Need some suggestions abt application inside chroot
Hi All,

I need some suggestions/feedback about applications on OpenBSD: whether they should or should not be installed inside a chroot environment. For example, the Apache web server is installed in a chroot environment by default. Are there specific guidelines to check and verify whether an application should or should not be installed in a chroot environment?

Many thanks.
Stefan
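Whatever the answer for a given application, the chroot itself should be checked before it goes live. The script below is an added example written for this page, not something from the thread or from any OpenBSD tool. It audits a chroot tree for the things that let a process inside it escalate or escape: setuid/setgid binaries, device nodes, world-writable directories without the sticky bit, and relative symlinks that climb above the root. The temporary tree it is tested against is constructed; point `audit_chroot` at a real tree such as /var/www (the default Apache chroot mentioned above).

```shell
#!/bin/sh
# Added example, not from the thread: audit a chroot tree for common escape
# and escalation aids. Works with POSIX find/sed on both OpenBSD and Linux.

# audit_chroot DIR: print one finding per line (nothing when the tree is clean).
audit_chroot() {
    root=$1

    # setuid/setgid files: a chroot is only as strong as the privileges inside it
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed 's|^|setuid/setgid: |'

    # device nodes: a raw disk, /dev/mem or a writable kmem inside the jail defeats it
    find "$root" \( -type b -o -type c \) 2>/dev/null \
        | sed 's|^|device node: |'

    # world-writable directories without the sticky bit: anyone can plant or replace files
    find "$root" -type d -perm -0002 ! -perm -1000 2>/dev/null \
        | sed 's|^|world-writable dir: |'

    # relative symlinks that climb out of the tree. Absolute targets resolve
    # inside the chroot at runtime; ../ chains matter when non-chrooted
    # tooling (backups, package installs) follows them.
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            ../*) echo "symlink climbing out: $link -> $target" ;;
        esac
    done
}

# chroot_findings_count DIR: number of findings, for use in a deploy gate.
chroot_findings_count() {
    audit_chroot "$1" | wc -l | tr -d ' '
}

# Example gate: refuse to start the service if the tree is not clean.
#   [ "$(chroot_findings_count /var/www)" -eq 0 ] || exit 1
```

The setuid and device-node checks are the ones to treat as hard failures; a world-writable directory is sometimes required by the application (Apache's own upload or lock directories) and then needs the sticky bit and a mount with nodev,nosuid rather than removal.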
Re: Diskless Install using PXEboot
Hi David,

You can set up a TFTP and DHCP server to install OpenBSD using PXE boot.

1. Set up the BIOS so that it will boot from the LAN as the first priority.

2. Download these two files:

       pxeboot
       bsd.rd   (rd stands for ramdisk)

   With these two files you need to set up a PXE boot environment.

3. Next, set up a DHCP server that recognizes the MAC address of the card and sets the options filename and next-server. This is an example for a Linux dhcpd:

       host app {
           hardware ethernet 00:00:AB:CD:EF:1A;
           fixed-address 192.168.1.100;
           filename "pxeboot";
           next-server 192.168.1.99;
       }

   Note: your next-server is a TFTP server serving the files /pxeboot and /bsd.rd.

4. Prepare the TFTP server for serving the files pxeboot and bsd.rd.

5. Activate only the TFTP option, set the directory to the one containing both of your files, and start it.

6. Now boot your machine with PXE enabled. Make sure your dhcpd is serving the right address and the right information (check for DHCPACK in the logs).

7. The filename option instructs your machine to load and run pxeboot, which is the first stage (somewhat equivalent to GRUB). Then, at the prompt, you may type bsd.rd and press enter. This file will also be downloaded from the TFTP server and will start the installation procedure.

8. Continue to install OpenBSD (disk partitioning etc.).

I hope it helps you.

Rgds,
Stefan

From: Li, David l...@cloudshield.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Thursday, November 10, 2011 6:58 AM
Subject: RE: Diskless Install using PXEboot

Hi Stefan,

No, the external storage is the DHCP server and the OpenBSD machine can NFS-mount the directories from the DHCP server once it's booted - this is my plan. I am new to BSD. I have done this in Linux (RedHat) but not sure if OpenBSD can be done the same way. In Redhat, I would have to install it on a disk first and then copy the directory structure, the kernel and ram disk file to the DHCP server.

David
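One step the procedure above leaves implicit: PXE, DHCP and TFTP carry no authentication, so the only place the kernel you boot can be checked is where you stage it into the TFTP root. OpenBSD ships a SHA256 file next to the sets (and, on releases since 5.5, a SHA256.sig that `signify -C` verifies). The script below is an added example for this page, not from the thread or from OpenBSD: it parses the `SHA256 (name) = hex` format, compares the digest, and only then copies the file into the TFTP directory. The sample file and digest in the test are constructed; the TFTP root path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: verify pxeboot/bsd.rd against the
# release SHA256 file before staging them for TFTP.

# sha256_of FILE: hex digest, using whichever tool this host has
# (sha256(1) on OpenBSD, sha256sum on Linux).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# expected_sum SHA256FILE NAME: digest recorded for NAME in an OpenBSD-style
# "SHA256 (name) = hex" list; prints nothing if NAME is not listed.
expected_sum() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')    # literal dots in the regex
    sed -n "s/^SHA256 ($name) = \([0-9a-f]\{64\}\)\$/\1/p" "$1"
}

# verify_bootfile SHA256FILE FILE:
#   0 = digest matches, 1 = digest differs, 2 = FILE is not listed at all
verify_bootfile() {
    want=$(expected_sum "$1" "$(basename "$2")")
    [ -n "$want" ] || return 2
    got=$(sha256_of "$2")
    [ "$got" = "$want" ]
}

# stage_bootfile SHA256FILE FILE TFTPROOT: copy only after the check passes.
# TFTPROOT (e.g. /tftpboot) is an assumption; use your tftpd's directory.
stage_bootfile() {
    if verify_bootfile "$1" "$2"; then
        cp "$2" "$3/"
    else
        echo "refusing to stage $2: digest check failed (rc=$?)" >&2
        return 1
    fi
}

# Typical use on the boot server, after fetching pxeboot, bsd.rd and SHA256
# from the mirror into the current directory:
#   stage_bootfile SHA256 pxeboot /tftpboot && stage_bootfile SHA256 bsd.rd /tftpboot
```

The digest check defends against a corrupted or substituted download; it does not help against a rogue DHCP or TFTP server on the boot LAN, which can still hand the client a different file. Keep the installation VLAN closed to untrusted hosts, or use a signed boot chain, for that case.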
Re: Diskless Install using PXEboot
Hi David,

As you intend to boot up OpenBSD via PXE, I assume that you have external storage. Will you install OpenBSD on the iSCSI storage?

Regards,
Stefan

From: Li, David l...@cloudshield.com
To: misc@openbsd.org
Sent: Thursday, November 10, 2011 5:34 AM
Subject: Diskless Install using PXEboot

Hi,

My goal is to use pxeboot to boot up a diskless x86_64 machine with OpenBSD. I am aware of this page: http://www.openbsd.org/faq/faq6.html#PXE and followed the instructions. The bsd.rd was successfully downloaded. But the kernel crashed on booting up. I might have missed some steps here prior to this. Do I need to install it on a disk first and then use the bsd.rd from the disk install? Can anyone give me any pointers?

Thanks.
David
Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF
Hi Hassan,

Okay thanks. I will try again.

Regards,
Stefan

From: Hassan Monfared hmonfa...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Wednesday, October 26, 2011 2:07 PM
Subject: Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF

Hi Stefan, there is no need for any change other than symon.conf. It's enough.
Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF
Hi Hassan,

Thanks. I'll try again.

Regards,
Stefanus

From: Hassan Monfared hmonfa...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: OpenBSD misc misc@openbsd.org
Sent: Wednesday, October 26, 2011 9:30 PM
Subject: Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF

Hi Stefan,

In my case symon, symux and syweb are all on the same machine; you can change 127.0.0.1 to your desired machine address.

--
$ cat /etc/symon.conf
monitor { cpu(0),cpu(1),cpu(2),cpu(3), mem, if(bnx0), if(bnx1), pf,pfq(bnx1), mbuf, sensor(cpu0.temp0),
# proc(httpd),
# if(xl0), if(de0), if(wi0),
io(sd0),df(sd0h) } stream to 127.0.0.1 2100
--
$ cat /etc/symux.conf
mux 127.0.0.1 2100
source 127.0.0.1 {
    accept { cpu(0),cpu(1),cpu(2),cpu(3), mem, if(bnx0), if(bnx1), pf,pfq(bnx1), mbuf, sensor(cpu0.temp0),
    # proc(httpd),
    # if(xl0), if(de0), if(wi0),
    io(sd0),df(sd0h) }
    datadir "/var/www/symon/rrds/localhost"
}
---

Don't forget to run the following commands (from the documentation):

    (cd /usr/ports/net/rrdtool && make install)
    make
    make install
    vi /etc/symux.conf /etc/symon.conf
    ~symon/symux/c_smrrds.sh all
    /usr/local/libexec/symux
    useradd -d /var/empty -L daemon -c 'symon Account' -s /sbin/nologin _symon
    /usr/local/libexec/symon

Regards,

On Wed, Oct 26, 2011 at 2:43 PM, Stefan N stefanbsd...@yahoo.com wrote:

Hi Hassan,

I could see the traffic going out (using tcpdump) from my OpenBSD machine with symon installed. I am in the midst of doing the configuration of symux, syweb and rrdtool on another machine (Linux). Do you have sample configurations of symux, syweb and rrdtool?

Thank you in advance.

Regards,
Stefan

From: Hassan Monfared hmonfa...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Wednesday, October 26, 2011 5:08 PM
Subject: Re: Question: c_config.sh and symon.conf on symon for OpenBSD PF

Sure, I can send my sample configuration to you if you need it.
Question: c_config.sh and symon.conf on symon for OpenBSD PF
Hi Guys,

This is the first time I have tried to install symon on OpenBSD, and my main goal is to monitor the OpenBSD interfaces, disk and CPU as well as PF statistics. As per the symon documentation on http://wpd.home.xs4all.nl/symon/documentation.html, the symon config file is located in /etc/symon.conf. However, I found another file (c_config.sh) that contains an example shell script for collecting interface and io information. Before I move forward to install and configure symux, I have the following doubts about symon.conf and the c_config.sh script.

My questions about symon:

1. Do I need to configure symon.conf only? Do I need to customize c_config.sh to meet my specific requirements, because the c_config.sh file collects interface and io information only?

2. The default location of the firewall rule file will be read from /etc/pf.conf. How do I change the setting if my firewall config is located in a different folder (for example /etc/fw/pf.conf)?

Thank you in advance.

Regards,
Stefan
Need suggestion about Firewall Reporter for OpenBSD PF
Hi guys,

Have you ever used a firewall reporting tool for OpenBSD PF which is able to do some comprehensive reporting, for example showing in a pie chart how many allowed and blocked connections there were based on services (http, https etc.), incoming and outgoing user traffic, destination, connection etc.? I found a firewall reporting tool, the Stonylake firewall reporting tool, but unfortunately OpenBSD PF is not on the supported list yet: http://www.stonylakesolutions.com/sls/about%20sfr.jsp

Thank you.

Rgds,
Stefan
Re: Need suggestion about Firewall Reporter for OpenBSD PF
Hi Erling,

Thanks. I will try and test it.

Regards,
Stefan

From: Erling Westenvik erling.westen...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Sent: Friday, October 14, 2011 7:46 AM
Subject: Re: Need suggestion about Firewall Reporter for OpenBSD PF

You might consider trying out hatchet 0.9.2 which is in ports/packages:

    $ sudo pkg_add -iv hatchet

I haven't tried it myself. Check http://www.dixongroup.net/hatchet/. It doesn't have pie charts or other nifty presentations, but it stores the pf logs in a sqlite database and it should be possible to extract the data and display statistics the way you like using suitable tools.

Regards,
Erling

On Fri, Oct 14, 2011 at 12:40 AM, Stefan N stefanbsd...@yahoo.com wrote:

Have you ever used a firewall reporting tool for OpenBSD PF which is able to do some comprehensive reporting, for example showing in a pie chart how many allowed and blocked connections there were based on services (http, https etc.), incoming and outgoing user traffic, destination, connection etc.? I found a firewall reporting tool, the Stonylake firewall reporting tool, but unfortunately OpenBSD PF is not on the supported list yet: http://www.stonylakesolutions.com/sls/about%20sfr.jsp

Thank you.

Rgds,
Stefan
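The numbers behind the "allowed vs blocked per service" chart asked for above can be pulled out of pflog directly, without a database in between. The script below is an added example for this page; it is neither from the thread nor part of hatchet. It works on the text form of the log, `tcpdump -n -e -ttt -r /var/log/pflog`, and assumes IPv4 (an IPv6 address.port does not split on dots the same way). The log lines embedded in it are constructed to match that format.

```shell
#!/bin/sh
# Added example, not from the thread: pass/block counts per destination port
# and the noisiest blocked sources, from the text form of pflog:
#     tcpdump -n -e -ttt -r /var/log/pflog > /tmp/pflog.txt

# Constructed sample in tcpdump's pflog format (not real traffic).
SAMPLE_PFLOG=$(cat <<'EOF'
Oct 14 00:40:01.000001 rule 3/(match) pass in on em0: 192.168.1.21.51234 > 192.168.2.80.443: S 1:1(0) win 65535
Oct 14 00:40:02.000002 rule 3/(match) pass in on em0: 192.168.1.22.51235 > 192.168.2.80.443: S 1:1(0) win 65535
Oct 14 00:40:03.000003 rule 7/(match) block in on em1: 203.0.113.9.40000 > 50.50.50.59.22: S 1:1(0) win 1024
Oct 14 00:40:04.000004 rule 7/(match) block in on em1: 203.0.113.9.40001 > 50.50.50.59.23: S 1:1(0) win 1024
Oct 14 00:40:05.000005 rule 1/(match) pass in on em1: 198.51.100.4.5555 > 50.50.50.59.80: S 1:1(0) win 8192
Oct 14 00:40:06.000006 rule 7/(match) block in on em1: 203.0.113.9 > 50.50.50.59: icmp: echo request
EOF
)

# summarize_pflog FILE: one line per "port action count", e.g. "443 pass 2".
# Port "-" means the packet carried no port (ICMP).
summarize_pflog() {
    awk '
    $4 == "rule" && ($6 == "pass" || $6 == "block") {
        dst = $12; sub(/:$/, "", dst)        # "192.168.2.80.443:" -> "192.168.2.80.443"
        n = split(dst, p, ".")
        port = (n == 5) ? p[5] : "-"         # IPv4 addr.port has five dotted parts
        count[port " " $6]++
    }
    END { for (k in count) print k, count[k] }
    ' "$1" | sort -k1,1n -k2,2
}

# blocked_sources FILE: source addresses ranked by blocked packets; the
# first thing to look at when the "blocked" slice grows.
blocked_sources() {
    awk '
    $4 == "rule" && $6 == "block" {
        n = split($10, p, ".")
        print (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : $10
    }' "$1" | sort | uniq -c | sort -rn
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_PFLOG" > "$tmp"
echo "== per destination port =="; summarize_pflog "$tmp"
echo "== blocked sources =="; blocked_sources "$tmp"
rm -f "$tmp"
```

Both functions count log records, not connections: a rule without `log` produces nothing, and a `log (all)` rule logs every packet of a flow rather than the first one, so the ratio between pass and block is only meaningful when the rules log consistently.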
Re: Help setting up a PF NAT gateway
Okay. If you're going to give internet users access to a system inside your LAN/DMZ (e.g. a web server), you will need to do NAT. If you want a server which is configured with a private IP address to be reachable by internet users, you will need NAT. The way you do NAT might depend on your network infra setup and how you design and plan the traffic flow.

IP aliasing is associating more than one IP address with a network interface. With this, one node on a network can have multiple connections to a network, each serving a different purpose. Now I will explain with an example so that you can visualize it in a better way:

I have a web server with IP address 192.168.1.100. My firewall has 2 NICs, one internal (192.168.1.1) and one external using a public IP (50.50.50.59). I would like to allow users from the internet to access my web server. Since I configured the web server using a private IP, internet users can not access my web server directly; that is why NAT is needed. For this example I have 2 scenarios for doing NAT.

1. If I have a limited number of public IP addresses assigned to me by the ISP, any http traffic from the internet accessing the firewall's external IP address will be redirected to my web server:

       internet user port 80 --- FW ext IP address --> Web server

   In this case I don't need to use an additional IP address as an alias, because internet users will access my website via http://50.50.50.59 and the traffic will be redirected to the web server which is located inside the LAN (192.168.1.100).

2. If I have a spare public IP address, this is where an IP alias can play a role. I have another public IP (let's say 50.50.50.58) and I would like to assign it to the web server. The web server is still located inside my LAN with IP 192.168.1.100. But I want to assign the IP 50.50.50.58 only for application server services, because I don't want to mix it up with firewall services. So the same concept applies here: any http traffic from the internet accessing IP 50.50.50.58 will be redirected to my web server:

       internet user port 80 --- 50.50.50.58 --> Web server

   As 50.50.50.58 and 50.50.50.59 are within the same subnet (and also assigned to my business by the ISP), I need to assign it on the external firewall interface. If I didn't assign it on the external firewall interface, the incoming http traffic would not be able to pass through, because neither router nor firewall knows how and where to redirect the incoming packet, and neither router nor firewall takes ownership of 50.50.50.58 although 50.50.50.58 is assigned to my business by the ISP. By assigning 50.50.50.58 on the external firewall interface as an IP alias, the firewall will know how and where to redirect the incoming traffic. When the http traffic to 50.50.50.58 comes in, the firewall will take ownership, check the routing table, and then the PF engine will check from the rule list whether the incoming traffic to the web server is allowed or not. Once the rule is matched, the packet will be redirected to the destination.

You can do the same by creating a rule for an email server etc.:

       internet user port 25 --- 50.50.50.58 --> my email server

The same IP alias concept also applies if you want to implement many-to-one NAT, for example to allow your LAN users internet access. You can use an IP alias or use the firewall's ext int IP as the NAT IP. All depends on how your infra is configured and planned.

In which scenario is your setup? If you're using the 1st scenario, you don't need to use an IP alias, because the external IP address of the firewall which is accessed by the public users for http traffic belongs to the firewall. If you use the 2nd scenario, you will need an IP alias configured on the ext firewall interface. Please also check the routing table in the router and the default gateway on your destination node.

I hope it helps.

Regards,
Stefan

From: Stefan Midjich sweh...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Tuesday, October 11, 2011 1:25 PM
Subject: Re: Help setting up a PF NAT gateway

No I was not aware of this. Could you please explain the meaning of an alias address on the external interface for NAT? There is no mention of using an alias for NAT in this document for example http://www.openbsd.org/faq/pf/nat.html Just to be clear, I already have an external and internal physical interface to work with, so I am unclear as to why I need an alias.
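The two scenarios above, written as a pf.conf fragment in the OpenBSD 4.7-and-later syntax where translation is an option on a pass rule. This is an added example for this page, not part of the thread or of the PF FAQ it links. It assumes em0 is the external and em1 the internal interface and uses the addresses from the explanation; the alias for scenario 2 is assumed to be configured in /etc/hostname.em0 as `inet alias 50.50.50.58 255.255.255.255`.

```pf
# Added example, not from the thread. Interfaces and the alias line above are
# assumptions; addresses are the ones used in the explanation.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.168.1.100"
fw_ext  = "50.50.50.59"     # the firewall's own external address
web_pub = "50.50.50.58"     # spare public address, alias on $ext_if

set skip on lo
block log all               # default deny, logged to pflog0

# Scenario 1: one public address. Port 80 on the firewall's own address is
# redirected to the web server; every other port on $fw_ext stays closed.
pass in on $ext_if inet proto tcp from any to $fw_ext port 80 rdr-to $web_srv

# Scenario 2: a dedicated public address (the alias). Nothing on it is served
# by the firewall itself, so only the redirected ports are opened.
pass in on $ext_if inet proto tcp from any to $web_pub port { 80 443 } rdr-to $web_srv

# The redirected packet is evaluated a second time as it leaves $int_if
# (pf runs on both interfaces), so it needs a pass out as well.
pass out on $int_if inet proto tcp from any to $web_srv port { 80 443 }

# Many-to-one NAT for the LAN. ($ext_if) follows the interface address at
# runtime; use $web_pub here instead if outbound traffic should use the alias.
pass in  on $int_if inet from $int_if:network to any
pass out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Traffic the firewall itself originates.
pass out on $ext_if inet from ($ext_if) to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The alias makes the firewall answer ARP for 50.50.50.58 on the external segment; if the ISP's router does not hand packets for that address to this segment, no pf rule will make them arrive.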
Re: Help setting up a PF NAT gateway
Hi Stefan,

As you mentioned, IP forwarding is already enabled on your system. Have you configured the IP alias on the network interface for the NAT purpose? If the NAT is done on the external interface then you'll need to add the IP alias in /etc/hostname.vic2. Please read the guide from the OpenBSD URL below:

http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html

Sample hostname.if config with IP alias: A typical file contains only one line, but more extensive files are possible, for example:

    inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description Uplink
    inet alias 10.0.1.13 255.255.255.255 10.0.1.13
    inet alias 10.0.1.14 255.255.255.255 NONE
    inet alias 10.0.1.15 255.255.255.255
    inet alias 10.0.1.16 0x
    # This is an example comment line.
    inet6 alias fec0::1 64
    inet6 alias fec0::2 64 anycast
    !route add 65.65.65.65 10.0.1.13
    up

I hope it helps.

Regards,
Stefan

From: Stefan Midjich sweh...@gmail.com
To: Mark (obsd) openbsd-l...@nerdish.us
Cc: misc@openbsd.org
Sent: Tuesday, October 11, 2011 2:06 AM
Subject: Re: Help setting up a PF NAT gateway

Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far.

2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:

Hi Stefan,

On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:

Simplest of things but I'm failing miserably. ... With tcpdump I can see packets going to vic3, but no further.

Do you definitely have forwarding enabled?

    # sysctl net.inet.ip.forwarding
    net.inet.ip.forwarding=1

If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf to enable forwarding if you haven't.

Regards,
Mark

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Problem with installing OpenBSD
What is the problem? Can you share with us the details of the problems you are facing? Did you install via network or CD? Which type of CD installation did you use?

Regards,
Stefan

From: Sales - OrangeWebsite.com sa...@orangewebsite.com
To: misc@openbsd.org
Sent: Thursday, September 29, 2011 10:07 AM
Subject: Problem with installing OpenBSD

Hey,

We are experiencing a problem with installing OpenBSD on our VPS servers. We'd hope you could provide us some assistance on how we could fix this. You can see our VPS details here at http://www.orangewebsite.com/docs/vps.php.

Best greetings,
- Henry K. Johannes
Orangewebsite.com - 'Your solid business partner'
Time interval based pf rule
Hi all,

Does the OpenBSD PF engine have a feature to create time-interval-based rules? I have tried to do that but I could not find any relevant documentation. Are time-interval-based rules supported on OpenBSD PF?

Regards,
Stefan
Re: Time interval based pf rule
Hi Jim,

If I use an anchor to create pf rules, that means there is another configuration that needs to be taken care of. Besides /etc/pf.conf, we need to take care of and maintain the crontab for scheduling.

Regards,
Stefan

From: James Hartley jjhart...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Friday, September 2, 2011 7:47 PM
Subject: Re: Time interval based pf rule

On Fri, Sep 2, 2011 at 4:21 AM, Stefan N stefanbsd...@yahoo.com wrote:

Does the OpenBSD PF engine have a feature to create time-interval-based rules?

See how to dynamically add rules via anchors: http://www.openbsd.org/faq/pf/anchors.html ... scheduling scripts via crontab(5).

Jim
Re: Time interval based pf rule
Actually I would like to limit the access during office hours. So a time-interval-based rule means: a user is only allowed to access a specific application and destination within the time interval. For example: Finance Department users are only allowed to access the Facebook website after office hours (from 6 PM onwards) and only on Friday. If I didn't add the time interval, they could spend their time browsing and chatting on Facebook instead of working.

What do you mean by one-hit rules?

Regards,
Stefan

From: Christiano F. Haesbaert haesba...@openbsd.org
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Friday, September 2, 2011 8:14 PM
Subject: Re: Time interval based pf rule

On 2 September 2011 09:11, Stefan N stefanbsd...@yahoo.com wrote:

Hi Jim, If I use an anchor to create pf rules, that means there is another configuration that needs to be taken care of. Besides /etc/pf.conf, we need to take care of and maintain the crontab for scheduling.

What are you trying to accomplish with timer based rules? Recently one-hit rules were added; depending on your problem that might solve it.
Re: Time interval based pf rule
Okay guys. Thanks for the suggestion.

Regards,
Stefan

From: Christiano F. Haesbaert haesba...@openbsd.org
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Friday, September 2, 2011 8:34 PM
Subject: Re: Time interval based pf rule

On 2 September 2011 09:26, Stefan N stefanbsd...@yahoo.com wrote:

Actually I would like to limit the access during office hours. So a time-interval-based rule means: a user is only allowed to access a specific application and destination within the time interval. For example: Finance Department users are only allowed to access the Facebook website after office hours (from 6 PM onwards) and only on Friday. If I didn't add the time interval, they could spend their time browsing and chatting on Facebook instead of working. What do you mean by one-hit rules?

Rules that get destroyed after a first match, but that's not what you want. Anchors + crontab as Peter suggested is an easy alternative.
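The anchors-plus-crontab approach the thread settles on, worked through for the Friday-after-18:00 policy Stefan describes. This is an added example for this page, not code from the thread or from OpenBSD. Everything it relies on is an assumption: /etc/pf.conf holds a `block out` rule for the Finance network to the Facebook table followed by an `anchor "afterhours"` line (the anchor must come after the block rule so that a matching pass inside it is the last match and wins), 192.168.1.0/24 stands for the Finance department, /etc/pf/facebook.addrs lists the destination prefixes, and the script is installed as /usr/local/sbin/afterhours.sh.

```shell
#!/bin/sh
# Added example, not from the thread: /usr/local/sbin/afterhours.sh
# Assumed /etc/pf.conf lines (the anchor is evaluated after the block):
#     table <facebook> persist file "/etc/pf/facebook.addrs"
#     block out on egress inet proto tcp from 192.168.1.0/24 to <facebook>
#     anchor "afterhours"
# Assumed root crontab:
#     0 18 * * 5  /usr/local/sbin/afterhours.sh open
#     0  0 * * 6  /usr/local/sbin/afterhours.sh close
# With no argument the state is derived from the clock, so the same script
# can run from /etc/rc.local to catch up after a reboot.

ANCHOR=afterhours
FINANCE_NET=192.168.1.0/24            # assumption: the Finance department
FACEBOOK_FILE=/etc/pf/facebook.addrs  # assumption: one prefix per line

# window_state DAY HOUR: the policy from the thread. DAY is 0-6 as printed
# by date +%w (5 = Friday), HOUR is 0-23. Prints "open" or "closed".
window_state() {
    if [ "$1" -eq 5 ] && [ "$2" -ge 18 ]; then
        echo open
    else
        echo closed
    fi
}

# anchor_rules STATE: the rule set to load into the anchor. "closed" is an
# empty set, which leaves only the block rule in pf.conf in force. The
# tables are (re)defined inside the anchor so the loaded set is self-contained.
anchor_rules() {
    if [ "$1" = open ]; then
        cat <<EOF
table <finance> { $FINANCE_NET }
table <facebook> persist file "$FACEBOOK_FILE"
pass out on egress inet proto tcp from <finance> to <facebook> port { 80 443 }
EOF
    fi
}

# apply_state STATE: load the anchor (needs root). Loading an empty set
# clears it, but states created while the window was open outlive the
# rules, so they are killed explicitly on close.
apply_state() {
    anchor_rules "$1" | pfctl -a "$ANCHOR" -f -
    if [ "$1" = closed ]; then
        pfctl -k "$FINANCE_NET" >/dev/null
    fi
}

main() {
    if [ -n "$1" ]; then
        state=$1
    else
        hour=$(date +%H); hour=${hour#0}     # "09" -> 9 so test(1) sees decimal
        state=$(window_state "$(date +%w)" "$hour")
    fi
    apply_state "$state"
}

case "$(basename -- "$0")" in
    afterhours.sh) main "$@" ;;
esac
```

`pfctl -sr -a afterhours` shows what is currently loaded in the anchor, which is the first thing to check when the window does not seem to take effect. Killing the Finance states on close is the part most such scripts forget: without it, a session opened at 17:59 on Friday keeps working after midnight because pf never re-evaluates an established state against the rules.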
Re: static IP
First, check the syntax, referring to the hostname.if(5) OpenBSD manual page. Did you configure it during the installation process or after the installation process was done? What do you mean by "giving you login and password"? Which user did you use to configure the IP address? Did you log in as root or as another user and use sudo to configure it?

From: igor denisov denisovigor1...@rambler.ru
To: misc@openbsd.org
Sent: Wednesday, August 31, 2011 6:04 PM
Subject: static IP

Cannot configure internet with static IP address: hostname.fc0 "inet IP mask" and nothing works. They gave me login and password, maybe this is the case?

--
igor denisov.
Gigabit Ethernet Controller compatibility with OpenBSD 4.9
Hi All,

Has anyone of you ever installed OpenBSD 4.9 (i386/amd64 platform) on a machine using one of the following Gigabit Ethernet controllers?

1. Realtek 8111C Gigabit Ethernet Controller
2. Intel 82574L Gigabit Ethernet Controller
3. Intel 82567V Gigabit Ethernet Controller
4. Intel 82583V Gigabit Ethernet Controller
5. Intel 82574E Gigabit Ethernet Controller
6. Intel 82576 Gigabit Ethernet Controller
7. Intel 82599ES 10 Gigabit Ethernet Controller

Is there any compatibility issue? The reason I am asking is because the gigabit and 10G ethernet controllers mentioned above are not listed on:

http://www.openbsd.org/i386.html
http://www.openbsd.org/amd64.html

Regards,
Stefan
Question: IP NAT syntax on CARP interface
Hi guys,

I am in the midst of configuring OpenBSD 4.9 PF using IP balancing and an active-passive solution. Every interface was configured successfully but I hit a problem when I go to add an IP alias/NAT IP on a carp interface.

1) For the active-passive scenario: let's say I am going to configure the carp1 interface and I edit /etc/hostname.carp1 with 172.16.2.216 as the virtual IP and 172.16.2.222 as the NAT IP:

    inet 172.16.2.216 255.255.255.0 172.16.2.255 vhid 2 advbase 20 advskew 0 carpdev em1 pass p455w0rd
    inet 172.16.2.222 255.255.255.255 vhid 2 advbase 20 advskew 0 carpdev em1 pass p455w0rd

Then I save the config and restart the carp1 interface:

    sh /etc/netstart carp1

but the output is: ifconfig: vhid: bad value.

2) For the IP balancing scenario, carp1 will have the virtual IP and some NAT IP addresses. Let's say I am going to configure the carp1 interface and I edit /etc/hostname.carp1 with 172.16.1.216 as the virtual IP and 172.16.1.222 as the NAT IP:

    inet 172.16.1.216 255.255.255.0 172.16.1.255 balancing ip carpnodes 3:0,4:100 pass p455w0rd
    inet 172.16.1.222 255.255.255.255 balancing ip carpnodes 3:0,4:100 pass p455w0rd

Then I save the config and restart the carp1 interface:

    sh /etc/netstart carp1

but the output is: ifconfig: balancing: bad value.

What is the right syntax to configure and add a NAT IP on a carp interface? Is the concept of adding NAT IP(s) on carp interface(s) in active-active and IP balancing scenarios correct?

Thank you in advance.
Stefan
Re: what's with Open Source Fanshop - CDs T-shirts
Hi Cheng,

Perhaps the owner of the domain and website configured the website to do URL redirection to www.openbsd.org. You can follow up with the registration service provider below:

    Domain Name: OSWEBSHOP.COM
    Registrar: TUCOWS.COM CO.
    Whois Server: whois.tucows.com
    Referral URL: http://domainhelp.opensrs.net
    Name Server: NS1.R4L.COM
    Name Server: NS2.R4L.COM
    Status: clientTransferProhibited
    Status: clientUpdateProhibited
    Updated Date: 23-mar-2011
    Creation Date: 23-oct-2008
    Expiration Date: 23-oct-2011
    Last update of whois database: Wed, 15 Jun 2011 04:49:53 UTC

    Queried whois.tucows.com with oswebshop.com...

    Registrant:
    NA
    5802 Bob Bullock C1 Unit 328C-195
    Laredo, TX 78041-8813
    US

    Domain name: OSWEBSHOP.COM

    Registration Service Provider:
    Register4less, supp...@r4l.com
    (514) 905-6500
    http://register4less.com

Stefan

From: CHENG ACHENG bsdp...@gmail.com
To: misc@openbsd.org
Sent: Wed, June 15, 2011 11:14:12 AM
Subject: what's with Open Source Fanshop - CDs T-shirts

Hello list,

I tried to order T-shirts and a CD set from Open Source Fanshop (http://www.oswebshop.com/), but found it's been down for quite some time. Now its URL is pointing to www.openbsd.org. Does anybody know what's going on with this site?

thanks,
Alan Cheng
Re: Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710
Hi guys,

Thank you so much for all of the replies.

Regards,
Stefan

From: Paul de Weerd we...@weirdnet.nl
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Wed, June 8, 2011 5:42:04 PM
Subject: Re: Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710

On Tue, Jun 07, 2011 at 08:49:50PM -0700, Stefan N wrote:
| Hi All,
|
| Have you ever tried to install OpenBSD 4.9/amd64 on the Dell PowerEdge Server
| R210,R410,R610,R710 (2.5 SAS Disk) with additional Intel Gigabit ET Quad Port
| Server Adapter? If yes, are those servers fully compatible with OpenBSD
| 4.9/amd64?

Anyone with a dmesg for the newer Dell PowerEdge R210 II? The below is for a 'regular' R210 (yes, I need to upgrade that machine).

Paul 'WEiRD' de Weerd

OpenBSD 4.8-current (GENERIC.MP) #433: Thu Sep 30 00:20:40 MDT 2010
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3210317824 (3061MB)
avail mem = 3111002112 (2966MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xbf79c000 (63 entries)
bios0: vendor Dell Inc. version 1.3.4 date 05/24/2010
bios0: Dell Inc. PowerEdge R210
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET DMAR MCFG WDAT SLIC ERST HEST BERT EINJ TCPA SSDT
acpi0: wakeup devices PCI0(S5) USBA(S0) USBB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2394.27 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 132MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2393.98 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2393.98 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2393.98 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG
cpu3: 256KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (LYD0)
acpiprt2 at acpi0: bus -1 (LYD2)
acpiprt3 at acpi0: bus -1 (HVD0)
acpiprt4 at acpi0: bus -1 (HVD2)
acpiprt5 at acpi0: bus 2 (PEX0)
acpiprt6 at acpi0: bus -1 (PEX4)
acpiprt7 at acpi0: bus -1 (PEX5)
acpiprt8 at acpi0: bus 3 (COMP)
acpicpu0 at acpi0: C3, C1
acpicpu1 at acpi0: C3, C1
acpicpu2 at acpi0: C3, C1
acpicpu3 at acpi0: C3, C1
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core DMI" rev 0x11
ppb0 at pci0 dev 3 function 0 "Intel Core PCIE" rev 0x11: apic 0 int 16 (irq 0)
pci1 at ppb0 bus 1
"Intel Core Management" rev 0x11 at pci0 dev 8 function 0 not configured
"Intel Core Scratch" rev 0x11 at pci0 dev 8 function 1 not configured
"Intel Core Control" rev 0x11 at pci0 dev 8 function 2 not configured
"Intel Core Misc" rev 0x11 at pci0 dev 8 function 3 not configured
"Intel Core QPI Link" rev 0x11 at pci0 dev 16 function 0 not configured
"Intel Core QPI Routing" rev 0x11 at pci0 dev 16 function 1 not configured
ehci0 at pci0 dev 26 function 0 "Intel 3400 USB" rev 0x05: apic 0 int 22 (irq 14)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb1 at pci0 dev 28 function 0 "Intel 3400 PCIE" rev 0x05
pci2 at ppb1 bus 2
bnx0 at pci2 dev 0 function 0 "Broadcom BCM5716" rev 0x20: apic 0 int 16 (irq 15)
bnx1 at pci2 dev 0 function 1 "Broadcom BCM5716" rev 0x20: apic 0 int 17 (irq 10)
ehci1 at pci0 dev 29 function 0 "Intel 3400 USB" rev 0x05: apic 0 int 22 (irq 14)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xa5
pci3 at ppb2 bus 3
vga1 at pci3 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 "Intel 3420 LPC" rev 0x05
ahci0 at pci0 dev 31 function 2 "Intel 3400 AHCI" rev 0x05: apic 0 int 20 (irq 11), AHCI
Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710
Hi All,

Have you ever tried to install OpenBSD 4.9/amd64 on the Dell PowerEdge Server R210, R410, R610, R710 (2.5 SAS Disk) with an additional Intel Gigabit ET Quad Port Server Adapter? If yes, are those servers fully compatible with OpenBSD 4.9/amd64?

Regards, Stefan
Re: Routing Issue
Hey David,

I was doing testing with more or less the same scenario as yours and having the source NAT issue. Below is my diagram.

There are 2 scenarios that I did:
1. without NAT (successful) - can ping from notebook -- webserver, notebook can access webserver/tcp-443 successfully
2. with source NAT (not successful)

The diagram is:

    notebook--em0[OpenBSD 4.9 PF]em1--webserver(TCP/443)

Detail:
    em0 is 192.168.1.216/24
    notebook is 192.168.1.21/24
    em1 is 192.168.2.216/24
    webserver is 192.168.2.80/24
    IP alias for source NAT on em1 is 192.168.2.232/32
    ip forwarding on sysctl = 1
    Notebook's gateway is firewall internal IP: 192.168.1.216
    Firewall's gateway is webserver: 192.168.2.80
    Webserver's gateway is firewall external IP: 192.168.2.216

I have tried to do source NAT testing to allow traffic from notebook to webserver using source NAT on em1:

    192.168.1.21 -- 192.168.2.232 -- 192.168.2.80

For the routing table, I don't have other static routes, only the default gateway which is pointing to 192.168.2.80 (webserver). Unfortunately it hasn't worked at all. I have tried to monitor the traffic using:
1. tcpdump on em1 (external int), but there are no packets passing through em1 at all.
2. tcpdump on em0 (internal int): there are some packets from 192.168.1.21 to 192.168.2.80 (SYN) but no reply at all from webserver.
Below is the rule of the scenario above using NAT:

    # Tables: (2)
    table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 }
    table <tbl.r0.dx> { 192.168.1.216 , 192.168.2.80 , 192.168.2.216 }
    #
    # Rule 0 (NAT)
    match out on em1 proto { tcp udp icmp } from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
    # ssh access rule
    pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22 label "RULE -1 -- ACCEPT"
    #
    # Rule 0
    pass log quick on { em0 em1 } inet proto icmp from any to <tbl.r0.dx>
    # Rule 1 (em1,em0)
    pass log quick on em1 inet proto tcp from 192.168.2.232 to 192.168.2.80 port 443
    block quick inet from any to any no state

Stefan

From: David Gwynne l...@animata.net
To: David Schulz mailingli...@ironwhale.com
Cc: misc@openbsd.org
Sent: Tue, May 17, 2011 9:29:13 PM
Subject: Re: Routing Issue

hey david,

pf is run twice on packets going through a box, once before the network stack and again as it leaves it. this means you have to allow a packet in one side as well as when it goes out the other.

dlg

On 17/05/2011, at 10:16 PM, David Schulz wrote:

Hi all,

i have a LAN within a LAN and the setup is as follows:

    192.168.1.0/24 -- OpenBSD 4.9 Router with 2 NICS -- 10.1.0.0/21

My goal is to get both Sides talking to each other (lets start with making them be able to ping each other). I got it working by using the following pf.conf, however i thought i should not need to have those match out statements, because OpenBSD routes packets between interfaces by default as long as sysctl net.inet.ip.forwarding=1 is set. From inside my OpenBSD Box i can ping Devices on either Side just fine. From a machine sitting on either Side, i can ping the OpenBSD Box just fine. But i simply cannot get Side A Machines to talk to Side B Machines unless i uncomment the two below match out statements inside my pf.conf. If someone could share some insight, id be most thankful.
regards, D

Here my simplified pf.conf which again does not work unless i uncomment the two match out Rules:

pf.conf:
    int_if=sis0
    ext_if=sis1
    icmp_types = "{ echoreq, unreach }"
    set require-order yes
    set block-policy return
    set optimization normal
    set loginterface $ext_if
    match in all scrub (no-df)
    set skip on lo
    #match out on $int_if from 192.168.1.0/24 to any nat-to ($int_if)
    #match out on $ext_if from 10.1.0.0/21 to any nat-to ($ext_if)
    block log all
    #Simplified for 'making it work purposes'
    pass out quick
    pass in quick
    antispoof quick for { lo0 $int_if $ext_if } inet
    # allow ICMP
    pass in quick on { $int_if $ext_if } inet proto icmp all icmp-type $icmp_types keep state

route -n:
    cndlne001'root(~) route -n show | grep default
    default          10.1.3.1     UGS    0    23106    -    8    sis0
    cndlne001'root(~) route -n show | grep 192.168.1
    192.168.1/24     link#2       UC     2    0        -    4    sis1
Source NAT using PF on OpenBSD 4.9
Hi All,

I have done some testing using PF on OpenBSD 4.9. There are 2 tests:
1. without NAT (successful)
2. with source NAT (not successful)

The diagram is:

    notebook--em0[OpenBSD 4.9 PF]em1--webserver(TCP/443)

    em0 is 192.168.1.216/24
    notebook is 192.168.1.21/24
    em1 is 192.168.2.216/24
    webserver is 192.168.2.80/24
    IP alias for NAT on em1 is 192.168.2.232/32
    ip forwarding on sysctl = 1
    Notebook's gateway is firewall internal IP: 192.168.1.216
    Firewall's gateway is webserver: 192.168.2.80
    Webserver's gateway is firewall external IP: 192.168.2.216

I have tried to do source NAT testing to allow traffic from notebook to webserver so that the webserver knows that the incoming traffic is coming from 192.168.2.232 (NAT IP) instead of 192.168.1.21:

    192.168.1.21 -- 192.168.2.232 -- 192.168.2.80

Unfortunately it hasn't worked at all. I have tried to monitor the traffic using tcpdump on em1 (external int) but there are no packets passing through em1 at all.

Below is the rule of the scenario above using NAT:

    # Tables: (1)
    table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 }
    # Rule 0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
    match out on em0 proto { tcp udp icmp } from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
    # Rule backup ssh access rule
    pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
    #
    # Rule 0 (em0) notebook access webserver
    pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state ( max 1, max-src-conn 10 )
    #
    # Rule 1
    block log quick inet from any to any no state
    #block all
    block quick inet from any to any no state

What else is missing or isn't configured correctly? There was no error while I reloaded the rules using pfctl -f /etc/pf.conf

Thanks
Regards, Stefan
Re: Source NAT using PF on OpenBSD 4.9
Hi Rodrigo,

I tried to change the rule from:

    pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state ( max 1, max-src-conn 10 )

to:

    pass out log quick on em1 all

and it still doesn't work.

Stefan

From: Rodrigo Mosconi open...@mosconi.mat.br
To: Stefan N stefanbsd...@yahoo.com
Sent: Mon, May 16, 2011 9:25:55 PM
Subject: Re: Source NAT using PF on OpenBSD 4.9

2011/5/16 Stefan N stefanbsd...@yahoo.com:

> Hi All,
>
> I have done some testing using PF on OpenBSD 4.9. There are 2 tests:
> 1. without NAT (successful)
> 2. with source NAT (not successful)
>
> The diagram is:
>
>     notebook--em0[OpenBSD 4.9 PF]em1--webserver(TCP/443)
>
>     em0 is 192.168.1.216/24
>     notebook is 192.168.1.21/24
>     em1 is 192.168.2.216/24
>     webserver is 192.168.2.80/24
>     IP alias for NAT on em1 is 192.168.2.232/32
>     ip forwarding on sysctl = 1
>     Notebook's gateway is firewall internal IP: 192.168.1.216
>     Firewall's gateway is webserver: 192.168.2.80
>     Webserver's gateway is firewall external IP: 192.168.2.216
>
> I have tried to do source NAT testing to allow traffic from notebook to webserver so that the webserver knows that the incoming traffic is coming from 192.168.2.232 (NAT IP) instead of 192.168.1.21:
>
>     192.168.1.21 -- 192.168.2.232 -- 192.168.2.80
>
> Unfortunately it hasn't worked at all. I have tried to monitor the traffic using tcpdump on em1 (external int) but there are no packets passing through em1 at all.
> Below is the rule of the scenario above using NAT:
>
>     # Tables: (1)
>     table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 }
>     # Rule 0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
>     match out on em0 proto { tcp udp icmp } from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
>     # Rule backup ssh access rule
>     pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
>     #
>     # Rule 0 (em0) notebook access webserver
>     pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state ( max 1, max-src-conn 10 )

    pass out log quick on em1 all

>     #
>     # Rule 1
>     block log quick inet from any to any no state
>     #block all
>     block quick inet from any to any no state
>
> What else is missing or isn't configured correctly? There was no error while I reloaded the rules using pfctl -f /etc/pf.conf
>
> Thanks
> Regards, Stefan
Re: Source NAT using PF on OpenBSD 4.9
Hi Hwei Woo,

I tried using em1 and it doesn't work. I have tried to create ping test rules, pinging from em0 -- em1 and em1 -- em0, both without NAT, and it works perfectly. When I implement simple NAT, it doesn't work.

Regards, Stefan

From: Han Hwei Woo h...@pce-net.com
To: misc@openbsd.org
Cc: Stefan N stefanbsd...@yahoo.com
Sent: Tue, May 17, 2011 3:34:32 AM
Subject: Re: Source NAT using PF on OpenBSD 4.9

On 5/16/2011 3:29 AM, Stefan N wrote:

> Hi All,
>
> I have done some testing using PF on OpenBSD 4.9. There are 2 tests:
> 1. without NAT (successful)
> 2. with source NAT (not successful)
>
> The diagram is:
>
>     notebook--em0[OpenBSD 4.9 PF]em1--webserver(TCP/443)
>
>     em0 is 192.168.1.216/24
>     notebook is 192.168.1.21/24
>     em1 is 192.168.2.216/24
>     webserver is 192.168.2.80/24
>     IP alias for NAT on em1 is 192.168.2.232/32
>     ip forwarding on sysctl = 1
>     Notebook's gateway is firewall internal IP: 192.168.1.216
>     Firewall's gateway is webserver: 192.168.2.80
>     Webserver's gateway is firewall external IP: 192.168.2.216
>
> I have tried to do source NAT testing to allow traffic from notebook to webserver so that the webserver knows that the incoming traffic is coming from 192.168.2.232 (NAT IP) instead of 192.168.1.21:
>
>     192.168.1.21 -- 192.168.2.232 -- 192.168.2.80
>
> Unfortunately it hasn't worked at all. I have tried to monitor the traffic using tcpdump on em1 (external int) but there are no packets passing through em1 at all.
> Below is the rule of the scenario above using NAT:
>
>     # Tables: (1)
>     table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 }
>     # Rule 0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
>     match out on em0 proto { tcp udp icmp } from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
>     # Rule backup ssh access rule
>     pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
>     #
>     # Rule 0 (em0) notebook access webserver
>     pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state ( max 1, max-src-conn 10 )
>     #
>     # Rule 1
>     block log quick inet from any to any no state
>     #block all
>     block quick inet from any to any no state
>
> What else is missing or isn't configured correctly? There was no error while I reloaded the rules using pfctl -f /etc/pf.conf
>
> Thanks
> Regards, Stefan

Based on your diagram, your outbound traffic and nat rule should be on em1 instead of em0. Outbound traffic on em0 would be traffic from the webserver going to the notebook.

Han
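The ruleset the two replies point to (Han: NAT on the interface the traffic leaves; dlg: a forwarded packet is filtered once on each interface), as an added example that is not code from the thread. It uses the interfaces and addresses from Stefan's diagram; gen_pf_conf() emits the corrected pf.conf and nat_on_inside_if() flags the original placement of the nat-to rule on em0.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the ruleset the replies point
# to, with the nat-to and pass-out rules on the interface the traffic leaves (em1)
# and a pass-in rule on the interface it enters (em0), because pf evaluates a
# forwarded packet once on each side. Interfaces and addresses are the ones from
# Stefan's diagram; nat_on_inside_if() flags the original placement on em0.
set -eu

# Emit a pf.conf for the forwarding box: $1 inside if, $2 outside if, $3 client,
# $4 server, $5 NAT alias configured on the outside if. Output goes to stdout.
gen_pf_conf() {
    int_if="$1"; ext_if="$2"; client="$3"; server="$4"; nat_ip="$5"
    cat <<EOF
int_if="$int_if"
ext_if="$ext_if"
client="$client"
server="$server"
nat_ip="$nat_ip"

set skip on lo

# Source NAT belongs where the packet leaves: "out on em0" would only ever see
# replies travelling from the server back toward the client.
match out on \$ext_if inet proto { tcp udp icmp } from \$client to \$server nat-to \$nat_ip

block log all

# First evaluation: the packet arriving from the client on the inside interface.
pass in quick on \$int_if inet proto tcp from \$client to \$server port 443

# Second evaluation: the same packet leaving on the outside interface. The match
# rule above has already rewritten its source, so filter on the NAT address.
pass out quick on \$ext_if inet proto tcp from \$nat_ip to \$server port 443
EOF
}

# Return 0 when a ruleset file ($2) carries a nat-to rule on the inside
# interface ($1), written either literally or via the $int_if macro.
nat_on_inside_if() {
    grep -Eq "^match out on (\\\$int_if|$1) .*nat-to" "$2"
}

# Stand-alone use: write the ruleset, lint it, and syntax-check it with
# pfctl -n (parse without loading) when run on an OpenBSD box.
case "${1:-}" in
demo)
    gen_pf_conf em0 em1 192.168.1.21 192.168.2.80 192.168.2.232 > /tmp/pf.conf.example
    if nat_on_inside_if em0 /tmp/pf.conf.example; then
        echo "nat-to rule is on the inside interface" >&2
        exit 1
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf /tmp/pf.conf.example
    fi
    ;;
esac
```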
Re: Creating release using site48.tgz
Hi Ingo,

I tried using install.site, sudoers and backup script inside site48.tgz and it still didn't work as expected. I was trying again to create site48.tgz with etc/rc.firsttime, /etc/sudoers and /etc/backup.sh inside. For the rc.firsttime, I wrote the command:

    groupadd -g 1011 fwadmin

and other commands. Once it is done, I made it as a bootable iso file and tried to install to the pc, and it works as expected.

Regards, Stefan

From: Stefan N stefanbsd...@yahoo.com
To: Ingo Schwarze schwa...@usta.de
Cc: misc@openbsd.org
Sent: Tue, May 10, 2011 11:47:34 PM
Subject: Re: Creating release using site48.tgz

Hi Ingo,

Thanks a lot. I will try again.

Regards, Stefanus

From: Ingo Schwarze schwa...@usta.de
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Tue, May 10, 2011 11:31:53 PM
Subject: Re: Creating release using site48.tgz

Hi Stefanus,

Stefan N wrote on Tue, May 10, 2011 at 08:11:53AM -0700:

> So what you meant is: I need to create the install.site script with the content of some commands that I made for rc.firsttime.

No, that is not what i meant and not what the FAQ says. However, in your particular case, it might work as well, given that you only want to run groupadd and useradd. That will probably work even before the first reboot. What the FAQ says is that the install.site script can write commands to /etc/rc.firsttime, keeping any existing content, appending them at the end, as in

    echo 'groupadd -g 1011 fwadmin' >> /etc/rc.firsttime

> After that I need to put install.site script inside site48.tgz?

Yes.

> I am quite confused with the explanation from FAQ.

Suggestions for improvement are always welcome; however, i don't see anything right now that might cause confusion.

[...]

> For customized /etc/sudoers, I will add in inside site48.tgz.

Yes.

Yours,
Ingo
Re: Creating release using site48.tgz
I was making the site48.tgz for testing and there is only /etc/rc.firsttime. There is a command line to create some new users for this purpose. The next step was I put the site48.tgz on /home/OpenBSD/4.8/amd64 (the same folder where base48.tgz, etc48.tgz etc. are) and make an iso file using mkhybrid. During the installation using the new iso file, the site48.tgz is displayed on the menu and I was able to include it as a set (by clicking +site48.tgz) and the installation was successful. However, after I log in to the new system, the new users that I created (using some command lines in the /etc/rc.firsttime file inside site48.tgz) do not exist at all. I have tested /etc/rc.firsttime on another machine by copying rc.firsttime to the /etc folder and rebooting manually, and it works normally. Is there a way to check what went wrong here?

Below is the sample of the content of rc.firsttime:

    #!/bin/ksh
    #creating the detail for fwadmin account
    groupadd -g 1011 fwadmin
    useradd -p '$2a$06$rJ5kpL.4nZ.qQPHnbO' -u 1011 -s /bin/ksh -m -g fwadmin fwadmin

Regards, Stefanus

From: Andrew Fresh and...@afresh1.com
To: misc@openbsd.org
Sent: Tue, May 10, 2011 8:40:28 AM
Subject: Re: Creating release using site48.tgz

On Mon, May 09, 2011 at 05:28:12PM -0700, Stefan N wrote:

> Thanks. By the way, I don't see the release directory inside the source file (/usr/src) directory. Does it mean that I need to create directory mkdir /usr/release first if my source files is at /usr/src?

The release man page does describe creating RELEASEDIR

    # mkdir -p ${DESTDIR} ${RELEASEDIR}

I generally set RELEASEDIR=/usr/release, but it can really be a path anywhere you want your sets. The important part is that site48.tgz is in the same directory as the rest of the install sets.

l8rZ,
--
andrew - http://afresh1.com
Computer Science: solving today's problems tomorrow.
Re: Creating release using site48.tgz
Hi Ingo,

So what you meant is: I need to create the install.site script with the content of some commands that I made for rc.firsttime. After that I need to put install.site script inside site48.tgz? I am quite confused with the explanation from FAQ.

In this case, I can create site48.tgz with the content of (install.site, sudoers etc etc). For the install.site script, I can write some commands like:

    #!/bin/ksh
    #creating the detail for fwadmin account
    groupadd -g 1011 fwadmin
    useradd -p '$2a$06$rJ5kpL.4nZ.qQPHnbO' -u 1011 -s /bin/ksh -m -g fwadmin fwadmin

For customized /etc/sudoers, I will add in inside site48.tgz.

Regards, Stefanus

From: Ingo Schwarze schwa...@usta.de
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Tue, May 10, 2011 10:50:58 PM
Subject: Re: Creating release using site48.tgz

Hi Stefanus,

Stefan N wrote on Tue, May 10, 2011 at 06:51:53AM -0700:

> I was making the site48.tgz for testing and there is only /etc/rc.firsttime.

That's the one file you don't want to put in there.

[...]

> However, after I log in to the new system, the new users that I created (using some command lines in the /etc/rc.firsttime file inside site48.tgz) do not exist at all.

Quoting from http://www.openbsd.org/faq/faq4.html#site

    This will happen if install.site is used to append any such commands to an rc.firsttime(8) file (appending to this file is necessary since the installer itself may write to this file).

I guess your rc.firsttime was overwritten by the installer.

Yours,
Ingo
Re: Creating release using site48.tgz
Hi Ingo,

Thanks a lot. I will try again.

Regards, Stefanus

From: Ingo Schwarze schwa...@usta.de
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org
Sent: Tue, May 10, 2011 11:31:53 PM
Subject: Re: Creating release using site48.tgz

Hi Stefanus,

Stefan N wrote on Tue, May 10, 2011 at 08:11:53AM -0700:

> So what you meant is: I need to create the install.site script with the content of some commands that I made for rc.firsttime.

No, that is not what i meant and not what the FAQ says. However, in your particular case, it might work as well, given that you only want to run groupadd and useradd. That will probably work even before the first reboot. What the FAQ says is that the install.site script can write commands to /etc/rc.firsttime, keeping any existing content, appending them at the end, as in

    echo 'groupadd -g 1011 fwadmin' >> /etc/rc.firsttime

> After that I need to put install.site script inside site48.tgz?

Yes.

> I am quite confused with the explanation from FAQ.

Suggestions for improvement are always welcome; however, i don't see anything right now that might cause confusion.

[...]

> For customized /etc/sudoers, I will add in inside site48.tgz.

Yes.

Yours,
Ingo
Creating release using site48.tgz
Hi All,

The OpenBSD version that I am using is 4.8 and the default source file is at /usr/src. I was trying to make a new release using site48.tgz. I have a plan to put /etc/pf.conf, /etc/rc.firsttime and /etc/backup.sh inside site48.tgz.

Below are my steps:
1. I need to prepare /etc/rc.firsttime, /etc/pf.conf and /etc/backup.sh.
2. After that I compress and zip using tar and gzip:

    tar -czf site48.tgz pf.conf rc.firsttime backup.sh

3. Once site48.tgz is done, I will copy it inside /usr/src and follow the instruction to make release (http://www.openbsd.org/faq/faq5.html#Release).

Are my steps correct?

Regards, Stefan
Re: Creating release using site48.tgz
Hi Andrew,

Thanks. By the way, I don't see the release directory inside the source file (/usr/src) directory. Does it mean that I need to create directory mkdir /usr/release first if my source files is at /usr/src?

Regards, Stefan

From: Andrew Fresh and...@afresh1.com
To: misc@openbsd.org
Sent: Tue, May 10, 2011 8:15:53 AM
Subject: Re: Creating release using site48.tgz

On Mon, May 09, 2011 at 04:59:17PM -0700, Stefan N wrote:

> Are my steps correct?

Close, but install sets are created in /usr/release and extracted relative to root so you need something more like this:

    tar -czf /usr/release/site48.tgz etc/pf.conf etc/rc.firsttime etc/backup.sh

Although I would also recommend creating site49.tgz and installing 4.9.

l8rZ,
--
andrew - http://afresh1.com
There are two ways to write error-free programs; only the third one works.
Re: Creating release using site48.tgz
Ok, I got it. The siteXX.tgz must be placed inside the release directory. Thanks.

Regards, Stefan

From: Andrew Fresh and...@afresh1.com
To: misc@openbsd.org
Sent: Tue, May 10, 2011 8:40:28 AM
Subject: Re: Creating release using site48.tgz

On Mon, May 09, 2011 at 05:28:12PM -0700, Stefan N wrote:

> Thanks. By the way, I don't see the release directory inside the source file (/usr/src) directory. Does it mean that I need to create directory mkdir /usr/release first if my source files is at /usr/src?

The release man page does describe creating RELEASEDIR

    # mkdir -p ${DESTDIR} ${RELEASEDIR}

I generally set RELEASEDIR=/usr/release, but it can really be a path anywhere you want your sets. The important part is that site48.tgz is in the same directory as the rest of the install sets.

l8rZ,
--
andrew - http://afresh1.com
Computer Science: solving today's problems tomorrow.
Re: Creating release using site48.tgz
Hi Stuart,

It sounds like that is the faster way instead of creating from scratch. Thanks!

Regards, Stefan

From: Stuart Henderson s...@spacehopper.org
To: misc@openbsd.org
Sent: Tue, May 10, 2011 8:39:13 AM
Subject: Re: Creating release using site48.tgz

you don't need to build your own release for this, just put the siteXX.tgz file with the base*.tgz man*.tgz and other files from a normal release on an ftp/http server / burned CD / etc.

On 2011-05-09, Stefan N stefanbsd...@yahoo.com wrote:

> Hi All,
>
> The OpenBSD version that I am using is 4.8 and the default source file is at /usr/src. I was trying to make a new release using site48.tgz. I have a plan to put /etc/pf.conf, /etc/rc.firsttime and /etc/backup.sh inside site48.tgz.
>
> Below are my steps:
> 1. I need to prepare /etc/rc.firsttime, /etc/pf.conf and /etc/backup.sh.
> 2. After that I compress and zip using tar and gzip:
>
>     tar -czf site48.tgz pf.conf rc.firsttime backup.sh
>
> 3. Once site48.tgz is done, I will copy it inside /usr/src and follow the instruction to make release (http://www.openbsd.org/faq/faq5.html#Release).
>
> Are my steps correct?
>
> Regards, Stefan
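Putting the thread's advice together (Andrew: archive members relative to /; Ingo: install.site appends to /etc/rc.firsttime instead of shipping that file), as an added example that is not code from the thread or from OpenBSD. It assumes release 48 and the fwadmin group/uid from the posts; the sudoers and backup.sh contents and the password hash are constructed placeholders, and simulate_install() is only a way to check the result without a real install.

```shell
#!/bin/sh
# Added example, not code from the thread: build a site48.tgz with archive paths
# relative to / and an install.site that appends to /etc/rc.firsttime rather
# than shipping that file (the installer writes rc.firsttime itself, so a
# shipped copy gets overwritten). Assumes release 48 and the fwadmin group/uid
# from the thread; sudoers, backup.sh and the password hash are constructed
# placeholders (use encrypt(1) output for a real hash).
set -eu

# Stage the set under $1 (a tree mirroring the target root) and write it to $2,
# which should be an absolute path since the tar runs from inside the stage.
build_site_set() {
    stage="$1"
    out="$2"
    mkdir -p "$stage/etc"
    printf '# constructed sudoers placeholder\n' > "$stage/etc/sudoers"
    printf '#!/bin/sh\n# constructed backup script placeholder\n' > "$stage/etc/backup.sh"
    # install.site runs at the end of the install, chrooted into the new system,
    # so absolute paths are right there. ROOT is set only by simulate_install.
    cat > "$stage/install.site" <<'EOF'
#!/bin/sh
set -e
ROOT="${ROOT:-}"
# Append, never overwrite: keep whatever the installer already put there.
cat >> "$ROOT/etc/rc.firsttime" <<'RC'
groupadd -g 1011 fwadmin
useradd -p 'PLACEHOLDER_HASH_FROM_encrypt_1' -u 1011 -s /bin/ksh -m -g fwadmin fwadmin
RC
chmod 0440 "$ROOT/etc/sudoers"
chmod 0755 "$ROOT/etc/backup.sh"
EOF
    chmod 0755 "$stage/install.site"
    # Relative member names: the installer extracts every set from /.
    (cd "$stage" && tar -czf "$out" install.site etc/sudoers etc/backup.sh)
}

# Unpack the set $1 into the fake root $2 as the installer would, then run its
# install.site against that root so the appended rc.firsttime can be inspected.
simulate_install() {
    tar -xzf "$1" -C "$2"
    ROOT="$2" sh "$2/install.site"
}

# Line count of rc.firsttime under root $1 (each install should add two lines).
count_rc_lines() {
    wc -l < "$1/etc/rc.firsttime" | tr -d ' '
}

case "${1:-}" in
demo)
    work=$(mktemp -d)
    build_site_set "$work/stage" "$work/site48.tgz"
    mkdir -p "$work/root/etc"
    printf '# line the installer wrote (constructed)\n' > "$work/root/etc/rc.firsttime"
    simulate_install "$work/site48.tgz" "$work/root"
    cat "$work/root/etc/rc.firsttime"
    ;;
esac
```

Run it with the argument demo to see the merged rc.firsttime; the real site48.tgz goes next to base48.tgz and the other sets, as Stuart notes, without rebuilding a release.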
Need Suggestion: To limit the access of root account
Hi All,

I would need some suggestions from you. Currently I am setting up an OpenBSD Firewall using PF at my working place. However, some of my colleagues are not so familiar with OpenBSD and we would like to take turns doing that. I have the intention to limit the usage and access of the root account. I intend to give them 'more than enough' access to do daily administrative tasks as firewall admin, like:
1. View/Configure IP Address, Subnet of network interface, VLAN and CARP
2. View/Configure default gateway and static route
3. View/Change the entry of DNS Server IP
4. Configure Syslog
5. Add/Remove PF rule
6. Backup/Restore
7. Viewing traffic using tcpdump

Is it possible to make some CLI Menu which will appear to the fw admin after the login, as long as they can do their job? Example:

    OpenBSD/i386 login: bob
    password:

    Please select the task below:
    1 View/Configure IP Address, Subnet of network interface, VLAN and CARP
    2 View/Configure default gateway and static route
    3 View/Change the entry of DNS Server IP
    4 Configure Syslog
    5 Add/Remove PF rule
    6 Backup/Restore
    7 Viewing traffic using tcpdump
    8 Logout

Or is there a better way to limit the usage and access of the root account by fw admin? My intention is: I would like to give enough access for the fw admin to do their job using a simple way.

Thank you in advance.

Regards, Stefan
Re: Need Suggestion: To limit the access of root account
Hi guys,

Noted and thanks for your suggestions.

Regards, Stefan

From: Stefan N stefanbsd...@yahoo.com
To: misc@openbsd.org
Sent: Fri, April 29, 2011 10:52:32 AM
Subject: Need Suggestion: To limit the access of root account
Compiling OpenBSD source in order to get the customized 'uname' version.
Hi All,

I have a plan to do some testing to compile and build a release of OpenBSD from the source code. My question is: which part of the source code do I need to modify in order to get and use my own customized 'uname' (eg: TestBSD)?

    # uname -a
    TestBSD server.lab.com 1.0-RELEASE GENERIC.MP#0 amd64

Thank you in advance.

Regards, Stefanus