Re: Troubleshooting NFS/SFU

2007-05-14 Thread Ben Calvert

On May 13, 2007, at 8:44 PM, David Higgs wrote:


I've tried to configure NFS and am nearly all the way there, but it
seems like I've hit a pretty big stumbling block.  I've got OpenBSD
4.1-stable (10.0.0.1) with an NFS export of my home directory.  I also
have a Windows XP machine (10.0.0.2) and installed the SFU 3.5 NFS
client.


Are most of your clients going to be windows machines?  If so, you  
should think seriously about using samba.
( you should also read http://www.openbsd.org/mail.html and include  
all even vaguely related config files and output of things like dmesg  
and nfsstat )




[/etc/exports]
/home/david -mapall=david:guest -network=10.0.0.0 -mask=255.255.255.0


i notice you're using 'david:guest' here... the first question that  
springs to mind is to verify that user david is in group guest?




I can successfully mount this share locally and perform both reads  
and writes.


Without any of SFU's User Name Mapping configured, I can mount the
share with uid/gid of -2/-2 as advertised.  Appropriately, I cannot
access any files or directories that are not world-readable.  However,
inside a chmod-777 directory, I cannot create files or directories
(which might be as expected).

After configuring User Name Mapping to map my Windows account to the
UNIX account, I can mount the share with the expected uid/gid.


Please provide specifics?  do you mean with the david:guest uid:gid  
mentioned above?



Although I can read user-only files and directories, I still cannot
create any files or directories.


what user:group is the parent directory?  david:guest, or something  
like david:david?  what permissions are they?



  Windows keeps reporting that the
drive has write-protection enabled.



What do the log files on the server say?


I know this isn't a SFU help forum, but any ideas to try or tips on
troubleshooting the NFS side is more than welcome.  Thanks in advance.

--david

P.S. On an unrelated sidenote, does mountd always bind to the same
ports by default?


man mountd
( http://www.openbsd.org/cgi-bin/man.cgi?query=mountd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html )

will answer this for you


If not, is there a way to fix them at certain
values, so that PF rules can be written to match?  Linux rpc.mountd(8)
supposedly has a -p option that can be used for this purpose.




Re: startx problem

2007-05-14 Thread Ben Calvert

On May 13, 2007, at 10:02 PM, arnuld wrote:


i have configured X and my /etc/X11/xorg.conf file is the same as i have
used on DragonFlyBSD and Gentoo, Arch Linux etc. when i do startx on
OpenBSD amd64 4.1 it 1st turns OFF and then after 2 seconds turns ON
my monitor *automatically*. i had the same problem in OpenBSD 3.9
i386.


pls supply your xorg.conf and the contents of the X error log.  dmesg  
might also be useful




any solution ?

--
http://arnuld.blogspot.com/




Re: s3virge pci card on xenocara/sparc64 ?

2007-05-14 Thread Landry Breuil
2007/5/13, Edd Barrett [EMAIL PROTECTED]:

 Hi,


 On 13/05/07, Landry Breuil [EMAIL PROTECTED] wrote:
  Hello,
 
  i'm trying to make an old Ultra 10 work in dual-screen/xinerama, with
  onboard ati (works fine at [EMAIL PROTECTED]) and an additional old s3 pci
  (detected by kernel).

 As far as I am aware sparc64 requires OpenBoot aware graphics cards.
 I'm not sure how it works in the case of a secondary graphics card for
 X only however.

 Just an idea.

 If it doesn't work then try a creator3d / elite3d?


--
 Best Regards

 Edd

 PS. Would you mind if I grab that xorg.conf? I have a U10 that I never
 got X working on.




here it is : http://gcu.info/~gaston/sparc64/xorg.conf-u10
basically, it's the result of X -configure + a few tweaks to make the sun
mouse work.

I think i'll try to build the s3virge driver upon my next upgrade on this
box, this'd be really neat to make this old card work with it.

Landry



Re: rdate issue

2007-05-14 Thread Stuart Henderson
On 2007/05/13 23:06, John Nietzsche wrote:
 */5 *   *   *   *   /usr/sbin/rdate -4ncva

-c corrects for leap seconds

 */5 *   *   *   *   /usr/sbin/rdate -4cva gw |

and here you do it again i.e. you are correcting time coming from a
source which is already corrected.

I would really recommend against using rdate like this, it jumps the
clock. ntpd skews the clock (makes it run slightly fast or slow until
the time is correct), so you don't miss out on any seconds (which
sometimes skips cron jobs, makes logging more confusing, and can
cause a lot of trouble with some other applications).



Re: Failing to get [EMAIL PROTECTED] in X

2007-05-14 Thread Alex Holst
Quoting Ted Unangst ([EMAIL PROTECTED]):
 On 5/13/07, Alex Holst [EMAIL PROTECTED] wrote:
 I set VertRefresh to 60-60, included a modeline generated by gtf and
 disabled DDC, resulting in X being a smartarse (Sure, I can do 60Hz):
 
 can you post the full log somewhere?  if you can wait to tuesday, i'll
 also try to get it working myself.

Sure, my current configs and logs are at the URLs below. If you need
anything else to reproduce this problem, let me know.

http://a.mongers.org/x/915resolution.txt
http://a.mongers.org/x/Xorg.0.log
http://a.mongers.org/x/xorg.conf

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.http://a.mongers.org 



PF

2007-05-14 Thread Alberich de megres
Hi again,

And sorry to insist on this I'm really lost.

I read in most web docs that with an rdr rule traffic gets redirected to internal
servers, and with this and a pass rule it is enough. But I find myself in a
different scenario: with an rdr rule and a pass rule, packets get redirected to
the internal server with the same external ip.

With a tcpdump on the internal server, packets arrive at the internal server but this
one doesn't ask it back.

If I add a nat rule from any to the internal server, the server logs show me
access only from the firewall ip address ( logically ). Is there some way to
redirect external traffic to the internal server and have the internal server see
the external address ( for log control, and access without a firewall rule...only
on the server machine ) and have it all work fine?

thanks, and sorry for the insistence..
Alberich.



Re: Absolute OpenBSD out-of-print?

2007-05-14 Thread Ioan Nemes
 (Hurrah for the US health care system!)

You can add `Downunder` to the list, we follow you VERY closely!  Hope
you are well.

Ioan



 Michael W. Lucas [EMAIL PROTECTED] 05/11 7:29 am

On Thu, May 10, 2007 at 03:11:09PM -0500, James Hartley wrote:
 On 5/10/07, Matthew Szudzik [EMAIL PROTECTED] wrote:
 Does anybody know if there are plans for another printing?  Or maybe
even
 a second edition?
 
 According to Lucas' Website, he still intends on writing an
_Absolute_
 book for NetBSD.  I may be wrong, but I don't suspect we will see
 second editions of the other two volumes.
 
 http://www.blackhelicopters.org/~mwlucas/#stuff 

Hi,

Competing publishers have taken to eavesdropping on what I'm writing,
and then rushing competing books of their own into print.  I no longer
publicly announce what I'm writing at any time because of this.
Paranoid?  Perhaps.  I do run OpenBSD, however. ;-)

The publisher generally tells me when a book is out-of-print, but AO
is outdated at this point so they might not have.  Much of it is still
applicable, but it doesn't cover all the new nifty features that have
come out in the last few years.  It might also be in that dregs can
be found here and there, but not really totally out of print limbo.

Family medical problems have generally thrown my writing schedule into
the toilet the last couple of years.  (Hurrah for the US health care
system!)  But I am working on a tech book to come out later this year.

==ml

-- 
Michael W. Lucas[EMAIL PROTECTED],
[EMAIL PROTECTED] 
http://www.BlackHelicopters.org/~mwlucas/ 
Latest book: PGP & GPG -- http://www.pgpandgpg.com 
On 5/4/2007, the TSA kept 3 pairs of my soiled undies for security
reasons.



Re: rdate issue

2007-05-14 Thread Otto Moerbeek
On Mon, 14 May 2007, Stuart Henderson wrote:

 On 2007/05/13 23:06, John Nietzsche wrote:
  */5 *   *   *   *   /usr/sbin/rdate -4ncva
 
 -c corrects for leap seconds
 
  */5 *   *   *   *   /usr/sbin/rdate -4cva gw |
 
 and here you do it again i.e. you are correcting time coming from a
 source which is already corrected.
 
 I would really recommend against using rdate like this, it jumps the
 clock. ntpd skews the clock (makes it run slightly fast or slow until
 the time is correct), so you don't miss out on any seconds (which
 sometimes skips cron jobs, makes logging more confusing, and can
 cause a lot of trouble with some other applications).

While I agree with the advice, this is not true when the -a flag is
given to rdate; in that case rdate uses adjtime(2).

ntpd is of course much nicer, since it adjusts the clock frequency as
well, and poses a very light stress on the server: once time is
synced, queries do not happen a lot. Not to speak of the ability to
use time sensors and multiple time sources to provide redundancy.

-Otto



Re: dual g4 needed for hackathon

2007-05-14 Thread Jeff Quast
On 5/11/07, Mark Kettenis [EMAIL PROTECTED] wrote:

 On this years hackathon I'd like to hack more on macppc smp support.
 For obvious reasons I cannot bring my own machine.  Is there anyone in
 the Calgary or Edmonton area that can loan us a dual g4 machine end
 may/early june?

 Mark


If somebody in the area has any old G4, I have a
Dual 533MHz G4 CPU I can ship from Flint, MI



isakmpd not deleting old SAD

2007-05-14 Thread Steven Surdock
Greetings,

I have an isakmpd process that's not letting go of old SADs.  While it
doesn't seem to be causing issues with the tunnels, it is causing higher
than normal system utilization.  It seems to be occurring on the tunnels
which have multiple subnets defined (e.g. VPNA and VPNB, but not VPNC).
Any insight would be appreciated.

fw1$ sudo ipsecctl -sa |grep tunnel |wc
      24     312    2184
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      32     416    2890
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      36     468    3258
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      58     754    5212

kern.version=OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT
2007

/var/log/messages:
May 14 06:19:06 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:19:21 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:20:40 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:36:16 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:38:45 fw1 last message repeated 4 times
May 14 06:56:27 fw1 last message repeated 6 times

/etc/ipsec.conf:
# VPNA from Here to ThereA PIX
ike esp from { 10.1.0.0/16 , 10.5.0.0/24 } to 10.99.10.192/28 \
peer  192.168.40.17 \
local 192.168.3.4 \
main auth hmac-md5 enc aes group modp1024 \
quick auth hmac-md5 enc aes \
psk stupidkeyA

# VPNB from Here to ThereB OBSD
ike esp from { 10.1.0.0/26, 10.5.0.0/24 } to { 10.224.0.0/24,
10.99.10.208/28 } \
peer  192.168.40.19 \
local 192.168.3.4 \
psk stupidkeyB

# VPNC from Here to ThereC PIX
ike esp from 10.1.0.0/16 to 10.0.0.0/16 \
peer  192.168.95.80 \
local 192.168.3.4 \
main auth hmac-md5 enc des \
quick auth hmac-md5 enc des \
psk stupidkeyC


-Steve S.



Re: booting problem

2007-05-14 Thread Andrey Shuvikov

On 5/12/07, alicornio [EMAIL PROTECTED] wrote:

Hi guys

Problems with my webmail. I'm sorry.

 Hi all

 I can't boot my system after the installation. My OS can't be found.
 I follow the faq (4.12.2 - My i386 won't boot after install) and nothing
 changes. But I can boot with CD typing b hd0a:\bsd.

 When I tried install again I saw a warning in disklabel stage:

 WARNING: inode blocks/cyl group (155) >= data blocks (5) in last
 cylinder group. This implies 188 sector(s) cannot be allocated.

 What's happening?
 How can I solve this problem?

 thx all

 Thiago


If you post at least output of fdisk wd0 and disklabel wd0 commands...

My disk: [WIN(ntfs)][DATA(ntfs)][OpenBSD]

1- Booting from first partition (my webmail can't print
 lines with '*' at the beginning)
2- I jump 1 cylinder between partition 1 and 2.

# fdisk -e wd0
Enter 'help' for information
fdisk: 1> p m
Disk: wd0       geometry: 9729/255/63 [76317 Megabytes]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
------------------------------------------------------------------------
 0: 07    0   1  1 - 2549 254 63 [          63:    20003M ] HPFS/QNX/AUX
 1: 07 2550   0  1 - 7649 254 63 [    40965750:    40006M ] HPFS/QNX/AUX
 2: A6 7651   0  1 - 9728 254 63 [   122913315:    16300M ] OpenBSD
 3: 00    0   0  0 -    0   0  0 [           0:        0M ] unused
fdisk: 1>

+++

fdisk: 1> p
Disk: wd0       geometry: 9729/255/63 [156296385 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
------------------------------------------------------------------------
 0: 07    0   1  1 - 2549 254 63 [          63:  40965687 ] HPFS/QNX/AUX
 1: 07 2550   0  1 - 7649 254 63 [    40965750:  81931500 ] HPFS/QNX/AUX
 2: A6 7651   0  1 - 9728 254 63 [   122913315:  33383070 ] OpenBSD
 3: 00    0   0  0 -    0   0  0 [           0:         0 ] unused
fdisk: 1>

+++

a = /, d = /tmp, e = /var, g = /usr, h = /home
i = Windows, j = data

# disklabel wd0
# Inside MBR partition 2: type A6 start 122913315 size 33383070
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: ST380817AS
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 156301488
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 0 # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  a:        306621     122913315  4.2BSD   2048 16384  304 # Cyl 121937*-122241
  b:        524160     123219936    swap                   # Cyl 122242 -122761
  c:     156301488             0  unused      0     0      # Cyl      0 -155060
  d:       1536192     123744096  4.2BSD   2048 16384  328 # Cyl 122762 -124285
  e:        307440     125280288  4.2BSD   2048 16384  306 # Cyl 124286 -124590
  g:      14335776     125587728  4.2BSD   2048 16384  328 # Cyl 124591 -138812
  h:      16372881     139923504  4.2BSD   2048 16384  328 # Cyl 138813 -155055*
  i:      40965687            63 unknown                   # Cyl      0*- 40640*
  j:      81931500      40965750 unknown                   # Cyl  40640*-121921*
#

Need more information?
What's happening?
How can I solve this problem?

thanks

thiago




I jump 1 cylinder between partition 1 and 2.

1. What do you mean by this?

2. If your active partition is a Windows one how do you intend to boot
OpenBSD? Do you have a boot manager? Do you use ntldr and boot.ini?

3. What happens when you try to boot? Do you have any error messages?

Andrey
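To make the poster's "I jump 1 cylinder between partition 1 and 2" statement (Andrey's first question) concrete, here is an editor's example, not code from the thread: a small parser for the LBA view of the fdisk -e output above that compares neighbouring MBR partitions and reports any gap or overlap in sectors and cylinders. The sample table is reconstructed from the numbers the poster gave; the active-partition marker is assumed lost, since the poster says his webmail drops lines that start with '*'.

```python
"""Check the MBR partition table printed by OpenBSD fdisk(8) for gaps,
overlaps and partitions that run past the end of the disk."""
import re
from dataclasses import dataclass

# Constructed from the LBA view of the fdisk output posted in this thread.
# The active-partition marker ('*' in column 1) did not survive the poster's
# webmail, so it is absent here; the parser accepts it when present.
FDISK_OUTPUT = """\
Disk: wd0       geometry: 9729/255/63 [156296385 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
------------------------------------------------------------------------
 0: 07    0   1  1 - 2549 254 63 [          63:  40965687 ] HPFS/QNX/AUX
 1: 07 2550   0  1 - 7649 254 63 [    40965750:  81931500 ] HPFS/QNX/AUX
 2: A6 7651   0  1 - 9728 254 63 [   122913315:  33383070 ] OpenBSD
 3: 00    0   0  0 -    0   0  0 [           0:         0 ] unused
"""

GEOM_RE = re.compile(r"geometry: (\d+)/(\d+)/(\d+) \[(\d+) Sectors\]")
PART_RE = re.compile(
    r"^(\*?)\s*(\d): ([0-9A-Fa-f]{2}) .*\[\s*(\d+):\s*(\d+)\s*\]\s*(\S.*)$")


@dataclass
class Partition:
    index: int
    type_id: int      # MBR type byte, e.g. 0xA6 for OpenBSD
    start: int        # first sector (LBA)
    size: int         # length in sectors
    name: str
    active: bool      # '*' marker seen in column 1

    @property
    def end(self):
        """One past the last sector."""
        return self.start + self.size


def parse_fdisk(text):
    """Return (geometry dict, [Partition]) from `fdisk -e` / `p` output."""
    geom, parts = None, []
    for line in text.splitlines():
        m = GEOM_RE.search(line)
        if m:
            cyls, heads, secs, total = map(int, m.groups())
            geom = {"cyls": cyls, "heads": heads, "secs": secs, "total": total}
            continue
        m = PART_RE.match(line)
        if m:
            star, idx, tid, start, size, name = m.groups()
            parts.append(Partition(int(idx), int(tid, 16), int(start),
                                   int(size), name.strip(), star == "*"))
    if geom is None or not parts:
        raise ValueError("no geometry line or no partition lines found")
    return geom, parts


def sectors_per_cylinder(geom):
    """MBR cylinder = heads * sectors-per-track (255 * 63 = 16065 here)."""
    return geom["heads"] * geom["secs"]


def check_layout(geom, parts):
    """Compare neighbouring used partitions. Returns a list of findings
    (kind, lower index, upper index, sectors); an empty list means the
    partitions abut exactly and stay within the disk."""
    used = sorted((p for p in parts if p.size > 0), key=lambda p: p.start)
    findings = []
    for lower, upper in zip(used, used[1:]):
        delta = upper.start - lower.end
        if delta < 0:
            findings.append(("overlap", lower.index, upper.index, -delta))
        elif delta > 0:
            findings.append(("gap", lower.index, upper.index, delta))
    if used and used[-1].end > geom["total"]:
        findings.append(("past_end", used[-1].index, None,
                         used[-1].end - geom["total"]))
    return findings


if __name__ == "__main__":
    geom, parts = parse_fdisk(FDISK_OUTPUT)
    spc = sectors_per_cylinder(geom)
    print(f"{spc} sectors/cylinder; active: {[p.index for p in parts if p.active]}")
    for kind, lo, hi, n in check_layout(geom, parts):
        print(f"{kind}: partition {lo} -> {hi}: {n} sectors ({n / spc:g} cylinders)")
```

On the poster's table this reports exactly one gap, of 16065 sectors between partitions 1 and 2, which is one MBR cylinder (255 heads * 63 sectors); partition 2 ends exactly at the last sector the MBR geometry can address, and no partition is marked active, which is the point of Andrey's second question.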



Re: PF

2007-05-14 Thread Joachim Schipper
On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
 Hi again,
 
 And sorry to insist on this I'm really lost.
 
 I read in most web docs that with an rdr rule traffic gets redirected to internal
 servers, and with this and a pass rule it is enough. But I find myself in a
 different scenario: with an rdr rule and a pass rule, packets get redirected to
 the internal server with the same external ip.
 
 With a tcpdump on the internal server, packets arrive at the internal server but this
 one doesn't ask it back.
 
 If I add a nat rule from any to the internal server, the server logs show me
 access only from the firewall ip address ( logically ). Is there some way to
 redirect external traffic to the internal server and have the internal server see
 the external address ( for log control, and access without a firewall rule...only
 on the server machine ) and have it all work fine?
 
 thanks, and sorry for the insistence..
 Alberich.

I don't really see what you mean: is there a server with public address
1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like

rdr pass on $ext_if to $server $port1 -> $port2
pass on $ext_if to $server port $port3

In that case, that should just work.

Joachim

-- 
TFMotD: atq (1) - display the at(1) job queue



Re: PF

2007-05-14 Thread Alberich de megres
No,

There's a firewall with public address, and a server with internal address.

firewall: 1.2.3.4
server: 192.168.1.1




On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
  Hi again,
 
  And sorry to insist on this I'm really lost.
 
  I read in most web docs that with an rdr rule traffic gets redirected to internal
  servers, and with this and a pass rule it is enough. But I find myself in a
  different scenario: with an rdr rule and a pass rule, packets get redirected to
  the internal server with the same external ip.
 
  With a tcpdump on the internal server, packets arrive at the internal server but
  this one doesn't ask it back.
 
  If I add a nat rule from any to the internal server, the server logs show me
  access only from the firewall ip address ( logically ). Is there some way to
  redirect external traffic to the internal server and have the internal server see
  the external address ( for log control, and access without a firewall rule...only
  on the server machine ) and have it all work fine?
 
  thanks, and sorry for the insistence..
  Alberich.

 I don't really see what you mean: is there a server with public address
 1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like

 rdr pass on $ext_if to $server $port1 -> $port2
 pass on $ext_if to $server port $port3

 In that case, that should just work.

Joachim

 --
 TFMotD: atq (1) - display the at(1) job queue



ftp and pf (nat)

2007-05-14 Thread John Nietzsche

Dear gentleman/madam,

i have installed my openbsd firewall and i am trying to get an ftp client
behind it working.
It is working nicely. But, when i try to look up the nat rules
inserted by ftp-proxy, i get nothing :

[EMAIL PROTECTED] pfctl -sn -a '*'
nat-anchor ftp-proxy/* all
nat-anchor neif on pppoe0 all
nat-anchor niif_0 on sis0 all
rdr-anchor ftp-proxy/* all
rdr-anchor reif on pppoe0 all
rdr-anchor riif_0 on sis0 all
[EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'


I am very confused about why it does not show anything.

Thanks in advance.



Re: PF

2007-05-14 Thread Joachim Schipper
On Mon, May 14, 2007 at 06:12:12PM +0200, Alberich de megres wrote:
 On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
 
  On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
   Hi again,
  
   And sorry to insist on this I'm really lost.
  
   I read in most web docs that with an rdr rule traffic gets redirected to
   internal servers, and with this and a pass rule it is enough. But I
   find myself in a different scenario: with an rdr rule and a pass rule,
   packets get redirected to the internal server with the same external
   ip.
  
   With a tcpdump on the internal server, packets arrive at the internal
   server but this one doesn't ask it back.
  
   If I add a nat rule from any to the internal server, the server logs
   show me access only from the firewall ip address ( logically ). Is
   there some way to redirect external traffic to the internal server and
   have the internal server see the external address ( for log control,
   and access without a firewall rule...only on the server machine ) and
   have it all work fine?
 
  I don't really see what you mean: is there a server with public address
  1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like
 
   rdr pass on $ext_if to $server $port1 -> $port2
   pass on $ext_if to $server port $port3
 
  In that case, that should just work.

 No,
 
 There's a firewall with public address, and a server with internal address.
 
 firewall: 1.2.3.4
 server: 192.168.1.1

In that case,

server = 192.168.1.1

rdr pass on $ext_if to $ext_if $port1 -> $server
rdr pass on $ext_if to $ext_if $port2 -> $server $port3

should work just fine. What is your /etc/pf.conf? And what doesn't work?

(The underlying idea is that 'rdr pass' is very useful for simple cases,
and one should be careful with NAT.)

Joachim

-- 
TFMotD: vclean (9) - disassociate the underlying file system from a
vnode



Re: ftp and pf (nat)

2007-05-14 Thread Joachim Schipper
On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
 Dear gentleman/madam,
 
 i have installed my openbsd firewall and i am trying to get an ftp client
 behind it working.
 It is working nicely. But, when i try to look up the nat rules
 inserted by ftp-proxy, i get nothing :
 
 [EMAIL PROTECTED] pfctl -sn -a '*'
 nat-anchor ftp-proxy/* all
 nat-anchor neif on pppoe0 all
 nat-anchor niif_0 on sis0 all
 rdr-anchor ftp-proxy/* all
 rdr-anchor reif on pppoe0 all
 rdr-anchor riif_0 on sis0 all
 [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
 
 
 I am very confused about why it does not show anything.

I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
and removes them as soon as they are no longer active.

Joachim

-- 
TFMotD: vgrind (1) - grind nice listings of programs



Re: s3virge pci card on xenocara/sparc64 ?

2007-05-14 Thread Matthieu Herrb

On 5/13/07, Landry Breuil [EMAIL PROTECTED] wrote:

Hello,

i'm trying to make an old Ultra 10 work in dual-screen/xinerama, with
onboard ati (works fine at [EMAIL PROTECTED]) and an additional old s3 pci
(detected by kernel).
I've seen in xenocara/driver/Makefile that the s3virge driver, which this card
normally uses on other archs/OSes, is not enabled on sparc64. Is there a
particular reason, is there a known problem with this hardware, or is it
only because sparc64s are normally only bundled/tested with ati's (as stated
on http://www.openbsd.org/sparc64.html) ? May i try building the driver, or
is it not worth trying ? is it possible to build _only_ the driver/ part of
xenocara, taking the rest of xenocara from snapshot ?
I've tried with wsfb(4), but the primary card is always taken, even when
specifying BusID..
If i make the card work, do i have a chance to get Xinerama ?



The sparc64 kernel currently lacks the support for running multi-head
with PCI cards all together.
--
Matthieu Herrb



EasyWeb Suspension

2007-05-14 Thread TD Canada Trust Bank
TD Canada Trust

Account Suspension

In an effort to protect your EasyWeb TD Canada Trust Online Banking
security, we have suspended your account until such time that it can be
safely restored by you.

We have taken this action because your EasyWeb TD Canada Trust online
account may have been compromised. Sometimes this happens when members
respond to trojans, worms and other infected virus files. Although we
cannot disclose our investigative procedures that led to this conclusion,
please know that we took this action in order to maintain the safety of
your account.

  * Protection. Ensure the payment has not already been made by
viewing your Account Activity . We are not responsible if
your request cannot be processed because the payment has been made,
or you provided incomplete or incorrect information.

  * Secure. To complete our activation process for your account restoring
access click here: EasyWeb TD Canada Trust Bank Login

Also more information about Interac. With an Interac Email Money
Transfer you can win about $10,000.00CAD and it will be paid directly
into your bank account summited for any of your Interac payment made.
Interac Email Money Transfer : receive payments quickly and easily,
and use the time saved to focus on your business!

-

I'm interested.  Tell me more.

Show me later.  Go to EasyWeb.

I'm not interested. Go to EasyWeb.

1

Participating financial institutions include BMO Bank of Montreal, CIBC,
RBC Royal Bank, Scotiabank and TD Canada Trust. Alternatively, the
recipient can collect an Interac Email Money Transfer using the CertaPay
Transfer site.

EasyWeb Security Guarantee: You will receive 100% reimbursement in the
unlikely event account losses occur resulting from unauthorized EasyWeb
activity. Maintaining the care, control and confidentiality of your
Access Card number, Connect ID and EasyWeb password is your
responsibility as set out in our customer agreements. TD Canada Trust and
its affiliates are not responsible for unauthorized access to accounts
online or losses that occur as a result of careless or improper handling,
storing or disclosure by you of your Access Card, Connect ID or EasyWeb
password.

Privacy Policy | Internet Security | Legal | TD Group Financial Services
Site - Copyright © TD



Re: PF

2007-05-14 Thread Alberich de megres
I tried what you told me, and it doesn't work; i get a syntax error

my pf.conf:

#supose 10.0.0.254 is external address..
ext_if=sis0
ext_carp_if=carp1
int_if=rl0
int_carp_if=carp0

nat on carp1 from 192.168.1.0/24 to any -> 10.0.0.254

rdr on sis0 inet proto tcp from any to 10.0.0.254 port 80 -> 192.168.1.69port 80

pass all



On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Mon, May 14, 2007 at 06:12:12PM +0200, Alberich de megres wrote:
  On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
  
   On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
Hi again,
   
And sorry to insist on this I'm really lost.
   
I read in most web docs that with an rdr rule traffic gets redirected to
internal servers, and with this and a pass rule it is enough. But I
find myself in a different scenario: with an rdr rule and a pass rule,
packets get redirected to the internal server with the same external
ip.
   
With a tcpdump on the internal server, packets arrive at the internal
server but this one doesn't ask it back.
   
If I add a nat rule from any to the internal server, the server logs
show me access only from the firewall ip address ( logically ). Is
there some way to redirect external traffic to the internal server and
have the internal server see the external address ( for log control,
and access without a firewall rule...only on the server machine ) and
have it all work fine?
  
   I don't really see what you mean: is there a server with public
 address
   1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like
  
   rdr pass on $ext_if to $server $port1 -> $port2
   pass on $ext_if to $server port $port3
  
   In that case, that should just work.

  No,
 
  There's a firewall with public address, and a server with internal
 address.
 
  firewall: 1.2.3.4
  server: 192.168.1.1

 In that case,

 server = 192.168.1.1

 rdr pass on $ext_if to $ext_if $port1 -> $server
 rdr pass on $ext_if to $ext_if $port2 -> $server $port3

 should work just fine. What is your /etc/pf.conf? And what doesn't work?

 (The underlying idea is that 'rdr pass' is very useful for simple cases,
 and one should be careful with NAT.)

Joachim

 --
 TFMotD: vclean (9) - disassociate the underlying file system from a
 vnode



Re: ftp and pf (nat)

2007-05-14 Thread John Nietzsche

According to pf FAQ:

With passive mode FTP (the default mode with OpenBSD's ftp(1)
client), the client requests that the server pick a random port to
listen on for the data connection. The server informs the client of
the port it has chosen, and the client connects to this port to
transfer the data. Unfortunately, this is not always possible or
desirable because of the possibility of a firewall in front of the FTP
server blocking the incoming data connection. OpenBSD's ftp(1) uses
passive mode by default; to force active mode FTP, use the -A flag to
ftp, or set passive mode to off by issuing the command passive off
at the ftp prompt.

ok! I am really having a bad time with this issue! Not to get it
working but to understand it. If ftp-proxy does not insert rules, how
is the outgoing traffic permitted across the firewall for a
dynamic port chosen by the server?

Thanks once more.

On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
 Dear gentleman/madam,

 i have installed my openbsd firewall and i am trying to get an ftp client
 behind it working.
 It is working nicely. But, when i try to look up the nat rules
 inserted by ftp-proxy, i get nothing :

 [EMAIL PROTECTED] pfctl -sn -a '*'
 nat-anchor ftp-proxy/* all
 nat-anchor neif on pppoe0 all
 nat-anchor niif_0 on sis0 all
 rdr-anchor ftp-proxy/* all
 rdr-anchor reif on pppoe0 all
 rdr-anchor riif_0 on sis0 all
 [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'


 I am very confused about why it does not show anything.

I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
and removes them as soon as they are no longer active.

Joachim

--
TFMotD: vgrind (1) - grind nice listings of programs
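The question above is how a firewall can allow a data connection to a port the server picks at run time. The answer in the thread is that the proxy watches the control channel and keeps a rule only while the session is active; the following is an editor's example of the control-channel parsing that such a proxy depends on, not ftp-proxy's own code and not anything posted in the thread. It decodes the passive-mode reply (227), the extended passive reply (229, RFC 2428) and the active-mode PORT command into the (host, port) that would need a temporary rule, and walks a constructed transcript to show that nothing remains to allow once the session ends. The refusal of an announcement that names a host other than the peer that sent it is this example's own policy; the thread does not say whether ftp-proxy enforces it.

```python
"""Parse the FTP control-channel lines that announce where a data connection
will go, the information a proxy needs in order to allow that one
(host, port) for the life of the session."""
import re
from ipaddress import ip_address

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": server tells client where to connect
PASV_RE = re.compile(r"^227 [^0-9]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# "229 Entering Extended Passive Mode (|||port|)": RFC 2428, address is the server's
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")
# "PORT h1,h2,h3,h4,p1,p2": active mode, client tells server where to connect
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)


class DataChannelError(ValueError):
    """Raised for a malformed or suspicious data-channel announcement."""


def _port(hi, lo):
    """FTP encodes the port as two decimal bytes: port = hi * 256 + lo."""
    hi, lo = int(hi), int(lo)
    if hi > 255 or lo > 255:
        raise DataChannelError(f"port byte out of range: {hi},{lo}")
    return _check_port(hi * 256 + lo)


def _check_port(port):
    if not 1 <= port <= 65535:
        raise DataChannelError(f"port {port} out of range")
    return port


def data_endpoint(line, sender):
    """Return ("passive"|"active", host, port) for one control-channel line,
    or None if the line does not announce a data endpoint.

    `sender` is the address of the party that wrote the line: the server for
    227/229 replies, the client for a PORT command. An announcement naming a
    host other than the sender is refused (this example's own check)."""
    line = line.strip()
    if m := PASV_RE.match(line):
        mode, host, port = "passive", ".".join(m.groups()[:4]), _port(*m.groups()[4:])
    elif m := EPSV_RE.match(line):
        return ("passive", sender, _check_port(int(m.group(1))))
    elif m := PORT_RE.match(line):
        mode, host, port = "active", ".".join(m.groups()[:4]), _port(*m.groups()[4:])
    else:
        return None
    try:
        host_ip, sender_ip = ip_address(host), ip_address(sender)
    except ValueError as exc:               # e.g. an octet above 255
        raise DataChannelError(f"bad address in {line!r}") from exc
    if host_ip != sender_ip:
        raise DataChannelError(f"{mode} announcement names {host}, sender is {sender}")
    return (mode, host, port)


def session_data_rules(transcript, client, server):
    """Walk a transcript of (who, line) pairs, "C" for client and "S" for
    server, and return the data endpoints a proxy would have to allow.
    Once the server closes the session (221) nothing is left to allow,
    which is the "rules only for active sessions" behaviour described."""
    allowed = []
    for who, line in transcript:
        if who == "S" and line.startswith("221"):
            return []
        ep = data_endpoint(line, server if who == "S" else client)
        if ep:
            allowed.append(ep)
    return allowed


# Constructed transcript of one passive-mode transfer (not captured from the thread)
SAMPLE_SESSION = [
    ("S", "220 ftp.example.net FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send your email address as password"),
    ("C", "PASS user@example.org"),
    ("S", "230 Guest login ok"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,149)"),
    ("C", "RETR README"),
    ("S", "150 Opening BINARY mode data connection for README"),
    ("S", "226 Transfer complete"),
]

if __name__ == "__main__":
    for ep in session_data_rules(SAMPLE_SESSION, client="192.168.1.5", server="192.0.2.10"):
        print("allow", *ep)
```

Running it prints one line, `allow passive 192.0.2.10 50069` (195 * 256 + 149), which is the single endpoint a proxy would have to open for this session; append a `QUIT` / `221` exchange and the list is empty again, matching the empty `ftp-proxy/*` anchor the poster saw between sessions.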




Flags for WD driver

2007-05-14 Thread Jeff Simmons
Is there any documentation on the exact functions of the flags that can be 
passed to WD via config? I haven't found any, and I'm not a good enough C 
programmer to tease them out of the source.

-- 
Jeff Simmons   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
By these actions SRL became the first to operate intentionally lethal
machinery over the net with standard browser software.
-- Survival Research Laboratories



Re: Flags for WD driver

2007-05-14 Thread Miod Vallat
 Is there any documentation on the exact functions of the flags that can be 
 passed to WD via config? I haven't found any, and I'm not a good enough C 
 programmer to tease them out of the source.

Unexpectedly, these flags are described in the wd(4) manual page.

Miod



Re: Flags for WD driver

2007-05-14 Thread Ted Unangst

On 5/14/07, Jeff Simmons [EMAIL PROTECTED] wrote:

Is there any documentation on the exact functions of the flags that can be
passed to WD via config? I haven't found any, and I'm not a good enough C
programmer to tease them out of the source.


man wd?



Re: Flags for WD driver

2007-05-14 Thread Stuart Henderson
On 2007/05/14 11:50, Jeff Simmons wrote:
 Is there any documentation on the exact functions of the flags that can be 
 passed to WD via config?

yes, in wd(4), surprisingly enough.

 The flags are used only with controllers that support DMA operations and
 mode settings (like some pciide(4) controllers).  The lowest order
 (rightmost) nibble of the flags define the PIO mode to use.  The next
 four bits indicate the DMA mode and the third nibble the UltraDMA mode.

 For each set of four bits, the 3 lower bits define the mode to use and
 the last bit must be set to 1 for this setting to be used.  For DMA and
 UltraDMA, 0xf () means ``disable''.  For example, a flags value of
 0x0fac ( 1010 1100) means ``use PIO mode 4, DMA mode 2, disable
 UltraDMA''.  The special setting 0x means ``use whatever the drive
 claims to support''.
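The nibble layout quoted above is easy to get wrong by hand, so here is an editor's example (not code from the thread, the driver or the man page) that decodes a wd(4) flags value into its PIO, DMA and UltraDMA selections and builds one back. It follows the quoted text exactly: three nibbles from the low end, mode number in the low three bits, the high bit as the "use this setting" marker, and 0xf meaning "disable" for the DMA and UltraDMA nibbles only. For a nibble whose enable bit is clear the quoted text only says the setting is not used, so the decoder reports "not set" rather than guessing what the driver falls back to; the top nibble is not described in the quoted text and is ignored.

```python
"""Decode and build the wd(4) config flags described in the thread: three
nibbles, low to high, selecting the PIO, DMA and UltraDMA mode."""

FIELDS = ("pio", "dma", "udma")   # nibble 0, 1, 2 of the flags word
ENABLE = 0x8                      # high bit of a nibble: "use this setting"
MODE_MASK = 0x7                   # low three bits: the mode number
DISABLE = 0xF                     # DMA / UltraDMA only: 1111 means "disable"


def decode_wd_flags(flags):
    """Return {"pio": ..., "dma": ..., "udma": ...}; each value is a mode
    number, "disabled", or "not set" (enable bit clear)."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError(f"flags must fit in 16 bits, got {flags:#x}")
    result = {}
    for i, name in enumerate(FIELDS):
        nib = (flags >> (4 * i)) & 0xF
        if name != "pio" and nib == DISABLE:
            result[name] = "disabled"        # 0xf in the DMA/UDMA nibble
        elif nib & ENABLE:
            result[name] = nib & MODE_MASK   # enable bit set: low 3 bits = mode
        else:
            result[name] = "not set"         # enable bit clear: setting not used
    return result


def encode_wd_flags(pio=None, dma=None, udma=None):
    """Inverse of decode: an int 0-7 selects that mode with the enable bit
    set, the string "disable" writes 0xf (DMA/UltraDMA only), None leaves
    the nibble clear."""
    flags = 0
    for i, (name, value) in enumerate(zip(FIELDS, (pio, dma, udma))):
        if value is None:
            continue
        if value == "disable":
            if name == "pio":
                raise ValueError("0xf means disable only for DMA and UltraDMA")
            nib = DISABLE
        elif isinstance(value, int) and 0 <= value <= MODE_MASK:
            nib = ENABLE | value
        else:
            raise ValueError(f"{name}: expected a mode 0-7, 'disable' or None, got {value!r}")
        flags |= nib << (4 * i)
    return flags


if __name__ == "__main__":
    # The man page's own example: 0x0fac is PIO 4, DMA 2, UltraDMA disabled.
    print(f"{0x0fac:#06x} -> {decode_wd_flags(0x0fac)}")
    print(f"pio=4 dma=2 udma=disable -> {encode_wd_flags(4, 2, 'disable'):#06x}")
```

The nibble 0xc is 1100: high bit set, low three bits 100 = mode 4; 0xa is 1010, mode 2; 0xf disables UltraDMA, which reproduces the "PIO mode 4, DMA mode 2, disable UltraDMA" reading of 0x0fac given in the man page text. Note that reading "last bit" as bit 0 instead of the high bit of the nibble would decode 0xc as "not set", which is why the wording matters.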



Re: PF

2007-05-14 Thread Keith Richardson

Alberich de megres wrote:

I tried what you told me, and it doesn't work; i get a syntax error

my pf.conf:

#supose 10.0.0.254 is external address..
ext_if=sis0
ext_carp_if=carp1
int_if=rl0
int_carp_if=carp0

nat on carp1 from 192.168.1.0/24 to any -> 10.0.0.254

rdr on sis0 inet proto tcp from any to 10.0.0.254 port 80 -> 192.168.1.69port 80

  

you are missing a space between '192.168.1.69' and 'port'

fixing that makes pfctl -n happy.

pass all



On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
  

On Mon, May 14, 2007 at 06:12:12PM +0200, Alberich de megres wrote:


On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
  

On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:


Hi again,

And sorry to insist on this I'm really lost.

I read in most web docs that with an rdr rule traffic gets redirected to
internal servers, and with this and a pass rule it is enough. But I
find myself in a different scenario: with an rdr rule and a pass rule,
packets get redirected to the internal server with the same external
ip.

With a tcpdump on the internal server, packets arrive at the internal
server but this one doesn't ask it back.

If I add a nat rule from any to the internal server, the server logs
show me access only from the firewall ip address ( logically ). Is
there some way to redirect external traffic to the internal server and
have the internal server see the external address ( for log control,
and access without a firewall rule...only on the server machine ) and
have it all work fine?
  

I don't really see what you mean: is there a server with public


address


1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like

rdr pass on $ext_if to $server $port1 -> $port2
pass on $ext_if to $server port $port3

In that case, that should just work.


No,

There's a firewall with public address, and a server with internal
  

address.


firewall: 1.2.3.4
server: 192.168.1.1
  

In that case,

server = 192.168.1.1

rdr pass on $ext_if to $ext_if $port1 -> $server
rdr pass on $ext_if to $ext_if $port2 -> $server $port3

should work just fine. What is your /etc/pf.conf? And what doesn't work?

(The underlying idea is that 'rdr pass' is very useful for simple cases,
and one should be careful with NAT.)

   Joachim

--
TFMotD: vclean (9) - disassociate the underlying file system from a
vnode




Re: Flags for WD driver

2007-05-14 Thread Matthias Kilian
On Mon, May 14, 2007 at 11:57:55AM -0700, Ted Unangst wrote:
 Is there any documentation on the exact functions of the flags that can be
 passed to WD via config? I haven't found any, and I'm not a good enough C
 programmer to tease them out of the source.
 
 man wd?

That last bit confuses me ;)

Index: wd.4
===
RCS file: /cvs/src/share/man/man4/wd.4,v
retrieving revision 1.12
diff -u -w -p -r1.12 wd.4
--- wd.415 Feb 2005 19:24:41 -  1.12
+++ wd.414 May 2007 19:05:16 -
@@ -52,7 +52,7 @@ The next four bits indicate the DMA mode
 mode.
 .Pp
 For each set of four bits, the 3 lower bits define the mode to use
-and the last bit must be set to 1 for this setting to be used.
+and the highest bit must be set to 1 for this setting to be used.
 For DMA and UltraDMA, 0xf () means
 .Dq disable .
 For example, a
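Review bot: the change from 'last bit' to 'highest bit' removes a real ambiguity (a reader could take 'last' to mean bit 0 of the group), but the sentence still leaves the arithmetic to the reader; since the preceding line already says the 3 lower bits hold the mode, consider adding the resulting value explicitly, e.g. "so each 4-bit group that is meant to take effect is 0x8 ORed with the mode number", right before the existing "For example" that follows. Also note the '---' header reads "wd.415 Feb 2005", i.e. the tab between file name and date was lost in transit; the hunk still applies by content, but a regenerated diff would avoid the odd header.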



Re: Chrooting users the right way

2007-05-14 Thread jirib

[EMAIL PROTECTED] wrote:

Hi

I am setting up a new OpenBSD machine in which I want to chroot users. I don't
want to use any of the patching solutions to OpenSSH but want to implement a
real system chroot solution so any user, who is chrooted, is jailed even if he
logs in manually.

I have tried to find articles on this, but haven't been successful.


Does anyone know of a good tutorial on how to do this on OpenBSD?

Best and kind regards.

Rico Secada.




Hi,
just try to use a combination of sshd_config directives (Match and
ForceCommand) and your own script wrapper for systrace...


Something like this:

sshd_config:
# the group name is only illustrative; use the group that holds the
# users you want confined
Match Group sftponly
    ForceCommand /path/to/systrace-wrapper

systrace-wrapper (an executable shell script):
#!/bin/sh
# -a: enforce the policy automatically, no interactive prompts
exec /bin/systrace -a /usr/libexec/sftp-server



Re: OpenBSD 4.1 install issue??

2007-05-14 Thread Marcos Laufer
Rob ,

raising VM_PHYSSEG_MAX to 16 did the trick. I'm running stable 4.1 now.
Thanks a lot for the sound advice !

Regards,
Marcos Laufer

- Original Message - 
From: Rob Waite [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Saturday, May 12, 2007 1:04 PM
Subject: Re: OpenBSD 4.1 install issue??


Oh yeah... I also noticed that others were trying the snapshot. I do not
think you should run it at all. I only used it to see if the change to
vmparam.h was likely to be the culprit.

If you are getting the uvm_page_physload: ... increase VM_PHYSSEG_MAX
error (and you won't see it easily... it flies by after about 2/10ths of a
second) it is definitely the change to vmparam.h

For a truly clean install (that is if you are not a pro and want to be
certain things are up to stable plus this patch) get the -stable (or the cd
release if you don't mind the errata patches missing) and make the change to
vmparam.h and build a release. This way you get safe code... a safe build
... and you will have cds that can be used to install this on these machines
without having to go through all of this again.

The reason I only used my built bsd kernel and the cd41.iso was because I
wanted to make sure etc.tar.gz was clean. I actually did the whole build on
4.0 so I didn't want to use its version of etc.tar.gz.

I also suppose if you took a look at the makefiles.. you could build the
cd41.iso much more quickly instead of going through the whole release.. but
as I said... if you don't have the time to look through and make sure you
are doing something safe (or don't know if you are)... you might as well just
do the whole release and be sure it's clean.



Re: Flags for WD driver

2007-05-14 Thread Jeff Simmons
On Monday 14 May 2007 11:57, Ted Unangst wrote:
 On 5/14/07, Jeff Simmons [EMAIL PROTECTED] wrote:
  Is there any documentation on the exact functions of the flags that can
  be passed to WD via config? I haven't found any, and I'm not a good
  enough C programmer to tease them out of the source.

 man wd?

So a flag for, say, PIO, of 0x0100 would be ignored, since it says to set PIO 
mode 4 but not to use it? And then would it revert to the equivalent of 
0x?

Not trying to be difficult here, I'm just having some ... interesting ... 
results passing flags to WD, and it would be nice to know exactly what's 
going on.

-- 
Jeff Simmons   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
By these actions SRL became the first to operate intentionally lethal
machinery over the net with standard browser software.
-- Survival Research Laboratories



Re: PF

2007-05-14 Thread Joachim Schipper
On Mon, May 14, 2007 at 07:25:34PM +0200, Alberich de megres wrote:
 On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
 
  On Mon, May 14, 2007 at 06:12:12PM +0200, Alberich de megres wrote:
   On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
   
On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
 Hi again,

 And sorry to insist on this I'm really lost.

 I read in most web docs that with an rdr rule traffic gets redirected to
 internal servers, and that this plus a pass rule is enough. But I
 find myself in a different scenario: with the rdr rule and pass rule
 packets get redirected to the internal server with the same external
 ip.

 With a tcpdump on the internal server packets arrive at the internal
 server, but this one doesn't answer back.

 If i add a nat rule from any to internal server, the server logs
 show me access only from firewall ip address ( logically ). Is
 there some way to redirect external traffic to internal server and
 the internal server to see external address ( for logs control,
 and access without firewall rule...only on server machine ) and
 all works fine?
   
I don't really see what you mean: is there a server with public
  address
1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like
   
    rdr pass on $ext_if to $server $port1 -> $port2
    pass on $ext_if to $server port $port3
   
In that case, that should just work.
 
   No,
  
   There's a firewall with public address, and a server with internal
  address.
  
   firewall: 1.2.3.4
   server: 192.168.1.1
 
  In that case,
 
  server = 192.168.1.1
 
  rdr pass on $ext_if to $ext_if $port1 -> $server
  rdr pass on $ext_if to $ext_if $port2 -> $server $port3
 
  should work just fine. What is your /etc/pf.conf? And what doesn't work?
 
  (The underlying idea is that 'rdr pass' is very useful for simple cases,
  and one should be careful with NAT.)
 
 I tried what you told me, and it does not work, I get a syntax error
 
 my pf.conf:
 
 #supose 10.0.0.254 is external address..
 ext_if=sis0
 ext_carp_if=carp1
 int_if=rl0
 int_carp_if=carp0
 
 nat on carp1 from 192.168.1.0/24 to any -> 10.0.0.254
 rdr on sis0 inet proto tcp from any to 10.0.0.254 port 80 -> 192.168.1.69port 
 80
 
 pass all

Why are you messing with CARP before the whole thing works at all? CARP
is wonderful and not that difficult to set up, but there are a couple of
gotchas in combining CARP and pf that are best dealt with once you know
pf.conf works. At least the first time.

Also, actually using the $ext_if macro might be more useful than just
defining it; there is no magic there, it's just a common macro to
define. 'pass all' is the default; no need to define it. Your handling
of IPv6 makes little sense (why allow IPv4 to $server port 80, but
handle IPv6 on the firewall? Either 'block drop inet6' or do without
'inet'). Finally, symbolic names are more readable: use 'http' instead
of '80'.

That said,

ext_if=sis0
int_if=rl0
server=192.168.1.69

nat on $ext_if from $int_if:network -> $ext_if
rdr on $ext_if inet proto tcp to $ext_if port http -> $server

should work for the no-CARP scenario. With CARP, that should become
something like the below (not tested):

ext_if_base=sis0
ext_if_carp=carp1
int_if_base=rl0
int_if_carp=carp0
server=192.168.1.69

nat on $ext_if_base from $int_if_carp:network -> ($ext_if_carp)
rdr on $ext_if_base proto tcp to $ext_if_carp port http -> $server

Joachim

-- 
TFMotD: trek (6) - trekkie game
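A complete ruleset for the no-CARP rdr scenario discussed in this thread, added here as an illustration and not taken from any of the posts. The interface names, the server address and port 80 follow the thread; the filter rules and the lo0 rule are assumptions. It uses the 4.1-era nat/rdr syntax, in which a plain 'pass' already keeps state.

```pf
# Added example, not from the original thread. Interfaces and the server
# address follow the post; the filter rules are assumptions.
ext_if = "sis0"
int_if = "rl0"
server = "192.168.1.69"

# Outbound NAT for the internal network. The ($ext_if) form tracks the
# interface address, so the rule survives an address change.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Inbound redirect. rdr rewrites the destination only; the client's
# source address is preserved, so the web server logs the real client.
# No 'port' after $server is needed since the port is left unchanged.
rdr on $ext_if inet proto tcp from any to ($ext_if) port http -> $server

# Filtering is done after translation: the inbound pass rule must name
# the server, not the external address. In 4.1 'pass' implies
# 'flags S/SA keep state', so the replies ride on the state entry.
block all
pass quick on lo0
pass in on $int_if from $int_if:network to any
pass out on $ext_if
pass in on $ext_if inet proto tcp from any to $server port http
pass out on $int_if inet proto tcp from any to $server port http

# The rule that makes the server see only the firewall's address, as
# reported earlier in the thread: it also rewrites the source of the
# redirected connections. Leave it out.
# nat on $int_if from any to $server -> ($int_if)
```

Check the file with 'pfctl -nf /etc/pf.conf' before loading it; the missing space before 'port' that came up in this thread is exactly the kind of error that catches.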



Re: ftp and pf (nat)

2007-05-14 Thread Joachim Schipper
On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
 On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
  Dear gentleman/madam,
 
  i have installed my openbsd firewall and i am trying to get ftp client
  behind working.
  It is working nicely. But, when I try to look up the nat rules
  inserted by ftp-proxy, I get nothing:
 
  [EMAIL PROTECTED] pfctl -sn -a '*'
  nat-anchor ftp-proxy/* all
  nat-anchor neif on pppoe0 all
  nat-anchor niif_0 on sis0 all
  rdr-anchor ftp-proxy/* all
  rdr-anchor reif on pppoe0 all
  rdr-anchor riif_0 on sis0 all
  [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
 
 
  I am very confused about why it does not show anything.
 
 I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
 and removes them as soon as they are no longer active.
 
 According to pf FAQ:
 
 With passive mode FTP (the default mode with OpenBSD's ftp(1)
 client), (...)
 
 ok! I am really having a bad time with this issue! Not to get it
 working but to understand it. If ftp-proxy does not insert rules, how
 is the outgoing traffic permitted across the firewall for a
 dynamic port chosen by the server?

Oops, poor word choice. 'Active FTP sessions' was not intended to mean
'sessions using active FTP' (as opposed to passive FTP), but 'FTP
sessions that are active' (i.e., connected).

ftp-proxy does insert rules in anchors, but only for sessions that are
connected at that time. In other words, were you actually sending FTP
data across your firewall when you looked in the table?

Joachim

-- 
TFMotD: systrace (4) - enforce and generate policies for system calls



Re: new openbsd 4.0 server, panic on ufsdirhash

2007-05-14 Thread John Mendenhall
 Or, perhaps, the drive is just going bad.  I would have
 expected errors on installing the os if that were the
 case.

We have done a low level disk format using an ultimate
boot cd.  Didn't output any errors.  Did this on both
drives in the system.  Took a very long time.

Then, tried to install the OS.  Received a panic on
installing the comp set, ffs_valloc dup alloc.
Reconfigured to have all install go to one drive.
Same error, different inode.  Tried all on other drive,
same error, different inode.  Kept trying it over and
over.  Always panicked on comp set.  Always same error
of ffs_valloc dup alloc.  Always a different inode.

I am unable to copy in the actual error.  I just have
this on a monitor in the room.  No console capability.

Same dmesg as before in this thread.  I can post again
if needed.

My question is, to debug this, or fix it, do I need
to start swapping out cables, hard disks, motherboard,
etc?  Any hints or suggestions are appreciated.

Thanks in advance!

JohnM

-- 
john mendenhall
[EMAIL PROTECTED]
surf utopia
internet services



OT: 32bit vs 64bit network card question

2007-05-14 Thread bofh

I have a question.  Some 64 bit cards (PCI-X?) seem to work in 32 bit
slots (PCI 2.2?).  Is this a feature, or am I looking at possible
issues down the road?  Specifically, I am trying to build a n old(er)
box, and on a whim (and vague memories about this working), stuck an
em card into it.  Box seems to boot, and network traffic seems to
flow.  Not sure if I should spend some $$ to buy another network card.

Thanx.

--
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.



Re: new openbsd 4.0 server, panic on ufsdirhash

2007-05-14 Thread Joachim Schipper
On Mon, May 14, 2007 at 12:41:33PM -0700, John Mendenhall wrote:
  Or, perhaps, the drive is just going bad.  I would have
  expected errors on installing the os if that were the
  case.
 
 We have done a low level disk format using an ultimate
 boot cd.  Didn't output any errors.  Did this on both
 drives in the system.  Took a very long time.
 
 Then, tried to install the OS.  Received a panic on
 installing the comp set, ffs_valloc dup alloc.
 Reconfigured to have all install go to one drive.
 Same error, different inode.  Tried all on other drive,
 same error, different inode.  Kept trying it over and
 over.  Always panicked on comp set.  Always same error
 of ffs_valloc dup alloc.  Always a different inode.
 
 I am unable to copy in the actual error.  I just have
 this on a monitor in the room.  No console capability.
 
 Same dmesg as before in this thread.  I can post again
 if needed.
 
 My question is, to debug this, or fix it, do I need
 to start swapping out cables, hard disks, motherboard,
 etc?  Any hints or suggestions are appreciated.

Running memtest86 is pretty painless, so that's usually a good first
step.

Joachim

-- 
TFMotD: enc2xs (1) - Perl Encode Module Generator



4.1 changelog discrepancy? - *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

2007-05-14 Thread askthelist
I have a stateless rule on one of my boxes which was just upgraded from 4.0 to
4.1. After the upgrade there were some odd issues that were reported and
after looking into them I tracked the source of the issues down to a rule
that was set not to keep state in pf.conf, but was actually keeping state
with the S/SA flags set. I was able to manipulate the rule to use other
flags and saw the change reflected, but when reverting back to the stateless
rule flags S/SA keep state was the actual behavior which
confused/frustrated me. So I looked at the changelog again to take a closer
look at what changes were made to PF and came across this line:

*Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

which confuses me even more. Anyone seeing the same issues I am?



Re: new openbsd 4.0 server, panic on ufsdirhash

2007-05-14 Thread John Mendenhall
On Mon, 14 May 2007, Joachim Schipper wrote:

  We have done a low level disk format using an ultimate
  boot cd.  Didn't output any errors.  Did this on both
  drives in the system.  Took a very long time.
  
  Then, tried to install the OS.  Received a panic on
  installing the comp set, ffs_valloc dup alloc.
  Reconfigured to have all install go to one drive.
  Same error, different inode.  Tried all on other drive,
  same error, different inode.  Kept trying it over and
  over.  Always panicked on comp set.  Always same error
  of ffs_valloc dup alloc.  Always a different inode.
  
  I am unable to copy in the actual error.  I just have
  this on a monitor in the room.  No console capability.
  
  Same dmesg as before in this thread.  I can post again
  if needed.
  
  My question is, to debug this, or fix it, do I need
  to start swapping out cables, hard disks, motherboard,
  etc?  Any hints or suggestions are appreciated.
 
 Running memtest86 is pretty painless, so that's usually a good first
 step.

Already done that.  No errors.
See previous thread, subject 'openbsd 4.0 server, new setup,
getting panics', dated 5/1-5/3.

JohnM

-- 
john mendenhall
[EMAIL PROTECTED]
surf utopia
internet services



Re: 4.1 changelog discrepancy? - *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

2007-05-14 Thread Otto Moerbeek
On Mon, 14 May 2007, [EMAIL PROTECTED] wrote:

 I have a stateless rule on one of my boxes which was just upgraded from 4.0 to
 4.1. After the upgrade there were some odd issues that were reported and
 after looking into them I tracked the source of the issues down to a rule
 that was set not to keep state in pf.conf, but was actually keeping state
 with the S/SA flags set. I was able to manipulate the rule to use other
 flags and saw the change reflected, but when reverting back to the stateless
 rule flags S/SA keep state was the actual behavior which
 confused/frustrated me. So I looked at the changelog again to take a closer
 look at what changes were made to PF and came across this line:
 
 *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.
 
 which confuses me even more. Anyone seeing the same issues I am?

I don't think you've read http://www.openbsd.org/faq/upgrade41.html
before upgrading.

-Otto



Re: 4.1 changelog discrepancy? - *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

2007-05-14 Thread Rivanor P. Soares

On 5/14/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I have a stateless rule on one of my boxes which was just upgraded from 4.0 to
4.1. After the upgrade there were some odd issues that were reported and
after looking into them I tracked the source of the issues down to a rule
that was set not to keep state in pf.conf, but was actually keeping state
with the S/SA flags set. I was able to manipulate the rule to use other
flags and saw the change reflected, but when reverting back to the stateless
rule flags S/SA keep state was the actual behavior which
confused/frustrated me. So I looked at the changelog again to take a closer
look at what changes were made to PF and came across this line:

*Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

which confuses me even more. Anyone seeing the same issues I am?





From the URL http://www.openbsd.org/faq/upgrade41.html :


1.2. Operational changes

- flags S/SA keep state implicit in pf.conf(5)

flags S/SA keep state is now the default for pass rules in pf.conf(5),
and new no state and flags any options have been added to override
these defaults. Current rulesets will continue to load, but the
behaviour may be slightly changed as these defaults are more
restrictive. Rulesets with stateless filtering (no state) or a
requirement to create states on intermediate packets (flags any)
should be updated to explicitly request the desired behaviour.

--
Rivanor
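An illustration of the change the FAQ excerpt describes, added here and not part of the thread or the FAQ: the same rule as it was read before 4.1, and the two explicit 4.1 forms. The interface name, the host address and port 8080 are assumptions.

```pf
# Added example, not from the thread or the FAQ. Interface, host and
# port are assumptions.
ext_if = "fxp0"
logsrv = "10.0.0.5"

# Before 4.1 a pass rule without 'keep state' was stateless and matched
# TCP segments whatever their flags:
#
#   pass in on $ext_if inet proto tcp from any to $logsrv port 8080
#
# In 4.1 that same line is read as if it ended in 'flags S/SA keep state':
# only a SYN creates a state entry, and a segment that belongs to no
# existing state (an intermediate packet of a connection the firewall did
# not see open) is no longer matched by it. This is the behaviour the
# original poster ran into.

# Explicitly stateless, as the old rule was. Stateless TCP also needs a
# rule for the reverse direction, since no state entry will pass replies.
pass in  on $ext_if inet proto tcp from any to $logsrv port 8080 no state
pass out on $ext_if inet proto tcp from $logsrv port 8080 to any no state

# Alternatively, stay stateful but let any packet create the state:
# pass in on $ext_if inet proto tcp from any to $logsrv port 8080 flags any
```

'pfctl -sr' prints the effective rule, so a rule that silently picked up 'flags S/SA keep state' shows it there, as in the rulesets posted elsewhere in this digest.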



Re: Flags for WD driver

2007-05-14 Thread Ted Unangst

On 5/14/07, Jeff Simmons [EMAIL PROTECTED] wrote:

On Monday 14 May 2007 11:57, Ted Unangst wrote:
 On 5/14/07, Jeff Simmons [EMAIL PROTECTED] wrote:
  Is there any documentation on the exact functions of the flags that can
  be passed to WD via config? I haven't found any, and I'm not a good
  enough C programmer to tease them out of the source.

 man wd?

So a flag for, say, PIO, of 0x0100 would be ignored, since it says to set PIO
mode 4 but not to use it? And then would it revert to the equivalent of
0x?


yes.


Not trying to be difficult here, I'm just having some ... interesting ...
results passing flags to WD, and it would be nice to know exactly what's
going on.


well, why are you changing them?  my initial response was more along
the lines of crazy person, look out.



Re: OT: 32bit vs 64bit network card question

2007-05-14 Thread Henning Brauer
* bofh [EMAIL PROTECTED] [2007-05-14 21:54]:
 I have a question.  Some 64 bit cards (PCI-X?) seem to work in 32 bit
 slots (PCI 2.2?).  Is this a feature, or am I looking at possible
 issues down the road?  Specifically, I am trying to build a n old(er)
 box, and on a whim (and vague memories about this working), stuck an
 em card into it.  Box seems to boot, and network traffic seems to
 flow.  Not sure if I should spend some $$ to buy another network card.

yes, many 64bit PCI cards (from 64/33 to PCI-X 133) work just fine in 
plain old boring slow pci 32/33 slots. it's a feature. if the card 
shows up it'll work.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: ftp and pf (nat)

2007-05-14 Thread John Nietzsche

Yes, i was receiving file.

But look at ftp-proxy(8):

In case of active mode (PORT or EPRT):

  rdr from $server to $proxy port $port -> $client
  pass quick inet proto tcp \
  from $server to $client port $port

In case of passive mode (PASV or EPSV):

  nat from $client to $server port $port -> $proxy
  pass in quick inet proto tcp \
  from $client to $server port $port
  pass out quick inet proto tcp \
  from $proxy to $server port $port


So I understand ftp-proxy injects rules for both connection types.

What am i missing ?

On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
 On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
  Dear gentleman/madam,
 
  i have installed my openbsd firewall and i am trying to get ftp client
  behind working.
  It is working nicely. But, when I try to look up the nat rules
  inserted by ftp-proxy, I get nothing:
 
  [EMAIL PROTECTED] pfctl -sn -a '*'
  nat-anchor ftp-proxy/* all
  nat-anchor neif on pppoe0 all
  nat-anchor niif_0 on sis0 all
  rdr-anchor ftp-proxy/* all
  rdr-anchor reif on pppoe0 all
  rdr-anchor riif_0 on sis0 all
  [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
 
 
  I am very confused about why it does not show anything.
 
 I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
 and removes them as soon as they are no longer active.

 According to pf FAQ:

 With passive mode FTP (the default mode with OpenBSD's ftp(1)
 client), (...)

 ok! I am really having a bad time with this issue! Not to get it
 working but to understand it. If ftp-proxy does not insert rules, how
 is the outgoing traffic permitted across the firewall for a
 dynamic port chosen by the server?

Oops, poor word choice. 'Active FTP sessions' was not intended to mean
'sessions using active FTP' (as opposed to passive FTP), but 'FTP
sessions that are active' (i.e., connected).

ftp-proxy does insert rules in anchors, but only for sessions that are
connected at that time. In other words, were you actually sending FTP
data across your firewall when you looked in the table?

Joachim

--
TFMotD: systrace (4) - enforce and generate policies for system calls




Re: rdate issue

2007-05-14 Thread Adam Hawes
 I would really recommend against using rdate like this, it jumps the
 clock. ntpd skews the clock (makes it run slightly fast or slow until
 the time is correct), so you don't miss out on any seconds (which
 sometimes skips cron jobs, makes logging more confusing, and can
 cause a lot of trouble with some other applications).

the -a option fixes the skew problem.

-a  Use the adjtime(2) call to gradually skew the local time to the
remote time rather than just hopping.

I still recommend ntp if you need to continually update the clock.
It's always worked for me in the past.  Ntpd (AFAIK) continually
monitors the difference between your clock and the remote server to
try and adjust the skew for a more accurate local clock.  Rdate doesn't.

Cheers,
A



Re: ftp and pf (nat)

2007-05-14 Thread John Nietzsche

Ok! I am really having a bad time playing with ftp-proxy!
It is working, but the inserted rules are not shown, as in:

[EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
[EMAIL PROTECTED] pfctl -sr -a 'ftp-proxy/*'
[EMAIL PROTECTED] pfctl -sr -a '*'
scrub out on pppoe0 all max-mss 1452 fragment reassemble
block return log all
anchor * all {
pfctl: DIOCGETRULES: Invalid argument
}
anchor feif on pppoe0 all {
 pass in log from any to (pppoe0) flags S/SA keep state (if-bound)
 pass out log from (pppoe0) to any flags S/SA keep state (if-bound) !
tagged NAT
 pass out log proto tcp from (pppoe0) to any port = www flags S/SA keep state (
if-bound) tagged NAT
 pass out log proto tcp from (pppoe0) to any port = https flags S/SA
keep state (if-bound) tagged NAT
 pass out log proto tcp from (pppoe0) to any port = 5999 flags S/SA
keep state (if-bound) tagged NAT
}
anchor fiif_0 on sis0 all {
 pass in log from (sis0:network) to (sis0) flags S/SA keep state (if-bound)
 pass in log from (sis0:network) to (sis0:broadcast) flags S/SA keep
state (if-bound)
 pass out log from (sis0) to (sis0:network) flags S/SA keep state (if-bound)
 pass in log proto tcp from (sis0:network) to ! (sis0) port = www
flags S/SA keep state (if-bound)
 pass in log proto tcp from (sis0:network) to ! (sis0) port = https
flags S/SA keep state (if-bound)
 pass in log proto tcp from (sis0:network) to ! (sis0) port = 5999
flags S/SA keep state (if-bound)
 pass in log proto tcp from (sis0:network) to (lo0:0) port = 8021
flags S/SA keep state (if-bound) tagged RDR_0
}
block return in log on ! lo0 from (lo0:network) to any
block return in log on sis0 from (sis0:broadcast) to any
block return in log on ! sis0 from (sis0:network) to any
block return in log on ! sis0 from any to (sis0:broadcast)
block return in log on sis0 inet from any to 127.0.0.0/8 ! tagged RDR_0
block return in log on ! pppoe0 from (pppoe0) to any
block return in log on pppoe0 from any to net ! tagged RDR
block return in log inet from 255.255.255.255 to any
block return in log inet from any to 0.0.0.0/8

Does anybody have any idea why? (I tried during passive/active data transfer.)

I really thank you for your time and cooperation.

Very best regards.

On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
 On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
  Dear gentleman/madam,
 
  i have installed my openbsd firewall and i am trying to get ftp client
  behind working.
  It is working nicely. But, when I try to look up the nat rules
  inserted by ftp-proxy, I get nothing:
 
  [EMAIL PROTECTED] pfctl -sn -a '*'
  nat-anchor ftp-proxy/* all
  nat-anchor neif on pppoe0 all
  nat-anchor niif_0 on sis0 all
  rdr-anchor ftp-proxy/* all
  rdr-anchor reif on pppoe0 all
  rdr-anchor riif_0 on sis0 all
  [EMAIL PROTECTED] pfctl -sn -a 'ftp-proxy/*'
 
 
  I am very confused about why it does not show anything.
 
 I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
 and removes them as soon as they are no longer active.

 According to pf FAQ:

 With passive mode FTP (the default mode with OpenBSD's ftp(1)
 client), (...)

 ok! I am really having a bad time with this issue! Not to get it
 working but to understand it. If ftp-proxy does not insert rules, how
 is the outgoing traffic permitted across the firewall for a
 dynamic port chosen by the server?

Oops, poor word choice. 'Active FTP sessions' was not intended to mean
'sessions using active FTP' (as opposed to passive FTP), but 'FTP
sessions that are active' (i.e., connected).

ftp-proxy does insert rules in anchors, but only for sessions that are
connected at that time. In other words, were you actually sending FTP
data across your firewall when you looked in the table?

Joachim

--
TFMotD: systrace (4) - enforce and generate policies for system calls




Re: Troubleshooting NFS/SFU

2007-05-14 Thread David Higgs

On 5/14/07, Ben Calvert [EMAIL PROTECTED] wrote:


On May 13, 2007, at 8:44 PM, David Higgs wrote:

 I've tried to configure NFS and am nearly all the way there, but it
 seems like I've hit a pretty big stumbling block.  I've got OpenBSD
 4.1-stable (10.0.0.1) with an NFS export of my home directory.  I also
 have a Windows XP machine (10.0.0.2) and installed the SFU 3.5 NFS
 client.

Are most of your clients going to be windows machines?  if so, you
should think seriously about using samba.


This is my private network and I've used samba previously; I'm just
trying to learn how to configure NFS.  I'll go back to samba if I
can't figure this out.


( you should also read http://www.openbsd.org/mail.html and include
all even vaguely related config files and output of things like dmesg
and nfsstat )


I've googled quite a bit on this as well as searched MARC.  I don't
know any other files to include other than /etc/exports.

[EMAIL PROTECTED] dmesg
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 599 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 267993088 (261712K)
avail mem = 236847104 (231296K)
using 3302 buffers containing 13524992 bytes (13208K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 10/13/00, BIOS32 rev. 0 @
0xfd790, SMBIOS rev. 2.1 @ 0xefa30 (49 entries)
bios0: Dell Computer Corporation XPST600
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd790/0x870
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf20/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xb800 0xcb800/0x800 0xcc000/0x800
0xe/0x4000! 0xe4000/0xc000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA GeForce3 rev 0xa3
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 52049H3
wd0: 16-sector PIO, LBA, 19473MB, 39882528 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SONY, CD-RW CRX100E, 1.0n SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 0x02: SMI
iic0 at piixpm0
emu0 at pci0 dev 14 function 0 Creative Labs SoundBlaster Live rev 0x05: irq 3
ac97: codec id 0x54524123 (TriTech Microelectronics TR28602)
audio0 at emu0
Creative Labs PCI Gameport Joystick rev 0x05 at pci0 dev 14 function
1 not configured
skc0 at pci0 dev 16 function 0 3Com 3c940 rev 0x10, Yukon (0x1): irq 9
sk0 at skc0 port A, address 00:0a:5e:5c:50:41
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
xl0 at pci0 dev 17 function 0 3Com 3c905C 100Base-TX rev 0x74: irq
10, address 00:01:03:c3:66:4e
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fb65 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
ugen0 at uhub0 port 1
ugen0: APC Back-UPS ES 750 FW:819.z2.D USB FW:z2, rev 1.10/1.06, addr 2
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
uhub1 at uhub0 port 2
uhub1: ATEN International product 0x7000, rev 1.10/1.00, addr 3
uhub1: 4 ports with 4 removable, self powered
uhidev0 at uhub1 port 1 configuration 1 interface 0
uhidev0: Logitech USB Receiver, rev 1.10/21.00, addr 4, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub1 port 1 configuration 1 interface 1
uhidev1: Logitech 

OT: unix/openbsd printer support

2007-05-14 Thread John Nietzsche

Dear gentleman/madam,

some time ago, I reached an internet site with printing information for
unix deployments. There was information for hundreds of printers
from lots of manufacturers, including information on how well a
given printer was supported. Now I have lost that reference (I mean the
site url) and, to the best of my recollections, I can't recollect it.

I wonder if some here has already deployed such in openbsd environment
and knows the site i am talking about.

Thanks a lot for your time and cooperation.

best regards.



Re: OT: unix/openbsd printer support

2007-05-14 Thread Greg Thomas

On 5/14/07, John Nietzsche [EMAIL PROTECTED] wrote:

Dear gentleman/madam,

some time ago, I reached an internet site with printing information for
unix deployments. There was information for hundreds of printers
from lots of manufacturers, including information on how well a
given printer was supported. Now I have lost that reference (I mean the
site url) and, to the best of my recollections, I can't recollect it.



http://gimp-print.sourceforge.net/  ?

Greg



authpf wrong shell warning

2007-05-14 Thread Lawrence Horvath

I am trying to set up authpf. I created all the files, however I would
like to be able to log in and then start authpf instead of having a
separate user for authpf. Whenever I try to start authpf after logging
in with ssh I get the below error

May 14 22:03:31 freemon authpf: wrong shell for user lawrence.horvath, uid 1002

how do i get it to be the right shell?

--
-Lawrence