Problems to compile squid with ldap auth on openBSD 4.3

2008-09-23 Thread Ricardo Augusto de Souza
Hi,

I got some errors trying to compile squid with ldap auth on openbsd 4.3.

I used squid from ports and compiled its source, and I got the same error
when I add --enable-auth="basic digest LDAP" \ and
--enable-basic-auth-helpers="NCSA YP LDAP" \ to ./configure.



Note: I have already installed OpenLDAP.



Can anyone help me please?

Thanks



Error is:



Making all in helpers

Making all in basic_auth

Making all in LDAP

if gcc -DHAVE_CONFIG_H -I. -I. -I../../../include -I../../../include
-Wall -g -O2 -D_REENTRANT -MT squid_ldap_auth.o -MD -MP -MF
".deps/squid_ldap_auth.Tpo" -c -o squid_ldap_auth.o squid_ldap_auth.c;
then mv -f ".deps/squid_ldap_auth.Tpo" ".deps/squid_ldap_auth.Po"; else
rm -f ".deps/squid_ldap_auth.Tpo"; exit 1; fi

squid_ldap_auth.c:123:18: lber.h: No such file or directory

squid_ldap_auth.c:124:18: ldap.h: No such file or directory

squid_ldap_auth.c:137: error: `LDAP_SCOPE_SUBTREE' undeclared here (not
in a function)

squid_ldap_auth.c:141: error: `LDAP_DEREF_NEVER' undeclared here (not in
a function)

squid_ldap_auth.c:147: error: `LDAP_NO_LIMIT' undeclared here (not in a
function)

squid_ldap_auth.c:154: error: syntax error before '*' token

squid_ldap_auth.c:208: error: syntax error before '*' token

squid_ldap_auth.c: In function `squid_ldap_errno':

squid_ldap_auth.c:210: error: `ld' undeclared (first use in this
function)

squid_ldap_auth.c:210: error: (Each undeclared identifier is reported
only once

squid_ldap_auth.c:210: error: for each function it appears in.)

squid_ldap_auth.c: At top level:

squid_ldap_auth.c:213: error: syntax error before '*' token

squid_ldap_auth.c: In function `squid_ldap_set_aliasderef':

squid_ldap_auth.c:215: error: `ld' undeclared (first use in this
function)

squid_ldap_auth.c:215: error: `deref' undeclared (first use in this
function)

squid_ldap_auth.c: At top level:

squid_ldap_auth.c:218: error: syntax error before '*' token

squid_ldap_auth.c: In function `squid_ldap_set_referrals':

squid_ldap_auth.c:220: error: `referrals' undeclared (first use in this
function)

squid_ldap_auth.c:221: error: `ld' undeclared (first use in this
function)

squid_ldap_auth.c:221: error: `LDAP_OPT_REFERRALS' undeclared (first use
in this function)

squid_ldap_auth.c: At top level:

squid_ldap_auth.c:226: error: syntax error before '*' token

squid_ldap_auth.c: In function `squid_ldap_set_timelimit':

squid_ldap_auth.c:228: error: `ld' undeclared (first use in this
function)

squid_ldap_auth.c: At top level:

squid_ldap_auth.c:231: error: syntax error before '*' token

squid_ldap_auth.c:249: error: syntax error before '*' token

squid_ldap_auth.c:251: warning: return type defaults to `int'

squid_ldap_auth.c: In function `open_ldap_connection':

squid_ldap_auth.c:252: error: `LDAP' undeclared (first use in this
function)

squid_ldap_auth.c:252: error: `ld' undeclared (first use in this
function)

squid_ldap_auth.c:278: warning: implicit declaration of function
`ldap_init'

squid_ldap_auth.c: In function `main':

squid_ldap_auth.c:348: error: `LDAP' undeclared (first use in this
function)

squid_ldap_auth.c:348: error: `ld' undeclared (first use in this
function)

squid_ldap_auth.c:350: error: `LDAP_PORT' undeclared (first use in this
function)

squid_ldap_auth.c:410: error: `LDAP_SCOPE_BASE' undeclared (first use in
this function)

squid_ldap_auth.c:412: error: `LDAP_SCOPE_ONELEVEL' undeclared (first
use in this function)

squid_ldap_auth.c:414: error: `LDAP_SCOPE_SUBTREE' undeclared (first use
in this function)

squid_ldap_auth.c:438: error: `LDAP_DEREF_NEVER' undeclared (first use
in this function)

squid_ldap_auth.c:440: error: `LDAP_DEREF_ALWAYS' undeclared (first use
in this function)

squid_ldap_auth.c:442: error: `LDAP_DEREF_SEARCHING' undeclared (first
use in this function)

squid_ldap_auth.c:444: error: `LDAP_DEREF_FINDING' undeclared (first use
in this function)

squid_ldap_auth.c:587: error: `LDAP_INVALID_CREDENTIALS' undeclared
(first use in this function)

squid_ldap_auth.c:589: warning: implicit declaration of function
`ldap_unbind'

squid_ldap_auth.c:593: warning: implicit declaration of function
`ldap_err2string'

squid_ldap_auth.c:593: warning: format argument is not a pointer (arg 2)

squid_ldap_auth.c:597: error: `LDAP_SUCCESS' undeclared (first use in
this function)

squid_ldap_auth.c: At top level:

squid_ldap_auth.c:639: error: syntax error before '*' token

squid_ldap_auth.c: In function `checkLDAP':

squid_ldap_auth.c:643: error: `LDAP' undeclared (first use in this
function)

squid_ldap_auth.c:643: error: `bind_ld' undeclared (first use in this
function)

squid_ldap_auth.c:645: error: `password' undeclared (first use in this
function)

squid_ldap_auth.c:656: error: `LDAPMessage' undeclared (first use in
this function)

squid_ldap_auth.c:656: error: `res' undeclared (first use in this
function)

squid_ldap_auth.c:657: error: `entry' undeclared (first use in this
function)

squid_ldap_auth.c:662: error: `search_ld' undeclared (firs
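The errors above all follow from the first two lines: the compiler cannot find lber.h and ldap.h, and every later "undeclared" error is just the consequence of those missing headers. The following added example (not code from the thread, from squid or from the OpenBSD ports tree) parses gcc output of this shape, lists the headers that were not found, and checks a set of candidate include directories for them. The candidate directory list is an assumption based on OpenBSD ports installing under /usr/local, which the base compiler does not search by default; the sample log and the stand-in file system are constructed so the example runs offline.

```python
"""Diagnose 'No such file or directory' header errors in a build log.

Added example, not code from the thread or from the squid/OpenBSD ports
tree. The sample log, the candidate include directories and the fake
file system below are constructed for the illustration.
"""
import re
from typing import Callable, Dict, List

# Matches gcc 3.x output ("file.c:LINE:COL: header.h: No such file or directory")
# and the gcc 4.x form that prefixes "fatal error:".
MISSING_HEADER_RE = re.compile(
    r"^(?P<src>[^:\s]+):(?P<line>\d+)(?::\d+)?:\s*(?:fatal error:\s*)?"
    r"(?P<header>[\w./-]+\.h):\s*No such file or directory\s*$"
)

# Assumption: OpenBSD ports (OpenLDAP included) install under /usr/local, and
# the base gcc does not search /usr/local/include unless told to with -I.
CANDIDATE_INCLUDE_DIRS = ["/usr/include", "/usr/local/include"]


def missing_headers(build_log: str) -> List[str]:
    """Return the distinct header names gcc reported as not found, in log order."""
    found: List[str] = []
    for line in build_log.splitlines():
        m = MISSING_HEADER_RE.match(line.strip())
        if m and m.group("header") not in found:
            found.append(m.group("header"))
    return found


def locate_headers(headers: List[str], exists: Callable[[str], bool],
                   dirs: List[str] = CANDIDATE_INCLUDE_DIRS) -> Dict[str, List[str]]:
    """Map each missing header to the candidate directories that contain it."""
    return {h: [d for d in dirs if exists(f"{d}/{h}")] for h in headers}


def suggest_flags(located: Dict[str, List[str]]) -> List[str]:
    """Derive the -I flags (sorted, unique) that would satisfy every located header."""
    dirs = sorted({d for hits in located.values() for d in hits})
    return [f"-I{d}" for d in dirs]


# Constructed sample: the first lines of the gcc output quoted in the thread.
SAMPLE_LOG = """\
squid_ldap_auth.c:123:18: lber.h: No such file or directory
squid_ldap_auth.c:124:18: ldap.h: No such file or directory
squid_ldap_auth.c:137: error: `LDAP_SCOPE_SUBTREE' undeclared here (not in a function)
"""

# Constructed stand-in for the file system of a box with OpenLDAP from ports.
FAKE_FS = {"/usr/local/include/lber.h", "/usr/local/include/ldap.h", "/usr/include/stdio.h"}


def diagnose(build_log: str = SAMPLE_LOG,
             exists: Callable[[str], bool] = FAKE_FS.__contains__) -> dict:
    """Parse the log, locate the headers and propose CPPFLAGS additions."""
    headers = missing_headers(build_log)
    located = locate_headers(headers, exists)
    return {"missing": headers, "located": located, "flags": suggest_flags(located)}


if __name__ == "__main__":
    # On a real host, pass exists=os.path.exists and the captured build log.
    report = diagnose()
    for header, where in report["located"].items():
        status = "found in " + ", ".join(where) if where else "not found in candidate dirs"
        print(f"{header}: {status}")
    print("suggested CPPFLAGS:", " ".join(report["flags"]))
```

On the box in the thread the report points at /usr/local/include, which is why the -current port (and its ldap flavor) sets the extra include and library paths rather than relying on the compiler defaults.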

PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
I used to do this easily but it's failing now.

xl0 = 10.10.100.254
xl1 = internet

This is my /etc/pf.conf

# external interface (WAN)
ext_if="xl1"
# internal interface (LAN)
int_if="xl0"
#set skip on lo
#scrub in
rdr on xl1 proto tcp from any to xl1 port 8101 -> 10.10.100.21 port 8101
rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
#
# NAT
#
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $ext_if from 10.10.0.0/16 -> $ext_if
pass in all
pass out all
#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

Note:

I can access http://10.10.0.2
It fails when I try to access http://10.10.100.254:81

What's wrong, folks?





# pfctl -sn
nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
rdr on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.100.21 port 8101
rdr on xl0 inet proto tcp from any to 10.10.100.254 port = 81 -> 10.10.0.2 port 80
#

# dmesg
OpenBSD 4.3 (CMT) #1: Mon Sep 22 15:25:18 BRT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/CMT
cpu0: Intel(R) Pentium(R) 4 CPU 2.13GHz ("GenuineIntel" 686-class) 2.13 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem  = 1072697344 (1023MB)
avail mem = 1033314304 (985MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/16/05, BIOS32 rev. 0 @ 0xfd5b6, SMBIOS rev. 2.33 @ 0x3ff77000 (46 entries)
bios0: vendor IBM version "-[KEE134AUS-1.34]-" date 06/16/2005
bios0: IBM CORPORATION -[84824RU]-
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1000 0xcb000/0x9c00 0xd5000/0x2000 0xd7000/0x2000 0xd9000/0x800 0xd9800/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 3 function 0 "Intel 82875P CSA" rev 0x02
pci1 at ppb0 bus 2
em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq 5, address 00:11:25:7f:86:28
ppb1 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci2 at ppb1 bus 3
bge0 at pci2 dev 1 function 0 "Broadcom BCM5703 Alt" rev 0x10, BCM5703 B0 (0x1100): irq 11, address 00:10:18:16:14:1b
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 3
bge1 at pci2 dev 2 function 0 "Broadcom BCM5703 Alt" rev 0x10, BCM5703 B0 (0x1100): irq 11, address 00:10:18:16:0e:8a
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 3
ahd0 at pci2 dev 4 function 0 vendor "Adaptec", unknown product 0x808f rev 0x10: irq 11
ahd0: aic7901, U320 Wide Channel A, SCSI Id=7, PCI-X 50-66MHz, 512 SCBs
scsibus0 at ahd0: 16 targets
sd0 at scsibus0 targ 0 lun 0: SCSI2 0/direct fixed
sd0: 34715MB, 34401 cyl, 3 head, 688 sec, 512 bytes/sec, 71096640 sec total
sd1 at scsibus0 targ 6 lun 0: SCSI2 0/direct fixed
sd1: 34715MB, 34401 cyl, 3 head, 688 sec, 512 bytes/sec, 71096640 sec total
uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 5
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x0a
pci3 at ppb2 bus 4
vga0 at pci3 dev 2 function 0 "ATI Radeon VE QY" rev 0x00
wsdisplay0 at vga0 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci3 dev 7 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 5, address 00:0a:5e:63:7e:2e
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci3 dev 8 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 11, address 00:0a:5e:63:7d:72
exphy1 at xl1 phy 24: 3Com internal media interface
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciid

RES: Problems to compile squid with ldap auth on openBSD 4.3

2008-09-23 Thread Ricardo Augusto de Souza
id' undeclared (first use in this
function)
/usr/ports/www/squid/w-squid-2.7.STABLE3/squid-2.7.STABLE3/helpers/basic_auth
/LDAP/squid_ldap_auth.c:670: error: `LDAP_SUCCESS' undeclared (first use in
this function)
/usr/ports/www/squid/w-squid-2.7.STABLE3/squid-2.7.STABLE3/helpers/basic_auth
/LDAP/squid_ldap_auth.c:681: error: `LDAP_PARTIAL_RESULTS' undeclared (first
use in this function)
/usr/ports/www/squid/w-squid-2.7.STABLE3/squid-2.7.STABLE3/helpers/basic_auth
/LDAP/squid_ldap_auth.c:706: warning: assignment makes pointer from integer
without a cast
/usr/ports/www/squid/w-squid-2.7.STABLE3/squid-2.7.STABLE3/helpers/basic_auth
/LDAP/squid_ldap_auth.c:742: error: `LDAP_COMPARE_TRUE' undeclared (first use
in this function)
*** Error code 1

Stop in
/usr/ports/www/squid/w-squid-2.7.STABLE3/build-i386/helpers/basic_auth/LDAP
(line 92 of /usr/share/mk/sys.mk).
*** Error code 1

Stop in /usr/ports/www/squid/w-squid-2.7.STABLE3/build-i386/helpers/basic_auth
(line 312 of Makefile).
*** Error code 1

Stop in /usr/ports/www/squid/w-squid-2.7.STABLE3/build-i386/helpers (line 307
of Makefile).
*** Error code 1

Stop in /usr/ports/www/squid/w-squid-2.7.STABLE3/build-i386 (line 365 of
Makefile).
*** Error code 1

Stop in /usr/ports/www/squid (line 2164 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/squid (line 1422 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/squid (line 1962 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/squid (line 1452 of
/usr/ports/infrastructure/mk/bsd.port.mk).
#


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stuart Henderson
Sent: Tuesday, 23 September 2008 10:12
To: misc@openbsd.org
Subject: Re: Problems to compile squid with ldap auth on openBSD 4.3

On 2008-09-23, Ricardo Augusto de Souza <[EMAIL PROTECTED]> wrote:
> I got some errors trying to compile squid with ldap auth on openbsd 4.3.
>
> I used squid from ports and  compiled its source and I got same error
> when I add "--enable-auth="basic digest LDAP" \  and
> --enable-basic-auth-helpers="NCSA YP LDAP" \ to ./configure.

Use cvsweb and look at the -current version of the port, see how
that does things.



RES: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
I was monitoring with tcpdump -i xl0, disabled pf, tried to access
http://10.10.100.254:81 and saw this:

13:30:38.976708 10.10.100.254.81 > 10.10.0.135.2321: R 0:0(0) ack 1 win 0
(DF)
13:30:40.007811 802.1d RSTP config flags=7c
role=DESIGNATED root=8000.0:f:cb:56:80:a0 rootcost=20004
bridge=8000.0:1e:c1:27:b0:80 port=9 ifcost=128 age=2/0 max=20/0 hello=2/0
fwdelay=15/0

13:32:20.254337 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 2046899144
win 0 (DF)
13:32:20.699272 10.10.0.135.2331 > 10.10.100.254.81: S
2046899143:2046899143(0) win 65535  (DF)
13:32:20.699297 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0
(DF)
13:32:21.181005 10.10.100.254 > 10.10.0.135: icmp: echo reply
13:32:21.202344 10.10.0.135.2331 > 10.10.100.254.81: S
2046899143:2046899143(0) win 65535  (DF)
13:32:21.202368 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0
(DF)

Now I turned pf on and got this:
# tcpdump -i xl0|grep 81
tcpdump: listening on xl0, link-type EN10MB
13:34:44.554439 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)
13:34:47.497787 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)
13:34:49.816656 10.10.0.48.netbios-ns > 10.10.255.255.netbios-ns: udp 50
13:34:52.226812 10.10.100.254 > 10.10.0.135: icmp: echo reply
13:34:53.434122 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)

Help me please folks, I need this rdr working TODAY.

Thanks in advance!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
Sent: Tuesday, 23 September 2008 11:30
To: misc@openbsd.org
Subject: PF cannot RDR connections

I used to do this easily but it's failing now.

xl0 = 10.10.100.254
xl1 = internet

This is my /etc/pf.conf

# external interface (WAN)
ext_if="xl1"
# internal interface (LAN)
int_if="xl0"
#set skip on lo
#scrub in
rdr on xl1 proto tcp from any to xl1 port 8101 -> 10.10.100.21 port 8101
rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
#
# NAT
#
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $ext_if from 10.10.0.0/16 -> $ext_if
pass in all
pass out all
#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

Note:

I can access http://10.10.0.2
It fails when I try to access http://10.10.100.254:81

What's wrong, folks?





# pfctl -sn
nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
rdr on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.100.21 port 8101
rdr on xl0 inet proto tcp from any to 10.10.100.254 port = 81 -> 10.10.0.2 port 80
#

RES: Problems to compile squid with ldap auth on openBSD 4.3

2008-09-23 Thread Ricardo Augusto de Souza
I already tried the -current ports and got the same error.
Please send me the patch you used.


-Original Message-
From: Giancarlo Razzolini [mailto:[EMAIL PROTECTED] On Behalf Of Giancarlo Razzolini
Sent: Tuesday, 23 September 2008 14:34
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: Problems to compile squid with ldap auth on openBSD 4.3

Ricardo Augusto de Souza wrote:
> Hi,
>
> I got some errors trying to compile squid with ldap auth on openbsd 4.3.
>
> I used squid from ports and  compiled its source and I got same error
> when I add "--enable-auth="basic digest LDAP" \  and
> --enable-basic-auth-helpers="NCSA YP LDAP" \ to ./configure.
>
>
>
> Note I have already installed OpenLDAP .
>
>
>
> Can anyone help me please?
>
> Thanks
>
I took a look at the -current tree of the ports and noticed they've
created a new flavor of squid called ldap. This solves a problem that I
had for a long time compiling ldap-auth on squid with openbsd. I did
make 2 patches, one for squid-ldap-auth and the other for squid-group-auth.
I recommend that you check out the -current version of ports and try to
compile squid the following way:

FLAVOR="ldap" make install

If it works, then you're done. If it does not work, I assume you might have
to compile the -current kernel and userland. Or, I could send you the
patches I made for it. Since this list runs demime, ask me and I will
send you the patches in private. But first, try with ports.

My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



RES: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
# tcpdump
tcpdump: Failed to open bpf device for xl0: No such file or directory
# sync
#

PFFF

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
Sent: Tuesday, 23 September 2008 13:31
To: misc@openbsd.org
Subject: RES: PF cannot RDR connections

I was monitoring with tcpdump -i xl0, disabled pf, tried to access
http://10.10.100.254:81 and saw this:

13:30:38.976708 10.10.100.254.81 > 10.10.0.135.2321: R 0:0(0) ack 1 win 0
(DF)
13:30:40.007811 802.1d RSTP config flags=7c
role=DESIGNATED root=8000.0:f:cb:56:80:a0 rootcost=20004
bridge=8000.0:1e:c1:27:b0:80 port=9 ifcost=128 age=2/0 max=20/0 hello=2/0
fwdelay=15/0

13:32:20.254337 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 2046899144
win 0 (DF)
13:32:20.699272 10.10.0.135.2331 > 10.10.100.254.81: S
2046899143:2046899143(0) win 65535  (DF)
13:32:20.699297 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0
(DF)
13:32:21.181005 10.10.100.254 > 10.10.0.135: icmp: echo reply
13:32:21.202344 10.10.0.135.2331 > 10.10.100.254.81: S
2046899143:2046899143(0) win 65535  (DF)
13:32:21.202368 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0
(DF)

Now I turned pf on and got this:
# tcpdump -i xl0|grep 81
tcpdump: listening on xl0, link-type EN10MB
13:34:44.554439 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)
13:34:47.497787 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)
13:34:49.816656 10.10.0.48.netbios-ns > 10.10.255.255.netbios-ns: udp 50
13:34:52.226812 10.10.100.254 > 10.10.0.135: icmp: echo reply
13:34:53.434122 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)

Help me please folks, I need this rdr working TODAY.

Thanks in advance!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
Sent: Tuesday, 23 September 2008 11:30
To: misc@openbsd.org
Subject: PF cannot RDR connections

I used to do this easily but it's failing now.

xl0 = 10.10.100.254
xl1 = internet

This is my /etc/pf.conf

# external interface (WAN)
ext_if="xl1"
# internal interface (LAN)
int_if="xl0"
#set skip on lo
#scrub in
rdr on xl1 proto tcp from any to xl1 port 8101 -> 10.10.100.21 port 8101
rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
#
# NAT
#
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $ext_if from 10.10.0.0/16 -> $ext_if
pass in all
pass out all
#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

Note:

I can access http://10.10.0.2
It fails when I try to access http://10.10.100.254:81

What's wrong, folks?





# pfctl -sn
nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
rdr on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.100.21 port 8101
rdr on xl0 inet proto tcp from any to 10.10.100.254 port = 81 -> 10.10.0.2 port 80
#

RES: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
I am lost.
NAT is working but I can't do a single rdr.
Any clue?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
Sent: Tuesday, 23 September 2008 13:31
To: misc@openbsd.org
Subject: RES: PF cannot RDR connections

I was monitoring with tcpdump -i xl0, disabled pf, tried to access
http://10.10.100.254:81 and saw this:

13:30:38.976708 10.10.100.254.81 > 10.10.0.135.2321: R 0:0(0) ack 1 win
0
(DF)
13:30:40.007811 802.1d RSTP config flags=7c
role=DESIGNATED root=8000.0:f:cb:56:80:a0 rootcost=20004
bridge=8000.0:1e:c1:27:b0:80 port=9 ifcost=128 age=2/0 max=20/0
hello=2/0
fwdelay=15/0

13:32:20.254337 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack
2046899144
win 0 (DF)
13:32:20.699272 10.10.0.135.2331 > 10.10.100.254.81: S
2046899143:2046899143(0) win 65535  (DF)
13:32:20.699297 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win
0
(DF)
13:32:21.181005 10.10.100.254 > 10.10.0.135: icmp: echo reply
13:32:21.202344 10.10.0.135.2331 > 10.10.100.254.81: S
2046899143:2046899143(0) win 65535  (DF)
13:32:21.202368 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win
0
(DF)

Now I turned pf on and got this:
# tcpdump -i xl0|grep 81
tcpdump: listening on xl0, link-type EN10MB
13:34:44.554439 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)
13:34:47.497787 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)
13:34:49.816656 10.10.0.48.netbios-ns > 10.10.255.255.netbios-ns: udp 50
13:34:52.226812 10.10.100.254 > 10.10.0.135: icmp: echo reply
13:34:53.434122 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)

Help me please folks, I need this rdr working TODAY.

Thanks in advance!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
Sent: Tuesday, 23 September 2008 11:30
To: misc@openbsd.org
Subject: PF cannot RDR connections

I used to do this easily but it's failing now.

xl0 = 10.10.100.254
xl1 = internet

This is my /etc/pf.conf

# external interface (WAN)
ext_if="xl1"
# internal interface (LAN)
int_if="xl0"
#set skip on lo
#scrub in
rdr on xl1 proto tcp from any to xl1 port 8101 -> 10.10.100.21 port 8101
rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
#
# NAT
#
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $ext_if from 10.10.0.0/16 -> $ext_if
pass in all
pass out all
#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

Note:

I can access http://10.10.0.2
It fails when I try to access http://10.10.100.254:81

What's wrong, folks?





# pfctl -sn
nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
rdr on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.100.21 port 8101
rdr on xl0 inet proto tcp from any to 10.10.100.254 port = 81 -> 10.10.0.2 port 80
#

RES: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
No one can help me on this?
I have just one hour to finish this 'job'.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
Sent: Tuesday, 23 September 2008 16:21
To: misc@openbsd.org
Subject: RES: PF cannot RDR connections

I am lost.
NAT is working but I can't do a single rdr.
Any clue?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
Sent: Tuesday, 23 September 2008 13:31
To: misc@openbsd.org
Subject: RES: PF cannot RDR connections

I was monitoring with tcpdump -i xl0, disabled pf, tried to access
http://10.10.100.254:81 and saw this:

13:30:38.976708 10.10.100.254.81 > 10.10.0.135.2321: R 0:0(0) ack 1 win
0
(DF)
13:30:40.007811 802.1d RSTP config flags=7c
role=DESIGNATED root=8000.0:f:cb:56:80:a0 rootcost=20004
bridge=8000.0:1e:c1:27:b0:80 port=9 ifcost=128 age=2/0 max=20/0
hello=2/0
fwdelay=15/0

13:32:20.254337 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack
2046899144
win 0 (DF)
13:32:20.699272 10.10.0.135.2331 > 10.10.100.254.81: S
2046899143:2046899143(0) win 65535  (DF)
13:32:20.699297 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win
0
(DF)
13:32:21.181005 10.10.100.254 > 10.10.0.135: icmp: echo reply
13:32:21.202344 10.10.0.135.2331 > 10.10.100.254.81: S
2046899143:2046899143(0) win 65535  (DF)
13:32:21.202368 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win
0
(DF)

Now I turned pf on and got this:
# tcpdump -i xl0|grep 81
tcpdump: listening on xl0, link-type EN10MB
13:34:44.554439 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)
13:34:47.497787 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)
13:34:49.816656 10.10.0.48.netbios-ns > 10.10.255.255.netbios-ns: udp 50
13:34:52.226812 10.10.100.254 > 10.10.0.135: icmp: echo reply
13:34:53.434122 10.10.0.135.2378 > 10.10.100.254.81: S
3759662737:3759662737(0) win 65535  (DF)

Help me please folks, I need this rdr working TODAY.

Thanks in advance!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
Sent: Tuesday, 23 September 2008 11:30
To: misc@openbsd.org
Subject: PF cannot RDR connections

I used to do this easily but it's failing now.

xl0 = 10.10.100.254
xl1 = internet

This is my /etc/pf.conf

# external interface (WAN)
ext_if="xl1"
# internal interface (LAN)
int_if="xl0"
#set skip on lo
#scrub in
rdr on xl1 proto tcp from any to xl1 port 8101 -> 10.10.100.21 port 8101
rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
#
# NAT
#
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $ext_if from 10.10.0.0/16 -> $ext_if
pass in all
pass out all
#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

Note:

I can access http://10.10.0.2
It fails when I try to access http://10.10.100.254:81

What's wrong, folks?





# pfctl -sn
nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
rdr on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.100.21 port 8101
rdr on xl0 inet proto tcp from any to 10.10.100.254 port = 81 -> 10.10.0.2 port 80
#

RES: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
I tried to do this rdr just to test.
Here is what I really need then:

# pfctl  -sn
nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
rdr pass on xl1 inet proto tcp from any to (xl1) port = 8101 -> 10.10.100.21 port 8101
#

So? It's not the problem as you related.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wade, Daniel
Sent: Tuesday, 23 September 2008 16:51
To: misc@openbsd.org
Subject: Re: PF cannot RDR connections

Your problem, as I stated off list, is that you are rdr to and from hosts on
the same subnet.
These are all 10.10/16 addresses.
10.10.100.254 is an address on the firewall


Here's what's happening.

10.10.0.135.4552 -> 10.10.100.254.81
Which gets switched to
10.10.0.135.4552 -> 10.10.0.2.81

Then 0.2 replies directly back to 0.135 because it's local, skipping your firewall

10.10.0.2.81 -> 10.10.0.135.4552
This is bypassing your firewall and messing you up.

0.135 knows nothing about this 0.2 guy.  It didn't connect to him.
It's looking for a reply from 100.254




> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Ricardo Augusto de Souza
> Sent: Tuesday, September 23, 2008 3:40 PM
> To: misc@openbsd.org
> Subject: RES: PF cannot RDR connections
>
> No one can help me on this?
> I have just one hour to finish this 'job'.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo
> Augusto de Souza
> Sent: Tuesday, 23 September 2008 16:21
> To: misc@openbsd.org
> Subject: RES: PF cannot RDR connections
>
> I am lost.
> Nat is working but I can't do any single rdr.
> Any clue?
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo
> Augusto de Souza
> Sent: Tuesday, 23 September 2008 13:31
> To: misc@openbsd.org
> Subject: RES: PF cannot RDR connections
>
> I was monitoring tcpdump -i xl0, disabled pf and tried to access
> http://10.10.100.254:81 and I saw this:
>
> 13:30:38.976708 10.10.100.254.81 > 10.10.0.135.2321: R 0:0(0) ack 1 win 0 (DF)
> 13:30:40.007811 802.1d RSTP config flags=7c role=DESIGNATED root=8000.0:f:cb:56:80:a0 rootcost=20004 bridge=8000.0:1e:c1:27:b0:80 port=9 ifcost=128 age=2/0 max=20/0 hello=2/0 fwdelay=15/0
>
> 13:32:20.254337 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 2046899144 win 0 (DF)
> 13:32:20.699272 10.10.0.135.2331 > 10.10.100.254.81: S 2046899143:2046899143(0) win 65535  (DF)
> 13:32:20.699297 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0 (DF)
> 13:32:21.181005 10.10.100.254 > 10.10.0.135: icmp: echo reply
> 13:32:21.202344 10.10.0.135.2331 > 10.10.100.254.81: S 2046899143:2046899143(0) win 65535  (DF)
> 13:32:21.202368 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0 (DF)
>
> Now I turn pf on and I got this:
> # tcpdump -i xl0|grep 81
> tcpdump: listening on xl0, link-type EN10MB
> 13:34:44.554439 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535  (DF)
> 13:34:47.497787 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535  (DF)
> 13:34:49.816656 10.10.0.48.netbios-ns > 10.10.255.255.netbios-ns: udp 50
> 13:34:52.226812 10.10.100.254 > 10.10.0.135: icmp: echo reply
> 13:34:53.434122 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535  (DF)
>
> Help me please folks, I need this rdr working TODAY.
>
> Thanks in advance!
>

ENC: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
I have two links to the internet.

I am testing it from the other link and it's not working.
As I told before, I had these rules working on an older version of OpenBSD (not
on the same hardware).
Now my boss told me to replace OpenBSD because I can't do a single rdr that
worked in the past.

That sucks.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
Jackson
Sent: Tuesday, 23 September 2008 17:46
To: misc@openbsd.org
Subject: Re: PF cannot RDR connections

If that's the case the original poster should take a look:
   http://openbsd.org/faq/pf/rdr.html#reflect

I've had to solve similar problems by NAT'ing the internal network(s) to
the firewall's internal interface IP so that traffic hitting the internal
server appears to come from the firewall itself.

On Tue, Sep 23, 2008 at 03:50:48PM -0400, Wade, Daniel wrote:
> Your problem, as I stated off list, is that you are rdr to and from hosts on
> the same subnet.
> These are all 10.10/16 addresses.
> 10.10.100.254 is an address on the firewall

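As an added illustration (not code from the thread), here is a small Python model of the asymmetric reply path Wade describes above and of the "reflection" fix John Jackson points to: the client, server and firewall addresses are the ones quoted in the thread, pf is simulated in-process with one rdr rule, an optional nat-to-internal-interface rule and a state table, and the source port is kept unchanged where real pf would pick a fresh one.

```python
"""Model of the PF rdr 'reflection' problem from this thread.

Constructed example: the addresses below are the ones quoted in the thread,
the firewall, client and server are simulated in-process, nothing is sent.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("10.10.0.0/16")      # the xl0 side; client and server both live here
FW_INT = IPv4Address("10.10.100.254")  # firewall's xl0 address, the rdr target in the thread
CLIENT = IPv4Address("10.10.0.135")    # host whose connection was tcpdump'd
SERVER = IPv4Address("10.10.0.2")      # real web server behind the rdr


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int

    def reply(self) -> "Packet":
        """The answer a host sends back to whoever the packet appeared to come from."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Firewall:
    """Minimal stand-in for pf on xl0: one rdr rule, an optional
    'nat on $int_if from any to 10.10.0.2 -> $int_if' rule, and a state table."""

    def __init__(self, reflect_nat: bool):
        self.reflect_nat = reflect_nat
        self.state = {}  # reply 4-tuple (src, sport, dst, dport) -> original packet

    def forward(self, pkt: Packet) -> Packet:
        orig = pkt
        # rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
        if pkt.dst == FW_INT and pkt.dport == 81:
            pkt = replace(pkt, dst=SERVER, dport=80)
        # the reflection fix: rewrite the source so the server answers the firewall
        # (real pf also picks a fresh source port; the model keeps the client's port)
        if self.reflect_nat and pkt.dst == SERVER:
            pkt = replace(pkt, src=FW_INT)
        self.state[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def untranslate(self, reply: Packet) -> Packet:
        """Reverse both translations for a reply that came back through the firewall."""
        orig = self.state[(reply.src, reply.sport, reply.dst, reply.dport)]
        return orig.reply()


def server_reply_goes_via_firewall(reply: Packet) -> bool:
    """A LAN host delivers directly to any other address on its own subnet, so the
    firewall only sees the reply when the reply is addressed to the firewall itself."""
    return not (reply.dst in LAN and reply.dst != FW_INT)


def simulate(reflect_nat: bool) -> dict:
    """Send one SYN from the client and report what the client gets back."""
    fw = Firewall(reflect_nat)
    syn = Packet(CLIENT, 4552, FW_INT, 81)   # client connects to 10.10.100.254:81 ...
    expected_from = (FW_INT, 81)             # ... and expects the SYN-ACK from exactly that
    on_the_wire = fw.forward(syn)
    reply = on_the_wire.reply()              # the server answers whoever it saw
    via_fw = server_reply_goes_via_firewall(reply)
    if via_fw:
        reply = fw.untranslate(reply)
    seen_from = (reply.src, reply.sport)
    return {
        "server_saw_src": on_the_wire.src,
        "reply_via_firewall": via_fw,
        "client_saw_reply_from": seen_from,
        "handshake_matches": seen_from == expected_from,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("reflect nat" if flag else "rdr only   ", simulate(flag))
```

Without the nat rule the reply reaches the client straight from 10.10.0.2:80, which the client never spoke to, so the handshake never completes; with it the server talks to the firewall and the firewall undoes both translations.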
RES: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
Last tests:

# tcpdump  -i xl1 'port 8101'
tcpdump: listening on xl1, link-type EN10MB
18:20:52.383277 200217182188.user.veloxzone.com.br.49793 > smtp.cmtsp.com.br.8101: S 2769173131:2769173131(0) win 8192  (DF)
18:20:55.417702 200217182188.user.veloxzone.com.br.49793 > smtp.cmtsp.com.br.8101: S 2769173131:2769173131(0) win 8192  (DF)
18:21:02.480542 200217182188.user.veloxzone.com.br.49793 > smtp.cmtsp.com.br.8101: S 2769173131:2769173131(0) win 8192  (DF)
18:21:53.613573 200217182188.user.veloxzone.com.br.49798 > smtp.cmtsp.com.br.8101: S 1643268974:1643268974(0) win 8192  (DF)
18:21:55.627844 200217182188.user.veloxzone.com.br.49798 > smtp.cmtsp.com.br.8101: S 1643268974:1643268974(0) win 8192  (DF)
18:22:01.644203 200217182188.user.veloxzone.com.br.49798 > smtp.cmtsp.com.br.8101: S 1643268974:1643268974(0) win 8192  (DF)
^C
3783 packets received by filter
0 packets dropped by kernel
# ping  smtp.cmtsp.com.br
PING smtp.cmtsp.com.br (189.57.43.2): 56 data bytes
--- smtp.cmtsp.com.br ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
# host 200.162.41.34
34.41.162.200.in-addr.arpa domain name pointer smtp.cmtsp.com.br.
# host smtp.cmtsp.com.br
smtp.cmtsp.com.br has address 189.57.43.2
# pfctl -sn
nat on xl1 from ! (xl1) to any -> (xl1:0)
rdr pass log (all, to pflog1) on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.0.2 port 80
#


WHAT IS WRONG WITH MY RDR NOW?




RES: RES: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
Yes, I am sure.
I am connected to the internet using OpenBSD as gateway.


-Original Message-
From: Mark Rolen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 September 2008 18:42
To: misc@openbsd.org; Ricardo Augusto de Souza
Subject: Re: RES: PF cannot RDR connections

Ricardo Augusto de Souza wrote:
> Last tests:
>
> # tcpdump  -i xl1 'port 8101'
> tcpdump: listening on xl1, link-type EN10MB
> 18:20:52.383277 200217182188.user.veloxzone.com.br.49793 > smtp.cmtsp.com.br.8101: S 2769173131:2769173131(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
> 
>
>
> WHAT IS WRONG WITH MY RDR NOW?
>

Dumb question perhaps, but if this is a newly built box, are you sure
you've turned on IP forwarding?



RES: RES: PF cannot RDR connections

2008-09-23 Thread Ricardo Augusto de Souza
Thanks, but I need to do that by myself.
As I told you, I had those rules working on old versions.

# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Sep 23 19:19:23.465003 rule 0/(match) rdr in on xl1: 189.84.171.36.1439 > 10.10.100.21.8101: [|tcp] (DF)
Sep 23 19:20:04.079117 rule 1/(match) rdr in on xl1: 189.84.171.36.1447 > 10.10.0.2.80: [|tcp] (DF)

^Z[3] + Suspended   tcpdump -n -e -ttt -i pflog0
# pfctl  -sn
nat on xl1 inet from 10.10.0.0/16 to ! (xl1) -> 200.162.41.35
rdr log on xl1 inet proto tcp from any to 200.162.41.35 port = www -> 10.10.100.21 port 8101
rdr log on xl1 inet proto tcp from any to 200.162.41.35 port = 8101 -> 10.10.0.2 port 80
#


It's all configured ok.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stuart
Henderson
Sent: Tuesday, 23 September 2008 18:58
To: misc@openbsd.org
Subject: Re: RES: PF cannot RDR connections

On 2008-09-23, Ricardo Augusto de Souza <[EMAIL PROTECTED]> wrote:
> No one can help me on this?
> I have just one hour to finish this 'job'.

Maybe someone from http://www.openbsd.org/support.html#Brazil

> Help me please folks, I need this rdr working TODAY.

Sorry, free voluntary support doesn't really work like this.



RES: Problems to compile squid with ldap auth on openBSD 4.3

2008-09-24 Thread Ricardo Augusto de Souza
# FLAVOR="ldap" make install

test -z "/usr/local/bin" || mkdir -p -- "/usr/ports/www/squid/w-squid-2.7.STABLE3-ldap/fake-i386-ldap/usr/local/bin"
  install -c -s -o root -g bin -m 555 'squidclient' '/usr/ports/www/squid/w-squid-2.7.STABLE3-ldap/fake-i386-ldap/usr/local/bin/squidclient'
test -z "/usr/local/libexec" || mkdir -p -- "/usr/ports/www/squid/w-squid-2.7.STABLE3-ldap/fake-i386-ldap/usr/local/libexec"
  install -c -s -o root -g bin -m 555 'cachemgr.cgi' '/usr/ports/www/squid/w-squid-2.7.STABLE3-ldap/fake-i386-ldap/usr/local/libexec/cachemgr.cgi'
install -c -o root -g bin -m 444 /usr/ports/www/squid/w-squid-2.7.STABLE3-ldap/squid-2.7.STABLE3/tools/cachemgr.conf /usr/ports/www/squid/w-squid-2.7.STABLE3-ldap/fake-i386-ldap/etc/cachemgr.conf
===>  Building package for squid-2.7.STABLE3-ldap
Create /usr/ports/packages/i386/all/squid-2.7.STABLE3-ldap.tgz
Unknown element: @bin bin/squidclient
===>  Cleaning for squid-2.7.STABLE3-ldap
rm -f /usr/ports/packages/i386/all/squid-2.7.STABLE3-ldap.tgz /usr/ports/packages/i386/ftp/squid-2.7.STABLE3-ldap.tgz /usr/ports/packages/i386/cdrom/squid-2.7.STABLE3-ldap.tgz
*** Error code 1

Stop in /usr/ports/www/squid (line 1422 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/squid (line 1962 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/squid (line 1452 of /usr/ports/infrastructure/mk/bsd.port.mk).
#


Almost there.


thanks
-Original Message-
From: Giancarlo Razzolini [mailto:[EMAIL PROTECTED] On Behalf Of Giancarlo
Razzolini
Sent: Tuesday, 23 September 2008 14:34
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: Problems to compile squid with ldap auth on openBSD 4.3

Ricardo Augusto de Souza escreveu:
> Hi,
>
> I got some errors trying to compile squid with ldap auth on openbsd 4.3.
>
> I used squid from ports and  compiled its source and I got same error
> when I add "--enable-auth="basic digest LDAP" \  and
> --enable-basic-auth-helpers="NCSA YP LDAP" \ to ./configure.
>
>
>
> Note I have already installed OpenLDAP .
>
>
>
> Can anyone help me please?
>
> Thanks
>
I took a look at the -current tree of the ports and noticed they've
created a new flavor of squid called ldap. This solves a problem that I
had for a long time compiling ldap-auth on squid with OpenBSD. I did
make 2 patches, one for squid-ldap-auth and another for squid-group-auth.
I recommend that you check out the -current version of ports, and try to
compile squid the following way:

FLAVOR="ldap" make install

If it works, then you're done. If it does not work, I assume you might have
to compile the -current kernel and userland. Or, I could send you the
patches I made for it. Since this list has demime, ask me and I'll send
you the patches in private. But first, try with ports.

My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Help with pf

2008-09-26 Thread Ricardo Augusto de Souza
# pfctl -e
pf enabled
# ping www.terra.com.br
PING www.terra.com.br (200.176.3.142): 56 data bytes
ping: sendto: No route to host
ping: wrote www.terra.com.br 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote www.terra.com.br 64 chars, ret=-1
--- www.terra.com.br ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

# cat /etc/pf.conf
# external interface (WAN)
ext_if="xl1"
# internal interface (LAN)
int_if="xl0"
# MPLS interface
mpls_if ="bge0"
#Default GW
gw="200.162.41.33"

# Variables
##

#
#1 - Redirect to the staging environment
###
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"


#2 - Useful variables

lan = "{ 10.10.0.0/16 }"
rede_mpls  = "{ 10.100.0.0/26 }"
ip_admin = "{ 10.10.0.135 }"
portas_saida_tcp = " {25, 80, 110 }"
portas_saida_udp = " { 53 }"
portas_entrada_tcp = " { 22} "

###
set skip on lo
scrub in

# redirect to the LAN; NAT was needed as well.
rdr pass on xl1 inet proto tcp from any to xl1 port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if

#
# NAT  ##
#

# NAT to give the LAN access to the internet
#nat on bge0  from $lan to $rede_mpls -> 10.100.1.1  # MPLS
nat on $ext_if from $lan to !($ext_if) -> $ext_if

# block everything in and everything out
block in all
block out all

# inbound rules

# allow everything in on the internal interface
pass in quick on $int_if proto udp from $lan to $int_if port 53
pass in quick on $int_if from $lan to any keep state

# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state

# outbound rules
pass out on $int_if
pass out on $mpls_if
pass out on lo
pass out on $ext_if from any to $gw
pass out on $ext_if proto tcp from $lan to any port $portas_saida_tcp
pass out on $ext_if from $ip_admin to any



Question 1) What am I doing wrong? When I turn pf on I am not able to
connect to the internet.

# pfctl -d
pf disabled
# ping www.terra.com.br
PING www.terra.com.br (200.176.3.142): 56 data bytes
64 bytes from 200.176.3.142: icmp_seq=0 ttl=250 time=33.663 ms
64 bytes from 200.176.3.142: icmp_seq=1 ttl=250 time=33.943 ms
--- www.terra.com.br ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 33.663/33.803/33.943/0.140 ms





Question 2) How do I set the correct route to the mpls network for my clients
(10.10.0.0/24)?

# ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1): 56 data bytes
64 bytes from 10.100.1.1: icmp_seq=0 ttl=255 time=2.980 ms
64 bytes from 10.100.1.1: icmp_seq=1 ttl=255 time=1.570 ms
--- 10.100.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.570/2.275/2.980/0.705 ms
#



Thanks



How do I add nat to other subnet in pf

2008-09-26 Thread Ricardo Augusto de Souza
I already have nat configured in pf.conf.

It's working well and all my clients are connected to the internet.

I need to tell OpenBSD to route when my clients try to access subnet
10.100.0.0/26.

From OpenBSD I can access this network.

I think when I add the other nat rule in pf it's missing something. The nat rule is
commented out and has a mark called MPLS.



I have this:

# ifconfig
lo0: flags=8049 mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
em0: flags=8802 mtu 1500
        lladdr 00:11:25:7f:86:28
        media: Ethernet autoselect (none)
        status: no carrier
bge0: flags=8843 mtu 1500
        lladdr 00:10:18:16:14:1b
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::210:18ff:fe16:141b%bge0 prefixlen 64 scopeid 0x2
        inet 10.100.1.3 netmask 0xff00 broadcast 255.255.255.192
bge1: flags=8802 mtu 1500
        lladdr 00:10:18:16:0e:8a
        media: Ethernet autoselect (none)
        status: no carrier
xl0: flags=8943 mtu 1500
        lladdr 00:0a:5e:63:7e:2e
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.10.100.254 netmask 0x broadcast 10.10.255.255
        inet6 fe80::20a:5eff:fe63:7e2e%xl0 prefixlen 64 scopeid 0x4
xl1: flags=8843 mtu 1500
        lladdr 00:0a:5e:63:7d:72
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 200.162.41.XX netmask 0xfff8 broadcast 200.162.41.39
        inet6 fe80::20a:5eff:fe63:7d72%xl1 prefixlen 64 scopeid 0x5
enc0: flags=0<> mtu 1536
pflog0: flags=141 mtu 33208
        groups: pflog
#





# cat /etc/pf.conf
# external interface (WAN)
ext_if="xl1"
# internal interface (LAN)
int_if="xl0"
# MPLS interface
mpls_if ="bge0"
#Default GW
gw="200.162.41.1"

# Variables
##

#
#1 - Redirect to the staging environment
###
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"


#2 - Useful variables

lan = "{ 10.10.0.0/16 }"
rede_mpls  = "{ 10.100.0.0/26 }"
ip_admin = "{ 10.10.0.135 }"
portas_saida_tcp = " {25, 80, 110 }"
portas_saida_udp = " { 53 }"
portas_entrada_tcp = " { 22} "

###
#options
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

# redirect to the LAN; NAT was needed as well.
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if

#
# NAT  ##
#

# NAT to give the LAN access to the internet
nat on $ext_if from $lan to !($ext_if) -> $ext_if
#nat on $ext_if  from $lan to $rede_mpls -> 10.100.1.1   #MPLS

# block everything in and everything out
block in on $ext_if

# inbound rules

# allow everything in on the internal interface
pass in quick on $int_if proto udp from $lan to $int_if port 53
pass in quick on $int_if from $lan to any keep state

# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state

# outbound rules
antispoof quick for { lo $int_if }
pass out on $int_if keep state

#
# forbid all outbound traffic
block out on $ext_if
pass out on $ext_if from $ext_if to any

pass out quick on $ext_if proto tcp from $lan to any port $portas_saida_tcp

# full access for the administrators
pass out on $ext_if from $ip_admin to any
#











Dmesg:

# dmesg
OpenBSD 4.3 (CMT) #0: Wed Sep 24 09:52:31 BRT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/CMT
cpu0: Intel(R) Pentium(R) 4 CPU 2.13GHz ("GenuineIntel" 686-class) 2.13 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem  = 1072697344 (1023MB)
avail mem = 1032876032 (985MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/16/05, BIOS32 rev. 0 @ 0xfd5b6, SMBIOS rev. 2.33 @ 0x3ff77000 (46 entries)
bios0: vendor IBM version "-[KEE134AUS-1.34]-" date 06/16/2005
bios0: IBM CORPORATION -[84824RU]-
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1000 0xcb000/0x9c00 0xd5000/0x2000 0xd7000/0x2000 0xd9000/0x800 0xd9800/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 3 function 0 "Intel 82875P CSA" rev 0x02
pci1 at ppb0 bus 2
em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq 5, address 00:11:25:7f:86:28
ppb

RES: LDAP and OpenBSD

2008-10-10 Thread Ricardo Augusto de Souza
I'd like to do the same here.
I wanna integrate obsd with Microsoft AD.
Share with us your findings.
I will do the same if I got it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of raven
Sent: Friday, 10 October 2008 14:52
To: OpenBSD misc mailing list
Subject: LDAP and OpenBSD

Hi misc :)

I'm thinking how my users into an ldap db can login into my openbsd
machine as users. I try to use google but no clue at all.
Thanks guys :)

Francesco



Help PF/NAT rules

2009-03-25 Thread Ricardo Augusto de Souza
Hi,

I have this environment:

  Server A ( OpenBSD 4.4 ), with poptop and PF and windows clients
connecting via pptp client.

Problem:  vpn clients cannot access network 10.10.0.0/24 but they are
able to access 10.100.0.0/24.

The rules are the same, just this is different:
# route show
Routing tables

Internet:
Destination          Gateway            Flags  Refs   Use   Mtu  Prio Iface
default              189-57-43-1.custom UGS       1   397     -    48 vic0
10.10/16             link#3             UC        2     0     -    48 vic2
10.10.0.2            00:11:0a:a0:a8:c4  UHLc      0    11     -    48 vic2
10.10.100.254        00:0a:5e:63:7e:2e  UHLc      0    27     -    48 vic2
10.100.0/24          10.100.1.1         UGS       0    86     -    48 vic3
10.100.1/24          link#4             UC        1     0     -    48 vic3
10.100.1.1           00:60:2e:10:10:6b  UHLc      7     6     -    48 vic3
10.100.2/24          10.100.1.1         UGS       0     0     -    48 vic3
10.100.3/24          10.100.1.1         UGS       0     0     -    48 vic3
10.100.4/24          10.100.1.1         UGS       0     0     -    48 vic3
10.100.5/24          10.100.1.1         UGS       0     0     -    48 vic3
10.100.6/24          10.100.1.1         UGS       0     0     -    48 vic3
10.100.7/24          10.100.1.1         UGS       0     0     -    48 vic3
loopback             localhost          UGRS      0     0 33204    48 lo0
localhost            localhost          UH        1     0 33204    48 lo0
172.16.0.2           172.16.0.1         UH        0    96  1400    48 tun0
189-57-43-0.custom   link#1             UC        3     0     -    48 vic0
189-57-43-1.custom   00:16:e0:33:3b:e4  UHLc      1     0     -    48 vic0
189-57-43-3.custom   00:10:18:16:0e:8a  UHLc      1  1288     -    48 vic0
189-57-43-5.custom   00:0c:29:4c:b2:d4  UHLc      2   473     -    48 vic0
200.162.41.32/28     link#2             UC        1     0     -    48 vic1
200.162.41.33        00:60:2e:10:1e:a3  UHLc      0     0     -    48 vic1
BASE-ADDRESS.MCAST   localhost          URS       0     0 33204    48 lo0





# ifconfig
lo0: flags=8049 mtu 33204
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
vic0: flags=8843 mtu 1500
        lladdr 00:0c:29:92:4d:05
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 189.57.XXX.XXX netmask 0xfff8 broadcast 189.57.43.7
        inet6 fe80::20c:29ff:fe92:4d05%vic0 prefixlen 64 scopeid 0x1
vic1: flags=8843 mtu 1500
        lladdr 00:0c:29:92:4d:0f
        media: Ethernet autoselect
        status: active
        inet 200.162.XXX.XXX netmask 0xfff0 broadcast 200.162.41.47
        inet6 fe80::20c:29ff:fe92:4d0f%vic1 prefixlen 64 scopeid 0x2
vic2: flags=8843 mtu 1500
        lladdr 00:0c:29:92:4d:19
        media: Ethernet autoselect
        status: active
        inet 10.10.100.252 netmask 0x broadcast 10.10.255.255
        inet6 fe80::20c:29ff:fe92:4d19%vic2 prefixlen 64 scopeid 0x3
vic3: flags=8843 mtu 1500
        lladdr 00:0c:29:92:4d:23
        media: Ethernet autoselect
        status: active
        inet 10.100.1.33 netmask 0xff00 broadcast 10.100.1.255
        inet6 fe80::20c:29ff:fe92:4d23%vic3 prefixlen 64 scopeid 0x4
enc0: flags=0<> mtu 1536
pflog0: flags=141 mtu 33204
        groups: pflog

pf.conf:

# cat /etc/pf.conf
ext_if="vic0"
ext2_if="vic1"
int_if="vic2"
mpls_if="vic3"
vpn_net="{ 172.16.0.0/24 }"
vpn_if="{ tun0, tun1, tun2, tun3 }"
dtc_mpls="10.100.0.0/24"
dtc_internet="200.143.33.0/24"
rede_cmt="10.10.0.0/24"
set skip on { lo $int_if }
#
nat on $mpls_if from $vpn_net to $dtc_mpls tag VPN_DTC -> $mpls_if
nat on $int_if from $vpn_net to $rede_cmt -> $int_if
#
#block in
pass in all
pass out keep state

pptpd.conf:
speed 230400
debug
option /etc/ppp/ppp.conf
logfile /var/log/pptpd.log
localip 172.16.0.1
remoteip 172.16.0.2-10
listen 189.57.XXX.
nobsdcomp
+chapms-v2
mppe-40
mppe-128
mppe-stateless
noipparam

Logs:
# tcpdump -i vic3 'dst host 10.100.0.1'
tcpdump: listening on vic3, link-type EN10MB
09:28:56.888286 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:57.745042 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:58.754855 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:59.727557 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:00.725761 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:01.848215 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:02.822952 10.100.1.33 > 10.100.0.1: icmp: echo request

# tcpdump -i vic2 'dst host 10.10.0.2'
tcpdump: listening on vic2, link-type EN10MB
09:31:44.415521 172.16.0.2 > 10.10.0.2: icmp: echo request
09:31:46.452796 172.16.0.2 > 10.10.0.2: icmp: echo request
09:31:51.429198 172.16.0.2 > 10.10.0.2: icmp: echo req

RES: Help PF/NAT rules

2009-03-25 Thread Ricardo Augusto de Souza
Can anyone help me please.

When I connect via vpn I got an ip 172.16.0.2 and I set it as default route.
I am able to ping 172.16.0.1 ( tun0 in openBSD).

When I ping a 10.100/16 ip I am able to reach it:
# tcpdump -i vic3 'dst host 10.100.0.1'
tcpdump: listening on vic3, link-type EN10MB
09:28:56.888286 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:57.745042 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:58.754855 10.100.1.33 > 10.100.0.1: icmp: echo request

When I try to ping 10.10.0.2 I see this in openBSD:
# tcpdump -i vic2 'dst host 10.10.0.2'
tcpdump: listening on vic2, link-type EN10MB
09:31:44.415521 172.16.0.2 > 10.10.0.2: icmp: echo request
09:31:46.452796 172.16.0.2 > 10.10.0.2: icmp: echo request
09:31:51.429198 172.16.0.2 > 10.10.0.2: icmp: echo request

Thanks


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Ricardo
Augusto de Souza
Sent: Wednesday, 25 March 2009 12:18
To: misc@openbsd.org
Subject: Help PF/NAT rules

Hi,



I have this environment:



  Server A ( OpenBSD 4.4 ), with poptop and PF and windows clients
connecting via pptp client.



Problem:  vpn clients cannot access network 10.10.0.0/24 but they are
able to access 10.100.0.0/24.

The rules are the same, just this is different:

# route show
Routing tables

Internet:
Destination         Gateway             Flags   Refs   Use    Mtu  Prio  Iface
default             189-57-43-1.custom  UGS        1   397      -    48  vic0
10.10/16            link#3              UC         2     0      -    48  vic2
10.10.0.2           00:11:0a:a0:a8:c4   UHLc       0    11      -    48  vic2
10.10.100.254       00:0a:5e:63:7e:2e   UHLc       0    27      -    48  vic2
10.100.0/24         10.100.1.1          UGS        0    86      -    48  vic3
10.100.1/24         link#4              UC         1     0      -    48  vic3
10.100.1.1          00:60:2e:10:10:6b   UHLc       7     6      -    48  vic3
10.100.2/24         10.100.1.1          UGS        0     0      -    48  vic3
10.100.3/24         10.100.1.1          UGS        0     0      -    48  vic3
10.100.4/24         10.100.1.1          UGS        0     0      -    48  vic3
10.100.5/24         10.100.1.1          UGS        0     0      -    48  vic3
10.100.6/24         10.100.1.1          UGS        0     0      -    48  vic3
10.100.7/24         10.100.1.1          UGS        0     0      -    48  vic3
loopback            localhost           UGRS       0     0  33204    48  lo0
localhost           localhost           UH         1     0  33204    48  lo0
172.16.0.2          172.16.0.1          UH         0    96   1400    48  tun0
189-57-43-0.custom  link#1              UC         3     0      -    48  vic0
189-57-43-1.custom  00:16:e0:33:3b:e4   UHLc       1     0      -    48  vic0
189-57-43-3.custom  00:10:18:16:0e:8a   UHLc       1  1288      -    48  vic0
189-57-43-5.custom  00:0c:29:4c:b2:d4   UHLc       2   473      -    48  vic0
200.162.41.32/28    link#2              UC         1     0      -    48  vic1
200.162.41.33       00:60:2e:10:1e:a3   UHLc       0     0      -    48  vic1
BASE-ADDRESS.MCAST  localhost           URS        0     0  33204    48  lo0





# ifconfig

lo0: flags=8049 mtu 33204
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
vic0: flags=8843 mtu 1500
        lladdr 00:0c:29:92:4d:05
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 189.57.XXX.XXX netmask 0xfff8 broadcast 189.57.43.7
        inet6 fe80::20c:29ff:fe92:4d05%vic0 prefixlen 64 scopeid 0x1
vic1: flags=8843 mtu 1500
        lladdr 00:0c:29:92:4d:0f
        media: Ethernet autoselect
        status: active
        inet 200.162.XXX.XXX netmask 0xfff0 broadcast 200.162.41.47
        inet6 fe80::20c:29ff:fe92:4d0f%vic1 prefixlen 64 scopeid 0x2
vic2: flags=8843 mtu 1500
        lladdr 00:0c:29:92:4d:19
        media: Ethernet autoselect
        status: active
        inet 10.10.100.252 netmask 0x broadcast 10.10.255.255
        inet6 fe80::20c:29ff:fe92:4d19%vic2 prefixlen 64 scopeid 0x3
vic3: flags=8843 mtu 1500
        lladdr 00:0c:29:92:4d:23
        media: Ethernet autoselect
        status: active
        inet 10.100.1.33 netmask 0xff00 broadcast 10.100.1.255
        inet6 fe80::20c:29ff:fe92:4d23%vic3 prefixlen 64 scopeid 0x4
enc0: flags=0<> mtu 1536
pflog0: flags=141 mtu 33204
        groups: pflog



pf.conf:



# cat /etc/pf.conf
ext_if="vic0"
ext2_if="vic1"
int_if="vic2"
mpls_if="vic3"
vpn_net="{ 172.16.0.0/24 }"
vpn_if="{ tun0, tun1, tun2, tun3 }"
dtc_mpls="10.100.0.0/24"
dtc_internet="200.143.33.0/24"
rede_cmt="10.10.0.0/24"
set skip on { lo $int_if }
#
nat on $mpls_if from $vpn_ne
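
The quoted ruleset with its skip list corrected, as an added example (OpenBSD 4.4 syntax, built from the macros in the quoted pf.conf; it is not the poster's file and not OpenBSD project code). `set skip on` takes an interface out of pf entirely, translation included, so with `$int_if` (vic2) in the skip list the `nat on $int_if` rule is never consulted. That matches the vic2 capture above: 10.10.0.2 receives echo requests still sourced from 172.16.0.2, an address the 10.10 side most likely has no route back to (that last point is an assumption). The 10.100.0.0/24 path works because vic3 is not skipped. Only the `set skip` line and the explicit pass on vic2 differ from the quoted configuration:

```pf
# /etc/pf.conf, OpenBSD 4.4 syntax. Added example built from the poster's
# macros; not the poster's file. Only the skip list and the pass on vic2 differ.
ext_if="vic0"
ext2_if="vic1"
int_if="vic2"
mpls_if="vic3"
vpn_net="{ 172.16.0.0/24 }"
vpn_if="{ tun0, tun1, tun2, tun3 }"
dtc_mpls="10.100.0.0/24"
dtc_internet="200.143.33.0/24"
rede_cmt="10.10.0.0/24"

# Skip only the loopback. An interface in the skip list is never processed
# by pf, translation included, so with $int_if listed here the nat rule for
# $rede_cmt was dead and 10.10.0.2 saw packets from 172.16.0.2 directly.
set skip on lo

# VPN clients leave towards the MPLS network with vic3's address (as before)
nat on $mpls_if from $vpn_net to $dtc_mpls tag VPN_DTC -> ($mpls_if)
# ... and towards 10.10.0.0/24 with vic2's address (now actually applied)
nat on $int_if from $vpn_net to $rede_cmt -> ($int_if)

# vic2 stays effectively unfiltered: passing everything on it explicitly,
# unlike "set skip", still lets the nat rule above run.
pass quick on $int_if

pass in all
pass out keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -sn` should list both nat rules, and `tcpdump -ni vic2 dst host 10.10.0.2` during a ping from a VPN client should show vic2's own address (10.10.100.252) as the source instead of 172.16.0.2. If vic2 must not be touched by pf at all, the alternative is a static route for 172.16.0.0/24 via 10.10.100.252 on the 10.10 side, with no translation on that leg.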

OpenBSD on IBM 3550

2009-04-06 Thread Ricardo Augusto de Souza
Hi,



I have an IBM 3550 with SAS disks and an Adaptec ServeRAID 8k controller
and I am not able to install OpenBSD on it.

Installation didn't find any hard disk during installation.



According to http://www.openbsd.org/i386.html
it works with Adaptec ServeRAID.



If I change the SAS disks to SATA disks, will OpenBSD recognize them at
installation?





Thanks



RES: OpenBSD on IBM 3550

2009-04-06 Thread Ricardo Augusto de Souza
Really?

So http://www.openbsd.org/i386.html is wrong?

Because we can see this there:

"
RAID and Cache Controllers

ICP-Vortex and Intel GDT series (gdt) (A) (C)
Adaptec FSA-based RAID controllers (aac), including: (*)
Note: In the past years Adaptec has lied to us repeatedly about
forthcoming documentation which would have allowed us to stabilize,
improve and manage RAID support for these (rather buggy) raid
controllers.
As a result, we do not recommend the Adaptec cards for use.
Adaptec AAC-2622, AAC-364, AAC-3642, 2130S, 2200S, 2230SLP, 2410SA,
2610SA, 2810SA, 21610SA
Dell CERC-SATA, PERC 320/DC
Dell PERC 2/QC, PERC 2/Si, PERC 3/Si, PERC 3/D
HP NetRaid-4M
IBM ServeRAID-8i/8k/8s
"



As I can't install OpenBSD on the IBM 3550, I installed FreeBSD 7.1.
This is the dmesg:
http://ti.cmtsp.com.br:810/logs/dmesg_FreeBSD7.1_IBM3550.txt

FreeBSD shows:
aac0:  port 0x4000-0x40ff mem
0xcce0-0xccff,0xcafe-0xcaff irq 17 at device 0.0 on pci2
aac0: Enable Raw I/O
aac0: Enable 64-bit array
aac0: New comm. interface enabled
aac0: [ITHREAD]
aac0: ServeRAID 8k-l  , aac driver 2.0.0-1



-Original Message-
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Monday, 6 April 2009 19:07
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: OpenBSD on IBM 3550

your controller isn't supported.
unless it has i2o mode, try something else

Ricardo Augusto de Souza [ricardo.so...@cmtsp.com.br] wrote:
> Hi,
>
>
>
> I have an IBM 3550 with SAS disks and an Adaptec ServeRAID 8k controller
> and I am not able to install OpenBSD on it.
>
> Installation didn't find any hard disk during installation.
>
>
>
> According to http://www.openbsd.org/i386.html
> <http://www.openbsd.org/i386.html>  it works with Adaptec ServeRAID.
>
>
>
> If I change the SAS disks to SATA disks, will OpenBSD recognize them at
> installation?
>
>
>
>
>
> Thanks

--
the conservative, sandwich-heavy portfolio pays off for the hungry
investor.



RES: OpenBSD on IBM 3550

2009-04-06 Thread Ricardo Augusto de Souza
sdisplay0
uhidev1 at uhub4 port 3 configuration 1 interface 0 "vendor 0x15ca USB
Optical Mouse" rev 2.00/5.12 addr 4
uhidev1: iclass 3/1
uhid at uhidev1 not configured
softraid0 at root
root on rd0a swap on rd0b dump on rd0b
bnx1: address 00:1a:64:79:f1:5a
brgphy0 at bnx1 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
bnx0: address 00:1a:64:79:f1:58
brgphy1 at bnx0 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
umass0 at uhub0 port 3 configuration 1 interface 0 "LG Electronics USB
DISK" rev 2.00/11.00 addr 2
umass0: using SCSI over Bulk-Only



-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Ricardo Augusto de Souza
Sent: Monday, 6 April 2009 19:12
To: Chris Cappuccio; misc@openbsd.org
Subject: RES: OpenBSD on IBM 3550

Really?

So http://www.openbsd.org/i386.html is wrong?

Because we can see this there:

"
RAID and Cache Controllers

ICP-Vortex and Intel GDT series (gdt) (A) (C)
Adaptec FSA-based RAID controllers (aac), including: (*)
Note: In the past years Adaptec has lied to us repeatedly about
forthcoming documentation which would have allowed us to stabilize,
improve and manage RAID support for these (rather buggy) raid
controllers.
As a result, we do not recommend the Adaptec cards for use.
Adaptec AAC-2622, AAC-364, AAC-3642, 2130S, 2200S, 2230SLP, 2410SA,
2610SA, 2810SA, 21610SA
Dell CERC-SATA, PERC 320/DC
Dell PERC 2/QC, PERC 2/Si, PERC 3/Si, PERC 3/D
HP NetRaid-4M
IBM ServeRAID-8i/8k/8s
"



As I can't install OpenBSD on the IBM 3550, I installed FreeBSD 7.1.
This is the dmesg:
http://ti.cmtsp.com.br:810/logs/dmesg_FreeBSD7.1_IBM3550.txt

FreeBSD shows:
aac0:  port 0x4000-0x40ff mem
0xcce0-0xccff,0xcafe-0xcaff irq 17 at device 0.0 on pci2
aac0: Enable Raw I/O
aac0: Enable 64-bit array
aac0: New comm. interface enabled
aac0: [ITHREAD]
aac0: ServeRAID 8k-l  , aac driver 2.0.0-1



-Original Message-
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Monday, 6 April 2009 19:07
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: OpenBSD on IBM 3550

your controller isn't supported.
unless it has i2o mode, try something else

Ricardo Augusto de Souza [ricardo.so...@cmtsp.com.br] wrote:
> Hi,
>
>
>
> I have an IBM 3550 with SAS disks and an Adaptec ServeRAID 8k controller
> and I am not able to install OpenBSD on it.
>
> Installation didn't find any hard disk during installation.
>
>
>
> According to http://www.openbsd.org/i386.html
> <http://www.openbsd.org/i386.html>  it works with Adaptec ServeRAID.
>
>
>
> If I change the SAS disks to SATA disks, will OpenBSD recognize them at
> installation?
>
>
>
>
>
> Thanks

--
the conservative, sandwich-heavy portfolio pays off for the hungry
investor.



Build a custom kernel to installation

2009-04-07 Thread Ricardo Augusto de Souza
Hi,



I am able to compile a custom kernel.

But now I need to install OpenBSD 4.4 on an IBM 3550 with this custom
kernel*.

Will it work if, after I build the custom kernel, I copy /newbsd to the
installation CD and boot it during the installation?



Is there any documentation about this?


Thanks



RES: Build a custom kernel to installation

2009-04-07 Thread Ricardo Augusto de Souza
OK, I just saw it a few minutes ago.

Could you please tell me the steps I must follow?
Is it possible to enable it at boot -c?
I tried this:
boot -c
enable aac
enable scsi
disable acpi
exit

It also failed.


thanks

-Original Message-
From: Alexander Yurchenko [mailto:gra...@disorder.ru]
Sent: Tuesday, 7 April 2009 12:33
To: Robert
Cc: Ricardo Augusto de Souza; misc@openbsd.org
Subject: Re: Build a custom kernel to installation

On Tue, Apr 07, 2009 at 04:39:47PM +0200, Robert wrote:
> use -current, atm. Easiest way is to try a snapshot.

aac is not enabled in snapshots. you still need to build your own on
another machine.

> - Robert

--
Alexander Yurchenko



RES: Build a custom kernel to installation

2009-04-07 Thread Ricardo Augusto de Souza
Hi,
The 4.5 snapshot also failed to recognize the ServeRAID on the IBM 3550.


I also tried to boot 4.4 -current with my custom kernel (with aac and scsi at
aac enabled) but it failed too.
At boot, I typed /raidbsd (name of the file I created) but it failed.

I think I should read more about booting my custom kernel during the installation
process.

Thanks

-Original Message-
From: Robert [mailto:rob...@openbsd.pap.st]
Sent: Tuesday, 7 April 2009 11:40
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: Build a custom kernel to installation

On Tue, 7 Apr 2009 10:25:49 -0300
"Ricardo Augusto de Souza"  wrote:

> Hi,
>
>
>
> I am able to compile a custom kernel.
>
> But now I need to install OpenBSD 4.4 on an IBM 3550 with this
> custom kernel*.
>
> Will it work if, after I build the custom kernel, I copy /newbsd to the
> installation CD and boot it during the installation?
>
>
>
> Is there any documentation about this?
>
>
> Thanks

You can find all (most) you need to know concerning your situation in
the FAQ on the OpenBSD website.

More to the point of your email:
- All that won't help you get 4.4 running on the ServeRAID controller.
- The code for that is not in 4.4.
- You could backport the driver to the 4.4 code, but then it isn't 4.4
  anymore and you are on your own with/after that.
- You can not run a 4.5 or -current kernel on a 4.4 userland.

If you want to run OpenBSD on the 3550 using the ServeRAID you have to
use -current, atm. Easiest way is to try a snapshot.

But you were told all that before? So sorry if it was unnecessary to
point it out again.

- Robert



How can I create a custom ramdisk

2009-04-07 Thread Ricardo Augusto de Souza
Hi,



I want to find documentation about creating/booting a custom ramdisk.



I need to install OpenBSD on an IBM 3550 and it requires the aac* module.



Thanks



RES: How can I create a custom ramdisk

2009-04-08 Thread Ricardo Augusto de Souza
Hi,

I got some errors trying to create a new release with a custom OpenBSD
kernel.

Can anyone help me with the whole set of steps? After I create this new release, I
will need to install it on my IBM 3550.

I followed these steps: http://www.openbsd.org/faq/faq5.html#Release

I reproduced this on my OpenBSD 4.4 (kernel changed for aac support; this
isn't the IBM 3550 yet).
I also edited the GENERIC and RAMDISK_CD files in /usr/src/sys/arch/i386/conf


# cd /usr/src/etc
# make release

install -C -o root -g bin -m 444  bfd/mybfd.h /usr/dest/usr/include/bfd.h
install: bfd/mybfd.h: No such file or directory
*** Error code 71

Stop in /usr/src/gnu/usr.bin/binutils (line 155 of
/usr/src/gnu/usr.bin/binutils/Makefile.bsd-wrapper).
*** Error code 1

Stop in /usr/src/include (line 89 of Makefile).
*** Error code 1

Stop in /usr/src (line 61 of Makefile).
*** Error code 1

Stop in /usr/src/etc (line 249 of Makefile).




-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Ricardo
Augusto de Souza
Sent: Tuesday, 7 April 2009 14:19
To: misc@openbsd.org
Subject: How can I create a custom ramdisk

Hi,



I want to find documentation about creating/booting a custom ramdisk.



I need to install OpenBSD on an IBM 3550 and it requires the aac* module.



Thanks



Who runs OpenBSD with Adaptec ?

2009-04-09 Thread Ricardo Augusto de Souza
Hi,



I am trying to install OpenBSD 4.4 on an IBM 3550 7978 B1U but OpenBSD didn't
recognize the Adaptec ServeRAID 8k.



I'd like to know if someone runs it on a server with this RAID controller.



I installed a custom OpenBSD kernel (with aac* support) on a USB stick,
booted it on the IBM 3550 and this is the dmesg:

I also tried disabling acpi.



OpenBSD 4.4 (rox) #0: Wed Apr  8 16:27:08 BRT 2009

r...@tux:/usr/sys/arch/i386/compile/rox

cpu0: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz

cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR

real mem  = 2137350144 (2038MB)

avail mem = 2058268672 (1962MB)

mainbus0 at root

bios0 at mainbus0: AT/286+ BIOS, date 07/25/08, BIOS32 rev. 0 @ 0xffa10,
SMBIOS rev. 2.4 @ 0xf6be0 (62 entries)

bios0: vendor Dell Inc. version "A07" date 07/25/2008

bios0: Dell Inc. Latitude D530

acpi0 at bios0: rev 2

acpi0: tables DSDT FACP HPET APIC ASF! MCFG TCPA SLIC SSDT

acpi0: wakeup devices PCI0(S5) PCIE(S4) USB1(S0) USB2(S0) USB3(S0) USB4(S0)
USB5(S0) EHC2(S0) EHCI(S0) AZAL(S3) RP01(S3) RP02(S4) RP03(S3) RP04(S3)
RP05(S3) RP06(S5) LID_(S3) PBTN(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits

acpihpet0 at acpi0: 14318179 Hz

acpiprt0 at acpi0: bus 3 (PCIE)

acpiprt1 at acpi0: bus -1 (AGP_)

acpiprt2 at acpi0: bus 11 (RP01)

acpiprt3 at acpi0: bus 12 (RP02)

acpiprt4 at acpi0: bus -1 (RP03)

acpiprt5 at acpi0: bus -1 (RP04)

acpiprt6 at acpi0: bus -1 (RP05)

acpiprt7 at acpi0: bus 9 (RP06)

acpiprt8 at acpi0: bus 0 (PCI0)

acpicpu0 at acpi0: C3

acpitz0 at acpi0: critical temperature 99 degC

acpibtn0 at acpi0: LID_

acpibtn1 at acpi0: PBTN

acpibtn2 at acpi0: SBTN

acpiac0 at acpi0: AC unit offline

acpibat0 at acpi0: BAT0 model "DELL TT7108" serial 4001 type LION oem "Sanyo"

acpibat1 at acpi0: BAT1 not present

acpidock at acpi0 not configured

acpivideo at acpi0 not configured

acpivideo at acpi0 not configured

acpivideo at acpi0 not configured

bios0: ROM list: 0xc/0xf000! 0xcf000/0x1000

cpu0 at mainbus0

cpu0: unknown Enhanced SpeedStep CPU, msr 0x06170b2d06000a25

cpu0: using only highest, current and lowest power states

cpu0: Enhanced SpeedStep 2000 MHz (1292 mV): speeds: 2200, 2000, 1200 MHz

pci0 at mainbus0 bus 0: configuration mode 1 (no bios)

pchb0 at pci0 dev 0 function 0 "Intel GM965 Host" rev 0x0c

vga1 at pci0 dev 2 function 0 "Intel GM965 Video" rev 0x0c

wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)

wsdisplay0: screen 1-5 added (80x25, vt100 emulation)

agp0 at vga1: aperture at 0xe000, size 0x1000

drm at vga1 unsupported

"Intel GM965 Video" rev 0x0c at pci0 dev 2 function 1 not configured

uhci0 at pci0 dev 26 function 0 "Intel 82801H USB" rev 0x02: irq 10

uhci1 at pci0 dev 26 function 1 "Intel 82801H USB" rev 0x02: irq 9

ehci0 at pci0 dev 26 function 7 "Intel 82801H USB" rev 0x02: irq 5

usb0 at ehci0: USB revision 2.0

uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1

azalia0 at pci0 dev 27 function 0 "Intel 82801H HD Audio" rev 0x02: irq 9

azalia0: codec[s]: Sigmatel/0x76a0, Conexant/0x2c06, using Sigmatel/0x76a0

audio0 at azalia0

ppb0 at pci0 dev 28 function 0 "Intel 82801H PCIE" rev 0x02: irq 11

pci1 at ppb0 bus 11

ppb1 at pci0 dev 28 function 1 "Intel 82801H PCIE" rev 0x02: irq 3

pci2 at ppb1 bus 12

wpi0 at pci2 dev 0 function 0 "Intel PRO/Wireless 3945ABG" rev 0x02: irq 3,
MoW2, address 00:1f:3c:bf:c0:9d

ppb2 at pci0 dev 28 function 5 "Intel 82801H PCIE" rev 0x02: irq 3

pci3 at ppb2 bus 9

bge0 at pci3 dev 0 function 0 "Broadcom BCM5755M" rev 0x02, BCM5755 A2
(0xa002): irq 3, address 00:1e:c9:23:04:f0

brgphy0 at bge0 phy 1: BCM5755 10/100/1000baseT PHY, rev. 0

uhci2 at pci0 dev 29 function 0 "Intel 82801H USB" rev 0x02: irq 10

uhci3 at pci0 dev 29 function 1 "Intel 82801H USB" rev 0x02: irq 9

uhci4 at pci0 dev 29 function 2 "Intel 82801H USB" rev 0x02: irq 5

ehci1 at pci0 dev 29 function 7 "Intel 82801H USB" rev 0x02: irq 10

usb1 at ehci1: USB revision 2.0

uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1

ppb3 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xf2

pci4 at ppb3 bus 3

cbb0 at pci4 dev 1 function 0 vendor "O2 Micro", unknown product 0x7135 rev
0x21: irq 11

"O2 Micro Firewire" rev 0x02 at pci4 dev 1 function 4 not configured

cardslot0 at cbb0 slot 0 flags 0

cardbus0 at cardslot0: bus 4 device 0 cacheline 0x0, lattimer 0x20

pcmcia0 at cardslot0

ichpcib0 at pci0 dev 31 function 0 "Intel 82801HBM LPC" rev 0x02: PM disabled

pciide0 at pci0 dev 31 function 1 "Intel 82801HBM IDE" rev 0x02: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0

scsibus0 at atapiscsi0: 2 targets, initiator 7

cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom
removable

cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2

pciide0: channel 1 ignored (disabled)

pciide1 at p

RES: Who runs OpenBSD with Adaptec ?

2009-04-09 Thread Ricardo Augusto de Souza
v 29 function 2 "Intel 6321ESB USB" rev 0x09: irq 5
ehci0 at pci0 dev 29 function 7 "Intel 6321ESB USB" rev 0x09: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb19 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd9
pci20 at ppb19 bus 1
vga1 at pci20 dev 1 function 0 "ATI ES1000" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
ichpcib0 at pci0 dev 31 function 0 "Intel 6321ESB LPC" rev 0x09: PM
disabled
pciide0 at pci0 dev 31 function 1 "Intel 6321ESB IDE" rev 0x09: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0:  ATAPI
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ichiic0 at pci0 dev 31 function 3 "Intel 6321ESB SMBus" rev 0x09:
polling
iic0 at ichiic0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask f965 netmask fded ttymask 
mtrr: Pentium Pro MTRR support
umass0 at uhub0 port 3 configuration 1 interface 0 "Kingston
DataTraveler 2.0" rev 2.00/2.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
sd0 at scsibus1 targ 1 lun 0:  SCSI2
0/direct removable
sd0: 3858MB, 491 cyl, 255 head, 63 sec, 512 bytes/sec, 7902208 sec total
uhub4 at uhub2 port 2 "Silitek IBM USB HUB KEYBOARD" rev 1.10/1.00 addr
2
uhidev0 at uhub4 port 1 configuration 1 interface 0 "Silitek IBM USB HUB
KEYBOARD" rev 1.10/1.00 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub4 port 3 configuration 1 interface 0 "vendor 0x15ca USB
Optical Mouse" rev 2.00/5.12 addr 4
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
bnx1: address 00:1a:64:79:f1:5a
brgphy0 at bnx1 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
bnx0: address 00:1a:64:79:f1:58
brgphy1 at bnx0 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Ricardo Augusto de Souza
Sent: Thursday, 9 April 2009 18:16
To: misc@openbsd.org
Subject: Who runs OpenBSD with Adaptec ?

Hi,



I am trying to install OpenBSD 4.4 on an IBM 3550 7978 B1U but OpenBSD
didn't recognize the Adaptec ServeRAID 8k.



I'd like to know if someone runs it on a server with this RAID
controller.



I installed a custom OpenBSD kernel (with aac* support) on a USB
stick, booted it on the IBM 3550 and this is the dmesg:

I also tried disabling acpi.



OpenBSD 4.4 (rox) #0: Wed Apr  8 16:27:08 BRT 2009

r...@tux:/usr/sys/arch/i386/compile/rox

cpu0: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz

cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR

real mem  = 2137350144 (2038MB)

avail mem = 2058268672 (1962MB)

mainbus0 at root

bios0 at mainbus0: AT/286+ BIOS, date 07/25/08, BIOS32 rev. 0 @ 0xffa10,
SMBIOS rev. 2.4 @ 0xf6be0 (62 entries)

bios0: vendor Dell Inc. version "A07" date 07/25/2008

bios0: Dell Inc. Latitude D530

acpi0 at bios0: rev 2

acpi0: tables DSDT FACP HPET APIC ASF! MCFG TCPA SLIC SSDT

acpi0: wakeup devices PCI0(S5) PCIE(S4) USB1(S0) USB2(S0) USB3(S0)
USB4(S0)
USB5(S0) EHC2(S0) EHCI(S0) AZAL(S3) RP01(S3) RP02(S4) RP03(S3) RP04(S3)
RP05(S3) RP06(S5) LID_(S3) PBTN(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits

acpihpet0 at acpi0: 14318179 Hz

acpiprt0 at acpi0: bus 3 (PCIE)

acpiprt1 at acpi0: bus -1 (AGP_)

acpiprt2 at acpi0: bus 11 (RP01)

acpiprt3 at acpi0: bus 12 (RP02)

acpiprt4 at acpi0: bus -1 (RP03)

acpiprt5 at acpi0: bus -1 (RP04)

acpiprt6 at acpi0: bus -1 (RP05)

acpiprt7 at acpi0: bus 9 (RP06)

acpiprt8 at acpi0: bus 0 (PCI0)

acpicpu0 at acpi0: C3

acpitz0 at acpi0: critical temperature 99 degC

acpibtn0 at acpi0: LID_

acpibtn1 at acpi0: PBTN

acpibtn2 at acpi0: SBTN

acpiac0 at acpi0: AC unit offline

acpibat0 at acpi0: BAT

Migration from IPTABLES to PF

2009-05-04 Thread Ricardo Augusto de Souza
Hi,

I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
who installed it left our company some months ago.
I spent some years away from iptables, and now I have to migrate this firewall to
PF.
There are some 'special' features on this firewall, and I need some documentation
or help about implementing these features on the new firewall (PF).

These are the iptables scripts:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe
#__

# Loading the IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Loading variables
. /etc/rc.d/init.d/prodata/fw_variaveis

if [ $KERNEL = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___
# Creates the LOG policies
#___

if [ $LOGS = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_politicas
fi

Normal rules here
 EOF



/etc/rc.d/init.d/prodata/fw_modulos
#$LOAD nfnetlink

$LOAD ip_conntrack
$LOAD ip_conntrack_ftp
#$LOAD ip_conntrack_pptp ##
#$LOAD ip_conntrack_netlink ##
#$LOAD ip_conntrack_tftp ##

#$LOAD ip_nat
$LOAD ip_nat_ftp
$LOAD ip_gre
#$LOAD ip_nat_pptp ##
#$LOAD ip_nat_tftp ##
$LOAD ip_queue ##
$LOAD ip_tables

$LOAD iptable_filter
$LOAD iptable_nat
$LOAD iptable_mangle

$LOAD ipt_helper
$LOAD ipt_LOG
$LOAD ipt_limit
$LOAD ipt_state
#$LOAD ipt_layer7 ##
$LOAD ipt_MASQUERADE
$LOAD ipt_multiport
#$LOAD ipt_string
$LOAD ipt_tcpmss
$LOAD ipt_TCPMSS
# EOF


/etc/rc.d/init.d/prodata/fw_kernel
#___
# KERNEL protection
#___
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
if [ $IPSEC = "sim" ]
   then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
   done
else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
   done
fi

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
### EOF



/etc/rc.d/init.d/prodata/fw_politicas
#___
# LOG - frame denial policy
#___

LOGLIMIT="2/s"
LOGLIMITBURST="10"
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"
# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="1"

$FW -N LOG_DROP
$FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=VPN:4 a=DROP "
$FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
$FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=NEW nao SYN: "
$FW -A LOG_DROP -j DROP

#___
# LOG - frame acceptance policy
#___

$FW -N LOG_OK
$FW -A LOG_OK  -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
$FW -A LOG_OK -j ACCEPT

#___
# LOG - TCP-SYN-Flood denial policy
#___

$FW -N LSYNFLOOD
$FW -A LSYNFLOOD -m limit --limit $LO

ENC: Migration from IPTABLES to PF

2009-05-04 Thread Ricardo Augusto de Souza
Thanks.
I already know that documentation.
I wish I could find documentation about this for PF:


#___
# KERNEL protection
#___
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
if [ $IPSEC = "sim" ]
   then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
   done
else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
   done
fi

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack




I Will ask Eduardo Alvarenga.

Thanks anyway.


-Original Message-
From: Jason Dixon [mailto:ja...@dixongroup.net]
Sent: Monday, 4 May 2009 14:59
To: Ricardo Augusto de Souza
Cc: misc@openBSD.org
Subject: Re: Migration from IPTABLES to PF

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
>
> I have a firewall running on a Fedora Core 4 (STentz) with iptables. The Guy
> Who installed it left our company some months ago.
> I spent some years far from iptables, now i have to migrate this firewall to
> PF.
> THere are some 'special' features on this firewall,  i need some documentation
> or help about implementing this features at new firewall ( PF ).

The documentation is available online:

http://www.openbsd.org/faq/pf/index.html
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I made a quick review of your ruleset.  I gave up after a few PgDn's.  I
believe it's in your best interests to contact someone that provides
commercial support.

http://www.openbsd.org/support.html

On a good day, someone might step up and help you with this.  But I
wouldn't expect it.

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
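
For the kernel and logging pieces the message above asks about, the following is an added example (not from the poster, from Jason Dixon or from the OpenBSD project) that maps the fw_kernel and fw_politicas sections of the iptables script onto OpenBSD 4.4: the sysctl equivalents appear as comments because they belong in /etc/sysctl.conf rather than pf.conf, and PF rules cover the reverse-path check, martian logging, the LOG_DROP default and the SYN- and ping-flood limits. Interface names, the `$intranet` macro, the table names and the port list are assumptions; 5/s, 30 and 2400 are the script's own values.

```pf
# /etc/pf.conf, OpenBSD 4.4 syntax. Added example, not the poster's file and
# not OpenBSD project code: the fw_kernel and fw_politicas parts of the posted
# iptables script, mapped onto PF. Interface names, $intranet, the table names
# and the port list are assumptions; 5/s, 30 and 2400 are the script's values.
ext_if="vic0"
int_if="vic2"
intranet="10.10.0.0/24"

# Ranges never valid as a source on the outside (the log_martians idea)
table <martians> const { 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         192.0.2.0/24, 224.0.0.0/3 }
# Sources that tripped a flood limit; filled by the overload option below
table <floodsrc> persist

# ---- fw_kernel ---------------------------------------------------------
# Kernel knobs live in /etc/sysctl.conf on OpenBSD, not in pf.conf:
#   net.inet.ip.forwarding=1       # ip_forward
#   net.inet.ip.sourceroute=0      # refuse source-routed packets. Note that
#                                  # on Linux accept_source_route=1, as in the
#                                  # script, ENABLES acceptance; 0 refuses.
#   net.inet.icmp.rediraccept=0    # ignore ICMP redirects (same remark for
#                                  # accept_redirects=1)
#   net.inet.icmp.bmcastecho=0     # icmp_echo_ignore_broadcasts
#   net.inet.tcp.rfc1323=0         # disables timestamps AND window scaling
#   net.inet.tcp.sack=0            # tcp_sack
#   net.inet.ip.porthifirst=32768  # ip_local_port_range
#   net.inet.ip.porthilast=61000
# tcp_fin_timeout / tcp_keepalive_time become pf state timeouts
set timeout { tcp.finwait 30, tcp.closing 30, tcp.established 2400 }
set block-policy drop

# rp_filter: antispoof expands to per-interface reverse-path rules and
# urpf-failed is the loose check; "log" sends the header to pflog0
antispoof log quick for { $ext_if $int_if }
block in log quick from urpf-failed
block in log quick on $ext_if from <martians>

# ---- fw_politicas: LOG_DROP / LOG_OK -----------------------------------
# Default deny with logging. pf has no per-rule log prefix and no "-m limit"
# on logging; rule number, interface and action are in every pflog record,
# read with:  tcpdump -n -e -ttt -i pflog0
block log all

# ---- fw_politicas: TCP-SYN-Flood (TCPSYNLIMIT=5/s) ---------------------
# More than 5 new connections per second from one source puts it into
# <floodsrc>, and "flush global" tears down its other states as well.
# synproxy completes the handshake itself, so the server only sees finished
# connections, and flags S/SA lets only a SYN create state (the script's
# "NEW but not SYN" rule). The ports are an assumption.
block in quick from <floodsrc>
pass in on $ext_if proto tcp to $ext_if port { 22, 80 } flags S/SA \
    synproxy state (max-src-conn-rate 5/1, overload <floodsrc> flush global)

# ---- fw_politicas: Ping-Flood (PINGLIMIT=5/s) --------------------------
# max-src-conn-rate counts completed TCP handshakes, so for ICMP the
# closest control is a cap on concurrent echo states per source address
pass in on $ext_if inet proto icmp icmp-type echoreq \
    keep state (max-src-states 5)

pass in on $int_if from $intranet keep state
pass out on { $ext_if $int_if } keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`; `pfctl -t floodsrc -T show` lists the sources that hit the limit, and `pfctl -sr -v` shows per-rule evaluation and match counters in place of the per-chain counters iptables gives.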



RES: Migration from IPTABLES to PF

2009-05-04 Thread Ricardo Augusto de Souza
o $INT_INTRANET -p tcp -s $IP_INTRANET --dport 22 -j ACCEPT

#___
# NAT - From Rede_Intranet to the INTERNET (EVERYTHING)
#___

#for NAT in `cat /etc/rc.d/init.d/fw_nat| awk 'BEGIN { FS = "#" } ; { print $1 }'`
#  do
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p tcp -s $REDE_INTRANET -j MASQUERADE
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p 47 -s $REDE_INTRANET -j MASQUERADE
$FW -t nat -A POSTROUTING -o $INT_INTERNET -p udp -s $REDE_INTRANET -j MASQUERADE
#  done

#___
# NAT - FULL ACCESS
#___

for NAT_FULL in `cat /etc/rc.d/init.d/prodata/fw_nat_full| awk 'BEGIN { FS = "#" } ; { print $1 }'`
  do
$FW -t nat -A PREROUTING -i $INT_INTERNET -p all -s $NAT_FULL -j ACCEPT
$FW -A FORWARD -i $INT_INTERNET -p all -s $NAT_FULL -j ACCEPT
$FW -t nat -A PREROUTING -i $INT_INTERNET -p all -d $NAT_FULL -j ACCEPT
$FW -A FORWARD -i $INT_INTERNET -p all -d $NAT_FULL -j ACCEPT

$FW -t nat -A PREROUTING -i $INT_INTRANET -p all -s $NAT_FULL -j ACCEPT
$FW -A FORWARD -i $INT_INTRANET  -p all -s $NAT_FULL -j ACCEPT
$FW -t nat -A PREROUTING -i $INT_INTRANET -p all -d $NAT_FULL -j ACCEPT
$FW -A FORWARD -i $INT_INTRANET  -p all -d $NAT_FULL -j ACCEPT
  done

#----- Allowed client applications for REDE_INTRANET (NAT) -----

#----- Rules for INT_INTERNET -----

#___ EVERYTHING ___
#$FW -t nat -A PREROUTING -i $INT_INTERNET -p all  -j ACCEPT
#$FW -A FORWARD -i $INT_INTERNET -p all -j ACCEPT

for PORTS in `cat /etc/rc.d/init.d/prodata/fw_ports| awk 'BEGIN { FS = "#" } ; { print $1 }'`
  do
  $FW -t nat -A PREROUTING -i $INT_INTERNET -p tcp --sport $PORTS -j ACCEPT
  $FW -A FORWARD -i $INT_INTERNET -p tcp --sport $PORTS -j ACCEPT
  $FW -t nat -A PREROUTING -i $INT_INTERNET -p udp --sport $PORTS -j ACCEPT
  $FW -A FORWARD -i $INT_INTERNET -p udp --sport $PORTS -j ACCEPT
  done
#___ EVERYTHING ___
#$FW -t nat -A PREROUTING -i $INT_INTRANET -p all -j ACCEPT
#$FW -A FORWARD -i $INT_INTRANET  -p all -j ACCEPT

for PORTS in `cat /etc/rc.d/init.d/prodata/fw_ports| awk 'BEGIN { FS = "#" } ; { print $1 }'`
  do
 $FW -t nat -A PREROUTING -i $INT_INTRANET -p tcp --dport $PORTS -j ACCEPT
 $FW -A FORWARD -i $INT_INTRANET -p tcp --dport $PORTS -j ACCEPT
 $FW -t nat -A PREROUTING -i $INT_INTRANET -p udp --dport $PORTS -j ACCEPT
 $FW -A FORWARD -i $INT_INTRANET -p udp --dport $PORTS -j ACCEPT
  done

#___
# FINAL POLICY - DENY EVERYTHING
#___

#$FW -A OUTPUT -m state -p icmp --state INVALID -j DROP
#$FW -A INPUT -i $INT_INTERNET -j DROP
#$FW -A OUTPUT -o $INT_INTERNET -j DROP
#$FW -A FORWARD -i $INT_INTERNET -j DROP
#$FW -A FORWARD -o $INT_INTERNET -j DROP

#$FW -A INPUT -i $INT_INTRANET -j DROP
#$FW -A OUTPUT -o $INT_INTRANET -j DROP
#$FW -A FORWARD -i $INT_INTRANET -j DROP
#$FW -A FORWARD -o $INT_INTRANET -j DROP

#___
# LOG of ALL rules
#___

#$FW -A FORWARD -j LOG --log-level 3 --log-prefix "PRODATA_FORWARD "
#$FW -A FORWARD -j DROP
#$FW -A INPUT -j LOG --log-level 3 --log-prefix "PRODATA_INPUT "
#$FW -A INPUT -j DROP
#$FW -A OUTPUT -j LOG --log-level 3 --log-prefix "PRODATA_OUTPUT "
#$FW -A OUTPUT -j DROP
#$FW -t nat -A POSTROUTING -j LOG --log-level 3 --log-prefix "PRODATA_POSTROUTING "
#$FW -t nat -A POSTROUTING -j DROP
#$FW -t nat -A PREROUTING -j LOG --log-level 3 --log-prefix "PRODATA_PREROUTING "
#$FW -t nat -A PREROUTING -j DROP
#$FW -t nat -A OUTPUT -j LOG --log-level 3 --log-prefix "PRODATA_OUTPUT_ROUTING "
#$FW -t nat -A OUTPUT -j DROP

echo ""
echo "FIREWALLSTARTED"
;;
   *)
  echo "Uso: ./fw_prodata.com.br (start|stop|restart|status)"
  exit 1
  ;;
esac


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Mark
Shroyer
Sent: Monday, 4 May 2009 15:34
To: misc@openBSD.org
Subject: Re: Migration from IPTABLES to PF

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
>
> I have a firewall running on a Fedora Core 4 (STentz) with ipta

RES: Amsterdam OpenBSD 4.5 release party this Thursday, 7th of May.

2009-05-04 Thread Ricardo Augusto de Souza
I wish i could be there.

Hail weed

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of chefren
Sent: Monday, 4 May 2009 18:40
To: openbsd-users-nl; OpenBSD
Subject: Amsterdam OpenBSD 4.5 release party this Thursday, 7th of May.

This Thursday 7th of May:

Cafe de Deugniet Oude Brugsteeg 12, 1012 JP Amsterdam




18:00 gathering in front of De Deugniet we will find some food in the
neighborhood that has lots of places where we can eat.

 From 20:00 on we will gather into De Deugniet itself and have a drink
on OpenBSD 4.5!

+++chefren



RES: Migration from IPTABLES to PF

2009-05-05 Thread Ricardo Augusto de Souza
Thanks for this 'polite' reply.
As I said I spent some years away from the Unix/Linux world,
I worked with business intelligence these years.
Now I am back to network administration and I got this project to do.
I used openbsd before version 3. I do like it.

This is my current scenario.
-  2 firewalls with 2 carp+pfsync that will handle 2 internet connections, 1
mpls connection, 1 lan to handle around 60 bus companies that transport 2
million users per day, each user has their own myfair card. Each bus has a
system that stores this data in a file. These files will be imported to Oracle
later. After this import, there are a lot of specific applications that use
this information.
- behind these 2 firewalls we have around 30 servers: ( most Windows) iis,
file transfer servers, ws, and some other servers like some red hat enterprise
running Oracle 10g.
- at the beginning the firewalls will do Nat + filter + gateway + mpd5+squid
( the fucking operators who need access to the Windows servers were surfing on
the web from there. )
- our applications have around 5,000 users per day, but we have a lot of web
services and some etl processes ( I don't have statistics about volume yet)

So that is it.


-Original Message-
From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
Sent: Monday, 4 May 2009 22:46
To: Ricardo Augusto de Souza; misc@openbsd.org
Subject: Re: Migration from IPTABLES to PF

This is a great advertisement for OpenBSD, PF, and keeping things simple in
general, mind if I use it Ricardo?

As for your original question, I wouldn't even try to convert your iptables,
especially using some magic tool to do it. Decide what you want your firewall
to do and start from scratch with PF. That way you will know it is working and
you will be able to maintain it reliably.

Cheers, Bill


-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259
Australia
CRICOS Provider Number: 00109J

phone:   +61 2 4349 4473
fax: +61 2 4349 4565
email:  william.chiv...@newcastle.edu.au
---------
>>> Ricardo Augusto de Souza  05/05/09 3:17 AM
>>>
Hi,

I have a firewall running on a Fedora Core 4 (STentz) with iptables. The guy
who installed it left our company some months ago.
I spent some years far from iptables, now I have to migrate this firewall to
PF.
There are some 'special' features on this firewall, I need some
documentation
or help about implementing these features at the new firewall ( PF ).

These are the iptables scripts:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe
#__

# Loading the IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Loading variables
. /etc/rc.d/init.d/prodata/fw_variaveis

if [ $KERNEL = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___
# Create the LOG policies
#___

if [ $LOGS = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_politicas
fi

Normal rules here
 EOF



/etc/rc.d/init.d/prodata/fw_modulos
#$LOAD nfnetlink

$LOAD ip_conntrack
$LOAD ip_conntrack_ftp
#$LOAD ip_conntrack_pptp ##
#$LOAD ip_conntrack_netlink ##
#$LOAD ip_conntrack_tftp ##

#$LOAD ip_nat
$LOAD ip_nat_ftp
$LOAD ip_gre
#$LOAD ip_nat_pptp ##
#$LOAD ip_nat_tftp ##
$LOAD ip_queue ##
$LOAD ip_tables

$LOAD iptable_filter
$LOAD iptable_nat
$LOAD iptable_mangle

$LOAD ipt_helper
$LOAD ipt_LOG
$LOAD ipt_limit
$LOAD ipt_state
#$LOAD ipt_layer7 ##
$LOAD ipt_MASQUERADE
$LOAD ipt_multiport
#$LOAD ipt_string
$LOAD ipt_tcpmss
$LOAD ipt_TCPMSS
# EOF


/etc/rc.d/init.d/prodata/fw_kernel
#___
# KERNEL protection
#___
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
if [ $IPSEC = "sim" ]
   then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
   done
else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
   done
fi

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
# accept_source_route=1 would ACCEPT source-routed packets; 0 is what the
# comment above intends.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
# accept_redirects=1 would ACCEPT ICMP redirects; 0 is what the comment
# above intends.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad err

Filtering outgoing connections in pf

2008-10-15 Thread Ricardo Augusto de Souza
Hi,

I am confused with some PF rules.

I am trying to allow just some ports to my local users.

I am using block out on $ext_if but I think I would be able to choose the
ports my lan users will access with the rule

pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25,
110 } keep state .

It seems to be ok, but I had to add this rule: pass out on $ext_if from
$ext_if to any ( without this rule my box cannot connect to the
internet ). With this rule, all users can connect to any out port.

Question: What is the right way to have my box on the internet and my
users can only access those selected ports?

Thanks

My pf.conf:



set loginterface xl1
set skip on lo0
scrub in

set require-order yes
set state-policy if-bound

altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# external WAN interface
ext_if="xl1"
# internal LAN interface
int_if="xl0"
# MPLS interface
mpls_if ="bge0"
# VPN tunnel interfaces
vpn_if ="{ tun0, tun1, tun2, tun3, tun4 }"
vpn_net ="{ 10.10.9.0/26 }"
# Default GW
gw="200.162.41.33"

table  persist file "/etc/badsites.txt"   # the <name> of the table is missing in the archived copy
winupdate = "{ 65.54.87.0/24 } "

# Variables
##

#
#1 - Redirection for the staging (homologacao) environment
###
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"

#2 - Useful variables

lan = "{ 10.10.0.0/16 }"
cmt_lan = "{ 10.10.0.0/24 }"
ti_lan = "{ 10.10.20.0/26 }"
call_center_lan = "{ 10.10.60.0/26 }"
rede_mpls  = "{ 10.100.0.0/16 }"
ip_admin = "{ 10.10.20.100 }"
msn = "207.46.0.0/16"

# ports

portas_saida_tcp = " {25, 80, 110,443 }"
portas_saida_udp = " { 53, 443 }"
portas_entrada_tcp = " { 22,1981, 810} "
portas_entrada_udp = " { 1194 }"
ip_rose = " { 10.10.0.56 } "
porta_rose = " { 2631 } "
oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
ips_adm_ext = "{ 189.33.76.0/26 } "

# test: internet for the MPLS stores
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128

# redirect to the NTP server
rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123

# redirect so the DTC servers send e-mail through sol
rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
nat on $int_if from any to 10.10.0.2 -> $int_if

# transparent squid
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128

rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
nat on $int_if from any to $oracle_desenv port 1521 -> $int_if

# redirection to the lan; nat was needed here as well.
rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if

#
# NAT  ##
#

# nat to give the lan internet access
nat on $ext_if from $lan to !($ext_if) -> $ext_if
nat on $mpls_if  from $lan to any -> $mpls_if

# block all inbound and all outbound traffic
block in on $ext_if

# inbound rules

# allow everything in on the internal interface
pass in on $int_if proto udp from $lan to $int_if port 53
pass in on $int_if from any to $lan  modulate state
pass in on $int_if from $rede_mpls to $lan  modulate state

# allow access to the mpls network
pass in quick on $mpls_if from any to any
#pass in quick on $mpls_if from $rede_mpls to any

# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)

#VPN
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick on $vpn_if all
pass out quick on $vpn_if all

pass in quick on $int_if from $vpn_net to any modulate state
pass in quick on $mpls_if from $vpn_net to any modulate state

# outbound rules
antispoof quick for { lo $int_if }
pass out on $int_if from any to $lan  keep state
pass out on $mpls_if from $mpls_if to any modulate state
#
# forbid all outbound traffic
block out on $ext_if
#pass out on $ext_if from $ext_if to any modulate state

pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state queue (q_def, q_pri)
pass out quick on $ext_if proto tcp from $ip_rose port 1024:65535 to 200.201.174.0/24 port { 80, 2631 } modula

RES: Filtering outgoing connections in pf

2008-10-15 Thread Ricardo Augusto de Souza
Is it possible to filter outgoing packets on $ext_if even when doing NAT?
I mean, after  nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if) all
packets from 10.10.0.0/16 will be translated to $ext_if.
I wish I could filter 10.10.0.0/16 packets on $ext_if.

Is it possible?

Thanks
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Ricardo Augusto de Souza
Sent: Wednesday, 15 October 2008 13:01
To: misc@openbsd.org
Subject: Filtering outgoing connections in pf


RES: RES: RES: Filtering outgoing connections in pf

2008-10-16 Thread Ricardo Augusto de Souza
Hi,

I wanna allow local users ( 10.10.0.0/24 ) to access the internet just using ports
80, 25, 110 and 53 udp.

I wanna allow full access to 10.10.20.0/24 to the internet. I mean, no
restriction.

Easy like that.

I used openBSD 3.8 in the past and I was able to filter packets on $ext_if from
my local network ( 10.10.0.0/24 ).

Tests:

1)

# pf macros are case-sensitive: the definitions must match the $... references below
users_tcp_ports = "{ 25, 80, 110, 443 }"
users_udp_ports = "{ 53, 123 }"
normal_users = "10.10.0.0/24"
power_users = "10.10.20.0/24"

# "tagged" only matches packets that already carry the tag (set with "tag"
# on a filter rule); it does not tag them.
nat on $ext_if from $normal_users to any port $users_tcp_ports  -> ($ext_if) tagged NORMAL_USERS_NAT
nat on $ext_if from $power_users to any -> ($ext_if) tagged POWER_USERS_NAT

#outgoing
block out on $ext_if
pass out quick on $ext_if from ($ext_if) to any

#filtering on $int_if
pass in quick on $int_if inet proto tcp from $normal_users to any port $users_tcp_ports
pass in quick on $int_if inet proto tcp from $power_users to any

Should this solve my problem?

I still have no test environment. I have around 300 users already going to the
internet and to other WAN sites through this openBSD.

Plz, post me your suggestions.

Thanks


-Original Message-
From: cgc [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 15 October 2008 16:21
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: RES: RES: Filtering outgoing connections in pf



What exactly are you trying to achieve? what pc's do you want to have
access to what ports? Are you just allowing every pc in the 10.10.0.0/16
network the same access or not? And access to what? Just web traffic?
pings? dns? ...  You will have to be a bit more specific 
And any box that is doing packet filtering between 2 or more networks, eg.
a private network and the internet, is a router as far as I am aware

Regards,

Charlie



On Wed, 15 Oct 2008 16:06:16 -0300, "Ricardo Augusto de Souza"
<[EMAIL PROTECTED]> wrote:
> This sounds good.
> But my openBSD is working like a router.
> If I remove the rule pass in quick on $int_if I will have a lot of pcs
> that cannot access other subnets.
> Do u know what protocol I must allow for routes to work?
> 
> thank
> 
> -Original Message-
> From: cgc [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, 15 October 2008 15:49
> To: Ricardo Augusto de Souza
> Cc: misc@openbsd.org
> Subject: Re: RES: Filtering outgoing connections in pf
> 
> let me give you an example, if you just want 10.10.0.0/16 to have port 80
> access then you need 3 rules:
> 
> #the nat
> nat on $ext_if from 10.10.0.0/16 to any port 80 -> ($ext_if)
> 
> #allow through $int_if
> pass in quick on $int_if proto tcp from 10.10.0.0/16 to any port 80
> 
> #and finally allow through $ext_if
> pass out quick on $ext_if proto tcp from ($ext_if) to any
> 
> You can lock $ext_if down to just port 80 but the point is $int_if is
> where you do the filtering for 10.10.0.0/16
> 
> Correct me if I am wrong.
> 
> Regards,
> 
> Charlie
> 
> On Wed, 15 Oct 2008 14:44:43 -0300, "Ricardo Augusto de Souza"
> <[EMAIL PROTECTED]> wrote:
>> Is it possible to filter outgoing packets on $ext_if even when doing NAT?
>> I mean, after  nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if) all
>> packets from 10.10.0.0/16 will be translated to $ext_if.
>> I wish I could filter 10.10.0.0/16 packets on $ext_if.
>> 
>> Is it possible?
>> 
>> Thanks

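Putting cgc's three-rule layout together with the goal stated at the top of this message (normal users on 10.10.0.0/24 limited to tcp 25/80/110 and udp 53, 10.10.20.0/24 unrestricted) gives the minimal ruleset below, written in the nat/rdr syntax of the pf that shipped with OpenBSD 4.3. This is an added example for this thread, not a ruleset posted by Ricardo or cgc; the interface names are those of the pf.conf posted earlier and the macro names are assumptions.

```pf
# Added example: cgc's "filter on $int_if, translate on $ext_if" layout
# applied to the policy stated in this thread. Interface names follow the
# posted pf.conf; the macro names below are assumptions for this example.
ext_if = "xl1"
int_if = "xl0"

normal_users    = "10.10.0.0/24"
power_users     = "10.10.20.0/24"
users_tcp_ports = "{ 25, 80, 110 }"
users_udp_ports = "{ 53 }"

set skip on lo0
scrub in

# Translation only. A nat rule rewrites the source of packets the filter has
# already let through; it is not where per-user policy belongs.
nat on $ext_if from { $normal_users, $power_users } to any -> ($ext_if)

# Default deny in both directions; everything below is an explicit exception.
block in all
block out all
antispoof quick for { lo0 $int_if }

# Policy lives on $int_if: here the packet still carries the client's real
# 10.10.x.x source address, so the rules can tell the two groups apart.
pass in quick on $int_if inet proto tcp from $normal_users to any port $users_tcp_ports flags S/SA keep state
pass in quick on $int_if inet proto udp from $normal_users to any port $users_udp_ports keep state
pass in quick on $int_if inet from $power_users to any keep state

# On $ext_if the source is already ($ext_if), for the firewall's own traffic
# and for translated LAN traffic alike, so one rule covers both. It cannot
# restrict users and does not need to: $int_if has already done that.
pass out quick on $ext_if inet from ($ext_if) to any keep state

# Traffic the firewall itself originates toward the LAN (for example answering
# DNS from $int_if). Replies to LAN clients match the states created above
# and need no rule of their own.
pass out quick on $int_if inet from ($int_if) to { $normal_users, $power_users } keep state
```

The point this layout makes is the one Ricardo ran into: once a packet has been translated on $ext_if its source is the firewall's address, so a per-user `pass out on $ext_if` can no longer distinguish 10.10.0.0/24 from 10.10.20.0/24. Inbound services from the posted pf.conf (the rdr rules and the `pass in quick on $ext_if` lines) would be layered on top of this skeleton; they do not change the placement of the outbound policy.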

weird dmesg

2008-10-16 Thread Ricardo Augusto de Souza
I was preparing some information about my system to post my questions
here and I saw that weird output in dmesg.

Take a look.

How can I avoid/fix this?



# dmesg  > info.txt
# vi info.txt
[4] + Suspended         vi info.txt
#

# cat info.txt
 speaker>
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff65 netmask ff65 ttymask ffe7
mtrr: Pentium Pro MTRR support
Kernelized RAIDframe activated
"Silitek IBM USB HUB KEYBOARD" rev 1.10/1.00 addr 2 at uhub2 port 1 not configured
ahd0: target 0 synchronous with period = 0x8, offset = 0x7f(RDSTRM|DT|IU|RTI|QAS)
ahd0: target 6 synchronous with period = 0x8, offset = 0x7f(RDSTRM|DT|IU|RTI|QAS)
cd0(atapiscsi0:0:0): Check Condition (error 0x70) on opcode 0x0
SENSE KEY: Not Ready
 ASC/ASCQ: Medium Not Present
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
arp: attempt to add entry for 10.10.100.253 on xl0 by 00:0a:5e:63:7e:2e on bge0
arp: attempt to add entry for 10.10.0.94 on xl0 by 00:15:58:d8:80:1d on bge0
arp: attempt to add entry for 10.10.0.39 on xl0 by 00:0e:a6:be:d9:9a on bge0
arp: attempt to add entry for 10.10.0.86 on xl0 by 00:15:58:d8:7e:f3 on bge0
"Silitek IBM USB HUB KEYBOARD" rev 1.10/1.00 addr 2 at uhub2 port 1 not configured
arp info overwritten for 10.100.1.2 by 00:0d:88:53:31:1e on bge0
arp info overwritten for 10.100.1.2 by 00:0d:88:53:31:1d on bge0
arp: attempt to add entry for 10.10.0.82 on xl0 by 00:15:f2:5d:e7:74 on bge0
arp: attempt to add entry for 10.10.0.108 on xl0 by 00:18:71:8c:29:83 on bge0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1d on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1d on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp info overwritten for 10.10.0.9 by 00:0f:ea:d2:07:52 on xl0
arp: attempt to overwrite entry for 10.10.0.9 on xl0 by 00:0d:88:53:31:1e on bge0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
"Silitek IBM USB HUB KEYBOARD" rev 1.10/1.00 addr 2 at uhub2 port 1 not configured
"Silitek IBM USB HUB KEYBOARD" rev 1.10/1.00 addr 2 at uhub2 port 2 not configured
"Silitek IBM USB HUB KEYBOARD" rev 1.10/1.00 addr 2 at uhub2 port 1 not configured
arp: attempt to add entry for 10.10.0.80 on xl0 by 00:1a:6b:59:42:cc on bge0
arp: attempt to add entry for 10.10.0.61 on xl0 by 00:1c:25:c0:74:e6 on bge0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1d on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp info overwritten for 10.10.0.9 by 00:0f:ea:d2:07:52 on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp: attempt to add entry for 10.10.0.112 on xl0 by 00:1a:6b:59:05:25 on bge0
arp info overwritten for 10.10.0.69 by 00:04:75:b1:71:ea on xl0
arp info overwritten for 10.10.0.69 by 00:1a:6b:59:09:9c on xl0
arp info overwritten for 10.10.0.69 by 00:04:75:b1:71:ea on xl0
arp info overwritten for 10.10.0.69 by 00:1a:6b:59:09:9c on xl0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x40
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1d on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp: attempt to add entry for 10.10.0.89 on xl0 by 00:1a:6b:59:44:59 on bge0
arp: attempt to add entry for 10.10.0.40 on xl0 by 00:14:22:b4:29:0f on bge0
arp info overwritten for 10.100.1.2 by 00:0d:88:53:31:1d on bge0
ichiic0: exec: op 1, addr 0x2d, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x40
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1d on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c2 on bge0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c3 on bge0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c2 on bge0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c3 on bge0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c2 on bge0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c2 on bge0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1d on xl0
arp info overwritten for 10.10.0.9 by 00:0d:88:53:31:1e on xl0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c3 on bge0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c2 on bge0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c3 on bge0
arp info overwritten for 10.100.1.11 by 00:09:6b:6b:d0:c2 on bge0
arp: attempt to add ent

RES: weird dmesg

2008-10-16 Thread Ricardo Augusto de Souza
No ideas?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Ricardo Augusto de Souza
Sent: Thursday, 16 October 2008 12:08
To: misc@openbsd.org
Subject: weird dmesg


OpenBSD on IBM System X3550 7879

2008-10-23 Thread Ricardo Augusto de Souza
Hi,



I am trying to install openBSD 4.3 -stable on an IBM System X3550 7879
(https://www-304.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-64315&brandind=508 )
but the install didn't find the hard disks.



I used IBM Server Guide to create array.



My server has 4GB RAM.  HD is SATA 15000 RPM.



Anyone already run openBSD in a server like this? Suggestions?



Thanks



RES: OpenBSD on IBM System X3550 7879

2008-10-23 Thread Ricardo Augusto de Souza
I got a mistake.
My hard drives are SAS, not SATA.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Ricardo Augusto de Souza
Sent: Thursday, 23 October 2008 14:49
To: misc@openbsd.org
Subject: OpenBSD on IBM System X3550 7879

Hi,



I am trying to install openBSD 4.3 -stable in a IBM System X3550 7879
(https://www-304.ibm.com/systems/support/supportsite.wss/docdisplay?lndo
cid=M
IGR-64315&brandind=508 ) but install didn4t found hard disks.



I used IBM Server Guide to create array.



My server has 4GB RAM.  HD is SATA 15000 RPM.



Has anyone already run OpenBSD on a server like this? Suggestions?



Thanks



RES: OpenBSD on IBM System X3550 7879

2008-10-23 Thread Ricardo Augusto de Souza
What do you mean by mini menu after POST?
I created the RAID using IBM ServerGuide 7.4.13.

I also tested with no RAID; it also failed.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Marcin
Sent: Thursday, October 23, 2008 15:50
To: misc@openbsd.org
Subject: Re: OpenBSD on IBM System X3550 7879

2008/10/23 John Nietzsche <[EMAIL PROTECTED]>:
> I have tried on an IBM server, but could not get it working. If you
> succeed, let me know.
>
> I believe raid controller is not supported.
>

Hello,

I'm not sure if this could be of any help, but I had very similar
problems with installation of Linux, until I found out that you HAVE
TO create a raid array or the controller won't expose drives to the OS.
I expected it to work in a kind of "pass-through" mode by default,
where you can access drives from the OS, but this wasn't the case.

So, please make sure you have created a RAID using the mini menu after
POST, before you start the OpenBSD installation process.

Regards,
--
Marcin



RES: OpenBSD on IBM System X3550 7879

2008-10-23 Thread Ricardo Augusto de Souza
terface 0 "vendor 0x04b3 USB Optical Mouse" rev 2.00/2.00 addr 2
uhidev0: iclass 3/1
uhid at uhidev0 not configured
uhidev1 at uhub1 port 2 configuration 1 interface 0 " USB Keyboard" rev 1.10/2.80 addr 3
uhidev1: iclass 3/1
ukbd0 at uhidev1
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev2 at uhub1 port 2 configuration 1 interface 1 " USB Keyboard" rev 1.10/2.80 addr 3
uhidev2: iclass 3/0, 2 report ids
uhid at uhidev2 reportid 1 not configured
uhid at uhidev2 reportid 2 not configured
root on rd0a swap on rd0b dump on rd0b
bnx1: address 00:1a:64:79:f1:5a
brgphy0 at bnx1 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
bnx0: address 00:1a:64:79:f1:58
brgphy1 at bnx0 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Ricardo Augusto de Souza
Sent: Thursday, October 23, 2008 16:34
To: Marcin; misc@openbsd.org
Subject: RES: OpenBSD on IBM System X3550 7879

What do you mean by mini menu after POST?
I created the RAID using IBM ServerGuide 7.4.13.

I also tested with no RAID; it also failed.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Marcin
Sent: Thursday, October 23, 2008 15:50
To: misc@openbsd.org
Subject: Re: OpenBSD on IBM System X3550 7879

2008/10/23 John Nietzsche <[EMAIL PROTECTED]>:
> I have tried on an IBM server, but could not get it working. If you
> succeed, let me know.
>
> I believe raid controller is not supported.
>

Hello,

I'm not sure if this could be of any help, but I had very similar
problems with installation of Linux, until I found out that you HAVE
TO create a raid array or the controller won't expose drives to the OS.
I expected it to work in a kind of "pass-through" mode by default,
where you can access drives from the OS, but this wasn't the case.

So, please make sure you have created a RAID using the mini menu after
POST, before you start the OpenBSD installation process.

Regards,
--
Marcin



RES: OpenBSD on IBM System X3550 7879

2008-10-23 Thread Ricardo Augusto de Souza
I just got an email from Marcos Laufer and he has already contacted Adaptec.
It seems he has some 'news'.
I hope they are good news.


I was reading his posts and I am very disappointed with Adaptec and IBM.
I will also email them about it.

I also found this:
http://www.adaptec.com/en-US/downloads/unix/sco_unix?productId=ASR-2120S&dn=Adaptec+SCSI+RAID+2120S
It's the Adaptec driver for SCO Unix.

Is this useful to solve the current problem?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ricardo
Augusto de Souza
Sent: Thursday, October 23, 2008 17:24
To: misc@openbsd.org
Subject: RES: OpenBSD on IBM System X3550 7879

Finally here is the dmesg


OpenBSD 4.3 (RAMDISK_CD) #645: Wed Mar 12 11:31:03 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR
real mem  = 3220541440 (3071MB)
avail mem = 3122683904 (2978MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/08/08, BIOS32 rev. 0 @ 0xfd841, SMBIOS rev. 2.4 @ 0xbffcee80 (86 entries)
bios0: vendor IBM version "-[GFE136BUS-1.09]-" date 02/08/2008
bios0: IBM IBM System x3550 -[7978B1U]-
acpi0 at bios0: rev 2, can't enable ACPI
bios0: ROM list: 0xc/0xb000 0xcb000/0x1800 0xcc800/0x1800 0xce000/0x5000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x31
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE x8" rev 0x31
pci1 at ppb0 bus 16
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 17
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 19
ppb3 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 18
ppb4 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci5 at ppb4 bus 20
ppb5 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x31
pci6 at ppb5 bus 35
ppb6 at pci0 dev 4 function 0 "Intel 5000 PCIE x8" rev 0x31
pci7 at ppb6 bus 7
ppb7 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0x31
pci8 at ppb7 bus 34
ppb8 at pci0 dev 6 function 0 "Intel 5000 PCIE" rev 0x31
pci9 at ppb8 bus 3
ppb9 at pci9 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci10 at ppb9 bus 4
bnx0 at pci10 dev 0 function 0 "Broadcom BCM5708" rev 0x12: irq 7
ppb10 at pci0 dev 7 function 0 "Intel 5000 PCIE" rev 0x31
pci11 at ppb10 bus 2
"Adaptec ASR-2120S" rev 0x02 at pci11 dev 0 function 0 not configured
"Intel 5000 DMA" rev 0x31 at pci0 dev 8 function 0 not configured
pchb1 at pci0 dev 16 function 0 "Intel 5000 Error Reporting" rev 0x31
pchb2 at pci0 dev 16 function 1 "Intel 5000 Error Reporting" rev 0x31
pchb3 at pci0 dev 16 function 2 "Intel 5000 Error Reporting" rev 0x31
pchb4 at pci0 dev 17 function 0 "Intel 5000 Reserved" rev 0x31
pchb5 at pci0 dev 19 function 0 "Intel 5000 Reserved" rev 0x31
pchb6 at pci0 dev 21 function 0 "Intel 5000 FBD" rev 0x31
pchb7 at pci0 dev 22 function 0 "Intel 5000 FBD" rev 0x31
ppb11 at pci0 dev 28 function 0 "Intel 6321ESB PCIE" rev 0x09
pci12 at ppb11 bus 5
ppb12 at pci12 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci13 at ppb12 bus 6
bnx1 at pci13 dev 0 function 0 "Broadcom BCM5708" rev 0x12: irq 3
uhci0 at pci0 dev 29 function 0 "Intel 6321ESB USB" rev 0x09: irq 5
uhci1 at pci0 dev 29 function 1 "Intel 6321ESB USB" rev 0x09: irq 11
uhci2 at pci0 dev 29 function 2 "Intel 6321ESB USB" rev 0x09: irq 5
ehci0 at pci0 dev 29 function 7 "Intel 6321ESB USB" rev 0x09: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb13 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd9
pci14 at ppb13 bus 1
vga1 at pci14 dev 1 function 0 "ATI ES1000" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 "Intel 6321ESB LPC" rev 0x09: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 6321ESB IDE" rev 0x09: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
"Intel 6321ESB SMBus" rev 0x09 at pci0 dev 31 function 3 not configured
usb1 at 

RES: RES: OpenBSD on IBM System X3550 7879

2008-10-23 Thread Ricardo Augusto de Souza
Theo,

I will keep bothering Adaptec and IBM then.

There is a popular saying in my country (I am Brazilian). It is: I am
Brazilian and I WILL NEVER GIVE UP.

One day they will wake up and I hope to be alive to see it happening.

Btw, is this true: http://mongers.org/openbsd/hardware

Because there you said you use Adaptec. Wow.. how come?
If it does not work under OpenBSD, you should not even suggest/say their
name. Right?

I thought my problem was due to my SAS hard drives.

If we are not able to get it working, I will replace my Adaptec
controller.
I already mailed my local IBM vendor about that.

I don't want to cause any trouble. I just love using OpenBSD and I mailed
this list because I bought a US$6000 server and it's still off.  I don't
wanna see it running Windows 2003 (bleh).

Peace.

-Original Message-
From: Theo de Raadt [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2008 18:07
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org; Marcos Laufer - Ipv4networks.com
Subject: Re: RES: OpenBSD on IBM System X3550 7879

> I just got an email from Marcos Laufer and he already contacted
Adaptec.
> It seems he have some 'news'.
> I hope they are good news.

If Adaptec had good news, they would probably have told us "here is
the documentation you asked for" in the last 6 years since we asked.

There is nothing they will tell you that has any benefit to us.  Don't
If you find something out, don't bother telling the mailing lists.
There would be no point, since it will just be nice words; nice, but
useful, and as lying and deceitful as their words for the last 6
years.

If Adaptec wanted to change the situation, they have had more than
enough time.



Zenoss on OpenBSD

2008-11-10 Thread Ricardo Augusto de Souza
Hi,



Did anyone run Zenoss (WWW.zenoss.com) under OpenBSD?



PF rule help

2008-11-19 Thread Ricardo Augusto de Souza
Hi,

I am getting some errors applying this rule in my PF.



I am running OpenBSD 4.3.



winupdate = "{ 65.54.87.0/24, 207.46.112.0/24 }"

nat on $ext_if from $lan to ! $winupdate port $portas_saida_tcp tag INT_10.10.10.0 -> ($ext_if)

block in on $wan_if from $winupdate to any
block out on $wan_if from any to $winupdate





I am getting an error on: nat on $ext_if from $lan to ! $winupdate port
$portas_saida_tcp tag INT_10.10.10.0 -> ($ext_if)





I wanna NAT to ALL addresses other than 65.54.87.0/24 and
207.46.112.0/24. What is the syntax to do that?


Thanks
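
The usual way to exclude a set of networks from a NAT rule is a table, since a brace list cannot be negated as a single object while a table reference can. The following is an added example, not part of the original post; it assumes the macros $ext_if, $lan, $wan_if and $portas_saida_tcp (taken to be a list of TCP ports) are defined elsewhere in the ruleset.

```pf
# Added example (not from the original post): exclude two netblocks from NAT.
# Assumes $ext_if, $lan, $wan_if and $portas_saida_tcp are defined as in the
# poster's ruleset; $portas_saida_tcp is assumed to hold TCP ports only.

# Negating a brace list does not produce one rule that excludes every member,
# so this form does not express "everything except these networks":
#   winupdate = "{ 65.54.87.0/24, 207.46.112.0/24 }"
#   nat on $ext_if from $lan to ! $winupdate ... -> ($ext_if)

# A table is a single object and can be negated. "const" makes the table
# read-only after the ruleset is loaded, so it cannot be changed at runtime
# with "pfctl -t winupdate -T add/delete".
table <winupdate> const { 65.54.87.0/24, 207.46.112.0/24 }

# NAT everything from the LAN except traffic to the table's networks.
nat on $ext_if proto tcp from $lan to ! <winupdate> port $portas_saida_tcp \
    tag INT_10.10.10.0 -> ($ext_if)

# Block the same networks on the WAN side, in both directions.
block in on $wan_if from <winupdate> to any
block out on $wan_if from any to <winupdate>

# Check the syntax without loading, then inspect the table once loaded:
#   pfctl -nf /etc/pf.conf
#   pfctl -t winupdate -T show
```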



How can I mount a NTFS( sharing) remote partition on openBSD?

2008-11-25 Thread Ricardo Augusto de Souza
Hi,



I need to access a share on a Windows machine from an OpenBSD box.

I did that in the past on Linux using mount -t vfat or smbclient.

How can I do that on OBSD 4.3?





thanks



4.4 arrives in Brazil

2008-12-02 Thread Ricardo Augusto de Souza
OpenBSD 4.4 arrives in Brazil.

http://www.temporeal.com.br/produtos.php?id=172290


It's just R$ 99,00



extend snmp mibs?

2008-12-03 Thread Ricardo Augusto de Souza
Hi,

I am trying to configure snmpd on an OpenBSD 4.3.
It's running and I am able to collect some info from OpenBSD.
I am using Zenoss (www.zenoss.com) to monitor my whole environment.

Zenoss can only show IpInterface.

On Windows servers I had to install SNMP Informant to extend the SNMP MIBs.


Zenoss errors when trying to get extra info from the OpenBSD box:

Error reading value for "memBuffer" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.4.14.0 is bad)
Error reading value for "ssCpuRawSystem" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.11.52.0 is bad)
Error reading value for "memCached" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.4.15.0 is bad)
Error reading value for "ssCpuRawWait" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.11.54.0 is bad)
Error reading value for "memAvailSwap" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.4.4.0 is bad)
Error reading value for "sysUpTime" on Fw.cmtsp.com.br (oid .1.3.6.1.2.1.25.1.1.0 is bad)
Error reading value for "ssCpuRawUser" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.11.50.0 is bad)
Error reading value for "laLoadInt5" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.10.1.5.2 is bad)
Error reading value for "ssCpuRawIdle" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.11.53.0 is bad)
Error reading value for "memAvailReal" on Fw.cmtsp.com.br (oid .1.3.6.1.4.1.2021.4.6.0 is bad)

Do I need to extend these MIBs? How?
I tried to contact [EMAIL PROTECTED] but got no reply.


thanks



my confs:

# cat /etc/snmpd.conf
# $OpenBSD: snmpd.conf,v 1.2 2008/01/30 10:21:05 reyk Exp $

listen_addr="10.10.100.254"

# Restrict daemon to listen on localhost only
listen on $listen_addr

# Specify a number of trap receivers
#trap receiver zenoss.cmtsp.com.br community public

# Adjust the local system information
system contact "Ricardo Augusto ([EMAIL PROTECTED])"
system description "Firewall Lorena. Powered by OpenBSD"
system location "CMT Lorena"
system oid 1.3.6.1.4.1.30155.23.1
system services 74


#mibs


# Provide static user-defined SNMP OIDs
#oid 1.3.6.1.4.1.30155.42.3.1 name testStringValue read-only string "Public"
#oid 1.3.6.1.4.1.30155.42.3.4 name testIntValue read-write integer 1
#

# cat /etc/snmp/snmpd.conf
com2sec notConfigUser  default       public

group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser

view    all            included      .1

access  notConfigGroup ""      any   noauth  exact  all  none  none
#



# snmpwalk -v2c -cpublic 10.10.100.254 system
SNMPv2-MIB::sysDescr.0 = STRING: Firewall Lorena. Powered by OpenBSD
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.30155.23.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (11919) 0:01:59.19
SNMPv2-MIB::sysContact.0 = STRING: Ricardo Augusto
([EMAIL PROTECTED])
SNMPv2-MIB::sysName.0 = STRING: Fw.cmtsp.com.br
SNMPv2-MIB::sysLocation.0 = STRING: CMT Lorena
SNMPv2-MIB::sysServices.0 = INTEGER: 74
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORIndex.1 = INTEGER: 1
SNMPv2-MIB::sysORIndex.2 = INTEGER: 2
SNMPv2-MIB::sysORIndex.3 = INTEGER: 3
SNMPv2-MIB::sysORIndex.4 = INTEGER: 4
SNMPv2-MIB::sysORIndex.5 = INTEGER: 5
SNMPv2-MIB::sysORIndex.6 = INTEGER: 6
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
SNMPv2-MIB::sysORID.2 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.3 = OID: SNMPv2-MIB::snmp
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-SMI::mib-2.17
SNMPv2-MIB::sysORID.5 = OID: IF-MIB::ifMIB
SNMPv2-MIB::sysORID.6 = OID: SNMPv2-SMI::enterprises.30155.2
SNMPv2-MIB::sysORDescr.1 = STRING: iso.org.dod.internet.mgmt.mib_2
SNMPv2-MIB::sysORDescr.2 = STRING: iso.org.dod.internet.mgmt.mib_2.ipMIB
SNMPv2-MIB::sysORDescr.3 = STRING: iso.org.dod.internet.mgmt.mib_2.snmp
SNMPv2-MIB::sysORDescr.4 = STRING: iso.org.dod.internet.mgmt.mib_2.dot1dBridge
SNMPv2-MIB::sysORDescr.5 = STRING: iso.org.dod.internet.mgmt.mib_2.ifMIB
SNMPv2-MIB::sysORDescr.6 = STRING: iso.org.dod.internet.private.enterprises.openBSD.sensorMIBObjects
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (0) 0:00:00.00
#


# snmpwalk -v2c -cpublic 10.10.100.254 .1.3.6.1.2.1.2.2.1
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
IF-MIB::ifIndex.6 = INTEGER: 6
IF-MIB::ifIndex.7 = INTEGER: 7
IF-MIB::ifIndex.8 = INTEGER: 8
IF-MIB::ifIndex.9 = INTEGER: 9
IF-MIB::ifDescr.1 = STRING: em0
IF-MIB::ifDescr.2 = STRING: bge0
IF-MIB::ifDescr.3 = STRING: bge1
IF-MIB::ifDescr.4 = STRING: xl0
IF-MIB::ifDescr.5 = STRING: xl1
IF-MIB::ifDescr.6 = STRING: enc0
IF-MIB::ifDescr.7 = STRING: lo0
IF-MIB::ifDescr.8 = STRING: tun0
IF-MIB::ifDescr.9 = STRING: pflog0
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.3 = INTEGER: et

OpenBSD 4.4 load balance outgoing

2009-01-20 Thread Ricardo Augusto de Souza
Hi,

I need help configuring an OpenBSD server to load balance and fail over my
internet connection.
I have 2 connections to the internet.
I followed http://www.openbsd.org/faq/pf/pools.html#outgoing but I didn't get
it working.
I added both routes with:
route add -mpath default 200.162.41.33
route add -mpath default 189.57.43.1




My confs are:

# cat sysctl.conf |grep inet
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets
net.inet.ip.multipath=1         # 1=Enable IP multipath routing
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1      # 1=Enable IPv6 multipath routing
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0         # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0         # 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0          # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0           # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0        # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1       # 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1       # 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1             # 1=Enable the TCP ECN extension
net.inet.carp.preempt=1         # 1=Enable carp(4) preemption
net.inet.carp.log=1             # 1=Enable logging of carp(4) packets
#net.inet.ip.mtudisc=0          # 0=Disable tcp mtu discovery
#

# cat /etc/mygate
#

# cat /etc/pf.conf
lan_net = "10.10.20.0/24"
int_if  = "vic0"
ext_if1 = "vic2"
ext_if2 = "vic3"
ext_gw1 = "189.57.43.1"
ext_gw2 = "200.162.41.33"

#  nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

#  default deny
#block in  from any to any
#block out from any to any

#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net
#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto tcp from $lan_net to any flags S/SA modulate state
#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto { udp, icmp } from $lan_net to any keep state

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
#

I am able to surf the internet from my 10.10.20.0/24 machines, but when I turn
off vic3 my users lose connectivity.
It seems it's using as default route the route I added first.

Help me please.



OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.20GHz ("GenuineIntel" 686-class) 3.24 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
real mem  = 536375296 (511MB)
avail mem = 510218240 (486MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/17/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 04/17/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1000 0xca000/0x1000 0xcb000/0x1000 0xdc000/0x4000! 0xe/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,

RES: OpenBSD 4.4 load balance outgoing

2009-01-21 Thread Ricardo Augusto de Souza
Thanks for the reply.


Did you get it working, Uwe?

I am still reading about ifstated and ospfd.conf




-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
u...@o3si.de
Sent: Wednesday, January 21, 2009 06:59
To: misc@openbsd.org
Subject: Re: OpenBSD 4.4 load balance outgoing

On Tue, 20 Jan 2009 21:57:59 + (UTC), Stuart Henderson wrote:

> On 2009-01-20, u...@o3si.de  wrote:
> > as the FAQ http://www.openbsd.org/faq/faq6.html#Multipath states:
> >
> > "It's worth noting that if an interface used by a multipath route
> > goes down (i.e., loses carrier), the kernel will still try to
> > forward packets using the route that points to that interface.
>
> the FAQ refers to 4.4 (i.e. the last released version), but I'm pretty
> sure this particular thing (link down resulting in blackhole) is not a
> problem in -current.

Oh, I hope so. I already noticed the same behaviour as Ricardo, so I'll give
-current a try.

> you may still have a need for some other way to kill the route if the
> link stays up but the nexthop is down, though.

I'll prefer ifstated, but relayd for monitoring may be a solution too.

> > So use ifstated to check the link of the interface and populate the
> > routing table accordingly.
>
> as an alternative to ifstated, you could take default routes from OSPF
> if your environment allows. (ospfd is ECMP capable).
>

Thanks @Claudio and @Stuart for your advice!

Regards Uwe



VPN / Proxy arp issue

2009-02-26 Thread Ricardo Augusto de Souza
Hi,



I have an OpenBSD 4.3 as firewall/router/VPN server (Server A,
production) (local IP 10.10.100.254 mask 255.255.0.0).

I just got it working when I give pptp clients an IP in the same
subnet as the VPN server (10.10.9/24).



I know/read about the proxy ARP issue, so I installed an OpenBSD 4.4 (server
B) and I am trying to configure it, but with no success yet.



All conf files are the same as I use on 4.3 (production).



# cat pptpd.conf
speed 230400
debug
option /etc/ppp/ppp.conf
logfile /var/log/pptpd.log
localip 172.16.0.1
remoteip 172.16.0.1-20
listen 189.57.43.4
nobsdcomp
+chapms-v2
mppe-40
mppe-128
mppe-stateless
noipparam
#



ppp.conf (http://189.57.43.4/ppp.conf): I just paste here the changes I made.





loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 set mppe * stateful
 set ifaddr 172.16.0.1 255.255.255.0 255.255.255.0
 set server /var/tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

pptp:
 set timeout 0
 set speed 115200
 set log phase chat connect lcp ipcp command
 set dial
 set login
 enable mssfixup
# set ifaddr 10.10.100.253 10.10.9.5-10.10.9.20 255.255.255.0 255.255.255.255
 set ifaddr 172.16.0.1 172.16.0.2-172.16.0.20 255.255.255.0 255.255.255.0
 enable chap
 disable pap
 enable mschapv2
 disable deflate pred1
 deny deflate pred1
 disable ipv6
 accept mppe
 enable proxy
 accept dns
 set device !/etc/ppp/secure



# cat /etc/modules.conf
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
alias net-pf-47 ip_gre
#



# cat ppp.secret
# Authname  Authkey  Peer's IP address  Label  Callback
loja1       passwd   172.16.0.2         loja1  *
#





I am able to connect using loja1.







/var/log/messages
Feb 26 11:26:02 Tico pptpd[9667]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Feb 26 11:26:02 Tico ppp[5686]: Warning: 172.16.0.8: Cannot determine ethernet address for proxy ARP
Feb 26 11:26:02 Tico ppp[5686]: Warning: 172.16.0.2: Cannot determine ethernet address for proxy ARP
Feb 26 11:26:02 Tico last message repeated 2 times
Feb 26 11:26:02 Tico ppp[5686]: Warning: ff01:a::/32: Change route failed: errno: Network is unreachable
Feb 26 11:26:02 Tico ppp[5686]: Warning: ff02:a::/32: Change route failed: errno: Network is unreachable
Feb 26 12:00:01 Tico syslogd: restart







Ifconfig:
tun0: flags=8051 mtu 1400
groups: tun
inet 255.255.255.0 --> 172.16.0.2 netmask 0xff00

# tcpdump -i tun0
tcpdump: listening on tun0, link-type LOOP
12:06:08.075096 172.16.0.2 > 172.16.0.1: icmp: echo request
12:06:11.104257 172.16.0.2 > 172.16.0.1: icmp: echo request
12:06:16.618617 172.16.0.2 > 172.16.0.1: icmp: echo request





As I can see the packets are arriving at my Server B but it's still
'wrong'.

I read about proxy ARP (http://poptop.sourceforge.net/dox/qna.html) but when
I try to add the arp entry I get an error:

# arp -s 172.16.0.2 00:0c:29:22:bb:cf pub
cannot intuit interface index and type for 172.16.0.2
#





Can anyone help me please?




Thanks



RES: Route problem

2009-07-07 Thread Ricardo Augusto de Souza
Wrong.

I am just able to ping it.
Clients who have OpenBSD as default gateway cannot access network
10.100.0.0/24 (like HTTP and other services).

Can anyone help me?

_
From: Ricardo Augusto de Souza
Sent: Tuesday, July 7, 2009 10:45
To: misc@openbsd.org
Subject: Route problem


Hi,

I use an OpenBSD 4.3 as gw + firewall.
I also have a Mikrotik as a backup gateway.
Now I lost the connectivity of one of my links (router 10.100.0.1 is down).
From the Mikrotik I am able to reach the target network (10.100.0.0/24),
so I removed this route from OpenBSD and added a new route to the Mikrotik.


At OpenBSD:
route add 10.100.0.0/24 10.10.0.1

# ping 10.100.0.8
PING 10.100.0.8 (10.100.0.8): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
--- 10.100.0.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

After around 5 min I was able to ping 10.100.0.0/24.

What am I missing?


Thanks



Route problem

2009-07-07 Thread Ricardo Augusto de Souza
Hi,

I use an OpenBSD 4.3 as gw + firewall.
I also have a Mikrotik as a backup gateway.
Now I lost the connectivity of one of my links (router 10.100.0.1 is down).
From the Mikrotik I am able to reach the target network (10.100.0.0/24),
so I removed this route from OpenBSD and added a new route to the Mikrotik.


At OpenBSD:
route add 10.100.0.0/24 10.10.0.1

# ping 10.100.0.8
PING 10.100.0.8 (10.100.0.8): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
--- 10.100.0.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

After around 5 min I was able to ping 10.100.0.0/24.

What am I missing?


Thanks



Removing content from misc

2009-07-13 Thread Ricardo Augusto de Souza
Hi,

I sent an email to misc a few months ago.
It is private content.
I found it at http://archive.netbsd.se/?ml=openbsd-misc&a=2009-05&t=10605255
I do need to remove it.

Is it possible?

Thanks



RES: Removing content from misc

2009-07-13 Thread Ricardo Augusto de Souza
It was an emergency situation.
I thought only members of misc were able to query its content.


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Han
Boetes
Sent: Monday, July 13, 2009 14:11
To: misc@openbsd.org
Subject: Re: Removing content from misc

Ricardo Augusto de Souza wrote:
> I sent an email to misc a few months ago.
> It is private content.
> I found it at
http://archive.netbsd.se/?ml=openbsd-misc&a=2009-05&t=10605255
> I do need to remove it.

Actually it's also mirrored at various other locations and there
isn't anything you can do to remove it all. All you can do is
prevent further impact by giving it as little public attention as
possible and by changing your settings in case they have security
impact.

Even by asking this question you draw attention upon yourself. Do
you realize that?



# Han



RES: Can be PF block skype?

2009-11-04 Thread Ricardo Augusto de Souza
Excellent answer.

Also try blocking the Skype netblock.


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Laurent
CARON
Sent: Wednesday, November 4, 2009 18:08
To: misc@openbsd.org
Cc: David Taveras
Subject: Re: Can be PF block skype?

On 04/11/2009 20:48, David Taveras wrote:
> Greetings,
>
> Can PF be programmed to block skype ? Provided we have port 80 and 443
> Opened to the world, and perhaps DNS port too... skype finds any open
> port to connect to.
>
> Regards,
> David Taveras
>

Hi,

Why having your users directly natted to the 'evil' internet ?

Laurent



Internet as an ocean

2009-12-29 Thread Ricardo Augusto de Souza
Hi,

I saw some nice pictures of OpenBSD showing the internet as an ocean (sea).

Can anyone send me the URL of these nice images?

I'd like to use them in a presentation.

Thanks

Ricardo Augusto
Infrastructure



Consórcio Metropolitano de Transportes
Alameda Lorena, 638 - 3º Andar
CEP: 01424-000 - Jardim Paulista - São Paulo - SP
Tel: +55 (11) 3888-2241
e-mail: ricardo.so...@cmtsp.com.br
