Re: Not able to boot from softraid :(

2018-07-24 Thread Indunil Jayasooriya
This may help you.

http://www.bsdnow.tv/tutorials/raid

On Tue, Jul 24, 2018 at 12:54 PM, kasak  wrote:

> Hello everybody.
>
> I'm trying to install OpenBSD 6.3 on softraid.
>
> My configuration is simple:
>
> Asus z170-k motherboard, with i7-6700 cpu, and 16 gb ram. no external vga
> or other cards, just this.
>
> I have 2 similar 750 gb disks.
>
> I have successfully booted bsd.rd in uefi mode, then with shell i did:
>
> cd /dev
>
> sh MAKEDEV sd1 sd2
>
> fdisk -iy -g -b 960 sd0
>
> fdisk -iy -g -b 960 sd1
>
> then with disklabel -E sd0 i created layout with one RAID type partition.
>
> then cloned this layout to second drive.
>
> After that i have created
>
> bioctl -c 1 -l sd0a,sd1a softraid0
>
> sd2 was created successfully.
>
> i then type "exit" and installed openbsd on sd2 disk, using gpt.
>
> The installed system boots, but the last line i see is:
>
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
>
> that's all. my keyboard is not working and the boot process stops.
>
> I have tried to boot without inteldrm but nothing changed except
> resolution.
>
> Is there something i did wrong?
>

-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/


Re: Fail2ban alternative for OpenBSD

2017-10-30 Thread Indunil Jayasooriya
On Mon, Oct 30, 2017 at 3:27 PM, Kamil Cholewiński <harry6...@gmail.com>
wrote:

> > I am wondering since years why the hell people left SSH port open to
> > the word?
>
> Because I trust OpenSSH.
>
Yeah, it is pretty secure. I trust it too. Great work from OpenBSD.


Fwd: Get an MAC address of a LAN PC - OpenBSD

2017-06-23 Thread Indunil Jayasooriya
If the PF box was serving DHCP and the PC fetched its address that way,
it will likely still be in the lease database, /var/db/dhcpd.leases.

no DHCP Server is running.

If this is something which might come up again in the future, you can
run arpwatch (in ports), but it's no time machine.

this may come up in the future. Very very useful pkg.

I installed it.

cd /usr/ports/net/arpwatch/

make install clean

I added pkg_scripts="arpwatch" to the /etc/rc.conf.local file to start it up at
boot.


Anyway, I think it runs on my bge0 interface by default.

my lan is bge2


I just hit arpwatch -i bge2 ( man arpwatch )

I want to set bge2 to default.

I can't find any .conf file.

pls guide me.



Re: Get an MAC address of a LAN PC - OpenBSD

2017-06-23 Thread Indunil Jayasooriya
> Some of you will think this is a total joke.

I do NOT think in that way at all.


> This has previously used to assure global unique MAC.
>
> I suspect Indunil has the same problem.  Or, he's begging for
> help to do something kind of extra-judicial...
>

Theo, you are a computer prodigy (but I am NOT). That's why you founded
OpenBSD (my favorite OS), and that's why I use OpenBSD. Sir, thanks a lot for
it.

If the user of that PC spoofed the MAC address, what does arp -a show in
OpenBSD?

I think arp -a shows the spoofed MAC address.

Am I right? Pls correct me if I am wrong.

If we reboot or format that PC, again it will show the real MAC.

Sir, hope to hear from you.



Re: Get an MAC address of a LAN PC - OpenBSD

2017-06-22 Thread Indunil Jayasooriya
>
> > no idea what to do?
>
> Plug it back in.  Power it up.  Make sure it has a reachable IP.  Ping
> it.
>

Very sorry. It is prohibited to plug it back in and power it up.

To do it, we might need a special request.

Theo, anyway, thanks for your support.



Re: Get an MAC address of a LAN PC - OpenBSD

2017-06-22 Thread Indunil Jayasooriya
Hi Raul,

I am very glad of your effort to support me, since I DO NEED to get the MAC of
an OLD PC.

This PC was removed from the network last week.

Unfortunately "arp -a" does NOT give the MAC of that PC.

I am running darkstat as well. It does NOT give it either. I think
this pf box has been rebooted after removing that PC.

no idea what to do?

On Fri, Jun 23, 2017 at 10:40 AM, Raul Miller <rauldmil...@gmail.com> wrote:

> arp caches, of course, because ip packets are only exchanged
> intermittently.
>
> Whether it caches long enough for you is a different question.
>
> Thanks,
>
> --
> Raul
>
>
> On Fri, Jun 23, 2017 at 1:03 AM, Indunil Jayasooriya
> <induni...@gmail.com> wrote:
> >
> > arp -a gives all.
> >
> > thanks a LOT.
> >
> > it gives current list.
> >
> >
> > Is there any way to get the MAC address of a PC that was connected to the
> > OpenBSD PF box but is now NOT connected?
> >
> > This PC was removed from the network recently for auditing purposes.
> >
> > Can arp give old stuff? Does it have a caching database somewhere in
> > OpenBSD, or do you know any other software that can fulfill my need?
> >
> > Sir, Hope to hear from you.
> >
> >
> >
> >
> > On Fri, Jun 23, 2017 at 9:55 AM, Raul Miller <rauldmil...@gmail.com>
> wrote:
> >>
> >> http://man.openbsd.org/arp.8?
> >>
> >> --
> >> Raul
> >>
> >>
> >> On Fri, Jun 23, 2017 at 12:01 AM, Indunil Jayasooriya
> >> <induni...@gmail.com> wrote:
> >> > Hi Misc,
> >> >
> >> >
> >> > I do want to get the MAC address of a LAN PC that is 192.168.1.x
> >> >
> >> > This PC is behind the OpenBSD pf box.
> >> >
> >> > The below command only shows IPs.
> >> >
> >> > tcpdump -n -e -ttt -r /var/log/pflog
> >> >
> >> >
> >> > How can I get it from this OpenBSD Pf box?
>


Re: Get an MAC address of a LAN PC - OpenBSD

2017-06-22 Thread Indunil Jayasooriya
arp -a gives all.

thanks a LOT.

it gives current list.


Is there any way to get the MAC address of a PC that was connected to the
OpenBSD PF box but is now NOT connected?

This PC was removed from the network recently for auditing purposes.

Can arp give old stuff? Does it have a caching database somewhere in
OpenBSD, or do you know any other software that can fulfill my need?

Sir, Hope to hear from you.

On Fri, Jun 23, 2017 at 9:55 AM, Raul Miller <rauldmil...@gmail.com> wrote:

> http://man.openbsd.org/arp.8?
>
> --
> Raul
>
>
> On Fri, Jun 23, 2017 at 12:01 AM, Indunil Jayasooriya
> <induni...@gmail.com> wrote:
> > Hi Misc,
> >
> >
> > I do want to get the MAC address of a LAN PC that is 192.168.1.x
> >
> > This PC is behind the OpenBSD pf box.
> >
> > The below command only shows IPs.
> >
> > tcpdump -n -e -ttt -r /var/log/pflog
> >
> >
> > How can I get it from this OpenBSD Pf box?
>


Get an MAC address of a LAN PC - OpenBSD

2017-06-22 Thread Indunil Jayasooriya
Hi Misc,


I do want to get the MAC address of a LAN PC that is 192.168.1.x

This PC is behind the OpenBSD pf box.

The below command only shows IPs.

tcpdump -n -e -ttt -r /var/log/pflog


How can I get it from this OpenBSD Pf box?



Fwd: synproxy state with multipath routing

2017-06-22 Thread Indunil Jayasooriya
Resending



synproxy state with multipath routing

2017-06-20 Thread Indunil Jayasooriya
Hi Misc,

Can We have synproxy state in pf.conf, when net.inet.ip.multipath=1 is set
in /etc/sysctl.conf


here is my config

in /etc/sysctl.conf

net.inet.ip.forwarding=1    # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1  # 1=Permit forwarding (routing) of IPv4 multicast packets
net.inet.ip.multipath=1     # 1=Enable IP multipath routing

There is no /etc/mygate file; I have moved it:

mv /etc/mygate /etc/mygate.orig


in /etc/hostname.bge0

!route add -mpath default 1.2.3.4

and

in /etc/hostname.bge1

!route add -mpath default 3.4.5.6


rebooted the OpenBSD box.


I have the below 2 rules in the pf.conf file. The first rule works, but the 2nd
rule with synproxy state does NOT.


pass in quick log on $wan_if inet proto tcp from any to $wan_if \
    port 22 reply-to ($wan_if $wan_gw)


pass in quick log on $wan_if inet proto tcp from any to $wan_if \
    port 22 synproxy state (max-src-conn-rate 1/120) reply-to ($wan_if $wan_gw)


Why? Seeking answers...


Re: DNS servers around here not working for days. dig works. fix?

2016-06-14 Thread Indunil Jayasooriya
dig mx bsd.org @8.8.4.4

dig mx bsd.org @8.8.8.8

both work for me

On Tue, Jun 14, 2016 at 9:27 PM, Chris Bennett <
chrisbenn...@bennettconstruction.us> wrote:

> They both work for me also, with dig @8.8.8.8, etc.
> Whois fails, lynx, elinks, firefox cannot connect outside
>
> Could this problem be because of my being behind the wifi NAT?
>
> Chris Bennett
>
>




Re: DNS servers around here not working for days. dig works. fix?

2016-06-14 Thread Indunil Jayasooriya
Both 8.8.8.8 and 8.8.4.4 work for me.



On Tue, Jun 14, 2016 at 8:26 PM, Chris Bennett <
chrisbenn...@bennettconstruction.us> wrote:

> Neither 8.8.8.8 or 8.8.4.4 works.
> After netstart, no. After reboot, no.
>
>




Re: SPF Examples

2016-05-31 Thread Indunil Jayasooriya
> > what does the below record mean?
> >
> > example.com.  IN TXT  "v=spf1 mx a -all"



When the above SPF record exists, let's look at it together with the records below:


example.com. IN MX 10 mailgw1.example.com.
example.com. IN MX 20 mailgw2.example.com.
example.com. IN MX 30 mailgw3.example.com.

example.com. IN A 1.2.3.a
example.com. IN A 1.2.3.b

host1.example.com. IN A 1.2.3.c
host2.example.com. IN A 1.2.3.d
host3.example.com. IN A 1.2.3.e


That means, ALL MXes ( mailgw1.example.com, mailgw2.example.com and
mailgw3.example.com ) are allowed to send mail using the example.com domain.
In addition to that, example.com ( 1.2.3.a and 1.2.3.b ) is also allowed
to send mail using the example.com domain.

BUT host1.example.com, host2.example.com and host3.example.com and all
other hosts in the world are prohibited from sending mail using the domain
example.com.

Your comments?



> I would recommend RFC 7208 these are all easily answered in Appendix A.
>
>
thanks for the above


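The record semantics discussed in this thread, as an added worked example that is not part of the original posts: a minimal SPF evaluator in Python for just the mechanisms that came up (`a`, `a:host`, `mx`, `ip4` and `all`, with the `+`, `-`, `~` and `?` qualifiers) over a constructed zone in which the 1.2.3.a style placeholders are replaced by TEST-NET addresses of my choosing; `include`, `redirect`, `ptr`, `exists` and macros are left out. It also shows why the `ipv4:` spelling from the question is not a valid mechanism: under RFC 7208 an unknown mechanism name makes the whole record a permerror.

```python
import ipaddress

# Constructed zone standing in for the records quoted in the thread.
# The 1.2.3.a ... 1.2.3.e placeholders are replaced with TEST-NET-1 addresses.
ZONE = {
    "example.com.": {
        "MX": [(10, "mailgw1.example.com."),
               (20, "mailgw2.example.com."),
               (30, "mailgw3.example.com.")],
        "A": ["192.0.2.10", "192.0.2.11"],
    },
    "mailgw1.example.com.": {"A": ["192.0.2.1"]},
    "mailgw2.example.com.": {"A": ["192.0.2.2"]},
    "mailgw3.example.com.": {"A": ["192.0.2.3"]},
    "host1.example.com.": {"A": ["192.0.2.21"]},
    "host2.example.com.": {"A": ["192.0.2.22"]},
    "host3.example.com.": {"A": ["192.0.2.23"]},
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208, 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def _a_records(name):
    """A records of a name in the constructed zone ([] when there are none)."""
    return ZONE.get(_fqdn(name), {}).get("A", [])


def _ip_in(ip, addrs):
    return any(ip == ipaddress.ip_address(a) for a in addrs)


def check_spf(record, sender_ip, domain):
    """Evaluate one SPF record left to right for the connecting IP.

    Implements only the mechanisms from the thread: all, a[:name], mx[:name]
    and ip4:addr[/prefix].  Returns pass / fail / softfail / neutral / none /
    permerror, following the left-to-right, first-match rule of RFC 7208.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"              # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"            # a bare mechanism means "+", i.e. pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # "a" alone = the domain's own A records, "a:name" = another name's
            matched = _ip_in(ip, _a_records(arg or domain))
        elif mech == "mx":
            mx_hosts = [h for _, h in ZONE.get(_fqdn(arg or domain), {}).get("MX", [])]
            matched = any(_ip_in(ip, _a_records(h)) for h in mx_hosts)
        elif mech == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
        else:
            # e.g. "ipv4:" from the question: not a mechanism name
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # nothing matched and there was no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.11", "192.0.2.21"):
        print(ip, check_spf("v=spf1 mx a -all", ip, "example.com"))
```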


SPF Examples

2016-05-29 Thread Indunil Jayasooriya
Hi,

First of all, This is NOT an OpenBSD question.

But OpenBSD always is based on correctness. So I need a correct answer for
this that's why I came to your mailing list.

I think THIS is the right place to ask this since you guys are Network
gurus.

Pls DO NOT  discard this mail because this is very  USEFUL.


Let's go in to below examples and pls answer my questions.


example.com.  IN TXT  "v=spf1 a:host1.example.com -all"

the above says that the only server allowed to send mail using the
example.com domain is host1.example.com


How can I add multiple hosts to send using the example.com domain? ( let's
say host1.example.com, host2.example.com and host3.example.com )


is the below record OK?

example.com.  IN TXT  "v=spf1 a:host1.example.com a:host2.example.com a:host3.example.com -all"


or what about this?

if host1.example.com = 1.2.3.4, host2.example.com = 1.2.3.5 and
host3.example.com = 1.2.3.6

example.com.  IN TXT  "v=spf1 ipv4:1.2.3.4 ipv4:1.2.3.5 ipv4:1.2.3.6 -all"

is the ABOVE line OK?



and also

can you explain these as well.


example.com.  IN TXT  "v=spf1 mx -all"

the above says: allow the domain's MXes to send mail using the example.com
domain, prohibit all others.


what does the below record mean?

example.com.  IN TXT  "v=spf1 mx a -all"


Does it say: allow the domain's MXes and the domain's A records to send mail
using the example.com domain, prohibit all others?


Waiting for your INPUTS.




ntop on openbsd

2016-03-15 Thread Indunil Jayasooriya
Hi,

I installed ntop by going to /usr/ports/net/ntop/ (then make, make
install).


How do I run it in web mode?

When I type the below command

 ntop -w 3000 -d

it gives the below output.

-w mode is disabled for security reasons.

I want to see traffic via a web browser.


How can I achieve this?


just a source.

http://www.computerglitch.net/blog/attic/ntop-2-0-on-openbsd.html




Re: no bandwidthd src pkd in /usr/ports

2016-02-26 Thread Indunil Jayasooriya
On Thu, Feb 25, 2016 at 8:35 PM, Marc Espie <es...@nerim.net> wrote:

> On Thu, Feb 25, 2016 at 11:56:10AM +0530, Indunil Jayasooriya wrote:
> > Hi Misc,
> >
> > I have OpenBSD 5.5 64 bit gateway.
>
> UPGRADE.
>
> You're very badly out of date. That stuff is no longer supported at all.
>

yes

>
> There are probably exploitable holes in it by now.
>
Hmm, thank you very much for this comment. I will upgrade.



Re: no bandwidthd src pkd in /usr/ports

2016-02-24 Thread Indunil Jayasooriya
> > I want to install bandwidthd. But I can't find a src pkg in /usr/ports
> >
> > is there a Binary pkg?
>
> There's neither a package nor a port.


Thanks for this.


>
> > what about this ?
> >
> >
> https://sourceforge.net/projects/bandwidthd/files/bandwidthd/bandwidthd%202.0.1/bandwidthd-2.0.1.tgz/download
>
> This is just the program's source tarball.
>
ok



> > Any comment?
>
> Look for something with a similar functionality which is both in ports
> and, preferably, in active development - this software hasn't seen a
> release in over 11 years.
>
What about darkstat ( /usr/ports/net/darkstat/ )

or something else you can recommend?

> Regards,
>
> Raf
>




no bandwidthd src pkd in /usr/ports

2016-02-24 Thread Indunil Jayasooriya
Hi Misc,

I have OpenBSD 5.5 64 bit gateway.

I want to install  bandwidthd. But I can't find a src pkg in /usr/ports

is there a Binary pkg?

what about this ?

https://sourceforge.net/projects/bandwidthd/files/bandwidthd/bandwidthd%202.0.1/bandwidthd-2.0.1.tgz/download

Any comment?




Re: how to add squid access log in /etc/newsyslog.conf

2015-07-14 Thread Indunil Jayasooriya
Hi Stuart,

Hmm, thanks a lot once again. You help me very often.

Edited. Now, this is the line in /etc/newsyslog.conf:

/var/squid/logs/access.log  _squid:_squid   640 14  *  @T00Z   /var/squid/logs/squid.pid   SIGUSR1

and also

logfile_rotate 0 in squid.conf file

Now it seems to be OK


On Mon, Jul 13, 2015 at 8:29 PM, Stuart Henderson s...@spacehopper.org
wrote:

 On 2015-07-13, Indunil Jayasooriya induni...@gmail.com wrote:
  I delted 30 from that line. Now it looks like this.
 
  /var/squid/logs/access.log  _squid:_squid   640 14  *
  @T00Z   /var/squid/logs/squid.pid
 
  Now it seems to work

 But now it sends the default signal which is HUP. In Squid, this drains
 existing connections and reloads the configuration, blocking new connections
 while that occurs. You probably want USR1.




Re: how to add squid access log in /etc/newsyslog.conf

2015-07-14 Thread Indunil Jayasooriya
 This is correct, Squid wants a SIGUSR1 as this triggers the
 rotate ( like calling squid -k rotate).

 You need to configure

 logfile_rotate 0

 in the squid.conf. This tells squid to rotate the files but keep itself.


Added, thank you.




Re: how to add squid access log in /etc/newsyslog.conf

2015-07-13 Thread Indunil Jayasooriya
I deleted 30 from that line. Now it looks like this.

/var/squid/logs/access.log  _squid:_squid   640 14  *  @T00Z   /var/squid/logs/squid.pid

Now it seems to work

# newsyslog -v -F
/var/cron/log 3Z: size (KB): 664.08 [10] -- trimming log
/var/log/authlog 7Z: age (hr): 435 [168] -- trimming log
/var/log/daemon 5Z: size (KB): 26.76 [30] -- trimming log
/var/log/lpd-errs 7Z: size (KB): 0.00 [10] -- trimming log
/var/log/maillog 4Z: -- trimming log
/var/log/messages 4Z: -- trimming log
/var/log/secure 7Z: age (hr): 461 [168] -- trimming log
/var/log/wtmp 7B: -- trimming log
/var/log/xferlog 7Z: size (KB): 0.00 [250] -- trimming log
/var/log/pflog 3ZB: size (KB): 1557278.09 [250] -- trimming log
/var/squid/logs/access.log 14Z: -- trimming log

Now I have 2 files in this way.


-rw-r-  1 _squid  _squid   28668 Jul 13 16:27 access.log
-rw-r-  1 _squid  _squid56380324 Jul 13 16:24 access.log.0.gz

Let's see tomorrow morning,



On Mon, Jul 13, 2015 at 4:24 PM, Craig Skinner skin...@britvault.co.uk
wrote:

 On 2015-07-13 Mon 13:25 PM |, Indunil Jayasooriya wrote:
  Hi mics,
 
 
  I want /etc/newsyslog.conf to generate /var/squid/logs/access.log  daily.
  This is the entry I have added to /etc/newsyslog.conf file. But it does
 NOT
  work.
 
  /var/squid/logs/access.log  _squid:_squid   640 14  *  @T00Z   /var/squid/logs/squid.pid   30
 
 
  any comments ?
 

 Squid can rotate its own logs.

 Search for 'rotate' in squid(8) and 'logfile_rotate' in
 /usr/local/share/examples/squid/squid.conf.documented
 Which says: It is best to get in the habit of using
 'squid -k rotate' instead of 'kill -USR1 pid'

 I use a monthly _squid cron job like this:


 # -- 8< --

 # crontab(5) ENVIRONMENT
 # PATH ( umask) defined in /etc/login.conf
 MAILTO=webmaster
 # ENVIRONMENT debug:
 # * * * * * logname; umask; pwd; printenv | sort
 @monthly    nice -n 20 squid -k rotate || print $?

 # -- 8< --


 Edit _squid's crontab with:

 $ sudo su -l -s /bin/sh _squid -c 'crontab -e'

 Cheers.
 --
 Drugs may be the road to nowhere, but at least they're the scenic route!




how to add squid access log in /etc/newsyslog.conf

2015-07-13 Thread Indunil Jayasooriya
Hi misc,


I want /etc/newsyslog.conf to generate /var/squid/logs/access.log  daily.
This is the entry I have added to /etc/newsyslog.conf file. But it does NOT
work.

/var/squid/logs/access.log  _squid:_squid   640 14  *  @T00Z   /var/squid/logs/squid.pid   30


any comments ?


I referred to below urls

http://jamesoff.net/site/reference/squid-log-rotation-with-newsyslog/

http://lists.freebsd.org/pipermail/freebsd-questions/2007-July/154219.html

http://lists.freebsd.org/pipermail/freebsd-questions/2003-October/021765.html





Re: relayd crashes often

2015-04-26 Thread Indunil Jayasooriya
Hi,

relayd is a nice software. I also used it once for http and smtp purposes
for zimbra backend servers. It was very fast. I was very happy about it.
But, suddenly I failed. My users complained. So I installed haproxy on
Centos. This haproxy has been running without any problems for nearly 3000
zimbra users for nearly 3 years.

If you guys can improve relayd, I still give priority to it, since I am an
OpenBSD lover.

On Sat, Apr 25, 2015 at 6:59 PM, Claudio Jeker cje...@diehard.n-r-g.com
wrote:

 On Wed, Mar 25, 2015 at 11:37:51PM -0400, Yonas Yanfa wrote:
  On 15-03-24 03:26 AM, Claudio Jeker wrote:
   On Mon, Mar 23, 2015 at 11:54:41PM -0400, Yonas Yanfa wrote:
   Hi,
  
   I'm running relayd/OpenBSD 5.6-stable on a KVM virtual machine. relayd
   always crashes within a few hours of restarting it, but works properly
   before that.
  
   I guess you are talking about reloading relayd (as in relayctl
 reload)...
  
 
  Killing all relayd processes and then running relayd.
 
 
   When relayd stops working, sometimes the relayd process is up but
  `relayctl
   show summary` says that /var/run/relayd.sock doesn't exist. Other
 times
  none
   of the relayd processes are running.
  
  
   I hit similar issues and came up with the following diff against
 -current.
   It may apply to 5.6 but did not test that at all. I'm not 100% sure
 about
   the ca.c change since OpenSSL is a black box.
  
 
  Thanks for the patches.
 
  Before I try to apply the patches, I think the issue might be caused by
  having too many CLOSE_WAIT connections. I seem to have 2,236 CLOSE_WAIT
  connections:
 
 
  $ netstat -n|grep CLOSE_WAIT|wc -l
  2236
 
  And relayd seems to have 501 active connections:
 
  relay www, session 1806 (501 active), 0, xxx.xxx.xxx.xxx - :0, hard
 timeout
 
 
  How can I get relayd to close these connections?
 

 Took some time to hunt down the cause of these CLOSE_WAIT sessions and
 caused some sleepless nights since our loadbalancer was hitting them as
 well. I think the following diff should solve the issue without causing
 further regressions.

 The problematic connections are HTTP session that are closed before the
 backend is started. In that case we can not wait for the backend.

 --
 :wq Claudio

 Index: relay.c
 ===
 RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
 retrieving revision 1.191
 diff -u -p -r1.191 relay.c
 --- relay.c 6 Feb 2015 01:37:11 -   1.191
 +++ relay.c 25 Apr 2015 13:11:33 -
 @@ -988,7 +988,7 @@ relay_error(struct bufferevent *bev, sho
 dst = EVBUFFER_OUTPUT(cre-dst-bev);
 if (EVBUFFER_LENGTH(dst))
 return;
 -   } else
 +   } else if (cre-output != NULL 
 EVBUFFER_LENGTH(cre-output))
 return;

 relay_close(con, done);
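Review bot: the added line of this hunk has lost its operators in the list archive, `} else if (cre-output != NULL  EVBUFFER_LENGTH(cre-output))` must read `} else if (cre->output != NULL && EVBUFFER_LENGTH(cre->output))`, so anyone applying it should take the diff from CVS rather than from this mail. The logic itself matches the CLOSE_WAIT description above: the old `} else return;` returned unconditionally, so a session whose backend had never been started could not reach relay_close(), while the new guard defers the close only while data is still pending in cre->output.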




Load Balance Outgoing Traffic via 3 outgoing interfaces

2015-04-08 Thread Indunil Jayasooriya
Hi misc,

I have a requirement that users in the LAN want to browse the INTERNET through a squid
proxy server via 3 outgoing links. So I have a box with 4 network
interfaces: one for the LAN, 3 for outgoing links. I need fail-over as well,
so ifstated is a solution for it.

I am referring below articles for getting it done.


http://www.openbsd.org/faq/pf/pools.html#outgoing

http://www.associatedtechs.com/library/configuring-openbsd-load-balancing-outbound/


All these provide info for 2 outgoing links. has anyone out there used
OpenBSD for 3 outgoing  connections ?


any documents?





Re: Load Balance Outgoing Traffic via 3 outgoing interfaces

2015-04-08 Thread Indunil Jayasooriya
Hi,

Thanks for your quick response.

First of all , I will have to setup equal-cost multipath routing in this
way for 3 outgoing interfaces.

http://www.openbsd.org/faq/faq6.html#Multipath

then, ifstated is the difficult thing.


On Wed, Apr 8, 2015 at 8:01 AM, Destan YILANCI des...@parta.com.tr wrote:

 Hi,

 If you are using Squid you have to make configuration at proxy side for
 http/https requests.

 You can start with looking here :
 http://www.squid-cache.org/Doc/config/tcp_outgoing_address/

 Also you have PF FAQ for other ports/protocols which squid will not be the
 redirector.

 2015-04-08 10:54 GMT+03:00 Indunil Jayasooriya induni...@gmail.com:

 Hi misc,

 I have a requirement that users in the LAN want to browse the INTERNET through a squid
 proxy server via 3 outgoing links. So I have a box with 4 network
 interfaces: one for the LAN, 3 for outgoing links. I need fail-over as well,
 so ifstated is a solution for it.

 I am referring below articles for getting it done.


 http://www.openbsd.org/faq/pf/pools.html#outgoing


 http://www.associatedtechs.com/library/configuring-openbsd-load-balancing-outbound/


 All these provide info for 2 outgoing links. has anyone out there used
 OpenBSD for 3 outgoing  connections ?


 any documents?



How to Selectively route DESTINATIONS via wan1_gw and via wan2_gw

2015-01-13 Thread Indunil Jayasooriya
Hi misc,

I have a /etc/ip_list1 file containing some destinations.

The format of /etc/ip_list1 is given below.

1.2.3.4
1.6.3.0/24


I want to route ALL DESTINATIONS listed in /etc/ip_list1 via wan1_gw. The
rest of the traffic I want to route via wan2_gw.

I have enabled below things in sysctl.conf file (including multipath
routing)

net.inet.ip.forwarding=1    # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1  # 1=Permit forwarding (routing) of IPv4 multicast packets
net.inet.ip.multipath=1     # 1=Enable IP multipath routing
net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects


my 2 gateways

wan1_gw= 192.168.2.100
wan2_gw= 192.168.1.1


my hostname.xxx files like these.

my wan1 interface

# cat /etc/hostname.rl0
inet 192.168.2.35 255.255.255.0
!route add -mpath default 192.168.2.100

my wan2 interface

# cat /etc/hostname.rl1
inet 192.168.1.11 255.255.255.0
!route add -mpath default 192.168.1.1

my lan interface

# cat /etc/hostname.bge0
inet 192.168.100.208 255.255.255.0


my pf.conf file looks like this.

# macros

int_if=bge0
wan1_if=rl0
wan2_if=rl1

lan_net=192.168.100.0/24
#lan_net=192.168.101.0/24

wan1_gw= 192.168.2.100
wan2_gw= 192.168.1.1

table <ip_list1> persist file "/etc/ip_list1"

# options

set block-policy return
set loginterface $wan1_if
set skip on lo

#THIS IS THE RULE TO ROUTE VIA WAN1_GW
pass out quick log from any to <ip_list1> route-to ($wan1_if $wan1_gw)

# match rules

match out on $wan1_if from $lan_net nat-to ($wan1_if)
match out on $wan2_if from $lan_net nat-to ($wan2_if)

# filter rules

block in log
#block out log
pass out quick log

antispoof quick for { lo $int_if }

pass in log inet proto icmp all icmp-type $icmp_types



I still can NOT traceroute to destinations in /etc/ip_list1 via wan1_gw and
the rest via wan2_gw.

How to achieve this goal?




PF tagging

2014-12-28 Thread Indunil Jayasooriya
Hi misc,

My PF box has 3 network cards. (Squid is also running on this PF box)

Wan1, Wan2 and LAN

I want LAN users to reach specific destination IPs via Wan1 when they
browse through the squid proxy, and everything else via Wan2. ( /etc/mygate has
been set to the Wan2 router ip )

LAN users' Internet browsers have been configured with the proxy ip address and
port.

Let's assume /etc/ip_list1 contains all the destination ip addresses that
should be routed via Wan1.


What about below rules ? any comment?

table <ip_list1> persist file "/etc/ip_list1"

pass out quick log from any to <ip_list1> route-to ($wan1_if $wan1_gw) tag ip_list1_traffic
pass out quick log on $wan1_if tagged ip_list1_traffic




Packet Tagging (Policy Filtering)

2014-12-11 Thread Indunil Jayasooriya
Hi misc,


I have about 600 destinations to reach via wan1 and wan2. ( 300 via wan1
and 300 via wan2 )

my /etc/mygate is wan_gw1


Let's say ip_list1 and ip_list2. Let's assume /etc/ip_list1 and
/etc/ip_list2 have ip addresses in this format:

/etc/ip_list1 (this consists of about 300 ips)

66.x.x.x
60.x.x.0/24

/etc/ip_list2 (this also consists of about 300 ips)

62.x.x.x
66.x.x.0/16


I am going to add the below rules for achieving that task. R u guys ok with
them?

is it OK?


block in log
pass out quick

table <ip_list1> persist file "/etc/ip_list1"
table <ip_list2> persist file "/etc/ip_list2"
pass in on $int_if from $int_net to <ip_list1> tag ip_list1 route-to ($wan_if1 $wan_gw1)
pass out quick on $dmz_if tagged ip_list1
pass in on $int_if from $int_net to <ip_list2> tag ip_list2 route-to ($wan_if2 $wan_gw2)
pass out quick on $dmz_if tagged ip_list2




Re: undeadly.org status?

2014-11-23 Thread Indunil Jayasooriya
Hmm,


I also can NOT access

On Mon, Nov 24, 2014 at 10:25 AM, Antonio Feitosa antonio@gmail.com
wrote:

 For me too.

 2014-11-24 1:42 GMT-02:00 Adam Thompson athom...@athompso.net:
  Anyone know what happened to undeadly?  (The|A) host seems to be up but
  doesn't answer on any port.
 
  --
  -Adam Thompson
   athom...@athompso.net
 



 --
 Antonio Feitosa (http://twitter.com/teebsd)
 #DevOps believer in Prototype Driven Development, #Security
 Consultant, #OpenBSD addicted, #ARM hobbyst and #Blues #Musician. #P2P
 is the real #cloudcomputing.
 Rio de Janeiro, Brazil ·
 Github: https://github.com/TeeBSB
 Blog: http://teebsd.github.io/





Re: PF Tagging

2014-09-03 Thread Indunil Jayasooriya
Oooo, that's an exciting possibility :)

 Any opportunities for reducing PF rule sets is always great.


Yes, Indeed. +1








pflogd uses high cpu.

2014-08-26 Thread Indunil Jayasooriya
Hi list,

On an OpenBSD 5.4 (32 bit) gateway, today I found pflogd uses high cpu.

When I run the top command, it takes a whole lot of resources. I searched on
the web, but I could NOT find things related to OpenBSD. But for FreeBSD,
I found this.


http://lists.freebsd.org/pipermail/freebsd-current/2009-March/004206.html


Do you guys have any comment on this?







Re: amavisd uses high cpu usage?

2014-08-23 Thread Indunil Jayasooriya
 system independent dlopen wrapper
libsigsegv-2.10p0        library for handling page faults in user mode
libtool-2.4.2p0          generic shared library support script
libusb1-1.0.9p8          library for USB device access from userspace
libxml-2.9.1             XML parsing library
libxslt-1.1.28p0         XSLT C Library for GNOME
lightsquid-1.8p1         light and fast log analyzer for squid proxy
lzo2-2.06p0              portable speedy lossless data compression library
lzop-1.03                fast file compressor similar to gzip
m4-1.4.17                GNU m4
metaauto-1.0p1           wrapper for gnu auto*
net-snmp-5.7.2p1         extendable SNMP implementation
openldap-client-2.4.38   open-source LDAP software (client)
openmotif-2.3.4p0        Motif toolkit
openvpn-2.3.2            easy-to-use, robust, and highly configurable VPN
p5-Archive-Zip-1.30p1    perl interface to ZIP files
p5-BerkeleyDB-0.51p0     Berkeley DB module
p5-Convert-BinHex-1.119p2 module to extract data from Macintosh BinHex files
p5-Convert-TNEF-0.18     module to read TNEF files
p5-Convert-UUlib-1.4v1   interface to the uulib library
p5-Crypt-OpenSSL-Bignum-0.04p4 OpenSSL's multiprecision integer arithmetic
p5-Crypt-OpenSSL-RSA-0.28 RSA encoding and decoding using OpenSSL
p5-Crypt-OpenSSL-Random-0.06 routines for accessing the OpenSSL prng
p5-Digest-HMAC-1.03      interface to HMAC Message-Digest Algorithms
p5-Error-0.17019         error/exception handling in an OO-ish way
p5-GD-2.46p0             module to interface with the GD graphics library
p5-Geography-Countries-2009041301p0 2-letter, 3-letter, and numerical codes for countries
p5-HTML-Parser-3.69      modules to parse and extract information from HTML
p5-HTML-Tagset-3.20p0    data tables useful for parsing HTML
p5-HTTP-GHTTP-1.07p4     perl interface to the GNOME GHTTP library
p5-IO-Multiplex-1.13     handle multiple file handles
p5-IO-Socket-INET6-2.72  object interface for AF_INET and AF_INET6 domain sockets
p5-IO-Socket-IP-0.26     family-neutral IP socket supporting both IPv4 and IPv6
p5-IO-Socket-SSL-1.967   perl interface to SSL sockets
p5-IO-stringy-2.110p1    in-core objects like strings and arrays for I/O
p5-IP-Country-2.28       fast lookup of country codes by IP address
p5-MIME-tools-5.504      modules for parsing (and creating) MIME entities
p5-Mail-DKIM-0.40        DKIM and DomainKeys message-signing implementation
p5-Mail-SPF-2.8.0        perl oop implementation of Sender Policy Framework
p5-Mail-SpamAssassin-3.3.2p6 mailfilter to identify and mark spam
p5-Mail-Tools-2.07       modules for handling mail with perl
p5-Net-DNS-0.71          module to interface the DNS resolver
p5-Net-DNS-Resolver-Programmable-0.003 programmable DNS resolver class for offline emulation of DNS
p5-Net-SSLeay-1.58       perl module for using OpenSSL
p5-Net-Server-2.007      extensible framework for Perl server engines
p5-NetAddr-IP-4.072      manages IPv4 and IPv6 addresses and subnets
p5-SNMP-5.7.2p0          SNMP modules for Perl
p5-Socket6-0.25          Perl defines relating to AF_INET6 sockets
p5-Time-TimeDate-2.30    library for parsing and formatting dates and times
p5-URI-1.60              library to parse Uniform Resource Identifiers
p5-Unix-Syslog-1.1p2     interface to the UNIX system logger
p5-XML-Parser-2.41p0     perl module for parsing XML documents
p5-libwww-5.837p0        library for WWW access in Perl
p7zip-9.20.1p0           file archiver with high compression ratio
p7zip-rar-9.20.1p1       rar modules for p7zip
pcre-8.33                perl-compatible regular expression library
pfstat-2.3p5             packet filter statistics visualization
pftop-0.7p12             curses-based real time state and rule display for pf
png-1.6.8                library for manipulating PNG images
postfix-2.11.0           fast, secure sendmail replacement
py-libxml-2.9.1          Python bindings for libxml
python-2.7.6p0           interpreted object-oriented programming language
quirks-1.113             exceptions to pkg_add rules
re2c-0.13.6              C-based regular expression scanner generator
ripole-0.2.0p1           extract attachments from OLE2 data files
rpm2cpio-1.3p2           rpm2cpio converter in Perl
squid-3.3.11             WWW and FTP proxy cache and accelerator
tcl-8.5.15p2             Tool Command Language
tk-8.5.15p1              graphical toolkit for Tcl
unzip-6.0p3              extract, list & test files in a ZIP archive
vnstat-1.11p6            network traffic monitor
wget-1.15                retrieve files from the web via HTTP, HTTPS and FTP
xmlto-0.0.25             front-end for converting XML files to various formats
xmltoman-0.4             xml to manpage converter
xz-5.0.5p0               LZMA compression and decompression tools
zip-3.0                  create/update ZIP files compatible with PKZip(tm)
zoo-2.10.1p1             handle the old .ZOO archive format




Hope to hear from you.







amavisd uses high cpu usage?

2014-08-22 Thread Indunil Jayasooriya
Hi,

I am running amavisd-new-2.8.1p0 with postfix on OpenBSD 5.5 64 bit.

I noticed amavisd uses high cpu.



This is the OUTPUT of the top command

18748 _vscan    64    0   94M   68M onproc/1  -        48:11 99.27% perl


Could you pls explain why?


anyway to solve this?









Re: amavisd uses high cpu usage?

2014-08-22 Thread Indunil Jayasooriya
 :
 :This is the OUTPUT of top command
 :
 :18748 _vscan    64    0   94M   68M onproc/1  -        48:11 99.27% perl
 :
 :
 :Could you pls explain why?
 :

 the program requires a lot of CPU time to process the data.

 Thanks for your quick response.


 :
 :anyway to solve this?
 :
 :

 Use less data.

 Or, ask the amavisd-new group.


  In Linux (CentOS), It DOES NOT use so much CPU as in OpenBSD.

Anyway,  Amavisd-new group is the right place for it.  I will go with them.

Thanks once again.





 --
 A CONS is an object which cares.
 -- Bernie Greenberg.







Re: amavisd uses high cpu usage?

2014-08-22 Thread Indunil Jayasooriya
Hi Stuart,


 amavisd-new runs fine for me on OpenBSD without particularly high CPU use.


   I am very glad to hear that it is running fine on my favourite operating
system, OpenBSD.

 Is Amavisd-new running on OpenBSD 5.5?


   I did a debug with the command /usr/local/sbin/amavisd debug (I
set $log_level = 5 in the /etc/amavisd.conf file)

it says

Segmentation fault


Then, I uncommented @bypass_spam_checks_maps  = (1);  in /etc/amavisd.conf
file.

Pls see below


# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
 @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
# $bypass_decode_parts = 1;         # controls running of decoders/dearchivers


Then. restarted amavisd (  /etc/rc.d/amavisd restart ) . Then, It started
working..

I did a debug with the command  /usr/local/sbin/amavisd debug   again

then, it gave this.

The amavisd daemon is already running, PID: [4909]


I think may be something is wrong with perl modules.


You guys are experts. Any comments?






Re: hp proliant dl 320e gen 8 for openbsd 5.5 64 bit ?

2014-08-07 Thread Indunil Jayasooriya
 See if you can switch it to a standard AHCI/SATA mode in the bios.


 I switched to AHCI/SATA mode in the BIOS. OpenBSD 5.5 64 bit detected
 BOTH hard disks. So I installed it.

 I now have 2 TB. On the first disk, I partitioned /, swap, /usr and /var;
on the other 1 TB hard disk, I just partitioned 50 GB /home. Many more
GB remain on the 2nd hard drive. Now, my favourite operating system
OpenBSD is running.

Now, I want to let you know the most important thing.

This is it.

We got this server with 2 x 1 TB hard disks because we want a mirrored
hard drive with 1 TB. But we got it WITHOUT getting it mirrored.

We can tell the hardware vendor to mirror these 2 hard disks.

My question is: after mirroring, will OpenBSD work, or will I again have to
change BIOS settings?

Hope to hear from you.






Re: hp proliant dl 320e gen 8 for openbsd 5.5 64 bit ?

2014-08-07 Thread Indunil Jayasooriya
Try to change the harddrive settings in BIOS.
 They are probably defaulting to raid-mode, which doesn't work under
 OpenBSD.


 i.e. does this server's hardware RAID (mirror) NOT work under
OpenBSD? Will I have to go with software RAID?







 --
 Med venlig hilsen/Kind regards
 Søren Aurehøj







Re: hp proliant dl 320e gen 8 for openbsd 5.5 64 bit ?

2014-08-07 Thread Indunil Jayasooriya
If so just not use the fake-raid, disable it, and use soft-raid from BSD.


If I use softraid from BSD, does it consume more RAM or processing
power, etc.?

I will have to use this server for PF , OpenVPN , Squid, Postfix or
Sendmail and  Apache etc..



 Therefore I can't believe HP ProLiant series use a fake-raid



this is HP ProLiant DL320e Gen8 Url


http://www8.hp.com/us/en/products/proliant-servers/product-detail.html?oid=5379527#!tab%3Dspecs



 Mine is a quite recent model DL380G5 but has a real hardware RAID 6 (I am
 writing this mail from this server).

 As mine you may have to enter into RAID carte separate BIOS than the
 mother board BIOS to activate disks  setup RAID-levels
 maybe you missed that step or exited without saving setup.

 Hmm, I will look into it.








hp proliant dl 320e gen 8 for openbsd 5.5 64 bit ?

2014-08-06 Thread Indunil Jayasooriya
Dear OpenBSD users,

We have a new HP ProLiant DL320e Gen8 server with 2 x 1 TB hard
disks. When we go to install OpenBSD 5.5 64 bit, OpenBSD can't
detect these 2 hard disks (2 x 1 TB).

These are 2 hard disks of 7.2K SATA 1 TB.

It asks which is the hard disk, with this sign: ?
It does NOT show wd0 or anything.

To check, I just installed CentOS 6.3 64 bit. It detected these 2 hard
disks and went on with the installation.

I do not want to install CentOS for production use. This is just a test.

How can I install OpenBSD 5.5 64 bit on this brand new server?

Hope to hear from gurus.












mail.ssh with netstat command

2014-06-20 Thread Indunil Jayasooriya
Dear ALL,

netstat gives the below output on my OpenBSD 5 64 bit firewall. It is a VM.

tcp        0    128  mail.ssh               192.168.x.y.57850      ESTABLISHED


I think it is unusual?

Your comment?

How to find this mail.ssh?






Re: mail.ssh with netstat command

2014-06-20 Thread Indunil Jayasooriya
  netstat gives below output on my openbsd 5 64 bit firewall. it is a VM.
 
  tcp        0    128  mail.ssh               192.168.x.y.57850      ESTABLISHED
 
 
  I think it is unusual?

 you do not expect an ssh connection from 192.168.x.y
 to the machine you ran netstat on, which has an interface
 named mail?

 --patrick



Thank you. I got it. This OpenBSD box's /etc/hosts file says
mail.example.com




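The thread's answer is that "mail" is just the firewall's own name from /etc/hosts, and `netstat -an` shows the numeric form. The following is an added example, not code from the thread: it parses numeric OpenBSD netstat output and flags ESTABLISHED ssh sessions whose remote address is outside an admin allowlist, which is the check a firewall operator actually wants when an unexpected ssh entry turns up. The sample netstat lines and the 192.168.1.0/24 allowlist are constructed for the example.

```python
"""Flag ssh sessions on an OpenBSD firewall that come from addresses
outside an allowlist, working from `netstat -an -f inet` output (numeric,
so names from /etc/hosts such as 'mail' do not hide the address).

Added example for this thread; the allowlist and the sample netstat
lines are constructed, not taken from the post.
"""
import ipaddress
import re

# Constructed sample of `netstat -an -f inet` on OpenBSD: addresses are
# printed as a.b.c.d.port, so the last dot separates the port.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0    128  192.168.1.1.22         192.168.1.57.57850     ESTABLISHED
tcp          0      0  192.168.1.1.22         203.0.113.9.41022      ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
udp          0      0  *.514                  *.*
"""

ALLOWED = [ipaddress.ip_network("192.168.1.0/24")]  # assumed admin LAN
SSH_PORT = 22

# proto recv-q send-q local foreign state
_LINE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr_port(token):
    """'192.168.1.57.57850' -> ('192.168.1.57', 57850); '*.*' -> (None, None)."""
    host, _, port = token.rpartition(".")
    if host == "*" or port == "*":
        return None, None
    return host, int(port)


def parse_established(text):
    """Return (local_ip, local_port, remote_ip, remote_port) for each
    ESTABLISHED tcp row; LISTEN rows and udp rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(3) != "ESTABLISHED":
            continue
        lhost, lport = split_addr_port(m.group(1))
        rhost, rport = split_addr_port(m.group(2))
        if lhost and rhost:
            rows.append((lhost, lport, rhost, rport))
    return rows


def unexpected_ssh(text, allowed=ALLOWED):
    """Return 'ip:port' of remote peers holding an ssh session to this
    host whose address is not inside any allowed network."""
    hits = []
    for lhost, lport, rhost, rport in parse_established(text):
        if lport != SSH_PORT:
            continue
        remote = ipaddress.ip_address(rhost)
        if not any(remote in net for net in allowed):
            hits.append(f"{rhost}:{rport}")
    return hits


if __name__ == "__main__":
    for hit in unexpected_ssh(SAMPLE_NETSTAT):
        print("ssh session from outside the allowlist:", hit)
```

On a live box feed it `netstat -an -f inet` rather than plain `netstat`; the `-n` is what keeps the local hostname out of the output, and the allowlist should match whatever `pass in ... port ssh` already restricts in pf.conf.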


Re: how to forward port 2222 of pf box to port 22 of internel webserver

2014-05-04 Thread Indunil Jayasooriya
Thanks for enlightening me.

Have a good day.


On Fri, May 2, 2014 at 8:53 PM, John D. Verne j...@clevermonkey.org wrote:

 On Fri, May 02, 2014 at 12:53:05PM +0530, Indunil Jayasooriya wrote:
  Thanks for the support.
 
  I changed the port from 2222 to 2224. Now it works. This PF box is
  behind an ADSL router. I assume this ADSL router has reserved port
  2222. I have no access to this ADSL router.
 

 2222 is used by a few LAN client services, and is often a backdoor for
 trojans. So it is either blocked, or reserved for some Rockwell services.
 --
 John D. Verne
 j...@clevermonkey.org







Re: how to forward port 2222 of pf box to port 22 of internel webserver

2014-05-02 Thread Indunil Jayasooriya
Thanks for the support.

I changed the port from 2222 to 2224. Now it works. This PF box is behind
an ADSL router. I assume this ADSL router has reserved port 2222. I have no
access to this ADSL router.


These are the rules.


pass in log on $wan_if inet proto tcp from any to $wan_if port 2224 \
    rdr-to $webserver port 22 synproxy state

pass out log on $int_if inet proto tcp from any to $webserver port 22 \
    modulate state







 sysctl net.inet.ip.forwarding


I have already set it to = 1
net.inet.ip.forwarding=1








Thanks for the below rules


 Using:

 match in on $wan_if proto tcp to ($wan_if) port 2222 rdr-to \
     $webserver port ssh

 and

 pass in on $wan_if proto tcp to ($wan_if) port 2222 flags S/SA synproxy \
     state

 work for me on:
 OpenBSD atom.crowsons.com 5.4 GENERIC.MP#44 i386

 If the above does not help run tcpdump on both interfaces and see what is
 / is not being passed...

 hth

 Fred


 Not sure but what does:






how to forward port 2222 of pf box to port 22 of internel webserver

2014-05-01 Thread Indunil Jayasooriya
Dear ALL,

I want to ssh to an internal webserver from the outside world. ssh port
22 is running on that web server.

SSH port 22 is also running on my OpenBSD 5.4 (32 bit) firewall, to which I
ssh from the outside world.

So I want to add a rule to access the internal webserver.

So I decided to forward port 2222 of the pf box to port 22 of the internal
webserver.

So, I added rules like these. I still can't access.


pass in log on $wan_if inet proto tcp from any to $wan_if port 2222 \
    rdr-to $webserver port 22

pass out log on $int_if inet proto tcp from any to $webserver port 22 \
    modulate state



But, I can't access.

Why?









Re: Sorry OpenBSD people, been a bit busy

2013-10-08 Thread Indunil Jayasooriya
On Wed, Oct 9, 2013 at 6:42 AM, Scott McEachern sc...@blackstaff.ca wrote:

 On 10/08/13 20:42, thornton.rich...@gmail.com wrote:

 I love OpenBSD, seriously, and developers of it are clearly geniuses. And
 any chance I get I promote it.


 Excellent, and I applaud you for that.


My favourite O/S is also OpenBSD. Theo and his guys protect the world. so
they are naturally protected.








the same ip address for 2 vpn client computers

2013-10-07 Thread Indunil Jayasooriya
Hi,

I configured OpenVPN on OpenBSD 5 (64 bit). Clients CAN connect to this
OpenBSD VPN server. But the OpenBSD VPN server gives the same ip address to
the vpn client computers.

I tested with 2 clients.


my /etc/openvpn/server.conf file


# Address range for the tun(4) interfaces
server 10.0.1.0 255.255.255.0

# Uncomment to allow clients to dynamically change address (useful for
# road-warriors)
#float


I connected from one client computer; then that client's vpn ip was
10.0.1.6.

While the above client was connected, I connected from another client
computer. Then, this client computer too got the same ip address (10.0.1.6).

Why's that?


this is the source I referred to

http://www.kernel-panic.it/openbsd/vpn/vpn4.html

any idea?






Re: Sorry OpenBSD people, been a bit busy

2013-10-07 Thread Indunil Jayasooriya
 Yes, let the people spend their time and energy for nothing. It's
 absolutely not interesting to spend yours on this. It's a kid game. I
 appreciate much more the work you all do on awesome projects like OpenBSD
 and YYCIX :)




I also agree with you. This is a useless topic. Let's discard it.







Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread Indunil Jayasooriya
 As I have mentioned before: what good is perfect security in an OS if you
 have no control over the hardware? Put some back doors into the CPU or the
 networking hardware and OpenSSH will fall. There is really no point in
 trying to outwit three letter agencies with our laptops.



Both good and bad things exist in the world. It is the way of the world.
It is quite normal. It is the True Nature of the world. Intention
(volition) to add protection (security) is the WISE man's characteristic.
So this wise man is always protected. He will win his life.











Re: Pf with multi gateways

2013-02-13 Thread Indunil Jayasooriya
 You can list multiple gateways in priority order (I would usually
 add these in hostname.if files e.g. !route add)

 route add default -priority 10 10.1.1.1
 route add default -priority 12 10.2.2.2


  should the file /etc/mygate be deleted?  I think yes







How to list available all hard disks in OpenBSD

2012-12-20 Thread Indunil Jayasooriya
HI,

I would like to know how to list all available hard disks in OpenBSD.

If I run the below 2 commands, they will give an output.

dmesg | grep wd0

fdisk wd0


If I install a new hard disk, how do I get to know whether it is wd1 or
anything else?

In Linux, fdisk -l shows all the available hard disks. In OpenBSD, what's the
command for it?









Re: How to list available all hard disks in OpenBSD

2012-12-20 Thread Indunil Jayasooriya
Hi misc

Thanks a lot



On Fri, Dec 21, 2012 at 10:07 AM, Wesley open...@e-solutions.re wrote:

 Hi,

 you can try this :


 /usr/sbin/sysctl hw.disknames

 Cheers,
 Wesley


 Le 2012-12-21 7:17, Indunil Jayasooriya a écrit :

  HI,

 I would like to know How to list available all hard disks in OpenBSD ?

 If I run below 2 commands, it will give an output.

 dmesg |grep wd0

 fdisk wd0


 If I install a new hard disk, how do I get to know whether it is wd1 or
 anything else?

 In Linux, fdisk -l shows all the available hard disks. In OpenBSD, what's
 the command for it?








ddb error

2012-10-15 Thread Indunil Jayasooriya
Hi List,


I have 2 Redhat KVM Servers. On each server, an OpenBSD 5.1 ( 64 bit ) is
running.

( i.e - Since I have  2 Redhat KVM Servers, 2 OpenBSD 5.1 ( 64 bit ) are
running )


These 2 OpenBSD servers sometimes drop into ddb mode and get stuck. Then, I
have to force them off and start them again.


I am sending 2 attachments for you guys to see; let me know what
actually happens.

Services running on  these 2 Open BSD Servers are carp , pf and relayd

Any comments?














relayd error related /var/run/relayd.sock

2012-08-28 Thread Indunil Jayasooriya
Hi misc,



I am running relayd for 2 Zimbra servers in the LAN (with method relay in
the /etc/relayd.conf file - NOT redirect).


relayctl show summary showed the correct summary.


But, suddenly, 2 hours later, it did NOT work.

I checked with the command relayctl show summary

but it gave an error related to /var/run/relayd.sock



I checked the /var/run/relayd.sock file. But it did NOT exist at that time. I
just ran the relayd command again


then, /var/run/relayd.sock appeared


Now, everything is OK.

then, I just added


prefork 10 to the /etc/relayd.conf file on both boxes.



I would like to know why this happened. (This is on OpenBSD 5.1 64 bit -
actually 2 boxes with relayd, PF, pfsync and carp)

These are actually 2 VMs running on 2 Redhat 6.2 64 bit KVMs (network
drivers are e1000 (em0 and em1))


Any comments ?









relayd for lan servers with carp and pfsync

2012-08-16 Thread Indunil Jayasooriya
)
1   host      192.168.0.66    100.00% up
2   host      192.168.0.67    100.00% up
2   redirect  smtp            active
2   table     servers:25      active (2 hosts)
3   host      192.168.0.66    100.00% up
4   host      192.168.0.67    100.00% up
3   redirect  pop             down
3   table     servers:110     empty
5   host      192.168.0.66    0.00%   down
6   host      192.168.0.67    0.00%   down



Seeking your ideas to solve this. Where have I gone wrong?


I referred to below 2 URLs


http://www.openbsd.org/faq/pf/carp.html#failover

http://meinit.nl/openbsd-loadbalancing-and-failover-relayd-pf-and-carp











Re: relayd for lan servers with carp and pfsync

2012-08-16 Thread Indunil Jayasooriya
Hi ALL,

I got it working myself after changing the pf.conf and relayd.conf files


here are the new working ones

in /etc/pf.conf file (on both nodes - fw1 and fw2)

# cat /etc/pf.conf

#   $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if=em0
pfsync_if=em1

servers = "{ 192.168.0.66, 192.168.0.67 }"

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
anchor "relayd/*"

pass on em1 proto pfsync
pass on { em0 em1 } proto carp

##END

pass log    # to establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010


in /etc/relayd.conf file (on both nodes - fw1 and fw2)

# cat /etc/relayd.conf

# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
#
# Macros
#

ext_addr="192.168.0.100"
webhost1="192.168.0.66"
webhost2="192.168.0.67"
#ext_if="em0"

table <servers> { $webhost1 $webhost2 }

relay www {
	listen on $ext_addr port 80
	#forward to <servers> port 80 mode loadbalance check tcp
	forward to <servers> port 80 mode roundrobin check tcp
}

relay smtp {
	listen on $ext_addr port 25
	#forward to <servers> port 25 mode loadbalance check tcp
	forward to <servers> port 25 mode roundrobin check tcp
}



anyway, I had to add the below lines in the /etc/rc.local files

/etc/rc.local (on fw1)


# cat /etc/rc.local

#   $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.

#configure pfsync
ifconfig em1 192.168.9.67 netmask 255.255.255.0
ifconfig pfsync0 syncdev em1
ifconfig pfsync0 up

#configure CARP on the LAN side
ifconfig carp1 create
ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
    192.168.0.100 netmask 255.255.255.0

#Starting relayd
relayd


/etc/rc.local (on fw2)


# cat /etc/rc.local

#   $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.

#configure pfsync
ifconfig em1 192.168.9.68 netmask 255.255.255.0
ifconfig pfsync0 syncdev em1
ifconfig pfsync0 up

#configure CARP on the LAN side
ifconfig carp1 create
ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
    advskew 128 192.168.0.100 netmask 255.255.255.0

#Starting relayd
relayd


That's it.


Pls NOTE that, in the /etc/relayd.conf file, I had to add relay www instead
of redirect www and relay smtp instead of redirect smtp.


also in the /etc/pf.conf file, instead of the below lines,

# anchor for relayd(8)
#anchor "relayd/*"

pass quick on { em1 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state


I added the below lines


# anchor for relayd(8)
anchor "relayd/*"

pass on em1 proto pfsync
pass on { em0 em1 } proto carp


Now, my setup works.





On Thu, Aug 16, 2012 at 12:13 PM, Indunil Jayasooriya
induni...@gmail.comwrote:

 Hi misc,


 I have 2 OpenBSD 5.1 64bit boxes. I want to setup relayd for lan servers
 with carp and pfsync for LAN USERS.

 What I want to achieve is that LAN USERS connect to carp1 ip address ( lan
 shared ip - 192.168.0.100  ). then, relayd will redirect that traffic to 2
 lan servers running services http, smtp and pop. If one server goes down,
 relayd will remove it from the table.


 This is what I did.

 let's assume 2 OpenBSD 5.1 64bit boxes are fw1 and fw2


 fw1

 em0 - 192.168.0.10 (and carp1 -  LAN shared IP - 192.168.0.100 )

 em1 - 192.168.9.67 ( for pfsync )

 fw2

 em0 - 192.168.0.11 (and carp1 -  LAN shared IP - 192.168.0.100 )

 em1 - 192.168.9.68 ( for pfsync )


 LAN shared IP: 192.168.0.100 ( carp1 ip address on both nodes fw1 and fw2 )



 net.inet.ip.forwarding=1  in /etc/sysctl.conf on both fw1 and fw2



 Configure fw1:

 ! enable preemption and group interface failover
 # sysctl -w net.inet.carp.preempt=1


 ! configure pfsync
 # ifconfig em1 192.168.9.67 netmask 255.255.255.0
 # ifconfig pfsync0 syncdev em1
 # ifconfig pfsync0 up

Re: OpenBSD forked

2012-06-18 Thread Indunil Jayasooriya
 Their work getting rid of GNU stuff will, inevitably, affect OpenBSD (if
 they succeed at that anyway).


 Hmm, I personally prefer the BSD style licence. For me, the BSD philosophy
has much more freedom. NOT copyleft. (I love it very much.) I'd like to see
more BSD style stuff coming in.

Anyway, the GPL is also doing a good job in the world of Open Source.









Re: Load balancing and fail-over

2012-05-22 Thread Indunil Jayasooriya
 good :)  hopefully I have given you enough clues to work the rest out
 for yourself, this is much better for you as you get a better understanding
 so it will be easier for you to diagnose any problems you run into later.



   The script I wrote worked as expected (i.e. failover happened when a
link went down; when that link came up, load was balanced via both links).

With my script, I had a cronjob running every 1 minute to check the link.
It did a ping every 1 minute. (I sent that script before.)


But, while browsing the Internet, we found it slower than before.

I think it was due to the bandwidth of the links.

These are my links

WAN1 - ADSL - 2 mbit/s

WAN2 - Leased line - 128 kbit/s


Before that, the default route was via ADSL (2 mbit/s). Then, we found it OK.


Since browsing is slower, we removed the script. Now, we are back to how
it was before (i.e. everything via ADSL).


I am happy since the script worked.

Stuart, thanks a trillion times for your compassion and effort. Anyway, I
welcome your ideas, if I have to look any further and if there are things
to be improved.









Re: Load balancing and fail-over

2012-05-18 Thread Indunil Jayasooriya
 Now, the interesting thing is this ( Taken from openbsd website)


 #  keep https traffic on a single connection; some web applications,
 #  especially secure ones, don't allow it to change mid-session
 pass in on $int_if proto tcp from $lan_net to port https \
 route-to ($ext_if1 $ext_gw1)


 When both links are UP and WAN1 is UP https traffic will go via WAN1
 When, WAN1 goes down, https should go via WAN2

   I think If I add another variable to /etc/pf.conf, I will be able to
 achieve it too.


 ONEWAYHTTPS=1.1.1.1@em0


 pass in on $int_if proto tcp from $lan_net to port https \
 route-to { $ONEWAYHTTPS }


 and use this below while WAN1 goes DOWN

 pfctl -D ONEWAYHTTPS=2.2.2.2@em1 -f /etc/pf.conf


 Is it all right?


No, it is NOT OK (I think it messes up).


So, I myself found a method. It would be easier with an anchor.

http://www.openbsd.org/faq/pf/anchors.html

The above URL shows the power of PF with anchors. I just tried it. It
worked. Pls see below. (I feel really sorry to disturb you.)


In /etc/pf.conf


# a macro whose value contains a space has to be quoted in pf.conf
GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"

##BEGIN - Loadbalancingwithfailover

pass in on $int_if from $lan_net route-to { $GATEWAYS }

anchor onewayhttps {
    pass in on em2 proto tcp from 192.168.0.0/24 to port https \
        route-to 2.2.2.2@em1
}

##END



and ,


my script is now like this.


#Checking WAN1
ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
VARWAN1=$?

#Checking WAN2
ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
VARWAN2=$?

# pfctl -D takes one "macro=value" argument, so a value with a space in
# it must be quoted or pfctl sees the second gateway as a stray argument
if [ "${VARWAN1}" = 0 ] && [ "${VARWAN2}" = 0 ]; then
    echo "Both links are UP"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ "${VARWAN1}" != 0 ] && [ "${VARWAN2}" != 0 ]; then
    echo "Both links are DOWN"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ "${VARWAN1}" != 0 ]; then
    echo "WAN1 is DOWN"
    route add -mpath default 2.2.2.2
    route delete -mpath default 1.1.1.1
    pfctl -D "GATEWAYS=2.2.2.2@em1" -f /etc/pf.conf

elif [ "${VARWAN2}" != 0 ]; then
    echo "WAN2 is DOWN"
    route add -mpath default 1.1.1.1
    route delete -mpath default 2.2.2.2
    pfctl -D "GATEWAYS=1.1.1.1@em0" -f /etc/pf.conf
    # move the https pin to WAN1 by replacing the anchor's ruleset
    echo "pass in on em2 proto tcp from 192.168.0.0/24 to port https" \
         "route-to 1.1.1.1@em0" | pfctl -a onewayhttps -f -
fi


I think I am NOW all right. Anyway, I will have to test it in 2 or 3 days'
time. Then, I will let you know everything.

Stuart, thanks a LOT for your compassion towards me. I worked hard. I am
very happy. Anyway, I will have to test its behaviour.


Hope to hear from you.









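The cron script above makes its routing decision from a single ping run, so one lost probe flips the default routes and the pf GATEWAYS macro, and a minute later flips them back. The following is an added example, not the poster's script: the same decision logic as a pure function that returns the route(8)/pfctl(8) commands to run instead of running them, with two changes a practitioner would want. A link is declared down only after several consecutive failed probes (hysteresis), and when a link is lost the surviving route is added before the dead one is deleted, so there is never a moment without a default route. The interface names, gateways, source addresses, pf.conf path and the onewayhttps anchor follow the post; the failure threshold and the LinkState bookkeeping are assumptions of this example.

```python
"""Decide multi-WAN default routes and the pf GATEWAYS macro from probe
results, with hysteresis so one lost ping does not flap the routing.

Pure decision logic: plan() returns the commands to run instead of
running them, so the behaviour can be tested offline. Probing (the
post's 'ping -I <src> <target>') stays with the caller, which feeds the
success/failure of each probe into LinkState.observe().
"""
from dataclasses import dataclass, field

PF_CONF = "/etc/pf.conf"  # path as in the post

# Link table taken from the post's script: interface, next hop and the
# source address the probe is sent from.
WANS = {
    "wan1": {"if": "em0", "gw": "1.1.1.1", "src": "1.1.1.5"},
    "wan2": {"if": "em1", "gw": "2.2.2.2", "src": "2.2.2.5"},
}


@dataclass
class LinkState:
    """Per-link failure counter. A link is declared down only after
    fail_threshold consecutive failed probes; a single success clears it.
    The threshold of 3 is an assumption of this example."""
    fail_threshold: int = 3
    failures: dict = field(default_factory=dict)
    up: dict = field(default_factory=dict)

    def observe(self, name, probe_ok):
        """Record one probe result and return whether the link counts as up."""
        if probe_ok:
            self.failures[name] = 0
            self.up[name] = True
        else:
            self.failures[name] = self.failures.get(name, 0) + 1
            if self.failures[name] >= self.fail_threshold:
                self.up[name] = False
            else:
                self.up.setdefault(name, True)  # not yet proven down
        return self.up[name]


def plan(up):
    """Given {link: is_up}, return the commands to apply, in order.

    If every link is down, keep all routes: there is nothing better to
    route to, and dropping every default would not help recovery."""
    live = [name for name, ok in up.items() if ok] or list(WANS)
    adds, deletes = [], []
    for name, wan in WANS.items():
        target = adds if name in live else deletes
        verb = "add" if name in live else "delete"
        target.append(f"route {verb} -mpath default {wan['gw']}")
    cmds = adds + deletes  # make-before-break: add survivors first
    macro = " ".join(f"{WANS[n]['gw']}@{WANS[n]['if']}" for n in live)
    cmds.append(f'pfctl -D "GATEWAYS={macro}" -f {PF_CONF}')
    # https must stay on one link; pin it to the first live one through
    # the post's 'onewayhttps' anchor
    https_if, https_gw = WANS[live[0]]["if"], WANS[live[0]]["gw"]
    cmds.append(
        'echo "pass in on em2 proto tcp from 192.168.0.0/24 to port https '
        f'route-to {https_gw}@{https_if}" | pfctl -a onewayhttps -f -')
    return cmds


if __name__ == "__main__":
    state = LinkState()
    # constructed probe history: wan1 fails three times in a row
    for ok in (False, False, False):
        state.observe("wan1", ok)
    state.observe("wan2", True)
    for cmd in plan(state.up):
        print(cmd)
```

A cron wrapper would run the two pings, call `observe()` for each, persist the counters between runs (a small file under /var/run is enough), and execute `plan()` only when the set of live links changed since the previous run.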


Re: Load balancing and fail-over

2012-05-17 Thread Indunil Jayasooriya
 Route lookups are based on the *destination* address not the source
 address, you could add a route for a certain destination via a
 certain interface to send packets out that way.

 Hmm. that sounds good to me. Since I have 2 interfaces for 2 different WAN
connections.  It is possible to add route to a certain destination ip
address in /etc/hostname.em0 and /etc/hostname.em1 files and make permanent
in this way.


/etc/hostname.em0

inet 192.168.10.6 255.255.255.0
!route add -host 173.194.38.184 192.168.10.5
!route add -mpath default 192.168.10.5


/etc/hostname.em1

inet 192.168.20.6 255.255.255.0
!route add -host 173.194.38.191 192.168.20.5
!route add -mpath default  192.168.20.5


Then, a shell script in crontab can ping those destination ip addresses
and see if they are UP or DOWN. ( ifstated also can do it. But, I will have
to understand its behaviour )


When , both are up Up, nothing is DONE  and when one fails remove that
-mpath default route

In this manner, When one link goes down, all traffic will go via the
available link.

That is what I am looking for. I think I am right.

I am right ain't I?


Then, I will have to discuss this below rule as well.

pass in on $int_if from $lan_net \
route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
round-robin


When one link goes DOWN, Will all the traffic go via the available link ?

Does the above rule do this duty?


I think I am getting closer to achieve the goal.

Hi, Stuart Henderson, Many thanks to  your effort that put forth me to go
ahead,


Hope to hear from ALL.






-- 
Thank you
Indunil Jayasooriya



Re: Load balancing and fail-over

2012-05-17 Thread Indunil Jayasooriya
 why you not try the relayd way ?
 look at
 http://gouloum.fr/doc/multilink.html

 the part with relayd








 holger

  On 2012/05/17 13:20, Indunil Jayasooriya wrote:
 
 
  Route lookups are based on the *destination* address not the source
  address, you could add a route for a certain destination via a
  certain interface to send packets out that way.
 
 
  Hmm. that sounds good to me. Since I have 2 interfaces for 2 different
  WAN connections.  It is possible to add route to a certain destination
  ip address in /etc/hostname.em0 and /etc/hostname.em1 files and make
  permanent in this way.
 
 
  /etc/hostname.em0
 
  inet 192.168.10.6 255.255.255.0
  !route add -host 173.194.38.184 192.168.10.5
  !route add -mpath default 192.168.10.5
 
 
  /etc/hostname.em1
 
  inet 192.168.20.6 255.255.255.0
  !route add -host 173.194.38.191 192.168.20.5
  !route add -mpath default  192.168.20.5
 
 
  Then, a shell script in crontab can ping those destination ip
  addresses  and see if they are UP or DOWN. ( ifstated also can do it.
  But, I will have to understand its behaviour )
 
 
  When , both are up Up, nothing is DONE  and when one fails remove that
  -mpath default route
 
  In this manner, When one link goes down, all traffic will go via the
  available link.
 
  That is what I am looking for. I think I am right.
 
  I am right ain't I?
 
  Yes I think this is what you're looking for.
 
 
  Then, I will have to discuss this below rule as well.
 
 
  pass in on $int_if from $lan_net \
  route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
  round-robin
 
 
  When one link goes DOWN, Will all the traffic go via the available link
  ?
 
  Does the above rule do this duty?
 
  No, your script or ifstated config will need to adjust this rule,
  you can do this by using a macro to write the rule, something like this:
 
  GATEWAYS=1.1.1.1@em0 2.2.2.2@em1
  pass in on $int_if from $lan_net route-to { $GATEWAYS }
 
  This helps because you can override the macro on the pfctl command line,
  so you can use something like to reload the ruleset with your choice
  of gateway:
 
  pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
  pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
  pfctl -D GATEWAYS=1.1.1.1@em0 2.2.2.2@em1 -f /etc/pf.conf
 
  While you're testing, use pfctl -v ... if you would like to check
  how the parsed rules look.
 
 
  I think I am getting closer to achieve the goal.
 
  Hi, Stuart Henderson, Many thanks to  your effort that put forth me to
  go ahead,
 
 
  Hope to hear from ALL.
 
 
 
 
 
 
 
  --
  Thank you
  Indunil Jayasooriya




-- 
Thank you
Indunil Jayasooriya



Re: Load balancing and fail-over

2012-05-17 Thread Indunil Jayasooriya
 why you not try the relayd way ?
 look at
 http://gouloum.fr/doc/multilink.html

 the part with relayd





  I found that URL  yesterday, I will have to learn it. I just try to
do it with a shell script.


anyway, Thanks a  lot.








-- 
Thank you
Indunil Jayasooriya



Re: Load balancing and fail-over

2012-05-17 Thread Indunil Jayasooriya
 No, your script or ifstated config will need to adjust this rule,
 you can do this by using a macro to write the rule, something like this:

 GATEWAYS=1.1.1.1@em0 2.2.2.2@em1
 pass in on $int_if from $lan_net route-to { $GATEWAYS }

 This helps because you can override the macro on the pfctl command line,
 so you can use something like to reload the ruleset with your choice
 of gateway:

 pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
 pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf
 pfctl -D GATEWAYS=1.1.1.1@em0 2.2.2.2@em1 -f /etc/pf.conf

 While you're testing, use pfctl -v ... if you would like to check
 how the parsed rules look.




Thanks once again for your introduction. I wrote a shell script, pls
see below

in /etc/pf.conf . I have the below variable

GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"


Now, This is the script.


#Checking WAN1
ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
VARWAN1=$(echo $?)

#Checking WAN2
ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
VARWAN2=$(echo $?)

if [ ${VARWAN1} = 0 ] && [ ${VARWAN2} = 0 ]; then
echo Both links are UP
route add -mpath default 1.1.1.1
route add -mpath default 2.2.2.2
pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN1} != 0 ] && [ ${VARWAN2} != 0 ]; then
echo Both links are DOWN
route add -mpath default 1.1.1.1
route add -mpath default 2.2.2.2
pfctl -D "GATEWAYS=1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ ${VARWAN1} != 0 ] ; then
echo WAN1 is DOWN
route add -mpath default 2.2.2.2
route delete -mpath default 1.1.1.1
pfctl -D GATEWAYS=2.2.2.2@em1 -f /etc/pf.conf

elif [ ${VARWAN2} != 0 ] ; then
echo WAN2 is DOWN
route add -mpath default 1.1.1.1
route delete -mpath default 2.2.2.2
pfctl -D GATEWAYS=1.1.1.1@em0 -f /etc/pf.conf
fi



Pls NOTE - Section2 ( i.e , when BOTH links are DOWN, No internet at ALL.
So Just behave as BOTH links are UP. It does NOT matter for me )

I think that traffic routes as I expected. I will have to test it.


Now, the interesting thing is this ( Taken from openbsd website)

#  keep https traffic on a single connection; some web applications,
#  especially secure ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
route-to ($ext_if1 $ext_gw1)


When both links are UP and WAN1 is UP https traffic will go via WAN1
When, WAN1 goes down, https should go via WAN2

  I think If I add another variable to /etc/pf.conf, I will be able to
achieve it too.


ONEWAYHTTPS=1.1.1.1@em0

pass in on $int_if proto tcp from $lan_net to port https \
route-to { $ONEWAYHTTPS }


and use this below while WAN1 goes DOWN

pfctl -D ONEWAYHTTPS=2.2.2.2@em1 -f /etc/pf.conf


Is it all right?

I think a few miles left for me to reach the goal.

If you can give an example it is worth millions time.


Your comments are welcome...






-- 
Thank you
Indunil Jayasooriya
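The decision table from the two scripts in this thread, as an added example that is not the poster's script: the WAN1/WAN2 decision is kept in functions that can be checked on their own, the route and pfctl changes live in one function, the https anchor from the poster's follow-up (onewayhttps) is refilled on every run, and pf.conf is parsed with pfctl -n before it is loaded. Addresses, interface names, the LAN on em2 and the anchor name are assumed from the thread; https is pinned to WAN1 as the post above describes.

```sh
#!/bin/sh
# Added example (not the poster's script).  Same decision table as the
# failover scripts in this thread, with the decision separated from the
# commands that change routes and PF state.
# Assumed from the thread: WAN1 gateway 1.1.1.1 on em0 (probe source
# 1.1.1.5), WAN2 gateway 2.2.2.2 on em1 (probe source 2.2.2.5), LAN on
# em2 as 192.168.0.0/24, probe targets 173.194.38.191 / 173.194.38.184.

WAN1_GW=1.1.1.1;  WAN1_IF=em0;  WAN1_SRC=1.1.1.5;  WAN1_PROBE=173.194.38.191
WAN2_GW=2.2.2.2;  WAN2_IF=em1;  WAN2_SRC=2.2.2.5;  WAN2_PROBE=173.194.38.184
LAN_IF=em2;       LAN_NET=192.168.0.0/24
PF_CONF=/etc/pf.conf
HTTPS_ANCHOR=onewayhttps        # anchor name taken from the thread

# link_status <source ip> <probe ip>: prints 0 when the probe answers
# from that source address, 1 otherwise.  -w caps the whole probe at
# 10 seconds so a dead link cannot stall a cron run.
link_status() {
    if ping -q -c 3 -i 2 -w 10 -I "$1" "$2" > /dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# gateways_for <wan1 status> <wan2 status>: value for the GATEWAYS macro
# (0 = up, 1 = down).  Both down is handled like both up, as the poster
# does: there is no better choice and the ruleset stays loaded.
gateways_for() {
    case "$1$2" in
        10) echo "$WAN2_GW@$WAN2_IF" ;;
        01) echo "$WAN1_GW@$WAN1_IF" ;;
        *)  echo "$WAN1_GW@$WAN1_IF $WAN2_GW@$WAN2_IF" ;;
    esac
}

# https_gateway_for <wan1 status> <wan2 status>: https is pinned to WAN1
# and moves to WAN2 only while WAN1 alone is down.
https_gateway_for() {
    if [ "$1" != 0 ] && [ "$2" = 0 ]; then
        echo "$WAN2_GW@$WAN2_IF"
    else
        echo "$WAN1_GW@$WAN1_IF"
    fi
}

# https_anchor_rule <wan1 status> <wan2 status>: the rule loaded into the
# anchor, produced as text so it can be reviewed before it is loaded.
https_anchor_rule() {
    echo "pass in on $LAN_IF proto tcp from $LAN_NET to port https route-to $(https_gateway_for "$1" "$2")"
}

# Route changes are repeated from cron, so an already present or already
# absent route is not an error.
ensure_route() { route add -mpath default "$1" > /dev/null 2>&1 || true; }
drop_route()   { route delete -mpath default "$1" > /dev/null 2>&1 || true; }

# apply_state <wan1 status> <wan2 status>: change routes, then PF.  The
# main ruleset is parsed with -n first so a bad macro value cannot leave
# the box with the old ruleset flushed and nothing loaded in its place.
apply_state() {
    gw=$(gateways_for "$1" "$2")
    if [ "$1" != 0 ] && [ "$2" = 0 ]; then
        ensure_route "$WAN2_GW"; drop_route "$WAN1_GW"
    elif [ "$2" != 0 ] && [ "$1" = 0 ]; then
        ensure_route "$WAN1_GW"; drop_route "$WAN2_GW"
    else
        ensure_route "$WAN1_GW"; ensure_route "$WAN2_GW"
    fi
    if ! pfctl -n -D "GATEWAYS=$gw" -f "$PF_CONF"; then
        echo "pf.conf does not parse with GATEWAYS=$gw; ruleset left unchanged" >&2
        return 1
    fi
    pfctl -D "GATEWAYS=$gw" -f "$PF_CONF"
    https_anchor_rule "$1" "$2" | pfctl -a "$HTTPS_ANCHOR" -f -
}

# Run from cron as: failover.sh apply
if [ "${1:-}" = apply ]; then
    w1=$(link_status "$WAN1_SRC" "$WAN1_PROBE")
    w2=$(link_status "$WAN2_SRC" "$WAN2_PROBE")
    echo "WAN1=$w1 WAN2=$w2 GATEWAYS=$(gateways_for "$w1" "$w2")"
    apply_state "$w1" "$w2"
fi
```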



Load balancing and fail-over

2012-05-16 Thread Indunil Jayasooriya
Hi,

I am looking for a Load balancing and fail-over setup. So I am working on
below 2 subjects


How can I do equal-cost multipath routing?

http://www.openbsd.org/faq/faq6.html



Load Balance Outgoing Traffic

http://www.openbsd.org/faq/pf/pools.html#outexample


My first question is how to do failover when one link goes down?

Can I do it with ping and ifstated ?

If yes, How to ping external internet host when that link is DOWN? I find
it difficult?

I tried it with below commands


ping -I WAN1_if_ip www.google.lk

ping -I WAN2_if_ip www.google.lk


Some times it works? some times it does NOT?

Could you pls explain why?


If it does NOT ping, How to do failover?


So, Now, I am trying with snmpwalk command. I think it is OKAY?  your
comments?

I found a URL here?

http://old.nabble.com/Re:-ifstated-and-ping-p15546523.html


Then, the other question is that when loadbalancing works as expected ,

I will have to send https via one link as described in Openbsd site.

Pls see below.

http://www.openbsd.org/faq/pf/pools.html#outexample

#  keep https traffic on a single connection; some web applications,
#  especially secure ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
route-to ($ext_if1 $ext_gw1)


Then, if that link goes down, when failover happens, how to send that
https traffic via the other link?

I think delete that rule and add another rule like this? am I right?

pass in on $int_if proto tcp from $lan_net to port https \
route-to ($ext_if2 $ext_gw2)


If I am right, How to delete the existing rule and add other rule when
failover happens?


Hope to hear from you.




-- 
Thank you
Indunil Jayasooriya



reply-to option for udp port 1194 ( for OpenVPN)

2012-02-02 Thread Indunil Jayasooriya
Hi list,

I am running PF on OpenBSD 5 with 2 external links.

One is ASDL and other is Leased line.

my /etc/mygate is set to adsl ip.

So, default route via ADSL.

But, I want to access OpenVPN (i.e port 1194) via Leased line from the
Internet.


when, I try to access I get below error.


Feb 02 13:21:04.717389 rule 17/(match) pass in on ne1: 220.x.y.z.53208 > 172.16.x.1.1194: udp 14

Feb 02 13:21:04.718461 rule 6/(match) block out on ne2: 192.168.1.z.1194 > 220.x.y.z.53208: udp 26
Feb 02 13:21:06.043509 rule 6/(match) block out on ne2: 192.168.1.z.1194 > 220.x.y.z.53208: udp 14


ip 192.168.1.z is the ip address of PF firewall that connects to ADSL router.




my pf.conf file looks like this.



vpn= tun0

match out on $wan_if from 10.0.1.0/24 nat-to ($wan_if)


# filter rules
block in log
block out log
#pass out quick log

antispoof quick for { lo $int_if }

pass in quick log on $vpn
pass out quick log on $vpn

pass in log on $wan_if inet proto udp from any to $wan_if \
  port 1194 reply-to ($wan_if $wan_gw)



I need your advice to solve this issue?

Anyway, if i set to with TCP like this

pass in log on $wan_if inet proto tcp from any to $wan_if \
  port 1194 reply-to ($wan_if $wan_gw)


It works . Why It does NOT work for udp?


Hope to hear from you..




, it works










-- 
Thank you
Indunil Jayasooriya



Re: ifstated.conf for multiple links with failover

2012-01-26 Thread Indunil Jayasooriya
Thanks for your reply. I am still studying your scripts.

anyway, I came across this below URL ( it is for Linux with fail over)

http://tech.gaeatimes.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/


They are doing it. Your comments?

Can I apply this to OpenBSD 5 ?



ifstated.conf for multiple links with failover

2012-01-25 Thread Indunil Jayasooriya
Hi,


I want to setup ifstated  for multiple links.


My requirement is very simple.

I have 2 links. one is ADSL and the other is leased-line.

When both links are up, outgoing traffic should be balanced via both links.

When ADSL is DOWN, outgoing traffic  should go via Leased line

When Leased line is DOWN, outgoing traffic should go via ADSL line.

I am writing /etc/ifstated.conf file.

But , I still haven't achieved it. Could you pls help me to solve this.

These are the urls I refer.

http://gouloum.fr/doc/multilink.html

http://www.suborbital.org.uk/canofworms/index.php?/archives/2-Failover-routing-with-OpenBSD-and-ifstated.html


And, here's my /etc/ifstated.conf file


# ifstated tests and run commands are double-quoted strings
pingVIAbothlinks = '( "ping -c 1 -I 192.168.1.253 www.google.lk > /dev/null" every 10 && "ping -c 1 -I 172.16.10.253 www.google.lk > /dev/null" every 10 )'
pingVIAadsl = '( "ping -c 1 -I 192.168.1.253 www.google.lk > /dev/null" every 10 )'
pingVIAleasedline = '( "ping -c 1 -I 172.16.10.253 www.google.lk > /dev/null" every 10 )'

#init-state zero

state zero {
init {
run "route add -mpath default 192.168.1.1"
run "route add -mpath default 172.16.10.254"
}
if ! $pingVIAadsl {
set-state one
}

}

state one {
init {
run "route delete -mpath default 192.168.1.1"
run "route add -mpath default 172.16.10.254"
}
if ! $pingVIAleasedline {
set-state two
}
}

state two {
init {
run "route delete -mpath default 172.16.10.254"
run "route add -mpath default 192.168.1.1"
}
if $pingVIAbothlinks {
set-state zero
}
}



Pls note:

192.168.1.253 is the ip of the PF box that connects to ADSL side.

172.16.10.253 is the leased line ip of the PF box that connects to
Leased line side.


here are my configuration details of the PF box ( OpenBSD - 5 - 64 bit )


# cat /etc/hostname.ne1
inet 172.16.10.253 255.255.255.0
!route add -mpath default 172.16.10.254


# cat /etc/hostname.ne2
inet 192.168.1.253 255.255.255.0
!route add -mpath default 192.168.1.1


# netstat -r | grep default
default            192.168.1.1        UGSP       0     2274     -     8 ne2
default            172.16.10.254      UGSP       1      280     -     8 ne1

I have enabled below values in /etc/sysctl.conf file.


net.inet.ip.forwarding=1

net.inet.ip.multipath=1



hope to hear from you.







-- 
Thank you
Indunil Jayasooriya



Re: ifstated.conf for multiple links with failover

2012-01-25 Thread Indunil Jayasooriya
 I am writing /etc/ifstated.conf file.

 But , I still haven't achieved it. Could you pls help me to solve this.


 www.openbsd.org/faq/pf/pools.html


Hi, I have already gone to it. Does automatic fail over happens, when
one link goes down?

I have Not tried it.

Do yo have any experience in regard to it.


I am using squid as transparent proxy on my PF box. So I think I only
need pass out traffic.

So , I am trying the below URL.

http://www.openbsd.org/faq/faq6.html#Multipath

That's why I try to configure ifstated..

any comments?




-- 
Thank you
Indunil Jayasooriya



load balancing outgoing web traffic ( http , https ) with failover

2012-01-17 Thread Indunil Jayasooriya
Hi List,

I am trying to load balance outgoing web traffic ( http , https  ) with
failover feature with PF.

i.e - Load balance port 80 and 443 web traffic from our LAN between both
ISP's. If one ISP goes down the other will take on 100% of the web traffic


My PF firewall (OpenBSD 5 - 64 bit) has 4 network cards.

they are as follows

#dmz interface
dmz_if=ne0

#wan interface
wan_if=ne1

#adsl interface
adsl_if=ne2

#internal interface - LAN interface
int_if=pcn0


Squid is running as transparent proxy. So , All LAN PCs access internet (
port 80 traffic ) via squid proxy.

Currently, default route has been set to adsl router. ip of adsl router is
in /etc/mygate file.

without changing /etc/mygate file ( i.e -  without removing /etc/mygate ),
I want to load balance outgoing web traffic ( http and https ) with
failover.

I think it is possible. I am trying with route-to option. But,  I still can
NOT achieve it.


here are a few sites I am studying.

http://www.openbsd.org/faq/pf/pools.html#outgoing

anyway, In the above URL, Squid is NOT included.


here's another. ( Squid is NOT included there too. )

https://calomel.org/pf_config.html
Example is -  Two external ISP connections using route-to and round-robin

I do need squid for port 80 traffic. ( http )


How , Can I achieve it ?


here are a few rules in pf.conf


# options
set block-policy return
set loginterface $adsl_if
set skip on lo

# match rules
match out on $adsl_if from $lan_net nat-to ($adsl_if)
match out on $wan_if from $lan_net nat-to ($wan_if)


# filter rules
block in log
#block out log
pass out quick log

antispoof quick for { lo $int_if }


# for squid
pass in log on $int_if proto tcp from $lan_net to any port 80 \
rdr-to 127.0.0.1 port 3128


Could you pls help me to solve it?  If you need more info, I would like to
provide.



-- 
Thank you
Indunil Jayasooriya



how to access a specific port on pf itself when equal-cost multipath routing is present

2012-01-09 Thread Indunil Jayasooriya
Hi List,


I  want to ask an question. I have 2 links. one is Leased line and the
other is ADSL line. I have configured equal-cost multipath routing for
outgoing traffic according to below URL

I have removed /etc/mygate file

http://www.openbsd.org/faq/faq6.html#Multipath

I can access internet from both links. It is all ok.

But, my question is Apache is running on this PF box on port . I want
to access it from the internet.

So I have added below rule in my pf.conf file


pass in log on $wan_if inet proto tcp from any to $wan_if \
  port  synproxy state


I want to access it form wan interface ( Leased line ).

Pls see the output of the below

# netstat -rnf inet | grep default
default            172.16.21.254      UGSP       2     2100     -     8 ne1
default            192.168.21.1       UGSP       3     1050     -     8 ne2


I want to access it via 172.16.21.254 which connects to Leased line.

when there is one default route is available, it is possible.

But, When there are 2 default routes, I can NOT access.

How can I achieve this?











-- 
Thank you
Indunil Jayasooriya



Re: how to access a specific port on pf itself when equal-cost multipath routing is present

2012-01-09 Thread Indunil Jayasooriya
Hi ,


Can I achieve it with

reply-to option

what about below URL ( it gives about rdr-to rule ). Can I get an help from
this below URL

http://n4p1.wordpress.com/2011/10/10/how-to-route-traffic-from-two-isp-in-openbsd-wo-bgp/





-- 
Thank you
Indunil Jayasooriya



Re: pcn0: packet spilled into next buffer

2012-01-06 Thread Indunil Jayasooriya
 Then, I got below error?
 
  pcn0: packet spilled into next buffer
 


  I got it before, But, Now, I do NOT get it.

I did below stuffs. (
http://www.webspy.com.au/blogs/index.php/openbsd-46-on-xenserver-5/ )

# config -e -f /bsd
ukc disable uhci
ukc quit


But, I doubt about it. Some how, Now, I do NOT get  the above error.


You should probably switch to an emulated em(4) which is likely to
 work better. If you have 'watchdog timeout' problems with em(4) on KVM



yeah, I got watchdog timeout

I deleted ethernet from KVM and added ne2k_pci

Now, All is OKAY. I am really happy.

Stuart, many thanks for your effort to help me.






-- 
Thank you
Indunil Jayasooriya



Re: pcn0: packet spilled into next buffer

2012-01-06 Thread Indunil Jayasooriya
 Bugs in virtual SW are not problem of OpenBSD ;-)

 yeah, U r right. OpenBSD is always excellent





-- 
Thank you
Indunil Jayasooriya



pcn0: packet spilled into next buffer

2012-01-05 Thread Indunil Jayasooriya
Hi mics,


I just installed OpenBSD 5 64 bit as a VM on Redhat Linux KVM .

Then, I got below error?

pcn0: packet spilled into next buffer


I searched the internet . then, I got below URL


http://www.google.lk/url?sa=trct=jq=packet spilled into next
buffersource=webcd=1ved=0CBoQFjAAurl=ftp%3A%2F%2Fftp.irisa.fr
%2Fpub%2FOpenBSD%2Fsrc%2Fsys%2Fdev%2Fpci%2Fif_pcn.cei=0KMGT8bKJPHQmAWiutSxAgusg=AFQjCNE_6v0It-SIaxCx7Yblsbf2Po1Y9gcad=rja


But, I can't get an idea from it.

It is normal or should I solve it ?


Hope to hear from you.



-- 
Thank you
Indunil Jayasooriya



Re: nginx

2011-11-09 Thread Indunil Jayasooriya
On Wed, Nov 9, 2011 at 10:33 PM, bigboy <big...@tormail.net> wrote:

 Hi
 Has anyone got examples of the right way of configuring the nginx no in
 base?

 what about this?

   https://calomel.org/nginx.html









-- 
Thank you
Indunil Jayasooriya



Re: OpenBSD 5.0 released Nov 1, 2011

2011-11-01 Thread Indunil Jayasooriya
 in bug reports, bug
 fixes, donation cheques, and hardware that we use.  We would also like
 to thank those who pre-ordered the 5.0 CD-ROM or bought our previous
 CD-ROMs.  Those who did not support us financially have still helped
 us with our goal of improving the quality of the software.

 Our developers are:

Alexander Bluhm, Alexander Hall, Alexander Schrijver,
Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
Ariane van der Steldt, Austin Hook, Benoit Lecocq, Bernd Ahlers,
Bob Beck, Bret Lambert, Charles Longeau, Chris Kuethe,
Christian Weisgerber, Christiano F. Haesbaert, Claudio Jeker,
Dale Rahn, Damien Bergamini, Damien Miller, Darren Tucker,
David Coppa, David Gwynne, David Hill, David Krause, Edd Barrett,
Eric Faurot, Federico G. Schwindt, Felix Kronlage, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Henning Brauer, Ian Darwin,
Igor Sobrado, Ingo Schwarze, Jacek Masiulaniec, Jakob Schlyter,
Janne Johansson, Jason George, Jason McIntyre, Jason Meltzer,
Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Sing,
Joerg Zinke, Jolan Luff, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Jordan Hargrave, Joshua Stein,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kurt Miller,
Landry Breuil, Laurent Fanis, Marc Espie, Marco Peereboom,
Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden,
Mark Uemura, Markus Friedl, Martin Pieuchot, Martynas Venckus,
Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor,
Nikolay Sturm, Okan Demirmen, Otto Moerbeek, Owain Ainsworth,
Paul de Weerd, Paul Irofti, Peter Hessler, Peter Valchev,
Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
Remi Pointel, Reyk Floeter, Robert Nagy, Ryan Freeman,
Ryan Thomas McBride, Sasano, Sebastian Reitenbach, Simon Bertrang,
Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt,
Thordur I Bjornsson, Tobias Weingartner, Todd C. Miller, Todd Fries,
Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo




-- 
Thank you
Indunil Jayasooriya



Re: I hate Spam

2011-05-12 Thread Indunil Jayasooriya
 and receive a lot of spam mail through the lists.

 I only receive a couple a day - no problem at all.

I have subscribed to misc , ipv6 and tech. I am free from spam too.

works great. No, problem at all.







-- 
Thank you
Indunil Jayasooriya



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-20 Thread Indunil Jayasooriya
On Tue, Apr 19, 2011 at 12:00 PM, Indunil Jayasooriya
<induni...@gmail.com> wrote:


 many thanks.  I got it working. I changed from http_port 3129 intercept to
 http_port 127.0.0.1:3129 intercept in squid.conf file.

 Here's the rule in pf.conf

 pass in log on $int_if proto tcp from $lan_net to any port 80 \
 divert-to 127.0.0.1 port 3129


very sorry. After sending this mail, I checked squid cache.log with
below command

tail -f /var/squid/logs/cache.log


 this below error still appears.

Intercept.cc(305) PfInterception: PF open failed: (13) Permission denied


I just wanted to let you know. If this is a trouble, Pls excuse me.





--
Thank you
Indunil Jayasooriya



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-19 Thread Indunil Jayasooriya
 The non-obvious thing here is you must bind the listening socket in
 squid to 127.0.0.1 e.g.

 http_port 127.0.0.1:3127 transparent

 I will talk to the port maintainer about removing --enable-pf-transparent.


many thanks.  I got it working. I changed from http_port 3129 intercept to
http_port 127.0.0.1:3129 intercept in squid.conf file.

Here's the rule in pf.conf

pass in log on $int_if proto tcp from $lan_net to any port 80 \
divert-to 127.0.0.1 port 3129




-- 
Thank you
Indunil Jayasooriya



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-15 Thread Indunil Jayasooriya
 The non-obvious thing here is you must bind the listening socket in
 squid to 127.0.0.1 e.g.

 http_port 127.0.0.1:3127 transparent

 I will talk to the port maintainer about removing --enable-pf-transparent.


Hi, I think this below link may be useful. ( this reply from a squid
developer)

http://www.mail-archive.com/squid-users@squid-cache.org/msg78541.html






-- 
Thank you
Indunil Jayasooriya



/dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-08 Thread Indunil Jayasooriya
Hi list,

I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
transparent mode. I can browse internet. But, I get the below error.



2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:20 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:53 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:54 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:55 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied


Then, I did below steps. I got it from
http://www.benzedrine.cx/transquid.html (PF founder's link)

are the below 2 commands okay for OpenBSD 4.8?

# chgrp _squid /dev/pf
# chmod g+rw /dev/pf

but, for squid 2.7.9 on OpenBSD 4.8, I have the default. Pls see .I
did NOT change /dev/pf

# ls -al /dev/pf
crw---  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf

any comments?





-- 
Thank you
Indunil Jayasooriya



Re: pf rule

2011-04-06 Thread Indunil Jayasooriya
On Wed, Apr 6, 2011 at 1:49 PM, Gianluca D'Auri Muscelli <g...@email.it>
wrote:
 Hi everyone,
 I never had to deal with pf, but if possible i have a question:

 on my OpenBSD now block all outcoming connection to ssh and telnet to
internet
 with:

 block out on re0 proto { tcp } from any to any port  { ssh telnet }

do you have one interface?

re0 may be your external interface. What is your internal interface





--
Thank you
Indunil Jayasooriya



Re: No data in pfstat-queues graph

2011-03-21 Thread Indunil Jayasooriya
 The queue names in pf.conf do not match the names in your pfstat.conf.
  A collect syntax in your pfstat.conf should look like the following:

 collect 11 = queue tcp_ack pass bytes diff

   yes, U r right. in my case, it should be

  collect 11 = queue tcp_ack_out pass bytes diff

it is OKAY. I have replied too.  Thanks for your reply.







-- 
Thank you
Indunil Jayasooriya



No data in pfstat-queues graph

2011-03-18 Thread Indunil Jayasooriya
Hi list,

I use pfstat to get the graphs. every graph  is working fine other than
pfstat-queues graph. This graph is always blank. No data to display. always
empty.


Here's the output of

# pfctl -sq

queue std_out on em0 priq( default )
queue ssh_im_out on em0 priority 4 priq( red )
queue dns_out on em0 priority 5
queue tcp_ack_out on em0 priority 6
queue root_em1 on em1 bandwidth 2Mb priority 0 cbq( wrr root ) {std_in,
ssh_im_in, dns_in, student_in, queueforuserm_in}
queue  std_in on em1 bandwidth 1.50Mb cbq( borrow default )
queue  ssh_im_in on em1 bandwidth 200Kb priority 4
queue  dns_in on em1 bandwidth 120Kb priority 5
queue  student_in on em1 bandwidth 80Kb
queue  queueforuserm_in on em1 bandwidth 100Kb


and, here's the contents of pfstat-queues  section in pfstat.conf file


collect 11 = queue "ack" pass bytes diff
collect 12 = queue "dns" pass bytes diff
collect 13 = queue "ssh" pass bytes diff
collect 14 = queue "std" pass bytes diff

image "/var/www/htdocs/pfstat/pfstat-queues.jpg" {
   from 1 days to now
   width 980 height 300
   left
   graph 11 bps "ack" "bits/s" color 0 192 192,
   graph 12 bps "dns" "bits/s" color 192 0 192,
   graph 13 bps "ssh" "bits/s" color 255 0 0,
   graph 14 bps "std" "bits/s" color 192 192 0

}


I dig from the net. I did NOT come across an answer. That's why I sent it.

Could you pls let me know what will I have to do ?






-- 
Thank you
Indunil Jayasooriya



Re: mount_ffs: -o mand: option not supported for havp

2011-03-12 Thread Indunil Jayasooriya
On Sat, Mar 12, 2011 at 1:00 PM, Joachim Schipper
<joac...@joachimschipper.nl> wrote:

 On Sat, Mar 12, 2011 at 07:39:12AM +0100, Antoine Jacoutot wrote:
  On Sat, 12 Mar 2011, Indunil Jayasooriya wrote:
 # /usr/local/sbin/havp
 Starting HAVP Version: 0.91
 *Mandatory locking disabled! KEEPBACK settings not used!
 *
 then, I tried to mount in this way. then, I got the below error.
   
Yes, mandatory locking is not supported on *BSD and havp has been
compiled with --disable-locking. And it's not an error but just a
warning.

   then, what about this?
  
   KEEPBACK settings not used!
  
   It it also normal?

   and I also want to know, which method is recommended? havp as a parent
 proxy
   ( i am currently running) or squid as a parent proxy?
  
   Hope to hear from you.
 
  What don't you go and ask on the havp mailling lists.

 The second post at http://havp.hege.li/forum/viewtopic.php?p=962 seems
 to answer the KEEPBACK question (but do check the actual manual); and
 there are a lot of HAVP-Squid and Squid-HAVP-Squid HOWTO's, and the
 manul probably says something about that as well. The OP should just
 read the docs and search the web, not bother yet another list.



Thank you very much for your effort to send me the above URL. About, an hour
ago, I also came across it.  So , it is finished.





-- 
Thank you
Indunil Jayasooriya



mount_ffs: -o mand: option not supported for havp

2011-03-11 Thread Indunil Jayasooriya
Hi misc,

I configured havp from the OpenBSD 4.8 ports tree.

I configured havp as a parent proxy. I added relevant lines squid.conf file.
everything works fine.

But when I started havp, I get the below error. (pls pay attention to the highlighted
line)


# /usr/local/sbin/havp
Starting HAVP Version: 0.91
Mandatory locking disabled! KEEPBACK settings not used!
then, I tried to mount in this way. then, I got the below error.


# mount -u -o mand /var
mount_ffs: -o mand: option not supported


I read below URL too.

http://havp.hege.li/forum/viewtopic.php?f=3t=493


Is anybody out there that has mounted in a right way.

Hope to hear from you.





-- 
Thank you
Indunil Jayasooriya



Re: mount_ffs: -o mand: option not supported for havp

2011-03-11 Thread Indunil Jayasooriya
  # /usr/local/sbin/havp
  Starting HAVP Version: 0.91
  *Mandatory locking disabled! KEEPBACK settings not used!
  *
  then, I tried to mount in this way. then, I got the below error.

 Yes, mandatory locking is not supported on *BSD and havp has been
 compiled with --disable-locking. And it's not an error but just a
 warning.

 Thanks a lot for your response.  It makes me to go ahead.

then, what about this?

KEEPBACK settings not used!

Is it also normal?

or should I need to tweak below stuffs in /etc/havp/havp.config file.

KEEPBACKBUFFER 20

and

 KEEPBACKTIME 5


and I also want to know, which method is recommended? havp as a parent proxy
( i am currently running) or squid as a parent proxy?

Hope to hear from you.



-- 
Thank you
Indunil Jayasooriya



Re: how to set an alias on a carp interface?

2011-02-18 Thread Indunil Jayasooriya
 one IP per subnet with the real mask so there is a route, all others
 with all-ones netmask.

 Then, It is like this..


# cat /etc/hostname.em0

inet 192.168.9.62 255.255.255.0
inet alias 192.168.9.63 255.255.255.255
inet alias 192.168.5.62 255.255.255.0
inet alias 192.168.5.63 255.255.255.255
inet alias 192.168.6.62 255.255.255.0
inet alias 192.168.6.63 255.255.255.255

your comments?





-- 
Thank you
Indunil Jayasooriya



Re: SSH getting blocked on PF after 30 seconds (OpenBSD 4.7)

2011-02-10 Thread Indunil Jayasooriya
 I have
 tried the following more specific pass rule above the previous admin rule
 :
 pass in quick inet proto tcp from admin_nets to any port ssh flags
S/SAFR
 keep
 state queue q_admin


 But that makes no difference.

Is it under testing or production?

Is it possible to remove *queue q_admin* from the above rule and see ?




-- 
Thank you
Indunil Jayasooriya



Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-02 Thread Indunil Jayasooriya
 But, it always directs to one particular ip address. How to see load
 balancing?

 today,  I myself learnt it from the below url


http://www.openbsd.org/faq/pf/pools.html#incoming

match in on $ext_if proto tcp to port 80 rdr-to $web_servers \
round-robin *sticky-address*

Successive connections will be redirected to the web servers in a
round-robin manner with connections from the same source being sent to the
same web server. This *sticky connection* will exist as long as there are
states that refer to this connection. Once the *states expire*, so will the
sticky connection. Further connections from that host will be redirected to
*the next web server* in the round robin.

If I remove *sticky-address* from the above rule, it will load balance in a
*one by one manner*.

Thank you all for your wonderful support.







-- 
Thank you
Indunil Jayasooriya
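Why a single test client keeps landing on one server: a small Python model (added here, not pf's own code) of the round-robin redirection pool with and without sticky-address, where the source-tracking entry lives as long as states still refer to it. Server and client addresses are constructed samples.

```python
# Model of pf's "rdr-to $web_servers round-robin sticky-address" pool
# selection as the FAQ text describes it. Added illustration, not pf's
# source: no timers, no real pf state table, just the selection logic.

WEB_SERVERS = ["192.168.1.64", "192.168.1.66", "192.168.1.67"]  # constructed
CLIENT = "203.0.113.10"                                          # constructed


class RdrPool:
    """Round-robin redirection pool, optionally with sticky-address."""

    def __init__(self, servers, sticky=True):
        self.servers = list(servers)
        self.sticky = sticky
        self.next_idx = 0   # round-robin position
        self.track = {}     # source IP -> server it is stuck to
        self.refs = {}      # source IP -> number of live states

    def new_connection(self, src):
        """Pick the server for a new connection from src (a new pf state)."""
        if self.sticky and src in self.track:
            # Source-tracking entry exists: same server, one more state.
            self.refs[src] += 1
            return self.track[src]
        server = self.servers[self.next_idx]
        self.next_idx = (self.next_idx + 1) % len(self.servers)
        if self.sticky:
            self.track[src] = server
            self.refs[src] = 1
        return server

    def state_expired(self, src):
        """A state from src expired; the sticky entry dies with the last one."""
        if src in self.refs:
            self.refs[src] -= 1
            if self.refs[src] == 0:
                del self.refs[src]
                del self.track[src]


def one_client(n, sticky):
    """Servers seen by n connections from a single test client."""
    pool = RdrPool(WEB_SERVERS, sticky)
    return [pool.new_connection(CLIENT) for _ in range(n)]


def many_clients(clients):
    """Server chosen for the first connection of each distinct client."""
    pool = RdrPool(WEB_SERVERS, sticky=True)
    return {c: pool.new_connection(c) for c in clients}


def after_expiry():
    """Only when every state of a client has expired does it move on."""
    pool = RdrPool(WEB_SERVERS, sticky=True)
    first = pool.new_connection(CLIENT)
    pool.new_connection(CLIENT)          # second state, same server
    pool.state_expired(CLIENT)           # one state still refers to it
    still = pool.new_connection(CLIENT)  # so the entry is still sticky
    pool.state_expired(CLIENT)
    pool.state_expired(CLIENT)           # last state gone, entry dropped
    moved = pool.new_connection(CLIENT)  # next server in the round robin
    return first, still, moved


if __name__ == "__main__":
    print("one client, sticky:   ", one_client(3, sticky=True))
    print("one client, no sticky:", one_client(3, sticky=False))
    print("three clients:        ", many_clients(["203.0.113.10", "203.0.113.11", "203.0.113.12"]))
    print("after expiry:         ", after_expiry())
```

Testing from one workstation therefore always shows the same backend; the rotation only becomes visible across distinct source addresses or after that client's states have expired.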



pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Indunil Jayasooriya
Hi list,

I have 3 web servers running on port 8080 behind a PF firewall. I am trying
to load balance the incoming connections to these web servers.

I wrote rules as below. Pls pay attention to the *highlighted BOLD* rules;
they are the ones I have written. But I can NOT log in to these web servers
from the Internet.




# macros
ext_if=em0
int_if=em1

web_servers = { 192.168.x.64, 192.168.x.66, 192.168.x.67 }
lan_net=192.168.x.0/24


# options
set block-policy return
set loginterface $ext_if
set skip on lo
set state-policy if-bound


# Normalizing packets
# Filter traffic for unusual packets
match in on $ext_if scrub (random-id min-ttl 5 no-df)
match out on $ext_if scrub (random-id no-df)


*match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers \
round-robin sticky-address*


# filter rules
block in log
block out log


*pass out log on $int_if inet proto tcp from any to $web_servers port 8080 \
   flags S/SA modulate state*



I visited this URL as well: http://www.openbsd.org/faq/pf/pools.html

Still no luck.

Where have I gone wrong?





-- 
Thank you
Indunil Jayasooriya



Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Indunil Jayasooriya
  *match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers \
  round-robin sticky-address*

 You need to pass the inbound traffic somehow (match doesn't do this).
 Either change the 'match in' above to 'pass in',


YES, changed. It worked.


 or add another rule


   TESTED the below too. It also worked.


 below like this:

pass in on $ext_if inet proto tcp to $web_servers port 8080


  # filter rules
  block in log
  block out log

 I think it's better you put this before the match rule(s).  If you don't
 you'll have to use 'quick' on the pass rules I mentioned above.

 As you said, I put the above 2 rules before. Thanks a lot.

*Here are my rules NOW.*


##For web_servers - BEGIN

match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers
\
round-robin sticky-address

pass in on $ext_if inet proto tcp from any to $web_servers port 8080
*# either the above 2 rules or the below one*

pass in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers \
round-robin sticky-address

*#This is to go out from $int_if*

pass out log on $int_if inet proto tcp from any to $web_servers port 8080 \
   flags S/SA modulate state

##END


But it always directs to one particular IP address. How do I see load
balancing?





-- 
Thank you
Indunil Jayasooriya



Re: allocation bandwidth with cbq

2011-01-28 Thread Indunil Jayasooriya
Hi,

I got it done, but only for *http* traffic. I want to get it done for ftp
download also, but it does NOT work.

These are the rules


# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.

altq on em1 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, student_in }

# define the parameters for the child queues.
# std_in  - the standard queue. any filter rule below that does not
#   explicitly specify a queue will have its traffic added
#   to this queue.
# ssh_im_in   - interactive SSH and various instant message traffic.
# dns_in  - DNS replies.
# student_in  - bandwidth reserved for student's workstation.
#

queue std_in bandwidth 1.6Mb cbq(default borrow)
queue ssh_im_in  bandwidth 200Kb priority 4
queue dns_in bandwidth 120Kb priority 5
queue student_in bandwidth 80Kb cbq


# FTP Proxy rules (*This highlighted rule in bold DOES NOT work. Any idea?*)
anchor ftp-proxy/*
*pass in quick on $int_if proto tcp from $student_pc to any port 21 \
flags S/SA keep state rdr-to 127.0.0.1 port 8021 queue student_in*

pass in quick on $int_if proto tcp from $lan_net to any port 21 \
flags S/SA keep state rdr-to 127.0.0.1 port 8021

# Squid Redirect ( *This highlighted rule worked*)
*pass in quick on $int_if proto tcp from $student_pc to any port { 80 8080 } \
flags S/SA keep state rdr-to 127.0.0.1 port 3128 queue student_in*
pass in quick on $int_if proto tcp from $lan_net to any port { 80 8080 } \
flags S/SA keep state rdr-to 127.0.0.1 port 3128


pass in quick log on $int_if inet proto udp from $lan_net to !$int_if \
  port $clientudpports keep state queue dns_in

pass in quick log on $int_if inet proto tcp from $student_pc to !$int_if \
  port $https flags S/SA keep state queue student_in

pass in quick log on $int_if inet proto tcp from $lan_net to !$int_if \
  port $https flags S/SA keep state



I have got what I want up to a certain extent. I am still trying to allocate
80Kbps for ftp download by student_pc.

I think port 21 is for establishing the connection. It further needs ports
higher than 49151.

So I added it in this way as well.

*pass in quick on $int_if proto tcp from $student_pc to any port ( 21  
49151 \
flags S/SA keep state rdr-to 127.0.0.1 port 8021 queue student_in*

Still no luck?

Any idea?







-- 
Thank you
Indunil Jayasooriya



Re: allocation bandwidth with cbq

2011-01-28 Thread Indunil Jayasooriya
You need to get your ftp-proxy setup right.



 *I am doing so. Pls see below.* Is it right?



 AFAICT you just add the anchor, but do not do the pass in to port 21
 rdr-to 127.0.0.7 port 8021.


OK, removed the 2 rules with *pass in to port 21 rdr-to 127.0.0.7 port 8021*.



 Later on you must grant the proxy access to external ftp servers. You
 can add the traffic to the ftp queue from there

 Added these rules instead. Now the rule set is like this (newly added rules
in BOLD):

# FTP Proxy rules
anchor ftp-proxy/*

*pass in quick on $int_if proto tcp from $student_pc to any port { 21  49151 } \
flags S/SA keep state queue student_in*

*pass in quick on $int_if proto tcp from $lan_net to any port { 21  49151 } \
flags S/SA keep state*
pass in quick log on $int_if inet proto udp from $lan_net to !$int_if \
  port $clientudpports keep state queue dns_in

*pass out log on $ext_if inet proto tcp from $ext_if to any \
  port { 21  49151 } flags S/SA modulate state*


Now the student gets a download speed of *80Kbps*.

Is this way right? Is there a better way? If so, I would like to hear it.


-- 
Thank you
Indunil Jayasooriya



Re: allocation bandwidth with cbq

2011-01-27 Thread Indunil Jayasooriya
 Hi, thanks for your reply. I am still NOT able to get it done (i.e.
 downloading @ 80 Kbps without borrowing for the student). Pls see below.



 
  and wrote my rules. But, I still can NOT allocate 80Kbps for the student,
  while downloading. it goes up whole a lot.  here are my rules. ( em0  is
  ext_if and em1 is int_if )
 
 
  # enable queueing on the external interface to control traffic going to
  # the Internet. use the priq scheduler to control only priorities. set
  # the bandwidth to 485Kbps to get the best performance out of the TCP
  # ACK queue.
 
  altq on em0 priq bandwidth 485Kb queue { std_out, ssh_im_out, dns_out, \
  tcp_ack_out }

  altq on em0 cbq bandwidth 485Kb queue { std_out, ssh_im_out, dns_out, \
 tcp_ack_out }

 It should be like below. (I added tcp_student_out.)

 altq on em0 cbq bandwidth 485Kb queue { std_out, ssh_im_out, dns_out, \
tcp_ack_out, tcp_student_out }


queue std_out bandwidth 300Kb cbq(default borrow)
  queue ssh_im_out bandwidth 50Kb cbq(red)
  queue dns_out bandwidth 25Kb cbq(borrow)
  queue tcp_ack_out bandwidth 30Kb priority 6 cbq(borrow red)
  queue tcp_student_out bandwidth 80Kb cbq(red)

 
  # define the parameters for the child queues.
  # std_out  - the standard queue. any filter rule below that does not
  #explicitly specify a queue will have its traffic added
  #to this queue.
  # ssh_im_out   - interactive SSH and various instant message traffic.
  # dns_out  - DNS queries.
  # tcp_ack_out  - TCP ACK packets with no data payload.
 
 
  # enable queueing on the internal interface to control traffic coming in
  # from the Internet. use the cbq scheduler to control bandwidth. max
  # bandwidth is 2Mbps.
 
  altq on em1 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, student_in }


 
  # define the parameters for the child queues.
  # std_in  - the standard queue. any filter rule below that does not
  #   explicitly specify a queue will have its traffic added
  #   to this queue.
  # ssh_im_in   - interactive SSH and various instant message traffic.
  # dns_in  - DNS replies.
  # student_in  - bandwidth reserved for  the workstation.
  #
 
  queue std_in bandwidth 1.6Mb cbq(default)
  queue ssh_im_in  bandwidth 200Kb priority 4
  queue dns_in bandwidth 120Kb priority 5
  queue student_in bandwidth 80Kb cbq
 
  queue std_in bandwidth 1.6Mb cbq(default borrow)
  queue ssh_im_in  bandwidth 200Kb priority 4
  queue dns_in bandwidth 120Kb priority 5
  queue student_in bandwidth 80Kb cbq

 Added as given above.


 
  clienttcpports={ 21, 80, 8080, 443 }
  clientudpports={ 53 }
 
 
  # FTP-Proxy
  anchor ftp-proxy/*
  pass in quick on $int_if proto tcp from $lan_net to any port 21 \
  flags S/SA keep state rdr-to 127.0.0.1 port 8021
 
  # Squid Redirect
  pass in quick on $int_if proto tcp from $lan_net to any port { 80 8080 }
 \
  flags S/SA keep state rdr-to 127.0.0.1 port 3128
 #--

  pass in quick on $int_if proto tcp from $student_pc to any port 21 \
 flags S/SA keep state rdr-to 127.0.0.1 port 8021 queue student_in

  pass in quick on $int_if proto tcp from $student_pc to any port { 80 8080
 } \
 flags S/SA keep state rdr-to 127.0.0.1 port 3128 queue student_in

  pass in quick on $int_if proto tcp from $lan_net to any port 21 \
 flags S/SA keep state rdr-to 127.0.0.1 port 8021

  pass in quick on $int_if proto tcp from $lan_net to any port { 80 8080 } \
 flags S/SA keep state rdr-to 127.0.0.1 port 3128

 Added as given above.





 
  # filter rules
  block in log
  block out log
  #pass out log keep state
 
  antispoof quick for { lo $int_if ext_if }
 
 
  pass in log on $int_if inet proto udp from $lan_net to !$int_if \
port $clientudpports keep state


   pass in log on $int_if inet proto tcp from $student_pc to !$int_if \
 port $https flags S/SA keep state queue student_in

  pass in log on $int_if inet proto tcp from $lan_net to !$int_if \
port $https flags S/SA keep state
 
 
  pass out log on $ext_if inet proto udp from $ext_if to any \
port $clientudpports keep state queue dns_out
 
  pass out log on $ext_if inet proto tcp from  $ext_if to any \
port $clienttcpports flags S/SA modulate state queue(std_out,
 tcp_ack_out)
 
 
 
  ###pass out on $int_if proto udp from port $clientudpports to $student_pc
 \
   ###   queue dns_in --delete
 
  ###pass out on $int_if proto tcp from port $clienttcpports to $student_pc
 \
   ###   queue student_in   -delete
 

  I understood the above 2 rules.


 block out on $int_if


I think this is NOT needed, since I have the default block above:

block in log
block out log


 if a rule pass in on $int_if with keep state it will pass back to
 $student_pc

  Yeah, I understand.


Hope to hear from you.



-- 
Thank you
Indunil Jayasooriya



allocation bandwidth with cbq

2011-01-26 Thread Indunil Jayasooriya
Hi list,

I am trying to allocate bandwidth with cbq. I just want to allocate 80Kbps
for a student. I do NOT want him to borrow bandwidth when it is
available. I am on 64-bit OpenBSD 4.8 stable.


I went to the below URL and studied *example 1*, Small, Home Network:
http://www.openbsd.org/faq/pf/queueing.html


and wrote my rules. But I still can NOT allocate 80Kbps for the student
while downloading; it goes up a whole lot. Here are my rules (em0 is
ext_if and em1 is int_if):


# enable queueing on the external interface to control traffic going to
# the Internet. use the priq scheduler to control only priorities. set
# the bandwidth to 485Kbps to get the best performance out of the TCP
# ACK queue.

altq on em0 priq bandwidth 485Kb queue { std_out, ssh_im_out, dns_out, \
tcp_ack_out }

# define the parameters for the child queues.
# std_out  - the standard queue. any filter rule below that does not
#explicitly specify a queue will have its traffic added
#to this queue.
# ssh_im_out   - interactive SSH and various instant message traffic.
# dns_out  - DNS queries.
# tcp_ack_out  - TCP ACK packets with no data payload.

queue std_out priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.

altq on em1 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, student_in }

# define the parameters for the child queues.
# std_in  - the standard queue. any filter rule below that does not
#   explicitly specify a queue will have its traffic added
#   to this queue.
# ssh_im_in   - interactive SSH and various instant message traffic.
# dns_in  - DNS replies.
# student_in  - bandwidth reserved for  the workstation.
#

queue std_in bandwidth 1.6Mb cbq(default)
queue ssh_im_in  bandwidth 200Kb priority 4
queue dns_in bandwidth 120Kb priority 5
queue student_in bandwidth 80Kb cbq


clienttcpports={ 21, 80, 8080, 443 }
clientudpports={ 53 }


# FTP-Proxy
anchor ftp-proxy/*
pass in quick on $int_if proto tcp from $lan_net to any port 21 \
flags S/SA keep state rdr-to 127.0.0.1 port 8021

# Squid Redirect
pass in quick on $int_if proto tcp from $lan_net to any port { 80 8080 } \
flags S/SA keep state rdr-to 127.0.0.1 port 3128

# filter rules
block in log
block out log
#pass out log keep state

antispoof quick for { lo $int_if ext_if }


pass in log on $int_if inet proto udp from $lan_net to !$int_if \
  port $clientudpports keep state

pass in log on $int_if inet proto tcp from $lan_net to !$int_if \
  port $https flags S/SA keep state


pass out log on $ext_if inet proto udp from $ext_if to any \
  port $clientudpports keep state queue dns_out

pass out log on $ext_if inet proto tcp from  $ext_if to any \
  port $clienttcpports flags S/SA modulate state queue(std_out, tcp_ack_out)



pass out on $int_if proto udp from port $clientudpports to $student_pc \
queue dns_in

pass out on $int_if proto tcp from port $clienttcpports to $student_pc \
queue student_in



There are some more rules, but I think the given rules are enough.


Any ideas?






-- 
Thank you
Indunil Jayasooriya



pf commands to discuss

2011-01-20 Thread Indunil Jayasooriya
Hi list,


I have a question. I want my PC (i.e. admin_pc), which is behind an
OpenBSD 4.8 pf firewall (doing NAT), to be able to traceroute. So I have
added the below rules in the pf.conf file.


match out on $ext_if from $lan_net nat-to ($ext_if)

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
  port 33433 >< 33626 keep state

pass out log on $ext_if inet proto udp from $ext_if to any \
  port 33433 >< 33626 keep state


Due to the above rules, my PC can traceroute. It works fine. *But*, in
addition to that, the firewall can also traceroute because of the above *pass
out* rule. I *do NOT* want the firewall to be able to traceroute.

My question is: how can I exclude my firewall from being able to do
it?







-- 
Thank you
Indunil Jayasooriya



Re: pf commands to discuss

2011-01-20 Thread Indunil Jayasooriya
 Anyway, thanks for enlightening me.

 pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
  port 33433 >< 33626 keep state tag mytracert

 pass out log on $ext_if inet proto udp from $ext_if to any \
  port 33433 >< 33626 keep state tagged mytracert


   The above 2 rules were tested. They worked as expected.


 or:

 pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
  port 33433 >< 33626 keep state

 pass out log on $ext_if inet proto udp from $ext_if to any \
  port 33433 >< 33626 keep state *tagged mytracert* received-on $int_if


The above 2 rules were tested as well, but they did not work. Then *tagged
mytracert* was removed. After removing it, it worked.

This is the rule:

*pass out log on $ext_if inet proto udp from $ext_if to any \
 port 33433 >< 33626 keep state received-on $int_if*


Now, everything is OK.



Re: pf commands to discuss

2011-01-20 Thread Indunil Jayasooriya
  pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
   port 33433 >< 33626 keep state

  pass out log on $ext_if inet proto udp from $ext_if to any \
   port 33433 >< 33626 keep state tagged mytracert received-on $int_if

 I guess there is a ``tagged mytracert'' copy-paste error, removed it:


Yes, you are right. *The below 2 rules worked*. Thanks a lot.


 pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
  port 33433 >< 33626 keep state

 pass out log on $ext_if inet proto udp from $ext_if to any \
  port 33433 >< 33626 keep state received-on $int_if



 Thank you
Indunil Jayasooriya



Re: pf commands to discuss

2011-01-20 Thread Indunil Jayasooriya
On Thu, Jan 20, 2011 at 2:57 PM, Ryan McBride mcbr...@openbsd.org wrote:

 On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
  my question is that How can I exclude my firewall from being able to
 doing
  it ?

 I'm really not sure why you don't want the firewall to be able to
 traceroute. (hint: if you can't trust the users on your firewall to
 behave responsibly with basic troubleshooting tools, you're Doing It
 Wrong (tm)).


 I thought in this way: if I want to traceroute only from my PC, why should
I open it from the firewall?
That's why I asked such a question.

I would like to give another example. Suppose my PC behind the firewall
only wants to access a port outside, let's say tcp port 1 (webmin runs
on it); then from my PC I can do administration since it is web based. So I
think that the firewall does NOT need access to it, since I am NOT going to
access it from my firewall. In this way, I wanted to filter traffic
selectively.

 So I achieved it, and I realized how to do it as well. I gained the knowledge
thanks to your below rules. Thanks a LOT. This list is also very useful. Thanks
once again.


match out on $ext_if from $lan_net nat-to ($ext_if)

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
 port 33433 >< 33626 tag ADMIN

pass out log on $ext_if inet proto udp from $ext_if to any \
port 33433 >< 33626 tagged ADMIN

 Tested. Worked.


 Note I've removed the 'keep state', it's not necessary to specify that
 anymore.


Yes, I know. Thanks a lot for the extra effort. I appreciate it a
lot.



Re: Sendmail basic mail server

2011-01-17 Thread Indunil Jayasooriya
Hi,

Pls try the below.

In the /usr/share/sendmail/cf/openbsd-proto.mc file,

pls change

dnl MASQUERADE_AS(`mycompany.com')dnl

to

MASQUERADE_AS(`my.domain')dnl

Then:

m4 /usr/share/sendmail/cf/cf.m4 /etc/mail/openbsd-proto.mc > /etc/mail/sendmail.cf





On Mon, Jan 17, 2011 at 1:27 PM, OpenBSD Geek open...@e-solutions.re wrote:

 Hi,
 I have an OpenBSD 4.7 machine.
 I want to build a mailserver using sendmail MTA.
 Openbsd hostname : box.my.domain
 When I send a mail, it comes from u...@box.my.domain instead of
 u...@domainchosed.net

 What I have done:
 cp /usr/share/sendmail/cf/openbsd-proto /etc/mail
 m4 /usr/share/sendmail/cf/cf.m4 /etc/mail/openbsd-proto > /etc/mail/sendmail.cf

 in /etc/rc.conf :
 sendmail_flags=-L sm-mta -C/etc/mail/sendmail.cf -bd -q30m

 in my /etc/mail/virtusertable :
 u...@domainchosed.net   user

 in my /etc/mail/genericstable :
 user  u...@domainchosed.net

 in my /etc/local-host-names :
 domainchosed.net

 I also did:
 makemap hash genericstable.db < genericstable
 makemap hash virtusertable.db < virtusertable
 restart sendmail

 But it still sends mail using @box.my.domain; can someone help me? Thanks




-- 
Thank you
Indunil Jayasooriya


