Re: Routing problem?
Hey,

Try a bridge. man brconfig(8) says:

    The brconfig utility retrieves kernel state of bridge interfaces and
    allows user control of these bridges. Bridge devices create a logical
    link between two or more Ethernet interfaces or encapsulation
    interfaces (see gif(4)), which will selectively forward frames from
    each interface on the bridge to every other interface on the bridge.
    This can be used to isolate traffic between sets of machines on the
    same segment and to provide a transparent filter for ip(4) datagrams.

Which is pretty much what you want to do (e.g. isolate traffic between the router and the DMZ). The bridge puts its interfaces into promiscuous mode and sees all traffic. The DMZ keeps its own address. Take a look at BRCONFIG(8).

Respectfully,

Tony Sterrett
[EMAIL PROTECTED]
Consultant in Open Source Software, featuring OpenBSD and Linux.
www.sterrett.net

On Jan 22, 2006, at 10:07 AM, Jonas Lindskog wrote:

> Hello,
>
> We are running OpenBSD 3.8 as a firewall router. The router has two internal networks to handle; a DMZ with "real" IP addresses and a NAT network to which our workstations are connected. The problem I have is that it's not possible to connect to the server on the DMZ (ip 38.87.5.122, netmask 255.255.255.252) from the outside (but from the inside). I guess that I somehow have to make the external interface listen to the same address as the server (they are on the same net), but if I add an alias to the external interface it doesn't (of course) route packets to the DMZ. How do I make OpenBSD route packets to the server (and the DMZ subnet)?
>
> Our ISP has given us a net that has the following data:
>
> Net segment: 38.87.5.112 /28
> net address: 38.87.5.112
> gw address: 38.87.5.113
> firewall: 38.87.5.114
> free ip: 38.87.5.115-126
> broadcast address: 38.87.5.127
> netmask: 255.255.255.240
>
> the server has the following interfaces configured:
> ### interfaces
> #external interface
> inet 38.87.5.114 255.255.255.240 NONE
>
> #internal interface
> inet 192.168.97.254 255.255.255.0 NONE
>
> # dmz
> inet 38.87.5.121 255.255.255.252 NONE
>
> Thanks in advance
>
> Jonas
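The DMZ /30 in Jonas's configuration (38.87.5.120/30) lies inside the ISP's /28, so the same addresses are "connected" on two of the firewall's interfaces, and the ISP gateway at 38.87.5.113 sees 38.87.5.122 as a directly attached host rather than something to forward to the firewall. The script below is an added example, not part of the thread: it derives the connected routes from the quoted interface lines, flags overlapping prefixes, and performs a longest-prefix lookup from the firewall's and the gateway's point of view. The gateway's routing table (a single connected /28) is an assumption; only its address and the /28 appear on the page.

```python
import ipaddress

# Interface configuration quoted in the thread: (address, netmask) per interface.
FIREWALL_IFACES = {
    "external": ("38.87.5.114", "255.255.255.240"),
    "internal": ("192.168.97.254", "255.255.255.0"),
    "dmz": ("38.87.5.121", "255.255.255.252"),
}

# Assumed view of the ISP gateway: one connected /28 on its customer-facing port.
ISP_GATEWAY_IFACES = {
    "customer": ("38.87.5.113", "255.255.255.240"),
}

DMZ_SERVER = "38.87.5.122"
ISP_GATEWAY = "38.87.5.113"


def connected_routes(ifaces):
    """Map each interface name to the connected route its address/netmask implies."""
    return {
        name: ipaddress.IPv4Interface(f"{addr}/{mask}").network
        for name, (addr, mask) in ifaces.items()
    }


def overlapping_prefixes(ifaces):
    """Sorted pairs of interfaces whose connected prefixes overlap.

    Overlap means one interface claims addresses that are actually reached
    through another one; that is the root of the reachability problem here.
    """
    nets = connected_routes(ifaces)
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def lookup(ifaces, dst, default_gw=None):
    """Longest-prefix match over connected routes, then the default gateway.

    Returns ("onlink", iface) when the host would ARP for dst directly on
    that interface, ("via", default_gw) when it hands the packet to its
    default router, or ("unreachable", None).
    """
    dst = ipaddress.IPv4Address(dst)
    matches = [
        (net.prefixlen, name)
        for name, net in connected_routes(ifaces).items()
        if dst in net
    ]
    if matches:
        _, name = max(matches)  # most specific prefix wins
        return ("onlink", name)
    if default_gw is not None:
        return ("via", default_gw)
    return ("unreachable", None)


if __name__ == "__main__":
    print("overlapping prefixes on the firewall:", overlapping_prefixes(FIREWALL_IFACES))
    print("firewall ->", DMZ_SERVER, lookup(FIREWALL_IFACES, DMZ_SERVER, ISP_GATEWAY))
    print("ISP gw   ->", DMZ_SERVER, lookup(ISP_GATEWAY_IFACES, DMZ_SERVER))
```

The firewall itself resolves 38.87.5.122 correctly (the /30 is more specific than the /28), but the gateway's lookup comes back "onlink": it ARPs for the server on the outside segment, where nothing answers. Tony's bridge suggestion works because the bridged DMZ host then answers that ARP on the outside wire; any alternative that leaves the DMZ routed has to make the firewall answer for those addresses instead.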
Re: PF or BPF
Hey,

BPF is a really cool pseudo device (software that's accessed like a device; you'll see it in /dev). It is programmed with an assembly-like load/store instruction set. This is a very efficient way of filtering incoming packets. It is used by tcpdump, pcap and ppp. It's neat, but it doesn't know about state, which PF does. BPF is used (or can be used) on a lot of systems, but it is BSD native, as the name indicates. There has been some research on adding state and performance enhancements in projects named BPF+ and DBPF.

I'm looking at the tradeoff of porting bpf with states from linux to OpenBSD. Daniel Hartmeier in "Design and Performance of the OpenBSD Stateful Packet Filter (pf)" says that pf is more efficient than bpf, so it may be pointless. On the other hand, having this facility would increase the richness of our toolkit.

BTW tcpdump can be used to produce a bpf program and pcap is a convenient way of using BPF. Here's an example.

    mail# tcpdump -d host 192.142.1.1 and dst port 80
    (000) ldh      [12]
    (001) jeq      #0x800           jt 2    jf 15
    (002) ld       [26]
    (003) jeq      #0xc08e0101      jt 6    jf 4
    (004) ld       [30]
    (005) jeq      #0xc08e0101      jt 6    jf 15
    (006) ldb      [23]
    (007) jeq      #0x6             jt 9    jf 8
    (008) jeq      #0x11            jt 9    jf 15
    (009) ldh      [20]
    (010) jset     #0x1fff          jt 15   jf 11
    (011) ldxb     4*([14]&0xf)
    (012) ldh      [x + 16]
    (013) jeq      #0x50            jt 14   jf 15
    (014) ret      #96
    (015) ret      #0
    mail#

Respectfully,

Tony Sterrett
[EMAIL PROTECTED]
Consultant in Open Source Software, featuring OpenBSD and Linux.
www.sterrett.net
(858) 433-1467 San Diego
(408) 705-2135 San Jose

On Feb 13, 2006, at 3:17 PM, Ray Lai wrote:

> On Mon, Feb 13, 2006 at 05:28:22PM -0500, Jason Crawford wrote:
>> Well in the case of /usr/src, I think you MIGHT hit the maximum argument
>> length for the shell by using xargs, unless you did it inside of each
>> directory in /usr/src.
>>
>> That and well, explaining xargs to Dave will end up leading to another 20+
>> mail thread
>
> xargs runs the command multiple times when it hits this limit:
>
>     [EMAIL PROTECTED] jot 0 | xargs echo | sed 's/ .*//'
>     1
>     5001
>     10001
>     15001
>     20001
>     25001
>     ^C
>
> The manual tries to describe this behavior:
>
>     Any arguments specified on the command line are given to the utility
>     upon each invocation, followed by some number of the arguments read
>     from standard input. The utility is repeatedly executed one or more
>     times until standard input is exhausted.
>
> -Ray-
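To make the tcpdump -d listing concrete, here is a small interpreter for exactly the subset of classic BPF that listing uses (ldb/ldh/ld, the IHL-scaled ldxb, indexed ldh, jeq, jset, ret), run over constructed Ethernet/IPv4 frames. It is an added example, not code from the thread, tcpdump or libpcap; the frame builder, its all-zero MACs and checksums, and the opcode names ldxb_msh and ldh_ind for the two composite loads are my own. The program is transcribed from the message above with absolute jump targets, as tcpdump -d prints them, and a load past the end of the frame rejects the packet, as the kernel filter machine does.

```python
import ipaddress
import struct

# The program printed by `tcpdump -d host 192.142.1.1 and dst port 80` above,
# transcribed as (opcode, k[, jt, jf]) with absolute jump targets.
PROGRAM = [
    ("ldh", 12),                 # (000) A = ethertype
    ("jeq", 0x800, 2, 15),       # (001) IPv4? else reject
    ("ld", 26),                  # (002) A = IP source address
    ("jeq", 0xC08E0101, 6, 4),   # (003) src == 192.142.1.1?
    ("ld", 30),                  # (004) A = IP destination address
    ("jeq", 0xC08E0101, 6, 15),  # (005) dst == 192.142.1.1? else reject
    ("ldb", 23),                 # (006) A = IP protocol
    ("jeq", 0x6, 9, 8),          # (007) TCP?
    ("jeq", 0x11, 9, 15),        # (008) UDP? else reject
    ("ldh", 20),                 # (009) A = flags + fragment offset
    ("jset", 0x1FFF, 15, 11),    # (010) non-first fragment: no L4 header, reject
    ("ldxb_msh", 14),            # (011) X = 4 * IHL = IP header length
    ("ldh_ind", 16),             # (012) A = halfword at X+16 = L4 destination port
    ("jeq", 0x50, 14, 15),       # (013) port 80?
    ("ret", 96),                 # (014) accept, snap 96 bytes
    ("ret", 0),                  # (015) reject
]


def run_bpf(program, pkt):
    """Interpret a classic-BPF program over one frame; return the accept length (0 = drop).

    Branches only go forward, so the loop always reaches a ret. A load beyond
    the frame (IndexError / struct.error) rejects the packet.
    """
    a = x = pc = 0
    try:
        while True:
            ins = program[pc]
            op, k = ins[0], ins[1]
            if op == "ldb":
                a = pkt[k]
            elif op == "ldh":
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ld":
                a = struct.unpack_from("!I", pkt, k)[0]
            elif op == "ldxb_msh":      # ldxb 4*([k]&0xf)
                x = 4 * (pkt[k] & 0xF)
            elif op == "ldh_ind":       # ldh [x + k]
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif op == "jeq":
                pc = ins[2] if a == k else ins[3]
                continue
            elif op == "jset":
                pc = ins[2] if a & k else ins[3]
                continue
            elif op == "ret":
                return k
            else:
                raise ValueError(f"unsupported opcode {op!r}")
            pc += 1
    except (IndexError, struct.error):
        return 0


def build_frame(src_ip, dst_ip, proto, dport, ihl_words=5, frag_off=0, ethertype=0x0800):
    """Constructed Ethernet/IPv4/L4 test frame (zero MACs and checksums; all values made up)."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    options = bytes(4 * (ihl_words - 5))          # zero-filled IP options when IHL > 5
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x40 | ihl_words, 0, 4 * ihl_words + 20, 0, frag_off, 64, proto, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    ) + options
    # Only bytes 0-3 (source/destination port) matter to this program; the rest is a
    # minimal TCP-shaped header so the frame has a plausible length.
    l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + l4


if __name__ == "__main__":
    cases = {
        "tcp to 192.142.1.1:80": build_frame("10.0.0.1", "192.142.1.1", 6, 80),
        "udp to 192.142.1.1:80": build_frame("10.0.0.1", "192.142.1.1", 17, 80),
        "tcp to 192.142.1.1:443": build_frame("10.0.0.1", "192.142.1.1", 6, 443),
        "non-first fragment": build_frame("10.0.0.1", "192.142.1.1", 6, 80, frag_off=0x0001),
        "ip options, port 80": build_frame("192.142.1.1", "10.0.0.1", 6, 80, ihl_words=6),
    }
    for name, frame in cases.items():
        print(f"{name:24s} -> ret #{run_bpf(PROGRAM, frame)}")
```

Two details of the listing become visible when you run it: instruction (010) is why "dst port 80" never matches a non-first fragment (there is no transport header to inspect, so the filter rejects rather than guesses), and (011)/(012) are why the port lookup survives IP options, because the offset is computed from the IHL nibble at runtime instead of being hard-coded.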
Re: PF or BPF
On Feb 13, 2006, at 5:16 PM, Ted Unangst wrote:

> On 2/13/06, Tony Sterrett <[EMAIL PROTECTED]> wrote:
>> I'm looking at the tradeoff of porting bpf with states from linux to OpenBSD. Daniel Hartmeier in "Design and Performance of the OpenBSD Stateful Packet Filter (pf)" says that pf is more efficient than bpf, so it may be pointless. On the other hand, having this facility would increase the richness of our toolkit.
>
> what you want to do is add the ability to attach a bpf filter to a pf rule, though i wouldn't try to wedge this functionality into pf.conf's grammar. i still haven't come up with much reason why you need bpf to express a rule pattern that can't be done with pf.

I'm not sure I'd do it in that way. I'm thinking if BPF provided stateful inspection it would be more useful. There are a few BPF enhancement projects like FFPF: Fairly Fast Packet Filters (Vrije Universiteit Amsterdam, The Netherlands) that add stateful packet inspection. I think this only runs in linux and it uses linux kernel hooks and therefore would need porting. So the notion was to port.

My reasoning for stateful BPF is mainly in the spirit of providing a rich toolset. Provide primitives not solutions. It will just provide an additional means of packet inspection. Also there is a lot of research that uses BPF in various ways: packet classifier, packet switching for grid, NIDS, reconfigurable networks, etc. Some of this may be useful in the future to a creative designer in ways unknown.

Respectfully,

Tony Sterrett
Re: PF or BPF
>> I'm not sure I'd do it in that way. I'm thinking if BPF provided stateful inspection it would be more useful.
>
> Asking for stateful inspection in bpf(4) is like wanting a carburettor for a pushbike. You might be able to shoehorn it in there, but it won't be pretty, will ruin its simplicity and probably won't be much use.

Yeah, this would be something in addition to BPF and not to alter BPF. I like the simple functionality, but I think it would be hard to manage complex rule(s). The language is a little clunky. Just think of doing something when you have to check protocol #, source and dst address and TCP flags. I guess the fact that BPF branches only forward does both simplify and limit its scope.

> FFPF is a different approach, and they (rightly) didn't use bpf(4) as their base implementation. Some of their ideas look pretty good, but if you are interested in pursuing them then you had probably best do it in parallel to the existing bpf(4) infrastructure.
>
> -d

I'm at the survey stage. I know about a number of efforts which apply BPF-like technology to lots of applications. As you say, FFPF has some neat ideas, and it is efficient (context switching, number of copies), more scalable (BPF is a little clunky, no loops) and able to handle more complex situations. It even has backward compatibility with BPF. However, it doesn't support BSD, as far as I know; I hadn't looked that closely for that reason. Might be interesting if it's not overly dependent on some linux kernel feature.

Respectfully,

Tony Sterrett
python2.4 glitch
I just compiled python2.4, which is recommended for Zope 2.9.0. There's a small glitch in configure. You'll get an error like below. It's late, so I just removed all references to define_xopen_source starting around 1488. This has to do with select. But the configure file is not set up to handle the kqueue/kqueue declaration of u_short and u_long. This configuration file doesn't handle 3.8 either. After removing define_xopen_source it compiled and tested.

    ---
    OpenBSD/2.* | OpenBSD/3.@<:@0123456@:>@)
    define_xopen_source=no;;
    # On Solaris 2.6, sys/wait.h is inconsistent in the usage
    # of union __?sigval. Reported by Stuart Bishop.
    SunOS/5.6)
    -

    mail# gmake
    gcc -pthread -c -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -I. -I./Include -DPy_BUILD_CORE -o Modules/python.o Modules/python.c
    In file included from /usr/include/sys/select.h:38,
                     from Include/pyport.h:116,
                     from Include/Python.h:55,
                     from Modules/python.c:3:
    /usr/include/sys/event.h:53: error: syntax error before "u_int"
    /usr/include/sys/event.h:55: error: syntax error before "u_short"
    gmake: *** [Modules/python.o] Error 1

Respectfully,

Tony Sterrett
Re: python2.4 glitch
> On Wed, Feb 22, 2006 at 03:21:38AM -0800, Tony Sterrett wrote:
>> I just compiled python2.4, which is recommended for Zope 2.9.0. There's a
>> small glitch in configure. You'll get an error like below. It's late,
>> so I just removed all references to define_xopen_source starting around 1488.
>> This has to do with select. But the configure file is not set up to
>> handle the kqueue/kqueue declaration of u_short and u_long. This
>> configuration file doesn't handle 3.8 either. After removing
>> define_xopen_source it compiled and tested.
>>
>> ---
>> OpenBSD/2.* | OpenBSD/3.@<:@0123456@:>@)
>> define_xopen_source=no;;
>
> why don't you use the python-2.4 packages, or the ports system?

This was the python version recommended. The last python available from ports was installed at the time; it was recognized by the build script and gave me the option of forcing the use of the older version. How's that for service. I'm just trying to reduce the space which I will have to search when a problem occurs.

Respectfully,

Tony Sterrett
booter Re: help me
Somebody should give him the boot.

Respectfully,

Tony Sterrett

On Feb 24, 2006, at 5:06 PM, julio perez wrote:

> hey, umm..I need help. Umm..can u send me the booter, so I could boot people. Cause it sucks. A lot of people keep bothering me. And some are really rude. Can u help me.plz.