init disappeared on my OpenBSD VPS
I have an OpenBSD VPS, I just built the latest kernel from the 5.3 patch branch, and the new kernel can't find init, but neither can the old kernel, they both make this output:

>> OpenBSD/amd64 BOOT 3.01
boot> obsd
booting hd0a:obsd: 8404228+1102404 [52+381152+367486]=0x9c7d50
entry point at 0x200120 [7205c766, 3404, 24448b12, 2494a304]

[ using 749064 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2013 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 5.3-stable (SECUSRVR) #0: Wed May 22 10:07:51 PDT 2013
r...@elijah.secusrvr.com:/usr/src/sys/arch/i386/compile/SECUSRVR
cpu0: QEMU Virtual CPU version 0.9.1 ("GenuineIntel" 686-class) 2.65 GHz
cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,LONG,SSE3,PERF
real mem = 804777984 (767MB)
avail mem = 780640256 (744MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/13/10, BIOS32 rev. 0 @ 0xfb4d0, SMBIOS rev. 2.4 @ 0xfbd3f (10 entries)
bios0: vendor QEMU version "QEMU" date 01/01/2007
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
mpbios0 at bios0: Intel MP Specification 1.4
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 999MHz
mpbios0: bus 0 is type ISA
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
bios0: ROM list: 0xc/0x8c00 0xd/0x600!
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 20480MB, 41943040 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
cd0(pciide0:0:1): using PIO mode 0
atapiscsi1 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0: ATAPI 5/cdrom removable
cd1(pciide0:1:0): using PIO mode 0
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 1 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 1 int 10
iic0 at piixpm0
iic0: addr 0x19 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1b 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1c 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1d 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1e 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1f 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x29 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x2b 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: apic 1 int 11, address 52:54:00:27:26:84
em1 at pci0 dev 4 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: apic 1 int 11, address 52:54:00:3b:26:84
virtio0 at pci0 dev 5 function 0 "Qumranet Virtio Memory" rev 0x00: Virtio Memory Balloon Device
viomb0 at virtio0
virtio0: apic 1 int 10
virtio1 at pci0 dev 6 function 0 "Qumranet Virtio Console" rev 0x00: Virtio Console Device
virtio1: no matching child driver; not configured
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16
Re: init disappeared on my OpenBSD VPS
I have since ran the OpenBSD 5.3 media for an upgrade and got the system running. However, I accidentally built the i386 kernel when the machine is amd64, which might have replaced init or something in the process which might be why obsd didn't work.

On Thu, May 23, 2013 at 3:25 AM, John Tate wrote:
> I have an OpenBSD VPS, I just built the latest kernel from the 5.3 patch
> branch, and the new kernel can't find init, but neither can the old kernel,
> they both make this output:
Updating ports via anoncvs hangs
When I go to update ports by anoncvs it just hangs, it's been like this for hours. Something doesn't seem right.

elijah:usr # cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_3 -P ports

--
www.johntate.org
Sendmail not working on 5.3
I upgraded to OpenBSD 5.3 on the release day, I've since updated to the latest patch branch (not that there is any related errata to this question). I can't seem to send mail out with a server, it is not my pf rules. It was indicated by phpmailer not working. I can't find my sendmail logs.

John

--
www.johntate.org
Re: Sendmail not working on 5.3
Ignore this, I made a silly mistake.

On Wed, May 29, 2013 at 6:07 AM, John Tate wrote:
> I upgraded to OpenBSD 5.3 on the release day, I've since updated to the
> latest patch branch (not that there is any related errata to this
> question). I can't seem to send mail out with a server, it is not my pf
> rules. It was indicated by phpmailer not working. I can't find my sendmail
> logs.
>
> John
>
> --
> www.johntate.org
>

--
www.johntate.org
I can't find what is wrong with these PF rules
I am trying to set up a simple nat on OpenBSD 5.3, I copied from another config that is working.

ext_if="em0"
int_if="em1"
ipv6="2607:f2f8:aa18::2"
ipv4="208.79.92.130"

local_net="192.168.1.0/24"

cyrus="192.168.1.2"

cyrus_ports = "{ 2022 }"

tcp_serv = "{ ftp, ssh, http, https, 1, , 8080, 8022, > 49151 }"
icmp_types="echoreq"

set skip on lo0

#ftp proxy
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass

block in on ! lo0 proto tcp to port 6000:6010

#block in quick from urpf-failed

block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) port $tcp_serv

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

pass in on egress inet proto { tcp udp } to (egress) port $cyrus_ports rdr-to $cyrus

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if

--
www.johntate.org
Re: I can't find what is wrong with these PF rules
I forgot to sysctl net.inet.ip.forwarding=1 lol.

On Sun, Jun 2, 2013 at 8:36 AM, John Tate wrote:
> I am trying to set up a simple nat on OpenBSD 5.3, I copied from another
> config that is working.
>
> ext_if="em0"
> int_if="em1"
> ipv6="2607:f2f8:aa18::2"
> ipv4="208.79.92.130"
>
> local_net="192.168.1.0/24"
>
> cyrus="192.168.1.2"
>
> cyrus_ports = "{ 2022 }"
>
> tcp_serv = "{ ftp, ssh, http, https, 1, , 8080, 8022, > 49151 }"
> icmp_types="echoreq"
>
> set skip on lo0
>
> #ftp proxy
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1
> port 8021
>
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> pass
>
> block in on ! lo0 proto tcp to port 6000:6010
>
> #block in quick from urpf-failed
>
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) port $tcp_serv
>
> #FTP
> pass in on $ext_if proto tcp to port 21
> pass in on $ext_if proto tcp to port > 49151
>
> pass in on egress inet proto { tcp udp } to (egress) port $cyrus_ports
> rdr-to $cyrus
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> pass in on $int_if
>
>
> --
> www.johntate.org
>

--
www.johntate.org
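
The setting named in this reply applies to the running kernel only and is gone after a reboot unless it is also in /etc/sysctl.conf. The following preflight check is an added example, not part of the thread: the function names are assumptions, and the sample ruleset is constructed from the nat-to rule posted above.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check for a pf NAT gateway.
# Function names are assumptions made for this illustration.

# Print a config file without comments and blank lines.
strip_comments() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Succeeds if the ruleset contains an active nat-to rule. Traffic from the
# LAN only reaches such a rule when the kernel forwards packets.
ruleset_uses_nat() {
    strip_comments "$1" | grep -Eq '(^|[[:space:]])nat-to([[:space:]]|$)'
}

# Succeeds if sysctl.conf keeps forwarding enabled across reboots.
forwarding_persisted() {
    strip_comments "$1" | tr -d '[:blank:]' | grep -Fqx 'net.inet.ip.forwarding=1'
}

# check_nat_gateway PF_CONF SYSCTL_CONF RUNTIME_VALUE
# RUNTIME_VALUE is what `sysctl -n net.inet.ip.forwarding` prints.
# Prints one line per finding; the return status is the number of findings.
check_nat_gateway() {
    findings=0
    if ! ruleset_uses_nat "$1"; then
        echo "ok: no nat-to rule in $1, forwarding not required for NAT"
        return 0
    fi
    if [ "$3" != "1" ]; then
        echo "FAIL: nat-to rule present but net.inet.ip.forwarding=$3"
        findings=$((findings + 1))
    fi
    if ! forwarding_persisted "$2"; then
        echo "FAIL: net.inet.ip.forwarding=1 not set in $2"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "ok: forwarding is on and persisted"
    return "$findings"
}

# Constructed sample: the nat-to rule from the post, forwarding left off.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/pf.conf" <<'EOF'
set skip on lo0
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in log
pass out quick
EOF
    : > "$tmp/sysctl.conf"
    rc=0
    check_nat_gateway "$tmp/pf.conf" "$tmp/sysctl.conf" 0 || rc=$?
    rm -rf "$tmp"
    echo "findings: $rc"
}
demo

# On the gateway itself:
#   check_nat_gateway /etc/pf.conf /etc/sysctl.conf "$(sysctl -n net.inet.ip.forwarding)"
```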
Compiler error building 5.3
I am having trouble building 5.3, I ran cvs a second time just to be sure everything was right.

# make clean && make
rm -f eddep *bsd *bsd.gdb tags *.[dio] [a-z]*.s [Ee]rrs linterrs assym.h
cat ../../../../arch/i386/i386/genassym.cf ../../../../arch/i386/i386/genassym.cf | sh ../../../../kern/genassym.sh cc -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-main -Wno-uninitialized -Wno-format -Wstack-larger-than-2047 -fno-builtin-printf -fno-builtin-snprintf -fno-builtin-vsnprintf -fno-builtin-log -fno-builtin-log2 -fno-builtin-malloc -O2 -pipe -nostdinc -I. -I../../../.. -I../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_43 -DCOMPAT_O51 -DLKM -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DSOCKET_SPLICE -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DPIPEX -DMROUTING -DMPLS -DBOOT_CONFIG -DUSER_PCICONF -DKVM86 -DUSER_LDT -DAPERTURE -DCOMPAT_LINUX -DPROCFS -DNTFS -DHIBERNATE -DPCIVERBOSE -DEISAVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS="6" -DWSDISPLAY_COMPAT_PCVT -DX86EMU -DONEWIREVERBOSE -DMAXUSERS=80 -D_KERNEL -MD -MP -MF assym.P > assym.h.tmp
sed '1s/.*/assym.h: \\/' assym.P > assym.d
sort -u assym.h.tmp > assym.h
cc -D_LOCORE -x assembler-with-cpp -fno-builtin-printf -fno-builtin-snprintf -fno-builtin-vsnprintf -fno-builtin-log -fno-builtin-log2 -fno-builtin-malloc -nostdinc -I. -I../../../.. -I../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_43 -DCOMPAT_O51 -DLKM -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DSOCKET_SPLICE -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DPIPEX -DMROUTING -DMPLS -DBOOT_CONFIG -DUSER_PCICONF -DKVM86 -DUSER_LDT -DAPERTURE -DCOMPAT_LINUX -DPROCFS -DNTFS -DHIBERNATE -DPCIVERBOSE -DEISAVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS="6" -DWSDISPLAY_COMPAT_PCVT -DX86EMU -DONEWIREVERBOSE -DMAXUSERS=80 -D_KERNEL -MD -MP -c ../../../../arch/i386/i386/locore.s
../../../../arch/i386/i386/locore.s: Assembler messages:
../../../../arch/i386/i386/locore.s:1755: Error: no such instruction: `stac'
../../../../arch/i386/i386/locore.s:1759: Error: no such instruction: `clac'
*** Error code 1

Stop in /usr/src/sys/arch/i386/compile/KINTARO (line 165 of /usr/share/mk/sys.mk).

KINTARO is just GENERIC with a pretty name.

--
www.johntate.org
Wireless access point not appearing to clients.
I just configured a wireless device for hostap and put it on a bridge with my wired network and a virtual ethernet device to give it an address. The wired network is working fine, so if I solve this problem the wireless should work fine, but the access point is not appearing in scans. I might have missed an option for it to do this.

menger:root # cat /etc/hostname.run0
up media autoselect mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey XXX wpaprotos wpa2

menger:root # cat /etc/hostname.fxp0
up

menger:root # cat /etc/hostname.vether0
inet 10.0.0.1 255.0.0.0 10.0.0.255
up

menger:root # cat /etc/hostname.bridge0
add vether0
add fxp0
add run0
up

menger:root # ifconfig run0
run0: flags=8943 mtu 1500
        lladdr 00:22:75:8e:f2:f8
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1 mode 11g)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpakey wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::222:75ff:fe8e:f2f8%run0 prefixlen 64 tentative scopeid 0x5

What have I missed?

--
www.johntate.org
Re: Compiler error building 5.3
I didn't think I had to, 5.3 is stable not current or am I wrong about that? Confusing.
I ended up just upgrading using the sets and everything is fine now.

On Wed, Jun 5, 2013 at 11:03 PM, Marc Espie wrote:
> On Wed, Jun 05, 2013 at 07:01:27PM +1000, John Tate wrote:
> > I am having trouble building 5.3, I ran cvs a second time just to be
> > sure everything was right.
> > ../../../../arch/i386/i386/locore.s
> > ../../../../arch/i386/i386/locore.s: Assembler messages:
> > ../../../../arch/i386/i386/locore.s:1755: Error: no such instruction: `stac'
> > ../../../../arch/i386/i386/locore.s:1759: Error: no such instruction: `clac'
> > *** Error code 1
>
> You didn't read the FAQ, did you ? especially the part about
> "following current"...
>

--
www.johntate.org
Re: Wireless access point not appearing to clients.
Is there a card commonly on the market today that this list would recommend that supports hostap for under $100?

On Fri, Jun 7, 2013 at 5:11 PM, David Coppa wrote:
> On Fri, Jun 7, 2013 at 9:06 AM, Otto Moerbeek wrote:
>
> >> What have I missed?
> >
> > Reading the man page rum(4) it doesn't say it supports hostap mode.
>
> s/rum/run/
>
> Indeed, run(4) does not support hostap mode.
>
> cheers,
> David
>

--
www.johntate.org
Re: Compiler error building 5.3
Just curious, would going into /usr/src/gnu/usr.bin/binutils and doing make and make install have made it possible to build 5.3 on 5.2?

On Fri, Jun 7, 2013 at 4:47 PM, Marc Espie wrote:
> On Fri, Jun 07, 2013 at 04:43:24PM +1000, John Tate wrote:
> >
> >I didn't think I had to, 5.3 is stable not current or am I wrong about
> >that? Confusing.
> >I ended up just upgrading using the sets and everything is fine now.
>
> Lol, but you were trying to build from src, without having done any
> normal binary update first.
>
>

--
www.johntate.org
Re: Wireless access point not appearing to clients.
So I've got a supported Atheros card, I think something is wrong with my config for the adapter because it's still not showing up in scans on my Samsung Galaxy Ace. There are a lot of media options, I'm using the defaults which I assumed would be right but could be wrong. I might have to do a lot of research into the various media options but a quick answer would be nice.

# cat /etc/hostname.fxp0
up
# cat /etc/hostname.athn0
up media autoselect mode 11g mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey wpaprotos wpa2
# cat /etc/hostname.vether0
inet 10.0.0.1 255.0.0.0 10.0.0.255
up
# cat /etc/hostname.bridge0
add vether0
add fxp0
add athn0
up
# ifconfig athn0
athn0: flags=8943 mtu 1500
        lladdr f8:1a:67:d6:28:40
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::fa1a:67ff:fed6:2840%athn0 prefixlen 64 scopeid 0x1
# ifconfig athn0 scan
athn0: flags=8943 mtu 1500
        lladdr f8:1a:67:d6:28:40
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (DS1)
        status: no network
        ieee80211: nwid KintaroADOBE chan 12 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
                nwid lvfs chan 6 bssid 00:1d:b3:4c:61:d5 18dB 54M privacy,spectrum_mgmt,short_slottime
                nwid "N 2.4 GHz" chan 2 bssid 00:22:3f:5a:8b:4a 32dB 54M privacy,short_slottime
                nwid NETGEAR chan 6 bssid 00:24:b2:fa:64:da 45dB 54M short_preamble,short_slottime
                nwid Allan-PC chan 7 bssid 00:25:9c:6e:94:fa 16dB 54M privacy,short_preamble,short_slottime
                nwid BigPond655C85 chan 1 bssid 58:98:35:65:5c:85 17dB 54M privacy,short_slottime

I really want to get this running.

John.

On Fri, Jun 7, 2013 at 4:41 PM, John Tate wrote:
> I just configured a wireless device for hostap and put it on a bridge with
> my wired network and a virtual ethernet device to give it an address. The
> wired network is working fine, so if I solve this problem the wireless
> should work fine, but the access point is not appearing in scans. I might
> have missed an option for it to do this.
>
> menger:root # cat /etc/hostname.run0
> up media autoselect mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey
> XXX wpaprotos wpa2
>
> menger:root # cat /etc/hostname.fxp0
> up
>
> menger:root # cat /etc/hostname.vether0
> inet 10.0.0.1 255.0.0.0 10.0.0.255
> up
>
> menger:root # cat /etc/hostname.bridge0
> add vether0
> add fxp0
> add run0
> up
>
> menger:root # ifconfig run0
> run0: flags=8943 mtu 1500
> lladdr 00:22:75:8e:f2:f8
> priority: 4
> groups: wlan
> media: IEEE802.11 autoselect (DS1 mode 11g)
> status: no network
> ieee80211: nwid KintaroADOBE chan 12 wpakey wpaprotos wpa2
> wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
> inet6 fe80::222:75ff:fe8e:f2f8%run0 prefixlen 64 tentative scopeid
> 0x5
>
> What have I missed?
>
> --
> www.johntate.org

--
www.johntate.org
Re: Wireless access point not appearing to clients.
Someone has helped me resolve this, the hacked MIUI v4 firmware I'm using does not support channel 12. All help has been greatly appreciated.

On Thu, Jun 13, 2013 at 8:00 PM, John Tate wrote:
> So I've got a supported Atheros card, I think something is wrong with
> my config for the adapter because it's still not showing up in scans
> on my Samsung Galaxy Ace. There are a lot of media options, I'm using
> the defaults which I assumed would be right but could be wrong. I
> might have to do a lot of research into the various media options but
> a quick answer would be nice.
>
> # cat /etc/hostname.fxp0
> up
> # cat /etc/hostname.athn0
> up media autoselect mode 11g mediaopt hostap nwid KintaroADOBE chan 12
> wpa wpakey wpaprotos wpa2
> # cat /etc/hostname.vether0
> inet 10.0.0.1 255.0.0.0 10.0.0.255
> up
> # cat /etc/hostname.bridge0
> add vether0
> add fxp0
> add athn0
> up
> # ifconfig athn0
> athn0: flags=8943 mtu 1500
> lladdr f8:1a:67:d6:28:40
> priority: 4
> groups: wlan
> media: IEEE802.11 autoselect (DS1)
> status: no network
> ieee80211: nwid KintaroADOBE chan 12 wpaprotos wpa1,wpa2
> wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
> inet6 fe80::fa1a:67ff:fed6:2840%athn0 prefixlen 64 scopeid 0x1
> # ifconfig athn0 scan
> athn0: flags=8943 mtu 1500
> lladdr f8:1a:67:d6:28:40
> priority: 4
> groups: wlan
> media: IEEE802.11 autoselect (DS1)
> status: no network
> ieee80211: nwid KintaroADOBE chan 12 wpaprotos wpa1,wpa2
> wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
> nwid lvfs chan 6 bssid 00:1d:b3:4c:61:d5 18dB 54M
> privacy,spectrum_mgmt,short_slottime
> nwid "N 2.4 GHz" chan 2 bssid 00:22:3f:5a:8b:4a 32dB
> 54M privacy,short_slottime
> nwid NETGEAR chan 6 bssid 00:24:b2:fa:64:da 45dB 54M
> short_preamble,short_slottime
> nwid Allan-PC chan 7 bssid 00:25:9c:6e:94:fa 16dB 54M
> privacy,short_preamble,short_slottime
> nwid BigPond655C85 chan 1 bssid 58:98:35:65:5c:85 17dB
> 54M privacy,short_slottime
>
> I really want to get this running.
>
> John.
>
> On Fri, Jun 7, 2013 at 4:41 PM, John Tate wrote:
>> I just configured a wireless device for hostap and put it on a bridge with
>> my wired network and a virtual ethernet device to give it an address. The
>> wired network is working fine, so if I solve this problem the wireless
>> should work fine, but the access point is not appearing in scans. I might
>> have missed an option for it to do this.
>>
>> menger:root # cat /etc/hostname.run0
>> up media autoselect mediaopt hostap nwid KintaroADOBE chan 12 wpa wpakey
>> XXX wpaprotos wpa2
>>
>> menger:root # cat /etc/hostname.fxp0
>> up
>>
>> menger:root # cat /etc/hostname.vether0
>> inet 10.0.0.1 255.0.0.0 10.0.0.255
>> up
>>
>> menger:root # cat /etc/hostname.bridge0
>> add vether0
>> add fxp0
>> add run0
>> up
>>
>> menger:root # ifconfig run0
>> run0: flags=8943 mtu 1500
>> lladdr 00:22:75:8e:f2:f8
>> priority: 4
>> groups: wlan
>> media: IEEE802.11 autoselect (DS1 mode 11g)
>> status: no network
>> ieee80211: nwid KintaroADOBE chan 12 wpakey wpaprotos wpa2
>> wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
>> inet6 fe80::222:75ff:fe8e:f2f8%run0 prefixlen 64 tentative scopeid
>> 0x5
>>
>> What have I missed?
>>
>> --
>> www.johntate.org
>
>
>
> --
> www.johntate.org

--
www.johntate.org
dhcp devices getting the wrong default route on one subnet
I am trying to serve addresses to two subnets, for two ethernet devices for my wired and wireless lan. Devices on the wireless lan are getting the default route 192.168.0.1 instead of 192.168.1.1 so wireless devices at the moment cannot access the Internet unless I manually configure them.

Interface configurations..
# cat /etc/hostname.fxp0
inet 192.168.0.1 255.255.255.0 192.168.0.255
up
# cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255
up media autoselect mode 11g mediaopt hostap nwid KintaroABODE chan 11 wpa wpakey wpaprotos wpa2

I have the following dhcpd.conf...
shared-network kab {
    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.65 192.168.0.254;
        option routers 192.168.0.1;
        option domain-name "kab.loc";
        option static-routes 192.168.1.0 192.168.0.1;
        option domain-name-servers 192.168.0.1;
    }

    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.65 192.168.1.254;
        option routers 192.168.1.1;
        option domain-name "wifi.kab.loc";
        option static-routes 192.168.0.0 192.168.1.1;
        option domain-name-servers 192.168.1.1;
    }
}

There are a bunch of hosts but nothing before the subnets, and no special options for hosts just static addresses.

Here is a host in dhcpd.conf receiving the wrong default route...
host weiner.wifi.kab.loc {
    hardware ethernet ac:81:12:98:de:f3;
    fixed-address 192.168.1.2;
}

Devices are getting the right IP, domain name, and static routes, just not the default route.

--
www.johntate.org
Re: dhcp devices getting the wrong default route on one subnet
It doesn't complain about it but I've never done much with routing before. If I wanted to do it on the machine I'd do
# route add -net 192.168.0.0/24 192.168.1.1

I can't seem to find how to do this in dhcp-options(5)

Named won't even start with this...
option static-routes 192.168.1/24 192.168.0.1;
Or this...
option static-routes 192.168.1.0/24 192.168.0.1;

So I'm kind of lost with the static routes, but why should this affect the default route?

On Fri, Jun 14, 2013 at 5:16 PM, Михаил Швецов wrote:
>
>
>
> may be
> option static-routes 192.168.0.0 192.168.1.1;
> 192.168.0.0 - wrong?
> Михаил Швецов.
>
>> On 14.6.2013 10:10:30, user John Tate (j...@johntate.org) wrote:
>>
>>
>> I am trying to serve addresses to two subnets, for two ethernet
>> devices for my wired and wireless lan. Devices on the wireless lan are
>> getting the default route 192.168.0.1 instead of 192.168.1.1 so
>> wireless devices at the moment cannot access the Internet unless I
>> manually configure them.
>>
>> Interface configurations..
>> # cat /etc/hostname.fxp0
>> inet 192.168.0.1 255.255.255.0 192.168.0.255
>> up
>> # cat /etc/hostname.athn0
>> inet 192.168.1.1 255.255.255.0 192.168.1.255
>> up media autoselect mode 11g mediaopt hostap nwid KintaroABODE chan 11
>> wpa wpakey wpaprotos wpa2
>>
>> I have the following dhcpd.conf...
>> shared-network kab {
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>> range 192.168.0.65 192.168.0.254;
>> option routers 192.168.0.1;
>> option domain-name "kab.loc";
>> option static-routes 192.168.1.0 192.168.0.1;
>> option domain-name-servers 192.168.0.1;
>> }
>>
>> subnet 192.168.1.0 netmask 255.255.255.0 {
>> range 192.168.1.65 192.168.1.254;
>> option routers 192.168.1.1;
>> option domain-name "wifi.kab.loc";
>> option static-routes 192.168.0.0 192.168.1.1;
>> option domain-name-servers 192.168.1.1;
>> }
>> }
>>
>> There are a bunch of hosts but nothing before the subnets, and no
>> special options for hosts just static addresses.
>>
>> Here is a host in dhcpd.conf receiving the wrong default route...
>> host weiner.wifi.kab.loc {
>> hardware ethernet ac:81:12:98:de:f3;
>> fixed-address 192.168.1.2;
>> }
>>
>> Devices are getting the right IP, domain name, and static routes, just
>> not the default route.
>>
>> --
>> www.johntate.org
>>
>

--
www.johntate.org
Re: dhcp devices getting the wrong default route on one subnet
It has a "routers" option and a "static-routes" option.

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.65 192.168.1.254;
    option routers 192.168.1.1;
    option domain-name "wifi.kab.loc";
    option static-routes 192.168.0.0 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}

On Fri, Jun 14, 2013 at 7:36 PM, James Griffin wrote:
> Fri 14.Jun'13 at 17:22:44 +1000, John Tate
>> It doesn't complain about it but I've never done much with routing
>> before. If I wanted to do it on the machine I'd do
>> # route add -net 192.168.0.0/24 192.168.1.1
>>
>> I can't seem to find how to do this in dhcp-options(5)
>>
>> Named won't even start with this...
>> option static-routes 192.168.1/24 192.168.0.1;
>> Or this...
>> option static-routes 192.168.1.0/24 192.168.0.1;
>>
>> So I'm kind of lost with the static routes, but why should this affect
>> the default route?
>
> In man dhcp-options(5) under "options static-routes", in the last sentence it
> states to use the "routers" option for the default route. Have you
> checked/tried this?
>
>
> --
>
>
> James Griffin: jmz at kontrol.kode5.net
>
> A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
>

--
www.johntate.org
Re: dhcp devices getting the wrong default route on one subnet
On Fri, Jun 14, 2013 at 9:16 PM, Stuart Henderson wrote:
> On 2013-06-14, John Tate wrote:
>> It doesn't complain about it but I've never done much with routing
>> before. If I wanted to do it on the machine I'd do
>> # route add -net 192.168.0.0/24 192.168.1.1
>
> Why would you need to do this at all, it seems you are already using
> 192.168.1.1 as your default route?

I thought I needed it so 192.168.0/24 can access 192.168.1/24

>
>> I can't seem to find how to do this in dhcp-options(5)
>>
>> Named won't even start with this...
>> option static-routes 192.168.1/24 192.168.0.1;
>> Or this...
>> option static-routes 192.168.1.0/24 192.168.0.1;
>
> "option static-routes" is for classful (class A/B/C) addresses, you may
> not specify a subnet mask there.
>
>>>> I have the following dhcpd.conf...
>>>> shared-network kab {
>
> Why do you have shared-network?
>

Can't remember why I did that so I just got rid of it. I added "option routers 192.168.0.1, 192.168.1.1;" before the subnets at the top of the file and now I am getting the right default gateway.

I got rid of the static routes, they were not working anyway. I must need to add something to pf to route between subnets 192.168.0/24 and 192.168.1.1/24 and vice versa.

--
www.johntate.org
Re: dhcp devices getting the wrong default route on one subnet
On Sat, Jun 15, 2013 at 12:23 AM, Kenneth R Westerback wrote:
> On Fri, Jun 14, 2013 at 02:38:48PM +0100, Stuart Henderson wrote:
>> On 2013/06/14 21:49, John Tate wrote:
>> > On Fri, Jun 14, 2013 at 9:16 PM, Stuart Henderson
>> > wrote:
>> > > On 2013-06-14, John Tate wrote:
>> > >> It doesn't complain about it but I've never done much with routing
>> > >> before. If I wanted to do it on the machine I'd do
>> > >> # route add -net 192.168.0.0/24 192.168.1.1
>> > >
>> > > Why would you need to do this at all, it seems you are already using
>> > > 192.168.1.1 as your default route?
>> > I thought I needed it so 192.168.0/24 can access 192.168.1/24
>>
>> Try e.g. "route -n get 192.168.1.5" with and without a route to the subnet.
>> In one case there will be a default route pointing at 192.168.0.1 and in the
>> other case there will be a 192.168.1.0/24 route pointing at 192.168.0.1.

It seems you are right about this, it seems to be working in one direction already, I noticed working on your advice below that packets are going from 192.168.1.0/24 to 192.168.0.0/24 but not the other way, so all that is left to work on is pf.

>>
>>
>> > >
>> > >> I can't seem to find how to do this in dhcp-options(5)
>> > >>
>> > >> Named won't even start with this...
>> > >> option static-routes 192.168.1/24 192.168.0.1;
>> > >> Or this...
>> > >> option static-routes 192.168.1.0/24 192.168.0.1;
>> > >
>> > > "option static-routes" is for classful (class A/B/C) addresses, you may
>> > > not specify a subnet mask there.
>> > >
>> > >>>> I have the following dhcpd.conf...
>> > >>>> shared-network kab {
>> > >
>> > > Why do you have shared-network?
>> > >
>> > Can't remember why I did that so I just got rid of it. I added "option
>> > routers 192.168.0.1, 192.168.1.1;" before the subnets at the top of
>> > the file and now I am getting the right default gateway.
>>
>> Routers should be set in the "subnet" block, you shouldn't hand
>> 192.168.1.1 as a possible router to hosts which are in 192.168.0.x.

The subnet blocks each have the appropriate routers, before I was putting them both before and outside the subnet block systems were getting the router from the other subnet. The default route is working on both systems, without it the subnet 192.168.1.1/24 was getting the default route 192.168.0.1 which didn't work.

>>
>> > I got rid of the static routes, they were not working anyway. I must
>> > need to add something to pf to route between subnets 192.168.0/24 and
>> > 192.168.1.1/24 and vice versa.
>>
>> This is usually easy enough to work out. Add 'log' in relevant places
>> in pf.conf and watch tcpdump -neipflog0

It seems it was working in the first place just I was pinging a Windoze 8 machine that is blocking icmp packets. I then pinged my phone which is on the wifi subnet as well and worked out it was working both ways. Thanks again Microsoft. Windows ate my time.

>>
>
> Also, support for static-routes was just added in the last week or so
> and you've not mentioned what versions of OpenBSD/dhcpd/dhclient you
> are running.

It looks like I don't even need it. I just assumed it would.

>
> Ken

--
www.johntate.org
802.11n support
I have an Atheros AR9227, there is at the moment no support for 802.11n in the patch branch. Is there support in current or some unofficial patch I can apply to the source code? Support for this would be good.

--
www.johntate.org
OpenBSD not forwarding SSL, strange.
I am having trouble accessing anything which uses SSL behind my NAT,
though I can access the same services from the firewall itself. There
is nothing unusual in /var/log/messages, dmesg, etc. I don't know why
this is happening. The system has been running fine for months, and
nothing I am aware of has changed.

# cat /etc/pf.conf
#Firewall ruleset for KintaroABODE router.

int_if="fxp0"
wifi_if = "athn0"

tcp_services="{ 22, 113 }"
icmp_types="echoreq"

fekete="192.168.0.3"
fekete_tcp="{ 17001, 8333 }"
fekete_udp="{ 8333 }"
mises="192.168.0.4"
mises_tcp="{ 25565 }"

#options

set block-policy drop
set loginterface egress
set skip on lo

anchor "ftp-proxy/*"
pass in on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

table persist

#match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)

#filter rules
block in log
pass out quick

antispoof quick for { lo $int_if $wifi_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

block in quick on egress proto tcp from \
    to any port ssh label "ssh bruteforce"

pass in on egress inet proto tcp from any to (egress) port $fekete_tcp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $fekete_udp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $mises_tcp rdr-to $mises

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in on $wifi_if

If anyone could help and tell me where to start looking that would be
good. Some SSL services appear to work fine, such as gmail which I'm
using to send this.

--
www.johntate.org
Re: OpenBSD not forwarding SSL, strange.
.ffs has 1 mounted instance vfs.ffs.doclusterread=1 vfs.ffs.doclusterwrite=1 vfs.ffs.doreallocblks=1 vfs.ffs.doasyncfree=1 vfs.ffs.max_softdeps=23704 vfs.ffs.sd_tickdelay=2 vfs.ffs.sd_worklist_push=0 vfs.ffs.sd_blk_limit_push=0 vfs.ffs.sd_ino_limit_push=0 vfs.ffs.sd_blk_limit_hit=0 vfs.ffs.sd_ino_limit_hit=0 vfs.ffs.sd_sync_limit_hit=0 vfs.ffs.sd_indir_blk_ptrs=0 vfs.ffs.sd_inode_bitmap=0 vfs.ffs.sd_direct_blk_ptrs=0 vfs.ffs.sd_dir_entry=0 vfs.ffs.dirhash_dirsize=2560 vfs.ffs.dirhash_maxmem=2097152 vfs.ffs.dirhash_mem=27522 vfs.nfs.iothreads=-1 On Tue, Sep 17, 2013 at 11:32 PM, Jiri B wrote: > On Tue, Sep 17, 2013 at 10:42:55PM +1000, John Tate wrote: >> I am having trouble accessing anything which uses SSL behind my NAT, >> though I can access the same services from the firewall itself. There >> is nothing unusual in /var/log/messages, dmesg, etc. I don't know why >> this is happening. The system has been running fine for months, and >> nothing I am aware of has changed. >> >> # cat /etc/pf.conf >> #Firewall ruleset for KintaroABODE router. 
>> >> int_if="fxp0" >> wifi_if = "athn0" >> >> tcp_services="{ 22, 113 }" >> icmp_types="echoreq" >> >> fekete="192.168.0.3" >> fekete_tcp="{ 17001, 8333 }" >> fekete_udp="{ 8333 }" >> mises="192.168.0.4" >> mises_tcp="{ 25565 }" >> >> #options >> >> set block-policy drop >> set loginterface egress >> set skip on lo >> >> anchor "ftp-proxy/*" >> pass in on $int_if inet proto tcp to any port ftp \ >> divert-to 127.0.0.1 port 8021 >> >> table persist >> >> #match rules >> match out on egress inet from !(egress:network) to any nat-to (egress:0) >> >> #filter rules >> block in log >> pass out quick >> >> antispoof quick for { lo $int_if $wifi_if } >> >> pass in on egress inet proto tcp from any to (egress) \ >> port $tcp_services >> >> block in quick on egress proto tcp from \ >> to any port ssh label "ssh bruteforce" >> >> pass in on egress inet proto tcp from any to (egress) port $fekete_tcp >> rdr-to $fekete >> pass in on egress inet proto tcp from any to (egress) port $fekete_udp >> rdr-to $fekete >> pass in on egress inet proto tcp from any to (egress) port $mises_tcp >> rdr-to $mises >> >> pass in inet proto icmp all icmp-type $icmp_types >> pass in on $int_if >> pass in on $wifi_if >> >> If anyone could help and tell me where to start looking that would be >> good. Some SSL services appear to work fine, such as gmail which I'm >> using to send this. > > sysctl -a ? > > j. > > -- www.johntate.org
SSH as root with specific IP
I want to be able to log in as root by SSH with a specific IP address. This is so rsync can log in to the server easily and backup many files owned by many different users and groups. Rather than a script on the server logging into the server with the backups with many files and many different users. Can it be done? -- www.johntate.org
OpenBSD not forwarding to specific sites
I am having trouble with IP forwarding to specific sites on a very typical configuration. The router itself can access these sites but clients can not. I have looked in obvious places on the clients, but I cannot find a cause. I reinstalled OpenBSD on the router after getting SSL errors where SSL servers could not be reached from clients, and I bought a cheap Netgear router to use which works fine ruling out that my ISP is causing problems. I really need to find out what is causing these issues with my Internet it is something bizarre. My server I've literally only changed the following files... /etc/hostname.fxp0 /etc/hostname.athn0 /etc/hostname.pppoe0 /etc/hostname.xl0 /var/named/etc/named.conf /etc/rndc.conf /etc/resolv.conf /etc/pf.conf /etc/dhcpd.conf These are all pretty straight forward so I don't understand what the problem is. The existing SSL problem just came out of nowhere with no changes. # cat /etc/hostname.athn0 inet 192.168.1.1 255.255.255.0 192.168.1.255 up media autoselect mode 11g mediaopt hostap nwid KintaroAP chan 11 \ wpa wpakey FallInLove2013 wpaprotos wpa2 # cat /etc/hostname.pppoe0 inet 0.0.0.0 255.255.255.255 NONE \ pppoedev xl0 authproto pap \ authname 'x...@eftel.net.au' authkey '' up dest 0.0.0.1 !/sbin/route add default -ifp pppoe0 0.0.0.1 # cat /etc/hostname.xl0 up # cat /var/named/etc/named.conf // $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $ // // Example file for a simple named configuration, processing both // recursive and authoritative queries using one cache. // Update this list to include only the networks for which you want // to execute recursive queries. The default setting allows all hosts // on any IPv4 networks for which the system has an interface, and // the IPv6 localhost address. 
// acl clients { localnets; ::1; }; options { version ""; // remove this to allow version queries listen-on{ 192.168.0.1; 192.168.1.1; 127.0.0.1; }; listen-on-v6 { any; }; forwarders { 8.8.8.8; 8.8.4.4; }; empty-zones-enable yes; allow-recursion { clients; }; }; logging { category lame-servers { null; }; }; // Standard zones // #zone "." { # type hint; # file "db.cache"; #}; zone "localhost" { type master; file "standard/localhost"; allow-transfer { localhost; }; }; zone "127.in-addr.arpa" { type master; file "standard/loopback"; allow-transfer { localhost; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" { type master; file "standard/loopback6.arpa"; allow-transfer { localhost; }; }; #zone "kab.loc" { # type master; # file "master/kab.loc"; #}; #zone "0.168.192.in-addr.arpa" { # type master; # file "master/db.0.168.192"; #}; #zone "1.168.192.in-addr-arpa" { # type master; # file "master/db.1.168.192"; #}; // Master zones // //zone "myzone.net" { // type master; // file "master/myzone.net"; //}; // Slave zones // //zone "otherzone.net" { // type slave; // file "slave/otherzone.net"; // masters { 192.0.2.1; [...;] }; //}; key "rndc-key" { algorithm hmac-md5; secret "XXX"; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; }; # cat /etc/pf.conf #Firewall ruleset for KintaroABODE router. 
int_if="fxp0" wifi_if = "athn0" tcp_services="{ 22, 113 }" icmp_types="echoreq" fekete="192.168.0.3" fekete_tcp="{ 17001, 8333 }" fekete_udp="{ 8333 }" mises="192.168.0.4" mises_tcp="{ 25565 }" #options set block-policy drop set loginterface egress set skip on lo anchor "ftp-proxy/*" pass in on $int_if inet proto tcp to any port ftp \ divert-to 127.0.0.1 port 8021 table persist #match rules match out on egress inet from !(egress:network) to any nat-to (egress:0) #filter rules block in log pass out quick antispoof quick for { lo $int_if $wifi_if } pass in on egress inet proto tcp from any to (egress) \ port $tcp_services block in quick on egress proto tcp from \ to any port ssh label "ssh bruteforce" pass in on egress inet proto tcp from any to (egress) port $fekete_tcp rdr-to $fekete pass in on egress inet proto tcp from any to (egress) port $fekete_udp rdr-to $fekete pass in on egress inet proto tcp from any to (egress) port $mises_tcp rdr-to $mises pass in inet proto icmp all icmp-type $icmp_types pass in on $int_if pass in on $wifi_if There is nothing related in the messages or daemon log. # cat /var/log/daemon Sep 30 22:23:08 menger savecore: no core dump Sep 30 22:24:12 menger dhclient[31387]: DHCPREQUEST on fxp0 to 255.255.255.255 port 67 Sep 30 22:24:19 menger last message repeated 3 times Sep 30 22:24:26 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 1 Sep 30 22:24:27 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 p
Re: OpenBSD not forwarding to specific sites
It would help if you told me how to do this...

# ifconfig pppoe max-mms 1400
ifconfig: max-mms: bad value
# ifconfig pppoe0 max-mms 1440
ifconfig: max-mms: bad value

On Mon, Sep 30, 2013 at 11:53 PM, James Shupe wrote:
> On 2013-09-30 08:18, John Tate wrote:
>>
>> I am having trouble with IP forwarding to specific sites on a very
>> typical configuration. The router itself can access these sites but
>> clients can not. I have looked in obvious places on the clients, but I
>> cannot find a cause. I reinstalled OpenBSD on the router after getting
>> SSL errors where SSL servers could not be reached from clients, and I
>> bought a cheap Netgear router to use which works fine ruling out that
>> my ISP is causing problems.
>>
>
> Have you tried setting your max-mss to something like 1440 or 1400?
>
> Usually that's necessary with DSL... or else you end up with very selective
> browsing.
>

--
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Found it:
While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
default and takes care of this, pppoe users have to rely on other
methods. Using a packet filter, the maximum segment size (MSS) can be
set (clamped) to the required value. The following rule in pf.conf(5)
would set the MSS to 1440:

match on pppoe0 scrub (max-mss 1440)

On Mon, Sep 30, 2013 at 11:53 PM, James Shupe wrote:
> On 2013-09-30 08:18, John Tate wrote:
>>
>> I am having trouble with IP forwarding to specific sites on a very
>> typical configuration. The router itself can access these sites but
>> clients can not. I have looked in obvious places on the clients, but I
>> cannot find a cause. I reinstalled OpenBSD on the router after getting
>> SSL errors where SSL servers could not be reached from clients, and I
>> bought a cheap Netgear router to use which works fine ruling out that
>> my ISP is causing problems.
>>
>
> Have you tried setting your max-mss to something like 1440 or 1400?
>
> Usually that's necessary with DSL... or else you end up with very selective
> browsing.
>

--
www.johntate.org
Re: OpenBSD not forwarding to specific sites
This part of the manual is out of date and the syntax does not work
with pf in OpenBSD 5.3:

While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
default and takes care of this, pppoe users have to rely on other
methods. Using a packet filter, the maximum segment size (MSS) can be
set (clamped) to the required value. The following rule in pf.conf(5)
would set the MSS to 1440:

match on pppoe0 scrub (max-mss 1440)

The documentation on pf.conf suggests doing much the same in its
example and it doesn't work.

On Tue, Oct 1, 2013 at 2:07 AM, John Tate wrote:
> Found it:
> While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
> default and takes care of this, pppoe users have to rely on other
> methods. Using a packet filter, the maximum segment size (MSS) can be
> set (clamped) to the required value. The following rule in pf.conf(5)
> would set the MSS to 1440:
>
> match on pppoe0 scrub (max-mss 1440)
>
> On Mon, Sep 30, 2013 at 11:53 PM, James Shupe wrote:
>> On 2013-09-30 08:18, John Tate wrote:
>>>
>>> I am having trouble with IP forwarding to specific sites on a very
>>> typical configuration. The router itself can access these sites but
>>> clients can not. I have looked in obvious places on the clients, but I
>>> cannot find a cause. I reinstalled OpenBSD on the router after getting
>>> SSL errors where SSL servers could not be reached from clients, and I
>>> bought a cheap Netgear router to use which works fine ruling out that
>>> my ISP is causing problems.
>>>
>>
>> Have you tried setting your max-mss to something like 1440 or 1400?
>>
>> Usually that's necessary with DSL... or else you end up with very selective
>> browsing.
>>
>
> --
> www.johntate.org

--
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Well max-mss doesn't seem to help I can still only access gmail and
not google.com.au. Also it has become suddenly selective after months
with no problem so I wonder if this is the default these days. Still
problems.

On Tue, Oct 1, 2013 at 2:02 AM, James Shupe wrote:
> On 2013-09-30 10:58, John Tate wrote:
>>
>> It would help if you told me how to do this...
>>
>> # ifconfig pppoe max-mms 1400
>> ifconfig: max-mms: bad value
>> # ifconfig pppoe0 max-mms 1440
>> ifconfig: max-mms: bad value
>>
>
> match on $ext scrub (max-mss 1400)
>
> in /etc/pf.conf
>
> Also, don't top post.
>
> --
> James Shupe
>

--
www.johntate.org
Re: OpenBSD not forwarding to specific sites
On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado wrote:
> set reassemble yes no-df
>
> I tried using match and scrub rules without luck, but the 'reassemble yes
> no-df' solved my problems with the GRE tunnels we use among networks.
>
> Just make sure you dont have set skip on pppoe0
>
> -luis

Just trying this, something got through for a second but once again
queries to google and other sites don't work. It is still unreliable.

>
> On Mon, Sep 30, 2013 at 10:26 AM, John Tate wrote:
>>
>> Well max-mss doesn't seem to help I can still only access gmail and
>> not google.com.au. Also it has become suddenly selective after months
>> with no problem so I wonder if this is the default these days. Still
>> problems.
>>
>> On Tue, Oct 1, 2013 at 2:02 AM, James Shupe wrote:
>> > On 2013-09-30 10:58, John Tate wrote:
>> >>
>> >> It would help if you told me how to do this...
>> >>
>> >> # ifconfig pppoe max-mms 1400
>> >> ifconfig: max-mms: bad value
>> >> # ifconfig pppoe0 max-mms 1440
>> >> ifconfig: max-mms: bad value
>> >>
>> >
>> > match on $ext scrub (max-mss 1400)
>> >
>> > in /etc/pf.conf
>> >
>> > Also, don't top post.
>> >
>> > --
>> > James Shupe
>> >
>>
>> --
>> www.johntate.org
>>
>

--
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Things are working fine from another one of my computers, it must be something to do with the computer I'm using. Sorry about that everyone. On Tue, Oct 1, 2013 at 2:48 AM, John Tate wrote: > Yeah I am using my lan not the wlan. I've not got to even seeing if > the wlan even works yet, though it used to with that configuration. > The worst thing is the hosts occasionally manage to work for a split > second, and stop again. I'm certain there is nothing wrong with my ISP > unless they have trouble with this particular setup. It worked for > months with no problems, and then they started happening. > > On Tue, Oct 1, 2013 at 2:44 AM, Luis Coronado wrote: >> Im afraid I only read the last post of the email thread about >> match/scrub/mtu. That is why I suggested the set option in my previous >> email. >> >> The fact that your router can contact the destination hosts without issues >> but not the internal hosts forces me to believe that there isnt, at least at >> this stage a mtu related problem. >> >> I see that you serve your LAN over athn0. You can find out if there are >> issues with your wireless setup by running ifconfig athn0 debug and watching >> /var/log/messages. athn0 power savings fix was submitted almost a year ago >> but how knows you could be the happy owner of a particular card that doesnt >> work as expected. >> >> Have you tried running your lan from the ethernet card instead? >> >> -luis >> >> >> >> On Mon, Sep 30, 2013 at 10:32 AM, John Tate wrote: >>> >>> On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado >>> wrote: >>> > set reassemble yes no-df >>> > >>> > I tried using match and scrub rules without luck, but the 'reassemble >>> > yes >>> > no-df' solved my problems with the GRE tunnels we use among networks. >>> > >>> > Just make sure you dont have set skip on pppoe0 >>> > >>> > -luis >>> Just trying this, something got through for a second but once again >>> queries to google and other sites don't work. It is still unreliable. 
>>> > >>> > >>> > >>> > On Mon, Sep 30, 2013 at 10:26 AM, John Tate wrote: >>> >> >>> >> Well max-mss doesn't seem to help I can still only access gmail and >>> >> not google.com.au. Also it has become suddenly selective after months >>> >> with no problem so I wonder if this is the default these days. Still >>> >> problems. >>> >> >>> >> On Tue, Oct 1, 2013 at 2:02 AM, James Shupe >>> >> wrote: >>> >> > On 2013-09-30 10:58, John Tate wrote: >>> >> >> >>> >> >> It would help if you told me how to do this... >>> >> >> >>> >> >> # ifconfig pppoe max-mms 1400 >>> >> >> ifconfig: max-mms: bad value >>> >> >> # ifconfig pppoe0 max-mms 1440 >>> >> >> ifconfig: max-mms: bad value >>> >> >> >>> >> > >>> >> > match on $ext scrub (max-mss 1400) >>> >> > >>> >> > in /etc/pf.conf >>> >> > >>> >> > Also, don't top post. >>> >> > >>> >> > -- >>> >> > James Shupe >>> >> > >>> >> > >>> >> >>> >> >>> >> >>> >> -- >>> >> www.johntate.org >>> >> >>> > >>> >>> >>> >>> -- >>> www.johntate.org >> >> > > > > -- > www.johntate.org -- www.johntate.org
Re: OpenBSD not forwarding to specific sites
It worked for a while but since rebooting my router now none of my computers work to access google.com, gmail.com works. Many other sites are not working, it is very frustrating. Clients on the wireless also don't work, it is the same problem. I can ping all the sites I can't access the problem appears to be with HTTP. Since starting the thread I have changed my pf.conf on advice of other users to have these lines... set reassemble yes no-df match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp) Any more ideas? On Tue, Oct 1, 2013 at 2:51 AM, John Tate wrote: > Things are working fine from another one of my computers, it must be > something to do with the computer I'm using. Sorry about that > everyone. > > On Tue, Oct 1, 2013 at 2:48 AM, John Tate wrote: >> Yeah I am using my lan not the wlan. I've not got to even seeing if >> the wlan even works yet, though it used to with that configuration. >> The worst thing is the hosts occasionally manage to work for a split >> second, and stop again. I'm certain there is nothing wrong with my ISP >> unless they have trouble with this particular setup. It worked for >> months with no problems, and then they started happening. >> >> On Tue, Oct 1, 2013 at 2:44 AM, Luis Coronado wrote: >>> Im afraid I only read the last post of the email thread about >>> match/scrub/mtu. That is why I suggested the set option in my previous >>> email. >>> >>> The fact that your router can contact the destination hosts without issues >>> but not the internal hosts forces me to believe that there isnt, at least at >>> this stage a mtu related problem. >>> >>> I see that you serve your LAN over athn0. You can find out if there are >>> issues with your wireless setup by running ifconfig athn0 debug and watching >>> /var/log/messages. athn0 power savings fix was submitted almost a year ago >>> but how knows you could be the happy owner of a particular card that doesnt >>> work as expected. 
>>> >>> Have you tried running your lan from the ethernet card instead? >>> >>> -luis >>> >>> >>> >>> On Mon, Sep 30, 2013 at 10:32 AM, John Tate wrote: >>>> >>>> On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado >>>> wrote: >>>> > set reassemble yes no-df >>>> > >>>> > I tried using match and scrub rules without luck, but the 'reassemble >>>> > yes >>>> > no-df' solved my problems with the GRE tunnels we use among networks. >>>> > >>>> > Just make sure you dont have set skip on pppoe0 >>>> > >>>> > -luis >>>> Just trying this, something got through for a second but once again >>>> queries to google and other sites don't work. It is still unreliable. >>>> > >>>> > >>>> > >>>> > On Mon, Sep 30, 2013 at 10:26 AM, John Tate wrote: >>>> >> >>>> >> Well max-mss doesn't seem to help I can still only access gmail and >>>> >> not google.com.au. Also it has become suddenly selective after months >>>> >> with no problem so I wonder if this is the default these days. Still >>>> >> problems. >>>> >> >>>> >> On Tue, Oct 1, 2013 at 2:02 AM, James Shupe >>>> >> wrote: >>>> >> > On 2013-09-30 10:58, John Tate wrote: >>>> >> >> >>>> >> >> It would help if you told me how to do this... >>>> >> >> >>>> >> >> # ifconfig pppoe max-mms 1400 >>>> >> >> ifconfig: max-mms: bad value >>>> >> >> # ifconfig pppoe0 max-mms 1440 >>>> >> >> ifconfig: max-mms: bad value >>>> >> >> >>>> >> > >>>> >> > match on $ext scrub (max-mss 1400) >>>> >> > >>>> >> > in /etc/pf.conf >>>> >> > >>>> >> > Also, don't top post. >>>> >> > >>>> >> > -- >>>> >> > James Shupe >>>> >> > >>>> >> > >>>> >> >>>> >> >>>> >> >>>> >> -- >>>> >> www.johntate.org >>>> >> >>>> > >>>> >>>> >>>> >>>> -- >>>> www.johntate.org >>> >>> >> >> >> >> -- >> www.johntate.org > > > > -- > www.johntate.org -- www.johntate.org
Re: OpenBSD not forwarding to specific sites
I've done this, now Google works, but Facebook is still not working and probably some other sites. On Tue, Oct 1, 2013 at 3:34 AM, Luis Coronado wrote: > if you keep set reassemble yes no-df you can (must?) remove the match in on > pppoe0 scrut (max-mss 1440 no-df reassemble tcp) > > -luis > > > > On Mon, Sep 30, 2013 at 11:30 AM, John Tate wrote: >> >> It worked for a while but since rebooting my router now none of my >> computers work to access google.com, gmail.com works. Many other sites >> are not working, it is very frustrating. >> >> Clients on the wireless also don't work, it is the same problem. I can >> ping all the sites I can't access the problem appears to be with HTTP. >> >> Since starting the thread I have changed my pf.conf on advice of other >> users to have these lines... >> set reassemble yes no-df >> match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp) >> >> Any more ideas? >> >> On Tue, Oct 1, 2013 at 2:51 AM, John Tate wrote: >> > Things are working fine from another one of my computers, it must be >> > something to do with the computer I'm using. Sorry about that >> > everyone. >> > >> > On Tue, Oct 1, 2013 at 2:48 AM, John Tate wrote: >> >> Yeah I am using my lan not the wlan. I've not got to even seeing if >> >> the wlan even works yet, though it used to with that configuration. >> >> The worst thing is the hosts occasionally manage to work for a split >> >> second, and stop again. I'm certain there is nothing wrong with my ISP >> >> unless they have trouble with this particular setup. It worked for >> >> months with no problems, and then they started happening. >> >> >> >> On Tue, Oct 1, 2013 at 2:44 AM, Luis Coronado >> >> wrote: >> >>> Im afraid I only read the last post of the email thread about >> >>> match/scrub/mtu. That is why I suggested the set option in my previous >> >>> email. 
>> >>> >> >>> The fact that your router can contact the destination hosts without >> >>> issues >> >>> but not the internal hosts forces me to believe that there isnt, at >> >>> least at >> >>> this stage a mtu related problem. >> >>> >> >>> I see that you serve your LAN over athn0. You can find out if there >> >>> are >> >>> issues with your wireless setup by running ifconfig athn0 debug and >> >>> watching >> >>> /var/log/messages. athn0 power savings fix was submitted almost a year >> >>> ago >> >>> but how knows you could be the happy owner of a particular card that >> >>> doesnt >> >>> work as expected. >> >>> >> >>> Have you tried running your lan from the ethernet card instead? >> >>> >> >>> -luis >> >>> >> >>> >> >>> >> >>> On Mon, Sep 30, 2013 at 10:32 AM, John Tate wrote: >> >>>> >> >>>> On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado >> >>>> wrote: >> >>>> > set reassemble yes no-df >> >>>> > >> >>>> > I tried using match and scrub rules without luck, but the >> >>>> > 'reassemble >> >>>> > yes >> >>>> > no-df' solved my problems with the GRE tunnels we use among >> >>>> > networks. >> >>>> > >> >>>> > Just make sure you dont have set skip on pppoe0 >> >>>> > >> >>>> > -luis >> >>>> Just trying this, something got through for a second but once again >> >>>> queries to google and other sites don't work. It is still unreliable. >> >>>> > >> >>>> > >> >>>> > >> >>>> > On Mon, Sep 30, 2013 at 10:26 AM, John Tate >> >>>> > wrote: >> >>>> >> >> >>>> >> Well max-mss doesn't seem to help I can still only access gmail >> >>>> >> and >> >>>> >> not google.com.au. Also it has become suddenly selective after >> >>>> >> months >> >>>> >> with no problem so I wonder if this is the default these days. >> >>>> >> Still >> >>>> >> problems. >> >>>> >> >> >>>> >> On Tue, Oct 1, 2013 at 2:02 AM, James Shupe >> >>>> >> wrote: >> >>>> >> > On 2013-09-30 10:58, John Tate wrote: >> >>>> >> >> >> >>>> >> >> It would help if you told me how to do this... 
>> >>>> >> >> >> >>>> >> >> # ifconfig pppoe max-mms 1400 >> >>>> >> >> ifconfig: max-mms: bad value >> >>>> >> >> # ifconfig pppoe0 max-mms 1440 >> >>>> >> >> ifconfig: max-mms: bad value >> >>>> >> >> >> >>>> >> > >> >>>> >> > match on $ext scrub (max-mss 1400) >> >>>> >> > >> >>>> >> > in /etc/pf.conf >> >>>> >> > >> >>>> >> > Also, don't top post. >> >>>> >> > >> >>>> >> > -- >> >>>> >> > James Shupe >> >>>> >> > >> >>>> >> > >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> >> -- >> >>>> >> www.johntate.org >> >>>> >> >> >>>> > >> >>>> >> >>>> >> >>>> >> >>>> -- >> >>>> www.johntate.org >> >>> >> >>> >> >> >> >> >> >> >> >> -- >> >> www.johntate.org >> > >> > >> > >> > -- >> > www.johntate.org >> >> >> >> -- >> www.johntate.org >> > -- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Looks like I just had to remove the match line and just use "set reassemble yes no-df" and restart my interfaces on clients. Everything appears to work now. Still amazes me this wasn't a problem for months. On Tue, Oct 1, 2013 at 4:34 AM, John Tate wrote: > I've done this, now Google works, but Facebook is still not working > and probably some other sites. > > On Tue, Oct 1, 2013 at 3:34 AM, Luis Coronado wrote: >> if you keep set reassemble yes no-df you can (must?) remove the match in on >> pppoe0 scrut (max-mss 1440 no-df reassemble tcp) >> >> -luis >> >> >> >> On Mon, Sep 30, 2013 at 11:30 AM, John Tate wrote: >>> >>> It worked for a while but since rebooting my router now none of my >>> computers work to access google.com, gmail.com works. Many other sites >>> are not working, it is very frustrating. >>> >>> Clients on the wireless also don't work, it is the same problem. I can >>> ping all the sites I can't access the problem appears to be with HTTP. >>> >>> Since starting the thread I have changed my pf.conf on advice of other >>> users to have these lines... >>> set reassemble yes no-df >>> match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp) >>> >>> Any more ideas? >>> >>> On Tue, Oct 1, 2013 at 2:51 AM, John Tate wrote: >>> > Things are working fine from another one of my computers, it must be >>> > something to do with the computer I'm using. Sorry about that >>> > everyone. >>> > >>> > On Tue, Oct 1, 2013 at 2:48 AM, John Tate wrote: >>> >> Yeah I am using my lan not the wlan. I've not got to even seeing if >>> >> the wlan even works yet, though it used to with that configuration. >>> >> The worst thing is the hosts occasionally manage to work for a split >>> >> second, and stop again. I'm certain there is nothing wrong with my ISP >>> >> unless they have trouble with this particular setup. It worked for >>> >> months with no problems, and then they started happening. 
>>> >> >>> >> On Tue, Oct 1, 2013 at 2:44 AM, Luis Coronado >>> >> wrote: >>> >>> Im afraid I only read the last post of the email thread about >>> >>> match/scrub/mtu. That is why I suggested the set option in my previous >>> >>> email. >>> >>> >>> >>> The fact that your router can contact the destination hosts without >>> >>> issues >>> >>> but not the internal hosts forces me to believe that there isnt, at >>> >>> least at >>> >>> this stage a mtu related problem. >>> >>> >>> >>> I see that you serve your LAN over athn0. You can find out if there >>> >>> are >>> >>> issues with your wireless setup by running ifconfig athn0 debug and >>> >>> watching >>> >>> /var/log/messages. athn0 power savings fix was submitted almost a year >>> >>> ago >>> >>> but how knows you could be the happy owner of a particular card that >>> >>> doesnt >>> >>> work as expected. >>> >>> >>> >>> Have you tried running your lan from the ethernet card instead? >>> >>> >>> >>> -luis >>> >>> >>> >>> >>> >>> >>> >>> On Mon, Sep 30, 2013 at 10:32 AM, John Tate wrote: >>> >>>> >>> >>>> On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado >>> >>>> wrote: >>> >>>> > set reassemble yes no-df >>> >>>> > >>> >>>> > I tried using match and scrub rules without luck, but the >>> >>>> > 'reassemble >>> >>>> > yes >>> >>>> > no-df' solved my problems with the GRE tunnels we use among >>> >>>> > networks. >>> >>>> > >>> >>>> > Just make sure you dont have set skip on pppoe0 >>> >>>> > >>> >>>> > -luis >>> >>>> Just trying this, something got through for a second but once again >>> >>>> queries to google and other sites don't work. It is still unreliable. >>> >>>> > >>> >>>> > >>> >>>> &g
Re: OpenBSD not forwarding to specific sites
Alright at the moment things are mostly working but I've found I can't access Google Plus and Facebook never finishes loading, though at least now it loads a bit. Connections like ssh generally seem to be staying open. Is there something unusual about Facebook that anyone knows about? -- www.johntate.org
Re: OpenBSD not forwarding to specific sites
Less worked last night using that than when using "set reassemble yes no-df"

Now it isn't working again and what you suggest doesn't seem to work either. Though gmail still works.

There must be something else wrong.

On Tue, Oct 1, 2013 at 6:15 AM, James Shupe wrote:
> Try just "match on pppoe0 scrub (max-mss 1400 no-df)" and remove the
> reassemble line.
>
> --
> James Shupe

--
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Actually "match on pppoe0 scrub (max-mss 1400 no-df)" seems to also work I had 1440 entered in. Though Facebook doesn't finish loading still, and sometimes things don't work. So as I said, something else must be wrong.

On Tue, Oct 1, 2013 at 10:13 AM, John Tate wrote:
> Less worked last night using that than when using "set reassemble yes no-df"
>
> Now it isn't working again and what you suggest doesn't seem to work
> either. Though gmail still works.
>
> There must be something else wrong.
>
> On Tue, Oct 1, 2013 at 6:15 AM, James Shupe wrote:
>> Try just "match on pppoe0 scrub (max-mss 1400 no-df)" and remove the
>> reassemble line.
>>
>> --
>> James Shupe
>
> --
> www.johntate.org

--
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Did some reading, my ISP seems to require a specific not default mtu of 1454. Facebook actually finishes loading now, things might be okay.

On Tue, Oct 1, 2013 at 10:29 AM, John Tate wrote:
> Actually "match on pppoe0 scrub (max-mss 1400 no-df)" seems to also
> work I had 1440 entered in. Though Facebook doesn't finish loading
> still, and sometimes things don't work. So as I said, something else
> must be wrong.
>
> On Tue, Oct 1, 2013 at 10:13 AM, John Tate wrote:
>> Less worked last night using that than when using "set reassemble yes no-df"
>>
>> Now it isn't working again and what you suggest doesn't seem to work
>> either. Though gmail still works.
>>
>> There must be something else wrong.
>>
>> On Tue, Oct 1, 2013 at 6:15 AM, James Shupe wrote:
>>> Try just "match on pppoe0 scrub (max-mss 1400 no-df)" and remove the
>>> reassemble line.
>>>
>>> --
>>> James Shupe
>>
>> --
>> www.johntate.org
>
> --
> www.johntate.org

--
www.johntate.org
I can't figure out how to change the php-fpm memory limit
I am trying to increase the memory limit on my nginx php-fpm server for wordpress.

I've set the following in wp-config.php...

define('WP_MEMORY_LIMIT', '128M');
define('WP_MAX_MEMORY_LIMIT', '128M');

php.ini has the following...

memory_limit = 128M
;suhosin.memory_limit = 0

The fpm server is also set to change this.

php_admin_value[memory_limit] = 128M

Yet wordpress claims it only has 40MB, how can this be?

I believe it might be suhosin but I am unsure how to change this on an OpenBSD server. I've tried changing it in the settings for the php-fpm server pool.

php_admin_value[suhosin.memory_limit] = 128M

If someone can tell me how to change the limit that would be good. The changes I've made don't seem to affect anything.

--
www.johntate.org
Re: I can't figure out how to change the php-fpm memory limit
php-fpm is running the scripts as a user in default login class, so login.conf should be fine.

On Sun, Oct 6, 2013 at 7:32 AM, Ville Valkonen wrote:
> On 5 October 2013 12:06, John Tate wrote:
>> I am trying to increase the memory limit on my nginx php-fpm server
>> for wordpress.
>>
>> I've set the following in wp-config.php...
>>
>> define('WP_MEMORY_LIMIT', '128M');
>> define('WP_MAX_MEMORY_LIMIT', '128M');
>>
>> php.ini has the following...
>>
>> memory_limit = 128M
>> ;suhosin.memory_limit = 0
>>
>> The fpm server is also set to change this.
>>
>> php_admin_value[memory_limit] = 128M
>>
>> Yet wordpress claims it only has 40MB, how can this be?
>>
>> I believe it might be suhosin but I am unsure how to change this on an
>> OpenBSD server. I've tried changing it in the settings for the php-fpm
>> server pool.
>>
>> php_admin_value[suhosin.memory_limit] = 128M
>>
>> If someone can tell me how to change the limit that would be good. The
>> changes I've made don't seem to affect anything.
>>
>> --
>> www.johntate.org
>
> Hi,
>
> take a look into man login.conf
>
> --
> Regards,
> Ville

--
www.johntate.org
Re: I can't figure out how to change the php-fpm memory limit
This is no longer an issue, it was a result of having things in the wrong place in wp-config.php

On Sun, Oct 6, 2013 at 8:25 AM, John Tate wrote:
> php-fpm is running the scripts as a user in default login class, so
> login.conf should be fine.
>
> On Sun, Oct 6, 2013 at 7:32 AM, Ville Valkonen wrote:
>> On 5 October 2013 12:06, John Tate wrote:
>>> I am trying to increase the memory limit on my nginx php-fpm server
>>> for wordpress.
>>>
>>> I've set the following in wp-config.php...
>>>
>>> define('WP_MEMORY_LIMIT', '128M');
>>> define('WP_MAX_MEMORY_LIMIT', '128M');
>>>
>>> php.ini has the following...
>>>
>>> memory_limit = 128M
>>> ;suhosin.memory_limit = 0
>>>
>>> The fpm server is also set to change this.
>>>
>>> php_admin_value[memory_limit] = 128M
>>>
>>> Yet wordpress claims it only has 40MB, how can this be?
>>>
>>> I believe it might be suhosin but I am unsure how to change this on an
>>> OpenBSD server. I've tried changing it in the settings for the php-fpm
>>> server pool.
>>>
>>> php_admin_value[suhosin.memory_limit] = 128M
>>>
>>> If someone can tell me how to change the limit that would be good. The
>>> changes I've made don't seem to affect anything.
>>>
>>> --
>>> www.johntate.org
>>
>> Hi,
>>
>> take a look into man login.conf
>>
>> --
>> Regards,
>> Ville
>
> --
> www.johntate.org

--
www.johntate.org
adduser setting permissions wrong
adduser is setting permissions so everyone can read a user's home directory. I've never done much configuration of this tool so I can't seem to find where to change this, I thought there would be an option in adduser.conf.

Here is a new user:
drwxr-xr-x 3 test test 512 Oct 26 20:42 test

I'd really like them to be 770

--
www.johntate.org
Diskless 4.4 machines.
Is it possible to have OpenBSD diskless or almost diskless? By almost diskless I mean an incredibly small amount installed locally and the rest over NFS or something. John. -- Faced with the fact that Intelligent Design doesn't meet the criteria for a scientific theory, leading proponent redefines what a scientific theory is. Result: Astrology now a scientific theory.
dhcpd issues with Android phone
I have an android phone that requests a lease regularly from my dhcpd server on OpenBSD 5.2 which eventually starts failing with this error in /var/log/daemon

Mar 14 21:40:42 menger dhcpd[7088]: DHCPREQUEST for 10.0.0.4 from 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:42 menger dhcpd[7088]: DHCPNAK on 10.0.0.4 to 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: DHCPDISCOVER from 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: DHCPOFFER on 10.0.0.4 to 0c:14:20:6b:08:e5 via fxp0
Mar 14 21:40:43 menger dhcpd[7088]: Both dynamic and static leases present for 10.0.0.4.

If I remove the entry for 10.0.0.4 from /var/db/dhcpd.leases and restart it works again but only for a few hours.

lease 10.0.0.4 {
        starts 4 2013/03/14 10:08:12;
        ends 4 2013/03/14 22:08:12;
        hardware ethernet ac:81:12:98:de:f3;
        uid 01:ac:81:12:98:de:f3;
        client-hostname "MURPHY";
}

I think I've done something wrong and I have very little experience with dhcpd.

--
www.johntate.org
Re: dhcpd issues with Android phone
I did exactly what you said, thanks!

On Thu, Mar 14, 2013 at 11:16 PM, Kenneth R Westerback <kwesterb...@rogers.com> wrote:
> On Thu, Mar 14, 2013 at 09:46:04PM +1100, John Tate wrote:
> > I have an android phone that requests a lease regularly from my dhcpd
> > server on OpenBSD 5.2 which eventually starts failing with this error in
> > /var/log/daemon
> >
> > Mar 14 21:40:42 menger dhcpd[7088]: DHCPREQUEST for 10.0.0.4 from 0c:14:20:6b:08:e5 via fxp0
> > Mar 14 21:40:42 menger dhcpd[7088]: DHCPNAK on 10.0.0.4 to 0c:14:20:6b:08:e5 via fxp0
> > Mar 14 21:40:43 menger dhcpd[7088]: DHCPDISCOVER from 0c:14:20:6b:08:e5 via fxp0
> > Mar 14 21:40:43 menger dhcpd[7088]: DHCPOFFER on 10.0.0.4 to 0c:14:20:6b:08:e5 via fxp0
> > Mar 14 21:40:43 menger dhcpd[7088]: Both dynamic and static leases present for 10.0.0.4.
> >
> > If I remove the entry for 10.0.0.4 from /var/db/dhcpd.leases and restart it
> > works again but only for a few hours.
> >
> > lease 10.0.0.4 {
> >         starts 4 2013/03/14 10:08:12;
> >         ends 4 2013/03/14 22:08:12;
> >         hardware ethernet ac:81:12:98:de:f3;
> >         uid 01:ac:81:12:98:de:f3;
> >         client-hostname "MURPHY";
> > }
> >
> > I think I've done something wrong and I have very little experience with
> > dhcpd.
> >
> > --
> > www.johntate.org
>
> Your /etc/dhcpd.conf file might be useful. Off the top of my head you
> have static leases set up in the same range as your dynamic leases.
>
> Ken

--
www.johntate.org
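The overlap Ken describes (a fixed-address that falls inside a dynamic range) can be checked mechanically. The following is an added example, not code from the thread: the dhcpd.conf text is a constructed sample (the poster's file is not shown) that reuses only the phone's MAC and address from the log lines, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, not the poster's file: the phone's MAC and address come
# from the log lines in the thread, everything else is made up.
SAMPLE_DHCPD_CONF = """\
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    range 10.0.0.2 10.0.0.50;    # dynamic pool

    host phone {
        hardware ethernet 0c:14:20:6b:08:e5;
        fixed-address 10.0.0.4;  # static lease inside the pool
    }
    host printer {
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 10.0.0.200;
    }
}
"""

# "range [dynamic-bootp] low [high];" -- the high address is optional.
RANGE_RE = re.compile(
    r"\brange\s+(?:dynamic-bootp\s+)?([\d.]+)(?:\s+([\d.]+))?\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^{}]*)\}")
FIXED_RE = re.compile(r"\bfixed-address\s+([^;]+);")


def strip_comments(text):
    """Drop everything from '#' to the end of each line."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def dynamic_ranges(text):
    """Return every dynamic pool as an inclusive (low, high) address pair."""
    ranges = []
    for low, high in RANGE_RE.findall(text):
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        ranges.append((lo, hi))
    return ranges


def static_leases(text):
    """Return (host name, address) for every numeric fixed-address."""
    leases = []
    for host, body in HOST_RE.findall(text):
        for decl in FIXED_RE.findall(body):
            for item in decl.split(","):
                try:
                    leases.append((host, ipaddress.IPv4Address(item.strip())))
                except ipaddress.AddressValueError:
                    pass  # a hostname: cannot be checked offline, skipped
    return leases


def find_overlaps(conf):
    """List static leases whose address lies inside a dynamic range."""
    text = strip_comments(conf)
    ranges = dynamic_ranges(text)
    hits = []
    for host, addr in static_leases(text):
        for lo, hi in ranges:
            if lo <= addr <= hi:
                hits.append((host, str(addr), f"{lo}-{hi}"))
    return hits


if __name__ == "__main__":
    for host, addr, pool in find_overlaps(SAMPLE_DHCPD_CONF):
        print(f"host {host}: fixed-address {addr} is inside range {pool}")
```

Moving the static address out of the pool, or shrinking the range so it no longer covers it, makes the report empty.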
PHP & mini_sendmail problems
I've been trying to get PHP to be able to email from a chrooted apache server. Running without chroot is not an option. I can't find clear documentation on doing this, and the logs don't contain any errors I can find about the problem. I've put mini_sendmail in /var/www/usr/sbin/sendmail and /bin/sh in /var/www/bin/sh and /etc/resolv.conf in /var/www/etc/resolv.conf but email from PHP is still not working. -- www.johntate.org
Re: PHP & mini_sendmail problems
Strange port, I did make and then make install but there was no output from make install, but it seems to run anyway, but I can't find it in whereis.

# make clean
===> Cleaning for femail-0.98
# make
===> Verifying specs: c
===> found c.65.0
===> Checking files for femail-0.98
`/usr/ports/distfiles/femail-0.98.tgz' is up to date.
>> (SHA256) femail-0.98.tgz: OK
===> Extracting for femail-0.98
===> Patching for femail-0.98
===> Configuring for femail-0.98
===> Building for femail-0.98
cc -O2 -pipe -DHAS_FGETLN -DHAS_STRLCPY -c femail.c
cc -O2 -pipe -DHAS_FGETLN -DHAS_STRLCPY -c openbsd_compat.c
cc femail.o openbsd_compat.o -o femail
cc -static femail.o openbsd_compat.o -o femail-static
# make install
# femail j...@johntate.org
Hello, john.
# whereis femail
#

How do I put femail into my /var/www?

On Fri, Mar 15, 2013 at 5:51 AM, Alexey E. Suslikov <alexey.susli...@gmail.com> wrote:
> John Tate johntate.org> writes:
>
> > I've been trying to get PHP to be able to email from a chrooted apache
> > server. Running without chroot is not an option. I can't find clear
> > documentation on doing this, and the logs don't contain any errors I can
> > find about the problem.
>
> you need femail from ports.

--
www.johntate.org
Re: PHP & mini_sendmail problems
I installed femail-chroot and put /usr/libexec/ld.so in /var/www/usr/libexec/ld.so and updated /etc/php-5.2.ini but it still doesn't work.

On Fri, Mar 15, 2013 at 6:14 AM, Alexey Suslikov wrote:
> On Thu, Mar 14, 2013 at 9:12 PM, Stefan Sperling wrote:
> > On Thu, Mar 14, 2013 at 06:51:54PM +, Alexey E. Suslikov wrote:
> >> John Tate johntate.org> writes:
> >>
> >> > I've been trying to get PHP to be able to email from a chrooted apache
> >> > server. Running without chroot is not an option. I can't find clear
> >> > documentation on doing this, and the logs don't contain any errors I can
> >> > find about the problem.
> >>
> >> you need femail from ports.
> >
> > More precisely, the femail-chroot package.
> >
> > And you need /usr/libexec/ld.so inside of the /var/www chroot dir.
> > Else, femail won't run inside chroot (on 5.3, not sure if 5.2 requires this).
>
> hmmm... older setups I have seen didn't require ld.so...
>
> why it is needed?

--
www.johntate.org
Re: PHP & mini_sendmail problems
>From the end of error_log: femail: no recipients On Fri, Mar 15, 2013 at 6:31 AM, John Tate wrote: > I installed femail-chroot and put /usr/libexec/ld.so in > /var/www/usr/libexec/ld.so and updated /etc/php-5.2.ini but it still > doesn't work. > > > On Fri, Mar 15, 2013 at 6:14 AM, Alexey Suslikov < > alexey.susli...@gmail.com> wrote: > >> On Thu, Mar 14, 2013 at 9:12 PM, Stefan Sperling >> wrote: >> > On Thu, Mar 14, 2013 at 06:51:54PM +, Alexey E. Suslikov wrote: >> >> John Tate johntate.org> writes: >> >> >> >> > >> >> > I've been trying to get PHP to be able to email from a chrooted >> apache >> >> > server. Running without chroot is not an option. I can't find clear >> >> > documentation on doing this, and the logs don't contain any errors I >> can >> >> > find about the problem. >> >> >> >> you need femail from ports. >> > >> > More precisely, the femail-chroot package. >> > >> > And you need /usr/libexec/ld.so inside of the /var/www chroot dir. >> > Else, femail won't run inside chroot (on 5.3, not sure if 5.2 requires >> this). >> >> hmmm... older setups I have seen didn't require ld.so... >> >> why it is needed? >> > > > > -- > www.johntate.org > -- www.johntate.org
Re: PHP & mini_sendmail problems
It seems to be a problem with drupal, I wrote my own php script that could send mail without issues. I have no idea how such a problem is possible unless drupal doesn't use php's mail() but I can't find anyone with similar problems.

I didn't notice the log entries because they don't have a timestamp and I thought they were just wrap around when I first posted here. Sorry for wasting everyone's time.

On Fri, Mar 15, 2013 at 6:57 AM, Pascal Stumpf wrote:
> On Thu, 14 Mar 2013 20:12:52 +0100, Stefan Sperling wrote:
> > On Thu, Mar 14, 2013 at 06:51:54PM +0000, Alexey E. Suslikov wrote:
> > > John Tate johntate.org> writes:
> > >
> > > > I've been trying to get PHP to be able to email from a chrooted apache
> > > > server. Running without chroot is not an option. I can't find clear
> > > > documentation on doing this, and the logs don't contain any errors I can
> > > > find about the problem.
> > >
> > > you need femail from ports.
> >
> > More precisely, the femail-chroot package.
> >
> > And you need /usr/libexec/ld.so inside of the /var/www chroot dir.
>
> Not any more. -static now implies -nopie when linking.
>
> > Else, femail won't run inside chroot (on 5.3, not sure if 5.2 requires this).

--
www.johntate.org
Squid not working for connections from ssh-tunnel
I have a server I use to serve a squid proxy only accessible via ssh tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1 to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working for ssh tunnel connections. It works for the elinks browser, but both should be from localhost and be no different as far as I know.

I get these errors in the log:
[15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com "CONNECT mail.google.com:443 HTTP/1.1" 403 1323 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22" TCP_DENIED:NONE

My squid.conf:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 21 80
acl SSL_ports port 443
cache_mem 256 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname secusrvr.com
coredump_dir /var/squid
http_port 127.0.0.1:3128
https_port 127.0.0.1:3128 cert=/etc/ssl/private/secusrvr.com.crt key=/etc/ssl/private/server.key
logformat combined [%tl] %>A %{Host}>h "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/squid/logs/access.log combined
cache_store_log /var/squid/logs/store.log
cache_log /var/squid/logs/cache.log
logfile_rotate 8
cache_dir ufs /var/squid/cache 4096 64 256

I tried googling the error and looking in the manual but still don't fully understand it.

--
www.johntate.org
Re: Squid not working for connections from ssh-tunnel
It seems the version of squid in ports for 5.2 doesn't support SSL or doesn't support it the same way. What changed?

The errors:
2013/03/16 00:33:30| The request CONNECT bitomat.pl:443 is DENIED, because it matched 'Safe_ports'
2013/03/16 00:33:30| The reply for CONNECT bitomat.pl:443 is ALLOWED, because it matched 'Safe_ports'

It only started doing this after I upgraded from 5.1 to 5.2 and rebuilt squid in ports.

On Sat, Mar 16, 2013 at 9:26 AM, Stuart Henderson wrote:
> On 2013-03-15, John Tate wrote:
> > I have a server I use to serve a squid proxy only accessible via ssh
> > tunnel, which has worked fine for over a year. I upgraded from OpenBSD 5.1
> > to OpenBSD 5.2 and I've also rebuilt squid in ports. It has stopped working
> > for ssh tunnel connections. It works for the elinks browser, but both
> > should be from localhost and be no different as far as I know.
> >
> > I get these errors in the log:
> > [15/Mar/2013:04:01:40 -0700] elijah.secusrvr.com mail.google.com "CONNECT
> > mail.google.com:443 HTTP/1.1" 403 1323 "-" "Mozilla/5.0 (X11; Linux x86_64)
> > AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22"
> > TCP_DENIED:NONE
>
> iirc TCP_DENIED/403 is due to acl, try following this about getting
> some more logging:
>
> http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
>
> "localhost" can be all sorts of things: 127.0.0.1, ::1, or even some
> other address, depending on what's set in /etc/resolv.conf and /etc/hosts.

--
www.johntate.org
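The "DENIED, because it matched 'Safe_ports'" line can be reproduced by walking the posted http_access list in order. The following is an added example, not code from the thread or from Squid: a simplified model of first-match evaluation over the acl and http_access lines copied from the squid.conf above, supporting only the src, method, proto and port ACL types; the request dictionary and the "none" protocol value for CONNECT are assumptions of the model.

```python
import ipaddress

# acl and http_access lines copied from the squid.conf posted in the thread.
PAGE_RULES = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 21 80
acl SSL_ports port 443
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
http_access deny all
"""


def parse(conf):
    """Return (acls, rules); values of repeated acl lines are merged (OR)."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if any value of the named ACL matches the request."""
    kind, values = acls[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    if kind == "port":
        for value in values:               # single port or "low-high"
            low, _, high = value.partition("-")
            if int(low) <= req["port"] <= int(high or low):
                return True
        return False
    raise NotImplementedError(f"acl type {kind!r} is not modelled")


def http_access(conf, req):
    """Return (action, deciding rule): the first line whose ACLs all match."""
    acls, rules = parse(conf)
    if not rules:
        raise ValueError("no http_access lines")
    for action, terms in rules:
        # ACLs on one line are ANDed; a leading '!' negates that ACL.
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action, " ".join(terms)
    # No line matched: the default is the opposite of the last line.
    return ("deny" if action == "allow" else "allow"), "(default)"


if __name__ == "__main__":
    # The request from the access log, as seen through the ssh tunnel.
    tunnel = {"src": "127.0.0.1", "method": "CONNECT",
              "port": 443, "proto": "none"}
    print(http_access(PAGE_RULES, tunnel))
    with_443 = PAGE_RULES.replace("acl Safe_ports port 21 80",
                                  "acl Safe_ports port 21 80 443")
    print(http_access(with_443, tunnel))
```

In this model the CONNECT to port 443 is stopped by "http_access deny !Safe_ports" before the localhost rule is reached, because Safe_ports lists only 21 and 80; a plain GET to port 80 from 127.0.0.1 passes.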
resize disklabel partitions and ffs filesystems
I had a problem building something in ports with a default 2.0gb /usr. I tried moving ports to /home/usr/ports to /usr/ports but I get...

Fatal: /usr/ports is a symlink. Please set to the real directory

Can I resize disklabel partitions and ffs filesystems? If I can't I'm going to have to reinstall :-(.

--
www.johntate.org
Can't get vsftpd to run
I've not used it in a while and I can't get it to run. I can't find any logging options or anything.

# vsftpd

...
(It just sits there doing nothing)

How do I get it to work?

I'm using the default config with only my own banner.

--
www.johntate.org
Re: Can't get vsftpd to run
I can't find that config option.

On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson wrote:
> On 2013-04-01, John Tate wrote:
> > I've not used it in a while and I can't get it to run. I can't find any
> > logging options or anything.
> >
> > # vsftpd
> >
> > ...
> > (It just sits there doing nothing)
> >
> > How do I get it to work?
> >
> > I'm using the default config with only my own banner.
>
> It is waiting for a connection (there is a config option to run
> it in the background).
>
> We should probably add an rc.d script to the port to make it easier.

--
www.johntate.org
Re: Can't get vsftpd to run
I found it but it wasn't in there commented out, I added background=yes, but the server isn't accepting connections for some reason.

On Tue, Apr 2, 2013 at 4:13 PM, John Tate wrote:
> I can't find that config option.
>
> On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson wrote:
>> On 2013-04-01, John Tate wrote:
>> > I've not used it in a while and I can't get it to run. I can't find any
>> > logging options or anything.
>> >
>> > # vsftpd
>> >
>> > ...
>> > (It just sits there doing nothing)
>> >
>> > How do I get it to work?
>> >
>> > I'm using the default config with only my own banner.
>>
>> It is waiting for a connection (there is a config option to run
>> it in the background).
>>
>> We should probably add an rc.d script to the port to make it easier.
>
> --
> www.johntate.org

--
www.johntate.org
Re: Can't get vsftpd to run
Where do I set ports in vsftpd.conf for incoming data, I've just looked around that link you provided and I can't find the option.

I can't get through to vsftpd or pure_ftpd, probably because I didn't have incoming data ports open. I can get through on localhost and my local network so I assume it's pf.

pass in on egress inet proto tcp from any to (egress) \
    port > 49151

I've added that line but where do I set the ports on vsftpd?

On Tue, Apr 2, 2013 at 4:30 PM, Richard Toohey <richardtoo...@paradise.net.nz> wrote:
> On 04/02/13 18:13, John Tate wrote:
>> I can't find that config option.
>
> I think Stuart is talking about the background option from here:
>
> https://security.appspot.com/vsftpd/vsftpd_conf.html
>
> Also look at listen, etc.
>
> For logging - log_ftp_protocol & syslog_enable & xferlog_enable &
> vsftpd_log_file & xferlog_file options.
>
>> On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson wrote:
>>> On 2013-04-01, John Tate wrote:
>>>> I've not used it in a while and I can't get it to run. I can't find any
>>>> logging options or anything.
>>>>
>>>> # vsftpd
>>>>
>>>> ...
>>>> (It just sits there doing nothing)
>>>>
>>>> How do I get it to work?
>>>>
>>>> I'm using the default config with only my own banner.
>>>
>>> It is waiting for a connection (there is a config option to run
>>> it in the background).
>>>
>>> We should probably add an rc.d script to the port to make it easier.

--
www.johntate.org
Re: Can't get vsftpd to run
Nevermind, found it.

On Tue, Apr 2, 2013 at 4:45 PM, John Tate wrote:
> Where do I set ports in vsftpd.conf for incoming data, I've just looked
> around that link you provided and I can't find the option.
>
> I can't get through to vsftpd or pure_ftpd, probably because I didn't have
> incoming data ports open. I can get through on localhost and my local
> network so I assume it's pf.
>
> pass in on egress inet proto tcp from any to (egress) \
>     port > 49151
>
> I've added that line but where do I set the ports on vsftpd?
>
> On Tue, Apr 2, 2013 at 4:30 PM, Richard Toohey <richardtoo...@paradise.net.nz> wrote:
>> On 04/02/13 18:13, John Tate wrote:
>>> I can't find that config option.
>>
>> I think Stuart is talking about the background option from here:
>>
>> https://security.appspot.com/vsftpd/vsftpd_conf.html
>>
>> Also look at listen, etc.
>>
>> For logging - log_ftp_protocol & syslog_enable & xferlog_enable &
>> vsftpd_log_file & xferlog_file options.
>>
>>> On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson wrote:
>>>> On 2013-04-01, John Tate wrote:
>>>>> I've not used it in a while and I can't get it to run. I can't find any
>>>>> logging options or anything.
>>>>>
>>>>> # vsftpd
>>>>>
>>>>> ...
>>>>> (It just sits there doing nothing)
>>>>>
>>>>> How do I get it to work?
>>>>>
>>>>> I'm using the default config with only my own banner.
>>>>
>>>> It is waiting for a connection (there is a config option to run
>>>> it in the background).
>>>>
>>>> We should probably add an rc.d script to the port to make it easier.
>
> --
> www.johntate.org

--
www.johntate.org
Re: Can't get vsftpd to run
le of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/ftpchroot
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
#
# If enabled, vsftpd will load a list of usernames from the filename
# given by userlist_file. If a user tries to log in using a name in this
# file, they will be denied before they are asked for a password.
# This may be useful in preventing clear text passwords being transmitted.
userlist_enable=YES
#
# This option is the name of the file loaded when the userlist_enable
# option is active.
userlist_file=/etc/ftpusers
#
# This option should be the name of a directory which is empty. Also,
# the directory should not be writable by the ftp user. This directory
# is used as a secure chroot() jail at times vsftpd does not require
# filesystem access.
secure_chroot_dir=/var/vsftpd
#
# The minimum port to allocate for PASV style data connections.
# Can be used to specify a narrow port range to assist firewalling.
pasv_min_port=49152
#
# The maximum port to allocate for PASV style data connections.
# Can be used to specify a narrow port range to assist firewalling.
pasv_max_port=65535
#
# By default, numeric IDs are shown in the user and group fields of
# directory listings. You can get textual names by enabling this parameter.
# It is off by default for performance reasons.
text_userdb_names=YES
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
background=YES
log_ftp_protocol=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=49151
pasv_max_port=65535

On Tue, Apr 2, 2013 at 4:53 PM, John Tate wrote:
> Nevermind, found it.
>
> On Tue, Apr 2, 2013 at 4:45 PM, John Tate wrote:
>> Where do I set ports in vsftpd.conf for incoming data, I've just looked
>> around that link you provided and I can't find the option.
>>
>> I can't get through to vsftpd or pure_ftpd, probably because I didn't
>> have incoming data ports open. I can get through on localhost and my local
>> network so I assume it's pf.
>>
>> pass in on egress inet proto tcp from any to (egress) \
>>     port > 49151
>>
>> I've added that line but where do I set the ports on vsftpd?
>>
>> On Tue, Apr 2, 2013 at 4:30 PM, Richard Toohey <richardtoo...@paradise.net.nz> wrote:
>>> On 04/02/13 18:13, John Tate wrote:
>>>> I can't find that config option.
>>>
>>> I think Stuart is talking about the background option from here:
>>>
>>> https://security.appspot.com/vsftpd/vsftpd_conf.html
>>>
>>> Also look at listen, etc.
>>>
>>> For logging - log_ftp_protocol & syslog_enable & xferlog_enable &
>>> vsftpd_log_file & xferlog_file options.
>>>
>>>> On Tue, Apr 2, 2013 at 9:52 AM, Stuart Henderson wrote:
>>>>> On 2013-04-01, John Tate wrote:
>>>>>> I've not used it in a while and I can't get it to run. I can't find
>>>>>> any logging options or anything.
>>>>>>
>>>>>> # vsftpd
>>>>>>
>>>>>> ...
>>>>>> (It just sits there doing nothing)
>>>>>>
>>>>>> How do I get it to work?
>>>>>>
>>>>>> I'm using the default config with only my own banner.
>>>>>
>>>>> It is waiting for a connection (there is a config option to run
>>>>> it in the background).
>>>>>
>>>>> We should probably add an rc.d script to the port to make it easier.
>>
>> --
>> www.johntate.org
>
> --
> www.johntate.org

--
www.johntate.org
Can't get FTP through pf
I've got a gateway computer I also want to be an ftp server. I've put everything through pf as per http://openbsd.org/faq/pf/ftp.html

Can anyone see something I've missed in this config? I can't access it remotely.

# grep -v -e ^# -e ^$ /etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=_vsftpd
ftpd_banner=Welcome to Kintaro's home. Where the downstream is small but the system enourmous.
chroot_list_enable=YES
chroot_list_file=/etc/ftpchroot
userlist_enable=YES
userlist_file=/etc/ftpusers
secure_chroot_dir=/var/vsftpd
pasv_min_port=49152
pasv_max_port=65535
text_userdb_names=YES
listen=YES
background=YES
log_ftp_protocol=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=49151
pasv_max_port=65535

# grep -v -e ^# -e ^$ /etc/pf.conf
int_if="fxp0"
ext_if="pppoe0"
murphy="10.0.0.2"
fekete="10.0.0.3"
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938 }"
tcp_services="{ 22 }"
icmp_types="echoreq"
set skip on lo
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass    # to establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

--
www.johntate.org
Re: Can't get FTP through pf
Thanks!

On Thu, Apr 4, 2013 at 4:29 PM, David Diggles wrote:
> Looks like these are your conflicting rules.
>
> > pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
> > pass in on $ext_if proto tcp to port 21
>
> The first rule needs to be on $int_if - you didn't specify an interface
> so it then defaults to all interfaces.

--
www.johntate.org
httpd.conf problem with defaults
I think I have a problem with my defaults. I used to just have a default a secusrvr.com. The default would point to /var/www/htdocs which redirects to /var/www/sites/secusrvr.com which is for the virtualhost secusrvr.com.

I added johntate.org and www.johntate.org both under /var/www/sites/www.johntate.org and /var/www/sites/johntate.org but somehow even after adding www.secusrvr.com, that domain through a browser redirects to johntate.org.

I'm getting these warnings:
# apachectl startssl
[Thu Apr 4 20:17:56 2013] [warn] module mod_php5.c is already added, skipping
[Thu Apr 4 20:17:56 2013] [warn] module php5_module is already loaded, skipping
[Thu Apr 4 20:17:56 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Apr 4 20:17:56 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:443 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 208.79.92.130:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:443 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
[Thu Apr 4 20:17:56 2013] [warn] NameVirtualHost 127.0.0.1:80 has no VirtualHosts
/usr/sbin/apachectl startssl: httpd started

Here is my /var/www/conf/httpd.conf

# $OpenBSD: httpd.conf,v 1.26 2009/06/03 18:28:21 robert Exp $
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://www.apache.org/docs/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# After this file is processed, the server will look for and process
# /var/www/conf/srm.conf and then /var/www/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/usr/local/apache" will be interpreted by the
# server as "/usr/local/apache/logs/foo.log".
#
### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#
#
# ServerType is either inetd, or standalone. Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone
#
# ServerTokens is either Full, OS, Minimal, or ProductOnly.
# The values define what version information is returned in the
# Server header in HTTP responses.
#
# ServerTokens ProductOnly
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at http://www.apache.org/docs/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/var/www"
#
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
#LockFile logs/accept.lock
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFi
Re: httpd.conf problem with defaults
Nice and short httpd.conf...

ServerType standalone
ServerRoot "/var/www"
PidFile logs/httpd.pid
ScoreBoardFile logs/apache_runtime_status
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
MaxCPUPerChild 0
MaxDATAPerChild 0
MaxNOFILEPerChild 0
MaxRSSPerChild 0
MaxSTACKPerChild 0
LoadModule rewrite_module /usr/lib/apache/modules/mod_rewrite.so
LoadModule php5_module /usr/local/lib/php-5.3/libphp5.so
AddModule mod_php5.c
Include /var/www/conf/modules/*.conf
Port 80
Listen 80
Listen 443
User www
Group www
ServerAdmin j...@secusrvr.com
ServerName www.secusrvr.com
DocumentRoot "/var/www/htdocs"
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
UserDir disabled
DirectoryIndex index.php index.html
AccessFileName .htaccess
Order allow,deny
Deny from all
UseCanonicalName On
TypesConfig conf/mime.types
DefaultType text/plain
MIMEMagicFile conf/magic
HostnameLookups Off
ErrorLog logs/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log common
Alias /icons/ "/var/www/icons/"
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
AllowOverride None
Options None
Order allow,deny
Allow from all
IndexOptions FancyIndexing
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README
HeaderName HEADER
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
AddEncoding x-compress Z
AddEncoding x-gzip gz
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
AddLanguage da .da
AddLanguage el .el
AddLanguage it .it
LanguagePriority en fr de
AddType application/x-httpd-php .php
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex sem
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/arandom 512
SSLLog logs/ssl_engine_log
SSLLogLevel info

NameVirtualHost 208.79.92.130:443
NameVirtualHost 127.0.0.1:443
DocumentRoot "/var/www/sites/secusrvr.com"
ServerName secusrvr.com
SSLEngine on
SSLCertificateFile /etc/ssl/private/secusrvr.com.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificateFile /etc/ssl/private/gd_bundle.crt
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
allow from all
Options +Indexes
AllowOverride All

NameVirtualHost 208.79.92.130:80
NameVirtualHost 127.0.0.1:80
DocumentRoot "/var/www/sites/johntate.org"
ServerName johntate.org
allow from all
Options +Indexes
AllowOverride All

NameVirtualHost 208.79.92.130:80
NameVirtualHost 127.0.0.1:80
DocumentRoot "/var/www/sites/www.johntate.org"
ServerName www.johntate.org
allow from all
Options +Indexes
AllowOverride All

NameVirtualHost 208.79.92.130:80
NameVirtualHost 127.0.0.1:80
DocumentRoot "/var/www/sites/www.secusrvr.com"
ServerName www.secusrvr.com
allow from all
Options +Indexes
AllowOverride All

On Fri, Apr 5, 2013 at 2:18 PM, John Tate wrote:
> I think I have a problem with my
Re: httpd.conf problem with defaults
Removed all the NameVirtualHost lines and it still isn't working. I can't make sense of it everything looks fine, I get some errors about _default_ VirtualHost.

# apachectl startssl
[Sat Apr 6 02:53:57 2013] [warn] module mod_php5.c is already added, skipping
[Sat Apr 6 02:53:57 2013] [warn] module php5_module is already loaded, skipping
[Sat Apr 6 02:53:57 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Sat Apr 6 02:53:57 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence

On Fri, Apr 5, 2013 at 7:25 PM, Stuart Henderson wrote:
> On 2013-04-05, John Tate wrote:
> > NameVirtualHost 127.0.0.1:443
> > NameVirtualHost 208.79.92.130:443
> > NameVirtualHost 127.0.0.1:80
> > NameVirtualHost 127.0.0.1:80
> > NameVirtualHost 127.0.0.1:80
> > NameVirtualHost 208.79.92.130:80
> > NameVirtualHost 208.79.92.130:80
> > NameVirtualHost 208.79.92.130:80
>
> remove the duplicate lines and see if it helps.

--
www.johntate.org
Re: httpd.conf problem with defaults
Thanks, that worked.

On Sun, Apr 7, 2013 at 6:45 AM, Zé Loff wrote:
> On Sat, Apr 06, 2013 at 08:55:53PM +1100, John Tate wrote:
> > Removed all the NameVirtualHost lines and it still isn't working. I can't
> > make sense of it everything looks fine, I get some errors about _default_
> > VirtualHost.
> >
> > # apachectl startssl
> > [Sat Apr 6 02:53:57 2013] [warn] module mod_php5.c is already added, skipping
> > [Sat Apr 6 02:53:57 2013] [warn] module php5_module is already loaded, skipping
> > [Sat Apr 6 02:53:57 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
> > [Sat Apr 6 02:53:57 2013] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
> >
> > On Fri, Apr 5, 2013 at 7:25 PM, Stuart Henderson wrote:
> >
> > > On 2013-04-05, John Tate wrote:
> > > > NameVirtualHost 127.0.0.1:443
> > > > NameVirtualHost 208.79.92.130:443
> > > > NameVirtualHost 127.0.0.1:80
> > > > NameVirtualHost 127.0.0.1:80
> > > > NameVirtualHost 127.0.0.1:80
> > > > NameVirtualHost 208.79.92.130:80
> > > > NameVirtualHost 208.79.92.130:80
> > > > NameVirtualHost 208.79.92.130:80
> > >
> > > remove the duplicate lines and see if it helps.
> >
> > --
> > www.johntate.org
>
> Apache is telling you what is wrong. You have several default VHs, and
> the first (for port 80 it's johntate.org) has precedence, so that's why
> you always get redirected to it.
>
> Try changing the NameVirtualHost directives to *:80 and *:443. You are
> specifying IP addresses on those directives, but then define
> virtual hosts on *:80 and *:443, and maybe that's the problem (I've
> moved from apache to nginx, so I'm not testing any of this...).
>
> Here's a (very trimmed) known-to-work config:
>
> ServerName www.phistat.com
> DocumentRoot "/var/www/htdocs"
> UseCanonicalName On
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> ServerAdmin webmas...@zeloff.org
> DocumentRoot /var/www/htdocs
> ServerName www.zeloff.org
> ErrorLog logs/error_log
> CustomLog logs/access_log combined
> Options Multiviews FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
>
> ServerAdmin webmas...@phistat.com
> DocumentRoot /var/www/htdocs/phiStat
> ServerName www.phistat.com
> ErrorLog logs/www.phistat.com-error_log
> CustomLog logs/www.phistat.com-access_log combined
>
> Additionally you are adding the php modules twice: in your httpd.conf file and
> most likely on *.conf files present on the /var/www/conf/modules folder,
> which you are including with the "Include /var/www/conf/modules/*.conf"
> line, but this has nothing to do with the redirections.
>
> --

--
www.johntate.org
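The two conditions discussed in this thread, repeated or unmatched NameVirtualHost lines and several VirtualHost blocks on an address that no NameVirtualHost covers (so the first block answers for every hostname), can be checked mechanically before restarting httpd. This is an added example, not code from the thread; the function names, the .example hostnames and the 192.0.2.10 address are constructed, and addresses are compared as plain strings.

```shell
#!/bin/sh
# Added example (not from the thread): lint the pairing of NameVirtualHost
# lines and <VirtualHost> blocks in an Apache 1.3 style httpd.conf.
# Assumption: addresses are compared as literal strings; Apache itself
# compares them after resolving names and wildcards.

check_vhosts() {        # httpd.conf on stdin; prints findings, returns 1 if any
    awk '
    /^[ \t]*#/ { next }                         # skip comment lines
    { key = tolower($1) }                       # directive names are case-insensitive
    key == "namevirtualhost" {
        if (!($2 in nvh)) nvh_order[++n_nvh] = $2
        nvh[$2]++
        next
    }
    key == "<virtualhost" {                     # a block may list several addresses
        n_cur = 0
        for (i = 2; i <= NF; i++) {
            a = $i
            sub(/>$/, "", a)
            if (a != "") cur[++n_cur] = a
        }
        name = "(no ServerName)"
        in_vh = 1
        next
    }
    in_vh && key == "servername" { name = $2; next }
    key == "</virtualhost>" {
        for (i = 1; i <= n_cur; i++) {
            a = cur[i]
            if (a in vh) shadowed[a] = shadowed[a] " " name
            else { vh_order[++n_vh] = a; first[a] = name }
            vh[a]++
        }
        n_cur = 0
        in_vh = 0
        next
    }
    END {
        for (i = 1; i <= n_nvh; i++) {
            a = nvh_order[i]
            if (nvh[a] > 1) { print "DUPLICATE NameVirtualHost " a " x" nvh[a]; bad++ }
            if (!(a in vh)) { print "UNUSED NameVirtualHost " a " has no VirtualHosts"; bad++ }
        }
        for (i = 1; i <= n_vh; i++) {
            a = vh_order[i]
            if (vh[a] > 1 && !(a in nvh)) {     # several blocks, none selected by name
                print "OVERLAP " a " first=" first[a] " shadowed=" substr(shadowed[a], 2)
                bad++
            }
        }
        exit (bad > 0)
    }'
}

broken_conf() {         # constructed sample shaped like the configuration in the thread
    cat <<'EOF'
NameVirtualHost 192.0.2.10:80
NameVirtualHost 127.0.0.1:80
<VirtualHost *:80>
    DocumentRoot "/var/www/sites/site-a.example"
    ServerName site-a.example
</VirtualHost>
NameVirtualHost 192.0.2.10:80
NameVirtualHost 127.0.0.1:80
<VirtualHost *:80>
    DocumentRoot "/var/www/sites/site-b.example"
    ServerName site-b.example
</VirtualHost>
EOF
}

fixed_conf() {          # constructed sample: one NameVirtualHost matching the blocks
    cat <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot "/var/www/sites/site-a.example"
    ServerName site-a.example
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/sites/site-b.example"
    ServerName site-b.example
</VirtualHost>
EOF
}

# Stand-alone run: show the findings for the broken sample.
broken_conf | check_vhosts || :
```

The OVERLAP line names the site that every request on that address lands on, which matters beyond the redirect seen here: content or access rules meant for one hostname end up served under another.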
pf queueing and nat
I am adding queueing to my pf based nat for my home network. Since there isn't a complete example involving nat and queuing I am not entirely sure where to put things. I've read the manual and I think I put things before the rdr-to rules. I also have a transparent ftp and http proxy. I am not entirely sure if I put it before or after the divert-to rules. I just need someone to show me where in the pf.conf I've already done I should put things.

I need to add the lines like these...
block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) queue (std_out, tcp_ack_out)
(And so on, including for incoming traffic on $int_if)

My current pf.conf...
# grep -v '^#' /etc/pf.conf

int_if="fxp0"
ext_if="pppoe0"

murphy="10.0.0.2"
fekete="10.0.0.3"

murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938, }"

tcp_services="{ 22 }"
icmp_types="echoreq"

set skip on lo

pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass # to establish keep-state

block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
port $tcp_services

pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if

--
www.johntate.org
Re: pf queueing and nat
I think I understand, can someone give me a look at a pf.conf with queueing and nat rules. It's hard to experiment because I'm logged in via ssh and would lose my connection every time I make a change. Unfortunately the machine connected to the firewall via null modem for a serial console has died :-(.

On Wed, Apr 17, 2013 at 4:05 AM, Christopher Zimmermann wrote:
> On Wed, 17 Apr 2013 03:32:52 +1000
> John Tate wrote:
>
> > I am adding queueing to my pf based nat for my home network. Since
> > there isn't a complete example involving nat and queuing I am not
> > entirely sure where to put things. I've read the manual and I think I
> > put things before the rdr-to rules. I also have a transparent ftp and
> > http proxy. I am not entirely sure if I put it before or after the
> > divert-to rules. I just need someone to show me where in the pf.conf
> > I've already done I should put things.
> >
> > I need to add the lines like these...
> > block out on $ext_if all
>
> Before everything else. Last match wins!
>
> > pass out on $ext_if inet proto tcp from ($ext_if) queue (std_out,
> > tcp_ack_out)
> > (And so on, including for incoming traffic on $int_if)
>
> I'm not sure whether queue rules are sticky, but later matching ones
> will overwrite earlier ones I'd guess, so put them as late as possible.
> I'd also put the nat rules as "match" rules at the very end, so you
> don't "forget" the real source address/port too early.
>
> Christopher
>
> > My current pf.conf...
> > # grep -v '^#' /etc/pf.conf
> >
> > int_if="fxp0"
> > ext_if="pppoe0"
> >
> > murphy="10.0.0.2"
> > fekete="10.0.0.3"
> >
> > murphy_ports = "{ 8333 }"
> > fekete_ports = "{ 17001, 39191, 5938, }"
> >
> > tcp_services="{ 22 }"
> > icmp_types="echoreq"
> >
> > set skip on lo
> >
> > pass in quick on $int_if inet proto tcp to port http divert-to
> > 127.0.0.1 port 3128
> >
> > anchor "ftp-proxy/*"
> > pass in quick on $int_if inet proto tcp to port ftp divert-to
> > 127.0.0.1 port 8021
> >
> > match out on egress inet from !(egress:network) to any nat-to
> > (egress:0)
> >
> > pass # to establish keep-state
> >
> > block in on ! lo0 proto tcp to port 6000:6010
> >
> > block in log
> > pass out quick
> >
> > antispoof quick for { lo $int_if }
> >
> > pass in on egress inet proto tcp from any to (egress) \
> > port $tcp_services
> >
> > pass in on $ext_if proto tcp to port 21
> > pass in on $ext_if proto tcp to port > 49151
> >
> > pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to
> > $murphy
> > pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to
> > $fekete
> >
> > pass in inet proto icmp all icmp-type $icmp_types
> >
> > pass in on $int_if
> >
> > --
> > www.johntate.org

--
www.johntate.org
Re: pf queueing and nat
I can't find any description of the match rules here:
http://openbsd.org/faq/pf/filter.html

Are they the same syntax as block and pass rules?

On Wed, Apr 17, 2013 at 4:56 AM, Peter N. M. Hansteen wrote:
> John Tate writes:
>
> > I think I understand, can someone give me a look at a pf.conf with queueing
> > and nat rules.
>
> With an existing rule set in place, it's probably easier to do the queue
> assignment with a block of match rules. That way at least you don't
> affect the pass or block decision.
>
> - P
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

--
www.johntate.org
Re: pf queueing and nat
Found it in the manpage pretty quickly, silly me, apparently is the same.

On Wed, Apr 17, 2013 at 5:16 PM, John Tate wrote:
> I can't find any description of the match rules here:
> http://openbsd.org/faq/pf/filter.html
>
> Are they the same syntax as block and pass rules?
>
> On Wed, Apr 17, 2013 at 4:56 AM, Peter N. M. Hansteen wrote:
>
>> John Tate writes:
>>
>> > I think I understand, can someone give me a look at a pf.conf with queueing
>> > and nat rules.
>>
>> With an existing rule set in place, it's probably easier to do the queue
>> assignment with a block of match rules. That way at least you don't
>> affect the pass or block decision.
>>
>> - P
>>
>> --
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
> --
> www.johntate.org

--
www.johntate.org
Re: pf queueing and nat
Well the ruleset loads, can anyone do a quick check of this in case I've done something stupid. I've never used match rules before. I'm not really sure how to test queueing to see if it works.

# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if="fxp0"
ext_if="pppoe0"

#networks
local_net="10.0.0.0/8"

#hosts
murphy="10.0.0.2"
fekete="10.0.0.3"

#host port forwarding
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938, }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"

#queue ports
ssh_ports = "{ 22, }"
im_ports = "{ 1863, 5190, 5222 }"

#queues
altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in, fekete_in }
queue std_in bandwidth 175Kb cbq(default)
queue ssh_im_in bandwidth 75Kb priority 4
queue dns_in bandwidth 50Kb priority 5
queue fekete_in bandwidth 50Kb cbq(borrow)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass # to establish keep-state

# rules for spamd(8)
#table persist
#table persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from to any port smtp
#pass in log on egress proto tcp from to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match out on $ext_if inet proto tcp from ($ext_if) queue(std_out, tcp_ack_out)
match out on $ext_if inet proto { tcp udp } from ($ext_if) to port domain \
queue dns_out
match out on $ext_if inet proto tcp from ($ext_if) to port $ssh_ports \
queue(std_out, ssh_im_out)
match out on $ext_if inet proto tcp from ($ext_if) to port $im_ports \
queue(ssh_im_out, tcp_ack_out)

match out on $int_if proto { tcp udp } from port domain to $local_net queue dns_in
match out on $int_if proto tcp from port $ssh_ports to $local_net \
queue(std_in, ssh_im_in)
match out on $int_if proto tcp from port $im_ports to $local_net \
queue ssh_im_in
match out on $int_if to $fekete queue fekete_in

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_i

On Wed, Apr 17, 2013 at 5:17 PM, John Tate wrote:
> Found it in the manpage pretty quickly, silly me, apparently is the same.
>
> On Wed, Apr 17, 2013 at 5:16 PM, John Tate wrote:
>
>> I can't find any description of the match rules here:
>> http://openbsd.org/faq/pf/filter.html
>>
>> Are they the same syntax as block and pass rules?
>>
>> On Wed, Apr 17, 2013 at 4:56 AM, Peter N. M. Hansteen wrote:
>>
>>> John Tate writes:
>>>
>>> > I think I understand, can someone give me a look at a pf.conf with queueing
>>> > and nat rules.
>>>
>>> With an existing rule set in place, it's probably easier to do the queue
>>> assignment with a block of match rules. That way at least you don't
>>> affect the pass or block decision.
>>>
>>> - P
>>>
>>> --
>>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>>> "Remember to set the evil bit on all malicious network traffic"
>>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>>
>> --
>> www.johntate.org
>
> --
> www.johntate.org

--
www.johntate.org
Re: pf queueing and nat
Well I had the bandwidth the wrong way around for my internet connection.

I've been trying the other changes and now I have problems, I'm pretty sure I need to put _out and _in on the end...

# pfctl -nf /etc/pf.conf
/etc/pf.conf:39: exactly one scheduler type per interface allowed
/etc/pf.conf:39: errors in queue definition
/etc/pf.conf:40: priq doesn't take bandwidth
/etc/pf.conf:40: errors in queue definition
/etc/pf.conf:41: priq doesn't take bandwidth
/etc/pf.conf:41: errors in queue definition
/etc/pf.conf:42: priq doesn't take bandwidth
/etc/pf.conf:42: errors in queue definition

# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if="fxp0"
ext_if="pppoe0"

#networks
local_net="10.0.0.0/8"

#hosts
murphy="10.0.0.2"
fekete="10.0.0.3"

#host port forwarding
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938, }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"

#queue ports
ssh_ports = "{ 22, }"
im_ports = "{ 1863, 5190, 5222 }"

#queues
altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack, game }
queue std priq(default)
queue ssh_im priority 4 priq(red)
queue dns priority 5
queue game priority 6
queue tcp_ack priority 7

altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete, game }
queue std bandwidth 5000Kb cbq(default)
queue ssh_im bandwidth 200Kb priority 4
queue dns bandwidth 200Kb priority 5
queue game bandwidth 200Kb priority 6
queue fekete bandwidth 1900Kb cbq(borrow)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass # to establish keep-state

# rules for spamd(8)
#table persist
#table persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from to any port smtp
#pass in log on egress proto tcp from to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match inet proto tcp queue(std, tcp_ack)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
match inet proto tcp to port 27000:27050 queue game
match from $fekete queue fekete
match to $fekete queue fekete

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if

On Wed, Apr 17, 2013 at 8:32 PM, Stuart Henderson wrote:
> On 2013-04-17, John Tate wrote:
> > Well the ruleset loads, can anyone do a quick check of this in case I've
> > done something stupid. I've never used match rules before. I'm not really
> > sure how to test queueing to see if it works.
>
> see "systat queue"; run it as root.
>
> > #queues
> > altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out,
> > tcp_ack_out }
> > queue std_out priq(default)
> > queue ssh_im_out priority 4 priq(red)
> > queue dns_out priority 5
> > queue tcp_ack_out priority 6
> >
> > altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in,
> > fekete_in }
> > queue std_in bandwidth 175Kb cbq(default)
> > queue ssh_im_in bandwidth 75Kb priority 4
> > queue dns_in bandwidth 50Kb priority 5
> > queue fekete_in bandwidth 50Kb cbq(borrow)
>
> Using separate queue names for _in and _out is really awk
Re: pf queueing and nat
Oh wait I've forgot to specify the interface.

On Thu, Apr 18, 2013 at 5:45 AM, John Tate wrote:
> Well I had the bandwidth the wrong way around for my internet connection.
>
> I've been trying the other changes and now I have problems, I'm pretty
> sure I need to put _out and _in on the end...
> # pfctl -nf /etc/pf.conf
> /etc/pf.conf:39: exactly one scheduler type per interface allowed
> /etc/pf.conf:39: errors in queue definition
> /etc/pf.conf:40: priq doesn't take bandwidth
> /etc/pf.conf:40: errors in queue definition
> /etc/pf.conf:41: priq doesn't take bandwidth
> /etc/pf.conf:41: errors in queue definition
> /etc/pf.conf:42: priq doesn't take bandwidth
> /etc/pf.conf:42: errors in queue definition
>
> # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
> #
> # See pf.conf(5) for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> #interfaces
> int_if="fxp0"
> ext_if="pppoe0"
>
> #networks
> local_net="10.0.0.0/8"
>
> #hosts
> murphy="10.0.0.2"
> fekete="10.0.0.3"
>
> #host port forwarding
> murphy_ports = "{ 8333 }"
> fekete_ports = "{ 17001, 39191, 5938, }"
>
> #other
> tcp_services="{ 22 }"
> icmp_types="echoreq"
>
> #queue ports
> ssh_ports = "{ 22, }"
> im_ports = "{ 1863, 5190, 5222 }"
>
> #queues
> altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack, game }
> queue std priq(default)
> queue ssh_im priority 4 priq(red)
> queue dns priority 5
> queue game priority 6
> queue tcp_ack priority 7
>
> altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete, game }
> queue std bandwidth 5000Kb cbq(default)
> queue ssh_im bandwidth 200Kb priority 4
> queue dns bandwidth 200Kb priority 5
> queue game bandwidth 200Kb priority 6
> queue fekete bandwidth 1900Kb cbq(borrow)
>
> set skip on lo
>
> # this is the squid proxy line
> pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>
> # anchor for relayd(8)
> #anchor "relayd/*"
>
> #nat rule for all interfaces
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> pass # to establish keep-state
>
> # rules for spamd(8)
> #table persist
> #table persist file "/etc/mail/nospamd"
> #pass in on egress proto tcp from any to any port smtp \
> #rdr-to 127.0.0.1 port spamd
> #pass in on egress proto tcp from to any port smtp
> #pass in log on egress proto tcp from to any port smtp
> #pass out log on egress proto tcp to any port smtp
>
> #block in quick from urpf-failed to any # use with care
>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010
>
> block in log
> pass out quick
>
> match inet proto tcp queue(std, tcp_ack)
> match inet proto { tcp udp } to port domain queue dns
> match inet proto tcp to port $ssh_ports queue(std, ssh_im)
> match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
> match inet proto tcp to port 27000:27050 queue game
> match from $fekete queue fekete
> match to $fekete queue fekete
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
> port $tcp_services
>
> #FTP
> pass in on $ext_if proto tcp to port 21
> pass in on $ext_if proto tcp to port > 49151
>
> #nat port redirects
> #pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
> pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
> pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> pass in on $int_if
>
> On Wed, Apr 17, 2013 at 8:32 PM, Stuart Henderson wrote:
>
>> On 2013-04-17, John Tate wrote:
>> > Well the ruleset loads, can anyone do a quick check of this in case I've
>> > done something stupid. I've never used match rules before. I'm not really
>> > sure how to test queueing to see if it works.
>>
>> see "systat queue"; run it as root.
>
PF blocking something it seems it shouldn't
My pflog interface shows something being blocked that simply shouldn't be blocked as far as I understand my pf rules...

11:35:40.461658 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 (DF)

My pf.conf...

menger:root # cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if="fxp0"
ext_if="pppoe0"

#networks
local_net="10.0.0.0/8"

#hosts
menger="10.0.0.1"
murphy="10.0.0.2"
fekete="10.0.0.3"

#host port forwarding
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938, }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"

#queue ports
ssh_ports = "{ 22, }"
im_ports = "{ 1863, 5190, 5222 }"
game_ports = "{ 27000:27050, 4380 }"

altq on $ext_if cbq bandwidth 375Kb queue { std, ssh_im, dns, game }
queue std on $ext_if bandwidth 100Kb cbq(default borrow)
queue ssh_im on $ext_if bandwidth 50Kb priority 3 cbq(red)
queue dns on $ext_if bandwidth 25Kb priority 4
queue game on $ext_if bandwidth 200Kb priority 5 cbq(red)

altq on $int_if cbq bandwidth 100Mb queue { lan, int }
queue lan on $int_if bandwidth 92Mb cbq(default)
queue int on $int_if bandwidth 7500Kb { std, ssh_im, dns, game }
queue std on $int_if bandwidth 6500Kb cbq(borrow)
queue ssh_im on $int_if bandwidth 200Kb priority 4
queue dns on $int_if bandwidth 200Kb priority 5
queue game on $int_if bandwidth 600Kb priority 6 cbq(red)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log #RULE 6
pass out quick

match inet proto { tcp udp } queue(std)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im)
match inet proto udp to port $game_ports queue game
match inet from $menger queue lan
match inet to $menger queue lan

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto { tcp udp } to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto { tcp udp } to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if

--
www.johntate.org
Forwarding to a proxy on a different system with pf
I have a squid proxy listening in transparent mode on another faster system, but I can't seem to get packets there with pf. I tried simply modifying the other divert-to rule to use the IP address of that system. It doesn't seem to work, packets don't reach that system.

#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128
pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10 port 3128

How should I be doing this? I couldn't find anything on Google.

-- www.johntate.org
PHP fastcgi, suexec
I want to use fastcgi and suexec to run php programs as particular users from Apache in a chroot. I've found documentation on running suexec, but I can't find anything OpenBSD specific on getting fastcgi and php into the chroot so I can use them. If you could at least please just point me in the direction of documentation it would be good but some simple directions would suffice. I've installed php-5.3-fastcgi, how do I put the wrapper in the chroot? I know where the wrapper is but I'm not sure about all the required files. How do I put all the files related to my php in the chroot? Once again I'm not sure about the required files. -- www.johntate.org
Migrating users from one machine to another
I want to migrate users from one machine to another, I was hoping someone had a script. I basically want to copy every user with a UID >= 1000 and their password to the new system. I have copied their home directories with rsync, so it would be good if it could also chmod the permissions back. -- www.johntate.org
Re: Migrating users from one machine to another
That worked, easier than I thought.

On Fri, Nov 15, 2013 at 11:42 PM, Nick Holland wrote:
> On 11/15/13 05:10, John Tate wrote:
>> I want to migrate users from one machine to another, I was hoping
>> someone had a script. I basically want to copy every user with a UID
>> >= 1000 and their password to the new system. I have copied their home
>> directories with rsync, so it would be good if it could also chmod the
>> permissions back.
>>
>
> not sure why you need a script...
> The exact details depend on what is different between the systems
> currently and desired to be different ultimately.
>
> Start with the old /etc/master.passwd file, fix things that are missing,
> remove things you don't want, copy it over and run pwd_mkdb. If the
> starting and ending machines are supposed to be "identical", no fixing
> should be needed.
>
> Nick.
>

-- www.johntate.org
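The procedure Nick describes (start from the old /etc/master.passwd, drop what is not wanted, copy it over, run pwd_mkdb) written out as an added example; it is not code from the thread. The function names, file names and sample entries are constructed, and the pwd_mkdb calls appear only as comments because they need root on the target machine.

```sh
#!/bin/sh
# Added example: carry accounts with UID >= 1000 from an old OpenBSD
# master.passwd(5) into a new one. master.passwd holds password hashes,
# so work as root with "umask 077" and move the extract over ssh only.
# Entry format (10 colon-separated fields):
#   name:hash:uid:gid:class:change:expire:gecos:home:shell

# select_users OLD_MASTER MIN_UID
# Print well-formed entries whose UID is >= MIN_UID, leaving out "nobody".
select_users() {
    awk -F: -v min="$2" '
        /^#/ || NF != 10 { next }
        $3 ~ /^[0-9]+$/ && $3 + 0 >= min && $1 != "nobody" { print }
    ' "$1"
}

# merge_users NEW_MASTER CANDIDATES
# Print NEW_MASTER followed by the candidates whose login name and UID are
# both unused on the new system. Collisions go to stderr and are skipped,
# so an existing account is never shadowed or given a second owner.
merge_users() {
    awk -F: '
        NR == FNR {
            print
            if ($0 !~ /^#/) { name[$1] = 1; uid[$3] = 1 }
            next
        }
        ($1 in name) || ($3 in uid) {
            print "skipped (name or uid in use): " $1 > "/dev/stderr"
            next
        }
        { name[$1] = 1; uid[$3] = 1; print }
    ' "$1" "$2"
}

# home_owners CANDIDATES
# Print (not run) one chown per entry to restore ownership of the copied
# home directories; paths with unusual characters are left out.
home_owners() {
    awk -F: '$9 ~ "^/[A-Za-z0-9._/-]+$" {
        printf "chown -R %s:%s %s\n", $3, $4, $9
    }' "$1"
}

# Constructed sample data (hashes are placeholders, not real bcrypt output).
sample_old() {
    cat <<'EOF'
root:$2a$08$constructedhashROOT:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin
alice:$2a$08$constructedhashALICE:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
bob:$2a$08$constructedhashBOB:1001:1001::0:0:Bob:/home/bob:/bin/ksh
EOF
}
sample_new() {
    cat <<'EOF'
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
admin:*:1001:1001::0:0:Admin:/home/admin:/bin/ksh
EOF
}

# Typical use (hypothetical file names):
#   old host:  umask 077; select_users /etc/master.passwd 1000 > users.txt
#   new host:  umask 077
#              merge_users /etc/master.passwd users.txt > /etc/master.passwd.new
#              pwd_mkdb -c /etc/master.passwd.new   # format check only
#              pwd_mkdb -p /etc/master.passwd.new   # install, rebuild databases
#              home_owners users.txt                # review, then run the lines
# The matching groups in /etc/group have to be carried over as well.
```

With the sample data, bob is reported and skipped because UID 1001 already belongs to admin on the new machine.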
John Tate has invited you to join Updown.com
Your friend, John Tate, has invited you to join Updown.com, the fantasy investing site that gives away $3,000 every month to the best investors who manage a virtual portfolio of $1,000,000. Join Updown.com & Become John Tate's Friend. (http://www.updown.com/create-account.do?_refer=132362&_code_2=_invite&_invite=229236) -- Here is John Tate's personal message to you: Hi. I've been using this site to become a better investor. It's a lot of fun. I think you'd like it. -- Sincerely, The Updown Team Please ensure you'll continue to receive e-mails from Updown.com: * Outlook Users: From the Actions menu, select Junk E-mail and "Add Sender to Safe Senders List" * Hotmail, Yahoo and AOL Users: Click the "Add Address" or "Save Address" button or link beside the "From" address at the top of this message * Users of Other Email Systems: Please follow the software or service-provider's instructions for adding Updown.com to your "safe senders list" or "whitelist." Updown.com respects your right to privacy. You can view our privacy policy by visiting: http://www.updown.com/privacy-policy If you are a member and wish to turn off this email, you can update your email settings by visiting: http://www.updown.com/edit-email-notifications To unsubscribe to all future emails, visit: http://www.updown.com/unsubscribe?mail=11985449&email=m...@openbsd.org
Re: Removing content from misc
A lot of those archives are private and independent of the OpenBSD project. You might want to contact those sites. -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Ricardo Augusto de Souza Sent: Tuesday, July 14, 2009 2:52 AM To: majord...@openbsd.org. Cc: misc@openbsd.org Subject: Removing content from misc Hi, I sent an email to misc few months ago. It is a private content. I found it at http://archive.netbsd.se/?ml=openbsd-misc&a=2009-05&t=10605255 I do need to remove it. Is it possible? Thanks
Packet filter log tools
OpenBSD Misc, What tools can you guys recommend for browsing through a pf log? GUI not needed, ideally, something a bit like webalizer that spits out HTML. If no such thing exists, perhaps I should make one, I am looking for a project. John Tate -- www.johntate.org
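A small summariser for pflog text in the format of the log line quoted earlier in this archive (rule 6/(match) block in on fxp0: ...), with an HTML table as output; this is an added example, not a tool from the thread or from OpenBSD. The function names are made up here, every sample line except the first is constructed, and only IPv4 lines are split into address and port.

```sh
#!/bin/sh
# Added example: summarise pf log text as printed by
#   tcpdump -n -e -r /var/log/pflog
# Line shape (from the message quoted earlier on this page):
#   TIME rule N/(match) ACTION DIR on IF: SRC.SPORT > DST.DPORT: FLAGS ...

# pflog_summary: read log lines on stdin, print
#   COUNT RULE ACTION DIR IF DPORT FLAGS
# most frequent first. DPORT and FLAGS are "-" when the line has none
# (ICMP, or a protocol whose 11th field is not a TCP flag string).
# Blocked TCP packets whose FLAGS lack "S" are mid-connection packets,
# which is worth seeing separately from blocked connection attempts.
pflog_summary() {
    awk '
    $2 == "rule" && $6 == "on" && $9 == ">" {
        split($3, r, "/")                 # "6/(match)" -> 6
        iface = $7; sub(/:$/, "", iface)
        dst = $10;  sub(/:$/, "", dst)
        n = split(dst, d, ".")            # IPv4: a.b.c.d.port
        port = (n == 5) ? d[5] : "-"
        flags = ($11 ~ /^[SFPRUWE.]+$/) ? $11 : "-"
        count[r[1] " " $4 " " $5 " " iface " " port " " flags]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# pflog_html: the same summary as an HTML table. Fields come from log
# data, so they are escaped before being placed in markup.
pflog_html() {
    printf '<table>\n<tr><th>count</th><th>rule</th><th>action</th>'
    printf '<th>dir</th><th>if</th><th>dport</th><th>flags</th></tr>\n'
    pflog_summary |
        sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' |
        awk '{
            printf "<tr>"
            for (i = 1; i <= NF; i++) printf "<td>%s</td>", $i
            print "</tr>"
        }'
    printf '</table>\n'
}

# Sample input: the first line is the one from this page, the rest are
# constructed (documentation address ranges).
sample_pflog() {
    cat <<'EOF'
11:35:40.461658 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 (DF)
11:35:41.102233 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 (DF)
11:36:02.000481 rule 6/(match) block in on pppoe0: 198.51.100.7.51515 > 203.0.113.9.23: S 1000:1000(0) win 5840 (DF)
11:36:05.730012 rule 6/(match) block in on pppoe0: 198.51.100.7 > 203.0.113.9: icmp: echo request
EOF
}
```

On a live system the input would come from tcpdump reading /var/log/pflog, piped into pflog_html and redirected to a file.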
Re: Packet filter log tools
On Thu, Dec 1, 2011 at 5:32 PM, Jan Stary wrote: > On Dec 01 12:23:30, John Tate wrote: > > If no such thing exists, perhaps I should make one, > > Absolutely. Let us know when it is done. > > > I am looking for a project. > > Ah, so sysutils/cdrtools is already up to the latest release? > Here I'll write a patch: rm -rf /usr/ports/sysutils/cdrutils Nobody needs that tool, I'm putting this back on the list hoping you are removed, troll. -- www.johntate.org
Narcicism?
I think I've found a bug in the OpenBSD crowd. They bug the hell out of me and my little mistakes. I am not talking about people who actually have a solution, but I can't seem to ask anything on this list without parrots coming along picking on me. I think some people just hang out here because it's the most anal bunch of hackers ever, in recorded history. What are your experiences? Is it true that occasionally we attract people who either love bullying or are just lazy and pretending to be one of the clever? It just figures some of these people sit on the list, and email you poorly researched crap with no answers contain. If you hate a question, it truly doesn't belong, bug me. But if you just can't answer a question, ignore it. John Tate. Note: Yes, it's not my list. -- www.johntate.org
Re: Narcicism?
On Thu, Dec 1, 2011 at 7:20 PM, Scott McEachern wrote: > On 12/01/11 02:28, John Tate wrote: > >> I think I've found a bug in the OpenBSD crowd. They bug the hell out of me >> and my little mistakes. >> >> I am not talking about people who actually have a solution, but I can't >> seem to ask anything on this list without parrots coming along picking on >> me. I think some people just hang out here because it's the most anal >> bunch >> of hackers ever, in recorded history. What are your experiences? >> > I'm 24 years old. I was a Linux hacker since I was 13. I am a bit of a guru and do my own Kerberos and such on an all BSD/Linux network. OpenBSD and Debian Linux. I love OpenBSD, I'm a bit weird because I use bash. I can put up with being made fun of. At 13 I didn't just start learning Linux I started learning C++ as well. I failed to apprehend it properly at that age, but at an older age I relearned it well. I am the guru sort of guy, I know a hell of a lot but I'm still connecting it and in that sense still learning. > >> Is it true that occasionally we attract people who either love bullying or >> are just lazy and pretending to be one of the clever? >> > Well I get messages that are worthless and seem to be insults. > >> It just figures some of these people sit on the list, and email you poorly >> researched crap with no answers contain. >> >> If you hate a question, it truly doesn't belong, bug me. >> >> But if you just can't answer a question, ignore it. >> >> John Tate. >> >> Note: Yes, it's not my list. >> >> > John, if you don't mind, I'll give you some advice: Do your homework > before posting to the list. Your basic instinct is to click "Send" instead > of thinking first. I've lost count of how many of your posts were > retracted by yourself, with a big "oops, my bad" or were replied to with > RTFM-type responses. I got a kick out of one retraction where you said > something like "Sorry, I was drunk." > > You're obviously new here. 
Sure, it's a tough crowd at times, but that > only happens when people don't bother reading the FAQ, or the man pages, or > trying things out for themselves. A lot of people have asked "stupid" > questions or said something "dumb" -- myself included -- and got painful > responses. I've had my share of facepalm experiences and had my ass handed > to me plenty of times, but I deserved it. > > But you know what? I try to not make a regular occasion of it. It seems > you do. > > I help a lot of people off-list, and I know for a fact many others do the > same. I've found through years of experience there are two kinds of people > on this list: those that need a little help and pointed in the right > direction, and those that need their hands held for every step. Guess > which category I put you in? And that's exactly why I've helped you a > grand total of zero times. > > Now you have the gall to come on this list and insult the people that are > trying to help you. I don't think there's anyone on this list that sits > idly, waiting for an opportunity to "pick on" or "bully" someone. Get a > grip, get some thicker skin, and most of all, RTFM first. > > I guarantee that if you take my advice, you'll find this list to be a > very, very valuable resource. Remember, there is a difference between > *reading* and *comprehension*. Work a little harder on the latter and I > think you'll find you won't be "picked on". > > Stop playing the victim. You're not the first and it's old. > > -- > Scott McEachern > > https://www.blackstaff.ca > > -- www.johntate.org
Re: pppoe
Using userland ppp, this pf configuration is preventing proper pppoe connections. The same would happen with pppoe(4). I know how to accept, but I'm not sure about (a) pppoe only (2) the order and position of where it should go, though I didn't plagiarize these filters except from the manual. I generally understand them.

# cat /etc/pf.conf
int_if="xl0"
ext_if="tun0" #has to be changed to pppoe(4)
thenetwrk="10.0.0.0/8"
rothbard="10.0.0.10"
baal="10.0.0.2"
smass="10.0.0.1"
etcp_services="{22}"
itcp_services="{22,53}"
icmp_types="echoreq"
ports_rothbard="{17000,17001,17002,17003,17004,17005,2322}"
ports_smass="{17100,17101,17102,17103,17104,17105,}"
set block-policy return
set loginterface $ext_if
set skip on lo
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021
match out on $ext_if from 10.0.0.0/8 to any nat-to $int_if
pass on $ext_if from 10.0.0.0/8 to any
pass out on $ext_if proto tcp from any to any
pass in on $ext_if proto tcp from any to any port $ports_rothbard rdr-to $rothbard
pass in on $ext_if proto tcp from any to any port $ports_smass rdr-to $smass
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
    port $etcp_services
pass in on egress inet proto tcp from any to $baal port $itcp_services
pass in inet proto icmp all icmp-type $icmp_types

On Mon, Nov 21, 2011 at 8:46 PM, Eric Furman wrote:
> On Monday, November 21, 2011 7:57 AM, "Jan Stary" wrote:
> > On Nov 21 12:37:37, John Tate wrote:
> > > I am setting up an OpenBSD firewall, and have everything working but I
> > > am using userland pppoe. I am not sure if it ever became an official
> > > part of OpenBSD, but I've heard there might be kernel level pppoe
> > > support.
> > >
> > > Is there kernel level pppoe support? Or is the cybersphere filling my
> > > head with dreams?
> >
> > Is http://www.openbsd.org/faq/faq6.html#PPP a part of "cybersphere"?
>
> PPP?!?!?!?
> Aughugh, hsss, hs. It hurts usss it hurts uss!
> Take it away take it away!!!
> LOL
>
> Sorry, you have my sympathy...
>

-- www.johntate.org
Re: Narcicism?
I should lie and make this statement smaller? There is nothing even that big about it. I don't know why I should leave anything other than the facts. It's your choice to guess my intentions for doing so. On Fri, Dec 2, 2011 at 2:43 AM, Rares Aioanei wrote: > On 12/01/2011 05:25 PM, John Tate wrote: > >> On Thu, Dec 1, 2011 at 7:20 PM, Scott McEachern >> wrote: >> >> I'm 24 years old. I was a Linux hacker since I was 13. I am a bit of a >> guru >> and do my own Kerberos and such on an all BSD/Linux network. OpenBSD and >> Debian Linux. I love OpenBSD, I'm a bit weird because I use bash. I can >> put >> up with being made fun of. At 13 I didn't just start learning Linux I >> started learning C++ as well. I failed to apprehend it properly at that >> age, but at an older age I relearned it well. I am the guru sort of guy, I >> know a hell of a lot but I'm still connecting it and in that sense still >> learning. >> > > You forgot to list modesty there as well, John. > > -- > Rares Aioanei > > -- www.johntate.org
Re: Phone openBSD ?
Some ways of answering this yourself...

* What processor does the phone have?
* What does the page on the OpenBSD website say about that processor? Is the phone listed?

To answer it for you: No, it isn't supported.

On Wed, Nov 30, 2011 at 7:45 AM, hvom .org wrote:
> Hi
>
> I want a smartphone compatible openbsd, you return with the Nokia N7 and
> E7.
>
> best regards
>

-- www.johntate.org
OpenBSD PF tables
Misc,

I have successfully got an OpenBSD machine to connect via ADSL and forward packets, I am gradually upgrading my pf.conf. I am having trouble with this configuration (ignore some obvious bugs related to table names where tables are defined and the rules I have seen them).

At the moment I am working on doing some things as tables. I want tables to hold the ports, but it appears perhaps they can only hold IP addresses. The following tables do not work from line 10-11...

table { 22 }
table { 22, 53 }

The whole thing is here: http://pastebin.com/VuLNW9Ph

John Tate

-- www.johntate.org
Re: OpenBSD PF tables
Is there a way to have it so I can add ports from the command line if I can't use tables?

On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler wrote:
> Yes, tables in PF only support IP addresses.
>
>
> On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
> :At the moment I am working on doing some things as tables. I want tables to
> :hold the ports, but it appears perhaps they can only hold IP addresses. The
> :following tables do not work from line 10-11...
>
> --
> Renning's Maxim:
> Man is the highest animal. Man does the classifying.
>

-- www.johntate.org
Re: OpenBSD PF tables
Is there a way to control ports on a filter from the command line? I guess I just have manually adding and deleting rules.

On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera wrote:
> the documentation is pretty clear by saying that tables can only hold
> addresses, not a random set of numbers
>
> On Thu, Dec 8, 2011 at 6:41 AM, John Tate wrote:
> > Misc,
> >
> > I have successfully got an OpenBSD machine to connect via ADSL and forward
> > packets, I am gradually upgrading my pf.conf. I am having trouble with this
> > configuration (ignore some obvious bugs related to table names where tables
> > are defined and the rules I have seen them).
> >
> > At the moment I am working on doing some things as tables. I want tables to
> > hold the ports, but it appears perhaps they can only hold IP addresses. The
> > following tables do not work from line 10-11...
> >
> > table { 22 }
> > table { 22, 53 }
> >
> > The whole thing is here: http://pastebin.com/VuLNW9Ph
> >
> > John Tate
> >
> > --
> > www.johntate.org
> >
>

-- www.johntate.org
Re: OpenBSD PF tables
On Thu, Dec 8, 2011 at 11:00 PM, Peter N. M. Hansteen wrote:
> On Thu, Dec 08, 2011 at 10:11:19PM +1100, John Tate wrote:
> > I have successfully got an OpenBSD machine to connect via ADSL and forward
> > packets, I am gradually upgrading my pf.conf. I am having trouble with this
> > configuration (ignore some obvious bugs related to table names where tables
> > are defined and the rules I have seen them).
>
> what are those obvious bugs? please describe in detail.
>

Ignore them, that refers to mistakes of mine (the names on the tables differ from the names in the rules)

> > At the moment I am working on doing some things as tables. I want tables to
> > hold the ports, but it appears perhaps they can only hold IP addresses. The
> > following tables do not work from line 10-11...
>
> from man pf.conf:
>
> TABLES
> Tables are named structures which can hold a collection of addresses and
> networks. Lookups against tables in pf(4) are relatively fast, making a
> single rule with tables much more efficient, in terms of processor usage
> and memory consumption, than a large number of rules which differ only in
> IP address (either created explicitly or automatically by rule expansion).
>
> > table { 22 }
> > table { 22, 53 }
>
> this is what macros are for:
>
> etcpserv = { 22 }
> itcpserv = { 22, 53 }
>
> Other parts of your config use tables correctly. You may want to browse
> the PF faq, with http://home.nuug.no/~peter/pf/en/ or the book it spawned
> (http://www.nostarch.com/pf2.htm) as a useful supplement.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

-- www.johntate.org
What generates the OpenBSD page?
I am wondering what software if any generates the OpenBSD and similar websites. It appears to be a static page generated by some software, that software doesn't seem to be mentioned. What is it? Or is it just hand made? John Tate -- www.johntate.org
Re: ALIX 2 Hangs on boot at date/time
In single user mode you often need to mount some partitions, and remount root as read-write to do much of anything.

# mount -o rw /

and

# mount -o rw /usr

and so on for anything else you need. vi I believe resides in /usr so you will need to mount that partition. If it's not that, your system is screwed and you need to reinstall.

On Sat, Dec 10, 2011 at 12:31 PM, Dave Beckstrom wrote:
> David,
>
> Thanks for the suggestion. I'm 99% of the way there. Basically all I need
> to do is edit "/etc/ttys" to configure something like:
>
> tty00 "/usr/libexec/getty std.38400" vt220 on secure
>
> and I'll be all set.
>
> I've discovered that I can boot into single user mode. That leaves me at
> the sh# shell. But I haven't had success at remounting root as read write
> yet. Basic commands like ls don't even work. Not doing something right.
> Can't get an editor to run either (it doesn't find vi).
>
>
> If I can't solve this I'll go the PXE route. Not quite ready to give up
> yet. If anything, it's a good learning process. :)
>
> Thanks,
>
> Dave
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> David Walker
> Sent: Friday, December 09, 2011 3:07 PM
> To: misc@openbsd.org
> Subject: [SPAM]- Score (15)Re: ALIX 2 Hangs on boot at date/time
>
> Get an old PC or somesuch, run tftp and install directly onto the ALIX via
> ethernet.
> See here:
> http://www.openbsd.org/faq/faq6.html#PXE
>
> Problem(s) solved.
>
> Best wishes.
>

-- www.johntate.org
Re: What generates the OpenBSD page?
No, I'm an idiot. Not kidding at all. Is that a yes for "Or is it just hand made?" On Sat, Dec 10, 2011 at 2:31 PM, Theo de Raadt wrote: > > I am wondering what software if any generates the OpenBSD and similar > > websites. It appears to be a static page generated by some software, that > > software doesn't seem to be mentioned. What is it? Or is it just hand > made? > > Are you kidding? > -- www.johntate.org
Re: What generates the OpenBSD page?
Is it info2www being used? On Sat, Dec 10, 2011 at 2:21 PM, Richard Toohey < richardtoo...@paradise.net.nz> wrote: > On 10/12/2011, at 3:02 PM, John Tate wrote: > > > I am wondering what software if any generates the OpenBSD and similar > > websites. It appears to be a static page generated by some software, that > > software doesn't seem to be mentioned. What is it? Or is it just hand > made? > > > > You might find some answers here > > http://www.openbsd.org/cgi-bin/cvsweb/www/ > > > John Tate > > > > -- > > www.johntate.org > > > > -- www.johntate.org
Re: What generates the OpenBSD page?
Where did I state I think I am a genius? I want an actual quote, nothing less. Your grammar indicates rage rather than humor. My actual expertise is philosophy and psychology, you have narcissistic personality disorder. That is what the world calls it. In Objectivism, we call it misplaced self-esteem. Now where exactly did I say I was a genius? I mean, I have some genius, but I'm a C naive lover of OpenBSD - I'm a Redstone genius. I wouldn't mind a ports related project to prove myself with. I've not tried to prove anything. I've not been cocky. I've not been anything but inquisitive and curious. John On Sat, Dec 10, 2011 at 7:03 PM, Eric Furman wrote: > The only reason I haven't added you to my kill file is your > questions and responses are sooo idiotically moronic that > you are hilarious! You are so fucking stupid you are falling > down hilarious. What makes it even more funny is how smart > you think you are! LMFAO! > God, if I had a nickle for every fucking retard like you > I've met that thought that they were a genius > Oh yea, I sent this to the list also to humiliate you. > Please keep posting though, you really crack me up. > > On Sat, Dec 10, 2011, at 06:15 PM, John Tate wrote: > > No, I'm an idiot. Not kidding at all. Is that a yes for "Or is it just > > hand > > made?" > > > > On Sat, Dec 10, 2011 at 2:31 PM, Theo de Raadt > > wrote: > > > > > > I am wondering what software if any generates the OpenBSD and similar > > > > websites. It appears to be a static page generated by some software, > that > > > > software doesn't seem to be mentioned. What is it? Or is it just hand > > > made? > > > > > > Are you kidding? > > > > > > > > > > > -- > > www.johntate.org > > > > > -- www.johntate.org
Re: What generates the OpenBSD page?
On Sat, Dec 10, 2011 at 11:42 PM, richo wrote: > On 10/12/11 23:34 +1100, John Tate wrote: > >> On Sat, Dec 10, 2011 at 7:03 PM, Eric Furman ** >> wrote: >> >> The only reason I haven't added you to my kill file is your >>> questions and responses are sooo idiotically moronic that >>> you are hilarious! You are so fucking stupid you are falling >>> down hilarious. What makes it even more funny is how smart >>> you think you are! LMFAO! >>> God, if I had a nickle for every fucking retard like you >>> I've met that thought that they were a genius >>> Oh yea, I sent this to the list also to humiliate you. >>> Please keep posting though, you really crack me up. >>> >>> Where did I state I think I am a genius? I want an actual quote, nothing >> less. >> >> Your grammar indicates rage rather than humor. >> >> My actual expertise is philosophy and psychology, you have narcissistic >> personality disorder. That is what the world calls it. In Objectivism, we >> call it misplaced self-esteem. >> >> Now where exactly did I say I was a genius? I mean, I have some genius, >> but >> I'm a C naive lover of OpenBSD - I'm a Redstone genius. I wouldn't mind a >> ports related project to prove myself with. I've not tried to prove >> anything. I've not been cocky. I've not been anything but inquisitive and >> curious. >> >> John >> >> You throw the words hacker and guru about in relation to yourself a lot > on > your blog, in the world of FOSS they translate fairly literally to genius, > or > potentially represent a subset thereof. > I am a guru of Linux systems with an immense respect for OpenBSD. Stay off my website, I wish I could make it Objectivists only, because what you are all doing is a STRAWMAN of my blog. I did not intend for it to be that way, you had to, in your words *translate*. In my words that means strawman. Don't enter a logical debate with me. I am not interested. 
> > While I don't necessarily support the personal attacks, I can't say I > totally > disagree with the vibe of it. > > Please don't presume to psycho-analyse members of the list, and please > develop some modesty. If you want hand holding and someone to explain > something which is already documented, I would recommend one of the more > newby friendly linuxes. > > -- > richo || Today's excuse: > > The vendor put the bug there. > http://blog.psych0tik.net > -- www.johntate.org
Re: What generates the OpenBSD page?
On Sun, Dec 11, 2011 at 12:04 AM, richo wrote:
> On 10/12/11 23:56 +1100, John Tate wrote:
>
>> On Sat, Dec 10, 2011 at 11:42 PM, richo wrote:
>>
>>> While I don't necessarily support the personal attacks, I can't say I totally
>>> disagree with the vibe of it.
>>>
>>> Please don't presume to psycho-analyse members of the list, and please
>>> develop some modesty. If you want hand holding and someone to explain
>>> something which is already documented, I would recommend one of the more
>>> newby friendly linuxes.
>>>
>> I am a guru of Linux systems with an immense respect for OpenBSD.
>>
>> Stay off my website, I wish I could make it Objectivists only, because
>> what you are all doing is a STRAWMAN of my blog. I did not intend for it
>> to be that way, you had to, in your words translate. In my words that
>> means strawman.
>>
>> Don't enter a logical debate with me. I am not interested.
>>
>>
> Please don't top post. It makes it hard to read. If you must top post, please
> post at the top of the message and not randomly halfway through. It makes it
> impossible to read and a pain to fix (which I have done again).
>
> The term guru, hacker and wizard are not generally applied to oneself. There
> aren't many people I'd take seriously when they claimed it; and you're not
> one of them. A cursory google suggests that you've never written anything, so
> you'll forgive my doubts. Similarly, unless you're planning a one line post
> with links to what you've written, I'm uninterested in this debate.
>
> Demanding that I stay off your website, and then suggesting that you wish you
> could make it accessible only to people who share your world view is in my
> opinion retarded. I'm not convinced you really understand what freedom is. In
> the name of helping the fellow man though, I recommend disconnecting that
> machine from the internet immediately and mailing hardcopies of its source
> to parties you approve though, ideally encrypted such that character
> assassins such as myself can't get hold of its content in transit.
>
> Finally, screaming strawman to redirect an argument away from its original
> point is delightfully poetic, but ultimately stupid. If people on the list
> repeatedly take issue with your posts, it stands to reason that there is an
> issue with your posts.
>

If the people of the list, are disconnected from the abstract concept of people as in groups of people, and considered individuals - then actually I'm having a good time because actually most the messages are not that bad, some are helpful, and some like this thread are a little humiliating.

> Some modesty would do you well, and unless you can populate 5 points of
> reference that you've read thoroughly in the footer of a "I need help" or
> "how does this work" post, I would suggest that you have some more reading to
> do.
>

Not a bad idea actually, but I do look around but you only have my word.

> richo
>
>
> --
> richo || Today's excuse:
>
> monitor resolution too high
> http://blog.psych0tik.net
>

Psychosis is a terrible illness.

-- www.johntate.org
Re: What generates the OpenBSD page?
A simple Google of your email address shows something extremely humiliating. You know as little as I do! -- Forwarded message -- From: Eric Furman Date: Sat, Dec 10, 2011 at 7:03 PM Subject: Re: What generates the OpenBSD page? To: John Tate , OpenBSD Misc The only reason I haven't added you to my kill file is your questions and responses are sooo idiotically moronic that you are hilarious! You are so fucking stupid you are falling down hilarious. What makes it even more funny is how smart you think you are! LMFAO! God, if I had a nickle for every fucking retard like you I've met that thought that they were a genius Oh yea, I sent this to the list also to humiliate you. Please keep posting though, you really crack me up. On Sat, Dec 10, 2011, at 06:15 PM, John Tate wrote: > No, I'm an idiot. Not kidding at all. Is that a yes for "Or is it just > hand > made?" > > On Sat, Dec 10, 2011 at 2:31 PM, Theo de Raadt > wrote: > > > > I am wondering what software if any generates the OpenBSD and similar > > > websites. It appears to be a static page generated by some software, that > > > software doesn't seem to be mentioned. What is it? Or is it just hand > > made? > > > > Are you kidding? > > > > > > -- > www.johntate.org > > -- www.johntate.org
Re: What generates the OpenBSD page?
On Sun, Dec 11, 2011 at 5:06 AM, Nomen Nescio wrote: > Oh man, you are drastically reducing the average intelligence of any > group you join. > > But I liked this admission on your blog: > > "Just for the record, I make no illusions about being a complete jerk. Nor > have I ever tried to be nice to a stranger once in my life, unless it was > a homeless person whom could buy me alcohol or cigarettes as a teenager. > I am a callous, rude, and unforgiving person. To the accusations against > me I will plead: guilty as charged. I am an arsehole." > > Source: http://old.johntate.org/node/316?page=1 > > Considering that you proudly admit to being an asshole, with zero > consideration for your fellow man, don't you think that you are sometimes > expecting too much from others? You asshole! > > John Tate wrote: > > > Where did I state I think I am a genius? I want an actual quote, nothing > > less. > > > > Your grammar indicates rage rather than humor. > > > > My actual expertise is philosophy and psychology, you have narcissistic > > personality disorder. That is what the world calls it. In Objectivism, we > > call it misplaced self-esteem. > > [snip] > > You are projecting, you really are the one with the most obvious disorders > on this list. > > And although I can't bring myself to read through the diarrhea on your > site, it seems that the majority of your "philosophy" posts are about > bashing an Objectivist Ph.D in philosophy. Your level is ...? And yet you > pretend to speak for Objectivists. > > Please don't think this guy understands Objectivism better than he > understands OpenBSD, C++, psychology, or anything. > Why is it so important that you must plead the list for this? You are a people-obsessed loser. -- www.johntate.org
Re: Mplayer vo on loongson, change resolution
On Fri, Dec 9, 2011 at 4:34 AM, alies wrote: > Hello > > What mplayer -vo I need to use for best performance in loongson Yeeloong > netbook? Can I use full fullscreen in mplayer? > > What about sdl games (quake, doom etc), can I change resolution? > > I could change resolution with OpenBSD 5.0 in Openarena (Quake III Arena with community made textures and stuff) but for whatever reason (probably OpenBSD's crazy mmap() - because I had direct rendering) it was incredibly laggy and unplayable. If OpenBSD was more popular it might have games written for it, since its far less of a moving target for developers than most Linux distros. -- www.johntate.org