Re: Domain redirections to Openbsd.org?

2017-05-18 Thread Aner Perez
No redirect and no ripping, he just added a DNS entry for nathanalexander.uk that points 
to the IP address for openbsd.org (129.128.5.194).


On 05/18/2017 09:46 AM, andrew fabbro wrote:

On Thu, May 18, 2017 at 8:13 AM, Wylie Bayes  wrote:


Just curious if it is a normal thing for folks to be redirecting their domain
to Openbsd.org, in turn keeping their domain name in their browsers but
ultimately getting Openbsd.org's content?

Such as:  http://nathanalexander.uk/ ?



I don't think that's a redirect.  It looks like the owner of that site
simply ripped the OpenBSD main page and placed it on his site.

At least he was thorough - images are served from his site and not via
hotlink.

As to normal thing...I'd say not.





Re: Viewport for man.openbsd.org -- readability on phones

2018-05-17 Thread Aner Perez

On 05/17/2018 05:22 PM, x...@dr.com wrote:

"Ingo Schwarze"  wrote:

Absolutely not.
Mandoc output is not optimized for any device.

Which elements or rules in the current HTML or CSS code
make you think it is optimized or it discriminates against
any device?


I don't know which element or rule is the problem, however
if I delete mandoc.css the text does fill the screen.

I understand that what I am trying to do is not supported,
so I'll do something else instead.



First non-comment line of mandoc.css says:

html {  max-width: 100ex; }

Removing this line allows the use of the full browser width.  I'm sure that it was put 
there for a reason (maybe to approximate the width of a terminal?).


- Aner



Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Aner Perez

On 10/31/18 10:54 AM, Stuart Henderson wrote:

On 2018-10-31, Tinker  wrote:

Hi,

When in "cat" or "dd if=/dev/zero of=/dev/zero" or "gzip < /dev/zero >
/dev/zero", if I press ctrl+4, the program coredumps.

Doing it in ksh or sh has no effect though.

This is in OpenBSD 6.4 AMD64 from Putty on Windows.

The console interaction looks like this:

$ cat
^\Quit (core dumped)

$


Is ctrl+4 a universal SIGQUIT+coredump shortcut?

Where are the other shortcuts apart from ctrl+C, ctrl+Z, ctrl+D,
documented?

Tinker




No idea how ^4 is mapped to ^\, but for some reason it is, and this is
the default for "quit", see "stty -a".

This is a useful sequence to interrupt boot if you weren't quick enough
to "boot -s" to enter single-user mode.




You can also find more details in the termios(4) man page, specifically the Special 
Characters section.


- Aner



Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Aner Perez

On 10/31/18 2:15 PM, Christian Weisgerber wrote:

On 2018-10-31, Stuart Henderson  wrote:


No idea how ^4 is mapped to ^\, but for some reason it is,


This goes back to the VT220, if not older terminals.  Ctrl-3 for
ESC aka ^[ is particularly handy if the Esc key is in some inconvenient
place as on most PC keyboards.

See "Table 3-5 Keys Used to Generate 7-Bit Control Characters" in
the VT220 Programmer Reference Manual:
https://vt100.net/docs/vt220-rm/table3-5.html



Looks like this is implemented by the different terminal emulators so it varies.  For vte 
(gnome-terminal, terminator, ...), it looks like this is the code that sets up this behavior:


https://github.com/GNOME/vte/blob/master/src/keymap.cc#L146

- Aner



Re: FAQ file sets missing cmdbox

2020-08-25 Thread Aner Perez

On 8/25/20 10:33 AM, jungle Boogie wrote:

On Tue, 25 Aug 2020 at 00:05, Greg Thomas  wrote:


I'm getting pretty old and struggle with stuff like this more and more these days but I 
don't see what is "very difficult to follow" about the current layout, and  I'm 
not sure what's weird about it either?


See if these photos illustrate the problem more clearly:
https://imgur.com/a/zT6hAxi



Looks like you may have been playing with the font sizes in your browser preferences (e.g. 
General > Fonts and Colors > Advanced... > Monospace > Size).  If I change my monospace 
font size to 17 (bigger than the Proportional font) I get the effect in your screenshot. 
The reason is that the "dt" tags are styled as "float: left" and if the "dt" is taller 
than the "dd" it will float left up to the previous "dt" instead of all the way to the 
left.  You could add a "clear: left" to the CSS for the "dt" but then the "dt" and 
corresponding "dd" do not line up.


Using CSS "float" for layout is a minefield.

- Aner



Re: can't run multiple instances of httpd, flags not visible in processes

2016-01-27 Thread Aner Perez

On 01/27/2016 06:12 AM, Jiri B wrote:

Hi,

I can't run multiple instances of httpd via rc.d as I can't distinguish
between httpd instances. ps aux never shows flags passed to httpd.

Could httpd be extended to show flags like sshd does it?

root 15681  0.0  0.1  1196  2308 ??  Ssp   12:08PM0:00.05 httpd: parent 
(httpd)

vs

root 17247  0.0  0.1   920  1376 ??  Ss12:09PM0:00.03 
/usr/sbin/sshd -f /etc/ssh/test_sshd_config

Or is there any other way to distinguish between two httpd instances?

j.



You could always run fstat(1) on the pid to see which ports it has open.

- Aner



Re: pf loses skip on tun0 after OpenVPN startup

2013-06-20 Thread Aner Perez

On 06/20/2013 09:03 AM, Stuart Henderson wrote:

On 2013-06-19, Ryan Slack  wrote:

In pf.conf I've got skip on {lo,tun0}, however after openvpn starts,
skip is removed from tun0. Is there a way to avoid this?
In the meantime I've added "pass quick on tun0" to pf.conf.


You will probably need to reload pf.conf, I believe openvpn re-creates
the tun interface.



I believe the "persist-tun" option in server.conf can help in this case.

- Aner



Re: Adding a NIC into cramped micro itx board for firewall

2015-05-20 Thread Aner Perez

On 05/20/2015 04:13 PM, Armin Tanzarian wrote:

I have a dilemma, I need to add another Intel NIC to my embedded firewall
on a micro atx board. However, I can't seem to find a solution to get
another one in there.

Any help would be great.

Thanks
Azarian!



Does it have to be a NIC or would VLANs and a smart switch cover your needs?

- Aner



Re: Alternate Puffy Logo Design

2016-05-19 Thread Aner Perez

On 05/19/2016 03:18 PM, Ted Unangst wrote:

Mihai Popescu wrote:

First, the webpage design change suggestion, then the logo alternative ...
I guess a project name change suggestion will follow, I'm curious if
this will be till weekend.


We're changing version scheme instead. OpenBSD 6.0 will actually be OpenBSD 60.



Roman Numerals would look more distinguished.

OpenBSD LX

If it was good enough for the Romans and the Super Bowl...

- Aner



Re: booting

2014-09-18 Thread Aner Perez

On 09/18/2014 04:28 AM, Gregory Edigarov wrote:

Hello,

Is boot from zalman's virtual cd (a hard disc case that can store many ISO
images and then represent itself as a cd) still unsupported?

nearly every other .iso works correctly, but not openbsd.

--
With best regards,
  Gregory Edigarov



I have used a zalman VE-300 to install OpenBSD 5.3 on several machines that had no 
built-in CD drive.  I think I have also installed 5.4 and 5.5 snapshots from the zalman.


The Zalman usually presents itself as a usb hard drive AND a usb cd drive.  For some Dell 
systems I have had problems booting up from a CD ISO unless I place the zalman into 
CD-only mode before booting from the ISO.


- Aner



tcpdump - ifname in filter expression

2022-03-21 Thread Aner Perez
I noticed that if I put an "ifname" (or "on") in a filter expression for tcpdump, it will 
show all traffic that has an ifname that *starts with* the name I provided.  e.g.


# tcpdump -n -l -e -ttt -i pflog0 ifname vlan1

Will show packets for vlan1 but also for vlan110, vlan140, etc (but not for 
em0).

It's not clear from the man page if that is the intended behavior.

https://man.openbsd.org/tcpdump.8#ifname

ifname interface
    True if the packet was logged as coming from the specified interface
    (applies only to packets logged by pf(4)).

While testing I also tried using "ifname vlan" as the filter but it fails with a syntax 
error.  I'm thinking that is probably an unintended interaction with the "vlan" primitive 
since "ifname em" or "ifname bnx" seem to work with no error.


This is all tested on 6.7 so apologies if this is not the current behavior.

    - Aner


Re: tcpdump - ifname in filter expression

2022-03-23 Thread Aner Perez

On 3/22/22 00:37, David Gwynne wrote:

I think this behaviour with ifname is unintended. the diff below tries
to fix it by having the ifname comparison include the terminating nul
when doing a comparison of the supplied interface name and the one in
the pflog header.

the consequence is that it will no longer do string prefix matches,
only whole name matches.

the vlan thing is different because there's a "vlan" keyword in our
pcap filter language that lets you do things like "tcpdump vlan
123" when sniffing on a vlan parent interface to limit the packets
to those with tag 123. the parser is saying it didn't expect you to
talk about vlan when it's supposed to be a string (ie, not a keyword)
at that point.

Index: gencode.c
===
RCS file: /cvs/src/lib/libpcap/gencode.c,v
retrieving revision 1.60
diff -u -p -r1.60 gencode.c
--- gencode.c   13 Feb 2022 20:02:30 -  1.60
+++ gencode.c   22 Mar 2022 04:29:40 -
@@ -3230,7 +3246,7 @@ gen_pf_ifname(char *ifname)
len - 1);
/* NOTREACHED */
}
-   b0 = gen_bcmp(off, strlen(ifname), ifname);
+   b0 = gen_bcmp(off, strlen(ifname) + 1, ifname);
return (b0);
  }
  
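Review bot: the changed call `b0 = gen_bcmp(off, strlen(ifname) + 1, ifname);` now reads one byte past the supplied name out of the header field, so correctness depends on that field being NUL-padded and on the earlier length check (the error path ending in `len - 1);`) guaranteeing that strlen(ifname) + 1 never exceeds the field width; both hold as the hunk reads, but a one-line comment above the call, e.g. `/* include the NUL so "vlan1" no longer matches "vlan110" */`, would record why the +1 is there and stop a future cleanup from "fixing" it back to a prefix compare.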

That certainly seems like it would do the trick.  Would your diff make it into the 
official source tree for a future release or is this something that needs to be discussed 
by the powers that be?


Thanks for looking into it!

    - Aner
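As an added example (not code from the thread or from libpcap), the model below reproduces the comparison David's diff changes: the pflog header carries the interface name in a fixed-width, NUL-padded field, so comparing strlen(name) bytes is a prefix test, while comparing strlen(name) + 1 bytes also pins the terminating NUL and gives whole-name matching. The struct, the IFNAMSIZ value and the sample interface names are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* width of the NUL-padded ifname field (assumed) */

/* Constructed stand-in for the pflog header fields this example needs. */
struct pflog_hdr_model {
    char ifname[IFNAMSIZ];
    unsigned int rulenr;
};

/* Zero the header, then copy the name in NUL-padded, as the field is. */
void make_hdr(struct pflog_hdr_model *h, const char *name, unsigned int rulenr)
{
    memset(h, 0, sizeof *h);
    strncpy(h->ifname, name, IFNAMSIZ - 1);   /* last byte stays NUL */
    h->rulenr = rulenr;
}

/* Pre-diff semantics: compare strlen(want) bytes, i.e. a prefix test.
 * Returns 1 on match, 0 otherwise (or when the name cannot fit at all). */
int ifname_prefix_match(const struct pflog_hdr_model *h, const char *want)
{
    size_t n = strlen(want);
    if (n > IFNAMSIZ - 1)
        return 0;
    return memcmp(h->ifname, want, n) == 0;
}

/* Post-diff semantics: compare strlen(want) + 1 bytes so the NUL that ends
 * the filter name must line up with the NUL padding of the header field. */
int ifname_whole_match(const struct pflog_hdr_model *h, const char *want)
{
    size_t n = strlen(want);
    if (n > IFNAMSIZ - 1)
        return 0;                      /* keeps n + 1 <= IFNAMSIZ below */
    return memcmp(h->ifname, want, n + 1) == 0;
}

/* Count the records a filter on `want` selects under either semantics. */
int count_matches(const struct pflog_hdr_model *hs, int n, const char *want,
    int whole)
{
    int i, c = 0;
    for (i = 0; i < n; i++)
        c += whole ? ifname_whole_match(&hs[i], want)
                   : ifname_prefix_match(&hs[i], want);
    return c;
}

/* Constructed sample: the interfaces mentioned in the thread. */
#define NSAMPLE 4
static const char *sample_names[NSAMPLE] = { "vlan1", "vlan110", "vlan140", "em0" };

int count_sample(const char *want, int whole)
{
    struct pflog_hdr_model hs[NSAMPLE];
    int i;
    for (i = 0; i < NSAMPLE; i++)
        make_hdr(&hs[i], sample_names[i], (unsigned int)i);
    return count_matches(hs, NSAMPLE, want, whole);
}

int main(void)
{
    printf("ifname vlan1, prefix compare:     %d of %d records\n",
        count_sample("vlan1", 0), NSAMPLE);
    printf("ifname vlan1, whole-name compare: %d of %d records\n",
        count_sample("vlan1", 1), NSAMPLE);
    return 0;
}
```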



Re: Why is disk full?

2022-03-29 Thread Aner Perez
You may have large files with "holes" in them (i.e. sparse files).  Rsync has a --sparse 
(-S) flag that tries to create holes in the replicated files when it finds sequences of 
nulls in the source file.


The -a flag does not turn on this sparse file handling.

You can run "du" on different directories to narrow down where the file size difference is 
coming from.


    - Aner

On 3/29/22 10:58, F Bax wrote:

I used rsync to copy files.
sudo rsync -anv --delete /mnt/wd1l/ /mnt/wd2l/
reports no changes required (runtime under 3 minutes).
sudo diff -r /mnt/wd1l/ /mnt/wd2l/
reports no difference (runtime 10 hours)

$ sudo df -i /mnt/wd1l/ /mnt/wd2l/
Filesystem  512-blocks        Used     Avail Capacity  iused    ifree %iused  Mounted on
/dev/wd1l   2138940784  1997329632  34664128      98% 483707 33313411     1%  /mnt/wd1l
/dev/wd2l   2138951776  2033043696  -1039504     100% 483707 33313411     1%  /mnt/wd2l

On Tue, Mar 29, 2022 at 10:49 AM F Bax  wrote:


I used rsync to copy files. df -i reports 483707 inodes used for both
partitions.
sudo rsync -anv --delete /mnt/wd1l/ /mnt/wd2l/
reports no changes required (runtime under 3 minutes).
sudo diff -r /mnt/wd1l/ /mnt/wd2l/
reports no difference (runtime 10 hours)

On Tue, Mar 29, 2022 at 10:39 AM Otto Moerbeek  wrote:


On Tue, Mar 29, 2022 at 10:25:34AM -0400, F Bax wrote:


I copied all files from /mnt/wd1l to /mnt/wd2l

wd2l is slightly larger than wd1l; yet wd2l is full!

$ df -h /mnt/wd1l /mnt/wd2l
Filesystem Size Used Avail Capacity Mounted on
/dev/wd1l 1020G 952G 16.5G 98% /mnt/wd1l
/dev/wd2l 1020G 969G -508M 100% /mnt/wd2l

How did you copy? Some forms of copy will cause hardlinked files to be
separate files on the destination. df -i will tell how many inodes you
have used. If wd2l has more inodes in use, I bet it's that.

 -Otto


Output from disklabel is almost identical:

type: SCSI
disk: SCSI disk
label: WDC WD2000FYYZ-0
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 243201
total sectors: 3907029168
rpm: 0
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 3907029168 # microseconds
drivedata: 0

Difference between wd1 and wd2:
wd1: interleave: 0
wd2: interleave: 1

Partition details (I added 'wd1/wd2' to the beginning of the line):
# size offset fstype [fsize bsize cpg]
wd1l: 2147472640 525486208 4.2BSD 8192 65536 1
wd2l: 2147483647 63 4.2BSD 8192 65536 1

  Why is wd2l full?




Re: Why is disk full?

2022-03-29 Thread Aner Perez

Delete them from the destination and resync with -S.

    - Aner

On 3/29/22 12:14, F Bax wrote:

Looks like sparse files are no longer sparse on /mnt/wd2l/ !! Thanks Otto &
Aner.
du reported different sizes for several dozen folders that contain files
created by scan to PDF. Not all of the scanned files were affected; but
some might contain mostly blank pages.
For one sample file; ls -l reports
-rw-rw  1 fbax fbax  6683710 Oct 21  2019
du reports
13056   /mnt/wd1/ ...
13184   /mnt/wd2l/ ...

rsync -anvS does NOT report these files! Is there an easy way to make these
files to be sparse on wd2l?




Interpreting strange pflog output

2009-04-24 Thread Aner Perez

Hi,

We have an older OpenBSD 3.9 firewall which we will be upgrading to 4.5 and as a part of the upgrade, we will be locking 
down our outgoing connections.  As a first step, we have added some extra rules to log outgoing connections that are not 
specifically allowed by our current rule set.


While monitoring the pflog output, I occasionally see output that looks like 
this:

Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.126.0.0: at-#0 15
Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 73.229.0.0: at-#0 18
Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96
Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 73.174.0.0: at-#0 99

What first jumps out at me is the IP addresses which are not part of our network.  The second thing that jumps out is 
the "at-#0 18" notation.  What does this mean?  I'm assuming the number at the end is the packet size.  What is the 
"at-#0"?  Has anybody seen traffic like this?  Should I be worried?


Also, this output comes from "tcpdump -n -e -ttt -i pflog0 ifname fxp1".  Is there a way I can see the MAC address on 
these logged connections without doing a tcpdump on the physical interface?


This is on "3.9 GENERIC#617 i386" with pf turned on, NTP server enabled and an 
OpenVPN server running.

- Aner

--
Aner Perez
NCS Technologies, Inc



ipsec tunnel traffic getting icmp host unreachable

2012-01-31 Thread Aner Perez
We have a pair of VPN/firewall systems running 5.0 GENERIC.MP#59 i386 
(Lanner FW-7535B).  These machines are also running OpenBGP, OpenOSPF, 
CARP, pfsync, isakmpd and sasyncd.


Everything seems to be working fine except for VPN traffic.  We have 
33 active ipsec tunnels set up through isakmpd which are establishing 
fine (verified through ipsecctl -sa) and they are even passing traffic 
if it is originated on the internal interface IP of the firewall 
(xx.yy.zz.1 or xx.yy.zz.3).  Unfortunately, traffic from other hosts 
located on the internal network (e.g. xx.yy.zz.8) is getting ICMP Host 
Unreachable responses.


# tcpdump -ni em0
...
13:49:59.752891 xx.yy.zz.8 > vpn.net.1.1: icmp: echo request
13:49:59.752950 xx.yy.zz.3 > xx.yy.zz.8: icmp: host vpn.net.1.1 unreachable
...


net.inet.ip.forwarding=1 is set in sysctl.conf and non-VPN traffic is 
traversing the firewalls with no problems.


I can see all the routes created by the ipsec flows using:

# netstat -rnf encap
Routing tables

Encap:
Source         Port  Destination    Port  Proto  SA(Address/Proto/Type/Direction)
vpn.net/16     0     xx.yy.zz.0/26  0     0      vpn.peer.ip.addr/esp/use/in
xx.yy.zz.0/26  0     vpn.net/16     0     0      vpn.peer.ip.addr/esp/require/out
...

Because of a mis-communication, these machines currently have a full 
set of internet routing tables through BGP (netstat -rn takes a 
while).  I'm not sure if this may have something to do with it.  The 
networks accessible through the VPN are not routable over the internet.


In pf.conf I have:
...
set block-policy return
set skip on { lo0 $pfsync_if enc0 }
block return log all
antispoof quick for { lo internal } inet
match out on egress scrub (no-df random-id)
match in on egress scrub (reassemble tcp)
pass on egress proto carp
pass on internal proto carp
pass in on egress proto esp from $vpn_peer to $external_carp_ip
pass in on egress proto udp from $vpn_peer to $external_carp_ip port 
{isakmp, ipsec-nat-t}

pass inet proto icmp all icmp-type echoreq
pass out on egress inet proto udp from any to any port 33433 >< 33626
pass in proto igmp all allow-opts
pass out
pass in on internal inet
pass in proto tcp from $dmz_net to (egress) port bgp keep state
pass on egress inet proto ospf
...

I would really appreciate any assistance in getting this traffic 
flowing since I'm running out of ideas on where to look.  I have seen 
some people suggesting that static routes need to be added to get 
traffic flowing through the tunnels but others have said this isn't so 
and the encap routing table on the machine seems to indicate that this 
should just work.


Thanks,

- Aner



== dmesg output 

Re: ipsec tunnel traffic getting icmp host unreachable

2012-02-01 Thread Aner Perez
Ok, to answer my own question, it seems like you need a non-encap 
route to the network on the other side of the VPN.  If you don't have 
a regular route to that network, you get host unreachable responses.


To test this, I tried adding a route for the specific network being 
accessed, pointing to our default gateway.  Doing this allowed the 
traffic to flow through the VPN.  Notice that the route I added was 
not pointing to the remote VPN peer, just to our regular gateway 
router to the internet.


Next, I removed the specific route to the remote VPN network, and 
added a default route pointing to our internet gateway.  This also 
worked and allowed traffic to flow through the VPN.


Is this expected behavior?  Do I need a static route to a remote 
network before I can pass traffic to it through an IPSEC tunnel?


Sounds to me like inbound packets are checked against the routing 
tables to make sure they can be routed but the encap routing table is 
not consulted to make this decision.


Luckily for me, I won't need to add 33 routes and maintain them as 
tunnels are added and removed since I can just add a default route in 
addition to all the routes provided by our BGP session.


- Aner


Re: IPSEC Site-to-Site not routing packages

2012-02-23 Thread Aner Perez
See the thread titled "ipsec tunnel traffic getting icmp host 
unreachable" on this same list.


In short, the answer is that you need a standard route (in addition to 
the encap route) to the destination networks.


Any route that covers your destination network will do.  In my case, 
instead of adding routes for each of my ipsec tunnels, I just added a 
default route and that fixed the problem.  It won't actually use the 
gateway listed on this route, for that it uses the encap route.


- Aner

On 02/22/2012 05:22 PM, Morten Christensen wrote:

Dear fellow OpenBSD friends.

I'm setting up 2 FW's that should form a VPN tunnel securing the net behind 
each FW - simple

NET x ->  FW x ->  WAN ->  FW y ->  NET y

I'm using ipsec.conf / ipsecctl. OpenBSD 5, pf is disabled.

On FW x
# cat /etc/ipsec.conf
ike esp from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 psk 
"lotsofFishs4meAndyou"

netstat -rn
Encap:
Source       Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
10.20/16     0     10.21.35/24  0     0      212.37.141.59/esp/use/in
10.21.35/24  0     10.20/16     0     0      212.37.141.59/esp/require/out

# ipsecctl -sa
FLOWS:
flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid 
212.37.141.60/32 dstid 212.37.141.59/32 type use
flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid 
212.37.141.60/32 dstid 212.37.141.59/32 type require

SAD:
esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth 
hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth 
hmac-sha2-256 enc aes



On FW y
# cat /etc/ipsec.conf
ike esp from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 psk 
"lotsofFishs4meAndyou"

netstat -rn
Encap:
Source       Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
10.21.35/24  0     10.20/16     0     0      212.37.141.60/esp/use/in
10.20/16     0     10.21.35/24  0     0      212.37.141.60/esp/require/out

# ipsecctl -sa
FLOWS:
flow esp in from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.60 srcid 
212.37.141.59/32 dstid 212.37.141.60/32 type use
flow esp out from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 srcid 
212.37.141.59/32 dstid 212.37.141.60/32 type require

SAD:
esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth 
hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth 
hmac-sha2-256 enc aes

Of course on both machines
net.inet.ip.forwarding=1

Pinging from a host on NET x
Request timeout for icmp_seq 1402
36 bytes from 10.21.35.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
  4  5  00 5400 736e   0   40  01 cfa4 10.21.35.100  10.20.0.10

The gateway clearly answers that it can't route the packet!?

Pinging directly from FWx to FWy WORKS !!! ???

# ping -I 10.21.35.1 10.20.0.1
PING 10.20.0.1 (10.20.0.1): 56 data bytes
64 bytes from 10.20.0.1: icmp_seq=0 ttl=255 time=1.185 ms
64 bytes from 10.20.0.1: icmp_seq=1 ttl=255 time=0.829 ms
Dump while ping
# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
13:52:24.297384 (authentic,confidential): SPI 0xc5853584: 10.21.35.1>  
10.20.0.1: icmp: echo request (encap)
13:52:24.297508 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1>  
10.21.35.1: icmp: echo reply (encap)
13:52:25.299664 (authentic,confidential): SPI 0xc5853584: 10.21.35.1>  
10.20.0.1: icmp: echo request (encap)
13:52:25.299760 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1>  
10.21.35.1: icmp: echo reply (encap)


Routing is the problem ? what is the cause ? It looks like each FW doesn't 
permit routing packets from LAN hosts.

Thanks for your help

Regards

Morten Bech Christensen




Re: Manual IPsec setup with ipsec.conf

2012-04-05 Thread Aner Perez

On 04/04/2012 08:23 PM, Girish Venkatachalam wrote:


# ipsecctl -sa -v
FLOWS:
flow esp in from 10.1.23.0/24 to 192.168.1.0/24 peer 173.167.82.52 type
require
flow esp out from 192.168.1.0/24 to 10.1.23.0/24 peer 173.167.82.52 type
require
flow esp in from 173.167.82.52 to 59.99.242.167 peer 173.167.82.52 type
require
flow esp out from 59.99.242.167 to 173.167.82.52 peer 173.167.82.52 type
require

SAD:
esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth
hmac-sha1 enc aes
 sa: spi 0xbeefdead auth hmac-sha1 enc aes
 state mature replay 0 flags 4
 lifetime_cur: alloc 0 bytes 0 add 1333585275 first 0
 address_src: 173.167.82.52
 address_dst: 59.99.242.167
esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth
hmac-sha1 enc aes
 sa: spi 0xdeadbeef auth hmac-sha1 enc aes
 state mature replay 0 flags 4
 lifetime_cur: alloc 0 bytes 196 add 1333585275 first 1333585277
 address_src: 59.99.242.167
 address_dst: 173.167.82.52
 lifetime_lastuse: alloc 0 bytes 0 add 0 first 1333585277

I cannot ping between 192.168.1.50 and 10.1.23.2



Possibly just a routing issue (since the tunnels seem to be 
established).  See this thread:


http://comments.gmane.org/gmane.os.openbsd.misc/192986

It's kind of counter intuitive to have to specify a separate route for 
a tunnel, since it is adding no real information for the system to 
use, but it looks like it's a peculiarity of the current implementation.


- Aner



Re: sh/ksh replacement for the following bash command

2008-02-08 Thread Aner Perez

Michael wrote:

Hi,

I am looking for sh/ksh replacement for the following bash command:

$ X="abcdefghi"
$ echo ${X:0:2}
ab


Anyone got an idea?


Michael


How about this:

$ echo ${X%${X#??}}
ab

${X#??} is $X with the first 2 characters (??) removed.

${X%Z} is $X with Z removed from the end

So we removed from the end everything except the first 2 characters.  Sort of
convoluted but it works.

- Aner
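A general version of the trick above, added here as an example and not part of the original reply: the same two parameter expansions, `${var#pattern}` and `${var%pattern}`, can emulate bash's `${X:offset:length}` for any offset and length in POSIX sh or pdksh. The function names (`repeat_q`, `substr`) are mine, and the inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: a general ${X:off:len}
# replacement for POSIX sh / pdksh built only from ${var#pat} and
# ${var%pat}. The thread's one-liner ${X%${X#??}} is the case off=0 len=2.

# repeat_q N -> a pattern of N question marks (each ? matches one character)
repeat_q() {
    n=$1
    pat=
    while [ "$n" -gt 0 ]; do
        pat="$pat?"
        n=$((n - 1))
    done
    printf '%s\n' "$pat"
}

# substr STRING OFFSET LENGTH -> what bash's ${STRING:OFFSET:LENGTH} returns
substr() {
    s=$1
    off=$2
    len=$3

    # offset at or past the end: bash yields the empty string
    if [ "$off" -ge "${#s}" ]; then
        printf '\n'
        return 0
    fi

    # drop OFFSET characters from the front; the pattern is left unquoted
    # on purpose so the question marks act as globs
    pat=$(repeat_q "$off")
    rest=${s#$pat}

    # fewer than LENGTH characters remain: return all of them
    if [ "$len" -ge "${#rest}" ]; then
        printf '%s\n' "$rest"
        return 0
    fi

    # otherwise strip everything after the first LENGTH characters, exactly
    # as ${X%${X#??}} does for two; "$tail" is quoted so any glob characters
    # in the data (* or ?) are matched literally rather than as patterns
    pat=$(repeat_q "$len")
    tail=${rest#$pat}
    printf '%s\n' "${rest%"$tail"}"
}

substr abcdefghi 0 2    # ab
substr abcdefghi 3 4    # defg
substr 'a*b?c' 1 3      # *b?
```

The quoting of `"$tail"` in the final expansion is the part that matters for untrusted input: an unquoted `$tail` containing `*` would be treated as a glob and could strip far more than the intended suffix.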



Using interface group name in "set skip" directive of pf.conf

2008-05-06 Thread Aner Perez
I have 4.3 (clean install from CDs) running on a pair of Intel servers that will 
serve as a CARP firewall.  The 2 servers each have a separate interface which I 
am using for pfsync with a crossover cable.  I have added a group name to the 
pfsync interface called "pfsyncif".


If I add a "set skip on pfsyncif" to my pf.conf, the pfsync traffic is still 
blocked by pf (seen in tcpdump of pflog0).  If I use the actual interface name 
(i.e. "set skip on em3"), the "set skip" works perfectly and my pfsync traffic 
is not blocked.


I can see the group name in the output of ifconfig:

# ifconfig em3
em3: flags=8843 mtu 1500
lladdr 00:30:48:87:c6:b9
description: pfsync interface
groups: pfsyncif
media: Ethernet autoselect (1000baseT 
full-duplex,master,rxpause,txpause)
status: active
inet 192.168.7.2 netmask 0xff00 broadcast 192.168.7.255
inet6 fe80::230:48ff:fe87:c6b9%em3 prefixlen 64 scopeid 0x4

I am trying to use group names for my interfaces so that I can use the same 
pf.conf on multiple firewalls even if they have different hardware for the devices.


Am I missing something or does this just not work this way?

Thanks,

- Aner



CARP + pfsync firewall rejects ARP updates

2005-11-17 Thread Aner Perez
I am setting up a redundant OpenBSD firewall using CARP and pfsync.  I am using 
an OpenBSD 3.8 install from the CDs.


As part of the work being done, I am also configuring Solaris multipathing on 
some servers inside the firewall.  The way Solaris switches to a redundant 
interface in case of failure seems to be by advertising the shared IP address on 
the standby NIC when failing over.


When Solaris does its failover, I am seeing the following message in the 
firewall's logs:


/bsd: arp: attempt to overwrite entry for x.x.x.x on carp1 by nn:nn:nn:nn:nn:nn 
on fxp0


carp1 is my carp interface on the inside and fxp0 is the physical interface on 
the inside.  Basically this message is saying that the Solaris failover is 
happening exactly as expected, but the firewall is rejecting the arp update 
because it thinks carp1 and fxp0 are two completely different interfaces 
although with carp, I don't think this should be the case.


I am new to OpenBSD so I'm hoping I am misunderstanding the situation or there 
is a simple solution to this problem.


Any suggestions will be greatly appreciated.

- Aner



Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-09-01 Thread Aner Perez

On 09/01/2011 06:20 AM, Stuart Henderson wrote:

Paul Suh  goodeast.com>  writes:

On Aug 30, 2011, at 2:34 AM, Martin Schröder wrote:

2011/8/30 Paul Suh  goodeast.com>:

I'm looking for a mini-ITX motherboard with at least 4 x Gig-E ports.


Not a board, but full computers:


http://www.lannerinc.com/Embedded_Computing/All-Purpose_Box_Computers/LEC-2126
http://www.lannerinc.com/Embedded_Computing/All-Purpose_Box_Computers/LEC-2026
http://www.lannerinc.com/x86_Network_Appliances/x86_Desktop_Appliances/FW-7530
http://www.lannerinc.com/x86_Network_Appliances/x86_Desktop_Appliances/FW-7535

Martin,

These look very interesting, but I haven't been able to locate where to buy
any of them on a small scale. Do you know of a good distributor for them?


I tried asking Lanner about distributors directly a couple of times,
they didn't bother with even an automated reply and just added my address
to a marketing mailing list.

Netgate (US) and Bytemine (EU) have the 7535; also there's a 4x gig atom-
based soekris board (net6501) out soon.



We bought five FW-7535B from Lanner directly earlier this year.  They 
are very nice.  You can't fit 2 in 1U (they are too wide) but they do 
offer a rackmount kit if you're willing to give up 1U per appliance.


- Aner



Re: ksh: bad number (with leading zeroes) should not work for 0 - 7

2011-09-12 Thread Aner Perez

On 09/12/2011 05:45 PM, Abel Abraham Camarillo Ojeda wrote:

Some of our shell scripts that work with dates and do something like:

month=`date +%m`
something && month=$((month-1))

Suddenly started crashing on august... there seems to be a bug identifying
not-numbers (numbers with leading zeroes) before '08' (eighth), how to reproduce:

$ for i in 0{0,1,2,3,4,5,6,7,8,9}; do a=$i; a=$((a-1)); echo $a; done
-1
0
1
2
3
4
5
6
ksh: 08: bad number `08'
$



Seems like it's being interpreted as an octal number because of the 
leading zero.  ksh93 on Linux does not interpret this as octal and 
runs the snippet fine.  bash on linux does interpret it as octal and 
gives a similar error.


/bin/ksh on OpenBSD 4.5 gives the same error so it is not a recent 
behavior change in OpenBSD.


- Aner
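A portable way around the octal interpretation discussed above, added as an example and not part of the original thread: strip the leading zeros before the value reaches `$((...))`, so `08` and `09` are never parsed as malformed octal literals. The function names (`todec`, `prev_month`) are mine; the month values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread: avoid "bad number `08'" by
# removing leading zeros before arithmetic expansion sees the value.
# Uses only POSIX parameter expansion, so it behaves the same in OpenBSD
# ksh, bash and plain sh.

# todec N -> N with leading zeros removed ("08" -> 8, "000" -> 0, "10" -> 10)
todec() {
    n=$1
    # keep stripping one zero while the string is longer than one character
    # and still starts with 0, so a lone "0" survives
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do
        n=${n#0}
    done
    printf '%s\n' "$n"
}

# prev_month MM -> the two-digit month preceding MM, wrapping 01 -> 12
prev_month() {
    m=$(todec "$1")
    m=$(( (m + 10) % 12 + 1 ))    # maps 1..12 onto 12,1,2,...,11
    printf '%02d\n' "$m"
}

# The thread's reproduction loop, with the value sanitised first;
# the brace expansion of the original is replaced by an explicit list
# because brace expansion is not POSIX.
for i in 00 01 02 03 04 05 06 07 08 09; do
    a=$(todec "$i")
    echo "$i -> $((a - 1))"
done

prev_month 08    # 07
prev_month 01    # 12
```

In ksh and bash the arithmetic syntax `10#08` forces base ten and would also work, but it is not POSIX and fails in plain sh, which is why the example strips the zeros instead; `prev_month` additionally fixes the January case, where `month-1` in the original script would produce 0 rather than 12.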