Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Graeme Lee




On 19/03/2020 8:45 am, Martijn van Duren wrote:

On 3/18/20 8:41 PM, Matthieu wrote:

On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:

On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:

Hi everybody,
I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before?
My first intention is to sign mails from different domains on a single mail
server. So the

OpenDKIM works with a socket and I don't know how and if it works with the
smtpd filter.
I've seen the «opensmtpd-filter-dkimsign» package, but we can only specify
one domain.

Otherwise I'd be looking at the side of dkimproxy if it can do the job or
not.

Thx for any help.


Hi,

There's an example described in the smtpd.conf(5) man page.

opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign

The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
It's relatively small and also privilege-separated.

It has a parameter to set the domain name (-d). In smtpd.conf you can define
multiple filters. See also the man page filter-dkimsign(8) for detailed
information.

I've replaced dkimproxy (Perl-based and complex) with
opensmtpd-filter-dkimsign. It works well for my needs.


Hi Hiltjo,
Currently I already use opensmtpd-filter-dkimsign, but I didn't
understand how to use it for multiple domains at once.

I've seen the example in the man page :
https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign

I thought  was to be replaced by only one domain to sign. Is a
domain a table like Alias? If so, what is the format of the file? But I
doubt it since in the filter code it doesn't look like a list.

static char *domain = NULL;
[…]
case 'd':
	domain = optarg;
[…]
if (!dkim_signature_printf(message,
    "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
    cryptalg, hashalg,
    canonheader == CANON_SIMPLE ? "simple" : "relaxed",
    canonbody == CANON_SIMPLE ? "simple" : "relaxed",
    domain, selector))

Finally in the example given in this presentation it is indeed a single
domain:
https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf


That's because filter-dkimsign doesn't support multiple domains, and
unless someone can give me a good reason to do so it probably is going
to stay that way.
I'm using dkimproxy for this.  I host multiple domain names. dkimproxy 
is pretty easy to configure to sign outbound on a per domain basis.


/etc/dkimproxy_out.conf
listen 127.0.0.1:
relay 127.0.0.1:
sender_map /etc/mail/dkim/sender_map

/etc/mail/dkim/sender_map
example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)

...

I can send the smtpdconf through if you're stuck.

If the domain being relayed is not in the map, it isn't signed. 
dkimproxy is not doing any inbound processing.  It would be awesome to 
pull this from a pgsql db source, which is how I manage what smtpd can 
and cannot relay.




I know that some mail providers add an additional positive score to
your spam rating if you have DKIM, but I reckon this is BS, because
DKIM is nothing more than a glorified debugging tool to tell you which
server butchered the content of your mail if every server in the chain
adds a DKIM signature. To be precise: it only tells you that a
particular domain owner (d-option) knows what server(s) a particular key
(s-option) belongs to, so that if a signature fails it could only
have happened before the last server which has a valid signature.

Could you explain why you (think you) need to have multiple domain
support?
I own (and manage) multiple domains.  Why would I not take advantage of 
virtual domains on 1 host?


Graeme
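The per-domain decision that the sender_map above makes (which d=, s=, key and canonicalization to use for a given sender, and leave mail from unknown domains unsigned), worked through in code. This is an added example, not code from this thread, from dkimproxy or from filter-dkimsign. The map text and message bodies are constructed, the key paths are never opened, and the bare `c=relaxed` shorthand is read the way RFC 6376 section 3.5 defines it (relaxed headers, simple body), which is an assumption about how the map line translates.

```python
"""Per-domain DKIM signing decisions and RFC 6376 canonicalization.

Added example; not code from the thread, from dkimproxy or from
filter-dkimsign. It models a sender_map lookup (choose d=, s=, key path
and canonicalization by the sender's domain; sign nothing for a domain
that is not in the map) and carries a body through simple/relaxed
canonicalization to the bh= tag. Map text and messages are constructed;
key files are never opened, so it runs offline.
"""
import base64
import hashlib
import re
from typing import Dict, Optional

# Constructed sender_map in dkimproxy's "domain dkim(opt=val,...)" shape.
SENDER_MAP = """\
example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
"""

def parse_sender_map(text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {opt: val}} for every 'domain dkim(...)' line."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+dkim\(([^)]*)\)\s*$", line)
        if not m:
            continue                        # blank or unparsable line: skip
        opts = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
        table[m.group(1).lower()] = opts
    return table

def signing_params(sender: str, table: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Parameters for the sender's domain, or None: the mail stays unsigned."""
    domain = sender.strip("<> ").rpartition("@")[2].lower()
    return table.get(domain)

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # collapse runs of WSP to one SP, then strip trailing WSP per line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":       # both modes drop trailing empty lines
        lines.pop()
    if not lines:                            # empty body: simple is one CRLF, relaxed nothing
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def canon_header(name: str, value: str, mode: str) -> str:
    """Header canonicalization; returns 'name:value\\r\\n' as it is hashed."""
    if mode == "simple":
        return f"{name}:{value}\r\n"            # simple: field left untouched
    value = value.replace("\r\n", "")           # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """The bh= tag: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def dkim_signature_stub(sender: str, body: bytes, table) -> Optional[str]:
    """DKIM-Signature value up to an empty b= for this sender, or None when
    the domain is not in the map (such mail is relayed unsigned)."""
    p = signing_params(sender, table)
    if p is None:
        return None
    header_c, _, body_c = p.get("c", "simple").partition("/")
    body_c = body_c or "simple"              # RFC 6376 3.5: lone 'c=x' means x/simple
    return (f"v=1; a=rsa-sha256; c={header_c}/{body_c}; d={p['d']}; s={p['s']}; "
            f"h=from:to:subject; bh={body_hash(body, body_c)}; b=")
```

The value of b= (the RSA signature over the canonicalized headers plus this header itself) is deliberately left empty: the point here is the per-domain selection and the canonicalization, which is where signatures usually break when a relay rewraps a body.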




Re: opensmtpd forwarding sent mail and extras-pgsql

2019-06-05 Thread Graeme Lee

On 6/06/2019 6:50 am, Gilles Chehade wrote:

On Mon, Jun 03, 2019 at 05:44:41PM +, Benny wrote:

Hi,


Hi,



I am planning a mail server of opensmtpd and dovecot. I'd be glad to know if there is any 
way to save a copy of mail to dovecot's "Sent" mail box before relaying them 
out.


sorry, I don't know dovecot enough for tricks and hacks.

it's possible that it's doable through some weird trick when smtpd would
notify dovecot somehow of messages that were sent, but I doubt it and it
is generally the mail user agent that does the link between mails it did
send over SMTP and copies it stores through IMAP.



I am also not able to find any docs on opensmtpd-extra-pgsql. Is there any guide 
to link postgresql up with smtpd for virtual users?


There's a man page but no guide no.

There are several tutorials for using SQLite and MySQL if you google and
they are pretty much identical in terms of configuration.


Hi Benny.

I use Cyrus and Postgresql with smtpd.  Everything you need for virtual 
users is in table-sqlite(5), but you will want to use IDENTITY or SERIAL 
for the ID column. (There is a man page for table-postgres(5) in the 
source, but it isn't installed.)

I can't speak for Dovecot.  But I use LMTP to deliver locally to the 
cyrus mailer.  Two actions are needed (below)
to route to the local mail store.   is /etc/mail/aliases, 
 is the database table.


# incoming email
action "cyrus" lmtp "127.0.0.1:2003" rcpt-to virtual 
# locally generated email (system /etc/mail/aliases - alias root to a 
some...@your.local.domain.com)

action "cyrus_internal" lmtp "127.0.0.1:2003" rcpt-to alias 

match from local for local action "cyrus_internal"
match from any for domain  action "cyrus"






Re: IPSEC with Juniper SRX220

2015-09-30 Thread Graeme Lee

On 27-Sep 14:42, Alexandre Westfahl wrote:

Hi,

I have trouble configuring ipsec with my Soekris 6501 (OBSD 5.7) with a
carrier router (Juniper).
SA seems to work well, I see packets going out on em0 and also see them on
enc0. However, the other side said nothing come but they also see SA
working and can see traffic going out.

There may be explanation for this situation:

- I have another IPSEC tunnel on same public IP (both on em0/enc0)
- the carrier IPs seem to be on the same network so OBSD may be lost with it


*network*
dmz network (DDD.EEE.FFF.0/28)  <--(AAA.BBB.CCC.192)-->Internet<--(
GGG.HHH.III.150)-->  server (GGG.HHH.III.149)



*ipsec.conf:*
//working ipsec tunnel
ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to
192.168.1.0/24 \
local AAA.BBB.CCC.192 \
main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
srcid "gtfwpo192" dstid "pojimusho169" \
psk secret

//carrier ipsec (not working)
ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
srcid "AAA.BBB.CCC.192"   dstid "GGG.HHH.III.150" \
psk secret2

Hi Alex.

That looks overly complex.  Try simplifying it first (the OpenBSD config 
is so easy!):


ike esp from  to {  } \
 peer  \
 psk secret

However!  On the juniper, many things are needed.  IKE policy and 
gateway, and IPSec proposal, a policy and a VPN

please excuse my indentation and inline comments.

ike policy alex {
mode main
proposal-set standard
pre-shared-key ascii-text secret
}

ike gateway alex {
ike-policy alex # (the above policy name)
address 
external-interface <- this will be ge-0/0/x but NOT a sub-interface 
- always the root.  I happen to be using one over a gre tunnel through 
NAT so I have dead-peer-detection running as well

}

ipsec proposal phase2-alex {
protocol esp
authentication-algorithm hmac-sha-256-128
encryption-algorithm aes-128-cbc
}

ipsec policy phase2-alex (you can get away with the same name)

ipsec vpn alex {
ike {
gateway alex
ipsec-policy phase2-alex
}
establish-tunnels immediately
}

but wait!  There's more!

you will also need policies on the SRX to apply security associations.  
Let's assume that the SRX local network is trust, and your vpn runs 
across the untrust zone.  zone names are arbitrary


edit security policies from-zone trust to-zone untrust
policy alex-local-to-vpn {
  match {
source-address local-ips  < You will need address book entries 
for these

destination-address remote-ips  < more address book entries
application [ allowed-application-sets or any ]
  }
  then {
permit {
  tunnel {
ipsec-vpn alex
pair-policy alex-vpn-to-local  < this is the same policy in 
reverse.  yep.  enter it twice.

  }
}
  }
}

I actually have these deployed.  It does work.

Regards,

Graeme



I tried to enable or disable PF and use super permissive rules but nothing
change.

Do you have some ideas on what it could be?

Thanks by advance!




Re: Does OpenBGPd suffer collateral damage with this?

2014-08-17 Thread Graeme Lee
The cause is Cisco routers with a max 512k entries in their FIB on some 
older units.


http://www.bgpmon.net/what-caused-todays-internet-hiccup/

Graeme


On 18-Aug 10:27, Rod Whitworth wrote:

http://www.smh.com.au/technology/technology-news/how-flakey-is-the-internet-20140816-104t8p.html

I would love to hear that our beloved BGP routers are the only ones
that don't get screwed or at least we are one of the few.

I haven't heard any noises from the hosting site that I look after.


*** NOTE *** Please DO NOT CC me. I  subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thankyou.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.




Re: USB mouse

2011-10-26 Thread Graeme Lee

On 27/10/2011 10:22 AM, Zantgo wrote:

WTF? I use OpenBSD and hate the other operating systems

Zantgo

It's like this:

Ask a stupid question, get a stupid answer.


On 26-10-2011, at 20:11, Bryan Irvine wrote:


On Wed, Oct 26, 2011 at 3:52 PM, Zantgo  wrote:

How I can run USB mouse?

You have to extract the drivers from the ubuntu linux installation CD.




Re: Howto set an IPv6 route?

2011-04-20 Thread Graeme Lee

route add -inet6 2a00:1ff8:101:: -prefixlen 48 2a00:1ff8:102:ac01::1

Have a look at /etc/netstart for some guidance

On 21/04/2011 9:57 AM, Roger Schreiter wrote:

Hello,

I tried:

route add -inet6 2a00:1ff8:101::/48 2a00:1ff8:102:ac01::1

and got:

route: 2a00:1ff8:101::/48: bad value

I do not understand, what is wrong with that net?
Can anyone give me a hint?

Roger.




Re: Easy money with OpenBSD & OpenBGPd?

2010-03-13 Thread Graeme Lee

FreeBSD and Linux

The routing is done on FreeBSD.  UI on Linux

It's hardly rocket science either.  It could easily be done on OpenBSD, 
but we would need to add a "strip private" or similar to make it 
implementable.




On 14/03/2010 2:24 AM, Sevan / Venture37 wrote:

Hi guys,
I was reading the arstechnica article on the internet filtering that's 
now in place in New Zealand & they mentioned that the appliance 
they're using called a "Whitebox" which uses a "BSD-Unix"

Anyone know more about the OS used in this system??


Sevan / Venture37

http://arstechnica.com/tech-policy/news/2010/03/new-zealand-relies-on-bgp-router-protocol-to-filter-the-net.ars 



http://www.watchdoginternational.net/images/stories/ncwb2.pdf




Re: VLANs, OpenBSD, Cisco HP

2010-01-14 Thread Graeme Lee

On 15/01/2010 1:25 PM, Stuart Henderson wrote:

On 2010-01-15, Graeme Lee  wrote:
   

Either syntax works.  However, had a re-read of your initial email, and
you were missing the "vlan 301" in your configuration line.
 

It's no longer necessary, it defaults to the number that's part of
the interface name (e.g. vlan301 defaults to vlan 301)..

   

Cool.  And anyway, he corrected himself in a later email I noticed



Re: VLANs, OpenBSD, Cisco HP

2010-01-14 Thread Graeme Lee

On 15/01/2010 3:13 AM, James Peltier wrote:

--- On Thu, 1/14/10, Graeme Lee  wrote:

   

From: Graeme Lee
Subject: Re: VLANs, OpenBSD, Cisco HP
To: misc@openbsd.org
Received: Thursday, January 14, 2010, 3:27 AM
 
   

inet 1.2.3.4 255.255.255.0 NONE vlan 301 vlandev em0
   

description "Uplink"
 
   

Like this:

# cat /etc/hostname.vlan0
vlan 301 vlandev em0
inet 192.168.1.2 255.255.255.0 192.168.1.255 description
"Uplink"

# cat /etc/hostname.em0
up
 

 From everything I have read in the man pages, FAQ and the great oracle Google, 
my chosen syntax works too.

See http://www.openbsd.org/faq/faq6.html

"Or, you may want to use special flags specific to a certain interface. The 
format of the hostname file doesn't change much!

 $ cat /etc/hostname.vlan0
 inet 172.21.0.31 255.255.255.0 NONE vlan 2 vlandev fxp1
"

   

You caught me with a migraine.

Either syntax works.  However, had a re-read of your initial email, and 
you were missing the "vlan 301" in your configuration line.


/etc/hostname.vlan301
--
inet 1.2.3.4 255.255.255.0 NONE vlandev em0 description "Uplink"


Check that you are not tagging the incoming traffic as vlan 301.  The 
ports need to be in trunk mode.


if your vlan interface is up, and you get the following:

# ifconfig vlan0
vlan0: flags=8843 mtu 1500
lladdr 00:c0:9f:4b:6f:38
description: test link
vlan: 301 priority: 0 parent interface: em0
groups: vlan
inet 1.2.3.4 netmask 0xff00 broadcast 1.2.3.255
inet6 fe80::2c0:9fff:fe4b:6f38%vlan0 prefixlen 64 scopeid 0x7

Then you'll need to re-visit the configuration of your procurve.

Also, tcpdump is your friend.  If your interfaces aren't doing hardware 
vlan tagging/untagging, you'll get to see


# tcpdump -ni em0

10:33:13.588159 802.1Q vid 301 pri 0 ..

Have fun!

g
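The tcpdump line above is the quickest check that the ProCurve is really sending the traffic tagged. Here is the same decode done in code, as an added example that is not part of the original post: it peels stacked 802.1Q/802.1ad tags off a raw Ethernet frame and prints them in tcpdump's "802.1Q vid 301 pri 0" style, so a frame pulled from a pcap can be checked for the VID it actually carries. The frames are constructed; the only assumptions are the standard TPIDs 0x8100 and 0x88a8 plus the pre-standard 0x9100 that some QinQ gear still emits.

```python
"""Decode 802.1Q tags from a raw Ethernet frame.

Added example, not from the thread. Mirrors what 'tcpdump -ni em0' shows
("802.1Q vid 301 pri 0") so the same check can be run on a captured frame.
The frames below are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

TPID_8021Q = 0x8100        # customer tag (C-TAG)
TPID_8021AD = 0x88A8       # service tag (S-TAG), QinQ outer tag
TPIDS = {TPID_8021Q, TPID_8021AD, 0x9100}   # 0x9100: pre-standard QinQ outer tag

@dataclass
class VlanTag:
    tpid: int
    pcp: int               # priority code point, tcpdump's "pri"
    dei: int               # drop eligible indicator
    vid: int               # VLAN id; 0 = priority-tagged only, 4095 reserved

@dataclass
class Frame:
    dst: str
    src: str
    tags: List[VlanTag] = field(default_factory=list)
    ethertype: int = 0
    payload: bytes = b""

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> Frame:
    """Peel every stacked VLAN tag after the MAC addresses until a real ethertype."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src, off, tags = raw[0:6], raw[6:12], 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack_from("!H", raw, off)
        off += 2
        if ethertype not in TPIDS:
            break
        if off + 2 > len(raw):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", raw, off)   # TCI = PCP(3) DEI(1) VID(12)
        off += 2
        tags.append(VlanTag(ethertype, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
    return Frame(_mac(dst), _mac(src), tags, ethertype, raw[off:])

def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Constructed frame: tags is a list of (tpid, pcp, vid), outermost first."""
    hdr = dst + src
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def tcpdump_style(frame: Frame) -> str:
    """Render the tags the way tcpdump does: '802.1Q vid 301 pri 0, ...'."""
    parts = [f"802.1Q vid {t.vid} pri {t.pcp}" for t in frame.tags]
    parts.append(f"ethertype 0x{frame.ethertype:04x}")
    return ", ".join(parts)

def outer_vid(raw: bytes) -> Optional[int]:
    """VID the switch put on the frame, or None if it arrived untagged (access port)."""
    tags = parse_frame(raw).tags
    return tags[0].vid if tags else None
```

If `outer_vid()` returns None for frames that should be on VLAN 301, the switch port is untagging them (access mode) and the vlan(4) interface will never see them; if it returns a different VID, the trunk's tagging configuration is the thing to revisit.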



Re: VLANs, OpenBSD, Cisco HP

2010-01-14 Thread Graeme Lee

On 14/01/2010 5:33 PM, James Peltier wrote:

--- On Thu, 1/14/10, James Peltier  wrote:
   

/etc/hostname.vlan301
--
inet 1.2.3.4 255.255.255.0 NONE vlandev em0 description
"Uplink"
 

Please note that I've typed this wrong and it actually has

inet 1.2.3.4 255.255.255.0 NONE vlan 301 vlandev em0 description "Uplink"

in /etc/hostname.em0 and doesn't work. Just wanted to make sure people don't jump to the 
"your syntax is wrong" theory. ;)

   

Like this:

# cat /etc/hostname.vlan0
vlan 301 vlandev em0
inet 192.168.1.2 255.255.255.0 192.168.1.255 description "Uplink"

# cat /etc/hostname.em0
up



Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-09 Thread Graeme Lee

Claudio Jeker wrote:

On Mon, Feb 09, 2009 at 11:43:10AM +0100, Claudio Jeker wrote:
  

On Mon, Feb 09, 2009 at 02:22:08AM -0800, patrick keshishian wrote:


On Mon, Feb 9, 2009 at 12:53 AM, Claudio Jeker  wrote:
  

On a hunch, I tried a 64bit and a 32 bit machine with 1 prefix each.
The 32bit machine adds routes to the kernel without complaint.  The
64bit machine complained with send_rtmsg

  

Arrg. IPv6 is once again broken by design. For some ridiculous reason
struct sockaddr_in6's size is 28 bytes. So IPv6 fucks up alignment on 64 bit
archs. All hail link local addressing and all the crappy workarounds
needed for it.


Maybe it is too late for me to be thinking about this ... but could
you explain the diff below? Unless I'm missing something obvious, it
looks like it changes behavior for non-64bit archs as well.

  

Hmm. I think you're right. I think a different approach would be better.
Will cook up something later today.




I think this is better. Just compile tested and no real time to test until
later today.

  

Hi Claudio

Tested on i386 and amd64 test bgp sessions ok

Tested on amd64 production w/2 x ipv4 feeds and 1 x ipv6.  Full ipv6 
table is installed in the kernel.  daemon log shows


Feb 10 09:06:14 gw-nextgen bgpd[8598]: neighbor 2001:470:17:7f::1 
(HurricaneHK): state change Connect -> OpenSent, reason: Connection opened
Feb 10 09:06:14 gw-nextgen bgpd[8598]: neighbor 2001:470:17:7f::1 
(HurricaneHK): state change OpenSent -> OpenConfirm, reason: OPEN 
message received
Feb 10 09:06:14 gw-nextgen bgpd[8598]: neighbor 2001:470:17:7f::1 
(HurricaneHK): state change OpenConfirm -> Established, reason: 
KEEPALIVE message received
Feb 10 09:06:18 gw-nextgen bgpd[15752]: nexthop 2001:470:17:7f::1 now 
valid: directly connected


No errors.



Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-09 Thread Graeme Lee

Claudio Jeker wrote:

On Mon, Feb 09, 2009 at 04:51:12PM +1100, Graeme Lee wrote:
  

Graeme Lee wrote:


Graeme Lee wrote:
  

tico wrote:


Graeme Lee wrote:
  

tico wrote:


Graeme Lee wrote:
  

<>

Ok forget bgp configs for a minute.  I've been quickly scanning over  
the code, and notable is that the log displays:


Feb  9 13:00:15 gw-nextgen bgpd[17223]: send_rtmsg: action 1, prefix  
2001:7fb:fe07::/48: Network is unreachable


but shouldn't it be a send_rt6msg call in kroute.c?

  


Yes. The warning message had the wrong function name in it.

  

well I was looking at least.
On a hunch, I tried a 64bit and a 32 bit machine with 1 prefix each.   
The 32bit machine adds routes to the kernel without complaint.  The  
64bit machine complained with send_rtmsg





Arrg. IPv6 is once again broken by design. For some ridiculous reason
struct sockaddr_in6's size is 28 bytes. So IPv6 fucks up alignment on 64 bit
archs. All hail link local addressing and all the crappy workarounds
needed for it.

Please try the attached diff.
  


You are altogether a legend.  I now have the full ipv6 table in the kernel.
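The mechanism behind Claudio's explanation, as an added example that is not from the thread and is not bgpd's kroute.c or the diff he posted: a BSD `struct sockaddr_in6` is 28 bytes, and a PF_ROUTE message carries its address list with each sockaddr padded to a multiple of sizeof(long) by the classic BSD ROUNDUP idiom. On i386 sizeof(long) is 4 and 28 is already aligned; on amd64 it is 8, so each record is followed by 4 bytes of padding, and a producer or consumer that steps by `sa_len` instead of `ROUNDUP(sa_len)` lands on the wrong offset. The struct layout, the AF_INET6 value and the word sizes are constructed inputs modelling OpenBSD's; this does not run against a real routing socket.

```python
"""Why a 28-byte sockaddr_in6 breaks naive routing-socket parsing on LP64.

Added example, not from the thread or from bgpd. Packs BSD-style
sockaddr_in6 records the way a PF_ROUTE message lays them out (each one
ROUNDUP-padded to sizeof(long)) and walks them correctly and incorrectly.
Addresses and word sizes are constructed.
"""
import ipaddress
import struct

AF_INET6_BSD = 24          # OpenBSD's AF_INET6 value (assumption modelled here)
SIN6_LEN = 28              # sizeof(struct sockaddr_in6) on BSD

def roundup(n: int, long_size: int) -> int:
    """BSD ROUNDUP(): pad n up to a multiple of sizeof(long)."""
    return (1 + ((n - 1) | (long_size - 1))) if n > 0 else long_size

def pack_sockaddr_in6(addr: str, scope_id: int = 0) -> bytes:
    """struct sockaddr_in6 { u8 len; u8 family; u16 port; u32 flowinfo;
    u8 addr[16]; u32 scope_id; } -- 28 bytes, network byte order."""
    return struct.pack("!BBHI16sI", SIN6_LEN, AF_INET6_BSD, 0, 0,
                       ipaddress.IPv6Address(addr).packed, scope_id)

def pack_rtmsg_addrs(addrs, long_size: int) -> bytes:
    """Address list as the kernel expects it: every sockaddr ROUNDUP-padded."""
    out = b""
    for a in addrs:
        sa = pack_sockaddr_in6(a)
        out += sa + b"\0" * (roundup(len(sa), long_size) - len(sa))
    return out

def walk(buf: bytes, long_size: int, aligned: bool):
    """Parse the address list; aligned=False mimics stepping by sa_len only."""
    addrs, off = [], 0
    while off < len(buf):
        if off + SIN6_LEN > len(buf):
            raise ValueError(f"truncated sockaddr at offset {off}")
        sa_len, family = buf[off], buf[off + 1]
        if family != AF_INET6_BSD or sa_len != SIN6_LEN:
            # on LP64 the unaligned walk lands in the padding: len=0 family=0
            raise ValueError(f"misparsed sockaddr at offset {off}: "
                             f"len={sa_len} family={family}")
        addrs.append(str(ipaddress.IPv6Address(buf[off + 8:off + 24])))
        off += roundup(sa_len, long_size) if aligned else sa_len
    return addrs
```

With a 32-bit long both walks agree, which is why the i386 box installed routes "without complaint"; with an 8-byte long the unaligned walk reads padding where it expects the second sockaddr, which is the kind of misparse that makes the kernel reject an otherwise valid gateway.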



Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-08 Thread Graeme Lee

Graeme Lee wrote:

Graeme Lee wrote:

tico wrote:

Graeme Lee wrote:

tico wrote:

Graeme Lee wrote:

<>


Network layout is somewhat complicated.  1 x ebgp and 1 x ibgp 
session receive ipv4 world tables.  Gif tunnel to a hurricane 
router in Hong Kong.  I'm receiving ipv6 world bgp tables from 
this peer.  Connectivity to the peer is fine.  Just can't get 
past it.


I can see that my prefix is announced via looking glasses.  I'm 
receiving about 1.6k prefixes from hurricane.


I'm speaking BGP over v6 with HE.net as well (albeit in Fremont, 
not HK), and I can see you just fine, and apparently you can see 
me (AS30708) as well, since I can ping you from both my Hurricane 
/64 as well as from an IP within my own /32.


$ ping6 -c1 -S 2607:f618:1::1 2001:470:17:7f::2
PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:470:17:7f::2
16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=442.275 ms

--- 2001:470:17:7f::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 442.275/442.275/442.275/0.000 ms
$ ping6 -c1 2001:470:17:7f::2
PING6(56=40+8+8 bytes) 2001:470:1:53::2 --> 2001:470:17:7f::2

16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=441.775 ms

--- 2001:470:17:7f::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 441.775/441.775/441.775/0.000 ms
$ bgpctl sho ip bgp 2400:6800::/32
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination      gateway           lpref   med aspath origin
*>    2400:6800::/32   2001:470:1:53::1    100     0 6939 10105 i
$ uname -mr
4.4 i386

What does your "bgpctl sho nex" give you?

-tico



Ok forget bgp configs for a minute.  I've been quickly scanning over 
the code, and notable is that the log displays:


Feb  9 13:00:15 gw-nextgen bgpd[17223]: send_rtmsg: action 1, prefix 
2001:7fb:fe07::/48: Network is unreachable


but shouldn't it be a send_rt6msg call in kroute.c?

On a hunch, I tried a 64bit and a 32 bit machine with 1 prefix each.  
The 32bit machine adds routes to the kernel without complaint.  The 
64bit machine complained with send_rtmsg




Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-08 Thread Graeme Lee

Graeme Lee wrote:

tico wrote:

Graeme Lee wrote:

tico wrote:

Graeme Lee wrote:

<>


Network layout is somewhat complicated.  1 x ebgp and 1 x ibgp 
session receive ipv4 world tables.  Gif tunnel to a hurricane 
router in Hong Kong.  I'm receiving ipv6 world bgp tables from 
this peer.  Connectivity to the peer is fine.  Just can't get past 
it.


I can see that my prefix is announced via looking glasses.  I'm 
receiving about 1.6k prefixes from hurricane.


I'm speaking BGP over v6 with HE.net as well (albeit in Fremont, 
not HK), and I can see you just fine, and apparently you can see me 
(AS30708) as well, since I can ping you from both my Hurricane /64 
as well as from an IP within my own /32.


$ ping6 -c1 -S 2607:f618:1::1 2001:470:17:7f::2
PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:470:17:7f::2
16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=442.275 ms

--- 2001:470:17:7f::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 442.275/442.275/442.275/0.000 ms
$ ping6 -c1 2001:470:17:7f::2
PING6(56=40+8+8 bytes) 2001:470:1:53::2 --> 2001:470:17:7f::2

16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=441.775 ms

--- 2001:470:17:7f::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 441.775/441.775/441.775/0.000 ms
$ bgpctl sho ip bgp 2400:6800::/32
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination      gateway           lpref   med aspath origin
*>    2400:6800::/32   2001:470:1:53::1    100     0 6939 10105 i
$ uname -mr
4.4 i386

What does your "bgpctl sho nex" give you?

-tico



Ok forget bgp configs for a minute.  I've been quickly scanning over the 
code, and notable is that the log displays:


Feb  9 13:00:15 gw-nextgen bgpd[17223]: send_rtmsg: action 1, prefix 
2001:7fb:fe07::/48: Network is unreachable


but shouldn't it be a send_rt6msg call in kroute.c?



Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-08 Thread Graeme Lee

tico wrote:

Graeme Lee wrote:

tico wrote:

Graeme Lee wrote:

<>


Network layout is somewhat complicated.  1 x ebgp and 1 x ibgp 
session receive ipv4 world tables.  Gif tunnel to a hurricane 
router in Hong Kong.  I'm receiving ipv6 world bgp tables from this 
peer.  Connectivity to the peer is fine.  Just can't get past it.


I can see that my prefix is announced via looking glasses.  I'm 
receiving about 1.6k prefixes from hurricane.


I'm speaking BGP over v6 with HE.net as well (albeit in Fremont, not 
HK), and I can see you just fine, and apparently you can see me 
(AS30708) as well, since I can ping you from both my Hurricane /64 
as well as from an IP within my own /32.


$ ping6 -c1 -S 2607:f618:1::1 2001:470:17:7f::2
PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:470:17:7f::2
16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=442.275 ms

--- 2001:470:17:7f::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 442.275/442.275/442.275/0.000 ms
$ ping6 -c1 2001:470:17:7f::2
PING6(56=40+8+8 bytes) 2001:470:1:53::2 --> 2001:470:17:7f::2

16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=441.775 ms

--- 2001:470:17:7f::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 441.775/441.775/441.775/0.000 ms
$ bgpctl sho ip bgp 2400:6800::/32
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination      gateway           lpref   med aspath origin
*>    2400:6800::/32   2001:470:1:53::1    100     0 6939 10105 i
$ uname -mr
4.4 i386

What does your "bgpctl sho nex" give you?

-tico


Hi Tico.

# bgpctl show next
Nexthop  State
2001:470:17:7f::1valid gif0UP
203.143.64.133   valid em1 UP, Ethernet, active, 100 MBit/s
121.200.227.93   valid em0 UP, Ethernet, active, 100 MBit/s


However, the only reason you can see me is because i've manually 
stuck in a default route just to get things working


# netstat -rnf inet6
Routing tables

Internet6:
DestinationGateway
Flags   Refs  Use   Mtu  Prio Iface
::/104 ::1
UGRS   00 - 8 lo0
::/96  ::1
UGRS   00 - 8 lo0
default2001:470:17:7f::1  
UGS0   19 - 8 gif0
::1::1
UH140 33160 4 lo0
::127.0.0.0/104::1
UGRS   00 - 8 lo0
::224.0.0.0/100::1
UGRS   00 - 8 lo0
::255.0.0.0/104::1
UGRS   00 - 8 lo0
:::0.0.0.0/96  ::1
UGRS   00 - 8 lo0
2001:470:17:7f::/64link#6 
UC 10 - 4 gif0
2001:470:17:7f::1  link#6 
UHLc   2 3397 - 4 gif0
2001:470:17:7f::2  link#6 
UHL10 - 4 lo0



I see. And what do your filters (bgpd, not PF) look like?

What changes from a default bgpd.conf have you made?

Is there anything peculiar about your gif0 interface?

-tico

There's only one line difference (plus a comment)
allow from any inet6 prefixlen 12 - 64


neighbor "2001:470:17:7f::1" {
   remote-as   6939
   descr   "HurricaneHK"
   local-address   2001:470:17:7f::2
   announceIPv4 none
   announceIPv6 unicast
   set nexthop self
}


# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any inet prefixlen 8 - 24
# IPv6 Routing
allow from any inet6 prefixlen 12 - 64

# do not accept a default route
deny from any prefix 0.0.0.0/0

# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4


# ifconfig gif0
gif0: flags=8051 mtu 1280
   priority: 0
   groups: gif egress
   physical address inet 121.200.227.94 --> 216.218.221.2
   inet6 fe80::21f:d0ff:fe32:3d58%gif0 ->  prefixlen 64 scopeid 0x6
   inet6 2001:470:17:7f::2 ->  prefixlen 64



Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-08 Thread Graeme Lee

tico wrote:

Graeme Lee wrote:

<>


Network layout is somewhat complicated.  1 x ebgp and 1 x ibgp 
session receive ipv4 world tables.  Gif tunnel to a hurricane router 
in Hong Kong.  I'm receiving ipv6 world bgp tables from this peer.  
Connectivity to the peer is fine.  Just can't get past it.


I can see that my prefix is announced via looking glasses.  I'm 
receiving about 1.6k prefixes from hurricane.


I'm speaking BGP over v6 with HE.net as well (albeit in Fremont, not 
HK), and I can see you just fine, and apparently you can see me 
(AS30708) as well, since I can ping you from both my Hurricane /64 as 
well as from an IP within my own /32.


$ ping6 -c1 -S 2607:f618:1::1 2001:470:17:7f::2
PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:470:17:7f::2
16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=442.275 ms

--- 2001:470:17:7f::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 442.275/442.275/442.275/0.000 ms
$ ping6 -c1 2001:470:17:7f::2
PING6(56=40+8+8 bytes) 2001:470:1:53::2 --> 2001:470:17:7f::2

16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=441.775 ms

--- 2001:470:17:7f::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 441.775/441.775/441.775/0.000 ms
$ bgpctl sho ip bgp 2400:6800::/32
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination      gateway           lpref   med aspath origin
*>    2400:6800::/32   2001:470:1:53::1    100     0 6939 10105 i
$ uname -mr
4.4 i386

What does your "bgpctl sho nex" give you?

-tico


Hi Tico.

# bgpctl show next
Nexthop  State
2001:470:17:7f::1valid gif0UP
203.143.64.133   valid em1 UP, Ethernet, active, 100 MBit/s
121.200.227.93   valid em0 UP, Ethernet, active, 100 MBit/s


However, the only reason you can see me is because i've manually stuck 
in a default route just to get things working


# netstat -rnf inet6
Routing tables

Internet6:
DestinationGateway
Flags   Refs  Use   Mtu  Prio Iface
::/104 ::1
UGRS   00 - 8 lo0
::/96  ::1
UGRS   00 - 8 lo0
default2001:470:17:7f::1  
UGS0   19 - 8 gif0
::1::1
UH140 33160 4 lo0
::127.0.0.0/104::1
UGRS   00 - 8 lo0
::224.0.0.0/100::1
UGRS   00 - 8 lo0
::255.0.0.0/104::1
UGRS   00 - 8 lo0
:::0.0.0.0/96  ::1
UGRS   00 - 8 lo0
2001:470:17:7f::/64link#6 
UC 10 - 4 gif0
2001:470:17:7f::1  link#6 
UHLc   2 3397 - 4 gif0
2001:470:17:7f::2  link#6 
UHL10 - 4 lo0




Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-08 Thread Graeme Lee

Rogier Krieger wrote:

On Sun, Feb 8, 2009 at 02:09, Graeme Lee  wrote:
  

The bgpd log shows this:

bgpd: send_rtmsg: action 1, prefix 2001:dc8:c000::/36: Network is
unreachable
bgpd: send_rtmsg: action 1, prefix 2a01:a8::/32: Network is unreachable

for every network received via my peer.



Are there intermediate hops that you receive from the peer but cannot
reach? If your nexthop is unreachable, that may explain the message.
If you go back far enough in the logs (before the first prefixes you
receive, the log may provide more insight as well as I don't know how
many peers you have/prefixes you get).

  

Nope.  Here's the first few lines from bgpctl show ip bgp inet6

flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway             lpref   med aspath origin
*>    2001::/32            2001:470:17:7f::1     100     0 6939 12859 i
*>    2001:200::/32        2001:470:17:7f::1     100     0 6939 2500 i
*>    2001:200:136::/48    2001:470:17:7f::1     100     0 6939 2516 7660 9367 i
*>    2001:200:600::/40    2001:470:17:7f::1     100     0 6939 2516 7667 i
*>    2001:200:900::/40    2001:470:17:7f::1     100     0 6939 2516 7660 i
*>    2001:200:a000::/35   2001:470:17:7f::1     100     0 6939 3257 2497 4690 i
*>    2001:200:c000::/35   2001:470:17:7f::1     100     0 6939 2500 23634 i
*>    2001:200:e000::/35   2001:470:17:7f::1     100     0 6939 4635 7660 i
*>    2001:208::/32        2001:470:17:7f::1     100     0 6939 23911 9800 38035 7610 i
*>    2001:218::/32        2001:470:17:7f::1     100     0 6939 2914 i
*>    2001:220::/35        2001:470:17:7f::1     100     0 6939 2516 7660 9270 i
*>    2001:220:2000::/35   2001:470:17:7f::1     100     0 6939 2516 7660 9270 38128 i
*>    2001:220:8000::/33   2001:470:17:7f::1     100     0 6939 2516 7660 9270 38128 i


2001:470:17:7f::1 is my bgp peer from hurricane.  The bgp table looks 
fine.  It just doesn't translate to the kernel routing table.  ergo, I 
cannot see or be seen.  my prefix is advertised fine  (2400:6800::/32)  
I can talk to and directly ping6 2001:470:17:7f::1


Adding static routes works (eg a default).  It's just that bgpd isn't 
translating what it knows into the kernel.



A clue to what I'm missing would be really appreciated.



Other than checking the nexthop above, it'll help to include your
network layout (what interfaces, uplink, addresses), bgpd
configuration and a non-chopped dmesg.
  
Dmesg was there to demonstrate I really was running -current and not 
something from somewhere random.


Network layout is somewhat complicated.  1 x ebgp and 1 x ibgp session 
receive ipv4 world tables.  Gif tunnel to a hurricane router in Hong 
Kong.  I'm receiving ipv6 world bgp tables from this peer.  Connectivity 
to the peer is fine.  Just can't get past it.


I can see that my prefix is announced via looking glasses.  I'm 
receiving about 1.6k prefixes from hurricane.


# bgpctl show ip bgp sum
Neighbor        AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
HurricaneHK   6939       3220       1428     0 11:52:11          1588
Optus Peer   10105     104321      43663     0 11:58:08        222487
NextGen      38809      78041       1439     0 11:58:08        274913

complete restart of bgpd shows this:

Feb  8 23:43:47 gw-nexgen bgpd[23344]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change Connect -> OpenSent, reason: Connection opened
Feb  8 23:43:47 gw-nexgen bgpd[23344]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change OpenSent -> OpenConfirm, reason: OPEN message received
Feb  8 23:43:47 gw-nexgen bgpd[23344]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change OpenConfirm -> Established, reason: KEEPALIVE message received
Feb  8 23:44:13 gw-nexgen bgpd[4481]: nexthop 2001:470:17:7f::1 now valid: directly connected
Feb  8 23:44:13 gw-nexgen bgpd[4481]: send_rtmsg: action 1, prefix 2a01:7b0::/32: Network is unreachable
Feb  8 23:44:13 gw-nexgen bgpd[4481]: send_rtmsg: action 1, prefix 2404:1b0::/32: Network is unreachable
Feb  8 23:44:13 gw-nexgen bgpd[4481]: send_rtmsg: action 1, prefix 2400:3000::/32: Network is unreachable


etc etc for all 1.6k prefixes


Hope it helps,

Rogier




bgpd fails to install ipv6 routes in kernel routing table

2009-02-07 Thread Graeme Lee

Hi all.

I'm having problems with ipv6 on openbgpd, in that it isn't installing 
received ipv6 routes into the kernel's routing table.  It receives 
them.  I can advertise my own prefix just fine.  But netstat -rnf inet6 
shows only the basic static table.


The bgpd log shows this:

bgpd: send_rtmsg: action 1, prefix 2001:dc8:c000::/36: Network is unreachable
bgpd: send_rtmsg: action 1, prefix 2a01:a8::/32: Network is unreachable

for every network received via my peer.

I believe I've done a good job searching through the archives, but I've 
turned up nothing useful.  I'm running -current as of about 2 hours 
ago.  A clue to what I'm missing would be really appreciated.


Thanks,

g

OpenBSD 4.4-current (GENERIC) #11: Sun Feb  8 10:29:07 EST 2009
    r...@gw-nexgen.omniconnect.com.au:/usr/src/sys/arch/amd64/compile/GENERIC

real mem = 2145255424 (2045MB)
avail mem = 2071248896 (1975MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (55 entries)
bios0: vendor Award Software International, Inc. version "F3" date 03/04/2008

bios0: Gigabyte Technology Co., Ltd. GA-MA770-S3
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT HPET MCFG APIC
acpi0: wakeup devices USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) SBAZ(S4) P2P_(S5) PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) PCE8(S4) PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) PS2M(S5) PS2K(S5) PCI0(S5)

acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+, 2712.70 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache

cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200MHz



Re: OpenBGPD Flaps, 32bit ASn in the wild.

2008-12-11 Thread Graeme Lee

tico wrote:

Claudio Jeker wrote:

On Wed, Dec 10, 2008 at 04:47:31PM -0500, Ted Unangst wrote:
 
On Wed, Dec 10, 2008 at 4:38 PM, Claudio Jeker 
 wrote:
   
I looked at the problem and I'm currently unsure what the best way is to
handle such bad AS4_* attributes. The RFC in all its glory does not
mention how to handle errors. So at the moment I'm in favor of just
dropping/ignoring the bad optional attribute but I need to recheck with
the BGP RFC to see if this is valid. Another solution is to ignore the
full update but I have a bad feeling about that.
  

Can you ignore just the route with the bad attribute?  We don't want
to propagate it more.




The best thing we can do is to mark the update as ineligible so it will
not propagate further and will not be used but this is a quite radical
measure. On the other hand this is probably the safest way to handle this
error.

Comments?
  


My thinking is in line with yours. RFC4271 doesn't appear to specify 
how to handle this scenario gracefully, as already mentioned here:
http://www.merit.edu/mail.archives/nanog/msg13422.html
Apparently there are already enough BGP speakers on the net that don't 
check for a valid AS4_PATH before announcing it onwards to cause 
problems for OpenBGPd users, if not others.


I'd rather be missing a route than missing an entire feed and/or 
propagating attributes that will kill others' BGP sessions.

-tico


I concur.



Re: bgpd extension handling capabilities

2008-09-04 Thread Graeme Lee
I have applied the patch supplied by Henning, and now get the following in 
my bgpctl show neighbor


 Neighbor capabilities:
   Multiprotocol extensions: IPv4 Unicast  (previously was unknown (128))



yes, with my patch, we simply ignore the announcement and show the default.

  


Can this patch (along with IPv6) be considered for current?

Thanks,

g



Re: bgpd extension handling capabilities

2008-08-25 Thread Graeme Lee

Henning Brauer wrote:

* Claudio Jeker <[EMAIL PROTECTED]> [2008-08-25 17:27]:
  

On Mon, Aug 25, 2008 at 03:54:27PM +0200, Henning Brauer wrote:
    

* Graeme Lee <[EMAIL PROTECTED]> [2008-08-25 03:28]:
  
Yes but the safis are handled during capability negotiation (in function 
parse_capabilities in session.c)
Do I need to do more than just ignore the unknown safis?  Currently, the 
return (-1) in the mp_safi test never allows the connection to establish.  
Removing this at least allows the bgp session to function, but I'm not sure 
if that's all that's needed, or even if it's safe to do so.


I don't remember exactly what the RFCs demanded. There is one for
capabilities negotiation and one for the multiprotocol extensions. I
guess the latter is the relevant one. if you could check what it says
about the unknown safi case and it allows us to ignore them I am very
willing to make that change :)

  

RFC 2858 Section 7:

   A speaker that supports multiple  tuples includes them as
   multiple Capabilities in the Capabilities Optional Parameter.

   To have a bi-directional exchange of routing information for a
   particular  between a pair of BGP speakers, each such
   speaker must advertise to the other (via the Capability Advertisement
   mechanism) the capability to support that particular 
   routes.

I would say that unknown safi should be accepted in the capabilities but
not during a bgp update. That would mean that your diff is not correct.



huh? that is exactly what my diff does. it doesn't change the way we
handle safis in updates - which means we might have to ignore unknown
safis there too, didn't check whether we do that already.

  
Previously the check (and subsequent return (-1)) was a show stopper.  
bgpd works fine for the rest of the time.


Reading over RFC3397, section 3 covers the error handling.  This is how 
I read it:


If you don't understand capabilities advertisements at all, you should 
terminate, and re-establish with no capabilities options.


If you don't understand a particular capability, you may choose to 
terminate, and send a message back to say which capability isn't 
supported (goto section 7).  However, any particular capability is only 
supported if both peers advertise the same capability to each other.



I have applied the patch supplied by Henning, and now get the following 
in my bgpctl show neighbor


 Neighbor capabilities:
   Multiprotocol extensions: IPv4 Unicast  (previously was unknown (128))
   Route Refresh
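As an added example (not bgpd's code, and not written by anyone in this thread), here is a small C parser for the Capabilities Optional Parameter of a BGP OPEN that applies the rule Claudio describes: an unknown AFI/SAFI tuple in the Multiprotocol Extensions capability (RFC 2858 section 7) is counted and ignored rather than used to refuse the session, while broken TLV framing is still rejected. The struct, function names and the sample capability bytes are constructed for this example.

```c
/* Added example: lenient parsing of BGP OPEN capabilities (not bgpd code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAPA_MP_EXT    1   /* capability code: Multiprotocol Extensions */
#define CAPA_REFRESH   2   /* capability code: Route Refresh */
#define AFI_IPV4       1
#define AFI_IPV6       2
#define SAFI_UNICAST   1

struct mp_result {
    int ipv4_unicast;   /* peer offered <IPv4, unicast> */
    int ipv6_unicast;   /* peer offered <IPv6, unicast> */
    int route_refresh;  /* peer offered Route Refresh */
    int unknown_safi;   /* AFI/SAFI tuples we did not recognise and ignored */
    int malformed;      /* set when a TLV overruns the buffer */
};

/*
 * Walk the capability TLVs in buf[0..len). Each capability is
 * code(1) length(1) value(length); for code 1 the value is
 * AFI(2) Reserved(1) SAFI(1). Unknown SAFIs and unknown capability
 * codes are skipped; only broken framing returns -1.
 */
int parse_capabilities(const uint8_t *buf, size_t len, struct mp_result *r)
{
    size_t off = 0;

    memset(r, 0, sizeof(*r));
    while (off < len) {
        if (len - off < 2) { r->malformed = 1; return -1; }
        uint8_t code = buf[off];
        uint8_t clen = buf[off + 1];
        off += 2;
        if (clen > len - off) { r->malformed = 1; return -1; }

        if (code == CAPA_MP_EXT) {
            if (clen != 4) { r->malformed = 1; return -1; }
            uint16_t afi = (uint16_t)((buf[off] << 8) | buf[off + 1]);
            uint8_t safi = buf[off + 3];
            if (afi == AFI_IPV4 && safi == SAFI_UNICAST)
                r->ipv4_unicast = 1;
            else if (afi == AFI_IPV6 && safi == SAFI_UNICAST)
                r->ipv6_unicast = 1;
            else
                r->unknown_safi++;   /* e.g. SAFI 128: note it, keep going */
        } else if (code == CAPA_REFRESH) {
            r->route_refresh = 1;
        }
        /* any other capability code is simply skipped */
        off += clen;
    }
    return 0;
}

/* Constructed sample: <IPv4, unicast>, <IPv4, SAFI 128>, Route Refresh. */
static const uint8_t sample_capas[] = {
    0x01, 0x04, 0x00, 0x01, 0x00, 0x01,   /* MP: AFI 1, SAFI 1 */
    0x01, 0x04, 0x00, 0x01, 0x00, 0x80,   /* MP: AFI 1, SAFI 128 */
    0x02, 0x00                            /* Route Refresh, no value */
};

/* Helpers that run the parser over the sample and expose one field each. */
int sample_ipv4_unicast(void)
{
    struct mp_result r;
    return parse_capabilities(sample_capas, sizeof(sample_capas), &r) == 0
        && r.ipv4_unicast;
}
int sample_unknown_safi(void)
{
    struct mp_result r;
    parse_capabilities(sample_capas, sizeof(sample_capas), &r);
    return r.unknown_safi;
}
int sample_route_refresh(void)
{
    struct mp_result r;
    parse_capabilities(sample_capas, sizeof(sample_capas), &r);
    return r.route_refresh;
}
/* A buffer cut off inside the first TLV must be reported, not guessed at. */
int sample_truncated_is_malformed(void)
{
    struct mp_result r;
    return parse_capabilities(sample_capas, 5, &r) == -1 && r.malformed;
}

int main(void)
{
    printf("ipv4 unicast=%d unknown safi=%d route refresh=%d truncated=%d\n",
           sample_ipv4_unicast(), sample_unknown_safi(),
           sample_route_refresh(), sample_truncated_is_malformed());
    return 0;
}
```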



Re: bgpd extension handling capabilities

2008-08-24 Thread Graeme Lee

Henning Brauer wrote:

* Graeme Lee <[EMAIL PROTECTED]> [2008-08-21 03:31]:
  

Henning Brauer wrote:
    

* Graeme Lee <[EMAIL PROTECTED]> [2008-08-21 01:51]:
  
  
I've had to connect to a new upstream peer which is advertising an IPv4 
safi of 128  (MPLS-labelled VPN address)

see http://www.iana.org/assignments/safi-namespace

I've modified the source to temporarily ignore this (actually anything 
over 127) as it currently only accepts 1 thru 3.  Once the session is 
established, everything works well.  What I really need to know is if 
this is potentially A Huge Mistake, or should bgpd be able to ignore 
unsupported capabilities being advertised to it?



the standards are pretty unclear about it, but the most logical
interpretation is that we have to send back a notification telling the
peer that we don't support this so capability negotiation actually works.

what is the peer? first time i hear sth doesn't work w/ capa negotiation...

  
  

The peer is NexGen networks.  I gather they're using an Alcatel OS/R.

All I've done to work around this at present is extended the test in 
session.c to ignore  mp_safi < 128 after the first test fails.  Otherwise I 
just get this in the log every 30 seconds:


Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Idle -> Active, reason: Start
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Active -> OpenSent, reason: Connection opened
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): parse_capabilities: AFI IPv4, mp_safi 128 illegal
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change OpenSent -> Idle, reason: OPEN message received



oh. you're not talking about a capability but a safi. otoh i don't
really remember the what the standards demand about that. we can
probably ignore unknown safis there since that is just the neighbor
telling us he would accept prefixes of that safi.

  
Yes but the safis are handled during capability negotiation (in 
function parse_capabilities in session.c)
Do I need to do more than just ignore the unknown safis?  Currently, 
the return (-1) in the mp_safi test never allows the connection to 
establish.  Removing this at least allows the bgp session to function, 
but I'm not sure if that's all that's needed, or even if it's safe to do so.


BGP neighbor is 121.200.227.93, remote AS 38809
Description: NexGen
 BGP version 4, remote router-id
 BGP state = Established, up for 5d00h00m
 Last read 00:00:02, holdtime 90s, keepalive interval 30s
 Neighbor capabilities:
   Multiprotocol extensions: IPv4 unknown (128)
   Route Refresh



Re: bgpd extension handling capabilities

2008-08-20 Thread Graeme Lee

Henning Brauer wrote:

* Graeme Lee <[EMAIL PROTECTED]> [2008-08-21 01:51]:
  
I've had to connect to a new upstream peer which is advertising an IPv4 
safi of 128  (MPLS-labelled VPN address)

see http://www.iana.org/assignments/safi-namespace

I've modified the source to temporarily ignore this (actually anything over 
127) as it currently only accepts 1 thru 3.  Once the session is 
established, everything works well.  What I really need to know is if this 
is potentially A Huge Mistake, or should bgpd be able to ignore unsupported 
capabilities being advertised to it?



the standards are pretty unclear about it, but the most logical
interpretation is that we have to send back a notification telling the
peer that we don't support this so capability negotiation actually works.

what is the peer? first time i hear sth doesn't work w/ capa negotiation...

  

The peer is NexGen networks.  I gather they're using an Alcatel OS/R.

All I've done to work around this at present is extended the test in 
session.c to ignore  mp_safi < 128 after the first test fails.  
Otherwise I just get this in the log every 30 seconds:


Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Idle -> Active, reason: Start
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Active -> OpenSent, reason: Connection opened
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): parse_capabilities: AFI IPv4, mp_safi 128 illegal
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change OpenSent -> Idle, reason: OPEN message received



Changing the test allows bgpd to continue, and I can get the following 
at least:


# bgpctl show neigh
BGP neighbor is x, remote AS 38809
Description: NexGen
 BGP version 4, remote router-id
 BGP state = Established, up for 1d01h50m
 Last read 00:00:04, holdtime 90s, keepalive interval 30s
 Neighbor capabilities:
   Multiprotocol extensions: IPv4 unknown (128)
   Route Refresh

 Message statistics:
                    Sent   Received
  Opens                1          1
  Notifications        0          0
  Updates              4      92476
  Keepalives        2522       3107
  Route Refresh        0          0
  Total             2527      95584

 Update statistics:
                    Sent   Received
  Updates              4     351083
  Withdraws            3      17886

 Local host:121.200.227.94, Local port:  41277
 Remote host:   121.200.227.93, Remote port:   179



bgpd extension handling capabilities

2008-08-20 Thread Graeme Lee
I've had to connect to a new upstream peer which is advertising an IPv4 
safi of 128  (MPLS-labelled VPN address)

see http://www.iana.org/assignments/safi-namespace

I've modified the source to temporarily ignore this (actually anything 
over 127) as it currently only accepts 1 thru 3.  Once the session is 
established, everything works well.  What I really need to know is if 
this is potentially A Huge Mistake, or should bgpd be able to ignore 
unsupported capabilities being advertised to it?


Any advice would be appreciated.

g



Re: rc.local command for postgres

2006-10-20 Thread Graeme Lee

David B. wrote:
trying to get postgres to start up at boot.  found this at 
postgresql's site


On OpenBSD, add the following lines to the file /etc/rc.local:

if [ -x /usr/local/pgsql/bin/pg_ctl -a -x /usr/local/pgsql/bin/postmaster ]; then
    su - -c '/usr/local/pgsql/bin/pg_ctl start -l /var/postgresql/log -s' postgres
    echo -n ' postgresql'
fi

my pg_ctl and postmaster executables are at /usr/local/bin, and have 
modified the script accordingly.  my script reads as follows:

if [ -x /usr/local/bin/pg_ctl -a -x /usr/local/bin/postmaster ]; then
 su - -c '/usr/local/bin/pg_ctl -D /WEBSITE/DATADIRECTORY start' postgres
fi

at boot the error thrown is "No such login class: /usr/local/bin/pg_ctl -D /WEBSITE/DATADIRECTORY start"

You may need to use

su postgres -c '/usr/local/bin/pg_ctl -D  start'


g



the command I usually use after su'ing into postgres is:

pg_ctl -D /WEBSITE/DATADIRECTORY start

as /usr/local/bin is obviously in my PATH.

Any Ideas?

thanks





Re: t-shirts

2006-03-14 Thread Graeme Lee

frantisek holop wrote:


hi there,

it is not my intention to pick a fight again about t-shirts,
size, color, etc.

but i was just wondering...  the other day i went out in my
puffy wireframe t-shirt and people who never heard of openbsd
noticed it and expressed how nice and catchy it was.
 


My wire frame t-shirt was pilfered...

What more can I say?

g



Re: Squid not starting on boot with ADSL

2006-02-28 Thread Graeme Lee

Luke Fogarty wrote:


Hi

Since moving from Cable to DSL, squid no longer starts on boot. I have
the following entry in /etc/rc.local

#start squid
if [ -f /usr/local/squid/sbin/squid ]; then
   echo -n ' Squid'
   /usr/local/sbin/squid
fi

I've also tried just having /usr/local/sbin/squid in there

For DSL I'm using a modem, and the OpenBSD box is creating a virtual
tun0 interface and is making the PPPOE connection, I'm assuming it has
something to do with this? I have the squid startup line AFTER the PPPOE
connection line in rc.local? Squid starts fine once the machine has
completely booted.

I've checked /var/log/messages and /var/log/daemon but nothing of use in
there as far as I can tell

Any guidance is appreciated!

Regards

Luke
 

Check the squid cache.log (/var/squid/cache.log for ports, 
/usr/local/squid/var/log for a default prefix install).  You may find 
out that it's not finding the dns when it starts up.  If so, have a look 
at starting it with the -D switch.



g



Re: Binat and if-bound

2005-12-18 Thread Graeme Lee

Jason Dixon wrote:
I'm working with a fairly sizable ruleset with a lot of inter-VLAN  
routing, so I've chosen to implement if-bound stateful tracking with  
anchors and tagging.  For some reason, PF is failing to route the  
binat traffic to the internal host.  In a typical case, the firewall  
itself accepts SSH connections for a binat alias on carp0 that it  
*should* be passing on into the internal address instead.  What's  
really strange is that I can see the state counter increment for the  
filter rule, but not the binat.


Because binat changes the dest ip to your internal network, you need to 
pass based upon the internal ip destination

The relevant anchor file:


# Filter rules
pass in on $ext_if inet proto tcp from any to $shell_ext port $shell_tcp_svcs flags S/SA tag DMZ_IN modulate state
pass in on $ext_if inet proto tcp from any to $shell_int port $shell_tcp_svcs .

pass in on $ext_if inet proto icmp from any to $shell_ext icmp-type echoreq tag DMZ_IN keep state

pass out quick on $int_if tagged DMZ_IN keep state
pass in on $int_if tag DMZ keep state


Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: radius on openbsd

2005-11-10 Thread Graeme Lee

man Chan wrote:

Hello,

I would like t know where can I get the authentication
users using LDAP via Radius as it seems unavailable at
the openbsd journel.  Any pointers ?  Thanks.


  

Not sure about the ones in the ports tree, but freeradius works well

http://www.freeradius.org/






Re: Shared memory / SQL

2005-08-20 Thread Graeme Lee
Fine.  If the pg team want to call their shared memory space a disk 
buffer, let them.  And you can too.  Anything committed to disk still 
has to traverse the os disk cache.  So in reality, it depends upon how 
you balance parameters such as your os disk cache and your sql disk 
cache etc etc.  I think we've flogged this enough now.



This is absolute nonsense.  The shared buffer cache is well understood,
and the only way you will hurt performance by making it too big is by
using up so much RAM that you start hitting swap, or by making it
larger than your data plus the other usage.  Unless perhaps your OS
performs poorly with large shared memory allocations (does openbsd?).

 

Which is what the original poster asked, because "they" are saying that 
FreeBSD's shared memory management is superior (compared with what?)  
So, does OpenBSD page shared memory to disk if ram becomes full?  If it 
does, can it be prevented?


G



Re: Shared memory / SQL

2005-08-19 Thread Graeme Lee

Adam wrote:


On Fri, 19 Aug 2005 17:08:36 +1000 Graeme Lee <[EMAIL PROTECTED]>
wrote:

This is very much off topic, but you seem to be misunderstanding me.

 

The shared buffer is used by all the postmaster processes as a shared 
memory pool for selects/inserts/updates on the table space.  The disk 
buffer is next stage where the os decides what to do with reads/writes etc.
   



The shared buffer cache is used to cache data read from disk.  In what
way is that not a disk cache?  Yes, the filesystem buffer cache is a
disk cache too, I never said it wasn't.  But your statement that
postgresql does not maintain its own disk cache is simply wrong, the
shared buffer cache is a disk cache, it caches data read from disk, to
prevent future reads from disk.  And the advice to increase
BUFCACHEPERCENT is misguided.  For a dedicated postgresql database
server you are better off using extra RAM for postgresql's cache, not
the filesystem's.

 


It was a suggestion.  And the shared buffer cache is still not a disk cache.

http://www.varlena.com/varlena/GeneralBits/Tidbits/perf.html
http://www.powerpostgresql.com/PerfList/


Postgresql does have a disk cache. 



See above links

G



Re: Shared memory / SQL

2005-08-19 Thread Graeme Lee

Adam wrote:

On Fri, 19 Aug 2005 15:01:12 +1000 Graeme Lee <[EMAIL PROTECTED]>
wrote:

  

I think I was talking about the disk buffer, not the shared buffer.



You said it "uses the os disk buffer" and doesn't maintain its own.
  

its own disk buffer

Everything that reads data from the filesystem uses the OS's buffer.
Postgresql's shared buffer cache is used to cache data read from disk,
so it is a disk cache maintained on its own.  I think postgresql
stores and purges data in the shared buffer cache with an understanding
of table/column access, so you should get more benefit from using extra
RAM there than increasing BUFCACHEPERCENT, not positive though.

  
The shared buffer is used by all the postmaster processes as a shared 
memory pool for selects/inserts/updates on the table space.  The disk 
buffer is next stage where the os decides what to do with reads/writes 
etc.  Both are important, but you need to decide to how to implement 
each caching scheme depending on the requirements of your application.

Yes, but it's only the write-ahead log that is being flushed to disk,
not the actual data files.  So the performance hit isn't that bad,
and it's needed to ensure that your data is not lost or corrupted if an
  

Almost.  It needs to sync everything to disk at each checkpoint too.

unclean shutdown happens.  Also keep in mind that it's only flushed per
transaction, so if you need to insert 10,000 rows, start a transaction
first, do your inserts, then commit it and you will only get 1 fsync()
instead of 10,000.

Adam
  


Oh if only every transaction were that easy!  :-)

Look, there are more buttons and knobs that you can twirl and fiddle 
with in any database application than you can poke a stick at.  There 
are pro's and con's for all of them.  The original question was "is 
OBSD's shared memory performance good enough?" which I think it is in my 
case, but David may decide otherwise.


G



Re: Shared memory / SQL

2005-08-18 Thread Graeme Lee

Adam wrote:

On Fri, 19 Aug 2005 12:28:20 +1000 Graeme Lee <[EMAIL PROTECTED]>
wrote:

  

Postgresql uses the os disk buffer.  It does not maintain its own.



Yes it does.  Postgresql uses a shared buffer cache, and increasing the
number of shared buffers in your postgresql.conf can make a huge
difference in performance.  If your postgresql server has alot of
free RAM, you should be giving it more for its cache.  The link you
provided even talks about this quite a bit.

Adam
  
I think I was talking about the disk buffer, not the shared buffer.  My 
bad for not being explicit enough.  Also, back-pedalling here a bit... 
'twould seem that fsync = true is the default setting flushing data to 
disk, which will always be a bit of a hit for writes.  No?


G



Re: Shared memory / SQL

2005-08-18 Thread Graeme Lee

David Hill wrote:

Hello -
I need to build a server that will run PostgreSQL 8, handling up to 150 
connections.  The current database size is roughly 2GB now with 2.8 million 
rows in its biggest table.  This is expected to continue to grow steadily over 
time.

The hardware I have to work with is a single 3Ghz p4 processor, 1GB RAM, and 2 
36.7GB SCSI drives with a Dell Perc for doing RAID.

How is OpenBSD's shared memory performance?  Could it handle this type of load 
well?  Many people suggest I go with FreeBSD instead because they say FreeBSD's 
shared memory performance is superior, something about a sysctl called 
kern.ipc.shm_use_phys to stop shared memory from swapping out and to use the 
physical ram instead, among a few other reasons.

If OpenBSD would work just as well, I am sure I will have to increase the SHM* 
options in the kernel.   Does OpenBSD have any barriers when it comes to that?

Thanks for any help.
David
  

Difficult to say.  I run a Postgresql database server (dmesg at end).

Similar specs, 2 x 2.4G Xeon, 1GB RAM, 2 x 36.7 GB SCSI (RAID 1)

I run 2 separate database clusters (bound to separate ips) each with 
their connection limit set to 100 without issue.  The biggest database 
is only 600 MB though.  Its largest table has over 7.5 million lines 
(it's a log) which hardly ever gets searched.  The rest is quite fast.


So far I've never even come close to using swap space.  The biggest 
bottleneck is raid 1.  It should have been raid 0 imho.


Postgresql uses the os disk buffer.  It does not maintain its own.  You 
may benefit by increasing the buffcachepct.  Here's a decent link on 
hardware performance tuning:

http://www.postgresql.org/files/documentation/books/aw_pgsql/hw_performance/

Graeme


OpenBSD 3.6-stable (GENERIC.MP) #2: Fri Jul  8 11:39:20 EST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP

cpu0: Intel(R) Xeon(TM) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID

real mem  = 1073197056 (1048044K)
avail mem = 757547008 (739792K)
using 4278 buffers containing 268820480 bytes (262520K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 04/11/04, BIOS32 rev. 0 @ 0xffe90
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc410/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:15:0 ("ServerWorks CSB5 SouthBridge" rev 0x00)

pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xcc000/0x600 0xec000/0x4000!
mainbus0: Intel MP Specification (Version 1.4) (DELL PE 0121 )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 132 MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID

mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type PCI
mainbus0: bus 6 is type ISA
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 16 pins
ioapic0: misconfigured as apic 0, remapped to apic 8
ioapic1 at mainbus0: apid 9 pa 0xfec01000, version 11, 16 pins
ioapic1: misconfigured as apic 0, remapped to apic 9
ioapic2 at mainbus0: apid 10 pa 0xfec02000, version 11, 16 pins
ioapic2: misconfigured as apic 0, remapped to apic 10
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20-HE" rev 0x33
pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20-HE" rev 0x00
pci1 at pchb1 bus 3
bge0 at pci1 dev 6 function 0 "Broadcom BCM5703X" rev 0x02: apic 9 int 12 (irq 7) address 00:0f:1f:6e:2d:af

brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1 at pci1 dev 8 function 0 "Broadcom BCM5703X" rev 0x02: apic 9 int 13 (irq 11) address 00:0f:1f:6e:2d:b1

brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
pchb2 at pci0 dev 0 function 2 "ServerWorks CNB20-HE" rev 0x00
pci2 at pchb2 bus 1
vendor "Dell", unknown product 0xc (class undefined unknown subclass 0x00, rev 0x00) at pci0 dev 4 function 0 not configured

"Dell PERC 3/Di" rev 0x00 at pci0 dev 4 function 1 not configured
vendor "Dell", unknown product 0xd (class undefined unknown subclass 0x00, rev 0x00) at pci0 dev 4 function 2 not configured

vga1 at pci0 dev 14 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb3 at pci0 dev 15 function 0 "ServerWorks CSB5 SouthBridge" rev 0x93
pciide0 at pci0 dev 15 function 1 "ServerWorks CSB5 IDE" rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mod

Re: 2 internet links

2005-08-14 Thread Graeme Lee

Roberto Pereyra wrote:

Hi

Look http://www.openbsd.org/faq/pf/es/pools.html
  


Or you could potentially use the route-to option, e.g.

pass in on $link1_if reply-to ($link1_if $link1_defroute) proto icmp keep state
pass in on $link2_if reply-to ($link2_if $link2_defroute) proto icmp keep state


I used this to route between 2 adsl links with 2 different assigned ip 
address ranges through 1 firewall running different services (citrix on 
one link and www/smtp/ftp etc on the other)


I honestly never thought of pools.  Must check into it :-)

G


roberto

(saludos)


2005/8/13, Diego Augusto Dalmolin <[EMAIL PROTECTED]>:
  

Hi...

I've got an obsd 3.7 firewall and have 2 internet links on it

I don't want to make a load balance...
just "what comes from link#1 goes out with link#1" &&
  "what comes from link#2 goes out with link#2"

from an outside box I'm trying to ping link#2 IP.. the icmp
echorequest comes from link#2 and the echoreply is trying to go out on
link#1(the default gateway)

what can be made on pf.conf to fix this?



--
Diego Augusto Dalmolin
(41) 9648-0882




Re: Ammunition needed to defend OpenBSD/pf

2005-08-03 Thread Graeme Lee

Rod.. Whitworth wrote:

Somebody sent me a query asking for a justification for my proposal to
supply a firewall/router using OpenBSD when there was thsi device:
http://www.dlink.com/products/?pid=327 , with all its claimed bells and
whistles.
  
Well, we connected a new client with straight ethernet via a Dlink 
DL-600 (which their previous isp made them buy).  It just wouldn't 
work.  I could see its mac address, but that was it.  So I went there 
(7pm on Saturday night) and stuffed around with it for 1/2 an hour.  
Reset it. Reconfigured it etc.  Zip.  Nup.  Nada.  I plugged in a 
workstation and configured it and yep, it worked.


I had a completely new OBSD firewall configured for them within 1/2 an 
hour.  On a Saturday night.


Oh, and the user interface on the dlink?  Brain-dead would be a compliment.

Anybody know what, if anything, it does that an OBSD solution doesn't/
cannot, that may be important?

Or alternatively the reverse.

I've started with SSL VPNs (OpenVPN based) which I have found to be
very easy for clients to add to road-warrior machines. I'll be doing a
bit more research on it too but hopefully somebody has some knowledge
of the beast.

Thanks,
Rod/

From the land "down under": Australia.
Do we look  from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.




Re: ADSL connection (PPPoE)

2005-06-14 Thread Graeme Lee

Clint Pachl wrote:


Are there any issues I should consider before buying this modem? Will
it work with Open3.7? I know it works fine with Linux.
   



I highly doubt there will be any issues. The communication between the
switch (built-in to the modem) and your OpenBSD box uses the TCP/IP
protocol. The OS is not even an issue. Also, you will communicate with
the modem via the http protocol for config stuff. BTW, I do not own
and have never used this modem, so YMMV.

 


Does the modem support bridging?


Are there any issues I should consider before taking the connection
from the service provider? Any other technical details?
   



None serious enough to mention.

 


I really want my ADSL connection to work with Open3.7.
   



It will.

Does this guy even need a modem? 
 


Don't you need a modem if you want to do ordinary 56k dialup?


(I know I should start a new thread with this, but here we go) Can't
an OpenBSD box handle a PPPoE/PPPoA connection directly? I recently
setup a VPN between two networks with DSL connections where the modems
make a PPPoA connection. An OpenBSD box resides behind each modem.
Basically, the modem gets an IP address dynamically, does the
authentication, and gets the block of static IPs, one of which the
OBSD box gets. So I was thinking, couldn't the OBSD box theoretically
make the connection and eliminate the modem all together?

 

If your adsl modem supports bridging, you may most likely be able to run 
pppoe directly from OpenBSD.  Telstra Internet Direct works really 
well.  Here's the ppp.conf entry:


pppoe:
 set device "!/usr/sbin/pppoe -i "
 set mtu max 1492
 set mru max 1492
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname ""
 set authkey ""
 set ifaddr  
 add! default HISADDR

The modem's a d-link 504g.  Nothing exciting.  But it bridges and I do 
everything else on my obsd box.




Regards,
Clint Pachl