Re: pf issues with a web-server
Hi!
If i understood correctly all your stuff behind pf firewall is in the
192.168.0.0/24 subnet and when trying to access your webserver from one
of the workstations it doesnt work. My guess is that you are using
public nameserver which resolves webserver's name to the ip address
which is your firewall's public address and thats because packets aint
getting from internal clients to the destination. Here could be two
solutions
1. use separate name resolution for internal clients, so that when
resolving your webservers name, they get 192.168.0.4. Then traffic
doenst even go thru firewall between clients and webserver, they can
communicate directly.
2. rewrite packets in firewall. Essentially you need to rewrite src ja
dst addresses of the packets that come from local clients into the
firewall so that firewall routes them to the 192.168.0.4 and replies get
routed back. It could be done with the similar rules
rdr on $int_if proto tcp from 192.168.0.0/24 to web.server.public.ip
port 80 -> 192.168.0.4
no nat on $int_if proto tcp from firewall.internat.ip to 192.168.0.0/24
nat on $int_if proto tcp from 192.168.0.0/24 to 192.168.0.4 port 443 ->
firewall.internal.ip
rdr says to write dst address, and nat says to rewrite src address. no
nat says not to touch packets that originate from firewall itself.
This should be done along the lines of
http://www.openbsd.org/faq/pf/rdr.html#rdrnat
3. make your workstations use some http proxy from public internet
In term of traffic generation and speed the last options is worst but
requires least effort, second is better and first is the best.
I hope i didnt mix something inadverntanly up!
Best regards
Imre
PS First of all you could just try to access your webserver with its ip
address instead of domainname, or put temporarily into one of your unix
laptop's /etc/hosts line like that and test
192.168.0.4 webservers.domainname
Bales, Tracy wrote:
I have the following network configuration:
InternetFirewallNetwork SwitchWeb-Server
Windows XP Desktop #1
Windows XP Desktop #2
Windows XP Desktop #3
Wireless AP.Windows XP Laptop #1
Windows XP Laptop #2
Ubuntu Laptop
Windows XP Work Laptop
My firewall is a Sun Netra X1 running OpenBSD 4.2 Stable, and has pf
with NAT and RDR rules and I have dhcpd running on the internal network
on the 192.168.0.0/24 subnet.
My web-server is a Sun Netra T1 running OpenBSD 4.2 Release. My
firewall assigns a fixed IP address via DHCP to the web-server which is
192.168.0.4.
My wireless access point is a DLink 800+. My firewall assigns a fixed
IP address via DHCP to the access point which is 192.168.0.2.
Here's my dilemma. All of my desktops and laptops can access the
internet including accessing a VPN server for my work laptop. BUT I
CANNOT access my internal web-server at 192.168.0.4!!!
I've looked on the internet for pf rules but they only offer solutions
that can access either the internet or the web-server only but not both.
I've looked at the OpenBSD pf FAQ and tried the inetd(8) with nc(1)
suggestion but...it blocks web access to the internet.
Does anyone have a suggestion on how I can get my desktops and
laptops to get access to the internet AND my web-server?
Here's my pf.conf setup that allows all of my desktops and laptops to
get to the internet but not my web-server...
# macros
ext_if="dc0"
int_if="dc1"
web_server="192.168.0.4"
# scrub
scrub in
# nat
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
# redirection
rdr on $ext_if proto tcp from any to any port 80 -> $web_server
# filter rules
block in
pass out keep state
antispoof for { lo $int_if }
## take care of lo traffic
pass quick on lo all
## block inet6 traffic
block in quick inet6
## block broadcast noise
block in quick on $ext_if from any to 255.255.255.255
## take care of VPN
pass in quick proto gre all
pass out quick proto gre all
## pass out all UDP connections and keep state
pass out on $ext_if proto udp from ($ext_if) to any keep state
## pass out all ICMP connections and keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state
## pass SSH traffic to firewall
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
flags S/SA keep state
## pass web traffic to web_server
pass in on $ext_if inet proto tcp from any to $web_server port 80 flags
S/SA synproxy state
## pass everything else
pass in quick on $int_if
Re: pf issues with a web-server
You need a triad of rdr-pass in-pass out. tag/tagged is better way to do it, because rdr does its thing on the packets "to" before the pass in and out rules are evaluated. tag/tagged means you don't need to "adjust" the in/out rules. # --- rdr on $ext_if inet proto tcp \ from any to any ($ext_if:0) port 80 \ tag "OKWEB" -> $web_server # ## pass web traffic to web_server pass in log quick on $ext_if inet proto tcp \ tagged OKWEB \ flags S/SA synproxy state # ## pass out log quick on $int_if inet proto tcp \ tagged OKWEB \ keep state # --- -Original Message- From: Bales, Tracy <[EMAIL PROTECTED]> To: misc@openbsd.org Subject: pf issues with a web-server Date: Mon, 4 Feb 2008 00:31:33 -0600 rdr on $ext_if proto tcp from any to any port 80 -> $web_server
Re: pf issues with a web-server
Your pass rule for the web server is screwed up, so it won't match.
The rule after it matches and should permit it to pass.
On Feb 3, 2008, at 10:31 PM, Bales, Tracy wrote:
# macros
ext_if="dc0"
int_if="dc1"
web_server="192.168.0.4"
# scrub
scrub in
# nat
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
# redirection
rdr on $ext_if proto tcp from any to any port 80 -> $web_server
This is slightly wrong, although it may not throw an error.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_server
port 80
# filter rules
block in
pass out keep state
antispoof for { lo $int_if }
## take care of lo traffic
pass quick on lo all
## block inet6 traffic
block in quick inet6
## block broadcast noise
block in quick on $ext_if from any to 255.255.255.255
## take care of VPN
pass in quick proto gre all
pass out quick proto gre all
## pass out all UDP connections and keep state
pass out on $ext_if proto udp from ($ext_if) to any keep state
## pass out all ICMP connections and keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state
## pass SSH traffic to firewall
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
flags S/SA keep state
## pass web traffic to web_server
pass in on $ext_if inet proto tcp from any to $web_server port 80
flags
S/SA synproxy state
First, that would be to the external IP address of your firewall. This
may work better for you:
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80
synproxy state
## pass everything else
pass in quick on $int_if
This should let it work as well, pf does a "last match" lookup. So,
"pass in quick" is pointless here, and it also means your previous
rule won't match, ever.
Minor changes, overall. let me know if these work.
Re: async and softdep
yeah, I read the man page of my system and the phrase: "The options async and softdep are mutually exclusive." does not appear. I always try to find the awnser in man pages, but from now it's a good tip to look the man page in the web. Thanks for all. >On Sun, Feb 03, 2008 at 07:37:58PM +0001, Jason McIntyre wrote: >> On Sun, Feb 03, 2008 at 08:06:28PM +0100, ZeXeL Zexelut wrote: >> > I am working with OpenBSD 4.1 on a macppc >> > and I have partitions with asyn and others >> > with softdep. For some dirs like ftp homes >> > I don't care if a power failure affects the files >> > but trying to mount a partition with softdep >> > and async I get errors. There is a known >> > incompatibility with each other? >> > >> >> what does the man page say? >> jmc >a note from another developer made me think a little more...it is >clearly documented, but only since revision 1.63 (about 3 months ago). >so a general note for people reading man pages - if you're not using >-current, it may be worth checking the online man pages to see if >anything has been changed since the revision you're looking at. the date >at the bottom of your man page will tell you the date of the last >change, without having to resort to cvs. >jmc - Registra tu dominio en http://dominios.ya.com/. Con cada registro te regalamos 20 cuentas de correo de 100MB cada una. Ya.com ADSL 24h + Llamadas Nacionales y Locales 24h + Llamadas a MSVILES. Desde 9,95 /mes+IVA. http://acceso.ya.com/ADSLllamadas/3mbvoz/
Authenticate squid in Active Directory
Hi all,
i'm have very little experienced on squid.
I would like to authenticate user and password of users in an Active
Directory based network (windows Server 2003) in order to assign
specific ACL to each of them. I do not nead to read group membership...
I founded on the internet this tutorial:
https://tiifp.org/quentin/squid.html
and i'm trying it on a 4.2 machine.
Kerberos configuration went smooth, without any problem. Them I
downloaded this patch:
https://www.tiifp.org/quentin/samba_winbind.patch
as stated in the howto for systems newer than 4.0 -current. I patched
samba makefile, but when I run make I got this error:
# env FLAVOR=winbind make install
"Makefile", line 107: Need an operator
Fatal errors encountered -- cannot continue
The lines generating this error are:
.if ${FLAVOR:L:Mwinbind}
post-extract:
@cp ${FILESDIR}/krb5-config ${WRKDIR}/bin
@chmod a+x ${WRKDIR}/bin/krb5-config
%%winbind%%
.endif
specifically the %%winbind%%.
I pasted right below the complete patched makefile.
Am I following the right procedure? Is there any other alternative? I
found out many tutorial about this but they are all for linux...
Thanks to all.
Ciao, Luca.
# $OpenBSD: Makefile,v 1.85 2007/07/02 21:56:57 mbalmer Exp $
COMMENT-main= "SMB and CIFS client and server for UNIX"
COMMENT-docs= "documentation and examples for samba"
DISTNAME= samba-3.0.25b
PKGNAME-main= ${DISTNAME}
FULLPKGNAME-docs= ${DISTNAME:S/-/-docs-/}
SHARED_LIBS=smbclient 1.0 \
msrpc 1.0
CATEGORIES= net
HOMEPAGE= http://www.samba.org/
MAINTAINER= Marc Balmer <[EMAIL PROTECTED]>
# GPL
PERMIT_PACKAGE_CDROM= Yes
PERMIT_PACKAGE_FTP= Yes
PERMIT_DISTFILES_CDROM= Yes
PERMIT_DISTFILES_FTP= Yes
WANTLIB=c ncurses readline
MASTER_SITES= http://download.samba.org/samba/ftp/ \
http://us2.samba.org/samba/ftp/ \
http://us2.samba.org/samba/ftp/old-versions/
MODULES=converters/libiconv
LIB_DEPENDS=popt::devel/popt
MAKE_FLAGS= PASSWD_PROGRAM="/usr/bin/passwd" \
LIBsmbclient_VERSION=${LIBsmbclient_VERSION} \
LIBmsrpc_VERSION=${LIBmsrpc_VERSION}
FAKE_FLAGS= DESTDIR="${DESTDIR}" \
LIBsmbclient_VERSION=${LIBsmbclient_VERSION} \
LIBmsrpc_VERSION=${LIBmsrpc_VERSION}
CONFDIR=${SYSCONFDIR}/samba
SAMBA_LOGDIR= /var/log
SUBST_VARS= CONFDIR LOCALBASE SYSCONFDIR
SEPARATE_BUILD= concurrent
CONFIGURE_STYLE= gnu
CONFIGURE_ARGS= --localstatedir="/var" \
--sbindir="${PREFIX}/libexec" \
--with-configdir="${CONFDIR}" \
--with-libdir="${PREFIX}/lib/samba" \
--with-lockdir="/var/spool/samba" \
--with-piddir="/var/run" \
--with-logfilebase="${SAMBA_LOGDIR}" \
--with-privatedir="${CONFDIR}" \
--with-libsmbclient \
--with-swatdir="${PREFIX}/share/swat" \
--with-ssl \
--with-sslinc="/usr/include/ssl" \
--with-ssllib="/usr/lib" \
--with-syslog \
--with-utmp
CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="-L${LOCALBASE}/lib -Wl,--export-dynamic"
FLAVORS=cups ldap winbind
FLAVOR?=
MULTI_PACKAGES= -main -docs
.if ${FLAVOR:L:Mcups}
CONFIGURE_ARGS+= --enable-cups
LIB_DEPENDS+= cups::print/cups
WANTLIB+= ssl crypto m pthread z
.else
CONFIGURE_ARGS+= --disable-cups
.endif
.if ${FLAVOR:L:Mldap}
CONFIGURE_ARGS+= --with-ldap --without-ads
LIB_DEPENDS+= ldap,lber::databases/openldap
BUILD_DEPENDS+= ::misc/libutf8
.else
CONFIGURE_ARGS+= --without-ldap --without-ads .endif
PKG_ARCH-docs= *
LIB_DEPENDS-docs=
WANTLIB-docs=
RUN_DEPENDS-docs=
NO_REGRESS= Yes
WRKDIST=${WRKDIR}/${DISTNAME}/source
SAMBA_DOCS=${WRKSRC}/../README \
${WRKSRC}/../docs/THANKS \
${WRKSRC}/../docs/history \
${WRKSRC}/../docs/registry/*.reg
SAMPLE_CONFIG= ${PREFIX}/share/examples/samba/smb.conf.default
.if ${FLAVOR:L:Mwinbind}
post-extract:
@cp ${FILESDIR}/krb5-config ${WRKDIR}/bin
@chmod a+x ${WRKDIR}/bin/krb5-config
%%winbind%%
.endif
pre-configure:
@perl -pi -e 's,!!SYSCONFDIR!!,${SYSCONFDIR},g;' \
-e 's,!!LOCALBASE!!,${LOCALBASE},g' \
${WRKSRC}/../docs/manpages/swat.8
post-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/samba/pdf
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/samba/htmldocs
${INSTALL_DATA_DIR} ${PREFIX}/share/examples/samba
@cp -R ${WRKSRC}/../examples/* ${PREFIX}/share/examples/samba
@chown -R ${SHAREOWN}:${SHAREGRP} ${PREFIX}/share/examples/samba
${INSTALL_DATA} ${FILESDIR}/README.OpenBSD
${PREFIX}/share/doc/samba
@for i in ${SAMBA_DOCS}; do \
${INSTALL_DATA} $$i ${PREFIX}/share/doc/samba ;
Re: : booting openbsd on eee without cd-rom
hmm, on Thu, Jan 31, 2008 at 04:40:58PM +0100, frantisek holop said that > hmm, on Thu, Jan 31, 2008 at 02:26:17PM +0100, Raimo Niskanen said that > > Since you probably will need the install sets as well, I have > > posted a compressed filesystem image of size 199864838 bytes at > > http://www.erlang.org/~raimo/OpenBSD/snapshots/i386/hd.fs.gz > > It contains the same as install42.iso snapshot Jan 29. > > will try asap, thanks a lot. it works, thanks very much! now i can experiment some more. -f -- i'm feeling rather blonde today.
auto responder broken
Hi Misc, I'm very sorry about my autoresponder for my society email address :( I didn't realise the problem of my mailing lists when I set it. It's a function of our mail server and I have no control on the difference between a "classic mail" and a mail from a ML...stupid tool. My apologies for the pollution. -- jean-marc Harang, France
pf scrub max-mss question
Hi Using OpenBSD as a firewall and NAT box, OpenBSD 4.2: I have this rule: 'scrub in all max-mss 1400' When when two peers on opposite sides of this firewall attempt to connect, a TCP SYN packet passes in from peer-1 though one interface, with it's MSS field set to 1360, through a bi-nat rule and the above scrub rule, and exits another interface, and onwards to peer-2, it's MSS field value having been raised to 1400. (This effect observed using tcpdump on both interfaces at the same time). This causes problems, as the packets returned from the peer-2 are often too big for peer-1 to handle. Is the raising of the MSS field value expected behavior? The man page and FAQ, and the option name itself, indicated the max-mss value should set an upper limit, not an absolute value. So what am I doing wrong? How do I use max-mss to set an upper limit, rather than an absolute value? Regards Richard Get the name you always wanted with the new y7mail email address. www.yahoo7.com.au/y7mail
Re: Authenticate squid in Active Directory
Luca Dell'Oca wrote: I would like to authenticate user and password of users in an Active Directory No. You wouldn't.
pf rtable, bgpd, and route (8) (was: Anyone lucky with pf rtable ?)
On Fri, 25 Jan 2008 16:28:42 +0700, Henning Brauer <[EMAIL PROTECTED]> wrote: * Insan Praja SW <[EMAIL PROTECTED]> [2008-01-24 18:43]: Hi Misc@, I'm currently setup bgp router using openbgp. Routes learned from openbgpd are stored in routing table 1. So, I got this client from NET2, coming from the same interface that my ibgp peer coming from, and I want to pass client from NET2 going to regional exchange to QUAGGA router. I got no luck with: "pass on $ext_if from $NET2 to any modulate state rtable 1", NET2 always use the default route via $ext_if when going to regional exchange I appreciate any input and suggestion regarding this. assigning an rtable decision on the outbond interface is too late, since the routang decision has already been taken then. yu have to do it in the inbound direction. that is true for the reverse path too. Hi Misc@, finally figured out how to use bgpd rtable into pf, and pftable and I get more curious. When I use route table 1, should all routes learned from default route copied to rtable 1 or I had to build it on my own? and when I did, I'm having problem with directly connected network, which I cannot insert mac address as default gateway, while using default rtable I see some of directly connected system/host had its default gateway in mac address. Anyone had any experience with this?. I Also like to ask, maybe a stupid question, how to display route label (from bgpd.conf) using "netstat" or "route show"? Thanks, Insan
חדרי חזרות חדשים בכפ"ס
dii xvipe ldfnio `ezj lwentlwq dgcy ylpe akt"q wiinim gcxi gfxez, gcxi zetim e`elto `pe nvirim yrz pqieo ll` zylem txhim peqtim a`zx http://www.2all.co.il/web/Sites/roomlive/ pyng lx`ezj
4.1 panic: bogus long slot station count 0
Greetings,
Not sure if this is worthy of reporting, but Google hasn't turned up
any other reports and there's nothing in 42.html or plus.html so just
in case.
ral(4) has been running on this machine without incident for about a
year, some changes to dhcpd.conf(5) are the only notable occurence in
recent days.
ddb> dmesg
OpenBSD 4.1 (RAL_DEBUG) #0: Fri Sep 28 18:06:09 CST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAL_DEBUG
cpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache)
499 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
M
MX,FXSR,SSE
real mem = 200773632 (196068K)
avail mem = 175525888 (171412K)
using 2481 buffers containing 10162176 bytes (9924K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 07/11/02, BIOS32 rev. 0 @
0xfd7b1, SMBIOS
rev. 2.3 @ 0xf8386 (38 entries)
bios0: IBM 656345A
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1e60/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:02:0 ("VIA VT82C596A ISA" rev
0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xa000 0xca000/0x1000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT82C691 PCI" rev 0x82
ppb0 at pci0 dev 1 function 0 "VIA VT82C598 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "S3 Savage 4" rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 "VIA VT82C596A ISA" rev 0x12
pciide0 at pci0 dev 2 function 1 "VIA VT82C571 IDE" rev 0x06: ATA66,
channel 0 c
onfigured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 12949MB, 26520480 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/
cdrom remova
ble
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 2 function 2 "VIA VT83C572 USB" rev 0x08: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"VIA VT82C596 Power" rev 0x20 at pci0 dev 2 function 3 not configured
fxp0 at pci0 dev 14 function 0 "Intel 8255x" rev 0x08, i82559: irq 9,
address 0
0:04:ac:8b:51:11
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ral0 at pci0 dev 15 function 0 "Ralink RT2560" rev 0x01: irq 5,
address 00:13:d
3:6a:bb:9d
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
esa0 at pci0 dev 18 function 0 "ESS ES1989" rev 0x10: irq 9
ac97: codec id 0x45838308 (ESS Technology ES1921)
ac97: codec features 20 bit DAC, 20 bit ADC, ESS Technology
audio0 at esa0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fd45 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted
setting slottime to 20us
setting MAC address to 00:13:d3:6a:bb:9d
setting slottime to 9us
updating PLCP for short preamble
updating PLCP for short preamble
setting slottime to 9us
setting BSSID to 00:13:d3:6a:bb:9d
enabling TSF synchronization
leaving promiscuous mode
leaving promiscuous mode
setting slottime to 9us
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
leaving promiscuous mode
setting slottime to 20us
entering promiscuous mode
leaving promiscuous mode
entering promiscuous mode
leaving promiscuous mode
ral0: device timeout
settin
Re: ftp.openbsd.org?
man pages too On Feb 4, 2008 3:23 PM, Alexey Vatchenko <[EMAIL PROTECTED]> wrote: > Hi! > > I can't get into ftp.openbsd.org and > http://www.openbsd.org/cgi-bin/cvsweb/ shows me "Internal Server Error" > page. > > Is it OK? > > -- > Alexey Vatchenko > http://www.bsdua.org
Re: ftp.openbsd.org?
On Mon, Feb 04, 2008 at 03:40:50PM +0100, xavier brinon wrote: > man pages too www.openbsd.org too. That'd explain spamd-setup ftp connect timeouts all over the place :-) -- joe. Every single day we have to wait at Edgware Road.
Re: pf scrub max-mss question
On 2/4/08, Richard Green <[EMAIL PROTECTED]> wrote: > I have this rule: > > 'scrub in all max-mss 1400' > > When when two peers on opposite sides of this firewall attempt to connect, a > TCP SYN packet passes in from peer-1 though one interface, with it's MSS > field set to 1360, through a bi-nat rule and the above scrub rule, and exits > another interface, and onwards to peer-2, it's MSS field value having been > raised to 1400. (This effect observed using tcpdump on both interfaces at the > same time) > > This causes problems, as the packets returned from the peer-2 are often too > big for peer-1 to handle. > > Is the raising of the MSS field value expected behaviour? > > The man page and FAQ, and the option name itself, indicated the max-mss value > should set an upper limit, not an absolute value. > > So what am I doing wrong? How do I use max-mss to set an upper limut, rather > than an absolute value? I am uncertain what it is you want to accomplish, but if one host is telling you its max-mss is 1360 and you change this to 1400, you will break connectivity with that host. When two hosts do a TCP handshake, they will use the lower max-mss supported between them. FWIW, if you must change it at all, you should probably only change the max-mss on packets going out of your network/from your hosts.
Re: : : booting openbsd on eee without cd-rom
On Mon, Feb 04, 2008 at 10:48:15AM +0100, frantisek holop wrote: > hmm, on Thu, Jan 31, 2008 at 04:40:58PM +0100, frantisek holop said that > > hmm, on Thu, Jan 31, 2008 at 02:26:17PM +0100, Raimo Niskanen said that > > > Since you probably will need the install sets as well, I have > > > posted a compressed filesystem image of size 199864838 bytes at > > > http://www.erlang.org/~raimo/OpenBSD/snapshots/i386/hd.fs.gz > > > It contains the same as install42.iso snapshot Jan 29. > > > > will try asap, thanks a lot. > > it works, thanks very much! > now i can experiment some more. Great! Good for you. What kind of USB stick did you use? I used an old 265MByte stick I found in a pile of dust at home and mimiced its C/H/S values, so I am a bit curious to know how generally usable this image is. That it only works for BIOSes that are capable of booting from "USB hard drive" I know, but if it works for any size (>= 256MByte) USB sticks I do not know. > > -f > -- > i'm feeling rather blonde today. -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
slow network
Hey there! I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why but the initial phase of the network connections are really slow. The machine is behing a linksys router with fix ip address, resolv.conf set up correclty. It has an intel pro 100 ethernet card. PF is disabled. If i try to reach it with ssh from the local network i have to wait for the password prompt for 30 seconds but after that the data flow is normal. When i give the netstat command i only see the columns name and then it halts. Though other machines on the network can be accessed normally. Do You know why can this be happening? Thank You! -- Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: pf rtable, bgpd, and route (8) (was: Anyone lucky with pf rtable ?)
* Insan Praja SW <[EMAIL PROTECTED]> [2008-02-04 11:48]: > On Fri, 25 Jan 2008 16:28:42 +0700, Henning Brauer <[EMAIL PROTECTED]> > wrote: > >> * Insan Praja SW <[EMAIL PROTECTED]> [2008-01-24 18:43]: >>> Hi Misc@, >>> I'm currently setup bgp router using openbgp. Routes learned from >>> openbgpd >>> are stored in routing table 1. So, I got this client from NET2, coming >>> from >>> the same interface that my ibgp peer coming from, and I want to pass >>> client >>> from NET2 going to regional exchange to QUAGGA router. I got no luck >>> with: >>> "pass on $ext_if from $NET2 to any modulate state rtable 1", NET2 always >>> use the default route via $ext_if when going to regional exchange >>> I appreciate any input and suggestion regarding this. >> >> assigning an rtable decision on the outbond interface is too late, >> since the routang decision has already been taken then. yu have to do >> it in the inbound direction. that is true for the reverse path too. >> > Hi Misc@, > finally figured out how to use bgpd rtable into pf, and pftable and I get > more curious. When I use route table 1, should all routes learned from > default route copied to rtable 1 or I had to build it on my own? and when I > did, I'm having problem with directly connected network, which I cannot > insert mac address as default gateway, while using default rtable I see > some of directly connected system/host had its default gateway in mac > address. Anyone had any experience with this?. all arp happens in table 0 so far, no need to copy. > I Also like to ask, maybe a stupid question, how to display route label > (from bgpd.conf) using "netstat" or "route show"? route get shows the label if it is there -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
3G/UMTS/HSDPA: best device(s)
am looking for a device that works with openbsd and will give "broadband" internet over cellular networks. it would be preferable that this device work in most of the jurisdictions listed in http://www.wireless.att.com/learn/international/dataconnect-global.jsp i am not sure about the extent of the support here and see that a number of devices are supported but advice on which gets best performance / coverage would be appreciated. if there are phones that can provide the service, i welcome those recommendations as well. cheers, jake
ftp.openbsd.org?
Hi! I can't get into ftp.openbsd.org and http://www.openbsd.org/cgi-bin/cvsweb/ shows me "Internal Server Error" page. Is it OK? -- Alexey Vatchenko http://www.bsdua.org
Re: 3G/UMTS/HSDPA: best device(s)
Jacob Yocom-Piatt ??: am looking for a device that works with openbsd and will give "broadband" internet over cellular networks. it would be preferable that this device work in most of the jurisdictions listed in http://www.wireless.att.com/learn/international/dataconnect-global.jsp i am not sure about the extent of the support here and see that a number of devices are supported but advice on which gets best performance / coverage would be appreciated. if there are phones that can provide the service, i welcome those recommendations as well. cheers, jake Have a look at www.2n.cz and www.topex.ro , both companies are well known with their 3G routers.
Re: slow network
Mon, 4 Feb 2008 20:48:21 +0100 -n GC!bri MC!tC) <[EMAIL PROTECTED]> C-rta: > Hey there! > > I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why > but the initial phase of the network connections are really slow. The > machine is behing a linksys router with fix ip address, resolv.conf > set up correclty. It has an intel pro 100 ethernet card. PF is > disabled. If i try to reach it with ssh from the local network i have > to wait for the password prompt for 30 seconds but after that the > data flow is normal. When i give the netstat command i only see the > columns name and then it halts. Though other machines on the network > can be accessed normally. > Do You know why can this be happening? > > Thank You! > > -- > Gabri Mate > [EMAIL PROTECTED] > DUOSOL Bt. > http://www.duosol.hu > > [demime 1.01d removed an attachment of type application/pgp-signature > which had a name of signature.asc] > Thank You everyone! It seems that problems accessing my OpenBSD machine are because of rDNS lookup. But why is it slow to access anything, even on the internet from OpenBSD? Is it also related to the DNS issue? -- Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: slow network
On Mon, 4 Feb 2008 21:18:50 +0100, Gabri Mati wrote > > Then why is it slow on the local network using ip addresses? :) It "sounds" like FAQ 8.22 applies -- since some services still attempt reverse DNS. You might review that section of the FAQ for applicability to your specific config.
Re: slow network
On Feb 4, 2008 3:18 PM, GC!bri MC!tC) <[EMAIL PROTECTED]> wrote: > Mon, 4 Feb 2008 14:10:37 -0600 (CST) -n > "L. V. Lammert" <[EMAIL PROTECTED]> C-rta: > > > On Mon, 4 Feb 2008, [UTF-8] GC!bri MC!tC) wrote: > > > > > Hey there! > > > > > > I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why > > > but the initial phase of the network connections are really slow. > > > The machine is behing a linksys router with fix ip address, > > > resolv.conf set up correclty. It has an intel pro 100 ethernet > > > card. PF is disabled. If i try to reach it with ssh from the local > > > network i have to wait for the password prompt for 30 seconds but > > > after that the data flow is normal. When i give the netstat command > > > i only see the columns name and then it halts. Though other > > > machines on the network can be accessed normally. > > > Do You know why can this be happening? > > > > > > Thank You! > > > > > Sounds like your DNS server is not resolving? > > > > Lee > > > Then why is it slow on the local network using ip addresses? :) > > -- > Gabri Mate > [EMAIL PROTECTED] > DUOSOL Bt. > http://www.duosol.hu > > [demime 1.01d removed an attachment of type application/pgp-signature > which had a name of signature.asc] > > http://cvs.openbsd.org/openssh/faq.html#3.3 Most likely reason when using IP could also be because of 'reverse lookup' DNS. Confirm with UseDNS no and restart sshd; if so, then either set up DNS (forward and reverse) or keep that option set.
Re: slow network
On 2008/02/04 21:18, Gabri Mati wrote: > Mon, 4 Feb 2008 14:10:37 -0600 (CST) -n > "L. V. Lammert" <[EMAIL PROTECTED]> C-rta: > > > On Mon, 4 Feb 2008, [UTF-8] GC!bri MC!tC) wrote: > > > > > Hey there! > > > > > > I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why > > > but the initial phase of the network connections are really slow. > > > The machine is behing a linksys router with fix ip address, > > > resolv.conf set up correclty. It has an intel pro 100 ethernet > > > card. PF is disabled. If i try to reach it with ssh from the local > > > network i have to wait for the password prompt for 30 seconds but > > > after that the data flow is normal. When i give the netstat command > > > i only see the columns name and then it halts. Though other > > > machines on the network can be accessed normally. > > > Do You know why can this be happening? > > > > > > Thank You! > > > > > Sounds like your DNS server is not resolving? > > > > Lee > > > Then why is it slow on the local network using ip addresses? :) It's trying to lookup reverse DNS. Do you have a resolver for RFC1918 addresses, if that's what you use on the lan?
Re: package tools misbehaving
Edd Barrett wrote on Mon, Feb 04, 2008 at 12:24:22AM +:
> On Feb 4, 2008 12:03 AM, Ingo Schwarze <[EMAIL PROTECTED]> wrote:
>> When you request a non-existant package,
>> printing an error message and exiting is OK imho.
>
> Agree, but it did not exit directly after the error,
> it continued to query me.
It looks like this is done on purpose,
see /usr/src/usr.sbin/pkg_add/pkg_add:
my $bad = 0;
[...]
[ inside some loop ]
my $result = OpenBSD::Interactive::choose1(
$pkgname, $state->{interactive}, sort @l);
if (defined $result) { [...] } else { $bad = 1; }
[...]
if ($bad) { exit(1); }
The error message is printed in OpenBSD::Interactive::choose1.
Thus, the design of pkg_add apparently is:
"In interactive mode, first figure out everything you can.
In case some question still remains unsolved at the end,
bail out just before you would otherwise start the real work."
This might even be useful.
When you see the fatal message, decide yourself
either to interrupt (in order to save time)
or to continue (in order to see all the questions).
--
my $bad = 0; # Marc Espie in /usr/src/usr.sbin/pkg_add/pkg_add
# This ^ is bold, but not too far from truth. :)
Re: slow network
Mon, 4 Feb 2008 14:10:37 -0600 (CST) -n "L. V. Lammert" <[EMAIL PROTECTED]> C-rta: > On Mon, 4 Feb 2008, [UTF-8] GC!bri MC!tC) wrote: > > > Hey there! > > > > I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why > > but the initial phase of the network connections are really slow. > > The machine is behing a linksys router with fix ip address, > > resolv.conf set up correclty. It has an intel pro 100 ethernet > > card. PF is disabled. If i try to reach it with ssh from the local > > network i have to wait for the password prompt for 30 seconds but > > after that the data flow is normal. When i give the netstat command > > i only see the columns name and then it halts. Though other > > machines on the network can be accessed normally. > > Do You know why can this be happening? > > > > Thank You! > > > Sounds like your DNS server is not resolving? > > Lee > Then why is it slow on the local network using ip addresses? :) -- Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: slow network
On 2008/02/04 20:35, Stuart Henderson wrote: > On 2008/02/04 21:18, Gabri Mati wrote: > > Mon, 4 Feb 2008 14:10:37 -0600 (CST) -n > > "L. V. Lammert" <[EMAIL PROTECTED]> C-rta: > > > > > On Mon, 4 Feb 2008, [UTF-8] GC!bri MC!tC) wrote: > > > > > > > Hey there! > > > > > > > > I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why > > > > but the initial phase of the network connections are really slow. > > > > The machine is behing a linksys router with fix ip address, > > > > resolv.conf set up correclty. It has an intel pro 100 ethernet > > > > card. PF is disabled. If i try to reach it with ssh from the local > > > > network i have to wait for the password prompt for 30 seconds but > > > > after that the data flow is normal. When i give the netstat command > > > > i only see the columns name and then it halts. Though other > > > > machines on the network can be accessed normally. > > > > Do You know why can this be happening? > > > > > > > > Thank You! > > > > > > > Sounds like your DNS server is not resolving? > > > > > > Lee > > > > > Then why is it slow on the local network using ip addresses? :) > > It's trying to lookup reverse DNS. Do you have a resolver for > RFC1918 addresses, if that's what you use on the lan? s/resolver/youknowwhatimean/
Re: slow network
On Mon, 4 Feb 2008, [UTF-8] GC!bri MC!tC) wrote: > Hey there! > > I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why > but the initial phase of the network connections are really slow. The > machine is behing a linksys router with fix ip address, resolv.conf > set up correclty. It has an intel pro 100 ethernet card. PF is disabled. > If i try to reach it with ssh from the local network i have to wait for > the password prompt for 30 seconds but after that the data flow is > normal. When i give the netstat command i only see the columns name and > then it halts. Though other machines on the network can be accessed > normally. > Do You know why can this be happening? > > Thank You! > Sounds like your DNS server is not resolving? Lee
Re: OpenBSD 4.2 - Netgear WG511 pcmcia wireless card - not respondiing
Did you install the firmware ? cf. http://www.nabble.com/OpenBSD-4.2---Netgear-WG511-pcmcia-wireless-card---not-respondiing-td15232095.html On lun, 2008-02-04 at 15:21 -0600, Theodore Wynnychenko wrote: > Hi: > Last week I asked about the failure of OpenBSD to work with a wireless > pcmcia network card (WG511). > I hope the question is not too basic, but, is the misc list the wrong place > to ask the question? > Does anyone have any advice for me about this? > It seems the kernel correctly identifies the card on insertion, but then the > pgt firmware gives me a "not responding" message. Is the card dead? Am I > doing something wrong? Did I miss something during the install? > I have spent the better part of a week going through the man pages, the > mailing list archive, the faq, and searching with google; but, am unable to > even come up with a direction to go. > If anyone has any ideas, I would really appreciate it. Is this the wrong > place to ask my question? If so, could someone let me know that is the > case. > Thanks again
Re: OpenBSD 4.2 - Netgear WG511 pcmcia wireless card - not respondiing
Hi: Last week I asked about the failure of OpenBSD to work with a wireless pcmcia network card (WG511). I hope the question is not too basic, but, is the misc list the wrong place to ask the question? Does anyone have any advice for me about this? It seems the kernel correctly identifies the card on insertion, but then the pgt firmware gives me a "not responding" message. Is the card dead? Am I doing something wrong? Did I miss something during the install? I have spent the better part of a week going through the man pages, the mailing list archive, the faq, and searching with google; but, am unable to even come up with a direction to go. If anyone has any ideas, I would really appreciate it. Is this the wrong place to ask my question? If so, could someone let me know that is the case. Thanks again
Re: Authenticate squid in Active Directory
On 04/02/2008, at 8:13 PM, Lars Noodin wrote: Luca Dell'Oca wrote: I would like to authenticate user and password of users in an Active Directory No. You wouldn't. pretty sure he would. it's useful.
Re: pf scrub max-mss question
On 2008/02/04 18:12, Richard Green wrote: > When when two peers on opposite sides of this firewall attempt to connect, a > TCP SYN packet passes in from peer-1 though one interface, with it's MSS > field set to 1360, through a bi-nat rule and the above scrub rule, and exits > another interface, and onwards to peer-2, it's MSS field value having been > raised to 1400. (This effect observed using tcpdump on both interfaces at the > same time) I can't replicate this with pf/binat/scrub max-mss...think you'll need some more information to track it down (but I'm not sure what exactly).
Re: slow network
On Feb 4, 2008 9:18 PM, Gabri Mati <[EMAIL PROTECTED]> wrote: > Mon, 4 Feb 2008 14:10:37 -0600 (CST) -n > "L. V. Lammert" <[EMAIL PROTECTED]> C-rta: > > > > On Mon, 4 Feb 2008, [UTF-8] GC!bri MC!tC) wrote: > > > > > Hey there! > > > > > > I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why > > > but the initial phase of the network connections are really slow. > > > The machine is behing a linksys router with fix ip address, > > > resolv.conf set up correclty. It has an intel pro 100 ethernet > > > card. PF is disabled. If i try to reach it with ssh from the local > > > network i have to wait for the password prompt for 30 seconds but > > > after that the data flow is normal. When i give the netstat command > > > i only see the columns name and then it halts. Though other > > > machines on the network can be accessed normally. > > > Do You know why can this be happening? > > > > > > Thank You! > > > > > Sounds like your DNS server is not resolving? > > > > Lee > > > Then why is it slow on the local network using ip addresses? :) > > > -- > Gabri Mate > [EMAIL PROTECTED] > DUOSOL Bt. > http://www.duosol.hu > > [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc] > > I suspect DNS not resolving too. And for your ssh connection freezing when using an IP address, maybe because of UseDNS Specifies whether sshd should lookup the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is ``yes''. -- Pierre Riteau
Lean to Sustainability Article
Article: From Lean to Sustainability Gary Langenwalter takes a thorough and practical look at sustainability in this AME Target article. In the article he contends that, like lean principles, sustainability has a positive impact on finances because emphasis is placed on reducing waste. Read the article on the Lean and Green Summit website. http://www.leanandgreensummit.com/sustainability/default.asp --- Lean and Green Summit Picking Up Steam As announced in January, the Lean and Green Summit is moving forward and is now accepting registrations for the July 17-18 event. Register in February for the early bird savings of $200. The Summit will be held at St. Julien Hotel and Spa, known as a progressive, "green" hotel, and will offer 2 days of presentations and workshops with an optional day of tours prior to the Summit. Visit the Lean and Green Summit website and sign up for future updates as the Summit planning committee finalizes keynote presenters, tour selections, sponsorships, and more. Agenda... Optional Tour The area in and around Boulder offers many examples of companies that are well on there way toward sustainability. In the coming weeks, organizers will announce optional tours the day before the Summit convenes. Day 1 Participants will experience a day of presentations by leading-edge companies who have actuated on their company's ability to be sustainable. Specific presentations will include... Design for the environment: Operational and product design for cradle-to-grave responsibility. Engineering sustainable operational processes. Performance measurement: principles and practical applications of environmental performance measurement in a green company. People in a green organization: Managing and developing people as you move toward sustainability including those associated with the company: suppliers, bankers, auditors, and others. Day 2 The second day of the event will offer an intense, hands-on workshop designed to give attendees a roadmap for moving toward sustainability. Workshop will be conducted as a "World Cafe." www.leanandgreensummit.com - --- Click to Opt Out: https://www.regonline.com/emailonline/members/memberoptout.asp?MemberId=yYleW A8qMfmRui1BwLM8sQ%3D%3D Click to Respond: https://www.regonline.com/eventInfo.asp?MemberId=yYleWA8qMfmRui1BwLM8sQ%3D%3D &JobId=1267672&EventId=182453 Click to Tell a Friend: https://www.regonline.com/Registrations/tellafriend.asp?EventId=182453&encAtt endeeId=yYleWA8qMfmRui1BwLM8sQ%3D%3D Dwayne Butcher, Lean and Green Summit 9128 Technology Lane, Fishers, IN 46038 317.813.5455
Re: OpenBSD 4.2 - Netgear WG511 pcmcia wireless card - notrespondiing
Yes, I installed the firmware as it directs in the pgt man page (http://www.nazgul.ch/pgt/pgt-firmware-1.2.tgz - actually, the man page links to the 1.1 version of the firmware, but there is a 1.2 version available - which is what i used - i had the same problem (with the "not responding" message) when i installed the 1.1 version of the firmware earlier last week) I posted my dmesg in a post last week (on 2/1) thanks -Original Message- From: Julien Cabillot [mailto:[EMAIL PROTECTED] Sent: Monday, February 04, 2008 3:32 PM To: [EMAIL PROTECTED] Subject: Re: OpenBSD 4.2 - Netgear WG511 pcmcia wireless card - notrespondiing Did you install the firmware ? cf. http://www.nabble.com/OpenBSD-4.2---Netgear-WG511-pcmcia-wireless-card---not -respondiing-td15232095.html On lun, 2008-02-04 at 15:21 -0600, Theodore Wynnychenko wrote: > Hi: > Last week I asked about the failure of OpenBSD to work with a wireless > pcmcia network card (WG511). > I hope the question is not too basic, but, is the misc list the wrong place > to ask the question? > Does anyone have any advice for me about this? > It seems the kernel correctly identifies the card on insertion, but then the > pgt firmware gives me a "not responding" message. Is the card dead? Am I > doing something wrong? Did I miss something during the install? > I have spent the better part of a week going through the man pages, the > mailing list archive, the faq, and searching with google; but, am unable to > even come up with a direction to go. > If anyone has any ideas, I would really appreciate it. Is this the wrong > place to ask my question? If so, could someone let me know that is the > case. > Thanks again
Sysadmin vacancy Edmonton area, AB
I've told my boss that I'm not renewing my contract. The Job: 20 hours per week as the entire IT department for the school. Optional half time teaching position. (Must have teaching certificate) Optional average 5 hours per week Outdoor Program Instructor. The computers: 3 Freebsd boxes 1 openbsd box. 60 Win2K clients. Upcoming challenges. Upgrade servers. Cover main building with wireless. User authenitcation at firewall. Pay: $28,000 year for Sysadmin+Outdoor. (Nominal 25 hours/week) + low rent housing if you choose to live on site. Hours: Boss is extremely flexible. The Location: Saint John's School of Alberta (http://www.sjsa.ab.ca). The school is 75 km south-west of Edmonton, on the banks of the North Saskatchewan River. Equipment tends to be old. "We the unwilling, lead by the unknowing, have done so much with so little for so long we now can do anything with nothing." Let me know if you have questions.
WAP setup problems
Hi,
Here's my problem and my current understanding:
I have 3 interfaces in my WAP box, external, internal and wireless.
I'd like to have MAC filtering for addresses with access to the external
network, but allow guests to connect to the wireless network to help
with copying files around in the same room.
I need to run dhcpd on both the internal interface and the wireless
interface as guests might not have wireless. ALL clients on the wireless
network MUST use DHCP to obtain their address.
My dhcpd.conf is as follows:
--
shared-network LOCAL-NET {
option domain-name "example.org";
option domain-name-servers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
range 192.168.1.32 192.168.1.127;
}
host laptop {
hardware ethernet 00:de:ad:be:ef:00;
fixed-address 192.168.1.10;
}
}
shared-network WIRELESS-NET {
option domain-name "example.org";
option domain-name-servers 192.168.1.1;
subnet 192.168.2.0 netmask 255.255.255.0 {
option routers 192.168.2.1;
range 192.168.2.32 192.168.2.127;
}
host laptop-wireless {
hardware ethernet 11:de:ad:be:ef:11;
fixed-address 192.168.2.10;
}
}
--
So, the problem is that dhcpd listens on both ends of the bridge that
would be used for MAC filtering. DHCPDISCOVER requests are acknowledged
on both interfaces, and the wireless client will receive a random
address from either the internal or wireless network. laptop does not
consistently receive its fixed address. I understand why this is so, as
the DHCPDISCOVER/DHCPOFFER packets cannot be filtered in BPF. HOWEVER, I
have been unable to find dhcpd configuration which will prevent the
request from being processed on both interfaces. If I turn off the
bridge, I lose the MAC filtering. Is there any way I can have the setup
I desire? Not all registered MAC addresses will have a fixed-address, so
I can allow a guest access to the external network by simply adding
their MAC address to the bridge.
Thanks,
Brian
Re: Authenticate squid in Active Directory
I am the patch author. It's working since it's first implementation. Maybe it's time for the maintainers to consider committing it. 2008/2/4, David Gwynne <[EMAIL PROTECTED]>: > On 04/02/2008, at 8:13 PM, Lars Noodin wrote: > > > Luca Dell'Oca wrote: > >> I would like to authenticate user and password of users in an Active > >> Directory > > > > No. You wouldn't. > > pretty sure he would. it's useful. > > -- Eduardo Alvarenga
Re: pf scrub max-mss question (solved)
On Tuesday 05 February 2008 07:18:34 Stuart Henderson wrote: > On 2008/02/04 18:12, Richard Green wrote: > > When when two peers on opposite sides of this firewall attempt to > > connect, a TCP SYN packet passes in from peer-1 though one interface, > > with it's MSS field set to 1360, through a bi-nat rule and the above > > scrub rule, and exits another interface, and onwards to peer-2, it's MSS > > field value having been raised to 1400. (This effect observed using > > tcpdump on both interfaces at the same time) > > I can't replicate this with pf/binat/scrub max-mss...think you'll need > some more information to track it down (but I'm not sure what exactly). Thanks for your responses. After further testing and experimentation, I deduced my problem lay with my use of the 'synproxy' option on subequent filter rules (the mss value is not passed fom peer-1's initial connection, to the proxy's connection to peer-2). Cheers Richard
Re: WAP setup problems
On Feb 4, 2008 10:12 PM, Brian Richardson <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Here's my problem and my current understanding:
>
> I have 3 interfaces in my WAP box, external, internal and wireless.
>
> I'd like to have MAC filtering for addresses with access to the external
> network, but allow guests to connect to the wireless network to help
> with copying files around in the same room.
>
> I need to run dhcpd on both the internal interface and the wireless
> interface as guests might not have wireless. ALL clients on the wireless
> network MUST use DHCP to obtain their address.
>
> My dhcpd.conf is as follows:
>
> --
> shared-network LOCAL-NET {
> option domain-name "example.org";
> option domain-name-servers 192.168.1.1;
>
> subnet 192.168.1.0 netmask 255.255.255.0 {
> option routers 192.168.1.1;
> range 192.168.1.32 192.168.1.127;
> }
>
> host laptop {
> hardware ethernet 00:de:ad:be:ef:00;
> fixed-address 192.168.1.10;
> }
> }
>
> shared-network WIRELESS-NET {
> option domain-name "example.org";
> option domain-name-servers 192.168.1.1;
>
> subnet 192.168.2.0 netmask 255.255.255.0 {
> option routers 192.168.2.1;
> range 192.168.2.32 192.168.2.127;
> }
>
> host laptop-wireless {
> hardware ethernet 11:de:ad:be:ef:11;
> fixed-address 192.168.2.10;
> }
> }
> --
>
> So, the problem is that dhcpd listens on both ends of the bridge that
> would be used for MAC filtering. DHCPDISCOVER requests are acknowledged
> on both interfaces, and the wireless client will receive a random
> address from either the internal or wireless network. laptop does not
> consistently receive its fixed address. I understand why this is so, as
> the DHCPDISCOVER/DHCPOFFER packets cannot be filtered in BPF. HOWEVER, I
> have been unable to find dhcpd configuration which will prevent the
> request from being processed on both interfaces. If I turn off the
> bridge, I lose the MAC filtering. Is there any way I can have the setup
> I desire? Not all registered MAC addresses will have a fixed-address, so
> I can allow a guest access to the external network by simply adding
> their MAC address to the bridge.
>
> Thanks,
> Brian
First, I don't see your fixed-address hosts getting a router option.
Also, my fixed-address hosts are part of the subnet, not outside it.
Lastly, I don't have the shared-network "wrappers" around my subnet
definitions, but that seems like an ommission on my part.
Anyways, I've effectively got this same physical setup and it works
perfectly in 4.1. Your laptop has two interfaces and a different MAC
for each; assuming everything is configured right, dhcpd will give out
the fixed IP mapped to the requesting MAC address. If you don't want
both LAN and WLAN addresses, shut down the interface you don't care
about.
Good luck.
--david
Re: OpenBSD 4.2 - Netgear WG511 pcmcia wireless card - notrespondiing
Hi, On Mon, Feb 04, 2008 at 03:55:37PM -0600, Theodore Wynnychenko wrote: > Yes, > I installed the firmware as it directs in the pgt man page > (http://www.nazgul.ch/pgt/pgt-firmware-1.2.tgz - actually, the man page > links to the 1.1 version of the firmware, but there is a 1.2 version > available - which is what i used - i had the same problem (with the "not > responding" message) when i installed the 1.1 version of the firmware > earlier last week) > > I posted my dmesg in a post last week (on 2/1) > thanks Are you sure your CardBus WG511 device is a Taiwanese model as stated in the man page (you will find this information on the back-side of the device)? NETGEAR WG511 (Taiwanese, not Chinese) ISL3890CardBus We saw this "not responding" issue exactly with the WG511 devices produced in China. Marcus
FW: OpenBSD 4.2 - Netgear WG511 pcmcia wireless card - notrespondiing
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Marcus Glocker Sent: Monday, February 04, 2008 11:56 PM Are you sure your CardBus WG511 device is a Taiwanese model as stated in the man page (you will find this information on the back-side of the device)? NETGEAR WG511 (Taiwanese, not Chinese) ISL3890CardBus We saw this "not responding" issue exactly with the WG511 devices produced in China. Marcus Hello: Nope, that doesn't seem to be it. I noted the "Taiwanese, not Chinese" restriction in the man page. While I can't find "ISL3890" anywhere on the card; at the bottom, on the back, it says "Made in Taiwan." Your info is interesting. I notice that on the netgear site, they have a "Firmware" update for this card (what they call 2.04.12.00). Now, reading the man page, I would assume that this "firmware" update (from netgear) doesn't actually flash the card, but is only a software change. Or does it mean that the card's programing has been changed? And, if so, should I try to find a MSwindows laptop, and "install" an older version of netgear's "firmware"? Thanks for the advice. Ted
