OpenBSD 6.7 - uncommon behavior
Hello guys. Today I installed OpenBSD 6.7 on Windows 10 Pro (Hyper-V), where I already have 6.6 running very well. So the plan was: migrate my configs, turn off my 6.6 and make use of 6.7.

1 - By default Hyper-V adds one processor. At the end of my fresh install it doesn't work (tried two times) (my NTFS has 1M alignment) - doesn't work = does not boot

2 - I recreated the VM and added two processors. It booted and I installed some packages:

pkg_add vim
pkg_add tor
pkg_add curl
pkg_add openvpn

shutdown (disks were synced). Added an additional network card and then powered on again (with a lot of errors on the filesystem). My /etc/group file just got blank.

Regards,
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
That talk of isopen... is a joke! He starts by agreeing with puffy supremacy. All these years I have made jokes with fbsd guys and some "hax0rs" during events. The reason is simple: they attack the OpenBSD community and then always end with a lack of arguments. Even with Qualys' recent discoveries, which in my personal opinion they could have sent all together, they preferred to do it that way. That said, I am still asking: why do the other projects not at least try to start making their operating system more secure by default? For OpenBSD, since the beginning, the main focus has been paranoid security. They will take years to have something rock solid like OpenBSD. Also, that said, all mothafuckaaa who keep sending posts like this, put your head within your ass and just accept: you are an OpenBSD user!

On Sun, 10 May 2020 at 01:45, Stéphane Aulery wrote:
> Hello,
>
> On 07/05/2020 at 16:00, i...@aulix.com wrote:
> >
> > Can you please comment negative appraisal from the following website:
> >
> > https://isopenbsdsecu.re/quotes/
> >
> > I did not want to hurt anyone, just looking for a secure OS and OpenBSD
> > looked very nice to me before I have found this website.
> >
>
> This explanation [1] from the author of the site should be enough for you:
>
> > Why was this website created?
> >
> > Someone was bragging on IRC about how secure OpenBSD is compared to
> > everything else, but this came without concrete evidences.
> >
> > Tired of having to endure this once too often, time was spent
> > documenting OpenBSD's security features:
> >
> > where are they coming from?
> > against what are they defending?
> > how successful are they?
> >
> > Because, in the words of Ryan Mallon:
> >
> > Threat modelling rule of thumb: if you don't explain exactly what
> > you are securing against and how you secure against it, the answers can
> > be assumed to be: "bears" and "not very well".
>
> The quotes were chosen to be especially aggressive but we could find as
> many against other operating systems.
>
> For me it's on the same level as "The UNIX-HATERS Handbook" [2], just a
> big ball of hate and FUD.
>
> After full reading, out of 52 exposed points there are 4 frankly against
> OpenBSD, 12 for OpenBSD and all the rest is opinion and filling.
>
> It wants to be impressive, but it's just swank of a meticulous hater.
>
> Regards,
>
> [1] https://isopenbsdsecu.re/about/
> [2] https://web.mit.edu/~simsong/www/ugh.pdf
>
> Mitigations
>
> Arc4random
>
> > [...] Nowadays, arc4random in userland is available on various
> > platforms, even when not being natively implemented, thanks to libbsd.
> > NetBSD, FreeBSD, Linux, ... have all moved to a ChaCha20-based CSPRNG.
> > Even Tor is now using some of its code, for performance reasons.
> >
> > OpenBSD took inspiration from Linux two decades ago, but nowadays, it's
> > the other way around, OpenBSD is driving the CSPRNG game!
>
> OK.
>
> ASLR
>
> > [...] OpenBSD randomizing everything is neat, and forces attackers to
> > find/create better leaks. But nowadays, all the modern operating systems
> > have those kind of mitigations, and are now focusing on killing bugs
> > exploitable when an attacker has some reading capabilities.
>
> And what are these modern OSes? OpenBSD is a fossilized and archived OS
> on archive.org?
>
> Atexit hardening
>
> > [...] In the glibc, the pointers to the function are obfuscated with a
> > rol+xor via the PTR_MANGLE macro against a secret, which is roughly
> > equivalent to what Windows is doing. This mitigation is completely
> > bypassed with an arbitrary read: get the secret, obfuscate the pointer
> > to your payload, done.
> >
> > Musl has no hardening at all
> >
> > On OpenBSD, the pointers are stored in a read-only memory zone, only
> > made writeable when __cxa_atexit is called. To bypass this, an attacker
> > would need to get code execution to modify the permissions of the memory
> > zone.
>
> Where is the point?
>
> Development practises - Development practises
>
> > OpenBSD got no continuous integration system, and apparently build
> > breakage are, according to the FAQ, happening from time to time [...]
> >
> > There is a code style, but since it's not automatically enforced, if
> > only because there is no CI.
> >
> > The VCS used is CVS, the Concurrent Versions System [...]
>
> This is not what makes security!
>
> Development practises - Code reviews
>
> > OpenBSD claims that they have "between six and twelve members who
> > continue to search for and fix new security holes", but it seems that
> > this doesn't prevent low-hanging bugs from entering the codebase, for
> > example: [...]
>
> Ah, because those who don't read their code are more likely to find errors?
>
> Development practises - Security advisories
>
> > OpenBSD is publishing security issues on its Errata pages, but doesn't
> > provide much context nor analysis. [...]
>
Re: Unable to create IKEv2 VPN using strongSwan to iked
Adjust to your needs (don't forget to adjust your pf rules accordingly)

OpenBSD 6.X (works with iPhone and strongSwan)

ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
        local egress peer any \
        ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32

iPhone = just disable certificates and set psk

Interoperability with strongSwan

# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

conn strongswan
        left=%any
        leftfirewall=yes
        leftsourceip=%config
        right=REMOTE_PEER_IP
        rightid=puffymagic.ikedvpn.com
        # networks you want to access on the other side (behind the magic puffer fish)
        rightsubnet=192.168.0.0/24,172.8.50.0/24
        auto=add

# cat /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
: PSK "strongopeniked"

PS: Magic Puffer Fish rocks!

On Mon, 20 Apr 2020 at 09:49, Jona Joachim wrote:
> Hi,
>
> I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
> 5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
> using x509 certificates generated by ikectl.
>
> The tunnel cannot be established. It is hard for me to see what's going
> on. strongswan seems to be sending the same IKE_AUTH packet again and
> again and iked does not seem to respond even though it receives the
> packet and does not show an error. The only thing fishy I see in iked
> output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
> it "cannot switch".
>
> Does anybody have a working setup between iked and strongSwan or any
> insights? Config files and logs below.
>
> Thanks,
> Jona
>
> iked.conf:
>
> ikev2 passive esp \
>         from 0.0.0.0/0 to 10.201.201.0/24 \
>         from 192.168.0.0/16 to 10.244.244.0/24 \
>         from 10.244.244.0/24 to 192.168.0.0/16 \
>         local 1.2.3.4 peer any \
>         srcid vpn.example.com \
>         config address 10.201.201.0/24 \
>         config name-server 10.201.201.1 \
>         tag "IKED"
>
> ipsec.conf (strongSwan):
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>
> conn puffvpn
>         keyexchange=ikev2
>         dpddelay=5s
>         dpdtimeout=60s
>         dpdaction=restart
>
>         left=%defaultroute
>         leftcert=wookie.crt
>         leftsubnet=192.168.0.0/16
>         leftfirewall=yes
>         leftid="wookie"
>
>         right=vpn.example.com
>         rightsubnet=10.201.201.0/24
>         rightid="vpn.example.com"
>
>         auto=start
>
> strongswan log:
>
> # ipsec up puffvpn
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group ECP_256, it requested MODP_2048
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 1 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 2 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) ]
> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> sending cert request for "CN=35.180.187.116"
> sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD, OU=iked, CN=VPN CA, E=j...@joachim.cc"
> authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
> sending end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=puffvpn, OU=iked, CN=wookie, E=j...@joachim.cc"
> establishing CHILD_SA puffvpn{7}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 1 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 2 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 3 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> sending keep alive to 1.2.3.4[4500]
> retransmit 4
Re: Security of OpenBSD
I think the OpenBSD code review is taken so seriously that it is more than a good practice matter.

https://www.openbsd.org/security.html

On Mon, 3 Jun 2019 at 22:33, Josef Pospisil wrote:
> Hey, thank you all for this mailing list.
>
> I have a question regarding the security of OpenBSD.
>
> I am assuming that linux has some mathematics and logic that lets you
> get into every system just for e.g. because of portknocking!
> That opens an interface for people that know the system to do
> everything! I also think that linux is not being verified regarding
> these paid programmer backholes.
>
> Can someone be that kind and explain to me if the whole code of OpenBSD
> was checked at least once since the openBSD was founded? That there are
> no backholes like I was describing?
>
> It would be beautiful if someone could answer me!
>
> Greetings
>
> Josef Pospisil
Re: OpenBSD on VMware ESXi
VMware ESXi detects it as FreeBSD 32bit. Set the network interface to vmxnet3. Also you can use the pvscsi driver (I had some issues with filesystem corruption, there is a weird bug, but there is a workaround). In general buslogic is more resilient.

Regards,

On Wed, 22 May 2019 at 14:26, mxb wrote:
> I think FreeBSD or any Linux template will work just fine and add vmxnet3.
> However, last I checked (1 year ago) vmxnet3 has been less stable than e1000
> under pressure.
>
> Sent from my iDevice
>
> > On 22 May 2019, at 13:47, Reyk Floeter wrote:
> >
> >> On Wed, May 22, 2019 at 01:43:35PM +0200, Janne Johansson wrote:
> >> On Wed 22 May 2019 at 12:52, Roderick wrote:
> >>
> >>> Hallo!
> >>> As far as I read in WWW, OpenBSD does run on VMware ESXi out of the box.
> >>> What does run better on an amd64 virtual machine? i386 or amd64?
> >>> Are there reasons to prefer one to the other?
> >>>
> >>
> >> The ESX template for 64-bit comes with more recent "hardware" in the
> >> environment IIRC, so it will be less tweaking the supplied virtualized
> >> hardware if you select 64bit guest instead of 32bit.
> >> Apart from that, 64bit is better on both virtual and real hw.
> >>
> >
> > But unfortunately, there is no openbsd template. So use "Other 64bit"
> > and enable vmxnet3 manually, as mentioned in vmx(4):
> >
> > The following entry must be added to the VMware configuration file to
> > provide the vmx device:
> >
> > ethernet0.virtualDev = "vmxnet3"
> >
> > This is much better than the e1000 emulation.
> >
> > Reyk
Re: Firefox bug: 66.0.3 disables all extensions
They already fixed it a couple of hours after the issue.

On Mon, 6 May 2019 at 11:45, Juan Francisco Cantero Hurtado <i...@juanfra.info> wrote:
> On Mon, May 06, 2019 at 11:54:04AM +0300, Dumitru Moldovan wrote:
> > On Sat, May 04, 2019 at 10:13:39PM +0200, Juan Francisco Cantero Hurtado wrote:
> > > On Sat, May 04, 2019 at 07:01:55PM +0100, Anthony Campbell wrote:
> > > > After upgrading Firefox today to 66.0.3 in -current, all my add-ons
> > > > were inactivated. A quick search showed that this is a widespread
> > > > problem, apparently due to a bug in FF. I was able to fix it
> > > > temporarily by means of a suggestion on ghacks.net to change
> > > >
> > > > xpinstall.signatures.required
> > > >
> > > > in about:config to "false".
> > > >
> > > > Presumably it will be fixed soon upstream.
> > >
> > > Disabling signature checks is almost always a bad idea.
> > >
> > > Open this url with firefox and install the extension.
> > >
> > > https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
> >
> > Installing random extensions from the big bad Internet is almost always
> > a bad idea. :-D
>
> The extension is signed by Mozilla. Just in case someone doesn't know,
> the xpi extensions are just zip files. If you're worried about what
> you're installing, unzip the file and check the content. The changes are
> in the file "experiments/skeleton/api.js".
>
> > This issue was fixed upstream in Firefox 66.0.4. Use Landry Breuil's
> > repo to keep Firefox updated in -stable or -release. More at
> > https://undeadly.org/cgi?action=article=20170425173917.
> >
> > Final result from pkg_add should be:
> >
> >    firefox-66.0.2->66.0.4: ok
>
> --
> Juan Francisco Cantero Hurtado http://juanfra.info
Re: packet loss when > 1000 clients connect
+1

On Tue, 16 Apr 2019 at 09:44, Torsten wrote:
> > Check with pfctl -si if you reach a limit
>
> Thanks, will do.
>
> Marc Peters also suggested to check pf state limit, upon digging into
> that I found
>
> https://serverascode.com/2011/09/12/openbsd-pf-set-limit-states.html
>
> and therefore added
>
> set limit states 20
>
> to pf.conf.
Re: hacked for the second time
You can block connections from Tor, the ssh keys must be replaced and, of course, are you using a passphrase for them?

Regards,

On Wed, 3 Apr 2019 at 16:12, Zeb Packard wrote:
> If you've got money go here: https://www.openbsd.org/support.html
>
> If you don't have money go ask here: http://daemonforums.org/
>
> Generally, msp, isp, it requests don't go on this list. You've posted no
> evidence - a big no no. You need a high level of forensic verification
> before you bring this problem to the list.
>
> Good luck,
>
> Zeb
>
> On Wed, Apr 3, 2019 at 11:59 AM Cord wrote:
> >
> > Hi,
> > I have a heavy suspicion that my openbsd box has been hacked for the
> > second time in a few weeks. The first time was some weeks ago, I had
> > some suspicions and after a few checks I found that someone had been
> > connected to my vps via ssh on a non-standard port using my ssh key. The
> > connection came from a tor exit node. There had been 2 connections and up
> > since 5 days. Now I have some other new suspicions because some private email
> > seems known to others. Also I have found other open sessions on the web
> > gui of my email provider, but I am absolutely sure I have always done the logout.
> > I am using just chrome+unveil and I haven't used any other script or
> > opened pdf (maybe I have opened 1 or 2 pdf from inside of chrome). I have
> > used epiphany *only* to open the webmail because chrome crashes. My email
> > provider supports html (obviously) but generally photos are not loaded.
> > Of course I have pf enabled and few services.
> > I also use a vpn and I visit very few web sites with chrome.. maybe 20 or
> > 25 websites just to read news. Sometimes I search things about openbsd.
> > Anyone could help me?
> > Cord.
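The thread above turns on two facts visible in sshd's authlog: which address a successful login came from, and which key it used. As an added example (not part of the original thread), this Python scans sshd "Accepted" lines for logins from a block list such as a Tor exit-node list and lists the key fingerprints that must be rotated; the log lines, addresses and fingerprints are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the "Accepted ..." lines sshd writes to /var/log/authlog on OpenBSD
# (syslog prefix, then "Accepted <method> for <user> from <ip> port <port>").
# The key type and fingerprint after "ssh2:" are optional, since older sshd
# versions did not log them.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+)(?: ssh2: (?P<keytype>\S+) (?P<fp>\S+))?"
)


def parse_accepted(lines):
    """Yield one dict per successful login found in the log lines."""
    for line in lines:
        m = ACCEPTED_RE.match(line.rstrip("\n"))
        if m:
            login = m.groupdict()
            login["port"] = int(login["port"])
            yield login


def flag_logins(lines, blocked_nets):
    """Return the successful logins whose source address is inside any of the
    blocked networks (single addresses are accepted as /32 or /128)."""
    nets = [ip_network(n, strict=False) for n in blocked_nets]
    hits = []
    for login in parse_accepted(lines):
        try:
            src = ip_address(login["ip"])
        except ValueError:
            continue  # sshd logs addresses, not names; skip anything else
        if any(src in net for net in nets):
            hits.append(login)
    return hits


def keys_to_rotate(hits):
    """Fingerprints of the keys used in flagged logins: these are the keys that
    must be replaced, whatever the passphrase situation."""
    return sorted({h["fp"] for h in hits if h.get("fp")})


# Constructed sample log lines (documentation address ranges, made-up
# fingerprints) and a constructed block list standing in for a Tor exit list.
SAMPLE_AUTHLOG = [
    "Apr  1 08:15:02 vps sshd[4711]: Accepted publickey for cord from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:AAAAconstructedOwnerKey",
    "Apr  2 03:41:17 vps sshd[5120]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Apr  2 03:44:09 vps sshd[5133]: Accepted publickey for cord from 203.0.113.77 port 44321 ssh2: ED25519 SHA256:AAAAconstructedOwnerKey",
    "Apr  3 11:02:55 vps sshd[5301]: Accepted publickey for cord from 2001:db8:ffff::1 port 39010 ssh2: RSA SHA256:BBBBconstructedSecondKey",
]
TOR_EXITS = ["203.0.113.0/24", "2001:db8:ffff::/48"]

if __name__ == "__main__":
    hits = flag_logins(SAMPLE_AUTHLOG, TOR_EXITS)
    for hit in hits:
        print("%(ts)s %(user)s from %(ip)s port %(port)d key %(fp)s" % hit)
    print("rotate:", keys_to_rotate(hits))
```

On a real box, feed it the lines of /var/log/authlog and a current exit-node list; the same parser also works on "Failed" lines if you relax the regex.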
OpenBSD HTTPD and yourls
Hello guys, has anyone already deployed yourls with OpenBSD httpd? I'm having issues with URL rewrite. Any direction will be appreciated. Thanks in advance.
relayd websocket issue
Hello misc,

I am trying to perform a relay on a webapp that uses websocket. I am able to use the app, but when websocket is requested it does not work. Any direction will be appreciated.

Here is my config:

# cat /etc/relayd.conf
http protocol "https" {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match header set "Upgrade" value "$HTTP_UPGRADE"
        match header set "Connection" value "upgrade"
        match request header set "Connection" value "close"

        # tcp tunings
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }

        pass request quick header "Host" value "example.com" \
                forward to

        tls { no tlsv1.0, ciphers "HIGH" }
}

relay "webservices" {
        listen on egress port 443 tls
        protocol "https"
        forward with tls to port 443
}
Re: IKEDv2 OpenBSD Roadwarrior
Puffy to puffy

# cat /etc/iked.conf
ikev2 "virtualmachine" passive esp from 172.0.16.0/24 to 192.168.10.0/24 \
        local egress peer any psk "secret"

# cat /etc/iked.conf
ikev2 "openbsdgw" active esp from 192.168.10.0/24 to 172.0.16.0/24 \
        local egress peer 10.20.30.10 psk "secret"

OpenBSD 6.X (iPhone and strongSwan)

ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
        local egress peer any \
        ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32

iPhone = just disable certificates and set psk

Interoperability with strongSwan

# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

conn strongswan
        left=%any
        leftfirewall=yes
        leftsourceip=%config
        right=REMOTE_PEER_IP
        rightid=puffymagic.ikedvpn.com
        # networks you want to access on the other side (behind the magic puffer fish)
        rightsubnet=192.168.0.0/24,172.8.50.0/24
        auto=add

# cat /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
: PSK "strongopeniked"

Hope it helps. You're welcome!

2018-05-29 9:42 GMT-03:00 Jan:
> Hi Christophe,
>
> I think I've got it now. I removed the "config" options from the server
> config and things started working.
> (for what interface should they be applied at all?)
> Since then my home lan (192.168.1.0/24) stopped working for other devices
> at home. When this is working again I will post my setup.
> I think now everything from 192.168.1.0/24 gets routed through vpn to my
> notebook and others are not allowed anymore. Maybe putting vpn ips and
> local ips in different address ranges is a good idea...
>
> Jan
Re: RPI3 fails to relink kernel
Thanks for that

[]'s

2017-10-17 22:22 GMT-02:00 Jonathan Gray:
> On Tue, Oct 17, 2017 at 04:48:19PM -0700, Carlos Cardenas wrote:
> > Howdy.
> >
> > I found a working USB (Sandisk Cruzer Fit 8GB) to install 6.2 on a RPI3.
> >
> > Install went fine and so was first boot, then I noticed that relinking
> > the kernel failed.
> >
> > Below is my dmesg and error log.
> >
> > I thought it might have been due to the clock being way skewed but I
> > synced it manually and still run into the same error.
> >
> > Any pointers on how to proceed?
>
> The version of lld (4.0.0) in 6.2 could not handle the linker script
> required for that. Snapshots have llvm/lld 5.0.0 and relinking should
> work there.
>
> >
> > +--+
> > Carlos
> >
> > OpenBSD 6.2 (GENERIC) #34: Tue Oct 3 23:53:05 MDT 2017
> >     dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC
> > real mem = 964972544 (920MB)
> > avail mem = 909017088 (866MB)
> > mainbus0 at root: Raspberry Pi 3 Model B Rev 1.2
> > cpu0 at mainbus0: ARM Cortex-A53 r0p4
> > simplefb0 at mainbus0: 656x416
> > wsdisplay0 at simplefb0 mux 1
> > wsdisplay0: screen 0 added (std, vt100 emulation)
> > simplebus0 at mainbus0: "soc"
> > bcmintc0 at simplebus0
> > bcmdog0 at simplebus0
> > pluart0 at simplebus0
> > bcmaux0 at simplebus0
> > com0 at simplebus0: ns16550, no working fifo
> > com0: console
> > dwctwo0 at simplebus0
> > agtimer0 at simplebus0: tick rate 19200 KHz
> > syscon0 at simplebus0
> > simplebus1 at mainbus0: "clocks"
> > usb0 at dwctwo0: USB revision 2.0
> > uhub0 at usb0 configuration 1 interface 0 "Broadcom DWC2 root hub" rev 2.00/1.00 addr 1
> > uhub1 at uhub0 port 1 configuration 1 interface 0 "Standard Microsystems product 0x9514" rev 2.00/2.00 addr 2
> > smsc0 at uhub1 port 1 configuration 1 interface 0 "Standard Microsystems SMSC9512/14" rev 2.00/2.00 addr 3
> > smsc0: address b8:27:eb:1c:06:b7
> > ukphy0 at smsc0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x0001f0, model 0x000c
> > umass0 at uhub1 port 5 configuration 1 interface 0 "SanDisk Cruzer Fit" rev 2.10/1.00 addr 4
> > umass0: using SCSI over Bulk-Only
> > scsibus0 at umass0: 2 targets, initiator 0
> > sd0 at scsibus0 targ 1 lun 0: SCSI4 0/direct removable serial.07815571040905110075
> > sd0: 7632MB, 512 bytes/sector, 15630336 sectors
> > vscsi0 at root
> > scsibus1 at vscsi0: 256 targets
> > softraid0 at root
> > scsibus2 at softraid0: 256 targets
> > bootfile: sd0a:/bsd
> > boot device: sd0
> > root on sd0a (b045dd5058980495.a) swap on sd0b dump on sd0b
> > WARNING: CHECK AND RESET THE DATE!
> >
> > # cat /usr/share/compile/GENERIC/relink.log
> > (SHA256) /bsd: OK
> > LD="ld" sh makegap.sh 0xd4d4d4d4 gapdummy.o
> > ld: error: gap.link:11: unknown command ;
> > ld: error: gap.link:11: LONG(0xd4d4d4d4);
> > ld: error: gap.link:11: ^
> > ld: error: cannot open gapdummy.o: No such file or directory
> > ld: error: target emulation unknown: -m or at least one .o file required
> > *** Error 1 in /usr/share/compile/GENERIC (Makefile:529 'newbsd')
Re: About WPA2 compromised protocol
Stefan Sperling r0x :D

Cheers

2017-10-17 15:19 GMT-02:00 Christoph R. Murauer:
> The patch is there since 6.1 027 on the errata page.
>
> Saw the comic yesterday at Libertree.
>
> > On Tue, 17 Oct 2017 19:09:29 +0200
> > "Stephane HUC \"PengouinBSD\"" wrote:
> >
> >> Just for the fun:
> >> http://www.commitstrip.com/en/2017/10/16/wpa2-vulnerability-just-a-small-update/
> >
> > I saw somebody share that on Mastodon this morning. :)
> >
> > On a more serious note; am I correct in assuming that the patch is
> > already in 6.2?
Re: OpenBSD IPsec/L2TP to Android VPN?
https://www.authbsd.com/blog/?p=20

2017-08-07 14:54 GMT-03:00 aaron marcher:
> hi dan,
>
> i recently set up something like that using the following two tutorials
> (note that this is l2tp/ipsec instead of raw ipsec):
>
> - http://bluepilltech.blogspot.co.at/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> - http://blog.fuckingwith.it/2016/04/openbsd-l2tpipsec-vpn-for-android.html
>
> regards,
> drkhsh
>
> On 17-08-07 Mon, Daniel Mumford wrote:
> >
> > First post on mail list. Hope I do it correctly.
> >
> > Is there anyone able to assist setting up an IPsec VPN between an OpenBSD
> > machine and an android device?
> >
> > I have worked on it for a week or so to no avail. I would like to get a
> > good understanding of the necessary configuration.
> >
> > Thanks in advance.
> > Dan
>
> --
> web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/
> gpg: 0x435BF54B
Question from Dummies about FreeBSD PF VS Magic Puffer Fish
Hello Misc,

I have been using the FreeBSD PF grammar on OpenBSD for years, and AFAIK, as I remember, this always worked (on the magic puffer fish, of course).

My case is simple:

FreeBSD RPI3/AMD64 (that I tested) - (DNS requests to localhost port 1053, running Tor)

rdr pass on ue0 inet proto udp to port domain -> 127.0.0.1 port 1053

The RPI3 just has an ethernet and a lo interface.

DOES NOT WORK. I need to explicitly set 127 to the IP address of the ue0 interface, and then it works (tried set skip on lo and all the magic that route-to does) DOES NOT WORK (ip forwarding enabled too).

And then on the magic puffer fish, as simple as it is, it works! No matter if match or pass rule, divert-to or rdr-to. WORKS. JUST WORKS.

Anyone, please, can you tell me why it does not work on FreeBSD? What kind of black magic is needed?

Thanks in advance,
Re: Recommendation on OpenBSD host
Vultr/Linode I have already tested and they are good choices.

DigitalOcean - if you use disk encryption, they corrupt your disk.

2017-07-25 22:01 GMT-03:00:
> Hey list. I need a server to host a very simple website.
> I've been looking for an OpenBSD host that offers 'full' control
> over the machine through SSH. Anyone has recommendations?
> My needs: simple low traffic httpd(8) website (no javascript),
> even a Core2Duo, 2GB of RAM and a HDD with space to install
> the base system (without Xenocara, of course) would be enough.
> I can't do it on some random laptop because I need it to be
> anonymous (it will have sensitive journalistic information[*]).
> Ideally one that accepts cryptocoins (dashcoin or plain bitcoin) and
> from a country like Romania or Iceland, because of their historic
> free-speech protection (again, *ideally*).
> I see the people from Libreboot have a project to build a host,
> but I don't think they support OpenBSD yet and I think they never
> will... because of Stallmanism BS ("closed firmware == blob").
>
> Regards.
>
> ps. Yes, I've searched the marc.info archive.
> ps2. please don't reply directly to this mail, but to the list.
>
> [*] nothing illegal, btw, it will just possibly make some political
> people very angry.
Re: vmd: routing problem
Hetzner routes additional subnets through a specified MAC address on the Robot page (in some cases you need to open a trouble ticket). Also, all related information is provided there.

Cheers,

2017-07-25 10:26 GMT-03:00 Stuart Henderson:
> On 2017-07-20, Mike Larkin wrote:
> > On Thu, Jul 20, 2017 at 02:19:29PM +0200, Leo Unglaub wrote:
> >> Hey,
> >>
> >> On 07/20/17 13:05, Mischa Peters wrote:
> >> > Can you ask them how they route the separate subnet to you?
> >>
> >> as far as i understand it they route the subnet on my main ip address.
> >>
> >> From their documentation:
> >> > Newly assigned IPv4 subnets are statically routed on the main IP
> >> > address of the server, so no gateway is required.
> >>
> >> I hope that answers your question.
> >> Thanks and greetings
> >> Leo
> >
> > Like I said before, I'm not a networking expert, but what you've said there
> > doesn't make sense (at least to me). You'll probably need to explain to them
> > what you are trying to do and have them help you. I don't think this is a vmd
> > related network issue.
>
> It's a common setup at large-scale colo hosts to conserve IP addresses while
> still keeping each customer on their own L2 network. Given a gateway address
> of 192.0.2.1 you should be able to use something like this:
>
> route add -inet 192.0.2.1/32 -link -iface em0
> route add -inet default 192.0.2.1
>
> To run these commands automatically at boot, you can prefix the lines
> with ! and add them to hostname.em0.
Httpd Content-Length with NextCloud
Hello guys, not sure if it's a bug or not, but trying to contribute.

I am running the OpenBSD 6.1 stable branch.

When downloading a large file from a poor connection, i.e. 100 kbps (I don't have the time remaining), I notice that OpenBSD httpd does not set Content-Length and the connection is unexpectedly closed.

I tried to move to Nginx just to test. The Content-Length is set and the file is downloaded normally.

Any thoughts/directions and workarounds are very appreciated.

Thanks in advance
Re: Can I use OpenBSD in a virtual machine, for example, VirtualBox?
@Reyk Yes, on ESXi ahci(4) hangs as you described; the procedure is to remove it, since "sata" is the default for the cdrom device.

Great feedback you provided! Long life to the magic puffer fish.

Cheers,

2017-07-04 9:21 GMT-03:00 Reyk Floeter:
> On Mon, Jul 03, 2017 at 02:36:20PM -0400, J Doe wrote:
> >
> > >> On 27 Jun 2017 10:45 am, "Stuart Henderson" wrote:
> > >>
> > >>> On 2017-06-26, Josh Stephens wrote:
> > >>> I could be wrong when I say this but the only gotcha that you will run
> > >>> into with virtual box will be the guest additions.
> > >>
> > >> Does virtualbox still do that thing where it patches the running
> > >> kernel when it detects OpenBSD?
> >
> > Hi,
> >
> > Just thought I'd chime in that I've had success with OpenBSD 5.x to
> > 6.0 running under VMware Fusion (Mac OS X version of VMware). There
> > isn't support for guest additions with the most recent version of
> > Fusion (8.x), but I haven't had any issues.
>
> I don't know what you mean with "there isn't support for guest
> additions". We don't support VMware's 3rd party tools but we use our
> own drivers.
>
> VMware Fusion Pro 8.5.8 with version 12 VMs works fine, vmt(4)
> attaches, provides guest services such as shutdown/reboot, timedelta
> sensor, and access to VMware's guestinfo key/value via hostctl(8) (eg.
> hostctl guestinfo.ip). X11-related features are provided by vmwh in
> ports, but I've never tested it. We also have vmx(4) for vmxnet3
> networking but you manually have to edit the .vmx file and change
> ethernetX.virtualDev = "vmxnet3" (VMware has ignored all of our
> requests to add a device profile for OpenBSD).
>
> The only issue that I just saw with -current is that ahci(4)
> initialization hangs on boot - I had to disable ahci and use SCSI or
> IDE. I haven't noticed this on ESXi.
>
> I mostly used Fusion for testing and development for ESXi/vSphere but
> I switched to OpenBSD VMM for most of the testing.
>
> > I saw in the thread that someone was mentioning full screen support.
> > There's no problem with that under Fusion, but you are limited to
> > legacy style video output (ie: not a high res display). The easiest
> > way around that is I run OpenBSD minimized and SSH in from Terminal on
> > Mac OS X, then use the full-screen mode on OS X Terminal.
> >
> > If you're interested in OpenBSD in virtual machines in the cloud, I
> > have nothing but praise for the people at RootBSD [1], which have
> > supported OpenBSD for a while. IIRC they run OpenBSD on top of Xen,
> > so the previous comments about security not being the same as running
> > it natively do apply, but it's definitely an option.
> >
> > I believe Undeadly recently posted about partial support for Hyper-V
> > has been committed, which also opens up the future possibility of running
> > OpenBSD on Azure. Seems like the only holdout is AWS, but there is
> > now official support for FreeBSD on it, so here's hoping its more
> > secure cousin will make its way to Amazon.
>
> You cannot really compare FreeBSD in Azure or AWS to OpenBSD. We have
> totally different drivers for Hyper-V and Xen. But Hyper-V is "fully"
> supported on OpenBSD, the latest hvs(4) driver adds support for
> StorVSC paravirtual SCSI. mikeb@ has done some great work to
> implement all the missing drivers and I helped where I could and
> focussed on the part to get it from Hyper-V/Xen to the "cloud".
>
> The situation in Azure is about the same as in AWS: we don't provide
> OpenBSD images in the marketplaces or community images yet, but there
> are scripts and howtos to create your OpenBSD VMs in Azure. This
> might change as soon as we feel confident enough with the VM "layout"
> and the (mandatory) agent. But, for now, use the tools from
> unofficial external github projects:
>
> For AWS:
> https://github.com/ajacoutot/aws-openbsd
>
> For Azure (also works in AWS and under VMM):
> https://github.com/reyk/cloud-openbsd (create images with cloud-agent)
> https://github.com/reyk/cloud-agent (an alternative to waagent in ports)
> https://github.com/reyk/meta-data (test + boot cloud images under VMM)
>
> We also have VirtIO drivers for OpenBSD VMM and KVM, as used by most
> other clouds, and I'm planning to add support for OpenStack (JSON) and
> OpenNebula (contexts) to my cloud-agent.
>
> But please note that we're currently trying to find ways to create VM
> images that still provide the benefits of OpenBSD-style things like
> KARL. The problem with pre-provisioned VM images is that they all
> have the "same random values" in the filesystem, kernel, and libraries
> where the installer usually makes each installation unique. A
> pre-provisioned image is always the same, at least on first boot,
> unless we create something that prepares or installs everything before
> getting a new VM instance online. The first real* OpenBSD image on
> Azure will probably be fully pre-provisioned,
Re: DHCP in vmm guest
Hello guys,

I am testing nested OpenBSD VMM -current under VMware ESXi 6.5 and the console randomly freezes (the VM is still working, as is "~^D" (reattach to console), but I can't interact through it).

Error is:

Jun 16 18:55:08 vmm vmd[94945]: vcpu_process_com_data: guest reading com1 when not ready
Jun 16 18:56:21 vmm last message repeated 22 times

Also, "local interface" -> vm.conf or -L -> vmctl works with an OpenBSD guest and a Linux guest running dhcpcd (http://roy.marples.name/projects/dhcpcd/), but DNS resolution does not work (pointing to another DNS works).

Furthermore, udhcpc (tested with Alpine Linux) does not get an address. Error:

localhost:~# udhcpc eth0
udhcpc: started, v1.26.2
udhcpc: sending discover
udhcpc: no message type option, ignoring packet

* Just trying to contribute *

Best,

dmesg:

OpenBSD 6.1-current (GENERIC.MP) #0: Fri Jun 16 16:25:18 CEST 2017
    r...@vmm.nested.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 6425608192 (6127MB)
avail mem = 6225076224 (5936MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe0010 (248 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 04/05/2016
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S8F0(S3) S16F(S3) S18F(S3) S22F(S3) S23F(S3) S24F(S3) S25F(S3) PE40(S3) S1F0(S3) PE50(S3) S1F0(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz, 3600.42 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 3600415280 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz, 3600.15 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 0, package 2
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz, 3600.16 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 0, package 4
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz, 3600.12 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 0, package 6
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicpu2 at acpi0: C1(@1 halt!)
acpicpu3 at acpi0: C1(@1 halt!)
"PNP0001" at acpi0 not configured
"PNP0303" at acpi0 not configured
"VMW0003" at acpi0 not configured
"PNP0A05" at acpi0 not configured
acpiac0 at acpi0: AC unit online
pvbus0 at mainbus0: VMware
vmt0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus disabled
"VMware VMCI" rev 0x10 at pci0 dev 7
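udhcpc's "no message type option, ignoring packet" is the client's first sanity check on a reply: the packet carried the DHCP magic cookie but no option 53, so the client cannot tell an OFFER from anything else and drops it. As an added example (not code from the original post, from vmd or from udhcpc), the script below parses the option field of a DHCP reply and applies the same check; the two packets, and the 100.64.1.x addresses inside them, are constructed for the demonstration.

```python
"""Parse DHCP options and apply udhcpc's "message type present?" check.

Added example; the packets are constructed for illustration, not captured
from vmd. The 100.64.1.x addresses are placeholders.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the BOOTP header
OPT_PAD, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(payload: bytes) -> dict:
    """Return {code: value} for the TLV options of a DHCP message.

    payload is the UDP payload: 236-byte BOOTP header, magic cookie, options.
    PAD bytes are skipped, END stops parsing, truncated options raise ValueError.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header at offset %d" % i)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def classify(payload: bytes) -> str:
    """Mirror the client's first decision: no usable option 53 means the packet is dropped."""
    opts = parse_options(payload)
    if OPT_MSG_TYPE not in opts or len(opts[OPT_MSG_TYPE]) != 1:
        return "no message type option, ignoring packet"
    code = opts[OPT_MSG_TYPE][0]
    kind = MSG_TYPES.get(code, "type %d" % code)
    server = ".".join(str(b) for b in opts.get(OPT_SERVER_ID, b""))
    return "DHCP%s from server %s" % (kind, server or "(no server id)")


def build_reply(yiaddr: bytes, options: bytes) -> bytes:
    """Build a minimal BOOTREPLY (op=2, htype=1 Ethernet, hlen=6) with the given option bytes."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return header + DHCP_MAGIC + options + bytes([OPT_END])


SERVER = bytes([100, 64, 1, 2])
OFFERED = bytes([100, 64, 1, 10])
LEASE_1H = bytes([OPT_LEASE, 4, 0, 0, 0x0E, 0x10])
# Constructed: a well-formed OFFER, and the same reply with option 53 left out.
GOOD_OFFER = build_reply(OFFERED, bytes([OPT_MSG_TYPE, 1, 2, OPT_SERVER_ID, 4]) + SERVER + LEASE_1H)
BAD_OFFER = build_reply(OFFERED, bytes([OPT_SERVER_ID, 4]) + SERVER + LEASE_1H)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("bad", BAD_OFFER)):
        print(name, "->", classify(pkt))
```

Feeding the parser the UDP payload of a reply captured on the host side of the guest's tap interface tells you whether the packet the guest saw actually carried option 53, which is the first thing to establish before blaming the client.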
Re: httpd and Wordpress
+1

WordPress must be installed in the desired path; if you are moving from a previous scheme like site/wordpress to plain wordpress, you have a problem. Refer to the WordPress manual and you will find how to fix it. The best bet is, like Todd said: deploy again.

2017-06-10 20:56 GMT-03:00 Todd:
> What is in your httpd error log?
> My guess is that WP is trying to pull some content from /wordpress which no longer exists since you moved the docroot.
>
> My suggestion for having your WP site available without going to the /wordpress URL is to redeploy the WordPress files to /var/www/html instead of /var/www/html/wordpress.
> Or add a 301 redirect from / to /wordpress
>
> On Sat, Jun 10, 2017 at 2:32 PM, Jan Betlach wrote:
> > Hi guys,
> >
> > I have a small problem with httpd and Wordpress.
> > When I go to https://myipaddress I get "Access denied". If I go to https://myipaddress/wordpress, everything works as expected.
> > I have tried to change the appropriate line in the httpd.conf to: root "/htdocs/wordpress". In that case the webpage is loaded, but in the "broken" form.
> >
> > My current httpd.conf:
> >
> > # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
> > # Macros
> > ext_addr="*"
> > # Global Options
> > # prefork 3
> > # Servers
> > # A minimal default server
> > server "default" {
> >         listen on $ext_addr port 80
> >         listen on $ext_addr tls port 443
> >         block return 301 "https://$SERVER_NAME$REQUEST_URI"
> >         tls {
> >                 key "/etc/ssl/private/server.key"
> >                 certificate "/etc/ssl/server.crt"
> >         }
> >         directory {
> >                 no auto index, index "index.php"
> >         }
> >         location "*.php" {
> >                 fastcgi socket "/run/php-fpm.sock"
> >         }
> >         root "/htdocs"
> > }
> > # Include MIME types instead of the built-in ones
> > types {
> >         include "/usr/share/misc/mime.types"
> > }
> >
> > Any ideas where I am making a mistake?
> >
> > Thank you
> >
> > Jan
Re: /etc/mygate equivalent for IPv6?
That's it: magic puffer fish

2017-06-06 16:53 GMT-03:00 mabi:
> Fantastic, that was an easy one. Somehow I missed that from the OpenBSD FAQ, must have skimmed it too fast...
>
> So I guess here that I can have my IPv4 default gw and IPv6 default gw both on two different lines in the /etc/mygate file.
>
> Original Message
> Subject: Re: /etc/mygate equivalent for IPv6?
> Local Time: June 6, 2017 9:50 PM
> UTC Time: June 6, 2017 7:50 PM
> From: knight@gmail.com
> To: Janne Johansson, mabi, openbsd-misc
>
> for example:
>
> fe80::1%carp0
>
> :)
>
> 2017-06-06 16:48 GMT-03:00 Janne Johansson:
> > Just add the ipv6 gw ip to /etc/mygate.
> >
> > 2017-06-06 21:45 GMT+02:00 mabi:
> > > Hi,
> > >
> > > What is the "standard" approach for adding an IPv6 default gateway to an OpenBSD 6.1 machine analog to the /etc/mygate file for an IPv4 default route?
> > >
> > > There is no /etc/mygate6 file and as such for now I manually run:
> > >
> > > route -n add -inet6 default
> > >
> > > Regards,
> > > Mabi
> >
> > --
> > May the most significant bit of your life be positive.
Re: /etc/mygate equivalent for IPv6?
for example:

fe80::1%carp0

:)

2017-06-06 16:48 GMT-03:00 Janne Johansson:
> Just add the ipv6 gw ip to /etc/mygate.
>
> 2017-06-06 21:45 GMT+02:00 mabi:
> > Hi,
> >
> > What is the "standard" approach for adding an IPv6 default gateway to an OpenBSD 6.1 machine analog to the /etc/mygate file for an IPv4 default route?
> >
> > There is no /etc/mygate6 file and as such for now I manually run:
> >
> > route -n add -inet6 default
> >
> > Regards,
> > Mabi
>
> --
> May the most significant bit of your life be positive.
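What netstart(8) does with /etc/mygate is simple: every non-comment line is one default gateway, and a line containing a colon is treated as an IPv6 gateway, which is why an IPv4 address and "fe80::1%carp0" can sit on separate lines as the thread concludes. As an added example, and not the system's own script, the parser below reproduces that classification, rejects a link-local IPv6 gateway written without a %scope (the kernel cannot tell which interface such an address is reachable on), and emits the route(8) commands implied by the file; the sample file contents are constructed, and the route invocation is the documented route(8) form rather than netstart's exact command line.

```python
"""Interpret /etc/mygate the way netstart(8) does: one gateway per line,
'#' starts a comment, a colon marks an IPv6 gateway.

Added example, not OpenBSD's own script; SAMPLE at the bottom is constructed.
"""
import ipaddress


def parse_mygate(text: str) -> list:
    """Return [(family, gateway)] in file order after validating each address.

    family is 'inet' or 'inet6'. IPv6 gateways may carry a %scope suffix
    (fe80::1%carp0); a link-local gateway without one is rejected because
    route(8) cannot install it without knowing the interface.
    """
    gws = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if ":" in line:                          # netstart's IPv6 test
            addr, _, scope = line.partition("%")
            try:
                ip = ipaddress.IPv6Address(addr)
            except ValueError as e:
                raise ValueError("line %d: %s" % (lineno, e))
            if ip.is_link_local and not scope:
                raise ValueError("line %d: link-local gateway %s needs a %%scope, e.g. %s%%em0"
                                 % (lineno, addr, addr))
            gws.append(("inet6", line))
        else:
            try:
                ipaddress.IPv4Address(line)
            except ValueError as e:
                raise ValueError("line %d: %s" % (lineno, e))
            gws.append(("inet", line))
    return gws


def route_commands(text: str) -> list:
    """route(8) invocations implied by the file: one default route per family.

    Only the first valid gateway of each family is used; netstart likewise
    stops at the first gateway that route(8) accepts for that family.
    """
    cmds, seen = [], set()
    for family, gw in parse_mygate(text):
        if family in seen:
            continue
        seen.add(family)
        cmds.append("route -qn add -%s default %s" % (family, gw))
    return cmds


# Constructed sample: the dual-stack layout the thread ends up with.
SAMPLE = """\
# IPv4 default gateway
192.0.2.1
# IPv6 default gateway, link-local, scoped to the carp interface
fe80::1%carp0
"""

if __name__ == "__main__":
    for cmd in route_commands(SAMPLE):
        print(cmd)
```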
Re: OpenBSD and you
Peter,

With a presentation like that, everyone is tempted to meet Mr. Puffy. Thank you for keeping it updated! (~6.1) It's an amazing job! You rock.

Cheers,

2017-05-10 7:20 GMT-03:00 Manolis Tzanidakis:
> On Wed (10/05/17), Peter N. M. Hansteen wrote:
> > That was the first option that came to mind, and the one I may go for as a supplemental format *if* I can find a way to generate PDFs from this source format *and* get the page breaks right. The print preview available in browsers does not leave much hope of that actually happening, however.
>
> You can give wkhtmltopdf (https://wkhtmltopdf.org/) a shot; it's in packages.
>
> A quick test I ran:
>
> $ wkhtmltopdf "https://home.nuug.no/~peter/openbsd_and_you/" output.pdf
>
> produces nice results, but omits the titles. I guess adding ", sans-serif" in the "font-family" lines in your css should fix that, eg:
>
> - body { font-family: 'Droid Serif'; }
> + body { font-family: 'Droid Serif', sans-serif; }
Re: Arch and vmd
Thanks Karl,

Your instructions saved a lot of research. Running Funtoo Linux -current with a minimal kernel (compiled by hand), with the root partition adjusted to the vda disk. Tests performed with OpenBSD 6.0 with binary patches applied.

Cheers,

2017-04-26 13:47 GMT-03:00 Karl Pettersson:
> Arch Linux works well as a vmd guest. Some notes about my experiences installing the system:
>
> * The Arch installation can be started from the serial console, see: https://wiki.archlinux.org/index.php/Working_with_the_serial_console#Installing_Arch_Linux_using_the_serial_console
> However, the installation still tends to be unstable, due to unreliable downloads (which has been discussed earlier). Until this is fixed, the installation can be run in QEMU, or in a guest under Linux/KVM (as is currently required by distributions with graphical install).
>
> * Syslinux has to be used as bootloader, and serial console should be enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
> Moreover, the generated config has to be edited to point to the correct root device, and if Ext4 is used as root file system, it must not be 64bit (which is enabled by default when the file system is created): http://www.syslinux.org/wiki/index.php?title=Filesystem
OpenBSD 6.1 - Song released
Great work!

Bryan Adams - Summer of 69 - Parody

Long Life to Puffy

Cheers
Re: Topics for revised PF and networking tutorial
+1

Queue prioritization and ToS (set prio / set tos combinations) by examples would be great.

2017-04-07 13:00 GMT-03:00 I love OpenBSD:
> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a CIDR into the named table based on offending IPv6 address and 64-bit mask? I mean something similar to 'overload ' option.
vmwpvs driver
Hello misc,

A few days ago I tried to install OpenBSD 6.0 using vmwpvs (VMware Paravirtual). When the OpenBSD installer finished, I received a message that the boot could not be done using my disk.

So I did some research on the OpenBSD mailing lists and found:

"There's a problem with vmwpvs(4) where the first write gets lost. IIRC if you shell out from the installer and run fdisk -iy sd0 manually once, then resume installing, it then works."

I followed it and it was solved! I was able to boot my new OpenBSD fresh install.

* I performed it using full disk encryption

Is there any workaround besides this, or is it a legitimate bug?

Thank you
Re: IPv6 Setup not working on Hetzner server
+1

ping -c 1 fe80::1%em0 > /dev/null

2016-12-05 11:05 GMT-02:00 Marc Peters:
> On 12/02/16 at 13:39, Leo Unglaub wrote:
> > I just found out that since i changed my mygate up to your suggestion that i now have to ping6 fe80::1%em0 first and then i am able to connect to other hosts via IPv6. But not before i pinged the fe80::1%em0. WTF?
>
> i have the same setup at hetzner and as someone suggested, i am using in my root crontab:
>
> @reboot sleep 10 && ping6 -c 10 fe80::1\%em0 > /dev/null
>
> works for me, at least.
OpenBSD and you
Hello everybody,

As I did not see any mention around here, I was moved to post this great presentation by Peter N. M. Hansteen.

https://home.nuug.no/~peter/blug2016/

Personally, I am sincerely grateful to each developer of OpenBSD, the truly reliable and highly secure operating system.

Regards,
Re: OpenBSD 6-stable vmd
Hey @Peter, one more time, thanks so much for the heads up :)

For those interested: I'm running OpenBSD-current under VMware Workstation 12 (you just need to set the processor properties to virtualize Intel VT-x/EPT or AMD-V/RVI) and having fun testing VMD :)

Thank you

2016-10-22 8:43 GMT-02:00 R0me0 *** <knight@gmail.com>:
> Hey Peter,
>
> Thank you for the advice, I'll get current
>
> Cheers dude!
>
> (:
>
> 2016-10-22 6:44 GMT-02:00 Peter Hessler <phess...@theapt.org>:
> > This isn't expected to work at all. That is why it was disabled.
> > You'll need to upgrade the Hypervisor to -current, or to 6.1 when it is released.
> >
> > On 2016 Oct 22 (Sat) at 00:06:08 -0200 (-0200), R0me0 *** wrote:
> > :Hello misc.
> > :
> > :For testing purposes
> > :
> > :I compiled kernel with vmd support.
> > :
> > :After start the vm -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k /bsd.rd
> > :
> > :I created a bridge and added vether0 and tap0
> > :
> > :In the vm I have configured an ip 192.168.1.30
> > :
> > :If I perform ping from OpenBSD Hypervisor -> ping 192.168.1.30 all packets are sent and received "on the fly"
> > :
> > :But if I perform the same step from "myvm", there is no packet loss but the packets take so long to be sent and consecutively replied
> > :
> > :I am performing this tests on Linux running Vmware Workstation 12 .
> > :
> > :Is this behavior expected ?
> > :
> > :Any directions will be appreciated.
>> : >> :Thank you >> : >> :myvm dmesg: >> : >> :OpenBSD 6.0 (RAMDISK_CD) #2100: Tue Jul 26 13:05:59 MDT 2016 >> : dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD >> :RTC BIOS diagnostic error 20 >> :real mem = 520093696 (496MB) >> :avail mem = 502673408 (479MB) >> :mainbus0 at root >> :bios0 at mainbus0 >> :acpi at bios0 not configured >> :cpu0 at mainbus0: (uniprocessor) >> :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 14335.74 MHz >> :cpu0: >> :FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV, >> PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3, >> FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,AVX,F1 >> :6C,RDRAND,HV,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT >> :pvbus0 at mainbus0: OpenBSD >> :pci0 at mainbus0 bus 0 >> :pchb0 at pci0 dev 0 function 0 "OpenBSD VMM PCI Host Bridge" rev 0x00 >> :virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00 >> :viornd0 at virtio0 >> :virtio0: irq 3 >> :virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00 >> :vioblk0 at virtio1 >> :scsibus0 at vioblk0: 2 targets >> :sd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct >> fixed >> :sd0: 5120MB, 512 bytes/sector, 10485760 sectors >> :virtio1: irq 5 >> :virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00 >> :vio0 at virtio2: address fe:e1:ba:d0:d0:94 >> :virtio2: irq 9 >> :isa0 at mainbus0 >> :com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo >> :com0: console >> :softraid0 at root >> :scsibus1 at softraid0: 256 targets >> :root on rd0a swap on rd0b dump on rd0b >> :WARNING: invalid time in clock chip >> :WARNING: CHECK AND RESET THE DATE! 
>> : >> :openbsd hypervisor : >> : >> : >> :OpenBSD 6.0-stable (GENERIC.MP) #0: Fri Oct 21 20:07:42 BRST 2016 >> : root@puffysor.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC.MP >> :real mem = 2130640896 (2031MB) >> :avail mem = 2061631488 (1966MB) >> :mpath0 at root >> :scsibus0 at mpath0: 256 targets >> :mainbus0 at root >> :bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe0010 (242 entries) >> :bios0: vendor Phoenix Technologies LTD version "6.00" date 07/02/2015 >> :bios0: VMware, Inc. VMware Virtual Platform >> :acpi0 at bios0: rev 2 >> :acpi0: sleep states S0 S1 S4 S5 >> :acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET >> :acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) >> S3F0(S3) >> :S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3) >> :S12F(S3) S13F(S3) [...] >> :acpitimer0 at acpi0: 3579545 Hz, 24 bits >> :acpimadt0 at acpi0 addr 0xfee0: PC-AT compat >> :cpu0 at mainbus0: apid 0 (boot processor) >> :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3800.69 MHz >> :cpu0: >> :FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,P
Re: pf rule for openvpn
Assuming you block traffic by default:

pf.conf:
block log all

# tcpdump -e -ttt -ni pflog0 action block

You will be able to see exactly what is being blocked :)

-Regards

2016-10-24 12:19 GMT-02:00 Kenneth Gober:
> On Sun, Oct 23, 2016 at 4:46 PM, Thuban wrote:
> > Here are the relevant parts of my pf.conf :
> >
> > ext_if = "re0"
> > tcp_pass = "{ gopher ipp 8000 }"
> > udp_pass = "{ 1194 }"
> >
> > pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> > pass in quick on $ext_if proto udp to any port $udp_pass keep state
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
> >
> > pass out on $ext_if proto { tcp udp icmp } all modulate state
>
> Do you have rules that allow traffic in from tun0? Something like:
>
> pass in quick on tun0 keep state
>
> Otherwise traffic will reach OpenVPN but get no further, being blocked coming out of the tunnel.
>
> -ken
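With "block log all" in place every dropped packet is written to pflog0, and tcpdump -e on that interface prefixes each line with the matching rule number, the action, the direction and the interface, so the drops ken describes show up as "block in on tun0". The script below is an added example, not code from the thread: it parses lines in tcpdump's pflog format and tallies the blocks by interface, direction and destination port, which is the quickest way to see that the VPN traffic is dying on the way out of the tunnel rather than on re0. The log lines are constructed to match that format (the leading number stands in for the -ttt delta, which the parser ignores) and the addresses are documentation ranges.

```python
"""Tally pf blocks from 'tcpdump -e -ttt -ni pflog0' output.

Added example, not from the original thread. SAMPLE is constructed in the
format tcpdump prints for pflog, with made-up addresses and timestamps.
"""
import re

# "rule 0/(match) block in on tun0: 10.8.0.6.54321 > 192.0.2.10.80: S ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)(?:\.(?P<anchor>\S+?))?/\((?P<reason>[\w-]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)


def split_port(endpoint: str):
    """tcpdump writes host.port; return (host, port) or (host, None) when no port."""
    host, sep, port = endpoint.rpartition(".")
    if sep and port.isdigit() and (host.count(".") == 3 or ":" in host):
        return host, int(port)
    return endpoint, None


def parse_pflog_line(line: str):
    """Return a dict for one pflog line, or None if the line is not pflog output."""
    m = PFLOG_RE.search(line)          # search: whatever timestamp tcpdump prints in front is ignored
    if m is None:
        return None
    src, sport = split_port(m.group("src"))
    dst, dport = split_port(m.group("dst"))
    return {
        "rule": int(m.group("rule")),
        "anchor": m.group("anchor"),
        "reason": m.group("reason"),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "iface": m.group("iface"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
        "rest": m.group("rest"),       # protocol detail: TCP flags, 'udp 42', 'icmp: echo request'
    }


def summarize_blocks(lines) -> dict:
    """Count blocked packets per 'iface/dir/dport' ('-' when the packet has no port)."""
    counts = {}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        key = "%s/%s/%s" % (rec["iface"], rec["dir"],
                            rec["dport"] if rec["dport"] is not None else "-")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: one probe blocked on the WAN side, three VPN client
# packets blocked as they leave the tunnel, one logged pass for contrast.
SAMPLE = """\
000000 rule 0/(match) block in on re0: 203.0.113.5.40122 > 198.51.100.7.22: S 1:1(0) win 65535
000412 rule 0/(match) block in on tun0: 10.8.0.6.54321 > 192.0.2.10.80: S 1:1(0) win 64240
000008 rule 0/(match) block in on tun0: 10.8.0.6.54322 > 192.0.2.10.443: S 1:1(0) win 64240
000097 rule 0/(match) block in on tun0: 10.8.0.6 > 192.0.2.10: icmp: echo request
001290 rule 3/(match) pass in on re0: 203.0.113.9.61000 > 198.51.100.7.1194: udp 42
"""

if __name__ == "__main__":
    for key, n in sorted(summarize_blocks(SAMPLE.splitlines()).items()):
        print("%-16s %d" % (key, n))
```

Run it as `tcpdump -e -ttt -ni pflog0 action block | python3 pflog_tally.py` after adapting the main block to read stdin; a growing "tun0/in/..." row while "re0/in/1194" stays clear is the signature of the missing "pass in quick on tun0" rule.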
Re: OpenBSD 6-stable vmd
Hey Peter , Thank you for the advice, I'll get current Cheers dude ! (: 2016-10-22 6:44 GMT-02:00 Peter Hessler <phess...@theapt.org>: > This isn't expected to work at all. That is why it was disabled. > You'll need to upgrade the Hypervisor to -current, or to 6.1 when it is > released. > > > > On 2016 Oct 22 (Sat) at 00:06:08 -0200 (-0200), R0me0 *** wrote: > :Hello misc. > : > :For testing purposes > : > :I compiled kernel with vmd support. > : > :After start the vm -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k > /bsd.rd > : > :I created a bridge and added vether0 and tap0 > : > :In the vm I have configured an ip 192.168.1.30 > : > :If I perform ping from OpenBSD Hypervisor -> ping 192.168.1.30 all > packages > :are send and received "on the fly" > : > :But if I perform the same step from "myvm", there is no packet loss but > the > :packets take so long to be send and consecutively replied > : > :I am performing this tests on Linux running Vmware Workstation 12 . > : > :Is this behavior expected ? > : > :Any directions will be appreciated. 
> : > :Thank you > : > :myvm dmesg: > : > :OpenBSD 6.0 (RAMDISK_CD) #2100: Tue Jul 26 13:05:59 MDT 2016 > : dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD > :RTC BIOS diagnostic error 20 > :real mem = 520093696 (496MB) > :avail mem = 502673408 (479MB) > :mainbus0 at root > :bios0 at mainbus0 > :acpi at bios0 not configured > :cpu0 at mainbus0: (uniprocessor) > :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 14335.74 MHz > :cpu0: > :FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA, > CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL, > SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,AVX,F1 > :6C,RDRAND,HV,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT > :pvbus0 at mainbus0: OpenBSD > :pci0 at mainbus0 bus 0 > :pchb0 at pci0 dev 0 function 0 "OpenBSD VMM PCI Host Bridge" rev 0x00 > :virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00 > :viornd0 at virtio0 > :virtio0: irq 3 > :virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00 > :vioblk0 at virtio1 > :scsibus0 at vioblk0: 2 targets > :sd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct > fixed > :sd0: 5120MB, 512 bytes/sector, 10485760 sectors > :virtio1: irq 5 > :virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00 > :vio0 at virtio2: address fe:e1:ba:d0:d0:94 > :virtio2: irq 9 > :isa0 at mainbus0 > :com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo > :com0: console > :softraid0 at root > :scsibus1 at softraid0: 256 targets > :root on rd0a swap on rd0b dump on rd0b > :WARNING: invalid time in clock chip > :WARNING: CHECK AND RESET THE DATE! > : > :openbsd hypervisor : > : > : > :OpenBSD 6.0-stable (GENERIC.MP) #0: Fri Oct 21 20:07:42 BRST 2016 > : root@puffysor.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC.MP > :real mem = 2130640896 (2031MB) > :avail mem = 2061631488 (1966MB) > :mpath0 at root > :scsibus0 at mpath0: 256 targets > :mainbus0 at root > :bios0 at mainbus0: SMBIOS rev. 
2.7 @ 0xe0010 (242 entries) > :bios0: vendor Phoenix Technologies LTD version "6.00" date 07/02/2015 > :bios0: VMware, Inc. VMware Virtual Platform > :acpi0 at bios0: rev 2 > :acpi0: sleep states S0 S1 S4 S5 > :acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET > :acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) > S3F0(S3) > :S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3) > :S12F(S3) S13F(S3) [...] > :acpitimer0 at acpi0: 3579545 Hz, 24 bits > :acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > :cpu0 at mainbus0: apid 0 (boot processor) > :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3800.69 MHz > :cpu0: > :FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA, > CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3, > PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLIN > :E,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM, > PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT > : > :cpu0: 256KB 64b/line 8-way L2 cache > :cpu0: smt 0, core 0, package 0 > :mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges > :cpu0: apic clock running at 65MHz > :cpu1 at mainbus0: apid 1 (application processor) > :cpu1: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3810.50 MHz > :cpu1: > :FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA, > CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3, > PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEAD
OpenBSD 6-stable vmd
Hello misc.

For testing purposes I compiled a kernel with vmd support.

After starting the vm -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k /bsd.rd

I created a bridge and added vether0 and tap0.

In the vm I have configured the ip 192.168.1.30.

If I perform a ping from the OpenBSD hypervisor -> ping 192.168.1.30, all packets are sent and received "on the fly".

But if I perform the same step from "myvm", there is no packet loss but the packets take so long to be sent and consecutively replied.

I am performing these tests on Linux running VMware Workstation 12.

Is this behavior expected?

Any directions will be appreciated.

Thank you

myvm dmesg:

OpenBSD 6.0 (RAMDISK_CD) #2100: Tue Jul 26 13:05:59 MDT 2016
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
RTC BIOS diagnostic error 20
real mem = 520093696 (496MB)
avail mem = 502673408 (479MB)
mainbus0 at root
bios0 at mainbus0
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 14335.74 MHz
cpu0: FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,AVX,F16C,RDRAND,HV,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM PCI Host Bridge" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus0 at vioblk0: 2 targets
sd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
sd0: 5120MB, 512 bytes/sector, 10485760 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio2: address fe:e1:ba:d0:d0:94
virtio2: irq 9
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
com0: console
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
WARNING: invalid time in clock chip
WARNING: CHECK AND RESET THE DATE!

openbsd hypervisor:

OpenBSD 6.0-stable (GENERIC.MP) #0: Fri Oct 21 20:07:42 BRST 2016
    root@puffysor.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130640896 (2031MB)
avail mem = 2061631488 (1966MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe0010 (242 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/02/2015
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3) S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3) S12F(S3) S13F(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3800.69 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3810.50 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
"PNP0001" at acpi0 not configured
"PNP0303" at acpi0 not configured
"VMW0003" at acpi0 not configured
"PNP0A05" at acpi0 not configured
acpiac0 at acpi0: AC unit online
pvbus0 at mainbus0: VMware
vmt0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun
Re: what all touches the carp demote counter?
Hello, sorry for my bad English.

So, let's debug.

Review carp/pfsync:
- NODE1-carp0 / NODE2-carp0: same password and same vhid for each pair
- pfsync syncdev: /etc/hostname.pfsync0 = up syncdev IFACE
- check the default gateway on both (/etc/mygate)
- sysctl net.inet.ip.forwarding=1 and net.inet.carp.preempt=1 (/etc/sysctl.conf)
- pf rules: put the carp and pfsync rules at the TOP of your rules (for debug purposes):
  set skip on { lo0 $pfsyncdev }
  pass quick on { $carpdev $carpdev2 $carpdev3 } proto carp keep state (no-sync)
- Check with tcpdump on pflog if carp packets are being dropped
- Check if all carp interfaces are MASTER on the current node and check if all are BACKUP on the other
- Check if on the current backup node the states are syncing (systat states) (compare on both: pfctl -ss | wc -l), almost the same quantity

Bring the primary node up to MASTER (ifconfig -g carp carpdemote 30 on the current master node); the slave needs to have a lower value of carpdemote, and DO N OT DEFINE advskew on the primary, leave the default (0); only on the backup set advskew and put a high value (advskew 100) (hostname.carp).

- Check carpdemote on the new primary master (ifconfig -g carp); if the value is not 0 set to
- Reboot the slave node... and when it is back check if it stays as slave (check systat states) (compare on both: pfctl -ss | wc -l), must be almost equal
- Check carpdemote on the slave, should be 0
- Reboot the Primary/Master and when it is back it is supposed to be Master

* if you have huge traffic (the node you rebooted must wait until the states are synchronized)

About ospf, I have no experience using it with carp.

One more time, sorry for any typo

[]'s

2016-10-10 22:58 GMT-03:00 Paul B. Henson <hen...@acm.org>:
> On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote:
> > Did you adjust advskew value on the machine you want to be Backup ?
>
> Yes, the backup has an advskew of 5 and the primary an advskew of 1. As I mentioned, when I first configured the interfaces by hand the two systems properly negotiated master/backup roles, it was only after I rebooted the one that was supposed to be primary on this interface that it came up as backup, and I traced it to the fact that the carp demote value was set to 2. When I manually changed the carp demote value to 0, the system once again pre-empted the master role on the interface.
>
> I'm just not sure what is twiddling with the carp demotion value. Unless ospfd does it by default? The man page for the config file reads like it would only do it if you explicitly include the demote keyword in the area or interface section.
>
> Thanks for the suggestion though.
Re: what all touches the carp demote counter?
Hello Paul,

Did you adjust the advskew value on the machine you want to be Backup?

For example:

Primary/Master
# cat hostname.carp0
vhid 1 carpdev em0 pass THEPASSWORD inet 10.20.30.40 255.255.255.0

Slave/Backup
# cat hostname.carp0
vhid 1 carpdev em0 advskew 100 pass THEPASSWORD inet 10.20.30.40 255.255.255.0

I think it could be it.

Regards,

2016-10-10 20:30 GMT-03:00 Paul B. Henson:
> I'm setting up a second router that's going to sit next to an existing one and become a redundant failover system. The current one is in production, and I've been converting some of the existing LAN subnets on it to use carp interfaces and making them primary and the new box secondary. I also set up a carp interface on the WAN side and made the new box primary for testing as that didn't exist before. That all worked fine when I set it up by hand, but when I rebooted the new box, the old box stayed primary for everything including the WAN interface, which I tracked down to the carp demote counter, which ended up at 2 on the new box after the reboot:
>
> bash-4.3# ifconfig -g carp
> carp: carp demote count 2
>
> After I manually decreased the demote counter by 2 back to 0 the WAN interface master switched back to the new box.
>
> I'm not sure what's doing that at boot? I am running ospfd on the box, but I don't have any demote statements in my configuration. I'm also running npppd, but I don't see anything about that and carp demotion. What else might be setting carp demotion values?
>
> Thanks...
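Two settings decide the election in the situation Paul describes: the advskew each node advertises (lower wins, so the intended backup needs the higher value, which is what the two hostname.carp0 files above express) and the interface group's demote count, which makes a node advertise at lower priority than its configured advskew for as long as it is non-zero, so a node that boots with "carp demote count 2" stays BACKUP no matter how its advskew compares. The checker below is an added example, not OpenBSD code, serving both this reply and the debugging checklist in the follow-up: it parses the two hostname.carpN files, compares the values that must agree (vhid, pass, address) or must differ (advskew), and reads the demote count out of "ifconfig -g carp" output. The configs and the ifconfig output are constructed from what the thread quotes, with THEPASSWORD as a placeholder.

```python
"""Sanity-check a CARP master/backup pair from the two hostname.carpN files
and 'ifconfig -g carp' output.

Added example, not OpenBSD code. MASTER, BACKUP and DEMOTED at the bottom
are constructed from the configs and output quoted in the thread.
"""
import re

ONE_ARG = {"vhid", "carpdev", "pass", "advskew", "advbase", "carppeer", "description", "group"}
INT_ARGS = {"vhid", "advskew", "advbase"}


def parse_hostname_carp(text: str) -> dict:
    """Parse an /etc/hostname.carpN file into a dict of ifconfig(8) keywords.

    Each line holds ifconfig arguments (several keywords per line allowed),
    '#' starts a comment, '!' lines are shell commands run by netstart and are
    skipped. Absent advskew/advbase get ifconfig's defaults (0 and 1).
    """
    cfg = {"advskew": 0, "advbase": 1, "flags": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok in ONE_ARG:
                if i + 1 >= len(toks):
                    raise ValueError("%s needs an argument" % tok)
                cfg[tok] = int(toks[i + 1]) if tok in INT_ARGS else toks[i + 1]
                i += 2
            elif tok in ("inet", "inet6"):
                if i + 2 >= len(toks):
                    raise ValueError("%s needs an address and a netmask/prefixlen" % tok)
                cfg[tok] = (toks[i + 1], toks[i + 2])
                i += 3
            else:
                cfg["flags"].append(tok)        # up, down, link flags ...
                i += 1
    return cfg


def demote_count(ifconfig_g_carp: str) -> int:
    """Pull the count out of 'ifconfig -g carp' ('carp: carp demote count 2')."""
    m = re.search(r"carp demote count (\d+)", ifconfig_g_carp)
    return int(m.group(1)) if m else 0


def check_pair(master_conf: str, backup_conf: str,
               master_ifconfig_g: str = "", backup_ifconfig_g: str = "") -> list:
    """Return a list of findings; an empty list means the pair looks consistent."""
    m, b = parse_hostname_carp(master_conf), parse_hostname_carp(backup_conf)
    findings = []
    for key in ("vhid", "pass", "inet", "inet6"):
        if m.get(key) != b.get(key):
            findings.append("%s differs between nodes: master=%r backup=%r"
                            % (key, m.get(key), b.get(key)))
    if "vhid" not in m:
        findings.append("vhid missing: both nodes must share the same vhid")
    if "pass" not in m or "pass" not in b:
        findings.append("pass missing on a node: advertisements are authenticated with it (SHA1 HMAC)")
    if not m.get("carpdev") or not b.get("carpdev"):
        findings.append("carpdev missing on a node")
    if b["advskew"] <= m["advskew"]:
        findings.append("backup advskew %d must be higher than master advskew %d, "
                        "otherwise the election does not reflect your intent"
                        % (b["advskew"], m["advskew"]))
    if m["advbase"] != b["advbase"]:
        findings.append("advbase differs (%d vs %d); keep it equal on both nodes"
                        % (m["advbase"], b["advbase"]))
    md = demote_count(master_ifconfig_g)
    if md:
        findings.append("intended master has carp demote count %d; it advertises at lower "
                        "priority and stays BACKUP until the count returns to 0" % md)
    return findings


# Constructed from the configs quoted in the thread (THEPASSWORD is a placeholder).
MASTER = "vhid 1 carpdev em0 pass THEPASSWORD inet 10.20.30.40 255.255.255.0\n"
BACKUP = "vhid 1 carpdev em0 advskew 100 pass THEPASSWORD inet 10.20.30.40 255.255.255.0\n"
DEMOTED = "carp: carp demote count 2\n"

if __name__ == "__main__":
    print("good pair:      ", check_pair(MASTER, BACKUP))
    print("same advskew:   ", check_pair(MASTER, MASTER))
    print("master demoted: ", check_pair(MASTER, BACKUP, master_ifconfig_g=DEMOTED))
```

Because the pass line is the shared secret that authenticates the advertisements, keep hostname.carpN unreadable by unprivileged users, as the installer does for hostname.if files; a host that can read it can forge advertisements on that segment and take the address.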
Re: OpenBSD 6 + CARP + PFSYNC + vmware esxi 6 - stalled nat connections
Just a plus: after performing a ton of tests I brought up Debian Linux, FreeBSD and Windows.

FreeBSD: with the fetch tool no issue; using ftp causes the stall
OpenBSD: the wget and ftp tools cause the connection to stall
Linux Debian: wget works
Windows: works

I tested the retrieve with http://mirrors.slackware.com/slackware/slackware-iso/slackware64-14.2-iso/slackware64-14.2-install-dvd.iso

The workaround to replace "ifconfig pfsync0 down" was to use "no-sync" on the nat rule:

pass out nat-to 10.20.30.40 keep state (no-sync)

Thanks

2016-10-08 18:54 GMT-03:00 R0me0 *** <knight@gmail.com>:
> Hello Misc,
>
> I kindly would like to ask if anyone already faced something like this:
>
> I have the follow setup
>
> VMware 6 ( one physical interface )
>
> 2x OpenBSD 6 ( cloned machine) ( using E1000 ) ( was using vmxnet3 )
>
> OpenBSD Router running 3 carps ( ext / dmz / lan )
>
> Physical Carp interfaces has no IP
>
> em0 up
> em1 up
> em2 up
> em3 192.168.0.1/30 ( vmware virtual machine port VLAN ) ( tried with
> separated vswitch )
>
> pfsync0 up syncdev em3 ( tried using syncpeer )
>
> DMZ (carped ) has 4 hosts running OpenBSD 6
>
> ifconfig -g carp carpdemote 20
>
> Failover works as expected ( no issue )
>
> Issue : OpenBSD'S on DMZ to internet
>
> ftp -d openbsd.iso ( I have stalled connection )
>
> pkg_add -u ( in the middle way connect goes stalled )
>
> It just happen when performing NAT
>
> OpenBSD CARP Backup
>
> ifconfig pfsync0 down
>
> connections stop to be stalled
>
> This behavior is happening with OpenBSD hosts and http traffic
>
> Thanks in advance
OpenBSD 6 + CARP + PFSYNC + vmware esxi 6 - stalled nat connections
Hello Misc,

I kindly would like to ask if anyone has already faced something like this:

I have the following setup:

VMware 6 (one physical interface)

2x OpenBSD 6 (cloned machine) (using E1000) (was using vmxnet3)

OpenBSD router running 3 carps (ext / dmz / lan)

Physical carp interfaces have no IP

em0 up
em1 up
em2 up
em3 192.168.0.1/30 (vmware virtual machine port VLAN) (tried with a separated vswitch)

pfsync0 up syncdev em3 (tried using syncpeer)

DMZ (carped) has 4 hosts running OpenBSD 6

ifconfig -g carp carpdemote 20

Failover works as expected (no issue)

Issue: OpenBSD hosts on the DMZ to the internet

ftp -d openbsd.iso (I have a stalled connection)

pkg_add -u (midway the connection goes stalled)

It just happens when performing NAT.

On the OpenBSD CARP backup:

ifconfig pfsync0 down

connections stop being stalled.

This behavior is happening with OpenBSD hosts and http traffic.

Thanks in advance
Re: Building OpenBSD 6.0 -stable - Error
Hello Teno,

I have successfully updated five OpenBSD 5.9 to 6.0 on release day, following https://www.openbsd.org/faq/upgrade60.html

After that, I rebuilt all of them to the stable branch from:

$ cd /usr
$ cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_6_0 -P src

Was magical as expected.

Regards,

2016-09-03 8:11 GMT-03:00 Teno Deuter:
> meaning I shall try at a later time?
>
> Thank you
>
> On Sat, Sep 3, 2016 at 12:40 PM, Ted Unangst wrote:
> > Teno Deuter wrote:
> >> installed a fresh 6.0 AMD64 and tried to build 'stable' from source.
> >>
> >> Here is what I did as 'root' (as described in:
> >> http://www.openbsd.org/stable.html):
> >>
> >> export CVSROOT=anon...@anoncvs1.ca.openbsd.org:/cvs
> >> cd /usr; cvs checkout -P -rOPENBSD_6_0 src
> >
> > there's some repo surgery in progress. it should be fixed eventually.
Re: OpenBSD 6.0 release and errata60.html
Howdy!

Thanks for the quick reply. Really appreciated.

Regards,

2016-09-01 16:06 GMT-03:00 Francois Pussault <fpussa...@contactoffice.fr>:
> hello, no apply patches new if you want to
>
>
> ----
> > From: R0me0 *** <knight@gmail.com>
> > Sent: Thu Sep 01 20:59:43 CEST 2016
> > To: OpenBSD Misc <misc@openbsd.org>
> > Subject: OpenBSD 6.0 release and errata60.html
> >
> >
> > Hello misc,
> >
> > I have a little doubt
> >
> > Today was a Official Release of 6.0
> >
> > This release already include errata60.html patches or I need to apply ?
> >
> > Thanks in advance,
> >
>
> Cordialement
> Francois Pussault
> 10 chemin de négo saoumos
> apt 202 - bat 2
> 31300 Toulouse
> +33 6 17 230 820
> fpussa...@contactoffice.fr
OpenBSD 6.0 release and errata60.html
Hello misc,

I have a little doubt.

Today was the official release of 6.0.

Does this release already include the errata60.html patches, or do I need to apply them?

Thanks in advance,
Re: DigitalOcean and OpenBSD
It works, BUT I have experienced at least 3 droplet corruptions in 3 different locations in less than 1 month. I know OpenBSD isn't officially supported by DigitalOcean. At this moment I have several thoughts. The droplet keeps running, but if you intend to reboot and have an encrypted OpenBSD installation, consider having a fresh backup before the reboot. LoL :)

That's my point

2016-08-25 11:35 GMT-03:00 ds <d...@bitmail.cc>:
> On Thu, 25 Aug 2016 11:28:19 -0300
> "R0me0 ***" <knight@gmail.com> wrote:
>
> > http://www.elnur.pro/digitalocean-droplet-corruption
> >
>
> so what's your point? that openbsd doesn't work on DI?
Re: DigitalOcean and OpenBSD
http://www.elnur.pro/digitalocean-droplet-corruption

2016-08-25 11:18 GMT-03:00 ds <d...@bitmail.cc>:
> On Wed, 24 Aug 2016 10:40:38 -0300
> "R0me0 ***" <knight@gmail.com> wrote:
>
> > Hello everybody !
> >
> > Please,
> >
> > Anyone already had a disk corruption running OpenBSD @ DigitalOcean
> > with disk encryption ?
> >
> > I had this issue for the third time running OpenBSD 5.9 stable branch
> > and a simple "reboot" == No O/S
> >
> >
> > Thanks in advance,
> >
>
> if you're installing OpenBSD on a random VPS, i usually do this: boot
> up their ubuntu linux rescue image, and:
>
> apt-get update; apt-get -y install qemu
>
> download your OpenBSD iso and do this:
>
> qemu-system-x86_64 -nographic -curses -smp 4 -m 2G -drive
> file=/dev/sda,cache=none,if=virtio -boot d -cdrom $THEISO
>
> (assuming /dev/sda is your drive)
Re: DigitalOcean and OpenBSD
Hey James,

Thank you for your reply. I have had OpenBSD running on Vultr for almost thirty days with the same setup and everything is going very well. Also, I brought up an OpenBSD on Linode today and it seems ok as well :)

Cheers,

2016-08-24 21:42 GMT-03:00 James Pole <ja...@pole.net.nz>:
> I second the recommendation for Vultr. Loading an OpenBSD ISO and using
> that to install OpenBSD is a very straightforward process and it works very
> well in my experience. I have had a Vultr VPS running OpenBSD 5.9 for the
> last few months. It is part of a test to see whether it will function as a
> replacement for my existing FreeBSD and Debian VPS instances. I have been
> impressed enough that I plan to replace my FreeBSD and Debian instances
> with OpenBSD instances before the end of the year.
>
> - James
>
> > On 25/08/2016, at 8:25 AM, Pedro Tender <mascar...@sailormoon.pt> wrote:
> >
> > Not helping to the question but...
> >
> > Regarding similar cheap vps service you could try vultr where one can
> > install a custom ISO and have a clean OpenBSD install without
> > pre-installing other OSes - from what I can see it makes everything a big
> > mess.
> > I run a 5.9 stable (updated since original 5.7 install) there without any
> > problems but I don't have HD encryption so I don't have any idea and can
> > only suppose it should work without problems being a clean install.
> > While installing with their webKVM I can only have my keyboard layout (PT)
> > working if I use MSWindows, nor OSX nor OpenBSD make correct keyboard
> > attribution (and I cannot remove X packages on install because I don't have
> > the - key anywhere). I don't know if other keyboards will have similar
> > problems.
> >
> > Just wanted to share my experience so you could try alternatives if you
> > DOcean experience leaves you hanging.
> >
> > On Aug 24, 2016 20:52, "R0me0 ***" <knight@gmail.com> wrote:
> >
> >> Hey Adam,
> >>
> >> I have had this issue for the third time in different regions on the last
> >> 30 days and my procedure was getting minirootfs like Tubsta procedure.
> >>
> >> the only thing different was get openbsd 5.9 stable branch, recompiled
> >> kernel, rebooted and then recompiled userland tools and rebooted . ( Works
> >> like a charm ) and as expected :P
> >>
> >> Procedures from here https://www.openbsd.org/stable.html
> >>
> >> But suddenly like today the same # reboot
> >> I have NO O/S found .
> >>
> >> That's it
> >>
> >> 2016-08-24 16:12 GMT-03:00 Adam Taylor <artay...@gmail.com>:
> >>
> >>> I have not run into any issues with reboots on my encrypted OpenBSD
> >>> droplet on DO.
> >>>
> >>> It's running a 5.9 snapshot, not quite current.
> >>>
> >>> I followed the Tubsta instructions on getting it running. But deviated
> >>> since I wanted encryption just for fun.
> >>>
> >>> On Aug 24, 2016 9:42 AM, "R0me0 ***" <knight@gmail.com> wrote:
> >>>
> >>>> Hello everybody !
> >>>>
> >>>> Please,
> >>>>
> >>>> Anyone already had a disk corruption running OpenBSD @ DigitalOcean with
> >>>> disk encryption ?
> >>>>
> >>>> I had this issue for the third time running OpenBSD 5.9 stable branch and
> >>>> a simple "reboot" == No O/S
> >>>>
> >>>>
> >>>> Thanks in advance,
Re: DigitalOcean and OpenBSD
Hello misc,

Unfortunately, even after copying the raw disk and writing it to a local VM, disklabel isn't able to "see" the labels; the only thing left is the partitioning scheme.

Thank you everyone that gave me directions, really appreciated (all those in pvt as well).

Cheers guys!

2016-08-24 15:37 GMT-03:00 Martin Schröder:
> 2016-08-24 16:48 GMT+02:00 :
> > You did not provide any sensible detail, so consider this guess work.
>
> You're not helping.
Re: DigitalOcean and OpenBSD
Hey Chris,

I don't think so, because everything was going very well. The OpenBSD there just runs unbound, dnscrypt (pkg_add) and an ipsec vpn.

I rebooted today just out of curiosity (because I had already faced it) and to my surprise it happened again.

I guess it is something there, as cited by @Troy.

Summary: the problem is not with OpenBSD but something on DigitalOcean.

Thank you man!

2016-08-24 17:00 GMT-03:00 Chris Cappuccio <ch...@nmedia.net>:
> R0me0 *** [knight@gmail.com] wrote:
> >
> > I have NO O/S found .
> >
> > That's it
> >
>
> Is it possible that the instructions you are using are incomplete and/or
> incompatible with the software ? Have you tried this on a standalone
> machine?
Re: DigitalOcean and OpenBSD
Hey Anton!

I didn't ask for support! You are misunderstanding!

If I needed support from OpenBSD it would be related to some kernel panic or something similar, as I have already reported in the past.

In my point of view (I could be wrong, sorry if that is the case), I see a lot of people sharing experiences here on misc dot openbsd dot org. I always dig before asking.

So you need to be smoother and, as I said, silence is better than a useless shit.

If you have an experience to share like "Hey dude I already faced that", OK, nice, you're welcome! But if not, why are you guys writing? Come on dude, grow up!

2016-08-24 16:50 GMT-03:00:
> Wed, 24 Aug 2016 20:37:22 +0200 Martin Schröder
> > 2016-08-24 16:48 GMT+02:00 :
> > > You did not provide any sensible detail, so consider this guess work.
> >
> > You're not helping.
> >
>
> Hi Martin,
>
> Neither are you, of course, needless to say. Because you just won't get
> it. OpenBSD worked anywhere I've tried before on any KVM set up cheaper
> than on these toy virtual server offers. You have to do it yourself, so
> that you actually can support yourself. There is "NO"body doing support
> for you in these self service providers. Not for peanuts monthly, add 5
> bucks more and get a dedicated server, then choose bare metal or any KVM
> and be done with it, eliminating entirely the weak spot: lame VPS offer.
>
> This is why, the person in trouble can't get you any technical feedback,
> because he can't get sensible feedback from the provider technical team.
> The truth is: this is a misplaced support call, you can't help that guy.
> Because the target audience for such providers are not technical people.
>
> Read again, ask others, you will get pretty good picture of these facts.
> You can help other guys by giving them an idea what actually would work.
> Of course cut one sentence and start your interpretations, just perfect.
> Well now, let me expand the sentence back again to what I actually said.
> > Yet one other way to proceed, would be to seek support from the provider
> & be ready to pass tech info back and forth so OpenBSD help is possible.
>
> Kind regards,
> Anton
Re: DigitalOcean and OpenBSD
Hey Adam,

I have had this issue for the third time in different regions in the last 30 days, and my procedure was getting the minirootfs like the Tubsta procedure.

The only thing different was getting the OpenBSD 5.9 stable branch, recompiling the kernel, rebooting and then recompiling the userland tools and rebooting (works like a charm) and as expected :P

Procedures from here https://www.openbsd.org/stable.html

But suddenly, like today, the same # reboot
I have NO O/S found.

That's it

2016-08-24 16:12 GMT-03:00 Adam Taylor <artay...@gmail.com>:
> I have not run into any issues with reboots on my encrypted OpenBSD
> droplet on DO.
>
> It's running a 5.9 snapshot, not quite current.
>
> I followed the Tubsta instructions on getting it running. But deviated
> since I wanted encryption just for fun.
>
> On Aug 24, 2016 9:42 AM, "R0me0 ***" <knight@gmail.com> wrote:
>
>> Hello everybody !
>>
>> Please,
>>
>> Anyone already had a disk corruption running OpenBSD @ DigitalOcean with
>> disk encryption ?
>>
>> I had this issue for the third time running OpenBSD 5.9 stable branch and
>> a simple "reboot" == No O/S
>>
>>
>> Thanks in advance,
Re: DigitalOcean and OpenBSD
Hey Troy, thank you for your reply.

At this moment I am performing a dd over ssh. I was able to check with the recovery ISO provided by DigitalOcean that the partition table of OpenBSD seems to be there. After that I will try to restore the MBR and hope for an obsd boot :)

I will post the results.

2016-08-24 15:18 GMT-03:00 Troy Frericks <troy.freri...@gmail.com>:
> -- Forwarded message --
> From: Troy Frericks <troy.freri...@gmail.com>
> Date: Wed, Aug 24, 2016 at 1:17 PM
> Subject: Re: DigitalOcean and OpenBSD
> To: Daniel Ouellet <dan...@presscom.net>
>
>
> OpenBSD is not supported on/by DigitalOcean.
>
> https://www.google.com/search?q=site%3Awww.digitalocean.com+openbsd=utf-8=utf-8
>
> There are some tricks you can play... install FreeBSD, then put OpenBSD
> very carefully over it.
>
> http://www.tubsta.com/2015/04/openbsd-on-digital-ocean/
>
> You need to be careful of what you do. You can not backup the droplet and
> then restore it. There is something about what is stored on the first few
> tracks (I believe) of the disk that is not backed up nor restored... but if
> changed, can make the droplet unbootable.
>
> Suggest working from a hosting service that is OpenBSD friendly. You'll
> have an easier time things that manipulate the disk.
>
> Troy.
> #
>
>
> On Wed, Aug 24, 2016 at 11:41 AM, Daniel Ouellet <dan...@presscom.net>
> wrote:
>
> > On 8/24/16 12:24 PM, R0me0 *** wrote:
> > > Ok, here is a reply for you and all other motherfuckers that think and
> > > answer like you.
> >
> > Love you too.
> >
> > But note that someone wanted to help you. Quote:
> >
> > "A dmesg would be nice. And maybe a less snarky attitude."
> >
> > As I said we have no clue what you run, version and all. How do you
> > frankly expect an answer?
> >
> > Have a nice day.
> >
> > Peace,
> >
> > Daniel
> >
> > PS: No, your mother told you we had a date last week? Holy shit... I
> > didn't remember that one
Re: DigitalOcean and OpenBSD
Ok, here is a reply for you and all other motherfuckers that think and answer like you. No so close, OpenBSD and EC2 just is running not more than one year. ( I know very well EC2 ) Based on success history of OpenBSD and KVM in places like DigitalOcean and others why not use a shit place to run a decent OS ? OK , Not control over hardware there and all other stuff, and unfortunately this shits happens. Did I ask you to open a ticket or guess what is happening or I asked if someone faced ? Big difference Humm? Do you need a draw ? I guess so ! but I won't , Here answer who wants and a at least the silence its better that write a holy fucking shift . 2016-08-24 13:00 GMT-03:00 Daniel Ouellet <dan...@presscom.net>: > On 8/24/16 10:52 AM, R0me0 *** wrote: > > Just asked if someone already faced this issue after a simple reboot > > > > # reboot > > > > Do you need a draw ? > > > > KIND Regards, > > OK here is an answer as good as your question. > > Not so far. My son use Digital Ocean, only because they are cheap and he > put up with shit more then I do. Not that they are shit, but his word, > is "not the easier place to install and run quickly weird setup", but no > problem or crash so far. When he needs more serious space, EC2 is where > he goes. > > So, no issue so far, but he also keep installing current on Digital > Ocean when/if he install it. No ne have a clue what you run there, so > why bother to answer you! > > So, do you also " Do you need a draw ?"? > > Peace, > > Daniel
Re: DigitalOcean and OpenBSD
Just asked if someone already faced this issue after a simple reboot

# reboot

Do you need a drawing?

KIND Regards,

2016-08-24 11:48 GMT-03:00 <li...@wrant.com>:
> Wed, 24 Aug 2016 10:40:38 -0300 "R0me0 ***" <knight@gmail.com>
> > Hello everybody !
> >
> > Please,
> >
> > Anyone already had a disk corruption running OpenBSD @ DigitalOcean with
> > disk encryption ?
> >
> > I had this issue for the third time running OpenBSD 5.9 stable branch
> > and a simple "reboot" == No O/S
> >
> >
> > Thanks in advance,
> >
>
> Hi R0me0,
>
> You did not provide any sensible detail, so consider this guess work.
> The rest of the feedback is your guess work, so consider this solved.
>
> On a more helpful side, have you tried contacting their tech support?
> Commercial providers are typically servicing offered products by SLA.
>
> Kind regards,
> Anton
DigitalOcean and OpenBSD
Hello everybody!

Please,

Has anyone already had a disk corruption running OpenBSD @ DigitalOcean with disk encryption?

I had this issue for the third time running the OpenBSD 5.9 stable branch, and a simple "reboot" == No O/S

Thanks in advance,
relayd as transparent reverse proxy
Hello misc,

I'm trying to use relayd as a transparent reverse proxy with httpd. The goal is to keep the source IP.

I am using the OBSD 5.9 stable branch; relayd and httpd coexist on the same machine.

pf.conf (tried with rdr and divert-to):

pass in on egress divert-to localhost port 8080

relayd.conf:

relay "proxyrelay" {
	listen on 127.0.0.1 port 8080
	protocol "httpfilter"
	transparent forward to destination
}

(used accordingly with rdr/divert-to)

It works great, but if I use the word "transparent" it doesn't work. Using tcpdump I am able to see the traffic being blocked from my egress and the source port of httpd.

Ok, I took a look at this https://marc.info/?l=openbsd-misc=130479125318862=2

Removed "set skip on lo0" from pf.conf and tried to perform rules like the thread above.

The grammar in the relay section doesn't accept the "interface" keyword, but debugging with tcpdump, now I see a "loop" and the client never gets a response.

Is there a way to get it working on the same host?

Thanks in advance.
Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows 10?
Take a look at the router config. On some routers you need to enable "VPN passthrough", "ipsec" or something like that; get the router manual.

In the worst case, set up a DMZ pointing everything to the OpenBSD box (I particularly prefer this one).

2016-08-06 16:43 GMT-03:00 Sebastian Wain <sebastian.w...@nektra.com>:
> That ipsec.conf works perfectly if I am connecting to the VPN from the LAN
> but doesn't work if I put the VPN behind a router doing NAT and redirecting
> ports 500 and 4500 to the VPN server. In this case this is logged:
>
> 192.168.1.35 is the IP of the machine behind the router at 221.12.3.4 which
> is trying to connect to the VPN through the router at 200.1.32.22)
>
> Aug 6 10:10:19 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id
> 200.1.32.22
> Aug 6 10:10:19 fw isakmpd[7947]: dropped message from 221.12.3.4 port
> 4500 due to notification type INVALID_ID_INFORMATION
> Aug 6 10:10:34 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id
> 200.1.32.22
> Aug 6 10:10:34 fw isakmpd[7947]: dropped message from 221.12.3.4 port
> 4500 due to notification type INVALID_ID_INFORMATION
> Aug 6 10:11:16 fw isakmpd[7947]: transport_send_messages: giving up on
> exchange peer-default, no response from peer 221.12.3.4:500
>
> Thanks,
> Sebastian
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> R0me0 ***
> Sent: Thursday, August 4, 2016 1:57 PM
> To: Sebastian Wain <sebastian.w...@nektra.com>
> Cc: OpenBSD misc <misc@openbsd.org>
> Subject: Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows
> 10?
> > ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \ >main auth hmac-sha1 enc 3des group modp2048 \ >quick auth hmac-sha1 enc 3des psk "YOURSECRET" > > > You are welcome > > (: > > 2016-08-04 13:15 GMT-03:00 Sebastian Wain <sebastian.w...@nektra.com>: > > > I can't figure out how to make an OpenBSD VPN work. I followed the > > guide at [1] to set up a VPN, modified the network interface there to > > tun0 instead of pppoe0, and didn't configure the pf.conf. When I tried > > to connect from Win10 using the "L2TP/IPsec with pre-shared key" VPN > > type I see the issues below in phase > > 2: > > > > Thanks > > Sebastian > > > > [1] http://blog.fuckingwith.it/2015/08/openbsd-l2tpipsec-vpn- > > works-with.html > > > > Aug 3 responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 > IDs: > > initiator id 192.168.0.129, responder id 192.168.0.253 > > Aug 3 11:17:13 fw isakmpd[7947]: dropped message from > > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION > > Aug 3 11:17:14 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: > > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, > > responder id > > 192.168.0.253 > > Aug 3 11:17:14 fw isakmpd[7947]: dropped message from > > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION > > Aug 3 11:17:15 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: > > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, > > responder id > > 192.168.0.253 > > Aug 3 11:17:15 fw isakmpd[7947]: dropped message from > > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION > > Aug 3 11:17:18 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: > > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, > > responder id > > 192.168.0.253 > > Aug 3 11:17:18 fw isakmpd[7947]: dropped message from > > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION > > Aug 3 11:17:25 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: > > peer 
proposed invalid phase 2 IDs: initiator id 192.168.0.129, > > responder id > > 192.168.0.253 > > Aug 3 11:17:25 fw isakmpd[7947]: dropped message from > > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION > > Aug 3 11:17:40 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: > > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, > > responder id > > 192.168.0.253 > > Aug 3 11:17:40 fw isakmpd[7947]: dropped message from > > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION > > Aug 3 11:17:55 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: > > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, > > responder id > > 192.168.0.253 > > Aug 3 11:17:55 fw isakmpd[7947]: dropped message from > > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION > > Aug 3 11:18:38 fw isakmpd[7947]: transport_send_messages: giving > > up on exchange peer-default, no response from peer 192.168.0.129:500
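An added example, not from the thread: the two logs above differ in one detail that is easy to miss when reading raw daemon output, the address the peer proposes as its phase 2 initiator ID versus the address the packets actually arrive from. The Python below pairs each "peer proposed invalid phase 2 IDs" line with the "dropped message from" line that follows it and labels the failure: on the LAN the initiator ID equals the peer's source address; behind the NAT the ID is the client's private 192.168.1.35 while the source is the router's 221.12.3.4 on UDP 4500, the NAT-T port. The sample lines are constructed from the messages quoted in the thread; the labels and the port-4500 heuristic are this example's own.

```python
"""Triage isakmpd(8) INVALID_ID_INFORMATION failures from daemon log lines.

Added example, not from the thread. Pairs each "peer proposed invalid
phase 2 IDs" line with the following "dropped message from" line and
labels the failure; the labels and the UDP 4500 (NAT-T) heuristic are
this example's own assumptions.
"""
import ipaddress
import re

# Constructed from the log lines quoted in the thread.
SAMPLE_LOG = """\
Aug  3 11:17:13 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
Aug  3 11:17:13 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
Aug  6 10:10:19 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id 200.1.32.22
Aug  6 10:10:19 fw isakmpd[7947]: dropped message from 221.12.3.4 port 4500 due to notification type INVALID_ID_INFORMATION
Aug  6 10:11:16 fw isakmpd[7947]: transport_send_messages: giving up on exchange peer-default, no response from peer 221.12.3.4:500
"""

IDS_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id ([\d.]+), responder id ([\d.]+)")
DROP_RE = re.compile(
    r"dropped message from ([\d.]+) port (\d+) due to notification type (\w+)")


def parse_failures(text):
    """Return one dict per (IDs line, dropped line) pair; unpaired lines are ignored."""
    events, pending = [], None
    for line in text.splitlines():
        m = IDS_RE.search(line)
        if m:
            pending = {"initiator_id": m.group(1), "responder_id": m.group(2)}
            continue
        m = DROP_RE.search(line)
        if m and pending is not None:
            pending.update(peer=m.group(1), port=int(m.group(2)), notify=m.group(3))
            events.append(pending)
            pending = None
    return events


def classify(event):
    """Heuristic label for one failure (assumption of this example)."""
    init = ipaddress.ip_address(event["initiator_id"])
    peer = ipaddress.ip_address(event["peer"])
    if init == peer:
        return "lan"          # peer identifies itself by the address it sends from
    if init.is_private and event["port"] == 4500:
        return "behind-nat"   # private ID, different public source, NAT-T port
    return "id-mismatch"


def summarize(text):
    """Collapse a noisy log into {(peer, label): count}."""
    counts = {}
    for ev in parse_failures(text):
        key = (ev["peer"], classify(ev))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (peer, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{peer:16} {label:12} {n}")
```

Run it against /var/log/daemon on the VPN endpoint to see at a glance whether the clients that fail are the ones arriving through a NAT; that tells you whether to look at the router (passthrough, port forwarding) or at the phase 2 flow in ipsec.conf.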
Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows 10?
ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \ main auth hmac-sha1 enc 3des group modp2048 \ quick auth hmac-sha1 enc 3des psk "YOURSECRET" You are welcome (: 2016-08-04 13:15 GMT-03:00 Sebastian Wain: > I can't figure out how to make an OpenBSD VPN work. I followed the guide at > [1] to set up > a VPN, modified the network interface there to tun0 instead of pppoe0, and > didn't > configure the pf.conf. When I tried to connect from Win10 using the > "L2TP/IPsec with pre-shared key" VPN type I see the issues below in phase > 2: > > Thanks > Sebastian > > [1] http://blog.fuckingwith.it/2015/08/openbsd-l2tpipsec-vpn- > works-with.html > > Aug 3 responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: > initiator id 192.168.0.129, responder id 192.168.0.253 > Aug 3 11:17:13 fw isakmpd[7947]: dropped message from 192.168.0.129 > port 500 due to notification type INVALID_ID_INFORMATION > Aug 3 11:17:14 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id > 192.168.0.253 > Aug 3 11:17:14 fw isakmpd[7947]: dropped message from 192.168.0.129 > port 500 due to notification type INVALID_ID_INFORMATION > Aug 3 11:17:15 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id > 192.168.0.253 > Aug 3 11:17:15 fw isakmpd[7947]: dropped message from 192.168.0.129 > port 500 due to notification type INVALID_ID_INFORMATION > Aug 3 11:17:18 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id > 192.168.0.253 > Aug 3 11:17:18 fw isakmpd[7947]: dropped message from 192.168.0.129 > port 500 due to notification type INVALID_ID_INFORMATION > Aug 3 11:17:25 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id > 192.168.0.253 > Aug 3 11:17:25 fw isakmpd[7947]: dropped 
message from 192.168.0.129 > port 500 due to notification type INVALID_ID_INFORMATION > Aug 3 11:17:40 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id > 192.168.0.253 > Aug 3 11:17:40 fw isakmpd[7947]: dropped message from 192.168.0.129 > port 500 due to notification type INVALID_ID_INFORMATION > Aug 3 11:17:55 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id > 192.168.0.253 > Aug 3 11:17:55 fw isakmpd[7947]: dropped message from 192.168.0.129 > port 500 due to notification type INVALID_ID_INFORMATION > Aug 3 11:18:38 fw isakmpd[7947]: transport_send_messages: giving up on > exchange peer-default, no response from peer 192.168.0.129:500
Re: HTTPD location index issue
Solved

location "/app/" {
	directory index index.php
}

location "/app/*.php" {
	fastcgi socket "/run/php-fpm.sock"
}

Thanks

2016-07-28 18:17 GMT-03:00 R0me0 *** <knight@gmail.com>:
> Yes that's what I intend
>
> I noticed directory index grammar just works out of location grammar and I
> cant setup more than one time
>
>
>
> 2016-07-28 18:00 GMT-03:00 Alexander Hall <alexan...@beard.se>:
>
>>
>>
>> On July 28, 2016 10:33:04 PM GMT+02:00, R0me0 *** <knight@gmail.com>
>> wrote:
>> >Howdy !
>> >
>> >I'm running OpenBSD 5.9 stable branch
>> >
>> >I can't setup two different locations with different index files
>> >
>> >Sample:
>> >
>> >
>> >server "example.com"
>> > listen on egress port 80
>> ># Root path and directory index is already index.php
>> >root "/htdocs/example.com"
>> >
>> >location "/app/*.php" {
>>
>> I doubt location "/app/*.php" will match the /app directory itself.
>>
>> /Alexander
>>
>> ># setting new index for /app directory
>> >directory index "index.php"
>> >fastcgi socket "/run/php-fpm.sock"
>> >}
>> >
>> >Even configuring diferent locations / and /app and put index.html and
>> >index.php respectively I can't to have the expected behavior.
>> >
>> >Just able to set one or another not both.
>> >
>> >Any ideas ?
>> >
>> >Thanks in advance
Re: HTTPD location index issue
Yes, that's what I intend.

I noticed the directory index grammar just works outside of the location grammar and I can't set it up more than one time.

2016-07-28 18:00 GMT-03:00 Alexander Hall <alexan...@beard.se>:
>
>
> On July 28, 2016 10:33:04 PM GMT+02:00, R0me0 *** <knight@gmail.com>
> wrote:
> >Howdy !
> >
> >I'm running OpenBSD 5.9 stable branch
> >
> >I can't setup two different locations with different index files
> >
> >Sample:
> >
> >
> >server "example.com"
> > listen on egress port 80
> ># Root path and directory index is already index.php
> >root "/htdocs/example.com"
> >
> >location "/app/*.php" {
>
> I doubt location "/app/*.php" will match the /app directory itself.
>
> /Alexander
>
> ># setting new index for /app directory
> >directory index "index.php"
> >fastcgi socket "/run/php-fpm.sock"
> >}
> >
> >Even configuring diferent locations / and /app and put index.html and
> >index.php respectively I can't to have the expected behavior.
> >
> >Just able to set one or another not both.
> >
> >Any ideas ?
> >
> >Thanks in advance
Re: HTTPD location index issue
diff

< # Root path and directory index is already index.php
> # Root path and directory index is already index.html

2016-07-28 17:33 GMT-03:00 R0me0 *** <knight@gmail.com>:
> Howdy !
>
> I'm running OpenBSD 5.9 stable branch
>
> I can't setup two different locations with different index files
>
> Sample:
>
>
> server "example.com"
> listen on egress port 80
> # Root path and directory index is already index.php
> root "/htdocs/example.com"
>
> location "/app/*.php" {
> # setting new index for /app directory
> directory index "index.php"
> fastcgi socket "/run/php-fpm.sock"
> }
>
> Even configuring diferent locations / and /app and put index.html and
> index.php respectively I can't to have the expected behavior.
>
> Just able to set one or another not both.
>
> Any ideas ?
>
> Thanks in advance
HTTPD location index issue
Howdy!

I'm running the OpenBSD 5.9 stable branch.

I can't set up two different locations with different index files.

Sample:

server "example.com" {
	listen on egress port 80
	# Root path and directory index is already index.php
	root "/htdocs/example.com"

	location "/app/*.php" {
		# setting new index for /app directory
		directory index "index.php"
		fastcgi socket "/run/php-fpm.sock"
	}
}

Even configuring different locations / and /app and putting index.html and index.php respectively, I can't get the expected behavior.

I'm just able to set one or the other, not both.

Any ideas?

Thanks in advance
Gource
http://www.echothrust.com/blogs/monitoring-pf-logs-gource
Re: DNS over IPSec weirdness
Hey man,

I'm not sure about what is happening, but pflog is your best friend ever!

http://www.openbsd.org/faq/pf/logging.html

Try to find out if a specific rule is blocking traffic on one of the endpoints (both?).

Cheers,

2014-12-11 14:13 GMT-02:00 Zé Loff zel...@zeloff.org:

TL,DR: Queries to DNS server over IPSec made using host or dig work OK, requests made by e.g. ping exit the enc0 interface but don't show up on enc0 on the other end.

Hi all

I'm puzzled by some weird stuff happening with DNS queries over IPSec. I have a fully working tunnel over a roaming laptop and our network. The laptop gets its IP and DNS resolvers via DHCP and sets up a route to 192.168.16.0/22 over IPSec with NAT:

ike dynamic esp from 192.168.19.3 (egress) to 192.168.16.0/22 \
	peer vpn.foo.bar \
	srcid laptop.foo.bar dstid vpn.foo.bar

All works fine, I can ping, SSH, http, etc machines on 192.168.16.0/22, as long as I use their IP addresses. However, if I change the laptop's resolv.conf to use our DNS server (nameserver 192.168.16.2) weird things happen. If I use host or dig to query our server, I can see the DNS requests and answers pass correctly on the enc0 interfaces of both endpoints. However, if I try to do something like ping -c 1 www_lan.foo.bar (or e.g. ssh) I can see the packets with the DNS request pass through enc0 on the tunnel (and on the physical interface too) but no traffic shows up on enc0 on the other endpoint (I do believe they show up on the physical interface on that end, but my tcpdump foo isn't good enough to be sure). Again, all other traffic works fine, routing tables look ok, AFAICT pf isn't blocking anything, the laptop is running Dec 9 -current (amd64) and the other endpoint is running 5.4-release w/ mtier binpatches (i386) (planning to upgrade within a couple of days), and most importantly, both host and dig have their queries properly answered. Does anyone have any idea of what is going on?
Apologies in advance if important information is missing, and/or this is a known problem and an upgrade to 5.6 is enough (I briefly STFA and didn't find it, though). Cheers Zé --
Re: CARP cluster: howto keep pf.conf in sync?
I wrote a little script some time ago; it runs from crontab every 5 min and does this: check and generate md5 of important files like hostname.if, pf include files, etc. All necessary modifications are monitored natively by OpenBSD, but there is an ossec deployment as well. ifstated is used to invert from/to (always from master to slave). I hope this helps you =)

2014-07-28 8:50 GMT-03:00 Peus, Christoph christoph.p...@uni-wh.de:

Hi all, is there a standard or recommended way to keep the pf.conf on the CARP cluster members in sync? Thanks! Regards Christoph

-- Christoph Peus, Universität Witten/Herdecke, Bereich Informationstechnologie, Tel: +49 2302 926-212, Fax: +49 2302 926-44857, mailto:christoph.p...@uni-wh.de
Private Universität Witten/Herdecke gGmbH, Alfred-Herrhausen-Straße 50, D - 58448 Witten, Homepage: http://www.uni-wh.de, Twitter: http://twitter.com/UniWH, Facebook: http://www.facebook.com/UniWH
Geschäftsführung: Prof. Dr. Martin Butzlaff (Präsident), Dipl. oec. Jan Peter Nonnenkamp (Kanzler). Sitz der Gesellschaft: Witten. Handelsregister des Amtsgerichts Bochum Nr. HRB 8671
Re: CARP cluster: howto keep pf.conf in sync?
Hi Giancarlo, I would like to thank you for your background (: Yes, the important files are included in @changelist and it's sha256, but as the firewall rules get modified all the time, the other nodes need to be updated. So it's because of this that I run the script every 5 min and sync it using SCP. * My script runs independently of the daily scripts * and the hash is md5. Thank you @misc.

2014-08-01 9:22 GMT-03:00 Giancarlo Razzolini grazzol...@gmail.com:

On 01-08-2014 09:07, sven falempin wrote: doh! this is done in daily/security, look at /etc/changelist

It's not md5, it's sha256. md5 should not be used anymore. But what Romeo does is to run a script from cron every 5 minutes. Daily runs, obviously, daily. It's not suited for the task at hand. But if you ask me, I don't like this reactive approach. I use a git repo with hooks to apply changes as they are pushed to the central repository. But that's the nicest thing about *unix. There are lots of ways of doing things. You can copy things manually, create scripts to semi-automate things, use version control, use puppet and friends, etc. It's all about what you are most comfortable with. Cheers, -- Giancarlo Razzolini GPG: 4096R/77B981BC
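The checksum-and-scp approach described in this thread, written out as an added example. This is not Romeo's script and not anything from the OpenBSD base system; it uses sha256 rather than md5, as Giancarlo recommends, and the peer name fw-b, the list file /etc/pfsync-files.list and the state file /var/db/pfsync-files.state are assumed names.

```sh
#!/bin/sh
# Added example, not the script from the thread: push changed firewall config
# files from the CARP master to the backup node, driven by checksums rather
# than by a blind copy every run. Uses sha256 (as Giancarlo suggests) instead
# of md5. The peer name, file list and state-file paths are assumptions.

# sha256_of FILE: print the hex digest using whichever tool this host has
# (sha256(1) on OpenBSD, sha256sum on Linux, openssl as a last resort).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# changed_files LIST STATE: LIST names one file per line; STATE holds
# "digest path" lines from the previous run. Print each listed file whose
# digest is new or differs, then replace STATE with the current digests.
changed_files() {
    list="$1"; state="$2"; newstate="$2.new"
    : > "$newstate"
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        sum=$(sha256_of "$f")
        printf '%s %s\n' "$sum" "$f" >> "$newstate"
        grep -qxF -- "$sum $f" "$state" 2>/dev/null || printf '%s\n' "$f"
    done < "$list"
    mv "$newstate" "$state"
}

# sync_to_peer PEER LIST STATE: copy every changed file to the same path on
# PEER and reload pf there if anything was copied. Print the number of files
# copied. SYNC_CMD and RELOAD_CMD default to scp/ssh; override them to test.
# (Paths with whitespace are not handled; OpenBSD config paths have none.)
sync_to_peer() {
    peer="$1"; n=0
    for f in $(changed_files "$2" "$3"); do
        ${SYNC_CMD:-scp -q} "$f" "root@$peer:$f" && n=$((n + 1))
    done
    if [ "$n" -gt 0 ]; then
        ${RELOAD_CMD:-ssh} "root@$peer" pfctl -f /etc/pf.conf
    fi
    echo "$n"
}

# From cron on the master, e.g. every 5 minutes as in the thread:
#   */5 * * * * /usr/local/sbin/pfsync-files.sh fw-b /etc/pfsync-files.list /var/db/pfsync-files.state
if [ $# -eq 3 ]; then
    sync_to_peer "$1" "$2" "$3"
fi
```

The list file would name /etc/pf.conf, the files it includes and the hostname.if files. Only files whose digest changed are copied, and pf on the peer is reloaded only when something was copied, so a quiet run generates no traffic; because the digests are recomputed on every run, a change made between runs is picked up within five minutes rather than by the next morning's daily/security report from /etc/changelist.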
Happy New Year
Hi there ! I would like to wish a Happy New Year for all. Sincerely Guilherme Hakme
Re: OpenBSD, ipsec and sasyncd issue
mxb - my em's don't have any IP, only "up" inside hostname.emX. My advskew is 100 on the backup node.

2013/4/24 mxb m...@alumni.chalmers.se

Then there is also a question regarding how quickly your CARP will fail over, e.g. what is your advskew on the backup node?

On 24 apr 2013, at 22:30, mxb m...@alumni.chalmers.se wrote:

I'd start by looking at sasyncd and whether it actually works. If it works, 'netstat -rn' should show flows at the end of its output on the backup node:

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
flows should be printed here

The next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do the initial handshake and check their IP addresses. Are you sure your carp0 IP is talking and NOT the em0 IP? I'd also force isakmpd to bind to a specific IP (/etc/isakmpd/isakmpd.conf):

[General]
Listen-on=                  your carp0 IP goes here
DPD-check-interval=         60
Default-phase-1-lifetime=   3600,360:86400
Default-phase-2-lifetime=   1200,160:86400

If you do the above you might need to specify srcid in your ipsec.conf:

local_gw=your carp0 IP goes here
ike active esp main quick .. srcid $local_gw

//mxb

On 24 apr 2013, at 20:33, R0me0 *** knight@gmail.com wrote:

Hello misc, For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd. I searched google and misc, read the man pages and reviewed the configurations many times to make something work that is apparently very, very simple.
Re: OpenBSD, ipsec and sasyncd issue
I think that this is not needed :)

2013/4/25 mxb m...@alumni.chalmers.se

According to carp(4):

Assume that host A is the preferred master and 192.168.1.x/24 is configured on one physical interface and 192.168.2.y/24 on another. This is the setup for host A:

E.g., this means that you have to configure em0 with an IP, if em0 is the physical NIC used for carp0.

On 25 apr 2013, at 13:16, R0me0 *** knight@gmail.com wrote:

mxb - my em's don't have any IP, only "up" inside hostname.emX. My advskew is 100 on the backup node.

2013/4/24 mxb m...@alumni.chalmers.se

Then there is also a question regarding how quickly your CARP will fail over, e.g. what is your advskew on the backup node?

On 24 apr 2013, at 22:30, mxb m...@alumni.chalmers.se wrote:

I'd start by looking at sasyncd and whether it actually works. If it works, 'netstat -rn' should show flows at the end of its output on the backup node:

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
flows should be printed here

The next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do the initial handshake and check their IP addresses. Are you sure your carp0 IP is talking and NOT the em0 IP? I'd also force isakmpd to bind to a specific IP (/etc/isakmpd/isakmpd.conf):

[General]
Listen-on=                  your carp0 IP goes here
DPD-check-interval=         60
Default-phase-1-lifetime=   3600,360:86400
Default-phase-2-lifetime=   1200,160:86400

If you do the above you might need to specify srcid in your ipsec.conf:

local_gw=your carp0 IP goes here
ike active esp main quick .. srcid $local_gw

//mxb

On 24 apr 2013, at 20:33, R0me0 *** knight@gmail.com wrote:

Hello misc, For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd. I searched google and misc, read the man pages and reviewed the configurations many times to make something work that is apparently very, very simple.
OpenBSD, ipsec and sasyncd issue
Hello misc, For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd. I searched google and misc, read the man pages and reviewed the configurations many times to make something work that is apparently very, very simple.

My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with OpenBSD -current too):

match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
pass log

ipsec.conf (both firewalls in HA) (local 10.10.20.29 is the address of carp0):

ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
    peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
    quick auth hmac-sha2-256 enc blowfish psk 'sapeca'

sasyncd.conf (firewall master) (network 10.20.30.0/30 is on an interface dedicated to communication between the firewalls):

interface carp0
group carp
listen on 10.20.30.1 inet
peer 10.20.30.2
sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5

sasyncd.conf (firewall slave):

interface carp0
group carp
listen on 10.20.30.2 inet
peer 10.20.30.1
sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5

IP forwarding and carp preempt are enabled on both firewalls.

Steps to initiate on both firewalls:

isakmpd -K -S
ipsecctl -f /etc/ipsec.conf
sasyncd

The other OpenBSD peer, without HA (OpenBSD 5.2):

ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer 10.10.20.29 \
    main auth hmac-sha2-256 enc blowfish \
    quick auth hmac-sha2-256 enc blowfish \
    psk 'sapeca'

Alright, let me explain what is occurring: the VPN works perfectly, I can access resources behind the 10.15.1.33 peer, and on the OpenBSD slave I see the SAs synchronized from the master (ipsecctl -sa). If I force a failover on the OpenBSD master with:

ifconfig -g carp carpdemote 10

the other node takes over and connections continue working perfectly (for example a download of the OpenBSD ISO continues beautifully :) ) but the IPsec VPN does not: it freezes and takes between 25s and 30s for the VPN to reestablish the connection, and if I move the service back to the old OpenBSD master (ifconfig -g carp -carpdemote 10) the VPN freezes completely and does not come back; I need to kill isakmpd and start it again. I expected it to be transparent, like the beautiful failover, without IPsec disruption.

In my configuration, am I doing something wrong? Am I forgetting something? Can someone put me on the correct way? Regards,
Microsoft VPN PPTP
Hello misc, I have the following situation:

WAN --OBSD---LAN
        |
        |__DMZ 192.168.1.0/24 ---Windows 2003 - RRAS -- 10.20.30.x/27 - VPN IP's CLIENT

Clients connect to the RRAS server and pf filters traffic from the VPN clients to LAN services. The problem is: when VPN clients die, PF keeps the state of the connections and I get a storm of TCP packets with the PSH flag or RST, and bandwidth usage increases incredibly. When the storm occurs, if I execute 'pfctl -k 10.20.30.7', for example, the storm stops instantly. I'm searching for incidents, but I haven't found anything. Could someone show me the correct direction to solve this issue? Regards,
Re: Microsoft VPN PPTP
In future I will migrate, but for now I need to solve this issue. I've tried to change the tcp.closed and tcp.closing timeouts but without success. Thanks for the replies. Any tips will be appreciated, Regards

2013/1/31 Aaron Mason simplersolut...@gmail.com

If you can, change to a different type of VPN. Not because of the storm, but because PPTP has been broken security-wise. Good results have been achieved with OpenVPN.

On Thu, Jan 31, 2013 at 11:56 PM, R0me0 *** knight@gmail.com wrote:

Hello misc, I have the following situation:

WAN --OBSD---LAN
        |
        |__DMZ 192.168.1.0/24 ---Windows 2003 - RRAS -- 10.20.30.x/27 - VPN IP's CLIENT

Clients connect to the RRAS server and pf filters traffic from the VPN clients to LAN services. The problem is: when VPN clients die, PF keeps the state of the connections and I get a storm of TCP packets with the PSH flag or RST, and bandwidth usage increases incredibly. When the storm occurs, if I execute 'pfctl -k 10.20.30.7', for example, the storm stops instantly. I'm searching for incidents, but I haven't found anything. Could someone show me the correct direction to solve this issue? Regards,

-- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
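An added example that automates the workaround the poster found (pfctl -k against the dead client's address). It is not code from the thread, it does not address the underlying stale-state behaviour, and it does not change Aaron's point about replacing PPTP. It assumes the client pool 10.20.30.0/27 from the post, assumes the RRAS server's list of currently connected client addresses can be exported to a file with one address per line, and the pfctl -ss lines it is tested against are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: find pf states held for addresses in the
# PPTP client pool whose client RRAS no longer lists as connected, and kill
# them with pfctl -k, the action the poster found stops the storm. This is a
# workaround for the observed symptom, not a fix. Assumptions: the pool is
# 10.20.30.0/27 as in the thread, and the RRAS side exports its connected
# client addresses to a file with one address per line.

POOL_PREFIX="10.20.30."   # /27: last octet 0-31

# stale_vpn_addrs STATES ACTIVE: STATES is saved "pfctl -ss" output, ACTIVE the
# connected-client list. Print pool addresses that still have states but are
# not in ACTIVE, sorted, one per line.
stale_vpn_addrs() {
    awk -v active="$2" -v pfx="$POOL_PREFIX" '
        BEGIN { while ((getline a < active) > 0) live[a] = 1 }
        {
            for (i = 1; i <= NF; i++) {
                gsub(/[()]/, "", $i)        # NAT form: (addr:port)
                split($i, p, ":")           # drop :port
                if (index(p[1], pfx) != 1) continue
                split(p[1], o, ".")
                if (o[4] !~ /^[0-9]+$/ || o[4] + 0 > 31) continue
                if (!(p[1] in live)) seen[p[1]] = 1
            }
        }
        END { for (a in seen) print a }
    ' "$1" | sort
}

# kill_stale_vpn_states STATES ACTIVE: run "pfctl -k ADDR" for each stale
# address (kills every state originating from ADDR). With DRY_RUN=1 (the
# default) only print the commands. Print the number of addresses handled.
kill_stale_vpn_states() {
    n=0
    for a in $(stale_vpn_addrs "$1" "$2"); do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "pfctl -k $a"
        else
            pfctl -k "$a"
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# Typical use once the storm symptom appears:
#   pfctl -ss > /tmp/pf.states
#   DRY_RUN=0 kill_stale_vpn_states /tmp/pf.states /var/db/rras-active.txt
if [ $# -eq 2 ]; then
    kill_stale_vpn_states "$1" "$2"
fi
```

pfctl -k ADDR removes states whose source is ADDR; pfctl(8) also documents pfctl -k 0.0.0.0/0 -k ADDR for the states flowing toward it, which a dead client's LAN peers will still be holding. Run with DRY_RUN=1 first and compare the listed addresses against the RRAS console before letting it kill anything.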
CARP compatibility between 5.1 and 5.2
Hello misc, I have an OpenBSD 5.1 in production and I will put in another OpenBSD 5.2 and then configure CARP. Will I have some compatibility issue? Thanks in advance
Re: No route to host
Look at the pf states; the default is 1, and if the maximum is reached pf will block.

# systat pf

If needed, increase this.

2012/11/27 Laurent Caron (Mobile) lca...@unix-scripts.info

Loïc BLOT loic.b...@frostsapphirestudios.com wrote:

Hello to OpenBSD users, I have a little problem, I think it's linked with PF, but I have no proof. The system is OpenBSD 5.1 but OpenBSD 5.2 gets the same thing (with a different card, 5.1 uses bnx and 5.2 uses em). I have a router with squid proxy, named and isc-dhcpd. The problem is, sometimes I get "no route to host" for some transmissions (often on the proxy), but randomly. Our connection is perfectly stable (Renater 1Gbit fiber connection), and the routes are static and right. When squid says no route to host and I refresh the page, it works. I think it's a packet filter problem. Nmap sometimes has the same problem and says no route to host when I try to scan. Example:

Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:56 CET
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, aaa.bbb.ccc.20, 16) => No route to host
Offending packet: TCP xxx.yyy.zzz.1:42282 > aaa.bbb.ccc.20:5200 S ttl=37 id=32702 iplen=44 seq=2453102157 win=2048 <mss 1460>
Sleeping 15 seconds then retrying

This scan was run on two different networks, but in this capture it is the same network:

Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:58 CET
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, xxx.yyy.zzz.50, 16) => No route to host
Offending packet: TCP xxx.yyy.zzz.1:49053 > xxx.yyy.zzz.50:161 S ttl=52 id=62248 iplen=44 seq=3073961720 win=1024 <mss 1460>
Sleeping 15 seconds then retrying

I don't have the problem with pf disabled. All my outgoing packets are allowed and some are NATed. Where do you think the problem comes from? Thanks in advance. Loïc Blot, UNIX systems engineer.

Hello Loïc, What does your ruleset look like? Do you have a log of rejected packets (tcpdump on pflog0)?
Re: Carp doubt
I tried this: ifconfig -g carp carpdemote 50, and all carps are moved to the other node :) Sorry about that.

2012/10/31 R0me0 *** knight@gmail.com

Hello misc, I have a simple setup to test carp. My setup is as follows:

- Frw A

# cat /etc/hostname.carp0
inet 192.168.28.128 255.255.255.0 192.168.28.255 vhid 1 carpdev vic0 pass secret
# cat /etc/hostname.vic0
up
# cat /etc/hostname.carp1
inet 192.168.12.130 255.255.255.0 192.168.12.255 vhid 2 carpdev vic1 pass othersecret
# cat /etc/hostname.vic1
up
# cat /etc/hostname.pfsync0
up syncdev vlan13
# cat /etc/hostname.vlan13
inet 10.20.30.1 255.255.255.252 10.20.30.255 vlan 13 vlandev vic1

- Frw B

# cat /etc/hostname.carp0
inet 192.168.28.128 255.255.255.0 192.168.28.255 vhid 1 carpdev vic0 pass secret advskew 100
# cat /etc/hostname.vic0
up
# cat /etc/hostname.carp1
inet 192.168.12.130 255.255.255.0 192.168.12.255 vhid 2 carpdev vic1 pass othersecret advskew 100
# cat /etc/hostname.vic1
up
# cat /etc/hostname.pfsync0
up syncdev vlan13
# cat /etc/hostname.vlan13
inet 10.20.30.2 255.255.255.252 10.20.30.255 vlan 13 vlandev vic1

net.inet.carp.preempt=1 on both nodes

pf.conf (equal on both frw's):

# cat /etc/pf.conf
ext_if = vic0
int_if = vic1
pfsync_if = vlan13
set skip on lo
match out on $ext_if from 192.168.12.0/24 nat-to (carp0)
# Carp and Pfsync
pass log quick on $pfsync_if proto pfsync keep state (no-sync)
pass in log quick on {vic0 vic1} proto carp keep state (no-sync)
block log all
pass in log (to pflog1) quick on { vic0 vic1 } inet proto tcp to port 22 keep state (no-sync)
pass in quick on $int_if from 192.168.12.0/24
pass out

Tests: ifconfig carp0 down or ifconfig advskew 100 on the MASTER node: only carp0 is transferred to the other node. But if I execute ifconfig vic0 down, all carp nodes (carp0 and carp1) are transferred to the other node as expected. I tried this setup on real machines and the results are the same.

My doubt: to do maintenance on the master node, will I need to execute ifconfig advskew 128 on both carp interfaces? Which is the better practice to move all carp groups to the other node? I will appreciate the suggestions of misc. Regards,
Re: Carp doubt
My doubt persists. From the FAQ: To failover a particular CARP group, shut down the carp(4) interface on the master node .. I think that if I execute ifconfig carp0 down, all carps would be moved, because the default carp group is carp.

2012/10/31 R0me0 *** knight@gmail.com

I tried this: ifconfig -g carp carpdemote 50, and all carps are moved to the other node :) Sorry about that.

2012/10/31 R0me0 *** knight@gmail.com

Hello misc, I have a simple setup to test carp. My setup is as follows:

- Frw A

# cat /etc/hostname.carp0
inet 192.168.28.128 255.255.255.0 192.168.28.255 vhid 1 carpdev vic0 pass secret
# cat /etc/hostname.vic0
up
# cat /etc/hostname.carp1
inet 192.168.12.130 255.255.255.0 192.168.12.255 vhid 2 carpdev vic1 pass othersecret
# cat /etc/hostname.vic1
up
# cat /etc/hostname.pfsync0
up syncdev vlan13
# cat /etc/hostname.vlan13
inet 10.20.30.1 255.255.255.252 10.20.30.255 vlan 13 vlandev vic1

- Frw B

# cat /etc/hostname.carp0
inet 192.168.28.128 255.255.255.0 192.168.28.255 vhid 1 carpdev vic0 pass secret advskew 100
# cat /etc/hostname.vic0
up
# cat /etc/hostname.carp1
inet 192.168.12.130 255.255.255.0 192.168.12.255 vhid 2 carpdev vic1 pass othersecret advskew 100
# cat /etc/hostname.vic1
up
# cat /etc/hostname.pfsync0
up syncdev vlan13
# cat /etc/hostname.vlan13
inet 10.20.30.2 255.255.255.252 10.20.30.255 vlan 13 vlandev vic1

net.inet.carp.preempt=1 on both nodes

pf.conf (equal on both frw's):

# cat /etc/pf.conf
ext_if = vic0
int_if = vic1
pfsync_if = vlan13
set skip on lo
match out on $ext_if from 192.168.12.0/24 nat-to (carp0)
# Carp and Pfsync
pass log quick on $pfsync_if proto pfsync keep state (no-sync)
pass in log quick on {vic0 vic1} proto carp keep state (no-sync)
block log all
pass in log (to pflog1) quick on { vic0 vic1 } inet proto tcp to port 22 keep state (no-sync)
pass in quick on $int_if from 192.168.12.0/24
pass out

Tests: ifconfig carp0 down or ifconfig advskew 100 on the MASTER node: only carp0 is transferred to the other node. But if I execute ifconfig vic0 down, all carp nodes (carp0 and carp1) are transferred to the other node as expected. I tried this setup on real machines and the results are the same.

My doubt: to do maintenance on the master node, will I need to execute ifconfig advskew 128 on both carp interfaces? Which is the better practice to move all carp groups to the other node? I will appreciate the suggestions of misc. Regards,
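The whole-group demotion this thread arrived at, wrapped in an added example with a verification step. This is not code from the thread; the interface names and addresses, the demotion value 50 and the ifconfig output it is tested against are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: a maintenance helper around the answer
# the thread arrived at, "ifconfig -g carp carpdemote N", with a check that
# every carp(4) interface on this node really went BACKUP before work starts.
# It parses ifconfig(8) output lines of the form
#   carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
#           carp: MASTER carpdev vic0 vhid 1 advbase 1 advskew 0
# The interface names, addresses and demotion value are assumptions.

# carp_states: read ifconfig output on stdin, print "ifname STATE" per carp interface.
carp_states() {
    awk '
        /^carp[0-9]+:/  { sub(/:$/, "", $1); ifn = $1 }
        /^[ \t]+carp: / { print ifn, $2 }
    '
}

# all_backup: read ifconfig output on stdin; succeed only if every carp
# interface is BACKUP (fails if none is listed at all).
all_backup() {
    carp_states | awk '
        $2 == "BACKUP" { n++; next }
        { bad++ }
        END { exit (bad || !n) ? 1 : 0 }
    '
}

# demote_all_carp [N]: raise the demotion counter on the whole "carp" group so
# that every vhid fails over together, then verify. IFCONFIG is overridable
# so the check can run against captured output.
demote_all_carp() {
    ${IFCONFIG:-ifconfig} -g carp carpdemote "${1:-50}" || return 1
    ${IFCONFIG:-ifconfig} carp | all_backup
}

# restore_all_carp [N]: undo the demotion; with net.inet.carp.preempt=1 this
# node takes MASTER back (compare "ifconfig -g carp -carpdemote 10" in the
# sasyncd thread above).
restore_all_carp() {
    ${IFCONFIG:-ifconfig} -g carp -carpdemote "${1:-50}"
}

# Constructed ifconfig output, not captured from the poster's firewalls.
SAMPLE_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vic0 vhid 1 advbase 1 advskew 0
        inet 192.168.28.128 netmask 0xffffff00 broadcast 192.168.28.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vic1 vhid 2 advbase 1 advskew 0
        inet 192.168.12.130 netmask 0xffffff00 broadcast 192.168.12.255'
SAMPLE_DEMOTED='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vic0 vhid 1 advbase 1 advskew 0
        inet 192.168.28.128 netmask 0xffffff00 broadcast 192.168.28.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vic1 vhid 2 advbase 1 advskew 0
        inet 192.168.12.130 netmask 0xffffff00 broadcast 192.168.12.255'

# Usage on the master before maintenance:
#   demote_all_carp 50 && echo "all carp interfaces are BACKUP, safe to proceed"
#   ... work ...
#   restore_all_carp 50
```

demote_all_carp raises the demotion counter on every interface in the carp group at once, so both vhids fail over together, unlike ifconfig carp0 down, which moves a single vhid; the parse afterwards confirms every carp interface reports BACKUP before maintenance starts, and restore_all_carp reverses it when the work is done.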
Re: Can't install rrdtool on OpenBSD 5.0
Hello Nick, I understand your point of view. But Nicolas shared a very cool thing, and I believe that there are many mates who watch the list and sometimes learn something new from the experience of each one. Regards Guilherme Hakme

2012/5/2 Nick Holland n...@holland-consulting.net

On 05/02/12 16:47, Nicolas Pence wrote:

Hi, if you upgrade to 5.1 you'll have the same problem (but for libfreetype.so.18.1). You don't really need to install the complete xbase,

oh, please don't.

just that specific library, you can do it like this (change the values for your release and libfreetype version):

tar -C / -xzphf xbase51.tgz ./usr/X11R6/lib/libfreetype.so.18.1

you can check yours with:

tar tvzf xbase${RELEASE}.tgz | grep libfreetype.so

why? You can also chop your leg off with a chain saw, and I'm sure the weight savings would increase your car's fuel economy a bit. Good administration is not about showing what kind of pain you can inflict on yourself, or convince others to do to themselves. Just do it simple... install xbase, if not all of X. On a modern system, there's no reason not to, and I suspect you aren't running rrdtool on a resource-starved system. Nick.
Can't install rrdtool on OpenBSD 5.0
Hello misc, I'm trying to install:

pkg_add -vi ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/i386/rrdtool-1.2.30p3.tgz

but I got this error:

Can't install rrdtool-1.2.30p3 because of libraries
|library freetype.18.0 not found
| not found anywhere
Direct dependencies for rrdtool-1.2.30p3 resolve to png-1.5.4 libart-2.3.21
Full dependency tree is png-1.5.4 libart-2.3.21

png and libart are installed (I tried installing the X sets too, without success). Any directions are appreciated, Regards,
Re: Can't install rrdtool on OpenBSD 5.0
Installing xbase solves the problem =/

2012/5/2 R0me0 *** knight@gmail.com

Hello misc, I'm trying to install:

pkg_add -vi ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/i386/rrdtool-1.2.30p3.tgz

but I got this error:

Can't install rrdtool-1.2.30p3 because of libraries
|library freetype.18.0 not found
| not found anywhere
Direct dependencies for rrdtool-1.2.30p3 resolve to png-1.5.4 libart-2.3.21
Full dependency tree is png-1.5.4 libart-2.3.21

png and libart are installed (I tried installing the X sets too, without success). Any directions are appreciated, Regards,
Re: Can't install rrdtool on OpenBSD 5.0
Hello Nicolas, Installing xbase50.tgz solved the problem :) Regards

2012/5/2 Nicolas Pence nico...@pence.com.uy

Hi, if you upgrade to 5.1 you'll have the same problem (but for libfreetype.so.18.1). You don't really need to install the complete xbase, just that specific library, you can do it like this (change the values for your release and libfreetype version):

tar -C / -xzphf xbase51.tgz ./usr/X11R6/lib/libfreetype.so.18.1

you can check yours with:

tar tvzf xbase${RELEASE}.tgz | grep libfreetype.so

good luck!

On 02/05/12 17:30, R0me0 *** wrote:

Installing xbase solves the problem =/

2012/5/2 R0me0 *** knight@gmail.com

Hello misc, I'm trying to install:

pkg_add -vi ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/i386/rrdtool-1.2.30p3.tgz

but I got this error:

Can't install rrdtool-1.2.30p3 because of libraries
|library freetype.18.0 not found
| not found anywhere
Direct dependencies for rrdtool-1.2.30p3 resolve to png-1.5.4 libart-2.3.21
Full dependency tree is png-1.5.4 libart-2.3.21

png and libart are installed (I tried installing the X sets too, without success). Any directions are appreciated, Regards,
time exceeded in-transit
Hello misc, I have an OpenBSD 5.0 running with outgoing load balancing and ifstated to check link status. I have pf.conf with rules for outgoing load balancing for link 1 and link 2, pf.link1 and pf.link2 respectively.

ifstated.conf:

link1_test = '(ping -q -c 3 74.125.234.212 > /dev/null every 20)'
link2_test = '(ping -q -c 3 74.125.234.208 > /dev/null every 20)'

at pf.conf:

pass out log quick on $link1_if inet proto icmp to 74.125.234.208 nat-to 192.168.20.2 route-to ($link2_if $link2_gw)
pass out log quick on $link1_if inet proto icmp from $link1_if to 74.125.234.212

and I do the same tests when the link status changes and I load the pf ruleset for the corresponding link. Ok, it works great, but if one of the interfaces changes status to down, for example:

ifconfig em1 down

the following rule stops working:

pass out log quick on $link1_if inet proto icmp to 74.125.234.208 nat-to 192.168.20.2 route-to ($link2_if $link2_gw)

and ifstated does not work correctly.

# tcpdump -vvni em0 host 74.125.234.208
tcpdump: listening on em0, link-type EN10MB
23:24:56.762984 192.168.20.2 > 74.125.234.208: icmp: echo request (id:ae4c seq:0) (ttl 255, id 13722, len 84, bad cksum 0! differs by 7c16)
23:24:56.774130 74.125.234.208 > 192.168.20.2: icmp: echo reply (id:ae4c seq:0) (ttl 57, id 42659, len 84)
23:24:56.774295 192.168.20.2 > 74.125.234.208: icmp: time exceeded in-transit for 74.125.234.208 > 192.168.20.2: icmp: echo reply (id:ae4c seq:0) [ttl 1] (id 42659, len 84) (ttl 255, id 58775, len 56, bad cksum 0! differs by cc34)

But if the interface stays UP, it works very well. Another thing: I'm pinging google servers because sometimes some gateways respond to a ping while the problem is at the ISP. Please, can someone show me the correct way to do this? Regards,
Re: My OpenBSD 5.0 installation experience (long rant)
*UNIX was not designed to stop its users from doing stupid things, as that would also stop them from doing clever things.* Doug Gwyn

On 7 March 2012 at 11:27, Leonardo Sabino dos Santos leonardo.sab...@gmail.com wrote:

On Wed, Mar 7, 2012 at 2:44 PM, Russell Garrison russell.garri...@gmail.com wrote:

I am absolutely intrigued by this story despite my better judgement. You were able to cook your own full OpenBSD installer on a USB stick with GRUB instead of downloading an ISO or using PXE, but you failed disk setup in the installer? It really would be interesting to see if you can read just http://www.openbsd.org/faq/faq4.html , particularly 4.5.3 and then come back to us with anything other than a mea culpa.

I admit to pressing Enter at some of the questions without reading carefully. It simply never crossed my mind that the default action for the installer is to erase the whole disk without chance for review. I still think that's a disaster waiting to happen.

On Wed, Mar 7, 2012 at 3:04 PM, Christer Solskogen christer.solsko...@gmail.com wrote:

What if you mistyped there as well? Do you want a "Are you REALLY REALLY sure??" Then again, partitioning your disk is a bit more serious than "What's your hostname?" or "What time zone are you in?".

Maybe that one question deserves an extra confirmation, or a less dangerous default. Just saying.
Re: OpenBSD 4.4
Hello misc, I've appreciated all the answers. The kernel is GENERIC. My complex setup is many networks, pf rules, VLANs and a route to all (route add). If I execute:

- nmap -sV -T4 -O -F 10.20.0/16 (I'm at 10.20.76)

the following error occurs: http://img41.imageshack.us/img41/9500/20120123213213394.jpg

After reading all the comments, I am only writing to show the error and share the information. As soon as possible, I will upgrade. Thanks to all.

On 24 January 2012 at 20:46, Peter N. M. Hansteen pe...@bsdly.net wrote:

R0me0 *** knight@gmail.com writes:

I'm running a fully patched OpenBSD 4.4 with a very complex setup, and I'm planning an upgrade to 5.0.

That's a seriously long jump, but then again, that upgrade may very well be a blessing in disguise -- an opportunity to identify what parts of your complex setup are actually just cascades of accidents that followed quasi-logically from other earlier accidents (no worries, this should sound familiar to most of the people who've been around for a while) and what actually matters and needs to be that way for a reason. Do take the time for proper preparations, though: at the very least read through the upgrade steps for each of the versions, starting from http://www.openbsd.org/faq/upgrade45.html and proceeding through http://www.openbsd.org/faq/upgrade50.html. The only *supported* method is to go through all of those upgrade steps, but you might find it easier to back up your data and config, do a clean install, restore data and then introduce those configuration elements that are in fact essential or at least useful for your particular environment.

At this moment, if I execute nmap 10.20.0/16, I have a dbg. I've limited the number of max connections and connections per second; that solved the problem. When dbg occurs, I cannot do a trace because it completely hangs.

Others have offered as useful input as can be had on those. Good luck with the upgrade! All the best, Peter

-- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
OpenBSD 4.4
Hello misc :)

I'm running a fully patched OpenBSD 4.4 with a very complex setup, and I'm planning an upgrade to 5.0.

At the moment, if I execute nmap 10.20.0/16, I have a dbg. I've limited the number of max connections and connections per second; that solved the problem.

When dbg occurs, I cannot do a trace because it completely hangs.

Following is a dmesg; any directions will be appreciated.

OpenBSD 4.4 (TENMA.MP) #3: Tue Jan 24 00:46:50 BRST 2012
    r...@ns1.mycompany.com:/home/src/sys/arch/amd64/compile/TENMA.MP
real mem = 2132389888 (2033MB)
avail mem = 2070573056 (1974MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xee000 (68 entries)
bios0: vendor HP version P58 date 08/03/2008
bios0: HP ProLiant DL360 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC BERT HEST SSDT
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz, 2833.79 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,LONG
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: apic clock running at 333MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz, 2833.44 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,LONG
cpu1: 6MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz, 2833.44 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,LONG
cpu2: 6MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz, 2833.44 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,LONG
cpu3: 6MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 9 pa 0xfec8, version 20, 24 pins
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 11 (IPE1)
acpiprt2 at acpi0: bus 10 (IPE4)
acpiprt3 at acpi0: bus 17 (P2P2)
acpiprt4 at acpi0: bus 9 (PT02)
acpiprt5 at acpi0: bus 6 (PT03)
acpiprt6 at acpi0: bus 20 (PT04)
acpiprt7 at acpi0: bus 3 (NB01)
acpiprt8 at acpi0: bus 5 (NB02)
acpiprt9 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C3
acpicpu1 at acpi0: C3
acpicpu2 at acpi0: C3
acpicpu3 at acpi0: C3
acpitz0 at acpi0: critical temperature 31 degC
ipmi at mainbus0 not configured
cpu0: unknown i686 model 7, can't get bus clock
cpu0: EST: unknown system bus clock
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel 5000P Host rev 0xb1
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0xb1
pci1 at ppb0 bus 9
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 10
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 11
ppb3 at pci3 dev 0 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci4 at ppb3 bus 12
ppb4 at pci4 dev 2 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci5 at ppb4 bus 13
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 19 (irq 10), address 00:1f:29:5f:fe:b5
em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 18 (irq 10), address 00:1f:29:5f:fe:b4
ppb5 at pci4 dev 4 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci6 at ppb5 bus 14
em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 17 (irq 7), address 00:1f:29:5f:fe:b7
em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8 int 16 (irq 5), address 00:1f:29:5f:fe:b6
ppb6 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01
pci7 at ppb6 bus 15
ppb7 at pci2 dev 2 function 0 Intel 6321ESB PCIE rev 0x01
pci8 at ppb7 bus 16
ppb8 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci9 at ppb8 bus 17
ppb9 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0xb1
pci10 at ppb9 bus 6
ciss0 at pci10 dev 0 function 0 Hewlett-Packard Smart Array rev 0x04: apic 8 int 16 (irq 5)
ciss0: 1 LD, HW rev 4, FW 4.12/4.12
scsibus0 at ciss0: 1 targets, initiator 1
sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 4.12 SCSI3 0/direct fixed
sd0: 139979MB, 17844 cyl, 255 head, 63 sec, 512 bytes/sec, 286677120 sec total
ppb10 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0xb1
pci11 at ppb10 bus 20
ppb11 at pci11 dev 0 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci12 at ppb11 bus 21
ppb12 at pci12 dev 2 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci13 at ppb12 bus 22
em4 at pci13 dev 0 function 0 Intel PRO/1000 QP
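The poster says that capping the number of connections and the connection rate stopped the nmap sweep from taking the firewall down. In pf.conf that is a per-source state limit with an overload table. What follows is an added example and not the poster's own ruleset; the interface name, the ports and the thresholds are assumptions.

```pf
# Added example, not the poster's configuration. $ext_if, the port list and
# the thresholds are assumptions; tune them to the real traffic profile.
ext_if = "em0"

# Cap the state table itself so that a sweep cannot exhaust kernel memory
# by creating states faster than they expire.
set limit states 40000

# Sources that exceed the per-source limits are collected here. "persist"
# keeps the table around even when no loaded rule references it.
table <abusers> persist

# Drop anything from a source that has already been flagged.
block in quick on $ext_if from <abusers>

# Per-source limits on new TCP connections to services on the firewall:
# at most 50 concurrent states, and at most 15 new connections in any
# 5-second window. A source that exceeds either is added to <abusers>,
# and "flush global" tears down every state it already holds.
pass in on $ext_if proto tcp to ($ext_if) port { 22, 80, 443 } \
    keep state (max-src-conn 50, max-src-conn-rate 15/5, \
                overload <abusers> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, watch the state count with `pfctl -si` while a scan is running, and list flagged sources with `pfctl -t abusers -T show`; `pfctl -t abusers -T expire 3600` from cron drops entries older than an hour. The limits reduce exposure but do not fix whatever the kernel trips over; that still needs the ddb trace the poster mentions, which a serial console makes possible even when the display hangs.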
Re: OpenBSD 4.4
It is a GENERIC kernel; the name is only a copy of GENERIC.MP :) . As I said, it is a complex setup and I'm planning an upgrade.

Cheers,

On 24 January 2012 16:10, Rares Aioanei <bsdlis...@gmail.com> wrote:
> On 01/24/2012 07:48 PM, R0me0 *** wrote:
>> Hello misc :)
>>
>> I'm running a fully patched OpenBSD 4.4 with a very complex setup, and I'm planning an upgrade to 5.0.
>>
>> At the moment, if I execute nmap 10.20.0/16, I have a dbg. I've limited the number of max connections and connections per second; that solved the problem.
>>
>> When dbg occurs, I cannot do a trace because it completely hangs.
>>
>> Following is a dmesg; any directions will be appreciated.
>>
>> OpenBSD 4.4 (TENMA.MP) #3: Tue Jan 24 00:46:50 BRST 2012
>>     r...@ns1.mycompany.com:/home/src/sys/arch/amd64/compile/TENMA.MP
>> [...]
Re: essential reading for beginning OpenBSD users
http://www.amazon.com/Absolute-OpenBSD-Unix-Practical-Paranoid/dp/1886411999 !

2011/9/6 Daniel Villarreal <yclwebmas...@gmail.com>
> I consider the following to be essential reading for beginning OpenBSD users...
>
> Absolute FreeBSD, 2nd Edition information by Michael W. Lucas...
> http://www.nostarch.com/abs_bsd2.htm
>
> Don't forget the Book of PF, 2nd Edition by Peter N.M. Hansteen ...
> http://nostarch.com/pf2.htm
>
> Over the years I've spent a lot of money on O'Reilly GNU/Linux books, but the 1st ed. versions of the above books astound me with their clarity in explaining very technical concepts in an easy-to-understand manner. I never before considered technical computer writing to be elegantly handled, but combined with the man pages, the documentation is simply superb.
>
> Usually I wouldn't even consider buying a newer version of a computer book I already have, but I will be buying the second editions of said books when I can.
>
> Thanks for your efforts!
>
> Daniel Villarreal
>
> On Tue, Sep 6, 2011 at 7:12 AM, Amit Kulkarni <amitk...@gmail.com> wrote:
>> Lucas is bringing out a 2nd edition of absolute openbsd, which i am gonna buy ...
change pciide0 native-pci to compatibility mode
Hello, misc,

I have a problem plugging in a PCI Ethernet card which is supported by OpenBSD.

I have one machine where channel 0 is configured to compatibility, and on this machine the network card is recognized.

On another machine, channel 0 is configured to native-PCI, and on this machine the network card is not recognized.

My question: is it possible to change native-PCI to compatibility mode? Is it done through boot -c?

Best Regards,
Re: Transparent smtp/pop3 proxy
Hi Stuart,

It is always very good to read your mails here at misc :)

A friend has done it, and he told me the same as you: to use always_bcc.

Thank you, I'm reading a little more, but the ideas are now fixed.

Best regards,

2011/7/29 Stuart Henderson <s...@spacehopper.org>
> On 2011-07-28, R0me0 *** <knight@gmail.com> wrote:
>> Hello misc.
>>
>> I would like to know if it is possible to do the following:
>>
>> clients --> OpenBSD_FW --> External_mail_server
>>
>> When clients send or receive an email, OpenBSD catches this mail and sends a copy of it to another email account; it must be transparent to the user.
>>
>> Please, can anybody indicate the correct way to do this?
>>
>> Thanks in advance
>>
>> Cheers,
>
> dsniff has mailsnarf which claims to do this, it won't handle encrypted sessions even if you have the key material and I have no idea how well it can handle recent SMTP implementations.
>
> For SMTP you can run a standard MTA like Postfix and divert all connections to it and use always_bcc or similar.
>
> In some places intercepting communications will likely be illegal (at least without consent from one or possibly both parties), so do your own research as to whether you're allowed to do this.
>
> Intercepting mail like this is *very easy*. People who want to avoid having their mail intercepted in this way should 1) use encryption and 2) carefully check that they're connecting to the server which they're expecting (check certificates etc).
Transparent smtp/pop3 proxy
Hello misc.

I would like to know if it is possible to do the following:

clients --> OpenBSD_FW --> External_mail_server

When clients send or receive an email, OpenBSD catches this mail and sends a copy of it to another email account; it must be transparent to the user.

Please, can anybody indicate the correct way to do this?

Thanks in advance

Cheers,
Re: Transparent smtp/pop3 proxy
Hello Robert,

I appreciate your email. I would like to explain: yes, it is a corporate organization; all employees are aware of the copy of sent and received email. All employees sign a document stating that they are aware. Here in Brazil, since a signed document exists, it is valid, of course. Nothing illegal.

Thank you, you have helped me so much.

Cheers,

2011/7/28 roberth <rob...@openbsd.pap.st>
> On Thu, 28 Jul 2011 18:00:03 -0300
> R0me0 *** <knight@gmail.com> wrote:
>> when clients send or receive an email, OpenBSD catch this mail and send a copy of this to another email account, it must be transparently to user.
>
> bad juju!
> sooo, you want to intercept email not destined for yourself.
> you are asking about it on a public mailing list.
> hmmm, hot water, bad karma.
> ethically you will be reborn as a snail and those that help you with it won't even have a house on their backs.
>
> if you have control over the clients that are sending mail, let's say in a corporate environment, where the people sending mail are aware of the copying policy... you don't do it transparently, but by mandatorily configuring the mail clients to use one of your smarthosts to send mail. copy/duplicate it there. that's a smtpd solution you are looking for.
>
> otherwise, feel obligated to educate your clients to configure their mail clients to use ssl/tls for receiving/sending mail.
>
> if you are being pressured into implementing that spy stuff, let's say by your boss, just tell ver i'll get to it. if you get fired over it, get a lawyer and a hopefully satisfying settlement.
>
> blub,
> - Robert
Re: Transparent smtp/pop3 proxy
Again, thank you.

I know that a very determined user can do some things, but he doesn't know what I can do with PF.

People should be educated like you :)

Best regards and thank you!

2011/7/28 roberth <rob...@openbsd.pap.st>
> On Thu, 28 Jul 2011 19:39:20 -0300
> R0me0 *** <knight@gmail.com> wrote:
>> Yes, it is a corporate organization; all employees are aware of the copy of sent and received email. All employees sign a document stating that they are aware. Here in Brazil, since a signed document exists, it is valid, of course. Nothing illegal.
>>
>> Thank you, you have helped me so much.
>
> So the incoming mail already touches your own smtpd.
> For outgoing mail, as i said, _smarthost_ and do the best you can to block any mail that isn't going out through there. (eg via pf rules)
> You will only catch the low hanging fruits as there are too many possible ways to deceive by any determined person.
> Blocking all webmail websites from work? :)
> It only works if the people are not trying to get around the set limitations.
> Even with deep packet inspection, you won't get that one mail you setup all that hupla-di-do up for.
>
> Cheers,
> - Robert
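The approach Robert recommends, a mandatory smarthost with pf rules blocking any mail that does not go through it, looks like this in pf.conf. This is an added example, not a ruleset from the thread; the interface name, the LAN prefix and the relay address are assumptions. The copy itself is made on the relay's MTA, which for Postfix is the `always_bcc` parameter in main.cf that Stuart mentions.

```pf
# Added example, not from the thread. $int_if, $lan and $relay are
# assumptions; replace them with the real internal interface, LAN prefix
# and smarthost address.
int_if = "em1"
lan    = "192.168.0.0/24"
relay  = "192.168.0.25"        # corporate MTA, e.g. Postfix with always_bcc

smtp_ports = "{ 25, 465, 587 }"

# The relay is the only host allowed to open SMTP sessions to the outside.
pass in quick on $int_if proto tcp from $relay to ! $lan port $smtp_ports

# Clients reach the relay itself normally (submission on 587 is typical).
pass in quick on $int_if proto tcp from $lan to $relay port $smtp_ports

# Every other client that tries to talk SMTP directly to the outside is
# blocked, and logged so that the attempt shows up on pflog0 and can be
# followed up rather than silently failing.
block in log quick on $int_if proto tcp from $lan to ! $lan port $smtp_ports
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, and watch bypass attempts with `tcpdump -n -e -ttt -i pflog0 port 25`. As Robert says, this only catches the low-hanging fruit: webmail over HTTPS and any other channel that is not SMTP never touches these rules.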
RTL8169SC OpenBSD 4.8 to 4.9 issue
Hello misc,

I have an Ethernet card with an RTL8169SC-based chipset and it works very well with OpenBSD 4.8; the same card does not work with 4.9.

The motherboard of the 4.9 machine is an Intel DP43BF.

The dmesg.boot of 4.9 is attached.

Regards,

[demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg.boot]
Re: RTL8169SC OpenBSD 4.8 to 4.9 issue
Sorry, the link to the dmesg on pastebin: http://pastebin.com/fK9HSrfY

Regards,

2011/7/7 Sergey Bronnikov <este...@gmail.com>
> Hi
>
> The only mailing list that allows attachments is the _ports_ list; they will be removed from messages on the other mailing lists.
> http://www.openbsd.org/mail.html
>
> You can upload your dmesg to pastebin and provide the link in the email.
>
> On 14:53 Thu 07 Jul, R0me0 *** wrote:
>> Hello misc,
>>
>> I have an Ethernet card with an RTL8169SC-based chipset and it works very well with OpenBSD 4.8; the same card does not work with 4.9.
>>
>> The motherboard of the 4.9 machine is an Intel DP43BF.
>>
>> The dmesg.boot of 4.9 is attached.
>>
>> Regards,
>>
>> [demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg.boot]
>
> --
> sergeyb@
Re: RTL8169SC OpenBSD 4.8 to 4.9 issue
All right, I disabled bge0 in the BIOS setup but the error continues:

pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA (unsupported), channel 0 configured to native-PCI, channel 1 configured to native-PCI

2011/7/7 Zeb Packard <zeb.pack...@gmail.com>
> *Sorry about the direct response Nick. :0
>
> These two lines make me think it's a configuration problem.
>
> bge0 at pci7 dev 0 function 0 Broadcom BCM57788 rev 0x01, BCM57780 A1 (0x57780001): apic 0 int 17 (irq 10), address 00:22:4d:4c:40:ee
> brgphy0 at bge0 phy 1: BCM57780 10/100/1000baseT PHY, rev. 1
>
> Dmesg below.
>
> OpenBSD 4.9 (GENERIC.MP) #794: Wed Mar 2 07:19:02 MST 2011
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Pentium(R) Dual-Core CPU E5700 @ 3.00GHz (GenuineIntel 686-class) 3 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE
> real mem = 2135498752 (2036MB)
> avail mem = 2090401792 (1993MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 05/10/10, SMBIOS rev. 2.6 @ 0xe9230 (58 entries)
> bios0: vendor Intel Corp. version RKG4310H.86A.0082.2010.0510.1954 date 05/10/2010
> bios0: Intel Corporation DP43BF
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S3 S4 S5
> acpi0: tables DSDT FACP APIC MCFG HPET
> acpi0: wakeup devices P0P1(S3) PS2K(S4) PS2M(S4) UAR1(S3) P0P2(S4) USB0(S3) USB1(S3) USB2(S3) USB5(S3) USB6(S3) EUSB(S3) USB3(S3) USB4(S3) USBE(S3) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) PEX5(S4) SLPB(S4) PWRB(S3)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 199MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Pentium(R) Dual-Core CPU E5700 @ 3.00GHz (GenuineIntel 686-class) 3 GHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE
> ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0xf000, bus 0-127
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 32 (P0P2)
> acpiprt2 at acpi0: bus 2 (PEX0)
> acpiprt3 at acpi0: bus 3 (PEX1)
> acpiprt4 at acpi0: bus 4 (PEX2)
> acpiprt5 at acpi0: bus 5 (PEX3)
> acpiprt6 at acpi0: bus 6 (PEX4)
> acpiprt7 at acpi0: bus 7 (PEX5)
> acpicpu0 at acpi0:, C3, C2, C1, PSS
> acpicpu1 at acpi0:, C3, C2, C1, PSS
> acpibtn0 at acpi0: SLPB
> acpibtn1 at acpi0: PWRB
> bios0: ROM list: 0xc/0xe600! 0xce800/0x400 0xcf000/0x2400
> cpu0: Enhanced SpeedStep 2993 MHz: speeds: 3000, 2800, 2600, 2400, 2200, 2000, 1800, 1600, 1400, 1200 MHz
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 Intel G45 Host rev 0x03
> ppb0 at pci0 dev 1 function 0 Intel G45 PCIE rev 0x03: apic 0 int 16 (irq 11)
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 vendor NVIDIA, unknown product 0x10c3 rev 0xa2
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> azalia0 at pci1 dev 0 function 1 vendor NVIDIA, unknown product 0x0be3 rev 0xa1: apic 0 int 17 (irq 10)
> azalia0: no supported codecs
> azalia0: initialization failure, detaching
> uhci0 at pci0 dev 26 function 0 Intel 82801JI USB rev 0x00: apic 0 int 16 (irq 11)
> uhci1 at pci0 dev 26 function 1 Intel 82801JI USB rev 0x00: apic 0 int 21 (irq 5)
> uhci2 at pci0 dev 26 function 2 Intel 82801JI USB rev 0x00: apic 0 int 18 (irq 3)
> ehci0 at pci0 dev 26 function 7 Intel 82801JI USB rev 0x00: apic 0 int 18 (irq 3)
> ehci0: timed out waiting for BIOS
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
> azalia1 at pci0 dev 27 function 0 Intel 82801JI HD Audio rev 0x00: apic 0 int 22 (irq 7)
> azalia1: codecs: Realtek ALC888
> audio0 at azalia1
> ppb1 at pci0 dev 28 function 0 Intel 82801JI PCIE rev 0x00: apic 0 int 17 (irq 10)
> pci2 at ppb1 bus 2
> pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA (unsupported), channel 0 configured to native-PCI, channel 1 configured to native-PCI
> pciide0: using apic 0 int 16 (irq 11) for native-PCI interrupt
> pciide0: channel 0 ignored (not responding; disabled or no drives?)
> pciide0: channel 1 ignored (not responding; disabled or no drives?)
> ppb2 at pci0 dev 28 function 1 Intel 82801JI PCIE rev 0x00: apic 0 int 16 (irq 11)
> pci3 at ppb2 bus 3
> ppb3 at pci0 dev 28 function 2 Intel 82801JI PCIE rev 0x00: apic 0 int 18 (irq 3)
> pci4 at ppb3 bus 4
> ppb4 at pci0 dev 28 function 3 Intel 82801JI PCIE rev 0x00: apic 0 int 19 (irq 11)
> pci5 at ppb4 bus 5
> ppb5 at pci0 dev 28 function 4 Intel 82801JI PCIE rev 0x00: apic 0 int 17 (irq 10)
> pci6 at ppb5 bus 6
> vendor VIA, unknown product 0x3403 (class serial bus subclass Firewire, rev 0x00) at pci6 dev 0 function 0 not configured
> ppb6 at pci0
Re: RTL8169SC OpenBSD 4.8 to 4.9 issue
I booted OBSD 4.8 on this motherboard and I have the same error. Can this error be related to the BUG described in the man page of the re driver?

Regards,

2011/7/7 R0me0 *** <knight@gmail.com>
> All right, I disabled bge0 in the BIOS setup but the error continues:
>
> pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA (unsupported), channel 0 configured to native-PCI, channel 1 configured to native-PCI
>
> 2011/7/7 Zeb Packard <zeb.pack...@gmail.com>
>> *Sorry about the direct response Nick. :0
>>
>> These two lines make me think it's a configuration problem.
>>
>> bge0 at pci7 dev 0 function 0 Broadcom BCM57788 rev 0x01, BCM57780 A1 (0x57780001): apic 0 int 17 (irq 10), address 00:22:4d:4c:40:ee
>> brgphy0 at bge0 phy 1: BCM57780 10/100/1000baseT PHY, rev. 1
>>
>> Dmesg below.
>>
>> OpenBSD 4.9 (GENERIC.MP) #794: Wed Mar 2 07:19:02 MST 2011
>>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
>> [...]
Re: RTL8169SC OpenBSD 4.8 to 4.9 issue
The Ethernet card that I'm plugging in works very well on the old hardware (OBSD 4.8); the same Ethernet card produces this error (re(4) chip):

pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA (unsupported), channel 0 configured to native-PCI, channel 1 configured to native-PCI

The bge is the onboard Ethernet, and it will be disabled.

As I said, I booted OBSD 4.8 on the new hardware and the error is the same as described above.

Regards

2011/7/7 Peter Hessler <phess...@theapt.org>
> This machine does not have an re(4) chip in it. You need to use bge0 for your ethernet device.
>
> On 2011 Jul 07 (Thu) at 11:39:20 -0700 (-0700), Zeb Packard wrote:
> :*Sorry about the direct response Nick. :0
> :
> :These two lines make me think it's a configuration problem.
> :
> :bge0 at pci7 dev 0 function 0 Broadcom BCM57788 rev 0x01, BCM57780
> :A1 (0x57780001): apic 0 int 17 (irq 10), address 00:22:4d:4c:40:ee
> :brgphy0 at bge0 phy 1: BCM57780 10/100/1000baseT PHY, rev. 1
> :
> :Dmesg below.
> :
> :OpenBSD 4.9 (GENERIC.MP) #794: Wed Mar 2 07:19:02 MST 2011
> :    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> :[...]
Re: RTL8169SC OpenBSD 4.8 to 4.9 issue
dmesg.boot of old hardware: ( same ethernet )

OpenBSD 4.8 (GENERIC.MP) #359: Mon Aug 16 09:16:26 MDT 2010
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem = 1069051904 (1019MB)
avail mem = 1041580032 (993MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/25/06, BIOS32 rev. 0 @ 0xfad90, SMBIOS rev. 2.3 @ 0xf0100 (34 entries)
bios0: vendor Award Software International, Inc. version F3e DB date 04/25/2006
bios0: Gigabyte Technology Co., Ltd. 8I865GME-775
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices HUB0(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S1) PCI0(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpitz0 at acpi0: critical temperature 75 degC
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xa400! 0xcc000/0x8000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G Host rev 0x02
vga1 at pci0 dev 2 function 0 Intel 82865G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xf000, size 0x800
inteldrm0 at vga1: apic 2 int 16 (irq 3)
drm0 at inteldrm0
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: apic 2 int 16 (irq 3)
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: apic 2 int 19 (irq 11)
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: apic 2 int 18 (irq 11)
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: apic 2 int 16 (irq 3)
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: apic 2 int 23 (irq 6)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xc2
pci1 at ppb0 bus 1
rl0 at pci1 dev 1 function 0 Realtek 8139 rev 0x10: apic 2 int 21 (irq 12), address 00:1a:3f:51:46:59
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 2 function 0 Realtek 8139 rev 0x10: apic 2 int 22 (irq 10), address 00:1a:3f:52:34:4f
rlphy1 at rl1 phy 0: RTL internal PHY
re0 at pci1 dev 3 function 0 Realtek 8169 rev 0x10: RTL8169/8110SB (0x1000), apic 2 int 18 (irq 11), address 00:08:54:69:13:54
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 3
fxp0 at pci1 dev 8 function 0 Intel PRO/100 VE rev 0x02, i82562: apic 2 int 20 (irq 5), address 00:0f:ea:2a:56:2f
inphy0 at fxp0 phy 1: i82562G 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
pciide0 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: SAMSUNG HD082GJ
wd0: 16-sector PIO, LBA48, 76318MB, 156299375 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TSSTcorp, CD/DVDW SH-S182D, SB04 ATAPI 5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801EB/ER SMBus rev 0x02: apic 2 int 17 (irq 9)
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x2e/2: IT8712F rev 8, EC port 0x290
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

2011/7/7 Nick Holland <n...@holland-consulting.net>
> On
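The two dmesgs in this thread are easiest to compare by asking the same two questions of each: which network interfaces actually attached, and which PCI functions the kernel enumerated but found no driver for. The shell functions below do that for a dmesg read from stdin. This is an added example and not something posted in the thread; the function names are my own, and the two sample inputs are constructed from lines quoted above (the 4.9 boot on the DP43BF and the 4.8 boot on the 8I865GME-775).

```shell
#!/bin/sh
# Added example, not from the thread. Reads OpenBSD dmesg text on stdin and
# summarises network-interface attachment. Function names are mine.

# attached_nics: the name of every driver instance that attached on a PCI
# bus and reported a MAC address, i.e. every usable Ethernet interface.
attached_nics() {
    awk '/^[a-z]+[0-9]+ at pci[0-9]+ / && / address [0-9a-f:]+$/ { print $1 }'
}

# unclaimed_pci: PCI functions the kernel saw but has no driver for. A card
# that is present but unsupported shows up here; a card the bus never
# enumerated (bad slot, dead card, disabled in the BIOS) does not.
unclaimed_pci() {
    awk '/ at pci[0-9]+ dev [0-9]+ function [0-9]+ not configured$/'
}

# has_nic DRIVER: succeed when an interface of that driver family
# (re, bge, rl, ...) attached.
has_nic() {
    attached_nics | grep -q "^$1[0-9]"
}

# report LABEL DRIVER: one-line verdict for the dmesg on stdin; the exit
# status says whether DRIVER attached, so callers can act on it.
report() {
    input=$(cat)
    nics=$(printf '%s\n' "$input" | attached_nics | tr '\n' ' ')
    unclaimed=$(printf '%s\n' "$input" | unclaimed_pci | grep -c . || true)
    if printf '%s\n' "$input" | has_nic "$2"; then
        echo "$1: $2(4) attached; NICs [${nics% }]; unclaimed PCI functions: $unclaimed"
        return 0
    fi
    echo "$1: no $2(4) interface; NICs [${nics% }]; unclaimed PCI functions: $unclaimed"
    return 1
}

# Sample input, constructed from the new-board (4.9) dmesg in the thread.
NEW_BOARD='bge0 at pci7 dev 0 function 0 "Broadcom BCM57788" rev 0x01, BCM57780 A1 (0x57780001): apic 0 int 17 (irq 10), address 00:22:4d:4c:40:ee
brgphy0 at bge0 phy 1: BCM57780 10/100/1000baseT PHY, rev. 1
pciide0 at pci2 dev 0 function 0 "Marvell 88SE6101 IDE" rev 0xb2: DMA (unsupported), channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: channel 0 ignored (not responding; disabled or no drives?)
vendor "VIA", unknown product 0x3403 (class serial bus subclass Firewire, rev 0x00) at pci6 dev 0 function 0 not configured'

# Sample input, constructed from the old-board (4.8) dmesg in the thread.
OLD_BOARD='rl0 at pci1 dev 1 function 0 "Realtek 8139" rev 0x10: apic 2 int 21 (irq 12), address 00:1a:3f:51:46:59
rlphy0 at rl0 phy 0: RTL internal PHY
re0 at pci1 dev 3 function 0 "Realtek 8169" rev 0x10: RTL8169/8110SB (0x1000), apic 2 int 18 (irq 11), address 00:08:54:69:13:54
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 3
fxp0 at pci1 dev 8 function 0 "Intel PRO/100 VE" rev 0x02, i82562: apic 2 int 20 (irq 5), address 00:0f:ea:2a:56:2f'

printf '%s\n' "$OLD_BOARD" | report "old board" re || true
printf '%s\n' "$NEW_BOARD" | report "new board" re || true
```

On a real machine, feed it `/var/run/dmesg.boot`. The pciide lines the poster keeps quoting never match either function: they describe the Marvell disk controller, which is why comparing NIC attachment directly is more useful than reading the boot log top to bottom. When the card appears under neither heading, the kernel never saw it on the bus, and the slot, the card or a BIOS setting is the place to look.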
Re: RTL8169SC OpenBSD 4.8 to 4.9 issue
# uname -smr
OpenBSD 4.8 i386
# ifconfig re0
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:08:54:69:13:54
        priority: 0
        media: Ethernet 100baseTX full-duplex
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::208:54ff:fe69:1354%re0 prefixlen 64 scopeid 0x3

2011/7/7 Zeb Packard <zeb.pack...@gmail.com>
> I'd like to see the output from ifconfig.
Re: RTL8169SC OpenBSD 4.8 to 4.9 issue
Yes, the machines are different; I'm doing a hardware upgrade. I bought a TP-Link model no. TG-3269, which has the same chipset and works very well on this machine that has OBSD 4.8, but I tested the SAME Ethernet card that I'm running on 4.8 in the new hardware with 4.9.

2011/7/7 Miod Vallat <m...@online.fr>
> > dmesg.boot of old hardware: ( same ethernet )
> > [...]
> > bios0 at mainbus0: AT/286+ BIOS, date 04/25/06, BIOS32 rev. 0 @ 0xfad90, SMBIOS rev. 2.3 @ 0xf0100 (34 entries)
> > bios0: vendor Award Software International, Inc. version "F3e DB" date 04/25/2006
> > bios0: Gigabyte Technology Co., Ltd. 8I865GME-775
> > [...]
> > bios0 at mainbus0: AT/286+ BIOS, date 05/10/10, SMBIOS rev. 2.6 @ 0xe9230 (58 entries)
> > bios0: vendor Intel Corp. version "RKG4310H.86A.0082.2010.0510.1954" date 05/10/2010
> > bios0: Intel Corporation DP43BF
>
> These are not the same machines. Are you trying to waste people's time?
Re: RTL8169SC OpenBSD 4.8 to 4.9 issue
Another thing: I have other servers running OBSD 4.8 with the same Ethernet model, and it works very well. The Ethernet card is an ENLGA-1320 (Encore Electronics) (YES, it is a generic network card).

2011/7/7 R0me0 *** <knight@gmail.com>
> Yes, the machines are different; I'm doing a hardware upgrade. I bought a TP-Link model no. TG-3269, which has the same chipset and works very well on this machine that has OBSD 4.8, but I tested the SAME Ethernet card that I'm running on 4.8 in the new hardware with 4.9.
>
> 2011/7/7 Miod Vallat <m...@online.fr>
> > > dmesg.boot of old hardware: ( same ethernet )
> > > [...]
> > > bios0 at mainbus0: AT/286+ BIOS, date 04/25/06, BIOS32 rev. 0 @ 0xfad90, SMBIOS rev. 2.3 @ 0xf0100 (34 entries)
> > > bios0: vendor Award Software International, Inc. version "F3e DB" date 04/25/2006
> > > bios0: Gigabyte Technology Co., Ltd. 8I865GME-775
> > > [...]
> > > bios0 at mainbus0: AT/286+ BIOS, date 05/10/10, SMBIOS rev. 2.6 @ 0xe9230 (58 entries)
> > > bios0: vendor Intel Corp. version "RKG4310H.86A.0082.2010.0510.1954" date 05/10/2010
> > > bios0: Intel Corporation DP43BF
> >
> > These are not the same machines. Are you trying to waste people's time?
Re: Routing Issue
Put a route !?

2011/5/18 David Schulz <mailingli...@ironwhale.com>
> Hi there,
>
> if I disable pf, it will not work (except when trying from the router itself via ssh). Here is some output from hostname.ifs and mygate, and my routing table. I would be most grateful for any tips that help solve this.
>
> Best regards,
> D
>
> cndlne001'root(~) cat /etc/hostname.sis0
> inet 10.1.3.19 255.255.254.0 NONE
> cndlne001'root(~) cat /etc/hostname.sis1
> inet 192.168.1.1 255.255.255.0 NONE
> cndlne001'root(~) cat /etc/mygate
> 10.1.3.1
> cndlne001'root(~) route -n show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            10.1.3.1           UGS        0        3     -     8 sis0
> 10.1.2/23          link#1             UC         4        0     -     4 sis0
> 10.1.3.1           00:18:4d:33:e3:df  UHLc       1        0     -     4 sis0
> 10.1.3.7           f4:ce:46:b1:a6:26  UHLc       1       10     -     4 sis0
> 10.1.3.37          20:cf:30:56:15:80  UHLc       1      107     -     4 sis0
> 10.1.3.46          1c:af:f7:0e:17:20  UHLc       0       41     -     4 sis0
> 127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
> 127.0.0.1          127.0.0.1          UH         1        0 33200     4 lo0
> 192.168.1/24       link#2             UC         1        0     -     4 sis1
> 192.168.1.2        00:14:97:02:2b:b2  UHLc       0       41     -     4 sis1
> 224/4              127.0.0.1          URS        0        0 33200     8 lo0
> cndlne001'root(~) sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:00:24:ca:a9:f4
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 10.1.3.19 netmask 0xfffffe00 broadcast 10.1.3.255
>         inet6 fe80::200:24ff:feca:a9f4%sis0 prefixlen 64 scopeid 0x1
> cndlne001'root(~) ifconfig sis1
> sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:00:24:ca:a9:f5
>         priority: 0
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::200:24ff:feca:a9f5%sis1 prefixlen 64 scopeid 0x2
> cndlne001'root(~)
>
> On May 18, 2011, at 2:29 PM, Aaron Mason wrote:
>
> > If you've disabled pf and it doesn't, then yes, possibly.
> >
> > If the network is configured like this:
> >
> >   192.168.1.0/24 <--> 192.168.1.1 (em0) [Router] 10.1.0.1 (em1) <--> 10.1.0.0/21
> >
> > Setting the default routes to the required interface on each side should allow packets to flow freely from end to end. There should be no need for PF trickery unless you wish to restrict access to certain machines on either side.
> >
> > Your best test is a traceroute. Perform a traceroute from one side to the other, and see what the last step is before you get a string of timeouts.
> >
> > All said, I see rules in your PF that allow certain ICMP types, but haven't included the echo response - that's probably why you can't ping across the router.
> >
> > On Wed, May 18, 2011 at 3:29 PM, David Schulz <mailingli...@ironwhale.com> wrote:
> > > Basically I am just trying to verify whether I actually do need the match out statements in pf.conf in order for both sides on each network card to talk to each other. Say I do not, and it should all just work; does the fact that it does not work suggest that I most likely have a routing issue?
> > >
> > > best regards,
> > > D
> > >
> > > On May 17, 2011, at 9:29 PM, David Gwynne wrote:
> > >
> > > > hey david,
> > > >
> > > > pf is run twice on packets going through a box, once before the network stack and again as it leaves it. this means you have to allow a packet in one side as well as when it goes out the other.
> > > >
> > > > dlg
> > > >
> > > > On 17/05/2011, at 10:16 PM, David Schulz wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > I have a LAN within a LAN and the setup is as follows:
> > > > >
> > > > >   192.168.1.0/24 -- OpenBSD 4.9 Router with 2 NICs -- 10.1.0.0/21
> > > > >
> > > > > My goal is to get both sides talking to each other (let's start with making them able to ping each other). I got it working by using the following pf.conf; however I thought I should not need to have those match out statements, because OpenBSD routes packets between interfaces by default as long as sysctl net.inet.ip.forwarding=1 is set. From inside my OpenBSD box I can ping devices on either side just fine. From a machine sitting on either side, I can ping the OpenBSD box just fine. But I simply cannot get side A machines to talk to side B machines unless I uncomment the two match out statements below inside my pf.conf. If someone could share some insight, I'd be most thankful.
> > > > >
> > > > > regards,
> > > > > D
> > > > >
> > > > > Here is my simplified pf.conf, which again does not work unless I uncomment the two match out rules:
> > > > >
> > > > > pf.conf
> > > > > int_if=sis0
> > > > > ext_if=sis1
> > > > > icmp_types = { echoreq, unreach }
> > > > > set require-order yes
> > > > > set
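For the two-NIC router discussed in this thread, the following is an added example of a minimal stateful pf.conf; it is not the original poster's configuration (whose ruleset is cut off above) and not from any of the repliers. The interface names and prefixes (sis0 on 10.1.2.0/23 carrying the egress default route, sis1 on 192.168.1.0/24) are taken from the route table and ifconfig output quoted above; the rest is assumed for illustration. It shows why, with state tracking, a single "pass in" rule per direction is enough for the forwarded flow and why no explicit echo-reply rule is needed.

```pf
# Added example, not the poster's pf.conf: minimal stateful ruleset for an
# OpenBSD 4.9 box forwarding between two directly attached subnets.
# Interface names and prefixes come from the thread; everything else is an
# assumption for illustration.

if_a  = "sis0"
if_b  = "sis1"
net_a = "10.1.2.0/23"
net_b = "192.168.1.0/24"
icmp_types = "{ echoreq, unreach }"

set skip on lo
set require-order yes

# Default deny with logging, so a blocked forwarded packet shows up on
# pflog0 (tcpdump -n -e -ttt -i pflog0) instead of vanishing silently.
block log all

# Forwarding between the two subnets. pf sees each forwarded packet twice,
# once inbound on one interface and once outbound on the other. These rules
# create state, and states are floating by default (see "set state-policy"
# in pf.conf(5)), so the same state entry matches the outbound leg on the
# other interface and the reply coming back. No second "pass out" or
# "match out" rule is needed for the forwarded flow.
pass in on $if_a inet from $net_a to $net_b
pass in on $if_b inet from $net_b to $net_a

# ICMP echo: the echoreq rule creates state and the echo reply is matched
# by that state, so no explicit echorep rule is required either.
pass in inet proto icmp from { $net_a, $net_b } icmp-type $icmp_types

# Traffic originated by the router itself.
pass out on { $if_a, $if_b } inet from self

# Outside pf, but the usual cause of exactly this symptom: a host on
# 10.1.2.0/23 whose default gateway is 10.1.3.1 still needs a route to
# 192.168.1.0/24 via 10.1.3.19, otherwise its replies go to the other
# router and this box only ever sees half of each flow.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; if a cross-subnet ping still fails, `tcpdump -n -e -ttt -i pflog0` shows which rule blocked which leg, and a missing entry there while the ping still fails points at the return route on the far-side hosts rather than at pf.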
Re: Squid on LAN
You can also try this:

pass in on $int proto tcp from $int:network to port www route-to ( $dmz $ip_of_squid )
pass out on $dmz proto tcp to $ip_of_squid port www

Cheers

2011/5/9 Stuart Henderson <s...@spacehopper.org>
> If possible, put the proxy server on a different vlan. If you can't, try the method in http://www.openbsd.org/faq/pf/rdr.html#rdrnat
>
> It works, but your proxy logs will then only show the firewall's address rather than the original client addresses.
>
> On 2011-05-09, Alessandro Baggi <alessandro.ba...@gmail.com> wrote:
> > Hi list.
> > I've a question about positioning a proxy server in the LAN. I've tried this in a DMZ (also in transparent mode + rdr pf), and it works great, but now I'm trying to put this proxy in the LAN. Also in this case it works, but when I try to set it in transparent mode and put rdr rules on the firewall (OpenBSD 4.8):
> >
> > match in on $int proto tcp from $int:network to any port 80 rdr-to $proxy port 3128
> >
> > it does not work, and the request seems not to be redirected to the proxy. I've read this: http://www.openbsd.org/faq/pf/rdr.html
> > I'm trying to get a solution only with pf rules, without results. Could someone point me in the right direction? Thanks in advance
Re: Squid on LAN
Yes, you are right. I put it in a DMZ because of this :)

2011/5/9 Stuart Henderson <s...@spacehopper.org>
> On 2011/05/09 16:31, R0me0 *** wrote:
> > You can also try this:
> >
> > pass in on $int proto tcp from $int:network to port www route-to ( $dmz $ip_of_squid )
> > pass out on $dmz proto tcp to $ip_of_squid port www
>
> This won't work for machines on the same subnet as the proxy. In that case the return traffic (proxy->client) will bypass the firewall, so PF only sees half of the packets and state tracking will break things. (It might initially appear to work, but try a larger download and watch for the connection breaking.)
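The failure Stuart describes, and the fix from the FAQ section he references (rdr.html#rdrnat), as an added pf.conf example that is not from any of the posters: a Squid host on the same segment as its clients, with the redirect-only form that breaks next to the redirect-plus-reflection form that works. The interface name sis1 and the addresses 192.168.1.10 (proxy) and 203.0.113.5 (an origin server in the comments) are assumptions.

```pf
# Added example, not from the original posts: transparent redirection of LAN
# web traffic to a Squid instance on the SAME segment as the clients, using
# the reflection technique from http://www.openbsd.org/faq/pf/rdr.html#rdrnat.
# Interface name, proxy address and the addresses in the comments are assumed.

int_if = "sis1"            # assumed LAN-facing interface (192.168.1.1/24)
proxy  = "192.168.1.10"    # assumed Squid host on the same /24 as the clients

# Squid's own fetches to origin servers also enter on $int_if from a
# 192.168.1.0/24 source. Pass them first with quick so they are not
# redirected back to the proxy itself in a loop.
pass in quick on $int_if proto tcp from $proxy to any port www

# BROKEN on a shared segment: redirect only.
# A client SYN to 203.0.113.5:80 arrives on $int_if, is rewritten to
# $proxy:3128 and sent back out $int_if. Squid then answers the client
# directly across the LAN with source 192.168.1.10; the client expected a
# reply from 203.0.113.5, so it discards it and the connection hangs.
# The route-to variant posted above fails the same way: pf only ever sees
# the client->proxy half of the flow, so its state never completes.
#
# pass in on $int_if proto tcp from $int_if:network to any port www \
#         rdr-to $proxy port 3128

# WORKING: redirect, and also rewrite the source to the firewall's own
# $int_if address so the proxy's replies must come back through the
# firewall, where the state reverses both translations. "received-on
# $int_if" limits the nat-to to packets that entered on the LAN side, i.e.
# the redirected client connections, not traffic the firewall itself sends.
pass in  on $int_if proto tcp from $int_if:network to any port www \
         rdr-to $proxy port 3128
pass out on $int_if proto tcp to $proxy port 3128 received-on $int_if \
         nat-to $int_if
```

The cost is the one Stuart names: every redirected connection now reaches Squid with the firewall's 192.168.1.1 as its source, so access.log loses the client addresses. If per-client logging matters, his first suggestion (proxy on its own vlan, so the return path has to cross the firewall anyway) is the better design; the reflection rules are the workaround for when the topology cannot change. Check the result with `pfctl -ss | grep 3128`: a healthy redirected flow shows one state entry with both translations and progresses past SYN_SENT.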