Allowing i2p bittorrent traffic in a transparently proxied environment with pf

2023-12-06 Thread dsecuredrose99
I have set up a transparent Tor proxy with the following pf ruleset:
https://paste.c-net.org/WharfSeasick
It routes, most importantly, all TCP and DNS traffic through the Tor network.
Now I want to have another rule for I2P bittorrent, meaning that there is a rule
for traffic that must be routed through I2P AND must be bittorrent traffic AND
doesn't go through Tor. I got the I2P and Not-Tor part insofar that I established:

pass out proto { tcp udp } user _i2pd

but my problem is that I can't be sure if this traffic is bittorrent or a
hypothetical attacker. Ideally, I thought, it would be to have a tag for
bittorrent like I have for DNS and TCP. A tag is no guarantee that traffic is
legit, but it would be an approximation.
If my understanding of tags is correct, it would be safer to assume traffic
tagged "bittorrent" is really bittorrent, as opposed to traffic only having a
certain port number.
If I'm mistaken and tags aren't safer and more practical, is there any other
solution?

Is there any way to make a rule to ensure traffic passed out by this rule will
be only bittorrent?

Thanks in advance 
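
Added example, not part of the original post or of the poster's ruleset: a pf.conf fragment showing what a pf tag does and does not assert about traffic. The account names `_i2pd` and `_torrent`, the tag name `I2P_OUT`, the SAM bridge on 127.0.0.1 port 7656 and filtering on lo0 (no `set skip on lo`) are assumptions.

```pf
# Constructed pf.conf fragment (added example). Assumed: accounts _i2pd and
# _torrent, tag I2P_OUT, i2pd SAM bridge on 127.0.0.1:7656, lo0 is filtered
# (the ruleset has no "set skip on lo").

# A tag is a label this ruleset attaches to packets that matched a rule.
# pf does not inspect payload, so the tag is exactly as trustworthy as the
# criteria of the rule that set it; here: "the socket is owned by _i2pd".
pass out on egress proto { tcp udp } all user _i2pd tag I2P_OUT

# Later rules can refer to the label instead of repeating the criteria.
# "quick" keeps redirection rules further down from matching these packets.
pass out quick on egress tagged I2P_OUT

# On the wire i2pd emits encrypted I2P transport traffic; which application
# data it carries is decided by whoever can reach its local interfaces.
# Restricting those to the torrent client's account is what pf can express.
block out log on lo0 proto tcp from any to 127.0.0.1 port 7656
pass out on lo0 proto tcp from any to 127.0.0.1 port 7656 user _torrent
```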



Re: NFS Server performance

2023-12-06 Thread Steven Surdock
The client is VMWare ESXi, so my options are limited.  I tried enabling jumbo 
frames (used 9000) and this made very little difference.

-----Original Message-----
From: Zé Loff  
Sent: Tuesday, December 5, 2023 10:12 AM
To: Steven Surdock 
Cc: misc@openbsd.org
Subject: Re: NFS Server performance


On Tue, Dec 05, 2023 at 02:06:44PM +, Steven Surdock wrote:
> Using an OBSD 7.4 VM on VMware as an NFS server on HOST02.   It is primarily 
> used to store VMWare VM backups from HOST01, so VMWare is the NFS client.  
> I'm seeing transfers of about 1.2 MB/s.  
> 
> SCP from HOST01 to OBSD VM (same filesystem) copies at 110 MB/s.  
> Iperf3 from a VM on HOST01 to OBSD on HOST02 gives me 900+ mbps.  
> OBSD is a stock install running -stable.
> NFS is using v3 (according to VMWare) and using TCP During the NFS 
> transfer the RECV-Q on the OBSD interface runs either 64000+ or 0.
> I tried both em and vmx interface types.
> 
> /etc/rc.conf.local:
> mountd_flags="" # for normal use: ""
> nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
> ntpd_flags=""   # enabled during install
> portmap_flags=""# for normal use: ""
> 
> Any clues on where to look to (greatly) improve NFS performance would be 
> appreciated.

Increasing write size, read size and the read-ahead count on the client has 
helped me.

E.g., on the client's fstab:

  10.17.18.10:/shared/stuff  /nfs/stuff  nfs  rw,nodev,nosuid,intr,tcp,bg,noatime,-a=4,-r=32768,-w=32768 0 0

Cheers
Zé




Re: NFS Server performance

2023-12-06 Thread Carsten Reith


Steven Surdock  writes:

> The client is VMWare ESXi, so my options are limited.  I tried
> enabling jumbo frames (used 9000) and this made very little
> difference.
>

Is it possible that you confuse the network layers here? Jumbo frames
are layer 2, the read and write sizes referred to are layer 3. You
can try to set them as suggested, independently of the frame size.



Getting stuck on trying a fresh install to 7.4

2023-12-06 Thread Daniel Ouellet

Hi,

Hopefully you may have a clue stick to offer me.

I try to do a fresh install on servers that run 6.7 to 7.4, but no 
matter what I try, I get stuck.


I tried previous version and I was able to load 7.3. DMESG below for the 
bsd.rd.


I try BIOS change for EFI ONLY, or Legacy & EFI, or Legacy only. No avail.

It's not the console issue either.

I try to boot -c and disable the efi, no difference.

I try to load the bsd.rd i386 to see, or the amd64, still on both cases 
no avail and I put before the different output of each one. The i386 
reboot after a few seconds, the amd64 get stuck until I force a reboot.


I put the actual working dmesg of the current install as well for more info.

On google I saw a few reference at the output I got saying may be the 
cpu doesn't support 64 bits, but it is and have been running the AMD 
for years. So that's not it either.


That really shouldn't make a difference, but just for the records, I 
also run softraid on these servers as shown below.


Could this be a cause may be?

Any suggestion would be greatly appreciated.

Thanks

Daniel


--
Try to boot with i386 bsd.rd
--

I get this and the server reboot after a few seconds.

 [88+160+28]=0x9183001888\
entry point at 0xd02010003291667-

Nothing after that

--
Try to boot with amd64 bsd.rd
--

I get this and stop, nothing happens after that.

+444888+297417]=0xa7679847
entry point at 0x81001000808+3886664+0|

--
Also I tried to load the 74 bsd. I know it wouldn't work, or shouldn't 
with the userland, etc but I just wanted to see if it start to boot 
anyway and it just display the below and reboot.

--

+368672+0+1241088 [1340407+128+1321080+1013316]=0x1973738
entry point at 0x81001000142096|

--
And I tried to load the 74 bsd.mp. Same results, reboot after displaying 
the following.

--

+4137992+363792+0+1236992 [1342507+128+1317840+1011174]=0x1959a68
entry point at 0x81001000

--
Then I tried the 7.3 bsd.rd and it was able to load.
I didn't do a full install, but I sure can, I just want to do a fresh 
install of 7.4 and I can't.


DMESG below of the working version 7.3 amd64 bsd.rd
--

 [109+440424+293778]=0xa667f0
entry point at 0x8100100047616-

Re: Getting stuck on trying a fresh install to 7.4

2023-12-06 Thread Stefan Sperling
On Wed, Dec 06, 2023 at 03:08:09PM -0500, Daniel Ouellet wrote:
> Hi,
> 
> Hopefully you may have a clue stick to offer me.
> 
> I try to do a fresh install on servers that run 6.7 to 7.4, but no matter
> what I try, I get stuck.
> 
> I tried previous version and I was able to load 7.3. DMESG below for the
> bsd.rd.
> 
> I try BIOS change for EFI ONLY, or Legacy & EFI, or Legacy only. No avail.
> 
> It's not the console issue either.
> 
> I try to boot -c and disable the efi, no difference.
> 
> I try to load the bsd.rd i386 to see, or the amd64, still on both cases no
> avail and I put before the different output of each one. The i386 reboot
> after a few seconds, the amd64 get stuck until I force a reboot.
> 
> I put the actual working dmesg of the current install as well for more info.
> 
> On google I saw a few reference at the output I got saying may be the cpu
> doesn't support 64 bits, but it is and have been running the AMD for years.
> So that's not it either.
> 
> That really shouldn't make a difference, but just for the records, I also
> run softraid on these servers as shown below.
> 
> Could this be a cause may be?
> 
> Any suggestion would be greatly appreciated.

Old boot loaders cannot boot 7.4 kernels.
Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
skipping releases during upgrades applies). Then upgrade to 7.4.

Or try booting fresh 7.4 install media from a USB stick.



Re: Getting stuck on trying a fresh install to 7.4

2023-12-06 Thread Crystal Kolipe
On Wed, Dec 06, 2023 at 03:08:09PM -0500, Daniel Ouellet wrote:
> I try to do a fresh install on servers that run 6.7 to 7.4, but no matter
> what I try, I get stuck.
> 
> I tried previous version and I was able to load 7.3. DMESG below for the
> bsd.rd.

When you say, "fresh install", are you actually using the _bootloader_ from
7.4-release, or just trying to load the bsd.rd kernel from your existing
installation?

Or to put it another way, did you download the 7.4-release miniroot image
or just bsd.rd?



Re: Getting stuck on trying a fresh install to 7.4

2023-12-06 Thread Daniel Ouellet

On 12/6/23 3:26 PM, Crystal Kolipe wrote:
> On Wed, Dec 06, 2023 at 03:08:09PM -0500, Daniel Ouellet wrote:
> > I try to do a fresh install on servers that run 6.7 to 7.4, but no matter
> > what I try, I get stuck.
> >
> > I tried previous version and I was able to load 7.3. DMESG below for the
> > bsd.rd.
>
> When you say, "fresh install", are you actually using the _bootloader_ from
> 7.4-release, or just trying to load the bsd.rd kernel from your existing
> installation?
>
> Or to put it another way, did you download the 7.4-release miniroot image
> or just bsd.rd?


I did just the download of bsd.rd, but I am not doing a full install of 
7.3 as suggested by Stefan and will try again and see.


I should know in a few minutes from now.

Thanks

Daniel



Re: NFS Server performance

2023-12-06 Thread Steven Surdock
No confusion.  The read and write buffer sizes would be above layer 3.  VMware 
offers little ability to modify read and write sizes.  It did inspire me to 
find this:  https://kb.vmware.com/s/article/1007909

NFS.ReceiveBufferSize

This is the size of the receive buffer for NFS sockets. This value is chosen 
based on internal performance testing. VMware does not recommend adjusting this 
value.
 
NFS.SendBufferSize

The size of the send buffer for NFS sockets. This value is chosen based on 
internal performance testing. VMware does not recommend adjusting this value.

...

ESXi 6.0, 6.5, 6.7:
Default Net.TcpipHeapMax is 512MB. Default send/receive socket buffer size of 
NFS is 256K each. So each socket consumes ~512K+. For 256 shares, it would be 
~128M. The default TCPIPheapMax is sufficient even for 256 mounts. It's not 
required to increase.

Also,  the man page for mount_nfs implies -w is useful for UDP mounts.  I have 
verified that this mount is using TCP. 

  -w writesize
 Set the write data size to the specified value.  Ditto the
 comments w.r.t. the -r option, but using the "fragments dropped
 after timeout" value on the server instead of the client.  Note
 that both the -r and -w options should only be used as a last
 ditch effort at improving performance when mounting servers that
 do not support TCP mounts.

-Steve S.

-----Original Message-----
From: owner-m...@openbsd.org  On Behalf Of Carsten Reith
Sent: Wednesday, December 6, 2023 11:41 AM
To: misc@openbsd.org
Subject: Re: NFS Server performance

Steven Surdock  writes:

> The client is VMWare ESXi, so my options are limited.  I tried 
> enabling jumbo frames (used 9000) and this made very little 
> difference.
>

Is it possible that you confuse the network layers here? Jumbo frames are 
layer 2, the read and write sizes referred to are layer 3. You can try to 
set them as suggested, independently of the frame size.



Re: Getting stuck on trying a fresh install to 7.4

2023-12-06 Thread Daniel Ouellet

> > Any suggestion would be greatly appreciated.
>
> Old boot loaders cannot boot 7.4 kernels.
> Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
> skipping releases during upgrades applies). Then upgrade to 7.4.

I didn't care what's on it now. All fresh install will do.
I have 22 to do. :(
All fresh as docs are good on what's needed and it's time to wipe clean.

> Or try booting fresh 7.4 install media from a USB stick.


I do one to 7.3 now and it boot, so will see if after that I can boot 
bsd.rd 7.4.


Thank you for the clue stick, will know soon!

Daniel



Re: Getting stuck on trying a fresh install to 7.4 (solved)

2023-12-06 Thread Daniel Ouellet

On 12/6/23 3:42 PM, Daniel Ouellet wrote:
> > > Any suggestion would be greatly appreciated.
> >
> > Old boot loaders cannot boot 7.4 kernels.
> > Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
> > skipping releases during upgrades applies). Then upgrade to 7.4.
>
> I didn't care what's on it now. All fresh install will do.
> I have 22 to do. :(
> All fresh as docs are good on what's needed and it's time to wipe clean.
>
> > Or try booting fresh 7.4 install media from a USB stick.
>
> I do one to 7.3 now and it boot, so will see if after that I can boot
> bsd.rd 7.4.
>
> Thank you for the clue stick, will know soon!
>
> Daniel


Many thanks for the clue stick.

Simple solution as usual. I wish I thought of it, but nevertheless done.

All wipe out, fresh install, patch, configured, files restored and back 
in operation.


Thanks again!

21 more to go...

New dmesg
-
