Re: starting nsd via rc.d shows OK but not running
On Thu, Feb 16, 2012 at 06:47:05PM -0500, Jiri B wrote:
> On Sat, Feb 04, 2012 at 09:27:53PM +, Stuart Henderson wrote:
> > as to the rc.d thing; the daemon *does* start and is running when
> > rc_check examines it, but exits afterwards.
>
> # cat -n /etc/rc.d/rc.subr | sed -n '117,129p'
>    117  while true; do # no real loop, only needed to break
>    118          if type rc_pre >/dev/null; then
>    119                  rc_do rc_pre || break
>    120          fi
>    121          # XXX only checks the status of the return code,
>    122          # and _not_ that the daemon is actually running
>    123          rc_do rc_start || break
>    124          if [ -n "${_bg}" ]; then
>    125                  sleep 1
>    126                  rc_do rc_wait start || break
>    127          fi
>    128          rc_do rc_write_runfile
>    129          rc_exit ok
>
> Not true, there's no rc_check at all. Any idea what's the logic behind?
>
> Reporting 'ok' has no real sense. I understand that my own problem was
> configuration, true, but having no check and just echoing 'ok' is strange
> to me.

It is impossible to report whether start was OK in a _timely_ fashion and
without false positives. Some daemons can run for like 20 or 30 seconds
spawning stuff, making checks... then exit because there is in fact a
problem. See the comments on lines 121 and 122. "ok" means the daemon was
started and the return code was ok.

-- 
Antoine
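As an added illustration of the point made in this thread (this is not code from OpenBSD's rc.subr), the sh script below models the quoted start path with a stand-in daemon that forks successfully and exits a few seconds later, beside a variant that re-examines the process after a grace period. fake_daemon, RUNDIR, the pidfile and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example, not OpenBSD's rc.subr: why "ok" only means "rc_start
# returned 0", and what a later liveness check would report instead.

# Constructed stand-in for /var/run.
RUNDIR=${RUNDIR:-$(mktemp -d 2>/dev/null || echo /tmp)}
PIDFILE="$RUNDIR/fake.pid"

# Hypothetical daemon: detaches (double fork), records its pid, runs for
# $1 seconds "spawning stuff, making checks", then exits because there is
# in fact a problem, removing its pidfile on the way out.
fake_daemon() {
    (
        (sleep "$1"; rm -f "$PIDFILE") &
        echo $! > "$PIDFILE"
    )
    # The fork succeeded, so the caller sees status 0 regardless of
    # what happens to the daemon afterwards.
}

# Liveness check: a pidfile must exist and its process must still be there
# (kill -0 sends no signal, it only tests that the pid can be signalled).
rc_check() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Model of rc.subr lines 121-129: only the return status of the start
# command is examined, then (for _bg daemons) sleep 1, then "ok".
start_like_rc_subr() {        # $1 = seconds the daemon survives
    fake_daemon "$1" || { echo "(failed)"; return 1; }
    sleep 1
    echo "(ok)"
    return 0
}

# Variant that waits $2 seconds and then verifies the daemon is still
# running. Note the trade-off Antoine describes: a longer grace period
# means a slower "ok", a shorter one still misses late failures.
start_then_verify() {          # $1 = daemon lifetime, $2 = grace period
    fake_daemon "$1" || { echo "(failed)"; return 1; }
    sleep "$2"
    rc_check || { echo "(failed: daemon exited after start)"; return 1; }
    echo "(ok)"
    return 0
}

# Cleanup for the example: stop whatever the last start left behind.
stop_fake() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
}

# Usage: start_like_rc_subr 1 prints "(ok)" although the daemon is gone a
# second later; start_then_verify 1 2 reports the failure instead.
```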
Re: Re : vpn isakmpd ipsec, one side with only one interface
I know ssh works also very well. But the company has requirements: ipsec vpn with specific phase 1 and 2...

Wesley.

On Thu, 16 Feb 2012 19:18:09 + (GMT), Mik J wrote:
> Hello,
>
> I have this configuration working without any bridge.
> Openbsd rl0 <- LAN1 -> Router <- Internet -> RemoteFW <- LAN 2 -> SomeDevice
> My PC is connected to a LAN1 switch, and it's able to ssh SomeDevice. As you can
> see my OpenBSD has just one interface and the VPN is mounted between OpenBSD and
> RemoteFW.
>
> - Original message -
>> From: Wesley M.
>> To: Markus Wernig
>> Cc: misc@openbsd.org
>> Sent: Thursday 16 February 2012 15:59
>> Subject: Re: vpn isakmpd ipsec, one side with only one interface
>>
>> I have it working ;-)
>> What i have done :
>> Create a vether0 with : inet 172.17.2.21 255.255.255.0
>> Create a bridge0, add to it vether0 and the physical card...
>> PF : filter the bridge
>> Create the vpn, i can reach the ftp :-) Pretty cool
>> Thanks to vether !!
>>
>> Cheers,
>>
>> Wesley MOUEDINE ASSABY
>>
>>
>> On Thu, 16 Feb 2012 14:03:54 +0100, Markus Wernig wrote:
>>> Hi
>>>
>>> I'm not sure if this will work, but you could try creating a loopback
>>> interface (lo2) on FWC with the IP address that the FTP server should be
>>> reachable on and then set up a regular VPN between FWA and FWC just for
>>> that one IP address:
>>> ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...
>>>
>>> Then tell the FTP server to listen on the IP of the lo2 interface
>>> (172.17.2.21?)
>>>
>>> /m
>>>
>>> On 02/13/12 14:43, Wesley M. wrote:
>>>> Hi,
>>>>
>>>> I was using ipsec vpn between 2 OpenBSD Gateway. It worked very well.
>>>>
>>>> Here :
>>>>
>>>> ---rl0---[fwA]---rl1(internet)-sis1---[fwB with ftpd]---sis0---
>>>>
>>>> Now we remove ftp services from fwB and put it on another machine fwC
>>>> with an internet connection (only one network card). is it possible to
>>>> keep a vpn online from fwA and fwC, and so computersA can reach again
>>>> ftp using vpn (provided by fwC). Perhaps i need to use vether on fwC so
>>>> bridged pf ?
>>>>
>>>> Here the old ipsec.conf from fwB:
>>>> ike esp from 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA
>>>>     main auth hmac-sha1 enc aes-256 group modp1024
>>>>     quick auth hmac-sha1 enc aes-256 group modp1024
>>>>     psk "demopassword"
>>>>
>>>> My idea on fwC :
>>>>
>>>> add vether0 with : "inet 172.17.2.21 255.255.255.0"
IN-PERSON COURSES AND CONFERENCES - SIMCA CAPACITACION
IN-PERSON COURSES AND CONFERENCES - in-company - in-house - SIMCA CAPACITACION

IN-PERSON COURSES AND CONFERENCES delivered privately at your company. We have 12 areas at your service, each with its own list of private courses and schedule:

- Credit and Collections
- Human Resources
- Manufacturing and Production
- Procurement and Public Works
- Safety and Hygiene
- Human Development
- Negotiation and Purchasing
- Sales
- Finance
- Food and Beverage
- Assistants and Secretaries
- New Technologies

We design the course to fit your needs! We deliver PRIVATE courses at your company: send us an e-mail stating the number of participants, the venue, your name, position, company and telephone number, and request a quote. Tell us which course you need, or ask your advisor. If you need more information, contact us and an advisor will attend to you immediately.

SIMCA CAPACITACION - Specialized Training
E-MAIL: simca_capacitac...@hotmail.com
Messenger: simca_capacitac...@hotmail.com
Toll-free: 01 800 543 32 30
TEL: (999) 941 51 68
Cannot upgrade Sony Vaio VPCCA using the amd64 RAM kernel
Grabbed the 15 February snapshot, but booting bsd.rd results in this:

Using drive 0, partition 3
Loading...
probing: pc0 mem[634K 511M 510M 2474M 12K 1M 12K 84K 4606M a20=on]
disk: hd0+
>> OpenBSD/amd64 BOOT 3.18
boot> bsd.rd
booting hd0a:bsd.rd: 2986868+717388+2861496+0+504624=0xaef670
entry point at 0x1001e0 [7205c766, 3404, 24448b12, 1608a304]

after which fans turn, and that's about it. Dmesg below sig.

-- 
Ed Ahlsen-Girard
Ft. Walton Beach FL

OpenBSD 5.1 (GENERIC.MP) #206: Sat Feb 11 12:24:58 MST 2012
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8496082944 (8102MB)
avail mem = 8255754240 (7873MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb3a0 (17 entries)
bios0: vendor American Megatrends Inc. version "R1100V2" date 04/15/2011
bios0: Sony Corporation VPCCA25FX
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC HPET SSDT SLIC MCFG SSDT SSDT ECDT SSDT
acpi0: wakeup devices B0D4(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) USB7(S3) EHC1(S3) EHC2(S3) PXSX(S3) PXSX(S3) PXSX(S3) RP03(S3) PXSX(S3) RP04(S3) PWRB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, 2295.11 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,XSAVE,AVX,NXE,LONG,LAHF
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 99MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, 2294.79 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,XSAVE,AVX,NXE,LONG,LAHF
cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, 2294.79 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,XSAVE,AVX,NXE,LONG,LAHF
cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, 2294.79 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,XSAVE,AVX,NXE,LONG,LAHF
cpu3: 256KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus 2 (RP02)
acpiprt4 at acpi0: bus 3 (RP03)
acpiprt5 at acpi0: bus 4 (RP04)
acpicpu0 at acpi0: C1, PSS
acpicpu1 at acpi0: C1, PSS
acpicpu2 at acpi0: C1, PSS
acpicpu3 at acpi0: C1, PSS
acpitz0 at acpi0: critical temperature is 96 degC
acpitz1 at acpi0: critical temperature is 96 degC
acpibat0 at acpi0: BAT0 type LiOn oem "Sony Corp."
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
cpu0: Enhanced SpeedStep 2294 MHz: speeds: 2301, 2300, 1800, 1600, 1400, 1200, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
vga1 at pci0 dev 2 function 0 "Intel GT2 Video" rev 0x09
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0 at vga1: apic 2 int 16
drm0 at inteldrm0
"Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 6 Series HD Audio" rev 0x04: msi
azalia0: codecs: Realtek ALC269, Intel/0x2805, using Realtek ALC269
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb4: msi
pci1 at ppb0 bus 1
iwn0 at pci1 dev 0 function 0 "Intel WiFi Link 1000" rev 0x00: msi, MIMO 1T2R, BGS, address 74:e5:0b:51:4c:4e
ppb1 at pci0 dev 28 function 1 "Intel 6 Series PCIE" rev 0xb4: msi
pci2 at ppb1 bus 2
sdhc0 at pci2 dev 0 function 0 "Ricoh 5U823 SD/MMC" rev 0x04: apic 2 int 17
sdmmc0 at sdhc0
vendor "Ricoh", unknown product 0xe232 (class system subclass miscellaneous, rev 0x04) at pci2 dev 0 function 1 not configured
ppb2 at pci0 dev 28 function 2 "Intel 6 Series PCIE" rev 0xb4: msi
pci3 at ppb
Re: Anybody interested in upgrading eclipse port?
On 2012-02-15, lbvvbooo lbvvbooo wrote:
> I'm a user of eclipse, now I'm trying to work on openbsd 5. But I found the
> eclipse version is 3.2, which doesn't have support for some newer server
> versions of tomcat/jboss etc; and some other new plugins don't work on this
> version of eclipse.
>
> Anybody interested in upgrading eclipse port? Maybe the "Eclipse IDE for Java
> EE Developers" version? I believe a lot of eclipse users like me
> need this version.

I'm sure a working port diff would be looked at. It's probably going to need
to be done by somebody who wants it themselves as it's likely to be a bit fiddly.
Authen::bsd_auth - does it exist?
Hi,

I found an interesting tool[1] and it depends on Authen::PAM. This obviously
doesn't exist so I was searching for a bsd_auth version, no success. But maybe
it exists in a drawer of a person on this list ? :)

[1] http://code.google.com/p/enterprise-log-search-and-archive/

jirib
Re: starting nsd via rc.d shows OK but not running
On Sat, Feb 04, 2012 at 09:27:53PM +, Stuart Henderson wrote:
> as to the rc.d thing; the daemon *does* start and is running when
> rc_check examines it, but exits afterwards.

# cat -n /etc/rc.d/rc.subr | sed -n '117,129p'
   117  while true; do # no real loop, only needed to break
   118          if type rc_pre >/dev/null; then
   119                  rc_do rc_pre || break
   120          fi
   121          # XXX only checks the status of the return code,
   122          # and _not_ that the daemon is actually running
   123          rc_do rc_start || break
   124          if [ -n "${_bg}" ]; then
   125                  sleep 1
   126                  rc_do rc_wait start || break
   127          fi
   128          rc_do rc_write_runfile
   129          rc_exit ok

Not true, there's no rc_check at all. Any idea what's the logic behind?

Reporting 'ok' has no real sense. I understand that my own problem was
configuration, true, but having no check and just echoing 'ok' is strange
to me.

jirib
Re: Anybody interested in upgrading eclipse port?
I believe we're talking about the same version of Eclipse. "I prefer to use the
Eclipse available from eclipse.org (EE version)." So do I. The question is you
can't use it directly in openbsd, you need a suitable port.

> Date: Thu, 16 Feb 2012 18:22:25 +0200
> From: bsdlis...@gmail.com
> To: lbvvb...@live.com
> CC: misc@openbsd.org
> Subject: Re: Anybody interested in upgrading eclipse port?
>
> On 02/16/2012 01:33 AM, lbvvbooo lbvvbooo wrote:
> > I'm a user of eclipse, now I'm trying to work on openbsd 5. But I found the
> > eclipse version is 3.2, which doesn't have support for some newer server
> > versions of tomcat/jboss etc; and some other new plugins don't work on
> > this version of eclipse.
> >
> > Anybody interested in upgrading eclipse port? Maybe the "Eclipse IDE for
> > Java EE Developers" version? I believe a lot of eclipse users like me
> > need this version.
> >
> > Best regards
>
> Not a direct answer to your question, but I prefer to use the Eclipse
> available from eclipse.org (EE version). Of course, YMMV.
>
> Best,
>
> --
> Rares Aioanei
Re: /etc/netstart diff
On Thu, 16 16:53 , Jan Stary wrote:
> > > What's the
> > > advantage over symlinking /etc/hostname.athn0 appropriately, if you want
> > > to use netstart?
> >
> > It's easier to issue a "sh /etc/netstart athn0.home" on the
> > commandline than unlinking and relinking files before calling
> > netstart.
>
> So, you find it a reasonable price to have an unsupported /etc/netstart
> for not having to painstakingly type this?
>
> # ln -sf /etc/hostname.athn0.here /etc/hostname.athn0
> # sh /etc/netstart

Well, as you might have gathered by the fact that I sent a diff, I took into
account that this small change could go into netstart to just support such
operations out of the box. It's however not up to me to decide this. If the
majority of relevant people do think this is bloat, I can get along with it.
Consider it a suggestion. On the other hand, it would not harm nor complicate
netstart really.

Regards,
/Markus
Re: Keeping installed ports up-to-date
On Wed, Feb 15, 2012 at 12:12:39AM +0100, Marc Espie wrote:
>
> (Unless you're a *developer*, or you want to *downgrade* ports,
> you should never ever have to run make clean=plist
> that's stupid. register-plist catches *bugs*.)
>
> Nope, won't work. You haven't de-installed the troublesome package, so a
> new build will still break. (e.g., it doesn't have
> make clean=install).
>
> That's the crux of the matter.
>
> Eventually, we'll solve most of these. Not all of them, not ever. Because
> the number of combinations old package installed/new package build is very
> very large, so the best we can hope is to fix the most common ones
> (having our own libtool for most of the tree does help a great deal).
>
> There are so many things to do... this is not a huge priority. We don't
> fix the ports tree, we fix binary packages. Once they're all perfect
> (ah ! :) ) we'll fix every little remaining bug in ports.
>
> Promise ! :)
>
> (I'm not promising anything, actually, since there's always always more
> polishing to do for binary packages proper).

I do see how complicated things are. My attempts to upgrade a perl port with
other ports depending on it have been very helpful in seeing how tough it can
be to upgrade something since it fans out into a bunch of other stuff.

I have not been able to make out how to deal with existing ports depending on
my upgrade that fail many regress tests, both before and after my updates. If
a new port I am trying to build does the same, it seems difficult to decide
what to make of the failures (unless it's something obvious such as requiring
a newer perl than is in base). CPAN shows many modules with multiple failures
in testing.

My attempts to bring in some new perl ports also show a long chain of
dependencies, which when someone else updates them, might break my work. And I
find a lot of regress depends that are not in ports at all. I am not even sure
whether I should then add those also, which adds up to a lot of new ports just
to regress one new port. Studying existing perl ports shows some requiring
regress stuff such as p5-Pod-Coverage, while others do not, even though that
shows up as test dependencies in the build directories.

I am also frequently finding that perl modules require other modules that are
NOT listed in Makefile.PL or Pod manuals. I have been grepping use and require
in the build directories to search for dependencies. Is there a less eye
straining command sequence to use?

Thanks,
Chris Bennett
Re : vpn isakmpd ipsec, one side with only one interface
Hello,

I have this configuration working without any bridge.
Openbsd rl0 <- LAN1 -> Router <- Internet -> RemoteFW <- LAN 2 -> SomeDevice
My PC is connected to a LAN1 switch, and it's able to ssh SomeDevice. As you can
see my OpenBSD has just one interface and the VPN is mounted between OpenBSD and
RemoteFW.

- Original message -
> From: Wesley M.
> To: Markus Wernig
> Cc: misc@openbsd.org
> Sent: Thursday 16 February 2012 15:59
> Subject: Re: vpn isakmpd ipsec, one side with only one interface
>
> I have it working ;-)
> What i have done :
> Create a vether0 with : inet 172.17.2.21 255.255.255.0
> Create a bridge0, add to it vether0 and the physical card...
> PF : filter the bridge
> Create the vpn, i can reach the ftp :-) Pretty cool
> Thanks to vether !!
>
> Cheers,
>
> Wesley MOUEDINE ASSABY
>
>
> On Thu, 16 Feb 2012 14:03:54 +0100, Markus Wernig wrote:
>> Hi
>>
>> I'm not sure if this will work, but you could try creating a loopback
>> interface (lo2) on FWC with the IP address that the FTP server should be
>> reachable on and then set up a regular VPN between FWA and FWC just for
>> that one IP address:
>> ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...
>>
>> Then tell the FTP server to listen on the IP of the lo2 interface
>> (172.17.2.21?)
>>
>> /m
>>
>> On 02/13/12 14:43, Wesley M. wrote:
>>> Hi,
>>>
>>> I was using ipsec vpn between 2 OpenBSD Gateway. It worked very well.
>>>
>>> Here :
>>>
>>> ---rl0---[fwA]---rl1(internet)-sis1---[fwB with ftpd]---sis0---
>>>
>>> Now we remove ftp services from fwB and put it on another machine fwC
>>> with an internet connection (only one network card). is it possible to
>>> keep a vpn online from fwA and fwC, and so computersA can reach again
>>> ftp using vpn (provided by fwC). Perhaps i need to use vether on fwC so
>>> bridged pf ?
>>>
>>> Here the old ipsec.conf from fwB:
>>> ike esp from 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA
>>>     main auth hmac-sha1 enc aes-256 group modp1024
>>>     quick auth hmac-sha1 enc aes-256 group modp1024
>>>     psk "demopassword"
>>>
>>> My idea on fwC :
>>>
>>> add vether0 with : "inet 172.17.2.21 255.255.255.0"
Re: Anybody interested in upgrading eclipse port?
On 02/16/2012 01:33 AM, lbvvbooo lbvvbooo wrote:
> I'm a user of eclipse, now I'm trying to work on openbsd 5. But I found the
> eclipse version is 3.2, which doesn't have support for some newer server
> versions of tomcat/jboss etc; and some other new plugins don't work on this
> version of eclipse.
>
> Anybody interested in upgrading eclipse port? Maybe the "Eclipse IDE for
> Java EE Developers" version? I believe a lot of eclipse users like me
> need this version.
>
> Best regards

Not a direct answer to your question, but I prefer to use the Eclipse
available from eclipse.org (EE version). Of course, YMMV.

Best,

-- 
Rares Aioanei
Re: /etc/netstart diff
On Feb 16 15:16:51, Markus wrote:
> On Thu, 16 13:03 , Joachim Schipper wrote:
> >
> > I'm sorry, but how does this work? It reads as if netstart now
> > recognizes /etc/hostname.athn0.home as an alternative to
> > /etc/hostname.athn0, but how does it figure out whether to use
> > /etc/hostname.athn0.home or /etc/hostname.athn0.work?
>
> The idea is to be able to issue "sh /etc/netstart athn0.home"
> and start the interface in question with the configuration
> present in /etc/hostname.athn0.home.
>
> It does not find out anything by itself. Unless you call
> netstart explicitly with those suffixed names, it will always take
> hostname.athn0 by default. This way, this approach doesn't
> interfere with the expected behaviour, yet provides a way to use
> subconfigurations of interfaces in a convenient way.
>
> > What's the
> > advantage over symlinking /etc/hostname.athn0 appropriately, if you want
> > to use netstart?
>
> It's easier to issue a "sh /etc/netstart athn0.home" on the
> commandline than unlinking and relinking files before calling
> netstart.

So, you find it a reasonable price to have an unsupported /etc/netstart
for not having to painstakingly type this?

# ln -sf /etc/hostname.athn0.here /etc/hostname.athn0
# sh /etc/netstart

> > > @@ -104,7 +112,7 @@ > > > else > > > alias= > > > fi > > > - cmd="ifconfig $if $af $alias $name" > > > + cmd="ifconfig 4raw $if4 $af $alias $name" > > ^ ^ > > > case "$dt" in > > > dest) > > > cmd="$cmd $dtaddr"
> >
> > Those should be `, obviously.
>
> Interesting. That must have been wrapped up after I attached the
> diff. See the original at http://flash.target23.de/doc/netstart.diff
>
> Regards,
> /Markus
Re: vpn isakmpd ipsec, one side with only one interface
I have it working ;-)

What i have done :
Create a vether0 with : inet 172.17.2.21 255.255.255.0
Create a bridge0, add to it vether0 and the physical card...
PF : filter the bridge
Create the vpn, i can reach the ftp :-) Pretty cool
Thanks to vether !!

Cheers,

Wesley MOUEDINE ASSABY

On Thu, 16 Feb 2012 14:03:54 +0100, Markus Wernig wrote:
> Hi
>
> I'm not sure if this will work, but you could try creating a loopback
> interface (lo2) on FWC with the IP address that the FTP server should be
> reachable on and then set up a regular VPN between FWA and FWC just for
> that one IP address:
> ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...
>
> Then tell the FTP server to listen on the IP of the lo2 interface
> (172.17.2.21?)
>
> /m
>
> On 02/13/12 14:43, Wesley M. wrote:
>> Hi,
>>
>> I was using ipsec vpn between 2 OpenBSD Gateway. It worked very well.
>>
>> Here :
>>
>> ---rl0---[fwA]---rl1(internet)-sis1---[fwB with ftpd]---sis0---
>>
>> Now we remove ftp services from fwB and put it on another machine fwC
>> with an internet connection (only one network card). is it possible to
>> keep a vpn online from fwA and fwC, and so computersA can reach again
>> ftp using vpn (provided by fwC). Perhaps i need to use vether on fwC so
>> bridged pf ?
>>
>> Here the old ipsec.conf from fwB:
>> ike esp from 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA
>>     main auth hmac-sha1 enc aes-256 group modp1024
>>     quick auth hmac-sha1 enc aes-256 group modp1024
>>     psk "demopassword"
>>
>> My idea on fwC :
>>
>> add vether0 with : "inet 172.17.2.21 255.255.255.0"
Re: nat-to source-hash strangeness
On 09/02/12 17:39, Kapetanakis Giannis wrote:
> Hi,
>
> source-hash gives me different IP when used on different rules
>
> pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1 port 80 nat-to 192.0.2.0/24 source-hash
> pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1 port 443 nat-to 192.0.2.0/24 source-hash
>
> With this I get:
>
> Feb 09 17:32:29.467431 rule 133/(match) pass out on vlanxxx: 192.0.2.1.64386 > 203.0.113.1.80: S 2151338718:2151338718(0) win 14600
> Feb 09 17:32:33.464448 rule 134/(match) pass out on vlanxxx: 192.0.2.2.57614 > 203.0.113.1.443: S 2121037714:2121037714(0) win 14600
>
> If I change the firewall rule to:
>
> pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1 port {80, 443} nat-to 192.0.2.0/24 source-hash
>
> although this is evaluated in 2 rules (at least in pfctl -sr) I always get the same IP 192.0.2.1
>
> Is this normal?
>
> thanks,
>
> Giannis

Hi,

Is this normal behavior? Shouldn't the hashed IP be always the same? Could this be related to key?

regards,

Giannis
Re: /etc/netstart diff
On Thu, 16 13:03 , Joachim Schipper wrote:
>
> I'm sorry, but how does this work? It reads as if netstart now
> recognizes /etc/hostname.athn0.home as an alternative to
> /etc/hostname.athn0, but how does it figure out whether to use
> /etc/hostname.athn0.home or /etc/hostname.athn0.work?

The idea is to be able to issue "sh /etc/netstart athn0.home"
and start the interface in question with the configuration
present in /etc/hostname.athn0.home.

It does not find out anything by itself. Unless you call
netstart explicitly with those suffixed names, it will always take
hostname.athn0 by default. This way, this approach doesn't
interfere with the expected behaviour, yet provides a way to use
subconfigurations of interfaces in a convenient way.

> What's the
> advantage over symlinking /etc/hostname.athn0 appropriately, if you want
> to use netstart?

It's easier to issue a "sh /etc/netstart athn0.home" on the
commandline than unlinking and relinking files before calling
netstart.

> > @@ -104,7 +112,7 @@ > > else > > alias= > > fi > > - cmd="ifconfig $if $af $alias $name" > > + cmd="ifconfig 4raw $if4 $af $alias $name" > ^ ^ > > case "$dt" in > > dest) > > cmd="$cmd $dtaddr"
>
> Those should be `, obviously.

Interesting. That must have been wrapped up after I attached the
diff. See the original at http://flash.target23.de/doc/netstart.diff

Regards,
/Markus
Re: vpn isakmpd ipsec, one side with only one interface
Hi

I'm not sure if this will work, but you could try creating a loopback
interface (lo2) on FWC with the IP address that the FTP server should be
reachable on and then set up a regular VPN between FWA and FWC just for
that one IP address:

ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...

Then tell the FTP server to listen on the IP of the lo2 interface
(172.17.2.21?)

/m

On 02/13/12 14:43, Wesley M. wrote:
> Hi,
>
> I was using ipsec vpn between 2 OpenBSD Gateway. It worked very well.
>
> Here :
>
> ---rl0---[fwA]---rl1(internet)-sis1---[fwB with ftpd]---sis0---
>
> Now we remove ftp services from fwB and put it on another machine fwC
> with an internet connection (only one network card). is it possible to
> keep a vpn online from fwA and fwC, and so computersA can reach again
> ftp using vpn (provided by fwC). Perhaps i need to use vether on fwC so
> bridged pf ?
>
> Here the old ipsec.conf from fwB:
> ike esp from 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA
>     main auth hmac-sha1 enc aes-256 group modp1024
>     quick auth hmac-sha1 enc aes-256 group modp1024
>     psk "demopassword"
>
> My idea on fwC :
>
> add vether0 with : "inet 172.17.2.21 255.255.255.0"
Re: /etc/netstart diff
On Thu, Feb 16, 2012 at 11:49:03AM +0100, Markus wrote:
> occasionally I'm in the situation where having multiple
> configurations for a single network interface is handy to have.
> Most seamlessly, [multiple wifi networks] could be handled by using an
> arbitrary extension to the hostname.if files, separated by an
> additional dot (e.g. hostname.athn0.home, hostname.em0.bak20120223).
>
> Below a diff to /etc/netstart is attached, that strips the
> suffix including the dot from hostname.if.suffix (if it is
> present) and otherwise allows such files to be used. I tried
> to change the code of netstart as minimally as possible.
>
> An interesting side-effect is the ease with which wifi cell
> changes can now be handled by ifstated.
>
> I'd suppose that this must scratch the itch of other users, too.
> However as this is only a rough guess, I'm curious to hear some
> opinions on it.

I'm sorry, but how does this work? It reads as if netstart now
recognizes /etc/hostname.athn0.home as an alternative to
/etc/hostname.athn0, but how does it figure out whether to use
/etc/hostname.athn0.home or /etc/hostname.athn0.work? What's the
advantage over symlinking /etc/hostname.athn0 appropriately, if you want
to use netstart?

Maybe I just don't get it.

> @@ -104,7 +112,7 @@ > else > alias= > fi > - cmd="ifconfig $if $af $alias $name" > + cmd="ifconfig 4raw $if4 $af $alias $name" ^ ^ > case "$dt" in > dest) > cmd="$cmd $dtaddr"

Those should be `, obviously.

Joachim

-- 
PotD: graphics/libkexiv2 - kde wrapper around exiv2
http://www.joachimschipper.nl/
/etc/netstart diff
Hi list,

occasionally I'm in the situation where having multiple configurations for a
single network interface is handy to have. Admittedly, this doesn't affect
servers as much as notebooks, where using several wifi nets/logins is the
average case.

Most seamlessly, this could be handled by using an arbitrary extension to the
hostname.if files, separated by an additional dot (e.g. hostname.athn0.home,
hostname.em0.bak20120223).

Below a diff to /etc/netstart is attached, that strips the suffix including
the dot from hostname.if.suffix (if it is present) and otherwise allows such
files to be used. I tried to change the code of netstart as minimally as
possible.

An interesting side-effect is the ease with which wifi cell changes can now be
handled by ifstated.

I'd suppose that this must scratch the itch of other users, too. However as
this is only a rough guess, I'm curious to hear some opinions on it.

All the best,
/Markus

--- /etc/netstart Tue Dec 20 18:54:07 2011 +++ netstartThu Feb 16 11:15:14 2012 @@ -18,7 +18,7 @@ _n=$1 while [ ${#_n} != 0 ]; do case $_n in - [A-Za-z0-9]*) ;; + [A-Za-z0-9.]*) ;; *) return 1;; esac _n=${_n#?} @@ -26,6 +26,14 @@ return 0 } +# Strips everything from the first dot, if applicable +raw() { + local_r + _r=$1 + _r=${_r%%.*} + echo $_r +} + # Start the $1 interface ifstart() { if=$1 @@ -47,9 +55,9 @@ chmod -LR o-rwx $file chown -LR root.wheel $file fi - if ! ifconfig $if > /dev/null 2>&1; then + if ! ifconfig `raw $if` > /dev/null 2>&1; then # Try to create interface if it does not exist - if ! ifconfig `raw $if` create > /dev/null 2>&1; then + if ! ifconfig `raw $if` create > /dev/null 2>&1; then return fi fi 
@@ -83,13 +91,13 @@ [ "$name" = "NONE" ] && name= [ "$mask" = "NONE" ] && mask= [ "$bcaddr" = "NONE" ] && bcaddr= - cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 down" - cmd="$cmd;dhclient $if" - dhcpif="$dhcpif $if" + cmd="ifconfig `raw $if` $name $mask $bcaddr $ext1 $ext2 down" + cmd="$cmd;dhclient `raw $if`" + dhcpif="$dhcpif `raw $if`" ;; "rtsol") - rtsolif="$rtsolif $if" - cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 up" + rtsolif="$rtsolif `raw $if`" + cmd="ifconfig `raw $if` $name $mask $bcaddr $ext1 $ext2 up" ;; *) read dt dtaddr @@ -104,7 +112,7 @@ else alias= fi - cmd="ifconfig $if $af $alias $name" + cmd="ifconfig 4raw $if4 $af $alias $name" case "$dt" in dest) cmd="$cmd $dtaddr" @@ -149,7 +157,8 @@ # don't start "$2" interfaces ifmstart() { for sif in ${1:-ALL}; do - for hn in /etc/hostname.*; do + # Only loop over real interfaces + for hn in /etc/hostname.*([A-Za-z0-9]); do # Strip off /etc/hostname. prefix if=${hn#/etc/hostname.} test "$if" = "*" && continue
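Review bot: In the `@@ -18,7 +18,7 @@` hunk, adding `.` to the accepted character class lets "athn0.home" through the name check, but it equally accepts "athn0." or "athn0..home", which `raw` then silently turns into "athn0"; the check should require at least one alphanumeric on each side of a dot (or the suffix should be validated in one place) rather than leaving the three pieces of suffix handling (this check, `raw`, and the ifmstart glob) to disagree.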
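Review bot: In the `@@ -26,6 +26,14 @@` hunk, `local_r` is missing a space (`local _r`); if that is not just mail wrapping like the backticks further down, the line runs a nonexistent command and `_r` leaks as a global. More importantly, `raw()` is only ever used as `` `raw $if` ``, which forks a subshell at every call site even though the stripped name never changes inside ifstart(); computing it once next to `if=$1` (e.g. `rawif=${if%%.*}`) would remove the helper, the repeated command substitutions, and the backtick breakage that this mail shows.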
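Review bot: In the `@@ -104,7 +112,7 @@` hunk, `+ cmd="ifconfig 4raw $if4 $af $alias $name"` is not valid as posted: the two `4` characters stand where backticks should be (the thread already notes this), so applying the diff as it appears here hands the literal word "4raw" to ifconfig for every static address. The copy at the URL given later in the thread should be checked before anyone tests it, and `$(raw $if)` instead of backticks would survive mail clients better.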
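Review bot: In the `@@ -149,7 +157,8 @@` hunk, the new glob `/etc/hostname.*([A-Za-z0-9])` breaks the no-match guard two lines below it: when no hostname.* file exists the pattern stays literal, `if=${hn#/etc/hostname.}` becomes `*([A-Za-z0-9])` rather than `*`, so `test "$if" = "*" && continue` no longer fires and ifstart() is called with that string. Either update the guard to the new pattern or test `[ -e "$hn" ]` before stripping. `*(...)` is also a ksh extended pattern; it works because OpenBSD's /bin/sh is ksh, but that dependency deserves a comment next to the "Only loop over real interfaces" line.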