Re: pfsync and rule specific state timeouts
> What if two systems being used as redundant firewalls had different network
> cards? This would make the names of the interfaces different, resulting in
> rule sets that were not the same, preventing per-rule state timeouts from
> being properly applied.

1) “egress” can be used to reference the external nic in a rule, instead of having a specific IP. Egress is defined as the nic with the default route.

pass in quick log on egress inet proto tcp to (egress) port 22

2) Both of the firewall IP addresses can be in a rule if egress is not suitable for your topology; something like this will sync over cleanly with pfsync:

pass in quick log on $ext_if inet proto tcp to { $fw1_ext $fw2_ext } port 22
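As an added example (not from the thread), a small POSIX shell check a practitioner can run before relying on per-rule timeouts: it walks the rule dumps of the two firewalls (saved with pfctl -sr on each host) in lock-step and reports the rule numbers that differ, which is where a host-specific address has crept in. The two rule dumps are constructed sample input; the function name and temporary file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report rules that differ between the
# rule dumps of two pfsync peers. Per-rule timeouts only sync when the whole
# rule set is identical, so one rule carrying a host-specific address breaks
# timeout sync for every rule. Inputs are 'pfctl -sr' output saved from each
# host; the two dumps below are constructed sample data. Macros such as
# $ext_if are already expanded in 'pfctl -sr' output, so interface names and
# addresses appear literally, which is exactly what this check catches.

TMPDIR=${TMPDIR:-/tmp}
FW1_RULES=$(mktemp "$TMPDIR/fw1.XXXXXX")
FW2_RULES=$(mktemp "$TMPDIR/fw2.XXXXXX")
trap 'rm -f "$FW1_RULES" "$FW2_RULES"' EXIT

# Constructed dump for the primary firewall (192.0.2.10 is its own address).
cat > "$FW1_RULES" <<'EOF'
pass out quick on em0 proto udp all tagged VOIP_UDP keep state (udp.multiple 360)
pass in quick on vlan110 proto udp from any to any port = 9430 tag VOIP_UDP keep state (udp.multiple 360)
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 22
EOF

# Constructed dump for the backup: identical except the ssh rule, which
# carries the backup's own address (192.0.2.11).
cat > "$FW2_RULES" <<'EOF'
pass out quick on em0 proto udp all tagged VOIP_UDP keep state (udp.multiple 360)
pass in quick on vlan110 proto udp from any to any port = 9430 tag VOIP_UDP keep state (udp.multiple 360)
pass in quick on em0 proto tcp from any to 192.0.2.11 port = 22
EOF

# ruleset_diff FILE1 FILE2
# Walks both dumps in lock-step, prints every rule that differs with its
# 0-based rule number (the numbering pf uses), and returns 1 if anything
# differed (including a different rule count), 0 if the sets are identical.
ruleset_diff() {
    n=0
    status=0
    exec 3< "$1" 4< "$2"
    while :; do
        if IFS= read -r r1 <&3; then have1=1; else have1=0; r1='<missing>'; fi
        if IFS= read -r r2 <&4; then have2=1; else have2=0; r2='<missing>'; fi
        [ "$have1" -eq 0 ] && [ "$have2" -eq 0 ] && break
        if [ "$r1" != "$r2" ]; then
            status=1
            printf 'rule %d differs:\n  fw1: %s\n  fw2: %s\n' "$n" "$r1" "$r2"
        fi
        n=$((n + 1))
    done
    exec 3<&- 4<&-
    [ "$status" -eq 0 ] && printf 'rule sets identical (%d rules)\n' "$n"
    return "$status"
}

# Stand-alone run: the differing ssh rule is reported and the exit status is 1.
# On a live pair, 'pfctl -si | grep Checksum' on both hosts gives the same
# yes/no answer at a glance; this script tells you which rule to fix.
ruleset_diff "$FW1_RULES" "$FW2_RULES" || echo 'rule sets differ: per-rule timeouts will not be applied by pfsync'
```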
pfsync and rule specific state timeouts
Where is it documented that in order for pfsync to properly synchronize rule-specific state timeouts, the rule sets on the systems being synchronized must be *exactly* the same?

I have a pair of redundant firewalls synchronizing state, and recently added a couple of rules that increase the default timeout for a UDP connection:

pass out quick on $ext_if proto udp tagged VOIP_UDP keep state (udp.multiple 360)
pass in quick on vlan110 proto udp from any to port = 9430 tag VOIP_UDP keep state (udp.multiple 360)

Despite the timeout being set to six minutes, the states kept disappearing after approximately a minute of idle time. After spending a lot of time trying to debug it, I finally figured out that the states replicated to the backup firewall received the default one-minute timeout rather than the six-minute timeout specified by the rule, and when they expired on the backup firewall, they were deleted from the primary firewall.

After further debugging, I discovered that pfsync on the receiving system only applies the rule-specific timeout if the entire rule set is exactly identical on both systems. While my rule set was functionally identical on both systems, it was not exactly the same, having rules such as:

pass in quick on $ext_if proto tcp from any to $ext_if port ssh

which had the primary IP address on each system substituted, resulting in a rule set that was "different".

This seems overly strict. What if two systems being used as redundant firewalls had different network cards? This would make the names of the interfaces different, resulting in rule sets that were not the same, preventing per-rule state timeouts from being properly applied. I can understand you wouldn't want to apply the wrong timeout, but it seems that validating a per-rule checksum rather than an entire rule set checksum would be more flexible. Both the rule number and the rule content on both of these systems for these rules are exactly the same.
It is just other rules that have a different IP address given that each system has its own separate IP address in addition to the virtual carp address...
Re: Realtek Edimax AC1750 USB gets properly detected but not configurable in ifconfig
On 2020-06-05, Tristan wrote:

> Just plugged in a Realtek Edimax AC1750 USB card into an ASRock B450M board.
> I can see the card being detected and registered properly in dmesg and
> usbdevs, but cannot configure it.
> Is this card supported?

No. The only supported 11ac USB devices are the limited and fairly hard to get hold of bwfm(4) devices. (Some PCIe 11ac are supported but not in 11ac mode.)
Realtek Edimax AC1750 USB gets properly detected but not configurable in ifconfig
Hi,

Just plugged in a Realtek Edimax AC1750 USB card into an ASRock B450M board. I can see the card being detected and registered properly in dmesg and usbdevs, but cannot configure it. Is this card supported?

Thanks

usbdevs output:

Controller /dev/usb0:
addr 01: 1022: AMD, xHCI root hub
addr 02: 7392:a833 Realtek, Edimax AC1750 USB
Controller /dev/usb1:
addr 01: 1022: AMD, xHCI root hub
addr 02: 0bc2:ab24 Seagate, BUP Slim BK
Controller /dev/usb2:
addr 01: 1022: AMD, xHCI root hub

ifconfig only shows these:

lo0: flags=8049 mtu 32768
em0: flags=8b43 mtu 1500
em1: flags=8b43 mtu 1500
em2: flags=8b43 mtu 1500
em3: flags=8b43 mtu 1500
re0: flags=808843 mtu 1500
bridge0: flags=41
tun0: flags=8051 mtu 1420
vether0: flags=8943 mtu 1500
pflog0: flags=141 mtu 33136

If it's any use, here is also my sysctl hw output.
Find my current dmesg:

OpenBSD 6.7 (GENERIC.MP) #2: Thu Jun 4 09:55:08 MDT 2020
r...@syspatch-67-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Some guides from an opensource guy.
Nice regards dudes!

I've written some guides for OpenBSD:

OpenBSD, Tor and the fourteen eyes:
http://telecomlobby.com/opensource_guides/openbsd_tor_privoxy.htm

OpenBSD, virtualization and privoxy:
http://telecomlobby.com/opensource_guides/openbsd_virtualization_privoxy.htm

OpenBSD and OpenPGP:
http://telecomlobby.com/opensource_guides/openbsd_openpgp.htm

Thank you all,
RG.

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: Sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
Re: Filling a 4TB Disk with Random Data
On Mon, 01 Jun 2020 13:38:55 -0400 "Eric Furman" wrote:

> On Mon, Jun 1, 2020, at 10:28 AM, Paul de Weerd wrote:
> [...]
> > This is why if you are serious you use a degausser.
>
> The truly serious use a smelter.

I am not making a joke.

--
Edward Ahlsen-Girard
Ft Walton Beach, FL
Re: How do I set up a Wi-Fi access point (using APU2)?
On Fri, 5 June 2020 at 19:14, infoomatic wrote:

> it seems you skipped the firewall part of the document you were
> referring, you need NAT connections.

Or you do IPv6 instead of vintage-IP.

Best
Martin
[smartmontools] OpenBSD testers required
Greetings,

There have been some changes in the OpenBSD port of smartmontools (tools for working with S.M.A.R.T. diagnostics of hard drives and SSDs): the platform-specific code was modernized, so it would be quite useful if people could test these changes out to make sure they work on all systems. I tested them on a macppc system with an ATA drive. The developer doesn't currently have access to a physical system with OpenBSD running on it, so they wrote the changes in a virtual machine.

You can find the changes here: https://github.com/smartmontools/smartmontools/pull/56
Re: How do I set up a Wi-Fi access point (using APU2)?
infoomatic wrote:

> it seems you skipped the firewall part of the document you were
> referring, you need NAT connections.

Indeed I did, because I thought if I said `pass in log (all)`, all traffic would be allowed to pass. It seems like I have a lot to learn... With this pf.conf I can reach the internet:

$ cat /etc/pf.conf
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass out quick inet

Thank you for taking the time to bother with my noobish question!
Re: How do I set up a Wi-Fi access point (using APU2)?
it seems you skipped the firewall part of the document you were referring to; you need NAT connections.

On 05.06.20 18:50, Richard Ulmer wrote:
> Hi,
> I got myself an APU2E2 and am trying to set it up as a router. To learn
> how to do this I'm mostly following the "Building a Router" FAQ [1]. For
> simplicity's sake I'm only using em0 and athn0. This is my setup:
>
>                                        .-------------.
>   .----------.      .------------.     |    APU2     |  ))) client1
>   | Internet | <--> | ISP-Router | <--> | em0   athn0 |  ))) client2
>   `----------'      `------------'     `-------------'
>
> I want the clients that are connected to athn0 to be able to access the
> internet, but it doesn't work. What works is this:
>
> 1. I can connect my laptop to athn0, ping the IP of athn0 and even the
>    IP of em0. Pinging the ISP-Router doesn't work.
> 2. If I connect my laptop to the ISP-Router, I can ping em0.
> 3. When I am on the router (via ssh or COM-Port) I can ping em0, athn0,
>    the ISP-Router, openbsd.org, ...
>
> So what I can't figure out is why I can't ping the ISP-Router and
> servers on the internet when I'm connected to athn0. My APU2 setup is:
>
> $ sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
> $ cat /etc/mygate
> # This is the ISP-Router:
> 192.168.178.1
> $ cat /etc/hostname.em0
> inet 192.168.178.2 255.255.255.0 192.168.178.255
> up
> $ cat /etc/hostname.athn0
> media autoselect mode 11n mediaopt hostap chan 36
> nwid wpakey
> inet 192.168.3.1 255.255.255.0
> $ cat /etc/pf.conf
> pass in log (all)
> $ cat /etc/rc.conf.local
> dhcpd_flags=athn0
> $ cat /etc/dhcpd.conf
> subnet 192.168.3.0 netmask 255.255.255.0 {
>     option routers 192.168.3.1;
>     option domain-name-servers 192.168.178.1;
>     range 192.168.3.20 192.168.3.100;
> }
>
> I'm an absolute noob when it comes to network configuration, so the
> problem is probably something really stupid, but I can't figure it out.
> I'll appreciate any hint!
>
> Greetings,
> Richard Ulmer
>
> [1] https://www.openbsd.org/faq/pf/example1.html
How do I set up a Wi-Fi access point (using APU2)?
Hi,

I got myself an APU2E2 and am trying to set it up as a router. To learn how to do this I'm mostly following the "Building a Router" FAQ [1]. For simplicity's sake I'm only using em0 and athn0. This is my setup:

                                       .-------------.
  .----------.      .------------.     |    APU2     |  ))) client1
  | Internet | <--> | ISP-Router | <--> | em0   athn0 |  ))) client2
  `----------'      `------------'     `-------------'

I want the clients that are connected to athn0 to be able to access the internet, but it doesn't work. What works is this:

1. I can connect my laptop to athn0, ping the IP of athn0 and even the IP of em0. Pinging the ISP-Router doesn't work.
2. If I connect my laptop to the ISP-Router, I can ping em0.
3. When I am on the router (via ssh or COM-Port) I can ping em0, athn0, the ISP-Router, openbsd.org, ...

So what I can't figure out is why I can't ping the ISP-Router and servers on the internet when I'm connected to athn0. My APU2 setup is:

$ sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
$ cat /etc/mygate
# This is the ISP-Router:
192.168.178.1
$ cat /etc/hostname.em0
inet 192.168.178.2 255.255.255.0 192.168.178.255
up
$ cat /etc/hostname.athn0
media autoselect mode 11n mediaopt hostap chan 36
nwid wpakey
inet 192.168.3.1 255.255.255.0
$ cat /etc/pf.conf
pass in log (all)
$ cat /etc/rc.conf.local
dhcpd_flags=athn0
$ cat /etc/dhcpd.conf
subnet 192.168.3.0 netmask 255.255.255.0 {
    option routers 192.168.3.1;
    option domain-name-servers 192.168.178.1;
    range 192.168.3.20 192.168.3.100;
}

I'm an absolute noob when it comes to network configuration, so the problem is probably something really stupid, but I can't figure it out. I'll appreciate any hint!

Greetings,
Richard Ulmer

[1] https://www.openbsd.org/faq/pf/example1.html
RE: writing aucat output
Haai,

"Peter J. Philipp" :
> Hi,
>
> I'm wondering how I can write to stdout on aucat? Here is what I have:
>
> beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o - | hexdump -C
> stdout: failed to seek back to header
> beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o /dev/stdout | hexdump -
> /dev/stdout: failed to seek back to header
>
> It doesn't seem to work for me. I'm a little distracted too. Anyone want
> to lift me on their shoulders?
>
> My intention is to resample input audio to 44100 and output it to a wav.

Normally me'd recommend Sun format... but try the attached program:

beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o - | page hexdump -C

You won't see it in real-time, but since you're using a static input (me'll presume that ewhist2.wav is *not* a named pipe :), that'll hopefully not be a problem for you.

> Cheers,
> -peter

HTH,

--zeurkous.

--
Friggin' Machines!

Attachment: page.tar.gz
Re: Filling a 4TB Disk with Random Data
On 2020-06-05, Roderick wrote:

>> I'd think that a degausser would also erase the servo tracks which will make
>> the disk irrevocably unusable. If that's what you want then just drill holes
>> through the disk - it's quicker.
>
> Or perhaps to put it on an induction cooktop?

I always keep a vat of molten steel at hand so I can easily dispose of old disk drives, killer robots from the future, etc.

--
Christian "naddy" Weisgerber    na...@mips.inka.de
Re: Filling a 4TB Disk with Random Data
On Mon, 1 Jun 2020, Eike Lantzsch wrote:

> I'd think that a degausser would also erase the servo tracks which will make
> the disk irrevocably unusable. If that's what you want then just drill holes
> through the disk - it's quicker.

Or perhaps to put it on an induction cooktop?
Re: writing aucat output
On Fri, Jun 05, 2020 at 12:06:54PM +0200, Peter J. Philipp wrote:
> Hi,
>
> I'm wondering how I can write to stdout on aucat? Here is what I have:
>
> beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o - | hexdump -C
> stdout: failed to seek back to header
> beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o /dev/stdout | hexdump -
> /dev/stdout: failed to seek back to header
>
> It doesn't seem to work for me. I'm a little distracted too. Anyone want
> to lift me on their shoulders?
>
> My intention is to resample input audio to 44100 and output it to a wav.

Hi,

I think you need:

aucat -n -i ewhist2.wav -r 44100 -o ewhist2_44100.wav

If you need to pipe the result to another program, use the raw format, for example:

aucat -n -i fanza_mix_ter.wav -r 44100 -o - | lame -r -s 44.1 - ewhist2.mp3

Last point, I'd suggest using the audio/sox port to resample files, you'll get much better quality, for example:

sox ewhist2.wav -r 44100 ewhist2_44100.wav
Re: writing aucat output
On Fri, Jun 05, 2020 at 01:02:18PM +0200, Peter J. Philipp wrote:
> On Fri, Jun 05, 2020 at 12:50:53PM +0200, Marc Espie wrote:
> > On Fri, Jun 05, 2020 at 12:06:54PM +0200, Peter J. Philipp wrote:
> > > Hi,
> > >
> > > I'm wondering how I can write to stdout on aucat? Here is what I have:
> > >
> > > beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o - | hexdump -C
> > > stdout: failed to seek back to header
> > > beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o /dev/stdout |
> > > hexdump -
> > > /dev/stdout: failed to seek back to header
> >
> > That's a bug/limitation on aucat. It tries to seek on stdout right after
> > setting it up, which is absurd.
> >
> > I'll have a look later, should be very easy to fix!
>
> Thanks...

I spoke too soon, it's way more complicated because the wav header has to know how large the file will be... which means you would have to parse the input file and figure out the resulting size before writing anything out, so it's way more code than I hoped for. :(
Re: Filling a 4TB Disk with Random Data
On Monday, 1 June 2020 13:38:55 -04 Eric Furman wrote:

> On Mon, Jun 1, 2020, at 10:28 AM, Paul de Weerd wrote:
> > storage medium. Due to smart disks remapping your data in case of
> > 'broken' sectors, some old data can never be properly overwritten.
> > This is why if you are serious you use a degausser.

I'd think that a degausser would also erase the servo tracks which will make the disk irrevocably unusable. If that's what you want then just drill holes through the disk - it's quicker.

--
Eike Lantzsch ZP6CGE
Paradox: Getting live-updates about fatalities
Re: writing aucat output
On Fri, Jun 05, 2020 at 12:06:54PM +0200, Peter J. Philipp wrote:
> Hi,
>
> I'm wondering how I can write to stdout on aucat? Here is what I have:
>
> beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o - | hexdump -C
> stdout: failed to seek back to header
> beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o /dev/stdout | hexdump -
> /dev/stdout: failed to seek back to header

That's a bug/limitation on aucat. It tries to seek on stdout right after setting it up, which is absurd.

I'll have a look later, should be very easy to fix!
writing aucat output
Hi,

I'm wondering how I can write to stdout on aucat? Here is what I have:

beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o - | hexdump -C
stdout: failed to seek back to header
beta$ /usr/bin/aucat -r 44100 -h wav -i ewhist2.wav -o /dev/stdout | hexdump -
/dev/stdout: failed to seek back to header

It doesn't seem to work for me. I'm a little distracted too. Anyone want to lift me on their shoulders?

My intention is to resample input audio to 44100 and output it to a wav.

Cheers,
-peter
Re: Filling a 4TB Disk with Random Data
On Fri, 5 Jun 2020, Janne Johansson wrote:

> Then again, if you count how many hours it will take to securely erase a
> disk, one might doubt the option of "just run this command and it will do
> the same in 10 seconds".

Not 10 seconds, but there will surely be a difference if the task is done by the disk hardware/firmware instead of the CPU/OS/software.

Rod.
Re: Filling a 4TB Disk with Random Data
On Fri, 5 June 2020 at 09:21, Roderick wrote:

> Is not there a SCSI command "sanitize" for that?

Secure erase: https://en.wikipedia.org/wiki/Parallel_ATA#HDD_passwords_and_security

Or you encrypt your device and throw away the key.

Best
Martin
Re: Filling a 4TB Disk with Random Data
On Fri, 5 June 2020 at 09:23, Roderick wrote:

> Is not there a SCSI command "sanitize" for that?
> Can be issued with OpenBSD?
> Perhaps his disc supports it.

Then again, if you count how many hours it will take to securely erase a disk, one might doubt the option of "just run this command and it will do the same in 10 seconds". Might work, might not work. Both will result in a drive that is hard to read out old data from, but which option gives confidence?

--
May the most significant bit of your life be positive.
Re: Filling a 4TB Disk with Random Data
Is not there a SCSI command "sanitize" for that? Can be issued with OpenBSD? Perhaps his disc supports it.

Rod.