Re: ntpd could not parse "pool.ntp.org"
The static route you'll need to add will be for your internal lan eg:

192.168.1.0 netmask 255.255.255.0 gateway 192.168.0.9

This'll tell your adsl router that to get to the 192.168.1. network it needs to go through the 192.168.0.9 interface of your openbsd box. Note this is the outside interface IP address.

A quick basic networking explanation - routers aren't too intelligent. They cannot find devices with IP addresses outside their ip and subnet mask range - eg your adsl router will automatically find devices with IP addresses 192.168.0.1 to 254 but to find any other devices with an IP address outside this range it needs help - this is where static routes and gateways come in. The gateway address is effectively a default place that the router can go to to find other IP addresses & devices, but it can be overridden by a static route. In your case the router doesn't know where the 192.168.1.0/24 network is so it goes to your ISP's router but as it's a reserved internal range, plus the fact that your ISP doesn't know your lan - the packets just get timed/dropped out as the ISP's router doesn't know what to do with them. The static route will point the adsl router to your openbsd box which, as the internal interface is on the 192.168.1.0/24 network, knows where to route the packets. (Hopefully that makes sense - for a proper in depth explanation, google terms like mac addresses, arp packets, broadcasts) If it doesn't make sense let me know and I'll explain it again.

This should allow your adsl router to return packets destined for your internal lan to the right place.

I've just seen your reply to Diana so we know that pf isn't used. Once you add this static route to your adsl router your internal PC's should be able to access the internet. We've still got the dns resolving issue though. It's all a bit odd and I'm a bit stumped. Try the static route on the adsl router & test with a machine on your internal lan while I try to think what to do next.

Your internal lan pc will need to have a gateway of the 192.168.1.3 address of your openbsd box. Note this is the internal ip address. The PC will need the DNS addresses from your ISP.

This is how I understand it should be:

ADSL Router
    192.168.0.1 subnet 255.255.255.0
    Static route 192.168.1.0 255.255.255.0 gateway 192.168.0.9
    |
    | DMZ
    |
OpenBSD box
    external interface 192.168.0.9 subnet 255.255.255.0
    Default gateway in /etc/mygate of 192.168.0.1
    DNS servers in /etc/resolv.conf of 194.224.52.6 and 194.225.52.4
    internal interface 192.168.1.3 subnet 255.255.255.0
    |
    | INTERNAL LAN
    |
Your PC's
    192.168.1.x addresses subnet 255.255.255.0
    DNS servers of 194.224.52.6 and 194.225.52.4
    Default gateway of 192.168.1.3

Cheers.

Mike Henker wrote:
> Answering all the points:
>
> > Just type "nslookup www.google.com" and see what response you get.
> connection timed out; no servers could be reached
>
> > One of google's IPs is 66.102.7.99 if you want to test a traceroute.
> Traceroute works fine with google's IPs (66.102.7.99) but if I do a "traceroute www.google.com" it says connection timed out; no servers could be reached
>
> > Just type "nslookup www.google.com" and see what response you get.
> says: "connection timed out; no servers could be reached"
>
> > Can you see if you can add static routes on your adsl router?
> Yes I can add static routes, I suppose then I must add 192.168.1.3?
>
> > Your internal PC's will need to be configured with a 192.168.1.x
> > address (255.255.255.0 subnet) and a gateway of 192.168.1.3, and dns
> > server IP's of 194.224.52.6 and 194.225.52.4
> > They should then be able to connect to the internet.
> Actually it doesn't work. I suppose when I add the static route to the router (192.168.1.3) it will work, right?
>
> Salutes,
> Mike
>
> Nick wrote:
> > That all looks fine. Ping isn't really a great test of network connectivity outside of your own lan anymore. Most sites tend to block ping nowadays as a matter of course.
> >
> > What you can do is usually ping your ISP's router and you can find this from a "traceroute www.google.com" command - the first hop past your adsl router will tend to be your isp's router. You can then use this as a ping test. One of google's IPs is 66.102.7.99 if you want to test a traceroute.
> >
> > Can you test your dns lookups now from your openbsd box please? I think it'll work as you're not getting the ntpd errors any longer. Just type "nslookup www.google.com" and see what response you get.
> >
> > To get your machines behind the openbsd box routing through it we'll either need to use nat'ing or get your adsl router to static route all 192.168.1.x traffic through the openbsd server. Can you see if you can add static routes on your adsl router? There's usually a configuration page somewhere. This is ideally what you should do as if you can't we'll be adding in more nat'ing (ie your openbsd box will nat once, then your adsl router will nat again - it'll work but it's not very
Re: ntpd could not parse "pool.ntp.org"
Congratulations!!

I don't know what else we can try with getting dns lookups to work on your openbsd box. We've:

Checked /etc/resolv.conf <-- this should have been the likely cause
Checked /etc/hostname.rl1 and rl0 <-- subnets are ok
Checked /etc/mygate <-- this is the adsl router IP
Checked that pf isn't running <-- proved by running pfctl -vvsall

We've not looked in /etc/hosts but it's really unlikely this'd be a problem as we've been testing with different hosts.

Is there anyone else on the mailing list with any suggestions? We know that the network is routing properly and that the dns servers work as other machines are working both through the openbsd and without it.

Cheers - Nick

Mike Henker wrote:
> Something began to work! Nick, after adding the static route:
> > 192.168.1.0 netmask 255.255.255.0 gateway 192.168.0.9
> And putting my wife's PC with the config you said:
> > Your PC's 192.168.1.x addresses subnet 255.255.255.0
> > DNS servers of 194.224.52.6 and 194.225.52.4
> > Default gateway of 192.168.1.3
> It works!!
>
> I'm trying what Steve Williams said about trying nslookup from the firewall but it doesn't work. I had an idea: I have a linux machine and used 2 different IPs and the nslookup works without probs, for this reason I suppose it must be a problem from the firewall. Exactly what I did was:
>
> With the PC with Linux installed:
> - I used the IP 192.168.0.50 (connecting the PC directly to the router)
> - I used the IP 192.168.1.50 (connecting the PC directly to the hub - the internal LAN where my wife's PC is also connected)
>
> And with both IPs the nslookup works correctly. I can't understand why if I do the nslookup from the firewall it says all the time "connection timed out; no servers could be reached".
>
> Regards,
> Mike
>
> Nick Ryan wrote:
> > The static route you'll need to add will be for your internal lan eg:
> > 192.168.1.0 netmask 255.255.255.0 gateway 192.168.0.9
> > This'll tell your adsl router that to get to the 192.168.1. network it needs to go through the 192.168.0.9 interface of your openbsd box. Note this is the outside interface IP address.
> > [...]
Re: is there a way to block sshd trolling?
You could use pf to block linux ssh access.

block in log quick on $EXT_IF inet proto tcp from any os "Linux" to port 22 label "Blocked Linux ssh access: "

That'll reduce it quite a lot.

John Marten wrote:
> You know what i mean? Every day I get some script kiddie, or adult trying to guess usernames or passwords. I've installed the newest version of SSH, so i'm covered there. But I still get a dozen or 2 of the
>
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
>
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp} from ###.##.##.### to any flags S/SA' entry in my pf.conf file. But if I had to do that for every hacker my pf.conf would be huge! There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
> Information Technology Specialist
Re: is there a way to block sshd trolling?
What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:

table <sshdtrolls> persist

and a rule

#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"

A swatchrc file of:

watchfor /Failed password for invalid user/
    exec /sbin/pfctl -t sshdtrolls -T add $13
    [EMAIL PROTECTED], --subject=woo. we have a troll
    throttle 02:00
    exec echo $13 >> /root/swatchlog

Then run swatch with:

/usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &

(Note file locations and settings might need to be changed depending on your config)

I also have the AllowUsers and use PubKeyAuthentication and PasswordAuthentication No settings enabled in sshd_config. This means that for a normal login the error "Failed password for invalid user" won't come up as it'll never get that far as it's expecting a key. If a troll tries to log in, they get one chance before the swatch picks it up and adds it to the block table.
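As an added example (not from the post above, and not part of swatch or pf), the following /bin/sh script checks what the `$13` in the swatchrc actually picks out of an sshd authlog line, and only lets a well-formed IPv4 address through to the `pfctl -t sshdtrolls -T add` step. The log lines are constructed for the example; the host name, PIDs and 203.0.113.x addresses are documentation values, not real clients. It also shows why the `watchfor` pattern matters: on a "Failed password for nick" line for a real account, the 13th token is the port, not the address.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from swatch/pf: check what
# the "$13" in the swatchrc picks out of an sshd authlog line, and only hand a
# well-formed IPv4 address to the table. Sample lines below are constructed;
# 203.0.113.0/24 is a documentation range, not a real client.

# The 13th whitespace-separated token, which is what swatch substitutes for $13.
field13() {
    printf '%s\n' "$1" | awk '{ print $13 }'
}

# The token after the word "from". This survives a username that is more than
# one token (that would shift the field count and make $13 point elsewhere).
ip_after_from() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); exit } }'
}

# Accept only a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# For a line that matches the swatch pattern, print the pfctl command that
# would be run (dry run); return 1 for lines that should add nothing.
troll_action() {
    case $1 in
        *"Failed password for invalid user"*) ;;
        *) return 1 ;;
    esac
    ip=$(ip_after_from "$1")
    is_ipv4 "$ip" || return 1
    printf 'pfctl -t sshdtrolls -T add %s\n' "$ip"
}

# Constructed authlog lines: a guessed account, a real account with a wrong
# password, and a pre-auth "Invalid user" line that the pattern does not match.
LINE1='Oct  5 12:34:56 fw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4321 ssh2'
LINE2='Oct  5 12:35:01 fw sshd[1240]: Failed password for nick from 203.0.113.8 port 4322 ssh2'
LINE3='Oct  5 12:35:09 fw sshd[1251]: Invalid user test from 203.0.113.9'

for l in "$LINE1" "$LINE2" "$LINE3"; do
    troll_action "$l" || echo "no table change for: $l"
done
```

Run it as `sh check_troll.sh` (any file name); only LINE1 produces a `pfctl` command. Replacing the `printf` in `troll_action` with the real `pfctl` call turns it into a drop-in for the swatch `exec` line, with the address validated first.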
Re: is there a way to block sshd trolling?
Strange. It's working for me - I've just tested my own setup again and it blocks me. Although the file logging isn't working though - not sure why that is...

Can you confirm that your pf rules have the block line in before the permit rule and that it's correct for your firewall rules - ie. no other rule is overriding it and that you're testing it on the interface the rule is on - ie the external interface.

You could change your permit ssh line to be something like this:

pass in log quick inet proto tcp from ! <sshdtrolls> to $EXT_IF port 22 modulate state label "ssh in" flags S/SA

Change that line for whatever suits your rules - it's just an example of the ! bit. You probably don't even need the block rule in with this.

Also check the IP address in the table with pfctl -t sshdtrolls -T show and make sure it's correct.

The reason I think it's a firewall rule is that you said it said 1/1 address added which means that it's picking it up from the logs and adding it to the table - the only other place it can go wrong is in the block rule.

Let me know how you get on.

Cheers - Nick

Rico wrote:
> Dear Nick
>
> I have tried your setup below. I too have the setup and file placement as you, but I am not using keys. When I try to log on as an illegal user, the attempt is logged by authlog, and having swatch running from the console it says: 1/1 addresses added.
>
> I am using this 'table persist file "/root/pf/sshdhackers"'
>
> I don't get any entries in the sshdhackers file and I don't get blocked from the system. I also use AllowUsers
>
> Would you mind explaining a bit more about your setup?
>
> Friendly Rico.
>
> Nick Ryan wrote:
> > What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:
> > table <sshdtrolls> persist
> > and a rule
> > #stop ssh trolls
> > block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
> > [...]
Re: is there a way to block sshd trolling?
Hi Rico,

I'd probably do that the other way - get rid of the log file bit out of the swatch config and let that update the pf table. Set up a separate cronjob to dump the table contents to a file every hour or so with a

pfctl -t sshdtrolls -T show > LOGFILENAME

This way the pf table is instantly updated as the person is scanning and the logfile is created later on. If you do it the other way you're back with the problem of how to import the logfile into the table quickly enough to stop the scanning.

Cheers.

Nick

Rico wrote:
> Hi Nick
>
> Nick Ryan wrote:
> > Strange. It's working for me - I've just tested my own setup again and it blocks me. Although the file logging isn't working though - not sure why that is...
>
> This, I think, is the interesting part because I want that very log file to be the "blacklist" file and then to have Swatch make pf grab that file. That way each time there is an "Illegal user" the log file is extended with the IP and pf adds that IP to the block rule. I will try to work on this before working more on the missing block part :-)
>
> Thanks for your reply!
>
> Kindly Rico.
>
> > Can you confirm that your pf rules have the block line in before the permit rule and that it's correct for your firewall rules - ie. no other rule is overriding it and that you're testing it on the interface the rule is on - ie the external interface.
> >
> > You could change your permit ssh line to be something like this:
> >
> > pass in log quick inet proto tcp from ! <sshdtrolls> to $EXT_IF port 22 modulate state label "ssh in" flags S/SA
> >
> > Change that line for whatever suits your rules - it's just an example of the ! bit. You probably don't even need the block rule in with this.
> >
> > Also check the IP address in the table with pfctl -t sshdtrolls -T show and make sure it's correct.
> >
> > The reason I think it's a firewall rule is that you said it said 1/1 address added which means that it's picking it up from the logs and adding it to the table - the only other place it can go wrong is in the block rule.
> >
> > Let me know how you get on.
> >
> > Cheers - Nick
> >
> > Rico wrote:
> > > Dear Nick
> > >
> > > I have tried your setup below. I too have the setup and file placement as you, but I am not using keys. When I try to log on as an illegal user, the attempt is logged by authlog, and having swatch running from the console it says: 1/1 addresses added.
> > >
> > > I am using this 'table persist file "/root/pf/sshdhackers"'
> > >
> > > I don't get any entries in the sshdhackers file and I don't get blocked from the system. I also use AllowUsers
> > >
> > > Would you mind explaining a bit more about your setup?
> > >
> > > Friendly Rico.
> > >
> > > Nick Ryan wrote:
> > > > What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:
> > > > table <sshdtrolls> persist
> > > > [...]
Re: Blocking web content
I second using PF and transparent squid. It works extremely well and is pretty much foolproof. This is what I use at work and it's blocking sites by domain name, regex matching, flash videos, mp3 sites and also limiting filetype downloads.

The interesting bit of squid.conf is here:

acl adclick dstdomain .doubleclick.net .valueclick.net .falkag.net .doubleclick.com .mediaplex.com .adbrite.com .linksynergy.com .adengage.com .yieldmanager.com .falkag.de pagead2.googlesyndication.com .adlog.com .tribalfusion.com .intellitxt.com .fastclick.net .burstnet.com .casalemedia.com .atwola.com .serving-sys.com .atdmt.com .msads.net .blogads.com .overture.com .advertising.com .chitika.net .247realmedia.com .veoh.com .fmpub.net .adinterax.com .snap.com
http_access deny adclick

acl adminpc1 src 172.29.100.100/255.255.255.255
acl adminpc2 src 172.29.100.146/255.255.255.255
acl adminwsus src 172.29.100.30/255.255.255.255

acl blockfiles urlpath_regex \.flv(\?.*)?$ \.mp3(\?.*)?$ \.wmv(\?.*)?$ \.avi(\?.*)?$ \.mov(\?.*)?$ \.zip(\?.*)?$ \.exe(\?.*)?$ \.cab(\?.*)?$ \.vbs(\?.*)?$
http_access deny blockfiles !adminpc1 !adminpc2 !adminwsus

acl adregex dstdom_regex -i (^)ads\. (^)ad1\. (^)ad2\. (^)adserver\. (^)ad\. (^)ads1\. (^)ads2\.
http_access deny adregex

acl afterwork time MTWHF 18:00-22:10
acl streaming rep_mime_type -i ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1 ^video/x-flv ^video/flv ^video/mpeg ^video/x-ms-wvx ^video/x-ms-wmv ^video/vnd.divx ^video/quicktime
http_reply_access deny streaming !afterwork !adminpc1 !adminpc2

It pretty much stops all streaming video. The only hole that there is is due to the transparent proxy and the fact that it has to let through https unfiltered. Luckily I've not found any sites that use https yet that I want to block...

It doesn't block all ads either but it does get most of the ones from the sites I look at ;)

These rules have changed my bandwidth usage from nearly 100% saturation to a much more reasonable 25-40%.

Hope this might be of interest to someone.

Oh yeah, one last thing. To stop IE6/IE7 from throwing a strop and putting stupid errors in pages, replace the file:

/usr/local/share/squid/errors/English/ERR_ACCESS_DENIED

with:

http://www.w3.org/TR/html4/loose.dtd";>

I think I might have gone a bit overboard with this reply, ah well. To answer the original email you could also just use a standard pf block command.

Cheers - Nick

On 18 Apr 2007, at 08:13, Siju George wrote:
> On 4/18/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > I run an openbsd firewall. I want to block certain sites either by IP
> > address or by domain name. How do I get more information on how to set
> > this up?
> >
>
> I use Squid Cache proxy because you can Block by URLs, URL regular
> expression, users, computers etc. There are lots of Re-director
> Programs that provide more functionality if you are looking for more
> than blocking By IP or Domain name
>
> http://www.squid-cache.org/related-software.html
>
> Squid is available both in packages and ports :-)
>
> kind Regards
>
> Siju
Re: PF rules2
err. Maybe it's me but to answer his original question - it's more than likely a DNS lookup issue. Have a look in /etc/ssh/sshd_config and add in:

UseDNS no

restart the sshd daemon with a kill -HUP command and you should have no problems. Alternatively, you could fix your dns lookup issues..

Cheers - nick

On 4 May 2007, at 14:06, Fred Crowson wrote:
> Tang Tse wrote:
> > Thanks for the answer. Is it secure to open DNS ports to the outside world? Or do you mean to open outgoing DNS connections? If I want to redirect incoming ssh connections from the internet to some inside server, should I open DNS incoming?
> > Thanks!!
>
> Not necessarily - but how about a rule like:
>
> pass out on $ext_if proto { tcp, udp } from any to $my_nameserver \
>     port 53 keep state
>
> HTH
>
> Fred
>
> PS http://home.nuug.no/~peter/pf/ is well worth reading
>
> --
> http://www.crowsons.net/puters/x41.php
Re: Redundant web servers
If you haven't already seen it on undeadly.org this might be what you're after:

http://spootnik.org/hoststated/hoststated_introduction.html

Cheers

On 18 Jan 2007, at 18:08, Jeff Simmons wrote:
> I'm setting up some auto-failover web servers (load balancing isn't needed). CARP would seem ideal for the case where a machine fails, but I'd also like to failover if httpd stops responding for some reason. Some research has shown a couple of possible solutions, but there doesn't seem to be a 'standard' way of doing this. Does anyone have any recommendations?
>
> --
> Jeff Simmons [EMAIL PROTECTED]
> Simmons Consulting - Network Engineering, Administration, Security
>
> Delirium: There must be a word for it ... the thing that lets you know that time is happening. Is there a word?
> Sandman: Change.
> Delirium: Oh. I was afraid of that.
> -- Neil Gaiman, "Brief Lives"
Re: Greylisting google's gmail servers
> We have a problem getting mail from gmail through spamd. Google's gmail
> public mail service uses a large number of smtp servers. The first time
> gmail tries to contact our smtp, it is being greylisted on our spamd
> server. The problem is the next time it tries to repeat the
> transmission, it appears trying it from a different IP and is greylisted
> again. So the mail may get through after a very long time.
> I understand this is not a problem of spamd. However, is there any
> solution for accepting mail from gmail? Eg. is there any list of IP
> addresses they are using?
> Thank you.
>
> Lukas Kubin
>

What I do is have a separate whitelist file that has exceptions in it for spamd. Add these two rules to your pf.conf and add a line to the whitelist.txt file that has the ip range of google's servers in it.

pf.conf snippet:

table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/root/white.txt"    <== add this line
rdr pass on $EXT_IF inet proto tcp from <spamd-mywhite> to any port 25 -> 127.0.0.1 port smtp    <== add this line
rdr pass on $EXT_IF inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
rdr pass on $EXT_IF inet proto tcp from ! <spamd-white> to any port smtp -> 127.0.0.1 port 8025

/root/whitelist.txt:

216.239.32.0/19 #gmail servers

It's a bit of an extreme allowance really... www.dnsstuff.com is good for looking up allocated IP ranges by the way.

You should probably have the whitelist somewhere better than the root homedir although it works for me though as I only want root to access and update it.

If you make a change to the whitelist file, update the table with:

pfctl -t spamd-mywhite -T add -f /root/white.txt

Cheers - Nick
Re: Erratic NAT behaviour
man 4 pppoe - you're missing part of the pf.conf file:

MTU/MSS ISSUES
     Problems can arise on machines with private IPs connecting to the Internet via a machine running both Network Address Translation (NAT) and pppoe. Standard Ethernet uses a Maximum Transmission Unit (MTU) of 1500 bytes, whereas PPPoE mechanisms need a further 8 bytes of overhead. This leaves a maximum MTU of 1492. pppoe sets the MTU on its interface to 1492 as a matter of course. However, machines connecting on a private LAN will still have their MTUs set to 1500, causing conflict.

     While pppoe(8) has an internal option, ``mssfixup'', which is enabled by default and takes care of this, pppoe users have to rely on other methods. Using a packet filter, the Maximum Segment Size (MSS) can be set (clamped) to the required value. The following rule in pf.conf(5) would set the MSS to 1440:

           scrub out on pppoe0 max-mss 1440

     Although in theory the maximum MSS over a PPPoE interface is 1452 bytes, 1440 appears to be a safer bet. Note that setting the MSS this way can have undesirable effects, such as interfering with the OS detection features of pf(4).

On Thu, 9 Oct 2008 10:11:38 +0100, gm_sjo <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am testing my new OpenBSD router in a simple NAT configuration but I
> am getting some strange results. The client machine is a Windows XP
> laptop and the behaviour is that only a handful of websites render
> (google, for example), 99% that i've tried do not. FTP appears to be
> working fine. It doesn't appear to be a local client configuration
> issue as when I point to an alternate NAT gateway, there are no
> problems.
>
> Here is my configuration :-
>
> -bash-3.2# ifconfig -A (stripped slightly)
> pppoe1: flags=8851 mtu 1492
>         dev: fxp2 state: session
>         sid: 0x6 PADI retries: 0 PADR retries: 0 time: 12:00:53
>         sppp: phase network authproto chap authname "x"
>         groups: pppoe egress
>         inet6 fe80::204:23ff:fecb:1cde%pppoe1 -> prefixlen 64 scopeid 0x9
>         inet 90.155.88.39 --> 81.187.81.72 netmask 0x
> fxp2: flags=8843 mtu 1500
>         lladdr 00:02:b3:13:fc:0d
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::202:b3ff:fe13:fc0d%fxp2 prefixlen 64 scopeid 0x5
> em0: flags=8943 mtu 1500
>         lladdr 00:04:23:cb:1c:de
>         trunk: trunkdev trunk0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet6 fe80::204:23ff:fecb:1cde%em0 prefixlen 64 scopeid 0x1
> em1: flags=8943 mtu 1500
>         lladdr 00:04:23:cb:1c:de
>         trunk: trunkdev trunk0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet6 fe80::204:23ff:fecb:1c7d%em1 prefixlen 64 scopeid 0x2
> trunk0: flags=8843 mtu 1500
>         lladdr 00:04:23:cb:1c:de
>         trunk: trunkproto loadbalance
>                 trunkport em1 active
>                 trunkport em0 master,active
>         groups: trunk
>         media: Ethernet autoselect
>         status: active
>         inet6 fe80::204:23ff:fecb:1cde%trunk0 prefixlen 64 scopeid 0xb
> vlan1020: flags=8843 mtu 1500
>         lladdr 00:04:23:cb:1c:de
>         vlan: 1020 priority: 0 parent interface: trunk0
>         groups: vlan
>         inet6 fe80::204:23ff:fecb:1cde%vlan1020 prefixlen 64 scopeid 0xe
>         inet 192.168.20.1 netmask 0xff00 broadcast 192.168.20.255
>
>
> -bash-3.2# route show -inet (stripped)
> Routing tables
>
> Internet:
> Destination          Gateway              Flags   Refs   Use   Mtu  Interface
> default              careless.aaisp.net   UGS        1  8539     -  pppoe1
> 0.0.0.1              default              UH         0     0     -  pppoe0
> careless.aaisp.net   90.155.88.39         UH         1     2     -  pppoe1
>
> (pppoe0 is not currently in-use)
>
>
> -bash-3.2# cat /etc/pf.conf
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> nat on pppoe1 from vlan1020:network to any -> (pppoe1)
> rdr pass on vlan1020 proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
>
>
> Scenario:-
>
> - Windows client sitting on a 802.1q tagged network.
> - Vlan ID is 1020 and is set to be the default vlan on the switch port
>   its attached to.
> - Default gw on client is 192.168.10.1
> - trunk0 on firewall is configured as a trunk on the switch (em0/em1),
>   albeit not 802.3ad (not sure on standard)
> - Client can ping any host on the internet
> - Client appears to be able to connect to any internet host on port
>   80, and a 'GET /' works (albeit often to a http 1.1 error as you'd
>   expect)
> - Only a couple of the websites i've tried actually render in a
>   browser, google does for example.
> - I can grab small text files (<1KB) from a site, but larger ones
>   don't work. Looks like size is relevant.
>
Re: PPTP vpn with OBSD gateway (outgoing)
There's a tickbox on the windows vpn client to tick. It's quite well hidden. To get to it, do properties on your VPN connection, then click the networking tab. Then do properties on the TCPIP protocol, then click advanced and select the Use Default Gateway On Remote Network option.

It's handy to not have this ticked if you want all your non work traffic to go out via your normal connection, but in this case you want it ticked.

Cheers - Nick

On 29 May 2009, at 22:08, Juan Miscaro wrote:
> Hi,
>
> I'm trying to set up a PPTP tunnel for a Windows machine lying behind my OBSD 4.0 internet gateway. I can establish the tunnel but I'm missing the last piece in the puzzle. This is the routing of the RFC 1918 addresses. Locally I have 10.9.0.0/16 addresses and the windows machine wants to connect to a web server on the remote side that is using 192.168.0.0/16.
>
> I'm not familiar enough with Windows to say if there is some checkbox to fill in to make this work but the Firefox browser complains:
>
> Connection interrupted. The connection to the server was reset while the page was loading. The network link was interrupted while negotiating a connection. Please try again.
>
> Is there some particular route that needs to be set up for this to work?
>
> Thank you,
>
> /jm
Re: PPTP vpn with OBSD gateway (outgoing)
I've had a quick look at a virtual winxp I've got and it does seem to be the default unfortunately.

I'd recommend quickly checking what the vpn client has selected and at the same time check that the routing from your web server can actually get back to the ip address that your vpn client is given. It's also worth checking if there's any firewall rules the other side has that could be interfering.

Once you've got a vpn tunnel established through your openbsd firewall the openbsd firewall has no control over what is happening within the tunnel. The error is then either on your machine or on the thing you're trying to connect to the other side.

It might be worth (and I will wash my mouth out with soap) trying Internet Explorer instead of Firefox just in case it's your firefox browser having the problem. (a quick telnet to port 80 on the webserver would also prove connectivity).

I have assumed that you're doing a pptp tunnel to a windows server and only going through the firewall - not starting or terminating the tunnel on the firewall. If you are then the issue is with your openbsd firewall and you'd need to add routes and rules into that.

Hope some of this helps.

On 30 May 2009, at 21:19, patrick keshishian wrote:
> On Sat, May 30, 2009 at 11:09 AM, Nick Ryan wrote:
> > There's a tickbox on the windows vpn client to tick. It's quite well hidden. To get to it, do properties on your VPN connection, then click the networking tab. Then do properties on the TCPIP protocol, then click advanced and select the Use Default Gateway On Remote Network option.
> >
> > It's handy to not have this ticked if you want all your non work traffic to go out via your normal connection, but in this case you want it ticked.
>
> do you know if the Windows VPN client sets up a route for the remote network if this checkbox is not checked? Meaning, if the user does not select this option, is s/he required to set up the route manually?
>
> --patrick
>
> > Cheers - Nick
> >
> > On 29 May 2009, at 22:08, Juan Miscaro wrote:
> > > Hi,
> > >
> > > I'm trying to set up a PPTP tunnel for a Windows machine lying behind my OBSD 4.0 internet gateway. I can establish the tunnel but I'm missing the last piece in the puzzle. This is the routing of the RFC 1918 addresses. Locally I have 10.9.0.0/16 addresses and the windows machine wants to connect to a web server on the remote side that is using 192.168.0.0/16.
> > >
> > > I'm not familiar enough with Windows to say if there is some checkbox to fill in to make this work but the Firefox browser complains:
> > >
> > > Connection interrupted. The connection to the server was reset while the page was loading. The network link was interrupted while negotiating a connection. Please try again.
> > >
> > > Is there some particular route that needs to be set up for this to work?
> > >
> > > Thank you,
> > >
> > > /jm
Re: OpenBSD 5.5 on mSATA SSD unit in PC Engines APU.1C - "bad dir ino 2 at offset 0: mangled entry" kernel panic
On 7 Jun 2014, at 23:35, Mattieu Baptiste wrote: > On Sat, Jun 7, 2014 at 8:51 PM, JB M wrote: > >> I'm having troubles installing OpenBSD 5.5 (amd64) on a mSATA SSD card ( >> http://pcengines.ch/msata16a.htm) PC Engines APU.1C device ( >> http://pcengines.ch/apu.htm) with the most recent BIOS version. >> >> I've made several attempts, using install55.fs copied to an SD card, with >> both 5.5-release and 5.5-current (June 6th snapshot). >> >> Most attempts have failed, either during the install (filesystem creation >> phase or during the sets extraction phase) or during the first boot after >> the initial install (case reported in this message). >> >> > Same thing for me with : > sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct > fixed t10.ATA_SuperSSpeed_mSATA_SSD_16GB_YTAF140500376_ > sd0: 15258MB, 512 bytes/sector, 31248704 sectors > > Installing on a USB drive solved the problem. > I know it’s no consolation to you but using a Kingston 30 GB mSATA from amazon works perfectly. The APU is on the May bios and I’ve had no issues. Didn’t the PCEngines mSATA drive have problems in general? There’s a mention on here about issues with the a version - is that yours? http://pcengines.ch/msata16b.htm Regards - Nick OpenBSD 5.5-current (GENERIC.MP) #150: Mon May 26 11:50:31 MDT 2014 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 2098520064 (2001MB) avail mem = 2033942528 (1939MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7e16d820 (6 entries) bios0: vendor coreboot version "SageBios_PCEngines_APU-45" date 04/05/2014 bios0: PC Engines APU acpi0 at bios0: rev 0 acpi0: sleep states S0 S1 S3 S4 S5 acpi0: tables DSDT FACP SPCR HPET APIC HEST SSDT SSDT SSDT acpi0: wakeup devices AGPB(S4) HDMI(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PE20(S4) PE21(S4) PE22(S4) PE23(S4) PIBR(S4) UOH1(S3) UOH2(S3) UOH3(S3) UOH4(S3) UOH5(S3) [...] 
acpitimer0 at acpi0: 3579545 Hz, 32 bits acpihpet0 at acpi0: 14318180 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD G-T40E Processor, 1000.13 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 16-way L2 cache cpu0: 8 4MB entries fully associative cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 199MHz cpu0: mwait min=64, max=64, C-substates=0.0.0.0.0, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD G-T40E Processor, 1000.00 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 16-way L2 cache cpu1: 8 4MB entries fully associative cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative cpu1: smt 0, core 1, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins acpiprt0 at acpi0: bus -1 (AGPB) acpiprt1 at acpi0: bus -1 (HDMI) acpiprt2 at acpi0: bus 1 (PBR4) acpiprt3 at acpi0: bus 2 (PBR5) acpiprt4 at acpi0: bus 3 (PBR6) acpiprt5 at acpi0: bus -1 (PBR7) acpiprt6 at acpi0: bus 5 (PE20) acpiprt7 at acpi0: bus -1 (PE21) acpiprt8 at acpi0: bus -1 (PE22) acpiprt9 at acpi0: bus -1 (PE23) acpiprt10 at acpi0: bus 0 (PCI0) acpiprt11 at acpi0: bus 4 (PIBR) acpicpu0 at acpi0: C2, PSS acpicpu1 at acpi0: C2, PSS acpibtn0 at acpi0: PWRB cpu0: 1000 MHz: speeds: 1000 800 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "AMD 
AMD64 14h Host" rev 0x00 ppb0 at pci0 dev 4 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi pci1 at ppb0 bus 1 re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:33:06:c8 rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 4 ppb1 at pci0 dev 5 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi pci2 at ppb1 bus 2 re1 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:33:06:c9 rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 4 ppb2 at pci0 dev 6 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi pci3 at ppb2 bus 3 re2 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:33:06:ca rgephy2 at re2 phy 7: RTL8169S/8110S PHY, rev. 4 ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x40: apic 2 int 19, AHCI 1.2 scsibus1 at ahci0: 32 targets sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed naa.50026b724116179f sd0: 28626MB, 512 bytes/sector, 58626288 sectors, thin ohci0 at pci0 dev 18 function
Re: OpenBSD 5.5 on mSATA SSD unit in PC Engines APU.1C - "bad dir ino 2 at offset 0: mangled entry" kernel panic
That seems to be normal. Mine is currently 61.5 degrees and it's currently not under any load. Mine runs cooler if it's standing on its edge vertically, it just seems to help the airflow around the case at the expense of looking a bit odd. Regards - Nick On 20/06/2014 10:40, Roger Wiklund wrote: No problems so far with Intel mSATA 525 30GB. On a side note I'm a bit worried about the CPU temperature, almost 70 degrees C during normal load. On Thu, Jun 12, 2014 at 9:49 PM, Chris Cappuccio wrote: Happy to report that Plextor M6M (msata) passes all the tests so far, unlike msata Sandisk X110.
Re: Apache box behind Openbsd
Make sure that the windows 2003 firewall isn't set up to block web access. It's caught me out before in the past, although that was on SBS2003. See if you can telnet to port 80 from the OpenBSD firewall to the external interface on the windows box. On 8 Jan 2008, at 17:04, Sewan wrote: i have rdr on $ext_if proto tcp to 212.175.219.188/32 port 80 -> 172.15.254.207 rule for this operation, if i use same rdr rule with changing destination ip to an iis web server inside LAN, it works, but when i change to this web server (2003-apache-php one) it don't work Johan Beisser wrote: On Jan 8, 2008, at 8:05 AM, Sewan wrote: Hi, I have an apache-php website running on windows server 2003 port 80, i have correct rdr rules that pointing my web server, i can view website inside my LAN, but i can't view page outside of my network. I've checked all dns- ip settings, everything's fine but problem continues. I've read at some forums that apache doesn't recognize rdr rules from openbsd, so how can i publish my site ? Thanks... You could give us more information. Perhaps a copy of your pf.conf. I'd also, if I were you, look at your pflog output. either "live" on pflog0, or through the logs in /var/log. -- View this message in context: http://www.nabble.com/Apache-box-behind-Openbsd-tp14692638p14693822.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
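Both this thread and the PPTP one above come down to the same check, "telnet to port 80 on the web server", and both then have to tell apart a connection that never arrives, one that is refused, and one that is accepted and then torn down (Firefox's "connection to the server was reset" in the PPTP thread, or a Windows host firewall here). The following is an added example, not code from either thread: a small Python probe that makes that distinction, plus a demo() that exercises it offline against a listener it starts itself. The local listener, the port numbers and the HEAD request are assumptions of the example.

```python
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http(host, port=80, timeout=3.0):
    """Connect like 'telnet host port', then ask for an HTTP status line.

    Returns one of:
      'timeout'  no route back, or a filter silently dropping the SYN
      'refused'  RST to the SYN: nothing listening, or rdr sent us to the wrong address
      'reset'    handshake completed but the peer tore the connection down
                 (host firewall or a broken backend, not pf on the gateway)
      'no-http'  something answered, but not with an HTTP status line
      'http <status line>'
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode())
            data = b""
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    except OSError as exc:  # EHOSTUNREACH, ENETUNREACH, ...
        return "error %s" % (exc.strerror or exc.errno)
    status = data.split(b"\r\n", 1)[0]
    if status.startswith(b"HTTP/"):
        return "http " + status.decode("latin-1")
    return "no-http"


class _HeadOnly(BaseHTTPRequestHandler):
    """Minimal HTTP listener, used only so demo() has something to probe."""

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Probe a local listener and a closed local port (constructed, offline stand-in
    for 'telnet to port 80 on the web server'). Returns {'open': ..., 'closed': ...}."""
    srv = HTTPServer(("127.0.0.1", 0), _HeadOnly)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    open_port = srv.server_address[1]
    # Reserve a free port and release it, so it is closed when probed.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "open": probe_http("127.0.0.1", open_port),
            "closed": probe_http("127.0.0.1", closed_port),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        target = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(target, target_port, probe_http(target, target_port))
    else:
        print(demo())
```

Run it from the OpenBSD box against the inside address of the web server, then from outside against the rdr address. "refused" on the inside leg means nothing is listening on that address; "reset" after the handshake points at the host firewall or the application rather than at pf, which is the distinction the reply above is asking the poster to make.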
Re: smtpd.conf new grammar
Hi Mark, viq, did either of you get it to work with the virtual table? Mine mostly works with: action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{rcpt}" virtual but it ignores the virtual table completely. If I miss out the ${rcpt}, I get a no recipient specified and if I have the {user.username} it gives a similar error. Did your virtual work or am I doing something daft? Regards - Nick On 27/05/2018 08:51, viq wrote: On 18-05-27 09:34:10, Mark Patruck wrote: For me it works with %{user.username} as mail.lmtp(8) user. See "FORMAT SPECIFIERS" in smtpd.conf(5) for details. Shows how well I read the man page With this it works, thank you! On Sun, May 27, 2018 at 09:04:56AM +0200, viq wrote: > On 18-05-26 19:18:56, Edgar Pettijohn III wrote: > > > > > Sorry, I've read the announcements, looked at man pages and examples, > > > but still didn't manage to figure out how to translate "deliver via dovecot > > > lmtp" > > > (to have sieve working) into the new syntax. So far my config was: > > > > > > table vusers ldap:/etc/mail/ldap.conf > > > table vdomains ldap:/etc/mail/ldap.conf > > > table passwd ldap:/etc/mail/ldap.conf > > > > > > accept from local for local virtual deliver to lmtp > > > "/var/dovecot/lmtp" > > > accept from any for domain virtual deliver to lmtp > > > "/var/dovecot/lmtp" > > > > > > > > > I tried changing those into: > > > > > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d /var/dovecot/lmtp" > > > > try: > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f > > %{sender}" > > Well, this time I'm getting > result=TempFail stat=Error ("mail.lmtp: no recipient was specified") > so there's difference. 
So I tried > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{recipient}" virtual > but that resulted in > result=TempFail stat=Error ("smtpd: mda command line could not be expanded: Interrupted system call") > same with %{rcpt-to} > > Where did you get the %{} syntax? I haven't seen it anywhere when > reading about this. > > > However, this does feel odd. I need to switch over as well, but still trying > > to wrap my brain around the new config. > > > virtual > > > action "relay" relay > > > match from local for local action "lmtp-local" > > > match from any for domain action "lmtp-local" > > > match from local for any action "relay" > > > > > > > > > but delivery attempts fail with Error ("mail.lmtp: sender must be specified > > > with -f") > > > > > > What would be the proper config for this? > > > -- > > > viq > > > -- Mark Patruck ( mark at wrapped.cx ) GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51 http://www.wrapped.cx
Re: smtpd.conf new grammar
Hi Edgar, this is the format: postmas...@nr.ie n...@nr.ie webmas...@nr.ien...@nr.ie n...@nr.ie vmail Is this where it's pulling the %{user.username} being vmail from? Dovecot is expecting u...@domain.tld Regards - Nick On 28/05/2018 18:28, Edgar Pettijohn III wrote: On 05/28/18 10:48, Nick Ryan wrote: Hi Mark, viq, did either of you get it to work with the virtual table? Mine mostly works with: action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{rcpt}" virtual but it ignores the virtual table completely. If I miss out the ${rcpt}, I get a no recipient specified and if I have the {user.username} it gives a similar error. Did your virtual work or am I doing something daft? Regards - Nick It really depends on how your dovecot is set up. Is it expecting a `u...@domain.tld' for the username or just the user part? How is your set up? Personally, I think its easier in the long run to either use a passwd-file from extras or an sql table of some sort. That way smtpd and dovecot can share more easily. Edgar On 27/05/2018 08:51, viq wrote: On 18-05-27 09:34:10, Mark Patruck wrote: For me it works with %{user.username} as mail.lmtp(8) user. See "FORMAT SPECIFIERS" in smtpd.conf(5) for details. Shows how well I read the man page With this it works, thank you! On Sun, May 27, 2018 at 09:04:56AM +0200, viq wrote: > On 18-05-26 19:18:56, Edgar Pettijohn III wrote: > > > > > Sorry, I've read the announcements, looked at man pages and examples, > > > but still didn't manage to figure out how to translate "deliver via dovecot > > > lmtp" > > > (to have sieve working) into the new syntax. 
So far my config was: > > > > > > table vusers ldap:/etc/mail/ldap.conf > > > table vdomains ldap:/etc/mail/ldap.conf > > > table passwd ldap:/etc/mail/ldap.conf > > > > > > accept from local for local virtual deliver to lmtp > > > "/var/dovecot/lmtp" > > > accept from any for domain virtual deliver to lmtp > > > "/var/dovecot/lmtp" > > > > > > > > > I tried changing those into: > > > > > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d /var/dovecot/lmtp" > > > > try: > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f > > %{sender}" > > Well, this time I'm getting > result=TempFail stat=Error ("mail.lmtp: no recipient was specified") > so there's difference. So I tried > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{recipient}" virtual > but that resulted in > result=TempFail stat=Error ("smtpd: mda command line could not be expanded: Interrupted system call") > same with %{rcpt-to} > > Where did you get the %{} syntax? I haven't seen it anywhere when > reading about this. > > > However, this does feel odd. I need to switch over as well, but still trying > > to wrap my brain around the new config. > > > virtual > > > action "relay" relay > > > match from local for local action "lmtp-local" > > > match from any for domain action "lmtp-local" > > > match from local for any action "relay" > > > > > > > > > but delivery attempts fail with Error ("mail.lmtp: sender must be specified > > > with -f") > > > > > > What would be the proper config for this? > > > -- > > > viq > > > -- Mark Patruck ( mark at wrapped.cx ) GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51 http://www.wrapped.cx
Re: smtpd.conf new grammar
Final update. I've been working with Edgar who has helped no end and I now have a working config. For me the working line is actually: action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{dest}" virtual and the corresponding match is: match tag "SPAM_IN" from any for domain action "lmtp-local" Hopefully this might help someone in the future. Regards - Nick On 28/05/2018 16:48, Nick Ryan wrote: Hi Mark, viq, did either of you get it to work with the virtual table? Mine mostly works with: action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{rcpt}" virtual but it ignores the virtual table completely. If I miss out the ${rcpt}, I get a no recipient specified and if I have the {user.username} it gives a similar error. Did your virtual work or am I doing something daft? Regards - Nick On 27/05/2018 08:51, viq wrote: On 18-05-27 09:34:10, Mark Patruck wrote: For me it works with %{user.username} as mail.lmtp(8) user. See "FORMAT SPECIFIERS" in smtpd.conf(5) for details. Shows how well I read the man page With this it works, thank you! On Sun, May 27, 2018 at 09:04:56AM +0200, viq wrote: > On 18-05-26 19:18:56, Edgar Pettijohn III wrote: > > > > > Sorry, I've read the announcements, looked at man pages and examples, > > > but still didn't manage to figure out how to translate "deliver via dovecot > > > lmtp" > > > (to have sieve working) into the new syntax. 
So far my config was: > > > > > > table vusers ldap:/etc/mail/ldap.conf > > > table vdomains ldap:/etc/mail/ldap.conf > > > table passwd ldap:/etc/mail/ldap.conf > > > > > > accept from local for local virtual deliver to lmtp > > > "/var/dovecot/lmtp" > > > accept from any for domain virtual deliver to lmtp > > > "/var/dovecot/lmtp" > > > > > > > > > I tried changing those into: > > > > > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d /var/dovecot/lmtp" > > > > try: > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f > > %{sender}" > > Well, this time I'm getting > result=TempFail stat=Error ("mail.lmtp: no recipient was specified") > so there's difference. So I tried > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d unix:/var/dovecot/lmtp -f %{sender} %{recipient}" virtual > but that resulted in > result=TempFail stat=Error ("smtpd: mda command line could not be expanded: Interrupted system call") > same with %{rcpt-to} > > Where did you get the %{} syntax? I haven't seen it anywhere when > reading about this. > > > However, this does feel odd. I need to switch over as well, but still trying > > to wrap my brain around the new config. > > > virtual > > > action "relay" relay > > > match from local for local action "lmtp-local" > > > match from any for domain action "lmtp-local" > > > match from local for any action "relay" > > > > > > > > > but delivery attempts fail with Error ("mail.lmtp: sender must be specified > > > with -f") > > > > > > What would be the proper config for this? > > > -- > > > viq > > > -- Mark Patruck ( mark at wrapped.cx ) GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51 http://www.wrapped.cx
Re: smptd - sslv3 alert handshake failure
Bjorn, have a look at this from the opensmtpd mailing list. https://www.mail-archive.com/misc@opensmtpd.org/msg05278.html The message from Eric has how to downgrade the smtpd listener to use all TLS and compatible ciphers. Regards. On 13/05/2021 07:31, Bjorn Ketelaars wrote: I have a smtpd config, which has been running for >1 year without a hitch until now. All outgoing mail is forwarded to a remote SMTP server using a config similar to an example in smtpd.conf(5). Forwarding is failing because of "handshake failed: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure" (see below for more information). I'm running current (amd64) with an update frequency of ~twice a week. This error started popping up this weekend - before the libssl/libtls/libcrypto bump. Error remains after the bump. $ cat /etc/mail/smtpd.conf table aliases file:/etc/mail/aliases table secrets file:/etc/mail/secrets listen on lo0 action "local" mbox alias action "relay" relay host smtp+tls://u...@smtp.ziggo.nl:587 auth match from local for local action "local" match from local for any action "relay" I bisected libssl/libtls/libcrypto (checked all changes of the last 2 months) without solving my issue. I also checked smtpd, and found that eric@'s work on moving smtpd to libtls [0] is related to my issue. Reverting smtpd to a version prior to March 5 fixes it for me. Best guess - probably a stupid one - is that the remote host changed something causing SNI related issues. Hints on how to further investigate the above are appreciated! [0] https://marc.info/?l=openbsd-cvs&m=161494786013059&w=2 debug: scheduler: scheduling evp:2b97a598686ca143 debug: scheduler: evp:2b97a598686ca143 scheduled (mta) debug: mta: querying smarthost for relay:... debug: mta: querying smarthost debug: mta: ... 
got smarthost for 2b97a598686ca143: smtp+tls://u...@smtp.ziggo.nl:587 debug: mta: received evp:2b97a598686ca143 for debug: mta: draining [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] refcount=1, ntask=1, nconnector=0, nconn=0 debug: mta: querying secret for [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx]... debug: mta: querying MX for [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx]... debug: mta: [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] waiting for MX secret debug: control -> client: pipe closed debug: clearing p=client, fd=11, pid=0 debug: mta: ... got secret for [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx]: AGJrZXRAemlnZ28ubmwAREgmd2pQVyZkS3V3enA2a2wqKjM= debug: mta: draining [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] refcount=2, ntask=1, nconnector=0, nconn=0 debug: mta: [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] waiting for MX debug: MXs for domain smtp.ziggo.nl: 212.54.42.9 preference -1 debug: mta: ... got mx (0x4c260099920, smtp.ziggo.nl, [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx]) debug: mta: draining [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] refcount=1, ntask=1, nconnector=0, nconn=0 debug: mta: querying source for [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx]... debug: mta: ... got source for [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx]: [] debug: mta: new [connector:[]->[relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx],0x1] debug: mta: connecting with [connector:[]->[relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx],0x0] debug: mta-routing: searching new route for [connector:[]->[relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx],0x0]... 
debug: mta-routing: selecting candidate route [] <-> 212.54.42.9 debug: mta-routing: spawning new connection on [] <-> 212.54.42.9 debug: mta: 0x4c2600b96d0: spawned for relay [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] debug: mta: connecting with [connector:[]->[relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx],0x0] debug: mta: cannot use [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] before 2s debug: mta-routing: no route available for [connector:[]->[relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx],0x0]: must wait a bit debug: mta: retrying to connect on [connector:[]->[relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx],0x0] in 2s... debug: mta: draining [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] refcount=3, ntask=1, nconnector=1, nconn=1 debug: mta: scheduling relay [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] in 1s... 9483c6637b224554 mta connecting address=smtp+tls://212.54.42.9:587 host=smtp.mail.gtm.iss.as9143.net 9483c6637b224554 mta connected debug: mta: 0x4c2600b96d0: IO error: handshake failed: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure 9483c6637b224554 mta error reason=IO Error: handshake failed: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure debug: mta: 0x4c2600b96d0: session done ...
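One thing the debug output above shows beyond the handshake error: the "got secret for [relay:...]" line carries the relay credential in the exact form smtpd sends in AUTH PLAIN, base64 of authzid NUL authcid NUL password (RFC 4616), which is why the blob starts with "AG" (a NUL byte followed by the first letter of the login). Pasting an smtpd debug log to a public list therefore leaks the smarthost password. The following is an added example, not code from the thread or from OpenSMTPD: it redacts those lines down to the login name and pulls out the sessions that died in the TLS handshake. The sample lines are constructed to match the shape of the log above, with a made-up credential, an assumed session id and an assumed relay name.

```python
import base64
import re

# Constructed sample lines in the shape of the smtpd debug output quoted above.
# The credential is made up (base64 of "\0alice@example.net\0hunter2"); the
# session ids and relay names are likewise assumptions of this example.
SAMPLE_SECRET = base64.b64encode(b"\0alice@example.net\0hunter2").decode()
SAMPLE_LOG = (
    "debug: mta: querying secret for [relay:smtp.example.net:port=587,smtp+tls,auth=secrets:example,mx]...\n"
    "debug: mta: ... got secret for [relay:smtp.example.net:port=587,smtp+tls,auth=secrets:example,mx]: "
    + SAMPLE_SECRET + "\n"
    "9483c6637b224554 mta connecting address=smtp+tls://192.0.2.25:587 host=mx.example.net\n"
    "9483c6637b224554 mta connected\n"
    "debug: mta: 0x4c2600b96d0: IO error: handshake failed: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure\n"
    "9483c6637b224554 mta error reason=IO Error: handshake failed: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure\n"
    "0123456789abcdef mta connecting address=smtp+tls://192.0.2.26:465 host=mx2.example.net\n"
    "0123456789abcdef mta connected\n"
)

SECRET_RE = re.compile(r"(got secret for \[[^\]]*\]: )([A-Za-z0-9+/]+={0,2})")
SESSION_RE = re.compile(r"^([0-9a-f]{16}) mta (connecting|connected|error)\b ?(.*)$")


def decode_sasl_plain(blob):
    """Split a base64 AUTH PLAIN message into (authzid, authcid, password) per RFC 4616."""
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8", "replace") for p in parts)


def redact_secrets(log_text):
    """Return (redacted_text, logins): each secret blob replaced by the login name only."""
    logins = []

    def repl(match):
        try:
            _authzid, login, _password = decode_sasl_plain(match.group(2))
        except ValueError:
            login = "?"
        logins.append(login)
        return match.group(1) + "<AUTH PLAIN credential for %s redacted>" % login

    return SECRET_RE.sub(repl, log_text), logins


def handshake_failures(log_text):
    """Map session id -> (remote host, reason) for sessions whose TLS handshake failed.

    The 'connecting' line is the only one that names the host, so it is
    remembered per session id and joined to the later 'error' line.
    """
    hosts, failures = {}, {}
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        sid, event, rest = m.groups()
        if event == "connecting":
            host = re.search(r"host=(\S+)", rest)
            hosts[sid] = host.group(1) if host else "?"
        elif event == "error" and "handshake failed" in rest:
            failures[sid] = (hosts.get(sid, "?"), rest.partition("reason=")[2])
    return failures


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    clean, logins = redact_secrets(text)
    print(clean, end="")
    for sid, (host, reason) in handshake_failures(clean).items():
        print("session %s to %s: %s" % (sid, host, reason), file=sys.stderr)
```

Pipe the debug output through it before posting (`smtpd -dv 2>&1 | python3 redact.py`); the redacted text still shows which relay, which MX host and which session failed, which is all a reader of the thread needs, and the login name is enough to know which secrets-table entry to rotate if the unredacted log has already gone out.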
Re: Failure to NAT
is pf enabled? sounds like it's just acting as a router at the mo to me... pfctl -ef /etc/pf.conf On 2 Dec 2008, at 15:10, - Tethys wrote: Hi... The hard drive on my firewall machine died overnight, so I rebuilt it with a new hard drive this morning. I grabbed the most recent OpenBSD CD I had to hand (which was 3.8 -- yes, I know, and the order for 4.4 followed as soon as I got to work and had net access again). The problem is that while I have net access from the firewall itself, I don't from any of the machines on my internal network. After playing with tcpdump, it seems that packets are coming in fine on the internal interface, and are leaving on the external interface, but are not being NATed on the way through. Nothing is being logged on pflog0. My internal interface is 192.168.8.1, and the external interface is 10.0.8.224/28. My minimal pf.conf[1] looks like: int = "fxp0" ext = "rl0" nat on rl0 from 192.168.8.4 to any -> 10.0.8.230 block in log pass in log quick on $int pass out log on $ext keep state 192.168.8.4 is the test machine I'm using on the internal network. Yet packets from that machine are leaving rl0 with a source IP of 192.168.8.4, not 10.0.8.230 as the NAT rule implies they should be. Obviously I'll reinstall with 4.4 when it arrives, but in the mean time, I'm stuck without net access for most of the machines in the house, and urgently need to sort this out. Any ideas on where I might be going wrong, and what I can do to fix it? Thanks, Tet [1] Obviously the real one will be somewhat more complex, but I need to get something working first, and then I'll build a pf.conf that does what I need. -- Perl is like vise grips. You can do anything with it but it is the wrong tool for every job. -- Bruce Eckel
Re: Firewall 4.3 is limiting bandwidth
I'd try manually changing the interface media type just in case it's that. I've seen odd things happen if you have it autodetect compared to manually setting it to 100mbTX full duplex... (and vice versa) Then I'd look at cables, try switching out the network card for another, that sort of thing. ifconfig vr0 media 100baseTX mediaopt full-duplex Change vr0 to whatever your network card is. Also I'm assuming you're not using PPPOE - if you are try setting the maximum mtu size in your pf.conf file... scrub out on pppoe0 max-mss 1440 anyway - if it's neither of these then we'll need more info on what your set up is. A dmesg would also help. On 29 Jan 2009, at 05:21, numb3rs1x wrote: I've also tried the sysctl adjustment listed in the man pages. net.inet.tcp.sendspace: 65536 net.inet.tcp.recvspace=65536 That seemed to make it worse if anything. -- View this message in context: http://www.nabble.com/Firewall-4.3-is-limiting-bandwidth-tp21720950p21721077.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: Firewall 4.3 is limiting bandwidth
Sorry pppoe in that example should have been $pppoe and it should correspond to the interface you're using for pppoe and declared in the pf.conf file. It's in the man pages anyway. On 29 Jan 2009, at 10:06, Nick Ryan wrote: I'd try manually changing the interface media type just in case it's that. I've seen odd things happen if you have it autodetect compared to manually setting it to 100mbTX full duplex... (and vice versa) Then I'd look at cables, try switching out the network card for another, that sort of thing. ifconfig vr0 media 100baseTX mediaopt full-duplex Change vr0 to whatever your network card is. Also I'm assuming you're not using PPPOE - if you are try setting the maximum mtu size in your pf.conf file... scrub out on pppoe0 max-mss 1440 anyway - if it's neither of these then we'll need more info on what your set up is. A dmesg would also help. On 29 Jan 2009, at 05:21, numb3rs1x wrote: I've also tried the sysctl adjustment listed in the man pages. net.inet.tcp.sendspace: 65536 net.inet.tcp.recvspace=65536 That seemed to make it worse if anything. -- View this message in context: http://www.nabble.com/Firewall-4.3-is-limiting-bandwidth-tp21720950p21721077.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: roundcubemail on openbsd 5.0
Apologies, I wasn't trying to be funny. There's a few bits of troubleshooting at http://trac.roundcube.net/wiki/Howto_Config#ConfiguringforVirtualUsers where it looks like they describe a similar issue to the one you're having. Can't help any more than that though. On 14/12/2011 10:20, Wesley M. wrote: > Hi, > Very funny, I already know these tips. > But when I add a new user and try to connect, I always have @localhost. > At the Roundcube login prompt: typing username@specificdomain doesn't work. > Typing just the username works; try to send a mail and it sends with > @localhost. > I know I can modify this manually, but the goal is to have this done > automatically for new users. > > Wesley > > On Wed, 14 Dec 2011 08:38:18 +, nick wrote: > >> Wesley, I think once you've logged in with a user, you're stuck with whatever was in the config file, as has been previously said, as it's created the roundcube entries in the database. What you'll need to do now for that user is to log into roundcube, click Personal Settings at the top, then click Identities and change the email address manually for them. If you've a lot of users you could probably open up the database manually and change the records directly. Regards. On 14/12/2011 06:33, Wesley M. wrote: >>> Hi, I use sendmail 8.14.15 with virtusertable and procmail for multiple domains and dovecot 2.0; and Apache (chrooted in /var/www). I just want: at the Roundcube login page, type user1@domain1 and user1@localhost. I tried this: $rcmail_config['virtuser_[...] '/roundcubemail/virtusertable'; [...] replies, your help. Wesley. www.mouedine.net On [...] 2011 20:48:16 +, Stuart Henderson wrote: >>>> On [...] 15:28, Michael W. Lucas wrote: >>>>> I have Roundcube elsewhere. It basically runs like any other [...] isn't actually on my mail server. 
This leads me [...] that copying system files into the chroot isn't going to help. >>>> It has some special support for looking up usernames from a file in virtusertable format. Can't say I've used it myself though. >>>>> [...] from user@domain? >>>> See the config [...]; existing users will need to be changed in the database.
Re: Remotely installing OpenBSD on dedicated server
I've a VPS OpenBSD server at www.arpnetworks.com [1] - they're a good price and I've had no problems with them if it helps. I know it's a VPS rather than a dedicated server but it might be worth a look. Regards - Nick On Wed, 27 Apr 2011 07:20:26 +, Nigel Horne wrote: > Hello the list. > > My company manages a few servers on behalf of client companies that don't want to do it themselves. > > We have specific appliances that run on OpenBSD and it is our intention to keep it that way because of the reliability of the platform. > > However, we want to move some of the services to remote dedicated servers (as can be hired at several places on internet). > I have been making a quick survey and it appears that OpenBSD is not widely offered as an operating system by such services. > Actually, I haven't found a single dedicated host provider that offers OpenBSD as a possible choice by default, even if a few mails > directed to support "suggest" that it might be possible to get a custom install (but no definitive answer on the matter...) . > > Has any of you ever tried to hire a dedicated server with OpenBSD installed on it? > If so, where did you hire your OpenBSD box? > If not, has any of you found a good way to install OpenBSD over a preinstalled OS remotely reliably (meaning that I don't have > to get the server reinstalled 10 times before getting OpenBSD up and running)? > > I hope I am posting to the right list. > > Thank you for the help to come. > Nigel. Links: -- [1] http://www.arpnetworks.com