On Sat, 22 Oct 2016 18:12:37 +0200,
Federico Giannici wrote:
> We have a firewall with OpenBSD 6.0 amd64 that handles about 1.5 Gbps
> of traffic.
>
> I noticed that for a few weeks the number of states has increased
> from around 250.000 to almost 2 million (no change in PF config)!
>
> At
On Tue, 16 Feb 2016 13:05:51 +0100,
Clemens Goessnitzer wrote:
Ok, I think:
the pf.conf rule
### rules for internal network ###
pass inet proto { tcp, udp } from internal:network to port $udp_services
is expanded to
pass inet proto udp from 10.0.0.0/24 to any port = 22
pass inet proto udp
On Tue, 16 Feb 2016 00:10:41 +0100,
Clemens Goessnitzer wrote:
> Hello misc,
Hi
...
> So, if I specify a group for re1, everything is working as expected.
> However, if re1 is not a member of any group, DHCP requests are blocked
> by pf, as tcpdump shows. Is this intended behaviour? Or have
On Wed, 09 Jul 2014 20:33:47 +0200,
Mxher wrote:
Hello,
> >> I'm doing a few more tests and now I'm wondering if this is possible
> >> to disallow CARP to have some resources on serverA and others on
> >> serverB?
You can use ifstated to implement your own logic.
I have a pair of firewalls, th
On Wed, 26 Mar 2014 12:19:25 +0100,
"Dmitrij D. Czarkoff" wrote:
Hello,
> For some reason POSIX X/Open Systems Interfaces option requires
> 'unlink' utility to be present in operating system. Sure, it does
> nothing that 'rm' doesn't already do, but given that 'unlink' is
> already used in s
On Wed, 12 Feb 2014 11:25:58 -0600,
"Bales, Tracy" wrote:
Hello,
> Is it possible to have a shell script modify the contents of a user
> defined OID that is setup in snmpd.conf?
>
> I would like to have a cron event run a shell script and that script
> modify the OID values so that a remote
On Mon, 20 Jan 2014 18:59:02 -0200,
Eduardo Meyer wrote:
> hello,
>
> I am doing some basic testings on the above mentioned scenario and I
> am stuck on some limits which I consider to be very low: I cannot get
> more than 27Kpps and 200Mbit/s routing performance without starting
> to lose p
On Mon, 09 Dec 2013 12:31:04 +,
Stuart Henderson wrote:
Hello,
> I don't think msi can be re-enabled for this part in OpenBSD, the
> reason it's disabled is that there is a bug in the 82571/2 chips
> (errata 63 in
> http://www.intel.co.uk/content/dam/www/public/us/en/documents/specificati
On Tue, 1 Oct 2013 08:37:09 + (UTC),
Stuart Henderson wrote:
Hello,
> On 2013-10-01, Patrick Lamaiziere wrote:
> > Hello,
> >
> > With OpenBSD 5.3, our firewall does not handle our network load
> > well. We lose around 5% of packets and netstat shows a lot o
On Tue, 03 Dec 2013 17:05:59 +0100,
Alexis VACHETTE wrote:
> Hi everyone,
Hello,
> I would like to share an issue with one of my OpenBSD Firewall which
> is present in my company.
>
> Everything was working fine until a server crash this last week-end.
>
> We have setup the netflow proto
Hello,
With OpenBSD 5.3, our firewall does not handle our network load well.
We lose around 5% of packets and netstat shows a lot of Ierr.
That worked much better with 5.1. There was a change to not enable MSI
on 82572 chipset on our Intel card ( "Intel PRO/1000 QP (82571EB)" rev 0x06) in
5.2 :
Hello,
I'm upgrading our firewalls to OpenBSD 5.3 (with errata) from 5.1:
As far as I can see now, the firewall (without any problem) starts with a
carp demote count = "33". On 5.1 the demote count was = 0
looks like the "33" comes with a pfsync bulk start
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync
On Thu, 11 Jul 2013 13:18:13 +0200 (CEST),
Jummo wrote:
> This works quite well for me and my firewalls with one exception, my
> big fat central router/firewall. This firewall has around 2000 lines
> of pf.conf, is attached with 12 VLAN interfaces and get slowly
> unmanageable with this concep
On Wed, 03 Jul 2013 07:11:08 -0500,
"Mark Felder" wrote:
> On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot
> wrote:
>
> > Hello,
> > no carp is used at this time.
>
> pfsync needs to be used with carp... without it you're just playing
> whack-a-mole with your session table.
I don't see w
On Wed, 27 Mar 2013 19:28:08 -0700,
David Ruggiero wrote:
> Thanks! No, it didn't occur to me, so very appreciated. I didn't
> remember that you could do that form of the table command to show
> explicit members in a list, so that's also really helpful.
>
> FWIW, though..I would not have
On Sat, 16 Mar 2013 12:36:35 +0400,
Alexander Nusov wrote:
Hello,
> I'm trying to get why to use binary packages if they are not updated?
I don't see any reason to use packages too (IMHO).
> For example, this package confuses me: lighttpd
>
> ftp://ftp.openbsd.org/pub/OpenBSD/5.2/packages/
On Wed, 2 Jan 2013 13:39:25 +0100,
Toni Mueller wrote:
Hello,
> With this setup, carp1 will stay in BACKUP mode when I say "ifconfig
> carp1 advskew 120" on A, while on B, it would go into MASTER
> immediately.
Hmm, did you check the value of the carp demote counter?
# ifconfig -g carp
(ju
On Fri, 27 Jul 2012 11:13:21 +0200,
Hrvoje Popovski wrote:
> On 26.7.2012. 18:31, Patrick Lamaiziere wrote:
> > Hello,
> >
> > We have just noticed that pflow (v5) sometime (but often) uses a
> > StartTime value which is later than the EndTime.
On Thu, 1 Nov 2012 13:28:18 -0200,
Fernando Braga wrote:
Hello,
> pass in on $int_if from to ! route-to
> $cosmo@$int_if
>
> However, when I issue a pfctl -sr, I get
>
> pass in on trunk1 inet from to ! flags S/SA
> route-to 172.16.99.249@$int_if
>
> Shouldn't this @$int_if be translat
(openbsd 5.1/amd64)
Hello,
I filter icmp echoreq for one host, but on output.
The rules are :
pass in quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep
state (floating)
block out quick on $int_if inet proto icmp from any to $host
When I ping this $host from out, I see som
On Wed, 29 Aug 2012 09:59:46 +0200,
Sebastien Marie wrote:
Hello,
> I currently follow STABLE branch for openbsd (and so, for ports too),
> which is OPENBSD_5_1.
>
> But, I saw that the last security updates for ports go to OPENBSD_5_2
> and not to OPENBSD_5_1.
Any examples? The problem m
Hello,
We have just noticed that pflow (v5) sometimes (but often) uses a
StartTime value which is later than the EndTime.
So the duration is interpreted as 4294966.29600 seconds.
This confuses our collector (nfsen).
(wireshark)
pdu 19/30
SrcAddr: 194.57.169.116 (194.57.169.116)
On Thu, 26 Jul 2012 12:44:40 +0430,
Bahador NazariFard wrote:
> "block in quick on msk0 proto tcp *to* port ssh"
> what's this?
>
> "instead of above wrong statement, you can use "block in quick on msk0
> proto tcp from any to any port ssh"
This is the same thing. The from is optional, and a
On Tue, 24 Jul 2012 15:50:30 +0200,
Gilles Chehade wrote:
Hello,
> > That worked fine on 4.8, but with 4.9 the box does not send any
> > mail :
> >
> > /var/log/mailog:
> > smtpd[4269]:1317598201.5Tsv7GvPDRFc1Ozt:from=,
> > size=6325, nrcpts=1, proto=ESMTP, relay=0@localhost [IPv6:::1]
> >
Hello,
On 4.8 I was using smtpd to relay periodic mails. The box is
a firewall and the resolver is not configured at all.
smtp.conf
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
listen on lo0
map "aliases" { source db "/etc/mail/aliases.db"
On Wed, 30 May 2012 09:27:23 + (UTC),
Matt Hamilton wrote:
Hello,
> I'd be very interested to see your ifstated config and how you use
> that to verify peers being up as we could do with some better
> monitoring here.
Here we use "bgpctl show summary terse" with a grep on the
peer name a
On Wed, 29 Feb 2012 13:13:30 +0100,
Peter Hessler wrote:
Hello,
> On 2012 Feb 29 (Wed) at 11:54:13 +0100 (+0100), Patrick Lamaiziere
> wrote: :OpenBSD is not perfect too, it would be nice that pflow
> handles ipv6
>
> pflow now handles ipv6 (in 5.1)
That's cool! Thanks.
On Mon, 27 Feb 2012 16:58:05 -0300,
"Christiano F. Haesbaert" wrote:
Hello,
> With a decent hardware, I think you can reach 1mpps (that's million
> packets per second).
I don't think so.
As far as I can see here, with a rate of 50K packets through the system, it
already spends 50% in interrupt.
On Mon, 27 Feb 2012 19:38:45 +,
Kaya Saman wrote:
Hello,
> I have currently only used OpenBSD as a test vector setup on
> VirtualBox and 2x Sun Fire V240's as a DNS server (master/slave)
> using Bind9. So basically in short am an OpenBSD newbie :-)
>
>
> Ok so here goes;
>
> I've been
On Tue, 3 Jan 2012 17:54:18 +0100,
Henning Brauer wrote:
Hello,
> * Patrick Lamaiziere [2012-01-03 17:45]:
> > I think there is an off-by-one error in Packet Filter port ranges,
> > for example with an exclude boundary range : port1 >< port2
>
> nope.
>
>
Hello, happy new year.
I think there is an off-by-one error in Packet Filter port ranges, for
example with an exclude boundary range: port1 >< port2
PF or pfctl does not check that port1 <= port2 and if port1 > port2 the
port range is not correct.
For example 82 >< 80 is not the same as 80 >< 8
On Tue, 22 Feb 2011 18:09:32 +0100,
Patrick Lamaiziere wrote:
> (4.8/amd64)
> I'm using two ethernet cards Intel 1000/PRO quad ports (gigabit) on a
> firewall (one fiber and one copper).
>
> The problem is that we don't get more than ~320 Mbits/s of bandwidth
> be
On Wed, 30 Nov 2011 12:35:40 +0100,
Marc Espie wrote:
> Fix your proxy/connection. pkg_add keeps one ftp connection alive,
> not more, but it does interrupt connections brutally as soon as it
> has the information it wants.
>
> All such problems come from stale ftp connections, there's someth
Hello,
I'm trying to update packages with pkg_add via ftp :
# pkg_add -ui
Error from
ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gperf-3.0.4.tgz 421
There are too many connections from your internet address. ftp: Can't
connect or login to host `ftp.irisa.fr'
Error from
ftp://ftp.irisa
On Tue, 08 Nov 2011 15:27:02 -0500,
Guillaume Filion wrote:
> Hi all,
Hello,
> I also tried using pf route-to but that seems to only work with
> NAT...
No it does routing. I use it without nat.
> So basically my question is how to tell OpenBSD to send packets to the
> interface they came f
On Mon, 7 Nov 2011 16:58:29 -0500,
"Bentley, Dain" wrote:
Hello,
> block in on $ext from
> #NAT INBOUND TO DMZ
> pass in on $ext proto tcp from any to any port $web_services rdr-to
> $webserver tag INET_TO_DMZ
> pass in on $ext proto tcp from any to any port $mail_services rdr-to
> $mailserv
On Thu, 20 Oct 2011 15:41:51 +0600,
PP;QQ P(P8P?P8QP8P= wrote:
Hello,
> but I do not find "skip" in "pfctl -s rules" output:
Yes, you can check that the interface is skipped with
# pfctl -vs Interfaces -i lo0
lo0 (skip)
Regards.
On Wed, 31 Aug 2011 07:19:15 +0200,
Tony Sarendal wrote:
Hi,
> current1# cat /etc/bgpd.conf
> AS 65001
> network 10.0.1.0/24
>
> current1# bgpctl show rib nei 172.29.1.52 out
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags
On Tue, 23 Aug 2011 19:21:32 +0200,
Per-Olov Sjöholm wrote:
Hello,
> > Here we reach 400 MBits/s with a CPU rate ~70% but we
> > run OpenBSD 4.9.
> How fast is your CPU?
cpu0: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2261.30 MHz
It's a Dell R610 with 4 GB of RAM.
On Mon, 22 Aug 2011 20:04:50 + (UTC),
Stuart Henderson wrote:
Hello,
> OpenBSD has another way to handle this, MCLGETI.
Is there any documentation (for humans, not developers)
about how MCLGETI works? (I don't find a lot about it.)
Thanks, regards.
On Mon, 22 Aug 2011 22:49:47 +0200,
Per-Olov Sjöholm wrote:
Hello,
> Have not tried current, but will try current as soon as I can.
> Also... I will try to do some laborations with CPU speed of the core
> the OpenBSD virtual machine has. This to see how the interrupts and
> throughput is rel
On Tue, 09 Aug 2011 15:29:17 +0200,
Michael Lechtermann wrote:
> Hi all,
hello,
> # ifconfig carp0
> carp0: flags=8843 mtu 1500
> lladdr 00:00:5e:00:01:0a
> priority: 0
> carp: carpdev em0 advbase 1 balancing ip-stealth carppeer
> 10.0.1.11
>
On Mon, 01 Aug 2011 16:04:08 +0200,
Daniel Gracia wrote:
> Yep! That's it, and I totally agree with the discussion there but, as
> far as msdosfs is in OpenBSD for the very reason of portability -and
> now I'm supposing-, I wonder if this would be an any welcomed patch.
Well Windows itself all
On Wed, 22 Jun 2011 09:23:01 +0200,
Patrick Lamaiziere wrote:
> Hello,
>
> I've updated my two pf firewalls today from 4.8 to 4.9 (worked fine,
> nice). But it looks there is a problem with net-snmp and the
> traffic reported (IF-MIB). This is not correct anymore (like
Hello,
I've updated my two pf firewalls today from 4.8 to 4.9 (worked fine,
nice). But it looks there is a problem with net-snmp and the
traffic reported (IF-MIB). This is not correct anymore (like 30
Mbits/s instead more than 150 Mbits/s). I've checked the interfaces
indexes in the snmp tables an
On Tue, 7 Jun 2011 20:49:50 -0700 (PDT),
Stefan N wrote:
> Hi All,
Hello,
> Have you ever tried to install OpenBSD 4.9/amd64 on the Dell
> PowerEdge Server
> R210,R410,R610,R710 (2.5" SAS Disk) with additional Intel.
> Gigabit ET Quad Port
> Server Adapter? If yes, are those servers fully
On Mon, 06 Jun 2011 15:06:54 +0300,
Kapetanakis Giannis wrote:
> Who is this 'Charlie' guy anyway???
That is a good question. I've searched in the past, looking at old system
passwd files to find who decided on this name for the root account, but with no
luck.
Looks like "Charlie &" is a tribute to Charli
On Tue, 22 Mar 2011 13:01:48 +0100,
Marcus M|lb|sch wrote:
hello,
> > carp3: flags=8843 mtu 1500
> > lladdr 00:00:5e:00:01:21
> > priority: 0
> > carp: carpdev bge0 advbase 1 balancing arp carppeer
> > 192.168.3.3 state MASTER vhid 33 advskew 0
> > stat
Hello,
Just noticed that pkg.conf(5) is missing in the "see also" section
of pkg_add(1) and friends.
Regards.
On Sat, 26 Feb 2011 00:23:36 +0900,
Ryan McBride wrote:
> > > > How about a _full_ dmesg, so someone can take a wild guess at
> > > > what your machine is capable of?
> >
> > full dmesg : http://user.lamaiziere.net/patrick/dmesg-open48.txt
> >
> > The box is a Dell R610 server.
>
> This box
On Tue, 22 Feb 2011 18:09:32 +0100,
Patrick Lamaiziere wrote:
> (4.8/amd64)
>
> Hello,
>
> I'm using two ethernet cards Intel 1000/PRO quad ports (gigabit) on a
> firewall (one fiber and one copper).
>
> The problem is that we don't get more than ~320
On Fri, 25 Feb 2011 13:51:32 +0100,
Patrick Lamaiziere wrote:
> systat mbufs:
> IFACELIVELOCKS SIZE ALIVE LWM HWM CWM
What do these counters mean?
Thanks.
On Fri, 25 Feb 2011 13:51:32 +0100,
Patrick Lamaiziere wrote:
(oops, pushed the wrong button)
> > How about a _full_ dmesg, so someone can take a wild guess at what
> > your machine is capable of?
full dmesg : http://user.lamaiziere.net/patrick/dmesg-open48.txt
The box is a Dell
On Fri, 25 Feb 2011 08:41:20 +0900,
Ryan McBride wrote:
> On Wed, Feb 23, 2011 at 06:07:16PM +0100, Patrick Lamaiziere wrote:
> > I log the congestion counter (each 10s) and there are at max 3 or 4
> > congestions per day. I don't think the bottleneck is pf.
>
On Wed, 23 Feb 2011 22:09:18 +0100,
Manuel Guesdon wrote:
> >| Did you try to increase the number of descriptor?
> >| #define EM_MAX_TXD 256
> >| #define EM_MAX_RXD 256
> >|
> >| I've tried up to 2048 (and with MAX_INTS_PER_SEC = 16000) but it
> >looks | worth.
>
> Thank you ! I'll investig
On Tue, 22 Feb 2011 10:22:16 -0800 (PST),
"James A. Peltier" wrote:
> Those documents do not necessarily apply any more. Don't go tweaking
> knobs until you know what they do. We have machines here that
> transfer nearly a gigabit of traffic/s without tuning in bridge mode
> nonetheless.
>
On Tue, 22 Feb 2011 19:13:48 +0100,
Manuel Guesdon wrote:
Hello,
> We've got the same problems (on a router, not a firewall). Increasing
> MAX_INTS_PER_SEC to 24000 increased bandwidth and lowered packet loss.
> Our cards are "Intel PRO/1000 (82576)" and "Intel PRO/1000 FP
> (82576)".
Did you t
On Tue, 22 Feb 2011 11:19:26 -0600,
Mark Nipper wrote:
> > The problem is that we don't get more than ~320 Mbits/s of bandwidth
> > between the internal networks and internet (gigabit).
>
> Have you already looked at:
> ---
> https://calomel.org/network_performance.html
Yes thanks. I'v
(4.8/amd64)
Hello,
I'm using two ethernet cards Intel 1000/PRO quad ports (gigabit) on a
firewall (one fiber and one copper).
The problem is that we don't get more than ~320 Mbits/s of bandwidth
between the internal networks and internet (gigabit).
As far as I can see, on load there is a number of
[4.8/amd64]
Hello,
Is there a way to change the dump device without rebuilding the kernel?
That's not clear if "config(8) -e" is able to do this.
Thanks, regards.
On Mon, 31 Jan 2011 18:24:04 +0100,
Joachim Tingvold wrote:
> Hi,
Hello,
> This does not work at all. If I change
http://www.openbsd.org/faq/pf/carp.html#RulesetTips
+ Ruleset Tips
Filter the physical interface. As far as PF is concerned, network
traffic comes from the physical interface,
Hello,
Are there some plans to implement netflow v9 in pflow(4) (to be able to
trace ipv6 flows)?
Without, which collector can I use in userland? And is the load
introduced by such userland tool a concern with a network traffic
passing the firewall around ~500Mb/s?
Thanks, regards.
On Fri, 31 Dec 2010 18:09:40 +0100,
Alessandro Baggi wrote:
> To exclude also pf rules problem, I've tried a rule set as:
>
> match...nat-to...
>
> pass all
>
> but the problem persists.
>
> Other Issue?
Hmmm, ok, I don't know where the problem is.
I've made recently a lot of tests with c
On Thu, 30 Dec 2010 19:58:21 +0100,
Alessandro Baggi wrote:
> these are my pf rules for carp and pfsync:
>
> pass in quick proto pfsync
> pass in quick proto carp
>
> ..
> block in all
> ...
And in output?
On Fri, 3 Dec 2010 08:44:43 -0500,
"Adam M. Dutko" wrote:
> The specifications for the Soekris system you mentioned don't lead me
> to be believe they'd be great for file server duty. When I think of
> file servers I think of fast disk (5501 can use SATA so that's a
> plus)
On the net5501 th
On Fri, 3 Dec 2010 19:28:19 +0800 (CST),
shweg...@gmail.com wrote:
> Hello, I'm considering buying a Soekris net5501-70 and install
> OpenBSD on it to make myself a small server and use it as a proxy
> (ssh tunnel), it might serve as backup file server as well. I guess at
> the most there will b
(4.8/amd64)
Hello,
Looks like the carp "demote count" is limited to 255 but the max value
in ifconfig is less or equal to 128.
# ifconfig -g carp
carp: carp demote count 0
# ifconfig -g carp carpdemote 100
# ifconfig -g carp carpdemote 100
# ifconfig -g carp
carp: ca
On Mon, 8 Nov 2010 20:03:11 +0100,
Claudio Jeker wrote:
> > Can you run a "bgpctl show rib detail 129.20.0.0/16" and a "bgpctl
> > show table". For some reason none of the above routes got selected
> > and so nothing is redistributed. It looks like the decision process
> > is turned off. So i
On Mon, 8 Nov 2010 16:07:06 +0100,
Claudio Jeker wrote:
> Have you checked if the networks were actually added to the RIB?
Do you mean bgpctl show rib? No.
Well, it takes some time but I'm able to reproduce this:
# bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
On Mon, 8 Nov 2010 15:14:49 +0100,
David Coppa wrote:
> > Do you know if Quagga in OpenBSD 4.8 implements the tcp-md5
> > signature (for BGP) ? Looks like it does not work.
>
> Why using quagga when you have bgpd (which is in the tree and supports
> md5 signatures as well)?
Because: http://w
Hello,
Do you know if Quagga in OpenBSD 4.8 implements the tcp-md5
signature (for BGP) ? Looks like it does not work.
Thanks, regards.
(4.8/amd64)
Hello,
I'm doing some tests with OpenBGPd and sometimes (but often), when I
restart bgpd, it no longer sends the routes to the peer.
The routes are static and configured in bgpd.conf.
How to repeat:
# bgpd -d -v
wait until the routes are sent to the peer.
^D
shoot again
After
Hello,
(snapshot 4.8/amd64)
I'm trying to use a hardware-independent "pf.conf" using some interface
groups.
PacketFilter "set skip" does not seem to work properly with interface groups.
# ifconfig IFPFSYNC
bnx0: flags=8843 mtu 1500
lladdr 00:22:19:5b:ad:da
description: PFSYNC
Hello,
I'm using a snapshot of 4.8/amd64 (October 6) and I'm not able to
shut down the box properly using the power on/off button.
The machine is a Dell PowerEdge R610:
bios bios0: vendor Dell Inc.
version "2.1.9" date 05/21/2010 bios0: Dell Inc. PowerEdge R610
full dmesg : http://user.lamaizie
On Fri, 15 Oct 2010 15:29:30 +0100,
"Harrower Gary (NHS National Services Scotland)"
wrote:
> Hi,
> Any ideas why they were both trying to be master?
did you set carp preemption on both machines?
Hello,
(snapshot 4.8/amd64)
I'm playing with carp in master/backup mode. When a server changes state
(from master to backup or from backup to master) there is a
"duplicate IP6 address". Is it bad, doctor?
For example, on the master:
Oct 15 15:34:27 ucop1 /bsd: carp1: state transition: MASTER ->