Re: vpn performance - C2750 vs C2758

2015-01-27 Thread Axton
On Tue, Jan 27, 2015 at 2:24 PM, Stuart Henderson s...@spacehopper.org
wrote:

 On 2015-01-27, Adam Thompson athom...@athompso.net wrote:
  On 2015-01-27 02:58 AM, Stuart Henderson wrote:
  On 2015-01-26, Christian Weisgerber na...@mips.inka.de wrote:
  I don't think we support Quick Assist, whatever that is.
  correct.
  [...]
  It doesn't look like something we can use easily.
 
  FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist
  crypto accel support into FreeBSD 10.2 [possibly a private branch??] for
  some ciphers.  Apologies, but I'm completely failing to find the message
  that mentioned it on the pfSense mailing list, right now.
 
  I don't know enough about FreeBSD's cryptodev engine to know if any of
  that work can be used here.

 One problem with that codebase is that it's US crypto.


This pdf from Intel makes reference to OCF-Linux, a Linux port of the
OpenBSD/FreeBSD Cryptographic Framework (OCF) as it relates to QuickAssist.
http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/communications-quick-assist-paper.pdf

From what I am seeing, there is a Kernel module and userland pieces
available for Linux and FreeBSD to support this capability.  In addition to
Stuart's point on the US crypto code base as it relates to export
restrictions, it is also hardware designed by a US company for strong
crypto.

Axton



Re: Hardware hunting

2012-11-15 Thread Axton
 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: apic 3 int 17
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02: apic 3 int 17
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 Intel PRO/1000 MT (82574L) rev 0x00: msi,
address 00:25:90:09:9b:80
ppb2 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02: apic 3 int 16
pci3 at ppb2 bus 3
em1 at pci3 dev 0 function 0 Intel PRO/1000 MT (82574L) rev 0x00: msi,
address 00:25:90:09:9b:81
uhci3 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: apic 3 int 23
uhci4 at pci0 dev 29 function 1 Intel 82801I USB rev 0x02: apic 3 int 19
uhci5 at pci0 dev 29 function 2 Intel 82801I USB rev 0x02: apic 3 int 18
ehci1 at pci0 dev 29 function 7 Intel 82801I USB rev 0x02: apic 3 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x92
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 Matrox MGA G200eW rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801IR LPC rev 0x02: PM disabled
pciide0 at pci0 dev 31 function 2 Intel 82801I SATA rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 3 int 19 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: Hitachi HDS721010CLA332
wd0: 16-sector PIO, LBA48, 953869MB, 1953525168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 Intel 82801I SMBus rev 0x02: apic 3 int 18
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627DHG
spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
spdmem1 at iic0 addr 0x51: 2GB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 Intel UHCI root hub rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG rev 0x25
lm2 at wbsio0 port 0xca0/8: W83627DHG
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
lm1: disabling sensors
uhidev0 at uhub4 port 2 configuration 1 interface 0 Winbond Electronics
Corp Hermon USB hidmouse Device rev 1.10/0.01 addr 2
uhidev0: iclass 3/1
ums0 at uhidev0: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
uhidev1 at uhub4 port 2 configuration 1 interface 1 Winbond Electronics
Corp Hermon USB hidmouse Device rev 1.10/0.01 addr 2
uhidev1: iclass 3/1
ukbd0 at uhidev1: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (4dcb2d0a1b8a2fe9.a) swap on wd0b dump on wd0b

Axton Grams



Re: Intel ICH9R compatibility with OpenBSD

2012-03-13 Thread Axton
On Tue, Mar 13, 2012 at 4:37 AM, lilit-aibolit lilit-aibo...@mail.ru wrote:
 On 12.03.2012 18:01, Axton wrote:

 On Mon, Mar 12, 2012 at 9:44 AM, lilit-aibolitlilit-aibo...@mail.ru
 wrote:

 Hello misc, please give me some advice
 to buy low-power and low-noise HW.
 My selection - is:
 http://www.supermicro.nl/products/system/1U/5015/SYS-5015A-PHF.cfm?typ=E
 that have Intel ICH9R chipset.
 But in supported hardware it is absent:
 - Intel 82801
 (ICH/ICH0/ICH2/ICH3/ICH4/ICH4-M/ICH5/ICH5R/ICH6/ICH6/ICH6/ICH7)


 I am using a 5015A (I think 5015A-EHF) without any issues. I don't
 use the ICH9R or any other ICHxx RAID capabilities, so that chipset
 does not matter to me. I think the whole architecture of allowing
 the chipset to use the kernel for RAID capabilities/offloading is
 garbage. The design has too many points of failure (kernel driver,
 chipset implementation and firmware, userland software for RAID
 management, etc.). It's an unreliable implementation that allows
 people who do not understand what they are doing to say "I have a
 RAID array" and gives them a pretty GUI to manage the array.
 Software-based RAID in OpenBSD is fine, but lacks some capabilities
 for setting up a RAID array for the root partition, though I admit I
 lack in-depth knowledge in this area, so I could be wrong with this
 statement. I'm sure others will chime in if I'm mistaken.

 Note these bits:
 pciide0 at pci0 dev 31 function 2 Intel 82801I SATA rev 0x02: DMA,
 channel 0 configured to native-PCI, channel 1 configured to native-PCI
 pciide0: using apic 3 int 19 for native-PCI interrupt

 That's the important part. OpenBSD seems to work well with this
 chipset. The network hardware/driver for this machine results in high
 interrupt rates under heavy load. This is my only complaint with the
 box. For my needs it works just fine though. I can move traffic
 through the box at a rate that is acceptable for my needs.

 OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
   dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) Atom(TM) CPU D510 @ 1.66GHz (GenuineIntel 686-class) 1.67
 GHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
 real mem = 3220283392 (3071MB)
 avail mem = 3157540864 (3011MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 05/26/10, BIOS32 rev. 0 @
 0xf0010, SMBIOS rev. 2.6 @ 0x9ac00 (19 entries)
 bios0: vendor American Megatrends Inc. version 1.0c date 05/26/2010
 bios0: Supermicro X7SPA-HF
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S1 S4 S5
 acpi0: tables DSDT FACP APIC MCFG SLIC OEMB HPET
 acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4)
 USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4)
 P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) GBE_(S4)
 SLPB(S4)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 168MHz
 cpu1 at mainbus0: apid 2 (application processor)
 cpu1: Intel(R) Atom(TM) CPU D510 @ 1.66GHz (GenuineIntel 686-class) 1.69
 GHz
 cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE
 ioapic0 at mainbus0: apid 3 pa 0xfec00000, version 20, 24 pins
 ioapic0: misconfigured as apic 1, remapped to apid 3
 acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
 acpihpet0 at acpi0: 14318179 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 4 (P0P1)
 acpiprt2 at acpi0: bus 1 (P0P4)
 acpiprt3 at acpi0: bus -1 (P0P5)
 acpiprt4 at acpi0: bus -1 (P0P6)
 acpiprt5 at acpi0: bus -1 (P0P7)
 acpiprt6 at acpi0: bus 2 (P0P8)
 acpiprt7 at acpi0: bus 3 (P0P9)
 acpicpu0 at acpi0
 acpicpu1 at acpi0
 acpibtn0 at acpi0: SLPB
 acpibtn1 at acpi0: PWRB
 bios0: ROM list: 0xc0000/0x8000
 ipmi at mainbus0 not configured
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel Pineview DMI rev 0x02
 uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x02: apic 3 int 16
 uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x02: apic 3 int 21
 uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x02: apic 3 int 19
 ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x02: apic 3 int 18
 usb0 at ehci0: USB revision 2.0
 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
 ppb0 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: apic 3 int 17
 pci1 at ppb0 bus 1
 ppb1 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02: apic 3 int 17
 pci2 at ppb1 bus 2
 em0 at pci2 dev 0 function 0 Intel PRO/1000 MT (82574L) rev 0x00:
 msi, address 00:25:90:09:9b:80
 ppb2 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02: apic 3 int 16
 pci3 at ppb2 bus 3
 em1 at pci3 dev 0 function 0 Intel PRO/1000 MT (82574L) rev 0x00:
 msi, address 00

Re: Intel ICH9R compatibility with OpenBSD

2012-03-12 Thread Axton
 82801I USB rev 0x02: apic 3 int 18
ehci1 at pci0 dev 29 function 7 Intel 82801I USB rev 0x02: apic 3 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x92
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 Matrox MGA G200eW rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801IR LPC rev 0x02: PM disabled
pciide0 at pci0 dev 31 function 2 Intel 82801I SATA rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 3 int 19 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: Hitachi HDS721010CLA332
wd0: 16-sector PIO, LBA48, 953869MB, 1953525168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 Intel 82801I SMBus rev 0x02: apic 3 int 18
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627DHG
spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
spdmem1 at iic0 addr 0x51: 2GB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 Intel UHCI root hub rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG rev 0x25
lm2 at wbsio0 port 0xca0/8: W83627DHG
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
lm1: disabling sensors
uhidev0 at uhub4 port 2 configuration 1 interface 0 Winbond
Electronics Corp Hermon USB hidmouse Device rev 1.10/0.01 addr 2
uhidev0: iclass 3/1
ums0 at uhidev0: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
uhidev1 at uhub4 port 2 configuration 1 interface 1 Winbond
Electronics Corp Hermon USB hidmouse Device rev 1.10/0.01 addr 2
uhidev1: iclass 3/1
ukbd0 at uhidev1: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev2 at uhub5 port 1 configuration 1 interface 0 Logitech Logitech
Illuminated Keyboard rev 2.00/55.01 addr 2
uhidev2: iclass 3/1
ukbd1 at uhidev2: 8 modifier keys, 6 key codes
wskbd2 at ukbd1 mux 1
wskbd2: connecting to wsdisplay0
uhidev3 at uhub5 port 1 configuration 1 interface 1 Logitech Logitech
Illuminated Keyboard rev 2.00/55.01 addr 2
uhidev3: iclass 3/0, 16 report ids
uhid0 at uhidev3 reportid 3: input=7, output=0, feature=0
uhid1 at uhidev3 reportid 16: input=6, output=6, feature=0
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (4dcb2d0a1b8a2fe9.a) swap on wd0b dump on wd0b

Axton Grams



Re: Packet Tagging issues with NAT in pf OBSD 4.9

2011-11-03 Thread Axton
On Thu, Nov 3, 2011 at 12:26 PM, Bentley, Dain dbent...@nas.edu wrote:

 Hello Stuart and thanks for your reply.

 It still doesn't help, this seems to work but I'm not sure if this is a
 good
 config:

 # NAT RULES
 match out on $ext tagged LAN nat-to ($ext)

 # BLOCKING AND PACKET TAGGING
 pass in on $int from $int_net tag LAN
 #pass in on $int tag LAN

 block out on $ext from any to any

 pass out quick on $ext tagged LAN

 
 From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Stuart
 Henderson [s...@spacehopper.org]
 Sent: Thursday, November 03, 2011 6:53 AM
 To: misc@openbsd.org
 Subject: Re: Packet Tagging issues with NAT in pf OBSD 4.9

 you aren't using tagging in your sample.

 On 2011-11-03, Wesley M. open...@e-solutions.re wrote:
  Hi, try this sample
 
  _int = re0
  _ext = fxp1
  int_net = 192.168.200.0/24
  set block-policy drop
  set skip on lo
  match in all scrub (no-df max-mss 1440)
  match out on $_ext inet from $int_net to any nat-to (egress)
  block log all
  pass in on $_int inet proto udp from $int_net to any port domain
  pass in on $_int inet proto tcp from $int_net to any port \
  { www, https, ssh, pop3, imap, imaps, pop3s, submission, smtps }
  pass out on $_ext inet proto tcp all
  pass out on $_ext inet proto udp all
 
 
  All the best,
 
  Wesley MOUEDINE ASSABY.
 
 
  _int = re0
  _ext = fxp1
  int_net = 192.168.200.0/24
 
  pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET
  pass in on $_int from $int_net tag LAN_TO_INET
 
  ..
 
  pass out quick on $_ext tagged LAN_NAT_TO_INET  nat-to ($_ext)
 
 
 
  Any reason why at the bottom of my .conf file where nat-to is in my
  quick
  rule it would work but when it's at the first filter rule it does not?
  I've
  read over the man page and have the book of pf v.2 and still am
  confused.
  Any
  tought is greatly appreciated.
 
 
 
  Regards,
 
  Dain

I use something like this.  The ruleset has been modified before posting,
so no guarantees that I didn't mess something up.

# interfaces
if_lo=lo
if_enc=enc0
if_gif=gif0
if_ext=vlan3
if_int=vlan20
if_srv=vlan40

# interface ip's
ip4_int=10.0.0.1
ip6_int=2001:::20::10
ip4_srv=10.0.20.1
ip6_srv=2001:::40::10

# networks
net4_int=10.0.0.0/22
net6_int=2001:::20::/64
net4_srv=10.0.20.0/22
net6_srv=2001:::40::/64

# other macros
icmp_types=echoreq

# default policy
block log all

# TRANSLATION
match out on $if_ext inet tag INT_INET_NAT tagged INT_INET nat-to ($if_ext) static-port
match out on $if_ext inet tag SRV_INET_NAT tagged SRV_INET nat-to ($if_ext)

# allow router access to all nets (ipv4)
pass out on $if_ext  proto tcp from $if_ext to any
pass out on $if_ext  proto udp from $if_ext to any keep state
pass out on $if_ext  inet  proto icmp from $if_ext to any keep state
pass out on $if_int  proto tcp from $if_int to any
pass out on $if_int  proto udp from $if_int to any keep state
pass out on $if_int  inet  proto icmp from $if_int to any keep state
pass out on $if_int  inet6 proto ipv6-icmp from $if_int to any keep state
pass out on $if_srv  proto tcp from $if_srv to any
pass out on $if_srv  proto udp from $if_srv to any keep state
pass out on $if_srv  inet  proto icmp from $if_srv to any keep state
pass out on $if_srv  inet6 proto ipv6-icmp from $if_srv to any keep state

# tag packets per network
pass in on $if_int  proto tcp from { $net4_int, $net6_int } tag INT_INET
pass in on $if_int  proto udp from { $net4_int, $net6_int } tag INT_INET keep state
pass in on $if_int  inet  proto icmp from $net4_int icmp-type $icmp_types tag INT_INET keep state
pass in on $if_int  inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv  proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv  proto udp from { $net4_srv, $net6_srv } tag SRV_INET keep state
pass in on $if_srv  inet  proto icmp from $net4_srv icmp-type $icmp_types tag SRV_INET keep state
pass in on $if_srv  inet6 proto ipv6-icmp tag SRV_INET keep state

# policy enforcement

# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT

# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET

# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET

Axton Grams
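As an added example (not code from the original post or from the OpenBSD FAQ), the following Python script statically checks the tag/tagged flow of a ruleset written in the post-4.7 style shown above: every `tagged` test has some rule that sets the tag, every translating `match` rule has a `pass` rule that consumes the tag it sets, and `nat-to` is not left on a non-quick `pass` rule that a later `pass ... tagged` rule would override. The two rulesets embedded in it are constructed for the example, trimmed from the shape of the ruleset in the post with the macros expanded; the interface names and networks are placeholders.

```python
"""Static check of tag/tagged flow in a pf.conf written in the 4.7+ match/nat-to style."""
import re

# Constructed ruleset in the shape of the one in the post, with the macros expanded and trimmed.
SAMPLE_PF_CONF = """\
block log all

# translation: match only translates and tags, it never passes a packet by itself
match out on vlan3 inet tag INT_INET_NAT tagged INT_INET nat-to (vlan3) static-port
match out on vlan3 inet tag SRV_INET_NAT tagged SRV_INET nat-to (vlan3)

# classification
pass in on vlan20 proto tcp from 10.0.0.0/22 tag INT_INET
pass in on vlan40 proto tcp from 10.0.20.0/22 tag SRV_INET

# policy enforcement
pass out quick on vlan3 tagged INT_INET_NAT
pass out quick on vlan3 tagged SRV_INET_NAT
pass out quick on vlan40 tagged INT_INET
pass out quick on vlan20 tagged SRV_INET
"""

# Constructed variant with nat-to on a non-quick pass rule, the shape the FAQ used before 4.7.
SAMPLE_PASS_NAT = """\
block all
pass out on vlan3 tag LAN_INET_NAT tagged LAN_INET nat-to (vlan3)
pass in on vlan20 from 10.0.0.0/22 tag LAN_INET
pass out quick on vlan3 tagged LAN_INET_NAT
"""

TAG_RE = re.compile(r"\btag\s+(\S+)")        # "tag X" (does not match "tagged")
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")  # "tagged X"
TRANSLATIONS = ("nat-to", "rdr-to", "binat-to")


def parse_rules(text):
    """Return one dict per rule: action, quick, tag it sets, tag it tests, whether it translates."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        sets, tests = TAG_RE.search(line), TAGGED_RE.search(line)
        rules.append({
            "action": words[0],
            "quick": "quick" in words,
            "sets": sets.group(1) if sets else None,
            "tests": tests.group(1) if tests else None,
            "translates": any(w in TRANSLATIONS for w in words),
            "text": line,
        })
    return rules


def check_tag_flow(rules):
    """Return a list of problems; empty means every tag is set, consumed and translated as intended."""
    problems = []
    setters = {r["sets"] for r in rules if r["sets"]}
    for r in rules:
        if r["tests"] and r["tests"] not in setters:
            problems.append(f"'tagged {r['tests']}' is never set by any rule: {r['text']}")
    for i, r in enumerate(rules):
        if not (r["sets"] and r["translates"]):
            continue
        consumers = [j for j, o in enumerate(rules)
                     if o["action"] == "pass" and o["tests"] == r["sets"]]
        if r["action"] == "match" and not consumers:
            # a match rule translates and tags but never passes; without a pass rule that
            # tests the tag the translated packet falls through to the default block
            problems.append(f"match rule tags {r['sets']} but no pass rule tests "
                            f"'tagged {r['sets']}': {r['text']}")
        if r["action"] == "pass" and not r["quick"] and any(j > i for j in consumers):
            # translation on a pass rule is applied only when that rule is the last match;
            # a later pass rule testing the tag wins instead and carries no nat-to
            problems.append(f"nat-to on a pass rule is overridden by a later pass rule "
                            f"testing 'tagged {r['sets']}'; use match: {r['text']}")
    return problems
```

Run it against the pre-4.7 shape (`SAMPLE_PASS_NAT`) and the checker reports the exact failure mode discussed in this thread: the translating `pass` rule is shadowed by the later `pass out quick ... tagged`, so the packet leaves untranslated. The `match` form passes cleanly. This is a syntactic check only; `pfctl -nf` remains the authority on whether the ruleset loads.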



Re: Packet Tagging issues with NAT in pf OBSD 4.9

2011-11-03 Thread Axton
On Thu, Nov 3, 2011 at 1:33 PM, Bentley, Dain dbent...@nas.edu wrote:

 Hello Axton...cool name by the way.

 I noticed the match statements work for me as well,  Perhaps it is
 required?


This changed with 4.7: http://openbsd.org/faq/upgrade47.html#newPFnat
More details available here:
http://marc.info/?l=openbsd-misc&m=125181847818600&w=2

It may be that the FAQ you used is out of date.  What FAQ page were you
looking at while setting this up?

Axton Grams



Patch for FAQ - PF: Packet Tagging (Policy Filtering) - New NAT Syntax

2011-11-03 Thread Axton
This is a patch to update the FAQ at
http://www.openbsd.org/faq/pf/tagging.html with the nat syntax changes
introduced in 4.7 (http://openbsd.org/faq/upgrade47.html#newPFnat):

$ diff -ub tagging.html.bak tagging.html
--- tagging.html.bak2011-11-03 17:40:01.596053714 -0500
+++ tagging.html2011-11-03 17:47:07.696539268 -0500
@@ -199,7 +199,7 @@
 blockquote
 tt
 block allbr
-pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br
+match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br
 pass in on $int_if from $int_net tag LAN_INETbr
 pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr
 pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZbr
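Review bot: with the rule changed from pass to match, this line no longer passes anything on its own; since 4.7 a match rule only applies the tag and the nat-to translation and evaluation continues, so the example now depends on a later pass rule testing tagged LAN_INET_NAT to release the translated traffic, otherwise the block all at the top wins. The hunk context stops before that part of the example, so please confirm the policy-enforcement section of the same FAQ example still contains such a rule.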
@@ -256,7 +256,7 @@
 # classification -- classify packets based on the defined firewall
 # policy.
 block all
-pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br
+match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)br
 pass in on $int_if from $int_net tag LAN_INETbr
 pass in on $int_if from $int_net to $dmz_net tag LAN_DMZbr
 pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ
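Review bot: same change as in the first hunk, applied to the second copy of the example, which keeps the two copies consistent. One documentation point: the comment immediately above this rule describes the block as classification, but with match the rule is also where the nat-to translation is applied while filtering is left to the later tagged pass rules, so a sentence to that effect in the comment would save readers the confusion that started this thread.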

There is a rule on the page that may also require changes:

pass in on $ext_if proto tcp from spamd to port smtp \
   tag SPAMD rdr-to 127.0.0.1 port 8025

I'm not familiar enough with rdr-to to know if this requires changes.
Based on my reading it does not appear to require a change, but
someone needs to check me on this.

Axton Grams



Re: openbsd,keberos,windows

2011-05-26 Thread Axton
On Thu, May 26, 2011 at 4:43 PM, Vijay Sankar vsan...@foretell.ca wrote:
 I have some experience, not all of it good. Currently I am using Samba and
 LDAP for MS Clients in production mode. I am experimenting with AFS etc., and
 that does work well but only on i386. Ideally I would like to have a solution
 that keeps OpenBSD on amd64 at the centre and have all users on Mac, MS
 Clients, mobile devices, and Linux all get authenticated by their OpenBSD
 accounts. So I am still looking ...

 I am not sure whether this topic is of much interest to people on misc@ so
 please feel free to send me private email.

 On 2011-05-26, at 3:27 PM, Friedrich Locke wrote:

 Hi,

 i would like to get in touch with ones that have experience
 implementing kerberos in heterogenous networks (OpenBSD server,
 heimdal and MS clients). If you are one, would you mind sending me a
 note?

 Thanks in advance.

 Fried.


 Vijay Sankar
 vsan...@foretell.ca



I use MIT Kerberos and authenticate to that from Windows 7.  I imagine
a lot of the same applies to the Heimdal implementation.  Basically,
it consists of these steps:

1. Get the KDC running and operational, including kadmin

2. Create a principal for the Windows host:

kadmin
addprinc -pw somepasswd host/hostname.domain.org@REALM

3. Create a user principal:

kadmin.local
addprinc username/admin@REALM
addprinc username@REALM

4. Configure Windows to use the KDC:

ksetup /setrealm REALM
ksetup /setdomain DNSDOMAIN
ksetup /addkdc REALM kdcdnsname
ksetup /setcomputerpassword somepasswd
ksetup /mapuser krbuserprincipal@REALM localusername
ksetup /mapuser * *
ksetup /addkpasswd HOME.ARSWIKI.ORG galadriel.home.arswiki.org

5. Reboot


You can check the configuration like this:

C:\Windows\system32>ksetup
default realm = REALM (external)
REALM:
   kdc = kdcdnsname
   Realm Flags = 0x0 No Realm Flags
Mapping krbuserprincipal@REALM to localusername.
Mapping all users (*) to a local account by the same name (*).


On Windows, for whatever reason, the dnsdomain needs to match the
REALM name.  If they are different, things didn't seem to work.

When you log into windows, log in using REALM\username.

The net effect is that Windows will have a Kerberos TGT and a host
ticket upon login.  These are usable by Windows applications that are
Kerberos enabled (e.g., Firefox, Chrome, IE).

The MS kerbtray.exe is useful for verifying that everything is
working.  It will show your client principal and tickets.  This is
available from the MS website.

I require pre-auth to request a TGT.  This works.

Different versions of Windows support different levels of encryption.
Whether the default configuration of Heimdal supports what different
versions of Windows supports I can't say.

Get ready to read through lots of logs.  Troubleshooting on Windows is
akin to walking in the dark.

I had issues at first where I could not get apps (browsers) to use the
Kerberos TGT to authenticate to Apache servers using mod_auth_kerb.
I got this working, but there are still some unknowns.  I installed
the MIT kfw, things started working, then it stopped, then I
uninstalled kfw because I didn't care to have another process running.
Things have been working since then (I can auth to Apache via
mod_auth_kerb through FF, IE, Chrome).  I plan to test on another
machine to verify, but still some unknowns.  This was on Windows 7.

Axton Grams
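As an added example, not part of the original post: a small Python checker that parses the `ksetup` output shown above and flags the configuration problems the post describes, in particular a realm name that does not match the DNS domain, and a realm with no KDC or no kpasswd server. The sample output is constructed in the same format `ksetup` prints; EXAMPLE.ORG, the kdc host names and the user `alice` are placeholders. It also flags the `/mapuser * *` wildcard so that mapping every realm principal to a same-named local account is a conscious decision rather than an accident.

```python
"""Check a Windows `ksetup` dump against the requirements described in the post."""
import re

# Constructed sample in the format `ksetup` prints (compare the post above); all names are placeholders.
SAMPLE_KSETUP = """\
default realm = EXAMPLE.ORG (external)
EXAMPLE.ORG:
    kdc = kdc1.example.org
    kdc = kdc2.example.org
    kpasswd = kdc1.example.org
    Realm Flags = 0x0 No Realm Flags
Mapping alice@EXAMPLE.ORG to alice.
Mapping all users (*) to a local account by the same name (*).
"""


def parse_ksetup(text):
    """Return the default realm, per-realm kdc/kpasswd/flags, and (principal, local) mappings."""
    cfg = {"default_realm": None, "realms": {}, "mappings": []}
    realm = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^default realm = (\S+)", line)
        if m:
            cfg["default_realm"] = m.group(1)
            continue
        m = re.match(r"^([A-Za-z0-9.\-]+):$", line)
        if m:  # start of a realm section, e.g. "EXAMPLE.ORG:"
            realm = m.group(1)
            cfg["realms"][realm] = {"kdc": [], "kpasswd": [], "flags": None}
            continue
        m = re.match(r"^(kdc|kpasswd) = (\S+)", line)
        if m and realm:
            cfg["realms"][realm][m.group(1)].append(m.group(2))
            continue
        m = re.match(r"^Realm Flags = (0x[0-9a-fA-F]+)", line)
        if m and realm:
            cfg["realms"][realm]["flags"] = int(m.group(1), 16)
            continue
        if line.startswith("Mapping all users (*)"):  # result of `ksetup /mapuser * *`
            cfg["mappings"].append(("*", "*"))
            continue
        m = re.match(r"^Mapping (\S+) to (\S+)\.$", line)
        if m:
            cfg["mappings"].append((m.group(1), m.group(2)))
    return cfg


def check_ksetup(cfg, dns_domain):
    """Return human-readable problems; the empty list means the dump passes every check."""
    problems = []
    realm = cfg["default_realm"]
    if realm is None:
        return ["no default realm set (ksetup /setrealm)"]
    # The post reports that logon only worked when the DNS domain matched the realm name.
    if realm.upper() != dns_domain.upper():
        problems.append(f"realm {realm} does not match DNS domain {dns_domain} (ksetup /setdomain)")
    r = cfg["realms"].get(realm)
    if r is None or not r["kdc"]:
        problems.append(f"no KDC configured for {realm} (ksetup /addkdc)")
    else:
        for kdc in r["kdc"]:
            if "." not in kdc:
                problems.append(f"KDC {kdc} is not a fully qualified name")
    if r is not None and not r["kpasswd"]:
        problems.append(f"no kpasswd server for {realm} (ksetup /addkpasswd)")
    if ("*", "*") in cfg["mappings"]:
        # /mapuser * *: any principal in the realm logs on as the same-named local account
        problems.append("wildcard mapping: every realm principal maps to a same-named local account")
    for principal, local in cfg["mappings"]:
        if principal != "*" and not principal.upper().endswith("@" + realm.upper()):
            problems.append(f"mapping {principal} -> {local} refers to a principal outside {realm}")
    return problems
```

Feed it the output of `ksetup` captured from the Windows host and the DNS domain the machine is joined to; a clean run returns only the wildcard notice when `/mapuser * *` was used, which is the one item that deserves a deliberate decision.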



Re: hostname.if(5)/ifconfig(8) configuration for gif(4)

2011-05-15 Thread Axton
On Sun, May 15, 2011 at 6:18 PM, Mark Felder f...@feld.me wrote:

 On Sun, 15 May 2011 16:10:21 -0500, Andreas Bartelt o...@bartula.de
wrote:

 Is there a way to do this correctly via /etc/hostname.gif0 ?

 Best regards
 Andreas


 Not sure if this helps, but as far as I know this is the way you're supposed
to do it for a 6to4 tunnel:

 Sanitized, but you'll get the point:

 $ cat /etc/hostname.gif0
 tunnel LOCAL_IP DEST_IP
 inet6 alias IPV6_NETWORK PREFIXLEN


 My issue is that it still doesn't work 100% correctly on boot. If I sh
/etc/netstart again, it begins working. Strange.


 Regards,


 Mark


For a 6to4 tunnel, you can use something like this in your
hostname.gif so that it works on boot:

$ cat /etc/hostname.gif0
tunnel LOCAL_IP4 DEST_IP4
inet6 LOCAL_IP6
dest DEST_IP6
!/sbin/route -n add -inet6 default LOCAL_IP6
!/sbin/route change -inet6 default -ifp gif0

Axton Grams



Re: FYI: OpenBSD 4.9 CDs arriving

2011-04-25 Thread Axton
On Mon, Apr 25, 2011 at 1:46 PM, Denny White denny...@cableone.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1


  On Mon, Apr 25, 2011 at 10:39:49AM -0400, Dave Anderson spoke thusly:
  My set just showed up (near Boston, Mass.)
 
Dave
 
  --
  Dave Anderson
  d...@daveanderson.com

 And in Biloxi, MS. Perfect, unscathed in transit. Cool stickers. Sweet!


 - --

 A lot of money is tainted - Taint yours and taint mine.

 ===
 Denny White - denny...@cableone.net
 GnuPG key  : 0x1644E79A  |  http://wwwkeys.de.pgp.net
 Fingerprint: D0A9 AD44 1F10 E09E 0E67  EC25 CB44 F2E5 1644 E79A
 ===
 () ASCII ribbon campaign - against html e-mail
 /\ www.asciiribbon.org - against proprietary attachments
 ===
 iEYEARECAAYFAk21wZUACgkQy0Ty5RZE55qbIgCgk1NAdF5W75ey/knLCfB9TKi0
 wmgAn3D9heKrZoXiAeKK3BeM22OUX3w9
 =B24i
 -END PGP SIGNATURE-

 US/TX on 4-23



Re: Newbie Network/PF Question

2011-01-05 Thread Axton
On Wed, Jan 5, 2011 at 10:14 AM, Mike. the.li...@mgm51.com wrote:

 On 1/4/2011 at 10:57 PM Josh Smith wrote:

 |
 |pass in on $int_if0 # pass all incomming traffic on our internal
 interface
 |pass in on $int_if1 # pass all incomming traffic on our internal
 interface from the test network
  =




 I have two internal subnetworks, one for standard frames and one for
 jumbo frames.

 Instead of the two rules you cite, I use the following:




 # macros
 std_if = em1
 jum_if = em0
 loc_if = lo0


 # let internal traffic flow unimpeded
 pass  quick on $loc_if
 pass  quick on $std_if
 pass  quick on $jum_if


set skip is probably more efficient.



Re: soekris + openbsd server buy question

2010-12-03 Thread Axton
On Fri, Dec 3, 2010 at 8:13 AM, gimes...@gmail.com wrote:

 On Fri, 3 Dec 2010, Patrick Lamaiziere wrote:

  On Fri, 3 Dec 2010 19:28:19 +0800 (CST), shweg...@gmail.com wrote:
 
  Hello, I'm considering buying a Soekris net5501-70 and install
  OpenBSD on it to make myself a small server and use it as a proxy
  (ssh tunnel), it might serve as backup file sever as well. I guess at
  the most there will be two-three computers connnected at the same
  time, and there might be some streaming video going through, like the
  videos you find on online newspapers. I have googled around, and read
  that this kind of hardware is fine as a router but not so much as a
  server. Is it true? Thank you for any
  suggestions.
 
  It depends on the connection, do not expect a 100M/bits link.
  I use a net5501 for my all-in-one box (file server (samba), printers
  share, router, ...). The file server is not very fast but is enough
  for doing backups. (From time to time, backup the server to an external
  usb disk).
 
  I was also considering using a netbook for the task. What
  about it?
 
  I don't think a netbook will be reliable running 24/24.
 
  This was my only concern on the net5501, the reliability of the internal
  2.5 disk drive, looks good after 3 years.
 
  Check the soekris-tech mailing list, questions about performances are
  often asked.
 

 Thank you all, I don't need cutting-edge speed, and from what
 you say, Soekris should just be fine. For file server I have not been
 clear, in fact I meant a backup server, so it should probably handle all
 of it quite fine. I'm also checking out a few fanless Atom mini-pcs, but
 at about the same price soekris is probably more fit for the job.

I've been using one of these for the last couple of months and have been
happy with its performance.  The IPMI capabilities are very nice.

http://www.supermicro.com/products/system/1U/#Atom
http://www.supermicro.com/products/system/1U/5015/SYS-5015A-PHF.cfm

The only thing I don't care for on it is the trusted platform module chip.
The boards have a jumper to disable the chip, but the pins on the
motherboard have been removed, so you can not disable it without some
soldering.



Re: vlan + em driver

2010-05-13 Thread Axton
If I understand your message correctly, you have the port on the
switch tagged for vlan 30.  This means that all packets you send to
that port need to be tagged for vlan30.

I have a vlan for internal (2), dmz (5), and isp (3).  The line from my
ISP is plugged into an untagged port on the switch, which is set up
for the isp vlan (3), and the router has a tagged pseudo-interface
(vlan3) for the isp connection.  This allows routing to all networks
over a single interface.

I use an em interface on my router but I connect the em interface to a
trunk port (accepts packets tagged for vlans 2, 3, and 5, and discards
all other packets); I then have a series of vlan pseudo-devices on top
of em, where each vlan device specifies a tag.  Note that em0 does not
get an ip address.

# cat /etc/hostname.em0
up media autoselect
# cat /etc/hostname.vlan2
inet 10.107.208.1 255.255.255.0 NONE vlan 2 vlandev em0
inet6 alias 2001:xxx::2::10 64 vlan 2 vlandev em0
# cat /etc/hostname.vlan3
dhcp vlan 3 vlandev em0
# cat /etc/hostname.vlan5
inet 10.180.16.1 255.255.255.0 NONE vlan 5 vlandev em0
inet6 alias 2001:xxx::5::10 64 vlan 5 vlandev em0

vlan3 is from my ISP and they provision an IP using dhcp.

My ifconfig looks like this:
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
	priority: 0
	groups: lo
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
gem0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:03:ba:04:b2:1d
	priority: 0
	media: Ethernet autoselect (none)
	status: no carrier
	inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:02:b3:ed:68:89
	priority: 0
	media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
	status: active
	inet6 fe80::202:b3ff:feed:6889%em0 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
	priority: 0
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:02:b3:ed:68:89
	priority: 0
	vlan: 2 priority: 0 parent interface: em0
	groups: vlan
	inet6 fe80::202:b3ff:feed:6889%vlan2 prefixlen 64 scopeid 0x5
	inet 10.107.208.1 netmask 0xffffff00 broadcast 10.107.208.255
	inet6 2001:xxx::2::10 prefixlen 64
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:02:b3:ed:68:89
	priority: 0
	vlan: 3 priority: 0 parent interface: em0
	groups: vlan egress
	inet6 fe80::202:b3ff:feed:6889%vlan3 prefixlen 64 scopeid 0x6
	inet x.x.x.x netmask 0xfffff800 broadcast 255.255.255.255
vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:02:b3:ed:68:89
	priority: 0
	vlan: 5 priority: 0 parent interface: em0
	groups: vlan
	inet6 fe80::202:b3ff:feed:6889%vlan5 prefixlen 64 scopeid 0x7
	inet 10.180.16.1 netmask 0xffffff00 broadcast 10.180.16.255
	inet6 2001:xxx::5::10 prefixlen 64
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	priority: 0
	groups: gif egress
	physical address inet x.x.x.x --> y.y.y.y
	inet6 fe80::203:baff:fe04:b21d%gif0 -> prefixlen 64 scopeid 0x8
	inet6 2001:xxx:x:xxx::2 -> 2001:xxx:x:xxx::1 prefixlen 128
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
	priority: 0
	groups: pflog

I used to use a trunk device between the physical interfaces and vlan
devices as well, but I moved to 1gb instead of 4x100mb interfaces.

Axton Grams
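As an added example, not code from the original post: a Python parser for `ifconfig -a` output that extracts the vlan-to-parent mapping and checks the layout described above, namely that the trunk parent is up and carries no IPv4 address of its own, that each tag on a given parent is used by exactly one vlan device, and that every vlan device inherits the parent's lladdr. The embedded sample is constructed in the shape of the output above with placeholder addresses (192.0.2.10 stands in for the ISP-assigned address).

```python
"""Parse `ifconfig -a` output and check a vlan-on-trunk layout like the one in the post."""
import re

# Constructed sample modelled on the `ifconfig -a` output in the post; addresses are placeholders.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tlladdr 00:02:b3:ed:68:89
\tmedia: Ethernet autoselect (1000baseT full-duplex)
\tstatus: active
\tinet6 fe80::202:b3ff:feed:6889%em0 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
\tpriority: 0
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tlladdr 00:02:b3:ed:68:89
\tvlan: 2 priority: 0 parent interface: em0
\tgroups: vlan
\tinet 10.107.208.1 netmask 0xffffff00 broadcast 10.107.208.255
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tlladdr 00:02:b3:ed:68:89
\tvlan: 3 priority: 0 parent interface: em0
\tgroups: vlan egress
\tinet 192.0.2.10 netmask 0xfffff800 broadcast 255.255.255.255
vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tlladdr 00:02:b3:ed:68:89
\tvlan: 5 priority: 0 parent interface: em0
\tgroups: vlan
\tinet 10.180.16.1 netmask 0xffffff00 broadcast 10.180.16.255
"""

HEADER_RE = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")
VLAN_RE = re.compile(r"^vlan: (\d+) priority: \d+ parent interface: (\S+)")


def parse_ifconfig(text):
    """Return {ifname: {flags, lladdr, inet, inet6, vlan, parent, groups}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new interface starts at column 0: "name: flags=...<...> mtu N"
            cur = {"flags": [f for f in m.group(2).split(",") if f], "lladdr": None,
                   "inet": [], "inet6": [], "vlan": None, "parent": None, "groups": []}
            ifaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        words = line.strip().split()
        if not words:
            continue
        if words[0] == "lladdr":
            cur["lladdr"] = words[1]
        elif words[0] == "inet":
            cur["inet"].append(words[1])
        elif words[0] == "inet6":
            cur["inet6"].append(words[1])
        elif words[0] == "groups:":
            cur["groups"] = words[1:]
        else:
            m = VLAN_RE.match(line.strip())
            if m:
                cur["vlan"], cur["parent"] = int(m.group(1)), m.group(2)
    return ifaces


def check_trunk_layout(ifaces):
    """Return a sorted list of problems; empty means the layout matches the post's description."""
    problems = set()
    tags = {}  # (parent, tag) -> vlan device that claimed it
    for name, v in ifaces.items():
        if v["vlan"] is None:
            continue
        parent = ifaces.get(v["parent"])
        if parent is None:
            problems.add(f"{name}: parent {v['parent']} not present")
            continue
        if parent["inet"]:
            # the trunk carrier itself should not carry a layer-3 address
            problems.add(f"{v['parent']}: trunk parent carries IPv4 address {parent['inet'][0]}")
        if "UP" not in parent["flags"]:
            problems.add(f"{v['parent']}: parent interface is not UP")
        key = (v["parent"], v["vlan"])
        if key in tags:
            problems.add(f"tag {v['vlan']} on {v['parent']} used by both {tags[key]} and {name}")
        else:
            tags[key] = name
        if v["lladdr"] != parent["lladdr"]:
            problems.add(f"{name}: lladdr differs from parent {v['parent']}")
    return sorted(problems)
```

Pipe `ifconfig -a` into `parse_ifconfig` and run `check_trunk_layout` on the result; it does not tell you whether the switch port is actually trunked for the tags in use, which the original poster's symptoms suggest checking on the switch side as well.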

On Thu, May 13, 2010 at 6:52 AM, Marcus Larsson k...@mindwipe.org wrote:

 Hello!

 I have a server acting as a router and firewall running 4.6-stable
 from Apr 24 with an Intel quad port NIC.

 In short I have problems with traffic going to or from the
 server itself via a vlan interface. It works fine via em0 which
 is the uplink to the ISP and doesn't use any vlan and also
 traffic passing through the server is ok.

 It doesn't matter whether PF is enabled or disabled, the problem
 still appears.

 em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82576) rev 0x01: apic 0
int 11 (irq 5), address 00:1b:21:63:74:d8
 em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82576) rev 0x01: apic 0
int 12 (irq 10), address 00:1b:21:63:74:d9

 # cat /etc/hostname.em0
 inet X.X.X.X 255.255.255.252 NONE

 # cat /etc/hostname.em1
 up
 # cat /etc/hostname.vlan30
 inet 10.46.196.1 255.255.255.0 NONE vlan 30 vlandev em1

 em1 is connected to a port in a switch, vlan 30 is tagged on
 that port, the switch has IP 10.46.196.8

 I can ping 10.46.196.8 but I cannot ssh to it, the ssh attempt
 hangs at: debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP and then I
 get a connection closed.

 I thought this was MTU related somehow because pings work with
 small packets, actually ping -s 1472 10.46.196.8 works but
 anything larger than

ATI Device Documentation - Evergreen

2010-02-01 Thread Axton
If these docs are in line with what is needed to develop a usable driver and
there are any developers @openbsd.org out there interested in developing a
driver for this card and in need of a hardware donation, let me know.

http://developer.amd.com/gpu/ATIStreamSDK/assets/AMD_Evergreen-Family_ISA_Instructions_and_Microcode.pdf

- Axton Grams



Invalid 802.1q vlan id using em0 (Intel PRO/1000T) on 4.5

2009-05-24 Thread Axton
# permit console to do a nice halt


rc.conf.local starts a few services, nothing out of the ordinary:
# cat /etc/rc.conf.local
pf=YES
dhcpd_flags=
named_flags=
ntpd_flags=
ftpproxy_flags=
isakmpd_flags=-K
ipsec=YES


Let me know if anyone needs any more information or if this is in fact a bug
and I will submit a bug report.


Here is my dmesg:

console is keyboard/display
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2009 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 4.5 (GENERIC) #1898: Sat Feb 28 17:42:44 MST 2009
dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 805306368 (768MB)
avail mem = 765681664 (730MB)
mainbus0 at root: Sun Blade 100 (UltraSPARC-IIe)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 502 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external
(64 b/l)
psycho0 at mainbus0: pci108e,a001, impl 0, version 0, ign 7c0
psycho0: bus range 0-1, PCI bus 0
psycho0: dvma map c000-dfff
pci0 at psycho0
ebus0 at pci0 dev 12 function 0 Sun RIO EBus rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59
ebus1 at pci0 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
dma at ebus1 addr 0- ivec 0x2a not configured
power0 at ebus1 addr 800-82f ivec 0x20
com0 at ebus1 addr 3f8-3ff ivec 0x2b: ns16550a, 16 byte fifo
com1 at ebus1 addr 2e8-2ef ivec 0x2b: ns16550a, 16 byte fifo
alipm0 at pci0 dev 3 function 0 Acer Labs M7101 Power rev 0x00: 223KHz
clock
iic0 at alipm0
max1617 at alipm0 addr 0x18 skipped due to alipm0 bugs
scm001 at alipm0 addr 0x20 skipped due to alipm0 bugs
spdmem0 at iic0 addr 0x50: 256MB SDRAM ECC PC133CL2
spdmem1 at iic0 addr 0x51: 256MB SDRAM ECC PC133CL2
spdmem2 at iic0 addr 0x52: 256MB SDRAM ECC PC133CL2
gem0 at pci0 dev 12 function 1 Sun ERI Ether rev 0x01: ivec 0x7c6, address
00:03:ba:04:b2:1d
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI
0x0010dd, model 0x0002
Sun FireWire rev 0x01 at pci0 dev 12 function 2 not configured
ohci0 at pci0 dev 12 function 3 Sun USB rev 0x01: ivec 0x7e4, version 1.0,
legacy support
autri0 at pci0 dev 8 function 0 Acer Labs M5451 Audio rev 0x01: ivec 0x7e3
ac97: codec id 0x41445348 (Analog Devices AD1881A)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at autri0
midi0 at autri0: 4DWAVE MIDI UART
pciide0 at pci0 dev 13 function 0 Acer Labs M5229 UDMA IDE rev 0xc3: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 0x7cc for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: WDC WD1600AAJB-56WRA0
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LITEON, CD-ROM LTN486S, YSU1 ATAPI 5/cdrom
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ppb0 at pci0 dev 5 function 0 DEC 21152 PCI-PCI rev 0x03
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 Intel PRO/1000T (82544GC) rev 0x02: ivec
0x7d9, address 00:02:b3:ed:68:89
vgafb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vgafb0 mux 1: console (std, sun emulation)
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 Sun OHCI root hub rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 4 configuration 1 interface 0 Sun Microsystems Type 6
Keyboard rev 1.00/1.02 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 33
wskbd0 at ukbd0: console keyboard, using wsdisplay0
softraid0 at root
bootpath: /p...@1f,0/i...@d,0/d...@0,0
root on wd0a swap on wd0b dump on wd0b

Thanks,
Axton Grams



Re: Invalid 802.1q vlan id using em0 (Intel PRO/1000T) on 4.5

2009-05-24 Thread Axton
On Sun, May 24, 2009 at 2:52 PM, Axton axton.gr...@gmail.com wrote:
 The vlan id for my em0 interface is not reading properly after upgrading to
 4.5.

 Tcpdump shows some wild vid values in the traffic when using em0:

 * This traffic should be on vlan2 (lan)
 00:21:70:c5:3d:4f ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 512 pri 0 arp
 who-has 10.107.208.1 tell 10.107.208.50

 * This traffic should be on vlan3 (egress vlan)
 00:1e:be:fe:f3:05 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 768 pri 0 arp
 who-has 98.196.101.152 tell 98.196.100.1
 00:1e:be:fe:f3:05 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 768 pri 0 arp
 who-has 98.196.88.115 tell 98.196.88.1

 * This traffic should be on vlan4, it is correct:
 00:02:b3:ed:68:89 01:00:5e:7f:ff:fa 8100 308: 802.1Q vid 4 pri 0
 10.0.0.1.29275 > 239.255.255.250.1900: udp 262 [ttl 1]
 00:02:b3:ed:68:89 01:00:5e:7f:ff:fa 8100 380: 802.1Q vid 4 pri 0
 10.0.0.1.29275 > 239.255.255.250.1900: udp 334 [ttl 1]

 It seems as though the vlan id is being multiplied by 256 for vlans 2 and
3.


 When I use the gem0 interface on the same machine, things work:

 * This traffic should be on vlan2 (lan), it is correct:
 00:03:ba:04:b2:1d 00:50:8d:95:39:17 8100 110: 802.1Q vid 2 pri 0
 10.107.208.1.22 > 10.107.208.102.2692: P 920030:920082(52) ack 11189 win
 17520 (DF) [tos 0x10]
 00:03:ba:04:b2:1d 00:50:8d:95:39:17 8100 110: 802.1Q vid 2 pri 0
 10.107.208.1.22 > 10.107.208.102.2692: P 920082:920134(52) ack 11189 win
 17520 (DF) [tos 0x10]

 * This traffic should be on vlan3 (egress vlan), it is correct:
 00:1e:be:fe:f3:05 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 3 pri 0 arp who-has
 98.194.104.216 tell 98.194.104.1
 00:1e:be:fe:f3:05 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 3 pri 0 arp who-has
 76.31.110.47 tell 76.31.108.1

 * This traffic should be on vlan4, it is correct:
 00:03:ba:04:b2:1d 01:00:5e:7f:ff:fa 8100 373: 802.1Q vid 4 pri 0
 10.0.0.1.10117 > 239.255.255.250.1900: udp 327 [ttl 1]
 00:03:ba:04:b2:1d 01:00:5e:7f:ff:fa 8100 373: 802.1Q vid 4 pri 0
 10.0.0.1.10117 > 239.255.255.250.1900: udp 327 [ttl 1]


 The em0 interface worked without an issue using 4.4 as did gem0.


 Here are my interface configurations using gem0:
 # ifconfig -a
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
 priority: 0
 groups: lo
 inet 127.0.0.1 netmask 0xff00
 inet6 ::1 prefixlen 128
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
 gem0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:03:ba:04:b2:1d
 priority: 0
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
 em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:02:b3:ed:68:89
 priority: 0
 media: Ethernet autoselect (none)
 status: no carrier
 inet6 fe80::202:b3ff:feed:6889%em0 prefixlen 64 scopeid 0x2
 enc0: flags=0<> mtu 1536
 priority: 0
 vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:03:ba:04:b2:1d
 priority: 0
 vlan: 2 priority: 0 parent interface: gem0
 groups: vlan
 inet6 fe80::203:baff:fe04:b21d%vlan2 prefixlen 64 scopeid 0x5
 inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
 vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:03:ba:04:b2:1d
 priority: 0
 vlan: 3 priority: 0 parent interface: gem0
 groups: vlan egress
 inet6 fe80::203:baff:fe04:b21d%vlan3 prefixlen 64 scopeid 0x6
 inet x.x.x.x netmask 0xfc00 broadcast 255.255.255.255
 vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:03:ba:04:b2:1d
 priority: 0
 vlan: 4 priority: 0 parent interface: gem0
 groups: vlan
 inet6 fe80::203:baff:fe04:b21d%vlan4 prefixlen 64 scopeid 0x7
 inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
 vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:03:ba:04:b2:1d
 priority: 0
 vlan: 5 priority: 0 parent interface: gem0
 groups: vlan
 inet6 fe80::203:baff:fe04:b21d%vlan5 prefixlen 64 scopeid 0x8
 inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
 pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
 priority: 0
 groups: pflog

 Here are my interface configurations using em0:
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
 priority: 0
 groups: lo
 inet 127.0.0.1 netmask 0xff00
 inet6 ::1 prefixlen 128
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
 gem0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:03:ba:04:b2:1d
 priority: 0
 media: Ethernet autoselect (none)
 status: no carrier
 inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
 em0: flags=8843<UP
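
The vids in the quoted tcpdump, 512 for vlan 2 and 768 for vlan 3, are 2 and 3 with the two bytes of the 16-bit tag control field exchanged (0x0002 read as 0x0200), so a byte-order mix-up when the tag is read is one explanation consistent with those numbers; it is the kind of mistake that only shows on a big-endian host such as the sparc64 Sun Blade in the dmesg earlier on this page. As an added example (not from this thread and not the em(4) driver's code), here is a small C decoder for the 802.1Q tag run over a constructed frame: it returns the VID when the field is read in network byte order and, for comparison, what the same bytes give when read the other way round. The frame bytes and MAC addresses are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_VLAN  0x8100
#define VLAN_TCI_OFFSET 14      /* dst MAC (6) + src MAC (6) + TPID (2) */

/* Read a 16-bit field in network (big-endian) byte order, which is how
 * the TPID and TCI appear on the wire. */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Read the same two bytes low byte first: what a big-endian host gets
 * if it takes the value without a byte-order conversion. */
static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)((p[1] << 8) | p[0]);
}

/* Return the 12-bit VLAN ID of an 802.1Q tagged frame, or -1 if the
 * frame is untagged or too short.  `swapped` selects the wrong byte
 * order so the two readings can be compared side by side. */
int vlan_id_of(const uint8_t *frame, size_t len, int swapped)
{
    uint16_t tci;

    if (len < VLAN_TCI_OFFSET + 2)
        return -1;
    if (get_be16(frame + 12) != ETHERTYPE_VLAN)
        return -1;
    tci = swapped ? get_le16(frame + VLAN_TCI_OFFSET)
                  : get_be16(frame + VLAN_TCI_OFFSET);
    return tci & 0x0fff;    /* bits 0-11: VID; bit 12: DEI; bits 13-15: PCP */
}

/* Build a minimal tagged header (constructed data: broadcast dst, a
 * locally administered src, inner ethertype ARP) carrying `vid`, then
 * decode it with the chosen byte order. */
int decode_vid_roundtrip(uint16_t vid, int swapped)
{
    uint8_t frame[18] = {
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,     /* dst */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,     /* src (constructed) */
        0x81, 0x00,                             /* TPID: 802.1Q */
        0x00, 0x00,                             /* TCI, filled in below */
        0x08, 0x06                              /* inner ethertype: ARP */
    };

    frame[VLAN_TCI_OFFSET]     = (uint8_t)(vid >> 8);
    frame[VLAN_TCI_OFFSET + 1] = (uint8_t)(vid & 0xff);
    return vlan_id_of(frame, sizeof frame, swapped);
}

/* An untagged frame (ethertype IPv4 where the TPID would be) must not
 * yield a VID at all. */
int untagged_frame_vid(void)
{
    static const uint8_t frame[] = {
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
        0x08, 0x00,                             /* ethertype: IPv4 */
        0x45, 0x00, 0x00, 0x14
    };
    return vlan_id_of(frame, sizeof frame, 0);
}

int main(void)
{
    uint16_t vids[] = { 2, 3, 4, 5 };
    size_t i;

    for (i = 0; i < sizeof vids / sizeof vids[0]; i++)
        printf("vlan %u: network order -> vid %d, bytes swapped -> vid %d\n",
            (unsigned)vids[i], decode_vid_roundtrip(vids[i], 0),
            decode_vid_roundtrip(vids[i], 1));
    return 0;
}
```

Reading the TCI the wrong way round turns vid 2 into 512 and vid 3 into 768, which are exactly the values in the quoted capture; a quick sanity check for any tag-stripping path is therefore to send a frame on a known low VID and confirm the reported VID is not a multiple of 256.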

Re: Redirect traffic based on sub-domain?

2008-04-27 Thread Axton
On Sun, Apr 27, 2008 at 5:44 PM, Markus Bergkvist
[EMAIL PROTECTED] wrote:
 Hi,

  Is it possible to have PF redirecting traffic based on sub-domains? I.e. I
 want traffic to a.mydomain.nu to be redirected to machine 'a' and traffic to
 b.mydomain.nu to be redirected to machine 'b'.
No.

From the pf.conf man page
(http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html)

pf(4) has the ability to block and pass packets based on attributes of
their layer 3 (see ip(4) and ip6(4)) and layer 4 (see icmp(4),
icmp6(4), tcp(4), udp(4)) headers.  In addition, packets may also be
assigned to queues for the purpose of bandwidth control.

  /Markus


Look into reverse proxies:
http://www.sans.org/reading_room/whitepapers/webservers/302.php

Axton Grams



Re: PoPToP Vulnerability Question

2008-01-28 Thread Axton
On Jan 28, 2008 11:05 PM, Richard P. Koett [EMAIL PROTECTED] wrote:
 Dear Misc:

 I've been asked to look into an issue on an i386 system running OpenBSD 3.7. I
 realize this is rather out-of-date, so feel free to ignore this question if
 it's inappropriate...

 The machine is running poptop-1.1.4.b4p1. Someone did an audit and declared
 PoPToP servers prior to version 1.1.4-bs are vulnerable to a buffer
 overflow. I notice that even the current version of OpenBSD has a package for
 poptop-1.1.4.b4p1, so I find it hard to believe that this version contains a
 known buffer overflow. My question is - what information can I provide the
 auditor to assure them of this?

 Thanks in advance for any comments. For what it's worth I am aware of
 alternatives to PoPToP such as OpenVPN.

 RPK.

http://www.openbsd.org/faq/faq15.html#Intro

See the third paragraph in this section.



Re: rouge IPs / user

2007-12-07 Thread Axton
On Dec 7, 2007 12:51 PM, badeguruji [EMAIL PROTECTED] wrote:
 I am getting constant hacking attempt into my computer
 from following IPs. Although, I have configured my ssh
 config and tcp-wrappers to deny such attempts. But I
 wish some expert soul in this community 'fix' this
 rogue hacker for ever, for everyone's good.

 This hacker could be spoofing the IPs, but i have only
 the IPs in my message logs(and a url)...

 218.6.16.30
 195.187.33.66
 202.29.21.6
 60.28.201.57
 218.24.162.85
 wpc4643.amenworld.com
 202.22.251.23
 219.143.232.131
 220.227.218.21
 124.30.42.36

 -for community.

 -BG

 
 ~~Kalyan-mastu~~



Afraid it's a fact of life when running things on the open net.  Don't
worry about it.  Make sure the way you authenticate to ssh isn't weak.
I use key based authentication and don't use passwords.  This gives
me peace of mind.  It's a bit harder to guess and I don't have to
worry about accounts with weak passwords.  I also only allow specific
users to authenticate to ssh.  The DoS hits I get periodically are the
ones that bother me.

Axton Grams



PF Changes in 4.2

2007-11-05 Thread Axton
I remember reading some changes to the defaults for pf in how states
are tracked in pf.conf rules (default is now keep state flags S/SA).
For the life of me I can not find any official reference to it on the
internet or in my mail.  Can someone give me a pointer?

The only reference I can find on the net (nothing from openbsd.org):
http://home.nuug.no/~peter/pf/en/long-firewall.html#AEN415

Thanks,
Axton Grams



ntpd question - double free?

2007-05-25 Thread Axton

In parse.y for OpenBSD's ntpd, would/could this result in a double free:

number  : STRING    {
                        u_long       ulval;
                        const char  *errstr;

                        ulval = strtonum($1, 0, INT_MAX, &errstr);
                        if (errstr) {
                                yyerror("\"%s\" invalid: %s", $1, errstr);
                                free($1);
                                YYERROR;
                        } else
                                $$ = ulval;
                        free($1);
                    }
                    ;


From 
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/parse.y?rev=1.30&content-type=text/x-cvsweb-markup


The if statement will free($1) if it is not a valid u_long, then at
the end of the block, there is a subsequent free($1).

I'm a C newbie and I'm trying to learn, so don't beat me with the clue
stick too hard.

Axton
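
As an added illustration (not ntpd's code and not anything posted in this thread), here is a stand-alone C model of that action's control flow. In a yacc-generated parser YYERROR expands to a goto to the parser's error label, which leaves the action at once; the goto below plays that role, and the model counts the free() calls on each path so the success and error paths can be compared. The strtonum stand-in is assumed because strtonum(3) is not in every libc; the input strings are constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenBSD strtonum(3), assumed because not every libc has
 * it: returns the parsed value, or 0 with *errstr set on failure. */
static long long
num_strtonum(const char *s, long long minval, long long maxval,
    const char **errstr)
{
    char *end;
    long long v;

    errno = 0;
    v = strtoll(s, &end, 10);
    if (*s == '\0' || *end != '\0') {
        *errstr = "invalid";
        return 0;
    }
    if ((errno == ERANGE && v < 0) || v < minval) {
        *errstr = "too small";
        return 0;
    }
    if ((errno == ERANGE && v > 0) || v > maxval) {
        *errstr = "too large";
        return 0;
    }
    *errstr = NULL;
    return v;
}

/* Model of the parse.y action.  `tok` is the malloc'd STRING token ($1)
 * the action owns.  Every free() is counted in *frees.  YYERROR in a
 * yacc-generated parser is a goto to the parser's error label, which
 * leaves the action immediately; the goto below plays that role. */
int
number_action(char *tok, unsigned long *out, int *frees)
{
    unsigned long ulval;
    const char *errstr;

    ulval = (unsigned long)num_strtonum(tok, 0, INT_MAX, &errstr);
    if (errstr) {
        fprintf(stderr, "\"%s\" invalid: %s\n", tok, errstr);
        free(tok);
        (*frees)++;
        goto yyerrlab;              /* YYERROR */
    } else
        *out = ulval;
    free(tok);                      /* only reached on the success path */
    (*frees)++;
    return 0;

yyerrlab:
    return -1;
}

/* Run the action on a fresh heap copy of `text` (constructed input) and
 * return how many times that copy was freed; -1 if allocation failed. */
int
frees_for(const char *text)
{
    int frees = 0;
    unsigned long v = 0;
    char *tok = malloc(strlen(text) + 1);

    if (tok == NULL)
        return -1;
    strcpy(tok, text);
    (void)number_action(tok, &v, &frees);
    return frees;
}

/* Value of `text` parsed through the action, or -1 on a parse error. */
long
number_value(const char *text)
{
    int frees = 0;
    unsigned long v = 0;
    char *tok = malloc(strlen(text) + 1);

    if (tok == NULL)
        return -1;
    strcpy(tok, text);
    if (number_action(tok, &v, &frees) != 0)
        return -1;
    return (long)v;
}

int main(void)
{
    const char *inputs[] = { "123", "abc", "99999999999" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s value %ld, token freed %d time(s)\n",
            inputs[i], number_value(inputs[i]), frees_for(inputs[i]));
    return 0;
}
```

Counting frees rather than reasoning about them by eye is the useful habit here: for a suspected double free, instrument each path (or run the program under a memory checker) and confirm the count is exactly one on every exit from the block, including the ones taken by macros such as YYERROR that hide a jump.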



Re: another dumb vlan question

2007-05-03 Thread Axton
: vlan egress
   inet6 y::y:y:y:y%vlan3 prefixlen 64 scopeid 0xd
   inet x.x.x.x netmask 0xf800 broadcast 255.255.255.255
vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:03:ba:04:b2:1d
   vlan: 30 priority: 0 parent interface: trunk0
   groups: vlan
   inet6 fe80::203:baff:fe04:b21d%vlan30 prefixlen 64 scopeid 0xe
   inet 10.180.17.1 netmask 0xff00 broadcast 10.180.17.255


The routing tables then look like this:

# route -n show
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            x.x.x.x            UGS         9  6034124      -  vlan3
10.107.208/24      link#12            UC          5        0      -  vlan2
10.180.16/24       link#11            UC          1        0      -  vlan10
10.180.17/24       link#14            UC          1        0      -  vlan30
x.x.x/21           link#13            UC          1        0      -  vlan3
127/8              127.0.0.1          UGRS        0        0  33192  lo0
127.0.0.1          127.0.0.1          UH          2      708  33192  lo0
224/4              127.0.0.1          URS         0        0  33192  lo0

Axton



Re: Promise PDC20621 support

2007-03-04 Thread Axton

On 3/4/07, j sidabras [EMAIL PROTECTED] wrote:

Hello All,

I know promise hasn't been the most forthcoming company when releasing
specifications for their hardware. But it seems the first hardware docs for
the promise SX4 (PDC20621) have been released:

http://gkernel.sourceforge.net/specs/promise/pdc20621-pguide-dimm-1.6.pdf.bz2
http://gkernel.sourceforge.net/specs/promise/pdc20621-pguide-pll-ata-timing-1.2.pdf.bz2

Shamefully I do not have the ability to write drivers, but I was wondering
if the openbsd team knows about these specifications and if anyone is
working on implementing these drivers.

Thanks

Jason




If there are any interested developers, I have one card I can donate;
it does not have a dimm installed and one is required for the card to
operate.  Email me privately if you are interested.  I am in the US
and I can cover shipping costs.

Card details:
32-bit PCI
Promise FastTrack sx4000
Chip Num: Promise ATARAID5 PDC20621
Chip Num: MX MO20750 29LV400BTC-90 2F502800
ASSY 0116-00 REV A5

Axton Grams



Re: VPN solutions for OpenBSD to Windows

2006-12-21 Thread Axton
On 12/22/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Hi gang,

 I'm looking for peoples' experiences and advice for setting up a VPN
 between OpenBSD (I will be using 4.0) and Windows XP/2000 systems.  I have
 tested the Greenbow client and it seems ok.  What of the built-in VPN client
 for the Windows OS?  I am mostly interested in ease of configuration and
 reliability of the tunnel.  I am ok on IPSEC theory.

 Thanks in advance for any comments,

 Peter


The greenbow client is definitely easier to use than the built-in MS IPSec
client, and offers a lot more in terms of capabilities.  There are some
limitations on the MS client as far as what types of encryption you can use
with the Phase1/2 negotiations.

With the Windows client, there are two approaches I've used to establish
IPSec tunnels: (1) the IPSec MMC Snap-in and (2) the command line method
(via the windows support tools).  In either case, there is no clear way to
see that a tunnel is established or to close the tunnel.  It's clear to the
savvy user how to close a tunnel, but if you are looking to deploy it to
a regular user-base, it probably won't be so clear.

With the MMC snap-in, you can export the settings, then another user can
import those settings, at which point only minor changes are required to
make it work (configure the ip for your end of the tunnel).  The same
applies to the command line approach.

Axton Grams



Vlans using a trunk device

2006-10-08 Thread Axton Grams
 - vlan2
10.180.16/24  link#11   UC   0  0 - vlan10
10.180.17/24  link#14   UC   0  0 - vlan30
x.x.x.x/y link#13   UC   0  0 - vlan3
127/8 127.0.0.1 UGRS 0  0 33192 lo0
127.0.0.1 127.0.0.1 UH   0  0 33192 lo0
224/4 127.0.0.1 URS  0  0 33192 lo0


Also, anything that looks off in the config provided, please chime in.
Read some postings about changing mtu on vlan devices, but don't know
enough to know what to do.  I do know that vlan ids are 12-bit numbers,
so not sure if an mtu of 1503 is appropriate or not.

Thanks for any insight,
Axton Grams



Re: Vlans using a trunk device

2006-10-08 Thread Axton Grams
Stuart Henderson wrote:
 On 2006/10/08 15:31, Axton Grams wrote:
 While working with the trunk and vlan features of OpenBSD, I ran into
 one thing that I do not understand.  In order to use a trunk device for
 multiple vlan's, the trunk device must have an ip address assigned.
 
 Your ifconfig output is from when it's working, isn't it? Start from
 not-working and diff the two (ifconfig > /tmp/broken; ifconfig trunk0
 10.1.1.1; ifconfig | diff -u /tmp/broken -) and see what changed.
 
 You'll probably see that before you added the address it wasn't
 configured UP. If that's the case, you just need to add the word
 up on a line in /etc/hostname.trunk0
 
 Read some postings about changing mtu on vlan devices, but don't know
 enough to know what to do.
 
 If changing mtu makes a difference to vlans, you're probably better
 off searching for better NICs.
 
 
Stuart,

Thanks for the info.  It must have been some other config problem that I
misinterpreted as the trunk interface needing an ip.  Altered the
hostname.trunk0 with the appropriate parameters (no ip, just up and
trunkdevs) and all is well.  Started this morning and changed a lot
in that time frame.

Works like a charm.

Axton Grams



Re: VPN(8) pf settings

2006-09-12 Thread Axton Grams
Gustavo Rios wrote:
 Dear friends,
 
 I am starting to learn VPN, and i am very confused with some points.
 For instance, concerning firewall rules.
 
 It is not clear right now, on which interface i should see the
 protocol esp, ipencap, ah, etc. I could not figure it out on which
 interface, should i filter tcp, udp and application layer traffic like
 dns, http, ftp, ftp-data, etc between the both networks i am
 connecting ...
 
 Thanks in advance.
 
 
Started learning this myself recently.  Many of the examples require a
lot of thinking to straighten out because they do not offer a topology
of the networks the example config files are against.

I have a vpn working where lan machines can access the dmz network.
Clients are XP and the Router is OpenBSD.

The pf.conf was the last trick after getting isakmpd to negotiate the
main and quick mode sa's.

The network is like this:
DMZ Net: 10.180.16/24
LAN Net: 10.107.208/24

The pf.conf reads like this:

# interfaces
if_lo=   lo0
if_ext=  hme0
if_int=  hme1
if_dmz=  hme2
if_enc=  enc0

# interface ip's
ip_ext=  x.x.x.x
ip_int=  10.107.208.1
ip_dmz=  10.180.16.1

# interface networks
net_int= 10.107.208.0/24
net_dmz= 10.180.16.0/24

# OPTIONS
set block-policy drop
set loginterface $if_ext
set require-order yes
set optimization normal
set state-policy if-bound
set skip on {$if_lo }
set debug none

# NORMALIZATION
scrub all reassemble tcp random-id fragment reassemble \
 no-df min-ttl 24 max-mss 1460

# TRANSLATION
nat on $if_ext inet tag INT_NAT tagged LAN_INET -> ($if_ext)
nat on $if_ext inet tag DMZ_NAT tagged DMZ_INET -> ($if_ext)
nat-anchor ftp-proxy/*

# REDIRECTION
rdr-anchor ftp-proxy/*

# PACKET FILTERING
block log all
anchor ftp-proxy/*
antispoof log quick for $if_ext inet
# allowable traffic to outside networks
pass in  on $if_int from $net_int to !<reserved> tag \
 LAN_INET keep state
pass in  on $if_dmz from $net_dmz to !<reserved> tag \
 DMZ_INET keep state
# allowable traffic to router from lan
pass in  on $if_int proto udp from $net_int to $ip_int \
 port $proto_router_udp_int_in keep state
pass in  on $if_int proto tcp from $net_int to $ip_int \
 port $proto_router_tcp_int_in modulate state flags S/SA
# allow router access to some external services
pass out on $if_ext from ($if_ext) to any tag RTR_INET
# VPN access for LAN-to-DMZ ipsec
# Passing in encrypted traffic from security gateways
pass in  on $if_int proto esp from $net_int to $ip_int \
 keep state
pass out on $if_int proto esp from $ip_int  to $net_int \
 keep state
# Need to allow ipencap traffic on enc0.
pass in  on $if_enc proto ipencap all keep state
# Passing in traffic from the designated subnets.
# (only allow traffic into dmz, prevent traffic from dmz to lan)
pass in  on $if_enc from $net_int to $net_dmz tag VPN_INT \
 keep state
#pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET
# Passing in isakmpd(8) traffic from the security gateways
pass in  on $if_int proto udp from $net_int to $ip_int \
 port isakmp keep state
pass out on $if_int proto udp from $ip_int  to $net_int \
 port isakmp keep state

# policy enforcement
pass out on $if_ext inet proto tcp tagged RTR_INET  modulate \
 state flags S/SA
pass out on $if_ext inet proto udp tagged RTR_INET  keep state
pass out on $if_ext inet proto tcp tagged INT_NAT   modulate \
 state flags S/SA
pass out on $if_ext inet proto udp tagged INT_NAT   keep state
pass out on $if_ext inet proto tcp tagged DMZ_NAT   modulate \
 state flags S/SA
pass out on $if_ext inet proto udp tagged DMZ_NAT   keep state
pass out on $if_dmz inet proto tcp tagged VPN_INT   modulate \
 state flags S/SA
pass out on $if_dmz inet proto udp tagged VPN_INT   keep state
pass out on $if_int inet proto tcp tagged VPN_EXT   modulate \
 state flags S/SA
pass out on $if_int inet proto udp tagged VPN_EXT   keep state



Some things were removed, but this should give the general idea.  Still
knocking around to make sure things aren't slipping through that
shouldn't, but working good so far.

You should be able to block/allow whatever traffic you want between the
two networks with rules that follow this format, just specify the dports:

pass in  on $if_enc from $net_int to $net_dmz tag VPN_INT \
 keep state
pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET

Axton



Re: IPsec Configuration Questions

2006-09-08 Thread Axton Grams
Hans-Joerg Hoexer wrote:
 what ipsec software is running on the clients?  What does your
 ipsec.conf on the firewall look like?
 
 On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
 Hoping someone can point me in the right direction to get isakmpd working.

 The scenario:
 - the router drops all traffic directed to it from the dmz net
 - the router drops all traffic destined for the lan from the dmz
 - the router drops all traffic destined for the dmz from the lan
 - vlan1 (dmz) has linux hosts
 - vlan2 (lan) has windows and linux hosts, for the purpose of this
 exercise, I am using a windows host

 The goals:
 - create a way by which hosts in the lan can connect to the dmz network
 using ipsec/isakmpd
 - starting off with simple auth, shared secret passphrase

 The problem:
 - I am unable to establish a SA between the router and the lan hosts
   isakmpd returns the following:
 155359.461787 Default message_recv: cleartext phase 2 message
 155359.462366 Default dropped message from 10.107.208.20 port 500 due to
 notification type INVALID_FLAGS

 Some background Info:

 My network is as follows:
 (trunking is next on my list, but for now, I have separate interfaces on
 the router for each vlan)

                        |
                 Internet (dynamic ip)
                        | 1.1.1.2
            +---------------------------+
            |     router/fw/isakmpd     |
            +---------------------------+
     10.180.16.1 |                | 10.107.208.1
            dmz  |                |  lan
            +---------------------------+
            |          switch           |
            |    vlan1    |    vlan2    |
            +---------------------------+
                 |                |
       +-----------------+  +-----------------+
       |   www server    |  |  workstation 1  |
       |  10.180.16.250  |  |  10.107.208.20  |
       +-----------------+  +-----------------+

 
I have the ipsec working between the two networks, but I wanted to get a
sanity check on my pf.conf.  I could not find any examples of the
ipsec/enc rules that used tagging for policy enforcement and wanted to
make sure there are no issues with doing so.

##
# MACROS

# interfaces
if_lo=   lo0
if_ext=  hme0
if_int=  hme1
if_dmz=  hme2
if_von=  hme3
if_enc=  enc0

# interface ip's
ip_ext=  x.x.x.x
ip_int=  10.107.208.1
ip_dmz=  10.180.16.1
ip_von=  10.180.17.1

# interface networks
net_int= 10.107.208.0/24
net_dmz= 10.180.16.0/24
net_von= 10.180.17.0/24

# DMZ Host 1
ip_dmzhost1= 10.180.16.250
proto_in_inet_tcp_dmzhost1=  { 443 }
proto_in_inet_udp_dmzhost1=  
proto_in_inet_icmp_dmzhost1= 


# TABLES


# OPTIONS

set block-policy drop
set loginterface $if_ext
set require-order yes
set optimization normal
set state-policy if-bound
set skip on {$if_lo }
set debug none


# NORMALIZATION

scrub all reassemble tcp random-id fragment reassemble no-df\
 min-ttl 24 max-mss 1460


# QUEUEING


# TRANSLATION

nat on $if_ext inet tag INT_NAT tagged LAN_INET -> ($if_ext)
nat on $if_ext inet tag DMZ_NAT tagged DMZ_INET -> ($if_ext)
nat on $if_ext inet tag VON_NAT tagged VON_INET -> ($if_ext)

nat-anchor ftp-proxy/*


# REDIRECTION

# External access to DMZ
rdr on $if_ext inet proto tcp from any to port 443 tag\
 TAG_HTTPS -> $ip_dmzhost1 port 443

# FTP Proxy
rdr-anchor ftp-proxy/*


# PACKET FILTERING

# implicit first rule
block log all
anchor ftp-proxy/*

# MISC: silently drop broadcasts (cable modem noise)
block in quick on $if_ext from any to {255.255.255.255,\
 0.0.0.0}

# ANTISPOOFING
antispoof log quick for $if_ext inet

# HOST: ROUTER
# allowable incoming traffic
pass in  on $if_int from $net_int tag LAN_INET keep state
pass in  on $if_dmz from $net_dmz tag DMZ_INET keep state
pass in  on $if_von from $net_von tag VON_INET keep state

# allow incoming traffic to dmz
pass in  on $if_ext tagged TAG_HTTPS keep state

# allow router access to internet
pass out on $if_ext from ($if_ext) to any tag RTR_INET

# ipsec access for LAN-to-DMZ
# Passing in encrypted traffic from security gateways
pass in  on $if_int proto esp from $net_int to $ip_int\
 keep state
pass out on $if_int proto esp from $ip_int  to $net_int\
 keep state
# Need to allow ipencap traffic on enc0.
pass in  on $if_enc proto ipencap all keep state
# Passing in traffic from the designated subnets.
# (only allow traffic into dmz, prevent tunnel in)
pass in  on $if_enc from $net_int to $net_dmz tag VPN_INT

Re: IPsec Configuration Questions

2006-09-04 Thread Axton Grams
Hans-Joerg Hoexer wrote:
 what ipsec software is running on the clients?  What does your
 ipsec.conf on the firewall look like?
 
 On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
 Hoping someone can point me in the right direction to get isakmpd working.

 The scenario:
 - the router drops all traffic directed to it from the dmz net
 - the router drops all traffic destined for the lan from the dmz
 - the router drops all traffic destined for the dmz from the lan
 - vlan1 (dmz) has linux hosts
 - vlan2 (lan) has windows and linux hosts, for the purpose of this
 exercise, I am using a windows host

 The goals:
 - create a way by which hosts in the lan can connect to the dmz network
 using ipsec/isakmpd
 - starting off with simple auth, shared secret passphrase

 Some background Info:

 My network is as follows:
 (trunking is next on my list, but for now, I have separate interfaces on
 the router for each vlan)

                        |
                 Internet (dynamic ip)
                        | 1.1.1.2
            +---------------------------+
            |     router/fw/isakmpd     |
            +---------------------------+
     10.180.16.1 |                | 10.107.208.1
            dmz  |                |  lan
            +---------------------------+
            |          switch           |
            |    vlan1    |    vlan2    |
            +---------------------------+
                 |                |
       +-----------------+  +-----------------+
       |   www server    |  |  workstation 1  |
       |  10.180.16.250  |  |  10.107.208.20  |
       +-----------------+  +-----------------+

 - OpenBSD Router:
 - relevant ifconfig
 ** internet
 hme0:
 flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
 mtu 1500
 lladdr xxx
 groups: egress
 media: Ethernet 100baseTX full-duplex
 status: active
 inet6 xxx%hme0 prefixlen 64 scopeid 0x2
 inet 1.1.1.2 netmask 0xe000 broadcast 1.1.1.255
 ** lan
 hme1:
 flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST>
 mtu 1500
 lladdr 08:00:20:ca:7d:c5
 media: Ethernet 100baseTX
 status: active
 inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
 inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
 ** dmz
 hme2:
 flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
 mtu 1500
 lladdr 08:00:20:ca:7d:c6
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
 inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4

 

I see the SA established on both machines when I generate traffic from
the lan machine to the dmz machine:

# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.180.0.0/16 peer 10.107.208.20
flow esp out from 10.180.0.0/16 to 10.107.208.20 peer 10.107.208.20

SADB:
esp tunnel from 10.107.208.1 to 10.107.208.20 spi 0x6a1e4b88 enc
3des-cbc auth hmac-sha1
esp tunnel from 10.107.208.20 to 10.107.208.1 spi 0x2f9e0f0b enc
3des-cbc auth hmac-sha1

C:\Program Files\Support Tools>ipseccmd show sas

Main Mode SAs
--

Main Mode SA #1:
 From 10.107.208.20
  To  10.107.208.1
 Policy Id : {F692F46D-7E01-4929-9DA3-AAEFD79B7A97}
 Offer Used :
3DES SHA1  DH Group 2
Quickmode limit : 0, Lifetime 0Kbytes/28800seconds
 Auth Used : Preshared Key
 Initiator cookie 4d9a6c5aa8ea5bf1
 Responder cookie ef0f72aba9f15fc8
 Source UDP Encap port : 500  Dest UDP Encap port: 500

Quick Mode SAs
--

Quick Mode SA #1:
 Filter Id : {22A8F939-89C3-4978-9F9A-BEA0B46B4163}
  Tunnel Filter
  From 10.107.208.20
   To  subnet 10.180.0.0 mask 255.255.0.0
  Protocol : 0  Src Port : 0  Des Port : 0
  Direction : Outbound
  Tunnel From 10.107.208.20
  Tunnel  To  10.107.208.1
 Policy Id : {F7161316-2A79-495C-8FB8-DC7662246113}
 Offer Used :
Algo #1 : Encryption 3DES SHA1 (24bytes/0rounds)
(20secbytes/0secrounds)
  MySpi 1780370312 PeerSpi 798887691
PFS : False, Lifetime 10Kbytes/3600seconds
 Initiator cookie 4d9a6c5aa8ea5bf1
 Responder cookie ef0f72aba9f15fc8

The command completed successfully.

The ipsec settings are configured using the following:
ipseccmd.exe -u
ipseccmd.exe -f 0=10.180.16.0/255.255.255.0 -n ESP[3DES,SHA] -t
10.107.208.1 -a PRESHARE:sharedsecret -1s 3DES-SHA-2
ipseccmd.exe -f 10.180.16.0/255.255.255.0=0 -n ESP[3DES,SHA] -t
10.107.208.20 -a PRESHARE:sharedsecret -1s 3DES-SHA-2


For some reason though, traffic from the lan machine to the dmz machine
is going into a black hole.  pflog0 shows no dropped packets, nothing
odd in messages.

C:\WINDOWS>ping 10.180.16.250

Pinging 10.180.16.250 with 32 bytes of data:

Negotiating IP Security.
Request timed out.
Request timed out.
Request timed out.

These are the stats from the client side.  You can see the outgoing
traffic
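
An added cross-check, written for this archive and not part of the thread: it parses the `ipsecctl -s all` output quoted above (pasted in as constructed sample input, together with one of the earlier transport-mode attempts from the same thread), verifies that every SA has its reverse-direction twin, that a flow whose selector is a whole subnet is carried by tunnel-mode SAs rather than the transport-mode SAs the first attempts negotiated, flags 3DES and MD5 as legacy (the reviewer's own list, not anything OpenBSD defines), and confirms that the decimal MySpi/PeerSpi printed by the Windows `ipseccmd show sas` output are the same SPIs the OpenBSD SADB shows in hex.

```python
"""Sanity checks on `ipsecctl -s all` output (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample input: the FLOWS/SADB output quoted in the post above,
# with the wrapped `esp tunnel` lines re-joined.
SAMPLE_TUNNEL = """\
FLOWS:
flow esp in from 10.107.208.20 to 10.180.0.0/16 peer 10.107.208.20
flow esp out from 10.180.0.0/16 to 10.107.208.20 peer 10.107.208.20

SADB:
esp tunnel from 10.107.208.1 to 10.107.208.20 spi 0x6a1e4b88 enc 3des-cbc auth hmac-sha1
esp tunnel from 10.107.208.20 to 10.107.208.1 spi 0x2f9e0f0b enc 3des-cbc auth hmac-sha1
"""

# Constructed sample input: one of the earlier transport-mode attempts
# quoted later in the thread.
SAMPLE_TRANSPORT = """\
FLOWS:
flow esp in from 10.107.208.20 to 10.107.208.1 peer 10.107.208.20
flow esp out from 10.107.208.1 to 10.107.208.20 peer 10.107.208.20

SADB:
esp transport from 10.107.208.20 to 10.107.208.1 spi 0x546b7788 enc 3des-cbc auth hmac-md5
esp transport from 10.107.208.1 to 10.107.208.20 spi 0x85cdd5a3 enc 3des-cbc auth hmac-md5
"""

SA_RE = re.compile(r"^esp (?P<mode>tunnel|transport) from (?P<src>\S+) to (?P<dst>\S+) "
                   r"spi (?P<spi>0x[0-9a-fA-F]+) enc (?P<enc>\S+) auth (?P<auth>\S+)$")
FLOW_RE = re.compile(r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) "
                     r"peer (?P<peer>\S+)$")

# Reviewer's own list of algorithms that should no longer be negotiated.
LEGACY_ALGS = {"des-cbc", "3des-cbc", "hmac-md5"}


@dataclass(frozen=True)
class SA:
    mode: str
    src: str
    dst: str
    spi: int
    enc: str
    auth: str


def parse_ipsecctl(text):
    """Return ([SA, ...], [flow dict, ...]) parsed from ipsecctl -s all output."""
    sas, flows = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SA_RE.match(line):
            sas.append(SA(m["mode"], m["src"], m["dst"], int(m["spi"], 16),
                          m["enc"], m["auth"]))
        elif m := FLOW_RE.match(line):
            flows.append(m.groupdict())
    return sas, flows


def check_sadb(text):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    sas, flows = parse_ipsecctl(text)
    findings = []
    # 1. Every SA needs its reverse-direction twin, otherwise traffic is one-way.
    directions = {(sa.src, sa.dst) for sa in sas}
    for sa in sas:
        if (sa.dst, sa.src) not in directions:
            findings.append(f"unpaired SA {sa.src}->{sa.dst} spi {sa.spi:#x}")
    # 2. A flow whose selector is a subnet must be carried by tunnel-mode SAs;
    #    transport mode only protects traffic between the two peer addresses.
    for f in flows:
        selector = f["src"] if f["dir"] == "out" else f["dst"]
        if "/" in selector and any(sa.mode != "tunnel" for sa in sas):
            findings.append(f"subnet selector {selector} but SADB holds "
                            "transport-mode SAs")
    # 3. Legacy algorithms still being negotiated.
    for sa in sas:
        for alg in (sa.enc, sa.auth):
            if alg in LEGACY_ALGS:
                findings.append(f"SA spi {sa.spi:#x} uses legacy algorithm {alg}")
    return findings


def spi_crosscheck(text, windows_my_spi, windows_peer_spi, windows_host):
    """Match the decimal MySpi/PeerSpi from Windows `ipseccmd show sas` against the
    hex SPIs in the OpenBSD SADB.  MySpi is the SPI of the SA carrying traffic
    *to* the Windows host, PeerSpi the SA carrying traffic *from* it."""
    sas, _ = parse_ipsecctl(text)
    inbound = {sa.spi for sa in sas if sa.dst == windows_host}
    outbound = {sa.spi for sa in sas if sa.src == windows_host}
    return (windows_my_spi in inbound, windows_peer_spi in outbound)


if __name__ == "__main__":
    for name, sample in (("tunnel", SAMPLE_TUNNEL), ("transport", SAMPLE_TRANSPORT)):
        print(name, check_sadb(sample) or ["ok"])
    # MySpi/PeerSpi values from the Windows output quoted above
    print(spi_crosscheck(SAMPLE_TUNNEL, 1780370312, 798887691, "10.107.208.20"))
```

Run against a live box with `ipsecctl -s all | python3 check_sadb.py` after changing `__main__` to read stdin; the cross-check is what tells you that the SA Windows reports as "MySpi 1780370312" is the OpenBSD SA with spi 0x6a1e4b88, so both ends agree on which SA carries which direction.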

Re: IPsec Configuration Questions

2006-09-03 Thread Axton Grams
 6
141649.571484 Exch 10 exchange_finalize: icookie b713c39cd0c47724
rcookie 56a69eddda558c2b
141649.571895 Exch 10 exchange_finalize: msgid 
141649.572567 Exch 10 exchange_finalize: phase 1 done: initiator id
0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src:
10.107.208.1 dst: 10.107.208.20
141649.573066 Timr 10 timer_add_event: event sa_soft_expire(0x47987000)
added last, expiration in 27100s
141649.573700 Timr 10 timer_add_event: event sa_hard_expire(0x47987000)
added last, expiration in 28800s
141649.578955 Timr 10 timer_add_event: event
exchange_free_aux(0x47986c00) added before sa_soft_expire(0x47987000),
expiration in 120s
141649.579558 Exch 10 exchange_setup_p2: 0x47986c00 unnamed no
policy policy responder phase 2 doi 1 exchange 32 step 0
141649.579991 Exch 10 exchange_setup_p2: icookie b713c39cd0c47724
rcookie 56a69eddda558c2b
141649.580495 Exch 10 exchange_setup_p2: msgid 63ba711f sa_list
141649.585479 Timr 10 timer_add_event: event
message_send_expire(0x43fb5000) added before
exchange_free_aux(0x47986e00), expiration in 7s
141649.586872 Timr 10 timer_remove_event: removing event
message_send_expire(0x43fb5000)
141649.588331 Exch 10 exchange_finalize: 0x47986c00 unnamed no
policy policy responder phase 2 doi 1 exchange 32 step 2
141649.588933 Exch 10 exchange_finalize: icookie b713c39cd0c47724
rcookie 56a69eddda558c2b
141649.589361 Exch 10 exchange_finalize: msgid 63ba711f sa_list 0x47987200
141649.590025 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI
0x1086163f
141649.590493 Timr 10 timer_add_event: event sa_soft_expire(0x47987200)
added before sa_soft_expire(0x47987000), expiration in 3279s
141649.591070 Timr 10 timer_add_event: event sa_hard_expire(0x47987200)
added before sa_soft_expire(0x47987000), expiration in 3600s
141649.592114 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI
0x633b612e
141649.593627 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x47986c00)

Thanks,
Axton Grams


Hans-Joerg Hoexer wrote:
 what ipsec software is running on the clients?  What does your
 ipsec.conf on the firewall look like?
 
 On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
 Hoping someone can point me in the right direction to get isakmpd working.

 The scenario:
 - the router drops all traffic directed to it from the dmz net
 - the router drops all traffic destined for the lan from the dmz
 - the router drops all traffic destined for the dmz from the lan
 - vlan1 (dmz) has linux hosts
 - vlan2 (lan) has windows and linux hosts, for the purpose of this
 exercise, I am using a windows host

 The goals:
 - create a way by which hosts in the lan can connect to the dmz network
 using ipsec/isakmpd
 - starting off with simple auth, shared secret passphrase

 The problem:
 - I am unable to establish a SA between the router and the lan hosts
   isakmpd returns the following:
 155359.461787 Default message_recv: cleartext phase 2 message
 155359.462366 Default dropped message from 10.107.208.20 port 500 due to
 notification type INVALID_FLAGS

 Some background Info:

 My network is as follows:
 (trunking is next on my list, but for now, I have separate interfaces on
 the router for each vlan)

                              |
                    Internet (dynamic ip)
                              | 1.1.1.2
                 +-------------------------+
                 |   router/fw/isakmpd     |
                 +-------------------------+
         10.180.16.1 |                 | 10.107.208.1
                 dmz |                 | lan
                     |                 |
                 +---+-----------------+---+
                 |  vlan1   switch   vlan2 |
                 +---+-----------------+---+
                     |                 |
          +----------+------+  +-------+-----------+
          |   www server    |  |   workstation 1   |
          |  10.180.16.250  |  |   10.107.208.20   |
          +-----------------+  +-------------------+

 - OpenBSD Router:
 - relevant ifconfig
 ** internet
 hme0:
 flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
 mtu 1500
 lladdr xxx
 groups: egress
 media: Ethernet 100baseTX full-duplex
 status: active
 inet6 xxx%hme0 prefixlen 64 scopeid 0x2
 inet 1.1.1.2 netmask 0xe000 broadcast 1.1.1.255
 ** lan
 hme1:
 flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST>
 mtu 1500
 lladdr 08:00:20:ca:7d:c5
 media: Ethernet 100baseTX
 status: active
 inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
 inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
 ** dmz
 hme2:
 flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
 mtu 1500
 lladdr 08:00:20:ca:7d:c6
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
 inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4

 # cat isakmpd.policy

Re: IPsec Configuration Questions

2006-09-03 Thread Axton Grams
Hans-Joerg Hoexer wrote:
 what ipsec software is running on the clients?  What does your
 ipsec.conf on the firewall look like?
 

ipsecctl shows the following during the negotiation, but the vpn client
ends the connection.

# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.107.208.1 peer 10.107.208.20
flow esp out from 10.107.208.1 to 10.107.208.20 peer 10.107.208.20

SADB:
esp transport from 10.107.208.20 to 10.107.208.1 spi 0x546b7788 enc
3des-cbc auth hmac-md5
esp transport from 10.107.208.1 to 10.107.208.20 spi 0x85cdd5a3 enc
3des-cbc auth hmac-md5

 On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
 Hoping someone can point me in the right direction to get isakmpd working.

 The scenario:
 - the router drops all traffic directed to it from the dmz net
 - the router drops all traffic destined for the lan from the dmz
 - the router drops all traffic destined for the dmz from the lan
 - vlan1 (dmz) has linux hosts
 - vlan2 (lan) has windows and linux hosts, for the purpose of this
 exercise, I am using a windows host

 The goals:
 - create a way by which hosts in the lan can connect to the dmz network
 using ipsec/isakmpd
 - starting off with simple auth, shared secret passphrase

 The problem:
 - I am unable to establish a SA between the router and the lan hosts
   isakmpd returns the following:
 155359.461787 Default message_recv: cleartext phase 2 message
 155359.462366 Default dropped message from 10.107.208.20 port 500 due to
 notification type INVALID_FLAGS

 Some background Info:

 My network is as follows:
 (trunking is next on my list, but for now, I have separate interfaces on
 the router for each vlan)

                              |
                    Internet (dynamic ip)
                              | 1.1.1.2
                 +-------------------------+
                 |   router/fw/isakmpd     |
                 +-------------------------+
         10.180.16.1 |                 | 10.107.208.1
                 dmz |                 | lan
                     |                 |
                 +---+-----------------+---+
                 |  vlan1   switch   vlan2 |
                 +---+-----------------+---+
                     |                 |
          +----------+------+  +-------+-----------+
          |   www server    |  |   workstation 1   |
          |  10.180.16.250  |  |   10.107.208.20   |
          +-----------------+  +-------------------+

 - OpenBSD Router:
 - relevant ifconfig
 ** internet
 hme0:
 flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
 mtu 1500
 lladdr xxx
 groups: egress
 media: Ethernet 100baseTX full-duplex
 status: active
 inet6 xxx%hme0 prefixlen 64 scopeid 0x2
 inet 1.1.1.2 netmask 0xe000 broadcast 1.1.1.255
 ** lan
 hme1:
 flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST>
 mtu 1500
 lladdr 08:00:20:ca:7d:c5
 media: Ethernet 100baseTX
 status: active
 inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
 inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
 ** dmz
 hme2:
 flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
 mtu 1500
 lladdr 08:00:20:ca:7d:c6
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
 inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4

 # cat isakmpd.policy
 KeyNote-Version: 2
 Authorizer: "POLICY"
 Licensees: "passphrase:foobar"
 Conditions: app_domain == "IPsec policy" &&
             esp_present == "yes" &&
             esp_enc_alg == "3des" &&
             esp_auth_alg == "hmac-md5" -> "true";

 # isakmpd -d -4 -DA=10
 155358.773509 Default log_debug_cmd: log level changed from 0 to 10 for
 class 0 [priv]
 155358.775093 Default log_debug_cmd: log level changed from 0 to 10 for
 class 1 [priv]
 155358.775757 Default log_debug_cmd: log level changed from 0 to 10 for
 class 2 [priv]
 155358.776153 Default log_debug_cmd: log level changed from 0 to 10 for
 class 3 [priv]
 155358.776672 Default log_debug_cmd: log level changed from 0 to 10 for
 class 4 [priv]
 155358.777056 Default log_debug_cmd: log level changed from 0 to 10 for
 class 5 [priv]
 155358.777524 Default log_debug_cmd: log level changed from 0 to 10 for
 class 6 [priv]
 155358.777914 Default log_debug_cmd: log level changed from 0 to 10 for
 class 7 [priv]
 155358.778416 Default log_debug_cmd: log level changed from 0 to 10 for
 class 8 [priv]
 155358.778794 Default log_debug_cmd: log level changed from 0 to 10 for
 class 9 [priv]
 155358.779267 Default log_debug_cmd: log level changed from 0 to 10 for
 class 10 [priv]
 155358.788915 Misc 10 monitor_init: privileges dropped for child process
 155359.444597 Timr 10 timer_add_event: event
 connection_checker(0x4fe41420) added last, expiration in 0s
 155359.451947 Timr 10 timer_handle_expirations: event
 connection_checker(0x4fe41420)
 155359.452947 Timr 10 timer_add_event: event

Re: IPsec Configuration Questions

2006-09-03 Thread Axton Grams
Hans-Joerg Hoexer wrote:
 what ipsec software is running on the clients?  What does your
 ipsec.conf on the firewall look like?
 

Some updated info:

For whatever reason, the last two packets in the packet capture show a
DELETE action:

20:14:24.117160 10.107.208.20.isakmp > router.arswiki.org.isakmp:  [udp
sum ok] isakmp v1.0 exchange QUICK_MODE
cookie: 5ad2b89593ca41af-acd59e7bdeb12259 msgid: 44aa1cd7 len: 52
payload: HASH len: 24 [ttl 0] (id 1, len 80)
20:15:06.955703 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange INFO
cookie: 5ad2b89593ca41af-acd59e7bdeb12259 msgid: 8c2a671f len: 68
payload: HASH len: 24
payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
SPI: 0xa3ee9768 [ttl 0] (id 1, len 96)
20:15:06.958120 10.107.208.1.isakmp > 10.107.208.20.isakmp:  [udp sum
ok] isakmp v1.0 exchange INFO
cookie: 5ad2b89593ca41af-acd59e7bdeb12259 msgid: b81113d3 len: 80
payload: HASH len: 24
payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
cookie: 5ad2b89593ca41af-acd59e7bdeb12259 [ttl 0] (id 1,
len 108)




*** ipsecctl output:
# date
Sun Sep  3 20:14:33 EDT 2006
# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.107.208.1 peer 10.107.208.20
flow esp out from 10.107.208.1 to 10.107.208.20 peer 10.107.208.20

SADB:
esp transport from 10.107.208.1 to 10.107.208.20 spi 0xbb351f90 enc
3des-cbc auth hmac-md5
esp transport from 10.107.208.20 to 10.107.208.1 spi 0xa3ee9768 enc
3des-cbc auth hmac-md5


*** isakmpd output:
# isakmpd -L -d -4 -DA=10
201358.608890 Default log_debug_cmd: log level changed from 0 to 10 for
class 0 [priv]
201358.610514 Default log_debug_cmd: log level changed from 0 to 10 for
class 1 [priv]
201358.611163 Default log_debug_cmd: log level changed from 0 to 10 for
class 2 [priv]
201358.611570 Default log_debug_cmd: log level changed from 0 to 10 for
class 3 [priv]
201358.612056 Default log_debug_cmd: log level changed from 0 to 10 for
class 4 [priv]
201358.612448 Default log_debug_cmd: log level changed from 0 to 10 for
class 5 [priv]
201358.612928 Default log_debug_cmd: log level changed from 0 to 10 for
class 6 [priv]
201358.613299 Default log_debug_cmd: log level changed from 0 to 10 for
class 7 [priv]
201358.613755 Default log_debug_cmd: log level changed from 0 to 10 for
class 8 [priv]
201358.614134 Default log_debug_cmd: log level changed from 0 to 10 for
class 9 [priv]
201358.614628 Default log_debug_cmd: log level changed from 0 to 10 for
class 10 [priv]
201358.624595 Misc 10 monitor_init: privileges dropped for child process
201359.285220 Default log_packet_init: starting IKE packet capture to
file /var/run/isakmpd.pcap
201423.864748 Timr 10 timer_add_event: event
exchange_free_aux(0x4af26c00) added last, expiration in 120s
201423.865819 Exch 10 exchange_setup_p1: 0x4af26c00 client
Default-main-mode policy responder phase 1 doi 1 exchange 2 step 0
201423.866355 Exch 10 exchange_setup_p1: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201423.866923 Exch 10 exchange_setup_p1: msgid 
201423.867580 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
detected
201423.868493 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
201423.869011 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
201423.869577 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
201423.871151 Timr 10 timer_add_event: event
message_send_expire(0x45a64e00) added before
exchange_free_aux(0x4af26c00), expiration in 7s
201423.906614 Timr 10 timer_remove_event: removing event
message_send_expire(0x45a64e00)
201423.996634 Timr 10 timer_add_event: event
message_send_expire(0x45a64a00) added before
exchange_free_aux(0x4af26c00), expiration in 7s
201424.097443 Timr 10 timer_remove_event: removing event
message_send_expire(0x45a64a00)
201424.099859 Exch 10 exchange_finalize: 0x4af26c00 client
Default-main-mode policy responder phase 1 doi 1 exchange 2 step 6
201424.100502 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201424.100925 Exch 10 exchange_finalize: msgid 
201424.101661 Exch 10 exchange_finalize: phase 1 done: initiator id
0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src:
10.107.208.1 dst: 10.107.208.20
201424.102202 Timr 10 timer_add_event: event sa_soft_expire(0x4af26e00)
added last, expiration in 27302s
201424.102757 Timr 10 timer_add_event: event sa_hard_expire(0x4af26e00)
added last, expiration in 28800s
201424.107976 Timr 10 timer_add_event: event
exchange_free_aux(0x4af27000) added before sa_soft_expire(0x4af26e00),
expiration in 120s
201424.108592 Exch 10 exchange_setup_p2: 0x4af27000 unnamed no
policy policy responder phase 2 doi 1 exchange 32 step 0
201424.109035 Exch 10 exchange_setup_p2: icookie 5ad2b89593ca41af
rcookie acd59e7bdeb12259
201424.109560 Exch 10 exchange_setup_p2: msgid 44aa1cd7 sa_list
201424.114593 Timr 10 timer_add_event: 

IPsec Configuration Questions

2006-09-02 Thread Axton Grams
 exchange_setup_p2: 0x44909000 unnamed no
policy policy responder phase 2 doi 1 exchange 5 step 0
155359.460737 Exch 10 exchange_setup_p2: icookie 4d18594e523695f1
rcookie a6af81ffd3a2d153
155359.461263 Exch 10 exchange_setup_p2: msgid e5eb6990 sa_list
155359.461787 Default message_recv: cleartext phase 2 message
155359.462366 Default dropped message from 10.107.208.20 port 500 due to
notification type INVALID_FLAGS
155359.462856 Timr 10 timer_add_event: event
exchange_free_aux(0x44909200) added last, expiration in 120s
155359.463566 Exch 10 exchange_establish_p1: 0x44909200 unnamed no
policy policy initiator phase 1 doi 1 exchange 5 step 0
155359.464001 Exch 10 exchange_establish_p1: icookie e82be37d8c1ae997
rcookie 
155359.464539 Exch 10 exchange_establish_p1: msgid 
155359.465751 Exch 10 exchange_finalize: 0x44909200 unnamed no
policy policy initiator phase 1 doi 1 exchange 5 step 1
155359.466300 Exch 10 exchange_finalize: icookie e82be37d8c1ae997
rcookie 
155359.466708 Exch 10 exchange_finalize: msgid 
155359.467220 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x44909200)
155406.461707 Timr 10 timer_handle_expirations: event
message_send_expire(0x4d2dab00)
155406.463417 Timr 10 timer_add_event: event
message_send_expire(0x4d2dab00) added before
connection_checker(0x4fe41420), expiration in 9s

Thanks,
Axton Grams



Re: Default PF policy

2006-06-11 Thread Axton Grams
Joco Salvatti wrote:
 Hi all,
 
 I have a OpenBSD 3.9 machine acting as a firewall. It has two network
 interface cards, one connected to my local network and the other one
 connected to Internet. My default policy is blocking all traffic using
 
 block all
 
 I don't want anyone from my local network to connect to MSN and P2P
 programs, so I haven't created any rule to permit those kind of
 packet traffic. But I'm facing a lot of problems due to this, because
 I have to specify packets that should pass through my internal and external
 interfaces. I'd like any ideas or tips from PF gurus about how to
 improve my firewall policies. I have an idea: allow everything at my
 internal NIC and block all at my external NIC, so all I had to do was
 specifying allowed incoming and outcomming traffics only at my external
 NIC. But I'll be waiting for (better) proposals.
 
 By now thanks for the time spent reading with this e-mail.
 

You can approach this several different ways.

If going the route where you plan to pass all traffic in the internal
interface, use the 'skip' option:

set skip on $if_int


If you want to allow access out for certain ports, create a macro to
store the list of ports you want to allow, then use that macro in your
filters.  This makes maintenance easy because you can add/remove tcp/udp
ports as needed.  If you need to restrict access on a per host/port
basis, you will need separate rules for each designated host.

# MACROS
if_ext  = "ext0"          # placeholder: external interface
net_int = "10.0.0.0/24"   # placeholder: internal network
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"

# TABLES
table <bogon> const { 2/8, 5/8, 7/8, ... }

# FILTERS
pass out on $if_ext inet proto tcp from $net_int to !<bogon> \
    port $lan_tcp_out modulate state flags S/SA
pass out on $if_ext inet proto udp from $net_int to !<bogon> \
    port $lan_udp_out keep state



In the snippets above, I use the reserved table to store certain bogon
nets.  See http://www.completewhois.com/bogons/ for a list of current
bogon nets.  Instructions on automating the load of this data is
available on http://www.completewhois.com/bogons/bogons_usage.htm.


If you want to not allow all traffic from the internal network, you can
extend the above snippet to handle the traffic from your lan to your router:

# MACROS
if_ext  = "ext0"          # placeholder: external interface
if_int  = "int0"          # placeholder: internal interface
net_int = "10.0.0.0/24"   # placeholder: internal network
lan_tcp_out = "{ 22, 25, 80, 443 }"
lan_udp_out = "{ 53, 123 }"

# TABLES
table <bogon> { 0/8, 10/8, 20.20.20.0/24, 127/8, \
    169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
    255.255.255.255/32 }
table <reserved> const { 0/8, 10/8, 20.20.20.0/24, 127/8, \
    169.254/16, 172.16/12, 192.0.2/24, 192.168/16, 224/3, \
    255.255.255.255/32 }
# pf tables cannot contain other tables, and one rule cannot negate two
# tables at once, so "anything except reserved and bogon" is written as
# quick block rules ahead of the pass rules instead of a net_ext table.

# FILTERS
block in  quick on $if_int from $net_int to { <reserved>, <bogon> }
block out quick on $if_ext from $net_int to { <reserved>, <bogon> }

pass in  on $if_int inet proto tcp from $net_int to any \
    port $lan_tcp_out keep state
pass out on $if_ext inet proto tcp from $net_int to any \
    port $lan_tcp_out modulate state flags S/SA

pass in  on $if_int inet proto udp from $net_int to any \
    port $lan_udp_out keep state
pass out on $if_ext inet proto udp from $net_int to any \
    port $lan_udp_out keep state


I just typed those up, so there may be inaccuracies.  Hopefully you get
the idea behind the structure.

Axton Grams

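An added helper, written for this archive and not part of the post above: pf tables cannot hold other tables, and a table declared `const` cannot be altered by pfctl once the ruleset is loaded, so a bogon feed that is refreshed automatically needs a non-const table replaced with `pfctl -t bogon -T replace -f <file>`. This script takes the abbreviated entries from the second snippet (pf's `10/8` shorthand, which the Python `ipaddress` module does not accept), expands them to full CIDRs, rejects entries with host bits set, collapses them into one network per line for that file, and warns when an entry overlaps the internal network, because with a `!<bogon>` destination those rules also drop traffic to the router's own LAN address. The internal network is assumed here as 10.107.208.0/24; the post never says what `$net_int` is.

```python
"""Build a pf bogon table file from pf-style abbreviated entries (added example)."""
import ipaddress

# Constructed from the second pf.conf snippet above, in pf's shorthand notation.
BOGON_ENTRIES = ["0/8", "10/8", "20.20.20.0/24", "127/8", "169.254/16",
                 "172.16/12", "192.0.2/24", "192.168/16", "224/3",
                 "255.255.255.255/32"]
# Assumption for illustration only: the post never states $net_int.
NET_INT = "10.107.208.0/24"


def expand_pf_shorthand(entry):
    """pf accepts '10/8' for '10.0.0.0/8' and '169.254/16' for '169.254.0.0/16';
    the ipaddress module does not, so pad the missing octets with zeros."""
    addr, sep, prefix = entry.strip().partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"bad address in {entry!r}")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + ("/" + prefix if sep else "/32")


def build_table(entries):
    """Parse every entry; strict=True rejects a prefix written on a host
    address (e.g. 192.0.2.1/24), which is almost always a typo.  Overlapping
    and subsumed networks are merged so the table is as small as possible."""
    nets = [ipaddress.ip_network(expand_pf_shorthand(e), strict=True)
            for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def overlapping(nets, cidr):
    """Table entries covering any part of `cidr`.  With `to !<bogon>` rules
    these entries also block traffic to that network, e.g. a LAN inside 10/8."""
    target = ipaddress.ip_network(cidr)
    return [n for n in nets if n.overlaps(target)]


def render_table_file(nets):
    """One network per line, the format `pfctl -t bogon -T replace -f` reads."""
    return "".join(f"{n}\n" for n in nets)


if __name__ == "__main__":
    table = build_table(BOGON_ENTRIES)
    print(render_table_file(table), end="")
    for n in overlapping(table, NET_INT):
        print(f"warning: {n} covers the internal net {NET_INT}")
    # afterwards, on the firewall (table must not be declared const):
    #   pfctl -t bogon -T replace -f /etc/pf.bogons
```

The 224/3 entry already covers 255.255.255.255/32, so the rendered file has nine lines rather than ten; the warning about 10/8 is expected when the LAN is RFC 1918 space and simply documents that LAN hosts cannot reach other 10/8 destinations through these rules.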


Re: openbsd and the money -solutions

2006-03-23 Thread Axton
I fail to see why there aren't at least 2000
people/organizations/OS's/OS projects willing to donate at a dollar a
day.  That should give the projects what they need to evolve at a
healthy pace.

~5,000/mo for power, internet connection, and other overhead
~25,000/mo for hackathons
~10,000/mo for hardware
~20,000/mo for a team of developers

You all write good software, count me at a dollar a day paid monthly.
 Surely more people can afford the same?


Axton Grams



Re: OpenBSD/Linux centralized authentication

2006-03-19 Thread Axton
On 3/19/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
Hi misc,
 
  At work, we are running a Microsoft Active Directory for our Windows
  Domain, who mainly provided Windows Desktop for our customers and
  centralized authentication. We have also several OpenBSD  Linux boxes
  for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
  centralize these Unix authentication... Is there a way to authenticate
  directly over a MS Domain Controller ? How can this be achieved
  (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
  alternatives (building an OpenLDAP server, Kerberos, (we don't wan't
  NIS !)) ?
 
  Hope somebody has some advice to share,

 There are many, many solutions. If it's just servers with a limited
 number of accounts, rdist(8) works just fine, and saves a lot of
 complicated stuff that takes time to set up and breaks occasionally. It
 could be scripted if you want to fully automate something.

 For a more complete solution, I am pretty sure there is a Linux PAM
 module to authenticate against their AD implementation (it's part of
 SAMBA, IIRC). Not sure about OpenBSD.

 Also, once the user accounts are synchronized, you'd probably be able to
 tell a Kerberos client to talk to the AD server. I've never tried it,
 but it should work - more or less. See the info pages for heimdal on
 OpenBSD.

Joachim



Active Directory has an LDAP interface on the domain controllers.  You
could opt to authenticate directly against the AD tree or replicate
the tree entirely or partially to openldap and manage/use that tree.
Seems that some LDAP implementations have problems replicating password
information, though I can't remember the specifics.

This page has a little info that may help:
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes

Axton Grams



Re: OpenBSD has bad security

2006-03-06 Thread Axton
In the html, there is a reference to an easter egg:

<!--
Here's the WideOpenBSD.ORG easter egg
$ dig quote.wideopenbsd.org txt
-->

The output is (thanks B for the output, meant to reply to the list originally):

; <<>> DiG 9.2.2 <<>> quote.wideopenbsd.org txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41571
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;quote.wideopenbsd.org. IN  TXT

;; ANSWER SECTION:
quote.wideopenbsd.org.  3600IN  TXT [xxx] goddamn I love
openssh [xxx] it never takes more than 2-6 lines to turn the client
into an exploit

;; AUTHORITY SECTION:
wideopenbsd.org.2005IN  NS  ns14.zoneedit.com.
wideopenbsd.org.2005IN  NS  ns15.zoneedit.com.

;; ADDITIONAL SECTION:
ns14.zoneedit.com.  119162  IN  A   209.126.137.108
ns15.zoneedit.com.  134976  IN  A   69.10.134.195

;; Query time: 301 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon Mar  6 10:39:00 2006
;; MSG SIZE  rcvd: 238

Am I missing something?  Was expecting to find an openssh/openbsd
exploit since he touts how numerous/easy they are.

Axton Grams

On 3/6/06, Bryan Brake [EMAIL PROTECTED] wrote:
 Bryan Irvine wrote:
  For a laugh go here.
 
  http://wideopenbsd.org/
 

 How much does it cost to register a domain these
 days?  Is it registered to Dave Feustel?  The
 author of the site appears to go above and beyond
 to spread FUD...  I mean, he uses HTML and even
 has an image.

 <sarcasm>I think he's serious folks</sarcasm>

 Bryan Brake



BSD Boot Problems

2006-02-07 Thread Axton
Ran into an issue last night where my bsd (sparc64) would not boot. 
The boot stalled very close to the beginning of the boot process,
right after it listed the available devices, followed by some number
(address?) with the /-|\/-|/ spinner.  The boot hung at this point.

I was able to correct the problem by booting from cd and running the
upgrade install back to the hd.

Any insight as to why this would happen?

Thanks,
Axton Grams



Re: sun quad hme performance

2006-02-07 Thread Axton
I am able to max out my sun qfe at around 9.3MB/second on my lan when
passing through the interface twice (two separate subnets where the
qfe is used as the router interfaces).  Used http to test the speed of
the interface.

The part number/model of my interface is SUN QUAD FAST ETHERNET PCS
X1034A 501-5406; Using a 32bit pci slot though the card is 64-bit. 
Machine is a sunblade 100 with a 500mhz ultrasparc [EMAIL PROTECTED] w/ 768mb
ram.

pf was managing 25 states at the time of the test.

Axton Grams


-- Miguel wrote

Hi, I read in the archives a lot of references about poor performance
with the sun quad ethernet (hme) on different servers (netras and
sunfires), is this still an issue or has it been addressed in 3.8 or
3.9-current? I have two sunfire v120 that are losing packets between
their ports, when I activate the pf rules the ping response time is
very high, around 1253 ms, so our whatsup monitor reports them down, the
cpu load is very low (0.12) and the memory usage is 70mb, total memory
of 512 mb, so this is not a resource problem.
What can I check?
---
thanks



Re: Hardware+OpenBSD wiki

2006-01-24 Thread Axton
Does anyone see a problem if the wiki server were hosted in the US?

Axton Grams

On 1/22/06, Srebrenko Sehic [EMAIL PROTECTED] wrote:
 There is OpenBSD Server Hardware Compatibility List (OSCL). But that
 only covers stock hardware from major vendors. But it's constantly
 being updated.

 http://www.armorlogic.com/openbsd_information_server_compatibility_list.html

 Contribute if you have something.

 On 1/22/06, Darrin Chandler [EMAIL PROTECTED] wrote:
  Travers Buda wrote:
 
  In light of all the recent activity on misc about will OpenBSD run on
  X? perhaps someone would like to host a wiki for strange/new hardware?
  
  Travers
  
  
 
  Are you volunteering?
 
  It wasn't long ago that the OpenBSD Metastore got going, amid some
  controversy. I haven't heard anything about it lately. Last I looked,
  there were a handful of useful things there that you could look at, and
  links to online sources to buy them. As long as you weren't from Taiwan,
  that is. Anyway, I think it's not an easy task. And also it's not
  something that you do once and move on. It would be an ongoing,
  substantial commitment for someone. Personally, I wish there were such a
  resource, but I can understand why there isn't.
 
  --
  Darrin Chandler|  Phoenix BSD Users Group
  [EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
  http://www.stilyagin.com/  |



pf queue

2006-01-23 Thread Axton
Is there a capability with pf to send packets to userspace for
handling/manipulation, whereby they can be returned back to the
kernel, similar to the queue facilities available in iptables?

Axton