Simple question on routing for IPSEC

2016-11-23 Thread Bob Jones
Hi,

Sorry for the dumb question but I'm suffering from config-writer's block !

OpenBSD6 if it makes any difference to the answers.

Let's say I've got the following in ipsec.conf on my local gateway :

"ike esp from 198.51.100.0/24 to any"

Given that "any" is a catch-all, how do I, for example specify to
route "203.0.113.0/24" via the ipsec gateway ?

e.g. something like the below (where 192.0.2.1 is the remote gateway)

doas route add -inet 203.0.113.0/24 192.0.2.1
add net 203.0.113.0/24: gateway 192.0.2.1: Network is unreachable

Bob



Re: simple question about ppp

2010-08-14 Thread patrick keshishian
On Fri, Aug 13, 2010 at 10:12 PM, patrick keshishian pkesh...@gmail.com wrote:
 I have been struggling to figure out how to make ppp initiate
 negotiation unsuccessfully. Can someone help me with a simple ppp.conf
 that does a 'set device !/path/to/some/prog' that will initiate
 negotiation? I have a prog that waits for input from stdin and logs
 any input into a /tmp/logfile, but ppp doesn't seem to be spitting
 anything out. When I type dial at the ppp-prompt the prog is
 executed but ppp isn't sending it any data.

 A simple ppp.conf and command line ppp invocation and any ppp commands
 at the ppp-prompt would be most helpful.

A kind soul replied privately and gave me a very bare-bones example
that helped me figure out my mistake.

I've been messing with different ppp.conf settings for three evenings
now. I started out reading ppp.conf.sample, and I misunderstood the
sample section with ssh and was using openmode passive. The comment
Passive mode allows ssh plenty of time to establish the connection
threw me off. I read it to mean gives the program enough time to
establish connection with peer before ppp starts doing its thing. The
man page is very clear about this option, however.

Thank you again!
--patrick



simple question about ppp

2010-08-13 Thread patrick keshishian
I have been struggling to figure out how to make ppp initiate
negotiation unsuccessfully. Can someone help me with a simple ppp.conf
that does a 'set device !/path/to/some/prog' that will initiate
negotiation? I have a prog that waits for input from stdin and logs
any input into a /tmp/logfile, but ppp doesn't seem to be spitting
anything out. When I type dial at the ppp-prompt the prog is
executed but ppp isn't sending it any data.

A simple ppp.conf and command line ppp invocation and any ppp commands
at the ppp-prompt would be most helpful.

Thanks,
--patrick



[ot] Re: Simple question about ./configure

2009-07-18 Thread Matthias Kilian
On Fri, Jul 17, 2009 at 10:23:31PM -0500, Marco Peereboom wrote:
 run!  if you have to do ./configure your personal hell has
 started...

If you call running ./configure a `personal hell', what do you call
it when you have to modify configure.ac and re-run autoconf?
enterprise hell?

(SCNR)

Kili



Simple question about ./configure

2009-07-17 Thread Vijay Sankar

I am trying to compile freetds-stable with iodbc and used the following

env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib 
./configure --with-iodbc --disable-threadsafe


Even though isql.h is in /usr/local/include I get the error saying 
isql.h not found.


How can I resolve this? (I am trying to compile the source to see if I 
can get libtdsodbc, so using the standard package will not work)


Appreciate any clues.

Thanks very much,

Vijay

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca



Re: Simple question about ./configure

2009-07-17 Thread Abel Camarillo
On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
 I am trying to compile freetds-stable with iodbc and used the following

 env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib  
 ./configure --with-iodbc --disable-threadsafe

 Even though isql.h is in /usr/local/include I get the error saying  
 isql.h not found.

 How can I resolve this? (I am trying to compile the source to see if I  
 can get libtdsodbc, so using the standard package will not work)

 Appreciate any clues.

 Thanks very much,

 Vijay

 -- 
 Vijay Sankar, M.Eng., P.Eng.
 ForeTell Technologies Limited
 59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
 Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca


I think that it will be a lot easier to change the port to reflect your
changes.

try looking at the port and see what it does.

-- 
DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ 
This message will self-destruct in 3 seconds.



Re: Simple question about ./configure

2009-07-17 Thread Vijay Sankar

Abel Camarillo wrote:
> On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
>> I am trying to compile freetds-stable with iodbc and used the following
>>
>> env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib
>> ./configure --with-iodbc --disable-threadsafe
>>
>> Even though isql.h is in /usr/local/include I get the error saying
>> isql.h not found.
>>
>> How can I resolve this? (I am trying to compile the source to see if I
>> can get libtdsodbc, so using the standard package will not work)
>>
>> Appreciate any clues.
>>
>> Thanks very much,
>>
>> Vijay
>>
>> --
>> Vijay Sankar, M.Eng., P.Eng.
>> ForeTell Technologies Limited
>> 59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
>> Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca
>
> I think that it will be a lot easier to change the port to reflect your
> changes.
>
> try looking at the port and see what it does.
  
By changing the port I was able to get libtdsodbc (this was a few days 
ago and I had sent the modified Makefile to misc@) but I had problems 
setting up a DSN through iodbcadm (as well as through text files). Also, 
when I tried to compile pyodbc, I got errors saying that -liodbc not 
recognized. My sense is that I am missing some fundamental knowledge and 
so this was just an attempt to learn as well as see if compiling from 
source gives me any clues on setting up pyodbc or if there are any 
changes with the newer freetds. I know this can work on other platforms 
but if at all possible I want to stick with OpenBSD.


Thanks,

Vijay

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca



Re: Simple question about ./configure

2009-07-17 Thread Stuart Henderson
On 2009-07-17, Vijay Sankar vsan...@foretell.ca wrote:
 Abel Camarillo wrote:
 On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
   
 I am trying to compile freetds-stable with iodbc and used the following

 env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib  
 ./configure --with-iodbc --disable-threadsafe

 Even though isql.h is in /usr/local/include I get the error saying  
 isql.h not found.

 How can I resolve this? (I am trying to compile the source to see if I  
 can get libtdsodbc, so using the standard package will not work)

 Appreciate any clues.

 Thanks very much,

 Vijay

 -- 
 Vijay Sankar, M.Eng., P.Eng.
 ForeTell Technologies Limited
 59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
 Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca

 

 I think that it will be a lot easier to change the port to reflect your
 changes.

 try looking at the port and see what it does.

   
 By changing the port I was able to get libtdsodbc (this was a few days 
 ago and I had sent the modified Makefile to misc@) but I had problems 
 setting up a DSN through iodbcadm (as well as through text files). Also, 
 when I tried to compile pyodbc, I got errors saying that -liodbc not 
 recognized. My sense is that I am missing some fundamental knowledge and 
 so this was just an attempt to learn as well as see if compiling from 
 source gives me any clues on setting up pyodbc or if there are any 
 changes with the newer freetds. I know this can work on other platforms 
 but if at all possible I want to stick with OpenBSD.

 Thanks,

 Vijay


since you have produced a libtdsodbc.so, try something like this.
it won't work with the in-tree port as things stand at the moment.

$ cat /etc/iodbc/odbc.ini
[ODBC Data Sources]
MSSQL-asterisk = FreeTDS

[MSSQL-asterisk]
description = Asterisk ODBC for MSSQL
driver      = FreeTDS
server      = blahblahblah
port        = 1433
database    = virtualreceptionist
tds_version = 7.0
language    = us_english

$ cat /etc/iodbc/odbcinst.ini
[ODBC Drivers]
FreeTDS = Installed

[FreeTDS]
Driver = /usr/local/lib/libtdsodbc.so
Setup = /usr/local/lib/libtdsodbc.so

$ iodbctest 'DSN=MSSQL-asterisk;UID=sa;PWD=blahblahblah'
iODBC Demonstration program
This program shows an interactive SQL processor
Driver Manager: 03.52.0406.0126
Driver: 0.82 (libtdsodbc.so)

SQL>select @@VERSION;

Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
May  3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

 result set 1 returned 1 rows.

SQL>^D
Have a nice day.

DBI::Sybase is much easier to use, but this proves that you can get
ODBC/FreeTDS working on OpenBSD...



Re: Simple question about ./configure

2009-07-17 Thread Vijay Sankar

Stuart Henderson wrote:
> On 2009-07-17, Vijay Sankar vsan...@foretell.ca wrote:
>> Abel Camarillo wrote:
>>> On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
>>>> I am trying to compile freetds-stable with iodbc and used the following
>>>>
>>>> env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib
>>>> ./configure --with-iodbc --disable-threadsafe
>>>>
>>>> Even though isql.h is in /usr/local/include I get the error saying
>>>> isql.h not found.
>>>>
>>>> How can I resolve this? (I am trying to compile the source to see if I
>>>> can get libtdsodbc, so using the standard package will not work)
>>>>
>>>> Appreciate any clues.
>>>>
>>>> Thanks very much,
>>>>
>>>> Vijay
>>>>
>>>> --
>>>> Vijay Sankar, M.Eng., P.Eng.
>>>> ForeTell Technologies Limited
>>>> 59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
>>>> Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca
>>>
>>> I think that it will be a lot easier to change the port to reflect your
>>> changes.
>>>
>>> try looking at the port and see what it does.
>>
>> By changing the port I was able to get libtdsodbc (this was a few days
>> ago and I had sent the modified Makefile to misc@) but I had problems
>> setting up a DSN through iodbcadm (as well as through text files). Also,
>> when I tried to compile pyodbc, I got errors saying that -liodbc not
>> recognized. My sense is that I am missing some fundamental knowledge and
>> so this was just an attempt to learn as well as see if compiling from
>> source gives me any clues on setting up pyodbc or if there are any
>> changes with the newer freetds. I know this can work on other platforms
>> but if at all possible I want to stick with OpenBSD.
>>
>> Thanks,
>>
>> Vijay
>
> since you have produced a libtdsodbc.so, try something like this.
> it won't work with the in-tree port as things stand at the moment.
>
> $ cat /etc/iodbc/odbc.ini
> [ODBC Data Sources]
> MSSQL-asterisk = FreeTDS
>
> [MSSQL-asterisk]
> description = Asterisk ODBC for MSSQL
> driver      = FreeTDS
> server      = blahblahblah
> port        = 1433
> database    = virtualreceptionist
> tds_version = 7.0
> language    = us_english
>
> $ cat /etc/iodbc/odbcinst.ini
> [ODBC Drivers]
> FreeTDS = Installed
>
> [FreeTDS]
> Driver = /usr/local/lib/libtdsodbc.so
> Setup = /usr/local/lib/libtdsodbc.so
>
> $ iodbctest 'DSN=MSSQL-asterisk;UID=sa;PWD=blahblahblah'
> iODBC Demonstration program
> This program shows an interactive SQL processor
> Driver Manager: 03.52.0406.0126
> Driver: 0.82 (libtdsodbc.so)
>
> SQL>select @@VERSION;
>
> Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
> May  3 2005 23:18:38
> Copyright (c) 1988-2003 Microsoft Corporation
> Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
>
>  result set 1 returned 1 rows.
>
> SQL>^D
> Have a nice day.
>
> DBI::Sybase is much easier to use, but this proves that you can get
> ODBC/FreeTDS working on OpenBSD...

  
This is very helpful information and your comments all along have helped 
solve this. Thanks very much.


I retraced all the steps and repeated the installation on a clean 
system. That was when I realized that even though I had modified the 
Makefile to include with-iodbc, I did not have a LIBDEPENDS += 
iodbc::databases/iodbc. As a result, the ODBC driver was not loaded and 
that was the root cause of the problem.


Now MSSQL 2000 DSN and MSSQL2005 DSNs seem to work properly.

server11# iodbctest 'DSN=MSSQL-new;UID=sa;PWD=sql2005'
iODBC Demonstration program
This program shows an interactive SQL processor
Driver Manager: 03.52.0406.0126
Driver: 0.63 (libtdsodbc.so)

SQL>select @@version

Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86)
   Nov 24 2008 13:01:59
   Copyright (c) 1988-2005 Microsoft Corporation
   Developer 

Re: Simple question about ./configure

2009-07-17 Thread Marco Peereboom
run!  if you have to do ./configure your personal hell has
started...

On Fri, Jul 17, 2009 at 02:55:53PM -0500, Vijay Sankar wrote:
 I am trying to compile freetds-stable with iodbc and used the following

 env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib  
 ./configure --with-iodbc --disable-threadsafe

 Even though isql.h is in /usr/local/include I get the error saying  
 isql.h not found.

 How can I resolve this? (I am trying to compile the source to see if I  
 can get libtdsodbc, so using the standard package will not work)

 Appreciate any clues.

 Thanks very much,

 Vijay

 -- 
 Vijay Sankar, M.Eng., P.Eng.
 ForeTell Technologies Limited
 59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
 Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca



Re: PF: very simple question...

2008-11-06 Thread Limaunion

Limaunion wrote:
> Hi, for some reason my OpenBSD 4.4 firewall is been able to negotiate
> dhcp request although there are no rules that allow this operation.

Thanks everyone for the explanation, I wasn't sure what was wrong with 
my configuration. Now it's clear.

Best regards.
JC



Re: PF: very simple question...

2008-11-06 Thread Stuart Henderson
On 2008-11-06, Can Erkin Acar [EMAIL PROTECTED] wrote:
 Parsing raw network 
 data, even from a file, provides an opportunity to inject incredible 
 amounts of malicious input to the parser. That is also one reason we do 
 not have ethereal/wireshark in ports. The last time I looked, they had a 
 lot of parsers and an incredible amount of complex code tied to that 
 stream of malicious input.

wireshark now has support to run only the packet capture as a
privileged user (by installing dumpcap setuid to a user with read
access to /dev/bpf, typically root but can be another if you change
permissions). the dissectors and UI are run as whichever user
started it.

unfortunately, they haven't gone as far as we did with tcpdump -
wireshark's dissectors are run as the normal user starting it,
not jailed in an unprivileged process. anyone considering running
it should still take a lot of care...



PF: very simple question...

2008-11-05 Thread Limaunion
Hi, for some reason my OpenBSD 4.4 firewall is been able to negotiate 
dhcp request although there are no rules that allow this operation.


If I issue a 'dhclient vr0' I get the following:

$sudo dhclient vr0
DHCPREQUEST on vr0 to 255.255.255.255 port 67
DHCPACK from 190.18.xx.yy
bound to 190.18.xx.yy -- renewal in 10628 seconds.

Here's my testing ruleset (I've flushed everything before loading it):

### MACROS ###
extif  = vr0
intif  = vr1
loop   = lo0

### OPTIONS #
set block-policy return
set loginterface $extif
set skip on $loop

### SCRUB ###
scrub in on $extif all fragment reassemble min-ttl 15 max-mss 1400 no-df
scrub out on $extif all fragment reassemble random-id no-df

### PACKET FILTERING RULES ###
antispoof log quick for { $extif $intif $loop }

block log all

# HOST:::PFIRE #

# VR1:INBOUND:TCP
pass in on $intif inet proto tcp from $intif:network to 192.168.1.1 port 22
(EOF)

So, why isn't the broadcast blocked by 'block all' ?
Thanks for answering (probably) this silly question.
JC.



Re: PF: very simple question...

2008-11-05 Thread Stuart Henderson
On 2008-11-05, Limaunion [EMAIL PROTECTED] wrote:
 Hi, for some reason my OpenBSD 4.4 firewall is been able to negotiate 
 dhcp request although there are no rules that allow this operation.

dhcp uses BPF (like tcpdump does), this is below PF and is not
restricted by PF.



Re: PF: very simple question...

2008-11-05 Thread Joachim Schipper
On Wed, Nov 05, 2008 at 09:47:55PM -0200, Limaunion wrote:
 Hi, for some reason my OpenBSD 4.4 firewall [has] been able to [send
 a] dhcp request although there are no [pf] rules that allow this
 operation.

Because dhclient uses a low-level interface, accessible only to root,
that gets around PF. This is the same low-level interface that enables
dhclient to access the network before it is properly configured, so
there is not really a way around this.

Since root can disable pf anyway, this is not a security problem. But it
is indeed surprising.

Joachim



Re: PF: very simple question...

2008-11-05 Thread Can Erkin Acar

On 2008-11-06, Stuart Henderson wrote:
> On 2008-11-05, Limaunion [EMAIL PROTECTED] wrote:
>> Hi, for some reason my OpenBSD 4.4 firewall is been able to negotiate
>> dhcp request although there are no rules that allow this operation.
>
> dhcp uses BPF (like tcpdump does), this is below PF and is not
> restricted by PF.

Fortunately, the OpenBSD dhclient goes to a lot of pains to reduce the
impact of a security vulnerability in itself.

It employs privilege separation, using two processes, one privileged and
one running with no privileges, chrooted to an empty directory.


The privileged process does configuration of IP addresses, routes, DNS 
configuration etc, by communicating with the unprivileged process.


The unprivileged process has a connection (file descriptor) to the BPF 
interface. Before dropping privileges, it first sets up filters that 
restrict the kind of packets it can receive *and send* through the BPF 
interface, and locks in these filter settings so that they can not be 
changed.


If the unprivileged process gets compromised while doing its dirty work 
of parsing network packets it can only send and receive DHCP packets on 
a specific interface, as restricted by the filter (it can not even spoof 
its MAC address). This is much better than full network sniffing and 
arbitrary packet injection on *any* interface, that an 
unfiltered/unlocked BPF descriptor allows. A compromised process can 
also modify interface settings, routes or DNS configuration through the 
privileged process, but by using DHCP you already give this power over 
to some unauthenticated entity on your local network anyway.



Enjoy

Can

PS: We tried to restrict (and audit) every BPF using program in the base 
system using the mechanisms described above. Even tcpdump requires root 
to run so that it can properly drop privileges. Parsing raw network 
data, even from a file, provides an opportunity to inject incredible 
amounts of malicious input to the parser. That is also one reason we do 
not have ethereal/wireshark in ports. The last time I looked, they had a 
lot of parsers and an incredible amount of complex code tied to that 
stream of malicious input.
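
The filter-then-lock idea from the message above, as an added example (not dhclient's source and not code from this thread): a small user-space model that interprets a classic BPF write filter passing only unfragmented IPv4 UDP frames from port 68 to port 67, and refuses filter changes once the descriptor is locked. The filter program, the `bpf_desc` struct and every function name here are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcodes used below (numeric values as in net/bpf.h). */
enum {
    LDH_ABS = 0x28, /* A = 16-bit value at pkt[k]                 */
    LDB_ABS = 0x30, /* A = byte at pkt[k]                         */
    LDH_IND = 0x48, /* A = 16-bit value at pkt[X + k]             */
    LDX_MSH = 0xb1, /* X = 4 * (pkt[k] & 0x0f), the IP header len */
    JEQ_K   = 0x15, /* skip jt insns if A == k, else skip jf      */
    JSET_K  = 0x45, /* skip jt insns if (A & k) != 0, else jf     */
    RET_K   = 0x06  /* return k; 0 rejects the frame              */
};
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Constructed write filter: IPv4, UDP, fragment offset 0, port 68 -> 67. */
static const struct insn dhcp_wfilter[] = {
    { LDH_ABS, 0,  0, 12 },          /* Ethernet type              */
    { JEQ_K,   0, 10, 0x0800 },      /* not IPv4: reject           */
    { LDB_ABS, 0,  0, 23 },          /* IP protocol                */
    { JEQ_K,   0,  8, 17 },          /* not UDP: reject            */
    { LDH_ABS, 0,  0, 20 },          /* IP flags + fragment offset */
    { JSET_K,  6,  0, 0x1fff },      /* offset != 0: reject        */
    { LDX_MSH, 0,  0, 14 },          /* X = IP header length       */
    { LDH_IND, 0,  0, 14 },          /* UDP source port            */
    { JEQ_K,   0,  3, 68 },          /* not from bootpc: reject    */
    { LDH_IND, 0,  0, 16 },          /* UDP destination port       */
    { JEQ_K,   0,  1, 67 },          /* not to bootps: reject      */
    { RET_K,   0,  0, 0xffffffffu }, /* accept the whole frame     */
    { RET_K,   0,  0, 0 },           /* reject                     */
};
static const struct insn allow_all[] = { { RET_K, 0, 0, 0xffffffffu } }; /* accepts anything */

/* Minimal interpreter for the opcodes above; out-of-bounds loads reject. */
static uint32_t run_filter(const struct insn *f, size_t n, const uint8_t *p, size_t len)
{
    uint32_t A = 0, X = 0, off;
    for (size_t i = 0; i < n; i++) {
        switch (f[i].code) {
        case LDH_ABS: case LDH_IND:
            off = f[i].k + (f[i].code == LDH_IND ? X : 0);
            if ((size_t)off + 2 > len) return 0;
            A = ((uint32_t)p[off] << 8) | p[off + 1];
            break;
        case LDB_ABS: case LDX_MSH:
            if (f[i].k >= len) return 0;
            if (f[i].code == LDB_ABS) A = p[f[i].k];
            else X = (p[f[i].k] & 0x0fu) << 2;
            break;
        case JEQ_K:  i += (A == f[i].k) ? f[i].jt : f[i].jf; break;
        case JSET_K: i += (A & f[i].k) ? f[i].jt : f[i].jf; break;
        case RET_K:  return f[i].k;
        default:     return 0;
        }
    }
    return 0;
}

/* User-space model of a BPF descriptor. On OpenBSD the real operations are
 * the BIOCSETWF (set write filter) and BIOCLOCK ioctls on a /dev/bpf fd. */
struct bpf_desc { const struct insn *wf; size_t wf_len; int locked; };
static int desc_set_wfilter(struct bpf_desc *d, const struct insn *f, size_t n)
{
    if (d->locked) return -1;        /* locked: the filter is frozen */
    d->wf = f; d->wf_len = n;
    return 0;
}

/* Install the filter and lock it before any packet is parsed. */
static struct bpf_desc locked_dhcp_desc(void)
{
    struct bpf_desc d = { NULL, 0, 0 };
    desc_set_wfilter(&d, dhcp_wfilter, sizeof(dhcp_wfilter) / sizeof(dhcp_wfilter[0]));
    d.locked = 1;                    /* models the BIOCLOCK step */
    return d;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
/* Write a constructed 42-byte Ethernet/IPv4/UDP frame through the descriptor:
 * returns the bytes "sent", or -1 when the write filter rejects the frame. */
static int try_send(const struct bpf_desc *d, uint16_t etype, uint8_t proto,
                    uint16_t frag, uint16_t sport, uint16_t dport)
{
    uint8_t b[42] = { 0 };
    put16(b + 12, etype); put16(b + 20, frag);
    b[14] = 0x45; b[23] = proto;     /* IPv4 with a 20-byte header */
    put16(b + 34, sport); put16(b + 36, dport);
    return (!d->wf || run_filter(d->wf, d->wf_len, b, sizeof(b))) ? (int)sizeof(b) : -1;
}

int main(void)
{
    struct bpf_desc d = locked_dhcp_desc();
    printf("dhcp=%d dns=%d refilter=%d\n", try_send(&d, 0x0800, 17, 0, 68, 67),
           try_send(&d, 0x0800, 17, 0, 68, 53), desc_set_wfilter(&d, allow_all, 1));
    return 0;
}
```

An unlocked descriptor in the same model accepts the `allow_all` program and then passes any frame, which is the difference the lock makes for a compromised packet parser.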




Simple Question

2007-04-27 Thread info
My name is Raven and I recently visited your website innerewut.de. After
browsing around I was quite impressed with your website and would like to
add it to my links page. I am trying to add as many good websites as
possible to my site for the benefit of my users.

Some website owners do not like when other sites link to them so I thought I
might ask first. I think the information on your website could be useful to
my visitors; and unlike many other websites online your site was quite
appealing to me. Please get back to me when you have a chance. Thanks.

Raven 





kernel debug simple question

2007-02-10 Thread frantisek holop
hi there,

i am trying to troubleshoot a usb external disk.
the disk detaches while mounted and used.

how can i umount / before i am going to reboot?
syncing cannot work in this case of course,
but that leaves only the external disk in a dirty
state, not my /, hence the question.

is it possible to do it before getting dropped
into ddb?  or is it possible to do it from ddb?
some posts past implied that anything is possible
from ddb :D

-f
-- 
why is the alphabet in that order?  is it because of that song?



pf multicast address: very simple question

2007-02-09 Thread Gustavo Rios

Dear list members,

i am setting up a firewall and would like to block any packet
destinated to a multicast address with a protocol not equal to udp. Is
this a sound rule? Is it possible?

Thanks.



Re: pf multicast address: very simple question

2007-02-09 Thread Claudio Jeker
On Fri, Feb 09, 2007 at 04:27:26PM -0200, Gustavo Rios wrote:
 Dear list members,
 
 i am setting up a firewall and would like to block any packet
 destinated to a multicast address with a protocol not equal to udp. Is
 this a sound rule? Is it possible?
 

Sure it is possible; if it is sound is up to you. e.g. OSPF does not use
UDP. Btw. unless you enable multicast forwarding and add some multicast
routes no multicast traffic will traverse your firewall.

-- 
:wq Claudio



Re: Simple question

2006-09-10 Thread Juan Pablo Feria Gomez

Guilherme:

I tested bandwidthd...

looks good, there was a non official port to openbsd in previous versions...

I installed it, but from source, here is the tricky install history (Spanish)...

http://www.fathersfate.com.mx/wordpress/?p=188

and a screenshot here

http://i70.photobucket.com/albums/i91/cash_jhonny/band.jpg


If u have problems lemme know



Tip: try to use a more explicative subject on your messages to the list.



Simple question

2006-09-09 Thread Guilherme
I wonder if there is a tool that focus on network bandwidth monitoring such
as NTOP, that runs on OpenBSD. I've tried to get NTOP running on my OpenBSD
3.9 server but no further success - I know there is an old version of NTOP
on ports but I need something able to generate also web monitoring...

That's all.
Regards



Re: Simple question

2006-09-09 Thread Will Jenkins

On 9 Sep 2006, at 17:25, Guilherme wrote:

> I wonder if there is a tool that focus on network bandwidth monitoring such
> as NTOP, that runs on OpenBSD. I've tried to get NTOP running on my OpenBSD
> 3.9 server but no further success - I know there is an old version of NTOP
> on ports but I need something able to generate also web monitoring...
>
> That's all.
> Regards

Trafshow



Re: Simple question

2006-09-09 Thread Joachim Schipper
On Sat, Sep 09, 2006 at 01:25:35PM -0300, Guilherme wrote:
 I wonder if there is a tool that focus on network bandwidth monitoring such
 as NTOP, that runs on OpenBSD. I've tried to get NTOP running on my OpenBSD
 3.9 server but no further success - I know there is an old version of NTOP
 on ports but I need something able to generate also web monitoring...

Try /usr/ports/*/pf* - net/pfstat seems particularly suited.

Joachim



environment variables: simple question, sorry!

2006-07-12 Thread Gustavo Rios

Dear folks,

i am trying to get the following line in my /etc/rc.local file:

csh -cf '$ASDROOT/thr/svscanboot '

And in my /etc/rc.conf.local i added:

ASDROOT=/asd

During the system boot, all i get is the ASDROOT variable is undefined.

How could it be accomplished?

thanks in advance.

best regards.



Re: environment variables: simple question, sorry!

2006-07-12 Thread Jack J. Woehr
On Jul 12, 2006, at 2:33 PM, Gustavo Rios wrote:

 Dear folks,

 i am trying to get the following line in my /etc/rc.local file:

 csh -cf '$ASDROOT/thr/svscanboot '

 And in my /etc/rc.conf.local i added:

 ASDROOT=/asd

 During the system boot, all i get is the ASDROOT variable is  
 undefined.

Yes, because it isn't exported and you've surrounded it with single  
quotes,
so it's passed to CSH for interp, and CSH doesn't have it in its env.

---
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527



Re: Simple question about appletalk

2006-02-24 Thread Stefek Zaba

Bryan Irvine [EMAIL PROTECTED] wrote:

 If the laptop only needs www access no appletalk is needed.  Appletalk
 is purely a file serving mechanism, like samba or nfs.  If you need
 appletalk it's pretty easy to set up on OpenBSD.

Well... Appletalk itself is a lower-level protocol than samba or nfs; it's a 
network protocol which is an alternative to IP. That is, it uses link 
protocols - these days almost always Ethernet; in the last century often 
also Localtalk, a 230kbps serial protocol - for transport, and carries 
upper-level protocols, such as AFP (Apple File Protocol) in turn. A similar 
protocol (in terms of where it sits in the networking stack) would be IPX.


In 'modern' Mac usage, Appletalk is still used in some environments for file 
sharing and for printing. Unless you have bits of kit in place which are 
happy to route Appletalk, it'll only be carried on one LAN segment.


From what I can glean from manpages and Google (and I'll be trying this 
live in the next month or so, but have no first-hand experience currently) 
OpenBSD support for Appletalk is available (good) but not turned on in the 
GENERIC kernel (less good). atalk(4) describes the kernel interface; 
documentation suggests (but doesn't state authoritatively?) that OpenBSD 
will route Appletalk among multiple network interfaces; if you want to serve 
files and/or print, you'll want the netatalk package. There's a 1.6 version 
in the ports collection; a web page at 
http://www.doink.org/geeklog/public_html/article.php?story=20051212224355152 
describes a recent instance of 'manual' (i.e. outwith the ports collection) 
compilation of the 2.0 version.


HTH - Stefek



Simple question about appletalk

2006-02-23 Thread Gabriel George POPA
I need to put a laptop running Mac OS X (10.3 I think) in my OpenBSD
powered network - OpenBSD router/firewall. The problem is that I don't
know if I need Appletalk or not installed (I have an urgent problem that
must be solved with this laptop, but it's not mine and I haven't worked
too much with Apple computers). At this moment I don't have the laptop,
but I need it up and running in the second when it appears so I need to
know in advance if I need to enable Appletalk in the network (this
laptop needs only www access).

And another problem: in /etc/pf.conf I have scrub in all reassembe tcp -
is this a problem with Mac OS X (I have some problems with some Mandriva
Linux machines here and I think this is the problem).

Thank you very much in advance.

Respectfully yours,

Gabriel George POPA




Re: Simple question about appletalk

2006-02-23 Thread Bryan Allen

On Feb 23, 2006, at 1:52 PM, Gabriel George POPA wrote:

> I need to put a laptop running Mac OS X (10.3 I think) in my OpenBSD
> powered network - OpenBSD router/firewall. The problem is that I don't
> know if I need Appletalk or not installed

Mac OS X is based on FreeBSD. It is just another commercial UNIX.
AppleTalk has not been required for Mac OS general use networking in
quite some time.

-- 
Bryan Allen
[EMAIL PROTECTED]
http://bda.mirrorshades.net
Cyberpunk is dead. Long live cyberpunk.



Re: Simple question about appletalk

2006-02-23 Thread Bryan Irvine
Sorry for the top-post but there just wasn't anywhere appropriate for
a snip type of thing.

If the laptop only needs www access no appletalk is needed.  Appletalk
is purely a file serving mechanism, like samba or nfs.  If you need
appletalk it's pretty easy to set up on OpenBSD.

--Bryan

On 2/23/06, Gabriel George POPA [EMAIL PROTECTED] wrote:
 I need to put a laptop running Mac OS X (10.3 I think) in my
 OpenBSD powered network - OpenBSD router/firewall. The problem is that I
 don't know
 if I need Appletalk or not installed (I have an urgent problem that must
 be solved with this laptop, but it's not mine and I haven't
 worked too much with Apple computers). At this moment I don't have the
 laptop, but I need it up and running in the second when it
 appears so I need to know in advance if I need to enable Appletalk in
 the network (this laptop needs only www access).
 And another problem: in /etc/pf.conf I have scrub in all reassembe
 tcp - is this a problem with Mac OS X (I have some problems
 with some Mandriva Linux machines here and I think this is the problem).

 Thank you very much in advance.



 Respectfully yours,

 Gabriel George POPA



Re: [unclassified] Simple Question about PF

2006-01-10 Thread Chris Zakelj
Giancarlo Razzolini wrote:

> Thanks for the prompt reply. I had some luck yesterday with altq. I've
> put 300kb as bandwidth limit in my internal iface and 150Kb in my
> external iface. And assigned traffic to the download queue (300Kb) and
> it worked. The only problem is that i'm using keep state in all of my
> rules, and i'll have to change this behavior to filter the incoming and
> the outcoming packets. I only run into one problem, the connections to
> the firewall itself (ssh, for example) ended being queued too. And 300Kb
> is a very little bandwidth if you have 2 simultaneous downloads. But i
> believe that not using keep state for some of my rules will do the trick.

Keeping state has nothing to do with ALTQ, apart from making things go
faster because the rules (and thus, the queue) don't need constant
re-evaluation.



Simple Question about PF

2006-01-09 Thread Giancarlo Razzolini
Hello folks,

I finally took some time and did my pf.conf firewall from scratch,
actually learning it (i did my first using fwbuilder. It worked, but i
wanted to do a hands on approach). And now i must say i'm almost
proficient in pf. I must confess i found it much simpler than iptables.
And more secure, since you can do full state inspection. But now i have
2 questions about traffic shaping. I want to limit my downloads, to
make every one in my house to have a fair slice and to limit my uploads,
to make my ssh connections not to hang up every time someone starts an
upload. I have an ADSL line with 300Kb inbound and 150Kb outbound. I just
want to make clear 3 things:

1) To limit my uploads i have to filter my external interface, using my
upload bandwidth as the parameter to the altq (150Kb ) ?
2) And to limit my downloads i have to limit my internal interface (that
have a 10Mbps link with the internal net, and can perform 4.5Mbit/sec)
and if so, how to limit my firewall's downloads
3) I'm using CBQ for both queues with ecn activated. Just wanna know if
it's viable, or it's better to use CBQ on the internal interface and
PRIQ on the external.

I would be glad if some of you could clear the things up for me.

Thanks in advance,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: [unclassified] Simple Question about PF

2006-01-09 Thread Chris Zakelj
Giancarlo Razzolini wrote:

> Hello folks,
>
> I finally took some time and did my pf.conf firewall from scratch,
> actually learning it (i did my first using fwbuilder. It worked, but i
> wanted to do a hands on approach). And now i must say i'm almost
> proficient in pf. I must confess i found it much simpler than iptables.
> And more secure, since you can do full state inspection. But now i have
> 2 questions about traffic shaping. I want to limit my downloads, to
> make every one in my house to have a fair slice and to limit my uploads,
> to make my ssh connections not to hang up every time someone starts an
> upload. I have an ADSL line with 300Kb inbound and 150Kb outbound. I just
> want to make clear 3 things:
>
> 1) To limit my uploads i have to filter my external interface, using my
> upload bandwidth as the parameter to the altq (150Kb ) ?
> 2) And to limit my downloads i have to limit my internal interface (that
> have a 10Mbps link with the internal net, and can perform 4.5Mbit/sec)
> and if so, how to limit my firewall's downloads
> 3) I'm using CBQ for both queues with ecn activated. Just wanna know if
> it's viable, or it's better to use CBQ on the internal interface and
> PRIQ on the external.
>
> I would be glad if some of you could clear the things up for me.
>
> Thanks in advance,

Welcome to the crew.  Sounds like you're doing pretty much the exact
same thing I was doing last year on an ADSL line shared between myself
and two roomies.  If you haven't gotten all the way through it yet, read
the PF user's guide at http://www.openbsd.org/faq/pf/index.html, and pay
special attention to the examples in the Packet Queueing and
Prioritization section.  While leaving the particular rules up to you,
I'll make the following suggestions:

1: Set your upload bandwidth to about 125% of your advertised rate
2: Unless it was just dumb luck, there's nothing wrong with using the
full bandwidth of your internal interface.
3: I've had better results using CBQ on internal interfaces, and PRIQ on
the external.  In my 3-person condo last year, using your 300k
downstream, I'd set 100k (borrow) to each person internally, so that if
someone's not using their straw, the others could borrow from it. 
Likewise, my outbound priority was something along the lines of ACK,
DNS, SSH, HTTP, SMTP/POP, bulk (one was an anime freak, and forcing his
habit into the 'bulk' queue allowed the rest of us to surf in peace).

Obviously, what worked best for me may not be best for you.