Re: Nfsen and php problems...?

2008-03-03 Thread Balgaa
Already I configured short_open_tag=On.

I am using Nfsen+Nfdump on Fedora Core 6 and with  Apache/2.2.6 (Unix) DAV/2
PHP/5.1.6 mod_python/3.2.8 Python/2.4.4 mod_ssl/2.2.6 OpenSSL/0.9.8b
mod_perl/2.0.2 Perl/v5.8.8 configured -- resuming normal operations

I found that when I chmod 0775 /home/netflow, which is BASEDIR for NfSen,
then it works.

Is it possible to use an existing, already running Nfcapd-collected database?

I tried to use Stager + Nfdump and spent a full day, but it doesn't work and
gives a lot of error messages.


Richard Daemon wrote:
> 
> Looks exactly like what I had, Tasmanian Devil's suggestion fixed it:
> 
> I changed the short_open_tag=Off to On:
> "short_open_tag = On" in the php.ini.
> 
> Also, are you doing this in a chroot apache? If so, try with 'httpd
> -u' instead to see if that fixes it (outside the chroot). I haven't
> tried to get it working while running the httpd in a chroot myself yet
> so that could be another cause to it as I've also seen.
> 
> If not, might be something with the path somewhere, perhaps nfsen.conf?
> 
> Hope this helps.
> 
> On Mon, Mar 3, 2008 at 4:21 PM, Balgaa <[EMAIL PROTECTED]> wrote:
>> hello,
>>
>>  I have a similar problem but it says about permission.
>>  ERROR: nfsend connect() error: Permission denied!
>>
>> ERROR: nfsend - connection failed!!
>>  ERROR: Can not initialize globals!
>>
>>  Is there anything wrong with directory or file permission?

-- 
View this message in context: 
http://www.nabble.com/Nfsen-and-php-problems...--tp15526200p15820196.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Kernel panic (-current) AMD64 GENERIC.MP

2008-03-03 Thread Sylwester S. Biernacki

Hello,

  Today one of my freshly upgraded machines hung up after one week of
normal work.


  I don't think it's hardware related; the machine was working with
4.2-stable for the last 3 months without doubt.

  Any idea what caused that hangup?

  I saw the following on the console and could only touch the reset
button. After reset everything works as it should, but I don't know how
long.
  I looked through http://www.openbsd.com/plus.html but didn't find
anything related to that issue.


panic: pool_do_get(knotepl): free list modified: magic=765eeab8; page 0xfe80735dc000; item addr 0xfe80735dc688

Starting stack trace...
panic() at panic+0x136
pool_do_get() at pool_do_get+0x371
pool_get() at pool_get_+0x2a
kqueue_register() at kqueue_register+0x1d8
sys_kevent() at sys_kevent+0x157
syscall() at syscall+0x2a3
--- syscall (number 270) ---
end of kernel
end trace frame: 0x48cac040, count: 251
0x4b0906ea:
End of stack trace.
syncing disks...

and dmesg:

OpenBSD 4.3-beta (GENERIC.MP) #1569: Wed Feb 27 13:01:06 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2145902592 (2046MB)
avail mem = 2072178688 (1976MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.34 @ 0x7fee8000 (67 entries)
bios0: vendor FUJITSU SIEMENS // Phoenix Technologies Ltd. version "4.06  Rev. 1.06.2300" date 05/16/2007
bios0: FUJITSU SIEMENS PRIMERGY RX200 S3
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET APIC BOOT
acpi0: wakeup devices PE2_(S4) PXH0(S5) PE4_(S4) PE6_(S4) PXH1(S4) CBD_(S4) USB1(S4) USB2(S4) USB3(S4) USB4(S4) USB5(S4) KEYB(S4) PS2M(S4) COM1(S1) COM2(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU 5120 @ 1.86GHz, 1862.19 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 265MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU 5120 @ 1.86GHz, 1861.92 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu1: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 2 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 3 pa 0xfec8, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PE2_)
acpiprt2 at acpi0: bus 2 (PSU_)
acpiprt3 at acpi0: bus 3 (PSD1)
acpiprt4 at acpi0: bus 4 (PSD2)
acpiprt5 at acpi0: bus 5 (PXH0)
acpiprt6 at acpi0: bus 7 (PE4_)
acpiprt7 at acpi0: bus -1 (PXH1)
acpiprt8 at acpi0: bus -1 (CBD_)
acpiprt9 at acpi0: bus 12 (PCIH)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 "Intel 5000P Host" rev 0x92
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE x8" rev 0x92
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 4
ppb4 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci5 at ppb4 bus 5
mpi0 at pci5 dev 5 function 0 "Symbios Logic SAS1068" rev 0x01: apic 3 int 0 (irq 11)
scsibus0 at mpi0: 112 targets
sd0 at scsibus0 targ 1 lun 0:  SCSI2 0/direct fixed
sd0: 75340MB, 75340 cyl, 16 head, 128 sec, 512 bytes/sec, 154296320 sec total
ppb5 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x92
pci6 at ppb5 bus 6
ppb6 at pci0 dev 4 function 0 "Intel 5000 PCIE" rev 0x92
pci7 at ppb6 bus 7
ppb7 at pci7 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xb5
pci8 at ppb7 bus 8
bge0 at pci8 dev 4 function 0 "Broadcom BCM5715" rev 0xa3, BCM5715 A3 (0x9003): apic 2 int 16 (irq 11), address 00:0a:e4:83:14:c6
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
bge1 at pci8 dev 4 function 1 "Broadcom BCM5715" rev 0xa3, BCM5715 A3 (0x9003): apic 2 int 17 (irq 9), address 00:0a:e4:83:14:c7
brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
ppb8 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0x92
pci9 at ppb8 bus 9
ppb9 at pci0 dev 6 function 0 "Intel 5000 PCIE x8" rev 0x92
pci10 at ppb9 bus 10
ppb10 at pci0 dev 7 function 0 "Intel 5000 PCIE" rev 0x92
pci11 at ppb10 bus 11
pchb1 at pci0 dev 16 function 0 "Intel 5000 Error Reporting" rev 0x92
pchb2 at pci0 dev 16 function 1 "Intel 5000 Error Reporting" rev 0x92
pchb3 at pci0 dev 16 function 2 "Intel 5000 Error Reporting" rev 0x92
pchb4 at pci0 dev 17 function 0 "Intel 5000 Reserved" rev 0x92
pchb5 at pci0 dev 19 function 0 "Intel 5000 Reserved" rev 0x92
pchb6 at pci0 dev 21 functio

Re: OpenBSD poster

2008-03-03 Thread J.C. Roberts
On Sunday 02 March 2008, Stijn wrote:
> Wow cool drawing... Is that SSDRAM?

Nope, not enough pins.



Re: Nfsen and php problems...?

2008-03-03 Thread Richard Daemon
Looks exactly like what I had, Tasmanian Devil's suggestion fixed it:

I changed the short_open_tag=Off to On:
"short_open_tag = On" in the php.ini.

Also, are you doing this in a chroot apache? If so, try with 'httpd
-u' instead to see if that fixes it (outside the chroot). I haven't
tried to get it working while running the httpd in a chroot myself yet
so that could be another cause to it as I've also seen.

If not, might be something with the path somewhere, perhaps nfsen.conf?

Hope this helps.

On Mon, Mar 3, 2008 at 4:21 PM, Balgaa <[EMAIL PROTECTED]> wrote:
> hello,
>
>  I have a similar problem but it says about permission.
>  ERROR: nfsend connect() error: Permission denied!
>
> ERROR: nfsend - connection failed!!
>  ERROR: Can not initialize globals!
>
>  Is there anything wrong with directory or file permission?



Nfsen and php problem

2008-03-03 Thread Balgaa
Hello,

I have a similar error on nfsen, but it says permission denied.

ERROR: nfsend connect() error: Permission denied!
ERROR: nfsend - connection failed!!
ERROR: Can not initialize globals!

Did I do anything wrong with directory or file permissions?





Re: Nfsen and php problems...?

2008-03-03 Thread Balgaa
hello, 

I have a similar problem but it says about permission.
ERROR: nfsend connect() error: Permission denied!
ERROR: nfsend - connection failed!!
ERROR: Can not initialize globals!

Is there anything wrong with directory or file permission?



Richard Daemon wrote:
> 
> Hi,
> 
> I'm really stumped on this and any help would be greatly appreciated.
> 
> When trying to load the nfsen/nfsen.php page I get:
> 
> ERROR: nfsend connect() error: No such file or directory!
> ERROR: nfsend - connection failed!!
> ERROR: Can not initialize globals!
> 
> I'm sure I have it configured properly and started properly as the
> documentation states, I've read over and over and over again...
> 
> I've used the default ./etc/nfsen-dist.conf > ./etc/nfsen.conf (tried
> with and without changing HTMLDIR)
> 
> I'm running httpd -u (non-chroot), php enabled, configured in
> httpd.conf and tested ok - httpd chrooted works less, for now.
> 
> I did the mkdir /data then ran the ./install.pl etc/nfsen.conf
> 
> Started it with: ./nfsen start and it starts ok.
> 
> in nfsen.conf I tried with /var/www/nfsen and /var/www/htdocs/nfsen
> (same results)...
> 
> %sources = (
> #'upstream1'=> { 'port'=> '9995', 'col' => '#ff',
> 'type' => 'netflow' },
> 'slacker'=> { 'port'=> '9995', 'col' => '#ff', 'type'
> => 'netflow' },
> #'peer1'=> { 'port'=> '9996', 'col' => '#ff' },
> );
> 
> Then when I try http://slacker/nfsen/nfsen.php I get:
> 
> ERROR: nfsend connect() error: No such file or directory!
> ERROR: nfsend - connection failed!!
> ERROR: Can not initialize globals!in red.
> 
> pfflowd -d -n 192.168.0.10 running from remote host.
> 
> I tried 1.3 and 1.3b, including nfsen -r live.
> 
> I also get this in /var/log/messages:
> Feb 16 22:50:15 slacker nfsen[689]: Error reading channel stat
> information. Missing key 'first'
> 
> $ netstat -anf inet |grep 995
> udp0  0  *.9995 *.*
> 
> Running OpenBSD 4.2-stable.
> 
> Did I miss anything? Am I doing something wrong?
> 
> Any help is greatly appreciated!



Problems with wireless network

2008-03-03 Thread Erik Wikström
Hello

I've set up a computer to work as a wired/wireless router and it has
been working quite fine. But today I can no longer connect to the
wireless network, I get no signal. If I stand about one metre from the
router I can get a very weak signal but that is all. How can I determine
if it is a hardware or software problem? System specs below:


$ uname -a
OpenBSD lyraluthuin 4.2 GENERIC#375 i386


$ dmesg
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.21 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 536375296 (511MB)
avail mem = 511008768 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/27/03, BIOS32 rev. 0 @ 0xfb2e0, SMBIOS rev. 2.2 @ 0xf0800 (34 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 08/27/2003
bios0: \^DShuttle Inc FB71
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf64
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfded0/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 5 7 10 11 12 14
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc800 0xd/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82875P AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVIDIA GeForce2 MX" rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 12
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: irq 11
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: irq 14
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: irq 12
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xc2
pci2 at ppb1 bus 2
"VIA VT6306 FireWire" rev 0x80 at pci2 dev 6 function 0 not configured
bge0 at pci2 dev 7 function 0 "Broadcom BCM5788" rev 0x03, BCM5705 A3 (0x3003): irq 11, address 00:30:1b:b0:ad:71
brgphy0 at bge0 phy 1: BCM5705 10/100/1000baseT PHY, rev. 2
ral0 at pci2 dev 8 function 0 "Ralink RT2561" rev 0x00: irq 10, address 00:08:a1:b5:ac:13
ral0: MAC/BBP RT2561C, RF RT2527
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 ignored (disabled)
wd0 at pciide0 channel 1 drive 0: 
wd0: 16-sector PIO, LBA, 117246MB, 240121728 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: irq 7
iic0 at ichiic0
"it8712" at iic0 addr 0x2d not configured

spamd flooded, problem solved [was: Re: : : : Zombie Network Spam Attack]

2008-03-03 Thread Raimo Niskanen
Top posting, for the archives...

Problem probably solved. There has been a new spam backscatter
flood, and this time it had no impact on my server's network
connectivity. Spamd did just fine. It now runs with the
flags -B 300 -c 400 -S 30 -s 3 (among others) and they
brought down the network load to a totally acceptable level.

Thank you all that contributed to the solution!



PS: It appears the spammers have got new software for
generating names. My mailserver logs show lots of
fake names I have not seen before, in a new style à la:




On Wed, Feb 13, 2008 at 11:32:28AM +0100, Raimo Niskanen wrote:
> On Mon, Feb 11, 2008 at 11:33:47AM -0500, Calomel wrote:
> > On Mon, Feb 11, 2008 at 11:17:35AM +0100, Raimo Niskanen wrote:
> > >On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:
> > >> Raimo,
> > >> 
> > >> Can you use the spamd.alloweddomains to whitelist email addresses and
> > >> domains you accept mail for? Any email sent to your mail server that is
> > >> not on the list will only go to spamd and never get the chance to be
> > >> greylisted/whitelisted. Then you could write a simple script to look
> > >> through the spamd logs of BLACK entries.
> > >> 
> > >
> > >Well, that was already done. All incoming backscatter was to a valid
> > >domain.
> > 
> > If you can compile a list of valid email addresses this might help. Instead
> > of @example.com you could list [EMAIL PROTECTED], [EMAIL PROTECTED] Any
> > server sending to an invalid address would be blacklisted and a script
> > could add those ips to a pf block table.
> > 
> 
> I have now improved the greyscanner script to look up hosts that
> send a DSN (sender is empty) and check that they resolve through
> DNS both back and forth again to the right IP address.
> 
> It is just a little improvement, but catches a few more hosts.
> 
> > >
> > >> cat /var/log/daemon | grep spamd | grep BLACK | awk '{print $7}' | sort 
> > >> | uniq
> > >> 
> > >
> > >The problem seemed to be that spamd overloaded the network connection.
> > 
> > If spamd is sending too many packets back try increasing the stutter time
> > "-S90" and the stutter speed "-s5". At 600 connections total and 600
> > packets per 5 seconds the network would need to handle 120 packets per
> > second each direction; around 180 kilobytes in each direction. This might
> > still be too much bandwidth, but you could increase the values as
> > needed or decrease the amount of connections spamd will accept with "-c".
> > maxcon may not exceed kern.maxfiles - 200, and defaults to 800.
> > 
> 
> I will certainly try this. I guess -S90 will not do much since most of
> the conversation tail (after stutter) will go in one packet anyway, but
> -s2 should halve the packet load, and -s5 cut it to a fifth (i.e. 1/5). -c 400
> should also decrease the load, but I have a firewall rule for that
> now that should do the same but more lightweight since the
> TCP stack is not involved.
> 
> > >
> > >> ...and add the offending ips to a block table with a cron job running a
> > >> few times a day. This page might give you some more ideas:
> > >> 
> > >>   Spamd tarpit/greylisting anti-spam "how to" (spamdb)
> > >>   http://calomel.org/spamd_config.html
> > >
> > >I will have a look at it. Thank you for the ideas.
> > >
> > >
> > >> --
> > >>  Calomel @ http://calomel.org
> > >>  Open Source Research and Reference
> > >> 
> > >> 
> > >> On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
> > >> >Apparently we (our mail server) got targeted by a zombie network
> > >> >since suddenly there were some 3 hosts on spamd's whitelist,
> > >> >continuously some 600 connections to spamd, and only mails to
> > >> >unknown users coming in. The network connection was flooded,
> > >> >the web server sluggish, downloads crept, basically
> > >> >nothing worked.
> > >> >
> > >> >Can spamd do anything about zombie hosts? They behave like
> > >> >normal MTAs so they will pass spamd's behavioural tests, right?
> > >> >
> > >> >Now I analyze the greylist, do some heuristics on the
> > >> >sender address (among other things) and trap the bad hosts.
> > >> >The trapped hosts are then copied to a pf table to be blocked
> > >> >in the firewall. Tarpitting them through spamd is simply
> > >> >too much work for the mail server, but blocking works fine.
> > >> >
> > >> >Here come the questions
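
The greyscanner improvement described in the reply (a host that sends a DSN must resolve back and forth through DNS to the same address, and the trapped hosts go into a pf table) as an added example, not Raimo's script: the spamdb line layout it parses, the DNS data and the greylist entries are constructed here, and the pf table name is a placeholder.

```python
"""Greylist post-processing in the spirit of the greyscanner step described
above: a host that sent a DSN (empty envelope sender) must have a PTR record
whose name resolves forward to the same IP (forward-confirmed reverse DNS).
Failing hosts are collected for a pf table.  Resolvers are injected so the
logic also runs offline against constructed data."""
import socket
from typing import Callable, Iterable, List, Set

Resolver = Callable[[str], List[str]]   # raises LookupError on failure

def dns_reverse(ip: str) -> List[str]:
    """Live PTR lookup through the system resolver."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except OSError as exc:
        raise LookupError(str(exc))
    return [host] + list(aliases)

def dns_forward(name: str) -> List[str]:
    """Live A lookup through the system resolver."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except OSError as exc:
        raise LookupError(str(exc))
    return list(addrs)

def is_dsn_sender(envelope_from: str) -> bool:
    """A delivery status notification carries an empty envelope sender."""
    return envelope_from.strip() in ("", "<>")

def fcrdns_ok(ip: str, reverse: Resolver = dns_reverse,
              forward: Resolver = dns_forward) -> bool:
    """True when at least one PTR name of `ip` resolves back to `ip`."""
    try:
        names = reverse(ip)
    except LookupError:
        return False
    for name in names:
        try:
            if ip in forward(name):
                return True
        except LookupError:
            continue
    return False

def parse_grey_entries(dump: str) -> List[dict]:
    """GREY lines of a spamdb dump.  Assumed layout (spamdb -a output):
    GREY|ip|helo|from|to|first|pass|expire|block|pass; other types skipped."""
    entries = []
    for line in dump.splitlines():
        f = line.strip().split("|")
        if len(f) >= 5 and f[0] == "GREY":
            entries.append({"ip": f[1], "helo": f[2], "from": f[3], "to": f[4]})
    return entries

def hosts_to_trap(dump: str, reverse: Resolver = dns_reverse,
                  forward: Resolver = dns_forward) -> List[str]:
    """IPs that sent us a DSN from a host without matching FCrDNS."""
    bad: Set[str] = set()
    for e in parse_grey_entries(dump):
        if is_dsn_sender(e["from"]) and not fcrdns_ok(e["ip"], reverse, forward):
            bad.add(e["ip"])
    return sorted(bad)

def pfctl_add_args(table: str, ips: Iterable[str]) -> List[str]:
    """Argument vector that loads the trapped hosts into a pf table."""
    return ["pfctl", "-t", table, "-T", "add"] + list(ips)

# Constructed sample data (not from the thread): a fake DNS view and a few
# greylist entries in documentation address ranges.
FAKE_PTR = {"192.0.2.10": ["mx.example.net"],
            "198.51.100.7": ["mail.example.org"]}   # 203.0.113.5 has no PTR
FAKE_A = {"mx.example.net": ["192.0.2.10"],
          "mail.example.org": ["198.51.100.99"]}   # PTR name points elsewhere

def fake_reverse(ip: str) -> List[str]:
    if ip not in FAKE_PTR:
        raise LookupError(ip)
    return FAKE_PTR[ip]

def fake_forward(name: str) -> List[str]:
    if name not in FAKE_A:
        raise LookupError(name)
    return FAKE_A[name]

SAMPLE_DUMP = """\
GREY|192.0.2.10|mx.example.net|<>|<bob@example.com>|1204000000|1204014400|1204518400|1|0
GREY|198.51.100.7|mail.example.org|<>|<alice@example.com>|1204000000|1204014400|1204518400|1|0
GREY|203.0.113.5|zombie|<>|<nobody@example.com>|1204000000|1204014400|1204518400|1|0
GREY|192.0.2.20|relay.example.com|<joe@example.com>|<bob@example.com>|1204000000|1204014400|1204518400|1|0
WHITE|192.0.2.30|||1204000000|1204014400|1204518400|1|0
"""

if __name__ == "__main__":
    trapped = hosts_to_trap(SAMPLE_DUMP, fake_reverse, fake_forward)
    print(" ".join(pfctl_add_args("spammers", trapped)))  # "spammers": placeholder table
```

Only DSN senders are checked, so a host with no PTR that sends ordinary mail (192.0.2.20 in the sample) is left to the normal greylisting path.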

Re: problems with hoststated and relayd

2008-03-03 Thread Wijnand Wiersma

Hi Reyk,

thank you for your reply.

Reyk Floeter wrote:
> On Mon, Mar 03, 2008 at 10:29:30AM +0100, Wijnand Wiersma wrote:
>> Sebastian Reitenbach wrote:
>>> Also a http redirect did not work. I get a timeout in the browser. With
>>> tcpdump I see incoming SYN packets to port 80, but they are not answered:
>>
>> I am having the same problem with Feb 25 snapshot.
>> It seems no rdr rules are getting loaded into PF.
>
> ? the previous bug report was about relays only, it does not load any
> rdr rules into PF.

I quoted the part where Sebastian mentioned ordinary redirects failing
too. Maybe I cut too much. Correct Sebastian?

> in your case, have you added the relayd anchor to pf.conf?
>
> rdr-anchor "relayd/*"

Yes, sure I did.

Here is the full config:
# grep -v ^# /etc/relayd.conf
ext_addr="85.158.207.27"
webhost1="10.10.11.36"
webhost2="10.10.11.37"

table  { $webhost1 $webhost2 }
table  { 127.0.0.1 }

redirect www {
listen on $ext_addr port http interface carp0

# tag every packet that goes thru the rdr rule with RELAYD
tag RELAYD

forward to  timeout 200 check http "/" code 200
forward to  check icmp
}

# grep -v ^# /etc/pf.conf

ext_if="pcn0"
int_if="pcn1"

set skip on lo

scrub in

rdr-anchor "relayd/*"
nat on $ext_if from (carp1:network) -> (carp0:0)

block in log
pass out

pass quick on $int_if
pass quick on carp1
antispoof quick for { lo $int_if carp1}

pass quick proto carp
pass quick proto icmp
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass quick proto tcp from any to any port http

I am using the 1 March snapshot now.

Wijnand



Re: problems with hoststated and relayd

2008-03-03 Thread Sebastian Reitenbach
Reyk Floeter <[EMAIL PROTECTED]> wrote: 
> hi!
> 
> I tested your config and it works fine without problems, there is no
> bug in relayd here...
> 
> ...you seem to make a common mistake:
> 
> > forward to  port http mode hash \
> > check http "/" code 200
> 
> you expect that the webservers always return the HTTP error code 200
> OK.  this is not how HTTP works.  your webserver may return another
> error based on the site, state, or configuration (moved, not allowed,
> not found, server error, ...).
> 
> please test the following:
> 
> $ lynx -head http://10.0.0.121/
This was done on the host running relayd:
HTTP/1.1 200 OK
Date: Mon, 03 Mar 2008 18:22:37 GMT
Server: Apache
Last-Modified: Tue, 28 Aug 2007 16:00:16 GMT
ETag: "fccbb0109d4b4b44b551e2fe7cc156404b93a785"
Accept-Ranges: bytes
Content-Length: 2216
Connection: close
Content-Type: text/html

On the 4.2 host, this check also works well with hoststated, where it's
embedded in the table definition, see the last configuration snippet. But with
hoststated, I have the other problem mentioned below.
The / on the apache instances is just serving the apache index page. 
The application itself sits behind a location, but I think checking just the
apache availability, and then assuming the application is there too, is fine
for testing.

> 
> and you will see the HTTP header.  for example, the following header
> would require you to change your check to 'check http "/" code 302'
> (or even 'check http "/oxid/" code 200'):
> 
> HTTP/1.1 302 Found
> Date: Mon, 03 Mar 2008 17:24:10 GMT
> Server: Apache
> Location: /oxid/
> Connection: close
> Content-Type: text/html
> 
> i normally use a special monitor script to check the state on the
> webservers, for example the Zend platform provides the following
> self-test:
> 
> check http '/ZendPlatform/client/getPing.php' code 200

there is unfortunately no such thing in the app I want to use, at least not 
that I am aware of, but I think the ordinary http check is ok for now.

Sebastian

> 
> reyk
> 
> On Mon, Mar 03, 2008 at 07:45:00AM +0100, Sebastian Reitenbach wrote:
> > Hi,
> > 
> > this is the first time I play around with hoststated/relayd.
> > I have a stateful web application, and try to use hoststated/relayd in front
> > of it. Because the application is stateful, the client has to be redirected
> > to the same instance for the session lifetime. The session id is encoded as
> > GET parameter "wosid". Further I have the problem that many of the users are
> > either sitting behind a proxy or a NAT'ed IP address, so these should not be
> > redirected to the same application instance.
> > I tried with hoststated on OpenBSD 4.2 i386 and with relayd on
> > OpenBSD -snapshot sparc64 from beginning of February 08.
> > 
> > I'm not sure, whether I see the same problems, as described here in that
> > thread:
> > http://www.nabble.com/relayd-http-check-connection-failures--hoststated-operates-correctly-to15646508.html
> > 
> > Well, I do not fiddle around with carp interfaces, and I also tried the
> > patch with the timeout, that did not fix my problem.
> > 
> > First I tried to use relayd, until I came across above mentioned thread,
> > however, first I tried to setup a ssl accelerator as in the example:
> > 
> > ext_addr="10.0.0.24"
> > ogo1="10.0.0.121"
> > ogo2="10.0.0.122"
> > ogo3="10.0.0.123"
> > ogo4="10.0.0.124"
> > ogo5="10.0.0.125"
> > 
> > timeout 
> > 
> > table  { $ogo1 $ogo2 $ogo3 $ogo4 $ogo5 }
> > 
> > http protocol httpssl {
> > header append "$REMOTE_ADDR" to "X-Forwarded-For"
> > header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
> > header change "Connection" to "close"
> > cookie hash "wosid"
> > url hash "wosid"
> > url log "wosid"
> > 
> > # Various TCP performance options
> > #   tcp { nodelay, sack, socket buffer 65536, backlog 128 }
> > 
> > #   ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
> > #   ssl session cache disable
> > }
> > 
> > relay wwwssl {
> > # Run as a SSL accelerator
> > listen on $ext_addr port 443 ssl
> > protocol httpssl
> > 
> > # Forward to hosts in the webhosts table using a src/dst hash
> > forward to  port http mode hash \
> > check http "/" code 200
> > }
> > 
> > # relayd -d -vv -f /etc/relayd.conf
> > startup
> > init_filter: filter init done
> > init_tables: created 0 tables
> > relay_privinit: adding relay wwwssl
> > protocol 0: name httpssl
> > flags: 0x0004
> > type: http
> > request change "Connection" to "close"
> > request cookie hash "wosid"
> > request url hash "wosid"
> > request url log "wosid"
> > request append "$SERVER_ADDR:$SERVER_PORT" 
> > to "X-Forwarded-By"
> > request append "$REMOTE_ADDR" to "X-Forwarded-For"
> > hce_notify_done: 10.0.0.121 (tcp_send_req: timeout)
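
Reyk's point about `check http "/" code 200` made concrete, as an added example (not relayd's own code): it parses the two response heads quoted in this thread and applies the same exact-code comparison, so the 302 with `Location: /oxid/` fails a `code 200` check while the 200 passes, and it spells out the two alternative checks named in the reply.

```python
"""Emulation of the status-code comparison behind relayd's
`check http "<path>" code <N>` host check, run against captured response
heads instead of a live socket."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class ResponseHead:
    version: str
    code: int
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_response_head(raw: str) -> ResponseHead:
    """Parse status line and headers (what `lynx -head` prints).
    Header names are lower-cased; parsing stops at the first blank line."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return ResponseHead(parts[0][5:], int(parts[1]),
                        parts[2] if len(parts) == 3 else "", headers)


def check_http_code(raw: str, expected: int) -> bool:
    """True only when the status code is exactly `expected`; a 302 from a
    redirecting site therefore fails a `code 200` check."""
    return parse_response_head(raw).code == expected


def suggested_check(raw: str, path: str) -> str:
    """For a response that would fail `code 200`, spell out the two fixes
    named in the reply: accept the real code, or check the redirect target."""
    resp = parse_response_head(raw)
    if resp.code == 200:
        return 'check http "%s" code 200' % path
    if resp.code in (301, 302, 303, 307, 308) and "location" in resp.headers:
        return 'check http "%s" code %d (or check http "%s" code 200)' % (
            path, resp.code, resp.headers["location"])
    return 'check http "%s" code %d' % (path, resp.code)


# The two response heads quoted in the thread.
RESP_200 = """HTTP/1.1 200 OK
Date: Mon, 03 Mar 2008 18:22:37 GMT
Server: Apache
Last-Modified: Tue, 28 Aug 2007 16:00:16 GMT
ETag: "fccbb0109d4b4b44b551e2fe7cc156404b93a785"
Accept-Ranges: bytes
Content-Length: 2216
Connection: close
Content-Type: text/html
"""

RESP_302 = """HTTP/1.1 302 Found
Date: Mon, 03 Mar 2008 17:24:10 GMT
Server: Apache
Location: /oxid/
Connection: close
Content-Type: text/html
"""

if __name__ == "__main__":
    for name, raw in (("200 response", RESP_200), ("302 response", RESP_302)):
        ok = check_http_code(raw, 200)
        print('%s: check http "/" code 200 -> %s' % (name, "up" if ok else "down"))
        if not ok:
            print("  suggested: " + suggested_check(raw, "/"))
```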

routing/gateway woes.... help needed

2008-03-03 Thread Aaron Martinez
I'm having some major woes with an OBSD 4.2 stable system and routing. 
I've racked my brain over the weekend trying to figure it out and haven't
come up with anything.. hopefully someone here can shed some light.

I have 5 interfaces, fxp0-3 and rl0.  fxp0-3 are all primary interfaces
for a corresponding carp interface.  I need to have two /28 networks on my
carp0 interface and one /27 network on carp1.  Whenever I add an alias to
my carp0 or carp1 interfaces I get the following error:
Mar  2 22:03:32 fw1 /bsd: arp_rtrequest: bad gateway value
Mar  2 22:03:32 fw1 /bsd: arp_rtrequest: bad gateway value

Here are the contents of my hostname.if files.

fxp0: inet 192.168.3.130 255.255.255.240 NONE
fxp1: inet 192.168.2.162 255.255.255.224 NONE
fxp2: inet 10.57.23.2 255.255.255.0 NONE
fxp3: inet 10.181.247.2 255.255.255.0 NONE
rl0:  inet 10.23.183.1 255.255.255.252 NONE

hostname.carp0:
inet 192.168.3.129 255.255.255.240 192.168.3.143 vhid 1 carpdev fxp0 pass testing0

hostname.carp1:
inet 192.168.2.161 255.255.255.224 192.168.2.191 vhid 2 carpdev fxp1 pass testing1
inet alias 192.168.2.164 255.255.255.255

hostname.carp2:
inet 10.57.23.254 255.255.255.0 10.57.23.255 vhid 3 carpdev fxp2 pass testing2

hostname.carp3:
inet 10.181.247.136 255.255.255.0 204.181.247.255 vhid 4 carpdev fxp3 pass testing3

Here is the output from netstat -rnf inet:
Routing tables

Internet:
Destination        Gateway            Flags  Refs  Use    Mtu  Interface
default            192.168.3.142      UGS       2  148      -  fxp0
10.23.183.0/30     link#5             UC        0    0      -  rl0
10.57.23/24        link#3             UC        0    0      -  fxp2
10.57.23.254       10.57.23.254       UH        0    0      -  carp2
127/8              127.0.0.1          UGRS      0    0  33208  lo0
127.0.0.1          127.0.0.1          UH        2   20  33208  lo0
192.168.2.160/27   link#2             UC        0    0      -  fxp1
192.168.2.161      192.168.2.161      UH        0    0      -  carp1
192.168.2.164      192.168.2.164      UH        0    0      -  carp1
192.168.2.164/32   192.168.2.164      U         0    0      -  carp1
192.168.3.128/28   link#1             UC        1    0      -  fxp0
192.168.3.129      192.168.3.129      UH        0    0      -  carp0
192.168.3.142      00:40:f4:76:3d:d3  UHLc      1    0      -  fxp0
10.181.247/24      link#4             UC        1    0      -  fxp3
10.181.247.25      00:08:02:0b:63:59  UHLc      1    1      -  fxp3
10.181.247.136     10.181.247.136     UH        0    0      -  carp3
224/4              127.0.0.1          URS       0    0  33208  lo0

I think this looks right.  I'm wondering however why there are two
instances of 192.168.2.164, one with and one without the /32.  This
happens for every address I have as an inet alias.

When I remove the alias line from the above hostname.carp1 and then run
"sh /etc/netstart" I don't get the arp_rtrequest errors in messages, but
the odd thing is that when I issue the netstat -rnf inet command again,
the routes for 192.168.2.164 are still there.  Isn't running /etc/netstart
supposed to essentially flush everything and restart the networking?

Also, it doesn't matter which (hostname.carp0 or hostname.carp1) I put the
aliases in, I still get the error.  The same error occurs when I have the
following for hostname.carp0 and hostname.carp1:

hostname.carp0:
inet 192.168.3.129 255.255.255.240 192.168.3.143 vhid 1 carpdev fxp0 pass testing0
inet alias 192.168.3.132 255.255.255.255

hostname.carp1:
inet 192.168.2.161 255.255.255.224 192.168.2.191 vhid 2 carpdev fxp1 pass testing1

Any help with this would be _greatly_ appreciated as I've beat my head
against the wall trying to see what I'm doing wrong and I can't seem to
figure it out.  I googled for the error but what was returned seemed
really old, and even what I read didn't seem pertinent to my
situation.

If any other information is needed, please ask and I will provide it.


Thanks in advance,

Aaron Martinez

DMESG:
Mar  3 05:26:15 fw1 /bsd: OpenBSD 4.2-stable (GENERIC) #0: Fri Dec 28
19:29:04 CST 2007
Mar  3 05:26:15 fw1 /bsd:
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Mar  3 05:26:15 fw1 /bsd: cpu0: Intel(R) Celeron(R) CPU 2.00GHz
("GenuineIntel" 686-class) 2 GHz
Mar  3 05:26:15 fw1 /bsd: cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
Mar  3 05:26:15 fw1 /bsd: real mem  = 268005376 (255MB)
Mar  3 05:26:15 fw1 /bsd: avail mem = 251502592 (239MB)
Mar  3 05:26:15 fw1 /bsd: mainbus0 at root
Mar  3 05:26:15 fw1 /bsd: bios0 at mainbus0: AT/286+ BIOS, date 07/22/03,
BIOS32 rev. 0 @ 0xfb160, SMBIOS rev. 2.3 @ 0xf0800 (38 entries)
Mar  3 05:26:15 fw1 /bsd: bios0: vendor Award Software International, Inc.
version "6.00 PG" date 07/22/2003
Mar  3 05:26:15 fw1 /bsd: bios0: Supermi

Re: problems with hoststated and relayd

2008-03-03 Thread Sebastian Reitenbach
Hi,

Reyk Floeter <[EMAIL PROTECTED]> wrote: 
> On Mon, Mar 03, 2008 at 10:29:30AM +0100, Wijnand Wiersma wrote:
> > Sebastian Reitenbach wrote:
> > >
> > > Also a http redirect did not work. I get a timeout in the browser. With
> > > tcpdump I see incoming SYN packets to port 80, but they are not
> > > answered:
> > >
> > 
> > 
> > I am having the same problem with Feb 25 snapshot.
> > It seems no rdr rules are getting loaded into PF.
> > 
> 
> ? the previous bug report was about relays only, it does not load any
> rdr rules into PF.
> 
> in your case, have you added the relayd anchor to pf.conf?
> 
> rdr-anchor "relayd/*"

yeah, I have, below my pf.conf:

ext_if="hme0"
table  persist { 10.0.0.121, 10.0.0.122, 10.0.0.123, 
10.0.0.124, 10.0.0.125 }

set skip on lo
scrub in
rdr-anchor "relayd/*"
block in log
pass out log
antispoof quick for { lo }
pass in log on $ext_if proto tcp to ($ext_if) port ssh
pass in log on $ext_if proto tcp to ($ext_if) port https
pass in log on $ext_if proto tcp to ($ext_if) port http
pass in log on $ext_if proto tcp to  port http

The table and the last pass rule are there because these connections got
blocked without that rule. But I assume that if everything worked correctly,
I wouldn't need it.

Sebastian



Re: pf tag goes missing post sshd tcp decapsulization

2008-03-03 Thread Giancarlo Razzolini
scott escreveu:
> RE: Also, "...new chroot functionally off ssh that
> is shipping with open 4.3, will help on doing this."
>
> I'll look into this.  It's my understanding, flawed as it may be, that
> (i) sshd runs as root and (ii) there can be one instance only.
(i) Yes, it runs as root (because of tty allocation, and other things).
The exception is that if the UsePrivilegeSeparation (defaults to yes)
setting is being used, the sshd will drop the privilege to the user
logging in.
(ii) There can be as many instances of sshd as you want. You just need to
start them pointing to different config files (-f).
>
> Do you know if the sshd in 4.3 via chroot affords (i) sshd as a user or
> group id and (ii) would multiple instances (with different user/group
> ids) be possible.  If these other-than-root user or group ids are
> filterable in pf it might work.
(i) Yes. Chroot can be set on a per user/group basis with the
MatchUser/MatchGroup directive.
(ii) Yes, you can use the user keyword or the group keyword on pf to
filter based on user and group, respectively. The only problem is that
the connection must be made from the machine. Or you should use the
authpf functionality.
>
> If this is the favorable case, then my problem may be solvable by
> running two sshd instances -- one for the outside to inside sessions and
> an other handling the (inside) wifi sessions, each with the pf rules
> peculiar to the desired traffic flows.
>
> Or am I doing the exotic "zebra" instead of plain "horse" thing?
>
No, this is something that can be done. But instead I would recommend
some kind of captive portal (wicap) or authpf for the wifi sessions.
> Thx.
>
> -Original Message-
> From: Giancarlo Razzolini <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: misc@openbsd.org
> Subject: Re: pf tag goes missing post sshd tcp decapsulization
> Date: Mon, 03 Mar 2008 13:02:02 -0300
> Mailer: Thunderbird 1.5.0.14pre (X11/20071023)
> Delivered-To: [EMAIL PROTECTED]
>
> Henning Brauer escreveu:
>> * Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]:
>>> Tags are only visible while in the kernel. Once you send them to an
>>> application, unless it has the ability to set a tag, the tag will be
>>> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on
>>> the packet. It would be nice if more userland applications like sshd,
>>> spamd, hoststated, etc, could set tags too.
>> actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically
>> inserts rules and makes THEM tag the packets. that concept doesn't
>> translate all that well to the other usage cases you mention.
>>
> And, as the packets pass by the rules that ftp-proxy inserted, they
> can be filtered using the tag inserted with ftp-proxy. But it would
> be really nice to have other applications being able to "see" tags and
> set them too in the packets passing through them. But I don't see it
> much as a limitation. I do use the user keyword or other means to filter
> based on the application. Also, a very good thing is the ability to use
> authpf. I also think that the new chroot functionality of ssh that
> is shipping with OpenBSD 4.3 will help in doing this.
>
> My regards,
> --
> Giancarlo Razzolini
> Linux User 172199
> Red Hat Certified Engineer no:804006389722501
> Moleque Sem Conteudo Numero #002
> Slackware Current
> OpenBSD Stable
> Ubuntu 7.04 Feisty Fawn
> Snike Tecnologia em Informatica
> 4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
>
> [demime 1.01d removed an attachment of type application/pgp-signature which
> had a name of signature.asc]
>
>


--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: problems with hoststated and relayd

2008-03-03 Thread Reyk Floeter
hi!

I tested your config and it works fine without problems, there is no
bug in relayd here...

...you seem to make a common mistake:

> forward to  port http mode hash \
> check http "/" code 200

you expect that the webservers always return the HTTP error code 200
OK.  this is not how HTTP works.  your webserver may return another
error based on the site, state, or configuration (moved, not allowed,
not found, server error, ...).

please test the following:

$ lynx -head http://10.0.0.121/

and you will see the HTTP header.  for example, the following header
would require you to change your check to 'check http "/" code 302'
(or even 'check http "/oxid/" code 200'):

HTTP/1.1 302 Found
Date: Mon, 03 Mar 2008 17:24:10 GMT
Server: Apache
Location: /oxid/
Connection: close
Content-Type: text/html

i normally use a special monitor script to check the state on the
webservers, for example the Zend platform provides the following
self-test:

check http '/ZendPlatform/client/getPing.php' code 200

reyk

On Mon, Mar 03, 2008 at 07:45:00AM +0100, Sebastian Reitenbach wrote:
> Hi,
> 
> this is the first time I play around with hoststated/relayd.
> I have a stateful web application, and try to use hoststated/relayd in front
> of it. Because the application is stateful, the client has to be redirected
> to the same instance for the session lifetime. The session id is encoded as
> GET parameter "wosid". Further I have the problem that many of the users are
> either sitting behind a proxy or a NAT'ed IP address, so these should not be
> redirected to the same application instance.
> I tried with hoststated on OpenBSD 4.2 i386 and with relayd on
> OpenBSD -snapshot sparc64 from beginning of February 08.
> 
> I'm not sure, whether I see the same problems, as described here in that
> thread:
> http://www.nabble.com/relayd-http-check-connection-failures--hoststated-operates-correctly-to15646508.html
> 
> Well, I do not fiddle around with carp interfaces, and I also tried the
> patch with the timeout, that did not fixed my problem.
> 
> First I tried to use relayd, until I came across above mentioned thread,
> however, first I tried to setup a ssl accelerator as in the example:
> 
> ext_addr="10.0.0.24"
> ogo1="10.0.0.121"
> ogo2="10.0.0.122"
> ogo3="10.0.0.123"
> ogo4="10.0.0.124"
> ogo5="10.0.0.125"
> 
> timeout 
> 
> table  { $ogo1 $ogo2 $ogo3 $ogo4 $ogo5 }
> 
> http protocol httpssl {
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
> header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
> header change "Connection" to "close"
> cookie hash "wosid"
> url hash "wosid"
> url log "wosid"
> 
> # Various TCP performance options
> #   tcp { nodelay, sack, socket buffer 65536, backlog 128 }
> 
> #   ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
> #   ssl session cache disable
> }
> 
> relay wwwssl {
> # Run as a SSL accelerator
> listen on $ext_addr port 443 ssl
> protocol httpssl
> 
> # Forward to hosts in the webhosts table using a src/dst hash
> forward to  port http mode hash \
> check http "/" code 200
> }
> 
> # relayd -d -vv -f /etc/relayd.conf
> startup
> init_filter: filter init done
> init_tables: created 0 tables
> relay_privinit: adding relay wwwssl
> protocol 0: name httpssl
> flags: 0x0004
> type: http
> request change "Connection" to "close"
> request cookie hash "wosid"
> request url hash "wosid"
> request url log "wosid"
> request append "$SERVER_ADDR:$SERVER_PORT" 
> to "X-Forwarded-By"
> request append "$REMOTE_ADDR" to "X-Forwarded-For"
> hce_notify_done: 10.0.0.121 (tcp_send_req: timeout)
> relay_init: max open files 1024
> relay_init: max open files 1024
> host 10.0.0.121, check http code (9ms), state unknown -> down, availability 
> 0.00%
> hce_notify_done: 10.0.0.122 (tcp_send_req: timeout)
> host 10.0.0.122, check http code (51ms), state unknown -> down, availability 
> 0.00%
> hce_notify_done: 10.0.0.123 (tcp_send_req: timeout)
> host 10.0.0.123, check http code (52ms), state unknown -> down, availability 
> 0.00%
> hce_notify_done: 10.0.0.124 (tcp_send_req: timeout)
> host 10.0.0.124, check http code (53ms), state unknown -> down, availability 
> 0.00%
> hce_notify_done: 10.0.0.125 (tcp_send_req: timeout)
> host 10.0.0.125, check http code (53ms), state unknown -> down, availability 
> 0.00%
> pfe_dispatch_imsg: state -1 for host 9 10.0.0.121
> pfe_dispatch_imsg: state -1 for host 8 10.0.0.122
> pfe_dispatch_imsg: state -1 for host 7 10.0.0.123
> pfe_dispatch_imsg: state -1 for host 6 10.0.0.124
> pfe_dispatch_imsg: state -1 for host 5 10.0.0.125
> relay_ssl_ctx_create: loading certificate
> relay_init: max open files 1024
> relay_ssl_ctx_create: loading certificate
> relay_ssl_ctx_create: loading certificate
> relay_ssl_
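To make Reyk's point concrete, here is an added Python example (not code from the thread or from relayd itself) that does what `check http "/" code 200` does: it compares only the numeric status code of the first response line. It parses a constructed copy of the 302 head shown above and works out which check directives would pass for it; `probe()` issues a real HEAD request with a timeout so that a backend that never answers (the `tcp_send_req: timeout` case in Sebastian's log) is reported separately from one that answers with the wrong code. The backend address in the trailing comment is the one from the thread; everything else is assumed.

```python
import socket

# Constructed sample: the response head shown above from `lynx -head`,
# as relayd's health checker would read it off the socket.
SAMPLE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Mon, 03 Mar 2008 17:24:10 GMT\r\n"
    b"Server: Apache\r\n"
    b"Location: /oxid/\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def parse_head(raw):
    """Return (status_code, headers) from a raw HTTP response head.

    Only the status line and header block are inspected; a body, if
    present, is ignored, which is all an HTTP code check looks at.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_http_code(raw, expected):
    """What `check http <path> code <expected>` decides: the host is up
    only when the status code matches exactly.  Returns (ok, actual)."""
    code, _ = parse_head(raw)
    return code == expected, code


def suggest_checks(raw, path, wanted=200):
    """Given the real response for `path`, list check directives that
    would pass: accept the code actually returned on `path`, or, for a
    relative redirect, check the Location target for `wanted` instead."""
    code, headers = parse_head(raw)
    out = ['check http "%s" code %d' % (path, code)]
    target = headers.get("location", "")
    if 300 <= code < 400 and target.startswith("/"):
        out.append('check http "%s" code %d' % (target, wanted))
    return out


def probe(host, port=80, path="/", timeout=2.0):
    """Fetch a response head with a HEAD request, like `lynx -head`.

    Returns the raw bytes, or the string "timeout" / "unreachable" so a
    caller can tell a backend that never answers (what relayd logs as
    `tcp_send_req: timeout`) from one that answers with the wrong code.
    """
    req = ("HEAD %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
           % (path, host)).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    ok, code = check_http_code(SAMPLE_302, 200)
    print('check http "/" code 200 ->', "up" if ok else "down (got %d)" % code)
    for directive in suggest_checks(SAMPLE_302, "/"):
        print("would pass:", directive)
    # Against a real backend (address from the thread):
    # resp = probe("10.0.0.121")
    # print(resp if isinstance(resp, str) else check_http_code(resp, 200))
```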

Re: problems with hoststated and relayd

2008-03-03 Thread Reyk Floeter
On Mon, Mar 03, 2008 at 10:29:30AM +0100, Wijnand Wiersma wrote:
> Sebastian Reitenbach wrote:
> >
> > Also a http redirect did not work. I get a timeout in the browser. With
> > tcpdump I see incoming SYN packets to port 80, but they are not answered:
> >
> 
> 
> I am having the same problem with Feb 25 snapshot.
> It seems no rdr rules are getting loaded into PF.
> 

? the previous bug report was about relays only, it does not load any
rdr rules into PF.

in your case, have you added the relayd anchor to pf.conf?

rdr-anchor "relayd/*"

> And I was just about to showcase and brag about a very hip setup ;-)
> 
> Wijnand



Special discount pass for the Foire du Trône.

2008-03-03 Thread Avantages Multiples
Foire du Trône 2008

From Saturday 22 March to Sunday 18 May

An ideal gift for a festive spring, from only 32 euros
The sunny, magical event not to be missed!

Every year, the Foire du Trône welcomes several thousand visitors
You too can give your beneficiaries the exclusive privileges of the PASS

GIVE THE PASS
FOIRE DU TRONE 2008
1 PASS = 24 TICKETS, INCLUDING 1 RAFFLE TICKET

- 10 NAMED tickets, each good for one free ride on the predefined
attraction (see the list below)
- 4 SUPER BONUS tickets, each good for 1 free ride of your choice among
the thirty or so attractions taking part in the PASS offer (PASS logo
displayed at the till)
- 2 tickets 1 GAME BOUGHT = 1 GAME FREE, valid at the game stalls (PASS
logo displayed at the till)
- 1 ticket 15% OFF, valid at the confectioners and refreshment stands
taking part in the PASS offer (PASS logo displayed at the till)
- 1 ticket (one 1 € coin), worth 1 € off the ride + LE MAXIMUM;
- 5 tickets 1 SEAT BOUGHT = 1 SEAT FREE on the attractions:
L'AUTOROUTE, LA PETITE SIRENE, TOY LAND, LE TAGADA, LE NEW COMER
- 1 RAFFLE ticket, which lets you enter a prize draw: fill it in and drop
it into the box provided near the PASS reception desk to win one of the
many prizes on offer

LIST OF THE 10 NAMED TICKETS

- LE KING
- LA ROUE
- L'INSIDER
- L'EXTREME
- LE BOOMERANG
- LE SUPER TOP DANCE
- LE TOP SPIN
- L'INCAS
- LE TRAIN FANTOME (PASS logo displayed at the till)
- LE JUMBO CIRCUS (new for 2008)

Click HERE to order on the website and pay by secure card payment
www.promo-pass.fr

Click HERE to download the PDF order form and pay by cheque or bank
transfer

Foire du Trône 2008

The family event
not to be missed!

- Over 350 attractions
- A 100,000 m² park
- 4 million visitors

The magic of the Pass

- Practical and simple to use
- For young and old
- Valid for the whole duration of the Foire du Trône
- Usable in one or several visits
- For the most prestigious rides
- Commercial offers and discounts

Take advantage of our BAKER'S DOZEN offer
12 PASSES BOUGHT = 1 PASS FREE

Click HERE to order on the website and pay by secure card payment
www.promo-pass.fr

Click HERE to download the PDF order form and pay by cheque or bank
transfer

www.avantages-multiples.com
Multi-specialist in cinema ticketing

3 rue Jean Jaurès - 91860 Epinay sous Sénart
SARL with a capital of 32,600 € - R.C. B 485070635

Tel: 01 75 43 42 50 - Fax: 01 75 43 88 70

If you no longer wish to receive emails from us, follow this link



Re: pf tag goes missing post sshd tcp decapsulization

2008-03-03 Thread scott
RE: Also, "...new chroot functionally off ssh that
is shipping with open 4.3, will help on doing this."

I'll look into this.  It's my understanding, flawed as it may be, that
(i) sshd runs as root and (ii) there can be one instance only.

Do you know if the sshd in 4.3 via chroot affords (i) sshd as a user or
group id and (ii) would multiple instances (with different user/group
ids) be possible.  If these other-than-root user or group ids are
filterable in pf it might work.

If this is the favorable case, then my problem may be solvable by
running two sshd instances -- one for the outside to inside sessions and
an other handling the (inside) wifi sessions, each with the pf rules
peculiar to the desired traffic flows. 

Or am I doing the exotic "zebra" instead of plain "horse" thing?

Thx.

-Original Message-
From: Giancarlo Razzolini <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: pf tag goes missing post sshd tcp decapsulization
Date: Mon, 03 Mar 2008 13:02:02 -0300
Mailer: Thunderbird 1.5.0.14pre (X11/20071023)
Delivered-To: [EMAIL PROTECTED]

Henning Brauer escreveu:
> * Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]:
>> Tags are only visible while in the kernel. Once you send them to an
>> application, unless it has the ability to set a tag, the tag will be
>> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on
>> the packet. It would be nice if more userland applications like sshd,
>> spamd, hoststated, etc, could set tags too.
>
> actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically
> inserts rules and makes THEM tag the packets. that concept doesn't
> translate all that well to the other usage cases you mention.
>
And, as the packets pass by the rules that ftp-proxy inserted, they
can be filtered using the tag inserted with ftp-proxy. But it would
be really nice to have other applications being able to "see" tags and
set them too in the packets passing through them. But I don't see it
much as a limitation. I do use the user keyword or other means to filter
based on the application. Also, a very good thing is the ability to use
authpf. I also think that the new chroot functionality of ssh that
is shipping with OpenBSD 4.3 will help in doing this.

My regards,
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: pf tag goes missing post sshd tcp decapsulization

2008-03-03 Thread scott
Thanks, everyone, for the user- vs kernel-land info.  As soon as I read
it, I got it.  Disappointed but I got it.

ipsec/isakmpd is, I think, kernel-land and it has some very flexible
(per ipsec rule, not just daemon level, as in user or group filtering)
pf-visible tag capabilities.

As he crosses his fingers and starts the please-please-please dance ...
Respecting the differences between sshd and ipsec implementations and,
now that I get it, their respective run space, it certainly would be
nice to see, as a "futures" item, sshd inherit whatever may be inheritable in
these regards.

This ssh -w option is sooo very cool!!!  It just needs a little more
something from the supporting cast of daemons.

Thx.



-Original Message-
From: Giancarlo Razzolini <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: pf tag goes missing post sshd tcp decapsulization
Date: Mon, 03 Mar 2008 13:02:02 -0300
Mailer: Thunderbird 1.5.0.14pre (X11/20071023)
Delivered-To: [EMAIL PROTECTED]

Henning Brauer escreveu:
> * Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]:
>> Tags are only visible while in the kernel. Once you send them to an
>> application, unless it has the ability to set a tag, the tag will be
>> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on
>> the packet. It would be nice if more userland applications like sshd,
>> spamd, hoststated, etc, could set tags too.
>
> actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically
> inserts rules and makes THEM tag the packets. that concept doesn't
> translate all that well to the other usage cases you mention.
>
And, as the packets pass by the rules that ftp-proxy inserted, they
can be filtered using the tag inserted with ftp-proxy. But it would
be really nice to have other applications being able to "see" tags and
set them too in the packets passing through them. But I don't see it
much as a limitation. I do use the user keyword or other means to filter
based on the application. Also, a very good thing is the ability to use
authpf. I also think that the new chroot functionality of ssh that
is shipping with OpenBSD 4.3 will help in doing this.

My regards,
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: pf tag goes missing post sshd tcp decapsulization

2008-03-03 Thread Giancarlo Razzolini
Henning Brauer escreveu:
> * Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]:
>> Tags are only visible while in the kernel. Once you send them to an
>> application, unless it has the ability to set a tag, the tag will be
>> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on
>> the packet. It would be nice if more userland applications like sshd,
>> spamd, hoststated, etc, could set tags too.
>
> actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically
> inserts rules and makes THEM tag the packets. that concept doesn't
> translate all that well to the other usage cases you mention.
>
And, as the packets pass by the rules that ftp-proxy inserted, they
can be filtered using the tag inserted with ftp-proxy. But it would
be really nice to have other applications being able to "see" tags and
set them too in the packets passing through them. But I don't see it
much as a limitation. I do use the user keyword or other means to filter
based on the application. Also, a very good thing is the ability to use
authpf. I also think that the new chroot functionality of ssh that
is shipping with OpenBSD 4.3 will help in doing this.

My regards,
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: pf tag goes missing post sshd tcp decapsulization

2008-03-03 Thread Henning Brauer
* Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]:
> Tags are only visible while in the kernel. Once you send them to an
> application, unless it has the ability to set a tag, the tag will be
> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on
> the packet. It would be nice if more userland applications like sshd,
> spamd, hoststated, etc, could set tags too.

actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically 
inserts rules and makes THEM tag the packets. that concept doesn't 
translate all that well to the other usage cases you mention.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: pf tag goes missing post sshd tcp decapsulization

2008-03-03 Thread Giancarlo Razzolini
scott escreveu:
> openBSD(4.2) and 4.3-beta
>
> /etc/pf.conf fragment
> # ---v---
> pass in log quick on em0 inet proto tcp \
>  from ! to (em0:0) port 22 \
>  tag SSHVPN flags S/SA keep state \
>  (max-src-conn-rate 3/120, overload  flush global) \
>  label R1
> #
> pass out log quick on em1 tagged SSHVPN keep state \
>  label R2
> #
> block log all label R3
> # ---^---
>
> In the above rule set, "R2" does not "match" anything, ever. It is
> silent to pflog0.  The traffic that should be passed by R2 instead posts
> in pflog0 as blocked by R3.
>
> Something about the sshd's tcp decapsulization or pf's relationship with
> it is losing the tag SSHVPN.
>
> Without the ability to tag the ssh tunneled traffic post
> decapsulization, I don't know how to do the differentiated handling I
> need.  e.g. sshd -w from inside via my wifi vs. sshd -w from outside to
> inside.
>
> I've posted a form of this question before but I've focused it further
> here.  The ssh mail-list folks allege it's a pf issue.
>
> Now, I know that ssh -w flows via tun(n) interfaces.  The following
> rules set flows the outside to inside traffic BUT THERE'S NO LINKAGE
> BETWEEN R1 AND R2. Putting "tagged SSHVPN" on R2 will cause R2 to "not
> match" and therefore "not pass" the tun traffic.
> # ---v---
> pass in log quick on em0 inet proto tcp \
>  from ! to (em0:0) port 443 \
>  tag SSHVPN flags S/SA keep state \
>  (max-src-conn-rate 3/120, overload  flush global) \
>  label R1
> #
> pass in log quick on tun inet \
>  from (tun:peer) to any \
>  tag VTUNPKTS keep state label R2
> #
> pass out log quick on inside inet \
>  tagged VTUNPKTS keep state label R3
> # ---^---
>
> Is this a bug, or is there a way that R2 can "know" where the tun
> traffic is ingressing from?
>
> What I think I want to be able to effect is...
> # ---v---
> pass in log quick on em0 inet proto tcp \
>  from ! to (em0:0) port 443 \
>  tag SSHVPN flags S/SA keep state \
>  (max-src-conn-rate 3/120, overload  flush global) \
>  label R1
> #
> pass in log quick on tun inet \
>  tagged SSHVPN \
>  tag VTUNPKTS keep state label R2
> #
> pass out log quick on inside inet \
>  tagged VTUNPKTS keep state label R3
> # ---^---
>
>
> Thanks,
>
>
Tags are only visible while in the kernel. Once you send them to an
application, unless it has the ability to set a tag, the tag will be
lost. The ftp-proxy(8), AFAICR since 4.1, has the ability to set a tag on
the packet. It would be nice if more userland applications like sshd,
spamd, hoststated, etc. could set tags too. In this case (sshd) you
can't do much, as it runs with root privileges. You can't classify
it with the user keyword from pf. So I believe you will have to redesign
your rules in this case.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: pf tag goes missing post sshd tcp decapsulization

2008-03-03 Thread Henning Brauer
* scott <[EMAIL PROTECTED]> [2008-03-03 10:10]:
> Something about the sshd's tcp decapsulization or pf's relationship with
> it is losing the tag SSHVPN.

yes, since that happens in userland, tags are lost.
nothing you can do about it... it would be nice if userland apps could 
mark a socket such that everything sent via that socket gets a 
specified tag, but that functionality isn't there.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: write pf rules for acces concentrator server (pppoe)

2008-03-03 Thread Henning Brauer
* Fratiman Vladut <[EMAIL PROTECTED]> [2008-03-01 23:16]:
> I have a pppoe server. How can I write pf rules for this situation, in 
> order to specify any interface, ng0, ng1, ...?
> I see that there isn't any possibility to use wildcards in macros, something like 
> this:  ng_if="ng*".
> Obviously it isn't very easy to have a rule for every ng interface.
> How can this be resolved?

since there is no ng interface on OpenBSD I assume you use some other 
OS. which probably means you are doomed. On OpenBSD, you use interface 
groups for that, and clonable interfaces by default are in a group 
named by the interface base name, i. e. "ppp" for ppp0, ppp1, .. pppN.
I don't know if and to what extent other OSs that ported pf have 
picked up interface groups.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: bgpd again

2008-03-03 Thread Henning Brauer
* Erich <[EMAIL PROTECTED]> [2008-03-01 22:21]:
> Mar  1 21:00:58 interoute bgpd[30449]: neighbor 10.65.0.6 (iBGP): received 
> notification: HoldTimer expired, unknown subcode 0

the peer 10.65.0.6 did not send any UPDATE or KEEPALIVE message for 
$holdtime.
"bgpctl show neighbor 10.65.0.6"
while the session is established will show it, like
  Last read 00:00:01, holdtime 90s, keepalive interval 30s
In this case, the negotiated holdtime is 90 seconds (rather typical) 
and we will send a KEEPALIVE every 30s, unless UPDATEs happen which 
will reset the timer. You can have a closer look at the timers using
bgpctl show neighbor 10.65.0.6 timer
Whenever the hold timer expires the connection is considered dead and 
is reset. When that happens, a NOTIFICATION is sent. That happened 
here. Why the peer didn't send (or you didn't receive) anything for 
$holdtime is the question you need to answer.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
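An added Python model (not bgpd code) of the two timers Henning describes, using the 90s holdtime and 30s keepalive interval from the bgpctl line: `hold_timer_check` replays a peer's message timestamps and reports when the hold timer would expire and the NOTIFICATION go out, and `keepalive_schedule` shows how a speaker's own UPDATEs push its next KEEPALIVE back. The message timestamps are a constructed scenario.

```python
HOLDTIME = 90               # negotiated hold time (s), from the bgpctl line
KEEPALIVE = HOLDTIME // 3   # bgpd's keepalive interval: holdtime/3 = 30s


def hold_timer_check(received, now, holdtime=HOLDTIME):
    """Run the hold timer over a peer's message history.

    received: ascending timestamps (s) of UPDATE/KEEPALIVE messages from
    the peer, the first being the one that established the session.
    Returns ("ok", deadline) while the session lives, or
    ("expired", when) giving the instant the NOTIFICATION
    (HoldTimer expired) would be sent and the session reset.
    """
    if not received:
        raise ValueError("no messages received; session never established")
    last = received[0]
    for t in received[1:]:
        if t - last > holdtime:          # timer ran out before t arrived
            return "expired", last + holdtime
        last = t                         # any UPDATE/KEEPALIVE resets it
    if now - last > holdtime:
        return "expired", last + holdtime
    return "ok", last + holdtime


def keepalive_schedule(updates_sent, end, holdtime=HOLDTIME):
    """Times at which our side sends KEEPALIVEs up to `end`, given the
    times it sent UPDATEs: a KEEPALIVE is due holdtime/3 after the last
    message of either kind, so an UPDATE pushes the next one back."""
    interval = holdtime // 3
    updates = sorted(updates_sent)
    sent, last = [], 0.0
    while last + interval <= end:
        due = last + interval
        pending = [u for u in updates if last < u <= due]
        if pending:           # an UPDATE went out first: it resets the timer
            last = pending[0]
            continue
        sent.append(due)
        last = due
    return sent


if __name__ == "__main__":
    # Constructed scenario: peer talks every 30s, then goes silent at t=120.
    history = [0, 30, 60, 90, 120]
    print(hold_timer_check(history, now=200))   # ("ok", 210)
    print(hold_timer_check(history, now=240))   # ("expired", 210)
    print(keepalive_schedule([45], end=100))    # [30.0, 75.0]
```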



Re: /etc/ttys fields for reading from tty00

2008-03-03 Thread AE sysadmin
On 02/03/2008, Hannah Schroeter <[EMAIL PROTECTED]> wrote:

Hannah,

> IMO you don't need /etc/ttys entries for terminals unless you need the
> terminal to be managed by init(8) or tty flags to be set by ttyflags(8)
> at boot, or your own program wants to read information from the ttys
> file using the ttyent family of functions (getttyent(), getttynam(),
> setttyent(), endttyent()).


Oh, I see.

> For normal tty access, you need open/close/read/write, perhaps adorned
> by O_NONBLOCK (if you need to open the terminal line even though no
> carrier is detected) and probably a few terminal controls (see tty(4)
> and termios(4), using ioctl(2) and/or the functions described in the
> tcsetattr(3) manual page).



Yes, these are very useful; especially the O_NONBLOCK note - thank you.


On 02/03/2008, Marc Balmer <[EMAIL PROTECTED]> wrote:

Marc,

> you don't need to edit /etc/ttys, your C program has to open
> /dev/cua00 (not /dev/tty00) and everything will just work.
>

Thank you for the very direct answer. This is exactly what I needed.



Really thank you for your fast responses and your time.


Vova
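Putting Hannah's and Marc's advice together, here is an added C example (not code from anyone in this thread): it open(2)s the callout device with O_NONBLOCK so the open returns even when no carrier is detected, uses tcgetattr(3)/tcsetattr(3) to put the line into raw 8N1 mode with CLOCAL set so reads do not depend on carrier, then clears O_NONBLOCK again so the later read(2) calls block normally. The device path /dev/cua00 and the 9600 baud speed are assumptions.

```c
/* Added example: open a serial line on the callout device and read from it.
 * Device path and speed in main() are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Turn *t into a raw 8N1 configuration at 'speed': no line editing, no
 * echo, no signal characters, no flow control, and CLOCAL so the driver
 * ignores modem control lines.  Returns 0 on success, -1 on bad speed. */
int serial_raw_termios(struct termios *t, speed_t speed)
{
    t->c_iflag &= ~(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR |
                    ICRNL | IXON | IXOFF);
    t->c_oflag &= ~OPOST;                              /* no output mangling */
    t->c_lflag &= ~(ECHO | ECHONL | ICANON | ISIG | IEXTEN);
    t->c_cflag &= ~(CSIZE | PARENB | CSTOPB);          /* 8 data bits, no parity, 1 stop */
    t->c_cflag |= CS8 | CREAD | CLOCAL;                /* enable receiver, ignore carrier */
    t->c_cc[VMIN] = 1;                                 /* read returns after 1 byte */
    t->c_cc[VTIME] = 0;
    if (cfsetispeed(t, speed) == -1 || cfsetospeed(t, speed) == -1)
        return -1;
    return 0;
}

/* Open 'path' without waiting for carrier, configure it, then drop
 * O_NONBLOCK so read(2)/write(2) block as usual.  Returns the descriptor,
 * or -1 with errno set. */
int serial_open(const char *path, speed_t speed)
{
    struct termios t;
    int fd, flags, saved;

    fd = open(path, O_RDWR | O_NOCTTY | O_NONBLOCK);
    if (fd == -1)
        return -1;
    if (tcgetattr(fd, &t) == -1)
        goto fail;
    if (serial_raw_termios(&t, speed) == -1)
        goto fail;
    if (tcsetattr(fd, TCSANOW, &t) == -1)
        goto fail;
    flags = fcntl(fd, F_GETFL);
    if (flags == -1 || fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) == -1)
        goto fail;
    return fd;
fail:
    saved = errno;          /* keep the real cause; close() may clobber errno */
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    const char *dev = "/dev/cua00";   /* assumed OpenBSD callout device */
    char buf[128];
    ssize_t n;
    int fd = serial_open(dev, B9600);

    if (fd == -1) {
        fprintf(stderr, "%s: %s\n", dev, strerror(errno));
        return 1;
    }
    /* copy whatever arrives on the line to stdout until EOF or error */
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    return 0;
}
```

The O_NONBLOCK on open is the part Hannah points at: on a tty device the open otherwise waits for carrier, which is exactly the hang people run into on tty00; the callout device Marc names avoids the wait as well, and using both costs nothing.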



Re: XForwarding problem: SOLVED

2008-03-03 Thread Woodchuck
On Fri, 29 Feb 2008, Denny White wrote:

> 4AM, but that's okay. Problem solved. Had previously done some
> experimenting around with ~/.profile and ~/.kshrc when I'd been
> having history file problems in ksh. As soon as I reverted back
> to my old ~/.profile instead of the newer short one that just
> exported HISTSIZE, HISTFILE, and ENV=$HOME/.kshrc the XForwarding
> problem disappeared. Don't try this at home, kids, especially at
> 4AM when you're not only old and senile, but tired as hell too. :-) 

So what was the fix?  What is in the one .profile that was not
in the erroneous one?

Thanks,

Dave
-- 
   The future isn't what it used to be.
 -- G'kar



Re: problems with hoststated and relayd

2008-03-03 Thread John Johansson
On Mon Mar 03, 2008 at 07:45:00 +0100, Sebastian Reitenbach wrote:
> Hi,
> 
> this is the first time I play around with hoststated/relayd.
> I have a stateful web application, and try to use hoststated/relayd in front
> of it. Because the application is stateful, the client has to be redirected
> to the same instance for the session lifetime. The session id is encoded as
> GET parameter "wosid". Further I have the problem that many of the users are
> either sitting behind a proxy or a NAT'ed IP address, so these should not be
> redirected to the same application instance.
> I tried with hoststated on OpenBSD 4.2 i386 and with relayd on
> OpenBSD -snapshot sparc64 from beginning of February 08.
> 
> I'm not sure, whether I see the same problems, as described here in that
> thread:
> http://www.nabble.com/relayd-http-check-connection-failures--hoststated-operates-correctly-to15646508.html
> 
> Well, I do not fiddle around with carp interfaces, and I also tried the
> patch with the timeout, but that did not fix my problem.
> 
> First I tried to use relayd, until I came across the above mentioned thread;
> however, first I tried to set up an ssl accelerator as in the example:
> 
> ext_addr="10.0.0.24"
> ogo1="10.0.0.121"
> ogo2="10.0.0.122"
> ogo3="10.0.0.123"
> ogo4="10.0.0.124"
> ogo5="10.0.0.125"
> 
> timeout 
> 
> table  { $ogo1 $ogo2 $ogo3 $ogo4 $ogo5 }
> 
> http protocol httpssl {
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
> header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
> header change "Connection" to "close"
> cookie hash "wosid"
> url hash "wosid"
> url log "wosid"
> 
> # Various TCP performance options
> #   tcp { nodelay, sack, socket buffer 65536, backlog 128 }
> 
> #   ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
> #   ssl session cache disable
> }
> 
> relay wwwssl {
> # Run as a SSL accelerator
> listen on $ext_addr port 443 ssl
> protocol httpssl
> 
> # Forward to hosts in the webhosts table using a src/dst hash
> forward to  port http mode hash \
> check http "/" code 200
> }
> 
> # relayd -d -vv -f /etc/relayd.conf
> startup
> init_filter: filter init done
> init_tables: created 0 tables
> relay_privinit: adding relay wwwssl
> protocol 0: name httpssl
> flags: 0x0004
> type: http
> request change "Connection" to "close"
> request cookie hash "wosid"
> request url hash "wosid"
> request url log "wosid"
> request append "$SERVER_ADDR:$SERVER_PORT" 
> to "X-Forwarded-By"
> request append "$REMOTE_ADDR" to "X-Forwarded-For"
> hce_notify_done: 10.0.0.121 (tcp_send_req: timeout)
> relay_init: max open files 1024
> relay_init: max open files 1024
> host 10.0.0.121, check http code (9ms), state unknown -> down, availability 
> 0.00%
> hce_notify_done: 10.0.0.122 (tcp_send_req: timeout)
> host 10.0.0.122, check http code (51ms), state unknown -> down, availability 
> 0.00%
> hce_notify_done: 10.0.0.123 (tcp_send_req: timeout)
> host 10.0.0.123, check http code (52ms), state unknown -> down, availability 
> 0.00%
> hce_notify_done: 10.0.0.124 (tcp_send_req: timeout)
> host 10.0.0.124, check http code (53ms), state unknown -> down, availability 
> 0.00%
> hce_notify_done: 10.0.0.125 (tcp_send_req: timeout)
> host 10.0.0.125, check http code (53ms), state unknown -> down, availability 
> 0.00%
> pfe_dispatch_imsg: state -1 for host 9 10.0.0.121
> pfe_dispatch_imsg: state -1 for host 8 10.0.0.122
> pfe_dispatch_imsg: state -1 for host 7 10.0.0.123
> pfe_dispatch_imsg: state -1 for host 6 10.0.0.124
> pfe_dispatch_imsg: state -1 for host 5 10.0.0.125
> relay_ssl_ctx_create: loading certificate
> relay_init: max open files 1024
> relay_ssl_ctx_create: loading certificate
> relay_ssl_ctx_create: loading certificate
> relay_ssl_ctx_create: loading private key
> relay_init: max open files 1024
> adding 5 hosts from table ogohosts:80
> relay_init: max open files 1024
> relay_launch: running relay wwwssl
> relay_ssl_ctx_create: loading private key
> adding 5 hosts from table ogohosts:80
> relay_ssl_ctx_create: loading private key
> relay_launch: running relay wwwssl
> adding 5 hosts from table ogohosts:80
> relay_ssl_ctx_create: loading certificate
> relay_launch: running relay wwwssl
> relay_ssl_ctx_create: loading certificate
> relay_ssl_ctx_create: loading private key
> adding 5 hosts from table ogohosts:80
> relay_ssl_ctx_create: loading private key
> relay_launch: running relay wwwssl
> adding 5 hosts from table ogohosts:80
> relay_launch: running relay wwwssl
> relay wwwssl, session 1 established (1 active)
> relay_from_table: no active hosts
> relay wwwssl, session 1 (1 active), 0, 10.0.0.9 -> :80, session failed
> relay wwwssl, session 2 established (1 active)
> relay_from_table: no active hosts
> relay wwwssl, session 2 (1 active), 0, 10.0.0.9 -> :80, 

Re: bgpd again

2008-03-03 Thread Stuart Henderson
On 2008-03-03, Erich <[EMAIL PROTECTED]> wrote:
> there was nothing in the logs of the peer router.
> any other ideas howto debug/solve this?

How about some more information. dmesg, what's the peer router,
configs, a description of what actually happens...



ifstated

2008-03-03 Thread sonjaya sonjaya
Dear all

I have implemented equal-cost multipath routing, and I see in the
manual that it is more efficient combined with ifstated.
I read the manual; the ifstated sample is using carp.
My question is: must I implement carp too if I want to use ifstated
to check links?
Also, does anybody have a sample ifstated config for equal-cost multipath routing?

Thanks a lot



Re: problems with hoststated and relayd

2008-03-03 Thread Wijnand Wiersma

Sebastian Reitenbach wrote:
> Also a http redirect did not work. I get a timeout in the browser. With
> tcpdump I see incoming SYN packets to port 80, but they are not answered:


I am having the same problem with Feb 25 snapshot.
It seems no rdr rules are getting loaded into PF.

And I was just about to showcase and brag about a very hip setup ;-)

Wijnand



pf tag goes missing post sshd tcp decapsulization

2008-03-03 Thread scott
openBSD(4.2) and 4.3-beta

/etc/pf.conf fragment
# ---v---
pass in log quick on em0 inet proto tcp \
 from ! to (em0:0) port 22 \
 tag SSHVPN flags S/SA keep state \
 (max-src-conn-rate 3/120, overload  flush global) \
 label R1
#
pass out log quick on em1 tagged SSHVPN keep state \
 label R2
#
block log all label R3
# ---^---

In the above rule set, "R2" does not "match" anything, ever. It is
silent to pflog0.  The traffic that should be passed by R2 instead posts
in pflog0 as blocked by R3.

Something about the sshd's tcp decapsulization or pf's relationship with
it is losing the tag SSHVPN.

Without the ability to tag the ssh tunneled traffic post
decapsulization, I don't know how to do the differentiated handling I
need.  e.g. sshd -w from inside via my wifi vs. sshd -w from outside to
inside. 

I've posted a form of this question before but I've focused it further
here.  The ssh mail-list folks allege it's a pf issue.

Now, I know that ssh -w flows via tun(n) interfaces.  The following
rules set flows the outside to inside traffic BUT THERE'S NO LINKAGE
BETWEEN R1 AND R2. Putting "tagged SSHVPN" on R2 will cause R2 to "not
match" and therefore "not pass" the tun traffic.
# ---v---
pass in log quick on em0 inet proto tcp \
 from ! to (em0:0) port 443 \
 tag SSHVPN flags S/SA keep state \
 (max-src-conn-rate 3/120, overload  flush global) \
 label R1
#
pass in log quick on tun inet \
 from (tun:peer) to any \
 tag VTUNPKTS keep state label R2
#
pass out log quick on inside inet \
 tagged VTUNPKTS keep state label R3
# ---^---

Is this a bug, or is there a way that R2 can "know" where the tun
traffic is ingressing from?

What I think I want to be able to effect is...
# ---v---
pass in log quick on em0 inet proto tcp \
 from ! to (em0:0) port 443 \
 tag SSHVPN flags S/SA keep state \
 (max-src-conn-rate 3/120, overload  flush global) \
 label R1
#
pass in log quick on tun inet \
 tagged SSHVPN \
 tag VTUNPKTS keep state label R2
#
pass out log quick on inside inet \
 tagged VTUNPKTS keep state label R3
# ---^---


Thanks,



Re: bgpd again

2008-03-03 Thread Erich

there was nothing in the logs of the peer router.
any other ideas howto debug/solve this?

Stuart Henderson wrote:
> On 2008-03-01, Erich <[EMAIL PROTECTED]> wrote:
>> Mar  1 21:00:58 interoute bgpd[30449]: neighbor 10.65.0.6 (iBGP): received notification: HoldTimer expired, unknown subcode 0
>> Mar  1 21:10:26 interoute bgpd[30449]: neighbor 10.65.0.6 (iBGP): received notification: HoldTimer expired, unknown subcode 0
>>
>> what does this mean?
>
> can't really say from this, try looking at the logs on the
> peer router.




Re: Dell PE1950 III - Perc 6i

2008-03-03 Thread J.W. Zondag
2008/2/29, Marco Peereboom <[EMAIL PROTECTED]>:
> There is no 4.3 release just yet. You'll have to check it out of cvs.
> You need to grab sys/dev/pci/mfi_pci.c & sys/dev/ic/mfi* and rebuild
> your kernel.
>
> Or you can simply use a snapshot.
>
> On Feb 28, 2008, at 2:50 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]
>  > wrote:
>
> > Many, many thanks Marco, but please help me again.
> >
> > I cannot find 4.3 release sys.tar.gz (I think I need it to find the
> > new
> > driver, or there is a patch ?) where can I download it. ?
> >
> > The last question ( I hope :blush: ),  which is the file that I
> > need? mfi.c,
> > mfi_pci.c, both or more ?
> >
> > Thanks again.

Sorry for being so late.

I've installed the OpenBSD snapshot from 10-02-2008 and it worked like
a charm on a Dell PowerEdge 1950 III with Perc6i.

Thanks!

Jan Willem