Re: Printing to Windows

2009-05-25 Thread Nils.Reuvers
It would require Samba and Cups.

Read more here
http://www.faqs.org/docs/Linux-mini/Debian-and-Windows-Shared-Printing.html

Should give you a headstart.

Nils

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
eagir...@cox.net
Sent: Monday 25 May 2009 5:39
To: misc@openbsd.org
Subject: Printing to Windows

If anyone is printing successfully to an OfficeJet served on an XP box from
OBSD 4.4 or later, I'd sure appreciate knowing how you do it.

--
Ed Ahlsen-Girard
Ft. Walton Beach FL


=

A disclaimer applies to this email and any attachments.
Refer to http://www.sparkholland.com/emaildisclaimer for the full text of this
disclaimer.



Re: spamd, blacklists and rc

2009-05-12 Thread Nils.Reuvers
I use this in my /etc/rc.local

if [ -x /usr/libexec/spamd-setup ]; then
	echo -n ' spamd-setup'; /usr/libexec/spamd-setup -b -D
fi

Nils

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
Of Nancy Ketelaars-Marijnissen
Sent: Monday 11 May 2009 22:48
To: Bryan Irvine
Cc: misc@openbsd.org
Subject: Re: spamd, blacklists and rc

Bryan Irvine wrote:
 Oh man, the amount of effort spent going in the wrong direction is
 staggering. ;-)  Yes, you are missing something.

 man rc.conf

 hint: copy what you want to change into rc.conf.local.

 -Bryan


Thanks Bryan!

good point, however I can't find anything in rc.conf which enables the
enduser to change the behaviour of spamd-setup.

Björn





Re: hw.sensor empty

2007-03-30 Thread Nils.Reuvers
How about:
sysctl -a hw.sensors

-Original Message-
From: giovanni [mailto:[EMAIL PROTECTED]
Sent: Friday 30 March 2007 10:35
To: misc@openbsd.org
Subject: hw.sensor empty

hello,

on my box, 4.1-current,

sysctl -a hw.sensor

is empty
I've seen that the sensor land has been split in user and kernel one.
Before posting I've searched and tried to understand the matter
i.e the relevant part where the copy from kernel to userland is made.
I've also tried to watch the results during the path from

sysctl -a hw.sensor

to the sysctl_sensors call where all is copied correctly
I'm wrong I know, so could you explain where?

thanks,

giovanni






Re: squid and OBSD 4

2007-03-02 Thread Nils.Reuvers
I recently installed squid (squid-2.5.STABLE13-transparent-snmp) from
packages on openbsd 4.0 -release -stable. My squid only uses 29M.

15707 _squid    20   27M   29M sleep    poll     12:38  0.98% squid

This top 'snapshot' has been taken at a peak moment. We have a 10Mbit/s
internet connection and when using squid, no slow performance. I do not
use the cache option of squid (just wanna log everything for now).

So it might not be that strange for Squid to take 90M. When you disable
squid, do you still have poor performance? When you disable the cache,
do you still have poor performance? What is your definition of poor
performance and how did you establish a baseline?

Dmesg partial:
OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 1072914432 (1047768K)
avail mem = 970698752 (947948K)

Nils

-Original Message-
Hi,

i have a openbsd 4 box with squid-transparent.
it seems like it have poors performance. investigating with `top' i
saw squid using only 90M of ram, why?

How can i use better my box resource? (Xeon CPU with 4GB of ram)

top:
  PID USERNAME PRI NICE  SIZE   RES STATE    WAIT     TIME    CPU COMMAND
27010 _squid    20   87M   90M sleep    poll      9:01  0.05% squid


--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/






Re: ftp-proxy problem using active ftp

2007-02-17 Thread Nils.Reuvers
Camiel,

Thanks for all your help. It looks like it is something upstream,
because all your hints check out.

Today I tried to ssh externally to the OpenBSD firewall and what do you
think; no packets arrive at the external interface. So it must be that
damn IAS modem that is blocking everything. How on earth can they setup
something like that? Cost me a day to find out (partially my fault of
course).

Thanks again.

Nils

-Original Message-
From: Camiel Dobbelaar [mailto:[EMAIL PROTECTED]
Sent: Friday 16 February 2007 19:24
To: Reuvers, Nils
Cc: misc@openbsd.org
Subject: Re: ftp-proxy problem using active ftp

On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:
 #1 client: PORT 192,168,1,56,9,96\r\n
 #1 proxy: PORT 193,172,163,50,235,99\r\n

193.172.163.50 is the correct external IP?  Does the firewall have more
than one external IP?

 #1 server: 200 PORT command successful - not using PASV eh?\r\n
 #1 active: server to client port 2400 via port 60259
 #1 client: NLST\r\n

This looks fine.  At the point where it says active it has inserted the
rules.  You can check those like this:

# pfctl -sA -v
  ftp-proxy
  ftp-proxy/27568.13

# pfctl -a ftp-proxy/27568.13 -sr
pass in quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0
pass out quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0

and with -sn for the nat rules.

Do those look correct?

 My PF log isn't showing anything useful regarding ftp.

Make sure all the rules have the log option set, especially the block
rules.

You can also try tcpdump on the external interface to check if the SYN
packets of the active connection are coming in.

If nothing comes in, someone upstream may be blocking.


--
Cam



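Reading an ftp-proxy -D7 transcript by eye is error-prone, so here is an added example (not code from Camiel's or Nils' posts) that does the bookkeeping Camiel walks through above: it parses a debug transcript, decodes the client's PORT argument and the proxy's rewritten PORT the way the proxy does (p1*256+p2, which is how 235,99 becomes 60259), and reports per session whether the transfer completed or the server answered 425, the signature of the server's inbound SYN never reaching the data port. The transcript embedded below is constructed from the lines quoted in this thread, not a live capture; the addresses are the ones in the thread.

```shell
#!/bin/sh
# ftpproxy_check.sh: summarise ftp-proxy(8) "-d -D7" debug output per session.
# Added example for this thread, not code from the original posts.  The
# transcript below is constructed from the lines quoted in the thread.

SAMPLE_LOG='listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.1.56
#1 FTP session 1/100 started: client 192.168.1.56 to server 129.128.5.191 via proxy 193.172.163.50
#1 client: USER anonymous\r\n
#1 server: 230 Your data rate unrestricted\r\n
#1 client: PORT 192,168,1,56,9,96\r\n
#1 proxy: PORT 193,172,163,50,235,99\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 2400 via port 60259
#1 client: NLST\r\n
#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
#1 client: QUIT\r\n
#1 server: 221 Goodbye.\r\n
#1 client close
#1 ending session'

# Decode an FTP PORT argument "h1,h2,h3,h4,p1,p2" into "host port".
# The port is p1*256+p2, so 235,99 is 60259 and 9,96 is 2400.
decode_port_arg() {
	printf '%s\n' "$1" | awk -F, '{ printf "%s.%s.%s.%s %d\n", $1, $2, $3, $4, ($5 * 256) + $6 }'
}

# Read a debug transcript on stdin and print one line per session:
#   session=N client=IP:port proxy=IP:port data=ok|TIMEOUT|none
# client= is what the client asked for, proxy= is what ftp-proxy told the
# server.  The server must be able to SYN to proxy=IP:port; if that SYN is
# dropped (by pf or by something upstream) the server answers 425.
summarise_sessions() {
	awk '
	function endpoint(arg,   f) {
		sub(/\\r\\n$/, "", arg)         # ftp-proxy prints the CRLF as literal \r\n
		split(arg, f, ",")
		return f[1] "." f[2] "." f[3] "." f[4] ":" ((f[5] * 256) + f[6])
	}
	$1 ~ /^#[0-9]+$/ {
		s = substr($1, 2); seen[s] = 1
		if ($2 == "client:" && $3 == "PORT") cport[s] = endpoint($4)
		else if ($2 == "proxy:" && $3 == "PORT") pport[s] = endpoint($4)
		else if ($2 == "server:" && $3 == "425") status[s] = "TIMEOUT"
		else if ($2 == "server:" && $3 == "226" && status[s] == "") status[s] = "ok"
	}
	END {
		for (s in seen)
			printf "session=%s client=%s proxy=%s data=%s\n", s,
			    (cport[s] != "" ? cport[s] : "-"),
			    (pport[s] != "" ? pport[s] : "-"),
			    (status[s] != "" ? status[s] : "none")
	}' | sort
}

# Run the summary over the built-in sample transcript.
check_sample() {
	printf '%s\n' "$SAMPLE_LOG" | summarise_sessions
}

# Usage: ftpproxy_check.sh [debuglog]
# With a file argument the transcript is read from it; without one the
# built-in sample is summarised.
if [ $# -gt 0 ]; then
	summarise_sessions < "$1"
else
	check_sample
fi
```

When a session shows data=TIMEOUT, do what Camiel suggests while the session is still hanging: `pfctl -sA -v` to find the ftp-proxy sub-anchor, `pfctl -a ftp-proxy/<pid.id> -sr` (and `-sn`) to confirm the pass rules for the proxy= port are there, and `tcpdump -n -i <ext_if> tcp and dst port <proxy port>` on the external interface. Rules present but no SYN on the wire means the drop is upstream, which is what Nils eventually found.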



ftp-proxy problem using active ftp

2007-02-16 Thread Nils.Reuvers
Hi all,

I'm about to go nuts over ftp-proxy. I would greatly appreciate any
assistance. The problem is I can't get active FTP to work and I need it
for my clients to communicate with a bank. The clients are behind a pf
firewall which is doing nat and firewalling for the whole internal
subnet.

Running OpenBSD 4.0 -stable -release
I have taken the faq-example1 from /usr/share/pf and modified the
interfaces and removed the port 80 redirect (since I do not have a
webserver internally).

/usr/sbin/ftp-proxy is running with -r
#ps -xa
12876 ??  Is  0:00.06 /usr/sbin/ftp-proxy -r

Passive FTP works instantly, but active does not. I do get a control
connection, but it holds when I try to retrieve data.

My pf.conf:
# $OpenBSD: faq-example1,v 1.4 2006/06/16 17:26:59 jasper Exp $
#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# macros
ext_if=pcn0
int_if=fxp0

icmp_types=echoreq

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out keep state

anchor ftp-proxy/*
antispoof quick for { lo $int_if }

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if

#end pf.conf


Thanks.

Nils Reuvers





Re: ftp-proxy problem using active ftp

2007-02-16 Thread Nils.Reuvers
Hi Camiel,

Thanks for your answer. I've also tried other ftp sites (for instance
ftp.openbsd.org).

I've started ftp-proxy like this: sudo /usr/sbin/ftp-proxy -d -D7 -r
Then I connected to ftp.openbsd.org using anonymous account and Active
mode

listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.1.56
#1 FTP session 1/100 started: client 192.168.1.56 to server 129.128.5.191 via proxy 193.172.163.50
#1 server: 220-\r\n
#1 server: 220-  Welcome to SunSITE Alberta\r\n
#1 server: 220-\r\n
#1 server: 220-  at the University of Alberta, in Edmonton, Alberta, Canada\r\n
#1 server: 220-\r\n
#1 server: 220-All connections to and transfers from this server are logged. If \r\n
#1 server: 220-you do not like this policy, please disconnect now.\r\n
#1 server: 220-\r\n
#1 server: 220-You may want to grab the index file called ls-lR.gz in /pub.  It is \r\n
#1 server: 220-updated nightly with the contents of the ftp tree.  \r\n
#1 server: 220-\r\n
#1 server: 220-If you have any questions, hints, or requests, please email\r\n
#1 server: 220-\r\n
#1 server: 220- [EMAIL PROTECTED]
#1 server: 220-\r\n
#1 server: 220 \r\n
#1 client: USER anonymous\r\n
#1 server: 331 Who are you impersonating today?\r\n
#1 client: PASS [EMAIL PROTECTED]
#1 server: 230-\r\n
#1 server: 230- Welcome to Sunsite Alberta\r\n
#1 server: 230- Login Successful.\r\n
#1 server: 230 Your data rate unrestricted\r\n
#1 client: PORT 192,168,1,56,9,96\r\n
#1 proxy: PORT 193,172,163,50,235,99\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 2400 via port 60259
#1 client: NLST\r\n

And then it hangs

After closing the session I get:
#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
#1 client: QUIT\r\n
#1 server: 221 Goodbye.\r\n
#1 client close
#1 ending session

I also put the anchors before any other ruling. No luck though.

My PF log isn't showing anything useful regarding ftp.

I just installed a new openbsd 4.0 system and it has the same problem.

I install everything from CD
After halting and rebooting:
Create a user account with sudo privileges
Edit rc.conf to enable pf and enable ftp-proxy with -r option
Then modify the example pf.conf file, so that it fits my interfaces
Uncomment net.inet.ip.forwarding=1 in /etc/sysctl.conf
Reboot my system

Now, in my book I should have a working system with active ftp support.
But I don't.

Am I missing something?

Nils

-Original Message-
From: Camiel Dobbelaar [mailto:[EMAIL PROTECTED]
Sent: Friday 16 February 2007 12:59
To: Reuvers, Nils
Subject: Re: ftp-proxy problem using active ftp


Try to move the anchors as high as possible in their sections (the nat
and rdr anchor first in the nat section; the normal anchor first in the
filter rule section).

Crank up the logging like this: ftp-proxy -d -D7 -r

Watch your pf logging as well.

Doesn't the bank app. (ABN AMRO?) use a weird port like 40 or 41 or so?




On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:

 Hi all,

 I'm about to go nuts over ftp-proxy. I would greatly appreciate any
 assistance. The problem is I can't get active FTP to work and I need it
 for my clients to communicate with a bank. The clients are behind a pf
 firewall which is doing nat and firewalling for the whole internal
 subnet.

 Running OpenBSD 4.0 -stable -release
 I have taken the faq-example1 from /usr/share/pf and modified the
 interfaces and removed the port 80 redirect (since I do not have a
 webserver internally).

 /usr/sbin/ftp-proxy is running with -r
 #ps -xa
 12876 ??  Is  0:00.06 /usr/sbin/ftp-proxy -r

 Passive FTP works instantly, but active does not. I do get a control
 connection, but it holds when I try to retrieve data.

 My pf.conf:
 # $OpenBSD: faq-example1,v 1.4 2006/06/16 17:26:59 jasper Exp $
 #
 # Firewall for Home or Small Office
 # http://www.openbsd.org/faq/pf/example1.html
 #
 # macros
 ext_if=pcn0
 int_if=fxp0

 icmp_types=echoreq

 # options
 set block-policy return
 set loginterface $ext_if

 set skip on lo

 # scrub
 scrub in

 # nat/rdr
 nat on $ext_if from !($ext_if) -> ($ext_if:0)
 nat-anchor ftp-proxy/*
 rdr-anchor ftp-proxy/*

 rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

 # filter rules
 block in

 pass out keep state

 anchor ftp-proxy/*
 antispoof quick for { lo $int_if }

 pass in inet proto icmp all icmp-type $icmp_types keep state

 pass quick on $int_if

 #end pf.conf


 Thanks.

 Nils Reuvers







Re: spamd - SPEWS status

2007-02-03 Thread Nils.Reuvers
I really think spammers don't give a damn about coming back to deliver
e-mail properly. The new breed of spammers uses botnets to deliver their
crap. And since those systems are not theirs and that bandwidth is not
theirs, they write software to act as a proper mail server. That means,
they come back when mail isn't properly delivered.

Downside is:
a) The botnet pc is getting whitelisted
b) The system administrator has to manually take it off the whitelist
and put it on the blacklist (I have written a shell script to take care
of this)
c) Your users are bothered with crap

Agreed, not all spammers are using botnets, thank god. However, the
spammers that do cause most of our and our users' irritation.

One solution would be to check if the delivering IP address has a
hostname like mail., smtp., mx., etcetera.
But not all mail servers are set up like that. So, I will get a lot of
users complaining e-mail doesn't reach them and it will cost me about
the same amount of time to explain it to my users and whitelist the IP
Address.

A solution I think would be a step in the right direction is providers
making international agreements.
First rule would be:
Home users should NOT have access to port 25 and may only use the
provider's mail server. That would block a lot, and I do mean a lot, of
the spam. Only on request, port 25 could be opened.

Second rule:
Those who do send spam should be blocked from sending e-mail until they
have cleaned their system. And I know, most people that are infected by
a Trojan sending spam, do not know how to get rid of it. Providers
should deliver some kind of support to those people. Another upside is
that you'll educate users.

Well, there you have it, my opinion.



On Friday, February 2, 2007, 04:02:38, Gregory Edigarov wrote:
   ...
 Yeah, greylisting is good, but this is only for a short while, I am
 afraid. My measurements tell me that spammers are adapting quicker
 than somebody expected.

 It seems like their software started analyzing the return codes, and so
 they are resending their mail after a short while. So I think
 blacklisting is still in rule.

But having to queue, wait, and resend
   a) cuts down on the crap/hour they can send
   b) their IP might be on a blacklist the second time they try

--
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote. - Ambassador Kosh
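Nils mentions a shell script for the case where a botnet host has retried its way onto the spamd whitelist. The script below is an added example of how that step can be done with spamdb(8), not Nils' own script: it reads a spamdb dump, looks up the state of each IP you name, and emits the commands that remove a WHITE entry and add the host as TRAPPED (tarpitted, like a greytrapped host). Everything is printed rather than executed unless you pass --apply, so it can be reviewed first and run without a spamd database. The dump embedded below is constructed sample data in spamdb's pipe-separated format (WHITE entries carry empty from/to fields), not real output.

```shell
#!/bin/sh
# spamd_untrust.sh: move hosts that abused spamd's greylisting out of the
# whitelist and into the TRAPPED table, using spamdb(8).
# Added example, not Nils' own script.  The dump below is constructed
# sample output in spamdb's pipe-separated format, not real data.

SAMPLE_DB='WHITE|203.0.113.7|||1170400000|1170400000|1173510400|1|3
WHITE|198.51.100.20|||1170300000|1170300000|1173400000|2|14
GREY|203.0.113.99|<spam@example.net>|<nils@example.com>|1170450000|1170460000|1170464400|1|0
TRAPPED|192.0.2.5|1170486400'

# Print the spamdb state (WHITE, GREY, TRAPPED or NONE) of one IP, reading a
# spamdb dump on stdin.  The key is compared whole, so 10.0.0.1 does not
# match 10.0.0.10.
state_of() {
	awk -F'|' -v ip="$1" '$2 == ip { print $1; found = 1; exit } END { if (!found) print "NONE" }'
}

# For each IP given as an argument, emit the spamdb commands that move it
# to TRAPPED.  Reads the dump on stdin; prints the commands, never runs them.
untrust_plan() {
	db=$(cat)
	for ip in "$@"; do
		case $(printf '%s\n' "$db" | state_of "$ip") in
		WHITE)
			echo "spamdb -d $ip"      # drop the whitelist entry first...
			echo "spamdb -t -a $ip"   # ...then tarpit it as TRAPPED
			;;
		GREY|NONE)
			echo "spamdb -t -a $ip"   # not whitelisted yet: just trap it
			;;
		TRAPPED)
			echo "# $ip already TRAPPED"
			;;
		esac
	done
}

# Usage: spamd_untrust.sh [--apply] ip ...
# Without --apply the plan is printed for review; with --apply it is fed to
# sh.  Both read the live database with spamdb(8), so run as root.
if [ $# -gt 0 ]; then
	if [ "$1" = "--apply" ]; then
		shift
		spamdb | untrust_plan "$@" | sh
	else
		spamdb | untrust_plan "$@"
	fi
fi
```

Two caveats a practitioner would want: TRAPPED entries expire (24 hours by default, see spamd(8)), so a host that keeps coming back belongs in a blacklist fed to spamd-setup through spamd.conf rather than in the trap table; and spamd whitelists by IP, so trapping a NAT gateway or a shared mail relay tarpits everyone behind it.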



Re: nokia IP120 problem

2006-10-19 Thread Nils.Reuvers
I've had some experience with the IP120. They're all bad.
The IP330 however, had no problems at all. In my opinion, the IP120 has
bad hardware. Nokia replaced our IP120's with other IP120's. That didn't
solve anything. It kept locking up randomly.

I don't know how their IP130 are, but the 120's sucked big time.

Checkpoint rocks however.

Nils

-Original Message-
From: Denis Doroshenko [mailto:[EMAIL PROTECTED] 
Sent: Wednesday 18 October 2006 23:58
To: misc@openbsd.org
Subject: nokia IP120 problem

hello guys,

have seen a few mails recently on the list about these routers.
i have got my hands on one (sticker at the bottom says it is
IP110, sticker at the top says it is IP120).

i saw, the mails recently WRT software reboot, but that's the
least problem with mine. the poor beast locks solid after random
period of time (that's why it came to me). have thrown that bloody
early-fbsd-hacked-into-ipso and put the latest snapshots. well
it locks still, even at the boot prompt! ethernet leds go off and
the box rests endlessly.

no documentation is available and i didn't find much via
googling either. may be somebody can help me with
information for these? there is some kind of BIOS there,
is it accessible via console or otherwise? is there any other
settings (switches etc.) that can be causing the locking,
may be it can be debugged somehow?

thanks in any case...



Re: Can't install vim from ports

2006-05-09 Thread Nils.Reuvers
Something's off in your routing config or pf config. It seems something
is blocking this connection, or like the message says:  No route to
host. Check your pf log.

Nils

-Original Message-
From: Jerome Santos [mailto:[EMAIL PROTECTED]
Sent: Tuesday 9 May 2006 8:07
To: misc@openbsd.org
Subject: Can't install vim from ports

Hello I have tried to install vim from /usr/ports/editors/vim by doing:

sudo make install

and it ends up saying something like

  6.3.069 doesn't seem to exist on this system.
  Attempting to fetch /usr/ports/distfiles/vim6/6.3.069 from
ftp://ftp.vim.org/pub/vim/patches/6.3/.
Trying 2001:610:1:80aa:192:87:102:36...
ftp: connect to address 2001:610:1:80aa:192:87:102:36: No route to host
Trying 192.87.102.36...
100% |**************************************************|  1710       00:00
  Size matches for /usr/ports/distfiles/vim6/6.3.069
  6.3.070 doesn't seem to exist on this system.
  Attempting to fetch /usr/ports/distfiles/vim6/6.3.070 from
ftp://ftp.vim.org/pub/vim/patches/6.3/.
Trying 2001:610:1:80aa:192:87:102:36...
ftp: connect to address 2001:610:1:80aa:192:87:102:36: No route to host

Any help is much appreciated!!!

Thanks,

Jerome






Spews, spamhaus

2006-05-08 Thread Nils.Reuvers
Hi guys,

What's with spews? Anyone else missing their spam entries? Also, why is
spamhaus still in spamd.conf (at least it was in 3.8)? Since 2005 you
have to pay for their service. Only thing left in the gz file is this:
##
## 2005-08-20: Spamhaus SBL dump not available anymore for free
## for rsync-subscription see http://www.spamhaus.org/datafeed/
##
127.0.0.2/32 http://www.spamhaus.org/organization/funding.html

And that's not very useful.

Are there any alternatives?

Thanks.

Nils Reuvers
ICT Specialist


-
Spark Holland B.V.
Pieter de Keyserstraat 8
7825VE Emmen
The Netherlands

Tel:  +31(0)591 63 17 00
Fax:  +31(0)591 63 00 35
Skype:  nilsreuvers
E-mail: [EMAIL PROTECTED]
- 




Re: Thank you my dear GOD bless you.

2006-04-14 Thread Nils.Reuvers
sigh 

-Original Message-
From: Ms.KIMAEVE LIOUDMILA [mailto:[EMAIL PROTECTED] 
Sent: Friday 14 April 2006 12:30
To: misc@openbsd.org
Subject: Thank you my dear GOD bless you.

My Dear. 
  
I have a profiling amount in an excess of US$123M, which I seek your
partnership in accommodating for me. You will be rewarded with 40% of
the total sum for your partnership.Can you be my partner on this?
 
INTRODUCTION OF MY SELF: 
I am Ms.KIMAEVA LIOUDMILA, a personal secretary to Mikhail Khodorkovsky
the richest man in Russia and owner of the following companies: Chairman
CEO: YUKOS OIL (Russian Most Largest Oil Company) Chairman CEO: Menatep
SBP Bank (A well reputable financial institution with its branches all
over the world)
 
SOURCE OF FUNDS: 
The documents of the above funds in question was handed over to me to be
used in payment of an American oil merchant for his last oil deal with
my boss Mikhail Khodorkovsky. Already the funds have been deposited with
GULF TRESURY SERVICES PLC UK ,where the final crediting is expected to
be carried out. While I was on the process, My Boss got arrested for his
involvement on politics in financing the leading and opposing political
parties (the Union of Right Forces, led by Boris Nemtsov, and Yabloko, a
liberal/social democratic party led by Gregor Yavlinsky) which poses
treat to President Vladimir Putin second tenure as Russian president.
You can catch more of the story on this
 
http://newsfromrussia.com/main/2003/11/13/51215.html 
  
YOUR ROLE: 
All I need from you is to stand as the beneficiary of the above quoted
sum and I will arrange for the documentation which will enable GULF
TRESURY SERVICES PLC UK transfer the sum to you. I have decided to use
this sum to relocate to American continent and never to be connected to
any of Mikhail Khodorkovsky conglomerates. 
 
The transaction has to be concluded in 2 weeks before Mikhail
Khodorkovsky is out from prison. As soon as I get your willingness to
comply I will give you more details.
 
Thank you very much 
  
Regards 
  
Ms.KIMAEVE LIOUDMILA






Re: FTP Issues

2006-03-24 Thread Nils.Reuvers
Read man pf.conf and ftp-proxy

# for proxying with ftp-proxy(8) running on port 8021.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

pass in on $ext_if inet proto tcp from any to $ext_if \
	user proxy keep state

Of course you have to enable ftp-proxy in inetd:
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

You WON'T need:
# FTP Proxy Inbound
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
user proxy flags S/SA keep state

Good luck.

Nils

-Original Message-
From: Hutger H. [mailto:[EMAIL PROTECTED] 
Sent: Friday 24 March 2006 14:38
To: misc@openbsd.org
Subject: FTP Issues

Hi all,

I've got a problem running ftp through my PF firewall. This is the
issue:

- I installed a new firewall (OpenBSD 3.9) in my network to connect some
users to the Internet through a new link. The users need to connect via
FTP to a server located externally (Internet), so the connections must
pass through the PF firewall.

- The firewall is working fine, except when some of the users try to
establish an FTP connection to the outside. As soon as they connect and
try to list the directories, after a long wait, they get disconnected.
My firewall rules are shown at the end of the message.

- Analysing the firewall's traffic, I could notice that the problem
happens when the FTP server tries to make a new connection back to the
client using a high port. I got some tutorials explaining how to solve
this problem using ftp-proxy and some PF rules/rdr, but none of them
seem to work for me.

Does anyone here have an idea how I can solve this question?

PS: Sorry if the question is basic ... I consider myself a PF newbie
since I've worked until now only with Linux based firewalls.

Thanks in advance,

Hutger.

---

#--- Rules begin here

ext_if=pcn0
int_if=pcn1

ext_ip=172.21.28.20/32
int_ip=192.168.1.254/32

int_net=192.168.1.0/24

set skip on lo
set state-policy if-bound
scrub in all

nat on $ext_if from $int_net -> $ext_ip
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

block in all
block out all

antispoof log quick for {$ext_if,$dmz_if,$int_if} inet

# Allow access to the firewall
pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh keep state flags S/SA

# Access from the local network to the Internet
pass in quick on $int_if inet proto tcp from $int_net to any modulate state
pass in quick on $int_if inet proto {udp,icmp} from $int_net to any keep state

# Allow outbound packets on the interfaces
pass out quick on {$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state

# FTP Proxy Inbound
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
	user proxy flags S/SA keep state

#--- Rules end here






Re: Ftp problem

2006-03-21 Thread Nils.Reuvers
What do your pflog say? Try tcpdump on both interfaces and see what's going on. 
Also, you might want to pickup some reading on ftp-proxy(8) (reversed mode -R).

I run ftp-proxy like this:
ftp-proxy -R 192.168.3.2 -m 15000 -M 16000 -r

And my pf looks like this:
nat on $ext_if from 192.168.3.0/24 to any -> ($ext_if)

block log all

#Traffic must be allowed to pass the loopback interface
pass quick on lo0 all

#FTP server
pass in log quick on $ext_if proto tcp from any to $ext_ip port 21 flags S/SA keep state
pass in log quick on $ext_if proto tcp from any to $ext_ip port 15000:16000 flags S/SA keep state

Nils

-Original Message-
From: Pal Andras [mailto:[EMAIL PROTECTED] 
Sent: Tuesday 21 March 2006 19:32
To: misc
Subject: Ftp problem

Hello Misc!
I have a problem about ftp connections.
I made a server behind a firewall and i read the pf docs about the 
configuration.
My external pf conf file looks like that:
ext_if=dc0
int_if=dc1
ftp_server=10.5.5.3
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on dc0 proto tcp from any to any port 80 -> 10.5.5.3

rdr on dc0 proto {udp,tcp} from any to any port 143 -> 10.5.5.3
rdr on dc0 proto {udp,tcp} from any to any port 993 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 25 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 5432 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 8821 -> 10.5.5.1
rdr on dc0 proto tcp from any to any port 61 -> 10.5.5.4
rdr on dc0 proto tcp from any to any port 2819 -> 10.5.5.4 port 2818
rdr on dc0 proto tcp from any to any port 2820 -> 10.5.5.3 port 2818
rdr on dc0 proto tcp from any to any port 21 -> $ftp_server port 21
rdr on $ext_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535
pass in quick on $ext_if proto tcp from any to $ftp_server port 21 keep state
pass in quick on $ext_if proto tcp from any to $ftp_server port > 49152 keep state
pass out quick on $ext_if proto tcp from any to $ftp_server port > 49152 keep state
pass out quick on $int_if proto tcp from any to $ftp_server port 21 keep state


I can connect to the server from my router but can't from the other machines 
behind the router. I tried from behind my neighbour's wireless router too; it did the 
same. My ftp client message was:
Data connection timed out.
Falling back to PORT instead of PASV mode.
List failed.
I think it means that the client connected to the server but it couldn't list the 
directory.
I can connect to and list directories on other ftp servers from anywhere.
Are there any other server side (pf side) configurations?

Thanks a lot for your help and sorry for that stupid question.

--
--
ANDRAS PAL D i g i t a l Influence
E-mail: [EMAIL PROTECTED] Hungary
Web:http://www.digitalinfluence.hu
 http://www.fpower.hu  
 http://www.ifce.hu






Re: syslogd question

2006-02-10 Thread Nils.Reuvers
You could setup different facilities on the separate AIX boxes (local1,
local2, local3, etc..)

Then on your openbsd box add the following line to your syslogd.conf

#AIX box 1
local1.*	/var/log/aix1.log

#AIX box 2
local2.*	/var/log/aix2.log

Don't forget to update the syslogd entry in rc.conf. You must enable the
-u option.

Nils

-Original Message-
From: eric [mailto:[EMAIL PROTECTED] 
Sent: Friday 10 February 2006 19:54
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: syslogd question

On Fri, 2006-02-10 at 10:46:02 -0600, [EMAIL PROTECTED] proclaimed...

 I am setting up an openbsd box to be the catcher for a couple of AIX 
 boxes to pitch their log files to.  Using the standard syslogd, I am 
 wondering if I can set it up so that each of the AIX boxes gets its 
 own log file on the openbsd box.  Something like /var/log/aix1.log and
/var/log/aix2.log.

Sure, check out the man page for syslogd.conf(5).



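Nils' per-host split works by facility, and the pieces he only mentions in passing are where a remote syslog receiver usually goes wrong. The fragments below are an added example, not configuration from the thread: the AIX addresses are assumed, the selector and action in syslog.conf must be separated by a tab (spaces are not accepted), the target files must exist before syslogd starts (create them with touch and add them to newsyslog.conf so they rotate), and because -u makes syslogd accept UDP datagrams from any source and the syslog protocol has no authentication at all, pf should decide who may write to the port, otherwise anyone on the network can fill the disk or plant misleading entries.

```conf
# /etc/syslog.conf (fragment): one file per AIX host, selected by the
# facility that host is configured to send.  Selector and action are
# separated by a TAB.  Create the files first:  touch /var/log/aix{1,2}.log
local1.*	/var/log/aix1.log
local2.*	/var/log/aix2.log

# /etc/rc.conf.local: -u makes syslogd listen on UDP port 514
syslogd_flags="-u"

# /etc/pf.conf (fragment): syslog over UDP carries no authentication, so
# only the two AIX hosts may reach the port.  Addresses are assumed.
int_if = "fxp0"
table <loghosts> { 192.0.2.11, 192.0.2.12 }
block in on $int_if proto udp from any to ($int_if) port syslog
pass in on $int_if proto udp from <loghosts> to ($int_if) port syslog
```

Two limits of this approach worth knowing: the facility is chosen by the sender, so a host that sends local2 instead of local1 lands in the other file, and the hostname in each line is whatever the sender put there; the pf table is what ties a log file to an actual source address.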



Re: Good SMTP and POP proxy for OpenBSD

2006-02-07 Thread Nils.Reuvers
And in addition to the stunnel lead:
http://www.sysdesign.ca/guides/secure_pop3.html

Nils

-Original Message-
From: Siju George [mailto:[EMAIL PROTECTED] 
Sent: Tuesday 7 February 2006 14:20
To: Brandon Mercer
Cc: Joachim Schipper; misc
Subject: Good SMTP and POP proxy for OpenBSD

On 2/6/06, Brandon Mercer [EMAIL PROTECTED] wrote:
 
 There is p3scan_pf for pop3 proxying... It can be found at 
 www.undergroundsecurity.com.
 Brandon


Thank you so much Joachim, Brandon, Bill, Nils and Stuart for your
responses.

I tried p3scan.
I configured everything clamav etc as said.
At the last step launching p3scan it gave me a core dump :-( Is it
because of the mmap, malloc changes in 3.8?

http://www.undergroundsecurity.com/p3scan/installation.html

describes the installation in 3.7

have you done it on 3.8??

Details


# pwd
/etc/p3scan
# ls -l
total 28
-rw-r--r--  1 root     _clamav   10661 Feb  7 18:20 p3scan.conf
-rw-rw----  1 _clamav  _clamav     758 Feb  7 18:07 p3scan.mail
# p3scan
# chown: mail: invalid group name

# ls -l
total 1276
-rw-r--r--  1 root     _clamav   10661 Feb  7 18:20 p3scan.conf
-rw-------  1 root     wheel    614972 Feb  7 18:46 p3scan.core
-rw-rw----  1 _clamav  _clamav     758 Feb  7 18:07 p3scan.mail
#
---

Core Dump file attached.

Thankyou so much :-)

Kind Regards

Siju

[demime 1.01d removed an attachment of type application/octet-stream
which had a name of p3scan.core]






Re: Good SMTP and POP proxy for OpenBSD

2006-02-06 Thread Nils.Reuvers
Smtp proxy?

You mean an emailserver.

I have postfix running as my primary mailserver. It delivers mail to my
backend Exchange server and relays e-mail for the same Exchange server.
So, in a way, it's proxying the e-mail.
With postfix, you have almost unlimited control over the complete mail
process.

I thought stunnel could also proxy encrypted pop3 traffic.

Nils

-Original Message-
From: Brandon Mercer [mailto:[EMAIL PROTECTED] 
Sent: Monday 6 February 2006 14:19
To: Joachim Schipper
Cc: misc
Subject: Re: Good SMTP and POP proxy for OpenBSD

Joachim Schipper wrote:

On Mon, Feb 06, 2006 at 12:34:26PM +0530, Siju George wrote:
  

Hi all,

Till now I have been simply NATing SMTP and POP connections from the 
LAN through the OpenBSD 3.8 Firewall.

I would like to have some finer control of mail coming in and going 
out and would like to install an SMTP Proxy and also a POP proxy on my 
OpenBSD Firewall.

Messagewall does not seem to be in ports.

Could someone recommend a good Software for me in these two 
categories available for OpenBSD?

There is p3scan_pf for pop3 proxying... It can be found at
www.undergroundsecurity.com.
Brandon






Re: SpamD, Postfix and mobile users

2006-02-04 Thread Nils.Reuvers
Thanks for all the advice.

I've setup TLS on port 587 like Peter suggested and it's working great.

Only thing you have to keep in mind when you use Microsoft Outlook. It
needs a restart after the e-mail account settings change. Go figure :).

Thanks again guys.

Nils

-Original Message-
From: Peter Hessler [mailto:[EMAIL PROTECTED] 
Sent: Friday 3 February 2006 20:44
To: [EMAIL PROTECTED]
Subject: Re: SpamD, Postfix and mobile users

Have them send to port 587.  That will bypass greylisting, as well as
port 25 blocking.

enable the following line in your master.cf file.
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes



On Fri, 3 Feb 2006 20:07:18 +0100
[EMAIL PROTECTED] wrote:

: Hi all,
: 
: I'm running Postfix 2.3.20050716-sasl2 (chrooted) and
: cyrus-sasl-2.1.20p4 on OpenBSD 3.8 stable. Everything is running
: peachy. My roaming users are able to connect and send e-mail.
: Now I wish to enable the fantastic SpamD feature in OpenBSD. However,
: I'm foreseeing a problem. I do not want my roaming users to be
: greylisted every time they send e-mail. They are roaming and do not
: have a static IP.
: 
: Is there a way for SASL authenticated users to bypass the SpamD
: daemon?
: 
: Thanks for your thoughts.
: 
: Nils
: 


--
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
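The thread's answer in configuration form, as an added example rather than anything a poster supplied: spamd only ever sees what pf redirects to it, and the redirect covers port 25 alone, so the submission port reaches the MTA untouched. The interface name, the rule layout (modelled on the spamd(8) example of that era) and the extra client restriction are assumptions.

```conf
# /etc/pf.conf (OpenBSD 3.8 syntax). Only port 25 is handed to spamd;
# the submission port passes straight to Postfix, so greylisting never
# applies to roaming users. $ext_if is an assumed interface name.
ext_if = "fxp0"
table <spamd> persist
table <spamd-white> persist
rdr pass on $ext_if inet proto tcp from <spamd> to $ext_if \
    port smtp -> 127.0.0.1 port spamd
rdr pass on $ext_if inet proto tcp from !<spamd-white> to $ext_if \
    port smtp -> 127.0.0.1 port spamd
pass in on $ext_if inet proto tcp from any to $ext_if \
    port submission flags S/SA keep state

# /etc/postfix/master.cf: the submission service from the thread, plus a
# client restriction (assumed here) so the port relays only for users who
# actually authenticated; an unauthenticated client gets rejected rather
# than becoming an open relay that skips spamd.
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```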



SpamD, Postfix and mobile users

2006-02-03 Thread Nils.Reuvers
Hi all,

I'm running Postfix 2.3.20050716-sasl2 (chrooted) and
cyrus-sasl-2.1.20p4 on OpenBSD 3.8 stable. Everything is running peachy.
My roaming users are able to connect and send e-mail.
Now I wish to enable the fantastic SpamD feature in OpenBSD. However,
I'm foreseeing a problem. I do not want my roaming users to be
greylisted every time they send e-mail. They are roaming and do not have
a static IP.

Is there a way for SASL authenticated users to bypass the SpamD daemon?

Thanks for your thoughts.

Nils




Re: SpamD, Postfix and mobile users

2006-02-03 Thread Nils.Reuvers
Thanks for your quick response Maxim.

Sure, I could enforce TLS connections for my roaming (outside/internet)
users. That might be a good solution and I would bypass SpamD.
I could also setup another postfix instance on another port and allow
sasl_authenticated only.

But I was hoping SpamD had some kind of understanding of SASL.


As far as I know spamd catches incoming.
Put a second postfix on SSL port - make it relay only.


On Friday 03 February 2006 20:07, you wrote:
 Hi all,
 
 I'm running Postfix 2.3.20050716-sasl2 (chrooted) and
 cyrus-sasl-2.1.20p4 on OpenBSD 3.8 stable. Everything is running
peachy.
 My roaming users are able to connect and send e-mail.
 Now I wish to enable the fantastic SpamD feature in OpenBSD. However, 
 I'm foreseeing a problem. I do not want my roaming users to be 
 greylisted every time they send e-mail. They are roaming and do not 
 have a static IP.
 
 Is there a way for SASL authenticated users to bypass the SpamD
daemon?
 
 Thanks for your thoughts.
 
 Nils
 

--
Best regards
Maxim Bourmistrov



Re: SpamD, Postfix and mobile users

2006-02-03 Thread Nils.Reuvers
Thanks a bunch fellas.

I got TLS working. Except for the fact that I cannot use port 587 in
(yes I know) Outlook Express. If I keep it at port 25, everything runs
like a charm. The server is listening on port tcp 587. However, the
connection gets shut right after the first connect. Perhaps it's an
Outlook Express bug. I'll test it with firefox tomorrow.

Thanks again.

Nils

-Original Message-
From: Kurt Mosiejczuk [mailto:[EMAIL PROTECTED] 
Sent: vrijdag 3 februari 2006 22:31
To: misc@openbsd.org
Subject: Re: SpamD, Postfix and mobile users

Bob Beck wrote:

   This is the right solution for roaming users, and is why I will *not*
 make spamd ever have a notion of sasl :)

   It is also, exactly, what we do here. Our users use port 587 for
 this, NOT port 25

Doing it this way also helps those users who have ISPs who block
outbound port 25 traffic.  (Of which I have a number)

--Kurt






Re: Url checker

2005-10-03 Thread Nils.Reuvers
Thanks Jasper,

I just thought of another solution. Stupid me not thinking of it
earlier. I can log all http traffic with PF and write some perl to
process the logfile. Can't believe I was staring blind on a 3rd party
solution.

Nils
 

-Original Message-
From: J. Lievisse Adriaanse [mailto:[EMAIL PROTECTED] 
Sent: maandag 3 oktober 2005 12:41
To: Reuvers, Nils; misc@openbsd.org
Subject: Re: Url checker


Maybe you mean something like:
http://www.openbsd.org/cgi-bin/cvsweb/ports/www/linkchecker/ ?

Cheers,
Jasper

Op 3/10/2005 schreef [EMAIL PROTECTED]
[EMAIL PROTECTED]:

Hi list,

Does anyone know a good URL checker that runs on OpenBSD? My boss wants me 
to monitor web site traffic and present a report with all visits to all
websites per user (pc). I've searched the internet but did not find an 
appropriate (free) solution. I have been playing with the idea to use 
snort, but that seems a lot of work to me.

Any suggestions are more than welcome.

Nils




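The approach Nils describes (log the HTTP traffic with a pf "log" rule, then post-process the log) worked through, as an added example in Python rather than the perl he mentions, not code from the thread. The sample lines are constructed in the shape of `tcpdump -n -e -ttt -r /var/log/pflog` output of that era, so the regex is an assumption to adjust against real output; it counts only passed SYN packets so that each TCP session is one visit, and ignores blocked or non-HTTP traffic.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output, as a pf
# rule with the "log" keyword on outbound port 80 would produce it.
SAMPLE_PFLOG = """\
Oct 03 12:41:02.123456 rule 3/(match) pass in on fxp1: 192.168.1.10.49152 > 203.0.113.5.80: S 10000:10000(0) win 65535 <mss 1460>
Oct 03 12:41:02.223456 rule 3/(match) pass in on fxp1: 192.168.1.10.49152 > 203.0.113.5.80: . ack 1 win 65535
Oct 03 12:41:05.001234 rule 3/(match) pass in on fxp1: 192.168.1.10.49153 > 203.0.113.5.80: S 20000:20000(0) win 65535 <mss 1460>
Oct 03 12:42:10.555555 rule 3/(match) pass in on fxp1: 192.168.1.22.50100 > 198.51.100.7.80: S 30000:30000(0) win 65535 <mss 1460>
Oct 03 12:42:11.000000 rule 5/(match) block in on fxp1: 192.168.1.22.50101 > 198.51.100.9.443: S 40000:40000(0) win 65535 <mss 1460>
"""

# One pflog line: timestamp, rule, action, direction, interface, 4-tuple, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

def parse_pflog(text):
    """Yield one dict per parseable line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def http_visits(text, port="80"):
    """Count new HTTP connections per client PC and destination host.
    Only passed SYN packets are counted, so each TCP session counts once
    rather than once per packet. Returns {client_ip: {dst_ip: count}}."""
    visits = defaultdict(lambda: defaultdict(int))
    for rec in parse_pflog(text):
        if rec["action"] == "pass" and rec["dport"] == port and rec["flags"] == "S":
            visits[rec["src"]][rec["dst"]] += 1
    return {client: dict(dsts) for client, dsts in visits.items()}

def report(visits):
    """Render the per-client report as plain text lines."""
    lines = []
    for client in sorted(visits):
        lines.append(f"{client}:")
        for dst, n in sorted(visits[client].items()):
            lines.append(f"    {dst}  {n} connection(s)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(http_visits(SAMPLE_PFLOG))))
```

Per-destination counts by IP are what pf can give you; mapping them to site names needs a reverse lookup or a proxy log, which is one reason squid comes up elsewhere in these threads.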



Re: Url checker

2005-10-03 Thread Nils.Reuvers
Good point. 

-Original Message-
From: michael hamerski [mailto:[EMAIL PROTECTED] 
Sent: maandag 3 oktober 2005 15:46
To: Reuvers, Nils
Subject: Re: Url checker

be warned: depending on the number of clients on your network, logging
all http traffic is a pretty good way of testing the reliability of your
disk.

when I was reluctantly asked to implement this a few years ago on a 100
client network, the aging disk failed within a week. if you want to do
this on a long-term basis for more than a few clients, I would consider
a dedicated disk.

mike





Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)

2005-09-14 Thread Nils.Reuvers
Isn't PF your problem? Do you have it enabled? It might be blocking your
network traffic, causing this behavior. Check your logs and
/etc/pf.conf.

Nils 

-Original Message-
From: eric [mailto:[EMAIL PROTECTED] 
Sent: woensdag 14 september 2005 5:22
To: Karsten McMinn
Cc: misc@openbsd.org
Subject: Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run
nessus, how do you make it run faster?)

On Tue, 2005-09-13 at 17:09:19 -0700, Karsten McMinn proclaimed...

 tweaking syntax to this using nmap 3.50 on 3.6 completed in 343 seconds:
 nmap -P0 -T Insane -v -sT -p 1-65535 x.x.x.x (as root)

 It was definitely slower using the same syntax on 3.7 though, I didn't
 have time to see how long it was going to take.

Here's what I've been seeing for a looong time...

$ nmap -sS -p 1-65535 172.81.141.197
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-13 22:20 CDT
sendto in send_ip_packet: sendto(3, packet, 40, 0, 172.81.141.197, 16) = No route to host

That host is on the same subnet as the scanning machine.






Re: firewall products

2005-09-08 Thread Nils.Reuvers
squid 

-Original Message-
From: Florian [mailto:[EMAIL PROTECTED] 
Sent: donderdag 8 september 2005 11:49
To: misc@openbsd.org
Subject: firewall products

good morning

i'll have to build a complete firewall solution with OpenBSD.
which products do you prefer for security proxy integration for HTTP,
FTP, POP, SMTP and GENERIC ?

Thanks for answers

florian


