Re: Routing issue with VPN tunnel

2008-12-14 Thread Brian A. Seklecki (Mobile)
On Mon, 2008-12-15 at 00:06 +, Danial wrote:
 I don't like responding to my own thread but I really need
 help with this one, so I'll try to rephrase the question:

Just about every userland utility has the ability to specify source
transmit addresses (bind(4) function)

If not, we can add it.  

It's probably the second-most-asked question on the Net-SNMP mailing
lists (because of all of the embedding, likely)

~BAS

 
 The remote tunnel endpoint expects traffic originating from




IMPORTANT: This message contains confidential information and is intended only 
for the individual named. If the reader of this message is not an intended 
recipient (or the individual responsible for the delivery of this message to an 
intended recipient), please be advised that any re-use, dissemination, 
distribution or copying of this message is prohibited. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and delete 
this e-mail from your system.



Re: make build fails for OPENBSD_4_4 on i386

2008-08-10 Thread Brian A. Seklecki (Mobile)
On Fri, 2008-08-08 at 13:59 +0200, Miod Vallat wrote:
 Until the cd-rom are actually created and the release is announced,
 tags are

Just trying to be helpful in reporting a build-problem during the releng
cycle.

If there's a better venue for such reports, let's have it :)

~BAS







Re: Simple OBSD/Samba sharing/restart question

2008-04-06 Thread Brian A. Seklecki (Mobile)
On Mon, 2008-03-31 at 12:36 -0400, Dan Brosemer wrote:
 But should you need to stop and start it, just kill off the [sn]mbd
 processes and fire them off manually.

Use /etc/rc.local as your command line flag/switch reference point.

~BAS







Re: openbsd router hardware

2008-03-01 Thread Brian A. Seklecki (Mobile)
On Mon, 2007-12-24 at 13:29 +0100, Joerg Zinke wrote:
 Hi,
 
 I'm looking for hardware to install an openbsd based dsl-router.
 I already searched the list archives and looked at WRAP and Soekris,
 but it seems that they do not match my requirements:
 
 - fanless
 - as small as possible

- Soekris
- Routerboard
- Axiomtek
- ARInfotek
- Nexcom
- Advantech
- Acrosser
- Win Enterprises

I think that we can agree that you really want to avoid VIA-anything.
You really get what you pay for.  Some set top models I've looked at:

http://www.axiomtek.com/products/ViewProduct.asp?view=470

http://www.nexcom.com/product/productshow.jsp?iid=11&pid=919

http://www.advantech.com/products/Tabletop-Intel-Pentium-MProcessor-based-Platformwith-4-PCIe-LAN-Ports-MINIPCI-Expansion-Onboard/mod_1-2JKJKY.aspx

http://www.acrosser.com/Product/Networking%20applicance/VPN-V-Series/Firewall_eden_m9923.html

http://www.arinfotek.com/product/product.asp?idx=2002&pid=11


~BAS

 - at least 2, better 3 ethernet ports
 - a wlan-card (as access point in hostap mode)
 - mainboard and other hardware should work with openbsd of course,
   would be nice to see output from hw.sensors*
 - storage should have at least 10GB, I think this leads to a real
   ide/sata-disk (maybe 2.5)
 - vga-output (because I have no other machine with a serial port to do
   the installation)
 - lcd-display (something that is supported by lcdproc, which seems to
   work fine on openbsd)
 
 Not a requirement, but nice-to-have: usb-2.0 port(s).
 
 Does anyone know a company or vendor which builds such an
 (openbsd-)ready system fulfilling the above requirements?
 
 Or did I need to start buying all pieces (maybe mini-itx based?) and
 assembly them on my own?
 
 Any hints?
 
 Regards,
 
 Joerg







Re: Watching the progress of dd if=drive1 of=drive2

2008-02-23 Thread Brian A. Seklecki (Mobile)
On Sat, 2008-02-23 at 12:15 -0800, Jon wrote:
 I'm using dd to clone a drive. How can I watch the progress of this or
 see the transfer rate in real time?

It should accept SIGINFO (control+G) on most terminals.  

You may also be able to compile progress(1)

~BAS







Re: Thank you: Re: Watching the progress of dd if=drive1 of=drive2

2008-02-23 Thread Brian A. Seklecki (Mobile)
On Sat, 2008-02-23 at 13:46 -0800, Jon wrote:
  on some learning paths here. This mailing list is awesome. Thank you.

just remember that when 4.3 CD pre-release-sales are announced :)







Re: vlan configuration: off-topic

2008-01-18 Thread Brian A. Seklecki (Mobile)
On Fri, 2008-01-18 at 11:49 -0200, John Nietzsche wrote:
 Dear gentleman,
 
 i am starting with vlan topic right now. I am in need to get two dell
 powerconnect 2724 switches to implement 3 vlan. I know how to

The Dell PC2724 can't move its mgmt VLAN from VLAN1, and *BSD vlan(1)
won't transmit VLAN 1 as tagged (per spec).

The work around is to assign VLAN1's IP on your *BSD gear to the
physical interface of your VLAN trunk.

I'm about to remove the last of any/all Dell switches from my network --
an announcement which I'm sure Dell will censure from their forums.

Ass - Holes.

~BAS



Re: How to test if pfsync is working?

2007-12-02 Thread Brian A. Seklecki (Mobile)
On Sun, 2007-12-02 at 01:14 -0800, Jake Conk wrote:
 Hello,
 
 I have pfsync setup between two servers and they're connected to each

The command that you're looking for is:

$ sudo netstat -s state | grep -A 17 pfsync
pfsync:
0 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for bad ttl
0 packets shorter than header
0 packets discarded for bad version
0 packets discarded for bad HMAC
0 packets discarded for bad action
0 packets discarded for short packet
0 states discarded for bad values
0 stale states
0 failed state lookup/inserts
0 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
0 send error

As for keeping your config in sync, I recommend bracket-expanding and
scp(1)'ing the file over using a periodic script.

~BAS
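The counters above are lifetime totals, so a non-zero "packets received" line does not by itself show that the peer is alive right now. The script below is an added example, not from the thread: it reads two snapshots of the netstat output a few seconds apart and passes only if both directions moved and nothing was rejected for a bad version or HMAC. The snapshots are constructed and abbreviated; the netstat invocation in the comment is the real one.

```shell
#!/bin/sh
# Added example (not from the thread): a pass/fail health check built on
# the counters printed by "netstat -s -p pfsync". Counters are cumulative
# since boot, so two snapshots are compared. Both snapshots are constructed.

SNAP_A='pfsync:
        1203 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        1187 packets sent (IPv4)
        0 send error'

SNAP_B='pfsync:
        1260 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        1244 packets sent (IPv4)
        0 send error'

# Same as SNAP_B but with one packet rejected for a bad HMAC, i.e. a sender
# on the sync segment that does not share our key.
SNAP_BAD_HMAC=$(printf '%s\n' "$SNAP_B" |
    sed 's/0 packets discarded for bad HMAC/1 packets discarded for bad HMAC/')

# pfsync_counter KEY: read netstat output on stdin and print the counter
# whose description contains KEY; prints 0 when the line is absent.
pfsync_counter() {
    awk -v key="$1" 'BEGIN { n = 0 } index($0, key) { n = $1; exit } END { print n }'
}

# delta KEY BEFORE AFTER: print AFTER minus BEFORE for one counter.
delta() {
    b=$(printf '%s\n' "$2" | pfsync_counter "$1")
    a=$(printf '%s\n' "$3" | pfsync_counter "$1")
    echo $((a - b))
}

# pfsync_check BEFORE AFTER: succeed only when both directions carried
# traffic between the snapshots and nothing was discarded for a bad
# version (peer speaks a different pfsync protocol) or a bad HMAC.
pfsync_check() {
    rx=$(delta 'packets received (IPv4)' "$1" "$2")
    tx=$(delta 'packets sent (IPv4)' "$1" "$2")
    ver=$(delta 'bad version' "$1" "$2")
    hmac=$(delta 'bad HMAC' "$1" "$2")
    [ "$rx" -gt 0 ]   || { echo "pfsync: nothing received from peer" >&2; return 1; }
    [ "$tx" -gt 0 ]   || { echo "pfsync: nothing sent to peer" >&2; return 1; }
    [ "$ver" -eq 0 ]  || { echo "pfsync: $ver packets with bad version" >&2; return 1; }
    [ "$hmac" -eq 0 ] || { echo "pfsync: $hmac packets with bad HMAC" >&2; return 1; }
    echo "pfsync: ok (+$rx received, +$tx sent)"
}

# On a live box: a=$(netstat -s -p pfsync); sleep 5; b=$(netstat -s -p pfsync)
pfsync_check "$SNAP_A" "$SNAP_B"                 # healthy pair
pfsync_check "$SNAP_A" "$SNAP_A" || :            # silent peer: fails
pfsync_check "$SNAP_A" "$SNAP_BAD_HMAC" || :     # key mismatch: fails
```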



Re: IPSEC bridge and pf

2007-12-02 Thread Brian A. Seklecki (Mobile)
On Sun, 2007-12-02 at 19:08 -0500, tim wrote:
 my current pf configuration and add the use of the IPSEC bridge to
 that set up. 

Just check tcpdump -vvv -n -s 192 -i pflog0.  Probably pass quick
proto ipencap all etc. 



Re: 4.1 fresh install dc0: failed to force tx and rx to idle state

2007-11-17 Thread Brian A Seklecki (Mobile)
 I have cut and pasted the output from ifconfig and dmesg below.
 I do have a non tulip nic I might try tomorrow.

Try a -current kernel.  If it occurs, obtain a backtrace / kernel core
dump and post it.  Possibly file a PR if it is warranted.  It might not
get fixed quickly, so grab an xl(4)/fxp(4) from the 100-stack.

~BAS  



Re: PF problems

2007-11-13 Thread Brian A Seklecki (Mobile)
On Tue, 2007-11-13 at 14:17 -0200, Kleber Rocha wrote:
 10.1.1.78 tries to access the ip 10.1.100.210 on port 8080, the

If xl0 faces 10.1.1.0 (outside) and bge0 faces your local (inside)
10.1.100.0/24, then your pass in statement will create a state
associated with inbound traffic.

However, it will not automatically create an associated stateful
outbound connection out/in your bge0.

This is a common misunderstanding with pf(4) as a transit device.

Default-block in policy routers have to have a default pass out keep
state rule to get this PIX/ASA style behavior that most are used to.

~BAS
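An added pf.conf illustration of the point above, not part of the thread; the interface and address names follow the question (xl0 outside, bge0 inside, 10.1.100.210 port 8080), and the macro names are my own.

```pf
# Added example (not from the thread). xl0 faces 10.1.1.0/24 (outside),
# bge0 faces 10.1.100.0/24 (inside).
ext_if  = "xl0"
int_if  = "bge0"
web_srv = "10.1.100.210"

block in log all
block out log all

# Weak ruleset: only the inbound leg is allowed. The pass in creates a
# state for the packet arriving on xl0, but when the kernel forwards that
# same packet out bge0 the default "block out" on bge0 drops it, so the
# client sees a timeout even though pflog0 shows the packet passing on xl0.
#pass in quick on $ext_if proto tcp from 10.1.1.0/24 to $web_srv port 8080 keep state

# Corrected: the forwarded packet must also be allowed to leave bge0, and
# that pass out creates the second state that the reply traffic will match.
pass in on $ext_if proto tcp from 10.1.1.0/24 to $web_srv port 8080 keep state
pass out on $int_if proto tcp from 10.1.1.0/24 to $web_srv port 8080 keep state

# The "PIX/ASA style" transit behaviour mentioned above is the broad form of
# the same rule: let anything already passed inbound leave on any interface.
# pass out keep state
```

Check a candidate ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see which interface a blocked packet is being dropped on.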



Re: Clamav

2007-11-05 Thread Brian A Seklecki (Mobile)
On Mon, 2007-11-05 at 10:49 -0500, Peter Fraser wrote:
 get updates on the virus signatures. I was going to put

Well how many local patches are there?  Did you try to bump the port to
the version you want? Just update the Makefile & distinfo and see if the
patches apply cleanly.

~BAS



Re: 4.2 won't boot after fresh installation

2007-11-05 Thread Brian A Seklecki (Mobile)
 Ok, just tried rebooting with your suggestion of:
 
 boot -c
 disable fdc*
 boot
 
 Actually, I had to quit instead of boot
 
 It stopped at the same place: fd0 at fdc0 drive 0: 1.44MB 80cyl, 2 head, 18 
 sec

Enable verbose in ukc.  It often shows silent probes that fail and
lock the system before they can print out that they've failed.

~BAS


 Perhaps I should say that is the last line visible. 
 
 This box is just a home pc on a single hd, 1 primary partition for openbsd 
 and 3 logical partitions for linux. 
 It is not a server to/for anything. This one is just for home stuff connected 
 to internet on cable.
 
 I will try another fresh install and save the dmesg after installation and 
 after rebooting (if successful).
 
 Thanks again.



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2007-11-05 Thread Brian A Seklecki (Mobile)
On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:
 On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:
  Have you try openbsd 4.2 ? PF have been really improved in this
  release.

pf(4) has nothing to do with isakmpd(8), except as it relates to recent
addition of routing tags.

- PIX/ASA is going to get you a default packet ASA forwarding based on
interface weights 
- PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH
VPN Road-warrior clients
- PIX has functional object-groups/group-object inheritance
- PIX/ASA has proprietary serial console fail-over (which is marginally
faster than waiting for CARP)
- PIX/ASA has some magical black-box inline transparent protocol
fixups
- PIX has a 4 hour SmartNet support contract option
- PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)

I don't know about ASA, but the 5xx PIX doesn't support IPv6


Otherwise they're both software-based stateful IP packet forwarding
engines running on i386 with NAT and IPSec and 802.1q support.

OpenBSD will always scale better because you can run it on the hardware
platform of your choice.

~BAS

 1. VPN is computationally heavy -- is your hardware fast enough?
 
 2. Try playing with queueing in PF to handle some types of traffic
 faster than others. AFAIK, it is normal to find this kind of
 configuration in commercial, black-box solutions, disguised as buzzy
 slogans like Built-in QoS Super-Routing :-)
 
 Just my two cents.
 
 Martin



Re: OpenBSD 4.2 hardware recommendation

2007-11-02 Thread Brian A Seklecki (Mobile)
On Sat, 2007-11-03 at 00:20 +0300, VP wrote:
 Hello!
 
 I have a network with 100 users and 7 servers and current firewall
 need to be replaced. I want to buy brand server due to company policy.

Brand as in put your company name on the hardware

 It can be SPARC or x86.
 But vendors don't officially support OpenBSD with their hardware.
 We need tower server with 1 processor, 2 gigs of RAM, 2 SCSI disks
 and 2 power supply. Does anyone recommend brand server which supports

For a _firewall_ ?!  Are you sure you don't want something more opt for
forwarding packets?  Or is this a multi-function system?

~BAS

 OpenBSD?



Re: Custom Kernel for 4.2 upgrade

2007-11-02 Thread Brian A Seklecki (Mobile)
On Fri, 2007-11-02 at 20:21 +, Stuart Henderson wrote:
 On 2007/11/02 14:45, Jason Murray wrote:
  I have a 4.1 box that uses RAIDFrame so I need to compile a custom kernel 
  in order to upgrade. I know this is not supported, but it has worked (minus 
  the one gotcha) for me from 3.6 until 4.1 so I expect it will work for 4.2. 

I can build you a custom 4.2 release with bsd.rd install images w/
RAIDFrame support, if needed.

I need to put together a 4.2 build box anyway

~BAS



Re: OpenBSD 4.2 hardware recommendation

2007-11-02 Thread Brian A Seklecki (Mobile)
On Sat, 2007-11-03 at 00:42 +0300, VP wrote:
  It can be SPARC or x86.
  But vendors don't officially support OpenBSD with their hardware.
  We need tower server with 1 processor, 2 gigs of RAM, 2 SCSI disks
  and 2 power supply. Does anyone recommend brand server which supports
 
  For a _firewall_ ?!  Are you sure you don't want something more opt for
  forwarding packets?  Or is this a multi-function system?
 

If you can live w/o RAID, i recommend advantech.com or nexcom.com
Network Security Appliance product lines.

~BAS

 Of course, server must have min 2 good integrated NIC's.
 It will be firewall with IDS. Which options you mean?



Re: OpenBSD Sound

2007-10-31 Thread Brian A Seklecki (Mobile)
On Wed, 2007-10-31 at 14:51 +, Tomas Bodzar wrote:
 And still one thing
 
 When I was try OpenBSD (I think that was 3.8),I use WindowMaker,Xmms and lots

Some *BSD systems are adjusting PCM driver support to allow multiple
processes to open /dev/dsp / /dev/audio non-exclusively, mitigating
the need for piss-poor software API multiplexing solutions a la
ARTS/ESD.

~BAS



Re: CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)

2007-10-26 Thread Brian A Seklecki (Mobile)
On Mon, 2007-10-22 at 12:04 +0200, Henning Brauer wrote:
 * Claudio Jeker [EMAIL PROTECTED] [2007-10-22 08:17]:
  Fragment Reassembly does not happen in the forwarding plane, it happens on
  the end system. By doing flow based forwarding on the router you're no
  longer able to do all the additional checks that pf(4) is doing in its
  stateful forwarding path.
 
 and we don't actually need these on a non-edge router. I'd go so far
 to say they hurt in that case.

I agree.

Just to confirm... you do not encourage the use of fragment reassembly
at forwarding points other than the network periphery?

We recently ran into some intermittent TCP connection stalls in a
network where end point systems were behind as many as three PF systems
end-point to end-point.  pfctl -x loud had a direct correlation to the
stalls and reassemble debug activity output.

We didn't debug it too much because there was a mix of 3.7, 3.9, and 4.1
systems and we wanted to standardize on 4.2 before filing any
superfluous bug reports.

~BAS

   There is probably a huge market out there for a commodity standards
   based hardware (if it could be done)
  I doubt it, the necessary HW is just too expensive and complex.
 
 I totally agree with the statement that there is a huge market for 
 that - but getting supported, fully working hardware at reasonable 
 prices for it is indeed a gigantic challenge.



Re: Problem with MP on 4.2

2007-10-26 Thread Brian A Seklecki (Mobile)
  first try to enable acpi and see what happens.
 
 
 Thanks. Enabling acpi did not make a difference, but then I disabled  
 apm and it's working.

Right -- all of the example ukc output shows how to enable acpi0 but no
one ever shows how to disable apm0.  

~BAS

 
 Abdul
 
  HTH,
  Stijn



Re: OpenBSD 4.2 RAIDFrame mirror

2007-10-26 Thread Brian A Seklecki (Mobile)
On Thu, 2007-10-25 at 10:50 +0200, Dominik Zalewski wrote:
 Dear All,
 
 I have a machine with two Maxtor 160GB hard disks. I've installed OpenBSD 4.2 
 on first one and I would like to use second one as a mirror.

If you really want to kick the dead horse, I can probably roll a 4.2
install image that has RAIDFrame in the RD, so you can set it up
properly at install time.

Your best bet is an entry-level bio(4) manageable hardware RAID
Controller.

~BAS

 As far as I understood I will have to repartition and reinstall whole system 
 to enable second disk as a mirror. All I want is to have software RAID 1.



Re: SUMMARY: Still unable to get Cyclades Z serial ports working with OpenBSD

2007-10-25 Thread Brian A Seklecki (Mobile)
On Thu, 2007-10-25 at 14:39 -0700, Don Jackson wrote:
 no channels at
 tached 

Well, no channels attached tells me it's a hardware issue
(cables`n`shit), or the software failing to properly probe the hardware.

Does it work in another system under another platform (Linux LiveCD,
etc.)?


I use the Y-Series on NetBSD and it's finicky.  There are times when my
systems refuse to post the BIOS until I re-seat the card.

cy0 at pci0 dev 15 function 0: Cyclades-Y multiport serial
cy0: interrupting at irq 7
cy0: 16 channels (ttyCY000..ttyCY015) -- !!! NOTE THIS !!!


~BAS



Re: Installing the latest snapshot freezes on i386

2007-10-23 Thread Brian A Seklecki (Mobile)
On Tue, 2007-10-23 at 01:42 -0700, Reza Muhammad wrote:
 Hi all,
 
 I just recently purchased a brand new HP Pavilion
 G3035L Desktop PC (spec:
 http://www.anugrahpratama.com/product/21/1092/HP-Pavilion-G3035L-Desktop-PC).
  It's using Intel Core Duo processor.  I tried to
 install OpenBSD's latest snapshot to this machine last
 night.  The thing is it freezes and it wouldn't
 install.   Here's the messages I got from my screen:

Try interrupting boot and booting into the real-time kernel config 

[OpenBSD banner]
boot boot -c

ukc verbose
ukc enable acpi0
ukc disable apm0
ukc exit

~BAS

 ehci0: timed out waiting for BIOS
 usb0 at ehci0: USB revision 2.0
 
 Does anyone know what the problem is?  Are some of the
 hardware aren't supported by OpenBSD? What should I do
 so this machine can run OpenBSD?
 
 Thanks for the help.  I appreciate it. 
 
 -Reza



CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)

2007-10-21 Thread Brian A Seklecki (Mobile)
On Mon, 2007-10-22 at 00:12 +0100, Tony Sarendal wrote:
 On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote:

I'll throw this out there since it's been something on my mind for a
while:

Hardware VLAN tagging, TOE offload, IP/UDP/TCP Checksum offload,
interface polling are all ways to accelerate packet forwarding.  How
about a standards-based hardware-software API equivalent to Cisco's
CEF or MLS?

The basics:  
 - layer 3 or layer 4 state (flow) is identified and established using
   software IP-forwarding.  
 - the software dynamically programs the switching hardware backplane
   ASIC to accelerate forwarding the flow w/o software further
   inspection (Including Fragment Reassembly, etc.)

There is probably a huge market out there for a commodity standards
based hardware (if it could be done)

~BAS



Re: ipsec(4) routing for a branch offices

2007-10-18 Thread Brian A Seklecki (Mobile)
On Thu, 2007-10-18 at 09:35 +0200, Mitja MuEeniD wrote:
 This is the correct behaviour, as ipsec tunnel selection happens earlier in
 the process than route selection, the traffic for 192.168.64.0/24 enters the
 tunnel because it matches the remote subnet 192.168.0.0/16. 
 
 Use this on the 192.168.64.1 machine to create a bypass flow in
 ipsec.conf:

This works exceptionally well!  Thanks very much.  Beers on us.

As for correct behavior, that may be accurate from a pragmatic source
code ip_output()/ip_output() standpoint, but very few IP stacks give
Directly Connected routes lower priority than IPSec SAs.

IMHO, it is important to follow the precedent set. 

~BAS

 flow esp from 192.168.64.0/24 to 192.168.64.0/24 type bypass
 
 This will prevent the traffic from 192.168.64.0/24 to 192.168.64.0/24 from
 entering the tunnel.
 
 Mitja
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Brian A. Seklecki
  Sent: Thursday, October 18, 2007 2:02 AM
  To: misc@openbsd.org
  Subject: ipsec(4) routing for a branch offices
  
  On a variety of 3rd party platforms, I often establish an SA 
  between two IPSec devices with a /16 of RFC 1918 space on one 
  side and a /24 on the other (sometimes as much as a /19).
  
  This uneven size subnet arrangement prevents the need for 
  full-mesh in a large corporate network.  It allows for hub & spoke.
  
  I remember an OpenBSD 3.6-era bug, which I was certain was 
  PR'd and fixed, that caused this configuration to fail.  On a 
  remote branch office policy router, I have the following 
  ENCAP family routes (below)
  
  Here's the problem:
  
  1) Traffic sourced from the internal interface 
  (192.168.64.1/24) for the directly connected subnet 
  192.168.64.0/24 is transmitted across the tunnel in ESP
  
  2) Traffic from the locally connected subnet reaches the 
  interface of the internal (64.1/24), but reply packets are 
  attempted to forward across the tunnel instead of back out 
  of the physical interface
  
  Routing tables
  
  # netstat -rn -rf encap
  Encap:
  Source         Port  Destination    Port  Proto  SA(Address/Proto/Type/Direction)
  192.168/16     0     192.168.64/24  0     0      206.210.89.200/esp/use/in
  192.168.64/24  0     192.168/16     0     0      206.210.89.200/esp/require/out
  
  # netstat -rn -f inet
  Internet:
  Destination    Gateway          Flags  Refs  Use     Mtu  Interface
  default        71.166.xxx.xxx   UGS    11    173981  -    em2
  71.166.245/24  link#3           UC     1     0       -    em2
  192.168.64/24  link#1           UC     4     0       -    em0
  
  Strange as hell
  
  $ sudo tcpdump -i em0 -s 256 !port 22 
  $ ping 192.168.64.100 
  PING 192.168.64.100 (192.168.64.100): 56 data bytes
  
  [but, what is seen on another terminal]
  
  [1] sudo tcpdump -i em2 -s 256 !port 22 
  20:00:28.610672 esp x.east.verizon.net > vpncxxx.pub.collaborativefusion.com spi 0x0ACAEE17 seq 89 len 116
  
  ICMP packets giving me the old slip-a-roo out the back door :}
  
  -- 
  Brian A. Seklecki [EMAIL PROTECTED]
  
  
  
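The bypass flow from Mitja's reply, placed next to the hub-and-spoke tunnel it protects, as an added ipsec.conf example for the branch router 192.168.64.1 (not part of the thread). The hub address and macro names are placeholders of mine; the thread's real peer is masked.

```ipsec.conf
# Added example (not from the thread) for the branch router at 192.168.64.1.
# The hub address is a placeholder.
hub        = "203.0.113.1"
branch_net = "192.168.64.0/24"
corp_net   = "192.168.0.0/16"

# Bypass flow: traffic from the branch LAN to itself must never enter the
# tunnel. The SPD lookup chooses the most specific matching flow, so this
# /24-to-/24 entry takes precedence over the /24-to-/16 tunnel flow below,
# and locally sourced packets for directly connected hosts leave on em0.
flow esp from $branch_net to $branch_net type bypass

# Hub-and-spoke: the branch /24 reaches the whole corporate /16 through the
# hub, so no full mesh of SAs is needed between branches.
ike esp from $branch_net to $corp_net peer $hub

# Verify: ipsecctl -nf /etc/ipsec.conf   (parse only)
#         ipsecctl -s flow               (flows actually loaded)
# then ping a host on 192.168.64.0/24 and confirm with tcpdump that the
# ICMP appears on em0 rather than as ESP on em2.
```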