both gateways from the opposite network to the local
network.
If there were mistakes in ipsec.conf or pf.conf, I think it wouldn't
work at all.


Any thoughts how to deal with that?
Will it be helpful to provide extra information, configs, etc?
Thanks.

Pavel.



Re: 4-ports router under $150

2018-04-12 Thread lilit-aibolit

I haven't tried via serial because I used vga+usb keyboard.

However I'll definitely try that lan-serial port.


On 11/04/18 18:27, Todd C. Miller wrote:

On Wed, 11 Apr 2018 10:49:54 +0300, lilit-aibolit wrote:


Hi, I've been looking for more than one year to get something similar
until I found this:

https://pt.aliexpress.com/item/Celeron-J1900-Mini-pc-free-shipping-micro-sd-two-usb-and-four-lan-laptop-overwatch-Computer/32794678352.html?spm

I already got and tested it and it works fine.

Can you access the BIOS from the serial port or only via VGA?

  - todd





Re: 4-ports router under $150

2018-04-11 Thread lilit-aibolit
Hi, I've been looking for more than one year to get something similar
until I found this:

https://pt.aliexpress.com/item/Celeron-J1900-Mini-pc-free-shipping-micro-sd-two-usb-and-four-lan-laptop-overwatch-Computer/32794678352.html?spm

I already got and tested it and it works fine.


On 08/04/18 00:59, Anatoli wrote:

Hi All!

I'm looking for a modest 4-5 port router under $150 that works well
with OpenBSD. I don't need WiFi, USB or a console port, and the
throughput doesn't need to exceed 100Mbps. The ideal device would be the
EdgeRouter X (compact, 5 ports, $50) but I know it's not supported at
this moment and probably never will be.


EdgeRouter (ER) Lite only has 3 ports and the switch ports (eth2-4) of 
ERPOE-5 are not yet supported.


ER-4 would be great, but the 4th port is SFP; I'd need to buy an SFP
NIC for one of my devices and I'm not sure it's supported, as the
octeon page says ER PRO SFP ports are not supported yet. Also it's a
bit expensive ($190).


Banana Pi R2 would be great too, but I couldn't find if it's supported 
by OpenBSD (it has MediaTek MT7623N, Quad-core ARM Cortex-A7).


Are there 4-5 port devices that are known to work well with OpenBSD?

Thanks,
Anatoli






Can't boot 6.2 on Intel Celeron J1900

2017-11-23 Thread lilit-aibolit

I've found this cheap mini computer and installed 6.2 there:

- http://www.xcyminipc.com/product/showproduct.php?lang=en=51

But after reboot it freezes quickly. I recorded a video:

- https://www.youtube.com/watch?v=OLGblwGx5c0

What could be the issue?



Re: l2tp and openbsd 6.1

2017-10-05 Thread lilit-aibolit


On 05/10/17 09:17, lilit-aibolit wrote:

Hi,
I've just tried your suggestion and the iPhone could connect, but Windows
gives new errors in the log:


##here is Windows attempt
Oct  5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type  in payload of type 5
Oct  5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE



I've tested one more time and it seems that
INVALID_PAYLOAD_TYPE means a wrong PSK in the Windows VPN client.

So after correction I was able to establish the VPN
from iPhone, Android and Windows (at least version 7)
with this ipsec.conf:

ike passive esp transport \
    proto udp from a.b.s.d to any port 1701 \
    main auth hmac-sha1 enc aes group modp2048 \
    quick auth hmac-sha1 enc aes \
    psk "psk"

ike passive esp transport \
    proto udp from a.b.s.d to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "psk"



Re: l2tp and openbsd 6.1

2017-10-05 Thread lilit-aibolit

Hi,
I've just tried your suggestion and the iPhone could connect, but Windows
gives new errors in the log:

Oct  5 09:05:44 gw isakmpd[19354]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Oct  5 09:05:46 gw npppd[10826]: l2tpd ctrl=6 logtype=Started RecvSCCRQ from=37.73.214.69:57298/udp tunnel_id=6/17 protocol=1.0 winsize=4 hostname=imuca vendor=(no vendorname) firm=
Oct  5 09:05:46 gw npppd[10826]: l2tpd ctrl=6 call=12298 logtype=PPPBind ppp=5
Oct  5 09:05:49 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.214.69:57298 auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
Oct  5 09:05:49 gw /bsd: pipex: ppp=5 iface=tun0 protocol=L2TP id=12298 PIPEX is ready.
Oct  5 09:05:49 gw npppd[10826]: ppp id=5 layer=base Using pipex=yes
Oct  5 09:06:59 gw npppd[10826]: l2tpd ctrl=6 call=12298 logtype=PPPUnbind
Oct  5 09:06:59 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELUSAGE user="ppo" duration=72sec layer2=L2TP layer2from=37.73.214.69:57298 auth=MS-CHAP-V2 data_in=167613bytes,1911packets data_out=2819616bytes,2540packets error_in=1 error_out=0 mppe=no iface=tun0
Oct  5 09:06:59 gw npppd[10826]: l2tpd ctrl=6 logtype=Finished

##here is Windows attempt
Oct  5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type  in payload of type 5
Oct  5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE


After I removed the first ike config line (the one with modp2048),
the log returned to this:

Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  5 09:16:08 gw isakmpd[12442]: message_negotiate_sa: no compatible proposal found
Oct  5 09:16:08 gw isakmpd[12442]: dropped message from 37.73.208.173 port 10552 due to notification type NO_PROPOSAL_CHOSEN




On 04/10/17 20:54, Vijay Sankar wrote:


Unfortunately I am not sure if what I am saying is correct or valid 
because maybe this stuff works for me only because I am using older 
versions of Android etc., plus I am using a slightly modified OpenBSD 
5.5 kernel. But you may want to try the following.


The order is important -- doesn't seem to work if modp2048 is listed 
after modp1024. If I do something like


ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp2048 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"
ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"

in the order listed, it works, and it has been working for at least a 
few years. To make sure I am not posting wrong information, I have 
double-checked using Lenovo YogaPad (Android 4.4.2), Windows 7, 
Windows 8, Windows 10, iOS 10.3.3, and MacOS 10.13.


I will try the same thing with -current and report back to the list if 
it is useful.


Hope this helps.

Vijay




Re: l2tp and openbsd 6.1

2017-10-04 Thread lilit-aibolit

Hi,
with L2TP I have a situation where iOS and Android devices could connect
but Windows 7 and Windows 10 couldn't.

Is it possible to adjust ipsec.conf somehow so it could accept
connections from Windows clients too?
Or is there a way to adjust some settings in Windows so it
will work with the current ipsec.conf?

I also noticed that I have to add a pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on  { lo0, tun0 }

Here is ipsec.conf:

ike passive esp transport \
    proto udp from a.b.x.y to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "password"

Here is npppd.conf:
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on x.x.y.y
}
ipcp IPCP {
    pool-address 192.168.222.2-192.168.222.254
    dns-servers 192.168.a.b
}
interface tun0  address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

Log from Android:

Oct  2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=
Oct  2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes

Log from iPhone 6s:

Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes

Log from iPhone 4s:

Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=
Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct  2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.


And unsuccessful connection from Win7:

Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN


On 02/10/17 23:03, Charles Amstutz wrote:

Hello everyone,

I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
knowledge).  After searching the previous forum posts (and the internet) I have 
found a lot of information on l2tp ipsec.conf connection strings. However, I 
can't get android to connect. I keep getting IKE negotiation failed errors.

I've looked at sites such as:

http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/

Re: Access old PPTP behind OpenBSD 6.1

2017-09-05 Thread lilit-aibolit

You need to have a redirect rule to the PPTP server for the GRE protocol.

However, you'll have only one VPN session at the same time.


On 05/09/17 08:06, Lars Bonnesen wrote:

Yes... I know... Don't run MS PPTP and that is why I am implementing
OpenBSD.

Until OpenVPN is fully installed on every client, I need to provide access
to PPTP during the transition.

I don't know what to use in pf.conf though. I have tried everything that I
find logical.

In sysctl.conf I have added:


net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1


Let's say that the OpenBSD public IP is 1.2.3.4, local IP 10.77.1.2 and LAN is
10.77.1.0/24 - PPTP server is 10.77.1.106

How would my PPTP lines look in pf.conf?

Help is greatly appreciated.

Regards, Lars.





Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-09 Thread lilit-aibolit

On 02/01/2017 03:41 PM, Erling Westenvik wrote:

I have an OpenBSD 5.9 server at a colocation. It stopped accepting new
connections (ping, ssh, http, whatever) yesterday night but fortunately
I had one ssh session open from my workstation from which I can still
access it.


Did you think about creating a second sshd instance
on another port and starting it in debug mode?



Re: IPSEC from behind NAT stage 2 failure

2017-02-01 Thread lilit-aibolit

On 02/01/2017 10:21 PM, Yury Shefer wrote:

Your behind-NAT IPsec client should use the external IP (78.111.187.234) as IKE
identifier (IDi/initiator id) to be able to establish the SA. IMHO, the
better option for your remote clients would be to use a different ID type
like ID_RFC822_ADDR.



Thanks for your answer.

Could you explain better how I can do this,
because I don't see any settings in the native
Windows VPN client to specify the current external IP.

Moreover, what to do if this is a road-warrior case
and the external IP changes each time for every client?



Re: IPSEC from behind NAT stage 2 failure

2017-02-01 Thread lilit-aibolit

On 12/06/2016 11:04 AM, Florian Ermisch wrote:

And I guess that's the problem: the client
goes "hi I'm 10.1.1.58 and I'd like to
connect" and isakmpd doesn't know no
10.1.1.58. IKEv1 is very picky about those
things: When it doesn't expect an ID no
peer presenting one will be allowed to
connect AFAIK.

Maybe adding local/peer or srcid/dstid
will help. You can try using the
client's current local IP of 10.1.1.58
as the ID to expect.


Hi folks, I faced the same issue. Here are my details.

1) Win7, which is behind a 3G wireless router (192.168.5.250)

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1F-00-12-00-91
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.5.88(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.5.250
   DNS Servers . . . . . . . . . . . : 192.168.5.250
   NetBIOS over Tcpip. . . . . . . . : Enabled

A "my IP" lookup in the browser gives me 78.111.187.234 as my real
public IP on the Internet.

VPN connection details:
Security: L2TP,
Advanced settings: Use preshared key (one from ipsec.conf),
Data encryption: Require encryption,
Authentication: Allow CHAP, MS-CHAP v2

2) OpenBSD side.

ipsec.conf:

ike passive esp transport \
    proto udp from any to any port 1701 \
    main auth hmac-sha1 enc aes group modp2048 \
    quick auth hmac-sha1 enc 3des \
    psk "secret"

pf.conf:

set skip on  { lo0, tun0 }
pass in on $ext_if inet proto udp from any to re1 port { 1701, 500, 4500 }
pass in on $ext_if proto { esp, ah } from any to re1
pass on enc0 from any to any keep state (if-bound)

npppd.conf:

authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on 195.68.x.y
}
ipcp IPCP {
    pool-address 192.168.222.2-192.168.222.254
    dns-servers 192.168.8.254
}
interface tun0  address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

3) Action.
I start npppd and isakmpd, apply ipsecctl -f /etc/ipsec.conf
and then connect from the Win7 client.

# npppd -d
2017-02-01 13:28:10:NOTICE: Starting npppd pid=2226 version=5.0.0
2017-02-01 13:28:10:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
2017-02-01 13:28:10:INFO: tun0 Started ip4addr=192.168.222.1
2017-02-01 13:28:10:INFO: ipcp=IPCP pool dyn_pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32] pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32]
2017-02-01 13:28:10:INFO: Added 13 routes for new pool addresses
2017-02-01 13:28:10:INFO: Loading pool config successfully.
2017-02-01 13:28:10:INFO: l2tpd Listening 195.68.x.y:1701/udp (L2TP LNS) [L2TP]


# isakmpd -Kdv
133951.389348 Default isakmpd: starting [priv]
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 195.68.x.y, src: 195.68.x.y dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.x.y
134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
^C134045.852435 Default isakmpd: shutting down...
134045.852621 Default isakmpd: exit

# tcpdump -i re1 -nvvv host 78.111.187.234
tcpdump: listening on re1, link-type EN10MB
13:40:07.820658 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT
cookie: f226e0502ef70be5-> msgid:  len: 384
payload: SA len: 212 [|isakmp] (ttl 123, id 6811, len 412)
13:40:07.821374 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT
cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 188
payload: SA len: 60 [|isakmp] (ttl 64, id 32899, len 216, bad ip cksum 0! -> 676d)
13:40:08.007137 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT
cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 388
payload: KEY_EXCH len: 260 [|isakmp] (ttl 123, id 6812, len 416)
13:40:08.045493 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT
cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 388
payload: KEY_EXCH len: 260 [|isakmp] (ttl 64, id 11204, len 416, bad ip cksum 0! -> bb64)
13:40:08.193866 78.111.187.234.4500 > 195.68.x.y.4500: udpencap: isakmp v1.0 exchange ID_PROT encrypted
cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 76 (ttl 122, id 6815, 
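The isakmpd messages quoted in this thread and in the l2tp thread above (attribute_unacceptable, NO_PROPOSAL_CHOSEN, INVALID_PAYLOAD_TYPE and the phase 2 INVALID_ID_INFORMATION drop) are easier to act on once they are grouped per dropped message. The Python script below is an added example, not code from any of the posts: it parses constructed log lines modelled on the ones quoted here (peer addresses replaced with documentation ranges, the obfuscated gateway 195.68.x.y replaced by 192.0.2.1), reports per peer what the client proposed against what the config expects, and flags a phase 2 initiator ID that is a private address differing from the packet source as the behind-NAT case this thread is about.

```python
import ipaddress
import re

# Constructed sample modelled on the lines quoted in this thread and the
# l2tp thread; peer addresses use documentation ranges and the obfuscated
# gateway address 195.68.x.y is replaced by 192.0.2.1.
SAMPLE_LOG = """\
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 203.0.113.10 port 16884 due to notification type NO_PROPOSAL_CHOSEN
Oct  5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type  in payload of type 5
Oct  5 09:08:16 gw isakmpd[19354]: dropped message from 203.0.113.11 port 2715 due to notification type INVALID_PAYLOAD_TYPE
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 192.0.2.1, src: 192.0.2.1 dst: 203.0.113.20
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 192.0.2.1
134008.307509 Default dropped message from 203.0.113.20 port 4500 due to notification type INVALID_ID_INFORMATION
"""

ATTR_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
DROP_RE = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\w+)")
PHASE1_RE = re.compile(r"phase 1 done \(as responder\): initiator id (\S+), "
                       r"responder id (\S+), src: (\S+) dst: (\S+)")


def _is_private(addr):
    """True for an RFC 1918 / link-local address; False for non-address IDs."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def parse_isakmpd(text):
    """Group isakmpd log lines into one event per dropped message.

    Each event records the peer, the notification type, every attribute the
    peer proposed that the local proposals rejected, and, for a phase 2 ID
    failure, whether the initiator ID looks like a private address behind NAT.
    """
    events = []
    mismatch, expected, phase1 = {}, {}, None
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attr, got, want = m.groups()
            mismatch.setdefault(attr, set()).add(got)
            expected[attr] = want
            continue
        m = PHASE1_RE.search(line)
        if m:
            phase1 = {"initiator_id": m.group(1), "peer": m.group(4)}
            continue
        m = DROP_RE.search(line)
        if m:
            peer, port, notification = m.groups()
            initiator_id = phase1["initiator_id"] if phase1 else None
            # ID is a private address and not the address the packets came from:
            # the client is identifying itself by its pre-NAT address.
            nat = (notification == "INVALID_ID_INFORMATION"
                   and initiator_id is not None
                   and _is_private(initiator_id) and initiator_id != peer)
            events.append({"peer": peer, "port": int(port),
                           "notification": notification,
                           "mismatch": mismatch, "expected": expected,
                           "initiator_id": initiator_id, "nat_suspected": nat})
            mismatch, expected, phase1 = {}, {}, None
    return events


def explain(event):
    """One-line operator summary; the hints restate what this thread found."""
    who = f"peer {event['peer']}:{event['port']}"
    n = event["notification"]
    if n == "NO_PROPOSAL_CHOSEN":
        offered = ", ".join(
            f"{attr}={'/'.join(sorted(got))} (config expects {event['expected'][attr]})"
            for attr, got in sorted(event["mismatch"].items()))
        return f"{who} offered {offered}; add an ike line for these or reconfigure the client"
    if n == "INVALID_ID_INFORMATION" and event["nat_suspected"]:
        return (f"{who} identified itself as {event['initiator_id']}, a private address "
                "that is not its source: client behind NAT, give isakmpd an ID it can "
                "match (srcid/dstid or a non-address ID type)")
    if n == "INVALID_PAYLOAD_TYPE":
        return f"{who}: encrypted payload did not parse; in this thread the cause was a wrong PSK"
    return f"{who}: {n}"


if __name__ == "__main__":
    for ev in parse_isakmpd(SAMPLE_LOG):
        print(explain(ev))
```

Run it against syslog or the output of isakmpd -Kdv; the attribute lines are attributed to the next "dropped message" line, which is how isakmpd emits them for one rejected exchange.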

Re: Skype issue with office behind PF

2017-01-30 Thread lilit-aibolit

On 01/28/2017 12:13 PM, Stuart Henderson wrote:

On 2017-01-27, lilit-aibolit<lilit-aibo...@mail.ru>  wrote:

Hi list, I have an office behind NAT with PF.
There are mostly Win7 workstations with
different Skype versions but mostly with
7.3x or the latest versions.
Two days ago every Skype call started to drop
after a few seconds without any voice from
the opposite side.
I got Skype support, who remotely looked
at the affected machines and after a while
resolved this by installing version 7.15.

However there is no trouble with Skype
when using it from other places or from a personal
3G hotspot connection, so I suspect there
may be an issue with PF which somehow
doesn't match how the latest Skype versions work.
Any thoughts about that?



They might be sending packets which are passed by some NAT devices
but not by PF. Use "log" on your block rules and watch pflog0, see if
something is being blocked.

tcpdump -n -e -i pflog0



Hi and thanks for your answer.
It turned out that the latest Skype version
is trying to reach a host in the 104.44.200.x
network using UDP port 3480, which was
blocked in my pf.conf.
The above network belongs to Microsoft.
So this could be used as a trick to block
voice in Skype)
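Stuart's advice above was to put "log" on the block rules and watch pflog0. The Python script below is an added example, not from the thread: it aggregates lines in the format of `tcpdump -n -e -i pflog0` by direction, interface, protocol, destination /24 and port, so a blocked destination such as UDP 3480 towards 104.44.200.x stands out from the noise, and prints the pf rule that would admit each aggregated flow for the operator to review. The sample lines are constructed; the interface name re0, the rule numbers and the client addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of `tcpdump -n -e -i pflog0` on OpenBSD.
# The UDP 3480 destinations in 104.44.200.x follow the thread; the interface
# re0, the rule numbers and the client addresses are made up.
SAMPLE_PFLOG = """\
10:15:03.118250 rule 12/(match) block in on re0: 192.168.10.21.50112 > 104.44.200.15.3480: udp 143
10:15:03.402911 rule 12/(match) block in on re0: 192.168.10.37.50931 > 104.44.200.22.3480: udp 139
10:15:04.010772 rule 12/(match) block in on re0: 192.168.10.21.50113 > 104.44.200.15.3480: udp 143
10:15:04.518001 rule 12/(match) block in on re0: 192.168.10.44.61002 > 203.0.113.5.445: S 1843201:1843201(0) win 8192
10:15:05.000342 rule 3/(match) pass in on re0: 192.168.10.21.50114 > 203.0.113.9.443: S 99:99(0) win 65535
10:15:05.777120 rule 12/(match) block in on re0: 192.168.10.21 > 203.0.113.9: icmp: echo request
"""

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass|match) (?P<dir>in|out) "
    r"on (?P<ifc>\w+): (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<tok>\S+)")


def parse_pflog(text):
    """Yield one dict per line the regex understands; anything else is skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        tok = m.group("tok")
        # After the addresses tcpdump prints "udp", "icmp:" or the TCP flags.
        proto = "udp" if tok == "udp" else "icmp" if tok.startswith("icmp") else "tcp"
        yield {"rule": int(m.group("rule")), "action": m.group("action"),
               "dir": m.group("dir"), "ifc": m.group("ifc"),
               "src": m.group("src"), "dst": m.group("dst"),
               "dport": int(m.group("dport")) if m.group("dport") else None,
               "proto": proto}


def blocked_destinations(text, prefix=24):
    """Count blocked flows by (direction, interface, proto, destination net, dport)."""
    counts = Counter()
    for ev in parse_pflog(text):
        if ev["action"] != "block":
            continue
        net = ipaddress.ip_network(f"{ev['dst']}/{prefix}", strict=False)
        counts[(ev["dir"], ev["ifc"], ev["proto"], str(net), ev["dport"])] += 1
    return counts


def suggest_pass_rule(key):
    """pf.conf line that would admit the aggregated flow, for the operator to review."""
    direction, ifc, proto, net, dport = key
    port = f" port {dport}" if dport is not None else ""
    return f"pass {direction} on {ifc} inet proto {proto} to {net}{port}"


if __name__ == "__main__":
    for key, n in blocked_destinations(SAMPLE_PFLOG).most_common():
        print(f"{n:4d}  {key}  ->  {suggest_pass_rule(key)}")
```

Feed it a capture from pflog0 (or a saved pcap read back with tcpdump -n -e -r); the /24 aggregation is what makes the many individual 104.44.200.x hosts collapse into one line.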



Skype issue with office behind PF

2017-01-27 Thread lilit-aibolit

Hi list, I have an office behind NAT with PF.
There are mostly Win7 workstations with
different Skype versions but mostly with
7.3x or the latest versions.
Two days ago every Skype call started to drop
after a few seconds without any voice from
the opposite side.
I got Skype support, who remotely looked
at the affected machines and after a while
resolved this by installing version 7.15.

However there is no trouble with Skype
when using it from other places or from a personal
3G hotspot connection, so I suspect there
may be an issue with PF which somehow
doesn't match how the latest Skype versions work.
Any thoughts about that?



Re: Build a new kernel for apcupsd

2016-10-31 Thread lilit-aibolit

On 10/25/2016 04:47 PM, Stephen Bertoni wrote:

Have you tried this instead?

root@...[~]config -e -o /bsd.new /bsd
OpenBSD 5.9-stable (GENERIC) #0: Thu May  7 23:16:45 CEST 2015
root@...***.org:/usr/src/sys/arch/i386/compile/GENERIC
Enter 'help' for information
ukc> disable upd
458 upd* disabled
ukc> disable uhidev
395 uhidev* disabled
ukc> quit
Saving modified kernel.
root@...[~]mv /bsd /bsd.old
root@...[~]mv /bsd.new /bsd
root@...[~]chmod -x /bsd
root@...[~]reboot

Steve

Hi Steve, I worry that I won't be able to use my USB keyboard after this.



Re: Build a new kernel for apcupsd

2016-10-21 Thread lilit-aibolit

On 10/20/2016 07:25 PM, Stuart Henderson wrote:

On 2016-10-20, lilit-aibolit<lilit-aibo...@mail.ru>  wrote:

Hi list.
In recent OpenBSD versions USB devices are attached to the upd driver.
This is why apcupsd doesn't detect APC USB devices.

After installing apcupsd there is a statement
on how to deal with the above situation:
...
The option with fewest side-effects is to add the following entries to
the table in /sys/dev/usb/usb_quirks.c and build a new kernel:

{ USB_VENDOR_APC, USB_PRODUCT_APC_UPS, ANY, { UQ_BAD_HID }},
{ USB_VENDOR_APC, USB_PRODUCT_APC_UPS5G, ANY, { UQ_BAD_HID }},

Alternatively, if you do not use a USB keyboard/mouse, you could simply
disable the upd and uhid drivers. The following line creates a new kernel
with the relevant changes:

printf 'disable uhid\ndisable upd\nquit\n' | config -e -o /bsd.no-uhid /bsd
...
The second option isn't suitable because I have a USB keyboard
and on very rare occasions it's used to fix something locally.
So regardless of the undefined "fewest side-effects" I have to use
the first option and build a new kernel. I downloaded and extracted
src.tar.gz and sys.tar.gz into /usr/src. Then I modified the usb_quirks.c file
and added the specified lines into the usb_quirks[] table.

See the "Build and install a new kernel" step in release(8).


Then I've read faq5.html and man config but didn't get
a clue how to build a new kernel with the applied changes in the usb_quirks.c file.

In the config man page there is a statement that "Most people save their
backup kernels as /bsd.1, /bsd.2, etc." I'd also like to know how to
save my current kernel

cp(1)


and how to switch between new and old ones in case
of some troubles with new kernel.

at the boot-loader prompt, you can type "boot bsd.1"



Hi and thanks for your answer.
I followed the steps in release(8) and executed:

# cd /usr/src/sys/arch/i386/conf/
# config GENERIC.MP
# cd ../compile/GENERIC.MP/
# make clean && make

However the size of my current kernel
is exactly the same as the just-built one:

# ls -la /bsd
-rw-r--r--  1 root  wheel  10628645 May  5  2015 /bsd
# ls -la ./bsd
-rwxr-xr-x  1 root  wsrc  10628645 Oct 21 11:24 ./bsd

Is this the expected result, and does the new kernel
include the changes in usb_quirks.c?



Build a new kernel for apcupsd

2016-10-20 Thread lilit-aibolit
Hi list.
In recent OpenBSD versions USB devices are attached to the upd driver.
This is why apcupsd doesn't detect APC USB devices.

After installing apcupsd there is a statement
on how to deal with the above situation:
...
The option with fewest side-effects is to add the following entries to
the table in /sys/dev/usb/usb_quirks.c and build a new kernel:

{ USB_VENDOR_APC, USB_PRODUCT_APC_UPS, ANY, { UQ_BAD_HID }},
{ USB_VENDOR_APC, USB_PRODUCT_APC_UPS5G, ANY, { UQ_BAD_HID }},

Alternatively, if you do not use a USB keyboard/mouse, you could simply
disable the upd and uhid drivers. The following line creates a new kernel
with the relevant changes:

printf 'disable uhid\ndisable upd\nquit\n' | config -e -o /bsd.no-uhid /bsd
...
The second option isn't suitable because I have a USB keyboard
and on very rare occasions it's used to fix something locally.
So regardless of the undefined "fewest side-effects" I have to use
the first option and build a new kernel. I downloaded and extracted
src.tar.gz and sys.tar.gz into /usr/src. Then I modified the usb_quirks.c file
and added the specified lines into the usb_quirks[] table.
Then I've read faq5.html and man config but didn't get
a clue how to build a new kernel with the applied changes in the usb_quirks.c file.

In the config man page there is a statement that "Most people save their
backup kernels as /bsd.1, /bsd.2, etc." I'd also like to know how to
save my current kernel and how to switch between new and old ones in case
of some troubles with the new kernel.



Re: Change MTU for IPSec

2016-04-26 Thread lilit-aibolit

On 04/25/2016 06:13 PM, Marc Peters wrote:

On 04/25/16 at 16:00, lilit-aibolit wrote:

Hi list.
I've a typical site-to-site IPsec tunnel.
On rare occasions users get an infinite loop in their browser
while opening web sites at the opposite endpoint; however,
at the same time ping works well from one network to the other.
An SSH connection to remote hosts looks like you're almost
in, but it freezes and you can only interrupt the connection.

I had similar issues some years ago with branch offices and a simple

"""
match in all scrub (random-id no-df)
"""

in the /etc/pf.conf on each host solved this for me (the no-df part was
the important bit).

HTH,
Marc


Thanks for your answer.
I already have this line in pf.conf on all machines:

>>match in all scrub (no-df)<<



Change MTU for IPSec

2016-04-25 Thread lilit-aibolit

Hi list.
I've a typical site-to-site IPsec tunnel.
On rare occasions users get an infinite loop in their browser
while opening web sites at the opposite endpoint; however,
at the same time ping works well from one network to the other.
An SSH connection to remote hosts looks like you're almost
in, but it freezes and you can only interrupt the connection.

As I understand, IPSec sets the Don't Fragment bit, but during
maintenance (or something else) of intermediate gateways
on the Internet providers' side it could be the case that the
MTU on those gateways is lower than what IPSec uses and
such gateways don't reply with ICMP unreachable messages,
so IPSec gets stuck at this point.

Is it possible to resolve this somehow manually by
changing (reducing) MTU for IPSec packets?
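To put numbers on the question above: ESP in tunnel mode adds a fixed outer header plus cipher-block padding, so the largest inner packet that still fits a given path MTU depends on the algorithms in use, and the TCP MSS that avoids fragmentation follows from it. The Python functions below are an added example, not from the thread; the per-algorithm sizes (AES-CBC 16-byte block and IV, 3DES and Blowfish 8-byte block and IV, HMAC-SHA1 12-byte ICV, HMAC-SHA2-256 16 bytes, HMAC-SHA2-512 32 bytes) are assumptions to be checked against the SAs actually negotiated, and the NAT-T case adds the 8-byte UDP encapsulation seen in the other thread.

```python
# ESP tunnel mode over IPv4 (RFC 4303 layout). Sizes in bytes.
OUTER_IPV4 = 20
ESP_HEADER = 8      # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
UDP_ENCAP = 8       # added only with NAT-T (udpencap)

# Assumed (block size, IV length) per cipher and ICV length per authenticator;
# check them against the SAs actually negotiated (ipsecctl -sa).
CIPHERS = {"aes": (16, 16), "3des": (8, 8), "blowfish": (8, 8)}
AUTHS = {"hmac-sha1": 12, "hmac-sha2-256": 16, "hmac-sha2-512": 32}


def esp_packet_size(inner_len, enc="aes", auth="hmac-sha1", nat_t=False):
    """Size on the wire of an inner IPv4 packet of inner_len bytes after ESP."""
    block, iv = CIPHERS[enc]
    # payload + trailer is padded up to a multiple of the cipher block size
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IPV4 + (UDP_ENCAP if nat_t else 0) + ESP_HEADER + iv + padded + AUTHS[auth]


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner packet whose ESP encapsulation still fits path_mtu without fragmenting."""
    if esp_packet_size(0, **kw) > path_mtu:
        raise ValueError("path MTU too small for ESP with these algorithms")
    lo, hi = 0, path_mtu
    while lo < hi:            # esp_packet_size is monotonic, so bisect
        mid = (lo + hi + 1) // 2
        if esp_packet_size(mid, **kw) <= path_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def tcp_mss_for(inner_mtu):
    """MSS to clamp to so a full TCP segment (20 IP + 20 TCP headers) fits inner_mtu."""
    return inner_mtu - 40


if __name__ == "__main__":
    for enc, auth, nat_t in [("aes", "hmac-sha1", False), ("aes", "hmac-sha1", True),
                             ("3des", "hmac-sha1", False), ("blowfish", "hmac-sha2-512", False)]:
        mtu = max_inner_mtu(1500, enc=enc, auth=auth, nat_t=nat_t)
        print(f"{enc:9s} {auth:14s} nat_t={nat_t!s:5s} inner MTU {mtu}  max-mss {tcp_mss_for(mtu)}")
```

For AES/HMAC-SHA1 on a 1500-byte path this gives an inner MTU of 1438 and an MSS of 1398; the MSS is the value one would clamp with pf's scrub (max-mss) on the traffic entering the tunnel, which protects TCP even when the path silently drops fragments or ICMP. It does nothing for UDP or ICMP, which need working PMTUD or a lower interface MTU, and the path MTU itself has to be measured on the actual link rather than assumed to be 1500.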



Re: sensorsd, upd, and state changes

2016-02-26 Thread lilit-aibolit

I've tried to change low=1:high=2 to low=0:high=0
but I haven't got an *Off* current state for this sensor from sensorsd:

- hw.sensors.upd0.indicator2=On (ACPresent), OK

Even with AC disconnected, sensorsd reports that ACPresent is *On*;
however, when I look at

- sysctl hw.sensors.upd0.indicator2

it reports that ACPresent is *Off*, so I decided not to rely
on the sensorsd logic and to place my own script in cron and execute it
every minute.

#!/bin/sh
# Runs from cron every minute. The lock file marks an outage that is
# already being handled, so a second instance exits immediately.
LOCK=/tmp/powerout.lock
ADMIN=ad...@example.com

if [ -f "$LOCK" ]; then
  exit 0
fi

# True while the UPS reports mains power present ("On (ACPresent), OK").
ACstatus () {
  sysctl -n hw.sensors.upd0.indicator2 | grep -q '^On'
}

i=0

if ACstatus; then
  exit 0
fi

logger -t UPS "AC has been disconnected"
touch "$LOCK"
/usr/local/bin/mutt -s "Power outage in office" -- "$ADMIN" < /root/powerout

# Poll once a minute for up to six minutes; shut down after five.
while [ "$i" -lt 360 ]; do
  i=$((i+60))
  sleep 60
  if ACstatus; then
    logger -t UPS "AC has been connected again after ${i} seconds."
    /usr/local/bin/mutt -s "Power returned in office" -- "$ADMIN" < /dev/null
    rm -f "$LOCK"
    exit 0
  fi
  if [ "$i" -eq 300 ]; then
    /usr/local/bin/mutt -s "No power for 5 min. System is shutting down now." -- "$ADMIN" < /dev/null
    logger -t UPS "System is shutting down now."
    shutdown -hp +0
  fi
done



Re: sensorsd, upd, and state changes

2016-02-25 Thread lilit-aibolit
Hi list, why don't I have an extra line in the output with sensor
upd0.percent1 (RemainingCapacity)?

Is it related to model of my UPS?

# usbdevs | grep UPS
  addr 4: Back-UPS ES 525 FW:851.t3.I USB FW:t3, American Power Conversion

# sysctl hw.sensors
hw.sensors.upd0.indicator0=Off (Charging), OK
hw.sensors.upd0.indicator1=Off (Discharging), OK
hw.sensors.upd0.indicator2=On (ACPresent), OK
hw.sensors.upd0.indicator3=On (BatteryPresent), OK
hw.sensors.upd0.indicator4=Off (ShutdownImminent), OK
hw.sensors.upd0.percent0=100.00% (FullChargeCapacity), OK

# tail /var/log/messages | grep upd
Feb 25 12:59:27 gw sensorsd[2261]: upd0.percent1: 0.00%, UNKNOWN
Feb 25 13:45:43 gw sensorsd[13167]: upd0.percent1: 0.00%, UNKNOWN



Re: APC UPS & sensorsd - how?

2016-02-24 Thread lilit-aibolit

On 03/22/2015 05:44 PM, T. Ribbrock wrote:
Then, I re-applied power, but that, too, was never flagged by
sensorsd. For some reason, it looks like sensorsd only ever detects a
status change (for these rules) when it gets started - but not
afterwards.
Regards, Thomas

Have you succeeded in getting a status change while sensorsd is running?



Re: fsck_ffs mystic

2016-02-15 Thread lilit-aibolit

On 02/15/2016 04:43 PM, Josh Grosse wrote:

On 2016-02-15 09:08, lilit-aibolit wrote:

On 02/15/2016 04:03 PM, Josh Grosse wrote:



See the words "NO WRITE" in that message?  This happens because you
are attempting to fsck(8) a *mounted* file system.


Yes, it's true. But I can't unmount /var under a normal boot.
And then why haven't the errors been fixed or even detected in single-user mode,
where partitions are unmounted?


When you are in a normal multi-user boot, daemons are running with
files open in /var, and in particular, /var/run.  The warnings you get
from fsck(8) relate to all of these open files.

Your filesystem was repaired, and is now working properly.  You are
only seeing these messages because you are running fsck(8) against a
mounted filesystem with open files.





Thank you. This is definitely the case then.
I didn't know that fsck could produce fake errors while running on a
mounted fs.




Re: fsck_ffs mystic

2016-02-15 Thread lilit-aibolit

On 02/15/2016 04:03 PM, Josh Grosse wrote:

On 2016-02-15 07:57, lilit-aibolit wrote:

Hi list.
After an unclean shutdown I've booted in single-user mode
by typing "boot -s".
I executed "fsck -fp" and "fsck -fy" a few times and got
no problem, see screenshot here:
http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg



But after a reboot with a normal login I got the following.
How can I fix the errors and why aren't they fixed in single-user mode?

# fsck_ffs -f /dev/sd0e
** /dev/rsd0e (NO WRITE)



See the words "NO WRITE" in that message?  This happens because you
are attempting to fsck(8) a *mounted* file system.


Yes, it's true. But I can't unmount /var under a normal boot.
And then why haven't the errors been fixed or even detected in single-user mode,
where partitions are unmounted?



fsck_ffs mystic

2016-02-15 Thread lilit-aibolit

Hi list.
After an unclean shutdown I've booted in single-user mode
by typing "boot -s".
I executed "fsck -fp" and "fsck -fy" a few times and got
no problem, see screenshot here:
http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg

But after rebooting with a normal login I got the following.
How can I fix the errors, and why aren't they fixed in single-user mode?

# fsck_ffs -f /dev/sd0e
** /dev/rsd0e (NO WRITE)
** Last Mounted on /var
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=3663757 (4 should be 0)
CORRECT? no

** Phase 2 - Check Pathnames
UNALLOCATED  I=415876  OWNER=_ups MODE=100644
SIZE=5 MTIME=Feb 15 14:40 2016
FILE=/db/nut/upsd.pid

REMOVE? no

UNALLOCATED  I=415958  OWNER=_nfcapd MODE=100644
SIZE=6 MTIME=Feb 15 14:40 2016
FILE=/www/var/db/nfsen/run/p.pid

REMOVE? no

UNALLOCATED  I=432062  OWNER=_nfcapd MODE=100644
SIZE=6 MTIME=Feb 15 14:40 2016
FILE=/www/var/db/nfsen/run/nfsend.pid

REMOVE? no

UNALLOCATED  I=432064  OWNER=_nfcapd MODE=140755
SIZE=0 MTIME=Feb 15 14:40 2016
FILE=/www/var/db/nfsen/run/nfsen.comm

REMOVE? no

UNALLOCATED  I=432034  OWNER=_nfcapd MODE=100644
SIZE=0 MTIME=Feb 15 14:40 2016
FILE=/www/var/db/nfsen/profiles-data/live/upstream1/nfcapd.current

REMOVE? no

** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE I=2468495  OWNER=root MODE=100444
SIZE=15177 MTIME=Feb 15 14:13 2016
CLEAR? no

UNREF FILE I=3663757  OWNER=root MODE=100600
SIZE=0 MTIME=Feb 15 14:41 2016
CLEAR? no

** Phase 5 - Check Cyl groups
SUMMARY INFORMATION BAD
SALVAGE? no

BLK(S) MISSING IN BIT MAPS
SALVAGE? no

FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? no

82047 files, 4617855 used, 10860496 free (39552 frags, 1352618 blocks, 0.3% fragmentation)




ipsec between three networks

2016-01-25 Thread lilit-aibolit

Hi list.
Currently I'm using a simple config to connect two networks
over the Internet; ipsec.conf on the $net2 side looks like this:


net1 = "{ 192.168.1.0/24, 192.168.11.0/24 }"
net2 = "{ 192.168.2.0/24, 192.168.22.0/24, 192.168.33.0/24 }"
flow esp from $net2 to $net1 peer x.x.x.x
esp from y.y.y.y to x.x.x.x spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish \
authkey file "/root/akey.local:/root/akey.remote" \
enckey file "/root/ekey:/root/ekey"


Suppose I have a third endpoint on the Internet
with public IP z.z.z.z and network 192.168.3.0/24.
What is the way to establish an extra tunnel with the third endpoint?
I need to be able to reach the $net1 and $net2 networks from
$net3, which is 192.168.3.0/24, and vice versa.

Is it enough to create a tunnel between $net3 and $net2
to reach $net1 from $net3, or do I need to set up two tunnels
on each endpoint?

I doubt whether such a config would work:

net1 = "{ 192.168.1.0/24, 192.168.11.0/24 }"
net2 = "{ 192.168.2.0/24, 192.168.22.0/24, 192.168.33.0/24 }"
net3 = "{ 192.168.3.0/24 }"

flow esp from $net2 to $net1 peer x.x.x.x
esp from y.y.y.y to x.x.x.x spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish \
authkey file "/root/akey.local:/root/akey.remote" \
enckey file "/root/ekey:/root/ekey"

flow esp from $net2 to $net3 peer z.z.z.z
esp from y.y.y.y to z.z.z.z spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish \
authkey file "/root/akey.local3:/root/akey.remote3" \
enckey file "/root/ekey3:/root/ekey3"
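
The draft above lists one flow and one SA per peer, so going to three or more sites means one such pair per peer on every gateway. The script below is an added example, not code from this thread: it renders a full-mesh ipsec.conf(5) fragment for each site (the site names, the x.x.x.x/y.y.y.y/z.z.z.z gateway addresses and the key-file paths are constructed placeholders, and the algorithm names are copied from the config above). It also allocates a distinct SPI per ordered pair, because an SA is identified by destination, protocol and SPI, and the draft reuses 0xdeadbeef:0xbeefdead for both peers, which would give y.y.y.y two inbound SAs with the same SPI; a final pass re-parses the rendered text to confirm that both ends of every SA agree on the SPI.

```python
"""Full-mesh manual-SA ipsec.conf(5) generator (added example, not from the thread).

Every ordered pair of sites gets its own SA with its own SPI, and every site's
file carries one flow and one esp line per peer, so each gateway reaches every
other site directly.  Site data, gateway addresses (x.x.x.x etc.) and key-file
paths are constructed placeholders.
"""
import re
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Site:
    name: str                  # ipsec.conf macro name, e.g. "net1"
    gw: str                    # gateway public address (placeholder)
    networks: Tuple[str, ...]  # subnets behind that gateway
    key_dir: str = "/root"     # assumed directory holding the key files


# Constructed from the thread's three-site scenario.
SITES: List[Site] = [
    Site("net1", "x.x.x.x", ("192.168.1.0/24", "192.168.11.0/24")),
    Site("net2", "y.y.y.y", ("192.168.2.0/24", "192.168.22.0/24", "192.168.33.0/24")),
    Site("net3", "z.z.z.z", ("192.168.3.0/24",)),
]

# Algorithm names copied from the thread's config; passed through unchanged.
AUTH, ENC = "hmac-sha2-512", "blowfish"

SPI_RE = re.compile(r"esp from (\S+) to (\S+) spi (0x[0-9a-f]+):(0x[0-9a-f]+)")


def allocate_spis(sites: List[Site], base: int = 0x1000) -> Dict[Tuple[str, str], int]:
    """One distinct SPI per ordered pair (src site, dst site).

    An SA is identified by (destination, protocol, SPI), so two peers must not
    send to the same gateway with the same SPI.  Globally distinct values
    satisfy that rule for every destination.
    """
    return {(a.name, b.name): base + i for i, (a, b) in enumerate(permutations(sites, 2))}


def render_site(local: Site, sites: List[Site], spis: Dict[Tuple[str, str], int]) -> str:
    """ipsec.conf text for one gateway: macros, then a flow + esp pair per peer."""
    lines = [f'{s.name} = "{{ {", ".join(s.networks)} }}"' for s in sites]
    lines.append("")
    for peer in sites:
        if peer is local:
            continue
        out_spi = spis[(local.name, peer.name)]  # SA local -> peer
        in_spi = spis[(peer.name, local.name)]   # SA peer -> local
        tag = f"{local.name}-{peer.name}"        # placeholder key-file suffix
        lines += [
            f"flow esp from ${local.name} to ${peer.name} peer {peer.gw}",
            f"esp from {local.gw} to {peer.gw} spi {out_spi:#x}:{in_spi:#x} \\",
            f"    auth {AUTH} enc {ENC} \\",
            f'    authkey file "{local.key_dir}/akey.{tag}.local:{local.key_dir}/akey.{tag}.remote" \\',
            f'    enckey file "{local.key_dir}/ekey.{tag}:{local.key_dir}/ekey.{tag}"',
            "",
        ]
    return "\n".join(lines)


def render_mesh(sites: List[Site] = SITES) -> Dict[str, str]:
    """Return {site name: ipsec.conf text} for every site in the mesh."""
    spis = allocate_spis(sites)
    return {s.name: render_site(s, sites, spis) for s in sites}


def count_flows(text: str) -> int:
    return sum(1 for line in text.splitlines() if line.startswith("flow esp"))


def spis_consistent(configs: Dict[str, str]) -> bool:
    """Both ends must agree: the SPI A lists as outbound to B is the SPI B lists
    as inbound from A.  Re-parses the rendered text rather than trusting it."""
    seen: Dict[Tuple[str, str], set] = {}
    for text in configs.values():
        for src, dst, out_spi, in_spi in SPI_RE.findall(text):
            seen.setdefault((src, dst), set()).add(out_spi)
            seen.setdefault((dst, src), set()).add(in_spi)
    return bool(seen) and all(len(v) == 1 for v in seen.values())


if __name__ == "__main__":
    for name, text in render_mesh().items():
        print(f"# --- /etc/ipsec.conf on {name} ---\n{text}")
```

Each rendered file is installed only on its own gateway; the flow lines reference the macros by name, so adding a fourth site means adding one Site entry and regenerating all files, which is exactly the growth the question is about.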




Re: openbsd's complete packages size

2015-05-07 Thread lilit-aibolit

On 05/06/2015 02:26 PM, elvis wrote:

Hi guys, I'd like to know the size of the whole package collection, in particular for the
i386 architecture. I really don't know where to get this info!

Thanks!
Sent from my Movistar BlackBerry



Download them :)



Re: dhcpd log issues

2015-03-12 Thread lilit-aibolit

On 11/07/2014 12:48 PM, Marc Peters wrote:

Hi misc@,

after upgrading our pair of dhcpd servers to 5.6(-stable), I am seeing
strange DHCPACKs in our logs (in both of them):

Nov  7 09:28:34 dhcpd2 dhcpd[9269]: DHCPINFORM from 192.168.20.251
Nov  7 09:28:34 dhcpd2 dhcpd[9269]: DHCPACK on null address to 5c:51:4f:56:81:c3 via em0


The entries in the leases file are correct and the clients are getting
the right addresses, so this seems merely a logging issue to me.

dmesg dhcpd1 (kvm-host):


Cheers,
Marc



Hi, same here.
I also found this discussion about the null address:
https://lists.isc.org/pipermail/dhcp-users/2008-May/006266.html

Mar 10 17:00:49 gw56 dhcpd[2020]: Listening on rum0 (10.10.10.1).
Mar 10 17:01:04 gw56 dhcpd[11367]: DHCPDISCOVER from 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPOFFER on 10.10.10.100 to 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPREQUEST for 10.10.10.100 from 00:1f:3b:12:93:91 via rum0
Mar 10 17:01:05 gw56 dhcpd[11367]: DHCPACK on 10.10.10.100 to 00:1f:3b:12:93:91 via rum0

Mar 10 17:01:11 gw56 dhcpd[11367]: DHCPINFORM from 10.10.10.100
Mar 10 17:01:11 gw56 dhcpd[11367]: DHCPACK on null address to 00:1f:3b:12:93:91 via rum0


# cat /etc/dhcpd.conf
subnet 10.10.10.0 netmask 255.255.255.0 {
option routers 10.10.0.1;
option domain-name kh.ektos;
option domain-name-servers 10.10.0.1;
max-lease-time 604800;
default-lease-time 604800;
range 10.10.10.100 10.10.10.200; }

# uname -a
OpenBSD gw56 5.6 GENERIC.MP#299 i386



Re: How to Selectively route DESTINATIONS via wan1_gw and via wan2_gw

2015-01-14 Thread lilit-aibolit

On 01/14/2015 07:19 AM, Indunil Jayasooriya wrote:

Hi misc,

I have /etc/ip_list1 file containing some destinations.

  format of /etc/ip_list1 is given below.

1.2.3.4
1.6.3.0/24


I want to route ALL DESTINATIONS listed in /etc/ip_list1 via wan1_gw.  The
rest of the traffic I want to route via wan2_gw.

I have enabled below things in sysctl.conf file (including multipath
routing)

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
net.inet.ip.multipath=1         # 1=Enable IP multipath routing
net.inet.icmp.rediraccept=1     # 1=Accept ICMP redirects


my 2 gateways

wan1_gw= 192.168.2.100
wan2_gw= 192.168.1.1


my hostname.xxx files like these.

my wan1 interface

# cat /etc/hostname.rl0
inet 192.168.2.35 255.255.255.0
!route add -mpath default 192.168.2.100

my wan2 interface

# cat /etc/hostname.rl1
inet 192.168.1.11 255.255.255.0
!route add -mpath default 192.168.1.1

my lan interface

# cat /etc/hostname.bge0
inet 192.168.100.208 255.255.255.0


my pf.conf file looks like this.

# macros

int_if=bge0
wan1_if=rl0
wan2_if=rl1

lan_net=192.168.100.0/24
#lan_net=192.168.101.0/24

wan1_gw= 192.168.2.100
wan2_gw= 192.168.1.1

table <ip_list1> persist file "/etc/ip_list1"

# options

set block-policy return
set loginterface $wan1_if
set skip on lo

#THIS IS THE RULE TO ROUTE VIA WAN1_GW
pass out quick log from any to <ip_list1> route-to ($wan1_if $wan1_gw)

# match rules

match out on $wan1_if from $lan_net nat-to ($wan1_if)
match out on $wan2_if from $lan_net nat-to ($wan2_if)

# filter rules

block in log
#block out log
pass out quick log

antispoof quick for { lo $int_if }

pass in log inet proto icmp all icmp-type $icmp_types



I still can NOT traceroute to destinations in /etc/ip_list1 via wan1_gw and
the rest via wan2_gw.

How to achieve this goal?






Hi, I've snipped the full rule set down to the needed lines; hope this will
help you.

I'm sure that I didn't enable multipath.
/etc/mygate contains either the A or the B gateway address.
In case you don't achieve policy-based routing with this example, I'll
send you the full pf.conf that has worked well for years.

ext_if_a = xl0
ext_gw_a = 195.26.92.129

ext_if_b = fxp1
ext_gw_b = 188.230.122.53

int_if   = fxp0

table <lan>  { 192.168.16.0/24 }
table <mail> { 192.168.16.5 }

match out on $ext_if_a inet proto tcp from <lan> to !<lan> nat-to $ext_if_a
match out on $ext_if_b inet from <lan> to !<lan> nat-to $ext_if_b

pass in on $int_if inet proto tcp from <mail> to any port { www, smtp, https, smtps } route-to ($ext_if_a $ext_gw_a)
pass in on $int_if inet proto tcp from <lan> to any route-to ($ext_if_b $ext_gw_b)


pass out inet from $ext_if_a route-to ($ext_if_a $ext_gw_a)
pass out inet from $ext_if_b route-to ($ext_if_b $ext_gw_b)

pass out on { $ext_if_a, $ext_if_b }



IPSec stopped working accidentally

2014-08-18 Thread lilit-aibolit

Hi list.
I have two gateways which have been working fine for two years.
And suddenly I couldn't reach the remote network behind either gateway from
the other side.

Nothing changed in the configs.
Both gateways seem to work as expected, except for the VPN.
Both gateways have an identical setup like this.
How do I debug this, and where can the trouble be?
# ifconfig
em0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:18:7d:0e:f5:34
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.5.254 netmask 0xffffff00 broadcast 192.168.5.255
em1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:18:7d:0e:f5:33
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 194.106.218.98 netmask 0xfffffffc broadcast 194.106.218.99
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
vlan0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:18:7d:0e:f5:34
        priority: 0
        vlan: 2 parent interface: em0
        groups: vlan
        status: active
        inet 192.168.223.1 netmask 0xffffff00 broadcast 192.168.223.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: tun
        status: active
        inet 192.168.99.1 --> 192.168.99.2 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog

# cat /etc/ipsec.conf
#   $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

tlv = { 192.168.2.0/24, 192.168.88.0/24 }
tlk = { 192.168.5.0/24, 192.168.99.0/24, 192.168.66.0/24 }
flow esp from $tlk to $tlv peer 92.246.22.143
#flow esp from 194.106.218.98 to 192.168.2.0/24 peer 92.246.22.143
esp from 194.106.218.98 to 92.246.22.143 spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish \
authkey file /root/akey.local:/root/akey.remote \
enckey file /root/ekey:/root/ekey

# ls -la /root/akey*
-rw-------  1 root  wheel  128 Jul  2  2012 /root/akey.local
-rw-------  1 root  wheel  128 Jul  2  2012 /root/akey.remote

# ls -la /root/ekey
-rw-------  1 root  wheel  40 Jul  2  2012 /root/ekey

# cat /etc/pf.conf | grep esp
pass in on $ext_if proto esp from tlv_gw to em1
pass out on $ext_if proto esp from em1 to tlv_gw

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.88.0/24 to 192.168.66.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.66.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.66.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.66.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.88.0/24 to 192.168.99.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.99.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.99.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.99.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.88.0/24 to 192.168.5.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.5.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.5.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.5.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require


SAD:
esp tunnel from 92.246.22.143 to 194.106.218.98 spi 0xbeefdead auth hmac-sha2-512 enc blowfish
esp tunnel from 194.106.218.98 to 92.246.22.143 spi 0xdeadbeef auth hmac-sha2-512 enc blowfish


# netstat -rnf encap
Routing tables

Encap:
Source         Port  Destination    Port  Proto  SA(Address/Proto/Type/Direction)
192.168.88/24  0     192.168.66/24  0     0      92.246.22.143/esp/require/in
192.168.66/24  0     192.168.88/24  0     0      92.246.22.143/esp/require/out
192.168.2/24   0     192.168.66/24  0     0      92.246.22.143/esp/require/in
192.168.66/24  0     192.168.2/24   0     0      92.246.22.143/esp/require/out
192.168.88/24  0     192.168.99/24  0     0      92.246.22.143/esp/require/in
192.168.99/24  0     192.168.88/24  0     0      92.246.22.143/esp/require/out
192.168.2/24   0     192.168.99/24  0     0      92.246.22.143/esp/require/in
192.168.99/24  0     192.168.2/24   0     0      92.246.22.143/esp/require/out
192.168.88/24  0     192.168.5/24   0     0      92.246.22.143/esp/require/in
192.168.5/24   0     192.168.88/24  0     0      92.246.22.143/esp/require/out
192.168.2/24   0     192.168.5/24   0     0      92.246.22.143/esp/require/in
192.168.5/24   0     192.168.2/24   0     0      92.246.22.143/esp/require/out


# cat /etc/sysctl.conf | grep -v ^#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

net.inet.esp.enable=1

Re: IPSec stopped working accidentally

2014-08-18 Thread lilit-aibolit

On 08/18/2014 12:40 PM, lilit-aibolit wrote:

Hi list.


When I start a ping from the 192.168.2.0/24 network to 192.168.5.0/24:

C:\Users\user>ping 192.168.5.251 -t
Pinging 192.168.5.251 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

I get packets on the gateway on the 2.0/24 side:

# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
17:46:36.966932 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)
17:46:41.965424 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)


and I get packets on the gateway on the 5.0/24 side:

# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
18:45:10.581652 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)
18:45:10.581898 (authentic,confidential): SPI 0xdeadbeef: 192.168.5.251 > 192.168.2.25: icmp: echo reply (encap)


Does it mean that the VPN tunnel works somehow and host 192.168.5.251 replies
back to the ping, but the first gateway doesn't get that reply from 192.168.5.251?
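
Taking an enc0 capture on both gateways, as done above, localises the loss: each side sees what its own IPsec stack decapsulated or encapsulated. The script below is an added example, not code from this thread: it parses the `tcpdump -i enc0 -n` line format shown above, tallies ICMP echo requests and replies per SPI on each gateway, checks that every packet was both authenticated and encrypted, and states at which hop the replies disappear. The two captures are constructed from the thread's own output; the near/far naming is the script's own.

```python
"""Compare enc0 captures from both ends of a tunnel (added example, not from the thread).

Parses the tcpdump -i enc0 -n line format shown in the thread, tallies ICMP echo
requests and replies per SPI on each gateway, and says at which hop the replies
go missing.  Both captures below are constructed from the thread's output.
"""
import re
from collections import Counter
from typing import Dict, List

ENC_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<props>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply) \(encap\)$"
)

# Gateway in front of the pinging host (192.168.2.0/24 side): requests go out,
# nothing comes back.
GW_A_ENC0 = """\
tcpdump: listening on enc0, link-type ENC
17:46:36.966932 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)
17:46:41.965424 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)
"""

# Gateway in front of the target (192.168.5.0/24 side): the request arrives and
# a reply is put into the tunnel.
GW_B_ENC0 = """\
tcpdump: listening on enc0, link-type ENC
18:45:10.581652 (authentic,confidential): SPI 0xbeefdead: 192.168.2.25 > 192.168.5.251: icmp: echo request (encap)
18:45:10.581898 (authentic,confidential): SPI 0xdeadbeef: 192.168.5.251 > 192.168.2.25: icmp: echo reply (encap)
"""


def parse_enc0(text: str) -> List[Dict[str, str]]:
    """One dict per packet line; the 'listening on' banner and anything else is skipped."""
    matches = (ENC_LINE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def tally(records: List[Dict[str, str]]) -> Counter:
    """Packets per (SPI, kind), e.g. {("0xbeefdead", "request"): 2}."""
    return Counter((r["spi"], r["kind"]) for r in records)


def unprotected(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Packets whose SA did not apply both authentication and encryption."""
    return [r for r in records
            if not {"authentic", "confidential"} <= set(r["props"].split(","))]


def diagnose(near_text: str, far_text: str) -> str:
    """near = gateway in front of the pinging host, far = gateway in front of the target."""
    near, far = parse_enc0(near_text), parse_enc0(far_text)
    req_near = sum(1 for r in near if r["kind"] == "request")
    req_far = sum(1 for r in far if r["kind"] == "request")
    rep_far = sum(1 for r in far if r["kind"] == "reply")
    rep_near = sum(1 for r in near if r["kind"] == "reply")
    if not req_near:
        return "no echo requests entered the tunnel on the near gateway"
    if not req_far:
        return "requests leave near but never appear on far: near->far SA or path"
    if not rep_far:
        return "requests reach far but the target host sends no reply"
    if not rep_near:
        return ("far sends replies into the tunnel but near never sees them: "
                "far->near SA, the path between them, or near's inbound esp/pf rules")
    return "echo requests and replies seen on both gateways"


if __name__ == "__main__":
    print(tally(parse_enc0(GW_A_ENC0)), tally(parse_enc0(GW_B_ENC0)))
    print(diagnose(GW_A_ENC0, GW_B_ENC0))
```

With the thread's captures the verdict is the last failing branch: the far gateway encapsulates a reply under SPI 0xdeadbeef, and the near gateway never decapsulates one, so the next place to look is the far->near SA and whatever sits between the two external interfaces, not the target host.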



Unable to stop nfsen

2014-06-04 Thread lilit-aibolit

# ps -ax | grep nfsen | grep -v grep
16371 ??  I   0:27.89 /usr/local/bin/nfcapd -w -D -p  -u _nfcapd -g www -B 20 -S 1 -P /var/db/nfsen/r
 1333 ??  Is  2:17.70 perl: /usr/local/bin/nfsend-comm (perl)
 6030 ??  Is 63:05.79 /usr/bin/perl -w /usr/local/bin/nfsend
19674 ??  I   0:00.01 /usr/local/bin/nfexpire -Y -p -e /var/db/nfsen/profiles-data/./live -w 90 -s 1073741824


# /etc/rc.d/nfsen stop
..long time here..
nfsen(failed)

# grep nf /var/log/daemon
Jun  4 13:13:06 gw nfcapd[16371]: ioctl(F_WRLCK) error in nfstatfile.c line 338: Interrupted system call
Jun  4 13:13:06 gw nfcapd[16371]: Terminating nfcapd.

# ps -ax | grep nfsen | grep -v grep
 1333 ??  Is  2:17.82 perl: /usr/local/bin/nfsend-comm (perl)
 6030 ??  Is 63:05.79 /usr/bin/perl -w /usr/local/bin/nfsend
19674 ??  I   0:00.01 /usr/local/bin/nfexpire -Y -p -e /var/db/nfsen/profiles-data/./live -w 90 -s 1073741824


What should I do to stop or restart it?



Re: Get statistics of websites visited without proxy/squid

2014-04-28 Thread lilit-aibolit

On 04/25/2014 06:18 PM, James Records wrote:

I posted this on reddit a while back; I've been doing this on pfSense for a
while and don't see why it wouldn't work with OBSD:

http://www.reddit.com/r/PFSENSE/comments/1vn51f/monitoring_question_analysis_of_uris_by_ip_address/

basically install httpry and do this: httpry -i em1 | grep 'GET\|POST' | logger

Jim




Thank you. This is exactly what I've been looking for.
I'll try to calculate the number of unique GET or POST requests per IP, and
that's all.


# httpry -i em0 -d -o /home/httpry/em0.log -u nobody -f timestamp,source-ip,host,method -m get,post 'tcp port 80'


# egrep 'GET|POST' em0.log | uniq | head -10
2014-04-28 12:27:03    192.168.5.32    pagestat.mmi.bemobile.ua                GET
2014-04-28 12:27:05    192.168.5.32    pbs.twimg.com                           GET
2014-04-28 12:27:07    192.168.5.32    glavcom.ua                              GET
2014-04-28 12:27:07    192.168.5.32    pagestat.mmi.bemobile.ua                GET
2014-04-28 12:27:07    192.168.5.32    ep01.irl.amz.nimbus.bitdefender.net     POST
2014-04-28 12:27:07    192.168.5.32    hq.nimbus.bitdefender.net               POST
2014-04-28 12:27:07    192.168.5.32    glavcom.ua                              GET
2014-04-28 12:27:08    192.168.5.32    glavcom.ua                              GET
2014-04-28 12:27:08    192.168.5.32    informers.ukr.net                       GET
2014-04-28 12:27:08    192.168.5.32    glavcom.ua                              GET
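
The stated goal is the number of unique GET or POST requests per client. The script below is an added example, not code from this thread: it reads the four-field log produced by the httpry command above, assuming httpry's tab-separated output and its "-" placeholder for a request without a Host header, and aggregates per source IP the total requests, the distinct (host, method) pairs and the Host-less requests. The sample log is constructed from the thread's output plus a second client and one Host-less line.

```python
"""Per-client request statistics from an httpry log (added example, not from the thread).

Assumes httpry was run with -f timestamp,source-ip,host,method -m get,post as in
the thread, with tab-separated output fields (assumed default) and "-" for a
field httpry could not fill.  The sample log is constructed from the thread's
output plus two extra lines for a second client.
"""
from typing import Dict, List

HTTPRY_LOG = """\
2014-04-28 12:27:03\t192.168.5.32\tpagestat.mmi.bemobile.ua\tGET
2014-04-28 12:27:05\t192.168.5.32\tpbs.twimg.com\tGET
2014-04-28 12:27:07\t192.168.5.32\tglavcom.ua\tGET
2014-04-28 12:27:07\t192.168.5.32\tpagestat.mmi.bemobile.ua\tGET
2014-04-28 12:27:07\t192.168.5.32\tep01.irl.amz.nimbus.bitdefender.net\tPOST
2014-04-28 12:27:07\t192.168.5.32\thq.nimbus.bitdefender.net\tPOST
2014-04-28 12:27:07\t192.168.5.32\tglavcom.ua\tGET
2014-04-28 12:27:08\t192.168.5.32\tglavcom.ua\tGET
2014-04-28 12:27:08\t192.168.5.32\tinformers.ukr.net\tGET
2014-04-28 12:27:08\t192.168.5.32\tglavcom.ua\tGET
2014-04-28 12:27:09\t192.168.5.40\tglavcom.ua\tGET
2014-04-28 12:27:09\t192.168.5.40\t-\tGET
this line is deliberately malformed and must be skipped
"""


def parse_httpry(text: str) -> List[Dict[str, str]]:
    """One record per well-formed line (timestamp, source IP, host, method)."""
    recs = []
    for line in text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != 4:
            continue
        ts, src, host, method = parts
        recs.append({"ts": ts, "src": src, "host": host, "method": method.upper()})
    return recs


def per_client(recs: List[Dict[str, str]], methods=("GET", "POST")) -> Dict[str, dict]:
    """For each source IP: total requests, distinct (host, method) pairs,
    requests without a Host header, and the sorted list of hosts seen."""
    acc: Dict[str, dict] = {}
    for r in recs:
        if r["method"] not in methods:
            continue
        a = acc.setdefault(r["src"], {"requests": 0, "pairs": set(), "no_host": 0})
        a["requests"] += 1
        if r["host"] == "-":
            a["no_host"] += 1
        else:
            a["pairs"].add((r["host"], r["method"]))
    return {
        ip: {
            "requests": a["requests"],
            "unique": len(a["pairs"]),
            "no_host": a["no_host"],
            "hosts": sorted({h for h, _ in a["pairs"]}),
        }
        for ip, a in acc.items()
    }


def report(stats: Dict[str, dict]) -> List[str]:
    """Tab-separated lines: ip, requests, unique pairs, host-less; busiest first."""
    ordered = sorted(stats.items(), key=lambda kv: (-kv[1]["requests"], kv[0]))
    return [f"{ip}\t{s['requests']}\t{s['unique']}\t{s['no_host']}" for ip, s in ordered]


if __name__ == "__main__":
    for line in report(per_client(parse_httpry(HTTPRY_LOG))):
        print(line)
```

Because the capture filter above is 'tcp port 80', only plaintext HTTP shows up here; a client whose traffic is mostly HTTPS will look idle in this report even though the pflow/nfsen counters from the other threads would show its bytes.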



Get statistics of websites visited without proxy/squid

2014-04-25 Thread lilit-aibolit

Hi misc, I know this is not truly OpenBSD related, but I'd like to know
if there is any possibility to collect such statistics.
I'm using NAT with PF for my LAN and I don't have any proxy application
like squid.
I have already started collecting traffic statistics with nfsen, but it
collects only IPs.

Is there any lightweight solution?



Find last month abbreviation

2014-04-18 Thread lilit-aibolit

This works in Linux:
$ date --date="last month" +%b
Mar

In OpenBSD I tried
# MonthCurrent=`date +%m`
# MonthPrevious=`expr $MonthCurrent - 1`
# echo $MonthPrevious
3

But I need month's abbreviation.



Re: PF NAT statistic per month per IP

2014-04-16 Thread lilit-aibolit

On 04/15/2014 09:51 PM, Stefan Sieg wrote:

Hello,

with the already mentioned netflow solution you will not see connections
that have not expired. So you will not see long-lived connections like vpn or
ssh
in your statistics at the appointed date.

Maybe pf labels are for you ...

lan = { 192.168.5.1, 192.168.5.2,  }
match out on $ext_if inet proto tcp to any received-on $int_if nat-to $ext_if
pass in on $int_if inet proto tcp from $lan to any label $srcaddr \
tag LAN-INET

pass out on $ext_if tagged LAN-INET


With pfctl -s labels you will get this (the numbers are explained in the manpage)

192.168.5.1 57 0 0 0 0 0 0 0
192.168.5.2 37 0 0 0 0 0 0 0


192.168.5.37 37 1950 1318232 1094 1215437 856 102795 37



pfctl -z clears the per rule statistics


Greetings

Stefan




Thanks for sharing this simple example.
Is it true that I need to use a list/macro
(and define all IPs from my /24 LAN there) in the _from_ statement?
Because when I use tables:

table <admin> { 192.168.5.1, 192.168.5.20 }
table <lan>   { 192.168.5.0/24 }
pass in on $int_if inet from <admin> to any label $srcaddr queue (manager, ack)
pass in on $int_if inet proto tcp from <lan> to any port $portstuff label $srcaddr queue (bulk, ack)


I got:

# pfctl -s labels
admin 3055 97 5125 49 2437 48 2688 17
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 3 152 3 152 0 0 1
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 74292 60498330 28705 5930177 45587 54568153 595
lan 1315 14227 3446348 7315 919595 6912 2526753 371
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
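
The output above shows the effect of labelling a table-based rule with $srcaddr: every expanded rule carries the table's name, so the counters for the whole /24 land under "lan" (repeated once per expanded rule, presumably one per port in $portstuff) and only the list-based form from the previous message yields one line per address. The script below is an added example, not code from this thread: it parses `pfctl -s labels` output using the column order documented in pfctl(8) (label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, state creations), sums the duplicated lines per label, separates per-address labels from aggregate ones, and computes the difference between two snapshots while tolerating a `pfctl -z` reset in between, which is what a monthly report needs. The first snapshot is the thread's own output; the second is constructed.

```python
"""Per-label traffic accounting from pfctl -s labels (added example, not from the thread).

Column order follows pfctl(8): label, evaluations, packets, bytes, packets in,
bytes in, packets out, bytes out, state creations.  PFCTL_LABELS is the
thread's own output; the second snapshot in the usage below is constructed.
"""
from typing import Dict, List, Tuple

FIELDS = ("evaluations", "packets", "bytes", "packets_in", "bytes_in",
          "packets_out", "bytes_out", "states")
Counters = Dict[str, int]

PFCTL_LABELS = """\
admin 3055 97 5125 49 2437 48 2688 17
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 3 152 3 152 0 0 1
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 74292 60498330 28705 5930177 45587 54568153 595
lan 1315 14227 3446348 7315 919595 6912 2526753 371
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
lan 1315 0 0 0 0 0 0 0
192.168.5.37 37 1950 1318232 1094 1215437 856 102795 37
"""


def parse_labels(text: str) -> List[Tuple[str, Counters]]:
    """One (label, counters) tuple per line; lines that are not 9 columns of
    label + integers are ignored."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9 or not all(p.isdigit() for p in parts[1:]):
            continue
        rows.append((parts[0], dict(zip(FIELDS, map(int, parts[1:])))))
    return rows


def aggregate(rows: List[Tuple[str, Counters]]) -> Dict[str, Counters]:
    """Sum the counters of labels that occur more than once (one line per
    expanded rule that carries the same label)."""
    totals: Dict[str, Counters] = {}
    for label, c in rows:
        t = totals.setdefault(label, dict.fromkeys(FIELDS, 0))
        for k in FIELDS:
            t[k] += c[k]
    return totals


def is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def per_host(totals: Dict[str, Counters]) -> Dict[str, Counters]:
    """Only labels that are IPv4 addresses, i.e. rules that were expanded per host."""
    return {k: v for k, v in totals.items() if is_ipv4(k)}


def delta(prev: Dict[str, Counters], cur: Dict[str, Counters]) -> Dict[str, Counters]:
    """Traffic between two snapshots.  Counters only grow unless pfctl -z (or a
    ruleset reload) reset them; a value lower than before is taken as a reset
    and counted from zero rather than producing a negative number."""
    out: Dict[str, Counters] = {}
    for label, c in cur.items():
        p = prev.get(label, dict.fromkeys(FIELDS, 0))
        out[label] = {k: (c[k] - p[k] if c[k] >= p[k] else c[k]) for k in FIELDS}
    return out


if __name__ == "__main__":
    totals = aggregate(parse_labels(PFCTL_LABELS))
    for label, c in totals.items():
        print(f"{label:>14}  bytes={c['bytes']:>10}  in={c['bytes_in']:>9}  out={c['bytes_out']:>9}")
    later = aggregate(parse_labels("192.168.5.37 40 100 5000 60 3000 40 2000 3\n"))
    print(delta(totals, later)["192.168.5.37"])   # smaller than before: counted as a reset
```

Running the snapshot at the start and end of the month and feeding both to delta() gives the per-label usage for that month; to get it per host rather than per table, the rule has to be written so that $srcaddr expands to an address, as in the list-based example earlier in the thread.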



Re: PF NAT statistic per month per IP

2014-04-16 Thread lilit-aibolit
On 04/15/2014 05:34 PM, Peter N. M. Hansteen wrote:
 lilit-aibolit <lilit-aibo...@mail.ru> writes:

 table <lan>   { 192.168.5.0/24 }
 match out on $ext_if inet proto tcp from <lan> to any nat-to em1
 pass in on $int_if inet proto tcp from <lan> to any port
 pass out on $ext_if inet proto tcp from em1 to any

 I'd like to know how much traffic specific IPs from <lan> have consumed.
 export flow data via pflow, collect and make per IP address statistics
 from the collected flow data.  See eg [1] to get started and add some
 minimal scriptery, you'll have just what you're looking for.

 [1] http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html

Thank you and others for pointing to pflow+nfsend.
What I actually did is:
1) modify pf.conf:

set state-defaults pflow
table <lan> { 192.168.5.0/24 }
match out on $ext_if inet proto tcp from <lan> to any nat-to em1
pass in log on $int_if inet proto tcp from <lan> to any port
pass out on $ext_if inet proto tcp from em1 to any

2) add pflow if:

pflow0: flags=41<UP,RUNNING> mtu 1492
        priority: 0
        pflow: sender: 127.0.0.1 receiver: 127.0.0.1: version: 5
        groups: pflow

3) install and configure nfsend:

# pkg_add -i php nfsend
# grep -n1 upstream1 /etc/nfsen.conf
163-%sources = (
164:    'upstream1' => { 'port' => '', 'IP' => '127.0.0.1', 'col' => '#ff', 'type' => 'netflow' },
165-);

4) restart Apache and finally I got nfsend web page with content

But I still didn't find a filter expression to get statistics only for my
LAN's IPs:

 ** nfdump -M /var/db/nfsen/profiles-data/live/upstream1 -T -R 2014/04/16/nfcapd.201404161420:2014/04/16/nfcapd.201404161455 -n 20 -s srcip/bytes
 nfdump filter:
 NET 192.168.5.0/24
 Top 20 Src IP Addr ordered by bytes:
 Date first seen          Duration Proto        Src IP Addr    Flows(%)     Packets(%)       Bytes(%)       pps      bps   bpp
 2014-04-16 13:50:26.098  4076.001 any         192.168.5.78    271( 0.8)   116309( 9.3)  141.3 M(23.2)       28   277268  1214
 2014-04-16 14:21:58.098  1175.000 any          8.20.213.65      9( 0.0)    29265( 2.3)   43.9 M( 7.2)       24   298620  1498
 2014-04-16 14:30:20.098   809.000 any        54.230.94.189      1( 0.0)    25283( 2.0)   37.4 M( 6.1)       31   369475  1477
 2014-04-16 14:25:33.098  1289.000 any          8.20.213.38      6( 0.0)    23279( 1.9)   34.9 M( 5.7)       18   216542  1498
 2014-04-16 14:25:40.098   287.000 any         54.230.94.94      2( 0.0)    22579( 1.8)   33.5 M( 5.5)       78   933758  1483
 2014-04-16 14:20:26.098  2276.001 any        192.168.2.245    241( 0.7)    86438( 6.9)   32.2 M( 5.3)       37   113079   372
 2014-04-16 14:25:32.098  1184.000 any          8.19.240.41      2( 0.0)    16211( 1.3)   24.3 M( 4.0)       13   164228  1499
 2014-04-16 14:00:46.098  2275.000 any      176.103.207.168      1( 0.0)   129597(10.4)   16.6 M( 2.7)       56    58232   127
 2014-04-16 14:00:46.098  3456.001 any         192.168.5.14    110( 0.3)   132729(10.6)   16.1 M( 2.6)       38    37265   121
 2014-04-16 14:43:06.098   704.000 any        178.63.72.144     38( 0.1)    10683( 0.9)   13.6 M( 2.2)       15   154907  1276
 2014-04-16 14:21:01.098  2008.000 any          8.20.213.95      2( 0.0)     7481( 0.6)   11.2 M( 1.8)        3    44665  1498
 2014-04-16 14:32:57.098   345.000 any         46.33.68.171      4( 0.0)     6014( 0.5)    8.9 M( 1.5)       17   206844  1483
 2014-04-16 14:47:24.098    31.000 any          8.20.213.37      1( 0.0)     5945( 0.5)    8.9 M( 1.5)      191    2.3 M  1499
 2014-04-16 13:50:38.098  4127.001 any         192.168.5.15   1593( 4.7)    79268( 6.3)    8.6 M( 1.4)       19    16727   108
 2014-04-16 13:54:37.098  3825.001 any         46.118.77.60     74( 0.2)    61866( 4.9)    8.5 M( 1.4)       16    17689   136
 2014-04-16 14:24:53.098  1041.000 any        46.149.185.47      2( 0.0)    37694( 3.0)    6.8 M( 1.1)       36    52527   181
 2014-04-16 13:56:20.098  3785.001 any        192.168.5.254   6520(19.1)    12670( 1.0)    6.0 M( 1.0)        3    12672   473
 2014-04-16 14:06:38.098  3052.001 any        68.232.35.139    132( 0.4)     5033( 0.4)    5.5 M( 0.9)        1    14292  1083
 2014-04-16 14:14:12.098  1155.000 any        195.95.206.13      1( 0.0)     7084(

PF NAT statistic per month per IP

2014-04-15 Thread lilit-aibolit

Hello misc.
Please provide any hints on how to get the amount of
Internet traffic per IP in the LAN for a period of
one month.

Suppose I have such simple rules to share Internet connection
for lan:

table <lan> { 192.168.5.0/24 }
match out on $ext_if inet proto tcp from <lan> to any nat-to em1
pass in on $int_if inet proto tcp from <lan> to any port
pass out on $ext_if inet proto tcp from em1 to any

I'd like to know how much traffic specific IPs from <lan> have consumed.



Re: Accept two vlans (Solved)

2013-08-08 Thread lilit-aibolit

Martin, Christian, Kent thank you all for explanation.
It was more than enough to understand things.



Accept two vlans

2013-08-07 Thread lilit-aibolit

Hello misc.
I'd like to set up a guest Wi-Fi in my LAN that prevents access to local
resources.

I have an OpenBSD gateway with an em NIC connected to the LAN.
The LAN is based on switches with VLAN support.
Suppose I have created two VLANs and added the ports from my network
to vlan1 and the Wi-Fi AP to vlan2.
What should I do on the gateway to accept the networks from both VLANs?
Should there be different subnets in vlan1/2, or can it be the same one?



Re: nut-2.7.1 (Solved)

2013-07-31 Thread lilit-aibolit

On 07/30/2013 01:52 PM, Stuart Henderson wrote:

On 2013-07-29, lilit-aibolit <lilit-aibo...@mail.ru> wrote:

Using existing bestuferrups.8 manual page, since 'asciidoc' was not found.
Using existing bestups.8 manual page, since 'asciidoc' was not found.
Using existing bestfcom.8 manual page, since 'asciidoc' was not found.
Using existing blazer.8 manual page, since 'asciidoc' was not found.
make: don't know how to make blazer_ser.8 (prerequisite of: all-am)
Stop in docs/man
*** Error 1 in docs (Makefile:511 'all-recursive')
*** Error 1 in /root/nut (Makefile:499 'all-recursive')

I suspect that installing asciidoc might get you further here.




I have tried this way, but it doesn't help; same error after
# pkg_add asciidoc
But fortunately I achieved my goal:
build the new driver on 2.7.1 and use it on 2.6.5.
Full thread here:
http://lists.alioth.debian.org/pipermail/nut-upsuser/2013-July/008507.html



nut-2.7.1

2013-07-29 Thread lilit-aibolit

Does someone have a compiled i386 package for current nut?
https://github.com/networkupstools/nut
Or a walkthrough on how to build it on 5.3.
The reason for installing the development version is the added
Riello UPS support.
These are my steps:
# git clone https://github.com/networkupstools/nut.git
# pkg_add python-3.2.3p0 autoconf-2.69p0 automake-1.13.1
# ln -s /usr/local/bin/python3.2 /usr/local/bin/python
# cd nut
# ./autogen.sh
Regenerating Augeas ups.conf lens...
  File "./gen-nutupsconf-aug.py", line 72
    print dirPrefix
                  ^
SyntaxError: invalid syntax
Regenerating the USB helper files...
./autogen.sh[31]: cd: /root/nut/scripts/augeas/tools - No such file or directory

Calling autoreconf...
Provide an AUTOCONF_VERSION environment variable, please
# AUTOCONF_VERSION=2.69 ./autogen.sh
Regenerating Augeas ups.conf lens...
  File "./gen-nutupsconf-aug.py", line 72
    print dirPrefix
                  ^
SyntaxError: invalid syntax
Regenerating the USB helper files...
./autogen.sh[31]: cd: /root/nut/scripts/augeas/tools - No such file or directory

Calling autoreconf...
autoreconf-2.69: 'configure.ac' or 'configure.in' is required



Re: nut-2.7.1

2013-07-29 Thread lilit-aibolit

On 07/29/2013 11:31 AM, Marios Makassikis wrote:

ln -s /usr/local/bin/python3.2 /usr/local/bin/python

Thanks. It helped a bit, but now

# rm /usr/local/bin/python
# ln -s /usr/local/bin/python2.7 /usr/local/bin/python
# pwd
/root/nut
# export AUTOMAKE_VERSION=1.13.1
# export AUTOCONF_VERSION=2.69
# export CONFIGURE_STYLE=autoconf
# ./autogen.sh
Regenerating Augeas ups.conf lens...
Calling autoreconf...
/usr/local/bin/aclocal[35]: /usr/local/bin/aclocal-1.13.1: not found
autoreconf-2.69: aclocal failed with exit status: 127



Re: nut-2.7.1

2013-07-29 Thread lilit-aibolit

On 07/29/2013 12:13 PM, lilit-aibolit wrote:

On 07/29/2013 11:31 AM, Marios Makassikis wrote:

ln -s /usr/local/bin/python3.2 /usr/local/bin/python

Thanks. It helped a bit, but now

# rm /usr/local/bin/python
# ln -s /usr/local/bin/python2.7 /usr/local/bin/python
# pwd
/root/nut
# export AUTOMAKE_VERSION=1.13.1
# export AUTOCONF_VERSION=2.69
# export CONFIGURE_STYLE=autoconf
# ./autogen.sh
Regenerating Augeas ups.conf lens...
Calling autoreconf...
/usr/local/bin/aclocal[35]: /usr/local/bin/aclocal-1.13.1: not found
autoreconf-2.69: aclocal failed with exit status: 127




corrected:
# pkg_add libtool asciidoc
libtool-2.4.2: ok
# ls /usr/local/bin/aclocal*
aclocal         aclocal-1.13
# export AUTOMAKE_VERSION=1.13
# export AUTOCONF_VERSION=2.69
# export CONFIGURE_STYLE=autoconf
# ./autogen.sh
Calling autoreconf...
aclocal-1.13: warning: autoconf input should be named 'configure.ac', not 'configure.in'

libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
aclocal-1.13: warning: autoconf input should be named 'configure.ac', not 'configure.in'
automake-1.13: warning: autoconf input should be named 'configure.ac', not 'configure.in'

configure.in:11: installing './config.guess'
configure.in:11: installing './config.sub'
configure.in:15: installing './install-sh'
configure.in:15: installing './missing'
automake-1.13: warning: autoconf input should be named 'configure.ac', not 'configure.in'

clients/Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'

# ./configure --with-user=_ups --with-group=_ups

Configuration summary:
==
build serial drivers: yes
build USB drivers: yes
build SNMP drivers: no
build neon based XML driver: no
enable Avahi support: no
build Powerman PDU client driver: no
build IPMI driver: no
build Mac OS X meta-driver: no
enable SSL support: yes (OpenSSL)
enable libwrap (tcp-wrappers) support: no
enable libltdl (Libtool dlopen abstraction) support: no
build nut-scanner: no
build CGI programs: no
enable HAL support: no
build and install documentation: no
build and install the development files: no

# make

Making all in include
NUT_VERSION: 2.6.5-183-ga074844
test -f nut_version.h || cp _nut_version.h nut_version.h
cmp -s _nut_version.h nut_version.h || cp _nut_version.h nut_version.h
rm -f _nut_version.h
make  all-am
Making all in common
Making all in clients
Making all in conf
Making all in data
Making all in html
Making all in tools
Making all in .
Making all in nut-scanner
make  all-am
Regenerating the SNMP helper files.
Regenerating the USB helper files.
Making all in docs
Making all in .
Making all in man
Using existing nut.conf.5 manual page, since 'asciidoc' was not found.
Using existing ups.conf.5 manual page, since 'asciidoc' was not found.
Using existing upsd.conf.5 manual page, since 'asciidoc' was not found.
Using existing upsd.users.5 manual page, since 'asciidoc' was not found.
Using existing upsmon.conf.5 manual page, since 'asciidoc' was not found.
Using existing upssched.conf.5 manual page, since 'asciidoc' was not found.
Using existing nutupsdrv.8 manual page, since 'asciidoc' was not found.
Using existing upsc.8 manual page, since 'asciidoc' was not found.
Using existing upscmd.8 manual page, since 'asciidoc' was not found.
Using existing upsd.8 manual page, since 'asciidoc' was not found.
Using existing upsdrvctl.8 manual page, since 'asciidoc' was not found.
Using existing upslog.8 manual page, since 'asciidoc' was not found.
Using existing upsmon.8 manual page, since 'asciidoc' was not found.
Using existing upsrw.8 manual page, since 'asciidoc' was not found.
Using existing upssched.8 manual page, since 'asciidoc' was not found.
Using existing nut-scanner.8 manual page, since 'asciidoc' was not found.
Using existing nut-recorder.8 manual page, since 'asciidoc' was not found.
Using existing apcsmart.8 manual page, since 'asciidoc' was not found.
Using existing apcsmart-old.8 manual page, since 'asciidoc' was not found.
Using existing bcmxcp.8 manual page, since 'asciidoc' was not found.
Using existing belkin.8 manual page, since 'asciidoc' was not found.
Using existing belkinunv.8 manual page, since 'asciidoc' was not found.
Using existing bestfortress.8 manual page, since 'asciidoc' was not found.
Using existing bestuferrups.8 manual page, since 'asciidoc' was not found.
Using existing bestups.8 manual page, since 'asciidoc' was not found.
Using existing bestfcom.8 manual page, since 'asciidoc' was not found.
Using existing blazer.8 manual page, since 'asciidoc' was not found.
make: don't know how to make blazer_ser.8 (prerequisite of: all-am)
Stop in docs/man
*** Error 1 in docs (Makefile:511 'all-recursive

Re: wireless ethernet (ralink) not working

2013-06-10 Thread lilit-aibolit

On 03/25/2013 11:08 AM, lilit-aibolit wrote:

On 03/24/2013 12:13 AM, Riccardo Mottola wrote:

Hi,

On 03/23/13 20:13, Peter N. M. Hansteen wrote:

Riccardo Mottola riccardo.mott...@libero.it writes:


But i am connecting to a WEP protected network, not WPA.

typical hostname.if for a wep network:

media autoselect nwid wepnetwork nwkey secretasitgets
dhcp
rtsol

activates at boot, or if you do 'sudo sh /etc/netstart ifname'

for wpa, you would change 'nwkey' to 'wpakey' and get sensible defaults.


Thanks, this looks equivalent to me to what I did configure at the 
shell command line using ifconfig.

In fact, If I run netstart later, I too get no link... sleeping.

I start to think that there is a problem with the card's driver: if I 
leave the card in at boot time, the kernel will panic and drop into 
ddb. However if I insert later, as I did up to now, I don't


Riccardo




Hello, you are not alone with Ralink issues.
In my cases as AP:
# cat /etc/hostname.rum0(ral0)
inet 192.168.111.254 255.255.255.0 NONE -inet6 \
media autoselect mode 11g \
mediaopt hostap chan 1 nwid network \
wpakey xx
#wpa wpaprotos wpa2 wpaakms psk wpakey x
***
I'm happy with my first server with:
# uname -a
OpenBSD gw.dk 5.0 GENERIC.MP#59 i386

# dmesg | grep ral0
ral0 at pci1 dev 0 function 0 Ralink RT3090 rev 0x00: apic 2 int 16, address 00:12:0e:b1:6e:c7

ral0: MAC/BBP RT3071 (rev 0x0213), RF RT3020 (MIMO 1T1R)

But periodically dmesg and the messages log have the following error:
ral0: Michael MIC failure

And once every two or three weeks wi-fi stops serving clients, so once
per week I run a cron job with:
@weekly /bin/sh /etc/netstart ral0
*
Let's look at my second box:
# uname -a
OpenBSD gw.kh 5.2 GENERIC.MP#339 i386

# dmesg | grep rum0
rum0 at uhub2 port 3 Ralink 802.11 bg WLAN rev 2.00/0.01 addr 3
rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528, address 6c:62:6d:12:5d:59

Wi-fi doesn't work after configuration:
rum0: device timeout
***
And third one:
# uname -a
OpenBSD gw 5.2 GENERIC.MP#339 i386

# dmesg | grep ral0
ral0 at pci1 dev 0 function 0 Ralink RT2790 rev 0x00: apic 0 int 16, address 00:22:43:5d:6c:b1

ral0: MAC/BBP RT2872 (rev 0x0200), RF RT2720 (MIMO 1T2R)

# ifconfig ral0
ral0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500

lladdr 00:22:43:5d:6c:b1
priority: 4
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: active
ieee80211: nwid test chan 3 bssid 00:22:43:5d:6c:b1 wpakey 0x437fe128e9de20eedab446ea43a2b68a6b833c66bc62e13a2bef13b24ad7d5ed wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip

inet 192.168.55.254 netmask 0xff00 broadcast 192.168.55.255

# tail /var/log/daemon
Mar 25 12:51:00 gw dhcpd[22330]: DHCPDISCOVER from 00:17:9a:b0:19:db via ral0
Mar 25 12:51:00 gw dhcpd[22330]: DHCPOFFER on 192.168.55.18 to 00:17:9a:b0:19:db via ral0
Mar 25 12:51:08 gw dhcpd[22330]: DHCPDISCOVER from 00:17:9a:b0:19:db via ral0
Mar 25 12:51:08 gw dhcpd[22330]: DHCPOFFER on 192.168.55.18 to 00:17:9a:b0:19:db via ral0
Mar 25 12:51:08 gw dhcpd[22330]: DHCPREQUEST for 192.168.55.18 from 00:17:9a:b0:19:db via ral0
Mar 25 12:51:08 gw dhcpd[22330]: DHCPACK on 192.168.55.18 to 00:17:9a:b0:19:db via ral0


And it seems to work fine until you do something real;
for example, I try to copy a 10MB file to this server from a client
that is connected to it via wi-fi:
# scp ppo@192.168.55.18:/home/ppo/Downloads/gfibackup2009home.exe .
ppo@192.168.55.18's password:
gfibackup2009home.exe                         15% 1872KB   0.5KB/s - stalled -

^CKilled by signal 2.

Copying started at 100KB/sec and then slowed down, so I needed to
ctrl+c it.
The client PC sits in front of the server and shows a connection
speed of 54Mb/sec.


So in this case no error is present, but wi-fi didn't work as expected.
***
I've no idea how many mini-pci cards I should test to find one that
works without any issues.





This weird issue is killing me:
ral0: Michael MIC failure

It worked for about a year in Host AP mode with WPA PSK
and now it doesn't work even after
# sh /etc/netstart ral0

Only if I change hostname.ral0 to

inet 192.168.22.1 255.255.255.0 NONE -inet6 \
mediaopt hostap nwid ektos-tlv \
-wpakey

clients can connect and get an IP from dhcpd. If I change back to

inet 192.168.22.1 255.255.255.0 NONE -inet6 \
mediaopt hostap nwid ektos-tlv \
wpa wpaprotos wpa2 wpaakms psk wpakey PresharedKey

any client immediately reports that it is unable to connect.



Re: wireless ethernet (ralink) not working

2013-03-25 Thread lilit-aibolit

On 03/24/2013 12:13 AM, Riccardo Mottola wrote:

Hi,

On 03/23/13 20:13, Peter N. M. Hansteen wrote:

Riccardo Mottola riccardo.mott...@libero.it writes:


But i am connecting to a WEP protected network, not WPA.

typical hostname.if for a wep network:

media autoselect nwid wepnetwork nwkey secretasitgets
dhcp
rtsol

activates at boot, or if you do 'sudo sh /etc/netstart ifname'

for wpa, you would change 'nwkey' to 'wpakey' and get sensible defaults.

Thanks, this looks equivalent to me to what I did configure at the 
shell command line using ifconfig.

In fact, If I run netstart later, I too get no link... sleeping.

I start to think that there is a problem with the card's driver: if I 
leave the card in at boot time, the kernel will panic and drop into 
ddb. However if I insert later, as I did up to now, I don't


Riccardo




Hello, you are not alone with Ralink issues.
In my cases as AP:
# cat /etc/hostname.rum0(ral0)
inet 192.168.111.254 255.255.255.0 NONE -inet6 \
media autoselect mode 11g \
mediaopt hostap chan 1 nwid network \
wpakey xx
#wpa wpaprotos wpa2 wpaakms psk wpakey x
***
I'm happy with my first server with:
# uname -a
OpenBSD gw.dk 5.0 GENERIC.MP#59 i386

# dmesg | grep ral0
ral0 at pci1 dev 0 function 0 Ralink RT3090 rev 0x00: apic 2 int 16, address 00:12:0e:b1:6e:c7

ral0: MAC/BBP RT3071 (rev 0x0213), RF RT3020 (MIMO 1T1R)

But periodically dmesg and the messages log have the following error:
ral0: Michael MIC failure

And once every two or three weeks wi-fi stops serving clients, so once per
week I run a cron job with:
@weekly /bin/sh /etc/netstart ral0
*
Let's look at my second box:
# uname -a
OpenBSD gw.kh 5.2 GENERIC.MP#339 i386

# dmesg | grep rum0
rum0 at uhub2 port 3 Ralink 802.11 bg WLAN rev 2.00/0.01 addr 3
rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528, address 6c:62:6d:12:5d:59

Wi-fi doesn't work after configuration:
rum0: device timeout
***
And third one:
# uname -a
OpenBSD gw 5.2 GENERIC.MP#339 i386

# dmesg | grep ral0
ral0 at pci1 dev 0 function 0 Ralink RT2790 rev 0x00: apic 0 int 16, address 00:22:43:5d:6c:b1

ral0: MAC/BBP RT2872 (rev 0x0200), RF RT2720 (MIMO 1T2R)

# ifconfig ral0
ral0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:22:43:5d:6c:b1
priority: 4
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: active
ieee80211: nwid test chan 3 bssid 00:22:43:5d:6c:b1 wpakey 0x437fe128e9de20eedab446ea43a2b68a6b833c66bc62e13a2bef13b24ad7d5ed wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip

inet 192.168.55.254 netmask 0xff00 broadcast 192.168.55.255

# tail /var/log/daemon
Mar 25 12:51:00 gw dhcpd[22330]: DHCPDISCOVER from 00:17:9a:b0:19:db via ral0
Mar 25 12:51:00 gw dhcpd[22330]: DHCPOFFER on 192.168.55.18 to 00:17:9a:b0:19:db via ral0
Mar 25 12:51:08 gw dhcpd[22330]: DHCPDISCOVER from 00:17:9a:b0:19:db via ral0
Mar 25 12:51:08 gw dhcpd[22330]: DHCPOFFER on 192.168.55.18 to 00:17:9a:b0:19:db via ral0
Mar 25 12:51:08 gw dhcpd[22330]: DHCPREQUEST for 192.168.55.18 from 00:17:9a:b0:19:db via ral0
Mar 25 12:51:08 gw dhcpd[22330]: DHCPACK on 192.168.55.18 to 00:17:9a:b0:19:db via ral0


And it seems to work fine until you do something real;
for example, I try to copy a 10MB file to this server from a client
that is connected to it via wi-fi:
# scp ppo@192.168.55.18:/home/ppo/Downloads/gfibackup2009home.exe .
ppo@192.168.55.18's password:
gfibackup2009home.exe                         15% 1872KB   0.5KB/s - stalled -

^CKilled by signal 2.

Copying started at 100KB/sec and then slowed down, so I needed to
ctrl+c it.
The client PC sits in front of the server and shows a connection speed
of 54Mb/sec.


So in this case no error is present, but wi-fi didn't work as expected.
***
I've no idea how many mini-pci cards I should test to find one that
works without any issues.




Re: altq: upsteam and downstream

2013-03-07 Thread lilit-aibolit

On 03/04/2013 10:17 PM, Martin Pelikan wrote:

Hello. Thanks for your reply.
I need to guarantee bandwidth for selected hosts (abu, ali) and
pass all other traffic to bulk queue, but I have a lot of filter rules
and don't know how to do it. I have applied queues to some pass rules
and lost connection to Internet and to ssh (22555)

Follow notes inline, in the config.
My biggest advice (I've done the same mistake so many times myself) in
building a firewall ruleset is to go one step at a time.  Don't try to
write the whole ruleset all at once, then load it and expect it to work
right away.
The same applies to queueing.  Add two queues, default one big enough,
start using them both and observe systat queues 1.  If it worked, go
and add another one, and so forth.

If you've lost your connectivity to ssh, first find out which step in
the process did it.  pflog(4) is quite handy (match ... log ...).



table <tlv_qnap> { 192.168.2.200 }
table <tlk_proxmox> { 192.168.5.201 }
table <tlv_proxmox> { 192.168.2.201 }
table <tlv_mentor> { 192.168.2.205 }
table <tlv_bugzilla> { 192.168.2.206 }
table <macintosh> { 192.168.5.73 }
table <ogo> { 192.168.5.36 }
table <msn> { 192.168.5.44 }
table <sma> { 192.168.5.210 }
table <presentation> { 192.168.5.13 }

Actually, I believe creating tables for just one host can be wasteful of
resources (if you're planning to add hosts dynamically to them, then it
is okay).  pfctl(8) automatically creates tables when one rule appears
seven or more times but just with one address changed.  In cases of a
single host, macros are better, because the kernel sees directly that
one IP address and doesn't have to look it up in a table (which is a
different memory location that doesn't have to be present in CPU caches
and therefore consuming more CPU time).

But on 20 Mbit/s gateway CPU power shouldn't bother you.



table <private> { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
  127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
  172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
  192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }

One, you're missing 100.64/10, which is the new CGN private range.
Two, such a table would be better marked const, so you don't accidentally
add something unexpected to it.
Three, 128.0/16 has some allocated bits in it.  There are lots of books
suggesting people block martian IPv4 ranges (the valid ones being
0.0.0.0/8 and few others), but some of them have been allocated since
the books were released.
You may want to read http://tools.ietf.org/html/rfc5735 .



block quick proto tcp flags /S
block quick proto tcp flags A/A

I've seen people being told that playing with rules to various TCP flag
combinations usually leads to the firewall misbehaving and that pf(4) is
doing most of the sanity checks already by itself.  Are you sure you
really need these rules for anything in particular?
Did your internet connection work without them?



altq on $ext_if hfsc bandwidth $upstream queue { root_out }
queue root_out on $ext_if bandwidth 100% hfsc { ack, dns, manager, bulk }
queue dns on $ext_if priority 7 bandwidth 5% qlimit 500 hfsc (realtime 5%)
queue ack on $ext_if priority 6 bandwidth 10% qlimit 500 hfsc (realtime 10%)
queue manager on $ext_if priority 5 bandwidth 20% qlimit 500 hfsc (realtime 10% upperlimit 95%)
queue bulk on $ext_if priority 1 bandwidth 40% qlimit 500 hfsc (default, red realtime 20% upperlimit 95%)
altq on $int_if hfsc bandwidth $downstream queue { root_in }
queue root_in on $int_if bandwidth 100% hfsc { ack, dns, manager, bulk }
queue dns on $int_if priority 7 bandwidth 5% qlimit 500 hfsc (realtime 5%)
queue ack on $int_if priority 6 bandwidth 10% qlimit 500 hfsc (realtime 10%)
queue manager on $int_if priority 5 bandwidth 20% qlimit 500 hfsc (realtime 10% upperlimit 95%)
queue bulk on $int_if priority 1 bandwidth 40% qlimit 500 hfsc (default, red realtime 20% upperlimit 95%)

It occurs to me these two are exactly the same.  I think you can make it
a lot shorter by writing it at once, like so:

altq on $ext_if hfsc bandwidth $upstream queue { ack dns manager bulk }
altq on $int_if hfsc bandwidth $downstream queue { ack dns manager bulk }

queue ack bandwidth 10% qlimit 500 priority 6 hfsc(realtime 10%)
queue dns bandwidth 5% qlimit 500 priority 7 hfsc(realtime 5%)
queue manager bandwidth 20% qlimit 500 priority 5 hfsc(...)
...

And it will create two of each of them automatically (you can check
pfctl -vvsq if it matched your expectations).  You can always
differentiate them per interface if you want.  But keeping the file
minimal in size is good for readability after a time period when you
forget about what you did.  Also qlimit of 500 is a little too high
(I use 150 on 200+ Mbit/s 50kpps gateways and it is more than enough).



#in
pass in on $ext_if inet proto tcp from any to em1 port 22555

This alone should match every time you connect.  Also note the rule is
to em1 port 22555, which means you can only 

Re: em(4) watchdog timeouts on 5.0-release

2013-03-07 Thread lilit-aibolit

On 11/09/2011 10:27 PM, Jussi Peltola wrote:

You can ignore the clueless parts in my previous message :)

I can set up remote access to one of these machines if needed.

This made the ems work again:

--- if_em.c.origWed Nov  9 21:37:39 2011
+++ if_em.c Wed Nov  9 21:39:01 2011
@@ -331,6 +331,2 @@

-   /* Only use MSI on the newer PCIe parts */
-   if (sc-hw.mac_type  em_82571)
-   sc-osdep.em_pa.pa_flags= ~PCI_FLAGS_MSI_ENABLED;
-
 /* Parameters (to be read from user) */
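Review bot: removing the mac_type guard here only makes sense together with the second hunk, which drops the MSI mapping call entirely; applied on its own, this hunk would turn MSI on for exactly the pre-82571 parts the deleted comment ("Only use MSI on the newer PCIe parts") says to avoid, so the two hunks should not be split. Note also that the archived copy has lost the `->` and `<` operators on the comparison line, so the patch cannot be applied from this text as shown.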
@@ -1621,3 +1617,3 @@

-   if (pci_intr_map_msi(pa,ih)  pci_intr_map(pa,ih)) {
+   if (pci_intr_map(pa,ih)) {
 printf(: couldn't map interrupt\n);
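Review bot: replacing the `pci_intr_map_msi(pa, &ih) && pci_intr_map(pa, &ih)` fallback with a plain `pci_intr_map(pa, &ih)` disables MSI for every em(4) part, not only the ones that show watchdog timeouts (the dmesg further down shows the ICH8 IGP M AMT and 82573L both attaching with "msi"); a narrower version would keep the MSI attempt and skip it only for the affected mac types, and since the comment documenting the MSI policy was deleted in the previous hunk, a one-line comment here explaining why MSI is bypassed is needed. The `&&` and the string quotes on the printf line are also missing from the archived copy.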




I had no problem with this box until strange network behaviour occurred.
It comes and goes unexpectedly but causes trouble with accessing the network
behind em0.

# dmesg
OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM

real mem  = 1064431616 (1015MB)
avail mem = 1036947456 (988MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/12/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0x9f800 (28 entries)

bios0: vendor American Megatrends Inc. version 080014 date 08/12/2008
bios0: ICP / iEi KINO-9652
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB ASF! SSDT
acpi0: wakeup devices P0P2(S4) P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) HDAC(S4) USB4(S4) USB5(S4) USBE(S4) GBEC(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM

ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P2)
acpiprt2 at acpi0: bus 1 (P0P1)
acpiprt3 at acpi0: bus 2 (P0P4)
acpiprt4 at acpi0: bus 3 (P0P5)
acpiprt5 at acpi0: bus -1 (P0P6)
acpiprt6 at acpi0: bus -1 (P0P7)
acpiprt7 at acpi0: bus -1 (P0P8)
acpiprt8 at acpi0: bus -1 (P0P9)
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpibtn0 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
bios0: ROM list: 0xc/0xec00!
cpu0: Enhanced SpeedStep 1994 MHz: speeds: 2000, 1600, 1200 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel GME965 Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel GME965 Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0 at vga1: apic 2 int 16
drm0 at inteldrm0
Intel GME965 Video rev 0x03 at pci0 dev 2 function 1 not configured
Intel GME965 HECI rev 0x03 at pci0 dev 3 function 0 not configured
em0 at pci0 dev 25 function 0 Intel ICH8 IGP M AMT rev 0x04: msi, address 00:18:7d:1a:37:d6

uhci0 at pci0 dev 26 function 0 Intel 82801H USB rev 0x04: apic 2 int 16
uhci1 at pci0 dev 26 function 1 Intel 82801H USB rev 0x04: apic 2 int 21
ehci0 at pci0 dev 26 function 7 Intel 82801H USB rev 0x04: apic 2 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 Intel 82801H HD Audio rev 0x04: msi
azalia0: codecs: Realtek ALC883
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x04: apic 2 int 22
pci1 at ppb0 bus 2
ral0 at pci1 dev 0 function 0 Ralink RT3090 rev 0x00: apic 2 int 16, address 00:12:0e:b1:6e:c7

ral0: MAC/BBP RT3071 (rev 0x0213), RF RT3020 (MIMO 1T1R)
ppb1 at pci0 dev 28 function 1 Intel 82801H PCIE rev 0x04: apic 2 int 23
pci2 at ppb1 bus 3
em1 at pci2 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: msi, address 00:18:7d:1a:37:d8

uhci2 at pci0 dev 29 function 0 Intel 82801H USB rev 0x04: apic 2 int 23
uhci3 at pci0 dev 29 function 1 Intel 82801H USB rev 0x04: apic 2 int 19
uhci4 at pci0 dev 29 function 2 Intel 82801H USB rev 0x04: apic 2 int 18
ehci1 at pci0 dev 29 function 7 Intel 82801H USB rev 0x04: apic 2 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xf4
pci3 at ppb2 bus 1
pcib0 at pci0 dev 31 function 0 Intel 82801HEM LPC rev 0x04
pciide0 at pci0 dev 31 function 1 

Re: em(4) watchdog timeouts on 5.0-release

2013-03-07 Thread lilit-aibolit

On 03/07/2013 01:10 PM, mxb wrote:

What about 5.2? Same issues?

//mxb


I don't know.
This is remote host1 and it holds IPSec with another host2.
When the issue comes, the network behind host2 can't reach resources
behind host1.



altq: upsteam and downstream

2013-03-01 Thread lilit-aibolit

Hello misc, I'm a bit confused about such things.
I have a symmetrical channel to the Internet with 20 Mbits and
openbsd5.2 as gateway, with NAT.
Imagine I defined ALTQ on $ext_if and on $int_if.
Am I right that:
1) ALTQ on $ext_if will be applied for the upstream channel (i.e. upload speed
from the point of view of the client behind the NAT)?
2) ALTQ on $int_if will be applied for the download channel (i.e. download speed
from the point of view of the client behind the NAT)?
To put it more simply, take for example http://speedtest.net.
After the test I have two results: download and upload speed.
Is it true that if I apply a queue for myself in a filter rule, it will
work for both download and upload in the terms of speedtest.net, but only for
the upstream channel in the terms of ALTQ?
Or am I totally wrong? Because I read man, faq, calomel.org,
BANDWIDTH MANAGEMENT by Benjamin Heckmann, misc, etc
and still can't understand how upstream and downstream channel speed
correlate with ALTQ and upload and download speeds for clients behind NAT.



named not answer on external query

2013-01-17 Thread lilit-aibolit
This is weird trouble. Years ago I set up an authoritative server on openbsd
4.x and it just worked for both the local network and queries from the Internet.
But now it doesn't. I know this is my issue; please help me resolve it.
###named.conf###
// $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
acl tlk {
    192.168.5.0/24;
    192.168.55.0/24;
    192.168.66.0/24;
    192.168.99.0/24;
    127.0.0.1;
};
options {
    version "";    // remove this to allow version queries
    listen-on { 127.0.0.1; 192.168.5.254; 192.168.55.254; ext_if; };
    listen-on-v6 { none; };
    allow-transfer { none; };
    empty-zones-enable yes;
    //forward first;
    forwarders { provider's dns; };
    allow-recursion { tlk; };
    allow-query { any; };
};
view "allow-recursion" {
    match-clients { tlk; };
    //recursion yes;

    zone "." {
        type hint;
        file "etc/root.hint";
    };

    zone "localhost" {
        type master;
        file "standard/localhost";
        //allow-transfer { localhost; };
    };

    zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        //allow-transfer { localhost; };
    };

    zone "zone.1" {
        type master;
        file "/master/zone.1";
    };

    zone "zone.2" {
        type master;
        file "/master/zone.3";
    };

    zone "zone.4" {
        type master;
        file "/master/zone.4";
    };

    zone "168.192.in-addr.arpa" {
        type master;
        file "/master/168.192.in-addr.arpa";
    };

    include "/master/forbidden.conf";
};

view "deny-recursion" {
    recursion no;
    additional-from-cache no;
    additional-from-auth no;
    zone "zone.5" {
        type master;
        file "/master/zone.5";
    };
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "**";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
    channel security_channel {
        # Send log messages to the specified file
        file "log/security.log";
        # Log all messages
        severity debug;
        # Log the date and time of the message
        print-time yes;
        # Log the category of the message
        print-category yes;
        # Log the severity level of the message
        print-severity yes;
    };

    channel default {
        # Send logs to the 'local0' syslog facility
        syslog local0;
        # Log messages of severity 'info' or higher
        severity info;
        print-category yes;
        print-severity yes;
    };

    # Logs about approval and denial of requests
    category security {
        security_channel;
        default;
    };

    # Ignore logs about misconfigured remote servers
    category lame-servers { null; };

    # Default logging options
    category default { default; };
};

###zone.5###
; $OpenBSD: db.localhost,v 1.2 2005/02/07 06:08:10 david Exp $
$ORIGIN zone.5.
$TTL 24h
@       IN      SOA     ns1.zone.5. admin.zone.com. (
                        10      ; serial
                        1h      ; refresh
                        30m     ; retry
                        7d      ; expiration
                        1h )    ; minimum
        NS      ns1.zone.5.
        NS      ns2.zone.5.
@       IN      A       right.IP
www     IN      A       right.IP
ns1     IN      A       right.IP
ns2     IN      A       right.IP2


###pf.conf related rules###
pass in on $ext_if inet proto { tcp, udp } from any to em1 port domain
pass in on $int_if inet proto { udp, tcp } from lan to $int_if port { ntp, domain }

pass out on $ext_if inet proto udp from em1 to any

I see a number of external queries to my server, but don't see the answers:
# tcpdump -i em1 -p udp 'port domain'
09:28:23.152111 smtp.eurocom.su.19716 > my.server.domain: 59597 [1au] A? www.zone.5. (45)
09:28:24.136607 idbh.ru.47793 > my.server.domain: 26171% [1au] A? www.zone.5. (45)
09:28:26.942971 smtp.eurocom.su.44341 > my.server.domain: 615 A? www.zone.5. (34)
09:28:27.191067 smtp.eurocom.su.17302 > my.server.domain: 42979 [1au] A? www.zone.5. (45)
09:28:29.417383 smtp.eurocom.su.34958 > my.server.domain: 53565 A? www.zone.5. (34)
09:28:29.737934 idbh.ru.45564 > my.server.domain: 27837 A? www.zone.5. (34)

From local net:
user@pc.local:~$ nslookup
> zone.5
Server:         192.168.5.254
Address:        192.168.5.254#53
Non-authoritative answer:
Name:   zone.5
Address: right.IP
# tcpdump -i em0 -p udp 'port domain'
10:00:41.702484 pc.local.46571 > my.server.domain: 50830+ A? zone.5. (30)
10:00:41.702625 my.server.domain > pc.local.46571: 50830 1/2/0 A right.IP (82)
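An added helper, not from the thread, that pairs each DNS query in a tcpdump capture like the one above with its response by client address and transaction id, so unanswered external clients stand out next to the answered internal one; the sample lines are constructed after the post's tcpdump and pflog output, and a truncated pflog line is included to show that it is skipped rather than miscounted.

```python
import re
from collections import OrderedDict

# Constructed sample capture, modeled on the tcpdump/pflog lines quoted in the post:
# three external queries that get no reply, one truncated pflog line, and one
# internal query that is answered.
SAMPLE_CAPTURE = """\
09:28:23.152111 smtp.eurocom.su.19716 > my.server.domain: 59597 [1au] A? www.zone.5. (45)
09:28:24.136607 idbh.ru.47793 > my.server.domain: 26171% [1au] A? www.zone.5. (45)
09:28:26.942971 smtp.eurocom.su.44341 > my.server.domain: 615 A? www.zone.5. (34)
Jan 17 13:31:44.480883 rule 4/(match) match in on em1: 178.45.248.150.43780 > my.IP.53: 687[|domain]
10:00:41.702484 pc.local.46571 > my.server.domain: 50830+ A? zone.5. (30)
10:00:41.702625 my.server.domain > pc.local.46571: 50830 1/2/0 A right.IP (82)
"""

# One tcpdump DNS line: timestamp, "src > dst:", transaction id, optional flag
# characters (+ RD, % CD, $ AD, * AA, | TC, - RA not set), optional EDNS "[1au]"
# marker, then the rest of the decode.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): '
    r'(?P<id>\d+)(?P<flags>[+%$*|-]*)(?: \[1au\])? (?P<rest>.*)$'
)
# A query decodes as "TYPE? name (len)"; anything else after the id is a response.
QUERY_RE = re.compile(r'^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$')


def parse_line(line):
    """Return a dict for one tcpdump DNS line, or None for lines that do not
    match (pflog lines truncated to '[|domain]' carry no decode, so they are skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = QUERY_RE.match(m.group('rest'))
    return {
        'ts': m.group('ts'),
        'src': m.group('src'),          # host.port as tcpdump prints it
        'dst': m.group('dst'),
        'id': int(m.group('id')),
        'flags': m.group('flags'),
        'is_query': q is not None,
        'qname': q.group('qname') if q else None,
        'qtype': q.group('qtype') if q else None,
    }


def pair_queries(lines):
    """Match responses to queries by (client host.port, transaction id) and
    return the queries in capture order, each marked answered or not."""
    pending = OrderedDict()
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec['is_query']:
            # The query's source is the client; a response must go back to it
            # with the same transaction id.
            pending[(rec['src'], rec['id'])] = dict(rec, answered=False)
        else:
            key = (rec['dst'], rec['id'])
            if key in pending:
                pending[key]['answered'] = True
    return list(pending.values())


def unanswered_by_host(lines):
    """Count unanswered queries per client host (tcpdump's port suffix stripped)."""
    counts = {}
    for rec in pair_queries(lines):
        if rec['answered']:
            continue
        host = rec['src'].rsplit('.', 1)[0]
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == '__main__':
    lines = SAMPLE_CAPTURE.splitlines()
    for rec in pair_queries(lines):
        status = 'answered' if rec['answered'] else 'NO REPLY'
        print(f"{rec['ts']} {rec['src']:<24} id={rec['id']:<6} "
              f"{rec['qtype']}? {rec['qname']:<14} {status}")
    print('unanswered per host:', unanswered_by_host(lines))
```

Feed it the output of a capture on the external interface; a host that only ever shows up as unanswered while local clients are answered points at the view or firewall path for that source rather than at named itself.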




Re: named not answer on external query

2013-01-17 Thread lilit-aibolit

On 01/17/2013 11:27 AM, Vadim Zhukov wrote:


At first, find where the flow gets stopped: enable debug logging on 
resolver and add match log (matches) to port 53 rule as first one in 
your firewall. Then probably you'll see the problem yourself.


Oh, and please, if you get no packets seen problems, print all of 
your firewall rules. Always. Don't pretend that you know better - if 
it was so, why would you asking ever?



Incoming packets are still coming, but I see only my requests to the provider's DNS.
Should I see a reply from my server to the request from the Internet?

Jan 17 13:31:44.480883 rule 4/(match) match in on em1: 178.45.248.150.43780 > my.IP.53: 687[|domain]
Jan 17 13:33:25.076188 rule 4/(match) match in on em1: 212.14.176.40.33699 > my.IP.53: 61511[|domain] (DF)
Jan 17 13:33:25.080570 rule 4/(match) match in on em1: 212.14.176.40.19055 > my.ip.53: 3658[|domain]
Jan 17 13:33:26.216774 rule 4/(match) match out on em1: my.ip.9342 > 194.106.219.12.53: 10130+% [1au][|domain]
Jan 17 13:33:26.721533 rule 4/(match) match out on em1: my.ip.42595 > 194.106.219.10.53: 21720+% [1au][|domain]



###pf.conf###
#$OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if = em1
wifi_if = rum0
int_if = em0

portstuff = { smtps, 5190, submission, pop3, pop3s, imap, imaps, www, https, 1863, 1935, 3389, 5222, 5900, 8200 }
portstuffwww = { smtps, 445, 5190, submission, pop3, pop3s, imap, imaps, www, https, 1863, 1935, 3389, 5222, 9100 }


table <firewall> const { self }
table <tlv_lan> { 192.168.2.0/24 }
table <tlv_wifi> { 192.168.22.0/24 }
table <tlk_lan> { 192.168.5.0/24 }
table <tlk_wifi> { 192.168.55.0/24 }
table <tlv_gw> { x.x.x.x }
table <admin> { 192.168.5.1, 192.168.5.61 }
table <dns> { 194.106.219.10, 194.106.219.12 }
table <tlv_vpn> { 192.168.88.0/24 }
table <tlk_vpn> { 192.168.99.0/24 }
table <pptp_vpn> { 192.168.66.0/24 }
#table <adminvpn> { 192.168.14.115, 192.168.14.113 }
table <rm> { 192.168.5.250 }
table <tlv_rm> { 192.168.2.250 }
table <mysql> { 192.168.5.248 }
table <tlv_mysql> { 192.168.2.248 }
table <tlk_scm> { 192.168.5.251 }
table <tw> { 192.168.2.247 }
table <lic> { 192.168.5.246 }
table <ogo> { 192.168.5.36 }
table <macintosh> { 192.168.5.73 }
table <scm> { 192.168.5.251 }
table <tlv_scm> { 192.168.2.251 }
table <psu> { 192.168.5.17, 192.168.5.50 }
table <tlk_qnap> { 192.168.5.200 }
table <tlv_qnap> { 192.168.2.200 }
table <proxmox> { 192.168.5.201 }
table <bugzilla> { 192.168.2.206 }
table <agcoclient> { 192.168.5.15, 192.168.5.32, 192.168.5.34, \
    192.168.5.35, 192.168.5.41, 192.168.5.42, 192.168.5.49, 192.168.5.72 }

table <agco> { x.x.x.x }
table <private> { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
    127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
    172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
    192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table <bruteforce> persist
#table <advertisement> file "/etc/advertisement"
table <spamd-white> persist
table <spamd> persist
#table <spamd-bypass> file "/etc/mail/spamd.bypass"
#table <spamd-black> file "/etc/mail/spamd.black"

set skip on { lo, enc0 }
set loginterface em1
set timeout { frag 20, tcp.established 3600 }
set block-policy return

antispoof quick for { em1 }

match in all scrub (no-df)

anchor "ftp-proxy/*"
match log on $ext_if inet proto udp to port 53
#nat
match out on $ext_if inet proto tcp from { <tlk_lan>, <tlk_wifi>, <pptp_vpn> } to any nat-to em1
match out on $ext_if inet proto udp from { <tlk_lan>, <tlk_wifi> } to <agco> nat-to em1

match out on $ext_if inet from <admin> to any nat-to em1

#rdr
match in on $ext_if inet proto tcp from any to em1 port { www, https } rdr-to <rm>
match in on $ext_if inet proto tcp from any to em1 port 3690 rdr-to <scm> port www
match in on $ext_if inet proto tcp from any to em1 port 16881 rdr-to 192.168.5.1
match in on $ext_if inet proto udp from any to em1 port 27015 rdr-to 192.168.5.244
match in on $ext_if inet proto tcp from any to em1 port 8080 rdr-to 192.168.5.244 port www


#block in quick on $int_if from any to <advertisement>
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on $ext_if from { <bruteforce>, <private>, <spamd-black> } to any

block out quick on $ext_if from any to <private>
#block in quick on $int_if inet proto tcp from { !<twmail>, !<twtest> } to any port smtp

block all

#in
pass in on $ext_if inet proto tcp from any to em1 port 22555
pass in on $ext_if proto esp from <tlv_gw> to em1
pass in on $ext_if proto gre from any to em1
pass in on $ext_if inet proto tcp from any to em1 port pptp modulate state
pass in on $ext_if inet proto udp from any to em1 port 1194
pass in on $ext_if inet proto tcp from any to <rm> port { www, https } synproxy state

pass in on $ext_if 

Re: named not answer on external query

2013-01-17 Thread lilit-aibolit

On 01/17/2013 04:05 PM, Michael Lambert wrote:

On 17 Jan 2013, at 06:44, lilit-aibolit wrote:


On 01/17/2013 11:27 AM, Vadim Zhukov wrote:

At first, find where the flow gets stopped: enable debug logging on resolver and add 
match log (matches) to port 53 rule as first one in your firewall. Then 
probably you'll see the problem yourself.

match log on $ext_if inet proto udp to port 53

Don't you want:

match log on $ext_if inet proto {tcp, udp} to port 53

Michael




Done, but this didn't help me.
I also see incoming requests from the Internet and requests from my server to
the provider's DNS forwarders.

I'm sure that named running on all my interfaces:
# netstat -na | grep .53
tcp        0      0  ext.ip.53              *.*                    LISTEN
tcp        0      0  127.0.0.1.953          *.*                    LISTEN
tcp        0      0  192.168.55.254.53      *.*                    LISTEN
tcp        0      0  192.168.5.254.53       *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
udp        0      0  ext.ip.53              *.*
udp        0      0  192.168.55.254.53      *.*
udp        0      0  192.168.5.254.53       *.*
udp        0      0  127.0.0.1.53           *.*
# fstat | grep internet | grep named
named    named      21647   20* internet stream tcp 0xd89db198 127.0.0.1:53
named    named      21647   21* internet stream tcp 0xd89db000 192.168.5.254:53
named    named      21647   22* internet stream tcp 0xd89db330 192.168.55.254:53
named    named      21647   23* internet stream tcp 0xd89db4c8 127.0.0.1:953
named    named      21647   25* internet stream tcp 0xd88a17fc ext.ip:53
named    named      21647  512* internet dgram udp 127.0.0.1:53
named    named      21647  513* internet dgram udp 192.168.5.254:53
named    named      21647  514* internet dgram udp 192.168.55.254:53
named    named      21647  515* internet dgram udp *:13169
named    named      21647  516* internet dgram udp ext.ip:53



Re: tftp - no route to host

2013-01-10 Thread lilit-aibolit

On 05/01/2011 10:13 AM, Henning Brauer wrote:

* Emille Blancsar...@sarlok.com  [2011-04-30 19:56]:

since TFTP uses UDP, pf won't create a state

wrong.


Hello, I'm stuck again with no route to host
# uname -a
OpenBSD gw 5.2 GENERIC.MP#339 i386
# ls -la /usr/tftpboot/
total 12728
drwxrwxrwx   2 root  wheel      512 Jan 10 15:36 .
drwxr-xr-x  18 root  wheel      512 Jan 10 14:48 ..
-rwxrwxrwx   1 root  wheel        3 Jan 10 15:35 1.txt
-rwxrwxrwx   1 root  wheel  6427696 Feb 13  2012 bsd.rd
-rwxrwxrwx   1 root  wheel    53732 Feb 13  2012 pxeboot
# pfctl -sr | grep 69
pass in quick on em0 inet proto udp from any to any port = 69
pass out quick on em0 inet proto udp from any to any port = 69

from localhost:
# tftp
tftp> connect 192.168.5.254
tftp> get 1.txt
Received 3 bytes in 0.0 seconds
tftp> get pxeboot
Received 54044 bytes in 0.0 seconds
tftp> quit
# ls -la | grep 1.txt
-rw-r--r--   1 root  wheel      3 Jan 10 17:14 1.txt
# ls -la | grep pxeboot
-rw-r--r--   1 root  wheel  53732 Jan 10 17:14 pxeboot

from remote PC:
admin:~/Downloads$ tftp
tftp> connect gw
tftp> status
Connected to gw.
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> mode binary
tftp> status
Connected to gw.
Mode: octet Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get 1.txt
^C
tftp>

on tftpd host:
# ping 192.168.5.1
PING 192.168.5.1 (192.168.5.1): 56 data bytes
64 bytes from 192.168.5.1: icmp_seq=0 ttl=64 time=0.524 ms
...
# tftpd -4dv -l 192.168.5.254 /usr/tftpboot
tftpd: 192.168.5.254: read request for '1.txt'   # can get files 
locally

tftpd: 192.168.5.254: read request for 'pxeboot' # can get files locally
tftpd: 192.168.5.1: read request for '1.txt'   # can get 
files remotely

tftpd: send(block): No route to host
tftpd: 192.168.5.1: read request for '1.txt'
tftpd: send(block): No route to host
tftpd: 192.168.5.1: read request for '1.txt'
tftpd: send(block): No route to host
# tcpdump -i em0 -p udp 'port 69'
tcpdump: listening on em0, link-type EN10MB
17:21:38.462907 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
17:21:43.462961 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
17:21:48.463020 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
^C
8554 packets received by filter
0 packets dropped by kernel
# fstat | grep internet | grep tftpd
_tftpd   tftpd      18160    3* internet dgram udp 192.168.5.254:69



Re: tftp - no route to host (Solved)

2013-01-10 Thread lilit-aibolit

On 01/10/2013 05:24 PM, lilit-aibolit wrote:

On 05/01/2011 10:13 AM, Henning Brauer wrote:

* Emille Blanc <sar...@sarlok.com> [2011-04-30 19:56]:

since TFTP uses UDP, pf won't create a state

wrong.


Hello, I'm stuck again with no route to host
# uname -a
OpenBSD gw 5.2 GENERIC.MP#339 i386
# ls -la /usr/tftpboot/
total 12728
drwxrwxrwx   2 root  wheel  512 Jan 10 15:36 .
drwxr-xr-x  18 root  wheel  512 Jan 10 14:48 ..
-rwxrwxrwx   1 root  wheel3 Jan 10 15:35 1.txt
-rwxrwxrwx   1 root  wheel  6427696 Feb 13  2012 bsd.rd
-rwxrwxrwx   1 root  wheel53732 Feb 13  2012 pxeboot
# pfctl -sr | grep 69
pass in quick on em0 inet proto udp from any to any port = 69
pass out quick on em0 inet proto udp from any to any port = 69

from localhost:
# tftp
tftp> connect 192.168.5.254
tftp> get 1.txt
Received 3 bytes in 0.0 seconds
tftp> get pxeboot
Received 54044 bytes in 0.0 seconds
tftp> quit
# ls -la | grep 1.txt
-rw-r--r--   1 root  wheel3 Jan 10 17:14 1.txt
# ls -la | grep pxeboot
-rw-r--r--   1 root  wheel53732 Jan 10 17:14 pxeboot

from remote PC:
admin:~/Downloads$ tftp
tftp> connect gw
tftp> status
Connected to gw.
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> mode binary
tftp> status
Connected to gw.
Mode: octet Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get 1.txt
^C
tftp>

on tftpd host:
# ping 192.168.5.1
PING 192.168.5.1 (192.168.5.1): 56 data bytes
64 bytes from 192.168.5.1: icmp_seq=0 ttl=64 time=0.524 ms
...
# tftpd -4dv -l 192.168.5.254 /usr/tftpboot
tftpd: 192.168.5.254: read request for '1.txt'   # can get files locally
tftpd: 192.168.5.254: read request for 'pxeboot' # can get files locally
tftpd: 192.168.5.1: read request for '1.txt'     # can get files remotely
tftpd: send(block): No route to host
tftpd: 192.168.5.1: read request for '1.txt'
tftpd: send(block): No route to host
tftpd: 192.168.5.1: read request for '1.txt'
tftpd: send(block): No route to host
# tcpdump -i em0 -p udp 'port 69'
tcpdump: listening on em0, link-type EN10MB
17:21:38.462907 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
17:21:43.462961 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
17:21:48.463020 admin.40154 > gw.tftp: 14 RRQ "1.txt" (DF)
^C
8554 packets received by filter
0 packets dropped by kernel
# fstat | grep internet | grep tftpd
_tftpd   tftpd      18160    3* internet dgram udp 192.168.5.254:69




I fixed this by changing
pass out quick on em0 inet proto udp from any to any port = 69
to
pass out quick on em0 inet proto udp from $int_if to $local_net
Is this right? Maybe I don't want to allow all udp traffic from my gateway.

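As an added example, not part of the thread, here is a tighter pair of rules for the tftp case above, with the reason the original "port = 69" out rule could never work. A client sends the RRQ to UDP port 69, but tftpd answers from a freshly bound high port to the client's high port, so no packet of the reply carries port 69 and the out rule never matches it; the ruleset's block then rejects a packet a local socket is sending, and the kernel hands tftpd's send() EHOSTUNREACH, which is exactly the "No route to host" in the tftpd log. Instead of opening all UDP from the gateway, the out rule below keys on the owner of the sending socket: `user _tftpd` is the unprivileged user the posted fstat shows owning the tftpd socket (the assumption here is that tftpd's reply sockets are owned by that user too). `$int_if`, `$local_net` and `em0` are taken from the posted rules.

```pf
# Added example (not from the thread). Macros and interface follow the
# posted rules; the _tftpd owner match is an assumption, see the lead-in.
int_if    = "em0"
local_net = "192.168.5.0/24"

# Requests: client high port -> gateway port 69.
pass in  quick on $int_if inet proto udp from $local_net to ($int_if) port tftp

# Replies: tftpd picks a new high port as its source and talks to the client's
# high port, so no port number is usable here.  Match by socket owner and
# destination instead: only UDP sent by the _tftpd user, only to the LAN.
pass out quick on $int_if inet proto udp from ($int_if) to $local_net user _tftpd

# For comparison, the rule the thread started with.  It never matches a
# reply, so the reply fell through to the block rule and tftpd saw
# "send(block): No route to host".
# pass out quick on $int_if inet proto udp from any to any port = 69
```

To confirm which rule a reply hits, fetch a file from a LAN client while watching `tcpdump -n -e -ttt -i pflog0 udp` (the block rule has to carry `log` for that) and compare against `pfctl -vsr`; if the reply is still blocked with the `user _tftpd` rule in place, the data socket on your release is not owned by `_tftpd` and you should drop the `user` clause and keep only the destination restriction.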


how to save /home during reinstall

2012-12-27 Thread lilit-aibolit

Hello misc.
I have a /home on the old system and I want
to install a new one from scratch.
But I need to save all data in /home without
moving it out of the box.
As I understand it I need to stop at this point:

Use (W)hole disk or (E)dit the MBR? [whole]

and select Edit instead of Whole (which erases all data).
But I don't understand what I should do next.



Re: how to save /home during reinstall

2012-12-27 Thread lilit-aibolit

On 12/27/2012 12:29 PM, Wesley wrote:

On 2012-12-27 14:15, lilit-aibolit wrote:

Hello misc.
I have a /home on the old system and I want
to install a new one from scratch.
But I need to save all data in /home without
moving it out of the box.
As I understand it I need to stop at this point:

Use (W)hole disk or (E)dit the MBR? [whole]

and select Edit instead of Whole (which erases all data).
But I don't understand what I should do next.

At this prompt, hit Ctrl+C or ! and
Why don't you mount a second disk and backup /home to
this one? just before fdisk part.

Cheers,
Wesley


.


For example I don't have physical access or a second disk.
Or I have a situation where I need to roll back to the previous
5.1 system version and then probably to 5.0 due to

Dec 11 14:13:38 gw /bsd: rum0: device timeout
Dec 11 14:13:39 gw /bsd: rum0: could not transmit buffer: TIMEOUT

In 5.0 I had no problem with rum0 in AP mode, but in 5.2 I have.
And I don't want to back up/copy data from /home on every reinstall.



Re: how to save /home during reinstall

2012-12-27 Thread lilit-aibolit

On 12/27/2012 02:24 PM, Nick Holland wrote:

On 12/27/12 05:57, lilit-aibolit wrote:

On 12/27/2012 12:29 PM, Wesley wrote:

On 2012-12-27 14:15, lilit-aibolit wrote:

Hello misc.
I have a /home on the old system and I want
to install a new one from scratch.
But I need to save all data in /home without
moving it out of the box.
As I understand it I need to stop at this point:

Use (W)hole disk or (E)dit the MBR? [whole]

and select Edit instead of Whole (which erases all data).
But I don't understand what I should do next.
At this prompt, hit Ctrl+C or ! and
Why don't you mount a second disk and backup /home to
this one? just before fdisk part.

Cheers,
Wesley


.


For example I don't have physical access or a second disk.
Or I have a situation where I need to roll back to the previous
5.1 system version and then probably to 5.0 due to

Dec 11 14:13:38 gw /bsd: rum0: device timeout
Dec 11 14:13:39 gw /bsd: rum0: could not transmit buffer: TIMEOUT

In 5.0 I had no problem with rum0 in AP mode, but in 5.2 I have.

well...  you need to get a bug report in; I see no bug reports on rum
issues in over a year.  That's the real problem here.  Reverting is not
a good answer here.


As for your question...

Before reinstalling, make note of where all your partitions are mounted
currently.

For a reinstall, the fdisk prompt will include Existing OpenBSD
partition or something along those lines...you will chose that (the
default).

After that, you will be brought to the disklabel options -- you want to
chose CUSTOM Layout.  Define a mount point for all partitions you wish
to reformat, do NOT define mount points for the /home partition or any
others you wish to retain.  You aren't marking don't reformat
partitions, you need to mark where all partitions will be mounted,
leaving out the ones you wish to retain.

After you complete your install, edit your /etc/fstab to point to your
old /home partition, mount it (I'd suggest a reboot), done.

btw: you will want to practice this locally on a test system first.

Nick.




Thanks for the reply Nick, I just did it:
1) select OpenBSD area
2) select custom
3) delete and create all partitions except /home
4) reboot
5) edit /etc/fstab and add a line for my /home
and it works!

You may find my letter about rum0 with
subject "rum0: device timeout" from 12/11/2012 03:15 PM
I'll look into how to create a bug report, but how can I be sure
that it's not my issue?

I just reverted to 5.1 and it seems to work much more stably:
I can start several pings over wireless and sit in ssh via wifi without lags.



rum0: device timeout

2012-12-11 Thread lilit-aibolit

The network is visible but not working, or temporarily working after a reboot.

# tail /var/log/messages
Dec 11 10:00:01 gw syslogd: restart
Dec 11 12:00:01 gw syslogd: restart
Dec 11 14:00:01 gw syslogd: restart
Dec 11 14:13:38 gw /bsd: rum0: device timeout
Dec 11 14:13:39 gw /bsd: rum0: could not transmit buffer: TIMEOUT
Dec 11 14:28:15 gw /bsd: ehci_idone: ex=0xd2e67600 is done!
Dec 11 14:28:15 gw /bsd: ehci_idone: ex=0xd2e67700 is done!
Dec 11 14:38:37 gw /bsd: rum0: could not transmit buffer: TIMEOUT
Dec 11 14:38:39 gw /bsd: rum0: device timeout
Dec 11 15:00:01 gw syslogd: restart

# cat /etc/hostname.rum0
inet 192.168.55.254 255.255.255.0 NONE -inet6 media autoselect mode 11g \
mediaopt hostap chan 8 nwid name \
wpa wpaprotos wpa2 wpaakms psk wpakey 1234qwerty

# dmesg
OpenBSD 5.2 (GENERIC.MP) #339: Wed Aug  1 10:13:24 MDT 2012
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Celeron(R) CPU P4500 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,POPCNT,LAHF
real mem  = 2003451904 (1910MB)
avail mem = 1959845888 (1869MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/27/09, SMBIOS rev. 2.6 @ 0xeb0c0 (24 entries)
bios0: vendor American Megatrends Inc. version 4.6.3 date 01/06/2011
bios0: ICP / iEi B186
acpi0 at bios0: rev 3
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC SSDT MCFG HPET
acpi0: wakeup devices P0P1(S1) PEGP(S4) P0P2(S1) P0P3(S1) P0P4(S1) P0P5(S1) PS2K(S1) PS2M(S1) BR20(S1) EUSB(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S4) USB4(S1) USB5(S1) USB6(S1) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) PEX5(S4) PEX6(S4) LAN2(S1) PEX7(S4) SLPB(S0) PWRB(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Celeron(R) CPU P4500 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,POPCNT,LAHF
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (BR20)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus -1 (PEX1)
acpiprt4 at acpi0: bus -1 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus 2 (PEX4)
acpiprt7 at acpi0: bus 3 (PEX5)
acpiprt8 at acpi0: bus -1 (PEX6)
acpiprt9 at acpi0: bus -1 (PEX7)
acpicpu0 at acpi0: C1, PSS
acpicpu1 at acpi0: C1, PSS
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
bios0: ROM list: 0xc/0xfa00! 0xd/0x1000
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 1867 MHz: speeds: 1862, 1729, 1596, 1463, 1330, 1197, 1064, 931 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel Core Host rev 0x12
vga1 at pci0 dev 2 function 0 Intel HD Graphics rev 0x12
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xc000, size 0x1000
inteldrm0 at vga1: apic 0 int 16
drm0 at inteldrm0
Intel 3400 MEI rev 0x06 at pci0 dev 22 function 0 not configured
ehci0 at pci0 dev 26 function 0 Intel 3400 USB rev 0x06: apic 0 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 28 function 0 Intel 3400 PCIE rev 0x06: apic 0 int 17
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 Intel 3400 PCIE rev 0x06: apic 0 int 17
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), apic 0 int 16, address 00:18:7d:2a:f1:1c
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 4
ppb2 at pci0 dev 28 function 5 Intel 3400 PCIE rev 0x06: apic 0 int 16
pci3 at ppb2 bus 3
re1 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), apic 0 int 17, address 00:18:7d:2a:f1:1d
rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 4
ehci1 at pci0 dev 29 function 0 Intel 3400 USB rev 0x06: apic 0 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xa6
pci4 at ppb3 bus 4
pcib0 at pci0 dev 31 function 0 Intel HM55 LPC rev 0x06
ahci0 at pci0 dev 31 function 2 Intel 3400 AHCI rev 0x06: msi, AHCI 1.3
scsibus0 at ahci0: 32 targets
cd0 at scsibus0 targ 4 lun 0: <Optiarc, DVD RW AD-7760H, 1.00> ATAPI 5/cdrom removable
sd0 at scsibus0 targ 5 lun 0: <ATA, WDC WD800HLFS-75, 04.0> SCSI3 0/direct fixed naa.50014ee00231af66
sd0: 76293MB, 512 bytes/sector, 15625 

what's wrong with /etc/netstart rum0 on 5.2

2012-12-05 Thread lilit-aibolit

There is no problem with executing on 5.0

# sh /etc/netstart rum0

But when I change the wpa key in my /etc/hostname.rum0 on 5.2

inet 192.168.55.254 255.255.255.0 NONE -inet6 media autoselect mode 11g \
mediaopt hostap chan 8 nwid namewifi \
wpa wpaprotos wpa2 wpaakms psk wpakey xx

and execute /etc/netstart rum0 - it doesn't work. The command doesn't release the session

and I need to close and open ssh again and see in ps -ax:

15401 p0- D   0:00.08 ifconfig rum0 inet 192.168.55.254 netmask 255.255.255.0 -inet6 media autoselect mo


# ifconfig rum0
rum0: flags=28803<UP,BROADCAST,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:24:21:8b:7b:aa
priority: 4
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: no network
ieee80211: nwid namewifi chan 8 bssid 00:24:21:8b:7b:aa wpakey somehashhere wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm


What should I do to apply the new wpa key? /etc/netstart also doesn't help;
a second instance of ifconfig shows up in ps -ax.



restart relayd with new config

2012-11-28 Thread lilit-aibolit

Scenario: I'm using relayd as a transparent proxy
and block some sites during work time, so I have two configs:

# cat /etc/relayd.conf
prefork 5
http protocol httpfilter {
tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
return error
request header filter *youtube.com* from Host

header change Connection to close
}
relay httpproxy {
listen on 127.0.0.1 port 8080
protocol httpfilter
forward to destination
}
# cat /etc/relaydfree.conf
prefork 5
http protocol httpfilter {
tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
}
relay httpproxy {
listen on 127.0.0.1 port 8080
protocol httpfilter
forward to destination
}

Executing relayd -f /newconfig at the specified time does not have the same
result as, for example, pfctl -f /newconfig.

A new set of relayd processes is started instead of applying the new config.

I've added this to cron:
0   9   *   *   1-5 /usr/bin/pkill relayd && sleep 3 && /usr/sbin/relayd -f /etc/relayd.conf
0   12  *   *   1-5 /usr/bin/pkill relayd && sleep 3 && /usr/sbin/relayd -f /etc/relaydfree.conf
0   13  *   *   1-5 /usr/bin/pkill relayd && sleep 3 && /usr/sbin/relayd -f /etc/relayd.conf
0   18  *   *   1-5 /usr/bin/pkill relayd && sleep 3 && /usr/sbin/relayd -f /etc/relaydfree.conf


But unfortunately this causes trouble because pkill can't shut down all
relayd instances.
relayctl stop and kill -15 `pgrep relayd` also don't work and have the
same result:


# ps -aux | grep relayd
_relayd  30639 99.0  0.3  6960  5192 ??  R/1   1:00PM   10:09.65 relayd: relay (relayd)
_relayd  25093 50.1  0.3  7200  5568 ??  R/0   1:00PM   26:29.77 relayd: relay (relayd)
_relayd   4696 49.0  0.3  6936  5432 ??  R/0   1:00PM   48:01.41 relayd: relay (relayd)
root     18847  0.0  0.1  1236  1876 ??  Is    1:00PM    0:00.01 relayd: parent (relayd)
_relayd   1306  0.0  0.1   808  1648 ??  I     1:00PM    0:00.00 relayd: hce (relayd)
_relayd   4036  0.0  0.3  7176  5596 ??  S     1:00PM    0:02.17 relayd: relay (relayd)
_relayd  32523  0.0  0.1  2280  2552 ??  S     1:00PM    0:00.21 relayd: relay (relayd)
_relayd    636  0.0  0.1  1132  2020 ??  S     1:00PM    0:00.01 relayd: pfe (relayd)
root     29834  0.0  0.0   876     4 p0  R+/1  3:29PM    0:00.00 grep relayd (ksh)

# kill -15 `pgrep relayd`
# ps ax | grep relayd
30639 ??  R/0   12:32.21 relayd: relay (relayd)
 4696 ??  R/0   49:31.75 relayd: relay (relayd)
25093 ??  R/1   27:54.53 relayd: relay (relayd)

Is there a way to avoid using:

kill -9 `pgrep relayd` && relayd -f /newconfig

or is it normal to use kill -9 for relayd?



Re: restart relayd with new config

2012-11-28 Thread lilit-aibolit

On 11/29/2012 01:04 AM, Sebastian Benoit wrote:

lilit-aibolit(lilit-aibo...@mail.ru) on 2012.11.28 15:58:42 +0200:

Scenario: I'm using relayd as a transparent proxy
and block some sites during work time, so I have two configs:

# cat /etc/relayd.conf
prefork 5
http protocol httpfilter {
 tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
 return error
 request header filter *youtube.com* from Host
 
 header change Connection to close
}
relay httpproxy {
 listen on 127.0.0.1 port 8080
 protocol httpfilter
 forward to destination
}
# cat /etc/relaydfree.conf
prefork 5
http protocol httpfilter {
 tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
}
relay httpproxy {
 listen on 127.0.0.1 port 8080
 protocol httpfilter
 forward to destination
}


You are starting relayd a second time here, you are not reloading the
configuration:


Executing relayd -f /newconfig at the specified time does not have the same
result as, for example, pfctl -f /newconfig.

Use 'relayctl reload'.

/Benno



Good. I have two configs. And at the specified time I need to *reload* to a
new config file, not reload the same config file.
How does 'relayctl reload' help me?



Re: low signal strength hostap (Solved)

2012-11-05 Thread lilit-aibolit

On 11/04/2012 08:33 PM, Mihai Popescu wrote:

Hello there,

You need to post full dmesg and configuration files for wireless
letting out the sensitive data like wpakey or passwords, maybe domain
names too. This way you might get some help, because nobody likes to
guess what you have there.
Just curious, what is that kind of hardware you posted on the web, is
it an alix board?

Thanks.


.


It's not an OpenBSD issue.
The low signal was due to a weak contact in the area labelled in red:
http://i.piccy.info/i7/37594bb9588bf4f5da19327a4419f1ca/4-48-188/36478797/SAM_5902.jpg
After some hand-made tweaks with the means available the problem was solved.
This is not an ALIX board.

# dmesg
OpenBSD 5.1 (GENERIC.MP) #188: Sun Feb 12 09:55:11 MST 2012
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Celeron(R) CPU P4500 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,POPCNT,LAHF
real mem  = 2003460096 (1910MB)
avail mem = 1960562688 (1869MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/27/09, SMBIOS rev. 2.6 @ 0xeb140 (26 entries)
bios0: vendor American Megatrends Inc. version 4.6.3 date 05/07/2010
bios0: ICP / iEi B158
acpi0 at bios0: rev 3
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC SSDT MCFG HPET ASF!
acpi0: wakeup devices P0P1(S1) PEGP(S4) P0P2(S1) P0P3(S1) P0P4(S1) P0P5(S1) PS2K(S1) PS2M(S1) BR20(S1) EUSB(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S4) USB4(S1) USB5(S1) USB6(S1) PEX0(S1) PEX1(S1) PEX2(S1) PEX3(S1) PEX4(S1) PEX5(S1) PEX6(S1) LAN2(S1) PEX7(S1) GBE_(S4) SLPB(S0) PWRB(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Celeron(R) CPU P4500 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,POPCNT,LAHF
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (BR20)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus -1 (PEX1)
acpiprt4 at acpi0: bus -1 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus -1 (PEX4)
acpiprt7 at acpi0: bus -1 (PEX5)
acpiprt8 at acpi0: bus 2 (PEX6)
acpiprt9 at acpi0: bus -1 (PEX7)
acpicpu0 at acpi0: C1, PSS
acpicpu1 at acpi0: C1, PSS
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
bios0: ROM list: 0xc/0xfa00! 0xd/0x1000
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 1867 MHz: speeds: 1862, 1729, 1596, 1463, 1330, 1197, 1064, 931 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel Core Host rev 0x12
vga1 at pci0 dev 2 function 0 Intel Mobile HD graphics rev 0x12
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0 at vga1: apic 0 int 16
drm0 at inteldrm0
Intel 3400 MEI rev 0x06 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel 82577LM" rev 0x06: msi, address 00:18:7d:0e:f5:34
ehci0 at pci0 dev 26 function 0 Intel 3400 USB rev 0x06: apic 0 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 28 function 0 Intel 3400 PCIE rev 0x06: apic 0 int 17
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 6 Intel 3400 PCIE rev 0x06: apic 0 int 18
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi, address 00:18:7d:0e:f5:33
ehci1 at pci0 dev 29 function 0 Intel 3400 USB rev 0x06: apic 0 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xa6
pci3 at ppb2 bus 3
pcib0 at pci0 dev 31 function 0 Intel QM57 LPC rev 0x06
ahci0 at pci0 dev 31 function 2 Intel 3400 AHCI rev 0x06: msi, AHCI 1.3
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 1 lun 0: <ATA, WDC WD800HLFS-75, 04.0> SCSI3 0/direct fixed naa.50014ee0ab8b7ce0
sd0: 76293MB, 512 bytes/sector, 15625 sectors
cd0 at scsibus0 targ 5 lun 0: <Optiarc, DVD RW AD-7710H, 1.01> ATAPI 5/cdrom removable
ichiic0 at pci0 dev 31 function 3 Intel 3400 SMBus rev 0x06: apic 0 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-8500 SO-DIMM
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 15 bytes
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com1: 

low signal strength hostap

2012-11-02 Thread lilit-aibolit

Description: I have two identical boxes with integrated wlan.
One of them has a ral device and there is no problem with it:
ral0 at pci1 dev 0 function 0 "Ralink RT3090" rev 0x00: apic 2 int 16, address 00:12:0e:b1:6e:c7
ral0: MAC/BBP RT3071 (rev 0x0213), RF RT3020 (MIMO 1T1R)
I'm able to work with wlan in a large office with many rooms.
The other system has a rum device, and even though I changed the default antenna to:
http://www.tp-link.com/en/products/details/?categoryid=217&model=TL-ANT2408C#spec
I am only able to work with wifi near the box. At five meters distance
signal and speed are lost.

Second box inside:
http://i.piccy.info/i7/1a7b8b084d13e55847dcd752803b92a4/4-48-83/45834655/SAM_5902.jpg

uname:
OpenBSD gw2.kh 5.2 GENERIC.MP#339 i386

dmesg:
rum0 at uhub2 port 3 Ralink 802.11 bg WLAN rev 2.00/0.01 addr 3
rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528, address 00:24:21:8b:7b:aa

ifconfig rum0
rum0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:24:21:8b:7b:aa
priority: 4
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: active
ieee80211: nwid Monkey chan 8 bssid 00:24:21:8b:7b:aa wpakey 0xef79762bd4241d691eeaf9d5281a9604b62a96374ead5be90b6d012b92c7522e wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
inet 192.168.44.1 netmask 0xff00 broadcast 192.168.44.255



Re: kvm and Openbsd 5.1

2012-09-17 Thread lilit-aibolit

On 07/21/2012 01:50 PM, Holger Glaess wrote:

Hi list,
today I've installed OpenBSD 5.1 amd64 on a kvm (linux slackware) kvm
version is 1.0.1.

Starting machine with 4 core, and bsd.mp it crash.
Disabling mpbios see only one core and not smp.

Then, I've updated kvm to 1.1.1 but the results are the same.


There is someone that has started obsd on kvm and avoid this problem?

This problem is kvm related?

Another, someone has tried obsd 5.1 on ESX?


Thanks in advance.



hi

i run 2 guests with 5.1 on proxmox 2.1 distribution .

i don't know what the version of kvm is behind of proxmox.

but openbsd 5.1 run as expected normal ;)

fort more information check
http://www.proxmox.com/products/proxmox-ve

holger



Hi Holger. I had read and remembered your answer, and now I have a machine
with full hw Intel VT support. I tried to install 5.1 and it works. But
I have an issue shutting down the 5.1 guest.
It doesn't work when I try halt -p in the console and also doesn't work when I
try to shut down from the proxmox page. Only stop works.

This is the reason I can't, for example, just reboot proxmox.
Do you have such trouble?



Re: ftp in both direction through pf

2012-08-22 Thread lilit-aibolit

On 08/21/2012 08:48 PM, Maurice Janssen wrote:

On 08/21/2012 10:15 AM, lilit-aibolit wrote:

On 08/20/2012 09:49 PM, Maurice Janssen wrote:

On 08/20/2012 04:43 PM, lilit-aibolit wrote:

I have internal ftp-server.
To give access for it from Internet I use ftp-proxy:

ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"

and rules:

anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass out on $int_if inet proto tcp from any to ftp_server port ftp user proxy

and this work. But I need to give access to external ftp-servers from my
lan.
I use rules:

match out on $ext_if inet proto tcp from lan to any nat-to (em1)
pass in on $int_if inet proto tcp from lan to any port { ftp, 49151 }
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }

and it not work from lan:

snip

what is wrong with my config?
thanks.


You need to start ftp-proxy twice. One to redirect the external
clients to the internal server and another one for the internal clients.


And of course you also need to redirect the internal client to the
second instance of ftp-proxy.

Something like this should work:

rc.conf.local (for internal clients):
ftpproxy_flags=""

rc.local (for external clients):
/usr/sbin/ftp-proxy -R <internal ip of server> -p 21 -b <external ip>

And make sure you have something like this in your pf.conf:
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021


Thanks for the reply Maurice.
I just started a new instance of ftp-proxy and modified the rules:

# fstat | grep internet | grep ftp
proxy ftp-proxy 24178 3* internet stream tcp 0xd6354198 127.0.0.1:8021
proxy ftp-proxy 29949 3* internet stream tcp 0xd6bea334 ext_ip:21
# ps -ax | grep ftp
29949 ?? Is 0:00.87 ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip
24178 ?? Is 0:00.00 ftp-proxy


That looks good.


match out on $ext_if inet proto tcp from lan to any nat-to (em1)
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }


With this the ftp connection works in passive mode, but if I delete 49151 it
stops working.


You mean for internal clients connecting to external ftp servers?


Is that as it should be? Because the man page doesn't say to open 49151:
http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8&manpath=OpenBSD+5.1#end


The high port should be opened by ftp-proxy, so something is not
right.  Difficult to say without seeing the whole pf.conf.


Maurice


Maurice




Ok. Just in case you have time to review it.
twikimail - internal ftp server. From it I also test connections to
external ftp servers.


#$OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if = em1
wifi_if = ral0
int_if = em0

portstuff = "{ smtps, submission, pop3, pop3s, imap, imaps, www, https, pptp, 1194, 1863, 5222 }"


table <firewall> const { self }
table <tlv_lan>    { 192.168.2.0/24 }
table <tlv_wifi>   { 192.168.22.0/24 }
table <tlk>        { 192.168.5.0/24 }
table <tlk_gw>     { x.x.x.x }
#table <admin>     { 192.168.2.208 }
table <dns>        { x.x.x.x, 8.8.8.8 }
table <vpn>        { 192.168.88.0/24 }
#table <adminvpn>  { 192.168.14.115, 192.168.14.113 }
table <redmine>    { 192.168.5.252 }
table <mysql>      { 192.168.5.248 }
table <twikimail>  { 192.168.2.102 }
table <lic>        { 192.168.5.246 }
table <qnap>       { 192.168.5.200 }
table <private>    { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
                     127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
                     172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
                     192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table <bruteforce> persist
#table <advertisement> file "/etc/advertisement"
table <spamd-white> persist
table <spamd> persist
#table <spamd-bypass> file "/etc/mail/spamd.bypass"
#table <spamd-black> file "/etc/mail/spamd.black"

set skip on { lo, enc0 }
#set loginterface ral0
set timeout { frag 20, tcp.established 3600 }
set block-policy return

#antispoof quick for { em1 }

match in all scrub (no-df)

anchor "ftp-proxy/*"

#nat
#match out on $ext_if inet from <admin> to any nat-to (em1)
match out on $ext_if inet proto tcp from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)
match out on $ext_if inet proto udp from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)
match out on $ext_if inet proto gre from { <tlv_lan>, <tlv_wifi> } to any nat-to (em1)


#rdr
match in on $ext_if inet proto tcp from any to (em1) port { www, https, 3690 } rdr-to 192.168.2.102


#block in quick on $int_if from any to <advertisement>
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on $ext_if from { <bruteforce>, <private>, <spamd-black> } to any
block out quick on $ext_if from any to <private>
block in quick on $int_if inet proto tcp from !<twikimail> to any port smtp
block all

#in
pass in on $ext_if inet proto tcp from any

Re: ftp in both direction through pf (SOLVED)

2012-08-22 Thread lilit-aibolit

In the above letter I had a mistake.
I did

pass in on $int_if inet proto tcp from <tlv_lan> to port ftp divert-to 127.0.0.1 port 8021

and at the same time allowed { ftp, 49151 } for the internal host on which I
tested the connection to remote ftp.
I deleted those ports and now the internal client can connect to external
ftp servers in active and passive mode. The connection to the internal ftp
also works.

pass in on $int_if inet proto tcp from <twikimail> to any port { smtp, submission, www, https, ftp, 49151 }

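The SOLVED configuration pulled together, as an added example that is not part of the thread, with the pf detail that explains why the extra `{ ftp, 49151 }` rule broke things: pf evaluates the whole ruleset and the last matching rule wins unless a rule is marked `quick`, so the later `pass in on $int_if ... from <twikimail> to any port { ..., ftp, 49151 }` without `divert-to` won over the divert rule, the control connection bypassed ftp-proxy, and the server saw the client's private address in PORT, the same failure the first post shows for a setup with no proxy in that direction at all. Interface names, tables and 192.168.2.102 follow the posted pf.conf; the `quick` on the divert rule and the `user proxy` matches on the proxy's own outbound connections are my additions, and `<ext_ip>` stands for the placeholder the thread uses.

```pf
# Added example (not the poster's pf.conf).  Names follow the thread;
# "quick" on the divert rule and the "user proxy" matches are additions.
ext_if = "em1"
int_if = "em0"
table <tlv_lan>   { 192.168.2.0/24 }
table <twikimail> { 192.168.2.102 }

# Both ftp-proxy(8) instances install their per-session pass/rdr/nat rules
# here at runtime, so no static data port (49151 or otherwise) is needed.
anchor "ftp-proxy/*"

# Outbound: LAN clients -> Internet servers, via the default instance
# (rc.conf.local: ftpproxy_flags="" ; it listens on 127.0.0.1:8021).
# quick: a later, more general "pass in ... port ftp" must not override this.
pass in quick on $int_if inet proto tcp from <tlv_lan> to any port ftp \
    divert-to 127.0.0.1 port 8021
# The proxy's own control connection to the server; data connections are
# covered by the rules the proxy adds to the anchor.
pass out on $ext_if inet proto tcp from ($ext_if) to any port ftp user proxy

# Inbound: Internet clients -> internal server, via the reverse instance
# (rc.local: /usr/sbin/ftp-proxy -R 192.168.2.102 -p 21 -b <ext_ip>).
pass in on $ext_if inet proto tcp from any to ($ext_if) port ftp
pass out on $int_if inet proto tcp from any to <twikimail> port ftp user proxy

# Ordinary LAN rule for the server host: no ftp here, and no data port.
pass in on $int_if inet proto tcp from <twikimail> to any \
    port { smtp, submission, www, https }
```

With an active transfer in flight, `pfctl -a "ftp-proxy/*" -sr` shows the session rules the proxies inserted; if a LAN client's control connection never reaches 127.0.0.1:8021 (`fstat | grep 8021` shows no peer), a later non-quick rule is still catching port ftp first, which is what `pfctl -vsr` rule counters will make visible.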



Re: ftp in both direction through pf

2012-08-21 Thread lilit-aibolit

On 08/20/2012 09:49 PM, Maurice Janssen wrote:

On 08/20/2012 04:43 PM, lilit-aibolit wrote:

I have internal ftp-server.
To give access for it from Internet I use ftp-proxy:

ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"

and rules:

anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass out on $int_if inet proto tcp from any to ftp_server port ftp user proxy

and this work. But I need to give access to external ftp-servers from my
lan.
I use rules:

match out on $ext_if inet proto tcp from lan to any nat-to (em1)
pass in on $int_if inet proto tcp from lan to any port { ftp, 49151 }
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }


and it not work from lan:

snip

what is wrong with my config?
thanks.


You need to start ftp-proxy twice.  One to redirect the external 
clients to the internal server and another one for the internal clients.


And of course you also need to redirect the internal client to the 
second instance of ftp-proxy.


Something like this should work:

rc.conf.local (for internal clients):
ftpproxy_flags=""

rc.local (for external clients):
/usr/sbin/ftp-proxy -R <internal ip of server> -p 21 -b <external ip>

And make sure you have something like this in your pf.conf:
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021



Maurice




Thanks for the reply Maurice.
I just started a new instance of ftp-proxy and modified the rules:

# fstat | grep internet | grep ftp
proxy    ftp-proxy  24178    3* internet stream tcp 0xd6354198 127.0.0.1:8021
proxy    ftp-proxy  29949    3* internet stream tcp 0xd6bea334 ext_ip:21
# ps -ax | grep ftp
29949 ??  Is  0:00.87 ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip
24178 ??  Is  0:00.00 ftp-proxy

match out on $ext_if inet proto tcp from lan to any nat-to (em1)
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }

With this, the ftp connection works in passive mode, but if I delete 49151 it
stops working.

Is this how it should be? Because the man page doesn't say to open 49151:
http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8&manpath=OpenBSD+5.1#end
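
Putting Maurice's two-instance setup together, here is the complete FTP-related configuration as an added example; it is not from the thread or from OpenBSD itself. It assumes em1 is the external and em0 the internal interface, the LAN is 192.168.2.0/24 and the server is 192.168.2.102 (the addresses that appear in the messages above); `ext_ip` stands for the real external address and must be replaced. Rules for other traffic (ssh, dns, ...) are left out.

```conf
# /etc/rc.conf.local -- instance 1, forward proxy for LAN clients.
# With no flags ftp-proxy listens on its default 127.0.0.1 port 8021.
ftpproxy_flags=""

# /etc/rc.local -- instance 2, reverse proxy that exposes the internal
# server on the external address (replace ext_ip with the real address).
/usr/sbin/ftp-proxy -R 192.168.2.102 -p 21 -b ext_ip

# /etc/pf.conf -- only the FTP-related rules
ext_if     = "em1"
int_if     = "em0"
lan        = "192.168.2.0/24"
ftp_server = "192.168.2.102"

set skip on lo

# Both ftp-proxy instances insert the rules for their data connections
# (with quick, rdr-to and nat-to) into this anchor, so it has to come
# before the rules below.
anchor "ftp-proxy/*"

# LAN -> Internet: control connections to any ftp server are diverted to
# the forward proxy on 127.0.0.1:8021 ...
pass in quick on $int_if inet proto tcp from $lan to any port ftp \
    divert-to 127.0.0.1 port 8021
# ... which then opens its own control connection to the real server
# from the external address, running as user "proxy".
match out on $ext_if inet from $lan to any nat-to ($ext_if)
pass out on $ext_if inet proto tcp from ($ext_if) to any port ftp user proxy

# Internet -> internal server: the reverse proxy listens on ($ext_if):21
# and connects to the server from the internal interface.
pass in  on $ext_if inet proto tcp from any to ($ext_if) port ftp
pass out on $int_if inet proto tcp from ($int_if) to $ftp_server port ftp user proxy
```

After `pfctl -f /etc/pf.conf` and starting both daemons, `fstat | grep ftp-proxy` should show two listeners owned by user proxy, one on 127.0.0.1:8021 and one on ext_ip:21, exactly as in the fstat output above; `pfctl -a "ftp-proxy/*" -sr` shows the per-session rules while a transfer is running.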



ftp in both directions through pf

2012-08-20 Thread lilit-aibolit

I have internal ftp-server.
To give access for it from Internet I use ftp-proxy:

ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"

and rules:

anchor ftp-proxy/*
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass out on $int_if inet proto tcp from any to ftp_server port ftp user proxy


and this works. But I also need to give access to external ftp servers from my
LAN.

I use rules:

match out on $ext_if inet proto tcp from lan to any nat-to (em1)
pass in on $int_if inet proto tcp from lan to any port { ftp, 49151 }
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, 49151 }

and it does not work from the LAN:

ftp> open ftpserver
Connected to ftpserver.
220 www.ftpserver FTP server ready.
User (ftpserver:(none)): user
331 Password required for user.
Password:
230 User user logged in.
ftp> dir
500 Illegal PORT rejected (address wrong).
425 Can't build data connection: Connection refused.
ftp> dir
425 Can't build data connection: Connection refused.
ftp> quit
221 Goodbye.

what is wrong with my config?
thanks.



Re: Dilemma: between OpenBSD and NetBSD

2012-08-10 Thread lilit-aibolit

On 08/10/2012 05:17 PM, Francois Pussault wrote:

In computer file systems, soft updates is an approach to maintaining disk
integrity after a crash or power outage. They are an alternative to journaling
file system.

Why is softdep not enabled by default?



/etc/mygate not work

2012-07-30 Thread lilit-aibolit

There is strange behaviour in 5.1.
before reboot:
# cat /etc/mygate
192.168.2.80
# ls -la /etc/mygate
-rw-r--r-- 1 root wheel 13 Jul 30 13:15 /etc/mygate
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
...
em0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
..
        status: active
        inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
...
        status: no carrier
        inet6 fe80::218:7dff:fe13:f325%em1 prefixlen 64 scopeid 0x2
enc0: flags=0<>
..
rum0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
..
        status: active
..
        inet 192.168.22.2 netmask 0xffffff00 broadcast 192.168.22.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
..
        status: active
        inet 192.168.88.1 --> 192.168.88.2 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196

after reboot:
# netstat -rn
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127/8              127.0.0.1          UGRS       0        0 33196     8 lo0
127.0.0.1          127.0.0.1          UH         1        6 33196     4 lo0
192.168.2/24       link#1             UC         2        0     -     4 em0


The default route is absent.
Please help me understand what is wrong.



ipsec between 5.0 5.1

2012-07-27 Thread lilit-aibolit

Hi misc.
Is it possible?



is application goes to sleep?

2012-07-23 Thread lilit-aibolit

Hi misc, please point me in the right direction.
I have a Java application:
https://bitbucket.org/sdorra/scm-manager/wiki/Home
It stopped answering one week after it was started,
but the application is still listening on its TCP port and is present in the process list.
It seems that no one touched it during that time.
Is it possible that this app went to sleep and didn't come back?
And is this situation possible in principle for any application/daemon?
After a stop/start the app works fine.
Unfortunately I can't touch/open the application every day
to verify that it works and to prevent it from going to sleep.



pf: interface in parentheses

2012-07-02 Thread lilit-aibolit

Hi misc.
A simple question, to understand this fully:
I have DHCP on the WAN interface.
Can I use a macro for this interface in rules?
Like this:

ext_if = "em1"
antispoof quick for { em1 } or { (em1) }
match out on $ext_if inet from admin to any nat-to (em1)
pass in on $ext_if inet proto tcp from any to (em1) port ssh
pass out on $ext_if inet proto udp from (em1) to dns port domain

I.e. do I need the parentheses only in src_addr/dst_addr?
In the other case (the interface name) can I use the macro?

Is it possible to define the DHCP interface in a macro as ext_if = "(em1)"?
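
A pf.conf fragment added here as an example (it is not from the thread or from any reply) of what the grammar allows: the macro holds the bare interface name, `$ext_if` is used after `on`, and `($ext_if)` is used wherever an address is expected so pf follows the address the DHCP client assigns without a reload. `admin` and `dns` are assumed placeholder values, not taken from the message.

```conf
ext_if = "em1"
int_if = "em0"
admin  = "192.168.2.0/24"            # assumed LAN, replace with yours
dns    = "{ 8.8.8.8, 8.8.4.4 }"      # assumed resolvers, replace with yours

# 'on' takes an interface name, so the macro is used bare here ...
match out on $ext_if inet from $admin to any nat-to ($ext_if)

# ... and in address positions the parenthesised form expands to the
# interface's current address(es), tracked as they change.
pass in  on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass out on $ext_if inet proto udp from ($ext_if) to $dns port domain

# This does NOT work: macros are plain text substitution, so
#   ext_if = "(em1)"
# would turn 'on $ext_if' into 'on (em1)', which pfctl rejects at load
# time. Keep the name in the macro and add the parentheses at the
# address positions instead.
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading, and `pfctl -sr` afterwards shows the rules still written as `($ext_if)`, rather than expanded to a fixed address, which is what makes them survive a lease change.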



opensmtpd php_mail /usr/sbin/sendmail

2012-05-30 Thread lilit-aibolit

Hello misc.
There are many web applications that use the PHP mail function,
which points to /usr/sbin/sendmail on localhost.
In some cases sendmail is used with the smart_host+masquerade options
to deliver email via gmail, for example.
Configuring sendmail to work with gmail (SMTP AUTH/TLS) is hard for me.
The question: is it possible to use opensmtpd instead of sendmail to
send email composed by the PHP mail function,
and how do I point the web application at opensmtpd?



Re: opensmtpd php_mail /usr/sbin/sendmail

2012-05-30 Thread lilit-aibolit

30.05.2012 10:23, Gilles Chehade wrote:

You can configure opensmtpd to work with gmail relatively easily:

/etc/mail/gmail-credentials.txt:

mail.google.com user:password

/etc/mail/smtpd.conf:

map gmail source plain /etc/mail/gmail-credentials.txt
accept for all relay via mail.google.com tls auth gmail

To let your chrooted apache communicate with opensmtpd, you can use
mini_sendmail from packages, or any smtp client really.

However there is no masquerading at the envelope level yet



Thanks for your reply, Gilles.
I will try to test it.
But while I was waiting for answers to my question,
I found a great how-to and followed it, with a good
final result: gmail receives mail from my sendmail.
http://theory14.wordpress.com/2009/06/16/openbsd-smtp-authtls-imaps-proxy/



Re: kqemu in 5.1

2012-05-07 Thread lilit-aibolit

04.05.2012 13:28, Weldon Goree wrote:

On 05/04/12 06:12, Jes wrote:

Hi all:

I can't find kqemu between snapshots packages, ports, or even in 5.1
packages. I think I've read something about kqemu is deprecated in
newer versions of qemu (1.0.1) Is this correct? Because performance
without kqemu is horrible. Any solution?




Yes, it was killed upstream since Linux now comes with its own
hypervisor (KVM).

AFAIK OpenBSD currently does not have a working hypervisor since it also
can't be dom0 on xen until such time as xen stops randomly overwriting
register contents at unpredictable times.

So, as of now, any virtualization will have to be of the plain qemu or
bochs variety. Sorry.

Best,
Weldon





qemu-0.14.1p4.tgz and kqemu-1.3.0pre11p3.tgz are in packages.
Does this not work?



Re: Intel ICH9R compatibility with OpenBSD

2012-03-13 Thread lilit-aibolit

12.03.2012 18:01, Axton wrote:

On Mon, Mar 12, 2012 at 9:44 AM, lilit-aibolit <lilit-aibo...@mail.ru> wrote:

Hello misc, please give me some advice
to buy low-power and low-noise HW.
My selection - is:
http://www.supermicro.nl/products/system/1U/5015/SYS-5015A-PHF.cfm?typ=E
that have Intel ICH9R chipset.
But in supported hardware it is absent:
- Intel 82801
(ICH/ICH0/ICH2/ICH3/ICH4/ICH4-M/ICH5/ICH5R/ICH6/ICH6/ICH6/ICH7)



I am using a 5015A (I think 5015A-EHF) without any issues.  I don't
use the ICH9R or any other ICHxx RAID capabilities, so that chipset
does not matter to me.  I think the whole architecture of
allowing the chipset to use the kernel for RAID
capabilities/offloading is garbage.  The design has too many points of
failure (kernel driver, chipset implementation and firmware, userland
software for raid management, etc.).  It's an unreliable
implementation that allows people who do not understand what they are
doing to say "I have a RAID array" and gives them a pretty GUI to
manage the array.  Software based raid in OpenBSD is fine, but lacks
some capabilities for setting up a raid array for the root partition,
though I admit I lack in depth knowledge in this area, so I could be
wrong with this statement.  I'm sure others will chime in if I'm
mistaken.

Note these bits:
pciide0 at pci0 dev 31 function 2 "Intel 82801I SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 3 int 19 for native-PCI interrupt

That's the important part.  OpenBSD seems to work well with this
chipset.  The network hardware/driver for this machine results in high
interrupt rates under heavy load.  This is my only complaint with the
box.  For my needs it works just fine though.  I can move traffic
through the box at a rate that is acceptable for my needs.

OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Atom(TM) CPU D510 @ 1.66GHz ("GenuineIntel" 686-class) 1.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
real mem  = 3220283392 (3071MB)
avail mem = 3157540864 (3011MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/26/10, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.6 @ 0x9ac00 (19 entries)
bios0: vendor American Megatrends Inc. version "1.0c" date 05/26/2010
bios0: Supermicro X7SPA-HF
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG SLIC OEMB HPET
acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) GBE_(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 168MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D510 @ 1.66GHz ("GenuineIntel" 686-class) 1.69 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
ioapic0 at mainbus0: apid 3 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 1, remapped to apid 3
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P0P1)
acpiprt2 at acpi0: bus 1 (P0P4)
acpiprt3 at acpi0: bus -1 (P0P5)
acpiprt4 at acpi0: bus -1 (P0P6)
acpiprt5 at acpi0: bus -1 (P0P7)
acpiprt6 at acpi0: bus 2 (P0P8)
acpiprt7 at acpi0: bus 3 (P0P9)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc0000/0x8000
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: apic 3 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: apic 3 int 21
uhci2 at pci0 dev 26 function 2 "Intel 82801I USB" rev 0x02: apic 3 int 19
ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x02: apic 3 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: apic 3 int 17
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: apic 3 int 17
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi, address 00:25:90:09:9b:80
ppb2 at pci0 dev 28 function 5 "Intel 82801I PCIE" rev 0x02: apic 3 int 16
pci3 at ppb2 bus 3
em1 at pci3 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi, address 00:25:90:09:9b:81
uhci3 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 3 int 23
uhci4 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 3 int 19
uhci5 at 

Re: SSH, root can repeat commands with up arrow, others cannot

2012-03-12 Thread lilit-aibolit

11.03.2012 21:43, Chris Bennett wrote:

This started for me a while back.
Login as root, I can repeat older commands with up down arrows.
History command shows history.

su -l otheruser

Cannot use up down arrows to access history.
History command shows correct history.

Login remotely as otheruser.
Same problem.

Chris Bennett





Try adding this to your .profile:

export HISTFILE=~/.sh_history

and log in again.

It works for me and keeps all history across a disconnect
and the start of a new session.



Intel ICH9R compatibility with OpenBSD

2012-03-12 Thread lilit-aibolit

Hello misc, please give me some advice
on buying low-power and low-noise HW.
My selection is:
http://www.supermicro.nl/products/system/1U/5015/SYS-5015A-PHF.cfm?typ=E
which has the Intel ICH9R chipset.
But it is absent from the supported hardware list:
- Intel 82801
(ICH/ICH0/ICH2/ICH3/ICH4/ICH4-M/ICH5/ICH5R/ICH6/ICH6/ICH6/ICH7)




Re: disk management

2012-02-23 Thread lilit-aibolit

13.01.2012 17:22, Stuart Henderson wrote:

On 2012/01/13 16:55, lilit-aibolit wrote:

13.01.2012 16:11, Stuart Henderson wrote:


  a:             1.0G               63  4.2BSD   2048 16384    1 # /
  b:             1.2G          2097215    swap
  c:            37.3G                0  unused
  d:             2.6G          4683375  4.2BSD   2048 16384    1 # /tmp
  e:             4.0G         10052439  4.2BSD   2048 16384    1 # /var
  f:             2.0G         18541648  4.2BSD   2048 16384    1 # /usr
  g:             1.0G         22735952  4.2BSD   2048 16384    1 # /usr/X11R6
  h:             3.5G         24833104  4.2BSD   2048 16384    1 # /usr/local
  i:             1.9G         32229473  4.2BSD   2048 16384    1 # /usr/src
  j:             1.9G         36247864  4.2BSD   2048 16384    1 # /usr/obj
  k:            18.1G         40266255  4.2BSD   2048 16384    1 # /home

As you have partitions on the disk between /usr and /home,
you can't easily just grow /var.

Here are some options:

- backup, reinstall with better partition sizes, restore.

- swap /var and /home partitions (shut down services, copy files
around between the partitions, swap the fstab entries, reboot).
if you are not totally confident with doing this, make sure your
backups are up-to-date first.

- if you only need a little more space, or if you need to buy some
time until you an plan a proper reinstallation, move your squid
cache_dir to /home.




I got the same recommendation from Vadim Zhukov <persg...@gmail.com>,
with a little difference: do it in single-user mode:

1. Boot in single user mode, enter shell.
2. mount /, /usr, /var and /home.
3. Move /var/* to /home.
4. Move /home/* to /var (except what moved on step 3).
5. Umount /home and /var.
6. Edit fstab and switch /home and /var mount points.
7. Try to mount /home and /var now, checking all is ok.
8. Proceed booting (^D) and have a nice day.

but I operate remotely and can't shut down all services, such as PF or
SSH. So do I need to do this locally anyway?


I do not *recommend* doing this without console access, but
sometimes there is no other choice. ;-) Since you don't have
full access you need to take extra care.

Shut down anything that you don't absolutely require. syslogd,
squid, httpd/nginx, whatever.

I would *copy* files from /home to /var, not move them (of course
you'll need to clear some space first - old logs or squid cache
might be a good candidate). I would probably skip steps 5 and
7, just be careful that your fstab lines are correct.

Take care and think about every command before you press the
enter key. Check that everything is in the right place before
you reboot.




Thanks to all who helped with this.
After testing on a local PC,
I did it on the remote server with the following steps:
- shutdown and pkill all processes except sshd
- cp -pR /var/* /home
- the same for the home dir to var
- change the letters in fstab
- reboot and remove the unnecessary files in var and home
- everything works correctly and now I have more space in var
for the www project:

Using username root.
Last login: Thu Feb 23 08:57:29 2012 from 192.168.14.113
OpenBSD 4.7-stable (GENERIC) #3: Mon Sep 27 15:35:17 EEST 2010

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a     1005M    211M    744M    22%    /
/dev/wd0k     17.8G    2.0G   14.9G    12%    /var
/dev/wd0d      2.5G    6.0K    2.4G     0%    /tmp
/dev/wd0f      2.0G    927M    985M    48%    /usr
/dev/wd0g     1005M    167M    787M    18%    /usr/X11R6
/dev/wd0h      3.5G    280M    3.0G     8%    /usr/local
/dev/wd0j      1.9G    993M    841M    54%    /usr/obj
/dev/wd0i      1.9G    790M    1.0G    43%    /usr/src
/dev/wd0e      4.0G    411M    3.4G    11%    /home
#
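
The step both Vadim's list and Stuart's reply single out as the one to get right is the fstab edit: after the copy, the two device lines must have their mount points exchanged and nothing else may change, or the next boot lands in single-user mode. Here is an added example (not from the thread) of doing that swap mechanically and refusing to produce output unless each mount point occurs exactly once. The fstab it runs on is constructed for the example from the disklabel in the thread (wd0e as /var, wd0k as /home); it writes the rewritten fstab to stdout and installs nothing. Note also that `cp -pR /var/*` as used above skips dotfiles at the top level of /var and does not preserve hard links; `dump | restore` or `pax -rw -pe` copies a filesystem completely.

```sh
#!/bin/sh
# swap_fstab_mounts MP1 MP2 -- read an fstab on stdin, write it to stdout
# with the mount points MP1 and MP2 exchanged. Comments and blank lines
# pass through. If either mount point is missing or occurs more than once
# nothing is printed and the exit status is 1.
swap_fstab_mounts() {
    awk -v a="$1" -v b="$2" '
        /^[[:space:]]*#/ || NF < 2 { out[NR] = $0; next }
        {
            if ($2 == a)      { $2 = b; na++ }
            else if ($2 == b) { $2 = a; nb++ }
            out[NR] = $0
        }
        END {
            if (na != 1 || nb != 1) {
                printf("error: need exactly one entry each for %s and %s (found %d and %d)\n",
                       a, b, na, nb) > "/dev/stderr"
                exit 1
            }
            for (i = 1; i <= NR; i++) print out[i]
        }'
}

# mountpoint_of DEVICE -- print the mount point an fstab (on stdin) gives DEVICE
mountpoint_of() {
    awk -v dev="$1" '$1 == dev { print $2 }'
}

# Constructed sample fstab for the example (not the poster's real file),
# following the disklabel in the thread: wd0e is /var, wd0k is /home.
SAMPLE_FSTAB='/dev/wd0a / ffs rw 1 1
/dev/wd0k /home ffs rw,nodev,nosuid 1 2
/dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0f /usr ffs rw,nodev 1 2
/dev/wd0e /var ffs rw,nodev,nosuid 1 2'

# Dry run: print the result and read it before copying it over /etc/fstab.
printf '%s\n' "$SAMPLE_FSTAB" | swap_fstab_mounts /var /home
```

Against a real system the input is `/etc/fstab` and the output goes to a temporary file (`swap_fstab_mounts /var /home < /etc/fstab > /etc/fstab.new`), which is then checked by eye and moved into place only after the copies are complete; `mount -a` is not needed, the new layout takes effect at the reboot.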



Re: NFS : RPC: Program not registered

2012-01-19 Thread lilit-aibolit

19.01.2012 13:29, Giridhari wrote:

HELO.

I am following http://openbsd.org/faq/faq6.html#NFS  and have the server
running, and showmount shows an export but on the client when I get to the
line in the faq

# mount -t nfs 10.0.0.1:/work /mnt

and adapt it to the setup I have here I get the message

RPC: Program not registered


I did a bit of searching but couldn't find anything for OpenBSD about this.
Everything else in the faq has worked fine.
What am I doing wrong?

Giridhari




Try mounting without -t nfs.
Also make sure /mnt exists on the client.
Also try sudo mount.



Re: NFS : RPC: Program not registered

2012-01-19 Thread lilit-aibolit

19.01.2012 16:23, Jan Stary wrote:

On Jan 19 13:02:33, David Coppa wrote:

On Thu, Jan 19, 2012 at 12:29 PM, Giridhari <giridh...@live.com.au> wrote:

HELO.

I am following http://openbsd.org/faq/faq6.html#NFS  and have the server
running, and showmount shows an export but on the client when I get to the
line in the faq

# mount -t nfs 10.0.0.1:/work /mnt

and adapt it to the setup I have here I get the message

RPC: Program not registered


I did a bit of searching but couldn't find anything for OpenBSD about this.

Everything else in the faq has worked fine.
What am I doing wrong?


You need to start portmap on the clients


Mounting NFS Filesystems

NFS filesystems can be mounted from a client
without needing to enable any services or daemons.




In this case we don't know what system he is trying to mount from.
For example, on Linux the nfs-common package is needed.



disk management

2012-01-13 Thread lilit-aibolit

Hi misc. Here is a newbie question.
I have a disk with unused space:

# disklabel -p g wd0
16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:             1.0G               63  4.2BSD   2048 16384    1 # /
  b:             1.2G          2097215    swap
  c:            37.3G                0  unused
  d:             2.6G          4683375  4.2BSD   2048 16384    1 # /tmp
  e:             4.0G         10052439  4.2BSD   2048 16384    1 # /var
  f:             2.0G         18541648  4.2BSD   2048 16384    1 # /usr
  g:             1.0G         22735952  4.2BSD   2048 16384    1 # /usr/X11R6
  h:             3.5G         24833104  4.2BSD   2048 16384    1 # /usr/local
  i:             1.9G         32229473  4.2BSD   2048 16384    1 # /usr/src
  j:             1.9G         36247864  4.2BSD   2048 16384    1 # /usr/obj
  k:            18.1G         40266255  4.2BSD   2048 16384    1 # /home


and /var is running out of space:

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a     1005M    206M    749M    22%    /
/dev/wd0k     17.8G    411M   16.5G     2%    /home
/dev/wd0d      2.5G    6.0K    2.4G     0%    /tmp
/dev/wd0f      2.0G    927M    985M    48%    /usr
/dev/wd0g     1005M    167M    787M    18%    /usr/X11R6
/dev/wd0h      3.5G    280M    3.0G     8%    /usr/local
/dev/wd0j      1.9G    993M    841M    54%    /usr/obj
/dev/wd0i      1.9G    790M    1.0G    43%    /usr/src
/dev/wd0e      4.0G    3.4G    376M    90%    /var

In /var I store some sites for apache and need more space for them.
How can I use the unused space for /var, or will it be used automatically
when /var reaches 100% capacity?




Re: disk management

2012-01-13 Thread lilit-aibolit

13.01.2012 14:28, Francois Pussault wrote:



With such a huge /var, 90% is abnormal; you should already look for a logrotate
solution or choose a new partition map to use on the next update of the
machine.



First of all, thanks to all for your replies.
As I said, /var is used for a www application under chrooted apache.
/var/log is clean:

# du -sch /var/*
2.0K    /var/account
2.0K    /var/audit
2.0K    /var/authpf
1.5M    /var/backups
730K    /var/cache
4.0K    /var/crash
20.0K   /var/cron
14.7M   /var/db
4.0K    /var/empty
44.0K   /var/games
1.4M    /var/log
8.0K    /var/lost+found
4.2M    /var/mail
4.0K    /var/msgs
26.4M   /var/mysql
52.0K   /var/named
2.0K    /var/quotas
152K    /var/run
2.0K    /var/rwho
2.0K    /var/sasl2
2.0K    /var/siproxd
28.0K   /var/spool
781M    /var/squid
4.0K    /var/tmp
1.4G    /var/www
28.0K   /var/yp
2.2G    total

Do I understand correctly that in my case the easiest way is
to decrease /home and increase /var?



Re: disk management

2012-01-13 Thread lilit-aibolit

13.01.2012 16:11, Stuart Henderson wrote:


  a:             1.0G               63  4.2BSD   2048 16384    1 # /
  b:             1.2G          2097215    swap
  c:            37.3G                0  unused
  d:             2.6G          4683375  4.2BSD   2048 16384    1 # /tmp
  e:             4.0G         10052439  4.2BSD   2048 16384    1 # /var
  f:             2.0G         18541648  4.2BSD   2048 16384    1 # /usr
  g:             1.0G         22735952  4.2BSD   2048 16384    1 # /usr/X11R6
  h:             3.5G         24833104  4.2BSD   2048 16384    1 # /usr/local
  i:             1.9G         32229473  4.2BSD   2048 16384    1 # /usr/src
  j:             1.9G         36247864  4.2BSD   2048 16384    1 # /usr/obj
  k:            18.1G         40266255  4.2BSD   2048 16384    1 # /home

As you have partitions on the disk between /usr and /home,
you can't easily just grow /var.

Here are some options:

- backup, reinstall with better partition sizes, restore.

- swap /var and /home partitions (shut down services, copy files
around between the partitions, swap the fstab entries, reboot).
if you are not totally confident with doing this, make sure your
backups are up-to-date first.

- if you only need a little more space, or if you need to buy some
time until you an plan a proper reinstallation, move your squid
cache_dir to /home.




I got the same recommendation from Vadim Zhukov <persg...@gmail.com>,
with a little difference: do it in single-user mode:

1. Boot in single user mode, enter shell.
2. mount /, /usr, /var and /home.
3. Move /var/* to /home.
4. Move /home/* to /var (except what moved on step 3).
5. Umount /home and /var.
6. Edit fstab and switch /home and /var mount points.
7. Try to mount /home and /var now, checking all is ok.
8. Proceed booting (^D) and have a nice day.

but I operate remotely and can't shut down all services, such as PF or
SSH. So do I need to do this locally anyway?




Re: NPPPD/L2TP IPsec problems

2011-12-16 Thread lilit-aibolit

29.09.2011 16:30, YASUOKA Masahiko wrote:

On Mon, 26 Sep 2011 15:20:50 +0200
Martin Poulsen <mar...@dividebyzero.dk> wrote:

I have been playing around a little with the npppd daemon having setup a
L2TP server for test and learning purposes. The connection is running in
an IPsec tunnel and it works great and runs very fine when used on a
local network.

But I'm having problems when it comes to NAT.

This is my setup:

client (Windows XP)  NAT - internet - OpenBSD (public IP)


npppd L2TP/IPsec with NAT-T is not supported yet.

We need 3 more hacks.

   1. support FQDN identifier type on isakmpd
   2. ignore UDP checksum to pass L2TP messages.  (checksums is broken
  by IPsec transport mode)
   3. npppd must be able to send a L2TP message to different peer
  behind NAT by socket API.  (API is not fixed yet.)

1. and 2. are `just do it' task.  But 3. may take time.
I'll start to discuss this on tech@.

Thanks,

--yasuoka




Have you made any progress on that?



pptpd - connect external win-client to local net

2011-05-07 Thread lilit-aibolit

Hello misc!
I need to set up VPN connections between external Windows clients
and local Windows servers via an OpenBSD box.

ext_win - Internet - OpenBSD 4.8 - local net - win-server

Main problem:
- after the connection is established, the Internet does not work on ext_win_client,
  while connections to local_net work,
- if I untick "use default gateway on remote network" in the VPN
  properties on ext_win_client, then the Internet works, but
  local resources do not.
- playing with the nodefaultroute parameter in /etc/ppp/options and in
  /etc/ppp/options.pptpd has no effect.

What exactly is needed to establish a VPN from the Internet to local_net
and keep the Internet working on ext_client?

Here are the settings:

# cd /dev
# ls -la | grep tun
crw---   1 root  wheel  40,   0 May  7 12:06 tun0
crw---   1 root  wheel  40,   1 Apr 20  2010 tun1
crw---   1 root  wheel  40,   2 Apr 20  2010 tun2
crw---   1 root  wheel  40,   3 Apr 20  2010 tun3
crw-r--r--   1 root  wheel  49,  16 Apr 20  2010 tuner0

# pkg_info | grep poptop
poptop-1.3.4p0  PPTP Server
# cat /etc/pptpd.conf
option /etc/ppp/options.pptpd
noipparam
localip 192.168.14.111
remoteip 192.168.14.112-113
listen 188.230.122.54



pptpd - connect external win-client to local net

2011-05-07 Thread lilit-aibolit

Hello misc!
I need to set up VPN connections between external Windows clients
and local Windows servers via an OpenBSD box.

ext_win - Internet - OpenBSD 4.8 - local net - win-server

Main problem:
- after the connection is established, the Internet does not work on ext_win_client,
  while connections to local_net work,
- if I untick "use default gateway on remote network" in the VPN
  properties on ext_win_client, then the Internet works, but
  local resources do not.
- playing with the nodefaultroute parameter in /etc/ppp/options and in
  /etc/ppp/options.pptpd has no effect.

What exactly is needed to establish a VPN from the Internet to local_net
and keep the Internet working on ext_client?

Here are the settings:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:d0:b7:60:5f:2e
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.16.8 netmask 0xffffff00 broadcast 192.168.16.255
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:76:36:bb:2b
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 195.26.xx.xx netmask 0xffffffe0 broadcast 195.26.xx.xx
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:d0:b7:60:5f:28
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 188.230.xx.xx netmask 0xfffffffc broadcast 188.230.xx.xx
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:f1:6c:a7:66
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
enc0: flags=0<> mtu 1536
        priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1398
        priority: 0
        groups: tun
        media: Ethernet autoselect
        status: active
        inet 192.168.14.111 --> 192.168.14.113 netmask 0xffffffff
# ping 192.168.14.113
PING 192.168.14.113 (192.168.14.113): 56 data bytes
64 bytes from 192.168.14.113: icmp_seq=0 ttl=128 time=144.465 ms
64 bytes from 192.168.14.113: icmp_seq=1 ttl=128 time=189.242 ms
# cd /dev
# ls -la | grep tun
crw---   1 root  wheel  40,   0 May  7 12:06 tun0
crw---   1 root  wheel  40,   1 Apr 20  2010 tun1
crw---   1 root  wheel  40,   2 Apr 20  2010 tun2
crw---   1 root  wheel  40,   3 Apr 20  2010 tun3
crw-r--r--   1 root  wheel  49,  16 Apr 20  2010 tuner0
# cat /etc/sysctl.conf | grep ip.forwarding
net.inet.ip.forwarding=1
# pkg_info | grep poptop
poptop-1.3.4p0  PPTP Server
# cat /etc/pptpd.conf
option /etc/ppp/options.pptpd
noipparam
localip 192.168.14.111
remoteip 192.168.14.112-113
listen 188.230.122.54
# cat /etc/ppp/ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 set speed 115200
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pploop
 set dial
 set login
 set mppe * stateful
 set ifaddr 192.168.14.111 192.168.14.112-192.168.14.113 255.255.255.255
 set server /var/tmp/loop  0177
loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct
pptp:
 load loop
 disable pap
 disable chap
 disable ipv6
 disable ipv6cp
 disable deflate pred1
 deny deflate pred1
 enable mschapv2
 accept mppe
 accept dns
 set dns 8.8.8.8
 enable proxy
 set device !/etc/ppp/secure
# cat /etc/ppp/options
+mschap-v2 mppe-128 mppe-stateless
# cat /etc/ppp/options.pptpd
-pap
-chap
-chapms
+mschap-v2
mppe-128
mppe-stateless
lock
auth
usehostname
nodefaultroute
proxyarp

With these settings I connect to local_net successfully,
but route print on the win_client looks like this:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     77.52.44.148   77.52.44.148       2
          0.0.0.0          0.0.0.0   192.168.14.113 192.168.14.113       1
     77.52.44.148  255.255.255.255        127.0.0.1      127.0.0.1      50
   77.255.255.255  255.255.255.255     77.52.44.148   77.52.44.148      50
     80.255.77.41  255.255.255.255     77.52.44.148   77.52.44.148       1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
   188.230.122.54  255.255.255.255     77.52.44.148   77.52.44.148       1
   192.168.14.113  255.255.255.255        127.0.0.1      127.0.0.1      50
   192.168.14.255  255.255.255.255   192.168.14.113 192.168.14.113      50
        224.0.0.0        240.0.0.0     77.52.44.148   77.52.44.148       2
        224.0.0.0        240.0.0.0   192.168.14.113 192.168.14.113       1
  255.255.255.255  255.255.255.255     77.52.44.148   77.52.44.148       1
  255.255.255.255  255.255.255.255   192.168.14.113 192.168.14.113       1
Default Gateway:  192.168.14.113

Re: tftp - no route to host

2011-04-29 Thread lilit-aibolit

Janne Johansson wrote:



2011/4/29 pavel pocheptsov <lilit-aibo...@mail.ru>


openbsd 4.8
# cat /etc/pf.conf | grep tftp
pass in on $int_if inet proto udp from any to $int_if port tftp
# tftp 127.0.0.1


127.0.0.1 would not be on the $int_if, would it?

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast

Yes, but I was only testing from localhost,
and connecting to $int_if works too:

# tftp 192.168.15.6
tftp> get ekey
Received 40 bytes in 0.0 seconds
tftp> quit

The problem is connecting from another machine on 192.168.15.0/24
to tftpd on 192.168.15.6.



Re: tftp - no route to host

2011-04-29 Thread lilit-aibolit

Evgeniy Sudyr wrote:

Pavel,

1) Are you sure that you uncommented tftpd in inetd.conf ? Is inetd started ?
2) netstat -na | grep 69
3) tcpdump -ni lo port 69
4) check PF rules as Janne wrote before (maybe you need to pass or
just skip on lo). Btw, does it make any sense to use TFTP on localhost
? :)

--
Thanks!
Eugene Sudyr
  

# tcpdump -i rl0 | grep 192.168.15.6.tftp
tcpdump: listening on rl0, link-type EN10MB
17:55:51.398535 192.168.15.7.1117 > 192.168.15.6.tftp: 16 RRQ "ekey"
17:55:52.400286 192.168.15.7.1117 > 192.168.15.6.tftp: 16 RRQ "ekey"

# tail /var/log/daemon
Apr 29 17:54:14 ipsec2 dhcpd[24382]: DHCPREQUEST for 192.168.15.155 from 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:54:14 ipsec2 dhcpd[24382]: DHCPACK on 192.168.15.155 to 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:54:55 ipsec2 tftpd[17823]: send: No route to host
Apr 29 17:54:56 ipsec2 tftpd[7381]: send: No route to host
Apr 29 17:54:58 ipsec2 tftpd[21669]: send: No route to host
Apr 29 17:55:22 ipsec2 dhcpd[24382]: DHCPINFORM from 192.168.15.155
Apr 29 17:55:22 ipsec2 dhcpd[24382]: DHCPACK on 192.168.15.155 to 6c:62:6d:0c:56:f9 via rl0
Apr 29 17:55:51 ipsec2 tftpd[5857]: send: No route to host
Apr 29 17:55:52 ipsec2 tftpd[30407]: send: No route to host
Apr 29 17:55:54 ipsec2 tftpd[7320]: send: No route to host



Re: pptpd reload config

2011-04-27 Thread lilit-aibolit

Gregory Edigarov wrote:

On Tue, 26 Apr 2011 22:02:19 +0300
lilit-aibolit <lilit-aibo...@mail.ru> wrote:

  

I made changes in /etc/pptpd.conf and did
kill -HUP `cat /var/run/pptpd.pid`
but pptpd doesn't reload its config, it dies :(
I start it again with
/usr/local/sbin/pptpd
and nothing changes for the remote clients - they still receive
the old IP settings from /etc/pptpd.conf
What is wrong?



Perhaps you send wrong signal.
AFAIR, poptop react on SIGUSR1, SIGUSR2. So, see manual page for pptpd.

  

The pptpd man page says nothing about reacting to signals.
I found a solution in this simple way:
/usr/local/sbin/pptpd reload



pptpd reload config

2011-04-26 Thread lilit-aibolit

I made changes in /etc/pptpd.conf and did
kill -HUP `cat /var/run/pptpd.pid`
but pptpd doesn't reload its config, it dies :(
I start it again with
/usr/local/sbin/pptpd
and nothing changes for the remote clients - they still receive
the old IP settings from /etc/pptpd.conf
What is wrong?



Re: Routing all traffic through IPSEC VPN

2011-04-19 Thread lilit-aibolit

Matt S wrote:

Hello @misc:

I am up against a stumper.  I have a Site-to-Site IPSEC VPN working beautifully. 
 However, I would like the remote site to route all of its traffic through the 
VPN.  After googling, I seemed to come up with a suggestion to do a route change 
-net 0.0.0.0/0 gateway which didn't work well.  I think it might have to do 
with NAT.  The main office is doing the NAT.  Perhaps I need to some sort of NAT 
traversal on the VPN??



  

Hello.
Here is a working config. I have two nets, 15.0/24 and 16.0/24.
16.0/24 has the default gateway to the Internet.
IPsec is set up between 15 and 16.
From 15, for the lucky boys, I set up a tunnel to any.
On the router in 16 the lucky boys go out with NAT.
=== net 15.0 ===
ipsec.conf

remote_nets = { 192.168.16.0/24, 172.20.252.0/24}
nat_clients = { 192.168.15.10, 192.168.15.167, 192.168.15.170 }
flow esp from 192.168.15.0/24 to $remote_nets peer 192.168.10.1
flow esp from $nat_clients to any peer 192.168.10.1
esp from 192.168.10.2 to 192.168.10.1

ifconfig

rl0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:02:44:56:39:04
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.15.6 netmask 0xff00 broadcast 192.168.15.255
vr0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:13:d3:36:f5:ce
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.10.2 netmask 0xff00 broadcast 192.168.10.255

route -n show
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.10.1 UGS 5 5440 - 8 vr0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 4 33200 4 lo0
192.168.10/24 link#2 UC 1 0 - 4 vr0
192.168.10.1 00:d0:b7:60:5f:5c UHLc 3 1357436 - 4 vr0
192.168.15/24 link#1 UC 38 0 - 4 rl0
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
default 0 192.168.15.170/32 0 0 192.168.10.1/esp/require/in
192.168.15.170/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.167/32 0 0 192.168.10.1/esp/require/in
192.168.15.167/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.10/32 0 0 192.168.10.1/esp/require/in
192.168.15.10/32 0 default 0 0 192.168.10.1/esp/require/out
172.20.252/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 172.20.252/24 0 0 192.168.10.1/esp/require/out
192.168.16/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 192.168.16/24 0 0 192.168.10.1/esp/require/out

net 16=
local_nets = { 172.20.252.0/24, 192.168.16.0/24 }
flow esp from $local_nets to 192.168.15.0/24 peer 192.168.10.2
flow esp from any to { 192.168.15.10, 192.168.15.167, 192.168.15.170 } peer 192.168.10.2

esp from 192.168.10.1 to 192.168.10.2

fxp0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:d0:b7:60:75:51
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.16.6 netmask 0xff00 broadcast 192.168.16.255
fxp1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:d0:b7:60:5f:5c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:d0:b7:60:5d:9c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.20.252.36 netmask 0xfff8 broadcast 172.20.252.39
inet6 fe80::2d0:b7ff:fe60:5d9c%fxp2 prefixlen 64 scopeid 0x3
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:88:45:68:aa
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.20.55 netmask 0xff00 broadcast 192.168.20.255

Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.16.8 UGS 6 14997670 - 8 fxp0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 11204 33200 4 lo0
172.20.252.32/29 link#3 UC 1 0 - 4 fxp2
172.20.252.38 00:03:7e:00:73:40 UHLc 0 4831569 - 4 fxp2
192.168.10/24 link#2 UC 2 0 - 4 fxp1
192.168.10.1 00:d0:b7:60:5f:5c UHLc 0 4 - 4 lo0
192.168.10.2 00:13:d3:36:f5:ce UHLc 15 102190836 - 4 fxp1
192.168.15/24 192.168.10.2 UGS 0 119979 - 8 fxp1
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.15.170/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.170/32 0 0 192.168.10.2/esp/require/out
192.168.15.167/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.167/32 0 0 192.168.10.2/esp/require/out
192.168.15.10/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.10/32 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 192.168.16/24 0 0 192.168.10.2/esp/require/in
192.168.16/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 172.20.252/24 0 0 192.168.10.2/esp/require/in
172.20.252/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out


host 192.168.16.8 doint 
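An added check, not from the thread: it parses the `Encap:` rows of `route -n show` from both gateways and lists every flow that has no mirror image on the peer. As the two tables above show, each flow that is `out` on one side must appear with the same source and destination as `in` on the other side; the sample tables below are constructed from the excerpts above, with one net 16 flow dropped on purpose.

```python
# Added check (not from the thread): compare the "Encap:" rows of `route -n show`
# from the two gateways. A flow that is "out" on one side must be present with
# the same src/dst as "in" on the other (the peer address differs per side, so
# it is ignored); anything without a mirror image is reported.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst direction")

def parse_encap(text):
    """Parse Encap rows (src port dst port proto peer/esp/type/dir) into Flows."""
    flows = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "Source":
            continue  # header row or stray line
        src, _sport, dst, _dport, _proto, sa = parts
        flows.add(Flow(src, dst, sa.rsplit("/", 1)[1]))  # ".../require/in" -> "in"
    return flows

def mirror(flow):
    """The entry a correctly configured peer must carry for this flow."""
    return Flow(flow.src, flow.dst, "in" if flow.direction == "out" else "out")

def unmatched(side_a, side_b):
    """Flows of side A whose mirror image is missing from side B."""
    return sorted(f for f in side_a if mirror(f) not in side_b)

# Constructed from the net 15 gateway excerpt above (peer 192.168.10.1).
NET15 = """
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
default 0 192.168.15.170/32 0 0 192.168.10.1/esp/require/in
192.168.15.170/32 0 default 0 0 192.168.10.1/esp/require/out
192.168.16/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 192.168.16/24 0 0 192.168.10.1/esp/require/out
"""
# Net 16 gateway excerpt, with its 192.168.16/24 -> 192.168.15/24 "out" flow
# deliberately left out to show what a one-sided tunnel looks like.
NET16 = """
192.168.15.170/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.170/32 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 192.168.16/24 0 0 192.168.10.2/esp/require/in
"""

def check(net15_text=NET15, net16_text=NET16):
    """Return (flows on net15 lacking a peer entry, flows on net16 lacking one)."""
    a, b = parse_encap(net15_text), parse_encap(net16_text)
    return unmatched(a, b), unmatched(b, a)

if __name__ == "__main__":
    for side, missing in zip(("net15", "net16"), check()):
        for f in missing:
            print(f"{side}: peer lacks the mirror of {f.src} -> {f.dst} ({f.direction})")
```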

IPSec between 4.8 and 4.9

2011-04-18 Thread lilit-aibolit

I have IPsec with manual flows between two 4.8 boxes, and all works great.
I can't set up two 4.9 boxes at one moment, and I want to ask: can I change one side of the IPsec to 4.9?



Re: kern.maxcluster

2011-03-25 Thread lilit-aibolit

Tomas Bodzar writes:

On Fri, Mar 25, 2011 at 3:37 AM, Kleber Rocha kli...@gmail.com wrote:
  
And it may be of some interest to know where you got those
recommendations? Smells like calomel.org or similar


  

Why do so many people hate calomel.org?



Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread lilit-aibolit

Indunil Jayasooriya writes:

Hi list,

I have 3 web servers running on port 8080 behind a PF firewall. I am trying
to load balance these incoming connections to these web servers.

I wrote rules as below. Please pay attention to the *highlighted BOLD* rules;
they are the ones I have written. But I can NOT log in to these web servers
from the Internet.




# macros
ext_if=em0
int_if=em1

web_servers = { 192.168.x.64, 192.168.x.66, 192.168.x.67 }
lan_net=192.168.x.0/24


# options
set block-policy return
set loginterface $ext_if
set skip on lo
set state-policy if-bound


# Normalizing packets
# Filter traffic for unusual packets
match in on $ext_if scrub (random-id min-ttl 5 no-df)
match out on $ext_if scrub (random-id no-df)


*match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers
\
round-robin sticky-address *


# filter rules
block in log
block out log


*pass out log on $int_if inet proto tcp from any to $web_servers port 8080 \
   flags S/SA modulate state*



I visited this url as well.  http://www.openbsd.org/faq/pf/pools.html

Still no luck.

Where have I gone wrong?





  

probably you need to add this:
pass in on $ext_if inet proto tcp from any to $web_servers port 8080



how to NAT IP-phones

2011-01-27 Thread lilit-aibolit

Hello misc.
I have a Samsung OfficeServ 7400 PBX with a VoIP module.
The SIP provider gives out a small private /29 network to connect to their
SIP server directly.
So I need to include my OBSD box in this network to translate IP-phones
from my own private /24 network. All works fine with only one IP-phone;
any other phones can't establish connections with the PBX, because the
static-port directive is used in the NAT rules.
Without the static-port directive only one side can be heard in the call.
Please help to resolve this problem.

#pf.conf#
int_if = fxp0
ipsec_if = fxp1
phone_if = fxp2
waterpas_if = rl0

table <khaer> { 192.168.16.0/24 }
table <baza> { 192.168.15.0/24 }
table <phone> { 172.20.252.0/29 }
table <ipsec1> { 192.168.10.1 }
table <ipsec2> { 192.168.10.2 }

set skip on { lo0, enc0 }
set loginterface fxp0
set block-policy drop

block log all
#nat
match out on $phone_if inet proto udp from 192.168.16.13 to any nat-to $phone_if static-port
match out on $phone_if inet proto udp from 192.168.16.14 to any nat-to $phone_if static-port
#in
pass in on $int_if inet proto udp from 192.168.16.13 to fxp2:network route-to $phone_if
pass in on $int_if inet proto udp from 192.168.16.14 to fxp2:network route-to $phone_if
#out
pass out on { $phone_if, $waterpas_if } inet proto { tcp, udp }
pass out on $int_if inet proto { tcp, udp } from 192.168.16.6 to any
pass out on $int_if inet proto icmp from 192.168.16.6 to any
###

route-to is used for policy-based routing, because I have four networks
on this box.
Here is the state:

# pfctl -s state | grep .13
all udp 172.20.252.34:6000 <- 192.168.16.13:6000   MULTIPLE:MULTIPLE
all udp 172.20.252.36:6000 (192.168.16.13:6000) -> 172.20.252.34:6000   MULTIPLE:MULTIPLE
all udp 172.20.252.34:9000 <- 192.168.16.13:9000   NO_TRAFFIC:SINGLE
all udp 172.20.252.36:9000 (192.168.16.13:9000) -> 172.20.252.34:9000   SINGLE:NO_TRAFFIC
all udp 172.20.252.35:30012 <- 192.168.16.13:9000   MULTIPLE:MULTIPLE
all udp 172.20.252.36:9000 (192.168.16.13:9000) -> 172.20.252.35:30012   MULTIPLE:MULTIPLE
all udp 172.20.252.35:30013 <- 192.168.16.13:9001   MULTIPLE:MULTIPLE
all udp 172.20.252.36:9001 (192.168.16.13:9001) -> 172.20.252.35:30013   MULTIPLE:MULTIPLE
# pfctl -s state | grep .14
all udp 172.20.252.34:6000 <- 192.168.16.14:6000   NO_TRAFFIC:SINGLE

192.168.16.13 rings and talks, but 192.168.16.14 can't.
I read this: http://www.bastard.net/~kos/pf-voip.html and directly
copy-pasted the setup for my case,
but with tagging again only one phone works.
Possibly I don't understand how NAT works and PF can't translate
192.168.16.14 with the same port
that is in use at this moment.
Here the translation works:
all udp 172.20.252.34:6000 <- 192.168.16.13:6000   MULTIPLE:MULTIPLE
all udp 172.20.252.36:6000 (192.168.16.13:6000) -> 172.20.252.34:6000   MULTIPLE:MULTIPLE
but here it doesn't work:
all udp 172.20.252.34:6000 <- 192.168.16.14:6000   NO_TRAFFIC:SINGLE
because port 6000 is already taken up in the previous state.
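An added diagnostic, not from the thread: it parses `pfctl -s state` lines like the ones above and reports internal sources that pf passed in on the LAN side but never translated on the phone side, naming the host that already holds the static-port translation they would have needed. The `<-` and `->` arrows are the ones pf prints; the sample lines are constructed after the output quoted above.

```python
# Added diagnostic (not from the thread): with "nat-to ... static-port" pf keeps
# the original source port, so two phones both sending from UDP 6000 need the
# same translated addr:port, and the second one gets no NAT state. This finds
# LAN-side states with no matching NAT state and names the host that already
# holds the translated port.
import re

# LAN-side state as pf prints it: "all udp <dst> <- <src>   <states>"
IN_STATE = re.compile(r"^all (?P<proto>\w+) (?P<dst>[\d.]+:\d+) <- (?P<src>[\d.]+:\d+)")
# NAT state on the phone side: "all udp <xlated> (<src>) -> <dst>   <states>"
NAT_STATE = re.compile(
    r"^all (?P<proto>\w+) (?P<xlated>[\d.]+:\d+) \((?P<src>[\d.]+:\d+)\) -> (?P<dst>[\d.]+:\d+)"
)

def stuck_translations(state_text, xlate_addr):
    """Map each untranslated internal src (addr:port) to the internal host that
    already holds xlate_addr:port, or None when nothing explains the gap."""
    nat_by_src = {}   # internal "addr:port" -> translated "addr:port"
    holder = {}       # translated "addr:port" -> internal host address
    inbound = []      # internal "addr:port" values seen on LAN-side states
    for line in state_text.splitlines():
        m = NAT_STATE.match(line)
        if m:
            nat_by_src[m["src"]] = m["xlated"]
            holder[m["xlated"]] = m["src"].rsplit(":", 1)[0]
            continue
        m = IN_STATE.match(line)
        if m:
            inbound.append(m["src"])
    stuck = {}
    for src in inbound:
        if src in nat_by_src:
            continue  # a NAT state exists; this call leg is translated
        port = src.rsplit(":", 1)[1]
        # static-port means the only translation possible is xlate_addr:port
        stuck[src] = holder.get(f"{xlate_addr}:{port}")
    return stuck

# Constructed sample: phone .13 is translated, phone .14 only has a LAN-side state.
STATES = """\
all udp 172.20.252.34:6000 <- 192.168.16.13:6000   MULTIPLE:MULTIPLE
all udp 172.20.252.36:6000 (192.168.16.13:6000) -> 172.20.252.34:6000   MULTIPLE:MULTIPLE
all udp 172.20.252.34:9000 <- 192.168.16.13:9000   NO_TRAFFIC:SINGLE
all udp 172.20.252.36:9000 (192.168.16.13:9000) -> 172.20.252.34:9000   SINGLE:NO_TRAFFIC
all udp 172.20.252.34:6000 <- 192.168.16.14:6000   NO_TRAFFIC:SINGLE
"""

if __name__ == "__main__":
    for src, owner in stuck_translations(STATES, "172.20.252.36").items():
        why = f"port held by {owner}" if owner else "no NAT state and no port clash"
        print(f"{src}: not translated ({why})")
```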



Re: pf question: multiple multihomed machines

2011-01-06 Thread lilit-aibolit
gwes writes:

  What is the recommended pf.conf to get symmetrical routing
  for incoming and outgoing connections using a dual-homed
  gateway and internal hosts with static IPs on both WANs?
  
  I'm assuming route-to and reply-to are the correct
  tools to use.
  
  I've looked at the FAQ, googled for dual & multihomed machines,
  and haven't found a clear answer yet.
  
  I know there's a multihome section in the FAQ, but
  it only handles pools of nat-ed machines, and the last couple
  of lines are not obvious.

Hi, I use policy-based routing with PF. I have one local_if and three
external_ifs.
Two of them have their own gateway, and one doesn't.
Here is my pf.conf; it has no comments, but if you read carefully, all is
done.
Have a nice day with PF =)

#$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if_a = xl0
ext_gw_a = 195.26.xxx.xxx

ext_if_b = fxp1
ext_gw_b = 188.230.xxx.xxx

ext_if_c = fxp2
ext_gw_c = 172.20.252.33

int_if   = fxp0

table <firewall> const { self }
table <khaer> { 192.168.16.0/24 }
table <admin> { 192.168.16.1, 192.168.16.4, 192.168.16.6, 192.168.16.100 }
table <www> { 192.168.16.2 }
table <1c> { 192.168.16.3 }
table <zvit> { 192.168.16.4 }
table <mail> { 192.168.16.5 }
table <ad> { 192.168.16.7 }
table <fourblock> { 192.168.16.188 }
table <milestone> { 192.168.16.200 }
#table <officeserv> {  }
table <dns> { 194.44.xxx.xxx, 217.12.xxx.xxx }
table <kl-bank> { 192.168.16.184, 192.168.16.185, 192.168.16.201, \
192.168.16.207, 192.168.16.210, 192.168.16.218, \
192.168.16.221, 192.168.16.241 }
table <ipsec> { 192.168.15.0/24 }
table <private> { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table <bruteforce> persist
table <advertisement> file "/etc/advertisement"

set skip on { lo0, enc0 }
set loginterface $ext_if_b
set timeout { frag 20, tcp.established 3600 }
set block-policy drop

antispoof quick for { fxp1, fxp2, xl0 }

match in all scrub (no-df)

#anchor "ftp-proxy/*"

#queueing
#altq on fxp0 cbq bandwidth 400Kb queue { q_std_a, q_mail_a, q_www_a }
#queue q_std_a   bandwidth 10% priority 1 cbq (default)
#queue q_mail_a  bandwidth 70% priority 5 cbq (borrow)
#queue q_www_a   bandwidth 20% priority 3 cbq (borrow)
#altq on fxp1 cbq bandwidth 4Mb queue { q_std_b, q_admin, q_kl-bank, q_www_b }
#queue q_std_b   bandwidth 5% priority 1 cbq(default)
#queue q_admin   bandwidth 40% priority 4 cbq(borrow)
#queue q_kl-bank bandwidth 15% priority 7 cbq(borrow)
#queue q_www_b   bandwidth 40% priority 2 cbq(borrow)

#nat
match out on $ext_if_a inet proto tcp from <khaer> to !<khaer> nat-to $ext_if_a
match out on $ext_if_b inet from <khaer> to !<khaer> nat-to $ext_if_b
match out on $ext_if_b inet from <ipsec> to !<ipsec> nat-to $ext_if_b
match out on $ext_if_c inet proto { tcp, udp } from <admin> to any nat-to $ext_if_c
#rdr
match in on $ext_if_a inet proto tcp from any to $ext_if_a port { smtp, smtps, 444, 5 } tag MAIL_A rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 444 tag EXT_B rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 666 tag EXT_B rdr-to <1c> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 50666 tag EXT_B rdr-to <zvit> port rdp
#match in on $ext_if_b inet proto udp from any to $ext_if_b port 27015 tag EXT_B rdr-to <milestome>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55111 tag EXT_B rdr-to <milestone>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 1 tag EXT_B rdr-to <milestone> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55222 tag EXT_B rdr-to 192.168.16.26 port ssh
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55333 tag EXT_B rdr-to 192.168.16.26 port 80
#match in on $int_if inet proto tcp from <1c> to any port www rdr-to 127.0.0.1 port 3128
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port 8080 tag EXT_B rdr-to 192.168.16.100 port 80
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port { 6001, 6002 } tag EXT_B rdr-to 192.168.16.100
#block
block in quick on $ext_if_a from <bruteforce>
block in quick on $int_if from any to <advertisement>
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on { $ext_if_a, $ext_if_b } from <private> to any
block out quick on { $ext_if_a, $ext_if_b } from any to <private>
block log all
#in
pass in on $ext_if_a inet proto tcp from any to $ext_if_a port 5522 reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto udp from any to $ext_if_b port domain reply-to ($ext_if_b 

route show

2010-12-19 Thread lilit-aibolit

Hi folks!
I have a little problem with the route show command.
After I type this command and press Enter on the first machine, all is fine:

# route show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default NS UGS 0 0 - 8 rl0
loopback localhost UGRS 0 0 33200 8 lo0
localhost localhost UH 1 0 33200 4 lo0
192.168.10/24 link#2 UC 1 0 - 4 rl1
192.168.10.2 00:d0:b7:d3:a7:99 UHLc 1 552 - 4 rl1
192.168.15/24 192.168.10.2 UGS 0 0 - 8 rl1
192.168.16/24 link#1 UC 3 0 - 4 rl0
khaer-1 00:11:2f:8d:00:9b UHLc 2 714 - 4 rl0
NS 00:d0:b7:60:5f:2e UHLc 1 84 - 4 rl0
192.168.16.222 00:11:d8:dd:a0:ee UHLc 0 4 - 4 rl0
BASE-ADDRESS.MCAST localhost URS 0 0 33200 8 lo0
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 localhost UGRS 0 0 - 8 lo0
::/96 localhost UGRS 0 0 - 8 lo0
localhost localhost UH 14 0 33200 4 lo0
::127.0.0.0/104 localhost UGRS 0 0 - 8 lo0
::224.0.0.0/100 localhost UGRS 0 0 - 8 lo0
::255.0.0.0/104 localhost UGRS 0 0 - 8 lo0
:::0.0.0.0/96 localhost UGRS 0 0 - 8 lo0
2002::/24 localhost UGRS 0 0 - 8 lo0
2002:7f00::/24 localhost UGRS 0 0 - 8 lo0
2002:e000::/20 localhost UGRS 0 0 - 8 lo0
2002:ff00::/24 localhost UGRS 0 0 - 8 lo0
fe80::/10 localhost UGRS 0 0 - 8 lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
fe80::1%lo0 link#4 UHL 0 0 - 4 lo0
fec0::/10 localhost UGRS 0 0 - 8 lo0
ff01::/16 localhost UGRS 0 0 - 8 lo0
ff01::%lo0/32 localhost UC 0 0 - 4 lo0
ff02::/16 localhost UGRS 2 0 - 8 lo0
ff02::%lo0/32 localhost UC 0 0 - 4 lo0
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.15/24 0 192.168.16/24 0 0 192.168.10.2/esp/require/in
192.168.16/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out


But if I do it on the second machine, the output in the console and terminal is
very, very slow,
and while I write this letter it still hasn't finished and shows one line every 10-20
seconds:


#route show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
loopback localhost UGRS 0 0 33200 8 lo0
localhost localhost UH 1 2 33200 4 lo0
192.168.10/24 link#2 UC 1 0 - 4 fxp1
192.168.10.1 00:50:fc:6f:47:6f UHLc 1 181 - 4 fxp1
192.168.15/24 link#1 UC 1 0 - 4 fxp0
192.168.15.1 e0:cb:4e:95:c3:19 UHLc 0 13 - 4 fxp0
192.168.16/24 192.168.10.1 UGS 0 0 - 8 fxp1
BASE-ADDRESS.MCAST localhost URS 0 0 33200 8 lo0
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 localhost UGRS 0 0 - 8 lo0
::/96 localhost UGRS 0 0 - 8 lo0
localhost localhost UH 14 0 33200 4 lo0
::127.0.0.0/104 localhost UGRS 0 0 - 8 lo0
::224.0.0.0/100 localhost UGRS 0 0 - 8 lo0
::255.0.0.0/104 localhost UGRS 0 0 - 8 lo0
:::0.0.0.0/96 localhost UGRS 0 0 - 8 lo0
2002::/24 localhost UGRS 0 0 - 8 lo0
2002:7f00::/24 localhost UGRS 0 0 - 8 lo0
2002:e000::/20 localhost UGRS 0 0 - 8 lo0
.
.

This happens after adding a route for the IPsec connection:
#route add 192.168.16.0/24 192.168.10.1

If I delete this route:
# route delete 192.168.16/24
delete net 192.168.16/24

route show output is fast, but IPsec between the networks doesn't work.

System - OpenBSD 4.8
Thanks a lot.



virtualhost and httpd -U output

2010-11-18 Thread lilit-aibolit

Good day! I'm an OpenBSD newbie, living in a strange country called Ukraine.
I have OpenBSD 4.7 and uncommented httpd_flags=.
The VirtualHost section in httpd.conf looks like this:
##
NameVirtualHost *:80
<VirtualHost *:80>
   ServerAdmin ad...@xxx.com.ua
   DocumentRoot /var/www/users/xxx.com.ua
   ServerName xxx.com.ua
   ServerAlias www.xxx.com.ua
   CustomLog logs/xxx.com.ua-access_log common
   ErrorLog logs/xxx.com.ua-error_log
#   TransferLog |rotatelogs /var/www/logs/xxx.com.ua-access_log 86400
</VirtualHost>
<VirtualHost *:80>
   ServerAdmin ad...@yyy.com.ua
   DocumentRoot /var/www/users/yyy.com.ua
   ServerName yyy.com.ua
   ServerAlias www.yyy.com.ua
   CustomLog logs/yyy.com.ua-access_log common
   ErrorLog logs/yyy.com.ua-error_log
</VirtualHost>
<VirtualHost *:80>
   ServerAdmin ad...@zzz.org.ua
   DocumentRoot /var/www/users/zzz.org.ua
   ServerName zzz.org.ua
   ServerAlias www.zzz.org.ua
   CustomLog logs/zzz.org.ua-access_log common
   ErrorLog logs/zzz.org.ua-error_log
</VirtualHost>
###
Everything is fine and each site opens by its domain name in a browser
from any place,
and access/error for each site is logged in a different log file.
But... I want to see something else in the httpd -U output than what I have:
# httpd -U
[Thu Nov 18 12:03:19 2010] [warn] VirtualHost *:80 overlaps with VirtualHost *:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Nov 18 12:03:19 2010] [warn] VirtualHost *:80 overlaps with VirtualHost *:80, the first has precedence, perhaps you need a NameVirtualHost directive

[Thu Nov 18 12:03:19 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
What is the trouble?
Sorry for bad English.
Thanks.


