Re: A PHP management interface for OpenBSD ?
I really like the concept, but something you must remember when developing any web app: input validation. Ideally you would have a MySQL database or file that just enables or disables something (literally a 1 or a 0, or true/false), then a secondary program that creates config files from that, with very little that is used as input; maybe an IP address, or small flags. Again, limiting the input so as to remove the possibility for command injections. If done well, this could be great! Done poorly, anyone could own your box via SQL or command injections. Check out OWASP for PHP filters and other programming nuggets.

chefren wrote:

On 1/25/07 1:34 AM, Passeur wrote:

We are in the process of developing a PHP framework with a web frontend to manage the OpenBSD settings through a web browser.

It should be handy, I presume =all= configs, logins, groups, passwords and for example the settings for Apache and PHP itself included?

A friend advised me not to do that because of all the security holes I will introduce on OpenBSD. He advised me to use CGI/Perl rather than PHP. What is your opinion?

Let's punch through all carefully designed security layers of OpenBSD with a 'program' based on the most insecure language of the planet. Clueless.

+++chefren
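The design sketched above (a store of 0/1 toggles and a few small fields, plus a separate program that turns them into config files), as an added shell example that is not from the thread. The key names, the key=value flags-file format and the rc.conf.local-style output are assumptions for the illustration.

```sh
#!/bin/sh
# Added example (not from the thread): the "secondary program" the post
# sketches. The web front end only writes key=value lines into a flags
# file; this script accepts each value only if it has the declared shape
# (a 0/1 toggle or a dotted-quad IPv4 address) and renders the config with
# printf. Nothing read from the file is ever handed to a shell, so there is
# no command to inject into. Keys and output format are assumptions.

# is_flag VALUE: succeed only for exactly "0" or "1" (not "01", "true", "1 ").
is_flag() {
    case "$1" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# is_ipv4 VALUE: succeed only for four dot-separated octets in 0-255.
is_ipv4() {
    # Shape first: only digits and dots, no leading/trailing/double dots.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1            # safe: the string holds only digits and dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_config FLAGS_FILE OUT_FILE
# Every line is validated before anything is written; one bad line means
# no output at all, so a half-rendered config can never be installed.
render_config() {
    flags=$1 out=$2
    ssh_enabled=0 ntp_enabled=0 listen_addr=
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            ssh_enabled) is_flag "$value" || return 1; ssh_enabled=$value ;;
            ntp_enabled) is_flag "$value" || return 1; ntp_enabled=$value ;;
            listen_addr) is_ipv4 "$value" || return 1; listen_addr=$value ;;
            '') ;;                                   # blank line
            *) echo "render_config: unknown key: $key" >&2; return 1 ;;
        esac
    done < "$flags"
    [ -n "$listen_addr" ] || return 1
    {
        printf '# generated from %s; do not edit by hand\n' "$flags"
        printf 'listen_addr=%s\n' "$listen_addr"
        if [ "$ssh_enabled" = 1 ]; then printf 'sshd_flags=""\n'; else printf 'sshd_flags=NO\n'; fi
        if [ "$ntp_enabled" = 1 ]; then printf 'ntpd_flags=""\n'; else printf 'ntpd_flags=NO\n'; fi
    } > "$out"
}

# Usage: render_config /var/db/webui-flags /etc/rc.conf.local.new
```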
Re: Soekris box crashing... drops to ddb
Thanks for looking at this, I think that you are correct... someone had plugged the wrong power adapter into this box, and thusly (6-8 Volts @ 800mA) goofed up the CF card... I think that the extra power of the CF disk IO from the find command caused this box to crash every day. Oh well, live and learn, and smack those that plug in the wrong power cord! I'm CCing misc for the archive so that if someone else runs into these issues they may also have a clue as to what may be going on.

Igor Sobrado wrote:

Hello. It looks like a problem in the CF card. Would it be possible to reinstall the operating system on the Soekris? Does this problem always happen in the same inode? Or, even better, would it be possible to try a new CF card on the Soekris? If you do not have a need for a specific CF card, I would suggest trying a SanDisk CF. These cards are not expensive at all and work fine on the Soekris appliances. Hopefully, it looks like a bad CF card, not a bad Soekris. Cheers, Igor.
Re: CGI Scripts in OpenBSD
Once your scripts are working you could try to copy the files that are needed for the CGI script into the chrooted directory. If the CGI script is a pre-compiled binary that has been linked to other libraries, you can run the following to find out what it needs:

    ldd /var/www/cgi-bin/your-prog

If it's just a CGI script with regular commands, you will have to copy each command into the /var/www directory. So let's say your script runs the banner command; the following shows what could be done to run the command within a chrooted Apache server.

    $ ldd /usr/bin/banner
    /usr/bin/banner:
            Start    End      Type Open Ref GrpRef Name
                              exe  1    0   0      /usr/bin/banner
            0c54d000 2c57e000 rlib 0    1   0      /usr/lib/libc.so.39.0
            0b67a000 0b67a000 rtld 0    1   0      /usr/libexec/ld.so

So we need libc and ld.so with the same paths in /var/www... so:

First, create some of the standard files that many binaries look for:

    mkdir /var/www/etc
    grep www /etc/passwd > /var/www/etc/passwd
    grep localhost /etc/hosts > /var/www/etc/hosts
    cp /etc/resolv.conf /var/www/etc

Next, we will copy the files in place:

    mkdir -p /var/www/usr/bin
    mkdir -p /var/www/usr/lib
    mkdir -p /var/www/usr/libexec
    # Do the following as root, or with sudo
    cp -p /usr/bin/banner /var/www/usr/bin
    cp -p /usr/lib/libc.so.39.0 /var/www/usr/lib
    cp -p /usr/libexec/ld.so /var/www/usr/libexec
    # you may or may not need this...
    mkdir -p /var/www/bin
    cp -p /bin/sh /var/www/bin

There are plenty of FAQs on setting up binaries and scripts to run in a chrooted environment, and I would highly recommend that people start making this stuff work, rather than going for a less secure web server and scripts. It's just a matter of time before Apache has a major flaw, or something in a script fails. Have fun!

Francisco Valladolid wrote:

hi, .. if you are new to OpenBSD, enabling chroot may be difficult for you, I recommend running apache without chroot. Disable it in /etc/rc.conf:

    httpd_flags=-u   # the -u option disables chroot

then you can run your cgi scripts from /var/www/cgi-bin/ only doing chmod 755 script. Regards.

On 11/20/06, Hannah Broughton [EMAIL PROTECTED] wrote:

Hi, I'm completely new to OpenBSD and have been trying to configure Apache to run some CGI scripts. I have Apache working fine, but the CGI scripts are failing with error 500 and the log file reports "Premature end of script header". I am very sure that it is not the script that is wrong; I have the Content-Type header and have read many articles on the net about this error and still can't fix the problem. I have a feeling there may be some config specific to OpenBSD that I may have missed in order to enable the running of CGI scripts?

Thanks for any help,
Hannah
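The staging steps above, done by hand for /usr/bin/banner, as an added shell script that is not from the thread: it parses ldd(1) output in the OpenBSD format quoted above (the Type column is rlib or rtld for shared objects) and copies each object into the chroot at the same path. The sample ldd output is a constructed copy of the one in the post, and /var/www as the chroot root is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): stage a binary plus the shared
# objects ldd(1) reports into the Apache chroot, keeping the same paths
# under the chroot root, as the post does by hand for /usr/bin/banner.

# Constructed copy of the OpenBSD 3.9 ldd output quoted in the post.
# The Type column is exe for the binary itself and rlib/rtld for the
# objects ld.so will need inside the chroot.
SAMPLE_LDD='/usr/bin/banner:
        Start    End      Type Open Ref GrpRef Name
                          exe  1    0   0      /usr/bin/banner
        0c54d000 2c57e000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0b67a000 0b67a000 rtld 0    1   0      /usr/libexec/ld.so'

# deps_from_ldd < LDD_OUTPUT
# Prints the path of every shared-object row, one per line. The Type
# column is matched by value rather than position because the exe row has
# empty Start/End fields, so field numbers are not stable across rows.
# "ld.so" is the Type newer OpenBSD releases print instead of rtld.
deps_from_ldd() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "rlib" || $i == "rtld" || $i == "ld.so") { print $NF; break }
    }'
}

# stage_into_chroot ROOT PATH...
# Copies each absolute PATH to ROOT/PATH, creating the directories first,
# e.g. /usr/lib/libc.so.39.0 -> /var/www/usr/lib/libc.so.39.0.
# cp -p keeps modes and timestamps; ownership stays with the caller (root).
stage_into_chroot() {
    root=$1; shift
    for p in "$@"; do
        case "$p" in
            /*) ;;
            *) echo "stage_into_chroot: not an absolute path: $p" >&2; return 1 ;;
        esac
        mkdir -p "$root$(dirname "$p")" || return 1
        cp -p "$p" "$root$p" || return 1
    done
}

# stage_binary ROOT BIN: run ldd on BIN, then stage BIN and its objects.
# Paths are split on whitespace, which is fine for base-system libraries.
stage_binary() {
    root=$1 bin=$2
    out=$(ldd "$bin") || return 1
    deps=$(printf '%s\n' "$out" | deps_from_ldd)
    # shellcheck disable=SC2086
    stage_into_chroot "$root" "$bin" $deps
}

# sample_deps: the parser applied to the constructed output above.
sample_deps() {
    printf '%s\n' "$SAMPLE_LDD" | deps_from_ldd
}

# Usage on a real system (as root):  stage_binary /var/www /usr/bin/banner
```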
Soekris box crashing... drops to ddb
I'm assuming that this is a bad Soekris box, but I would just like someone else to review the debug output, and maybe shed some light on what happened to cause this kernel panic. This is a base install of OpenBSD with root mounted with noatime, and an mfs mount for the /var partition, as this is running off of a CF card. If anyone has an idea, please let me know, thanks!

--- dmesg and debug output ---

ddb> dmesg
OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
[hardware probe lines omitted]
wd0 at pciide0 channel 0 drive 1: <TOSHIBA THNCF1G02QG>
wd0: 1-sector PIO, LBA, 976MB, 2000880 sectors
wd0(pciide0:0:1): using PIO mode 4
[hardware probe lines omitted]
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
cleaned vnode: type VBAD, usecount 0, writecount 0, holdcount 0,
        tag VT_UFS, ino 44465, on dev 0, 0 flags 0x0, effnlink -1, nlink -1
        mode 017, owner -1, group -1, size -1 not locked
panic: cleaned vnode isn't
Stopped at      Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
[ddb> help and ddb> show command listings omitted]
ddb> show panic
cleaned vnode isn't
ddb> show breaks
No breakpoints set
ddb> trace
Debugger(1646d722,d3c48f40,dab54c60,d3c01a5c,d3c00888) at Debugger+0x4
panic(d051d2e7,d3c01a5c,0,0,dab54c7c) at panic+0x63
getnewvnode(1,d0a57a00,d0a48e00,dab54c90) at getnewvnode+0x1e4
ffs_vget(d0a57a00,adb2,dab54d20,d3b9b5f8) at ffs_vget+0x50
ufs_lookup(dab54d58,30042,d3ac1b48,0,d05a6ea0) at ufs_lookup+0x756
VOP_LOOKUP(d3b9caf8,dab54e48,dab54e5c,20) at VOP_LOOKUP+0x2e
lookup(dab54e38,d3bfe800,400,dab54e50) at lookup+0x1d0
namei(dab54e38,dab54e88,d3ac1b48,0) at namei+0x180
sys_lstat(d3ac1b48,dab54f68,dab54f58,804b2000,8de) at sys_lstat+0x4a
syscall() at syscall+0x2ea
--- syscall (number 293) ---
0x86d6491:
ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT     COMMAND
 32522  17911  29125      0  3      0x4084  piperd   sort
 13724  17911  29125      0  3      0x4084  piperd   xargs
*24091  17911  29125      0  7      0x4004           find
 17911
Re: Custom kernel for Soekris net4801-50
Richard P. Koett wrote:

I'm setting up a Soekris net4801-50 (128 Mb RAM) for use as a firewall. For storage it has a 40Gb IDE drive rather than compact flash. For my first attempt I used a generic install of OpenBSD 3.9. The user complained that Internet access seemed slow, however. I'm planning to try again using a custom kernel based on the config file included with Chris Cappuccio's Flashdist installer. (A copy is provided below for reference.) Is this a good idea? If I go this route I expect I should comment out the MFS option in the Flashdist config since I'm not using compact flash, and uncomment FFS_SOFTUPDATES. Would anyone care to suggest other changes I should make to this config file for my scenario? Any other advice would be appreciated. I have no previous experience with Soekris products and very little experience with custom kernels. I realize that this list is not for supporting people using custom kernels but I hope it's okay to ask a few general questions like this.

Thanks, RPK.

[snip]

My comments fall into the "Any other advice would be appreciated" part.

One thing that I would really recommend is looking into using the compact flash with the memory file system. For a first install, or if you have physical access to the box, a laptop HD is just fine, but when it is sent to a far away place, where power or heat can affect it, always use a CF or solid-state type device. My wife has swapped about 6 Net4801s with laptop HDs for compact flash because the drives fail so quickly. Soekris did create a new case design for the Net4801 with bigger vent holes that may allow for better heat dissipation, but without a fan, the box becomes an oven.

Something else to keep in mind is that if the power fails, the system will have to fsck partitions that were mounted read/write, whereas read-only partitions will not need to be fscked. We had several stupid user tricks where the power failed, and the user would keep cycling the Soekris box before it finished fscking, very annoying! Then just create a cron job to sync the logs to disk (CF or HD) every night. The other reason for not mounting the CF in read/write mode is that CF has a limited number of write cycles (~10,000 gate transitions). Aside from these restrictions, the Soekris boxes just work, and I really like them.
Re: IPSec routing problem when using UDP
You may want to include some more information, like what version of OpenBSD you're running, and what version of OpenVPN you're running. One thing you must remember is that IPSec does not route: packets must match an IPSec profile, and then that packet is wrapped up in an IPSec header and sent across to the remote end. If you can get to it with TCP, but not UDP, you may have either an ARP issue (e.g. UDP tosses the packet and does not try again, and generally it does not get status messages) or a CARP/PF rule set issue. More info is needed before questions can be answered.

Martín Coco wrote:

Hello misc! We are experiencing what seems to be a routing problem when using ipsec flows and udp traffic. We are using OpenVPN for the employees to connect from the outside world to our network. It is configured to use UDP. At the same time, this box has an ipsec tunnel configured to talk between different offices in different countries.

The problem seems to be that, at some point in time, all the udp packets coming from anywhere end up being routed through the enc0 interface, when some of them (the ones coming through the Internet and not from our other office) should be routed normally, without using any ipsec flow. This of course causes all OpenVPN connection attempts coming from the Internet to fail, as they will never receive an answer from the server.

This is not the first time we've encountered this behaviour. I've also seen this happening when using named together with ipsec tunnels. The very same thing would happen (i.e. packets that should go to the Internet being routed via enc0). We have just realised that in both cases, OpenVPN and named, UDP might be in use. When the OpenVPN server begins to misbehave, I can still connect via ssh from the Internet (thus discarding TCP issues). To solve this we have to flush the ipsec tunnels. This seems to solve the issue. The pf rules seem to be alright, keeping state for udp connections.

The only thing that we may be doing wrong is the ipsec flow configuration, but why would it work for some time, to show the detailed behaviour only after a couple of hours? I'll appreciate your input, Martín.
Sparc64 3.9 issue
This may or may not be related to the NIC adaptor, but I will try to describe the problem as best I can.

Hardware: SunBlade 100, Sparc64
NIC: gem0
Issue: About every 2-3 weeks the NIC stops working; issuing an ifconfig down followed by an ifconfig up does something to wake the interface up, and all works... for another couple of weeks. The last time this happened was about 9-10 days ago.

Ideas? Let me know! Dmesg output follows:

console is keyboard/display
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 3.9 (GENERIC) #759: Wed Mar 1 01:32:54 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
total memory = 536870912
avail memory = 478429184
using 3276 buffers containing 26836992 bytes of memory
mainbus0 (root): Sun Blade 100 (UltraSPARC-IIe)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe @ 502 MHz, version 0 FPU
[hardware probe lines omitted]
gem0 at pci0 dev 12 function 1 "Sun ERI Ether" rev 0x01: ivec 3006, address 00:03:ba:0b:72:de
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x0010dd, model 0x0002
[hardware probe lines omitted]
root on wd0a
rootdev=0xc00 rrootdev=0x1a00 rawdev=0x1a02
WARNING: / was not properly unmounted
gem0: receive error: CRC error
[USB KVM hub detach lines omitted]
gem0: receive error: CRC error
[the CRC error line repeats many more times]
Re: Sparc64 3.9 issue
I have replaced the network cable, and the hub that it is attached to... Do we have a case of bit rot here? Or maybe different NIC chip sets... I'm getting a lot of CRC errors, but nothing shows up in netstat -ni:

Name  Mtu   Network       Address              Ipkts Ierrs    Opkts Oerrs  Colls
gem0  1500  <Link>        00:03:ba:0b:72:de  9525295     0  1733115     0 167809
gem0  1500  fe80::%gem0   fe80::203:baff:fe  9525295     0  1733115     0 167809
gem0  1500  192.168.0/    192.168.0.52       9525295     0  1733115     0 167809

fv wrote:

Hello, I'm using the same hardware (Sun Blade 100) and OpenBSD version 3.9. I have no such problem. Maybe it's your network cable. Do you have other strange problems? Maybe it can be your RAM. Here is my dmesg:

[EMAIL PROTECTED]/var/log% dmesg
console is keyboard/display
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 3.9-stable (GENERIC) #0: Wed Jul 5 11:55:19 CEST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
total memory = 1342177280
avail memory = 1212760064
using 8192 buffers containing 67108864 bytes of memory
mainbus0 (root): Sun Blade 100 (UltraSPARC-IIe)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe @ 502 MHz, version 0 FPU
[hardware probe lines omitted]
gem0 at pci0 dev 12 function 1 "Sun ERI Ether" rev 0x01: ivec 3006, address 00:03:ba:0c:ed:19
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x0010dd, model 0x0002
[hardware probe lines omitted]
vr0 at pci1 dev 1 function 0 "VIA VT6105 RhineIII" rev 0x86: ivec a, address 00:11:95:e4:2c:79
ukphy1 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI 0x004063, model 0x0034
[hardware probe lines omitted]
root on wd0a
rootdev=0xc00 rrootdev=0x1a00 rawdev=0x1a02
WARNING: / was not properly unmounted
Re: openvpn to ipsec routing question
Christoph Leser wrote:

Hello, the question is about how to route traffic from an OpenVPN tunnel to an IPsec tunnel. This is my setup:

The OpenBSD gateway has an internal (10.0.1.1/24) and external (x.x.x.x/30) interface. The internal net is NAT'ed to the external interface to provide internet access to hosts on the internal net. Through the external interface an IPsec SA (security association) is established (tunnel mode) between my internal net (10.0.1/24) and another local net of a remote site (10.0.2/24). So hosts on the internal net can reach hosts on the internet (being NAT'ed) as well as hosts on the remote private net 10.0.2/24 (not being NAT'ed).

Now I have set up an OpenVPN server on this box. This OpenVPN server gives out addresses from yet another net (10.0.3/24) to the connected clients. Connections from OpenVPN clients are NAT'ed to the internal interface to make them appear as being directly attached to the local private net (10.0.1/24). So far, it works.

Now I want the clients on the OpenVPN subnet (10.0.3/24) to get access to the remote side of the IPsec SA (10.0.2/24).

Here is an excerpt of my ifconfig and routing table:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:a0:c9:43:07:20
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 fe80::2a0:c9ff:fe43:720%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:a0:c9:30:b3:34
        media: Ethernet autoselect (10baseT)
        status: active
        inet x.x.x.254 netmask 0xfffffffc broadcast x.x.x.255
        inet6 fe80::2a0:c9ff:fe30:b334%fxp1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.0.3.1 --> 10.0.3.2 netmask 0xffffffff

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            x.x.x.254          UGS        11  1211734      -  fxp1
10.0.3/24          10.0.3.2           UGS         0    31900      -  tun0
10.0.3.2           10.0.3.1           UH          1        0      -  tun0
x.x.x.x/30         link#2             UC          1        0      -  fxp1
127/8              127.0.0.1          UGRS        0        0  33224  lo0
127.0.0.1          127.0.0.1          UH          1      392  33224  lo0
10.0.1/24          link#1             UC         11        0      -  fxp0
224/4              127.0.0.1          URS         0        0  33224  lo0

Encap:
Source     Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
10.0.2/24  0     10.0.1/24    0     0      y.y.y.y/50/use/in
10.0.1/24  0     10.0.2/24    0     0      y.y.y.y/50/require/out

where x.x.x.x is the external address of my box, and y.y.y.y is the external address of the remote side of the IPsec tunnel.

I expected this to be sufficient for the routing from 10.0.3/24 to 10.0.2/24. But it is not. Using tcpdump I see that packets entering the gateway via the OpenVPN tun0 interface destined to some host on 10.0.2/24 do not get routed to the IPsec tunnel but are routed directly to the external interface, i.e. a packet with source IP 10.0.3.10 and destination IP 10.0.2.1 is routed as is to the external interface. I assume that the route through the IPsec SA is not taken into account, as the packet to be routed is not from the internal interface. If there were a way to source-NAT the packet when it comes in via the tun interface, i.e. before the routing is done, maybe all would be fine. But I don't know a way to achieve this. The straightforward solution of setting up another IPsec tunnel between 10.0.2/24 and 10.0.3/24 is out of reach due to weird administrative constraints. Any suggestions?

Thanks, Christoph

Try something like... (This was goofy the first time I did it, at least it didn't quite make sense to me..)

    route add -net 10.0.2.0/24 10.0.1.1

This will tell the local OS where to send traffic for the 10.0.2.0/24 network, whereas isakmpd will only process traffic inbound to match an SA (as far as I can tell). Give it a shot, it should work...

-Dave