PF and DNS requests

2005-11-11 Thread Matthew R Powell

Greetings,

My 3.7 firewall is holding up DNS requests.  pflog suggests that my very 
first rule, 'block log all' is stopping them.


Nov 11 02:11:48.853946 rule 0/(match) block in on xl0: 
192.168.2.254.60399 > 68.12.16.229.53:  23554+[|domain] (DF)


Further down my rule set, however, exists the following rule:
pass out quick log on $ext_if proto udp all keep state

If I'm not mistaken, that rule should allow outgoing DNS requests on my 
external interface, as well as the return packets.


Any suggestions on getting a "resolution" to this matter would be 
appreciated.  Thanks.


My /etc/pf.conf:

--

int_if = "re0" # 192.168.1.0/24
wir_if = "xl0" # 192.168.2.0/24
ext_if = "rl0" # DHCP

tcp_services = "{ 22, 993, 80 }"

icmp_types = "echoreq"

set block-policy return
set loginterface $ext_if

scrub in all

nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
nat on $ext_if from 192.168.2.0/24 to any -> ($ext_if)

block log all
pass quick on lo0 all
antispoof quick for $int_if inet
pass in on $wir_if inet proto tcp from any to ($wir_if) port $tcp_services flags S/SA keep state


pass out on $ext_if proto tcp all modulate state flags S/SA
pass out quick log on $ext_if proto udp all keep state
pass out quick log on $ext_if proto icmp all keep state
pass in inet proto icmp all icmp-type $icmp_types keep state



Re: PF and DNS requests

2005-11-11 Thread Lars Hansson
On Fri, 11 Nov 2005 02:40:08 -0600
Matthew R Powell <[EMAIL PROTECTED]> wrote:

> Nov 11 02:11:48.853946 rule 0/(match) block in on xl0: 
> 192.168.2.254.60399 > 68.12.16.229.53:  23554+[|domain] (DF)
> 
> Further down my rule set, however, exists the following rule:
> pass out quick log on $ext_if proto udp all keep state

you have no pass in for udp on $int_if and $wir_if.

---
Lars Hansson
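What Lars is pointing at, spelled out as a pf.conf fragment. This is an added example, not Matthew's actual ruleset or Lars's words; the macros match the original post, while limiting the new rules to UDP port 53 from each interface's own network is my choice. The tell is in the pflog line itself: `block in on xl0` says the query was dropped inbound on the wireless interface, before any `pass out` rule on rl0 could see it.

```pf
int_if = "re0"   # 192.168.1.0/24
wir_if = "xl0"   # 192.168.2.0/24
ext_if = "rl0"   # DHCP

block log all

# Before: only the outbound half is covered. A query from 192.168.2.254 is
# evaluated first as "in on xl0"; nothing passes it there, so the default
# "block log all" applies and the packet never reaches this rule.
pass out quick log on $ext_if proto udp all keep state

# After: admit DNS queries on the interfaces they actually arrive on.
# "keep state" on an in rule records the query when it is passed, so the
# resolver's reply is matched by that state entry on the way back. It does
# not make a later out rule retroactively admit the original packet.
pass in quick on $int_if inet proto udp from $int_if:network to any port 53 keep state
pass in quick on $wir_if inet proto udp from $wir_if:network to any port 53 keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading; afterwards `pfctl -ss` should list udp states for the queries, and the `block in on xl0` entries for port 53 should disappear from pflog.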



Re: PF and DNS requests

2005-11-11 Thread Chris Kuethe
On 11/11/05, Matthew R Powell <[EMAIL PROTECTED]> wrote:
> Greetings,
>
> My 3.7 firewall is holding up DNS requests.  pflog suggests that my very
> first rule, 'block log all' is stopping them.

As it should.

> Further down my rule set, however, exists the following rule:
> pass out quick log on $ext_if proto udp all keep state
>
> If I'm not mistaken, that rule should allow outgoing DNS requests on my
> external interface, as well as the return packets.

That will allow outbound stuff, but you said to block log all. And
that blocks all packets on all interfaces until otherwise notified.

You're allowing packets to leave the external interface, but that
doesn't do you much good until you allow packets to enter the internal
interface...

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Strange behavior with carp and preemption

2005-11-11 Thread Ralf Hornik Mailings
Hi Nick,

> Nick Holland wrote:
> To the top of google we go! :)

Great! :-)

> are all the interfaces really in the carp group?

Yes, I believe, because carp works if I shut down the Box, or something...

> are the interfaces accurately and reliably detecting the cable-unplug?
> Might some NICs (or their drivers) have trouble detecting that the cable
> was suddenly unplugged, and thus, the change in advskew doesn't take

When I unplug the cable or power off the switch, carp0 (which is the
affected one) goes into INIT and carp1 goes into BACKUP. Then I can access
the backup machine via carp0. So that works.

However, the advskew of carp1 on the master side keeps being zero,
although showing itself as BACKUP. Should ifconfig show advskew 240 then?
That could be the problem...
Thank you and Best regards!

Ralf



Re: ath0: bogus xmit rate 0x0

2005-11-11 Thread Joakim Aronius
What brand, model, and revision is this card?

/Joakim

* Alexandre ([EMAIL PROTECTED]) wrote:
> Hi again,
> 
> Well, in doubt, I got the latest kernel and the latest userland, in case 
> there would have been corrections (Thanks Fred) compiled everything and 
> I still have the
> 
> ath0: bogus xmit rate 0x0
> 
> Maybe it's due to my card version (AR5213 and not AR5212 as I saw in the 
> archives), as dmesg writes:
> 
> ath0 at pci0 dev 9 function 0 "Atheros AR5212" rev 0x01: irq 9
> ath0: AR5213 5.6 phy 4.1 rf5111 1.7 rf2111 2.3, FCC2A*, address
> 00:09:5b:e8:5f:e9
> 
> I have the message only when a client (my windows or my PC) connects to 
> the hotspot.
> My client is connected, but no traffic passes (tried ping, tcpdumps and 
> so on).
> 
> Thanks.
> 
> 
> Fred Crowson wrote:
> >Alexandre wrote:
> >
> >>Hi all,
> >>
> >>I have an atheros based card on my OpenBSD 3.8.
> >>When I activate it, I have this error message
> >>
> >>ath0: bogus xmit rate 0x0
> >>
> >>coming regularly when I try and ping another machine.
> >>
> >>Here is an extract of my dmesg :
> >>
> >>ath0 at pci0 dev 9 function 0 "Atheros AR5212" rev 0x01: irq 9
> >>ath0: AR5213 5.6 phy 4.1 rf5111 1.7 rf2111 2.3, FCC2A*, address 
> >>00:09:5b:e8:5f:e9
> >>
> >>My hostname.ath0 is:
> >>
> >>inet 192.168.1.1 255.255.255.0 NONE media DS11 chan 8 nwid SPEENICS 
> >>mediaopt hostap
> >>
> >>The laptop on which I have a wifi card (Netgear WG511) runs either 
> >>Linux or Windows XP. I just put the address 192.168.1.2 and I tried a 
> >>ping from both sides, but there is no answer.
> >>
> >>No wep or PF is used while testing.
> >>
> >>uname -a gives
> >>OpenBSD hades.olympe.div 3.8 GENERIC#4 i386
> >>
> >>Thanks.
> >>
> >
> >Hi,
> >
> >There have been changes to ath in -current see:
> >
> >http://marc.theaimsgroup.com/?l=openbsd-misc&m=112867773214527&w=2
> >
> >HTH
> >
> >Fred



Re: Hardware RAID

2005-11-11 Thread Henning Brauer
* Tobias Weingartner <[EMAIL PROTECTED]> [2005-11-11 08:03]:
> On Friday, November 11, Karl Kopp wrote:
> > 
> > We are in the process of setting up a production OBSD box to do some (a
> > lot!) of routing and I want to make sure I get as much redundancy as
> > possible. We have failover everything in the box, and we will use carp to
> > setup multiple boxes.
> 
> If you use carp to fail-over full boxes, why complicate and add to the
> potential failure modes of each box?  Keep each box simple, and chances
> are it will keep running and be more reliable.

very important point, and that is what we do.

we also often use CF instead of real harddisks with dumb IDE-CF 
adapters. the CF then just shows up as wd0. Don't bother with 
"specialized" flash distributions, waste of time and useless 
complication. just get a 256M+ CF and do an openbsd standard install.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: ath0: bogus xmit rate 0x0

2005-11-11 Thread Reyk Floeter
On Wed, Nov 09, 2005 at 08:17:14PM +0100, Alexandre wrote:
> I have an atheros based card on my OpenBSD 3.8.
> When I activate it, I have this error message
> 
> ath0: bogus xmit rate 0x0
> 

i recently changed the driver to use rssadapt(9) but there seems to be
a bug under some circumstances. please hang on, i'll fix it asap or
back it out.

reyk



Re: PF and DNS requests

2005-11-11 Thread Matthew R Powell

Chris Kuethe wrote:

> On 11/11/05, Matthew R Powell <[EMAIL PROTECTED]> wrote:
>
>> Greetings,
>>
>> My 3.7 firewall is holding up DNS requests.  pflog suggests that my very
>> first rule, 'block log all' is stopping them.
>
> As it should.
>
>> Further down my rule set, however, exists the following rule:
>> pass out quick log on $ext_if proto udp all keep state
>>
>> If I'm not mistaken, that rule should allow outgoing DNS requests on my
>> external interface, as well as the return packets.
>
> That will allow outbound stuff, but you said to block log all. And
> that blocks all packets on all interfaces until otherwise notified.
>
> You're allowing packets to leave the external interface, but that
> doesn't do you much good until you allow packets to enter the internal
> interface...
>
> --
> GDB has a 'break' feature; why doesn't it have 'fix' too?

Yeah, I see that now.  The problem was... it's 3AM local and I 
misunderstood 'keep state' to mean that return traffic would be 
automatically passed in response to the original request.


I need to establish a bed time for myself.

Thanks all.



pf tagging and matching over more than one interface ...

2005-11-11 Thread Karl-Heinz Wild

I try to tag a connection on the wan_if and,
depending on the tag, restrict the
access on another interface, like:

an example ...

pass in quick on wan_if proto tcp from  to port 1194 tag NORM keep state
pass in quick on wan_if proto tcp from  to port 1194 tag POWER keep state


pass in quick on tun_if to port { 80, 443 } tagged NORM  keep state
pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state

...

but I don't know why. It doesn't work.
I thought that works.

I ask for advice.
Thanks

Karl-Heinz



share PPPoE

2005-11-11 Thread David fire
hi
i want to share the internet connection. i configured the PPPoE but i have a
bridge; should i do NAT with the interface which is the pppoe client and the if
where i want to share internet, or if i am doing the bridge i don't need nat?
thanks!
David



Re: Bug bounty for pciide/atapiscsi

2005-11-11 Thread Johan P . Lindström
On 11/10/05, Stephen Nelson <[EMAIL PROTECTED]> wrote:
>
> 
> Thanks for your help.
> 
>
> I would appreciate your suggestions on how to spin this as an
> interesting problem worthy of an OpenShaman.
>
> I've found a workaround by using usb flash media, but I'd still like to
> get this problem fixed.
>
> >
> >Stephen, you have made a gross miscalculation. If you had taken the time
> >to acquaint yourself with the required readings, you would know that
> >OpenBSD dogma prescribes that developers work only on those things that
> >interest them. Neither money, personal recognition, crass commercial
> >interests, and least of all the problems of unwashed, ignorant users
> >are of any concern to them. Just what the hell were you thinking,
> >anyway? How dare you attempt to bribe an OpenShaman with money. You have
> >sickened us all.
> >
>
>
I am guessing you want to use the CD because you can't write to it (but you
can replace it with a "dirty" one). What about solid state memory? As in the
Soekris boxes, use an industrial grade CompactFlash solution; you'll still
mount the CF as ro? Look at the other threads for today for some hints.


--
// Johan



Re: Hardware RAID

2005-11-11 Thread michael hamerski

Karl Kopp wrote:

> Hi Jason,
>
> Like yr idea - LOTS :) We may still use a disk for some logs, but if that
> goes, no big deal! Any idea how to mount a CF as a boot device? Quick search
> on Google didn't bring much back of interest. Is there a faq / how-to? Also,
> what kinds of CF adapters work - anything I should be looking out for? I
> checked on the amd64 page on OpenBSD and it didn't specifically mention
> anything about CF devices. Any advice would be greatly appreciated :)
>
> Cheers,
> Karl


http://www.pcengines.ch makes IDE CF adapters powered through either a 
HD or floppy connector, I have a few of these which seem to work well. 
You can get a reseller list from the website shop.


It's pretty straightforward to set up a full OBSD system, just use mfs 
for var and temp. (from memory, for 3.6 there was a small change to make 
to rc to avoid double-mounted partitions, I'm not sure it's still necessary)


this short doc outlines the install on CF:

http://www.kaschwig.net/projects/openbsd/wrap/

cheers,

mike



Re: ath0: bogus xmit rate 0x0

2005-11-11 Thread Reyk Floeter
On Wed, Nov 09, 2005 at 08:17:14PM +0100, Alexandre wrote:
> I have an atheros based card on my OpenBSD 3.8.
> When I activate it, I have this error message
> 
> ath0: bogus xmit rate 0x0
> 

could you please try it with the following patch for ath again? it
won't fix the problem, it just adds additional information for me.

reyk

Index: ath.c
===
RCS file: /cvs/src/sys/dev/ic/ath.c,v
retrieving revision 1.42
diff -u -p -r1.42 ath.c
--- ath.c   23 Sep 2005 20:06:50 -  1.42
+++ ath.c   11 Nov 2005 14:04:56 -
@@ -2281,8 +2281,9 @@ ath_tx_start(struct ath_softc *sc, struc
rix = sc->sc_rixmap[ni->ni_rates.rs_rates[ni->ni_txrate] &
IEEE80211_RATE_VAL];
if (rix == 0xff) {
-   printf("%s: bogus xmit rate 0x%x\n", ifp->if_xname,
-   ni->ni_rates.rs_rates[ni->ni_txrate]);
+   printf("%s: bogus xmit rate 0x%x (idx 0x%x)\n",
+   ifp->if_xname, ni->ni_rates.rs_rates[ni->ni_txrate],
+   ni->ni_txrate);
sc->sc_stats.ast_tx_badrate++;
m_freem(m0);
return EIO;
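Review bot: the extra diagnostic would be more useful if it also printed the bound the index is supposed to stay under. In this hunk `ni->ni_rates.rs_rates[ni->ni_txrate]` is indexed with no range check visible, and `rix == 0xff` only says the looked-up value had no entry in `sc_rixmap`; printing `ni->ni_rates.rs_nrates` next to `ni_txrate` would show directly whether a report is an out-of-range index (a read past the node's negotiated rate set) or a genuine rate value the map does not know, e.g. `printf("%s: bogus xmit rate 0x%x (idx 0x%x of %u)\n", ...)` with the count as the extra argument.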



OT: looking for commercial OpenBSD support in Hungary

2005-11-11 Thread Schöberle Dániel
Hi all,

Sorry for the OT post but I think my best chances for getting 
the info needed are by posting here.

I'm looking for a _legal entity_ doing OpenBSD support. Things
like configuring and installing internet firewalls, VPN and 
regular patch management. Preferably one located in Budapest.

If you can recommend someone please contact me directly via email:
[EMAIL PROTECTED]

Thank you and sorry if this OT bothered anyone.

Daniel.



Re: pf tagging and matching over more than one interface ...

2005-11-11 Thread David fire
hi
you only tag the packets to port 1194 in both cases and you are allowing only
tagged packets to ports 22, 80, 443

David


2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
>
> I try to tag a connection on the wan_if and
> accordingly on the tag I'll restrict the
> access on an other interface like.
>
> an example ...
>
> pass in quick on wan_if proto tcp from  to port 1194 tag NORM
> keep state
> pass in quick on wan_if proto tcp from  to port 1194 tag POWER
> keep state
>
> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
>
> ...
>
> but I don't know why. It doesn't work.
> I thought that works.
>
> I ask for advice.
> Thanks
>
> Karl-Heinz



ami unknown stuff

2005-11-11 Thread Per-Olov Sjöholm
Even though this server seems to work perfectly, I must ask what the "unknown" 
on the first dmesg row below actually means?
 [except that something is not recognized ;-) ]
Is it dangerous?


Part of dmesg follows
--snip--
ami0 at pci2 dev 14 function 0 "Symbios Logic MegaRAID 320-2E" rev 0x07: irq 5 
unknown 0x10651734/32b
ami0: FW 515H, BIOS vH420, 128MB RAM
ami0: 2 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 69400MB, 8847 cyl, 255 head, 63 sec, 512 bytes/sec, 142131200 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 8 lun 0:  SCSI2 3/processor fixed
scsibus2 at ami0: 16 targets
--snip--

This is a Fujitsu-Siemens RX300S2 dual xeon that has 6 hotswap disk slots in 
the front and a built in 53C10130+IM raid card. We just put in an optional 
raid DIMM expansion (as IM sucks) and the built-in 53C10130 card magically 
was translated to a real MegaRAID 320-2E card with battery and 128MB. The 
MegaRAID 320-2E add-on was only $170. And now the server seems to work 
perfect which was not the case with the 53C10130 with mirroring.


b t w... Comment on bioctl: good work!

Thanks
Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: pf tagging and matching over more than one interface ...

2005-11-11 Thread Wild Karl-Heinz
In message "pf tagging and matching over more than one interface ..."
   on 11.11.2005, David fire <[EMAIL PROTECTED]> writes:

Df> you only tag the packets to port 1194 in both cases and you are allowing only
Df> tagged packets to ports 22, 80, 443

Port 1194 on wan_if is handled by openvpn.
Then the data will be redirected to the
tun interface and there I'll filter the
traffic.

Sorry, I didn't explain enough.

Df> 2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
>>
>> I try to tag a connection on the wan_if and
>> accordingly on the tag I'll restrict the
>> access on an other interface like.
>>
>> an example ...
>>
>> pass in quick on wan_if proto tcp from  to port 1194 tag NORM
>> keep state
>> pass in quick on wan_if proto tcp from  to port 1194 tag POWER
>> keep state
>>
>> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
>> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
>>
>> ...
>>
>> but I don't know why. It doesn't work.
>> I thought that works.
>>
>> I ask for advice.
>> Thanks
>>
>> Karl-Heinz



Head Command Thanks!!

2005-11-11 Thread Marcos Marconcini
Hi,

 

 I am trying to extract a portion of a large file, to do a sha1 check; it's
greater than 2.7Gb. I was reading the help for the head command, but it only
lets me give a number of lines to extract, and I need to extract a portion
of 1.5Gb in bytes and generate a new file. Is this possible? How can I do it?
I am using openbsd 3.6. Any help is welcome!!!

 

Thanks in Advance.

 

 

Marcos
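Nobody on the page answers this one, so here is the tool that does it. head(1) on OpenBSD counts lines, but dd(1) counts blocks, so a byte offset and length are expressed through `bs=`, `skip=` and `count=`. This is an added example, not from the thread; `extract_bytes`, `hash_range` and the `BLOCK` variable are this example's own names, and the demo input at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): copy a byte range out of a large file
# and SHA-1 it. dd's skip= and count= are in units of bs=, and bs=1 alone
# would issue one read(2) per byte, so the range is copied in three stages:
# an unaligned head and tail with bs=1 and the bulk in whole blocks between.
# dd lseek()s over skipped input on a regular file, so skip= is cheap.

# Block size for the bulk copy (1 MiB). Overridable so the three-stage logic
# can be exercised on a tiny constructed file.
BLOCK=${BLOCK:-1048576}

# extract_bytes FILE OFFSET LENGTH OUT
# Writes LENGTH bytes starting at byte OFFSET of FILE to OUT.
extract_bytes() {
    file=$1 offset=$2 length=$3 out=$4
    end=$((offset + length))
    : > "$out" || return 1

    # 1. head: from OFFSET up to the next block boundary (or LENGTH if shorter)
    head_len=$(( (BLOCK - offset % BLOCK) % BLOCK ))
    if [ "$head_len" -gt "$length" ]; then head_len=$length; fi
    if [ "$head_len" -gt 0 ]; then
        dd if="$file" bs=1 skip="$offset" count="$head_len" 2>/dev/null >> "$out" || return 1
    fi

    # 2. body: whole blocks between the head and the tail
    body_start=$((offset + head_len))
    body_blocks=$(( (end - body_start) / BLOCK ))
    if [ "$body_blocks" -gt 0 ]; then
        dd if="$file" bs="$BLOCK" skip=$((body_start / BLOCK)) count="$body_blocks" \
            2>/dev/null >> "$out" || return 1
    fi

    # 3. tail: whatever is left after the last whole block
    tail_start=$((body_start + body_blocks * BLOCK))
    tail_len=$((end - tail_start))
    if [ "$tail_len" -gt 0 ]; then
        dd if="$file" bs=1 skip="$tail_start" count="$tail_len" 2>/dev/null >> "$out" || return 1
    fi
}

# hash_range FILE OFFSET LENGTH
# Prints the SHA-1 of that byte range. OpenBSD ships sha1(1); GNU userlands
# call it sha1sum(1). Both emit the digest as 40 hex characters somewhere on
# the line, so pick that out instead of relying on a column position.
hash_range() {
    tmp=$(mktemp /tmp/range.XXXXXXXXXX) || return 1
    if extract_bytes "$1" "$2" "$3" "$tmp"; then
        if command -v sha1 >/dev/null 2>&1; then
            sha1 < "$tmp"
        else
            sha1sum < "$tmp"
        fi | sed -n 's/.*\([0-9a-f]\{40\}\).*/\1/p'
        status=0
    else
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# Demo on a constructed input: bytes 3..5 of "xyzabc123" are "abc", whose SHA-1
# (a9993e364706816aba3e25717850c26c9cd0d89d) is the standard test vector.
demo=$(mktemp /tmp/demo.XXXXXXXXXX) && printf 'xyzabc123' > "$demo"
hash_range "$demo" 3 3
rm -f "$demo"
```

For Marcos's case (1.5 GB from the start of the file) only the body stage runs: `extract_bytes big.iso 0 $((1536 * 1048576)) part.bin` is the same as `dd if=big.iso of=part.bin bs=1m count=1536`. Compare the printed digest with the one the file's publisher gives for that range; a mismatch on a partial copy localises the damage without re-hashing the whole 2.7 GB.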



Re: su on 3.8 soekris

2005-11-11 Thread Joachim Schipper
On Thu, Nov 10, 2005 at 06:19:04PM +0100, Andreas M|rdter wrote:
> On Thu, 2005-11-10 at 14:19 +0100, Joachim Schipper wrote:
> > Is /dev/tty00 marked as 'secure' in /dev/ttys?
> 
> ttys
> ---snip---
> tty00   "/usr/libexec/getty std.19200"  vt100   on  secure
> ---snip---
> 
> Password is 100% correct!!
> 
> Andreas
> 
> 
> > 
> > Are you really, really sure you use the correct password? Can you
> > login
> > as root using this password? From the same keyboard, etc? If you type
> > the password where you can see it (make sure it doesn't get stored
> > anywhere!), does it match what you want to type?
> > 
> > Failing that, you can always try debugging with ktrace(1)...
> > 
> > Joachim

Looks good.

I must admit I'm a bit stumped.

First, re-install the system. Untar everything you have installed, with
the exception of etcXY.tgz, in the root.

If that doesn't work, inspect /etc/passwd manually (for instance, with
vipw). Do the same for the other passwd-type files. Run

$ sudo pwd_mkdb -c /etc/master.passwd
$ sudo pwd_mkdb -c /etc/master.passwd

Additionally, try to su and sudo to another account - create one, if
necessary. Report back on your findings.

Post /etc/passwd, /etc/login.conf and /etc/sudoers.

If it still doesn't work, try

$ sudo passwd root
Password:
Changing local password for root.
New password:
Retype new password:
$ su
Password:
Sorry
$ ktrace su
Password:
Sorry
$ kdump | mail -s 'Re: su on 3.8 soekris' misc@openbsd.org

At least it'll show you if some file cannot be read, or somesuch. Please
note that the above will send the password in question to the mailing
list.

Good luck. I must admit I'm stumped, though I'm too new to OpenBSD to
know all the gotchas...

Joachim



Re: httpd: semop permission denied

2005-11-11 Thread Need Coffee
Don't mean to be a nuisance but does anyone have any advice here?

File mutex didn't solve the problem.

I'd rather not bug tech@ about it but this is important to me.  Some
more information...  this system runs GENERIC.MP (4 CPU's) and has
4GB RAM.  Apache segfaulted chrooted and non-chrooted but it usually
only happened when the load was high.  Some posts suggested php5
could be to blame as well.  Am I alone w.r.t the segfaults (and
occasionally Bus Errors) that I get under load?

I am building another box with 3.8 and php 4.4.1 so we'll see in a few
days if the issues remain.  I'm also running memtest86 on both boxes
just to rule out memory issues.  So far, no errors on the machine in
question...

Thanks.


On 11/8/05, Need Coffee <[EMAIL PROTECTED]> wrote:
> Hi.
>
> I have an amd64/3.7-stable machine here running apache with mod_ssl
> and php 5.0.4.  SSLMutex is set to 'sem', the default.  Intermittently
> the httpds start segfaulting.
> Of course the parent process remains, and respawns them.  There's a
> large number of clients
> and the machine is kept pretty busy.
>
> The httpds always end the same way:
>
>  26510 httpdCALL  semop(0x7,0x7f7eced0,0x1)
>  26510 httpdRET   semop -1 errno 13 Permission denied
>  26510 httpdCALL  semop(0x7,0x7f7eced0,0x1)
>  26510 httpdRET   semop -1 errno 13 Permission denied
>  26510 httpdCALL  semop(0x7,0x7f7eced0,0x1)
>  26510 httpdRET   semop -1 errno 13 Permission denied
>  26510 httpdPSIG  SIGSEGV SIG_DFL code 1 addr=0x2f2e2e trapno=6
>
> From what I've read, semume and semaem values that are too low can
> cause this.  I've cranked semume to 100 but haven't messed with
> semaem since that's actually hardcoded in sys/sem.h.
>
> Should I be messing with semaem or is there something else at work
> here?  I'm tempted to try a file mutex but saw a post (which I only
> vaguely remember) where henning@ said it was defaulted to 'sem' for
> permissions reasons and that file wouldn't work right.
>
> I'm at my wits end with this... anyone have a solution?  Thanks much in 
> advance.



Re: su on 3.8 soekris

2005-11-11 Thread Mike Hernandez
Someone (you perhaps?) just recently said:
> Additionally, try to su and sudo to another account - create one, if
> necessary. Report back on your findings.
> 

I missed the beginning of this thread (fingers get happy on the d key some
mornings ;)) but you may want to add a new user in the staff login class and the
wheel group and try to su with that account?

Mike H



Re: pf tagging and matching over more than one interface ...

2005-11-11 Thread Mark Patruck
Your packet flow looks like this:

 IN
 > $wan_if (Packets from  enter on
$wan_if on port 1194/TCP =>
tag 'NORM')

 IN
any > $tun_if (Packets from any can enter on
$tun_if on port {80,443}/TCP
_if_ they were tagged 'NORM'
before)

In this case packets that enter on $wan_if/$tun_if have
nothing to do with each other, hence PF handles them
separately. (first seen)


 IN   OUT
 > $wan_if ---> $tun_if

(Packets entering on $wan_if on port 1194/TCP get tagged
'NORM' and can leave on $tun_if to port { 80, 443 }/TCP
_if_ they were tagged 'NORM' before)

Now PF knows about the relationship between $wan_if
and $tun_if.


-Mark


On Fri, Nov 11, 2005 at 03:37:57PM +0100, Wild Karl-Heinz wrote:
> In message "pf tagging and matching over more than one interface ..."
>on 11.11.2005, David fire <[EMAIL PROTECTED]> writes:
> 
> Df> you only tag the packets to port 1194 in both cases and you are allowing 
> only
> Df> tagged packets to ports 22, 80, 443
> 
> Port 1194 on wan_if is handled by openvpn.
> Then the data will be redirected to the
> tun interface and there I'll filter the
> traffic.
> 
> Sorry, I didn't explain enough.
> 
> Df> 2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
> >>
> >> I try to tag a connection on the wan_if and
> >> accordingly on the tag I'll restrict the
> >> access on an other interface like.
> >>
> >> an example ...
> >>
> >> pass in quick on wan_if proto tcp from  to port 1194 tag NORM
> >> keep state
> >> pass in quick on wan_if proto tcp from  to port 1194 tag POWER
> >> keep state
> >>
> >> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
> >> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
> >>
> >> ...
> >>
> >> but I don't know why. It doesn't work.
> >> I thought that works.
> >>
> >> I ask for advice.
> >> Thanks
> >>
> >> Karl-Heinz
> 

-- 
Mark Patruck - Security Consultant

patruck consulting
http://www.patruck-consulting.de
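Mark's two diagrams written as pf.conf, plus the case Karl-Heinz actually has. This is an added example, not Karl-Heinz's ruleset or Mark's words; the interface macros, the web server address and the two tunnel address pools are assumptions. A tag is attached to the packet (and to any state it creates) inside the kernel, so an out rule on a second interface can test it only when it is the same packet being forwarded. Traffic to port 1194 is instead delivered to the openvpn daemon, which decrypts it and writes the inner packet to tun0; that inner packet enters pf as a brand-new packet, `in on tun0`, carrying no tag, which is why the `tagged NORM` and `tagged POWER` rules never match. The restriction therefore has to be keyed on something the inner packet carries, such as the tunnel address each client class is assigned from.

```pf
wan_if = "rl0"            # assumed
lan_if = "re0"            # assumed
tun_if = "tun0"           # assumed: openvpn's tunnel interface
www    = "192.168.1.10"   # assumed internal web server
vpn_norm  = "10.8.0.0/25"     # assumed: tunnel pool openvpn hands to NORM clients
vpn_power = "10.8.0.128/25"   # assumed: tunnel pool for POWER clients

block log all

# Case 1 (Mark's second diagram): forwarded traffic. The packet that came in
# on $wan_if is the same packet that goes out on $lan_if, so the tag set by the
# stateless in rule is still on it when the out rule is evaluated.
pass in  quick on $wan_if proto tcp from any to $www port 80 tag WEB
pass out quick on $lan_if proto tcp tagged WEB keep state

# Case 2: OpenVPN. The packet to 1194 terminates in the openvpn process, so a
# tag on it is never seen on $tun_if: the decrypted inner packet is new and
# untagged. Match the inner packet on the tunnel address it was given instead.
pass in quick on $wan_if proto tcp from any to ($wan_if) port 1194 keep state
pass in quick on $tun_if inet proto tcp from $vpn_norm  to any port { 80, 443 }     keep state
pass in quick on $tun_if inet proto tcp from $vpn_power to any port { 22, 80, 443 } keep state
```

The split into two pools is done on the OpenVPN side, not in pf: a per-client file under `client-config-dir` with an `ifconfig-push` line pins each certificate to an address in the pool its class is allowed, so the pf rules on $tun_if are deciding on an address the daemon assigned rather than one the client chose.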



CARP, PPPoE and redundancy

2005-11-11 Thread dick
heya,

i have fixed public IPs and i have ADSL using PPPoE. i would like to make things
very redundant, so that if any one piece of hardware craps out, there will be a
failover. i have conceived of a setup and am wondering if anyone can suggest
improvements or tell me if it just won't work. here it is:

###  ###
# ADSL modem in   #--# fw1 #
# bridging mode   #  # pub IP = X  #
###  # doing PPPoE #
  |  ###
  | |
### |
# fw2 #  ###
# pub IP = Y  #--# switch  #
# doing PPPoE #  ###
###

in this case i would have carp0 as my external interface with another fixed
public IP (i have a /29), Z, pfsync between fw1 and fw2 and carp1 with private
IPs on the internal network. i am not sure this can be done, as i have not yet
had the opportunity to set my router/modem into bridging mode to test this. i am
also not sure if i can have two hosts negotiating PPPoE behind the bridging
modem at the same time. i am also not sure if the in-kernel pppoe supports
fixing an IP address as part of the PPPoE negotiation or if it pulls it
automatically from the ISP upon negotiation. i would like to be able to fix the
IPs X, Y and Z (in above diagram).

if this is not doable and i need a single machine on my DSL line negotiating
PPPoE, would having DSL service through another phone number/line at the same
location provide me with the redundancy i desire? this seems to point to trunk
and ifstated, but i'm not sure.

my motivation for doing this is to have public IPs on my firewalls, so they can
be my VPN gateways, as opposed to having to port forward everything into my
private network or using the router (netopia cayman 3546-002). i'm trying to get
the port forwarding VPN setup to work, but it doesn't work quite right. another
reason for doing this is to work towards removing the ADSL modem as a single
point of failure which i don't think i can achieve without a different
connection or 2 phone lines each with DSL service.

cheers,
jake



PPPoE and static IP block

2005-11-11 Thread Joe S
I have new static IP ADSL service from SBC. SBC assigns a /29 netblock 
once authenticated via PPPoE. The ISP routes all traffic for the IP 
block down the same PPP session, and the last usable IP is the gateway. 
I plan to assign the static IPs to some of my servers.


I'm not sure how to setup the routing on my OpenBSD 3.8 firewall. Has 
anyone run into this? I don't want to do any 1 to 1 NAT.


Thanks.



American Business Database Available

2005-11-11 Thread info
Canada Books
26 Bellevue
Lac Guindon
Qc, Canada
J0R 1B0

Press Release

The "American Business Database" is now available. This 
database contains more than 25 million US business leads.

Our fully importable database is perfect for entrepreneurs and 
marketing professionals to quickly gain access to a wealth of 
information to start a direct marketing campaign.

The American Business Database is excellent for direct mail 
marketing campaigns, fax broadcasting, finding new suppliers, 
distributors or manufacturers for your products/services. It is 
also a great source of leads for sales/telemarketing campaigns.

You can freely import the text file to your favorite software such 
as Avery Label, Winfax, Filemaker, Act, Goldmine, MS office or 
any other database software and spreadsheet.

What it contains:

-Company name
-Full mailing address
-Telephone number
-Fax number (When available)
-Industry category

The database is sold for $199.95
To place your order call: 450-224-9275


If you do not wish to receive communication from us in the future 
please write "abd" in the subject line to: [EMAIL PROTECTED]



Re: ath0: bogus xmit rate 0x0

2005-11-11 Thread Sevan / Venture37
I'm getting the same problem, it only appears if you have specified a 
media type eg DS1; if you set the interface to autoselect it works fine. 
I've just installed -CURRENT & about to try the patch Reyk posted :)


Sevan



Back to school

2005-11-11 Thread noreply
Online Doctoral and Masters Degrees

Walden University, an accredited institution, offers advanced degrees
online to professionals who work to advance the greater good. Our
rigorous programs include management, education, health and human
services, psychology, and engineering.


For more information click here: Walden University




Venice v2k5 ports hackathon

2005-11-11 Thread Peter Valchev
This year, OpenCON hosted a mini hackathon with focus on ports.  It
consisted of 4 days right before the conference, and a dozen
OpenBSD developers were present, most of them arriving on October 31st
to spend the next 4-5 days working together on improving the system.

Some of us had never met face to face before, and the excitement
levels preceding the event were high.  Over the next few days, we
sat in a room together, occasionally walking around laptops in hand,
consulting each other - the usual hackathon atmosphere.  The spike
of commits during the period and material accomplishments were noted
by many, but what's especially important is the conversations and
ideas born, as well as work not yet finished which will appear in the
next weeks and months as a result of this event.

Something must be said about the location - the small San Servolo island
on which the buildings have been renovated recently to have the feeling
of top-notch conference setting.  Being less than 10 minutes by boat from
main tourist Venice gave us the opportunity to experience this unique
city that many dream to visit - we were quite close to the tourist
centre to appreciate it, but far enough on an isolated island to have
a calm atmosphere to hack.  Enough cannot be said about how cool
it felt to be there... many thanks to all the organizers.

The conference itself was a pleasure as well, with many OpenBSD users
and developers present, including a number of interesting talks.  On
Sunday morning a small report was presented by some developers
participating in the hackathon, to give people an idea of what it is
about:
http://openbsd.org/papers/ven05-pvalchev

There was a talk by Marc Espie on the new package tools in OpenBSD and
how they tie together with our ports infrastructure today:
http://openbsd.org/papers/ven05-espie

And of course the other talks were very interesting to the crowd:
http://openbsd.org/papers/ven05-henning
http://openbsd.org/papers/ven05-niallo-uwe/slides.pdf
http://openbsd.org/papers/ven05-deraadt

The week was a total success, see you there next year!



Re: ath0: bogus xmit rate 0x0

2005-11-11 Thread Sevan / Venture37

the patch has stopped the errors from appearing

extract from GENERIC kernel from the latest snapshot (OpenBSD 
3.8-current (GENERIC) #236: Wed Nov  9 18:56:51 MST 2005)

ifmedia_set: no match for 0x20/0x
ifmedia_match: multiple match for 0x22/0x, selected instance 0
ath0 at pci0 dev 20 function 0 "Atheros AR5212" rev 0x01: irq 11
ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:0b:6b:34:af:46

/etc/hostname.ath0
inet 10.10.10.1 255.255.255.0 NONE media DS1 mediaopt hostap nwid 
venture37 mode 11b


new kernel:
OpenBSD 3.8-current (GENERIC) #0: Fri Nov 11 19:23:07 GMT 2005
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Nehemiah ("CentaurHauls" 686-class) 802 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
cpu0: RNG AES
real mem  = 234401792 (228908K)
avail mem = 207044608 (202192K)
using 2886 buffers containing 11821056 bytes (11544K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ed) BIOS, date 10/27/04, BIOS32 rev. 0 @ 0xfacf0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xd964
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd8c0/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xf600
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8623 PCI" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8633 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA CLE266" rev 0x03: aperture at 
0xd800, size 0x1000

wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 6149MB, 12594960 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 
5/cdrom removable

cd0(pciide0:1:1): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x86: irq 11
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
pcib0 at pci0 dev 17 function 0 "VIA VT8237 ISA" rev 0x00
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x78: irq 10, address 00:40:63:dc:17:76
ukphy0 at vr0 phy 0: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy1 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 8: OUI 0x08, model 0x4063
ukphy2 at vr0 phy 2: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy3 at vr0 phy 3: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy4 at vr0 phy 4: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy5 at vr0 phy 5: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy6 at vr0 phy 6: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy7 at vr0 phy 7: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy8 at vr0 phy 8: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy9 at vr0 phy 9: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy10 at vr0 phy 10: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy11 at vr0 phy 11: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy12 at vr0 phy 12: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy13 at vr0 phy 13: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy14 at vr0 phy 14: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy15 at vr0 phy 15: Generic IEEE 802.3u media interface, rev. 0: OUI 0x00, model 0x0020
ukphy16 

Re: share PPPoE

2005-11-11 Thread Joachim Schipper
On Fri, Nov 11, 2005 at 09:34:35AM -0300, David fire wrote:
> hi
> i want to share the internet connection i configured the PPPoE but i have a
> bridge i should do NAT with the interface which is pppoe client and the if
> where i want share internet or if i am doing the bridge i don't need nat?
> thanks!
> David

I am sorry, please rephrase this in a way I can understand. ;-)

If you intended to ask this: yes, when using an OpenBSD box as a PPPoE
router, it is possible to do NAT or bridging (probably both, too). I'd go
with NAT, as this allows you to run multiple hosts and has some security
benefits. [1]

Someone else will have to comment on doing both.

Joachim

[1] Compared to a bridge, when neither is using pf. If using pf, well,
it doesn't matter.



ssh brute force attacks

2005-11-11 Thread stan
I've got a machine that seems to be getting attacked by what appears to be a
simplistic "brute force" attack. It's getting hit multiple times a second
with bogus root login attempts; my guess is that they are trying dictionary
attacks on the password for root.

Any suggestions as to how to deal with this? Change the port ssh is
listening on maybe?

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ssh brute force attacks

2005-11-11 Thread Roy Morris
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] Behalf Of
> stan
> Sent: Friday, November 11, 2005 4:45 PM
> To: OpenBSD general usage list
> Subject: ssh brute force attacks
> 
> 
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
> 
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?
> 
> -- 
> U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout 
> Despite Vietcong Terror 
> - New York Times 9/3/1967
> 
> 
You need to look at the archives; this has been talked about
several times. Try MARC.

rm



Re: ssh brute force attacks

2005-11-11 Thread Theo de Raadt
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
> 
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?

Or, let them keep doing it since you know your root password is very
good.



Re: ssh brute force attacks

2005-11-11 Thread Okan Demirmen
On Fri 2005.11.11 at 16:44 -0500, stan wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
> 
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?

see STATEFUL TRACKING OPTIONS in pf.conf(5)



Re: ssh brute force attacks

2005-11-11 Thread STeve Andre'
On Friday 11 November 2005 16:44, stan wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
>
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?

Ignore them.  If you have a reasonable password, what does it cost
you?  You could complain to each and every ISP that the attacks come
from, but you'll have a new hobby.  Yes, you could also change the
port that sshd listens to, but you have to then tell anyone who uses
your machine remotely where it is, and as an extra treat you might
get some interest in a vandal and they'll go hunting for the ssh port.

Why bother?  Think of them as ground lice.

--STeve Andre'



Re: ath0: bogus xmit rate 0x0

2005-11-11 Thread Alexandre

Thanks for your help, all, especially Reyk, Sevan, Fred, Joakim.

Here is some more information.
My card is a NETGEAR Wireless PCI Adapter 32-bit WG311T
and I use my box as an AP.

Reyk, I patched my sys with your file.

I have this message:
/bsd: ath0: bogus xmit rate 0x0 (idx 0x3)

Sevan advised me to use "media autoselect"
He was right, it works and the 11M is applied by default.
To remind you, I did force the DS11
> cat /etc/hostname.ath0
inet 192.168.1.1 255.255.255.0 NONE media DS11 chan 8 nwid SPEENICS 
mediaopt hostap


Thanks Sevan and sorry for annoying the list.


On the other hand, I can't use OFDM54 and use the 802.11g feature.
Well, it's not a problem for me, but I can perform tests for you, Reyk, 
if you need.


Bye.



Re: ssh brute force attacks

2005-11-11 Thread Joachim Schipper
On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
> 
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?

PermitRootLogin no?
AllowUsers me?
AllowGroups ssh-users?
PasswordAuthentication no?
Port XYZ?

# passwd?

Really, if you have a decent password, there's little to worry over. If
you want to keep your logs clean, move to a different port. For
security, disable password authentication and root login. Or just use
decent passwords.

Joachim
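Joachim's list above is the usual sshd_config hardening checklist. The following is an added example, not part of the thread and not OpenSSH code: a small Python audit that reads an sshd_config the way sshd does (keywords are case-insensitive, a comment is a line starting with '#', and for each keyword the first value in the file wins) and flags PermitRootLogin and PasswordAuthentication whenever their effective value is not `no`, including values set inside a Match block. The sample configuration, the WANTED table and the function names are this example's own.

```python
"""Audit an sshd_config for the hardening settings suggested in this
thread, reading it the way sshd does: keywords are case-insensitive,
a line starting with '#' is a comment, and for each keyword the FIRST
value seen wins, so a "PermitRootLogin no" appended at the end of the
file is silently ignored if an earlier line already set it.  Settings
after a Match line apply only to matching connections and are
reported separately.  Example code for this thread, not OpenSSH code."""

# Settings the thread recommends and the value we want to see (example's own table).
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercased keyword -> first value seen.
    match_blocks is a list of (criteria, settings) for each Match block.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                 # sshd also accepts Keyword=value
            parts = line.split("=", 1)
        keyword = parts[0].strip().lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}                    # everything below is conditional
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)  # first value wins, later ones are ignored
    return global_settings, match_blocks


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    settings, blocks = parse_sshd_config(text)
    findings = []
    for keyword, want in WANTED.items():
        have = settings.get(keyword)
        if have is None:
            findings.append(f"{keyword}: not set, sshd's compiled-in default applies")
        elif have.lower() != want:
            findings.append(f"{keyword}: effective value is '{have}', want '{want}'")
    for criteria, block in blocks:
        for keyword, want in WANTED.items():
            have = block.get(keyword)
            if have is not None and have.lower() != want:
                findings.append(
                    f"Match {criteria}: {keyword} is '{have}' for matching connections")
    return findings


# Constructed sample, not taken from any real host.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
AllowUsers me
# someone appended the fix below; sshd ignores it because the
# PermitRootLogin line above comes first
PermitRootLogin no
PasswordAuthentication no

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The first-value-wins rule is the trap this catches: appending `PermitRootLogin no` to a file that already says `PermitRootLogin yes` changes nothing, and the audit reports the value sshd actually uses rather than the last line someone edited.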



Re: ssh brute force attacks

2005-11-11 Thread Roger Neth Jr
On 11/11/05, stan <[EMAIL PROTECTED]> wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
>
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?
>
> --
> U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
> Terror
> - New York Times 9/3/1967
>
>

I would also recommend no root login in your sshd_config

-- rogern

John 3:16



Re: ssh brute force attacks

2005-11-11 Thread J.D. Bronson

At 03:57 PM 11/11/2005, Joachim Schipper wrote:
> On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> > I've got a machine that seems to be getting attacked by what appears to be a
> > simplistic "brute force" attack. It's getting hit multiple times a second
> > with bogus root login attempts; my guess is that they are trying dictionary
> > attacks on the password for root.
> >
> > Any suggestions as to how to deal with this? Change the port ssh is
> > listening on maybe?
>
> PermitRootLogin no?
> AllowUsers me?
> AllowGroups ssh-users?
> PasswordAuthentication no?
> Port XYZ?
>
> # passwd?

or maybe something like this (untested):

If you're running pf:

First add a line to create a persistent table:

table <attackers> persist

and a block rule like this

block in quick from <attackers>

then add a rule like this

pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
(max-src-conn-rate 3/10, overload <attackers> flush)

basically it says if an IP tries to connect more than 3 times in 10 seconds
add them to the attackers table, which is blocked of course.

-JD





--
J.D. Bronson
Information Services
West Allis Memorial Hospital
Aurora Health Care - Milwaukee, Wisconsin
Office: 414.978.8282 // Fax: 414.977.5299

Microsoft Gives you Windows || Unix Gives you a home



Re: share PPPoE

2005-11-11 Thread David fire
yes you understand. i will send you your certificate of Indian English
translator.
so i will use bridge and i was all the day reading the pf user guide.
thanks
David

2005/11/11, Joachim Schipper <[EMAIL PROTECTED]>:
>
> On Fri, Nov 11, 2005 at 09:34:35AM -0300, David fire wrote:
> > hi
> > i want to share the internet connection i configured the PPPoE but i have
> > a bridge i should do NAT with the interface which is pppoe client and the
> > if where i want share internet or if i am doing the bridge i don't need
> > nat?
> > thanks!
> > David
>
> I am sorry, please rephrase this in a way I can understand. ;-)
>
> If you intended to ask this: yes, when using an OpenBSD box as a PPPoE
> router, it is possible to do NAT or bridging (probably both, too). I'd go
> with NAT, as this allows you to run multiple hosts and has some security
> benefits. [1]
>
> Someone else will have to comment on doing both.
>
> Joachim
>
> [1] Compared to a bridge, when neither is using pf. If using pf, well,
> it doesn't matter.



Re: ssh brute force attacks

2005-11-11 Thread Fabien Germain
On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
> then add a rule like this
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
> (max-src-conn-rate 3/10, overload <attackers> flush)

which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( )

Fabien



Re: ssh brute force attacks

2005-11-11 Thread Daniel Ouellet

stan wrote:

> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
>
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?


You have a good password, right!

So, there is nothing to be concerned about!

But if you still do, then turn on PF and you can modify it and add to it
this part to be something like this. That's what I use at home for noise
reduction! (:>


But please, don't just cut and paste it, try to understand what it does
and then you can watch your /var/log/bad_ssh grow after you put


=
# All the bad guys' ssh access to a persistent table at reload
*   1   *   *   *   /sbin/pfctl -T show -t bad_ssh > /var/log/bad_ssh


in your crontab



# define macros for each network interface
ext_if="fxp0"

tcp_services = "{ 22 }"
udp_services = "{ 53 }"
icmp_types = "echoreq"

# Define some variables for clarity
SSH_LIMIT="(max-src-conn-rate 3/30, overload <bad_ssh> flush global)"

# Table directives. The <bad_ssh> name matches the cron job above; the
# other table names were lost in archiving and are assumed from the file
# names.
table <bad_ssh> persist file "/var/log/bad_ssh"
table <goodguys> const file "/etc/pf-goodguys.conf"
table <badguys> const file "/etc/pf-badguys.conf"
table <RFC1918> const file "/etc/pf-RFC1918.conf"
table <IANA> const file "/etc/pf-IANA.conf"

# options
set block-policy return
set fingerprints "/etc/pf.os"
set loginterface $ext_if
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization normal
set state-policy if-bound

# scrub incoming packets
scrub all

# setup a default deny policy
block all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# Allow quick access to good guys.
pass in quick on $ext_if inet proto { tcp } from { <goodguys> } \
   to $ext_if port $tcp_services flags S/SA keep state

# Don't allow Linux hosts to connect to the sshd
# (os fingerprint matching only applies to tcp, so udp is left out).
block drop in log quick on $ext_if proto tcp \
   from any os Linux to any port ssh

# Drop all tcp packets from unassigned IANA blocks, from the reserved
# RFC 1918 ranges and also from any pre-defined bad guys source.
block drop in log quick on $ext_if proto { tcp } \
   from { <badguys>, <RFC1918>, <IANA> } to any

# Allow valid traffic to ssh but log all tries as well
block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
pass in log quick on $ext_if inet proto tcp from ! <bad_ssh> \
   to $ext_if port ssh flags S/SA keep state \
   $SSH_LIMIT label "ssh"

# Allow any traffic to the pre-determined services in macro tcp_services
pass in on $ext_if inet proto tcp from any to $ext_if \
   port $tcp_services flags S/SA keep state

# Allow any traffic to the pre-determined services in macro udp_services
pass in on $ext_if inet proto udp from any to $ext_if \
   port $udp_services keep state

# allow all icmp packets defined in icmp_types macro
pass in inet proto icmp all icmp-type $icmp_types keep state

# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state



Re: ssh brute force attacks

2005-11-11 Thread J Moore
On Fri, Nov 11, 2005 at 11:29:52PM +0100, the unit calling itself Fabien 
Germain wrote:
> On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
> > then add a rule like this
> >
> > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
> > (max-src-conn-rate 3/10, overload <attackers> flush)
> 
> which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( )
> 
Just out of curiosity, why haven't you upgraded?

Let me guess... it's on a Soekris box, and you don't enjoy re-learning 
an obtuse task every 6 months?

Jay



Re: ssh brute force attacks

2005-11-11 Thread Stuart Henderson

--On 11 November 2005 23:29 +0100, Fabien Germain wrote:

> which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( )

Upgrading is not as difficult as you think it will be.



Re: ssh brute force attacks

2005-11-11 Thread Damien Miller
On Fri, 11 Nov 2005 16:44:46 -0500
stan <[EMAIL PROTECTED]> wrote:

> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
> 
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?

use good passwords (you were already, right?)

-d



Re: PPPoE and static IP block

2005-11-11 Thread Greg Thomas
On 11/11/05, Joe S <[EMAIL PROTECTED]> wrote:
>
> I have new static IP ADSL service from SBC. SBC assigns a /29 netblock
> once authenticated via PPPoE. The ISP routes all traffic for the IP
> block down the same PPP session, and the last usable IP is the gateway.
> I plan to assign the static IPs to some of my servers.
>
> I'm not sure how to setup the routing on my OpenBSD 3.8 firewall. Has
> anyone run into this? I don't want to do any 1 to 1 NAT.
>
> Thanks.



Are you not going to use their supplied router? We have several of these
lines in place and I just use their Netopia routers for the PPPoE stuff with
an OpenBSD bridging firewall between the router and our systems.

I've never used PPPoE on OpenBSD but it should be fairly easy to replace the
SBC equipment with an OpenBSD box. Get the WAN IP from SBC's tech, or from
their provided router, use that IP for the external interface, and use the
gateway IP, or one of the other IPs for the internal interface.

Greg



Re: PPPoE and static IP block

2005-11-11 Thread J.D. Bronson

At 04:48 PM 11/11/2005, Greg Thomas wrote:

> On 11/11/05, Joe S <[EMAIL PROTECTED]> wrote:
> >
> > I have new static IP ADSL service from SBC. SBC assigns a /29 netblock
> > once authenticated via PPPoE. The ISP routes all traffic for the IP
> > block down the same PPP session, and the last usable IP is the gateway.
> > I plan to assign the static IPs to some of my servers.
> >
> > I'm not sure how to setup the routing on my OpenBSD 3.8 firewall. Has
> > anyone run into this? I don't want to do any 1 to 1 NAT.
> >
> > Thanks.
>
> Are you not going to use their supplied router? We have several of these
> lines in place and I just use their Netopia routers for the PPPoE stuff with
> an OpenBSD bridging firewall between the router and our systems.
>
> I've never used PPPoE on OpenBSD but it should be fairly easy to replace the
> SBC equipment with an OpenBSD box. Get the WAN IP from SBC's tech, or from
> their provided router, use that IP for the external interface, and use the
> gateway IP, or one of the other IPs for the internal interface.
>
> Greg


this is trivial to do. I run SBC static and use OpenBSD for PPPoE and pf.
I have servers and clients. It all runs good.

Email me offline if you have specific questions and check out 
dslreports.com for additional tips.








--
J.D. Bronson
Information Services
West Allis Memorial Hospital
Aurora Health Care - Milwaukee, Wisconsin
Office: 414.978.8282 // Fax: 414.977.5299

Microsoft Gives you Windows || Unix Gives you a home



Re: ssh brute force attacks

2005-11-11 Thread stan
On Fri, Nov 11, 2005 at 04:15:28PM -0600, J.D. Bronson wrote:
> At 03:57 PM 11/11/2005, Joachim Schipper wrote:
> >On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> >> I've got a machine that seems to be getting attacked by what appears to be a
> >> simplistic "brute force" attack. It's getting hit multiple times a second
> >> with bogus root login attempts; my guess is that they are trying dictionary
> >> attacks on the password for root.
> >>
> >> Any suggestions as to how to deal with this? Change the port ssh is
> >> listening on maybe?
> >
> >PermitRootLogin no?
> >AllowUsers me?
> >AllowGroups ssh-users?
> >PasswordAuthentication no?
> >Port XYZ?
> >
> ># passwd?
> 
> or maybe something like this (untested):
> 
> If you're running pf:
> 
> 
Cool!

I'll play with that one on a test machine.

Thanks.

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ssh brute force attacks

2005-11-11 Thread John Brooks
> > I've got a machine that seems to be getting attacked by what appears to be a
> > simplistic "brute force" attack. It's getting hit multiple times a second
> > with bogus root login attempts; my guess is that they are trying dictionary
> > attacks on the password for root.
> > 
> > Any suggestions as to how to deal with this? Change the port ssh is
> > listening on maybe?
> 
> Or, let them keep doing it since you know your root password is very
> good.
> 
> 

And, of course, you are also set up to deny root logins anyway...



Re: pkg_add, pkg_delete -- can't force

2005-11-11 Thread Chris
Thanks to you both for responding.  I am confident that I will get this
working.  I appreciate it.

However, my primary concern was with the pkg_delete and pkg_add commands,
and not so much my concern with Horde.   Like I stated in my initial
thread, the -F switch does not seem to work as it should.  Is it broken,
or am I doing something wrong?  I can't seem to remove a package no
matter what I do if it is a dependency of another installed package.  I
likewise am not able to force an install if the dependencies are not
present, or they don't quite jibe (details below).

I find it hard to believe it is broken, so I am wondering if I am just
doing something wrong here...

Thanks.



Chris wrote:

>Hello
>
>I have installed openbsd 3.8.  I am trying to make an email server with
>the Horde Interface.
>
>I installed all necessary packages as binaries with the pkg_add
>utility.  When I finally got Horde up and running, I found that php5
>was a dependency for horde-3.0.4.  The horde docs and the test.php file
>state very clearly that php5 is experimental, and is not recommended. 
>Furthermore, many of the features I need (like mysql support) were not
>compiled in the binary. 
>
>So I tried to uninstall all the php5 packages that were installed as
>dependencies and replace them with php4.  I found that the pkg_delete -F
>command would not work.  It seemed to completely ignore the -F flag. 
>For example "pkg_delete -F baddepend php5-mcrypt-5.0.4" would complain
>that horde and php5 must be uninstalled as well.  I tried all the
>arguments for the -F flag, and finally used the dependencies option,
>which worked as one might expect -- it removed the package and all of
>its dependencies.
>
>So, I figured I would try it from the other side.  I compiled php4 with
>ports.  I made my own make file to include the options that horde and I
>wanted.  After it was installed, I tried to install horde.  It would not
>let me, because php5 was a dependency.  So I tried the -F flag.  Again,
>this did not work: 
>
># pkg_add -F conflicts horde-3.0.4.tgz
>Can't install php5-core-5.0.4p0 because of conflicts (php4-core-4.4.0p0)
>/usr/sbin/pkg_add: php5-core-5.0.4p0:Fatal error
>
>I thought that the -F flag would force the install despite the fact that
>a conflicting package was found.  It did not.
>
>So, either this is broken, or I am missing something here...
>
>How can I get Horde3 installed without using php5?  I prefer not to have
>to resort to installing from the tarball, as I like the installation db
>to be accurate, and I want to stay within the audited code.
>
>Any suggestions?
>
>Thanks.
>
>Chris



Re: Venice v2k5 ports hackathon

2005-11-11 Thread fabioFVZ
On Friday 11 November 2005 21:49, Peter Valchev wrote:
[...]
> The week was a total success, see you there next year!

Where??   :) 

-- 

FabioFVZ



Re: ssh brute force attacks

2005-11-11 Thread ober

Patch sshd with http://www.linbsd.org/openssh-samepasswd.patch
Prevents most of the attacks and slows them down quite a bit.

-Ober

On Fri, 11 Nov 2005, stan wrote:

> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
>
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?
>
> --
> U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong
> Terror
> - New York Times 9/3/1967




Re: ssh brute force attacks

2005-11-11 Thread Miguel

J Moore wrote:

> On Fri, Nov 11, 2005 at 11:29:52PM +0100, the unit calling itself Fabien
> Germain wrote:
> > On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
> > > then add a rule like this
> > >
> > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
> > > (max-src-conn-rate 3/10, overload <attackers> flush)

Excellent, i suppose this works for any kind of traffic, just change the port.
Is there a way to configure a timeout with the overload <attackers>
part? i mean, i'm thinking of activating this for my email servers: if some
zombie machine tries to flood my email server it will
be added to the attackers table; it would be nice if that were only for some
configurable time, and after that the ip is dropped from the table. i've
seen this with yahoo: sometimes a customer is infected with the brand
new Microsoft virus of the week, he sends thousands of emails to one of
my smtp relays and yahoo blacklists the relay's ip, dropping every mail
with a message like "sorry, too many conections from 200.156.25.32";
after some time i'm able to send email to yahoo again.

Thanks
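The rate-limiting rules in J.D. Bronson's and Daniel Ouellet's posts above, and the expiry Miguel asks about here, modelled in Python as an added example (not pf code and not anything from the original posts): a per-source sliding window in the style of `max-src-conn-rate 3/10` with `overload <attackers> flush`, replayed over constructed sshd log lines, plus an expiry that drops a table entry after a configurable time. The log lines and addresses are made up (documentation ranges), and the class and function names are this example's own.

```python
"""Model of pf's per-source connection-rate tracking, i.e. a rule with
"max-src-conn-rate 3/10, overload <attackers> flush", replayed over
constructed sshd log lines, plus the table-entry expiry asked about
in the thread.  Example code, not pf's implementation: pf keeps an
approximate moving average, this keeps exact timestamps."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 11 22:01:00 fw sshd[4101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov 11 22:01:02 fw sshd[4103]: Failed password for root from 203.0.113.7 port 40125 ssh2
Nov 11 22:01:04 fw sshd[4105]: Failed password for root from 203.0.113.7 port 40129 ssh2
Nov 11 22:01:05 fw sshd[4107]: Failed password for root from 203.0.113.7 port 40133 ssh2
Nov 11 22:01:09 fw sshd[4109]: Accepted publickey for me from 198.51.100.20 port 51000 ssh2
Nov 11 22:30:00 fw sshd[4211]: Failed password for root from 203.0.113.7 port 41000 ssh2
Nov 11 23:05:00 fw sshd[4300]: Accepted password for me from 203.0.113.7 port 41500 ssh2
"""

# syslog timestamp at the start, source address after "from"
LOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) .* from (\d{1,3}(?:\.\d{1,3}){3}) port")


class OverloadTracker:
    """Per-source sliding window: more than `max_conn` new connections in
    `seconds` puts the source into the overload table for `expire` seconds."""

    def __init__(self, max_conn=3, seconds=10, expire=3600):
        self.max_conn = max_conn
        self.seconds = seconds
        self.expire = expire
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.table = {}                   # src -> time it was added (the <attackers> table)

    def expire_entries(self, now):
        """Drop table entries older than `expire` seconds (what a cron job would do)."""
        for src, added in list(self.table.items()):
            if now - added >= self.expire:
                del self.table[src]

    def new_connection(self, src, now):
        """Record a completed connection from src at time `now`; return True if allowed."""
        self.expire_entries(now)
        if src in self.table:
            return False                  # the "block in quick from <attackers>" rule
        window = self.recent[src]
        window.append(now)
        while now - window[0] > self.seconds:
            window.popleft()              # forget connections outside the window
        if len(window) > self.max_conn:
            self.table[src] = now         # overload <attackers>
            del self.recent[src]          # flush: its existing state is gone too
            return False
        return True


def replay(log, year=2005, **limits):
    """Feed each log line to a tracker; return ([(stamp, src, allowed)], tracker)."""
    tracker = OverloadTracker(**limits)
    decisions = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a connection line we understand
        stamp, src = m.groups()
        now = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()
        decisions.append((stamp, src, tracker.new_connection(src, now)))
    return decisions, tracker


if __name__ == "__main__":
    for stamp, src, allowed in replay(SAMPLE_LOG)[0]:
        print(stamp, src, "pass" if allowed else "BLOCKED")
```

In the replay the fourth connection from 203.0.113.7 within ten seconds puts it in the table, the attempt half an hour later is still blocked, and the one after the hour-long expiry passes again. pf itself leaves expiry to the administrator: a cron job running `pfctl -t attackers -T expire 3600` removes entries older than an hour, which is the behaviour Miguel describes wanting. pf's counter is a moving average rather than this exact window, and max-src-conn-rate only counts TCP connections that have completed the three-way handshake, so a forged source address does not feed it.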



Re: ssh brute force attacks

2005-11-11 Thread Joachim Schipper
On Fri, Nov 11, 2005 at 04:15:28PM -0600, J.D. Bronson wrote:
> At 03:57 PM 11/11/2005, Joachim Schipper wrote:
> >On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> >> I've got a machine that seems to be getting attacked by what appears to be a
> >> simplistic "brute force" attack. It's getting hit multiple times a second
> >> with bogus root login attempts; my guess is that they are trying dictionary
> >> attacks on the password for root.
> >>
> >> Any suggestions as to how to deal with this? Change the port ssh is
> >> listening on maybe?

> or maybe something like this (untested):
> 
> If you're running pf:
> 
> First add a line to create a persistent table:
> 
> table <attackers> persist
> 
> and a block rule like this
> 
> block in quick from <attackers>
> 
> then add a rule like this
> 
> pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
> (max-src-conn-rate 3/10, overload <attackers> flush)
> 
> basically it says if an IP tries to connect more than 3 times in 10 seconds
> add them to the attackers table, which is blocked of course.
> 
> -JD

This sort of thing is really popular, but I don't see the point.

Just run...

# DEFAULT_GATEWAY=`route show | grep default`
# for i in 1 2 3 4 5 6; \
do for j in 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; \
do nmap -e rl0 -S $DEFAULT_GATEWAY -p 22 192.168.0.$j; \
done; \
done

Joachim



identd - what am I missing

2005-11-11 Thread J.D. Bronson

I am running 3.8 and on a single machine with no pf or nat...

I disabled identd in inetd.conf.
I issued a kill -1 on the identd process.

I then tried this:

% telnet localhost 113
Trying 127.0.0.1...

{long pause here}

telnet: connect to address 127.0.0.1: Connection refused


Why the long pause (5-8 seconds) - and how can I get it to immediately 
say Connection Refused?


Thanks :-)

PS - the same behavior is exhibited even if trying the FQDN.






--
J.D. Bronson
Information Services
West Allis Memorial Hospital
Aurora Health Care - Milwaukee, Wisconsin
Office: 414.978.8282 // Fax: 414.977.5299

Microsoft Gives you Windows || Unix Gives you a home



Re: ssh brute force attacks

2005-11-11 Thread Rod.. Whitworth
On Fri, 11 Nov 2005 23:29:52 +0100, Fabien Germain wrote:

>On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
>> then add a rule like this
>>
>> pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
>> (max-src-conn-rate 3/10, overload <attackers> flush)
>
>which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( )
>
>Fabien
>
>

Or (if you don't need access from Linux boxen):
block return-icmp in quick on $ext_if inet proto tcp from any os
"Linux" to any port ssh 
From the land "down under": Australia.
Do we look  from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: ssh brute force attacks

2005-11-11 Thread frantisek holop
hmm, on Fri, Nov 11, 2005 at 04:44:46PM -0500, stan said that
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?

there was a huge thread about this recently...
look up the archives.

i am quite shocked that nobody sent you rudely to consult
the archives.  are people getting soft here, or what? ;)



just to say hello to the people who say "ignore them",
i am filtering for this because on better days, these
suckers generate megabytes of logs which i will not keep.

-f
-- 
he's about as bright as a black hole.



Re: ssh brute force attacks

2005-11-11 Thread Stuart Henderson
On 2005/11/12 01:11:02, Joachim Schipper wrote:
> > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
> > (max-src-conn-rate 3/10, overload <attackers> flush)
> 
> This sort of thing is really popular, but I don't see the point.

See pf.conf(5) about max-src-conn, and compare it with max-src-states.



Re: amd64 port works on Intel EM64T?

2005-11-11 Thread Theo de Raadt
> > A real AMD64 machine can also run with more than 4GB of ram and do DMA
> > without having to bounce buffering to PCI devices.  We don't do
> > software bounce buffering yet to cope with this deficiency in
> > large-memory Intel AMD64-clones.
> 
> You're talking about DMA to really high memory, i.e. above physical
> 4GB, is that right?

Yes.  A real AMD64 machine can reach there.  An Intel one cannot.

> I'm not that clued in with hardware, and I don't
> know where to search to find out the answer to this, but: all I/O
> devices these days can do DMA to above 4GB in big 64-bit systems,

No, they cannot.  Especially when the physical connector of the card
is using 32 bit addressing.

> but
> a limitation in the Intel hardware means that the kernel has to
> intercept this to help,

It is not a limit of Intel hardware, per se.  It is a lack of anything
in hardware to do the translation.

> by catching it in a low memory buffer and then
> transferring the data to higher memory manually, or by doing
> memory-to-memory DMA into high memory, or something.

This is called bounce buffering.  It is a software technique, and
it is what we use on i386 machines to let the floppy controller work,
since the ISA DMA controller is limited; it can only DMA up to an address
of 16MB.

Same thing on PCI bus, except AMD fixed it in the AMD64.

> But the AMD64
> hardware can do it directly without help to bounce the data from low
> to high, supporting DMA directly to physical RAM 4GB+?

Right.  Using hacks to the GART, which let Jason Wright implement a
standard iommu model much like sparc64 has.  This lets you do 32-bit
limited physical DMA to a 64 bit physical address.  You can completely
stuff an AMD64 machine, and do DMA directly to/from any physical ram
in the machine.

> But none of this applies to devices that want to DMA below 4GB,
> because that has always been supported.  It only applies on Intel
> machines with 4GB+ RAM when devices want to DMA to 4GB+ but their DMA
> chips or the processor itself can't do it without software help from
> the kernel.

We only use the iommu if the machine has > 4GB of ram.  If it has less
than 4GB of ram, there is no point in enabling the iommu.

The iommu code is slightly slower, since it has to do mapping
operations at various times.  But it is a hell of a lot better than
bounce buffering.



ntrw.exe and rawrite.exe

2005-11-11 Thread Greg Thomas
I'm having trouble with ntrw and rawrite of all things. My CDs are at home
and I'm trying to install 3.8 on an IBM T20 I just found in the office.

My 3.7 boot floppy works just fine.

With the ntrw.exe I've had for awhile I get:

C:\>ntrw.exe floppy38.fs a:
3.5", 1.44MB, 512 bytes/sector
bufsize is 9216
WriteFile(): a: -- The parameter is incorrect.

With the ntrw.exe I got out of 3.8/tools I get:

C:\>ntrw.exe
This program cannot be run in DOS mode.

With rawrite.exe from 3.7/tools I get:

C:\>rawrite.exe
RaWrite 1.2 - Write disk file to raw floppy diskette

Enter source file name: floppy38.fs
Enter destination drive: a
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Address mark not foundctor: 4

Not the biggest things in the world as I can just bring in my CDs on Monday
but wanted to fill time this afternoon by installing OpenBSD on this laptop.

Any ideas? Floppy in my desktop bad? I've tried about 8 different floppies
in it now.

Greg



Re: ntrw.exe and rawrite.exe

2005-11-11 Thread Steve Shockley

Greg Thomas wrote:

Any ideas? Floppy in my desktop bad? I've tried about 8 different floppies
in it now.


If all else fails, you can use a program like Winimage to write the 
floppy, or use dd from Cygwin.




REALM SMP

2005-11-11 Thread Gustavo Rios
I wonder how "real" is SMP under OpenBSD! I mean:

My box is a 2 processors/2 NICs. Each NIC with its own IP Address.

I would like the following scenario:

process p0 bound to IP address ip0, and
process p1 bound to IP address ip1.

Of course, each IP is on a different NIC.

I wonder if I could do REAL SMP!

If not, what would be the limitation of the OpenBSD system?

Thanks for your support.



Re: OpenBSD Desktop Document

2005-11-11 Thread Alexander Hall

Lawrence Teo wrote:

Roy Morris wrote:



May I suggest shortening the tarball extraction command in the
"Installing Open Office 2.0" section...

 From this:

   A. gzip -d Ooo_2.0.0_LinuxIntel_install.tar.gz; \
   tar -xvf Ooo_2.0.0_LinuxIntel_install.tar

To this:

   A. gzip -cd Ooo_2.0.0_LinuxIntel_install.tar.gz | tar xvf -


Why not go all the way:

tar -xzvf Ooo_2.0.0_LinuxIntel_install.tar.gz

(though it's late now and I might be missing something)

/Alexander



nmap scan on openbsd 3.8 bridging firewall

2005-11-11 Thread levitch
Why does NMAP report lots of services?

% netstat -an:


Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0     48  74.84.x.13.22          74.84.x.14.50055       ESTABLISHED
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.37                   *.*                    LISTEN
tcp        0      0  *.13                   *.*                    LISTEN
tcp        0      0  *.113                  *.*                    LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  127.0.0.1.512          *.*
udp        0      0  74.84.x.13.45906       74.84.x.15.123
udp        0      0  74.84.x.13.123         *.*
udp        0      0  127.0.0.1.123          *.*
udp        0      0  *.514                  *.*

% nmap -vsT this:

PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
566/tcp  filtered streettalk
828/tcp  filtered unknown
1434/tcp filtered ms-sql-m
3389/tcp filtered ms-term-serv

Darrel
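An added example, not from the thread: a small Python triage script that reads a netstat -an listing alongside an nmap port table and explains each result in terms of what the host itself is doing. nmap reports "filtered" when a probe gets no answer at all, so a port that is filtered but has no local listener points at a drop somewhere in the path rather than at a service on the box. The sample output below is constructed to match the listings above (the "x" octet placeholder is kept as the poster wrote it); the function names are the example's own.

```python
import re

# Constructed sample input, laid out like the netstat -an and nmap output
# quoted in the message above.
NETSTAT_OUTPUT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0     48  74.84.x.13.22          74.84.x.14.50055       ESTABLISHED
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.37                   *.*                    LISTEN
tcp        0      0  *.13                   *.*                    LISTEN
tcp        0      0  *.113                  *.*                    LISTEN
"""

NMAP_OUTPUT = """\
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
566/tcp  filtered streettalk
828/tcp  filtered unknown
1434/tcp filtered ms-sql-m
3389/tcp filtered ms-term-serv
"""

LOOPBACK = ("127.0.0.1", "::1")


def listening_tcp_ports(netstat_text):
    """Map each TCP port in LISTEN state to the local address it is bound to.
    BSD netstat joins address and port with '.', so split on the last dot."""
    listening = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            addr, _, port = fields[3].rpartition(".")
            listening[int(port)] = addr
    return listening


def parse_nmap(nmap_text):
    """Return [(port, proto, state, service)] rows from nmap's port table."""
    rows = []
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def triage(netstat_text, nmap_text):
    """Explain each nmap TCP result against the host's own listeners.
    'filtered' means no reply reached the scanner; with no local listener the
    drop happened in the path (pf on the box, or the ISP), not on a service."""
    listening = listening_tcp_ports(netstat_text)
    verdicts = {}
    for port, proto, state, service in parse_nmap(nmap_text):
        if proto != "tcp":
            continue
        bound = listening.get(port)
        if state == "open":
            if bound is None:
                verdicts[port] = "open, no local listener: investigate"
            elif bound in LOOPBACK:
                verdicts[port] = "open but bound to loopback only: investigate"
            else:
                verdicts[port] = f"open, served by local listener on {bound}"
        elif state == "filtered":
            if bound is None:
                verdicts[port] = "filtered in the path, no local service"
            else:
                verdicts[port] = "filtered in the path despite local listener"
        else:
            verdicts[port] = state
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(triage(NETSTAT_OUTPUT, NMAP_OUTPUT).items()):
        print(f"{port:>5}/tcp  {verdict}")
```

Run against the listings in the thread, only 22/tcp maps to a listener the box exposes; the five "filtered" ports have no local service at all, which is consistent with filtering between the scanner and the host rather than with extra daemons running.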



Re: REALM SMP

2005-11-11 Thread Gustavo Rios
I think i was not clear, sorry!

Because if I use mono proc. I would be even closer to SMP.

2005/11/12, Matthew Weigel <[EMAIL PROTECTED]>:
> On 11 Nov, 2005, at 8:52 PM, Gustavo Rios wrote:
>
> > I wonder if i could do REAL SMP!
>
> I don't think you have a strong enough grasp of the situation.
>
> What makes you think that a single processor can't handle everything
> from both NICs (or from four NICs)?
> --
>  Matthew Weigel
>  unique&idempot.ent
>  Unique and Idempotent



Re: ssh brute force attacks

2005-11-11 Thread Alexey S. Malyshev
On Fri, 11 Nov 2005 16:44:46 -0500
stan <[EMAIL PROTECTED]> wrote:

> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. It's getting hit multiple times a second
> with bogus root login attempts; my guess is that they are trying dictionary
> attacks on the password for root.
> 
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?

Look at this:
http://ethernet.org/~brian/src/timelox/

and this:
http://wwwx.cs.unc.edu/~hays/dev/timelox_and_TheHand/
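As an added example, not from the thread or from either of the tools linked above: a short Python detector that runs over sshd "Failed password" lines of the kind stan describes and flags sources that exceed a threshold of failures inside a sliding time window, which is the signal a rate-limiting or blocking tool acts on. The log lines are constructed in sshd's format with documentation-range addresses; the threshold, window and function names are the example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample authlog lines in the format sshd writes (addresses are
# documentation ranges, not taken from the thread).
SAMPLE_LOG = """\
Nov 11 16:40:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50211 ssh2
Nov 11 16:40:01 gw sshd[1203]: Failed password for root from 203.0.113.7 port 50212 ssh2
Nov 11 16:40:02 gw sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Nov 11 16:40:02 gw sshd[1207]: Failed password for root from 203.0.113.7 port 50214 ssh2
Nov 11 16:40:03 gw sshd[1209]: Failed password for root from 203.0.113.7 port 50215 ssh2
Nov 11 16:40:03 gw sshd[1211]: Failed password for root from 203.0.113.7 port 50216 ssh2
Nov 11 16:41:10 gw sshd[1220]: Failed password for stan from 198.51.100.4 port 40001 ssh2
Nov 11 16:41:30 gw sshd[1222]: Accepted publickey for stan from 198.51.100.4 port 40002 ssh2
"""

# syslog timestamp, host, sshd[pid], then the failure message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Yield (timestamp, user, source_ip) for every failed-password line.
    syslog omits the year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: peak_failures} for sources that reach `threshold`
    failures within any `window_seconds` window (sliding window per source)."""
    recent = defaultdict(deque)
    peak = {}
    for ts, user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop expired entries
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def root_failure_sources(log_text):
    """Sources that tried root specifically, the pattern stan reports."""
    return {ip for _, user, ip in parse_failures(log_text) if user == "root"}


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within 60s")   # 203.0.113.7: 6 failures within 60s
```

The single mistyped password from 198.51.100.4 never reaches the threshold, so only the rapid-fire source is reported; feeding the flagged addresses to a pf table with a short expiry is the usual next step on OpenBSD.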



Re: nmap scan on openbsd 3.8 bridging firewall

2005-11-11 Thread Martin Ekendahl
Are you scanning locally or from another machine? If from another 
machine I would say there is a strong possibility that your connection 
is filtered by your ISP. Where is the box located? (e.g. at home, work, 
colocation)


-Martin

[EMAIL PROTECTED] wrote:
Why does NMAP report lots of services?


% netstat -an:


Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0     48  74.84.x.13.22          74.84.x.14.50055       ESTABLISHED
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.37                   *.*                    LISTEN
tcp        0      0  *.13                   *.*                    LISTEN
tcp        0      0  *.113                  *.*                    LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  127.0.0.1.512          *.*
udp        0      0  74.84.x.13.45906       74.84.x.15.123
udp        0      0  74.84.x.13.123         *.*
udp        0      0  127.0.0.1.123          *.*
udp        0      0  *.514                  *.*


% nmap -vsT this:

PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
566/tcp  filtered streettalk
828/tcp  filtered unknown
1434/tcp filtered ms-sql-m
3389/tcp filtered ms-term-serv

Darrel




Re: nmap scan on openbsd 3.8 bridging firewall

2005-11-11 Thread levitch
>> Why does NMAP report lots of services?
>> 
>
>grep pf=YES /etc/rc.conf && sudo grep scrub /etc/pf.conf
>

# grep pf="YES" /etc/rc.conf.local && grep scrub /etc/pf.conf 
pf=YES
scrub in



Re: REALM SMP

2005-11-11 Thread Ted Unangst
On 11/11/05, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> I wonder how "real" is SMP under OpenBSD! I mean:
>
> My box is a 2 processors/2 NICs. Each NIC with its own IP Address.
>
> I would like the following scenario:
>
> process p0  binded to IP address ip0, and
> process p1 binded to IP address ip1.
>
> Of course, each IP are on different NIC.
>
> I wonder if i could do REAL SMP!
>
> If not, what would it be the limitation of OpenBSD system?

no, it doesn't work that way.



Re: ports out-of-date question

2005-11-11 Thread Jacob Meuser
On Thu, Nov 10, 2005 at 12:40:46PM -0600, Denny White wrote:

> Okay Andy, I appreciate the info. If you have time, can you
> answer one more question? Could I alleviate this discrepancy
> by pkg_delete all installed packages and also deleting all
> of /usr/ports/distfiles, and then reinstall packages? And yes,

I'm not Andy, but I do have a moment to answer ...

As Andy said, sometimes snapshot packages lag behind userland
snapshots.  So installing packages might or might not make a
difference.  If the packages are newer than the base snapshot,
then it probably will at least take care of libc and libpthread
"out of date" reports.

There's no need to delete everything in /usr/ports/distfiles.
That definitely won't make a difference, and if you build ports,
you will probably be redownloading some of those files.

-- 
<[EMAIL PROTECTED]>



Re: PPPoE and static IP block

2005-11-11 Thread Joe S
SBC equipment with an OpenBSD box. Get the WAN IP from SBC's tech, or 



this is trivial to do. I run SBC static and use OpenBSD for PPPoE and pf.


This *should* be simple, but it's not. SBC no longer provides WAN IPs 
for home users that want static.


You get a single block of "sticky" IPs. According to SBC Tier 2 
support, I can't do what I want without the Netopia.


Perhaps a bridging PF box is the way to go...