Multiple paths and two IPSec connections to one host.

2009-08-18 Thread Piotrek Kapczuk
Hi

I want to set VPN failover between two internet links. I plan to use
gre over IPSec and ospf over gre to dynamically change routes on
failure.

I've started with creating IPSec transport mode connection between two
hosts and I got stuck.

Let's say I have
HostA  - which has two internet connections
HostA1 - public IP from ISP1
HostA2 - public IP from ISP1

HostB - which has only one public IP
HostB

Now I want to make two tunnels from HostB to HostA. I figured I have
to use passive and dynamic mode.


on HostA I have
---
ike passive esp transport from any to any \
quick group modp1024  \
psk xxx
---

on HostB
---
ike dynamic esp transport from HostB to HostA2 \
quick group modp1024  \
psk xxx

ike dynamic esp transport from HostB to HostA1 \
quick group modp1024 \
psk xxx
---

and it doesn't work. I get errors pasted below.

I've tried many combinations but can't get it right, and I guess I'm
tired of this.
I tried adding srcid and dstid to the ike rules but had no luck.

Can anyone please point me in the right direction?



Aug 18 15:34:56 HostB isakmpd[13542]: isakmpd: exit
Aug 18 15:35:33 HostB isakmpd[4827]: transport_send_messages: giving up on exchange peer-HostA1, no response from peer HostA1:500
Aug 18 15:35:33 HostB isakmpd[4827]: transport_send_messages: giving up on exchange peer-HostA2, no response from peer HostA2:500
Aug 18 15:37:33 HostB isakmpd[4827]: transport_send_messages: giving up on exchange peer-HostA1, no response from peer HostA1:500
Aug 18 15:37:33 HostB isakmpd[4827]: transport_send_messages: giving up on exchange peer-HostA2, no response from peer HostA2:500


Aug 18 15:34:53 HostA isakmpd[13928]: isakmpd: shutting down...
Aug 18 15:34:53 HostA isakmpd[13928]: isakmpd: exit
Aug 18 15:35:06 HostA isakmpd[15052]: message_parse_payloads: reserved field non-zero: 78
Aug 18 15:35:06 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type PAYLOAD_MALFORMED
Aug 18 15:35:06 HostA isakmpd[15052]: message_parse_payloads: invalid next payload type Unknown 43 in payload of type 5
Aug 18 15:35:06 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 18 15:35:13 HostA isakmpd[15052]: message_parse_payloads: reserved field non-zero: 78
Aug 18 15:35:13 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type PAYLOAD_MALFORMED
Aug 18 15:35:13 HostA isakmpd[15052]: message_parse_payloads: invalid next payload type Unknown 43 in payload of type 5
Aug 18 15:35:13 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 18 15:35:22 HostA isakmpd[15052]: message_parse_payloads: reserved field non-zero: 78
Aug 18 15:35:22 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type PAYLOAD_MALFORMED
Aug 18 15:35:22 HostA isakmpd[15052]: message_parse_payloads: invalid next payload type Unknown 43 in payload of type 5
Aug 18 15:35:22 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 18 15:35:33 HostA isakmpd[15052]: message_parse_payloads: reserved field non-zero: 78
Aug 18 15:35:33 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type PAYLOAD_MALFORMED
Aug 18 15:35:33 HostA isakmpd[15052]: message_parse_payloads: invalid next payload type Unknown 43 in payload of type 5
Aug 18 15:35:33 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 18 15:37:06 HostA isakmpd[15052]: message_parse_payloads: invalid next payload type Unknown 62 in payload of type 5
Aug 18 15:37:06 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type INVALID_PAYLOAD_TYPE
Aug 18 15:37:06 HostA isakmpd[15052]: message_parse_payloads: invalid next payload type Unknown 42 in payload of type 5
Aug 18 15:37:06 HostA isakmpd[15052]: dropped message from HostB port 500 due to notification type INVALID_PAYLOAD_TYPE



Re: Realtek urtw(4) driver and hostap mode

2009-08-12 Thread Piotrek Kapczuk
2009/8/11  damien.bergam...@free.fr:
 | [...]
 | AFAIK, hostap mode is crappy with most drivers, since they don't vary
 | the sending strength (AKA 'power saving') and the clients expect this.
 | [...]

 Actually, power saving at the AP has nothing to do with sending strength.
 It is about buffering frames in the AP for clients that are sleeping.
 And yes, OpenBSD does not currently do that, so clients that are sleeping
 will never wake up (actually they will wake up at regular interval but will
 immediately return to sleep) because the AP does not inform them that they
 have buffered frames. This is something that is being worked on but that is
 not easy to implement properly.
 USB devices are usually a bad choice for building an AP anyway, since
 they have some restrictions (usually, they do not give per-frame
 feedback about TX retries, making it difficult to do per-client rate
 control, or they don't provide a way to update beacons content
 atomically, making it difficult to support anything but 802.11b or
 plain 802.11a for instance).
 Some drivers (ural(4), rum(4), maybe others as well) provide some very
 limited AP support that can be handy sometimes but you can't rely on
 this for everyday use.
 The situation is a little bit better for PCI/CardBus devices, but we
 don't support AP mode power-saving for them either.

Thank you very much for explaining this. It's very valuable
information and it might save me some time and money.

I have PCENGINES ALIX hardware. I have a choice between MiniPCI and
USB only. I guess it's best to get some ral(4) device on MiniPCI then.

It's only for home use, but I want it to be stable. Can you recommend anything?

-- 
Regards
Piotrek Kapczuk



Realtek urtw(4) driver and hostap mode

2009-08-11 Thread Piotrek Kapczuk
Hi

I was trying to set up an access point with a Realtek RTL8187 wireless
card on 4.5.
After looking into the manpage I thought it has mediaopt hostap capability,


 The following hostname.if(5) example creates a host-based access point on
 boot:

   inet 192.168.1.1 255.255.255.0 NONE media autoselect \
   mediaopt hostap nwid my_net chan 11


but, according to this ...
# ifconfig urtw0 media|grep hostap || echo nope
nope

and this ...
http://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers
it simply does not. (sic!)

Are there any plans to add hostap mode to the urtw(4) driver?
May I suggest deleting those lines from the manpage? They misled me.

Regards
Piotr Kapczuk



Re: Realtek urtw(4) driver and hostap mode

2009-08-11 Thread Piotrek Kapczuk
Hi

2009/8/11 Theo de Raadt dera...@cvs.openbsd.org:
 I was trying to set up an access point with a Realtek RTL8187 wireless
 card on 4.5.
 After looking into the manpage I thought it has mediaopt hostap
 capability,

 
       The following hostname.if(5) example creates a host-based access
       point on boot:

             inet 192.168.1.1 255.255.255.0 NONE media autoselect \
                 mediaopt hostap nwid my_net chan 11
 

 That is a driver independent page.  It suggests what might be capable.

Errr ... Maybe I was not specific enough. I'm talking about 'man 4
urtw'. How can it be driver independent?

[...]
 Are there any plans to add hostap mode to urtw(4) driver ?

 Perhaps.

I guess it means nothing changed in -current. Well, I have to find
some other USB card then. Can you recommend something ?

 The urtw man page does not currently include those features.

 May I suggest to delete those lines from the manpage. It misled me.

 Certainly not.

I've just checked and I also see in the 'urtw(4)' manpage that the driver can
operate in IBSS ad-hoc mode, but I can't do it.

mycastle:~ # ifconfig urtw0 media|grep -i ibss || echo nope
nope
mycastle:~ # ifconfig urtw0
urtw0: flags=8b02<BROADCAST,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e0:4c:03:38:86
priority: 0
groups: wlan
media: IEEE802.11 autoselect (DS1 mode 11b)
status: no network
ieee80211: nwid "" 100dBm
mycastle:~ # ifconfig urtw0 nwid test mediaopt ibss
mycastle:~ # ifconfig urtw0
urtw0: flags=8b02<BROADCAST,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e0:4c:03:38:86
priority: 0
groups: wlan
media: IEEE802.11 autoselect (DS1)
status: no network
ieee80211: nwid test 100dBm

Am I doing something wrong or is it a mistake in the manpage?

--
Regards
Piotr Kapczuk



No buffer space available.

2009-04-09 Thread Piotrek Kapczuk
Hi

I have a problem. Lately I have started seeing "No buffer space available"
errors. The server worked flawlessly for a few months and now it drops
packets. Hardware is a PCENGINES ALIX with a Geode CPU.

You may find more information here:
http://89.161.133.197/pub/x/problem.txt

It doesn't seem to be over-utilised. I can't narrow it down.
Please advise where else I should look. What can cause that
behaviour?


-- 
Regards
Piotrek



Re: No buffer space available.

2009-04-09 Thread Piotrek Kapczuk
2009/4/9 ropers rop...@gmail.com:
 2009/4/9 Piotrek Kapczuk piotr.kapc...@gmail.com:

 More information you may find here
 http://89.161.133.197/pub/x/problem.txt

 No I can't. I'm getting a HTTP 404 on that link.

Yeah sorry. Forget about it. I think I figured this out. I think it is
a queuing problem.

Sorry, and thanks for your interest.

-- 
Regards
Piotr



ksh set -o pipefail

2008-03-05 Thread Piotrek Kapczuk
$ uname -r
4.2

$ set -o pipefail
/bin/ksh: set: pipefail: bad option
$ echo $KSH_VERSION
@(#)PD KSH v5.2.14 99/07/13.2

$ echo $0
/bin/ksh

$ (exit 2)
$ echo $?
2
$ (exit 2) |tee aa.txt
$ echo $?
0


Is there another way to get what I want?
Are there any plans to implement this option?

-- 
Regards
Piotrek Kapczuk
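One workaround for a shell without pipefail, added here as an example and not part of the original post: keep a copy of the real stdout on a spare descriptor and pass the producer's exit status out of the pipeline on another one, using only POSIX sh redirections. first_status and TEE_FILE are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: get the exit status of the
# producer in "producer | tee file" on a shell without "set -o pipefail"
# (pdksh on OpenBSD 4.2 in the post).  Plain POSIX sh redirections only.
# TEE_FILE is an assumed name for the file tee writes.
TEE_FILE=${TEE_FILE:-${TMPDIR:-/tmp}/pipefail_demo.txt}

# first_status CMD [ARG...]
# Runs "CMD ARG... | tee $TEE_FILE" and returns CMD's exit status, not tee's.
# fd 4 is a copy of the real stdout, so tee's output still reaches the caller;
# fd 3 carries CMD's "$?" out of the pipeline into the command substitution.
first_status() {
    exec 4>&1
    _st=$(
        set +e                      # never let errexit abort CMD's subshell
        { { "$@"; echo $? >&3; } | tee "$TEE_FILE" >&4; } 3>&1
    )
    exec 4>&-
    return "$_st"
}

# Demo: "(exit 2) | tee aa.txt" from the post reports 0; this reports 2.
first_status sh -c 'echo hello; exit 2' || echo "producer exit status: $?"
```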



Re: Openbsd 4.2 : vr driver problem and CF card slow

2008-02-28 Thread Piotrek Kapczuk
2008/2/28, Alexandre Epinat [EMAIL PROTECTED]:
 Hi,

  I have an OPENBSD 4.2 installed on an Alix2c3. I use it for a fw.

Same here.

  I have 3 vr interfaces. My throughputs on the vr interfaces are slow
  (400Kb/s to 600 Kb/s) although they are configured 100BaseTX Full Duplex.

I have no problem saturating a 20Mb link.

  I tested it by transferring a file to a freebsd machine directly connected
  via cross cable.

Did you send the file from mfs or from wd0?

  Is there a problem with the vr driver?

Any chance you use vlans? Support was added after the 4.2 release. Maybe
you have an MTU problem.

--
Regards
Piotr Kapczuk



Re: kernel naming proposal

2008-02-27 Thread Piotrek Kapczuk
2008/2/25, Don Jackson [EMAIL PROTECTED]:
 The issue is that when building and installing new kernels (eg, when a
  new security patch is released), it is not totally obvious to the
  (automated) build script what the file /bsd really is, is it the
  uniprocessor kernel, or a link to the multiprocessor kernel?
  If the latter, then blindly copying the new uniprocessor kernel to /bsd
  is probably not what you want to do.

  With my proposal, new kernels can be safely copied to /, since they
  have unique and distinct names.

Just use links. Works great for me.

# ls -1i /flash/bsd*
6 /flash/bsd
5 /flash/bsd.old
5 /flash/bsd_large_42_PCENGINES_CUST2_vrpatch_err05_cvs24-01-2008
6 /flash/bsdl42_PCENGINES_err08_cvs25-02-2008-patch_vr-pach_ike

P.K.



Re: building a kernel for net4801 from dmassage

2008-01-18 Thread Piotrek Kapczuk
2008/1/16, Henning Brauer [EMAIL PROTECTED]:
 * Piotrek Kapczuk [EMAIL PROTECTED] [2008-01-16 18:59]:
  Hi
 
  2008/1/16, Henning Brauer [EMAIL PROTECTED]:
   * Piotrek Kapczuk [EMAIL PROTECTED] [2008-01-16 15:51]:
2008/1/16, Henning Brauer [EMAIL PROTECTED]:
 * Piotrek Kapczuk [EMAIL PROTECTED] [2008-01-16 14:18]:
  Didn't  know it is exactly the same as options.  I found it in
  flashboot. I'll look more in to other flashboot customisations. 
  Thanks
  for pointing this out.

 flash boot and the like are obsolete ways to complicate your life.
   
Let me disagree with you.
Actually it's fantastic to have one system image which you can deploy
on dozen of firewalls remotely.
   
Upgrade procedure from 4.1 to 4.2 ?
 
scp bsd [EMAIL PROTECTED]:/
ssh [EMAIL PROTECTED] reboot
   
Total downtime = reboot time.
  
   in-place updates are trivial enough to be scripted if you can make a
   few assumptions for your environment.
 
  Really ? More trivial script than something like this ?

 more trivial? who gives a f***? I said trivial enough.

Sending base42.tgz over a 512Kb WAN link - 12 minutes.
Extracting base42.tgz on a Soekris NET4801 to flash - 16 minutes.
Estimated total upgrade time - looong.

Knowing it's not painful - it's trivial enough - priceless
(-;

 if you add the time it takes you to bake your kernel, I am probably
 already at the 5th beer after being done.

If you add your time spent on writing, testing and modifying that script
of yours ... well, I don't think so. Besides, I don't treat building a
kernel as engaging work.

  Imagine you have a customer. This customer has 18 carp'ed firewalls.
  You have to upgrade them. Boxes are in 3 different towns each town
  100km far from you. You have only ssh access and no remote console.
 
  How can you remotely upgrade a box ? (without using bsd.rd) How long
  will it take ?

 how? read the upgrade-minifaq, it is in there.

I thought you did it some other way.

 i have it scripted.
 i manage way over a hundred openbsd machines, many remote, and the
 local ones I don't touch either (i. e. i treat them like they were
 remote).
 it takes me about 2 minutes per reasonably fast machine.

You look like you're really happy with that method ... well, you've
convinced me.
I have a few fast machines. I definitely have to give upgrading by
script a try.

I'd really love to see your scripts. How do you do it ? Could you
please send me something off the list ? Please.

  Really, in this kind of setups I don't think bsd.rd is something evil.

 well, I am absolutely certain it is evil in that scenario.

Well, it saves a lot of time for me. For that scenario - flash
storage, slow links, slow constrained machines - it's better to stay
with it, at least for me.

   my update downtime is no more than that reboot, no matter what machine,
   flash or not.
  Update or upgrade ?

 4.1 to 4.2 is not an update?

I used to think:
update  - changes within a major version - following -stable
upgrade - changes between major versions - 4.1 -> 4.2

-- 
Regards
Piotr Kapczuk



Re: building a kernel for net4801 from dmassage

2008-01-16 Thread Piotrek Kapczuk
2008/1/16, Henning Brauer [EMAIL PROTECTED]:
 * Lars Noodin [EMAIL PROTECTED] [2008-01-15 17:42]:
  What is recommended for using a second machine to compile a kernel for
  the soekris?

 nothing. there is no need to compile a kernel for the soekris. further,
 there is no use in compiling a !GENERIC kernel for soekris either.

 (ok, rare exceptions exist, but that is not even soekris specific)

IMHO every embedded device should have console speed synced between
bios and the kernel. These options are very helpful.

# WRAP console settings
option PCCOMCONSOLE
option CONSPEED=38400

-- 
Regards
Piotr Kapczuk



Re: building a kernel for net4801 from dmassage

2008-01-16 Thread Piotrek Kapczuk
2008/1/16, Henning Brauer [EMAIL PROTECTED]:
 * Piotrek Kapczuk [EMAIL PROTECTED] [2008-01-16 12:05]:
  2008/1/16, Henning Brauer [EMAIL PROTECTED]:
   * Lars Noodin [EMAIL PROTECTED] [2008-01-15 17:42]:
What is recommended for using a second machine to compile a kernel for
the soekris?
  
   nothing. there is no need to compile a kernel for the soekris. further,
   there is no use in compiling a !GENERIC kernel for soekris either.
  
   (ok, rare exceptions exist, but that is not even soekris specific)
 
  IMHO every embedded device should have console speed synced between
  bios and the kernel. These options are very helpful.
 
  # WRAP console settings
  option PCCOMCONSOLE
  option CONSPEED=38400

 oh, of course, that is so much easier and straightforward than

 stty com0 38400
 set tty com0

 in /etc/boot.conf

Didn't know it is exactly the same as the options. I found it in
flashboot. I'll look more into other flashboot customisations. Thanks
for pointing this out.

-- 
Regards
Piotr Kapczuk



Re: building a kernel for net4801 from dmassage

2008-01-16 Thread Piotrek Kapczuk
2008/1/16, Henning Brauer [EMAIL PROTECTED]:
 * Piotrek Kapczuk [EMAIL PROTECTED] [2008-01-16 14:18]:
  Didn't  know it is exactly the same as options.  I found it in
  flashboot. I'll look more in to other flashboot customisations. Thanks
  for pointing this out.

 flash boot and the like are obsolete ways to complicate your life.

Let me disagree with you.
Actually it's fantastic to have one system image which you can deploy
on dozen of firewalls remotely.

Upgrade procedure from 4.1 to 4.2 ?
scp bsd [EMAIL PROTECTED]:/
ssh [EMAIL PROTECTED] reboot

Total downtime = reboot time.

Also, everything is on ramdisk, so stupid users or power outages
don't concern you. Routers reboot and work unattended.


-- 
Regards
Piotr Kapczuk



Re: building a kernel for net4801 from dmassage

2008-01-16 Thread Piotrek Kapczuk
Hi

2008/1/16, Richard Daemon [EMAIL PROTECTED]:
 On Jan 16, 2008 9:42 AM, Piotrek Kapczuk [EMAIL PROTECTED] wrote:

  2008/1/16, Henning Brauer [EMAIL PROTECTED]:
   * Piotrek Kapczuk [EMAIL PROTECTED] [2008-01-16 14:18]:
Didn't  know it is exactly the same as options.  I found it in
flashboot. I'll look more in to other flashboot customisations. Thanks
for pointing this out.
  
    flash boot and the like are obsolete ways to complicate your life.
 
  Let me disagree with you.
  Actually it's fantastic to have one system image which you can deploy
  on dozen of firewalls remotely.
 
  Upgrade procedure from 4.1 to 4.2 ?
  scp bsd [EMAIL PROTECTED]:/
  ssh [EMAIL PROTECTED] reboot
 
  Total downtime = reboot time.
 
  Also, everything is on ramdisk so stupid users or power outages
  doesn't concern you. Routers reboot and work unattended.
 

 Just curious, scp bsd means just scp'ing the kernel and not 4.2 userland too?

No.
/bsd file contains kernel + userland image

man 4 rd

http://tilde.se/flashboot/download/4.2/README

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/rd0a     19.2M   15.6M    3.6M    81%    /
mfs:21283     12.2M    9.6M    1.9M    83%    /usr/local
/dev/wd0a      244M   14.7M    217M     6%    /flash

--
Regards
Piotr Kapczuk



Re: building a kernel for net4801 from dmassage

2008-01-16 Thread Piotrek Kapczuk
Hi

2008/1/16, Henning Brauer [EMAIL PROTECTED]:
 * Piotrek Kapczuk [EMAIL PROTECTED] [2008-01-16 15:51]:
  2008/1/16, Henning Brauer [EMAIL PROTECTED]:
   * Piotrek Kapczuk [EMAIL PROTECTED] [2008-01-16 14:18]:
Didn't  know it is exactly the same as options.  I found it in
flashboot. I'll look more in to other flashboot customisations. Thanks
for pointing this out.
  
   flash boot and the like are obsolete ways to complicate your life.
 
  Let me disagree with you.
  Actually it's fantastic to have one system image which you can deploy
  on dozen of firewalls remotely.
 
  Upgrade procedure from 4.1 to 4.2 ?

  scp bsd [EMAIL PROTECTED]:/
  ssh [EMAIL PROTECTED] reboot
 
  Total downtime = reboot time.

 in-place updates are trivial enough to be scripted if you can make a
 few assumptions for your environment.

Really ? More trivial script than something like this ?

$ scp bsd [EMAIL PROTECTED]:/bsd.new
$ ssh [EMAIL PROTECTED] 'mv /bsd /bsd.old && mv /bsd.new /bsd && reboot'

 even if not scripted, they're easy enough.

No, they are not enough :)

Imagine you have a customer. This customer has 18 carp'ed firewalls.
You have to upgrade them. The boxes are in 3 different towns, each town
100km from you. You have only ssh access and no remote console.

How can you remotely upgrade a box ? (without using bsd.rd) How long
will it take ?

Really, in this kind of setups I don't think bsd.rd is something evil.

I agree, though, that whenever possible one should use
GENERIC+MINIROOT instead of CUSTOM+MINIROOT.

 my update downtime is no more than that reboot, no matter what machine,
 flash or not.

Update or upgrade? Remotely?

  Also, everything is on ramdisk so stupid users or power outages
  doesn't concern you. Routers reboot and work unattended.

 boohoo.
 /tmp /var /dev in mfs w/ the last two prepopulated from flash and the
 rest mounted readonly, same thing.

Been there, done that. I started with flashdist. Now, IMVHO, I use
something more easily maintainable.

-- 
Regards
Piotr Kapczuk



Re: FW: About Xen: maybe a reiterative question but ..

2007-10-25 Thread Piotrek Kapczuk
2007/10/25, L. V. Lammert [EMAIL PROTECTED]:
 At 05:08 PM 10/25/2007 -0400, Stuart VanZee wrote:
 I finally get it...
 
 LEE! YOU ARE A FUCKING GENIUS!

[+]

 you mean security from those bad
 guys, apparently you are talking about security from the
 damn sheep who couldn't break the system if their lives
 depended on it so they don't even try.
[+]

  if you take security in the context of people trying
 to break the system (and we always are, fuck the sheep)

ROTFL

 Beautiful!

I concur ;)

You just don't get it, do you ?
Maybe you understand the word 'security' in some different way than
others here.

Security is like a chain. You wrote about 'viewpoint'. Your
'viewpoint' - 'application domain' - is just one link in this chain.
People here are thinking about the whole chain.

Virtualization in theory may strengthen this 'chain'. But, in reality,
it makes the whole 'chain' weaker. That's because you add one link,
'application domain separation' (which is OK), but you automatically
*have* to add another link, 'VM implementation bugs'. The latter makes
this 'chain' weaker than it is without it.

How much worse is it? That's another question. I use VMware ESX and
IBM pSeries virtualization products. The first is unacceptable for
mission-critical tasks; the latter is (for my specific 'chain').

You clearly are not a security expert, so please, do not make
statements as one.


Piotr Kapczuk



Re: About Xen: maybe a reiterative question but ..

2007-10-25 Thread Piotrek Kapczuk
2007/10/26, Adam Getchell [EMAIL PROTECTED]:
 On 10/25/07, Theo de Raadt [EMAIL PROTECTED] wrote:

  You're also a sysadm who refuses to read a paper written by a google
  researcher, who's team found massive bugs in every VM.

 That's not quite correct. Restating (yet) again:

 1. Ormandy [1] states that Xen's design is congruent with good security
[...]


And your point is? Xen is good enough. (?)

Well, you may want to read this white paper more carefully.

 [1] http://taviso.decsystem.org/virtsec.pdf

The results obtained demonstrate the need for further
research into virtualisation security and prove that virtualisation
is no security panacea.


Piotr Kapczuk



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-25 Thread Piotrek Kapczuk
2007/10/25, Boris Goldberg [EMAIL PROTECTED]:
 Hello Mark,

 Thursday, October 25, 2007, 4:13:09 PM, you wrote:

 MZ On Thu, Oct 25, 2007 at 11:19:21AM -0500, Boris Goldberg wrote:
 
Thank you very much for that (valuable) reply!
BTW, this is an argument for making an OpenNTPD ntpdate tool or adding
  one_time_synchronization functionality into ntpd. :)

 MZ From ntpd(8):

 MZ      -s      Set the time immediately at startup if the local clock is off
 MZ              by more than 180 seconds.  Allows for a large time correction,
 MZ              eliminating the need to run rdate(8) before starting ntpd.

 MZ Or is that not what you meant?

 MZ Just put ntpd_flags=-s into /etc/rc.conf.local.

   No, I mean synchronize_and_exit - like rdate -ncav, but more secure (with
 a privilege separation, like Brian explained above in a thread).

ntpd -s; sleep 300; pkill ntpd



Piotr Kapczuk



Re: vic(4) on ESX 3.0.2

2007-10-16 Thread Piotrek Kapczuk
2007/10/16, Fernando Braga [EMAIL PROTECTED]:
 On 10/15/07, Piotrek Kapczuk [EMAIL PROTECTED] wrote:
 
  2007/10/15, Fernando Braga [EMAIL PROTECTED]:
  
   I'm failing to use vic(4) driver on ESX 3.0.2 and OpenBSD 4.2. I've
    configured ethernet0.virtualDev = "vmxnet" as instructed on
   vic(4) man page.
  
   dmesg follows:
  
   OpenBSD 4.2 (GENERIC) #1: Fri Oct 12 16:00:29 BRT 2007
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 
  [...]
   pcn0 at pci0 dev 17 function 0 AMD 79c970 PCnet-PCI rev 0x10,
   pcn1 at pci0 dev 18 function 0 AMD 79c970 PCnet-PCI rev 0x10,
  [...]
 
  pcn (!!)
 
  Vmware still starts your VM with AMD NIC.
  I wrote a quick solution to this.
  http://communities.vmware.com/thread/31256

 Bulls eye!

 But... Does it mean VirtualCenter will never be able to start this VM
 without changing back to vlance?

No.

 I've shut down the VM while connected to the ESX server, and then started it
 again with VIC connected back to VI3, and vmxnet has remained.

 I hope it stays like this.

It will.

This happens because the VI server does some weird caching. When you edit
the .vmx file manually and start the VM, the VI server compares it with its
repository and syncs. So you have to do that trick to override VI's smartness
trying to be bulletproof.

Regards
Piotr



Re: vic(4) on ESX 3.0.2

2007-10-15 Thread Piotrek Kapczuk
Hi

2007/10/15, Fernando Braga [EMAIL PROTECTED]:
 Hi,

 I'm failing to use vic(4) driver on ESX 3.0.2 and OpenBSD 4.2. I've
 configured ethernet0.virtualDev = "vmxnet" as instructed on
 vic(4) man page.

 dmesg follows:

 OpenBSD 4.2 (GENERIC) #1: Fri Oct 12 16:00:29 BRT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

[...]
 pcn0 at pci0 dev 17 function 0 AMD 79c970 PCnet-PCI rev 0x10,
 pcn1 at pci0 dev 18 function 0 AMD 79c970 PCnet-PCI rev 0x10,
[...]

pcn (!!)

Vmware still starts your VM with AMD NIC.
I wrote a quick solution to this.
http://communities.vmware.com/thread/31256


Regards
Piotrek



Re: Web configure Firewall

2007-10-05 Thread Piotrek Kapczuk
2007/10/6, Cyrus [EMAIL PROTECTED]:
 I'm looking for a ready to install roll package for configuring and
 administering an OpenBSD firewall from the web.  something along the lines of
 pfSense, but with OpenBSD base.
 Thanks,


http://www.undeadly.org/cgi?action=article&sid=20071003090749



Re: hardware for vpn

2007-10-04 Thread Piotrek Kapczuk
2007/10/4, Brian A. Seklecki [EMAIL PROTECTED]:

 I'm demo'ing some 1U P4-class network appliance hardware that will
 probably fit your needs well.  See URLs below.
[...]

 http://code.google.com/p/bsd-appliance/wiki/HardwareVendorsAxiomtekNA820

 http://code.google.com/p/bsd-appliance/wiki/HardwareVendorsNexcomNSA1085

Can you please tell me how these boxes perform?

I can't find anything similar here in Poland.


Regards Piotrek



PF state limits and logs

2007-10-04 Thread Piotrek Kapczuk
Hello

Recently I've had problems because my firewall (4.1-stable) hit the
state limit. I was surprised when I found nothing in the logs (debug
urgent). Is it intended or is it an oversight?

Regards
Piotrek



Re: PF overload table

2007-06-19 Thread Piotrek Kapczuk

Hi

2007/6/19, Alberich de megres [EMAIL PROTECTED]:

Thanks that helps me.

Which is better (less CPU overwhelming)? pfctl -x misc or loud?

Taking a look at pflog, I see something like: match rule 6 block in em0
How can I see which rule is rule 6?


man pfctl

pfctl -vvsr



Re: wireless support with OpenBSD vmware guest

2007-06-19 Thread Piotrek Kapczuk

2007/6/18, Juan Miscaro [EMAIL PROTECTED]:

Hi gang,

I would like to run VMware on Linux and use OpenBSD as a VM to act as
my Internet gateway (pf, postfix, spamfilter).  I will have another
Linux VM or two that will act as fileserver and lan services.  I would
like to provide internet access to my lan using wireless protocols.  Is
this possible?  That is, will I be able to use a wireless network card
with an OpenBSD VM?


No.



STP and RSTP - mixing vlans with physical interfaces.

2007-05-25 Thread Piotrek Kapczuk

Hi

Before I lose another night on this: does OpenBSD 4.1-stable support
mixing vlans with physical interfaces when using an STP or Rapid STP
bridge?

All I want to achieve is to get 'discarding role alternate'.

If I use physical interfaces it works. When I replace one physical interface
with a vlan it doesn't work. This is a bridge between two OpenBSD boxes.

Can anyone point me in the right direction?


sis1 - connected to a stupid unmanaged switch
sis5 - connected to the Cisco switch
vlan4 = vlan 301


pirx2:~ # brconfig bridge0
bridge0: flags=41<UP,RUNNING>
  priority 40960 hellotime 2 fwddelay 4 maxage 6 holdcnt 6 proto rstp
  designated: id 00:00:24:c7:49:90 priority 36864
  sis5 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
  port 6 ifpriority 128 ifcost 20 discarding role alternate
  sis1 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
  port 2 ifpriority 128 ifcost 20 forwarding role root
  Addresses (max cache: 100, timeout: 240):
pirx2:~ # brconfig bridge0 down
pirx2:~ # brconfig bridge0 del sis5
pirx2:~ # brconfig bridge0 add vlan4 stp vlan4
pirx2:~ # brconfig bridge0 flushall
pirx2:~ # brconfig bridge0
bridge0: flags=0
  priority 40960 hellotime 2 fwddelay 4 maxage 6 holdcnt 6 proto rstp
  designated: id 00:00:24:c7:49:90 priority 36864
  vlan4 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
  port 14 ifpriority 128 ifcost 20 discarding role designated
  sis1 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
  port 2 ifpriority 128 ifcost 20 forwarding role root
  Addresses (max cache: 100, timeout: 240):
pirx2:~ # brconfig bridge0 up
pirx2:~ # brconfig bridge0
bridge0: flags=41<UP,RUNNING>
  priority 40960 hellotime 2 fwddelay 4 maxage 6 holdcnt 6 proto rstp
  designated: id 00:00:24:c7:49:90 priority 36864
  vlan4 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
  port 14 ifpriority 128 ifcost 20 forwarding role designated
  sis1 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
  port 2 ifpriority 128 ifcost 20 forwarding role root
  Addresses (max cache: 100, timeout: 240):
  00:1a:6c:48:4b:92 vlan4 1 flags=0

Important parts from cisco config
-
Current configuration : 3933 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 301
spanning-tree vlan 301 hello-time 1
spanning-tree vlan 301 forward-time 4
spanning-tree vlan 301 max-age 6
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/6
description Connected to pirx2 sis5
switchport access vlan 301
switchport mode access
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/18
description Connected to pirx2 sis3 - vlan4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 300-302
switchport mode trunk
no cdp enable
!
interface GigabitEthernet1/0/23
description Connected to AP radio
switchport access vlan 301
switchport mode access
shutdown
spanning-tree portfast
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan10
ip address 10.0.0.95 255.255.255.0
no ip route-cache
!
interface Vlan301
no ip address
no ip route-cache
!
ip classless
ip http server
ip http secure-server
!
control-plane
!
mac-address-table aging-time 10 vlan 301
end

--
Regards
Piotrek Kapczuk



Re: vhid on carp interfaces

2007-05-25 Thread Piotrek Kapczuk

Hi

2007/5/20, Philipp GaschCtz [EMAIL PROTECTED]:

Hi,

I am currently revising a pair of openbsd routers we are running (and
btw running them quite happily for a while now!).
[...]
Ideally - I guess - since all the mentioned carp interfaces share a
physical interface, I would want the backup machine to switch into
master state for all carp interfaces on em1, and not only one.
If I understand the documentation on carp's vhid correctly, interfaces
sharing the same vhid, share the same virtual MAC address, and, in turn,
if one of them fails or is being shutdown, all interfaces with the same
vhid are being transferred to the backup machine.

Is this correct?


Yes, but...
You have to physically unplug em1 from the network. It's not enough to just do
ifconfig {em1,carp1,vlan1} down


Are there any good reasons for not sharing the same vhid across all carp
 interfaces in the described scenario?


I've just made a test. With the same vhid, 'ifconfig carp down' still
changes nothing.
'ifconfig vlan1 down' works the way you want.



Per VLAN RSTP

2007-05-23 Thread Piotrek Kapczuk

Hi

Before I lose another night on this, I'd like to know. Does OpenBSD
4.1-stable support per VLAN RSTP?

It doesn't have to be Cisco's SSTP. All I want to achieve is to get
discarding role alternate. When I use physical interfaces in bridge
it works. When I replace one physical int with a vlan it stops
working.

This is bridge between two openbsd boxes.

Can anyone point me in the right direction?


sis1 - Connected to stupid unmanaged switch
sis5 - Connected to Cisco switch
vlan4 = vlan 301


pirx2:~ # brconfig bridge0
bridge0: flags=41<UP,RUNNING>
   priority 40960 hellotime 2 fwddelay 4 maxage 6 holdcnt 6 proto rstp
   designated: id 00:00:24:c7:49:90 priority 36864
   sis5 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 6 ifpriority 128 ifcost 20 discarding role alternate
   sis1 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 2 ifpriority 128 ifcost 20 forwarding role root
   Addresses (max cache: 100, timeout: 240):
pirx2:~ # brconfig bridge0 down
pirx2:~ # brconfig bridge0 del sis5
pirx2:~ # brconfig bridge0 add vlan4 stp vlan4
pirx2:~ # brconfig bridge0 flushall
pirx2:~ # brconfig bridge0
bridge0: flags=0
   priority 40960 hellotime 2 fwddelay 4 maxage 6 holdcnt 6 proto rstp
   designated: id 00:00:24:c7:49:90 priority 36864
   vlan4 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 14 ifpriority 128 ifcost 20 discarding role designated
   sis1 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 2 ifpriority 128 ifcost 20 forwarding role root
   Addresses (max cache: 100, timeout: 240):
pirx2:~ # brconfig bridge0 up
pirx2:~ # brconfig bridge0
bridge0: flags=41<UP,RUNNING>
   priority 40960 hellotime 2 fwddelay 4 maxage 6 holdcnt 6 proto rstp
   designated: id 00:00:24:c7:49:90 priority 36864
   vlan4 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 14 ifpriority 128 ifcost 20 forwarding role designated
   sis1 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 2 ifpriority 128 ifcost 20 forwarding role root
   Addresses (max cache: 100, timeout: 240):
   00:1a:6c:48:4b:92 vlan4 1 flags=0

Important parts from cisco config
-
Current configuration : 3933 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 301
spanning-tree vlan 301 hello-time 1
spanning-tree vlan 301 forward-time 4
spanning-tree vlan 301 max-age 6
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/6
description Connected to pirx2 sis5
switchport access vlan 301
switchport mode access
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/18
description Connected to pirx2 sis3 - vlan4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 300-302
switchport mode trunk
no cdp enable
!
interface GigabitEthernet1/0/23
description Connected to AP radio
switchport access vlan 301
switchport mode access
shutdown
spanning-tree portfast
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan10
ip address 10.0.0.95 255.255.255.0
no ip route-cache
!
interface Vlan301
no ip address
no ip route-cache
!
ip classless
ip http server
ip http secure-server
!
control-plane
!
mac-address-table aging-time 10 vlan 301
end

--
Regards
Piotrek Kapczuk
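
Added example, not code from the post: a small parser for the brconfig(8) output quoted above that checks whether the port the operator expects RSTP to hold as the blocked alternate path (sis5 before the change, vlan4 after it) really is discarding, which is the difference the post reports. The trimmed captures and interface names come from the post; the function names are my own.

```python
"""Parse brconfig(8) member-port lines and check whether the port an operator
expects RSTP to block is really in the discarding/alternate state."""
import re

# Constructed sample input: the before/after brconfig captures from the post,
# trimmed to the member-port lines (angle brackets as brconfig prints them).
BEFORE = """\
bridge0: flags=41<UP,RUNNING>
   sis5 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 6 ifpriority 128 ifcost 20 discarding role alternate
   sis1 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 2 ifpriority 128 ifcost 20 forwarding role root
"""
AFTER = """\
bridge0: flags=41<UP,RUNNING>
   vlan4 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 14 ifpriority 128 ifcost 20 forwarding role designated
   sis1 flags=eb<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
   port 2 ifpriority 128 ifcost 20 forwarding role root
   Addresses (max cache: 100, timeout: 240):
   00:1a:6c:48:4b:92 vlan4 1 flags=0
"""

MEMBER_RE = re.compile(r"^\s+(\S+) flags=[0-9a-f]+<([^>]*)>")
PORT_RE = re.compile(r"^\s+port \d+ ifpriority \d+ ifcost \d+ (\w+) role (\w+)")


def parse_brconfig(text):
    """Return {ifname: {"stp": bool, "state": str, "role": str}} per member port."""
    ports, current = {}, None
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:  # member line: interface name plus its flag words (STP, PTP, ...)
            current = m.group(1)
            ports[current] = {"stp": "STP" in m.group(2).split(","),
                              "state": None, "role": None}
            continue
        m = PORT_RE.match(line)
        if m and current:  # "port N ..." line belongs to the preceding member
            ports[current]["state"], ports[current]["role"] = m.groups()
    return ports


def redundant_link_unblocked(ports, expected_blocked):
    """True when the named STP port should be the discarding alternate path but
    is not: both bridge members then forward, which is the loop risk."""
    p = ports.get(expected_blocked)
    return p is not None and p["stp"] and not (
        p["state"] == "discarding" and p["role"] == "alternate")
```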



SSE instructions on OpenBSD

2006-09-14 Thread Piotrek Kapczuk

Hello

Does anything in OpenBSD use SSE instructions by default?
I mean kernel, userland, ports.

In particular, I need to know if SSE3 instructions are/may be used and
by what part of the system.

Anyone?

--
Regards
Piotr Kapczuk



Re: OpenBSD 3.9 stable from cvs

2006-04-14 Thread Piotrek Kapczuk
Hi

2006-04-14, 10:37:47, you wrote:


 On Thu, Apr 13, 2006 at 10:19:28PM -0400, John L. Scarfone wrote:
 On Fri, Apr 14, 2006 at 02:05:37AM +0200, Joachim Schipper stated:
  On Thu, Apr 13, 2006 at 08:09:20PM +0200, Piotrek Kapczuk wrote:
   So, where do these commits go now? To OPENBSD_3_9_BASE?
   People say they received CDs. The CDs were burned with frozen
   OPENBSD_3_9_BASE. Right? So, how should one follow -stable if commits
   aren't in -stable?

[...]

(hint: sendmail bug).
   Thanks for the hint. It rings some bells, but poorly. I can't recall the
   details. What rel was it then? I can't find it on google.
  
  It was a couple of days ago. It was fixed in -current, 3.7 and 3.8,
  though, so fixing it in 3.9 might not be too difficult.

 It was fixed.  First time I've seen it happen before official release
 though.

 Well, security problems just before releases are not that common. ;-)

If I understand this right, this commit is in OPENBSD_3_9_BASE in cvs but it's
not on the CDs. Isn't it?

 Anyway, to answer the original question: download a src.tgz from
 somewhere, the 3.8 version from your local mirror should do, and cvs up
 it to OPENBSD_3_9.

Instead of this, can I check out the full src with tag OPENBSD_3_9_BASE? The
result should be the same.

-- 
Regards
Piotrek Kapczuk



Re: OpenBSD 3.9 stable from cvs

2006-04-13 Thread Piotrek Kapczuk
Hi

2006-04-13, 03:24:29, you wrote:


 Ted Unangst wrote:

 On 4/12/06, Geof Crowl [EMAIL PROTECTED] wrote:
 Unless I am reading something wrong, isn't this:

 If you had started from a 3.9-beta, you might have got lucky.  But
 jumping from 3.8 to 3.9 is NOT an easy process, and is completely
 unsupported.
[...]

 yeah, and one of these days, Nick will learn what everyone else has long 
 figured out: don't give long, detailed answers, as someone will try to 
 pick it apart and take it out of context, analyzing the text as if it 
 were a fine novel, rather than a quick I need a break from helping 
 people at work, let's see if I can help someone on the mail list posting.

No, no, no. Don't you dare! ;) Your answer was perfect. Long enough.
It's not your fault that someone reads too fast.

[...]

Nick Holland wrote:

 No, you completely ignored the Install or upgrade to closest available
 binary step.  You can't do that.

I based that on http://www.openbsd.org/faq/upgrade39.html
There isn't any explicit sentence which says I can't do it. I guess I've
misunderstood "Upgrading without install media". I thought it says it's
not absolutely necessary to have install sets. I was hoping I could build
them with 'make release'.

Hey, you can build it on your own just read FAQ 5 - Building the system
from source ;)

Now I know I was wrong, and I know _why_. My mistake.

Thank you very much, Nick, for being willing to explain, and for being willing
to give solutions.


Last questions.
[...]
 Further, what happens if there is a critical security issue in 3.9-rel
 before 3.9 is officially released?  -stable commits do NOT get made 
 until 3.9 is official

So, where do these commits go now? To OPENBSD_3_9_BASE?
People say they received CDs. The CDs were burned with frozen
OPENBSD_3_9_BASE. Right? So, how should one follow -stable if commits
aren't in -stable?

 (hint: sendmail bug).
Thanks for the hint. It rings some bells, but poorly. I can't recall the
details. What rel was it then? I can't find it on google.

-- 
Regards
Piotrek Kapczuk