Re: termios, setting stopbits question

2007-10-05 Thread Alexey Vatchenko
On 2007-10-04, Christian Weisgerber [EMAIL PROTECTED] wrote:
 So you just set five data bits, no parity, CSTOPB, and you'll be
 fine.  Just why you would need this is beyond me, though.  The only
 application that comes to mind is interfacing with 50-year-old
 teletype equipment.

Thanks for the answer. Actually, it's just an option for my program. A
lot of non-unix programs provide this option for ``stop bits''.
Now, my program allows you to do the following (this functionality is not
released yet):
sudo netfwd tcp  cua /dev/cuaU0 115200,8,N,1,H

It accepts incoming TCP connections on port  and redirects all data
to the serial port (my phone in this example).
Then you can take one of the programs from
http://en.wikipedia.org/wiki/COM_port_redirector
and use your modems remotely :)

-- 
Alexey Vatchenko
http://www.bsdua.org
E-mail: [EMAIL PROTECTED]
JID: [EMAIL PROTECTED]



CARP devices do not see IP broadcasts

2007-10-05 Thread Heinrich Rebehn
Hi list,

In order to get familiar with CARP, I have set up a playground with 3
machines under vmware. I noticed that the CARP devices do not see any IP
broadcasts, so this would make CARP unusable for a DHCP server or
anything else that needs to respond to IP broadcasts.

Is this expected behavior or may this be just a vmware anomaly?
(Yes, I did chmod 666 /dev/vmnet*)

I did not see anything about this in the docs.

Attached is the ifconfig output of one CARP machine plus its dmesg.
-- 

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pcn0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:b9:64:69
media: Ethernet autoselect (autoselect)
inet6 fe80::20c:29ff:feb9:6469%pcn0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
vlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
lladdr 00:0c:29:b9:64:69
vlan: 10 priority: 0 parent interface: pcn0
groups: vlan
inet6 fe80::20c:29ff:feb9:6469%vlan0 prefixlen 64 scopeid 0x4
vlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
lladdr 00:0c:29:b9:64:69
vlan: 11 priority: 0 parent interface: pcn0
groups: vlan
inet6 fe80::20c:29ff:feb9:6469%vlan1 prefixlen 64 scopeid 0x5
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:0a
carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 1
groups: carp
inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0x6
inet 134.102.176.170 netmask 0xff00 broadcast 134.102.176.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:0b
carp: MASTER carpdev vlan1 vhid 11 advbase 1 advskew 1
groups: carp
inet6 fe80::200:5eff:fe00:10b%carp1 prefixlen 64 scopeid 0x7
inet 192.168.1.100 netmask 0xff00 broadcast 192.168.1.255
OpenBSD 4.2 (GENERIC) #1: Fri Sep 14 12:22:31 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (AuthenticAMD 686-class, 
1024KB L2 cache) 2.32 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
cpu0: AMD erratum 89 present, BIOS upgrade may be required
real mem  = 267939840 (255MB)
avail mem = 251437056 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/17/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS 
rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 04/17/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xdc000/0x4000! 0xe/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x01
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x08
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: VMware Virtual IDE Hard Drive
wd0: 64-sector PIO, LBA, 1024MB, 2097152 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: NECVMWar, VMware IDE CDR10, 1.00 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 0x08: SMBus disabled
vga1 at pci0 dev 15 function 0 VMware Virtual SVGA II rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
bha3 at pci0 dev 16 function 0 BusLogic MultiMaster rev 0x01: irq 11, 
BusLogic 9xxC SCSI
bha3: model BT-958, firmware 5.07B
bha3: sync, parity
scsibus1 at bha3: 8 targets
pcn0 at pci0 dev 17 function 0 AMD 79c970 PCnet-PCI rev 0x10, Am79c970A, rev 
0: irq 9, address 00:0c:29:b9:64:69
isa0 at piixpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61

Re: Cisco 3002 VPN client to OpenBSD?

2007-10-05 Thread Claer
On Wed, Oct 03 2007 at 32:20, Jeff Simmons wrote:
 Anyone have any experience with this?
 
 A company a client of mine wishes to work with insists this will work, but I 
 have my doubts. The documentation for the 3002 seems to indicate that it is 
 specifically for connections to a Cisco 3000 series VPN concentrator, and it 
 requires (?) group-password and user-password entries for connections to the 
 3000. Most of the rest of the configuration is pretty standard, if old (3des, 
 sha1).
It's just a no-go.

The Cisco client license explicitly forbids connecting to anything but
Cisco hardware.

Here is an extract from the Cisco Client license :

--8---8--8-

Grant of License

2. Cisco Systems hereby grants you the right to install and use the
Software on an unlimited number of computers, provided that each of
those computers must use the Software only to connect to Cisco Systems
products, and subject to export restrictions in Paragraph 4 hereof. You
may make one copy of the Software for each such computer for the purpose
of installing the Software on that computer. The Software is licensed
for use only with Cisco Systems products, and for no other use.

--8---8--8-


Claer



Re: firewall is very slow, something's wrong

2007-10-05 Thread Stuart Henderson
On 2007/10/04 17:48, Florin Andrei wrote:
 All firewall rules are written as stateless as possible - I don't need 
 stateful filtering, the setup is very simple (allow HTTP inbound, allow a 
 few ICMP types, and that's it).

You might want to re-think this, stateless rulesets are usually
slower. This is interesting:

http://www.undeadly.org/cgi?action=article&sid=20060927091645

   congestion116169  197.2/s

Try setting net.inet.ip.ifq.maxlen to 256 (sysctl/sysctl.conf),
if you still see the congestion count increasing then search for
net.inet.ip.ifq.maxlen in the list archives and have a read.



Multiple QEMU hosts networking

2007-10-05 Thread Michael
Hi,

I've tried setting up multiple qemu hosts on OpenBSD 4.1 but am having
problems setting up the networking. The first qemu instance works just
fine with -net nic -net tap but I was never able to get the network
working with a second or third qemu instance.

The server has a main IP and a small subnet and I would love to either
set it up in routing mode or bridge the qemu hosts directly to the main
interface.

I've tried (almost) everything I can imagine and searched the web but
couldn't find any helpful information. Maybe someone has a working
setup and could give me some hints?


Thanks in advance,

Michael



Re: Multiple QEMU hosts networking

2007-10-05 Thread Claudio Jeker
On Fri, Oct 05, 2007 at 10:54:17AM +0200, Michael wrote:
 Hi,
 
 I've tried setting up multiple qemu hosts on OpenBSD 4.1 but am having
 problems setting up the networking. The first qemu instance works just
 fine with -net nic -net tap but I was never able to get the network
 working with a second or third qemu instance.
 
 The server has a main IP and a small subnet and I would love to either
 set it up in routing mode or bridge the qemu hosts directly to the main
 interface.
 
 I've tried (almost) everything I can imagine and searched the web but
 couldn't find any helpful information. Maybe someone has a working
 setup and could give me some hints?
 

I use this silly script plus a small C program to open up the tun
devices and pass them to qemu (makes it possible for me to run qemu
without root privs).

The main trick is getmac() which generates hopefully unique mac
addresses per port.
-- 
:wq Claudio

#!/bin/sh
#
# stupid script to start multiple qemus on a single box

SUDO=/usr/bin/sudo
USER=cjeker

# qemu args
IMAGE=virt.hd
MEMORY=64
FLAGS="-snapshot -nographic"

# $id, $mac and $fd are escaped here so that eval expands them later,
# once per NIC
NICFLAGS="-net nic,vlan=\$id,macaddr=\$mac -net tap,vlan=\$id,fd=\$fd"

usage() {
	echo "usage: $0 [-n] [-i image] [-f floppy.fs] instance" 1>&2
	exit 2
}

# getmac instance port: set $mac to a (hopefully unique) address
getmac() {
	mac=00:bd:`printf %02x $(($RANDOM % 256))`:
	mac=$mac`printf %02x $(($RANDOM % 256))`:
	mac=$mac`printf %02x $(($1 % 256))`:`printf %02x $(($2 % 255 + 1))`
}

start() {
	for id in 0 1 2 3; do
		fd=$(($id + 3))
		tun=tun$(($1 * 10 + $id))
		getmac $1 $id

		eval nics=\"$nics $NICFLAGS\"
		# fdpass opens /dev/$tun and hands it to qemu as descriptor $fd
		fds="$fds fdpass -n $fd -f /dev/$tun"

		# make sure a tun interface is available
		ifconfig $tun > /dev/null 2>&1
		if [ $? -ne 0 ]; then
			${SUDO} ifconfig $tun link0
		fi
	done

	${SUDO} $fds -u ${USER} qemu -m ${MEMORY} ${FLAGS} $nics ${IMAGE}
}

args=`getopt f:i:n $*`
if [ $? -ne 0 ]; then
	usage
fi
set -- $args
while [ $# -gt 0 ]; do
	case $1 in
	-f)	shift
		FLAGS="-fda $1 -boot a -monitor stdio"
		;;
	-i)	shift
		IMAGE=$1
		;;
	-n)	FLAGS=-nographic
		echo DISABLING SNAPSHOT MODE
		;;
	--)	shift
		break
		;;
	esac
	shift
done

if [ $# -ne 1 ]; then
	usage
fi

start $1
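As an added example, and not part of Claudio's script above: getmac() draws two octets from $RANDOM, so two guests on the same box can still collide, and its 00:bd prefix sits in the globally administered OUI space. The functions below (my own code, assuming instance and port numbers in 0..255 and a 02:bd prefix chosen for this example) derive the address deterministically from (instance, port) with the locally-administered bit set, check that property on any address, and count collisions over a grid of instances and ports:

```shell
#!/bin/sh
# Added example, not from the script in the post above.
# Assumption: instance and port are decimal numbers in 0..255.

# mkmac instance port: print a MAC whose first octet 0x02 has the U/L bit
# set (locally administered) and the I/G bit clear (unicast); instance and
# port land in the last two octets, so the result is unique per (instance, port)
mkmac() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 255 ] && [ "$2" -le 255 ] || return 1
    printf '02:bd:00:00:%02x:%02x\n' "$1" "$2"
}

# is_local_unicast mac: true when the first octet has the U/L bit (0x02) set
# and the I/G bit (0x01) clear, i.e. what a made-up VM address should look like
is_local_unicast() {
    first=${1%%:*}
    n=$((0x$first))
    [ $((n & 1)) -eq 0 ] && [ $((n & 2)) -ne 0 ]
}

# count_collisions instances ports: number of duplicate addresses produced
# for instances 0..instances-1 and ports 0..ports-1 (0 means all unique)
count_collisions() {
    total=0
    list=''
    i=0
    while [ "$i" -lt "$1" ]; do
        p=0
        while [ "$p" -lt "$2" ]; do
            list="$list$(mkmac "$i" "$p")
"
            total=$((total + 1))
            p=$((p + 1))
        done
        i=$((i + 1))
    done
    uniq=$(printf '%s' "$list" | sort -u | wc -l | tr -d ' ')
    echo $((total - uniq))
}

# the addresses getmac() builds start with 00:bd, which is not locally administered
is_local_unicast 00:bd:12:34:00:01 || echo "00:bd:... is not a locally administered address"
mkmac 3 1
count_collisions 4 4
```

The instance/port encoding also makes a frame on the bridge attributable to a guest from its source address alone, which is handy when tracing which qemu is misbehaving.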



Re: ipsec with carp

2007-10-05 Thread Heinrich Rebehn

Patrick Hemmen wrote:

Ok.

Before using carp/sasyncd the IPSEC tunnel had worked.
The isakmpd daemon listens on all interfaces/ip addresses.

I am illustrating my setup

vpngw01: 10.10.10.101   
carp: 10.10.10.1 -- INTERNET -- remote gateway: 192.168.1.1
vpngw02: 10.10.10.102



Remove the IP addresses from the physical interfaces. The master will 
then use 10.10.10.1 as source address. Use the carpdev clause in 
ifconfig to specify the physical interface used for carp.


Note however that the machine will no longer respond to broadcast packets.

-- Heinrich


My machines are vpngw01 and 02.
The IPSEC tunnel is negotiated between the addresses
10.10.10.1 and 192.168.1.1. But my master (vpngw01) tries to establish
the IPSEC connection with the non-carp address 10.10.10.101. The other
side is in passive mode.

Thanks for the replies.
Patrick

Brian A. Seklecki schrieb:

Also:

1) Does the documentation in ipsec(4) / isakmpd.conf(5) /
sasyncd.conf(5) imply that all policies / security associations should
be between the CARP HA L3 address?

2) Is your isakmpd(8) binding to wildcard address?

3) Did this problem evolve with the implementation of sasyncd(8) or did
your IPSEC never work?

~BAS


On Mon, 2007-10-01 at 08:16 -0700, Dag Richards wrote:

Patrick Hemmen wrote:

Hello all,

I have two OpenBSD machines for a redundancy VPN-Gateway. They use
carp to share one IP-Address and sasyncd to synchronize SAs and SPDs.
I setup a ipsec-tunnel in /etc/ipsec.conf. The tunnel isn't
established and the error PAYLOAD_MALFORMED appears in the logs.
With tcpdump I can see that the initial packet (isakmp v1.0 exchange
ID_PROT) to establish the tunnel come from the host IP-Address and not
from the carp address.

Thanks in advance.
Patrick


Maybe it's the humidity.
Maybe it's  something in your ipsec.conf file.
Based on the info you have provided so far, both seem to be about as 
like as each other  ;)


ipsec.conf
ifconfig -A

maybe a quote from your dumps
and perhaps a bit of logging info 





--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341



Re: qemu speed

2007-10-05 Thread Gerald Thornberry
I've been informed that I was talking out of my hat, as I suspected.
KQEMU (QEMU accelerator) is a Linux kernel module and, therefore, not
an option for the OpenBSD.  I'll put my hat back on my head now.

On 10/4/07, Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:
 Gerald Thornberry wrote:
  I've never used QEMU so I may be talking out my hat.  Looking at the
  docs for it yesterday I remember seeing something about the QEMU
  accelerator.  Is that an option here?
 
  When used as a virtualizer, QEMU achieves near native performances by
  executing the guest code directly on the host CPU. A host driver
  called the QEMU accelerator (also known as KQEMU) is needed in this
  case. The virtualizer mode requires that both the host and guest
  machine use x86 compatible processors.
 
 

 i've found qemu-0.8.2p4 on 4.1-release (i386) to be horribly slow and
 some apps don't install correctly when emulating windows xp. it's ok for
 viewing ms office documents but doing anything processor or disk
 intensive takes an order of magnitude longer than usual.

 would be nice to know if the KQEMU driver is the bottleneck.

 cheers,
 jake

  http://fabrice.bellard.free.fr/qemu/about.html
 
 
  On 10/4/07, Frank Bax [EMAIL PROTECTED] wrote:
 
  Indeed, this is a FoxPro program.  I had tried changing the path; and
  tested it by starting program without using full path to EXE - although
  the program does startup this way; it still fails at the same point.
 
  I also tried QEMU; but was still researching options before bringing
  speed question here.  I've read that it can be a bit slow; but I'm
  wondering HOW slow?  I use the FoxPro program to convert a database from
  one format to another.  Native Win98 on P3-600 the process takes 1:20
  (min:sec).  On a 2GHz Core2Duo, QEMU takes 6:00 minutes.  Is this
  expected speed?  On QEMU/BSD forum, it was suggested I compile from
  source, so I used ports instead of package, but there was no change to
  speed of this process.  Files are currently inside a virtual disk.  Is
  that fastest for disk i/o?  Am I likely to speed it up if I have files
  on host and access them via samba?  Is there another way to access host
  files from Win98 guest?
 
  Frank
 
 
 
  Richard Toohey wrote:
 
  I do not know much about wine, but the issue interested me ... I've
  built from ports and
  I am having a look.
 
   From the manual page, re. the wine configuration file, it has this:
 
 format: path = directories separated by semi-colons
 default: C:\WINDOWS;C:\WINDOWS\SYSTEM
 Used to specify the path which will be used to  find  exe-
 cutables and .DLL's.
 
  Can you add C:\ and/or C:\\LIBS to that list and see if it helps?
 
  A FLL looks like a FoxPro dynamic link library, so it should count as a
  DLL.
 
  Back to RTFMing ...
 
  On 3/10/2007, at 8:27 AM, Joachim Schipper wrote:
 
 
  On Mon, Oct 01, 2007 at 05:56:46PM -0400, Frank Bax wrote:
 
  I installed wine-990225p0 from packages on 4.1 and can run simple
  programs
  like sol and notepad.  I have an old program I'm trying to run; but this
  program cannot find it's own files unless the current working
  directory is
  set to the directory where software was installed.  It seems more recent
  wine versions support 'bat' files which would solve this; but this
  doesn't
  seem to work in this version.
 
  When I try:
  wine c://program.exe
  the software complains that it cannot open LIBS\FOXTOOLS.FLL
 
  This file is found at C:\\LIBS\FOXTOOLS.FLL
 
  Is there a way to run something like this on wine 990225?:
  cd 
  program.exe
 
  If this is not workable on 990225; do current wine versions work on
  OpenBSD?
 
  I'm not sure if there is a way to 'cd' on OpenBSD's version of Wine. As
  to porting: more recent Wines do weird things with threads, if I
  understand the issue correctly. In short, don't expect an update soon.
 
  Qemu works fine, if you don't need to run a particularly demanding
  program.
 
  Joachim
 
  --
  TFMotD: inet6 (4) - Internet protocol version 6 family
 
 
 


 --



Re: pf

2007-10-05 Thread a.padilla
ext_if = rl0   # macro for external interface
int_if = dc0   # macro for internal interface

localnet = $int_if:network

nat on $ext_if from $localnet to any -> ($ext_if)
#block in
pass out keep state


pass out on $ext_if proto tcp all
pass inet proto tcp from {lo0, $localnet} to any keep state


I commented out block in for testing purposes. still, no success.   
If you know what's wrong, please don' t just answer.  I want to  
understand the solution.

ip forwarding is set to 1 and pf is enabled.

On Oct 4, 2007, at 11:50 AM, Roman Strogin wrote:

 On 10/4/07, a.padilla [EMAIL PROTECTED] wrote:
 Hi, I'm a student trying to learn pf on my own.  I'm trying to set up
 a nat.  I've read  documentation yet I still can't get the internal
 machine to communicate to the outside world.

 I've been following this documentation: http://www.openbsd.org/faq/ 
 pf/
 nat.html

 before I go any further, is this the correct place to ask this sort
 of question?

 1) Have you enabled IP forwarding or, in other words, have you
 uncommented following lines in your /etc/sysctl.conf:
 net.inet.ip.forwarding=1
 net.inet6.ip6.forwarding=1
 2) Show your pf.conf.

 Roman.

 Roman.
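The checklist in this thread (IP forwarding on, pf enabled, an address on both NICs) can be turned into a preflight script. The one below is an added example, not code from any poster; its functions take command output as text so they can be exercised on the constructed samples at the bottom, and on a live OpenBSD box you would feed them the output of sysctl net.inet.ip.forwarding, pfctl -si and ifconfig instead. The interface names rl0 and dc0 are the ones from the pf.conf above; the sample output is constructed, not captured:

```shell
#!/bin/sh
# Added example: NAT preflight checks for the pf.conf discussed above.
# Sample output below is constructed for the test, not from a real machine.

# forwarding_enabled "<sysctl output>": true when net.inet.ip.forwarding=1
forwarding_enabled() {
    printf '%s\n' "$1" | grep -q '^net\.inet\.ip\.forwarding=1$'
}

# pf_enabled "<pfctl -si output>": true when pf reports itself enabled
pf_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# inet_addr "<ifconfig output>" ifname: print the first IPv4 address of
# ifname, or nothing when the interface has none
inet_addr() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        /^[a-z]+[0-9]+:/ { cur = substr($1, 1, length($1) - 1) }
        cur == ifn && $1 == "inet" { print $2; exit }'
}

# nat_ready "<sysctl>" "<pfctl>" "<ifconfig>" ext_if int_if:
# prints "ok" when every prerequisite holds, otherwise the first one missing
nat_ready() {
    forwarding_enabled "$1" || { echo "net.inet.ip.forwarding is not 1"; return 1; }
    pf_enabled "$2" || { echo "pf is not enabled"; return 1; }
    [ -n "$(inet_addr "$3" "$4")" ] || { echo "$4 has no IPv4 address"; return 1; }
    [ -n "$(inet_addr "$3" "$5")" ] || { echo "$5 has no IPv4 address"; return 1; }
    echo "ok"
}

# constructed samples (dc1 deliberately has no address)
SYSCTL_OK='net.inet.ip.forwarding=1'
SYSCTL_OFF='net.inet.ip.forwarding=0'
PFCTL_OK='Status: Enabled for 0 days 01:02:03           Debug: Urgent'
IFCONFIG_SAMPLE='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:02
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
dc1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:03'

nat_ready "$SYSCTL_OK" "$PFCTL_OK" "$IFCONFIG_SAMPLE" rl0 dc0
```

Running it before touching the filter rules separates "the box cannot route at all" from "my pass rules are wrong", which is the distinction the replies in this thread keep coming back to.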



Re: qemu speed

2007-10-05 Thread Josh Tolley
On 10/5/07, Gerald Thornberry [EMAIL PROTECTED] wrote:
 I've been informed that I was talking out of my hat, as I suspected.
 KQEMU (QEMU accelerator) is a Linux kernel module and, therefore, not
 an option for the OpenBSD.  I'll put my hat back on my head now.

For whatever it's worth, I had to turn kqemu off when trying to run
OpenBSD inside qemu on my fedora box. A helpful #openbsd denizen whose
nick I've forgotten suggested that OpenBSD and most everything else
fails with kqemu.

-Josh



Enabling tidy in PHP?

2007-10-05 Thread Daniel Barowy

Hello,

  Does anyone have any pointers for getting the HTML Tidy extensions 
working in PHP on OpenBSD?  I am running a 4.0 system.


  According to PHP's website, I do not need to download the version of 
Tidy from PECL, because Tidy is supposed to be built-in in PHP 5 (I have 
the PHP 5.1.4 package).  Attempting to actually call those functions, 
though, results in a broken script (though, strangely, no error messages). 
After checking phpinfo(), I was able to see that the OpenBSD-supplied 
version is not compiled --with-tidy.


  So I modified the Makefile in ports to include --with-tidy, and ran 
'make'.  No errors.  But 'make install' fails.  It appears that libphp5.so 
is never built-- all I have are libphp5.a and libphp5.la.  Looking this 
stuff up on the web yields a lot of information about Linux and libtool, 
and frankly, I'm a little lost.  I'd gladly forego recompiling PHP and 
just use the version from PECL, but that, too, fails; it does not put 
tidy.so into /var/www/lib/php/modules.


  Anyone have any suggestions?  Apparently I don't know what I don't know.

Thanks,
Dan



Re: sign and timestamp

2007-10-05 Thread Douglas A. Tutty
On Thu, Oct 04, 2007 at 05:03:41PM +0200, Gábri Máté wrote:
 
 There'll be two main servers, a web server and a sql server. We have to
 insert a timestamp and a signature in the specified rows of tables.
 Periodically the sql server will make pdf documents from the data and we
 have to sign and timestamp these docs too. I also have to set up a
 firewall and a backup server, both of them will be OBSD.
 After what all of you wrote I guess one of the OBSD servers will act as
 the timestamping machine with the method of issuing a time file
 periodically, then signing and hashing it. I can set up a script for that, and
 another one for verification. That's the easiest way I guess.
 
 As for why I don't want to use a public time stamping service: it's much
 more flexible to do it on our own, and much faster, and there are
 other reasons. Of course the results don't have to be verified by total
 strangers, just those who work with the data from day to day.
 

I'm not clear on what you will gain over just having all the boxes
running ntp and having the SQL server inserting a time value on each row
of the table, and having each row be non-alterable (other than, of
course, by root), and having a time stamp put on the pdf document.  

Typical uses for real time stamps are for audit purposes.  The only
reason for an audit trail is to prove that records haven't been altered
either accidentally or intentionally/maliciously by someone within the
organization.  If this is for internal auditing only and your internal
audit department requires something more than just a time-entry in an
SQL file, then they should have sole control over the server that does
the time stamping.  Nobody outside of the audit department should have
any root privileges.  In which case, a dedicated dot-matrix printer that
prints the file name, hash, and time stamp of files as they are received for
stamping, would be prudent.  Put multi-part paper in the printer and
take a copy off-site (to the off-site auditors?) regularly.

In any event, your system (policy, protocols, etc) should be approved by
the people who will be needing to verify the veracity of the timestamps.

Doug.



Re: pf

2007-10-05 Thread Joe Gibbens
 I commented out block in for testing purposes. still, no success.
 If you know what's wrong, please don' t just answer.  I want to
 understand the solution.


Start with nat routing, and then move to filtering.
Keep your nat rule, get rid of the filter rules you have now, and put in a
default pass rule.

pass quick all.

Are you able to move traffic through the box now?  If yes, comment out the
default pass and start writing down what kinds of traffic you want to allow.






-- 
Joe



route-to performance problem

2007-10-05 Thread Chris Smith
Previously posted to [EMAIL PROTECTED] Received no replies so trying here.

Hello,

I'm using route-to to allow specific systems to use different external 
interfaces and seeing a performance issue.

The performance issue is that normal web access is horrifically slow, yet when 
doing a download test the results show the proper bandwidth.

I'm not using route-to to create a round-robin scenario which is what most of 
the examples I found involve, which makes me not totally convinced I have 
everything set up properly.

Basic scenario is 2 internal interfaces (2 separate subnets) and three 
external (gateway) interfaces (a T1 line - the default gateway, a 4Mb/s cable 
line, and an 8Mb/s cable line). My current testing is just using one system 
to route-to one of the non-default gateways.

Simplified ruleset:
==
nat on $ext_if inet tag WOW_8_NAT tagged WOW_8 -> $wow_8_ad1
nat on $ext_if inet from $s3_if:network to any -> $ext_ad

pass in on $s3_if inet from $s3_if:network to !$alt_if flags S/SA keep state
pass in on $s3_if inet from $orion7 to !$alt_if flags S/SA keep state tag WOW_8

pass out on $s3_if from any to $s3_if:network flags S/SA keep state

pass out on $ext_if all keep state flags S/SA
pass out on $ext_if route-to ( $wow_8_if $wow_8_gw ) all keep state flags S/SA tagged WOW_8_NAT
==

Basically I'm tagging the system(s) that will use the alternate wow_8_if with 
the WOW_8 tag.
Because they are tagged as such they get natted to the address of the 
wow_8_if, which is wow_8_ad1 (there are aliases but I'm not using them 
currently) and retagged WOW_8_NAT (although I'm not sure the nat statement is 
wholly correct).
The packets that match the WOW_8_NAT tag are then routed through the wow_8_if 
to wow_8_gw and do not take the default route via the ext_if (T1 line).

Seems to work correctly except for the performance issue noted - speed tests 
(voip performance tests) work fine but normal browsing is horrifically slow - 
pages that load via the default route in the blink of an eye take 30+ seconds 
to load when using route-to as I have (most likely improperly) done.

Any assistance is greatly appreciated.

Thank you.

-- 
Chris



Re: pf

2007-10-05 Thread a.padilla

I commented everything out except the nat rule and
pass out keep state

still nothing.
On Oct 5, 2007, at 11:04 AM, Joe Gibbens wrote:


I commented out block in for testing purposes. still, no success.
If you know what's wrong, please don' t just answer.  I want to
understand the solution.



Start with nat routing, and then move to filtering.
 Keep your nat rule, get rid of the filter rules you have now, and
put in a

default pass rule.

pass quick all.

Are you able to move traffic through the box now?  If yes, comment  
out the
default pass and start writing down what kinds of traffic you want  
to allow.







--
Joe




Perl/libc? segfault

2007-10-05 Thread Karel Kulhavy
While running spamassassin (the one in OpenBSD 4.0) my Perl (also OBSD 4.0)
happened to segfault when learning what is spam. There is no suspicion of bad
hardware, and this situation has already happened several times in the past,
occasionally.

There were 9153 spam messages in the folder. I'll try to see if I can isolate a
single one that triggers it. It's actually segfaulting in libc in some hash
manipulation routine but it's clear to me this can be a delayed memory
corruption bug caused by some Perl binding or Perl itself.

#0  0x00639d71 in memmove () from /usr/lib/libc.so.39.3
No symbol table info available.
#1  0x0062fcb4 in __delpair (hashp=0x7d5a5200, bufp=0x870d8040, ndx=1707) at 
/usr/src/lib/libc/db/hash/hash_page.c:140
i = 2127618048
src = 0x7ed0e000 
\232\b{?v?q?l?g?b?]?X?S\b{?v?q?l?g?b?]?X?S?N?I?D???:?5?0?+??!?\234?\227?\222?\215?\210?\203?~?y?t?o?j?e?`?[?V?Q?L?G?B?=?8?3?.?)?$?\037?\032?\025?\020?\v?\006?\001?|wrmhc^YTOJE@;61,'\235\230\223\216\211\204\177zupkfa\\WRMHC...
dst = 0xec1b Address 0xec1b out of bounds
bp = (u_int16_t *) 0x7d5a5200
newoff = 4107
pairlen = 18
n = 2202
#2  0x0062b812 in hash_access (hashp=0x7d5a5200, action=HASH_PUT, 
key=0xcf7e2190, val=0xcf7e2188) at /usr/src/lib/libc/db/hash/hash.c:670
rbufp = (BUFHEAD *) 0x870d8040
bufp = (BUFHEAD *) 0x267a2a96
save_bufp = (BUFHEAD *) 0x870d8040
bp = (u_int16_t *) 0xec1b
n = 2202
ndx = 1707
off = -1953344059
size = 5
kp = 0x8b9255c0 \020\237^5u
pageno = 4107
#3  0x0557f083 in XS_DB_File_STORE () from 
/usr/libdata/perl5/i386-openbsd/5.8.8/auto/DB_File/DB_File.so
No symbol table info available.
#4  0x067ddd08 in Perl_pp_entersub () at /usr/src/gnu/usr.bin/perl/pp_hot.c:2877
av = (AV * const) 0x267a81b0
items = 645610516
markix = 0
sp = (SV **) 0x859c428c
sv = (SV *) 0x876f43e4
gv = (GV *) 0x5
stash = (HV *) 0x0
cv = (CV *) 0x876f43e4
cx = (PERL_CONTEXT *) 0x267a81b0
gimme = 0
#5  0x068085b9 in Perl_runops_standard () at /usr/src/gnu/usr.bin/perl/run.c:37
No locals.
#6  0x067ef008 in S_call_body (myop=0xcf7e22f0, is_eval=27 '\033') at 
/usr/src/gnu/usr.bin/perl/perl.c:2733
No locals.
#7  0x067eef2e in Perl_call_sv (sv=0x85062030, flags=66) at 
/usr/src/gnu/usr.bin/perl/perl.c:2609
sp = (SV **) 0x859c428c
myop = {op_next = 0x0, op_sibling = 0x0, op_ppaddr = 0x67dda50 
Perl_pp_entersub, op_targ = 0, op_type = 0, op_seq = 0, op_flags = 66 'B', 
op_private = 0 '\0', 
  op_first = 0x0, op_other = 0x0}
method_op = {op_next = 0xcf7e22f0, op_sibling = 0x0, op_ppaddr = 
0x67de738 Perl_pp_method, op_targ = 0, op_type = 0, op_seq = 0, op_flags = 0 
'\0', 
  op_private = 0 '\0', op_first = 0x0}
oldmark = 0
retval = 0
oldscope = 23
oldcatch = 0 '\0'
oldop = (OP *) 0x7c774380
cur_env = {je_prev = 0x8b9255e0, je_buf = {-2063196112, -813817160, 
108820867, -2063196112, 0, 116, 0, 0, 0, 0, 645598328}, je_ret = -2063196112, 
  je_mustcatch = 120 'x'}
#8  0x067ee93c in Perl_call_method (methname=0x26796ab5 STORE, flags=2) at 
/usr/src/gnu/usr.bin/perl/perl.c:2542
No locals.
#9  0x067cc38c in S_magic_methcall (sv=0x876a4d98, mg=0x870d8420, 
meth=0x26796ab5 STORE, flags=2, n=3, val=0x7ed1100b) at 
/usr/src/gnu/usr.bin/perl/mg.c:1492
sp = (SV **) 0x859c428c
#10 0x067cc6e0 in Perl_magic_setpack (sv=0x876a4d98, mg=0x870d8420) at 
/usr/src/gnu/usr.bin/perl/mg.c:1529
next = (PERL_SI *) 0x3402
sp = (SV **) 0x267b3578
#11 0x067ca62d in Perl_mg_set (sv=0x876a4d98) at 
/usr/src/gnu/usr.bin/perl/mg.c:236
vtbl = (const MGVTBL *) 0x3402
mgs_ix = 792
mg = (MAGIC *) 0xec1b
nextmg = (MAGIC *) 0x0
#12 0x067d7535 in Perl_pp_sassign () at /usr/src/gnu/usr.bin/perl/pp_hot.c:125
sp = (SV **) 0x816e6004
right = (SV *) 0x876a4d98
left = (SV *) 0x8506212c
#13 0x068085b9 in Perl_runops_standard () at /usr/src/gnu/usr.bin/perl/run.c:37
No locals.
#14 0x067ee5df in S_run_body (oldscope=1) at 
/usr/src/gnu/usr.bin/perl/perl.c:2368
No locals.
#15 0x067ee533 in perl_run (my_perl=0x7dcc3030) at 
/usr/src/gnu/usr.bin/perl/perl.c:2285
oldscope = 1
ret = 1073738754
cur_env = {je_prev = 0x267b3740, je_buf = {108978918, 645598328, 
-813816740, -813816616, -813816484, -813816560, -813816568, 0, -2025615324, 
160, -813826009}, 
  je_ret = 3, je_mustcatch = 1 '\001'}
#16 0x1c0012a6 in main ()
No symbol table info available.

CL



Re: pf

2007-10-05 Thread a.padilla
the bsd box is definitely online. quick ping to google gives 0 packet  
loss.

On Oct 5, 2007, at 12:47 PM, James Mackinnon wrote:


with pf enabled and using a pass out keep state

from the BSD box, make sure it can hit the internet.  this will  
remove it as being an interface issue to start.


The NAT setup and the rules, based on the testing rules, should  
allow this to work at this point, if it is not, go back to square 1  
and test without PF from the bsd box to make sure it is connecting  
to the internet properly to begin.


Make sure the clients have gateways, make sure the bsd box has a  
gateway and all masks are correct.


Try doing traceroutes and working your way up

James
- Original Message - From: a.padilla [EMAIL PROTECTED]
To: Joe Gibbens [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Friday, October 05, 2007 1:10 PM
Subject: Re: pf



I commented everything out except the nat rule and
pass out keep state

still nothing.
On Oct 5, 2007, at 11:04 AM, Joe Gibbens wrote:


I commented out block in for testing purposes. still, no success.
If you know what's wrong, please don' t just answer.  I want to
understand the solution.



Start with nat routing, and then move to filtering.
 Keep your nat rule, get rid of the filter rules you have now,
and put in a

default pass rule.

pass quick all.

Are you able to move traffic through the box now?  If yes,  
comment  out the
default pass and start writing down what kinds of traffic you  
want  to allow.







--
Joe




Re: pf

2007-10-05 Thread a.padilla

both do have IP's.  dc0 has a private IP.

rl0 is connected to the internet.
On Oct 5, 2007, at 12:52 PM, ropers wrote:


On 05/10/2007, a.padilla [EMAIL PROTECTED] wrote:

I commented everything out except the nat rule and
pass out keep state

still nothing.


Sorry to be basic, but do your NICs have IP addresses?
What do their /etc/hostname.if(5) files say?
What does ifconfig(8) say?




Enabling Tidy in PHP

2007-10-05 Thread Daniel Barowy

Hello,

  Does anyone have any pointers for getting the HTML Tidy extensions
working in PHP on OpenBSD?  I am running a 4.0 system.

  According to PHP's website, I do not need to download the version of
Tidy from PECL, because Tidy is supposed to be built-in in PHP 5 (I have
the PHP 5.1.4 package).  Attempting to actually call those functions,
though, results in a broken script (though, strangely, no error messages).
After checking phpinfo(), I was able to see that the OpenBSD-supplied
version is not compiled --with-tidy.

  So I modified the Makefile in ports to include --with-tidy, and ran
'make'.  No errors.  But 'make install' fails.  It appears that libphp5.so
is never built-- all I have are libphp5.a and libphp5.la.  Looking this
stuff up on the web yields a lot of information about Linux and libtool,
and frankly, I'm a little lost.  I'd gladly forego recompiling PHP and
just use the version from PECL, but that, too, fails; it does not put
tidy.so into /var/www/lib/php/modules.

  Any suggestions?  Apparently I don't know what I don't know.

Thanks,
Dan



Thank you developers... 4.2 arrived in the mail today

2007-10-05 Thread Chad M Stewart
I'd like to say Thank you to all of the developers around the world  
who make OpenBSD what it is!   If I had the skills to write code I  
would help, for now my contributions will have to be in other ways.


My 4.2 CDs and t-shirt arrived in the mail today (near Buffalo, NY)  
and this has to be the earliest I've ever gotten mine.  I hope that  
is more of an indication of my getting my order in early, than the  
number of CD orders being that low.



Thank you again!
Chad



Re: pf

2007-10-05 Thread ropers
On 05/10/2007, a.padilla [EMAIL PROTECTED] wrote:
> I commented everything out except the nat rule and
> pass out keep state
>
> still nothing.

Sorry to be basic, but do your NICs have IP addresses?
What do their /etc/hostname.if(5) files say?
What does ifconfig(8) say?



Re: pf

2007-10-05 Thread James Mackinnon

with pf enabled and using a pass out keep state

from the BSD box, make sure it can hit the internet.  this will remove it as 
being an interface issue to start.


The NAT setup and the rules, based on the testing rules, should allow this 
to work at this point, if it is not, go back to square 1 and test without PF 
from the bsd box to make sure it is connecting to the internet properly to 
begin.


Make sure the clients have gateways, make sure the bsd box has a gateway and 
all masks are correct.


Try doing traceroute's and working your way up

James
- Original Message - 
From: a.padilla [EMAIL PROTECTED]

To: Joe Gibbens [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Friday, October 05, 2007 1:10 PM
Subject: Re: pf



I commented everything out except the nat rule and
pass out keep state

still nothing.
On Oct 5, 2007, at 11:04 AM, Joe Gibbens wrote:


I commented out block in for testing purposes. still, no success.
If you know what's wrong, please don't just answer.  I want to
understand the solution.



Start with nat routing, and then move to filtering.
Keep your nat rule, get rid of the filter rules you have now, and put in a
default pass rule.

pass quick all.

Are you able to move traffic through the box now?  If yes, comment out the
default pass and start writing down what kinds of traffic you want to allow.







--
Joe




Re: pf

2007-10-05 Thread Joe Gibbens
> rl0 is connected to the internet.
> On Oct 5, 2007, at 12:52 PM, ropers wrote:
>
> > On 05/10/2007, a.padilla [EMAIL PROTECTED] wrote:
> > I commented everything out except the nat rule and
> > pass out keep state
> >
> > still nothing.
> >

delete "pass out keep state".  This will not work alone.
insert "pass quick all" as a temporary test.  If you can move traffic from
your internal net through your firewall with this rule enabled, comment it
out and then start developing your ruleset.

unless I'm missing a piece of your pf.conf, you have no rule that is
allowing inbound traffic from your internal network to your internal
interface.  You must explicitly allow traffic into the firewall.  pass out
keep state would only allow a state to be created on traffic originating at
the firewall itself.


-- 
Joe
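Joe's point, written out as a minimal ruleset. This is an added illustration, not a ruleset anyone posted in the thread; it uses the rl0/dc0 interface names from a.padilla's setup and the pf.conf syntax of the OpenBSD 4.x releases this thread is about (nat rules ahead of filter rules, explicit keep state, last matching rule wins), and it assumes dc0 carries a host address inside 10.0.0.0/24. The rule that "pass out keep state" alone never supplies is the "pass in on $int_if" line: without it the LAN's packets are dropped on entry and never reach NAT at all.

```pf
ext_if = "rl0"               # external interface, carries the default route
int_if = "dc0"               # internal interface, the LAN behind it (assumed 10.0.0.0/24)
localnet = $int_if:network

set skip on lo0

# Translation: rewrite the source of LAN traffic as it leaves rl0.
nat on $ext_if from $localnet to any -> ($ext_if)

# Default deny; every pass below is an explicit exception.
block all

# LAN packets must be allowed *into* the firewall on dc0 before they can be
# translated and forwarded. The state created here also admits the replies.
pass in on $int_if from $localnet to any keep state

# Traffic the firewall itself originates, and the translated LAN traffic,
# leaving on rl0.
pass out on $ext_if keep state

# The firewall talking to the LAN (DHCP offers, DNS answers, pings to clients).
pass out on $int_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Once traffic flows, the "pass in on $int_if" rule is the one to narrow (by protocol and destination port) rather than the "pass out" rules.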



Re: pf

2007-10-05 Thread a.padilla
I commented out pass out keep state and added, after the nat rule,
pass quick all.  Still nothing.

I can't even ping from the server the private IP which the client has

I know the client is connected to the server, it shows up on
dhcpd.leases.  Do you think it's my dhcpd server that's wrong?


On Oct 5, 2007, at 1:59 PM, Joe Gibbens wrote:


> rl0 is connected to the internet.
> On Oct 5, 2007, at 12:52 PM, ropers wrote:
>
> > On 05/10/2007, a.padilla [EMAIL PROTECTED] wrote:
> > I commented everything out except the nat rule and
> > pass out keep state
> >
> > still nothing.
> >
> delete "pass out keep state".  This will not work alone.
> insert "pass quick all" as a temporary test.  If you can move
> traffic from your internal net through your firewall with this rule
> enabled, comment it out and then start developing your ruleset.
>
> unless I'm missing a piece of your pf.conf, you have no rule that
> is allowing inbound traffic from your internal network to your
> internal interface.  You must explicitly allow traffic into the
> firewall.  pass out keep state would only allow a state to be
> created on traffic originating at the firewall itself.
>
>
> --
> Joe



Re: pf

2007-10-05 Thread a.padilla

ifconfig:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:4d:ea:33:0a
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::218:4dff:feea:330a%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:bf:53:1e:fe
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::214:bfff:fe53:1efe%dc0 prefixlen 64 scopeid 0x2
        inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536

pfctl

TRANSLATION RULES:
nat on rl0 inet from 10.0.0.0/8 to any -> (rl0) round-robin

FILTER RULES:
pass quick all flags S/SA keep state
No queue in use

STATES:
all udp 239.255.255.250:1900 <- 192.168.0.1:1900       NO_TRAFFIC:SINGLE
all udp 192.168.0.111:1026 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
all udp 192.168.0.111:1027 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
all udp 192.168.0.111:1028 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE


INFO:
Status: Enabled for 0 days 00:25:29           Debug: Urgent

State Table                        Total             Rate
  current entries                      4
  searches                         19533           12.8/s
  inserts                            126            0.1/s
  removals                           122            0.1/s
Counters
  match                            13620            8.9/s
  bad-offset                           0            0.0/s
  fragment                             0            0.0/s
  short                                0            0.0/s
  normalize                            0            0.0/s
  memory                               0            0.0/s
  bad-timestamp                        0            0.0/s
  congestion                           0            0.0/s
  ip-option                            0            0.0/s
  proto-cksum                         15            0.0/s
  state-mismatch                       0            0.0/s
  state-insert                         0            0.0/s
  state-limit                          0            0.0/s
  src-limit                            0            0.0/s
  synproxy                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit        1
src-nodes     hard limit        1
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit       20

TABLES:

OS FINGERPRINTS:
696 fingerprints loaded

I feel exposed ;)

On Oct 5, 2007, at 2:30 PM, Chad M Stewart wrote:

Ok, so it is something more basic than filtering.  What is the  
output of the following


ifconfig -A

pfctl -s all

sysctl -a|grep forward


How are the obsd box and the client connected, from a networking  
perspective?  Wired?  Hub/Switch?  direct with cross over cable?



-Chad

On Oct 5, 2007, at 2:21 PM, a.padilla wrote:


I commented out pass out keep state and added, after the nat rule,
pass quick all.  Still nothing.

I can't even ping from the server the private IP which the client
has


I know the client is connected to the server, it shows up on
dhcpd.leases.  Do you think it's my dhcpd server that's wrong?




Re: Thank you developers... 4.2 arrived in the mail today

2007-10-05 Thread Karsten McMinn
On 10/5/07, Chad M Stewart [EMAIL PROTECTED] wrote:
> My 4.2 CDs and t-shirt arrived in the mail today (near Buffalo, NY)

drat, I was hoping for the first post. you forgot the pic.



Re: pf

2007-10-05 Thread John Jackson
>         inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0

John

Without looking at anything else, that line jumps out at me.  Are you
certain that you want your broadcast set to '255.255.255.0'?  Sounds
like a netmask to me.

On Fri, Oct 05, 2007 at 02:48:00PM -0400, a.padilla wrote:
> ifconfig:
>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff000000
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:18:4d:ea:33:0a
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::218:4dff:feea:330a%rl0 prefixlen 64 scopeid 0x1
>         inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:14:bf:53:1e:fe
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::214:bfff:fe53:1efe%dc0 prefixlen 64 scopeid 0x2
>         inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> enc0: flags=0<> mtu 1536
>
> pfctl
>
> TRANSLATION RULES:
> nat on rl0 inet from 10.0.0.0/8 to any -> (rl0) round-robin
>
> FILTER RULES:
> pass quick all flags S/SA keep state
> No queue in use
>
> STATES:
> all udp 239.255.255.250:1900 <- 192.168.0.1:1900       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1026 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1027 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1028 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
>
> INFO:
> Status: Enabled for 0 days 00:25:29           Debug: Urgent
>
> State Table                        Total             Rate
>   current entries                      4
>   searches                         19533           12.8/s
>   inserts                            126            0.1/s
>   removals                           122            0.1/s
> Counters
>   match                            13620            8.9/s
>   bad-offset                           0            0.0/s
>   fragment                             0            0.0/s
>   short                                0            0.0/s
>   normalize                            0            0.0/s
>   memory                               0            0.0/s
>   bad-timestamp                        0            0.0/s
>   congestion                           0            0.0/s
>   ip-option                            0            0.0/s
>   proto-cksum                         15            0.0/s
>   state-mismatch                       0            0.0/s
>   state-insert                         0            0.0/s
>   state-limit                          0            0.0/s
>   src-limit                            0            0.0/s
>   synproxy                             0            0.0/s
>
> TIMEOUTS:
> tcp.first                   120s
> tcp.opening                  30s
> tcp.established           86400s
> tcp.closing                 900s
> tcp.finwait                  45s
> tcp.closed                   90s
> tcp.tsdiff                   30s
> udp.first                    60s
> udp.single                   30s
> udp.multiple                 60s
> icmp.first                   20s
> icmp.error                   10s
> other.first                  60s
> other.single                 30s
> other.multiple               60s
> frag                         30s
> interval                     10s
> adaptive.start             6000 states
> adaptive.end              12000 states
> src.track                     0s
>
> LIMITS:
> states        hard limit        1
> src-nodes     hard limit        1
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit       20
>
> TABLES:
>
> OS FINGERPRINTS:
> 696 fingerprints loaded
>
> I feel exposed ;)
>
> On Oct 5, 2007, at 2:30 PM, Chad M Stewart wrote:
>
> Ok, so it is something more basic than filtering.  What is the
> output of the following
>
> ifconfig -A
>
> pfctl -s all
>
> sysctl -a|grep forward
>
>
> How are the obsd box and the client connected, from a networking
> perspective?  Wired?  Hub/Switch?  direct with cross over cable?
>
>
> -Chad
>
> On Oct 5, 2007, at 2:21 PM, a.padilla wrote:
>
> I commented out pass out keep state and added, after the nat rule,
> pass quick all.  Still nothing.
>
> I can't even ping from the server the private IP which the client
> has
>
> I know the client is connected to the server, it shows up on
> dhcpd.leases.  Do you think it's my dhcpd server that's wrong?
>
>



Re: Cisco 3002 VPN client to OpenBSD?

2007-10-05 Thread Jeff Simmons
On Friday 05 October 2007 01:17, Claer wrote:
> The Cisco client license forbids explicitly to connect to anything but
> Cisco Hardware.

If that's so, then legal forgot to tell marketing. ;-)

The Cisco VPN 3002 Hardware Client works with all operating systems ... 
http://newsroom.cisco.com/dlls/prod_040401.html

In addition, the VPN 3002 Hardware Client works with any operating system 
including Solaris, Mac and Linux.
http://www.tribecaexpress.com/cisco_VPN_clients.htm

And yes, knowing Cisco, I can come up with a bunch of fudge factors. IF you 
use our proprietary software. We meant any OS can USE one of our 
proprietary tunnels. Etc. 

I know that native OpenBSD tools (ipsecctl, isakmpd) work fine with the Cisco 
3005 concentrator, I'm running several. I've got a 3002 loaner coming, I'll 
post the results.

-- 
Jeff Simmons   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
You guys, I don't hear any noise.  Are you sure you're doing it right?
--  My Life With The Thrill Kill Kult



Re: route-to performance problem

2007-10-05 Thread andrew fresh
On Fri, Oct 05, 2007 at 11:40:07AM -0400, Chris Smith wrote:
<SNIP>
> The performance issue is that normal web access is horrifically slow, yet
> when doing a download test the results show the proper bandwidth.

It takes a while for the packets to figure out how to get through the
router, once they do, the states are set up and everything works as it
should.  I can see that.

<SNIP>
> Basic scenario is 2 internal interfaces (2 separate subnets) and three
> external (gateway) interfaces (a T1 line - the default gateway, a 4Mb/s cable
> line, and an 8Mb/s cable line). My current testing is just using one system
> to route-to one of the non-default gateways.

This means that each interface has a separate subnet with separate
gateways and all that?  

What is $ext_if and what is $wow_8_if?  You seem to use them kind of
randomly in your ruleset below.  I am guessing that $ext_if is the T1
(default gateway) and that $wow_8_if is one of the cable lines.

I think your problem is that if you route-to on your outbound interface
it happens after NAT.  NAT and route-to on egress is I think a bad
combination.  That it works at all is to me more surprising than that it
is slow.


> Simplified ruleset:
> ==
> nat on $ext_if inet tag WOW_8_NAT tagged WOW_8 -> $wow_8_ad1
> nat on $ext_if inet from $s3_if:network to any -> $ext_ad
>
> pass in on $s3_if inet from $s3_if:network to !$alt_if flags S/SA keep state
> pass in on $s3_if inet from $orion7 to !$alt_if flags S/SA keep state tag WOW_8
>
> pass out on $s3_if from any to $s3_if:network flags S/SA keep state
>
> pass out on $ext_if all keep state flags S/SA
> pass out on $ext_if route-to ( $wow_8_if $wow_8_gw ) all keep state flags S/SA \
>     tagged WOW_8_NAT
> ==


Perhaps try this (I didn't):
(and keep state is default now so that simplifies the rules)
==
nat on $ext_if   inet from $s3_if:network to any -> $ext_ad
nat on $wow_8_if inet from $s3_if:network to any -> $wow_8_ad1

pass in on $s3_if inet from $s3_if:network to !$alt_if
pass in on $s3_if route-to ( $wow_8_if $wow_8_gw ) \
inet from $orion7 to !$alt_if

pass out on $s3_if from any to $s3_if:network

pass out on $ext_if
pass out on $wow_8_if
==

You may also want some of the rules like are shown in the FAQ
http://www.openbsd.org/faq/pf/pools.html

  To ensure that packets with a source address belonging to $ext_if1 are
  always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
  following two lines should be included in the ruleset:

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
   to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
   to any 

I am NOT sure that I am correct, but this may give you something else to
try.

I also think tcpdump on the different external interfaces when you are
trying this would probably help a lot.

l8rZ,
-- 
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]

BOFH excuse of the day: Not enough interrupts



Re: Enabling Tidy in PHP

2007-10-05 Thread Marti Martinez
On 10/5/07, Daniel Barowy [EMAIL PROTECTED] wrote:
>
> Any suggestions?  Apparently I don't know what I don't know.
>

Well, this is a suggestion, not an answer, but I've saved myself a lot of
pain by building ports of PHP related stuff on relatively clean systems (by
relatively clean I mean NO packages installed that are later going to be
required when building the ports), building the packages, and then
installing the relevant packages on the target system with pkg_add, rather
than directly from the ports tree. I think in my case most problems stemmed
from conflicts between already installed packages and the ones that I was
trying to build, and the subsequent wrangling and mangling of the ports tree
that I tried to do to fix it. My rule for myself, at least until I have a
much deeper understanding of the ports tree, is to never install ANY
downloaded packages on the machine that I use to interact with the ports
tree.

If this isn't the solution to your problem, maybe we can help with some more
details about the failure of make install

> Thanks,
> Dan


Marti

-- 
Systems Programmer, Principal
Electrical  Computer Engineering
The University of Arizona
[EMAIL PROTECTED]



SOLVED: Enabling Tidy in PHP

2007-10-05 Thread Daniel Barowy

On Fri, 5 Oct 2007, Daniel Barowy wrote:

> Hello,
>
>  Does anyone have any pointers for getting the HTML Tidy extensions
> working in PHP on OpenBSD?  I am running a 4.0 system.



In case anyone is looking to fix this particular problem, this is how I 
fixed it:


http://secure.lv/~nikns/stuff/ports/tidy-051026.diff

Apparently there was no shared version of libtidy.  Found a note in CVS 
about this having been fixed in more recent releases with a pointer to a 
thread about the patch mentioned above.  Just needed to patch the tidy 
Makefile, make, make install, remove my current PHP installation, build 
using the modified php5-core makefile (added --with-tidy), and then 
reinstall the PHP modules I just removed.


Anyway, many thanks to the people who put the patch together.

Dan



Re: pf

2007-10-05 Thread ropers
On 05/10/2007, a.padilla [EMAIL PROTECTED] wrote:
> ifconfig:
>
> (...)
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:18:4d:ea:33:0a
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::218:4dff:feea:330a%rl0 prefixlen 64 scopeid 0x1
>         inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:14:bf:53:1e:fe
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::214:bfff:fe53:1efe%dc0 prefixlen 64 scopeid 0x2
>         inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0

I need to do a double-take on the above: Why do both of your NICs have
private IPs? Is your ISP doing NAT as well and do they only give you
private IPs or what's the story?



Re: Thank you developers... 4.2 arrived in the mail today

2007-10-05 Thread Chad M Stewart

On Oct 5, 2007, at 2:53 PM, Karsten McMinn wrote:


On 10/5/07, Chad M Stewart [EMAIL PROTECTED] wrote:

My 4.2 CDs and t-shirt arrived in the mail today (near Buffalo, NY)


drat, I was hoping for the first post. you forgot the pic.


Okay, well fresh from an install on my Sun X2100M2 my daughter wanted  
to check it out


http://balius.com/openbsd.4.2.jpg

The t-shirt is great but in the wash since I was doing in the middle  
of doing it.


-Chad



Re: ipsec with carp

2007-10-05 Thread Patrick Hemmen
Heinrich Rebehn wrote:
> Patrick Hemmen wrote:
> Ok.
>
> Before using carp/sasyncd the IPSEC tunnel had worked.
> The isakmpd daemon listens on all interfaces/ip addresses.
>
> I am illustrating my set up
>
> vpngw01: 10.10.10.101
> carp: 10.10.10.1 -- INTERNET -- remote gateway: 192.168.1.1
> vpngw02: 10.10.10.102
>
>
> Remove the IP addresses from the physical interfaces. The master will
> then use 10.10.10.1 as source address. Use the carpdev clause in
> ifconfig to specify the physical interface used for carp.
>
> Note however that the machine will no longer respond to broadcast packets.
>
> -- Heinrich
>

I fixed this problem by adding local 10.10.10.1 before peer
192.168.1.1 to the /etc/ipsec.conf file. I have to read the manual more
thoroughly ;).
I think the tunnel isn't available because of wrong lifetimes settings.
The remote gateway returns a NO PROPOSAL CHOSEN and all other settings
are correct. Now, I'm waiting for the lifetimes settings information of
the remote site.

Best regards.
Patrick




Re: Cisco 3002 VPN client to OpenBSD?

2007-10-05 Thread Brian A. Seklecki
On Fri, 2007-10-05 at 12:14 -0700, Jeff Simmons wrote:
> On Friday 05 October 2007 01:17, Claer wrote:
> > The Cisco client license forbids explicitly to connect to anything but
> > Cisco Hardware.
>
> If that's so, then legal forgot to tell marketing. ;-)
>
> The Cisco VPN 3002 Hardware Client works with all operating systems ...
> http://newsroom.cisco.com/dlls/prod_040401.html

The heyday of Cisco making billions on the Cisco PIX 5xx is long
over(*).   The advent of SSL VPNs and other Windoze-specific crap.

Something tells me they're not going to ante up for a fight to make
their products more-interoperable.  ipsec-tools and vpnc as examples.

~BAS

* Back then you could recall the Cisco product line from memory.



Re: pf

2007-10-05 Thread Joe Gibbens
Can you also send your routing table on both the firewall and the client on
your internal network?

netstat -r -f inet
specifically, is the client's default route 10.0.0.0?

If you can, it would be best to experiment with statically defined IPs at
first.

On 10/5/07, a.padilla [EMAIL PROTECTED] wrote:

> ifconfig:
>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff000000
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:18:4d:ea:33:0a
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::218:4dff:feea:330a%rl0 prefixlen 64 scopeid 0x1
>         inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:14:bf:53:1e:fe
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::214:bfff:fe53:1efe%dc0 prefixlen 64 scopeid 0x2
>         inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> enc0: flags=0<> mtu 1536
>
> pfctl
>
> TRANSLATION RULES:
> nat on rl0 inet from 10.0.0.0/8 to any -> (rl0) round-robin
>
> FILTER RULES:
> pass quick all flags S/SA keep state
> No queue in use
>
> STATES:
> all udp 239.255.255.250:1900 <- 192.168.0.1:1900       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1026 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1027 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1028 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
>
> INFO:
> Status: Enabled for 0 days 00:25:29           Debug: Urgent
>
> State Table                        Total             Rate
>   current entries                      4
>   searches                         19533           12.8/s
>   inserts                            126            0.1/s
>   removals                           122            0.1/s
> Counters
>   match                            13620            8.9/s
>   bad-offset                           0            0.0/s
>   fragment                             0            0.0/s
>   short                                0            0.0/s
>   normalize                            0            0.0/s
>   memory                               0            0.0/s
>   bad-timestamp                        0            0.0/s
>   congestion                           0            0.0/s
>   ip-option                            0            0.0/s
>   proto-cksum                         15            0.0/s
>   state-mismatch                       0            0.0/s
>   state-insert                         0            0.0/s
>   state-limit                          0            0.0/s
>   src-limit                            0            0.0/s
>   synproxy                             0            0.0/s
>
> TIMEOUTS:
> tcp.first                   120s
> tcp.opening                  30s
> tcp.established           86400s
> tcp.closing                 900s
> tcp.finwait                  45s
> tcp.closed                   90s
> tcp.tsdiff                   30s
> udp.first                    60s
> udp.single                   30s
> udp.multiple                 60s
> icmp.first                   20s
> icmp.error                   10s
> other.first                  60s
> other.single                 30s
> other.multiple               60s
> frag                         30s
> interval                     10s
> adaptive.start             6000 states
> adaptive.end              12000 states
> src.track                     0s
>
> LIMITS:
> states        hard limit        1
> src-nodes     hard limit        1
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit       20
>
> TABLES:
>
> OS FINGERPRINTS:
> 696 fingerprints loaded
>
> I feel exposed ;)
>
> On Oct 5, 2007, at 2:30 PM, Chad M Stewart wrote:
>
> > Ok, so it is something more basic than filtering.  What is the
> > output of the following
> >
> > ifconfig -A
> >
> > pfctl -s all
> >
> > sysctl -a|grep forward
> >
> >
> > How are the obsd box and the client connected, from a networking
> > perspective?  Wired?  Hub/Switch?  direct with cross over cable?
> >
> >
> > -Chad
> >
> > On Oct 5, 2007, at 2:21 PM, a.padilla wrote:
> >
> > I commented out pass out keep state and added, after the nat rule,
> > pass quick all.  Still nothing.
> >
> > I can't even ping from the server the private IP which the client
> > has
> >
> > I know the client is connected to the server, it shows up on
> > dhcpd.leases.  Do you think it's my dhcpd server that's wrong?




-- 
Joe



Re: pf

2007-10-05 Thread Stuart Henderson
On 2007/10/05 14:48, a.padilla wrote:
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0

10.0.0.0 is not valid with a 255.0.0.0 netmask, it's reserved as the
network address and shouldn't be used by a host. You could use 10.0.0.1.

255.255.255.0 is not a sensible broadcast address for the configured
network. For 10.xxx with a 255.0.0.0 netmask, the normal broadcast
address is 10.255.255.255. For 10.0.0.x with a 255.255.255.0 netmask,
the normal broadcast address is 10.0.0.255.

Try it with just 'inet 10.0.0.1 255.255.255.0' in hostname.dc0,
adjust dhcpd.conf as necessary, and reboot. (you could do this on
a running box, but this way you'll know it will come back up
correctly next reboot).

Note that the format of hostname.if(5) is different to that of the
ifconfig(8) command line.
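Stuart's two checks (is the host address really the network address of its own netmask, and does the broadcast address match that netmask) can be run mechanically over ifconfig output. The script below is an added example, not code from this thread or from OpenBSD: it parses the inet lines ifconfig(8) prints, accepts the hex netmask form OpenBSD uses as well as dotted form, and lists the problems per interface. The sample output is constructed from a.padilla's posting, with the netmasks written out as 0xffffff00 for rl0 and 0xff000000 for dc0 (the latter being how the replies read it); the 0xff00 the archive shows is not a valid netmask.

```python
"""Check the IPv4 address/netmask/broadcast triples that ifconfig(8) prints.

Added example for this thread, not code from the list or from OpenBSD.
"""
import ipaddress
import re

# ifconfig's "inet A netmask M [broadcast B]" line; M is printed in hex
# (0xffffff00) on OpenBSD, but dotted form (255.255.255.0) is accepted too.
INET_RE = re.compile(
    r"\binet\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+netmask\s+(?P<mask>0x[0-9a-fA-F]{8}|\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+broadcast\s+(?P<bcast>\d{1,3}(?:\.\d{1,3}){3}))?"
)

# Start of an interface stanza, e.g. "dc0: flags=8843<UP,...> mtu 1500".
IFACE_RE = re.compile(r"^([a-z]+\d+):\s+flags=")


def parse_netmask(token):
    """Turn a hex (0xff000000) or dotted (255.0.0.0) netmask into an IPv4Address."""
    if token.lower().startswith("0x"):
        return ipaddress.IPv4Address(int(token, 16))
    return ipaddress.IPv4Address(token)


def check_inet(addr, mask, bcast=None):
    """Return the list of problems with one address/netmask/broadcast triple.

    The checks are the two raised in the thread: the address must not be the
    network (or broadcast) address of its own netmask, and the broadcast
    address, when one is configured, must be the one the netmask implies.
    """
    host = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network((addr, str(parse_netmask(mask))), strict=False)
    problems = []
    if net.prefixlen < 31:  # /31 and /32 have no network or broadcast address
        if host == net.network_address:
            problems.append(f"{addr} is the network address of {net}, not a host address")
        if host == net.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {net}, not a host address")
    if bcast is not None and ipaddress.IPv4Address(bcast) != net.broadcast_address:
        problems.append(f"broadcast {bcast} should be {net.broadcast_address} for {net}")
    return problems


def audit_ifconfig(text):
    """Map each interface in ifconfig output to the problems on its inet lines."""
    findings = {}
    iface = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            iface = head.group(1)
            findings.setdefault(iface, [])
            continue
        m = INET_RE.search(line)
        if m and iface is not None:
            findings[iface].extend(check_inet(m["addr"], m["mask"], m["bcast"]))
    return findings


# Constructed sample modelled on the ifconfig output posted in the thread,
# with the netmasks written out in full (dc0's is 255.0.0.0 as the replies
# read it). Only the inet lines matter to the audit.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0
"""

if __name__ == "__main__":
    for name, problems in audit_ifconfig(SAMPLE_IFCONFIG).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Run against the sample, rl0 and lo0 come back clean and dc0 gets both findings Stuart describes. Feeding it the real thing is `ifconfig -A | python3 audit.py` with the main block changed to read stdin; the hostname.if(5) syntax Stuart gives (`inet 10.0.0.1 255.255.255.0`) is the form that passes cleanly.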



Re: Thank you developers... 4.2 arrived in the mail today

2007-10-05 Thread Daniel Melameth
On 10/5/07, Chad M Stewart [EMAIL PROTECTED] wrote:
> Okay, well fresh from an install on my Sun X2100M2 my daughter wanted
> to check it out
>
> http://balius.com/openbsd.4.2.jpg

Why does the packaging of an ultra secure UNIX-like operating system
seem so apropos next to a child ;) ?  If the cover of one of her
children's books was in the same shot, it would be hard to tell which
was which ;) .



Re: Thank you developers... 4.2 arrived in the mail today

2007-10-05 Thread Bob Beck
> Okay, well fresh from an install on my Sun X2100M2 my daughter wanted
> to check it out
>
> http://balius.com/openbsd.4.2.jpg

Ok, that's a cool picture. Thanks daniel :) 

-Bob



Re: pf

2007-10-05 Thread Calomel
padilla,

Perhaps if you take a step back and look at an example of pf everything
might make more sense. It might help if you had a working pf.conf to learn
from and a basic explanation of what each part of pf does.

   OpenBSD Pf Firewall how to ( pf.conf )
   http://calomel.org/pf_config.html

This example might be more than you really wanted for your machine, but it
should point you in the right direction for a secure nat'ed firewall. When
you become more fluent in pf, I have included a few of the more useful
options in the same example. If you have any questions I would be happy to
help.

--
 Calomel @ http://calomel.org


On Fri, Oct 05, 2007 at 08:25:26AM -0400, a.padilla wrote:
ext_if = "rl0"  #macro for external interface
int_if = "dc0"  #macro for internal interface

localnet = $int_if:network

nat on $ext_if from $localnet to any -> ($ext_if)
#block in
pass out keep state


pass out on $ext_if proto tcp all
pass inet proto tcp from {lo0, $localnet} to any keep state


I commented out block in for testing purposes. still, no success.
If you know what's wrong, please don't just answer.  I want to
understand the solution.

ip forwarding is set to 1 and pf is enabled.

On Oct 4, 2007, at 11:50 AM, Roman Strogin wrote:

> On 10/4/07, a.padilla [EMAIL PROTECTED] wrote:
> Hi, I'm a student trying to learn pf on my own.  I'm trying to set up
> a nat.  I've read  documentation yet I still can't get the internal
> machine to communicate to the outside world.
>
> I've been following this documentation: http://www.openbsd.org/faq/pf/nat.html
>
> before I go any further, is this the correct place to ask this sort
> of question?
>
> 1) Have you enabled IP forwarding or, in other words, have you
> uncommented following lines in your /etc/sysctl.conf:
> net.inet.ip.forwarding=1
> net.inet6.ip6.forwarding=1
> 2) Show your pf.conf.
>
> Roman.



Re: Thank you developers... 4.2 arrived in the mail today

2007-10-05 Thread Sean Darby
On Fri, Oct 05, 2007 at 03:20:27PM -0600, Bob Beck wrote:
> > Okay, well fresh from an install on my Sun X2100M2 my daughter wanted
> > to check it out
> >
> > http://balius.com/openbsd.4.2.jpg
>
>   Ok, that's a cool picture. Thanks daniel :)
>
>   -Bob

I second that, definitely a cool picture! :)



Re: route-to performance problem

2007-10-05 Thread Chris Smith
On Friday 05 October 2007, andrew fresh wrote:
> It takes a while for the packets to figure out how to get through the
> router, once they do, the states are set up and everything works as it
> should.  I can see that.

Seems that way.

> > Basic scenario is 2 internal interfaces (2 separate subnets) and three
> > external (gateway) interfaces (a T1 line - the default gateway, a 4Mb/s
> > cable line, and an 8Mb/s cable line). My current testing is just using
> > one system to route-to one of the non-default gateways.
>
> This means that each interface has a separate subnet with separate
> gateways and all that?

Yes.

> What is $ext_if and what is $wow_8_if?  You seem to use them kind of
> randomly in your ruleset below.  I am guessing that $ext_if is the T1
> (default gateway) and that $wow_8_if is one of the cable lines.

Yes.

> I think your problem is that if you route-to on your outbound interface
> it happens after NAT.  NAT and route-to on egress is I think a bad
> combination.  That it works at all is to me more surprising than that it
> is slow.
>
> Perhaps try this (I didn't):
> (and keep state is default now so that simplifies the rules)
> ==
> nat on $ext_if   inet from $s3_if:network to any -> $ext_ad
> nat on $wow_8_if inet from $s3_if:network to any -> $wow_8_ad1
>
> pass in on $s3_if inet from $s3_if:network to !$alt_if
> pass in on $s3_if route-to ( $wow_8_if $wow_8_gw ) \
>     inet from $orion7 to !$alt_if
>
> pass out on $s3_if from any to $s3_if:network
>
> pass out on $ext_if
> pass out on $wow_8_if
> ==

OK, I'm still tagging, but it does seem that doing the route-to on ingress is
a working scenario.

> You may also want some of the rules like are shown in the FAQ
> http://www.openbsd.org/faq/pf/pools.html
>
>   To ensure that packets with a source address belonging to $ext_if1 are
>   always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
>   following two lines should be included in the ruleset:
>
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
>     to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
>     to any
>
> I am NOT sure that I am correct, but this may give you something else to
> try.

I'm having trouble grokking that example, and also thinking that whatever it's 
doing may not be necessary for a non-pool setup. Any confirmation?

 I also think tcpdump on the different external interfaces when you are
 trying this would probably help a lot.

That was what I was using to see which interface the packets were traversing.

Thanks.

-- 
Chris



Re: wine question - BAT2EXE?

2007-10-05 Thread Frank Bax
Does anyone know of a BAT2EXE program that produces an EXE which works under
wine?  First hit on google for "bat2exe wine" indicates there is one that
works on Linux (written in delphi), but the link is broken.


I've tried several.  Some actually create COM (not EXE) files which wine 
won't run.  Others create EXE files that crash in various ways under wine.


Frank



Frank Bax wrote:
I installed wine-990225p0 from packages on 4.1 and can run simple
programs like sol and notepad.  I have an old program I'm trying to run;
but this program cannot find its own files unless the current working
directory is set to the directory where software was installed.  It
seems more recent wine versions support 'bat' files which would solve
this; but this doesn't seem to work in this version.


When I try:
wine c://program.exe
the software complains that it cannot open LIBS\FOXTOOLS.FLL

This file is found at C:\\LIBS\FOXTOOLS.FLL

Is there a way to run something like this on wine 990225?:
cd 
program.exe

If this is not workable on 990225; do current wine versions work on 
OpenBSD?


Frank




Re: Thank you developers... 4.2 arrived in the mail today

2007-10-05 Thread Darren Spruell
On 10/5/07, Chad M Stewart [EMAIL PROTECTED] wrote:
 On Oct 5, 2007, at 2:53 PM, Karsten McMinn wrote:

  On 10/5/07, Chad M Stewart [EMAIL PROTECTED] wrote:
  My 4.2 CDs and t-shirt arrived in the mail today (near Buffalo, NY)
 
  drat, I was hoping for first the first post. you forgot the pic.

 Okay, well fresh from an install on my Sun X2100M2 my daughter wanted
 to check it out

 http://balius.com/openbsd.4.2.jpg

Looks like she's getting ready to moisturize Puffy. Take care of the
fish and it'll take care of you.  ;)

DS



Re: route-to performance problem

2007-10-05 Thread andrew fresh
On Fri, Oct 05, 2007 at 06:49:31PM -0400, Chris Smith wrote:
 On Friday 05 October 2007, andrew fresh wrote:
 OK, I'm still tagging, but it does seem that doing the route-to on ingress is 
 a working scenario.

Oh good.  I am glad that worked.


  You may also want some of the rules like are shown in the FAQ
  http://www.openbsd.org/faq/pf/pools.html
 
To ensure that packets with a source address belonging to $ext_if1 are
always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
following two lines should be included in the ruleset:
 
  pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
 to any
  pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
 to any
 
  I am NOT sure that I am correct, but this may give you something else to
  try.
 
 I'm having trouble grokking that example, and also thinking that whatever it's 
 doing may not be necessary for a non-pool setup. Any confirmation?

What this does is make sure that any packets coming from the IP of one
of the interfaces (that are the NAT IPs) go out the correct interface.

So you would add this in addition to the other rules.  It probably won't
do anything, but it might.

# a packet carrying one uplink's address leaves via that uplink's gateway
pass out on $ext_if   route-to ($wow_8_if $wow_8_gw) from $wow_8_if
pass out on $wow_8_if route-to ($ext_if   $ext_gw)   from $ext_if

Adding the third interface gets slightly more confusing.  I got it
working in testing and I am going to install one (that does round-robin,
but that isn't important) on Tuesday.

Then I am going to have to work on an ifstated setup for failover and I
am not looking forward to that :-)


  I also think tcpdump on the different external interfaces when you are
  trying this would probably help a lot.
 
 That was what I was using to see what interface the packets were traversing.

Did you see any packets coming out the wrong interface?  For example,
packets with the $ext_if IP coming out of $wow_8_if?  That is what I
would have expected from your ruleset (mebbe).

l8rZ,
-- 
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]

BOFH excuse of the day: your process is not ISO 9000 compliant
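The two halves of this thread (Chris's nat/route-to ruleset quoted at the top and andrew's symmetric-return rules here) put together as one complete pf.conf. This is an added example, not a ruleset posted by either of them; interface names, addresses and gateways are placeholders (RFC 5737 documentation ranges), and the syntax is the OpenBSD 4.2-era nat/pass grammar the thread is using.

```pf
# Constructed example: every name and address below is a placeholder,
# not the poster's real configuration.
s3_if     = "em0"                # internal LAN
ext_if    = "em1"                # uplink that holds the default route
wow_8_if  = "em2"                # second uplink
ext_gw    = "192.0.2.1"          # next hop on ext_if
wow_8_gw  = "198.51.100.1"       # next hop on wow_8_if
ext_ad    = "192.0.2.10"         # address nat puts on packets leaving ext_if
wow_8_ad1 = "198.51.100.10"      # address nat puts on packets leaving wow_8_if
orion7    = "10.0.3.7"           # LAN host to be steered out the second uplink

set skip on lo

# One nat rule per uplink.  Translation happens on the interface the packet
# actually leaves on, so whichever way route-to sends it, it gets the matching
# source address.
nat on $ext_if   inet from $s3_if:network to any -> $ext_ad
nat on $wow_8_if inet from $s3_if:network to any -> $wow_8_ad1

block log all

# Policy routing on ingress.  The LAN as a whole follows the kernel routing
# table (default route via ext_if); $orion7 is forced to the second uplink.
# pf is last-match, so the more specific rule comes second.  route-to binds
# to the state created here; reply packets come back in through whichever
# uplink they were sent from and are matched by that state.
pass in on $s3_if inet from $s3_if:network to any
pass in on $s3_if route-to ($wow_8_if $wow_8_gw) inet from $orion7 to any

# Traffic back into the LAN.
pass out on $s3_if inet from any to $s3_if:network

# Let translated traffic leave either uplink (pass rules keep state by default
# on this release).
pass out on $ext_if
pass out on $wow_8_if

# Symmetric-return rules (the pattern from the pf FAQ's pools page).  A packet
# that carries one uplink's address must go out through that uplink's gateway
# even when the routing table would push it down the other one; otherwise a
# reply to a connection that arrived on wow_8_if would leave via the default
# route on ext_if with a 198.51.100.x source.  These match the addresses nat
# assigns; if nat used the interfaces' own addresses, "from $wow_8_if" as
# written in the FAQ would be equivalent.
pass out on $ext_if   route-to ($wow_8_if $wow_8_gw) from $wow_8_ad1 to any
pass out on $wow_8_if route-to ($ext_if   $ext_gw)   from $ext_ad    to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and, as suggested in the thread, confirm the result with `tcpdump -ni em2` while generating traffic from the steered host: a packet leaving em2 with a 192.0.2.x source, or leaving em1 with a 198.51.100.x source, means one of the two return rules is not matching.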



Re: Cisco 3002 VPN client to OpenBSD?

2007-10-05 Thread Rod Dorman
On Friday, October 5, 2007, 15:14:41, Jeff Simmons wrote:
 On Friday 05 October 2007 01:17, Claer wrote:
 The Cisco client license explicitly forbids connecting to anything but
 Cisco Hardware.

 If that's so, then legal forgot to tell marketing. ;-)

 The Cisco VPN 3002 Hardware Client works with all operating systems ... 
 http://newsroom.cisco.com/dlls/prod_040401.html

 In addition, the VPN 3002 Hardware Client works with any operating system
 including Solaris, Mac and Linux.
 http://www.tribecaexpress.com/cisco_VPN_clients.htm

Hummm... the way I read that is you can use any 'client' you want to
connect to their 'Hardware', but, their 'client' may only be used to
connect to their 'Hardware'.


-- 
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote. - Ambassador Kosh



Web configure Firewall

2007-10-05 Thread Cyrus
I'm looking for a ready to install  roll package for configuring and
administering an OpenBSD firewall from the web.  something along the lines of
pfSense, but with OpenBSD base.
Thanks,

-- 
Adam



Re: Web configure Firewall

2007-10-05 Thread Piotrek Kapczuk
2007/10/6, Cyrus [EMAIL PROTECTED]:
 I'm looking for a ready to install  roll package for configuring and
 administering an OpenBSD firewall from the web.  something along the lines of
 pfSense, but with OpenBSD base.
 Thanks,


http://www.undeadly.org/cgi?action=article&sid=20071003090749



Re: wine question - BAT2EXE?

2007-10-05 Thread ropers
Sorry if this is nosy and sounds stupid, but I'm intrigued:
Why would you need your .bat to become a .exe file?
Hiding your code is obviously not a valid reason, or you wouldn't be
asking this on the OpenBSD mailing list.

On 05/10/2007, Frank Bax [EMAIL PROTECTED] wrote:
 Does anyone know of a BAT2EXE program that produces an EXE which works under
 wine?  First hit on google bat2exe wine indicates there is one that
 works on Linux (written in delphi), but the link is broken.

 I've tried several.  Some actually create COM (not EXE) files which wine
 won't run.  Others create EXE files that crash in various ways under wine.

 Frank



 Frank Bax wrote:
  I installed wine-990225p0 from packages on 4.1 and can run simple
  programs like sol and notepad.  I have an old program I'm trying to run;
  but this program cannot find its own files unless the current working
  directory is set to the directory where software was installed.  It
  seems more recent wine versions support 'bat' files which would solve
  this; but this doesn't seem to work in this version.
 
  When I try:
  wine c://program.exe
  the software complains that it cannot open LIBS\FOXTOOLS.FLL
 
  This file is found at C:\\LIBS\FOXTOOLS.FLL
 
  Is there a way to run something like this on wine 990225?:
  cd 
  program.exe
 
  If this is not workable on 990225; do current wine versions work on
  OpenBSD?
 
  Frank




-- 
www.ropersonline.com



Re: pf

2007-10-05 Thread Nenhum_de_Nos
On 10/5/07, Calomel [EMAIL PROTECTED] wrote:
 padilla,

 Perhaps if you take a step back and look at an example of pf everything
 might make more sense. It might help if you had a working pf.conf to learn
 from and a basic explanation of what each part of pf does.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

 This example might be more than you really wanted for your machine, but it
 should point you in the right direction for a secure nat'ed firewall. When
 you become more fluent in pf, I have included a few of the more useful
 options in the same example. If you have any questions I would be happy to
 help.

 --
  Calomel @ http://calomel.org

hi,

i read the referred link and this as well

http://calomel.org/pf_hfsc.html

but if you let me, I do have a question. when you say:
pass out on $ExtIf inet proto tcp from ($ExtIf) to any flags S/SA
modulate state queue (bulk, ack)
pass out on $ExtIf inet proto tcp from ($ExtIf) to any port ssh flags
S/SA modulate state queue (ssh_bulk, ssh_login)

The first rule is passing out bulk traffic on the external interface
and prioritizing ack packets. The second rule is passing out data on
port 22(ssh) and prioritizing the interactive ssh traffic. This
traffic is originating on our internal network or on the firewall
itself.

you say the two queues are bound to that rule in that line ? I never
got 100% this bindings from queues and rules. how will pf know that in
the first rule, it will treat ack packets different from bulk ones ?
that's my main doubt ...

is the order (bulk,ack) that does it ? or anything with the flags
(S/SA) ? I really never got the mechanics of this ...

if anyone could explain,

thanks,

matheus
-- 
We will call you cygnus,
The God of balance you shall be



Re: pf

2007-10-05 Thread Calomel
matheus,

It is the order. The first queue is for bulk packets and the second is for
ack packets.

Daniel Hartmeier has a detailed page with examples that may make this
clearer. 

Prioritizing empty TCP ACKs with pf and ALTQ
http://www.benzedrine.cx/ackpri.html 

--
 Calomel @ http://calomel.org

On Sat, Oct 06, 2007 at 12:36:42AM -0300, Nenhum_de_Nos wrote:
On 10/5/07, Calomel [EMAIL PROTECTED] wrote:
 padilla,

 Perhaps if you take a step back and look at an example of pf everything
 might make more sense. It might help if you had a working pf.conf to learn
 from and a basic explanation of what each part of pf does.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

 This example might be more than you really wanted for your machine, but it
 should point you in the right direction for a secure nat'ed firewall. When
 you become more fluent in pf, I have included a few of the more useful
 options in the same example. If you have any questions I would be happy to
 help.

 --
  Calomel @ http://calomel.org

hi,

i read the referred link and this as well

http://calomel.org/pf_hfsc.html

but if you let me, I do have a question. when you say:
pass out on $ExtIf inet proto tcp from ($ExtIf) to any flags S/SA
modulate state queue (bulk, ack)
pass out on $ExtIf inet proto tcp from ($ExtIf) to any port ssh flags
S/SA modulate state queue (ssh_bulk, ssh_login)

The first rule is passing out bulk traffic on the external interface
and prioritizing ack packets. The second rule is passing out data on
port 22(ssh) and prioritizing the interactive ssh traffic. This
traffic is originating on our internal network or on the firewall
itself.

you say the two queues are bound to that rule in that line ? I never
got 100% this bindings from queues and rules. how will pf know that in
the first rule, it will treat ack packets different from bulk ones ?
that's my main doubt ...

is the order (bulk,ack) that does it ? or anything with the flags
(S/SA) ? I really never got the mechanics of this ...

if anyone could explain,

thanks,

matheus
-- 
We will call you cygnus,
The God of balance you shall be
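The mechanism Calomel describes (queue order, not the flags, decides which packets go where), shown as a complete ALTQ/HFSC fragment. This is an added example and not code from calomel.org or from either poster; the interface name, bandwidth figure and queue split are placeholders. The rule it illustrates is the one documented in pf.conf(5): when a pass rule names two queues, packets with a TOS of lowdelay and TCP ACKs carrying no payload go to the second queue, everything else to the first.

```pf
# Constructed example: interface and bandwidth are placeholders.
ExtIf = "em0"

# HFSC root set a little below the real upstream rate, so the queueing
# decision is made here rather than in the modem's buffer.  Child bandwidth
# shares add up to 100%; the realtime guarantees are what keep the small
# queues moving when the link is saturated by bulk.
altq on $ExtIf bandwidth 950Kb hfsc queue { ack, ssh_login, ssh_bulk, bulk }
  queue ack        bandwidth 30% hfsc (realtime 20%)
  queue ssh_login  bandwidth 10% hfsc (realtime 10%)
  queue ssh_bulk   bandwidth 20% hfsc
  queue bulk       bandwidth 40% hfsc (default)

block log all

# Inbound ssh to the firewall itself; queueing only applies on the way out.
pass in on $ExtIf inet proto tcp from any to ($ExtIf) port ssh \
  flags S/SA modulate state

# Two queues named: data segments go to the FIRST (bulk), empty ACKs and
# TOS-lowdelay packets go to the SECOND (ack).  "flags S/SA" only decides
# which packets may create state; it plays no part in the queue choice.
pass out on $ExtIf inet proto tcp from ($ExtIf) to any \
  flags S/SA modulate state queue (bulk, ack)

# Same split for ssh.  ssh of this era marks interactive sessions lowdelay,
# so keystrokes and bare ACKs land in ssh_login while scp/sftp-style
# transfers, which are plain data segments, stay in ssh_bulk.
pass out on $ExtIf inet proto tcp from ($ExtIf) to any port ssh \
  flags S/SA modulate state queue (ssh_bulk, ssh_login)
```

After loading, `pfctl -vsq` shows per-queue packet counters; a download from a LAN host should grow the `bulk` counter while the `ack` counter climbs in step with it, which is the visible confirmation that the second-queue rule is taking effect. The last-match order of the two pass out rules matters too: the port ssh rule sits after the general one so it wins for ssh traffic.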