Re: Firewall setup
This is my dmesg, if anyone is interested:

  OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
      r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
  real mem = 4047122432 (3859MB)
  avail mem = 3904729088 (3723MB)
  random: good seed from bootblocks
  mpath0 at root
  scsibus0 at mpath0: 256 targets
  mainbus0 at root
  bios0 at mainbus0: SMBIOS rev. 3.3 @ 0x74c77000 (117 entries)
  bios0: vendor American Megatrends International, LLC. version "JK4LV105" date 08/31/2022
  bios0: Default string Default string
  efi0 at bios0: UEFI 2.7
  efi0: American Megatrends rev 0x50013
  acpi0 at bios0: ACPI 6.2
  acpi0: sleep states S0 S3 S4 S5
  acpi0: tables DSDT FACP MCFG FIDT SSDT SSDT SSDT HPET APIC PRAM SSDT SSDT NHLT LPIT SSDT SSDT DBGP DBG2 DMAR SSDT TPM2 WSMT FPDT
  acpi0: wakeup devices PEGP(S4) PEGP(S4) PEGP(S4) PEGP(S4) SIO1(S3) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) [...]
  acpitimer0 at acpi0: 3579545 Hz, 24 bits
  acpimcfg0 at acpi0
  acpimcfg0: addr 0xc000, bus 0-255
  acpihpet0 at acpi0: 1920 Hz
  acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
  cpu0 at mainbus0: apid 0 (boot processor)
  cpu0: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 2424
  cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
  cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
  cpu0: smt 0, core 0, package 0
  mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
  cpu0: apic clock running at 38MHz
  cpu0: mwait min=64, max=64, C-substates=0.2.0.2.2.1.1.1, IBE
  cpu1 at mainbus0: apid 2 (application processor)
  cpu1: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 2424
  cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
  cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
  cpu1: smt 0, core 1, package 0
  cpu2 at mainbus0: apid 4 (application processor)
  cpu2: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.96 MHz, 06-9c-00, patch 2424
  cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
  cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
  cpu2: smt 0, core 2, package 0
  cpu3 at mainbus0: apid 6 (application processor)
  cpu3: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.95 MHz, 06-9c-00, patch 2424
  cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
  cpu3: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
  cpu3: smt 0, core 3, package 0
  ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
  acpiprt0 at acpi0: bus 0 (PC00)
  acpiprt1 at acpi0: bus -1 (RP01)
  acpiprt2 at acpi0: bus -1 (RP02)
  acpiprt3 at acpi0: bus 1 (RP03)
  acpiprt4 at acpi0: bus -1 (RP04)
  acpiprt5 at acpi0: bus 2 (RP05)
  acpiprt6 at acpi0: bus 3 (RP06)
  acpiprt7 at acpi0: bus 4 (RP07)
  acpiprt8 at acpi0: bus 5 (RP08)
  acpiprt9 at acpi0: bus -1 (RP09)
  acpiprt10 at acpi0: bus -1 (RP10)
  acpiprt11 at acpi0: bus -1 (RP11)
  acpiprt12 at acpi0
Re: Firewall setup
First and most importantly, I would like to apologize to anyone who was disturbed by my conversation. It is not my intention to offend people. I may be curt, but that's not because it's in my character. In daily life I work with electronics and computers and am much less familiar with networks. I don't need this knowledge for what I do in daily life. It is therefore difficult for me to estimate what is important to link back to this mailing list. So if I am curt, please try to remember that it is not intentional, but a matter of lack of knowledge. Again, I don't want to hurt anyone.

Second, the firewall. This is set up as a bridge with the following hardware: https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1. The Ethernet connections ETH1 ... ETH4 are translated by OpenBSD to igc0 ... igc3. Connection igc0 is the input that goes to the ISDN modem, and igc1 and igc2 are the two outputs that go to the internal network. These two connections are more flexible for the underlying network. This makes it possible to connect two different networks, if desired, albeit with one and the same IP range (192.168.2.0/24), or two different networks, if so configured. So two possibilities (which is best?). So there is no need to use two connections at the same time, although this should be possible.

Finally, connection igc3. This is given the IP address 192.168.2.252, because it is intended for remote administration, including upgrades. This connection will therefore not be part of the firewall bridge, and will therefore not appear in pf.conf.

The internal network consists mainly of regular clients, so no email, web or name servers. These clients will work with Linux, Mac OS X, or OpenBSD, but not Windows, but there will be a small file server or NAS. This file server or NAS is only intended for the clients in the network and has no connection to the internet.

For now it is important to get ping and traceroute working properly, after which work on normal internet traffic can be started. What I'm wondering is whether I need NAT for my firewall configuration. This is my plan for my firewall. It seems to me that there are much more difficult configurations than this one. I hope there are still people who are willing to help me.

On 16-04-2024 at 07:24, Peter N. M. Hansteen wrote:
> I give up.
>
> The obviously incomplete, hand edited ifconfig output shows three interfaces that are (or appear to be, judging from the excerpts that we are given) not configured with IP addresses, two of which have a link, while the last does not. For reasons unknown these three are joined in a three-way bridge.
>
> From the tiny crumbs of information you have deigned to reveal to us, it is not at all clear what it is you are trying to achieve. That this configuration does not do anything useful is however no surprise at all.
>
> Once you can describe what it is your Rube Goldberg contraption is supposed to do, competent people here might offer some advice on how to make things work properly. Until that happens, I for one will simply ignore anything from that source.
Re: Firewall setup
On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:
> On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
>> This gives the following error messages when booting:
>>   no IP address found for igc1:network
>>   /etc/pf.conf:41: could not parse host specification
>>   no IP address found for igc2:network
>>   /etc/pf.conf:42: could not parse host specification
>
> This sounds to me like those interfaces either do not exist or have not been correctly configured. Are those interfaces configured, as in do they have IP addresses? The output of ifconfig igc1 and ifconfig igc2 will show you.

Output from ifconfig igc0:
  igc0: flags=8b43 mtu 1500
          lladdr 7c:2b:e1:13:dd:f4
          index 1 priority 0 llprio 3
          media: Ethernet autoselect (1000baseT full-duplex)
          sratus: active

Output from ifconfig igc1:
  igc1: flags=8b43 mtu 1500
          lladdr 7c:2b:e1:13:dd:f5
          index 2 priority 0 llprio 3
          media: Ethernet autoselect (1000baseT full-duplex)
          sratus: active

Output from ifconfig igc2:
  igc2: flags=8b43 mtu 1500
          lladdr 7c:2b:e1:13:dd:f6
          index 3 priority 0 llprio 3
          media: Ethernet autoselect (none)
          status: no carrier

/etc/hostname.bridge0:
  add igc0
  add igc1
  add igc2
  blocknonip igc0
  blocknonip igc1
  blocknonip igc2
  up

/etc/hostname.igc0:
  up

/etc/hostname.igc1:
  up

/etc/hostname.igc2:
  up
Re: Firewall setup
That's a possibility I hadn't thought of yet. But how do I do that, and on which page can I find that in your book?

On 15-04-2024 at 22:17, Peter N. M. Hansteen wrote:
> The other option - if your network layout is such that it makes sense to treat them to the same rule criteria - would be to make an interface group with both interfaces as members, then use the interface group name in your rules.
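The interface group Peter suggests here, combined with the bridge layout Karel describes in the newest message of this thread (igc0 towards the modem, igc1 and igc2 towards the LAN, igc3 as the management port at 192.168.2.252) and the DNS, traceroute and martians-as-a-table advice given further down, would give a ruleset along the following lines. This is an added example, not Karel's file and not taken from The Book of PF; the group name lan, the service list in client_out, the DHCP rule, the ICMP type selection and the commented-out NAT line are assumptions made for the example.

```pf
# Added example pf.conf for the bridge described in the thread. Assumptions:
# igc0 faces the modem, igc1 and igc2 are both members of the interface
# group "lan", igc3 is the management port, and the LAN is 192.168.2.0/24.
ext_if      = "igc0"
mgmt_if     = "igc3"
localnet    = "192.168.2.0/24"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"      # resolvers quoted in the thread
client_out  = "{ ssh, http, https }"                # TCP services clients may reach
icmp_types  = "{ echoreq, echorep, unreach, timex }"
icmp6_types = "{ echoreq, echorep, unreach, timex, neighbrsol, neighbradv }"

# Bogon ranges as a table, so they are referenced as <martians>, never as
# $martians.  192.168.0.0/16 is deliberately absent: the LAN itself, and
# on a bridge the modem's LAN address too, live inside that range.
table <martians> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
                         169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

set block-policy drop        # pf's default: discard silently
set skip on lo

match in all scrub (no-df max-mss 1440)

# Default deny in both directions; "log" sends every decision to pflog0.
block log all

# Bogon sources must not arrive from the modem side, nor be sent towards it.
block in  quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>

# ICMP for ping, and the "time exceeded"/"unreachable" replies traceroute
# and path MTU discovery depend on.  No "on" keyword: it needs an interface.
pass log inet  proto icmp  icmp-type  $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types

# Name resolution (UDP/TCP 53 and DNS over TLS on 853) only to the chosen
# resolvers, entering on either LAN member via the interface group.
pass log in on lan inet proto { tcp, udp } from $localnet \
    to $nameservers port { domain, 853 }

# Ordinary client traffic and NTP from the LAN.
pass log in on lan inet proto tcp from $localnet to port $client_out
pass log in on lan inet proto udp from $localnet to port ntp

# UDP probes sent by traceroute(8): base 33434, 64 hops x 3 queries.
pass log in on lan inet proto udp from $localnet to port 33434:33625

# Assumed: the modem hands out leases, so DHCP requests (source 0.0.0.0)
# must be allowed in from the LAN side explicitly.
pass in on lan inet proto udp from port bootpc to port bootps

# Management: SSH to the admin port, from the LAN range only.
pass in on $mgmt_if inet proto tcp from $localnet to ($mgmt_if) port ssh

# Whatever was accepted inbound may leave on the other side; states
# created above take care of the replies.
pass out all

# Only needed if this box routes instead of bridging, i.e. igc0 carries the
# ISP address and net.inet.ip.forwarding=1; on a transparent bridge the
# modem translates and this line must stay off:
# match out on $ext_if inet from $localnet nat-to ($ext_if)
```

The group is created outside pf.conf: add the line `group lan` to /etc/hostname.igc1 and /etc/hostname.igc2 (or run `ifconfig igc1 group lan` and the same for igc2 on a live system), after which `on lan` matches both members. Check the file with `pfctl -nf /etc/pf.conf` before loading it, compare `pfctl -sr` against what you expect to be active, and keep `tcpdump -neti pflog0` running while a client pings or traceroutes: since both the block and the pass rules carry `log`, every decision appears with its rule number, and `pfctl -sr -R <number>` maps that number back to the rule text.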
Re: Firewall setup
On 14-04-2024 at 21:57, Jens Kaiser wrote:
> Hello Karel,
>
> if you want to start simply, then I would recommend to remove all macros from your pf.conf which are not referenced. You can add them later if needed.
>
> As already stated by others, there is a syntax error in macro martians. If there are syntax errors in pf.conf, the rules are not loaded at all.

These have now been resolved, see below.

> Also correct the syntax errors in the rules "Letting ping through". The key word "on" without interface name, group or keyword any looks incorrect. Give it a parameter or remove it.

As far as I can see there are no errors in the ping rules. The key words "on", "group" or "any" do not appear there. Moreover, I have copied these rules, except the key word "log", exactly from Peter Hansteen's book (The Book of PF), just like the rules of the martians.

> Please check your current running configuration with
>   pfctl -sr
> It prints out all currently active rules. If something behaves too weird, it can help to prove that the ruleset in /etc/pf.conf is the same as we assume to be active in the kernel. Because of the syntax errors I would guess that this is not true in your case.

After correcting some errors, I reloaded pf.conf and found no errors. Here I give the output of pfctl -sr:

  match in all scrub (no-df max-mss 1440)
  block return in all
  block return in quick on igc0 inet from any to <__automatic_628bc734_1>
  pass log inet proto icmp all icmp-type echoreq
  pass log inet proto icmp all icmp-type echorep
  pass log inet proto icmp all icmp-type unreach
  pass log inet6 proto ipv6-icmp all icmp6-type echoreq
  pass log inet6 proto ipv6-icmp all icmp6-type echorep
  pass log inet6 proto ipv6-icmp all icmp6-type unreach
  pass out all flags S/SA

/etc/pf.conf:

  ext_if = igc0                  # The interface to the outside world
  int_if = "{ igc1, igc2 }"      # The interfaces to the private hosts
  # localnet = "192.168.2.0/24"  # Hosts on the screened LAN
  # tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
  # udp_services = "{ domain, ntp }"
  # email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
  icmp_types = "{ echoreq, echorep, unreach }"
  icmp6_types = "{ echoreq, echorep, unreach }"
  # nameservers = "{ 195.121.1.34, 195.121.1.66 }"
  # client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, }"
  martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                0.0.0.0/8, 240.0.0.0/4 }"

  # Options:
  set block-policy return
  set skip on lo

  # Normalize packets:
  match in all scrub ( no-df max-mss 1440 )

  block in all      # block stateless traffic

  block in quick on $ext_if from $martians to any
  block out quick on $ext_if from any to $martians

  # Letting ping through:
  pass log inet proto icmp icmp-type $icmp_types
  pass log inet6 proto icmp6 icmp6-type $icmp6_types

  pass out all
Re: Firewall setup
This gives the following error messages when booting:

  no IP address found for igc1:network
  /etc/pf.conf:41: could not parse host specification
  no IP address found for igc2:network
  /etc/pf.conf:42: could not parse host specification

On 14-04-2024 at 19:59, Peter N. M. Hansteen wrote:
> On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
>> Hi all,
>>
>> Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly? To get started simply, I created a new pf.conf file, see below.
>
> I'd put this somewhere after your block rules:
>
>   pass inet proto { tcp, udp } from igc1:network to port $client_out
>   pass inet proto { tcp, udp } from igc2:network to port $client_out
>
> - that way you will actually use the macro. But the macro still references the invalid service nportntp (you probably want ntp instead), and I would think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely to be useful unless you *know* you need to pass traffic for those.
Re: Firewall setup
They both give a syntax error when booting.

On 14-04-2024 at 17:45, Zé Loff wrote:
>   pass in on $int_if proto udp to port 53
>   pass in on $int_if proto udp to $nameservers port 53
Firewall setup
Hi all,

Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly? To get started simply, I created a new pf.conf file, see below.

/etc/pf.conf:

  ext_if = igc0                  # The interface to the outside world
  int_if = "{ igc1, igc2 }"      # The interfaces to the private hosts
  localnet = "192.168.2.0/24"    # Hosts on the screened LAN
  tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
  udp_services = "{ domain, ntp }"
  email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
  icmp_types = "{ echoreq, unreach }"
  icmp6_types = "{ echoreq, unreach }"
  nameservers = "{ 195.121.1.34, 195.121.1.66 }"
  client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                  446, cvspserver, 2628, 5999, 8000, 8080 }"
  martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                0.0.0.0/8, 240.0.0.0/4 }"

  # Options:
  set block-policy return
  set skip on lo

  block log all      # block stateless traffic

  # Normalize packets:
  match in all scrub ( no-df max-mss 1440 )

  block in quick on $ext_if from $martians to any
  block out quick on $ext_if from any to $martians

  # Letting ping through:
  pass log on inet proto icmp icmp-type $icmp_types
  pass log on inet6 proto icmp6 icmp6-type $icmp6_types

  pass out all
Re: No internet connection (firewall block)
Output from "tcpdump -neti pflog0":

  tcpdump: WARNING: snaplen raised from 116 to 160
  tcpdump: listening on pflog0, link-type PFLOG
  ...
  rule 4/(match) pass in on igc1: 192.168.2.252 > 17.253.53.207: icmp: echo request
  ...

Output from "pfctl -sr -R 4":

  pass log inet proto icmp all icmp-type echoreq

On 12-04-2024 at 19:46, Zé Loff wrote:
> On Fri, Apr 12, 2024 at 07:04:16PM +0200, Karel Lucas wrote:
>> Hi all,
>>
>> Traceroute still won't work. I'm playing around with the rules and wondering what's right and what's wrong with the traceroute rules. Can anyone give me some starting points here?
>>
>> /etc/pf.conf:
>>
>>   ext_if = igc0                  # Extern interface
>>   int_if = "{ igc1, igc2 }"      # Intern interfaces
>>   localnet = "192.168.2.0/24"
>>   tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
>>   udp_services = "{ domain, ntp }"
>>   email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>>   icmp_types = "{ echoreq, unreach }"
>>   icmp6_types = "{ echoreq, unreach }"
>>   nameservers = "{ 195.121.1.34, 195.121.1.66 }"
>>   client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>>                   446, cvspserver, 2628, 5999, 8000, 8080 }"
>>   Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>>                 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>>                 0.0.0.0/8, 240.0.0.0/4 }"
>>
>>   set skip on lo
>>
>>   # By default, do not permit remote connections to X11
>>   block return in on ! lo0 proto tcp to port 6000:6010
>>
>>   block log all      # block stateless traffic
>>
>>   block in quick on $ext_if from $martians to any
>>   block out quick on $ext_if from any to $martians
>>
>>   # Letting ping through:
>>   pass log on inet proto icmp icmp-type $icmp_types
>>   pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>>
>>   # Allow out the default range for traceroute(*):
>>   # "base+nhops*nqueries-1" (3434+64*3-1)
>>   pass in on $ext_if inet proto udp to port 33433:33626          # for IPv4
>>   pass log out on $ext_if inet proto udp to port 33433:33626     # for IPv4
>>   pass in on $ext_if inet6 proto udp to port 33433:33626         # for IPv6
>>   pass log out on $ext_if inet6 proto udp to port 33433:33626    # for IPv6
>
> Your final four rules (for traceroute) only apply to the $ext_if, so I am assuming you are trying to traceroute _from_ the firewall itself to some machine on the internet. If you want to start traceroute from your local network, and to a machine on the internet, you'll need to add $int_if to those rules (and perhaps NAT, but let's not get ahead of ourselves).
>
> Again, assuming you are trying to traceroute from the firewall to the internet, I would use tcpdump to check if that traffic is being blocked, and, if so, which rule is blocking it:
>
>   tcpdump -neti pflog0
>
> (-n and -t are optional, but help to keep things simpler in this case)
>
> Then on another terminal try to traceroute an easily identifiable IP, such as 1.1.1.1, and see what comes up on the tcpdump. It'll be something like "rule 2/(match) block ..." or "rule 2/(match) pass ...", and if you don't want to count the rules by hand, you can use pfctl to tell you which:
>
>   pfctl -sr -R <N>
>
> where <N> is the rule number. Then, assuming it is being blocked, it's time to figure out why the "pass" rules aren't being matched.
Re: Ping blocked by firewall
This makes no difference.

On 13-04-2024 at 22:06, Peter J. Philipp wrote:
> On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:
>> What should I add then, considering my PF ruleset? To be honest, all of this is very unclear to me at the moment, so any help is appreciated.
>
> How about:
>
>   pass out inet proto { tcp, udp } from any to any port { 53, 853 } keep state
>   pass out inet6 proto { tcp, udp } from any to any port { 53, 853 } keep state
>
> see if that will do it for you. You have a service called "domain" in your rules but it's only a macro/alias and not active.
>
> Also if I remember it right (without looking) traceroute defaults to UDP mode by default, with ports (32768 + 666) + (every "*" in every hop counting as 1) so depending on how many hops outbound you want to traceroute you'll have to open those udp ports outbound. Of course you can be like windows and do traceroute -P1 to traceroute with ICMP.
>
> Remember, from your basic networking texts that each hop decrements (-1) the time to live, or the hop count. When a router encounters an IP[46] packet that would decrement to 0 it will not get forwarded and will reply an ICMP time exceeded message aka timex reply.
>
> Please familiarize yourself with tcpdump and for learning purposes wireshark and really analyze the packet headers with RFCs 791, 792, 8200 found at https://rfc-editor.org.
>
> Best of Luck!
> -pjp
>
>> On 13-04-2024 at 02:39, Alexis wrote:
>>> Karel Lucas writes:
>>>> Ping only works partially. For example, this works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect this has to do with DNS servers, but I don't know where to start troubleshooting.
>>>
>>> Indeed, you appear to have no rules allowing outgoing requests to DNS servers for name resolution.
>>>
>>> Alexis.
Re: Ping blocked by firewall
What should I add to get it working?

On 13-04-2024 at 02:39, Alexis wrote:
> Karel Lucas writes:
>> Ping only works partially. For example, this works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect this has to do with DNS servers, but I don't know where to start troubleshooting.
>
> Indeed, you appear to have no rules allowing outgoing requests to DNS servers for name resolution.
>
> Alexis.
Re: Ping blocked by firewall
What should I add then, considering my PF ruleset? To be honest, all of this is very unclear to me at the moment, so any help is appreciated.

On 13-04-2024 at 02:39, Alexis wrote:
> Karel Lucas writes:
>> Ping only works partially. For example, this works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect this has to do with DNS servers, but I don't know where to start troubleshooting.
>
> Indeed, you appear to have no rules allowing outgoing requests to DNS servers for name resolution.
>
> Alexis.
No internet connection (firewall block)
Hi all,

Traceroute still won't work. I'm playing around with the rules and wondering what's right and what's wrong with the traceroute rules. Can anyone give me some starting points here?

/etc/pf.conf:

  ext_if = igc0                  # Extern interface
  int_if = "{ igc1, igc2 }"      # Intern interfaces
  localnet = "192.168.2.0/24"
  tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
  udp_services = "{ domain, ntp }"
  email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
  icmp_types = "{ echoreq, unreach }"
  icmp6_types = "{ echoreq, unreach }"
  nameservers = "{ 195.121.1.34, 195.121.1.66 }"
  client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                  446, cvspserver, 2628, 5999, 8000, 8080 }"
  Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                0.0.0.0/8, 240.0.0.0/4 }"

  set skip on lo

  # By default, do not permit remote connections to X11
  block return in on ! lo0 proto tcp to port 6000:6010

  block log all      # block stateless traffic

  block in quick on $ext_if from $martians to any
  block out quick on $ext_if from any to $martians

  # Letting ping through:
  pass log on inet proto icmp icmp-type $icmp_types
  pass log on inet6 proto icmp6 icmp6-type $icmp6_types

  # Allow out the default range for traceroute(*):
  # "base+nhops*nqueries-1" (3434+64*3-1)
  pass in on $ext_if inet proto udp to port 33433:33626          # for IPv4
  pass log out on $ext_if inet proto udp to port 33433:33626     # for IPv4
  pass in on $ext_if inet6 proto udp to port 33433:33626         # for IPv6
  pass log out on $ext_if inet6 proto udp to port 33433:33626    # for IPv6
Ping blocked by firewall
Hi all,

Ping only works partially. For example, this works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect this has to do with DNS servers, but I don't know where to start troubleshooting. Can someone help me?

/etc/pf.conf:

  ext_if = igc0                  # Extern interface
  int_if = "{ igc1, igc2 }"      # Intern interfaces
  localnet = "192.168.2.0/24"
  tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
  udp_services = "{ domain, ntp }"
  email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
  icmp_types = "{ echoreq, unreach }"
  icmp6_types = "{ echoreq, unreach }"
  nameservers = "{ 195.121.1.34, 195.121.1.66 }"
  client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                  446, cvspserver, 2628, 5999, 8000, 8080 }"
  Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                0.0.0.0/8, 240.0.0.0/4 }"

  set skip on lo

  # By default, do not permit remote connections to X11
  block return in on ! lo0 proto tcp to port 6000:6010

  block log all      # block stateless traffic

  # Letting ping through:
  pass log on inet proto icmp icmp-type $icmp_types
  pass log on inet6 proto icmp6 icmp6-type $icmp6_types
Re: No internet connection (firewall block)
PF's ruleset will be put under a magnifying glass.

On 11-04-2024 at 11:09, Peter N. M. Hansteen wrote:
> On Thu, Apr 11, 2024 at 09:34:15AM +0100, Zé Loff wrote:
>>>   pass log out on egress inet proto udp to port 33433:33626      # for IPv4
>>>   pass log out on egress inet6 proto udp to port 33433:33626     # for IPv6
>>>   pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
>>>       to port $udp_services
>>>   pass log on $ext_if inet proto icmp all icmp-type $icmp_types
>>>   pass log on $ext_if inet proto tcp from $localnet to port $client_out
>>>   pass log out proto tcp to port $tcp_services   # establish keep-stat
>>>   pass log log proto udp to port $udp_services   # Establish keep-state
>>
>> If I read this correctly, you are not allowing any "in" traffic, except for the two "Letting ping through lines", which are just for ICMP, and on the first two rules on the last part ("...$icmp_types" and "...$client_out"). I am assuming "log log" on the last rule is a typo, and it is actually "log out".
>
> Those are as far as I can tell correct observations. There appears to be no rule allowing traffic other than the selected icmp types to pass from anywhere but the local host.
Re: No internet connection (firewall block)
The typos have been fixed, and PF's ruleset will be put under a magnifying glass.

On 11-04-2024 at 10:34, Zé Loff wrote:
> On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
>> Hi all,
>>
>> With the new firewall I am setting up I cannot connect to the internet. That starts with traceroute, so let's start there. Ping works fine. Below I have listed my pf.conf file.
>>
>> /etc/pf.conf:
>>
>>   ext_if = igc0                  # Extern interface
>>   int_if = "{ igc1, igc2 }"      # Intern interfaces
>>   localnet = "192.168.2.0/24"
>>   tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
>>   udp_services = "{ domain, ntp }"
>>   email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>>   icmp_types = "{ echoreq, unreach }"
>>   icmp6_types = "{ echoreq, unreach }"
>>   nameservers = "{ 195.121.1.34, 195.121.1.66 }"
>>   client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>>                   446, cvspserver, 2628, 5999, 8000, 8080 }"
>>   Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>>                 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>>                 0.0.0.0/8, 240.0.0.0/4 }"
>>
>>   set skip on lo
>>
>>   # By default, do not permit remote connections to X11
>>   block return in on ! lo0 proto tcp to port 6000:6010
>>
>>   block log all      # block stateless traffic
>>
>>   block in quick on $ext_if from $martians to any
>>   block out quick on $ext_if from any to $martians
>>
>>   # Letting ping through:
>>   pass log on inet proto icmp icmp-type $icmp_types
>>   pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>>
>>   # Allow out the default range for traceroute(*):
>>   # "base+nhops*nqueries-1" (3434+64*3-1)
>>   pass log out on egress inet proto udp to port 33433:33626      # for IPv4
>>   pass log out on egress inet6 proto udp to port 33433:33626     # for IPv6
>>   pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
>>       to port $udp_services
>>   pass log on $ext_if inet proto icmp all icmp-type $icmp_types
>>   pass log on $ext_if inet proto tcp from $localnet to port $client_out
>>   pass log out proto tcp to port $tcp_services   # establish keep-stat
>>   pass log log proto udp to port $udp_services   # Establish keep-state
>
> If I read this correctly, you are not allowing any "in" traffic, except for the two "Letting ping through lines", which are just for ICMP, and on the first two rules on the last part ("...$icmp_types" and "...$client_out"). I am assuming "log log" on the last rule is a typo, and it is actually "log out".
Re: No internet connection (firewall block)
I do get the following error message:

  sysctl: toplevel name net/inet6 in net/inet6.ip6.forwarding is invalid

On 11-04-2024 at 09:49, Peter N. M. Hansteen wrote:
> On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
>> With the new firewall I am setting up I cannot connect to the internet. That starts with traceroute, so let's start there. Ping works fine. Below I have listed my pf.conf file.
>
> This sounds like you have a link to somewhere, at least. The first question would be, when you say "I cannot connect to the internet", where is this in relation to the host with the ruleset you quote?
>
> Start with the basics - is the gateway set up to forward packets? The output of
>
>   $ sysctl net.inet | grep forward
>
> will reveal the truth there.
>
> And looking at the quoted ruleset, I find it rather unlikely that it will actually load -- you will get a "macro 'martians' not defined" and "unknown port nportntp" and likely a few "syntax error" messages as well.
>
> I would advise to take a few steps back, start from the basics and add only the things you know you need.
Re: No internet connection (firewall block)
Output from 'sysctl net.inet | grep forward':

  net.inet.ip.forwarding=1
  net.inet.ip.mforwarding=0

This may sound strange, but I don't get an error message when booting. I did have that problem because the word 'log' appeared in some lines, but that has already been resolved. I'm going to apply a "step by step" approach to the rules in pf.conf.

On 11-04-2024 at 09:49, Peter N. M. Hansteen wrote:
> On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
>> With the new firewall I am setting up I cannot connect to the internet. That starts with traceroute, so let's start there. Ping works fine. Below I have listed my pf.conf file.
>
> This sounds like you have a link to somewhere, at least. The first question would be, when you say "I cannot connect to the internet", where is this in relation to the host with the ruleset you quote?
>
> Start with the basics - is the gateway set up to forward packets? The output of
>
>   $ sysctl net.inet | grep forward
>
> will reveal the truth there.
>
> And looking at the quoted ruleset, I find it rather unlikely that it will actually load -- you will get a "macro 'martians' not defined" and "unknown port nportntp" and likely a few "syntax error" messages as well.
>
> I would advise to take a few steps back, start from the basics and add only the things you know you need.
No internet connection (firewall block)
Hi all,

With the new firewall I am setting up I cannot connect to the internet. That starts with traceroute, so let's start there. Ping works fine. Below I have listed my pf.conf file.

/etc/pf.conf:

  ext_if = igc0                  # Extern interface
  int_if = "{ igc1, igc2 }"      # Intern interfaces
  localnet = "192.168.2.0/24"
  tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
  udp_services = "{ domain, ntp }"
  email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
  icmp_types = "{ echoreq, unreach }"
  icmp6_types = "{ echoreq, unreach }"
  nameservers = "{ 195.121.1.34, 195.121.1.66 }"
  client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                  446, cvspserver, 2628, 5999, 8000, 8080 }"
  Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                0.0.0.0/8, 240.0.0.0/4 }"

  set skip on lo

  # By default, do not permit remote connections to X11
  block return in on ! lo0 proto tcp to port 6000:6010

  block log all      # block stateless traffic

  block in quick on $ext_if from $martians to any
  block out quick on $ext_if from any to $martians

  # Letting ping through:
  pass log on inet proto icmp icmp-type $icmp_types
  pass log on inet6 proto icmp6 icmp6-type $icmp6_types

  # Allow out the default range for traceroute(*):
  # "base+nhops*nqueries-1" (3434+64*3-1)
  pass log out on egress inet proto udp to port 33433:33626      # for IPv4
  pass log out on egress inet6 proto udp to port 33433:33626     # for IPv6
  pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
      to port $udp_services
  pass log on $ext_if inet proto icmp all icmp-type $icmp_types
  pass log on $ext_if inet proto tcp from $localnet to port $client_out
  pass log out proto tcp to port $tcp_services   # establish keep-stat
  pass log log proto udp to port $udp_services   # Establish keep-state
Re: Ping blocked by firewall
The errors were caused by the word 'log' in lines where it apparently did not belong. Those errors have now been resolved. In Peter Hansteen's book, the rules are clearly stated on page 91, and there is no 'match' in them.

On 09-04-2024 at 17:12 l...@trungnguyen.me wrote:
Still don't know what's happening because we don't know what those line errors mean. When you changed the macros to tables, did you also update the rules to match?

On April 9, 2024 9:32:06 AM UTC, Karel Lucas wrote:
I moved the lines with the martians between the 'block log all' line and the ping lines. Furthermore, I changed the macro 'martians' to a table: table persist file "etc/martians". Messages during booting:
/etc/pf.conf:29: syntax error
/etc/pf.conf:29: macro 'martians' not defined
/etc/pf.conf:30: macro 'martians' not defined
/etc/pf.conf:38: syntax error
/etc/pf.conf:39: syntax error
/etc/pf.conf:46: syntax error

On 09-04-2024 at 11:13 Otto Moerbeek wrote:
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
I defined the table as stated in your book (3rd edition, page 42). However, that gives an error message. In the lines with that table: macro 'martians' not defined. Moreover, I now also have a Syntax error in lines 38, 39 and 46, causing the pf lines not to be loaded.
How about showing what you did, showing the actual error messages so people here can actually help you? Just saying "it does not work" does not get you anywhere. -Otto

On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
Hi all, For the first time I tested my new firewall with ping, and it is blocked. I don't know what the reason is, you can find the information below. I have a network with only regular clients, so no servers. I'm still using OpenBSD V7.4, and will upgrade once the firewall is up and running so I can test the upgrade process. Upgrading to 7.5 will not affect this particular problem I think.
Still low on caffeine I spot two likely factors - your $localnet range overlaps with one of the ranges in $martians (which I anyway would recommend converting into a table), and your block referencing $martians comes after the pass rules that would have let icmp through. With no previous matching quick, last match applies. - Peter
Re: Ping blocked by firewall
In /etc/pf.conf:
table persist file "/etc/martians"

In /etc/martians:
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
169.254.0.0/16
192.0.2.0/24
0.0.0.0/8
240.0.0.0/4

On 09-04-2024 at 16:06 Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
I defined the table as stated in your book (3rd edition, page 42). However, that gives an error message. In the lines with that table: macro 'martians' not defined. Moreover, I now also have a Syntax error in lines 38, 39 and 46, causing the pf lines not to be loaded.
The martians example only appears on page 91, and if you had read that book or other PF references, you would have known full well that the syntax for defining and referencing macros differs from how you define and reference tables. Please actually read the advice offered by contributors to this thread.
Re: Ping blocked by firewall
The example I'm referring to is how to define a table (page 42), and I applied that to the martians example (page 91).

On 09-04-2024 at 16:06 Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
I defined the table as stated in your book (3rd edition, page 42). However, that gives an error message. In the lines with that table: macro 'martians' not defined. Moreover, I now also have a Syntax error in lines 38, 39 and 46, causing the pf lines not to be loaded.
The martians example only appears on page 91, and if you had read that book or other PF references, you would have known full well that the syntax for defining and referencing macros differs from how you define and reference tables. Please actually read the advice offered by contributors to this thread.
Re: Ping blocked by firewall
I can assure you that I did not use capital letters in the macro names, and used the '<' and '>'.

On 09-04-2024 at 11:58 Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
I defined the table as stated in your book (3rd edition, page 42). However, that gives an error message. In the lines with that table: macro 'martians' not defined. Moreover, I now also have a Syntax error in lines 38, 39 and 46, causing the pf lines not to be loaded.
macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4 }"
block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the surrounding '<' and '>'.
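The two mistakes that keep coming back in this thread, a macro defined as `Martians` but referenced as `$martians`, and a table that is then still referenced with `$` instead of `<...>`, are exactly what `pfctl -nf` reports as "macro 'martians' not defined", and the messages refer to line numbers in the file. The following pre-check is an added example, not part of pfctl and not from the thread: it reads a pf.conf, collects macro and table definitions, and reports every `$name` or `<name>` reference without a matching definition, saying whether the cause is a case mismatch or a macro-versus-table mix-up; it also flags IPv4 prefixes in macro values that do not parse (the `169.254, 0.0/16` from the post) and a doubled `log`. The embedded SAMPLE is a constructed, trimmed copy of the posted ruleset. It is a convenience, not a replacement for `pfctl -nf`, which remains the authoritative parser: its comment handling is deliberately naive (a `#` inside quotes counts as a comment), and it does not know /etc/services, so an unknown port name such as `nportntp` still only shows up in pfctl.

```python
"""Pre-check for /etc/pf.conf macro and table references.

Added example; not pfctl and not from the thread.  Run pfctl -nf afterwards:
this only catches the mistakes discussed above before the file reaches it.
"""
import ipaddress
import re

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')   # name = "value"
TABLE_DEF = re.compile(r'^table\s+<(\w+)>')               # table <name> ...
MACRO_REF = re.compile(r'\$(\w+)')                        # $name
TABLE_REF = re.compile(r'<(\w+)>')                        # <name>
IPV4_LIKE = re.compile(r'^\d+(\.\d+)+(/\d+)?$')           # dotted, maybe /len

# Constructed, trimmed copy of the ruleset posted in this thread.
SAMPLE = r'''
# constructed sample
ext_if = igc0                       # external interface
localnet = "192.168.2.0/24"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
set skip on lo
block log all
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians
pass log on inet proto icmp icmp-type $icmp_types
pass log log proto udp to port $udp_services
'''


def logical_lines(text):
    """Yield (first_line_number, line) with '#' comments stripped and
    backslash continuations joined, as pfctl does.  Naive on purpose: a '#'
    inside quotes is treated as a comment."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined, first = ' '.join(buf).strip(), start
        buf, start = [], None
        if joined:
            yield first, joined


def undefined(kind, name, macros, tables):
    """Message for an unresolved $name or <name>, naming the likely cause."""
    msg = f"{kind} '{name}' not defined"
    if kind == 'macro' and name in tables:
        return msg + f" (a table of that name exists; reference it as <{name}>)"
    if kind == 'table' and name in macros:
        return msg + f" (a macro of that name exists; reference it as ${name})"
    pool = macros if kind == 'macro' else tables
    hints = [d for d in pool if d.lower() == name.lower()]
    if hints:
        msg += f" (names are case-sensitive; did you mean '{hints[0]}'?)"
    return msg


def check_pf_conf(text):
    """Return [(line_number, message)] for the problems this check knows."""
    lines = list(logical_lines(text))
    macros, tables = {}, set()
    for _, line in lines:                      # pass 1: definitions
        m = TABLE_DEF.match(line)
        if m:
            tables.add(m.group(1))
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
    findings = []
    for n, line in lines:                      # pass 2: references, values
        for name in MACRO_REF.findall(line):
            if name not in macros:
                findings.append((n, undefined('macro', name, macros, tables)))
        for name in TABLE_REF.findall(line):
            if name not in tables:
                findings.append((n, undefined('table', name, macros, tables)))
        m = MACRO_DEF.match(line)
        if m:
            # "169.254, 0.0/16" is one prefix typed as two tokens; neither parses.
            for tok in re.split(r'[\s,{}"]+', m.group(2)):
                if IPV4_LIKE.match(tok):
                    try:
                        ipaddress.ip_network(tok, strict=False)
                    except ValueError:
                        findings.append((n, f"'{tok}' is not a valid address or prefix"))
        if re.search(r'\blog\s+log\b', line):
            findings.append((n, "'log' given twice"))
    return findings


if __name__ == '__main__':
    for n, msg in check_pf_conf(SAMPLE):
        print(f'pf.conf:{n}: {msg}')
```

Run it as `python3 pfcheck.py /dev/stdin < /etc/pf.conf` after replacing SAMPLE with the file contents, or import `check_pf_conf` from a pre-commit hook; the line numbers it prints are the same ones pfctl would print for the same file, since continuation lines are attributed to the line on which the statement starts.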
Re: Ping blocked by firewall
I managed to get ping through. The error was the "log" words in the lines. But this is just the beginning. Now I have another problem with traceroute, as well as with all the normal internet traffic that has to go through it. In the traceroute rules I replaced "$ext_if" with "egress", but that makes very little difference. Creating a table for the martians doesn't work either. I have restored the old situation, so that it does not cause an error message.
Re: Ping blocked by firewall
I moved the lines with the martians between the 'block log all' line and the ping lines. Furthermore, I changed the macro 'martians' to a table: table persist file "etc/martians". Messages during booting:
/etc/pf.conf:29: syntax error
/etc/pf.conf:29: macro 'martians' not defined
/etc/pf.conf:30: macro 'martians' not defined
/etc/pf.conf:38: syntax error
/etc/pf.conf:39: syntax error
/etc/pf.conf:46: syntax error

On 09-04-2024 at 11:13 Otto Moerbeek wrote:
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
I defined the table as stated in your book (3rd edition, page 42). However, that gives an error message. In the lines with that table: macro 'martians' not defined. Moreover, I now also have a Syntax error in lines 38, 39 and 46, causing the pf lines not to be loaded.
How about showing what you did, showing the actual error messages so people here can actually help you? Just saying "it does not work" does not get you anywhere. -Otto

On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
Hi all, For the first time I tested my new firewall with ping, and it is blocked. I don't know what the reason is, you can find the information below. I have a network with only regular clients, so no servers. I'm still using OpenBSD V7.4, and will upgrade once the firewall is up and running so I can test the upgrade process. Upgrading to 7.5 will not affect this particular problem I think.
Still low on caffeine I spot two likely factors - your $localnet range overlaps with one of the ranges in $martians (which I anyway would recommend converting into a table), and your block referencing $martians comes after the pass rules that would have let icmp through. With no previous matching quick, last match applies. - Peter
Re: Ping blocked by firewall
I defined the table as stated in your book (3rd edition, page 42). However, that gives an error message. In the lines with that table: macro 'martians' not defined. Moreover, I now also have a Syntax error in lines 38, 39 and 46, causing the pf lines not to be loaded.

On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
Hi all, For the first time I tested my new firewall with ping, and it is blocked. I don't know what the reason is, you can find the information below. I have a network with only regular clients, so no servers. I'm still using OpenBSD V7.4, and will upgrade once the firewall is up and running so I can test the upgrade process. Upgrading to 7.5 will not affect this particular problem I think.
Still low on caffeine I spot two likely factors - your $localnet range overlaps with one of the ranges in $martians (which I anyway would recommend converting into a table), and your block referencing $martians comes after the pass rules that would have let icmp through. With no previous matching quick, last match applies. - Peter
Ping blocked by firewall
Hi all,

For the first time I tested my new firewall with ping, and it is blocked. I don't know what the reason is, you can find the information below. I have a network with only regular clients, so no servers. I'm still using OpenBSD V7.4, and will upgrade once the firewall is up and running so I can test the upgrade process.

/etc/pf.conf:

ext_if = igc0 # External interface
int_if = "{ igc1, igc2 }" # Internal interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
    446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all # block stateless traffic

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on ext_if inet proto udp to port 33433:33626 # for IPv4
pass log out on ext_if inet6 proto udp to port 33433:33626 # for IPv6

pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
    to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
block log in quick on $ext_if from $martians to any
block log out quick on $ext_if from any to $martians
pass log out proto tcp to port $tcp_services # establish keep-stat
pass log log proto udp to port $udp_services # Establish keep-state

/var/log/pflog:

tcpdump: WARNING: snaplen raised from 116 to 160
Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2, 2 group record(S) [hlim 1]
apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2, 2 group record(S) [hlim 1]
Bridging firewall with online update/upgrade
Hi all, I am creating a bridging firewall with OpenBSD and the following hardware: https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1. OpenBSD is already installed. I want to use ETH1 for the input from my ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I would like to use ETH4 for the update/upgrade of the firewall. Remove the connection from ETH1, plug it into ETH4, and update/upgrade. Then the connection returns to ETH1. ETH4 therefore receives an IP address and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network connection of the ADSL modem is in ETH4, my network, including the firewall, is no longer secured, and attackers can take advantage. I therefore wonder whether it is possible to let the data flow via ETH1 and ETH4 first pass through PF before an update/upgrade is done via ETH4. This means that the bridging firewall will have two entrances, one without and one with an IP address. I would like to know if that is possible, or if there is another option.
Bash instead of ksh
Hi all, Instead of ksh I want to use bash as a general shell. But how can I set it up that way? Bash is already installed.
Re: No coloring with colorls
This method also works! Instead of vt220 I now used xterm-256color. Thank you!

On 30-03-2024 at 11:51 Stuart Henderson wrote:
On 2024-03-29, Karel Lucas wrote:
What should I put in /etc/ttys, taking into account that I regularly use multiple virtual consoles? And where in that file do I place that? At the beginning or the end? Or somewhere in between?
Replace "vt220" with your preferred option on "console" and "ttyC" lines.
Re: No coloring with colorls
What should I put in /etc/ttys, taking into account that I regularly use multiple virtual consoles? And where in that file do I place that? At the beginning or the end? Or somewhere in between?

On 29-03-2024 at 09:15 Stuart Henderson wrote:
On 2024-03-28, Karel Lucas wrote:
On 28-03-2024 at 07:51 Stuart Henderson wrote:
For the console, use /etc/ttys. For an X terminal, use whatever mechanism is correct for that terminal (.Xdefaults XTerm*termName for xterm).
The file /etc/ttys is 22.5kB in size and is full of all kinds of "tty** ...". I don't think this is the right file to use something like that. It seems to me that you are making the system disrupted/unstable by doing so. Those "ttys**..." won't vouch for it for nothing.
Yes that is exactly the right file. That is what the file is *for*. It sets the console type for various ways of accessing consoles on the system. The "console" and "ttyC*" lines are the ones you want (the additional ones are for various virtual consoles on ctrl-alt-f2, etc). (The "tty0*" are for serial consoles if you have them.)
Re: No coloring with colorls
On 28-03-2024 at 07:51 Stuart Henderson wrote:
For the console, use /etc/ttys. For an X terminal, use whatever mechanism is correct for that terminal (.Xdefaults XTerm*termName for xterm).

The file /etc/ttys is 22.5kB in size and is full of all kinds of "tty** ...". I don't think this is the right file to use something like that. It seems to me that you are making the system disrupted/unstable by doing so. Those "ttys**..." won't vouch for it for nothing.
Re: No coloring with colorls
What is the correct setting, taking into account the coloring of the directory listing?

On 27-03-2024 at 14:02 Stuart Henderson wrote:
On 2024-03-27, Karel Lucas wrote:
It works correctly! My /etc/profile now looks like this: export TERM=xterm-256color
That is not working correctly, because you forcibly override the correct TERM which is set for things like screen/tmux. For the console, use /etc/ttys. For an X terminal, use whatever mechanism is correct for that terminal (.Xdefaults XTerm*termName for xterm).
Re: No coloring with colorls
It works correctly! My /etc/profile now looks like this:
export TERM=xterm-256color
export CLICOLOR=yes
export CLICOLOR_FORCE=yes
export LSCOLORS=exfxcxdxbxegedabagacad
And with colorls -Ghl I get the output in color. Thank you all very much!

On 25-03-2024 at 23:46 Benjamin Stürz wrote:
On 25.03.24 23:40, Karel Lucas wrote:
Hi all, After installing colorls and making some adjustments to the system, I still have no colored output from colorls. Below I have indicated the settings that have been made or are present by default. I would like to know what is wrong and what needs to be improved. Default environment: TERM=vt220 Added environment: CLICOLOR=yes CLICOLOR_FORCE=yes LSCOLORS=exfxcxdxbxegedabagacad
Try CLICOLOR=1 (and TERM=xterm-256color, if it doesn't help).
Re: No coloring with colorls
Dear Benjamin, In which configuration file can I change TERM?

On 25-03-2024 at 23:46 Benjamin Stürz wrote:
On 25.03.24 23:40, Karel Lucas wrote:
Hi all, After installing colorls and making some adjustments to the system, I still have no colored output from colorls. Below I have indicated the settings that have been made or are present by default. I would like to know what is wrong and what needs to be improved. Default environment: TERM=vt220 Added environment: CLICOLOR=yes CLICOLOR_FORCE=yes LSCOLORS=exfxcxdxbxegedabagacad
Try CLICOLOR=1 (and TERM=xterm-256color, if it doesn't help).
Re: No coloring with colorls
Dear Amelia, In which configuration file can I change this? Is 'wsvt25' universally suitable for use?

On 26-03-2024 at 00:03 Amelia A Lewis wrote:
On Mon, 25 Mar 2024 23:40:52 +0100, Karel Lucas wrote:
After installing colorls and making some adjustments to the system, I still have no colored output from colorls. Below I have indicated the settings that have been made or are present by default. I would like to know what is wrong and what needs to be improved. Default environment: TERM=vt220
$ pkg_info -q colorls
ls(1) that can use color to display file attributes
This is a simple hack, taken from FreeBSD, to OpenBSD's ls(1) to use ANSI sequences to display file attributes in color. There is a -G flag (somewhat similar to the -F flag). Take a look at the man page for details. The program is called "colorls", so you may want to use an alias such as ls=/usr/local/bin/colorls. Note that you need a color-capable terminal to enable colorls. This means you should set your TERM to "wsvt25" on the wscons(4) console and to "sun-color" when using the Sun console, not "vt220" and "sun", respectively, which are not color-capable in termcap(5).
Maintainer: Christian Weisgerber
Amy!
No coloring with colorls
Hi all, After installing colorls and making some adjustments to the system, I still have no colored output from colorls. Below I have indicated the settings that have been made or are present by default. I would like to know what is wrong and what needs to be improved. Default environment: TERM=vt220 Added environment: CLICOLOR=yes CLICOLOR_FORCE=yes LSCOLORS=exfxcxdxbxegedabagacad
Re: Bridging firewall and ntpd
Dear Mr. Henderson, From your answer I understand that to use the ntp daemon the interfaces still need an IP address. Unfortunately, a GPS unit is not available or desirable, so it seems to me that I will have to do it without a calibrated time, if there is no other option.

On 20-12-2023 at 00:04 Stuart Henderson wrote:
On 2023-12-19, Karel Lucas wrote:
Hi all, I am creating a bridging firewall, and am wondering if it is possible to use the ntp daemon to ensure that all log files are timed correctly. Is there a way to achieve that despite the fact that the network connections do not have an IP address?
Yes, e.g. with a gps unit and nmea(4) If you want to fetch time over the network, however, the machine will need to have network access.
Bridging firewall and ntpd
Hi all, I am creating a bridging firewall, and am wondering if it is possible to use the ntp daemon to ensure that all log files are timed correctly. Is there a way to achieve that despite the fact that the network connections do not have an IP address?
Re: ls in color
On 08-12-2023 at 19:42 Theo de Raadt wrote:
Karel Lucas wrote:
In openBSD V7.4 I would like to see the output of ls in color, and therefore would like to know how to configure that. The output of "man ls" provides no information about this. Can anyone give me a tip?
Black and white are also colours.

That is not what I had in mind!
ls in color
Hi all, In openBSD V7.4 I would like to see the output of ls in color, and therefore would like to know how to configure that. The output of "man ls" provides no information about this. Can anyone give me a tip?
Connecting a wireless keyboard via Bluetooth
Hi all, I have a computer with openBSD V7.4 without X11, to which I want to connect a wireless keyboard via Bluetooth. The keyboard is connected via a separate USB Bluetooth receiver. What software do I need for this, and how do I configure it? I hope someone responds to this.
Re: reorder_kernel: failed
On 17-10-2023 at 16:50 Janne Johansson wrote:
On Tue 17 Oct 2023 at 16:49 Karel Lucas wrote:
Hi all, After a new installation of openBSD 7.4 I received the following message: "reorder_kernel: failed -- see /usr/share/relink/kernel/GENERIC.MP/relink.log". That turns out to be a zlib compressed data file, and I don't know how to unpack or read it. Does anyone know how I can do that?
If it actually is a zlib compressed file, then "zcat" or "zless" should work fine.
--
May the most significant bit of your life be positive.

Content of relink.log:

(SHA256) /bsd: OK
LD="ld" sh makegap.sh 0x gapdummy.o
ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o ${OBJS}
text data bss dec hex
21325291 403432 1241088 22969811 15e7dd3
mv newbsd newbsd.gdb
ctfstrip -S -o newbsd newbsd.gdb
rm -f bsd.gdb
mv -f newbsd bsd
install -F -m 700 bsd /bsd && sha256 -h /var/db/kernel.SHA256 /bsd
install: rename: INS@4erJJ3bo3 to /bsd: Operation not permitted
*** Error 1 in /usr/share/relink/kernel/GENERIC.MP (Makefile:2267 'newinstall')
Re: reorder_kernel: failed
On 17-10-2023 at 16:53 Jan Stary wrote:
On Oct 17 16:46:13, cahlu...@planet.nl wrote:
Hi all, After a new installation of openBSD 7.4 I received the following message: "reorder_kernel: failed -- see /usr/share/relink/kernel/GENERIC.MP/relink.log". That turns out to be a zlib compressed data file, and I don't know how to unpack or read it. Does anyone know how I can do that?
That's supposed to be a text file (a log, duh). Have you looked at it? What makes you think it's a zlib file?
file /usr/share/relink/kernel/GENERIC.MP/relink.log
reorder_kernel: failed
Hi all, After a new installation of openBSD 7.4 I received the following message: "reorder_kernel: failed -- see /usr/share/relink/kernel/GENERIC.MP/relink.log". That turns out to be a zlib compressed data file, and I don't know how to unpack or read it. Does anyone know how I can do that?
OpenBSD 7.4
Is it already known when openBSD 7.4 will be released? I would like to know that, because of a project I am working on.
Re: Mouse not working via KVM switch
Dear Nick, I have now installed Linux on the same computer in place of openBSD and the mouse works fine via the KVM switch. This despite possible broken capacitors, wrong voltages and malfunctioning computers. Note that not all computers connected to the KVM switch will work at the same time. There appear to be other problems with openBSD's X-window system. The X session on openBSD is started manually with "startx". After stopping such a session with ctrl + alt + backspace I get the following error messages:
WARNING: Kernel has no file descriptor comparison support: No such file or directory
(EE) Failed to open authorization file "/root/.serverauth.xx": Permission denied (xx has different characters at each session)
xterm: fatal IO error 35 (resource temporarily unavailable) or KillClient on X server ":0"
I don't know what these error messages mean and how to fix them. Maybe someone can help me with that. It looks like it's not just a problem with the mouse, but there's more to it.

On 19-08-2023 at 03:58 Chris Bennett wrote:
On Fri, Aug 18, 2023 at 07:58:03PM +0200, Karel Lucas wrote:
Dear Nick, For more than ten years I have been working with an ATEN brand KVM switch together with several computers, including linux and openBSD (version 4.1). In all these years I have had no problems, not with my KVM switch, nor with any degree of disconnection. The keyboard works flawlessly via the switch, it's only the mouse that I have a problem with, and only with openBSD.
This is not very clear at all. You have used the same KVM switch for ten years, but haven't considered it having hardware degradation over that time? Capacitors are well known for having limited lifetimes and are *usually* the first item looked at in repairs. Switches also fail due to dirty contacts. Or, are you saying that everything worked fine for OpenBSD 4.1, but not for OpenBSD 7.3? The changes over that time have been enormous.
On 17-08-2023 at 13:56 Nick Holland wrote:
First of all, does your mouse work directly plugged into the OpenBSD computer?
Yes, it does.
If so, it's your KVM switch.
As I mentioned above I have been working with my KVM switch and openBSD for over ten years with very good results.
Second...if you boot the OpenBSD machine with the KVM pointed at the OpenBSD machine, does it work?
No, even then it won't work.
Have you swapped ports on the KVM switch to rule out a partial hardware failure on the switch? Have you also disconnected the other hardware and OS inputs to rule out them as the source of the problem? Have you checked that the other machines are producing the correct supply voltages? Power supply failures are a consistent problem with computers. High or low voltages don't mix well. Have you checked with your switch manufacturer to make sure there wasn't a problem with your switches model? It happens a lot. After ten years of service, if you insist that the switch isn't the problem, (Prove it) then you need to also prove that the other hardware is functioning properly. Do not believe what the BIOS or sensors say that the voltage is. A bad voltage will cause those readings to fail. Get a good voltmeter with excellent probes for this kind of work and check *everything*. Please use a great deal of care. You will need to measure voltages on the motherboards in addition to what the power supply puts out. Everything is running and you will need to check in many spots. Also, there are high voltages inside the power supply. Don't get electrocuted. Drain the voltages off the capacitors in there with a suitable tool for that purpose if you go inside there. Yes, even with the power off and power cable disconnected. And it's tricky. I have a power supply cable for two hard drives. Two connectors crimped across the same cable. One of the crimps is bad. Recognizing that saved me a trip to hell after about an hour. Easy to fix, damned hard to locate.
Chris Bennett You might be able to improve how OpenBSD deals with KVM switched mice, because yes, it does seem to be a little more touchy than some other OSs, but someone with good programming and HW trouble shooting skills AND a cheap-*** POS KVM switch would have to care. Most people that skilled generally just buy a better KVM switch and move on. That more than ten years of loyal service proves that my KVM is of good quality. What does the dmesg show as you switch the KVM around? That would tell us how the KVM works. Some are equiv. of plugging and unplugging the mouse/keyboard/monitor, some do some kind of "keep alive" so the computer thinks the mouse is still there. Both can cause problems of different types (my "good" one seems to plug/unplug the mouse/keyboard, but has a great keep-alive for the monitor). What I've learned about my KVM swit
Re: Mouse not working via KVM switch
Dear Nick, For more than ten years I have been working with an ATEN brand KVM switch together with several computers, including linux and openBSD (version 4.1). In all these years I have had no problems, not with my KVM switch, nor with any degree of disconnection. The keyboard works flawlessly via the switch, it's only the mouse that I have a problem with, and only with openBSD.

On 17-08-2023 at 13:56 Nick Holland wrote:
First of all, does your mouse work directly plugged into the OpenBSD computer?
Yes, it does.
If so, it's your KVM switch.
As I mentioned above I have been working with my KVM switch and openBSD for over ten years with very good results.
Second...if you boot the OpenBSD machine with the KVM pointed at the OpenBSD machine, does it work?
No, even then it won't work.
You might be able to improve how OpenBSD deals with KVM switched mice, because yes, it does seem to be a little more touchy than some other OSs, but someone with good programming and HW trouble shooting skills AND a cheap-*** POS KVM switch would have to care. Most people that skilled generally just buy a better KVM switch and move on.
That more than ten years of loyal service proves that my KVM is of good quality.
What does the dmesg show as you switch the KVM around? That would tell us how the KVM works. Some are equiv. of plugging and unplugging the mouse/keyboard/monitor, some do some kind of "keep alive" so the computer thinks the mouse is still there. Both can cause problems of different types (my "good" one seems to plug/unplug the mouse/keyboard, but has a great keep-alive for the monitor).
What I've learned about my KVM switch over the past ten years is that both the mouse and keyboard are emulated when they are switched to another computer. Never have I had any problems with my computers when switching with my KVM switch.
Mouse not working via KVM switch
HI all, On a recent install of openBSD I can't get the mouse to work through my KVM switch. I work with various computers via a KVM switch on 1 monitor with a keyboard/mouse combination. Only on the PC with openBSD the mouse does not work, the keyboard on the other hand works fine. Both are connected to the KVM switch via USB, and the switch via USB to the computers. The brand of the mouse is Logitech. Does anyone know why the mouse doesn't work, but the keyboard does?
Unable to add packages
Hi all, Entered on a fresh install of openBSD : pkg_add bash. I got the following error: ftp: ftp.nluug.nl/pub/OpenBSD: no address associated with name. Not too long ago I did this on another machine and it worked. The correct site is listed in /etc/installurl: https://ftp.nluug.nl/pub/OpenBSD. Can someone give me a tip on how to solve this?
Re: Mouse does not work
dmesg:
...
uhub5 at uhub0 port 1 configuration 1 interface 0 "NEC hub" rev 2.00/1.00 addr 2
uhidev0 at uhub5 port 1 configuration 1 interface 0 "Logitech HID compliant keyboard" rev 1.10/1.80 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0: console keyboard
uhidev1 at uhub5 port 1 configuration 1 interface 1 "Logitech HID compliant keyboard" rev 1.10/1.80 addr 3
uhidev1: iclass 3/0, 2 report ids
...
uhub6 at uhub5 port 4 configuration 1 interface 0 "ATEN International product 0x8021" rev 1.10/1.00 addr 4
uhidev2 at uhub6 port 1 configuration 1 interface 0 "Logitech USB Receiver" rev 2.00/12.11 addr 5
uhidev2: iclass 3/1
ukbd1 at uhidev2: 8 variable keys, 6 key codes
wskbd2 at ukbd1 mux 1
uhidev3 at uhub6 port 1 configuration 1 interface 1 "Logitech USB Receiver" rev 2.00/12.11 addr 5
uhidev3: iclass 3/1, 8 report ids
ums0 at uhidev3 reportid 2: 16 buttons, Z and W dir
wsmouse0 at ums0 mux 0
...

usbdevs:
Controller /dev/usb0:
addr 01: 8086: Intel, EHCI root hub
addr 02: 0409:005a NEC, hub
addr 03: 046d:c30e Logitech, HID compliant keyboard
addr 04: 0557:8021 ATEN International, product 0x8021
addr 05: 046d:c52b Logitech, USB Receiver
addr 06: 04b4:6560 Cypress Semiconductor, USB2 Hub
addr 07: 1221:3234 USB2.0, Flash Diskr
Controller /dev/usb1:
addr 01: 8086: Intel, UHCI root hub
Controller /dev/usb2:
addr 01: 8086: Intel, UHCI root hub
Controller /dev/usb3:
addr 01: 8086: Intel, UHCI root hub
Controller /dev/usb4:
addr 01: 8086: Intel, UHCI root hub

On 04-08-2023 at 16:41 Peter J. Philipp wrote:
On Fri, Aug 04, 2023 at 04:24:09PM +0200, Karel Lucas wrote:
Hi all, I have a few computers that I control with the same keyboard, mouse and monitor via an electronic switch. Namely a Linux PC and an Apple (macos x), but now also a PC with openBSD. Both Linux PC and Apple work fine with the switch, only with the PC with openBSD the mouse does not work. No problem with the keyboard and monitor.
The mouse is of the wireless type, so radio controlled. What is the problem here, and what can I do about it? Hi Karel, I have a KVM switch too, though not sure if they are similar. I can control three computers and a possible fourth if I had it hooked up. There is USB inputs for keyboard and mouse and an extra USB port on a hub, as well as a built in sound card that has an on/off switch. I also have a selection button that toggles the PC # I want to switch to. This is also doable by pressing shift-lock twice and the number 1 through 4. This is a USB intercept and not passed through to the computer which was selected's hardware. The way I fathom your setup is similar to mine, with an adapter for the wireless mouse to go into USB? It is always good to post a dmesg with any hardware description so I'm gonna ask you for yours, it also doesn't hurt to give a usbdevs output. Best Regards, -peter
Mouse does not work
Hi all, I have a few computers that I control with the same keyboard, mouse and monitor via an electronic switch. Namely a Linux PC and an Apple (Mac OS X), but now also a PC with OpenBSD. Both the Linux PC and the Apple work fine with the switch; only with the OpenBSD PC does the mouse not work. No problem with the keyboard and monitor. The mouse is of the wireless type, so radio controlled. What is the problem here, and what can I do about it?
Two problems
Hi all, On a desktop PC on which I have OpenBSD, I installed KDE. When I start the X Window System, I still see Fvwm, and no KDE. I also want to start the X Window System when I start this PC, and that is not yet the case. How can I solve both problems?
Re: Installing OpenBSD
Hi, My OpenBSD installation was successful! I first removed all partitions except for the EFI partition, which I left. Second, I created one OpenBSD partition (type A6) on the freed space, after which I partitioned that partition with the auto layout. Then I continued with the regular installation, and after reboot I got the login prompt. So in hindsight it was wise to leave the EFI partition. Perhaps others can benefit from this experience.

On 01-08-2023 at 07:04, patric conant wrote:
Hitting enter in the installer to use the whole disk will take care of you. As pointed out repeatedly, there are no requirements from pfSense to install or maintain OpenBSD. In the same way that pfSense didn't need anything from OpenBSD to install, OpenBSD can create all the necessary partitions for a successful EFI experience, and doesn't need anything from pfSense.

On Sun, Jul 30, 2023 at 12:41 PM Karel Lucas wrote:
Hi all, I'm going to install OpenBSD on a small PC that currently has pfSense on it. This PC boots this OS via (U)EFI, and therefore has an EFI partition on the existing SSD. The current partition table looks like this, as shown by OpenBSD fdisk: 0: efiboot0 1: gptboot0 2: swap0 3: zfs0. Should I keep the (U)EFI partition? And if so, how do I mount the future OpenBSD root partition to this (U)EFI installation? Are there any other things I should watch out for? I look forward to receiving responses from this community. Sincerely, Karel.

-- Patric Conant, Mirage Computing, Lead Consultant. @MirageComputing <https://twitter.com/MirageComputing> on twitter, https://m.facebook.com/MirageComputing/, 316 409 2424
Re: Installing OpenBSD
Hi, But fdisk also has an option to edit the existing partition table. This allows me to delete only the partitions related to pfSense without deleting the (U)EFI partition. The question here is whether I will need it to boot OpenBSD's root partition.

On 31-07-2023 at 16:10, Theo de Raadt wrote:
Karel Lucas wrote:
Multi-boot is not an option here. The intention is to replace the entire pfSense installation with OpenBSD. Eventually this computer becomes a firewall with PF, so the current installation is unnecessary. But my question remains whether I need the (U)EFI partition for that or not. Can anyone give me some helpful advice?

You are overthinking it. The default way through the installer reuses the whole disk.
Re: Installing OpenBSD
Hi, Multi-boot is not an option here. The intention is to replace the entire pfSense installation with OpenBSD. Eventually this computer becomes a firewall with PF, so the current installation is unnecessary. But my question remains whether I need the (U)EFI partition for that or not. Can anyone give me some helpful advice?

On 31-07-2023 at 14:33, Peter N. M. Hansteen wrote:
On Mon, Jul 31, 2023 at 07:52:02AM -0400, Nick Holland wrote:
IF you want to multiboot, just don't until you can answer questions like this yourself. Multibooting is very complicated, and requires a mastery of the boot process of ALL the OSs installed. People often consider it a way to "learn" a new OS; I disagree, it is a good way to get massively frustrated and lose a lot of data.

I could not agree more. Unless you are specifically interested in learning how to develop bootloaders and that is something that you consider essential to your career plan going forward, please do not mess with multibooting. If your plan is to learn anything besides bootloader internals, please do the sane thing and either run the one you are trying to learn on bare hardware (the best you can afford) or, if you are comfortable with a virtualization platform, use that. Multibooting will always be a painful distraction unless bootloaders and their interactions with OSes and random hardware are what you want to spend the bulk of your time on. - Peter
Re: Installing OpenBSD
Hi, It is not intended to be a dual boot installation. Therefore, the pfSense installation must be replaced by OpenBSD. My question is what I should do with the (U)EFI partition, and how I can possibly link OpenBSD to it. Does anyone have some good suggestions for me?

On 31-07-2023 at 00:06, Saïd AARAB wrote:
Hi, It depends if you want to keep the existing pfSense install or if you want dual boot. If looking to install beside pfSense, I would believe that installing OpenBSD along any existing OS should be no different than installing Linux or Windows along another OS, as you would need to prepare the block device (SSD) by making space if possible (and if you don't have any) for another partition in which you would install OpenBSD. So any documentation (explaining how to shrink existing partitions, create another partition, handle dual boot) that is not necessarily specific to OpenBSD should help. I'm not very familiar with how pfSense works and if it did install a bootloader; if not, you might need to install one like GRUB and configure it to be able to select between the two OSes at startup. Overall, installing dual boot is very tricky and you should be careful to not wipe your existing data; a backup is advised.

On Jul 30, 2023 19:30, Karel Lucas wrote:
Hi all, I'm going to install OpenBSD on a small PC that currently has pfSense on it. This PC boots this OS via (U)EFI, and therefore has an EFI partition on the existing SSD. The current partition table looks like this, as shown by OpenBSD fdisk: 0: efiboot0 1: gptboot0 2: swap0 3: zfs0. Should I keep the (U)EFI partition? And if so, how do I mount the future OpenBSD root partition to this (U)EFI installation? Are there any other things I should watch out for? I look forward to receiving responses from this community. Sincerely, Karel.
Installing OpenBSD
Hi all, I'm going to install OpenBSD on a small PC that currently has pfSense on it. This PC boots this OS via (U)EFI, and therefore has an EFI partition on the existing SSD. The current partition table looks like this, as shown by OpenBSD fdisk: 0: efiboot0 1: gptboot0 2: swap0 3: zfs0. Should I keep the (U)EFI partition? And if so, how do I mount the future OpenBSD root partition to this (U)EFI installation? Are there any other things I should watch out for? I look forward to receiving responses from this community. Sincerely, Karel.
Mounting an SD card and a USB stick
Dear all, For a fresh install of OpenBSD, I want to mount an SD card or a USB stick on an existing OpenBSD install, but don't know which device name to use. Maybe someone can help me out?
Which hardware for a firewall?
Hi all, I'm going to create a firewall with OpenBSD, and would like to use the ARM64 or ARMv7 distribution for that. Unfortunately I don't know what hardware I can get for this, and that's the reason for this mail. Can someone point me to a suitable platform for this? If this email does not belong on this mailing list, I offer my apology. This is my first post on this mailing list, and I ask for understanding. Sincerely, Karel.