Re: Creating route tables
On Tue, 26 Jul 2011 21:33:14 +0200, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> On Thu, Jul 21, 2011 at 10:20:38PM +0200, Claudio Jeker wrote:
> > On Thu, Jul 21, 2011 at 01:57:10PM -0500, Josh Hoppes wrote:
> > > Thanks for the help and for the better understanding of routing domains
> > > and tables. In the end I was overthinking the problem and didn't
> > > actually need the additional routing table.
> > >
> > > On Thu, Jul 21, 2011 at 10:17 AM, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> > > > On Thu, Jul 21, 2011 at 09:40:44AM +0300, Gregory Edigarov wrote:
> > > > > Josh, the table needs to be created and an interface needs to be
> > > > > assigned to the rdomain like:
> > > > >
> > > > >   ifconfig em0 a.b.c.d/24 rdomain 1
> > > > >
> > > > > then you can use it like, just for example, this:
> > > > >
> > > > >   route -T 1 add e.f.g.h/24 a.b.c.x
> > > > >
> > > > > that does the trick.
> > > >
> > > > Nope. Something sneaked in that makes it impossible to create
> > > > alternative tables. I will have a look.
> > > >
> > > > --
> > > > :wq Claudio
> >
> > Still, here is a diff to fix the problem. route(8) was failing too early.
> > Maybe someone has a better idea on how to solve the gettable() issue in
> > a nicer way.
>
> Is nobody interested in this? route -T 1 add 127.0.0.1 127.0.0.1 should
> work. This is how routing tables are supposed to be created. It would
> suck to be unable to do this. Sending it to tech@ as well.
>
> --
> :wq Claudio
>
> -snip

We're using this diff on two staging systems that will eventually go into
production. Definitely makes creating additional routing tables a lot easier
for us. Thanks, Claudio!
pfctl no longer showing table details in 4.5
Hi,

I've just finished upgrading one of our systems from OpenBSD 4.2 to 4.5. I've run into a small problem with pfctl as it's no longer showing the details for each individual IP address in our tables, just the date the table was last cleared.

/etc/pf.conf:
=============
table <test> { 1.1.1.1/32 1.1.1.2/32 }
pass in from <test>
pass out to <test>

# pfctl -T show -t test
   1.1.1.1
   1.1.1.2
# pfctl -T show -t test -vv
   1.1.1.1
	Cleared:     Sun Jun 21 15:07:38 2009
   1.1.1.2
	Cleared:     Sun Jun 21 15:07:38 2009

On OpenBSD 4.2 typing the last command would show more details, such as the number of states, in/out pass, in/out block, etc. for each IP address in the table.

--
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
Trouble using :peer modifier correctly
Hello,

We're trying to use the :peer modifier to minimize the number of macros in our pf configuration files. For some reason we can't get it to work:

# cat /etc/pf.conf
set skip on lo

block log

pass in quick on fxp0 inet proto tcp from fxp0:peer to fxp0 port ssh
# pfctl -n -f /etc/pf.conf
no IP address found for fxp0:peer
/etc/pf.conf:5: could not parse host specification
# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:a0:c9:5c:a6:72
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 192.168.1.1 netmask 0xfffffffc broadcast 192.168.1.3
	inet6 fe80::2a0:c9ff:fe5c:a672%fxp0 prefixlen 64 scopeid 0x2

We're testing with OpenBSD 4.2 (Release).

Kind regards,
--
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
Re: pfstatd crash?
On Thu, Mar 27, 2008 at 08:43:56AM +, clifford bailey wrote:
> Thanks Daniel, I'll give that a go!
>
> I'm surprised no-one has come across this before, is pfstatd not widely
> used? I'm looking at using custom snmp traps to gather this information
> instead, but that also looks like a non-standard method. What do most
> people use for pf performance monitoring?
>
> Cliff.
-snip

In our environment we parse the `pfctl -vv -s Interfaces -i interface` output with a simple 20+-line Perl script and feed that to rrdtool running on another machine through ssh. No need for a daemon to run on the firewall and Perl is already included in the base install.

--
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
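The 4.5 table post above (only a `Cleared:` line per address) and this reply (a Perl script that scrapes `pfctl -vv -s Interfaces` for rrdtool) both come down to parsing pfctl's verbose counter output. The following is an added example written for this page, not the poster's Perl script and not part of pfctl: a Python parser for both layouts that turns the bracketed `[ Packets: N  Bytes: M ]` pairs into numbers, builds the `N:v1:v2:...` string `rrdtool update` takes, and, for the failure mode in the 4.5 post, refuses to emit zeros when an entry carries no counters at all. The sample output blocks are constructed to match the layout pfctl prints as I know it; the figures are invented and the exact column spacing is an assumption the parser does not rely on.

```python
import re

# Constructed sample output, modelled on the layout pfctl(8) prints for
# "pfctl -T show -t <table> -vv" (per-address counters, as the 4.2 system
# showed them) and for "pfctl -vv -s Interfaces -i <ifname>". The figures
# are made up and the exact column spacing is an assumption.
SAMPLE_TABLE_42 = """\
   1.1.1.1
\tCleared:     Sun Jun 21 15:07:38 2009
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 1234               Bytes: 567890             ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 1200               Bytes: 88000              ]
   1.1.1.2
\tCleared:     Sun Jun 21 15:07:38 2009
\tIn/Block:    [ Packets: 7                  Bytes: 420                ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
"""

# What the 4.5 system in the post prints: addresses and the Cleared
# timestamp, but no counters at all.
SAMPLE_TABLE_45 = """\
   1.1.1.1
\tCleared:     Sun Jun 21 15:07:38 2009
   1.1.1.2
\tCleared:     Sun Jun 21 15:07:38 2009
"""

SAMPLE_IFACE = """\
fxp0
\tCleared:     Sun Jun 21 15:07:38 2009
\tReferences:  [ States:  3                  Rules: 2                  ]
\tIn4/Pass:    [ Packets: 100                Bytes: 6400               ]
\tIn4/Block:   [ Packets: 5                  Bytes: 300                ]
\tOut4/Pass:   [ Packets: 90                 Bytes: 5100               ]
\tOut4/Block:  [ Packets: 0                  Bytes: 0                  ]
"""

# Matches "[ Packets: N   Bytes: M ]" as well as "[ States: N   Rules: M ]".
COUNTER_RE = re.compile(r"\[\s*(\w+):\s*(\d+)\s+(\w+):\s*(\d+)\s*\]")


def parse_pfctl_vv(text):
    """Parse -vv output into {entry: {field: value}}.

    An entry (table address or interface name) is any non-blank line that is
    not tab-indented; the tab-indented "Key: value" lines below it belong to
    it. Bracketed counter pairs become {"Packets": n, "Bytes": n} dicts and
    anything else (the Cleared timestamp) stays a string.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t"):
            current = line.strip()
            entries[current] = {}
            continue
        if current is None:
            raise ValueError("detail line before any entry: %r" % line)
        key, _, value = line.strip().partition(":")
        value = value.strip()
        m = COUNTER_RE.match(value)
        if m:
            entries[current][key] = {m.group(1): int(m.group(2)),
                                     m.group(3): int(m.group(4))}
        else:
            entries[current][key] = value
    return entries


def entries_without_counters(entries):
    """Entries that carry no counter dict at all (the 4.5 situation in the
    post). A monitoring script should treat these as 'no data', not as
    zero traffic."""
    return [name for name, fields in entries.items()
            if not any(isinstance(v, dict) for v in fields.values())]


def rrd_update_args(fields, wanted):
    """Build the 'N:v1:v2:...' argument for 'rrdtool update': for each wanted
    field, its two numbers in the order pfctl printed them (packets, bytes).
    Returns None if a wanted counter is missing so the caller can skip the
    update instead of feeding zeros into the database."""
    values = []
    for name in wanted:
        counter = fields.get(name)
        if not isinstance(counter, dict):
            return None
        values.extend(str(v) for v in counter.values())
    return "N:" + ":".join(values)


if __name__ == "__main__":
    iface = parse_pfctl_vv(SAMPLE_IFACE)["fxp0"]
    print(rrd_update_args(iface, ["In4/Pass", "In4/Block", "Out4/Pass", "Out4/Block"]))
    print(entries_without_counters(parse_pfctl_vv(SAMPLE_TABLE_45)))
```

On a firewall this would be fed from `pfctl -vv -s Interfaces -i fxp0` via `subprocess`, with the resulting string shipped over ssh to the rrdtool host exactly as the Perl version does; the `None` return is the check that keeps an upgrade like the 4.2 to 4.5 one from silently flat-lining a graph.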
Typo in 007_kroute.patch
Hi,

The paths in the build instructions are wrong:

cd /usr/src/usr/usr.sbin/ospfd
-should be-
cd /usr/src/usr.sbin/ospfd

cd /usr/src/usr/usr.sbin/ripd
-should be-
cd /usr/src/usr.sbin/ripd

Kind regards,
--
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
Re: Apache Log Rotation - FAQ 10.16
We're using the following in our newsyslog.conf file:

(/usr/sbin/apachectl stop; (while /usr/bin/pgrep httpd > /dev/null 2>&1; do /bin/sleep 1; done); /usr/sbin/apachectl start) > /dev/null 2>&1

On Fri, Dec 09, 2005 at 01:45:51PM +0800, Uwe Dippel wrote:
> There are many posts on this problem; and the reason is understood.
> To me, the FAQ 10.16 seems wrong:
>
> Log Rotation: Normally, logs are rotated by renaming the old files, then
> sending httpd(8) a SIGUSR1 signal to cause Apache to close its old log
> files and open new ones. This is no longer possible, as httpd(8) has no
> ability to open log files for writing once privileges are dropped.
> httpd(8) must be stopped and restarted:
>
> # apachectl stop && apachectl start
>
> This is all I get here:
>
> # apachectl stop
> /usr/sbin/apachectl stop: httpd stopped
> /usr/sbin/apachectl start: httpd (pid 18132) already running
>
> In the end, it doesn't restart; leaving the users out until I wait and
> restart httpd. And the log isn't rotated either.
>
> Chances are, the author meant something like
>
> # apachectl stop
> # [newsyslog or similar]
> # apachectl start
>
> If the text in the FAQ just kills httpd, it ought to be corrected, AFAICS.
>
> Could you please share your preferred methods to rotate the /var/www/logs/, ?
>
> Thanks,
> Uwe

--
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
Cryptographic authentication ospfd not working?
Hi,

Does anyone know if MD5 authentication in ospfd is known to be broken? In our test environment things work fine without authentication or with simple authentication turned on, but as soon as we turn on MD5 authentication things break. We're using the snapshot of October 13th and a Cisco 3640 router (IOS 12.1(5)). If this is an unknown problem I will submit a bug report.

Without authentication:
=======================

Cisco:
------
Router#sh run
-snip
!
interface Loopback0
 ip address 192.168.255.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
-snip
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
!
-snip
end

Router#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.2       1   FULL/BDR        00:00:32    192.168.0.2     FastEthernet0/0

OpenBSD:
--------
# cat /etc/ospfd.conf
router-id 192.168.0.2

area 0 {
	interface xl0 {
		router-priority 1
	}
}

# ospfctl sh nei
ID              Pri State    DeadTime Address         Interface
192.168.255.1   1   FULL/DR  00:00:37 192.168.0.1     xl0

With MD5 authentication enabled:
================================

Cisco:
------
Router#sh run
-snip
!
interface Loopback0
 ip address 192.168.255.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 openbsd
 duplex auto
 speed auto
!
-snip
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 192.168.0.0 0.0.255.255 area 0
!
-snip
end

Router#sh ip ospf nei
Router#
Router#debug ip ospf adj
OSPF adjacency events debugging is on
Router#
01:34:47: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:34:57: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:34:57: OSPF: Send with youngest Key 1
01:35:07: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:35:07: OSPF: Send with youngest Key 1
01:35:17: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:35:17: OSPF: Send with youngest Key 1
01:35:27: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:35:27: OSPF: Send with youngest Key 1
01:35:37: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:35:37: OSPF: end of Wait on interface FastEthernet0/0
01:35:37: OSPF: DR/BDR election on FastEthernet0/0
01:35:37: OSPF: Elect BDR 192.168.255.1
01:35:37: OSPF: Elect DR 192.168.255.1
01:35:37: OSPF: Elect BDR 0.0.0.0
01:35:37: OSPF: Elect DR 192.168.255.1
01:35:37:        DR: 192.168.255.1 (Id)   BDR: none
01:35:37: OSPF: Send with youngest Key 1
01:35:37: OSPF: No full nbrs to build Net Lsa for interface FastEthernet0/0

OpenBSD:
--------
# cat /etc/ospfd.conf
router-id 192.168.0.2

area 0 {
	interface xl0 {
		router-priority 1
		auth-type crypt
		auth-md 1 openbsd
	}
}

# ospfd -d -v
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 192.168.0.0/24
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface xl0
if_fsm: event UP resulted in action START and changing state for interface xl0 from DOWN to WAITING
start_spf_timer: IDLE -> DELAY
spf_calc: calculation started, area ID 0.0.0.0
spf_calc: calculation ended, area ID 0.0.0.0
spf_start_holdtimer: DELAY -> HOLD
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
spf_timer: state HOLD -> IDLE
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
if_act_elect: interface xl0 old dr none new dr 192.168.0.2, old bdr none new bdr none
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface xl0
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface xl0
if_fsm: event WAITTIMER resulted in action ELECT and changing state for interface xl0 from WAITING to DR
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
^Ckernel routing table decoupled
route decision engine exiting
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface xl0
if_fsm: event DOWN resulted in action RESET and changing state for interface xl0 from DR to DOWN
if_del: interface xl0
terminating
#

--
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
Re: Cryptographic authentication ospfd not working?
On Fri, Oct 28, 2005 at 10:33:52AM +0159, Claudio Jeker wrote:
> On Fri, Oct 28, 2005 at 02:15:24PM +0700, Egbert Krook wrote:
> > Hi,
> >
> > Does anyone know if MD5 authentication in ospfd is known to be broken?
> > In our test environment things work fine without authentication or
> > simple authentication turned on, but as soon as we turn on MD5
> > authentication things break. We're using the snapshot of October 13th
> > and a Cisco 3640 router (IOS 12.1(5)). If this is an unknown problem I
> > will submit a bug report.
> >
> > ...
> >
> > OpenBSD:
> > # cat /etc/ospfd.conf
> > router-id 192.168.0.2
> >
> > area 0 {
> > 	interface xl0 {
> > 		router-priority 1
> > 		auth-type crypt
> > 		auth-md 1 openbsd
>
> Here an auth-md-keyid 1 is missing. Have to look what happens in that
> case but I guess it is not using the right key.

No go. I didn't include the statement because the man page mentions that the default key-id is 1. I've tried with a Cisco 2501, running IOS 11.2, and the same problem occurs. Is there anything else you can suggest me to try?

> > 	}
> > }
>
> --
> :wq Claudio

--
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
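The original report and this reply both hinge on how OSPFv2 cryptographic authentication is computed and on which key id each side uses. The following is an added example, written for this page and not taken from ospfd, IOS or the thread: a Python implementation of the RFC 2328 Appendix D.4.3 procedure (AuType 2, the authentication field carrying key id, digest length 16 and a cryptographic sequence number, and a trailing 16-byte digest equal to MD5 over the packet followed by the zero-padded key) with the receiver side keyed by key id. The packet values (router-id 192.168.0.2, area 0, key id 1, key `openbsd`) are taken from the post; the function names, the Hello contents and the sequence numbers are my own constructed inputs. It shows the three ways an exchange like the one in the thread fails: the key id in the packet is not configured, the two sides hold different key strings for the same key id, or the packet was altered in flight.

```python
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_CRYPT = 2            # AuType 2: cryptographic authentication (RFC 2328 A.3.1)
OSPF_HDR_LEN = 24
DIGEST_LEN = 16
# version, type, length, router id, area id, checksum, AuType,
# reserved, key id, auth data length, cryptographic sequence number
OSPF_HDR = "!BBH4s4sHHHBBI"


def ip(addr):
    return socket.inet_aton(addr)


def pad_key(key):
    """The digest key is 16 bytes (RFC 2328 D.3); a shorter configured
    string such as b'openbsd' is zero-padded on the right."""
    if len(key) > DIGEST_LEN:
        raise ValueError("MD5 key longer than 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_hello_body(netmask, hello_interval, options, priority,
                     dead_interval, dr, bdr, neighbors=()):
    """Hello packet body (RFC 2328 A.3.2): mask, HelloInterval, Options,
    Rtr Pri, RouterDeadInterval, DR, BDR, then the neighbour list."""
    body = struct.pack("!4sHBBI4s4s", ip(netmask), hello_interval, options,
                       priority, dead_interval, ip(dr), ip(bdr))
    return body + b"".join(ip(n) for n in neighbors)


def build_ospf_md5_packet(ptype, router_id, area_id, body, key_id, seq, key):
    """Sender side (RFC 2328 D.4.3): checksum field 0, AuType 2, the 64-bit
    authentication field holds (0, key id, 16, sequence number), and the
    trailer is MD5(packet || padded key). The trailer is not counted in the
    header length field."""
    length = OSPF_HDR_LEN + len(body)
    header = struct.pack(OSPF_HDR, OSPF_VERSION, ptype, length, ip(router_id),
                         ip(area_id), 0, AUTH_CRYPT, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_ospf_md5(data, keys, last_seq=None):
    """Receiver side: select the key by the key id carried in the header
    (what auth-md / auth-md-keyid configure, as a {key_id: key} dict),
    recompute the digest over packet || padded key and compare in constant
    time. Returns (ok, reason); the reasons correspond to what ospfd logs as
    'authentication error' / 'invalid MD5 digest'."""
    if len(data) < OSPF_HDR_LEN + DIGEST_LEN:
        return False, "packet too short"
    (ver, ptype, length, router_id, area_id, csum, autype,
     _res, key_id, auth_len, seq) = struct.unpack(OSPF_HDR, data[:OSPF_HDR_LEN])
    if ver != OSPF_VERSION:
        return False, "not OSPFv2"
    if autype != AUTH_CRYPT:
        return False, "AuType %d is not cryptographic" % autype
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(data):
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, "no key configured for key id %d" % key_id
    # The sequence number is the only replay protection this scheme has:
    # a neighbour's sequence must not go backwards.
    if last_seq is not None and seq < last_seq:
        return False, "replayed sequence number"
    packet, received = data[:length], data[length:]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, received):
        return False, "invalid MD5 digest"
    return True, "ok"


if __name__ == "__main__":
    body = build_hello_body("255.255.255.0", 10, 0x02, 1, 40, "0.0.0.0", "0.0.0.0")
    pkt = build_ospf_md5_packet(OSPF_HELLO, "192.168.0.2", "0.0.0.0", body, 1, 1, b"openbsd")
    print(verify_ospf_md5(pkt, {1: b"openbsd"}))    # both sides agree
    print(verify_ospf_md5(pkt, {1: b"0penbsd"}))    # same key id, different key string
    print(verify_ospf_md5(pkt, {2: b"openbsd"}))    # key id 1 not configured
```

Read against the thread: the Cisco debug line names "Message Digest Key 1", so the router found key id 1 in the packet and had a key 1 configured; the disagreement was in the digest itself, which is the second failure case above rather than the missing-key-id case. Note also that the construction is plain MD5 over data plus a secret, not an HMAC, and that the sequence number is its only replay defence.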