Need some suggestions abt application inside chroot

2012-01-01 Thread Stefan N
Hi All,

I need some suggestions/feedback about whether an application on OpenBSD should
or should not be installed inside a chroot environment.
For example, the Apache web server is installed in a chroot environment by default.

Are there specific guidelines to check and verify whether an application
should or should not be installed in a chroot environment?

Many thanks.

Stefan



Re: Diskless Install using PXEboot

2011-11-10 Thread Stefan N
Hi David,

You can set up a TFTP and DHCP server to install OpenBSD using PXE boot.

1. Set up the BIOS so that it will boot from LAN as the first priority.
2. Download these two files:
       pxeboot
       bsd.rd (rd stands for ramdisk)

   With these two files, you need to set up a PXE boot environment.

3. Next, you need to set up a DHCP server that recognizes the MAC address of
   the card and sets the options filename and next-server.

   This is an example for a Linux dhcpd:

       host app {
           hardware ethernet 00:00:AB:CD:EF:1A;
           fixed-address 192.168.1.100;
           filename "pxeboot";
           next-server 192.168.1.99;
       }

   Note: your next-server is a TFTP server serving the files /pxeboot and
   /bsd.rd.
4. Prepare the TFTP server for serving the files pxeboot and bsd.rd.
5. Activate only the TFTP option, set the directory to the one containing both
   of your files and start it.
6. Now boot your machine with PXE enabled. Make sure your dhcpd is serving the
   right address and the right information (check for DHCPACK in the logs).
7. The filename option will instruct your machine to load and run pxeboot,
   which is the first stage (somewhat equivalent to grub). Then, at the
   prompt, you may type bsd.rd and press enter. This file will also be
   downloaded from the TFTP server and will start the installation procedure.
8. Continue to install OpenBSD (disk partitioning etc.).

I hope it helps you.

Rgds,
Stefan

From: Li, David l...@cloudshield.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org misc@openbsd.org
Sent: Thursday, November 10, 2011 6:58 AM
Subject: RE: Diskless Install using PXEboot


Hi Stefan,
No, the external storage is the DHCP server and the OpenBSD machine can
NFS-mount the directories from the DHCP server once it's booted - this is my
plan.

I am new to BSD. I have done this in Linux (RedHat) but not sure if OpenBSD
can be done the same way. In Redhat, I would have to install it on a disk
first and then copy the directory structure, the kernel and ram disk file to
the DHCP server.

David

From: Stefan N [mailto:stefanbsd...@yahoo.com]
Sent: Wednesday, November 09, 2011 2:48 PM
To: Li, David
Cc: misc@openbsd.org
Subject: Re: Diskless Install using PXEboot

Hi David,

As you intend to boot up OpenBSD via PXE, I assume that you have external
storage.
Will you install OpenBSD on the iSCSI storage?

Regards,
Stefan



From: Li, David l...@cloudshield.com
To: misc@openbsd.org misc@openbsd.org
Sent: Thursday, November 10, 2011 5:34 AM
Subject: Diskless Install using PXEboot
Hi,

My goal is to use pxeboot to boot up a diskless x86_64 machine with
openbsd.
I am aware of this page: http://www.openbsd.org/faq/faq6.html#PXE and followed
the instructions. The bsd.rd was successfully downloaded. But the kernel
crashed on booting up. I might have missed some steps here prior to this. Do
I need to install it on a disk first and then use the bsd.rd from the disk
install?

Anyone can give me any pointers?

Thanks.

David


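A check for the PXE setup described above, added here as an example and not part of the thread: it confirms that the dhcpd.conf host stanza for a given MAC carries filename and next-server, that the boot file named there and bsd.rd are present in the TFTP root, and, if a log file is given, that dhcpd actually acknowledged the client. The stanza and log formats assumed are ISC dhcpd's (`host { ... }` with a quoted `filename`, and `DHCPACK on <ip> to <mac>` log lines); the paths in the usage line are placeholders.

```shell
#!/bin/sh
# pxe_check: verify the pieces of a PXE install of OpenBSD line up.
# Added example, not from the thread. Assumes ISC dhcpd.conf syntax
# (host { hardware ethernet ...; filename "..."; next-server ...; }) and
# ISC dhcpd's "DHCPACK on <ip> to <mac>" log line.
#
# Usage: pxe_check /etc/dhcpd.conf /tftpboot 00:00:ab:cd:ef:1a [/var/log/daemon]
pxe_check() {
    conf=$1; tftproot=$2
    mac=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    log=$4
    status=0

    # Pull out the host { ... } stanza whose hardware ethernet matches $mac.
    stanza=$(awk -v mac="$mac" '
        /^[ \t]*host[ \t]/ { inhost = 1; buf = "" }
        inhost            { buf = buf $0 "\n" }
        inhost && /}/     { if (index(tolower(buf), mac)) printf "%s", buf
                            inhost = 0 }' "$conf")
    if [ -z "$stanza" ]; then
        echo "no host stanza for $mac in $conf"
        return 1
    fi

    # Both options the PXE ROM needs must be set in the stanza.
    for key in filename next-server; do
        printf '%s' "$stanza" | grep -q "$key" \
            || { echo "host stanza lacks $key"; status=1; }
    done

    # The boot file named by "filename" (quoted or not) and bsd.rd must be
    # present under the TFTP root; pxeboot is assumed if none is named.
    boot=$(printf '%s' "$stanza" \
        | sed -n 's/.*filename[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p')
    for f in "${boot:-pxeboot}" bsd.rd; do
        [ -f "$tftproot/$f" ] || { echo "missing $tftproot/$f"; status=1; }
    done

    # Optional: did dhcpd actually acknowledge this client?
    if [ -n "$log" ] && ! grep -qi "DHCPACK on .* to $mac" "$log"; then
        echo "no DHCPACK for $mac in $log"
        status=1
    fi
    return $status
}

# Run the check when invoked with arguments; defines only the function otherwise.
if [ $# -ge 3 ]; then
    pxe_check "$@"
fi
```

The stanza match is case-insensitive because dhcpd accepts either case for the hardware address while the DHCPACK log line prints it in lower case; a non-zero exit with a one-line reason per missing piece makes the script usable from a pre-boot checklist.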

Re: Diskless Install using PXEboot

2011-11-09 Thread Stefan N
Hi David,

As you intend to boot up OpenBSD via PXE, I assume that you have
external storage.

Will you install the OpenBSD in the iSCSI Storage?
Regards,
Stefan



From: Li, David l...@cloudshield.com
To: misc@openbsd.org misc@openbsd.org
Sent: Thursday, November 10, 2011 5:34 AM
Subject: Diskless Install using PXEboot
Hi,

My goal is to use pxeboot to boot up a diskless x86_64 machine with
openbsd.
I am aware of this page: http://www.openbsd.org/faq/faq6.html#PXE and followed
the instructions. The bsd.rd was successfully downloaded. But the kernel
crashed on booting up. I might have missed some steps here prior to this. Do
I need to install it on a disk first and then use the bsd.rd from the disk
install?

Anyone can give me any pointers?

Thanks.

David



Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF

2011-10-26 Thread Stefan N
Hi Hassan,
Okay thanks. I will try again.

Regards,
Stefan




From: Hassan Monfared hmonfa...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org misc@openbsd.org
Sent: Wednesday, October 26, 2011 2:07 PM
Subject: Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF


Hi, Stefan,
There is no need for any change other than symon.conf; it's enough.


On Wed, Oct 26, 2011 at 6:59 AM, Stefan N stefanbsd...@yahoo.com wrote:

Hi Guys,

This is the first time I have tried to install symon on OpenBSD, and my main
goal is to monitor OpenBSD interface, disk and CPU as well as PF statistics.
As per the symon documentation on
http://wpd.home.xs4all.nl/symon/documentation.html, the symon config file is
located in /etc/symon.conf.
However, I found another file (c_config.sh) that contains an example shell
script for collecting interface and io information. Before I move forward to
install and configure symux, I have the following doubts about symon.conf and
the c_config.sh script:

My questions about symon:
1. Do I need to configure symon.conf only? Do I need to customize c_config.sh
   to meet my specific requirements, since c_config.sh collects interface and
   io information only?
2. By default the firewall rule file will be read from /etc/pf.conf. How do I
   change the setting if my firewall config is located in a different folder
   (for example /etc/fw/pf.conf)?

Thank you in advance.

Regards,
Stefan



Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF

2011-10-26 Thread Stefan N
Hi Hassan,

Thanks. I'll try again.

Regards,
Stefanus

From: Hassan Monfared hmonfa...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: OpenBSD misc misc@openbsd.org
Sent: Wednesday, October 26, 2011 9:30 PM
Subject: Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF

Hi Stefan,
In my case symon, symux and syweb are all on the same machine; you can change
127.0.0.1 to your desired machine address.
--
$ cat /etc/symon.conf
monitor { cpu(0), cpu(1), cpu(2), cpu(3), mem,
          if(bnx0), if(bnx1),
          pf, pfq(bnx1),
          mbuf,
          sensor(cpu0.temp0),
#         proc(httpd),
#         if(xl0), if(de0), if(wi0),
          io(sd0), df(sd0h)
}
stream to 127.0.0.1 2100

--
$ cat /etc/symux.conf

mux 127.0.0.1 2100

source 127.0.0.1 {
    accept { cpu(0), cpu(1), cpu(2), cpu(3), mem,
             if(bnx0), if(bnx1),
             pf, pfq(bnx1),
             mbuf,
             sensor(cpu0.temp0),
#            proc(httpd),
#            if(xl0), if(de0), if(wi0),
             io(sd0), df(sd0h)
    }
    datadir /var/www/symon/rrds/localhost
}

---
Don't forget to run the following commands (from the documentation):

(cd /usr/ports/net/rrdtool && make install)
make
make install
vi /etc/symux.conf /etc/symon.conf
~symon/symux/c_smrrds.sh all
/usr/local/libexec/symux
useradd -d /var/empty -L daemon -c 'symon Account' -s /sbin/nologin _symon
/usr/local/libexec/symon


Regards,



On Wed, Oct 26, 2011 at 2:43 PM, Stefan N stefanbsd...@yahoo.com wrote:

 Hi Hassan,

 I could see the traffic going out (using tcpdump) from my OpenBSD machine
 with symon installed.
 I am in the midst of doing the configuration of symux, syweb and rrdtool on
 another machine (linux).
 Do you have the sample configuration of symux, syweb and rrdtool?

 Thank you in advance.

 Regards,
 Stefan

 --
 *From:* Hassan Monfared hmonfa...@gmail.com
 *To:* Stefan N stefanbsd...@yahoo.com
 *Cc:* misc@openbsd.org misc@openbsd.org
 *Sent:* Wednesday, October 26, 2011 5:08 PM
 *Subject:* Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF

 sure,
 I can send my sample configuration to you if you needed.

 On Wed, Oct 26, 2011 at 12:09 PM, Stefan N stefanbsd...@yahoo.com wrote:

  Hi Hassan,

  Okay thanks. I will try again.

  Regards,
  Stefan

  --
  *From:* Hassan Monfared hmonfa...@gmail.com
  *To:* Stefan N stefanbsd...@yahoo.com
  *Cc:* misc@openbsd.org misc@openbsd.org
  *Sent:* Wednesday, October 26, 2011 2:07 PM
  *Subject:* Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF

  Hi, Stefan,
  there is no need to any change other than symon.conf. its enough.

  On Wed, Oct 26, 2011 at 6:59 AM, Stefan N stefanbsd...@yahoo.com wrote:

  Hi Guys,

  This is the first time I tried to install symon on OpenBSD and my main goal
  is to monitor OpenBSD interface, disk, cpu as well as PF statistic.
  As per symon documentation on
  http://wpd.home.xs4all.nl/symon/documentation.html, the symon config file
  is located in /etc/symon.conf
  However, I found another file (c_config.sh) contains an example of shell
  script for collecting info of interface and io. Before I move forward to
  install and configure symux, I have the following doubts about symon.conf
  and c_config.sh script/

  My questions about symon:
  1. Do I need to configure symon.conf only? Do I need to customize
  c_config.sh to meet my specific requirement because c_config.sh file
  contains and collect interface and io information only?
  2. The default location of firewall rule file will be read from
  /etc/pf.conf. How do I change the setting if my firewall config is located
  in different folder (for example on /etc/fw/pf.conf?)

  Thank you in advance.

  Regards,
  Stefan



Question: c_config.sh and symon.conf on symon for OpenBSD PF

2011-10-25 Thread Stefan N
Hi Guys,

This is the first time I have tried to install symon on OpenBSD, and my main
goal is to monitor OpenBSD interface, disk and CPU as well as PF statistics.
As per the symon documentation on
http://wpd.home.xs4all.nl/symon/documentation.html, the symon config file is
located in /etc/symon.conf.
However, I found another file (c_config.sh) that contains an example shell
script for collecting interface and io information. Before I move forward to
install and configure symux, I have the following doubts about symon.conf and
the c_config.sh script:

My questions about symon:
1. Do I need to configure symon.conf only? Do I need to customize c_config.sh
   to meet my specific requirements, since c_config.sh collects interface and
   io information only?
2. By default the firewall rule file will be read from /etc/pf.conf. How do I
   change the setting if my firewall config is located in a different folder
   (for example /etc/fw/pf.conf)?

Thank you in advance.

Regards,
Stefan



Need suggestion about Firewall Reporter for OpenBSD PF

2011-10-13 Thread Stefan N
Hi guys,

Have you ever used a firewall reporting tool for OpenBSD PF which is able to
do some comprehensive reporting, for example: showing in a pie chart how many
allowed and blocked connections based on services (http, https etc.),
incoming and outgoing user traffic, destination, connection etc.

I found a firewall reporting tool, the Stony Lake firewall reporting tool,
but unfortunately OpenBSD PF is not on the supported list yet:
http://www.stonylakesolutions.com/sls/about%20sfr.jsp

Thank you.

Rgds,
Stefan



Re: Need suggestion about Firewall Reporter for OpenBSD PF

2011-10-13 Thread Stefan N
Hi Erling,

Thanks. I will try and test it.

Regards,
Stefan

From: Erling Westenvik erling.westen...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Sent: Friday, October 14, 2011 7:46 AM
Subject: Re: Need suggestion about Firewall Reporter for OpenBSD PF

You might consider trying out hatchet 0.9.2 which is in ports/packages:

$ sudo pkg_add -iv hatchet

I haven't tried it myself. Check http://www.dixongroup.net/hatchet/. It
doesn't have pie charts or other nifty presentations, but it stores the pf
logs in a sqlite database and it should be possible to extract the data and
display statistics the way you like using suitable tools.

Regards,
Erling

On Fri, Oct 14, 2011 at 12:40 AM,
Stefan N stefanbsd...@yahoo.com
wrote:
 Have you ever used firewall reporting tool for OpenBSD PF which is
 able to do some comprehensive reporting for example: showing in a pie
 chart how many allowed and blocked connections based on
 services(http,https etc), incoming and outgoing user
 traffic,destination,connection etc.

 I found firewall reporting tool: stoneylake firewall reporting
 tool,but unfortunately OpenBSD PF is not on the supported list
 yet.http://www.stonylakesolutions.com/sls/about%20sfr.jsp

 Thank you.

 Rgds,
 Stefan


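Until a database-backed tool like hatchet is in place, the allowed-versus-blocked count per service that Stefan asks for can be pulled straight out of pflog. The following is an added example, not code from the thread or from hatchet: it reads `tcpdump -n -e -tttt -r /var/log/pflog` output, in which the `-e` flag shows the matched rule and action (`rule 3/(match) pass in on em0:`), and tallies actions per destination service. The sample lines are constructed, and the port-to-service table covers only the four services named in the question.

```shell
#!/bin/sh
# pflog_summary: count pass/block decisions per destination service from
# "tcpdump -n -e -tttt -r /var/log/pflog" style lines. Added example; the
# sample below is constructed, not captured traffic.
pflog_summary() {
    awk '
    BEGIN { names["22"] = "ssh"; names["25"] = "smtp"
            names["80"] = "http"; names["443"] = "https" }
    /rule [0-9]+\// {
        # pflog lines look like:  rule 3/(match) pass in on em0: SRC > DST: ...
        action = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "rule") action = $(i + 2)
            if ($i == ">")    dst = $(i + 1)
        }
        if (action != "pass" && action != "block") next
        sub(/:$/, "", dst)              # strip the trailing colon
        n = split(dst, p, ".")          # last dotted field is the port
        port = p[n]
        svc = (port in names) ? names[port] : port
        count[action " " svc]++
    }
    END { for (k in count) print k, count[k] }' "$@" | LC_ALL=C sort
}

# Constructed sample in tcpdump -n -e -tttt -r pflog format (documentation
# addresses, not real hosts).
SAMPLE_PFLOG='Oct 14 00:40:01.000001 rule 3/(match) pass in on em0: 198.51.100.7.51515 > 192.0.2.10.80: S 1:1(0) win 65535
Oct 14 00:40:02.000001 rule 3/(match) pass in on em0: 198.51.100.8.41000 > 192.0.2.10.443: S 1:1(0) win 65535
Oct 14 00:40:03.000001 rule 0/(match) block in on em0: 203.0.113.5.54321 > 192.0.2.10.22: S 1:1(0) win 65535
Oct 14 00:40:04.000001 rule 0/(match) block in on em0: 203.0.113.5.54322 > 192.0.2.10.22: S 1:1(0) win 65535
Oct 14 00:40:05.000001 rule 3/(match) pass in on em0: 198.51.100.9.41001 > 192.0.2.10.80: S 1:1(0) win 65535'

# "demo" runs over the sample; any other argument is treated as a file of
# tcpdump output, e.g.:  tcpdump -n -e -tttt -r /var/log/pflog > /tmp/pf.txt
case ${1:-} in
    demo) printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary ;;
    "")   : ;;
    *)    pflog_summary "$@" ;;
esac
```

Because the tally keys on the action recorded in the pflog header rather than on the rule number, it stays correct when the rule set is reordered; feeding the output to a plotting tool of choice gives the pie chart the question asks for.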

Re: Help setting up a PF NAT gateway

2011-10-11 Thread Stefan N
Okay. If you're going to give internet users access to a system inside your
LAN/DMZ (e.g. a web server), you will need to do NAT. If you want the server,
which is configured with a private IP address, to be reachable by internet
users, you will need NAT.

The way you do NAT might depend on your network infrastructure setup and how
you design and plan the traffic flow.
IP aliasing is associating more than one IP address with a network interface.
With this, one node on a network can have multiple connections to a network,
each serving a different purpose. Now I will explain with an example so that
you can visualize it in a better way:

I have a web server with IP address 192.168.1.100.
My firewall has 2 NICs, one internal (192.168.1.1) and one external using a
public IP (50.50.50.59).
I would like to allow users from the internet to access my web server. Since I
configured the web server using a private IP, internet users cannot access my
web server directly; that is why NAT is needed.
For this example I have 2 scenarios for doing NAT.

1. If I have a limited number of public IP addresses assigned to me by the ISP:
   any http traffic from the internet to the firewall's external IP address
   will be redirected to my web server.

   internet user port 80 ---> FW ext IP address ---> Web server

   In this case I don't need to use an additional IP address as an alias,
   because internet users will access my website via http://50.50.50.59 and
   the traffic will be redirected to the web server which is located inside
   the LAN (192.168.1.100).

2. If I have a spare public IP address, this is where an IP alias can play a
   role.
   I have another public IP (let's say 50.50.50.58) and I would like to assign
   it to the web server. The web server is still located inside my LAN with IP
   192.168.1.100. But I want to assign the IP 50.50.50.58 only for application
   server services, because I don't want to mix it up with the firewall
   service.
   So the same concept applies here: any http traffic from the internet to IP
   50.50.50.58 will be redirected to my web server.

   internet user port 80 ---> 50.50.50.58 ---> Web server

   As 50.50.50.58 and 50.50.50.59 are within the same subnet (and both
   assigned to my business by the ISP), I need to assign it on the external
   firewall interface. If I didn't assign it on the external firewall
   interface, the incoming http traffic would not be able to pass through,
   because neither router nor firewall would know how and where to redirect
   the incoming packet, and neither router nor firewall would take ownership
   of 50.50.50.58, although 50.50.50.58 is assigned to my business by the ISP.
   By assigning 50.50.50.58 on the external firewall interface as an IP alias,
   the firewall will know how and where to redirect the incoming traffic. When
   the http traffic for 50.50.50.58 comes in, the firewall will take
   ownership, check the routing table, and then the PF engine will check from
   the rule list whether the incoming traffic to the web server is allowed or
   not. Once a rule is matched, the packet will be redirected to the
   destination. You can do the same by creating a rule for an email server
   etc.: internet user port 25 ---> 50.50.50.58 ---> my email server.

The same IP alias concept also applies if you want to implement many-to-one
NAT, for example to allow your LAN users to access the internet.
You can use an IP alias or use the firewall's external interface IP as the NAT
IP. It all depends on how your infrastructure is configured and planned.
Which scenario is your setup? If you're using the 1st scenario, you don't need
to use an IP alias, because the external IP address of the firewall which is
accessed by public users for http traffic belongs to the firewall. If you use
the 2nd scenario, you will need an IP alias configured on the external
firewall interface.
Please also check the routing table in the router and the default gateway on
your destination node.

I hope it helps.

Regards,
Stefan

From: Stefan Midjich sweh...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org misc@openbsd.org
Sent: Tuesday, October 11, 2011 1:25 PM
Subject: Re: Help setting up a PF NAT gateway

No I was not aware of this. Could you please explain the meaning of an alias
address on the external interface for NAT?

There is no mention of using an alias for NAT in this document for example
http://www.openbsd.org/faq/pf/nat.html

Just to be clear, I already have an external and internal physical interface
to work with, so I am unclear as to why I need an alias.

2011/10/11 Stefan N stefanbsd...@yahoo.com:
 Hi Stefan,
 As you mentioned that the IP forwarding is already enabled on your system.
 Have you configured the IP alias on the network interface for the NAT
 purpose?
 If the NAT is done on external interface then you'll need to add in the IP
 alias on /etc/hostname.vic2
 Please read the guide from openbsd url below:
 http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html
 Sample of hostname.if config with IP alias:

  A typical file contains only one

Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan N
Hi Stefan,

As you mentioned, IP forwarding is already enabled on your system.
Have you configured the IP alias on the network interface for the NAT
purpose?
If the NAT is done on the external interface then you'll need to add the IP
alias in /etc/hostname.vic2

Please read the guide from the OpenBSD URL below:
http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html

Sample of a hostname.if config with IP alias:

A typical file contains only one line, but more extensive files are possible,
for example:

    inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description "Uplink"
    inet alias 10.0.1.13 255.255.255.255 10.0.1.13
    inet alias 10.0.1.14 255.255.255.255 NONE
    inet alias 10.0.1.15 255.255.255.255
    inet alias 10.0.1.16 0x
    # This is an example comment line.
    inet6 alias fec0::1 64
    inet6 alias fec0::2 64 anycast
    !route add 65.65.65.65 10.0.1.13
    up
I hope it helps.

Regards,
Stefan




From: Stefan Midjich sweh...@gmail.com
To: Mark (obsd) openbsd-l...@nerdish.us
Cc: misc@openbsd.org
Sent: Tuesday, October 11, 2011 2:06 AM
Subject: Re: Help setting up a PF NAT gateway

Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far.

2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
 Hi Stefan,

 On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:

 Simplest of things but I'm failing miserably.

 ...

 With tcpdump I can see packets going to vic3, but no further.


 Do you definitely have forwarding enabled?
 # sysctl net.inet.ip.forwarding
 net.inet.ip.forwarding=1
 If that were 0 instead of 1, you'd get your symptoms.  Edit /etc/sysctl.conf
 to enable forwarding if you haven't.
 Regards,
 Mark



--


Med vänliga hälsningar /
With kind regards

Stefan Midjich



Re: Problem with installing OpenBSD

2011-09-29 Thread Stefan N
What is the problem? Can you share with us the detail of the problems you are
facing? 
Did you install via network or CD? Which type of CD installation did
you use?
 
Regards,
Stefan



From: Sales - OrangeWebsite.com sa...@orangewebsite.com
To: misc@openbsd.org
Sent: Thursday, September 29, 2011 10:07 AM
Subject: Problem with installing OpenBSD
Hey,

We are experiencing problems with installing OpenBSD on our VPS servers.
We'd hope you could provide us some assistance on how we could fix this. You
can see our VPS details here at http://www.orangewebsite.com/docs/vps.php.


Best greetings,
- Henry K. Johannes
Orangewebsite.com - 'Your solid business partner'



Time interval based pf rule

2011-09-02 Thread Stefan N
Hi all,

Does the OpenBSD PF engine have a feature to create time-interval-based rules?
I have tried to do that but I could not find any relevant documentation.
Is creating time-interval-based rules supported on OpenBSD PF?

Regards,
Stefan



Re: Time interval based pf rule

2011-09-02 Thread Stefan N
Hi Jim,

If I use anchors to create pf rules, that means there is another configuration
that needs to be taken care of.
Besides /etc/pf.conf, we need to take care of and maintain a crontab for scheduling.

Regards,
Stefan




From: James Hartley jjhart...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org misc@openbsd.org
Sent: Friday, September 2, 2011 7:47 PM
Subject: Re: Time interval based pf rule

On Fri, Sep 2, 2011 at 4:21 AM, Stefan N stefanbsd...@yahoo.com wrote:

 Does OpenBSD PF engine have the feature to create time interval based rule?


See how to dynamically add rules via anchors:

http://www.openbsd.org/faq/pf/anchors.html

... scheduling scripts via crontab(5).

Jim



Re: Time interval based pf rule

2011-09-02 Thread Stefan N
Actually I would like to limit access during office hours.
So a time-interval-based rule means:
a user is only allowed to access a specific application and destination based
on the time interval.
For example: a Finance Department user is only allowed to access the Facebook
website after office hours (from 6PM onwards) and only on Friday.

If I didn't add the time interval, they could spend their time browsing and
chatting on Facebook instead of working.
What do you mean by one-hit rules?


Regards,
Stefan





From: Christiano F. Haesbaert haesba...@openbsd.org
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org misc@openbsd.org
Sent: Friday, September 2, 2011 8:14 PM
Subject: Re: Time interval based pf rule

On 2 September 2011 09:11, Stefan N stefanbsd...@yahoo.com wrote:
 Hi Jim,

 If I used anchor to create pf rules which means there is another 
 configuration needs to be taken care.
 Beside /etc/pf.conf, we need to take care and maintain crontab for 
 schedulling.


What are you trying to accomplish with timer based rules ?
Recently one-hit rules were added, depending on your problem that
might solve it.



Re: Time interval based pf rule

2011-09-02 Thread Stefan N
Okay guys. Thanks for the suggestion.

Regards,
Stefan




From: Christiano F. Haesbaert haesba...@openbsd.org
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org misc@openbsd.org
Sent: Friday, September 2, 2011 8:34 PM
Subject: Re: Time interval based pf rule

On 2 September 2011 09:26, Stefan N stefanbsd...@yahoo.com wrote:
 Actually I would like to limit the access during office hour.
 So Time interval base rule means:
 user is only allowed to access specific application and destination based 
 from the time interval.
 For example: Finance Department user is only allowed to access facebook
 website after office hour (after 6PM onwards) and only on friday.

 If I didn't add the time interval, they can spend their time for browsing and 
 chatting on facebook instead of working.
 What do you mean by one-hit rules?

Rules that get destroyed after a first match, but that's not what you want.

anchors + crontab as Peter suggested is an easy alternative.


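The anchor-plus-crontab approach suggested in this thread, written out as an added example (not from the thread or from OpenBSD's own tooling). It assumes /etc/pf.conf ends with a block rule for the finance hosts followed by `anchor "afterhours"`, so that rules loaded into the anchor override the block (in PF the last matching rule wins), that the rule file to load lives at the hypothetical path /etc/pf.afterhours.conf, and that the tables it references are defined in the main ruleset. cron calls the script with `open` at the start of the window and `close` at the end; outside the window the anchor is empty and the block rule stands.

```shell
#!/bin/sh
# pf-afterhours: load or flush a PF anchor on a schedule via cron(8).
# Added example, not from the thread. Assumed (hypothetical) layout:
#   /etc/pf.conf:
#       table <finance>  { 192.168.10.0/24 }
#       table <facebook> persist file "/etc/pf.facebook.addrs"
#       block return out on em1 from <finance> to <facebook>
#       anchor "afterhours"
#   /etc/pf.afterhours.conf:
#       pass out on em1 from <finance> to <facebook> port { 80 443 }
# Check both files with "pfctl -nf" before installing the cron entries.

ANCHOR=${ANCHOR:-afterhours}
RULES=${RULES:-/etc/pf.afterhours.conf}
PFCTL=${PFCTL:-/sbin/pfctl}

# Window opens: load the rule file into the anchor only. The main rule set
# is not reloaded, so a mistake in the anchor file cannot drop the rest of
# the policy.
open_window() {
    "$PFCTL" -a "$ANCHOR" -f "$RULES"
}

# Window closes: flush the anchor's rules, leaving the block rule in force.
close_window() {
    "$PFCTL" -a "$ANCHOR" -F rules
}

# crontab(5) lines for root: open Friday 18:00, close Saturday 00:00.
# $1 is the installed path of this script.
cron_lines() {
    printf '0 18 * * 5 %s open\n' "$1"
    printf '0 0 * * 6 %s close\n' "$1"
}

case ${1:-} in
    open)  open_window ;;
    close) close_window ;;
    cron)  cron_lines "$0" ;;
esac
```

Keeping the time-dependent rules in their own anchor also makes the current state auditable at any moment with `pfctl -a afterhours -sr`: an empty listing means the window is closed, which is the safe default if a cron run is ever missed.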

Re: static IP

2011-08-31 Thread Stefan N
First, check the syntax by referring to the hostname.if(5) OpenBSD manual page.

Did you configure it during the installation process or after the installation
process was done?

What do you mean by "they gave you a login and password"?
Which user did you use to configure the IP address? Did you log in as root or
as another user and use sudo to configure it?





From: igor denisov denisovigor1...@rambler.ru
To: misc@openbsd.org
Sent: Wednesday, August 31, 2011 6:04 PM
Subject: static IP

Cannot configure internet with static IP address

hostname.fc0

inet IP mask

and nothing works. They gave me login and password, may be this is the case?


--
igor denisov.



Gigabit Ethernet Controller compatibility with OpenBSD 4.9

2011-07-25 Thread Stefan N
Hi All,

Has any of you ever installed OpenBSD 4.9 (i386/amd64 platform) on a machine
using one of the following Gigabit Ethernet controllers:
1.Realtek 8111C Gigabit Ethernet Controller
2.Intel 82574L Gigabit Ethernet Controller
3.Intel 82567V Gigabit Ethernet Controller
4.Intel 82583V Gigabit Ethernet Controller
5.Intel 82574E Gigabit Ethernet Controller
6.Intel 82576 Gigabit Ethernet Controller
7.Intel 82599ES 10Gigabit Ethernet Controller

Is there any compatibility issue?

The reason I am asking is that the gigabit and 10G ethernet controllers
mentioned above are not listed on:
http://www.openbsd.org/i386.html
http://www.openbsd.org/amd64.html

Regards,
Stefan



Question: IP NAT syntax on CARP interface

2011-06-22 Thread Stefan N
Hi guys,

I am in the midst of configuring OpenBSD 4.9 PF using IP balancing and an
active-passive solution.
Every interface was configured successfully but I hit a problem when I am
going to add an IP alias/NAT IP on a carp interface.

1) For the active-passive scenario:
Let's say I am going to configure the carp1 interface and I edit
/etc/hostname.carp1 with 172.16.2.216 as virtual IP and 172.16.2.222 as NAT IP:

    inet 172.16.2.216 255.255.255.0 172.16.2.255 vhid 2 advbase 20 advskew 0 carpdev em1 pass p455w0rd
    inet 172.16.2.222 255.255.255.255 vhid 2 advbase 20 advskew 0 carpdev em1 pass p455w0rd

Then I save the config and restart the carp1 interface: sh /etc/netstart carp1
but the output is ifconfig: vhid: bad value.

2) For the IP balancing scenario, carp1 will have the virtual IP and some NAT
IP addresses:
Let's say I am going to configure the carp1 interface and I edit
/etc/hostname.carp1 with 172.16.1.216 as virtual IP and 172.16.1.222 as NAT IP:

    inet 172.16.1.216 255.255.255.0 172.16.1.255 balancing ip carpnodes 3:0,4:100 pass p455w0rd
    inet 172.16.1.222 255.255.255.255 balancing ip carpnodes 3:0,4:100 pass p455w0rd

Then I save the config and restart the carp1 interface: sh /etc/netstart carp1
but the output is ifconfig: balancing: bad value.

What is the right syntax to configure and add a NAT IP on a carp interface?
Is the concept of adding NAT IP(s) on carp interface(s) in the active-active
and IP balancing scenarios correct?

Thank you in advance.

Stefan



Re: what's with Open Source Fanshop - CDs T-shirts

2011-06-14 Thread Stefan N
Hi Cheng,

Perhaps the owner of the domain and website configured the website to do URL
redirection to www.openbsd.org.
You can follow up with the registration service provider below:

   Domain Name: OSWEBSHOP.COM
   Registrar: TUCOWS.COM CO.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS1.R4L.COM
   Name Server: NS2.R4L.COM
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 23-mar-2011
   Creation Date: 23-oct-2008
   Expiration Date: 23-oct-2011
   Last update of whois database: Wed, 15 Jun 2011 04:49:53 UTC

Queried whois.tucows.com with oswebshop.com...
Registrant:  NA  5802 Bob Bullock C1 Unit 328C-195  Laredo, TX 78041-8813  US
Domain name: OSWEBSHOP.COM
Registration Service Provider: Register4less, supp...@r4l.com (514) 905-6500
http://register4less.com

Stefan



From: CHENG ACHENG bsdp...@gmail.com
To: misc@openbsd.org
Sent: Wed, June 15, 2011 11:14:12 AM
Subject: what's with Open Source Fanshop - CDs  T-shirts

Hello list,

I tried to order T-shirts and CD set from Open Source Fanshop (
http://www.oswebshop.com/), but found it's been down for quite some time.
Now its URL is pointing to www.openbsd.org.
Anybody knows what's going on with this site?

thanks,
Alan Cheng



Re: Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710

2011-06-08 Thread Stefan N
Hi guys,

Thank you so much for all of the replies.

Regards,
Stefan





From: Paul de Weerd we...@weirdnet.nl
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Wed, June 8, 2011 5:42:04 PM
Subject: Re: Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710

On Tue, Jun 07, 2011 at 08:49:50PM -0700, Stefan N wrote:
| Hi All,
| 
| Have you ever tried to install OpenBSD 4.9/amd64 on the Dell
| PowerEdge Server 
| R210,R410,R610,R710 (2.5 SAS Disk) with additional Intel.
| Gigabit ET Quad Port 
| Server Adapter? If yes, are those servers fully
| compatible with OpenBSD 
| 4.9/amd64?

Anyone with a dmesg for the newer Dell PowerEdge R210 II ? The below
is for a 'regular' R210 (yes, I need to upgrade that machine).

Paul 'WEiRD' de Weerd

OpenBSD 4.8-current (GENERIC.MP) #433: Thu Sep 30 00:20:40 MDT 2010
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3210317824 (3061MB)
avail mem = 3111002112 (2966MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xbf79c000 (63 entries)
bios0: vendor Dell Inc. version 1.3.4 date 05/24/2010
bios0: Dell Inc. PowerEdge R210
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET DMAR MCFG WDAT SLIC ERST HEST BERT EINJ 
TCPA SSDT
acpi0: wakeup devices PCI0(S5) USBA(S0) USBB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2394.27 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 132MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2393.98 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2393.98 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2393.98 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu3: 256KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (LYD0)
acpiprt2 at acpi0: bus -1 (LYD2)
acpiprt3 at acpi0: bus -1 (HVD0)
acpiprt4 at acpi0: bus -1 (HVD2)
acpiprt5 at acpi0: bus 2 (PEX0)
acpiprt6 at acpi0: bus -1 (PEX4)
acpiprt7 at acpi0: bus -1 (PEX5)
acpiprt8 at acpi0: bus 3 (COMP)
acpicpu0 at acpi0: C3, C1
acpicpu1 at acpi0: C3, C1
acpicpu2 at acpi0: C3, C1
acpicpu3 at acpi0: C3, C1
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel Core DMI rev 0x11
ppb0 at pci0 dev 3 function 0 Intel Core PCIE rev 0x11: apic 0 int 16 (irq 0)
pci1 at ppb0 bus 1
Intel Core Management rev 0x11 at pci0 dev 8 function 0 not configured
Intel Core Scratch rev 0x11 at pci0 dev 8 function 1 not configured
Intel Core Control rev 0x11 at pci0 dev 8 function 2 not configured
Intel Core Misc rev 0x11 at pci0 dev 8 function 3 not configured
Intel Core QPI Link rev 0x11 at pci0 dev 16 function 0 not configured
Intel Core QPI Routing rev 0x11 at pci0 dev 16 function 1 not configured
ehci0 at pci0 dev 26 function 0 Intel 3400 USB rev 0x05: apic 0 int 22 (irq 14)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb1 at pci0 dev 28 function 0 Intel 3400 PCIE rev 0x05
pci2 at ppb1 bus 2
bnx0 at pci2 dev 0 function 0 Broadcom BCM5716 rev 0x20: apic 0 int 16 (irq 15)
bnx1 at pci2 dev 0 function 1 Broadcom BCM5716 rev 0x20: apic 0 int 17 (irq 10)
ehci1 at pci0 dev 29 function 0 Intel 3400 USB rev 0x05: apic 0 int 22 (irq 14)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xa5
pci3 at ppb2 bus 3
vga1 at pci3 dev 3 function 0 Matrox MGA G200eW rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 Intel 3420 LPC rev 0x05
ahci0 at pci0 dev 31 function 2 Intel 3400 AHCI rev 0x05: apic 0 int 20 (irq 11), AHCI

Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710

2011-06-07 Thread Stefan N
Hi All,

Have you ever tried to install OpenBSD 4.9/amd64 on the Dell PowerEdge Server
R210,R410,R610,R710 (2.5 SAS Disk) with an additional Intel Gigabit ET Quad Port
Server Adapter? If yes, are those servers fully compatible with OpenBSD 4.9/amd64?

Regards,
Stefan



Re: Routing Issue

2011-05-17 Thread Stefan N
Hey David,

I was testing more or less the same scenario as yours and having the same 
source NAT issue.
Below is my diagram:
There are 2 scenarios that I did:
1. Without NAT (successful): can ping from notebook to webserver; the notebook 
can access webserver/tcp-443 successfully.
2. With source NAT (not successful)

The diagram is:

notebook <--> em0 [OpenBSD 4.9 PF] em1 <--> webserver (TCP/443)

Detail:
em0 is 192.168.1.216/24
notebook is 192.168.1.21/24
em1 is 192.168.2.216/24
webserver is 192.168.2.80/24
IP alias for source NAT on em1 is 192.168.2.232/32
ip forwarding on sysctl =1

Notebook's gateway is firewall internal IP: 192.168.1.216
Firewall's gateway is webserver :192.168.2.80
Webserver's gateway is firewall external IP: 192.168.2.216

I have tried to do source NAT testing to allow traffic from notebook to 
webserver using source NAT on em1.
192.168.1.21 --> 192.168.2.232 --> 192.168.2.80

For the routing table,I don't have other static routes. Only default gateway 
which is pointing to 192.168.2.80(webserver) 


Unfortunately it hasn't worked at all. I have tried to monitor the traffic using:
1. tcpdump on em1 (external int): no packets pass through em1 at all.
2. tcpdump on em0 (internal int): there are some packets from 192.168.1.21 to 
192.168.2.80 (SYN) but no reply at all from the webserver.

Below is the rule of the scenario above using NAT:

# Tables: (2)
table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 } 
table <tbl.r0.dx> { 192.168.1.216 , 192.168.2.80 , 192.168.2.216 } 

# 
# Rule  0 (NAT)
match out on em1 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232


#ssh access rule 
pass in   quick inet proto tcp  from 192.168.1.21  to <tbl.r0.d> port 22  label "RULE -1 -- ACCEPT"

# 
# Rule  0
pass  log  quick on { em0 em1 } inet proto icmp  from any  to <tbl.r0.dx>

# Rule  1 (em1,em0)
pass  log  quick on em1 inet proto tcp  from 192.168.2.232  to 192.168.2.80 port 443

block  quick inet  from any  to any no state

Stefan





From: David Gwynne l...@animata.net
To: David Schulz mailingli...@ironwhale.com
Cc: misc@openbsd.org
Sent: Tue, May 17, 2011 9:29:13 PM
Subject: Re: Routing Issue

hey david,

pf is run twice on packets going through a box, once before the network stack
and again as it leaves it. this means you have to allow a packet in one side
as well as when it goes out the other.

dlg

On 17/05/2011, at 10:16 PM, David Schulz wrote:

 Hi all,

 i have a LAN within a LAN and the setup is as follows:

 192.168.1.0/24 -- OpenBSD 4.9 Router with 2 NICS -- 10.1.0.0/21

 My goal is to get both Sides talking to each other (lets start with making
 them be able to ping each other). I got it working by using the following
 pf.conf, however i thought i should not need to have those match out
 statements, because OpenBSD routes packets between interfaces by default as
 long sysctl net.inet.ip.forwarding=1 is set.

 From inside my OpenBSD Box i can ping Devices on either Side just fine. From a
 machine sitting on either Side, i can ping the OpenBSD Box just fine. But i
 simply cannot get Side A Machines to talk to Side B Machines unless i
 uncomment the two below match out statements inside my pf.conf.

 If someone could share some insight, id be most thankful.

 regards,
 D

 Here my simplified pf.conf which again does not work unless i uncomment the
 two match out Rules:
  pf.conf
 int_if=sis0
 ext_if=sis1

 icmp_types = { echoreq, unreach }

 set require-order yes
 set block-policy return
 set optimization normal
 set loginterface $ext_if

 match in all scrub (no-df)

 set skip on lo

 #match out on $int_if from 192.168.1.0/24 to any nat-to ($int_if)
 #match out on $ext_if from 10.1.0.0/21 to any nat-to ($ext_if)

 block log all

 #Simplified for 'making it work purposes'
 pass out quick
 pass in quick

 antispoof quick for { lo0 $int_if $ext_if } inet

 # allow ICMP
 pass in quick on { $int_if $ext_if } inet proto icmp all icmp-type $icmp_types keep state
 

  route -n
 cndlne001'root(~) route -n show | grep default
 default            10.1.3.1           UGS        0    23106     -     8 sis0

 cndlne001'root(~) route -n show | grep 192.168.1
 192.168.1/24       link#2             UC         2        0     -     4 sis1



Source NAT using PF on OpenBSD 4.9

2011-05-16 Thread Stefan N
Hi All,

I have done some testing using PF on OpenBSD 4.9.
There are 2 tests:
1. Without NAT (successful)
2. With source NAT (not successful)

The diagram is

notebook <--> em0 [OpenBSD 4.9 PF] em1 <--> webserver (TCP/443)
em0 is 192.168.1.216/24
notebook is 192.168.1.21/24
em1 is 192.168.2.216/24
webserver is 192.168.2.80/24
IP alias for NAT on em1 is 192.168.2.232/32
ip forwarding on sysctl =1

Notebook's gateway is firewall internal IP: 192.168.1.216
Firewall's gateway is webserver :192.168.2.80
Webserver's gateway is firewall external IP: 192.168.2.216

I have tried to do source NAT testing to allow traffic from notebook to 
webserver so that the webserver knows that the incoming traffic is coming from 
192.168.2.232(NAT IP) instead of 192.168.1.21.
192.168.1.21 --> 192.168.2.232 --> 192.168.2.80

Unfortunately it hasn't worked at all. I have tried to monitor the traffic using 
tcpdump on em1 (external int), but no packets pass through em1 at all.

Below is the rule of the scenario above using NAT:
 
# Tables: (1)
table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 } 


# Rule  0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
match out on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232 


# Rule  backup ssh access rule
pass in   quick inet proto tcp  from 192.168.1.21  to <tbl.r0.d> port 22 
# 
# Rule  0 (em0) notebook access webserver
pass out  log  quick on em0 inet proto tcp  from 192.168.1.21  to 192.168.2.80 port 443 keep state ( max 1, max-src-conn 10 ) 

# 
# Rule  1
block  log  quick inet  from any  to any no state 
#block all
block  quick inet  from any  to any no state

What else is missing or isn't configured correctly? There was no error when I 
reloaded the rules using pfctl -f /etc/pf.conf

Thanks

Regards,
Stefan



Re: Source NAT using PF on OpenBSD 4.9

2011-05-16 Thread Stefan N
Hi Rodrigo,

I tried to change the rule
from: pass out  log  quick on em0 inet proto tcp  from 192.168.1.21  to 192.168.2.80 port 443 keep state ( max 1, max-src-conn 10 )

to: pass out log quick on em1 all

and it still doesn't work.

Stefan





From: Rodrigo Mosconi open...@mosconi.mat.br
To: Stefan N stefanbsd...@yahoo.com
Sent: Mon, May 16, 2011 9:25:55 PM
Subject: Re: Source NAT using PF on OpenBSD 4.9

2011/5/16 Stefan N stefanbsd...@yahoo.com:
 Hi All,

 I have done some testing using PF on OpenBSD 4.9.
 There are 2 tests:
 1. Without NAT (successful)
 2. With source NAT (not successful)

 The diagram is

 notebook <--> em0 [OpenBSD 4.9 PF] em1 <--> webserver (TCP/443)
 em0 is 192.168.1.216/24
 notebook is 192.168.1.21/24
 em1 is 192.168.2.216/24
 webserver is 192.168.2.80/24
 IP alias for NAT on em1 is 192.168.2.232/32
 ip forwarding on sysctl =1

 Notebook's gateway is firewall internal IP: 192.168.1.216
 Firewall's gateway is webserver :192.168.2.80
 Webserver's gateway is firewall external IP: 192.168.2.216

 I have tried to do source NAT testing to allow traffic from notebook to
 webserver so that the webserver knows that the incoming traffic is coming from
 192.168.2.232(NAT IP) instead of 192.168.1.21.
 192.168.1.21 --> 192.168.2.232 --> 192.168.2.80

 Unfortunately it hasn't worked at all. I have tried to monitor the traffic using
 tcpdump on em1 (external int), but no packets pass through em1 at all.

 Below is the rule of the scenario above using NAT:

 # Tables: (1)
 table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 }


 # Rule  0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
 match out on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232


 # Rule  backup ssh access rule
 pass in   quick inet proto tcp  from 192.168.1.21  to <tbl.r0.d> port 22
 #
 # Rule  0 (em0) notebook access webserver
 pass out  log  quick on em0 inet proto tcp  from 192.168.1.21  to 192.168.2.80 port 443 keep state ( max 1, max-src-conn 10 )

pass out log quick on em1 all

 #
 # Rule  1
 block  log  quick inet  from any  to any no state
 #block all
 block  quick inet  from any  to any no state

 What else is missing or isn't configured correctly? There was no error while I
 reload the rule using pfctl -f /etc/pf.conf

 Thanks

 Regards,
 Stefan



Re: Source NAT using PF on OpenBSD 4.9

2011-05-16 Thread Stefan N
Hi Hwei Woo,

I tried using em1 and it doesn't work.
I have tried to create ping test rules, pinging from em0 --> em1 and em1 --> em0, 
both without NAT, and it works perfectly. When I implement simple NAT, 
it doesn't work.


Regards,
Stefan



From: Han Hwei Woo h...@pce-net.com
To: misc@openbsd.org
Cc: Stefan N stefanbsd...@yahoo.com
Sent: Tue, May 17, 2011 3:34:32 AM
Subject: Re: Source NAT using PF on OpenBSD 4.9

On 5/16/2011 3:29 AM, Stefan N wrote:
 Hi All,

 I have done some testing using PF on OpenBSD 4.9.
 There are 2 tests:
 1. Without NAT (successful)
 2. With source NAT (not successful)

 The diagram is

 notebook <--> em0 [OpenBSD 4.9 PF] em1 <--> webserver (TCP/443)
 em0 is 192.168.1.216/24
 notebook is 192.168.1.21/24
 em1 is 192.168.2.216/24
 webserver is 192.168.2.80/24
 IP alias for NAT on em1 is 192.168.2.232/32
 ip forwarding on sysctl =1

 Notebook's gateway is firewall internal IP: 192.168.1.216
 Firewall's gateway is webserver :192.168.2.80
 Webserver's gateway is firewall external IP: 192.168.2.216

 I have tried to do source NAT testing to allow traffic from notebook to
 webserver so that the webserver knows that the incoming traffic is coming from
 192.168.2.232(NAT IP) instead of 192.168.1.21.
 192.168.1.21 --> 192.168.2.232 --> 192.168.2.80

 Unfortunately it hasn't worked at all. I have tried to monitor the traffic using
 tcpdump on em1 (external int), but no packets pass through em1 at all.

 Below is the rule of the scenario above using NAT:

 # Tables: (1)
 table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 }


 # Rule  0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
 match out on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232


 # Rule  backup ssh access rule
 pass in   quick inet proto tcp  from 192.168.1.21  to <tbl.r0.d> port 22
 #
 # Rule  0 (em0) notebook access webserver
 pass out  log  quick on em0 inet proto tcp  from 192.168.1.21  to 192.168.2.80 port 443 keep state ( max 1, max-src-conn 10 )

 #
 # Rule  1
 block  log  quick inet  from any  to any no state
 #block all
 block  quick inet  from any  to any no state

 What else is missing or isn't configured correctly? There was no error while I
 reload the rule using pfctl -f /etc/pf.conf

 Thanks

 Regards,
 Stefan


Based on your diagram, your outbound traffic and nat rule should be on 
em1 instead of em0. Outbound traffic on em0 would be traffic from the 
webserver going to the notebook.


Han
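Putting dlg's point from the Routing Issue thread (PF evaluates a forwarded packet twice, inbound on one interface and again outbound on the other) together with Han's point above (the nat-to has to sit on em1, where the packet leaves toward the webserver), this is a ruleset for Stefan's diagram. It is an added example, not a ruleset anyone in the thread posted; the addresses are the ones from the diagram, and it assumes the 192.168.2.232 alias is already configured on em1:

```pf
# Added example ruleset for Stefan's diagram; not posted by anyone in the thread.
#   notebook 192.168.1.21 -- em0 192.168.1.216 [OpenBSD 4.9 PF] em1 192.168.2.216 -- webserver 192.168.2.80
# Assumes the NAT alias 192.168.2.232 is already configured on em1.
int_if    = "em0"
ext_if    = "em1"
notebook  = "192.168.1.21"
webserver = "192.168.2.80"
nat_ip    = "192.168.2.232"

set skip on lo

# Default deny, logged to pflog0, so a missing rule shows up instead of failing silently.
block log all

# Leg 1: the packet arrives on em0.  PF evaluates it here first; without a
# pass rule on this side it is dropped and never reaches em1 at all.
pass in quick on $int_if inet proto tcp from $notebook to $webserver port 443
pass in quick on $int_if inet proto icmp from $notebook to $webserver icmp-type echoreq

# Leg 2: the packet leaves on em1.  This is the only place the source NAT can
# take effect ("match out on em0" would only see webserver -> notebook traffic).
# nat-to is attached to the pass rule itself; the state created here also
# matches the replies from the webserver and reverses the translation.
pass out quick on $ext_if inet proto tcp from $notebook to $webserver port 443 nat-to $nat_ip
pass out quick on $ext_if inet proto icmp from $notebook to $webserver icmp-type echoreq nat-to $nat_ip

# Management: ssh to the firewall's own em0 address from the notebook only.
pass in quick on $int_if inet proto tcp from $notebook to ($int_if) port 22
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -ss` for a state whose source has been rewritten to 192.168.2.232 and `tcpdump -n -e -ttt -i pflog0` for anything the `block log all` rule drops. The ruleset in the thread had no pass rule for port 443 on the inbound em0 leg, which would explain why tcpdump on em0 saw the SYN (bpf sees packets before PF drops them) while em1 saw nothing.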



Re: Creating release using site48.tgz

2011-05-12 Thread Stefan N
Hi Ingo,

I tried using install.site, sudoers and the backup script inside site48.tgz and it 
still didn't work as expected.
I then tried again to create site48.tgz with etc/rc.firsttime, /etc/sudoers and 
/etc/backup.sh inside.
For rc.firsttime, I wrote the command:
groupadd -g 1011 fwadmin and other commands

Once that was done, I made a bootable ISO file, tried installing it on the PC, and 
it works as expected.

Regards,
Stefan





From: Stefan N stefanbsd...@yahoo.com
To: Ingo Schwarze schwa...@usta.de
Cc: misc@openbsd.org
Sent: Tue, May 10, 2011 11:47:34 PM
Subject: Re: Creating release using site48.tgz

Hi Ingo,

Thanks a lot. I will try again.

Regards,
Stefanus





From: Ingo Schwarze schwa...@usta.de
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Tue, May 10, 2011 11:31:53 PM
Subject: Re: Creating release using site48.tgz

Hi Stefanus,

Stefan N wrote on Tue, May 10, 2011 at 08:11:53AM -0700:

 So what you meant is:
 I need to create the install.site script with the content of some
 commands that I made for rc.firsttime.

No, that is not what i meant and not what the FAQ says.
However, in your particular case, it might work as well,
given that you only want to run groupadd and useradd.
That will probably work even before the first reboot.

What the FAQ says is that the install.site script can write commands
to /etc/rc.firsttime, keeping any existing content, appending them
at the end, as in

  echo 'groupadd -g 1011 fwadmin' >> /etc/rc.firsttime

 After that I need to put install.site script inside site48.tgz?

Yes.

 I am quite confused with the explanation from FAQ.

Suggestions for improvement are always welcome; however, i don't see
anything right now that might cause confusion.

[...]
 For customized /etc/sudoers, I will add in inside site48.tgz.

Yes.

Yours,
  Ingo



Re: Creating release using site48.tgz

2011-05-10 Thread Stefan N
I was making the site48.tgz for testing and there is only /etc/rc.firsttime. 
There is a command line to create some new users for this purpose.

The next step was I put the site48.tgz on /home/OpenBSD/4.8/amd64 (the same 
folder where base48.tgz, etc48.tgz etc there) and make iso file using mkhybrid.

During the installation using the new iso file, the site48.tgz is displayed on 
the menu and I was able to include it as a set (by clicking +site48.tgz) and the 
installation was successful.

However, after I log in to the new system, the new users that I created (using 
some command line on /etc/rc.firsttime file inside site48.tgz) do not exist at 
all. I have tested /etc/rc.firsttime on another machine by copying rc.firsttime 
on /etc folder and reboot manually and it works normally.

Is there a way to check what went wrong here?

Below is the sample of the content of rc.firsttime:
#!/bin/ksh

#creating the detail for fwadmin account
groupadd -g 1011 fwadmin
useradd -p '$2a$06$rJ5kpL.4nZ.qQPHnbO' -u 1011 -s /bin/ksh -m -g fwadmin fwadmin

Regards,
Stefanus






From: Andrew Fresh and...@afresh1.com
To: misc@openbsd.org
Sent: Tue, May 10, 2011 8:40:28 AM
Subject: Re: Creating release using site48.tgz

On Mon, May 09, 2011 at 05:28:12PM -0700, Stefan N wrote:
 Thanks. By the way, I don't see the release directory inside the source 
 file (/usr/src) directory.
 Does it mean that I need to create the directory (mkdir /usr/release) first if my 
 source files are at /usr/src?

The release man page does describe creating RELEASEDIR

# mkdir -p ${DESTDIR} ${RELEASEDIR}

I generally set RELEASEDIR=/usr/release, but it can really be a path
anywhere you want your sets.  The important part is that site48.tgz is
in the same directory as the rest of the install sets.


l8rZ,
-- 
andrew - http://afresh1.com

Computer Science: solving today's problems tomorrow.



Re: Creating release using site48.tgz

2011-05-10 Thread Stefan N
Hi Ingo,

So what you meant is:
I need to create the install.site script with the content of some commands that 
I made for rc.firsttime.
After that I need to put install.site script inside site48.tgz?

I am quite confused with the explanation from FAQ.
In this case, I can create site48.tgz with the content of (install.site, 
sudoers 
etc etc)
For the install.site script , I can write some commands like:
#!/bin/ksh

#creating the detail for fwadmin account
groupadd -g 1011 fwadmin
useradd -p '$2a$06$rJ5kpL.4nZ.qQPHnbO' -u 1011 -s /bin/ksh -m -g fwadmin fwadmin

For customized /etc/sudoers, I will add in inside site48.tgz.

Regards,
Stefanus





From: Ingo Schwarze schwa...@usta.de
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Tue, May 10, 2011 10:50:58 PM
Subject: Re: Creating release using site48.tgz

Hi Stefanus,

Stefan N wrote on Tue, May 10, 2011 at 06:51:53AM -0700:

 I was making the site48.tgz for testing
 and there is only /etc/rc.firsttime. 

That's the one file you don't want to put in there.

[...]
 However, after I log in to the new system, the new users
 that I created (using some command line on /etc/rc.firsttime
 file inside site48.tgz) do not exist at all.

Quoting from

  http://www.openbsd.org/faq/faq4.html#site

  This will happen if install.site is used to append any such commands
  to an rc.firsttime(8) file (appending to this file is necessary since
  the installer itself may write to this file).

I guess your rc.firsttime was overwritten by the installer.

Yours,
  Ingo



Re: Creating release using site48.tgz

2011-05-10 Thread Stefan N
Hi Ingo,

Thanks a lot. I will try again.

Regards,
Stefanus





From: Ingo Schwarze schwa...@usta.de
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Tue, May 10, 2011 11:31:53 PM
Subject: Re: Creating release using site48.tgz

Hi Stefanus,

Stefan N wrote on Tue, May 10, 2011 at 08:11:53AM -0700:

 So what you meant is:
 I need to create the install.site script with the content of some
 commands that I made for rc.firsttime.

No, that is not what i meant and not what the FAQ says.
However, in your particular case, it might work as well,
given that you only want to run groupadd and useradd.
That will probably work even before the first reboot.

What the FAQ says is that the install.site script can write commands
to /etc/rc.firsttime, keeping any existing content, appending them
at the end, as in

  echo 'groupadd -g 1011 fwadmin' >> /etc/rc.firsttime

 After that I need to put install.site script inside site48.tgz?

Yes.

 I am quite confused with the explanation from FAQ.

Suggestions for improvement are always welcome; however, i don't see
anything right now that might cause confusion.

[...]
 For customized /etc/sudoers, I will add in inside site48.tgz.

Yes.

Yours,
  Ingo



Creating release using site48.tgz

2011-05-09 Thread Stefan N
Hi All,

The OpenBSD version that I am using is 4.8 and the default source file is at 
/usr/src

I was trying to make a new release using site48.tgz. I have plan to put 
/etc/pf.conf, /etc/rc.firsttime and /etc/backup.sh inside site48.tgz

Below is my steps:

1. I need to prepare /etc/rc.firsttime, /etc/pf.conf and /etc/backup.sh.
2. After that I compress it using tar and gzip:
tar -czf  site48.tgz pf.conf rc.firsttime backup.sh

3. Once site48.tgz is done, I will copy it inside /usr/src and follow the 
instructions to make a release (http://www.openbsd.org/faq/faq5.html#Release).

Are my steps correct?

Regards,
Stefan



Re: Creating release using site48.tgz

2011-05-09 Thread Stefan N
Hi Andrew,

Thanks. By the way, I don't see the release directory inside the source 
file(/usr/src) directory.
Does it mean that I need to create the directory (mkdir /usr/release) first if my 
source files are at /usr/src?

Regards.
Stefan





From: Andrew Fresh and...@afresh1.com
To: misc@openbsd.org
Sent: Tue, May 10, 2011 8:15:53 AM
Subject: Re: Creating release using site48.tgz

On Mon, May 09, 2011 at 04:59:17PM -0700, Stefan N wrote:
 Are my steps correct?

Close, but install sets are created in /usr/release and extracted
relative to root so you need something more like this:

tar -czf /usr/release/site48.tgz etc/pf.conf etc/rc.firsttime etc/backup.sh

Although I would also recommend creating site49.tgz and installing 4.9.

l8rZ,
-- 
andrew - http://afresh1.com

There are two ways to write error-free programs;
only the third one works.
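To put Ingo's two answers and Andrew's tar tip into one script: siteXX.tgz is packed with paths relative to / and placed in RELEASEDIR next to the other sets, it does not contain rc.firsttime, and its install.site appends to /etc/rc.firsttime instead. This is an added example, not a script from the thread or from OpenBSD; the staging directory, the placeholder contents of pf.conf and backup.sh, and the fwadmin account details are constructed for the demo. It also leaves the password hash out of useradd, because whatever goes into the set ends up on every ftp/http server or CD the sets are served from.

```shell
#!/bin/sh
# Added example (not from the thread): build a siteXX.tgz with paths relative
# to /, and ship an install.site that appends to /etc/rc.firsttime instead of
# shipping rc.firsttime itself (the installer overwrites that file).
# Every path and file body below is a constructed placeholder.
set -eu

# append_firsttime FILE LINE...: append LINE(s) to FILE, keeping what the
# installer may already have written there; never truncate it.
append_firsttime() {
    f=$1; shift
    [ -f "$f" ] || printf '#!/bin/sh\n' > "$f"
    for line in "$@"; do
        printf '%s\n' "$line" >> "$f"
    done
}

# write_install_site FILE: the hook the installer runs, chrooted into the new
# root, after the sets are extracted.  It defers the account setup to the
# first multi-user boot by appending to rc.firsttime (Ingo's echo >> idiom).
# No -p hash here: anything in the set is readable wherever the sets are served.
write_install_site() {
    cat > "$1" <<'EOF'
#!/bin/sh
# install.site: runs inside the newly installed system at the end of install.
# Append, do not replace: the installer itself writes to rc.firsttime.
cat >> /etc/rc.firsttime <<'RC'
groupadd -g 1011 fwadmin
useradd -u 1011 -g fwadmin -s /bin/ksh -m fwadmin
RC
EOF
    chmod 0755 "$1"
}

# build_site_set STAGE OUT: stage the files under STAGE and pack them from
# inside it, so members are "etc/pf.conf" (extracts to /etc/pf.conf), not
# "pf.conf" (which would land in /).  OUT must be an absolute path, e.g.
# ${RELEASEDIR}/site48.tgz so it sits next to base48.tgz and the other sets.
build_site_set() {
    stage=$1; out=$2
    mkdir -p "$stage/etc"
    printf 'block log all\n' > "$stage/etc/pf.conf"                # placeholder ruleset
    printf '#!/bin/sh\n# backup script placeholder\n' > "$stage/etc/backup.sh"
    chmod 0600 "$stage/etc/pf.conf"       # tar keeps the mode: ruleset root-only
    write_install_site "$stage/install.site"
    ( cd "$stage" && tar -czf "$out" install.site etc/pf.conf etc/backup.sh )
}

# site_set_members OUT: list what the set will extract, relative to /.
site_set_members() {
    tar -tzf "$1"
}

# Demo in a scratch directory (RELEASEDIR would be /usr/release on a build host).
demo=$(mktemp -d)
build_site_set "$demo/stage" "$demo/site48.tgz"
site_set_members "$demo/site48.tgz"
```

The member list printed at the end is the check worth doing before burning or uploading a set: every entry should start with `etc/` (or be `install.site`), and `rc.firsttime` should not appear in it.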



Re: Creating release using site48.tgz

2011-05-09 Thread Stefan N
Ok, I got it. The siteXX.tgz must be placed inside release directory.

Thanks.

Regards,
Stefan





From: Andrew Fresh and...@afresh1.com
To: misc@openbsd.org
Sent: Tue, May 10, 2011 8:40:28 AM
Subject: Re: Creating release using site48.tgz

On Mon, May 09, 2011 at 05:28:12PM -0700, Stefan N wrote:
 Thanks. By the way, I don't see the release directory inside the source 
 file(/usr/src) directory.
 Does it mean that I need to create the directory (mkdir /usr/release) first if my 
 source files are at /usr/src?

The release man page does describe creating RELEASEDIR

# mkdir -p ${DESTDIR} ${RELEASEDIR}

I generally set RELEASEDIR=/usr/release, but it can really be a path
anywhere you want your sets.  The important part is that site48.tgz is
in the same directory as the rest of the install sets.


l8rZ,
-- 
andrew - http://afresh1.com

Computer Science: solving today's problems tomorrow.



Re: Creating release using site48.tgz

2011-05-09 Thread Stefan N
Hi Stuart,

It sounds like that is the faster way instead of creating one from scratch.
Thanks!

Regards,
Stefan





From: Stuart Henderson s...@spacehopper.org
To: misc@openbsd.org
Sent: Tue, May 10, 2011 8:39:13 AM
Subject: Re: Creating release using site48.tgz

you don't need to build your own release for this, just put the siteXX.tgz
file with the base*.tgz man*.tgz and other files from a normal release on
an ftp/http server / burned CD / etc.


On 2011-05-09, Stefan N stefanbsd...@yahoo.com wrote:
 Hi All,

 The OpenBSD version that I am using is 4.8 and the default source file is at 
 /usr/src

 I was trying to make a new release using site48.tgz. I have plan to put 
 /etc/pf.conf, /etc/rc.firsttime and /etc/backup.sh inside site48.tgz

 Below is my steps:

 1. I need to prepare /etc/rc.firsttime, /etc/pf.conf and /etc/backup.sh.
 2. After that I compress it using tar and gzip:
 tar -czf  site48.tgz pf.conf rc.firsttime backup.sh

 3. Once site48.tgz is done, I will copy it inside /usr/src and follow the 
 instructions to make a release (http://www.openbsd.org/faq/faq5.html#Release).

 Are my steps correct?

 Regards,
 Stefan



Need Suggestion: To limit the access of root account

2011-04-28 Thread Stefan N
Hi All,

I would need some suggestions from you. Currently I am setting up an OpenBSD 
firewall using PF at my workplace.
However, some of my colleagues are not so familiar with OpenBSD and we would 
like to take turns doing that. I would like to limit the usage of and access 
to the root account.

I intend to give them 'more than enough' access to do their daily 
administrative tasks as firewall admins, like:
1. View/Configure IP address, subnet of network interface, VLAN and CARP
2. View/Configure default gateway and static route
3. View/Change the entry of DNS server IP
4. Configure syslog
5. Add/Remove PF rule
6. Backup/Restore
7. View traffic using tcpdump

Is it possible to make a CLI menu which appears to the fw admin after 
login, so that they can do their job?
Example:

OpenBSD/i386

login:bob
password:

Please select the task below:

1. View/Configure IP address, subnet of network interface, VLAN and CARP
2. View/Configure default gateway and static route
3. View/Change the entry of DNS server IP
4. Configure syslog
5. Add/Remove PF rule
6. Backup/Restore
7. View traffic using tcpdump
8. Logout

Or is there a better way to limit the usage and access of the root account by the fw 
admin?

My intention is: I would like to give the fw admin enough access to do their 
job in a simple way.

Thank you in advance.

Regards,
Stefan



Re: Need Suggestion: To limit the access of root account

2011-04-28 Thread Stefan N
Hi guys,

Noted and thanks for your suggestions.

Regards,
Stefan






From: Stefan N stefanbsd...@yahoo.com
To: misc@openbsd.org
Sent: Fri, April 29, 2011 10:52:32 AM
Subject: Need Suggestion: To limit the access of root account


Hi All,

I would need some suggestions from you. Currently I am setting up an OpenBSD 
firewall using PF at my workplace.
However, some of my colleagues are not so familiar with OpenBSD and we would 
like to take turns doing that. I would like to limit the usage of and access 
to the root account.

I intend to give them 'more than enough' access to do their daily 
administrative tasks as firewall admins, like:
1. View/Configure IP address, subnet of network interface, VLAN and CARP
2. View/Configure default gateway and static route
3. View/Change the entry of DNS server IP
4. Configure syslog
5. Add/Remove PF rule
6. Backup/Restore
7. View traffic using tcpdump

Is it possible to make a CLI menu which appears to the fw admin after 
login, so that they can do their job?
Example:

OpenBSD/i386

login:bob
password:

Please select the task below:

1. View/Configure IP address, subnet of network interface, VLAN and CARP
2. View/Configure default gateway and static route
3. View/Change the entry of DNS server IP
4. Configure syslog
5. Add/Remove PF rule
6. Backup/Restore
7. View traffic using tcpdump
8. Logout

Or is there a better way to limit the usage and access of the root account by the fw 
admin?

My intention is: I would like to give the fw admin enough access to do their 
job in a simple way.

Thank you in advance.

Regards,
Stefan 



Compiling OpenBSD source in order to get the customized 'uname' version.

2011-04-20 Thread Stefan N
Hi All,

I have a plan to do some testing to compile and build a release of OpenBSD from 
the source code.
My question is: which part of the source code do I need to modify 
in order to get and use my own customized 'uname' (e.g. TestBSD)?

# uname -a
TestBSD server.lab.com 1.0-RELEASE GENERIC.MP#0 amd64


Thank you in advance.

Regards,
Stefanus