Re: ftps?
On 2012-11-28, Chris Smith wrote:
> Having some issues with a client system attempting to use a product called
> MoveItFreely to connect to server via FTPS (FTP with TLS). The firewall is
> running a snapshot from April, 3 2011 of version 4.9.
>
> I have added a pass rule for the additional (to port 21) requested ports of
> 989, 990, and 5:52000 but still having connection problems. Just
> wondering if the ftp-proxy would be interfering with this.

If the control connection is encrypted as with ftp+tls, then ftp-proxy
*cannot* work, as it cannot read the commands. So, if this is with NAT,
you can't rely on ftp-proxy to fix things up, you will need ftp+tls
software where you can manually set the external address.

> Also wonder why anyone in their right mind would use FTPS!?

Because they can just hack it on top of their crusty old ftp server
software, whereas using sftp would need much bigger changes?
restart relayd with new config
Scenario: I'm using relayd as a transparent proxy
and block some sites during work time, so I have two configs:

# cat /etc/relayd.conf
prefork 5
http protocol httpfilter {
        tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
        return error
        request header filter "*youtube.com*" from "Host"
        header change "Connection" to "close"
}
relay httpproxy {
        listen on 127.0.0.1 port 8080
        protocol httpfilter
        forward to destination
}

# cat /etc/relaydfree.conf
prefork 5
http protocol httpfilter {
        tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
}
relay httpproxy {
        listen on 127.0.0.1 port 8080
        protocol httpfilter
        forward to destination
}

Executing "relayd -f /newconfig" at the specified time does not have the same
result as, for example, "pfctl -f /newconfig". A new set of relayd processes
was started instead of the new config being applied.

I've added this to cron:

0 9 * * 1-5 /usr/bin/pkill relayd && sleep 3 && /usr/sbin/relayd -f /etc/relayd.conf
0 12 * * 1-5 /usr/bin/pkill relayd && sleep 3 && /usr/sbin/relayd -f /etc/relaydfree.conf
0 13 * * 1-5 /usr/bin/pkill relayd && sleep 3 && /usr/sbin/relayd -f /etc/relayd.conf
0 18 * * 1-5 /usr/bin/pkill relayd && sleep 3 && /usr/sbin/relayd -f /etc/relaydfree.conf

But unfortunately this causes trouble because pkill can't shut down all relayd
instances. "relayctl stop" and "kill -15 `pgrep relayd`" also don't work and
have the same result:

# ps -aux | grep relayd
_relayd 30639 99.0  0.3 6960 5192 ??  R/1   1:00PM  10:09.65 relayd: relay (relayd)
_relayd 25093 50.1  0.3 7200 5568 ??  R/0   1:00PM  26:29.77 relayd: relay (relayd)
_relayd  4696 49.0  0.3 6936 5432 ??  R/0   1:00PM  48:01.41 relayd: relay (relayd)
root    18847  0.0  0.1 1236 1876 ??  Is    1:00PM   0:00.01 relayd: parent (relayd)
_relayd  1306  0.0  0.1  808 1648 ??  I     1:00PM   0:00.00 relayd: hce (relayd)
_relayd  4036  0.0  0.3 7176 5596 ??  S     1:00PM   0:02.17 relayd: relay (relayd)
_relayd 32523  0.0  0.1 2280 2552 ??  S     1:00PM   0:00.21 relayd: relay (relayd)
_relayd   636  0.0  0.1 1132 2020 ??  S     1:00PM   0:00.01 relayd: pfe (relayd)
root    29834  0.0  0.0  876    4 p0  R+/1  3:29PM   0:00.00 grep relayd (ksh)
# kill -15 `pgrep relayd`
# ps ax | grep relayd
30639 ??  R/0   12:32.21 relayd: relay (relayd)
 4696 ??  R/0   49:31.75 relayd: relay (relayd)
25093 ??  R/1   27:54.53 relayd: relay (relayd)

Is there a way to avoid using "kill -9 `pgrep relayd` && relayd -f /newconfig",
or is it normal to use kill -9 for relayd?
Re: Recommended ANSI C language coding standard compliance checker
2012/11/28, Tito Mari Francis Escaño :
> More than just using GCC, since my idea is to also consider LLVM and PCC.
> Thanks for the advice. Looking forward to other options, especially what
> the OpenBSD dev team does to ensure every file complies with the coding
> standard.

LLVM also has -ansi -pedantic. Not sure about PCC.
Re: ftps?
On Wed, Nov 28, 2012 at 7:29 AM, Stuart Henderson wrote:
> If the control connection is encrypted as with ftp+tls, then ftp-proxy
> *cannot* work, as it cannot read the commands. So, if this is with NAT,
> you can't rely on ftp-proxy to fix things up, you will need ftp+tls
> software where you can manually set the external address.

Yes, it's ftp+tls.
This works with a standard home router (don't know what they're doing
to allow it and ftp to work fine), but not with the OpenBSD firewall.
It is only one server that I have to deal with so if I skip ftp-proxy
for that one target address should it work OK then?

Thanks,

Chris
PRIMERGY RX200 S2 installation problems
Dear group,

I was trying to install OBSD 5.2 on a Fujitsu-Siemens PRIMERGY RX200 S2
(dual CPU) and I get the following errors:

mpi0: timeout
mpi0: phys disk Async at 0 MHz width 8bit offset 0 QAS 0 DT 0 IU 0
em1 at pci3 dev 6 function 0 "Intel PRO/100MT (82546GB)" rev 0x03: apic 2 int 16
uvm_fault (0xd07f31d8, 0x0, 0, 1) -> e
fatal page fault (6) in supervisor mode
trap type 6 code 0 eip 0 cs 50 eflags 10282 cr2 0 cpl 50
panic: trap type 6, code=0, pc=0
The operating system has halted
Please press any key to reboot

---

I also saw that the bsd.rd kernel was used during the boot process. Meaning
that the smp mode is not used?

Thanks

Tony
Re: PRIMERGY RX200 S2 installation problems
2012/11/28 Tony Berth :
> I also saw that the bsd.rd kernel was used during the boot process. Meaning
> that the smp mode is not used?

No. http://openbsd.org/faq/faq4.html#bsd.rd

--
Michał Markowski
Re: ftps?
On 2012-11-28 14:33, Chris Smith wrote:
> On Wed, Nov 28, 2012 at 7:29 AM, Stuart Henderson
> wrote:
>> If the control connection is encrypted as with ftp+tls, then ftp-proxy
>> *cannot* work, as it cannot read the commands. So, if this is with NAT,
>> you can't rely on ftp-proxy to fix things up, you will need ftp+tls
>> software where you can manually set the external address.
>
> Yes, it's ftp+tls.
> This works with a standard home router (don't know what they're doing
> to allow it and ftp to work fine), but not with the OpenBSD firewall.
> It is only one server that I have to deal with so if I skip ftp-proxy
> for that one target address should it work OK then?
>
> Thanks,
>
> Chris
>

Since you say this works with a standard home router, have you checked
if maybe the server software uses nat pmp or something similar for port
redirection?

--
Hugo Osvaldo Barrera
Re: ftps?
On Wed, Nov 28, 2012 at 1:43 PM, Hugo Osvaldo Barrera wrote:
> Since you say this works with a standard home router, have you checked
> if maybe the server software uses nat pmp or something similar for port
> redirection?

I tested it with an Asus RT-AC66U with its UPnP feature disabled and it
worked fine, as does standard ftp. But no outbound ports were being
blocked. Bypassing ftp-proxy for the target server seems to work for the
OpenBSD box. Although I needed the extra ports open.
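The rule set the thread converges on (let the FTPS control channel past ftp-proxy, pass the extra ports only towards that one server) looks like the following pf.conf fragment. This is an added example, not configuration posted by anyone in the thread; the interface names, the LAN prefix, the server address 203.0.113.10 and the passive data range 51000:52000 are assumptions, and the passive range must be taken from whoever runs the server. The syntax is the post-4.7 pf syntax that the 4.9 snapshot in question uses.

```pf
# Added example: one FTPS server reachable from the LAN without ftp-proxy.
# All addresses, interfaces and the passive range below are assumptions.
int_if    = "em1"
lan       = "192.168.1.0/24"
ftps_srv  = "203.0.113.10"      # assumed FTPS server
ftps_pasv = "51000:52000"       # assumed passive data range, must match the server

# Ordinary NAT for the LAN.
match out on egress inet from $lan nat-to (egress)

# 1. Keep this server's FTPS traffic away from ftp-proxy.  The proxy works by
#    reading PORT/PASV/EPSV on the control channel; under AUTH TLS or on the
#    implicit-TLS port 990 it only sees ciphertext, so diverting the session
#    to it breaks the transfer.  "quick" makes this rule win over the generic
#    divert rule below.  Ports are the control ports plus the passive range,
#    limited to this one destination rather than opened to "any".
pass in quick on $int_if inet proto tcp from $lan to $ftps_srv \
    port { 21 989 990 $ftps_pasv }
pass out quick on egress inet proto tcp from $lan to $ftps_srv \
    port { 21 989 990 $ftps_pasv }

# 2. Cleartext FTP to everything else still goes through ftp-proxy (ftp-proxy(8)).
pass in on $int_if inet proto tcp from $lan to any port 21 \
    divert-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"
```

Check it with `pfctl -nf /etc/pf.conf` before loading. Two caveats that follow from Stuart's point: this only works for a passive-mode client behind NAT, because the client opens every data connection outward; an active-mode (PORT) transfer needs the client to accept an inbound connection, which nothing can rewrite for an encrypted control channel. And the passive range is the server operator's choice; if it changes, the quick rules above silently stop matching the data connections and transfers hang after the directory listing request.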
Re: PRIMERGY RX200 S2 installation problems
On Wed, Nov 28, 2012 at 6:55 PM, Tony Berth wrote:
> Dear group,
>
> I was trying to install OBSD 5.2 on a Fujitsu-Siemens PRIMERGY RX200 S2
> (dual CPU) and I get following errors:

By any chance ability to try current?

>
>
> mpi0: timeout
> mpi0: phys disk Async at 0 MHz width 8bit offset 0 QAS 0 DT 0 IU 0
> em1 at pci3 dev 6 function 0 "Intel PRO/100MT (82546GB)" rev 0x03: apic 2
> int 16uvm_fault (0xd07f31d8, 0x0, 0, 1) -> e
> fatal page fault (6) in supervisor mode
> trap type 6 code 0 eip 0 cs 50 eflags 10282 cr2 0 cpl 50
> panic: trap type 6, code=0, pc=0
> The operating system has halted
> Please press any key to reboot

Is there a way for you to get full report?
http://www.openbsd.org/faq/faq2.html#Bugs

> ---
>
> I also saw that the bsd.rd kernel was used during the boot process. Meaning
> that the smp mode is not used?
>
> Thanks
>
> Tony
Re: connection redirection
On 2012-11-28, Friedrich Locke wrote:
> Some time ago, if I can remember, I saw on this list a message about a
> program we install into a box and then it accepts connections from a group
> of hosts and redirects them. The idea was that if I want to connect from
> host a to host b, the connection would go
>
> from a to x;
> from x to k;
> from k to z;
> ...
> ...
> from y to b
>
> So we could make it harder for outsiders to know where a connection is really
> coming from!
> Does anybody here know anything about such tool ?
>
> Thanks in advance.
>
>

Sounds like tor..
Re: restart relayd with new config
lilit-aibolit(lilit-aibo...@mail.ru) on 2012.11.28 15:58:42 +0200:
> Scenario: I'm using relayd as transparent proxy
> and block some sites in work time, so I have two configs:
>
> # cat /etc/relayd.conf
> prefork 5
> http protocol httpfilter {
>         tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
>         return error
>         request header filter "*youtube.com*" from "Host"
>
>         header change "Connection" to "close"
> }
> relay httpproxy {
>         listen on 127.0.0.1 port 8080
>         protocol httpfilter
>         forward to destination
> }
> # cat /etc/relaydfree.conf
> prefork 5
> http protocol httpfilter {
>         tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
> }
> relay httpproxy {
>         listen on 127.0.0.1 port 8080
>         protocol httpfilter
>         forward to destination
> }
>

You are starting relayd a second time here, you are not reloading the
configuration:

> Executing "relayd -f /newconfig" at specified time have not the same
> result as for example "pfctl -f /newconfig".

Use 'relayctl reload'.

/Benno
Re: OpenBSD Cloud Offerings
On 28/11/2012, at 11:31, "C. Bensend" wrote:
> Small price to pay, though - ARP is fantastic and I've had nothing
> but good experiences with them.

+1.

Also, a suggestion: if a VPS provider doesn't explicitly offer the OS you
want, ask - even if they don't list the OS at all. When I setup my VPS with
ARP last year they listed OpenBSD 4.7 or some similarly old release, but
were more than happy to organise a newer ISO.

Also before you sign up, ask how you get access to the console. One
provider I tried was evidently using VMware, and no amount of dicking about
in Linux or even OSX would give me a working console. Gave up and switched
to ARP. ARP provide serial console emulation, which is MUCH nicer for
out-of-band admin than VGA emulation (they do this too, of course) if your
internets have high RTT. Not all providers do this.

John
Re: OpenBSD Cloud Offerings
On Tue, 27 Nov 2012 at 14:18:56 -0800, Constantine A. Murenin wrote: > Don't necessarily look at the OpenBSD version numbers that are > offered, or whether OpenBSD is specifically supported; at least with > KVM and Xen HVM, it's almost always possible to get console-based > access and install whichever version of OpenBSD you please. Some > providers offer ssh-based serial console access; some offer VNC-based > access; installing OpenBSD yourself is a breeze! Even if you can't get remote console access, it can be possible to buy a Linux or FreeBSD VPS (or dedicated server), note the IP and gateway settings, and then generate and dd a Yaifo[0] image directly to the hard drive. Remotely reboot the server and it'll (hopefully) come back online with an SSH interface to the OpenBSD installer. I've done this with a FreeBSD dedicated server when the provider wouldn't give me remote console access. It can be tricky and you only get one shot at it, but it opens up a lot of possibilities for cheaper providers that don't directly offer OpenBSD support. 0. https://github.com/jedisct1/yaifo
Re: OpenBSD Cloud Offerings
On Tue, Nov 27, 2012 at 11:47:13AM -0500, Research wrote:
> Hello,
>
> I was wondering if anyone had any experience with reputable cloud providers
> that currently offer OpenBSD 5.2.
>
> I was able to find out some information based on the OpenBSD Journal posting
> from Sunday, February 13, 2011 titled "OpenBSD Private Cloud Computing". The
> two vendors mentioned included ARP Networks and RootBSD.
>
> Since this time period (preferably over 2012), has anyone used any other
> cloud service offerings hosting OpenBSD ? I am hoping to hear some positive
> reviews for a provider I can go with.
>
> Stipulations
>
> - Preferable a North American provider for geography
> - OpenBSD 5.2
>
> Thanks

Just a side note to the other comments. If you want to use the VM to
compile software 24/7, ask the provider before paying for a plan. Some
providers consider this a bad use of their servers and will cancel your
account.

Cheers.

--
Juan Francisco Cantero Hurtado
http://juanfra.info
softraid to encrypt _AND_ raid?
Hi,

I'm using 5.2 and trying to use 2 mirrored disks as RAID1, but also encrypt
them. I can use softraid to either raid1 _OR_ encrypt, but not both. I've
RTFM'd and UTFSE to no avail. I'm not sure it's doable. Did I miss a magic
incantation somewhere?

Thanks in advance.

Cheers!

--
Greg
Re: OpenBGPd / Juniper 'bug' / BGP session flapping
On 8/6/2012 4:15 PM, Claudio Jeker wrote:
> On Mon, Aug 06, 2012 at 10:34:22PM +0200, Laurent CARON wrote:
>> Hi,
>>
>> I'm hit by a rather nasty OpenBGPd 'bug' causing sessions to
>> flap (basically go down/up/...).
>>
>> One of the prefixes is: 81.169.0.0/17
>>
>> Description of bug
>> https://puck.nether.net/pipermail/juniper-nsp/2012-July/023774.html
>>
>>
>> Is the included fix
>> (((s & 0xf0) & ~(ATTR_EXTLEN | (m))) == (t)) instead of just
>> (((s) & ~(ATTR_EXTLEN | (m))) == (t))
>>
>> sufficient ?
>>
>
> I would prefer something like this. Since then we ensure that we do
> not forward crap (as in we regard the RFC and send nothing with
> reserved bits set). AFAIK there is nothing out there that started
> to use the reserved bits so I'm curious how that happend again.
>
> Only compile tested for now.
>

I ran across this today after AboveNET upgraded some routers (I would have
appreciated a maintenance notice...) I applied Claudio's patch and the
sessions came back up and have been stable for the last half hour. I'll
check back in if there are any issues. We have both IPv4 and IPv6 sessions
with them, and the IPv6 sessions were unaffected (for what it's worth.)
This patch is running on two of our routers.
Thank you,

--
James Shupe
Re: restart relayd with new config
On 11/29/2012 01:04 AM, Sebastian Benoit wrote:
> lilit-aibolit(lilit-aibo...@mail.ru) on 2012.11.28 15:58:42 +0200:
>> Scenario: I'm using relayd as transparent proxy
>> and block some sites in work time, so I have two configs:
>>
>> # cat /etc/relayd.conf
>> prefork 5
>> http protocol httpfilter {
>>         tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
>>         return error
>>         request header filter "*youtube.com*" from "Host"
>>         header change "Connection" to "close"
>> }
>> relay httpproxy {
>>         listen on 127.0.0.1 port 8080
>>         protocol httpfilter
>>         forward to destination
>> }
>> # cat /etc/relaydfree.conf
>> prefork 5
>> http protocol httpfilter {
>>         tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
>> }
>> relay httpproxy {
>>         listen on 127.0.0.1 port 8080
>>         protocol httpfilter
>>         forward to destination
>> }
>
> You are starting relayd a second time here, you are not reloading the
> configuration:
>
>> Executing "relayd -f /newconfig" at specified time have not the same
>> result as for example "pfctl -f /newconfig".
>
> Use 'relayctl reload'.
>
> /Benno

Good. I have two configs. And at the specified time I need to *reload* to
the new config file, not reload the same config file. How does 'relayctl
reload' help me?
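One way to make 'relayctl reload' switch between the two rulesets, given as an added example rather than anything posted in the thread: relayd re-reads the file it was started with (the -f path, /etc/relayd.conf by default), so keep the two real rulesets under other names, make /etc/relayd.conf a symlink to whichever is wanted, repoint the symlink and reload. The file names /etc/relayd.work.conf and /etc/relayd.free.conf, the script name relayd-switch and the RELAYD_LINK override are assumptions of this example. Each step is validated so a broken ruleset never reaches the daemon, and the daemon is never killed, which avoids the stuck relay children in the ps output above.

```sh
#!/bin/sh
# Added example, not from the thread: switch a running relayd between two
# rulesets in place instead of killing and restarting it.
#
# Assumptions (not from the original posts):
#   - relayd was started as "relayd -f /etc/relayd.conf" (the default), and
#     /etc/relayd.conf is a symlink to the ruleset currently wanted;
#   - the real files are /etc/relayd.work.conf (filtering) and
#     /etc/relayd.free.conf (no filter).
# "relayctl reload" makes the parent re-read the file it was started with,
# so repointing the symlink and reloading swaps the ruleset.

LINK="${RELAYD_LINK:-/etc/relayd.conf}"

# check_config FILE: syntax-check FILE with relayd's configtest mode (-n).
check_config() {
        relayd -n -f "$1"
}

# point_config LINK TARGET: repoint LINK at TARGET atomically.  The new
# link is created under a temporary name and renamed over the old one, so
# LINK never goes missing between the two steps.
point_config() {
        link=$1 target=$2
        [ -f "$target" ] || { echo "no such config: $target" >&2; return 1; }
        tmp="$link.$$"
        ln -s "$target" "$tmp" && mv -f "$tmp" "$link"
}

# active_config LINK: print the file LINK currently points at.
active_config() {
        readlink "$1"
}

# switch_to FILE: validate, repoint, reload.  relayd keeps the previous
# ruleset when a reload fails, so the symlink is put back to match it.
switch_to() {
        prev=$(active_config "$LINK")
        check_config "$1" || return 1
        point_config "$LINK" "$1" || return 1
        if ! relayctl reload; then
                echo "reload failed, restoring $prev" >&2
                [ -n "$prev" ] && point_config "$LINK" "$prev"
                return 1
        fi
}

case "${1:-}" in
work) switch_to /etc/relayd.work.conf ;;
free) switch_to /etc/relayd.free.conf ;;
"")   ;;                        # no argument: only define the functions
*)    echo "usage: $0 work|free" >&2; exit 2 ;;
esac
```

With this installed as /usr/local/sbin/relayd-switch the four cron lines reduce to `relayd-switch work` at 9 and 13 and `relayd-switch free` at 12 and 18, and relayd itself is started once at boot. Running `relayd -f` a second time, as in the original cron entries, starts a second daemon rather than reconfiguring the first, which is where the extra relay processes come from. If the relayctl(8) on your release has a `load filename` command, the symlink step is unnecessary and `relayctl load /etc/relayd.free.conf` does the same thing directly; the validation with `relayd -n -f` is still worth keeping in front of it.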