question about CARP/Trunk

2011-12-11 Thread Илья Шипицин
Hello!

We are using Linux bonding (the thing called "trunk" in OpenBSD), and
there is a very interesting feature called "arp_ip_target": a custom IP
is monitored via several links.

Can OpenBSD CARP or trunk work that way?

cheers,
Ilya Shipitsin



Re: Jan

2011-12-11 Thread Eric Oyen
That is sage advice for any of us.

I, myself, got more than a little help here and got some good suggestions
(including some hardware I forgot about). I think next month I will get a
frame-grabber device with a built-in Ethernet port that can also manage BIOS and
PCU tasks.

Reading never hurts and it is never a dumb thing to ask questions, especially
if you are getting confused by some of the more technical prose that can
populate a man page. :)

-eric

On Dec 11, 2011, at 11:26 PM, Zeb Packard wrote:

> John Tate,
>
> Consider living a life of service, instead of complaining that the
> list has not helped you enough, try to figure out what you can do to
> better serve the list. So, work more before hitting the list, don't
> panic, give it a day or two. Read the archives and relevant man pages
> always, then if necessary make your question to the list as concise
> and accurate as possible, for people who might have the same problem
> in the future.
>
> Zeb



Re: Jan

2011-12-11 Thread Zeb Packard
John Tate,

Consider living a life of service, instead of complaining that the
list has not helped you enough, try to figure out what you can do to
better serve the list. So, work more before hitting the list, don't
panic, give it a day or two. Read the archives and relevant man pages
always, then if necessary make your question to the list as concise
and accurate as possible, for people who might have the same problem
in the future.

Zeb



Re: ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-11 Thread Pavel Shvagirev
You are right. The better way would be buying bigger storage,
rather than waiting for that stripe to die =) Although
concatenation was what I intended to play with.

Anyway thank you all for participating. I have fully resolved all my
questions.

12.12.2011 04:53, Josh Grosse wrote:
> Obviously, an optimal solution would be concatenation.  Since that does not
> exist, the closest matching solution without ccd(4) is RAID0.  And no, I 
> haven't tried it; what I wrote was nothing more than a thought experiment.

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-11 Thread Josh Grosse
On Fri, Dec 09, 2011 at 11:36:04AM +0100, Benny Lofgren wrote:
[snip]
> > wd1 =  80 GB, two 40GB partitions
> > wd2 = 120 GB, three 40GB partitions
> > Something like this should work:
> > # bioctl -c 0 -l /dev/wd1a,/dev/wd1d,/dev/wd2a,/dev/wd2d,/dev/wd2e softraid0
> 
> Out of curiosity, have you actually tried something like this? While I'm
> sure it works technically, I'd imagine the performance would be abysmal.

Obviously, an optimal solution would be concatenation.  Since that does not
exist, the closest matching solution without ccd(4) is RAID0.  And no, I 
haven't tried it; what I wrote was nothing more than a thought experiment.
 
> Think about it: When writing a chunk of data, the first part goes to one
> part of the first disk, the next part goes to another part, 40 gigs away,
> then the second disk gets three writes, all separated by long platter
> distances requiring large seek times for *every* write.

The optimal solution would be either a larger disk or an array of smaller
disks of the same size.  If this is a lightly loaded working set, the
abysmal performance might possibly be acceptable.  Interleaving the partitions
in the device list may give slightly better performance, though I would 
agree with you, with any significant I/O rate, this may not be a usable
solution.  As I wrote earlier in this thread, this may or may not meet the OP's
needs.  If not, the appropriate solution is either alternative hardware or 
an alternative OS.
 
> Also, striping or concatenation without redundancy is generally a very,
> very bad idea for anything but temporary data you can live without...

I agree with you.  I've never used RAID 0 arrays for anything other than 
temporary data space; nested arrays such as "RAID 10" provide availability 
and redundancy that RAID 0 does not, yet can provide similar performance
characteristics.  (Personally, I'd have preferred if Berkeley had come up
with some other term than "RAID 0", more indicative of its purpose.)



Re: Jan

2011-12-11 Thread Marcos Ariel Laufer
I guess you will have to learn the hardest and best way then. On your own.


John Tate wrote:
> I will also add that if I am asking stupid questions then by axiom (look it
> up in a dictionary) I AM SAYING I AM LEARNING. You tool!
>
> On Mon, Dec 12, 2011 at 9:17 AM, John Tate  wrote:
>
>   
>> I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here,
>> I'll put this on the list.
>>
>> I am John Norman Tate born September 1987 to two loving parents and the
>> only part of OpenBSD I think I am good with is using it in accordance with
>> the manuals when I read them properly. I also understand the security
>> principles pretty well, I've read Hacking: The Art of Exploitation and
>> understood its content. I trust OpenBSD like a man of faith trusts his
>> religion's guidance. I think that pisses you off, but you've imagined
>> everything else. I keep saying: I am learning, not learned. You're just
>> trying to assassinate my character by making arbitrary claims you hope
>> others will not check! It will not work.
>> --
>> www.johntate.org



Re: Jan

2011-12-11 Thread Rod Whitworth
On Mon, 12 Dec 2011 10:54:36 +1100, richo wrote:

Quoting the current resident full-of-himself little shit.

I have a filter that sends stuff from him to /dev/null but he keeps
getting answers that raise his google rating because you all go on
quoting him.

He is an oxygen thief - don't give him any more, please.
Zero replies will do the best job.

Thanks,

*** NOTE *** Please DO NOT CC me. I subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: Jan

2011-12-11 Thread richo
>> On Mon, Dec 12, 2011 at 9:17 AM, John Tate  wrote:
>>> I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here,
>>> I'll put this on the list.
>>> ^^

On 12/12/11 09:21 +1100, John Tate wrote:
>Whoops, I hate gmail sometimes. That was for Jan
>

orly?

I fixed your top post. Again.

Please stop making noise: your semi-legitimate (if poorly thought out)
technical question threads blowing up is one thing, but this and the narcissism
thread are purely masturbatory.

Please stop.

--
richo || Today's excuse:

A star wars satellite accidently blew up the WAN.
http://blog.psych0tik.net




Re: What is wrong with this pf config

2011-12-11 Thread richo
On 12/12/11 05:43 +1100, John Tate wrote:
>It's just whining! Perhaps it should only do it if it has an Internet IP
>address, not a LAN or WAN one, involved.
>

Knowing what you're doing in the first place would help.

Alternately, if you're so hellbent on sanity checking your own config, I
would write a script that inspects a dump of your pf rules and yells at /you/
if you're missing what /you/ need.

Then make it configurable and send it to ports@

--
richo || Today's excuse:

doppler effect
http://blog.psych0tik.net


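As an added example of the script richo suggests above (one that inspects a dump of the loaded rules and warns when the policy you expect is missing), here is a small checker. It is not code from this thread or from OpenBSD. It parses the normalized form that `pfctl -sr` prints, looks for a catch-all inbound block rule, and also flags non-quick inbound pass rules that appear before that block, because pf's last matching rule wins and such rules are silently overridden. The sample rulesets are constructed for the demonstration.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rulesets in the normalized form `pfctl -sr` prints
# (not taken from the original post). In pf the last matching rule wins
# unless a rule is marked "quick".
SAMPLE_OK = """\
block drop in all
pass out quick all flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
pass in on xl0 all flags S/SA
"""

SAMPLE_MISSING_BLOCK = """\
pass out quick all flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
"""

SAMPLE_SHADOWED = """\
pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
block drop in all
"""

# pf prints filter rules as:
#   action [drop|return...] [in|out] [log(...)] [quick] [on iface] <rest>
RULE_RE = re.compile(
    r"^(?P<action>pass|block|match)\b"
    r"(?:\s+(?:drop|return(?:-rst|-icmp6?)?(?:\([^)]*\))?))?"
    r"(?:\s+(?P<dir>in|out)\b)?"
    r"(?:\s+log(?:\s*\([^)]*\))?)?"
    r"(?:\s+(?P<quick>quick)\b)?"
    r"(?:\s+on\s+(?P<iface>!?\s*\S+))?"
    r"\s+(?P<rest>.*)$"
)


@dataclass
class Rule:
    lineno: int
    action: str
    direction: Optional[str]   # None: rule applies to both directions
    quick: bool
    iface: Optional[str]
    rest: str

    def applies_inbound(self) -> bool:
        return self.direction in (None, "in")

    def is_default_inbound_block(self) -> bool:
        # "block in all" / "block all" with no interface restriction
        return (self.action == "block" and self.applies_inbound()
                and self.iface is None and self.rest == "all")


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m:
            continue   # anchors, "set" options, comments: not filter rules
        rules.append(Rule(n, m["action"], m["dir"], m["quick"] is not None,
                          m["iface"], m["rest"].strip()))
    return rules


def audit(text: str) -> List[str]:
    """Return findings; an empty list means a default inbound block exists
    and no non-quick inbound pass rule is overridden by it."""
    rules = parse_rules(text)
    blocks = [r for r in rules if r.is_default_inbound_block()]
    if not blocks:
        return ["no default inbound block rule (e.g. 'block in all')"]
    last_block = blocks[-1]
    findings = []
    for r in rules:
        if (r.action == "pass" and r.applies_inbound() and not r.quick
                and r.lineno < last_block.lineno):
            findings.append(
                f"line {r.lineno}: inbound pass rule precedes the default "
                f"block on line {last_block.lineno} and is shadowed by it "
                f"(last match wins)")
    return findings


if __name__ == "__main__":
    # On a live system:  pfctl -sr | python3 pfaudit.py
    problems = audit(sys.stdin.read())
    for p in problems:
        print("WARNING:", p)
    sys.exit(1 if problems else 0)
```

Because the checker reads the kernel's view of the rules rather than pf.conf, it also catches rules hidden behind macros or included anchors; it exits non-zero only in your own script, which sidesteps the objection raised in this thread about changing pfctl's exit status.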


Re: Jan

2011-12-11 Thread John Tate
I will also add that if I am asking stupid questions then by axiom (look it
up in a dictionary) I AM SAYING I AM LEARNING. You tool!

On Mon, Dec 12, 2011 at 9:17 AM, John Tate  wrote:

> I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here,
> I'll put this on the list.
>
> I am John Norman Tate born September 1987 to two loving parents and the
> only part of OpenBSD I think I am good with is using it in accordance with
> the manuals when I read them properly. I also understand the security
> principles pretty well, I've read Hacking: The Art of Exploitation and
> understood its content. I trust OpenBSD like a man of faith trusts his
> religion's guidance. I think that pisses you off, but you've imagined
> everything else. I keep saying: I am learning, not learned. You're just
> trying to assassinate my character by making arbitrary claims you hope
> others will not check! It will not work.
> --
> www.johntate.org
>



-- 
www.johntate.org



Re: Jan

2011-12-11 Thread John Tate
Whoops, I hate gmail sometimes. That was for Jan

On Mon, Dec 12, 2011 at 9:21 AM, John Tate  wrote:

> In other words: stop wasting your breath I'm never leaving. If they kick
> me out, well, I'll use seven proxies!
>
>
> On Mon, Dec 12, 2011 at 9:17 AM, John Tate  wrote:
>
>> I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here,
>> I'll put this on the list.
>>
>> I am John Norman Tate born September 1987 to two loving parents and the
>> only part of OpenBSD I think I am good with is using it in accordance with
>> the manuals when I read them properly. I also understand the security
>> principles pretty well, I've read Hacking: The Art of Exploitation and
>> understood its content. I trust OpenBSD like a man of faith trusts his
>> religion's guidance. I think that pisses you off, but you've imagined
>> everything else. I keep saying: I am learning, not learned. You're just
>> trying to assassinate my character by making arbitrary claims you hope
>> others will not check! It will not work.
>>  --
>> www.johntate.org
>>
>
>
>
> --
> www.johntate.org
>



-- 
www.johntate.org



Re: Jan

2011-12-11 Thread John Tate
In other words: stop wasting your breath I'm never leaving. If they kick me
out, well, I'll use seven proxies!

On Mon, Dec 12, 2011 at 9:17 AM, John Tate  wrote:

> I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here,
> I'll put this on the list.
>
> I am John Norman Tate born September 1987 to two loving parents and the
> only part of OpenBSD I think I am good with is using it in accordance with
> the manuals when I read them properly. I also understand the security
> principles pretty well, I've read Hacking: The Art of Exploitation and
> understood its content. I trust OpenBSD like a man of faith trusts his
> religion's guidance. I think that pisses you off, but you've imagined
> everything else. I keep saying: I am learning, not learned. You're just
> trying to assassinate my character by making arbitrary claims you hope
> others will not check! It will not work.
> --
> www.johntate.org
>



-- 
www.johntate.org



Jan

2011-12-11 Thread John Tate
I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here,
I'll put this on the list.

I am John Norman Tate born September 1987 to two loving parents and the
only part of OpenBSD I think I am good with is using it in accordance with
the manuals when I read them properly. I also understand the security
principles pretty well, I've read Hacking: The Art of Exploitation and
understood its content. I trust OpenBSD like a man of faith trusts his
religion's guidance. I think that pisses you off, but you've imagined
everything else. I keep saying: I am learning, not learned. You're just
trying to assassinate my character by making arbitrary claims you hope
others will not check! It will not work.
-- 
www.johntate.org



Re: What is wrong with this pf config

2011-12-11 Thread Marc Espie
On Mon, Dec 12, 2011 at 06:59:12AM +1100, John Tate wrote:
> I remember last time I was using OpenBSD (I  had a hiatus)
^^^

Sounds like a good idea.

Can you do the same thing with misc@ ?

okthxbye



Re: What is wrong with this pf config

2011-12-11 Thread Andres Perera
On Sun, Dec 11, 2011 at 4:29 PM, John Tate  wrote:
>
>
> On Mon, Dec 12, 2011 at 7:47 AM, Andres Perera  wrote:
>>
>> On Sun, Dec 11, 2011 at 3:29 PM, John Tate  wrote:
>> > I am not replying to every thread on the list. You either have me
>> > confused
>> > with someone else or there is some kind of imposter or person with a
>> > similar name. I'm confused I should say. This was something constructive
>> > to
>> > say regardless, it was an idea. I remember last time I was using OpenBSD
>> > (I
>> > had a hiatus) and mmap changes broke a lot of ports. There is supposed
>> > to
>> > be an emphasis on security, not your scripts. OpenBSD warns about
>> > mistakes,
>> > it emails you about your mistakes, and it could point out this mistake
>> > as
>> > well.
>>
>> not having "block" as default isn't really a mistake, unless pfctl can
>> read your mind
>>
>> if you don't have daemons listening then what's the point of blocking
>> ports?
>
> If you don't have daemons listening then why the hell are you using an
> operating system with so much security on networks.

because i might be a desktop user

i use obsd on my main machine and a netbook

the netbook normally doesn't have any daemons listening outside
localhost, but i still use pf for other reasons, such as managing
routing domains

pf has queue and logging functions as well... not every config is going
to center around ACLs

even for those that have daemons facing hostile networks, their admins
may choose a black list policy instead

>>
>>
>> just an example of many situations that could occur
>>
>> >
>> > On Mon, Dec 12, 2011 at 5:55 AM, James Shupe  wrote:
>> >
>> >> No. Modifying a general purpose tool for a specific (albeit common) use
>> >> case is stupid. Any properly implemented warning would cause pfctl to
>> >> exit non-zero, which would break automated scripts that check the exit
>> >> code of pfctl. You would have to add a whole new option to ignore your
>> >> specific use case, and even that would require modifying existing
>> >> scripts.
>> >>
>> >> I wish they would ban you from this list already. I'm sick of seeing
>> >> your reply to every thread when you never have anything constructive to
>> >> say.
>> >>
>> >
>> > I am not replying to every thread on the list. You either have me
>> > confused
>> > with someone else or there is some kind of imposter or person with a
>> > similar name. I'm confused I should say. This was something constructive
>> > to
>> > say regardless, it was an idea. I remember last time I was using OpenBSD
>> > (I
>> > had a hiatus) and mmap changes broke a lot of ports. There is supposed
>> > to
>> > be an emphasis on security, not your scripts. OpenBSD warns about
>> > mistakes,
>> > it emails you about your mistakes, and it could point out this mistake
>> > as
>> > well.
>> >
>> > Perhaps it could be for security(8) to do instead actually. I don't
>> > know, I
>> > didn't design the fucking system, it was just a suggestion.
>> >
>> >
>> >> On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
>> >> > It's just whining! Perhaps it should only do it if it has an Internet
>> >> > IP
>> >> > address, not a LAN or WAN one, involved.
>> >> >
>> >> > On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson wrote:
>> >> >
>> >> > > 2011/12/11 John Tate 
>> >> > >
>> >> > >>
>> >> > >> So I have a suggestion worth considering, if the line "block in
>> >> > >> all"
>> >> does
>> >> > >> not appear pfctl -nf should perhaps spit out a warning. Much like
>> >> you've
>> >> > >> done with your pretty compilers over there.
>> >> > >>
>> >> > >>
>> >> > > There are still lots of reasons to run PF even if you don't want
>> >> "block in
>> >> > > all" for a default, so whining on all the other uses you couldn't
>> >> imagine
>> >> > > would not be very productive.
>> >> > >
>> >> > > --
>> >> > > To our sweethearts and wives. May they never meet. -- 19th
>> >> > > century
>> >> toast
>> >>
>> >>
>> >
>> >
>> > --
>> > www.johntate.org
>> >
>
>
>
>
> --
> www.johntate.org



Re: What is wrong with this pf config

2011-12-11 Thread Andres Perera
On Sun, Dec 11, 2011 at 3:29 PM, John Tate  wrote:
> I am not replying to every thread on the list. You either have me confused
> with someone else or there is some kind of imposter or person with a
> similar name. I'm confused I should say. This was something constructive to
> say regardless, it was an idea. I remember last time I was using OpenBSD (I
> had a hiatus) and mmap changes broke a lot of ports. There is supposed to
> be an emphasis on security, not your scripts. OpenBSD warns about mistakes,
> it emails you about your mistakes, and it could point out this mistake as
> well.

not having "block" as default isn't really a mistake, unless pfctl can
read your mind

if you don't have daemons listening then what's the point of blocking ports?

just an example of many situations that could occur

>
> On Mon, Dec 12, 2011 at 5:55 AM, James Shupe  wrote:
>
>> No. Modifying a general purpose tool for a specific (albeit common) use
>> case is stupid. Any properly implemented warning would cause pfctl to
>> exit non-zero, which would break automated scripts that check the exit
>> code of pfctl. You would have to add a whole new option to ignore your
>> specific use case, and even that would require modifying existing
>> scripts.
>>
>> I wish they would ban you from this list already. I'm sick of seeing
>> your reply to every thread when you never have anything constructive to
>> say.
>>
>
> I am not replying to every thread on the list. You either have me confused
> with someone else or there is some kind of imposter or person with a
> similar name. I'm confused I should say. This was something constructive to
> say regardless, it was an idea. I remember last time I was using OpenBSD (I
> had a hiatus) and mmap changes broke a lot of ports. There is supposed to
> be an emphasis on security, not your scripts. OpenBSD warns about mistakes,
> it emails you about your mistakes, and it could point out this mistake as
> well.
>
> Perhaps it could be for security(8) to do instead actually. I don't know, I
> didn't design the fucking system, it was just a suggestion.
>
>
>> On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
>> > It's just whining! Perhaps it should only do it if it has an Internet IP
>> > address, not a LAN or WAN one, involved.
>> >
>> > On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson wrote:
>> >
>> > > 2011/12/11 John Tate 
>> > >
>> > >>
>> > >> So I have a suggestion worth considering, if the line "block in all"
>> does
>> > >> not appear pfctl -nf should perhaps spit out a warning. Much like
>> you've
>> > >> done with your pretty compilers over there.
>> > >>
>> > >>
>> > > There are still lots of reasons to run PF even if you don't want
>> "block in
>> > > all" for a default, so whining on all the other uses you couldn't
>> imagine
>> > > would not be very productive.
>> > >
>> > > --
>> > > To our sweethearts and wives. May they never meet. -- 19th century
>> toast
>>
>>
>
>
> --
> www.johntate.org



Re: What is wrong with this pf config

2011-12-11 Thread John Tate
I am not replying to every thread on the list. You either have me confused
with someone else or there is some kind of imposter or person with a
similar name. I'm confused I should say. This was something constructive to
say regardless, it was an idea. I remember last time I was using OpenBSD (I
had a hiatus) and mmap changes broke a lot of ports. There is supposed to
be an emphasis on security, not your scripts. OpenBSD warns about mistakes,
it emails you about your mistakes, and it could point out this mistake as
well.

On Mon, Dec 12, 2011 at 5:55 AM, James Shupe  wrote:

> No. Modifying a general purpose tool for a specific (albeit common) use
> case is stupid. Any properly implemented warning would cause pfctl to
> exit non-zero, which would break automated scripts that check the exit
> code of pfctl. You would have to add a whole new option to ignore your
> specific use case, and even that would require modifying existing
> scripts.
>
> I wish they would ban you from this list already. I'm sick of seeing
> your reply to every thread when you never have anything constructive to
> say.
>

I am not replying to every thread on the list. You either have me confused
with someone else or there is some kind of imposter or person with a
similar name. I'm confused I should say. This was something constructive to
say regardless, it was an idea. I remember last time I was using OpenBSD (I
had a hiatus) and mmap changes broke a lot of ports. There is supposed to
be an emphasis on security, not your scripts. OpenBSD warns about mistakes,
it emails you about your mistakes, and it could point out this mistake as
well.

Perhaps it could be for security(8) to do instead actually. I don't know, I
didn't design the fucking system, it was just a suggestion.


> On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
> > It's just whining! Perhaps it should only do it if it has an Internet IP
> > address, not a LAN or WAN one, involved.
> >
> > On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson wrote:
> >
> > > 2011/12/11 John Tate 
> > >
> > >>
> > >> So I have a suggestion worth considering, if the line "block in all"
> does
> > >> not appear pfctl -nf should perhaps spit out a warning. Much like
> you've
> > >> done with your pretty compilers over there.
> > >>
> > >>
> > > There are still lots of reasons to run PF even if you don't want
> "block in
> > > all" for a default, so whining on all the other uses you couldn't
> imagine
> > > would not be very productive.
> > >
> > > --
> > >  To our sweethearts and wives.  May they never meet. -- 19th century
> toast
>
>


-- 
www.johntate.org



Re: What is wrong with this pf config

2011-12-11 Thread James Shupe
No. Modifying a general purpose tool for a specific (albeit common) use
case is stupid. Any properly implemented warning would cause pfctl to
exit non-zero, which would break automated scripts that check the exit
code of pfctl. You would have to add a whole new option to ignore your
specific use case, and even that would require modifying existing
scripts.

I wish they would ban you from this list already. I'm sick of seeing
your reply to every thread when you never have anything constructive to
say.

On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
> It's just whining! Perhaps it should only do it if it has an Internet IP
> address, not a LAN or WAN one, involved.
> 
> On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson wrote:
> 
> > 2011/12/11 John Tate 
> >
> >>
> >> So I have a suggestion worth considering, if the line "block in all" does
> >> not appear pfctl -nf should perhaps spit out a warning. Much like you've
> >> done with your pretty compilers over there.
> >>
> >>
> > There are still lots of reasons to run PF even if you don't want "block in
> > all" for a default, so whining on all the other uses you couldn't imagine
> > would not be very productive.
> >
> > --
> >  To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: What is wrong with this pf config

2011-12-11 Thread John Tate
It's just whining! Perhaps it should only do it if it has an Internet IP
address, not a LAN or WAN one, involved.

On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson wrote:

> 2011/12/11 John Tate 
>
>>
>> So I have a suggestion worth considering, if the line "block in all" does
>> not appear pfctl -nf should perhaps spit out a warning. Much like you've
>> done with your pretty compilers over there.
>>
>>
> There are still lots of reasons to run PF even if you don't want "block in
> all" for a default, so whining on all the other uses you couldn't imagine
> would not be very productive.
>
> --
>  To our sweethearts and wives.  May they never meet. -- 19th century toast
>



-- 
www.johntate.org



Re: What is wrong with this pf config

2011-12-11 Thread Janne Johansson
2011/12/11 John Tate 

>
> So I have a suggestion worth considering, if the line "block in all" does
> not appear pfctl -nf should perhaps spit out a warning. Much like you've
> done with your pretty compilers over there.
>
>
There are still lots of reasons to run PF even if you don't want "block in
all" for a default, so whining on all the other uses you couldn't imagine
would not be very productive.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: using ssh to forward the install console

2011-12-11 Thread Chris Bennett
This is the setup I use to upgrade and install on my remote server.
It works great. This would probably be a good purchase since you
could use it again in the future on other, later systems.
Chris Bennett

On Sat, Dec 10, 2011 at 11:15:15PM -0600, Corey wrote:
> On 12/07/2011 01:47 PM, Eric Oyen wrote:
> >hello group.
> >
> >I have an interesting (and fairly technical) question.
> >
> >the question is: how can I forward the install screen via ssh to another
> >machine on my network? I ask this because I didn't see any specific
> >instructions that applied. my issue right now is that I need a sighted
> >assistant to read me the screen and help with  installing the base system 
> >(and
> >setting up ssh).
> >
> >I would like to run the install like from a serial port output (like the old
> >SPARC pizza boxes) but none of my current machines have a serial port to do
> >this on.
> >
> >comments? suggestions?
> >
> >-eric
> >
> If you don't require the serial console, maybe you can use an IP KVM
> appliance?
> 
> They still cost some money, but the cheapest one I've found is on
> sale for $200 US right now:
> 
> http://www.lantronix.com/it-management/kvm-over-ip/securelinx-spiderduo.html
> 
> It's basically an embedded OS (Linux, probably) running on an ARM or
> something with a frame grabber for the video and USB and legacy
> keyboard and mouse ports. Gives you BIOS-level access to the box



Re: What is wrong with this pf config

2011-12-11 Thread John Tate
Now you can all laugh at me!

After fixing this one, and getting everything working on my second attempt
from scratch I forgot to put 'block in all' so if you portscanned me just
an hour ago I had EVERYTHING open. I used nmap on myself from my virtual
private server. Oh shame.

So I have a suggestion worth considering, if the line "block in all" does
not appear pfctl -nf should perhaps spit out a warning. Much like you've
done with your pretty compilers over there.

The third attempt sure is nice though...

int_if="xl0"       # LAN side
ext_if="pppoe0"    # Internet side (PPPoE over the modem link)
mod_if="fxp0"      # link to the modem's own management interface

thenetwrk="10.0.0.0/8"
rothbard="10.0.0.10"
baal="10.0.0.2"
smass="10.0.0.1"

tcp_services = "{22}"
icmp_types = "echoreq"

ports_rothbard = "{17000,17001,17002,17003,17004,17005,2322}"
ports_smass = "{17100,17101,17102,17103,17104,17105}"

set block-policy return #This might perform better as drop.
set loginterface $ext_if
set skip on lo
set skip on $mod_if #lets anything chat with the modem.

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

match out on $ext_if from $int_if:network to any nat-to ($ext_if)

# Default deny inbound, allow everything outbound. Later rules override
# earlier ones (last match wins) unless they are marked "quick".
block in
pass out quick
antispoof quick for { lo $int_if }

# Services offered on the external address.
pass in on $ext_if inet proto tcp from any to (egress) \
    port $tcp_services
# Port forwards to internal hosts.
pass in on egress inet proto tcp from any to (egress) \
    port $ports_rothbard rdr-to $rothbard
pass in on egress inet proto tcp from any to (egress) \
    port $ports_smass rdr-to $smass

pass in inet proto icmp all icmp-type $icmp_types

# Trust the LAN.
pass in on $int_if

-- 
www.johntate.org



Re: N2K8 Hackathon article - sshd - MaxSession

2011-12-11 Thread Cani Miroslav
Hello,
thank you very much, I appreciate your answer.
Yes, I've found the additional config needed in ssh_config (client) regarding
ControlMaster.
But generally speaking (just what I think), I cannot force every user to use
ControlMaster, because they don't have to.
And if they don't set ControlMaster they can establish more sessions within
one TCP session.
Another problem is that clients are using Windows workstations with e.g. the
PuTTY application, so there is no ControlMaster option.
So what's my general purpose: restrict the number of sessions within one TCP
session for independent clients (mostly Windows) who are connecting to my
server.
It has come to my mind to use pf because I know there is a max-src-conn
parameter,
but I think this parameter just restricts TCP sessions, so pf doesn't see
channels inside TCP sessions.
I hope you understand. Thank you.

Miro





2011/12/11 Mark Uemura 

> Dear Miro,
>
> Sorry for the late reply on this.  The sshd_config man page shows:
>
>  MaxSessions
>  Specifies the maximum number of open sessions permitted per
>  network connection.  The default is 10.
>
> The above is per connection which is controlled by the "ControlMaster"
> keyword in the client.  So, if you don't want to have multiple sessions in
> the same TCP session, just make sure that you set:
>
> ControlMaster no
>
> in your ~/.ssh/config file.
>
> However, this doesn't stop you from creating another session.  The above
> just ensures that you don't use an existing network session.  If you want
> to restrict a user to just one network connection, you may want to look at
> "authpf" and/or "pf" can also do this sort of thing with "max-src-conn
> ".
>
> I hope that this helps.  If you need more help, please post a question to
> "misc@" as this the kind of question that should be asked there.
>
> Happy holidays!
>
> Best regards,
>
> Mark
>
> Begin forwarded message:
>
> From: Cani Miroslav 
> Subject: N2K8 Hackathon article - sshd - MaxSession
> Date: 30 November, 2011 3:00:23 AM GMT+09:00
> To: supp...@openbsd-support.com
>
> Hello,
>
> I'm sorry I write just like that. I had found the Network Hackathon (Part
> 3) article when I was looking for my solution and there is a link connected
> with Mark Uemura.
> So I write to this email, I hope to the correct one.
> I have a problem with the "MaxSessions" parameter in sshd and I've found that
> you guys were talking about it in this article.
> I would like to restrict the number of sessions via one ssh connection. For
> example for TCP forwarding.
> When I set MaxSessions to 0, logons are not working (that's fine, it works)
> but when I set it to 1 I can have multiple sessions via one ssh connection, and
> setting it to 2 or more has no effect as well then.
> Maybe you can direct me to the right solution.
> I test it like this: open an ssh connection from PuTTY (Windows) to the server (BSD).
> Port forwarding is in use (http). So I use SOCKS in the browser.
> I download two files simultaneously
> from
> two different websites and it's working for both through this tunnel, but it
> should not (MaxSessions is set to 1).
> sshd - OpenSSH 5.2 portable for FreeBSD
> OS - FBSD 6.2
> Thank you for any help.
>
> Miro

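An added configuration example for the point this exchange turns on; it is not from the thread or from the OpenSSH project. MaxSessions bounds the number of session channels (shell, exec, and subsystems such as sftp) that one network connection may hold open; channels carrying forwarded ports are not session channels and are not counted, which is why two parallel downloads through a single tunnel succeed with MaxSessions set to 1. Limiting the tunnel therefore means limiting forwarding itself, and limiting the number of TCP connections per client is pf's job (max-src-conn, as Mark mentions). The group name and destination below are assumptions.

```sshd_config
# Server side (sshd_config). Order matters: Match blocks must come last.

# One shell/exec/subsystem channel per TCP connection. This does NOT limit
# forwarded-port channels, so on its own it does not restrict tunnelling.
MaxSessions 1

# The control that actually stops tunnelling: no port forwarding for
# ordinary accounts (also consider PermitTunnel no and X11Forwarding no).
AllowTcpForwarding no

# Accounts that need a tunnel get forwarding only to listed destinations.
# "tunnelusers" and 10.0.0.2:80 are assumed values for the example.
Match Group tunnelusers
    AllowTcpForwarding local
    PermitOpen 10.0.0.2:80
```

After editing, run `sshd -t` to syntax-check the file before restarting, and `sshd -T -C user=alice` (any existing account) to see the effective values the Match block produces for that user.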


Re: Last Warning Notification

2011-12-11 Thread Pavel Shvagirev
:-D :-D
what a kind Webmaster of the Universe

(sorry for offtopic ;) )

11.12.2011 14:18, Webmaster wrote:
> that we have upgraded your server to a
> more reliable and efficient server to serve you better.

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



OpenSMTPD + milter

2011-12-11 Thread Vadim Agarkov

Hello,

According to one of the replies to an article on undeadly 
(http://undeadly.org/cgi?action=article&sid=20081112084647&pid=8), 
there were plans to implement a sendmail-like "milter" capability in 
OpenSMTPD. Could someone please provide a status update on this? 
Gilles?


--
Thanks,
Vadim Agarkov