4.9 build problems
server is 4.9/amd64
source is CVS/4.9

cd /usr/src
make build

is it ok that the system cannot build itself from source?

building shared object objc library
ranlib libobjc_pic.a
building shared objc library (version 5.0)
cc -shared -fpic -o libobjc.so.5.0 `lorder archive.so class.so encoding.so gc.so hash.so init.so linking.so misc.so nil_method.so NXConstStr.so Object.so objects.so Protocol.so sarray.so selector.so sendmsg.so thr.so thr-objc.so exception.so|tsort -q`
=== libstdc++-v3
c++ -O2 -pipe -g -DIN_GLIBCPP_V3 -DHAVE_CONFIG_H -I/usr/src/gnu/lib/libstdc++-v3/../libstdc++-v3/ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/libsupc++ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc/gcc/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../libiberty/include -I. -frandom-seed=RepeatabilityConsideredGood -DIN_GLIBCPP_V3 -DHAVE_CONFIG_H -I/usr/src/gnu/lib/libstdc++-v3 -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/libsupc++ -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc/gcc/include -I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include -I/usr/src/gnu/lib/libstdc++-v3/../libiberty/include -I. -frandom-seed=RepeatabilityConsideredGood -fno-implicit-templates -ffunction-sections -fdata-sections -Wno-deprecated -fno-implicit-templates -ffunction-sections -fdata-sections -Wno-deprecated -idirafter /home/dest/usr/include/g++ -nostdinc -idirafter /home/dest/usr/include -c /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc -o bitmap_allocator.o
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:37,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/home/dest/usr/include/g++/cstddef:50:28: error: bits/c++config.h: No such file or directory
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:43,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/concurrence.h:41:24: error: bits/gthr.h: No such file or directory
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:37,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/home/dest/usr/include/g++/cstddef:53: error: expected constructor, destructor, or type conversion before '(' token
/home/dest/usr/include/g++/cstddef:58: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:38,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/functexcept.h:93: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /home/dest/usr/include/g++/utility:66,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:39,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_relops.h:136: error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /home/dest/usr/include/g++/utility:67,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:39,
                 from /usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:94: error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:96: error: expected ',' or '...' before '' token
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:96: error: 'bool operator==(int)' must have an argument of class or enumerated type
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:100: error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:102: error: expected ',' or '...' before '' token
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:102: error: 'bool operator(int)' must have an argument of class or enumerated type
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:107: error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:109: error: expected ',' or '...' before '' token
Re: 4.9 build problems
On Mon, Oct 10, 2011 at 8:39 AM, Илья Шипицин <chipits...@gmail.com> wrote:
> server is 4.9/amd64
> source is CVS/4.9
>
> cd /usr/src
> make build
>
> is it ok that the system cannot build itself from source?

No. But it's also not okay to not read the documentation on the subject.

-- 
chs,
Re: smtpd and virtuals
On Sat, Oct 08, 2011 at 02:40:04PM +0300, Henri Kemppainen wrote:
> [...]
> There's something odd about virtuals; though the code I'm running is no
> longer current (5.0-BETA, to be precise). Here's what makemap.8 says:
>
>     Virtual domains are kept in maps. To create single virtual address,
>     add ``u...@example.com user'' to the virtual map. To handle all mail
>     destined to any user at example.com, add ``@example.com user'' to the
>     virtual map.
> [...]
> I added some debug printfs, and they show that map_stdio_lookup is called
> with key=virtual.domain. There is no such key, and the mail is rejected.
> Out of curiosity, I added a matching line to virtual just to see what
> happens:
>
>     virtual.domain duclare
>     somebody@virtual.domain duclare
> [...]
> I hope Gilles can tell whether this is a documentation bug or code bug.
> Or maybe I just missed something obvious (such as a sufficiently recent
> snapshot) :-).

Hi,

This is actually a feature, not a bug ;-)

At RCPT time, smtpd needs to take a decision based on the domain itself before it starts looking at user-parts and taking individual decisions. If the map has a key for the domain, then that lookup can be done efficiently for backends that have indexes of some kind. If the map doesn't, then smtpd will have to loop through all keys, comparing their domain parts, until one key matches.

A few months ago, when we only supported the db(3) backend, makemap had some code to automagically insert a domain key if you had a virtual entry for a domain. But now that we support various backends, this can't be done anymore as there is just no way of doing it for the stdio(3) (plaintext) backend.

This behavior is not specific to OpenSMTPD, at least Postfix has the same need of a domain key as you can observe from man virtual(5):

    Without this entry, mail is rejected with relay access denied, or
    bounces with mail loops back to myself.

Gilles

-- 
Gilles Chehade
http://www.poolp.org/
http://u.poolp.org/~gilles/
spamd.black pfctl
hello misc.

I have spamd before the mail server, and it works nicely with a liberal setting like this:

spamd_flags="-v -l 127.0.0.1 -G 10:4:864 -h mail.server"

pf.conf:

table <spamd-white> persist
table <spamd-bypass> file "/etc/mail/spamd.bypass"
table <spamd-black> file "/etc/mail/spamd.black"
match in on $ext_if_a inet proto tcp from { <spamd-bypass>, <spamd-white> } to $ext_if_a port { smtp, smtps } rdr-to mail
match in on $ext_if_a inet proto tcp from { !<spamd-bypass>, !<spamd-white> } to $ext_if_a port { smtp, smtps } tag MAIL_A rdr-to 127.0.0.1 port spamd
block in log quick on { $ext_if_a, $ext_if_b } from { <bruteforce>, <private>, <spamd-black> } to any
pass in on $ext_if_a inet proto tcp from any to mail port { smtp, smtps } synproxy state reply-to ($ext_if_a $ext_gw_a)
pass in quick reply-to ($ext_if_a $ext_gw_a) tagged MAIL_A

Periodically I receive mail from spammers through spamd and the antispam setting on the mail server. Then I copy-paste the IP address of the spam sender from the Received field into the spam.txt file on the router and do something like this:

# cat spam.txt | uniq | sort > /etc/mail/spamd.black

or

# sort -u spam.txt > /etc/mail/spamd.black

and

# pfctl -f /etc/pf.conf

but I don't want to reload all rules. In the best way I want to add to the pf spamd-black table only the new IP that I paste at the top of the spam.txt file.

Also I tried to use

pfctl -t spamd-black -T flush
pfctl -t spamd-black -T add -f /etc/mail/spamd.black

so as not to touch all of pf.conf, but I think when the spamd.black table gets big, the better way is to add a new IP to the table without reloading or loading the big table.
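One way to do exactly what the post asks for, as an added example that is not from the thread: compute which pasted addresses are not yet in the on-disk list, append only those, and load only those into the running table with `pfctl -T add`, so pf.conf is never reloaded. The file paths are the poster's, the function names are this example's own, and PFCTL is an assumed override variable so the logic can be exercised without root.

```sh
#!/bin/sh
# Added example, not from the thread: push only the spam-sender addresses
# that are new since the last run into the live <spamd-black> table,
# without reloading pf.conf. Paths follow the poster's setup; function
# names are this example's own.

# Print the entries in $1 (spam.txt) that look like an IPv4 address or
# CIDR prefix at the start of the line and are not already listed in $2.
# Syntactic check only: octet ranges are not validated.
new_entries() {
    spam="$1"; black="$2"
    [ -f "$black" ] || black=/dev/null
    grep -Eo '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?' "$spam" | sort -u |
    while IFS= read -r ip; do
        grep -qxF -- "$ip" "$black" || printf '%s\n' "$ip"
    done
}

# Append the new entries to the on-disk list (so the next full pf.conf
# load still has them) and add them to the running table. Prints the
# number of addresses added. PFCTL is an assumed override used for
# testing; it defaults to the real pfctl.
update_blacklist() {
    spam="$1"; black="$2"; table="${3:-spamd-black}"
    tmp=$(mktemp) || return 1
    new_entries "$spam" "$black" > "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        cat "$tmp" >> "$black"
        # -T add is incremental: existing entries stay, no rule is reloaded
        "${PFCTL:-pfctl}" -t "$table" -T add -f "$tmp"
    fi
    rm -f "$tmp"
    echo "$n"
}

# Typical manual or cron run (pfctl needs root):
# update_blacklist /root/spam.txt /etc/mail/spamd.black spamd-black
```

Because the `block in log quick ... <spamd-black>` rule references the table by name, addresses added this way take effect immediately; the on-disk file is still updated so a later full `pfctl -f /etc/pf.conf` does not drop them.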
Re: smtpd and virtuals
On Mon, Oct 10, 2011 at 12:11:28PM +0200, Gilles Chehade wrote:
> [...]

I forgot to mention that this also allows you to very easily disable a virtual domain by simply commenting / uncommenting the domain key.

Gilles

-- 
Gilles Chehade
http://www.poolp.org/
http://u.poolp.org/~gilles/
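A small pre-check for the requirement Gilles describes in the two messages above (every domain used in a virtual map needs a bare domain key, which is also the line you comment out to disable the domain). This is an added example, not code from the thread or from OpenSMTPD; it reads the plaintext map format shown in Henri's message, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenSMTPD: report every domain
# that a plaintext virtual map uses in user@domain or @domain keys but never
# lists as a bare "domain" key, the key smtpd looks up first at RCPT time.

# Keys of a plaintext map: first field of each non-blank, non-comment line.
map_keys() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# Print, one per line and sorted, the domains that have no bare domain key.
missing_domain_keys() {
    keys=$(map_keys "$1")
    printf '%s\n' "$keys" | grep -F '@' | sed 's/.*@//' | sort -u |
    while IFS= read -r dom; do
        printf '%s\n' "$keys" | grep -qxF -- "$dom" || printf '%s\n' "$dom"
    done
}

# Exit non-zero, listing the offending domains on stderr, when the map is
# incomplete; usable as a guard before makemap or a config reload.
check_virtual_map() {
    missing=$(missing_domain_keys "$1")
    [ -z "$missing" ] && return 0
    printf 'virtual map %s: no domain key for:\n%s\n' "$1" "$missing" >&2
    return 1
}

# check_virtual_map /etc/mail/virtual   # path assumed, adjust to your setup
```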
Re: 4.9 build problems
You polluted your source directory by building without 'make obj'. Simplest is to wipe it, make a fresh checkout, and this time follow section 5.3.5 from http://www.openbsd.org/faq/faq5.html

On 2011-10-10, Илья Шипицин <chipits...@gmail.com> wrote:
> server is 4.9/amd64
> source is CVS/4.9
>
> cd /usr/src
> make build
>
> is it ok that the system cannot build itself from source?
>
> [...]
Re: 4.9 build problems
DESTDIR was the reason for the mess. unset DESTDIR solved the problem.

2011/10/10 Stuart Henderson <s...@spacehopper.org>:
> You polluted your source directory by building without 'make obj'.
> Simplest is to wipe it, make a fresh checkout, and this time follow
> section 5.3.5 from http://www.openbsd.org/faq/faq5.html
>
> On 2011-10-10, Илья Шипицин <chipits...@gmail.com> wrote:
>> server is 4.9/amd64
>> source is CVS/4.9
>>
>> cd /usr/src
>> make build
>>
>> is it ok that the system cannot build itself from source?
>>
>> [...]
Re: The OpenBSD user community needs to shake things up
* Loganaden Velvindron <logana...@gmail.com> [111009 12:45]:
> Fellow OpenBSD users,
>
> I've noticed a disturbing trend: Very few users are testing patches
> that developers/contributors are posting.

You raised some good points. Thanks for the reminder to help out the devs. :-)

-- 
W. Steven Schneider <w.steven.schnei...@ualberta.net>
Re: spamd.black pfctl
On Mon, 10 Oct 2011 12:12:23 +0200, pavel pocheptsov <lilit-aibo...@mail.ru> wrote:
> hello misc.
>
> I have spamd before the mail server, and it works nicely with a liberal
> setting like this:
>
> spamd_flags="-v -l 127.0.0.1 -G 10:4:864 -h mail.server"
>
> pf.conf:
> [...]
> block in log quick on { $ext_if_a, $ext_if_b } from { <bruteforce>, <private>, <spamd-black> } to any
> [...]
> but I don't want to reload all rules. In the best way I want to add to
> the pf spamd-black table only the new IP that I paste at the top of the
> spam.txt file.
> [...]

I also employ a manual blacklist, but I import it through spamd.conf(5). This way, the entries are not blocked by pf, but enter spamd's tarpit. This will keep the spammer's machine busy and delay the delivery of other spam.

-- 
Made with Opera's revolutionary e-mail program: http://www.opera.com/mail/
(Remove the obvious prefix to reply.)
Help setting up a PF NAT gateway
Simplest of things but I'm failing miserably.

$ sudo cat /etc/hostname.vic2
# External NIC with static public IPv4 address
inet 50.50.50.59 255.255.255.0 50.50.50.255

$ sudo cat /etc/hostname.vic3
# Internal NIC used as gateway by two machines on same network
inet 10.221.181.10 255.255.255.0 10.221.181.255

For troubleshooting I have removed the block all rule, to confirm that it is in fact my NAT related rules that don't work. These are my first and only NAT rules. The other rules work fine and are just to allow SSH to my management interface and ICMP response from the external IP and from the internal gateway IP. Besides, I've removed the block all so the other rules don't matter much now.

match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state

With tcpdump I can see packets going to vic3, but no further. With block all commented out I can fully test the network around and everything is working just fine: I can nc -kl 50.50.50.59 65535 and connect to that port from anywhere on the internet. I just can't connect out from the private network through the gateway. The systems in the private network have 10.221.181.10 as their default gateway.

I even have the Book of PF 2nd edition here but it's of no use, the rules are mostly from there.

Just for troubleshooting I can also nc -kl 10.221.181.10 65535 on the gateway and connect to that port from the private network machines without issues.

So please tell me, what am I missing in this nat-to rule?

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: The OpenBSD user community needs to shake things up
On Sun, Oct 09, 2011 at 09:10:16PM +, Alexey E. Suslikov wrote:
> Loganaden Velvindron <loganaden at gmail.com> writes:
>> If we don't shake things up, things will not change !
>>
>> Running -current and testing diffs _helps_ OpenBSD development
>> significantly.
>
> The problem, IMO, is how the process is organized. Mailing lists are not
> designed for commenting and reviewing diffs. Patches simply get forgotten
> and then reinvented. We have a *number* of "oh, I forgot to ok". Isn't it
> because people receive *tons* of mail nowadays?

Nah, mailing-lists work just fine. It's just a question of being organized.

In most cases, it's like a football game. Spectator sport, pass the chips, and oh ? actually save that diff somewhere, try it out and report back to the list/the corresponding developer ? no way, too much work !

So, get off your lazy asses, and start trying out stuff (not speaking for you, Alexey, just speaking for our user community in general).

For crying out loud, it's not as if interesting *technical* threads kill those mailing-lists. When there's too much tech chatter going on, then we can worry about better tools.

Don't blame the tools. Blame the *people* who don't test.
Re: Help setting up a PF NAT gateway
On 10 October 2011 12:38, Stefan Midjich <sweh...@gmail.com> wrote:
> Simplest of things but I'm failing miserably.
> [...]
> So please tell me, what am I missing in this nat-to rule?

Hi, can you paste your pf.conf? The output of ifconfig would be good too.
New project
Hi,

A Call Center in the Netherlands starts a new project and likes to host it under OpenBSD / PostgreSQL. I am writing software for it, but could maybe get some help in setting up the infrastructure.

If anybody is interested I would love to know this. Please contact me off-list and only if you are experienced in running and maintaining an OpenBSD infrastructure for a mid-range company.

Regards,
Ludo Smissaert
Re: Help setting up a PF NAT gateway
> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin

For what reason did you paste round-robin?

Also you need

pass in on $local_if from $localnet to any
pass out on $ext_if from $localnet to any

On 10 October 2011, 19:42, Stefan Midjich <sweh...@gmail.com> wrote:
> Simplest of things but I'm failing miserably.
> [...]
> So please tell me, what am I missing in this nat-to rule?
>
> -- 
> Med vänliga hälsningar / With kind regards
> Stefan Midjich
Re: Help setting up a PF NAT gateway
Hi Stefan,

On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich <sweh...@gmail.com> wrote:
> Simplest of things but I'm failing miserably.
> ...
> With tcpdump I can see packets going to vic3, but no further.

Do you definitely have forwarding enabled?

    # sysctl net.inet.ip.forwarding
    net.inet.ip.forwarding=1

If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf to enable forwarding if you haven't.

Regards,
Mark
Re: smtpd and virtuals
Hi.

In manXX.tgz (since 4.8) and also on web-cgi, the smtpd.conf(5) man page references makemap(8) more than once ...

... with explicit instructions to use that man page as a guide when making db maps and/or understanding the format of plain maps. The web-cgi page obviously hyperlinks to the other page.

The makemap(8) man page - again in manXX.tgz and also on web-cgi - contains the following ...

    NAME
         makemap - create database maps for sendmail

... and references another associated man page - editmap ...

    NAME
         editmap - query and edit records in database maps for sendmail

... both of which reference Sendmail ...

... both of which also reference the sendmail(8) man page ...

These breadcrumbs (implicitly and explicitly) eventually also lead to looking at the Sendmail README ...

This has been the case for over a year every single time I've looked at web-cgi and on multiple iterations of base ...

... and I've been trying very hard to exhaust myself there before coming here. Suffice to say this is not optimum.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/makemap.8

    - smtpd's db maps are incompatible with sendmail's and needs a distinct
      makemap utility, this is needed for virtual users support amongst other
      things.
    links to smtpd's aliases.c and only provides a frontend to parse map
    descriptions.
    contains code from pyr@, chl@ and I.
    Should have also been imported with smtpd.

Etcetera. I feel ill.

It's somewhat obvious when you do the math between /etc/mailwrapper and /usr/share/man but not obvious enough apparently ...

On 10/10/2011, Gilles Chehade <gil...@poolp.org> wrote:
> This behavior is not specific to OpenSMTPD, at least Postfix ...

That came as quite a surprise. So I go read this ...

http://www.postfix.org/virtual.5.html

... and it's quite different from the OpenBSD man pages ... obviously ...

... but it answers a lot of questions ...

... such as why users who are probably much smarter than me (such as Henri) struggle to get this going ...

... and more importantly are apparently asking the wrong questions ...

If that's reminiscent of iRobot (Arthur C. Clarke) ... that's exactly how it feels. Asking the wrong questions ...

Is this known (AKA are developers installing from source and not seeing this)?

Should this be fixed for some definition of fixed?

If so, what's a good course of action? - outline it for me, and if I can do it I will, help me get rid of some of the disappointment.

If not, what can be done about users who read the man pages and have issues as a result? - presumably at some point, Sendmail will no longer be in base, man pages will get rotated, this will cease to be an issue.

In the interim ... I've apparently wasted a lot of time and enthusiasm on this ...

... but perhaps more importantly I've wasted opportunities to ask questions about what's really going on and instead I've been asking about things that are irrelevant ...

... the real makemap man page is somewhat cryptic to me and I need to be asking about that.

Best wishes.
Re: Help setting up a PF NAT gateway
Hi, see my sample, it is well explained.

http://mouedine.net/ruleset49.aspx

All the best,

Wesley MOUEDINE ASSABY
www.mouedine.net

On Mon, 10 Oct 2011 17:38:26 +0200, Stefan Midjich <sweh...@gmail.com> wrote:
> Simplest of things but I'm failing miserably.
> [...]
> So please tell me, what am I missing in this nat-to rule?
>
> -- 
> Med vänliga hälsningar / With kind regards
> Stefan Midjich
Re: smtpd and virtuals
Hi Gilles.

If my previous is hostile ... sorry.

Without the context of the makemap man page in src/usr.sbin/smtpd/ there's no correlation between your first and second mails which creates more confusion. With that man page, however, pennies start to drop ...

I spent 4= hours glued to my screen reading and drafting before I understood the full import of what was going on and found some hopefully constructive questions. I was angry about various things but that's down to me. You've done work here. I haven't.

Best wishes.
Re: Help setting up a PF NAT gateway
Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far.

2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
> Hi Stefan,
>
> On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:
> > Simplest of things but I'm failing miserably.
> > ...
> > With tcpdump I can see packets going to vic3, but no further.
>
> Do you definitely have forwarding enabled?
>
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
>
> If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf to enable forwarding if you haven't.
>
> Regards,
> Mark

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example.

2011/10/10 pavel pocheptsov lilit-aibo...@mail.ru:
> > match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
>
> For what reason did you paste round-robin?
>
> Also you need
>
> pass in on $local_if from $localnet to any
> pass out on $ext_if from $localnet to any
>
> 10 October 2011, 19:42, Stefan Midjich sweh...@gmail.com:
> > Simplest of things but I'm failing miserably.
> >
> > $ sudo cat /etc/hostname.vic2
> > # External NIC with static public IPv4 address
> > inet 50.50.50.59 255.255.255.0 50.50.50.255
> >
> > $ sudo cat /etc/hostname.vic3
> > # Internal NIC used as gateway by two machines on same network
> > inet 10.221.181.10 255.255.255.0 10.221.181.255
> >
> > For troubleshooting I have removed the block all rule, to confirm that it is in fact my NAT related rules that don't work. These are my first and only NAT rules. The other rules work fine and are just to allow SSH to my management interface and ICMP response from the external IP and from the internal gateway IP. Besides I've removed the block all so the other rules don't matter much now.
> >
> > match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
> > pass inet from 10.221.181.0/24 to any flags S/SA keep state
> >
> > With tcpdump I can see packets going to vic3, but no further.
> >
> > With block all commented out I can fully test the network around and everything is working just fine, I can nc -kl 50.50.50.59 65535 and connect to that port from anywhere on the internet. I just can't connect out from the private network through the gateway. The systems in the private network have 10.221.181.10 as their default gateway.
> >
> > I even have the Book of PF 2nd edition here but it's of no use, the rules are mostly from there.
> >
> > Just for troubleshooting I can also nc -kl 10.221.181.10 65535 on the gateway and connect to that port from the private network machines without issues.
> >
> > So please tell me, what am I missing in this nat-to rule?
> >
> > --
> > Med vänliga hälsningar / With kind regards
> > Stefan Midjich

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
ManagementIF = vic0
PFsyncIF = vic1
LocalIF = lo0
ManagementPorts = { 1022, 22 }
UDPManagementPorts = { domain }
ICMPTypes = { echorep, echoreq, unreach }
set skip on { lo0 vic1 }
OutIF = vic2
InIF = vic3

pass quick on vic0 inet proto tcp from any to any port = 1022 flags S/SA keep state label PassMGMTSSH
pass quick on vic0 inet proto tcp from any to any port = ssh flags S/SA keep state label PassMGMTSSH
pass on vic0 proto udp from any to any port = domain keep state label PassMGMTDNS
pass on vic0 inet proto icmp all icmp-type echorep keep state label PassMGMTICMP
pass on vic0 inet proto icmp all icmp-type echoreq keep state label PassMGMTICMP
pass on vic0 inet proto icmp all icmp-type unreach keep state label PassMGMTICMP
pass quick on vic2 proto carp all keep state label PassCarp
pass quick on vic3 proto carp all keep state label PassCarp
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type echoreq keep state label PingOut
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type echorep keep state label PingOut
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type unreach keep state label PingOut
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echoreq keep state label PingIn
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echorep keep state label PingIn
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type unreach keep state label PingIn
match in on vic3 inet from 10.221.181.0/24 to any label NATOut nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state

vic2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50X
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 50.50.50.59 netmask 0xff00 broadcast 50.50.50.255
        inet6 fe80::250:56ff:fe8e:63%vic2 prefixlen 64 scopeid 0x3
vic3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:X
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 10.221.181.10 netmask 0xff00 broadcast 10.221.181.255
        inet6 fe80::250:56ff:fe8e:64%vic3 prefixlen 64 scopeid 0x4

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            50.50.50.1         UGS        0       80     -     8 vic2
10/8               10.220.100.1       UGS        2     2869     -     8 vic0
10.90.100/24       link#2             UC         1        0     -     4 vic1
10.90.100.10       X:00:62            UHLc       0        2     -     4 lo0
10.220.100/24      link#1             UC         3        0     -     4 vic0
10.220.100.1       X07:ac:00          UHLc       1        0     -     4 vic0
10.220.100.10      X:49:16            UHLc       0      489     -     4 vic0
10.220.100.209     X:26:05            UHLc       1     5010     -     4 vic0
10.221.181/24      link#4             UC         0        0     -     4 vic3
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         1        0 33160     4 lo0
50.50.50/24        link#3             UC         3        0     -     4 vic2
50.50.50.1         Xf:d4:20           UHLc       1        0     -     4 vic2
50.50.50.6         X81:86:b6          UHLc       0        0     -     4 vic2
50.50.50.7         XX:50:87:14        UHLc       0        0     -     4 vic2
224/4              127.0.0.1          URS        0        0 33160     8 lo0

Please note that I have removed public ip-address and other private details.

2011/10/10 Christiano F. Haesbaert haesba...@haesbaert.org:
> On 10 October 2011 12:38, Stefan Midjich sweh...@gmail.com wrote:
> > Simplest of things but I'm failing miserably.
> >
> > $ sudo cat /etc/hostname.vic2
> > # External NIC with static public IPv4 address
> > inet 50.50.50.59 255.255.255.0 50.50.50.255
> >
> > $ sudo cat /etc/hostname.vic3
> > # Internal NIC used as gateway by two machines on same network
> > inet 10.221.181.10 255.255.255.0 10.221.181.255
> >
> > For troubleshooting I have removed the block all rule, to confirm that it is in fact my NAT related rules that don't work. These are my first and only NAT rules. The other rules work fine and are just to allow SSH to my management interface and ICMP response from the external IP and from the internal gateway IP. Besides I've removed the block all so the other rules don't matter much now.
> >
> > match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
> > pass inet from 10.221.181.0/24 to any flags S/SA keep state
> >
> > With tcpdump I can see packets going to vic3, but no further.
> >
> > With block all commented out I can fully test the network around and everything is working just fine, I can nc -kl 50.50.50.59 65535 and connect to that port from anywhere on the internet. I just can't connect out from the private network through the gateway. The systems in the private network have 10.221.181.10 as their default
Re: Help setting up a PF NAT gateway
$ sudo pfctl -sr | grep nat-to
match in on vic3 inet from 10.221.181.0/24 to any label NATOut nat-to (vic2) round-robin

pfctl -vsl shows only evaluated packets for all my rules, which worries me, it never increments the counter of packets gone through any of the nat rules. Only the first rules for management network and of course the block rule when it was in place.

2011/10/10 James Shupe jsh...@osre.org:
> What does `pfctl -sr | grep nat-to` say?
>
> On 10/10/11 10:38 AM, Stefan Midjich wrote:
> > Simplest of things but I'm failing miserably.
> >
> > $ sudo cat /etc/hostname.vic2
> > # External NIC with static public IPv4 address
> > inet 50.50.50.59 255.255.255.0 50.50.50.255
> >
> > $ sudo cat /etc/hostname.vic3
> > # Internal NIC used as gateway by two machines on same network
> > inet 10.221.181.10 255.255.255.0 10.221.181.255
> >
> > For troubleshooting I have removed the block all rule, to confirm that it is in fact my NAT related rules that don't work. These are my first and only NAT rules. The other rules work fine and are just to allow SSH to my management interface and ICMP response from the external IP and from the internal gateway IP. Besides I've removed the block all so the other rules don't matter much now.
> >
> > match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
> > pass inet from 10.221.181.0/24 to any flags S/SA keep state
> >
> > With tcpdump I can see packets going to vic3, but no further.
> >
> > With block all commented out I can fully test the network around and everything is working just fine, I can nc -kl 50.50.50.59 65535 and connect to that port from anywhere on the internet. I just can't connect out from the private network through the gateway. The systems in the private network have 10.221.181.10 as their default gateway.
> >
> > I even have the Book of PF 2nd edition here but it's of no use, the rules are mostly from there.
> >
> > Just for troubleshooting I can also nc -kl 10.221.181.10 65535 on the gateway and connect to that port from the private network machines without issues.
> >
> > So please tell me, what am I missing in this nat-to rule?
> >
> > --
> > Med vänliga hälsningar / With kind regards
> > Stefan Midjich
>
> --
> James Shupe, OSRE developer/engineer
> jsh...@osre.org | 866.235.1288
> BSD/Linux Support | Metro Ethernet | Hosting
> check out our site at www.osre.org

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
Stefan Midjich sweh...@gmail.com writes:
> $ sudo cat /etc/hostname.vic2
> # External NIC with static public IPv4 address
> inet 50.50.50.59 255.255.255.0 50.50.50.255
>
> $ sudo cat /etc/hostname.vic3
> # Internal NIC used as gateway by two machines on same network
> inet 10.221.181.10 255.255.255.0 10.221.181.255

Are both of those point to point links? I have a feeling this is the source of your problem, see man ifconfig

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Help setting up a PF NAT gateway
Not sure what you mean but they're both in switched vlans, two different vlans. Point to Point is a crossover cable right? I'm not sure what it means in English. This is all a virtual environment I use for training so there are no cables as such.

2011/10/10 Peter N. M. Hansteen pe...@bsdly.net:
> Stefan Midjich sweh...@gmail.com writes:
> > $ sudo cat /etc/hostname.vic2
> > # External NIC with static public IPv4 address
> > inet 50.50.50.59 255.255.255.0 50.50.50.255
> >
> > $ sudo cat /etc/hostname.vic3
> > # Internal NIC used as gateway by two machines on same network
> > inet 10.221.181.10 255.255.255.0 10.221.181.255
>
> Are both of those point to point links? I have a feeling this is the source of your problem, see man ifconfig
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
On 10 October 2011 15:05, Stefan Midjich sweh...@gmail.com wrote:
> That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example.

I think that is not what you want:

match in on vic3 inet from 10.221.181.0/24 to any label NATOut nat-to (vic2) round-robin

You want to match packets going out your external interface, and then nat-to the external interface address, so try something like:

match out on vic2 inet from 10.221.181.0/24 nat-to (vic2)

Considering vic2 as your external interface.
Re: Help setting up a PF NAT gateway
Stefan Midjich sweh...@gmail.com writes:
> Not sure what you mean but they're both in switched vlans, two different vlans. Point to Point is a crossover cable right? I'm not sure what it means in English. This is all a virtual environment I use for training so there are no cables as such.

take a step back. with PF disabled (pfctl -d), do you have connectivity, does traffic pass where you want it to?

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Help setting up a PF NAT gateway
match out on egress inet from vic3:network nat-to (egress:0)

This is the new rule then, as it appears in pfctl -v:

match out on egress inet from 10.221.181.0/24 to any nat-to (egress:0) round-robin

vic2 is the only NIC in the egress group in ifconfig.

nc -vv cvs.openbsd.org 25 from 10.221.181.20 does not connect even though there is no block rule now.

2011/10/10 Christiano F. Haesbaert haesba...@haesbaert.org:
> On 10 October 2011 15:05, Stefan Midjich sweh...@gmail.com wrote:
> > That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example.
>
> I think that is not what you want:
>
> match in on vic3 inet from 10.221.181.0/24 to any label NATOut nat-to (vic2) round-robin
>
> You want to match packets going out your external interface, and then nat-to the external interface address, so try something like:
>
> match out on vic2 inet from 10.221.181.0/24 nat-to (vic2)
>
> Considering vic2 as your external interface.

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
I have taken away the block all rule, but pfctl -d makes no difference.

The gateway itself behaves just like any server connected to multiple vlans. You can reach the world around it, through its default gateway you can reach the internet.

The servers connected to its private vlan, vic3, cannot connect to anything but themselves and the gateway ip 10.221.181.10. They cannot go further. The gateway can ping them and connect to them just like on a vlan.

2011/10/10 Peter N. M. Hansteen pe...@bsdly.net:
> Stefan Midjich sweh...@gmail.com writes:
> > Not sure what you mean but they're both in switched vlans, two different vlans. Point to Point is a crossover cable right? I'm not sure what it means in English. This is all a virtual environment I use for training so there are no cables as such.
>
> take a step back. with PF disabled (pfctl -d), do you have connectivity, does traffic pass where you want it to?
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
A couple of general comments:

- keep state is the default, no need to specify.
- from any to any port = ... : "to port" does the same thing.
- quick means if we match this, we do no more evaluation for this one. I suspect your quick rules before the nat-to match rules mean that anything that matches the quicks passes without hitting the match with the nat-to. Fine if it's your intention, if not, check what really happens (tcpdump is your friend).

But again, please check that you have a basic network config and connectivity to eliminate.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
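Two of the points made in this thread can be checked mechanically against a rule listing: Christiano's point that the nat-to rule should match packets leaving the external interface ("match out on <ext_if> ... nat-to (<ext_if>)") rather than arriving on the internal one, and Peter's point that a "pass quick" rule placed before the "match ... nat-to" rule ends evaluation so that traffic is never translated. The script below is an added example written for this archive, not something posted by anyone in the thread; it lints a "pfctl -sr" style listing read from stdin. The sample rule sets are constructed for the example and only modelled on what Stefan posted, and the WARN texts are my own wording.

```shell
#!/bin/sh
# Added example: lint a "pfctl -sr" style rule listing (one rule per line,
# read from stdin) for the two NAT pitfalls discussed in this thread.
# Prints one WARN line per finding; always exits 0 so it can be piped.
lint_pf_rules() {
    awk '
    # A "pass quick" rule ends evaluation for a packet, so a "match ... nat-to"
    # rule that comes later never sees that traffic.  Remember every pass quick
    # rule seen before the first nat-to rule, keyed by line, with its source.
    /^pass / && / quick / && !nat_line {
        src = ""
        for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
        if (src != "") quick_src[NR] = src
    }
    # Translation belongs on the packet leaving the external interface
    # ("match out on <ext_if> ... nat-to (<ext_if>)"), not on the inbound
    # side of the internal interface.  Record the first nat-to rule.
    /nat-to/ && !nat_line {
        nat_line = NR
        for (i = 1; i <= NF; i++) if ($i == "from") nat_src = $(i + 1)
        if ($2 == "in")
            printf("WARN line %d: nat-to on an inbound match rule; use \"match out on <ext_if> ... nat-to (<ext_if>)\"\n", NR)
    }
    END {
        if (!nat_line) { print "WARN: no nat-to rule found"; exit }
        for (n in quick_src)
            if (quick_src[n] == nat_src)
                printf("WARN line %d: pass quick rule for %s precedes the nat-to rule on line %d, so that traffic is never translated\n", n, nat_src, nat_line)
    }'
}

# Constructed sample modelled on the ruleset posted in this thread (not the
# exact output posted): a management rule, a quick rule for the private
# network, then the inbound nat-to match that the thread discusses.
sample_rules() {
    cat <<'EOF'
pass quick on vic0 inet proto tcp from any to any port = ssh flags S/SA keep state label PassMGMTSSH
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echoreq keep state label PingIn
match in on vic3 inet from 10.221.181.0/24 to any label NATOut nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state
EOF
}

# The corrected form suggested in the thread, for comparison: no warnings.
fixed_rules() {
    cat <<'EOF'
match out on egress inet from 10.221.181.0/24 to any nat-to (egress:0) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state
EOF
}

# Number of WARN lines for a listing read from stdin; handy in scripts
# (grep -c prints 0 and exits 1 when nothing matches, hence "|| true").
warn_count() {
    lint_pf_rules | grep -c '^WARN' || true
}

sample_rules | lint_pf_rules
```

On a live gateway the listing would come from "pfctl -sr | lint_pf_rules". The check is deliberately narrow: it only compares the literal "from" source of a quick rule with that of the nat-to rule, so a quick rule written with a macro or table will not be flagged, and rules for other traffic (the ICMP-only quick rules in Stefan's set, for instance) are reported even though they would not match TCP connections out of the private network; treat the output as a list of things to look at, not as a verdict.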
Re: The OpenBSD user community needs to shake things up
Marc Espie espie at nerim.net writes:
> Don't blame the tools. Blame the *people* who don't test.

I wonder why jasper@ went to github if mailing lists are good enough. And you didn't respond on the dead bug-tracker issue: if people test, where is a place to put results?

Alexey
Re: smtpd and virtuals
On Tue, Oct 11, 2011 at 03:14:26AM +1030, David Walker wrote:
> Hi.

Hi,

> In manXX.tgz (since 4.8) and also on web-cgi, the smtpd.conf(5) man page references makemap(8) more than once ...
> ... with explicit instructions to use that man page as a guide when making db maps and/or understanding the format of plain maps.
> The web-cgi page obviously hyperlinks to the other page.
> The makemap(8) man page - again in manXX.tgz and also on web-cgi - contains the following ...
> [...]
> ... both of which reference Sendmail ...
> ... both of which also reference the sendmail(8) man page ...

Seems sensible to me, considering that:

! The *default* MTA for OpenBSD is Sendmail, NOT OpenSMTPD.

! When we switch, the *default* man pages will be updated, but until then the *default* man pages are those of the *default* MTA which you should be running if you can't cope with glitches caused by coexistence of man pages and utilities installed by the *default* MTA and the one you chose to run ... and that is not the *default* MTA.

I hope to have hinted you that you're not running the *default* MTA.

> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/makemap.8
> - smtpd's db maps are incompatible with sendmail's and needs a distinct makemap utility, this is needed for virtual users support amongst other things. links to smtpd's aliases.c and only provides a frontend to parse map descriptions. contains code from pyr@, chl@ and I. Should have also been imported with smtpd.
> Etcetera. I feel ill.

Please, don't read the commit logs then. That message was not intended to be read, let alone understood, by you. It is a comment from a developer to other developers. I fail to understand what point you are trying to make here anyways ...

> On 10/10/2011, Gilles Chehade gil...@poolp.org wrote:
> > This behavior is not specific to OpenSMTPD, at least Postfix ...
> That came as quite a surprise.
> [...]

There is a documentation bug. Someone ran into it, kindly asked if it was a documentation bug, which I confirmed along with an explanation of why domain keys are required, and a quote from Postfix's http://www.postfix.org/virtual.5.html (see VIRTUAL ALIAS DOMAINS) to outline that this is not an OpenSMTPD-specific thingie. Man page will be updated to fix the bug, live with it.

> If so, what's a good course of action? - outline it for me, and if I can do it, I will, help me get rid of some of the disappointment.

You can *easily* get rid of the disappointment by running the *default* MTA.

> If not, what can be done about users who read the man pages and have issues as a result? - presumably at some point, Sendmail will no longer be in base, man pages will get rotated, this will cease to be an issue. In the interim ...

In the interim, run the *default* MTA.

> I've apparently wasted a lot of time and enthusiasm on this ...

I've clearly wasted too much time on this mail.

--
Gilles Chehade
http://www.poolp.org/ http://u.poolp.org/~gilles/
Re: smtpd and virtuals
On Tue, Oct 11, 2011 at 04:17:11AM +1030, David Walker wrote:
> Hi Gilles.

Hi,

> If my previous is hostile ... sorry.
> [...]
> I was angry about various things but that's down to me. You've done work here. I haven't.

You've outlined it. You've been hostile, you've been angry. We've done the work, you haven't.

I'm sure I'll enjoy answering your questions in the future ...

--
Gilles Chehade
http://www.poolp.org/ http://u.poolp.org/~gilles/
Re: smtpd and virtuals
Hi Henri.

On 11/10/2011, Henri Kemppainen ducl...@guu.fi wrote:
> I agree this isn't ideal. On the other hand, having a system ship with two overlapping incompatible alternatives is a rather exceptional case, and there's no way to automagically please everyone. One could suggest renaming the manuals (and binaries?) and installing them both, but that's nasty and ugly, and probably not worth it, if one of the daemons is to be axed anyway.
>
> There's surely a good reason smtpd isn't the default yet, and there's a good reason I kept hearing that smtpd isn't considered ready for production yet, back when I started using it. The message is rather clear to me: you may play with it, as long as you know what you're doing, and are okay with the possibility of problems. Finding the manual is a part of knowing what you're doing :-)
>
> I can see why one could get confused though, even if the title lines for these (installed) manuals contain sendmail.

You are 100% correct about all of that. Including this ... finding the manual is part of knowing what you're doing.

It seems to me though, that unless people are actively looking through src for makemap(8) it will easily go unnoticed even for the patch senders. I've been through there maybe a hundred times in the last few months and never noticed it. I go there to look for something specific, find it, move on. Whenever I want documentation I start at man smtpd and go from there.

Again though you are 100% correct and we've all been warned. This is why I've tried to understand the situation and tried to laugh about it. I've started drinking now which is helping somewhat ...

> > If not, what can be done about users who read the man pages and have issues as a result?
>
> I don't know what can be done about users, but I know what the users can do: try to figure out what is lacking or misleading, maybe contact the developer(s), and propose a change.
Something like this: Index: makemap.8 === RCS file: /cvs/src/usr.sbin/smtpd/makemap.8,v retrieving revision 1.14 diff -u -p -r1.14 makemap.8 --- makemap.8 3 Sep 2010 11:22:36 - 1.14 +++ makemap.8 10 Oct 2011 19:10:51 - 
@@ -90,11 +90,14 @@ accept for domain map primary deliver .Ed .Sh VIRTUAL DOMAINS Virtual domains are kept in maps. -To create single virtual address, add -.Dq u...@example.com user +To create a virtual domain, add +.Dq example.com kittens to the virtual map. -To handle all mail destined to any user at example.com, add -.Dq @example.com user +To create a virtual address for one user under that domain, add +.Dq u...@example.com user +to the virtual map. +To catch all mail destined to the domain, add +.Dq @example.com user to the virtual map. .Pp In addition to adding an entry to the virtual map, I'll have a look at that in a minute, well maybe after a good sleep but I don't see any reason not to make some adjustment to smtpd.conf(5) ... That's where the smtpd man pages start to go to makemap(8) ... The next best and as far as I can see other deviation into the Sendmail man pages is from smtpd(8) into mailwrapper. Changing /etc/mailer.conf is discussed there and I don't see any reason not to make it obvious not to follow the breadcrumbs too blindly (i.e.caveats) or maybe a BUGS section. I would like to see smtpd.conf include some warning also and I think it's warranted there more than anywhere. As you say smtpd is known non-production, transitional, so on. Under these circumstances it seems reasonable to me that this information is clearly outlined in all the smtpd specific man pages which it currently isn't. not in any of them that I can see. You and I know this but there are others. Whether or not that happens I see no reason under the same circumstance to be careful when pointing to other man pages that are irrelevant and/or harmful. For instance if I see smtpd and smtpd.conf man pages included can I assume that other included man pages they point to and reference without warning are pointed to and referenced for a reason ... That's what I've assumed. Absent input from Gilles I'll get up tomorrow and do this. It's 7am here ... 
> The need to have a value for the domain key is a bit ugly. I noticed the stdio backend is happy with empty values, allowing for a pretty list under a colon terminated domain name:
>
> virtual.domain:
>   user1@virtual.domain    user1
>   user2@virtual.domain    user2
> another.domain:
>   user3@another.domain    user3
>   user4@another.domain    user4
> ..
>
> Makemap doesn't like it, though.

You're talking a very different language from me. These terms don't appear outside of makemap(8) and maybe newaliases(8) which again I notice is in src ...

I pulled makemap(8) from the web last night and had a couple of reads but I really need to take my time with it ...
... but your previous examples were exactly my reaction ...

I put this in a draft ...

example.com
Re: smtpd and virtuals
On Mon, Oct 10, 2011 at 10:45:37PM +0300, Henri Kemppainen wrote: I don't know what can be done about users, but I know what the users can do: try figure out what is lacking or misleading, maybe contact the developer(s), and propose a change. Something like this: Index: makemap.8 === RCS file: /cvs/src/usr.sbin/smtpd/makemap.8,v retrieving revision 1.14 diff -u -p -r1.14 makemap.8 --- makemap.8 3 Sep 2010 11:22:36 - 1.14 +++ makemap.8 10 Oct 2011 19:10:51 - @@ -90,11 +90,14 @@ accept for domain map primary deliver .Ed .Sh VIRTUAL DOMAINS Virtual domains are kept in maps. -To create single virtual address, add -.Dq u...@example.com user +To create a virtual domain, add +.Dq example.com kittens to the virtual map. -To handle all mail destined to any user at example.com, add -.Dq @example.com user +To create a virtual address for one user under that domain, add +.Dq u...@example.com user +to the virtual map. +To catch all mail destined to the domain, add +.Dq @example.com user to the virtual map. .Pp In addition to adding an entry to the virtual map, As much as I love kittend, a variation of this will be committed shortly :-) The need to have a value for the domain key is a bit ugly. I noticed the stdio backend is happy with empty values, allowing for a pretty list under a colon terminated domain name: virtual.domain: user1@virtual.domainuser1 user2@virtual.domainuser2 another.domain: user3@another.domainuser3 user4@another.domainuser4 .. Makemap doesn't like it, though. Maybe we can solve that -- Gilles Chehade http://www.poolp.org/http://u.poolp.org/~gilles/
Re: smtpd and virtuals
In manXX.tgz (since 4.8) and also on web-cgi, the smtpd.conf(5) man page references makemap(8) more than once ... ... with explicit instructions to use that man page as a guide when making db maps and/or understanding the format of plain maps. [..] This has been the case for over a year every single time I've looked at web-cgi and on multiple iterations of base ... ... and I've been trying very hard to exhaust myself there before coming here. Suffice to say this is not optimum. I agree this isn't ideal. On the other hand, having a system ship with two overlapping incompatible alternatives is a rather exceptional case, and there's no way to automagically please everyone. One could suggest renaming the manuals (and binaries?) and installing them both, but that's nasty and ugly, and probably not worth it, if one of the daemons is to be axed anyway. There's surely a good reason smtpd isn't the default yet, and there's a good reason I kept hearing that smtpd isn't considered ready for production yet, back when I started using it. The message is rather clear to me: you may play with it, as long as you know what you're doing, and are okay with the possibility of problems. Finding the manual is a part of knowing what you're doing :-) I can see why one could get confused though, even if the title lines for these (installed) manuals contain sendmail. If not, what can be done about users who read the man pages and have issues as a result? I don't know what can be done about users, but I know what the users can do: try figure out what is lacking or misleading, maybe contact the developer(s), and propose a change. Something like this: Index: makemap.8 === RCS file: /cvs/src/usr.sbin/smtpd/makemap.8,v retrieving revision 1.14 diff -u -p -r1.14 makemap.8 --- makemap.8 3 Sep 2010 11:22:36 - 1.14 +++ makemap.8 10 Oct 2011 19:10:51 - 
@@ -90,11 +90,14 @@ accept for domain map primary deliver .Ed .Sh VIRTUAL DOMAINS Virtual domains are kept in maps. -To create single virtual address, add -.Dq u...@example.com user +To create a virtual domain, add +.Dq example.com kittens to the virtual map. -To handle all mail destined to any user at example.com, add -.Dq @example.com user +To create a virtual address for one user under that domain, add +.Dq u...@example.com user +to the virtual map. +To catch all mail destined to the domain, add +.Dq @example.com user to the virtual map. .Pp In addition to adding an entry to the virtual map, The need to have a value for the domain key is a bit ugly. I noticed the stdio backend is happy with empty values, allowing for a pretty list under a colon terminated domain name: virtual.domain: user1@virtual.domainuser1 user2@virtual.domainuser2 another.domain: user3@another.domainuser3 user4@another.domainuser4 .. Makemap doesn't like it, though.
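Review bot: the added line `.Dq example.com kittens` leaves the reader guessing what the value after the domain key means, and your own note under the hunk says a value is required and that makemap rejects an empty one; the sentence "To create a virtual domain, add" should therefore state explicitly that a value must be supplied (and whether smtpd uses it), otherwise readers will try `example.com` on its own and hit the makemap error the note describes. A neutral placeholder also reads better in a man page than "kittens". The rest of the hunk is fine: splitting the old "To create single virtual address" into the per-user and catch-all cases, each with its own "to the virtual map.", matches the surrounding mdoc style.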
SATA RAID card suggestions?
I'm looking to possibly use a SATA RAID card instead of softraid(4) on a new amd64 PCIx or PCI express machine build.

I'm tired of rebooting into the bios for other machines with mfi(4). So I want to build something manageable via bio(4), bioctl(4), and maybe sensorsd(8). That'll either be softraid, or some kind of supported SATA RAID card.

However, most of the card models listed in the man pages for ami(4), ciss(4), ips(4), and arc(4) are older discontinued SCSI and PCI beasts. ami(4) also is limited to 2TB logical volumes.

Given the whole "go dark and produce driver blobs only" trend in the RAID controller business, I'm not getting my hopes up too much for a hardware SATA RAID option, and will certainly be OK with softraid(4).

However, if you have any ideas, I'd appreciate suggestions about manufacturers to look at for SATA RAID cards that might provide for drive status and maintenance commands via bio(4) and bioctl(4) in OpenBSD.

Richard
Infracciones de transito pendientes
Monday 10 October 2011, Buenos Aires, Argentine Republic

Dear taxpayer:

We have detected in our Integrated Traffic Fine System (SIMT) several infractions committed by your vehicle. Because you did not report to the corresponding misdemeanour court, we are resending you the photo-fines via the internet.

If you do not settle the corresponding infractions within the next 90 days from the issue date of this notice, your vehicle will be reported as a debtor and will become part of the Veraz, pursuant to Law no. 12.799 of 1/04/2009.

The inclusion of your vehicle in the Veraz will prevent the regular sale of your vehicle for 2 years in the Argentine Republic.

We attach to this report the infractions committed: PHOTO 1 - PHOTO 2 - PHOTO 3 (Article 157, 7 of AFIP and articles 2 and 7 of Resolution no. 149/03 - ARBA)

The owner of the vehicle is hereby notified by this means.

All records drawn up prior to the specified dates will remain under the purview of the Administrative Unit for Misdemeanour Control.
Re: SATA RAID card suggestions?
On Mon, Oct 10, 2011 at 02:16:47PM -0600, Richard Johnson wrote:
| I'm looking to possibly use a SATA RAID card instead of softraid(4) on a
| new amd64 PCIx or PCI express machine build.
|
| I'm tired of rebooting into the bios for other machines with mfi(4). So I
| want to build something manageable via bio(4), bioctl(4), and maybe
| sensorsd(8). That'll either be softraid, or some kind of supported SATA
| RAID card.
|
| However, most of the card models listed in the man pages for ami(4),
| ciss(4), ips(4), and arc(4) are older discontinued SCSI and PCI beasts.
| ami(4) also is limited to 2TB logical volumes.

I've had great success with the Areca ARC-1210.

http://www.areca.com.tw/products/pcie.htm

--
Ryan Corder || () ASCII ribbon campaign
ryanc at greengrey.org || /\ against HTML email
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEE37813

[demime 1.01d removed an attachment of type application/pgp-signature]
Business Forum, 2nd Edition. Business Strategies Heading into 2012.
PMS de México, a prestigious training firm, presents: Foro Empresarial 2011, 2nd Edition. Personal Branding, Marketing and Creative Media, Planning. A forum where leaders in Marketing, Management, P.E. and Coaching converge. Engel Fonseca: Leadership 2.0; Efraín Mendicuti: Personal Branding; Ariel Valero: Strategic Planning; Sergio Villalobos: Marketing for new consumers.

Exclusive presentation: 28 November, Mexico City. Pre-sale rate until 31 October 2011. Company registered with the STPS. Follow us on Twitter @pmscapacitacion or on Facebook: PMS de México, Neuronadigital Radio.

Request more information! Please reply to this e-mail with the following details. Company: Name: Telephone: Email: Number of attendees: You will shortly receive the complete information about this unparalleled event. Call us and one of our executives will gladly assist you. Telephones: (0133) 8851-2365, (0133) 8851-2741.

Copyright (C) 2011, PMS Capacitación Efectiva de México S.C. All rights reserved. PMS de México and the PMS de México logo are registered trademarks. WARNING: PMS de México has no strategic alliances of any kind within the Mexican Republic. DON'T BE FOOLED - SAY NO TO PIRACY. All logos, trademarks and images are the property of their respective corporations and are used for informational purposes only. This message has been sent to misc@openbsd.org as a user of PMS de México, or because a user referred you to receive this newsletter. As a user of PMS de México, you hereby expressly authorise PMS de México to contact you by e-mail or other means.

If you have received this message in error, disregard it and report your account by replying to this e-mail with the subject BAJAFORO2. To unsubscribe from this mailing list, reply with a blank message with the subject UNSUBSCRIBE BAJAFORO2. Please note that the management of our databases is of the utmost importance to us and it is not the company's intention to cause the recipient any displeasure.

[demime 1.01d removed an attachment of type image/jpeg which had a name of imageforo nov001.jpg]
Re: 4.9 build problems
On 2011-10-10, ??? chipits...@gmail.com wrote:
> DESTDIR was the reason for the mess. unset DESTDIR solved the problem

Ah yes, DESTDIR is not supported for building (and doesn't work on the
gcc4 arches). Next time you show your process it helps if you don't miss
out important things like that..

On 2011-10-10, ??? chipits...@gmail.com wrote:
> server is 4.9/amd64
> source is CVS/4.9
> cd /usr/src
> make build
Re: Help setting up a PF NAT gateway
Hi Stefan,

As you mentioned, IP forwarding is already enabled on your system. Have you
configured the IP alias on the network interface for the NAT purpose? If the
NAT is done on the external interface then you'll need to add in the IP alias
on /etc/hostname.vic2

Please read the guide from the OpenBSD URL below:
http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html

Sample of a hostname.if config with an IP alias:

    A typical file contains only one line, but more extensive files are
    possible, for example:

    inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description Uplink
    inet alias 10.0.1.13 255.255.255.255 10.0.1.13
    inet alias 10.0.1.14 255.255.255.255 NONE
    inet alias 10.0.1.15 255.255.255.255
    inet alias 10.0.1.16 0x
    # This is an example comment line.
    inet6 alias fec0::1 64
    inet6 alias fec0::2 64 anycast
    !route add 65.65.65.65 10.0.1.13
    up

I hope it helps.

Regards,
Stefan

From: Stefan Midjich sweh...@gmail.com
To: Mark (obsd) openbsd-l...@nerdish.us
Cc: misc@openbsd.org
Sent: Tuesday, October 11, 2011 2:06 AM
Subject: Re: Help setting up a PF NAT gateway

Yes, forwarding is enabled. I have followed the Book of PF, 2nd Edition, so far.

2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
> Hi Stefan,
>
> On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:
>> Simplest of things but I'm failing miserably.
>> ...
>> With tcpdump I can see packets going to vic3, but no further.
>
> Do you definitely have forwarding enabled?
>
>   # sysctl net.inet.ip.forwarding
>   net.inet.ip.forwarding=1
>
> If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf
> to enable forwarding if you haven't.
>
> Regards,
> Mark

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: android's adb
(this should probably be on ports@)

> with more and more android phones around, it would be nice to have a
> working 'adb' to make backups and push custom ROMs on the devices.
>
> i found an older adb linux executable in their SDK archives. it can be
> started under linux emulation, but that's about it:

i just looked at the code and was able to get most of it to compile on
openbsd, except the usb stub (usb_libusb.c) which requires libusb-1.0.
we only have libusb-0.1 in our ports tree, which uses the old api, and
the new api has changed pretty much everything.
Re: SATA RAID card suggestions?
On Mon, 10 Oct 2011 14:50:45 -0700, Ryan Corder wrote:
> On Mon, Oct 10, 2011 at 02:16:47PM -0600, Richard Johnson wrote:
>
> I've had great success with the Areca ARC-1210.
>
> http://www.areca.com.tw/products/pcie.htm

Whoops, I was apparently too tired last night to find the Areca cards,
though I could have sworn I'd studied the arc(4) man page. That is, until I
reviewed it again this evening after receiving your response.

Thanks for getting me pointed in the right direction. Now to find one in
stock.

Richard
Re: The OpenBSD user community needs to shake things up
On Mon, Oct 10, 2011, Alexey E. Suslikov wrote:
> Marc Espie espie at nerim.net writes:
>> Don't blame the tools. Blame the *people* who don't test.
>
> I wonder why jasper@ went to github if mailing lists are good enough.

ports and base are different enough I don't think we should immediately
draw any conclusions.

ports didn't use the bug tracker even when there was one

> And you didn't respond on the dead bug-tracker issue: if people test,
> where is a place to put results?

That has an easy answer. If it works, mail the author. If it doesn't work,
mail the list.
Important: Your ClickandBuy account is time-limited!
Dear ClickandBuy member,

Due to online fraud, ClickandBuy has increased its security systems for all users. To update your account with the new security measures, please download the attached form and follow all the steps.

Important: if you do not fill in the form, your account will be restricted.

Thank you for your understanding,

Copyright 2011 ClickandBuy. All rights reserved.

[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a name of ClickandBuy_Form.17965DEFANGED-html]
Only noise from Azalia
I can get only noise from the audio of a notebook Acer Aspire 5820T-6825.
dmesg, audioctl and mixerctl are attached. Any advice?

Thank you.

--Jairo

dmesg

OpenBSD 4.9 (GENERIC.MP) #819: Wed Mar 2 06:57:49 MST 2011
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 80<clock_battery>
real mem = 3008843776 (2869MB)
avail mem = 2914725888 (2779MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe9460 (51 entries)
bios0: vendor INSYDE version V1.23 date 12/21/2010
bios0: Acer Aspire 5820T
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP ASF! HPET APIC MCFG SLIC BOOT ASPT WDAT SSDT
acpi0: wakeup devices EHC1(S3) EHC2(S3) PXSX(S4) RP01(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5 CPU M 480 @ 2.67GHz, 2660.90 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5 CPU M 480 @ 2.67GHz, 2660.46 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i5 CPU M 480 @ 2.67GHz, 2660.46 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Core(TM) i5 CPU M 480 @ 2.67GHz, 2660.46 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu3: 256KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpimcfg0 at acpi0 addr 0xf000, bus 0-127
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P2)
acpiprt2 at acpi0: bus 3 (P0P1)
acpiprt3 at acpi0: bus 1 (RP01)
acpiprt4 at acpi0: bus -1 (RP02)
acpiprt5 at acpi0: bus -1 (RP03)
acpiprt6 at acpi0: bus -1 (RP04)
acpiprt7 at acpi0: bus -1 (RP05)
acpiprt8 at acpi0: bus -1 (RP07)
acpiprt9 at acpi0: bus -1 (RP08)
acpiprt10 at acpi0: bus -1 (PEG3)
acpiprt11 at acpi0: bus -1 (PEG5)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C1, PSS
acpicpu1 at acpi0: C3, C1, PSS
acpicpu2 at acpi0: C3, C1, PSS
acpicpu3 at acpi0: C3, C1, PSS
acpitz0 at acpi0: critical temperature 105 degC
acpibat0 at acpi0: BAT1 model AS10B3E serial 7F5A type LION oem SANYO
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpibtn2 at acpi0: SLPB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: LCD_
acpivideo1 at acpi0: VGA_
cpu0: Enhanced SpeedStep 2660 MHz: speeds: 2667, 2666, 2533, 2399, 2266, 2133, 1999, 1866, 1733, 1599, 1466, 1333, 1199 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel Core Host rev 0x18
vga1 at pci0 dev 2 function 0 Intel Mobile HD graphics rev 0x18
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xc000, size 0x1000
inteldrm0 at vga1: apic 2 int 16 (irq 7)
drm0 at inteldrm0
Intel 3400 MEI rev 0x06 at pci0 dev 22 function 0 not configured
ehci0 at pci0 dev 26 function 0 Intel 3400 USB rev 0x05: apic 2 int 16 (irq 7)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 Intel 3400 HD Audio rev 0x05: apic 2 int 22 (irq 11)
azalia0: codecs: Realtek ALC269, Intel/0x2804, using Realtek ALC269
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 3400 PCIE rev 0x05: apic 2 int 17 (irq 255)
pci1 at ppb0 bus 1
Attansic Technology L1D rev 0xc0 at pci1 dev 0 function 0 not configured
ppb1 at pci0 dev 28 function 5 Intel 3400 PCIE rev 0x05: apic 2 int 16 (irq 255)
pci2 at ppb1 bus 2
Broadcom BCM43225 rev 0x01 at pci2 dev 0 function 0 not configured
ehci1 at pci0 dev 29 function 0 Intel 3400 USB rev 0x05: apic 2 int 23 (irq 11)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xa5
pci3 at ppb2 bus 3
pcib0 at pci0 dev 31 function 0 Intel HM55 LPC rev 0x05
ahci0 at pci0 dev 31 function 2 Intel 3400 AHCI rev 0x05: apic 2 int 19
Re: Help setting up a PF NAT gateway
No, I was not aware of this. Could you please explain the meaning of an
alias address on the external interface for NAT? There is no mention of
using an alias for NAT in this document, for example:
http://www.openbsd.org/faq/pf/nat.html

Just to be clear, I already have an external and an internal physical
interface to work with, so I am unclear as to why I need an alias.

2011/10/11 Stefan N stefanbsd...@yahoo.com:
> Hi Stefan,
>
> As you mentioned, IP forwarding is already enabled on your system. Have
> you configured the IP alias on the network interface for the NAT purpose?
> If the NAT is done on the external interface then you'll need to add in
> the IP alias on /etc/hostname.vic2
>
> Please read the guide from the OpenBSD URL below:
> http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html
>
> Sample of a hostname.if config with an IP alias:
>
>     A typical file contains only one line, but more extensive files are
>     possible, for example:
>
>     inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description Uplink
>     inet alias 10.0.1.13 255.255.255.255 10.0.1.13
>     inet alias 10.0.1.14 255.255.255.255 NONE
>     inet alias 10.0.1.15 255.255.255.255
>     inet alias 10.0.1.16 0x
>     # This is an example comment line.
>     inet6 alias fec0::1 64
>     inet6 alias fec0::2 64 anycast
>     !route add 65.65.65.65 10.0.1.13
>     up
>
> I hope it helps.
>
> Regards,
> Stefan
>
> From: Stefan Midjich sweh...@gmail.com
> To: Mark (obsd) openbsd-l...@nerdish.us
> Cc: misc@openbsd.org
> Sent: Tuesday, October 11, 2011 2:06 AM
> Subject: Re: Help setting up a PF NAT gateway
>
> Yes, forwarding is enabled. I have followed the Book of PF, 2nd Edition, so far.
>
> 2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
>> Hi Stefan,
>>
>> On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:
>>> Simplest of things but I'm failing miserably.
>>> ...
>>> With tcpdump I can see packets going to vic3, but no further.
>>
>> Do you definitely have forwarding enabled?
>>
>>   # sysctl net.inet.ip.forwarding
>>   net.inet.ip.forwarding=1
>>
>> If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf
>> to enable forwarding if you haven't.
>>
>> Regards,
>> Mark
>
> -- 
> Med vänliga hälsningar / With kind regards
> Stefan Midjich

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
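An added example for the thread above, written for this page and not posted by any of the participants: the two pieces a minimal PF NAT gateway on OpenBSD 4.9 actually needs, the forwarding sysctl that Mark asked about and a pf.conf with a nat-to rule. It keeps the thread's interface names (vic2 external, vic3 internal) and assumes a made-up LAN of 192.168.1.0/24. The rule `nat-to ($ext_if)` with parentheses translates to whatever address is currently configured on the external interface, so plain outbound NAT works with the interface's primary address and the script does not configure any alias.

```sh
#!/bin/sh
# Added example (not from the thread). Minimal NAT gateway on OpenBSD 4.9.
# Assumptions: vic2 is the external interface, vic3 the internal one, and
# 192.168.1.0/24 (made up) is the LAN behind the gateway.

ext_if=vic2
int_if=vic3
int_net=192.168.1.0/24

# forwarding_enabled LINE
# Takes one line of `sysctl net.inet.ip.forwarding` output and returns 0
# only when forwarding is on. With it off, packets that arrive on the
# internal interface for other hosts are dropped: the "seen on vic3 with
# tcpdump, goes no further" symptom.
forwarding_enabled() {
    case "$1" in
        net.inet.ip.forwarding=1) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_pf_conf EXT INT NET
# Prints a pf.conf for a NAT gateway using the 4.7+ match/nat-to syntax.
# ($ext_if) in parentheses means "the address currently on that interface",
# so no alias is needed for plain NAT. Inbound on the external side is
# default-deny; rules are evaluated last-match-wins unless marked quick.
gen_pf_conf() {
    cat <<EOF
ext_if = "$1"
int_if = "$2"
int_net = "$3"

set skip on lo

# Rewrite the source address of LAN traffic leaving the external
# interface to that interface's own address.
match out on \$ext_if from \$int_net to any nat-to (\$ext_if)

block in all
pass out quick
pass in on \$int_if from \$int_net to any
EOF
}

# config_has_nat FILE
# Static check to run before loading: is the nat-to rule present?
config_has_nat() {
    grep -Fq 'match out on $ext_if from $int_net to any nat-to ($ext_if)' "$1"
}

# Usage on the gateway, as root (the commands below are not run here):
#   forwarding_enabled "$(sysctl net.inet.ip.forwarding)" || \
#       { sysctl net.inet.ip.forwarding=1; \
#         echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf; }
#   gen_pf_conf "$ext_if" "$int_if" "$int_net" > /etc/pf.conf
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
```

`pfctl -nf` parses the ruleset without loading it, so a syntax slip in the generated file cannot leave the gateway with an empty (open) or broken ruleset; `pfctl -s nat` afterwards shows whether the translation rule was installed.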
CVS
Why does it say on http://www.openbsd.org/anoncvs.html

    NOTE: If you are updating a source tree that you initially fetched
    from a different server, or from a CD, you must add the
    -d anon...@anoncvs.ca.openbsd.org:/cvs options to cvs.

    # cd /usr/src
    # cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd

But this is not mentioned on http://www.openbsd.org/faq/faq5.html#BldGetSrc
in the section on Pre-loading the tree?
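An added check for the situation the anoncvs note describes; it is not from the page or from the OpenBSD project. CVS records the repository a tree was checked out from in the CVS/Root file of every directory, and `cvs up` uses that recorded server unless `-d` overrides it. This is why a tree fetched from a CD or another mirror needs `-d` to be pointed at the server you actually want to update from, and it is also worth knowing from a supply-chain angle: the recorded root says where your source has been coming from. The script assumes the repository string `anoncvs@anoncvs.ca.openbsd.org:/cvs` (the user part is an assumption; the page abbreviates it) and a tree under /usr/src; it only reads CVS/Root files and prints the command to run.

```sh
#!/bin/sh
# Added example (not from the page). Decide whether `cvs up` on a tree
# needs -d by comparing the recorded CVS/Root with the mirror you intend.
# Assumed repository string; the page abbreviates the user part.
REPO='anoncvs@anoncvs.ca.openbsd.org:/cvs'

# cvs_root TREE
# Print the repository recorded in TREE/CVS/Root; print nothing if absent.
cvs_root() {
    if [ -r "$1/CVS/Root" ]; then
        cat "$1/CVS/Root"
    fi
}

# needs_dash_d TREE REPO
# Return 0 when the recorded root differs from REPO (or is missing), i.e.
# when the update must be run with -d REPO.
needs_dash_d() {
    root=$(cvs_root "$1")
    [ "$root" != "$2" ]
}

# update_cmd TREE REPO
# Print the cvs command to run for TREE, adding -d only when required.
update_cmd() {
    if needs_dash_d "$1" "$2"; then
        printf 'cvs -d %s -q up -Pd\n' "$2"
    else
        printf 'cvs -q up -Pd\n'
    fi
}

# foreign_roots TREE REPO
# List every directory under TREE whose CVS/Root is not REPO. A tree that
# was partly updated from another mirror shows up here as a mix of roots.
foreign_roots() {
    find "$1" -path '*/CVS/Root' -type f | while read -r f; do
        if [ "$(cat "$f")" != "$2" ]; then
            dirname "$(dirname "$f")"
        fi
    done
}

# Usage (not run here):
#   cd /usr/src && $(update_cmd /usr/src "$REPO")
#   foreign_roots /usr/src "$REPO"
```

Run `foreign_roots` once after switching mirrors: if it still lists directories, those subtrees were last updated from somewhere else and the next plain `cvs up` without `-d` would quietly go back there.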