Problems with rsync over squid

2012-12-24 Thread carlopmart
Hi all,

 I have installed a squid proxy to act as a transparent proxy for my
home network under an OpenBSD 5.2 fw. All works ok except for the rsync port.

 Every time squid reports these errors:

1356344923.836  0 myhost TCP_DENIED/400 1470 NONE NONE:// - NONE/- text/html
1356344923.925  0 myhost TCP_DENIED/400 1470 NONE NONE:// - NONE/- text/html
1356344924.044  0 myhost TCP_DENIED/400 1470 NONE NONE:// - NONE/- text/html
1356344924.125  0 myhost TCP_DENIED/400 1470 NONE NONE:// - NONE/- text/html
1356344924.214  0 myhost TCP_DENIED/400 236 NONE NONE:// - NONE/- text/html
1356344924.294  0 myhost TCP_DENIED/400 1470 NONE NONE:// - NONE/- text/html

 I am using the following acls:

 acl unixallow_ports port 80 873
 acl genlinsrv src 172.25.50.5
 http_access allow genlinsrv genlinsrvsites
 http_access allow genlinsrv unixallow_ports

 Using the same configuration under a Linux VM with squid-2.7, the configuration
works... then maybe it is a problem with my transparent proxy configuration??

Thanks.
-- 
CL Martinez
carlopmart {at} gmail {d0t} com
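An added example, not part of the post above: a small parser for Squid's native access.log format that picks out the TCP_DENIED/400 entries whose method and URL are NONE and NONE://, i.e. connections that reached the proxy but contained no parseable HTTP request line. That is what an intercepting HTTP proxy logs when a non-HTTP protocol (rsync on port 873 here) is redirected into it, so counting these per client is a quick way to spot a redirect rule that catches the wrong port. The sample lines are constructed (two modelled on the quoted log, plus a hypothetical successful GET with a documentation-range peer address for contrast).

```python
"""Added example, not from the mailing-list post: parse Squid native
access.log lines and flag denials with no parseable HTTP request."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass
class SquidEntry:
    """One line of Squid's native access.log format (10 whitespace fields)."""
    timestamp: float
    elapsed_ms: int
    client: str
    result: str        # e.g. TCP_DENIED
    status: int        # HTTP status code, e.g. 400
    size: int
    method: str        # GET, POST, ... or NONE when no request line was parsed
    url: str           # NONE:// when no request line was parsed
    ident: str
    peer: str          # hierarchy code/peer host, e.g. DIRECT/192.0.2.10
    content_type: str


def parse_line(line: str) -> SquidEntry:
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"not a native access.log line: {line!r}")
    result, status = fields[3].split("/", 1)
    return SquidEntry(
        timestamp=float(fields[0]), elapsed_ms=int(fields[1]), client=fields[2],
        result=result, status=int(status), size=int(fields[4]),
        method=fields[5], url=fields[6], ident=fields[7], peer=fields[8],
        content_type=fields[9],
    )


def parse_log(text: str) -> list[SquidEntry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unparseable_requests(entries: list[SquidEntry]) -> list[SquidEntry]:
    """Denials with no parseable HTTP request: what an intercepting proxy logs
    when non-HTTP traffic (rsync on 873 in the post) is redirected into it."""
    return [e for e in entries
            if e.result == "TCP_DENIED" and e.status == 400
            and e.method == "NONE" and e.url.startswith("NONE://")]


def denials_per_client(entries: list[SquidEntry]) -> Counter:
    """Count those denials per client so one host's burst stands out."""
    return Counter(e.client for e in unparseable_requests(entries))


# Constructed sample: two lines modelled on those quoted in the post, plus a
# hypothetical ordinary GET (URL and peer address are made up) for contrast.
SAMPLE_LOG = """\
1356344923.836      0 myhost TCP_DENIED/400 1470 NONE NONE:// - NONE/- text/html
1356344923.925      0 myhost TCP_DENIED/400 1470 NONE NONE:// - NONE/- text/html
1356344930.101     42 myhost TCP_MISS/200 5123 GET http://www.openbsd.org/ - DIRECT/192.0.2.10 text/html
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for client, count in denials_per_client(entries).items():
        print(f"{client}: {count} connections denied with no parseable HTTP request")
```

Squid only speaks HTTP, so the defensive fix on the firewall side is to redirect only HTTP ports into the intercept port and let port 873 pass directly; the per-client count above tells you which host is hitting the misrouted port.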



Re: Using bridge and carp interfaces with pf rules

2012-06-17 Thread carlopmart

On 06/16/2012 12:24 PM, carlopmart wrote:

Hi all,

I have setup a bridge between two interfaces in a pair of OpenBSD fws.
This bridge needs to use an IP address and a carp interface to act as a
gateway for two physical nets using the same network range, but it doesn't
work.

My config:

/etc/hostname.em6
up

/etc/hostname.em7
inet 172.25.60.1 255.255.255.240

/etc/hostname.bridge0
add em6 add em7 -blocknonip em6 -blocknonip em7 -stp em6 -stp em7
fwddelay 4 up

and my pf rules are simple:

pass in quick on em6 all
pass out quick on em6 all

block in on em7 all
block out on em7 all

pass in quick on em7 proto tcp from any to any port 80 \
flags S/SA keep state

and pfctl -vvsr:

@2 pass in quick on em6 all flags S/SA keep state
@3 pass out quick on em6 all flags S/SA keep state
@4 block drop in log quick on ! lo0 inet6 from ::1 to any
@5 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
@6 block drop in log quick on ! em0 inet from 172.25.50.0/27 to any
@7 block drop in log quick inet from 172.25.50.3 to any prio 0
@8 block drop in log quick on em0 inet6 from fe80::250:56ff:fe2a:ac29 to
any prio 0
@9 block drop in log quick on ! em1 inet from 172.25.80.0/28 to any
@10 block drop in log quick inet from 172.25.80.1 to any prio 0
@11 block drop in log quick on em1 inet6 from fe80::250:56ff:fe38:9a33
to any prio 0
@12 block drop in log quick on ! em7 inet from 172.25.60.0/28 to any
@13 block drop in log quick inet from 172.25.60.1 to any prio 0
@14 block drop in log quick on em7 inet6 from fe80::250:56ff:fe16:8fb1
to any prio 0
@15 block drop quick inet6 all

I can see how packets flow via the em7 interface but not in em6, and in em6
they are blocked by rule 13 (antispoof rule)...

What am I doing wrong??


Ok, problem solved... I need to enable stp in the bridge interface.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Using bridge and carp interfaces with pf rules

2012-06-16 Thread carlopmart

Hi all,

 I have setup a bridge between two interfaces in a pair of OpenBSD fws.
This bridge needs to use an IP address and a carp interface to act as a
gateway for two physical nets using the same network range, but it doesn't
work.


My config:

/etc/hostname.em6
up

/etc/hostname.em7
inet 172.25.60.1 255.255.255.240

/etc/hostname.bridge0
add em6 add em7 -blocknonip em6 -blocknonip em7 -stp em6 -stp em7 
fwddelay 4 up


and my pf rules are simple:

pass in quick on em6 all
pass out quick on em6 all

block in  on em7 all
block out on em7 all

pass in quick on em7 proto tcp from any to any port 80 \
 flags S/SA keep state

and pfctl -vvsr:

@2 pass in quick on em6 all flags S/SA keep state
@3 pass out quick on em6 all flags S/SA keep state
@4 block drop in log quick on ! lo0 inet6 from ::1 to any
@5 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
@6 block drop in log quick on ! em0 inet from 172.25.50.0/27 to any
@7 block drop in log quick inet from 172.25.50.3 to any prio 0
@8 block drop in log quick on em0 inet6 from fe80::250:56ff:fe2a:ac29 to 
any prio 0

@9 block drop in log quick on ! em1 inet from 172.25.80.0/28 to any
@10 block drop in log quick inet from 172.25.80.1 to any prio 0
@11 block drop in log quick on em1 inet6 from fe80::250:56ff:fe38:9a33 
to any prio 0

@12 block drop in log quick on ! em7 inet from 172.25.60.0/28 to any
@13 block drop in log quick inet from 172.25.60.1 to any prio 0
@14 block drop in log quick on em7 inet6 from fe80::250:56ff:fe16:8fb1 
to any prio 0

@15 block drop quick inet6 all

I can see how packets flow via the em7 interface but not in em6, and in em6
they are blocked by rule 13 (antispoof rule)...


What am I doing wrong??
--
CL Martinez
carlopmart {at} gmail {d0t} com
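An added example, not part of either message in this thread: a small model of how pf expands an `antispoof for em7 inet` directive into the two inet rules that appear as @12 and @13 in the pfctl output above, and of which rule drops a given (ingress interface, source address) pair. It illustrates the conflict the post runs into: antispoof assumes the interface's network lives only behind that interface, so a host on the em6 side of the bridge carrying a 172.25.60.0/28 source is dropped by the `on ! em7` rule even though it is legitimate. The interface names and addresses are the post's own; the packet sources are constructed, the "log quick" and "prio" decorations are omitted, and this is a diagnostic model, not pf itself.

```python
"""Added example, not from the post: model pf's antispoof expansion and
find which expanded rule would drop a packet."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    text: str               # rule in pf.conf-like form (no log/quick/prio)
    iface: str | None       # interface the rule is bound to; None = any
    negate_iface: bool      # True for "on ! em7"
    src: IPv4Network        # source network the packet must fall in


def antispoof_rules(iface: str, addr: str, prefixlen: int) -> list[Rule]:
    """Expansion of `antispoof for <iface> inet` for an interface holding
    addr/prefixlen: drop inbound packets claiming the interface's network on
    any other interface, and drop anything claiming the interface's own
    address on any interface."""
    net = ip_network(f"{addr}/{prefixlen}", strict=False)
    return [
        Rule(f"block drop in on ! {iface} inet from {net} to any", iface, True, net),
        Rule(f"block drop in inet from {addr} to any", None, False, ip_network(addr)),
    ]


def first_blocking_rule(rules: list[Rule], in_iface: str, src: str) -> Rule | None:
    """Return the first rule that drops a packet with source src arriving on
    in_iface. The expanded rules are 'quick' in the post, so the first match
    decides; None means no antispoof rule fires."""
    s = ip_address(src)
    for r in rules:
        if s not in r.src:
            continue
        if r.iface is None:
            return r
        if r.negate_iface and in_iface != r.iface:
            return r
        if not r.negate_iface and in_iface == r.iface:
            return r
    return None


if __name__ == "__main__":
    rules = antispoof_rules("em7", "172.25.60.1", 28)
    # Constructed packets: a host on the em6 side of the bridge, the same
    # host seen on em7, a packet forging the firewall's own address, and an
    # unrelated source.
    for iface, src in [("em6", "172.25.60.5"), ("em7", "172.25.60.5"),
                       ("em7", "172.25.60.1"), ("em6", "10.0.0.9")]:
        hit = first_blocking_rule(rules, iface, src)
        print(f"in on {iface} from {src}: {hit.text if hit else 'passes antispoof'}")
```

Running it shows the bridge case directly: the same source is dropped when it enters on em6 and passes when it enters on em7, which is the pattern the post describes. Checking a candidate rule set this way before loading it, then confirming with pflog, is cheaper than debugging a silently blackholed bridge.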



Re: Is not possible to disable sndiod process??

2012-06-10 Thread carlopmart

On 06/10/2012 05:40 PM, Henning Brauer wrote:

can you get over it now please instead of spamming the list with your
attempts to find someone but yourself to blame for your screwup? shit
happens, learn from it, done.


Sorry, but I am not trying to spam this list ... I have made a simple 
question about a config file ... nothing more ...


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Is not possible to disable sndiod process??

2012-06-10 Thread carlopmart

On 06/10/2012 04:34 PM, Jan Stary wrote:

Ok, I have restored original rc.conf file, and created rc.conf.local with
my options ... and works.

But then a doubt emerges. What files are not recommended to touch between
upgrades? Where can I find this info??


http://www.openbsd.org/faq/faq10.html

• /etc/rc.conf - Configuration file used by /etc/rc to set startup
parameters for the system. Should not be edited.
• /etc/rc.conf.local - Configuration file that overrides settings in
/etc/rc.conf so you don't have to touch /etc/rc.conf itself, which is
important when upgrading your system.



Yes, I saw this previously ... But does another file exist apart from rc.conf??


Everything is in man rc on OpenBSD. On other systems it may differ
(and differ on a lot of them) so you need to read their docs.


Ok, I will try to explain: I have used OpenBSD until the 4.0 version ..
After this, I had to use other OSes to accomplish my needs
(freebsd, solaris, AIX, linux, windows server, etc)... Until now,
when I can use OpenBSD again ...

In those days (versions 2.x and 3.x until the 4.0 version) you could
modify rc.conf for the soft base and use rc.conf.local (if I remember
well, in 3.x versions) for local processes, and the faq recommended doing
it this way ... and the man page didn't say anything about
"Configuration file used by /etc/rc to set startup parameters for
the system. Should not be edited" in those days ...


Every version of the rc.conf manpage between 2.7 and 4.0
advises you to leave it alone and use rc.conf.local instead
http://www.openbsd.org/cgi-bin/man.cgi?query=rc.conf&apropos=0&sektion=0&manpath=OpenBSD+2.7&arch=i386&format=html


Where says here "Should not be edited."??? Says: "As an alternative, it 
is also possible to leave the /etc/rc.conf file un-touched, and instead 
create and edit a new /etc/rc.conf.local file. Variables set in this 
file will override variables previously set in /etc/rc.conf." ... 
Nothing about problems between upgrades ...


and I repeat "In those days (versions 2.x and 3.x until the 4.0 version) you
could modify rc.conf for the soft base and use rc.conf.local for local
processes, and the faq recommended doing it this way ..."





Yes, maybe I need to update my knowledge about OpenBSD, but I think
it is normal for a person who had used it previously to assume that the
configuration of rc.conf went in the same manner (without having to
read the man page). Or not?


No, it is not normal to assume that things are the same as six years ago.
(But in this case they are: use rc.conf.local instead.)


Correct, but I didn't expect this type of change in rc.conf ...



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Is not possible to disable sndiod process??

2012-06-10 Thread carlopmart

On 06/10/2012 12:45 PM, Tomas Bodzar wrote:

On Sun, Jun 10, 2012 at 11:50 AM, carlopmart  wrote:

On 06/10/2012 10:46 AM, Richard Toohey wrote:


On 10/06/2012, at 8:25 PM, carlopmart wrote:


On 06/09/2012 12:56 PM, Alexandre Ratchov wrote:


On Sat, Jun 09, 2012 at 12:36:19PM +0200, carlopmart wrote:


On 06/09/2012 12:21 PM, Alexandre Ratchov wrote:


On Sat, Jun 09, 2012 at 11:48:29AM +0200, carlopmart wrote:


Hi all,

  How can I disable sndiod process?? I have configured under rc.conf:



the recommended way to disable it by adding:

sndiod_flags=NO

in /etc/rc.conf.local


sndiod_flags=NO

  but every time host is rebooted, sndiod starts ... Why??



indeed, it shouldn't start. Maybe you've multiple sndiod_flags
definitions, or your setting is overridden in rc.conf.local or
whatever else.

-- Alexandre



Nop, I don't have a rc.conf.local file ..



so, just do:

echo 'sndiod_flags=NO'>/etc/rc.conf.local

see rc.conf(5) man page as well.

-- Alexandre



Ok, I have restored original rc.conf file, and created rc.conf.local with
my options ... and works.

But then a doubt emerges. What files are not recommended to touch between
upgrades? Where can I find this info??



You didn't find this?

http://www.openbsd.org/faq/faq10.html

• /etc/rc.conf - Configuration file used by /etc/rc to set startup
parameters for the system. Should not be edited.
• /etc/rc.conf.local - Configuration file that overrides settings in
/etc/rc.conf so you don't have to touch /etc/rc.conf itself, which is
important when upgrading your system.



Yes, I saw this previously ... But does another file exist apart from rc.conf??


Everything is in man rc on OpenBSD. On other systems it may differ
(and differ on a lot of them) so you need to read their docs.



Ok, I will try to explain: I have used OpenBSD until the 4.0 version ..
After this, I had to use other OSes to accomplish my needs (freebsd,
solaris, AIX, linux, windows server, etc)... Until now, when I can use
OpenBSD again ...


In those days (versions 2.x and 3.x until the 4.0 version) you could modify
rc.conf for the soft base and use rc.conf.local (if I remember well, in 3.x
versions) for local processes, and the faq recommended doing it this way
... and the man page didn't say anything about "Configuration file
used by /etc/rc to set startup parameters for the system. Should not be
edited" in those days ...


Yes, maybe I need to update my knowledge about OpenBSD, but I think it
is normal for a person who had used it previously to assume that the
configuration of rc.conf went in the same manner (without having to read
the man page). Or not?


After all, it is not too complex to understand how rc.conf works.
Another thing is how I need to configure pf rules ...

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Is not possible to disable sndiod process??

2012-06-10 Thread carlopmart

On 06/10/2012 10:46 AM, Richard Toohey wrote:

On 10/06/2012, at 8:25 PM, carlopmart wrote:


On 06/09/2012 12:56 PM, Alexandre Ratchov wrote:

On Sat, Jun 09, 2012 at 12:36:19PM +0200, carlopmart wrote:

On 06/09/2012 12:21 PM, Alexandre Ratchov wrote:

On Sat, Jun 09, 2012 at 11:48:29AM +0200, carlopmart wrote:

Hi all,

  How can I disable sndiod process?? I have configured under rc.conf:



the recommended way to disable it by adding:

sndiod_flags=NO

in /etc/rc.conf.local


sndiod_flags=NO

  but every time host is rebooted, sndiod starts ... Why??


indeed, it shouldn't start. Maybe you've multiple sndiod_flags
definitions, or your setting is overridden in rc.conf.local or
whatever else.

-- Alexandre


Nop, I don't have a rc.conf.local file ..



so, just do:

echo 'sndiod_flags=NO'>/etc/rc.conf.local

see rc.conf(5) man page as well.

-- Alexandre


Ok, I have restored original rc.conf file, and created rc.conf.local with my 
options ... and works.

But then a doubt emerges. What files are not recommended to touch between
upgrades? Where can I find this info??


You didn't find this?

http://www.openbsd.org/faq/faq10.html

• /etc/rc.conf - Configuration file used by /etc/rc to set startup parameters 
for the system. Should not be edited.
• /etc/rc.conf.local - Configuration file that overrides settings in 
/etc/rc.conf so you don't have to touch /etc/rc.conf itself, which is important 
when upgrading your system.



Yes, I saw this previously ... But does another file exist apart from rc.conf??


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Is not possible to disable sndiod process??

2012-06-10 Thread carlopmart

On 06/10/2012 11:41 AM, Eric Furman wrote:

Stop reading HOWTOS on the Internet.
Read an actual book on UNIX.
(UNIX not Linux. there is a difference)
(GNU is not UNIX)
(No truer words have been spoken)
This stuff is UNIX 101.
Because it is UNIX 101 is the reason the replies
you have gotten are either non existent or
dismissive. However, you have been led in the
right direction. Read man pages. If you don't
understand the consequences of editing a
config file then don't edit them.
Stop reading HOWTOS.
They do not lead to understanding.



Sorry?? What howtos?? Who is speaking about howtos??



Re: Is not possible to disable sndiod process??

2012-06-10 Thread carlopmart

On 06/09/2012 12:56 PM, Alexandre Ratchov wrote:

On Sat, Jun 09, 2012 at 12:36:19PM +0200, carlopmart wrote:

On 06/09/2012 12:21 PM, Alexandre Ratchov wrote:

On Sat, Jun 09, 2012 at 11:48:29AM +0200, carlopmart wrote:

Hi all,

  How can I disable sndiod process?? I have configured under rc.conf:



the recommended way to disable it by adding:

sndiod_flags=NO

in /etc/rc.conf.local


sndiod_flags=NO

  but every time host is rebooted, sndiod starts ... Why??


indeed, it shouldn't start. Maybe you've multiple sndiod_flags
definitions, or your setting is overridden in rc.conf.local or
whatever else.

-- Alexandre


Nop, I don't have a rc.conf.local file ..



so, just do:

echo 'sndiod_flags=NO'>/etc/rc.conf.local

see rc.conf(5) man page as well.

-- Alexandre


Ok, I have restored original rc.conf file, and created rc.conf.local 
with my options ... and works.


But then a doubt emerges. What files are not recommended to touch
between upgrades? Where can I find this info??



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Is not possible to disable sndiod process??

2012-06-09 Thread carlopmart

On 06/09/2012 12:21 PM, Alexandre Ratchov wrote:

On Sat, Jun 09, 2012 at 11:48:29AM +0200, carlopmart wrote:

Hi all,

  How can I disable sndiod process?? I have configured under rc.conf:



the recommended way to disable it by adding:

sndiod_flags=NO

in /etc/rc.conf.local


sndiod_flags=NO

  but every time host is rebooted, sndiod starts ... Why??


indeed, it shouldn't start. Maybe you've multiple sndiod_flags
definitions, or your setting is overridden in rc.conf.local or
whatever else.

-- Alexandre


Nop, I don't have a rc.conf.local file ..

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Is not possible to disable sndiod process??

2012-06-09 Thread carlopmart

On 06/09/2012 12:19 PM, Jérémie Courrèges-Anglas wrote:

carlopmart  writes:


Hi all,

  How can I disable sndiod process?? I have configured under rc.conf:

sndiod_flags=NO


rc.conf isn't meant to be edited.  use rc.conf.local


Uhmm why??

I use rc.conf.local for daemons or options outside of openbsd soft base ...




  but every time host is rebooted, sndiod starts ... Why??

Thanks.


Without more details and given the non-standard setup...


What details do you need?? I use this openbsd box as a fw and I want to
disable the sndiod process ...



Here's a guess: you may have aucat_flags in rc.conf.local that override
your non-standard changes.



But there are no options for aucat_flags under rc.conf ... or maybe I
only need to put aucat_flags=NO under rc.conf.local??




--
CL Martinez
carlopmart {at} gmail {d0t} com



Is not possible to disable sndiod process??

2012-06-09 Thread carlopmart

Hi all,

 How can I disable sndiod process?? I have configured under rc.conf:

sndiod_flags=NO

 but every time host is rebooted, sndiod starts ... Why??

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
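An added example, not part of this thread: a small model of how OpenBSD's rc reads /etc/rc.conf and then /etc/rc.conf.local, with the local file overriding and the last assignment of a variable winning, so you can see where a daemon's effective `*_flags` value comes from and how many times each file sets it. It reproduces the failure mode discussed above (an `=NO` added to rc.conf that is silently undone by the stock line below it, and fixed by putting the setting in rc.conf.local). The two file contents are constructed stand-ins; the function handles plain `VAR=value` lines as found in those files and is a diagnostic model, not a shell.

```python
"""Added example, not from the thread: resolve an rc.conf(8)-style variable
the way rc sees it (rc.conf first, then rc.conf.local overriding)."""
from __future__ import annotations

import re
import shlex

ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def assignments(text: str):
    """Yield (name, value) for each assignment line, in file order. Quotes and
    a trailing comment are stripped the way sh would for a simple value."""
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        parts = shlex.split(m.group(2), comments=True)
        yield m.group(1), (parts[0] if parts else "")


def resolve(var: str, rc_conf: str, rc_conf_local: str = ""):
    """Return (value, source, counts): the effective value, which file made the
    last assignment, and how many times each file assigns var."""
    value, source = None, None
    counts = {"rc.conf": 0, "rc.conf.local": 0}
    for fname, text in (("rc.conf", rc_conf), ("rc.conf.local", rc_conf_local)):
        for name, val in assignments(text):
            if name == var:
                counts[fname] += 1
                value, source = val, fname
    return value, source, counts


def will_start(flags_value: str | None) -> bool:
    """rc starts a daemon unless its flags are exactly the string NO; an empty
    value means 'start with default flags' and the comparison is case-sensitive."""
    return flags_value != "NO"


# Constructed stand-in for an edited /etc/rc.conf: the user's "=NO" was added
# above the stock line, so the stock (empty) assignment wins.
EDITED_RC_CONF = """\
sndiod_flags=NO          # local edit
sndiod_flags=            # stock line: empty means start with defaults
"""

# Constructed /etc/rc.conf.local, the place the thread recommends.
RC_CONF_LOCAL = "sndiod_flags=NO\n"

if __name__ == "__main__":
    for label, local in (("rc.conf edited only", ""), ("with rc.conf.local", RC_CONF_LOCAL)):
        value, source, counts = resolve("sndiod_flags", EDITED_RC_CONF, local)
        print(f"{label}: sndiod_flags={value!r} from {source}, "
              f"definitions={counts}, sndiod starts={will_start(value)}")
```

The first run shows sndiod still starting despite the edit, the second shows rc.conf.local winning; the definition counts are the check Alexandre suggests above (multiple `sndiod_flags` definitions), done without hand-reading the file.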



Re: similar lvm tool on openbsd??

2011-11-11 Thread carlopmart

On 11/11/2011 03:40 PM, Nick Holland wrote:

On 11/11/11 04:34, carlopmart wrote:

On 11/11/2011 03:48 AM, Nick Holland wrote:

[bla bla bla]


Thanks Nick. growfs suits my needs. Is this the correct procedure??

http://wiki.arpnetworks.com/wiki/ResizeOpenBSDRootFilesystem


"the correct procedure" is a big phrase. :)
It's _A_ procedure, and for some people, it may be right.  I'd not bet
that the ramdisk file system on bsd.rd has the space available to pull
over growfs on all platforms.  And I don't like the step-by-step without
the discussion of why.  Your needs will probably be different from the
author's, or mine, so make sure you understand, and if it is important,
practice on a non-critical machine first.

growfs has to be used on an idle file system.
If your goal is to enlarge root (or /usr, or /var or ...), you need to
be running in a strange mode -- single user with / unmounted, bsd.rd,
booted from another file system, etc.

Personally, I'd boot off my live USB disk, but since growfs is a static
binary and based closely on newfs, it will probably run just fine from
bsd.rd, so one could potentially boot from bsd.rd, mount / somewhere,
mount /tmp (or whatever) elsewhere, save a copy of growfs to this other
file system, unmount /, then do your twiddling.  Exactly how you do this
will depend on your environment.

but again...when messing with your file systems, errors can be really
bad, so rather than asking my or google's advice...build up a test
machine, and practice on that before you do it on a production box.

Nick.



Thanks Nick. But my needs are only for filesystems with multiple data 
files or configuration files, never for the root partition.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: similar lvm tool on openbsd??

2011-11-11 Thread carlopmart

On 11/11/2011 03:48 AM, Nick Holland wrote:

On 11/10/11 14:49, carlopmart wrote:

Hi all,

   is it possible to work under OpenBSD with disk volumes?? Like LVM does in
the Linux world... If not, how can I expand/resize a disk partition??


In the way LVM or Veritas products or some other systems do, no.

However, most use of resizing partitions is usually a way of saying, "I
screwed up, maybe I can fix it".  May I instead suggest...not screwing
up in the first place, or designing the system knowing the unknowns you
will run into?

For enlarging a partition with space available after it, there is
growfs(8).  You can't change the beginning of a partition with growfs,
you can't shrink a partition with growfs, but you can enlarge it at the
end, if you have space available.

On a modern hard disk, it is easy to have ten or more times the space
you will ever need.  DON'T ALLOCATE IT!  Fill your /usr partition?  make
a new (bigger) one in the free space, copy over the old /usr to the new
one, change your /etc/fstab to point to the new one, reboot, done.  Be
careful with it, you don't even need console.

If you have an app where you know you will be filling disks, plan ahead
there, too.  A few years ago, I built an e-mail archive.  We didn't try
to pretend we would make one file system that would hold years of data,
we made lots of 500GB partitions, filled 'em, moved on to the next one,
filled it, so on.  Each partition filled after a few months.  When we
ran out of empty disk space, we took entire arrays off the machine and
put them on the shelf (alternates: new machine, additional external
arrays, etc).

Sometimes, you just don't know exactly how needs are going to break
down, but even then, you can do some guessing.  For example, I help run
an OpenBSD mirror.  We opted to cut the array (about 420G) that holds
the primary things it deals out (anoncvs&  FTP) into two chunks, one for
each of its primary functions.  We opted to give about 20G to the
anoncvs repository and 350GB of OpenBSD FTP space.  We figured at some
point, we'd run out of one or the other, but we weren't sure which.  We
put the bigger, FTP slice at the beginning of the disk, and the anoncvs
chunk at the end, and 50GB of UNUSED SPACE in the middle.  The plan is
this: if we run out of FTP space, we put the 50GB on FTP space, and
growfs it.  If we run out of anoncvs space, we create another 20GB space
"under" the existing partition, fill it with data, delete the old one,
add the old one's space to the "new" anoncvs partition, growfs it,
ta-da, doubled space.

As it turned out, we are running tight on ftp space -- each OpenBSD
release has more than doubled in size since the mirror was installed,
and we'll probably need to add-in that 50GB before 5.1 comes out, but
that should hold us a while.

The biggest advantage I see to volume managers is the ability to grow a
mount point from one set of disks over to a new set of disks.  However,
I really think you are usually better off organizing your data into
multiple chunks than to add new failure points and complexity to a
system.  Plan on this from the beginning..."WHEN I run out of space, I
will do ...", as opposed to, "Oh, poo. I'm out of space...and my app
wasn't designed to be multiple storage space aware..."

In short...I just haven't found need for most of the things people do
with "volume managers".  But the lack is hardly a show stopper for
anything I have tried to do.  Plus...I've seen problems CAUSED by volume
managers: file systems made up of chunks here and there are more complex
and more likely to do something Really Unhappy than simple, single-chunk
file systems, and seen people try to reassemble very complex systems
from bits and pieces when a few cables got confused...

Nick.



Thanks Nick. growfs suits my needs. Is this the correct procedure??

http://wiki.arpnetworks.com/wiki/ResizeOpenBSDRootFilesystem

--
CL Martinez
carlopmart {at} gmail {d0t} com



similar lvm tool on openbsd??

2011-11-10 Thread carlopmart

Hi all,

 is it possible to work under OpenBSD with disk volumes?? Like LVM does in
the Linux world... If not, how can I expand/resize a disk partition??


--
CL Martinez
carlopmart {at} gmail {d0t} com



Are LRO and GRO configurables under OpenBSD 5.0?

2011-11-07 Thread carlopmart

Hi all,

 Maybe it is a stupid question, but I didn't find an answer ... can I
configure LRO (Large Receive Offload) and GRO (Generic Receive Offload)
params under OpenBSD like ethtool does in the Linux world??


Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Performance problems with OpenBSD 4.9 under ESXi 5

2011-11-01 Thread carlopmart

On 11/01/2011 12:47 AM, Daniel Ouellet wrote:

ESXi 3.5?? Can you test with ESXi 4 U2??


I read his tests to be under 5.0

 >> Hi, I setup four 4.9-RELEASE installs under ESXi 5.0.0:

Only the host was a 3.5 year old server.

You may want to read it again.

Best,

Daniel



Yes, yes ... it was my fault. Sorry.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Performance problems with OpenBSD 4.9 under ESXi 5

2011-10-31 Thread carlopmart

On 10/31/2011 10:01 PM, Tyler Morgan wrote:

Hi, I setup four 4.9-RELEASE installs under ESXi 5.0.0:

amd64 as "Other"
amd64 as "FreeBSD"
i386 as "Other"
i386 as "FreeBSD"

All 4 got 512megs of RAM, unlimited use of the 8 available CPU cores,
and totally default installs other than stress from ports.

After installing I ran "stress --cpu 8 --io 4 --vm 2 --vm-bytes 128M
--hdd 4 --hdd-bytes 128M --timeout 60s" in an infinite loop for a few
hours. Then I let them sit for a couple days. Then I the stress loops
again for a few hours with 3 days of uptime. I verified the stress was
pegging 95%+ of all CPU, doing about 75% of what the RAID array is
capable of in disk read/write, and as much RAM as I'd let it have -- all
verified using ESXi's standard host monitoring.

At the end of testing, I have no unusual messages in dmesg, a normal
0.5ish load when idle, and no noticed performance issues on all four
virtual machines.

The ESXi host is a 3.5 year old SuperMicro server from Penguin Linux
with 2xXeon X5365s, 32Gigs of ECC DDR3, and an Adaptec RAID controller.
I can get a real dmesg out of the ESXi host if anyone wants it, and
someone already provided a dmesg of 4.9-RELEASE under VMWare, but I can
also provide those if desired.



ESXi 3.5?? Can you test with ESXi 4 U2??



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: dedicating a server to spamd

2011-10-25 Thread carlopmart

On 10/25/2011 11:09 AM, ML mail wrote:

Hello,

I am currently running spamd on an OpenBSD firewall which does greylisting to 
protect a qmail linux mail server on a DMZ and was wondering if it would be 
possible to have both tasks (firewalling and spamd/greylisting) on two 
different physical machines so that the firewall would just do packet filtering 
and another separate machine just greylisting?

The problem here what I see is that the dedicated greylisting machine would 
have somehow to redirect IP addresses which are not on the greylist to the mail 
server. As far as I know this is not possible with a machine having only one 
NIC.

Any ideas on recommendation on how to achieve this?

Regards,
ML



Place another OpenBSD box on the DMZ area with greylisting tasks ... On 
the OpenBSD firewall side, do only packet filtering ...


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Performance problems with OpenBSD 4.9 under ESXi 5

2011-10-23 Thread carlopmart
ested, starting with
changing the guest OS type.  Unfortunately it appears it can be days
apart when this problem occurs.  I'll send an update when I have
something more concrete.

If anyone would like to try recreating this problem on their ESXi host
I'll make a .tar.gz of this vm guest for you to download.

Thanks again.

-Gene



It is really strange ... I have two OpenBSD 4.9 vms running under ESXi 5
without problems (one is i386 and another amd64), but with 768 MB RAM in
each one, using e1000 for nic interfaces and LSI Logic Parallel as a
scsi controller, without any issue until now ...


Have you tried changing the vic interface to em?? And what scsi controller
do you use in this vm???


And a very very important point: what type of storage do you use for
this ESXi5 server: local, nfs, iscsi?? If you use a local harddisk, it
is highly recommended that you use a specific storage hardware device
like an HP SmartArray, Dell PERC, etc ...


For example: on a HP ML115 G5 with a MCP55 SATA controller, disk 
performance is horrible. In this ESXi 5 server I use another box with 
RHEL6 installed acting as an iscsi server and all works very very well ...


Bye.



--
CL Martinez
carlopmart {at} gmail {d0t} com



OT: Building a DNS blackhole server

2011-10-20 Thread carlopmart

Hi all,

 Actually, I have two OpenBSD 4.9 servers, one as a primary DNS server
and the second acting as a slave. I would like to implement a DNS
blackhole in both servers. Reading and searching docs about this topic I
have found this comparison table in wikipedia:


https://secure.wikimedia.org/wikipedia/en/wiki/Comparison_of_DNS_blacklists

 But, what is your opinion about this table?? What are the most
reliable suppliers??? Which of these lists is safe to deploy in a
production environment? I do not want to generate more false positives
than necessary.


Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



Will be pv_scsi driver supported on obsd 4.9?

2011-04-05 Thread carlopmart

Hi all,

 Will the vmware pv_scsi disk driver be supported on OBSD 4.9??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-24 Thread carlopmart

On 11/24/2010 02:36 PM, SJP Lists wrote:

On 24 November 2010 19:34, SJP Lists  wrote:

On 24 November 2010 01:12, Brad Tilley  wrote:

carlopmart wrote:


  Advantages are very clear for me: provisioning, administration tasks,
etc ... But I would like to know the disadvantages. What is your opinion from
the point of view of security?


I use virtualization for many things (mainly for the productivity
advantages that you list), but it has always bothered me because
virtualization is pretending.

In Java, for example, the VM pretends about a lot of things that are not
true in the physical world. This makes it easy and convenient for
programmers. The problem is that they come to believe that the pretend
things are real and then make assumptions (when dealing with physical
machines) that are incorrect.


Yes, the virtualization of the programmable interval timer is one
example where pretending makes for some crazy situations.  Only a few
nights ago, I patched a Debian ESXi 4.1 VM and when it rebooted it
would not boot, stating that the PIT was not functioning.

Time keeping is weird in x86 virtualization.  I've seen Windows ESX
VM's with time that not only stops and then suddenly jumps forwards,
but even goes back!

Seen the madness of a virtualized NTP server?  VMware have a
Timekeeping whitepaper that is sugar coated to say the least.

All anyone need do is watch the advisories for VMware to soon realise
that the choice is a trade off, where the drawbacks (security and
weirdness) are as big as the benefits.

And again, I say look at the Google research that found all
implementations vulnerable.  If security matters less than the cost of
dedicated hardware, then use it.


Oh and another thing, a colleague of mine and myself noticed on
separate occasions with different VM's and OS' under what probably
would have been ESX 3.5 at the time, that a scheduled task would not
run if the console was not open / have focus!

I also noticed that while time appeared to completely stand still in a
Windows VM under ESX, it could be made to tick again by generating
lots of interrupts.  Vigorous mouse movement barely made a difference,
however performing a file system search got the clock counting faster
than realtime.

I now wonder if this is due to dropped interrupts or lost ticks as
VMware refer to in [1], a document which describes the time keeping
weirdness that needs to be dealt with to get around the fact that the
x86 architecture was not designed from the ground up for this type of
virtualization.

So what other weird complexities do they need to employ to get around
other quirks?

Sorry, but as far as I am concerned, virtualization presents a new and
complex attack surface that no guest OS could control.  So if you're
using OpenBSD for a security focused role, I'd forget x86
virtualization.


Shane

[1] http://www.vmware.com/files/pdf/Timekeeping-In-VirtualMachines.pdf




Thank you all for your answers. Now I have a clearer idea of the downsides of 
virtualization regarding security OS's, devices, etc..


Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread carlopmart

On 11/23/2010 04:03 PM, Stuart Henderson wrote:

On 2010-11-23, carlopmart  wrote:

Hi all,

   First of all, I don't want to start a flame. I would like to know your
opinion about using virtual firewalls like OpenBSD in virtual infrastructures
like vmware, kvm, xen, etc ...

   Advantages are very clear for me: provisioning, administration tasks, etc
... But I would like to know the disadvantages. What is your opinion from the
point of view of security?

   Thanks.


How will you protect your management interface if the firewall is
virtualised?




At logical level or physical level?? At logical level I can configure a virtual 
bridge on this interface and apply firewall rules. Physically, impossible, obvious.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread carlopmart

On 11/23/2010 02:33 PM, Jim Razmus wrote:

* carlopmart  [101123 08:22]:

On 11/23/2010 01:48 PM, carlopmart wrote:

On 11/23/2010 01:42 PM, Bret Lambert wrote:

Because you're still relying on your host's network stack, you aren't
actually firewalling it.



Uhmm .. I am not sure about this. For example: you can configure several virtual
bridges under an ESXi host and then attach them to a virtual firewall like OpenBSD.
If you configure some pf rules, you are doing firewalling ... In this case you have
the whole network stack except layer 1, correct??


And one more thing: with the latest releases of hypervisors like ESXi
and KVM (I don't know about xen), you can attach physical hardware
to a specific guest, like network interfaces. Then, you have the whole
network stack assigned to a virtual machine. Where are the
disadvantages in scenarios like this??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



You're still relying on software to do the right thing and protect against
abuse.  "attach physical hardware to a specific guest" is done via
software.  Do you trust that software?

jim@




Uhmm ... good point Jim. But one question: can you compromise this virtual
firewall using a specific exploit, procedure, etc. and not do the same with a
physical firewall??


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread carlopmart

On 11/23/2010 02:30 PM, Timo Schoeler wrote:

thus carlopmart spake:

On 11/23/2010 01:48 PM, carlopmart wrote:

On 11/23/2010 01:42 PM, Bret Lambert wrote:

Because you're still relying on your host's network stack, you aren't
actually firewalling it.



Uhmm .. I am not sure about this. For example: you can configure
several virtual bridges under an ESXi host and then attach them to a
virtual firewall like OpenBSD. If you configure some pf rules, you are
doing firewalling ... In this case you have the whole network stack
except layer 1, correct??


And one more thing: with the latest releases of hypervisors like ESXi and
KVM (I don't know about xen), you can attach physical hardware to a
specific guest, like network interfaces. Then, you have the whole network
stack assigned to a virtual machine. Where are the disadvantages in
scenarios like this??

Thanks.


http://kerneltrap.org/mailarchive/openbsd-misc/2007/10/24/352059


Yes, but this question is three years old and hypervisors have changed ...

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread carlopmart

On 11/23/2010 01:48 PM, carlopmart wrote:

On 11/23/2010 01:42 PM, Bret Lambert wrote:

Because you're still relying on your host's network stack, you aren't
actually firewalling it.



Uhmm .. I am not sure about this. For example: you can configure several virtual
bridges under an ESXi host and then attach them to a virtual firewall like OpenBSD.
If you configure some pf rules, you are doing firewalling ... In this case you have
the whole network stack except layer 1, correct??


And one more thing: with the latest releases of hypervisors like ESXi and KVM (I don't
know about xen), you can attach physical hardware to a specific guest, like network
interfaces. Then, you have the whole network stack assigned to a virtual machine. Where
are the disadvantages in scenarios like this??


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread carlopmart

On 11/23/2010 01:42 PM, Bret Lambert wrote:

Because you're still relying on your host's network stack, you aren't
actually firewalling it.



Uhmm .. I am not sure about this. For example: you can configure several virtual
bridges under an ESXi host and then attach them to a virtual firewall like OpenBSD.
If you configure some pf rules, you are doing firewalling ... In this case you have
the whole network stack except layer 1, correct??

--
CL Martinez
carlopmart {at} gmail {d0t} com



OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread carlopmart

Hi all,

 First of all, I don't want to start a flame. I would like to know your opinion about
using virtual firewalls in virtual infrastructures like vmware, kvm, xen, etc. ...
like OpenBSD.


 Advantages are very clear for me: provisioning, administration tasks, etc. ... But
I would like to know the disadvantages. What is your opinion from the point of view of
security?


 Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: iSCSI boot on OpenBSD

2009-12-01 Thread carlopmart

Aaron Mason wrote:

On Wed, Dec 2, 2009 at 8:44 AM, Robert  wrote:

On Tue, 01 Dec 2009 19:30:27 +0100
carlopmart  wrote:


Hi all,

  I am trying to find some info to boot an openbsd from a SAN
(iSCSI). Is it possible with the latest openbsd release?

Thanks.


No.

- Robert




It would be possible with a RAM disk if OpenBSD had something like
pivot_root or switch_root for Linux, but AFAIK no such capability
exists.  You could do PXE boot and mount NFS shares for root - this
process is well documented in the FAQ.

HTH


Maybe I can use the pxe/nfs solution ... Ok, I will try it.

Many thanks to all for your help.

--
CL Martinez
carlopmart {at} gmail {d0t} com



iSCSI boot on OpenBSD

2009-12-01 Thread carlopmart

Hi all,

 I am trying to find some info to boot an openbsd from a SAN (iSCSI). Is it 
possible with the latest openbsd release?


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Using ospfd to establish default routes with two outgoing connections (SOLVED)

2009-05-08 Thread carlopmart

Stuart Henderson wrote:

On 2009-05-07, carlopmart  wrote:

Matthew Dempsky wrote:

On Thu, May 7, 2009 at 1:47 PM, carlopmart  wrote:

Which is that sysctl param Stuart??

net.inet.ip.multipath

See http://www.openbsd.org/faq/faq6.html#Multipath

I have set up this param previously ... And I think I have found the problem. I
am using vlan on this OpenBSD box, and I have set the mtu to 1450. Maybe this can
be a problem for using OSPF??


You probably have an error in the logs on both sides telling you that
the MTU mismatches.

Why do you change the MTU? VLANs would be pretty useless if they meant
using different MTU all over the place.


Finally, I have found my problem: MTU. I have changed the mtu on the OpenBSD box to
1492 and all works ok.


Many thanks to all.

--
CL Martinez
carlopmart {at} gmail {d0t} com
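The thread ends with "the MTU was the problem" without saying why an MTU difference stops OSPF cold instead of merely causing fragmentation. The reason is in the Database Description exchange: RFC 2328 section 10.6 says a router must reject a DBD whose Interface MTU field is larger than the receiving interface can carry, so the two sides never leave ExStart and `ospfctl show neighbor` stays empty, exactly what the original post shows. The ifconfig output in this thread has the vlan interfaces at 1496 (the parent em1 at 1500 minus the 4-byte 802.1Q tag), and the poster first forced 1450. The following is an added example, my code and not ospfd's, that builds and parses a DBD packet with auth-type none (as in the thread's ospfd.conf) and applies that check; router IDs and MTU values are constructed from the thread, nothing is captured.

```python
"""
Parse an OSPFv2 Database Description (DBD) packet and apply the Interface MTU
check from RFC 2328 section 10.6. Added example with constructed packets; the
checksum is the standard Internet checksum (RFC 1071) over the OSPF packet with
the checksum field zeroed, which for auth-type none equals the RFC 2328 rule.
"""
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_TYPE_DBD = 2
# version, type, packet length, router id, area id, checksum, autype, authentication
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")        # 24 bytes
# interface MTU, options, flags (I=0x04 M=0x02 MS=0x01), DD sequence number
DBD_HDR = struct.Struct("!HBBI")                # 8 bytes
CHECKSUM_OFFSET = 12                            # byte offset of the checksum field


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded and complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dbd(router_id: str, area_id: str, interface_mtu: int,
              options: int = 0x02, flags: int = 0x07, dd_seq: int = 1) -> bytes:
    """Assemble a DBD packet with auth-type none (0). flags=0x07 is the first
    ExStart packet: Init, More and Master/Slave all set."""
    body = DBD_HDR.pack(interface_mtu, options, flags, dd_seq)
    rid = ipaddress.IPv4Address(router_id).packed
    aid = ipaddress.IPv4Address(area_id).packed
    length = OSPF_HDR.size + len(body)
    unsummed = OSPF_HDR.pack(OSPF_VERSION, OSPF_TYPE_DBD, length, rid, aid,
                             0, 0, b"\x00" * 8) + body
    csum = internet_checksum(unsummed)
    return OSPF_HDR.pack(OSPF_VERSION, OSPF_TYPE_DBD, length, rid, aid,
                         csum, 0, b"\x00" * 8) + body


def parse_dbd(packet: bytes) -> dict:
    """Validate version, type, length and checksum, then return the DBD fields."""
    if len(packet) < OSPF_HDR.size + DBD_HDR.size:
        raise ValueError("packet too short for an OSPF DBD")
    version, ptype, length, rid, aid, csum, autype, _auth = OSPF_HDR.unpack_from(packet)
    if version != OSPF_VERSION:
        raise ValueError(f"unsupported OSPF version {version}")
    if ptype != OSPF_TYPE_DBD:
        raise ValueError(f"not a DBD packet (type {ptype})")
    if length != len(packet):
        raise ValueError("OSPF length field does not match packet size")
    if autype != 0:
        raise ValueError("this example only handles auth-type none")
    zeroed = packet[:CHECKSUM_OFFSET] + b"\x00\x00" + packet[CHECKSUM_OFFSET + 2:]
    if internet_checksum(zeroed) != csum:
        raise ValueError("bad OSPF checksum")
    mtu, options, flags, dd_seq = DBD_HDR.unpack_from(packet, OSPF_HDR.size)
    return {
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(aid)),
        "interface_mtu": mtu,
        "options": options,
        "init": bool(flags & 0x04),
        "more": bool(flags & 0x02),
        "master": bool(flags & 0x01),
        "dd_seq": dd_seq,
    }


def dbd_rejected(local_mtu: int, packet: bytes) -> bool:
    """RFC 2328 10.6: drop the DBD if the neighbour's Interface MTU exceeds the
    MTU of the interface it arrived on. The side with the smaller MTU is the one
    that rejects, so any inequality leaves at least one side stuck in ExStart."""
    return parse_dbd(packet)["interface_mtu"] > local_mtu


def is_valid_dbd(packet: bytes) -> bool:
    try:
        parse_dbd(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed exchange: a neighbour at MTU 1500 talks to an OpenBSD vlan
    # interface set to 1450 (the thread's original setting) and then to 1500.
    from_ext = build_dbd("172.16.34.1", "0.0.0.0", 1500)
    print("1450 side rejects neighbour DBD:", dbd_rejected(1450, from_ext))
    print("1500 side rejects neighbour DBD:", dbd_rejected(1500, from_ext))
```

ospfd applies the same comparison against the MTU of the receiving interface, which is why the fix in the thread (making both ends agree) works and why Stuart expected an error in the logs on both sides rather than a silent failure.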



Re: Using ospfd to establish default routes with two outgoing connections

2009-05-07 Thread carlopmart

Matthew Dempsky wrote:

On Thu, May 7, 2009 at 1:47 PM, carlopmart  wrote:

Which is that sysctl param Stuart??


net.inet.ip.multipath

See http://www.openbsd.org/faq/faq6.html#Multipath

I have set up this param previously ... And I think I have found the problem. I
am using vlan on this OpenBSD box, and I have set the mtu to 1450. Maybe this can
be a problem for using OSPF??


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Using ospfd to establish default routes with two outgoing connections

2009-05-07 Thread carlopmart

Stuart Henderson wrote:

On 2009-05-07, carlopmart  wrote:

Stuart Henderson wrote:

On 2009-05-07, carlopmart  wrote:

Hi all,

  I am trying to establish default routes on an openbsd firewall using ospfd
instead of using multipath + route-to under pf.conf, without luck.


  My topology is:

Internet --- ExtFw1 |
 |
 OpenBSDFw - Internal Network
 |
Internet --- ExtFw2 |


  ExtFw1 and ExtFw2 are commercial products with different versions. I have put
a rule to pass all traffic generated by OpenBSD on both external firewalls.


ExtFw1 and ExtFw2 are running OSPF and announcing a default route
into it, right??

At this time yes. Extfw are commercial firewalls based on linux and I use quagga
to configure ospf on each one. But no route is attached to openbsd via ospf ...




Then there's something basic wrong, because the routers aren't
forming adjacencies. Look at the logs everywhere, maybe look at
tcpdump.

OpenOSPFd does support ECMP providing the sysctl is set (otherwise
the kernel won't accept multiple routes to the same prefix with the
same routing priority).



Which is that sysctl param Stuart??

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Using ospfd to establish default routes with two outgoing connections

2009-05-07 Thread carlopmart

Marco Fretz wrote:

Hi,

I'm not 100% clear if I got you right, but if I'm right you have to do the
"redistribute default" on your 2 external firewalls, because the openbsd box
needs the default route (to the internet), not the other way round...

ExtFw has a (static?) route to the ISP. OpenBSDFw gets the default route
dynamically via OSPF from ExtFw1 or from ExtFw2. That's it.

Are ExtFw1, ExtFw2 and OpenBSDFw on the same subnet?

Generally you have to run ospf on all 3 boxes. On ExtFw1 set the metric lower
than on ExtFw2 so OpenBSDFw will use the default route from ExtFw1 as long as
ExtFw1 is available and the ospf adjacencies are established.

OSPF redistribution means that the local router will announce prefix
0.0.0.0/0 pointing to the address of the interface where the LSA is sent
out...

Is that what you're looking for?

greets
Marco




Extfw1 and Extfw2 are on different subnets:

 - ExtFw1: 172.16.34.0/30

 - ExtFw2: 172.16.55.0/30

 OpenBSD connects to both subnets using two different interfaces.

And yes, both external firewalls have a static default route.

 What I am trying to do is to load balance outgoing connections like
ifstated + multipath + route-to round robin in pf.conf does. But reading more
carefully about using OSPF I think that ospf only provides active/passive
default routes. Am I correct???

On Thu, May 7, 2009 at 3:40 PM, carlopmart  wrote:


Stuart Henderson wrote:


On 2009-05-07, carlopmart  wrote:


Hi all,

 I am trying to establish default routes on an openbsd firewall using
ospfd instead of using multipath + route-to under pf.conf, without luck.

 My topology is:

Internet --- ExtFw1 |
|
OpenBSDFw - Internal Network
|
Internet --- ExtFw2 |


 ExtFw1 and ExtFw2 are commercial products with different versions. I
have put a rule to pass all traffic generated by OpenBSD on both external
firewalls.



ExtFw1 and ExtFw2 are running OSPF and announcing a default route
into it, right??



At this time yes. Extfw are commercial firewalls based on linux and I use
quagga to configure ospf on each one. But no route is attached to openbsd
via ospf ...


--
CL Martinez
carlopmart {at} gmail {d0t} com






--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Using ospfd to establish default routes with two outgoing connections

2009-05-07 Thread carlopmart

Stuart Henderson wrote:

On 2009-05-07, carlopmart  wrote:

Hi all,

  I am trying to establish default routes on an openbsd firewall using ospfd
instead of using multipath + route-to under pf.conf, without luck.


  My topology is:

Internet --- ExtFw1 |
 |
 OpenBSDFw - Internal Network
 |
Internet --- ExtFw2 |


  ExtFw1 and ExtFw2 are commercial products with different versions. I have put
a rule to pass all traffic generated by OpenBSD on both external firewalls.



ExtFw1 and ExtFw2 are running OSPF and announcing a default route
into it, right??



At this time yes. Extfw are commercial firewalls based on linux and I use quagga
to configure ospf on each one. But no route is attached to openbsd via ospf ...


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Using ospfd to establish default routes with two outgoing connections

2009-05-07 Thread carlopmart

carlopmart wrote:

Hi all,

 I am trying to establish default routes on an openbsd firewall using
ospfd instead of using multipath + route-to under pf.conf, without luck.


 My topology is:

Internet --- ExtFw1 |
|
OpenBSDFw - Internal Network
|
Internet --- ExtFw2 |


 ExtFw1 and ExtFw2 are commercial products with different versions. I
have put a rule to pass all traffic generated by OpenBSD on both
external firewalls.



 My interfaces config are:

em0: flags=8843 mtu 1500
lladdr 00:50:56:29:f2:2c
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 172.25.50.1 netmask 0xffe0 broadcast 172.25.50.31
inet6 fe80::250:56ff:fe29:f22c%em0 prefixlen 64 scopeid 0x1
em1: flags=8843 mtu 1500
lladdr 00:50:56:0f:7b:b0
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet6 fe80::250:56ff:fe0f:7bb0%em1 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
priority: 0
vlan15: flags=8843 mtu 1500
lladdr 00:50:56:0f:7b:b0
description: Management Interface
priority: 0
vlan: 15 priority: 0 parent interface: em1
groups: vlan
inet6 fe80::250:56ff:fe0f:7bb0%vlan15 prefixlen 64 scopeid 0x5
inet 172.25.65.1 netmask 0xfff0 broadcast 172.25.65.15
vlan25: flags=8843 mtu 1500
lladdr 00:50:56:0f:7b:b0
description: VPN Interface
priority: 0
vlan: 25 priority: 0 parent interface: em1
groups: vlan
inet6 fe80::250:56ff:fe0f:7bb0%vlan25 prefixlen 64 scopeid 0x6
inet 172.25.85.1 netmask 0xfff8 broadcast 172.25.85.7
vlan35: flags=8843 mtu 1496
lladdr 00:50:56:0f:7b:b0
description: Primary Outgoing Interface
priority: 0
vlan: 35 priority: 0 parent interface: em1
groups: vlan egress
inet6 fe80::250:56ff:fe0f:7bb0%vlan35 prefixlen 64 scopeid 0x7
inet 192.168.100.66 netmask 0xfffc broadcast 192.168.100.67
vlan45: flags=8843 mtu 1496
lladdr 00:50:56:0f:7b:b0
description: Secondary Outgoing Interface
priority: 0
vlan: 45 priority: 0 parent interface: em1
groups: vlan
inet6 fe80::250:56ff:fe0f:7bb0%vlan45 prefixlen 64 scopeid 0x8
inet 10.10.10.201 netmask 0xfff8 broadcast 10.10.10.207
pflog0: flags=141 mtu 33204
priority: 0
groups: pflog


My ospfd.conf:

router-id 192.168.100.66
fib-update yes
redistribute connected
redistribute default

area 0.0.0.0 {
auth-type none
interface vlan35
interface vlan45 { metric 20 }
}

Output of "ospfctl show database" command is:

Router Link States (Area 0.0.0.0)

Link ID Adv Router  Age  Seq#   Checksum
192.168.100.66  192.168.100.66  641  0x8001 0x3bdc

Type-5 AS External Link States

Link ID Adv Router  Age  Seq#   Checksum
0.0.0.0 192.168.100.66  641  0x8001 0x11cf
172.25.50.0 192.168.100.66  641  0x8001 0x3ccb
172.25.65.0 192.168.100.66  641  0x8001 0xf6f1
172.25.85.0 192.168.100.66  641  0x8001 0x4a82



Output of "ospfctl show n" command is:

r...@obsdintfw:~# ospfctl show n
ID  Pri StateDeadTime Address Iface Uptime

r...@obsdintfw:~#


Output of "ospfctl show r" command is:

r...@obsdfwint:~# ospfctl show r
Destination  Nexthop   Path TypeType  Cost
Uptime


r...@obsdfwint:~#

 Is this configuration correct? Why can't I establish my default routes
with multipath using ospfd? Or am I wrong and I can only use
multipath + route-to with pf.conf??


Many thanks.


Sorry I forgot to mention OpenBSD version: 4.5

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Using ospfd to establish default routes with two outgoing connections

2009-05-07 Thread carlopmart

Hi all,

 I am trying to establish default routes on an openbsd firewall using ospfd
instead of using multipath + route-to under pf.conf, without luck.


 My topology is:

Internet --- ExtFw1 |
|
OpenBSDFw - Internal Network
|
Internet --- ExtFw2 |


 ExtFw1 and ExtFw2 are commercial products with different versions. I have put
a rule to pass all traffic generated by OpenBSD on both external firewalls.



 My interfaces config are:

em0: flags=8843 mtu 1500
lladdr 00:50:56:29:f2:2c
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 172.25.50.1 netmask 0xffe0 broadcast 172.25.50.31
inet6 fe80::250:56ff:fe29:f22c%em0 prefixlen 64 scopeid 0x1
em1: flags=8843 mtu 1500
lladdr 00:50:56:0f:7b:b0
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet6 fe80::250:56ff:fe0f:7bb0%em1 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
priority: 0
vlan15: flags=8843 mtu 1500
lladdr 00:50:56:0f:7b:b0
description: Management Interface
priority: 0
vlan: 15 priority: 0 parent interface: em1
groups: vlan
inet6 fe80::250:56ff:fe0f:7bb0%vlan15 prefixlen 64 scopeid 0x5
inet 172.25.65.1 netmask 0xfff0 broadcast 172.25.65.15
vlan25: flags=8843 mtu 1500
lladdr 00:50:56:0f:7b:b0
description: VPN Interface
priority: 0
vlan: 25 priority: 0 parent interface: em1
groups: vlan
inet6 fe80::250:56ff:fe0f:7bb0%vlan25 prefixlen 64 scopeid 0x6
inet 172.25.85.1 netmask 0xfff8 broadcast 172.25.85.7
vlan35: flags=8843 mtu 1496
lladdr 00:50:56:0f:7b:b0
description: Primary Outgoing Interface
priority: 0
vlan: 35 priority: 0 parent interface: em1
groups: vlan egress
inet6 fe80::250:56ff:fe0f:7bb0%vlan35 prefixlen 64 scopeid 0x7
inet 192.168.100.66 netmask 0xfffc broadcast 192.168.100.67
vlan45: flags=8843 mtu 1496
lladdr 00:50:56:0f:7b:b0
description: Secondary Outgoing Interface
priority: 0
vlan: 45 priority: 0 parent interface: em1
groups: vlan
inet6 fe80::250:56ff:fe0f:7bb0%vlan45 prefixlen 64 scopeid 0x8
inet 10.10.10.201 netmask 0xfff8 broadcast 10.10.10.207
pflog0: flags=141 mtu 33204
priority: 0
groups: pflog


My ospfd.conf:

router-id 192.168.100.66
fib-update yes
redistribute connected
redistribute default

area 0.0.0.0 {
auth-type none
interface vlan35
interface vlan45 { metric 20 }
}

Output of "ospfctl show database" command is:

Router Link States (Area 0.0.0.0)

Link ID Adv Router  Age  Seq#   Checksum
192.168.100.66  192.168.100.66  641  0x8001 0x3bdc

Type-5 AS External Link States

Link ID Adv Router  Age  Seq#   Checksum
0.0.0.0 192.168.100.66  641  0x8001 0x11cf
172.25.50.0 192.168.100.66  641  0x8001 0x3ccb
172.25.65.0 192.168.100.66  641  0x8001 0xf6f1
172.25.85.0 192.168.100.66  641  0x8001 0x4a82



Output of "ospfctl show n" command is:

r...@obsdintfw:~# ospfctl show n
ID  Pri StateDeadTime Address Iface Uptime

r...@obsdintfw:~#


Output of "ospfctl show r" command is:

r...@obsdfwint:~# ospfctl show r
Destination  Nexthop   Path TypeType  CostUptime

r...@obsdfwint:~#

 Is this configuration correct? Why can't I establish my default routes with
multipath using ospfd? Or am I wrong and I can only use multipath + route-to with
pf.conf??


Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Setting time range and timeout for authpf rules

2008-12-13 Thread carlopmart

ropers wrote:

2008/12/13 carlopmart :

ropers wrote:

carlopmart wrote:

 How can I establish a time range and timeout for an authpf rule?
For example I would like to permit access from my windows servers
(after ssh authentication) to windowsupdate servers from 10:00 am to 13:00
and block this traffic if no connection is established during 10
minutes.

Wade, Daniel wrote:

Crontab job to load a different pf.conf

2008/12/12 carlopmart :

Thanks Daniel, but I had already thought about this option but there are
some problems:

 a) I need to maintain several pf.conf files for every access
 b) I can't control timeouts when servers don't generate traffic ...

About (a):
I guess if you're really worried about maintaining two pf.conf files,
you could write a script that will edit your one single pf.conf (so
that it would comment out/de-comment specific lines; by content, not
by line number) and call that script via crontab. It would however be
really easy to clobber your pf.conf when doing this, if you're not
careful.

About (b):
I understand you would prefer to only permit your Windows-based
servers to access Microsoft's windowsupdate servers if and only if
they will actually try to reach windowsupdate between 10 and 13 am.

I'm no Hansteen, Hartmeier or Henning, but it is my understanding that
Pf has no clairvoyance feature. Is it really harmful to allow your
servers to access windowsupdate from 10 to 13, whether they actually
will do it or not? Also, from what I understand you want to
dynamically change your active ruleset to allow access once traffic
starts flowing during that time. What is the difference between that
and allowing access during that time anyway? Or what am I missing? Am
I horribly misunderstanding you?

A somewhat confused
--ropers



Many thanks for your answers ropers. About question a): Ok, if I only need to
maintain two pf.conf files, crontab is the perfect solution as I can open
rules dynamically with pfctl, but I have other situations in which I need to open
and close rules if traffic doesn't exist ... but if crontab is the only
solution at this moment, then I will use it.

About question b), you have understood me perfectly ... and you are right, in
this case it doesn't matter. But suppose that instead of windows
servers, they are remote users. I do not like rules that are permanently
open in that time slot. How can I close these rules immediately??


Hm, have you looked at authpf?
http://www.openbsd.org/cgi-bin/man.cgi?query=authpf

regards,
--ropers


Yes, I have seen it, but can I define timeouts for an authpf rule?? authpf is a perfect
solution for my environment, but only if I can assign timeouts ...

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Setting time range and timeout for authpf rules

2008-12-13 Thread carlopmart

ropers wrote:

carlopmart wrote:

 How can I establish a time range and timeout for an authpf rule?
For example I would like to permit access from my windows servers (after
ssh authentication) to windowsupdate servers from 10:00 am to 13:00
and block this traffic if no connection is established during 10 minutes.



Wade, Daniel wrote:

Crontab job to load a different pf.conf


2008/12/12 carlopmart :

Thanks Daniel, but I had already thought about this option but there are some
problems:

 a) I need to maintain several pf.conf files for every access
 b) I can't control timeouts when servers don't generate traffic ...


About (a):
I guess if you're really worried about maintaining two pf.conf files,
you could write a script that will edit your one single pf.conf (so
that it would comment out/de-comment specific lines; by content, not
by line number) and call that script via crontab. It would however be
really easy to clobber your pf.conf when doing this, if you're not
careful.

About (b):
I understand you would prefer to only permit your Windows-based
servers to access Microsoft's windowsupdate servers if and only if
they will actually try to reach windowsupdate between 10 and 13 am.

I'm no Hansteen, Hartmeier or Henning, but it is my understanding that
Pf has no clairvoyance feature. Is it really harmful to allow your
servers to access windowsupdate from 10 to 13, whether they actually
will do it or not? Also, from what I understand you want to
dynamically change your active ruleset to allow access once traffic
starts flowing during that time. What is the difference between that
and allowing access during that time anyway? Or what am I missing? Am
I horribly misunderstanding you?

A somewhat confused
--ropers




Many thanks for your answers ropers. About question a): Ok, if I only need to
maintain two pf.conf files, crontab is the perfect solution as I can open rules
dynamically with pfctl, but I have other situations in which I need to open and close
rules if traffic doesn't exist ... but if crontab is the only solution at this
moment, then I will use it.


About question b), you have understood me perfectly ... and you are right, in
this case it doesn't matter. But suppose that instead of windows servers,
they are remote users. I do not like rules that are permanently open in that
time slot. How can I close these rules immediately??




--
CL Martinez
carlopmart {at} gmail {d0t} com
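In both of the replies above ropers sketches a cron-driven script that comments and uncomments specific pf.conf lines by content rather than by line number, and warns that it is easy to clobber the ruleset that way. The following is an added example of that idea; it is my code, not ropers's and not part of OpenBSD. The `# BEGIN timed:<tag>` / `# END timed:<tag>` markers and the `#-- ` prefix for a disabled rule are my own conventions, chosen so that ordinary `#` comments inside the block are never touched and so that the edit is idempotent. Before the live file is replaced the candidate is parsed with `pfctl -nf`, which checks syntax without loading, and a block with a missing END marker is refused outright. The sample ruleset is constructed for the example.

```python
"""
Enable or disable a tagged block of pf rules inside a time window, by content.
Run it from cron every few minutes; whatever state the file is in, it converges
to "enabled inside the window, disabled outside". Added example, not thread code.
"""
import shutil
import subprocess
import sys
from datetime import datetime, time
from typing import Optional

BEGIN = "# BEGIN timed:"     # block: "# BEGIN timed:<tag>" ... rules ... "# END timed:<tag>"
END = "# END timed:"
DISABLED = "#-- "            # prefix for a rule turned off by this script

# Constructed sample ruleset (hosts follow the addressing used elsewhere in this thread).
SAMPLE_CONF = """\
set skip on lo0
# BEGIN timed:windowsupdate
# constructed sample: two servers may reach port 80 only inside the window
pass in on em0 inet proto tcp from 172.25.50.10 to any port 80 keep state
pass in on em0 inet proto tcp from 172.25.50.11 to any port 80 keep state
# END timed:windowsupdate
block all
"""


def toggle_block(conf: str, tag: str, enable: bool) -> str:
    """Return conf with every rule inside the tagged block enabled or disabled.
    Lines outside the block, and '#' comments inside it, are left untouched."""
    out, inside = [], False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped == BEGIN + tag:
            if inside:
                raise ValueError(f"nested BEGIN for block {tag!r}")
            inside = True
        elif stripped == END + tag:
            if not inside:
                raise ValueError(f"END without BEGIN for block {tag!r}")
            inside = False
        elif inside:
            indent = line[: len(line) - len(line.lstrip())]
            if stripped.startswith(DISABLED):
                if enable:
                    line = indent + line.lstrip()[len(DISABLED):]
            elif stripped and not stripped.startswith("#"):
                if not enable:
                    line = indent + DISABLED + line.lstrip()
        out.append(line)
    if inside:
        raise ValueError(f"block {tag!r} has no END marker; refusing to write a half-edited ruleset")
    return "\n".join(out) + ("\n" if conf.endswith("\n") else "")


def in_window(now: time, start: time, end: time) -> bool:
    """True when now is inside [start, end); a window may wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def window_active(now_hhmm: str, start_hhmm: str, end_hhmm: str) -> bool:
    """String form of in_window for command-line and cron use ("10:00", "13:00")."""
    return in_window(time.fromisoformat(now_hhmm), time.fromisoformat(start_hhmm),
                     time.fromisoformat(end_hhmm))


def apply_window(path: str, tag: str, start: time, end: time,
                 now: Optional[time] = None) -> bool:
    """Rewrite path so the block is enabled only inside the window, syntax-check the
    result with 'pfctl -nf', then install it with 'pfctl -f'. Returns the new state."""
    now = now or datetime.now().time()
    enable = in_window(now, start, end)
    with open(path) as fh:
        current = fh.read()
    updated = toggle_block(current, tag, enable)
    if updated != current:
        candidate = path + ".new"
        with open(candidate, "w") as fh:
            fh.write(updated)
        subprocess.run(["pfctl", "-nf", candidate], check=True)   # parse only, abort on error
        shutil.move(candidate, path)
        subprocess.run(["pfctl", "-f", path], check=True)
    return enable


if __name__ == "__main__":
    # usage: timed_rules.py /etc/pf.conf windowsupdate 10:00 13:00
    conf_path, tag, start_s, end_s = sys.argv[1:5]
    state = apply_window(conf_path, tag, time.fromisoformat(start_s), time.fromisoformat(end_s))
    print("enabled" if state else "disabled")
```

A crontab line such as `*/5 * * * * /usr/local/sbin/timed_rules.py /etc/pf.conf windowsupdate 10:00 13:00` (path assumed) is enough to drive it. Note the part that no rule edit can solve, which is the second half of the original question: states created while the rules were active survive the reload and live on until pf's own state timeouts expire them, so closing the window "immediately" also needs `pfctl -k <host>` for the hosts concerned, or authpf, whose rules disappear when the ssh session ends.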



Re: Setting time range and timeout for authpf rules

2008-12-12 Thread carlopmart

Thanks Daniel, but I had already thought about this option but there are some
problems:

 a) I need to maintain several pf.conf files for every access
 b) I can't control timeouts when servers don't generate traffic ...



Wade, Daniel wrote:

Crontab job to load a different pf.conf



-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
Behalf Of carlopmart
Sent: Friday, December 12, 2008 1:30 PM
To: openbsd misc
Subject: Re: Setting time range and timeout for authpf rules

carlopmart wrote:

Hi all,

 How can I establish a time range and timeout for an authpf rule? For
example I would like to permit access from my windows servers (after
ssh authentication) to windowsupdate servers from 10:00 am to 13:00
and block this traffic if no connection is established during 10 minutes.

Many thanks.


Please, any hints?

--
CL Martinez
carlopmart {at} gmail {d0t} com






--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Setting time range and timeout for authpf rules

2008-12-12 Thread carlopmart

carlopmart wrote:

Hi all,

 How can I establish a time range and timeout for an authpf rule? For
example I would like to permit access from my windows servers (after
ssh authentication) to windowsupdate servers from 10:00 am to 13:00
and block this traffic if no connection is established during 10 minutes.


Many thanks.



Please, any hints?

--
CL Martinez
carlopmart {at} gmail {d0t} com



OT: Granting access from DMZ servers to iSCSI network

2008-12-12 Thread carlopmart

Hi all,

 Sorry for the off-topic but I need some help with a specific implementation. I
have two OpenBSD firewalls with 4 interfaces each: one for the internal lan, one
for the sync lan, one for the dmz lan and another for Internet access.


 I need to grant access from dmz servers to iscsi storage servers located on the
internal lan. Which would be the best way to accomplish this??


 a) Connect the DMZ servers directly to the iscsi servers using another private lan.
 b) Connect the DMZ servers to the iscsi servers using a private lan, but use the
openbsd firewalls to grant access to the iscsi network
 c) Use a third openbsd firewall (with a snort IDS to control traffic
content) configured as a bridge between the DMZ servers and the iSCSI servers ..


 Any other solution??

 Many thanks for your help.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Setting time range and timeout for authpf rules

2008-12-11 Thread carlopmart

Hi all,

 How can I establish a time range and timeout for an authpf rule? For example I
would like to permit access from my windows servers (after ssh
authentication) to windowsupdate servers from 10:00 am to 13:00 and block
this traffic if no connection is established during 10 minutes.


Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Altq doesn't works as I expect on OpenBSd 4.4

2008-11-20 Thread carlopmart

Stuart Henderson wrote:

  I have a problem with altq on OpenBSD 4.4 firewall, but I can not be
  properly understood how altq works.

...

  I have attached my pf.conf


this is way too complicated for you to get a good understanding
of how altq works.

please start with something simpler.


I have tried the home network sample from OpenBSD's altq FAQ without luck.




Is this rule perhaps catching your traffic?

pass out quick on egress inet proto tcp from $ext_if to !
 port { http smtp ssh } flags S/SA $ms tag fw_to_inet


No. When I download some iso image, the traffic is caught by this rule:

pass in on $lan_if inet from $savannah to !  flags S/SA
$ks tag prodlan_to_inet.


I have tried to apply a queue to this rule, but the result is the same. Bandwidth
isn't restricted.




If so, you should queue this, too.


also note you can queue the _inbound_ packets, which will associate
a queue with the state table entry, then the queue of this name will
be used when those packets are sent _out_.


Thanks Stuart. But I have tried to do the same using queues on inbound rules
without luck.





You could monitor the traffic with pftop for a traffic match/rule analysis.


many of the views from pftop are also available in systat
(in the base OS) these days.

see "systat queues", "systat rules", "systat pf" etc.





--
CL Martinez
carlopmart {at} gmail {d0t} com



Altq doesn't works as I expect on OpenBSd 4.4

2008-11-20 Thread carlopmart
Hi all,

  I have a problem with altq on an OpenBSD 4.4 firewall, but I cannot properly
understand how altq works. I need to guarantee 80% of the bandwidth of my DSL line
to http, smtp, etc. (not udp services), and the rest of this bandwidth is to be used
for udp or other protocols. Of course, if no udp service is requested, I would like to
use all the bandwidth for tcp, but first I want to know how to limit tcp outgoing
traffic to 80% of the bandwidth.

  I am doing several tests like downloading an iso image file from a public http
server and this action consumes all of the bandwidth. And I don't understand why. I
have tested rules using hfsc and cbq and all results are the same. Every tcp or
udp service consumes all the bandwidth.

  I have attached my pf.conf

  Many thanks to all and sorry for my poor English.


-- 
CL Martinez
carlopmart {at} gmail {d0t} com

#   $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.


lo_if = "lo0"
ext_if = "em2"
lan_if = "em0"
honey_if = "vlan15"
sync_if = "em3"
mgmt_if = "vlan45"
ipsec_if = "vlan25"
vpn_if = "vlan35"

carpext_if = "carp2"




prodlan = "172.25.50.0/27"
pfsynclan = "172.25.85.0/30"
honeylan = "172.25.75.0/29"
ipseclan = "172.25.55.0/29"
vpnlan = "192.168.100.64/29"
mgmtlan = "172.25.65.0/28"



thranduil = "172.25.50.10"
santgraal = "172.25.50.11"
parsifal = "172.25.50.12"
savannah = "172.25.50.28"
imrahil = "172.25.50.29"
minastirith = "172.25.50.30"
mithlond = "172.25.65.6"



ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
bruteforce_ssh = "(max-src-conn 10, max-src-conn-rate 3/3, overload 
 flush global)"



table  const { $prodlan $honeylan $ipseclan $vpnlan $mgmtlan 
}
table  const { $prodlan $pfsynclan $honeylan $ipseclan 
$vpnlan $mgmtlan }
table  const { $thranduil $parsifal $savannah }
table  const { $mithlond }
table  const { $imrahil $minastirith }


table  persist file "/etc/fwtables/dshield"



set skip on $lo_if
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization profile
set loginterface $ext_if
scrub on $ext_if reassemble tcp
scrub in on $ext_if all min-ttl 2
scrub out on $ext_if all no-df random-id max-mss 1440

altq on $ext_if bandwidth 310Kb hfsc queue { q_tcp, q_def, q_udp }
queue q_tcp bandwidth 80% priority 2 qlimit 100 hfsc (realtime 65% upperlimit 80%)
queue q_udp bandwidth 17% priority 3 qlimit 100 hfsc (realtime 15% upperlimit 17%)
queue q_def bandwidth 3% priority 1 qlimit 100 hfsc (upperlimit 10% default)

nat on egress inet from  to !  -> ($carpext_if:0) port 1024:65535

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $lan_if inet proto tcp from $savannah to !  port ftp -> 127.0.0.1 port 8021

no rdr

block drop log all label "Traffic Denied"
block drop in from no-route to any label "Traffic Denied"

block quick inet6 all label "IPV6 Traffic Denied"

antispoof quick for { $lo_if $lan_if $honey_if $sync_if $mgmt_if $ipsec_if $vpn_if } inet label "AntiSpoofing Rule"

pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick log on { $ext_if $lan_if $honey_if $mgmt_if $ipsec_if $vpn_if } proto carp keep state (no-sync)

block in quick on egress inet proto tcp from any to any flags /S label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags /SFRA label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags /SFRAU label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags A/A label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags F/SFRA label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags U/SFRAU label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SF/SF label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SF/SFRA label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SR/SR label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags FUP/FUP label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags FUP/SFRAUPEW label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SFRAU/SFRAU label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SFRAUP/SFRA
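The "block in quick ... flags" rules above each name one TCP flag combination that should never arrive unsolicited on the external interface (NULL, Xmas, SYN/FIN, SYN/RST and similar probes). The Python below is an added example, not part of the original post and not pf code: it models pf's "flags set/mask" test (of the flags named in the mask, exactly those named in the set must be on) and runs the post's twelve flag specs, in ruleset order, over a few constructed flag combinations, so you can see which rule a packet hits first and which rules overlap. The truncated last rule is left out, and the sample packets are made up for the demonstration.

```python
# Added example (not from the original post): a model of how pf evaluates
# "flags <set>/<mask>" on a TCP packet, applied to the egress block rules
# quoted above.  The rule list is copied from the pf.conf fragment; the
# truncated last rule ("flags SFRAUP/SFRA") is left out.

# TCP header flag bits, using the letters pf.conf(5) uses.
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flags_to_bits(letters: str) -> int:
    """Convert a pf flag letter string such as "SA" into a bitmask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec: str) -> tuple:
    """Parse "set/mask" into (set_bits, mask_bits).

    pf semantics: of the flags listed in <mask>, exactly those listed in
    <set> must be on; an empty <set> ("/SFRA") means none of them may be on.
    pfctl rejects a <set> that is not a subset of <mask>, and so do we.
    """
    set_part, sep, mask_part = spec.partition("/")
    if not sep or not mask_part:
        raise ValueError(f"flags spec must look like set/mask, got {spec!r}")
    set_bits = flags_to_bits(set_part)
    mask_bits = flags_to_bits(mask_part)
    if set_bits & ~mask_bits:
        raise ValueError(f"flags {set_part!r} not a subset of mask {mask_part!r}")
    return set_bits, mask_bits


def flags_match(pkt_flags: str, spec: str) -> bool:
    """True if a packet carrying pkt_flags is matched by "flags spec"."""
    set_bits, mask_bits = parse_flags_spec(spec)
    return (flags_to_bits(pkt_flags) & mask_bits) == set_bits


# The flag specs from the "block in quick on egress" rules, in ruleset order.
EGRESS_TCP_BLOCK_RULES = [
    "/S", "/SFRA", "/SFRAU", "A/A", "F/SFRA", "U/SFRAU",
    "SF/SF", "SF/SFRA", "SR/SR", "FUP/FUP", "FUP/SFRAUPEW", "SFRAU/SFRAU",
]


def matching_rules(pkt_flags: str, rules=EGRESS_TCP_BLOCK_RULES) -> list:
    """Every rule in the list that matches the packet; handy when auditing a
    ruleset for overlapping or redundant rules."""
    return [spec for spec in rules if flags_match(pkt_flags, spec)]


def first_match(pkt_flags: str, rules=EGRESS_TCP_BLOCK_RULES):
    """What pf does with 'quick' rules: the first match wins.
    Returns the matching spec, or None if the packet falls through."""
    for spec in rules:
        if flags_match(pkt_flags, spec):
            return spec
    return None


if __name__ == "__main__":
    # Constructed sample packets (flag letters, description); not real traffic.
    samples = [
        ("S", "plain SYN, new connection"),
        ("", "NULL scan"),
        ("FPU", "Xmas scan"),
        ("SF", "SYN+FIN probe"),
        ("SA", "unsolicited SYN/ACK"),
        ("SR", "SYN+RST"),
        ("A", "bare ACK with no state"),
    ]
    for flags, desc in samples:
        print(f"{flags or '(none)':8} {desc:28} "
              f"first={str(first_match(flags)):14} all={matching_rules(flags)}")
```

Two things to keep in mind when reading the output: pf consults the state table before the ruleset, so an ACK that belongs to an established connection never reaches "flags /S", only stateless ones do; and because the rules are "quick", "/S" catches a NULL or Xmas probe before the more specific rules further down ever see it, which the all= column makes visible.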

Enabling ipv6 in only one interface

2008-06-11 Thread carlopmart

Hi all,

 Does somebody know how I can enable IPv6 on only one interface? How can I do it? I 
have an OpenBSD 4.3 server with 6 interfaces and I need to set up IPv6 on only 
one interface to test some services.


Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Problems when natting ipsec communications

2008-04-03 Thread carlopmart

Hi all,

 I have a very strange problem related to using NAT rules with IPsec
communications. I have two StoneGate FW nodes in front of public ADSL lines.
Behind them, I have a pair of OpenBSD servers used only to serve VPN connections
over the IPsec protocol family (we use isakmpd).

 Ok, where is the problem? The problem appears when I need to NAT the isakmp and
isakmp-nat-t ports on the StoneGate firewalls. If we disable the NAT rule on the StoneGate
firewalls, all works ok: clients can connect via IPsec clients. But if we enable the 
NAT rule on the StoneGate firewalls, no client can connect via IPsec and it returns 
this error: UNEQUAL_PAYLOAD_LENGTHS.


 My rules on SG firewalls are:

 Access rule:

  - Src: NOT internal networks, Dst: sgfw_public_ip, Ports:
isakmp,isakmp-nat-t, Action: allowed

 Nat Rule:

  - Src: NOT Internal networks, Dst: sgfw_public_ip, Ports: isakmp,
isakmp-nat-t, Destination: openbsd_fws (carp interface), Ports: same as source.

 On OpenBSD sysctl.conf file i have enabled these options:

 net.inet.esp.enable=1
 net.inet.ah.enable=0
 net.inet.esp.udpencap=1
 net.inet.ipcomp.enable=1

 Do I need to do something else? I know that it isn't an OpenBSD problem,
or at least I think so. But I need to deploy this infrastructure as soon as possible.

 Many thanks for your help.



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: IPsec problem: multiple CAs

2007-11-23 Thread carlopmart

Toni Mueller wrote:

Hi,

I'm trying to get a VPN running that uses X.509 certificates for
authentication. I have such beasts running with one CA with no problem:

 CA1 -> server cert
 CA1 -> clients certs

works w/o any problems. Now I want to have

 CA1 -> server cert
 CA2 -> clients certs

with CA1 distinctly different from CA2. On the client I get an error
because it seems to be unable to get the CA certificate for CA2
(referenced in the PKCS#12 file that has the client cert).

Experimentation shows that after handing out the initial proposal, the
client exchanges some more packets with the server, apparently
requesting the CA cert for its own certificate, but doesn't get it
although the server has it (in /etc/isakmpd/ca). On server startup, it
also shows that it reads both CA certificates.

This is on OpenBSD 4.1 and with a huge and complex
isakmpd.{conf,policy} (making it not so easy to switch to ipsec.conf).
An upgrade to 4.2 could be possible if that would solve the problem.

Any ideas about what that could be, or how to cope with it?

TIA!


Best,
--Toni++




Good question Toni .. Is it possible to use multiple CAs with the new ipsec 
and isakmpd? I am really interested in this ... any hints?



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread carlopmart

Christoph Egger wrote:

On Wednesday 24 October 2007 17:25:25 Artur Grabowski wrote:

Christoph Egger <[EMAIL PROTECTED]> writes:

So I'm going to guess the answer is "No, integrating xen
paravirtualization is not a project priority at this time. Also, where
are your diffs?"

The OpenBSD/Xen source is at http://hg.recoil.org/openbsd-xen-sys.hg
Unfortunately, Anil has troubles with the availability of the server.

I rely on having a willing OpenBSD developer who commits the patches I
send to him. But as long as there is none, it doesn't go in.

I'm willing to stretch as far as saying: This might be interesting for
some testing purposes for kernel hackers if Xen could be hosted on
OpenBSD.

But this doesn't mean that I'm even close to volunteering doing the
job. It just would be cool to have if it doesn't break stuff.

//art


Actually it is good to find NULL-pointer (mostly use-after-free) bugs,
that are hard to find on real hardware.
Believe me or not: OpenBSD has tons of them.

Christoph



Christoph,

 One question about your Xen port: is it possible to compile a Xen 
para-virtualized OpenBSD kernel to launch a clean OpenBSD 4.1 or 4.2 install?


Thanks for your great job Christoph.



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread carlopmart

Chris Kuethe wrote:

On 10/24/07, carlopmart <[EMAIL PROTECTED]> wrote:

Dear sirs please: I will return to my original question. I just wondered if Xen
will be included into OpenBSD's kernel to act as a para-virtualized DomU or
not. Nothing more. I will not go into issues of the type "is it insecure or not".

Theo, or somebody from the developer team: will a para-virtualized domU Xen kernel
be included in the next OpenBSD release (4.3?) or not? I only want to know this...


Not unless someone actually writes the code to do it. Notice the
extreme number of people with openbsd.org email addresses jumping up
and down, volunteering to do it (hint: none). Possibly not even if
someone writes the code. Diffs are not always merged. They should be
good diffs that improve OpenBSD. Notice the number of people with
openbsd.org email addresses who are not convinced that doing this a)
will improve OpenBSD and b) won't actually hurt.

So I'm going to guess the answer is "No, integrating xen
paravirtualization is not a project priority at this time. Also, where
are your diffs?"

CK

Many thanks Chris. A clear response. I am not a developer but I can offer to 
test xen based OpenBSD kernels on my servers ...




--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread carlopmart
Dear sirs please: I will return to my original question. I just wondered if Xen 
will be included into OpenBSD's kernel to act as a para-virtualized DomU or 
not. Nothing more. I will not go into issues of the type "is it insecure or not".


Theo, or somebody from the developer team: will a para-virtualized domU Xen kernel 
be included in the next OpenBSD release (4.3?) or not? I only want to know this...


Many thanks to all.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread carlopmart

ropers wrote:

On 23/10/2007, Jeff Quast <[EMAIL PROTECTED]> wrote:

I would like to vouch for openbsd working great as a guest, but my
guest has crashed a dozen times. However I think this is due to the
debian linux dom0 having broken sata code for the controller in use.
dom0's dmesg is filled with debug statements from sata related places
in the kernel that should never be printed. We're in a messy
de-centralized linux development world trying to get a stable dom0
patched together. It sucks.


This is what I meant to hint at earlier: Running an OpenBSD DomU in
connection with, say, a Linux Xen Dom0 possibly makes that OpenBSD
installation subject to bugs in the hypervisor/Dom0, and that may be
unavoidable. The question is, is that a worthwhile trade-off? Is this
a reason not to support Xen? Or should the user be given that option
regardless of the inherent limitations and consequences?

--ropers




IMHO I think that OpenBSD needs to be capable of installing and running as a 
paravirtualized domU guest, with some limitations if you like.


Last year I asked the same question. Back then it was said that NetBSD only needed 
to do the Xen port, and from there it would be enough to carry it over to OpenBSD. The reality is 
that NetBSD has long been able to be installed and run as a domU and OpenBSD has not.


And my question is why? I think that only one developer can't maintain this 
type of code ... it needs more help. I am not a developer but I can do tests if you 
need them ....



--
CL Martinez
carlopmart {at} gmail {d0t} com



About Xen: maybe a reiterative question but ..

2007-10-22 Thread carlopmart

Hi all,

 I know that from time to time somebody asks the same question, but I need to know it: 
is it planned at some point to release a paravirtualized Xen kernel for OpenBSD 
4.3 or 4.4?


 In March '08 I need to virtualize two OpenBSD servers under Xen (the host doesn't 
support HVM guests). But if it is not possible, I will migrate to NetBSD ...


Many thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Encrypting partitions with openbsd 4.1 or 4.2

2007-10-03 Thread carlopmart

Jacob Yocom-Piatt wrote:

carlopmart wrote:

Guillaume Duali wrote:

Hello,
perhaps this HowTo will help you ?

http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto

See you :)
Guillaume.
---
carlopmart a icrit :

Hi all,

 How can I encrypt a whole partition with OpenBSD 4.1 or 
4.2-current? I only find info about encrypting image files and not 
partitions 


many thanks.



This howto only explains how to encrypt sparse files and not 
partitions ..




the technique in the article does not only apply to sparse files. I have 
an encrypted /var on some of my webservers and the procedure is 
identical to what's in the link further down (starts with the dd-ing of 
an image file).


do note it's not possible to encrypt all partitions using vnconfig. for 
the time being this is the best you can do: encrypt images and mount 
them after using vnconfig.



Thanks Jacob, but I have received an email from an OpenBSD developer 
saying that it isn't possible to encrypt partitions or disks ... only image 
files created by the dd command ...


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Encrypting partitions with openbsd 4.1 or 4.2

2007-10-03 Thread carlopmart

Guillaume Duali wrote:

Hello,
perhaps this HowTo will help you ?

http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto

See you :)
Guillaume.
---
carlopmart a icrit :

Hi all,

 How can I encrypt a whole partition with OpenBSD 4.1 or 4.2-current? 
I only find info about encrypting image files and not partitions 


many thanks.




This howto only explains how to encrypt sparse files and not partitions ..

--
CL Martinez
carlopmart {at} gmail {d0t} com



Encrypting partitions with openbsd 4.1 or 4.2

2007-10-03 Thread carlopmart

Hi all,

 How can I encrypt a whole partition with OpenBSD 4.1 or 4.2-current? 
I only find info about encrypting image files and not partitions 


many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-21 Thread carlopmart

carlopmart wrote:

Stuart Henderson wrote:

On 2007/07/20 13:20, carlopmart wrote:

Stuart Henderson wrote:

On 2007/07/20 11:02, carlopmart wrote:
 This is my third post about problems with OpenBSD 4.1 during the last 
two months ...

Yes, and someone replied with a PR (5508) they'd opened about it.
It's fixed already - src/sys/net/if_pfsync.c 1.83.
Maybe the question to ask is "can this be imported to -stable"...
Sorry, but it isn't the same bug. Bug 5508 is about a pfsync bug, and 
this crash isn't ...


hmm, ok, but you said it's the third post, which (at least to me)
implies that it's the third post about the same problem...



Yes, sorry, second post about this problem ... I wrote another post about 
bug 5508, total: three ... With OpenBSD 4.0 on the same servers all 
works ok ... I don't understand it...



Please, any hints about this??

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread carlopmart

Stuart Henderson wrote:

On 2007/07/20 13:20, carlopmart wrote:

Stuart Henderson wrote:

On 2007/07/20 11:02, carlopmart wrote:
 This is my third post about problems with OpenBSD 4.1 during the last two 
months ...

Yes, and someone replied with a PR (5508) they'd opened about it.
It's fixed already - src/sys/net/if_pfsync.c 1.83.
Maybe the question to ask is "can this be imported to -stable"...
Sorry, but it isn't the same bug. Bug 5508 is about a pfsync bug, and this 
crash isn't ...


hmm, ok, but you said it's the third post, which (at least to me)
implies that it's the third post about the same problem...



Yes, sorry, second post about this problem ... I wrote another post about 
bug 5508, total: three ... With OpenBSD 4.0 on the same servers all 
works ok ... I don't understand it...


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread carlopmart

Stuart Henderson wrote:

On 2007/07/20 11:02, carlopmart wrote:
 This is my third post about problems with OpenBSD 4.1 during the last two 
months ...


Yes, and someone replied with a PR (5508) they'd opened about it.
It's fixed already - src/sys/net/if_pfsync.c 1.83.

Maybe the question to ask is "can this be imported to -stable"...




Sorry, but it isn't the same bug. Bug 5508 is about a pfsync bug, and 
this crash isn't ...

--
CL Martinez
carlopmart {at} gmail {d0t} com



Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread carlopmart
chpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask efe5 netmask efed ttymask ffef
pctr: user-level cycle counter enabled
ahc0: target 0 using 16bit transfers
ahc0: target 0 synchronous at 80.0MHz DT, offset = 0x3f
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
WARNING: / was not properly unmounted

 How can I fix this? I can't find any bug report about this on OpenBSD's 
site 


 Please it is very urgent ...

 Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OpenBSD 4.1 crashed, pfsync problems??

2007-06-13 Thread carlopmart

Jens Mayer wrote:

Dear all,

sorry to break the thread, but I did not have the originating message in my 
mailinglist folder anymore. Nonetheless, I want to reply to "carlopmart" who 
wrote on 2007-Jun-07:


 Last night my openbsd 4.1 has crashed and I don't know why. I am using 
 this openbsd as a part of two carped firewalls.


 Crash dump:

 kernel:  page fault trap code=0
 Stopped at pfsync_insert_net_state+0x451: movl 0(%eax,%edx,4),%edx


I experienced *exactly* the same problem. 

As I'm using a modified kernel also, I'm not sure if this is an official 
OpenBSD bug. Therefore, I switched the boxes back to GENERIC kernels for the 
time being, waiting for one of them to possibly break down again. Since the 
problem is not reproducible, it's hard to say if it only affects non-GENERIC 
kernel builds.


We are running a classic carped firewall setup. As I can't file bugreports 
with customized kernels, I just wanted to give you this note.


Differences between the customized kernel and GENERIC are:

# optionLKM # loadable kernel modules
# optionEXT2FS  # Second Extended Filesystem
# optionMFS # memory file system
# optionXFS # xfs filesystem
# optionNFSCLIENT   # Network File System client
# optionNFSSERVER   # Network File System server
# optionINET6   # IPv6 (needs INET)
# optionPPP_BSDCOMP # PPP BSD compression
# optionPPP_DEFLATE
# pseudo-device sppp1   # Sync PPP/HDLC
# pseudo-device ppp # PPP
# pseudo-device sl  # CSLI
# pseudo-device pppoe   1   # PPP over Ethernet (RFC 2516)

I also stripped down drivers I do not need, like soundcards, USB- and 
firewiredevices or buses I do not have, pretty much just to the things that 
are built into this box and really needed.


Kind regards,
Jens



Thanks Jens. I have switched to the GENERIC kernel too (without any modification) and 
I am waiting to reproduce this problem 



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OpenBSD 4.1 crashed, pfsync problems??

2007-06-07 Thread carlopmart
Marc Balmer wrote:
> * carlopmart wrote:
>> Hi all,
>>
>>  Last night my openbsd 4.1 has crashed and I don't know why. I am using 
>>  this openbsd as a part of two carped firewalls.
>>
>>  Crash dump:
>>
>>  kernel:  page fault trap code=0
>> Stopped at pfsync_insert_net_state+0x451: movl 0(%eax,%edx,4),%edx
>>
>> Show panic:
>> the kernel did not panic
>>
>> Trace log:
>>
>> pfsync_insert_net_state(da2ff926,1,1e0,d08d4d48) at 
>> pfsync_insert_net_state+0x451
>> pfsync_input(da0e6d00,14,0,0,d2975030) at pfsync_input+0x3ef
>> ipv4_input(da0e6d00,d297bc80,0,d08d3000,30) at ipv4_input+0x511
>> ipintr(d0200058,10,d08d0010,d03c0010,d08d3000) at ipintr+0x7e
>> Bad frame pointer: 0xd08d4e24
>>
>>  The dump shows a problem with the pfsync interface, and I think of two possible 
>> problems: the network interface or a problem with the switches.
>>
>>  Output of dmesg:
>>
>>  OpenBSD 4.1 (FWCLUSTER02) #0: Thu May  3 09:38:24 CEST 2007
> 
> this is not a GENERIC kernel, god knows what you have changed, but no one
> can support custom kernels.
> 
>> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/FWCLUSTER02
>> cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.21 GHz
>> cpu0: 
>> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
>> real mem  = 2146795520 (2096480K)
>> avail mem = 1951932416 (1906184K)
>> using 4278 buffers containing 107462656 bytes (104944K) of memory
>> mainbus0 (root)
>> bios0 at mainbus0: AT/286+ BIOS, date 02/02/04, BIOS32 rev. 0 @ 0xffe90, 
>> SMBIOS rev. 2.3 @ 0xfb030 (83 entries)
>> bios0: Dell Computer Corporation PowerEdge 750
>> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
>> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc570/144 (7 entries)
>> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6300ESB LPC" rev 0x00)
>> pcibios0: PCI bus #4 is the last bus
>> bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x5600 
>> 0xce800/0x1000 0xec000/0x4000!
>> acpi at mainbus0 not configured
>> cpu0 at mainbus0
>> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
>> pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
>> ppb0 at pci0 dev 3 function 0 "Intel 82875P PCI-CSA" rev 0x02
>> pci1 at ppb0 bus 1
>> em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq 3, 
>> address 00:c0:9f:3d:0e:b5
>> ppb1 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
>> pci2 at ppb1 bus 2
>> ppb2 at pci2 dev 1 function 0 "IBM 133 PCIX-PCIX" rev 0x02
>> pci3 at ppb2 bus 3
>> em1 at pci3 dev 4 function 0 "Intel PRO/1000MT QP (82546EB)" rev 0x01: irq 
>> 11, address 00:04:23:b8:4c:bc
>> em2 at pci3 dev 4 function 1 "Intel PRO/1000MT QP (82546EB)" rev 0x01: irq 
>> 11, address 00:04:23:b8:4c:bd
>> em3 at pci3 dev 6 function 0 "Intel PRO/1000MT QP (82546EB)" rev 0x01: irq 
>> 11, address 00:04:23:b8:4c:be
>> em4 at pci3 dev 6 function 1 "Intel PRO/1000MT QP (82546EB)" rev 0x01: irq 
>> 11, address 00:04:23:b8:4c:bf
>> uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 11
>> usb0 at uhci0: USB revision 1.0
>> uhub0 at usb0
>> uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
>> uhub0: 2 ports with 2 removable, self powered
>> uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 10
>> usb1 at uhci1: USB revision 1.0
>> uhub1 at usb1
>> uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
>> uhub1: 2 ports with 2 removable, self powered
>> "Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
>> "Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
>> ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 7
>> usb2 at ehci0: USB revision 2.0
>> uhub2 at usb2
>> uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
>> uhub2: 4 ports with 4 removable, self powered
>> ppb3 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a
>> pci4 at ppb3 bus 4
>> em5 at pci4 dev 2 function 0 "Intel PRO/1000MT (82541GI)" rev 0x00: irq 10, 
>> address 00:c0:9f:3d:0e:b6
>> ahc0 at pci4 dev 3 function 0 "Adaptec AHA-3960D U160" rev 0x01: irq 11
>> scsibus0 at ahc0: 16 targets
>> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct 
>> fixed
>> sd0: 34732MB, 49855 cyl, 2 head, 713 sec, 512 bytes/sec, 7113

OpenBSD 4.1 crashed, pfsync problems??

2007-06-07 Thread carlopmart
display0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask efe5 netmask efed ttymask ffef
pctr: user-level cycle counter enabled
ahc0: target 0 using 16bit transfers
ahc0: target 0 synchronous at 80.0MHz DT, offset = 0x3f
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02

 How can I fix this problem??
--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: What is this: DIOCADDRULE: Device or resource busy? (problem is with multipath)

2007-05-29 Thread carlopmart

carlopmart wrote:

Hi all,

 I have installed a new OpenBSD 4.1 server with pf rules and the latest 
patches. When I try to load my pf.conf rules, it returns this error: 
DIOCADDRULE: Device or resource busy. What does it mean?


Many thanks.



Hi all,

 I think that the problem is related to my use of multipath routing. I use two DSL 
lines. On my external hostname.if I put entries to use multipath like this: 
!route add -mpath default "gw.1" and !route add -mpath default "gw.2". Using 
this config as the OpenBSD FAQ explains, pfctl doesn't load the pf rules. But if I 
assign routing table IDs, all works ... Does somebody know why?




--
CL Martinez
carlopmart {at} gmail {d0t} com



What is this: DIOCADDRULE: Device or resource busy?

2007-05-28 Thread carlopmart

Hi all,

 I have installed a new OpenBSD 4.1 server with pf rules and the latest patches. When 
I try to load my pf.conf rules, it returns this error: DIOCADDRULE: Device or 
resource busy. What does it mean?


Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



OT: cacti, pfflowd and flowd

2007-05-17 Thread carlopmart

Hi all,

 Has somebody tried to install cacti, pfflowd and flowd on two different 
servers? OpenBSD with pfflowd and another Unix server with cacti and flowd ... I 
am trying to do it without luck (the principal problem is how to parse the flowd 
log file from cacti)... and I can't find any doc about how to do it ...


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



OT: Monitoring tools and integration with SIM products

2007-05-08 Thread carlopmart

Hi all,

 I need to know some opinions about existing monitoring tools for OpenBSD 
carp/pf firewalls.


 My requirements are:

  - Monitor VPN connections between three providers and roadwarrior clients (I 
am using another pflogd process for this), web front-end preferred.


  - Monitor logs generated by pf, web front-end preferred (real-time is a 
must)


  - Integrating OpenBSD events (logs, mails, etc) under an open source SIM like 
OpenSIMS (http://opensims.sourceforge.net/) or OSSIM (www.ossim.net)


  Which tools do you recommend? Has somebody tested OpenSIMS or OSSIM with 
OpenBSD?


 Many thanks.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Problems with vpn roadwarriors using the same public ip

2007-05-08 Thread carlopmart

Heinrich Rebehn wrote:

carlopmart wrote:

Matthias Bertschy wrote:

carlopmart wrote:

Hi all,

 I have a very strange problem. I am using an OpenBSD 4.1 with an 
isakmpd config (isakmpd.conf and isakmpd.policy) to establish VPN 
connections for my roadwarrior clients.


 When two roadwarrior clients use the same public IP, only one 
client can connect, the other cannot. Roadwarriors use the Greenbow client.


 Does somebody know how I can fix this?

Many thanks.


Hello,

I have the same problem with racoon on Linux 2.6, when a second 
client connects to IPSEC thru NAT, the first one loses his connection.
I don't know if it is related to IPSEC, or a bug in both isakmpd and 
racoon; but I haven't found a fix yet.


Matthias Bertschy

I think that I found a solution. I have put "Share-SADB = Define" in the 
"General" section of isakmpd.conf, and it seems that it works now ... But, is 
this ok? Does somebody know if using this option can produce a security 
hole? I believe that sharing SAs between clients might not be a good 
solution 


Thanks.

Where did you get this "Share-SADB = Define" from? I have not found it 
in the manpage


--Heinrich



Sorry, I meant to say "Shared-SADB" ...



--
CL Martinez
carlopmart {at} gmail {d0t} com



question about multiple pflog interfaces on openbsd 4.1

2007-05-07 Thread carlopmart

Hi all,

 I have tried to set up a new pflog interface to monitor IPsec traffic and it 
works ok. Afterwards I have set up another pflogd daemon to store logs in another 
pcap file under /var/log. But I have one question: how do I configure the 
newsyslog.conf entry for this new pflogd daemon? If I put /var/run/pflogd.pid 
in the newsyslog.conf configuration, this only affects the primary pflogd daemon, 
and I need to rotate this new log file every midnight. I have searched the man 
pages but I don't see any param to assign another pid file ...


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Problems with vpn roadwarriors using the same public ip

2007-05-04 Thread carlopmart

Matthias Bertschy wrote:

carlopmart wrote:

Hi all,

 I have a very strange problem. I am using an OpenBSD 4.1 with an isakmpd 
config (isakmpd.conf and isakmpd.policy) to establish VPN connections 
for my roadwarrior clients.


 When two roadwarrior clients use the same public IP, only one 
client can connect, the other cannot. Roadwarriors use the Greenbow client.


 Does somebody know how I can fix this?

Many thanks.


Hello,

I have the same problem with racoon on Linux 2.6, when a second client 
connects to IPSEC thru NAT, the first one loses his connection.
I don't know if it is related to IPSEC, or a bug in both isakmpd and 
racoon; but I haven't found a fix yet.


Matthias Bertschy

I think that I found a solution. I have put "Share-SADB = Define" in the "General" 
section of isakmpd.conf, and it seems that it works now ... But, is this ok? Does somebody 
know if using this option can produce a security hole? I believe that sharing 
SAs between clients might not be a good solution ....


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Problems with vpn roadwarriors using the same public ip

2007-05-04 Thread carlopmart

Hi all,

 I have a very strange problem. I am using an OpenBSD 4.1 with an isakmpd config 
(isakmpd.conf and isakmpd.policy) to establish VPN connections for my 
roadwarrior clients.


 When two roadwarrior clients use the same public IP, only one client can 
connect, the other cannot. Roadwarriors use the Greenbow client.


 Does somebody know how I can fix this?

Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Using login.conf to auth to KDC

2007-05-02 Thread carlopmart

Hi all,

 I am trying to authenticate my OpenBSD users against a Linux KDC server. To do this 
I have set up a new login class in login.conf:


linkdc:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin:\
:umask=022:\
:datasize-max=512M:\
:datasize-cur=512M:\
:maxproc-max=128:\
:maxproc-cur=64:\
:openfiles-cur=128:\
:stacksize-cur=4M:\
:auth=krb5:\
:auth-type=krb5:\
:auth-ftp=reject:

 When I try adduser in batch mode, I cannot select the linkdc login class. 
If I do it using useradd it works, but users cannot be authenticated. The error is 
permission denied. I need to authenticate my users against this KDC and not against 
master.passwd. Only root can use the local passwd file.


 The Kerberos configuration works ok on this OpenBSD server.

 What am I doing wrong?

Thanks
--
CL Martinez
carlopmart {at} gmail {d0t} com



Openbsd ipsec with cisco vpn client

2007-04-19 Thread carlopmart

Hi all,

 Has somebody tried to use the Cisco VPN client to connect to an OpenBSD IPsec 
gateway using user and password or X.509 certificates? Can somebody send me some 
examples?


many thanks.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Scrub options for bridge interfaces

2007-04-11 Thread carlopmart

Hi all,

 Does somebody know which scrub options I need to put in pf.conf for bridge 
interfaces? I have an OpenBSD 4.0 fw with one bridge interface and when I try to 
run the cat command on an 18kb file, it stops.


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Flushing rules for a specific interface

2007-04-11 Thread carlopmart

Hi all,

 Is it possible to flush the rules for a specific interface under OpenBSD 4.0? For 
example, I have two DSL lines and I would like to use only one pf.conf file with 
ifstated. When one link goes down I would like to do something like this:


 "pfctl -i ext2_if -F rules" (only flush the rules currently loaded for ext2_if).

 I have tried but it doesn't work ... Does somebody know if I can do it?

many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Dell 1950 under OpenBSD

2007-04-02 Thread carlopmart

[EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote: -


To: openbsd misc 
From: carlopmart <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 02/04/2007 12:36PM
Subject: Dell 1950 under OpenBSD

Hi all,

Has somebody tested this Dell server under OpenBSD 4.0? This
server uses SAS or SATA disks with a PERC 5/i controller; are they
supported under OpenBSD 4.0?

Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com




OpenBSD 4.0 (GENERIC.MP) #936: Sat Sep 16 19:27:28 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU 5110 @ 1.60GHz ("GenuineIntel" 686-class) 1.60
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16

real mem  = 1072955392 (1047808K)
avail mem = 970682368 (947932K)
using 4256 buffers containing 53751808 bytes (52492K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 10/18/06, BIOS32 rev. 0 @
0xffe90, SMBIOS rev. 2.4 @ 0x3ffbc000 (62 entries)
bios0: Dell Inc. PowerEdge 1950
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfada0/368 (21 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6321ESB LPC" rev 0x00)
pcibios0: PCI bus #15 is the last bus
bios0: ROM list: 0xc/0x9000! 0xc9000/0x4e00 0xec000/0x4000!
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca8/8 spacing 4
mainbus0: Intel MP Specification (Version 1.4) (DELL PE 01B3 )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: unknown Core FSB_FREQ value 0 (0xc188149f)
cpu0: apic clock running at 266 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU 5110 @ 1.60GHz ("GenuineIntel" 686-class) 1.60
GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16

mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type PCI
mainbus0: bus 6 is type PCI
mainbus0: bus 7 is type PCI
mainbus0: bus 8 is type PCI
mainbus0: bus 9 is type PCI
mainbus0: bus 10 is type PCI
mainbus0: bus 11 is type PCI
mainbus0: bus 12 is type PCI
mainbus0: bus 13 is type PCI
mainbus0: bus 14 is type PCI
mainbus0: bus 15 is type PCI
mainbus0: bus 16 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
ioapic1 at mainbus0: apid 3 pa 0xfec81000, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 3
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 5
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 7
ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci4 at ppb3 bus 8
bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: apic 2 int 16
(irq 5), address 00:15:c5:ef:2a:77
brgphy0 at bnx0 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 9
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 10
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
pci7 at ppb6 bus 1
ppb7 at pci7 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci8 at ppb7 bus 2
mpi0 at pci8 dev 8 function 0 "Symbios Logic SAS1068" rev 0x01: apic 3 int
0 (irq 5)
scsibus0 at mpi0: 126 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
fixed
sd0: 34732MB, 50824 cyl, 2 head, 699 sec, 512 bytes/sec, 71132959 sec total
ses0 at scsibus0 targ 8 lun 0:  SCSI3 13/enclosure
services fixed
ppb8 at pci0 dev 4 function 0 "Intel 5000 PCIE" rev 0x12
pci9 at ppb8 bus 11
ppb9 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0x12
pci10 at ppb9 bus 12
ppb10 at pci0 dev 6 function 0 "Intel 5000 PCIE" rev 0x12
pci11 at ppb10 bus 13
ppb11 at pci0 dev 7 function 0 "Intel 5000 PCIE" rev 0x12
pci12 at ppb11 bus 14
pchb1 at pci0 dev 16 function 0 "Intel 5000 Error Reporting" rev 0x12
pchb2 at pci0 dev 16 function 1 "Intel 5000 Error Reporting" rev 0x12
pchb3 at pci0 dev 16 function 2 "Intel 5000 Error Reporting" rev 0x12
pchb4 at pci0 dev 17 function 0 "Intel 5000 Reserved" rev 0x12
pchb5 at pci0 dev 19 function 0 "Intel 5000 Reserved" rev 0x12
pchb6 at pci0 dev 21 function 0 "Intel 5000 FBD" rev 0x12
pchb7 at pci0 dev 22 function 0 "Intel 5000 FBD" rev 0x12
ppb12 at pci0 dev 28 function 0 "Intel 6321ESB PCIE" rev 0x09
pci13 at ppb12 bus 3
ppb13 at p

Dell 1950 under OpenBSD

2007-04-02 Thread carlopmart

Hi all,

 Has somebody tested this Dell server under OpenBSD 4.0? This server uses SAS 
or SATA disks with a PERC 5/i controller; are they supported under OpenBSD 4.0?


Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Problems with X11 traffic over ssh in pf.conf

2007-03-23 Thread carlopmart

Rogier Krieger wrote:

On 3/23/07, carlopmart <[EMAIL PROTECTED]> wrote:

Do I need to open additional ports or protocols??


Not so much additional ports or protocols, but are you sure you
enabled X11 forwarding?

A few suggestions for things to check:
+ in /etc/ssh/sshd_config, did you enable 'X11Forwarding' ?


Yes

+ for the ssh client(s), did you choose to enable X11 forwarding?

Yes


In ssh, you can use either the -X command line option or use settings
to that effect in your config file (see ssh_config(5) for more info).

Hope this helps,

Rogier



My problem is with pf rules. If I put "pass all" in pf.conf, all works ok.



--
CL Martinez
carlopmart {at} gmail {d0t} com
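X11 forwarding needs no extra port on the wire. The X protocol is carried inside the ssh TCP session, and on the sshd host the forwarded display is a listener on loopback (127.0.0.1:6010 for DISPLAY localhost:10.0, with the default X11UseLocalhost) that the xterm connects to. A ruleset that filters lo0 therefore breaks X11 forwarding while plain ssh logins keep working, and "pass all" fixes both, which matches what is described above. The pf.conf below is an added example and not from this thread; the interface name em0 and the developer network 192.0.2.0/24 are assumptions.

```conf
# /etc/pf.conf (added example, not from the thread)
ext_if = "em0"                 # assumption: interface the developers reach sshd on
dev_net = "192.0.2.0/24"       # assumption: where the developers connect from

# X11 forwarding: sshd opens the forwarded display on loopback
# (127.0.0.1:6010 for DISPLAY localhost:10.0). Filtering lo0 breaks it,
# so loopback is excluded from filtering altogether.
set skip on lo0

block log all

# The only port sshd needs for an X11-forwarding session is ssh itself;
# the X protocol rides inside this TCP connection.
pass in on $ext_if proto tcp from $dev_net to ($ext_if) port 22 \
    flags S/SA keep state

# The box's own outbound traffic and the replies to it.
pass out on $ext_if keep state
```

pfctl -nf /etc/pf.conf checks the file without loading it. If X11 still fails, tcpdump -n -e -ttt -i pflog0 shows what the logging block rule dropped; a connection attempt to 127.0.0.1 port 6010 showing up there is the loopback case.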



Problems with X11 traffic over ssh in pf.conf

2007-03-22 Thread carlopmart

Hi all,

 I need to allow X11 services over ssh for my developers on one OpenBSD box. 
The rule for the ssh service works ok, but when I try to start an X11 app (like 
xterm, for example, on the destination host) it doesn't work.


 On the OpenBSD side nothing is dropped. Does somebody know how I can debug this? 
Do I need to open additional ports or protocols?


Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Will be 4.1 release ready for xen?

2007-03-13 Thread carlopmart

Hi all,

 Does somebody know if the 4.1 release will be ready for use as a 
paravirtualized or fully virtualized guest under Xen 3.x? (I know that 
4.0 "works" under Xen 3.x, but really with very poor performance, 
including under XenExpress or VirtualIron.) I can't find anything about 
this in 4.1's changelog ...


Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Nic bridge doesn't forward packets

2007-03-09 Thread carlopmart

Maurice Janssen wrote:

On Thursday, March  8, 2007 at 18:58:00 +0100, carlopmart wrote:

Hi all,

I have a strange problem. Last week, I installed a new OpenBSD 
server for our new datacenter. I have configured two NICs for use as a 
bridge and assigned an IP to one of these interfaces, like this:


/etc/hostname.em2
up

/etc/hostname.em3
inet 172.18.45.1 255.255.255.240 NONE

/etc/hostname.bridge0
em2
em3
up

With this configuration, the bridge doesn't forward packets between the two 
network segments (IP forwarding is enabled in sysctl.conf). Does somebody 
know what I am doing wrong?


mv /etc/hostname.bridge0 /etc/bridgename.bridge0

and change the contents to
add em2
add em3
up

HTH,
Maurice



Oops ... Many thanks ...

--
CL Martinez
carlopmart {at} gmail {d0t} com
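For a filtering bridge the forwarding sysctl is beside the point: bridging happens at layer 2, and net.inet.ip.forwarding only affects routed traffic. What does matter on a firewall is that pf evaluates a bridged packet twice, inbound on the member it arrives on and outbound on the member it leaves by, so the rules have to allow it on both. The following is an added example that is not from this thread; it uses Maurice's bridgename.bridge0 layout, the poster's em2/em3 and 172.18.45.1, and an assumed admin host 172.18.45.2. The comment lines naming the files are for display only; /etc/bridgename.bridge0 itself holds just the three lines shown.

```conf
# /etc/bridgename.bridge0 (added example; OpenBSD 4.0 syntax, see bridgename.if(5))
add em2
add em3
up

# /etc/pf.conf (added example)
set skip on lo0
block log all

# Anything addressed to the bridge host itself is dropped unless it is
# ssh from the assumed admin host (last matching rule wins).
block log in on { em2 em3 } to 172.18.45.1
pass in on em3 proto tcp from 172.18.45.2 to 172.18.45.1 port 22 \
    flags S/SA keep state

# Packets crossing the bridge: the state is created on the inbound
# member and the same state matches when the packet leaves on the
# other member, so both directions need a pass rule.
pass in on { em2 em3 } proto { tcp udp icmp } from any to ! 172.18.45.1 \
    keep state
pass out on { em2 em3 } keep state
```

After sh /etc/netstart bridge0, brconfig bridge0 lists the members and their learned addresses, and pfctl -ss shows the states created for traffic crossing the bridge.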



Nic bridge doesn't forward packets

2007-03-08 Thread carlopmart

Hi all,

 I have a strange problem. Last week, I installed a new OpenBSD 
server for our new datacenter. I have configured two NICs for use as a 
bridge and assigned an IP to one of these interfaces, like this:


/etc/hostname.em2
up

/etc/hostname.em3
inet 172.18.45.1 255.255.255.240 NONE

/etc/hostname.bridge0
em2
em3
up

 With this configuration, the bridge doesn't forward packets between the two 
network segments (IP forwarding is enabled in sysctl.conf). Does somebody 
know what I am doing wrong?


Many thanks.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Ifstated samples to control two dsl lines

2007-01-29 Thread carlopmart

Hi all,

 Can somebody send me some samples of ifstated.conf using two DSL 
lines? I have two redundant OpenBSD 4.0 firewalls on which I need to implement 
ifstated, but from the man pages alone it isn't very clear how I can configure 
this to redirect all traffic to one line if the other goes down. Another 
question is: can I use pfctl commands to load new rules (with 
carp interfaces) every time one line goes down?


Many thanks ..

--
CL Martinez
carlopmart {at} gmail {d0t} com
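An ifstated.conf for two DSL lines, added here as an example (it is not from the thread): a line whose provider gateway answers ping is treated as usable, the firewall moves between a primary and a backup state, and each state's init block runs pfctl to load the ruleset that sends outbound traffic over the corresponding line, which answers the second question (ifstated can run any command when a state is entered). The gateway addresses 203.0.113.1 and 198.51.100.1 and the two ruleset files are assumptions.

```conf
# /etc/ifstated.conf (added example)
# Test each line end to end by pinging the provider gateway over it, not
# just the carrier state: a DSL modem can show link while the provider
# side is down.  This assumes the gateway is directly reachable on its
# own line (point-to-point peer or connected subnet), so the probe leaves
# through the right interface.  "every 10" re-runs the test every 10 s.
dsl1_up = '( "ping -q -c 1 -w 1 203.0.113.1 > /dev/null" every 10 )'
dsl2_up = '( "ping -q -c 1 -w 1 198.51.100.1 > /dev/null" every 10 )'

init-state auto

state auto {
    if $dsl1_up
        set-state primary
    if ! $dsl1_up && $dsl2_up
        set-state backup
}

# /etc/pf.conf.dsl1 and /etc/pf.conf.dsl2 are assumed to be complete
# rulesets that differ only in which line outbound traffic is routed to.
state primary {
    init {
        run "pfctl -f /etc/pf.conf.dsl1"
    }
    if ! $dsl1_up && $dsl2_up
        set-state backup
}

state backup {
    init {
        run "pfctl -f /etc/pf.conf.dsl2"
    }
    if $dsl1_up
        set-state primary
}
```

Start it with ifstated -d -v to watch the state changes on the console before enabling it in rc.conf.local. pfctl -f only touches the local ruleset, so both carp nodes can run the same ifstated.conf and each will switch its own rules; the node that is carp master is the one whose choice matters for the traffic.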



How can I view rule numbers under OpenBSD 4.0?

2006-12-18 Thread carlopmart
Hi all,

 first of all, many thanks to everybody who helped me to block all IPv6 traffic (the security
staff accept your option).

 And now my question: how can I view the rule numbers assigned by pf? Under OpenBSD
3.7, pfctl -ws displayed this info ... How can I do this with OpenBSD 4.0?

Many thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Jason Dixon wrote:
> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
> 
>> Philip Guenther wrote:
>>> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>>>>  Does somebody know if there is some option to put in the rc.conf file,
>>>> like FreeBSD does with the ipv6_enable="NO" option, to disable IPv6 support on
>>>> OpenBSD 4.0?
>>>
>>> Nope.  No such option exists in OpenBSD.
>>>
>>>
>>>> Or do I need to recompile the kernel, modify sendmail.cf, etc,
>>>> etc, etc ...? In other words, do I need to reconfigure all processes
>>>> that
>>>> need ipv6 to start up?
>>>
>>> Yeah, that's one way to end up with a system for which the developers
>>> will basically ignore you if you report a problem.  Is that what
>>> you're trying to accomplish?
>>>
>>
>> Yes, my security staff orders me to disable the IPv6 protocol on all our
>> firewalls ...
> 
> Your security staff is clueless.  I bet they like to block icmp
> echo-request too.
> 

Heh, heh ... :) Sure, Jason, but I am only a simple administrator ...


> -- 
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
> 
> 
> 
> 

-- 
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Dave Anderson wrote:
> ** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17
> Dec 2006 15:17:01 -0500
> 
>> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>>
>>> Yes, my security staff orders me to disable the IPv6 protocol on all our
>>> firewalls ...
>> Your security staff is clueless.  I bet they like to block icmp echo- 
>> request too.
> 
> Unfortunately, the fact that they're clueless doesn't make it possible
> to ignore their demands.  Fortunately, it's almost trivial to configure
> PF to block all incoming and outgoing IPv6 on your external interface
> (or on all of your interfaces).  The question is, can you convince the
> powers-that-be that doing this is sufficient?  It clearly should be,
> since it prevents any possibility of communicating via IPv6.
> 
> Good luck,
> 
>   Dave
> 
I don't know, Dave, but I could try it...



-- 
CL Martinez
carlopmart {at} gmail {d0t} com
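Dave's pf approach as an added example (not from the thread): two rules that drop and log every IPv6 packet on every interface except loopback. Loopback is left alone so that daemons bound to ::1 keep working. This does not remove IPv6 from the system: there is no rc.conf switch for that in 4.0 and the kernel still assigns link-local addresses to the interfaces, but with these rules no IPv6 packet enters or leaves them.

```conf
# /etc/pf.conf fragment (added example)
# Put these first: "quick" stops rule evaluation, so no later pass rule
# can let IPv6 through by accident.
block drop in  log quick on ! lo0 inet6 all
block drop out log quick on ! lo0 inet6 all
```

pfctl -sr should show the two rules at the top of the loaded ruleset, and tcpdump -n -e -ttt -i pflog0 ip6 shows what they are dropping (typically router solicitations and neighbour discovery from the link-local addresses).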



Re: Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Philip Guenther wrote:
> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>>  Does somebody know if there is some option to put in the rc.conf file,
>> like FreeBSD does with the ipv6_enable="NO" option, to disable IPv6 support on
>> OpenBSD 4.0?
> 
> Nope.  No such option exists in OpenBSD.
> 
> 
>> Or do I need to recompile the kernel, modify sendmail.cf, etc,
>> etc, etc ...? In other words, do I need to reconfigure all processes that
>> need ipv6 to start up?
> 
> Yeah, that's one way to end up with a system for which the developers
> will basically ignore you if you report a problem.  Is that what
> you're trying to accomplish?
> 

Yes, my security staff orders me to disable the IPv6 protocol on all our firewalls ...

> 
> Philip Guenther
> 

-- 
CL Martinez
carlopmart {at} gmail {d0t} com



Disable IPv6 on OpenBSD 4.0

2006-12-17 Thread carlopmart
Hi all,

 Does somebody know if there is some option to put in the rc.conf file, like
FreeBSD does with the ipv6_enable="NO" option, to disable IPv6 support on
OpenBSD 4.0? Or do I need to recompile the kernel, modify sendmail.cf, etc,
etc, etc ...? In other words, do I need to reconfigure all processes that
need ipv6 to start up?

many thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Problem with roadwarriors vpn clients with x509 certs on OpenBSD 4.0

2006-11-23 Thread carlopmart

Sorry, I forgot to mention that user1 and user2 have the same public IP.

many thanks ..

carlopmart wrote:

Hi all,

We have several problems with ipsec connections for roadwarrior clients 
using X.509 certificates. We use ipsec.conf to accomplish this 
configuration:



ike passive proto tcp from 192.168.2.3 to { 129.31.0.0/16, \
    129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 5900 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive proto tcp from 192.168.2.3 to { 129.31.0.0/16, \
    129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 3389 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]

ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 } \
    to { 129.42.0.0/16, 192.168.156.0/24 } port 5900 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 } \
    to { 129.42.0.0/16, 192.168.156.0/24 } port 3389 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]

Well, this configuration doesn't work. If user [EMAIL PROTECTED] 
connects to our LANs, [EMAIL PROTECTED] (if he is connected) loses 
all connections.


If we replace the third and sixth lines with:

ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com


only one user can be authenticated. Does somebody know how I can resolve this 
problem? The ipsec.conf man page doesn't help.


Many thanks.




--
CL Martinez
carlopmart {at} gmail {d0t} com
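The two "ike passive esp from 192.168.0.3 to any" lines describe the same flow (192.168.0.3 to anywhere) twice. The kernel keeps one flow per source/destination pair, so when the second roadwarrior negotiates its SA that flow is re-pointed at the second peer and the first user's traffic no longer matches an SA, which is the symptom described above. The usual way out with ipsec.conf is one flow per roadwarrior, told apart by destination: each client gets a fixed inner address and a line whose dstid names that client's certificate identity. The following is an added example, not the poster's configuration; the inner addresses 10.99.0.1 and 10.99.0.2, the identities user1/user2@ourdomain.com, and the assumption that each client proposes that address as its own traffic selector are all assumptions. The algorithms follow the thread; today aes and a larger DH group than modp1024 would be chosen.

```conf
# /etc/ipsec.conf (added example; not the poster's configuration)
fw_ext = "192.168.0.3"

# One flow per roadwarrior.  The flows differ in their destination (the
# client's fixed inner address, an assumption here), so a second client
# negotiating its SA no longer replaces the first client's flow.
# "peer any" accepts the IKE exchange from whatever public address the
# client has (both users may sit behind the same NAT); isakmpd tells the
# clients apart by the certificate identity given as dstid, which must
# appear as a subjectAltName in that client's certificate.
ike passive esp from $fw_ext to 10.99.0.1 peer any \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    srcid firewall.ourdomain.com dstid user1@ourdomain.com

ike passive esp from $fw_ext to 10.99.0.2 peer any \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    srcid firewall.ourdomain.com dstid user2@ourdomain.com
```

ipsecctl -n -f /etc/ipsec.conf parses the file without loading it, and ipsecctl -sa after a client connects shows which flow and SA it ended up with. The per-user flows are also what makes per-user pf rules possible: decapsulated traffic from 10.99.0.1 can be matched on the enc0 interface by that address.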



Roadwarriors vpn clients with x509 certs on OpenBSD 4.0

2006-11-23 Thread carlopmart

Hi all,

We have several problems with ipsec connections for roadwarrior 
clients using X.509 certificates. We use ipsec.conf to accomplish this 
configuration:



ike passive proto tcp from 192.168.2.3 to { 129.31.0.0/16, \
    129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 5900 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive proto tcp from 192.168.2.3 to { 129.31.0.0/16, \
    129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 3389 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]

ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 } \
    to { 129.42.0.0/16, 192.168.156.0/24 } port 5900 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 } \
    to { 129.42.0.0/16, 192.168.156.0/24 } port 3389 \
    quick auth hmac-sha1 enc 3des group modp1024
ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]

Well, this configuration doesn't work. If user [EMAIL PROTECTED] 
connects to our LANs, [EMAIL PROTECTED] (if he is connected) loses 
all connections.


If we replace the third and sixth lines with:

ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
    srcid firewall.ourdomain.com


only one user can be authenticated. Does somebody know how I can resolve this 
problem? The ipsec.conf man page doesn't help.


Many thanks.


--
CL Martinez
carlopmart {at} gmail {d0t} com



OT: Monitoring vpn tunnels on openbsd

2006-10-25 Thread carlopmart

hi all,

 Currently we have five OpenBSD firewalls managed from a Linux server 
that acts as a repository for firewall rules. Now we need to deploy VPN 
tunnels between them and monitor these tunnels.


 My requirements are:

 - we need to know at what time clients connect to our infrastructure
 - we need to know from which (public) IP address they connect.
 - we need to deploy this using the repository Linux server that currently 
works.


 And my questions are:

 - Can I assign IPs via DHCP on the OpenBSD boxes to VPN clients?
 - Which software do you recommend to deploy this?

 My openbsd boxes are 3.9 with carp configured.

Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Deploying isakmp/vpn with PKI

2006-10-03 Thread carlopmart

Hi all,

 I need to deploy a Linux-based PKI infrastructure, including 
authentication (single sign-on) for several Linux and OpenBSD servers. 
We have two OpenBSD firewall clusters (3.9) with VPN using isakmpd. Is 
it possible to use X.509 certs generated on a Fedora Directory Server (which I 
have used to deploy the PKI) to authenticate VPN users? Does somebody know if 
this could work? If I need to upgrade to 4.0, that is not a problem.


Many thanks, and sorry for my bad English.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Xen?

2006-09-29 Thread carlopmart

Many thanks Berk.

Berk D. Demir wrote:

carlopmart wrote:
Sorry, I meant to say para-virtualized. I tested 4.0 beta under 
VT hardware and it works pretty well.


Then the answer is "no".
Xen port of OpenBSD is in an experimental stage AFAIK.

There's a mercurial repo. at http://hg.recoil.org/openbsd-xen-sys.hg
It seems pretty active. Latest change is 19 hours ago.
They're trying to sync with -current.

If a Xen port happens to jump into the tree and becomes usable at 
minimum, you'll see its entry at http://www.openbsd.org/plat.html

And a lot of noise in the lists :)





--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Xen?

2006-09-29 Thread carlopmart
Sorry, I meant to say para-virtualized. I tested 4.0 beta under VT 
hardware and it works pretty well.



Berk D. Demir wrote:

carlopmart wrote:
One question: will it be possible to install OpenBSD 4.0 as a domU under 
a Red Hat/Debian Xen-based server?


It has nothing to do with the OpenBSD version. The virtualization layer is mostly 
managed by the CPU (CPUs w/ Intel VT extensions or AMD's SVM extensions).


Have a look at
http://en.wikipedia.org/wiki/Xen#Hardware_assisted_virtualization_with_Xen

So it's perfectly possible to install any OpenBSD version. (Of course the 
kernel has to support much of the new hardware. Don't go for OpenBSD 3.0.)




--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Xen?

2006-09-29 Thread carlopmart
One question: will it be possible to install OpenBSD 4.0 as a domU under a 
Red Hat/Debian Xen-based server?


Thanks.

Joachim Schipper wrote:

On Thu, Sep 28, 2006 at 11:07:33AM -0500, James Blasius wrote:

I listened to Christoph Egger's podcast on openbsd + xen. Yowza. Is this a
4.1 timeframe item?


I haven't seen code for Xen integration come by at source-changes, so I
presume so.

Host support may be further off.

Joachim




--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: IPSec faq ??

2006-05-05 Thread carlopmart
Thanks, Rogier, for the info. But I need to do a more precise deployment. I 
need to assign each user an X.509 cert and an IP associated with this cert 
(basically I need to work with roadwarrior clients) and deploy 
customized pf rules for every user based on these certs and IPs. Is this 
possible with the new ipsec features? And also, is xauth implemented?


Rogier Krieger wrote:

On 5/5/06, carlopmart <[EMAIL PROTECTED]> wrote:

  Does somebody know when the ipsec FAQ will be published on the OpenBSD website?


It used to be published there but it was taken down. A quick search
through the list archives should provide a more definite answer as to
why. Alternatively, look up the old version of FAQ #13 in CVS.


Does somebody have some howto?


You really should look at the included documentation. For example,
sasyncd(8) and vpn(8) come to mind, but be sure to also look at the
pages listed under "SEE ALSO". The material is quite useful in getting
started.

I haven't tried out ipsecctl(8) and ipsec.conf(5) yet, so I can't tell
you whether that will provide you with an easier solution (easier than
setting up isakmpd(8), that is).

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



--
CL Martinez
carlopmart {at} gmail {d0t} com



IPSec faq ??

2006-05-05 Thread carlopmart

Hi all,

 Does somebody know when the ipsec FAQ will be published on the OpenBSD website? I 
need to deploy two OpenBSD 3.9 HA firewalls with VPN, DHCP and X.509 
certificates included. Does somebody have some howto?


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Carp load balanced firewall with only one public IP?

2006-02-17 Thread carlopmart

Hi all,

 Does somebody know how I can set up two carp load-balanced firewalls with 
OBSD 3.8 or 3.9beta with only one public IP?


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com