Re: nat or routing problem?
Andreas Bihlmaier wrote:
> On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
> > Hello,
> > I am trying to configure nat from internal network 192.168.1.0/24 to external nat gateway address 193.189.180.193. The problem is that packets are not passing from nat gateway to the interface 193.77.12.154 to the internet.
> >
> > ISP - 193.77.12.154 -- hostA -- 192.168.1.1
> >                          |
> >                   193.189.180.193 (em1)
> >                          |
> >                      /27 network
> >
> > All hosts on 193.189.180.192/27 are routed correctly through 193.77.12.154 to internet.
> > My pf.conf is practically empty:
> > # pfctl -s all
> > TRANSLATION RULES:
> > nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
> > rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
> > FILTER RULES:
> > pass in all keep state
> > pass out all keep state
> > No queue in use
> > What I am doing wrong? Any suggestions?

#grep forwarding /etc/sysctl.conf
Enabled...
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)

For additional info:
# netstat -rn
Routing tables

Internet:
Destination          Gateway              Flags   Refs Use   Mtu    Interface
default              193.77.12.153        UGS     963486      -      bge0
127/8                127.0.0.1            UGRS    00          33224  lo0
127.0.0.1            127.0.0.1            UH      1 92        33224  lo0
172.16.15.4/30       link#4               UC      10          -      bge1
172.16.15.5          00:05:85:86:84:7e    UHLc    10          -      bge1
172.16.16.6          172.16.15.5          UGHS    218739      -      bge1
192.168.1/24         link#1               UC      20          -      em0
192.168.1.20         00:0f:1f:02:44:1f    UHLc    0 10        -      em0
192.168.1.111        00:60:97:82:73:ce    UHLc    00          -      em0
193.77.12.152/30     link#3               UC      10          -      bge0
193.77.12.153        00:05:85:86:84:7e    UHLc    10          -      bge0
193.189.180.192/27   link#2               UC      50          -      em1
224/4                127.0.0.1            URS     00          33224  lo0

Encap:
Source               Port  Destination          Port  Proto  SA(Address/Proto/Type/Direction)
10.1.1/24            0     192.168.1/24         0     0      172.16.16.6/esp/use/in
192.168.1/24         0     10.1.1/24            0     0      172.16.16.6/esp/require/out
172.16.16.6/32       0     172.16.15.6/32       0     0      172.16.16.6/esp/use/in
172.16.15.6/32       0     172.16.16.6/32       0     0      172.16.16.6/esp/require/out
193.189.180.128/27   0     default              0     0      172.16.16.6/esp/use/in
default              0     193.189.180.128/27   0     0      172.16.16.6/esp/require/out

Regards, Mitja
problem to chroot ftp users
Hi all,
I try to setup the ftpd and to have chrooted users.
1. according to the ftpd man page, the users are in the password database, have a password and ksh as shell
2. their login name is not in /etc/ftpusers
3. their login name is in /etc/ftpchroot
when I start the ftpd with -US the users can login but they are not chrooted
when I start the ftpd with -A then only anonymous ftp works, the ftpd states:
530 Sorry, only anonymous ftp allowed.
ftp: Login failed.
when I start the ftpd with -An login access is denied:
530 User ftp_user access denied.
ftp: Login failed.
I do not have the ftp-chroot variable set in login.conf, the man page of login.conf has nothing about the ftp-chroot variable, I guess I have to add it for the ftp_user, but do not know how.
how do I define the ftp-chroot variable in login.conf, or am I missing something else?
kind regards
Sebastian
Re: problem to chroot ftp users
Add the usernames to /etc/ftpchroot and the user will be chrooted when they login with FTP. If you don't want them to have shell access, add /usr/bin/false to /etc/shells and change the users' shell to /usr/bin/false. That will allow chrooted FTP access and deny shell access. You could also set ftp-chroot in login.conf(5) but I'm not sure exactly how that works since I haven't RTFM for that :)

Sebastian Reitenbach wrote:
> Hi all,
> I try to setup the ftpd and to have chrooted users.
> 1. according to the ftpd man page, the users are in the password database, have a password and ksh as shell
> 2. their login name is not in /etc/ftpusers
> 3. their login name is in /etc/ftpchroot
> when I start the ftpd with -US the users can login but they are not chrooted
> when I start the ftpd with -A then only anonymous ftp works, the ftpd states:
> 530 Sorry, only anonymous ftp allowed.
> ftp: Login failed.
> when I start the ftpd with -An login access is denied:
> 530 User ftp_user access denied.
> ftp: Login failed.
> I do not have the ftp-chroot variable set in login.conf, the man page of login.conf has nothing about the ftp-chroot variable, I guess I have to add it for the ftp_user, but do not know how.
> how do I define the ftp-chroot variable in login.conf, or am I missing something else?
> kind regards
> Sebastian

--
Joel Goguen
Bachelor of Computer Science III
University of New Brunswick
http://iapetus.dyndns.org/
Re: problem to chroot ftp users
On Fri, 8 Dec 2006, Sebastian Reitenbach wrote:
> Hi all,
> I try to setup the ftpd and to have chrooted users.
> 1. according to the ftpd man page, the users are in the password database, have a password and ksh as shell
> 2. their login name is not in /etc/ftpusers
> 3. their login name is in /etc/ftpchroot
> when I start the ftpd with -US the users can login but they are not chrooted

What is the user's home dir? How do you test if the user is chrooted or not?

> when I start the ftpd with -A then only anonymous ftp works, the ftpd states:
> 530 Sorry, only anonymous ftp allowed.
> ftp: Login failed.
> when I start the ftpd with -An login access is denied:
> 530 User ftp_user access denied.
> ftp: Login failed.
> I do not have the ftp-chroot variable set in login.conf, the man page of login.conf has nothing about the ftp-chroot variable, I guess I have to add it for the ftp_user, but do not know how.
> how do I define the ftp-chroot variable in login.conf, or am I missing something else?

If the user is in /etc/ftpchroot, there's no need to set ftp-chroot.

	-Otto
Re: Fintek F71805 driver for test
hi,
Geoff Steckel ([EMAIL PROTECTED]) wrote:
> I've mangled the lm78 driver into a Fintek F71805 sensor driver. If anyone else has a board using this chip I'd appreciate a test of it.

i've built a kernel using your drivers. sensor output and dmesg (attached below) look okay (the third temp-sensor isn't connected in my case).

i've looked at your files, and the one existing driver for another fintek sensor that's in 4.0, which uses iic instead of isa. the sensor-part looks pretty easy to rewrite (mostly different offsets and more sensors), but i'm quite mystified by the initialization part. can anybody shed a light? i'm quite willing to experiment, but i'm not a kernel-level quality programmer...

hw.sensors.0=fins1, +3.3V, 3.34 V DC
hw.sensors.1=fins1, Vtt, 1.08 V DC
hw.sensors.2=fins1, Vram, 1.50 V DC
hw.sensors.3=fins1, Vchips, 1.63 V DC
hw.sensors.4=fins1, +5V, 5.00 V DC
hw.sensors.5=fins1, +12V, 12.06 V DC
hw.sensors.6=fins1, Vcc 1.5V, 1.10 V DC
hw.sensors.7=fins1, VCore, 1.08 V DC
hw.sensors.8=fins1, Vsb, 5.05 V DC
hw.sensors.11=fins1, Temp1, 30.00 degC
hw.sensors.12=fins1, Temp2, 22.00 degC
hw.sensors.13=fins1, Temp3, 107.00 degC
hw.sensors.14=fins1, Fan1, 5791 RPM
hw.sensors.15=fins1, Fan2, 4424 RPM
hw.sensors.16=fins1, Fan3, 3496 RPM

--
CUL8R, Peter.
Re: problem to chroot ftp users
Hi,
Otto Moerbeek [EMAIL PROTECTED] wrote:
> On Fri, 8 Dec 2006, Sebastian Reitenbach wrote:
> > Hi all,
> > I try to setup the ftpd and to have chrooted users.
> > 1. according to the ftpd man page, the users are in the password database, have a password and ksh as shell
> > 2. their login name is not in /etc/ftpusers
> > 3. their login name is in /etc/ftpchroot
> > when I start the ftpd with -US the users can login but they are not chrooted
>
> What is the user's home dir? How do you test if the user is chrooted or not?

the home directory of the user is /home/ftp_user
I test the chroot by just ftp to the host, so I am in my home directory, when I then cd .. I am in /home, therefore not chrooted.

> > how do I define the ftp-chroot variable in login.conf, or am I missing something else?
>
> If the user is in /etc/ftpchroot, there's no need to set ftp-chroot.

I thought that, after reading ftpd(8), and therefore I have the user in /etc/ftpchroot. I have the same problem on two servers, OpenBSD 4.0 and 3.9.
I prevent the ftp users from logging in via ssh via the ssh config, the ftp users are all in group _ftp, and this group is disallowed in /etc/ssh/sshd_config for login, but I doubt that this will interfere with the ftpd.

kind regards
Sebastian
Re: links in the OpenBSD FAQs
An important note: I missed one of the advices of Tom Cosgrove... I would replace the OpenBSD's Flavors link in the patch with something like section 5 (as Tom suggests) or either FAQ 5, flavors as found on other parts of the FAQ. Tom's suggestion is more readable, though. Of course, there are other alternatives as section 5, flavors. By the way, these FAQ X, word entries are sometimes typed FAQ X - word, don't know if it is what maintainers are looking for, or just a minor mistake. I suppose that using a hyphen can make these entries in the FAQ look nice on a browser or PDF reader (links have different colors than standard text) but more difficult to read on text. On the other hand, I suppose that sometimes using lowercase (e.g., replacing Upgrade Guide with upgrade guide) is advisable. Lowercase letters will probably follow the BSD style better. At last, I want to say again that this patch is only a draft. I am awaiting all the changes recommended by the maintainers and certainly do not expect the final patch to be as this one. I am not proposing this patch, but only providing a draft to work on it. Cheers, Igor.
Re: links in the OpenBSD FAQs
D'oh! Of course, the SIMH entry in the FAQ 12 should read Instructions can be found _at the_ OpenBSD/vax on SIMH page. Well... there are people with more appropriate English skills that will probably suggest a lot of changes like this one. Igor.
Re: One new Soekris net4801-50 available in Moscow
Sold. Sorry for the noise.
Problem configuring vlan interfaces on startup
I'm running OpenBSD 4.0. My external interface, fxp0, is a tagged trunk. I've configured it as follows:

# head /etc/hostname.fxp* /etc/hostname.vlan*
==> /etc/hostname.fxp0 <==
up

==> /etc/hostname.vlan0 <==
dhcp vlan 853 vlandev fxp0

==> /etc/hostname.vlan1 <==
inet 10.69.255.254 netmask 255.255.255.224 vlan 841 vlandev fxp0

==> /etc/hostname.vlan2 <==
inet 10.70.207.142 netmask 255.255.255.240 vlan 842 vlandev fxp0

==> /etc/hostname.vlan3 <==
inet 192.168.0.250 netmask 255.255.255.0 vlan 843 vlandev fxp0
inet alias 192.168.1.250 netmask 255.255.255.0
inet alias 192.168.2.250 netmask 255.255.255.0
inet alias 192.168.168.250 netmask 255.255.255.0

However, what I find is that on power-up, my vlan0 interface is configured correctly (it picks up an IP address via DHCP), but interfaces vlan1-vlan3 are not configured. So I end up configuring them by hand, for example by

# ifconfig vlan1 $(cat /etc/hostname.vlan1)
# ifconfig vlan2 $(cat /etc/hostname.vlan2)
# sed 's/^/ifconfig vlan3 /' /etc/hostname.vlan3 | sh

which works fine. So I was just wondering, is there something I've missed which is needed to get them to self-configure at startup?

Thanks,
Brian.
Re: Openldap
Dr. Harry Knitter wrote:
> On Monday, 4 December 2006 20:23, Bryan Irvine wrote:
> > > I have installed the following binaries:
> > > openldap-server-2.3.24
> > > openldap-client-2.3.24
> > > db-4.2.52p8
> > > OS is OpenBSD 4.0
> >
> > You need to install openldap-server-2.3.24-bdb
> > If installed from ports use env FLAVOR=bdb make install to get it, or if you used packages then use the bdb version.
> >
> > --Bryan
>
> I installed the package. However, on the mirror I used I don't find any bdb version.
>
> On a side note, some people observed data corruption or even data loss when using the bdb backend. The gdbm backend, on the other hand, is stable.
Re: Problem configuring vlan interfaces on startup
> So I was just wondering, is there something I've missed which is needed to get them to self-configure at startup?

you could start by reading the man page. pay attention to the examples in hostname.if(5), it should be pretty obvious what you've done wrong.

--
Mathieu Sauve-Frankel
Re: problem to chroot ftp users
On Fri, 08 Dec 2006 12:24:48 +0100, Sebastian Reitenbach [EMAIL PROTECTED] wrote:
> I thought that, after reading ftpd(8), and therefore I have the user in /etc/ftpchroot. I have the same problem on two servers, OpenBSD 4.0 and 3.9.

I think I misunderstand you. Are you saying that you have users in /etc/ftpchroot and they're still not chrooted after logging in? Did you restart ftpd? Assuming you're not running it from inetd of course.

--
Joel Goguen
http://iapetus.dyndns.org/
Re: mounting an svnd device on /var
Original message
Date: Fri, 8 Dec 2006 02:32:01 -0500 (EST)
From: Woodchuck [EMAIL PROTECTED]
Subject: Re: mounting an svnd device on /var
To: misc@openbsd.org

> On Thu, 7 Dec 2006, Jacob Yocom-Piatt wrote:
> > it's not clear to me where the best place to mount a disk image is using vnconfig for the whole /var partition. this should obviously happen after mounting /usr. advice appreciated.
> > cheers, jake
>
> For a start, I'd *guess* it could be mounted immediately after the file-system containing its regular file (and of course /usr) is mounted. If this file-system is not nfs, then that is at the first occurrences of mount in /etc/rc. (Around line 203 in 4.0). You would add your vnconfig and mount command there. You now have a non-standard /etc/rc.

dave, thanks for your input! this is essentially where i was thinking about adding it. specifically, between lines 260 and 261:

mount -s /usr >/dev/null 2>&1
mount -s /var >/dev/null 2>&1

i'll give this a shot.

> You want it mounted before logging and any other process or daemon that uses /var is run, including daemons that chroot to /var, notably named. You probably want them running on the svnd, not underneath it on whatever /var was before mounting the svnd.

correct

> Note that if you plan on encryption, the vnconfig command will hang waiting for the key. It uses a call to getpass(3) for the key, which will read from /dev/tty. Usually /etc/rc executes with a /dev/tty so I think that if you use vnconfig -k or -K in /etc/rc, a human will have to intervene at boot time to enter the key. (I don't know a cute, simple way (i.e. a shell trick) to execute vnconfig without a controlling terminal, so it could read from its stdin (presumably a disk file or maybe from some dongle-like Sekrit Krypto Device) or if that would be a good idea anyway.) You could hack vnconfig to read the key from a file, but that's kinda insecure. I don't know your threat model. See man getpass(3).

i am aware that it will hang at the passphrase prompt, as i have a netbsd machine (ugh!) with cgd as my mailserver and it does just this on boot. using a dongle is a possibility, but i would rather enter a password over a serial console and/or use a salt file. the threat model is physical theft of the mailserver while i am not on-site and that the machine is running netbsd ;).

cheers, jake

> Hoping for further comments,
> Dave
> --
> [In] all human groups at all times there are the few who rule and the many who are ruled. -- A. Livingston
Re: Problem configuring vlan interfaces on startup
On Fri, Dec 08, 2006 at 10:06:23PM +0900, Mathieu Sauve-Frankel wrote:
> > So I was just wondering, is there something I've missed which is needed to get them to self-configure at startup?
>
> you could start by reading the man page. pay attention to the examples in hostname.if(5), it should be pretty obvious what you've done wrong.

Hmm. That's what happens when two syntaxes are almost the same, but not quite. I did read that page previously, and what entered my brain was that these lines just contained arguments to ifconfig. But they're not.

Thanks for pointing me to what I needed.

Regards,
Brian.
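The vlan1-vlan3 lines in the question use ifconfig's keyword syntax, while hostname.if(5) lays the fields out positionally (address family, optional "alias", address, netmask, broadcast address or NONE, then options). The POSIX sh script below is an added illustration and not code from the thread or from OpenBSD: it is a simplified model (an assumption, not the real /etc/netstart) of how one hostname.if line becomes an ifconfig command, and it shows why the word "netmask" ends up in the netmask field.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: a simplified model
# (an assumption, not the real /etc/netstart) of how a line of
# /etc/hostname.if is turned into an ifconfig command. Field layout
# per hostname.if(5):
#
#   addr_family [alias] address netmask broadcast_addr options
#
# Fields are positional: no "netmask" keyword is expected, and the
# literal word NONE stands for "no broadcast address". The functions
# only print the command they would run, so the script is safe to run.

# Print the ifconfig command that would be run for one hostname.if line.
# $1 = interface name; the remaining arguments are the fields of the line.
netstart_line() {
    ifn=$1; shift
    case $1 in
    inet)
        shift
        alias=
        if [ "$1" = alias ]; then alias=alias; shift; fi
        if [ $# -lt 3 ]; then
            echo "netstart_line: inet line needs address, netmask, broadcast (or NONE)" >&2
            return 1
        fi
        addr=$1; mask=$2; bcast=$3
        shift 3
        if [ "$bcast" = NONE ]; then bcast=; else bcast="broadcast $bcast"; fi
        # $alias and $bcast are left unquoted so empty ones vanish.
        echo ifconfig "$ifn" inet $alias "$addr" netmask "$mask" $bcast "$@"
        ;;
    dhcp)
        shift
        # Options go to ifconfig, then the interface is handed to dhclient.
        echo ifconfig "$ifn" "$@"\; dhclient "$ifn"
        ;;
    *)
        # Anything else (for example a bare "up") goes to ifconfig verbatim.
        echo ifconfig "$ifn" "$@"
        ;;
    esac
}

# Return 0 when an inet line is well formed, 1 when an ifconfig keyword
# sits in one of the three positional fields (the vlan1-vlan3 mistake).
check_inet_line() {
    shift                              # drop "inet"
    [ "$1" = alias ] && shift
    for f in "$1" "$2" "$3"; do
        case $f in
        netmask|broadcast|vlan|vlandev|media|mediaopt|up|down) return 1 ;;
        esac
    done
    return 0
}

# Demo on constructed input: the vlan1 line from the thread versus the
# same settings written in hostname.if(5) layout.
bad="inet 10.69.255.254 netmask 255.255.255.224 vlan 841 vlandev fxp0"
good="inet 10.69.255.254 255.255.255.224 NONE vlan 841 vlandev fxp0"
for line in "$bad" "$good"; do
    set -- $line                       # split the line into its fields
    if check_inet_line "$@"; then status=ok; else status=BAD; fi
    printf '%s: %s\n' "$status" "$(netstart_line vlan1 "$@")"
done
```

With the keyword form, the model produces "netmask netmask broadcast 255.255.255.224", which ifconfig rejects, so the interface is never configured; the positional form yields the intended command.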
Re: nat or routing problem?
Mitja wrote:
> Andreas Bihlmaier wrote:
> > On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
> > > Hello,
> > > I am trying to configure nat from internal network 192.168.1.0/24 to external nat gateway address 193.189.180.193. The problem is that packets are not passing from nat gateway to the interface 193.77.12.154 to the internet.
> > >
> > > ISP - 193.77.12.154 -- hostA -- 192.168.1.1
> > >                          |
> > >                   193.189.180.193 (em1)
> > >                          |
> > >                      /27 network

More testing:
I changed my pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

Now I am doing translation from 192.168.1.0/24 to bge0 (193.77.12.154), the closest interface to my ISP.
Test:

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
64 bytes from 209.85.129.147: icmp_seq=0 ttl=242 time=45.439 ms
64 bytes from 209.85.129.147: icmp_seq=1 ttl=242 time=45.307 ms
--- 209.85.129.147 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 45.307/45.373/45.439/0.066 ms

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:46:10.614558 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:10.659932 209.85.129.147 > 193.77.12.154: icmp: echo reply
14:46:11.624513 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:11.669838 209.85.129.147 > 193.77.12.154: icmp: echo reply

It looks like NAT is working.

The same test with changed configuration in pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

The same test, with tcpdump on the last interface (bge0; 193.77.12.154).

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
--- 209.85.129.147 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request

icmp packets are going out, but it looks like NAT is not working (it should change my source IP address).

I checked with google, http://www.openbsd.org/faq/pf/nat.html, http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+4.0 and did not find anything useful.
I'm stuck. Any ideas?

Regards, Mitja
Re: VPN Howto
On Thu, Dec 07, 2006 at 11:08:40PM +0100, misc(at)openbsd.org wrote:
> I want to replace my linux firewall/vpn-server with an openbsd 4.0 installation. My problem is, that the linux server is a vpn-endpoint with two draytek vigor 2900. At the moment I'm looking for a vpn-documentation (or a howto) for ipsec and openbsd 4.0. Does somebody have a link for me? The man-pages didn't help me out (I'm using strongswan at the moment, it looks like there are many differences).

OpenBSD 4.0 includes the ipsecctl interface, which makes life much easier for the majority of cases, such as basic IPSEC tunnel mode setups. Try this as a starting point (*):
http://www.securityfocus.com/infocus/1859

One difference to note between Linux and OpenBSD is the handling of policy. OpenBSD's approach is IMO a lot simpler and cleaner. If you want to enforce that certain traffic is (or is not) encrypted you just do this using pf rules, since encrypted traffic appears to go in and out of the 'enc0' pseudo-interface.

So whereas Linux has both a Security Policy Database and a Security Association Database in the kernel, I believe (and someone please correct me if I'm wrong) that OpenBSD kernel has only an SAD. You put your policy into ipsecctl, which passes it onto isakmpd, and isakmpd negotiates keys and sticks them in the SAD.

For a typical VPN setup which says everything which comes in via IPSEC is trusted then the pf policy is very simple.

Regards,
Brian.

(*) There are a few errors in this article. What you actually need in /etc/rc.conf or /etc/rc.conf.local is

isakmpd_flags=-K   # I use -K -4 to disable IPv6
ipsec=YES
pf=YES

There's no need to stick anything in /etc/rc.local
Re: nat or routing problem?
On Fri, 08 Dec 2006 15:16:50 +0100, Mitja [EMAIL PROTECTED] wrote:
[snip]
> # pfctl -s all
> TRANSLATION RULES:
> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)

If em1 is only serving the one IP address, try changing em1:0 to em1 and see if that works.

--
Joel Goguen
http://iapetus.dyndns.org/
Re: nat or routing problem?
Joel Goguen wrote:
> On Fri, 08 Dec 2006 15:16:50 +0100, Mitja [EMAIL PROTECTED] wrote:
> [snip]
> > # pfctl -s all
> > TRANSLATION RULES:
> > nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
>
> If em1 is only serving the one IP address, try changing em1:0 to em1 and see if that works.

Checked that option. It is the same... not working.

Regards, Mitja
OpenBSD - Vlans - CISCO
Hi,

I have connected my OpenBSD box to a CISCO switch model 2924. I decided to setup vlans and I did the configuration on the CISCO. There is one port where all the traffic goes on the CISCO switch. This is what I did on the firewall:

# ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0
# ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0
# ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0
# ...

All the configs on the CISCO device have been done. All the hosts on the vlan 2 are able to ping each other and to surf. However, the remaining vlans aren't working. I have tried to ping the ip's of the vlans but that doesn't work. I've created an alias on the interface for a specific vlan but that doesn't work either. I have the same rules in /etc/pf.conf for all the vlans. Is there something I'm missing? The vlans have been done using 802.1q.

Thanks,
Mik
Re: OpenBSD - Vlans - CISCO
> # ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0
> # ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0
> # ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0
                ^

cisco switch port is set as trunk?
Re: OpenBSD - Vlans - CISCO
* michel bédard [EMAIL PROTECTED] [2006-12-08 17:48]:
> Hi,
> I have connected my OpenBSD box to a CISCO switch model 2924.

my condolences.

> I decided to setup vlans and I did the configuration on the CISCO. There is one port where all the trafic goes on the CISCO switch. This is what I did on the firewall:
> # ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0
> # ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0
> # ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0

so, let's see. vlan0 is in 10/8. vlan1 is in 10/8. vlan2 is in 10/8.

> vlan 2 are able to ping each other and to surf. However, the remaining vlans aren't working. I have tried to ping the ip's of the vlans but that doesn't work.

no surprise with overlapping address space.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: OpenBSD - Vlans - CISCO
On 12/8/06, michel bidard [EMAIL PROTECTED] wrote:
> All the configs on the CISCO device have been done. All the hosts on the vlan 2 are able to ping each other and to surf. However, the remaining vlans aren't working.

things to check that haven't been mentioned:
- set switch vtp mode to transparent
- set your native (non-tagged vlan) right on dot1q link on the switch
- set allowed vlans correctly on the dot1q link on the switch

post your results when you figure it out.
Re: Toshiba Notebook Display Brightness/Power Saving
Hi,
Alexey Vatchenko wrote:
> Why not to make it available for the public?

I am/was not even sure that this is the right list. So before I get flamed for posting at the wrong list I wanted to be sure and not add any attachments to make it even worse.

- Michael

The screen brightness control in accordance with the battery power by BIOS can be cancelled by executing the following function.

Application existence setting of power save utility:
  AH = 44h
  AL = FFh
  BX = 0025h
  CX = 0002h (power save utility)
  DX = 0001h
  INT 15h

With this change, the following BIOS functions will be restricted.
* ClockRun (GatedClock) will be disabled.
* System Auto Off will be disabled.
* HDD Auto Off will be disabled.
* Display Auto Off will be disabled.
* Throttle Control by the amount of battery change will be disabled.
* Cooling Method will not be switchable.
* C3 Control will be disabled.
i.e. every power-saving control in BIOS will be prohibited. This might cause some problems in the state of power-saving but this will not cause any problem in PC operation.

2-2.35 Reading brightness level [2.35]
2-2.35-1 Function
Reads the brightness level.
2-2.35-2 I/O register specifications
(1) Input registers
  AH = 44h
  AL = FEh
  BX = 002Ah  brightness level
(2) Output registers
When the function ends normally
  AH = 00h
  CX = brightness level
  DX = possible bit
  CF = 0
When an error is encountered
  AH = 80h  Subfunction error, or function not supported by the system.
  CF = 1
2-2.35-3 Function details
This function reads the level of the LCD brightness from SM-RAM. For example, if a system uses 3 bits to control its brightness (000: Level 0 111: Level 7) and the current setting is Level 3, this function returns 6000h to CX register and E000h to DX register (indicates bit15-13 are valid).

2-2.36 Setting brightness level [2.35]
2-2.36-1 Function
Sets the brightness level.
2-2.36-2 I/O register specifications
(1) Input registers
  AH = 44h
  AL = FFh
  BX = 002Ah  brightness level
  CX = brightness level
(2) Output registers
When the function ends normally
  AH = 00h
  CF = 0
When an error is encountered
  AH = 80h  Subfunction error, or function not supported by the system.
  CF = 1
2-2.36-3 Function details
This function sets the LCD brightness. The level of the brightness is set to CX register. If a system uses 3 bits to control the brightness, the valid bits of CX are bit 15, 14, 13 and the other bits of CX are not cared (so iX=E000h and iX=h are same settings). If a system supports SCI function to set LCD brightness (0115h: LCD Brightness), the LCD brightness is controlled by the SCI function until this HCI function is called.
Re: nat or routing problem?
Mitja wrote:
> Mitja wrote:
> > Andreas Bihlmaier wrote:
> > > On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
> > > > Hello,
> > > > I am trying to configure nat from internal network 192.168.1.0/24 to external nat gateway address 193.189.180.193. The problem is that packets are not passing from nat gateway to the interface 193.77.12.154 to the internet.
> > > >
> > > > ISP - 193.77.12.154 -- hostA -- 192.168.1.1
> > > >                          |
> > > >                   193.189.180.193 (em1)
> > > >                          |
> > > >                      /27 network
>
> More testing:
> I changed my pf.conf to:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
> FILTER RULES:
> pass in all keep state
> pass out all keep state
> No queue in use
>
> Now I am doing translation from 192.168.1.0/24 to bge0 (193.77.12.154), the closest interface to my ISP.
> Test:
>
> # ping -I 192.168.1.95 209.85.129.147
> PING 209.85.129.147 (209.85.129.147): 56 data bytes
> 64 bytes from 209.85.129.147: icmp_seq=0 ttl=242 time=45.439 ms
> 64 bytes from 209.85.129.147: icmp_seq=1 ttl=242 time=45.307 ms
> --- 209.85.129.147 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 45.307/45.373/45.439/0.066 ms
>
> # tcpdump -i bge0 icmp
> tcpdump: listening on bge0, link-type EN10MB
> 14:46:10.614558 193.77.12.154 > 209.85.129.147: icmp: echo request
> 14:46:10.659932 209.85.129.147 > 193.77.12.154: icmp: echo reply
> 14:46:11.624513 193.77.12.154 > 209.85.129.147: icmp: echo request
> 14:46:11.669838 209.85.129.147 > 193.77.12.154: icmp: echo reply
>
> It looks like NAT is working.
>
> The same test with changed configuration in pf.conf to:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
> FILTER RULES:
> pass in all keep state
> pass out all keep state
> No queue in use
>
> The same test, with tcpdump on the last interface (bge0; 193.77.12.154).
>
> # ping -I 192.168.1.95 209.85.129.147
> PING 209.85.129.147 (209.85.129.147): 56 data bytes
> --- 209.85.129.147 ping statistics ---
> 15 packets transmitted, 0 packets received, 100.0% packet loss
>
> # tcpdump -i bge0 icmp
> tcpdump: listening on bge0, link-type EN10MB
> 14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
> 14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
> 14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request
>
> icmp packets are going out, but it looks like NAT is not working (it should change my source IP address).

Maybe, you should try something like this.

nat on bge0 inet from 192.168.1.0/24 to any -> (em1:0)
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr ...

It might work.

Regards,
Aleksandar
Re: Openldap
> I installed the package. However, on the mirror I used I don't find any bdb version.

> On a side note, some people observed data corruption or even data loss when using the bdb backend. The gdbm backend, on the other hand, is stable.

I don't remember the specific details, but there was a version of openldap where that happened a lot. I was having to restore from backups about once a week. IIRC it was 2.2.24 (and earlier?). I've been running 2.2.27 (with db4 FWIW) since august-ish of last year with zero corruption problems. YMMV though. I only have a few tens-of-thousands of lookups a day and roughly 5 writes. So my server may not be the best comparison.

--Bryan
Re: nat or routing problem?
Mitja wrote:
> Andreas Bihlmaier wrote:
>> On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
>>> Hello, I am trying to configure NAT from the internal network 192.168.1.0/24 to the external NAT gateway address 193.189.180.193. The problem is that packets are not passing from the NAT gateway to the interface 193.77.12.154 to the internet.
>>>
>>>   ISP - 193.77.12.154 -- hostA -- 192.168.1.1
>>>                            |
>>>                    193.189.180.193 (em1)
>>>                            |
>>>                       /27 network
>
> More testing: I changed my pf.conf to:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

If bge0 is your external interface that nat line now looks correct. If your internal hosts on the 192.168.1.0/24 net have default gateway 192.168.1.1 it should be NATing properly. Sounds like you want traffic to traverse:

192.168.1.0/24 - 192.168.1.1 - 193.189.180.193 - 193.77.12.154 - 0/0

I don't yet fully get what you're trying to accomplish.

> # pfctl -s all
> TRANSLATION RULES:
> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>
> FILTER RULES:
> pass in all keep state
> pass out all keep state
>
> No queue in use
>
> The same test, with tcpdump on the last interface (bge0; 193.77.12.154):
>
> # ping -I 192.168.1.95 209.85.129.147
> PING 209.85.129.147 (209.85.129.147): 56 data bytes
> --- 209.85.129.147 ping statistics ---
> 15 packets transmitted, 0 packets received, 100.0% packet loss
>
> # tcpdump -i bge0 icmp
> tcpdump: listening on bge0, link-type EN10MB
> 14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
> 14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
> 14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request
>
> ICMP packets are going out, but it looks like NAT is not working (it should change my source IP address).

That's because now you are dumping traffic on the internal interface, where the packets haven't traversed the NAT yet. The nat rule you made above has the internal interface where it should have the external:

nat on em1:0 from int_net to -> em1:0

# This is a proper simple nat example (that works):
ext_if=rl0   # (or whatever is your external interface)
nat on $ext_if inet from ! ($ext_if) -> ($ext_if:0)

-- Fridh
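The point both replies make is that pf rewrites the source address only on the interface named in the `nat on` rule, so a rule bound to em1 does nothing for packets that leave hostA through bge0. The following script is an added example, not code from the thread: it reads `netstat -rn` output to find the default-route interface and flags every `nat on` rule bound to some other interface. The sample route table and rule set are constructed from the addresses in the thread, and the function names `default_iface` and `nat_misplaced` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that every pf "nat on" rule
# sits on the interface that carries the default route, because pf only
# rewrites the source address on the interface named in the rule.
# Sample input is constructed from the addresses in the thread; the function
# names are mine, not pf or OpenBSD tools.

# Constructed excerpt of `netstat -rn` on hostA: default route leaves via bge0.
SAMPLE_ROUTES='default            193.77.12.153      UGS        9   63486     -   bge0
192.168.1/24       link#1             UC         2       0     -   em0
193.189.180.192/27 link#2             UC         5       0     -   em1'

# Constructed `pfctl -sn` output: the second (non-working) configuration.
SAMPLE_NAT='nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900'

# default_iface: print the interface of the default route from netstat -rn on stdin.
default_iface() {
	awk '$1 == "default" { print $NF; exit }'
}

# nat_misplaced EXT_IF: read translation rules on stdin and report every
# "nat on" rule bound to an interface other than EXT_IF. Exit 1 if any.
nat_misplaced() {
	awk -v ext="$1" '
		$1 == "nat" && $2 == "on" && $3 != ext {
			printf "nat on %s: outbound packets leave via %s and are never rewritten\n", $3, ext
			bad = 1
		}
		END { exit bad ? 1 : 0 }'
}

ext=$(printf '%s\n' "$SAMPLE_ROUTES" | default_iface)
if printf '%s\n' "$SAMPLE_NAT" | nat_misplaced "$ext"; then
	echo "all nat rules are on $ext; verify with: tcpdump -n -i $ext icmp"
else
	echo "move the nat rule to $ext, e.g.: nat on $ext inet from 192.168.1.0/24 to any -> ($ext:0)"
fi
```

On a real host replace the two sample strings with `netstat -rn | default_iface` and `pfctl -sn | nat_misplaced "$ext"`. The check is deliberately narrow: it does not validate the translation address in parentheses, only that the rule is attached to the egress interface, which is the failure the thread shows.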
Re: OpenBSD - Vlans - CISCO
You need on OpenBSD:

ifconfig vlan0 create
ifconfig vlan0 vlan 2 vlandev rl0 up

Thomas

On Friday 08 December 2006 15:25, you wrote:
> Hi,
> I have connected my OpenBSD box to a CISCO switch model 2924. I decided to setup vlans and I did the configuration on the CISCO. There is one port where all the traffic goes on the CISCO switch. This is what I did on the firewall:
>
> # ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0
> # ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0
> # ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0
> # ...
>
> All the configs on the CISCO device have been done. All the hosts on the vlan 2 are able to ping each other and to surf. However, the remaining vlans aren't working. I have tried to ping the ip's of the vlans but that doesn't work. I've created an alias on the interface for a specific vlan but that doesn't work either. I have the same rules in /etc/pf.conf for all the vlans. Is there something I'm missing? The vlans have been done using 802.1q.
>
> Thanks,
> Mik
Re: OpenBSD - Vlans - CISCO
On Fri, 2006-12-08 at 09:25 -0500, Michel Bédard wrote:
> Hi,
> I have connected my OpenBSD box to a CISCO switch model 2924. I decided to setup vlans and I did the configuration on the CISCO. There is one port where all the traffic goes on the CISCO switch. This is what I did on the firewall:
>
> # ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0
> # ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0
> # ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0
> # ...
>
> All the configs on the CISCO device have been done. All the hosts on the vlan 2 are able to ping each other and to surf. However, the remaining vlans aren't working. I have tried to ping the ip's of the vlans but that doesn't work. I've created an alias on the interface for a specific vlan but that doesn't work either. I have the same rules in /etc/pf.conf for all the vlans. Is there something I'm missing? The vlans have been done using 802.1q.

Turn off spanning tree on the other VLANs:

no spanning-tree vlan 3
no spanning-tree vlan 4

etc.

Jeff
Re: OpenBSD - Vlans - CISCO
Here is a working configuration for one of our switches running OpenBSD 3.2 with 4 vlans on Cisco devices:

!
config-register 0xF
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***_***
!
enable secret 5 **
!
ip subnet-zero
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 4
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 5
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 11
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 12
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 150
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 150
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 150
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 150
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 150
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 150
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode trunk
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 150
!
interface FastEthernet0/21
 switchport access vlan 150
!
interface FastEthernet0/22
 switchport access vlan 150
!
interface FastEthernet0/23
 switchport access vlan 150
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast
!
interface Vlan1
 ip address 10.***.***.*** 255.255.255.192
 no ip route-cache
!
ip default-gateway 10.***.***.***
ip http server
snmp-server community *** RW
!
line con 0
line vty 0 4
 password *
 login
line vty 5 15
 password *
 login

Regards,
Mike Lockhart

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Lockhart [Systems Engineering Operations]
StayOnline, Inc
http://www.stayonline.net/
mailto: [EMAIL PROTECTED]
GPG: 8714 6F73 3FC8 E0A4 0663 3AFF 9F5C 888D 0767 1550
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michel Bédard
Sent: Friday, December 08, 2006 9:26 AM
To: misc@openbsd.org
Subject: OpenBSD - Vlans - CISCO

> Hi,
> I have connected my OpenBSD box to a CISCO switch model 2924. I decided to setup vlans and I did the configuration on the CISCO. There is one port where all the traffic goes on the CISCO switch. This is what I did on the firewall:
>
> # ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0
> # ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0
> # ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0
> # ...
>
> All the configs on the CISCO device have been done. All the hosts on the vlan 2 are able to ping each other and to surf. However, the remaining vlans aren't working. I have tried to ping the ip's of the vlans but that doesn't work. I've created an alias on the interface for a specific vlan but that doesn't work either. I have the same rules in /etc/pf.conf for all the vlans. Is there something I'm missing? The vlans have been done using 802.1q.
>
> Thanks,
> Mik
Prospective hardware angels
Good afternoon misc@ - A gentleman in the UK and I have decided to pool our resources, and start semi-regularly trolling want.html for items that we can get for the devs. I'm able to do something like $50 US each month (I have no idea how much he's in for; he keeps talking about quid, which, as far as I can tell, is some sort of telepathic space crab). If there are fellow-travelers who are interested in going in with us on this, please don't hesitate to let me know. Please reply only to my email, so that we don't clutter the list with chatter. - Bert
Re: firefox + flash
On 12/8/06, Vim Visual [EMAIL PROTECTED] wrote:
> yes, I was aware of gnash... it sounds indeed very promising
> http://blogs.zdnet.com/Stewart/index.php?p=177
> in principle they should have something working with youtube and similar format videos by next summer, even if their main goal is much more ambitious...
> thanks for the port hint... I'm installing it right now
>
> ps... something went wrong...
>
> Error: bad shared lib version /usr/local/lib/libcurl.so.3.4 (curl.>=4)
> Fatal error
> *** Error code 1
>
> Stop in /usr/ports/www/gnash (line 1523 of /usr/ports/infrastructure/mk/bsd.port.mk).
> *** Error code 1
>
> Stop in /usr/ports/www/gnash (line 1787 of /usr/ports/infrastructure/mk/bsd.port.mk).
> *** Error code 1
>
> Stop in /usr/ports/www/gnash (line 1326 of /usr/ports/infrastructure/mk/bsd.port.mk).
>
> mmmh... now what? I start to understand why they encourage you to only use the package binaries and not the ports tree...

Are you running -CURRENT? I'm very interested in this port too, but I'm just going to wait 4 months for 4.1 to come out and for gnash to be in packages.

-Nick
Re: OpenBSD - Vlans - CISCO
Also, here's the ifconfig output. And I didn't mean a switch running OpenBSD, we have a gateway system running 3.2 connected to a cisco switch ;)

vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:a5:13:8f:3b
        vlan: 12 parent interface: fxp1
        inet 172.16.4.1 netmask 0xfffffe00 broadcast 172.16.5.255
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:a5:13:8f:3b
        vlan: 3 parent interface: fxp1
        inet 172.16.6.1 netmask 0xfffffe00 broadcast 172.16.7.255
vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:a5:13:8f:3b
        vlan: 4 parent interface: fxp1
        inet 172.16.8.1 netmask 0xfffffe00 broadcast 172.16.9.255
vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:a5:13:8f:3b
        vlan: 5 parent interface: fxp1
        inet 172.16.10.1 netmask 0xfffffe00 broadcast 172.16.11.255
vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:a5:13:8f:3b
        vlan: 11 parent interface: fxp1
        inet 172.16.12.1 netmask 0xfffffe00 broadcast 172.16.13.255

our dhcpd.conf is like this:

-- snip --
shared-network vlan2 {
        option domain-name ***.net;
        option domain-name-servers 172.16.4.1;
        subnet 172.16.4.0 netmask 255.255.254.0 {
                option routers 172.16.4.1;
                range 172.16.4.15 172.16.5.254;
        }
}

shared-network vlan3 {
        option domain-name ***.net;
        option domain-name-servers 172.16.6.1;
        subnet 172.16.6.0 netmask 255.255.254.0 {
                option routers 172.16.6.1;
                range 172.16.6.15 172.16.7.254;
        }
}

shared-network vlan4 {
        option domain-name ***.net;
        option domain-name-servers 172.16.8.1;
        subnet 172.16.8.0 netmask 255.255.254.0 {
                option routers 172.16.8.1;
                range 172.16.8.15 172.16.9.254;
        }
}

shared-network vlan5 {
        option domain-name ***.net;
        option domain-name-servers 172.16.10.1;
        subnet 172.16.10.0 netmask 255.255.254.0 {
                option routers 172.16.10.1;
                range 172.16.10.15 172.16.11.254;
        }
}

shared-network vlan6 {
        option domain-name ***.net;
        option domain-name-servers 172.16.12.1;
        subnet 172.16.12.0 netmask 255.255.254.0 {
                option routers 172.16.12.1;
                range 172.16.12.15 172.16.13.254;
        }
}
-- snip --

So you can see that with the switch config, the proper vlan setup on the interfaces, and a good dhcpd.conf, you shouldn't have any issue no matter what version of OBSD you're running. Just make sure your kernel has a correct number of vlan dev's, not sure what the default limit is on a vanilla kernel, all ours are custom built.

Regards,
Mike Lockhart

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Lockhart [Systems Engineering Operations]
StayOnline, Inc
http://www.stayonline.net/
mailto: [EMAIL PROTECTED]
GPG: 8714 6F73 3FC8 E0A4 0663 3AFF 9F5C 888D 0767 1550
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Lockhart
Sent: Friday, December 08, 2006 3:05 PM
To: misc@openbsd.org
Subject: Re: OpenBSD - Vlans - CISCO

> Here is a working configuration for one of our switches running OpenBSD 3.2 with 4 vlans on Cisco devices:
>
> !
> config-register 0xF
> version 12.1
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname ***_***
> !
> enable secret 5 **
> !
> ip subnet-zero
> !
> spanning-tree mode pvst
> no spanning-tree optimize bpdu transmission
> spanning-tree extend system-id
> !
> interface FastEthernet0/1
>  switchport access vlan 3
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/2
>  switchport access vlan 4
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/3
>  switchport access vlan 5
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/4
>  switchport access vlan 11
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/5
>  switchport access vlan 12
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/6
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/7
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/8
>  switchport access vlan 150
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/9
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/10
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/11
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/12
>  switchport protected
>  spanning-tree portfast
> !
> interface FastEthernet0/13
>  switchport access vlan 150
>  switchport protected
>  spanning-tree
[Fwd: [EMAIL PROTECTED] alias live]
- Forwarded message from Craig Skinner - Sun Remote Support Centre [EMAIL PROTECTED] -

From: Craig Skinner - Sun Remote Support Centre [EMAIL PROTECTED]
Subject: [Fwd: [EMAIL PROTECTED] alias live]
To: [EMAIL PROTECTED]

Hi there,

I have created a new alias/mailing list: [EMAIL PROTECTED]

This list is open to the public. There is also an internal only [EMAIL PROTECTED] alias that is cc'd here. I hope that all Sun staff that follow the fish may be able to assist the OpenBSD crew in some way, and a first step is to subscribe via http://netadmin

External people can also be subscribed, just send the list an email and ask. Unfortunately non-Sun addresses can only post, they do not get any internal traffic from the list.

I work as a Tier 2 remote sys admin in one of Sun's largest factories, in Scotland: http://www.sun.com/aboutsun/coinfo/history.html#1990

I support customers globally, eg: Alberta Uni, Sydney Uni, NY Stock Exchange, NASA, Honda, NZ Telecom, Air Canada, Chrysler, ...

Tool sets I support are patching and monitoring: Update Connection, NetConnect, Configuration and Service Tracker, Explorer, etc, etc. - which is probably not much help to OpenBSD related issues, other than having a voice on the inside.

Regards,
--
Craig Skinner [EMAIL PROTECTED]
Phone +44 (0) 1506 673024
5-digit shortdial: x73024
Sun Remote Support Centre, Linlithgow, Scotland, UK
Picasso Events Team
Take the Lead with Us! www.picassome.com
Re: OpenBSD - Vlans - CISCO
Henning Brauer wrote:
> * [EMAIL PROTECTED] [EMAIL PROTECTED] [2006-12-08 20:15]:
>> you need on openbsd
>> ifconfig vlan0 create
>> ifconfig vlan0 vlan 2 vlandev rl0 up
>
> no. create is implicit.

This is what I already did and tried for each port configured on the switch:

1- interface FastEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 2-8
    switchport mode trunk
    spanning-tree portfast
    no cdp enable

2- And then the ports for the vlans ...
   interface FastEthernet0/2
    switchport access vlan 2
    spanning-tree portfast
    no cdp enable

   I did the same for all the ports on the switch and then .. write memory.

3- This is what I have in my /etc/hostname.vlan0
   10.0.0.1 255.255.255.0 vlan 2 vlandev rl0
   And the same for all the vlans ...

4- Finally the config in /etc/pf.conf for natting ...
   nat on tun0 from 10.0.0.0/24 to any -> tun0
   And again the same for all the vlans ...

So I'm using a Class C mask ... maybe I should change that? Is there something I should add in /etc/pf.conf?

Thank you very much for your answers,
Mik
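Before debugging pf.conf or spanning tree, it is worth confirming that the vlan(4) definitions on the OpenBSD side and the `switchport trunk allowed vlan` list on the trunk port actually agree. The script below is an added example and not code from this thread: it reads one `IFNAME ADDR vlan TAG vlandev PARENT` line per vlan interface (the argument order of the `ifconfig` lines in the original post), flags interface names and tags used twice, and checks each tag against a Cisco-style allowed list such as `2-8,10,12-14`. The sample lines are constructed from the original post's three `ifconfig` commands, which reuse `vlan0`, and the allowed list comes from Mik's trunk configuration; the function names `in_allowed` and `check_vlans` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check OpenBSD vlan(4) interface
# definitions against the tags a Cisco trunk port is allowed to carry.
# Sample lines are constructed from the original post (ifconfig argument
# order: IFNAME ADDR vlan TAG vlandev PARENT); the allowed list mirrors
# "switchport trunk allowed vlan 2-8". Function names are mine.

SAMPLE_VLANS='vlan0 10.0.0.1 vlan 2 vlandev rl0
vlan1 10.0.1.1 vlan 3 vlandev rl0
vlan0 10.0.2.1 vlan 4 vlandev rl0'

ALLOWED='2-8'

# in_allowed TAG LIST: succeed if TAG lies inside a Cisco-style list such as
# 2-8,10,12-14 (comma-separated single tags and inclusive ranges).
in_allowed() {
	printf '%s\n' "$2" | tr ',' '\n' | awk -F '-' -v t="$1" '
		NF == 1 && $1 == t              { found = 1 }
		NF == 2 && t >= $1 && t <= $2   { found = 1 }
		END { exit found ? 0 : 1 }'
}

# check_vlans LIST: read "IFNAME ADDR vlan TAG vlandev PARENT" lines on stdin;
# report reused interface names, reused tags, and tags the trunk will not
# carry. Exit 1 if anything was reported.
check_vlans() {
	bad=0
	seen_if=' '
	seen_tag=' '
	while read -r ifn addr _kw tag _kw2 parent; do
		[ -n "$ifn" ] || continue
		case "$seen_if" in
			*" $ifn "*) echo "$ifn: interface name reused (tag $tag on $parent)"; bad=1 ;;
		esac
		case "$seen_tag" in
			*" $tag "*) echo "$ifn: vlan tag $tag already assigned"; bad=1 ;;
		esac
		seen_if="$seen_if$ifn "
		seen_tag="$seen_tag$tag "
		in_allowed "$tag" "$1" || {
			echo "$ifn: tag $tag is not in the trunk's allowed list ($1)"
			bad=1
		}
	done
	return $bad
}

if printf '%s\n' "$SAMPLE_VLANS" | check_vlans "$ALLOWED"; then
	echo "vlan definitions are consistent with allowed vlans $ALLOWED"
else
	echo "fix the vlan definitions above before touching pf.conf"
fi
```

Run against a real box, the input would be built from the `/etc/hostname.vlan*` files (prefixing each line with the interface name taken from the file name) and the allowed list copied from `show running-config` on the trunk port. On the constructed sample the script reports `vlan0: interface name reused (tag 4 on rl0)`, which is exactly the kind of typo that leaves one VLAN working and the others silent.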