Re: mbuf leak with rl
On Thursday, 14 September 2006 17:38, you wrote:
> Is anyone using a Realtek 8139 card with OpenBSD 3.9? I noticed that mbufs
> will slowly leak when using it. I noticed this after switching to 3.9. I
> don't know if something happened to the card or not... maybe there is a
> hardware error now that is making it behave funky.
>
> If you're using a "rl*" can you take a look at your mbuf usage (netstat
> -m)? Me and another person both see something similar.
>
> Thanks,
> Chris
>
>
> dmesg:
> rl0 at pci0 dev 8 function 0 "Realtek 8139" rev 0x10: irq 11, address
> 00:48:54:65:39:5a
> rlphy0 at rl0 phy 0: RTL internal PHY

Look, I have Realtek NICs in OpenBSD 3.7 and OpenBSD 3.9:

OpenBSD 3.9:

# dmesg | grep rl
rl0 at pci0 dev 13 function 0 "D-Link Systems 530TX+" rev 0x10: irq 11, address 00:0d:88:1a:8e:3a
rlphy0 at rl0 phy 0: RTL internal PHY
rlphy1 at vr0 phy 1: RTL8201L 10/100 PHY, rev. 1
# netstat -m
4 mbufs in use:
        1 mbuf allocated to packet headers
        3 mbufs allocated to socket names and addresses
0/10/6144 mbuf clusters in use (current/peak/max)
28 Kbytes allocated to network (3% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
#

OpenBSD 3.7:

# netstat -m
12 mbufs in use:
        1 mbuf allocated to packet headers
        11 mbufs allocated to socket names and addresses
0/64/6144 mbuf clusters in use (current/peak/max)
168 Kbytes allocated to network (1% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
# dmesg | grep rl
rl0 at pci0 dev 8 function 0 "Realtek 8139" rev 0x10: irq 12 address 00:03:2d:04:60:40
rlphy0 at rl0 phy 0: RTL internal phy
rl1 at pci0 dev 9 function 0 "Realtek 8139" rev 0x10: irq 10 address 00:03:2d:04:60:3f
rlphy1 at rl1 phy 0: RTL internal phy
rl2 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:03:2d:04:60:3e
rlphy2 at rl2 phy 0: RTL internal phy
rl3 at pci0 dev 11 function 0 "Realtek 8139" rev 0x10: irq 15 address 00:03:2d:04:60:3d
rlphy3 at rl3 phy 0: RTL internal phy

What do you think?

-- 
Abel Talaverón Estévez
Senior Telecommunications Engineer
Project Analyst
OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591
http://www.openwired.com
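The thread compares single "netstat -m" snapshots by eye. A leak only shows up as a trend, so the check a practitioner would script is the difference between two snapshots taken some time apart. The script below is an added example and is not from the thread; the two snapshots it parses are constructed (the first copies the 3.9 output above, the second has invented numbers that look like a leaking driver), and the functions and threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original thread: compare two "netstat -m"
# snapshots and flag growth in mbuf usage, the symptom Chris reports for rl(4).
# Both snapshots below are constructed for the demonstration; the second one's
# numbers are invented to show what a leak looks like.

# Print the "N mbufs in use" count from netstat -m output read on stdin.
mbuf_in_use() {
    awk '/mbufs? in use:/ { print $1; exit }'
}

# Print the current count from the "cur/peak/max mbuf clusters in use" line.
mbuf_clusters_in_use() {
    awk '/mbuf clusters in use/ { split($1, f, "/"); print f[1]; exit }'
}

# Compare two snapshots. Returns 1 (alarm) when mbufs in use grew by more
# than THRESHOLD (default 100) between them, 0 otherwise.
# Usage: mbuf_leak_check "$snapshot_before" "$snapshot_after" [THRESHOLD]
mbuf_leak_check() {
    before=$(printf '%s\n' "$1" | mbuf_in_use)
    after=$(printf '%s\n' "$2" | mbuf_in_use)
    threshold=${3:-100}
    growth=$((after - before))
    if [ "$growth" -gt "$threshold" ]; then
        echo "ALARM: mbufs in use grew by $growth ($before -> $after)"
        return 1
    fi
    echo "ok: mbufs in use changed by $growth (threshold $threshold)"
    return 0
}

# Constructed snapshot: the 3.9 box from the reply, at time t0.
SNAP_T0='4 mbufs in use:
        1 mbuf allocated to packet headers
        3 mbufs allocated to socket names and addresses
0/10/6144 mbuf clusters in use (current/peak/max)
28 Kbytes allocated to network (3% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines'

# Constructed snapshot: the same box hours later, numbers invented so that
# packet-header mbufs pile up the way a driver leak would make them.
SNAP_T1='1862 mbufs in use:
        1859 mbufs allocated to packet headers
        3 mbufs allocated to socket names and addresses
1801/1801/6144 mbuf clusters in use (current/peak/max)
4056 Kbytes allocated to network (97% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines'

if ! mbuf_leak_check "$SNAP_T0" "$SNAP_T1" 100; then
    echo "investigate the rl(4) interfaces before the cluster max is reached"
fi
```

On a live host the same functions take real snapshots: `t0=$(netstat -m); sleep 3600; t1=$(netstat -m); mbuf_leak_check "$t0" "$t1" 100`. Usage that rises across several intervals without ever falling back, while the peak tracks the current value, is the pattern that distinguishes a leak from a traffic burst.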
Re: Know CPU usage
On Monday, 28 August 2006 12:23, you wrote:
> On Aug 28, 2006, at 5:45 AM, Abel Talaverón Estévez wrote:
> > Hi all,
> >
> > I'd like to know if there's a way to know the CPU usage. I can see
> > it with
> > 'top' but I need to script it and 'top -n' doesn't show this info.
> >
> > Does anybody know any other command?
> >
> > I've tried to download and run 'cpud' and 'cpuctl' but they don't
> > show the
> > %CPU.
>
> man 8 vmstat

Thanks a lot! 'vmstat' is perfect!

> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net

-- 
Abel Talaverón Estévez
Know CPU usage
Hi all,

I'd like to know if there's a way to know the CPU usage. I can see it with 'top' but I need to script it and 'top -n' doesn't show this info.

Does anybody know any other command?

I've tried to download and run 'cpud' and 'cpuctl' but they don't show the %CPU.

Thanks a lot

-- 
Abel Talaverón Estévez
Re: binat + table
Hi all,

I'd like to use binat rules with tables. For example:

table persist file "/var/securityhome/securityfiles/objects/user/IPExterna"
table persist file "/var/securityhome/securityfiles/objects/user/enrutador1"

binat on $DMZ_if from to any ->

where:

#cat /var/securityhome/securityfiles/objects/user/IPExterna
#10.0.0.10
#cat /var/securityhome/securityfiles/objects/user/enrutador1
#192.168.0.10

It doesn't work. But this works:

binat on $DMZ_if from 192.168.0.10 to any -> 10.0.0.10

Why?

I've read "man pf.conf" and it says:

     Tables can be used as the source or destination of filter rules, scrub
     rules or translation rules such as nat or rdr (see below for details on
     the various rule types). Tables can also be used for the redirect
     address of nat and rdr rules and in the routing options of filter rules,
     but only for round-robin pools.

But... why can't tables be used with binat?

Thanks

-- 
Abel Talaverón Estévez
binat + table
Hi all,

I'd like to use binat rules with tables. For example:

table persist file "/var/securityhome/securityfiles/objects/user/IPExterna"
table persist file "/var/securityhome/securityfiles/objects/user/enrutador1"

binat on $DMZ_if from to any ->

where:

#cat /var/securityhome/securityfiles/objects/user/IPExterna
#10.0.0.10
#cat /var/securityhome/securityfiles/objects/user/enrutador1
#192.168.0.10

It doesn't work. But this works:

binat on $DMZ_if from 192.168.0.10 to any -> 10.0.0.10

Why?

Thanks

-- 
Abel Talaverón Estévez
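Both "binat + table" messages (the question above and the earlier one quoting pf.conf(5)) run into the same thing: the man page text quoted there lists nat and rdr as the translation rules that accept tables, and binat is a one-to-one mapping that takes a single address or netblock on each side, so a set-valued table does not fit its grammar. Since the poster keeps one address per object file, the rule can be generated from those files at load time instead. The script below is an added example, not from either post; it keeps the poster's $DMZ_if macro and file layout, the object files it writes are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original posts: build a binat rule from the two
# single-address object files the poster keeps, since binat maps one address
# (or netblock) to exactly one other and does not take a table. The $DMZ_if
# macro and file layout follow the post; the object files written below are
# constructed samples.

# Print the one IPv4 address held in FILE, ignoring comments and blank lines.
# Fails (exit 1) if the file holds zero or several entries, or a non-address,
# so a multi-entry object cannot silently produce a broken rule.
single_addr() {
    addrs=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1") || return 1
    count=$(printf '%s\n' "$addrs" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "error: $1 must hold exactly one address, found $count" >&2
        return 1
    fi
    addr=$(printf '%s\n' "$addrs" | tr -d '[:space:]')
    # Dotted quad only; a CIDR netblock is also legal for binat, but the
    # poster's objects are single hosts.
    if ! printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "error: $1: '$addr' is not an IPv4 address" >&2
        return 1
    fi
    printf '%s\n' "$addr"
}

# Emit "binat on IF from INTERNAL to any -> EXTERNAL" for the given object files.
# Usage: binat_rule IFACE INTERNAL_OBJECT_FILE EXTERNAL_OBJECT_FILE
binat_rule() {
    internal=$(single_addr "$2") || return 1
    external=$(single_addr "$3") || return 1
    printf 'binat on %s from %s to any -> %s\n' "$1" "$internal" "$external"
}

# Constructed sample objects laid out like the poster's directory.
objdir=$(mktemp -d)
trap 'rm -rf "$objdir"' EXIT
printf '# external address of the router (constructed)\n10.0.0.10\n' > "$objdir/IPExterna"
printf '192.168.0.10\n' > "$objdir/enrutador1"

# Prints: binat on $DMZ_if from 192.168.0.10 to any -> 10.0.0.10
binat_rule '$DMZ_if' "$objdir/enrutador1" "$objdir/IPExterna"
```

The generated line is meant to be written into the pf.conf that is loaded next, so that the object files stay the single place where addresses are edited; run `pfctl -nf` on the result before loading it, which is also what catches an object that grew to two addresses, because the generator refuses to emit a rule for it.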
Cavium crypto card
Hi all,

Does anybody have a 'High performance IPSec and SSL accelerator PCI card with Cavium CN1010' running on OpenBSD?

I am looking for a crypto card and it could be an option, but it isn't in the supported hardware list at http://www.openbsd.org/i386.html#hardware

Thanks!

-- 
Abel Talaverón Estévez
Senior Telecommunications Engineer
Project Analyst
OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com
Problems with unsupported hardware
Hi all,

I'd like to know if someone knows about a non-standard driver for the Ethernet card Marvell Yukon 8053. I'm running OpenBSD 3.7 and my dmesg shows:

skc0 at pci1 dev 0 function 0 "Marvell Yukon 8053" rev 0x19: irq 12
skc0: bad VPD resource id: expected 82 got 0
skc0: unknown media type: 0x31
skc1: ... (similar lines)

Many thanks!

-- 
Abel Talaverón Estévez
Re: how to disable remote root login
On Thursday, 22 December 2005 14:35, you wrote:
> hi
> i was looking how to disable remote root login but i cant find it
> some tip?

Look at /etc/ssh/sshd_config and man ssh

> thanks
> David

-- 
Abel Talaverón Estévez
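The reply points at sshd_config without naming the setting, and the setting has a trap: sshd keeps the first value it reads for a keyword, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing. The check below is an added example, not from the thread; the two sshd_config files it inspects are constructed, and the function names and the default-value argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: report the effective
# PermitRootLogin setting of an sshd_config. sshd keeps the FIRST value it
# sees for a keyword, so a "PermitRootLogin no" added below an earlier "yes"
# changes nothing; this check reproduces that rule and stops at the first
# "Match" block, where conditional settings begin. The sample files below
# are constructed for the demonstration.

# Print the effective value of KEYWORD in FILE (first match wins, keyword
# case-insensitive, comments and blank lines ignored, Match blocks excluded).
# Prints DEFAULT when the keyword is not set in the global section.
# Usage: effective_option FILE KEYWORD DEFAULT
effective_option() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*(#|$)/        { next }          # comment or blank line
        tolower($1) == "match"      { exit }          # global section ends here
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # strip the keyword
            sub(/[[:space:]]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print def }' "$1"
}

# Exit 0 only when root cannot log in over ssh at all. "prohibit-password"
# (and the older "without-password") still lets root in with a key, so it
# does not count as disabled here. DEFAULT is the compiled-in default of the
# sshd in use: "yes" for OpenSSH before 7.0, "prohibit-password" since.
# Usage: root_login_disabled FILE [DEFAULT]
root_login_disabled() {
    case "$(effective_option "$1" PermitRootLogin "${2:-yes}")" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed samples.
cfg_bad=$(mktemp)
cfg_ok=$(mktemp)
trap 'rm -f "$cfg_bad" "$cfg_ok"' EXIT
cat > "$cfg_bad" <<'EOF'
# constructed sshd_config: the second PermitRootLogin line is ignored by sshd
Port 22
permitrootlogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
cat > "$cfg_ok" <<'EOF'
# constructed sshd_config: root login disabled in the global section
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

for f in "$cfg_bad" "$cfg_ok"; do
    if root_login_disabled "$f" yes; then
        echo "$f: remote root login disabled"
    else
        echo "$f: remote root login still allowed (PermitRootLogin $(effective_option "$f" PermitRootLogin yes))"
    fi
done
```

Run it against /etc/ssh/sshd_config and remember that sshd only reads the file at start or on SIGHUP, so the check describes the next restart, not the running daemon; on OpenSSH versions that have it, `sshd -T` dumps the effective configuration the daemon itself computes and is the authoritative answer.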
Re: pf anchor problem (not working as expected)
On Thursday, 22 December 2005 13:37, you wrote:
> Hi,
>
> I would like to load/unload an "emule" anchor when needed.
> Unfortunately it does not work as expected as port tcp 4662 traffic coming
> back to my router is still blocked.
> Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0:
> 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:37.330539 rule 2/(match) block in on pppoe0:
> 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:39.720729 rule 2/(match) block in on pppoe0:
> 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
> Dec 22 13:05:40.330485 rule 2/(match) block in on pppoe0:
> 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
>
> Maybe I misunderstood the anchors manual, but I honestly don't know what
> is wrong. I would really appreciate it if you can help me on this issue.
>
> Why is the traffic still blocked via this rule "block log (all) all",
> shouldn't it pass through as the anchor rules allow the traffic?
>
> Here is my pf.conf:
> # VARIABLES SECTION #
> int_if="sis0"
> ext_if="pppoe0"
> localnet="172.16.43.0/24"
> outftp="53000:53450"
>
> icmp_types="echoreq"
> icmp_types = "echoreq"
>
> # TABLES SECTION #
> table {x,y}
> table persist
>
> # OPTIONS SECTION #
> set block-policy drop
> set loginterface $ext_if
>
> # SCRUBBING SECTION #
> scrub in on $ext_if all
> scrub out on $ext_if max-mss 1440
>
> # NAT SECTION #
> nat on $ext_if from $localnet to any -> ($ext_if) static-port
>
> # REDIRECTION #
> rdr on $int_if proto tcp from !$ext_if to !$localnet port ftp \
>     -> 127.0.0.1 port ftp-proxy
> rdr on $int_if proto tcp from $localnet to $int_if port ssh \
>     -> $int_if port 8022
>
> rdr-anchor "authpf/*"
> rdr-anchor emule

This rdr-anchor is ok

> #pass quick all
> block quick from
> block quick inet6 all

but here you are blocking the emule traffic

You should put this here:

anchor emule
anchor "authpf/*"

and not below

> block log (all) all
>
> #loopback and internal interface are ok
> pass quick on lo0 all
> pass quick on $int_if all
>
> EXTERNAL INTERFACE
> pass out on $ext_if inet proto tcp from ($ext_if) to any \
>     flags S/SA modulate state
> pass out on $ext_if inet proto udp from ($ext_if) to any \
>     keep state
> pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
>     port > 1023 user proxy modulate state label ftpproxy
> pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
> anchor emule
> anchor "authpf/*"
>
> END OF PF RULE
>
> Here is my emule anchor (/etc/emule.pf):
> ext_if = "pppoe0"
> MuleIP= "172.16.43.10"
> localnet= "172.16.43.0/24"
> InMuleTCP = "{ 4661, 4662 }"
> InMuleUDP = "{ 4665, 4672 }"
>
> rdr on $ext_if proto tcp from !$localnet to any port 4661:4662 -> $MuleIP port 4661:*
> rdr on $ext_if proto udp from !$localnet to any port 4665 -> $MuleIP port 4665
> rdr on $ext_if proto udp from !$localnet to any port 4672 -> $MuleIP port 4672
>
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $InMuleTCP \
>     flags S/SA keep state label eMuleTCP
> pass in quick on $ext_if inet proto udp from any to ($ext_if) port $InMuleUDP \
>     keep state label eMuleUDP
>
> END OF EMULE ANCHOR
>
> The anchor is loaded when I need it via:
> pfctl -v -a emule -f /etc/emule.pf
> and unloaded
> pfctl -v -a emule -Fa -sn && pfctl -v -a emule -Fa -sr
>
> THX A LOT FOR HELPING

-- 
Abel Talaverón Estévez
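The pflog lines in the question carry the answer to "which rule blocked this": the "rule 2/(match)" field is the index of the rule that made the final decision, and pf numbers the main-ruleset filter rules from 0 in the order "pfctl -sr" lists them, so rule 2 is the third filter rule of the ruleset. The script below is an added example, not from the thread, that resolves such a line against a ruleset listing. The listing it uses is a constructed approximation of the poster's rules in pfctl -sr style (the table name was lost in the archive, so <blocked_hosts> is a placeholder); the log line is one of the four from the post.

```shell
#!/bin/sh
# Added example, not from the original thread: map the "rule N/(match)" field
# of a pflog line back to the rule text, so the rule that made the final
# decision can be read instead of guessed. pf numbers main-ruleset filter
# rules from 0 in the order "pfctl -sr" lists them. The ruleset below is a
# constructed approximation of the poster's rules (<blocked_hosts> stands in
# for the table name lost in the archive); the log line is from the post.

# Print the rule number from a tcpdump-on-pflog line read on stdin, or nothing.
pflog_rule_number() {
    sed -n 's/.*rule \([0-9][0-9]*\)\/(match).*/\1/p'
}

# Print rule N (0-based) from a "pfctl -sr" listing read on stdin.
rule_by_number() {
    awk -v n="$1" 'NR == n + 1 { print; exit }'
}

# Resolve LOGLINE against LISTING; prints "rule N: <text>".
# Usage: explain_block "$listing" "$logline"
explain_block() {
    n=$(printf '%s\n' "$2" | pflog_rule_number)
    if [ -z "$n" ]; then
        echo "no rule number found in: $2" >&2
        return 1
    fi
    text=$(printf '%s\n' "$1" | rule_by_number "$n")
    if [ -z "$text" ]; then
        echo "rule $n is not in the listing (ruleset changed since the log?)" >&2
        return 1
    fi
    printf 'rule %s: %s\n' "$n" "$text"
}

# Constructed listing in "pfctl -sr" style for the poster's main ruleset.
RULESET='block drop quick from <blocked_hosts> to any
block drop quick inet6 all
block drop log (all) all
pass quick on lo0 all
pass quick on sis0 all
pass out on pppoe0 inet proto tcp from (pppoe0) to any flags S/SA modulate state
pass out on pppoe0 inet proto udp from (pppoe0) to any keep state
pass out quick on pppoe0 inet proto tcp from (pppoe0) to any port > 1023 user proxy modulate state label "ftpproxy"
pass on pppoe0 inet proto icmp all icmp-type echoreq keep state
anchor "emule" all
anchor "authpf/*" all'

# One of the log lines from the post.
LOGLINE='Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0: 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)'

explain_block "$RULESET" "$LOGLINE"
# prints: rule 2: block drop log (all) all
```

On the firewall itself the inputs come from `tcpdump -n -e -ttt -i pflog0` and `pfctl -sr`; taking the listing at the same time as the log matters, because the numbers shift whenever the ruleset is reloaded. `pfctl -a emule -sr` shows whether the anchor actually holds rules at that moment, which is the other thing to confirm when traffic that an anchor should pass is still being logged by a main-ruleset block.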
PPTP + PPPoE ?
Hi all,

I'm running OpenBSD 3.7. I use my OpenBSD machine as a firewall, including a PPTP server, and it runs ok. But... I want to connect to my ISP with PPPoE and configure my router as a bridge, and I've achieved it!! But now my PPTP server is not running, I cannot connect from a Windows client as before.

Does anybody know why? Can I use ppp.conf with two different applications? Or is the problem with the tun devices?

Thanks a lot.

My ppp.conf:

pptp:
 #set ifaddr 172.16.1.100 172.16.1.10-172.16.1.20
 enable proxy
 set timeout 0
 enable MSChapV2
 disable ipv6cp
 disable ipv6

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cua01
 set speed 115200
 # set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

CHAPserver:
 enable chap
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31
 accept dns

pppoe:
 set device "!/usr/sbin/pppoe -i rl0"
 set mtu max 1492
 set mru max 1492
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname "[EMAIL PROTECTED]"
 set authkey "adslppp"
 add default HISADDR
 enable dns
 enable mssfixup

-- 
Abel Talaverón Estévez
Make a backup
Hi all,

I'm using OpenBSD in a firewall which runs 3.6 and I want to upgrade it from 3.6 to 3.7. I have two different machines, one running 3.6 and the other one running 3.7. But I want to do an automatic upgrade from the one running 3.6 to 3.7. I have an image of the 3.7 firewall and I want to back up the 3.6 one and install the 3.7.

If I make the backup with 'dd if=/dev/wd0c of=/image bs=512' the image is a file of about 2 GB because the hard disk is 40 GB. But with a 'du -sh /' I can see that all files are only 221 MB.

How could I achieve a smaller image? The last option is using 'tar' but I prefer to have an image. Is it possible?

Thanks!!

-- 
Abel Talaverón Estévez
Re: OpenBSD's 10th birthday
On Tuesday, 18 October 2005 11:00, you wrote:
> Now it is really OpenBSD's 10th birthday ;)

It's simple, CONGRATULATIONS. This OS is the best choice I couldn't do to build a firewall.

-- 
Abel Talaverón Estévez
Re: USB to RS232
On Friday, 7 October 2005 12:07, you wrote:
> Hi,
>
> I'll soon buy a soekris, but just realized i have no serial port on my
> laptop (duh!), has someone already tried to use a usb serial adapter?
> Most of the time this works as a traditional com port on windows, but
> what about openbsd, will it be ok for a serial console?

Yes I do. It runs ok! I've tried a laptop running Windows XP + usb-serial + serial-serial + firewall running OpenBSD and it works.

-- 
Abel Talaverón Estévez
resize a partition
Hi all,

How could I resize an OpenBSD partition? I have a /var partition of 20 GB and I want to have it at about 1 GB, and I don't know how to do it.

Thanks a lot

-- 
Abel Talaverón Estévez
Re: Create my own shell? SOLVED
With Ctrl-C the shell doesn't exit. The shell file is shown here:

#!/bin/sh
# $Id: menu,v 1.5 2004/05/20 12:15:57 holsta Exp $
#
# Menu wrapper for FireWired. Ctrl-C is ignored and user input is never
# passed to the command line.

# Note: the trailing "." puts the current directory on PATH, so a listed
# command that is missing from the earlier directories would be looked up
# in whatever directory the menu user is in.
PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM
umask 077

HELP=/home/console/menu.help
GREETING=/home/console/menu.greeting

# Ignore SIGINT so Ctrl-C cannot drop the user out of the menu.
trap "" 2

grep -v "^#" $GREETING

while true
do
	echo "FireWired> \c"
	if read line
	then
		# Empty input: prompt again.
		case "$line" in
		"") continue;;
		esac
		# Only the first word is matched, and only against the fixed list
		# below; anything else never reaches a shell.
		set -- $line
		case "$1" in
		CASAV.bash) CASAV.bash;;
		CAcceso.bash) CAcceso.bash;;
		CActivarPolitica.sh) CActivarPolitica.sh;;
		CAnadirFiltroProxy.sh) CAnadirFiltroProxy.sh;;
		CAnadirPuertoProxy.sh) CAnadirPuertoProxy.sh;;
		CAnadirRedProxy.sh) CAnadirRedProxy.sh;;
		CApaga.sh) CApaga.sh;;
		CAplicarRFPProxy.sh) CAplicarRFPProxy.sh;;
		CAyuda.sh) CAyuda.sh;;
		CBorrarEncam.sh) CBorrarEncam.sh;;
		CBorrarEstad.sh) CBorrarEstad.sh;;
		CBorrarFiltroProxy.sh) CBorrarFiltroProxy.sh;;
		CBorrarObjeto.bash) CBorrarObjeto.bash;;
		CBorrarPolitica.sh) CBorrarPolitica.sh;;
		CBorrarPuertoProxy.sh) CBorrarPuertoProxy.sh;;
		CBorrarRedProxy.sh) CBorrarRedProxy.sh;;
		CBorrarRegla.bash) CBorrarRegla.bash;;
		CBorrarReglaBINAT.bash) CBorrarReglaBINAT.bash;;
		CBorrarReglaNAT.bash) CBorrarReglaNAT.bash;;
		CBorrarReglaPF.bash) CBorrarReglaPF.bash;;
		CBorrarReglaRDR.bash) CBorrarReglaRDR.bash;;
		CBorrarReglaVPN.bash) CBorrarReglaVPN.bash;;
		CBorrarRuta.bash) CBorrarRuta.bash;;
		CBridges.bash) CBridges.bash;;
		CConfFabrica.sh) CConfFabrica.sh;;
		CConsola.bash) CConsola.bash;;
		CCrearObjeto.bash) CCrearObjeto.bash;;
		CCrearPolitica.bash) CCrearPolitica.bash;;
		CCrearReglaBINAT.bash) CCrearReglaBINAT.bash;;
		CCrearReglaNAT.bash) CCrearReglaNAT.bash;;
		CCrearReglaPF.bash) CCrearReglaPF.bash;;
		CCrearReglaRDR.bash) CCrearReglaRDR.bash;;
		CCrearReglaVPN.bash) CCrearReglaVPN.bash;;
		CCrearRuta.bash) CCrearRuta.bash;;
		CDNS.sh) CDNS.sh;;
		CDepurar.sh) CDepurar.sh;;
		CDesactivarPolitica.sh) CDesactivarPolitica.sh;;
		CGW.sh) CGW.sh;;
		CInterfacesIP.bash) CInterfacesIP.bash;;
		CListaObj.sh) CListaObj.sh;;
		CLogout.sh) CLogout.sh;;
		CManuales.sh) CManuales.sh;;
		CModificarObjeto.bash) CModificarObjeto.bash;;
		CModificarReglaBINAT.bash) CModificarReglaBINAT.bash;;
		CModificarReglaNAT.bash) CModificarReglaNAT.bash;;
		CModificarReglaPF.bash) CModificarReglaPF.bash;;
		CModificarReglaRDR.bash) CModificarReglaRDR.bash;;
		CModificarReglaVPN.bash) CModificarReglaVPN.bash;;
		CMostrarPolActiva.sh) CMostrarPolActiva.sh;;
		CMostrarPoliticas.sh) CMostrarPoliticas.sh;;
		CMostrarPoliticasUser.sh) CMostrarPoliticasUser.sh;;
		CMostrarReglas.sh) CMostrarReglas.sh;;
		CMostrarReglasBINAT.sh) CMostrarReglasBINAT.sh;;
		CMostrarReglasNAT.sh) CMostrarReglasNAT.sh;;
		CMostrarReglasPF.sh) CMostrarReglasPF.sh;;
		CMostrarReglasRDR.sh) CMostrarReglasRDR.sh;;
		CMostrarReglasVPN.sh) CMostrarReglasVPN.sh;;
		CMoverReglaPF.bash) CMoverReglaPF.bash;;
		CMoverReglaVPN.bash) CMoverReglaVPN.bash;;
		CPassword.sh) CPassword.sh;;
		CPing.sh) CPing.sh;;
		CProxy.sh) CProxy.sh;;
		CProxyFtp.sh) CProxyFtp.sh;;
		CProxyTransp.sh) CProxyTransp.sh;;
		CReboot.sh) CReboot.sh;;
		CReloj.sh) CReloj.sh;;
		CSMTP.bash) CSMTP.bash;;
		CSsh.sh) CSsh.sh;;
		CTraceroute.sh) CTraceroute.sh;;
		CVPN.bash) CVPN.bash;;
		CVPNAnadirSucursal.bash) CVPNAnadirSucursal.bash;;
		CVPNClientes.ba
Re: Create my own shell? SOLVED
Yes

On Wednesday, 27 July 2005 15:09, Alexander Farber wrote:
> :-) What about ctrl-Z, does that "secure gateway menu" script ignore that
> : too?
>
> 2005/7/27, Abel Talaverón Estévez <[EMAIL PROTECTED]>:
> > Many thanks to all people of this mailing list for all the replies.
> >
> > Finally, I have edited the files I've downloaded from
> >
> > http://mongers.org/gw_menu
> >
> > and made my own shell.
> >
> > Thanks ;)
> >
> > On Monday, 25 July 2005 21:03, you wrote:
> > > On 2005-07-25 16:01:49 +0200, Abel Talaverón Estévez wrote:
> > > > I need to create a particular but simple shell for a firewall running
> > > > OpenBSD 3.6. The idea is to create a user whose shell is a very limited
> > > > one. This shell or command line interpreter (CLI) must have
> > > > permissions only in the home directory.
> > > >
> > > > How could I do this? Any ideas? Editing the source code of sh?, for
> > > > example. Make my own cli?
> > >
> > > http://mongers.org/gw_menu
> > >
> > > But that might be too restricted for you.

-- 
Abel Talaverón Estévez
Senior Telecommunications Engineer
Project Analyst
OpenWired, S.L.
C/ Caballero, 87 - 08029 - Barcelona (Spain)
Tel (+34) 93/410 75 70 - Fax (+34) 93/419 45 91
Re: Create my own shell? SOLVED
Many thanks to all people of this mailing list for all the replies.

Finally, I have edited the files I've downloaded from

http://mongers.org/gw_menu

and made my own shell.

Thanks ;)

On Monday, 25 July 2005 21:03, you wrote:
> On 2005-07-25 16:01:49 +0200, Abel Talaverón Estévez wrote:
> > I need to create a particular but simple shell for a firewall running
> > OpenBSD 3.6. The idea is to create a user whose shell is a very limited one.
> > This shell or command line interpreter (CLI) must have permissions only
> > in the home directory.
> >
> > How could I do this? Any ideas? Editing the source code of sh?, for
> > example. Make my own cli?
>
> http://mongers.org/gw_menu
>
> But that might be too restricted for you.
>
> Have a nice day
> Morten

-- 
Abel Talaverón Estévez
Create my own shell?
Hi all,

I need to create a particular but simple shell for a firewall running OpenBSD 3.6. The idea is to create a user whose shell is a very limited one. This shell or command line interpreter (CLI) must have permissions only in the home directory.

How could I do this? Any ideas? Editing the source code of sh?, for example. Make my own cli?

-- 
Abel Talaverón Estévez
Re: isakmpd only works if one side begins the communication
On Wednesday, 22 June 2005 15:33, jared r r spiegel wrote:
> On Wed, Jun 22, 2005 at 02:01:43PM +0200, Abel Talaverón Estévez wrote:
> > Is it normal? Can I solve it with a parameter like "Retransmit" or
> > "Timeout"? I know that something similar happens with D-Link
> > Firewalls.
>
> need configs to answer accurately, please.
>
> shouldn't need to dinker with retransmit or timeout values, shouldn't
> need to 'kickstart' the connection with a ping or so, unless it was
> so-configured to begin with.
>
> jared
>
> -
>
> [ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]

isakmpd.conf on one side:

[General]
Exchange-max-time= 30
Check-interval= 30
DPD_check_interval= 30

[Phase 1]
10.0.0.57= PEER-VPNPrueba2
Default=ISAKMP-clients

[Phase 2]
Connections=IPsec-clients,CONN-VPNPrueba2

# Phase 1 mobile client peer sections #
[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= Client-main-mode
Authentication= vpnclientopenwired

# Phase 2 mobile client connection sections ###
[IPsec-clients]
Phase= 2
Configuration= Client-quick-mode
Local-ID= local-subnet
Remote-ID= remote-client

# Mobile client ID sections ###
[local-subnet]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[remote-client]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Mobile client modes #
[Client-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Client-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Sucursal-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Sucursal-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# Sucursales
#PEER Section VPNPrueba2
[PEER-VPNPrueba2]
Phase= 1
Transport= udp
Address=10.0.0.57
Configuration= Sucursal-main-mode
Authentication= hen3ex

#CONNECTION SECTION VPNPrueba2
[CONN-VPNPrueba2]
Phase= 2
ISAKMP-peer=PEER-VPNPrueba2
Configuration= Sucursal-quick-mode
Local-ID= ID-LocalSubnet-VPNPrueba2
Remote-ID= ID-RemoteSubnet-VPNPrueba2

#Local ID Section
[ID-LocalSubnet-VPNPrueba2]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.40.0
Netmask=255.255.255.0

#Remote ID Section
[ID-RemoteSubnet-VPNPrueba2]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.10.0
Netmask=255.255.255.0

isakmpd.conf on the other side:

[General]
Exchange-max-time= 30
Check-interval= 30
DPD_check_interval= 30

[Phase 1]
10.0.0.67= PEER-VPNPrueba
Default=ISAKMP-clients

[Phase 2]
Connections=IPsec-clients,CONN-VPNPrueba

# Phase 1 mobile client peer sections #
[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= Client-main-mode
Authentication= vpnclientopenwired

# Phase 2 mobile client connection sections ###
[IPsec-clients]
Phase= 2
Configuration= Client-quick-mode
Local-ID= local-subnet
Remote-ID= remote-client

# Mobile client ID sections ###
[local-subnet]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[remote-client]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Mobile client modes #
[Client-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Client-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Sucursal-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Sucursal-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# Sucursales
#PEER Section VPNPrueba
[PEER-VPNPrueba]
Phase= 1
Transport= udp
Address=10.0.0.67
Configuration= Sucursal-main-mode
Authentication= hen3ex

#CONNECTION SECTION VPNPrueba
[CONN-VPNPrueba]
Phase= 2
ISAKMP-peer=PEER-VPNPrueba
Configuration= Sucursal-quick-mode
Local-ID= ID-LocalSubnet-VPNPrueba
Remote-ID= ID-RemoteSubnet-VPNPrueba

#Local ID Section
[ID-LocalSubnet-VPNPrueba]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.10.0
Netmask=255.255.255.0

#Remote ID Section
[ID-RemoteSubnet-VPNPrueba]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.40.0
Netmask=255.255.255.0

Any idea? I've been trying some values in check-interval and exchange-max-time with no success.
isakmpd only works if one side begins the communication
Hi all,

I'm working with a firewall running OpenBSD with isakmpd. When I want to connect 2 or more firewalls, I can see the tunnels via:

"netstat -rn | grep encap"

but the only way to begin the real communication is starting it from one of the sides. If I try to begin from the other side it doesn't work until I do a ping (or some kind of communication) from the first side.

Is it normal? Can I solve it with a parameter like "Retransmit" or "Timeout"? I know that something similar happens with D-Link firewalls.

Thanks!!