Re: sk or em
On Monday 16 April 2007 10:27, Ronnie Garcia wrote:
> Chris C. wrote:
> > I'm in the need to replace my two 100mbit fxp nic's in my firewall with a
> > 1000mbit one. The hardware is kinda old. (PIII)
> > I'm looking for an inexpensive but not bad (so I think no realtek chips)
> > nic. Have looked at sk and bge, but couldn't find any bge nics at my
> > local vendors. So... which driver to go? sk? em?
>
> Do you expect doing more than 100mbits with this hardware (with PF enabled)
> ? I'm maxing a P4 2.4Ghz at 40mbits, with a dual em, and a ~300 lines
> pf.conf

I am doing ~190mbit throughput with my current nics (PIII 1000MHz, CPU is at 20% idle) with pf disabled, but I usually only have large nfs or ftp packets and some http and ssh traffic.

Greetings
Chris
Re: sk or em
On Sunday 15 April 2007 22:30, Stuart Henderson wrote:
> On 2007/04/15 20:27, Chris C. wrote:
> > I'm in the need to replace my two 100mbit fxp nic's in my firewall with a
> > 1000mbit one. The hardware is kinda old. (PIII)
> > I'm looking for an inexpensive but not bad (so I think no realtek chips)
> > nic. Have looked at sk and bge, but couldn't find any bge nics at my
> > local vendors. So... which driver to go? sk? em?
>
> Modern Realtek re(4) are not really a problem, they do IPv4 TCP
> checksum offload, HW vlan tagging, and are a better design than the
> rl(4). They only handle jumbo frames up to 7.5k, but if jumbo
> support was a big issue you'd probably have mentioned it already
> (and even 2k would cover many of the reasons you'd want jumbos).
>
> I'd still go for the sk(4) if they were the same price - this is
> fairly possible, unlike em(4) which will almost certainly cost more
> than re(4) - but don't worry about it, pretty much anything you
> pick up is likely to work fine.

Thanks, will go and get some sk's.

Greetings
Chris
Re: sk or em
On Monday 16 April 2007 01:26, Chris Cappuccio wrote:
> Chris C. [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I'm in the need to replace my two 100mbit fxp nic's in my firewall with a
> > 1000mbit one. The hardware is kinda old. (PIII)
> > I'm looking for an inexpensive but not bad (so I think no realtek chips)
> > nic. Have looked at sk and bge, but couldn't find any bge nics at my
> > local vendors. So... which driver to go? sk? em?
> > I really think this has been discussed before so if someone could just
> > give me some keywords to search for in the archives I'd be lucky.
>
> Get a server board from Asus, Supermicro or Tyan that has dual on-board
> gigabit NICs. They will link back to the main bus with separate, PtP PCIe
> links to each NIC and you will have a screaming system. I use one NIC on
> an Asus P5MT-M connected to a vlan-capable switch for some higher volume
> routers and it works great. Each NIC has one 1x PCIe link to the chipset,
> which provides plenty of bandwidth for full-duplex gigabit ethernet
> communication.

Well... that is totally out of budget. That is a private system, we don't need full line speed.

Thanks
Chris
sk or em
Hi,

I'm in the need to replace my two 100mbit fxp nic's in my firewall with a 1000mbit one. The hardware is kinda old. (PIII)
I'm looking for an inexpensive but not bad (so I think no realtek chips) nic. Have looked at sk and bge, but couldn't find any bge nics at my local vendors. So... which driver to go? sk? em?
I really think this has been discussed before so if someone could just give me some keywords to search for in the archives I'd be lucky.

Thanks
Chris
Re: PF + rsync trouble
On Thursday 15 February 2007 00:17, Darren Spruell wrote:
> On 2/14/07, Chris C. <[EMAIL PROTECTED]> wrote:
> > On Wednesday 14 February 2007 21:59, Chris C. wrote:
> > > Hi
> > >
> > > I'm having issues with rsyncing ftp.rfc-editor.org through a PF
> > > firewall, other connections (also other rsync connections) work well.
> > >
> > > rsync -avz --delete ftp.rfc-editor.org::rfcs-text-only my-rfc-mirror
> > > receiving file list ... done
> > > ./
> > > rfc-index.xml
> > > ...
> > > rfc1591.txt
> > > rfc1592.txt
> > > nothing is going to happen... will timeout in a few minutes
> > > any suggestions? thanks!
> >
> > Have to reply to my own post...
> > The rsync process completes on the gateway itself, but not on any device
> > behind it.
>
> Enable debugging in PF and see if you get any error conditions in your
> kernel logs.
>
> # pfctl -x loud
>
> (set back to normal with 'pfctl -x urgent')

thanks, but that didn't help

I enabled debugging, added flags S/SA to all my rules and have block in log all / pass out log all rules.
/var/log/messages doesn't say anything except adding ospf

tcpdump -n -e -ttt -i pflog0 also doesn't say anything special:

Feb 15 08:58:26.289011 rule 7/(match) pass out on pppoe0: 217.95.254.251.62376 > 128.9.176.20.873: [|tcp]

but rsync still aborts with:

rsync error: timeout in data send/receive (code 30) at io.c(171) [sender=2.6.8]
rsync: connection unexpectedly closed (168446 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(453) [receiver=2.6.9]
_exit_cleanup(code=12, file=io.c, line=453): about to call exit(12)
rsync: connection unexpectedly closed (168446 bytes received so far) [generator]
rsync error: error in rsync protocol data stream (code 12) at io.c(453) [generator=2.6.9]
_exit_cleanup(code=12, file=io.c, line=453): about to call exit(12)

anything left I can do? My other rsyncs (e.g. gentoo-portage) still work very well.
Re: PF + rsync trouble
On Wednesday 14 February 2007 21:59, Chris C. wrote:
> Hi
>
> I'm having issues with rsyncing ftp.rfc-editor.org through a PF firewall,
> other connections (also other rsync connections) work well.
>
> rsync -avz --delete ftp.rfc-editor.org::rfcs-text-only my-rfc-mirror
> receiving file list ... done
> ./
> rfc-index.xml
> ...
> rfc1591.txt
> rfc1592.txt
> nothing is going to happen... will timeout in a few minutes
>
> my setup is LAN --> OBSDGW2 -> PPPOE -> Internet
>
> fxp1: flags=8843 mtu 1500
>         lladdr 00:50:8b:95:a4:d3
>         description: WLan uplink
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::250:8bff:fe95:a4d3%fxp1 prefixlen 64 scopeid 0x3
>         inet 10.1.16.1 netmask 0xfffc broadcast 10.1.16.3
>
> pppoe0: flags=8851 mtu 1492
>         dev: rl0 state: session
>         sid: 0xe682 PADI retries: 49 PADR retries: 0 time: 09:51:14
>
> I've played with scrub (out on pppoe0 max-mss 1440, +no-df, + fragment
> reassemble, ...) but doesn't solve my problem.
> I'm using nat on pppoe0 (nat on $extif from to any -> (pppoe0))
> I would provide a full tcpdump, but that would make my message a bit big...
>
> Currently my pf.conf looks as follows:
>
> set block-policy return
> set skip on { lo, enc0 }
> #scrub in all no-df random-id fragment reassemble
> #scrub out on pppoe0 max-mss 1492 no-df
> scrub out on pppoe0 max-mss 1440
> nat on $extif from to any -> (pppoe0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr on $allif inet proto tcp from to ! port ftp -> 127.0.0.1 port 8021
> rdr on $extif inet proto tcp from any to ($extif) port http -> 10.0.0.200 port 80
> #rdr on $extif inet proto tcp from any to ($extif) port ftp -> 10.0.0.200 port ftp
> #rdr on $extif inet proto tcp from any to any port 49152:65535 -> 10.0.0.200 port 49152:65535
> norouteips and allow local traffic on trusted interfaces
> antispoof quick for { $extif, $wlanif }
> block in all
> pass out all keep state flags S/SA
> block in quick on $extif inet from to any
> block return out quick on $extif inet proto icmp from any to
> block drop out quick on $extif inet from any to
> pass in quick on $allif inet from to ! keep state
> pass in quick inet proto icmp from any to { ($extif) } icmp-type echoreq code 0
> pass in quick inet proto tcp from any to { ($extif) } port ssh keep state
> [some rules for other subnets]
> pass in on $wlanif inet from 10.1.16.200 to any keep state flags S/SA
>
> [tcpdump]
>
> any suggestions? thanks!

Have to reply to my own post...
The rsync process completes on the gateway itself, but not on any device behind it.
PF + rsync trouble
Hi

I'm having issues with rsyncing ftp.rfc-editor.org through a PF firewall, other connections (also other rsync connections) work well.

rsync -avz --delete ftp.rfc-editor.org::rfcs-text-only my-rfc-mirror
receiving file list ... done
./
rfc-index.xml
...
rfc1591.txt
rfc1592.txt
nothing is going to happen... will timeout in a few minutes

my setup is LAN --> OBSDGW2 -> PPPOE -> Internet

fxp1: flags=8843 mtu 1500
        lladdr 00:50:8b:95:a4:d3
        description: WLan uplink
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::250:8bff:fe95:a4d3%fxp1 prefixlen 64 scopeid 0x3
        inet 10.1.16.1 netmask 0xfffc broadcast 10.1.16.3

pppoe0: flags=8851 mtu 1492
        dev: rl0 state: session
        sid: 0xe682 PADI retries: 49 PADR retries: 0 time: 09:51:14

I've played with scrub (out on pppoe0 max-mss 1440, +no-df, + fragment reassemble, ...) but doesn't solve my problem.
I'm using nat on pppoe0 (nat on $extif from to any -> (pppoe0))
I would provide a full tcpdump, but that would make my message a bit big...

Currently my pf.conf looks as follows:

set block-policy return
set skip on { lo, enc0 }
#scrub in all no-df random-id fragment reassemble
#scrub out on pppoe0 max-mss 1492 no-df
scrub out on pppoe0 max-mss 1440
nat on $extif from to any -> (pppoe0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $allif inet proto tcp from to ! port ftp -> 127.0.0.1 port 8021
rdr on $extif inet proto tcp from any to ($extif) port http -> 10.0.0.200 port 80
#rdr on $extif inet proto tcp from any to ($extif) port ftp -> 10.0.0.200 port ftp
#rdr on $extif inet proto tcp from any to any port 49152:65535 -> 10.0.0.200 port 49152:65535
norouteips and allow local traffic on trusted interfaces
antispoof quick for { $extif, $wlanif }
block in all
pass out all keep state flags S/SA
block in quick on $extif inet from to any
block return out quick on $extif inet proto icmp from any to
block drop out quick on $extif inet from any to
pass in quick on $allif inet from to ! keep state
pass in quick inet proto icmp from any to { ($extif) } icmp-type echoreq code 0
pass in quick inet proto tcp from any to { ($extif) } port ssh keep state
[some rules for other subnets]
pass in on $wlanif inet from 10.1.16.200 to any keep state flags S/SA

18:28:07.899188 128.9.176.20.rsync > 10.1.16.200.1701: . 9777343:9778583(1240) ack 100609 win 0 (DF)
18:28:07.901084 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9778583 win 23552 (DF)
18:28:07.902910 128.9.176.20.rsync > 10.1.16.200.1701: . 9778583:9780011(1428) ack 100609 win 0 (DF)
18:28:07.906844 128.9.176.20.rsync > 10.1.16.200.1701: . 9780011:9781439(1428) ack 100609 win 0 (DF)
18:28:07.908805 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9781439 win 23552 (DF)
18:28:07.910276 128.9.176.20.rsync > 10.1.16.200.1701: . 9781439:9782679(1240) ack 100609 win 0 (DF)
18:28:07.913469 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9782679 win 23552 (DF)
18:28:07.914486 128.9.176.20.rsync > 10.1.16.200.1701: . 9782679:9784107(1428) ack 100609 win 0 (DF)
18:28:07.918422 128.9.176.20.rsync > 10.1.16.200.1701: . 9784107:9785535(1428) ack 100609 win 0 (DF)
18:28:07.920355 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9785535 win 23552 (DF)
18:28:07.921610 128.9.176.20.rsync > 10.1.16.200.1701: . 9785535:9786775(1240) ack 100609 win 0 (DF)
18:28:07.923453 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9786775 win 23552 (DF)
18:28:07.925819 128.9.176.20.rsync > 10.1.16.200.1701: . 9786775:9788203(1428) ack 100609 win 0 (DF)
18:28:07.929512 128.9.176.20.rsync > 10.1.16.200.1701: . 9788203:9789631(1428) ack 100609 win 0 (DF)
18:28:07.931435 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9789631 win 23552 (DF)
18:28:07.933195 128.9.176.20.rsync > 10.1.16.200.1701: . 9789631:9790871(1240) ack 100609 win 0 (DF)
18:28:07.936777 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9790871 win 23552 (DF)
18:28:07.937141 10.1.16.200.ssh > 192.168.0.12.58575: P 29809:29873(64) ack 144 win 1972 (DF) [tos 0x10]
18:28:07.937358 192.168.0.12.58575 > 10.1.16.200.ssh: . ack 29873 win 3252 (DF) [tos 0x10]
18:28:07.949505 128.9.176.20.rsync > 10.1.16.200.1701: . 9790871:9792299(1428) ack 100609 win 0 (DF)
18:28:07.953422 128.9.176.20.rsync > 10.1.16.200.1701: . 9792299:9793727(1428) ack 100609 win 0 (DF)
18:28:07.955343 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9793727 win 23552 (DF)
18:28:07.956881 128.9.176.20.rsync > 10.1.16.200.1701: . 9793727:9794967(1240) ack 100609 win 0 (DF)
18:28:07.959626 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9794967 win 23552 (DF)
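As an added illustration of the debugging approach in this thread (the pflog0 line in the follow-up reply and the tcpdump trace in this post), not code from the thread or from OpenBSD: a small Python parser for those two old-style tcpdump(8) line formats that totals segments and payload bytes per direction and reports any endpoint that advertises a zero receive window on every segment it sends, which is the first thing worth checking in a trace like this before suspecting the pf ruleset. The regexes are assumptions about that output format; the sample lines are copied from the trace above.

```python
import re
from collections import defaultdict

# Assumed, hypothetical helpers (not from the thread): regexes for the 2007-era
# tcpdump(8) TCP line format quoted in the post and for the pflog0 line format.
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

# Sample input: the first packets of the trace quoted in the post.
SAMPLE = """\
18:28:07.899188 128.9.176.20.rsync > 10.1.16.200.1701: . 9777343:9778583(1240) ack 100609 win 0 (DF)
18:28:07.901084 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9778583 win 23552 (DF)
18:28:07.902910 128.9.176.20.rsync > 10.1.16.200.1701: . 9778583:9780011(1428) ack 100609 win 0 (DF)
18:28:07.906844 128.9.176.20.rsync > 10.1.16.200.1701: . 9780011:9781439(1428) ack 100609 win 0 (DF)
18:28:07.908805 10.1.16.200.1701 > 128.9.176.20.rsync: . ack 9781439 win 23552 (DF)
""".splitlines()


def parse_tcp(line):
    """Return the fields of one tcpdump TCP line, or None if it is not one."""
    m = TCP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "len": int(d["len"] or 0),           # ack-only segments carry no length
            "ack": int(d["ack"]) if d["ack"] else None,
            "win": int(d["win"])}


def parse_pflog(line):
    """Return rule number, action, direction and interface of a pflog0 line."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per direction: segment count, payload bytes, zero-window advertisements
    and the smallest window seen. Lines that are not TCP are skipped."""
    flows = defaultdict(lambda: {"segments": 0, "bytes": 0, "zero_win": 0, "min_win": None})
    for line in lines:
        p = parse_tcp(line)
        if p is None:
            continue
        f = flows[(p["src"], p["dst"])]
        f["segments"] += 1
        f["bytes"] += p["len"]
        if p["win"] == 0:
            f["zero_win"] += 1
        f["min_win"] = p["win"] if f["min_win"] is None else min(f["min_win"], p["win"])
    return dict(flows)


def stalled_senders(lines):
    """Endpoints advertising win 0 on every segment they send: the peer cannot
    push any data to them until the window opens again."""
    return sorted(src for (src, _dst), f in summarize(lines).items()
                  if f["segments"] and f["zero_win"] == f["segments"])


if __name__ == "__main__":
    for (src, dst), f in summarize(SAMPLE).items():
        print(f"{src} -> {dst}: {f}")
    print("zero-window senders:", stalled_senders(SAMPLE))
```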
bridge ip
Hi

I've got a ne2000 based Card which shows up as ne1 (BNC) and ne3 (RJ45).
Under linux I can assign an ip address to a bridge:

brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0016b6a3ee35       no              vlan0
                                                        eth1

ifconfig br0
br0       Link encap:Ethernet  HWaddr 00:16:B6:A3:EE:35
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:b6ff:fea3:ee35/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4805 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:395441 (386.1 KiB)  TX bytes:617692 (603.2 KiB)

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 br0

so there's no routing issue with having e.g. 10.0.0.100 connected via BNC and 10.0.0.101 via RJ45.

But under 4.0 I am not allowed to assign an ip:

# ifconfig bridge0 create
# brconfig bridge0 add ne1 add ne3
# ifconfig bridge0 10.4.19.1
ifconfig: SIOCAIFADDR: Invalid argument

Is my idea totally wrong?

-- 
Greetings
Chris
Re: don't beat me... IPSec and wlan
On Sunday 17 December 2006 14:41, Jacob Yocom-Piatt wrote:
> Original message
>
> >Date: Sun, 17 Dec 2006 14:00:14 +0100
> >From: "Chris C." <[EMAIL PROTECTED]>
> >Subject: Re: don't beat me... IPSec and wlan
> >To: misc@openbsd.org
> >
> >Is this even possible? I've done some more homework and as I understand it
> >right now I have to add one configuration per client.
>
> search the archives, they contain all the info you need:
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&r=1&w=2
>
> reading the man pages sounds like it would be a good exercise for ya. FYI,
> openbsd tends to not be a howto-driven OS. google will likely cough up such
> a howto if you bother to search more thoroughly.

thanks... did a little more testing and got it working using a pre-shared key and a static ip.
I'll try to figure out how to configure it using dynamic ip (I've already seen I need to config a srcid... but what is the srcid? the mail address I'll have to give during creation of the certificate?) and X.509 next weekend.

-- 
Greetings
Chris
Re: don't beat me... IPSec and wlan
Is this even possible? I've done some more homework and as I understand it right now I have to add one configuration per client.

On Saturday 16 December 2006 18:33, Chris C. wrote:
> Hi,
>
> We're currently (since 4 hours :() building a new wlan for my home network.
> My configuration is as follows:
>
> re0: link to my router (juniper) which is connected to a private line...
> fxp0: link to my workstations
> fxp1: link to my access point (Linksys WRT54GL, acting as a bridge)
> fxp2: optical link to my servers switch
> fxp3: connected to a via board
> ne1: link to a very old device using bnc
> ne3: currently unused
> bridge0: should be ne1 + ne3 in the future...
>
> I want to protect my wlan using ipsec, I've already tried openvpn but I
> don't like the way it works...
> wlan clients get their ip's using dhcp on the 10.0.0.0/24 subnet, it works
> great. I've blocked all incoming traffic on fxp1 using pf, but what I don't
> get to work is ipsec :(
> as I've more than one laptop/wireless devices and there are one or two
> devices added dynamically (usually some friend's laptop...) I need to be
> able to allow multiple peers to connect at the same time.
>
> I've read man 5 ipsec.conf and also some guides on the net (mostly
> outdated...), but don't understand the whole stuff. What do I have to
> configure in ipsec.conf to allow multiple connections from 10.0.0.0/24 to
> my internal LAN and the Internet?
> Could someone guide me to an up-to-date howto/manpage or an example?
>
> Thanks!
don't beat me... IPSec and wlan
Hi,

We're currently (since 4 hours :() building a new wlan for my home network.
My configuration is as follows:

re0: link to my router (juniper) which is connected to a private line...
fxp0: link to my workstations
fxp1: link to my access point (Linksys WRT54GL, acting as a bridge)
fxp2: optical link to my servers switch
fxp3: connected to a via board
ne1: link to a very old device using bnc
ne3: currently unused
bridge0: should be ne1 + ne3 in the future...

I want to protect my wlan using ipsec, I've already tried openvpn but I don't like the way it works...
wlan clients get their ip's using dhcp on the 10.0.0.0/24 subnet, it works great. I've blocked all incoming traffic on fxp1 using pf, but what I don't get to work is ipsec :(
as I've more than one laptop/wireless devices and there are one or two devices added dynamically (usually some friend's laptop...) I need to be able to allow multiple peers to connect at the same time.

I've read man 5 ipsec.conf and also some guides on the net (mostly outdated...), but don't understand the whole stuff. What do I have to configure in ipsec.conf to allow multiple connections from 10.0.0.0/24 to my internal LAN and the Internet?
Could someone guide me to an up-to-date howto/manpage or an example?

Thanks!

-- 
greetings
chris
Re: Home networking for an amateur
On Friday 15 December 2006 06:00, Darrin Chandler wrote:
> On Thu, Dec 14, 2006 at 07:09:22PM -0800, Greg Thomas wrote:
> > On 12/14/06, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> > >At 09:22 PM 12/14/2006 +0100, Erik Wikström wrote:
> > >>I've got a box lying in my basement running OpenBSD 3.7 (probably
> > >> should upgrade that some time but I've never taken the time) acting as
> > >> gateway for both wired and wireless networks. Everything has been
> > >> working flawlessly except one thing; I can not access computers on the
> > >> wireless network from the wired one or vice versa. This has not been
> > >> much of a problem since I'm mostly connecting via the wired network
> > >> but now my mother has gotten herself a laptop and she wishes to be
> > >> able to access another computer to print. Most computers (are not
> > >> mine) and run Windows.
> > >
> > >Your wireless router is probably blocking port 139 (Windows SMB) -
> > > standard practice. Go to the router configuration page and unblock.
> >
> > I didn't know that OpenBSD had a router configuration page.
> > Unfortunately I've looked at his pf.conf for a little bit now and in
> > my caffeine deprived state I don't see anything preventing access
> > between rl0 and ath0.
> >
> > A little detail from the OP on how he is trying to reach the other
> > computers would help. Can he ping by IP? Can he ping by name? Is
> > his mother trying to print via name or IP address?
>
> I can't see anything obviously wrong, either. Then again I'm about 2
> seconds away from falling asleep. tcpdump pflog0 and ping tests seem
> like a good place to start.

I'm pretty new to pf, but isn't

nat on rl1 from ath0:network to any -> (rl1)
nat on rl1 from rl0:network to any -> (rl1)

his problem? In my understanding this will also nat connections from ath0 to rl0.

-- 
Greetings
Chris
CF boot and Ramdisk
Hi,

we're going to build a simple Wlan between a friend's apartment and my house. We decided to run obsd 4.0 as we want to use ipsec for encryption.
One of these systems will have to boot from a CF Card (or any other really silent media if you have suggestions). Since flash media only has limited write cycles and we will need to modify some files from time to time (Port forwards in pf.conf, some files in /var and so on..., logging isn't that important) we want to use a ramdisk (or tmpfs, don't know the exact name) and then sync the data to disk every hour or so.
Is there a Howto for booting openbsd from a CF-Card (using an IDE adapter) and then mounting a ramdisk over /var? (I think we could just symlink files in /etc which we will need to modify to the ramdisk).

-- 
Greetings
Chris
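An added example of the ramdisk-over-/var idea described above, not code from the thread or from OpenBSD: a small sh script that seeds a freshly mounted memory filesystem on /var from a persistent copy kept on the CF card, and when run from cron writes back only files that are new or changed, so the flash card sees one small burst of writes per hour instead of constant logging. The path /var.persist, the script name and the rc.local and crontab hooks are assumptions; the mfs itself is created by the fstab entry described in mount_mfs(8).

```sh
#!/bin/sh
# varsync.sh (hypothetical name). Assumed layout: the persistent copy of /var
# lives on the CF card at /var.persist and an mfs is mounted on /var at boot
# (see mount_mfs(8) for the fstab line). "boot" copies the persistent tree into
# the empty ramdisk once; "flush" copies back only new or changed files.
PERSIST=${PERSIST:-/var.persist}
VOLATILE=${VOLATILE:-/var}

# seed_ramdisk SRC DST: populate the empty ramdisk from the on-card copy,
# preserving ownership and timestamps so a later flush can compare mtimes.
seed_ramdisk() {
    cp -Rp "$1/." "$2/"
}

# flush_ramdisk SRC DST: copy every regular file that is missing on DST or
# has a newer mtime on SRC. Unchanged files are never rewritten, which is
# what keeps the number of flash write cycles down. Prints the number of
# files written, so the hourly cron mail shows what happened.
flush_ramdisk() {
    src=$1
    dst=$2
    (cd "$src" && find . -type f -print) | while read -r f; do
        if [ ! -e "$dst/$f" ] || [ -n "$(find "$src/$f" -newer "$dst/$f")" ]; then
            mkdir -p "$dst/$(dirname "$f")"
            cp -p "$src/$f" "$dst/$f"
            echo "$f"
        fi
    done | wc -l | tr -d ' '
}

# Entry points (assumed hooks): "sh varsync.sh boot" from /etc/rc.local once
# the mfs is mounted, "sh varsync.sh flush" from an hourly root crontab entry.
case "${1:-}" in
    boot)  seed_ramdisk "$PERSIST" "$VOLATILE" ;;
    flush) flush_ramdisk "$VOLATILE" "$PERSIST" ;;
esac
```

Files deleted on the ramdisk are deliberately left on the card; a flush only adds and updates, so a mistake on the volatile side never destroys the persistent copy.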
Multiple pppoe sessions through one nic (howto fake mac)
Hi,

I've two dsl providers but only one line and only one nic in my router. I want to switch this router from Linux to OpenBSD (I've been using OpenBSD for 1 year before as my Mailserver). But there's one question apparently no one could answer:
Is it possible to send different MAC-Addresses through only one nic? I've one DSL-modem and no PCI slot left for a second NIC.
Under Linux I used a patch against rp-pppoe and it worked fine. (option -H xx.xx.xx.xx.xx.xx)
I've found absolutely nothing similar in the ppp/pppoe manpages about it and google found actually one thread, but that was started by me :-)

Any suggestions?

Greetings
Chris