Re: Broken pfctl ..... ? I not understand my

2012-07-26 Thread Bahador NazariFard
block in quick on msk0 proto tcp *to* port ssh
what's this?

instead of above wrong statement, you can use block in quick on msk0
proto tcp  from any to any port ssh

On Tue, Jul 24, 2012 at 2:27 AM, Peter N. M. Hansteen pe...@bsdly.net wrote:

 hvom .org hvom@gmail.com writes:

  I'm problem with pfctl and the syntax.
 
  Line error is : *block in quick on msk0 proto tcp port ssh*
  *
  pfctl -nf /etc/pf.conf *   is broken, no exit 

 Trying to reproduce here (changing only the interface name to one that
 exists on the test system) it says 'syntax error' and gives the line
 number before exiting.

 I suspect

 block in quick on msk0 proto tcp to port ssh

 is what you want, pfctl -vnf on that will give you the expanded version
 after parsing:

 $ sudo pfctl -vnf hvom
 block drop in quick on iwn0 proto tcp from any to any port = 22

  My book is update is 15/05/2012, the site web update is 19/05/2012.

 it would be interesting to hear what book and web site you're referring
 to here.

 - P
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Does OpenBSD have any plan to support Netmap framework?

2012-07-12 Thread Bahador NazariFard
Hi y'all.
I have a question about netmap - a novel framework for fast packet I/O.
Does OpenBSD have any plan to support Netmap framework?
I also have a technical question about netmap and firewall relation.
As I read and understand, we can work with the NIC interface almost directly
from userland by netmap. What does that mean?
We have to pass every packet  through kernel (if we want to process by
firewall and IPSec )? Am I wrong ?
How can Netmap help us if  kernel land processes such as firewall,
routing(queuing), IPSec cryptography are needed?



Re: authpf bug and solution

2012-07-07 Thread Bahador NazariFard
Hi Dear Friends
I'm sorry, I looked for this problem and its solution, but I couldn't
find any solution.

If you committed the fix, how can I access the fixed authpf?
I'm using OpenBSD 5.1.

On Sat, Jul 7, 2012 at 7:51 PM, Henning Brauer henn...@openbsd.org wrote:

 * Bahador NazariFard bahador.nazarif...@gmail.com [2012-06-26 20:35]:
  unfortunately authpf does not delete nat state when user disconnected.

 I believe I just committed the fix for this.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Bahador NazariFard
search about rdomain or VRF in openbsd
these can solve your problem but you should do some work by hand (or brain)
if you can design good plan you can solve your problem. route -exec, pfctl,
rdomain, rtable may help you


On Wed, Jul 4, 2012 at 11:59 AM, C. L. Martinez carlopm...@gmail.com wrote:

 Hi all,

  I wonder if with OpenBSD is possible to create virtualized firewalled
 implementations of conventional physical topologies and designs such
 as central and remote DMZs (my question has nothing to do with
 virtualization platforms like ESXi/vSphere or Xen or KVM), like for
 example CheckPoint VSX does:
 http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.

  The idea is to configure different security scenarios on a single
 system. Is it possible?? Some example??

 Thanks.



authpf bug and solution

2012-06-26 Thread Bahador NazariFard
hi all
unfortunately authpf does not delete nat state when user disconnected.
I saw this problem and I could not find any good solution.
It looks like there is a bug in authpf.
I wrote a ksh script that can solve this problem in a clean way.
I think this can be a very useful temporary solution until OpenBSD can fix
this bug.
I named this script clean_authpf_natstate.sh and its content follows here

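#!/bin/ksh
# Kill the pf states left behind by authpf users who have disconnected.
old_users=
(
while true; do
    # addresses currently in the authpf_users table
    users=`pfctl -t authpf_users -T show 2>/dev/null`
    for old in $old_users; do
        # address was in the table on the previous pass but is gone now
        if ! echo $users | fgrep -q $old; then
            for ID in $(pfctl -ss -vv | grep -e '^[a-z]' -e 'id:' | grep -A 1 $old | awk '/id:/{print $2}'); do
                pfctl -k id -k $ID >/dev/null 2>/dev/null
            done
        fi
    done
    sleep 1
    old_users=$users
done )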
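
The loop in the post above selects states with substring matches (fgrep and grep -A 1), so a departed 192.168.1.1 would also match a still-connected 192.168.1.10. The following is an added example, not part of the original post or of authpf, that selects state ids by whole-address comparison. The state listing is constructed; its layout is assumed from the script's own filters (summary lines starting in column one, followed by an indented "id:" line), and only IPv4 addresses are handled.

```sh
#!/bin/sh
# Added example: exact-match selection of pf state ids for addresses that have
# left the authpf_users table. Nothing here calls pfctl; the demo at the end
# only prints the kill commands it would run.

# Constructed sample in the assumed `pfctl -ss -vv` layout.
SAMPLE_STATES='all tcp 203.0.113.7:50001 (192.168.1.1:50001) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
   age 00:01:12, expires in 23:59:01, 12:10 pkts, 900:4000 bytes, rule 4
   id: 4f0c2a1100000001 creatorid: 0badc0de
all tcp 203.0.113.7:50002 (192.168.1.10:50002) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
   age 00:00:40, expires in 23:59:30, 8:7 pkts, 600:2100 bytes, rule 4
   id: 4f0c2a1100000002 creatorid: 0badc0de
all udp 192.168.1.1:123 -> 198.51.100.53:123       MULTIPLE:MULTIPLE
   age 00:00:05, expires in 00:00:55, 1:1 pkts, 76:76 bytes, rule 4
   id: 4f0c2a1100000003 creatorid: 0badc0de'

# Constructed table contents: previous pass and current pass.
PREV="192.168.1.1 192.168.1.10"
NOW="192.168.1.10"

# departed OLD NEW: print each address listed in OLD but not in NEW,
# comparing whole addresses rather than substrings.
departed() {
    for addr in $1; do
        found=0
        for cur in $2; do
            if [ "$addr" = "$cur" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$addr"; fi
    done
}

# stale_state_ids ADDR...: read the state listing on stdin and print the id of
# every state whose summary line names one of ADDR as a complete address.
stale_state_ids() {
    awk -v addrs="$*" '
        BEGIN { n = split(addrs, want, " ") }
        # Summary lines start in column one; detail lines are indented.
        /^[a-z]/ {
            hit = 0
            # Tokenise on blanks and parentheses, then drop the :port suffix.
            m = split($0, tok, "[ \t()]+")
            for (i = 1; i <= m; i++) {
                a = tok[i]
                sub(/:[0-9]+$/, "", a)
                for (j = 1; j <= n; j++)
                    if (a == want[j]) hit = 1
            }
            next
        }
        # The id line belongs to the most recent summary line.
        $1 == "id:" && hit { print $2; hit = 0 }
    '
}

# Dry run on the constructed sample.
for id in $(printf '%s\n' "$SAMPLE_STATES" | stale_state_ids $(departed "$PREV" "$NOW")); do
    echo "pfctl -k id -k $id"
done
```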



two strange problems with ntpd (OpenBSD 5.1)

2012-06-22 Thread Bahador NazariFard
# echo servers pool.ntp.org > /etc/ntpd.conf
# ntpd
this command never changes the local system time

# ntpd -s
changes the local system time, but I have a very strange problem in php
# echo  echo '<?php `ntpd -s` ?>' | php-5.3
the above command never exits.



ifstated problem

2012-06-22 Thread Bahador NazariFard
#cat /etc/ifstated.conf
# each test pings one gateway every 3 seconds
net1 = '"ping -q -c1 -w1 172.16.200.11 >/dev/null" every 3'
net2 = '"ping -q -c1 -w1 172.16.200.1 >/dev/null" every 3'
init-state one
# state one: default route via 172.16.200.11
state one {
	init {
		run "route delete default"
		run "route add default 172.16.200.11"
	}
	if ! $net1 {
		if $net2
			set-state two
	}
}
# state two: default route via 172.16.200.1
state two {
	init {
		run "route delete default"
		run "route add default 172.16.200.1"
	}
	if ! $net2
		set-state one
	if $net1
		set-state one
}

this configuration works properly but sometimes ifstated hangs and never
changes the default gateway
I watched top and I saw that ifstated is sleeping and waiting on kqread
however it works after sending a HUP signal or restarting the daemon

do you have any idea?



Re: dd command on a compact flash

2011-04-20 Thread Bahador NazariFard
Hi
I think dd is not a good solution for you.
I suggest you visiting this link.
 http://www.nmedia.net/flashdist/flashdist-20090216.tar.gz

 flashdist.sh and growimg.sh in this package are very very useful for you.
you can write your new script ;)



You should read and save the partition table
Then you can create a new
On Wed, Apr 20, 2011 at 9:18 PM, OpenBSD Geek open...@e-solutions.re wrote:

 Hi,

 I prepared a file : disk.image(4GB sectors as my compact flash) ...
 doing
 it using dd/vnconfig/fdisk/disklabel/newfs/instalboot steps.

 (I followed this : http://glozer.net/soekris/cf-install.html)

 disk.image contain OpenBSD system 4.8-stable

 Now i want to put it on my compact flash (4GB 133x) using : dd
 if=disk.image of=/dev/rsd0c bs=512 ; doing it, process(top command ; 100%
 IDLE) dd STATE is SLEEP, and take a long time... doesn't finish.

 Any idea ?

 Thank you very much !




-- 
Gula_Gula =;=; BNF



Re: route show

2010-12-20 Thread Bahador NazariFard
On Mon, Dec 20, 2010 at 11:52 AM, Cristiano Deana cristiano.de...@gmail.com
 wrote:

 2010/12/20 lilit-aibolit lilit-aibo...@mail.ru:

  I have a little problem with route show command.

 netstat -nr

  after I type this command and press Enter on first machine - all is done:

  But if I do it on second machine, output in console and terminal is
  very-very slow,

 try `netstat -nr', could be a dns problem.


 --
 Cris, member of G.U.F.I
 Italian FreeBSD User Group
 http://www.gufi.org/


Hi
You can use of -n parameter.
Test again with route -T 0 -n show -inet -gateway command.


-- 
Gula_Gula =;=; BNF



Re: PF subdomain filtering

2010-12-16 Thread Bahador NazariFard
Hi.
I think squid is better solution in this case.
you can taste it !

On Fri, Dec 17, 2010 at 2:51 AM, Rafal Brodewicz b...@brodewicz.pl wrote:

 Hi.

 How can I pass with PF traffic from all subdomains, for example
 *.microsoft.com ?

 Thanks.
 --
 Rafal Brodewicz




-- 
Gula_Gula =;=; BNF



OpenBSD 4.8 crash unexpectedly (panic: trap type 6, code=0, pc=d056c5dd)

2010-11-29 Thread Bahador NazariFard
Hi , all dear friends
My OpenBSD crashed and rebooted again after panic: trap type 6, code=0,
pc=d056c5dd.
I am trying to find where is the origination of this problem but I could not
find anything.
I used from gdb and I run file /var/crash/bsd.0  and  target kvm
/var/crash/bsd.0.core commands.
then I run where but gdb told No stack.
In addition I tried to get help from dmesg and iostat but it seems there is no
information that helps me.
The output of both of them was empty.
Here is the output of some commands that may help us
# ls -lh /var/crash/
total 6816168
-rw---  1 root  wheel 2B Nov 30 01:47 bounds
-rw---  1 root  wheel   8.5M Nov 30 01:53 bsd.0
-rw---  1 root  wheel   3.2G Nov 30 01:53 bsd.0.core
-rw-r--r--  1 root  wheel 5B Aug 16 19:16 minfree
## grep savecore /var/log/messages
Nov 27 18:35:40 BSD savecore: no core dump
Nov 30 01:47:00 BSD savecore: reboot after panic: trap type 6, code=0,
pc=d056c5dd
Nov 30 01:47:00 BSD savecore: /var/crash/bounds: No such file or directory
Nov 30 01:47:00 BSD savecore: writing core to /var/crash/bsd.0.core
Nov 30 01:53:04 BSD savecore: writing kernel to /var/crash/bsd.0
# sysctl hw.physmem
hw.physmem=3479662592
# swapctl -l -k
Device  1K-blocks UsedAvail Capacity  Priority
swap_device   41929680  4192968 0%0
# sysctl vm.swapencrypt.enable
vm.swapencrypt.enable=0


Also I am using of symon and rrdgraph that show usage of cpu , memory and
hard disk is very normal before crash.




can you help me why my core file seems empty?
How can get useful information from core file and find problem?







-- 
Gula_Gula =;=; BNF



OpenBSD 4.8 crash unexpectedly

2010-11-27 Thread Bahador NazariFard
Hi

I am using of  OpenBSD 4.8 as a firewall box but it is started to annoy me
:((
My problem is OpenBSD crashes unexpectedly (specially when im not at my
desk)

How can I find the source of this problem.

Also I have installed these packages:
pkg_info -m
clamav-0.96.1p0 virus scanner
dansguardian-2.10.1.1 content scanning web filter
gnuls-4.1p2 colorized GNU 'ls'
oinkmaster-2.0  update your Snort rules
php5-core-5.2.13p0  server-side HTML-embedded scripting language
pmacct-0.12.2   IP accounting software
snort-2.8.6 highly flexible sniffer/NIDS
squid-2.7.STABLE9   WWW and FTP proxy cache and accelerator
symon-2.82  active monitoring tool
wget-1.12p0 retrieve files from the web via HTTP, HTTPS and FTP

I am using of these hardwares:
# sysctl hw
hw.machine=i386
hw.model=Intel(R) Pentium(R) 4 CPU 3.40GHz (GenuineIntel 686-class)
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0
hw.diskcount=1
hw.sensors.lm1.temp0=32.00 degC
hw.sensors.lm1.fan1=8132 RPM
hw.sensors.lm1.fan2=8437 RPM
hw.sensors.lm1.volt0=1.20 VDC (VCore A)
hw.sensors.lm1.volt1=1.22 VDC (VCore B)
hw.sensors.lm1.volt2=0.61 VDC (+3.3V)
hw.sensors.lm1.volt3=-5.75 VDC (-5V)
hw.sensors.lm1.volt4=2.43 VDC (+12V)
hw.sensors.lm1.volt5=-11.54 VDC (-12V)
hw.sensors.lm1.volt6=5.78 VDC (+5V)
hw.sensors.lm1.volt7=5.19 VDC (5VSB)
hw.sensors.lm1.volt8=3.30 VDC (VBAT)
hw.sensors.it0.temp0=12.00 degC
hw.sensors.it0.temp1=30.00 degC
hw.sensors.it0.temp2=33.00 degC
hw.sensors.it0.fan0=24107 RPM
hw.sensors.it0.fan1=24107 RPM
hw.sensors.it0.volt0=1.26 VDC (VCORE_A)
hw.sensors.it0.volt1=1.50 VDC (VCORE_B)
hw.sensors.it0.volt2=3.23 VDC (+3.3V)
hw.sensors.it0.volt3=5.08 VDC (+5V)
hw.sensors.it0.volt4=12.22 VDC (+12V)
hw.sensors.it0.volt5=-0.35 VDC (-12V)
hw.sensors.it0.volt6=-2.95 VDC (-5V)
hw.sensors.it0.volt7=5.13 VDC (+5VSB)
hw.sensors.it0.volt8=3.14 VDC (VBAT)
hw.cpuspeed=3401
hw.product=LakePort
hw.uuid=Not Set
hw.physmem=3479662592
hw.usermem=3479584768
hw.ncpufound=2


output of dmesg:
OpenBSD 4.8 (GENERIC) #136: Mon Aug 16 09:06:23 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.40GHz (GenuineIntel 686-class) 3.41 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR,PDCM
real mem  = 3479662592 (3318MB)
avail mem = 3412791296 (3254MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/25/08, BIOS32 rev. 0 @ 0xf9cc0,
SMBIOS rev. 2.2 @ 0xf0800 (38 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 12/25/2008
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4
acpi0: tables DSDT FACP MCFG APIC
acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5)
HUB0(S5) UAR1(S5) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S1) AC97(S5)
AZAL(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX0)
acpiprt2 at acpi0: bus 5 (PEX1)
acpiprt3 at acpi0: bus 6 (PEX2)
acpiprt4 at acpi0: bus 7 (PEX3)
acpiprt5 at acpi0: bus 8 (PEX4)
acpiprt6 at acpi0: bus 9 (PEX5)
acpiprt7 at acpi0: bus 10 (HUB0)
acpiprt8 at acpi0: bus 2 (PXHA)
acpiprt9 at acpi0: bus 3 (PXHB)
acpicpu0 at acpi0
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xae00! 0xcc000/0x1000 0xef000/0x1000!
cpu0: Enhanced SpeedStep disabled by BIOS
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82945G Host rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82945G PCIE rev 0x02: apic 4 int 16
(irq 5)
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at ppb1 bus 2
Intel IOxAPIC rev 0x09 at pci1 dev 0 function 1 not configured
ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 3
Intel IOxAPIC rev 0x09 at pci1 dev 0 function 3 not configured
vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0 at vga1: apic 4 int 16 (irq 5)
drm0 at inteldrm0
ppb3 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 4 int 16
(irq 5)
pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4
int 16 (irq 5), address 00:10:f3:17:6f:94
ppb4 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x01: apic 4 int 17
(irq 11)
pci5 at ppb4 bus 5
em1 at pci5 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4
int 17 (irq 11), address 00:10:f3:17:6f:95
ppb5 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x01: apic 4 int 18
(irq 10)
pci6 

Re: OpenBSD 4.8 crash unexpectedly

2010-11-27 Thread Bahador NazariFard
Hi , dear friend
Thank you so much for your reply
But I told that I can not be always behind of FirewallBOX
I stay long time since 8:00 to 16:00 behind my desk but this problem does
not occur
I can not be at work always.
Is there anyway that i can redirect  result of ddb ps and trace to logfile
and I can analyze it then?
How Can Force system at least reboot when it crashes ?




On Sat, Nov 27, 2010 at 1:32 PM, Bret S. Lambert bret.lamb...@gmail.com wrote:

 You never once say what the symptoms are other than crash and I reboot.

 ddb ps and trace are a minimum to begin working the problem.

 On Sat, Nov 27, 2010 at 12:39:40PM +0330, Bahador NazariFard wrote:
  Hi
 
  I am using of  OpenBSD 4.8 as a firewall box but it is started to annoy
 me
  :((
  My problem is OpenBSD crashes unexpectedly (specially when im not at my
  desk)
 
  How can I find the source of this problem.
 

Re: ipsec vpn unexpected flow

2010-11-25 Thread Bahador NazariFard
On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini 
a.parazz...@sirtisistemi.net wrote:

 Hi,
 from 10.1.0.0/16 is the network id that I would negotiate with the
 remote
 peer.
 (0.0.0.0/0) is our real network, we have a lot of networks behind this
 box.
 We perform NAT on traffic leaving through the VPN tunnel.


 192.168.71/24   0     10.1/16         0     0      W.X.Y.Z/esp/use/in
 10.1/16         0     192.168.71/24   0     0      W.X.Y.Z/esp/require/out
 Why this flow?
 I would only flows defined in the configuration files.

 Thanks
 Andrea


 On Thu, 25 Nov 2010 13:39:33 -0800 (PST), Damon Schlosser
 damons...@yahoo.com wrote:
  1. what is the (0.0.0.0/0) good for?
  2. how are you inspecting traffic in the tunnel?
  3. is nat allowed in the tunnel?
  4. you may have let in more networks than you realize
  -damon
 
  --- On Thu, 11/25/10, Andrea Parazzini a.parazz...@sirtisistemi.net
  wrote:
 
  From: Andrea Parazzini a.parazz...@sirtisistemi.net
  Subject: ipsec vpn unexpected flow
  To: misc@openbsd.org
  Date: Thursday, November 25, 2010, 2:40 PM
 
  Hi,
  we have a vpn connection with a customer.
  The remote peer is not under our management.
  Our box is an OpenBSD 4.7 i386.
  We have configured the vpn as follows:
 
  /etc/rc.conf.local
  ipsec=YES
  isakmpd_flags="-K -v"
 
  /etc/ipsec.conf
  ike active esp tunnel \
from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
local A.B.C.D peer W.X.Y.Z \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group modp1024 \
psk PRESHAREDKEY
 
 
  The vpn works fine, but there is a strange thing.
  With netstat -nrf encap I see something like:
 
  Source          Port  Destination     Port  Proto  SA
  192.168.71/24   0     10.1/16         0     0      W.X.Y.Z/esp/use/in
  10.1/16         0     192.168.71/24   0     0      W.X.Y.Z/esp/require/out
  192.168.90/24   0     default         0     0      W.X.Y.Z/esp/use/in
  default         0     192.168.90/24   0     0      W.X.Y.Z/esp/require/out
 
  As you can see there is a flow that is not configured on our box.
  It is probably configured on the remote peer.
  Is a normal behavior?
  How can I protect myself from an incorrect configuration on the remote
  peer?
 
  Thanks.
 
  Regards,
  Andrea


please read the ipsec.conf manual page again, especially the OUTGOING NETWORK ADDRESS
TRANSLATION section.
10.1.0.0/16 (0.0.0.0/0) means you want to nat anything from 10.1.0.0/16 to
0.0.0.0/0 !
I think this is so strange. I can not understand your configuration rule.
Are you sure your traffic really passes through your IPSec tunnel?


-- 
Gula_Gula =;=; BNF



OpenBSD 4.8 crash unexpectedly

2010-11-24 Thread Bahador NazariFard
Hi

I am using of  OpenBSD 4.8 as a firewall box but it is started to annoy me
:((
My problem is OpenBSD crashes unexpectedly (specially when im not at my
desk)

How can I find the source of this problem.

Also I have installed these packages:
pkg_info -m
clamav-0.96.1p0 virus scanner
dansguardian-2.10.1.1 content scanning web filter
gnuls-4.1p2 colorized GNU 'ls'
oinkmaster-2.0  update your Snort rules
php5-core-5.2.13p0  server-side HTML-embedded scripting language
pmacct-0.12.2   IP accounting software
snort-2.8.6 highly flexible sniffer/NIDS
squid-2.7.STABLE9   WWW and FTP proxy cache and accelerator
symon-2.82  active monitoring tool
wget-1.12p0 retrieve files from the web via HTTP, HTTPS and FTP

I am using of these hardwares:
# sysctl hw
hw.machine=i386
hw.model=Intel(R) Pentium(R) 4 CPU 3.40GHz (GenuineIntel 686-class)
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0
hw.diskcount=1
hw.sensors.lm1.temp0=32.00 degC
hw.sensors.lm1.fan1=8132 RPM
hw.sensors.lm1.fan2=8437 RPM
hw.sensors.lm1.volt0=1.20 VDC (VCore A)
hw.sensors.lm1.volt1=1.22 VDC (VCore B)
hw.sensors.lm1.volt2=0.61 VDC (+3.3V)
hw.sensors.lm1.volt3=-5.75 VDC (-5V)
hw.sensors.lm1.volt4=2.43 VDC (+12V)
hw.sensors.lm1.volt5=-11.54 VDC (-12V)
hw.sensors.lm1.volt6=5.78 VDC (+5V)
hw.sensors.lm1.volt7=5.19 VDC (5VSB)
hw.sensors.lm1.volt8=3.30 VDC (VBAT)
hw.sensors.it0.temp0=12.00 degC
hw.sensors.it0.temp1=30.00 degC
hw.sensors.it0.temp2=33.00 degC
hw.sensors.it0.fan0=24107 RPM
hw.sensors.it0.fan1=24107 RPM
hw.sensors.it0.volt0=1.26 VDC (VCORE_A)
hw.sensors.it0.volt1=1.50 VDC (VCORE_B)
hw.sensors.it0.volt2=3.23 VDC (+3.3V)
hw.sensors.it0.volt3=5.08 VDC (+5V)
hw.sensors.it0.volt4=12.22 VDC (+12V)
hw.sensors.it0.volt5=-0.35 VDC (-12V)
hw.sensors.it0.volt6=-2.95 VDC (-5V)
hw.sensors.it0.volt7=5.13 VDC (+5VSB)
hw.sensors.it0.volt8=3.14 VDC (VBAT)
hw.cpuspeed=3401
hw.product=LakePort
hw.uuid=Not Set
hw.physmem=3479662592
hw.usermem=3479584768
hw.ncpufound=2


In addition, I am defined  some vlan  interface on one real interface.


I guess this can be a problem of bsd.mp :((

How can I find the source of this problem?

After  this problem I can not do anything else reboot !


please help me :((



-- 
Gula_Gula =;=; BNF



Re: OpenBSD 4.8 crash unexpectedly

2010-11-24 Thread Bahador NazariFard
On Wed, Nov 24, 2010 at 6:35 PM, roberth rob...@openbsd.pap.st wrote:

 On Wed, 24 Nov 2010 18:21:14 +0330
 Bahador NazariFard bahador.nazarif...@gmail.com wrote:

  please help me :((

 start by sending a full dmesg to the list.



sorry !
you are right!
I forgot to include this important data.
this is output of dmesg

OpenBSD 4.8 (GENERIC.MP) #359: Mon Aug 16 09:16:26 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) 4 CPU 3.40GHz (GenuineIntel 686-class) 3.41 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR,PDCM
real mem  = 3479662592 (3318MB)
avail mem = 3412766720 (3254MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/25/08, BIOS32 rev. 0 @ 0xf9cc0,
SMBIOS rev. 2.2 @ 0xf0800 (38 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 12/25/2008
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4
acpi0: tables DSDT FACP MCFG APIC
acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5)
HUB0(S5) UAR1(S5) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S1) AC97(S5)
AZAL(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) 4 CPU 3.40GHz (GenuineIntel 686-class) 3.41 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR,PDCM
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX0)
acpiprt2 at acpi0: bus 5 (PEX1)
acpiprt3 at acpi0: bus 6 (PEX2)
acpiprt4 at acpi0: bus 7 (PEX3)
acpiprt5 at acpi0: bus 8 (PEX4)
acpiprt6 at acpi0: bus 9 (PEX5)
acpiprt7 at acpi0: bus 10 (HUB0)
acpiprt8 at acpi0: bus 2 (PXHA)
acpiprt9 at acpi0: bus 3 (PXHB)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xae00! 0xcc000/0x1000 0xef000/0x1000!
cpu0: Enhanced SpeedStep disabled by BIOS
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82945G Host rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82945G PCIE rev 0x02: apic 4 int 16
(irq 5)
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at ppb1 bus 2
Intel IOxAPIC rev 0x09 at pci1 dev 0 function 1 not configured
ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 3
Intel IOxAPIC rev 0x09 at pci1 dev 0 function 3 not configured
vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0 at vga1: apic 4 int 16 (irq 5)
drm0 at inteldrm0
ppb3 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 4 int 16
(irq 5)
pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4
int 16 (irq 5), address 00:10:f3:17:6f:94
ppb4 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x01: apic 4 int 17
(irq 11)
pci5 at ppb4 bus 5
em1 at pci5 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4
int 17 (irq 11), address 00:10:f3:17:6f:95
ppb5 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x01: apic 4 int 18
(irq 10)
pci6 at ppb5 bus 6
em2 at pci6 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4
int 18 (irq 10), address 00:10:f3:17:6f:96
ppb6 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x01: apic 4 int 19
(irq 15)
pci7 at ppb6 bus 7
em3 at pci7 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4
int 19 (irq 15), address 00:10:f3:17:6f:97
ppb7 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01: apic 4 int 16
(irq 5)
pci8 at ppb7 bus 8
em4 at pci8 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4
int 16 (irq 5), address 00:10:f3:17:c6:18
ppb8 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01: apic 4 int 17
(irq 11)
pci9 at ppb8 bus 9
em5 at pci9 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4
int 17 (irq 11), address 00:10:f3:17:c6:19
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 4 int 23
(irq 9)
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 4 int 19
(irq 15)
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: apic 4 int 18
(irq 10)
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: apic 4 int 16
(irq 5)
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: apic 4 int 23
(irq 9)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb9 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xe1
pci10 at ppb9 bus 10
em6 at pci10 dev 7 function 0 Intel PRO/1000MT

Re: Advice on learning C as first language

2010-11-24 Thread Bahador NazariFard
I agree with Marco Peereboom sl...@peereboom.us
He told Learning C is easy; learning to using C right is the hard part.
 Read
more code to learn from the experts.

I think if you are sharp u can learn C during one week.
But using C is not so easy. You should be able to think as a programmer.
I think all parts of a  program is important.
you should pay attention to design, algorithm, debug, data structure,
architecture and also libraries.
you can not be a programmer by learning syntax of every computer language.
 I think programming is an art And there is only one way to learn an art,
practice makes perfect.

you can learn programming by reading and writing real projects codes.


-- 
Gula_Gula =;=; BNF



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread Bahador NazariFard
OK
You are right.
But you know in this case your security level is not higher than virtual
machine.
Because your security level in complex chained system is not higher than
weakest point. In fact you are accepting the risk of using virtual machine.
I think in this case if your virtual machine system is not stronger than
OpenBSD  you should not use it.
If one can exploit virtual machine he/she can hurt your platform.

I think virtual systems are very very useful but they are not very good for
security box.

I think virtual machine is one of your assets that you should be able to
protect it.
because it may have many guest and provide several  services for your client
.

For example in this scenario you can not protect your network even your
firewall box against DoS or DDoS attack.
because your virtual machine has to get a lot of packet before your
firewall.




On Tue, Nov 23, 2010 at 4:47 PM, carlopmart carlopm...@gmail.com wrote:

 On 11/23/2010 01:48 PM, carlopmart wrote:

 On 11/23/2010 01:42 PM, Bret Lambert wrote:

 Because you're still relying on your host's network stack, you aren't
 actually firewalling it.


 Uhmm .. I am not sure about this. For example: you can configure several
 virtual
 bridges under a ESXi host and then attach them to a virtual firewall like
 OpenBSD.
 If you configure some pf rules, you are doing firewalling ... In this case
 you have
 all network stack except layer 1, correct??


 And one more thing: with latest releases of hypervisors like ESXi and KVM
 (I don't know about xen), you can attach physical hardware to a specific
 guest, like network interfaces. Then, you have all network stack assigned to
 a virtual machine. Where are the disadvantages in scenarios like this??

 Thanks.


 --
 CL Martinez
 carlopmart {at} gmail {d0t} com




-- 
Gula_Gula =;=; BNF



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread Bahador NazariFard
At logical level who is responsible against layer two threats (vm or fw)?
You are using virtual machine and its network drivers aren't you?
I think it is so clear that in this solution  health of  VM is vital for
your network.

It seems you are concentrating and focus only about network layer
vulnerabilities.
but your VM may be vulnerable against application layer attacks even  against
local guest system users.
for example VM may have a vulnerable web administration interface that can
be a good start point for your enemies!

eventually you have many guest system on your VM and  your VM threats is
not  limited  only to network layer threats.
however I think even in this situation your firewall should process and filter
network traffic before than others(including VM).




On Tue, Nov 23, 2010 at 6:45 PM, carlopmart carlopm...@gmail.com wrote:

 On 11/23/2010 04:03 PM, Stuart Henderson wrote:

 On 2010-11-23, carlopmart carlopm...@gmail.com  wrote:

 Hi all,

   First of all, I don't want to start a flame. I will to know your
 opinion about
 using virtual firewalls in virtual infrastructures like vmware, kvm
 ,xen, etc ...
 like OpenBSD.

   Advantages are very clear for me: provisioning, administration tasks,
 etc ... But
 I will to know disadvantages. What is your opinion from the point of view
 of security?

   Thanks.


 How will you protect your management interface if the firewall is
 virtualised?



 At logical level or physical level?? At logical level I can configure a
 virtual bridge on this interface and apply firewall rules. Physically,
 impossible, obvious.


 --
 CL Martinez
 carlopmart {at} gmail {d0t} com




-- 
Gula_Gula =;=; BNF