Migrating users from one machine to another
I want to migrate users from one machine to another, I was hoping someone had a script. I basically want to copy every user with a UID >= 1000 and their password to the new system. I have copied their home directories with rsync, so it would be good if it could also chmod the permissions back.
-- www.johntate.org
Re: Migrating users from one machine to another
That worked, easier than I thought.

On Fri, Nov 15, 2013 at 11:42 PM, Nick Holland n...@holland-consulting.net wrote:
> On 11/15/13 05:10, John Tate wrote:
> > I want to migrate users from one machine to another, I was hoping someone had a script. I basically want to copy every user with a UID >= 1000 and their password to the new system. I have copied their home directories with rsync, so it would be good if it could also chmod the permissions back.
>
> not sure why you need a script...
>
> The exact details depend on what is different between the systems currently and desired to be different ultimately.
>
> Start with the old /etc/master.passwd file, fix things that are missing, remove things you don't want, copy it over and run pwd_mkdb. If the starting and ending machines are supposed to be identical, no fixing should be needed.
>
> Nick.
-- www.johntate.org
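A worked version of the procedure Nick describes, added here as an example and not a script from the thread: it filters a master.passwd(5) copied off the old machine down to the regular-user entries (UID 1000 and up), pulls the matching /etc/group lines, generates the chown commands for the rsync'd home directories, and checks for UID and name collisions with the new host before anything is merged. The sample files in the usage below are constructed; the UID floor of 1000, the nobody UID of 32767 and the assumption that homes were copied to the same paths are mine.

```sh
#!/bin/sh
# Added example (not from the thread): select regular-user entries from an
# OpenBSD master.passwd(5) copied off the old machine and prepare them for the
# new one. master.passwd fields are
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# Assumptions: adduser(8) starts regular users at UID 1000, the pseudo-user
# nobody sits at 32767, and home directories were rsync'd to the same paths.

MIN_UID=${MIN_UID:-1000}
MAX_UID=${MAX_UID:-32767}

# Print each master.passwd line for a regular user unchanged, so the password
# hash, login class and shell travel with the account.
select_users() {
    # $1 = master.passwd from the old machine
    awk -F: -v min="$MIN_UID" -v max="$MAX_UID" '
        /^#/ || NF < 10 { next }                   # comments, blank or broken lines
        $3 + 0 >= min && $3 + 0 < max { print }
    ' "$1"
}

# Print the /etc/group lines for the primary GIDs of the selected users, so the
# group names (user-private groups by default) travel along too.
select_groups() {
    # $1 = old master.passwd, $2 = old /etc/group
    select_users "$1" | awk -F: '
        NR == FNR { gid[$4] = 1; next }            # first input: selected users
        ($3 in gid)                                # second input: /etc/group
    ' - "$2"
}

# Emit chown commands that put numeric ownership back on the copied homes;
# rsync only preserves owner and group when it runs as root on the receiver.
home_fixups() {
    # $1 = old master.passwd
    select_users "$1" | awk -F: '{ printf "chown -R %s:%s %s\n", $3, $4, $9 }'
}

# Report selected users whose UID or name is already taken by a different
# account on the new host. Appending those blindly hands one user the other's
# files, so they need a new UID (and a chown) before the merge.
check_collisions() {
    # $1 = old master.passwd, $2 = the new host's current master.passwd
    select_users "$1" | awk -F: -v newpw="$2" '
        BEGIN {
            while ((getline line < newpw) > 0) {
                if (line ~ /^#/ || split(line, f, ":") < 10) continue
                byuid[f[3]] = f[1]; byname[f[1]] = f[3]
            }
        }
        ($3 in byuid) && byuid[$3] != $1 {
            printf "uid %s: %s (old) vs %s (new)\n", $3, $1, byuid[$3]
        }
        ($1 in byname) && byname[$1] != $3 {
            printf "name %s: uid %s (old) vs %s (new)\n", $1, $3, byname[$1]
        }
    '
}

# Usage: sh migrate_users.sh old/master.passwd old/group [new/master.passwd]
# Review the output, append the user and group lines on the new host, run the
# chown commands, then rebuild the databases with: pwd_mkdb -p /etc/master.passwd
if [ $# -ge 2 ]; then
    [ $# -ge 3 ] && check_collisions "$1" "$3"
    select_users "$1"
    select_groups "$1" "$2"
    home_fixups "$1"
fi
```

The collision check is the step worth not skipping: if the new host already handed UID 1000 to a different account, appending the old entry silently gives that account every file in the rsync'd home. Only after the merged /etc/master.passwd looks right should pwd_mkdb -p be run, which also regenerates /etc/passwd.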
adduser setting permissions wrong
adduser is setting permissions so everyone can read a user's home directory. I've never done much configuration of this tool so I can't seem to find where to change this, I thought there would be an option in adduser.conf. Here is a new user:

drwxr-xr-x  3 test  test  512 Oct 26 20:42 test

I'd really like them to be 770
-- www.johntate.org
Re: I can't figure out how to change the php-fpm memory limit
This is no longer an issue, it was a result of having things in the wrong place in wp-config.php

On Sun, Oct 6, 2013 at 8:25 AM, John Tate j...@johntate.org wrote:
> php-fpm is running the scripts as a user in default login class, so login.conf should be fine.
>
> On Sun, Oct 6, 2013 at 7:32 AM, Ville Valkonen weezeld...@gmail.com wrote:
> > Hi,
> >
> > take a look into man login.conf
> >
> > --
> > Regards,
> > Ville
-- www.johntate.org
I can't figure out how to change the php-fpm memory limit
I am trying to increase the memory limit on my nginx php-fpm server for wordpress. I've set the following in wp-config.php...

define('WP_MEMORY_LIMIT', '128M');
define('WP_MAX_MEMORY_LIMIT', '128M');

php.ini has the following...

memory_limit = 128M
;suhosin.memory_limit = 0

The fpm server is also set to change this.

php_admin_value[memory_limit] = 128M

Yet wordpress claims it only has 40MB, how can this be? I believe it might be suhosin but I am unsure how to change this on an OpenBSD server. I've tried changing it in the settings for the php-fpm server pool.

php_admin_value[suhosin.memory_limit] = 128M

If someone can tell me how to change the limit that would be good. The changes I've made don't seem to affect anything.
-- www.johntate.org
Re: I can't figure out how to change the php-fpm memory limit
php-fpm is running the scripts as a user in default login class, so login.conf should be fine.

On Sun, Oct 6, 2013 at 7:32 AM, Ville Valkonen weezeld...@gmail.com wrote:
> Hi,
>
> take a look into man login.conf
>
> --
> Regards,
> Ville
-- www.johntate.org
SSH as root with specific IP
I want to be able to log in as root by SSH with a specific IP address. This is so rsync can log in to the server easily and backup many files owned by many different users and groups. Rather than a script on the server logging into the server with the backups with many files and many different users. Can it be done? -- www.johntate.org
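The question has no answer on the page. What follows is an added example of the standard OpenSSH way to do what is asked, not code from the thread: sshd_config(5) applies everything after a Match line only to matching connections, so PermitRootLogin can stay off globally and be enabled for the backup host's address only, and the authorized_keys entry for that host can pin the key to that address and to a single read-only rsync command. The backup host address 203.0.113.10, the backup tree /srv and the rrsync path are assumptions; rrsync is the wrapper shipped in rsync's support/ directory. The first function audits an existing sshd_config for a global "PermitRootLogin yes".

```sh
#!/bin/sh
# Added example (not from the thread): root over SSH from one address only.
# Assumptions: backup host 203.0.113.10, backup tree /srv, and rsync's
# support/rrsync installed as /usr/local/bin/rrsync.

# Audit: report every "PermitRootLogin yes" that sits outside a Match block.
# Returns 0 when none is found, 1 otherwise. Handles the "keyword value" form
# (case-insensitive keywords, as sshd does), not the rarer "keyword=value" one.
audit_root_login() {
    # $1 = sshd_config to check
    awk '
        BEGIN { bad = 0; in_match = 0 }
        { key = tolower($1) }
        key == "match" { in_match = 1; next }      # everything below is conditional
        key == "permitrootlogin" && !in_match && tolower($2) == "yes" {
            printf "line %d: global PermitRootLogin yes\n", NR
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# The sshd_config fragment: root login is off by default; from $1 it is allowed
# only with a public key whose authorized_keys entry carries a forced command.
root_from_backup_host() {
    # $1 = address or CIDR of the backup host
    cat <<EOF
PermitRootLogin no
Match Address $1
    PermitRootLogin forced-commands-only
    PasswordAuthentication no
EOF
}

# The /root/.ssh/authorized_keys entry: usable only from $1, only to run rrsync
# read-only below $2, with no forwarding and no pty. rrsync rejects rsync
# options that would escape that directory.
backup_key_entry() {
    # $1 = source address, $2 = directory rsync may read, $3 = public key line
    printf 'from="%s",command="/usr/local/bin/rrsync -ro %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# Usage: sh root_backup_ssh.sh /etc/ssh/sshd_config
# Prints findings for the current config, then the fragment and key entry to add.
if [ $# -ge 1 ]; then
    audit_root_login "$1" || echo "fix the global setting before adding the Match block"
    root_from_backup_host 203.0.113.10
    backup_key_entry 203.0.113.10 /srv "ssh-ed25519 AAAA... backup@client"
fi
```

With this in place the backup host runs something like rsync -a root@server:home/ /backup/home/ and the path resolves below /srv; any other command, or the same key presented from another address, is refused. The "from=" restriction and the Match block overlap on purpose: one protects the key if it leaks, the other protects the account if a second key is ever added.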
OpenBSD not forwarding to specific sites
I am having trouble with IP forwarding to specific sites on a very typical configuration. The router itself can access these sites but clients can not. I have looked in obvious places on the clients, but I cannot find a cause. I reinstalled OpenBSD on the router after getting SSL errors where SSL servers could not be reached from clients, and I bought a cheap Netgear router to use which works fine, ruling out that my ISP is causing problems. I really need to find out what is causing these issues with my Internet; it is something bizarre.

On my server I've literally only changed the following files...

/etc/hostname.fxp0
/etc/hostname.athn0
/etc/hostname.pppoe0
/etc/hostname.xl0
/var/named/etc/named.conf
/etc/rndc.conf
/etc/resolv.conf
/etc/pf.conf
/etc/dhcpd.conf

These are all pretty straightforward so I don't understand what the problem is. The existing SSL problem just came out of nowhere with no changes.

# cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255
up media autoselect mode 11g mediaopt hostap nwid KintaroAP chan 11 \
    wpa wpakey FallInLove2013 wpaprotos wpa2

# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev xl0 authproto pap \
    authname 'x...@eftel.net.au' authkey '' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

# cat /etc/hostname.xl0
up

# cat /var/named/etc/named.conf
// $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
//
// Example file for a simple named configuration, processing both
// recursive and authoritative queries using one cache.

// Update this list to include only the networks for which you want
// to execute recursive queries.  The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
acl clients {
        localnets;
        ::1;
};

options {
        version "";     // remove this to allow version queries

        listen-on    { 192.168.0.1; 192.168.1.1; 127.0.0.1; };
        listen-on-v6 { any; };

        forwarders { 8.8.8.8; 8.8.4.4; };

        empty-zones-enable yes;

        allow-recursion { clients; };
};

logging {
        category lame-servers { null; };
};

// Standard zones
//
#zone "." {
#       type hint;
#       file "db.cache";
#};

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "standard/loopback6.arpa";
        allow-transfer { localhost; };
};

#zone "kab.loc" {
#       type master;
#       file "master/kab.loc";
#};

#zone "0.168.192.in-addr.arpa" {
#       type master;
#       file "master/db.0.168.192";
#};

#zone "1.168.192.in-addr.arpa" {
#       type master;
#       file "master/db.1.168.192";
#};

// Master zones
//
//zone "myzone.net" {
//      type master;
//      file "master/myzone.net";
//};

// Slave zones
//
//zone "otherzone.net" {
//      type slave;
//      file "slave/otherzone.net";
//      masters { 192.0.2.1; [...;] };
//};

key "rndc-key" {
        algorithm hmac-md5;
        secret "XXX";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

# cat /etc/pf.conf
#Firewall ruleset for KintaroABODE router.

int_if=fxp0
wifi_if = athn0
tcp_services={ 22, 113 }
icmp_types=echoreq

fekete=192.168.0.3
fekete_tcp={ 17001, 8333 }
fekete_udp={ 8333 }
mises=192.168.0.4
mises_tcp={ 25565 }

#options
set block-policy drop
set loginterface egress
set skip on lo

anchor "ftp-proxy/*"
pass in on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

table <sshguard> persist

#match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)

#filter rules
block in log
pass out quick
antispoof quick for { lo $int_if $wifi_if }
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
block in quick on egress proto tcp from <sshguard> \
    to any port ssh label "ssh bruteforce"
pass in on egress inet proto tcp from any to (egress) port $fekete_tcp rdr-to $fekete
# proto udp for the UDP port list (the posted rule said tcp, which never matches 8333/udp)
pass in on egress inet proto udp from any to (egress) port $fekete_udp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $mises_tcp rdr-to $mises
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in on $wifi_if

There is nothing related in the messages or daemon log.

# cat /var/log/daemon
Sep 30 22:23:08 menger savecore: no core dump
Sep 30 22:24:12 menger dhclient[31387]: DHCPREQUEST on fxp0 to 255.255.255.255 port 67
Sep 30 22:24:19 menger last message repeated 3 times
Sep 30 22:24:26 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 1
Sep 30 22:24:27 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 2
Sep 30 22:24:29 menger
Re: OpenBSD not forwarding to specific sites
It would help if you told me how to do this...

# ifconfig pppoe max-mms 1400
ifconfig: max-mms: bad value
# ifconfig pppoe0 max-mms 1440
ifconfig: max-mms: bad value

On Mon, Sep 30, 2013 at 11:53 PM, James Shupe jsh...@hermetek.com wrote:
> On 2013-09-30 08:18, John Tate wrote:
> > I am having trouble with IP forwarding to specific sites on a very typical configuration. The router itself can access these sites but clients can not. I have looked in obvious places on the clients, but I cannot find a cause. I reinstalled OpenBSD on the router after getting SSL errors where SSL servers could not be reached from clients, and I bought a cheap Netgear router to use which works fine ruling out that my ISP is causing problems.
>
> Have you tried setting your max-mss to something like 1440 or 1400? Usually that's necessary with DSL... or else you end up with very selective browsing.
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Found it:

    While pppoe(8) has an internal option, ``mssfixup'', which is enabled by default and takes care of this, pppoe users have to rely on other methods. Using a packet filter, the maximum segment size (MSS) can be set (clamped) to the required value. The following rule in pf.conf(5) would set the MSS to 1440:

        match on pppoe0 scrub (max-mss 1440)

On Mon, Sep 30, 2013 at 11:53 PM, James Shupe jsh...@hermetek.com wrote:
> Have you tried setting your max-mss to something like 1440 or 1400? Usually that's necessary with DSL... or else you end up with very selective browsing.
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
This part of the manual is out of date and the syntax does not work with pf in OpenBSD 5.3:

    While pppoe(8) has an internal option, ``mssfixup'', which is enabled by default and takes care of this, pppoe users have to rely on other methods. Using a packet filter, the maximum segment size (MSS) can be set (clamped) to the required value. The following rule in pf.conf(5) would set the MSS to 1440:

        match on pppoe0 scrub (max-mss 1440)

The documentation on pf.conf suggests doing much the same in its example and it doesn't work.
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Well max-mss doesn't seem to help, I can still only access gmail and not google.com.au. Also it has become suddenly selective after months with no problem so I wonder if this is the default these days. Still problems.

On Tue, Oct 1, 2013 at 2:02 AM, James Shupe jsh...@hermetek.com wrote:
> On 2013-09-30 10:58, John Tate wrote:
> > It would help if you told me how to do this...
>
> match on $ext scrub (max-mss 1400)
>
> in /etc/pf.conf
>
> Also, don't top post.
>
> --
> James Shupe
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado lcoron...@ticoit.com wrote:
> set reassemble yes no-df
>
> I tried using match and scrub rules without luck, but the 'reassemble yes no-df' solved my problems with the GRE tunnels we use among networks. Just make sure you don't have set skip on pppoe0
>
> -luis

Just trying this, something got through for a second but once again queries to google and other sites don't work. It is still unreliable.
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Things are working fine from another one of my computers, it must be something to do with the computer I'm using. Sorry about that everyone.

On Tue, Oct 1, 2013 at 2:48 AM, John Tate j...@johntate.org wrote:
> Yeah I am using my lan not the wlan. I've not got to even seeing if the wlan even works yet, though it used to with that configuration. The worst thing is the hosts occasionally manage to work for a split second, and stop again. I'm certain there is nothing wrong with my ISP unless they have trouble with this particular setup. It worked for months with no problems, and then they started happening.
>
> On Tue, Oct 1, 2013 at 2:44 AM, Luis Coronado lcoron...@ticoit.com wrote:
> > I'm afraid I only read the last post of the email thread about match/scrub/mtu. That is why I suggested the set option in my previous email. The fact that your router can contact the destination hosts without issues but not the internal hosts forces me to believe that there isn't, at least at this stage, a mtu related problem.
> >
> > I see that you serve your LAN over athn0. You can find out if there are issues with your wireless setup by running ifconfig athn0 debug and watching /var/log/messages. athn0 power savings fix was submitted almost a year ago but who knows, you could be the happy owner of a particular card that doesn't work as expected. Have you tried running your lan from the ethernet card instead?
> >
> > -luis
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
It worked for a while but since rebooting my router now none of my computers work to access google.com, gmail.com works. Many other sites are not working, it is very frustrating. Clients on the wireless also don't work, it is the same problem. I can ping all the sites I can't access; the problem appears to be with HTTP.

Since starting the thread I have changed my pf.conf on advice of other users to have these lines...

set reassemble yes no-df
match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)

Any more ideas?
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
I've done this, now Google works, but Facebook is still not working and probably some other sites.

On Tue, Oct 1, 2013 at 3:34 AM, Luis Coronado lcoron...@ticoit.com wrote:
> if you keep
>
> set reassemble yes no-df
>
> you can (must?) remove the
>
> match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>
> -luis
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Looks like I just had to remove the match line and just use set reassemble yes no-df and restart my interfaces on clients. Everything appears to work now. Still amazes me this wasn't a problem for months.
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Alright at the moment things are mostly working but I've found I can't access Google Plus and Facebook never finishes loading, though at least now it loads a bit. Connections like ssh generally seem to be staying open. Is there something unusual about Facebook that anyone knows about? -- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Less worked last night using that than when using set reassemble yes no-df. Now it isn't working again and what you suggest doesn't seem to work either. Though gmail still works. There must be something else wrong.

On Tue, Oct 1, 2013 at 6:15 AM, James Shupe jsh...@hermetek.com wrote:
> Try just
>
> match on pppoe0 scrub (max-mss 1400 no-df)
>
> and remove the reassemble line.
>
> --
> James Shupe
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Actually match on pppoe0 scrub (max-mss 1400 no-df) seems to also work, I had 1440 entered in. Though Facebook doesn't finish loading still, and sometimes things don't work. So as I said, something else must be wrong.
-- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Did some reading, my ISP seems to require a specific, non-default MTU of 1454. Facebook actually finishes loading now, things might be okay.
-- www.johntate.org
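The thread ends on MSS clamping and an ISP MTU of 1454 without showing how the two numbers relate, and the earlier "not forwarding SSL" thread describes the same symptom (small packets such as ping get through, large responses never arrive). The script below is an added example, not code from the thread or from OpenBSD: it derives the MSS from the link MTU, prints the pf.conf(5) rule the thread settled on with that value filled in, and scans tcpdump(8) output for SYNs that still advertise a larger MSS, which is the check that tells you whether the clamp is actually applied on a path. The interface pppoe0 and the MTU 1454 come from the thread; the header sizes, the script name and the sample capture lines are mine (the capture is constructed, not real traffic).

```sh
#!/bin/sh
# Added example (not from the thread): MSS to clamp from the link MTU, the
# pf.conf rule for it, and a check of captured SYNs against it.
# Assumptions: IPv4 header 20 bytes, IPv6 header 40 bytes, TCP header 20 bytes
# (TCP options are negotiated within the MSS), PPPoE header 6 + PPP 2 bytes.

# Largest MSS that fits in one packet on a link with MTU $1 ("inet" or "inet6").
mss_for_mtu() {
    case "${2:-inet}" in
        inet)  echo $(( $1 - 20 - 20 )) ;;
        inet6) echo $(( $1 - 40 - 20 )) ;;
        *)     echo "unknown address family: $2" >&2; return 1 ;;
    esac
}

# MTU of a PPPoE session carried on an Ethernet link with MTU $1
# (1500 -> 1492, the usual value when the ISP does not say otherwise).
pppoe_mtu() {
    echo $(( $1 - 6 - 2 ))
}

# The pf.conf rule that rewrites the MSS option in SYNs crossing interface $1
# in both directions, so neither end tries to send a segment that would need
# fragmentation. With DF set and the ICMP "fragmentation needed" reply lost
# somewhere, that is the classic path-MTU black hole: pings work, large
# replies never arrive.
pf_mss_rule() {
    # $1 = interface, $2 = link MTU
    printf 'match on %s scrub (max-mss %d)\n' "$1" "$(mss_for_mtu "$2" inet)"
}

# Detection: read tcpdump text output from stdin, for example from
#   tcpdump -ni pppoe0 'tcp[tcpflags] & tcp-syn != 0'
# and print the MSS of every SYN that still advertises more than the link
# allows. Both OpenBSD "<mss 1460,...>" and Linux "options [mss 1460,...]"
# formats contain "mss NNNN".
oversized_syns() {
    # $1 = link MTU; stdin = tcpdump output
    awk -v limit="$(mss_for_mtu "$1" inet)" '
        match($0, /mss [0-9]+/) {
            mss = substr($0, RSTART + 4, RLENGTH - 4) + 0
            if (mss > limit) print mss
        }
    '
}

# Constructed tcpdump lines for a stand-alone run (not a real capture): two
# client SYNs and one SYN-ACK from the far side; only the 1414 one fits MTU 1454.
SAMPLE_CAPTURE='12:00:00.000001 IP 192.168.0.3.51234 > 203.0.113.5.443: Flags [S], seq 1, win 65535, options [mss 1460,nop,wscale 6], length 0
12:00:00.000002 IP 192.168.0.4.51235 > 203.0.113.6.80: Flags [S], seq 2, win 65535, options [mss 1414,nop,nop,sackOK], length 0
12:00:00.000003 IP 203.0.113.5.443 > 192.168.0.3.51234: Flags [S.], seq 9, ack 2, win 29200, options [mss 1452], length 0'

# Usage: sh mss_clamp.sh 1454 [tcpdump.txt]
# Prints the rule for pppoe0, then the oversized SYNs in the capture file
# (or in the constructed sample when no file is given).
if [ $# -ge 1 ]; then
    pf_mss_rule pppoe0 "$1"
    if [ $# -ge 2 ]; then
        oversized_syns "$1" < "$2"
    else
        printf '%s\n' "$SAMPLE_CAPTURE" | oversized_syns "$1"
    fi
fi
```

Two things the thread touched on are worth keeping in mind with this rule. The clamp only works on interfaces pf actually filters, so a "set skip on pppoe0" line defeats it silently (Luis's point). And clamping the MSS is a workaround for a link whose MTU is smaller than the path expects; if the ISP really wants 1454, setting the interface MTU to match (an "mtu 1454" line in /etc/hostname.pppoe0, which hostname.if(5) hands to ifconfig) addresses the cause, and the rule then just makes sure TCP peers never try anything larger.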
OpenBSD not forwarding SSL, strange.
I am having trouble accessing anything which uses SSL behind my NAT, though I can access the same services from the firewall itself. There is nothing unusual in /var/log/messages, dmesg, etc. I don't know why this is happening. The system has been running fine for months, and nothing I am aware of has changed.

# cat /etc/pf.conf
#Firewall ruleset for KintaroABODE router.

int_if=fxp0
wifi_if = athn0
tcp_services={ 22, 113 }
icmp_types=echoreq

fekete=192.168.0.3
fekete_tcp={ 17001, 8333 }
fekete_udp={ 8333 }
mises=192.168.0.4
mises_tcp={ 25565 }

#options
set block-policy drop
set loginterface egress
set skip on lo

anchor "ftp-proxy/*"
pass in on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

table <sshguard> persist

#match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)

#filter rules
block in log
pass out quick
antispoof quick for { lo $int_if $wifi_if }
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
block in quick on egress proto tcp from <sshguard> \
    to any port ssh label "ssh bruteforce"
pass in on egress inet proto tcp from any to (egress) port $fekete_tcp rdr-to $fekete
# proto udp for the UDP port list (the posted rule said tcp, which never matches 8333/udp)
pass in on egress inet proto udp from any to (egress) port $fekete_udp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $mises_tcp rdr-to $mises
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in on $wifi_if

If anyone could help and tell me where to start looking that would be good. Some SSL services appear to work fine, such as gmail which I'm using to send this.
-- www.johntate.org
Re: OpenBSD not forwarding SSL, strange.
mounted instance
vfs.ffs.doclusterread=1
vfs.ffs.doclusterwrite=1
vfs.ffs.doreallocblks=1
vfs.ffs.doasyncfree=1
vfs.ffs.max_softdeps=23704
vfs.ffs.sd_tickdelay=2
vfs.ffs.sd_worklist_push=0
vfs.ffs.sd_blk_limit_push=0
vfs.ffs.sd_ino_limit_push=0
vfs.ffs.sd_blk_limit_hit=0
vfs.ffs.sd_ino_limit_hit=0
vfs.ffs.sd_sync_limit_hit=0
vfs.ffs.sd_indir_blk_ptrs=0
vfs.ffs.sd_inode_bitmap=0
vfs.ffs.sd_direct_blk_ptrs=0
vfs.ffs.sd_dir_entry=0
vfs.ffs.dirhash_dirsize=2560
vfs.ffs.dirhash_maxmem=2097152
vfs.ffs.dirhash_mem=27522
vfs.nfs.iothreads=-1

On Tue, Sep 17, 2013 at 11:32 PM, Jiri B ji...@devio.us wrote:
On Tue, Sep 17, 2013 at 10:42:55PM +1000, John Tate wrote:
I am having trouble accessing anything which uses SSL behind my NAT, though I can access the same services from the firewall itself. There is nothing unusual in /var/log/messages, dmesg, etc. I don't know why this is happening. The system has been running fine for months, and nothing I am aware of has changed.

# cat /etc/pf.conf
#Firewall ruleset for KintaroABODE router.
int_if=fxp0
wifi_if = athn0
tcp_services={ 22, 113 }
icmp_types=echoreq
fekete=192.168.0.3
fekete_tcp={ 17001, 8333 }
fekete_udp={ 8333 }
mises=192.168.0.4
mises_tcp={ 25565 }

#options
set block-policy drop
set loginterface egress
set skip on lo

anchor ftp-proxy/*
pass in on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

table <sshguard> persist

#match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)

#filter rules
block in log
pass out quick
antispoof quick for { lo $int_if $wifi_if }
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
block in quick on egress proto tcp from <sshguard> \
    to any port ssh label ssh bruteforce
pass in on egress inet proto tcp from any to (egress) port $fekete_tcp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $fekete_udp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $mises_tcp rdr-to $mises
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in on $wifi_if

If anyone could help and tell me where to start looking that would be good. Some SSL services appear to work fine, such as gmail which I'm using to send this.

sysctl -a ?

j.

-- www.johntate.org
802.11n support
I have an Atheros AR9227, there is at the moment no support for 802.11n in the patch branch. Is there support in current or some unofficial patch I can apply to the source code? Support for this would be good. -- www.johntate.org
dhcp devices getting the wrong default route on one subnet
I am trying to serve addresses to two subnets, for two ethernet devices for my wired and wireless lan. Devices on the wireless lan are getting the default route 192.168.0.1 instead of 192.168.1.1 so wireless devices at the moment cannot access the Internet unless I manually configure them.

Interface configurations...

# cat /etc/hostname.fxp0
inet 192.168.0.1 255.255.255.0 192.168.0.255 up

# cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255 up media autoselect mode 11g mediaopt hostap nwid KintaroABODE chan 11 wpa wpakey wpaprotos wpa2

I have the following dhcpd.conf...

shared-network kab {
    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.65 192.168.0.254;
        option routers 192.168.0.1;
        option domain-name kab.loc;
        option static-routes 192.168.1.0 192.168.0.1;
        option domain-name-servers 192.168.0.1;
    }
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.65 192.168.1.254;
        option routers 192.168.1.1;
        option domain-name wifi.kab.loc;
        option static-routes 192.168.0.0 192.168.1.1;
        option domain-name-servers 192.168.1.1;
    }
}

There are a bunch of hosts but nothing before the subnets, and no special options for hosts just static addresses. Here is a host in dhcpd.conf receiving the wrong default route...

host weiner.wifi.kab.loc {
    hardware ethernet ac:81:12:98:de:f3;
    fixed-address 192.168.1.2;
}

Devices are getting the right IP, domain name, and static routes, just not the default route.

-- www.johntate.org
Re: dhcp devices getting the wrong default route on one subnet
It doesn't complain about it but I've never done much with routing before. If I wanted to do it on the machine I'd do

    # route add -net 192.168.0.0/24 192.168.1.1

I can't seem to find how to do this in dhcp-options(5). Named won't even start with this...

    option static-routes 192.168.1/24 192.168.0.1;

Or this...

    option static-routes 192.168.1.0/24 192.168.0.1;

So I'm kind of lost with the static routes, but why should this affect the default route?

On Fri, Jun 14, 2013 at 5:16 PM, Михаил Швецов mishve...@rambler.ru wrote:
may be

    option static-routes 192.168.0.0 192.168.1.1;

192.168.0.0 - wrong?

Михаил Швецов.

On 14.6.2013 10:10:30 user John Tate (j...@johntate.org) wrote:
I am trying to serve addresses to two subnets, for two ethernet devices for my wired and wireless lan. Devices on the wireless lan are getting the default route 192.168.0.1 instead of 192.168.1.1 so wireless devices at the moment cannot access the Internet unless I manually configure them.

Interface configurations...

# cat /etc/hostname.fxp0
inet 192.168.0.1 255.255.255.0 192.168.0.255 up

# cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255 up media autoselect mode 11g mediaopt hostap nwid KintaroABODE chan 11 wpa wpakey wpaprotos wpa2

I have the following dhcpd.conf...

shared-network kab {
    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.65 192.168.0.254;
        option routers 192.168.0.1;
        option domain-name kab.loc;
        option static-routes 192.168.1.0 192.168.0.1;
        option domain-name-servers 192.168.0.1;
    }
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.65 192.168.1.254;
        option routers 192.168.1.1;
        option domain-name wifi.kab.loc;
        option static-routes 192.168.0.0 192.168.1.1;
        option domain-name-servers 192.168.1.1;
    }
}

There are a bunch of hosts but nothing before the subnets, and no special options for hosts just static addresses. Here is a host in dhcpd.conf receiving the wrong default route...

host weiner.wifi.kab.loc {
    hardware ethernet ac:81:12:98:de:f3;
    fixed-address 192.168.1.2;
}

Devices are getting the right IP, domain name, and static routes, just not the default route.

-- www.johntate.org
Re: dhcp devices getting the wrong default route on one subnet
It has a routers option and a static-routes option.

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.65 192.168.1.254;
    option routers 192.168.1.1;
    option domain-name wifi.kab.loc;
    option static-routes 192.168.0.0 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}

On Fri, Jun 14, 2013 at 7:36 PM, James Griffin j...@kontrol.kode5.net wrote:
Fri 14.Jun'13 at 17:22:44 +1000, John Tate
It doesn't complain about it but I've never done much with routing before. If I wanted to do it on the machine I'd do

    # route add -net 192.168.0.0/24 192.168.1.1

I can't seem to find how to do this in dhcp-options(5). Named won't even start with this...

    option static-routes 192.168.1/24 192.168.0.1;

Or this...

    option static-routes 192.168.1.0/24 192.168.0.1;

So I'm kind of lost with the static routes, but why should this affect the default route?

In man dhcp-options(5) under options static-routes, in the last sentence it states to use the routers option for the default route. Have you checked/tried this?

-- James Griffin: jmz at kontrol.kode5.net
A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38

-- www.johntate.org
Re: dhcp devices getting the wrong default route on one subnet
On Fri, Jun 14, 2013 at 9:16 PM, Stuart Henderson s...@spacehopper.org wrote:
On 2013-06-14, John Tate j...@johntate.org wrote:
It doesn't complain about it but I've never done much with routing before. If I wanted to do it on the machine I'd do

    # route add -net 192.168.0.0/24 192.168.1.1

Why would you need to do this at all, it seems you are already using 192.168.1.1 as your default route?

I thought I needed it so 192.168.0/24 can access 192.168.1/24

I can't seem to find how to do this in dhcp-options(5). Named won't even start with this...

    option static-routes 192.168.1/24 192.168.0.1;

Or this...

    option static-routes 192.168.1.0/24 192.168.0.1;

option static-routes is for classful (class A/B/C) addresses, you may not specify a subnet mask there.

I have the following dhcpd.conf...

    shared-network kab {

Why do you have shared-network?

Can't remember why I did that so I just got rid of it. I added

    option routers 192.168.0.1, 192.168.1.1;

before the subnets at the top of the file and now I am getting the right default gateway. I got rid of the static routes, they were not working anyway. I must need to add something to pf to route between subnets 192.168.0/24 and 192.168.1.1/24 and vice versa.

-- www.johntate.org
Re: dhcp devices getting the wrong default route on one subnet
On Sat, Jun 15, 2013 at 12:23 AM, Kenneth R Westerback kwesterb...@rogers.com wrote:
On Fri, Jun 14, 2013 at 02:38:48PM +0100, Stuart Henderson wrote:
On 2013/06/14 21:49, John Tate wrote:
On Fri, Jun 14, 2013 at 9:16 PM, Stuart Henderson s...@spacehopper.org wrote:
On 2013-06-14, John Tate j...@johntate.org wrote:
It doesn't complain about it but I've never done much with routing before. If I wanted to do it on the machine I'd do

    # route add -net 192.168.0.0/24 192.168.1.1

Why would you need to do this at all, it seems you are already using 192.168.1.1 as your default route?

I thought I needed it so 192.168.0/24 can access 192.168.1/24

Try e.g. route -n get 192.168.1.5 with and without a route to the subnet. In one case there will be a default route pointing at 192.168.0.1 and in the other case there will be a 192.168.1.0/24 route pointing at 192.168.0.1.

It seems you are right about this, it seems to be working in one direction already, I noticed working on your advice below that packets are going from 192.168.1.0/24 to 192.168.0.0/24 but not the other way, so all that is left to work on is pf.

I can't seem to find how to do this in dhcp-options(5). Named won't even start with this...

    option static-routes 192.168.1/24 192.168.0.1;

Or this...

    option static-routes 192.168.1.0/24 192.168.0.1;

option static-routes is for classful (class A/B/C) addresses, you may not specify a subnet mask there.

I have the following dhcpd.conf...

    shared-network kab {

Why do you have shared-network?

Can't remember why I did that so I just got rid of it. I added

    option routers 192.168.0.1, 192.168.1.1;

before the subnets at the top of the file and now I am getting the right default gateway.

Routers should be set in the subnet block, you shouldn't hand 192.168.1.1 as a possible router to hosts which are in 192.168.0.x.

The subnet blocks each have the appropriate routers, before I was putting them both before and outside the subnet block systems were getting the router from the other subnet. The default route is working on both systems, without it the subnet 192.168.1.1/24 was getting the default route 192.168.0.1 which didn't work.

I got rid of the static routes, they were not working anyway. I must need to add something to pf to route between subnets 192.168.0/24 and 192.168.1.1/24 and vice versa.

This is usually easy enough to work out. Add 'log' in relevant places in pf.conf and watch tcpdump -neipflog0

It seems it was working in the first place just I was pinging a Windoze 8 machine that is blocking icmp packets. I then pinged my phone which is on the wifi subnet as well and worked out it was working both ways. Thanks again Microsoft. Windows ate my time.

Also, support for static-routes was just added in the last week or so and you've not mentioned what versions of OpenBSD/dhcpd/dhclient you are running.

It looks like I don't even need it. I just assumed it would.

Ken

-- www.johntate.org
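Two points from this thread are worth checking mechanically before dhcpd loads a file: `option routers` belongs inside each subnet block (a global routers list hands every client every gateway), and `option static-routes` takes only classful destinations, with no mask. The checker below is an added example, not part of anyone's post and not dhcpd's own code. It parses subnet blocks with a small brace-aware scanner, resolves which `option routers` a subnet actually inherits, and reports routers outside the subnet and static-routes destinations that are not classful network addresses. BAD_CONF and GOOD_CONF are constructed from the configurations quoted above; the 192.168.x.x addresses and the `/24` destination that dhcpd refused are the thread's own values.

```python
"""dhcpd.conf scope checker (added example; not OpenBSD's dhcpd)."""
import ipaddress
import re

# Constructed: the global routers list plus the rejected masked static route.
BAD_CONF = """\
option routers 192.168.0.1, 192.168.1.1;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.65 192.168.0.254;
    option domain-name-servers 192.168.0.1;
    option static-routes 192.168.1.0/24 192.168.0.1;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.65 192.168.1.254;
    option domain-name-servers 192.168.1.1;
}
"""

# Constructed: routers per subnet, classful static-routes destinations.
GOOD_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.65 192.168.0.254;
    option routers 192.168.0.1;
    option static-routes 192.168.1.0 192.168.0.1;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.65 192.168.1.254;
    option routers 192.168.1.1;
    option static-routes 192.168.0.0 192.168.1.1;
}
"""


def _tokenize(text):
    """One structural token per line: 'header {', '}', or 'statement;'."""
    text = re.sub(r'#.*', '', text)
    text = text.replace('{', ' {\n').replace('}', ' }\n').replace(';', ';\n')
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse(text):
    """Build a scope tree; each scope keeps its own 'option' statements."""
    root = {'header': 'global', 'options': {}, 'children': [], 'parent': None}
    cur = root
    for tok in _tokenize(text):
        if tok.endswith('{'):
            scope = {'header': tok[:-1].strip(), 'options': {},
                     'children': [], 'parent': cur}
            cur['children'].append(scope)
            cur = scope
        elif tok == '}':
            cur = cur['parent']
        elif tok.endswith(';'):
            m = re.match(r'option\s+(\S+)\s+(.*);$', tok)
            if m:
                cur['options'][m.group(1)] = [v.strip() for v in m.group(2).split(',')]
    return root


def effective(scope, name):
    """Resolve an option the way dhcpd does: innermost scope wins."""
    while scope is not None:
        if name in scope['options']:
            return scope['options'][name], scope['header']
        scope = scope['parent']
    return None, None


def subnets(scope):
    """Collect (network, scope) for every subnet block in the tree."""
    out = []
    m = re.match(r'subnet\s+(\S+)\s+netmask\s+(\S+)', scope['header'])
    if m:
        out.append((ipaddress.ip_network(f'{m.group(1)}/{m.group(2)}'), scope))
    for child in scope['children']:
        out.extend(subnets(child))
    return out


def classful(dest):
    """True when dest is the network address of its class A/B/C block."""
    first = int(dest.split('.')[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    net = ipaddress.ip_network(f'{dest}/{plen}', strict=False)
    return str(net.network_address) == dest


def check(text):
    """Return (subnet, message) findings for the whole file."""
    findings = []
    for net, scope in subnets(parse(text)):
        routers, where = effective(scope, 'routers')
        if routers is None:
            findings.append((str(net), 'no routers option in scope'))
            continue
        for r in routers:
            if ipaddress.ip_address(r) not in net:
                findings.append((str(net), f'router {r} (from {where}) is outside the subnet'))
        sroutes, _ = effective(scope, 'static-routes')
        for pair in sroutes or []:
            dest = pair.split()[0]
            if '/' in dest or not classful(dest):
                findings.append((str(net), f'static-routes destination {dest} is not a classful network'))
    return findings


if __name__ == '__main__':
    for conf in (BAD_CONF, GOOD_CONF):
        print(check(conf) or 'no findings')
```

Running it reports three findings for BAD_CONF (each subnet inherits the other subnet's gateway from the global scope, and the `/24` destination is rejected) and none for GOOD_CONF, which matches the outcome Stuart and Ken describe above.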
Re: Wireless access point not appearing to clients.
So I've got a supported Atheros card, I think something is wrong with my config for the adapter because it's still not showing up in scans on my Samsung Galaxy Ace. There are a lot of media options, I'm using the defaults which I assumed would be right but could be wrong. I might have to do a lot of research into the various media options but a quick answer would be nice.

# cat /etc/hostname.fxp0
up

# cat /etc/hostname.athn0
up media autoselect mode 11g mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey wpaprotos wpa2

# cat /etc/hostname.vether0
inet 10.0.0.1 255.0.0.0 10.0.0.255 up

# cat /etc/hostname.bridge0
add vether0 add fxp0 add athn0 up

# ifconfig athn0
athn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr f8:1a:67:d6:28:40
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::fa1a:67ff:fed6:2840%athn0 prefixlen 64 scopeid 0x1

# ifconfig athn0 scan
athn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr f8:1a:67:d6:28:40
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
                nwid lvfs chan 6 bssid 00:1d:b3:4c:61:d5 18dB 54M privacy,spectrum_mgmt,short_slottime
                nwid N 2.4 GHz chan 2 bssid 00:22:3f:5a:8b:4a 32dB 54M privacy,short_slottime
                nwid NETGEAR chan 6 bssid 00:24:b2:fa:64:da 45dB 54M short_preamble,short_slottime
                nwid Allan-PC chan 7 bssid 00:25:9c:6e:94:fa 16dB 54M privacy,short_preamble,short_slottime
                nwid BigPond655C85 chan 1 bssid 58:98:35:65:5c:85 17dB 54M privacy,short_slottime

I really want to get this running.

John.

On Fri, Jun 7, 2013 at 4:41 PM, John Tate j...@johntate.org wrote:
I just configured a wireless device for hostap and put it on a bridge with my wired network and a virtual ethernet device to give it an address. The wired network is working fine, so if I solve this problem the wireless should work fine, but the access point is not appearing in scans. I might have missed an option for it to do this.

menger:root # cat /etc/hostname.run0
up media autoselect mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey XXX wpaprotos wpa2

menger:root # cat /etc/hostname.fxp0
up

menger:root # cat /etc/hostname.vether0
inet 10.0.0.1 255.0.0.0 10.0.0.255 up

menger:root # cat /etc/hostname.bridge0
add vether0 add fxp0 add run0 up

menger:root # ifconfig run0
run0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:22:75:8e:f2:f8
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1 mode 11g)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpakey wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::222:75ff:fe8e:f2f8%run0 prefixlen 64 tentative scopeid 0x5

What have I missed?

-- www.johntate.org
Re: Wireless access point not appearing to clients.
Someone has helped me resolve this, the hacked MIUI v4 firmware I'm using does not support channel 12. All help has been greatly appreciated.

On Thu, Jun 13, 2013 at 8:00 PM, John Tate j...@johntate.org wrote:
So I've got a supported Atheros card, I think something is wrong with my config for the adapter because it's still not showing up in scans on my Samsung Galaxy Ace. There are a lot of media options, I'm using the defaults which I assumed would be right but could be wrong. I might have to do a lot of research into the various media options but a quick answer would be nice.

# cat /etc/hostname.fxp0
up

# cat /etc/hostname.athn0
up media autoselect mode 11g mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey wpaprotos wpa2

# cat /etc/hostname.vether0
inet 10.0.0.1 255.0.0.0 10.0.0.255 up

# cat /etc/hostname.bridge0
add vether0 add fxp0 add athn0 up

# ifconfig athn0
athn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr f8:1a:67:d6:28:40
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::fa1a:67ff:fed6:2840%athn0 prefixlen 64 scopeid 0x1

# ifconfig athn0 scan
athn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr f8:1a:67:d6:28:40
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
                nwid lvfs chan 6 bssid 00:1d:b3:4c:61:d5 18dB 54M privacy,spectrum_mgmt,short_slottime
                nwid N 2.4 GHz chan 2 bssid 00:22:3f:5a:8b:4a 32dB 54M privacy,short_slottime
                nwid NETGEAR chan 6 bssid 00:24:b2:fa:64:da 45dB 54M short_preamble,short_slottime
                nwid Allan-PC chan 7 bssid 00:25:9c:6e:94:fa 16dB 54M privacy,short_preamble,short_slottime
                nwid BigPond655C85 chan 1 bssid 58:98:35:65:5c:85 17dB 54M privacy,short_slottime

I really want to get this running.

John.

On Fri, Jun 7, 2013 at 4:41 PM, John Tate j...@johntate.org wrote:
I just configured a wireless device for hostap and put it on a bridge with my wired network and a virtual ethernet device to give it an address. The wired network is working fine, so if I solve this problem the wireless should work fine, but the access point is not appearing in scans. I might have missed an option for it to do this.

menger:root # cat /etc/hostname.run0
up media autoselect mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey XXX wpaprotos wpa2

menger:root # cat /etc/hostname.fxp0
up

menger:root # cat /etc/hostname.vether0
inet 10.0.0.1 255.0.0.0 10.0.0.255 up

menger:root # cat /etc/hostname.bridge0
add vether0 add fxp0 add run0 up

menger:root # ifconfig run0
run0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:22:75:8e:f2:f8
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1 mode 11g)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpakey wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::222:75ff:fe8e:f2f8%run0 prefixlen 64 tentative scopeid 0x5

What have I missed?

-- www.johntate.org
Wireless access point not appearing to clients.
I just configured a wireless device for hostap and put it on a bridge with my wired network and a virtual ethernet device to give it an address. The wired network is working fine, so if I solve this problem the wireless should work fine, but the access point is not appearing in scans. I might have missed an option for it to do this.

menger:root # cat /etc/hostname.run0
up media autoselect mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey XXX wpaprotos wpa2

menger:root # cat /etc/hostname.fxp0
up

menger:root # cat /etc/hostname.vether0
inet 10.0.0.1 255.0.0.0 10.0.0.255 up

menger:root # cat /etc/hostname.bridge0
add vether0 add fxp0 add run0 up

menger:root # ifconfig run0
run0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:22:75:8e:f2:f8
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1 mode 11g)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpakey wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::222:75ff:fe8e:f2f8%run0 prefixlen 64 tentative scopeid 0x5

What have I missed?

-- www.johntate.org
Re: Compiler error building 5.3
I didn't think I had to, 5.3 is stable not current or am I wrong about that? Confusing. I ended up just upgrading using the sets and everything is fine now.

On Wed, Jun 5, 2013 at 11:03 PM, Marc Espie es...@nerim.net wrote:
On Wed, Jun 05, 2013 at 07:01:27PM +1000, John Tate wrote:
I am having trouble building 5.3, I ran cvs a second time just to be sure everything was right.

    ../../../../arch/i386/i386/locore.s
    ../../../../arch/i386/i386/locore.s: Assembler messages:
    ../../../../arch/i386/i386/locore.s:1755: Error: no such instruction: `stac'
    ../../../../arch/i386/i386/locore.s:1759: Error: no such instruction: `clac'
    *** Error code 1

You didn't read the FAQ, did you ? especially the part about following current...

-- www.johntate.org
Re: Wireless access point not appearing to clients.
Is there a card commonly on the market today that this list would recommend that supports hostap for under $100?

On Fri, Jun 7, 2013 at 5:11 PM, David Coppa dco...@gmail.com wrote:
On Fri, Jun 7, 2013 at 9:06 AM, Otto Moerbeek o...@drijf.net wrote:
What have I missed?

Reading the man page rum(4) it doesn't say it supports hostap mode.

s/rum/run/

Indeed, run(4) does not support hostap mode.

cheers,
David

-- www.johntate.org
Re: Compiler error building 5.3
Just curious, would going into /usr/src/gnu/usr.bin/binutils and doing make and make install have made it possible to build 5.3 on 5.2?

On Fri, Jun 7, 2013 at 4:47 PM, Marc Espie es...@nerim.net wrote:
On Fri, Jun 07, 2013 at 04:43:24PM +1000, John Tate wrote:
I didn't think I had to, 5.3 is stable not current or am I wrong about that? Confusing. I ended up just upgrading using the sets and everything is fine now.

Lol, but you were trying to build from src, without having done any normal binary update first.

-- www.johntate.org
Compiler error building 5.3
I am having trouble building 5.3, I ran cvs a second time just to be sure everything was right.

# make clean make
rm -f eddep *bsd *bsd.gdb tags *.[dio] [a-z]*.s [Ee]rrs linterrs assym.h
cat ../../../../arch/i386/i386/genassym.cf ../../../../arch/i386/i386/genassym.cf | sh ../../../../kern/genassym.sh cc -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-main -Wno-uninitialized -Wno-format -Wstack-larger-than-2047 -fno-builtin-printf -fno-builtin-snprintf -fno-builtin-vsnprintf -fno-builtin-log -fno-builtin-log2 -fno-builtin-malloc -O2 -pipe -nostdinc -I. -I../../../.. -I../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_43 -DCOMPAT_O51 -DLKM -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DSOCKET_SPLICE -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DPIPEX -DMROUTING -DMPLS -DBOOT_CONFIG -DUSER_PCICONF -DKVM86 -DUSER_LDT -DAPERTURE -DCOMPAT_LINUX -DPROCFS -DNTFS -DHIBERNATE -DPCIVERBOSE -DEISAVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS=6 -DWSDISPLAY_COMPAT_PCVT -DX86EMU -DONEWIREVERBOSE -DMAXUSERS=80 -D_KERNEL -MD -MP -MF assym.P > assym.h.tmp
sed '1s/.*/assym.h: \\/' assym.P > assym.d
sort -u assym.h.tmp > assym.h
cc -D_LOCORE -x assembler-with-cpp -fno-builtin-printf -fno-builtin-snprintf -fno-builtin-vsnprintf -fno-builtin-log -fno-builtin-log2 -fno-builtin-malloc -nostdinc -I. -I../../../.. -I../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_43 -DCOMPAT_O51 -DLKM -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DSOCKET_SPLICE -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DPIPEX -DMROUTING -DMPLS -DBOOT_CONFIG -DUSER_PCICONF -DKVM86 -DUSER_LDT -DAPERTURE -DCOMPAT_LINUX -DPROCFS -DNTFS -DHIBERNATE -DPCIVERBOSE -DEISAVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS=6 -DWSDISPLAY_COMPAT_PCVT -DX86EMU -DONEWIREVERBOSE -DMAXUSERS=80 -D_KERNEL -MD -MP -c ../../../../arch/i386/i386/locore.s
../../../../arch/i386/i386/locore.s: Assembler messages:
../../../../arch/i386/i386/locore.s:1755: Error: no such instruction: `stac'
../../../../arch/i386/i386/locore.s:1759: Error: no such instruction: `clac'
*** Error code 1

Stop in /usr/src/sys/arch/i386/compile/KINTARO (line 165 of /usr/share/mk/sys.mk).

KINTARO is just GENERIC with a pretty name.

-- www.johntate.org
I can't find what is wrong with these PF rules
I am trying to set up a simple nat on OpenBSD 5.3, I copied from another config that is working.

ext_if=em0
int_if=em1
ipv6=2607:f2f8:aa18::2
ipv4=208.79.92.130
local_net=192.168.1.0/24
cyrus=192.168.1.2
cyrus_ports = { 2022 }
tcp_serv = { ftp, ssh, http, https, 1, , 8080, 8022, 49151 }
icmp_types=echoreq

set skip on lo0

#ftp proxy
anchor ftp-proxy/*
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass
block in on ! lo0 proto tcp to port 6000:6010
#block in quick from urpf-failed
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) port $tcp_serv

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

pass in on egress inet proto { tcp udp } to (egress) port $cyrus_ports rdr-to $cyrus
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- www.johntate.org
Re: I can't find what is wrong with these PF rules
I forgot to sysctl net.inet.ip.forwarding=1 lol.

On Sun, Jun 2, 2013 at 8:36 AM, John Tate j...@johntate.org wrote:
I am trying to set up a simple nat on OpenBSD 5.3, I copied from another config that is working.

ext_if=em0
int_if=em1
ipv6=2607:f2f8:aa18::2
ipv4=208.79.92.130
local_net=192.168.1.0/24
cyrus=192.168.1.2
cyrus_ports = { 2022 }
tcp_serv = { ftp, ssh, http, https, 1, , 8080, 8022, 49151 }
icmp_types=echoreq

set skip on lo0

#ftp proxy
anchor ftp-proxy/*
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass
block in on ! lo0 proto tcp to port 6000:6010
#block in quick from urpf-failed
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) port $tcp_serv

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

pass in on egress inet proto { tcp udp } to (egress) port $cyrus_ports rdr-to $cyrus
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- www.johntate.org
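Both pf rulesets posted in these threads (the "OpenBSD not forwarding SSL" one and the 5.3 NAT one above) lean on macros, and the only way to see what a `rdr-to` rule really exposes is to expand them. The script below is an added example, not part of any post and not OpenBSD's pfctl: it parses the `name=value` and `name={ a, b }` macro forms used in those rulesets, expands `$name` references, lists every rdr-to rule with its expanded ports and target for review, and flags a rule whose port list comes from a `*_udp` macro while the rule says `proto tcp`. The SSL-thread ruleset contains exactly that rule (`proto tcp ... port $fekete_udp rdr-to $fekete`), which can never match the UDP traffic the macro name promises. SAMPLE_PF_CONF is a constructed, condensed copy of that ruleset; `pfctl -nf` remains the authoritative syntax check.

```python
"""pf.conf macro expander and rdr-to audit (added example; not pfctl)."""
import re

# Constructed sample, condensed from the ruleset quoted in the SSL thread.
SAMPLE_PF_CONF = """\
int_if=fxp0
wifi_if = athn0
tcp_services={ 22, 113 }
fekete=192.168.0.3
fekete_tcp={ 17001, 8333 }
fekete_udp={ 8333 }
mises=192.168.0.4
mises_tcp={ 25565 }
set block-policy drop
block in log
pass out quick
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in on egress inet proto tcp from any to (egress) port $fekete_tcp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $fekete_udp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $mises_tcp rdr-to $mises
pass in on $int_if
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
REF_RE = re.compile(r'\$([A-Za-z_]\w*)')


def parse_macros(text):
    """Collect name=value macro definitions, ignoring comments."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line.split('#', 1)[0])
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros, depth=8):
    """Substitute $name with its value. Macros may reference other macros,
    so repeat a bounded number of times; unknown names are left as-is."""
    for _ in range(depth):
        new = REF_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), line)
        if new == line:
            break
        line = new
    return line


def port_list(value):
    """'{ 22, 113 }' -> ['22', '113']; '22' -> ['22']."""
    return [p.strip() for p in value.strip().strip('{}').split(',') if p.strip()]


def audit(text):
    """Return the rdr-to rules (line, proto, ports, target) and any
    proto/macro mismatches (line, macro, message)."""
    macros = parse_macros(text)
    redirects, mismatches = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        rule = raw.split('#', 1)[0].strip()
        if not rule.startswith('pass') or 'rdr-to' not in rule:
            continue
        # Crude: 'proto { tcp udp }' yields '{' here, which is never 'tcp',
        # so list-form protocols are simply not checked for mismatch.
        proto = re.search(r'\bproto\s+(\S+)', rule)
        proto_s = proto.group(1) if proto else 'any'
        # The mismatch check looks at the unexpanded rule so the macro name is visible.
        ref = re.search(r'\bport\s+\$(\w+)', rule)
        if ref and ref.group(1).endswith('_udp') and proto_s == 'tcp':
            mismatches.append((n, ref.group(1),
                               'port macro is *_udp but rule says proto tcp; use proto udp or { tcp udp }'))
        exp = expand(rule, macros)
        ports = re.search(r'\bport\s+(\{[^}]*\}|\S+)', exp)
        target = re.search(r'\brdr-to\s+(\S+)', exp)
        redirects.append((n, proto_s, port_list(ports.group(1)) if ports else [],
                          target.group(1)))
    return {'redirects': redirects, 'mismatches': mismatches}


if __name__ == '__main__':
    result = audit(SAMPLE_PF_CONF)
    for n, proto, ports, target in result['redirects']:
        print(f'line {n}: {proto} ports {ports} -> {target}')
    for n, name, msg in result['mismatches']:
        print(f'line {n}: ${name}: {msg}')
```

On the sample it lists three forwarded services (two to 192.168.0.3, one to 192.168.0.4) and flags line 14, the `$fekete_udp` rule carrying `proto tcp`. Note that the NAT problem in this particular thread was not in the rules at all but in `net.inet.ip.forwarding`, so a rule audit complements rather than replaces checking the sysctl.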
Sendmail not working on 5.3
I upgraded to OpenBSD 5.3 on the release day, I've since updated to the latest patch branch (not that there is any related errata to this question). I can't seem to send mail out with a server, it is not my pf rules. It was indicated by phpmailer not working. I can't find my sendmail logs. John -- www.johntate.org
Re: Sendmail not working on 5.3
Ignore this, I made a silly mistake. On Wed, May 29, 2013 at 6:07 AM, John Tate j...@johntate.org wrote: I upgraded to OpenBSD 5.3 on the release day, I've since updated to the latest patch branch (not that there is any related errata to this question). I can't seem to send mail out with a server, it is not my pf rules. It was indicated by phpmailer not working. I can't find my sendmail logs. John -- www.johntate.org -- www.johntate.org
init disappeared on my OpenBSD VPS
I have an OpenBSD VPS, I just built the latest kernel from the 5.3 patch branch, and the new kernel can't find init, but neither can the old kernel, they both make this output: OpenBSD/amd64 BOOT 3.01 boot obsd booting hd0a:obsd: 8404228+1102404 [52+381152+367486]=0x9c7d50 entry point at 0x200120 [7205c766, 3404, 24448b12, 2494a304] [ using 749064 bytes of bsd ELF symbol table ] Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved. Copyright (c) 1995-2013 OpenBSD. All rights reserved. http://www.OpenBSD.org OpenBSD 5.3-stable (SECUSRVR) #0: Wed May 22 10:07:51 PDT 2013 r...@elijah.secusrvr.com:/usr/src/sys/arch/i386/compile/SECUSRVR cpu0: QEMU Virtual CPU version 0.9.1 (GenuineIntel 686-class) 2.65 GHz cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,LONG,SSE3,PERF real mem = 804777984 (767MB) avail mem = 780640256 (744MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 02/13/10, BIOS32 rev. 0 @ 0xfb4d0, SMBIOS rev. 2.4 @ 0xfbd3f (10 entries) bios0: vendor QEMU version QEMU date 01/01/2007 acpi0 at bios0: rev 0 acpi0: sleep states S3 S4 S5 acpi0: tables DSDT FACP APIC acpi0: wakeup devices acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat acpiprt0 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0 mpbios0 at bios0: Intel MP Specification 1.4 cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 999MHz mpbios0: bus 0 is type ISA ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 1 bios0: ROM list: 0xc/0x8c00 0xd/0x600! 
pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82441FX rev 0x02 pcib0 at pci0 dev 1 function 0 Intel 82371SB ISA rev 0x00 pciide0 at pci0 dev 1 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: QEMU HARDDISK wd0: 16-sector PIO, LBA48, 20480MB, 41943040 sectors atapiscsi0 at pciide0 channel 0 drive 1 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: QEMU, QEMU DVD-ROM, 0.9. ATAPI 5/cdrom removable wd0(pciide0:0:0): using PIO mode 0, DMA mode 2 cd0(pciide0:0:1): using PIO mode 0 atapiscsi1 at pciide0 channel 1 drive 0 scsibus1 at atapiscsi1: 2 targets cd1 at scsibus1 targ 0 lun 0: QEMU, QEMU DVD-ROM, 0.9. ATAPI 5/cdrom removable cd1(pciide0:1:0): using PIO mode 0 uhci0 at pci0 dev 1 function 2 Intel 82371SB USB rev 0x01: apic 1 int 11 piixpm0 at pci0 dev 1 function 3 Intel 82371AB Power rev 0x03: apic 1 int 10 iic0 at piixpm0 iic0: addr 0x19 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x1b 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x1c 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x1d 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x1e 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x1f 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x29 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x2b 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07= iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07= vga1 at pci0 dev 2 
function 0 Cirrus Logic CL-GD5446 rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) em0 at pci0 dev 3 function 0 Intel PRO/1000MT (82540EM) rev 0x03: apic 1 int 11, address 52:54:00:27:26:84 em1 at pci0 dev 4 function 0 Intel PRO/1000MT (82540EM) rev 0x03: apic 1 int 11, address 52:54:00:3b:26:84 virtio0 at pci0 dev 5 function 0 Qumranet Virtio Memory rev 0x00: Virtio Memory Balloon Device viomb0 at virtio0 virtio0: apic 1 int 10 virtio1 at pci0 dev 6 function 0 Qumranet Virtio Console rev 0x00: Virtio Console Device virtio1: no matching child driver; not configured isa0 at pcib0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 pcppi0 at isa0 port 0x61 spkr0
Re: init disappeared on my OpenBSD VPS
I have since run the OpenBSD 5.3 media for an upgrade and got the system running. However, I accidentally built the i386 kernel when the machine is amd64, which might have replaced init or something in the process, which might be why obsd didn't work.

On Thu, May 23, 2013 at 3:25 AM, John Tate j...@johntate.org wrote:
I have an OpenBSD VPS. I just built the latest kernel from the 5.3 patch branch, and the new kernel can't find init, but neither can the old kernel; they both make this output:

OpenBSD/amd64 BOOT 3.01
boot obsd
booting hd0a:obsd: 8404228+1102404 [52+381152+367486]=0x9c7d50
entry point at 0x200120 [7205c766, 3404, 24448b12, 2494a304]
[ using 749064 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2013 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.3-stable (SECUSRVR) #0: Wed May 22 10:07:51 PDT 2013
    r...@elijah.secusrvr.com:/usr/src/sys/arch/i386/compile/SECUSRVR
cpu0: QEMU Virtual CPU version 0.9.1 (GenuineIntel 686-class) 2.65 GHz
cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,LONG,SSE3,PERF
real mem = 804777984 (767MB)
avail mem = 780640256 (744MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/13/10, BIOS32 rev. 0 @ 0xfb4d0, SMBIOS rev. 2.4 @ 0xfbd3f (10 entries)
bios0: vendor QEMU version QEMU date 01/01/2007
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
mpbios0 at bios0: Intel MP Specification 1.4
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 999MHz
mpbios0: bus 0 is type ISA
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
bios0: ROM list: 0xc/0x8c00 0xd/0x600!
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82441FX rev 0x02
pcib0 at pci0 dev 1 function 0 Intel 82371SB ISA rev 0x00
pciide0 at pci0 dev 1 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: QEMU HARDDISK
wd0: 16-sector PIO, LBA48, 20480MB, 41943040 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: QEMU, QEMU DVD-ROM, 0.9. ATAPI 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
cd0(pciide0:0:1): using PIO mode 0
atapiscsi1 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0: QEMU, QEMU DVD-ROM, 0.9. ATAPI 5/cdrom removable
cd1(pciide0:1:0): using PIO mode 0
uhci0 at pci0 dev 1 function 2 Intel 82371SB USB rev 0x01: apic 1 int 11
piixpm0 at pci0 dev 1 function 3 Intel 82371AB Power rev 0x03: apic 1 int 10
iic0 at piixpm0
iic0: addr 0x19 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1b 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1c 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1d 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1e 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1f 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x29 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x2b 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
vga1 at pci0 dev 2 function 0 Cirrus Logic CL-GD5446 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 Intel PRO/1000MT (82540EM) rev 0x03: apic 1 int 11, address 52:54:00:27:26:84
em1 at pci0 dev 4 function 0 Intel PRO/1000MT (82540EM) rev 0x03: apic 1 int 11, address 52:54:00:3b:26:84
virtio0 at pci0 dev 5 function 0 Qumranet Virtio Memory rev 0x00: Virtio Memory Balloon Device
viomb0 at virtio0
virtio0: apic 1 int 10
virtio1 at pci0 dev 6 function 0 Qumranet Virtio Console rev 0x00: Virtio
Updating ports via anoncvs hangs
When I go to update ports by anoncvs it just hangs; it's been like this for hours. Something doesn't seem right.

elijah:usr # cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_3 -P ports

-- www.johntate.org
Forwarding to a proxy on a different system with pf
I have a squid proxy listening in transparent mode on another faster system, but I can't seem to get packets there with pf. I tried simply modifying the other divert-to rule to use the IP address of that system. It doesn't seem to work; packets don't reach that system.

#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128
pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10 port 3128

How should I be doing this? I couldn't find anything on Google.

-- www.johntate.org
PHP fastcgi, suexec
I want to use fastcgi and suexec to run php programs as particular users from Apache in a chroot. I've found documentation on running suexec, but I can't find anything OpenBSD-specific on getting fastcgi and php into the chroot so I can use them. If you could at least point me in the direction of documentation it would be good, but some simple directions would suffice.

I've installed php-5.3-fastcgi; how do I put the wrapper in the chroot? I know where the wrapper is, but I'm not sure about all the required files.

How do I put all the files related to my php in the chroot? Once again, I'm not sure about the required files.

-- www.johntate.org
PF blocking something it seems it shouldn't
My pflog interface shows something being blocked that simply shouldn't be blocked as far as I understand my pf rules...

11:35:40.461658 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 <nop,nop,timestamp 3483320 114932434> (DF)

My pf.conf...

menger:root # cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if=fxp0
ext_if=pppoe0

#networks
local_net=10.0.0.0/8

#hosts
menger=10.0.0.1
murphy=10.0.0.2
fekete=10.0.0.3

#host port forwarding
murphy_ports = { 8333 }
fekete_ports = { 17001, 39191, 5938, }

#other
tcp_services={ 22 }
icmp_types=echoreq

#queue ports
ssh_ports = { 22, }
im_ports = { 1863, 5190, 5222 }
game_ports = { 27000:27050, 4380 }

altq on $ext_if cbq bandwidth 375Kb queue { std, ssh_im, dns, game }
queue std on $ext_if bandwidth 100Kb cbq(default borrow)
queue ssh_im on $ext_if bandwidth 50Kb priority 3 cbq(red)
queue dns on $ext_if bandwidth 25Kb priority 4
queue game on $ext_if bandwidth 200Kb priority 5 cbq(red)

altq on $int_if cbq bandwidth 100Mb queue { lan, int }
queue lan on $int_if bandwidth 92Mb cbq(default)
queue int on $int_if bandwidth 7500Kb { std, ssh_im, dns, game }
queue std on $int_if bandwidth 6500Kb cbq(borrow)
queue ssh_im on $int_if bandwidth 200Kb priority 4
queue dns on $int_if bandwidth 200Kb priority 5
queue game on $int_if bandwidth 600Kb priority 6 cbq(red)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log #RULE 6
pass out quick

match inet proto { tcp udp } queue(std)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im)
match inet proto udp to port $game_ports queue game
match inet from $menger queue lan
match inet to $menger queue lan

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto { tcp udp } to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto { tcp udp } to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- www.johntate.org
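The log line in this post can be checked mechanically. The Python below is an added example, not code from the original thread: it parses pflog(4) lines in the form tcpdump prints them (`tcpdump -n -e -r /var/log/pflog`) and labels each blocked TCP segment as either a new connection no pass rule accepted or a segment that arrived with no state. The reasoning it encodes is pf's documented default: the state table is consulted before the ruleset, and a TCP pass rule carries `flags S/SA` unless written otherwise, so it matches only a bare SYN and creates state from it. A FIN/PSH segment with no state, like the one above, cannot match `pass in on $int_if` and falls through to the catch-all `block in log`, which counts as rule 6 in this ruleset. The sample lines are constructed: the first reproduces the post's line with the `>` and `<...>` that the web archive stripped put back, the other two are made up for contrast.

```python
"""Parse pflog(4) lines as tcpdump prints them and say why a TCP segment was
blocked. Added example; not code from the original post. SAMPLE_LOG is
constructed: its first line is the block reported in the post, with the '>'
and the '<...>' option brackets that the web archive stripped put back; the
other two lines are made up for contrast."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
11:35:40.461658 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 <nop,nop,timestamp 3483320 114932434> (DF)
11:35:41.000001 rule 6/(match) block in on pppoe0: 203.0.113.7.51234 > 198.51.100.10.23: S 10:10(0) win 16384 <mss 1460> (DF)
11:35:42.000002 rule 13/(match) pass in on pppoe0: 203.0.113.7.51235 > 198.51.100.10.22: S 20:20(0) win 16384 <mss 1460> (DF)
"""

# One tcpdump line for a TCP packet read from pflog: timestamp, the rule that
# decided, action and direction, interface, endpoints, TCP flag letters, and
# the rest of the segment description (seq range, ack, window, options).
PFLOG_TCP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"rule\s+(?P<rule>\d+)/\((?P<reason>[\w-]+)\)\s+"
    r"(?P<action>pass|block|match)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPUEW.]+)\s+"
    r"(?P<rest>.*)$"
)


@dataclass
class PflogEntry:
    time: str
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # tcpdump flag letters, e.g. "S", "FP", "."
    has_ack: bool   # an "ack N" field follows, i.e. ACK is set


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Return the parsed entry, or None for lines that are not TCP pflog lines."""
    m = PFLOG_TCP_RE.match(line.strip())
    if m is None:
        return None
    return PflogEntry(
        time=m["time"], rule=int(m["rule"]), action=m["action"],
        direction=m["direction"], iface=m["iface"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        flags=m["flags"], has_ack=" ack " in f" {m['rest']} ",
    )


def classify(e: PflogEntry) -> str:
    """Label an entry using pf's default handling of TCP.

    pf looks a packet up in the state table before walking the ruleset. A TCP
    pass rule carries 'flags S/SA' unless written otherwise, so it matches only
    a bare SYN and creates state from it. Any other segment with no state entry
    cannot match such a pass rule and is left to the catch-all 'block in log'.
    """
    if e.action == "pass":
        return "passed"
    if e.flags == "S" and not e.has_ack:
        return "new-connection-blocked"   # a SYN that no pass rule accepted
    return "out-of-state"                 # FIN/PSH/ACK etc. with no state


def parse_pflog(log: str) -> List[PflogEntry]:
    return [e for e in map(parse_pflog_line, log.splitlines()) if e is not None]


def summarize(log: str) -> Dict[str, int]:
    """Count entries per label: a first pass over a day of pflog output."""
    return dict(Counter(classify(e) for e in parse_pflog(log)))


if __name__ == "__main__":
    for e in parse_pflog(SAMPLE_LOG):
        print(f"rule {e.rule:>2} {e.action:5} {e.direction} on {e.iface:6} "
              f"{e.src}:{e.sport} -> {e.dst}:{e.dport} flags={e.flags:3} {classify(e)}")
    print(summarize(SAMPLE_LOG))
```

Run against a real pflog, "out-of-state" entries from the LAN side usually mean a state expired (idle connection, `pfctl -F states`, a ruleset reload with state flush) rather than a rule that is wrong; "new-connection-blocked" entries are the ones worth reading the ruleset for.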
Re: pf queueing and nat
I can't find any description of the match rules here: http://openbsd.org/faq/pf/filter.html

Are they the same syntax as block and pass rules?

On Wed, Apr 17, 2013 at 4:56 AM, Peter N. M. Hansteen pe...@bsdly.net wrote:
John Tate j...@johntate.org writes:
I think I understand, can someone give me a look at a pf.conf with queueing and nat rules.

With an existing rule set in place, it's probably easier to do the queue assignment with a block of match rules. That way at least you don't affect the pass or block decision.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- www.johntate.org
Re: pf queueing and nat
Found it in the manpage pretty quickly, silly me; apparently it is the same.

On Wed, Apr 17, 2013 at 5:16 PM, John Tate j...@johntate.org wrote:
I can't find any description of the match rules here: http://openbsd.org/faq/pf/filter.html

Are they the same syntax as block and pass rules?

On Wed, Apr 17, 2013 at 4:56 AM, Peter N. M. Hansteen pe...@bsdly.net wrote:
John Tate j...@johntate.org writes:
I think I understand, can someone give me a look at a pf.conf with queueing and nat rules.

With an existing rule set in place, it's probably easier to do the queue assignment with a block of match rules. That way at least you don't affect the pass or block decision.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- www.johntate.org

-- www.johntate.org
Re: pf queueing and nat
Well, the ruleset loads. Can anyone do a quick check of this in case I've done something stupid? I've never used match rules before. I'm not really sure how to test queueing to see if it works.

# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if=fxp0
ext_if=pppoe0

#networks
local_net=10.0.0.0/8

#hosts
murphy=10.0.0.2
fekete=10.0.0.3

#host port forwarding
murphy_ports = { 8333 }
fekete_ports = { 17001, 39191, 5938, }

#other
tcp_services={ 22 }
icmp_types=echoreq

#queue ports
ssh_ports = { 22, }
im_ports = { 1863, 5190, 5222 }

#queues
altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in, fekete_in }
queue std_in bandwidth 175Kb cbq(default)
queue ssh_im_in bandwidth 75Kb priority 4
queue dns_in bandwidth 50Kb priority 5
queue fekete_in bandwidth 50Kb cbq(borrow)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any    # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match out on $ext_if inet proto tcp from ($ext_if) queue(std_out, tcp_ack_out)
match out on $ext_if inet proto { tcp udp } from ($ext_if) to port domain \
    queue dns_out
match out on $ext_if inet proto tcp from ($ext_if) to port $ssh_ports \
    queue(std_out, ssh_im_out)
match out on $ext_if inet proto tcp from ($ext_if) to port $im_ports \
    queue(ssh_im_out, tcp_ack_out)

match out on $int_if proto { tcp udp } from port domain to $local_net queue dns_in
match out on $int_if proto tcp from port $ssh_ports to $local_net \
    queue(std_in, ssh_im_in)
match out on $int_if proto tcp from port $im_ports to $local_net \
    queue ssh_im_in
match out on $int_if to $fekete queue fekete_in

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_i

On Wed, Apr 17, 2013 at 5:17 PM, John Tate j...@johntate.org wrote:
Found it in the manpage pretty quickly, silly me; apparently it is the same.

On Wed, Apr 17, 2013 at 5:16 PM, John Tate j...@johntate.org wrote:
I can't find any description of the match rules here: http://openbsd.org/faq/pf/filter.html

Are they the same syntax as block and pass rules?

On Wed, Apr 17, 2013 at 4:56 AM, Peter N. M. Hansteen pe...@bsdly.net wrote:
John Tate j...@johntate.org writes:
I think I understand, can someone give me a look at a pf.conf with queueing and nat rules.

With an existing rule set in place, it's probably easier to do the queue assignment with a block of match rules. That way at least you don't affect the pass or block decision.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- www.johntate.org

-- www.johntate.org

-- www.johntate.org
Re: pf queueing and nat
Well, I had the bandwidth the wrong way around for my internet connection. I've been trying the other changes and now I have problems; I'm pretty sure I need to put _out and _in on the end...

# pfctl -nf /etc/pf.conf
/etc/pf.conf:39: exactly one scheduler type per interface allowed
/etc/pf.conf:39: errors in queue definition
/etc/pf.conf:40: priq doesn't take bandwidth
/etc/pf.conf:40: errors in queue definition
/etc/pf.conf:41: priq doesn't take bandwidth
/etc/pf.conf:41: errors in queue definition
/etc/pf.conf:42: priq doesn't take bandwidth
/etc/pf.conf:42: errors in queue definition

# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if=fxp0
ext_if=pppoe0

#networks
local_net=10.0.0.0/8

#hosts
murphy=10.0.0.2
fekete=10.0.0.3

#host port forwarding
murphy_ports = { 8333 }
fekete_ports = { 17001, 39191, 5938, }

#other
tcp_services={ 22 }
icmp_types=echoreq

#queue ports
ssh_ports = { 22, }
im_ports = { 1863, 5190, 5222 }

#queues
altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack, game }
queue std priq(default)
queue ssh_im priority 4 priq(red)
queue dns priority 5
queue game priority 6
queue tcp_ack priority 7

altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete, game }
queue std bandwidth 5000Kb cbq(default)
queue ssh_im bandwidth 200Kb priority 4
queue dns bandwidth 200Kb priority 5
queue game bandwidth 200Kb priority 6
queue fekete bandwidth 1900Kb cbq(borrow)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any    # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match inet proto tcp queue(std, tcp_ack)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
match inet proto tcp to port 27000:27050 queue game
match from $fekete queue fekete
match to $fekete queue fekete

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

On Wed, Apr 17, 2013 at 8:32 PM, Stuart Henderson s...@spacehopper.org wrote:
On 2013-04-17, John Tate j...@johntate.org wrote:
Well the ruleset loads, can anyone do a quick check of this in case I've done something stupid. I've never used match rules before. I'm not really sure how to test queueing to see if it works.

see systat queue; run it as root.

#queues
altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in, fekete_in }
queue std_in bandwidth 175Kb cbq(default)
queue ssh_im_in bandwidth 75Kb priority 4
queue dns_in bandwidth 50Kb priority 5
queue fekete_in bandwidth 50Kb cbq(borrow)

Using separate queue names for _in and _out is really awkward when you use stateful firewall rules; try something along these lines instead:

altq on $ext_if priq bandwidth 7500Kb queue { std, ssh_im, dns, tcp_ack }
queue std on $ext_if priq(default)
queue ssh_im on $ext_if priority 4 priq(red)
queue dns on $ext_if priority 5
queue tcp_ack
Re: pf queueing and nat
Oh wait, I've forgotten to specify the interface.

On Thu, Apr 18, 2013 at 5:45 AM, John Tate j...@johntate.org wrote:
Well, I had the bandwidth the wrong way around for my internet connection. I've been trying the other changes and now I have problems; I'm pretty sure I need to put _out and _in on the end...

# pfctl -nf /etc/pf.conf
/etc/pf.conf:39: exactly one scheduler type per interface allowed
/etc/pf.conf:39: errors in queue definition
/etc/pf.conf:40: priq doesn't take bandwidth
/etc/pf.conf:40: errors in queue definition
/etc/pf.conf:41: priq doesn't take bandwidth
/etc/pf.conf:41: errors in queue definition
/etc/pf.conf:42: priq doesn't take bandwidth
/etc/pf.conf:42: errors in queue definition

# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if=fxp0
ext_if=pppoe0

#networks
local_net=10.0.0.0/8

#hosts
murphy=10.0.0.2
fekete=10.0.0.3

#host port forwarding
murphy_ports = { 8333 }
fekete_ports = { 17001, 39191, 5938, }

#other
tcp_services={ 22 }
icmp_types=echoreq

#queue ports
ssh_ports = { 22, }
im_ports = { 1863, 5190, 5222 }

#queues
altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack, game }
queue std priq(default)
queue ssh_im priority 4 priq(red)
queue dns priority 5
queue game priority 6
queue tcp_ack priority 7

altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete, game }
queue std bandwidth 5000Kb cbq(default)
queue ssh_im bandwidth 200Kb priority 4
queue dns bandwidth 200Kb priority 5
queue game bandwidth 200Kb priority 6
queue fekete bandwidth 1900Kb cbq(borrow)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any    # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match inet proto tcp queue(std, tcp_ack)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
match inet proto tcp to port 27000:27050 queue game
match from $fekete queue fekete
match to $fekete queue fekete

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

On Wed, Apr 17, 2013 at 8:32 PM, Stuart Henderson s...@spacehopper.org wrote:
On 2013-04-17, John Tate j...@johntate.org wrote:
Well the ruleset loads, can anyone do a quick check of this in case I've done something stupid. I've never used match rules before. I'm not really sure how to test queueing to see if it works.

see systat queue; run it as root.

#queues
altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in, fekete_in }
queue std_in bandwidth 175Kb cbq(default)
queue ssh_im_in bandwidth 75Kb priority 4
queue dns_in bandwidth 50Kb priority 5
queue fekete_in bandwidth 50Kb cbq(borrow)

Using separate queue names for _in and _out is really awkward when you use stateful firewall rules; try something along these lines instead:

altq on $ext_if
pf queueing and nat
I am adding queueing to my pf-based nat for my home network. Since there isn't a complete example involving nat and queuing I am not entirely sure where to put things. I've read the manual and I think I put things before the rdr-to rules. I also have a transparent ftp and http proxy; I am not entirely sure if I put it before or after the divert-to rules. I just need someone to show me where in the pf.conf I've already done I should put things.

I need to add lines like these...

block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) queue (std_out, tcp_ack_out)

(And so on, including for incoming traffic on $int_if.)

My current pf.conf...

# grep -v '^#' /etc/pf.conf
int_if=fxp0
ext_if=pppoe0

murphy=10.0.0.2
fekete=10.0.0.3

murphy_ports = { 8333 }
fekete_ports = { 17001, 39191, 5938, }

tcp_services={ 22 }
icmp_types=echoreq

set skip on lo

pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- www.johntate.org
Re: pf queueing and nat
I think I understand; can someone give me a look at a pf.conf with queueing and nat rules? It's hard to experiment because I'm logged in via ssh and would lose my connection every time I make a change. Unfortunately the machine connected to the firewall via null modem for a serial console has died :-(.

On Wed, Apr 17, 2013 at 4:05 AM, Christopher Zimmermann madro...@gmerlin.de wrote:
On Wed, 17 Apr 2013 03:32:52 +1000 John Tate j...@johntate.org wrote:
I am adding queueing to my pf based nat for my home network. Since there isn't a complete example involving nat and queuing I am not entirely sure where to put things. I've read the manual and I think I put things before the rdr-to rules. I also have a transparent ftp and http proxy. I am not entirely sure if I put it before or after the divert-to rules. I just need someone to show me where in the pf.conf I've already done I should put things.

I need to add the lines like these...

block out on $ext_if all

Before everything else. Last match wins!

pass out on $ext_if inet proto tcp from ($ext_if) queue (std_out, tcp_ack_out)

(And so on, including for incoming traffic on $int_if)

I'm not sure whether queue rules are sticky, but later matching ones will overwrite earlier ones I'd guess, so put them as late as possible. I'd also put the nat rules as match rules at the very end, so you don't forget the real source address/port too early.

Christopher

My current pf.conf...

# grep -v '^#' /etc/pf.conf
int_if=fxp0
ext_if=pppoe0

murphy=10.0.0.2
fekete=10.0.0.3

murphy_ports = { 8333 }
fekete_ports = { 17001, 39191, 5938, }

tcp_services={ 22 }
icmp_types=echoreq

set skip on lo

pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151

pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- www.johntate.org

-- www.johntate.org
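The two points made in this thread, that the last matching rule decides unless it is quick, and that match rules never decide but only attach options (with a later match rule overriding an earlier one's queue), are easy to check by walking a ruleset by hand. The Python below is an added model, not code from the thread or from pf itself. Its RULESET is a trimmed, hand-transcribed version of the pf.conf posted in this thread with the macros expanded (ALTQ definitions, the divert-to/rdr-to targets and the X11 rule are left out), and it walks the ruleset only: there is no state table, so every packet stands for the first packet of a flow. The TCP default `flags S/SA` on pass rules is modelled with a `syn_only` flag. Besides reproducing the block from the pflog post above, it shows something the ordering John settles on in the follow-ups hides: the queue match rules sit below `pass out quick`, so traffic that originates on the firewall itself (the squid proxy's own fetches, the resolver's queries) is passed by that quick rule before any match rule is reached and is never queued. Forwarded LAN traffic is not affected, because its state is created on the inbound pass on fxp0, where the match rules are still reached. The packets are constructed.

```python
"""Model of how pf chooses the deciding rule: last match wins, 'quick' stops
evaluation, and 'match' rules only attach options (here the queue).

Added example; not code from the thread or from pf. RULESET is a trimmed,
hand-transcribed copy of the posted pf.conf with macros expanded. Ruleset
walk only, no state table; the packets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

INT_IF, EXT_IF = "fxp0", "pppoe0"   # the post's $int_if and $ext_if (egress)


@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn_only: bool = False  # a bare SYN, the only TCP segment 'flags S/SA' accepts


@dataclass
class Rule:
    action: str                        # "pass", "block" or "match"
    text: str                          # the pf.conf line being modelled
    quick: bool = False
    direction: Optional[str] = None    # None = both directions
    iface: Optional[str] = None        # None = any interface
    proto: Optional[str] = None        # None = any protocol
    dports: Optional[Set[int]] = None  # None = any destination port
    queue: Optional[str] = None        # queue(s) the rule assigns

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        # A TCP pass rule gets 'flags S/SA' by default, so it matches only a
        # bare SYN (and creates state from it). block and match rules carry
        # no default flags and see every segment.
        if self.action == "pass" and p.proto == "tcp" and not p.syn_only:
            return False
        return True


def evaluate(p: Packet, rules: List[Rule]) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (decision, queue, index of the deciding rule).

    Rules are walked top to bottom. A matching pass/block rule becomes the
    current winner and a later one replaces it (last match wins), unless the
    winner is 'quick', which ends evaluation at once and skips everything
    below it, match rules included. A match rule never changes the decision;
    it attaches options, and a later match rule overrides the queue set by an
    earlier one. If nothing matches, pf's implicit default is pass.
    """
    decision, queue, winner = "pass", None, None
    for i, r in enumerate(rules):
        if not r.matches(p):
            continue
        if r.queue is not None:
            queue = r.queue
        if r.action == "match":
            continue
        decision, winner = r.action, i
        if r.quick:
            break
    return decision, queue, winner


RULESET: List[Rule] = [
    Rule("pass", "pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128",
         quick=True, direction="in", iface=INT_IF, proto="tcp", dports={80}),
    Rule("match", "match out on egress inet from !(egress:network) to any nat-to (egress:0)",
         direction="out", iface=EXT_IF),
    Rule("pass", "pass   # to establish keep-state"),
    Rule("block", "block in log", direction="in"),
    Rule("pass", "pass out quick", quick=True, direction="out"),
    Rule("match", "match inet proto tcp queue(std, tcp_ack)", proto="tcp", queue="std, tcp_ack"),
    Rule("match", "match inet proto { tcp udp } to port domain queue dns", dports={53}, queue="dns"),
    Rule("match", "match inet proto tcp to port $ssh_ports queue(std, ssh_im)",
         proto="tcp", dports={22}, queue="std, ssh_im"),
    Rule("pass", "pass in on egress inet proto tcp from any to (egress) port $tcp_services",
         direction="in", iface=EXT_IF, proto="tcp", dports={22}),
    Rule("pass", "pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy",
         direction="in", iface=EXT_IF, proto="tcp", dports={8333}),
    Rule("pass", "pass in on $int_if", direction="in", iface=INT_IF),
]

# The same rules with the three match rules moved above 'pass out quick'.
REORDERED: List[Rule] = RULESET[:4] + RULESET[5:8] + [RULESET[4]] + RULESET[8:]

PACKETS: Dict[str, Packet] = {
    # new SSH connection from the Internet to the firewall's public address
    "ssh_syn": Packet("in", EXT_IF, "tcp", "203.0.113.7", "198.51.100.10", 22, syn_only=True),
    # new telnet connection from the Internet: nothing passes it
    "telnet_syn": Packet("in", EXT_IF, "tcp", "203.0.113.7", "198.51.100.10", 23, syn_only=True),
    # LAN host opening an HTTP connection: caught by the quick divert rule
    "lan_http_syn": Packet("in", INT_IF, "tcp", "10.0.0.2", "203.0.113.80", 80, syn_only=True),
    # the FIN/PSH segment from the pflog post, arriving with no state
    "stray_fin": Packet("in", INT_IF, "tcp", "10.0.0.4", "141.101.113.245", 443),
    # a DNS query the firewall itself sends out (e.g. on behalf of squid)
    "local_dns_out": Packet("out", EXT_IF, "udp", "198.51.100.10", "9.9.9.9", 53),
}


def run(rules: List[Rule] = RULESET) -> Dict[str, Tuple[str, Optional[str], Optional[str]]]:
    """Evaluate every sample packet; returns {name: (decision, queue, deciding rule text)}."""
    out = {}
    for name, p in PACKETS.items():
        decision, queue, idx = evaluate(p, rules)
        out[name] = (decision, queue, rules[idx].text if idx is not None else None)
    return out


if __name__ == "__main__":
    for name, (decision, queue, text) in run().items():
        print(f"{name:14} {decision:5} queue={queue!s:14} by: {text}")
    print("after moving the match rules above 'pass out quick':")
    print(" local_dns_out ->", run(REORDERED)["local_dns_out"])
```

The model is deliberately small: no state table, no `antispoof`, no `rdr-to`/`nat-to` address rewriting, and the second queue of a `queue(a, b)` pair is kept only as part of the name. It is enough to see why `match` rules belong above any `quick` pass rule whose traffic they are meant to queue, and why a non-SYN segment with no state ends at `block in log`.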
Re: httpd.conf problem with defaults
Removed all the NameVirtualHost lines and it still isn't working. I can't make sense of it; everything looks fine. I get some errors about _default_ VirtualHost.

# apachectl startssl
[Sat Apr 6 02:53:57 2013] [warn] module mod_php5.c is already added, skipping
[Sat Apr 6 02:53:57 2013] [warn] module php5_module is already loaded, skipping
[Sat Apr 6 02:53:57 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Sat Apr 6 02:53:57 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence

On Fri, Apr 5, 2013 at 7:25 PM, Stuart Henderson s...@spacehopper.org wrote:
On 2013-04-05, John Tate j...@johntate.org wrote:
NameVirtualHost 127.0.0.1:443
NameVirtualHost 208.79.92.130:443
NameVirtualHost 127.0.0.1:80
NameVirtualHost 127.0.0.1:80
NameVirtualHost 127.0.0.1:80
NameVirtualHost 208.79.92.130:80
NameVirtualHost 208.79.92.130:80
NameVirtualHost 208.79.92.130:80

remove the duplicate lines and see if it helps.

-- www.johntate.org
Re: httpd.conf problem with defaults
Thanks, that worked.

On Sun, Apr 7, 2013 at 6:45 AM, Zé Loff zel...@zeloff.org wrote:
On Sat, Apr 06, 2013 at 08:55:53PM +1100, John Tate wrote:
Removed all the NameVirtualHost lines and it still isn't working. I can't make sense of it everything looks fine, I get some errors about _default_ VirtualHost.

# apachectl startssl
[Sat Apr 6 02:53:57 2013] [warn] module mod_php5.c is already added, skipping
[Sat Apr 6 02:53:57 2013] [warn] module php5_module is already loaded, skipping
[Sat Apr 6 02:53:57 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Sat Apr 6 02:53:57 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence

On Fri, Apr 5, 2013 at 7:25 PM, Stuart Henderson s...@spacehopper.org wrote:
On 2013-04-05, John Tate j...@johntate.org wrote:
NameVirtualHost 127.0.0.1:443
NameVirtualHost 208.79.92.130:443
NameVirtualHost 127.0.0.1:80
NameVirtualHost 127.0.0.1:80
NameVirtualHost 127.0.0.1:80
NameVirtualHost 208.79.92.130:80
NameVirtualHost 208.79.92.130:80
NameVirtualHost 208.79.92.130:80

remove the duplicate lines and see if it helps.

-- www.johntate.org

Apache is telling you what is wrong. You have several default VHs, and the first (for port 80 it's johntate.org) has precedence, so that's why you always get redirected to it.

Try changing the NameVirtualHost directives to *:80 and *:443. You are specifying IP addresses on those directives, but then define virtual hosts on *:80 and *:443, and maybe that's the problem (I've moved from apache to nginx, so I'm not testing any of this...).

Here's a (very trimmed) known-to-work config:

ServerName www.phistat.com
DocumentRoot /var/www/htdocs
UseCanonicalName On

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerAdmin webmas...@zeloff.org
    DocumentRoot /var/www/htdocs
    ServerName www.zeloff.org
    ErrorLog logs/error_log
    CustomLog logs/access_log combined
    <Directory /var/www/htdocs/fdm>
        Options Multiviews FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmas...@phistat.com
    DocumentRoot /var/www/htdocs/phiStat
    ServerName www.phistat.com
    ErrorLog logs/www.phistat.com-error_log
    CustomLog logs/www.phistat.com-access_log combined
</VirtualHost>

Additionally you are adding the php modules twice: in your httpd.conf file and most likely on *.conf files present on the /var/www/conf/modules folder, which you are including with the Include /var/www/conf/modules/*.conf line, but this has nothing to do with the redirections.

--

-- www.johntate.org
Re: Can't get FTP through pf
Thanks!

On Thu, Apr 4, 2013 at 4:29 PM, David Diggles da...@elven.com.au wrote:
Looks like these are your conflicting rules.

pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in on $ext_if proto tcp to port 21

The first rule needs to be on $int_if - you didn't specify an interface so it then defaults to all interfaces.

-- www.johntate.org
httpd.conf problem with defaults
I think I have a problem with my defaults. I used to just have a default a secusrvr.com. The default would point to /var/www/htdocs which redirects to /var/www/sites/secusrvr.com which is for the virtualhost secusrvr.com. I added johntate.org and www.johntate.org both under /var/www/sites/www.johntate.org and /var/www/sites/johntate.org but somehow even after adding www.secusrvr.com, that domain through a browser redirects to johntate.org.

I'm getting these warnings:

# apachectl startssl
[Thu Apr 4 20:17:56 2013] [warn] module mod_php5.c is already added, skipping
[Thu Apr 4 20:17:56 2013] [warn] module php5_module is already loaded, skipping
[Thu Apr 4 20:17:56 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Apr 4 20:17:56 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:443 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:443 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
/usr/sbin/apachectl startssl: httpd started

Here is my /var/www/conf/httpd.conf

# $OpenBSD: httpd.conf,v 1.26 2009/06/03 18:28:21 robert Exp $
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://www.apache.org/docs/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# After this file is processed, the server will look for and process
# /var/www/conf/srm.conf and then /var/www/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with / (or drive:/ for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with /, the value of ServerRoot is prepended -- so logs/foo.log
# with ServerRoot set to /usr/local/apache will be interpreted by the
# server as /usr/local/apache/logs/foo.log.
#
### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#
#
# ServerType is either inetd, or standalone. Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone
#
# ServerTokens is either Full, OS, Minimal, or ProductOnly.
# The values define what version information is returned in the
# Server header in HTTP responses.
#
#
ServerTokens ProductOnly
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot /var/www
#
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
#LockFile logs/accept.lock
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile
Re: httpd.conf problem with defaults
:80

<VirtualHost *:80>
DocumentRoot /var/www/sites/www.secusrvr.com
ServerName www.secusrvr.com
<Directory /var/www/sites/www.seucsrvr.com>
allow from all
Options +Indexes
AllowOverride All
</Directory>
</VirtualHost>

On Fri, Apr 5, 2013 at 2:18 PM, John Tate j...@johntate.org wrote:

I think I have a problem with my defaults. I used to just have a default a secusrvr.com. The default would point to /var/www/htdocs which redirects to /var/www/sites/secusrvr.com which is for the virtualhost secusrvr.com. I added johntate.org and www.johntate.org both under /var/www/sites/www.johntate.org and /var/www/sites/johntate.org but somehow even after adding www.secusrvr.com, that domain through a browser redirects to johntate.org.

I'm getting these warnings:

# apachectl startssl
[Thu Apr 4 20:17:56 2013] [warn] module mod_php5.c is already added, skipping
[Thu Apr 4 20:17:56 2013] [warn] module php5_module is already loaded, skipping
[Thu Apr 4 20:17:56 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Apr 4 20:17:56 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:443 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:443 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
/usr/sbin/apachectl startssl: httpd started

Here is my /var/www/conf/httpd.conf

# $OpenBSD: httpd.conf,v 1.26 2009/06/03 18:28:21 robert Exp $
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://www.apache.org/docs/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# After this file is processed, the server will look for and process
# /var/www/conf/srm.conf and then /var/www/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with / (or drive:/ for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with /, the value of ServerRoot is prepended -- so logs/foo.log
# with ServerRoot set to /usr/local/apache will be interpreted by the
# server as /usr/local/apache/logs/foo.log.
#
### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#
#
# ServerType is either inetd, or standalone. Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone
#
# ServerTokens is either Full, OS, Minimal, or ProductOnly.
# The values define what version information is returned in the
# Server header in HTTP responses.
#
#
ServerTokens ProductOnly
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot /var/www
#
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left
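The two warnings the thread turns on ("NameVirtualHost ... has no VirtualHosts" and "VirtualHost overlap on port 80, the first has precedence") are both cheap to check before restarting httpd. The script below is an added example, not code from the thread or from Apache: it reads an Apache 1.3-style httpd.conf, pairs every NameVirtualHost with the <VirtualHost> blocks that use the same addr:port, and reports the two mismatches. The sample httpd.conf it writes is constructed to mirror the situation above (name-based listeners declared for the real addresses while the vhosts are written as *:80), not the poster's actual file.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two startup checks behind
# the warnings quoted above on an Apache 1.3-style httpd.conf, so a
# NameVirtualHost/VirtualHost mismatch is found before httpd is restarted.
#   - a NameVirtualHost addr:port that no <VirtualHost addr:port> uses
#   - an addr:port declared by several <VirtualHost> blocks with no
#     NameVirtualHost for it: they overlap and only the first is served
# Comments are stripped; directive names are matched case-insensitively.

vhost_pairs() {                 # print "NameVirtualHost A" / "VirtualHost A" lines
    sed -e 's/#.*//' "$1" | awk '
        NF >= 2 && tolower($1) == "namevirtualhost" { print "NameVirtualHost", $2 }
        NF >= 2 && tolower($1) == "<virtualhost"    { a = $2; sub(/>$/, "", a); print "VirtualHost", a }'
}

vhost_check() {                 # one finding per line, sorted; prints nothing if clean
    vhost_pairs "$1" | awk '
        $1 == "NameVirtualHost" { nvh[$2]++ }
        $1 == "VirtualHost"     { vh[$2]++ }
        END {
            for (a in nvh) if (!(a in vh))
                print "NameVirtualHost " a " has no VirtualHosts"
            for (a in vh) if (vh[a] > 1 && !(a in nvh))
                print a " declared " vh[a] " times without NameVirtualHost " a ": the first has precedence"
        }' | LC_ALL=C sort
}

make_sample_httpd_conf() {      # constructed sample modelled on the thread, written to $1
    cat > "$1" <<'EOF'
# two name-based listeners are declared, but the vhosts below are all "*:80"
NameVirtualHost 208.79.92.130:80
NameVirtualHost 127.0.0.1:80
<VirtualHost *:80>
    ServerName secusrvr.com
    DocumentRoot /var/www/sites/secusrvr.com
</VirtualHost>
<VirtualHost *:80>
    ServerName johntate.org
    DocumentRoot /var/www/sites/johntate.org
</VirtualHost>
<VirtualHost 208.79.92.130:80>
    ServerName www.secusrvr.com
    DocumentRoot /var/www/sites/www.secusrvr.com
</VirtualHost>
EOF
}

demo() {                        # run the check on the constructed sample
    f=$(mktemp) && make_sample_httpd_conf "$f" && vhost_check "$f"
    rm -f "$f"
}
demo
```

On the constructed sample the check reports that 127.0.0.1:80 has no vhost and that *:80 is declared twice with no NameVirtualHost *:80, which is why only the first of the two sites is ever served. Either give every vhost the same addr:port as one NameVirtualHost line or drop the NameVirtualHost lines that nothing uses; the script only reports, it does not rewrite the file.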
Can't get FTP through pf
I've got a gateway computer that I also want to be an ftp server. I've put everything through pf as per http://openbsd.org/faq/pf/ftp.html

Can anyone see something I've missed in this config? I can't access it remotely.

# grep -v -e ^# -e ^$ /etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=_vsftpd
ftpd_banner=Welcome to Kintaro's home. Where the downstream is small but the system enourmous.
chroot_list_enable=YES
chroot_list_file=/etc/ftpchroot
userlist_enable=YES
userlist_file=/etc/ftpusers
secure_chroot_dir=/var/vsftpd
pasv_min_port=49152
pasv_max_port=65535
text_userdb_names=YES
listen=YES
background=YES
log_ftp_protocol=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=49151
pasv_max_port=65535

# grep -v -e ^# -e ^$ /etc/pf.conf
int_if=fxp0
ext_if=pppoe0
murphy=10.0.0.2
fekete=10.0.0.3
murphy_ports = { 8333 }
fekete_ports = { 17001, 39191, 5938 }
tcp_services={ 22 }
icmp_types=echoreq
set skip on lo
anchor ftp-proxy/*
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass # to establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port 49151
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- www.johntate.org
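Two things in the files above are worth checking mechanically rather than by eye: vsftpd.conf sets pasv_min_port twice with different values, and pf.conf opens a single port (49151) for passive data connections while the configured range is many thousands of ports wide. The script below is an added example, not code from the thread, from vsftpd or from pf. It assumes vsftpd takes the last assignment of a repeated key as the effective one (the file is read top to bottom), and it only understands literal "port N" and "port N:M" tokens in "pass in ... proto tcp" rules; pf macros such as $tcp_services are not expanded. The sample files it writes are constructed, trimmed from the grep output above.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks on the two files above:
#   vsftpd_conflicts - keys assigned more than once with different values
#   vsftpd_value     - the value a key ends up with (assumption: last one wins)
#   pf_covers_range  - whether a literal "pass in ... proto tcp ... port N" or
#                      "port N:M" rule spans the whole passive data-port range
#                      (macros such as $tcp_services are not expanded)

vsftpd_conflicts() {            # usage: vsftpd_conflicts vsftpd.conf
    grep -v -e '^#' -e '^$' "$1" | awk -F= '
        NF >= 2 {
            key = $1; val = substr($0, length(key) + 2)
            if ((key in seen) && seen[key] != val) print key ": " seen[key] " -> " val
            seen[key] = val
        }'
}

vsftpd_value() {                # usage: vsftpd_value vsftpd.conf key
    grep -v -e '^#' -e '^$' "$1" | awk -F= -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2) }
        END { print v }'
}

pf_tcp_in_ports() {             # literal ports/ranges from "pass in ... proto tcp" rules
    sed -e 's/#.*//' "$1" | awk '
        /^pass in/ && /proto tcp/ {
            for (i = 1; i < NF; i++)
                if ($i == "port" && $(i + 1) ~ /^[0-9]+(:[0-9]+)?$/) print $(i + 1)
        }'
}

pf_covers_range() {             # usage: pf_covers_range pf.conf LOW HIGH; exits 0 if covered
    pf_tcp_in_ports "$1" | awk -v lo="$2" -v hi="$3" '
        BEGIN { lo += 0; hi += 0 }
        { n = split($1, p, ":"); a = p[1] + 0; b = (n == 2) ? p[2] + 0 : a
          if (a <= lo && b >= hi) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

make_sample_vsftpd_conf() {     # constructed, trimmed from the grep output above
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
xferlog_enable=YES
pasv_min_port=49152
pasv_max_port=65535
listen=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=49151
pasv_max_port=65535
EOF
}

make_sample_pf_conf() {         # constructed; $2 is the port token of the data rule
    cat > "$1" <<EOF
ext_if=pppoe0
pass in on \$ext_if proto tcp to port 21
pass in on \$ext_if proto tcp to port $2
EOF
}

demo() {
    d=$(mktemp -d)
    make_sample_vsftpd_conf "$d/vsftpd.conf"
    make_sample_pf_conf "$d/pf.conf" 49151
    vsftpd_conflicts "$d/vsftpd.conf"
    lo=$(vsftpd_value "$d/vsftpd.conf" pasv_min_port)
    hi=$(vsftpd_value "$d/vsftpd.conf" pasv_max_port)
    if pf_covers_range "$d/pf.conf" "$lo" "$hi"; then echo "pf passes $lo:$hi"
    else echo "pf does not pass the whole passive range $lo:$hi"; fi
    rm -r "$d"
}
demo
```

On the sample the conflict report is "pasv_min_port: 49152 -> 49151", and the pf check fails because the only data rule is "port 49151". A rule of the form "pass in on $ext_if proto tcp to port 49152:65535" makes the check pass; narrowing pasv_min_port/pasv_max_port to a small range and opening exactly that range is the usual way to keep the exposed port span small.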
Re: Can't get vsftpd to run
)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/ftpchroot
#
# You may activate the -R option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as ncftp and mirror assume
# the presence of the -R option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
#
# If enabled, vsftpd will load a list of usernames from the filename
# given by userlist_file. If a user tries to log in using a name in this
# file, they will be denied before they are asked for a password.
# This may be useful in preventing clear text passwords being transmitted.
userlist_enable=YES
#
# This option is the name of the file loaded when the userlist_enable
# option is active.
userlist_file=/etc/ftpusers
#
# This option should be the name of a directory which is empty. Also,
# the directory should not be writable by the ftp user. This directory
# is used as a secure chroot() jail at times vsftpd does not require
# filesystem access.
secure_chroot_dir=/var/vsftpd
#
# The minimum port to allocate for PASV style data connections.
# Can be used to specify a narrow port range to assist firewalling.
pasv_min_port=49152
#
# The maximum port to allocate for PASV style data connections.
# Can be used to specify a narrow port range to assist firewalling.
pasv_max_port=65535
#
# By default, numeric IDs are shown in the user and group fields of
# directory listings. You can get textual names by enabling this parameter.
# It is off by default for performance reasons.
text_userdb_names=YES
# When listen directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
background=YES
log_ftp_protocol=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=49151
pasv_max_port=65535

On Tue, Apr 2, 2013 at 4:53 PM, John Tate j...@johntate.org wrote:

Nevermind, found it.

On Tue, Apr 2, 2013 at 4:45 PM, John Tate j...@johntate.org wrote:

Where do I set ports in vsftpd.conf for incoming data, I've just looked around that link you provided and I can't find the option. I can't get through to vsftpd or pure_ftpd, probably because I didn't have incoming data ports open. I can get through on localhost and my local network so I assume it's pf.

pass in on egress inet proto tcp from any to (egress) \
port 49151

I've added that line but where do I set the ports on vsftpd?

On Tue, Apr 2, 2013 at 4:30 PM, Richard Toohey richardtoo...@paradise.net.nz wrote:

On 04/02/13 18:13, John Tate wrote:

I can't find that config option.

I think Stuart is talking about the background option from here: https://security.appspot.com/vsftpd/vsftpd_conf.html

Also look at listen, etc.

For logging - log_ftp_protocol syslog_enable xferlog_enable vsftpd_log_file xferlog_file options.

On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson s...@spacehopper.org wrote:

On 2013-04-01, John Tate j...@johntate.org wrote:

I've not used it in a while and I can't get it to run. I can't find any logging options or anything.

# vsftpd
... (It just sits there doing nothing)

How do I get it to work? I'm using the default config with only my own banner.

It is waiting for a connection (there is a config option to run it in the background). We should probably add an rc.d script to the port to make it easier.

-- www.johntate.org
Can't get vsftpd to run
I've not used it in a while and I can't get it to run. I can't find any logging options or anything.

# vsftpd
... (It just sits there doing nothing)

How do I get it to work? I'm using the default config with only my own banner.

-- www.johntate.org
Re: Can't get vsftpd to run
I can't find that config option.

On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson s...@spacehopper.org wrote:

On 2013-04-01, John Tate j...@johntate.org wrote:

I've not used it in a while and I can't get it to run. I can't find any logging options or anything.

# vsftpd
... (It just sits there doing nothing)

How do I get it to work? I'm using the default config with only my own banner.

It is waiting for a connection (there is a config option to run it in the background). We should probably add an rc.d script to the port to make it easier.

-- www.johntate.org
Re: Can't get vsftpd to run
I found it but it wasn't in there commented out, I added background=yes, but the server isn't accepting connections for some reason.

On Tue, Apr 2, 2013 at 4:13 PM, John Tate j...@johntate.org wrote:

I can't find that config option.

On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson s...@spacehopper.org wrote:

On 2013-04-01, John Tate j...@johntate.org wrote:

I've not used it in a while and I can't get it to run. I can't find any logging options or anything.

# vsftpd
... (It just sits there doing nothing)

How do I get it to work? I'm using the default config with only my own banner.

It is waiting for a connection (there is a config option to run it in the background). We should probably add an rc.d script to the port to make it easier.

-- www.johntate.org
Re: Can't get vsftpd to run
Where do I set ports in vsftpd.conf for incoming data, I've just looked around that link you provided and I can't find the option. I can't get through to vsftpd or pure_ftpd, probably because I didn't have incoming data ports open. I can get through on localhost and my local network so I assume it's pf.

pass in on egress inet proto tcp from any to (egress) \
port 49151

I've added that line but where do I set the ports on vsftpd?

On Tue, Apr 2, 2013 at 4:30 PM, Richard Toohey richardtoo...@paradise.net.nz wrote:

On 04/02/13 18:13, John Tate wrote:

I can't find that config option.

I think Stuart is talking about the background option from here: https://security.appspot.com/vsftpd/vsftpd_conf.html

Also look at listen, etc.

For logging - log_ftp_protocol syslog_enable xferlog_enable vsftpd_log_file xferlog_file options.

On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson s...@spacehopper.org wrote:

On 2013-04-01, John Tate j...@johntate.org wrote:

I've not used it in a while and I can't get it to run. I can't find any logging options or anything.

# vsftpd
... (It just sits there doing nothing)

How do I get it to work? I'm using the default config with only my own banner.

It is waiting for a connection (there is a config option to run it in the background). We should probably add an rc.d script to the port to make it easier.

-- www.johntate.org
Re: Can't get vsftpd to run
Nevermind, found it.

On Tue, Apr 2, 2013 at 4:45 PM, John Tate j...@johntate.org wrote:

Where do I set ports in vsftpd.conf for incoming data, I've just looked around that link you provided and I can't find the option. I can't get through to vsftpd or pure_ftpd, probably because I didn't have incoming data ports open. I can get through on localhost and my local network so I assume it's pf.

pass in on egress inet proto tcp from any to (egress) \
port 49151

I've added that line but where do I set the ports on vsftpd?

On Tue, Apr 2, 2013 at 4:30 PM, Richard Toohey richardtoo...@paradise.net.nz wrote:

On 04/02/13 18:13, John Tate wrote:

I can't find that config option.

I think Stuart is talking about the background option from here: https://security.appspot.com/vsftpd/vsftpd_conf.html

Also look at listen, etc.

For logging - log_ftp_protocol syslog_enable xferlog_enable vsftpd_log_file xferlog_file options.

On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson s...@spacehopper.org wrote:

On 2013-04-01, John Tate j...@johntate.org wrote:

I've not used it in a while and I can't get it to run. I can't find any logging options or anything.

# vsftpd
... (It just sits there doing nothing)

How do I get it to work? I'm using the default config with only my own banner.

It is waiting for a connection (there is a config option to run it in the background). We should probably add an rc.d script to the port to make it easier.

-- www.johntate.org
resize disklabel partitions and ffs filesystems
I had a problem building something in ports with a default 2.0gb /usr. I tried moving ports to /home/usr/ports to /usr/ports but I get...

Fatal: /usr/ports is a symlink. Please set to the real directory

Can I resize disklabel partitions and ffs filesystems? If I can't I'm going to have to reinstall :-(.

-- www.johntate.org
Re: Squid not working for connections from ssh-tunnel
It seems the version of squid in ports for 5.2 doesn't support SSL or doesn't support it the same way. What changed? The errors:

2013/03/16 00:33:30| The request CONNECT bitomat.pl:443 is DENIED, because it matched 'Safe_ports'
2013/03/16 00:33:30| The reply for CONNECT bitomat.pl:443 is ALLOWED, because it matched 'Safe_ports'

It only started doing this after I upgraded from 5.1 to 5.2 and rebuilt squid in ports.

On Sat, Mar 16, 2013 at 9:26 AM, Stuart Henderson s...@spacehopper.org wrote:

On 2013-03-15, John Tate j...@johntate.org wrote:

I have a server I use to serve a squid proxy only accessible via ssh tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1 to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working for ssh tunnel connections. It works for the elinks browser, but both should be from localhost and be no different as far as I know. I get these errors in the log:

[15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com CONNECT mail.google.com:443 HTTP/1.1 403 1323 - Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22 TCP_DENIED:NONE

iirc TCP_DENIED/403 is due to acl, try following this about getting some more logging: http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F

localhost can be all sorts of things: 127.0.0.1, ::1, or even some other address, depending on what's set in /etc/resolv.conf and /etc/hosts.

-- www.johntate.org
Squid not working for connections from ssh-tunnel
I have a server I use to serve a squid proxy only accessible via ssh tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1 to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working for ssh tunnel connections. It works for the elinks browser, but both should be from localhost and be no different as far as I know. I get these errors in the log:

[15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com CONNECT mail.google.com:443 HTTP/1.1 403 1323 - Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22 TCP_DENIED:NONE

My squid.conf:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 21 80
acl SSL_ports port 443
cache_mem 256 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname secusrvr.com
coredump_dir /var/squid
http_port 127.0.0.1:3128
https_port 127.0.0.1:3128 cert=/etc/ssl/private/secusrvr.com.crt key=/etc/ssl/private/server.key
logformat combined [%tl] %A %{Host}h %rm %ru HTTP/%rv %Hs %st %{Referer}h %{User-Agent}h %Ss:%Sh
access_log /var/squid/logs/access.log combined
cache_store_log /var/squid/logs/store.log
cache_log /var/squid/logs/cache.log
logfile_rotate 8
cache_dir ufs /var/squid/cache 4096 64 256

I tried googling the error and looking in the manual but still don't fully understand it.

-- www.johntate.org
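The cache.log lines quoted in the reply above ("CONNECT bitomat.pl:443 is DENIED, because it matched 'Safe_ports'") describe the line "http_access deny !Safe_ports" firing: squid evaluates http_access lines in order, the first line whose acls all match decides, and "!" negates an acl. With Safe_ports listing only 21 and 80, a CONNECT to port 443 is not a safe port, so the negated acl matches and the request is denied before "allow localhost" is ever reached. The script below is an added example, not from the thread or from squid: a deliberately small model of that evaluation order, covering only the acl types the posted config needs (src with an exact address, address/255.255.255.255 or 0.0.0.0/0.0.0.0; method; port). Other acl types never match in this model, and real squid has CIDR matching, regexes and a default for when no line matches, so treat it as a reading aid for the posted config rather than a squid replacement. The squid.conf it writes is a constructed subset of the one above with the Safe_ports list as a parameter.

```shell
#!/bin/sh
# Added example, not from the thread: a model of squid's http_access order
# (first matching line decides; a line matches only when every acl on it
# matches; "!" negates). Only src, method and port acls are understood.

squid_decide() {                # usage: squid_decide squid.conf SRC METHOD PORT
    awk -v src="$2" -v method="$3" -v port="$4" '
        function matches(name,    t, v) {
            t = type[name]; v = vals[name]
            if (t == "src")    return index(v, " " src " ") || index(v, " " src "/255.255.255.255 ") || index(v, " 0.0.0.0/0.0.0.0 ")
            if (t == "method") return index(v, " " method " ") > 0
            if (t == "port")   return index(v, " " port " ") > 0
            return 0            # proto, dst, regex acls: not modelled, never match
        }
        $1 == "acl" {           # acl NAME TYPE VALUE...; repeated names accumulate
            type[$2] = $3
            for (i = 4; i <= NF; i++) vals[$2] = vals[$2] " " $i
            vals[$2] = vals[$2] " "
        }
        $1 == "http_access" {   # http_access allow|deny ACL [!ACL ...]
            hit = 1
            for (i = 3; i <= NF; i++) {
                neg = substr($i, 1, 1) == "!"
                m = matches(neg ? substr($i, 2) : $i)
                if (neg ? m : !m) { hit = 0; break }
            }
            if (hit) { print $2 ": " $0; decided = 1; exit }
        }
        END { if (!decided) print "no http_access line matched" }' "$1"
}

make_sample_squid_conf() {      # constructed subset of the posted config; $2 = Safe_ports list
    cat > "$1" <<EOF
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port $2
acl SSL_ports port 443
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
http_access deny all
EOF
}

demo() {                        # same request against the posted list and a list that adds 443
    f=$(mktemp)
    for safe in "21 80" "21 80 443"; do
        make_sample_squid_conf "$f" "$safe"
        echo "Safe_ports = $safe: $(squid_decide "$f" 127.0.0.1 CONNECT 443)"
    done
    rm -f "$f"
}
demo
```

With the posted list the model answers "deny: http_access deny !Safe_ports" for a CONNECT to 443 from 127.0.0.1; with 443 added to Safe_ports the same request falls through "deny CONNECT !SSL_ports" (443 is an SSL port, so the negated acl does not match) and reaches "allow localhost". Keeping both lists tight is the point of the Safe_ports/SSL_ports pattern: CONNECT is only ever allowed to the ports that are both safe and meant for TLS.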
dhcpd issues with Android phone
I have an android phone that requests a lease regularly from my dhcpd server on OpenBSD 5.2 which eventually starts failing with this error in /var/log/daemon

Mar 14 21:40:42 menger dhcpd[7088]: DHCPREQUEST for 10.0.0.4 from 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:42 menger dhcpd[7088]: DHCPNAK on 10.0.0.4 to 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: DHCPDISCOVER from 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: DHCPOFFER on 10.0.0.4 to 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: Both dynamic and static leases present for 10.0.0.4.

If I remove the entry for 10.0.0.4 from /var/db/dhcpd.leases and restart it works again but only for a few hours.

lease 10.0.0.4 {
  starts 4 2013/03/14 10:08:12;
  ends 4 2013/03/14 22:08:12;
  hardware ethernet ac:81:12:98:de:f3;
  uid 01:ac:81:12:98:de:f3;
  client-hostname MURPHY;
}

I think I've done something wrong and I have very little experience with dhcpd.

-- www.johntate.org
Re: dhcpd issues with Android phone
I did exactly what you said, thanks!

On Thu, Mar 14, 2013 at 11:16 PM, Kenneth R Westerback kwesterb...@rogers.com wrote:

On Thu, Mar 14, 2013 at 09:46:04PM +1100, John Tate wrote:

I have an android phone that requests a lease regularly from my dhcpd server on OpenBSD 5.2 which eventually starts failing with this error in /var/log/daemon

Mar 14 21:40:42 menger dhcpd[7088]: DHCPREQUEST for 10.0.0.4 from 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:42 menger dhcpd[7088]: DHCPNAK on 10.0.0.4 to 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: DHCPDISCOVER from 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: DHCPOFFER on 10.0.0.4 to 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: Both dynamic and static leases present for 10.0.0.4.

If I remove the entry for 10.0.0.4 from /var/db/dhcpd.leases and restart it works again but only for a few hours.

lease 10.0.0.4 {
  starts 4 2013/03/14 10:08:12;
  ends 4 2013/03/14 22:08:12;
  hardware ethernet ac:81:12:98:de:f3;
  uid 01:ac:81:12:98:de:f3;
  client-hostname MURPHY;
}

I think I've done something wrong and I have very little experience with dhcpd.

Your /etc/dhcpd.conf file might be useful. Off the top of my head you have static leases set up in the same range as your dynamic leases.

Ken

-- www.johntate.org
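Ken's diagnosis ("static leases set up in the same range as your dynamic leases") is the condition behind the "Both dynamic and static leases present for 10.0.0.4" line: a fixed-address that lies inside a dynamic "range" can be handed out dynamically, and from then on dhcpd.leases carries a dynamic lease for an address that is also static. The script below is an added example, not from the thread or from dhcpd: it reads dhcpd.conf for "range" and "fixed-address" entries, optionally dhcpd.leases for "lease X {" blocks, and prints each fixed address that falls inside a dynamic range or already has a dynamic lease. The dhcpd.conf it writes is constructed (the thread never posted one); the lease block is the one quoted above, and the second host's MAC address is a made-up documentation value.

```shell
#!/bin/sh
# Added example, not from the thread: find fixed-address entries in dhcpd.conf
# that sit inside a dynamic range, and fixed addresses that also appear as
# dynamic leases in dhcpd.leases. Handles "range A B;" and "fixed-address X;"
# wherever they appear on a line (host blocks written on one line included).

dhcpd_lease_conflicts() {       # usage: dhcpd_lease_conflicts dhcpd.conf [dhcpd.leases]
    awk -v conf="$1" '
        function ip2n(s,    p) { split(s, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        function tok(s) { sub(/;$/, "", s); return s }
        FILENAME == conf {
            for (i = 1; i <= NF; i++) {
                if ($i == "range" && i + 2 <= NF) {
                    nr++; lo[nr] = tok($(i + 1)); hi[nr] = tok($(i + 2))
                } else if ($i == "fixed-address" && i + 1 <= NF) {
                    nf++; fixed[nf] = tok($(i + 1))
                }
            }
            next
        }
        $1 == "lease" { leased[$2] = 1 }        # dhcpd.leases: "lease 10.0.0.4 {"
        END {
            for (f = 1; f <= nf; f++) {
                for (r = 1; r <= nr; r++)
                    if (ip2n(fixed[f]) >= ip2n(lo[r]) && ip2n(fixed[f]) <= ip2n(hi[r]))
                        print fixed[f] ": fixed-address inside dynamic range " lo[r] " " hi[r]
                if (fixed[f] in leased)
                    print fixed[f] ": fixed-address also has a dynamic lease in dhcpd.leases"
            }
        }' "$@"
}

make_sample_dhcpd_conf() {      # constructed; $2 overrides the dynamic range
    cat > "$1" <<EOF
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    range ${2:-10.0.0.2 10.0.0.20};
    host murphy { hardware ethernet ac:81:12:98:de:f3; fixed-address 10.0.0.4; }
    host fekete { hardware ethernet 00:00:5e:00:53:01; fixed-address 10.0.0.30; }
}
EOF
}

make_sample_dhcpd_leases() {    # the lease block quoted in the thread
    cat > "$1" <<'EOF'
lease 10.0.0.4 {
    starts 4 2013/03/14 10:08:12;
    ends 4 2013/03/14 22:08:12;
    hardware ethernet ac:81:12:98:de:f3;
    uid 01:ac:81:12:98:de:f3;
    client-hostname "MURPHY";
}
EOF
}

demo() {
    d=$(mktemp -d)
    make_sample_dhcpd_conf "$d/dhcpd.conf"
    make_sample_dhcpd_leases "$d/dhcpd.leases"
    dhcpd_lease_conflicts "$d/dhcpd.conf" "$d/dhcpd.leases"
    rm -r "$d"
}
demo
```

On the constructed files the check reports 10.0.0.4 twice: it is inside the range 10.0.0.2 10.0.0.20 and it already has a dynamic lease. Moving the dynamic range away from every fixed address (the fix the thread ends with) clears the first line; the second clears once the stale dynamic lease expires or is removed from dhcpd.leases, which is what the poster was doing by hand.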
PHP mini_sendmail problems
I've been trying to get PHP to be able to email from a chrooted apache server. Running without chroot is not an option. I can't find clear documentation on doing this, and the logs don't contain any errors I can find about the problem. I've put mini_sendmail in /var/www/usr/sbin/sendmail and /bin/sh in /var/www/bin/sh and /etc/resolv.conf in /var/www/etc/resolv.conf but email from PHP is still not working. -- www.johntate.org
Re: PHP mini_sendmail problems
Strange port, I did make and then make install but there was no output from make install, but it seems to run anyway, but I can't find it in whereis.

# make clean
===>  Cleaning for femail-0.98
# make
===>  Verifying specs: c
===>  found c.65.0
===>  Checking files for femail-0.98
`/usr/ports/distfiles/femail-0.98.tgz' is up to date.
(SHA256) femail-0.98.tgz: OK
===>  Extracting for femail-0.98
===>  Patching for femail-0.98
===>  Configuring for femail-0.98
===>  Building for femail-0.98
cc -O2 -pipe -DHAS_FGETLN -DHAS_STRLCPY -c femail.c
cc -O2 -pipe -DHAS_FGETLN -DHAS_STRLCPY -c openbsd_compat.c
cc femail.o openbsd_compat.o -o femail
cc -static femail.o openbsd_compat.o -o femail-static
# make install
# femail j...@johntate.org
Hello, john.
# whereis femail
#

How do I put femail into my /var/www?

On Fri, Mar 15, 2013 at 5:51 AM, Alexey E. Suslikov alexey.susli...@gmail.com wrote:

John Tate john at johntate.org writes:

I've been trying to get PHP to be able to email from a chrooted apache server. Running without chroot is not an option. I can't find clear documentation on doing this, and the logs don't contain any errors I can find about the problem.

you need femail from ports.

-- www.johntate.org
Re: PHP mini_sendmail problems
I installed femail-chroot and put /usr/libexec/ld.so in /var/www/usr/libexec/ld.so and updated /etc/php-5.2.ini but it still doesn't work.

On Fri, Mar 15, 2013 at 6:14 AM, Alexey Suslikov alexey.susli...@gmail.com wrote:

On Thu, Mar 14, 2013 at 9:12 PM, Stefan Sperling s...@openbsd.org wrote:

On Thu, Mar 14, 2013 at 06:51:54PM +, Alexey E. Suslikov wrote:

John Tate john at johntate.org writes:

I've been trying to get PHP to be able to email from a chrooted apache server. Running without chroot is not an option. I can't find clear documentation on doing this, and the logs don't contain any errors I can find about the problem.

you need femail from ports.

More precisely, the femail-chroot package. And you need /usr/libexec/ld.so inside of the /var/www chroot dir. Else, femail won't run inside chroot (on 5.3, not sure if 5.2 requires this).

hmmm... older setups I have seen didn't require ld.so... why it is needed?

-- www.johntate.org
Re: PHP mini_sendmail problems
From the end of error_log:

femail: no recipients

On Fri, Mar 15, 2013 at 6:31 AM, John Tate j...@johntate.org wrote:

I installed femail-chroot and put /usr/libexec/ld.so in /var/www/usr/libexec/ld.so and updated /etc/php-5.2.ini but it still doesn't work.

On Fri, Mar 15, 2013 at 6:14 AM, Alexey Suslikov alexey.susli...@gmail.com wrote:

On Thu, Mar 14, 2013 at 9:12 PM, Stefan Sperling s...@openbsd.org wrote:

On Thu, Mar 14, 2013 at 06:51:54PM +, Alexey E. Suslikov wrote:

John Tate john at johntate.org writes:

I've been trying to get PHP to be able to email from a chrooted apache server. Running without chroot is not an option. I can't find clear documentation on doing this, and the logs don't contain any errors I can find about the problem.

you need femail from ports.

More precisely, the femail-chroot package. And you need /usr/libexec/ld.so inside of the /var/www chroot dir. Else, femail won't run inside chroot (on 5.3, not sure if 5.2 requires this).

hmmm... older setups I have seen didn't require ld.so... why it is needed?

-- www.johntate.org
Re: PHP mini_sendmail problems
It seems to be a problem with drupal, I wrote my own php script that could send mail without issues. I have no idea how such a problem is possible unless drupal doesn't use php's mail() but I can't find anyone with similar problems. I didn't notice the log entries because they don't have a timestamp and I thought they were just wrap around when I first posted here. Sorry for wasting everyone's time.

On Fri, Mar 15, 2013 at 6:57 AM, Pascal Stumpf pascal.stu...@cubes.de wrote:

On Thu, 14 Mar 2013 20:12:52 +0100, Stefan Sperling wrote:

On Thu, Mar 14, 2013 at 06:51:54PM +, Alexey E. Suslikov wrote:

John Tate john at johntate.org writes:

I've been trying to get PHP to be able to email from a chrooted apache server. Running without chroot is not an option. I can't find clear documentation on doing this, and the logs don't contain any errors I can find about the problem.

you need femail from ports.

More precisely, the femail-chroot package. And you need /usr/libexec/ld.so inside of the /var/www chroot dir.

Not any more. -static now implies -nopie when linking.

Else, femail won't run inside chroot (on 5.3, not sure if 5.2 requires this).

-- www.johntate.org
No schizophrenia
Just an idiot, Jan Stary, who turned the sentence 7 years of FreeBSD/OpenBSD experience into OpenBSD Guru. I wish I had more time and less faith in minds like hers. What an embarrassment... oh dear. She should learn to read.

I'm back, healthy as can be. I had a nice holiday.

I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU
I NEVER SAID THE WORD GURU

John Tate

-- www.johntate.org
Re: Misc Toughts
On Wed, Jan 11, 2012 at 2:33 AM, p...@bell.net wrote:

# 4 # PF: Example: Firewall for Home or Small Office

One of the stated objectives is:
- Make the ruleset as simple and easy to maintain as possible.

In the example provided, 4 macros are provided:

int_if=xl0
tcp_services={ 22, 113 }
icmp_types=echoreq
comp3=192.168.0.3

For maintenance sake, would it not be appropriate to define the other mysterious outgoing interface fxp0 as well, as declared in the following options section?

I'm the stupidest one here as I've proven over the last couple of months, and it was obvious to me that I needed to write my own.

The ruleset might suffer a little bit of complications by adding one more macro. Who knows, perhaps the fxp0 network interface does not want to get all the attention...

You don't just copy from the manuals, we are higher creatures than parrots. If you read the manual correctly, write your rules as you go, you will have a working ruleset with maybe a few typos in it. The only thing I've ever thought could be added to the examples is idiot's English so kids could join in on the rule writing. I'm kidding of course. OpenBSD just takes the right mindset, which is an independent mindset. This list is more like a support group where we remind each other to read the documentation and not be lazy.

-- www.johntate.org
Re: No schizophrenia
On Wed, Jan 11, 2012 at 12:11 PM, STeve Andre' and...@msu.edu wrote: On 01/10/12 18:19, John Tate wrote: Just an idiot, Jan Stary, who turned the sentence 7 years of FreeBSD/OpenBSD experience into OpenBSD Guru. I wish I had more time and less faith in minds like hers. What an embarrassment... oh dear. She should learn to read. I'm back, healthy as can be. I had a nice holiday. I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU John Tate John, Really--please stop trying to defend yourself like this. You aren't doing yourself any good. --STeve Yes but I just never used the word guru to describe myself - she is delusional or playing head-games. I came back after I noticed that on my own website and had a break. At the same time I was seriously considering that I might have schizophrenia or something developing because I've been getting confused by simple things and misreading manuals, etc. I was experiencing cognitive impairment, and for that I simply got abused, doubted, and ridiculed. They would do it to Theo the day after he had a stroke if it happened. It's not hard to spot someone who needs help because they're having a bad brain day rather than someone who is trying to parrot (copy paste) their way around OpenBSD. It's not gaining anyone anything, and pointless insults over things like this are a symptom of a very tragic personality disorder, narcissistic personality disorder. My theory is that some people here with good skills to boot are addicted to picking on people for their mistakes, and they call it altruism if you complain about it to hide behind a moral highground. 
This is textbook stuff folks, so read the manual on NPD, being able to detect it enables a massive gain in free personal time. All of these people, every single one, is a troll by nature. Enjoy a splendid boost in productivity by spotting this disorder and filtering them away out of sight and out of mind. I'm completely serious! I think that those with that disorder are social parasites which must be rejected. Quite frankly there is a bug left in OpenBSD, the bug up many on this list's ass. So many of you are going to die of stress-related illness because you have spaz attacks every time a lesser hacker writes anything, it's tragic and sad. It's your life god dammit, it has value! Treat your arteries better, read the manual on your bodies! This is not healthy, and every time I see it I grieve for my dead racist uncle who had a stick in his ass that he tried to remove by getting in others' business. He died of a heart attack, the punishment for not being relaxed about others. Because there are six billion people, letting people bother you is likely going to kill you because for every type of bother there are millions of people that commit them. For the love of yourself, stop killing yourselves over stress. John -- www.johntate.org
Re: No schizophrenia
Oh and I wanted to stick around to help people with pf, I'd appreciate a hand spotting a typo myself once in a while. On Wed, Jan 11, 2012 at 2:44 PM, John Tate j...@johntate.org wrote: On Wed, Jan 11, 2012 at 12:11 PM, STeve Andre' and...@msu.edu wrote: On 01/10/12 18:19, John Tate wrote: Just an idiot, Jan Stary, who turned the sentence 7 years of FreeBSD/OpenBSD experience into OpenBSD Guru. I wish I had more time and less faith in minds like hers. What an embarrassment... oh dear. She should learn to read. I'm back, healthy as can be. I had a nice holiday. I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU John Tate John, Really--please stop trying to defend yourself like this. You aren't doing yourself any good. --STeve Yes but I just never used the word guru to describe myself - she is delusional or playing head-games. I came back after I noticed that on my own website and had a break. At the same time I was seriously considering that I might have schizophrenia or something developing because I've been getting confused by simple things and misreading manuals, etc. I was experiencing cognitive impairment, and for that I simply got abused, doubted, and ridiculed. They would do it to Theo the day after he had a stroke if it happened. It's not hard to spot someone who needs help because they're having a bad brain day rather than someone who is trying to parrot (copy paste) their way around OpenBSD. It's not gaining anyone anything, and pointless insults over things like this are a symptom of a very tragic personality disorder, narcissistic personality disorder. 
My theory is that some people here with good skills to boot are addicted to picking on people for their mistakes, and they call it altruism if you complain about it to hide behind a moral high ground. This is textbook stuff folks, so read the manual on NPD, being able to detect it enables a massive gain in free personal time. All of these people, every single one, is a troll by nature. Enjoy a splendid boost in productivity by spotting this disorder and filtering them away out of sight and out of mind. I'm completely serious! I think that those with that disorder are social parasites which must be rejected. Quite frankly there is a bug left in OpenBSD, the bug up many on this list's ass. So many of you are going to die of stress-related illness because you have spaz attacks every time a lesser hacker writes anything, it's tragic and sad. It's your life god dammit, it has value! Treat your arteries better, read the manual on your bodies! This is not healthy, and every time I see it I grieve for my dead racist uncle who had a stick in his ass that he tried to remove by getting in others' business. He died of a heart attack, the punishment for not being relaxed about others. Because there are six billion people, letting people bother you is likely going to kill you because for every type of bother there are millions of people that commit them. For the love of yourself, stop killing yourselves over stress. John -- www.johntate.org -- www.johntate.org
Re: No schizophrenia
On Wed, Jan 11, 2012 at 5:02 PM, STeve Andre' and...@msu.edu wrote: On 01/10/12 22:44, John Tate wrote: On Wed, Jan 11, 2012 at 12:11 PM, STeve Andre' and...@msu.edu wrote: On 01/10/12 18:19, John Tate wrote: Just an idiot, Jan Stary, who turned the sentence 7 years of FreeBSD/OpenBSD experience into OpenBSD Guru. I wish I had more time and less faith in minds like hers. What an embarrassment... oh dear. She should learn to read. I'm back, healthy as can be. I had a nice holiday. I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU John Tate John, Really--please stop trying to defend yourself like this. You aren't doing yourself any good. --STeve Yes but I just never used the word guru to describe myself - she is delusional or playing head-games. I came back after I noticed that on my own website and had a break. At the same time I was seriously considering that I might have schizophrenia or something developing because I've been getting confused by simple things and misreading manuals, etc. I was experiencing cognitive impairment, and for that I simply got abused, doubted, and ridiculed. They would do it to Theo the day after he had a stroke if it happened. It's not hard to spot someone who needs help because they're having a bad brain day rather than someone who is trying to parrot (copy paste) their way around OpenBSD. It's not gaining anyone anything, and pointless insults over things like this are a symptom of a very tragic personality disorder, narcissistic personality disorder. My theory is that some people here with good skills to boot are addicted to picking on people for their mistakes, and they call it altruism if you complain about it to hide behind a moral high ground. 
This is textbook stuff folks, so read the manual on NPD, being able to detect it enables a massive gain in free personal time. All of these people, every single one, is a troll by nature. Enjoy a splendid boost in productivity by spotting this disorder and filtering them away out of sight and out of mind. I'm completely serious! I think that those with that disorder are social parasites which must be rejected. Quite frankly there is a bug left in OpenBSD, the bug up many on this list's ass. So many of you are going to die of stress-related illness because you have spaz attacks every time a lesser hacker writes anything, it's tragic and sad. It's your life god dammit, it has value! Treat your arteries better, read the manual on your bodies! This is not healthy, and every time I see it I grieve for my dead racist uncle who had a stick in his ass that he tried to remove by getting in others' business. He died of a heart attack, the punishment for not being relaxed about others. Because there are six billion people, letting people bother you is likely going to kill you because for every type of bother there are millions of people that commit them. For the love of yourself, stop killing yourselves over stress. John And you have just dug a deeper hole. That was private email that I sent, not that I mind--I stand behind the things I say. But you are making it clear that you don't get it. Strawman! I'm making it clear that I don't give a hoot. --STeve Andre' -- www.johntate.org
Re: What is wrong with this pf config
Now you can all laugh at me! After fixing this one, and getting everything working on my second attempt from scratch I forgot to put 'block in all' so if you portscanned me just an hour ago I had EVERYTHING open. I used nmap on myself from my virtual private server. Oh shame. So I have a suggestion worth considering, if the line 'block in all' does not appear pfctl -nf should perhaps spit out a warning. Much like you've done with your pretty compilers over there. The third attempt sure is nice though...

int_if=xl0
ext_if=pppoe0
mod_if=fxp0
thenetwrk=10.0.0.0/8
rothbard=10.0.0.10
baal=10.0.0.2
smass=10.0.0.1
tcp_services = {22}
icmp_types = echoreq
ports_rothbard = {17000,17001,17002,17003,17004,17005,2322}
ports_smass = {17100,17101,17102,17103,17104,17105,}

set block-policy return #This might perform better as drop.
set loginterface $ext_if
set skip on lo
set skip on $mod_if #lets anything chat with the modem.

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

match out on $ext_if from $int_if:network to any nat-to ($ext_if)

block in
pass out quick

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to (egress) \
    port $tcp_services
pass in on egress inet proto tcp from any to (egress) \
    port $ports_rothbard rdr-to $rothbard
pass in on egress inet proto tcp from any to (egress) \
    port $ports_smass rdr-to $smass

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- www.johntate.org
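The warning suggested in the post above, implemented as a separate pre-check rather than inside pfctl. This is an added example written for this thread, not code from the post or from OpenBSD: a POSIX sh script that scans a pf.conf for an unrestricted inbound block rule and warns when none is present, so that a forgotten default deny is caught before the ruleset is loaded. Because it runs before pfctl -nf, pfctl's own behaviour and exit status are unchanged. The function names, the script name and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: warn when a pf.conf has no
# unrestricted inbound "block" rule (no default deny).  Run it before
# "pfctl -nf" so pfctl's own behaviour and exit status stay as they are.
# Function names and paths are assumptions made for this example.

# pf_default_block FILE
# Returns 0 when FILE contains a block rule that applies to all inbound
# traffic ("block", "block all", "block in", "block drop log quick", ...),
# 1 otherwise.  Comments, blank lines and backslash continuations are
# handled.  Macros are not expanded, so "block in on $ext_if" counts as a
# restricted rule; so does "block in from any to any", which is the
# conservative direction for a lint (a warning, never a silent pass).
pf_default_block() {
    awk '
        { sub(/#.*/, "") }                                  # strip comments
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }  # join continued lines
        { line = buf $0; buf = "" }
        {
            n = split(line, w, /[ \t]+/)
            i = 1
            while (i <= n && w[i] == "") i++                # leading blanks give an empty field
            if (i > n || w[i] != "block") next
            ok = 1; covers_in = 1
            for (j = i + 1; j <= n; j++) {
                t = w[j]
                if (t == "" || t == "all" || t == "quick" || t == "log" ||
                    t == "drop" || t == "return" || t == "in") continue
                if (t == "out") { covers_in = 0; continue } # outbound only: not a default deny
                ok = 0; break                               # any other token restricts the rule
            }
            if (ok && covers_in) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# pf_check FILE: print the warning the post asks pfctl for, as its own step,
# and return 1 so a deploy script can stop before loading the ruleset.
pf_check() {
    if pf_default_block "$1"; then
        echo "$1: unrestricted inbound block rule found"
        return 0
    fi
    echo "warning: $1 has no unrestricted 'block in' rule;" \
         "traffic matching no rule is passed by default" >&2
    return 1
}

# Usage (assumed script name): sh pf_lint.sh /etc/pf.conf && pfctl -nf /etc/pf.conf
if [ -n "${1:-}" ]; then
    pf_check "$1" || exit 1
fi
```

The check is deliberately narrow: it recognises only the bare forms of a catch-all block rule, so anything it cannot classify produces a warning rather than a silent pass, and the real syntax check is still left to pfctl -nf.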
Re: What is wrong with this pf config
It's just whining! Perhaps it should only do it if it has an Internet IP address not a LAN or WAN one involved. On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson icepic...@gmail.com wrote: 2011/12/11 John Tate j...@johntate.org So I have a suggestion worth considering, if the line 'block in all' does not appear pfctl -nf should perhaps spit out a warning. Much like you've done with your pretty compilers over there. There are still lots of reasons to run PF even if you don't want 'block in all' for a default, so whining on all the other uses you couldn't imagine would not be very productive. -- To our sweethearts and wives. May they never meet. -- 19th century toast -- www.johntate.org
Re: What is wrong with this pf config
I am not replying to every thread on the list. You either have me confused with someone else or there is some kind of imposter or person with a similar name. I'm confused I should say. This was something constructive to say regardless, it was an idea. I remember last time I was using OpenBSD (I had a hiatus) and mmap changes broke a lot of ports. There is supposed to be an emphasis on security, not your scripts. OpenBSD warns about mistakes, it emails you about your mistakes, and it could point out this mistake as well. On Mon, Dec 12, 2011 at 5:55 AM, James Shupe jsh...@osre.org wrote: No. Modifying a general purpose tool for a specific (albeit common) use case is stupid. Any properly implemented warning would cause pfctl to exit non-zero, which would break automated scripts that check the exit code of pfctl. You would have to add a whole new option to ignore your specific use case, and even that would require modifying existing scripts. I wish they would ban you from this list already. I'm sick of seeing your reply to every thread when you never have anything constructive to say. I am not replying to every thread on the list. You either have me confused with someone else or there is some kind of imposter or person with a similar name. I'm confused I should say. This was something constructive to say regardless, it was an idea. I remember last time I was using OpenBSD (I had a hiatus) and mmap changes broke a lot of ports. There is supposed to be an emphasis on security, not your scripts. OpenBSD warns about mistakes, it emails you about your mistakes, and it could point out this mistake as well. Perhaps it could be for security(8) to do instead actually. I don't know, I didn't design the fucking system, it was just a suggestion. On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote: It's just whining! Perhaps it should only do it if it has an Internet IP address not a LAN or WAN one involved. 
On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson icepic...@gmail.com wrote: 2011/12/11 John Tate j...@johntate.org So I have a suggestion worth considering, if the line 'block in all' does not appear pfctl -nf should perhaps spit out a warning. Much like you've done with your pretty compilers over there. There are still lots of reasons to run PF even if you don't want 'block in all' for a default, so whining on all the other uses you couldn't imagine would not be very productive. -- To our sweethearts and wives. May they never meet. -- 19th century toast -- www.johntate.org
Jan
I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here, I'll put this on the list. I am John Norman Tate born September 1987 to two loving parents and the only part of OpenBSD I think I am good with is using it in accordance with the manuals when I read them properly. I also understand the security principles pretty well, I've read Hacking: The Art of Exploitation and understood its content. I trust OpenBSD like a man of faith trusts his religion's guidance. I think that pisses you off, but you've imagined everything else. I keep saying: I am learning, not learned. You're just trying to assassinate my character by making arbitrary claims you hope others will not check! It will not work. -- www.johntate.org
Re: Jan
In other words: stop wasting your breath, I'm never leaving. If they kick me out, well, I'll use seven proxies! On Mon, Dec 12, 2011 at 9:17 AM, John Tate j...@johntate.org wrote: I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here, I'll put this on the list. I am John Norman Tate born September 1987 to two loving parents and the only part of OpenBSD I think I am good with is using it in accordance with the manuals when I read them properly. I also understand the security principles pretty well, I've read Hacking: The Art of Exploitation and understood its content. I trust OpenBSD like a man of faith trusts his religion's guidance. I think that pisses you off, but you've imagined everything else. I keep saying: I am learning, not learned. You're just trying to assassinate my character by making arbitrary claims you hope others will not check! It will not work. -- www.johntate.org -- www.johntate.org
Re: Jan
Whoops, I hate gmail sometimes. That was for Jan On Mon, Dec 12, 2011 at 9:21 AM, John Tate j...@johntate.org wrote: In other words: stop wasting your breath, I'm never leaving. If they kick me out, well, I'll use seven proxies! On Mon, Dec 12, 2011 at 9:17 AM, John Tate j...@johntate.org wrote: I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here, I'll put this on the list. I am John Norman Tate born September 1987 to two loving parents and the only part of OpenBSD I think I am good with is using it in accordance with the manuals when I read them properly. I also understand the security principles pretty well, I've read Hacking: The Art of Exploitation and understood its content. I trust OpenBSD like a man of faith trusts his religion's guidance. I think that pisses you off, but you've imagined everything else. I keep saying: I am learning, not learned. You're just trying to assassinate my character by making arbitrary claims you hope others will not check! It will not work. -- www.johntate.org -- www.johntate.org -- www.johntate.org
Re: Jan
I will also add that if I am asking stupid questions then by axiom (look it up in a dictionary) I AM SAYING I AM LEARNING. You tool! On Mon, Dec 12, 2011 at 9:17 AM, John Tate j...@johntate.org wrote: I never claimed to be an OpenBSD guru. Ever. I am an OpenBSD n00b. Here, I'll put this on the list. I am John Norman Tate born September 1987 to two loving parents and the only part of OpenBSD I think I am good with is using it in accordance with the manuals when I read them properly. I also understand the security principles pretty well, I've read Hacking: The Art of Exploitation and understood its content. I trust OpenBSD like a man of faith trusts his religion's guidance. I think that pisses you off, but you've imagined everything else. I keep saying: I am learning, not learned. You're just trying to assassinate my character by making arbitrary claims you hope others will not check! It will not work. -- www.johntate.org -- www.johntate.org
Re: What generates the OpenBSD page?
Is it info2www being used? On Sat, Dec 10, 2011 at 2:21 PM, Richard Toohey richardtoo...@paradise.net.nz wrote: On 10/12/2011, at 3:02 PM, John Tate wrote: I am wondering what software if any generates the OpenBSD and similar websites. It appears to be a static page generated by some software, that software doesn't seem to be mentioned. What is it? Or is it just hand made? You might find some answers here http://www.openbsd.org/cgi-bin/cvsweb/www/ John Tate -- www.johntate.org -- www.johntate.org
Re: What generates the OpenBSD page?
Where did I state I think I am a genius? I want an actual quote, nothing less. Your grammar indicates rage rather than humor. My actual expertise is philosophy and psychology, you have narcissistic personality disorder. That is what the world calls it. In Objectivism, we call it misplaced self-esteem. Now where exactly did I say I was a genius? I mean, I have some genius, but I'm a C-naive lover of OpenBSD - I'm a Redstone genius. I wouldn't mind a ports-related project to prove myself with. I've not tried to prove anything. I've not been cocky. I've not been anything but inquisitive and curious. John On Sat, Dec 10, 2011 at 7:03 PM, Eric Furman ericfur...@fastmail.net wrote: The only reason I haven't added you to my kill file is your questions and responses are sooo idiotically moronic that you are hilarious! You are so fucking stupid you are falling down hilarious. What makes it even more funny is how smart you think you are! LMFAO! God, if I had a nickel for every fucking retard like you I've met that thought that they were a genius Oh yea, I sent this to the list also to humiliate you. Please keep posting though, you really crack me up. On Sat, Dec 10, 2011, at 06:15 PM, John Tate wrote: No, I'm an idiot. Not kidding at all. Is that a yes for Or is it just hand made? On Sat, Dec 10, 2011 at 2:31 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: I am wondering what software if any generates the OpenBSD and similar websites. It appears to be a static page generated by some software, that software doesn't seem to be mentioned. What is it? Or is it just hand made? Are you kidding? -- www.johntate.org -- www.johntate.org
Re: What generates the OpenBSD page?
On Sat, Dec 10, 2011 at 11:42 PM, richo ri...@psych0tik.net wrote: On 10/12/11 23:34 +1100, John Tate wrote: On Sat, Dec 10, 2011 at 7:03 PM, Eric Furman ericfur...@fastmail.net wrote: The only reason I haven't added you to my kill file is your questions and responses are sooo idiotically moronic that you are hilarious! You are so fucking stupid you are falling down hilarious. What makes it even more funny is how smart you think you are! LMFAO! God, if I had a nickel for every fucking retard like you I've met that thought that they were a genius Oh yea, I sent this to the list also to humiliate you. Please keep posting though, you really crack me up. Where did I state I think I am a genius? I want an actual quote, nothing less. Your grammar indicates rage rather than humor. My actual expertise is philosophy and psychology, you have narcissistic personality disorder. That is what the world calls it. In Objectivism, we call it misplaced self-esteem. Now where exactly did I say I was a genius? I mean, I have some genius, but I'm a C-naive lover of OpenBSD - I'm a Redstone genius. I wouldn't mind a ports-related project to prove myself with. I've not tried to prove anything. I've not been cocky. I've not been anything but inquisitive and curious. John You throw the words hacker and guru about in relation to yourself a lot on your blog, in the world of FOSS they translate fairly literally to genius, or potentially represent a subset thereof. I am a guru of Linux systems with an immense respect for OpenBSD. Stay off my website, I wish I could make it Objectivists only, because what you are all doing is a STRAWMAN of my blog. I did not intend for it to be that way, you had to, in your words *translate*. In my words that means strawman. Don't enter a logical debate with me. I am not interested. While I don't necessarily support the personal attacks, I can't say I totally disagree with the vibe of it. 
Please don't presume to psycho-analyse members of the list, and please develop some modesty. If you want hand holding and someone to explain something which is already documented, I would recommend one of the more newbie-friendly Linuxes. -- richo || Today's excuse: The vendor put the bug there. http://blog.psych0tik.net -- www.johntate.org
Re: What generates the OpenBSD page?
On Sun, Dec 11, 2011 at 12:04 AM, richo ri...@psych0tik.net wrote: On 10/12/11 23:56 +1100, John Tate wrote: On Sat, Dec 10, 2011 at 11:42 PM, richo ri...@psych0tik.net wrote: While I don't necessarily support the personal attacks, I can't say I totally disagree with the vibe of it. Please don't presume to psycho-analyse members of the list, and please develop some modesty. If you want hand holding and someone to explain something which is already documented, I would recommend one of the more newbie-friendly Linuxes. I am a guru of Linux systems with an immense respect for OpenBSD. Stay off my website, I wish I could make it Objectivists only, because what you are all doing is a STRAWMAN of my blog. I did not intend for it to be that way, you had to, in your words translate. In my words that means strawman. Don't enter a logical debate with me. I am not interested. Please don't top post. It makes it hard to read. If you must top post, please post at the top of the message and not randomly halfway through. It makes it impossible to read and a pain to fix (which I have done again). The terms guru, hacker and wizard are not generally applied to oneself. There aren't many people I'd take seriously when they claimed it; and you're not one of them. A cursory Google suggests that you've never written anything, so you'll forgive my doubts. Similarly, unless you're planning a one line post with links to what you've written, I'm uninterested in this debate. Demanding that I stay off your website, and then suggesting that you wish you could make it accessible only to people who share your world view is in my opinion retarded. I'm not convinced you really understand what freedom is. In the name of helping the fellow man though, I recommend disconnecting that machine from the internet immediately and mailing hardcopies of its source to parties you approve though, ideally encrypted such that character assassins such as myself can't get hold of its content in transit. 
Finally, screaming strawman to redirect an argument away from its original point is delightfully poetic, but ultimately stupid. If people on the list repeatedly take issue with your posts, it stands to reason that there is an issue with your posts. If the people of the list are disconnected from the abstract concept of people as in groups of people, and considered individuals - then actually I'm having a good time because actually most of the messages are not that bad, some are helpful, and some like this thread are a little humiliating. Some modesty would do you well, and unless you can populate 5 points of reference that you've read thoroughly in the footer of an "I need help" or "how does this work" post, I would suggest that you have some more reading to do. Not a bad idea actually, but I do look around but you only have my word. richo -- richo || Today's excuse: monitor resolution too high http://blog.psych0tik.net Psychosis is a terrible illness. -- www.johntate.org
Re: What generates the OpenBSD page?
A simple Google of your email address shows something extremely humiliating. You know as little as I do! -- Forwarded message -- From: Eric Furman ericfur...@fastmail.net Date: Sat, Dec 10, 2011 at 7:03 PM Subject: Re: What generates the OpenBSD page? To: John Tate j...@johntate.org, OpenBSD Misc misc@openbsd.org The only reason I haven't added you to my kill file is your questions and responses are sooo idiotically moronic that you are hilarious! You are so fucking stupid you are falling down hilarious. What makes it even more funny is how smart you think you are! LMFAO! God, if I had a nickel for every fucking retard like you I've met that thought that they were a genius Oh yea, I sent this to the list also to humiliate you. Please keep posting though, you really crack me up. On Sat, Dec 10, 2011, at 06:15 PM, John Tate wrote: No, I'm an idiot. Not kidding at all. Is that a yes for Or is it just hand made? On Sat, Dec 10, 2011 at 2:31 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: I am wondering what software if any generates the OpenBSD and similar websites. It appears to be a static page generated by some software, that software doesn't seem to be mentioned. What is it? Or is it just hand made? Are you kidding? -- www.johntate.org -- www.johntate.org
Re: What generates the OpenBSD page?
On Sun, Dec 11, 2011 at 5:06 AM, Nomen Nescio nob...@dizum.com wrote: Oh man, you are drastically reducing the average intelligence of any group you join. But I liked this admission on your blog: Just for the record, I make no illusions about being a complete jerk. Nor have I ever tried to be nice to a stranger once in my life, unless it was a homeless person who could buy me alcohol or cigarettes as a teenager. I am a callous, rude, and unforgiving person. To the accusations against me I will plead: guilty as charged. I am an arsehole. Source: http://old.johntate.org/node/316?page=1 Considering that you proudly admit to being an asshole, with zero consideration for your fellow man, don't you think that you are sometimes expecting too much from others? You asshole! John Tate j...@johntate.org wrote: Where did I state I think I am a genius? I want an actual quote, nothing less. Your grammar indicates rage rather than humor. My actual expertise is philosophy and psychology, you have narcissistic personality disorder. That is what the world calls it. In Objectivism, we call it misplaced self-esteem. [snip] You are projecting, you really are the one with the most obvious disorders on this list. And although I can't bring myself to read through the diarrhea on your site, it seems that the majority of your philosophy posts are about bashing an Objectivist Ph.D in philosophy. Your level is ...? And yet you pretend to speak for Objectivists. Please don't think this guy understands Objectivism better than he understands OpenBSD, C++, psychology, or anything. Why is it so important that you must plead the list for this? You are a people-obsessed loser. -- www.johntate.org
Re: Mplayer vo on loongson, change resolution
On Fri, Dec 9, 2011 at 4:34 AM, alies pub...@omega.hopto.org wrote: Hello What mplayer -vo I need to use for best performance in loongson Yeeloong netbook? Can I use full fullscreen in mplayer? What about sdl games (quake, doom etc), can I change resolution? I could change resolution with OpenBSD 5.0 in Openarena (Quake III Arena with community-made textures and stuff) but for whatever reason (probably OpenBSD's crazy mmap() - because I had direct rendering) it was incredibly laggy and unplayable. If OpenBSD was more popular it might have games written for it, since it's far less of a moving target for developers than most Linux distros. -- www.johntate.org
What generates the OpenBSD page?
I am wondering what software if any generates the OpenBSD and similar websites. It appears to be a static page generated by some software, that software doesn't seem to be mentioned. What is it? Or is it just hand made? John Tate -- www.johntate.org
Re: ALIX 2 Hangs on boot at date/time
In single user mode you often need to mount some partitions, and remount root as read-write to do much of anything. # mount -o rw / and # mount -o rw /usr and so on for anything else you need. vi I believe resides in /usr so you will need to mount that partition. If it's not that, your system is screwed and you need to reinstall. On Sat, Dec 10, 2011 at 12:31 PM, Dave Beckstrom db...@atving.com wrote: David, Thanks for the suggestion. I'm 99% of the way there. Basically all I need to do is edit /etc/ttys to configure something like: tty00 /usr/libexec/getty std.38400 vt220 on secure and I'll be all set. I've discovered that I can boot into single user mode. That leaves me at the sh# shell. But I haven't had success at remounting root as read write yet. Basic commands like ls don't even work. Not doing something right. Can't get an editor to run either (it doesn't find vi). If I can't solve this I'll go the PXE route. Not quite ready to give up yet. If anything, it's a good learning process. :) Thanks, Dave -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of David Walker Sent: Friday, December 09, 2011 3:07 PM To: misc@openbsd.org Subject: [SPAM]- Score (15)Re: ALIX 2 Hangs on boot at date/time Get an old PC or somesuch, run tftp and install directly onto the ALIX via ethernet. See here: http://www.openbsd.org/faq/faq6.html#PXE Problem(s) solved. Best wishes. -- www.johntate.org
Re: What generates the OpenBSD page?
No, I'm an idiot. Not kidding at all. Is that a yes for Or is it just hand made? On Sat, Dec 10, 2011 at 2:31 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: I am wondering what software if any generates the OpenBSD and similar websites. It appears to be a static page generated by some software, that software doesn't seem to be mentioned. What is it? Or is it just hand made? Are you kidding? -- www.johntate.org
OpenBSD PF tables
Misc, I have successfully got an OpenBSD machine to connect via ADSL and forward packets, I am gradually upgrading my pf.conf. I am having trouble with this configuration (ignore some obvious bugs related to table names where tables are defined and the rules I have seen them). At the moment I am working on doing some things as tables. I want tables to hold the ports, but it appears perhaps they can only hold IP addresses. The following tables do not work from line 10-11... table <etcpserv> { 22 } table <itcpserv> { 22, 53 } The whole thing is here: http://pastebin.com/VuLNW9Ph John Tate -- www.johntate.org
Re: OpenBSD PF tables
Is there a way to have it so I can add ports from the command line if I can't use tables? On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler phess...@theapt.org wrote: Yes, tables in PF only support IP addresses. On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote: :At the moment I am working on doing some things as tables. I want tables to :hold the ports, but it appears perhaps they can only hold IP addresses. The :following tables do not work from line 10-11... -- Renning's Maxim: Man is the highest animal. Man does the classifying. -- www.johntate.org
Re: OpenBSD PF tables
Is there a way to control ports on a filter from the command line? I guess I just have to manually add and delete rules. On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera andre...@zoho.com wrote: the documentation is pretty clear by saying that tables can only hold addresses, not a random set of numbers On Thu, Dec 8, 2011 at 6:41 AM, John Tate j...@johntate.org wrote: Misc, I have successfully got an OpenBSD machine to connect via ADSL and forward packets, I am gradually upgrading my pf.conf. I am having trouble with this configuration (ignore some obvious bugs related to table names where tables are defined and the rules I have seen them). At the moment I am working on doing some things as tables. I want tables to hold the ports, but it appears perhaps they can only hold IP addresses. The following tables do not work from line 10-11... table <etcpserv> { 22 } table <itcpserv> { 22, 53 } The whole thing is here: http://pastebin.com/VuLNW9Ph John Tate -- www.johntate.org -- www.johntate.org
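An added example for the question running through this thread (the original post asking for tables of ports, and the follow-up asking to control ports from the command line); it is not code from the posts or from OpenBSD. Tables hold addresses only, so the port list is kept in a plain file and regenerated into a named pf anchor, which pfctl reloads from the command line without touching the main ruleset. The anchor name services, the file /etc/pf.services and its line format "proto port [rdr-to address]" are assumptions; the main pf.conf must carry an anchor "services" line where these rules are to be evaluated.

```shell
#!/bin/sh
# Added example, not code from the thread.  pf tables hold addresses only, so
# the list of open ports lives in a plain file and is regenerated into a named
# anchor; "pfctl -a ANCHOR -f -" replaces only that anchor's rules and leaves
# the main ruleset alone.  The main /etc/pf.conf must contain the line
#     anchor "services"
# at the point where these rules should be evaluated.  The anchor name, the
# file path and the "proto port [rdr-to-address]" line format are assumptions.

PORTS_FILE=${PORTS_FILE:-/etc/pf.services}
ANCHOR=${ANCHOR:-services}

# gen_port_rules FILE: print one pass rule per valid line of FILE.
# Lines look like "tcp 22" or "tcp 17000 10.0.0.10"; the third field adds a
# rdr-to, the same shape as the per-host port lists in the earlier ruleset.
# Blank lines and # comments are skipped; malformed lines are reported on
# stderr and skipped, so a typo never becomes a loaded rule.
gen_port_rules() {
    awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        {
            err = ""
            if ($1 != "tcp" && $1 != "udp")
                err = "protocol must be tcp or udp"
            else if ($2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535)
                err = "bad port"
            else if (NF == 3 && $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                err = "bad rdr-to address"
            else if (NF > 3)
                err = "too many fields"
            if (err != "") {
                printf "line %d: %s: %s\n", NR, err, $0 > "/dev/stderr"
                next
            }
            rule = sprintf("pass in on egress inet proto %s from any to (egress) port %s", $1, $2)
            if (NF == 3) rule = rule " rdr-to " $3
            print rule
        }
    ' "$1"
}

# load_port_rules: replace the anchor contents from the file in one step.
# "pfctl -a services -sr" afterwards shows exactly what is loaded.
load_port_rules() {
    gen_port_rules "$PORTS_FILE" | pfctl -a "$ANCHOR" -f -
}

# add_port PROTO PORT [ADDRESS]: append one line and reload the anchor.
add_port() {
    printf '%s %s %s\n' "$1" "$2" "${3:-}" | sed 's/ *$//' >> "$PORTS_FILE" &&
        load_port_rules
}
```

Regenerating the whole anchor each time is what avoids the manual add-and-delete the last post resigns itself to: the file is the single source of truth, the anchor load is atomic, and a bad line is rejected before pfctl ever sees it.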