pf - altq shaping http download
Hi,

I am thinking of implementing altq to limit the download speed to our web server. Ideally I would like to limit everyone, let's say, to 30Kbps/thread, and every source IP is allowed to open 1 download connection only.

Is it possible to differentiate between normal browsing and downloading using PF? So let's say I am dedicating 4Mbps to the web server and would like to assign 3Mbps for the download pool and 1Mbps for surfing, FTP and other network traffic.

Even though we limit the users to 30Kbps/thread, if we have extra bandwidth in the 3Mbps pool we would like to distribute it evenly.

Thanks!
Edy
Re: pf - altq shaping http download
Please disregard this email. Sent to the wrong mailing list :)

Edy wrote:
> Hi,
> I am thinking of implementing altq to limit the download speed to our web server. Ideally I would like to limit everyone, let's say, to 30Kbps/thread, and every source IP is allowed to open 1 download connection only.
> Is it possible to differentiate between normal browsing and downloading using PF? So let's say I am dedicating 4Mbps to the web server and would like to assign 3Mbps for the download pool and 1Mbps for surfing, FTP and other network traffic.
> Even though we limit the users to 30Kbps/thread, if we have extra bandwidth in the 3Mbps pool we would like to distribute it evenly.
> Thanks!
> Edy
create an ISO based on the running system
Good Day,

I have set up an OpenBSD 4.0 box with a bridge firewall, spamd, snort with mysql + BASE, and snort2pf. I would like to create an ISO image of the box so that I could install the exact setup on any system. Is there a document which explains how to achieve this?

Thank you
-e

PS. Wishing everyone a wonderful New Year!!!
Re: auto start mysql and snort OpenBSD 4.0
Thanks to those who have replied :)

The following is the working version:

if [ -x /usr/local/bin/mysqld_safe ]; then
        su -c _mysql root -c '/usr/local/bin/mysqld_safe &' > /dev/null &
        echo -n ' mysql'
        sleep 20
fi

# Start Snort after waiting for Mysql to complete (set it to 20 seconds)
if [ -x /usr/local/bin/snort ]; then
        /usr/local/bin/snort -D -d -i fxp0 -c /etc/snort/snort.conf -u _snort -g _snort > /dev/null &
        echo -n ' snort'
fi

Cheers,
-e

Edy wrote:
> Daniel,
> I have been to that site already and it does not start mysql when the system is rebooted, but I could start mysql by using the command.
> Cheers,
> -e
>
> Daniel Ouellet wrote:
>> Edy wrote:
>>> Hi
>>> I have googled and read the man pages but something is missing here. For example I have the following in my /etc/rc.local
>>>
>>> if [ X"${mysql}" == X"YES" -a -x /usr/local/bin/safe_mysqld ]; then
>>>         echo -n ' mysqld'; /usr/local/share/mysql/mysql.server start
>>> fi
>>>
>>> if [ X"${snort}" == X"YES" -a -x /usr/local/bin/snort ]; then
>>>         echo -n ' snort'; /usr/local/bin/snort -D -d -i fxp0 -c /etc/snort/snort.conf -u _snort -g _snort
>>> fi
>>>
>>> and in my /etc/rc.conf.local
>>>
>>> mysql=YES
>>> snort=YES
>>>
>>> When the system is rebooted, both processes are not started. If I execute, for example,
>>> echo -n ' mysqld'; /usr/local/share/mysql/mysql.server start
>>> from the command line, mysql starts successfully. Any clue?
>>
>> I don't know about snort, but as far as MySQL is concerned, why don't you do it right.
>> http://www.openbsdsupport.org/mysql.htm#/etc/rc.local
>> Then adjust it for your snort needs.
>>
>> Best,
>> Daniel
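The working version above orders snort after MySQL with a fixed "sleep 20". As an added example (not the poster's rc.local and not OpenBSD's own code), the fragment below replaces the fixed delay with a readiness check: snort is started only once the MySQL socket exists, and skipped with a message if it never appears. The socket path /var/run/mysql/mysql.sock and the 30-second limit are assumptions; the start commands themselves are copied from the post.

```shell
#!/bin/sh
# Added example: rc.local-style startup that gates snort on MySQL readiness
# instead of a fixed sleep. The socket path below is an assumption for an
# OpenBSD 4.0-era MySQL package; adjust it to what my.cnf actually uses.
MYSQL_SOCK="${MYSQL_SOCK:-/var/run/mysql/mysql.sock}"

# wait_for_path PATH TIMEOUT_SECONDS
# Poll once a second until PATH exists. Returns 0 as soon as it does,
# 1 if TIMEOUT_SECONDS elapse first.
wait_for_path() {
    _p="$1"
    _t="${2:-20}"
    while [ "$_t" -gt 0 ]; do
        [ -e "$_p" ] && return 0
        sleep 1
        _t=$((_t - 1))
    done
    [ -e "$_p" ]
}

# start_services: same two blocks as the post, but snort waits for the
# socket rather than an arbitrary 20 seconds, so a slow MySQL start no
# longer leaves snort unable to log to the database.
start_services() {
    if [ -x /usr/local/bin/mysqld_safe ]; then
        # su invocation as written in the post (-c _mysql selects the login class)
        su -c _mysql root -c '/usr/local/bin/mysqld_safe &' > /dev/null &
        echo -n ' mysql'
    fi
    if [ -x /usr/local/bin/snort ]; then
        if wait_for_path "$MYSQL_SOCK" 30; then
            /usr/local/bin/snort -D -d -i fxp0 -c /etc/snort/snort.conf \
                -u _snort -g _snort > /dev/null &
            echo -n ' snort'
        else
            echo ' snort: not started, MySQL socket never appeared' >&2
        fi
    fi
}

# In /etc/rc.local this would simply be "start_services"; the guard keeps
# the file inert when sourced for inspection.
case "${1:-}" in
    start) start_services ;;
esac
```

The check is on the socket file rather than on a TCP port so it works even when MySQL is bound to the unix socket only; if the daemon is configured to listen on 127.0.0.1:3306 instead, poll that with nc(1) in the same loop.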
Re: auto start mysql and snort OpenBSD 4.0
Daniel,

I have been to that site already and it does not start mysql when the system is rebooted, but I could start mysql by using the command.

Cheers,
-e

Daniel Ouellet wrote:
> Edy wrote:
>> Hi
>> I have googled and read the man pages but something is missing here. For example I have the following in my /etc/rc.local
>>
>> if [ X"${mysql}" == X"YES" -a -x /usr/local/bin/safe_mysqld ]; then
>>         echo -n ' mysqld'; /usr/local/share/mysql/mysql.server start
>> fi
>>
>> if [ X"${snort}" == X"YES" -a -x /usr/local/bin/snort ]; then
>>         echo -n ' snort'; /usr/local/bin/snort -D -d -i fxp0 -c /etc/snort/snort.conf -u _snort -g _snort
>> fi
>>
>> and in my /etc/rc.conf.local
>>
>> mysql=YES
>> snort=YES
>>
>> When the system is rebooted, both processes are not started. If I execute, for example,
>> echo -n ' mysqld'; /usr/local/share/mysql/mysql.server start
>> from the command line, mysql starts successfully. Any clue?
>
> I don't know about snort, but as far as MySQL is concerned, why don't you do it right.
> http://www.openbsdsupport.org/mysql.htm#/etc/rc.local
> Then adjust it for your snort needs.
>
> Best,
> Daniel
auto start mysql and snort OpenBSD 4.0
Hi

I have googled and read the man pages but something is missing here. For example I have the following in my /etc/rc.local

if [ X"${mysql}" == X"YES" -a -x /usr/local/bin/safe_mysqld ]; then
        echo -n ' mysqld'; /usr/local/share/mysql/mysql.server start
fi

if [ X"${snort}" == X"YES" -a -x /usr/local/bin/snort ]; then
        echo -n ' snort'; /usr/local/bin/snort -D -d -i fxp0 -c /etc/snort/snort.conf -u _snort -g _snort
fi

and in my /etc/rc.conf.local

mysql=YES
snort=YES

When the system is rebooted, both processes are not started. If I execute, for example,

echo -n ' mysqld'; /usr/local/share/mysql/mysql.server start

from the command line, mysql starts successfully. Any clue?

Thanks!!!
Re: brconfig: bridge0: Operation not permitted
Issue resolved! It seems like in 4.0-current you are not allowed to have the hellotime parameter in /etc/bridgename.bridge0; removing that sentence from the file stops the error message.

Cheers,
Edy

Edy wrote:
> Hi
> I am trying to execute the following command from the CLI (as root user)
>
> brconfig bridge0 add fxp0 add fxp1 stp fxp0 stp fxp1 hellotime 2 maxage 20 fwdelay 15 up
>
> but it says the following
>
> brconfig: bridge0: Operation not permitted
>
> After that I executed brconfig bridge0 and it shows that the bridge is up??!!
>
> shu:/root# brconfig bridge0
> bridge0: flags=0<>
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         designated: id 00:03:47:08:a3:66 priority 32768
>         fxp1 flags=ab
>                 port 2 ifpriority 128 ifcost 20 discarding role designated
>         fxp0 flags=ab
>                 port 1 ifpriority 128 ifcost 20 discarding role designated
>         Addresses (max cache: 100, timeout: 240):
>
> any idea?
>
> Thanks,
> edy
brconfig: bridge0: Operation not permitted
Hi

I am trying to execute the following command from the CLI (as root user)

brconfig bridge0 add fxp0 add fxp1 stp fxp0 stp fxp1 hellotime 2 maxage 20 fwdelay 15 up

but it says the following

brconfig: bridge0: Operation not permitted

After that I executed brconfig bridge0 and it shows that the bridge is up??!!

shu:/root# brconfig bridge0
bridge0: flags=0<>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        designated: id 00:03:47:08:a3:66 priority 32768
        fxp1 flags=ab
                port 2 ifpriority 128 ifcost 20 discarding role designated
        fxp0 flags=ab
                port 1 ifpriority 128 ifcost 20 discarding role designated
        Addresses (max cache: 100, timeout: 240):

any idea?

Thanks,
edy
Anyone setup mod_security on bridge PF (transparent firewall) ?
Hi,

I am wondering if anyone has configured a PF transparent firewall to perform mod_security?

Assuming you have 4 interfaces:
ext_if and int_if set up as a bridge
state_if is for pfsync
mgmt_if has an IP address and is able to route to the internet

Cheers,
Edy
Re: spamd deny users from using the SMTP
Good Day,

Port 587 (submission) has been working great and it is enabled on Qmail :)

Thank you.
Edy

Mike Erdely wrote:
> Edy wrote:
>> Spamd is running fine now but when a user tries to send out email using SMTP he gets a "Server temporary failure please try again later" error message. They have to retry many times before the IP address is whitelisted. Any workaround to that?
>
> Making many, many assumptions here. You're running sendmail. MSA is enabled (port 587). Make sure you're not filtering port 587 in pf. Tell your users to submit to port 587 instead of 25.
>
>> We would not be able to add the IP address into the whitelist beforehand because users could be connected from anywhere.
>> Thanks,
>> Edy
>
> -ME
Re: spamd deny users from using the SMTP
Hi Mike,

The MTA is Qmail and it is running on a separate server ...

Thanks,
Edy

Mike Erdely wrote:
> Edy wrote:
>> Spamd is running fine now but when a user tries to send out email using SMTP he gets a "Server temporary failure please try again later" error message. They have to retry many times before the IP address is whitelisted. Any workaround to that?
>
> Making many, many assumptions here. You're running sendmail. MSA is enabled (port 587). Make sure you're not filtering port 587 in pf. Tell your users to submit to port 587 instead of 25.
>
>> We would not be able to add the IP address into the whitelist beforehand because users could be connected from anywhere.
>> Thanks,
>> Edy
>
> -ME
Re: VPN solutions for OpenBSD to Windows
Hi Peter,

Have you looked at OpenVPN? Please check out this document:
http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd

Cheers,
Edy

[EMAIL PROTECTED] wrote:
> Hi gang,
> I'm looking for people's experiences and advice for setting up a VPN between OpenBSD (I will be using 4.0) and Windows XP/2000 systems. I have tested the Greenbow client and it seems ok. What of the built-in VPN client for the Windows OS? I am mostly interested in ease of configuration and reliability of the tunnel. I am ok on IPSEC theory.
> Thanks in advance for any comments,
> Peter
spamd deny users from using the SMTP
Hi,

Spamd is running fine now but when a user tries to send out email using SMTP he gets a "Server temporary failure please try again later" error message. They have to retry many times before the IP address is whitelisted. Any workaround to that?

We would not be able to add the IP address into the whitelist beforehand because users could be connected from anywhere.

Thanks,
Edy
pf http reporting tool
Hi,

I am wondering if there is any tool which is able to show the attacks that have passed through PF and present them in a web-based interface?

Thank you
Edy
Re: Bridge PF with spamd but getting RST packet
Hi Can,

Thank you for your reply. I have tried it for one whole day but it did not work as expected, so right now this is how it is set up:

Internet --> PF --> Load Balancer --> Mail Servers

This PF box has 4 interfaces (ext_if (fxp0), int_if (fxp1), state_if (fxp2) and mgmt_if (fxp3)).

ext_if and int_if are a bridge; ext_if is facing the internet whereas int_if is connected to the internal vlan.

state_if is connected to another pf box using a crossover cable.

mgmt_if is connected to a mgmt vlan. In that vlan we also have the load balancer connected. $mgmt_if has an IP address of 192.168.1.36 and the default gateway is pointing to the load balancer vlan IP address, which is 192.168.1.1.

In order to route the traffic, I have to tell PF to RDR the "unknown" SMTP traffic to the Load Balancer VIP on port 8025. In the load balancer virtual server we have 2 members. These members are the mgmt_if IP addresses of the two PF boxes.

I guess now the limitation is, I can't have a single rule that says: if the requested destination is x, rdr to x.

The following are my PF rules

#SPAMD config
spamvip = "192.168.1.254/32"
solmail = "103.81.46.73/32"
aromail174 = "103.81.46.74/32"
aromail180 = "103.81.46.80/32"

## Spamd Stuff
# Table that spamd updates
# grey host list
table persist
# white host lists
table persist
# This whitelist we are manually maintaining.
table persist file "/etc/whitelist.txt"

rdr pass on $ext_if proto tcp from to $solmail port smtp -> $solmail port smtp
rdr pass on $ext_if proto tcp from to $solmail port smtp -> $solmail port smtp
rdr pass on $ext_if proto tcp from to $aromail174 port smtp -> $aromail174 port smtp
rdr pass on $ext_if proto tcp from to $aromail174 port smtp -> $aromail174 port smtp
rdr pass on $ext_if proto tcp from to $aromail180 port smtp -> $aromail180 port smtp
rdr pass on $ext_if proto tcp from to $aromail180 port smtp -> $aromail180 port smtp
rdr pass on $ext_if proto tcp from ! to any port smtp -> $spamvip port 8025
rdr pass on $ext_if proto tcp from to any port smtp -> $spamvip port 8025
rdr pass on $ext_if proto tcp from ! to any port smtp -> $spamvip port 8025

Thanks,
Edy

Can Erkin Acar wrote:
> Edy <[EMAIL PROTECTED]> wrote:
>> Hi,
>> I am trying to configure spamd on the current bridge PF firewall which is running on OpenBSD 4.0.
>> fxp0 and fxp1 are both set up as bridge interfaces.
>> The following is the rdr rule for spamd:
>>
>> ## Spamd Stuff
>> # Table that spamd updates
>> table persist
>> table persist file "/etc/whitelist.txt"
>> # If not on whitelist, redirect to spamd
>> rdr pass on $ext_if inet proto tcp from ! to any \
>>     port smtp -> 127.0.0.1 port spamd
>> # Because this is a bridge, explicit route to this machine
>> pass out route-to lo0 proto tcp from any to 127.0.0.1 port spamd
>
> try this fragment instead, note that there is no pass in rdr and the route-to is applied to an incoming packet. Using tags to match nat/rdr rules to filter rules is much easier.
>
> # If not on whitelist, redirect to spamd
> rdr on $ext_if inet proto tcp from ! to any \
>     port smtp tag SPAMD -> 127.0.0.1 port spamd
> pass in route-to lo0 tagged SPAMD keep state
>
> Can
Bridge PF with spamd but getting RST packet
Hi,

I am trying to configure spamd on the current bridge PF firewall which is running on OpenBSD 4.0.
fxp0 and fxp1 are both set up as bridge interfaces.
The following is the rdr rule for spamd:

## Spamd Stuff
# Table that spamd updates
table persist
table persist file "/etc/whitelist.txt"
# If not on whitelist, redirect to spamd
rdr pass on $ext_if inet proto tcp from ! to any \
    port smtp -> 127.0.0.1 port spamd
# Because this is a bridge, explicit route to this machine
pass out route-to lo0 proto tcp from any to 127.0.0.1 port spamd

## Spamlogd Stuff
# Keep whitelist hosts from expiring
pass in log inet proto tcp from to any \
    port smtp keep state
# Eventually I'll have a line to whitelist servers that my server talks to.

The above PF rules were obtained from http://cisx1.uma.maine.edu/~wbackman/spamd.html

I have noticed the following when I did a tcpdump on fxp1:

02:18:13.451441 61.65.255.238.13868 > 127.0.0.1.8025: S 3447735838:3447735838(0) win 16384 0,nop,nop,timestamp 470257134 0>
02:18:13.451566 127.0.0.1.8025 > 61.65.255.238.13868: R 0:0(0) ack 3447735839 win 0

Any idea?

Thanks,
Edy
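The two tcpdump lines in the post are the whole symptom: a SYN redirected to 127.0.0.1.8025 is answered by a RST, so no handshake ever reaches spamd. As an added diagnostic (not from the thread and not part of OpenBSD or spamd), the sh/awk filter below reads tcpdump(8) output in the format quoted above and reports every SYN whose peer replied with RST instead of SYN-ACK. The sample lines are constructed: the first two mirror the post, the remaining two are a normal handshake from a documentation-range address added for contrast.

```shell
#!/bin/sh
# Added example: find redirect targets that refuse connections, using the
# tcpdump line format "time src > dst: FLAGS ...". Sample input is constructed.
SAMPLE='02:18:13.451441 61.65.255.238.13868 > 127.0.0.1.8025: S 3447735838:3447735838(0) win 16384
02:18:13.451566 127.0.0.1.8025 > 61.65.255.238.13868: R 0:0(0) ack 3447735839 win 0
02:18:14.100000 203.0.113.5.40001 > 127.0.0.1.8025: S 1:1(0) win 16384
02:18:14.100200 127.0.0.1.8025 > 203.0.113.5.40001: S 2:2(0) ack 2 win 16384'

# rst_after_syn: read tcpdump lines on stdin, print one line per SYN that was
# answered by RST from the host it was sent to. A SYN-ACK (flags "S" followed
# by "ack") clears the pending entry, so completed handshakes are silent.
rst_after_syn() {
    awk '
    {
        src = $2; dst = $4; sub(/:$/, "", dst); flag = $5
        if (flag == "S" && $7 != "ack") {
            pending[src] = dst               # plain SYN: remember who asked whom
        } else if (flag == "R" && (dst in pending) && pending[dst] == src) {
            print "RST " src " -> " dst      # target refused the redirected SYN
            delete pending[dst]
        } else if (flag == "S" && $7 == "ack" && (dst in pending)) {
            delete pending[dst]              # handshake proceeded normally
        }
    }'
}

# rst_report: run the filter over the constructed sample (or a capture piped in).
rst_report() {
    printf '%s\n' "$SAMPLE" | rst_after_syn
}

# Typical live use on the bridge member from the post:
#   tcpdump -n -i fxp1 'tcp port 8025' | rst_after_syn
```

A RST from 127.0.0.1.8025 on the bridge interface means the packet was delivered to the local stack but nothing accepted it there, which is why the reply in the thread moves the route-to onto the incoming, tagged packet rather than an outgoing pass rule.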
help: pf & pop3
hi,

trying to: block all outbound pop3 connections BUT allow one client AND inbound (local mail server) connections.

any suggestion ?
-edy-
help: smmsp
hi,

i keep having the "smmsp" daemon show up in the ps aux list, so it fills up my clientmqueue directory. how do i get rid of this thing ? i've already disabled sendmail.

thanks in advance.
-edy-
iptables vs pf
i suggested to my friend to replace his linux box with openbsd. he uses it mainly as an internet gateway: pf + squid proxy.

after 2 weeks he switched it back to linux and said: linux is much faster to respond to http requests (he had the same configuration on openbsd, pf + squid proxy).

is there any program that can prove what he says ?

thanks.
-edy-
Re: pkg_create error
i'm not sure that i can do that smoothly. the server is our firewall and it's running :
- mrtg
- squid
- openntp

does anyone have a reference site about upgrading 3.4 -> current ? i don't feel confident after i messed up with FBSD 4.11

tia

From: Marc Espie <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Edy Purnomo <[EMAIL PROTECTED]>
CC: misc@openbsd.org
Subject: Re: pkg_create error
Date: Thu, 22 Sep 2005 09:23:02 +0200

On Thu, Sep 22, 2005 at 02:08:39AM +, Edy Purnomo wrote:
> argh!
>
> yes, it's true, i did update the ports by typing cvsup -g -L 2 cvs-supfile
> with conf:
>
> # Defaults that apply to all the collections
> *default host=cvsup.uk.openbsd.org
> *default base=/var
> *default prefix=/usr
> *default release=cvs
> *default delete use-rel-suffix compress
>
> # Ports Collection.
> OpenBSD-ports tag=.
>
> is there any way to get the old ports back to their place ? e.g. extract
> ports.tar.gz from the CD-ROM ?
>
> tia.

Why don't you simply just bite the bullet and go to current, or 3.7, or 3.8 ?
3.4 is fairly old by now...
Re: pkg_create error
argh!

yes, it's true, i did update the ports by typing cvsup -g -L 2 cvs-supfile
with conf:

# Defaults that apply to all the collections
*default host=cvsup.uk.openbsd.org
*default base=/var
*default prefix=/usr
*default release=cvs
*default delete use-rel-suffix compress

# Ports Collection.
OpenBSD-ports tag=.

is there any way to get the old ports back to their place ? e.g. extract ports.tar.gz from the CD-ROM ?

tia.

From: Stuart Henderson <[EMAIL PROTECTED]>
To: Edy Purnomo <[EMAIL PROTECTED]>, misc@openbsd.org
Subject: Re: pkg_create error
Date: Wed, 21 Sep 2005 10:40:38 +0100

--On 21 September 2005 06:21 +, Edy Purnomo wrote:
> Recently, my OBSD 3.4 can not do any port installation. Please advise.

Looks like you're trying to use -current ports on an old OS, which won't work. A huge amount of work has been done on ports/package infrastructure between 3.7 and 3.8. There might be unsupported ways around it, but really, just update the OS. There are many improvements between 3.4 and 3.7, and you'll be set up for an easier move to 3.8.
pkg_create error
Hi all,

Recently, my OBSD 3.4 can not do any port installation. Please advise.

-edy-

===> Faking installation for ntop-1.1
/usr/bin/install -c -o root -g bin -m 6550 ntop /usr/ports/net/ntop/w-ntop-1.1/fake-i386/usr/local/sbin/ntop
/usr/bin/install -c -o root -g bin -m 444 ntop.8 /usr/ports/net/ntop/w-ntop-1.1/fake-i386/usr/local/man/man8/ntop.8
===> Building package for ntop-1.1
pkg_create: unknown option -- W
usage: pkg_create [-Ohv] [-P dpkgs] [-C cpkgs] [-p prefix] [-f contents] [-i iscript] [-k dscript] [-r rscript] [-t template] [-X excludefile] [-D displayfile] [-m mtreefile] -c comment -d description -f packlist -S basedir pkg-name
===> Cleaning for ntop-1.1
rm -f /usr/ports/packages/i386/all/ntop-1.1.tgz
*** Error code 1

Stop in /usr/ports/net/ntop (line 1972 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/net/ntop (line 1242 of /usr/ports/infrastructure/mk/bsd.port.mk).
OpenNTPD on OBSD 3.4
Hi,

How do I install OpenNTPD on OBSD 3.4 ? I've read this from the newsgroup but can't understand it. Please advise.

> the native OpenBSD version needs to live in the src tree under usr.sbin/ntpd/ for make install to work. you can just manually copy the binary and manpages into place tho.