Re: Blocking web content

2007-04-19 Thread Bob DeBolt
Thomas Mullins wrote:
> We have evaluated Dansguardian at work.  It did really well.

We've been using DG for years and it has proven stable, highly
configurable and is actively developed.

AV capabilities and so on. You would do well to give it a spin and read
up on all the features; we found things to use we didn't know we needed.

In fact we took 5 minutes and upgraded to 2.9.8.5 less than an hour ago.
We upgrade OpenBSD at each new release and have yet to have any DG issues.

Bob




Re: spamd - SPEWS status -- Fun results --

2007-02-05 Thread Bob DeBolt
Greets

> Wouldn't distributing a traplist make it prone to being poisoned?  i.e. a
> pissed off spammer adding a legit email to the traplist.

I plugged in the traplist recently while mostly asleep  ( late night )
at the keyboard.

Next day I spent an hour and a half examining my mail server because
my mail volume dropped so suddenly by 75%. I had forgotten I reinitialized
spamd etc. and thought the server had problems.


Bob




Re: ntp is blocked because of my pf.conf

2007-01-19 Thread Bob DeBolt
Didier Wiroth wrote:

> rule 3/(match) block out on pppoe0: 158.64.137.18.5537 >
> 212.112.228.242.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]

> I have the following rule (the entire pf.conf is below):
> pass out quick on $ext_if inet proto udp from ($ext_if) to any \
> keep state

I had a similar issue; entering a destination port of 123 fixed it.

Bob D

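An added example for this thread, not code posted by Didier or Bob and not part of OpenBSD: a small sh/awk filter that turns pflog lines of the shape quoted above into one line per packet of rule number, action, direction, interface and destination port, so the rule that is eating a given port can be read off directly. The sample lines are constructed (the NTP line mirrors the quoted one, with the ">" that the archive stripped put back; the DNS, ssh and timestamped lines are made up), and the rule numbers and interface names are assumptions.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from OpenBSD.
# Summarise pflog lines as printed by "tcpdump -n -e -ttt -i pflog0" into
#   rule action direction interface dst-port
#
# Token layout of one pflog line (the "-ttt" timestamp, if present, is
# skipped by looking for the "rule" token instead of assuming a column):
#   rule 3/(match) block out on pppoe0: 158.64.137.18.5537 > 212.112.228.242.123: v4 ...

# Constructed sample input: the NTP line from the post, a DNS block, a
# passed ssh connection and the same NTP block with a tcpdump timestamp.
SAMPLE='rule 3/(match) block out on pppoe0: 158.64.137.18.5537 > 212.112.228.242.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
rule 3/(match) block out on pppoe0: 158.64.137.18.49152 > 10.0.0.1.53: 12345+ A? example.org. (29)
rule 7/(match) pass in on em0: 192.0.2.10.51000 > 158.64.137.18.22: S 1:1(0) win 65535
Jan 19 10:00:00.123456 rule 3/(match) block out on pppoe0: 158.64.137.18.5538 > 212.112.228.242.123: v4 client strat 0 poll 0 prec 0'

# pflog_summary: stdin = pflog lines, stdout = "rule action dir iface dport"
pflog_summary() {
    awk '
    {
        ri = 0
        for (i = 1; i <= NF; i++) if ($i == "rule") { ri = i; break }
        if (ri == 0) next                      # not a pflog line
        split($(ri + 1), r, "/")               # "3/(match)" -> r[1] = "3"
        action = $(ri + 2); dir = $(ri + 3)
        iface = $(ri + 5); sub(/:$/, "", iface)
        # destination is the token after ">"; tcpdump prints it as host.port
        dst = ""
        for (i = ri; i <= NF; i++) if ($i == ">") dst = $(i + 1)
        sub(/:$/, "", dst)
        n = split(dst, p, ".")                 # last dotted component is the port
        print r[1], action, dir, iface, p[n]
    }'
}

# blocked_ports: packets blocked per (rule, dst-port), most frequent first
blocked_ports() {
    pflog_summary | awk '$2 == "block" { print $1, $5 }' | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE" | pflog_summary
printf '%s\n' "$SAMPLE" | blocked_ports
```

On the firewall the input comes from `tcpdump -n -e -ttt -i pflog0 | pflog_summary`, and the rule number maps back to the ruleset with `pfctl -vvsr`, which prefixes each rule with `@N`. The quoted log shows rule 3 blocking the packet outbound, so the quick UDP pass rule was not matching it; the fix Bob reports is to name the destination port, which in pf syntax (assumed form, not quoted from the thread) would be `... proto udp from ($ext_if) to any port 123 keep state`.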



VOIP NAT

2007-01-12 Thread Bob DeBolt

Greets

I have been trying numerous configs trying to outsmart
the inability of VOIP to transfer to UDP-encapsulated RTP.

A very common problem as anyone who deals with NAT and VOIP knows.

The outside G729 enabled phone connects nicely to the VOIP network when
connected to it directly through the Internet.

Through the firewall it of course does not work.

This system worked previously using an IPsec VPN through the firewall as
it handles all the NAT-T issues for the VOIP network, and is in fact one
of the recommendations by the VOIP manufacturers.

Although this solves a large number of problems, it is unfortunately, by
the client's choosing, off the table as a resolution.

If anyone reading this understands the VOIP / NAT issue, preferably via
experience, and has an answer to what is involved in making VOIP work
through a pf-enabled OpenBSD 4.0 stable firewall, could you please lend
a hand or offer direction?

I have tried everything I can come up with using pf.conf, google, huge
numbers of my own ideas, and everything is starting to look the same, or
my brain is starting to smoke; I haven't figured out which yet.

Bob D



Re: VOIP NAT

2007-01-12 Thread Bob DeBolt

Demuel I. Bendano, R.E.E wrote:


> The major easy here is on how the voice traffic from OBSD-VPN-A to
> OBSD-VPN-B and vice versa encrypted. That is, an encryption of the voice
> traffic as full-duplex.

Thanks for your response, unfortunately the client has excluded VPNs in
the solution, at least for the time being.

Bob D



Re: pftop question

2007-01-07 Thread Bob DeBolt

Edy wrote:

Hi Edy

> Even though we limit the users to 30Kbps/thread but if we have extra
> bandwidth in the 3Mbps pool, we would like to distribute it evenly.

You would want to be looking at load balancing, Edy. Combined with QoS,
it can do what you want.

Bob



Carp failover times

2007-01-03 Thread Bob DeBolt

OpenBSD 4.0 stable

Greets

What are some of the failover times people are getting using carp /
pfsync when the plug gets pulled from one of the units?



BobD



Re: Extract IP to table

2006-12-23 Thread Bob DeBolt

Joachim Schipper wrote:

Hi Joachim

> I don't really get what you want to do. What connects to what, and which
> IP address are we talking about (does the phone get an address from the
> firewall? The firewall from the ISP?)?  From which traffic should the IP
> be extracted? Are you aware that this is almost certainly not very
> secure?

The VOIP phone is connected to a D-Link router which is connected to an
ISP via DHCP. This is connected through the Internet to the head office
firewall which uses a static IP specifically for the VOIP phone.

The VOIP phone is hardwired to call home to the allocated firewall IP at
head office and it uses specific ports to boot and stay alive so they
are easily detected when the phone calls home.

The address of the DHCP D-Link router will change at some point, so I want
to be able to detect the IP change at the firewall and automatically
insert the new D-Link router IP address into a table on the firewall so
connectivity is uninterrupted or at least minimally interrupted.

What I am hoping to be able to do seamlessly is extract the IP from the
phone traffic when it calls home, basing it on port number and insert
the IP into a table.

I would like to run something like authpf using the $userip macro but
the workstation at the VOIP phone office is an HP terminal.

I had setup an OpenVPN box which worked very well but it was unplugged
for unknown reasons as it is not my network.

A little extra info:

Once the traffic gets through the firewall it is then connected to a
control unit that reads the embedded MAC of the VOIP phone and, if it
matches, then moves on to set up a full connection.

The VOIP phone MAC is supplied by the phone during the boot phase.
If the MAC doesn't match, no connection.

Thanks for your response Joachim

Bob D



Extract IP to table

2006-12-22 Thread Bob DeBolt

Greets

I have a client with a single VOIP connection and a dynamic IP
shared with the PC. It works.

What I am looking for, and I know I've seen it but haven't been able to
find it again, is to extract the IP address from traffic and put it into
a table to allow the VOIP phone to re-establish connectivity to the
border firewall when the IP changes. I have looked through dynamic DNS
but the potential latency to re-establish the correct IP is said to be up
to 20 minutes; that won't do.

Better ideas, documents, sites?

Bob D
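An added example covering what both messages of this thread ask for; it is not the poster's setup and not OpenBSD code. It learns the phone's current public address from its own call-home traffic and pushes it into a pf table that an allow rule can reference. The port (5060), the firewall address (198.51.100.7), the table name (voip_phone) and the interface (em0) are all assumptions, and the tcpdump lines it parses are constructed. Joachim's caveat applies in full: the address is taken from unauthenticated UDP, so anything that can send a packet to that port can put its own source address into the table, and the only check left is the phone-MAC match on the control unit behind the firewall that the reply describes.

```shell
#!/bin/sh
# Added example for this page; not the poster's setup and not OpenBSD code.
# Learn the phone's current public address from its own "call home"
# traffic and push it into a pf table, so a rule such as (assumed)
#   pass in on $ext_if proto udp from <voip_phone> to $phone_ip port $PHONE_PORT
# keeps working after the remote DHCP address changes.
#
# Assumptions (all made up for the example): the phone registers to UDP
# port 5060 on the firewall's 198.51.100.7, the table is named voip_phone
# and the external interface is em0.  Only the source address is used, so
# anything that can send a packet to that port can get itself into the
# table; that is the weakness Joachim points out in the thread.

PHONE_PORT=5060
PHONE_IP=198.51.100.7
TABLE=voip_phone
EXT_IF=em0

# src_ip_of LINE: print the source address of one tcpdump line, i.e. the
# "host.port" token before ">" with the port stripped.  Handles both the
# OpenBSD format ("203.0.113.45.5060 > ...") and the one with an "IP " tag.
src_ip_of() {
    printf '%s\n' "$1" | awk '
    {
        src = ""
        for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
        sub(/\.[0-9]+$/, "", src)        # drop the port
        print src
    }'
}

# is_ipv4 STRING: cheap sanity check before handing a string to pfctl
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
        $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# update_table ADDR: replace the table contents with the single new address.
# "pfctl -t TABLE -T replace ADDR" is the real OpenBSD command; without
# pfctl (running this example elsewhere) it only reports what it would do.
update_table() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$TABLE" -T replace "$1"
    else
        echo "would run: pfctl -t $TABLE -T replace $1"
    fi
}

# follow_phone: read tcpdump lines from stdin and update the table only
# when the source address actually changes.  Prints each address acted on.
follow_phone() {
    last=""
    while IFS= read -r line; do
        ip=$(src_ip_of "$line")
        is_ipv4 "$ip" || continue
        [ "$ip" = "$last" ] && continue
        update_table "$ip" >/dev/null || echo "table update failed for $ip" >&2
        last=$ip
        echo "$ip"
    done
}

# Constructed sample of what tcpdump would print.  On the firewall use:
#   tcpdump -n -t -l -i "$EXT_IF" udp and dst host "$PHONE_IP" and dst port "$PHONE_PORT" | follow_phone
SAMPLE='203.0.113.45.5060 > 198.51.100.7.5060: udp 412
203.0.113.45.5060 > 198.51.100.7.5060: udp 412
IP 203.0.113.77.5060 > 198.51.100.7.5060: UDP, length 412'

printf '%s\n' "$SAMPLE" | follow_phone
```

The loop only calls pfctl when the address changes, so the keepalives the phone sends every few seconds do not turn into a pfctl storm; `-T replace` rather than `-T add` keeps the old address from lingering in the table after the router moves.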



Re: dup-to work around

2006-12-07 Thread Bob DeBolt
>> I need to get all traffic dup-to'd over to a graphing box using only the
>> firewall, now dup-to works fine for the traffic that passes through the
>> firewall but the blocked traffic doesn't get dup-to'd.

> route-to blocked traffic.

Sold! ... to the man with the funny hat!!

That is the simplicity I was looking for ;-)

Thanks to all who responded to my query.

BobD



Re: Openbsd comparatives

2006-11-27 Thread Bob DeBolt
On Monday 27 November 2006 10:43 am, you wrote:

> hi anyone know about openbsd vs other i have to show this information to
> be able to use openbsd in our networks

Are there any specific issues you are addressing, i.e. traffic management,
desktop?

Bob D

 



Re: ip not forwarding after 4.0 rebuild.

2006-11-13 Thread Bob DeBolt
On Monday 13 November 2006 7:53 pm, you wrote:

> But I don't know what I need to do differently to change the
> situations.

Is pf enabled and blocking perhaps?


Bob D

 



Oldest hardware running OpenBSD 4.0

2006-10-27 Thread Bob DeBolt
I had forgotten about this dns cache my 20 PC lab uses.

Did a reinstall last night. All is well

OpenBSD 4.0-current (GENERIC) #1172: Sun Oct 22 20:45:57 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel OverDrive Pentium (P24T) (GenuineIntel 586-class) 84 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,CX8
cpu0: F00F bug workaround installed
real mem  = 41512960 (40540K)
avail mem = 29241344 (28556K)
using 537 buffers containing 2199552 bytes (2148K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f2) BIOS, date 01/25/95
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xe/0x8000
cpu0 at mainbus0
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
vga0 at isa0 port 0x3b0/48 iomem 0xa/131072
wsdisplay0 at vga0 mux 1: console (80x25, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: ST32132A
wd0: 16-sector PIO, LBA, 2015MB, 4127760 sectors
wd0(wdc0:0:0): using BIOS timings
ep0 at isa0 port 0x300/16 irq 10: address 00:60:8c:b9:62:9a, utp/aui (default utp)
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt2 at isa0 port 0x3bc/4: polled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fbe5 netmask ffe5 ttymask ffe7
pctr: 586-class performance counters and user-level cycle counter enabled
nvram: invalid checksum
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
clock: unknown CMOS layout

Bob D



Re: OpenBSD 4.0 - Where is it?

2006-10-26 Thread Bob DeBolt
> I am new to the list and I do not fully understand the process either.
> However, I believe that the project gets a large portion of its funding
> from the sale of CDs. So to give added incentive to buy CDs, those who
> pre-order get the release early. I think this is how it works but I could
> be wrong..

You are correct and don't forget the cool T-shirts!!

Mr D



Re: Soekris network problems - 48 hour deadline

2006-10-14 Thread Bob DeBolt
On Saturday 14 October 2006 4:10 am, you wrote:

Hi Richard

I dealt with an ISP on behalf of a client that required an MSS of 1100 during
one particular phase of troubleshooting. Funny thing (not): they forgot to
notify everyone when said problem was corrected and the client ran with that
MSS for 5 months. Thankfully the actual packets they used are consistently
small.

Anyway, have you done the ruleset adjustment to pass out quick on your
$ext_if to rule out a rule issue? I have used this many times; it has been
helpful and takes just a couple of minutes. Do a one to one NAT from your
testing machine through the OBSD box and put pass in quick keep state on
the $int_if and pass out quick keep state on the $ext_if at the top of your
ruleset and see what happens. If things work correctly you add your
ruleset back one rule at a time.

> Should I keep going lower, or try some other variation?

Certainly try lower; you may find the magic bullet.
Sonicwall defaults to 1500.

If you're comfortable with sending your complete ruleset to the list or to me
privately, please do so. It is more often than not considerably more helpful.

Thanks Richard

-- 
Sincerely

Bob DeBolt



Re: Pf que for voip

2006-02-02 Thread Bob DeBolt
On Thursday 02 February 2006 04:20, you wrote:

Greets 

> You'd have to manually tune it. There's no way for altq/pf to know what
> speed you get on a given day/week/moment, it only knows about the
> physical speed (or whatever you set manually) for the interface.

Absolutely correct regarding manual tuning. One of my clients is at the end of
the line regarding attenuation (114) and signal over noise of 2, both
extremely poor readings. Good is in the range of 40 and 15 respectively. Talk
to your ISP and they should be able to give you those line condition readings
without issue. I haven't found one that doesn't.

The ADSL service package my client has is 2.5Mb D/L and 1Mb U/L; however, due to
the poor line conditions the slightest issue anywhere in the network circuit
causes voice dropoff among other things. They have G729 on the voip system
which has reduced the traffic by a huge amount, 80kb down to 8kb per
conversation. Tuning the queue for all of these conditions of course is best
guess and go from there; the next step for us is to drop the service package
down to 1.5Mb and 640kb, allowing a much lower stress level on the line, making
it much less prone to breakdown as there is no way to change the attenuation
and signal over noise ratios.

Get to know your ISP and I'm sure you'll find they can be helpful. ( be nice to
them even if they are clearly inexperienced ).
Do the math on the amount of bandwidth you actually need for your phone(s).
Do the math on how much bandwidth your remaining services require ( or can at
least get by on).
Make an educated guess on the initial settings and go from there.
Try to make sure you get those line readings, as you can waste a LOT of time
tracking down queue gremlins that don't exist ;-)


Hope this helps

Bob



Unusual ping using IPSec

2006-01-26 Thread Bob DeBolt
Greets

OpenBSD 3.8 stable

Cable connection to remote town

Normal internal network IP's are DT 192.168.10/24, Remote 192.168.8/24 

When pinging an endpoint from one end of an IPSec tunnel to the other,
occasionally the ping returns with one of the 10.X.X.X IP's of a router along
the path. The router IP shows up on traceroute and is more often than not the
same one, last hop before the firewall. We see this happening when receiving
a complaint from the small town users about not being able to login to the DT 
servers. After what is usually a brief period, they login and the pings 
return to normal. This can roll along for weeks without issue, (other than 
high latency issues), then a few days in a row this happens. 

As one would expect the cable company, when queried about this, never has any
problems with their equipment. DSL is not available where they are.

Main question is this, why does the 10.x.x.x address come back to us instead 
of timing out??

Bob D



Re: graphing pf stats

2006-01-02 Thread Bob DeBolt
On Sunday 01 January 2006 18:52, you wrote:

pfstat works well, it may be a nice starting point for you or it may do 
everything you want.

Bob



Re: NAT/pf before IPSEC

2005-12-23 Thread Bob DeBolt
On Wednesday 21 December 2005 02:09, you wrote:

> now I need to nat my internal network
> to appear to be coming from 10.0.20.254

Is this to accommodate a service of some type, or what?
Add some more information, as there are likely a
bunch of ways to do something depending on the expected or
required results. Are both ends 3.8?

Bob D
 



routing question

2005-12-14 Thread Bob DeBolt
Greets 

I have a scenario that is simple but I am having trouble getting my head
around. Inside a 192.168.10/24 network there exists a 10.4.6/24 network for
VOIP. Everything works fine.

The issue I have is setting up a route for a third party VOIP management 
company who wants to access the VOIP control center via an SSL interface from 
the Internet thru the firewall to the VOIP control center.

All of the data traffic on the data LAN has the router address of 
192.168.10.1. 

The data side of the vlan router is 192.168.10.16 and the VOIP side on the 
vlan router is 10.4.6.253.

To access the VOIP network one must go thru the 192.168.10.16 interface of the
vlan router.

Adding a route to a workstation on the 192.168.10 network to the 10.4.6 
network using the 192.168.10.16 interface as the gateway works fine, thus 
allowing access to the SSL web interface.

Adding a route on the firewall to the 10.4.6 network thru the 192.168.10.16 
interface allows internal workstations to access the SSL web interface.

The root of the problem I have is getting traffic from the Internet to the 
10.4.6 SSL web interface thru the 192.168.10.16 interface of the vlan router.

Anyone have experience on this one?

Bob D
 



find a file greater than X MB's

2005-12-02 Thread Bob DeBolt
Greets

I have had an issue with a hard drive filling up in a very short time after 
upgrading a software package. Although I resolved the issue and all is well 
now, I spent more time than I should have looking for files greater than a 
certain size. 

I tried numerous combinations of find switches using the find man page and 
on and on but couldn't get the simple result of files greater than a 
specified size, 2MB in my case.

I had a document several weeks ago that used a piped cut command and was very 
cool indeed, can't find it now that I need it.

I have come to realize there are so many more tools for openbsd ( unix in
general ) than I had realized to process the output as well.

Any takers?


Bob 
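An added example, not from the thread: two portable shell helpers for the question asked here, files over a size threshold and the heaviest directories. It sticks to POSIX find(1) and du(1) options because OpenBSD's find accepts `-size +Nc` (bytes) but not GNU's `-size +2M`; without a suffix `-size` counts 512-byte blocks, an easy thing to trip over when the number you typed was meant as bytes. The demo tree it builds under mktemp is constructed.

```shell
#!/bin/sh
# Added example for this page, not from the thread.  Two ways to find
# where a disk went: files larger than a threshold, and the heaviest
# directories.  Portable find(1)/du(1) only: OpenBSD's find takes -size
# with a "c" (bytes) suffix but not the "k"/"M" suffixes GNU find has,
# and a bare number means 512-byte blocks.

# files_larger_than DIR BYTES: files bigger than BYTES under DIR, largest
# first, as "kilobytes<TAB>path".  -xdev stays on one filesystem so NFS
# mounts and the like are not walked.
files_larger_than() {
    dir=$1; bytes=$2
    find "$dir" -xdev -type f -size +"${bytes}"c -exec du -k {} + | sort -rn
}

# files_larger_than_mb DIR MB: same, with the threshold in megabytes
files_larger_than_mb() {
    files_larger_than "$1" $(( $2 * 1024 * 1024 ))
}

# biggest_dirs DIR N: the N directories using the most space, from du -xk
biggest_dirs() {
    du -xk "$1" | sort -rn | head -n "$2"
}

# Demo on a constructed tree so it runs anywhere; the thread's case was
# a 2 MB threshold.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/var/log" "$tmp/var/tmp"
    dd if=/dev/zero of="$tmp/var/log/huge.log" bs=1024 count=3072 2>/dev/null   # 3 MB
    dd if=/dev/zero of="$tmp/var/tmp/small.core" bs=1024 count=512 2>/dev/null  # 512 KB
    echo "files over 2 MB:"
    files_larger_than_mb "$tmp" 2
    echo "heaviest directories:"
    biggest_dirs "$tmp" 3
    rm -rf "$tmp"
}

demo
```

On a real box run `files_larger_than_mb / 2` as root; `biggest_dirs /var 10` is usually the quicker first question when a partition fills overnight, since it points at the directory before you go looking for the file.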
 



Re: quagga woes

2005-11-13 Thread Bob DeBolt
I use it fine on 3.8, fresh cvs update for everything stable.

Bob D



Re: isakmpd: invalid next payload type RESERVED_MIN in payload of type 10

2005-11-04 Thread Bob DeBolt
Greets

I too have the same issue. A straight upgrade; there were only a couple of 3.7
to 3.8 syntax corrections to make. I wonder if maybe there is a minor syntax
change somewhere along the way. I am going through the isakmpd.conf and
isakmpd man pages again to see if I may have missed something.

Bob D



Re: isakmpd: invalid next payload type RESERVED_MIN in payload of type 10

2005-11-04 Thread Bob DeBolt
On Friday 04 November 2005 14:47, Tobias Walkowiak wrote:

Hi Tobias

>> Other workaround, disable nat-t with the -T option.

It works fine. I have multiple offices with data and VOIP traffic running
through separate tunnels; the -T has allowed the other 3.8 upgrades to wait
until Monday.

Thanks Hans-Joerg Hoexer


Bob D
 



A great article ( found on the OpenBSD site)

2005-11-01 Thread Bob DeBolt
Greets

I certainly found it worth a read.

http://www.computerworld.com.au/index.php/id;1375194866;fp;16;fpid;0


Bob D
 



self induced dup-to setup problem

2005-08-12 Thread Bob DeBolt
Greets

Dell 866MHz 256MB RAM

OpenBSD 3.8 snapshot, or 3.7 GENERIC or 3.5 GENERIC
All three have shown me the same problem.

Three interfaces: rl0 and rl1 are the internal and external bridge
interfaces; the bridge works just fine on all three OS versions.

FXP0 is the logging interface to another box.

I have read what there is regarding dup-to and know it is straightforward;
obviously I'm missing something. I also learned that log-all
is now log (all). Not yet in the FAQ.
After not being able to dup-to on the snapshot I thought maybe there 
is an issue with it so the other two releases were tried with the 
same result.

As stated the IPless bridge works fine ( otherwise you wouldn't be 
reading this email).

Here is the simplest form of what I now have.

pass in  on $ext_if dup-to $log_if all
pass out on $ext_if dup-to $log_if all

I have tried pass quick on the log interface and on and on and on.

TCPdump shows that nothing is hitting the log interface.

I have 


Bob 



Re: ALTQ: amount of queue rules

2005-05-25 Thread Bob DeBolt
Greets

> maximum number of queues are in include files. For CBQ
> limit is 256, HFSC 64 per interface.
> Also you can use QoS only on outgoing interface.

I am about to test something that I read very recently, written by
D. Hartmeier (could be mistaken): when doing QoS on inbound, i.e.
an inbound ssh connection with keep state, you are then controlling outbound
traffic based on an inbound connection. A search of the archives will
reveal if it was Daniel or not.


-- 
Sincerely

Bob DeBolt