Re: vpn performance - C2750 vs C2758
On Tue, Jan 27, 2015 at 2:24 PM, Stuart Henderson s...@spacehopper.org wrote:
> On 2015-01-27, Adam Thompson athom...@athompso.net wrote:
>> On 2015-01-27 02:58 AM, Stuart Henderson wrote:
>>> On 2015-01-26, Christian Weisgerber na...@mips.inka.de wrote:
>>>> I don't think we support Quick Assist, whatever that is.
>>>
>>> correct. [...] It doesn't look like something we can use easily.
>>
>> FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist crypto accel support into FreeBSD 10.2 [possibly a private branch??] for some ciphers. Apologies, but I'm completely failing to find the message that mentioned it on the pfSense mailing list, right now. I don't know enough about FreeBSD's cryptodev engine to know if any of that work can be used here.
>
> One problem with that codebase is that it's US crypto.

This PDF from Intel makes reference to OCF-Linux, a Linux port of the OpenBSD/FreeBSD Cryptographic Framework (OCF), as it relates to QuickAssist:

http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/communications-quick-assist-paper.pdf

From what I am seeing, there is a kernel module and userland pieces available for Linux and FreeBSD to support this capability. In addition to Stuart's point on the US crypto code base as it relates to export restrictions, it is also hardware designed by a US company for strong crypto.

Axton
Re: Hardware hunting
Re: Intel ICH9R compatibility with OpenBSD
On Tue, Mar 13, 2012 at 4:37 AM, lilit-aibolit lilit-aibo...@mail.ru wrote:
> 12.03.2012 18:01, Axton wrote:
>> On Mon, Mar 12, 2012 at 9:44 AM, lilit-aibolit lilit-aibo...@mail.ru wrote:
>>> Hello misc, please give me some advice to buy low-power and low-noise HW. My selection is:
>>> http://www.supermicro.nl/products/system/1U/5015/SYS-5015A-PHF.cfm?typ=E
>>> That has the Intel ICH9R chipset. But in supported hardware it is absent:
>>> - Intel 82801 (ICH/ICH0/ICH2/ICH3/ICH4/ICH4-M/ICH5/ICH5R/ICH6/ICH6/ICH6/ICH7)
>>
>> I am using a 5015A (I think 5015A-EHF) without any issues. I don't use the ICH9R or any other ICHxx RAID capabilities, so that chipset does not matter to me. I think the whole architecture of allowing the chipset to use the kernel for RAID capabilities/offloading is garbage. The design has too many points of failure (kernel driver, chipset implementation and firmware, userland software for RAID management, etc.). It's an unreliable implementation that allows people who do not understand what they are doing to say "I have a RAID array" and gives them a pretty GUI to manage the array.
>>
>> Software based RAID in OpenBSD is fine, but lacks some capabilities for setting up a RAID array for the root partition, though I admit I lack in-depth knowledge in this area, so I could be wrong with this statement. I'm sure others will chime in if I'm mistaken.
>>
>> Note these bits:
>>
>> pciide0 at pci0 dev 31 function 2 Intel 82801I SATA rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
>> pciide0: using apic 3 int 19 for native-PCI interrupt
>>
>> That's the important part. OpenBSD seems to work well with this chipset.
>>
>> The network hardware/driver for this machine results in high interrupt rates under heavy load. This is my only complaint with the box. For my needs it works just fine though. I can move traffic through the box at a rate that is acceptable for my needs.
Re: Packet Tagging issues with NAT in pf OBSD 4.9
On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain dbent...@nas.edu wrote:
> Hello Stuart and thanks for your reply. It still doesn't help; this seems to work but I'm not sure if this is a good config:
>
> # NAT RULES
> match out on $ext tagged LAN nat-to ($ext)
>
> # BLOCKING AND PACKET TAGGING
> pass in on $int from $int_net tag LAN
> #pass in on $int tag LAN
> block out on $ext from any to any
> pass out quick on $ext tagged LAN
>
> From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart Henderson [s...@spacehopper.org]
> Sent: Thursday, November 03, 2011 6:53 AM
> To: misc@openbsd.org
> Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9
>
>> you aren't using tagging in your sample.
>>
>> On 2011-11-03, Wesley M. open...@e-solutions.re wrote:
>>> Hi, try this sample
>>>
>>> _int = re0
>>> _ext = fxp1
>>> int_net = 192.168.200.0/24
>>>
>>> set block-policy drop
>>> set skip on lo
>>>
>>> match in all scrub (no-df max-mss 1440)
>>> match out on $_ext inet from $int_net to any nat-to (egress)
>>>
>>> block log all
>>>
>>> pass in on $_int inet proto udp from $int_net to any port domain
>>> pass in on $_int inet proto tcp from $int_net to any port \
>>>     { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
>>> pass out on $_ext inet proto tcp all
>>> pass out on $_ext inet proto udp all
>>>
>>> All the best,
>>> Wesley MOUEDINE ASSABY.
>
> _int = re0
> _ext = fxp1
> int_net = 192.168.200.0/24
>
> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
> pass in on $_int from $int_net tag LAN_TO_INET
> ..
> pass out quick on $_ext tagged LAN_NAT_TO_INET nat-to ($_ext)
>
> Any reason why at the bottom of my .conf file where nat-to is in my quick rule it would work but when it's at the first filter rule it does not? I've read over the man page and have the book of pf v.2 and still am confused. Any thought is greatly appreciated.
>
> Regards,
> Dain

I use something like this. The ruleset has been modified before posting, so no guarantees that I didn't mess something up.
# interfaces
if_lo=lo
if_enc=enc0
if_gif=gif0
if_ext=vlan3
if_int=vlan20
if_srv=vlan40

# interface ip's
ip4_int=10.0.0.1
ip6_int=2001:::20::10
ip4_srv=10.0.20.1
ip6_srv=2001:::40::10

# networks
net4_int=10.0.0.0/22
net6_int=2001:::20::/64
net4_srv=10.0.20.0/22
net6_srv=2001:::40::/64

# other macros
icmp_types=echoreq

# default policy
block log all

# TRANSLATION
match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext) static-port
match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

# allow router access to all nets (ipv4)
pass out on $if_ext proto tcp from $if_ext to any
pass out on $if_ext proto udp from $if_ext to any keep state
pass out on $if_ext inet proto icmp from $if_ext to any keep state
pass out on $if_int proto tcp from $if_int to any
pass out on $if_int proto udp from $if_int to any keep state
pass out on $if_int inet proto icmp from $if_int to any keep state
pass out on $if_int inet6 proto ipv6-icmp from $if_int to any keep state
pass out on $if_srv proto tcp from $if_srv to any
pass out on $if_srv proto udp from $if_srv to any keep state
pass out on $if_srv inet proto icmp from $if_srv to any keep state
pass out on $if_srv inet6 proto ipv6-icmp from $if_srv to any keep state

# tag packets per network
pass in on $if_int proto tcp from { $net4_int, $net6_int } tag INT_INET
pass in on $if_int proto udp from { $net4_int, $net6_int } tag INT_INET keep state
pass in on $if_int inet proto icmp from $net4_int icmp-type $icmp_types tag INT_INET keep state
pass in on $if_int inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv proto udp from { $net4_srv, $net6_srv } tag SRV_INET keep state
pass in on $if_srv inet proto icmp from $net4_srv icmp-type $icmp_types tag SRV_INET keep state
pass in on $if_srv inet6 proto ipv6-icmp tag SRV_INET keep state

# policy enforcement
# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT
# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET
# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET

Axton Grams
Re: Packet Tagging issues with NAT in pf OBSD 4.9
On Thu, Nov 3, 2011 at 1:33 PM, Bentley, Dain dbent...@nas.edu wrote:
> Hello Axton...cool name by the way. I noticed the match statements work for me as well. Perhaps it is required?

This changed with 4.7: http://openbsd.org/faq/upgrade47.html#newPFnat

More details available here: http://marc.info/?l=openbsd-miscm=125181847818600w=2

It may be that the FAQ you used is out of date. What FAQ page were you looking at while setting this up?

Axton Grams
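The difference between putting nat-to on a non-quick pass rule and putting it on a match rule, which this thread and the ruleset posted earlier turn on, can be traced with a small simulator of pf's post-4.7 evaluation order. This is an added example, not code from the thread or from pf itself; it models only the rule semantics relevant here (sticky tags, sticky match options, last-matching-or-quick pass rules), and the interface names, network and external address are constructed.

```python
# Constructed model of pf(4) rule evaluation (OpenBSD 4.7+ semantics), written
# to show why nat-to on a non-quick 'pass' rule is lost while 'match ... nat-to'
# sticks. Simplified simulator, not pf's own code; all names/addresses are
# constructed for the demo.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass
class Packet:
    iface: str
    direction: str              # "in" or "out"
    src: str
    tag: Optional[str] = None   # pf keeps at most one tag per packet


@dataclass
class Rule:
    action: str                     # "pass", "block" or "match"
    direction: Optional[str] = None
    iface: Optional[str] = None
    src_net: Optional[str] = None
    tagged: Optional[str] = None    # match only packets already carrying this tag
    tag: Optional[str] = None       # tag applied when the rule matches (sticky)
    nat_to: Optional[str] = None    # replacement source address
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.tagged and self.tagged != p.tag:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """One pass through the ruleset; returns (verdict, translated source or None).

    Modelled behaviour: every matching rule applies its tag (tags are sticky);
    options on 'match' rules are sticky too and never decide the packet's fate;
    for 'pass'/'block' the last matching rule decides unless it is 'quick';
    nat-to on a pass rule only takes effect when that rule is the deciding one."""
    deciding: Optional[Rule] = None
    sticky_nat: Optional[str] = None
    for r in rules:
        if not r.matches(p):
            continue
        if r.tag:
            p.tag = r.tag               # a later tag replaces an earlier one
        if r.action == "match":
            if r.nat_to:
                sticky_nat = r.nat_to
            continue
        deciding = r
        if r.quick:
            break
    if deciding is not None and deciding.action == "block":
        return "block", None
    nat = deciding.nat_to if (deciding and deciding.nat_to) else sticky_nat
    return "pass", nat


EXT, INT, LAN, EXT_IP = "fxp1", "re0", "192.168.200.0/24", "203.0.113.1"  # constructed


def forward(rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Push one LAN packet in on $int_if and then out on $ext_if, as pf would."""
    p = Packet(INT, "in", "192.168.200.10")
    verdict, _ = evaluate(rules, p)
    if verdict != "pass":
        return verdict, None
    p.iface, p.direction = EXT, "out"   # same packet, same tag, now outbound
    return evaluate(rules, p)


def rulesets() -> Dict[str, List[Rule]]:
    tag_in = Rule("pass", "in", INT, LAN, tag="LAN_TO_INET")
    return {
        # nat-to on the first, non-quick pass rule: the later quick pass rule
        # becomes the deciding rule and carries no nat-to, so NAT is lost
        "pass_nat_first": [
            Rule("block"),
            Rule("pass", "out", EXT, tagged="LAN_TO_INET", tag="LAN_NAT_TO_INET", nat_to=EXT_IP),
            tag_in,
            Rule("pass", "out", EXT, tagged="LAN_NAT_TO_INET", quick=True),
        ],
        # the FAQ-style fix: 'match' applies tag and nat-to as sticky options;
        # the quick pass rule (which must come after it) still passes the packet
        "match_nat": [
            Rule("block"),
            Rule("match", "out", EXT, tagged="LAN_TO_INET", tag="LAN_NAT_TO_INET", nat_to=EXT_IP),
            tag_in,
            Rule("pass", "out", EXT, tagged="LAN_NAT_TO_INET", quick=True),
        ],
        # the working variant from the thread: nat-to on the quick (deciding) rule
        "nat_on_quick": [
            Rule("block"),
            Rule("pass", "out", EXT, tagged="LAN_TO_INET", tag="LAN_NAT_TO_INET"),
            tag_in,
            Rule("pass", "out", EXT, tagged="LAN_NAT_TO_INET", nat_to=EXT_IP, quick=True),
        ],
    }


if __name__ == "__main__":
    for name, rs in rulesets().items():
        print(f"{name:15s} -> {forward(rs)}")
```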
Patch for FAQ - PF: Packet Tagging (Policy Filtering) - New NAT Syntax
This is a patch to update the FAQ at http://www.openbsd.org/faq/pf/tagging.html with the nat syntax changes introduced in 4.7 (http://openbsd.org/faq/upgrade47.html#newPFnat): $ diff -ub tagging.html.bak tagging.html --- tagging.html.bak2011-11-03 17:40:01.596053714 -0500 +++ tagging.html2011-11-03 17:47:07.696539268 -0500 @@ -199,7 +199,7 @@ blockquote tt block allbr -pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br +match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br pass in on $int_if from $int_net tag LAN_INETbr pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZbr @@ -256,7 +256,7 @@ # classification -- classify packets based on the defined firewall # policy. block all -pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br +match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br pass in on $int_if from $int_net tag LAN_INETbr pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ There is a rule on the page that may also require changes: pass in on $ext_if proto tcp from spamd to port smtp \ tag SPAMD rdr-to 127.0.0.1 port 8025 I'm not familiar enough with rdr-to to know if this requires changes. Based on my reading it does not appear to require a change, but someone needs to check me on this. Axton Grams
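Review bot: the pass-to-match change on the translation line in the first hunk is the right fix for the 4.7 semantics this thread ran into, but it moves the pass decision elsewhere: a match rule only applies tag LAN_INET_NAT and nat-to and never passes the packet, so the blockquote example needs a later `pass out on $ext_if tagged LAN_INET_NAT` rule (the policy-enforcement part, as in the ruleset posted earlier on this page), otherwise these packets fall through to the `block all` shown as context. That pass rule also has to sit after the match rule, because `tagged LAN_INET_NAT` only becomes true once the match rule has been evaluated.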
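Review bot: the same dependency applies to the full "# classification" ruleset in the second hunk: after this change the translation line no longer passes anything, so the policy section of that example must keep `pass out on $ext_if tagged LAN_INET_NAT` (the `quick` form is fine, since a quick pass rule without its own nat-to keeps the sticky translation set by the match rule). It would help to state next to the ruleset why match is used: on 4.7+, nat-to on a non-quick pass rule is discarded whenever a later pass rule becomes the last match, which is the "works only when nat-to is on the quick rule at the bottom" behaviour reported in this thread.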
Re: openbsd,keberos,windows
On Thu, May 26, 2011 at 4:43 PM, Vijay Sankar vsan...@foretell.ca wrote:
> I have some experience, not all of it good. Currently I am using Samba and LDAP for MS Clients in production mode. I am experimenting with AFS etc., and that does work well but only on i386. Ideally I would like to have a solution that keeps OpenBSD on amd64 at the centre and have all users on Mac, MS Clients, mobile devices, and Linux all get authenticated by their OpenBSD accounts. So I am still looking ... I am not sure whether this topic is of much interest to people on misc@ so please feel free to send me private email.
>
> On 2011-05-26, at 3:27 PM, Friedrich Locke wrote:
>> Hi, I would like to get in touch with ones that have experience implementing Kerberos in heterogeneous networks (OpenBSD server, Heimdal and MS clients). If you are one, would you mind sending me a note? Thanks in advance. Fried.
>
> Vijay Sankar vsan...@foretell.ca

I use MIT Kerberos and authenticate to that from Windows 7. I imagine a lot of the same applies to the Heimdal implementation. Basically, it consists of these steps:

1. Get the KDC running and operational, including kadmin

2. Create a principal for the Windows host:

   kadmin
   addprinc -pw somepasswd host/hostname.domain.org@REALM

3. Create a user principal:

   kadmin.local
   addprinc username/admin@REALM
   addprinc username@REALM

4. Configure Windows to use the KDC:

   ksetup /setrealm REALM
   ksetup /setdomain DNSDOMAIN
   ksetup /addkdc REALM kdcdnsname
   ksetup /setcomputerpassword somepasswd
   ksetup /mapuser krbuserprincipal@REALM localusername
   ksetup /mapuser * *
   ksetup /addkpasswd HOME.ARSWIKI.ORG galadriel.home.arswiki.org

5. Reboot

You can check the configuration like this:

C:\Windows\system32> ksetup
default realm = REALM (external)
REALM:
    kdc = kdcdnsname
    Realm Flags = 0x0 No Realm Flags
Mapping krbuserprincipal@REALM to localusername.
Mapping all users (*) to a local account by the same name (*).

On Windows, for whatever reason, the dnsdomain needs to match the REALM name.
If they are different, things didn't seem to work. When you log into Windows, log in using REALM\username. The net effect is that Windows will have a Kerberos TGT and a host ticket upon login. These are usable by Windows applications that are Kerberos enabled (i.e., Firefox, Chrome, IE, etc.). The MS kerbtray.exe is useful for verifying that everything is working. It will show your client principal and tickets. This is available from the MS website.

I require pre-auth to request a TGT. This works.

Different versions of Windows support different levels of encryption. Whether the default configuration of Heimdal supports what different versions of Windows support I can't say.

Get ready to read through lots of logs. Troubleshooting on Windows is akin to walking in the dark.

I had issues at first where I could not get apps (browsers) to use the Kerberos TGT to authenticate to Apache servers using mod_auth_kerb. I got this working, but there are still some unknowns. I installed the MIT kfw, things started working, then it stopped, then I uninstalled kfw because I didn't care to have another process running. Things have been working since then (I can auth to Apache via mod_auth_kerb through FF, IE, Chrome). I plan to test on another machine to verify, but still some unknowns. This was on Windows 7.

Axton Grams
Re: hostname.if(5)/ifconfig(8) configuration for gif(4)
On Sun, May 15, 2011 at 6:18 PM, Mark Felder f...@feld.me wrote:
> On Sun, 15 May 2011 16:10:21 -0500, Andreas Bartelt o...@bartula.de wrote:
>> Is there a way to do this correctly via /etc/hostname.gif0 ?
>>
>> Best regards
>> Andreas
>
> Not sure if this helps, but as far as I know this is the way you're supposed to do it for a 6to4 tunnel. Sanitized, but you'll get the point:
>
> $ cat /etc/hostname.gif0
> tunnel LOCAL_IP DEST_IP
> inet6 alias IPV6_NETWORK PREFIXLEN
>
> My issue is that it still doesn't work 100% correctly on boot. If I sh /etc/netstart again, it begins working. Strange.
>
> Regards,
> Mark

For a 6to4 tunnel, you can use something like this in your hostname.gif so that it works on boot:

$ cat /etc/hostname.gif0
tunnel LOCAL_IP4 DEST_IP4
inet6 LOCAL_IP6 dest DEST_IP6
!/sbin/route -n add -inet6 default LOCAL_IP6
!/sbin/route change -inet6 default -ifp gif0

Axton Grams
Re: FYI: OpenBSD 4.9 CDs arriving
On Mon, Apr 25, 2011 at 1:46 PM, Denny White denny...@cableone.net wrote:
> On Mon, Apr 25, 2011 at 10:39:49AM -0400, Dave Anderson spoke thusly:
>> My set just showed up (near Boston, Mass.)
>>
>> Dave
>> --
>> Dave Anderson d...@daveanderson.com
>
> And in Biloxi, MS. Perfect, unscathed in transit. Cool stickers. Sweet!
>
> --
> A lot of money is tainted - Taint yours and taint mine.
> Denny White - denny...@cableone.net
> GnuPG key : 0x1644E79A | http://wwwkeys.de.pgp.net
> Fingerprint: D0A9 AD44 1F10 E09E 0E67 EC25 CB44 F2E5 1644 E79A
> ASCII ribbon campaign - against html e-mail
> www.asciiribbon.org - against proprietary attachments

US/TX on 4-23
Re: Newbie Network/PF Question
On Wed, Jan 5, 2011 at 10:14 AM, Mike. the.li...@mgm51.com wrote:
> On 1/4/2011 at 10:57 PM Josh Smith wrote:
>> pass in on $int_if0 # pass all incoming traffic on our internal interface
>> pass in on $int_if1 # pass all incoming traffic on our internal interface from the test network
>
> I have two internal subnetworks, one for standard frames and one for jumbo frames. Instead of the two rules you cite, I use the following:
>
> # macros
> std_if = em1
> jum_if = em0
> loc_if = lo0
>
> # let internal traffic flow unimpeded
> pass quick on $loc_if
> pass quick on $std_if
> pass quick on $jum_if

set skip is probably more efficient.
Re: soekris + openbsd server buy question
On Fri, Dec 3, 2010 at 8:13 AM, gimes...@gmail.com wrote:
> On Fri, 3 Dec 2010, Patrick Lamaiziere wrote:
>> On Fri, 3 Dec 2010 19:28:19 +0800 (CST), shweg...@gmail.com wrote:
>>> Hello, I'm considering buying a Soekris net5501-70 and install OpenBSD on it to make myself a small server and use it as a proxy (ssh tunnel), it might serve as backup file server as well. I guess at the most there will be two-three computers connected at the same time, and there might be some streaming video going through, like the videos you find on online newspapers. I have googled around, and read that this kind of hardware is fine as a router but not so much as a server. Is it true? Thank you for any suggestions.
>>
>> It depends on the connection, do not expect a 100M/bits link. I use a net5501 for my all-in-one box (file server (samba), printers share, router, ...). The file server is not very fast but is enough for doing backups. (From time to time, backup the server to an external usb disk).
>>
>>> I was also considering using a netbook for the task. What about it?
>>
>> I don't think a netbook will be reliable running 24/24. This was my only concern on the net5501, the reliability of the internal 2.5 disk drive, looks good after 3 years. Check the soekris-tech mailing list, questions about performances are often asked.
>
> Thank you all, I don't need cutting-edge speed, and from what you say, Soekris should just be fine. For file server I have not been clear, in fact I meant a backup server, so it should probably handle all of it quite fine. I'm also checking out a few fanless Atom mini-pcs, but at about the same price soekris is probably more fit for the job.

I've been using one of these for the last couple of months and have been happy with its performance. The IPMI capabilities are very nice.

http://www.supermicro.com/products/system/1U/#Atom
http://www.supermicro.com/products/system/1U/5015/SYS-5015A-PHF.cfm

The only thing I don't care for on it is the trusted platform module chip. The boards have a jumper to disable the chip, but the pins on the motherboard have been removed, so you can not disable it without some soldering.
Re: vlan + em driver
If I understand your message correctly, you have the port on the switch tagged for vlan 30. This means that all packets you send to that port need to be tagged for vlan 30.

I have a vlan for internal (2), dmz (5), and isp (3). The line from my ISP is plugged into an untagged port on the switch, which is set up for the isp vlan (3), and the router has a tagged pseudo interface (vlan3) for the isp connection. This allows routing to all networks over a single interface. I use an em interface on my router but I connect the em interface to a trunk port (accepts packets tagged for vlans 2, 3, and 5, and discards all other packets); I then have a series of vlan pseudo-devices on top of em, where each vlan device specifies a tag. Note that em0 does not get an ip address.

# cat /etc/hostname.em0
up media autoselect

# cat /etc/hostname.vlan2
inet 10.107.208.1 255.255.255.0 NONE vlan 2 vlandev em0
inet6 alias 2001:xxx::2::10 64 vlan 2 vlandev em0

# cat /etc/hostname.vlan3
dhcp vlan 3 vlandev em0

# cat /etc/hostname.vlan5
inet 10.180.16.1 255.255.255.0 NONE vlan 5 vlandev em0
inet6 alias 2001:xxx::5::10 64 vlan 5 vlandev em0

vlan3 is from my ISP and they provision an IP using dhcp.
My ifconfig looks like this:

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
gem0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:b3:ed:68:89
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
        inet6 fe80::202:b3ff:feed:6889%em0 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
        priority: 0
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:b3:ed:68:89
        priority: 0
        vlan: 2 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::202:b3ff:feed:6889%vlan2 prefixlen 64 scopeid 0x5
        inet 10.107.208.1 netmask 0xffffff00 broadcast 10.107.208.255
        inet6 2001:xxx::2::10 prefixlen 64
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:b3:ed:68:89
        priority: 0
        vlan: 3 priority: 0 parent interface: em0
        groups: vlan egress
        inet6 fe80::202:b3ff:feed:6889%vlan3 prefixlen 64 scopeid 0x6
        inet x.x.x.x netmask 0xf800 broadcast 255.255.255.255
vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:b3:ed:68:89
        priority: 0
        vlan: 5 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::202:b3ff:feed:6889%vlan5 prefixlen 64 scopeid 0x7
        inet 10.180.16.1 netmask 0xffffff00 broadcast 10.180.16.255
        inet6 2001:xxx::5::10 prefixlen 64
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        priority: 0
        groups: gif egress
        physical address inet x.x.x.x --> y.y.y.y
        inet6 fe80::203:baff:fe04:b21d%gif0 ->  prefixlen 64 scopeid 0x8
        inet6 2001:xxx:x:xxx::2 -> 2001:xxx:x:xxx::1 prefixlen 128
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
        priority: 0
        groups: pflog

I used to use a trunk device between the physical interfaces and vlan devices as well, but I moved to 1gb instead of 4x100mb interfaces.

Axton Grams

On Thu, May 13, 2010 at 6:52 AM, Marcus Larsson k...@mindwipe.org wrote:
> Hello!
>
> I have a server acting as a router and firewall running 4.6-stable from Apr 24 with an Intel quad port NIC. In short I have problems with traffic going to or from the server itself via a vlan interface. It works fine via em0 which is the uplink to the ISP and doesn't use any vlan and also traffic passing through the server is ok. It doesn't matter whether PF is enabled or disabled, the problem still appears.
>
> em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82576) rev 0x01: apic 0 int 11 (irq 5), address 00:1b:21:63:74:d8
> em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82576) rev 0x01: apic 0 int 12 (irq 10), address 00:1b:21:63:74:d9
>
> # cat /etc/hostname.em0
> inet X.X.X.X 255.255.255.252 NONE
>
> # cat /etc/hostname.em1
> up
>
> # cat /etc/hostname.vlan30
> inet 10.46.196.1 255.255.255.0 NONE vlan 30 vlandev em1
>
> em1 is connected to a port in a switch, vlan 30 is tagged on that port, the switch has IP 10.46.196.8. I can ping 10.46.196.8 but I cannot ssh to it, the ssh attempt hangs at:
>
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>
> and then I get a connection closed. I thought this was MTU related somehow because pings work with small packets, actually ping -s 1472 10.46.196.8 works but anything larger than
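What the reply above describes in words, a vlan(4) pseudo-device inserting a tag into frames that leave the untagged parent and a switch port tagged for one VLAN accepting only frames carrying that tag, can be shown on raw frames. This is an added example, not code from the thread or from OpenBSD; the MAC addresses and payload are constructed, and the port model is a deliberately minimal stand-in for a real switch.

```python
# Constructed 802.1Q model (not OpenBSD's vlan(4) or em(4) code): a vlan(4)
# interface inserts a 4-byte tag into frames leaving its parent, and a switch
# port tagged for a VLAN accepts only frames carrying one of its VIDs.
# MAC addresses and payloads are constructed sample data.
import struct
from typing import Dict, Iterable, Optional, Tuple

TPID_8021Q = 0x8100                        # ethertype slot value marking a tagged frame
ETHERTYPE_IPV4 = 0x0800
SRC_MAC = bytes.fromhex("020000000001")    # locally administered, constructed
DST_MAC = bytes.fromhex("020000000002")


def vid_is_valid(vid: int) -> bool:
    """802.1Q VIDs run 1..4094: 0 means priority-only, 4095 is reserved."""
    return 1 <= vid <= 4094


def build_frame(ethertype: int, payload: bytes, vid: Optional[int] = None,
                pcp: int = 0) -> bytes:
    """Build an Ethernet frame; with vid set, insert an 802.1Q tag after the
    MAC addresses, which is what a vlan(4) device does on its parent."""
    header = DST_MAC + SRC_MAC
    if vid is None:
        return header + struct.pack("!H", ethertype) + payload
    if not vid_is_valid(vid):
        raise ValueError(f"invalid 802.1Q vlan id {vid}")
    tci = (pcp << 13) | vid                # PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vid or None for an untagged frame, inner ethertype, payload)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def trunk_port_accepts(frame: bytes, allowed_vids: Iterable[int]) -> bool:
    """A port tagged for allowed_vids discards untagged frames and frames
    tagged for any other VLAN, as the reply above describes for the trunk port."""
    vid, _, _ = parse_frame(frame)
    return vid is not None and vid in set(allowed_vids)


def demo() -> Dict[str, object]:
    """Send the same payload untagged (straight out of the parent, e.g. em1)
    and via a vlan30 pseudo-device to a port tagged for VLAN 30 only."""
    port_vids = {30}
    untagged = build_frame(ETHERTYPE_IPV4, b"constructed payload")
    tagged = build_frame(ETHERTYPE_IPV4, b"constructed payload", vid=30)
    other = build_frame(ETHERTYPE_IPV4, b"constructed payload", vid=2)
    return {
        "untagged_on_parent": trunk_port_accepts(untagged, port_vids),
        "tagged_vlan30": trunk_port_accepts(tagged, port_vids),
        "tagged_vlan2": trunk_port_accepts(other, port_vids),
        "tag_overhead_bytes": len(tagged) - len(untagged),
        "parsed_vid": parse_frame(tagged)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```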
ATI Device Documentation - Evergreen
If these docs are in line with what is needed to develop a usable driver and there are any developers @openbsd.org out there interested in developing a driver for this card and in need of a hardware donation, let me know. http://developer.amd.com/gpu/ATIStreamSDK/assets/AMD_Evergreen-Family_ISA_Instructions_and_Microcode.pdf - Axton Grams
Invalid 802.1q vlan id using em0 (Intel PRO/1000T) on 4.5
# permit console to do a nice halt

rc.conf.local starts a few services, nothing out of the ordinary:

# cat /etc/rc.conf.local
pf=YES
dhcpd_flags=""
named_flags=""
ntpd_flags=""
ftpproxy_flags=""
isakmpd_flags="-K"
ipsec=YES

Let me know if anyone needs any more information or if this is in fact a bug and I will submit a bug report.

Here is my dmesg:

console is keyboard/display
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2009 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.5 (GENERIC) #1898: Sat Feb 28 17:42:44 MST 2009
    dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 805306368 (768MB)
avail mem = 765681664 (730MB)
mainbus0 at root: Sun Blade 100 (UltraSPARC-IIe)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 502 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external (64 b/l)
psycho0 at mainbus0: pci108e,a001, impl 0, version 0, ign 7c0
psycho0: bus range 0-1, PCI bus 0
psycho0: dvma map c000-dfff
pci0 at psycho0
ebus0 at pci0 dev 12 function 0 "Sun RIO EBus" rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59
ebus1 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
dma at ebus1 addr 0- ivec 0x2a not configured
power0 at ebus1 addr 800-82f ivec 0x20
com0 at ebus1 addr 3f8-3ff ivec 0x2b: ns16550a, 16 byte fifo
com1 at ebus1 addr 2e8-2ef ivec 0x2b: ns16550a, 16 byte fifo
alipm0 at pci0 dev 3 function 0 "Acer Labs M7101 Power" rev 0x00: 223KHz clock
iic0 at alipm0
max1617 at alipm0 addr 0x18 skipped due to alipm0 bugs
scm001 at alipm0 addr 0x20 skipped due to alipm0 bugs
spdmem0 at iic0 addr 0x50: 256MB SDRAM ECC PC133CL2
spdmem1 at iic0 addr 0x51: 256MB SDRAM ECC PC133CL2
spdmem2 at iic0 addr 0x52: 256MB SDRAM ECC PC133CL2
gem0 at pci0 dev 12 function 1 "Sun ERI Ether" rev 0x01: ivec 0x7c6, address 00:03:ba:04:b2:1d
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x0010dd, model 0x0002
"Sun FireWire" rev 0x01 at pci0 dev 12 function 2 not configured
ohci0 at pci0 dev 12 function 3 "Sun USB" rev 0x01: ivec 0x7e4, version 1.0, legacy support
autri0 at pci0 dev 8 function 0 "Acer Labs M5451 Audio" rev 0x01: ivec 0x7e3
ac97: codec id 0x41445348 (Analog Devices AD1881A)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at autri0
midi0 at autri0: <4DWAVE MIDI UART>
pciide0 at pci0 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 0x7cc for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: <WDC WD1600AAJB-56WRA0>
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <LITEON, CD-ROM LTN486S, YSU1> ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ppb0 at pci0 dev 5 function 0 "DEC 21152 PCI-PCI" rev 0x03
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel PRO/1000T (82544GC)" rev 0x02: ivec 0x7d9, address 00:02:b3:ed:68:89
vgafb0 at pci0 dev 19 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vgafb0 mux 1: console (std, sun emulation)
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 "Sun OHCI root hub" rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 4 configuration 1 interface 0 "Sun Microsystems Type 6 Keyboard" rev 1.00/1.02 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 33
wskbd0 at ukbd0: console keyboard, using wsdisplay0
softraid0 at root
bootpath: /p...@1f,0/i...@d,0/d...@0,0
root on wd0a swap on wd0b dump on wd0b

Thanks,
Axton Grams
Re: Invalid 802.1q vlan id using em0 (Intel PRO/1000T) on 4.5
On Sun, May 24, 2009 at 2:52 PM, Axton axton.gr...@gmail.com wrote:
> The vlan id for my em0 interface is not reading properly after upgrading to 4.5. Tcpdump shows some wild vid values in the traffic when using em0:
>
> * This traffic should be on vlan2 (lan)
> 00:21:70:c5:3d:4f ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 512 pri 0 arp who-has 10.107.208.1 tell 10.107.208.50
>
> * This traffic should be on vlan3 (egress vlan)
> 00:1e:be:fe:f3:05 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 768 pri 0 arp who-has 98.196.101.152 tell 98.196.100.1
> 00:1e:be:fe:f3:05 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 768 pri 0 arp who-has 98.196.88.115 tell 98.196.88.1
>
> * This traffic should be on vlan4, it is correct:
> 00:02:b3:ed:68:89 01:00:5e:7f:ff:fa 8100 308: 802.1Q vid 4 pri 0 10.0.0.1.29275 > 239.255.255.250.1900: udp 262 [ttl 1]
> 00:02:b3:ed:68:89 01:00:5e:7f:ff:fa 8100 380: 802.1Q vid 4 pri 0 10.0.0.1.29275 > 239.255.255.250.1900: udp 334 [ttl 1]
>
> It seems as though the vlan id is being multiplied by 256 for vlans 2 and 3.
>
> When I use the gem0 interface on the same machine, things work:
>
> * This traffic should be on vlan2 (lan), it is correct:
> 00:03:ba:04:b2:1d 00:50:8d:95:39:17 8100 110: 802.1Q vid 2 pri 0 10.107.208.1.22 > 10.107.208.102.2692: P 920030:920082(52) ack 11189 win 17520 (DF) [tos 0x10]
> 00:03:ba:04:b2:1d 00:50:8d:95:39:17 8100 110: 802.1Q vid 2 pri 0 10.107.208.1.22 > 10.107.208.102.2692: P 920082:920134(52) ack 11189 win 17520 (DF) [tos 0x10]
>
> * This traffic should be on vlan3 (egress vlan), it is correct:
> 00:1e:be:fe:f3:05 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 3 pri 0 arp who-has 98.194.104.216 tell 98.194.104.1
> 00:1e:be:fe:f3:05 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 3 pri 0 arp who-has 76.31.110.47 tell 76.31.108.1
>
> * This traffic should be on vlan4, it is correct:
> 00:03:ba:04:b2:1d 01:00:5e:7f:ff:fa 8100 373: 802.1Q vid 4 pri 0 10.0.0.1.10117 > 239.255.255.250.1900: udp 327 [ttl 1]
> 00:03:ba:04:b2:1d 01:00:5e:7f:ff:fa 8100 373: 802.1Q vid 4 pri 0 10.0.0.1.10117 > 239.255.255.250.1900: udp 327 [ttl 1]

The em0 interface worked without an issue using 4.4 as did gem0.

Here are my interface configurations using gem0:

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
gem0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:b3:ed:68:89
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::202:b3ff:feed:6889%em0 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
        priority: 0
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        priority: 0
        vlan: 2 priority: 0 parent interface: gem0
        groups: vlan
        inet6 fe80::203:baff:fe04:b21d%vlan2 prefixlen 64 scopeid 0x5
        inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        priority: 0
        vlan: 3 priority: 0 parent interface: gem0
        groups: vlan egress
        inet6 fe80::203:baff:fe04:b21d%vlan3 prefixlen 64 scopeid 0x6
        inet x.x.x.x netmask 0xfc00 broadcast 255.255.255.255
vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        priority: 0
        vlan: 4 priority: 0 parent interface: gem0
        groups: vlan
        inet6 fe80::203:baff:fe04:b21d%vlan4 prefixlen 64 scopeid 0x7
        inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        priority: 0
        vlan: 5 priority: 0 parent interface: gem0
        groups: vlan
        inet6 fe80::203:baff:fe04:b21d%vlan5 prefixlen 64 scopeid 0x8
        inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
        priority: 0
        groups: pflog

Here are my interface configurations using em0:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
gem0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
em0: flags=8843<UP
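The wrong ids in the tcpdump output above are 512 and 768 where vlans 2 and 3 were expected, which is exactly the 16-bit 802.1Q TCI field (0x0002, 0x0003) with its two bytes swapped (0x0200, 0x0300). The host is a big-endian sparc64 machine, and the frames with the wrong id are the ones received from other hosts, while the vid 4 frames that decode correctly carry em0's own address as source, so the pattern is consistent with a byte-order slip somewhere on the receive path rather than with corrupted frames. As an added example (not from the post and not code from the em(4) driver), the following C parser decodes an 802.1Q header as the standard lays it out and shows what the vlan layer would see if the same TCI were handed over byte-swapped; the sample frame is constructed from the first tcpdump line in the post and carries only the header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_VLAN 0x8100

struct dot1q {
    uint8_t  dst[6], src[6];
    uint16_t tpid;      /* 0x8100 on an 802.1Q tagged frame */
    uint8_t  pri;       /* 3-bit priority code point */
    uint8_t  cfi;       /* 1-bit canonical format indicator */
    uint16_t vid;       /* 12-bit VLAN id */
    uint16_t ethertype; /* encapsulated protocol */
};

/* 802.1Q fields are big-endian on the wire, regardless of host order. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse a tagged Ethernet header. Returns 0 on success, -1 when the
 * frame is too short for a tag or carries no 802.1Q tag. */
int parse_dot1q(const uint8_t *frame, size_t len, struct dot1q *out)
{
    if (len < 18)
        return -1;
    memcpy(out->dst, frame, 6);
    memcpy(out->src, frame + 6, 6);
    out->tpid = be16(frame + 12);
    if (out->tpid != ETHERTYPE_VLAN)
        return -1;
    uint16_t tci = be16(frame + 14);
    out->pri = (uint8_t)(tci >> 13);
    out->cfi = (uint8_t)((tci >> 12) & 1);
    out->vid = tci & 0x0fff;
    out->ethertype = be16(frame + 16);
    return 0;
}

/* The vid the vlan layer sees if the TCI arrives with its two bytes
 * swapped, e.g. a little-endian 16-bit value read on a big-endian host.
 * The 12-bit mask is applied afterwards, as the vlan code does. */
uint16_t vid_if_byteswapped(uint16_t tci)
{
    uint16_t swapped = (uint16_t)((tci << 8) | (tci >> 8));
    return swapped & 0x0fff;
}

/* Constructed sample: the ARP request on vlan 2 from the post, header only. */
const uint8_t sample_vlan2_arp[18] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* dst: broadcast */
    0x00, 0x21, 0x70, 0xc5, 0x3d, 0x4f,   /* src */
    0x81, 0x00,                           /* TPID 0x8100 */
    0x00, 0x02,                           /* TCI: pri 0, cfi 0, vid 2 */
    0x08, 0x06                            /* ARP */
};

int main(void)
{
    struct dot1q h;

    if (parse_dot1q(sample_vlan2_arp, sizeof sample_vlan2_arp, &h) != 0)
        return 1;
    uint16_t tci = (uint16_t)((h.pri << 13) | (h.cfi << 12) | h.vid);
    printf("vid %u pri %u ethertype 0x%04x; the same TCI byte-swapped gives vid %u\n",
           h.vid, h.pri, h.ethertype, vid_if_byteswapped(tci));
    return 0;
}
```

Run against the sample it reports vid 2 and a byte-swapped vid of 512; feeding 0x0003 to vid_if_byteswapped gives 768, matching the second set of frames in the post.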
Re: Redirect traffic based on sub-domain?
On Sun, Apr 27, 2008 at 5:44 PM, Markus Bergkvist [EMAIL PROTECTED] wrote:
> Hi,
>
> Is it possible to have PF redirecting traffic based on sub-domains? I.e. I want traffic to a.mydomain.nu to be redirected to machine 'a' and traffic to b.mydomain.nu to be redirected to machine 'b'.
>
> No. From the pf.conf man page (http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html):
>
>     pf(4) has the ability to block and pass packets based on attributes of their layer 3 (see ip(4) and ip6(4)) and layer 4 (see icmp(4), icmp6(4), tcp(4), udp(4)) headers. In addition, packets may also be assigned to queues for the purpose of bandwidth control.
>
> /Markus

Look into reverse proxies:
http://www.sans.org/reading_room/whitepapers/webservers/302.php

Axton Grams
Re: PoPToP Vulnerability Question
On Jan 28, 2008 11:05 PM, Richard P. Koett [EMAIL PROTECTED] wrote:
> Dear Misc:
>
> I've been asked to look into an issue on an i386 system running OpenBSD 3.7. I realize this is rather out-of-date, so feel free to ignore this question if it's inappropriate...
>
> The machine is running poptop-1.1.4.b4p1. Someone did an audit and declared PoPToP servers prior to version 1.1.4-bs are vulnerable to a buffer overflow.
>
> I notice that even the current version of OpenBSD has a package for poptop-1.1.4.b4p1, so I find it hard to believe that this version contains a known buffer overflow.
>
> My question is - what information can I provide the auditor to assure them of this?
>
> Thanks in advance for any comments. For what it's worth I am aware of alternatives to PoPToP such as OpenVPN.
>
> RPK.

http://www.openbsd.org/faq/faq15.html#Intro

See the third paragraph in this section.
Re: rouge IPs / user
On Dec 7, 2007 12:51 PM, badeguruji [EMAIL PROTECTED] wrote:
> I am getting constant hacking attempts into my computer from the following IPs. Although I have configured my ssh config and tcp-wrappers to deny such attempts, I wish some expert soul in this community would 'fix' this rogue hacker for ever, for everyone's good. This hacker could be spoofing the IPs, but I have only the IPs in my message logs (and a url)...
>
> 218.6.16.30
> 195.187.33.66
> 202.29.21.6
> 60.28.201.57
> 218.24.162.85
> wpc4643.amenworld.com
> 202.22.251.23
> 219.143.232.131
> 220.227.218.21
> 124.30.42.36
>
> -for community.
> -BG
> ~~Kalyan-mastu~~

Afraid it's a fact of life when running things on the open net. Don't worry about it. Make sure the way you authenticate to ssh isn't weak. I use key based authentication and don't use passwords. This gives me peace of mind. It's a bit harder to guess and I don't have to worry about accounts with weak passwords. I also only allow specific users to authenticate to ssh. The DoS hits I get periodically are the ones that bother me.

Axton Grams
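The advice in the reply is that with key-only authentication and a restricted user list the guessing attempts are noise; what remains useful is knowing which sources produce them and confirming that none of them ever succeeds. As an added example (not from the post), the following C program tallies sshd "Failed password" and "Accepted publickey" events per source address over constructed log lines in OpenBSD's syslog format and flags sources at or above a threshold. The addresses are documentation ranges, not the ones listed in the post, and the threshold of 3 is an arbitrary choice for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAXSRC 64
#define IPLEN  46          /* room for an IPv6 literal plus NUL */

struct srccount { char ip[IPLEN]; int failed; int accepted; };
struct tally    { struct srccount src[MAXSRC]; int n; };

/* Find or create the counter for a source address. */
static struct srccount *counter_for(struct tally *t, const char *ip)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->src[i].ip, ip) == 0)
            return &t->src[i];
    if (t->n == MAXSRC)
        return NULL;
    struct srccount *s = &t->src[t->n++];
    snprintf(s->ip, sizeof s->ip, "%s", ip);
    s->failed = s->accepted = 0;
    return s;
}

/* Copy the word after " from " (sshd's source address) into ip.
 * Returns 0 when the line carries no source address. */
static int source_ip(const char *line, char *ip, size_t iplen)
{
    const char *f = strstr(line, " from ");
    size_t i = 0;

    if (f == NULL)
        return 0;
    f += strlen(" from ");
    while (f[i] != '\0' && f[i] != ' ' && i < iplen - 1) {
        ip[i] = f[i];
        i++;
    }
    ip[i] = '\0';
    return i > 0;
}

/* Count sshd password failures and public-key logins per source. */
void tally_sshd(const char *log, struct tally *t)
{
    const char *p = log;

    t->n = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512], ip[IPLEN];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (source_ip(line, ip, sizeof ip)) {
            struct srccount *s = counter_for(t, ip);
            if (s != NULL) {
                if (strstr(line, "Failed password") != NULL)
                    s->failed++;
                else if (strstr(line, "Accepted publickey") != NULL)
                    s->accepted++;
            }
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
}

int failed_from(const struct tally *t, const char *ip)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->src[i].ip, ip) == 0)
            return t->src[i].failed;
    return 0;
}

/* Number of sources with at least `threshold` failed password attempts. */
int noisy_sources(const struct tally *t, int threshold)
{
    int n = 0;
    for (int i = 0; i < t->n; i++)
        if (t->src[i].failed >= threshold)
            n++;
    return n;
}

/* Constructed sample lines in OpenBSD syslog format (not real traffic). */
const char *sample_sshd_log =
    "Dec  7 12:40:01 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2\n"
    "Dec  7 12:40:03 gw sshd[1236]: Failed password for invalid user oracle from 192.0.2.10 port 51023 ssh2\n"
    "Dec  7 12:40:05 gw sshd[1240]: Failed password for root from 192.0.2.10 port 51024 ssh2\n"
    "Dec  7 12:41:10 gw sshd[1250]: Failed password for invalid user test from 198.51.100.7 port 4022 ssh2\n"
    "Dec  7 12:45:00 gw sshd[1260]: Accepted publickey for axton from 203.0.113.5 port 55010 ssh2\n";

int main(void)
{
    struct tally t;

    tally_sshd(sample_sshd_log, &t);
    for (int i = 0; i < t.n; i++)
        printf("%-16s failed=%d accepted=%d%s\n", t.src[i].ip, t.src[i].failed,
               t.src[i].accepted, t.src[i].failed >= 3 ? "  <- password guessing" : "");
    return 0;
}
```

With PasswordAuthentication disabled, every "Failed password" line from a source is an attempt that could never have succeeded; the tally is there to spot the persistent sources and to confirm that the only accepted logins are key-based ones from hosts you expect.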
PF Changes in 4.2
I remember reading some changes to the defaults for pf in how states are tracked in pf.conf rules (default is now keep state flags S/SA). For the life of me I can not find any official reference to it on the internet or in my mail. Can someone give me a pointer? The only reference I can find on the net (nothing from openbsd.org): http://home.nuug.no/~peter/pf/en/long-firewall.html#AEN415 Thanks, Axton Grams
ntpd question - double free?
In parse.y for OpenBSD's ntpd, would/could this result in a double free:

number		: STRING			{
			u_long	ulval;
			const char *errstr;

			ulval = strtonum($1, 0, INT_MAX, &errstr);
			if (errstr) {
				yyerror("\"%s\" invalid: %s", $1, errstr);
				free($1);
				YYERROR;
			} else
				$$ = ulval;
			free($1);
		}
		;

From http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/parse.y?rev=1.30&content-type=text/x-cvsweb-markup

The if statement will free($1) if it is not a valid u_long, then at the end of the block, there is a subsequent free($1). I'm a C newbie and I'm trying to learn, so don't beat me with the clue stick too hard.

Axton
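The detail that answers the question is what YYERROR expands to: in the byacc skeleton OpenBSD's yacc emits it is `goto yyerrlab`, a jump to the parser's error-recovery label, so on the invalid path control leaves the action right after the first free($1) and the trailing free($1) is never executed. Each path frees the token string exactly once. As an added example (not code from ntpd), the following C program models that action outside a generated parser, with the same YYERROR definition, a free counter, and a strtonum(3) stand-in built on strtoll so it compiles on libcs that lack strtonum (an assumption about the contract, not the libc implementation).

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* byacc defines YYERROR as a jump to the parser's error-recovery label;
 * the same definition is used here so the action below behaves as it
 * would inside the generated parser. */
#define YYERROR goto yyerrlab

int  free_count;            /* frees of the token string in the last call */
char last_error[128];       /* what yyerror() would have reported */

static void tracked_free(char *p)
{
    free_count++;
    free(p);
}

/* Stand-in for strtonum(3): same contract, built on strtoll. */
static long long
my_strtonum(const char *s, long long minval, long long maxval, const char **errstr)
{
    char *end;
    long long v;

    errno = 0;
    v = strtoll(s, &end, 10);
    if (*s == '\0' || *end != '\0') {
        *errstr = "invalid";
        return 0;
    }
    if ((errno == ERANGE && v == LLONG_MIN) || v < minval) {
        *errstr = "too small";
        return 0;
    }
    if ((errno == ERANGE && v == LLONG_MAX) || v > maxval) {
        *errstr = "too large";
        return 0;
    }
    *errstr = NULL;
    return v;
}

/* The `number : STRING` action from parse.y, with $1 as `tok` (owned by
 * the action) and $$ as `*out`. Returns 0 on success and -1 where the
 * generated parser would take the YYERROR path. */
int number_action(char *tok, unsigned long *out)
{
    unsigned long ulval;
    const char *errstr;

    ulval = (unsigned long)my_strtonum(tok, 0, INT_MAX, &errstr);
    if (errstr) {
        snprintf(last_error, sizeof last_error, "\"%s\" invalid: %s", tok, errstr);
        tracked_free(tok);
        YYERROR;            /* leaves the block: the free below is not reached */
    } else
        *out = ulval;
    tracked_free(tok);
    return 0;

yyerrlab:
    return -1;
}

/* Run the action on a heap copy of a literal and count its frees. */
int run_number(const char *literal, unsigned long *out)
{
    char *tok = malloc(strlen(literal) + 1);

    if (tok == NULL)
        return -2;
    strcpy(tok, literal);
    free_count = 0;
    return number_action(tok, out);
}

int main(void)
{
    unsigned long v = 0;
    const char *inputs[] = { "42", "abc", "-5", "99999999999" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = run_number(inputs[i], &v);
        printf("%-12s rc=%2d frees=%d", inputs[i], rc, free_count);
        if (rc == 0)
            printf(" value=%lu\n", v);
        else
            printf(" error=%s\n", last_error);
    }
    return 0;
}
```

The counter reads 1 after every input, valid or not; the code would only double free if YYERROR were replaced by something that falls through to the end of the block.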
Re: another dumb vlan question
: vlan egress
        inet6 y::y:y:y:y%vlan3 prefixlen 64 scopeid 0xd
        inet x.x.x.x netmask 0xf800 broadcast 255.255.255.255
vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        vlan: 30 priority: 0 parent interface: trunk0
        groups: vlan
        inet6 fe80::203:baff:fe04:b21d%vlan30 prefixlen 64 scopeid 0xe
        inet 10.180.17.1 netmask 0xff00 broadcast 10.180.17.255

The routing tables then look like this:

# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use    Mtu  Interface
default            x.x.x.x            UGS        9  6034124      -  vlan3
10.107.208/24      link#12            UC         5        0      -  vlan2
10.180.16/24       link#11            UC         1        0      -  vlan10
10.180.17/24       link#14            UC         1        0      -  vlan30
x.x.x/21           link#13            UC         1        0      -  vlan3
127/8              127.0.0.1          UGRS       0        0  33192  lo0
127.0.0.1          127.0.0.1          UH         2      708  33192  lo0
224/4              127.0.0.1          URS        0        0  33192  lo0

Axton
Re: Promise PDC20621 support
On 3/4/07, j sidabras [EMAIL PROTECTED] wrote: Hello All, I know promise hasn't been the most forthcoming company when releasing specifications for their hardware. But it seems the first hardware docs for the promise SX4 (PDC20621) have been released: http://gkernel.sourceforge.net/specs/promise/pdc20621-pguide-dimm-1.6.pdf.bz2 http://gkernel.sourceforge.net/specs/promise/pdc20621-pguide-pll-ata-timing-1.2.pdf.bz2 Shamefully I do not have the ability to write drivers, but I was wondering if the openbsd team knows about these specifications and if anyone is working on implementing these drivers. Thanks Jason If there are any interested developers, I have one card I can donate; it does not have a dimm installed and one is required for the card to operate. Email me privately if you are interested. I am in the US and I can cover shipping costs. Card details: 32-bit PCI Promise FastTrack sx4000 Chip Num: Promise ATARAID5 PDC20621 Chip Num: MX MO20750 29LV400BTC-90 2F502800 ASSY 0116-00 REV A5 Axton Grams
Re: VPN solutions for OpenBSD to Windows
On 12/22/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi gang, I'm looking for peoples' experiences and advice for setting up a VPN between OpenBSD (I will be using 4.0) and Windows XP/2000 systems. I have tested the Greenbow client and it seems ok. What of the built-in VPN client for the Windows OS? I am mostly interested in ease of configuration and reliability of the tunnel. I am ok on IPSEC theory. Thanks in advance for any comments, Peter The greenbow client is definitely easier to use than the built-in MS IPSec client, and offers a lot more in terms of capabilities. There are some limitations on the MS client as far as what types of encryption you can use with the Phase1/2 negotiations. With the Windows client, there are two approaches I've used to establish IPSec tunnels: (1) the IPSec MMC Snap-in and (2) the command line method (via the windows support tools). In either case, there is no clear way to see that a tunnel is established or to close the tunnel. It's clear to the savvy user on how to close a tunnel, but if you are looking to deploy it to a regular user-base, it probably won't be so clear. With the MMC snap-in, you can export the settings, then another user can import those settings, at which point only minor changes are required to make it work (configure the ip for your end of the tunnel). The same applies to the command line approach. Axton Grams
Vlans using a trunk device
-  vlan2
10.180.16/24       link#11            UC         0        0      -  vlan10
10.180.17/24       link#14            UC         0        0      -  vlan30
x.x.x.x/y          link#13            UC         0        0      -  vlan3
127/8              127.0.0.1          UGRS       0        0  33192  lo0
127.0.0.1          127.0.0.1          UH         0        0  33192  lo0
224/4              127.0.0.1          URS        0        0  33192  lo0

Also, anything that looks off in the config provided, please chime in. Read some postings about changing mtu on vlan devices, but don't know enough to know what to do. I do know that vlan ids are 12-bit numbers, so not sure if an mtu of 1503 is appropriate or not.

Thanks for any insight,
Axton Grams
Re: Vlans using a trunk device
Stuart Henderson wrote:
> On 2006/10/08 15:31, Axton Grams wrote:
> > While working with the trunk and vlan features of OpenBSD, I ran into one thing that I do not understand. In order to use a trunk device for multiple vlan's, the trunk device must have an ip address assigned.
>
> Your ifconfig output is from when it's working, isn't it? Start from not-working and diff the two (ifconfig > /tmp/broken; ifconfig trunk0 \
> 10.1.1.1; ifconfig | diff -u /tmp/broken -) and see what changed. You'll probably see that before you added the address it wasn't configured UP. If that's the case, you just need to add the word up on a line in /etc/hostname.trunk0
>
> > Read some postings about changing mtu on vlan devices, but don't know enough to know what to do.
>
> If changing mtu makes a difference to vlans, you're probably better off searching for better NICs.

Stuart,

Thanks for the info. It must have been some other config problem that I misinterpreted as the trunk interface needing an ip. Altered the hostname.trunk0 with the appropriate parameters (no ip, just up and trunkdevs) and all is well. Started this this morning and changed a lot in that time frame. Works like a charm.

Axton Grams
Re: VPN(8) pf settings
Gustavo Rios wrote:
> Dear friends,
>
> I am starting to learn VPN, and i am very confused with some points. For instance, concerning firewall rules. It is not clear right now, on which interface i should see the protocol esp, ipencap, ah, etc. I could not figure it out on which interface, should i filter tcp, udp and application layer traffic like dns, http, ftp, ftp-data, etc between the both networks i am connecting ...
>
> Thanks in advance.

Started learning this myself recently. Many of the examples require a lot of thinking to straighten out because they do not offer a topology of the networks the example config files are against.

I have a vpn working where lan machines can access the dmz network. Clients are XP and the Router is OpenBSD. The pf.conf was the last trick after getting isakmpd to negotiate the main and quick mode sa's.

The network is like this:

DMZ Net: 10.180.16/24
LAN Net: 10.107.208/24

The pf.conf reads like this:

# interfaces
if_lo=  "lo0"
if_ext= "hme0"
if_int= "hme1"
if_dmz= "hme2"
if_enc= "enc0"

# interface ip's
ip_ext= "x.x.x.x"
ip_int= "10.107.208.1"
ip_dmz= "10.180.16.1"

# interface networks
net_int= "10.107.208.0/24"
net_dmz= "10.180.16.0/24"

# OPTIONS
set block-policy drop
set loginterface $if_ext
set require-order yes
set optimization normal
set state-policy if-bound
set skip on { $if_lo }
set debug none

# NORMALIZATION
scrub all reassemble tcp random-id fragment reassemble \
        no-df min-ttl 24 max-mss 1460

# TRANSLATION
nat on $if_ext inet tag INT_NAT tagged LAN_INET -> ($if_ext)
nat on $if_ext inet tag DMZ_NAT tagged DMZ_INET -> ($if_ext)
nat-anchor "ftp-proxy/*"

# REDIRECTION
rdr-anchor "ftp-proxy/*"

# PACKET FILTERING
block log all
anchor "ftp-proxy/*"
antispoof log quick for $if_ext inet

# allowable traffic to outside networks
pass in on $if_int from $net_int to !<reserved> tag \
        LAN_INET keep state
pass in on $if_dmz from $net_dmz to !<reserved> tag \
        DMZ_INET keep state

# allowable traffic to router from lan
pass in on $if_int proto udp from $net_int to $ip_int \
        port $proto_router_udp_int_in keep state
pass in on $if_int proto tcp from $net_int to $ip_int \
        port $proto_router_tcp_int_in modulate state flags S/SA

# allow router access to some external services
pass out on $if_ext from ($if_ext) to any tag RTR_INET

# VPN access for LAN-to-DMZ ipsec
# Passing in encrypted traffic from security gateways
pass in on $if_int proto esp from $net_int to $ip_int \
        keep state
pass out on $if_int proto esp from $ip_int to $net_int \
        keep state

# Need to allow ipencap traffic on enc0.
pass in on $if_enc proto ipencap all keep state

# Passing in traffic from the designated subnets.
# (only allow traffic into dmz, prevent traffic from dmz to lan)
pass in on $if_enc from $net_int to $net_dmz tag VPN_INT \
        keep state
#pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET

# Passing in isakmpd(8) traffic from the security gateways
pass in on $if_int proto udp from $net_int to $ip_int \
        port isakmp keep state
pass out on $if_int proto udp from $ip_int to $net_int \
        port isakmp keep state

# policy enforcement
pass out on $if_ext inet proto tcp tagged RTR_INET modulate \
        state flags S/SA
pass out on $if_ext inet proto udp tagged RTR_INET keep state
pass out on $if_ext inet proto tcp tagged INT_NAT modulate \
        state flags S/SA
pass out on $if_ext inet proto udp tagged INT_NAT keep state
pass out on $if_ext inet proto tcp tagged DMZ_NAT modulate \
        state flags S/SA
pass out on $if_ext inet proto udp tagged DMZ_NAT keep state
pass out on $if_dmz inet proto tcp tagged VPN_INT modulate \
        state flags S/SA
pass out on $if_dmz inet proto udp tagged VPN_INT keep state
pass out on $if_int inet proto tcp tagged VPN_EXT modulate \
        state flags S/SA
pass out on $if_int inet proto udp tagged VPN_EXT keep state

Some things were removed, but this should give the general idea. Still knocking around to make sure things aren't slipping through that shouldn't, but working good so far.

You should be able to block/allow whatever traffic you want between the two networks with rules that follow this format, just specify the dports:

pass in on $if_enc from $net_int to $net_dmz tag VPN_INT \
        keep state
pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET

Axton
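One check worth running on a ruleset that enforces policy through tags, as the one above does: a `tagged NAME` rule only matches packets that an earlier rule marked with `tag NAME`, so a tag that is consumed but never assigned leaves its rules dead rather than permissive. In the ruleset above, VPN_EXT is matched by the last two `pass out on $if_int` rules, but nothing assigns it; the only rule that would tag return traffic from the DMZ is commented out, and it uses VPN_NET anyway. As an added example (not from the post), the following C scanner collects the assigned and matched tag names from pf.conf text, skipping comments and honouring backslash continuations, and reports the tags that are matched but never assigned. The embedded ruleset is an abridged copy of the one in the post, constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXTAGS 32
#define TAGLEN  32

struct tagset { char name[MAXTAGS][TAGLEN]; int n; };

/* Add a tag name to a set, ignoring duplicates. */
static void add_tag(struct tagset *s, const char *word, size_t len)
{
    if (len >= TAGLEN)
        len = TAGLEN - 1;
    for (int i = 0; i < s->n; i++)
        if (strlen(s->name[i]) == len && memcmp(s->name[i], word, len) == 0)
            return;
    if (s->n < MAXTAGS) {
        memcpy(s->name[s->n], word, len);
        s->name[s->n][len] = '\0';
        s->n++;
    }
}

int has_tag(const struct tagset *s, const char *name)
{
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->name[i], name) == 0)
            return 1;
    return 0;
}

/* Scan pf.conf text. "tag NAME" assigns a tag to matching packets;
 * "tagged NAME" only matches packets already carrying it. Text from '#'
 * to end of line is a comment, so a commented-out rule assigns nothing.
 * A backslash-newline between the keyword and the name is a continuation. */
void collect_tags(const char *conf, struct tagset *assigned, struct tagset *matched)
{
    const char *p = conf;
    int in_comment = 0;

    assigned->n = matched->n = 0;
    while (*p != '\0') {
        if (*p == '#')
            in_comment = 1;
        else if (*p == '\n')
            in_comment = 0;
        if (in_comment || !isalpha((unsigned char)*p)) {
            p++;
            continue;
        }
        const char *w = p;
        while (isalnum((unsigned char)*p) || *p == '_')
            p++;
        size_t wl = (size_t)(p - w);
        int is_tag = (wl == 3 && memcmp(w, "tag", 3) == 0);
        int is_tagged = (wl == 6 && memcmp(w, "tagged", 6) == 0);
        if (!is_tag && !is_tagged)
            continue;
        for (;;) {                       /* skip blanks and continuations */
            if (*p == ' ' || *p == '\t')
                p++;
            else if (*p == '\\' && p[1] == '\n')
                p += 2;
            else
                break;
        }
        const char *n = p;
        while (isalnum((unsigned char)*p) || *p == '_')
            p++;
        if (p > n)
            add_tag(is_tag ? assigned : matched, n, (size_t)(p - n));
    }
}

/* Tags that rules match on but no rule assigns. Returns the count and
 * fills `orphans` with the names. */
int orphan_tags(const char *conf, struct tagset *orphans)
{
    struct tagset assigned, matched;

    collect_tags(conf, &assigned, &matched);
    orphans->n = 0;
    for (int i = 0; i < matched.n; i++)
        if (!has_tag(&assigned, matched.name[i]))
            add_tag(orphans, matched.name[i], strlen(matched.name[i]));
    return orphans->n;
}

/* Abridged, constructed copy of the ruleset in the post above. */
const char *sample_pfconf =
    "nat on $if_ext inet tag INT_NAT tagged LAN_INET -> ($if_ext)\n"
    "nat on $if_ext inet tag DMZ_NAT tagged DMZ_INET -> ($if_ext)\n"
    "pass in on $if_int from $net_int to !<reserved> tag \\\n"
    "        LAN_INET keep state\n"
    "pass in on $if_dmz from $net_dmz to !<reserved> tag DMZ_INET keep state\n"
    "pass out on $if_ext from ($if_ext) to any tag RTR_INET\n"
    "pass in on $if_enc from $net_int to $net_dmz tag VPN_INT keep state\n"
    "#pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET\n"
    "pass out on $if_ext inet proto tcp tagged RTR_INET modulate state flags S/SA\n"
    "pass out on $if_ext inet proto udp tagged INT_NAT keep state\n"
    "pass out on $if_ext inet proto udp tagged DMZ_NAT keep state\n"
    "pass out on $if_dmz inet proto udp tagged VPN_INT keep state\n"
    "pass out on $if_int inet proto tcp tagged VPN_EXT modulate state flags S/SA\n"
    "pass out on $if_int inet proto udp tagged VPN_EXT keep state\n";

int main(void)
{
    struct tagset o;
    int n = orphan_tags(sample_pfconf, &o);

    for (int i = 0; i < n; i++)
        printf("tagged %s is matched but never assigned\n", o.name[i]);
    return 0;
}
```

Against the sample it reports VPN_EXT only. The scanner is lexical, so it does not know rule order or anchors; it is a quick consistency check to run after editing a tag-based ruleset, not a replacement for reading pfctl -sr output.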
Re: IPsec Configuration Questions
Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your ipsec.conf on the firewall look like?
>
> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
> > Hoping someone can point me in the right direction to get isakmpd working.
> >
> > The scenario:
> > - the router drops all traffic directed to it from the dmz net
> > - the router drops all traffic destined for the lan from the dmz
> > - the router drops all traffic destined for the dmz from the lan
> > - vlan1 (dmz) has linux hosts
> > - vlan2 (lan) has windows and linux hosts, for the purpose of this exercise, I am using a windows host
> >
> > The goals:
> > - create a way by which hosts in the lan can connect to the dmz network using ipsec/isakmpd
> > - starting off with simple auth, shared secret passphrase
> >
> > The problem:
> > - I am unable to establish a SA between the router and the lan hosts
> >
> > isakmpd returns the following:
> > 155359.461787 Default message_recv: cleartext phase 2 message
> > 155359.462366 Default dropped message from 10.107.208.20 port 500 due to notification type INVALID_FLAGS
> >
> > Some background Info:
> > My network is as follows: (trunking is next on my list, but for now, I have separate interfaces on the router for each vlan)
> >
> > [network diagram: Internet (dynamic ip, 1.1.1.2) -- router/fw/isakmpd with 10.180.16.1 on the dmz side and 10.107.208.1 on the lan side -- switch carrying vlan1 (dmz: www server 10.180.16.250) and vlan2 (lan: workstation 1, 10.107.208.20)]

I have the ipsec working between the two networks, but I wanted to get a sanity check on my pf.conf. I could not find any examples of the ipsec/enc rules that used tagging for policy enforcement and wanted to make sure there are no issues with doing so.

##
# MACROS
# interfaces
if_lo=  "lo0"
if_ext= "hme0"
if_int= "hme1"
if_dmz= "hme2"
if_von= "hme3"
if_enc= "enc0"

# interface ip's
ip_ext= "x.x.x.x"
ip_int= "10.107.208.1"
ip_dmz= "10.180.16.1"
ip_von= "10.180.17.1"

# interface networks
net_int= "10.107.208.0/24"
net_dmz= "10.180.16.0/24"
net_von= "10.180.17.0/24"

# DMZ Host 1
ip_dmzhost1= "10.180.16.250"
proto_in_inet_tcp_dmzhost1= "{ 443 }"
proto_in_inet_udp_dmzhost1= ""
proto_in_inet_icmp_dmzhost1= ""

# TABLES

# OPTIONS
set block-policy drop
set loginterface $if_ext
set require-order yes
set optimization normal
set state-policy if-bound
set skip on { $if_lo }
set debug none

# NORMALIZATION
scrub all reassemble tcp random-id fragment reassemble no-df \
        min-ttl 24 max-mss 1460

# QUEUEING

# TRANSLATION
nat on $if_ext inet tag INT_NAT tagged LAN_INET -> ($if_ext)
nat on $if_ext inet tag DMZ_NAT tagged DMZ_INET -> ($if_ext)
nat on $if_ext inet tag VON_NAT tagged VON_INET -> ($if_ext)
nat-anchor "ftp-proxy/*"

# REDIRECTION
# External access to DMZ
rdr on $if_ext inet proto tcp from any to port 443 tag \
        TAG_HTTPS -> $ip_dmzhost1 port 443
# FTP Proxy
rdr-anchor "ftp-proxy/*"

# PACKET FILTERING
# implicit first rule
block log all
anchor "ftp-proxy/*"

# MISC: silently drop broadcasts (cable modem noise)
block in quick on $if_ext from any to { 255.255.255.255, \
        0.0.0.0 }

# ANTISPOOFING
antispoof log quick for $if_ext inet

# HOST: ROUTER
# allowable incoming traffic
pass in on $if_int from $net_int tag LAN_INET keep state
pass in on $if_dmz from $net_dmz tag DMZ_INET keep state
pass in on $if_von from $net_von tag VON_INET keep state

# allow incoming traffic to dmz
pass in on $if_ext tagged TAG_HTTPS keep state

# allow router access to internet
pass out on $if_ext from ($if_ext) to any tag RTR_INET

# ipsec access for LAN-to-DMZ
# Passing in encrypted traffic from security gateways
pass in on $if_int proto esp from $net_int to $ip_int \
        keep state
pass out on $if_int proto esp from $ip_int to $net_int \
        keep state

# Need to allow ipencap traffic on enc0.
pass in on $if_enc proto ipencap all keep state

# Passing in traffic from the designated subnets.
# (only allow traffic into dmz, prevent tunnel in)
pass in on $if_enc from $net_int to $net_dmz tag VPN_INT
Re: IPsec Configuration Questions
Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your ipsec.conf on the firewall look like?
>
> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
> > Hoping someone can point me in the right direction to get isakmpd working.
> >
> > The scenario:
> > - the router drops all traffic directed to it from the dmz net
> > - the router drops all traffic destined for the lan from the dmz
> > - the router drops all traffic destined for the dmz from the lan
> > - vlan1 (dmz) has linux hosts
> > - vlan2 (lan) has windows and linux hosts, for the purpose of this exercise, I am using a windows host
> >
> > The goals:
> > - create a way by which hosts in the lan can connect to the dmz network using ipsec/isakmpd
> > - starting off with simple auth, shared secret passphrase
> >
> > Some background Info:
> > My network is as follows: (trunking is next on my list, but for now, I have separate interfaces on the router for each vlan)
> >
> > [network diagram: Internet (dynamic ip, 1.1.1.2) -- router/fw/isakmpd with 10.180.16.1 on the dmz side and 10.107.208.1 on the lan side -- switch carrying vlan1 (dmz: www server 10.180.16.250) and vlan2 (lan: workstation 1, 10.107.208.20)]
> >
> > - OpenBSD Router:
> > - relevant ifconfig
> >
> > ** internet
> > hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr xxx
> >         groups: egress
> >         media: Ethernet 100baseTX full-duplex
> >         status: active
> >         inet6 xxx%hme0 prefixlen 64 scopeid 0x2
> >         inet 1.1.1.2 netmask 0xe000 broadcast 1.1.1.255
> > ** lan
> > hme1: flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST> mtu 1500
> >         lladdr 08:00:20:ca:7d:c5
> >         media: Ethernet 100baseTX
> >         status: active
> >         inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
> >         inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
> > ** dmz
> > hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 08:00:20:ca:7d:c6
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
> >         inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4

I see the SA established on both machines when I generate traffic from the lan machine to the dmz machine:

# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.180.0.0/16 peer 10.107.208.20
flow esp out from 10.180.0.0/16 to 10.107.208.20 peer 10.107.208.20

SADB:
esp tunnel from 10.107.208.1 to 10.107.208.20 spi 0x6a1e4b88 enc 3des-cbc auth hmac-sha1
esp tunnel from 10.107.208.20 to 10.107.208.1 spi 0x2f9e0f0b enc 3des-cbc auth hmac-sha1

C:\Program Files\Support Tools>ipseccmd show sas

Main Mode SAs
--
Main Mode SA #1:
 From 10.107.208.20
 To   10.107.208.1
 Policy Id : {F692F46D-7E01-4929-9DA3-AAEFD79B7A97}
 Offer Used : 3DES SHA1 DH Group 2
 Quickmode limit : 0, Lifetime 0Kbytes/28800seconds
 Auth Used : Preshared Key
 Initiator cookie 4d9a6c5aa8ea5bf1
 Responder cookie ef0f72aba9f15fc8
 Source UDP Encap port : 500  Dest UDP Encap port: 500

Quick Mode SAs
--
Quick Mode SA #1:
 Filter Id : {22A8F939-89C3-4978-9F9A-BEA0B46B4163}
 Tunnel Filter
 From 10.107.208.20
 To   subnet 10.180.0.0 mask 255.255.0.0
 Protocol : 0  Src Port : 0  Des Port : 0
 Direction : Outbound
 Tunnel From 10.107.208.20
 Tunnel To   10.107.208.1
 Policy Id : {F7161316-2A79-495C-8FB8-DC7662246113}
 Offer Used : Algo #1 : Encryption 3DES SHA1 (24bytes/0rounds) (20secbytes/0secrounds)
   MySpi 1780370312 PeerSpi 798887691
 PFS : False, Lifetime 10Kbytes/3600seconds
 Initiator cookie 4d9a6c5aa8ea5bf1
 Responder cookie ef0f72aba9f15fc8

The command completed successfully.

The ipsec settings are configured using the following:

ipseccmd.exe -u
ipseccmd.exe -f 0=10.180.16.0/255.255.255.0 -n ESP[3DES,SHA] -t 10.107.208.1 -a PRESHARE:sharedsecret -1s 3DES-SHA-2
ipseccmd.exe -f 10.180.16.0/255.255.255.0=0 -n ESP[3DES,SHA] -t 10.107.208.20 -a PRESHARE:sharedsecret -1s 3DES-SHA-2

For some reason though, traffic from the lan machine to the dmz machine is going into a black hole. pflog0 shows no dropped packets, nothing odd in messages.

C:\WINDOWS>ping 10.180.16.250

Pinging 10.180.16.250 with 32 bytes of data:

Negotiating IP Security.
Request timed out.
Request timed out.
Request timed out.

These are the stats from the client side. You can see the outgoing traffic
Re: IPsec Configuration Questions
6
141649.571484 Exch 10 exchange_finalize: icookie b713c39cd0c47724 rcookie 56a69eddda558c2b
141649.571895 Exch 10 exchange_finalize: msgid
141649.572567 Exch 10 exchange_finalize: phase 1 done: initiator id 0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src: 10.107.208.1 dst: 10.107.208.20
141649.573066 Timr 10 timer_add_event: event sa_soft_expire(0x47987000) added last, expiration in 27100s
141649.573700 Timr 10 timer_add_event: event sa_hard_expire(0x47987000) added last, expiration in 28800s
141649.578955 Timr 10 timer_add_event: event exchange_free_aux(0x47986c00) added before sa_soft_expire(0x47987000), expiration in 120s
141649.579558 Exch 10 exchange_setup_p2: 0x47986c00 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 32 step 0
141649.579991 Exch 10 exchange_setup_p2: icookie b713c39cd0c47724 rcookie 56a69eddda558c2b
141649.580495 Exch 10 exchange_setup_p2: msgid 63ba711f sa_list
141649.585479 Timr 10 timer_add_event: event message_send_expire(0x43fb5000) added before exchange_free_aux(0x47986e00), expiration in 7s
141649.586872 Timr 10 timer_remove_event: removing event message_send_expire(0x43fb5000)
141649.588331 Exch 10 exchange_finalize: 0x47986c00 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 32 step 2
141649.588933 Exch 10 exchange_finalize: icookie b713c39cd0c47724 rcookie 56a69eddda558c2b
141649.589361 Exch 10 exchange_finalize: msgid 63ba711f sa_list 0x47987200
141649.590025 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI 0x1086163f
141649.590493 Timr 10 timer_add_event: event sa_soft_expire(0x47987200) added before sa_soft_expire(0x47987000), expiration in 3279s
141649.591070 Timr 10 timer_add_event: event sa_hard_expire(0x47987200) added before sa_soft_expire(0x47987000), expiration in 3600s
141649.592114 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI 0x633b612e
141649.593627 Timr 10 timer_remove_event: removing event exchange_free_aux(0x47986c00)

Thanks,
Axton Grams

Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your ipsec.conf on the firewall look like?
>
> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
> > Hoping someone can point me in the right direction to get isakmpd working.
> >
> > The scenario:
> > - the router drops all traffic directed to it from the dmz net
> > - the router drops all traffic destined for the lan from the dmz
> > - the router drops all traffic destined for the dmz from the lan
> > - vlan1 (dmz) has linux hosts
> > - vlan2 (lan) has windows and linux hosts, for the purpose of this exercise, I am using a windows host
> >
> > The goals:
> > - create a way by which hosts in the lan can connect to the dmz network using ipsec/isakmpd
> > - starting off with simple auth, shared secret passphrase
> >
> > The problem:
> > - I am unable to establish a SA between the router and the lan hosts
> >
> > isakmpd returns the following:
> > 155359.461787 Default message_recv: cleartext phase 2 message
> > 155359.462366 Default dropped message from 10.107.208.20 port 500 due to notification type INVALID_FLAGS
> >
> > Some background Info:
> > My network is as follows: (trunking is next on my list, but for now, I have separate interfaces on the router for each vlan)
> >
> > [network diagram: Internet (dynamic ip, 1.1.1.2) -- router/fw/isakmpd with 10.180.16.1 on the dmz side and 10.107.208.1 on the lan side -- switch carrying vlan1 (dmz: www server 10.180.16.250) and vlan2 (lan: workstation 1, 10.107.208.20)]
> >
> > - OpenBSD Router:
> > - relevant ifconfig
> >
> > ** internet
> > hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr xxx
> >         groups: egress
> >         media: Ethernet 100baseTX full-duplex
> >         status: active
> >         inet6 xxx%hme0 prefixlen 64 scopeid 0x2
> >         inet 1.1.1.2 netmask 0xe000 broadcast 1.1.1.255
> > ** lan
> > hme1: flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST> mtu 1500
> >         lladdr 08:00:20:ca:7d:c5
> >         media: Ethernet 100baseTX
> >         status: active
> >         inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
> >         inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
> > ** dmz
> > hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 08:00:20:ca:7d:c6
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
> >         inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
> >
> > # cat isakmpd.policy
Re: IPsec Configuration Questions
Hans-Joerg Hoexer wrote:
what ipsec software is running on the clients? What does your ipsec.conf on the firewall look like?

ipsecctl shows the following during the negotiation, but the vpn client ends the connection.

# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.107.208.1 peer 10.107.208.20
flow esp out from 10.107.208.1 to 10.107.208.20 peer 10.107.208.20

SADB:
esp transport from 10.107.208.20 to 10.107.208.1 spi 0x546b7788 enc 3des-cbc auth hmac-md5
esp transport from 10.107.208.1 to 10.107.208.20 spi 0x85cdd5a3 enc 3des-cbc auth hmac-md5

On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
Hoping someone can point me in the right direction to get isakmpd working.

The scenario:
- the router drops all traffic directed to it from the dmz net
- the router drops all traffic destined for the lan from the dmz
- the router drops all traffic destined for the dmz from the lan
- vlan1 (dmz) has linux hosts
- vlan2 (lan) has windows and linux hosts; for the purpose of this exercise, I am using a windows host

The goals:
- create a way by which hosts in the lan can connect to the dmz network using ipsec/isakmpd
- starting off with simple auth, shared secret passphrase

The problem:
- I am unable to establish a SA between the router and the lan hosts

isakmpd returns the following:
155359.461787 Default message_recv: cleartext phase 2 message
155359.462366 Default dropped message from 10.107.208.20 port 500 due to notification type INVALID_FLAGS

Some background Info:
My network is as follows (trunking is next on my list, but for now, I have separate interfaces on the router for each vlan):

[ASCII network diagram, garbled in extraction. Recoverable content: Internet (dynamic ip) 1.1.1.2 on the router/fw/isakmpd box; router dmz side 10.180.16.1, lan side 10.107.208.1; a switch with vlan1 (dmz) and vlan2 (lan); www server 10.180.16.250 on vlan1; workstation 1 10.107.208.20 on vlan2]

- OpenBSD Router:
- relevant ifconfig

** internet
hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr xxx
        groups: egress
        media: Ethernet 100baseTX full-duplex
        status: active
        inet6 xxx%hme0 prefixlen 64 scopeid 0x2
        inet 1.1.1.2 netmask 0xe000 broadcast 1.1.1.255

** lan
hme1: flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST> mtu 1500
        lladdr 08:00:20:ca:7d:c5
        media: Ethernet 100baseTX
        status: active
        inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
        inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3

** dmz
hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:20:ca:7d:c6
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
        inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4

# cat isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:foobar"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "3des" &&
            esp_auth_alg == "hmac-md5" -> "true";

# isakmpd -d -4 -DA=10
155358.773509 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
155358.775093 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
155358.775757 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
155358.776153 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
155358.776672 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
155358.777056 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
155358.777524 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
155358.777914 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
155358.778416 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
155358.778794 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
155358.779267 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]
155358.788915 Misc 10 monitor_init: privileges dropped for child process
155359.444597 Timr 10 timer_add_event: event connection_checker(0x4fe41420) added last, expiration in 0s
155359.451947 Timr 10 timer_handle_expirations: event connection_checker(0x4fe41420)
155359.452947 Timr 10 timer_add_event: event
Re: IPsec Configuration Questions
Hans-Joerg Hoexer wrote:
what ipsec software is running on the clients? What does your ipsec.conf on the firewall look like?

Some updated info:

For whatever reason, the last two packets in the packet capture show a DELETE action:

20:14:24.117160 10.107.208.20.isakmp > router.arswiki.org.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 5ad2b89593ca41af-acd59e7bdeb12259 msgid: 44aa1cd7 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)
20:15:06.955703 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 5ad2b89593ca41af-acd59e7bdeb12259 msgid: 8c2a671f len: 68
        payload: HASH len: 24
        payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1 SPI: 0xa3ee9768 [ttl 0] (id 1, len 96)
20:15:06.958120 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 5ad2b89593ca41af-acd59e7bdeb12259 msgid: b81113d3 len: 80
        payload: HASH len: 24
        payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1 cookie: 5ad2b89593ca41af-acd59e7bdeb12259 [ttl 0] (id 1, len 108)

*** ipsecctl output:
# date
Sun Sep 3 20:14:33 EDT 2006
# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.107.208.1 peer 10.107.208.20
flow esp out from 10.107.208.1 to 10.107.208.20 peer 10.107.208.20

SADB:
esp transport from 10.107.208.1 to 10.107.208.20 spi 0xbb351f90 enc 3des-cbc auth hmac-md5
esp transport from 10.107.208.20 to 10.107.208.1 spi 0xa3ee9768 enc 3des-cbc auth hmac-md5

*** isakmpd output:
# isakmpd -L -d -4 -DA=10
201358.608890 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
201358.610514 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
201358.611163 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
201358.611570 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
201358.612056 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
201358.612448 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
201358.612928 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
201358.613299 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
201358.613755 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
201358.614134 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
201358.614628 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]
201358.624595 Misc 10 monitor_init: privileges dropped for child process
201359.285220 Default log_packet_init: starting IKE packet capture to file /var/run/isakmpd.pcap
201423.864748 Timr 10 timer_add_event: event exchange_free_aux(0x4af26c00) added last, expiration in 120s
201423.865819 Exch 10 exchange_setup_p1: 0x4af26c00 client Default-main-mode policy responder phase 1 doi 1 exchange 2 step 0
201423.866355 Exch 10 exchange_setup_p1: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201423.866923 Exch 10 exchange_setup_p1: msgid
201423.867580 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
201423.868493 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
201423.869011 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
201423.869577 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
201423.871151 Timr 10 timer_add_event: event message_send_expire(0x45a64e00) added before exchange_free_aux(0x4af26c00), expiration in 7s
201423.906614 Timr 10 timer_remove_event: removing event message_send_expire(0x45a64e00)
201423.996634 Timr 10 timer_add_event: event message_send_expire(0x45a64a00) added before exchange_free_aux(0x4af26c00), expiration in 7s
201424.097443 Timr 10 timer_remove_event: removing event message_send_expire(0x45a64a00)
201424.099859 Exch 10 exchange_finalize: 0x4af26c00 client Default-main-mode policy responder phase 1 doi 1 exchange 2 step 6
201424.100502 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201424.100925 Exch 10 exchange_finalize: msgid
201424.101661 Exch 10 exchange_finalize: phase 1 done: initiator id 0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src: 10.107.208.1 dst: 10.107.208.20
201424.102202 Timr 10 timer_add_event: event sa_soft_expire(0x4af26e00) added last, expiration in 27302s
201424.102757 Timr 10 timer_add_event: event sa_hard_expire(0x4af26e00) added last, expiration in 28800s
201424.107976 Timr 10 timer_add_event: event exchange_free_aux(0x4af27000) added before sa_soft_expire(0x4af26e00), expiration in 120s
201424.108592 Exch 10 exchange_setup_p2: 0x4af27000 unnamed no policy policy responder phase 2 doi 1 exchange 32 step 0
201424.109035 Exch 10 exchange_setup_p2: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201424.109560 Exch 10 exchange_setup_p2: msgid 44aa1cd7 sa_list
201424.114593 Timr 10 timer_add_event:
IPsec Configuration Questions
exchange_setup_p2: 0x44909000 unnamed no policy policy responder phase 2 doi 1 exchange 5 step 0
155359.460737 Exch 10 exchange_setup_p2: icookie 4d18594e523695f1 rcookie a6af81ffd3a2d153
155359.461263 Exch 10 exchange_setup_p2: msgid e5eb6990 sa_list
155359.461787 Default message_recv: cleartext phase 2 message
155359.462366 Default dropped message from 10.107.208.20 port 500 due to notification type INVALID_FLAGS
155359.462856 Timr 10 timer_add_event: event exchange_free_aux(0x44909200) added last, expiration in 120s
155359.463566 Exch 10 exchange_establish_p1: 0x44909200 unnamed no policy policy initiator phase 1 doi 1 exchange 5 step 0
155359.464001 Exch 10 exchange_establish_p1: icookie e82be37d8c1ae997 rcookie
155359.464539 Exch 10 exchange_establish_p1: msgid
155359.465751 Exch 10 exchange_finalize: 0x44909200 unnamed no policy policy initiator phase 1 doi 1 exchange 5 step 1
155359.466300 Exch 10 exchange_finalize: icookie e82be37d8c1ae997 rcookie
155359.466708 Exch 10 exchange_finalize: msgid
155359.467220 Timr 10 timer_remove_event: removing event exchange_free_aux(0x44909200)
155406.461707 Timr 10 timer_handle_expirations: event message_send_expire(0x4d2dab00)
155406.463417 Timr 10 timer_add_event: event message_send_expire(0x4d2dab00) added before connection_checker(0x4fe41420), expiration in 9s

Thanks,
Axton Grams
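The "ipsecctl -s all" output quoted in the replies to this thread shows two flows and two SAs between 10.107.208.20 and 10.107.208.1, both negotiated with 3des-cbc and hmac-md5 (the algorithms the isakmpd.policy above permits). The check below is an added example and not part of the original thread: it parses the FLOWS and SADB sections of that output, reports any flow that has no SA in the same direction (an SA missing on one side is a common reason a "negotiated" tunnel still passes no traffic), and flags SAs negotiated with legacy algorithms (3DES, single DES, null encryption or HMAC-MD5), which a practitioner would not accept today. The exact src/dst matching assumes host-to-host transport-mode flows, as in the output on this page; the sample text in the test is a constructed copy of that output.

```shell
#!/bin/sh
# Added example, not from the original thread: audit "ipsecctl -s all"
# output. For every flow, require an SA in the same direction, and flag
# SAs negotiated with legacy algorithms (3DES/DES/null encryption or
# HMAC-MD5 authentication). Exact src/dst matching assumes host-to-host
# (transport mode) flows, as in the output quoted in this thread.

# ipsec_audit: read "ipsecctl -s all" on stdin; print one line per
# finding ("legacy: ..." or "no-sa: ..."); return 0 only when clean.
ipsec_audit() {
    awk '
        BEGIN { bad = 0 }
        /^FLOWS:/ { sect = "flow"; next }
        /^SADB:/  { sect = "sa";   next }

        # flow esp in from SRC to DST peer PEER ...
        sect == "flow" && $1 == "flow" { flows[$5 " " $7] = 1 }

        # esp transport from SRC to DST spi X enc E auth A
        sect == "sa" && $1 == "esp" {
            sas[$4 " " $6] = 1
            enc = ""; auth = ""
            for (i = 7; i < NF; i++) {
                if ($i == "enc")  enc  = $(i + 1)
                if ($i == "auth") auth = $(i + 1)
            }
            if (enc ~ /^(3des|des|null)/ || auth ~ /^hmac-md5/) {
                printf "legacy: %s -> %s enc=%s auth=%s\n", $4, $6, enc, auth
                bad = 1
            }
        }

        END {
            for (f in flows)
                if (!(f in sas)) {
                    split(f, a, " ")
                    printf "no-sa: %s -> %s\n", a[1], a[2]
                    bad = 1
                }
            exit bad
        }'
}

# usage on the firewall: ipsecctl -s all | ipsec_audit
```

Run it on the router while the client is connected; an empty result with exit status 0 means every flow has its SA and nothing legacy was negotiated. On the output quoted above it exits non-zero with two "legacy:" lines, which is the expected result for a 3des-cbc/hmac-md5 policy.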
Re: Default PF policy
João Salvatti wrote:
Hi all,

I have an OpenBSD 3.9 machine acting as a firewall. It has two network interface cards, one connected to my local network and the other one connected to Internet.

My default policy is blocking all traffic using "block all". I don't want anyone from my local network to connect to MSN and P2P programs, so I haven't created any rule to permit that kind of packet traffic. But I'm facing a lot of problems due to this, because I have to specify packets that should pass through my internal and external interfaces.

I'd like any ideas or tips from PF gurus about how to improve my firewall policies. I have an idea: allow everything at my internal NIC and block all at my external NIC, so all I had to do was specify allowed incoming and outgoing traffic only at my external NIC. But I'll be waiting for (better) proposals.

By now thanks for the time spent reading this e-mail.

You can approach this several different ways.

If going the route where you plan to pass all traffic in the internal interface, use the 'skip' option:

    set skip on $if_int

If you want to allow access out for certain ports, create a macro to store the list of ports you want to allow, then use that macro in your filters. This makes maintenance easy because you can add/remove tcp/udp ports as needed. If you need to restrict access on a per host/port basis, you will need separate rules for each designated host.

    # MACROS
    if_ext  = "fxp0"              # external interface (assumed name; not defined in the original)
    if_int  = "fxp1"              # internal interface (assumed name; not defined in the original)
    net_int = "192.168.1.0/24"    # internal network (assumed; not defined in the original)
    lan_tcp_out = "{ 22, 25, 80, 443 }"
    lan_udp_out = "{ 53, 123 }"

    # TABLES
    # bogon prefixes; the original listed "2/8, 5/8, 7/8, ..." and elided the rest
    table <bogon> const { 2/8, 5/8, 7/8 }

    # FILTERS
    pass out on $if_ext inet proto tcp from $net_int to !<bogon> \
        port $lan_tcp_out modulate state flags S/SA
    pass out on $if_ext inet proto udp from $net_int to !<bogon> \
        port $lan_udp_out keep state

In the snippets above, I use the reserved table to store certain bogon nets. See http://www.completewhois.com/bogons/ for a list of current bogon nets. Instructions on automating the load of this data are available on http://www.completewhois.com/bogons/bogons_usage.htm.

If you want to not allow all traffic from the internal network, you can extend the above snippet to handle the traffic from your lan to your router:

    # MACROS
    if_ext  = "fxp0"              # assumed name; not defined in the original
    if_int  = "fxp1"              # assumed name; not defined in the original
    net_int = "192.168.1.0/24"    # assumed; not defined in the original
    lan_tcp_out = "{ 22, 25, 80, 443 }"
    lan_udp_out = "{ 53, 123 }"

    # TABLES
    # <bogon> is the table to replace from the completewhois list with
    # "pfctl -t bogon -T replace -f file"; the original seeded it with the
    # same prefixes as <reserved> (20.20.20.0/24 is the original's placeholder)
    table <bogon> persist { 0/8, 10/8, 20.20.20.0/24, 127/8, \
        169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
        255.255.255.255/32 }
    table <reserved> const { 0/8, 10/8, 20.20.20.0/24, 127/8, \
        169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
        255.255.255.255/32 }

    # FILTERS
    # pf cannot build one table out of other tables (the original's
    # "net_ext" table would not load), so "neither reserved nor bogon"
    # is expressed as quick blocks ahead of the pass rules
    block in  quick on $if_int from $net_int to { <reserved>, <bogon> }
    block out quick on $if_ext from $net_int to { <reserved>, <bogon> }
    pass in on $if_int inet proto tcp from $net_int to any \
        port $lan_tcp_out keep state
    pass out on $if_ext inet proto tcp from $net_int to any \
        port $lan_tcp_out modulate state flags S/SA
    pass in on $if_int inet proto udp from $net_int to any \
        port $lan_udp_out keep state
    pass out on $if_ext inet proto udp from $net_int to any \
        port $lan_udp_out keep state

I just typed those up, so there may be inaccuracies. Hopefully you get the idea behind the structure.

Axton Grams
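A helper for the bogon-loading step referred to above, added here as an example; it is not part of the original post and not the completewhois.com procedure. It assumes the pf table is called <bogon> and that the downloaded list has one dotted-quad a.b.c.d/n prefix per line with '#' or ';' comments (the list format is not shown on this page). The caveat it addresses: "pfctl -T replace" installs exactly what the file contains, so an empty or truncated download, or an HTML error page saved as the list, would silently empty the table, and one malformed line would make pfctl reject the whole file. The helper keeps only well-formed IPv4 CIDR entries and refuses to replace the table when fewer than an expected minimum survive.

```shell
#!/bin/sh
# Added example, not from the original post or from completewhois.com:
# validate a downloaded bogon prefix list before loading it into pf.
# Table name and list format (one a.b.c.d/n per line, '#'/';' comments)
# are assumptions.

BOGON_TABLE=bogon

# bogon_filter: stdin -> stdout, keeping only well-formed IPv4 CIDR
# entries; comments, blank lines and anything malformed are dropped.
bogon_filter() {
    awk '
        {
            sub(/[#;].*/, "")                 # strip trailing comment
            gsub(/[ \t\r]+/, "")              # and any whitespace
            if ($0 == "") next
            if (split($0, p, "/") != 2) next  # exactly one "/"
            if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            print $0
        }'
}

# bogon_check FILE [MIN]: succeed only if FILE yields at least MIN
# (default 1) valid prefixes; guards against replacing the table with
# an empty or junk download.
bogon_check() {
    min=${2:-1}
    count=$(bogon_filter < "$1" | wc -l | tr -d ' ')
    [ "$count" -ge "$min" ]
}

# bogon_load FILE [MIN]: validate, then atomically replace the table.
bogon_load() {
    if ! bogon_check "$1" "$2"; then
        echo "bogon list rejected: fewer than ${2:-1} valid prefixes" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    bogon_filter < "$1" > "$tmp"
    pfctl -t "$BOGON_TABLE" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# usage on the firewall, after fetching the list: bogon_load /tmp/bogons.txt 50
```

For this to work with the pf.conf above, declare the table as "table <bogon> persist" (not const), since pfctl cannot replace a const table; pick the minimum-entries argument from the size of a known-good list so that a short or empty download is rejected rather than installed.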
Re: openbsd and the money -solutions
I fail to see why there aren't at least 2000 people/organizations/OS's/OS projects willing to donate at a dollar a day. That should give the projects what they need to evolve at a healthy pace.

~5,000/mo for power, internet connection, and other overhead
~25,000/mo for hackathons
~10,000/mo for hardware
~20,000/mo for a team of developers

You all write good software, count me at a dollar a day paid monthly. Surely more people can afford the same?

Axton Grams
Re: OpenBSD/Linux centralized authentication
On 3/19/06, Joachim Schipper [EMAIL PROTECTED] wrote:
On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
Hi misc,

At work, we are running a Microsoft Active Directory for our Windows Domain, which mainly provides Windows Desktops for our customers and centralized authentication. We also have several OpenBSD/Linux boxes for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to centralize these Unix authentications... Is there a way to authenticate directly over a MS Domain Controller? How can this be achieved (Kerberos, LDAP..?)? Also, is it a good idea? :) What are the alternatives (building an OpenLDAP server, Kerberos, (we don't want NIS!))?

Hope somebody has some advice to share,

There are many, many solutions.

If it's just servers with a limited number of accounts, rdist(8) works just fine, and saves a lot of complicated stuff that takes time to set up and breaks occasionally. It could be scripted if you want to fully automate something.

For a more complete solution, I am pretty sure there is a Linux PAM module to authenticate against their AD implementation (it's part of SAMBA, IIRC). Not sure about OpenBSD.

Also, once the user accounts are synchronized, you'd probably be able to tell a Kerberos client to talk to the AD server. I've never tried it, but it should work - more or less. See the info pages for heimdal on OpenBSD.

Joachim

Active Directory has an LDAP interface on the domain controllers. You could opt to authenticate directly against the AD tree or replicate the tree entirely or partially to openldap and manage/use that tree. Seems that some LDAP implementations have problems replicating password information, though I can't remember the specifics.

This page has a little info that may help:
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes

Axton Grams
Re: OpenBSD has bad security
In the html, there is a reference to an easter egg:

<!-- Here's the WideOpenBSD.ORG easter egg
$ dig quote.wideopenbsd.org txt -->

The output is (thanks B for the output, meant to reply to the list originally):

; <<>> DiG 9.2.2 <<>> quote.wideopenbsd.org txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41571
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;quote.wideopenbsd.org.         IN      TXT

;; ANSWER SECTION:
quote.wideopenbsd.org.  3600    IN      TXT     [xxx] goddamn I love openssh [xxx] it never takes more than 2-6 lines to turn the client into an exploit

;; AUTHORITY SECTION:
wideopenbsd.org.        2005    IN      NS      ns14.zoneedit.com.
wideopenbsd.org.        2005    IN      NS      ns15.zoneedit.com.

;; ADDITIONAL SECTION:
ns14.zoneedit.com.      119162  IN      A       209.126.137.108
ns15.zoneedit.com.      134976  IN      A       69.10.134.195

;; Query time: 301 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon Mar 6 10:39:00 2006
;; MSG SIZE  rcvd: 238

Am I missing something? Was expecting to find an openssh/openbsd exploit since he touts how numerous/easy they are.

Axton Grams

On 3/6/06, Bryan Brake [EMAIL PROTECTED] wrote:
Bryan Irvine wrote:
For a laugh go here.
http://wideopenbsd.org/

How much does it cost to register a domain these days? Is it registered to Dave Feustel?

The author of the site appears to go above and beyond to spread FUD... I mean, he uses HTML and even has an image.

<sarcasm>I think he's serious folks</sarcasm>

Bryan Brake
BSD Boot Problems
Ran into an issue last night where my bsd (sparc64) would not boot. The boot stalled very close to the beginning of the boot process, right after it listed the available devices, followed by some number (address?) with the /-|\/-|/ spinner. The boot hung at this point. I was able to correct the problem by booting from cd and running the upgrade install back to the hd. Any insight as to why this would happen? Thanks, Axton Grams
Re: sun quad hme performance
I am able to max out my sun qfe at around 9.3MB/second on my lan when passing through the interface twice (two separate subnets where the qfe is used as the router interfaces). Used http to test the speed of the interface.

The part number/model of my interface is SUN QUAD FAST ETHERNET PCS X1034A 501-5406; using a 32bit pci slot though the card is 64-bit. Machine is a sunblade 100 with a 500mhz ultrasparc [EMAIL PROTECTED] w/ 768mb ram. pf was managing 25 states at the time of the test.

Axton Grams

-- Miguel wrote
Hi,

i read in the archives a lot of references about poor performance with the sun quad ethernet (hme) on different servers (netras and sunfires), is this still an issue or has been addressed in 3.8 or 3.9-current, i have two sunfire v120 that are losing packets between their ports, when i activate the pf rules the ping response time is very high, around 1253 ms, so our whatsup monitor reports them down, the cpu load is very low (0.12) and the memory usage is 70mb, total memory of 512 mb, so this is not a resource problem. What can i check?

--- thanks
Re: Hardware+OpenBSD wiki
Does anyone see a problem if the wiki server were hosted in the US?

Axton Grams

On 1/22/06, Srebrenko Sehic [EMAIL PROTECTED] wrote:
There is OpenBSD Server Hardware Compatibility List (OSCL). But that only covers stock hardware from major vendors. But it's constantly being updated.
http://www.armorlogic.com/openbsd_information_server_compatibility_list.html
Contribute if you have something.

On 1/22/06, Darrin Chandler [EMAIL PROTECTED] wrote:
Travers Buda wrote:
In light of all the recent activity on misc about "will OpenBSD run on X?" perhaps someone would like to host a wiki for strange/new hardware?

Travers

Are you volunteering?

It wasn't long ago that the OpenBSD Metastore got going, amid some controversy. I haven't heard anything about it lately. Last I looked, there were a handful of useful things there that you could look at, and links to online sources to buy them. As long as you weren't from Taiwan, that is.

Anyway, I think it's not an easy task. And also it's not something that you do once and move on. It would be an ongoing, substantial commitment for someone. Personally, I wish there were such a resource, but I can understand why there isn't.

--
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
pf queue
Is there a capability with pf to send packets to userspace for handling/manipulation, whereby they can be returned back to the kernel, similar to the queue facilities available in iptables? Axton