Re: OpenBSD ipsec gateway behind a router

2011-11-14 Thread Stuart Henderson
This basically works, but there are incompatibilities between NAT-T in OpenBSD
and that from certain vendors, notably Cisco.


On 2011-11-13, Mik J mikyde...@yahoo.fr wrote:
 Hello,

 I would like to know if such a configuration is possible.

 LAN1 (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)

 As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical interface.
 When it wants to access the internet, its address 192.168.10.99 is NATed to IPx, and that's
 how the IPSec_GW (Vendor) sees the source packets.

 It's not really important now whether other machines on LAN1 can ping machines on LAN2. For
 now I would like the OpenBSD box to be able to ping machines on LAN2.

 I have searched for examples on the internet for this particular case, because the OpenBSD
 box is behind a NAT router, and I haven't found the proper way to do this. I don't even know
 if it's possible. I know some kind of nat-t should be used, though.

 Does anyone have this configuration in place?

 Thanks



spamd-setup in crontab

2011-11-14 Thread Manuel Giraud
Hi,

I've just set up a mail server with 5.0. I have put spamd in front (in
default greylisting mode). It works great following the man pages but
when I activate the spamd-setup entry in root's crontab, I receive the
following error by mail:

spamd-setup: ftp: Could not add blacklist uatrapsWriting -: : Illegal seek
Broken pipe

If I call spamd-setup as root I have no error message. (Note: I've used
the default /etc/mail/spamd.conf file.) How can I sort this out?
-- 
Manuel Giraud



Re: spamd-setup in crontab

2011-11-14 Thread Comète
Same error message for a week now on an old 4.6 install, but I haven't
found the origin yet...


On 14/11/2011 10:13, Manuel Giraud wrote:

Hi,

I've just set up a mail server with 5.0. I have put spamd in front (in
default greylisting mode). It works great following the man pages but
when I activate the spamd-setup entry in root's crontab, I receive the
following error by mail:

spamd-setup: ftp: Could not add blacklist uatrapsWriting -: : Illegal seek
Broken pipe

 If I call spamd-setup as root I have no error message. (Note: I've used
 the default /etc/mail/spamd.conf file.) How can I sort this out?




Re: Burning DVDs

2011-11-14 Thread John Tate
This has no 'make install' for some odd reason. I clearly should
become a packager.

On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey
richardtoo...@paradise.net.nz wrote:
 On 14/11/2011, at 6:13 PM, John Tate wrote:

 Device seems to be: Generic mmc2 DVD-R/DVD-RW.

 cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support 
 code.
 cdrecord: If you need DVD-R/DVD-RW support, ask the Author for 
 cdrecord-ProDVD.
 cdrecord: Free test versions and free keys for personal use are at
 ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

 Apparently this support code has been in cdrtools since 2009, the site
 it tells me to go to tells me I don't need it. It's like bureaucracy,
 lol.

 I could build their cdrtools, but the port must be ancient or something.

 Perhaps I could become a packager. Another port, gtk-gnutella, isn't
 even worth having if it's not maintained.

 John Tate.


 http://openports.se/sysutils/dvd+rw-tools

 http://openports.se/search.php?so=dvd

 --
 www.johntate.org






-- 
www.johntate.org



Re: Burning DVDs

2011-11-14 Thread Rod Whitworth
On Mon, 14 Nov 2011 22:07:06 +1100, John Tate wrote:

This has no 'make install' for some odd reason. I clearly should
become a packager.

I don't see that happening soon given your confused posts here.
It seems to be about time you did some learning.
Packages are provided and are installed by using pkg_add(1). They are
pre-compiled and packaged for you.
You don't need make install unless you are compiling ports and raw
beginners are advised to use packages not ports.
In fact the only people who should be compiling ports are those who are
1) competent in the art, 2) are doing it to test patches or upgrades
reported by maintainers or 3) have the skills in (1) and need to
upgrade to a published port for some technical reason and who know how
to make sure that their kernel and userland are recent enough to match
the new port version.


On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey
richardtoo...@paradise.net.nz wrote:
 On 14/11/2011, at 6:13 PM, John Tate wrote:

 Device seems to be: Generic mmc2 DVD-R/DVD-RW.

 cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support 
 code.
 cdrecord: If you need DVD-R/DVD-RW support, ask the Author for 
 cdrecord-ProDVD.
 cdrecord: Free test versions and free keys for personal use are at
 ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

 Apparently this support code has been in cdrtools since 2009, the site
 it tells me to go to tells me I don't need it. It's like bureaucracy,
 lol.

 I could build their cdrtools, but the port must be ancient or something.

 Perhaps I could become a packager. Another port, gtk-gnutella, isn't
 even worth having if it's not maintained.

 John Tate.


 http://openports.se/sysutils/dvd+rw-tools

 http://openports.se/search.php?so=dvd


*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: OpenBSD ipsec gateway behind a router

2011-11-14 Thread Mentesan
Hi :)

I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central
office) and 4.9 (branch office).
With the following setup I can bring the tunnel up, but the networks can't
talk to each other:

Central ipsec.conf
-
ike passive esp tunnel from 10.20.0.0/16 to any \
srcid matriz.domain.com.br \
psk testefilial


Branch ipsec.conf
-
matriz_net = 10.20.0.0/16
matriz_gw = 178.9.35.10
filial_net =  10.10.11.0/24

ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
srcid filial.domain.com.br \
dstid matriz.domain.com.br \
psk testefilial
---

# ipsecctl -sa
FLOWS:
flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
matriz.gruponp.com.br dstid filial.gruponp.com.br type use
flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
matriz.gruponp.com.br dstid filial.gruponp.com.br type require

SAD:
esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256
enc aes
esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256
enc aes

---

# route -n show -encap
Routing tables

Encap:
Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
10.10.11/24   0     10.20/16      0     0      185.53.27.23/esp/use/in
10.20/16      0     10.10.11/24   0     0      185.53.27.23/esp/require/out


Fabio Almeida

On 13/11/2011, at 12:06, Mik J wrote:

 Hello,

 I would like to know if such a configuration is possible.

 LAN1 (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)

 As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical interface.
 When it wants to access the internet, its address 192.168.10.99 is NATed to IPx, and that's
 how the IPSec_GW (Vendor) sees the source packets.

 It's not really important now whether other machines on LAN1 can ping machines on LAN2. For
 now I would like the OpenBSD box to be able to ping machines on LAN2.

 I have searched for examples on the internet for this particular case, because the OpenBSD
 box is behind a NAT router, and I haven't found the proper way to do this. I don't even know
 if it's possible. I know some kind of nat-t should be used, though.

 Does anyone have this configuration in place?

 Thanks

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: OpenBSD ipsec gateway behind a router

2011-11-14 Thread Joosep
On Mon, Nov 14, 2011 at 2:00 PM, Mentesan mente...@gmail.com wrote:

 Hi :)

 I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4
 (central
 office) and 4.9 (branch office).
 With the following setup I can bring the tunnel up, but the networks can't
 talk to each other:

 Central ipsec.conf
 -
 ike passive esp tunnel from 10.20.0.0/16 to any \
srcid matriz.domain.com.br \
psk testefilial
 

 Branch ipsec.conf
 -
 matriz_net = 10.20.0.0/16
 matriz_gw = 178.9.35.10
 filial_net =  10.10.11.0/24

 ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
srcid filial.domain.com.br \
dstid matriz.domain.com.br \
psk testefilial
 ---

 # ipsecctl -sa
 FLOWS:
 flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
 matriz.gruponp.com.br dstid filial.gruponp.com.br type use
 flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
 matriz.gruponp.com.br dstid filial.gruponp.com.br type require

 SAD:
 esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth
 hmac-sha2-256
 enc aes
 esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth
 hmac-sha2-256
 enc aes

 ---

 # route -n show -encap
 Routing tables

 Encap:
 Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
 10.10.11/24   0     10.20/16      0     0      185.53.27.23/esp/use/in
 10.20/16      0     10.10.11/24   0     0      185.53.27.23/esp/require/out


 Fabio Almeida

 On 13/11/2011, at 12:06, Mik J wrote:

  Hello,
 
  I would like to know if such a configuration is possible.
 
  LAN1 (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)
 
  As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical interface.
  When it wants to access the internet, its address 192.168.10.99 is NATed to IPx, and that's
  how the IPSec_GW (Vendor) sees the source packets.
 
  It's not really important now whether other machines on LAN1 can ping machines on LAN2. For
  now I would like the OpenBSD box to be able to ping machines on LAN2.
 
  I have searched for examples on the internet for this particular case, because the OpenBSD
  box is behind a NAT router, and I haven't found the proper way to do this. I don't even know
  if it's possible. I know some kind of nat-t should be used, though.
 
  Does anyone have this configuration in place?
 
  Thanks

 [demime 1.01d removed an attachment of type application/pgp-signature
 which had a name of signature.asc]


Hi!

I think the problem in your case is the HMAC-SHA2 incompatibility between
releases before 4.7 and 4.7 and later. Please check this link:
http://www.openbsd.org/faq/upgrade47.html#hmac-sha2

regards,
Joosep

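For Fabio's 4.4/4.9 pair and the FAQ entry Joosep points to, here is an added example (not code from the thread or from OpenBSD) that models the failure mode: OpenBSD before 4.7 truncated the hmac-sha2-256 ICV to 96 bits, 4.7 and later use the RFC 4868 length of 128 bits, and IKE only negotiates the algorithm name, so both SAs come up while every ESP packet fails the other side's integrity check. The auth key, payload and sequence number are constructed for the demo; the SPI is the one from the posted SAD.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: why an ESP SA that IKE negotiated
cleanly passes no traffic when the peers disagree on HMAC-SHA-256 truncation.
Encryption is left out because it plays no part in the mismatch."""
import hashlib
import hmac
import struct

ICV_BITS_PRE47 = 96       # OpenBSD < 4.7: 96-bit truncation
ICV_BITS_RFC4868 = 128    # OpenBSD >= 4.7 and RFC 4868: 128 bits for SHA-256

ESP_HDR = struct.Struct("!II")   # SPI, sequence number


def esp_protect(auth_key: bytes, spi: int, seq: int, payload: bytes,
                icv_bits: int) -> bytes:
    """Sender: SPI || seq || payload || ICV, where the ICV is HMAC-SHA-256
    over everything before it, truncated to icv_bits."""
    authenticated = ESP_HDR.pack(spi, seq) + payload
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()
    return authenticated + icv[: icv_bits // 8]


def esp_verify(auth_key: bytes, packet: bytes, icv_bits: int) -> bool:
    """Receiver: peel off as many trailing bytes as *this* peer's truncation
    says the ICV has, recompute over the rest and compare in constant time.
    A peer with a different truncation authenticates a different byte range
    and compares a different-length tag, so the check always fails."""
    n = icv_bits // 8
    if len(packet) <= ESP_HDR.size + n:
        return False
    body, received = packet[:-n], packet[-n:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:n]
    return hmac.compare_digest(received, expected)


def tunnel_passes(sender_bits: int, receiver_bits: int) -> bool:
    """Does one ESP packet from a peer using sender_bits survive a peer
    using receiver_bits? Both hold the same negotiated auth key."""
    auth_key = b"constructed-demo-sa-auth-key"              # not a real SA key
    payload = b"ICMP echo request 10.10.11.1 -> 10.20.0.1"  # constructed
    pkt = esp_protect(auth_key, 0x59F8B098, 1, payload, sender_bits)
    return esp_verify(auth_key, pkt, receiver_bits)


if __name__ == "__main__":
    cases = [("4.9 -> 4.9", ICV_BITS_RFC4868, ICV_BITS_RFC4868),
             ("4.4 -> 4.4", ICV_BITS_PRE47, ICV_BITS_PRE47),
             ("4.9 -> 4.4", ICV_BITS_RFC4868, ICV_BITS_PRE47),
             ("4.4 -> 4.9", ICV_BITS_PRE47, ICV_BITS_RFC4868)]
    for name, s, r in cases:
        state = "passes" if tunnel_passes(s, r) else "ICV mismatch, dropped"
        print(f"{name}: {state}")
```

The two mixed-release rows come out as dropped packets while IKE, which only agreed on the name "hmac-sha2-256", reported both SAs as established, which is the "tunnel is up but the networks can't talk" symptom above. The way out is to run both ends on 4.7 or later, or, until the 4.4 box is upgraded, to select an algorithm both releases implement identically (hmac-sha1, for instance) in ipsec.conf.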


Re: spamd-setup in crontab

2011-11-14 Thread James J. Lippard
I had the same problem, which I worked around by changing my
spamd.conf to use a local file instead of FTP, and downloading the
traplist.gz file in my daily.local.

That is, my spamd.conf now looks like this:

uatraps:\
:black:\
:msg=Your address %A has sent mail to a ualberta.ca spamtrap\n\
within the last 24 hours:\
:method=file:\
:file=/etc/mail/traplist.gz:

And my daily.local now has this:

echo Getting traplist.gz.
/usr/bin/ftp -o /etc/mail/traplist.gz http://www.openbsd.org/spamd/traplist.gz

-- 
Jim Lippardlippard-open...@discord.org   http://www.discord.org/
GPG Key ID: 0xF8D42CFE

On Mon, Nov 14, 2011 at 11:43:13AM +0100, Com??te wrote:
 Same error message since one week on an old 4.6 install. But i didn't 
 find the origin yet...
 
 On 14/11/2011 10:13, Manuel Giraud wrote:
 Hi,
 
 I've just set up a mail server with 5.0. I have put spamd in front (in
 default greylisting mode). It works great following the man pages but
 when I activate the spamd-setup entry in root's crontab, I receive the
 following error by mail:
 
 spamd-setup: ftp: Could not add blacklist uatrapsWriting -: : Illegal seek
 Broken pipe
 
 If I call spamd-setup as root I have no error message. (Note: I've used
 the default /etc/mail/spamd.conf file.) How can I sort this out?

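Jim's workaround pulls the list with a bare `ftp -o` straight into /etc/mail/traplist.gz, so a truncated download or an HTML error page replaces the previous good copy before anything has looked at it. Here is an added example (not code from the thread) that does the same fetch from daily.local but validates what arrived before installing it: the file must be an intact gzip stream whose lines are addresses or CIDR blocks, the format spamd-setup reads, and it is renamed over the old list only then. The URL and destination are Jim's; the list entries used in the self-test are constructed.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: fetch the uatraps list into a temp
file, validate it, and only then atomically replace the live copy."""
import gzip
import ipaddress
import os
import shutil
import sys
import tempfile
import urllib.request

TRAPLIST_URL = "http://www.openbsd.org/spamd/traplist.gz"
TRAPLIST_DST = "/etc/mail/traplist.gz"


def count_entries(path: str) -> int:
    """Return how many address/CIDR entries a gzip'd list holds.
    Raises OSError/EOFError for a corrupt or truncated gzip stream and
    ValueError for a line that is not an address or network."""
    entries = 0
    with gzip.open(path, "rt", encoding="ascii") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()   # spamd-setup allows comments
            if not line:
                continue
            try:
                ipaddress.ip_network(line, strict=False)
            except ValueError:
                raise ValueError(
                    f"line {lineno}: not an address or CIDR: {line!r}") from None
            entries += 1
    return entries


def install_traplist(src: str, dst: str, minimum: int = 1):
    """Validate src and rename it over dst atomically. Returns the entry count
    on success; on any failure removes src, leaves dst untouched and returns
    None after reporting on stderr (which cron mails to root)."""
    try:
        entries = count_entries(src)
        if entries < minimum:
            raise ValueError(f"only {entries} entries, expected at least {minimum}")
    except (OSError, EOFError, ValueError) as exc:
        print(f"traplist rejected: {exc}", file=sys.stderr)
        os.unlink(src)
        return None
    os.chmod(src, 0o644)      # mkstemp creates the file 0600
    os.replace(src, dst)      # atomic when src and dst share a filesystem
    return entries


def fetch_traplist(url: str = TRAPLIST_URL, dst: str = TRAPLIST_DST):
    """Download url into a temp file beside dst and hand it to install_traplist."""
    fd, tmp = tempfile.mkstemp(prefix=".traplist.", dir=os.path.dirname(dst))
    try:
        with os.fdopen(fd, "wb") as out, \
                urllib.request.urlopen(url, timeout=60) as resp:
            shutil.copyfileobj(resp, out)
    except Exception as exc:
        print(f"traplist download failed: {exc}", file=sys.stderr)
        if os.path.exists(tmp):
            os.unlink(tmp)
        return None
    return install_traplist(tmp, dst)


if __name__ == "__main__":
    sys.exit(0 if fetch_traplist() else 1)
```

Called from daily.local in place of the ftp line, a failed run leaves the previous traplist.gz in service and produces a one-line complaint in the daily mail instead of the "Illegal seek / Broken pipe" noise.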


ipsec.conf macros

2011-11-14 Thread Jakob Alvermark
Hello!

In transitioning from isakmpd.conf to ipsec.conf I want to make the
configuration file simple and readable by using macros.
However, it seems like I cannot make use of macros in the way that I want.
Example:
host_a=192.168.1.1
host_b=192.168.2.2
host_list={ $host_a $host_b }
host_a_copy=$host_a
list_copy=$host_list

Gives errors:
# ipsecctl -vnf ipsec_hosts.conf
ipsec_hosts.conf: 5: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
host_a = 192.168.1.1
host_b = 192.168.2.2
host_list = { 192.168.1.1 192.168.2.2 }
host_a_copy = 192.168.1.1

It gives me even more problems when I use macros with lists of networks:
network_a=192.168.1.0/24
network_b=192.168.2.0/24
network_a_copy=$network_a
network_list={ 192.168.1.0/24 192.168.2.0/24 }
network_list_copy=$network_list
network_list_1={ $network_a $network_b }
network_list_1_copy=$network_list_1

# ipsecctl -vnf ipsec_networks.conf
ipsec_networks.conf: 3: syntax error
ipsec_networks.conf: 5: syntax error
ipsec_networks.conf: 6: syntax error
ipsec_networks.conf: 7: macro 'network_list_1' not defined
ipsec_networks.conf: 7: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
network_a = 192.168.1.0/24
network_b = 192.168.2.0/24
network_list = { 192.168.1.0/24 192.168.2.0/24 }

Is it supposed to work, or is it a bug? Or is there another way of doing it;
am I doing it wrong?

Thank you,

Jakob Alvermark
jakob.alverm...@bsdlabs.com
BSDLabs AB
Solna, Sweden
556759-7652



Re : OpenBSD ipsec gateway behind a router

2011-11-14 Thread Mik J
Hello,

Thanks to both of you for your answer.
However, I'm really confused regarding where I should configure the OpenBSD
ipsec gateway to use nat-t or not.

The only thing I'm aware of is
$ sysctl -a | grep udpencap
net.inet.esp.udpencap=1
net.inet.esp.udpencap_port=4500
But that just tells the kernel to support UDP encapsulation for nat-t.

Fabio, in your configuration below I don't see anywhere that you specified
you wanted to use nat-t.

I'm going to try to test your configuration.


----- Original Message -----
 From: Mentesan mente...@gmail.com
 To: misc@openbsd.org
 Cc:
 Sent: Monday, 14 November 2011 13:00
 Subject: Re: OpenBSD ipsec gateway behind a router

 Hi :)

 I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central
 office) and 4.9 (branch office).
 With the following setup I can bring the tunnel up, but the networks can't
 talk to each other:

 Central ipsec.conf
 -
 ike passive esp tunnel from 10.20.0.0/16 to any \
 srcid matriz.domain.com.br \
 psk testefilial


 Branch ipsec.conf
 -
 matriz_net = 10.20.0.0/16
 matriz_gw = 178.9.35.10
 filial_net =  10.10.11.0/24

 ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
 srcid filial.domain.com.br \
 dstid matriz.domain.com.br \
 psk testefilial
 ---

 # ipsecctl -sa
 FLOWS:
 flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
 matriz.gruponp.com.br dstid filial.gruponp.com.br type use
 flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
 matriz.gruponp.com.br dstid filial.gruponp.com.br type require

 SAD:
 esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256
 enc aes
 esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256
 enc aes

 ---

 # route -n show -encap
 Routing tables

 Encap:
 Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
 10.10.11/24   0     10.20/16      0     0      185.53.27.23/esp/use/in
 10.20/16      0     10.10.11/24   0     0      185.53.27.23/esp/require/out


 Fabio Almeida

 On 13/11/2011, at 12:06, Mik J wrote:

  Hello,

  I would like to know if such a configuration is possible.

  LAN1 (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)

  As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical interface.
  When it wants to access the internet, its address 192.168.10.99 is NATed to IPx, and that's
  how the IPSec_GW (Vendor) sees the source packets.

  It's not really important now whether other machines on LAN1 can ping machines on LAN2. For
  now I would like the OpenBSD box to be able to ping machines on LAN2.

  I have searched for examples on the internet for this particular case, because the OpenBSD
  box is behind a NAT router, and I haven't found the proper way to do this. I don't even know
  if it's possible. I know some kind of nat-t should be used, though.

  Does anyone have this configuration in place?

  Thanks

 [demime 1.01d removed an attachment of type application/pgp-signature which had
 a name of signature.asc]



Re: Burning DVDs

2011-11-14 Thread John Tate
Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and
the ports is the tarball from
ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error
there is simply no output. It does compile. I honestly think something
has been missed. As for my confused posts, well, it happens I'm not
perfect, but it has little bearing on anything.

On Mon, Nov 14, 2011 at 10:49 PM, Rod Whitworth glis...@witworx.com wrote:
 On Mon, 14 Nov 2011 22:07:06 +1100, John Tate wrote:

This has no 'make install' for some odd reason. I clearly should
become a packager.

 I don't see that happening soon given your confused posts here.
 It seems to be about time you did some learning.
 packages are provided and are installed by using pkg_add(1). They are
 pre-compiled and packaged for you.
 You don't need make install unless you are compiling ports and raw
 beginners are advised to use packages not ports.
 In fact the only people who should be compiling ports are those who are
 1) competent in the art, 2) are doing it to test patches or upgrades
 reported by maintainers or 3) have the skills in (1) and need to
 upgrade to a published port for some technical reason and who know how
 to make sure that their kernel and userland are recent enough to match
 the new port version.


On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey
richardtoo...@paradise.net.nz wrote:
 On 14/11/2011, at 6:13 PM, John Tate wrote:

 Device seems to be: Generic mmc2 DVD-R/DVD-RW.

 cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support 
 code.
 cdrecord: If you need DVD-R/DVD-RW support, ask the Author for 
 cdrecord-ProDVD.
 cdrecord: Free test versions and free keys for personal use are at
 ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

 Apparently this support code has been in cdrtools since 2009, the site
 it tells me to go to tells me I don't need it. It's like bureaucracy,
 lol.

 I could build their cdrtools, but the port must be ancient or something.

 Perhaps I could become a packager. Another port, gtk-gnutella, isn't
 even worth having if it's not maintained.

 John Tate.


 http://openports.se/sysutils/dvd+rw-tools

 http://openports.se/search.php?so=dvd


 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is 
 tarpitted. The reply-to: address is provided for those who feel compelled to 
  reply off list. Thank you.

 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.






-- 
www.johntate.org



Re: Burning DVDs

2011-11-14 Thread John Tate
I have dvd+rw tools and cdrecord still gives me this message...

cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support
code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
cdrecord-ProDVD.
cdrecord: Free test versions and free keys for personal use are at
ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

On Tue, Nov 15, 2011 at 2:04 AM, John Tate j...@johntate.org wrote:
 Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and
 the ports is the tarball from
 ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error
 there is simply no output. It does compile. I honestly think something
 has been missed. As for my confused posts, well, it happens I'm not
 perfect, but it has little bearing on anything.

 On Mon, Nov 14, 2011 at 10:49 PM, Rod Whitworth glis...@witworx.com
wrote:
  On Mon, 14 Nov 2011 22:07:06 +1100, John Tate wrote:

This has no 'make install' for some odd reason. I clearly should
become a packager.

 I don't see that happening soon given your confused posts here.
 It seems to be about time you did some learning.
 packages are provided and are installed by using pkg_add(1). They are
 pre-compiled and packaged for you.
 You don't need make install unless you are compiling ports and raw
 beginners are advised to use packages not ports.
 In fact the only people who should be compiling ports are those who are
 1) competent in the art, 2) are doing it to test patches or upgrades
 reported by maintainers or 3) have the skills in (1) and need to
 upgrade to a published port for some technical reason and who know how
 to make sure that their kernel and userland are recent enough to match
 the new port version.


On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey
richardtoo...@paradise.net.nz wrote:
 On 14/11/2011, at 6:13 PM, John Tate wrote:

 Device seems to be: Generic mmc2 DVD-R/DVD-RW.

 cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support
code.
 cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
cdrecord-ProDVD.
 cdrecord: Free test versions and free keys for personal use are at
 ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

 Apparently this support code has been in cdrtools since 2009, the site
 it tells me to go to tells me I don't need it. It's like bureaucracy,
 lol.

 I could build their cdrtools, but the port must be ancient or
something.

 Perhaps I could become a packager. Another port, gtk-gnutella, isn't
  even worth having if it's not maintained.

 John Tate.


 http://openports.se/sysutils/dvd+rw-tools

 http://openports.se/search.php?so=dvd


 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thank you.

 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.






 --
 www.johntate.org




--
www.johntate.org



Re: Burning DVDs

2011-11-14 Thread Tony Abernethy
Out of curiosity, WHY should any make install in ports actually DO anything?
Seems like the object of ports is to make packages and packages are installed
by pkg_add.
If you want to be something, say a packager, it helps if you have at least a
slight clue what it is all about.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of John
Tate
Sent: Monday, November 14, 2011 9:04 AM
To: Fubar
Cc: Richard Toohey; misc
Subject: Re: Burning DVDs

Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and
the ports is the tarball from
ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error
there is simply no output. It does compile. I honestly think something
has been missed. As for my confused posts, well, it happens I'm not
perfect, but it has little bearing on anything.

On Mon, Nov 14, 2011 at 10:49 PM, Rod Whitworth glis...@witworx.com wrote:
 On Mon, 14 Nov 2011 22:07:06 +1100, John Tate wrote:

This has no 'make install' for some odd reason. I clearly should
become a packager.

 I don't see that happening soon given your confused posts here.
 It seems to be about time you did some learning.
 packages are provided and are installed by using pkg_add(1). They are
 pre-compiled and packaged for you.
 You don't need make install unless you are compiling ports and raw
 beginners are advised to use packages not ports.
 In fact the only people who should be compiling ports are those who are
 1) competent in the art, 2) are doing it to test patches or upgrades
 reported by maintainers or 3) have the skills in (1) and need to
 upgrade to a published port for some technical reason and who know how
 to make sure that their kernel and userland are recent enough to match
 the new port version.


On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey
richardtoo...@paradise.net.nz wrote:
 On 14/11/2011, at 6:13 PM, John Tate wrote:

 Device seems to be: Generic mmc2 DVD-R/DVD-RW.

 cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support
code.
 cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
cdrecord-ProDVD.
 cdrecord: Free test versions and free keys for personal use are at
 ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

 Apparently this support code has been in cdrtools since 2009, the site
 it tells me to go to tells me I don't need it. It's like bureaucracy,
 lol.

 I could build their cdrtools, but the port must be ancient or something.

 Perhaps I could become a packager. Another port, gtk-gnutella, isn't
 even worth having if it's not maintained.

 John Tate.


 http://openports.se/sysutils/dvd+rw-tools

 http://openports.se/search.php?so=dvd


 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thank you.

 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.






--
www.johntate.org



Re: Burning DVDs

2011-11-14 Thread Tony Abernethy
You might try reading your own message.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of John
Tate
Sent: Monday, November 14, 2011 9:19 AM
To: Fubar
Cc: Richard Toohey; misc
Subject: Re: Burning DVDs

I have dvd+rw tools and cdrecord still gives me this message...

cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support
code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
cdrecord-ProDVD.
cdrecord: Free test versions and free keys for personal use are at
ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

On Tue, Nov 15, 2011 at 2:04 AM, John Tate j...@johntate.org wrote:
 Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and
 the ports is the tarball from
 ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error
 there is simply no output. It does compile. I honestly think something
 has been missed. As for my confused posts, well, it happens I'm not
 perfect, but it has little bearing on anything.

 On Mon, Nov 14, 2011 at 10:49 PM, Rod Whitworth glis...@witworx.com
wrote:
  On Mon, 14 Nov 2011 22:07:06 +1100, John Tate wrote:

This has no 'make install' for some odd reason. I clearly should
become a packager.

 I don't see that happening soon given your confused posts here.
 It seems to be about time you did some learning.
 packages are provided and are installed by using pkg_add(1). They are
 pre-compiled and packaged for you.
 You don't need make install unless you are compiling ports and raw
 beginners are advised to use packages not ports.
 In fact the only people who should be compiling ports are those who are
 1) competent in the art, 2) are doing it to test patches or upgrades
 reported by maintainers or 3) have the skills in (1) and need to
 upgrade to a published port for some technical reason and who know how
 to make sure that their kernel and userland are recent enough to match
 the new port version.


On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey
richardtoo...@paradise.net.nz wrote:
 On 14/11/2011, at 6:13 PM, John Tate wrote:

 Device seems to be: Generic mmc2 DVD-R/DVD-RW.

 cdrecord: This version of cdrecord does not include DVD-R/DVD-RW
support
code.
 cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
cdrecord-ProDVD.
 cdrecord: Free test versions and free keys for personal use are at
 ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

 Apparently this support code has been in cdrtools since 2009, the site
 it tells me to go to tells me I don't need it. It's like bureaucracy,
 lol.

 I could build their cdrtools, but the port must be ancient or
something.

 Perhaps I could become a packager. Another port, gtk-gnutella, isn't
  even worth having if it's not maintained.

 John Tate.


 http://openports.se/sysutils/dvd+rw-tools

 http://openports.se/search.php?so=dvd


 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thank you.

 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.






 --
 www.johntate.org




--
www.johntate.org



Re: snort and pf - pflog vs if

2011-11-14 Thread Tobias Crefeld
On Sun, 13 Nov 2011 09:51:05 -0600, Ted Wynnychenko ted@comcast.net wrote:

 With 4.5, I had snort listening to pflog0, because I understood that
 listening to the interface directly (e.g. bge0) would not work
 since any packets dropped by pf would not be seen by snort.

pflog0 only shows the packets that pf is told to log (e.g. in pf.conf:
pass out log inet proto icmp all icmp-type echoreq).

 However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed
 that snort appears to see packets that are dropped by pf when it
 listens on the interface directly (bge0).

snort listens on interfaces just like tcpdump, wireshark, etc.
do. This means that it puts ethernet interfaces in promiscuous mode
and just reads all incoming and outgoing traffic and interprets it.
Of course it won't read outgoing traffic that pf drops before it reaches
the interface(s), but anything else will get monitored by snort.

I doubt that snort ever worked in another way.


RU,
 Tobias.



How to use relayd with reply-to ?

2011-11-14 Thread Olivier Cochard-Labbé
Hi all,
I want to set up a service redirector with relayd and the reply-to
feature of pf.conf, but I have a problem: the reply-to pf rule is
matched, but there is no modification of the return traffic (the
firewall sends the reply to the default gateway and not to the gateway
forced in the reply-to).
I would like to know if it's a problem with my configuration files or a
bug? (I'm using OpenBSD 5.0, default kernel.)

I've started with the example given as Example 5: Service Redirector
on this web page: https://calomel.org/relayd.html.

My firewall has 2 external interfaces: em1 (10.254.12.253/24) and
em4 (10.254.15.253/24). And in front of these interfaces I've got 2
routers (10.254.12.1@em1 and 10.254.15.2@em4).
There are carp interfaces simulating virtual hosts on these
external interfaces and relayd listens on these IPs (.6 on each
interface).

=> I don't know where client traffic will come from: this is why the
reply-to feature of pf is used here.
I'm using 10.254.15.2 as the default gateway on my firewall in my lab
for testing reply-to, because my test client comes in via the
10.254.12.1 router.

Regarding my internal interface em3 (10.254.12.253/24), there are only 2
web servers behind it: 10.254.13.4 and 10.254.13.5.
Relayd is used to load-balance traffic between them.

My relayd.conf and pf.conf are pretty simple:
---
[root@fw1]~# cat /etc/relayd.conf
table <web_srv> { 10.254.13.4 10.254.13.5 }
redirect www {
    listen on 10.254.12.6 port http interface em1
    listen on 10.254.15.6 port http interface em4
    match tag RELAYD
    forward to <web_srv> check http / code 200
}

[root@fw1]~# cat /etc/pf.conf
table <web_srv> { 10.254.13.4 10.254.13.5 }
anchor relayd/*
set skip on lo
pass out
block in log
# Relayd 'hack' for forcing reply-to
pass in log on em1 inet proto tcp from any to <web_srv> port 80 flags S/SA synproxy state tagged RELAYD reply-to (em1 10.254.12.1)
pass in log on em2 inet proto tcp from any to <web_srv> port 80 flags S/SA synproxy state tagged RELAYD reply-to (em4 10.254.15.2)
---
A client behind the router 10.254.12.1 that tries to access the virtual
server 10.254.12.6 (relayd) should have this forwarding path:
client => router (12.1) => em1 of fw (return traffic marked for
reply-to router 12.1 and not to the default router) => www server
(.4 or .5)

And I've got this problem when I try to initiate a TCP connection from
a client (10.254.16.1) to the carp/relayd IP (10.254.12.6):

---
[root@fw1]~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Nov 14 17:33:57.323450 rule 3/(match) pass in on em1: 10.254.16.1.5838 > 10.254.12.6.80: S 2719125464:2719125464(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 3417046797[|tcp]> (DF)

[root@fw1]/etc# pfctl -R 3 -s rules
pass in log on em1 inet proto tcp from any to <web_srv> port = www flags S/SA synproxy state tagged RELAYD reply-to 10.254.12.1@em1

[root@fw1]/etc# tcpdump -i em4
tcpdump: listening on em4, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
17:33:57.323521 arp who-has 10.254.15.2 tell 10.254.15.253
17:33:57.323826 arp reply 10.254.15.2 is-at 08:00:27:6a:65:ee
17:33:57.323879 10.254.12.6.www > 10.254.16.1.5838: S 4148897738:4148897738(0) ack 2719125465 win 0 <mss 1460> (DF) [tos 0x10]
---

=> The firewall sends the reply (relayd 10.254.12.6 to client
10.254.16.1) to its default gateway (on em4) and doesn't use its
reply-to rule.

How to fix that ?

Thanks,

Olivier



Re: spamd-setup in crontab

2011-11-14 Thread Boudewijn Dijkstra
On Mon, 14 Nov 2011 15:28:43 +0100, James J. Lippard
<lippard-open...@discord.org> wrote:

I had the same problem, which I worked around by changing my
spamd.conf to use a local file instead of FTP, and downloading the
traplist.gz file in my daily.local.

That is, my spamd.conf now looks like this:

uatraps:\
	:black:\
	:msg="Your address %A has sent mail to a ualberta.ca spamtrap\n\
	within the last 24 hours":\
	:method=file:\
	:file=/etc/mail/traplist.gz:

And my daily.local now has this:

echo "Getting traplist.gz."
/usr/bin/ftp -o /etc/mail/traplist.gz \
	http://www.openbsd.org/spamd/traplist.gz


I have a slightly more complicated setup which fetches traplist and  
nixspam every two hours:


root's crontab:
# update spamd on :15 every two hours
15  */2 *   *   *   /etc/mail/spamd-setup.sh


spamd-setup.sh:
#!/bin/sh
# sleep 0..15 minutes
/bin/sleep $(($RANDOM / 72))
/usr/local/bin/wget -o /dev/null -NxP /home/ftp/pub/mirrors -nv \
http://www.openbsd.org/spamd/{traplist,nixspam}.gz
/usr/libexec/spamd-setup


Also, china and korea are fetched in daily.local:
# http://www.openbsd.org/spamd/{china,korea}cidr.txt.gz are not mirrored
# regularly, so we use the original source
/usr/local/bin/wget -NxP /home/ftp/pub/mirrors -nv \
http://www.okean.com/{china,korea}cidr.txt


The advantage of using wget(1) (or curl(1) if you like) is that it will  
only fetch the file if the timestamp has changed.




--
Made with Opera's revolutionary e-mail program:
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)
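Both the file-based spamd.conf and the cron script above fetch the list over plain http and hand whatever arrived straight to spamd-setup. The script below is added here as an example and is not James's or Boudewijn's code: it keeps their approach but checks the download before it replaces the live file, since a transfer that breaks off part way, a proxy error page, or a file that is simply not a list of IPv4 addresses/prefixes would otherwise become the blacklist spamd serves. The temp-file location, the use of OpenBSD's ftp(1) as the http client (as in the daily.local above), the /etc/mail/traplist.gz path and the spamd-setup path are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the posts: fetch a spamd blacklist, check it,
# and only then install it for a "method=file" entry in spamd.conf.
# Assumed paths and URL; override them in the environment if needed.
LIST_URL=${LIST_URL:-http://www.openbsd.org/spamd/traplist.gz}
LIST_FILE=${LIST_FILE:-/etc/mail/traplist.gz}

# validate_blacklist [FILE]   (reads stdin when FILE is omitted)
# Exit 0 only if the input has at least one entry and every non-blank,
# non-comment line starts with an IPv4 address or IPv4 CIDR prefix.
# Prints the first offending line so cron mail says what was rejected.
validate_blacklist() {
    awk '
    function octet_ok(o) { return (o ~ /^[0-9]+$/) && (o + 0 <= 255) }
    function bad(why)    { print "line " NR ": " why ": " $0; exit 1 }
    $0 ~ /^[ \t]*$/ || $1 ~ /^#/ { next }          # blank or comment line
    {
        entries++
        n = split($1, part, "/")                    # "a.b.c.d" or "a.b.c.d/len"
        if (n > 2) bad("too many slashes")
        if (n == 2 && (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32))
            bad("bad prefix length")
        if (split(part[1], oct, ".") != 4) bad("not four octets")
        for (i = 1; i <= 4; i++)
            if (!octet_ok(oct[i])) bad("octet out of range")
    }
    END { if (entries == 0) { print "empty list"; exit 1 } }
    ' "${1:--}"
}

# refresh_blacklist
# Download to a private temp file, validate the decompressed content, and
# rename into place: rename(2) is atomic, so spamd-setup never reads a
# half-written file, and a rejected download leaves the previous list alone.
refresh_blacklist() {
    tmp=$(mktemp /tmp/traplist.XXXXXXXXXX) || return 1
    if /usr/bin/ftp -o "$tmp" "$LIST_URL" \
       && gzip -dc "$tmp" | validate_blacklist \
       && mv -f "$tmp" "$LIST_FILE"; then
        /usr/libexec/spamd-setup
    else
        echo "refresh_blacklist: keeping existing $LIST_FILE" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Call refresh_blacklist from root's crontab in place of the bare spamd-setup entry. The check accepts IPv4 entries only, so a list that legitimately carries IPv6 prefixes needs the awk extended before it is used with that source.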



Re: Burning DVDs

2011-11-14 Thread Jan Stary
First of all, you should have taken this to ports@, not to misc@.

On Nov 14 16:13:34, John Tate wrote:
 Device seems to be: Generic mmc2 DVD-R/DVD-RW.
 
 cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
 cdrecord: If you need DVD-R/DVD-RW support, ask the Author for 
 cdrecord-ProDVD.
 cdrecord: Free test versions and free keys for personal use are at
 ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
 
 Apparently this support code has been in cdrtools since 2009,

May 15th 2006, to be precise.
ftp://ftp.berlios.de/pub/cdrecord/ProDVD/README

 the site
 it tells me to go to tells me I don't need it. It's like bureaucracy,
 lol.

lol indeed.

 I could build their cdrtools, but the port must be ancient or something.

The version in ports is as recent as someone cared.
Currently, sysutils/cdrtools has no MAINTAINER.
You are very welcome to maintain an up-to-date port of cdrtools.
(Please read all of the relevant documentation before attempting this.)
My guess is it will never happen though.

 Perhaps I could become a packager.

Absolutely.

On Nov 14 22:07:06, John Tate wrote:
 I clearly should become a packager.

That is your future.

In fact, I would be willing to buy the filming rights
to the heroic breakthrough that is hidden behind these four lines:

On Nov 14 16:13:34, John Tate wrote:
 Perhaps I could become a packager.

On Nov 14 22:07:06, John Tate wrote:
 I clearly should become a packager.

FIND OUT ... WHAT HAPPENED  IN THOSE SIX HOURS ... COMING SOON!

On Nov 15 02:04:16, John Tate wrote:
 Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/,
 and the ports is the tarball from
 ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error
 there is simply no output. It does compile. I honestly think something
 has been missed.

It builds and installs just fine.

 As for my confused posts, well, it happens I'm not
 perfect, but it has little bearing on anything.

http://johntate.org/fact/johntate is almost perfect though, in a sense.



IPv6 not working over bridge

2011-11-14 Thread Roger Schreiter
Hello,

I have a router (Host B in the following picture) running OpenBSD 4.7.
One physical interface is bridged to a VLAN:

A simplified picture of it is:


                    (em2)
                      v
Host A---(vlan759)--Host B-----Host C
                      ^       ^
                   vlan759   em0
                       \     /
                       bridge0

vlan759 sits physically on interface em2,
and vlan759 and interface em0 are bridged via bridge0.

vlan759 has no IP addresses, nor em2.

em0 has an IPv4 address and an IPv6 address.

I can ping (IPv4) from Host B to Host A and to Host C.
I can also ping from Host A to Host C and vice versa.

I can ping6 (IPv6) from Host B to Host C (and vice versa),
but I cannot ping6 between Host B and Host A.

ndp -a shows several hosts running IPv6 addresses, but on
Host A I cannot see the Host B or Host C with ndp -a,
and on Host C and on Host B I cannot see Host A with ndp -a.


I assume the bridge is not passing NDP packets.

Is this a known problem?

Does anyone have an idea how to solve the problem?


Roger.



Re: OpenBSD ipsec gateway behind a router

2011-11-14 Thread Boris Goldberg
Hello Mik,

Sunday, November 13, 2011, 8:06:32 AM, you wrote:

MJ I would like to know if such configuration is possible.

MJ LAN1
MJ (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy
MJ IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)

MJ As you can see the OpenBSD 4.9
MJ server sits on the LAN1 and has one physical interface.
MJ When it wants to
MJ access to the internet, its address 192.168.10.99 is natted in IPx and that's
MJ how the IPSec_GW(Vendor) sees the source packets.

MJ It's not really important
MJ now if other machines on LAN1 should ping machines on LAN2. I would like for
MJ now that the OpenBSD could ping machines on LAN2.

MJ I have search for examples
MJ on the internet for this particular case because the OpenBSD is behind a nat
MJ router. And I haven't found the proper way to do this. I don't even know if
MJ it's possible. I know some kind of nat-t should be used though.

MJ Does anyone
MJ have this configuration in place ?

  There are two problems in that configuration: IPSEC behind a NAT and one
physical interface.

  IPSEC behind a NAT more often works than not. I have a similar working
configuration myself (but with two interfaces). I would recommend using UDP
encapsulation if the other side supports it.

  I would recommend getting a computer with 2 network interfaces. Otherwise
it's going to be very complicated at best. /24 (on the left) is for sure
not going to work.



Re: OpenBSD ipsec gateway behind a router

2011-11-14 Thread Mentesan
Hello,

Can anyone validate this setup, or give some advice on it:

LAN (10.20/16)  OpenBSD (public fixed IP) -- (public dynamic IP)
LAN ROUTER - OpenBSD - LAN (10.10.11/24)

There's a *need* to have that LAN ROUTER on the client side.
Let's call the first OpenBSD box Server and the other Client.

The config I'm using is:
Server
-
ike passive esp tunnel from 10.20.0.0/16 to any \
srcid matriz.gruponp.com.br \
psk testevpn

Client

ike dynamic esp tunnel from 10.10.11.0/24 to 10.20.0.0/16 peer 187.8.53.34 \
srcid filial.gruponp.com.br \
dstid matriz.gruponp.com.br \
psk testevpn


This config can bring the tunnel up, even the routes, but the networks can't
talk to each other.

Do I need to redirect ports on the client side (LAN ROUTER redirect ports 500,
4500 to OpenBSD)?
Is everything messed up and the tunnel established by pure luck?

Thanks in advance,
Fabio Almeida

On 14/11/2011, at 14:25, Boris Goldberg wrote:




Re: Burning DVDs

2011-11-14 Thread Francois Pussault
Hi all,

When dvdrecord or cdrecord doesn't work properly, you can use the
growisofs -dvd-compat -use-the-force-luke=dao -Z
/dev/rcd1c=/home/francois/toto.iso command (just adapt it to fit your
needs).


 
 From: Tony Abernethy t...@servasoftware.com
 Sent: Mon Nov 14 16:28:02 CET 2011
 To: John Tate j...@johntate.org, Fubar codsoil.z@xoxy.net
 Subject: Re: Burning DVDs


 You might try reading your own message.

 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
John
 Tate
 Sent: Monday, November 14, 2011 9:19 AM
 To: Fubar
 Cc: Richard Toohey; misc
 Subject: Re: Burning DVDs

 I have dvd+rw tools and cdrecord still gives me this message...

 cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support
 code.
 cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
 cdrecord-ProDVD.
 cdrecord: Free test versions and free keys for personal use are at
 ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

 On Tue, Nov 15, 2011 at 2:04 AM, John Tate j...@johntate.org wrote:
  Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and
  the ports is the tarball from
  ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error
  there is simply no output. It does compile. I honestly think something
  has been missed. As for my confused posts, well, it happens I'm not
  perfect, but it has little bearing on anything.
 
  On Mon, Nov 14, 2011 at 10:49 PM, Rod Whitworth glis...@witworx.com
 wrote:
  On Mon, 14  22:07:06 +1100, John Tate wrote:
 
 This has no 'make install' for some odd reason. I clearly should
 become a packager.
 
  I don't see that happening soon given your confused posts here.
  It seems to be about time you did some learning.
  packages are provided and are installed by using pkg_add(1). They are
  pre-compiled and packaged for you.
  You don't need make install unless you are compiling ports and raw
  beginners are advised to use packages not ports.
  In fact the only people who should be compiling ports are those who are
  1) competent in the art, 2) are doing it to test patches or upgrades
  reported by maintainers or 3) have the skills in (1) and need to
  upgrade to a published port for some technical reason and who know how
  to make sure that their kernel and userland are recent enough to match
  the new port version.
 
 
 On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey
 richardtoo...@paradise.net.nz wrote:
  On 14/11/2011, at 6:13 PM, John Tate wrote:
 
  Device seems to be: Generic mmc2 DVD-R/DVD-RW.
 
  cdrecord: This version of cdrecord does not include DVD-R/DVD-RW
 support
 code.
  cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
 cdrecord-ProDVD.
  cdrecord: Free test versions and free keys for personal use are at
  ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
 
  Apparently this support code has been in cdrtools since 2009, the
site
  it tells me to go to tells me I don't need it. It's like bureaucracy,
  lol.
 
  I could build their cdrtools, but the port must be ancient or
 something.
 
  Perhaps I could become a packager. Another port, gtk-gnutella, isn't
  even worth having if its not maintained.
 
  John Tate.
 
 
  http://openports.se/sysutils/dvd+rw-tools
 
  http://openports.se/search.php?so=dvd
 
 
  *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
  Mail to the sender address that does not originate at the list server is
 tarpitted. The reply-to: address is provided for those who feel compelled
to
 reply off list. Thankyou.
 
  Rod/
  ---
  This life is not the real thing.
  It is not even in Beta.
  If it was, then OpenBSD would already have a man page for it.
 
 
 
 
 
 
  --
  www.johntate.org
 



 --
 www.johntate.org



Regards
Francois Pussault
3701 - 8 rue Marcel Pagnol
31100 Toulouse
France
+33 6 17 230 820  +33 5 34 365 269
fpussa...@contactoffice.fr



Re: Burning DVDs

2011-11-14 Thread Stuart Henderson
On 2011-11-14, Tony Abernethy t...@servasoftware.com wrote:
 Out of curiosity, WHY should any make install in ports actually DO anything?

The only reason it would do nothing is if the package is already installed.



Re: snort and pf - pflog vs if

2011-11-14 Thread Henning Brauer
* Tobias Crefeld t...@cataneo.eu [2011-11-14 17:13]:
 On Sun, 13 Nov 2011 09:51:05 -0600
  However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed
  that snort appears to see packets that are dropped by pf when it
  listens on the interface directly (bge0).
 snort's listening on interfaces just like tcpdump, wireshark, etc.
 does. This means that it puts ethernet interfaces in promiscous mode

not necessarily promisc, doesn't make too much sense these days for
the common setups anyway, but that's nitpicking.

 and just reads all incoming and outgoing traffic and interprets it.
 Of course it won't read outgoing traffic that pf drops before reaching
 the interface(s) but anything else will get monitored by snort.

while this is all correct, let me try to phrase it in a way that i
think is clearer. the bpf hooks (aka where bpf grabs the packets) are
outside pf, i.e. inbound packets hit pf before bpf and outgoing pf
before bpf.
that leaves cases where packets traverse the stack more than once
(e.g. some encapsulations, some cases where pf makes changes to the
packet) aside for clarity. and pflog is special insofar as it is
outgoing only, except that it sends nowhere and just feeds bpf -
and as you noted, only sees packets pf is explicitly told to send
there.

 I doubt that snort ever worked in another way.

i can confirm that the bpf - pf order has always been like it is today.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
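Since pflog only carries what rules are told to log, a capture on pflog0 is a record of pf's decisions rather than of the wire. The shell function below is added here as an example and is not part of the thread: it reduces `tcpdump -n -e -ttt -i pflog0` output of the form shown in the relayd/reply-to question earlier on this page to one line per (action, rule, interface, source host) with a packet count. Run it over a pflog capture and set the result beside a plain capture on the interface, and the difference is the traffic bpf hands to snort that pf was never asked to log. The sample lines in the test are constructed; the parser assumes IPv4 addresses and the OpenBSD 5.0 pflog line format.

```shell
#!/bin/sh
# Added example, not from the thread: summarise pflog0 tcpdump output.
# Input lines look like (OpenBSD 5.0, "tcpdump -n -e -ttt -i pflog0"):
#   Nov 14 17:33:57.323450 rule 3/(match) pass in on em1: 10.254.16.1.5838 > 10.254.12.6.80: S ...
# Output: "<count> <action> <dir> rule <n> <iface> <src-host>", busiest first.

# pflog_summary [FILE]   (reads stdin when FILE is omitted)
pflog_summary() {
    awk '
    / rule [0-9]+\/\(match\) / {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        rule = $(i + 1); sub(/\/.*/, "", rule)     # "3/(match)" -> "3"
        action = $(i + 2); dir = $(i + 3)          # pass|block, in|out
        iface = $(i + 5); sub(/:$/, "", iface)     # "em1:" -> "em1"
        src = $(i + 6)
        # tcpdump appends ".port" to IPv4 hosts for TCP/UDP; ICMP lines have
        # none. Only strip a trailing dotted field when five fields are present.
        if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
        n[action " " dir " rule " rule " " iface " " src]++
    }
    END { for (k in n) print n[k], k }
    ' "${1:--}" | sort -rn
}

# pflog_blocked [FILE]
# Only the block decisions: the subset a listener on the interface still
# sees as packets but that never reaches the stack.
pflog_blocked() {
    pflog_summary "${1:--}" | awk '$2 == "block"'
}
```

Typical use on the firewall is `tcpdump -n -e -ttt -i pflog0 -w /tmp/pflog.pcap` for a while, then `tcpdump -n -e -ttt -r /tmp/pflog.pcap | pflog_summary`. Rules that are not marked `log` produce nothing here, which is exactly the gap between the interface capture and pflog that the thread is about.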



Re: Burning DVDs

2011-11-14 Thread John Tate
Yeah something else installed it, I guess cdrecord, which I believe is
horribly out of date but I skipped part of the manual about burning an
image with growisofs, I guess the name distracted. My problems are
gone, but it remains a fact the more familiar cdrwtools is horridly
out of date and should just be updated with the DVD support.

On Tue, Nov 15, 2011 at 3:51 AM, Jan Stary h...@stare.cz wrote:





-- 
www.johntate.org



Dual WAN with ftp-proxy

2011-11-14 Thread Gerard Lally
OpenBSD 5 i386

fxp0 - WAN interface to ISP - xxx.xxx.xxx.116
xl0 - WAN interface to head office via Cisco VPN - xxx.xxx.xxx.131
xl1 - LAN interface to internal network - 192.168.1.0/24

I need to route a small amount of FTP traffic to head office through a
second WAN connection, which connects to the company VPN through a
Cisco router over which I have no control. The remaining Internet
traffic exits via a standard DSL link to the ISP.

I do not need link aggregation of the two WAN interfaces.

1) Do I delete /etc/mygate and add routes instead to hostname.xl0 and
hostname.fxp0?

e.g.,
/etc/hostname.fxp0
inet xxx.xxx.xxx.116 255.255.255.240
!route add 0.0.0.0 xxx.xxx.xxx.113

/etc/hostname.xl0
inet xxx.xxx.xxx.131 255.255.255.192
!route add -net 123.456.789 xxx.xxx.xxx.129

2) I have two rules for NAT in pf.conf.

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

What I am not clear about is how to deal with FTP to head office. I
have ftp-proxy running. Do I use route-to on the internal interface
before FTP traffic for head office from the LAN has been re-directed to
ftp-proxy ...


pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
port ftp route-to ($ext_if1 $ext_gw1)

pass in quick on $int_if inet proto tcp to port 21 \
divert-to 127.0.0.1 port 8021


... or on the external interface, after it has been re-directed
through ftp-proxy:


pass in quick on $int_if inet proto tcp to port 21 \
divert-to 127.0.0.1 port 8021

pass out on $ext_if proto tcp from lo0 to 123.456.789.xxx \
port ftp route-to ($ext_if1 $ext_gw1)


?

--
Gerard Lally




Re: Dual WAN with ftp-proxy

2011-11-14 Thread co...@tetrachina.com
Hi Gerard Lally

I think it won't work like this, as you said:

match out on $ext_if1 from $lan_net nat-to ($ext_if1)

pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)

pass in quick on $int_if inet proto tcp to port 21 \
    divert-to 127.0.0.1 port 8021

The problem is that with divert-to 127.0.0.1 port 8021, ftp-proxy can only
go out through the default gateway (fxp0, the WAN interface to the ISP,
xxx.xxx.xxx.116).

So if you don't use ftp-proxy, it will work for you like this:

match out on $ext_if1 from $lan_net nat-to ($ext_if1)

pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)

Here you must use FTP passive mode.





How to suggest a package?

2011-11-14 Thread James Hozier
I see that ii (FIFO-based 'irc it' IRC client) is in the packages,
but sic (ii's younger brother) is not. How can I suggest that
sic be made as a package for OpenBSD?



Re: How to suggest a package?

2011-11-14 Thread STeve Andre'

On 11/14/11 23:38, James Hozier wrote:

I see that ii (FIFO-based 'irc it' IRC client) is in the packages,
but sic (ii's younger brother) is not. How can I suggest that
sic be made as a package for OpenBSD?



You just did. Whether someone who creates ports will do it
is another question.  There is no formal mechanism to ask
for a port.

--STeve Andre'



Special Edition: Facebook Marketing, this 25 November

2011-11-14 Thread Susana Hernandez
Internet Marketing Evolution 2011, one-time presentation:

Join us this 25 November at the event that has positioned itself as the
most effective in the country in digital marketing, at which we will learn,
from the invited experts, the Digital Marketing strategy appropriate for our
company, focused on results in the short, medium and long term.

Day by day the digital marketing market demands novel strategies so that our
company becomes one of the leaders in the market we care about, or keeps its
dominance over the competition.

Company registered with the STPS

Follow us on Twitter @pmscapacitacion or on Facebook, PMS de México.

Request more information! Please reply to this e-mail with the following
details.

Company:

Name:
Telephone:
Email:

Number of people interested:

You will shortly receive the complete information on this unrivalled event.

Call the telephone numbers and one of our executives will gladly assist you.

Telephones: (0133) 8851-2365, (0133) 8851-2741. 10 lines at your service.

Copyright (C) 2011, PMS Capacitación Efectiva de México S.C. All rights
reserved. PMS de México and the PMS de México logo are registered
trademarks. WARNING: PMS de México has no strategic alliances of any kind
within the Mexican Republic. DON'T BE FOOLED - SAY NO TO PIRACY. All logos,
trademarks and images are the property of their respective corporations and
are used for informational purposes only.

This message has been sent to misc@openbsd.org as a user of PMS de México,
or a user referred you to receive this newsletter.
As a user of PMS de México, you hereby expressly authorise PMS de México to
contact you by e-mail or other means.
If you have received this message in error, disregard it and report your
account by replying to this mail with the subject BAJAINTERNET

Unsubscribe to this mailing list, reply a blank message with the subject
UNSUBSCRIBE BAJAINTERNET
Please note that the management of our databases is of the utmost importance
and it is not the company's intention to cause the recipient any displeasure.



Re: How to suggest a package?

2011-11-14 Thread Richard Toohey
On 15/11/2011, at 6:03 PM, STeve Andre' wrote:

 On 11/14/11 23:38, James Hozier wrote:
 I see that ii (FIFO-based 'irc it' IRC client) is in the packages,
 but sic (ii's younger brother) is not. How can I suggest that
 sic be made as a package for OpenBSD?


 You just did.Whether someone who creates ports will do it
 is another question.  There is no formal mechanism to ask
 for a port.

 --STeve Andre'


And from what I've seen, your suggestion will carry more weight if you attach
a port (or at least make a good attempt at one) and mail it to ports@.

But you should ask on ports@ first: somebody *might* already be working on
a port.

HTH