Simple question on routing for IPSEC
Hi,

Sorry for the dumb question but I'm suffering from config-writer's block! OpenBSD 6 if it makes any difference to the answers.

Let's say I've got the following in ipsec.conf on my local gateway:

    ike esp from 198.51.100.0/24 to any

Given that "any" is a catch-all, how do I, for example, specify to route "203.0.113.0/24" via the ipsec gateway? e.g. something like the below (where 192.0.2.1 is the remote gateway):

    doas route add -inet 203.0.113.0/24 192.0.2.1
    add net 203.0.113.0/24: gateway 192.0.2.1: Network is unreachable

Bob
Re: simple question about ppp
On Fri, Aug 13, 2010 at 10:12 PM, patrick keshishian <pkesh...@gmail.com> wrote:
> I have been struggling to figure out how to make ppp initiate negotiation unsuccessfully. Can someone help me with a simple ppp.conf that does a 'set device !/path/to/some/prog' that will initiate negotiation?
>
> I have a prog that waits for input from stdin and logs any input into a /tmp/logfile, but ppp doesn't seem to be spitting anything out. When I type dial at the ppp-prompt the prog is executed but ppp isn't sending it any data.
>
> A simple ppp.conf and command line ppp invocation and any ppp commands at the ppp-prompt would be most helpful.

A kind soul replied privately and gave me a very bare-bones example that helped me figure out my mistake.

I've been messing with different ppp.conf settings for three evenings now. I started out reading ppp.conf.sample, and I misunderstood the sample section with ssh and was using "openmode passive". The comment "Passive mode allows ssh plenty of time to establish the connection" threw me off. I read it to mean "gives the program enough time to establish connection with peer before ppp starts doing its thing". The man page is very clear about this option, however.

Thank you again!
--patrick
simple question about ppp
I have been struggling to figure out how to make ppp initiate negotiation unsuccessfully. Can someone help me with a simple ppp.conf that does a 'set device !/path/to/some/prog' that will initiate negotiation?

I have a prog that waits for input from stdin and logs any input into a /tmp/logfile, but ppp doesn't seem to be spitting anything out. When I type dial at the ppp-prompt the prog is executed but ppp isn't sending it any data.

A simple ppp.conf and command line ppp invocation and any ppp commands at the ppp-prompt would be most helpful.

Thanks,
--patrick
[ot] Re: Simple question about ./configure
On Fri, Jul 17, 2009 at 10:23:31PM -0500, Marco Peereboom wrote:
> run! if you have to do ./configure your personal hell has started...

If you call running ./configure a `personal hell', what do you call it when you have to modify configure.ac and re-run autoconf? enterprise hell? (SCNR)

Kili
Simple question about ./configure
I am trying to compile freetds-stable with iodbc and used the following:

    env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure --with-iodbc --disable-threadsafe

Even though isql.h is in /usr/local/include I get the error saying isql.h not found. How can I resolve this?

(I am trying to compile the source to see if I can get libtdsodbc, so using the standard package will not work)

Appreciate any clues.

Thanks very much,

Vijay

-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca
Re: Simple question about ./configure
On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
> I am trying to compile freetds-stable with iodbc and used the following:
>
>     env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure --with-iodbc --disable-threadsafe
>
> Even though isql.h is in /usr/local/include I get the error saying isql.h not found. How can I resolve this?
>
> (I am trying to compile the source to see if I can get libtdsodbc, so using the standard package will not work)
>
> Appreciate any clues.
>
> Thanks very much,
>
> Vijay

I think that it will be a lot easier to change the port to reflect your changes. Try looking at the port and see what it does.

-- 
DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/
This message will self-destruct in 3 seconds.
Re: Simple question about ./configure
Abel Camarillo wrote:
> On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
>> I am trying to compile freetds-stable with iodbc and used the following:
>>
>>     env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure --with-iodbc --disable-threadsafe
>>
>> Even though isql.h is in /usr/local/include I get the error saying isql.h not found. How can I resolve this?
>>
>> (I am trying to compile the source to see if I can get libtdsodbc, so using the standard package will not work)
>>
>> Appreciate any clues.
>
> I think that it will be a lot easier to change the port to reflect your changes. Try looking at the port and see what it does.

By changing the port I was able to get libtdsodbc (this was a few days ago and I had sent the modified Makefile to misc@) but I had problems setting up a DSN through iodbcadm (as well as through text files). Also, when I tried to compile pyodbc, I got errors saying that -liodbc not recognized.

My sense is that I am missing some fundamental knowledge and so this was just an attempt to learn as well as see if compiling from source gives me any clues on setting up pyodbc or if there are any changes with the newer freetds. I know this can work on other platforms but if at all possible I want to stick with OpenBSD.

Thanks,

Vijay

-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca
Re: Simple question about ./configure
On 2009-07-17, Vijay Sankar <vsan...@foretell.ca> wrote:
> Abel Camarillo wrote:
>> On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
>>> I am trying to compile freetds-stable with iodbc and used the following:
>>>
>>>     env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure --with-iodbc --disable-threadsafe
>>>
>>> Even though isql.h is in /usr/local/include I get the error saying isql.h not found. How can I resolve this?
>>>
>>> (I am trying to compile the source to see if I can get libtdsodbc, so using the standard package will not work)
>>
>> I think that it will be a lot easier to change the port to reflect your changes. Try looking at the port and see what it does.
>
> By changing the port I was able to get libtdsodbc (this was a few days ago and I had sent the modified Makefile to misc@) but I had problems setting up a DSN through iodbcadm (as well as through text files). Also, when I tried to compile pyodbc, I got errors saying that -liodbc not recognized.
>
> My sense is that I am missing some fundamental knowledge and so this was just an attempt to learn as well as see if compiling from source gives me any clues on setting up pyodbc or if there are any changes with the newer freetds. I know this can work on other platforms but if at all possible I want to stick with OpenBSD.
>
> Thanks,
>
> Vijay

since you have produced a libtdsodbc.so, try something like this. it won't work with the in-tree port as things stand at the moment.

$ cat /etc/iodbc/odbc.ini
[ODBC Data Sources]
MSSQL-asterisk = FreeTDS

[MSSQL-asterisk]
description = Asterisk ODBC for MSSQL
driver = FreeTDS
server = blahblahblah
port= 1433
database= virtualreceptionist
tds_version = 7.0
language= us_english

$ cat /etc/iodbc/odbcinst.ini
[ODBC Drivers]
FreeTDS = Installed

[FreeTDS]
Driver = /usr/local/lib/libtdsodbc.so
Setup = /usr/local/lib/libtdsodbc.so

$ iodbctest 'DSN=MSSQL-asterisk;UID=sa;PWD=blahblahblah'
iODBC Demonstration program
This program shows an interactive SQL processor
Driver Manager: 03.52.0406.0126
Driver: 0.82 (libtdsodbc.so)

SQL>select @@VERSION;
Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

result set 1 returned 1 rows.

SQL>^D
Have a nice day.

DBI::Sybase is much easier to use, but this proves that you can get ODBC/FreeTDS working on OpenBSD...
Re: Simple question about ./configure
Stuart Henderson wrote:
> On 2009-07-17, Vijay Sankar <vsan...@foretell.ca> wrote:
>> [...]
>> By changing the port I was able to get libtdsodbc (this was a few days ago and I had sent the modified Makefile to misc@) but I had problems setting up a DSN through iodbcadm (as well as through text files). Also, when I tried to compile pyodbc, I got errors saying that -liodbc not recognized.
>> [...]
>
> since you have produced a libtdsodbc.so, try something like this. it won't work with the in-tree port as things stand at the moment.
>
> $ cat /etc/iodbc/odbc.ini
> [...]
> $ cat /etc/iodbc/odbcinst.ini
> [...]
> $ iodbctest 'DSN=MSSQL-asterisk;UID=sa;PWD=blahblahblah'
> [...]
> DBI::Sybase is much easier to use, but this proves that you can get ODBC/FreeTDS working on OpenBSD...

This is very helpful information and your comments all along have helped solve this. Thanks very much.

I retraced all the steps and repeated the installation on a clean system. That was when I realized that even though I had modified the Makefile to include with-iodbc, I did not have a LIBDEPENDS += iodbc::databases/iodbc. As a result, the ODBC driver was not loaded and that was the root cause of the problem. Now MSSQL 2000 DSN and MSSQL2005 DSNs seem to work properly.

    server11# iodbctest 'DSN=MSSQL-new;UID=sa;PWD=sql2005'
    iODBC Demonstration program
    This program shows an interactive SQL processor
    Driver Manager: 03.52.0406.0126
    Driver: 0.63 (libtdsodbc.so)

    SQL>select @@version
    Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86)
    Nov 24 2008 13:01:59
    Copyright (c) 1988-2005 Microsoft Corporation
    Developer
Re: Simple question about ./configure
run! if you have to do ./configure your personal hell has started...

On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
> I am trying to compile freetds-stable with iodbc and used the following:
>
>     env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure --with-iodbc --disable-threadsafe
>
> Even though isql.h is in /usr/local/include I get the error saying isql.h not found. How can I resolve this?
>
> (I am trying to compile the source to see if I can get libtdsodbc, so using the standard package will not work)
>
> Appreciate any clues.
>
> Thanks very much,
>
> Vijay
Re: PF: very simple question...
Limaunion wrote:
> Hi, for some reason my OpenBSD 4.4 firewall has been able to negotiate a dhcp request although there are no rules that allow this operation.

Thanks everyone for the explanation, I wasn't sure what was wrong with my configuration. Now it's clear.

Best regards.
JC
Re: PF: very simple question...
On 2008-11-06, Can Erkin Acar [EMAIL PROTECTED] wrote:
> Parsing raw network data, even from a file, provides an opportunity to inject incredible amounts of malicious input to the parser. That is also one reason we do not have ethereal/wireshark in ports. The last time I looked, they had a lot of parsers and an incredible amount of complex code tied to that stream of malicious input.

wireshark now has support to run only the packet capture as a privileged user (by installing dumpcap setuid to a user with read access to /dev/bpf, typically root but can be another if you change permissions). the dissectors and UI are run as whichever user started it.

unfortunately, they haven't gone as far as we did with tcpdump - wireshark's dissectors are run as the normal user starting it, not jailed in an unprivileged process. anyone considering running it should still take a lot of care...
PF: very simple question...
Hi, for some reason my OpenBSD 4.4 firewall has been able to negotiate a dhcp request although there are no rules that allow this operation.

If I issue a 'dhclient vr0' I get the following:

    $ sudo dhclient vr0
    DHCPREQUEST on vr0 to 255.255.255.255 port 67
    DHCPACK from 190.18.xx.yy
    bound to 190.18.xx.yy -- renewal in 10628 seconds.

Here's my testing ruleset (I've flushed everything before loading it):

    ### MACROS ###
    extif = vr0
    intif = vr1
    loop = lo0

    ### OPTIONS #
    set block-policy return
    set loginterface $extif
    set skip on $loop

    ### SCRUB ###
    scrub in on $extif all fragment reassemble min-ttl 15 max-mss 1400 no-df
    scrub out on $extif all fragment reassemble random-id no-df

    ### PACKET FILTERING RULES ###
    antispoof log quick for { $extif $intif $loop }
    block log all

    # HOST:::PFIRE #
    # VR1:INBOUND:TCP
    pass in on $intif inet proto tcp from $intif:network to 192.168.1.1 port 22
    (EOF)

So, why isn't the broadcast blocked by 'block all'?

Thanks for answering (probably) this silly question.

JC.
Re: PF: very simple question...
On 2008-11-05, Limaunion [EMAIL PROTECTED] wrote:
> Hi, for some reason my OpenBSD 4.4 firewall has been able to negotiate a dhcp request although there are no rules that allow this operation.

dhcp uses BPF (like tcpdump does), this is below PF and is not restricted by PF.
Re: PF: very simple question...
On Wed, Nov 05, 2008 at 09:47:55PM -0200, Limaunion wrote:
> Hi, for some reason my OpenBSD 4.4 firewall [has] been able to [send a] dhcp request although there are no [pf] rules that allow this operation.

Because dhclient uses a low-level interface, accessible only to root, that gets around PF. This is the same low-level interface that enables dhclient to access the network before it is properly configured, so there is not really a way around this.

Since root can disable pf anyway, this is not a security problem. But it is indeed surprising.

Joachim
Re: PF: very simple question...
On 2008-11-06, Stuart Henderson wrote:
> On 2008-11-05, Limaunion [EMAIL PROTECTED] wrote:
>> Hi, for some reason my OpenBSD 4.4 firewall has been able to negotiate a dhcp request although there are no rules that allow this operation.
>
> dhcp uses BPF (like tcpdump does), this is below PF and is not restricted by PF.

Fortunately, the OpenBSD dhclient goes into a lot of pains to reduce the impact of a security vulnerability in itself.

It employs privilege separation, using two processes, one privileged and one running with no privileges, chrooted to an empty directory. The privileged process does configuration of IP addresses, routes, DNS configuration etc., by communicating with the unprivileged process.

The unprivileged process has a connection (file descriptor) to the BPF interface. Before dropping privileges, it first sets up filters that restrict the kind of packets it can receive *and send* through the BPF interface, and locks in these filter settings so that they can not be changed.

If the unprivileged process gets compromised while doing its dirty work of parsing network packets it can only send and receive DHCP packets on a specific interface, as restricted by the filter (it can not even spoof its MAC address). This is much better than full network sniffing and arbitrary packet injection on *any* interface, that an unfiltered/unlocked BPF descriptor allows.

A compromised process can also modify interface settings, routes or DNS configuration through the privileged process, but by using DHCP you already give this power over to some unauthenticated entity on your local network anyway.

Enjoy
Can

PS: We tried to restrict (and audit) every BPF using program in the base system using the mechanisms described above. Even tcpdump requires root to run so that it can properly drop privileges. Parsing raw network data, even from a file, provides an opportunity to inject incredible amounts of malicious input to the parser. That is also one reason we do not have ethereal/wireshark in ports. The last time I looked, they had a lot of parsers and an incredible amount of complex code tied to that stream of malicious input.
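The filtered BPF descriptor that Stuart, Joachim and Can describe above (BPF sits below PF, so the only thing limiting what a compromised dhclient can read or inject is the filter program installed before privileges are dropped) is easier to reason about with a concrete filter in hand. The following is an added example written for this page, not OpenBSD's dhclient source: it builds a classic BPF program of the same shape a DHCP client's read-side filter has (IPv4, UDP, not a later fragment, destination port 68) and evaluates it on constructed frames with a small interpreter, so it runs without a bpf device. The opcode values are the classic BPF encodings; the interpreter, the frame layout and the sample frames are this example's own, and a real filter would additionally be installed and locked in the kernel rather than interpreted in user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One classic BPF instruction, laid out as in <net/bpf.h>. */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Classic BPF opcode encodings for the subset this example uses. */
enum {
    LD_H_ABS  = 0x28, /* A = 16-bit big-endian word at pkt[k]           */
    LD_B_ABS  = 0x30, /* A = byte at pkt[k]                              */
    LDX_MSH_B = 0xb1, /* X = 4 * (pkt[k] & 0x0f): the IPv4 header length */
    LD_H_IND  = 0x48, /* A = 16-bit word at pkt[X + k]                   */
    JEQ_K     = 0x15, /* pc += (A == k) ? jt : jf                        */
    JSET_K    = 0x45, /* pc += (A & k)  ? jt : jf                        */
    RET_K     = 0x06  /* return k: bytes to accept, 0 means drop         */
};
#define STMT(code, k)       { (code), 0, 0, (k) }
#define JUMP(code, k, t, f) { (code), (t), (f), (k) }
#define DHCP_FILTER_LEN 11

/* Fill 'f' with a filter that accepts only IPv4/UDP, unfragmented, to UDP
 * port 'port' (68 for a client's read side). Jump offsets are relative to
 * the next instruction, as in real BPF; instruction 10 is the single "drop"
 * exit every failed test jumps to, so nothing else can be accepted.       */
static void make_dhcp_filter(struct bpf_insn *f, uint16_t port)
{
    const struct bpf_insn tmpl[DHCP_FILTER_LEN] = {
        STMT(LD_H_ABS, 12),         /* 0: ethertype                         */
        JUMP(JEQ_K, 0x0800, 0, 8),  /* 1: not IPv4 -> 10                    */
        STMT(LD_B_ABS, 23),         /* 2: IP protocol                       */
        JUMP(JEQ_K, 17, 0, 6),      /* 3: not UDP -> 10                     */
        STMT(LD_H_ABS, 20),         /* 4: IP flags + fragment offset        */
        JUMP(JSET_K, 0x1fff, 4, 0), /* 5: non-first fragment -> 10          */
        STMT(LDX_MSH_B, 14),        /* 6: X = IPv4 header length            */
        STMT(LD_H_IND, 16),         /* 7: UDP dst port = pkt[X + 14 + 2]    */
        JUMP(JEQ_K, 0, 0, 1),       /* 8: port patched below; wrong -> 10   */
        STMT(RET_K, 1500),          /* 9: accept                            */
        STMT(RET_K, 0)              /* 10: drop                             */
    };
    memcpy(f, tmpl, sizeof tmpl);
    f[8].k = port;
}

/* Minimal interpreter for the subset above. An out-of-bounds load or an
 * unknown opcode drops the packet, which is the safe direction to fail.  */
static uint32_t bpf_run(const struct bpf_insn *prog, size_t n,
                        const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, off;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case LD_H_ABS:  if (in->k + 2 > len) return 0;
                        A = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1]; break;
        case LD_B_ABS:  if (in->k + 1 > len) return 0;
                        A = pkt[in->k]; break;
        case LDX_MSH_B: if (in->k + 1 > len) return 0;
                        X = 4u * (pkt[in->k] & 0x0f); break;
        case LD_H_IND:  off = X + in->k; if (off + 2 > len) return 0;
                        A = (uint32_t)pkt[off] << 8 | pkt[off + 1]; break;
        case JEQ_K:     pc += (A == in->k) ? in->jt : in->jf; break;
        case JSET_K:    pc += (A & in->k)  ? in->jt : in->jf; break;
        case RET_K:     return in->k;
        default:        return 0;
        }
    }
    return 0; /* ran off the end of the program: drop */
}

#define FRAME_LEN 64

/* 1 if a constructed Ethernet/IPv4/transport frame with these header fields
 * (only the fields the filter inspects are filled in; truncated to 'len'
 * bytes) would be delivered to a client filtering on UDP port 'listen_port'. */
int frame_accepted(uint16_t ethertype, uint8_t proto, uint16_t frag_field,
                   uint16_t dport, uint16_t listen_port, size_t len)
{
    struct bpf_insn prog[DHCP_FILTER_LEN];
    uint8_t f[FRAME_LEN];
    memset(f, 0, FRAME_LEN);
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    f[14] = 0x45;                                     /* IPv4, IHL = 5  */
    f[20] = frag_field >> 8; f[21] = frag_field & 0xff;
    f[23] = proto;
    f[36] = dport >> 8; f[37] = dport & 0xff;         /* 14 + 20 + 2    */
    make_dhcp_filter(prog, listen_port);
    return bpf_run(prog, DHCP_FILTER_LEN, f, len) != 0;
}

int main(void)
{
    printf("DHCP reply to port 68: %d\n", frame_accepted(0x0800, 17, 0, 68, 68, FRAME_LEN));
    printf("DNS reply to port 53:  %d\n", frame_accepted(0x0800, 17, 0, 53, 68, FRAME_LEN));
    printf("TCP segment:           %d\n", frame_accepted(0x0800, 6, 0, 68, 68, FRAME_LEN));
    printf("later IP fragment:     %d\n", frame_accepted(0x0800, 17, 1, 68, 68, FRAME_LEN));
    return 0;
}
```

The point of the single drop exit and the fail-closed interpreter is the one Can makes: anything the filter does not positively match never reaches the unprivileged parser, and a truncated or oddly fragmented frame is dropped rather than partially read. On OpenBSD the equivalent program is handed to the kernel with bpf(4)'s BIOCSETF ioctl (BIOCSETWF for the write-side filter, which for a client would instead pin the source port to 68 and the destination to 67), and BIOCLOCK then freezes those settings so that the process holding the descriptor cannot loosen them after it has dropped privileges.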
Simple Question
My name is Raven and I recently visited your website innerewut.de. After browsing around I was quite impressed with your website and would like to add it to my links page. I am trying to add as many good websites as possible to my site for the benefit of my users. Some website owners do not like when other sites link to them so I thought I might ask first. I think the information on your website could be useful to my visitors; and unlike many other websites online your site was quite appealing to me. Please get back to me when you have a chance. Thanks. Raven No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.467 / Virus Database: 269.6.1/778 - Release Date: 4/27/2007 1:39 PM
kernel debug simple question
hi there,

i am trying to troubleshoot a usb external disk. the disk detaches while mounted and used. how can i umount / before i am going to reboot? syncing cannot work in this case of course, but that leaves only the external disk in a dirty state, not my /, hence the question.

is it possible to do it before getting dropped into ddb? or is it possible to do it from ddb? some posts past implied that anything is possible from ddb :D

-f
-- 
why is the alphabet in that order? is it because of that song?
pf multicast address: very simple question
Dear list members,

i am setting up a firewall and would like to block any packet destined to a multicast address with a protocol not equal to udp. Is this a sound rule? Is it possible?

Thanks.
Re: pf multicast address: very simple question
On Fri, Feb 09, 2007 at 04:27:26PM -0200, Gustavo Rios wrote:
> Dear list members, i am setting up a firewall and would like to block any packet destined to a multicast address with a protocol not equal to udp. Is this a sound rule? Is it possible?

Sure it is possible; if it is sound is up to you. e.g. OSPF does not use UDP.
Btw. unless you enable multicast forwarding and add some multicast routes no multicast traffic will traverse your firewall.

-- 
:wq Claudio
Re: Simple question
Guilherme:

I tested bandwidthd... looks good, there was a non official port to openbsd in previous versions... I installed it, but from source, here is the tricky install history (spanish)...
http://www.fathersfate.com.mx/wordpress/?p=188
and a screenshot here
http://i70.photobucket.com/albums/i91/cash_jhonny/band.jpg

If u have problems lemme know

Tip: try to use a more explicative subject on your messages to the list.
Simple question
I wonder if there is a tool that focuses on network bandwidth monitoring such as NTOP, that runs on OpenBSD. I've tried to get NTOP running on my OpenBSD 3.9 server but no further success - I know there is an old version of NTOP on ports but I need something able to generate also web monitoring...

That's all.

Regards
Re: Simple question
On 9 Sep 2006, at 17:25, Guilherme wrote:
> I wonder if there is a tool that focuses on network bandwidth monitoring such as NTOP, that runs on OpenBSD. I've tried to get NTOP running on my OpenBSD 3.9 server but no further success - I know there is an old version of NTOP on ports but I need something able to generate also web monitoring...
>
> That's all.
>
> Regards

Trafshow
Re: Simple question
On Sat, Sep 09, 2006 at 01:25:35PM -0300, Guilherme wrote:
> I wonder if there is a tool that focuses on network bandwidth monitoring such as NTOP, that runs on OpenBSD. I've tried to get NTOP running on my OpenBSD 3.9 server but no further success - I know there is an old version of NTOP on ports but I need something able to generate also web monitoring...

Try /usr/ports/*/pf* - net/pfstat seems particularly suited.

Joachim
environment variables: simple question, sorry!
Dear folks,

i am trying to get the following line in my /etc/rc.local file:

    csh -cf '$ASDROOT/thr/svscanboot '

And in my /etc/rc.conf.local i added:

    ASDROOT=/asd

During the system boot, all i get is "the ASDROOT variable is undefined". How could it be accomplished?

thanks in advance.

best regards.
Re: environment variables: simple question, sorry!
On Jul 12, 2006, at 2:33 PM, Gustavo Rios wrote:
> Dear folks,
>
> i am trying to get the following line in my /etc/rc.local file:
>
>     csh -cf '$ASDROOT/thr/svscanboot '
>
> And in my /etc/rc.conf.local i added:
>
>     ASDROOT=/asd
>
> During the system boot, all i get is "the ASDROOT variable is undefined".

Yes, because it isn't exported and you've surrounded it with single quotes, so it's passed to CSH for interp, and CSH doesn't have it in its env.

---
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527
Re: Simple question about appletalk
Bryan Irvine [EMAIL PROTECTED] wrote:
> If the laptop only needs www access no appletalk is needed. Appletalk is purely a file serving mechanism, like samba or nfs. If you need appletalk it's pretty easy to set up on OpenBSD.

Well... Appletalk itself is a lower-level protocol than samba or nfs; it's a network protocol which is an alternative to IP. That is, it uses link protocols - these days almost always Ethernet; in the last century often also Localtalk, a 230kbps serial protocol - for transport, and carries upper-level protocols, such as AFP (Apple File Protocol) in turn. A similar protocol (in terms of where it sits in the networking stack) would be IPX.

In 'modern' Mac usage, Appletalk is still used in some environments for file sharing and for printing. Unless you have bits of kit in place which are happy to route Appletalk, it'll only be carried on one LAN segment.

From what I can glean from manpages and Google (and I'll be trying this live in the next month or so, but have no first-hand experience currently) OpenBSD support for Appletalk is available (good) but not turned on in the GENERIC kernel (less good). atalk(4) describes the kernel interface; documentation suggests (but doesn't state authoritatively?) that OpenBSD will route Appletalk among multiple network interfaces; if you want to serve files and/or print, you'll want the netatalk package. There's a 1.6 version in the ports collection; a web page at
http://www.doink.org/geeklog/public_html/article.php?story=20051212224355152
describes a recent instance of 'manual' (i.e. outwith the ports collection) compilation of the 2.0 version.

HTH - Stefek
Simple question about appletalk
I need to put a laptop running Mac OS X (10.3 I think) in my OpenBSD powered network - OpenBSD router/firewall. The problem is that I don't know if I need Appletalk or not installed (I have an urgent problem that must be solved with this laptop, but it's not mine and I haven't worked too much with Apple computers). At this moment I don't have the laptop, but I need it up and running in the second when it appears so I need to know in advance if I need to enable Appletalk in the network (this laptop needs only www access).

And another problem: in /etc/pf.conf I have "scrub in all reassemble tcp" - is this a problem with Mac OS X (I have some problems with some Mandriva Linux machines here and I think this is the problem).

Thank you very much in advance.

Respectfully yours,
Gabriel George POPA
Re: Simple question about appletalk
On Feb 23, 2006, at 1:52 PM, Gabriel George POPA wrote:
> I need to put a laptop running Mac OS X (10.3 I think) in my OpenBSD powered network - OpenBSD router/firewall. The problem is that I don't know if I need Appletalk or not installed

Mac OS X is based on FreeBSD. It is just another commercial UNIX. AppleTalk has not been required for Mac OS general use networking in quite some time.

-- 
Bryan Allen
[EMAIL PROTECTED]
http://bda.mirrorshades.net
Cyberpunk is dead. Long live cyberpunk.
Re: Simple question about appletalk
Sorry for the top-post but there just wasn't anywhere appropriate for a snip type of thing.

If the laptop only needs www access no appletalk is needed. Appletalk is purely a file serving mechanism, like samba or nfs. If you need appletalk it's pretty easy to set up on OpenBSD.

--Bryan

On 2/23/06, Gabriel George POPA [EMAIL PROTECTED] wrote:
> I need to put a laptop running Mac OS X (10.3 I think) in my OpenBSD powered network - OpenBSD router/firewall. The problem is that I don't know if I need Appletalk or not installed (I have an urgent problem that must be solved with this laptop, but it's not mine and I haven't worked too much with Apple computers). At this moment I don't have the laptop, but I need it up and running in the second when it appears so I need to know in advance if I need to enable Appletalk in the network (this laptop needs only www access).
>
> And another problem: in /etc/pf.conf I have "scrub in all reassemble tcp" - is this a problem with Mac OS X (I have some problems with some Mandriva Linux machines here and I think this is the problem).
>
> Thank you very much in advance.
>
> Respectfully yours,
> Gabriel George POPA
Re: [unclassified] Simple Question about PF
Giancarlo Razzolini wrote:
> Thanks for the prompt reply. I had some luck yesterday with altq. I've put 300kb as bandwidth limit in my internal iface and 150Kb in my external iface. And assigned traffic to the download queue (300Kb) and it worked. The only problem is that i'm using keep state in all of my rules, and i'll have to change this behavior to filter the incoming and the outgoing packets. I only ran into one problem, the connections to the firewall itself (ssh, for example) ended up being queued too. And 300Kb is a very little bandwidth if you have 2 simultaneous downloads. But i believe that not using keep state for some of my rules will do the trick.

Keeping state has nothing to do with ALTQ, apart from making things go faster because the rules (and thus, the queue) don't need constant re-evaluation.
Simple Question about PF
Hello folks,

I finally took some time and did my pf.conf firewall from scratch, actually learning it (i did my first using fwbuilder. It worked, but i wanted to do a hands on approach). And now i must say i'm almost proficient in pf. I must confess i found it much simpler than iptables. And more secure, since you can do full state inspection.

But now i have 2 questions about traffic shaping. I want to limit my downloads, to make everyone in my house have a fair slice, and to limit my uploads, to make my ssh connections not hang up every time someone starts an upload. I have an ADSL line with 300Kb inbound and 150Kb outbound. I just want to make clear 3 things:

1) To limit my uploads i have to filter my external interface, using my upload bandwidth as the parameter to the altq (150Kb)?

2) And to limit my downloads i have to limit my internal interface (that has a 10Mbps link with the internal net, and can perform 4.5Mbit/sec), and if so, how to limit my firewall's downloads?

3) I'm using CBQ for both queues with ecn activated. Just wanna know if it's viable, or if it's better to use CBQ on the internal interface and PRIQ on the external.

I would be glad if some of you could clear the things up for me.

Thanks in advance,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: [unclassified] Simple Question about PF
Giancarlo Razzolini wrote:
> Hello folks,
>
> [...] But now i have 2 questions about traffic shaping. I want to limit my downloads, to make everyone in my house have a fair slice, and to limit my uploads, to make my ssh connections not hang up every time someone starts an upload. I have an ADSL line with 300Kb inbound and 150Kb outbound. I just want to make clear 3 things:
>
> 1) To limit my uploads i have to filter my external interface, using my upload bandwidth as the parameter to the altq (150Kb)?
>
> 2) And to limit my downloads i have to limit my internal interface (that has a 10Mbps link with the internal net, and can perform 4.5Mbit/sec), and if so, how to limit my firewall's downloads?
>
> 3) I'm using CBQ for both queues with ecn activated. Just wanna know if it's viable, or if it's better to use CBQ on the internal interface and PRIQ on the external.
>
> I would be glad if some of you could clear the things up for me.

Welcome to the crew. Sounds like you're doing pretty much the exact same thing I was doing last year on an ADSL line shared between myself and two roomies. If you haven't gotten all the way through it yet, read the PF user's guide at http://www.openbsd.org/faq/pf/index.html, and pay special attention to the examples in the Packet Queueing and Prioritization section.

While leaving the particular rules up to you, I'll make the following suggestions:

1: Set your upload bandwidth to about 125% of your advertised rate.

2: Unless it was just dumb luck, there's nothing wrong with using the full bandwidth of your internal interface.

3: I've had better results using CBQ on internal interfaces, and PRIQ on the external.

In my 3-person condo last year, using your 300k downstream, I'd set 100k (borrow) to each person internally, so that if someone's not using their straw, the others could borrow from it. Likewise, my outbound priority was something along the lines of ACK, DNS, SSH, HTTP, SMTP/POP, bulk (one was an anime freak, and forcing his habit into the 'bulk' queue allowed the rest of us to surf in peace). Obviously, what worked best for me may not be best for you.