Re: pf doesn't filter at all on bge(4)

2011-07-28 Thread Stuart Henderson
On 2011-07-27, Christopher Zimmermann  wrote:
> Ok, solved this one. bge0 was in group "local", which is matched by
>
> set skip on lo
>
> is this the desired behavior? It can catch you by surprise easily!

It's not desired behaviour, I think this should fix it but have
no time to test today

Index: pf_if.c
===
RCS file: /cvs/src/sys/net/pf_if.c,v
retrieving revision 1.62
diff -u -p -u -7 -r1.62 pf_if.c
--- pf_if.c 20 May 2011 22:50:44 -  1.62
+++ pf_if.c 28 Jul 2011 07:11:30 -
@@ -724,15 +724,16 @@ pfi_skip_if(const char *filter, struct p
n = strlen(filter);
if (n < 1 || n >= IFNAMSIZ)
return (1); /* sanity check */
if (filter[n-1] >= '0' && filter[n-1] <= '9')
return (1); /* group names may not end in a digit */
if (p->pfik_ifp != NULL)
TAILQ_FOREACH(i, &p->pfik_ifp->if_groups, ifgl_next)
-   if (!strncmp(i->ifgl_group->ifg_group, filter, n))
+   if (!strncmp(i->ifgl_group->ifg_group,
+   filter, IFNAMSIZ))
return (0); /* iface is in group "filter" */
return (1);
 }
 
 int
 pfi_set_flags(const char *name, int flags)
 {
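Review bot: the bound on the removed line is strlen(filter), so a filter such as "lo" also matched any group whose name merely starts with "lo" (the "local" case reported above); comparing IFNAMSIZ bytes on the added lines lets the NUL that ends the shorter name take part in the compare, so only an identical group name matches, and the n >= IFNAMSIZ sanity check a few lines up guarantees filter is NUL-terminated inside that bound. Worth extending the comment on the return (0) line to say the match is exact, since the old prefix compare looks deliberate at a glance and could be reintroduced.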


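The group match that the diff above corrects, modelled in user space as an added example (this is not code from the thread or from OpenBSD's pf_if.c): the old bounded compare of strlen(filter) bytes lets "set skip on lo" catch an interface whose group is called "local", while a compare bounded by IFNAMSIZ does not. The helper names, the constructed group list for bge0 and the value of IFNAMSIZ (16, as on OpenBSD) are assumptions of this example.

```c
/*
 * Added example, not code from the thread or from OpenBSD's pf_if.c: a
 * user-space model of the group match in pfi_skip_if(). With 'fixed' == 0
 * the compare is bounded by strlen(filter), as before the diff; with
 * 'fixed' == 1 it is bounded by IFNAMSIZ, as after the diff.
 * IFNAMSIZ is assumed to be 16, its value on OpenBSD.
 */
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16

/*
 * Does any group of the interface match the filter? Returns 1 on a match,
 * which is the case where pfi_skip_if() returns 0 ("iface is in group").
 */
int
iface_in_group(const char *filter, const char *const *groups, size_t ngroups,
    int fixed)
{
	size_t n = strlen(filter), i;

	if (n < 1 || n >= IFNAMSIZ)
		return 0;		/* sanity check, as in pfi_skip_if() */
	if (filter[n - 1] >= '0' && filter[n - 1] <= '9')
		return 0;		/* group names may not end in a digit */
	for (i = 0; i < ngroups; i++) {
		/*
		 * With the short bound only the first n bytes are compared, so
		 * "lo" and "local" are equal as far as strncmp() can tell. With
		 * the IFNAMSIZ bound the NUL ending the shorter name is part of
		 * the compare, and only an identical name matches.
		 */
		size_t bound = fixed ? IFNAMSIZ : n;

		if (strncmp(groups[i], filter, bound) == 0)
			return 1;
	}
	return 0;
}

/* Constructed stand-in for bge0's group list from the thread. */
static const char *const bge0_groups[] = { "local", "egress" };
#define NGROUPS (sizeof(bge0_groups) / sizeof(bge0_groups[0]))

/* The two behaviours for "set skip on lo" applied to bge0, side by side. */
int
skip_lo_matches_bge0_before_fix(void)
{
	return iface_in_group("lo", bge0_groups, NGROUPS, 0);
}

int
skip_lo_matches_bge0_after_fix(void)
{
	return iface_in_group("lo", bge0_groups, NGROUPS, 1);
}

int
main(void)
{
	printf("set skip on lo, old compare:    bge0 %s\n",
	    skip_lo_matches_bge0_before_fix() ? "skipped (bug)" : "filtered");
	printf("set skip on lo, new compare:    bge0 %s\n",
	    skip_lo_matches_bge0_after_fix() ? "skipped (bug)" : "filtered");
	printf("set skip on local, new compare: bge0 %s\n",
	    iface_in_group("local", bge0_groups, NGROUPS, 1) ?
	    "skipped (intended)" : "filtered");
	return 0;
}
```

The digit check matters for the comparison: a filter that names an interface directly, such as "bge0", never reaches the group compare, so an interface name can only be skipped through its own name, not through a group name that happens to share a prefix with it.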

Re: Problem pf 4.9 ( grrrrr )

2011-07-28 Thread Stuart Henderson
On 2011-07-27, hvom .org  wrote:
> Hi
>
> I have a problem with packet-filter on OpenBSD 4.9!
>
> I read in /etc/pf.conf:
>
> scrub in all  > syntax error
>
> scrub in > syntax error
>
> match in all scrub > syntax error
>
> scrub in all on $re0 > syntax error
>
>
> I'm going crazy, help me please!!!
>
>

http://www.openbsd.org/faq/upgrade46.html#newPF
http://www.openbsd.org/faq/upgrade47.html#newPFnat

And for 5.0 there will be more changes currently detailed in
http://www.openbsd.org/faq/current.html



Re: Samples for your test

2011-07-28 Thread Ivan
Good morning! This is Ivan from China. Recently, we launched some new LED
bulbs, so I'm in a hurry to share with you. The lumen is up to 90lm/w,
CRI>80Ra. If any designs appeal to you, don't forget to give me feedback!
Meanwhile, I have also worked in this field over the years, so I'm quite
familiar with the Chinese LED market. If you need any help, please kindly let
me know. I'm very pleased to lend a hand. Just remember: Ivan---always at
your service 24 hours! 0086-18664351678

Best regards,
Ivan
Smartgreen
Web: http://www.smtgreen.com
Contact: Ivan
TEL: 0086-755-88856336
Mobile: 0086-18664351678
Skype: ivan_binfeng
Address: 2nd block, ChaoHuiLou Industrial & Technology Park, HuaTing Road, Baoan
District, Shenzhen City, China



Re: Samples for your test

2011-07-28 Thread Ivan
Web: http://www.smtgreen.com

Good morning! This is Ivan from China. Recently, we launched some new LED
bulbs, so I'm in a hurry to share with you. The lumen is up to 90lm/w,
CRI>80Ra. If any designs appeal to you, don't forget to give me feedback!
Meanwhile, I have also worked in this field over the years, so I'm quite
familiar with the Chinese LED market. If you need any help, please kindly let
me know. I'm very pleased to lend a hand. Just remember: Ivan---always at
your service 24 hours! 0086-15112504704

Best regards,
Ivan
Smartgreen
Contact: Ivan
TEL: 0086-755-88856336
Mobile: 0086-15112504704
Skype: ivan_binfeng
Address: 2nd block, ChaoHuiLou Industrial & Technology Park, HuaTing Road, Baoan
District, Shenzhen City, China



Re: IPsec 4.9>4.9 VPN

2011-07-28 Thread Axel Rau
On 22.07.2011 at 00:13, Mikeal Clark wrote:

> 163350.058716 Default ike_phase_1_recv_ID: received remote ID other than
> expected 1.2.3.4
I think you need
 srcid 1.2.3.4 dstid 5.6.7.8
on site A ike.

Axel
---
PGP-Key:29E99DD6 · +49 151 2300 9283 · computing @ chaos claudius



Problem : no traffic on on a second network interface card

2011-07-28 Thread wp10596728-4
Hi all,

I have a machine with OpenBSD 4.8, which I want to use as a gateway.
But I can not get any traffic on the 2nd nic.
Forwarding for inet and inet6 is set to 1.
It is not a problem of the nics. If I install nic2 first then it works and
nic1 doesn't work.
It is also not a problem of PF, which is disabled for testing.

Can anybody tell me what else I need to look at?


Klaus



Re: No sound with ATI SBx00 HD Audio

2011-07-28 Thread Greg Jones

On 07/27/11 16:42, Christiano F. Haesbaert wrote:
> I found out the datasheet for 0x4383
>
> http://developer.amd.com/assets/43009_sb7xx_rrg_pub_1.00.pdf
>
> I've no knowledge of PCI to debug it though.


Try something like this in rc.local and see if it works.

# Setting "Mother Board Audio Device" as Default Audio Device

echo '.'

echo -n ' Setting /dev/{audio,sound,audioctl,mixer} to Azalia0'

p=1

ln -sf /dev/audio$p /dev/audio
ln -sf /dev/sound$p /dev/sound
ln -sf /dev/audioctl$p /dev/audioctl
ln -sf /dev/mixer$p /dev/mixer

echo '.'



routing problem with 2nd default route via ipsec

2011-07-28 Thread Axel Rau
Hi all,

I have a routing firewall, which is also an IPsec client, like this:

   ppp uplink (IPv4)
  |
   dc3|pppoe0
 +++
 |+|dc1
 |   enc0  +- DMZ2
 | |
 | |dc0
 | +- DMZ1
 | |
 +++
  | em0
  Intranet

DMZ2 has public address space (here named 11.222.33.128/25). Outgoing traffic
from this net should go through the IPsec tunnel.

IPv4 traffic from Intranet and DMZ1 to non-local addresses outside 11.222.33/24
uses the default route via NAT and pppoe0 as expected.

What drives me nuts is: all traffic to 11.222.33/24 from em0 and dc1 (including
all CARP traffic from its carp2) goes to enc0, like this:

11:10:19.428653 rule 18/(match) [uid 0, pid 15367] block out on enc0: \
carp 11.222.33.132 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 \
advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 59211, len 56, bad cksum 0!)


What's going on here?

route-to in pf.conf seems to have no influence.


Encap:
Source              Port  Destination         Port  Proto  SA(Address/Proto/Type/Direction)
11.222.33.64/26     0     172.16.9/24         0     0      111.222.111.222/esp/use/in
172.16.9/24         0     11.222.33.64/26     0     0      111.222.111.222/esp/require/out
11.222.33.16/28     0     192.168.110/24      0     0      111.222.111.222/esp/use/in
192.168.110/24      0     11.222.33.16/28     0     0      111.222.111.222/esp/require/out
default             0     2001:a12:d:10::/60  0     0      111.222.111.222/esp/use/in
2001:a12:d:10::/60  0     default             0     0      111.222.111.222/esp/require/out
default             0     11.222.33.128/25    0     0      111.222.111.222/esp/use/in
11.222.33.128/25    0     default             0     0      111.222.111.222/esp/require/out
11.222.33.64/26     0     192.168.110/24      0     0      111.222.111.222/esp/use/in
192.168.110/24      0     11.222.33.64/26     0     0      111.222.111.222/esp/require/out

root# ifconfig dc1
dc1: flags=8943 mtu 1500
lladdr 00:80:c8:b9:04:ce
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 11.222.33.132 netmask 0xff80 broadcast 11.222.33.255
inet6 fe80::280:c8ff:feb9:4ce%dc1 prefixlen 64 scopeid 0x3
inet6 2001:a12:d:18::b prefixlen 64

carp2: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:03
priority: 0
carp: MASTER carpdev dc1 vhid 3 advbase 1 advskew 0
groups: carp
status: master
inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xd
inet 11.222.33.139 netmask 0xff80 broadcast 11.222.33.255
inet6 2001:a12:d:18::c prefixlen 64

This is a GENERIC snapshot from about 2011-06-08.
I have net.inet.ip.multipath=1

What am I doing wrong?
Time to start using rdomains / multiple rtables?

Axel
---
PGP-Key:29E99DD6 · +49 151 2300 9283 · computing @ chaos claudius



Re: Problem : no traffic on on a second network interface card

2011-07-28 Thread rancor
Well, it would be nice to have some more info like dmesg, hostname.? and
other info to help you solve the problem.

// rancor
On 28 Jul 2011 12:51, "wp10596728-4" wrote:
> Hi all,
>
> I have a machine with OpenBSD 4.8, which I want to use as a gateway.
> But I can not get any traffic on the 2nd nic.
> Forwarding for inet and inet6 is set to 1.
> It is not a problem of the nics. If I install nic2 first then it works and
> nic1 doesn't work.
> It is also not a problem of PF, which is disabled for testing.
>
> Can anybody tell me what else I need to look at?
>
>
> Klaus



Re: routing problem with 2nd default route via ipsec

2011-07-28 Thread Gregory Edigarov
On Thu, 28 Jul 2011 13:23:02 +0200
Axel Rau  wrote:

> Hi all,
> 
> I have a routing firewall, which is also an IPsec client, like this:
> 
>ppp uplink (IPv4)
>   |
>dc3|pppoe0
>  +++
>  |+|dc1
>  |   enc0  +- DMZ2
>  | |
>  | |dc0
>  | +- DMZ1
>  | |
>  +++
>   | em0
>   Intranet
> 
> DMZ2 has public address space (here named 11.222.33.128/25). Outgoing
> traffic from this net should go through the ipsec tunnel.
> 
> IPv4 traffic from Intranet and DMZ1 to non-local addresses outside
> 11.222.33/24 uses the default route via NAT and pppoe0 as expected.
> 
> What drives me nuts is: All traffic to  11.222.33/24 from em0 and dc1
> (including
> all CARP traffic from its carp2) go to enc0, like this:
> 
> 11:10:19.428653 rule 18/(match) [uid 0, pid 15367] block out on enc0:
> \ carp 11.222.33.132 > 224.0.0.18: CARPv2-advertise 36: vhid=3
> advbase=1 \ advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 59211,
> len 56, bad cksum 0!)
> 
> 
> What's going on here?
> 
> route-to in pf.conf seems to have no influence.

let me guess
I think you just need to allow traffic on enc0

set skip on enc0 

should be enough



Re: routing problem with 2nd default route via ipsec

2011-07-28 Thread Axel Rau
On 28.07.2011 at 16:06, Gregory Edigarov wrote:

> let me guess
> I think you just need to allow traffic on enc0
>
> set skip on enc0
No, it's not that easy. (-;
I block carp multicast messages on enc0 and just showed that.
A tcpdump on enc0 would have shown the same.
The problem is that those multicasts should go out on dc1, not come in.

Axel
---
PGP-Key:29E99DD6 · +49 151 2300 9283 · computing @ chaos claudius



Re: No sound with ATI SBx00 HD Audio

2011-07-28 Thread Christiano F. Haesbaert
On 28 July 2011 07:50, Greg Jones  wrote:
> On 07/27/11 16:42, Christiano F. Haesbaert wrote:
>>
>> I found out the datasheet for 0x4383
>>
>> http://developer.amd.com/assets/43009_sb7xx_rrg_pub_1.00.pdf
>>
>> I've no knowledge of PCI to debug it though.
>>
> Try something like this in rc.local and see if it works.
>
> # Setting "Mother Board Audio Device" as Default Audio Device
>
> echo '.'
>
> echo -n ' Setting /dev/{audio,sound,audioctl,mixer} to Azalia0'
>
> p=1
>
> ln -sf /dev/audio$p /dev/audio
> ln -sf /dev/sound$p /dev/sound
> ln -sf /dev/audioctl$p /dev/audioctl
> ln -sf /dev/mixer$p /dev/mixer
>
> echo '.'
>

The links were fine, I checked them.
Also although I had an azalia0, I had no audio at azalia0, so the
audio links couldn't be wrong I suppose.



Re: amd64 snapshot mp drops on ibm X3560 M2

2011-07-28 Thread Dorian Büttner

On 28.07.2011 08:01, Matthew Dempsky wrote:

> On Wed, Jul 27, 2011 at 2:44 PM, Dorian Büttner  wrote:
>
>> Actually gotten fingers on a somewhat powerful machine and I thought why not
>> test a snapshot on it.
>> Leading is bsd with ps and trace, followed by bsd.sp which boots ok.
>> Hope this is not a maloperation?
>
> Looks like acpicpu(4) doesn't like the DSDT's _PSS value.
>
> Run "acpidump -o ibm-x3560-m2" as root and it will generate a bunch of
> ibm-x3560-m2.* files.  Tar these up and upload them somewhere so the
> ACPI hackers can take a look and figure out what's wrong.

Posted the tar over here:

http://www.2shared.com/file/-XMSjFgY/ibm-x3560-m2.html

Thanks again,
Dorian



Re: nat-to broken: (if) notation increments nat-to ip by one

2011-07-28 Thread Claudio Jeker
On Wed, Jul 27, 2011 at 10:37:30PM +0200, Christopher Zimmermann wrote:
> Hi,
> 
> pppoe0 has 92.203.101.134.
> this works fine:
> 
> match out log on egress inet from 192.168.23.0/24 nat-to pppoe0
> 
> tcpdump while pinging:
> 92.203.101.134 > 74.125.39.147: icmp: echo request
> 74.125.39.147 > 92.203.101.134: icmp: echo reply
> 92.203.101.134 > 74.125.39.147: icmp: echo request
> 74.125.39.147 > 92.203.101.134: icmp: echo reply
> 
> 
> But this doesn't:
> 
> match out log on egress inet from 192.168.23.0/24 nat-to (pppoe0)
> 
> tcpdump while pinging:
> 92.203.101.135 > 74.125.39.147: icmp: echo request
> 92.203.101.135 > 74.125.39.147: icmp: echo request
> 
> in the (pppoe0) mode the IP address is always incremented by one.
> This also happens to other ips, not just 92.203.101.134.
> 
> 
> pppoe0: flags=8851 mtu 1492
> priority: 0
> dev: ep1 state: session
> sid: 0x166f PADI retries: 1 PADR retries: 0 time: 00:11:21
> sppp: phase network authproto pap
> groups: pppoe egress
> status: active
> inet6 fe80::211:25ff:feae:e0c%pppoe0 ->  prefixlen 64 scopeid 0x6
> inet 92.203.101.134 --> 213.148.133.4 netmask 0x
 
What kernel did you use? A few things happened lately in pf(4) that could
affect nat-to. Please include a dmesg so we have an idea how old your
kernel is.

I will play a bit tonight and see if I see the problem as well.
-- 
:wq Claudio



Re: nat-to broken: (if) notation increments nat-to ip by one

2011-07-28 Thread Claudio Jeker
On Thu, Jul 28, 2011 at 08:51:41PM +0200, Claudio Jeker wrote:
> On Wed, Jul 27, 2011 at 10:37:30PM +0200, Christopher Zimmermann wrote:
> > Hi,
> > 
> > pppoe0 has 92.203.101.134.
> > this works fine:
> > 
> > match out log on egress inet from 192.168.23.0/24 nat-to pppoe0
> > 
> > tcpdump while pinging:
> > 92.203.101.134 > 74.125.39.147: icmp: echo request
> > 74.125.39.147 > 92.203.101.134: icmp: echo reply
> > 92.203.101.134 > 74.125.39.147: icmp: echo request
> > 74.125.39.147 > 92.203.101.134: icmp: echo reply
> > 
> > 
> > But this doesn't:
> > 
> > match out log on egress inet from 192.168.23.0/24 nat-to (pppoe0)
> > 
> > tcpdump while pinging:
> > 92.203.101.135 > 74.125.39.147: icmp: echo request
> > 92.203.101.135 > 74.125.39.147: icmp: echo request
> > 
> > in the (pppoe0) mode the IP address is always incremented by one.
> > This also happens to other ips, not just 92.203.101.134.
> > 
> > 
> > pppoe0: flags=8851 mtu 1492
> > priority: 0
> > dev: ep1 state: session
> > sid: 0x166f PADI retries: 1 PADR retries: 0 time: 00:11:21
> > sppp: phase network authproto pap
> > groups: pppoe egress
> > status: active
> > inet6 fe80::211:25ff:feae:e0c%pppoe0 ->  prefixlen 64 scopeid 0x6
> > inet 92.203.101.134 --> 213.148.133.4 netmask 0x
>  
> What kernel did you use? A few things happened lately in pf(4) that could
> affect nat-to. Please include a dmesg so we have an idea how old your
> kernel is.
> 
> I will play a bit tonight and see if I see the problem as well.

Yup. The weighted round-robin stuff broke it. Here is a diff to fix the
problem. To be honest, I'm not even sure it makes sense to enter the
weight loop in the PF_ADDR_DYNIFTL case since there is no way to specify
a weight on a dynamic table. Ryan, Henning, Jorg, what is your opinion?

Quick testing seems to indicate that least-state is not affected.

-- 
:wq Claudio

Index: pf_lb.c
===
RCS file: /cvs/src/sys/net/pf_lb.c,v
retrieving revision 1.16
diff -u -p -r1.16 pf_lb.c
--- pf_lb.c 27 Jul 2011 00:26:10 -  1.16
+++ pf_lb.c 28 Jul 2011 20:29:45 -
@@ -416,7 +416,10 @@ pf_map_addr(sa_family_t af, struct pf_ru
return (1);
 
/* iterate over table if it contains entries which are weighted 
*/
-   if (rpool->addr.p.tbl->pfrkt_refcntcost > 0) {
+   if ((rpool->addr.type == PF_ADDR_TABLE &&
+   rpool->addr.p.tbl->pfrkt_refcntcost > 0) ||
+   (rpool->addr.type == PF_ADDR_DYNIFTL &&
+   rpool->addr.p.dyn->pfid_kt->pfrkt_refcntcost > 0)) {
do {
if (rpool->addr.type == PF_ADDR_TABLE) {
if (pfr_pool_get(rpool->addr.p.tbl,
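Review bot: the removed condition read rpool->addr.p.tbl whatever rpool->addr.type held, so for a PF_ADDR_DYNIFTL pool (the nat-to (pppoe0) case in this thread) it tested the wrong member of the address union and could enter the weighted loop by accident; the added type checks fix that. Given the accompanying remark that no weight can be configured on a dynamic table, the PF_ADDR_DYNIFTL half of the new test cannot become true in practice, so either drop it or add a comment saying it is kept on purpose so the type dispatch inside the loop stays consistent with the entry condition.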
@@ -434,11 +437,15 @@ pf_map_addr(sa_family_t af, struct pf_ru
&rpool->curweight, af,
pf_islinklocal))
return (1);
-   } else if (pf_match_addr(0, raddr, rmask,
-   &rpool->counter, af))
+   } else {
+   log(LOG_ERR, "pf: pf_map_addr: "
+   "weighted RR failure");
return (1);
+   }
+   if (rpool->weight >= rpool->curweight)
+   break;
PF_AINC(&rpool->counter, af);
-   } while (rpool->weight < rpool->curweight);
+   } while (1);
  
weight = rpool->weight;
}
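Review bot: the behavioural fix in this hunk is the ordering, not the else branch: the old loop ran PF_AINC(&rpool->counter, af) unconditionally before the while test, so even when the entry just picked already satisfied the weight check the counter came back bumped by one (the .134 to .135 symptom reported above); the added `if (rpool->weight >= rpool->curweight) break;` ahead of PF_AINC is what stops that, and a one-line comment on the break saying it must precede the increment would keep someone from reordering it later. Separately, the new else branch calls log(LOG_ERR, ...) from the per-packet path; if it is reachable at all it could be noisy, so a DPFPRINTF-style or rate-limited message would be the safer choice.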


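The loop ordering that Claudio's second hunk changes, modelled in user space as an added example (this is not code from the thread or from OpenBSD's pf_lb.c): the old shape bumps the cursor before testing the weight and so hands back the address one above the one it picked, which is the .134 to .135 symptom; the reordered shape breaks out before the bump. The struct layout, pool_get() and both sample pools are assumptions of this example; real pf keeps its cursor in rpool->counter and walks a pfr_ktable, which this model reduces to a sorted array, and the wrong-union-member test fixed by the first hunk is not modelled here.

```c
/*
 * Added example, not code from the thread or from OpenBSD's pf_lb.c: a
 * simplified model of the weighted round-robin loop in pf_map_addr(), just
 * enough to show why the old loop shape returned the address one above the
 * one it picked and why the reordered loop does not. Struct layout,
 * pool_get() and the sample pools are assumptions of this example.
 */
#include <stdint.h>
#include <stdio.h>

struct entry {
	uint32_t addr;		/* IPv4 address as a host-order integer */
	int weight;
};

struct pool {
	const struct entry *tbl;
	size_t ntbl;
	uint32_t counter;	/* stand-in for rpool->counter, the cursor */
	int weight;		/* weight of the entry last picked (rpool->weight) */
	int curweight;		/* weight a pick must reach (rpool->curweight) */
};

static uint32_t
ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return (a << 24) | (b << 16) | (c << 8) | d;
}

/*
 * Stand-in for pfr_pool_get(): load the first entry at or above the cursor
 * into counter/weight, wrapping to the first entry once the cursor has run
 * past the end. Returns 1 on an empty pool.
 */
static int
pool_get(struct pool *p)
{
	size_t i;

	if (p->ntbl == 0)
		return 1;
	for (i = 0; i < p->ntbl; i++)
		if (p->tbl[i].addr >= p->counter)
			break;
	if (i == p->ntbl)
		i = 0;
	p->counter = p->tbl[i].addr;
	p->weight = p->tbl[i].weight;
	return 0;
}

/* Loop shape before the diff: the cursor is bumped before the weight test. */
int
map_addr_old(struct pool *p, uint32_t *out)
{
	do {
		if (pool_get(p))
			return 1;
		p->counter++;		/* PF_AINC() ran unconditionally here */
	} while (p->weight < p->curweight);
	*out = p->counter;
	return 0;
}

/* Loop shape after the diff: test first, break before the bump. */
int
map_addr_new(struct pool *p, uint32_t *out)
{
	do {
		if (pool_get(p))
			return 1;
		if (p->weight >= p->curweight)
			break;
		p->counter++;
	} while (1);
	*out = p->counter;
	return 0;
}

/* Constructed pool 1: nat-to (pppoe0) as in the thread, one address. */
uint32_t
pick_dynif(int fixed)
{
	const struct entry one[] = { { ip4(92, 203, 101, 134), 1 } };
	struct pool p = { one, 1, 0, 0, 1 };
	uint32_t out = 0;

	if ((fixed ? map_addr_new(&p, &out) : map_addr_old(&p, &out)) != 0)
		return 0;
	return out;
}

/* Constructed pool 2: two weighted entries, the first below the threshold. */
uint32_t
pick_weighted(int fixed)
{
	const struct entry two[] = {
		{ ip4(10, 0, 0, 1), 1 },
		{ ip4(10, 0, 0, 2), 3 },
	};
	struct pool p = { two, 2, 0, 0, 2 };
	uint32_t out = 0;

	if ((fixed ? map_addr_new(&p, &out) : map_addr_old(&p, &out)) != 0)
		return 0;
	return out;
}

static void
print_ip(const char *label, uint32_t a)
{
	printf("%s %u.%u.%u.%u\n", label, a >> 24, (a >> 16) & 0xff,
	    (a >> 8) & 0xff, a & 0xff);
}

int
main(void)
{
	print_ip("nat-to (pppoe0), old loop:", pick_dynif(0));
	print_ip("nat-to (pppoe0), new loop:", pick_dynif(1));
	print_ip("weighted pool, old loop:  ", pick_weighted(0));
	print_ip("weighted pool, new loop:  ", pick_weighted(1));
	return 0;
}
```

The second pool shows that the reorder does not change which entry the loop walks to: both shapes end on the entry whose weight reaches curweight, and only the old shape returns that entry's address plus one.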

Transparent smtp/pop3 proxy

2011-07-28 Thread R0me0 ***
Hello misc.

I would like to know if it is possible to do the following:

clients--OpenBSD_FWExternal_mail_server

When clients send or receive an email, OpenBSD catches this mail and sends a
copy of it to another email account; it must be transparent to the user.

Please, can anybody indicate the correct way to do this?

Thanks in advance

Cheers,



Re: Transparent smtp/pop3 proxy

2011-07-28 Thread Johan Beisser
On Thu, Jul 28, 2011 at 2:00 PM, R0me0 ***  wrote:
> Hello misc.
>
> I would like to know if it is possible to do the following:
>
> clients--OpenBSD_FWExternal_mail_server
>
> When clients send or receive an email, OpenBSD catches this mail and sends a
> copy of it to another email account; it must be transparent to the user.

Yes it's possible. And trivial.

> Please, anybody, can indicate the correctly way to do this?

No.



Re: Incorrect NAT translation for sip traffic ?

2011-07-28 Thread Stuart Henderson
Whatever this is (and I don't have the slightest clue what that
might be), I noticed it on a 4.9 box the other day, upgraded to
-current, still see it there.

$ sysctl kern.version
kern.version=OpenBSD 5.0-beta (GENERIC) #22: Tue Jul 26 06:24:05 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

$ head -1 messages;date;grep 187.170.255.239 message
Jul 28 19:00:01 bath-gw newsyslog[19970]: logfile turned over
Thu Jul 28 23:07:26 BST 2011
Jul 28 19:46:36 bath-gw /bsd: pf: state key linking mismatch! dir=OUT, if=em3, stored af=2, a0: 85.158.44.147:2048, a1: 192.168.0.253:5060, proto=17, found af=2, a0: 99.160.113.24:28952, a1: 187.170.255.239:25504, proto=17
Jul 28 19:54:34 bath-gw /bsd: pf: state key linking mismatch! dir=OUT, if=em3, stored af=2, a0: 85.158.44.147:2048, a1: 192.168.0.253:5060, proto=17, found af=2, a0: 99.160.113.24:28952, a1: 187.170.255.239:25504, proto=17
Jul 28 19:56:36 bath-gw /bsd: pf: state key linking mismatch! dir=OUT, if=em3, stored af=2, a0: 85.158.44.147:2048, a1: 192.168.0.253:5060, proto=17, found af=2, a0: 99.160.113.24:28952, a1: 187.170.255.239:25504, proto=17
Jul 28 20:19:33 bath-gw /bsd: pf: state key linking mismatch! dir=OUT, if=em3, stored af=2, a0: 85.158.44.147:2048, a1: 192.168.0.253:5060, proto=17, found af=2, a0: 99.160.113.24:28952, a1: 187.170.255.239:25504, proto=17
Jul 28 20:21:36 bath-gw /bsd: pf: state key linking mismatch! dir=OUT, if=em3, stored af=2, a0: 85.158.44.147:2048, a1: 192.168.0.253:5060, proto=17, found af=2, a0: 99.160.113.24:28952, a1: 187.170.255.239:25504, proto=17
Jul 28 21:48:33 bath-gw /bsd: pf: state key linking mismatch! dir=OUT, if=trunk0, stored af=2, a0: 85.158.44.147:2048, a1: 192.168.0.253:5060, proto=17, found af=2, a0: 192.168.0.253:5060, a1: 187.170.255.239:2048, proto=17
Jul 28 22:40:35 bath-gw /bsd: pf: state key linking mismatch! dir=OUT, if=trunk0, stored af=2, a0: 85.158.44.147:2048, a1: 192.168.0.253:5060, proto=17, found af=2, a0: 192.168.0.253:5060, a1: 187.170.255.239:2048, proto=17
Jul 28 22:57:35 bath-gw /bsd: pf: state key linking mismatch! dir=OUT, if=trunk0, stored af=2, a0: 85.158.44.147:2048, a1: 192.168.0.253:5060, proto=17, found af=2, a0: 192.168.0.253:5060, a1: 187.170.255.239:2048, proto=17

bath-gw is rdr'ing traffic from 85.158.44.147, a snom 360 on an
external network, to 192.168.0.253 which is an asterisk box.

99.160.113.24 is nothing to do with me, 187.170.255.239 (the same
address Magnus sees) is also nothing to do with me.


On 2011-06-23, Magnus Rixtorp  wrote:
> Lets get some standard stuff out of the way first.
>
> # uname -a
> OpenBSD pbxfw 4.9 GENERIC#671 i386
>
> # dmesg
> OpenBSD 4.9 (GENERIC) #671: Wed Mar  2 07:09:00 MST 2011
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR
> real mem  = 2137120768 (2038MB)
> avail mem = 2092023808 (1995MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 02/09/05, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf0450 (74 entries)
> bios0: vendor Dell Inc. version "A04" date 02/09/2005
> bios0: Dell Inc. OptiPlex GX280
> acpi0 at bios0: rev 0
> acpi0: sleep states S0 S1 S3 S4 S5
> acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET
> acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI1(S5) PCI2(S5) PCI3(S5) PCI4(S5) MOU_(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 199MHz
> ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 8
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 4 (PCI1)
> acpiprt1 at acpi0: bus 2 (PCI2)
> acpiprt2 at acpi0: bus 3 (PCI3)
> acpiprt3 at acpi0: bus 1 (PCI4)
> acpiprt4 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C3
> acpibtn0 at acpi0: VBTN
> bios0: ROM list: 0xc/0xa800! 0xca800/0x1800!
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82915G Host" rev 0x04
> ppb0 at pci0 dev 1 function 0 "Intel 82915G PCIE" rev 0x04: apic 8 int 16 (irq 11)
> pci1 at ppb0 bus 1
> vga1 at pci0 dev 2 function 0 "Intel 82915G Video" rev 0x04
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> intagp0 at vga1
> agp0 at intagp0: aperture at 0xc000, size 0x1000
> inteldrm0 at vga1: apic 8 int 16 (irq 11)
> drm0 at inteldrm0
> "Intel 82915G Video" rev 0x04 at pci0 dev 2 function 1 not configured
> ppb1 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03: apic 8 int 16 (irq 11)
> pci2 at ppb1 bus 2
> bge0 at pci2 dev 0 function 0 "Broadcom BCM5751" r

hello

2011-07-28 Thread info
Wholesaler of promotional T-shirts, caps and polo shirts for your company or
organisation

Maximum quality at the best price on the market. We have a large stock
available. We handle urgent orders

Our products do not lose colour in the wash, do not stretch and the print does
not peel off - they do not shrink or lose their shape

T-shirts with the print you want from $21.90 per unit

Polo shirts with the embroidery you want $55 per unit

Gabardine caps with the embroidery you want $11.90 per unit

Wholesale only, minimum 100 units

WE SERVE LARGE COMPANIES, POLITICAL PARTIES, CLUBS, UNIONS,
PUBLIC BODIES, SMEs, NGOs, ETC

With your enquiry, send the image of the logo or print you want in
jpg format

Please send us your telephone number so we can contact you

Call us on 11-4225-4962 from 10 to 18 h

ATTENTION: SEND ENQUIRIES ONLY TO THIS EMAIL:
infoconsul...@mail.ru

Promotion for political parties and large companies

5000 Jersey T-shirts, carded cotton 24/1: $17.90 including the print
1 Jersey T-shirts, carded cotton 24/1 $15.90 including the print

We also have hoodies, aprons, bags and much more ...



Re: Transparent smtp/pop3 proxy

2011-07-28 Thread roberth
On Thu, 28 Jul 2011 18:00:03 -0300
"R0me0 ***"  wrote:

> when clients send or receive an email, OpenBSD catch this mail and
> send a copy of this to another email account, it must be
> transparently to user.

bad juju!

sooo, you want to intercept email not destined for yourself.
you are asking about it on a public mailinglist.
hmmm, hot water, bad karma.

ethically "you will be reborn as a snail and those that help you with it
won't even have a house on their backs".

if you have control over the clients that are sending mail, let's say in
a corporate environment, where the people sending mail are aware of the
"copying policy"...
you don't do it transparently, but by mandatorily configuring the mail
clients to use one of your smarthosts to send mail. copy/duplicate it
there. that's an smtpd solution you are looking for.

otherwise, feel obligated to educate your "clients" to configure their
mail clients to use ssl/tls for receiving/sending mail.

if you are being pressured into implementing that spy stuff, let's say by
your boss, just tell ver "i'll get to it". if you get fired over it,
get a lawyer and a hopefully satisfying settlement.

blub,
- Robert



Re: Transparent smtp/pop3 proxy

2011-07-28 Thread R0me0 ***
Hello Robert,

I appreciated your email:

I would like explain:

Yes, it is a corporate organization; all employees are aware that a copy of
sent and received email is made.
All employees sign a document stating that they are aware. Here in Brazil,
since a signed document exists, it is valid, of course.
Nothing illegal.
Thank you, you helped me so much,

Cheers,



2011/7/28 roberth 

> On Thu, 28 Jul 2011 18:00:03 -0300
> "R0me0 ***"  wrote:
>
> > when clients send or receive an email, OpenBSD catch this mail and
> > send a copy of this to another email account, it must be
> > transparently to user.
>
> bad juju!
>
> sooo, you want to intercept email not destined for yourself.
> you are asking about it on a public mailinglist.
> hmmm, hot water, bad karma.
>
> ethically "you will be reborn as a snail and those that help you with it
> won't even have a house on their backs".
>
> if you have control over the clients that are sending mail, let's say in
> a corporate environment, where the people sending mail are aware of the
> "copying policy"...
> you don't do it transparently, but by mandatorily configuring the mail
> clients to use one of your smarthosts to send mail. copy/duplicate it
> there. that's an smtpd solution you are looking for.
>
> otherwise, feel obligated to educate your "clients" to configure their
> mail clients to use ssl/tls for receiving/sending mail.
>
> if you are being pressured into implementing that spy stuff, let's say by
> your boss, just tell ver "i'll get to it". if you get fired over it,
> get a lawyer and a hopefully satisfying settlement.
>
> blub,
>- Robert



Re: Transparent smtp/pop3 proxy

2011-07-28 Thread roberth
On Thu, 28 Jul 2011 19:39:20 -0300
"R0me0 ***"  wrote:

> Yes, it is a corporate organization; all employees are aware that a copy of
> sent and received email is made.
> All employees sign a document stating that they are aware. Here in Brazil,
> since a signed document exists, it is valid, of course.
> Nothing illegal.
> Thank you, you helped me so much,

So the incoming mail already touches "your own" smtpd.
For outgoing mail, as I said, _smarthost_ and do the best you can to
block any mail that isn't going out through there (e.g. via pf rules).
You will only catch the low-hanging fruit as there are too many
possible ways to deceive by any determined person.
Blocking all webmail websites from work? :)

It only works if the people are not trying to get around the set
limitations. Even with deep packet inspection, you won't get that one
mail you setup all that hupla-di-do up for.

Cheers,
- Robert



Re: nat-to broken: (if) notation increments nat-to ip by one

2011-07-28 Thread C. Bensend
> On Thu, Jul 28, 2011 at 08:51:41PM +0200, Claudio Jeker wrote:
>> On Wed, Jul 27, 2011 at 10:37:30PM +0200, Christopher Zimmermann wrote:
>> > Hi,
>> >
>> > pppoe0 has 92.203.101.134.
>> > this works fine:
>> >
>> > match out log on egress inet from 192.168.23.0/24 nat-to pppoe0
>> >
>> > tcpdump while pinging:
>> > 92.203.101.134 > 74.125.39.147: icmp: echo request
>> > 74.125.39.147 > 92.203.101.134: icmp: echo reply
>> > 92.203.101.134 > 74.125.39.147: icmp: echo request
>> > 74.125.39.147 > 92.203.101.134: icmp: echo reply
>> >
>> >
>> > But this doesn't:
>> >
>> > match out log on egress inet from 192.168.23.0/24 nat-to (pppoe0)
>> >
>> > tcpdump while pinging:
>> > 92.203.101.135 > 74.125.39.147: icmp: echo request
>> > 92.203.101.135 > 74.125.39.147: icmp: echo request
>> >
>> > in the (pppoe0) mode the IP address is always incremented by one.
>> > This also happens to other ips, not just 92.203.101.134.
>> >
>> >
>> > pppoe0: flags=8851 mtu 1492
>> > priority: 0
>> > dev: ep1 state: session
>> > sid: 0x166f PADI retries: 1 PADR retries: 0 time: 00:11:21
>> > sppp: phase network authproto pap
>> > groups: pppoe egress
>> > status: active
>> > inet6 fe80::211:25ff:feae:e0c%pppoe0 ->  prefixlen 64 scopeid
>> 0x6
>> > inet 92.203.101.134 --> 213.148.133.4 netmask 0x
>>
>> What kernel did you use? A few things happened lately in pf(4) that could
>> affect nat-to. Please include a dmesg so we have an idea how old your
>> kernel is.
>>
>> I will play a bit tonight and see if I see the problem as well.
>
> Yup. The weighted round-robin stuff broke it. Here is a diff to fix the
> problem. To be honest, I'm not even sure it makes sense to enter the
> weight loop in the PF_ADDR_DYNIFTL case since there is no way to specify
> a weight on a dynamic table. Ryan, Henning, Jorg, what is your opinion?

I had a firewall die on me last night, so I rebuilt with the
current i386 snapshot.  I also experienced NAT failure - it parsed
and loaded my pf.conf, but refused to NAT anything.  And yes, I
had net.inet.ip.forwarding enabled.  :)

I found a Soekris in my lab that had the following snapshot on it:

OpenBSD 4.9-current (GENERIC) #8: Wed Jul 13 09:47:42 MDT 2011

Putting that one into service *worked*, I have my internet
connection back.  So, that narrows it down a bit hopefully - it
broke between July 13th and July 27th.

Hope this helps.  If not, sorry for the noise.

Benny


-- 
"Open your door, or I open your wall."
 -- Seen on an image on fukung.net



Re: Transparent smtp/pop3 proxy

2011-07-28 Thread R0me0 ***
Again, thank you
I know that a very determined user can do some things, but he doesn't know
what I can do with PF.
People should be educated like you :)

Best regards and Thank you !



2011/7/28 roberth 

> On Thu, 28 Jul 2011 19:39:20 -0300
> "R0me0 ***"  wrote:
>
> > Yes, it is a corporate organization; all employees are aware that a copy of
> > sent and received email is made.
> > All employees sign a document stating that they are aware. Here in Brazil,
> > since a signed document exists, it is valid, of course.
> > Nothing illegal.
> > Thank you, you help me so much,
>
> So the incoming mail already touches "your own" smtpd.
> For outgoing mail, as I said, _smarthost_ and do the best you can to
> block any mail that isn't going out through there (e.g. via pf rules).
> You will only catch the low-hanging fruit as there are too many
> possible ways to deceive by any determined person.
> Blocking all webmail websites from work? :)
>
> It only works if the people are not trying to get around the set
> limitations. Even with deep packet inspection, you won't get that one
> mail you setup all that hupla-di-do up for.
>
> Cheers,
>- Robert