Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-07 Thread Janne Johansson
2011/11/8 Mostaf Faridi 

> Sorry for my bad English. I only want to understand: does this pf.conf work in
> OpenBSD 5 or not? Which part must I edit and change?
>

The part where you hope someone else will do the work so you don't have to
know what your own firewall is doing, and why.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Compranet 5.0 Mandatory Update

2011-11-07 Thread Susana Hernandez
1328602

[IMAGE]

PMS de México, a prestigious training firm, presents:

Optimal Handling of the Compranet 5.0 Platform

25 November, Mexico City. Expert consultant Master Alberto
Ledesma.

Free Internet!

Get the tools you need to achieve optimal performance in your role.

Company registered with the STPS

Follow us on Twitter @pmscapacitacion or on Facebook PMS de México.

Request more information! Please reply to this e-mail with the
following details.

Company:

Name:
Telephone:
Email:

Number of attendees:

You will shortly receive full information about this unparalleled event.

Call us on the numbers below and one of our executives will be glad to
assist you.

Telephones: (0133) 8851-2365, (0133) 8851-2741.

Copyright (C) 2011, PMS Capacitación Efectiva de México S.C. All rights
reserved. PMS de México and the PMS de México logo are registered
trademarks. WARNING: PMS de México has no strategic alliances of any kind
within the Mexican Republic. DON'T BE FOOLED - SAY NO TO PIRACY. All
logos, trademarks and images are the property of their respective
corporations and are used for informational purposes only.

This message has been sent to misc@openbsd.org as a user of PMS de
México, or because a user referred you to receive this newsletter.
As a user of PMS de México, you hereby expressly authorize PMS de México
to contact you by e-mail or other means.
If you have received this message in error, please disregard it and
report your account by replying to this e-mail with the subject BAJACOMP

To unsubscribe from this mailing list, reply with a blank message with the
subject UNSUBSCRIBE BAJACOMP
Please note that the management of our databases is of the utmost
importance and it is not the company's intention to cause the recipient
any displeasure.

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
compranet 5.jpg]



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-07 Thread Mostaf Faridi
Thanks all guys
Sorry for my bad English. I only want to understand: does this pf.conf work in
OpenBSD 5 or not? Which part must I edit and change?
Is this pf.conf correct?
Thanks in advance
On Nov 8, 2011 7:35 AM, "John Tate"  wrote:

> There is only one way to do a job like this: Write down what it does in
> clear English (or your own language), and do the whole thing from scratch.
> It will only be tediously slow for the first half of the job.
>
> On Wed, Nov 2, 2011 at 10:29 AM, Gholam Mostafa Faridi <
> mostafafar...@gmail.com> wrote:
>
>> Hi
>> In my workplace we have over 24 computers, all of them Windows, and I have a
>> NAT server. This NAT server uses FreeBSD 8.2 AMD64, and I use PF for NAT
>> with FreeBSD 8.2. After much searching on Google, I found this pf.conf
>>
>> 
>> ns# cat  /usr/local/pf/pf.conf
>> # $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
>> mlaier Exp $
>> # $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
>> # Edited by: mfaridi
>>
>>  MACROS
>> 
>>
>> ext_if  = "sk0"
>> int_if  = "re0"
>> External_net= "10.10.10.192/27"
>> Local_net   = "192.168.0.0/24"
>> Local_Web   = "192.168.0.10"
>> Local_Srv   = "192.168.0.1"
>> Prtcol  = "{ tcp, udp }"
>> Admin_IP= "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
>> ICMP_Types  = "{ echorep, unreach, squench, echoreq, timex }"
>>
>> #Define ports for common internet services
>> #TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443
>> }"
>> #UDP_SRV = "{ 53 }"
>> TCP_SRV = "{ 80, 443 }"
>> UDP_SRV = "{ }"
>> Samba_TCP   = "{ 139, 445 }"
>> Samba_UDP   = "{ 137, 138 }"
>>
>>
>> SERVER  = "10.10.10.200"
>> NAT1= "10.10.10.194"
>> NAT2= "10.10.10.195"
>> NAT3= "10.10.10.196"
>> NAT4= "10.10.10.197"
>> NAT5= "10.10.10.198"
>> NAT6= "10.10.10.199"
>> NAT7= "10.10.10.201"
>> NAT8= "10.10.10.202"
>> NAT9= "10.10.10.203"
>> NAT10   = "10.10.10.204"
>> NAT11   = "10.10.10.205"
>> NAT12   = "10.10.10.206"
>> NAT13   = "10.10.10.207"
>> NAT14   = "10.10.10.208"
>> NAT15   = "10.10.10.209"
>> NAT16   = "10.10.10.210"
>> NAT17   = "10.10.10.211"
>> NAT18   = "10.10.10.212"
>> NAT19   = "10.10.10.213"
>> NAT20   = "10.10.10.214"
>> NAT21   = "10.10.10.215"
>> NAT22   = "10.10.10.216"
>> NAT23   = "10.10.10.217"
>> NAT24   = "10.10.10.218"
>> NAT25   = "10.10.10.219"
>>
>>  All IP of Groups which can be connect to Internet
>> paltalk1= "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
>> paltalk2= "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
>> paltalk3= "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
>> 192.168.0.29 }"
>> webdsgn1= "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
>> webdsgn2= "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
>> webdsgn3= "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
>> webdsgn4= "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
>> webdsgn5= "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
>> webdsgn6= "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
>> webdsgn7= "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
>> webdsgn8= "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
>> 192.168.0.54 }"
>> rased1  = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
>> rased2  = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
>> rased3  = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
>> rased4  = "{ 192.168.0.69, 192.168.0.70 }"
>> rased5  = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
>> 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
>> rased6  = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
>> 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
>> rased7  = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
>> 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
>> rased8  = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
>> 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225
>>  }"
>> admin1  = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
>> admin2  = "{ 192.168.0.58, 192.168.0.59 }"
>>
>> ### TABLES
>> 
>>
>> #Define privileged network address sets
>> table  const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
>> 10.0.0.0/8, 0.0.0.0/8, \
>>  14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
>> 224.0.0.0/3 }
>> table  persist file "/usr/local/pf/Network/blocklist.lst"
>> table  persist file "/usr/local/pf/Network/hackers.lst"
>>
>> #Define Favou

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-07 Thread John Tate
There is only one way to do a job like this: Write down what it does in
clear English (or your own language), and do the whole thing from scratch.
It will only be tediously slow for the first half of the job.

On Wed, Nov 2, 2011 at 10:29 AM, Gholam Mostafa Faridi <
mostafafar...@gmail.com> wrote:

> Hi
> In my workplace we have over 24 computers, all of them Windows, and I have a
> NAT server. This NAT server uses FreeBSD 8.2 AMD64, and I use PF for NAT
> with FreeBSD 8.2. After much searching on Google, I found this pf.conf
>
> 
> ns# cat  /usr/local/pf/pf.conf
> # $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
> mlaier Exp $
> # $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
> # Edited by: mfaridi
>
>  MACROS
> 
>
> ext_if  = "sk0"
> int_if  = "re0"
> External_net= "10.10.10.192/27"
> Local_net   = "192.168.0.0/24"
> Local_Web   = "192.168.0.10"
> Local_Srv   = "192.168.0.1"
> Prtcol  = "{ tcp, udp }"
> Admin_IP= "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
> ICMP_Types  = "{ echorep, unreach, squench, echoreq, timex }"
>
> #Define ports for common internet services
> #TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443
> }"
> #UDP_SRV = "{ 53 }"
> TCP_SRV = "{ 80, 443 }"
> UDP_SRV = "{ }"
> Samba_TCP   = "{ 139, 445 }"
> Samba_UDP   = "{ 137, 138 }"
>
>
> SERVER  = "10.10.10.200"
> NAT1= "10.10.10.194"
> NAT2= "10.10.10.195"
> NAT3= "10.10.10.196"
> NAT4= "10.10.10.197"
> NAT5= "10.10.10.198"
> NAT6= "10.10.10.199"
> NAT7= "10.10.10.201"
> NAT8= "10.10.10.202"
> NAT9= "10.10.10.203"
> NAT10   = "10.10.10.204"
> NAT11   = "10.10.10.205"
> NAT12   = "10.10.10.206"
> NAT13   = "10.10.10.207"
> NAT14   = "10.10.10.208"
> NAT15   = "10.10.10.209"
> NAT16   = "10.10.10.210"
> NAT17   = "10.10.10.211"
> NAT18   = "10.10.10.212"
> NAT19   = "10.10.10.213"
> NAT20   = "10.10.10.214"
> NAT21   = "10.10.10.215"
> NAT22   = "10.10.10.216"
> NAT23   = "10.10.10.217"
> NAT24   = "10.10.10.218"
> NAT25   = "10.10.10.219"
>
>  All IP of Groups which can be connect to Internet
> paltalk1= "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
> paltalk2= "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
> paltalk3= "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
> 192.168.0.29 }"
> webdsgn1= "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
> webdsgn2= "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
> webdsgn3= "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
> webdsgn4= "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
> webdsgn5= "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
> webdsgn6= "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
> webdsgn7= "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
> webdsgn8= "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
> 192.168.0.54 }"
> rased1  = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
> rased2  = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
> rased3  = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
> rased4  = "{ 192.168.0.69, 192.168.0.70 }"
> rased5  = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
> 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
> rased6  = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
> 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
> rased7  = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
> 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
> rased8  = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
> 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225
>  }"
> admin1  = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
> admin2  = "{ 192.168.0.58, 192.168.0.59 }"
>
> ### TABLES
> 
>
> #Define privileged network address sets
> table  const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
> 10.0.0.0/8, 0.0.0.0/8, \
>  14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
> 224.0.0.0/3 }
> table  persist file "/usr/local/pf/Network/blocklist.lst"
> table  persist file "/usr/local/pf/Network/hackers.lst"
>
> #Define Favoured client hosts
> tablepersist file "/usr/local/pf/Network/Admin.lst"
> table  persist file "/usr/local/pf/Network/Paltalk.lst"
> table  persist file "/usr/local/pf/Network/WebDsgn.lst"
> tablepersist file "/usr/local/pf/Network/Rased.lst"
> table  const { self }
>
> ### OPTIONS
> ##

Grand Facebook Marketing Conference this 25 November

2011-11-07 Thread Ing. Gabriela Sanchez
[IMAGE]
WSI, world leader in internet solutions, PMS de México, the most
recognized training firm nationwide, & Adsmedia present:
National Congress Internet Marketing Evolution, the most important
digital Internet event in Mexico and Latin America.
3rd and last annual edition. More than 1,200 participating companies
back us.
Presenting the most innovative topics and trends to let you develop a
digital marketing strategy suited to your needs.
Exclusive presentation: 25 November, Mexico City.

Request more information! Please reply to this e-mail with the
following details.
Company:
Name:
Telephone:
Email:
Number of attendees:
You will shortly receive full information about this unparalleled event.
Call us on the numbers below and one of our executives will be glad to
assist you.

Telephones: (0133) 8851-2365, (0133) 8851-2741.
We bring you the best events; discover the benefits of training with
the best!
Company registered with the STPS, Reg. COLG640205CP30005
Follow us on Twitter @pmscapacitacion or on Facebook PMS de México

Copyright (C) 2011, PMS Capacitación Efectiva de México S.C. All rights
reserved. PMS de México and the PMS de México logo are registered
trademarks. WARNING: PMS de México has no strategic alliances of any kind
within the Mexican Republic. DON'T BE FOOLED - SAY NO TO PIRACY. All
logos, trademarks and images are the property of their respective
corporations and are used for informational purposes only.

This message has been sent to misc@openbsd.org as a user of PMS de
México, or because a user referred you to receive this newsletter.
As a user of PMS de México, you hereby expressly authorize PMS de México
to contact you by e-mail or other means.
If you have received this message in error, please disregard it and
report your account by replying to this e-mail with the subject BAJAMKT
To unsubscribe from this mailing list, reply with a blank message with the
subject UNSUBSCRIBE BAJAMKT
Please note that the management of our databases is of the utmost
importance and it is not the company's intention to cause the recipient
any displeasure.

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
imagemarketing001.jpg]



Re: cvs is the project's VCS (Was: Re: Updating plus.html)

2011-11-07 Thread Steffen Daode Nurpmeso
I have a mail of someone who is actively fought by the henchmen of
No. 43!

Theo de Raadt wrote [2011-11-07 18:52+0100]:
> > Even if there would have been a note that the project itself has
> > chosen to use cvs(1) and that git clones are unofficial.
> 
> wow, that's backwards.

History is very important.

> if anything is official, we mention it.
> if anything is not unofficial, we don't mention it.

With time, dedication and a whole lotta love CVS sure will do fine.


Even though i'm deaf most of the time, i've noted that git (i
really doesn't like it, maybe libgit2 will someday even do
transport and garbage-collection, and then) comes up once in
a while, also on tech.

Time will surely bring a lot of OpenBSD Mercurial and git
full-history clones on the various large (free) hosters.  In the
first world internet is cheap today, and a background rlog which
takes a week doesn't hurt (one may think).  

Would i like an official git repo?  Yes, i would.
And that's it for me on this now, really.
Thanks for listening and good night,

steffen



Re: PF.CONF - with DMZ and packet tagging example

2011-11-07 Thread Bentley, Dain
Would I need the quick though?  I would think you want pf to keep evaluating
the rules after they enter the int interface.

From: Adriaan [misc.adri...@gmail.com]
Sent: Monday, November 07, 2011 6:09 PM
To: Bentley, Dain
Cc: Patrick Lamaiziere; misc@openbsd.org
Subject: Re: PF.CONF - with DMZ and packet tagging example

On Mon, Nov 7, 2011 at 11:59 PM, Bentley, Dain  wrote:
> I guess I should add quick to the following:
> block in on $ext from $RFC1918 to any
> block out on $ext from any to $RFC1918
> block in on $ext from 
>
>
> 
> From: Patrick Lamaiziere [patf...@davenulle.org]
> Sent: Monday, November 07, 2011 5:37 PM
> To: misc@openbsd.org; Bentley, Dain
> Subject: Re: PF.CONF - with DMZ and packet tagging example
>
> On Mon, 7 Nov 2011 16:58:29 -0500,
> "Bentley, Dain" wrote:
>
> Hello,
>
>> block in on $ext from 
>> #NAT INBOUND TO DMZ
>> pass in on $ext proto tcp from any to any port $web_services rdr-to
>> $webserver tag INET_TO_DMZ
>> pass in on $ext proto tcp from any to any port $mail_services rdr-to
>> $mailserver tag INET_TO_DMZ
>
> Doesn't look good, missing quick in the block rule?
>
> Regards.
>

You should also consider the advice I gave in
http://www.daemonforums.org/showthread.php?t=6483#post41274

Adriaan



Re: PF.CONF - with DMZ and packet tagging example

2011-11-07 Thread Adriaan
On Mon, Nov 7, 2011 at 11:59 PM, Bentley, Dain  wrote:
> I guess I should add quick to the following:
> block in on $ext from $RFC1918 to any
> block out on $ext from any to $RFC1918
> block in on $ext from 
>
>
> 
> From: Patrick Lamaiziere [patf...@davenulle.org]
> Sent: Monday, November 07, 2011 5:37 PM
> To: misc@openbsd.org; Bentley, Dain
> Subject: Re: PF.CONF - with DMZ and packet tagging example
>
> On Mon, 7 Nov 2011 16:58:29 -0500,
> "Bentley, Dain" wrote:
>
> Hello,
>
>> block in on $ext from 
>> #NAT INBOUND TO DMZ
>> pass in on $ext proto tcp from any to any port $web_services rdr-to
>> $webserver tag INET_TO_DMZ
>> pass in on $ext proto tcp from any to any port $mail_services rdr-to
>> $mailserver tag INET_TO_DMZ
>
> Doesn't look good, missing quick in the block rule?
>
> Regards.
>

You should also consider the advice I gave in
http://www.daemonforums.org/showthread.php?t=6483#post41274

Adriaan



Re: PF.CONF - with DMZ and packet tagging example

2011-11-07 Thread Bentley, Dain
I guess I should add quick to the following it does make sense:
block in on $ext from $RFC1918 to any
block out on $ext from any to $RFC1918
block in on $ext from 



From: Patrick Lamaiziere [patf...@davenulle.org]
Sent: Monday, November 07, 2011 5:37 PM
To: misc@openbsd.org; Bentley, Dain
Subject: Re: PF.CONF - with DMZ and packet tagging example

On Mon, 7 Nov 2011 16:58:29 -0500,
"Bentley, Dain" wrote:

Hello,

> block in on $ext from 
> #NAT INBOUND TO DMZ
> pass in on $ext proto tcp from any to any port $web_services rdr-to
> $webserver tag INET_TO_DMZ
> pass in on $ext proto tcp from any to any port $mail_services rdr-to
> $mailserver tag INET_TO_DMZ

Doesn't look good, missing quick in the block rule?

Regards.



Re: PF.CONF - with DMZ and packet tagging example

2011-11-07 Thread Bentley, Dain
I guess I should add quick to the following:
block in on $ext from $RFC1918 to any
block out on $ext from any to $RFC1918
block in on $ext from 



From: Patrick Lamaiziere [patf...@davenulle.org]
Sent: Monday, November 07, 2011 5:37 PM
To: misc@openbsd.org; Bentley, Dain
Subject: Re: PF.CONF - with DMZ and packet tagging example

On Mon, 7 Nov 2011 16:58:29 -0500,
"Bentley, Dain" wrote:

Hello,

> block in on $ext from 
> #NAT INBOUND TO DMZ
> pass in on $ext proto tcp from any to any port $web_services rdr-to
> $webserver tag INET_TO_DMZ
> pass in on $ext proto tcp from any to any port $mail_services rdr-to
> $mailserver tag INET_TO_DMZ

Doesn't look good, missing quick in the block rule?

Regards.



Re: PF.CONF - with DMZ and packet tagging example

2011-11-07 Thread Patrick Lamaiziere
On Mon, 7 Nov 2011 16:58:29 -0500,
"Bentley, Dain" wrote:

Hello,

> block in on $ext from 
> #NAT INBOUND TO DMZ
> pass in on $ext proto tcp from any to any port $web_services rdr-to
> $webserver tag INET_TO_DMZ
> pass in on $ext proto tcp from any to any port $mail_services rdr-to
> $mailserver tag INET_TO_DMZ

Doesn't look good, missing quick in the block rule?

Regards.



Re: cvs is the project's VCS (Was: Re: Updating plus.html)

2011-11-07 Thread Steffen Daode Nurpmeso
Philip Guenther wrote [2011-11-07 19:03+0100]:
> On Mon, Nov 7, 2011 at 5:37 PM, Steffen Daode Nurpmeso
>  wrote:
> ...
> > That is to say, to end this lengthy thing, i would have
> > appreciated it if i would have found some URL to a trusted git
> > clone on the official OpenBSD homepage at that time.
> > Even if there would have been a note that the project itself has
> > chosen to use cvs(1) and that git clones are unofficial.
> 
> "Here's a link to something that the project doesn't control, doesn't
> use, and doesn't monitor."

AFAIK this is a chain of trust anyway.
Or are there any bots around that check the actual content of the
mirrors?
And here we (me, that is) talk of a service that is provided by
a trusted mirror, FTP and AnonCVS.

But wait - it seems to be located in the U.S.A...
You're right!!!

> Right, because no one will complain to the project when that's out of
> date or backdoored.  "It's right there on your webpage!"  Anything
> unofficial is strictly between you and the entity providing it, so why
> would you trust that more than the result of a google search?

In support.html i read

The following individuals and organizations have indicated that
they are able to provide support as indicated. 
However, the OpenBSD Project does not necessarily endorse any of
these. Please contact each site directly.

..murmur..
(And the entry there which claims to be in my hometown actually
moved to Ginsheim-Gustavsburg, the phone number seems to be
completely out-of-date, at least if i compare support.html with
his own webpage.  No joke!  Will mail him after this here.)

> Philip Guenther

steffen
(Trying to be [me], though deaf)



PF.CONF - with DMZ and packet tagging example

2011-11-07 Thread Bentley, Dain
Hello all,
With the help of the PF Faq on the OpenBSD website, The Book of PF (2nd
Edition) and of course from the nice folks here on this mailing list I have a
pf.conf someone might find useful.
This configuration file is for an OpenBSD box with three interfaces assuming
you want one interface for internal, external and DMZ.  I really wanted to use
packet tagging to keep things a little easier to manage and visualize in my
head.

It allows all traffic from the LAN out - which you can filter obviously -
filters DMZ traffic outbound and provides some basic services inbound from the
internet to some DMZ servers.  It will also allow users from the internal LAN
to access the DMZ services which one might also want to restrict if they
wish.

It's taken me a few days to get it configured with a lot of watching TCPDump
on the screen.  I've run multiple NMAP scans against my network just to ensure
no unwanted ports were open.  I also ran TCPDump on the dmz interface and
tried to access the internet with some unwanted protocols to ensure they would
be filtered and so far so good.

Also, on the outbound DMZ traffic I decided to log all traffic so I could see
where my servers were going when they left my network.


##MACROS
int = "re0"
dmz = "fxp0"
ext = "fxp1"
int_net = "192.168.1.0/24"
dmz_net = "192.168.10.0/24"
RFC1918="{ 10/8 172.16/12 192.168/16 }"

webserver = "192.168.10.1"
mailserver = "192.168.10.5"
dmz_services = "{ 80, 25, 53, 443 }"

web_services = "{ 80, 3000, 4567 }"
mail_services = "{ 25, 110, 443 }"

##TABLES
table  persist file "/etc/spammers"
table  persist file "/etc/bastards"

##OPTIONS
set skip on lo
set block-policy drop
set loginterface fxp1

##NORMALIZE TRAFFIC
match in all scrub ( no-df max-mss 1440 )

# NAT RULES
match out on $ext tag LAN_TO_INET tagged LAN nat-to ($ext)
match out on $ext tag DMZ_TO_INET tagged DMZ nat-to ($ext)
match out on $ext tag FTP_PROXY nat-to ($ext)

### BLOCKING AND PACKET TAGGING
block log all
antispoof for { lo0 re0 fxp0 fxp1 }
block in on $ext from $RFC1918 to any
block out on $ext from any to $RFC1918
block in on $ext from 

#LAN OUT
pass in on $int from $int_net tag LAN
pass in on $int from $int_net to $dmz_net tag LAN_TO_DMZ

#DMZ OUT
#pass in log on $dmz from $dmz_net tag DMZ
pass in log on $dmz proto { tcp, udp } from $dmz_net to any port $dmz_services
tag DMZ

#Allow FTP from DMZ to install programs from ports collection
anchor "ftp-proxy/*"
pass in log quick on $dmz proto tcp from $dmz_net to any port 21 rdr-to
127.0.0.1 port 8021 tag FTP_PROXY

#SPAMD AND FTP PROXY
pass in on $ext proto tcp from  to port smtp tag SPAMD rdr-to 127.0.0.1
port 8025 tag SPAMD

#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver
tag INET_TO_DMZ
pass in on $ext proto tcp from any to any port $mail_services rdr-to
$mailserver tag INET_TO_DMZ

#POLICY ENFORCEMENT
pass in quick on $ext tagged SPAMD
pass out quick on $ext tagged FTP_PROXY
pass out quick on $ext tagged LAN_TO_INET
pass out quick on $ext tagged DMZ_TO_INET
pass out quick on $dmz tagged LAN_TO_DMZ
pass out quick on $dmz tagged INET_TO_DMZ


I've been running the firewall on an OpenBSD 4.9 box with an Atom 330 and the
performance has been fantastic.  I was tired of dealing with Cisco and having
to pay money just to get access to download new software.

In any case, I hope someone might find this useful in some way, and since I
received some help from here I thought I'd post back my results...

regards,
Dain
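The point raised in the replies to this post (Patrick's and Adriaan's, and Dain's own follow-up) comes down to PF's evaluation order: the last matching rule wins unless a matching rule carries `quick`, which ends evaluation on the spot. The Python model below is an added illustration and not code from Dain's post or from PF itself. It reduces the posted ruleset to the three rules that interact for inbound web traffic (`block log all`, `block in on $ext from $RFC1918 to any`, and the `pass in on $ext proto tcp ... port $web_services rdr-to $webserver` rule), ignores state, `rdr-to`, tags and `antispoof`, and evaluates three constructed packets with and without `quick` on the RFC1918 block. The interface name `fxp1` and the port list are taken from the post; the packet addresses are made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of PF rule evaluation (added illustration, not PF code):
# the last matching rule wins unless a matching rule carries `quick`.


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to the interface
    iface: str
    proto: str      # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                   # "block" or "pass"
    direction: Optional[str] = None               # None matches any direction
    iface: Optional[str] = None                   # None matches any interface
    proto: Optional[str] = None                   # None matches any protocol
    src: Optional[Tuple[ipaddress.IPv4Network, ...]] = None  # None = from any
    dport: Optional[Tuple[int, ...]] = None       # None = any port
    quick: bool = False


def nets(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    return tuple(ipaddress.ip_network(c) for c in cidrs)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every constraint the rule states must hold; unstated ones match anything."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None:
        addr = ipaddress.ip_address(pkt.src)
        if not any(addr in net for net in rule.src):
            return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """Walk the ruleset top to bottom remembering the last match; a matching
    rule with `quick` ends evaluation immediately. With no match at all PF's
    default is to pass."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Interface name and port list as in the posted pf.conf.
EXT = "fxp1"
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
WEB_SERVICES = (80, 3000, 4567)


def ruleset(block_quick: bool):
    """The three posted rules that interact for inbound web traffic."""
    return [
        Rule("block"),                                             # block log all
        Rule("block", "in", EXT, src=RFC1918, quick=block_quick),  # block in on $ext from $RFC1918 to any
        Rule("pass", "in", EXT, "tcp", dport=WEB_SERVICES),        # pass in on $ext proto tcp ... port $web_services
    ]


# Constructed packets arriving on $ext: 10.1.2.3 is a private source that has
# no business on the external interface; 203.0.113.5 is a documentation address.
PACKETS = {
    "private_src_to_web": Packet("in", EXT, "tcp", "10.1.2.3", "198.51.100.10", 80),
    "internet_to_web": Packet("in", EXT, "tcp", "203.0.113.5", "198.51.100.10", 80),
    "private_src_to_ssh": Packet("in", EXT, "tcp", "10.1.2.3", "198.51.100.10", 22),
}


def verdicts(block_quick: bool) -> dict:
    rules = ruleset(block_quick)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for quick in (False, True):
        print(f"RFC1918 block rule with quick={quick}: {verdicts(quick)}")
```

Without `quick`, the later `pass in on $ext ... port $web_services` rule is the last match for a packet from 10.1.2.3 to port 80 and overrides the RFC1918 block; with `quick` the block is final. The port 22 packet is blocked either way because only `block log all` and the RFC1918 rule match it, and legitimate internet traffic to port 80 passes in both variants, so adding `quick` changes exactly the case the reviewers were worried about.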



Re: cvs is the project's VCS (Was: Re: Updating plus.html)

2011-11-07 Thread Philip Guenther
On Mon, Nov 7, 2011 at 5:37 PM, Steffen Daode Nurpmeso
 wrote:
...
> That is to say, to end this lengthy thing, i would have
> appreciated it if i would have found some URL to a trusted git
> clone on the official OpenBSD homepage at that time.
> Even if there would have been a note that the project itself has
> chosen to use cvs(1) and that git clones are unofficial.

"Here's a link to something that the project doesn't control, doesn't
use, and doesn't monitor."

Right, because no one will complain to the project when that's out of
date or backdoored.  "It's right there on your webpage!"  Anything
unofficial is strictly between you and the entity providing it, so why
would you trust that more than the result of a google search?


Philip Guenther



Re: cvs is the project's VCS (Was: Re: Updating plus.html)

2011-11-07 Thread Theo de Raadt
> Even if there would have been a note that the project itself has
> chosen to use cvs(1) and that git clones are unofficial.

wow, that's backwards.

if anything is official, we mention it.
if anything is not unofficial, we don't mention it.



cvs is the project's VCS (Was: Re: Updating plus.html)

2011-11-07 Thread Steffen Daode Nurpmeso
Stuart Henderson wrote [2011-11-07 9:47:53+0100]:
> the three public cvs->git imports of OpenBSD are separate efforts

I desperately searched for some OpenBSD git(1) repository and
couldn't find one, but remembered one post of yours and so
i ended up at anoncvs.estpak.ee, having no problem ever since.

I don't even like that program at all (yeah, *only* because i have
been "toggled off" the git mailing list, hm), i like the concept,
which git also implements, and in C.

I do (and even regular OpenBSD developers seem to) work with git
locally; being able to use topic branches, stashing data away,
cherry-picking changesets from different topics, being able to
look at some history without an internet connection) etc.
- these are tasks i've dreamed of in the past, maybe even wet.
Etc. etc. etc.

That is to say, to end this lengthy thing, i would have
appreciated it if i would have found some URL to a trusted git
clone on the official OpenBSD homepage at that time.
Even if there would have been a note that the project itself has
chosen to use cvs(1) and that git clones are unofficial.

--steffen



Re: small subnet with a carp an non-carp device

2011-11-07 Thread email
Ip forwarding? 

Sent via BlackBerry



-Original Message-

From: ML mail 
Sender: owner-misc@openbsd.org
Date: Mon, 7 Nov 2011 05:16:50 
To: misc@openbsd.org
Reply-To: ML mail 
Subject: small subnet with a carp and non-carp device

Hi,

I have a small subnet (/29) to which the carrier router and my firewall are 
connected. The firewall is an OpenBSD 5.0 amd64 firewall which uses the carrier 
router as default gateway and which has my own routable /24 network behind it. 
Now I have already configured my firewall for CARP but didn't add a second CARP 
firewall yet on that subnet. Now if on that very same subnet I plug in another 
device/laptop, I am unable to ping the carrier's router. For me this is totally 
weird, as I am able to ping my firewall and the firewall can also ping the 
carrier's router. So I was wondering if this might have something to do with my 
firewall using CARP on that subnet?

Looking at the arp table on that other device or laptop I have plugged in on 
that same subnet I see the following entry for the carrier's router (IP address 
masked out):

? (xxx.xxx.xxx.xxx) at (incomplete) on em0

So it looks like it is unable to get the hardware/MAC address of the carrier's 
router... but why? I can't explain it myself. Does anyone have an idea?

Regards,

ML




Re: vim and CTRL+] doesnt work

2011-11-07 Thread Christian Barthel
Thanks for answering but  the problem is already solved: I have used
the wrong ctags program (ctags from base) which is not working with vim.
The ctags from the ports (ectags) is working properly with vim. 



Re: Copy root partition to another machine

2011-11-07 Thread Raimo Niskanen
On Mon, Nov 07, 2011 at 04:03:37PM +0100, Otto Moerbeek wrote:
> On Mon, Nov 07, 2011 at 03:54:14PM +0100, Benny Lofgren wrote:
> 
> > On 2011-11-06 21.42, David Vasek wrote:
> > > On Sun, 6 Nov 2011, Benny Lofgren wrote:
> > >> On 2011-11-06 18.00, Bambero wrote:
> > >>> Thanks, but without skip=1 dd will copy partition table and mbr too
> > >>> (first block 521b).
> > >>> So it may damage my partition table on second machine. Am I wrong?
> > >>
> > >> No, you will not copy the partition table with your command, since
> > >> you are using wd0a. That partition starts after the boot sector(s)
> > >> and partition table, so what you're in fact doing is skipping the
> > >> first blocks of the file system that is on partition a of wd0. Which
> > >> you don't want to do. (If you had used wd0c on the other hand, you
> > >> would have gotten the disk partition metadata as well. But you don't
> > >> want that either.)
> > >>
> > [...]
> > > 
> > > Benny, with this you will overwrite the disklabel of whole target disk,
> > > as the disklabel in a typical case indeed resides at the beginning of
> > > the wd0a. See disklabel(5).
> > 
> > Ah, you are absolutely correct, thanks. Please ignore my previous advice!
> > 
> > (Except the part about seek= and skip= not operating on 512 byte block
> > sizes but on the block size set by bs=/ibs=/obs=, that one will bite
> > anyone not paying attention to detail.)
> > 
> > Sorry for spreading FUD. (Although I can't really seem to find this out
> > from just reading disklabel(5) (I did check prior to my last comment), but
> > then again my brain's English language center might very well be somewhat
> > deficient...)
> > 
> > The best bet is probably to either go the dump/restore route like someone
> > suggested or simply save the target disk's label to file using something
> > like "disklabel wd1 >/tmp/disklabel.wd1" and then restoring it after dd
> > with "disklabel -R wd1 /tmp/disklabel.wd1" (since the in-core copy of the
> > original disk label will keep the working layout, there is no risk involved
> > with temporarily overwriting the label as long as it is restored prior to
> > the new disk's partitions being used).
> 
> There's also /etc/daily, you can get some inspiration from the
> ROOTBACKUP part of it. 

Especially these lines:
sync
dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
conv=noerror
fsck -y /dev/r$rootbak
that looks very much like what triggered the OP's question.

Note: sync before, dd that skips the disklabel on a filesystem mounted read-write,
fsck -y after to fix inconsistencies due to that. Dirty but practical.

I am myself curious to know if the 16 sectors are unused by all
4.2BSD filesystem partitions or if this is true only for partition 'a'.
Also, what if 'a' is RAID, or if e.g. 'd' is the first used partition?

> 
>   -Otto
> 
> > 
> > 
> > Regards,
> > /Benny
> > 
> > -- 
> > internetlabbet.se / work:   +46 8 551 124 80  / "Words must
> > Benny Lofgren/  mobile: +46 70 718 11 90 /   be weighed,
> > /   fax:+46 8 551 124 89/not counted."
> >/email:  benny -at- internetlabbet.se

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
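The /etc/daily line Raimo quotes and Benny's caveat (in the quoted text above) both hinge on how dd(1) counts: `bs=16b` is 16 × 512 = 8192 bytes, and `skip=`/`seek=` are measured in those blocks, not in 512-byte sectors. The Python below is an added illustration, not code from the thread or from /etc/daily. It models dd's block arithmetic on two in-memory "partitions" (constructed sample data: an 8192-byte label area followed by 16 KiB of payload) and shows that `bs=16b seek=1 skip=1` leaves the target's first 16 sectors untouched while copying everything after them, and that the same `skip=1 seek=1` with a 64k block size jumps far past one sector's worth, as Benny warns.

```python
# Model of dd(1) block arithmetic for the ROOTBACKUP line quoted above.
# Added illustration with constructed data; not code from /etc/daily.

SECTOR = 512
SUFFIX = {"b": 512, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def dd_size(spec: str) -> int:
    """Parse a dd(1) size argument: '16b' (512-byte blocks), '64k', '1m',
    or a plain byte count."""
    spec = spec.strip().lower()
    if spec and spec[-1] in SUFFIX:
        return int(spec[:-1]) * SUFFIX[spec[-1]]
    return int(spec)


def dd_copy(src: bytes, dst: bytes, bs: int, skip: int = 0, seek: int = 0):
    """Copy src onto a copy of dst the way dd does: skip= drops `skip` input
    blocks of bs bytes, seek= leaves the first `seek` output blocks of bs
    bytes untouched. Both counts are in bs units, never in 512-byte sectors.
    Returns (bytes copied, resulting output image)."""
    out = bytearray(dst)
    in_off, out_off, copied = skip * bs, seek * bs, 0
    while in_off < len(src):
        chunk = src[in_off:in_off + bs]
        out[out_off:out_off + len(chunk)] = chunk
        copied += len(chunk)
        in_off += bs
        out_off += bs
    return copied, bytes(out)


LABEL_AREA = 16 * SECTOR   # the 16 sectors Raimo asks about: 8192 bytes


def make_disks():
    """Constructed sample partitions: an 8192-byte label area marked 'S'
    (source) or 'T' (target) followed by 16 KiB of filesystem payload."""
    payload = bytes(range(256)) * 64          # 16384 bytes of recognisable data
    src = b"S" * LABEL_AREA + payload
    dst = b"T" * LABEL_AREA + b"\x00" * len(payload)
    return src, dst


def root_backup(src: bytes, dst: bytes):
    """dd if=src of=dst bs=16b seek=1 skip=1, as in /etc/daily."""
    bs = dd_size("16b")                       # 8192 bytes
    return dd_copy(src, dst, bs, skip=1, seek=1)


def label_preserved(out: bytes, dst: bytes) -> bool:
    """True when the target's first 16 sectors survived the copy."""
    return out[:LABEL_AREA] == dst[:LABEL_AREA]


if __name__ == "__main__":
    src, dst = make_disks()
    n, out = root_backup(src, dst)
    print("bs=16b skip=1 seek=1: copied", n, "bytes; target label kept:",
          label_preserved(out, dst), "; payload copied:",
          out[LABEL_AREA:] == src[LABEL_AREA:])
    # Benny's caveat: with bs=64k, skip=1 jumps 65536 bytes, which is past the
    # end of this 24576-byte source, so nothing at all is copied.
    n2, _ = dd_copy(src, dst, dd_size("64k"), skip=1, seek=1)
    print("bs=64k skip=1 seek=1: copied", n2, "bytes")
```

The model deliberately stops at block arithmetic: it does not reproduce `conv=noerror`, the `sync` beforehand, or the `fsck -y` afterwards, which are what make the copy of a read-write mounted filesystem survivable in practice.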



Re: 5.0 vmt0 kernel panic in Linux KVM

2011-11-07 Thread Alexander Polakov
* Walter Haidinger  [07 14:15]:
> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 1
> bios0: ROM list: 0xc/0x9e00 0xca000/0xa00 0xcb000/0xa00 0xcc000/0x600 
> 0xcc800/0x2400
> vmt0 at mainbus0
> vmware: open failed, eax=564d5868, ecx=001e, edx=5658
> vmt0: failed to open backdoor RPC channel (TCLO protocol)
> kernel: protection fault trap, code=0
> Stopped at  k1x_init+0x56:  rdmsr
> k1x_init(d0ad7540,d09ae620,d0b8ce58,d059ce20,3002) at k1x_init+0x56

k1x_init() is not related to vmt, it is from k1x-pstate.c, which
is the CPU power state driver for K10 processors. 

I don't know of an easy way to disable it but recompiling the kernel
with this:

Index: sys/arch/i386/i386/machdep.c
===
RCS file: /cvs/src/sys/arch/i386/i386/machdep.c,v
retrieving revision 1.506
diff -u -p -r1.506 machdep.c
--- sys/arch/i386/i386/machdep.c2 Nov 2011 23:53:44 -   1.506
+++ sys/arch/i386/i386/machdep.c7 Nov 2011 15:04:49 -
@@ -1347,8 +1347,10 @@ amd_family6_setperf_setup(struct cpu_inf
k8_powernow_init();
break;
}
+#if 0
if (ci->ci_family >= 0x10)
k1x_init(ci);
+#endif
 }
 #endif
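Review bot: the #if 0 around the k1x_init(ci) call disables the K10 power-state driver for every family >= 0x10 CPU, not only under KVM, so a kernel built this way loses frequency scaling on bare-metal hardware as well; as a test to confirm that the rdmsr at k1x_init+0x56 in the trace is what faults it is fine, but a change meant to stay in the tree should keep the call and skip it only when the hypervisor does not provide the MSR (for example by checking the CPUID hypervisor-present bit before calling k1x_init()), and the #if 0 at least needs a comment saying why it is there.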
 

> mainbus_attach(0,d130bfc0,0,d09aafc0,0) at mainbus_attach+0xc1
> config_attach(0,d09aafc0,0,0,d0a1bc40) at config_attach+0x1bb
> config_rootfound(d08cde8c,0,0,d03d8b51,0) at config_rootfound+0x46
> cpu_configure(d0ad7540,1,1000,cff3f000,1) at cpu_configure+0x29
> main(d02004ba,d02004c2,0,0,0) at main+0x3ea
> ddb> 
 
-- 
Alexander Polakov | plhk.ru



Re: Copy root partition to another machine

2011-11-07 Thread Otto Moerbeek
On Mon, Nov 07, 2011 at 03:54:14PM +0100, Benny Lofgren wrote:

> On 2011-11-06 21.42, David Vasek wrote:
> > On Sun, 6 Nov 2011, Benny Lofgren wrote:
> >> On 2011-11-06 18.00, Bambero wrote:
> >>> Thanks, but without skip=1 dd will copy partition table and mbr too
> >>> (first block 521b).
> >>> So it may damage my partition table on second machine. I'm I wrong ?
> >>
> >> No, you will not copy the partition table with your command, since
> >> you are using wd0a. That partition starts after the boot sector(s)
> >> and partition table, so what you're in fact doing is skipping the
> >> first blocks of the file system that is on partition a of wd0. Which
> >> you don't want to do. (If you had used wd0c on the other hand, you
> >> would have gotten the disk partition metadata as well. But you don't
> >> want that either.)
> >>
> [...]
> > 
> > Benny, with this you will overwrite the disklabel of whole target disk,
> > as the disklabel in a typical case indeed resides at the beginning of
> > the wd0a. See disklabel(5).
> 
> Ah, you are absolutely correct, thanks. Please ignore my previous advice!
> 
> (Except the part about seek= and skip= not operating on 512 byte block
> sizes but on the block size set by bs=/ibs=/obs=, that one will bite
> anyone not paying attention to detail.)
> 
> Sorry for spreading FUD. (Although I can't really seem to find this out
> from just reading disklabel(5) (I did check prior to my last comment), but
> then again my brain's English language center might very well be somewhat
> deficient...)
> 
> The best bet is probably to either go the dump/restore route like someone
> suggested or simply save the target disk's label to file using something
> like "disklabel wd1 >/tmp/disklabel.wd1" and then restoring it after dd
> with "disklabel -R wd1 /tmp/disklabel.wd1" (since the in-core copy of the
> original disk label will keep the working layout, there is no risk involved
> with temporarily overwriting the label as long as it is restored prior to
> the new disk's partitions being used).

There's also /etc/daily, you can get some inspiration from the
ROOTBACKUP part of it. 

-Otto

> 
> 
> Regards,
> /Benny
> 
> -- 
> internetlabbet.se / work:   +46 8 551 124 80  / "Words must
> Benny Lofgren/  mobile: +46 70 718 11 90 /   be weighed,
> /   fax:+46 8 551 124 89/not counted."
>/email:  benny -at- internetlabbet.se



Re: Copy root partition to another machine

2011-11-07 Thread Benny Lofgren
On 2011-11-06 21.42, David Vasek wrote:
> On Sun, 6 Nov 2011, Benny Lofgren wrote:
>> On 2011-11-06 18.00, Bambero wrote:
>>> Thanks, but without skip=1 dd will copy partition table and mbr too
>>> (first block 521b).
>>> So it may damage my partition table on second machine. I'm I wrong ?
>>
>> No, you will not copy the partition table with your command, since
>> you are using wd0a. That partition starts after the boot sector(s)
>> and partition table, so what you're in fact doing is skipping the
>> first blocks of the file system that is on partition a of wd0. Which
>> you don't want to do. (If you had used wd0c on the other hand, you
>> would have gotten the disk partition metadata as well. But you don't
>> want that either.)
>>
[...]
> 
> Benny, with this you will overwrite the disklabel of whole target disk,
> as the disklabel in a typical case indeed resides at the beginning of
> the wd0a. See disklabel(5).

Ah, you are absolutely correct, thanks. Please ignore my previous advice!

(Except the part about seek= and skip= not operating on 512 byte block
sizes but on the block size set by bs=/ibs=/obs=, that one will bite
anyone not paying attention to detail.)

Sorry for spreading FUD. (Although I can't really seem to find this out
from just reading disklabel(5) (I did check prior to my last comment), but
then again my brain's English language center might very well be somewhat
deficient...)

The best bet is probably to either go the dump/restore route like someone
suggested or simply save the target disk's label to file using something
like "disklabel wd1 >/tmp/disklabel.wd1" and then restoring it after dd
with "disklabel -R wd1 /tmp/disklabel.wd1" (since the in-core copy of the
original disk label will keep the working layout, there is no risk involved
with temporarily overwriting the label as long as it is restored prior to
the new disk's partitions being used).


Regards,
/Benny

-- 
internetlabbet.se / work:   +46 8 551 124 80  / "Words must
Benny Lofgren/  mobile: +46 70 718 11 90 /   be weighed,
/   fax:+46 8 551 124 89/not counted."
   /email:  benny -at- internetlabbet.se



Re: 5.0 vmt0 kernel panic in Linux KVM

2011-11-07 Thread Walter Haidinger
Am 07.11.2011 15:34, schrieb Norman Golisz:
> I don't know either. But, you could try to disable the vmt(4) driver at
> boot. At the boot prompt, type "boot -c" to trigger the UKC. At the UKC 
> prompt,
> type "disable vmt". Then type "quit". If your system boots up without errors,
> you can preserve this setting by using config(8):

Thanks. Unfortunately I get a "protection fault trap" now.
Anything else to disable?

Walter

boot -c
booting hd0a:/bsd: 8192892+1088776 [61+367888+353319]=0x98a398
entry point at 0x200120

[ using 721684 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2011 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Phenom(tm) II X6 1100T Processor ("AuthenticAMD" 686-class, 512KB L2 
cache) 3.31 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,POPCNT
real mem  = 402178048 (383MB)
avail mem = 385548288 (367MB)
User Kernel Config
UKC> disable vmt
disable vmt
488 vmt0 disabled
UKC> quit
quit 
Continuing...
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xff046, SMBIOS 
rev. 2.4 @ 0x17fffef0 (10 entries)
bios0: vendor Bochs version "Bochs" date 01/01/2007
bios0: Bochs Bochs
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpihpet0 at acpi0: 1 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
mpbios0 at bios0: Intel MP Specification 1.4
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 1000MHz
mpbios0: bus 0 is type PCI
mpbios0: bus 1 is type ISA
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
bios0: ROM list: 0xc/0x9e00 0xca000/0xa00 0xcb000/0xa00 0xcc000/0x600 
0xcc800/0x2400
vmt at mainbus0 not configured
kernel: protection fault trap, code=0
Stopped at  k1x_init+0x56:  rdmsr
k1x_init(d0ad7540,d0b8ce58,d059ce20,0,3002) at k1x_init+0x56
mainbus_attach(0,d130bfc0,0,d09aafc0,0) at mainbus_attach+0xc1
config_attach(0,d09aafc0,0,0,d0a1bc40) at config_attach+0x1bb
config_rootfound(d08cde8c,0,0,d03d8b51,0) at config_rootfound+0x46
cpu_configure(d0ad7540,1,1000,cff3f000,1) at cpu_configure+0x29
main(d02004ba,d02004c2,0,0,0) at main+0x3ea
ddb> 



Re: 5.0 vmt0 kernel panic in Linux KVM

2011-11-07 Thread Norman Golisz
On Mon Nov  7 2011 11:10, Walter Haidinger wrote:
> Hi!
> 
> Trying to upgrade to 5.0 fails with a kernel panic
> (vmt0, see dmesg below). Previous 4.9 worked fine,
> also 5.0 bsd.rd boots (dmesg below too).
> 
> The VMware Tools driver seems to miss something -
> "vmt0: failed to open backdoor RPC channel (TCLO protocol)" -
> which is correct, as OpenBSD is _not_ run inside a VMware
> virtual machine but in a Linux KVM (Kernel 3.0.4,
> qemu-kvm 0.15.1).
> 
> Is this a known problem? Searching for vmt on misc@
> did not show anything. 

I don't know either. But, you could try to disable the vmt(4) driver at
boot. At the boot prompt, type "boot -c" to trigger the UKC. At the UKC prompt,
type "disable vmt". Then type "quit". If your system boots up without errors,
you can preserve this setting by using config(8):

sudo /usr/sbin/config -e -f /bsd

and typing "disable vmt" again. Save this by typing "quit".

Good luck,
Norman.



Re: small subnet with a carp an non-carp device

2011-11-07 Thread ML mail
Afaik, I don't need to have IP forwarding turned on on my laptop or other 
device connected to that subnet in order to ping the carrier's router which is 
located on that very same subnet.

Regards,
ML


- Original Message -
From: "em...@edylie.net" 
To: ML mail ; "misc@openbsd.org" 
Cc: 
Sent: Monday, November 7, 2011 2:40 PM
Subject: Re: small subnet with a carp an non-carp device

Ip forwarding? 
Sent via BlackBerry

-Original Message-
From: ML mail 
Sender: owner-misc@openbsd.org
Date: Mon, 7 Nov 2011 05:16:50 
To: misc@openbsd.org
Reply-To: ML mail 
Subject: small subnet with a carp an non-carp device

Hi,

I have a small subnet (/29) where the carrier router and my firewall is 
connected. The firewall is an OpenBSD 5.0 amd64 firewall which uses the carrier 
router as default gateway and which has my own routable /24 network behind it. 
Now I have already configured my firewall for CARP but didn't add a second CARP 
firewall yet on that subnet. Now if on that very same subnet I plug another 
device/laptop, I am unable to ping the carrier's router. For me this is totally 
weird, as I am able to ping my firewall and the firewall can also ping the 
carrier's router. So I was wondering if this might have something to do with my 
firewall using CARP on that subnet?

Looking at the arp table on that other device or laptop I have plugged in on 
that same subnet I see the following entry for the carrier's router (IP address 
masked out):

? (xxx.xxx.xxx.xxx) at (incomplete) on em0


So it looks like it is unable to get the hardware/MAC address of the carrier's 
router... but why? I can't explain it myself. Anyone has an idea?

Regards,

ML



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-07 Thread Kevin Chadwick
On Mon, 07 Nov 2011 21:53:20 +1100
"Rod Whitworth" wrote:

> as they all should.
  ^^^

His clock of course should be right but what's wrong with sorting by
Maildir number (occasional mis-order but guaranteed approximate
order/receipt order vs spammers or forged messages floating to the top)



small subnet with a carp an non-carp device

2011-11-07 Thread ML mail
Hi,

I have a small subnet (/29) where the carrier router and my firewall is 
connected. The firewall is an OpenBSD 5.0 amd64 firewall which uses the carrier 
router as default gateway and which has my own routable /24 network behind it. 
Now I have already configured my firewall for CARP but didn't add a second CARP 
firewall yet on that subnet. Now if on that very same subnet I plug another 
device/laptop, I am unable to ping the carrier's router. For me this is totally 
weird, as I am able to ping my firewall and the firewall can also ping the 
carrier's router. So I was wondering if this might have something to do with my 
firewall using CARP on that subnet?

Looking at the arp table on that other device or laptop I have plugged in on 
that same subnet I see the following entry for the carrier's router (IP address 
masked out):

? (xxx.xxx.xxx.xxx) at (incomplete) on em0


So it looks like it is unable to get the hardware/MAC address of the carrier's 
router... but why? I can't explain it myself. Anyone has an idea?

Regards,

ML



Re: ping: Could only allocate a receive buffer of 8191 bytes (default 65535)

2011-11-07 Thread Robert
Christiano F. Haesbaert  openbsd.org> writes:

> 
> He fixed it by increasing kern.maxclusters.

Thanks for including the solution, it helped me out!



misc-We request authorization to send a training program in Management Control for Non-Specialists-himntk

2011-11-07 Thread Capacitacion
Dear misc

With our highest regards.

We hereby request your authorization to send you our professional
training program.
In this case, the course we have organized is: Management Control for
Non-Specialists, aimed at people who, because of their duties or
activities, need to acquire knowledge of Economic and Financial
Planning, Budgets, Management Accounting and Financial Indicators.
The activity is oriented to people who are not specialists in this
subject; basic use of Excel is advisable but not required.
It is taught in Microcentro, Ciudad Autónoma de Buenos Aires, Argentina, on
22, 24 and 29 November and 1 December from 18:15 to
22:15.
If you wish to authorize us to send it, please do NOT reply to this
mail, since the address used is for outgoing mail only.
Write us an e-mail at: cgestion01(arroba)gmail(punto)com

Thank you very much in advance

Sincerely

Docencia
Ciencias Económicas
Buenos Aires - Argentina

4733-1885
34Docencia34
misc@openbsd.org



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-07 Thread Rod Whitworth
On Thu, 03 Nov 2011 03:16:52 +0330, Gholam Mostafa Faridi wrote:

>> Gholam Mostafa Faridi  writes:

Fix your clock. You are several days slow and it fux up mailers that
sort by date/time as they all should.
OpenBSD has ntpd to do it for you.


R/

Rod/

"Write a wise saying and your name will live on forever."  - Anonymous



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-07 Thread Gholam Mostafa Faridi

On 11/07/2011 02:47 AM, Peter N. M. Hansteen wrote:

Gholam Mostafa Faridi  writes:


In the workplace, we have over 24 computers and all of them are Windows,
and I have a NAT server. This NAT server uses FreeBSD 8.2 AMD64, and
I use PF for NAT with FreeBSD 8.2. After much searching in Google, I
found this pf.conf

FreeBSD 8's PF uses the old NAT and scrub syntax, so you will have to
change those.


This block is superfluous (assuming you do not actually tweak, only
stating defaults)


### OPTIONS

#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 1, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound
#Filter traffic for unusual packets
scrub in all

match in all (no-df max-mss 1440) # or whatever fits your setup


#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any ->  $SERVER

nat pass on $ext_if from $paltalk1 to any ->  $NAT1

all of these would be in the new syntax something like

pass on $ext_if from $theonething nat-to $NATtheother

or you could rewrite to use match rules.

- Peter


thanks
all guys.
So I must change my pf.conf like this

%%%

cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $

# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

# MACROS



ext_if  = "sk0"
int_if  = "re0"
External_net= "10.10.10.192/27"
Local_net   = "192.168.0.0/24"
Local_Web   = "192.168.0.10"
Local_Srv   = "192.168.0.1"
Prtcol  = "{ tcp, udp }"
Admin_IP= "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types  = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"

#UDP_SRV = "{ 53 }"
TCP_SRV = "{ 80, 443 }"
UDP_SRV = "{ }"
Samba_TCP   = "{ 139, 445 }"
Samba_UDP   = "{ 137, 138 }"


SERVER  = "10.10.10.200"
NAT1= "10.10.10.194"
NAT2= "10.10.10.195"
NAT3= "10.10.10.196"
NAT4= "10.10.10.197"
NAT5= "10.10.10.198"
NAT6= "10.10.10.199"
NAT7= "10.10.10.201"
NAT8= "10.10.10.202"
NAT9= "10.10.10.203"
NAT10   = "10.10.10.204"
NAT11   = "10.10.10.205"
NAT12   = "10.10.10.206"
NAT13   = "10.10.10.207"
NAT14   = "10.10.10.208"
NAT15   = "10.10.10.209"
NAT16   = "10.10.10.210"
NAT17   = "10.10.10.211"
NAT18   = "10.10.10.212"
NAT19   = "10.10.10.213"
NAT20   = "10.10.10.214"
NAT21   = "10.10.10.215"
NAT22   = "10.10.10.216"
NAT23   = "10.10.10.217"
NAT24   = "10.10.10.218"
NAT25   = "10.10.10.219"

# All IPs of groups which can connect to the Internet
paltalk1= "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2= "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3= "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"

webdsgn1= "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2= "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3= "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4= "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5= "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6= "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7= "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8= "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"

rased1  = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2  = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3  = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4  = "{ 192.168.0.69, 192.168.0.70 }"
rased5  = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6  = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7  = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8  = "{ 192.168.0.218, 
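The conversion Peter describes (old "nat ... ->" and "scrub" lines into the match/nat-to syntax of OpenBSD 5.0) is mechanical enough for the posted ruleset that it can be done with a short sed pass. The following is an added example, not code from the thread or from pfctl: it rewrites the nat and scrub lines, leaves the "set" lines (set skip on lo0, set loginterface $ext_if) alone, and reports how many legacy lines remain. Assumptions, all mine: NAT rules become "pass out ... nat-to", with the "out" direction added because the old nat rule only ever translated packets leaving $ext_if; "scrub in all" becomes a match rule carrying the no-df/max-mss 1440 options mentioned in the thread; rdr and binat lines, which the posted ruleset does not contain, are only flagged for hand conversion. The macro names in the sample are the ones from the posted pf.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: rewrite the pre-4.7 "nat ... ->" and
# "scrub" lines of a FreeBSD 8 pf.conf into the OpenBSD 5.0 match/nat-to form.
# Assumed: "pass out ... nat-to" for nat rules, max-mss 1440 for the scrub options,
# and rdr/binat lines only flagged, not rewritten.

# convert_pf_legacy: old-syntax pf.conf on stdin, new-syntax on stdout.
# "set" lines pass through unchanged; commented-out rules (leading #) never match.
convert_pf_legacy() {
    sed -e 's/[[:space:]]*$//' \
        -e 's/^nat pass on \(.*\) ->[[:space:]]*\(.*\)$/pass out on \1 nat-to \2/' \
        -e 's/^nat on \(.*\) ->[[:space:]]*\(.*\)$/match out on \1 nat-to \2/' \
        -e 's/^scrub in all$/match in all scrub (no-df max-mss 1440)/' \
        -e 's/^rdr /# FIXME legacy syntax, rewrite by hand: &/' \
        -e 's/^binat /# FIXME legacy syntax, rewrite by hand: &/'
}

# legacy_pf_count: number of lines on stdin that still begin with a removed keyword;
# run it on the converted output before handing the file to pfctl
legacy_pf_count() {
    grep -cE '^(nat|rdr|binat|scrub) ' || true
}

# sample_legacy_pf: the relevant lines of the FreeBSD 8.2 ruleset posted in the thread
# (constructed sample input; macro names as in the post)
sample_legacy_pf() {
    cat <<'EOF'
ext_if = "sk0"
set skip on lo0
set loginterface $ext_if
scrub in all
#nat pass on $ext_if from $Local_net to any ->  $SERVER
nat pass on $ext_if from $paltalk1 to any ->  $NAT1
nat pass on $ext_if from $paltalk2 to any ->  $NAT2
EOF
}

# print the converted ruleset, then how many legacy lines are left (expected: 0)
sample_legacy_pf | convert_pf_legacy
printf 'legacy lines remaining: %s\n' \
    "$(sample_legacy_pf | convert_pf_legacy | legacy_pf_count)"
```

Check the result with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f`. The sed pass only handles the rule shapes that actually occur in the posted file; anything it flags with FIXME, and the question of whether a given "pass out ... nat-to" should rather be a "match out ... nat-to" followed by explicit pass rules, still needs a human who knows what the firewall is supposed to do.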

Re: 5.0 vmt0 kernel panic in Linux KVM

2011-11-07 Thread Kapetanakis Giannis

On 07/11/11 12:10, Walter Haidinger wrote:

Hi!

Trying to upgrade to 5.0 fails with a kernel panic
(vmt0, see dmesg below). Previous 4.9 worked fine,
also 5.0 bsd.rd boots (dmesg below too).

The VMware Tools driver seems to miss something -
"vmt0: failed to open backdoor RPC channel (TCLO protocol)" -
which is correct, as OpenBSD is _not_ run inside a VMware
virtual machine but in a Linux KVM (Kernel 3.0.4,
qemu-kvm 0.15.1).

Is this a known problem? Searching for vmt on misc@
did not show anything.

Below is the dmesg output, captured via a virtual
serial device.

Regards,
Walter



This might be relevant. At least this is what I do with 4.9
http://marc.info/?l=openbsd-misc&m=126073393528435&w=2

Giannis



5.0 vmt0 kernel panic in Linux KVM

2011-11-07 Thread Walter Haidinger
Hi!

Trying to upgrade to 5.0 fails with a kernel panic
(vmt0, see dmesg below). Previous 4.9 worked fine,
also 5.0 bsd.rd boots (dmesg below too).

The VMware Tools driver seems to miss something -
"vmt0: failed to open backdoor RPC channel (TCLO protocol)" -
which is correct, as OpenBSD is _not_ run inside a VMware
virtual machine but in a Linux KVM (Kernel 3.0.4,
qemu-kvm 0.15.1).

Is this a known problem? Searching for vmt on misc@
did not show anything. 

Below is the dmesg output, captured via a virtual 
serial device.

Regards,
Walter

dmesg of failed boot of GENERIC 5.0 (i386):

booting hd0a:/bsd: 8192892+1088776 [61+367888+353319]=0x98a398
entry point at 0x200120

[ using 721684 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2011 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Phenom(tm) II X6 1100T Processor ("AuthenticAMD" 686-class, 512KB L2 
cache) 3.31 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,POPCNT
real mem  = 402178048 (383MB)
avail mem = 385548288 (367MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xff046, SMBIOS 
rev. 2.4 @ 0x17fffef0 (10 entries)
bios0: vendor Bochs version "Bochs" date 01/01/2007
bios0: Bochs Bochs
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpihpet0 at acpi0: 1 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
mpbios0 at bios0: Intel MP Specification 1.4
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 1000MHz
mpbios0: bus 0 is type PCI
mpbios0: bus 1 is type ISA
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
bios0: ROM list: 0xc/0x9e00 0xca000/0xa00 0xcb000/0xa00 0xcc000/0x600 
0xcc800/0x2400
vmt0 at mainbus0
vmware: open failed, eax=564d5868, ecx=001e, edx=5658
vmt0: failed to open backdoor RPC channel (TCLO protocol)
kernel: protection fault trap, code=0
Stopped at  k1x_init+0x56:  rdmsr
k1x_init(d0ad7540,d09ae620,d0b8ce58,d059ce20,3002) at k1x_init+0x56
mainbus_attach(0,d130bfc0,0,d09aafc0,0) at mainbus_attach+0xc1
config_attach(0,d09aafc0,0,0,d0a1bc40) at config_attach+0x1bb
config_rootfound(d08cde8c,0,0,d03d8b51,0) at config_rootfound+0x46
cpu_configure(d0ad7540,1,1000,cff3f000,1) at cpu_configure+0x29
main(d02004ba,d02004c2,0,0,0) at main+0x3ea
ddb> 


dmesg of successful boot of RAMDISK_CD 5.0 (i386),
just as a system configuration reference.

booting hd0a:bsd.rd: 5961320+946088 [61+228000+215962]=0x702e28
entry point at 0x200120

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2011 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.0 (RAMDISK_CD) #36: Wed Aug 17 10:27:31 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: AMD Phenom(tm) II X6 1100T Processor ("AuthenticAMD" 686-class, 512KB L2 
cache) 3.31 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,POPCNT
real mem  = 402178048 (383MB)
avail mem = 388599808 (370MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xff046, SMBIOS 
rev. 2.4 @ 0x17fffef0 (10 entries)
bios0: vendor Bochs version "Bochs" date 01/01/2007
bios0: Bochs Bochs
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HPET
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpiprt0 at acpi0: bus 0 (PCI0)  
mpbios at bios0 function 0x0 not configured
bios0: ROM list: 0xc/0x9e00 0xca000/0xa00 0xcb000/0xa00 0xcc000/0x600 
0xcc800/0x2400
cpu0 at mainbus0: (uniprocessor) 
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 12288MB, 25165824 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: irq 11
"Intel 82371AB Power" rev 0x03 at pci0 dev 1 function 3 not configured
vga1 at pci0 dev 2 function 0 unknown vendor 0x1234 product 0x rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt1

Are LRO and GRO configurable under OpenBSD 5.0?

2011-11-07 Thread carlopmart

Hi all,

 Maybe it is a stupid question, but I didn't find an answer ... can I 
configure LRO (Large Receive Offload) and GRO (Generic Receive Offload) 
params under OpenBSD like ethtool does in the Linux world?


Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Updating plus.html

2011-11-07 Thread Stuart Henderson
On 2011-11-04, Steffen Daode Nurpmeso  wrote:
> But it turns out that the two repos only have three heads in common:
> BOOTBLOCKS, BRIAN and graichen (from the 19-hundreds).

the three public cvs->git imports of OpenBSD are separate efforts
(and at least the github one is done with a different conversion
tool), so don't switch between them for a single tree.



Your PayLife card has been limited for security reasons.

2011-11-07 Thread PayLife Bank GmbH Sicherheitshinweis
Dear PayLife Bank members,

Your PayLife card has been limited for security reasons.
We believe that someone is using your card for fraudulent 
purposes.
To remove the restriction and secure your card, please download 
the attached form and follow the steps.

If you have not completed all the steps, your card will be 
permanently blocked.

We regret the inconvenience,
PayLife Bank GmbH
Postfach 574, 1011 Wien

[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a 
name of PayLife_Bank.19196DEFANGED-html]



Re: The keyboard doesn't work in X after the most recent update

2011-11-07 Thread Stuart Henderson
On 2011-11-05, Norman Golisz  wrote:
> On Sat Nov  5 2011 22:39, tkdchen wrote:
>> Hi all,
>> 
>> My keyboard does not work in fvwm, GNOME or KDE after the most recent
>> update. No key response except the Fn+brightness-up and down.
>> I run 5.0-current on Thinkpad x201i. Thanks a lot for your help.
>
> This is a known bug in xkb. As suggested on tech@:
>
> _symbols_dir=/usr/X11R6/share/X11/xkb/symbols/srvr_ctrl/srvr_ctrl
> mv ${_symbols_dir}/srvr_ctrl ${_symbols_dir}/_srvr_ctrl 
> mv ${_symbols_dir}/_srvr_ctrl/srvr_ctrl ${_symbols_dir} 
> rmdir ${_symbols_dir}/_srvr_ctrl 

As also suggested on tech@, the file you are mv'ing here is not the
right version. You should remove the directory and reinstall xshare50.tgz.
The simplest way on a system where you have console access is to boot
the install kernel and select 'upgrade'.



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-07 Thread Stuart Henderson
On 2011-11-06, Peter N. M. Hansteen  wrote:
> This block is superfluous (assuming you do not actually tweak, only
> stating defaults)

most of it, yes, but this could be important

>> set skip on lo0

this may be wanted too

>> set loginterface $ext_if