Re: Creating route tables

2011-07-27 Thread Egbert Krook
On Tue, 26 Jul 2011 21:33:14 +0200, Claudio Jeker
cje...@diehard.n-r-g.com wrote:
 On Thu, Jul 21, 2011 at 10:20:38PM +0200, Claudio Jeker wrote:
 On Thu, Jul 21, 2011 at 01:57:10PM -0500, Josh Hoppes wrote:
  Thanks for the help and for the better understanding of routing
  domains and tables. In the end I was overthinking the problem and
  didn't actually need the additional routing table.
  
  On Thu, Jul 21, 2011 at 10:17 AM, Claudio Jeker
  cje...@diehard.n-r-g.com wrote:
   On Thu, Jul 21, 2011 at 09:40:44AM +0300, Gregory Edigarov wrote:
   Josh,
  
   the table needs to be created and an interface needs to be assigned to
   the rdomain like:
  
   ifconfig  em0 a.b.c.d/24 rdomain 1
  
   then you can use it like, just for example, this:
   route -T 1 add e.f.g.h/24 a.b.c.x
  
   that does the trick.
  
   Nope. Something sneaked in that makes it impossible to create alternative
   tables. I will have a look.
  
   --
   :wq Claudio
  
 
 Still here is a diff to fix the problem. route(8) was failing too early.
 Maybe someone has a better idea on how to solve the gettable() issue in a
 nicer way.
 
 
 Is nobody interested in this?
 
 route -T 1 add 127.0.0.1 127.0.0.1 should work. This is how routing tables
 are supposed to be created. It would suck to be unable to do this.
 
 Sending it to tech@ as well.
 -- 
 :wq Claudio
 -snip

We're using this diff on two staging systems that will eventually go into
production. Definitely makes creating additional routing tables a lot
easier for us. Thanks, Claudio!



pfctl no longer showing table details in 4.5

2009-06-21 Thread Egbert Krook
Hi,

I've just finished upgrading one of our systems from OpenBSD 4.2 to 4.5.

I've run into a small problem with pfctl as it's no longer showing the
details for each individual IP address in our tables, just the date the
table was last cleared.

/etc/pf.conf:
=

table <test> { 1.1.1.1/32 1.1.1.2/32 }

pass in from <test>
pass out to <test>


# pfctl -T show -t test
   1.1.1.1
   1.1.1.2

# pfctl -T show -t test -vv
   1.1.1.1
Cleared: Sun Jun 21 15:07:38 2009
   1.1.1.2
Cleared: Sun Jun 21 15:07:38 2009

On OpenBSD 4.2 typing the last command would show more details, such as the
number of states, in/out pass, in/out block, etc. for each IP address in
the table.

-- 
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.



Trouble using :peer modifier correctly

2008-03-30 Thread Egbert Krook
Hello,

We're trying to use the :peer modifier to minimize the number of macros
in our pf configuration files.

For some reason we can't get it to work:

# cat /etc/pf.conf
set skip on lo

block log

pass in quick on fxp0 inet proto tcp from fxp0:peer to fxp0 port ssh

# pfctl -n -f /etc/pf.conf
no IP address found for fxp0:peer
/etc/pf.conf:5: could not parse host specification

# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:a0:c9:5c:a6:72
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 192.168.1.1 netmask 0xfffffffc broadcast 192.168.1.3
inet6 fe80::2a0:c9ff:fe5c:a672%fxp0 prefixlen 64 scopeid 0x2

We're testing with OpenBSD 4.2 (Release).

Kind regards,

-- 
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.



Re: pfstatd crash?

2008-03-27 Thread Egbert Krook
On Thu, Mar 27, 2008 at 08:43:56AM +, clifford bailey wrote:
 Thanks Daniel, I'll give that a go!
 
 I'm surprised no-one has come across this before, is pfstatd not widely 
 used? I'm looking at using custom snmp traps to gather this information 
 instead, but that also looks like a non-standard method. What do most 
 people use for pf performance monitoring?
 
 
 Cliff.
 
 -snip

In our environment we parse the pfctl -vv -s Interfaces -i interface
output with a simple 20+-line Perl script and feed that to rrdtool running
on another machine through ssh.

No need for a daemon to run on the firewall and Perl is already included
in the base install.

-- 
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
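A parser for that interface output, as an added example in Python rather than the poster's Perl script (it is not the poster's code). The sample block is constructed in the layout of `pfctl -vv -s Interfaces -i em0` on OpenBSD 4.x, and the RRD path and data-source order are assumptions.

```python
import re

# Constructed sample in the layout of `pfctl -vv -s Interfaces -i em0` on
# OpenBSD 4.x; the counters are totals since the "Cleared" timestamp.
SAMPLE = """\
em0
\tCleared:     Thu Mar 27 08:43:56 2008
\tReferences:  [ States:  12                 Rules: 5                  ]
\tIn4/Pass:    [ Packets: 123456             Bytes: 98765432           ]
\tIn4/Block:   [ Packets: 12                 Bytes: 720                ]
\tOut4/Pass:   [ Packets: 120000             Bytes: 87654321           ]
\tOut4/Block:  [ Packets: 0                  Bytes: 0                  ]
\tIn6/Pass:    [ Packets: 0                  Bytes: 0                  ]
\tIn6/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut6/Pass:   [ Packets: 0                  Bytes: 0                  ]
\tOut6/Block:  [ Packets: 0                  Bytes: 0                  ]
"""

COUNTER_RE = re.compile(
    r"^\s*(In|Out)(4|6)/(Pass|Block):\s*\[\s*Packets:\s*(\d+)\s+Bytes:\s*(\d+)")
REFS_RE = re.compile(r"^\s*References:\s*\[\s*States:\s*(\d+)\s+Rules:\s*(\d+)")

# Data sources in the order the (assumed) RRD was created with. The counters
# only grow until the statistics are cleared, so COUNTER/DERIVE types fit.
DS_ORDER = ("in4_pass_bytes", "in4_block_bytes",
            "out4_pass_bytes", "out4_block_bytes", "states")


def parse_iface_stats(text):
    """Map one interface block to {'in4_pass_packets': n, ..., 'states': n}."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            direction, af, action, packets, nbytes = m.groups()
            key = f"{direction.lower()}{af}_{action.lower()}"
            stats[key + "_packets"] = int(packets)
            stats[key + "_bytes"] = int(nbytes)
            continue
        m = REFS_RE.match(line)
        if m:
            stats["states"], stats["rules"] = int(m.group(1)), int(m.group(2))
    return stats


def rrd_update_args(stats, rrd="/var/rrd/pf-em0.rrd", timestamp="N"):
    """argv for `rrdtool update`; a missing counter becomes 'U' (unknown)."""
    values = ":".join(str(stats.get(ds, "U")) for ds in DS_ORDER)
    return ["rrdtool", "update", rrd, f"{timestamp}:{values}"]


if __name__ == "__main__":
    # In production the text comes from `pfctl -vv -s Interfaces -i em0`
    # and the argv is run on the rrdtool host over ssh.
    print(" ".join(rrd_update_args(parse_iface_stats(SAMPLE))))
```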



Typo in 007_kroute.patch

2007-05-01 Thread Egbert Krook
Hi,

The paths in the build instructions are wrong:

cd /usr/src/usr/usr.sbin/ospfd
-should be-
cd /usr/src/usr.sbin/ospfd

cd /usr/src/usr/usr.sbin/ripd
-should be-
cd /usr/src/usr.sbin/ripd

Kind regards,

-- 
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.



Re: Apache Log Rotation - FAQ 10.16

2005-12-09 Thread Egbert Krook
We're using the following in our newsyslog.conf file:

(/usr/sbin/apachectl stop; (while `/usr/bin/pgrep httpd > /dev/null 2>&1`; do 
/bin/sleep 1; done); /usr/sbin/apachectl start) > /dev/null 2>&1

On Fri, Dec 09, 2005 at 01:45:51PM +0800, Uwe Dippel wrote:
 There are many posts on this problem; and the reason is understood.
 
 To me, the FAQ 10.16 seems wrong:
 
 Log Rotation: Normally, logs are rotated by renaming the old files, 
 then sending httpd(8) a SIGUSR1 signal to cause Apache to close its old
 log files and open new ones. This is no longer possible, as httpd(8) has
 no ability to open log files for writing once privileges are dropped.
 httpd(8) must be stopped and restarted:
 # apachectl stop && apachectl start
 
 This is all I get here:
 # apachectl stop  
 /usr/sbin/apachectl stop: httpd stopped
 /usr/sbin/apachectl start: httpd (pid 18132) already running
 
 In the end, it doesn't restart; leaving the users out until I wait and
 restart httpd
 
 And the log isn't rotated neither. Chances are, the author meant something
 like
 # apachectl stop
 # [newsyslog or similar]
 # apachectl start
 
 If the text in the FAQ just kills httpd, it ought to be corrected, AFAICS.
 
 Could you please share your preferred methods to rotate the
 /var/www/logs/, ?
 
 Thanks,
 
 Uwe
 

-- 
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.

And that's why we were unable to move the process forward.



Cryptographic authentication ospfd not working?

2005-10-28 Thread Egbert Krook
Hi,

Does anyone know if MD5 authentication in ospfd is known to be broken? In
our test environment things work fine without authentication or simple
authentication turned on, but as soon as we turn on MD5 authentication
things break.

We're using the snapshot of October 13th and a Cisco 3640 router (IOS
12.1(5)). If this is an unknown problem I will submit a bug report.

Without authentication:
===

Cisco:
--

Router#sh run
-snip
!
interface Loopback0
 ip address 192.168.255.1 255.255.255.255
! 
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
-snip
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
!
-snip
end

Router#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.2       1   FULL/BDR        00:00:32    192.168.0.2     FastEthernet0/0


OpenBSD:


# cat /etc/ospfd.conf  
router-id 192.168.0.2

area 0 {
	interface xl0 {
		router-priority 1
	}
}

# ospfctl sh nei  
ID  Pri State DeadTime  Address Interface
192.168.255.1   1   FULL/DR   00:00:37  192.168.0.1 xl0


With MD5 authentication enabled:


Cisco:
--

Router#sh run 
-snip
!
interface Loopback0
 ip address 192.168.255.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 openbsd 
 duplex auto
 speed auto
!
-snip
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 192.168.0.0 0.0.255.255 area 0
!
-snip
end

Router#sh ip ospf nei

Router#
Router#debug ip ospf adj
OSPF adjacency events debugging is on
Router#
01:34:47: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:34:57: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:34:57: OSPF: Send with youngest Key 1
01:35:07: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:35:07: OSPF: Send with youngest Key 1
01:35:17: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:35:17: OSPF: Send with youngest Key 1
01:35:27: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:35:27: OSPF: Send with youngest Key 1
01:35:37: OSPF: Rcv pkt from 192.168.0.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
01:35:37: OSPF: end of Wait on interface FastEthernet0/0
01:35:37: OSPF: DR/BDR election on FastEthernet0/0 
01:35:37: OSPF: Elect BDR 192.168.255.1
01:35:37: OSPF: Elect DR 192.168.255.1
01:35:37: OSPF: Elect BDR 0.0.0.0
01:35:37: OSPF: Elect DR 192.168.255.1
01:35:37:DR: 192.168.255.1 (Id)   BDR: none 
01:35:37: OSPF: Send with youngest Key 1
01:35:37: OSPF: No full nbrs to build Net Lsa for interface FastEthernet0/0


OpenBSD:


# cat /etc/ospfd.conf
router-id 192.168.0.2

area 0 {
	interface xl0 {
		router-priority 1
		auth-type crypt
		auth-md 1 openbsd
	}
}

# ospfd -d -v 
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 192.168.0.0/24
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface xl0
if_fsm: event UP resulted in action START and changing state for interface xl0 from DOWN to WAITING
start_spf_timer: IDLE - DELAY
spf_calc: calculation started, area ID 0.0.0.0
spf_calc: calculation ended, area ID 0.0.0.0
spf_start_holdtimer: DELAY - HOLD
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
spf_timer: state HOLD - IDLE
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
if_act_elect: interface xl0 old dr none new dr 192.168.0.2, old bdr none new bdr none
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface xl0
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface xl0
if_fsm: event WAITTIMER resulted in action ELECT and changing state for interface xl0 from WAITING to DR
auth_validate: invalid MD5 digest, interface xl0
recv_packet: authentication error, interface xl0
^Ckernel routing table decoupled
route decision engine exiting
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface xl0
if_fsm: event DOWN resulted in action RESET and changing state for interface xl0 from DR to DOWN
if_del: interface xl0
terminating
#

-- 
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.



Re: Cryptographic authentication ospfd not working?

2005-10-28 Thread Egbert Krook
On Fri, Oct 28, 2005 at 10:33:52AM +0159, Claudio Jeker wrote:
 On Fri, Oct 28, 2005 at 02:15:24PM +0700, Egbert Krook wrote:
  Hi,
  
  Does anyone know if MD5 authentication in ospfd is known to be broken? In
  our test environment things work fine without authentication or simple
  authentication turned on, but as soon as we turn on MD5 authentication
  things break.
  
  We're using the snapshot of October 13th and a Cisco 3640 router (IOS
  12.1(5)). If this is an unknown problem I will submit a bug report.
  
 
 ...
 
  OpenBSD:
  
  
  # cat /etc/ospfd.conf
  router-id 192.168.0.2
  
  area 0 {
  interface xl0 {
  router-priority 1   
  auth-type crypt
  auth-md 1 openbsd
 
 Here an auth-md-keyid 1 is missing.
 Have to look what happens in that case but I guess it is not using
 the right key.

No go. I didn't include the statement because the man page mentions that
the default key-id is 1. I've tried with a Cisco 2501, running IOS 11.2,
and the same problem occurs. Is there anything else you can suggest I try?

 
  }
  }
  
 
 -- 
 :wq Claudio
 

-- 
Egbert Krook
System/Network Engineer
Amarin Printing and Publishing Public Co., Ltd.
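The digest that the Cisco "Mismatch Authentication Key" log and ospfd's `auth_validate: invalid MD5 digest` are disagreeing about in the two messages above is the RFC 2328 Appendix D cryptographic authentication trailer. The following Python example is added here and is neither ospfd's code nor anything posted in the thread: it builds a Hello with the thread's router ID, area, key id 1 and key "openbsd", then verifies it the way a receiver must (key selected by the key id carried in the header, digest recomputed over packet plus zero-padded key, sequence number checked). The Hello body and the sequence number are constructed values.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 header (RFC 2328 A.3.1); with AuType 2 the 64-bit authentication
# field holds zero, key id, auth data length and a crypto sequence number.
OSPF_HDR = struct.Struct("!BBH4s4sHHHBBI")
AUTH_CRYPT, DIGEST_LEN = 2, 16


def pad_key(key):
    """D.3: the secret is 16 bytes; shorter keys are zero-padded."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_packet(ptype, router_id, area_id, body, key_id, key, seq):
    """Header + body + MD5 trailer (D.4.3): digest = MD5(packet || padded key),
    checksum field zero, length field excludes the 16-byte trailer."""
    length = OSPF_HDR.size + len(body)
    hdr = OSPF_HDR.pack(2, ptype, length, socket.inet_aton(router_id),
                        socket.inet_aton(area_id), 0, AUTH_CRYPT, 0,
                        key_id, DIGEST_LEN, seq)
    return hdr + body + hashlib.md5(hdr + body + pad_key(key)).digest()


def verify(raw, keyring, last_seq=0):
    """Receiver side: pick the key by the id in the header, recompute the
    digest, reject a sequence number that goes backwards. keyring maps
    key id -> key bytes; returns (ok, reason)."""
    if len(raw) < OSPF_HDR.size + DIGEST_LEN:
        return False, "short packet"
    ver, _, length, _, _, _, autype, _, key_id, alen, seq = OSPF_HDR.unpack_from(raw)
    if ver != 2 or autype != AUTH_CRYPT or alen != DIGEST_LEN:
        return False, "not OSPFv2 cryptographic authentication"
    if length + DIGEST_LEN > len(raw):
        return False, "length mismatch"
    key = keyring.get(key_id)
    if key is None:
        return False, f"no key with id {key_id}"
    expected = hashlib.md5(raw[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, raw[length:length + DIGEST_LEN]):
        return False, "invalid MD5 digest"
    if seq < last_seq:
        return False, "sequence number went backwards"
    return True, "ok"


# Constructed Hello body (A.3.2): mask /24, hello 10s, options E, priority 1,
# dead 40s, no DR/BDR yet; it is not a capture from the thread's routers.
HELLO_BODY = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                         10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)
```

A key-id or key mismatch on either side produces exactly the "invalid MD5 digest" outcome, which is why the receiver's log cannot tell a wrong key from a wrong key id.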