Re: Multiple FTP servers behind firewalls
On Wed, Jun 04, 2008 at 06:06:47PM -0400, Calomel wrote:
> Joe,
>
> We have used a CARP firewall (two machines in failover and not
> load balancing) in front of a dozen ftp servers. We use 12 different
> ip addresses in total. One ftp-proxy for each CARP interface and
> forwarding the traffic to one of the 12 backend ftp servers. This works
> fine.
>
> Ftp-Proxy (forward and reverse proxy)
> https://calomel.org/ftp_proxy.html

Thanks, that is exactly what I'm looking for :)

Also, I've read through some of the papers on your site and it is extremely
useful! Thanks for a wonderful resource.

--
joe.
Re: spamd sync question
I forgot to mention that both bridges will run the i386 kernel. If anyone with
experience in this kind of setup would like to comment, I would appreciate it.

Regards,
Jose
saa7134 in OpenBSD ?
Hi,

Has anyone been running a TV card with this chipset? I was looking through
Google and can't find useful info. I know that it's not in the HW supported
list and dmesg only detects it.

Thx
Re: NAT over internet & VPN?
On Wed, Jun 4, 2008 at 5:49 AM, Matt Garman <[EMAIL PROTECTED]> wrote:
> What I'd like to do is have my OBSD box to NAT on the tun device
> (VPN tunnel). I.e., so I can use the VPN connection seamlessly from
> any system on my home network.

basically you want to route your traffic encrypted to your home and then let
it out to the internet? to do this kind of a thing i'm using openvpn in bridged
mode and all NAT-ing is done on the external interface (the gateway does not
differ between vpn client and local client). it should be noted that people on
this list tend to prefer ipsec over openvpn.
Lost sensors info when upgraded from 4.2 to 4.3
Hi

I did an upgrade (read reinstall) last week on a Dell PE830 server from
OpenBSD 4.2 to 4.3. It is a 4.3 RELEASE std install, but a stable update of
kernel and userland from May 29.

The sensors worked ok in 4.2. In 4.3 it looks like this where the sensor info
is null..

[EMAIL PROTECTED]:~#sysctl -a|grep sens
hw.sensors.ami0.drive0=online (sd0), OK
hw.sensors.adt0.temp0=0.00 degC (Remote)
hw.sensors.adt0.temp1=0.00 degC (Internal)
hw.sensors.adt0.temp2=0.00 degC (Remote)
hw.sensors.adt0.volt0=0.00 VDC (+2.5Vin)
hw.sensors.adt0.volt1=0.00 VDC (Vccp)
hw.sensors.adt0.volt2=0.00 VDC (Vcc)
hw.sensors.adt0.volt3=0.00 VDC (+5V)
hw.sensors.adt0.volt4=0.00 VDC (+12V)

dmesg...
http://www.incedo.eu/~sjoholmp/830/dm830

(Btw... I do not remember that the sensors name was "adt" as above on 4.2.
I can however not verify that)

Did I miss anything in the docs or list searches? Bug? Suggestions
appreciated...

Thanks in advance
Per-Olov
Re: Lost sensors info when upgraded from 4.2 to 4.3
On 2008-06-05, Per-Olov Sjöholm <[EMAIL PROTECTED]> wrote:
> I did an upgrade (read reinstall) last week on a Dell PE830 server from
> OpenBSD 4.2 to 4.3. It is a 4.3 RELEASE std install, but a stable update of
> kernel and userland from May 29.
>
> The sensors worked ok in 4.2. In 4.3 it looks like this where the sensor info
> is null..

They were probably from ipmi before; this was knocked out of GENERIC until bad
interactions with acpi on some machines are fixed. See
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/conf/GENERIC r1.589.
pciide and hot swapping disks?
Hi folks,

I haven't seen this mentioned on the mailing list, and the man page doesn't
tell, either, so hopefully it is allowed to ask:

Does pciide support hot-swapping hard disks?

(I've got a ServerWorks HT-1000 SATA2 controller and the appropriate disks.)

Regards
Harri
PF, "self" keyword
Hello, misc.

In pf.conf syntax there is a "self" keyword which means all addresses
assigned to all interfaces.

r1:/root# grep self /etc/pf.conf
table <this_box> persist { self }
r1:/root#
r1:/root# pfctl -T show -t this_box
   10.1.1.1
   10.3.3.3
   127.0.0.1
r1:/root# ifconfig tun2 10.3.3.5
r1:/root# pfctl -T show -t this_box
   10.1.1.1
   10.3.3.3
   127.0.0.1
r1:/root# ifconfig tun2 10.3.3.10
r1:/root# pfctl -T show -t this_box
   10.1.1.1
   10.3.3.3
   127.0.0.1
r1:/root#
r1:/root# pfctl -f /etc/pf.conf
r1:/root# pfctl -T show -t this_box
   10.1.1.1
   10.3.3.10
   127.0.0.1

Is it possible to automatically update rules and tables containing the
"self" keyword when an interface address changes (like "($ext_if)"
behaviour)? Did I miss something in the manual?

--
Regards,
Yuri A. Spirin
mailto:[EMAIL PROTECTED]
Re: PF, "self" keyword
On Thu, Jun 05, 2008 at 07:59:09PM +0400, Yuri Spirin wrote:
> Hello, misc.
>
> In pf.conf syntax there is a "self" keyword which means all addresses
> assigned to all interfaces.
>
> r1:/root# grep self /etc/pf.conf
> table <this_box> persist { self }
> r1:/root#
> r1:/root# pfctl -T show -t this_box
>    10.1.1.1
>    10.3.3.3
>    127.0.0.1
> r1:/root# ifconfig tun2 10.3.3.5
> r1:/root# pfctl -T show -t this_box
>    10.1.1.1
>    10.3.3.3
>    127.0.0.1
> r1:/root# ifconfig tun2 10.3.3.10
> r1:/root# pfctl -T show -t this_box
>    10.1.1.1
>    10.3.3.3
>    127.0.0.1
> r1:/root#
> r1:/root# pfctl -f /etc/pf.conf
> r1:/root# pfctl -T show -t this_box
>    10.1.1.1
>    10.3.3.10
>    127.0.0.1
>
> Is it possible to automatically update rules and tables containing the
> "self" keyword when an interface address changes (like "($ext_if)"
> behaviour)? Did I miss something in the manual?

grep self /etc/pf.conf
table persist { (self) }
pfctl -f /etc/pf.conf -n
/etc/pf.conf:21: dynamic addresses are not permitted inside tables

So, can't really put it in a table, but putting '(self)' in a rule should work
(when I tried it, pfctl -sr shows (self) and not an IP).

> --
> Regards,
> Yuri A. Spirin
> mailto:[EMAIL PROTECTED]

--
viq
Re: PF, "self" keyword
On Thu, Jun 5, 2008 at 8:59 AM, Yuri Spirin <[EMAIL PROTECTED]> wrote:
> Is it possible to automatically update rules and tables containing the
> "self" keyword when an interface address changes (like "($ext_if)"
> behaviour)? Did I miss something in the manual?

depending on what you're trying to accomplish, some of the automatic interface
groups (like "egress") might work for you.

CK
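Putting the two answers above together, as an added pf.conf example that is not from any of the posts (OpenBSD 4.3-era syntax; the table name is the original poster's, the 10.1.1.0/24 source and the ssh and www ports are assumed):

```pf
# Added example, not from the thread. OpenBSD 4.3-era pf.conf syntax.

# A table is expanded once, when the ruleset is loaded: "self" becomes the
# list of addresses present at that moment, which is why the original poster
# only saw the new tun2 address after "pfctl -f /etc/pf.conf". Writing
# "(self)" here is rejected: dynamic addresses are not permitted in tables.
table <this_box> persist { self }

# In a rule, "(self)" is a dynamic address like "($ext_if)": pfctl -sr shows
# "(self)" rather than an expanded list, and it follows ifconfig changes.
pass in quick proto tcp from 10.1.1.0/24 to (self) port ssh keep state

# The automatic "egress" interface group always contains the interface(s)
# carrying the default route, so a rule written against it keeps working when
# that interface or its address changes.
pass in on egress proto tcp from any to (egress) port www keep state
```

If the addresses really must live in a table, it has to be refreshed after an address change, for example with pfctl -t this_box -T replace or by reloading the ruleset.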
Re: knowing spamd blacklist size
* Jose Fragoso <[EMAIL PROTECTED]> [080604 09:04]:
> Hi,
>
> In OpenBSD 4.3, is there a way to find out via script the
> current size of the spamd blacklist?
>
> Thanks in advance.
>
> Regards,
>
> Jose

man 8 spamdb

perhaps:

spamdb | grep TRAPPED

HTH,
Jim
Re: knowing spamd blacklist size
2008/6/5 Jim Razmus <[EMAIL PROTECTED]>:
> * Jose Fragoso <[EMAIL PROTECTED]> [080604 09:04]:
>> Hi,
>>
>> In OpenBSD 4.3, is there a way to find out via script the
>> current size of the spamd blacklist?
>>
>> Thanks in advance.
>>
>> Regards,
>>
>> Jose
>
> man 8 spamdb
>
> perhaps:
>
> spamdb | grep TRAPPED

That just gives connecting hosts that match an entry in the blacklist.

/juan
dhcrelay question
I'm running OpenBSD as an IP-less bridge between a DMZ and a protected
internet. The protection comes from using a set of pf rules on the exterior
interface of the bridge. My pf rules block all traffic on UDP/67 and UDP/68
from traversing the bridge, so I currently run two DHCP servers, one in the
DMZ and one on the protected network.

I'd like to run dhcrelay on the bridge and add some sort of token to dhcp
requests coming from the DMZ (from new and test servers) so I can
differentiate them from dhcp requests on the protected network. Basically I'd
like to hand out addresses from one IP range on the DMZ and from another IP
range on the protected network.

I'd imagine that to start I'd want to configure dhcrelay to start up similar
to:

# dhcrelay -i ${dmz_if} ${prot_dhcp_server}

but how do I set this up to differentiate the requests from one another? Has
anyone done this before?

--
Chris

Chris Hilton
Re: NAT over internet & VPN?
On Thu, Jun 05, 2008 at 03:07:30PM +0200, Almir Karic wrote:
> On Wed, Jun 4, 2008 at 5:49 AM, Matt Garman <[EMAIL PROTECTED]> wrote:
> > What I'd like to do is have my OBSD box to NAT on the tun device
> > (VPN tunnel). I.e., so I can use the VPN connection seamlessly
> > from any system on my home network.
>
> basically you want to route your traffic encrypted to your home
> and then let it out to the internet? to do this kind of a thing i'm using
> openvpn in bridged mode and all NAT-ing is done on the external
> interface (the gateway does not differ between vpn client and
> local client). it should be noted that people on this list tend to
> prefer ipsec over openvpn.

I don't think that's exactly what I want... but perhaps I don't fully
understand you.

I believe, in the most general sense, I want to NAT across two interfaces.
So, if I'm on one of my home computers, and I try to access IP
xxx.xxx.xxx.xxx, then:

    if xxx.xxx.xxx.xxx is part of the VPN network,
        NAT on the VPN device (tun0)
    otherwise
        NAT to the Internet (vr0)

It seems like this ought to be pretty trivial, but I'm clearly missing
something!

Thank you,
Matt
have to add pass in rdr statement
on OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386

I have this pf.conf config, it does not work for vnc

ext_if="xl0"
lawrence="10.0.0.17"

rdr on $ext_if proto tcp from any to $ext_if port vncweb -> $lawrence port vncweb
rdr on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc

pass in on $ext_if inet proto tcp from any to $ext_if port vncweb \
    modulate state (max-src-conn-rate 3/30, overload )
pass in on $ext_if inet proto tcp from any to $ext_if port vnc \
    modulate state (max-src-conn-rate 3/30, overload )

If I use the pass keyword instead in the rdr statement (as below), it works
fine.

rdr pass on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc

Does anyone see something wrong with my pass statements?

thanks

--
-Lawrence
Re: have to add pass in rdr statement
Your "pass" rules need to reference the IP address after processing by the
"rdr" rule. So it should be passing traffic destined to '10.0.0.17'.

See http://openbsd.org/faq/pf/rdr.html#filter for more info.

John

On Thu, Jun 05, 2008 at 03:46:57PM -0700, Lord Sporkton wrote:
> on OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
> I have this pf.conf config, it does not work for vnc
>
> ext_if="xl0"
> lawrence="10.0.0.17"
>
> rdr on $ext_if proto tcp from any to $ext_if port vncweb -> $lawrence
> port vncweb
> rdr on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc
>
> pass in on $ext_if inet proto tcp from any to $ext_if port vncweb \
>     modulate state (max-src-conn-rate 3/30, overload )
> pass in on $ext_if inet proto tcp from any to $ext_if port vnc \
>     modulate state (max-src-conn-rate 3/30, overload )
>
> If I use the pass keyword instead in the rdr statement (as below), it
> works fine.
>
> rdr pass on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port
> vnc
>
> Does anyone see something wrong with my pass statements?
> thanks
>
> --
> -Lawrence
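The corrected ruleset that John's answer describes, as an added example that is not part of the thread (OpenBSD 4.3 syntax; the interface and host are the original post's, the overload table name is a placeholder since the original lost it):

```pf
# Added example, not from the thread. OpenBSD 4.3-era pf.conf syntax.
ext_if="xl0"
lawrence="10.0.0.17"
table <bruteforce> persist        # placeholder name for the overload table

# rdr rewrites the destination address and port BEFORE the filter rules run...
rdr on $ext_if proto tcp from any to $ext_if port vncweb -> $lawrence port vncweb
rdr on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc

# ...so the filter sees 10.0.0.17 as the destination. The original rules
# matched "to $ext_if", which no longer describes the translated packet, and
# the connections fell through to whatever the default policy was.
pass in on $ext_if inet proto tcp from any to $lawrence port vncweb \
    modulate state (max-src-conn-rate 3/30, overload <bruteforce> flush)
pass in on $ext_if inet proto tcp from any to $lawrence port vnc \
    modulate state (max-src-conn-rate 3/30, overload <bruteforce> flush)

# "rdr pass" (what the original poster found working) passes matching packets
# without consulting the filter rules at all, so the rate limit and overload
# table above would not apply to those connections.
```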
"remove any unwanted devices from the kernel. "
> I usually name the kernel to the machine hostname, but you can give it
> any name. Edit the kernel config file:
>
> Remove any hardware related options that are not relevant to your
> machine.
>
http://www.muine.org/~hoang/openpf.html#customize

Why would someone want to do this? Is this nothing more than saving a
negligible amount of memory?
Are there any Open Source / Free Software vt220 / vt320 / vt400 terminal emulators out there?
Any that support the "status line" where the application thinks there is an 80x24 terminal and some meta character tells the terminal to display text after it in the "status line", which looks like a 25th line below the 80x24 terminal?
Re: "remove any unwanted devices from the kernel. "
2008/6/5 Jon <[EMAIL PROTECTED]>:
>> I usually name the kernel to the machine hostname, but you can give it
>> any name. Edit the kernel config file:
>>
>> Remove any hardware related options that are not relevant to your
>> machine.
>>
> http://www.muine.org/~hoang/openpf.html#customize
>
> Why would someone want to do this? Is this nothing more than saving a
> negligible amount of memory?

People do this mostly to feel good about themselves. But, yes, removing stuff
saves a few kB.

There is also the thinking that removing unnecessary stuff makes the system
more secure. This latter approach is more pertinent to a modular kernel such
as the Linux kernel. OpenBSD, of course, uses a classical monolithic kernel.

Let it be known that user-customized OBSD kernels are unsupported by the
developers. Do it only if you have a very good reason to do so (activate a
software feature or to get some special h/w to work).

/juan
Re: Are there any Open Source / Free Software vt220 / vt320 / vt400 terminal emulators out there?
Screen?

On 6/5/08, Jon <[EMAIL PROTECTED]> wrote:
> Any that support the "status line" where the application thinks there is
> an 80x24 terminal and some meta character tells the terminal to display
> text after it in the "status line", which looks like a 25th line below
> the 80x24 terminal?

Josh Smith
email/jabber: [EMAIL PROTECTED]
Re: "remove any unwanted devices from the kernel. "
On 6/5/08, Jon <[EMAIL PROTECTED]> wrote:
> > I usually name the kernel to the machine hostname, but you can give it
> > any name. Edit the kernel config file:
> >
> > Remove any hardware related options that are not relevant to your
> > machine.
> >
> http://www.muine.org/~hoang/openpf.html#customize
>
> Why would someone want to do this? Is this nothing more than saving a
> negligible amount of memory?

I recommend reading the real FAQ:

http://www.openbsd.org/faq/faq5.html#Why
Re: "remove any unwanted devices from the kernel. "
Jon wrote:
>> I usually name the kernel to the machine hostname, but you can give it
>> any name. Edit the kernel config file:
>>
>> Remove any hardware related options that are not relevant to your
>> machine.
>>
> http://www.muine.org/~hoang/openpf.html#customize
>
> Why would someone want to do this? Is this nothing more than saving a
> negligible amount of memory?

The biggest reasons to do this are because you have too much time on your
hands, and you want to impress people by having things break, then you swoop
in to rescue everyone from your fabricated disaster.

See, computers are supposed to be unreliable and impossible to understand and
take lots of effort just to keep running and such. If they Just Work, you
haven't proven anything other than your skill at careful design and planning.
People don't appreciate that, they much prefer to see you in action. Heroes
rescue people from obvious danger, they don't avoid problems proactively.
Hey, if you gotta encourage them out onto the ledge so you can be a hero,
whatever.

Fortunately, most computer people would rather be fighting with existing
computer systems than planning to avoid future problems or documenting
things. After all, it's not the quality of the job that counts, it's the
effort people see you putting into it.

Any fool can put up a website and say anything they want. Just because you
saw it on the 'net doesn't make it true. After that crap of an introduction,
I'm not going to bother reading the rest of what this person has to say.

See FAQ5 for the official line on this topic.

(alternate response: a few k here, a few k there, soon you are still talking
about nothing of significance...)

Nick.
Can connect to some sites but not others
Hello all.

I have an OpenBSD box running as my firewall (v4.2, PPPoE with AT&T over a
Netopia 2210). I am using pf to share the internet connection to the local
network, which is made up of two Mac laptops (one 10.5.3, one 10.4.6) and one
Mac Mini (10.5.3).

From the local network, I can connect to some websites just fine. Other
websites, however, can't load and eventually time out. The sites that time out
are the same among all three Macs, and I get the same behavior on all three
Macs whether I use Safari or Firefox. I can nslookup all the websites that
don't load and I get IP addresses back, so I know it's not a DNS issue. I've
rebooted all machines, including the firewall, so it doesn't seem to be a
cache issue.

Compounding the problem is that I can connect to the firewall and run Firefox
(sending the X window to my mac laptop), and I can connect just fine to every
web site I can think of.

Websites I can't connect to include (but are not limited to)
www.washingtonpost.com, www.latimes.com, www.cnet.com,
www.chicagotribune.com.

So it appears as though the OpenBSD box is communicating to the internet just
fine, but for some reason it's not packet-forwarding some of the traffic.

I'm really stumped by this one. Does anybody have any idea of how to start
tracking down what's going wrong?

--
View this message in context:
http://www.nabble.com/Can-connect-to-some-sites-but-not-others-tp17683557p17683557.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: Can connect to some sites but not others
On Thu, Jun 5, 2008 at 8:47 PM, Kareem Kazkaz <[EMAIL PROTECTED]> wrote:
> I have an OpenBSD box running as my firewall (v4.2, PPPoE with AT&T over a
> Netopia 2210). I am using pf to share the internet connection to the local
> network, which is made up of two Mac laptops (one 10.5.3, one 10.4.6) and
> one Mac Mini (10.5.3).
>
> From the local network, I can connect to some websites just fine. Other
> websites, however, can't load and eventually time out.

Sounds like an MTU issue. man 4 pppoe and read the part about MTU/MSS ISSUES.
Re: Can connect to some sites but not others
On Thu, Jun 05, 2008 at 07:47:22PM -0700, Kareem Kazkaz wrote:
> Hello all.
>
> I have an OpenBSD box running as my firewall (v4.2, PPPoE with AT&T over a
> Netopia 2210). I am using pf to share the internet connection to the local
> network, which is made up of two Mac laptops (one 10.5.3, one 10.4.6) and
> one Mac Mini (10.5.3).
>
> From the local network, I can connect to some websites just fine. Other
> websites, however, can't load and eventually time out. The sites that time
> out are the same among all three Macs, and I get the same behavior on all
> three Macs whether I use Safari or Firefox. I can nslookup all the websites
> that don't load and I get IP addresses back, so I know it's not a DNS issue.
> I've rebooted all machines, including the firewall, so it doesn't seem to be
> a cache issue.
>
> Compounding the problem is that I can connect to the firewall and run
> Firefox (sending the X window to my mac laptop), and I can connect just fine
> to every web site I can think of.

It would be nice to see your pf.conf and other related settings.

> Websites I can't connect to include (but are not limited to)
> www.washingtonpost.com, www.latimes.com, www.cnet.com,
> www.chicagotribune.com.
>
> So it appears as though the OpenBSD box is communicating to the internet
> just fine, but for some reason it's not packet-forwarding some of the
> traffic.
>
> I'm really stumped by this one. Does anybody have any idea of how to start
> tracking down what's going wrong?

In any case, this has been discussed multiple times, check this one out for
example:

http://marc.info/?t=12085694341&r=1&w=2
Re: Can connect to some sites but not others
This was indeed an MTU issue. Although it may lower my TCP/IP throughput, I
used the pf.conf fix so that when I have guests I don't have to worry about
changing their MTUs as well.

Thanks a bunch for the suggestion!
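The pf.conf side of the fix that the thread points to (the MTU/MSS ISSUES section of pppoe(4)), as an added example that is not from any of the posts; OpenBSD 4.3-era syntax, and the pppoe0 interface name is assumed:

```pf
# Added example, not from the thread. OpenBSD 4.3-era pf.conf syntax.
ext_if="pppoe0"          # assumed interface name

# PPPoE leaves 1492 bytes for the IP packet instead of 1500. A LAN host
# advertises a 1460-byte MSS, so a remote web server sends 1500-byte
# segments with DF set; they do not fit on the PPPoE link, and a server
# that drops the resulting ICMP "fragmentation needed" never learns to send
# smaller ones. The TCP handshake succeeds, the page data never arrives,
# and the browser times out: exactly the symptom in the original post,
# while a browser on the firewall itself (MTU 1492 locally) works.
#
# Clamping the MSS in outgoing SYNs tells every remote end to send at most
# 1440 bytes of TCP payload (1492 - 20 IP - 20 TCP - room for options),
# so the per-client MTU tweak the poster wanted to avoid is unnecessary.
scrub out on $ext_if max-mss 1440
```

The cost is the slightly smaller segments the poster mentions; the benefit is that every host behind the firewall, including guests, is covered without touching their settings.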