Re: Packet Filter router i368 vs 64bit
On 11/28/2014 06:01 AM, Brad Smith wrote:
> On 11/27/14 23:50, jungle Boogie wrote:
>> Hi,
>> On 27 November 2014 at 20:38, wrote:
>>>
>>> you can just use old hardware for these purposes.
>>>
>>> from the man who literally wrote the book on pf (from pf tutorial via
>>> http://home.nuug.no/~peter/pf/en/long-firewall.html):
>>>
>>> I have not seen comparable tests performed recently [3.1 era], but in my
>>> own experience and that of others, the PF filtering overhead is pretty
>>> much negligible. As one data point, the machine which gateways between
>>> one of the networks where I've done a bit of work and the world is a
>>> Pentium III 450MHz with 384MB of RAM. When I've remembered to check, I've
>>> never seen the machine at less than 96 percent 'idle' according to top.
>>>
>>
>> Yes, that's true! But less fun. ;)
>>
>> I do have some Dell dimensions machine with OpenBSD -current running
>> now that I could easily get two NICs but it's kinda old and slow to
>> update current. I'll measure the power to see how much it uses.
>>
>> With the fact that old hardware, why would the APU be "OK" and not good?
>
> I don't see anyone claiming it would not be good. It's more like if you
> happen to have some old hw around that it would probably be good enough
> for what you're describing but the APU system would also do the job just
> fine.
>

I run the previous generation ALIX 2D13 with OpenBSD 5.6 on it for a home
firewall with 10MB WAN broadband and 100MB between computers. All is fine:
low temperature, low consumption, same speed as with a basic 100MB switch.
So I guess the APU1C is fast enough for a home network.
Re: Packet Filter router i368 vs 64bit
On 11/28/2014 06:21 PM, trondd wrote:
> On Fri, Nov 28, 2014 at 12:00 AM, Edgar Pettijohn wrote:
>
>> This is something I've been interested in trying, but I would want it as a
>> wireless access point as well and not sure what cards are supported and
>> work well. Does anyone know of any good choices?
>>
>>
> I went with an athn card in my APU:
> http://www.amazon.com/gp/r.html?R=1VP5WEM85ZPGN&C=3JNG5JOTKOGN0&H=TKW2F041FODZDC3VUWNULCCNSVUA&T=C&U=http%3A%2F%2Fwww.amazon.com%2Fdp%2FB005HMZ8B2%2Fref%3Dpe_385040_121528360_TE_dp_3
>
> It's half sized, so it'll need an adapter to full size to mount in the APU.
>
> There are other usable options if you check the wifi man pages and make
> sure Host AP mode is supported.
>
> Tim.
>

You can also use an external wifi router from any vendor and plug it into an
interface of the APU. Then route the traffic from the wifi router to the APU
and filter it on the dedicated interface. You can maybe bridge the wifi and
the APU.
Re: 5.5 bsd.rd fails to boot on alix
Hello,

I have an Alix 2d13 booting OpenBSD 5.5 fine. If there are no error
messages, maybe you just lost the connection on the serial line. Did you set
"set tty com0" at the boot prompt? I have this in my tftp root:

$ cat ./etc/boot.conf
set tty com0
boot bsd.rd

The default Alix speed is 38400, but I set it to 9600 to be directly
compatible with the OpenBSD default (but you can change it from boot.conf to
run OpenBSD at 38400). Try "set tty com0" or change the speed.

On 06/29/14 08:09, Dewey Hylton wrote:
> i have 3 alix 2d13 machines, all currently running something between 5.1 and
> 5.3. each of these fails to boot the 5.5 bsd.rd (i386). bsd.rd checksums
> match. each time i attempt to boot the 5.5 bsd.rd on any of these 3 machines,
> i see the following two lines:
>
> booting tftp:bsd.rd:
> entry point at 0x200120
>
> i've also booted the machines to their current openbsd install, downloaded
> the bsd.rd file locally, rebooted, and attempted to boot the new bsd.rd from
> the boot prompt. i get the same thing doing that, excepting for the tftp:
> blurb. for this reason i don't believe networking has anything to do with the
> failure. because i see the same thing via pxe, i don't believe the on-disk
> code has anything to do with the failure either.
>
> i've run memtest, nothing bad to report. i've tried different serial speeds
> (9600, 38400, 115200), no changes. the 5.4 bsd.rd works just fine, while the
> latest snapshot yields the same problem.
>
> i'm hoping this is a known behavior resulting from a change for which i've
> simply missed the clue. has something changed, and i am simply doing
> something wrong for the newer version of openbsd?
Re: openssh
On 03/07/2014 15:17, Dennis Davis wrote:
> On Thu, 3 Jul 2014, Peter N. M. Hansteen wrote:
>
>> From: Peter N. M. Hansteen
>> To: misc@openbsd.org
>> Date: Thu, 3 Jul 2014 09:41:12
>> Subject: Re: openssh
>>
>> On Thu, Jul 03, 2014 at 10:32:42AM +0200, Henning Brauer wrote:
>>> * Mihai Popescu [2014-07-02 17:05]:
>>>> Better buy a hard disk, copy your data and mail it abroad. Seriously.
>>> A truck full of hard disks is a transport link with fantastic
>>> bandwidth. Latency kinda sucks, tho.
>> And if the hard disks are small enough, you can attach them to
>> pigeons, or swallows, even! (African or European)
> Sounds to me like this means that RFC1149[1] should be updated.
> Technology has improved somewhat since this RFC was written.
>
> [1] http://tools.ietf.org/html/rfc1149

It was: https://tools.ietf.org/html/rfc2549
Re: openssh
On 03/07/2014 22:49, Chris Cappuccio wrote:
> Peter N. M. Hansteen [pe...@bsdly.net] wrote:
>> On Thu, Jul 03, 2014 at 10:32:42AM +0200, Henning Brauer wrote:
>>> * Mihai Popescu [2014-07-02 17:05]:
>>>> Better buy a hard disk, copy your data and mail it abroad. Seriously.
>>> A truck full of hard disks is a transport link with fantastic bandwidth.
>>> Latency kinda sucks, tho.
>> And if the hard disks are small enough, you can attach them to pigeons, or
>> swallows, even! (African or European)
>>
> Drones.
>

Burrito. http://tools.ietf.org/html/draft-lohsen-ip-burrito-00
Minor outdated link in faq
Hello, I found a link in the FAQ about upgrading to -stable branch pointing on the upgrade guide 5.3 -> 5.4. I think this should point on 5.4 -> 5.5. Here is a patch. --- stable.html.old Mon Jul 14 00:30:30 2014 +++ stable.html Mon Jul 14 00:31:08 2014 @@ -90,7 +90,7 @@ Do not attempt to go from one release to another via source. -Instead, please visit the upgrade guide. +Instead, please visit the upgrade guide. Also, you cannot go backwards, from -current back to -stable, because of library versioning problems and other changes.
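Review bot: in the hunk at @@ -90,7 +90,7 @@ the removed line `-Instead, please visit the upgrade guide.` and the added line `+Instead, please visit the upgrade guide.` are textually identical, so the change the message describes (pointing the link at the 5.4 -> 5.5 guide instead of 5.3 -> 5.4) is not visible in the patch as posted; the link target itself, the only thing that would differ, is missing from both lines. Resend the diff with the anchor markup intact, or spell out the old and new URL in the message, so the new target can be checked before the FAQ is updated.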
Memory checker
Hello,

I saw the valgrind port in GSoC 2014; is someone actually working on it?
Is there an alternative to valgrind in OpenBSD to check for memory leaks and
invalid reads/writes? If not, do you have some clues to implement a little
basic layer to hook malloc / free and track block size?

Thanks.
Re: Memory checker
On 31/07/2014 14:45, Stuart Henderson wrote:
> On 2014-07-31, Blaise Hizded wrote:
>> If no, do you have some clues to implement a little basic layer to hook
>> malloc / free and track block size?
> malloc has some useful code hidden behind MALLOC_STATS - see
> http://www.drijf.net/malloc/
>

Oh, thanks, it's interesting. I will test this.
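An added example, not code from this thread, from OpenBSD's malloc or from valgrind, of the "little basic layer" the question asks about: a wrapper around malloc/free that records every live block with its size and allocation site, reports the blocks still live at the end (leaks) and refuses double frees and frees of pointers it never handed out, so the second free never reaches libc. The `MALLOC`/`FREE` macros, the 1024-entry table and the two scenario functions are this example's own choices. Out-of-bounds reads and writes are out of scope for a table like this; catching those takes guard pages or instrumentation, which is where the MALLOC_STATS code mentioned in the reply, or valgrind, goes further.

```c
/* Minimal malloc/free tracker (added example; not OpenBSD malloc, MALLOC_STATS
 * or valgrind). A fixed-size table of live blocks gives leak reports and
 * catches double frees / foreign frees. It does NOT detect invalid reads or
 * writes inside or around a block. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 1024

struct block {
    void *ptr;
    size_t size;
    const char *file;   /* allocation site, shown in the leak report */
    int line;
};

static struct block live[MAX_TRACKED];
static size_t n_live;
static size_t bad_frees;    /* double frees plus frees of pointers never handed out */

/* Allocates and records the block. Returns NULL if malloc fails or the table is
 * full: failing loudly beats silently losing track of a block. */
void *tracked_malloc(size_t size, const char *file, int line)
{
    if (n_live == MAX_TRACKED)
        return NULL;
    void *p = malloc(size);
    if (p == NULL)
        return NULL;
    live[n_live++] = (struct block){ p, size, file, line };
    return p;
}

/* Releases a tracked block. Returns 1 on success, 0 if the pointer is not live
 * (double free or foreign pointer); then libc free() is not called at all, so
 * the double free cannot corrupt the heap. */
int tracked_free(void *p, const char *file, int line)
{
    if (p == NULL)
        return 1;                       /* free(NULL) is a no-op */
    for (size_t i = 0; i < n_live; i++) {
        if (live[i].ptr == p) {
            free(p);
            live[i] = live[--n_live];   /* swap-remove; order is irrelevant */
            return 1;
        }
    }
    bad_frees++;
    fprintf(stderr, "%s:%d: free of untracked or already freed pointer %p\n",
            file, line, p);
    return 0;
}

#define MALLOC(sz) tracked_malloc((sz), __FILE__, __LINE__)
#define FREE(p)    tracked_free((p), __FILE__, __LINE__)

size_t tracked_live_blocks(void) { return n_live; }
size_t tracked_bad_frees(void)   { return bad_frees; }

size_t tracked_live_bytes(void)
{
    size_t total = 0;
    for (size_t i = 0; i < n_live; i++)
        total += live[i].size;
    return total;
}

/* Prints every block still live with its allocation site; returns the count. */
size_t tracked_report(void)
{
    for (size_t i = 0; i < n_live; i++)
        fprintf(stderr, "leak: %zu bytes allocated at %s:%d\n",
                live[i].size, live[i].file, live[i].line);
    return n_live;
}

/* Frees everything still tracked and clears the counters; returns how many
 * blocks were released. Used between scenarios. */
size_t tracked_reset(void)
{
    size_t released = n_live;
    for (size_t i = 0; i < n_live; i++)
        free(live[i].ptr);
    n_live = 0;
    bad_frees = 0;
    return released;
}

/* Constructed scenario: a block freed twice. Returns the bad frees caught (1). */
size_t scenario_double_free(void)
{
    tracked_reset();
    char *a = MALLOC(100);
    char *b = MALLOC(28);
    FREE(a);
    FREE(a);                    /* caught; libc free() is not called again */
    FREE(b);
    return tracked_bad_frees();
}

/* Constructed scenario: one block is never freed. Returns bytes still live (64). */
size_t scenario_leak(void)
{
    tracked_reset();
    char *kept = MALLOC(64);    /* "forgotten" on purpose */
    char *tmp = MALLOC(16);
    if (tmp) memset(tmp, 0, 16);
    (void)kept;
    FREE(tmp);
    return tracked_live_bytes();
}

int main(void)
{
    printf("double frees caught: %zu\n", scenario_double_free());
    printf("bytes leaked: %zu\n", scenario_leak());
    tracked_report();
    tracked_reset();
    return 0;
}
```

Call `tracked_report()` from an `atexit` handler in a real program to get the leak list at exit; a linear table is fine for a test harness but would be replaced by a hash table or a header stored in front of each block for anything with many live allocations.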
Re: pf rdr-to and access from internal network
On 10/28/2014 07:57 PM, Julian Smith wrote:
> On Tue, 28 Oct 2014 13:40:52 -0400
> trondd wrote:
>
>> Are you telnetting to the external IP of the server from the internal
>> client?
> Yes. Actually i've tried using the external IP and the internal IP.
> Both have the same result - telnet says 'telnet: Unable to connect to
> remote host: Connection refused'.
>
> Telneting from an external machine works fine.
>
>> Have you enabled logging in pf? Are the packets blocked or are they passed
>> by a different rule that doesn't give the expected results?
> Yes, i've enabled logging and i see various items such as:
>
> ju...@server-55.my.domain:~ > sudo tcpdump -v -i pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> 18:51:26.909339 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 (DF) [tos 0xc] (ttl 117, id 29686, len 48)
> 18:51:27.465183 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 (DF) [tos 0xc] (ttl 117, id 29765, len 48)
> 18:51:27.909397 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 (DF) [tos 0xc] (ttl 117, id 29841, len 48)
>
> But i don't see anything when the internal connection is refused.
>
> I enabled logging with:
>
> sudo ifconfig pflog0 up
> sudo tcpdump -v -i pflog0
>
> For completeness, here's my pf.conf:
>
>
> int_if="sk0"
> ext_if="rl0"
>
> tcp_services="{ 22, 80, 113 }"
> icmp_types="echoreq"
>
> # options
>
> set block-policy return
> set loginterface egress
> set skip on lo
>
> # match rules
>
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> # filter rules
>
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
>     port $tcp_services
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> # Redirect Undo keyserver connections to pc5:
> pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281
>
> # Attempting to allow 5281 to forward to pc5 from internal network. But doesn't
> # work...
> pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
> pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
> #pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if
>
> pass in on $int_if
>
> # for our ftp server.
> pass in on egress proto tcp to port 21
> pass in on egress proto tcp to port > 49151
>
> pass in on rl0 proto tcp to port 21
> pass in on rl0 proto tcp to port > 49151
>
>
>
> Many thanks,
>
> - Julian
>

You can try the match keyword to redirect and then a pass rule. I didn't try
it, and it's been a long time since I wrote a pf rule, but you can try
something like that:

# change the dest ip of any packet from 5281 to pc5
match in on $ext_if inet proto tcp from port 5281 rdr-to pc5
...
pass on egress inet proto tcp from port 5281
Nginx security patch build fail
Hello,

I just installed a fresh OpenBSD 5.4 release and I want to apply all the
errata security patches. Everything worked well except the 004 patch for
Nginx. I applied the patch without problem, but when I try to recompile:

# rm -rf /usr/obj/*
# cd /usr/src/
# make -f Makefile.bsd-wrapper obj
/usr/src/usr.sbin/nginx/obj -> /usr/obj/usr.sbin/nginx
# make -f Makefile.bsd-wrapper depend
# Nothing here so far...
# make -f Makefile.bsd-wrapper
/usr/bin/lndir -s -e obj -e obj.i386 -e Makefile.bsd-wrapper /usr/src/usr.sbin/nginx
checking for OS
 + OpenBSD 5.4 i386
checking for C compiler ... found but is not working

configure: error: C compiler cc is not found
*** Error 1 in /usr/src/usr.sbin/nginx (Makefile.bsd-wrapper:49 '/usr/src/usr.sbin/nginx/obj/objs/ngx_auto_config.h': @cd /usr/src/usr.sbin/...)

This is weird, my compiler worked fine for the other builds.

OpenBSD 5.4 i386. dmesg attached.

AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ ("AuthenticAMD" 686-class, 512KB L2 cache) 2.21 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,SSE3,CX16,LAHF,CMPLEG,SVM,EAPICSP,AMCR8
real mem = 2011623424 (1918MB)
avail mem = 1967292416 (1876MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/02/06, BIOS32 rev. 0 @ 0xfae60, SMBIOS rev. 2.4 @ 0xf (63 entries)
bios0: vendor Dell Inc version "1.0.3" date 10/02/2006
bios0: Dell Inc Dimension E521
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP BOOT SSDT HPET MCFG SLIC APIC
acpi0: wakeup devices HUB0(S5) XVRA(S5) XVRB(S5) XVRC(S5) USB0(S3) USB2(S3) AZAD(S5) MMAC(S5) MMCI(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: disabled
acpimcfg0 at acpi0 addr 0xf000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ ("AuthenticAMD" 686-class, 512KB L2 cache) 2.21 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,SSE3,CX16,LAHF,CMPLEG,SVM,EAPICSP,AMCR8
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (HUB0)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xec00
cpu0: PowerNow! K8 2205 MHz: speeds: 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
"NVIDIA C51 Host" rev 0xa2 at pci0 dev 0 function 0 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 1 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 2 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 3 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 4 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 5 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 6 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 7 not configured
ppb0 at pci0 dev 2 function 0 "NVIDIA C51 PCIE" rev 0xa1
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 "NVIDIA C51 PCIE" rev 0xa1
pci2 at ppb1 bus 2
ppb2 at pci0 dev 4 function 0 "NVIDIA C51 PCIE" rev 0xa1
pci3 at ppb2 bus 3
vga1 at pci0 dev 5 function 0 "NVIDIA GeForce 6150 LE" rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"NVIDIA MCP51 Host" rev 0xa2 at pci0 dev 9 function 0 not configured
pcib0 at pci0 dev 10 function 0 "NVIDIA MCP51 ISA" rev 0xa3
nviic0 at pci0 dev 10 function 1 "NVIDIA MCP51 SMBus" rev 0xa3
iic0 at nviic0
spdmem0 at iic0 addr 0x51: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x52: 512MB DDR2 SDRAM non-parity PC2-4200CL5
spdmem2 at iic0 addr 0x53: 512MB DDR2 SDRAM non-parity PC2-4200CL5
iic1 at nviic0
"NVIDIA MCP51 Memory" rev 0xa3 at pci0 dev 10 function 2 not configured
ohci0 at pci0 dev 11 function 0 "NVIDIA MCP51 USB" rev 0xa3: apic 2 int 15, version 1.0, legacy support
ehci0 at pci0 dev 11 function 1 "NVIDIA MCP51 USB" rev 0xa3: apic 2 int 7
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "NVIDIA EHCI root hub" rev 2.00/1.00 addr 1
pciide0 at pci0 dev 14 function 0 "NVIDIA MCP51 SATA" rev 0xa1: DMA
pciide0: using apic 2 int 11 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 15 function 0 "NVIDIA MCP51 SATA" rev 0xa1: DMA
pciide1: using apic 2 int 10 for native-PCI
Re: Nginx security patch build fail
On 04/24/14 17:38, Pablo Méndez Hernández wrote:
> Hi Blaise,
>
> On Thu, Apr 24, 2014 at 4:03 PM, Blaise Hizded wrote:
>> Hello,
>> I just installed a fresh OpenBSD 5.4 release and I want to apply all the
>> errata security patch.
>> Everything worked well except the 004 patch for Nginx.
>> I apply the patch without problem, but when I try to recompile:
>>
>> # rm -rf /usr/obj/*
>> # cd /usr/src/
>> # make -f Makefile.bsd-wrapper obj
>> /usr/src/usr.sbin/nginx/obj -> /usr/obj/usr.sbin/nginx
>> # make -f Makefile.bsd-wrapper depend
>> # Nothing here so far...
>> # make -f Makefile.bsd-wrapper
>> /usr/bin/lndir -s -e obj -e obj.i386 -e Makefile.bsd-wrapper /usr/src/usr.sbin/nginx
>> checking for OS
>>  + OpenBSD 5.4 i386
>> checking for C compiler ... found but is not working
>>
>> configure: error: C compiler cc is not found
> Which packages did you choose at install time?
>
>
> Regards.
>

I didn't install the X sets. Everything else is installed (comp54.tgz...).
Re: Nginx security patch build fail
On 04/25/14 09:29, Pablo Méndez Hernández wrote:
> On Thu, Apr 24, 2014 at 6:32 PM, Blaise Hizded wrote:
>> On 04/24/14 17:38, Pablo Méndez Hernández wrote:
>>> Hi Blaise,
>>>
>>> On Thu, Apr 24, 2014 at 4:03 PM, Blaise Hizded wrote:
>>>> Hello,
>>>> I just installed a fresh OpenBSD 5.4 release and I want to apply all the
>>>> errata security patch.
>>>> Everything worked well except the 004 patch for Nginx.
>>>> I apply the patch without problem, but when I try to recompile:
>>>>
>>>> # rm -rf /usr/obj/*
>>>> # cd /usr/src/
>>>> # make -f Makefile.bsd-wrapper obj
>>>> /usr/src/usr.sbin/nginx/obj -> /usr/obj/usr.sbin/nginx
>>>> # make -f Makefile.bsd-wrapper depend
>>>> # Nothing here so far...
>>>> # make -f Makefile.bsd-wrapper
>>>> /usr/bin/lndir -s -e obj -e obj.i386 -e Makefile.bsd-wrapper /usr/src/usr.sbin/nginx
>>>> checking for OS
>>>>  + OpenBSD 5.4 i386
>>>> checking for C compiler ... found but is not working
>>>>
>>>> configure: error: C compiler cc is not found
>>> Which packages did you choose at install time?
>>>
>> I didn't install the X sets. Everything else are installed (comp54.tgz...)
> Can you check if /usr/bin/cc is there?
>
>

Hello,

Yes, cc is here and it's GCC 4.2.1:

$ ls /usr/bin/cc
/usr/bin/cc
$ /usr/bin/cc -v
Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd5.4/4.2.1/specs
Target: i386-unknown-openbsd5.4
Configured with: OpenBSD/i386 system compiler
Thread model: posix
gcc version 4.2.1 20070719
Re: pf multiple match rules
On 05/06/2014 12:54 PM, Marko Cupać wrote:
> Hi,
>
> with the following two match lines:
>
> match out on $ext_if from 192.168.1.0/24 to any nat-to X.X.X.X
> match out on $ext_if from 192.168.1.55 to any nat-to Y.Y.Y.Y
>
> and the following pass line:
>
> pass in on $int_if inet proto tcp from 192.168.1.55 to any
>
> will the packets be translated to X.X.X.X or Y.Y.Y.Y?
>
> Regards,
>

I think the first thing happening is to let the packet from 192.168.1.55 pass
into the router; then the first match rule will be applied, translating the
packet to X.X.X.X, and the second will never match.

A simple way to know is to add 2 rules:

pass log out on $ext_if inet proto tcp from X.X.X.X
pass log out on $ext_if inet proto tcp from Y.Y.Y.Y

then tcpdump -i pflog0.
Re: pf multiple match rules
On 05/07/2014 12:17 PM, Marko Cupać wrote:
> Thank you for reply.
>
> I have been trying some trial and error tests, and I came to similar
> conclusion, but I would like to understand the design idea behind match
> rule.
>
> Who wins, the first or the last matching rule? Or do they all stick
> together? What if they are conflicting, like in this case?
>
> Thank you in advance,

As Henning Brauer said, the rewrites are applied immediately. So the first
match rule will rewrite the IP of the packet, and the second match will be
evaluated on the rewritten IP. There is no winner: the packet is passed
through all match rules and the action is applied directly if it matches,
from first to last.
Re: pf multiple match rules
On 05/07/2014 12:41 PM, Marko Cupać wrote:
> On Wed, 07 May 2014 12:23:12 +0200
> Blaise Hizded wrote:
>
>> As Henning Brauer said, the rewrite are applied immediately. So the
>> first match rule will rewrite IP from the packet and the second match
>> will be evaluated on the new IP rewritten.
>> There is no win, the packet is passed thru all match rules and the
>> action is applied directly if it match, from first to last.
> Oh, I understand now, thank you for your explanation. Second match rule
> would not trigger simply because source address of every request from
> 192.168.1.0/24 is already rewritten with the first match rule, so
> packet coming from 192.168.1.55 is actually already counted as coming
> from translated public address X.X.X.X.

Yes, exactly, except if X.X.X.X is 192.168.1.55; then the second match rule
will rewrite it to Y.Y.Y.Y. But that's the only case where your second rule
can match.
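The evaluation order discussed in this thread, and in the earlier "pf rdr-to and access from internal network" thread, as an added example that is not pf's own code and not from any post: a toy model of how pf walks a ruleset. It encodes what the replies state (rules are evaluated first to last; a `match` rule's nat-to/rdr-to is applied immediately, so later rules see the rewritten packet; among pass rules the last match wins unless it is `quick`) plus one assumption of the model: a translation attached to a pass rule only takes effect if that pass rule ends up as the final match. Interface names sk0/rl0 and the 192.168.1.0/24 network come from the threads; the addresses 203.0.113.x and 198.51.100.x are constructed stand-ins for X.X.X.X, Y.Y.Y.Y and the external address, and pc5 = 192.168.1.5 is assumed. `scenario_two_match` reproduces Marko's two match rules, including the one case where the second rule can fire; `scenario_rdr` reproduces the ordering in Julian's pf.conf, where the rdr-to pass rule for the internal network is followed by a bare `pass in on $int_if` with no `quick` (style 0), and the two ways out: `quick` on the rdr-to rule (style 1) or the `match` rule the reply suggests (style 2).

```c
/* Toy model of pf rule evaluation (added example, not pf's code). Rules are
 * walked first to last; a match rule's translation applies immediately; the
 * last matching pass/block rule wins unless quick. Assumption: a pass rule's
 * translation counts only if that rule is the final match. IPv4 only;
 * direction and protocol are not modelled. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum action { MATCH, PASS, BLOCK };

struct pkt {
    const char *ifname;         /* interface the packet is seen on */
    uint32_t src, dst;          /* host byte order */
    uint16_t dport;
};

struct rule {
    enum action action;
    int quick;
    const char *ifname;         /* NULL: any interface */
    uint32_t src, srcmask;      /* source prefix; srcmask 0: any */
    uint32_t dst;               /* 0: any */
    uint16_t dport;             /* 0: any */
    uint32_t nat_to, rdr_to;    /* 0: no translation */
};

/* Dotted quad to host byte order; 0 on parse error. */
static uint32_t ip(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

static uint32_t mask(int prefix)
{
    return prefix <= 0 ? 0 : 0xffffffffu << (32 - prefix);
}

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    if (r->ifname && strcmp(r->ifname, p->ifname) != 0) return 0;
    if (r->srcmask && (p->src & r->srcmask) != (r->src & r->srcmask)) return 0;
    if (r->dst && p->dst != r->dst) return 0;
    if (r->dport && p->dport != r->dport) return 0;
    return 1;
}

/* Walks the ruleset over *p, rewriting p->src / p->dst as translations apply;
 * returns the final action (PASS when no pass/block rule matched). */
static enum action evaluate(const struct rule *rules, int n, struct pkt *p)
{
    const struct rule *last = NULL;
    for (int i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (!rule_matches(r, p)) continue;
        if (r->action == MATCH) {           /* applied right away */
            if (r->nat_to) p->src = r->nat_to;
            if (r->rdr_to) p->dst = r->rdr_to;
        } else {
            last = r;                       /* last matching rule wins ... */
            if (r->quick) break;            /* ... unless quick stops the walk */
        }
    }
    if (last == NULL) return PASS;
    if (last->action == PASS) {             /* assumption: only the winner's translation counts */
        if (last->nat_to) p->src = last->nat_to;
        if (last->rdr_to) p->dst = last->rdr_to;
    }
    return last->action;
}

/* Two match rules with nat-to on rl0 ($ext_if); x stands in for X.X.X.X and
 * 198.51.100.1 for Y.Y.Y.Y. Returns the source a packet from 192.168.1.55 leaves with. */
static uint32_t scenario_two_match(uint32_t x)
{
    struct rule rules[] = {
        { .action = MATCH, .ifname = "rl0", .src = ip("192.168.1.0"),  .srcmask = mask(24), .nat_to = x },
        { .action = MATCH, .ifname = "rl0", .src = ip("192.168.1.55"), .srcmask = mask(32), .nat_to = ip("198.51.100.1") },
        { .action = PASS },
    };
    struct pkt p = { "rl0", ip("192.168.1.55"), ip("203.0.113.9"), 80 };
    evaluate(rules, 3, &p);
    return p.src;
}

/* Internal client on sk0 ($int_if) connecting to the external address, port 5281,
 * with a bare "pass in on sk0" after the redirect rule. style 0: rdr-to on a plain
 * pass rule; 1: the same rule with quick; 2: rdr-to on a match rule. Returns the
 * destination the packet ends up with. */
static uint32_t scenario_rdr(int style)
{
    uint32_t ext = ip("203.0.113.10"), pc5 = ip("192.168.1.5");   /* constructed */
    struct rule first = {
        .action = style == 2 ? MATCH : PASS, .quick = style == 1, .ifname = "sk0",
        .src = ip("192.168.1.0"), .srcmask = mask(24), .dst = ext, .dport = 5281,
        .rdr_to = pc5,
    };
    struct rule rules[] = { first, { .action = PASS, .ifname = "sk0" } };
    struct pkt p = { "sk0", ip("192.168.1.10"), ext, 5281 };
    evaluate(rules, 2, &p);
    return p.dst;
}

static void show(const char *label, uint32_t a)
{
    struct in_addr in = { .s_addr = htonl(a) };
    printf("%s: %s\n", label, inet_ntoa(in));
}

int main(void)
{
    show("two match rules, X.X.X.X public     ", scenario_two_match(ip("203.0.113.1")));
    show("two match rules, X.X.X.X=192.168.1.55", scenario_two_match(ip("192.168.1.55")));
    show("rdr-to on pass rule, later pass wins", scenario_rdr(0));
    show("rdr-to on pass quick                ", scenario_rdr(1));
    show("rdr-to on match rule                ", scenario_rdr(2));
    return 0;
}
```

The model is a reasoning aid for reading a ruleset; the authoritative check on a live box is still the one given in the thread, `pass log` rules and `tcpdump -i pflog0`, since pf's real matching also involves direction, protocol and state.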