Hi all,
First I'd like to give my congrats to all OpenBSD dev team.
The last time I used it was back in 2.5 release.
I decided to check it out again when an old alpha came in my hands recently,
which was ideal running particular services (replacement for an RS6000
that died).
I also installed
Jim Razmus wrote:
Short answer: the two most current releases are supported.
http://www.openbsd.org/faq/faq5.html
Applies to all archs.
Thanks that was specified in faq5, but I didn't notice it.
make should be able to figure out what's built and what's not. Try
another make build and
Hi,
I'm seeing these in the pflog off my firewall:
Oct 27 15:20:32.845671 rule def/(short) pass in on vlanxxx:
218.76.138.156.0 x.x.x.63.0: udp 17035
Oct 27 15:21:12.924605 rule def/(short) pass in on vlanxxx:
218.76.138.156.0 x.x.x.38.0: udp 17035
Oct 27 15:21:15.652141 rule def/(short)
On 07/11/11 12:10, Walter Haidinger wrote:
Hi!
Trying to upgrade to 5.0 fails with a kernel panic
(vmt0, see dmesg below). Previous 4.9 worked fine,
also 5.0 bsd.rd boots (dmesg below too).
The VMware Tools driver seems to miss something -
vmt0: failed to open backdoor RPC channel (TCLO
Hi,
I'm a bit confused on setting appropriate netmask on carp interface when
the carpdev has an IP address.
Till yesterday (following http://openbsd.org/faq/pf/carp.html#failover)
my carp interfaces had the same netmask as the carpdev interfaces:
em1:
(no inet address)
vlanXX:
vlan:
Hi,
Is libfreetype.so.18.1 missing from xbase50.tgz (latest snapshot
20/11/11) on purpose?
regards,
Giannis
On 22/11/11 19:27, Russell Garrison wrote:
I had some experience with this and found another thread where the
best thing to do for your routing is to have only one /(32-n) mask and
then all /32 for any given subnet and rdomain combination on a system.
I have set up my system accordingly and my
On 24/11/11 21:40, Henning Brauer wrote:
* Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2011-11-23 14:13]:
Also Henning proposed the exact opposite in that old thread (ie /32
on the carp interface) which seems more logical to me, but then I
get those errors (arp_rtrequest: bad gateway value)
On 02/12/11 23:45, Russell Garrison wrote:
This was very helpful information and I have implemented it, but I am
still wondering about a related issue with routing. My default route
on the pair of firewalls is set to an IP on the carp5 IP network, so I
don't have a useable default route to the
On 03/12/11 15:16, Henning Brauer wrote:
i really dunno where you diverged, but with the setup i described you
have internet access on the slave too, perfectly fine - given your
carpdevs have routed IPs and you set up the netmasks as I described
and didn't muck the routing. really, i use that
On 12/12/11 13:28, Hassan Monfared wrote:
pfctl -ss | grep ESTABLISHED | wc -l
This might count them double if you are a router cause each connection
will be bound to both interfaces.
Giannis
On 15/12/11 03:54, Erling Westenvik wrote:
PROBLEM:
Clients successfully connect to VPN server, receive proper dhcp
addresses for both wlan and tunnel interfaces (and can reach the wlan
subnet) but fail to reach the wired lan or internet.
/var/log/messages indicates everything is up and
Hi,
One of my firewall/pimd multicast router got today in ddb after 2
months, without any obvious reason.
There was no panic. However I got this trace which might be useful to you.
This was one of the first snapshots of 5.0. I updated after that to the
latest snapshot.
regards
Giannis
On 31/01/12 15:17, Stuart Henderson wrote:
Any line prior to that in ddb? uvm_fault or something?
I logged in remotely from my serial and cu.
There was nothing just ddb{0} (something like that)
show panic told me there is no panic (something like that)...
I rebooted so I cannot give more
On 31/01/12 16:23, Stuart Henderson wrote:
For your reference if this happens again, type 'dmesg' in ddb and it
should show you those lines again.
There was nothing just ddb{0} (something like that)
show panic told me there is no panic (something like that)...
I rebooted so I cannot give more
Hi,
source-hash gives me different IP when used on different rules
pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1
port 80 nat-to 192.0.2.0/24 source-hash
pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1
port 443 nat-to 192.0.2.0/24 source-hash
With
On 09/02/12 17:39, Kapetanakis Giannis wrote:
Hi,
source-hash gives me different IP when used on different rules
pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1
port 80 nat-to 192.0.2.0/24 source-hash
pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1
Hi,
I'm running a setup of Active/backup firewalls with carp/pfsync
successfully for the last year.
Today I've upgraded the primary firewall to the latest snapshot (12 Feb),
and as soon as the firewall booted it became MASTER before pfsync bulk
transfer completed.
Mar 7 15:42:04 echidna
On 08/03/12 18:17, Peter Hessler wrote:
On 2012 Mar 07 (Wed) at 15:58:21 +0200 (+0200), Kapetanakis Giannis wrote:
:Hi,
:
:I'm running a setup of Active/backup firewalls with carp/pfsync
:successfully for the last year.
:
:Today I've upgraded the primary firewall to the latest snapshot (12 Feb
Just an addition on this.
I've noticed this after I added the following on the Cisco switch on all
interfaces where the firewalls are connected:
spanning-tree portfast trunk
spanning-tree bpdufilter enable
Don't know if it's relevant but I thought I should mention it.
interface
Hi,
I'd like to ask if it's normal for pfsync bulk transfer to take 5-15
minutes to end for 60k states.
pfsync is on a dedicated gigabit interface on both firewalls.
May 4 17:59:35 fw1 /bsd: carp: pfsync0 demoted group carp by 1 to 131
(pfsync bulk start)
May 4 17:59:35 fw1 /bsd: carp:
On 04/05/11 18:40, Otto Moerbeek wrote:
On 4 May 2011 at 17:23, Kapetanakis Giannis <bil...@edu.physics.uoc.gr>
wrote:
Hi,
I'd like to ask if it's normal for pfsync bulk transfer to take 5-15
minutes to end for 60k states.
This is probably the first attempt failing
On 05/05/11 13:37, David Gwynne wrote:
when doing a bulk update pfsync only generates 100 packets a second. each
packet will be filled with as many full state update messages as possible.
unfortunately the full state update message is about 264 bytes so you can
only fit 5 in a packet. that
On 11/05/11 16:14, David Gwynne wrote:
anyone replaced firewalls with 4.9 boxes yet? noticed a difference?
Yes, works better :)
Giannis
Hi,
I'm trying to forward multicast traffic through my firewalls using PIM-SM.
Are there any alternatives to XORP?
Is multicast_router=YES enough in rc.conf.local?
regards,
Giannis
I think the following diff will totally improve OpenBSD security (overall)
--- etc/master.passwd.old Sat Jul 10 02:37:16 2010
+++ etc/master.passwd Mon Jun 6 15:04:15 2011
@@ -1,4 +1,4 @@
-root::0:0:daemon:0:0:Charlie :/root:/bin/ksh
+root::0:0:daemon:0:0:Chuck Norris :/root:/bin/ksh
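Review bot: the only field that differs between the - and + root lines is the GECOS full name (Charlie to Chuck Norris); the second field, the password, is empty on both lines, so nothing that affects authentication changes here. The header "@@ -1,4 +1,4 @@" also announces four lines while only the one changed pair is shown with no context, so the hunk would not apply as posted; include the three unchanged lines if this is meant to be applied.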
On 06/06/11 15:06, Kapetanakis Giannis wrote:
I think the following diff will totally improve OpenBSD security (overall)
--- etc/master.passwd.old Sat Jul 10 02:37:16 2010
+++ etc/master.passwd Mon Jun 6 15:04:15 2011
@@ -1,4 +1,4 @@
-root::0:0:daemon:0:0:Charlie:/root:/bin/ksh
+root
On 06/06/11 15:11, Gilles Chehade wrote:
On Mon, Jun 06, 2011 at 03:06:54PM +0300, Kapetanakis Giannis wrote:
I think the following diff will totally improve OpenBSD security (overall)
--- etc/master.passwd.old Sat Jul 10 02:37:16 2010
+++ etc/master.passwd Mon Jun 6 15:04:15 2011
Trying to install latest snapshot 19-Jun-2011 I got kernel panic. SHA256
checksums verified.
Problem reported also with sendbug #6637
I've also tried to boot /bsd.sp with no luck
Tried disable ioapic with no luck
Tried disable acpi with no luck
System booted with older kernel
OpenBSD 4.9-current
On 20/06/11 12:22, Kapetanakis Giannis wrote:
Trying to install latest snapshot 19-Jun-2011 I got kernel panic. SHA256
checksums verified.
Problem reported also with sendbug #6637
I've also tried to boot /bsd.sp with no luck
Tried disable ioapic with no luck
Tried disable acpi with no luck
On 20/06/11 13:24, Kapetanakis Giannis wrote:
On 20/06/11 12:22, Kapetanakis Giannis wrote:
Trying to install latest snapshot 19-Jun-2011 I got kernel panic. SHA256
checksums verified.
Problem reported also with sendbug #6637
I've also tried to boot /bsd.sp with no luck
Tried disable ioapic
On 19/07/11 20:03, Joerg Streckfuss wrote:
Hi list,
i have the following testsetup with four firewall nodes connected to three
networks:
network A
|--|
|| CARP ||
|| |
On Fri, Jul 29, 2011 at 11:58 AM, [BG-Consulting] Elmar Bschorer
elmar.bscho...@bugconsulting.de wrote:
Hi list,
I've just tried snapshot version (5.0beta - 27 Jul). I wanted to test bigmem
with qemu and kqemu.
When I tried to load the kqemu module (pkg_add
Hi all,
Is there a way I would compile in 32 bit compatibility mode
in alpha arch?
I'm running 4.6 stable
thanks
Giannis
Hi,
The last few weeks http://www.undeadly.org/cgi?action=errata
is not working.
Is there any other official RSS feed for security errata?
Giannis
On 26/04/10 18:42, Bryan Irvine wrote:
On Fri, Apr 23, 2010 at 11:13 AM, juljul_...@yahoo.fr wrote:
I use poptop (ports) with great success on built-in mac VPN client.
with which release of macos/openbsd/poptop ?
I'm interested to your complete configuration. I tried some openbsd vpn
Hi,
Is there any planned date for releasing 4.7 in ftp?
thanks
Giannis
Hi,
I have 2 HP J6000 and I want to change the text that is shown
on the LCD display.
Right now it prints OpenBSD/hppa and I want to change that to
OpenBSD/hppa
`hostname`
Is this possible?
lcd(4) wasn't very helpful as it only says about the heartbeat.
thanks
Giannis
Hi,
I'm not satisfied with the network performance on my OpenBSD
firewall/router.
CPU is Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz / with 4G ram
OpenBSD server 4.6 GENERIC.MP#89 i386
This pc/router/firewall is directly connected to a Gigabit HP 2810-48G
switch.
Server:
Ext interface:
On 13/02/10 10:39, Claudio Jeker wrote:
Update to current to get some msk fixes that should make msk(4)
faster. For high performance get a dual em(4) card since those will behave
much better (the interrupt mitigation on msk(4) is somewhat bad and causes
a 4 to 5 times higher delay).
Indeed the
I did a binary upgrade to latest snapshot and followed -current.
I've seen huge improvement on server-client performance on the
msk0 (internal side) but packet forwarding didn't change at all.
4.6-release:
server max in: 300Mbps
server max out: 760Mbps
forwarding max: 400 Mbps
4.7-current
On 16/02/10 11:41, Jordi Espasa Clofent wrote:
As Claudio has pointed you out, try (if you can) a better driver em(4)
on good Intel hardware NICs.
I use simple Supermicro hardware with Intel NIC PCI-E and em(4) and I
move around 400/500MBps without any problem.
Claudio was right.
Upgrading
On 17/02/10 03:16, FRLinux wrote:
Mmmh, you picked my interest here. You mentioned your cisco 6500 but I
guess you are going to use only gigabit NICs, so you have no need on
the 10gb range? Just asking, not trying to start a war :)
Cheers,
Steph
:)
Well not at the moment. 10G is a thought
On 17/02/10 03:47, FRLinux wrote:
Err, the backplane cost us about 10.000 euros for the card and 2500
euros per xenpack, and we have 4. So that sounds about right :)
If future demands for more than 1G I will probably bond 1G cards (cheap
solution) or buy a new L2 10G switch to do the link as
On 17/02/10 03:54, Corey wrote:
I did put all interfaces (in,out,pfsync,management) through VLANs in
msk0
Throwing out a topic for discussion...I have seen a couple of posts on
here regarding use of VLANs to segregate traffic that I would usually
use separate interfaces for. I am just curious
I've setup successfully a pair of 4.7-current obsd load balanced
firewall/routers
I'd like some clarification on the manual page of carp(4).
from carp(4):
If IP balancing is being used on a firewall, it is recommended to configure
the carpnodes in a symmetrical manner. This is achieved by
Hello,
It has been suggested here that em(4) should give good network
performance on gigabit networks.
(http://marc.info/?l=openbsd-misc&m=126605109632029&w=2).
Does this include only the non-Intels on the man page (if there is such
thing there)?
I was thinking to get my hands on an Intel
On 21/02/10 04:42, L. V. Lammert wrote:
Dude? Seriously?
Your mother's a whore.
Wow! Such intelligence! Sorry, but you's was the one I saw in
Amsterdam.
Lee
http://www.google.com/search?q=crontab+gui
http://www.debianhelp.co.uk/cronweb.htm
On 21/02/10 13:57, Robert wrote:
Hi again,
Seems I missed this part in ipsec.conf:
mode For ESP and AH the encapsulation mode can be specified. Possible
modes are tunnel and transport. When left out, tunnel is
chosen.
Since I obviously want transport mode for host-host I changed ipsec.conf:
On 22/02/10 14:56, Henning Brauer wrote:
* Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2010-02-20 16:59]:
Does Intel still not provide appropriate documentation or did that
web page expire?
no, not really.
they are your best bet anyway tho.
thanks for clarifying that.
I'm planing to get a Dell R610 with single Xeon 5570
(since it's the only supporting the 5570)
and dual Intel PRO/1000 ET for routing/pf.
I jumped on this
http://marc.info/?l=openbsd-misc&m=126350942910630&w=2
and
http://marc.info/?l=openbsd-misc&m=126015771720104&w=2
mentioning about problems
On 24/02/10 02:59, Kapetanakis Giannis wrote:
I jumped on this
http://marc.info/?l=openbsd-misc&m=126350942910630&w=2
and
http://marc.info/?l=openbsd-misc&m=126015771720104&w=2
mentioning about problems with R610 and OpenBSD.
I've also found these 2 bug reports for R610:
http://marc.info/?l
On 24/02/10 03:13, Theo de Raadt wrote:
Both the R610 and R710 had issues (2nd generation bnx(4) was
unsupported, and the disk performance sucked). Two people stood up and
contributed one of each to the project, and these issues were
resolved. Getting these leading edge machines into our hands
On 24/02/10 15:27, Marco Peereboom wrote:
Intel copper running ix. I can send you a dmesg if you want.
I would be interested on that dmesg as well.
On 26/02/10 19:23, Leonardo Carneiro - Veltrac wrote:
Is it possible to write a rule based on a arbitrary ip rule instead
using a full subnet as source address like this?
hosts_allowed={ 192.168.0.21-40 }
pf.conf(4)
Ranges of addresses are specified using the `-' operator. For
On 26/02/10 19:53, Kapetanakis Giannis wrote:
pf.conf(4)
pf.conf(5)
On 27/02/10 12:24, Vadim Zhukov wrote:
Do first a pass from $host_allowed then a pass from $im_server
then block rest.
Did you mean block all, then allow from $host_allowed and $im_server?
Opposite way will get you blocked again. ;)
Both ways can work
pass in quick
block rest
regards,
On 04/03/10 01:21, Jean-Francois wrote:
A level 0 dumps includes all files. A level n dump are all the files
that have changed or were added since the last level n - 1 dump.
-Otto
Are all dump levels packed into the same one file like I seem to understand ?
As far as I am concerned
On 05/03/10 01:33, Ron McDowell wrote:
Where does one find details of things like this?
If you mean about changes in -current,
I monitor these two
http://www.openbsd.org/faq/current.html
http://www.openbsd.org/plus.html
Giannis
On 08/03/10 20:12, Ron McDowell wrote:
su is not setting the group for me. sudo does, so I rebuilt using sudo
and everything worked fine.
[...@zombie(OpenBSD)] su
# id
uid=0(root) gid=1000(rcm) groups=1000(rcm), 0(wheel), 5(operator),
12345(apache)
# logout
try su -
Giannis
On 09/03/10 10:19, Siju George wrote:
Hi,
How do I configure OpenBSD PF to be like Nat32 ( http://nat32.com/ )
The Idea is it has two internet connections and the second one should
pick up if the first goes down and when the first one comes up it
should be the default route again.
Thanks
Hi,
Looking through the manual pages as well in this list
I found out that there is not any h323 helper for pf.
Has this situation changed?
How do you solve this problem if you must talk h323?
regards,
Giannis
On 10/03/10 20:36, Antoine Jacoutot wrote:
On Wed, 10 Mar 2010, Kapetanakis Giannis wrote:
Hi,
Looking through the manual pages as well in this list
I found out that there is not any h323 helper for pf.
Has this situation changed?
How do you solve this problem if you must talk h323
On 11/03/10 00:40, Bret S. Lambert wrote:
Have you ever read the H.323 spec? If so, how have you not
blotted out any idea of H.323 + firewall with copious
amounts of sex, drugs, and rock and roll?
:)
Well I did but I found out that linux has 2 modules about that
nf_conntrack_h323 and
Strange thing today, one of my old OpenBSD did a reboot.
If it was a hard reset (ie power problem) I wouldn't have a
wtmp record right?
# last
root ttyp0 client.host Mon Mar 15 16:47 still logged in
root ttyp0 client.host Mon Mar 15 16:26 - 16:27 (00:00)
reboot~
On 16/03/10 01:10, Nick Holland wrote:
nope. Just pulled the plug out of a machine here to verify that, in
fact. :)
That just means the system came up, not that it went down formally for
a reboot...
...
Mar 15 09:46:05 server /bsd: WARNING: / was not properly unmounted
and again,
On 16/03/10 21:11, Henning Brauer wrote:
* Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2010-03-10 18:50]:
Looking through the manual pages as well in this list
I found out that there is not any h323 helper for pf.
Has this situation changed?
no. nobody of us runs that shit.
and people
On 22/03/10 13:33, Dan Naumov wrote:
Hello
Are there any plans to bring ZFS support to OpenBSD so that users
don't have to worry about things like fsck, running out of inodes and
other silly stuff in the year 2010?
Check out http://marc.info/?l=openbsd-misc&m=123203302805419&w=2
Similar thread
Where is the web server?
Is it internal or is it an external web server?
What does telnet web_server 443 and
openssl s_client -connect web_server:443
gives you?
Have you tried sniffing the traffic to see what goes wrong?
SSL should not be mattered by the firewalls, as long as
they work the way
Hi,
I'd like to ask if anyone is using Adaptec 5805Z sata/sas raid
controller on OpenBSD.
Is this device tested/supported?
I guess not cause it's not mentioned anywhere on the man pages, aac(4)
etc or the supported hardware web page.
regards,
Giannis
Hi,
I've recently tested login_ldap and ypldap on OpenBSD 4.8 as a test case
for an authpf gateway for ldap users.
Apart from these solutions and having in mind that PAM is not (and
probably never will be) an option, what would you suggest as the right
place for someone to try to develop
On 26/11/10 19:11, Joachim Schipper wrote:
I don't think I understand what you mean - what do you want to improve
relative to login_ldap and ypldap?
Joachim
login_ldap is fine. The problem seems to be getting user info.
Instead of ypldap I would prefer the system to direct
On 27/11/10 15:20, Bret S. Lambert wrote:
On Sat, Nov 27, 2010 at 02:51:02PM +0200, Kapetanakis Giannis wrote:
Looking around getpwent(3) I think it might be possible to extend
its functionality to include ldap support as well. Furthermore
ypldap's functions (aldap ...) could be used
On 09/12/10 17:01, lh wrote:
Hi,
what are the good available alternatives (security/privacy) for gmail
you're using?
Cheers!
I believe privacy and gmail cannot coexist ...
Giannis
On 09/12/10 17:07, Gilles Chehade wrote:
Own box :-)
lh <maig...@netvisao.pt> wrote:
That's of course the best solution.
But YOU have to make it secure and private. If you're not able to do
this yourself, then your best option is to choose a strong password and
change it often. Also you have
On 09/12/10 22:25, Josh Rickmar wrote:
On Thu, December 9, 2010 3:22 pm, patric conant wrote:
From their services page:
5. Secure mail services (smtp-auth w/ TLS, IMAPs/POP3s)
No, I'm referring to the encryption of the actual email saved on their
disks. See http://lavabit.com/secure.html
Hi all,
Right now I have a C6500 doing internal vlan switching as well as
routing/ACL/ospf/L2 uplink to rest of the network.
Ext Net|G5/1 on C6500|---Int Net
I want to put 2 obsd firewalls (carp-pfsync) in the way but I cannot
afford to put an external switch for the link.
So the C6500
Hi,
The flush global directive in the following pf rule does not kill all
states of the offending host.
table <abusive_hosts> persist
block in quick log on $ext_if from <abusive_hosts>
block in
pass in quick on $ext_if proto tcp from 10.0.0.2 to ($ext_if) port
2000:2002 flags S/SA keep state
Anyone on this?
Thanks
Giannis
On 18/02/11 19:36, Kapetanakis Giannis wrote:
Hi,
The flush global directive in the following pf rule does not kill all
states of the offending host.
table <abusive_hosts> persist
block in quick log on $ext_if from <abusive_hosts>
block in
pass in quick on $ext_if
On 08/03/11 17:34, erikmccaskey64 wrote:
ok, i put an OpenVPN server on port 1194 on an OpenWrt 10.03 router.
https://pastebin.com/raw.php?i=xEZTvnhT
http://pastebin.mozilla.org/1138443
Questions: what could i do to increase security regarding this OpenVPN server?
- i mean on server side!
On Tue, 08 Mar 2011 23:40:16 -0800, erikmccaskey64 wrote:
Why does using only UDP gives more security??
He didn't say it did.
TCP-over-TCP is the problem.
TCP-over-UDP is less fractious.
http://sites.inka.de/bigred/devel/tcp-tcp.html
True.
Also it's more resilient to dos attacks than
Hi,
I'm testing a new setup of a pair of firewalls (master/backup) using
carp, pfsync etc.
Can I use ifstated to monitor virtual interfaces like pfsync0 and enc0?
I want the master after it reboots (if backup is up) to wait for pfsync0
interface to come up, get the missing states from
On 23/03/11 15:28, Henning Brauer wrote:
* Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2011-03-21 22:31]:
I want the master after it reboots (if backup is up) to wait for
pfsync0 interface to come up, get the missing states from backup
firewall and only then advskew carp
no need. that
On 23/03/11 17:57, Otto Moerbeek wrote:
no ifstated is needed. The carp interface will be in demoted state
until the pfsync bulk transfer is done.
-Otto
Thanx,
I'll put ifstated in the game as well
Giannis
On 23/03/11 16:59, Martin Pelikan wrote:
Hi,
we just bought a new firewall, so I did some tests. It has 2
integrated i82574L's and we use 2port i82571EB. I tested routing
through this box with a simple match out on em1 nat-to (em1) rule,
using 4.8-stable, tcpbench on all five end computers
On 23/03/11 21:08, Bret Lambert wrote:
On Mon, Mar 21, 2011 at 10:27 PM, Kapetanakis Giannis
bil...@edu.physics.uoc.gr wrote:
Hi,
I'm testing a new setup of a pair of firewalls (master/backup) using carp,
pfsync etc.
Can I use ifstated to monitor virtual interfaces like pfsync0 and enc0
I've tested a while ago the GENERIC.MP kernel of 4.8-stable and the system
cold reboots. GENERIC runs fine.
Trying to regenerate the problem I went into single user mode and found out
that it reboots when it executes /sbin/savecore /var/crash
I tried ktrace but the dump was empty.
I also tried
Hi,
According to ifstated.conf(5)
The init block is used to initialise the state and is executed each
time the state is entered.
This should be the first thing to be executed right? In debug I see the
body executed first.
Isn't the code below more reasonable?
--- /tmp/ifstated.c Fri
On 26/03/11 22:40, Miod Vallat wrote:
I've tested a while ago the GENERIC.MP kernel of 4.8-stable and the system
cold reboots. GENERIC runs fine.
Trying to regenerate the problem I went into single user mode and found out
that it reboots when it executes /sbin/savecore /var/crash
This has very
Any thought on this?
Giannis
On 25/03/11 16:48, Kapetanakis Giannis wrote:
Hi,
According to ifstated.conf(5)
The init block is used to initialise the state and is executed each
time the state is entered.
This should be the first thing to be executed right? In debug I see
the body executed
On 07/04/11 01:46, Steven R. Gerber wrote:
I ran the upgrade from CD.
I want to be sure that packages are OK.
Is pkg_add -u sufficient? (It looks like nothing changed.)
Should I try pkg_add -u -D update or something else?
Thanks,
Steven
Save yourself from trouble.
Backup /etc, /root, /home
Try to do ifconfig ix1 up (up in /etc/hostname.ix1)
I've seen vlans not coming up until I do this on parent interface,
although they appear active in ifconfig.
Giannis
On 14/04/11 02:43, Hrvoje Popovski wrote:
hello everyone,
problem is that when i enable vlan on ix interface i can't ping
On 14/04/11 02:43, Hrvoje Popovski wrote:
hello everyone,
problem is that when i enable vlan on ix interface i can't ping other
side. servers are identical and cross connected with twinax SFP+
cable. tried thru switches with other ix interface but same result.
card is dual 10GbE intel SFP+
On 23/04/11 19:19, Scott Stanley wrote:
On Sat, Apr 23, 2011 at 12:08:47AM -0600, Devin Reade wrote:
Benny Lofgren <bl-li...@lofgren.biz> wrote:
If I was to say the following, would it work without causing an
unacceptable amount of work?
My company wants to pay you to develop or fixfeature
On 02/05/11 12:07, Ivo Chutkin wrote:
Hi Owain,
I was not able to disable it by config -e /bsd, it keeps panic.
I just compile new kernel with inteldrm disabled and it OK.
Thanks for the help,
Ivo
You should do
config -ef /bsd
disable inteldrm
quit
If you are not using /bsd kernel replace
On 02/05/11 13:14, Ivo Chutkin wrote:
On 2.5.2011 P3. 12:31 Q., Kapetanakis Giannis wrote:
On 02/05/11 12:07, Ivo Chutkin wrote:
Hi Owain,
I was not able to disable it by config -e /bsd, it keeps panic.
I just compile new kernel with inteldrm disabled and it OK.
Thanks for the help,
Ivo
You
Hi all,
I'm interested in logging packets that hit the max-src-states rule
or even better put the source IPs in a table like in overload.
set block-policy drop
set optimization aggressive
block in
pass out keep state
pass in quick on $ext_if proto tcp from any to ($ext_if) port $my_server
On 12/03/12 16:21, Camiel Dobbelaar wrote:
Firewalls use dedicated interface for pfsync ($sync_if).
Are they connected directly via a cable or is there a switch in between?
Yes they have a direct cable. No switch.
I usually have set skip on the sync_if, if it's dedicated.
No reason why not
On 23/04/12 17:13, Matt Hamilton wrote:
So it appears there is somewhere a problem with multicast packets being
filtered out somewhere.
This is all running with pfctl -d
-Matt
Hi,
Not sure if multicast routing is related with this since it's a single host,
but check netstart(8) and search
On 14/03/12 21:41, Camiel Dobbelaar wrote:
This is not from just after the reboot right? The failed state
lookup/inserts might be interesting just after the firewalls have
stabilized.
Hi,
After upgrading today to latest -current (i386)
(f1) OpenBSD 5.1-current (GENERIC.MP) #252: Tue Apr 24
1 - 100 of 369 matches