Re: OpenBSD ipsec gateway behind a router
This basically works, but there are incompatibilities between nat-t in OpenBSD and that from certain vendors, notably Cisco.

On 2011-11-13, Mik J mikyde...@yahoo.fr wrote:
> Hello,
>
> I would like to know if such a configuration is possible.
>
> LAN1 (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)
>
> As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical interface. When it wants to access the internet, its address 192.168.10.99 is natted to IPx, and that's how the IPSec_GW (Vendor) sees the source packets.
>
> It's not really important now if other machines on LAN1 should ping machines on LAN2. For now I would like the OpenBSD box to be able to ping machines on LAN2.
>
> I have searched for examples on the internet for this particular case because the OpenBSD is behind a NAT router, and I haven't found the proper way to do this. I don't even know if it's possible. I know some kind of nat-t should be used though.
>
> Does anyone have this configuration in place?
>
> Thanks
spamd-setup in crontab
Hi,

I've just set up a mail server with 5.0. I have put spamd in front (in default greylisting mode). It works great following the man pages, but when I activate the spamd-setup entry in root's crontab, I receive the following error by mail:

spamd-setup: ftp: Could not add blacklist uatraps
Writing -: : Illegal seek
Broken pipe

If I call spamd-setup as root I have no error message. (Note: I've used the default /etc/mail/spamd.conf file.)

How can I sort this out?
--
Manuel Giraud
Re: spamd-setup in crontab
Same error message since one week on an old 4.6 install. But I didn't find the origin yet...

On 14/11/2011 10:13, Manuel Giraud wrote:
> [...] when I activate the spamd-setup entry in root's crontab, I receive the following error by mail:
>
> spamd-setup: ftp: Could not add blacklist uatraps
> Writing -: : Illegal seek
> Broken pipe
>
> If I call spamd-setup as root I have no error message. (Note: I've used the default /etc/mail/spamd.conf file.)
>
> How can I sort this out?
Re: Burning DVDs
This has no 'make install' for some odd reason. I clearly should become a packager.

On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey richardtoo...@paradise.net.nz wrote:
> On 14/11/2011, at 6:13 PM, John Tate wrote:
>> Device seems to be: Generic mmc2 DVD-R/DVD-RW.
>> cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
>> cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
>> cdrecord: Free test versions and free keys for personal use are at ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
>>
>> Apparently this support code has been in cdrtools since 2009; the site it tells me to go to tells me I don't need it. It's like bureaucracy, lol.
>>
>> I could build their cdrtools, but the port must be ancient or something. Perhaps I could become a packager.
>>
>> Another port, gtk-gnutella, isn't even worth having if it's not maintained.
>>
>> John Tate.
>> --
>> www.johntate.org
>
> http://openports.se/sysutils/dvd+rw-tools
> http://openports.se/search.php?so=dvd

--
www.johntate.org
Re: Burning DVDs
On Mon, 14 Nov 2011 22:07:06 +1100, John Tate wrote:
> This has no 'make install' for some odd reason. I clearly should become a packager.

I don't see that happening soon given your confused posts here. It seems to be about time you did some learning.

Packages are provided and are installed by using pkg_add(1). They are pre-compiled and packaged for you. You don't need make install unless you are compiling ports, and raw beginners are advised to use packages, not ports.

In fact the only people who should be compiling ports are those who are 1) competent in the art, 2) are doing it to test patches or upgrades reported by maintainers, or 3) have the skills in (1) and need to upgrade to a published port for some technical reason and who know how to make sure that their kernel and userland are recent enough to match the new port version.

*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted.
The reply-to: address is provided for those who feel compelled to reply off list.
Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.
Re: OpenBSD ipsec gateway behind a router
Hi :)

I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central office) and 4.9 (branch office). With the following setup I can bring the tunnel up, but the networks can't talk to each other:

Central ipsec.conf -

ike passive esp tunnel from 10.20.0.0/16 to any \
        srcid matriz.domain.com.br \
        psk testefilial

Branch ipsec.conf -

matriz_net = 10.20.0.0/16
matriz_gw = 178.9.35.10
filial_net = 10.10.11.0/24

ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
        srcid filial.domain.com.br \
        dstid matriz.domain.com.br \
        psk testefilial

---
# ipsecctl -sa
FLOWS:
flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require

SAD:
esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
---
# route -n show -encap
Routing tables

Encap:
Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
10.10.11/24   0     10.20/16      0     0      185.53.27.23/esp/use/in
10.20/16      0     10.10.11/24   0     0      185.53.27.23/esp/require/out
---

Fabio Almeida

On 13/11/2011, at 12:06, Mik J wrote:
> [...] I know some kind of nat-t should be used though.
>
> Does anyone have this configuration in place?
Re: OpenBSD ipsec gateway behind a router
On Mon, Nov 14, 2011 at 2:00 PM, Mentesan mente...@gmail.com wrote:
> Hi :)
>
> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central office) and 4.9 (branch office). With the following setup I can bring the tunnel up, but the networks can't talk to each other:
>
> [...]
>
> SAD:
> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
>
> [...]
>
> Fabio Almeida

Hi!

I think the problem in your case is HMAC-SHA2 incompatibility between releases before 4.7 and 4.7 (and upwards) releases. Please check this link: http://www.openbsd.org/faq/upgrade47.html#hmac-sha2

regards,
Joosep
Re: spamd-setup in crontab
I had the same problem, which I worked around by changing my spamd.conf to use a local file instead of FTP, and downloading the traplist.gz file in my daily.local. That is, my spamd.conf now looks like this:

uatraps:\
        :black:\
        :msg="Your address %A has sent mail to a ualberta.ca spamtrap\n\
        within the last 24 hours":\
        :method=file:\
        :file=/etc/mail/traplist.gz:

And my daily.local now has this:

echo "Getting traplist.gz."
/usr/bin/ftp -o /etc/mail/traplist.gz http://www.openbsd.org/spamd/traplist.gz

--
Jim Lippard        lippard-open...@discord.org        http://www.discord.org/
GPG Key ID: 0xF8D42CFE

On Mon, Nov 14, 2011 at 11:43:13AM +0100, Comète wrote:
> Same error message since one week on an old 4.6 install. But I didn't find the origin yet...
>
> On 14/11/2011 10:13, Manuel Giraud wrote:
>> [...] when I activate the spamd-setup entry in root's crontab, I receive the following error by mail:
>>
>> spamd-setup: ftp: Could not add blacklist uatraps
>> Writing -: : Illegal seek
>> Broken pipe
>>
>> If I call spamd-setup as root I have no error message. (Note: I've used the default /etc/mail/spamd.conf file.)
>>
>> How can I sort this out?
ipsec.conf macros
Hello!

In transitioning from isakmpd.conf to ipsec.conf I want to make the configuration file simple and readable by using macros. However, it seems like I can not make use of macros in the way that I want.

Example:

host_a=192.168.1.1
host_b=192.168.2.2
host_list={ $host_a $host_b }
host_a_copy=$host_a
list_copy=$host_list

Gives errors:

# ipsecctl -vnf ipsec_hosts.conf
ipsec_hosts.conf: 5: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
host_a = 192.168.1.1
host_b = 192.168.2.2
host_list = { 192.168.1.1 192.168.2.2 }
host_a_copy = 192.168.1.1

It gives me even more problems when I use macros with lists of networks:

network_a=192.168.1.0/24
network_b=192.168.2.0/24
network_a_copy=$network_a
network_list={ 192.168.1.0/24 192.168.2.0/24 }
network_list_copy=$network_list
network_list_1={ $network_a $network_b }
network_list_1_copy=$network_list_1

# ipsecctl -vnf ipsec_networks.conf
ipsec_networks.conf: 3: syntax error
ipsec_networks.conf: 5: syntax error
ipsec_networks.conf: 6: syntax error
ipsec_networks.conf: 7: macro 'network_list_1' not defined
ipsec_networks.conf: 7: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
network_a = 192.168.1.0/24
network_b = 192.168.2.0/24
network_list = { 192.168.1.0/24 192.168.2.0/24 }

Is it supposed to work, or is it a bug? Or is there another way of doing it, am I doing it wrong?

Thank you,
Jakob Alvermark
jakob.alverm...@bsdlabs.com
BSDLabs AB
Solna, Sweden
556759-7652
Re : OpenBSD ipsec gateway behind a router
Hello,

Thanks to both of you for your answer. However I'm really confused regarding where I should configure the OpenBSD ipsec gateway to use nat-t or not. The only thing I'm aware of is

$ sysctl -a | grep udpencap
net.inet.esp.udpencap=1
net.inet.esp.udpencap_port=4500

But it just tells the kernel to support UDP encapsulation for nat-t.

Fabio, in your configuration below I don't see anywhere you specified you wanted to use nat-t.
I'm going to try to test your configuration.

----- Original message -----
From: Mentesan mente...@gmail.com
To: misc@openbsd.org
Cc:
Sent: Monday 14 November 2011 13h00
Subject: Re: OpenBSD ipsec gateway behind a router

> Hi :)
>
> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central office) and 4.9 (branch office). With the following setup I can bring the tunnel up, but the networks can't talk to each other:
>
> Central ipsec.conf -
>
> ike passive esp tunnel from 10.20.0.0/16 to any \
>         srcid matriz.domain.com.br \
>         psk testefilial
>
> Branch ipsec.conf -
>
> matriz_net = 10.20.0.0/16
> matriz_gw = 178.9.35.10
> filial_net = 10.10.11.0/24
>
> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>         srcid filial.domain.com.br \
>         dstid matriz.domain.com.br \
>         psk testefilial
>
> [...]
>
> Fabio Almeida
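As an added example (not from any post in this thread), here is what the OpenBSD side could look like for the topology in the original question. There is no NAT-T keyword in ipsec.conf: isakmpd negotiates UDP encapsulation itself when it detects a NAT on the path, so what the administrator controls is the IKE identity (an FQDN srcid, since the private source address is rewritten by the router) and the pf rules that let udp/500, udp/4500 and esp through. The peer address 203.0.113.1 (standing in for IPy), the IDs, the interface name and the pre-shared key are placeholders, and whether the vendor gateway accepts the exchange is not something this thread confirms.

```conf
# --- /etc/ipsec.conf on the OpenBSD box (192.168.10.99, behind the NAT router) ---
# Added example, not a poster's configuration. 203.0.113.1 is a placeholder for IPy.
vendor_gw = "203.0.113.1"
lan2      = "192.168.20.0/24"

# Tunnel from this host only (as the question asks) to LAN2. The srcid is an
# FQDN rather than an address: the router rewrites 192.168.10.99 to IPx, so an
# address-based identity would not match what the vendor gateway sees.
ike esp tunnel from 192.168.10.99 to $lan2 peer $vendor_gw \
        srcid openbsd-gw.example.org \
        dstid vendor-gw.example.org \
        psk REPLACE_WITH_SHARED_SECRET

# --- /etc/pf.conf additions on the OpenBSD box (em0 is an assumed name) ---
# IKE starts on udp/500; once isakmpd detects the NAT it moves to udp/4500 and
# carries ESP inside UDP (the port set by net.inet.esp.udpencap_port), so the
# stateful udp rules also cover the tunnelled data. Raw ESP is passed for the
# case where the peer never switches to UDP encapsulation, which is exactly the
# case a NAT router in the path tends to break.
ext_if = "em0"
pass out on $ext_if inet proto udp from $ext_if to 203.0.113.1 port { 500, 4500 }
pass in  on $ext_if inet proto udp from 203.0.113.1 to $ext_if port { 500, 4500 }
pass on $ext_if proto esp from 203.0.113.1 to $ext_if
```

Inbound udp/500 and udp/4500 only arrive if the NAT router forwards them to 192.168.10.99; when the OpenBSD box always initiates, the stateful pass out rule alone is enough.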
Re: Burning DVDs
Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and the ports is the tarball from ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error, there is simply no output. It does compile. I honestly think something has been missed.

As for my confused posts, well, it happens I'm not perfect, but it has little bearing on anything.

On Mon, Nov 14, 2011 at 10:49 PM, Rod Whitworth glis...@witworx.com wrote:
> On Mon, 14 Nov 2011 22:07:06 +1100, John Tate wrote:
>> This has no 'make install' for some odd reason. I clearly should become a packager.
>
> I don't see that happening soon given your confused posts here. It seems to be about time you did some learning.
>
> Packages are provided and are installed by using pkg_add(1). They are pre-compiled and packaged for you. You don't need make install unless you are compiling ports, and raw beginners are advised to use packages, not ports.
>
> [...]

--
www.johntate.org
Re: Burning DVDs
I have dvd+rw-tools and cdrecord still gives me this message...

cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
cdrecord: Free test versions and free keys for personal use are at ftp://ftp.berlios.de/pub/cdrecord/ProDVD/

On Tue, Nov 15, 2011 at 2:04 AM, John Tate j...@johntate.org wrote:
> Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and the ports is the tarball from ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error, there is simply no output. It does compile. I honestly think something has been missed.
>
> [...]

--
www.johntate.org
Re: Burning DVDs
Out of curiosity, WHY should any make install in ports actually DO anything? Seems like the object of ports is to make packages, and packages are installed by pkg_add. If you want to be something, say a packager, it helps if you have at least a slight clue what it is all about.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of John Tate
Sent: Monday, November 14, 2011 9:04 AM
To: Fubar
Cc: Richard Toohey; misc
Subject: Re: Burning DVDs

> Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and the ports is the tarball from ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error, there is simply no output. It does compile. I honestly think something has been missed.
>
> As for my confused posts, well, it happens I'm not perfect, but it has little bearing on anything.
>
> [...]
Re: Burning DVDs
You might try reading your own message.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of John Tate
Sent: Monday, November 14, 2011 9:19 AM
To: Fubar
Cc: Richard Toohey; misc
Subject: Re: Burning DVDs

> I have dvd+rw-tools and cdrecord still gives me this message...
>
> cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
> cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
> cdrecord: Free test versions and free keys for personal use are at ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
>
> [...]
Re: snort and pf - pflog vs if
On Sun, 13 Nov 2011 09:51:05 -0600, Ted Wynnychenko ted@comcast.net wrote:
> With 4.5, I had snort listening to pflog0, because I understood that listening to the interface directly (e.g. bge0) would not work since any packets dropped by pf would not be seen by snort.

pflog0 only shows the packets that pf is told to log (e.g. in pf.conf: pass out log inet proto icmp all icmp-type echoreq).

> However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed that snort appears to see packets that are dropped by pf when it listens on the interface directly (bge0).

snort's listening on interfaces just like tcpdump, wireshark, etc. does. This means that it puts ethernet interfaces in promiscuous mode and just reads all incoming and outgoing traffic and interprets it. Of course it won't read outgoing traffic that pf drops before reaching the interface(s), but anything else will get monitored by snort. I doubt that snort ever worked in another way.

RU, Tobias.
How to use relayd with reply-to ?
Hi all,

I want to set up a service redirector with relayd and the reply-to feature of pf.conf, but I have a problem: the reply-to pf rule is matched, but there is no modification of the return traffic (the firewall sends the reply to the default gateway and not to the gateway forced in the reply-to). I would like to know if it's a problem with my configuration files or a bug. (I'm using OpenBSD 5.0, default kernel.)

I've started with the example given as "Example 5: Service Redirector" on this web page: https://calomel.org/relayd.html.

My firewall has 2 external interfaces: em1 (10.254.12.253/24) and em4 (10.254.15.253/24). In front of these interfaces I've got 2 routers (10.254.12.1@em1 and 10.254.15.2@em4). There are carp interfaces simulating virtual hosts on these external interfaces, and relayd listens on these IPs (.6 on each interface).
=> I don't know where client traffic comes from: this is why the reply-to feature of pf is used here.

I'm using 10.254.15.2 as the default gateway on my firewall in my lab for testing the reply-to, because my test client comes from the 10.254.12.1 router.

Regarding my internal interface em3 (10.254.12.253/24), there are only 2 web servers behind it: 10.254.13.4 and 10.254.13.5. Relayd is used to load-balance traffic between them.

My relayd.conf and pf.conf are pretty simple:

---
[root@fw1]~# cat /etc/relayd.conf
table <web_srv> { 10.254.13.4 10.254.13.5 }

redirect www {
        listen on 10.254.12.6 port http interface em1
        listen on 10.254.15.6 port http interface em4
        match tag RELAYD
        forward to <web_srv> check http "/" code 200
}

[root@fw1]~# cat /etc/pf.conf
table <web_srv> { 10.254.13.4 10.254.13.5 }
anchor "relayd/*"

set skip on lo
pass out
block in log

#Relayd 'hack' for forcing reply-to
pass in log on em1 inet proto tcp from any to <web_srv> port 80 flags S/SA synproxy state tagged RELAYD reply-to (em1 10.254.12.1)
pass in log on em2 inet proto tcp from any to <web_srv> port 80 flags S/SA synproxy state tagged RELAYD reply-to (em4 10.254.15.2)
---

A client behind the router 10.254.12.1 that tries to access the virtual server 10.254.12.6 (relayd) should have this forwarding path:

client => router (12.1) => em1 of fw (return traffic marked for reply-to router 12.1 and not to the default router) => www server (.4 or .5)

And I've got this problem when I try to initiate a TCP connection from a client (10.254.16.1) to the carp/relayd IP (10.254.12.6):

---
[root@fw1]~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Nov 14 17:33:57.323450 rule 3/(match) pass in on em1: 10.254.16.1.5838 > 10.254.12.6.80: S 2719125464:2719125464(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 3417046797[|tcp]> (DF)

[root@fw1]/etc# pfctl -R 3 -s rules
pass in log on em1 inet proto tcp from any to <web_srv> port = www flags S/SA synproxy state tagged RELAYD reply-to 10.254.12.1@em1

[root@fw1]/etc# tcpdump -i em4
tcpdump: listening on em4, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
17:33:57.323521 arp who-has 10.254.15.2 tell 10.254.15.253
17:33:57.323826 arp reply 10.254.15.2 is-at 08:00:27:6a:65:ee
17:33:57.323879 10.254.12.6.www > 10.254.16.1.5838: S 4148897738:4148897738(0) ack 2719125465 win 0 <mss 1460> (DF) [tos 0x10]
---

=> The firewall sends the reply (relayd 10.254.12.6 to client 10.254.16.1) to its default gateway (on em4) and doesn't use its reply-to rule.

How to fix that?

Thanks,
Olivier
Re: spamd-setup in crontab
On Mon, 14 Nov 2011 15:28:43 +0100, James J. Lippard lippard-open...@discord.org wrote:

> I had the same problem, which I worked around by changing my spamd.conf to use a local file instead of FTP, and downloading the traplist.gz file in my daily.local. That is, my spamd.conf now looks like this:
>
> uatraps:\
>         :black:\
>         :msg="Your address %A has sent mail to a ualberta.ca spamtrap\n\
>         within the last 24 hours":\
>         :method=file:\
>         :file=/etc/mail/traplist.gz:
>
> And my daily.local now has this:
>
> echo "Getting traplist.gz."
> /usr/bin/ftp -o /etc/mail/traplist.gz http://www.openbsd.org/spamd/traplist.gz

I have a slightly more complicated setup which fetches traplist and nixspam every two hours:

root's crontab:

# update spamd on :15 every two hours
15 */2 * * * /etc/mail/spamd-setup.sh

spamd-setup.sh:

#!/bin/sh
# sleep 0..7.5 minutes ($RANDOM is 0..32767, so the divisor gives at most 455 seconds)
/bin/sleep $(($RANDOM / 72))
/usr/local/bin/wget -o /dev/null -NxP /home/ftp/pub/mirrors -nv \
    http://www.openbsd.org/spamd/{traplist,nixspam}.gz
/usr/libexec/spamd-setup

Also, china and korea are fetched in daily.local:

# http://www.openbsd.org/spamd/{china,korea}cidr.txt.gz are not mirrored
# regularly, so we use the original source
/usr/local/bin/wget -NxP /home/ftp/pub/mirrors -nv \
    http://www.okean.com/{china,korea}cidr.txt

The advantage of using wget(1) (or curl(1) if you like) is that it will only fetch the file if the timestamp has changed.

--
Made with Opera's revolutionary e-mail program: http://www.opera.com/mail/
(Remove the obvious prefix to reply.)
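A more defensive version of the fetch-then-spamd-setup step that both posters describe, added here as an example for this thread (it is not code from James Lippard, the poster above, or OpenBSD itself): the download lands in a staging file and is only swapped into the :method=file: path once it is a non-empty, intact gzip, so a failed or truncated fetch from cron leaves the previous list in place rather than handing spamd-setup an empty one. The fetch command, the spamd-setup path and the file locations are parameters and are assumptions, not values from the thread; the sample list in the comments is constructed.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code: fetch a spamd
# blacklist into a staging file, accept it only if it is a non-empty,
# intact gzip, then replace the live file and rebuild spamd's tables.
# Assumptions (not from the thread): spamd.conf uses ":method=file:" with
# ":file=/etc/mail/traplist.gz:" as in the quoted entry above; FETCH and
# SPAMD_SETUP are overridable so the logic can be exercised offline.

DEST="${DEST:-/etc/mail/traplist.gz}"
URL="${URL:-http://www.openbsd.org/spamd/traplist.gz}"
FETCH="${FETCH:-ftp -V -o}"                  # invoked as: $FETCH outfile url
SPAMD_SETUP="${SPAMD_SETUP:-/usr/libexec/spamd-setup}"

# install_blacklist SRC DEST
# Returns 0 when DEST now holds SRC's content (or already did), 1 when SRC
# is rejected (DEST is left untouched), 2 on a copy/rename failure.
install_blacklist() {
    src=$1; dest=$2
    # An empty download would make spamd-setup load an empty list, i.e.
    # silently drop every trapped address, so it is rejected outright.
    if [ ! -s "$src" ]; then
        echo "reject: $src is empty or missing" >&2
        return 1
    fi
    # gzip -t walks the whole stream, so a truncated or corrupt file fails.
    if ! gzip -t "$src" 2>/dev/null; then
        echo "reject: $src is not an intact gzip file" >&2
        return 1
    fi
    # Nothing to do if the content is unchanged (cksum prints "crc size").
    if [ -f "$dest" ] && [ "$(cksum < "$src")" = "$(cksum < "$dest")" ]; then
        return 0
    fi
    # Copy next to the target and rename: rename is atomic on one filesystem,
    # so a concurrently running spamd-setup never reads a half-written file.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest" || {
        rm -f "$tmp"
        return 2
    }
    return 0
}

# fetch_and_update URL DEST
# Downloads to a staging file, validates and installs it, and only then runs
# spamd-setup. Returns install_blacklist's status, 1 if the download failed,
# or 2 if spamd-setup itself failed.
fetch_and_update() {
    url=$1; dest=$2
    stage=$(mktemp /tmp/blacklist.XXXXXX) || return 2
    rc=1
    if $FETCH "$stage" "$url"; then
        if install_blacklist "$stage" "$dest"; then rc=0; else rc=$?; fi
    fi
    rm -f "$stage"
    if [ "$rc" -eq 0 ]; then
        "$SPAMD_SETUP" || rc=2
    fi
    return $rc
}

# Run from cron as: spamd-fetch.sh run   (e.g. "15 */2 * * * /etc/mail/spamd-fetch.sh run")
case "${1-}" in
run) fetch_and_update "$URL" "$DEST" ;;
esac
```

Because a rejected or failed download returns nonzero and prints the reason to stderr, cron mails a one-line explanation instead of the "Illegal seek / Broken pipe" fragment from the original report, and the previously installed list keeps protecting the server until the next successful run.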
Re: Burning DVDs
First of all, you should have taken this to ports@, not to misc@.

On Nov 14 16:13:34, John Tate wrote:
> Device seems to be: Generic mmc2 DVD-R/DVD-RW.
> cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
> cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
> cdrecord: Free test versions and free keys for personal use are at
> ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
> Apparently this support code has been in cdrtools since 2009,

May 15th 2006, to be precise.
ftp://ftp.berlios.de/pub/cdrecord/ProDVD/README

> the site it tells me to go to tells me I don't need it. It's like bureaucracy, lol.

lol indeed.

> I could build their cdrtools, but the port must be ancient or something.

The version in ports is as recent as someone cared. Currently, sysutils/cdrtools has no MAINTAINER. You are very welcome to maintain an up-to-date port of cdrtools. (Please read all of the relevant documentation before attempting this.) My guess is it will never happen though.

> Perhaps I could become a packager.

Absolutely.

On Nov 14 22:07:06, John Tate wrote:
> I clearly should become a packager.

That is your future. In fact, I would be willing to buy the filming rights to the heroic breakthrough that is hidden behind these four lines:

On Nov 14 16:13:34, John Tate wrote:
> Perhaps I could become a packager.

On Nov 14 22:07:06, John Tate wrote:
> I clearly should become a packager.

FIND OUT ... WHAT HAPPENED IN THOSE SIX HOURS ... COMING SOON!

On Nov 15 02:04:16, John Tate wrote:
> Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and the ports is the tarball from ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error, there is simply no output. It does compile. I honestly think something has been missed.

It builds and installs just fine.

> As for my confused posts, well, it happens I'm not perfect, but it has little bearing on anything.

http://johntate.org/fact/johntate is almost perfect though, in a sense.
IPv6 not working over bridge
Hello,

I have a router (Host B in the following picture) running with OpenBSD 4.7. One physical interface is bridged to a VLAN. A simplified picture of it is:

                     (em2)
                       v
Host A---(vlan759)--Host B-Host C
                       ^     ^
                   vlan759  em0
                        \   /
                       bridge0

vlan759 sits physically on interface em2, and vlan759 and interface em0 are bridged via bridge0. vlan759 has no IP addresses, nor does em2. em0 has an IPv4 address and an IPv6 address.

I can ping (IPv4) from Host B to Host A and to Host C. I can also ping from Host A to Host C and vice versa.

I can ping6 (IPv6) from Host B to Host C (and vice versa), but I cannot ping6 between Host B and Host A.

ndp -a shows several hosts running IPv6 addresses, but on Host A I cannot see Host B or Host C with ndp -a, and on Host C and on Host B I cannot see Host A with ndp -a.

I assume the bridge is not passing NDP packets. Is this a known problem? Does anyone have an idea how to solve the problem?

Roger.
Re: OpenBSD ipsec gateway behind a router
Hello Mik,

Sunday, November 13, 2011, 8:06:32 AM, you wrote:

MJ> I would like to know if such configuration is possible.
MJ> LAN1 (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)
MJ> As you can see the OpenBSD 4.9 server sits on the LAN1 and has one physical interface.
MJ> When it wants to access to the internet, its address 192.168.10.99 is natted in IPx and that's how the IPSec_GW(Vendor) sees the source packets.
MJ> It's not really important now if other machines on LAN1 should ping machines on LAN2. I would like for now that the OpenBSD could ping machines on LAN2.
MJ> I have search for examples on the internet for this particular case because the OpenBSD is behind a nat router. And I haven't found the proper way to do this. I don't even know if it's possible. I know some kind of nat-t should be used though.
MJ> Does anyone have this configuration in place ?

There are two problems in that configuration: IPSEC behind a NAT and one physical interface.

IPSEC behind a NAT more often works than not. I have a similar working configuration myself (but with two interfaces). I would recommend using UDP encapsulation if the other side supports it.

I would recommend getting a computer with 2 network interfaces. Otherwise it's going to be very complicated at best. /24 (on the left) is for sure not going to work.
Re: OpenBSD ipsec gateway behind a router
Hello,

Can anyone validate, or give some advice on, this setup:

LAN (10.20/16) -- OpenBSD (public fixed IP) -- (public dynamic IP) LAN ROUTER - OpenBSD - LAN (10.10.11/24)

There's a *need* to have that LAN ROUTER on the client side. Let's call the first OpenBSD box Server and the other Client. The config I'm using is:

Server:

ike passive esp tunnel from 10.20.0.0/16 to any \
        srcid matriz.gruponp.com.br \
        psk testevpn

Client:

ike dynamic esp tunnel from 10.10.11.0/24 to 10.20.0.0/16 peer 187.8.53.34 \
        srcid filial.gruponp.com.br \
        dstid matriz.gruponp.com.br \
        psk testevpn

This config can bring the tunnel up, even the routes, but the networks can't talk to each other. Do I need to redirect ports on the client side (LAN ROUTER redirects ports 500, 4500 to OpenBSD)? Is everything messed up and the tunnel is established by pure luck?

Thanks in advance,
Fabio Almeida

On 14/11/2011, at 14:25, Boris Goldberg wrote:

> Hello Mik,
>
> Sunday, November 13, 2011, 8:06:32 AM, you wrote:
>
> MJ> I would like to know if such configuration is possible.
> MJ> LAN1 (192.168.10.0/24) -- OpenBSD .99 -- .254 Router IPx -- Internet -- IPy IPSec_GW (Vendor) -- LAN2 (192.168.20.0/24)
> MJ> As you can see the OpenBSD 4.9 server sits on the LAN1 and has one physical interface.
> MJ> When it wants to access to the internet, its address 192.168.10.99 is natted in IPx and that's how the IPSec_GW(Vendor) sees the source packets.
> MJ> It's not really important now if other machines on LAN1 should ping machines on LAN2. I would like for now that the OpenBSD could ping machines on LAN2.
> MJ> I have search for examples on the internet for this particular case because the OpenBSD is behind a nat router. And I haven't found the proper way to do this. I don't even know if it's possible. I know some kind of nat-t should be used though.
> MJ> Does anyone have this configuration in place ?
>
> There are two problems in that configuration: IPSEC behind a NAT and one physical interface.
>
> IPSEC behind a NAT more often works than not. I have a similar working configuration myself (but with two interfaces). I would recommend using UDP encapsulation if the other side supports it.
>
> I would recommend getting a computer with 2 network interfaces. Otherwise it's going to be very complicated at best. /24 (on the left) is for sure not going to work.
Re: Burning DVDs
Hi all,

when dvdrecord or cdrecord doesn't work properly, you can use the command

growisofs -dvd-compat -use-the-force-luke=dao -Z /dev/rcd1c=/home/francois/toto.iso

(just adapt it to fit your needs).

> From: Tony Abernethy t...@servasoftware.com
> Sent: Mon Nov 14 16:28:02 CET 2011
> To: John Tate j...@johntate.org, Fubar codsoil.z@xoxy.net
> Subject: Re: Burning DVDs
>
> You might try reading your own message.
>
>> -----Original Message-----
>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of John Tate
>> Sent: Monday, November 14, 2011 9:19 AM
>> To: Fubar
>> Cc: Richard Toohey; misc
>> Subject: Re: Burning DVDs
>>
>> I have dvd+rw tools and cdrecord still gives me this message...
>>
>> cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
>> cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
>> cdrecord: Free test versions and free keys for personal use are at
>> ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
>>
>> On Tue, Nov 15, 2011 at 2:04 AM, John Tate j...@johntate.org wrote:
>>> Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and the ports is the tarball from ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error, there is simply no output. It does compile. I honestly think something has been missed.
>>>
>>> As for my confused posts, well, it happens I'm not perfect, but it has little bearing on anything.
>>>
>>> On Mon, Nov 14, 2011 at 10:49 PM, Rod Whitworth glis...@witworx.com wrote:
>>>> On Mon, 14 22:07:06 +1100, John Tate wrote:
>>>>> This has no 'make install' for some odd reason. I clearly should become a packager.
>>>>
>>>> I don't see that happening soon given your confused posts here. It seems to be about time you did some learning. Packages are provided and are installed by using pkg_add(1). They are pre-compiled and packaged for you. You don't need make install unless you are compiling ports, and raw beginners are advised to use packages, not ports.
>>>>
>>>> In fact the only people who should be compiling ports are those who are 1) competent in the art, 2) are doing it to test patches or upgrades reported by maintainers or 3) have the skills in (1) and need to upgrade to a published port for some technical reason and who know how to make sure that their kernel and userland are recent enough to match the new port version.
>>>>
>>>>> On Mon, Nov 14, 2011 at 4:31 PM, Richard Toohey richardtoo...@paradise.net.nz wrote:
>>>>>> On 14/11/2011, at 6:13 PM, John Tate wrote:
>>>>>>> Device seems to be: Generic mmc2 DVD-R/DVD-RW.
>>>>>>> cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
>>>>>>> cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
>>>>>>> cdrecord: Free test versions and free keys for personal use are at
>>>>>>> ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
>>>>>>> Apparently this support code has been in cdrtools since 2009, the site it tells me to go to tells me I don't need it. It's like bureaucracy, lol.
>>>>>>> I could build their cdrtools, but the port must be ancient or something. Perhaps I could become a packager.
>>>>>>> Another port, gtk-gnutella, isn't even worth having if it's not maintained.
>>>>>>> John Tate.
>>>>>>
>>>>>> http://openports.se/sysutils/dvd+rw-tools
>>>>>> http://openports.se/search.php?so=dvd
>>>>
>>>> *** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.
>>>>
>>>> Rod/
>>>> ---
>>>> This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
>>>
>>> --
>>> www.johntate.org
>>
>> --
>> www.johntate.org

Regards
Francois Pussault
3701 - 8 rue Marcel Pagnol
31100 Toulouse France
+33 6 17 230 820
+33 5 34 365 269
fpussa...@contactoffice.fr
Re: Burning DVDs
On 2011-11-14, Tony Abernethy t...@servasoftware.com wrote:
> Out of curiosity, WHY should any make install in ports actually DO anything?

The only reason it would do nothing is if the package is already installed.
Re: snort and pf - pflog vs if
* Tobias Crefeld t...@cataneo.eu [2011-11-14 17:13]:
> On Sun, 13 Nov 2011 09:51:05 -0600:
>> However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed that snort appears to see packets that are dropped by pf when it listens on the interface directly (bge0).
>
> snort's listening on interfaces just like tcpdump, wireshark, etc. does. This means that it puts ethernet interfaces in promiscuous mode

not necessarily promisc, doesn't make too much sense these days for the common setups anyway, but that's nitpicking.

> and just reads all incoming and outgoing traffic and interprets it. Of course it won't read outgoing traffic that pf drops before reaching the interface(s) but anything else will get monitored by snort.

while this is all correct, let me try to phrase it in a way that i think is clearer. the bpf hooks (aka where bpf grabs the packets) are outside pf, i. e. inbound packets hit pf before bpf and outgoing pf before bpf. that leaves cases where packets traverse the stack more than once (e. g. some encapsulations, some cases where pf makes changes to the packet) aside for clarity.

and pflog is special insofar that it is outgoing only, except that it sends nowhere and just feeds bpf - and as you noted, only sees packets pf is explicitly told to send there.

> I doubt that snort ever worked in another way.

i can confirm that the bpf - pf order has always been like it is today.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Burning DVDs
Yeah, something else installed it, I guess cdrecord, which I believe is horribly out of date, but I skipped the part of the manual about burning an image with growisofs; I guess the name distracted. My problems are gone, but it remains a fact the more familiar cdrwtools is horridly out of date and should just be updated with the DVD support.

On Tue, Nov 15, 2011 at 3:51 AM, Jan Stary h...@stare.cz wrote:
> First of all, you should have taken this to ports@, not to misc@.
>
> On Nov 14 16:13:34, John Tate wrote:
>> Device seems to be: Generic mmc2 DVD-R/DVD-RW.
>> cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support code.
>> cdrecord: If you need DVD-R/DVD-RW support, ask the Author for cdrecord-ProDVD.
>> cdrecord: Free test versions and free keys for personal use are at
>> ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
>> Apparently this support code has been in cdrtools since 2009,
>
> May 15th 2006, to be precise.
> ftp://ftp.berlios.de/pub/cdrecord/ProDVD/README
>
>> the site it tells me to go to tells me I don't need it. It's like bureaucracy, lol.
>
> lol indeed.
>
>> I could build their cdrtools, but the port must be ancient or something.
>
> The version in ports is as recent as someone cared. Currently, sysutils/cdrtools has no MAINTAINER. You are very welcome to maintain an up-to-date port of cdrtools. (Please read all of the relevant documentation before attempting this.) My guess is it will never happen though.
>
>> Perhaps I could become a packager.
>
> Absolutely.
>
> On Nov 14 22:07:06, John Tate wrote:
>> I clearly should become a packager.
>
> That is your future. In fact, I would be willing to buy the filming rights to the heroic breakthrough that is hidden behind these four lines:
>
> On Nov 14 16:13:34, John Tate wrote:
>> Perhaps I could become a packager.
>
> On Nov 14 22:07:06, John Tate wrote:
>> I clearly should become a packager.
>
> FIND OUT ... WHAT HAPPENED IN THOSE SIX HOURS ... COMING SOON!
>
> On Nov 15 02:04:16, John Tate wrote:
>> Make install does nothing in /usr/ports/sysutils/dvd+rw-tools/, and the ports is the tarball from ftp://ftp.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz - it does not error, there is simply no output. It does compile. I honestly think something has been missed.
>
> It builds and installs just fine.
>
>> As for my confused posts, well, it happens I'm not perfect, but it has little bearing on anything.
>
> http://johntate.org/fact/johntate is almost perfect though, in a sense.

--
www.johntate.org
Dual WAN with ftp-proxy
OpenBSD 5 i386

fxp0 - WAN interface to ISP - xxx.xxx.xxx.116
xl0 - WAN interface to head office via Cisco VPN - xxx.xxx.xxx.131
xl1 - LAN interface to internal network - 192.168.1.0/24

I need to route a small amount of FTP traffic to head office through a second WAN connection, which connects to the company VPN through a Cisco router over which I have no control. The remaining Internet traffic exits via a standard DSL link to the ISP. I do not need link aggregation of the two WAN interfaces.

1) Do I delete /etc/mygate and add routes instead to hostname.xl0 and hostname.fxp0? e.g.,

/etc/hostname.fxp0
inet xxx.xxx.xxx.116 255.255.255.240
!route add 0.0.0.0 xxx.xxx.xxx.113

/etc/hostname.xl0
inet xxx.xxx.xxx.131 255.255.255.192
!route add -net 123.456.789 xxx.xxx.xxx.129

2) I have two rules for NAT in pf.conf.

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

What I am not clear about is how to deal with FTP to head office. I have ftp-proxy running. Do I use route-to on the internal interface before FTP traffic for head office from the LAN has been re-directed to ftp-proxy ...

pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)
pass in quick on $int_if inet proto tcp to port 21 \
    divert-to 127.0.0.1 port 8021

... or on the external interface, after it has been re-directed through ftp-proxy:

pass in quick on $int_if inet proto tcp to port 21 \
    divert-to 127.0.0.1 port 8021
pass out on $ext_if proto tcp from lo0 to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)

?

--
Gerard Lally
Re: Dual WAN with ftp-proxy
Hi Gerard Lally,

i think it won't work like this, as you said:

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)
pass in quick on $int_if inet proto tcp to port 21 \
    divert-to 127.0.0.1 port 8021

the problem is that with divert-to 127.0.0.1 port 8021, the ftp-proxy can only go through the default gateway (fxp0 - WAN interface to ISP - xxx.xxx.xxx.116). so if you don't use the ftp-proxy, it will work for you like that:

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
    port ftp route-to ($ext_if1 $ext_gw1)

here you must use FTP passive mode.

> OpenBSD 5 i386
>
> fxp0 - WAN interface to ISP - xxx.xxx.xxx.116
> xl0 - WAN interface to head office via Cisco VPN - xxx.xxx.xxx.131
> xl1 - LAN interface to internal network - 192.168.1.0/24
>
> I need to route a small amount of FTP traffic to head office through a second WAN connection, which connects to the company VPN through a Cisco router over which I have no control. The remaining Internet traffic exits via a standard DSL link to the ISP. I do not need link aggregation of the two WAN interfaces.
>
> 1) Do I delete /etc/mygate and add routes instead to hostname.xl0 and hostname.fxp0? e.g.,
>
> /etc/hostname.fxp0
> inet xxx.xxx.xxx.116 255.255.255.240
> !route add 0.0.0.0 xxx.xxx.xxx.113
>
> /etc/hostname.xl0
> inet xxx.xxx.xxx.131 255.255.255.192
> !route add -net 123.456.789 xxx.xxx.xxx.129
>
> 2) I have two rules for NAT in pf.conf.
>
> match out on $ext_if1 from $lan_net nat-to ($ext_if1)
> match out on $ext_if2 from $lan_net nat-to ($ext_if2)
>
> What I am not clear about is how to deal with FTP to head office. I have ftp-proxy running. Do I use route-to on the internal interface before FTP traffic for head office from the LAN has been re-directed to ftp-proxy ...
>
> pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
>     port ftp route-to ($ext_if1 $ext_gw1)
> pass in quick on $int_if inet proto tcp to port 21 \
>     divert-to 127.0.0.1 port 8021
>
> ... or on the external interface, after it has been re-directed through ftp-proxy:
>
> pass in quick on $int_if inet proto tcp to port 21 \
>     divert-to 127.0.0.1 port 8021
> pass out on $ext_if proto tcp from lo0 to 123.456.789.xxx \
>     port ftp route-to ($ext_if1 $ext_gw1)
>
> ?
>
> --
> Gerard Lally

--
co...@tetrachina.com
2011-11-15
How to suggest a package?
I see that ii (FIFO-based 'irc it' IRC client) is in the packages, but sic (ii's younger brother) is not. How can I suggest that sic be made into a package for OpenBSD?
Re: How to suggest a package?
On 11/14/11 23:38, James Hozier wrote:
> I see that ii (FIFO-based 'irc it' IRC client) is in the packages, but sic (ii's younger brother) is not. How can I suggest that sic be made into a package for OpenBSD?

You just did. Whether someone who creates ports will do it is another question. There is no formal mechanism to ask for a port.

--STeve Andre'
Special Facebook Marketing Edition this November 25
Internet Marketing Evolution 2011

Single presentation: Join us this November 25 at the event that has positioned itself as the most effective in the country in digital marketing, in which we will learn from the invited experts the Digital Marketing strategy appropriate for our company, one that focuses on short-, medium- and long-term results.

Day by day the digital marketing market requires novel strategies for our company to become one of the leaders in the market of our interest, or to maintain its dominance over the competition.

Company registered with the STPS. Follow us on Twitter @pmscapacitacion or on Facebook, PMS de México.

Request more information! Please reply to this e-mail with the following details.

Company:
Name:
Telephone:
Email:
Number of attendees:

You will shortly receive the complete information about this unparalleled event. Call our telephone numbers and one of our executives will gladly assist you. Telephones: (0133) 8851-2365, (0133) 8851-2741. 10 lines at your service.

Copyright (C) 2011, PMS Capacitación Efectiva de México S.C. All rights reserved. PMS de México and the PMS de México logo are registered trademarks.

WARNING: PMS de México has no strategic alliances of any kind within the Mexican Republic. DON'T BE FOOLED - SAY NO TO PIRACY. All logos, trademarks and images are the property of their respective corporations and are used for informational purposes only.

This message has been sent to misc@openbsd.org as a user of PMS de México, or because a user referred you to receive this newsletter. As a user of PMS de México, you hereby expressly authorize PMS de México to contact you by e-mail or other means. If you have received this message in error, ignore it and report your account by replying to this e-mail with the subject BAJAINTERNET. Unsubscribe to this mailing list, reply a blank message with the subject UNSUBSCRIBE BAJAINTERNET. Please note that the management of our databases is of the utmost importance to us and it is not the company's intention to cause the recipient any displeasure.
Re: How to suggest a package?
On 15/11/2011, at 6:03 PM, STeve Andre' wrote:
> On 11/14/11 23:38, James Hozier wrote:
>> I see that ii (FIFO-based 'irc it' IRC client) is in the packages, but sic (ii's younger brother) is not. How can I suggest that sic be made into a package for OpenBSD?
>
> You just did. Whether someone who creates ports will do it is another question. There is no formal mechanism to ask for a port.
>
> --STeve Andre'

And from what I've seen, your suggestion will carry more weight if you attach a port (or at least make a good go at it) and mail it to ports@. But if you should ask on ports@ first, somebody *might* already be working on a port.

HTH