Re: Fuse on OpenBSD

2013-07-04 Thread Hugo Osvaldo Barrera
On 2013-07-03 18:55, Theo de Raadt wrote: About a month ago, I followed up on tech@ that some fuse support had been merged into the kernel, but disabled by default. (By the way, congrats and thanks to the devs for that! :D) I'm wondering if there's any timeframe for this getting enabled

Re: Softraid performance: CRYPTO on top of RAID 1?

2013-07-04 Thread Andrey Mitroshin
similar CRYPTO on RAID 1 configuration Could you please supply some details of how you did that? On Thu, Jul 04, 2013 at 02:33:51AM +1000, Joel Sing wrote: On Tue, 2 Jul 2013, Erling Westenvik wrote: Hi folks, Anyone having any experience with putting an softraid CRYPTO partition on

Re: PF sync doesn't not work very well

2013-07-04 Thread David Gwynne
On 03/07/2013, at 10:11 PM, Mark Felder f...@feld.me wrote: On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot loic.b...@unix-experience.fr wrote: Hello, no carp is used at this time. pfsync needs to be used with carp... without it you're just playing whack-a-mole with your session table.

Re: PF sync doesn't not work very well

2013-07-04 Thread David Gwynne
On 03/07/2013, at 6:23 PM, Loïc Blot loic.b...@unix-experience.fr wrote: Okay, defer is now enabled on pfsync interface (sorry for my last idea, i haven't the man on me :) ). It seems the problem isn't resolved. The transfer starts but blocked at random time. i have hit this too, despite

Re: PF sync doesn't not work very well

2013-07-04 Thread BARDOU Pierre
Hello, I don't know if this may help you, but I have a working BGP setup with two routers active/active. I don't use pfsync, but keep state (sloppy). This is less secure according to pf.conf(5), but that's not really a concern for me as those routers are not my border firewalls... But maybe I

IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread Andy
Hi misc, We have what should be a simple VPN routing issue but I can't figure out what to do with the IPSec config. We have many remote office firewalls with IPSec tunnels linking to our head office (hub and spoke topology), each defining Phase 2 policies mapping the remote internal networks

Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread Anders Berggren
When I try to do a ping or otherwise on the remote firewalls to the head office lan, I get a 'no route to host' error which implies that the IPSec vpn policy route which can be seen in the 'route show' is not being used as the source IP of the ping/payload is not going to have the firewalls

Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread Andy
Hi, Yes that does work and is the problem as mentioned, but I don't know how to change the source address for the 'netcat' command payload? Ping was just a test to see what is going on.. Cheers, Andy. On Thu 04 Jul 2013 14:08:41 BST, Anders Berggren wrote: When I try to do a ping or

Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread Anders Berggren
Perhaps you've created flows from our LAN network range only? If so, for a ping to work, you need to specify the local IP, like ping -I 192.168.1.1 192.168.2.1 how to change the source address for the 'netcat' command payload? According to http://www.openbsd.org/cgi-bin/man.cgi?query=nc it

Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread Andy
PS: It's also not limited to netcat (if it were I would just use the -s switch on netcat).. I have other daemons on the remote firewalls that I need to also 'phone home', and so I believe I need to do it by either changing/adding the VPN policies or packet mangling with PF.. I'd rather not

Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread Anders Berggren
I'd rather not have to create extra tunnels or define VPN policies with subnets which have prefixes wider than the internal LANs. That leaves mangling, but I cannot see how I would do the mangling in PF to make it work without doing a redirect through the loopback etc.. Just wondering if

Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread Andy
On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote: I'd rather not have to create extra tunnels or define VPN policies with subnets which have prefixes wider than the internal LANs. That leaves mangling, but I cannot see how I would do the mangling in PF to make it work without doing a

Re: softraid: adding volumes, CPU requirements, RAID5

2013-07-04 Thread Boris Goldberg
Hello guys, Tuesday, July 2, 2013, 5:53:04 PM, Nick Holland wrote: NH RAID5 rebuild is still not there - there's no RAID5 rebuild. I'm not NH sure how to make it more clear... NH Ok, let's try this... NH Today, you take four 1TB disks, and make a 3TB RAID5 volume. You can do NH that. Works

Shutdown procedure

2013-07-04 Thread Jean Lucas
Hi all, I've a Dell Studio Hybrid 140g running July 2nd's amd64 snapshot. When I reboot/shutdown, on startup, the first stage loader doesn't load. The machine is stuck, and I think it's because of the shutdown procedure in OpenBSD and acpi compatibility with this machine. The problem has

Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread mxb
I use OSPFd on each OpenBSD firewall I deploy. This way you get access to all machines on the remote LAN, including the firewall itself, and you don't have to maintain routing manually. //mxb On 4 jul 2013, at 16:25, Andy a...@brandwatch.com wrote: On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren

Re: Softraid performance: CRYPTO on top of RAID 1?

2013-07-04 Thread Erling Westenvik
On Wed, Jul 03, 2013 at 05:20:30PM -0400, Jiri B wrote: On Thu, Jul 04, 2013 at 02:33:51AM +1000, Joel Sing wrote: [...snip...] FWIW one of my servers (handles mail, etc) is a Sun Fire V210 (sparc64) machine with 2x1GHz CPU, 2GB RAM and a pair of SCSI drives - it runs perfectly well in a

Re: Compiling and debugging custom ralink driver for 5.3 GENERIC (release)

2013-07-04 Thread Remco
On Wednesday 03 July 2013 19:11:19 Nathan Goings wrote: ... I would think if the attach failed it would be in /var/log/messages. How would I debug this? If the attach is failing, I might try crafting it to use a different driver. (guess I should try printf) I usually use printfs in places

Re: softraid: adding volumes, CPU requirements, RAID5

2013-07-04 Thread Nick Holland
On 07/04/13 09:46, Boris Goldberg wrote: Hello guys, ... If the softraid is so raw yet, why was the good old RAIDFrame removed starting with 5.2? It works just fine for me. Big volume rebuilds take a long while, but it's something working. That's quite a leap from RAID 5 is not ready for

Re: PF sync doesn't not work very well

2013-07-04 Thread Henning Brauer
[pfsync w/o carp] * Mark Felder f...@feld.me [2013-07-03 16:37]: First of all, the states of node 1 being synced to node 2 and vice versa is worthless because they have different IP addresses; the states won't match anything. orly. have you actually LOOKED at your state table? pfctl -vvss to

Re: PF sync doesn't not work very well

2013-07-04 Thread Henning Brauer
* mxb m...@alumni.chalmers.se [2013-07-03 17:33]: States ARE synced. IPs are not the same on node1 and node2 for external. When you initiated the connection to ftp.fr, you did it via node1 with its external IP. On node2 those packets will be DROPPED as those do not belong to external NIC on

Re: PF sync doesn't not work very well

2013-07-04 Thread Henning Brauer
* BARDOU Pierre bardo...@mipih.fr [2013-07-04 14:38]: I don't know if this may help you, but I have a working BGP setup with two routers active/active. I don't use pfsync, but keep state (sloppy). This is less secure according to pf.conf(5), but that's not really a concern for me as those

Re: Fuse on OpenBSD

2013-07-04 Thread Henning Brauer
* openda...@hushmail.com openda...@hushmail.com [2013-07-04 05:09]: Why do we need FUSE anyway? it's a firewall between filesystem code written by people who shouldn't write filesystem code and our kernel. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de,

Re: PF sync doesn't not work very well

2013-07-04 Thread Mark Felder
My apologies for just being noise; I missed his first full post with much more detail. I was picturing him trying to run redundant servers without CARP and running into issues of states disappearing.

Re: Fuse on OpenBSD

2013-07-04 Thread Theo de Raadt
* openda...@hushmail.com openda...@hushmail.com [2013-07-04 05:09]: Why do we need FUSE anyway? it's a firewall between filesystem code written by people who shouldn't write filesystem code and our kernel. not really. it is a simpler to understand interface, than the other userland

Re: Fuse on OpenBSD

2013-07-04 Thread Henning Brauer
* Theo de Raadt dera...@cvs.openbsd.org [2013-07-04 20:19]: but henning, you just used the word firewall. you're going to be mocked forever. firewall? me? I write packet filter code :) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP

Re: Compiling and debugging custom ralink driver for 5.3 GENERIC (release)

2013-07-04 Thread Nathan Goings
On 7/4/2013 10:27 AM, Remco wrote: On Wednesday 03 July 2013 19:11:19 Nathan Goings wrote: ... I would think if the attach failed it would be in /var/log/messages. How would I debug this? If the attach is failing, I might try crafting it to use a different driver. (guess I should try printf)

Re: PF sync doesn't not work very well

2013-07-04 Thread mxb
Henning, with all respect(!), I'd cut you off with this home NATing. My home is far more simple than need of active-active CARP (IT IS NOT as of writing) With all respect to ALL devs working and pushing new code upstreams, we still have MP-problems. For sure, I'm not the one to fix this - I

Re: Compiling and debugging custom ralink driver for 5.3 GENERIC (release)

2013-07-04 Thread Remco
On Thursday 04 July 2013 20:33:16 Nathan Goings wrote: Thanks! I was just about to ask how to get more verbose output. What is printfs? It's my plural for printf. Finally, Is there a way to re-test the driver match/attach without rebooting? I don't think so, unless your device is

Re: PF sync doesn't not work very well

2013-07-04 Thread Loïc BLOT
Hello all, thanks for this interesting debate about pf syncing. To remember my initial question: pfsync seems to sync states but not correctly on my BGP+OSPF routers. Because each BGP router is master/standby to 2 neighbors (full meshed bgp) packets which are outgoing by one router can income by

Re: PF sync doesn't not work very well

2013-07-04 Thread Marko Cupać
On Thu, 04 Jul 2013 21:30:56 +0200 Loïc BLOT loic.b...@unix-experience.fr wrote: Hello all, thanks for this interesting debate about pf syncing. To remember my initial question: pfsync seems to sync states but not correctly on my BGP+OSPF routers. Because each BGP router is master/standby

Re: Compiling and debugging custom ralink driver for 5.3 GENERIC (release)

2013-07-04 Thread Nathan Goings
On 7/4/2013 10:27 AM, Remco wrote: It has an AUTOCONF_VERBOSE define that can be used to get more verbose output, though I don't remember how useful it is. Looking at config(8), I think you should be able to set it in your copy of the GENERIC file as: option AUTOCONF_VERBOSE=1 ugh, I enabled

Re: PF sync doesn't not work very well

2013-07-04 Thread David Gwynne
you could try using sloppy states like henning suggested. you'll still get to write stateful rules and get the tcp state machine checks but not the tcp window checks. if it works with sloppy states it narrows the issue down to the pfsync state merge code. at the moment im kind of guessing

Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread Thomas Jennings
Dear OpenBSD developers and users: Regretfully, I have decided to abandon OpenBSD and thought I would share my reasoning with this list. I thought the 4th of July was a good date to do so since my reasons address national security implications. As a group of people who take development, security,

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread Ryan R
Please pass point to the code which you believe to be the backdoor so that I may review it myself. Thanks On Jul 4, 2013 10:57 PM, Thomas Jennings thomas.jennings...@gmail.com wrote: Dear OpenBSD developers and users: Regretfully, I have decided to abandon OpenBSD and thought I would share

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread Tito Mari Francis Escaño
I was initially thinking this is a troll, but with these quotes: ...was prepping to migrate the whole of our shop, a regional ISP in the United States of America, to OpenBSD 5.3... Pray tell what regional ISP you speak of here to earn their deserved praise or ridicule for avoiding the OpenBSD

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread Zamri Besar
On Fri, Jul 5, 2013 at 12:28 PM, Tito Mari Francis Escaño titomarifran...@gmail.com wrote: I was initially thinking this is a troll, but with these quotes: I vote for another troll... but... this year April Fool was over 3 months ago. -- Thank you. Zamri Besar

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread opendaddy
On 5 July 2013 at 4:30 AM, Tito Mari Francis Escaño titomarifran...@gmail.com wrote: [...snip...] Can't you tell by the way he wrote that that he's just a kid (or an uneducated adult)? I oughta smack y'all faces in for even replying to this shit. O.D.

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread eric oyen
Inquiring minds want to know…. Please cite the sources for your assertions (including links to actual sources and documents). In all honesty, it sounds like you have a personal problem with the man himself. As for OpenBSD, I've found it to be a hell of a lot more secure than most of the other

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread opendaddy
On 5 July 2013 at 4:59 AM, eric oyen eric.o...@gmail.com wrote: My only problem (and it seems none of the devs really understand this) is that I must have sighted assistance to install and initially configure the OS. What do you mean sighted assistance? O.D.

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread Marc Espie
On Thu, Jul 04, 2013 at 11:56:50PM -0400, Thomas Jennings wrote: Dear OpenBSD developers and users: Regretfully, I have decided to abandon OpenBSD and thought I would share my reasoning with this list. I thought the 4th of July was a good date to do so since my reasons address national

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread opendaddy
On 5 July 2013 at 5:13 AM, Marc Espie es...@nerim.net wrote: I actually, no, we don't. You're not anybody I've ever heard of, and your opinion doesn't matter. I have no particular reason to trust you. They said the same of Edward Snowden you know. Now, I read your hilarious email. You have

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread Jean-Francois Simon
May I understand you U go for Microsoft instead ? That would be a great idea, they are said to be free from backdoors. Sorry On 05/07/2013 05:56, Thomas Jennings wrote: Dear OpenBSD developers and users: Regretfully, I have decided to abandon OpenBSD and thought I would share my reasoning

Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread opendaddy
On 5 July 2013 at 5:31 AM, Jean-Francois Simon jfsimon1...@gmail.com wrote: May I understand you U go for Microsoft instead ? That would be a great idea, they are said to be free from backdoors. Sorry France is in the house y'all. O.D.