Re: Better security? Haha

2011-05-20 Thread John Jackson
On Sat, May 21, 2011 at 08:26:50AM +1000, Rod Whitworth wrote:
 Better than
 iptables?
 http://www.esecurityplanet.com/news/article.php/3934151/Fedora-15-Boosts-Linux-Security.htm
 maybe...
 
 But apps opening pinholes?

That's just asking for trouble!

 
 Oh dear.
 
 Those of us running pf for years know that being able to do rule
 changes on the fly is a Good Thing(tm).

It's actually quite easy to make on the fly changes with iptables.  The
author may have misquoted.


John


 
 And I think that we'd all laugh at unprivileged apps messing with the
 rules.
 
 I just thought I'd share my amusement at this announcement.
 
 
 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is 
 tarpitted. The reply-to: address is provided for those who feel compelled to 
 reply off list. Thankyou.
 
 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.



Re: problem with download limit

2011-05-10 Thread John Jackson
Have you tried downloading from different sites?  What is the latency to
those sites?

You may be running into an issue with bandwidth delay product though I
thought recent OpenBSD releases autotuned the needed parameters.

See http://www.psc.edu/networking/projects/tcptune/ for better
understanding.  Mind you, I'm not suggesting that you tweak knobs
without understanding what they do, I'm just offering possible insight.

John

On Tue, May 10, 2011 at 10:44:50PM +0400, Wesley MOUEDINE ASSABY wrote:
 When PF is enabled on the box, there's no queuing limit.
 And disabling PF doesn't solve the problem. Really, I don't understand why I
 download the file at 32Ko/s instead of ~80Ko/s.
 
 At work, the connection used is SDSL 1M (128 Ko/s = upload and download); we
 have 5 public IP addresses; ORANGE is the ISP.
 At home, my connection is ADSL 8M (upload is 800K).
 
 What I have tested:
 Put a laptop with Windows 7, configure it with a public IP address. I can
 download my file at 80 Ko/s.
 Now, remove the laptop, take a PC, install OpenBSD 4.8, configure the
 network card with a public IP address, download the file at 32Ko/s, with the
 same RJ45 cable.
 With the office firewall, disable pf: same problem, I download at 32
 Ko/s.
 I tried also with an OpenBSD appliance (Soekris), download at 32Ko/s.
 
 Any idea ??
 Thank you very much.
 
 Wesley.
 
 On Tue, 10 May 2011 13:11:14, Kevin Chadwick ma1l1i...@yahoo.co.uk
 wrote:
 
 Not sure, there's certainly not enough info here. PF won't cause
 that unless you have some queuing limit. Maybe you have an
 autonegotiation conflict. You could try setting all devices to
 100baseTX full-duplex.



Re: XEN-Guest

2011-05-02 Thread John Jackson
On Mon, May 02, 2011 at 05:21:11PM +0200, Tobias Crefeld wrote:
 I think about installing an OpenBSD-guest on a XEN-Host (Debian
 Squeeze), all OS as 64bit-version alias amd64. Are there any
 experiences with OpenBSD as Dom-U? 

It's probably much more straightforward to run kvm-qemu instead of XEN.
OpenBSD works fine as a guest using kvm/kvm-qemu and a CPU which
supports hardware virtualization (egrep 'svm|vmx' /proc/cpuinfo).  On
the first boot after install, boot into ukc and disable mpbios.
Afterwards, disable mpbios in /bsd with 'config' and it should work
fine.

 
 The guest will be a firewalling-router with ospfd, bind, openvpn and 6
 ethernet-interfaces.

I've successfully run IPSEC (iked and isakmpd both work), bridging and
various network services this way.

 
 Any comments are welcome!
 
 Regards, Tobias.

John



Re: What IRCD is preferred among true security minded folk?

2011-04-28 Thread John Jackson
On Thu, Apr 28, 2011 at 08:07:01PM -0400, Jean-Philippe Ouellet wrote:
 Dear Misc, This is somewhat off topic, but it's been on my mind for
 quite some time, and someone just brought up irc, so I thought I'd
 ask.
 
 I've been looking to set up an irc server for some time now. It
 would be mostly for personal use and I don't plan on having more
 than a handful of concurrent users nor connecting said server to any
 IRC network. My primary criteria are:
  - Good security track record
  - Runs on OpenBSD (port or package)
  - Clean code (Preferably C)
  - Supports encrypted connections

I have a somewhat relevant private IRC server configuration.  This is
for a community of friends.  All users have devices that have terminal
emulation support and key based ssh authentication support.  They ssh in
and get dropped into an IRC session immediately.  The big assumption is
that they don't mind using a terminal based IRC client :)

Use a locked down and immutable ~/.ssh/authorized_keys file with
command='/usr/bin/someIRCclient', which allows only running the
terminal based IRC client which has a per-user configuration file.  Set
other options in the authorized_keys file to limit agent forwarding and
port forwarding as necessary.  See the AUTHORIZED_KEYS FILE FORMAT of
'man sshd'.  The 'Match' and 'ForceCommand' directives in sshd_config
may be more suitable.

Modify configuration directives in sshd_config as needed for your
environment.

Configure appropriate limits in login.conf (or limits.conf in Linux) to
allow only necessary resource consumption and number of concurrent
logins.

Modify the source of chosen IRC client to prevent built-in command
execution functionality.

Configure appropriate filtering with PF, not only inbound but also
outbound.  Use per-user outbound block rules to easily determine which
user attempts to make outbound connections.

Follow other common server security practices.  Set immutable flags on
files as warranted.

Whichever IRC daemon you choose, make an attempt to understand as much
as you can about its configuration.


John
 
 I've read some atrocious IRCd source, I believe I even read one (an
 old version of hybrid?) where all configuration had to be done at
 compile time with #define statements instead of using a
 configuration file. I would prefer C over C++ (hence I'm not too
 fond of inspIRCd (also because they recently had an exploit in one
 of their default modules)).
 
 As I cannot trust the integrity of others' connections, I wish for
 connections to be encrypted in some form or another. Multiple irc
 servers support encryption via SSL, such a feature would be
 desirable. I would like to have channels guaranteed to be private,
 where private is defined by exclusively comprised of explicitly
 allowed users, (allowed by me, in some configuration file,) who must
 have authenticated via PASS or something to ensure that they are not
 impostors, and either be using *encrypted* connections from
 *unspecified*, changing, origins (as in the case of my phone,
 laptop, and friends' computers) or *unencrypted* connections from
 *known*, fixed, origins (as in the case of my bots).
 
 *IF THE ABOVE IS NOT POSSIBLE*, I want to prevent anyone from
 connecting to my server except for myself, my friends, and my bots.
 Normally I would accomplish this via PF, however in this case I
 cannot because I don't have a list of IPs to allow. I frequently use
 IRC via my phone whose IP very often changes and is in a range much
 bigger than I'd like to allow. The problem of my phone could be
 solved by using a bouncer, however such a service would also need to
 be locked down, thus bringing me back to block 0. My friends also
 use varying (unpredictable) locations, and whitelisting each one on
 an as-needed basis would be infeasible. One potential solution I
 have sought is preventing users from doing anything until a proper
 NICK/USER/PASS has been provided, with all accounts created by
 myself and told to the intended user in a secure/prearranged manner,
 and patching my bots to authenticate as such would be rather
 trivial.
 
 Features of the IRCd are not as important to me as its security.
 Sure, nickserv & chanserv & friends would be nice, but I'm more
 concerned about keeping outsiders/snoopers out of private channels
 and keeping my/friends connections secure, and less concerned about
 preventing chat flooding, opless channels, etc.
 
 So far I have looked into:
  * ngIRCd - so far my favorite
  * UnrealIRCd  }
  * IRCD-Hybrid } - all forks from the same giant nightmare
  * Ratbox IRCd }
  * inspIRCd - written in C++, and doesn't have a great track-record
 but I am completely open to anything.
 
 Many thanks,
 Jean-Philippe
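An added example, not from this thread or from any IRC project, of the lockdown John describes above: the authorized_keys entry, the sshd_config Match block and the per-group pf rule, generated by small POSIX sh functions. The client path /usr/local/bin/irssi, the group name ircusers and the use of the egress interface group are assumptions.

```shell
#!/bin/sh
# Added example: the pieces of the "ssh in and land in a terminal IRC
# client" lockdown.  The client path, the group name and the 'egress'
# interface group are assumptions, not the thread's values.

IRC_CLIENT=/usr/local/bin/irssi   # assumed terminal IRC client
IRC_GROUP=ircusers                # assumed login group for IRC-only users

# One authorized_keys line.  The key can only run the IRC client, with
# agent, port and X11 forwarding refused.  $1 is the user's public key line.
authorized_keys_entry() {
    printf 'no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="%s" %s\n' \
        "$IRC_CLIENT" "$1"
}

# sshd_config Match block: the same limits enforced on the server side for
# the whole group, so a user who manages to edit their own authorized_keys
# gains nothing.  Append to /etc/ssh/sshd_config after the global settings.
sshd_match_block() {
    cat <<EOF
Match Group $IRC_GROUP
    ForceCommand $IRC_CLIENT
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication no
EOF
}

# pf rule for /etc/pf.conf: log and drop anything an IRC user tries to open
# towards the outside.  'group' matches the owner of the local socket, so it
# covers exactly the connections made on this host; the client's own session
# to the local ircd goes over lo0 and is not touched by a rule on egress.
# With one rule per user instead of this group rule, the rule number in
# pflog identifies the user, which is what John is after.
pf_user_rules() {
    cat <<EOF
block out log quick on egress proto { tcp, udp } all group $IRC_GROUP
EOF
}

# Write ~/.ssh/authorized_keys for one user with tight permissions.
#   $1 = home directory   $2 = public key line
install_user_key() {
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    authorized_keys_entry "$2" > "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Set the immutable flag (schg): at securelevel 1 or higher even root cannot
# change the file until the next reboot.  chflags is BSD-only, hence the test.
pin_user_key() {
    if command -v chflags >/dev/null 2>&1; then
        chflags schg "$1/.ssh/authorized_keys"
    fi
}

# Usage, as root on the IRC host (example values):
#   install_user_key /home/alice "$(cat alice.pub)" && pin_user_key /home/alice
#   sshd_match_block >> /etc/ssh/sshd_config && pf_user_rules >> /etc/pf.conf
```

The client's own command-execution features (irssi's /exec and friends) still have to be removed from the binary, as John says; sshd and pf only fence in what the client can reach.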



Re: how to viewing packet data?

2010-09-21 Thread John Jackson
On Wed, Sep 22, 2010 at 08:43:16AM +0800, jo...@wonghome.net wrote:
 you are looking for -X option to tcpdump(8). Read the man page for more
 details.
 
 Yes, I tried it before (-X),
 but that is not what I want to get.
 
 What I want to get is something like this:
 Data: Post /from.php?q=123 abc.com
 
 Can tcpdump -X do that?
 If yes, can you give me one example?
 
 Thank you.

tcpflow does that: 'tcpflow -c -s port 80' 

Not sure if it's in ports or not.



Re: Download rate and sysctl settings

2010-02-04 Thread John Jackson
Read about bandwidth delay product:
http://www.psc.edu/networking/projects/tcptune/

John

On Thu, Feb 04, 2010 at 09:36:01PM +0100, Jean-Francois wrote:
 On Thursday, 04 February 2010 20:00:54, Sebastiano Pomata wrote:
  If I may ask, I post to the list this question (I have no purpose on
  creating flames/trolls/os wars, just for my personal knowledge).
 
  On the same box (Core 2 Duo, Realtek Gigabit ethernet) I've performed
  today this simple test, downloading a big file from wu-wien FTP site
  (it's one of OpenBSD main mirrors).
 
  With a clean, partially configured default install of Linux Slackware
  (kernel 2.6.25) I reached download speeds of about 2.5 MB/s, while the
  same file from same server (not a round robin server for sure)
  downloaded on OpenBSD default 4.6 install hardly reached 400 KB/s.
 
  I repeated the test again two times, and got the same results. Then I
  fell over a page (https://calomel.org/network_performance.html) that
  offers some tweaking to OpenBSD's sysctl, and I dumbly pasted them in
  my sysctl.conf and rebooted.
 
  As (not) expected, download rate in OpenBSD reached almost exactly the
  same results of Linux Slackware. The main question is why? Do I need
  to tweak something more to get even better results? Are those settings
  safe enough to be used? Or the default settings had a strong reason
  for being there?
  Why on the FAQ (chapter 6) it says that tweaking
  net.inet.tcp.recvspace and
  net.inet.tcp.sendspace won't led to great improvements, while actually
  I got them?
 
  Again, my intentions are *really* positive and I just want to learn
  more (a quick search on -misc archives didn't led me to much stuff).
 
  Thank you
  Sebastiano
 
 
 In my opinion, the server limits the bandwidth. I've had the same issue. The reason why
 you have 2.5 Mo isn't clear; for me, major OpenBSD FTPs are limited to approx.
 400 Ko/sec per session.
 Regards



Re: The insecurity of OpenBSD

2010-01-22 Thread John Jackson
On Fri, Jan 22, 2010 at 10:56:14AM +0800, Zamri Besar wrote:
 The insecurity of OpenBSD
 http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
 
 -zamri-

Sometimes the add-on security enhancements directly weaken system
security:

http://www.milw0rm.com/exploits/9191


   Bypassing the null ptr dereference protection in the mainline kernel
   via two methods -
 if SELinux is enabled, it allows pulseaudio to map at 0
 UPDATE: not just that, SELinux lets any user in unconfined_t map at
 0, overriding the mmap_min_addr restriction!  pulseaudio is not
 needed at all!  Having SELinux enabled actually *WEAKENS* system
 security for these kinds of exploits!



John



Re: Problems with 4.5 as a KVM guest

2009-10-29 Thread John Jackson
On Thu, Oct 29, 2009 at 12:18:40PM +0100, Toni Mueller wrote:
 Hi,
 
 On Tue, 14.07.2009 at 11:27:13 -0600, Bob Beck b...@openbsd.org wrote:
  and/or ask the linux people to fix KVM to make it really a PC.
 
 I'm running kvm 85+dfsg-4~bpo5 and see the following interesting
 behaviour with OpenBSD 4.6:
 
 * /bsd.rd runs just fine, using the ne(4) driver, but
 * /bsd (the uni-processor kernel) locks up hard during, or just
   after booting, showing ne3: timeout (or similar) messages
   white-on-blue in between.
 
 Any ideas about what specifically to ask the Linux folks, please?
 
 -- 
 Kind regards,
 --Toni++
 

Try setting the nic to e1000 on your kvm commandline.

John



Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread John Jackson
On Thu, Oct 29, 2009 at 04:26:49PM +0200, Kasper Adel wrote:
 Hi,
 
 I am trying to troubleshoot a problem that is totally random, and the one
 idea that would help me is to have a bash script that will ping a few
 destinations every minute, then do a traceroute to these destinations, and
 record the time and all that output in a file. Then the whole process would
 repeat every minute.

You may want to look at 'mtr' or 'mtr-tiny'.  They should be in ports.

 
 This way, I'll be able to look at the script at the end of each day and find
 out if these destinations were reachable when a problem was reported.
 
 The problem/disconnect happens for a few minutes only.
 
 Can any one help me get a script to do that?
 
 Thanks,
 Kim
 

John
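The script Kasper asks for, as an added example that is not from the thread: ping a set of hosts once a minute, traceroute only the ones that fail, and timestamp every line into one log. The target addresses are constructed placeholders, and the ping/traceroute flags assume OpenBSD's tools (both accept -w as a wait time); PING and TRACEROUTE are overridable so the probe commands can be swapped.

```shell
#!/bin/sh
# Added example: minute-by-minute reachability log.  Each probe writes one
# "date time host UP|DOWN" line; when a host is down the traceroute that
# follows is prefixed with the same stamp so the path can be read back later.
# The targets are constructed placeholders (TEST-NET addresses).

HOSTS="${HOSTS:-192.0.2.10 198.51.100.20}"
LOG="${LOG:-/var/log/reach.log}"
PING="${PING:-ping -c 3 -w 5}"                 # three echo requests, 5 s overall
TRACEROUTE="${TRACEROUTE:-traceroute -n -w 2}"
INTERVAL=60

stamp() { date '+%Y-%m-%d %H:%M:%S'; }

# Probe one host.  The traceroute runs only on failure, so the log stays
# small on good days and shows where the path broke on bad ones.
probe() {
    now=$(stamp)
    if $PING "$1" >/dev/null 2>&1; then
        printf '%s %s UP\n' "$now" "$1"
    else
        printf '%s %s DOWN\n' "$now" "$1"
        $TRACEROUTE "$1" 2>&1 | sed "s/^/$now $1 tr: /"
    fi
}

# One round over all hosts; the return value is the number of hosts down.
probe_round() {
    down=0
    for h in $HOSTS; do
        out=$(probe "$h")
        printf '%s\n' "$out"
        case $out in *" DOWN"*) down=$((down + 1)) ;; esac
    done
    return $down
}

# For the end-of-day review: how many DOWN lines a given day (YYYY-MM-DD)
# produced in the log.  $1 = log file, $2 = day.
down_count() {
    grep -c "^$2 .* DOWN\$" "$1" || true
}

main() {
    while :; do
        probe_round >> "$LOG" || :      # the DOWN count is in the log already
        sleep "$INTERVAL"
    done
}

# Start with:  sh reach.sh run &
if [ "${1:-}" = run ]; then main; fi
```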



Re: managing authorized_keys

2009-09-18 Thread John Jackson
On Fri, Sep 18, 2009 at 10:29:54AM -0400, bofh wrote:
 Hi,
 Just wanted to see how you guys manage authorized_keys.  I'm trying to
 move everyone off legacy protocols onto openssh, and one of my
 proposals will involve using authorized keys for scripts/automated
 processes.
 
 There's 400+ unix boxes.  I know we can stick keys into
 authorized_keys, but managing it for a bunch of automated processes
 seems a bit unwieldy.  Is there any way of pointing to an external
 source, say, ldap?
 
 Thanks for any pointers!

I've been meaning to give this a try:

http://code.google.com/p/openssh-lpk/


John


 
 -- 
 http://www.glumbert.com/media/shift
 http://www.youtube.com/watch?v=tGvHNNOLnCk
 This officer's men seem to follow him merely out of idle curiosity.
 -- Sandhurst officer cadet evaluation.
 Securing an environment of Windows platforms from abuse - external or
 internal - is akin to trying to install sprinklers in a fireworks
 factory where smoking on the job is permitted.  -- Gene Spafford
 learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: 4.4 as a VBox guest?

2009-01-26 Thread John Jackson
If you're running Linux as the host OS anyway, you may want to look into
kvm and kvm-qemu for virtualization duties.  OpenBSD and other OSes have
been running well for me as guests under Debian.  Just make sure to use
e1000 as the NIC model.

John

On Mon, Jan 26, 2009 at 09:59:59AM -0600, L. V. Lammert wrote:
 Successfully installed 4.4 (release) on VBox 2.1.2 (AMD64 OpenSuSE 11.1),
 however after installation I'm starting to see SegFaults whenever I try to
 do anything (like pkg_add).
 
 It also looks like some weird things are showing up in dmesg (softraid0?),
 .. sshd appears to work OK so I'd be happy to setup public keys should a
 developer wish to poke around.
 
   Lee
 
 
 drive config:
 
 /dev/wd0a on / type ffs (local)
 /dev/wd0g on /home type ffs (local, nodev, nosuid)
 /dev/wd0e on /tmp type ffs (local, nodev, nosuid)
 /dev/wd0h on /u type ffs (local, nodev, nosuid)
 /dev/wd0d on /usr type ffs (local, nodev)
 /dev/wd0f on /var type ffs (local, nodev, nosuid)
 
 =====
 network config:
 
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
 groups: lo
 inet 127.0.0.1 netmask 0xff000000
 inet6 ::1 prefixlen 128
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
 pcn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 08:00:27:80:04:b5
 groups: egress
 media: Ethernet none
 status: active
 inet6 fe80::a00:27ff:fe80:4b5%pcn0 prefixlen 64 scopeid 0x1
 inet 206.197.251.50 netmask 0xffffff00 broadcast 206.197.251.255
 enc0: flags=0<> mtu 1536
 
 
 dmesg:
 



Re: Find - Sillyness

2009-01-22 Thread John Jackson
On Thu, Jan 22, 2009 at 02:54:21PM -0500, Morris, Roy wrote:
 I know this is more of a general 'huh' kind of thing, but I figured someone
 could kick start my brain for me. Anyone know why this doesn't work? It
 appears to find the files ok but the -exec part thinks it can't?
 
 
 spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
 find: echo ./daemon.2.gz: No such file or directory
 find: echo ./daemon.1.gz: No such file or directory
 find: echo ./daemon.5.gz: No such file or directory
 find: echo ./daemon.4.gz: No such file or directory
 find: echo ./daemon.3.gz: No such file or directory
 find: echo ./daemon.0.gz: No such file or directory
 

Try:

find . -name "daemon.*.gz" -exec echo {} \;

without the double quotes after exec.

John



Re: Network challenge?

2008-12-08 Thread John Jackson
On Tue, Dec 09, 2008 at 07:49:04AM +1100, Rod Whitworth wrote:
 I have a friend who has two internet connections. Lucky B!
 
 He wants me to have a look at some of his operation without travelling
 to his site (lng way). I would need to be able to effectively
 duplicate some of his system and make it look like it was still at his
 site.
 
 Hopefully I can keep the ASCII art intelligible.
 
 ISP#1--/30 with /29 over it-Buddy's
 router-/30ISP#2
 |
 2 hosts on /29
 
 He proposes that I work out how to use the second connection to route
 all of the traffic from ISP#1 to a spare global IP that I have via
 ISP#2 and the cloud and duplicate his setup here (the ISP#1 side and
 hosts). I think transport would have been better than route but
 that was his word.
 
 IOW the world needs to be able to get to my duplicate of his box and,
 apart from latency, it should be transparent.
 
 Is this even possible? I've been dreaming of binatting the /30 end
 point, but over a remote link? Don't think so.  Some kind of tunnel?
 
 I've done some weird things with networks* over the years but this
 request tops the "Huh?" list. Or it is really easy and I just need more
 sleep...
 
 * Not always intentionally.
 
  Anyone game?
 
 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is 
 tarpitted. The reply-to: address is provided for those who feel compelled to 
 reply off list. Thankyou.
 
 Rod/
 /earth: write failed, file system is full
 cp: /earth/creatures: No space left on device
 

The layer 2 IPSEC bridge example here has worked well for me in the past
for extending networks:
http://www.openbsd.org/cgi-bin/man.cgi?query=brconfig&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html


John



Re: httpdump?

2008-11-19 Thread John Jackson
On Wed, Nov 19, 2008 at 08:18:00PM -0800, Jeff Simmons wrote:
 I need, at a minimum, which virtual server at a particular IP address is 
 being 
 accessed, and the contents of any GET commands (methods). If there's a way to 
 get this via tcpdump I haven't found it yet.
 
 On Wednesday 19 November 2008 19:52, Pui Edylie wrote:
  why not tcpdump and filter it on port 80?
 
  Jeff Simmons wrote:
   Anyone know of a text-based program that will dump http protocol packets?
   Like tcpdump, but for http.

Try netwox, tethereal, tcpflow.  One of those should get you what you
want.  Not necessarily in that order though.



Re: VPN between Linux and OpenBSD with RSA

2008-11-03 Thread John Jackson
If you're using Debian you may have better luck just running OpenBSD's
isakmpd on the Debian host.  Just read the docs, 'apt-get install
isakmpd' and proceed as normal.  The standard Debian kernels have the
necessary modules enabled by default.  I've had success with that
approach to a Debian-OpenBSD IPSec vpn.

John


On Mon, Nov 03, 2008 at 08:00:21PM -0200, Pedro David Netto Silveira wrote:
 Hi!
 I'm basically trying to set up a VPN between a Linux box (Debian) and an
 OpenBSD one.
 I'd like to use RSA for that VPN.
 
 With PSK I can make the VPN work, but it looks so hard to build a tunnel with RSA
 keying.
 
 I try this:
 
 Linux Box:
 
 ##file: /etc/ipsec.conf
 
 config setup
     interfaces=%defaultroute
     plutodebug=all
     nat_traversal=yes
     plutowait=yes
     nhelpers=0
     uniqueids=yes
 conn OpenBSD
     type=tunnel
     left=172.20.82.65
     leftrsasigkey=0sAQPKKAz...
     right=172.20.82.57
     rightsubnet=192.168.1.0/24
     rightrsasigkey=0sAQPF5ZXJfL...
     keyexchange=ike
     esp=aes128-sha1
     ike=aes128-sha1-modp1024
     auto=route
     auth=esp
     authby=rsasig
     pfs=yes
     keyingtries=%forever
     rekeymargin=4m
     disablearrivalcheck=no
     rekey=yes
     aggrmode=no
 
 ##file: /etc/ipsec.secrets
 
 : RSA {
     # RSA 1024 bits   ncdres09   Thu Oct 30 10:56:33 2008
     # for signatures only, UNSAFE FOR ENCRYPTION
     #pubkey=0sAQPKKAz...
     .
     .
     .
     .
 }
 --
 OBSD box:
 
 ##file: /etc/ipsec.conf
 
 ipv4_linux = 172.20.82.65
 ipv4_addr = 172.20.82.57
 ipv4_addr_subnet = 192.168.1.0/24
 ike esp from $ipv4_addr to $ipv4_linux quick auth hmac-sha1 enc aes group modp1024
 ike esp from $ipv4_addr_subnet to $ipv4_linux quick auth hmac-sha1 enc aes group modp1024
 
 ##file: /etc/isakmpd/local.pub
 
 -----BEGIN PUBLIC KEY-----
 0sAQPF5ZXJfL...
 -----END PUBLIC KEY-----
 
 ##file: /etc/isakmpd/pubkeys/ipv4/172.20.82.65
 
 0sAQPKKAz...
 
 --
 
 OBS: these IP's are fake.
 
 Does someone know if that would work?
 Any hints for me?
 Thank you!
 
 Pedro David



Re: file encrypyion

2008-10-28 Thread John Jackson
On Wed, Oct 29, 2008 at 03:48:25PM +1300, Paul M wrote:
 I'm looking for a way to encrypy backup files for secure storage.
 
 Gpg is an obvious candidate, but I'm wondering if there's anything in 
 base, perhaps a creative use of ssh or some other tool, though not 
 something liable to break, obviously.
 
 Any thoughts would be much appreciated.
 
 paulm
 

Assuming you have a public key for '[EMAIL PROTECTED]' and the corresponding
private key to decrypt, use this as a 'quick and dirty' example.
Openssl can probably be substituted for gpg.

cd / && sudo tar cf - $(find . -maxdepth 1 ! -name tmp ! -name '.') \
2>/dev/null | gpg -e -r [EMAIL PROTECTED] | ssh somehost "dd \
of=/space/obsd-kvm.`date +%`



Re: file encrypyion

2008-10-28 Thread John Jackson
On Tue, Oct 28, 2008 at 11:04:34PM -0500, John Jackson wrote:
 On Wed, Oct 29, 2008 at 03:48:25PM +1300, Paul M wrote:
  I'm looking for a way to encrypy backup files for secure storage.
  
  Gpg is an obvious candidate, but I'm wondering if there's anything in 
  base, perhaps a creative use of ssh or some other tool, though not 
  something liable to break, obviously.
  
  Any thoughts would be much appreciated.
  
  paulm
  
 
 Assuming you have a public key for '[EMAIL PROTECTED]' and the corresponding
 private key to decrypt, use this as a 'quick and dirty' example.
 Openssl can probably be substituted for gpg.
 

Forgot the trailing double-quote below.

 cd / && sudo tar cf - $(find . -maxdepth 1 ! -name tmp ! -name '.') \
 2>/dev/null | gpg -e -r [EMAIL PROTECTED] | ssh somehost "dd \
 of=/space/obsd-kvm.`date +%`



Re: file encrypyion

2008-10-28 Thread John Jackson
On Tue, Oct 28, 2008 at 11:04:34PM -0500, John Jackson wrote:
 On Wed, Oct 29, 2008 at 03:48:25PM +1300, Paul M wrote:
  I'm looking for a way to encrypy backup files for secure storage.
  
  Gpg is an obvious candidate, but I'm wondering if there's anything in 
  base, perhaps a creative use of ssh or some other tool, though not 
  something liable to break, obviously.
  
  Any thoughts would be much appreciated.
  
  paulm
  
 
 Assuming you have a public key for '[EMAIL PROTECTED]' and the corresponding
 private key to decrypt, use this as a 'quick and dirty' example.
 Openssl can probably be substituted for gpg.
 
 cd / && sudo tar cf - $(find . -maxdepth 1 ! -name tmp ! -name '.') \
 2>/dev/null | gpg -e -r [EMAIL PROTECTED] | ssh somehost "dd \
 of=/space/obsd-kvm.`date +%`
 

Would be helpful to add a decent extension:

cd / && sudo tar cf - $(find . -maxdepth 1 ! -name tmp ! -name '.') \
2>/dev/null | gpg -e -r [EMAIL PROTECTED] | ssh somehost "dd \
of=/space/obsd-kvm.`date +%F`.tar"



Re: slow network performance behind cisco

2008-10-24 Thread John Jackson
On Fri, Oct 24, 2008 at 03:54:01PM +0200, Christoph Leser wrote:
 
 If it is a buffer size problem, why can he transmit 500mb/sec between bsd and
 local linux?

As Otto mentioned, read up on 'bandwidth delay product'.  There's higher
network latency between the remote sites vs hosts on the local LAN and
buffer sizes become quite relevant in high(er) latency situations.

http://en.wikipedia.org/wiki/Bandwidth_delay_product
http://www.psc.edu/networking/projects/tcptune/

John

 
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  On behalf of Otto Moerbeek
  Sent: Friday, 24 October 2008 13:11
  To: Sebastian Reitenbach
  Cc: misc@openbsd.org
  Subject: Re: slow network performance behind cisco
 
 
  On Fri, Oct 24, 2008 at 12:58:27PM +0200, Sebastian Reitenbach wrote:
 
   Hello everybody,
  
   I'm experiencing a very bad network performance, when I try
  to connect
   to a remote server. The point-to-point connection is a E3
  line, with
   34MBit/s, with a cisco 2800 router on each side, terminating the
   point-to-point connection.
  
   These cisco routers have two gigabit interfaces, and a serial
   point-to-point E3 controller. Below my network layout:
  
    +-------------+
    |Remote Server|
    +-------------+
           |GigaBit Ethernet
    +------------+
    |Remote Cisco|
    +------------+
           |Serial E3 Line
           |
    +------------+ GigaBit Ethernet +---------+
    |Local Cisco |------------------|Linux Box|
    +------------+                  +---------+
           |GigaBit Ethernet
    +-------+
    |BSD Box|
    +-------+
  
   I use iperf to measure the connection speed.
   The OpenBSD box, and the Linux box are in two different
  networks, so
   the connection between these two is also routed. When I use iperf
   between the Linux-Box and the BSD-Box, then iperf measures about
   500MBit/s, so thats fine. When I use iperf between the
  Linux Box and
   the remote server, then I get sth. about 32 MBits, that's fine too.
   When I use iperf between the BSD box and the remote server,
   I only get 2MBit/s.
   Then I thought, maybe the interface where the BSD box is connected
   is the problem, so I connected it to the interface on the cisco,
   where the Linux box was connected before, but still only the
   2MBit/s speed to the remote host.
   I also tried different OpenBSD boxes, with different
  network adaptors,
   one with bge, another one with fxp, but also, no difference.
   With both BSD boxes, connection to the Linux box is fast,
   connections to the remote server is slow.
   Then I tried to fiddle around with pf, scrub rules on the BSD box.
   I tested with disabled firewall, with
   scrub no-df
   scrub set-tos lowdelay
   scrub set-tos throughput
   and some more, but without any observable difference in the speed.
   The Linux box and the BSD boxes both had the same MTU on
  their interfaces,
   and also no dropped packets, or errors on the interfaces.
  
   When I connect the Linux box behind the OpenBSD box, and
  then try to
   connect from the Linux box to the OpenBSD box, the
  performance becomes
   slow.
  
   So right now I'm a bit puzzled, and have no idea, why the
  connection
   to the remote host is fast when using a Linux box, but so slow when
   using OpenBSD. Are there any differences in the IP packets that
   OpenBSD and Linux creates? I'm going to capture the network
  traffic on
   the Linux and OpenBSD box to be able to compare the IP packets.
   Is there any tool where I can replay the packet sequence on
  OpenBSD that I
   have
   recorded with tcpdump on the Linux box?
  
   Unfortunately, I don't have access to the remote cisco, or remote
   server, so I cannot check anything there.
  
   any hint is greatly appreciated.
 
  OpenBSD uses a pretty low default send and receive buffer
  size for sockets.  Try increasing net.inet.tcp.recvspace and
  net.inet.tcp.sendspace, after reading a bit about bandwidth *
  delay products.
 
  -Otto
 
  
   If there is more information needed from my side, to explain the
   problem, don't hesitate to ask.
  
   kind regards
   Sebastian
  
  
 
 
 

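An added worked example, not from any of these posts, of the bandwidth-delay product arithmetic behind the advice here, in "Download rate and sysctl settings" and in "problem with download limit", as POSIX sh functions. It assumes 16384 bytes as the OpenBSD default for net.inet.tcp.recvspace/sendspace of that era (the threads do not quote the value), and the round-trip times are constructed.

```shell
#!/bin/sh
# Added example: bandwidth-delay product (BDP) arithmetic, integer-only so
# it runs in any POSIX sh.  Units: bytes, bits/s and milliseconds.

# Largest sustained TCP rate in bytes/s that a fixed window allows: at most
# one window's worth of data can be in flight per round trip.
#   $1 = window in bytes   $2 = RTT in ms
tcp_max_rate() {
    echo $(( $1 * 1000 / $2 ))
}

# Window in bytes needed to keep a link full: bandwidth * delay.
#   $1 = link rate in bits/s   $2 = RTT in ms
bdp_window() {
    echo $(( $1 / 8 * $2 / 1000 ))
}

# RTT in ms at which a given window would explain an observed rate.  If this
# is far above the RTT that ping reports, the socket buffers are not the
# bottleneck and something else (duplex mismatch, shaping) is.
#   $1 = observed rate in bytes/s   $2 = window in bytes
implied_rtt_ms() {
    echo $(( $2 * 1000 / $1 ))
}

demo() {
    win=16384     # assumed OpenBSD default net.inet.tcp.recvspace/sendspace
    rtt=40        # constructed: a plausible RTT to a European mirror

    # 'Download rate and sysctl settings': 400 KB/s on OpenBSD, 2.5 MB/s on
    # Linux to the same mirror.  A 16 KB window at 40 ms gives exactly the
    # OpenBSD figure; 2.5 MB/s (20 Mbit/s) needs about 100 KB of buffer.
    printf 'window %6d B at %3d ms -> at most %7d B/s\n' \
        "$win" "$rtt" "$(tcp_max_rate "$win" "$rtt")"
    printf '20 Mbit/s at %3d ms needs a %6d B window\n' \
        "$rtt" "$(bdp_window 20000000 "$rtt")"

    # This thread: a 34 Mbit/s E3 line.  At 30 ms the window must be ~125 KB,
    # which is why Otto suggests raising recvspace/sendspace.
    printf '34 Mbit/s at  30 ms needs a %6d B window\n' "$(bdp_window 34000000 30)"

    # 'problem with download limit': 32 KB/s where 80 KB/s was expected.  The
    # default window would only cap at 32 KB/s with a 500 ms RTT, so on a
    # local SDSL line the window is not the explanation.
    printf '32 KB/s with a %d B window implies %d ms RTT\n' \
        "$win" "$(implied_rtt_ms 32768 "$win")"
}

demo
```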


Re: reliable, dd over simple ip network

2008-10-16 Thread John Jackson
Maybe the simplest usage:

tar cfz - /somedir | ssh somehost dd of=/somefile.tgz

John

On Thu, Oct 16, 2008 at 10:42:17AM -0400, Douglas A. Tutty wrote:
 On Wed, Oct 15, 2008 at 09:28:56PM -0700, Neko wrote:
  
  since my partitions have 16% free on all systems, I can't tarball the
  drive, send it to the target machine and uncompress,
  
 Tarball it up, pipe the output somewhere, eg via ssh
 
 (disclaimer: untested; concept only)
 
 [tar commands, to stdout] | ssh [EMAIL PROTECTED] cat - [tar commands to
 untar the ball] or > tarball.tgz
 
 Or use rsync?
 
 Doug.



Re: Need Help badly - PF related

2008-09-23 Thread John Jackson
Comments are inline.

On Sun, Sep 21, 2008 at 10:00:58PM -0700, Parvinder Bhasin wrote:
 I have users that can access the website fine (75.44.229.18) and some
 users that complain they can't access it.  I don't know what gives.  I
 have asked on the list for help but still haven't resolved this.  I
 would really appreciate any help.  Why is the user in the below pflog
 getting blocked, whereas most of the users can access the website
 just fine?  I have spent countless hours on this.  I really don't want
 a PIX firewall.  When I switch to the PIX the access seems fine.
 
 
 tcpdump: listening on pflog0, link-type PFLOG
 Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
 Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
 
 
 
 Here is my pf.conf file:
 
 # MACROS 
 ext_if=fxp1
 int_if=fxp0
 pf_log=pflog0
 
 icmp_types=echoreq
 
 # OPTIONS #
 set loginterface $ext_if
 set loginterface $int_if
 set block-policy return
 set skip on lo
 
 # scrub
 scrub in
 

What are you trying to accomplish with the following?  I assume
NAT'ing outbound traffic from internal networks?  If so try creating a
macro for your internal networks and explicitly NAT that.

 nat on $ext_if from !($ext_if) -> ($ext_if:0)

Try this (put the table statement in the appropriate place with your
internal networks):
  table <internal_nets> persist { 10.0.0.0/24, 172.16.0.0/24 }
  nat on $ext_if from <internal_nets> to any -> ($ext_if:0)

 nat-anchor ftp-proxy/*
 rdr-anchor ftp-proxy/*
 

You may gain some clarity by placing a 'pass' in your rdr instead of
a separate pass rule down lower:
  rdr pass on $ext_if inet proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
 rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
 rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128
 
 
 # filter
 block in log (all, to pflog0)
 
 pass out keep state

For the sake of troubleshooting try removing the $int_if in the
antispoof statement:

 antispoof quick for { lo $int_if }

 
 pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80  
 flags S/SA keep state
 pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22  
 flags S/SA keep state
 pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128  
 flags S/SA synproxy state
 pass in inet proto icmp all icmp-type $icmp_types keep state
 pass in quick on $int_if
 

I'd try simplifying as much as possible while troubleshooting, like
commenting out the default 'block' rule and see if the 'antispoof' is
tripping you up and vice versa.



Re: PF cannot RDR connections

2008-09-23 Thread John Jackson
If that's the case the original poster should take a look:
   http://openbsd.org/faq/pf/rdr.html#reflect

I've had to solve similar problems by NAT'ing the internal network(s) to
the firewall's internal interface IP so that traffic hitting the internal
server appears to come from the firewall itself.

On Tue, Sep 23, 2008 at 03:50:48PM -0400, Wade, Daniel wrote:
 Your problem, as I stated off list, is that you are rdr to and from hosts on
 the same subnet.
 These are all 10.10/16 addresses.
 10.10.100.254 is an address on the firewall
 
 
 Here's what's happening.
 
 10.10.0.135.4552 -> 10.10.100.254.81
 Which gets switched to
 10.10.0.135.4552 -> 10.10.0.2.81
 
 Then 0.2 replies directly back to 0.135 because it's local, skipping your
 firewall
 
 10.10.0.2.81 -> 10.10.0.135.4552
 This is bypassing your firewall and messing you up.
 
 0.135 knows nothing about this 0.2 guy.  It didn't connect to him.
 It's looking for a reply from 100.254
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
  Behalf Of Ricardo Augusto de Souza
  Sent: Tuesday, September 23, 2008 3:40 PM
  To: misc@openbsd.org
  Subject: RES: PF cannot RDR connections
 
  No one can help me on this?
  I have just one hour to finish this 'job'.
 
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf
  of Ricardo Augusto de Souza
  Sent: Tuesday, 23 September 2008 16:21
  To: misc@openbsd.org
  Subject: RE: PF cannot RDR connections
 
  I am lost.
  NAT is working but I can't do a single rdr.
  Any clue?
 
 
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf
  of Ricardo Augusto de Souza
  Sent: Tuesday, 23 September 2008 13:31
  To: misc@openbsd.org
  Subject: RE: PF cannot RDR connections
 
  I was monitoring tcpdump -i xl0, disabled pf, tried to access
  http://10.10.100.254:81 and saw this:
 
  13:30:38.976708 10.10.100.254.81 > 10.10.0.135.2321: R 0:0(0) ack 1 win 0 (DF)
  13:30:40.007811 802.1d RSTP config flags=7c<LEARNING,FORWARDING,AGREED> role=DESIGNATED root=8000.0:f:cb:56:80:a0 rootcost=20004 bridge=8000.0:1e:c1:27:b0:80 port=9 ifcost=128 age=2/0 max=20/0 hello=2/0 fwdelay=15/0
 
  13:32:20.254337 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 2046899144 win 0 (DF)
  13:32:20.699272 10.10.0.135.2331 > 10.10.100.254.81: S 2046899143:2046899143(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
  13:32:20.699297 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0 (DF)
  13:32:21.181005 10.10.100.254 > 10.10.0.135: icmp: echo reply
  13:32:21.202344 10.10.0.135.2331 > 10.10.100.254.81: S 2046899143:2046899143(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
  13:32:21.202368 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0 (DF)
 
  Now I turn pf on and I got this:
  # tcpdump -i xl0|grep 81
  tcpdump: listening on xl0, link-type EN10MB
  13:34:44.554439 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
  13:34:47.497787 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
  13:34:49.816656 10.10.0.48.netbios-ns > 10.10.255.255.netbios-ns: udp 50
  13:34:52.226812 10.10.100.254 > 10.10.0.135: icmp: echo reply
  13:34:53.434122 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
 
  Help me please folks, I need this rdr working TODAY.
 
  Thanks in advance!
 
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf
  of Ricardo Augusto de Souza
  Sent: Tuesday, 23 September 2008 11:30
  To: misc@openbsd.org
  Subject: PF cannot RDR connections
 
  I used to do this easily but it's failing now.

  xl0 = 10.10.100.254
  xl1 = internet
 
 
 
  This is my /etc/pf.conf

  # external interface, WAN
  ext_if=xl1
  # internal interface, LAN
  int_if=xl0
  #set skip on lo
  #scrub in
  rdr on xl1 proto tcp from any to xl1 port 8101 -> 10.10.100.21 port 8101
  rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
  #
  # NAT
  #
  #nat on $ext_if from !($ext_if) -> ($ext_if:0)
  nat on $ext_if from 10.10.0.0/16 -> $ext_if
  pass in all
  pass out all
  #pass quick on $int_if no state
  #antispoof quick for { lo $int_if }

  Note:

  I can access http://10.10.0.2
  It fails when I try to access http://10.10.100.254:81
 
  What's wrong, folks?

  # pfctl -sn
  nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
  rdr on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.100.21 port 8101
  rdr on xl0 inet proto tcp from any to 10.10.100.254 port = 81 -> 10.10.0.2 port 80
  #

  # dmesg
  OpenBSD 4.3 (CMT) #1: Mon Sep 22 15:25:18 BRT 2008
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/CMT
  cpu0: Intel(R) Pentium(R) 4 
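As an added example (not from the thread or the PF FAQ itself), here is the reflection fix John points to, written for Ricardo's addresses in the OpenBSD 4.3-era syntax used above: the same-subnet rdr that Wade explains beside the rdr-plus-NAT combination that forces the server's replies back through the firewall. The macro names and the use of 10.10.0.0/16 as the client range are assumptions; the interface, firewall, server and port values come from the post.

```pf
# Added example, not from the thread. OpenBSD 4.3-era pf.conf syntax.
# Macro names are assumptions; addresses and ports are Ricardo's.
int_if  = "xl0"             # 10.10.100.254
int_net = "10.10.0.0/16"    # clients and the web server share this subnet
web_srv = "10.10.0.2"

# Broken: 10.10.0.135 connects to 10.10.100.254:81, pf rewrites the
# destination to 10.10.0.2:80, but the server answers 10.10.0.135 directly
# over the shared subnet. The client never spoke to 10.10.0.2, so it
# answers with a RST and the connection never completes.
# rdr on $int_if proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80

# Fixed: redirect as before, then translate the client's source address to
# the firewall's internal IP. The server now replies to 10.10.100.254, pf
# undoes both translations, and the client sees the reply it expects.
rdr on $int_if proto tcp from $int_net to 10.10.100.254 port 81 -> $web_srv port 80

# The firewall's own address is inside $int_net, so exempt its own traffic
# from the nat rule below.
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $web_srv port 80 -> $int_if

# Side effect: the web server's logs now show every internal client as
# 10.10.100.254. If that matters, the FAQ's split-horizon DNS approach
# (internal clients resolve the name straight to 10.10.0.2) avoids it.

# Filter rules come after translation rules in this syntax; state is kept
# by default from 4.1 on.
pass in all
pass out all
```

The external rdr on xl1 to 10.10.100.21 is unaffected: that traffic enters and leaves on different interfaces, so replies already pass through pf.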

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-25 Thread John Jackson
It may also be worth noting that Debian has OpenBSD's isakmpd packaged,
'apt-get install isakmpd'.  I've had success using isakmpd on Debian to
create VPNs between OpenBSD and Debian gateways.

John

On Mon, Aug 25, 2008 at 03:52:42PM +0300, Imre Oolberg wrote:
 Hi!
 
 
 I'm basically trying to set up a VPN between a Linux box (Debian) and an
 OpenBSD one.
 
 I am not a seasoned IPSec user but I tried out a couple of configurations,
 and one of them was Debian with Racoon and OpenBSD's native isakmpd.
 
 I based my experimentation on an article which is about FreeBSD's Racoon
 and OpenBSD
 
 http://it.toolbox.com/blogs/unix-sysadmin/ipsec-done-bsd-way-part-1-17355
 
 I don't believe you read Estonian fluently, but if you do, please :)
 
 http://kuutorvaja.eenet.ee/wiki/IPSec_kasutamine_Debianiga
 
 Maybe the examples are of some use, still.
 
 
 Imre
 
 PS I am sorry if you insist on using OpenSwan and I started talking about
 Racoon; I haven't tried OpenSwan out myself yet. And I also haven't built
 anything big with ipsec.



Re: have to add pass in rdr statement

2008-06-05 Thread John Jackson
Your pass rules need to reference the IP address after processing by
the rdr rule.  So it should be passing traffic destined to '10.0.0.17'.

See http://openbsd.org/faq/pf/rdr.html#filter for more info.

John

On Thu, Jun 05, 2008 at 03:46:57PM -0700, Lord Sporkton wrote:
 on OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
 I have this pf.conf config, it does not work for vnc
 
 
 ext_if=xl0
 lawrence=10.0.0.17
 
 
 rdr on $ext_if proto tcp from any to $ext_if port vncweb -> $lawrence port vncweb
 rdr on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc
 
 pass  in on $ext_if inet proto tcp  from any to $ext_if port vncweb \
 modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)
 pass  in on $ext_if inet proto tcp  from any to $ext_if port vnc \
 modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)
 
 
 If i use the pass keyword instead in the rdr statement(as below), it
 works fine.
 
 
 rdr pass on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc
 
 
 
 
 Does anyone see something wrong with my pass statements?
 thanks
 
 
 -- 
 -Lawrence
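An added example (not from the thread) of the rule John states, using Lawrence's macros and OpenBSD 4.3-era syntax: the pass rule that can never match beside the one that filters on the translated address, with the overload table declared so the rate limit has somewhere to put offenders. The service names vnc and vncweb are taken from the post and must resolve through /etc/services; the block rule acting on the table is an assumption, not something the post showed.

```pf
# Added example, not from the thread. OpenBSD 4.3-era pf.conf syntax, as in
# the post above; vnc and vncweb are Lawrence's service names and must be
# present in /etc/services.
ext_if   = "xl0"
lawrence = "10.0.0.17"

# The overload target named in the pass rules has to exist as a table.
table <vnc-attack> persist

# Translation is evaluated first. Once these match, the packet's destination
# is $lawrence, and that is the address every later filter rule sees.
rdr on $ext_if proto tcp from any to $ext_if port vncweb -> $lawrence port vncweb
rdr on $ext_if proto tcp from any to $ext_if port vnc    -> $lawrence port vnc

# Assumption, not from the post: give the overload table some effect by
# dropping further traffic from any address the rate limit put into it.
block in quick on $ext_if from <vnc-attack>

# Never matches: the destination is no longer the firewall's own address.
# pass in on $ext_if inet proto tcp from any to $ext_if port vnc \
#     modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)

# Matches: filter on the address the rdr rule produced. "flush global" also
# removes the offender's existing states, not just its new connections.
pass in on $ext_if inet proto tcp from any to $lawrence port { vnc vncweb } \
    modulate state (max-src-conn-rate 3/30, overload <vnc-attack> flush global)
```

"rdr pass", as in Lawrence's working variant, is the shorthand for the same thing, but it cannot carry the max-src-conn-rate and overload options, which is why a separate pass rule on the translated address is the way to keep them.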



Re: 32G SSD - Poor Performance on 4.3

2008-04-29 Thread John Jackson
Keep in mind that all Solid State Disks are NOT the same.  I made the
same mistake and purchased a Transcend 8 GB model.  My 8 GB model used
old technology and not the newer, faster flash.  It was noticeably
slower than traditional spinning disks.

Just check some of the published specs and benchmarks and compare:
http://www.anandtech.com/storage/showdoc.aspx?i=3133&p=5
http://www.transcendusa.com/support/dlcenter/datasheet/SSD25S%20Datasheet%20v1.03.pdf
(look at page 3 of that pdf)

More reading from a vendor: http://www.dvnation.com/ssdfaq.html


John

On Tue, Apr 29, 2008 at 09:35:15AM -0400, Morris, Roy wrote:
 I have been reading around the archives a bit and found a few
 references to using 4.3 to get the full performance out of a
 Transcend SSD but my results are showing that the drive is
 slower on all fronts. I am wondering if anyone has tried these
 tests and what the results might have been?
 
 Anyone know if there is a magic switch I can throw to make
 the OS use this type of drive at full speed?
 
 Thanks
 Roy
 
 Drive: Transcend TS32GSSD25-M (32G)
 OS - 4.3 snapshot from 04/28/2008
 
 
 PE 350 - Regular HD (Write Time)
 roy:/home/rmorris$ dd if=/dev/zero of=testfile.blk bs=65536 count=16384
 16384+0 records in
 16384+0 records out
 1073741824 bytes transferred in 55.392 secs (19384111 bytes/sec)
 
 PE 350 - SSD HD (Write Time)
 # dd if=/dev/zero of=testfile.blk bs=65536 count=16384
 16384+0 records in
 16384+0 records out
 1073741824 bytes transferred in 176.273 secs (6091344 bytes/sec)
 
 PE 350 - Regular HD (Read time)
 roy:/home/rmorris$ dd if=testfile.blk of=/dev/null bs=65536 count=16384
 16384+0 records in
 16384+0 records out
 1073741824 bytes transferred in 40.165 secs (26732730 bytes/sec)
 
 PE 350 - SSD HD (Read Time)
 # dd if=testfile.blk of=/dev/null bs=65536 count=16384
 16384+0 records in
 16384+0 records out
 1073741824 bytes transferred in 50.842 secs (21118975 bytes/sec)



Re: OpenBSD as Xen domU

2008-02-06 Thread John Jackson
OpenBSD as DomU works using hardware virtualization for me.  There's
the occasional lockup that I haven't looked into too much.  You can
launch vncviewer to get a console.  My working config is at the bottom.

John

On Wed, Feb 06, 2008 at 11:55:05PM +0100, Julien Cabillot wrote:
 It works, but I had really bad performance with the network (timeouts on
 the re interface).
 Dmesg: http://www.openbsd-france.org/ml/archives/msg02494.html


I found that setting the vif interface to 'model=ne2k_pci' helps with 
the timeouts.


 On jeu, 2008-02-07 at 00:29 +0200, NetOne - Doichin Dokov wrote:
  I'm looking to replace a Linux domU with a BSD one, preferably OpenBSD.
  Anyone any success running stable OpenBSD (FreeBSD would also suffice)
  as domU in a Xen system? If so, willing to share config / how-to /
  experience?
 
  Kind regards,
  Doichin


Here's a working Xen config:
=
# Xen domain config files are Python; pick the qemu-dm path by architecture.
import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'
kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'
memory = 256
name = "obsd"
pae=0
# ne2k_pci avoids the re(4) interface timeouts mentioned above
vif = [ 'type=ioemu, mac=00:16:3e:7d:be:ef, model=ne2k_pci' ]
disk = [ 'file:/disk/homer.disk,hda,w', 'file:/disk/obsd42_amd64.iso,ioemu:hdc:cdrom,r' ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot='cd'
sdl=0
vnc=1           # console is reached with vncviewer, as noted above
vncviewer=0
nographic=0
stdvga=0
serial='pty'
ne2000=1
audio=0
localtime=1
=



Re: A necessary evil: snmpd(8) and snmpctl(8)

2007-12-05 Thread John Jackson
This is great news!  Hopefully I'll find the time to help test.

John


On Wed, Dec 05, 2007 at 11:52:12AM +0100, Reyk Floeter wrote:
 Hi!
 
 I just imported snmpd(8) and snmpctl(8), an initial attempt to 
 implement a new SNMP daemon for OpenBSD.  SNMP is the Simple Network
 Management Protocol and it is still very commonly used in corporate
 networks, by network vendors, and in network management systems (NMS).
 
 SNMP is very essential for me since I'm using it at work; our security
 appliances based on OpenBSD need to integrate into various SNMP
 scenarios.  We had to use net-snmp for this; the BSD license is good
 but the code is very bad and full of ancient cruft and portability
 glue.  Then there were many problems with the net-snmp port in
 OpenBSD, people reported 90% CPU usage on -misc, crashes, bugs, ...it
 was just a pain.
 
 So I decided to have a look at SNMP to implement something new.  When
 we don't like the existing alternatives or ports, we tend to
 re-implement it in OpenBSD, right?  Having a new snmpd(8) using
 privilege separation, the imsg framework from ospfd/bgpd, knf,
 security in mind, and a nice control program like snmpctl(8) would
 be really nice and solve some of our problems.  And I knew that
 claudio@ already started working on a little ASN.1 BER implementation
 for another project; this was the perfect base for handling the
 annoying BER-encoding of SNMP messages.
 
 I talked to some people during OpenCON (http://www.openbsd.org/) about
 my idea and the initial code that I was working on.  The expected
 reaction was always like "This is nice, but I don't like SNMP.  SNMP
 is a necessary evil."  People are upset and happy at the same time;
 will it be possible to implement a sane SNMP?  Will it be possible to
 make it secure?
 
 The code is still in a very early stage, snmpctl(8) is mostly a stub
 without any functionality, and the implemented MIBs are limited to
 (most of) the MIB-2, SNMPv3-MIB, and the IF-MIB.  I plan to implement
 the IP-MIB, TCP-MIB, UDP-MIB, and BRIDGE-MIB next and continue with
 working on the daemon's infrastructure.  There needs to be a way to
 talk to other daemons in OpenBSD without using SNMP BER messages:
 IMSG.  snmpd(8) may connect to the daemons, query some IMSG
 information, and provide the SNMP MIBs for the outside world.  I also
 plan to export some useful information like sensor status in an
 OpenBSD-specific MIB. 
 
 I DON'T want to provide a plug-in or module API, people can use
 net-snmp if they need a hyper-extensible codebase.
 
 The daemon is currently based on the SNMPv2/3 RFCs, supporting
 SNMPv1/2 messages and a very simple community-based security model
 (SNMPv2c).  The User-based Security Model (USM) will be added later,
 but the complexity of the new SNMPv3 standards is a little bit scary;
 they turned a simple protocol into a mess of layers, modules, and
 abstractions.  There is also a very interesting draft about a
 SSH-based security model for SNMP (draft-ietf-isms-secshell), but it
 is defined by Cisco and Huawei...
 
 Sure, I'm looking for volunteers to test and to contribute to
 snmpd(8), have a look at the src/usr.sbin/snmpd/README file and the
 code in the OpenBSD source tree.  It is not enabled in the builds yet
 and it will take some time before we are satisfied enough to enable
 it.  Again, please don't propose any useless features XYZ, it is good
 to have net-snmp for all the additional foo.
 
 reyk
 
 # client: snmpwalk from net-snmp, server: new OpenBSD snmpd(8)
 sysDescr = STRING: OpenBSD john.hq.vantronix.net 4.2 GENERIC.MP#6 amd64
 sysObjectID = OID: enterprises.26766.42.2.1.42
 sysUpTime = Timeticks: (2472) 0:00:24.72
 sysContact = STRING: [EMAIL PROTECTED]
 sysName = STRING: john.hq.vantronix.net
 sysLocation = STRING: 
 sysServices = INTEGER: 74
 sysORLastChange = Timeticks: (0) 0:00:00.00
 sysORIndex.1 = INTEGER: 1
 sysORIndex.2 = INTEGER: 2
 sysORIndex.3 = INTEGER: 3
 sysORID.1 = OID: mib-2
 sysORID.2 = OID: snmp
 sysORID.3 = OID: ifMIB
 sysORDescr.1 = STRING: iso.org.dod.internet.mgmt.mib-2
 sysORDescr.2 = STRING: iso.org.dod.internet.mgmt.mib-2.snmp
 sysORDescr.3 = STRING: iso.org.dod.internet.mgmt.mib-2.ifMIB
 sysORUpTime.1 = Timeticks: (0) 0:00:00.00
 sysORUpTime.2 = Timeticks: (0) 0:00:00.00
 sysORUpTime.3 = Timeticks: (0) 0:00:00.00
 ifNumber = INTEGER: 4
 ifIndex.1 = INTEGER: 1
 ifIndex.2 = INTEGER: 2
 ifIndex.3 = INTEGER: 3
 ifIndex.4 = INTEGER: 4
 ifDescr.1 = STRING: em0
 ifDescr.2 = STRING: ath0
 ifDescr.3 = STRING: enc0
 ifDescr.4 = STRING: lo0
 ifType.1 = INTEGER: ethernetCsmacd(6)
 ifType.2 = INTEGER: ethernetCsmacd(6)
 ifType.3 = INTEGER: other(1)
 ifType.4 = INTEGER: softwareLoopback(24)
 ifMtu.1 = INTEGER: 1500
 ifMtu.2 = INTEGER: 1500
 ifMtu.3 = INTEGER: 1536
 ifMtu.4 = INTEGER: 33168
 ifSpeed.1 = Gauge32: 10
 ifSpeed.2 = Gauge32: 5400
 ifSpeed.3 = Gauge32: 0
 ifSpeed.4 = Gauge32: 0
 ifPhysAddress.1 = STRING: 0:1a:6b:36:2e:5
 ifPhysAddress.2 = STRING: 0:16:cf:ab:4c:97
 

Re: GPRS/EDGE modems to use with a notebook

2007-11-02 Thread John Jackson
I've had success with the Sierra Wireless Aircard 860 on a Thinkpad X40.
Lately though the card seems to be acting flaky and causing hard
lockups.  That could be a combination of the firmware on the Aircard and
the carrier, which is AT&T.  From what I've read, it's recommended to
keep the firmware updated to keep in step with the carrier's
infrastructure updates.  Unfortunately I haven't found a way to upgrade
the card's firmware under OpenBSD or Linux.

http://www.sierrawireless.com/estore/Default.aspx?SKU=1100521&CID=1

John

On Fri, Nov 02, 2007 at 05:01:16PM +0100, Daniel wrote:
 Hi!
 
 I'm looking for a mobile device which I could use for connecting to the 
 internet with a notebook. I've read the www.openbsd.org/i386.html page 
 and found some devices, but those are rather hard to find here in 
 Hungary. Could someone inform me about some other GPRS/EDGE capable 
 devices which will work with OpenBSD? (be it a pc-card or a mobile 
 phone).
 
 Thanks!
 
 Daniel



Re: pf

2007-10-05 Thread John Jackson
   inet 10.0.0.0 netmask 0xff00 broadcast 255.255.255.0

Without looking at anything else, that line jumps out at me.  Are you
certain that you want your broadcast set to '255.255.255.0'?  Sounds
like a netmask to me.

John

On Fri, Oct 05, 2007 at 02:48:00PM -0400, a.padilla wrote:
 ifconfig:
 
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   groups: lo
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
   inet 127.0.0.1 netmask 0xff00
 rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:18:4d:ea:33:0a
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::218:4dff:feea:330a%rl0 prefixlen 64 scopeid 0x1
   inet 192.168.0.111 netmask 0xff00 broadcast 192.168.0.255
 dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:14:bf:53:1e:fe
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::214:bfff:fe53:1efe%dc0 prefixlen 64 scopeid 0x2
   inet 10.0.0.0 netmask 0xff00 broadcast 255.255.255.0
 pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
 enc0: flags=0<> mtu 1536
 
 pfctl
 
 TRANSLATION RULES:
 nat on rl0 inet from 10.0.0.0/8 to any -> (rl0) round-robin
 
 FILTER RULES:
 pass quick all flags S/SA keep state
 No queue in use
 
 STATES:
 all udp 239.255.255.250:1900 -> 192.168.0.1:1900       NO_TRAFFIC:SINGLE
 all udp 192.168.0.111:1026 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
 all udp 192.168.0.111:1027 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
 all udp 192.168.0.111:1028 -> 24.64.244.238:33603       NO_TRAFFIC:SINGLE
 
 INFO:
 Status: Enabled for 0 days 00:25:29   Debug: Urgent
 
 State Table                     Total             Rate
   current entries                    4
   searches                       19533           12.8/s
   inserts                          126            0.1/s
   removals                         122            0.1/s
 Counters
   match                          13620            8.9/s
   bad-offset                         0            0.0/s
   fragment                           0            0.0/s
   short                              0            0.0/s
   normalize                          0            0.0/s
   memory                             0            0.0/s
   bad-timestamp                      0            0.0/s
   congestion                         0            0.0/s
   ip-option                          0            0.0/s
   proto-cksum                       15            0.0/s
   state-mismatch                     0            0.0/s
   state-insert                       0            0.0/s
   state-limit                        0            0.0/s
   src-limit                          0            0.0/s
   synproxy                           0            0.0/s
 
 TIMEOUTS:
 tcp.first   120s
 tcp.opening  30s
 tcp.established   86400s
 tcp.closing 900s
 tcp.finwait  45s
 tcp.closed   90s
 tcp.tsdiff   30s
 udp.first60s
 udp.single   30s
 udp.multiple 60s
 icmp.first   20s
 icmp.error   10s
 other.first  60s
 other.single 30s
 other.multiple   60s
 frag 30s
 interval 10s
 adaptive.start 6000 states
 adaptive.end  12000 states
 src.track 0s
 
 LIMITS:
 stateshard limit1
 src-nodes hard limit1
 frags hard limit 5000
 tableshard limit 1000
 table-entries hard limit   20
 
 TABLES:
 
 OS FINGERPRINTS:
 696 fingerprints loaded
 
 I feel exposed ;)
 
 On Oct 5, 2007, at 2:30 PM, Chad M Stewart wrote:
 
 Ok, so it is something more basic than filtering.  What is the  
 output of the following
 
 ifconfig -A
 
 pfctl -s all
 
 sysctl -a|grep forward
 
 
 How are the obsd box and the client connected, from a networking  
 perspective?  Wired?  Hub/Switch?  direct with cross over cable?
 
 
 -Chad
 
 On Oct 5, 2007, at 2:21 PM, a.padilla wrote:
 
 I commented out pass out keep state and added, after the nat rule,
 pass quick all.  Still nothing.
 
 I can't even ping from the server the private IP which the client
 has
 
 I know the client is connected to the server, it shows up in
 dhcpd.leases.  Do you think it's my dhcpd server that's wrong?
 
 



Re: VPN site to site with ipsec

2007-07-23 Thread John Jackson
Have you tried tcpdumping on the enc0 interface on both gateways to see
what happens when pinging?  tcpdump -n -s 1600 -i enc0

Is there a firewall enabled on the non-responsive end hosts?  I've seen
recent versions of Windows block or drop icmp echo requests, maybe some
recent service pack release?  I know our Windows admins swear they
didn't do it themselves.


On Mon, Jul 23, 2007 at 04:40:40PM +0700, sonjaya wrote:
 Thanks Daniel, I have followed the link and still get ping reply from
 pc(a) to pc(b). Below are my ipsec.conf and pf.conf
 in host(a)
 # cat /etc/ipsec.conf
 ike esp from 192.168.0.0/24 to 192.168.2.0/24 peer host(b)
 ike esp from host(a) to 192.168.2.0/24 peer host(b)
 ike esp from host(a) to host(b)
 #
 # cat /etc/pf.conf
 ext_if=xl0
 int_if=xl1
 set skip on { lo0 $int_if enc0 }
 nat on $ext_if from !($ext_if) -> ($ext_if:0)
 block in
 pass out keep state
 pass quick on $ext_if from host(b)
 
 in host(b)
 # cat /etc/ipsec.conf
 ike esp from 192.168.2.0/24 to 192.168.0.0/24 peer host(a)
 ike esp from host(b) to 192.168.0.0/24 peer host(a)
 ike esp from host(b) to host(a)
 #
 
 # cat /etc/pf.conf
 ext_if=xl0
 int_if=xl1
 set skip on { lo0 $int_if enc0 }
 nat on $ext_if from !($ext_if) -> ($ext_if:0)
 block in
 pass out keep state
 pass quick on $ext_if from host(a)
 
 I tried traceroute at both hosts
 #pc(b) to pc(a)
 c:\Document and Settings\User.notebook\tracert 192.168.0.4
 Tracing route to 192.168.0.4 over  a maximun of 30 hops
 
 1.  1ms1ms   1ms  192.168.2.1
 2.  2 ms 1 ms  1 ms host(b) [219.83.xx.xx]
 3.  2 ms 1 ms  2 ms 192.168.0.4
 
 #pc(a) to pc(b)
 [EMAIL PROTECTED] root]# traceroute 192.168.2.12
 traceroute to 192.168.2.12 (192.168.2.12), 30 hops max, 38 byte packets
 1  192.168.0.151 (192.168.0.151)  0.226 ms  0.181 ms  0.136 ms
 2  host(b) (219.83.xx.xx)  1.742 ms  1.736 ms  1.591 ms
 3  * *
 
 So where is it wrong, my pf or my ipsec ...?
 
 All freshly installed from obsd 4.1.
 
 
 
 
 On 7/23/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
 sonjaya wrote:
  http://www.openbsdsupport.org/vpn-ipsec.html
 
 Maybe you could also have a look at this nice presentation that shows
 many changes done on OpenBSD.
 
 You can start here to see some OpenBSD suggestions, but you can look it
 all as well as it's nice. (;
 
 http://openbsd.org/papers/asiabsdcon07-ipsec/mgp00057.html
 
 
 
 -- 
 sonjaya
 http://sicute.blogspot.com
 
 