Re: Limit number of login sessions

2008-09-21 Thread Mike
Just curious, why would the pf solution not work for you?



On Sun, Sep 21, 2008 at 2:16 AM, Maximo Pech [EMAIL PROTECTED] wrote:
 Hi, I'm looking for a way to configure a limit for the maximum number of
 simultaneous login sessions for a user. I want to do this to prevent
 users from creating multiple ssh sessions. I think something similar can be done
 through pf, but that's not the approach I'm looking for.



Re: alix help

2008-09-21 Thread Martin Schmitt
Kendall Shaw wrote:

 If I were able to upgrade the BIOS, I don't know how I would actually install 
 OpenBSD on the disk. Aside from transferring files using Xmodem, what is the 
 procedure for actually installing an image onto the CF card?

I have tried two methods for installing OpenBSD, and haven't decided yet
which one of the two I like better.

First, there's Flashdist from http://www.nmedia.net/flashdist/ which is
well optimized for flash environments and is installed by writing out an
image to a CF card. This has a somewhat bullet-proof appearance, but
it's not simple to customize.

Second, I have recently received a shipment of Microdrives, allowing for
a regular install that doesn't need to be optimized for read-only
operation. The PXE environment needs to be set up as described in
http://www.openbsd.org/faq/faq6.html#PXE and the bsd.rd kernel needs
to be booted for installation. This has the big advantage that it works
just like any OpenBSD installer.

Kind regards,

-martin


-- 
Martin Schmitt / Schmitt Systemberatung / www.scsy.de
-- http://www.pug.org/index.php/Benutzer:Martin --



Re: perl/CGI getting SIGSEGV *occasionally*, called by apache in chrooted env

2008-09-21 Thread Paul de Weerd
On Sun, Sep 21, 2008 at 03:40:09AM +0200, Robert Urban wrote:
| Hi folks,
| 
| OS Env: OBSD4.3 running on a dual-PIII (ProLiant 380).
| 
| I've got a perl/CGI script doing a bunch of stuff (talking to PostgreSQL,
| writing files, etc.) which is dying with SIGSEGV, but only occasionally. I'm
| unable to reproduce the death outside of the chrooted env manually. I did,
| however, manage to get a ktrace of a good and a bad run (see below). I
| set up the chroot environment by copying all relevant files for perl to
| /var/www. The SIGSEGVs started after I made some minor changes to the
| script, and if I make yet other changes, such as adding debugging code, the
| nasty behaviour stops. I doubt the script (and the modules it uses) is
| relevant, but if someone thinks it might shed some light on the problem, I
| can make it available. Naturally, I can make the complete ktrace/kdump
| files available as well, if anybody wants to see them. Access to the
| machine is also no problem.
| 
| Is there any hope of tracking down this kind of error?

A shot in the dark here, but can you verify that you have enough memory
available? Check ulimit; maybe the chrooted env is running as a user
with lower ulimits. Try upping those.

Other than that, SIGSEGVs are often caused by bad hardware (bad
memory, notably), but I'd be surprised if you only hit that in the
chroot case. You may still want to check your machine though.

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Re: UFS on OpenBSD

2008-09-21 Thread Lars Noodén
Beavis wrote:
 Thanks for the reply Ted... I guess even if I try to format the drive
 on HFS I won't be able to mount it on OpenBSD. 

If you have PPC architecture you can work with HFS just fine:
http://www.openbsd.org/4.3_packages/powerpc/hfsplus-1.0.4p2.tgz-long.html

Regards,
-Lars



Re: Limit number of login sessions

2008-09-21 Thread Dorian Büttner
On Sunday 21 September 2008 02:16:58 Maximo Pech wrote:
 Hi, I'm looking for a way to configure a limit for the maximum number of
 simultaneous login sessions for a user. I want to do this to prevent
 users from creating multiple ssh sessions. I think something similar can be
 done through pf, but that's not the approach I'm looking for.

Hi, how about sessionlimit in login.conf? I haven't ever used it myself, but 
it sounds quite promising.



Re: Limit number of login sessions

2008-09-21 Thread Dorian Büttner
On Sunday 21 September 2008 02:16:58 Maximo Pech wrote:
 Hi, I'm looking for a way to configure a limit for the maximum number of
 simultaneous login sessions for a user. I want to do this to prevent
 users from creating multiple ssh sessions. I think something similar can be
 done through pf, but that's not the approach I'm looking for.

Hi, how about sessionlimit in login.conf? I haven't ever used it myself, but 
it sounds quite promising.
Or just forget that, I was in a FreeBSD console :-/
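As the previous message notes, sessionlimit is something Dorian read in a FreeBSD login.conf; OpenBSD's login.conf(5) has no such capability, and sshd_config in 4.3 offers nothing per user either. What follows is an added example (not from any post in the thread) of the non-pf approach the original question asks for: a login-shell hook that counts the user's existing sessions in who(1) output and refuses the login once the limit is reached. The who output is passed in as a string so the counting logic can be exercised on any machine; the user names, ttys and addresses in the sample are constructed.

```sh
#!/bin/sh
# Added example, not from any post in the thread: limit concurrent logins per
# user from a login-shell hook, since OpenBSD's login.conf(5) has no
# sessionlimit capability. who(1) output is passed in as a string so the
# counting logic can be tested anywhere; the real hook calls who(1) itself.

# count_sessions USER WHO_OUTPUT: number of who(1) entries for USER
count_sessions() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# session_limit_ok USER LIMIT WHO_OUTPUT: 0 if USER holds fewer than LIMIT
# sessions, 1 otherwise
session_limit_ok() {
    [ "$(count_sessions "$1" "$3")" -lt "$2" ]
}

# enforce_session_limit LIMIT: put this at the top of /etc/profile (or a
# user's .profile). The session being started is already in utmp when the
# profile runs, so LIMIT+1 entries is the point at which it is one too many.
# Caveat: only sessions that registered a tty are listed, so "ssh host cmd"
# without a pty is not counted, and a user who never runs a login shell skips
# the hook entirely; treat this as policy enforcement, not a security boundary.
enforce_session_limit() {
    limit=${1:-2}
    me=${USER:-$(id -un)}
    if ! session_limit_ok "$me" "$((limit + 1))" "$(who)"; then
        echo "Too many concurrent logins for $me (limit $limit)" >&2
        exit 1
    fi
}

# Constructed who(1) output in OpenBSD's format (user, tty, time, host),
# used only to demonstrate the counting.
WHO_SAMPLE='alice    ttyp0    Sep 21 02:16   (10.0.0.5)
alice    ttyp1    Sep 21 02:20   (10.0.0.5)
bob      ttyp2    Sep 21 02:30   (10.0.0.9)'

echo "alice has $(count_sessions alice "$WHO_SAMPLE") sessions"
if session_limit_ok alice 2 "$WHO_SAMPLE"; then
    echo "alice may log in again"
else
    echo "alice is at her limit"
fi
```

In /etc/profile the hook is a single line, `enforce_session_limit 2`, after the function definitions. The pf route Mike mentions (`max-src-conn` on the ssh rule) caps connections per source address rather than per user, which is why it answers a different question.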



Re: broken disk?

2008-09-21 Thread Jordi Espasa Clofent

It seems that it runs fine but I don't get output from the long
test... Any hint?


Why? It's very easy:

$ smartctl -h -t long /dev/wd0c

... wait the required time, then

$ smartctl -l selftest /dev/wd0c

PS. Andromina is a funny name (amusing, really)
:P

--
Thanks,
Jordi Espasa Clofent



Re: broken disk?

2008-09-21 Thread Rajneesh N. Shetty
I have a fracture in my spine, does that answer your question?

tel :  +61431 823 603



'Worry looks around, sorry looks back, faith looks up'.

--- On Sun, 21/9/08, Pau [EMAIL PROTECTED] wrote:
From: Pau [EMAIL PROTECTED]
Subject: broken disk?
To: misc misc@openbsd.org
Received: Sunday, 21 September, 2008, 1:04 AM

Hi,

I recently posted in ports some problems I am having with an i386 laptop

http://marc.info/?l=openbsd-portsm=122191620826430w=2

and especially

http://marc.info/?l=openbsd-portsm=122189105726930w=2

Nikolay suggested it could be a hardware problem. To be sure, I made a
clean install of the system and the problems (not the same, but similar)
were still there. Therefore I booted into memtest86 from a Linux live
CD. The test went fine; then I tried smartctl (messages attached to
this message below).

It seems that it runs fine but I don't get output from the long
test... Any hint?

I have tried /dev/rwd0c too... but same result.

How can I check my problem?

Thanks,

Pau

andromina# smartctl -i /dev/wd0c
zsh: command not found: smartctl
andromina# /usr/local/sbin/smartctl -i /dev/wd0c
smartctl version 5.37 [i386-unknown-openbsd4.3] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF INFORMATION SECTION ===
Model Family:     Fujitsu MHT series
Device Model:     FUJITSU MHT2080AT
Serial Number:    NN7CT4A15HPM
Firmware Version: 0022
User Capacity:    80,026,361,856 bytes
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   6
ATA Standard is:  ATA/ATAPI-6 T13 1410D revision 3a
Local Time is:    Sat Sep 20 15:18:00 2008 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

andromina# /usr/local/sbin/smartctl -s on -d ata /dev/wd0c
smartctl version 5.37 [i386-unknown-openbsd4.3] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF ENABLE/DISABLE COMMANDS SECTION ===
SMART Enabled.

andromina# /usr/local/sbin/smartctl -d ata -a /dev/wd0c
smartctl version 5.37 [i386-unknown-openbsd4.3] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF INFORMATION SECTION ===
Model Family:     Fujitsu MHT series
Device Model:     FUJITSU MHT2080AT
Serial Number:    NN7CT4A15HPM
Firmware Version: 0022
User Capacity:    80,026,361,856 bytes
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   6
ATA Standard is:  ATA/ATAPI-6 T13 1410D revision 3a
Local Time is:    Sat Sep 20 15:18:41 2008 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x00) Offline data collection activity
                                        was never started.
                                        Auto Offline Data Collection: Disabled.
Self-test execution status:      (   0) The previous self-test routine completed
                                        without error or no self-test has ever
                                        been run.
Total time to complete Offline
data collection:                 ( 587) seconds.
Offline data collection
capabilities:                    (0x7b) SMART execute Offline immediate.
                                        Auto Offline data collection on/off support.
                                        Suspend Offline collection upon new
                                        command.
                                        Offline surface scan supported.
                                        Self-test supported.
                                        Conveyance Self-test supported.
                                        Selective Self-test supported.
SMART capabilities:            (0x0003) Saves SMART data before entering
                                        power-saving mode.
                                        Supports SMART auto save timer.
Error logging capability:        (0x01) Error logging supported.
                                        No General Purpose Logging support.
Short self-test routine
recommended polling time:        (   2) minutes.
Extended self-test routine
recommended polling time:        (  80) minutes.
Conveyance self-test routine
recommended polling time:        (   2) minutes.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   046    Pre-fail  Always       -       41054
  2 Throughput_Performance  0x0005   100   100   030    Pre-fail  Offline      -       31064064
  3 Spin_Up_Time            0x0003   100   100   025    Pre-fail  Always       -       1
  4 Start_Stop_Count        0x0032   098   098   000    Old_age   Always       -       7953
  5 

Re: Can one dd to /dev/rwd0c?

2008-09-21 Thread Pierre Riteau
On Sat, Sep 20, 2008 at 10:28:07PM -0700, Aaron Stellman wrote:
 On Sun, Sep 21, 2008 at 06:02:37AM +0100, Sunnz wrote:
  OK I am trying to completely erase the data of a hard disk so I thought
  I could just do `dd if=/dev/arandom of=/dev/rwd0c` as to my
  understanding that is the entire hard disk (slice c) of wd0 in 'raw'
  mode?
  
  But that dd refuses to do it.
 security(7):
 Once you have set the security level to 1, write access to raw 
 devices will be denied

I guess you're quoting from a FreeBSD man page.
On OpenBSD, securelevel(7) says that in securelevel 1, raw disk devices
of mounted file systems are read-only.
It's securelevel 2 that denies write access to all devices.

Sunnz says he's running off an install CD so he should not run into
problems related to securelevel. I guess he's root too.

Sunnz, you don't say exactly what error dd reports. Have you created
the arandom character device file? It is not available by default on
the install CD.

  
  So now I am doing the same thing but to wd0c instead. Is this any
  worse? This is the character device right? Does that mean dd won't
  write random bits as low as going to the raw device?
  
  This is running off an OpenBSD 4.3 CD; there is no intention to
  actually destroy the hard disk in any way, just erasing the data off
  the hard disk so that it can be reused, re-sold, whatever. The data
  are not some military top secret, but it is interesting to know
  what can be done in a home/small office environment when it comes to
  erasing the hard drive.
  
  Thanks.
  
  -- 
  This e-mail may be confidential. You may not copy, forward,
  distribute, or, use any part of it. Note, like all disclaimers on the
  net, there are no effective legal binding on your part and disclaimers
  can be ignored. For more information about disclaimers, please see:
  http://www.goldmark.org/jeff/stupid-disclaimers/
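An added example (not from any post in the thread) that applies the securelevel(7) rules Pierre describes before touching a raw disk, then does the single dd pass Sunnz is after and verifies it. The securelevel value and the mount(8) listing are passed in as arguments so the check can be exercised on any system; on the real box they come from `sysctl -n kern.securelevel` and `mount`. The mount lines in the usage below are constructed, and a regular file stands in for /dev/rwd0c.

```sh
#!/bin/sh
# Added example for this thread, not from any post. raw_write_allowed encodes
# the securelevel(7) rules quoted in the thread; wipe_once is the dd pass;
# all_zero verifies a /dev/zero pass. On the real system call
#   raw_write_allowed "$(sysctl -n kern.securelevel)" "$(mount)" wd0
# before dd'ing to /dev/rwd0c.

# raw_write_allowed LEVEL MOUNT_OUTPUT DISK
#   securelevel 2: every raw disk device is read-only
#   securelevel 1: raw devices of mounted file systems are read-only
#   securelevel 0 or -1: no restriction (root is still required)
raw_write_allowed() {
    level=$1 mounts=$2 disk=$3
    [ "$level" -ge 2 ] && return 1
    if [ "$level" -ge 1 ] && printf '%s\n' "$mounts" | grep -q "^/dev/${disk}[a-p] on "; then
        return 1
    fi
    return 0
}

# wipe_once TARGET BYTES [SOURCE]
#   one pass of SOURCE (/dev/zero, or /dev/arandom on OpenBSD) over the
#   first BYTES bytes of TARGET. For a raw disk BYTES is the size reported by
#   disklabel(8); dd stops by itself at the end of a raw device, but a regular
#   file needs the explicit count so this can run anywhere.
wipe_once() {
    target=$1 bytes=$2 src=${3:-/dev/zero}
    dd if="$src" of="$target" bs=512 count=$((bytes / 512)) conv=notrunc 2>/dev/null
}

# all_zero TARGET: 0 if every byte of TARGET is 0x00
all_zero() {
    [ -z "$(od -An -v -tx1 "$1" | tr -d ' 0\n')" ]
}

# Constructed mount(8) lines in OpenBSD's format, for demonstration only.
MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0d on /var type ffs (local, nodev, nosuid)'

for level in 0 1 2; do
    if raw_write_allowed "$level" "$MOUNTS" wd0; then
        echo "securelevel $level: writing /dev/rwd0c permitted"
    else
        echo "securelevel $level: writing /dev/rwd0c refused"
    fi
done
```

Writing to the block device /dev/wd0c instead of /dev/rwd0c puts the same bytes on the platters; it just goes through the buffer cache and is slower, which is why removing the `r` worked around whatever dd complained about. Neither path reaches sectors the drive has already remapped; that is the domain of the ATA secure erase command, not of dd.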



Re: Can one dd to /dev/rwd0c?

2008-09-21 Thread Sunnz
2008/9/21 Pierre Riteau [EMAIL PROTECTED]:

 Sunnz says he's running off an install CD so he should not run into
 problems related to securelevel. I guess he's root too.

It is just the official OpenBSD 4.3 CD that I bought, which on startup
asks Install/Upgrade/Shell. I am just using Shell from there.


 Sunnz, you don't say exactly what error dd reports. Have you created
 the arandom character device file? It is not available by default on
 the install CD.


If I could I would recreate the error... but somehow it works just now
when I attempt it once again!!!

From my vague memory the error dd threw earlier today was something
like "invalid argument"... I pressed the UP key to get the exact
command I entered, removed the 'r' in rwd0 and that worked.

BTW I was able to do a `cat /dev/arandom` on the install CD...




Re: alix help

2008-09-21 Thread secucatcher
On Sun, 21 Sep 2008 00:51:23 +0000 (UTC),
Stuart Henderson [EMAIL PROTECTED] wrote:

 On 2008-09-20, Kendall Shaw [EMAIL PROTECTED] wrote:
  I got an alix2c2 which I'm hoping to install OpenBSD on. Is there
  a way to upgrade its BIOS and install OpenBSD on it from OpenBSD?  
 
 someone mentioned working on it, but nothing further..


I've got an alix 2b2 and it works easily.
Just install OpenBSD with a compact flash reader, with the CF attached to your 
PC, as you would install OpenBSD normally,
but choose the disk you see on the CF reader.
Then modify the installation; three files to change:

/etc/boot.conf:
set tty com0
stty com0 38400
set timeout 5

/etc/ttys like that:
tty00   "/usr/libexec/getty std.38400"  vt100   on  secure 

and /etc/fstab:
/dev/wd0a / ffs rw,softdep 1 1
/dev/wd0d /var ffs rw,softdep,nodev,nosuid 1 2


because when you install on the card reader and then put it in the alix, 
OpenBSD
doesn't see the disk at the same mount point.
Just put the CF in the alix and it works.
For the BIOS, try again with the documentation on PC Engines (you need a CF for that).
Thanks again to Pascal who gave me a chance to have an alix to test OpenBSD on 
it.



Re: Help with CARP

2008-09-21 Thread secucatcher
On Sat, 20 Sep 2008 22:18:08 +0200,
Jonathan Carter [EMAIL PROTECTED] wrote:

 I have it set to (1) on the primary and (100) on the backup.
 
 How high did you set yours?
 
 Jonathan

mine in test phase is nothing on first and 100 on the second firewall



Re: Can one dd to /dev/rwd0c?

2008-09-21 Thread Johan Ström

On Sep 21, 2008, at 7:02 AM, Sunnz wrote:


OK I am trying to completely erase the data of a hard disk so I thought
I could just do `dd if=/dev/arandom of=/dev/rwd0c` as to my
understanding that is the entire hard disk (slice c) of wd0 in 'raw'
mode?

But that dd refuses to do it.



If you just want to erase the disk securely and don't really need to  
run OpenBSD, check out http://www.dban.org/


--
Johan



Re: alix help

2008-09-21 Thread Vladimir Kirillov
On 12:55 Sun 21 Sep, [EMAIL PROTECTED] wrote:
 /etc/boot.conf:
 set tty com0
 stty com0 38400

I think it's better to set the com speed _before_ setting com0 as the tty;
otherwise it can start throwing garbage into the console, as was observed
on a soekris net4801:

stty com0 38400
set tty com0

...

-- 
Vladimir Kirillov



Re: alix help

2008-09-21 Thread Stuart Henderson
On 2008/09/21 12:55, [EMAIL PROTECTED] wrote:
 Le Sun, 21 Sep 2008 00:51:23 + (UTC)
 Stuart Henderson [EMAIL PROTECTED] a pris sa plume:
 
  On 2008-09-20, Kendall Shaw [EMAIL PROTECTED] wrote:
   I got an alix2c2 which I'm hoping to install OpenBSD on. Is there
   a way to upgrade its BIOS and install OpenBSD on it from OpenBSD?  
  
  someone mentioned working on it, but nothing further..
 
 
 I've got an alix 2b2 and it works easily

what, upgrading the bios from openbsd?

 just install OpenBSD with a compact flash reader with the CF attached to your 
 PC as you would install OpenBSD normally

Many people find pxeboot(8) simpler.



Re: broken disk?

2008-09-21 Thread Pau
Hi Jordi,

thanks. I have also looked in the BIOS. SMART is enabled by default.
It seems that the disk is fine.

Could it be the RAM? How do I test that?

Pau

# /usr/local/sbin/smartctl -d ata -t long /dev/wd0c
smartctl version 5.37 [i386-unknown-openbsd4.3] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF OFFLINE IMMEDIATE AND SELF-TEST SECTION ===
Sending command: Execute SMART Extended self-test routine immediately in off-line mode.
Drive command Execute SMART Extended self-test routine immediately in off-line mode successful.
Testing has begun.
Please wait 80 minutes for test to complete.
Test will complete after Sun Sep 21 13:30:47 2008

Use smartctl -X to abort test.
# /usr/local/sbin/smartctl -l selftest /dev/wd0c
smartctl version 5.37 [i386-unknown-openbsd4.3] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF READ SMART DATA SECTION ===
SMART Self-test log structure revision number 1
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Completed without error       00%      7704         -
# 2  Extended offline    Completed without error       00%      7698         -
# 3  Short offline       Completed without error       00%      7694         -
# 4  Short offline       Completed without error       00%      7694         -
# 5  Extended offline    Completed without error       00%      7693         -


2008/9/21 Jordi Espasa Clofent [EMAIL PROTECTED]:
 It seems that it runs fine but I don't get output from the long
 test... Any hint?

 Why? It's very easy:

 $ smartctl -h -t long /dev/wd0c

 ... wait the required time, then

 $ smartctl -l selftest /dev/wd0c

 PS. Andromina is a funny name (amusing, really)
 :P

 --
 Thanks,
 Jordi Espasa Clofent
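An added example (not from any post in the thread) that turns Jordi's two-step procedure, run the long test and then read the self-test log, into a check that can be scripted, and also scans the attribute table from `smartctl -A` for the values that matter. The sample text is the posted output, unwrapped, with one constructed row appended to each table (a pending-sector count and a failed extended test) so that the failure path is exercised; on a real system the functions read `smartctl -l selftest /dev/wd0c` and `smartctl -d ata -A /dev/wd0c` on standard input.

```sh
#!/bin/sh
# Added example, not from the thread: check smartctl(8) output for trouble.
# selftest_failures reads "smartctl -l selftest" output on stdin and prints
# every log entry whose status is not a clean completion; attribute_failures
# reads "smartctl -A" output and prints attributes the drive has flagged,
# Pre-fail attributes at or below their threshold, and nonzero reallocated or
# pending sector counts (the counters that usually move first on a dying disk).

selftest_failures() {
    # self-test log columns are separated by two or more spaces; $3 is Status
    awk 'BEGIN { FS = "  +" }
         /^# *[0-9]+ / && $3 !~ /^Completed without error/ && $3 !~ /in progress/'
}

attribute_failures() {
    # attribute rows: ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /^0x/ {
             if ($9 != "-") { print; next }
             if ($6 + 0 > 0 && $4 + 0 <= $6 + 0) { print; next }
             if (($2 == "Reallocated_Sector_Ct" || $2 == "Current_Pending_Sector") && $10 + 0 != 0) print
         }'
}

# disk_healthy ATTRIBUTE_TEXT SELFTEST_TEXT: returns 0 if neither check fires
disk_healthy() {
    bad_attrs=$(( $(printf '%s\n' "$1" | attribute_failures | wc -l) ))
    bad_tests=$(( $(printf '%s\n' "$2" | selftest_failures | wc -l) ))
    [ "$bad_attrs" -eq 0 ] && [ "$bad_tests" -eq 0 ]
}

# Sample input: the posted attribute rows and self-test log, unwrapped. The
# last row of each sample (ID 197; test # 6) is constructed to show a failure.
SAMPLE_ATTRS='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   046    Pre-fail  Always       -       41054
  2 Throughput_Performance  0x0005   100   100   030    Pre-fail  Offline      -       31064064
  3 Spin_Up_Time            0x0003   100   100   025    Pre-fail  Always       -       1
  4 Start_Stop_Count        0x0032   098   098   000    Old_age   Always       -       7953
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       2'

SAMPLE_SELFTEST='Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Completed without error       00%      7704         -
# 2  Extended offline    Completed without error       00%      7698         -
# 3  Short offline       Completed without error       00%      7694         -
# 4  Short offline       Completed without error       00%      7694         -
# 5  Extended offline    Completed without error       00%      7693         -
# 6  Extended offline    Completed: read failure       90%      7690         12345678'

if disk_healthy "$SAMPLE_ATTRS" "$SAMPLE_SELFTEST"; then
    echo "disk looks healthy"
else
    echo "disk problems:"
    printf '%s\n' "$SAMPLE_ATTRS" | attribute_failures
    printf '%s\n' "$SAMPLE_SELFTEST" | selftest_failures
fi
```

Run against Pau's actual output the two filters print nothing, which is the scriptable form of "the disk is fine"; the next suspect in his case is the RAM, as the following replies say.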



New scheduler, same problem (ALTQ questions)

2008-09-21 Thread Chris McGee
Hi guys,

I've been using an OpenBSD firewall on my home network for about 10 
years. I recently upgraded the hardware to a retired gaming machine and 
went to OpenBSD 4.3 (woo!).

I'm playing with the new scheduler in altq, and I like the way that it 
works, but the documentation is iffy and it still doesn't look like it 
solves one problem that priq and cbq couldn't solve: prioritizing 
outbound traffic on a variable-bandwidth link. (Yes, I've got a cable 
modem. =D)

Here's the problem I'm trying to solve: my cable modem allows around 
750kb/s when traffic is really ugly, and about 2100kb/s in the dead of the 
night. In order for the scheduler to know when to start limiting traffic, 
I have to tell it how fast the link is, but I don't *know* how fast the 
link is, because it varies.

I've been trying the following rules:

altq on $ext_if bandwidth 2048Kb hfsc queue { ack, dns, games, def, bt }
  queue ack   bandwidth 80% priority 6 qlimit 500 hfsc (realtime 50% ecn)
  queue dns   bandwidth  5% priority 5 qlimit 500 hfsc (realtime 5% ecn)
  queue games bandwidth  5% priority 3 qlimit 500 hfsc (realtime 5% ecn)
  queue def   bandwidth  5% priority 2 qlimit 500 hfsc (realtime 10% ecn default)
  queue bt    bandwidth  5% priority 1 qlimit 500 hfsc (upperlimit 80% red)

(The ack queue is TCP ACKs, the dns queue is DNS requests, high-priority 
user traffic and VoIP go in games, and the rest is regular and 
low-priority user traffic.)

When I'm usually using the internet connection, my outbound bandwidth is 
probably around 1200kb. Cranking the bandwidth down to 750 or so is one 
solution, but then I'm artificially limiting my own upstream to the 
worst-case scenario.

My questions are:

1) Is there a more effective way I could be doing the above?

2) Regarding hfsc, what is the old bandwidth statement used for? It seems 
like it would be obsolete. Changing it doesn't seem to affect anything, 
either. The manpage doesn't say. :)

3) Another hfsc question: exactly what does the linkshare statement do? The 
manpage says: "linkshare sc: The bandwidth share of a backlogged 
queue."

Thanks :)

--Chris



Re: alix help

2008-09-21 Thread secucatcher
On Sun, 21 Sep 2008 12:49:49 +0100,
Stuart Henderson [EMAIL PROTECTED] wrote:

 what, upgrading the bios from openbsd?

Nope, just installing OpenBSD.
For the BIOS I don't remember exactly;
it was easy, from what I remember.



OpenBSD + isakmpd + VPN concentrator 3060

2008-09-21 Thread Mariusz Makowski

Hello,

Firstly I want to mention that this is my first time with ipsec/isakmpd tunneling.

My problem is making a connection from OpenBSD 4.3 to a Cisco VPN 
concentrator 3060.
The Cisco concentrator is out of my reach, so I can't check the logs there, and I 
can only hope that the configuration there is done well.

Here is my example:

a.a.a.a_net obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net

What I want to achieve is: 
- communication from a.a.a.a_net to d.d.d.d_net


What I know about the Cisco configuration:
- VPN concentrator 3060
- c.c.c.c_public_ip
- d.d.d.d_net
- VPN Method: IPSec
- Encryption: 3DES
- Key exchange: IKE
- Pre-Shared Key: somekey
- Perfect Forward Secrecy: Yes - Group 2 (1024 bits) 
- Hashing: SHA-1
- Diffie-Hellman: Yes - Group 2 
- Time Lifetime: 28800 seconds

- Encapsulation Mode: Tunnel
- Negotiation Mode: Main

OpenBSD:
- clean installation of 4.3
- no pf yet
- em0: a.a.a.a_net
- em1: b.b.b.b_public_ip

After a couple of hours of reading stuff on the internet and reading some configuration 
files I arrived at this configuration:

-- isakmpd.conf --
[General]
Listen-on= b.b.b.b_public_ip

[Phase 1]
c.c.c.c_public_ip= CONN

[Phase 2]
Connections  = LINK

[CONN]
Phase= 1
Transport= udp
Address  = c.c.c.c_public_ip
Configuration= Default-Main-Mode
Authentication   = somekey

[LINK]
Phase= 2
ISAKMP-Peer  = HP
Configuration= Default-Quick-Mode
Local-ID = LAN-1
Remote-ID= LAN-2

[LAN-1]
ID-Type  = IPV4_ADDR_SUBNET
Network  = a.a.a.a_net
Netmask  = a.a.a.a_netmask

[LAN-2]
ID-Type  = IPV4_ADDR_SUBNET
Network  = d.d.d.d_net
Netmask  = d.d.d.d_netmask

[Default-Main-Mode]
DOI  = IPSEC
Exchange_Type= ID_PROT
Transforms   = 3DES-SHA

[Default-Quick-Mode]
DOI  = IPSEC
Exchange_Type= QUICK_MODE
Suites   = QM-ESP-3DES-SHA-SUITE

[3DES-SHA]
ENCRYPTION_ALGORITHM = 3DES_CBC
HASH_ALGORITHM   = SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life = LIFE_3600_SECS

[QM-ESP-3DES-SHA-SUITE]
Protocols= QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-SHA]
PROTOCOL_ID  = IPSEC_ESP
Transforms   = QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID  = IPSEC_ESP
Transforms   = QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA-TRP]
PROTOCOL_ID  = IPSEC_ESP
Transforms   = QM-ESP-3DES-SHA-TRP-XF

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID = 3DES
ENCAPSULATION_MODE   = TUNNEL
AUTHENTICATION_ALGORITHM = HMAC_SHA
Life = LIFE_28800_SECS

[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID = 3DES
ENCAPSULATION_MODE   = TUNNEL
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life = LIFE_28800_SECS

[QM-ESP-3DES-SHA-TRP-XF]
TRANSFORM_ID = 3DES
ENCAPSULATION_MODE   = TRANSPORT
AUTHENTICATION_ALGORITHM = HMAC_SHA
Life = LIFE_28800_SECS

[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200

[LIFE_28800_SECS]
LIFE_TYPE   = SECONDS
LIFE_DURATION = 28800
-- isakmpd.conf --

After this I am able to get through the first phase,
but I am unable to get the second.

Here is my debug:

-- isakmpd -d -DA=10 --
164003.690124 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
164003.690315 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
164003.690379 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
164003.690437 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
164003.690493 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
164003.690554 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
164003.690610 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
164003.690670 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
164003.690726 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
164003.690787 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
164003.690844 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]
164003.691747 Misc 10 monitor_init: privileges dropped for child process
164003.839514 Timr 10 timer_add_event: event connection_checker(0x8848bdf0) added last, expiration in 0s
164003.841346 Timr 10 timer_handle_expirations: event connection_checker(0x8848bdf0)
164003.841426 Timr 10 timer_add_event: event connection_checker(0x8848bdf0) added last, 
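An added example, not the poster's configuration: the same tunnel written as an ipsec.conf(5) rule and loaded with ipsecctl(8), which generates the isakmpd configuration itself. That removes two places where a hand-written isakmpd.conf can drift: in the posted file, [LINK] sets ISAKMP-Peer to HP while the only phase-1 section is [CONN], and Default-Quick-Mode selects QM-ESP-3DES-SHA-SUITE, the suite without PFS, although the concentrator side lists "Perfect Forward Secrecy: Yes - Group 2". The address placeholders are the post's own; the /24 prefix lengths are assumed.

```conf
# /etc/ipsec.conf: added example, not the poster's configuration.
# Placeholders follow the post; the /24 prefix lengths are assumed.
local_gw   = "b.b.b.b_public_ip"
remote_gw  = "c.c.c.c_public_ip"
local_net  = "a.a.a.a_net/24"
remote_net = "d.d.d.d_net/24"

# Phase 1 (main mode): 3DES, SHA-1, DH group 2 (modp1024), pre-shared key.
# Phase 2 (quick mode): ESP tunnel, 3DES, HMAC-SHA1, PFS group 2 to match
# the concentrator's "Perfect Forward Secrecy: Yes - Group 2".
ike esp tunnel from $local_net to $remote_net \
    local $local_gw peer $remote_gw \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    psk "somekey"
```

For this to work isakmpd has to be started with -K (isakmpd_flags="-K" in /etc/rc.conf.local) so that it takes its policy from ipsecctl rather than from the keynote files; `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, `ipsecctl -f /etc/ipsec.conf` loads it, and `ipsecctl -s all` shows the flows and SAs that result. The isakmpd debug run from the post still works the same way alongside it.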

Re: UFS on OpenBSD

2008-09-21 Thread Ted Unangst
On Sun, Sep 21, 2008 at 3:44 AM, Lars Noodén [EMAIL PROTECTED]
wrote:
 Beavis wrote:
 Thanks for the reply Ted... I guess even if I try to format the drive
 on HFS I won't be able to mount it on OpenBSD.

 If you have PPC architecture you can work with HFS just fine:
 http://www.openbsd.org/4.3_packages/powerpc/hfsplus-1.0.4p2.tgz-long.html

That still fails the "mount it on OpenBSD" test, which is probably a
requirement for a shared filesystem one intends to use regularly.



Re: Can one dd to /dev/rwd0c?

2008-09-21 Thread Sunnz
2008/9/21 Johan Ström [EMAIL PROTECTED]:


 If you just want to erase the disk securely and don't really need to run
 OpenBSD, check out http://www.dban.org/

 --
 Johan


Oh, I just thought that I had an OpenBSD CD lying around, but thanks, that
seems like a good tool for my personal utility kit. :D




Re: alix help

2008-09-21 Thread Andrew Konkol
Whatever you do, do NOT attempt to update the BIOS by sending a file over a
console session. It screwed up my BIOS and I had to have PC Engines send me a
rescue BIOS chip and a bootable CF card. Once I had obtained the latest BIOS I
just plugged in a CF-to-IDE converter and continued as if it were a normal
install.

http://www.copyandwaste.com/2008/05/26/alix-2c3-openbsd-43/
-a

On Sun, Sep 21, 2008 at 6:49 AM, Stuart Henderson [EMAIL PROTECTED]wrote:

 On 2008/09/21 12:55, [EMAIL PROTECTED] wrote:
  Le Sun, 21 Sep 2008 00:51:23 + (UTC)
  Stuart Henderson [EMAIL PROTECTED] a pris sa plume:
 
   On 2008-09-20, Kendall Shaw [EMAIL PROTECTED] wrote:
     I got an alix2c2 which I'm hoping to install OpenBSD on. Is there
     a way to upgrade its BIOS and install OpenBSD on it from OpenBSD?
  
   someone mentioned working on it, but nothing further..
 
 
  I've got an alix 2b2 and it works easily

 what, upgrading the bios from openbsd?

  just install OpenBSD with a compact flash reader with the CF attached to
 your PC as you would install OpenBSD normally

 Many people find pxeboot(8) simpler.



Re: broken disk?

2008-09-21 Thread Jordi Espasa Clofent

thanks. I have also looked in the BIOS. SMART is enabled by default.
It seems that the disk is fine.

Could it be the RAM? How do I test that?


Could be.
A deep memtest run should be enough.

--
Thanks,
Jordi Espasa Clofent



Re: OpenBSD + isakmpd + VPN concentrator 3060

2008-09-21 Thread Mariusz Makowski


Re: Can one dd to /dev/rwd0c?

2008-09-21 Thread bofh
AFAIK, erasing a disk 7x7 times using a truly random source of
entropy, using proton decay multiplexed with the frequency of
solar flares on Alpha Centauri, and just dd'ing /dev/zero to the drive
*ONE* time makes no difference to data retrieval/forensics.

Please kill this urban legend about the fantastical methods of
retrieval using a scanning electron microscope to read individual
atoms - ok, that may work, but damnit, how many of you have shit that
requires that level of protection?  If you do, just apply thermite
judiciously.





On 9/21/08, Johan Ström [EMAIL PROTECTED] wrote:
 On Sep 21, 2008, at 7:02 AM, Sunnz wrote:

 OK I am trying to completely erase the data of a hard disk so I thought
 I could just do `dd if=/dev/arandom of=/dev/rwd0c` as to my
 understanding that is the entire hard disk (slice c) of wd0 in 'raw'
 mode?

 But that dd refuses to do it.


 If you just want to erase the disk securely and don't really need to
 run OpenBSD, check out http://www.dban.org/

 --
 Johan




--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0feature=related



Re: Can one dd to /dev/rwd0c?

2008-09-21 Thread Johan Ström
I can't say that I know if that is true or not, but I do however know
that it is probably easier to slap a DBAN CD into a drive and press
enter to make it wipe my disks, compared to starting up OpenBSD from CD
and performing dd operations (depending on what you have at hand).
But whether it makes any actual difference with regards to data retrieval
if you use dd, the DBAN quick-erase function or their government
approved erase functions, that I don't know.
And as you say, most of us (the OP for example) probably just want to
clean out their drives prior to selling them or something like that
and don't really need that kind of security (however real it is).


But it is still simpler :)

--
Johan





Re: broken disk?

2008-09-21 Thread ropers
2008/9/21 Jordi Espasa Clofent [EMAIL PROTECTED]:
 thanks. I have looked also in the BIOS. SMART is enabled per default.
 It seems that the disk is fine.

 Could it be the RAM? How to test?

 Could be.
 A deep memtest test should be enough.

Apologies if you already know this and/or did this, but since you (Pau) asked:

Deep memtest = burn-in test.
memtest86 has an option for this. Launch it, and leave it running for
24hrs. If memtest86 hasn't found any errors after that many passes,
then you can be virtually certain that it's not the RAM that is
faulty. (I've never encountered faulty RAM that a 24h burn-in
memtest86 check didn't detect as such, but I have more than once seen
memtest86 fail to detect faulty RAM during a single-pass test.)

regards,
--ropers



Re: perl/CGI getting SIGSEGV *occasionally*, called by apache in chrooted env

2008-09-21 Thread Robert Urban
Paul de Weerd wrote:
 On Sun, Sep 21, 2008 at 03:40:09AM +0200, Robert Urban wrote:
 | Hi folks,
 | 
 | OS Env: OBSD4.3 running on a dual-PIII (ProLiant 380).
 | 
 | I've got a perl/CGI script doing a bunch of stuff (talking to PostgreSQL,
 | writing files, etc) which is dying with SIGSEGV, but only occasionally.  I'm
 | unable to reproduce the death outside of the chrooted env manually.  I did,
 | however, manage to get a ktrace of a good and a bad run.  (see below).  I
 | set up the chroot environment by copying all relevant files for perl to
 | /var/www. The SIGSEGV's started after I made some minor changes to the
 | script, and if I make yet other changes, such as adding debugging code, the
 | nasty behaviour stops.  I doubt the script (and modules it uses) are
 | relevant, but if someone thinks they might shed some light on the problem, I
 | can make them available. Naturally, I can make the complete ktrace/kdump
 | files available as well, if anybody wants to see them.  Access to the
 | machine is also no problem.
 | 
 | Is there any hope of tracking down this kind of error?
 
 A shot in the dark here .. but can you verify you have enough memory
 available for use ? Check ulimit .. maybe the chrooted env is running
 as a user with lower ulimits. Try upping those.
 
 Other than that, SIGSEGV's are often caused by bad hardware (bad
 memory, notably), but I'd be surprised if you only hit that in the
 chroot case. You may still want to check your machine though.

thanks for your suggestion.  I checked resource limits, and they're ok.  The
HW is ok too.  Before I ever install an OS on intel hardware I always run
memtest86+ at least over night.  That includes this box, so mem is ok.

Could have been, but wasn't :)

cheers,

Robert Urban



making man(1) to open a file

2008-09-21 Thread LÉVAI Dániel
Hi!

I think there is a way for this but I can not find it in man's man :)

Like in Linux there is a `-l' option to man(1) which opens a Local file, 
like man -l /usr/local/man/man1/somemanpage.1. I'm in trouble opening 
net-snmp package's snmpd(8) or snmpd.conf(5) man page, because it 
conflicts with the base's snmpd's man pages. Now I'm reading it with 
less, but it is less convenient :)

Thanks for the help!

Daniel

-- 
LEVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: making man(1) to open a file

2008-09-21 Thread Stuart Henderson
On 2008-09-21, LÉVAI Dániel [EMAIL PROTECTED] wrote:
 Like in Linux there is a `-l' option to man(1) which opens a Local file, 
 like man -l /usr/local/man/man1/somemanpage.1. I'm in trouble opening 
 net-snmp package's snmpd(8) or snmpd.conf(5) man page, because it 
 conflicts with the base's snmpd's man pages. Now I'm reading it with 
 less, but it is less convenient :)

man -M /usr/local/man snmpd 



Re: making man(1) to open a file

2008-09-21 Thread Hannah Schroeter
Hi!

On Sun, Sep 21, 2008 at 09:22:24PM +0200, LÉVAI Dániel wrote:
I think there is a way for this but I can not find it in man's man :)

Like in Linux there is a `-l' option to man(1) which opens a Local file, 
like man -l /usr/local/man/man1/somemanpage.1. I'm in trouble opening 
net-snmp package's snmpd(8) or snmpd.conf(5) man page, because it 
conflicts with the base's snmpd's man pages. Now I'm reading it with 
less, but it is less convenient :)

No, but in your case, you can use the option -M /usr/local/man (or -m
/usr/local/man) probably.

Kind regards,

Hannah.



eSATA support?

2008-09-21 Thread Brian
I'm thinking about picking up an eSATA pci card and backing up my data to an 
external hd over eSATA using rsync.  Is this supported?  

Thanks,

Brian



Re: making man(1) to open a file

2008-09-21 Thread LÉVAI Dániel
On Sunday 21 September 2008 21.51.48 Hannah Schroeter wrote:
 No, but in your case, you can use the option -M /usr/local/man (or -m
 /usr/local/man) probably.

On Sunday 21 September 2008 21.45.59 Stuart Henderson wrote:
 man -M /usr/local/man snmpd

Argh, thanks, thanks! Sorry, I knew I read it too fast...

Daniel

-- 
LEVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: Help with CARP - more advice needed

2008-09-21 Thread Jonathan Carter
Just so the newsgroup knows - I tried this and I still have the problem, so
suggestions with commands / techniques for debugging my problem would be
gratefully received.
 

Jonathan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 21 September 2008 12:58
To: Jonathan Carter
Cc: 'Jose Quinteiro'; misc@openbsd.org
Subject: Re: Help with CARP

On Sat, 20 Sep 2008 22:18:08 +0200
Jonathan Carter [EMAIL PROTECTED] took up his pen:

 I have it set to (1) on the primary and (100) on the backup.
 
 How high did you set yours?
 
 Jonathan

mine in test phase is nothing on first and 100 on the second firewall



Re: making man(1) to open a file

2008-09-21 Thread Paul de Weerd
On Sun, Sep 21, 2008 at 09:22:24PM +0200, LÉVAI Dániel wrote:
| Hi!
| 
| I think there is a way for this but I can not find it in man's man :)
| 
| Like in Linux there is a `-l' option to man(1) which opens a Local file, 
| like man -l /usr/local/man/man1/somemanpage.1. I'm in trouble opening 
| net-snmp package's snmpd(8) or snmpd.conf(5) man page, because it 
| conflicts with the base's snmpd's man pages. Now I'm reading it with 
| less, but it is less convenient :)
| 
| Thanks for the help!

Next to the useful suggestions you've received so far, you can try

groff -man -Tascii /path/to/manpage.X | less

to render the specific page. 

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Getting the Thinkpad X200 working fully under OpenBSD

2008-09-21 Thread Robert
Hi all,

got me a Thinkpad X200. Not everything is supported right now.
Lots of this stuff might apply to any Centrino 2 notebook.
This mail is more like a headsup for those looking into running OpenBSD
on the newer Thinkpads.

dmesg (amd64 GENERIC.MP, snapshot 2008-09-10)
at the bottom of this mail.

Perhaps someone can give me some pointers or advice on following points,
or might find this info interesting.

1.) dmesg / memory allocation
2.) onboard ethernet
3.) wlan
4.) speedstep
5.) Xorg / intel(4)
===

1.)
The dmesg is partially copied by hand.
That's because I don't have a docking station/serial console and:

WARNING: 16384 bytes not available for msgbuf in last cluster (4096
used)
[ using 682848 bytes of bsd ELF symbol table ]

My kernel-C-foo doesn't seem to be strong enough to comprehend where to
go with/from the malloc.c code.

fwiw, the output from DEBUG_MEMLOAD:
loading 0xcc9000-0x100 (0xcc9-0x1000)
loading 0x100-0x7b6a1000 (0x1000-0x7b6a1)
loading 0x7b6a7000-0x7b7b7000 (0x7b6a7-0x7b7b7)
loading 0x7b80f000-0x7b8c7000 (0x7b80f-0x7b8c7)
loading 0x7bbff000-0x7bc0 (0x7bbff-0x7bc00)
avail_start = 0x6000
avail_end = 0x7bc0
first_avail = 0xcc9000

Having to reboot so the dmesg is in the scrollback buffer, when I want
to look at it, isn't so elegant.
This one I really would like to get fixed somehow. Anyone?
===

2.)
The onboard em(4) is not picked up.
ICH9_IGP_M_AMT seems to be an 82567LM.
Intel added support for those chips just recently to their driver,
not in OpenBSD yet.

Not having anything to bribe Brad with right now, I'll try to
get my head around that freebsd codebase and see if I can find the
necessary quirks to add.
===

3.)
Fyi, the SKU I got has an Intel 5100 Mini-PCI.
No driver support for those.
I don't complain about that. If I wanted to use wlan I'd just switch it
out for something working.
===

4.)
The P8600 Core2Duo is not recognized by the speedstep code.

Adding the model 0x7 to est.c results in:
cpu0: unknown Enhanced SpeedStep CPU, msr 0x0617091f0691f
cpu0: using only highest and lowest powerstates
cpu0: Enhanced SpeedStep 2400 MHz (1196mV): speeds: 2400, 2600 MHz

Now I just have to find out how to populate fqlist with the right data.

(I tried amd64/est.c v1.6 with corresponding acpicpu.c but that gave me
no hw.setperf either.)
===

5.)
The X200 uses the GM45 chipset. Graphics controller is the GMA 4500MHD,
which isn't supported by intel(4)/version 2.4.2(stable) which is in
xenocara right now.
With 2.4.2 X complains about the controller and produces small
artefacts near the mouse cursor.
Support is in Intel's unstable tree. Estimating when they will release
their next stable, I might even get around to trying to get the code
compiling on my system myself.

On a sidenote, the X200 seems to drive only the internal _or_
external display, depending on whether a screen is connected to the VGA
port at boot or not. (The BIOS is set to use the internal screen,
but still uses the VGA port if a screen is connected.)
===


So far I'm very happy with the X200. Small, silent and fast.
It's not built like a tank as the older Thinkpads are.
The lid has some flex to it and if you look for it you can find it on
the sides of the keyboard too.
Otherwise the Lenovo engs learned their lesson from IBM's bluesheets.


Except for the points mentioned above OpenBSD runs flawlessly.
With an Express Card msk(4) I can work around any of those.
Even without speedstep the 4-cell battery delivers over 2 hours of
power.


Cheers

- Robert


[1] dmesg
[2] hw.sensors
===

[1]
OpenBSD 4.4-current (GENERIC.MP) #1839: Wed Sep 10 12:29:50 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2059067392 (1963MB)
avail mem = 1999065088 (1906MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (62 entries)
bios0: vendor LENOVO version 6DET28WW (1.05 ) date 07/30/2008
bios0: LENOVO 74542GU
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET SLIC BOOT ASF! SSDT TCPA SSDT 
SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP0(S4) EXP1(S4) EXP2(S4) 
EXP3(S4) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) EHC0(S3) 
EHC1(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz, 2394.29 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 3MB 64b/line 8-way L2 cache
cpu0: apic clock running at 266MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz, 2394.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu1: 3MB 64b/line 8-way L2 cache
ioapic0 at mainbus0 apid 1 pa 0xfec0, version 

Re: Can one dd to /dev/rwd0c?

2008-09-21 Thread Sunnz
The original question was really asking where to write to, that is,
rwd0c vs. wd0c; the source that was used in the example
(urandom/arandom) wasn't any kind of true random entropy anyway,
AFAIK, they are non-blocking pseudo-random stuff that the kernel
spills out...

I mean, as far as usability goes, it is just a matter of typing
if=/dev/urandom vs. if=/dev/zero, virtually no extra work needs to be
done by the human... and as far as the computational difference, I
think the delay for using a pseudo-random source is negligible when
people probably have to leave this thing running overnight anyway.

So I don't see any big fuss about which source to use here, surely no
one is asking what's the best entropy to be used, but just how to
actually write to every bit of the hard drive.



Re: Getting the Thinkpad X200 working fully under OpenBSD

2008-09-21 Thread Neal Hogan
Fyi --

Similar issues with a new T400. The dmesg is below (I had a better/cleaner
dmesg with an i386/4.4 install (09/10/2008)).

OpenBSD 4.4-current (RAMDISK_CD) #882: Wed Sep 10 12:33:01 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz (GenuineIntel 686-class)
2.40 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
real mem  = 2071982080 (1975MB)
avail mem = 1996824576 (1904MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/19/08, BIOS32 rev. 0 @ 0xfdc80,
SMBIOS rev. 2.4 @ 0xe0010 (74 entries)
bios0: vendor LENOVO version 7UET43WW (1.13 ) date 08/19/2008
bios0: LENOVO 7417CTO
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET SLIC BOOT ASF! SSDT TCPA
SSDT SSDT SSDT
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus -1 (EXP2)
acpiprt5 at acpi0: bus 5 (EXP3)
acpiprt6 at acpi0: bus 13 (EXP4)
acpiprt7 at acpi0: bus 21 (PCI1)
bios0: ROM list: 0xc/0x1! 0xd/0x1000 0xd1000/0x1000
0xd2000/0x1000 0xde000/0x1800! 0xe/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x2a40 rev
0x07
vga1 at pci0 dev 2 function 0 vendor Intel, unknown product 0x2a42 rev
0x07
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
vendor Intel, unknown product 0x2a43 (class display subclass
miscellaneous, rev 0x07) at pci0 dev 2 function 1 not configured
vendor Intel, unknown product 0x2a44 (class communications subclass
miscellaneous, rev 0x07) at pci0 dev 3 function 0 not configured
Intel ICH9 IGP M AMT rev 0x03 at pci0 dev 25 function 0 not configured
uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x03: irq 11
uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x03: irq 11
uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x03: irq 11
ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x03: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
Intel 82801I HD Audio rev 0x03 at pci0 dev 27 function 0 not configured
ppb0 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x03: irq 11
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 1 Intel 82801I PCIE rev 0x03: irq 11
pci2 at ppb1 bus 3
ath0 at pci2 dev 0 function 0 Atheros AR5424 rev 0x01: irq 11
ath0: AR5424 14.2 phy 7.0 rf 0.0, WOR02W, address 00:22:69:86:96:77
ppb2 at pci0 dev 28 function 3 Intel 82801I PCIE rev 0x03: irq 11
pci3 at ppb2 bus 5
ppb3 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x03: irq 11
pci4 at ppb3 bus 13
uhci3 at pci0 dev 29 function 0 Intel 82801I USB rev 0x03: irq 11
uhci4 at pci0 dev 29 function 1 Intel 82801I USB rev 0x03: irq 11
uhci5 at pci0 dev 29 function 2 Intel 82801I USB rev 0x03: irq 11
ehci1 at pci0 dev 29 function 7 Intel 82801I USB rev 0x03: irq 11
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x93
pci5 at ppb4 bus 21
cbb0 at pci5 dev 0 function 0 Ricoh 5C476 CardBus rev 0xba: irq 11
Ricoh 5C832 Firewire rev 0x04 at pci5 dev 0 function 1 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 22 device 0 cacheline 0x0, lattimer 0xb0
pcmcia0 at cardslot0
pcib0 at pci0 dev 31 function 0 vendor Intel, unknown product 0x2917 rev
0x03
ahci0 at pci0 dev 31 function 2 vendor Intel, unknown product 0x2929 rev
0x03: irq 11, AHCI 1.2
scsibus0 at ahci0: 32 targets, initiator 32
sd0 at scsibus0 targ 0 lun 0: ATA, HITACHI HTS72201, DCDZ SCSI3 0/direct
fixed
sd0: 152627MB, 512 bytes/sec, 312581808 sec total
cd0 at scsibus0 targ 1 lun 0: HL-DT-ST, RW/DVD MU10N, 1.05 ATAPI 5/cdrom
removable
Intel 82801I SMBus rev 0x03 at pci0 dev 31 function 3 not configured
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 Intel UHCI root hub rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask fffd netmask fffd ttymask 
rd0: fixed, 3800 blocks
softraid0 at root
root on rd0a swap on rd0b dump on rd0b
ath0: unable to reset hardware; hal status 1
ath0: unable to reset hardware; hal status 3737542104
ath0: unable to reset hardware; hal status 

Need Help badly - PF related

2008-09-21 Thread Parvinder Bhasin
I have users that can access the website fine (75.44.229.18) and some
users who complain they can't access it.  I don't know what gives.  I
have asked on the list for help but still haven't resolved this.  I
would really appreciate any help.  Why is the user in the below pflog
getting blocked, whereas most of the users can access the website
just fine?  I have spent countless hours on this.  I really don't want
a PIX firewall.  When I switch to the PIX the access seems fine.


tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)



Here is my pf.conf file:

# MACROS
ext_if="fxp1"
int_if="fxp0"
pf_log="pflog0"

icmp_types="echoreq"

# OPTIONS
set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
block in log (all, to pflog0)

pass out keep state
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if



Re: pf to block against DDoS?

2008-09-21 Thread Redd Vinylene
From: Redd Vinylene [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: pf to block against DDoS?
Date: Thursday, September 4, 2008 - 3:23 pm
   
Hello hello!
   
I was quite shocked today when I heard I could use pf to block
against DDoS
attacks, using Stateful Tracking Options,
http://www.openbsd.org/faq/pf/filter.html#stateopts.
   
But does anybody have any nice setups of this they'd want to share?
   
  
   From: Oliver Peter [EMAIL PROTECTED]
   To: Redd Vinylene [EMAIL PROTECTED]
   Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
   Subject: Re: pf to block against DDoS?
   Date: Thursday, September 4, 2008 - 4:20 pm
  
   ... nice cross-post.
  
   I can recommend reading through this as well:
 http://www.bgnett.no/~peter/pf/en/bruteforce.html
  
   --
   Oliver PETER, email: [EMAIL PROTECTED], ICQ# 113969174
   If it feels good, you're doing something wrong.
 -- Coach McTavish
  
 
  From: Peter N. M. Hansteen [EMAIL PROTECTED]
  To: Oliver Peter [EMAIL PROTECTED]
  Cc: Redd Vinylene [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL 
  PROTECTED]
  Subject: Re: pf to block against DDoS?
  Date: Friday, September 5, 2008 - 1:54 am
 
  Thanks for recommending that!  However I would generally recommend the
  maintained version which is up at <http://home.nuug.no/~peter/pf/>,
  with the direct link to the part about state tracking and bruteforcers
  at <http://home.nuug.no/~peter/pf/en/bruteforce.html>.
 
  (and of course there's the book, nudge, nudge)
 
  - P
  --
  Peter N. M. Hansteen, member of the first RFC 1149 implementation team
  http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
  Remember to set the evil bit on all malicious network traffic
 
 From: Lars Noodin [EMAIL PROTECTED]
 To: Oliver Peter [EMAIL PROTECTED]
 Cc: Redd Vinylene [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: Re: pf to block against DDoS?
 Date: Thursday, September 4, 2008 - 4:50 pm

 You can also use two tables so that the first overload gets shunted to a
 slow queue and given a second chance before ending up in the second
 table which gets blocked.

 -Lars

Much obliged to all y'all gentlemen for your valuable design insight.

Now, is there anything more I can do to secure my webserver from attacks? Or
perhaps my pf.conf can be simplified / beautified?

Peter N. M. Hansteen: Did I follow your tutorial correctly?

Lars Noodin: Would you happen to have an example of that?

My pf.conf now looks like this:

-

ext_if = "rl0"

int_if = "ep0"

set block-policy return

set skip on { lo0 }

scrub in

table <bruteforce> persist

nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $ext_if proto tcp from any to any port 3 -> 192.168.187.2 port 3

pass out keep state

pass quick on $int_if

block in

block quick from <bruteforce>

pass in on $ext_if inet proto tcp from any to any port { 20, 21, 25, 53, 113, 3:35000 } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

pass in on $ext_if inet proto tcp from any to any port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

pass in on $ext_if inet proto udp from any to any port 53 keep state

pass in on $ext_if inet proto icmp from any to any keep state

-

Have a great week! Cheers!

--
http://www.home.no/reddvinylene
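Lars's two-table idea, written out as an added example ruleset for the ssh case (this is not a ruleset posted in the thread): the first overload only throttles a source, the second blocks it. The ssh limits are the ones used above; the rl0 uplink, the 10Mb ALTQ root, the queue names and the tighter second-stage limits are assumptions.

```pf
# Added example, not from the thread: two-stage overload for ssh.
# Assumed: rl0 uplink, a 10Mb ALTQ root, and the stage-2 limits below.

ext_if = "rl0"

table <suspects>   persist    # first overload: throttled, still allowed in
table <bruteforce> persist    # second overload: blocked outright

set block-policy return
set skip on { lo0 }
scrub in

# Two ALTQ queues: normal traffic, and a starved queue for suspects.
altq on $ext_if cbq bandwidth 10Mb queue { std, slow }
    queue std  bandwidth 95% cbq(default)
    queue slow bandwidth 5%

pass out keep state
block in

# Anyone who tripped the limit twice is blocked.
block in quick from <bruteforce>

# Sources already in <suspects> still get in, but through the slow queue
# and under a tighter limit; tripping it again moves them to <bruteforce>,
# and "flush global" kills every state they hold.
pass in quick on $ext_if inet proto tcp from <suspects> to any port 22 \
    queue slow keep state \
    (max-src-conn 3, max-src-conn-rate 3/60, overload <bruteforce> flush global)

# Everyone else: the same limits as the ruleset above, but the first
# overload only puts the source in <suspects> and flushes the states this
# rule created for it.
pass in on $ext_if inet proto tcp from any to any port 22 keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <suspects> flush)
```

Neither table ages out on its own; a cron entry running `pfctl -t suspects -T expire 3600` (and a longer expiry for `bruteforce`) is what gives a throttled source its second chance.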



Re: pf to block against DDoS?

2008-09-21 Thread Redd Vinylene

Sorry, _this_ is my webserver's pf.conf (the other one was my home
firewall's):

-

mad = "80.202.2.3"

doom = "{ 80.202.2.4 - 80.202.2.127 }"

ext_if = "rl0"

set block-policy return

set skip on { lo0 }

scrub in

table <bruteforce> persist

pass out keep state

block in

block quick from <bruteforce>

pass in on $ext_if inet proto tcp from any to any port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

pass in on $ext_if inet proto tcp from any to $mad port { 25, 53, 80, 110 } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

pass in on $ext_if inet proto udp from any to $mad port 53 keep state

pass in on $ext_if inet proto tcp from any to $doom port { 20, 21, 113, 6000: } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

pass in on $ext_if inet proto icmp from any to any keep state

-

I hope the design adheres to: http://en.wikipedia.org/wiki/KISS_principle

--
http://www.home.no/reddvinylene



PPTP stopped working, need a little help

2008-09-21 Thread Steve B
I spent the evening reworking my pf.conf file in order to get AltQ working.
I successfully have that working, but somewhere along the line I broke PPTP
and can no longer connect back to the office. I have compared my old and new
pf.conf files but have not quite found the problem. I also ran a tcpdump on
the connection but am honestly not sure what I'm looking for. Could I
trouble someone to look over this pf.conf file and see if they can tell me
why PPTP will not work?

### Macros ###

### Interfaces ###
 ext_if="fxp0"
 wire_if="fxp1"

### Global Variables ###
 ext_ip="a.b.c.d"
 wire_network="192.168.1.0/24"
 wire_gw="192.168.1.1/32"
 ftp_server="192.168.1.5"
 workstation="192.168.1.100"

### Tables ###
 table <blacklist> persist file "/etc/tables/blacklist"
 table <ftp-auth>  persist file "/etc/tables/ftp-auth"
 table <sinokorea> const file "/etc/tables/sinokorea"
 table <ssh-bruteforce> persist
 table <voipservers> const file "/etc/tables/voipservers"

### Options ###
# Misc Options
 set require-order yes
 set block-policy drop
 set loginterface $ext_if
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Normalization ###
 scrub on $ext_if all random-id reassemble tcp fragment reassemble

### Queueing ###
 altq on $ext_if hfsc bandwidth 768Kb queue { ack, voip, stream, web, email, p2p, general }
   queue ack     bandwidth 60% priority 7 qlimit 500 hfsc (realtime 50%)
   queue voip    bandwidth 10% priority 6 qlimit 500 hfsc (realtime 10%)
   queue stream  bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%)
   queue web     bandwidth 10% priority 4 qlimit 500 hfsc
   queue email   bandwidth  4% priority 3 qlimit 500 hfsc
   queue p2p     bandwidth  1% priority 3 qlimit 500 hfsc (upperlimit 99%)
   queue general bandwidth  5% priority 2 qlimit 500 hfsc (realtime 5% default)

### Translation ###
 no rdr on lo0 from any to any
 nat on egress from (self)           to any tag EGRESS -> ($ext_if:0)
 nat on egress from $wire_if:network to any tag EGRESS -> ($ext_if:0)

# DENY rogue redirections
 no rdr

### Filtering ###
# Deny spoofed packets
 antispoof log quick for { lo0 $wire_if ($ext_if) }

# Block to/from illegal sources/destinations
 block drop   quick inet6
 block in log quick from no-route to any
 block in quick on $ext_if from <blacklist> to any
 block in quick on $ext_if from <sinokorea> to any
 block in quick on $ext_if from <ssh-bruteforce> to any
 block in quick on $ext_if from any to 255.255.255.255
 block return in quick on $wire_if from any to <blacklist>
 block return in quick on $wire_if from any to 224.0.0.1

# BLOCK all in/out on all interfaces by default
 block log on $ext_if
 block return log on $wire_if

# $ext_if inbound
 pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state
 pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 flags S/SA keep state queue (general) tagged FTPPROXY
 pass in quick log on $ext_if inet proto tcp from any to $ext_if port ssh flags S/SA synproxy state (max 10, source-track rule, max-src-conn 10, max-src-nodes 5, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

# $wire_if outbound
 pass out on $wire_if inet proto tcp  from $wire_if to $wire_if:network flags S/SAFR modulate state
 pass out on $wire_if inet proto tcp  to $ftp_server port 21 user proxy flags S/SA keep state
 pass out on $wire_if inet proto udp  from $wire_if to $wire_if:network keep state
 pass out on $wire_if inet proto icmp from $wire_if to $wire_if:network icmp-type 8 code 0 keep state

# $wire_if inbound
 pass in on $wire_if inet proto tcp  from $wire_if:network to  $wire_if flags S/SAFR modulate state
 pass in on $wire_if inet proto tcp  from $wire_if:network to !$wire_if flags S/SAFR modulate state
 pass in on $wire_if inet proto udp  from $wire_if:network to  $wire_if keep state
 pass in on $wire_if inet proto udp  from $wire_if:network to !$wire_if keep state
 pass in on $wire_if inet proto icmp from $wire_if:network to  $wire_if icmp-type 8 code 0 keep state

# $ext_if outbound
 pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SAFR modulate state queue (general, ack) tagged EGRESS
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 25 flags S/SAFR modulate state queue (email) tagged EGRESS
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 flags S/SAFR modulate state queue (web) tagged EGRESS
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 110 flags S/SAFR modulate state queue (email) tagged EGRESS
 pass out on