Re: mbuf leak with rl

2006-09-14 Thread Abel Talaverón Estevez
On Thursday, 14 September 2006 17:38, Chris wrote:
> Is anyone using a Realtek 8139 card with OpenBSD 3.9?  I noticed that mbufs
> will slowly leak when using it.  I noticed this after switching to 3.9.  I
> don't know if something happened to the card or not... maybe there is a
> hardware error now that is making it behave funky.
>
> If you're using an "rl*", can you take a look at your mbuf usage (netstat
> -m)? Another person and I both see something similar.
>
> Thanks,
> Chris
>
>
> dmesg:
> rl0 at pci0 dev 8 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:48:54:65:39:5a
> rlphy0 at rl0 phy 0: RTL internal PHY

Look, I have a Realtek NIC on OpenBSD 3.7 and on OpenBSD 3.9:

OpenBSD 3.9:

# dmesg | grep rl
rl0 at pci0 dev 13 function 0 "D-Link Systems 530TX+" rev 0x10: irq 11, address 00:0d:88:1a:8e:3a
rlphy0 at rl0 phy 0: RTL internal PHY
rlphy1 at vr0 phy 1: RTL8201L 10/100 PHY, rev. 1
# netstat -m
4 mbufs in use:
1 mbuf allocated to packet headers
3 mbufs allocated to socket names and addresses
0/10/6144 mbuf clusters in use (current/peak/max)
28 Kbytes allocated to network (3% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
#


OpenBSD 3.7:

# netstat -m
12 mbufs in use:
1 mbuf allocated to packet headers
11 mbufs allocated to socket names and addresses
0/64/6144 mbuf clusters in use (current/peak/max)
168 Kbytes allocated to network (1% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
# dmesg | grep rl
rl0 at pci0 dev 8 function 0 "Realtek 8139" rev 0x10: irq 12 address 00:03:2d:04:60:40
rlphy0 at rl0 phy 0: RTL internal phy
rl1 at pci0 dev 9 function 0 "Realtek 8139" rev 0x10: irq 10 address 00:03:2d:04:60:3f
rlphy1 at rl1 phy 0: RTL internal phy
rl2 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:03:2d:04:60:3e
rlphy2 at rl2 phy 0: RTL internal phy
rl3 at pci0 dev 11 function 0 "Realtek 8139" rev 0x10: irq 15 address 00:03:2d:04:60:3d
rlphy3 at rl3 phy 0: RTL internal phy

What do you think?

-- 
Abel Talaverón Estevez
Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

http://www.openwired.com
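A single `netstat -m` snapshot, like the ones above, cannot tell a leak from a busy moment; what shows a leak is the "mbufs in use" and cluster counts climbing across samples while load stays flat. The script below is an added example (not from this thread) that parses the 3.x-era `netstat -m` layout shown above and reports the growth between two captures. The two captures embedded in it are constructed for the demo, not real output, and `watch_mbufs` is the live form that needs a real `netstat`.

```sh
#!/bin/sh
# Added example: spot a slow mbuf leak by sampling netstat -m over time.
# Parses the OpenBSD 3.x "netstat -m" format quoted in the thread. The two
# samples at the bottom are constructed, not captured from a real box.

# mbuf_in_use: print the count from the "N mbufs in use:" line read on stdin.
mbuf_in_use() {
    awk '/mbufs in use:/ { print $1; exit }'
}

# cluster_in_use: print the current cluster count from "cur/peak/max".
cluster_in_use() {
    awk '/mbuf clusters in use/ { split($1, a, "/"); print a[1]; exit }'
}

# mbuf_delta FILE1 FILE2: print "mbuf_growth cluster_growth" between two
# captures. Numbers that keep rising sample after sample, with no matching
# rise in sockets or traffic, are the signature of a leak.
mbuf_delta() {
    m1=$(mbuf_in_use < "$1"); m2=$(mbuf_in_use < "$2")
    c1=$(cluster_in_use < "$1"); c2=$(cluster_in_use < "$2")
    echo "$((m2 - m1)) $((c2 - c1))"
}

# watch_mbufs INTERVAL COUNT: live use on an OpenBSD box; prints one delta
# line per interval. Not run by the demo because it needs a real netstat.
watch_mbufs() {
    interval=$1; count=$2; i=0
    prev=$(mktemp); netstat -m > "$prev"
    while [ "$i" -lt "$count" ]; do
        sleep "$interval"
        cur=$(mktemp); netstat -m > "$cur"
        printf '%s delta(mbufs clusters): %s\n' "$(date +%T)" "$(mbuf_delta "$prev" "$cur")"
        rm -f "$prev"; prev=$cur; i=$((i + 1))
    done
    rm -f "$prev"
}

# Constructed samples: an idle box, then the same box some hours later.
SAMPLE1='4 mbufs in use:
1 mbuf allocated to packet headers
3 mbufs allocated to socket names and addresses
0/10/6144 mbuf clusters in use (current/peak/max)
28 Kbytes allocated to network (3% in use)
0 requests for memory denied'
SAMPLE2='131 mbufs in use:
128 mbufs allocated to packet headers
3 mbufs allocated to socket names and addresses
64/64/6144 mbuf clusters in use (current/peak/max)
156 Kbytes allocated to network (97% in use)
0 requests for memory denied'

# demo: the delta between the two constructed samples ("127 64").
demo() {
    t1=$(mktemp); t2=$(mktemp)
    printf '%s\n' "$SAMPLE1" > "$t1"
    printf '%s\n' "$SAMPLE2" > "$t2"
    mbuf_delta "$t1" "$t2"
    rm -f "$t1" "$t2"
}
demo
```

Run `watch_mbufs 60 30` on the suspect box and on a box with the same traffic but another NIC; only a steady positive delta on the `rl` box, with "requests for memory denied" eventually climbing, supports the driver-leak theory.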



Re: Know CPU usage

2006-08-28 Thread Abel Talaverón Estevez
On Monday, 28 August 2006 12:23, Jason Dixon wrote:
> On Aug 28, 2006, at 5:45 AM, Abel Talaverón Estevez wrote:
> > Hi all,
> >
> > I'd like to know if there's a way to know the CPU usage. I can see
> > it with
> > 'top' but I need to script it and 'top -n' doesn't show this info.
> >
> > Does anybody know any other command?
> >
> > I've tried to download and run 'cpud' and 'cpuctl' but they don't
> > show the
> > %CPU.
>
> man 8 vmstat
>

Thanks a lot! 'vmstat' is perfect!

> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net

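For scripting, the piece `vmstat` gives you is the trailing `us sy id` columns, with the catch that its first data line is the average since boot, so a second sample is needed for the current value. The following is an added example (not from the thread) that parses that layout; the `vmstat 1 2` output embedded in it is constructed for the demo.

```sh
#!/bin/sh
# Added example: script CPU usage from vmstat(8) output. Assumes the OpenBSD
# vmstat layout where the last three columns are us sy id (user, system and
# idle percentages) and that the first data line is the since-boot average.

# cpu_busy_from_vmstat: read vmstat text on stdin, print busy % (100 - idle)
# taken from the LAST data line; fail if no data line was seen.
cpu_busy_from_vmstat() {
    awk '
        # data lines start with a number; the "procs" and "r b w" headers do not
        $1 ~ /^[0-9]+$/ { idle = $NF }
        END { if (idle == "") exit 1; print 100 - idle }
    '
}

# cpu_over_threshold PCT: read vmstat text on stdin, succeed if busy >= PCT.
# Suitable as the condition in a cron or monitoring script.
cpu_over_threshold() {
    busy=$(cpu_busy_from_vmstat) || return 1
    [ "$busy" -ge "$1" ]
}

# cpu_busy_now: live use on OpenBSD. "vmstat 1 2" prints the boot average
# followed by one 1-second sample; the parser keeps the latter.
cpu_busy_now() {
    vmstat 1 2 | cpu_busy_from_vmstat
}

# Constructed "vmstat 1 2" output: a 99%-idle boot average, then a busy second.
SAMPLE=' procs    memory       page                    disks    traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr wd0 cd0  int   sys   cs us sy id
 0 0 0  24416 1006784   11   0   0   0   0   0   0   0  210   120   20  0  1 99
 2 0 0  24416 1006784  340   0   0   0   0   0   3   0  412  1840  310 37 18 45'

# demo: busy percentage of the constructed sample ("55").
demo() { printf '%s\n' "$SAMPLE" | cpu_busy_from_vmstat; }
demo
```

Something like `if vmstat 1 2 | cpu_over_threshold 90; then logger -t cpuwatch "CPU busy >= 90%"; fi` is enough for a cron check; for a longer window use `vmstat 5 13` and let the parser take the last line.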



Know CPU usage

2006-08-28 Thread Abel Talaverón Estevez
Hi all,

I'd like to know if there's a way to know the CPU usage. I can see it with 
'top' but I need to script it and 'top -n' doesn't show this info.

Does anybody know any other command?

I've tried to download and run 'cpud' and 'cpuctl' but they don't show the 
%CPU.

Thanks a lot



Re: binat + table

2006-05-18 Thread Abel Talaverón Estevez
Hi all,

I'd like to use binat rules with tables. For example:

table  persist file
"/var/securityhome/securityfiles/objects/user/IPExterna"

table  persist file
"/var/securityhome/securityfiles/objects/user/enrutador1"

binat on $DMZ_if from  to any  -> 

where:

#cat /var/securityhome/securityfiles/objects/user/IPExterna
#10.0.0.10
#cat /var/securityhome/securityfiles/objects/user/enrutador1
#192.168.0.10

It doesn't work. But this works:

binat on $DMZ_if from 192.168.0.10 to any  -> 10.0.0.10

Why?

I've read "man pf.conf" and it says:

 Tables can be used as the source or destination of filter rules, scrub
 rules or translation rules such as nat or rdr (see below for details on
 the various rule types).  Tables can also be used for the redirect ad-
 dress of nat and rdr rules and in the routing options of filter rules,
 but only for round-robin pools.

But... why can't tables be used with binat?

Thanks
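binat is a strict one-to-one mapping and takes no address pool, which is why the man page text above allows tables only where a round-robin pool is possible (nat, rdr and route-to) and a table in a binat rule will not load. If the addresses live in object files anyway, the practical route is to expand those files into literal binat rules and load the result. The script below is an added example, not from the thread: the file layout (one address per line, files paired line by line), the interface name and the anchor name are assumptions.

```sh
#!/bin/sh
# Added example: pf binat cannot use a table, so generate literal 1:1 rules
# from the same object files. Assumes one address per line in each file and
# that line N of the internal file pairs with line N of the external file.

# gen_binat IFNAME INTERNAL_FILE EXTERNAL_FILE: print one binat rule per
# line pair. A length mismatch is an error rather than a silent partial
# result, because a host left out of a 1:1 map would simply be untranslated.
gen_binat() {
    ifname=$1; internal=$2; external=$3
    n_int=$(awk '/^[0-9]/ { n++ } END { print n + 0 }' "$internal")
    n_ext=$(awk '/^[0-9]/ { n++ } END { print n + 0 }' "$external")
    if [ "$n_int" -ne "$n_ext" ]; then
        echo "gen_binat: $internal has $n_int addresses, $external has $n_ext" >&2
        return 1
    fi
    # paste joins the two files line by line; awk prints a rule for each pair
    # and skips blank or commented lines.
    paste -d ' ' "$internal" "$external" |
        awk -v ifn="$ifname" '
            /^[0-9]/ { printf "binat on %s from %s to any -> %s\n", ifn, $1, $2 }
        '
}

# demo: constructed stand-ins for the objects/user/enrutador1 and IPExterna
# files, with two hosts each; the DMZ interface is assumed to be xl1.
demo() {
    d=$(mktemp -d)
    printf '192.168.0.10\n192.168.0.11\n' > "$d/enrutador1"
    printf '10.0.0.10\n10.0.0.11\n' > "$d/IPExterna"
    gen_binat xl1 "$d/enrutador1" "$d/IPExterna"
    rm -rf "$d"
}
demo
```

To use it on the firewall, declare `binat-anchor "objects"` in pf.conf at the point where the binat rules belong, write the generated rules to a file, and load them with `pfctl -a objects -f /etc/pf.binat` (after a `pfctl -nf /etc/pf.binat` syntax check); regenerate and reload whenever the object files change. Note that a file loaded into an anchor does not see macros such as `$DMZ_if` from the main pf.conf, which is why the generator takes the real interface name.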



binat + table

2006-05-18 Thread Abel Talaverón Estevez
Hi all,

I'd like to use binat rules with tables. For example:

table  persist file 
"/var/securityhome/securityfiles/objects/user/IPExterna"

table  persist file 
"/var/securityhome/securityfiles/objects/user/enrutador1"

binat on $DMZ_if from  to any  -> 

where:

#cat /var/securityhome/securityfiles/objects/user/IPExterna
#10.0.0.10
#cat /var/securityhome/securityfiles/objects/user/enrutador1
#192.168.0.10

It doesn't work. But this works:

binat on $DMZ_if from 192.168.0.10 to any  -> 10.0.0.10

Why?

Thanks



Cavium crypto card

2006-03-27 Thread Abel Talaverón Estevez
Hi all,

Does anybody have a 'High performance IPSec and SSL accelerator PCI card with Cavium 
CN1010' running on OpenBSD?

I am looking for a crypto card and it could be an option, but it isn't in the 
supported hardware list at http://www.openbsd.org/i386.html#hardware

Thanks!
-- 
Abel Talaverón Estevez
Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Tel.: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com



Problems with unsupported hardware

2006-01-13 Thread Abel Talaverón Estevez
Hi all,

I'd like to know if someone knows of a non-standard driver for the Ethernet 
card Marvell Yukon 8053. 

I'm running OpenBSD 3.7 and my dmesg shows:

skc0 at pci1 dev 0 function 0 "Marvell Yukon 8053" rev 0x19: irq 12
skc0: bad VPD resource id: expected 82 got 0
skc0: unknown media type: 0x31
skc1: ... (similar lines) 

Many thanks!




Re: how to disable remote root login

2005-12-22 Thread Abel Talaverón Estevez
On Thursday, 22 December 2005 14:35, David wrote:
> hi
> i was looking how to disable remote root login but i cant find it
> some tip?
>

Look at /etc/ssh/sshd_config and man ssh
> thanks
> David

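The directive in /etc/ssh/sshd_config that controls this is `PermitRootLogin`. Two details matter when changing it from a script: sshd takes the first occurrence of a keyword, so a stray earlier `PermitRootLogin yes` would silently win over a line appended at the end, and the shipped file carries the default as a commented-out line. The following is an added example (not from the thread) that sets the option idempotently on a file given as a parameter and reads back the value sshd would actually use. It assumes a config without `Match` blocks; the sample file it builds is constructed.

```sh
#!/bin/sh
# Added example: disable remote root logins over SSH by setting
# "PermitRootLogin no", idempotently, and verify the effective value.
# Assumes no Match blocks (a directive inside one would be rewritten too).
# On a real box: set_sshd_option /etc/ssh/sshd_config PermitRootLogin no,
# then "sshd -t" to syntax-check and restart sshd.

# set_sshd_option FILE KEY VALUE: rewrite the first KEY line (commented or
# not) as "KEY VALUE", drop any later KEY lines, append if none existed.
# Writing through "cat > FILE" keeps the file's owner and mode.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            word = $1
            if (word == "#") word = $2      # "# PermitRootLogin yes"
            sub(/^#/, "", word)             # "#PermitRootLogin yes"
            if (tolower(word) == tolower(k)) {   # sshd keywords are case-insensitive
                if (!done) { print k, v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k, v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# effective_sshd_option FILE KEY: print the value sshd would use (first
# uncommented occurrence); print nothing if the keyword is unset.
effective_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# demo: constructed sshd_config with the commented default near the top and a
# stray override further down; prints the effective value after the change.
demo() {
    f=$(mktemp)
    printf '%s\n' \
        '# $OpenBSD: sshd_config,v ... $' \
        'Port 22' \
        '#PermitRootLogin yes' \
        'PasswordAuthentication yes' \
        'PermitRootLogin yes' > "$f"
    set_sshd_option "$f" PermitRootLogin no
    effective_sshd_option "$f" PermitRootLogin
    rm -f "$f"
}
demo
```

If administrators still need key-based root access for automation, `PermitRootLogin without-password` (the OpenSSH value of that era for "keys only") is the intermediate setting; `no` is the one that actually removes root as a remote target.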



Re: pf anchor problem (not working as expected)

2005-12-22 Thread Abel Talaverón Estevez
On Thursday, 22 December 2005 13:37, wrote:
> Hi,
>
> I would like to load/unload an "emule" anchor when needed.
> Unfortunately it does not work as expected as port tcp 4662 traffic coming
> back to my router is still blocked.
> Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0:
> 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:37.330539 rule 2/(match) block in on pppoe0:
> 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:39.720729 rule 2/(match) block in on pppoe0:
> 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:40.330485 rule 2/(match) block in on pppoe0:
> 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
>
> May be I misunderstood the anchors manual, but I honestly don't know what
> is wrong. I would really appreciate if you can help me on this issue.
>
> Why is the traffic still blocked via this rule "block log (all) all",
> shouldn't it pass through as the anchor rules allow the traffic?
>
> Here is my pf.conf:
> # VARIABLES SECTION #
> int_if="sis0"
> ext_if="pppoe0"
> localnet="172.16.43.0/24"
> outftp="53000:53450"
>
> icmp_types="echoreq"
> icmp_types = "echoreq"
>
> # TABLES SECTION #
> table  {x,y}
> table  persist
>
> # OPTIONS SECTION #
> set block-policy drop
> set loginterface $ext_if
>
> # SCRUBBING SECTION #
> scrub in on $ext_if all
> scrub out on $ext_if max-mss 1440
>
> # NAT SECTION #
> nat on $ext_if from $localnet to any -> ($ext_if) static-port
>
> # REDIRECTION #
> rdr on $int_if proto tcp from !$ext_if to !$localnet port ftp \
> -> 127.0.0.1 port ftp-proxy
> rdr on $int_if proto tcp from $localnet to $int_if port ssh \
> -> $int_if port 8022
>
> rdr-anchor "authpf/*"
> rdr-anchor emule
>

This rdr-anchor is ok

> #pass quick all
> block quick from 
> block quick inet6 all

but here you are blocking the emule traffic.
You should put this here:
anchor emule
anchor "authpf/*"

and not below.

> block log (all) all
>
> #loopback and internal interface are ok
> pass quick on lo0 all
> pass quick on $int_if all
>
>  EXTERNAL INTERFACE 
> pass out on $ext_if inet proto tcp from ($ext_if) to any \
> flags S/SA modulate state
> pass out on $ext_if inet proto udp from ($ext_if) to any \
> keep state
> pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
> port > 1023 user proxy modulate state label ftpproxy
> pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
> anchor emule
> anchor "authpf/*"
>
> END OF PF RULE
>
> Here is my emule anchor (/etc/emule.pf):
> ext_if = "pppoe0"
> MuleIP= "172.16.43.10"
> localnet= "172.16.43.0/24"
> InMuleTCP = "{ 4661, 4662 }"
> InMuleUDP = "{ 4665, 4672 }"
>
> rdr on $ext_if proto tcp from !$localnet to any port 4661:4662 -> $MuleIP port 4661:*
> rdr on $ext_if proto udp from !$localnet to any port 4665 -> $MuleIP port 4665
> rdr on $ext_if proto udp from !$localnet to any port 4672 -> $MuleIP port 4672
>
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $InMuleTCP \
>     flags S/SA keep state label eMuleTCP
> pass in quick on $ext_if inet proto udp from any to ($ext_if) port $InMuleUDP \
>     keep state label eMuleUDP
>
> END OF EMULE ANCHOR
>
> The anchor is loaded when I need it via:
> pfctl -v -a emule -f /etc/emule.pf
> and unloaded
> pfctl -v -a emule -Fa -sn && pfctl -v -a emule -Fa -sr
>
> THX A LOT FOR HELPING




PPTP + PPPoE ?

2005-12-05 Thread Abel Talaverón Estevez
Hi all,

I'm running OpenBSD 3.7. I use my OpenBSD machine as a firewall, including a 
PPTP server and it runs ok. But...

I want to connect to my ISP with PPPoE and configure my router as a bridge, and 
I've achieved it!! But now my PPTP server is not running; I cannot connect 
from a Windows client as before. Does anybody know why? Can I use ppp.conf 
with two different applications? Or is the problem with the tun devices?

Thanks a lot.


My ppp.conf:

pptp:
 #set ifaddr 172.16.1.100 172.16.1.10-172.16.1.20
 enable proxy
 set timeout 0
 enable MSChapV2
 disable ipv6cp
 disable ipv6

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cua01
 set speed 115200
# set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK 
\\dATDT\\T TIMEOUT 40 CONNECT"


CHAPserver:
 enable chap
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31
 accept dns

pppoe:
 set device "!/usr/sbin/pppoe -i rl0"
 set mtu max 1492
 set mru max 1492
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname "[EMAIL PROTECTED]"
 set authkey "adslppp"
 add default HISADDR
 enable dns
 enable mssfixup





Make a backup

2005-10-31 Thread Abel Talaverón Estevez
Hi all,

I'm using OpenBSD in a firewall which runs 3.6 and I want to upgrade it from 
3.6 to 3.7.

I have two different machines, one running 3.6 and the other one running 
3.7. But I want to do an automatic upgrade from the one running 3.6 to 3.7. I 
have an image of the 3.7 firewall and I want to back up the 3.6 one and 
install the 3.7.

If I make the backup with 'dd if=/dev/wd0c of=/image bs=512' the image is a 
file of about 2 GB because the hard disk is 40 GB. But with a 'du -sh /' I 
can see that all files are only 221 MB.

How could I do it to achieve a smaller image? The last option is using 'tar' 
but I prefer to have an image. Is it possible?

Thanks!!
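dd copies every block of the device, used or not, so the image is the size of the disk regardless of what du reports; dump(8) per filesystem is the classic way to get only the data. If a raw image is still preferred, the size comes from the free blocks, and those compress to almost nothing once they are zero, so zero the free space first (`dd if=/dev/zero of=/zero bs=1m; rm /zero` on each filesystem) and pipe dd through gzip. The script below is an added example (not from the thread) of imaging, checksumming and restoring that way, using a scratch file in place of /dev/wd0c; sizes and device names are assumptions.

```sh
#!/bin/sh
# Added example: a smaller raw image by compressing the dd stream, plus a
# checksum so the image can be verified before it is trusted for a restore.
# The demo builds a scratch "disk" file; on a real box DEVICE is /dev/wd0c.

# image_disk DEVICE OUT: dd the device through gzip, and record a checksum
# of the uncompressed stream in OUT.cksum for later verification.
image_disk() {
    dd if="$1" bs=64k 2>/dev/null | gzip -9 > "$2"
    gzip -dc "$2" | cksum | awk '{ print $1, $2 }' > "$2.cksum"
}

# verify_image OUT: decompress and compare against the recorded checksum.
verify_image() {
    [ "$(gzip -dc "$1" | cksum | awk '{ print $1, $2 }')" = "$(cat "$1.cksum")" ]
}

# restore_disk OUT DEVICE: stream the image back, e.g. from the install CD.
restore_disk() {
    gzip -dc "$1" | dd of="$2" bs=64k 2>/dev/null
}

# demo: a 4 MB "disk" holding 256 KB of data and 3.75 MB of zeroed free
# space; prints "raw_bytes compressed_bytes verified" (verified = yes/no).
demo() {
    d=$(mktemp -d)
    { dd if=/dev/urandom bs=1024 count=256 2>/dev/null
      dd if=/dev/zero bs=1024 count=3840 2>/dev/null; } > "$d/disk"
    image_disk "$d/disk" "$d/disk.img.gz"
    restore_disk "$d/disk.img.gz" "$d/disk.restored"
    raw=$(wc -c < "$d/disk" | tr -d ' ')
    gz=$(wc -c < "$d/disk.img.gz" | tr -d ' ')
    if verify_image "$d/disk.img.gz" && cmp -s "$d/disk" "$d/disk.restored"; then
        ok=yes
    else
        ok=no
    fi
    echo "$raw $gz $ok"
    rm -rf "$d"
}
demo
```

The checksum file is the part worth keeping next to the image: an image that restores to the wrong checksum is worse than no image, because the firewall will boot and look fine until a corrupted ruleset or binary is hit.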



Re: OpenBSD's 10th birthday

2005-10-18 Thread Abel Talaverón Estevez
On Tuesday, 18 October 2005 11:00, wrote:
> Now it is really OpenBSD's 10th birthday ;)

Simply: CONGRATULATIONS. This OS is the best choice I could have made to 
build a firewall.




Re: USB to RS232

2005-10-07 Thread Abel Talaverón Estevez
On Friday, 7 October 2005 12:07, wrote:
> Hi,
>
> I'll soon buy a soekris, but just realized i have no serial port on my
> laptop (duh!), has someone already tried to use a usb serial adapter?
> Most of the time this works as a traditional com port on windows, but
> what about openbsd, will it be ok for a serial console?

Yes, I have. It works fine! I've tried a 

laptop running Windows XP + USB-serial + serial-serial + firewall running 
OpenBSD 

and it works.




resize a partition

2005-10-05 Thread Abel Talaverón Estevez
Hi all,

How could I resize an OpenBSD partition?

I have a /var partition of 20 GB and I want it to be about 1 GB, and I 
don't know how to do it.

thanks a lot




Re: Create my own shell? SOLVED

2005-07-27 Thread Abel Talaverón Estevez
With Ctrl-C the shell doesn't exit.

The shell script is shown here:


#!/bin/sh
# $Id: menu,v 1.5 2004/05/20 12:15:57 holsta Exp $
#
# Menu wrapper for FireWired. Ctrl-C is ignored and user input is never
# passed to the command line.

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM

umask 077

HELP=/home/console/menu.help
GREETING=/home/console/menu.greeting


trap "" 2

grep -v "^#" $GREETING

while true
do
echo "FireWired> \c"
if read line
then
case "$line" in
"") continue;;
esac

set -- $line
case "$1" in

CASAV.bash) CASAV.bash;;
CAcceso.bash)   CAcceso.bash;;
CActivarPolitica.sh)CActivarPolitica.sh;;
CAnadirFiltroProxy.sh)  CAnadirFiltroProxy.sh;;
CAnadirPuertoProxy.sh)  CAnadirPuertoProxy.sh;;
CAnadirRedProxy.sh) CAnadirRedProxy.sh;;
CApaga.sh)  CApaga.sh;;
CAplicarRFPProxy.sh)CAplicarRFPProxy.sh;;
CAyuda.sh)  CAyuda.sh;;
CBorrarEncam.sh)CBorrarEncam.sh;;
CBorrarEstad.sh)CBorrarEstad.sh;;
CBorrarFiltroProxy.sh)  CBorrarFiltroProxy.sh;;
CBorrarObjeto.bash) CBorrarObjeto.bash;;
CBorrarPolitica.sh) CBorrarPolitica.sh;;
CBorrarPuertoProxy.sh)  CBorrarPuertoProxy.sh;;
CBorrarRedProxy.sh) CBorrarRedProxy.sh;;
CBorrarRegla.bash)  CBorrarRegla.bash;;
CBorrarReglaBINAT.bash) CBorrarReglaBINAT.bash;;
CBorrarReglaNAT.bash)   CBorrarReglaNAT.bash;;
CBorrarReglaPF.bash)CBorrarReglaPF.bash;;
CBorrarReglaRDR.bash)   CBorrarReglaRDR.bash;;
CBorrarReglaVPN.bash)   CBorrarReglaVPN.bash;;
CBorrarRuta.bash)   CBorrarRuta.bash;;
CBridges.bash)  CBridges.bash;;
CConfFabrica.sh)CConfFabrica.sh;;
CConsola.bash)  CConsola.bash;;
CCrearObjeto.bash)  CCrearObjeto.bash;;
CCrearPolitica.bash)CCrearPolitica.bash;;
CCrearReglaBINAT.bash)  CCrearReglaBINAT.bash;;
CCrearReglaNAT.bash)CCrearReglaNAT.bash;;
CCrearReglaPF.bash) CCrearReglaPF.bash;;
CCrearReglaRDR.bash)CCrearReglaRDR.bash;;
CCrearReglaVPN.bash)CCrearReglaVPN.bash;;
CCrearRuta.bash)CCrearRuta.bash;;
CDNS.sh)CDNS.sh;;
CDepurar.sh)CDepurar.sh;;
CDesactivarPolitica.sh) CDesactivarPolitica.sh;;
CGW.sh) CGW.sh;;
CInterfacesIP.bash) CInterfacesIP.bash;;
CListaObj.sh)   CListaObj.sh;;
CLogout.sh) CLogout.sh;;
CManuales.sh)   CManuales.sh;;
CModificarObjeto.bash)  CModificarObjeto.bash;;
CModificarReglaBINAT.bash)  CModificarReglaBINAT.bash;;
CModificarReglaNAT.bash)CModificarReglaNAT.bash;;
CModificarReglaPF.bash) CModificarReglaPF.bash;;
CModificarReglaRDR.bash)CModificarReglaRDR.bash;;
CModificarReglaVPN.bash)CModificarReglaVPN.bash;;
CMostrarPolActiva.sh)   CMostrarPolActiva.sh;;
CMostrarPoliticas.sh)   CMostrarPoliticas.sh;;
CMostrarPoliticasUser.sh)   CMostrarPoliticasUser.sh;;
CMostrarReglas.sh)  CMostrarReglas.sh;;
CMostrarReglasBINAT.sh) CMostrarReglasBINAT.sh;;
CMostrarReglasNAT.sh)   CMostrarReglasNAT.sh;;
CMostrarReglasPF.sh)CMostrarReglasPF.sh;;
CMostrarReglasRDR.sh)   CMostrarReglasRDR.sh;;
CMostrarReglasVPN.sh)   CMostrarReglasVPN.sh;;
CMoverReglaPF.bash) CMoverReglaPF.bash;;
CMoverReglaVPN.bash)CMoverReglaVPN.bash;;
CPassword.sh)   CPassword.sh;;
CPing.sh)   CPing.sh;;
CProxy.sh)  CProxy.sh;;
CProxyFtp.sh)   CProxyFtp.sh;;
CProxyTransp.sh)CProxyTransp.sh;;
CReboot.sh) CReboot.sh;;
CReloj.sh)  CReloj.sh;;
CSMTP.bash) CSMTP.bash;;
CSsh.sh)CSsh.sh;;
CTraceroute.sh) CTraceroute.sh;;
CVPN.bash)  CVPN.bash;;
CVPNAnadirSucursal.bash)CVPNAnadirSucursal.bash;;
CVPNClientes.ba
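The risk in a captive menu of this kind is that user input leaks into a general command line, or that a signal or a PATH trick drops the user to a real shell. The following is an added example, not the posted FireWired script, showing the dispatch core of such a menu written against those escapes: a fixed PATH with no "." or user-writable directory, globbing and `eval` avoided, an exact-match allowlist, execution by absolute path, and Ctrl-C, Ctrl-\ and Ctrl-Z ignored. The allowlisted names are a few taken from the menu above, and the scripts directory is an assumption.

```sh
#!/bin/sh
# Added example: dispatch core of a restricted menu shell. Not the posted
# script. MENU_BIN (where the allowlisted scripts live) is an assumption.
#
# Hardening choices, each closing a common way out of a captive menu:
#  - PATH is fixed and contains neither "." nor a user-writable directory.
#  - set -f turns globbing off, so "*" in the input cannot expand to files.
#  - unset IFS restores default word splitting in case IFS was inherited.
#  - the allowlist is an exact-string case match; anything else is refused.
#  - the command is exec'ed by absolute path; the raw line is never eval'ed.
#  - INT, QUIT and TSTP are ignored so Ctrl-C / Ctrl-\ / Ctrl-Z neither end
#    the menu (landing in the login shell) nor suspend it.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
unset IFS
set -f
umask 077
trap '' INT QUIT TSTP

MENU_BIN=${MENU_BIN:-/home/console/bin}   # assumed location of the scripts

# allowed NAME: succeed only for names on the allowlist.
allowed() {
    case $1 in
        CPing.sh|CTraceroute.sh|CMostrarReglasPF.sh|CPassword.sh|CLogout.sh) return 0 ;;
        *) return 1 ;;
    esac
}

# dispatch LINE: run the allowlisted command named by the first word of
# LINE with the remaining words as arguments. Returns 2 for a refused name,
# otherwise the command's own status. Only the first word is interpreted;
# the rest are passed on as data and never parsed by this shell.
dispatch() {
    set -- $1
    [ $# -eq 0 ] && return 0
    cmd=$1; shift
    if ! allowed "$cmd"; then
        echo "FireWired> unknown command: $cmd" >&2
        return 2
    fi
    "$MENU_BIN/$cmd" "$@"
}

# menu_loop: the interactive loop; read -r keeps backslashes literal.
# EOF (Ctrl-D) ends the session, which is the intended way out.
menu_loop() {
    while printf 'FireWired> ' && read -r line; do
        dispatch "$line"
    done
}
```

Install it as the user's login shell (and list it in /etc/shells only if that user must also be able to use it with chsh); the scripts under MENU_BIN must themselves be written not to hand over a shell, for instance by never calling a pager or editor that allows `!command`.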

Re: Create my own shell? SOLVED

2005-07-27 Thread Abel Talaverón Estevez
Yes


On Wednesday, 27 July 2005 15:09, Alexander Farber wrote:
> :-) What about ctrl-Z, does that "secure gateway menu" script ignore that
> : too?
>
> 2005/7/27, Abel Talaverón Estevez <[EMAIL PROTECTED]>:
> > Many thanks to all people of this mailing list for all the replies.
> >
> > Finally, I have edited the files I've downloaded from
> >
> > http://mongers.org/gw_menu
> >
> > and made my own shell.
> >
> > Thanks ;)
> >
> > On Monday, 25 July 2005 21:03, Morten wrote:
> > > On 2005-07-25 16:01:49 +0200, Abel Talaverón Estevez wrote:
> > > > I need to create a particular but simple shell for a firewall running
> > > > OpenBSD 3.6. The idea is create a user whose shell is a very limited
> > > > one. This shell or command line interpreter (CLI) must have
> > > > permissions only in the home directory.
> > > >
> > > > How could I do this? Any ideas? Editing the source code of sh?, for
> > > > example. Make my own cli?
> > >
> > > http://mongers.org/gw_menu
> > >
> > > But that might be too restricted for you.

-- 
Abel Talaverón Estevez
Telecommunications Engineer
Project Analyst
OpenWired, S.L.
C/ Caballero, 87 - 08029 - Barcelona (Spain)
Tel (+34) 93/410 75 70 - Fax (+34) 93/419 45 91



Re: Create my own shell? SOLVED

2005-07-27 Thread Abel Talaverón Estevez
Many thanks to all people of this mailing list for all the replies.

Finally, I have edited the files I've downloaded from 

http://mongers.org/gw_menu

and made my own shell.

Thanks ;)

On Monday, 25 July 2005 21:03, Morten wrote:
> On 2005-07-25 16:01:49 +0200, Abel Talaverón Estevez wrote:
> > I need to create a particular but simple shell for a firewall running
> > OpenBSD 3.6. The idea is create a user whose shell is a very limited one.
> > This shell or command line interpreter (CLI) must have permissions only
> > in the home directory.
> >
> > How could I do this? Any ideas? Editing the source code of sh?, for
> > example. Make my own cli?
>
> http://mongers.org/gw_menu
>
> But that might be too restricted for you.
>
> Have a nice day
>  Morten




Create my own shell?

2005-07-25 Thread Abel Talaverón Estevez
Hi all,

I need to create a particular but simple shell for a firewall running OpenBSD 
3.6. The idea is to create a user whose shell is a very limited one. This shell 
or command line interpreter (CLI) must have permissions only in the home 
directory.

How could I do this? Any ideas? Editing the source code of sh, for example? 
Make my own CLI?



Re: isakmpd only works if one side begins the communication

2005-06-22 Thread Abel Talaverón Estevez
On Wednesday, 22 June 2005 15:33, jared r r spiegel wrote:
> On Wed, Jun 22, 2005 at 02:01:43PM +0200, Abel Talaverón Estevez wrote:
> > Is it normal? Can I solve it with a parameter like "Retransmit" or
> > "Timeout"? I know that it happens something similar with D-Link
> > Firewalls.
>
>   need configs to answer accurately, please.
>
>   shouldn't need to dinker with retransmit or timeout values., shouldn't
>   need to 'kickstart' the connection with a ping or so, unless it was
> so-configured to begin with.
>
>   jared
>
> -
>
> [ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]



isakmpd.conf on one side:

[General]
Exchange-max-time=  30
Check-interval= 30
DPD_check_interval= 30


[Phase 1]
10.0.0.57=  PEER-VPNPrueba2
Default=ISAKMP-clients

[Phase 2]
Connections=IPsec-clients,CONN-VPNPrueba2


# Phase 1 mobile client peer sections
#
[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  Client-main-mode
Authentication= vpnclientopenwired

# Phase 2 mobile client connection sections
###
[IPsec-clients]
Phase=  2
Configuration=  Client-quick-mode
Local-ID=   local-subnet
Remote-ID=  remote-client

# Mobile client ID sections
###
[local-subnet]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[remote-client]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Mobile client modes
#
[Client-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Client-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Sucursal-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Sucursal-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# Sucursales
#PEER Section VPNPrueba2
[PEER-VPNPrueba2]
Phase=  1
Transport=  udp
Address=10.0.0.57
Configuration=  Sucursal-main-mode
Authentication= hen3ex

#CONNECTION SECTION VPNPrueba2
[CONN-VPNPrueba2]
Phase=  2
ISAKMP-peer=PEER-VPNPrueba2
Configuration=  Sucursal-quick-mode
Local-ID=   ID-LocalSubnet-VPNPrueba2
Remote-ID=  ID-RemoteSubnet-VPNPrueba2

#Local ID Section
[ID-LocalSubnet-VPNPrueba2]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.40.0
Netmask=255.255.255.0

#Remote ID Section
[ID-RemoteSubnet-VPNPrueba2]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.10.0
Netmask=255.255.255.0



isakmpd.conf on the other side:

[General]
Exchange-max-time=  30
Check-interval= 30
DPD_check_interval= 30




[Phase 1]
10.0.0.67=  PEER-VPNPrueba
Default=ISAKMP-clients

[Phase 2]
Connections=IPsec-clients,CONN-VPNPrueba


# Phase 1 mobile client peer sections
#
[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  Client-main-mode
Authentication= vpnclientopenwired

# Phase 2 mobile client connection sections
###
[IPsec-clients]
Phase=  2
Configuration=  Client-quick-mode
Local-ID=   local-subnet
Remote-ID=  remote-client

# Mobile client ID sections
###
[local-subnet]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[remote-client]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Mobile client modes
#
[Client-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Client-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Sucursal-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Sucursal-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# Sucursales
#PEER Section VPNPrueba
[PEER-VPNPrueba]
Phase=  1
Transport=  udp
Address=10.0.0.67
Configuration=  Sucursal-main-mode
Authentication= hen3ex

#CONNECTION SECTION VPNPrueba
[CONN-VPNPrueba]
Phase=  2
ISAKMP-peer=PEER-VPNPrueba
Configuration=  Sucursal-quick-mode
Local-ID=   ID-LocalSubnet-VPNPrueba
Remote-ID=  ID-RemoteSubnet-VPNPrueba

#Local ID Section
[ID-LocalSubnet-VPNPrueba]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.10.0
Netmask=255.255.255.0

#Remote ID Section
[ID-RemoteSubnet-VPNPrueba]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.40.0
Netmask=255.255.255.0



Any idea?
I've been trying some values in Check-interval and Exchange-max-time with no 
success.



isakmpd only works if one side begins the communication

2005-06-22 Thread Abel Talaverón Estevez
Hi all,

I'm working with a firewall running OpenBSD with isakmpd. When I want to 
connect 2 or more firewalls, I can see the tunnels via "netstat -rn | grep 
encap", but the only way to begin the real communication is to start it from one 
of the sides. If I try to begin from the other side, it doesn't work until I 
do a ping (or some kind of communication) from the first side.

Is it normal? Can I solve it with a parameter like "Retransmit" or "Timeout"? 
I know that something similar happens with D-Link firewalls.

Thanks!!