Re: dhclient ignoring DHCPOFFERS?

2007-12-19 Thread Kian Mohageri
On Dec 19, 2007 10:26 AM, Nick Guenther <[EMAIL PROTECTED]> wrote:
> I've seen this problem intermittently before. Every once in a while,
> this happens (the adapter it happens on doesn't matter):
>
> # dhclient de0
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 5
> DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
> DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
> DHCPOFFER from 192.168.0.1
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 7

DHCP process goes

   1. Discover
   2. Offer
   3. Request
   4. Ack

In the above, the request for the offered address was never
acknowledged, so it asked again, and then went back to discovery.

-Kian



Re: dhclient ignoring DHCPOFFERS?

2007-12-21 Thread Kian Mohageri
On Dec 19, 2007 8:25 PM, Nick Guenther <[EMAIL PROTECTED]> wrote:
> On Dec 19, 2007 7:53 PM, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> > On Dec 19, 2007 10:26 AM, Nick Guenther <[EMAIL PROTECTED]> wrote:
> > > I've seen this problem intermittently before. Every once in a while,
> > > this happens (the adapter it happens on doesn't matter):
> > >
> > > # dhclient de0
> > > DHCPREQUEST on de0 to 255.255.255.255 port 67
> > > DHCPREQUEST on de0 to 255.255.255.255 port 67
> > > DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 5
> > > DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
> > > DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
> > > DHCPOFFER from 192.168.0.1
> > > DHCPREQUEST on de0 to 255.255.255.255 port 67
> > > DHCPREQUEST on de0 to 255.255.255.255 port 67
> > > DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 7
> >
> > DHCP process goes
> >
> >1. Discover
> >2. Offer
> >3. Request
> >4. Ack
>
> Ooh, that's very good to know. I didn't know it worked like that! Thanks.
>
> > In the above, the request for the offered address was never
> > acknowledged, so it asked again, and then went back to discovery.
>
> But how do you explain the "No DHCPOFFERS received" phrase (that you
> snipped)? That would seem to say that the problem is not that the
> server never ACK'd, it's that the server never OFFER'd.. except it
> did, and dhclient 'knew' that.
>

I didn't read it literally as if no offers were received throughout
the entire process.  I read it as "no offers received during this
discovery period".

Kian
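Kian's four-step summary above (Discover, Offer, Request, Ack) and his reading of "No DHCPOFFERS received" as "none during this discovery period", as an added Python example that is not part of the thread: it walks the quoted dhclient output and reports where the exchange stalled. The state labels are illustrative, loosely following the RFC 2131 client states.

```python
"""Walk dhclient(8) output through the DISCOVER / OFFER / REQUEST / ACK
exchange and report where it stalled.  Added example, not dhclient code.
The sample log is the one quoted in the thread; the state names are
illustrative labels loosely following the RFC 2131 client states."""
import re

SAMPLE_LOG = """\
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 12
DHCPOFFER from 192.168.0.1
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPREQUEST on de0 to 255.255.255.255 port 67
DHCPDISCOVER on de0 to 255.255.255.255 port 67 interval 7
"""

# Message type, optional interface ("on de0"), optional peer ("from 192.168.0.1").
LINE_RE = re.compile(r"^(DHCP[A-Z]+)(?: on (\S+))?(?: from (\S+))?")


def parse_log(text):
    """Yield (message, interface, server) tuples; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def analyze(text):
    """Return (findings, final_state) for one dhclient run.

    States: INIT (nothing sent yet), REBOOTING (asking for a previous lease
    before any DISCOVER), SELECTING (DISCOVER sent, waiting for an OFFER),
    OFFERED (an OFFER arrived), REQUESTING (REQUEST for that offer sent),
    BOUND (ACK received)."""
    findings = []
    state, offer, pending = "INIT", None, 0
    for msg, _iface, server in parse_log(text):
        if msg == "DHCPDISCOVER":
            # A DISCOVER after unanswered REQUESTs means the client gave up
            # on them and went back to the start of the exchange.
            if state == "REQUESTING":
                findings.append(f"{pending} DHCPREQUEST(s) for the offer from "
                                f"{offer} got no DHCPACK; back to discovery")
            elif state == "REBOOTING":
                findings.append(f"{pending} DHCPREQUEST(s) for the previous "
                                f"lease got no reply; starting discovery")
            state, offer, pending = "SELECTING", None, 0
        elif msg == "DHCPOFFER":
            state, offer = "OFFERED", server
        elif msg == "DHCPREQUEST":
            pending += 1
            if state == "INIT":
                state = "REBOOTING"
            elif state == "OFFERED":
                state = "REQUESTING"
        elif msg == "DHCPACK":
            findings.append(f"lease acknowledged by {server}")
            state, pending = "BOUND", 0
        elif msg == "DHCPNAK":
            findings.append(f"request refused by {server}")
            state, pending = "INIT", 0
    if state == "SELECTING":
        # This is the situation dhclient reports as "No DHCPOFFERS received":
        # nothing answered the most recent round of DISCOVERs.
        findings.append("no DHCPOFFER received since the last DHCPDISCOVER")
    return findings, state


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(finding)
```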



Re: strange pfctl output

2007-12-25 Thread Kian Mohageri
On Dec 25, 2007 10:54 AM, Daniel <[EMAIL PROTECTED]> wrote:
> Hi!
>
> I'm having this problem:
>
> # pfctl -sr |fgrep ftp
> [...]
> pass out on rl0 inet proto tcp from  to <__automatic_39c048b4_0>
> port = ftp flags S/SA keep state
>
> What is that automatic stuff?

It's a table identifier.  The optimizer created it (prefix is always
__automatic_) and redesigned your ruleset to make use of it rather
than a long list of separate rules.

Kian



Re: Remote syslog

2008-02-19 Thread Kian Mohageri
On Feb 19, 2008 8:42 PM, Steve B <[EMAIL PROTECTED]> wrote:
> My employer has given me some free colo space and I thought I would take
> advantage of it to do remote system logging. Those of you here who are doing
> it, could you comment on whether you are using Syslog-NG or something else,
> and whether you are doing it over SSH or IPSEC? I have looked at various
> articles around the net but would like some first hand comments.
>

I set up an OpenBSD syslog server a few months ago.  The OpenBSD
logserver runs syslog-ng and Tenshi (to mail out alerts).

Clients run FreeBSD and OpenBSD.

No encryption currently (maybe change that in the future) because all
of the machines that log are local.

http://www.zampanosbits.com/wordpress/2007/07/08/implementing-a-central-logserver-with-openbsd/

Hope that helps,

-Kian



Re: syslog-ng and log analyzers

2008-02-20 Thread Kian Mohageri
On Feb 20, 2008 10:51 AM, Ryan Corder <[EMAIL PROTECTED]> wrote:
>
> On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote:
> | I would like to see what you'd suggest as a log analyzer tool(s) on a
> | centralized log server running syslog-ng.
> |
> | I also need to use a specific tool as PF log analyzer. What do you
> | suggest for that purpose?
>
> I prefer to use a log notification tool instead of relying on a tool
> to figure out what is going on.  Since I pretty much know what I'm looking
> out for, I can define certain things to watch for and then set up
> appropriate notifications.
>
> Check out tenshi -- written for Gentoo Linux, but is just Perl.


Another vote for Tenshi.  Probably the best way to do it with
syslog-ng is to have syslog-ng forward logs to Tenshi (listening on
loopback) because otherwise Tenshi won't be able to follow the logs
(if you organize them by date, etc.).

-Kian



Re: revision control system for system administration

2006-12-19 Thread Kian Mohageri
On 12/18/06, atstake atstake <[EMAIL PROTECTED]> wrote:
>
> Not directly OpenBSD related but I thought I'd ask. I'd like to use
> a revision control system to manage files on 25-30
> servers but I'm not sure whether I'd use a centralized repository or
> have a separate revision control system on each box. It would also be good
> to know how much leverage can a revision control system can give
> over a "make-backup-before-change" policy in the long run and also
> what files and directories should I add to it. Anything else anyone
> would like to add from experience would be much appreciated.



Our (fairly small) organization uses our CVS repository like this in small
ways.  I really detest having everything in CVS for obvious reasons, but it
can be useful in some situations.  For example, redundant OpenBSD firewalls
may share some configuration files for custom Snort rules.  Update them in
CVS, and use a shell script on the hosts to pull the updated configuration
files via CVS+SSH.  If multiple people are managing the rules, it is nice to
see what people changed.  Probably not so useful in the case of relatively
static configuration files like pf.conf which shouldn't be modified much
anyway.

I wouldn't advise using it simply as a storage place in case you delete the
local copy (that's what backups are for!), but you might find it useful
serving identical configuration files to multiple hosts (as opposed to
actual network file shares).  Your comment about "make-backup-before-change"
is somewhat frightening though :)  If you don't have one already, you should
set up a system that does daily+ backups, depending on how often things
change.

-- 
Kian Mohageri



Re: State table not recovering on CARP backup machine

2007-01-15 Thread Kian Mohageri
On 1/15/07, Christopher Snell <[EMAIL PROTECTED]> wrote:
>
> Has anybody experienced sudden surges of state
> entries like this?  Denial of service attack perhaps?
>
>
There has been a surge of SYN scanning from machines on our network that
were affected by the Symantec hole.  That created a few thousand states and
I ended up putting in some rules to deal with it.  Check your state table
for patterns...e.g. recurring ports, addresses with unreasonable numbers of
states, a lot of connections to port 2967 outside of your network, etc.

-- 
Kian Mohageri



Re: keep state for http connections

2007-01-24 Thread Kian Mohageri
On 1/24/07, Travers Buda <[EMAIL PROTECTED]> wrote:

> Last time I checked though, clients only talk with the web server on
> port 80. So, the only reason you would want to keep state would be if
> you have a ruleset like block out all (which is generally only useful
> if you don't trust the users of said machine.) So, just unconditionally
> pass port 80 traffic in both directions.



That was really bad advice.  Stateful filtering is much more efficient, and
that is very important for a firewall handling thousands of connections.
The default state limit of 10,000 is pretty reasonable and you can change it
easily.  I usually have around 100,000 states on my firewall.  You can also
put limits on the number of states each client can create to prevent Denial
of Service.  In my opinion, it is best to keep state unless you have a
reason NOT to.

Keeping state will soon be the default behavior in pf...that says something
about it.

Also see the three articles Daniel Hartmeier wrote:

http://undeadly.org/cgi?action=article&sid=20060927091645

-- 
Kian Mohageri



Re: A question on pf rules

2007-02-20 Thread Kian Mohageri
On 2/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Greetings,
>
> Does it make any difference if I group my rules like this .
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
> ## Pass all outgoing traffics
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out log on $ext_if inet proto tcp from $mailhost to any port smtp
> keep state
> pass out on $ext_if inet proto { icmp, udp } all keep state
>
> Or, like this .
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
> pass out log on $ext_if inet proto tcp from $mailhost to any port smtp
> keep state
> ## Pass all outgoing traffics
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out on $ext_if inet proto { icmp, udp } all keep state



Last matching rule wins so the second example won't do what you're
expecting.

http://www.openbsd.org/faq/pf/filter.html

Also, try to use "flags S/SA" on all of your stateful TCP rules unless you
have a good reason not to.


-- 
Kian Mohageri
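Kian's two points, last matching rule wins and "flags S/SA" on stateful TCP rules, as an added Python example that is not pf's code and not from the thread: a matcher for just the rule subset in the question, run over both orderings for an outgoing SMTP packet from the mail host. It goes slightly beyond the thread by also honouring pf's "quick" keyword; the macro values and the packet are constructed.

```python
"""Minimal matcher for the pf rule subset in the question, used to show why
rule order changes which rule wins.  Added example, not pf's code: it
implements pf's last-matching-rule-wins evaluation and, going slightly
beyond the thread, the 'quick' keyword, which stops at the first match.
Macro values and the packet below are constructed."""

MACROS = {"$ext_if": "fxp0", "$mailhost": "192.0.2.25"}   # constructed
PORT_NAMES = {"smtp": 25, "http": 80, "ftp": 21}

RULESET_A = """\
pass in log on $ext_if proto tcp to $mailhost port smtp keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state
pass out on $ext_if inet proto { icmp, udp } all keep state
"""

RULESET_B = """\
pass in log on $ext_if proto tcp to $mailhost port smtp keep state
pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto { icmp, udp } all keep state
"""

# Outgoing SMTP from the mail host: the packet the "log" rule is meant to catch.
MAIL_OUT = {"dir": "out", "iface": "fxp0", "proto": "tcp",
            "src": "192.0.2.25", "dst": "198.51.100.9", "dport": 25}


def parse_rule(line):
    """Parse one rule of the subset used above into a dict."""
    for macro, value in MACROS.items():
        line = line.replace(macro, value)
    toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    rule = {"text": " ".join(toks), "action": toks[0], "dir": toks[1],
            "log": False, "quick": False, "iface": None, "proto": None,
            "src": "any", "dst": "any", "sport": None, "dport": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("log", "quick"):
            rule[t] = True
            i += 1
        elif t == "on":
            rule["iface"] = toks[i + 1]
            i += 2
        elif t == "proto":
            if toks[i + 1] == "{":                 # proto { icmp, udp }
                close = toks.index("}", i)
                rule["proto"] = set(toks[i + 2:close])
                i = close + 1
            else:
                rule["proto"] = {toks[i + 1]}
                i += 2
        elif t in ("from", "to"):
            addr_key, port_key = ("src", "sport") if t == "from" else ("dst", "dport")
            rule[addr_key] = toks[i + 1]
            i += 2
            if i < len(toks) and toks[i] == "port":
                p = toks[i + 1]
                rule[port_key] = PORT_NAMES.get(p) or int(p)
                i += 2
        else:
            i += 1   # inet, all, flags S/SA, keep state: no effect on matching here
    return rule


def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and rule["src"] in ("any", pkt["src"])
            and rule["dst"] in ("any", pkt["dst"])
            and rule["sport"] in (None, pkt.get("sport"))
            and rule["dport"] in (None, pkt.get("dport")))


def evaluate(ruleset_text, pkt):
    """Return the rule that decides pkt: the last match, unless a match is quick."""
    winner = None
    for line in ruleset_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break
    return winner


def stateful_tcp_rules_without_flags(ruleset_text):
    """Kian's second tip: stateful TCP rules lacking 'flags S/SA'."""
    out = []
    for line in ruleset_text.splitlines():
        if line.strip():
            r = parse_rule(line)
            if r["proto"] == {"tcp"} and "keep state" in r["text"] and "flags" not in r["text"]:
                out.append(r["text"])
    return out


if __name__ == "__main__":
    for name, rules in (("first ordering", RULESET_A), ("second ordering", RULESET_B)):
        w = evaluate(rules, MAIL_OUT)
        print(f"{name}: winning rule logs={w['log']}: {w['text']}")
```

In the second ordering the generic "pass out ... proto tcp all" rule is the last match for the mail host's outgoing SMTP, so that traffic is passed but never logged.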



Re: OpenBSD 4.1 Pre-Orders...

2007-03-12 Thread Kian Mohageri
On 3/12/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
>
> Have you got yours yet?!



Just ordered the CD set and a poster myself!



-- 
Kian Mohageri



Re: Important OpenBSD errata

2007-03-15 Thread Kian Mohageri
On 3/15/07, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
>
> On 03/15/2007 10:48:49 PM, Ray Percival wrote:
> > On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:
>
> >> I rely on having a clear channel for security related
> >> problems.
>
> > The only communication problem here is that you don't look
> > at the information that the project puts out there for you.
>
> The project says it will announce security errata
> on the security-announce list.  I _am_ assuming this
> will be done in a timely fashion...  This does not
> seem like an unreasonable assumption.



I bet you'd also like somebody other than you to patch your systems in a
timely fashion.


> If security-announce is not a place for timely
> security announcements then change the description,
> or get rid of it.  Which brings the discussion back
> to where it started, and where it belongs.



Security isn't about receiving notifications to your Inbox in a timely
fashion.  It is about being proactive yourself.  You should be the one
taking measures to secure your systems, and you should be the one ACTIVELY
LOOKING for problems.  Watching mailing lists isn't enough, and this was
announced very early on the ERRATA page.

Do something for yourself.

-- 
Kian Mohageri



Re: Important OpenBSD errata

2007-03-16 Thread Kian Mohageri
On 3/16/07, Lars Hansson <[EMAIL PROTECTED]> wrote:
>
> On Fri, 16 Mar 2007 18:03:02 +1100
> Sunnz <[EMAIL PROTECTED]> wrote:
>
> > If I tell you that I'll give you fries as they become available what
> > would you think I am saying?
>
> Unless it's your job to give them to me now and I have paid you to do
> so I'd expect to get them whenever you have them and feel like giving
> me some.
>
>
Yeah.  Expectations aside, being condescending is never warranted.  Both
Karl and Martin did just that.  They could have asked if there was a reason
it wasn't sent to security-announce@ instead of misc@, rather than saying
"This is terrible handling of a bug" after it was fixed almost immediately.
Seems some people spend very little time thanking the developers for the
immediate fix and instead go straight to suggestions on how to handle their
project better.



-- 
Kian Mohageri



Re: Important OpenBSD errata

2007-03-16 Thread Kian Mohageri
On 3/16/07, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
>
>
> On 03/16/2007 02:51:48 AM, Kian Mohageri wrote:
>
> > Yeah.  Expectations aside, being condescending is never warranted.
>
> We've all spent more time on this than it's worth, but I would
> appreciate it if you'd point out any condescension in my
> initial posts so I can do better next time.  Promise I won't
> waste your time by trying to justify my choice of words.



I hate to keep this going, but it sounds like you genuinely want to know for
future reference.  So, from your initial post:

"I agree.  I'm very annoyed that I have to read about this
problem on slashdot.  The misc list is not the right place
for this announcement"


Martin's reply was much more condescending.  I know it is very easy to
misinterpret people online, which is what seems to have happened here.  To
me, both of your posts initially came across as kind of unappreciative, and
I'd imagine at least a few developers probably feel that way too (but I
can't speak for them).

I'm not saying that you're unappreciative, just that it seemed that way.

That is why when I write suggestions, I usually find something to thank the
person for too, just so they don't feel under attack.  Only hearing from
people about things that are done _wrong_ really gets old.  We all know
that.

Darren's latest reply summed up what I have to say so I'm gonna stop
replying to this thread.  I think everyone has made their points and we're
all on the same page.


-- 
Kian Mohageri



Re: pf.conf propagation

2007-03-20 Thread Kian Mohageri
On 3/20/07, Alexander Lind <[EMAIL PROTECTED]> wrote:
>
> Hello misc.
>
> Can anyone recommend a pf propagation script, intended to be used to
> spread changes from one carp:ed openbsd firewall to another?
>
>
for host in fw1 fw2 fw3 fw4 fw5; do scp ~/master.pf.conf ${host}:/etc/pf.conf; done

-- 
Kian Mohageri



Re: any site or doc about openbsd kernel configuration, info or tweak?

2007-03-25 Thread Kian Mohageri
On 3/25/07, Jay Jesus Amorin <[EMAIL PROTECTED]> wrote:
>
> any site or doc about openbsd kernel configuration, info or tweak
> aside from man page?
>
> thanks
>
>
http://www.openbsd.org/faq/faq5.html#Why

Q: 5.6 - Why do I need a custom kernel?
A: Actually, you probably don't.

That said,

http://www.openbsd.org/faq/faq5.html#Options

-- 
Kian Mohageri



Re: safe PF start / restart

2007-04-12 Thread Kian Mohageri
On 4/11/07, christian johansson <[EMAIL PROTECTED]> wrote:
>
> I had to set up a linux firewall the other day, and I used the iptables
> script generating program shorewall.
> While pulling my hair over how ugly the iptables stuff (even via
> shorewall)
> is compared to OpenBSDs nice clean PF syntax, I did find one very nice
> feature in shorewall - safe restart.
>
> When safe restarting, shorewall will implement all rules in the iptables
> config files, then give the user a prompt: keep rules y/n?
>
> If 'yes' the rules are kept and everyone is happy. If 'no', iptables are
> disabled and all traffic let in. If no answer then default to answer 'no'
> after 60 seconds.
> Very useful, even if just for the added peace of mind when applying new
> changes.
>
> Is there a ready made script accomplishing this for openbsd / pf?  Or any
> plans of building such functionality?
>
> Christian
>
>

FreeBSD has a similar script for ipfw(8) called change_rules.sh.  You could
probably modify it to suit your needs, but I haven't really looked at how it
works, as I don't find it necessary with pf.

http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/ipfw/change_rules.sh?annotate=1.2.2.5

-- 
Kian Mohageri



Re: sk or em

2007-04-16 Thread Kian Mohageri
On 4/16/07, Ronnie Garcia <[EMAIL PROTECTED]> wrote:
>
> > Bryan Vyhmeister wrote:
> > > On Apr 16, 2007, at 1:58 AM, Ronnie Garcia wrote:
> > >
> > >> Clint Pachl wrote:
> > >>> Ronnie Garcia wrote:
> > >>>> Do you expect doing more than 100mbits with this hardware (with PF
> > >>>> enabled) ?
> >>>> I'm maxing a P4 2.4Ghz at 40mbits, with a dual em, and a ~300 lines
> >>>> pf.conf
> >>> What is your packets/sec when your pushing 40Mbs? Does the traffic
> >>> flow in one em and out the other or is the dual em in a trunk (i.e.
> >>> 2Gbs)?
> >>
> >> Traffic gets in one em, is filtered by pf, and gets out from the other
> >> em (and the other way around).
> >> Its doing 11kpps in and 6kpps out of each em, plus 7kpps on the pfsync
> >> interface, which is a sis
> >
> > This brings up a question I have had for a while. Does pfsync generate
> > enough traffic that running gigabit cards for your $ext_if and $int_if
> > and a 100base-TX card for your pfsync interface cause a major
> bottleneck?
>
> It depends on the rate of the states changes.
> Here, we have ~30mbits on pfsync, for ~40mbits of traffic (!)



On our college campus with 50Mbps, we see ~8Mbps pfsync traffic.

Your ratio amazes me...  What type of environment is that in?

-- 
Kian Mohageri



Re: Mail Server (seeking recommendations)

2007-04-16 Thread Kian Mohageri
On 4/13/07, Steven Presser <[EMAIL PROTECTED]> wrote:
>
> Hello,
> I'm working for a small company which has settled on OpenBSD as its
> server software (because the security is excellent).  We have settled on
> what software to use for everything but the mail server.  I'd like to
> request recommendations from the knowledgeable people of this
> list.  The priorities for the mail server are:
> 1. Security
> 2. Usability (for the end user - not everyone is technically skilled,
> although the setup can be done for anyone who needs help)
> 3. Ease of setup
> 4. Scalability
> Obviously the first is by far the most important.  The other three
> are more perks than anything else.



Throwing in another vote for Dovecot for IMAP.  I'm stuck with Qmail at the
moment (works fine), but Postfix is nice.

As for webmail, I haven't heard Roundcube mentioned yet.  We use it, and
it's at least pretty enough.  Requires a database, unfortunately, but it
works with LDAP and our staff like it.

http://roundcube.net/

--
Kian Mohageri



Re: [Fwd: Shipped Order:2007/3/12-13:27:10-21493:]

2007-04-21 Thread Kian Mohageri
On 4/20/07, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
>
> "Allie D." <[EMAIL PROTECTED]> writes:
>
> > YES ! It's on it's way !!
>
> got mine on wednesday :)
>


Mine arrived in Seattle, Washington yesterday (4/20).

Looks great!  So psyched about the stickers...

-- 
Kian Mohageri



Re: pf - drop or return - is stealth mode overrated?

2007-04-24 Thread Kian Mohageri
On 4/24/07, Chris Smith <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> Using openbsd as a firewall in several cases - a few small businesses, and
> also for home use. Some websites, such as grc.com, stress that "stealth
> mode"
> (which openbsd handles with ease) is the safest. But I've also read that
> using 'return' instead of 'drop' is good netizenship. So I'm wondering how
> others are handling this and what recommendations you might have.



I use drop in most cases.  Stealth mode isn't exactly going to add much, but
I see no reason a host should receive any response at all when it is trying
to talk to a host that doesn't exist or a port that isn't actually listening.
Much of that activity is simply host/port scanning.

I could argue either way, but my preference is 'block drop' most of the
time.

-- 
Kian Mohageri



Re: pf - drop or return - is stealth mode overrated?

2007-04-24 Thread Kian Mohageri
On 4/24/07, Lars Hansson <[EMAIL PROTECTED]> wrote:
>
> Kian Mohageri wrote:
> > I could argue either way, but my preference is 'block drop' most of the
> > time.
>
> Hopefully "most of the time" does not include ICMP.
>
>
It doesn't.

-- 
Kian Mohageri



Re: pf - drop or return - is stealth mode overrated?

2007-05-02 Thread Kian Mohageri
Henning Brauer wrote:
> * Chris Smith <[EMAIL PROTECTED]> [2007-04-25 00:42]:
>> Using openbsd as a firewall in several cases - a few small businesses, and 
>> also for home use. Some websites, such as grc.com, stress that "stealth 
>> mode" 
>> (which openbsd handles with ease) is the safest. But I've also read that 
>> using 'return' instead of 'drop' is good netizenship. So I'm wondering how
>> others are handling this and what recommendations you might have.
> 
> "stealth" mode is totally overrated.
> 

For my clarification, are we talking about "stealth mode" as in dropping
everything (including pings) from untrusted hosts, or the default
block-policy (drop vs. return)?

Based on this discussion, I'm trying to decide if I want to change our
firewall block-policy to 'return' even though we already allow ping and
'return' traffic to the firewalls themselves so things like traceroute
can work.



Re: c2k7 hackathon is over

2007-06-02 Thread Kian Mohageri

On 6/2/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:

> The c2k7 hackathon is over, with roughly 50 developers attending the
> event for 10 days in Calgary.
>
> So many projects were started or finished, it is basically impossible
> for me to describe all the projects.
>
> Hope you guys out there enjoy the changes that we've made.



In addition to all the great progress being made, based on the
pictures, it looks like you guys had a lot of fun.  Makes me glad to
have bought a CD set/poster/shirt to help fund stuff like this.

Thanks for sharing your work with the rest of us!

Kian



Re: Problem with Intel Pro/1000 PT

2007-06-06 Thread Kian Mohageri

On 6/6/07, Robert Warning <[EMAIL PROTECTED]> wrote:

> Hello everybody,
> I've been getting some strange errors with this dual port nic. My
> system is a dual core AMD64 system running 4.1-stable with
> multiprocessor support enabled. The chipset of the card is 82571EB.
> This problem also occurs when I boot into a kernel without MP
> support. em0 works fine, but em1 throws watchdog timeout errors
> frequently, and it is so slow to the point of being unusable. em1 is
> slow even if it happens to not be throwing the watchdog timeout
> errors. I first noticed this when I set both devices to configure via
> dhcp. Thinking it might be a broken card, I swapped in another card
> of the same model and chipset, and experienced the same problem. The
> other nic in the system, re0, works fine. I've looked through some
> message boards on the subject but I have not found anything
> conclusive, and I'm at a loss at what the problem could be. I'm
> hoping it's a configuration issue, or a problem at my end. Any advice
> would be greatly appreciated.
>
> Bob


Not sure if you saw this or not -

http://marc.info/?l=openbsd-tech&m=117848134811286&w=2

Kian



syslog disabling question

2007-06-13 Thread Kian Mohageri

Hello,

I was setting up a central logserver this afternoon and some of the
functionality I need wasn't in the stock syslogd(8), so I chose to use
syslog-ng.

I noticed that you cannot specify syslogd=NO or syslogd_flags=NO to
disable it (in rc.conf.local), and I was mostly curious why.

I'm sure it has something to do with the gap between when things start
up and may need to log vs. when the local startup happens -- if that's
true, what is the suggested way around that?

Originally I thought to simply keep syslogd enabled, but syslog-ng
will not be able to start in that case.

Is my best option to kill syslogd from rc.local or manually edit /etc/rc?

Thanks for any suggestions.

Kian



Re: syslog disabling question

2007-06-13 Thread Kian Mohageri

On 6/13/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:

> On 2007/06/13 02:00, Kian Mohageri wrote:
> > Is my best option to kill syslogd from rc.local or manually edit /etc/rc?
>
> How about leaving them both running, and binding syslog-ng to just
> the relevant IP address?




Thank you all for the suggestions.  For some reason I didn't think of
what Stuart suggested, so I'll try that out.  I think it is better
than modifying rc(8).

I think I will have the stock syslogd do its default thing and
maybe even forward messages to syslog-ng in addition so there is some
consistency with the rest of the hosts.

Thanks again,
Kian



internal em(4) NIC stuck in OACTIVE on 3.9

2006-06-28 Thread Kian Mohageri
I have been experiencing an issue lately where the internal NIC of our
firewall stops passing traffic until the interface is manually restarted (or
machine rebooted).  This happens to whichever machine is MASTER of the
carp(4) group, but seems to only ever happen to the internal interface
though both the external and internal interfaces are sharing a dual port
GigE card.  It seems to happen every few weeks lately.

When it happened tonight, I noticed the OACTIVE flag being set on the
internal interface.  Pinging out the internal interface results in "No
buffer space available" which, as I understand it, makes sense if OACTIVE is
set because that flag indicates that the TX queue is full.

PF is active on both machines, along with pfsync(4) and carp(4).  The
firewalls pass 28Mb throughout the year.  This summer they're only passing
about 5Mb yet the problem continues (so far once this summer).

At the time, the arp and routing tables looked fine.  pf also seemed to be
processing traffic on the internal interface.

I came across this while googling.  It appears to be the same issue I'm
having:  http://www.mail-archive.com/pf@benzedrine.cx/msg07554.html

Any suggestions would be much appreciated.

Thanks,
-Kian

pfctl -sr snip:

scrub in all fragment reassemble
block drop log all
...
pass in on em1 inet from any to (em1)
pass in on em1 inet from any to (carp0)
pass out on em1 inet from (em1) to any
pass out on em1 inet from (carp0) to any
pass in on em2 inet from any to (em2)
pass in on em2 inet from any to (carp1)
pass out on em2 inet from (em2) to any
pass out on em2 inet from (carp1) to any
pass in on em1 from any to 
pass out on em1 from  to any
pass in on em2 from  to any
pass out on em2 from any to 
...

ifconfig snip during problems (em2 is internal; as you can see, OACTIVE is
set):

...
em1: flags=8943 mtu 1500
lladdr 00:04:23:a9:18:06
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 216.57.208.163 netmask 0xfff0 broadcast 216.57.208.175
inet6 fe80::204:23ff:fea9:1806%em1 prefixlen 64 scopeid 0x2
em2: flags=8d43 mtu 1500
lladdr 00:04:23:a9:18:07
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 66.165.31.245 netmask 0xfff8 broadcast 66.165.31.247
inet6 fe80::204:23ff:fea9:1807%em2 prefixlen 64 scopeid 0x3
...

netstat -m during problems:

1385 mbufs in use:
1379 mbufs allocated to data
3 mbufs allocated to packet headers
3 mbufs allocated to socket names and addresses
1379/1590/6144 mbuf clusters in use (current/peak/max)
3564 Kbytes allocated to network (87% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

netstat -m during normal activity:

839 mbufs in use:
833 mbufs allocated to data
3 mbufs allocated to packet headers
3 mbufs allocated to socket names and addresses
832/888/6144 mbuf clusters in use (current/peak/max)
2020 Kbytes allocated to network (92% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines


dmesg:


Re: testing max tcp connections

2006-07-10 Thread Kian Mohageri
On 7/10/06, Lawrence Horvath <[EMAIL PROTECTED]> wrote:
>
> I'm using an OpenBSD 3.9 server and a FreeBSD 6.1 server on either end
> of a firewall to test throughput and max open connections of the
> firewall, I tested throughput with netstrain(d) but I'm unsure how to
> test the max open connections, anyone recommend a program? or script?
> to test the max number of open tcp connections, basically I just need
> to open as many tcp connections as my servers will handle.
>
> Thanks
>
> --
> -Lawrence
>
>
Try hping (http://www.hping.org)

-Kian



Re: ping: sendto: No buffer space available

2006-07-14 Thread Kian Mohageri
On 7/14/06, Jason Dixon <[EMAIL PROTECTED]> wrote:
>
> We have an OpenBSD 3.8 firewall that has been in production for the
> last six months.  Until the last week or two, everything has been
> great.  Recently while diagnosing a problem with the bonded T1 pair,
> I noticed the following error while pinging the gateway:
>
> ping: sendto: No buffer space available
>
> This always coincided with a very high spike (1000-3000ms) in
> latency, which would usually go back down to ~0ms and operate
> normally.  The interface in question is an Intel em connected to a
> Cisco 2950 trunk.  The other two interfaces (em1, sk0) are working
> fine.  The LAN interface (em1) pushes *much* more data, as it routes
> between 13 internal VLANs.  I've also had another box perform the
> same ping test concurrently to confirm this isn't a problem with the
> gateway.




This is the same behavior I would see when trying to ping out our internal
em(4) interface when the transmit queue filled up (or it was thought to be
full).  You can confirm that is the case by checking ifconfig (look for
OACTIVE).

But, does that interface ever fail completely and require an interface
restart, or just spike?

Kian
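Kian's check in both the 3.9 OACTIVE report above and this reply is to look for OACTIVE in ifconfig output. As an added Python example that is not from the thread, this decodes the hex flags word ifconfig prints and lists the interfaces with the OACTIVE bit set; the sample is reconstructed from the ifconfig excerpt in the 3.9 thread, and the bit values are the classic BSD IFF_* constants from <net/if.h>.

```python
"""Decode the hex interface flags in ifconfig(8) output and flag interfaces
whose OACTIVE bit is set (transmit queue marked full, the state behind
'ping: sendto: No buffer space available').  Added example, not from the
thread; the snippet is reconstructed from the ifconfig excerpt in the
OACTIVE report.  Flag values are the classic BSD IFF_* bits from <net/if.h>."""
import re

IFF_BITS = [
    (0x1, "UP"), (0x2, "BROADCAST"), (0x4, "DEBUG"), (0x8, "LOOPBACK"),
    (0x10, "POINTOPOINT"), (0x20, "NOTRAILERS"), (0x40, "RUNNING"),
    (0x80, "NOARP"), (0x100, "PROMISC"), (0x200, "ALLMULTI"),
    (0x400, "OACTIVE"), (0x800, "SIMPLEX"), (0x1000, "LINK0"),
    (0x2000, "LINK1"), (0x4000, "LINK2"), (0x8000, "MULTICAST"),
]
IFF_OACTIVE = 0x400

# Reconstructed from the thread: em1 (external) healthy, em2 (internal) stuck.
SAMPLE_IFCONFIG = """\
em1: flags=8943 mtu 1500
lladdr 00:04:23:a9:18:06
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
em2: flags=8d43 mtu 1500
lladdr 00:04:23:a9:18:07
media: Ethernet autoselect (1000baseT full-duplex)
status: active
"""

# Matches both "flags=8d43 mtu 1500" and the usual "flags=8d43<UP,...> mtu 1500".
HEADER_RE = re.compile(r"^(\w+): flags=([0-9a-fA-F]+)")


def decode_flags(value):
    """Names of the IFF_* bits set in an ifconfig flags word."""
    return [name for bit, name in IFF_BITS if value & bit]


def parse_ifconfig(text):
    """Map interface name -> integer flags word."""
    found = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2), 16)
    return found


def stuck_interfaces(text):
    """Interfaces with OACTIVE set: candidates for the stall described above."""
    return [name for name, flags in parse_ifconfig(text).items()
            if flags & IFF_OACTIVE]


if __name__ == "__main__":
    for name, flags in parse_ifconfig(SAMPLE_IFCONFIG).items():
        print(f"{name}: {flags:#x} <{','.join(decode_flags(flags))}>")
    print("OACTIVE set on:", stuck_interfaces(SAMPLE_IFCONFIG))
```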



Re: Web mail

2006-07-19 Thread Kian Mohageri
http://www.roundcube.net/

It is pretty new still, but I replaced SquirrelMail with it because
SquirrelMail is terrible.  People seemed to like the change.  Very simple to
configure, and it's pretty.

-Kian

On 7/19/06, Bachman Kharazmi <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED]:~/ > pkg_info
>
> ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz
> Information for
>
> ftp://ftp.stacken.kth.se/pub/OpenBSD/3.9/packages/i386/openwebmail-2.51.tgz
>
> Comment:
> highly configurable webmail client
>
> Description:
> Open WebMail is a webmail system designed to manage very large mail folder
> files in a memory efficient way. It also provides a range of features to
> help users migrate smoothly from Microsoft Outlook to Open WebMail.
>
> FEATURES:
> -
> 1.  fast folder access
> 2.  efficient messages movement
> 3.  smaller memory footprint
> 4.  convenient folder and message operation
> 5.  graceful filelock
> 6.  remote SMTP relaying
> 7.  virtual hosting and account alias
> 8.  pam support
> 9.  per user capability configuration
> 10. full content search
> 11. strong MIME message capability
> 12. draft folder support
> 13. spelling check support
> 14. POP3 mail support
> 15. mail filter support
> 16. message count preview
> 17. confirm reading support
> 18. BIG5/GB conversion (for Chinese only)
>
> Maintainer: Kevin Lo <[EMAIL PROTECTED]>
>
> WWW: http://www.openwebmail.org/
>
> /bkw
>
> On 19/07/06, Eric Johnson <[EMAIL PROTECTED]> wrote:
> > Which web mail package is easiest to install and use on
> > OpenBSD?  Are there any gaping security holes?



Re: Carp/Pfsync problem

2006-07-20 Thread Kian Mohageri
Change 'syncif' to 'syncdev' in your hostname.pfsync files.

Also, out of curiosity, why are there two CARP addresses between the
workstation and firewalls?

Kian

On 9/20/06, Tim Pushor <[EMAIL PROTECTED]> wrote:
>
> Hi friends,
>
> I am trying to set up my first firewall w/failover via carp & pfsync. I
> have it almost working, but am having a couple of issues. I am hoping
> someone will be able to help :)
>
> First, before I enabled preemption I almost always had one machine being
> master for one of the carp interfaces, and slave for the other two. It
> seemed to work, but just looked troublesome. Enabling preemption seemed
> to solve this. Does this point to a bigger problem somewhere?
>
> Second, and what I am really trying to fix - is to have an in progress
> TCP session fail over to the second firewall. The connection stalls and
> eventually times out when failing over, but attempting to re-establish
> after the failover works (through the second firewall). I've confirmed
> (at least in my mind) that state updates are being properly propagated
> to the second firewall by watching the pfsync interface, and noting the
> state via pfctl -s state. I've watched syslog with pfctl -x loud and
> didn't see anything.
>
> Any hints on how I can go about troubleshooting this further? I've
> included as much info as I can think of. The included PF ruleset is
> just a proof of concept - I realize there's quite a bit more to be done,
> I'm just trying to get the failover working.
>
> Thanks!,
> Tim
>
> BTW If there is any OpenBSD guru in Calgary that's looking for a few
> hours of consultancy I'd love to hear from you :)
>
> Details:
>
> Both systems are Dell 850 servers w/added Intel Etherexpress Pro 10/100
> cards as the pfsync interface, with a crossover cable between them. OS
> is OpenBSD 3.9, GENERIC Kernel.
>
>                        192.168.1.246
>                   +------------------+
>                   | Test Workstation |
>                   +--------+---------+
>                            |
>      carp1 192.168.1.22    |    carp2 192.168.1.23
>    ------------+-----------+-----------+------------  192.168.1.0/24
>                |                       |
>   192.168.1.20 bge0                  bge0 192.168.1.21
>            +-----+                   +-----+
>            | fw1 |-fxp0---------fxp0-| fw2 |
>            +-----+                   +-----+
>   10.0.10.253 bge1                   bge1 10.0.10.254
>                |                       |
>    ------------+-----------+-----------+------------  10.0.10.0/24
>                     carp0  |  10.0.10.1
>                     +------+------+
>                     | Test Server |
>                     +-------------+
>                       10.0.10.42
>
> (fw1 fxp0 - 192.168.254.253)
> (fw2 fxp0 - 192.168.254.254)
>
>
>  fw1:
>
> # cat hostname.bge0
> inet 192.168.1.20 255.255.255.0 NONE
>
> # cat hostname.bge1
> inet 10.0.10.253 255.255.255.0 NONE
>
> # cat hostname.fxp0
> inet 192.168.254.253 255.255.255.0 NONE
>
> # cat hostname.carp0
> inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass foo1 carpdev bge1
>
> # cat hostname.carp1
> inet 192.168.1.22 255.255.255.0 192.168.1.255 vhid 2 pass foo2 carpdev
> bge0
>
> # cat hostname.carp2
> inet 192.168.1.23 255.255.255.0 192.168.1.255 vhid 3 pass foo3 carpdev
> bge0
>
> # cat hostname.pfsync0
> up syncif fxp0
>
> # sysctl -a | grep carp
> net.inet.carp.allow=1
> net.inet.carp.preempt=1
> net.inet.carp.log=0
> net.inet.carp.arpbalance=0
>
>  fw2:
>
> # cat hostname.bge0
> inet 192.168.1.21 255.255.255.0 NONE
>
> # cat hostname.bge1
> inet 10.0.10.254 255.255.255.0 NONE
>
> # cat hostname.fxp0
> inet 192.168.254.254 255.255.255.0 NONE
>
> # cat hostname.carp0
> inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass foo1 advskew 128
> carpdev bge1
>
> # cat hostname.carp1
> inet 192.168.1.22 255.255.255.0 192.168.1.255 vhid 2 pass foo2 advskew
> 128 carpdev bge0
>
> # cat hostname.carp2
> 192.168.1.23 255.255.255.0 192.168.1.255 vhid 3 pass foo3 advskew 128
> carpdev bge0
>
> # cat hostname.pfsync0
> up syncif fxp0
>
> # sysctl -a | grep carp
> net.inet.carp.allow=1
> net.inet.carp.preempt=1
> net.inet.carp.log=0
> net.inet.carp.arpbalance=0
>
>
>  PF Rules (identical on both machines)
>
> # cat /etc/pf.conf
> ext_if="bge0"
> int_if="bge1"
> pfsync_if="fxp0"
>
> # All interfaces (real + virtual via carp) thought of as external
> ext_ifs="{ bge0, carp1, carp2 }"
>
> # Our internal network(s). Used for access rules and NAT
> internal_nets="10.0.10.0/24"
>
> # Define NAT source port range (all source ports will be rewritten to use
> # this range)
> nat_port_range="20001:65535"
>
> # Define virtual carp interface that should be used as NAT source
> # (i.e. outbound h

Re: PF redirect to another IP on LAN

2006-07-29 Thread Kian Mohageri
> Wouldn't this do the trick?
>
> rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103
>
> "Redirect any port 80 traffic originally meant for me to 192.168.1.103"



Yes, but why are you asking if you already have the answer?  As stated in
the man page, your traffic will also need to pass filter evaluation AFTER
the redirect rule is processed.  Can't you just test that line?

Kian
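The reply's point, that an rdr rule only rewrites the destination and the rewritten packet still has to get through filter evaluation, is easy to lose in a long ruleset. The following is an added example (the editor's, not from the thread and not part of pf): a small awk-based lint that reads a pre-4.7 style pf.conf and lists every redirect target that has no matching "pass in" rule. The ruleset inside it is constructed for the demonstration; 192.168.1.121 is the router address from the question, the other hosts and ports are made up.

```shell
# Added example, not from the thread. An rdr rule only changes the
# destination; the rewritten packet must still match a pass rule for the
# NEW destination. This lint flags redirects that nothing passes.
# (pre-4.7 pf syntax, as in use in 2006; ruleset constructed for the demo)

sample_ruleset() {
    cat <<'EOF'
ext_if="rl1"
block in on $ext_if all
# web: redirected AND passed for the new destination -> works
rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103
pass in on $ext_if proto tcp from any to 192.168.1.103 port 80 flags S/SA keep state
# mail: redirected but never passed -> the connection is silently blocked
rdr on $ext_if proto tcp from any to 192.168.1.121 port 25 -> 192.168.1.104
EOF
}

# The same ruleset with the missing pass rule added.
fixed_ruleset() {
    sample_ruleset
    echo 'pass in on $ext_if proto tcp from any to 192.168.1.104 port 25 flags S/SA keep state'
}

# Read a ruleset on stdin and print "<host> <port>" for each rdr target that
# has no "pass in ... to <host> port <port>" (or "to any port <port>") rule.
# Exit status is 0 when every redirect is covered, 1 otherwise.
rdr_without_pass() {
    awk '
        /^[ \t]*rdr / {
            host = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "->")   host = $(i + 1)   # redirect target
                if ($i == "port") port = $(i + 1)   # the last "port" wins, so a
            }                                      # "-> host port N" target port is used
            targets[host " " port] = 1
        }
        /^[ \t]*pass[ \t]+in/ {
            host = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "to")   host = $(i + 1)
                if ($i == "port") port = $(i + 1)
            }
            passed[host " " port] = 1
        }
        END {
            missing = 0
            for (t in targets) {
                split(t, f, " ")
                if (!(t in passed) && !(("any " f[2]) in passed)) {
                    print t
                    missing = 1
                }
            }
            exit missing
        }'
}
```

Run it as `rdr_without_pass < /etc/pf.conf` beside `pfctl -nf /etc/pf.conf`: the latter checks syntax only and will happily load a ruleset whose redirects are all blocked. The lint deliberately does not expand macros, tables or brace lists, so treat its output as a hint to look at, not a verdict.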



Re: Carp/Pfsync problem

2006-07-31 Thread Kian Mohageri
On 7/31/06, Tim Pushor <[EMAIL PROTECTED]> wrote:
>
> Sorry to bump this thread, but I'd really like to know how to
> troubleshoot something like this.



I'd suggest tcpdump'ing at the point when the connection fails, on the
pflog(4) interface of both machines, especially the backup which is
apparently dropping traffic after failover.  Also, you haven't said whether
there are any packet filters enabled on the client/server themselves, though
I'd assume not.

-Kian



Re: saslauthd issue?

2006-08-07 Thread Kian Mohageri
> B14xVu: Undefined variable.
>
> where "B14xVu" is a fragment of the password. The full password was:
> V$B14xVu
>
> I tried this on other user/password combinations, and got reasonable
> results. But the "$" char seems to cause a problem consistently. In all
> other cases, the result was either:


Have you tried escaping the $ char to make sure the shell doesn't interpret
it?

V\$B14xVu



Re: saslauthd issue?

2006-08-07 Thread Kian Mohageri
On 8/7/06, J Moore <[EMAIL PROTECTED]> wrote:
>
> On Mon, Aug 07, 2006 at 10:51:02PM -0700, the unit calling itself Kian
> Mohageri wrote:
> > >
> > >B14xVu: Undefined variable.
> > >
> > >where "B14xVu" is a fragment of the password. The full password was:
> > >V$B14xVu
> > >
> > >I tried this on other user/password combinations, and got reasonable
> > >results. But the "$" char seems to cause a problem consistently. In all
> > >other cases, the result was either:
> >
> >
> > Have you tried escaping the $ char to make sure the shell doesn't
> interpret
> > it?
> >
> > V\$B14xVu
>
> Yes - sorry I failed to mention that... esc'ing the $ does get by, but
> I've just never ever heard of having to escape a password... does that
> seem logical? shouldn't it at least be documented?



It isn't that unusual.  The program you're testing with is run on the
command line, so special characters are going to be interpreted by the
shell.

Might be worth a note in the man page example or something but it's pretty
common knowledge (not saying you should've known that or anything)

Kian
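Both replies above come down to one fact: the shell parses the command line before the test program ever sees it, so a `$` followed by letters is a variable reference. The snippet below is an added illustration (not from the thread); it uses the password from the thread, V$B14xVu, as a constructed value and shows what the program actually receives under each form of quoting, plus a small check for characters that force quoting.

```shell
# Added example, not from the thread. Shows how the shell rewrites an
# unquoted argument containing "$" before the program receives it.
# V$B14xVu is the password from the thread, used here as a constructed value.

# Hand back the single argument exactly as the shell delivered it.
first_arg() {
    printf '%s' "$1"
}

# Unquoted: $B14xVu is parsed as a variable named B14xVu. In sh it is unset
# and expands to nothing, so the program silently gets "V" and the login
# simply fails. csh (the shell behind the thread's "Undefined variable."
# message) aborts the command instead.
unquoted_password() {
    first_arg V$B14xVu
}

# Single quotes suppress every expansion: the program gets V$B14xVu.
single_quoted_password() {
    first_arg 'V$B14xVu'
}

# A backslash escapes just the dollar sign, as the reply suggested.
backslash_password() {
    first_arg V\$B14xVu
}

# Safer still: keep the secret in a variable and always double-quote the
# expansion, so its contents are never re-parsed as shell syntax.
from_variable_password() {
    secret='V$B14xVu'
    first_arg "$secret"
}

# Exit status 0 when the argument contains a character the shell would
# interpret ($ ` " ' \ space ! * ?), i.e. when it must be quoted on a
# command line.
needs_quoting() {
    case "$1" in
        *[\$\`\"\'\\\ \!\*\?]*) return 0 ;;
        *) return 1 ;;
    esac
}
```

The practical lesson for a test tool run from the shell is the third and fourth forms: single-quote the secret, or better, never put it on a command line at all, since arguments are also visible to every local user through ps(1).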



Re: NFS over 2 PF firewalls with CARP/pfsync

2006-08-17 Thread Kian Mohageri
On 8/17/06, Alastair Johnson <[EMAIL PROTECTED]> wrote:
>
> I have 2 OpenBSD 4.0beta firewalls arranged in a CARP
> failover configuration with PFsync.
>
> It seems to work very well for everything except NFS.
> My ssh, remote desktop and telnet connections seem to
> survive a failover very nicely.


I've never tried it, but pf.conf(5) states that scrub (assuming you're
scrubbing traffic) can cause problems with NFS unless the 'no-df' keyword is
specified.  I don't really know if that is related at all to what you're
experiencing but figured I'd mention it.

Kian



syncing pf tables

2006-08-29 Thread Kian Mohageri
Hello,

I was just curious if any of you sync pf tables between hosts, and how you
do it.  I know it may be considered abusing tables, but in our setup, we
hold a list of registered clients within tables (which are updated
dynamically by scripts).  We also use carp (and soon pfsync) for failover.
Obviously both hosts need to have the same addresses in their tables for
this to work well, so the script runs on both hosts...which is fine I
suppose, and cleaner than scp'ing the list from one to the other.

But I was curious how other people handle this issue.  So, how do you guys
sync your tables?


Thanks,
Kian



Re: syncing pf tables

2006-08-29 Thread Kian Mohageri
> On CARP'd machines, it can be kinda handy, make a quick change on the
> primary, test it, if it works, run the script.  If it doesn't, you can
> easily revert it by simply running the script on the standby machine.
>
> Nick.
>
>
Ah...that is a pretty cool idea.  I was more curious about dynamically
syncing them though, as opposed to having any user interaction.  For
example, say you have redundant firewalls with a table which is populated by
the overflow keyword; it may be useful to sync this table between master and
backup nodes, without manual intervention -- so that in the event of a
failover, the backup has the same hosts in its tables.  Does that make
sense?

Kian
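One way to do what the original question and this follow-up ask for, pushing a table from the CARP master to the backup with no manual step, as an added example (the editor's, not anything from the thread). It assumes the backup is reachable over ssh with key authentication, that the table exists in both rulesets, and that pfctl's `-T show` / `-T replace` work as documented, with `-f -` reading the list from stdin; the table name and host name are placeholders.

```shell
# Added example, not from the thread: keep a pf table identical on a CARP
# master and its backup. Table name and backup host are placeholders.

# `pfctl -t TABLE -T show` indents each entry; strip that, drop blank lines
# and sort in the C locale so two dumps compare cleanly with comm(1).
normalize_table() {
    sed 's/^[[:space:]]*//' | grep -v '^$' | LC_ALL=C sort -u
}

# Given two normalised dumps (files), print what the backup lacks as "+addr"
# and what it has extra as "-addr". Pure text; suitable for a log line.
table_diff() {
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/+/'
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/-/'
}

# Replace the backup's copy of TABLE with the master's in one operation:
# -T replace swaps the whole list atomically, so there is no window where
# the table is half empty. Assumes pfctl accepts "-" as stdin for -f.
sync_table() {
    table="$1"; backup_host="$2"
    tmp=$(mktemp) || return 1
    pfctl -t "$table" -T show | normalize_table > "$tmp" || { rm -f "$tmp"; return 1; }
    ssh "$backup_host" "pfctl -t '$table' -T replace -f -" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only the master should push. ifconfig reports a carp interface's role as
# "carp: MASTER" or "carp: BACKUP".
is_carp_master() {
    ifconfig "$1" 2>/dev/null | grep -q 'carp: MASTER'
}

# Usage from cron on BOTH hosts (only the current master acts):
#   is_carp_master carp0 && sync_table registered_clients fw2
```

Running the same cron entry on both nodes means nothing has to change when the roles flip; whichever host is master pushes. For a table filled by the overflow keyword the push interval bounds how stale the backup can be at failover.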



Re: VPN(8) pf.conf

2006-09-12 Thread Kian Mohageri
On 9/12/06, Gustavo Rios <[EMAIL PROTECTED]> wrote:
>
> While reading the VPN(8) manual page, I could not figure out in what
> interface context the following line applies:
>
> # Pass encrypted traffic to/from security gateways
> pass in proto esp from $GATEWAY_B to $GATEWAY_A
> pass out proto esp from $GATEWAY_A to $GATEWAY_B



No interface is specified so it applies to any interface.  pf.conf(5) makes
that pretty clear.

Kian



Re: Got 'em !

2008-04-10 Thread Kian Mohageri
On Thu, Apr 10, 2008 at 1:29 AM, Paul de Weerd <[EMAIL PROTECTED]> wrote:
> Hi all,
>
>  The new 4.3 CD set has just arrived here in Zurich, Switzerland ! I've
>  put up a pic on http://www.weirdnet.nl/images/openbsd43set.jpg ..
>  looking very cool yet again ;)
>

Artwork looks great!

Are those the same semi-transparent stickers from 4.2?  I can't tell
from the picture.

-Kian



Re: PF and states of connections with same src port

2008-05-02 Thread Kian Mohageri
On Fri, May 2, 2008 at 7:35 AM, B A <[EMAIL PROTECTED]> wrote:
> Hello!
>
>  I have question about PF.
>
>  I have just found interesting behavior of PF.
>
>  For example if I fix source port and run from my PC:
>
>echo 'aaa' | nc -p  www.my.rerver 80
>
>  I got response.
>
>  But if I just run this command again - connection stuck.
>
>  I should wait about 1 min to be able to make connection with
>  same src port. Looks like pf states didn't immediately get removed after
>  FIN send.
>
>  Directly connected PC doesn't show such behavior, I got response immediately.
>
>  Am I wrong or something about PF? How can I fix this behavior?
>

States aren't purged immediately.  Take a look at the timeout values,
specifically tcp.closed.

-Kian



Re: NAT Question

2006-09-14 Thread Kian Mohageri
On 9/13/06, Monah Baki <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> Yesterday I just received 8 public IP addresses from my ISP. I'm running
> ppp on my OpenBSD 3.9 server (DSL).
> My xl0 has the public IP address (67.100.x.x) provided to me by my ISP, my
> xl1 interface is my 192.168.3.1
> Once I run /usr/sbin/ppp -ddial pppoe, my tun0 gets created
>
> If I issue a netstat -an, I see the 5 other public IP addresses given to
> me.
>
> Now I have 4 other machines behind the OBSD box, in the 192.168.3.x IP
> range.
>
> My NAT rule is:
> nat on xl1 from 192.168.3.0/24 to any -> xl0
>
> Now if I were to assign the gateway on my internal hosts the IP address of
> xl1 on my BSD box, I can't seem to access the internet.
>
> Now if I were to assign one of the public interfaces on one of the
> internal machines, and the gateway is the IP address of xl0 on my BSD box,
> it works fine.
>
>
> Hope this makes sense, cause I'm completely lost as to why something that
> was working on a single IP, I introduced 8 other IP's and it does not work
> anymore.
> Nothing has changed in my pf.rule file, only the new 8 IP addresses.
>
>
> Thank you
>
> BSD Networking, Microsoft Notworking
>
>

Maybe I'm wrong, but usually you perform NAT on the external interface (in
your case it looks to be xl0).  You might also want to read the FAQ on how
to do NAT properly.  Based on your description (which is a bit unclear so
maybe I'm wrong) it doesn't sound like you ever had NAT working properly...

Also, post your pf.conf and take Joachim's advice about tcpdump'ing on
pflog0 and the other interfaces.

Kian



Re: OT: 4.0 = happy

2006-09-22 Thread Kian Mohageri
On 9/21/06, Greg Thomas <[EMAIL PROTECTED]> wrote:
>
> On 9/21/06, Spruell, Darren-Perot <[EMAIL PROTECTED]> wrote:
> > http://www.openbsd.org/40.html
> >
> > Every time I go through the release notes I can't help but squirm with
> > happiness in my seat.
> >
> > The progress is always impressive and out of so many other OSS projects
> that
> > stagnate and undergo "questionable" changes of one kind or another, I
> can
> > always look forward to OpenBSD making tremendous advances on improving
> the
> > system and sticking to the guns. Even the kind of changes being made to
> some
> > of the long-lived apps to enhance them - simply *brilliant*.



Small as my voice may be, I'd also like to say thank you.  Whenever I'm
reading (computer related or not) about a few motivated brilliant
individuals moving things in the right direction, I ALWAYS think of OpenBSD
and its developers.  Keep up the awesome work.



Re: Letter to OLPC

2006-10-05 Thread Kian Mohageri
On 10/5/06, Ingo Schwarze <[EMAIL PROTECTED]> wrote:
>
>
> The structure of the OpenBSD project suggests that this project
> might be able to resist better than others.  It is no company.
> It is no charity.  It is not so small that it needs to grasp at
> every straw to survive.  It is not so large that any of the big
> players will put any real effort into trying to corrupt it.  As
> long as it has a few people who know what they want, it might
> stand unconquered for a while.  Not because those people are
> morally better than or in any way stronger than others, but
> because they wisely choose a context for living and working
> that lets them grow rather than corrupting them.
>
>
The success of OpenBSD (with regard to keeping its original ideals in mind)
has less to do with the size or structure and more to do with the overall
goals and strength of the people involved.  Writing off their ability to
remain true to themselves and the community as a sort of accident or one of
many equally probable outcomes is completely wrong.  If it was not for Theo
and the rest of the developers, and the community, standing up for
themselves, it would have been dissolved into something different long ago
despite the structure, popularity, size, whatever.

They actively work AGAINST corruption -- they don't simply avoid, ignore, or
resist it.



Re: 'flags S/SA keep state' now the default

2006-10-06 Thread Kian Mohageri
On 10/6/06, Ryan McBride <[EMAIL PROTECTED]> wrote:
>
> I've just committed code based on a suggestion made by Daniel Hartmeier
> to make flags S/SA keep state the default for rules.



Very cool.  Thank you.



Re: Version 4.0 release

2006-10-09 Thread Kian Mohageri
On 10/9/06, Lars Hansson <[EMAIL PROTECTED]> wrote:

> > Asking for code submission if you want feature x or y doesn't really
> > float my boat. I only do some high level programming and I know nothing
> > about kernel internals.
>
> I guess you didn't understand; OpenBSD does not exist for you or me, it
> exists
> for the developers.



This is a truth everybody should have to read before submitting their
complaint/feature request/rant/whatever.

Well said Lars.

-Kian



Re: OpenBSD exists for the developers? [Was: Re: Version 4.0 release]

2006-10-10 Thread Kian Mohageri
On 10/10/06, chefren <[EMAIL PROTECTED]> wrote:
>
>
>
> On 10/10/06 4:46 AM, Kian Mohageri wrote:
> > On 10/9/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> >
> >> I guess you didn't understand; OpenBSD does not exist for you or me, it
> >> exists for the developers.
> >
> >
> >
> > This is a truth everybody should have to read before submitting their
> > complaint/feature request/rant/whatever.
>
> It's definitely not as simple as that, probably about a dynamic half
> of the truth.
>
> A large part of the developers give away their work and solve problems
> of other people just because they like to do so. I presume they
> believe enough of the receivers will do something in return
> (donations, or even code) to help the whole project.



Yes, the developers do give away their creations to the public free of
charge, but as far as I'm concerned that does not change who the project is
actually *for*.  The public benefits from the generosity and intelligence of
the developers (and people who contribute in other ways to the project).
But ultimately the project was never under anyone's control except the
leaders -- it belongs to them, and exists for them.  They are in no way
required to do what they do; there is no REAL obligation to the public.

I agree with you, though, that there is a balance in the community despite
who the project is originally for -- and that balance works well.  In fact,
most people in here probably don't actually think that OpenBSD owes them
something (hopefully...)...but it can be hard to tell from some of the
complaints.

-Kian



Re: problems using HFSC with pf

2006-10-12 Thread Kian Mohageri
On 10/12/06, S t i n g r a y <[EMAIL PROTECTED]> wrote:
>
> i am facing problems using hfsc with PF.



do you see anything wrong with this ? is there a bug in this ?



I don't mean to be rude but you *really* need to start learning how to look
into these things by yourself.  It will help you out a lot in the long run.
People grow very tired of seeing people post their entire pf.conf time after
time with new problems and no indication that you've even tried googling the
error message from pfctl yourself.

Kian



Re: pf: 'block drop' used, but ICMP unreachables returned anyway...

2006-10-13 Thread Kian Mohageri
On 10/12/06, Martin Gignac <[EMAIL PROTECTED]> wrote:
>
>
> Man, I need "The Utterly Dumbass' Guide to pf" (with pretty pictures)
> 'cause my brain doesn't seem to be equipped to understand this concept
> clearly. :-)
>
>

Check out the 3 articles on PF by Daniel Hartmeier (OpenBSD developer).  I
found them to be very clear and concise and I'm pretty sure his explanations
will help you out.

http://www.undeadly.org

-- 
Kian Mohageri



Re: DHCP, CARP, and VLANs

2006-10-13 Thread Kian Mohageri
On 10/12/06, Bryan Vyhmeister <[EMAIL PROTECTED]> wrote:
>
>
> This would send the DHCP requests to whatever server they needed to go
> to. I have been trying to use dhcrelay on the firewalls for this purpose
> with dismal results. If a DHCPREQUEST for  comes in, all is well,
> but if a DHCPDISCOVER request comes in, DHCPOFFER does not seem to reach
> the client.



Where is your DHCP server?  Where is the DHCPOFFER being lost?  Have you
sniffed on interface between the firewalls and DHCP server?  The client and
firewalls?


-- 
Kian Mohageri



Re: OpenVPN Server and nice setting on OpenBSD

2006-10-20 Thread Kian Mohageri
On 10/20/06, Bill Chmura <[EMAIL PROTECTED]> wrote:
>
>
> I have set verbosity to 5 and watched it.  I get lots of W (Writes) and
> R's (Reads) while it is idle, which I was thinking was the pings. On the
> client side I would see WRWRWRWRWRW... (drop and reset)



Do you have  any firewalling going on between these machines?


-- 
Kian Mohageri



Re: new tool: openportd

2006-10-22 Thread Kian Mohageri
On 10/22/06, Steffen Wendzel <[EMAIL PROTECTED]> wrote:
>
>
> You normally have different open ports



pf(4) makes this a minor issue.  No offense, but what you have there (in the
example specifically) is no better than a "limited" (if you consider ability
to reboot or kill ssh "limited") version of rexec/rsh.  The way you
authenticate is obscured a bit, but not secured.

A neat project, I'll give you that.  But I don't recommend it on a
production server.

-- 
Kian Mohageri



Re: Lenovo notebooks

2006-10-26 Thread Kian Mohageri
On 10/26/06, Andreas Kahari <[EMAIL PROTECTED]> wrote:
>
> On 26/10/06, martin g <[EMAIL PROTECTED]> wrote:
> > Hello all
> >
> > Has anyone got experience with Lenovo notebooks running OpenBSD?
> > If you are so kind to share your experience.
>
>
>
I have a Thinkpad T43 running an OpenBSD snapshot at the moment.  I dual
boot FreeBSD and OpenBSD on it.

I haven't run into any problems with basic functionality but I haven't tried
out much in the way of power management.

-- 
Kian Mohageri



Re: Problem with Intel PRO/1000GT (82541GI) adaptors

2006-11-13 Thread Kian Mohageri
On 11/13/06, Joe <[EMAIL PROTECTED]> wrote:
>
> I have 2 of these adaptors
> "Intel PRO/1000GT (82541GI)" rev 0x05
>
> The 82541GI chipset is supported by em(4).
>
> Every day, the box "drops" off the network. The interfaces show
> themselves as active, but I can't ping, arp, or sniff any traffic. A
> reboot solves the problem. Is anyone else having this problem?
>
> For now, I had to remove the NICs because the box is a firewall and goes
> down at random times throughout the day. I didn't notice any particular
> traffic patterns.



Output of `ifconfig` and `netstat -m` is also helpful.  I had this issue too
in 3.8 and 3.9, but it is really rare.  It happens on both firewalls, and
only on the internal interface.  I've talked to a few others with the same
issue too.  Happened about once every few months or so.

http://archives.neohapsis.com/archives/openbsd/2006-06/1813.html

em1 at pci2 dev 2 function 0 "Intel PRO/1000MT (82546GB)" rev 0x03: irq 9,
address 00:04:23:a9:18:06
em2 at pci2 dev 2 function 1 "Intel PRO/1000MT (82546GB)" rev 0x03: irq 9,
address 00:04:23:a9:18:07

You'll probably notice the same thing I did (OACTIVE in the output of
ifconfig).  I couldn't find any patterns though, unfortunately.  I know
there were some related changes in 4.0 though, so I'm hoping that fixes it.


-- 
Kian Mohageri
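This post and the earlier reply about "ping: sendto: No buffer space available" point at the same symptom: an em(4) interface whose transmit queue is full, or is believed to be, shows OACTIVE in its ifconfig flags. The check below is an added example (the editor's, not from either post): it parses ifconfig output and reports every interface carrying that flag, so the condition can be watched for rather than noticed after the fact. The ifconfig text inside is constructed in OpenBSD's layout with made-up addresses; only the flag names are real.

```shell
# Added example, not from the thread: find interfaces whose flags include
# OACTIVE, the symptom described for the em(4) lockups.
# Sample ifconfig output is constructed (OpenBSD layout, made-up addresses).

sample_ifconfig() {
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:00:00:01
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8c43<UP,BROADCAST,RUNNING,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:00:00:02
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 10.0.10.253 netmask 0xffffff00 broadcast 10.0.10.255
EOF
}

# Read ifconfig output on stdin and print the name of every interface whose
# flags word contains OACTIVE. Exit status 1 when at least one was found, so
# the function can drive a cron job or monitoring check directly.
oactive_ifaces() {
    awk '
        /^[a-z]+[0-9]+: flags=/ && $2 ~ /OACTIVE/ {
            sub(/:$/, "", $1)   # "em1:" -> "em1"
            print $1
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Live use:  ifconfig -a | oactive_ifaces
```

OACTIVE is set briefly during normal operation whenever the driver has handed the hardware a full ring, so a single hit is not a fault; what matters is the flag staying set across two samples taken a few seconds apart while the interface reports no traffic, which is the state both posts describe.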



Re: Problem with Intel PRO/1000GT (82541GI) adaptors

2006-11-15 Thread Kian Mohageri
On 11/14/06, Brian Keefer <[EMAIL PROTECTED]> wrote:
>
>
> FWIW I was having very similar problems with em(4) in OpenBSD 4.0-
> release under VMware (amd64 SMP).  It would cease to recognize ARP
> replies and just flood the network with ARP requests endlessly.  It
> was enough to bring VMware to its knees and totally swamp my cheap
> switch.
>

The same card too?

-- 
Kian Mohageri



Re: Problem with Intel PRO/1000GT (82541GI) adaptors

2006-11-16 Thread Kian Mohageri
On 11/15/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> On 2006/11/15 09:25, Kian Mohageri wrote:
> > On 11/14/06, Brian Keefer <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > FWIW I was having very similar problems with em(4) in OpenBSD 4.0-
> > > release under VMware (amd64 SMP).  It would cease to recognize ARP
> > > replies and just flood the network with ARP requests endlessly.  It
> > > was enough to bring VMware to its knees and totally swamp my cheap
> > > switch.
> > >
> >
> > The same card too?
>
> vmware can emulate em(4):
> http://sanbarrow.com/vmx-network.html
>
>
I was curious as to what it was being detected as (PRO/1000MT (82545EM)) on
the guest OS.

Assuming we're seeing the same bug, the weirdest thing about this bug to me
is this...  Usually it doesn't come up for a couple of months.  A few times
when it has come up on the master firewall (which fails), the second one
takes over, and then fails too.


-- 
Kian Mohageri



Re: Linksys support... hmm

2006-04-30 Thread Kian Mohageri
> Maybe someone on the mailing list can provide me with an answer to:
> 1. Can v5 of the card be used with the ral driver?

Yes, I used it to create an access point on 3.8-stable.

[EMAIL PROTECTED] ~ $ dmesg|grep ral0
ral0 at pci0 dev 10 function 0 "Ralink RT2560" rev 0x01: irq 11, address
00:16:b6:57:1e:59
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

Hope that helps.

-- 
Kian Mohageri
Western Washington University




Re: Linksys support... hmm

2006-05-01 Thread Kian Mohageri
Sorry - never mind.  I cracked open my case after I got home to verify, 
and I'm using a v4.  v5 must be really new then, because I bought this 
just a few weeks ago.


Kian

Kian Mohageri wrote:

> > Maybe someone on the mailing list can provide me with an answer to:
> > 1. Can v5 of the card be used with the ral driver?
>
> Yes, I used it to create an access point on 3.8-stable.
>
> [EMAIL PROTECTED] ~ $ dmesg|grep ral0
> ral0 at pci0 dev 10 function 0 "Ralink RT2560" rev 0x01: irq 11, address
> 00:16:b6:57:1e:59
> ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
>
> Hope that helps.



--
Kian Mohageri
ResTek, Western Washington University
[EMAIL PROTECTED]



Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-02 Thread Kian Mohageri

Is somebody stopping you from installing via source?

Kian

paul dansing wrote:

> Is there some reason this issue is being ignored?  What, you people
> need to see an exploit before you will even LOOK at it and answer
> whether it is vuln?
>
> Can someone please give a straight answer about these PHP security
> holes?  OpenBSD 3.9 released yesterday had packages supporting:
> php 4.4.1p0
> php 5.0.5p0
> are either of these vulnerable? if so, is someone going to release
> updated packages (not just ports)?
>
> the php 5.1.3 release:
>
> The security issues resolved include the following:
>
>  * Disallow certain characters in session names.
>  * Fixed a buffer overflow inside the wordwrap() function.
>  * Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
>  * Enforce safe_mode for the source parameter of the copy() function.
>  * Fixed cross-site scripting inside the phpinfo() function.
>  * Fixed offset/length parameter validation inside the substr_compare() function.
>  * Fixed a heap corruption inside the session extension.
>  * Fixed a bug that would allow variable to survive unset().
>
> thanks
>
> Monday, May 1, 2006, 7:18:50 AM, you wrote:
>
> Hi.
>
> I haven't received a single test report, but I still get
> letters about asking for an update. How's that?
> This tarball also includes mysqli, fastcgi and hardened php support:
> http://gi.unideb.hu/~robert/php.tar.gz
>
> On (28/04/06 01:59), Robert Nagy wrote:
>
> Hi.
>
> Finally after fighting with pear I've managed to create a working update
> for the php5 port.
> The PHP guys have changed the installation method of pear to use some crappy
> PHP_Archive. With this move they broke the installation of pear on several
> linux distros (e.g. Frugalware), OpenDarwin and on OpenBSD of course.
> Any other crappy package managements where they install files directly to
> ${LOCALBASE}




--
Kian Mohageri
ResTek, Western Washington University
[EMAIL PROTECTED]



Re: Router with NAT and DMZ host

2006-06-01 Thread Kian Mohageri
> # DMZ Host
> rdr on $red_if proto tcp from any to any port $dmz_ports -> $dmz_host



This doesn't look right.  If you redirect all connections on those ports to
the DMZ host, how do you expect your router to receive replies to those
unprivileged ($dmz_ports) ports for stuff like web browsing?


Kian



Re: Spam Trapping

2006-06-01 Thread Kian Mohageri
Maybe you're really looking for something like spamd:

http://www.openbsd.org/spamd/

Much more effective than a trap e-mail address in my opinion?

Kian

On 6/1/06, Mike Spenard <[EMAIL PROTECTED]> wrote:
>
> What are some thoughts on purposely getting a spam trap email
> address acquired by spammers and the best way to do so.
>
> i.e. Is it best to use only a defunct address for trapping, or will
> intentionally getting a new trap address spammed only increase
> ones spam input and be detrimental overall.  I would like to hear
> feedback based on experience and not just theory of course =)
>
> If it's not detrimental overall how feasible would it be to construct
> a service that automated the (counter intuitive) act getting an email
> address acquired by as many spammers as possible?
>
> Mike Spenard