Re: OpenBSD Router woes
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BradenM - Sonoma Computer
> Sent: Monday, February 05, 2007 4:37 PM
> To: misc@openbsd.org
> Subject: OpenBSD Router woes
>
> So, it goes like this;
> OpenBSD is installed and functional and in the process of becoming a PF/Router box. My problem is this, I have three ethernet cards, each assigned the names rl0 - rl2. rl0 is the ethernet card that is receiving an IPv4 address from my SBC router, rl1 will be listening to dhcp requests which I have already setup using dhcpd, and rl2 will be listening for dhcp requests but will not be connected to a computer but a wireless access point. My question, and thus my problem, is this: I have setup ip forwarding using sysctl and am now wondering how I am to distribute my internet connection from rl0 to rl1 and 2? Are PF rules required or do I have to write to the configuration file for the ethernet adapters?

Check the Network Address Translation section of the PF User's Guide. That should help.
Re: OT Was: Wanted: OpenBSD Systems Administrator
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diana Eichert
> Sent: Wednesday, January 03, 2007 9:03 AM
> To: OpenBSD
> Subject: OT Was: Wanted: OpenBSD Systems Administrator
>
> On Tue, 2 Jan 2007, Jack J. Woehr wrote:
>
> > Tom Bombadil wrote:
> > > The guy just sent one single e-mail asking if a bsd user wanted a job, which I bet many among us might be interested in.
> >
> > I've certainly heard from consulting customers who got my info from the consultants page at OpenBSD ... It's hard to understand why one can't post a job req on misc ... there's a jobs@ list for apache.org and it's busy ... There's a fine line between job postings and headhunter poop of course ... Why should we chase away employers looking for experts in our slightly arcane and recondite OBSD environment?
> >
> > --
> > Jack J. Woehr
> > Director of Development
> > Absolute Performance, Inc.
> > [EMAIL PROTECTED]
> > 303-443-7000 ext. 527
> > See Jack ( see jack run, see jack talk ;) )
>
> You make my point in your reply, apache.org has a jobs@ list as do several other projects. There's a reason.
>
> As far as "slightly arcane and recondite" I disagree, I consider the "OBSD environment" to be one of clarity and foresight.
>
> In regards to "Tom Bombadil", when you stop using characters from Tolkien to post I'll begin to listen.
>
> g.day to y'all
>
> diana

I personally think that job postings help the community more than they hurt. The line between genuine job opportunities and "headhunter poop" should be easy to spot. I certainly think it could fall under the purview of "misc". Of course, having a jobs list would indeed make the issue even more clear-cut.

I wonder how you'll poke fun at my name? :)

Peter
Re: VPN solutions for OpenBSD to Windows
I second that -- OpenVPN is great. Easy and quick to set up, clients for most OSes (and you can re-use the config files across OSes; that was a nice bonus when the boss wanted his Mac to connect to the VPN). Unless there's another requirement that means you can't use OpenVPN, you should check it out.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Hopfgartner
> Sent: Friday, December 22, 2006 6:09 AM
> To: misc@openbsd.org
> Subject: Re: VPN solutions for OpenBSD to Windows
>
> Can you better define your set up?
>
> If you want to connect from a Windows road warrior which may or may not be behind a NAT, OpenVPN can hardly be beat in ease of use, robustness etc. It runs fine as a service or on demand, has optionally a nice GUI and I had no issues with packet length etc.
>
> If the Windows machine is not behind a NAT and is directly connected to the Internet Greenbow is really a fine product.
>
> Regards
>
> Peter
>
> http://www.hopfgartner.it
>
> Edy wrote:
> > Hi Peter,
> >
> > Have you looked at OpenVPN?
> >
> > Please check out this document
> >
> > http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd
> >
> > Cheers,
> > Edy
> >
> > [EMAIL PROTECTED] wrote:
> >> Hi gang,
> >>
> >> I'm looking for peoples' experiences and advice for setting up a VPN between OpenBSD (I will be using 4.0) and Windows XP/2000 systems. I have tested the Greenbow client and it seems ok. What of the built-in VPN client for the Windows OS? I am mostly interested in ease of configuration and reliability of the tunnel. I am ok on IPSEC theory.
> >>
> >> Thanks in advance for any comments,
> >>
> >> Peter
Re: [OT] OpenBSD AJAX
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ropers
> Sent: Wednesday, November 01, 2006 6:44 PM
> To: L. V. Lammert
> Cc: Mark Bucciarelli; David Terrell; Damien Miller; Sam Fourman Jr.; OpenBSD
> Subject: Re: [OT] OpenBSD AJAX
>
> On 01/11/06, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> > On Wed, 1 Nov 2006, Mark Bucciarelli wrote:
> >
> > > Do you have a recommendation for a client-side Ajax lib to use with C?
> >
> > Huh? How can you run C code in a browser?
> >
> > Lee
>
> The short answer: You don't.
>
> The long answer:
> Ok, so here goes -- for the benefit of the archives:
> Read http://www.webpasties.com/xmlHttpRequest/ .
> Note how XMLHttpRequest is key here.
> It links the client side (where we have HTML/CSS/ECMAscript and possibly other clientside stuff) with whatever code is running on the server.
> I'm using the word "link" very loosely here: XMLHttpRequest can make the browser request data without page reloads. That data doesn't really have to be in XML format (cf. JSON).
> The code on the server (that talks to XMLHttpRequest) could effectively be just about anything: PHP, Perl, Python, Ruby, Java/JSP, even C.
>
> /* begin increasingly off-topic techno-giddy malarkey */
>
> And while I don't know that it has been done, in theory at least, there's nothing to stop you from writing the server side logic in pure assembly language.
> Oh, don't just write it in assembly language. Write it in assembly language by hand editing in a hex editing environment inside vi (:%!xxd / :%!xxd -r) via a 2400 baud teletype using this programming technique when writing your loops: http://tinyurl.com/y65oeu
>
> PS: I once read that Google allegedly, allegedly generated their fancy-schmancy AJAXian Javascript code by first writing Java code and then using some kind of cross-converter to turn the Java code into JavaScript code.
> Either the person who wrote that was seriously confused and STILL didn't get that Java and JS are completely different animals, or Google is doing something that I can only marvel and awe at.
>
> PPS: Someplace else I read that reportedly, reportedly most people who code for a living do so in Java. No idea if that's true, though if it is, it could explain what Google is reportedly doing...

That's exactly what they do: http://code.google.com/webtoolkit/
usable winxp ipsec client... referenced in a message but I can't find the archive
Hello,

http://marc.theaimsgroup.com/?l=openbsd-misc&m=115409112232227&w=2 references a "usable" ipsec client for winxp in the archives, but I can't find what it's referring to. Can anyone point me in the right direction? I'm tired of banging my head against ipseccmd.exe...

Thanks,
Peter L.
Re: Doubts about OpenBSD security.
I think that when you've given an attacker physical access to a machine with a root session open, there's not a whole lot OpenBSD (or any OS) can do... The attacker could also, with physical access, attach a keystroke logger, unplug your machine, or any number of other bad/humorous things I'm not clever enough to think of -- no matter what OS is running on the system.

Hope that allays some of your fears regarding OpenBSD in particular...

Peter L.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of João Salvatti
Sent: Wednesday, June 21, 2006 1:23 PM
To: Misc OpenBSD
Subject: Doubts about OpenBSD security.

My doubts may seem foolish, so thanks in advance to those who will read this e-mail and may help me with my doubts.

1. Why doesn't passwd ask for the superuser's current password when it's run by the superuser to change its own password? Might it not be considered a serious security flaw?

2. Why doesn't the system ask for the password, as a default action, to log in to the system when entering single user mode? Might it not also be considered a serious security flaw? And why isn't there a different password to log in to single user mode, instead of using root's password?

A real example: Let's suppose an attacker entered the room where an OpenBSD server is located, and by mistake the system administrator has forgotten to log out of the root login session. So the attacker could enter single user mode, without the need for the root password, and load a malicious kernel module. He also could do millions of other things, except changing root's password, because the system administrator would notice it immediately. I believe it could be more difficult for the attacker if there were a different password to log in to the system in single user mode.

Thanks for the time wasted reading this e-mail and I'm sorry if my questions are too silly.

--
João Salvatti
Undergraduate in Computer Science
Federal University of Pará - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]
Re: (newbie) a network related question
>> Third, if you live in a house with a single address, you cannot publicly start announcing different addresses without the postal service knowing about it. If packets should arrive at your home, then you better make sure you write your street and number on the announcement, other things just won't work.
>>
>
> No but I use the following format: address+office1 ... address+officeN! That's what I try to achieve with the IPs as well but without having to use port numbers!

While this analogy is probably starting to get a little stretched, address + officeN is analogous to ip:port. An IP address is like a postal service address; it tells where a packet should physically go. Once it gets to that address, it's up to the receiving computer to figure out which program is listening on the port the packet arrived on. When you send a letter to address + officeN, the post office doesn't care about the officeN part, it just looks at the address to get the packet there.

>> Last but not least: _if_ your ADSL provider will assign and route multiple addresses to your router (for example a complete C network), then you can - of course - translate the different numbers into different numbers in your internal network. But then: why you are not using these IPs for your internal network directly?
>>
>
> well, that's not the case. But even then, how can an ISP assign a complete C network just like this? What's behind that?

The ISP is assigning IPs based on a block of IPs they already own, they don't just "create" them. They'll block off part of their own class A or B network and allow you to use them. All IPs get assigned by a naming authority, such as ARIN.
Re: DHS Grant to analyze OpenBSD (and other OSS) for Bugs
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ted Unangst
Sent: Wednesday, January 11, 2006 3:51 PM
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: DHS Grant to analyze OpenBSD (and other OSS) for Bugs

> On 1/11/06, John R. Shannon <[EMAIL PROTECTED]> wrote:
>> It's probably worse. Any vulnerabilities found will almost assuredly be classified or at least FOUO.
>
> pt!

Maybe I'm misreading the situation -- but won't this just give Open projects an even better chance to outpace closed systems not subject to the same reviews in terms of security and reliability?
Re: ftp-proxy help needed...
We don't (yet) do any egress filtering:

    pass out on $ext_if proto tcp all modulate state flags S/SA

tcpdump on the pflog0 interface as you suggested returns nothing being blocked when trying to connect -- not the internal IP, external IP, or ftp server. So I think the problem is with my config of ftp-proxy. There are currently 7 IP aliases on the external interface. I'm using -a and -S to specify which alias ftp-proxy should use, and I'm passing the -n flag to indicate we're using NAT. Is there something else I'm missing somewhere?

> -Original Message-
> From: Bob Beck [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 09, 2006 6:31 PM
> To: Peter Landry
> Cc: misc@openbsd.org
> Subject: Re: ftp-proxy help needed...
>
> Judging by the error message, likely you are either blocking the outbound data channel connection to the real server, or the server itself is filtering it. The first place I'd start looking is in your "other" pf rules to see what's getting blocked.
>
> set your block rules to log stuff, and then tcpdump the pflog interface looking for anything blocked that involves the real server or your test client - then you'll see if one of your rules is spanking something.
>
> i.e.
>
> tcpdump -n -i pflog0 host ftp.server.ip.addr or host client.machine.ip.addr
>
> -Bob
>
> * Peter Landry <[EMAIL PROTECTED]> [2006-01-09 15:20]:
>> Hello list,
>> I'm working on getting Active FTP Connections working (a requirement of an app used by a client) through our 3.8 firewall. Following the PF FAQ, I was able to get passive FTP working fine with the following pf.conf lines:
>>
>> rdr pass on $int_usr_if proto tcp from $int_usr_if:network to any port 21 -> \
>>     127.0.0.1 port 8021
>> and
>>
>> pass in on $ext_if inet proto tcp from any port 20 to any \
>>     user proxy flags S/SA keep state
>>
>> When I attempt to make an outgoing connection, everything goes fine up until the data connection is attempted.
>>
>> (xxx.xxx.xxx.xxx is the ftp server IP)
>> (yyy.yyy.yyy.yyy is our externally visible IP)
>>
>> pflog, as far as I can tell, doesn't show anything being blocked. tcpdump during the session produces a bunch of packets on port 21 for the control connection, and the following for ftp-data:
>> 16:00:03.825620 xxx.xxx.xxx.xxx.ftp-data > yyy.yyy.yyy.yyy.50463: S 1112717906:1112717906(0) win 16384 (DF)
>> 16:00:03.825648 yyy.yyy.yyy.yyy.50463 > xxx.xxx.xxx.xxx.ftp-data: S 399002834:399002834(0) ack 1112717907 win 16384 <mss 1460,nop,nop,sackOK> (DF)
>> 16:00:03.831991 xxx.xxx.xxx.xxx.ftp-data > yyy.yyy.yyy.yyy.50463: . ack 1 win 16560 (DF)
>> 16:00:03.838487 xxx.xxx.xxx.xxx.ftp-data > yyy.yyy.yyy.yyy.50463: P 1:1081(1080) ack 1 win 16560 (DF)
>> 16:00:03.838611 xxx.xxx.xxx.xxx.ftp-data > yyy.yyy.yyy.yyy.50463: F 1081:1081(0) ack 1 win 16560 (DF)
>> 16:00:03.838628 yyy.yyy.yyy.yyy.50463 > xxx.xxx.xxx.xxx.ftp-data: . ack 1082 win 15480 (DF)
>>
>> tail /var/log/daemon:
>> Jan 9 15:55:27 maverick ftp-proxy[20164]: accepted connection from 192.168.0.37:4713 to xxx.xxx.xxx.xxx:21
>> Jan 9 15:55:27 maverick ftp-proxy[20164]: client: USER username\^M
>> Jan 9 15:56:10 maverick ftp-proxy[17000]: cannot connect data channel (Connection timed out)
>>
>> The relevant /etc/inetd.conf line is as follows:
>> 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -a yyy.yyy.yyy.yyy -V -S yyy.yyy.yyy.yyy
>> (yyy.yyy.yyy.yyy is the IP we nat from, it's an alias on em0)
>>
>> Just to clarify -- the ftp server isn't on our network, it's at a client site.
>>
>> Can anyone see anything I've missed in the config? I've tried many different options in both pf.conf and inetd.conf to no avail. Also, I realize ftp-proxy is being replaced in -current, but I'd like to get this working with the old ftp-proxy before trying -current (which I've never done before... could be dangerous).
>>
>> Any advice at all would be helpful. Thanks!
>> Peter L.
>>
>> PS -- is posting tcpdump and logfile like I have done considered bad form?
>> PPS -- a dmesg wouldn't really be helpful here, would it?
>>
>
> --
> | | |The ASCII Fork Campaign
>  \|/ against gratuitous use of threads.
>   |
ftp-proxy help needed...
Hello list,

I'm working on getting Active FTP Connections working (a requirement of an app used by a client) through our 3.8 firewall. Following the PF FAQ, I was able to get passive FTP working fine with the following pf.conf lines:

    rdr pass on $int_usr_if proto tcp from $int_usr_if:network to any port 21 -> \
        127.0.0.1 port 8021

and

    pass in on $ext_if inet proto tcp from any port 20 to any \
        user proxy flags S/SA keep state

When I attempt to make an outgoing connection, everything goes fine up until the data connection is attempted.

(xxx.xxx.xxx.xxx is the ftp server IP)
(yyy.yyy.yyy.yyy is our externally visible IP)

pflog, as far as I can tell, doesn't show anything being blocked. tcpdump during the session produces a bunch of packets on port 21 for the control connection, and the following for ftp-data:

    16:00:03.825620 xxx.xxx.xxx.xxx.ftp-data > yyy.yyy.yyy.yyy.50463: S 1112717906:1112717906(0) win 16384 (DF)
    16:00:03.825648 yyy.yyy.yyy.yyy.50463 > xxx.xxx.xxx.xxx.ftp-data: S 399002834:399002834(0) ack 1112717907 win 16384 (DF)
    16:00:03.831991 xxx.xxx.xxx.xxx.ftp-data > yyy.yyy.yyy.yyy.50463: . ack 1 win 16560 (DF)
    16:00:03.838487 xxx.xxx.xxx.xxx.ftp-data > yyy.yyy.yyy.yyy.50463: P 1:1081(1080) ack 1 win 16560 (DF)
    16:00:03.838611 xxx.xxx.xxx.xxx.ftp-data > yyy.yyy.yyy.yyy.50463: F 1081:1081(0) ack 1 win 16560 (DF)
    16:00:03.838628 yyy.yyy.yyy.yyy.50463 > xxx.xxx.xxx.xxx.ftp-data: . ack 1082 win 15480 (DF)

tail /var/log/daemon:

    Jan 9 15:55:27 maverick ftp-proxy[20164]: accepted connection from 192.168.0.37:4713 to xxx.xxx.xxx.xxx:21
    Jan 9 15:55:27 maverick ftp-proxy[20164]: client: USER username\^M
    Jan 9 15:56:10 maverick ftp-proxy[17000]: cannot connect data channel (Connection timed out)

The relevant /etc/inetd.conf line is as follows:

    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -a yyy.yyy.yyy.yyy -V -S yyy.yyy.yyy.yyy

(yyy.yyy.yyy.yyy is the IP we nat from, it's an alias on em0)

Just to clarify -- the ftp server isn't on our network, it's at a client site.

Can anyone see anything I've missed in the config? I've tried many different options in both pf.conf and inetd.conf to no avail. Also, I realize ftp-proxy is being replaced in -current, but I'd like to get this working with the old ftp-proxy before trying -current (which I've never done before... could be dangerous).

Any advice at all would be helpful. Thanks!
Peter L.

PS -- is posting tcpdump and logfile like I have done considered bad form?
PPS -- a dmesg wouldn't really be helpful here, would it?
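As an added illustration of the job ftp-proxy does for active FTP through NAT when started with -n and -a (this is not ftp-proxy's own code): the client's PORT command carries its private address, which the proxy must rewrite to the external alias before the server sees it, and must refuse when the advertised address is not the client's own. The client address is the one in the daemon log above; 203.0.113.10 is a constructed stand-in for the masked yyy.yyy.yyy.yyy, and the PORT line itself is constructed.

```python
"""Rewriting the FTP PORT command for active FTP through NAT.

Added example, not OpenBSD's ftp-proxy source. The client 192.168.0.37
is taken from the thread's daemon log; 203.0.113.10 is a constructed
placeholder for the external alias the thread masks as yyy.yyy.yyy.yyy.
"""
import re
from typing import NamedTuple, Optional

# PORT h1,h2,h3,h4,p1,p2 (RFC 959, section 4.1.2); port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


class DataChannel(NamedTuple):
    host: str
    port: int


def parse_port_command(line: str) -> Optional[DataChannel]:
    """Decode a PORT command into the endpoint the client asks the server
    to connect back to. Anything malformed (bad octet, port 0) gives None."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return DataChannel(".".join(str(f) for f in fields[:4]), port)


def format_port_command(chan: DataChannel) -> str:
    """Encode an endpoint back into PORT syntax, CRLF-terminated."""
    return "PORT %s,%d,%d\r\n" % (
        chan.host.replace(".", ","), chan.port >> 8, chan.port & 0xFF)


def rewrite_port(line: str, client_ip: str, external_ip: str,
                 proxy_port: int) -> Optional[str]:
    """Rewrite the client's PORT command the way a NAT-aware proxy must.

    Checks a proxy has to enforce before relaying:
      * the advertised host must be the client itself, so the server is
        never told to connect to some third party;
      * the advertised port must be unprivileged (> 1023).
    On success the server is told to connect to external_ip:proxy_port,
    where the proxy listens; the proxy itself then connects to the
    client's original (private) endpoint to complete the data channel.
    """
    chan = parse_port_command(line)
    if chan is None or chan.host != client_ip or chan.port <= 1023:
        return None
    return format_port_command(DataChannel(external_ip, proxy_port))


# Constructed sample exchange.
CLIENT_IP = "192.168.0.37"                       # from the daemon log
EXTERNAL_IP = "203.0.113.10"                     # placeholder for yyy.yyy.yyy.yyy
CLIENT_PORT_CMD = "PORT 192,168,0,37,18,106\r\n"  # client data port 4714

if __name__ == "__main__":
    print(parse_port_command(CLIENT_PORT_CMD))
    print(rewrite_port(CLIENT_PORT_CMD, CLIENT_IP, EXTERNAL_IP, 50463), end="")
    # a PORT naming a host other than the client is dropped
    print(rewrite_port("PORT 10,0,0,5,18,106\r\n", CLIENT_IP, EXTERNAL_IP, 50463))
```

The proxy port 50463 is the one the server's ftp-data SYN reached in the tcpdump above, which is the half of the exchange the rewrite makes possible.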
Re: Just confirming: no way to do a pf rdr based on hostname?
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jens Teglhus Møller
> Sent: Monday, December 12, 2005 5:16 PM
> To: misc@openbsd.org
> Subject: Re: Just confirming: no way to do a pf rdr based on hostname?
>
> Peter Landry wrote:
>> Hi All,
>> We're migrating an old Microsoft ISA Server system to OpenBSD pf. First off, before I ask any questions, kudos to everyone -- Installing OpenBSD 3.8 was a very pleasant, painless experience for someone who's never used it before. Setting up pf/nat was also extraordinarily easy. The docs are great.
>>
>> That aside, the only thing that I haven't been able to migrate yet is ISA's ability to redirect web requests coming in on the same IP to different machines based on the host name. I.e., www.a.com (IP 123.123.0.1) gets redirected to the internal IP 192.168.0.1 while www.b.com (also IP 123.123.0.1) gets redirected to the internal IP 192.168.0.2.
>>
>> I haven't found anything in the docs, and all the list archive questions I've found were specific to ipnat, not pf.
>>
>> I'm thinking that I can't do it. In that case, my options seem to be 1) use different external IPs for each website, and redirect to different internal servers based on IP 2) redirect all web traffic to the legacy ISA system, which will then redirect based on hostname. I'm hesitant to use up all our IPs for option 1, but I'm thinking option 2 is even worse... Are there any options I haven't thought of?
>>
>> Thanks for any advice...
>> Peter L.
>
> This can not be achieved with pf (since pf does not know about the http protocol, where name based virtual hosting happens), but you could use apache with mod_proxy or perhaps squid (perhaps other http proxies exist).
>
>
> /jtm

Thanks for all the suggestions. In the interests of getting this all working, I'm going to stick with using different external IPs for now. After we get everything moved and settled, I'm going to look into running squid, both for this, and also general http proxying.

Thanks again all,
Peter L.
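The distinction /jtm draws, as an added illustration that is not code from the thread, from pf or from squid: both hostnames arrive on the same IP:port tuple, which is all a pf rdr rule can match on, while the name lives in the HTTP Host header that only a layer-7 proxy parses. The addresses are the thread's; the request bytes are constructed.

```python
"""Name-based redirection: what pf sees versus what an HTTP proxy sees.

Added example, not from the thread or from pf/squid. Addresses are the
thread's: both names resolve to 123.123.0.1, the backends are 192.168.0.1
and 192.168.0.2. The sample requests are constructed.
"""
from typing import Optional, Tuple

EXTERNAL_IP = "123.123.0.1"
HTTP_PORT = 80

# The virtual-host table an HTTP reverse proxy (mod_proxy, squid) holds.
VHOSTS = {
    "www.a.com": ("192.168.0.1", 80),
    "www.b.com": ("192.168.0.2", 80),
}


def pf_rdr_key(dst_ip: str, dst_port: int, payload: bytes) -> Tuple[str, int]:
    """Everything a pf rdr rule can match on for this traffic.

    The payload is deliberately ignored: pf does not parse HTTP, so the
    Host header never takes part in the decision. Both sample requests
    below yield the same key, which is why no rdr rule can separate them.
    """
    return (dst_ip, dst_port)


def parse_host(request_head: bytes) -> Optional[str]:
    """Return the lower-cased Host header of an HTTP request head, or None.

    None covers HTTP/1.0 clients that send no Host header; a proxy must
    treat that as 'cannot dispatch by name' rather than guess a backend.
    Header names are case-insensitive; a :port suffix is dropped, while an
    IPv6 literal such as [::1]:80 keeps its brackets.
    """
    text = request_head.decode("iso-8859-1")     # latin-1 decodes any byte
    head = text.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):
                host = host.split("]", 1)[0] + "]"
            else:
                host = host.split(":", 1)[0]
            return host or None
    return None


def proxy_backend(request_head: bytes) -> Optional[Tuple[str, int]]:
    """What the layer-7 proxy can do that pf cannot: pick the backend from
    the Host header. Unknown or missing names return None so the proxy
    answers the client itself instead of forwarding to a default server."""
    host = parse_host(request_head)
    return VHOSTS.get(host) if host else None


# Constructed requests: identical IP/TCP tuple, different (or no) Host.
REQ_A = b"GET / HTTP/1.1\r\nHost: www.a.com\r\nUser-Agent: x\r\n\r\n"
REQ_B = b"GET / HTTP/1.1\r\nhost: WWW.B.COM:80\r\nUser-Agent: x\r\n\r\n"
REQ_HTTP10 = b"GET / HTTP/1.0\r\n\r\n"                      # no Host header
REQ_UNKNOWN = b"GET / HTTP/1.1\r\nHost: www.c.com\r\n\r\n"  # not a vhost

if __name__ == "__main__":
    for req in (REQ_A, REQ_B, REQ_HTTP10, REQ_UNKNOWN):
        print(pf_rdr_key(EXTERNAL_IP, HTTP_PORT, req), "->", proxy_backend(req))
```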
Just confirming: no way to do a pf rdr based on hostname?
Hi All,

We're migrating an old Microsoft ISA Server system to OpenBSD pf. First off, before I ask any questions, kudos to everyone -- Installing OpenBSD 3.8 was a very pleasant, painless experience for someone who's never used it before. Setting up pf/nat was also extraordinarily easy. The docs are great.

That aside, the only thing that I haven't been able to migrate yet is ISA's ability to redirect web requests coming in on the same IP to different machines based on the host name. I.e., www.a.com (IP 123.123.0.1) gets redirected to the internal IP 192.168.0.1 while www.b.com (also IP 123.123.0.1) gets redirected to the internal IP 192.168.0.2.

I haven't found anything in the docs, and all the list archive questions I've found were specific to ipnat, not pf.

I'm thinking that I can't do it. In that case, my options seem to be 1) use different external IPs for each website, and redirect to different internal servers based on IP 2) redirect all web traffic to the legacy ISA system, which will then redirect based on hostname. I'm hesitant to use up all our IPs for option 1, but I'm thinking option 2 is even worse... Are there any options I haven't thought of?

Thanks for any advice...
Peter L.
Anyone with experience on a dell poweredge 850?
Hi everyone,

I'm just wondering if anyone knows anything about OpenBSD on a Dell Poweredge 850. List archives returned no hits, and google returned only a dmesg of the machine from FreeBSD (http://nycbug.org/?NAV=dmesgd&dmesgd_criteria=&dmesgid=700#700 for those interested). Dells seem relatively well supported, I'm mostly worried about the dual on-board NIC.

Any light anyone could shed on compatibility would be great -- I'm making a case for using OpenBSD with this, which was purchased to be a firewall machine, instead of Microsoft and ISA server.

Thanks in advance,
Peter L.
Routing and firewall performance on older machines?
Hi,

We're going to be doing some network restructuring, splitting our internal network into 2 separate IP networks (192.168.1.0 and 192.168.2.0). We currently have a Microsoft ISA firewall for our whole network (since it's just 1 ip network right now, 192.168.0.0). I've suggested replacing the ISA firewall with an OpenBSD machine with 3 NICs, to handle both routing between the two internal networks, and firewall out to the internet. It will just be a static route between the two internal networks, in addition to whatever routing is necessary for firewall/NAT (I'm not sure on this?).

As far as the firewall is concerned, I don't think it will be a problem as far as performance goes (our internet connection is 2 Mbit, which shouldn't be hard to saturate). For the internal routing though, what kind of hardware would we need to keep the 2 gigabit networks connected at a decent speed? We're looking at a p4 with a gig of ram - does that sound like it'll be a bottleneck? I figured that OpenBSD would lower the requirements for our firewall machine (less bloat) as well as increase security.

Sorry if this is too general or vague a question - I did some searching on the archives and could only find references to performance of IPSec implementations, which we won't be using.

Thanks, I appreciate any responses/links/feedback,
Peter L.