This is getting close to OT but they are OpenBSD firewalls.
I am getting connections dropping out after being idle for exactly 5
minutes
The servers are 3.2 and 3.5 - (I know time to upgrade)
The dropouts occur on ssh as well as a redirected telnet session to an
internal server.
I am testing with
On Thu, 8 Sep 2005 16:07:27 -0400
"Monah Baki" <[EMAIL PROTECTED]> wrote:
> { $web_srvr1, $web_srvr2 } round-robin sticky-address
Try
rdr on $ext_if proto tcp from any to $carp5 port 80 \
-> { $web_srvr1, $web_srvr2 } round-robin source-hash
The above may be incorrect so you should check out t
Helo misc@
For those of you that haven't yet tried it, I love OpenBSD's spamd and
recommend it with two thumbs up.
At the behest of Jason Dixon, I (finally) set up spamd ~ a week ago,
and since then, it's *amazing* to see how many miscreants are getting
caught up in it. Our spam, previously ~
On Thu, 8 Sep 2005 20:10:48 -0300
Gustavo Rios <[EMAIL PROTECTED]> wrote:
> 0) Very high process overhead, i.e., each pair
> requires 2 other processes for monitoring, and
Considering how small these processes are it's not a real problem on
any even remotely modern hardware.
> 1) djb license: i be
Siju George wrote:
> Hi,
>
> One of my friends sent me this new OpenBSD website design he created.
> Please have a look at it :-D
>
> http://mayuresh.freeshell.org/openbsd/
>
> Thank you so much
>
> Kind Regards
>
> Siju
Changing the basic website look isn't something we are going to do
lightl
On Thu, 08 Sep 2005 11:14:20 -0400, Michel Hubert wrote:
> First, there are 2 computers on 2 different networks
>
> Computer1 (10.10.0.2) --- (10.10.0.5) OpenBSD 3.5 router --- (10.10.0.1)
> Novell router (10.0.0.1) --- Computer2 (10.0.0.11)
>
> 10.10.0.0/24 = ethernet
> 10.0.0.0/24 = Token-ring
On Thu, 8 Sep 2005, Uwe Dippel wrote:
> Any chance to see it in here; one day ?
if somebody does it..
--
And that's why we've come to you.
On Thu, 8 Sep 2005, Troex Nevelin wrote:
> This is not an ARP problem, because I change the MAC before bringing up
> the network and I tried "arp -da" but it didn't help; as I said, the NIC begins
> to work only in promiscuous mode
this is a good sign the driver needs to be fixed. (or the chip just can't
be g
On Thu, 8 Sep 2005, Gustavo Rios wrote:
Ok, I see! What, then, should I address more?
There is no guarantee that 3rd party code will be included in OpenBSD.
Frankly, the odds are against importing random software into base unless
it is quite wonderful, but getting software into ports is som
On Sep 8, 2005, at 7:46 PM, Edd Barrett wrote:
Any chance to see it in here; one day ?
No. (CDDL)
how about as a port?
I don't mean this to be inflammatory, but that's a stupid question.
If someone writes a yet-to-exist port for some yet-to-exist software,
and the quality meets the p
Ok, I see! What, then, should I address more?
Thanks once more.
2005/9/8, Damien Miller <[EMAIL PROTECTED]>:
> On Thu, 8 Sep 2005, Gustavo Rios wrote:
>
> > By using the BSD license, would I be able to confidently consider my tools
> > to be included within OBSD?
>
> this is a necessary but by no m
> > Any chance to see it in here; one day ?
>
> No. (CDDL)
>
how about as a port?
regards
edd
On Thu, 8 Sep 2005, Jeff Ross wrote:
This morning httpd was failing to deliver files because of a "too many open
files" error. I'd previously bumped kern.maxfiles from the default 1772 to
2048 and kern.maxvnodes from its default 1310 to 2048, so this morning I
doubled them both to 4096.
You p
On Thu, 8 Sep 2005, Gustavo Rios wrote:
By using the BSD license, would I be able to confidently consider my tools
to be included within OBSD?
this is a necessary but by no means sufficient quality.
Hey folks,
I am using obsd for shell server access. For monitoring daemons, I
use DJB daemontools. What I dislike about it is:
0) Very high process overhead, i.e., each pair
requires 2 other processes for monitoring, and
1) djb license: I believe in the old and good BSD one.
So, i decided to came
On Thu, 08 Sep 2005 15:05:11 -0600 "Jeff Ross" <[EMAIL PROTECTED]> wrote:
> I posted the following message to misc@ last May 31 but got no
> replies. The problem has gotten worse, even though I've now raised
>
> kern.maxfiles=16384
> kern.maxvnodes=16384.
Don't forget to make sure your login.con
fd leak in apache?
on one of our reverse proxies we have MaxKeepAliveRequests and
MaxRequestsPerChild set so as to make it difficult to leak. This made
our proxy go from running out of 4000 fds in a day to averaging about
120 fds in use.
From what I've seen it's usually MaxRequestsPerChild t
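The check a practitioner would want for the "too many open files" symptom in this thread, as an added example (not code from any poster): count numbered descriptors per httpd process from fstat(1) output and compare the system-wide total against kern.maxfiles, so the box can be watched before httpd starts failing. The fstat lines are constructed and only the USER, CMD, PID and FD columns are relied on; the layout of the later columns is an assumption.

```python
import re
import sys
from collections import Counter

# Constructed sample of fstat(1) output (not taken from a real host).  Only
# the USER, CMD, PID and FD columns are parsed; the rest is illustrative and
# the exact layout of the later columns is an assumption.
SAMPLE_FSTAT = """\
USER     CMD          PID   FD MOUNT        INUM MODE       R/W    DV|SZ
www      httpd       1201   wd /               2 drwxr-xr-x   r      512
www      httpd       1201    0 /dev            6 crw-rw-rw-   rw     null
www      httpd       1201    1 /var           42 -rw-r--r--   w      1024
www      httpd       1201    2 /var           42 -rw-r--r--   w      1024
www      httpd       1201    3* internet stream tcp 0xd1a2b3c0 10.0.0.1:80 <-- 10.0.0.2:1234
www      httpd       1202   wd /               2 drwxr-xr-x   r      512
www      httpd       1202    0 /dev            6 crw-rw-rw-   rw     null
root     sshd         812   wd /               2 drwxr-xr-x   r      512
root     sshd         812    3* internet stream tcp 0xd1a2b3d8 10.0.0.1:22 <-- 10.0.0.9:4433
"""

# USER CMD PID FD; the header line fails the \d+ PID match and is skipped.
FSTAT_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")


def _numbered_fds(fstat_output):
    """Yield (user, cmd, pid) for every numbered descriptor line, skipping
    the wd/root/text pseudo-entries fstat also prints for each process."""
    for line in fstat_output.splitlines():
        m = FSTAT_LINE.match(line)
        if not m:
            continue
        user, cmd, pid, fd = m.groups()
        if fd.rstrip("*").isdigit():      # a trailing "*" marks a socket
            yield user, cmd, int(pid)


def fds_per_process(fstat_output, cmd="httpd"):
    """Return {pid: open_fd_count} for every process whose CMD matches."""
    counts = Counter(pid for _, c, pid in _numbered_fds(fstat_output) if c == cmd)
    return dict(counts)


def fd_pressure(fstat_output, kern_maxfiles, warn_fraction=0.8):
    """System-wide descriptor count against kern.maxfiles; 'warn' is set once
    usage crosses warn_fraction, so a cron job can alert before httpd starts
    failing with 'too many open files'."""
    total = sum(1 for _ in _numbered_fds(fstat_output))
    return {"open": total, "maxfiles": kern_maxfiles,
            "warn": total >= warn_fraction * kern_maxfiles}


if __name__ == "__main__":
    # Real use: fstat | python3 fdcheck.py 16384
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FSTAT
    maxfiles = int(sys.argv[1]) if len(sys.argv) > 1 else 16384
    for pid, n in sorted(fds_per_process(text).items(), key=lambda kv: -kv[1]):
        print("httpd pid %d: %d open fds" % (pid, n))
    print(fd_pressure(text, maxfiles))
```

A per-process count that keeps climbing between MaxRequestsPerChild restarts is the leak signature discussed above; a total that sits near kern.maxfiles while every process is small points at too many processes instead. The per-process ceiling from login.conf (openfiles-cur for the daemon's login class) is the other limit worth comparing each pid against.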
On 9/8/05, Jeff Ross <[EMAIL PROTECTED]> wrote:
> I posted the following message to misc@ last May 31 but got no replies.
> The problem has gotten worse, even though I've now raised
>
> kern.maxfiles=16384
> kern.maxvnodes=16384.
>
> Here is the original message, with a current dmesg and /etc/sys
I posted the following message to misc@ last May 31 but got no replies.
The problem has gotten worse, even though I've now raised
kern.maxfiles=16384
kern.maxvnodes=16384.
Here is the original message, with a current dmesg and /etc/sysctl.conf:
Hi all,
This morning httpd was failing to deliver
Does anyone know what the max length of the preshared key in the
Authentication= field is? A pointer to an IKE RFC would also be nice, if the key
size is defined somewhere. Google told me some Ciscos accept up to 48
characters as PSK, but I couldn't find anything more specific.
I'm trying to connect to a
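An added example, not from anyone on this thread, on the RFC side of the question: RFC 2409 (IKEv1) section 5.4 defines the pre-shared-key SKEYID as prf(pre-shared-key, Ni_b | Nr_b), and section 3.2 makes the prf the HMAC form of the negotiated hash, so the RFC itself sets no maximum PSK length; any 48-character limit is an implementation choice, and isakmpd's own limit is not stated on this page. The Python below derives SKEYID with HMAC-SHA1 for PSKs of several lengths and demonstrates the one length property that does matter: per RFC 2104, a key longer than the hash block size (64 bytes for MD5 and SHA-1) is replaced by its digest before use, so a 200-byte PSK yields exactly the SKEYID of its 20-byte SHA-1 hash. The nonces are constructed.

```python
import hashlib
import hmac
import os


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, hash_name: str = "sha1") -> bytes:
    """IKEv1 pre-shared-key SKEYID per RFC 2409 section 5.4:
    prf(psk, Ni_b | Nr_b), prf being the HMAC of the negotiated hash."""
    return hmac.new(psk, ni_b + nr_b, getattr(hashlib, hash_name)).digest()


def effective_hmac_key(psk: bytes, hash_name: str = "sha1") -> bytes:
    """The key HMAC actually uses (RFC 2104 section 2): a key longer than the
    hash's block size is hashed first; a shorter one is used as is (and
    zero-padded internally).  Returned unpadded so it can be fed back in."""
    h = getattr(hashlib, hash_name)
    return h(psk).digest() if len(psk) > h().block_size else psk


def psk_length_report(psk: bytes, ni_b: bytes, nr_b: bytes, hash_name: str = "sha1") -> dict:
    """Classify a PSK's length against the HMAC block size and derive SKEYID."""
    block = getattr(hashlib, hash_name)().block_size
    return {
        "len": len(psk),
        "block_size": block,
        "hashed_before_use": len(psk) > block,
        "skeyid": skeyid_psk(psk, ni_b, nr_b, hash_name),
    }


# Constructed nonces; a real exchange takes them from the peers' NONCE payloads.
NI_B = bytes(range(16))
NR_B = bytes(range(16, 32))

if __name__ == "__main__":
    for psk in (b"short", b"x" * 48, os.urandom(200)):
        r = psk_length_report(psk, NI_B, NR_B)
        print("psk len %3d  hashed first: %-5s  skeyid %s..." %
              (r["len"], r["hashed_before_use"], r["skeyid"].hex()[:16]))
```

The practical consequence: a PSK past 64 bytes still works with any RFC-conformant peer, but beyond that point it is the digest that keys the prf, so the usable entropy is capped at the hash output size rather than growing with the string.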
Hi all,
I'm having problems implementing round-robin on a carp interface.
The rule that I have is
rdr on $ext_if proto tcp from any to $carp5 port 80 \
-> { $web_srvr1, $web_srvr2 } round-robin sticky-address
Does this look correct? It works if I remove:
{ $web_srvr1, $web_srvr2 }
(pardon, this mail may become a dup)
On Wed 2005.09.07 at 19:27 -0401, yippy ya yah wrote:
> trying to get a ppp tunnel over ssh working
As you've received other replies, I've been using the inetd loopback
trick for some time now. Yes, as it was noted, ugly. But it was a quick
workaround for m
On 8 Sep 2005, at 21:10, ober wrote:
try running arp -da
This is not an ARP problem, because I change the MAC before bringing up
the network and I tried "arp -da" but it didn't help; as I said, the NIC begins
to work only in promiscuous mode
--
born to create future
Troex Nevelin ([EMAIL
On Thursday 08 September 2005 01.28, yippy ya yah wrote:
> trying to get a ppp tunnel over ssh working
>
> server/gateway
> ---
> net.inet.ip.forwarding=1
>
> /etc/ppp/ppp.conf
> vpn:
> allow mode direct
> set ifaddr 10.1.1.1 10.1.1.2 255.255.255.255
>
> /etc/sudoers:
> pppus
try running arp -da
-Ober
On Thu, 8 Sep 2005, Troex Nevelin wrote:
I change the MAC on current/macppc with "ifconfig gem0 lladdr MAC"
and networking stops working. I run tcpdump to see what happens
and networking works again while tcpdump is running; if I run
"tcpdump -p" the network won't work.
Look
[ using 323864 bytes of bsd ELF symbol table ]
console out [ATY,Bee_A]console in [keyboard] ADB found
using parent ATY,BeeParent:: memaddr 9800 size 800, : consaddr
9c008000, : ioaddr 9002, size 2: memtag 8000, iotag 8000: width
1024 linebytes 1024 height 768 depth 8
Copyright (
I change the MAC on current/macppc with "ifconfig gem0 lladdr MAC"
and networking stops working. I run tcpdump to see what happens
and networking works again while tcpdump is running; if I run
"tcpdump -p" the network won't work.
Looks like after MAC change NIC works only in promiscuous mode.
Without MAC c
On Thu, Sep 08, 2005 at 07:25:52AM -0600, jared r r spiegel wrote:
mis-format on the two configs, please split them thus:
> -[peer a]
> [general]
> #default-phase-1-id=id1hklocal
>
> [phase 2]
> connections=cx
>
> [id1p54c]
> id-type=us
Roy Morris wrote:
I know this is not 'exactly' openbsd directly related but
I'll give it a go anyway. I am trying to copy remote 2
remote, basically to change the name of a file. It appears
> that the first half of the command works fine but the
> second half gets an authentication failure. I am not s
On Sep 8, 2005, at 11:22 AM, Uwe Dippel wrote:
Just read :DTrace comes to FreeBSD.
(http://bsd.slashdot.org/article.pl?
sid=05/09/08/1217229&tid=102&tid=7&tid=218)
*Coming to* and *comes to* are two different things. Devon just
started on this; there's no idea how long or if it will eve
Hi Stephan,
> Well, if I suggested to port netfilter to OpenBSD I would most
> probably be killed in seconds. ;)
If you're lucky. ;-)
You might want to check http://openbsd.unixtech.be/books.html and more
specifically get a hold of Jacek's book.
HTH... Nico
Hi,
I'm running 3.5 (will install 3.7 soon) and I get slow transfers on a
computer since the last time I rebooted my router.
First, there are 2 computers on 2 different networks
Computer1 (10.10.0.2) --- (10.10.0.5) OpenBSD 3.5 router --- (10.10.0.1)
Novell router (10.0.0.1) --- Computer2 (10.0
On 8 Sep 2005, at 16:13, Erik Wikström wrote:
>> # Put this macro at the top
>> if_dmz="xl2"
>> # Later on in the ruleset, deny everything but smtp to the DMZ
>> block in on $if_dmz keep state
>> pass in on $if_dmz from any to 1.2.3.4 port smtp keep state
>
> Wouldn't that block traffic from the
On 9/8/05, Roy Morris <[EMAIL PROTECTED]> wrote:
> I know this is not 'exactly' openbsd directly related but
> I'll give it a go anyway. I am trying to copy remote 2
> remote, basically to change the name of a file.
If you are working with remote files only, and you know they exist,
why not just
Stephan A. Rickauer wrote:
Gaby vanhegan wrote:
> $if_in="xl0"
$if_out="xl1"
pass in on $if_in keep state
pass out on $if_out keep state
Ok, let's stick to that example. Imagine a firewall having three
interfaces connecting Internet, LAN and DMZ. When I would like to
allow SMTP traffic t
I think the idea is that src-host has to have pubkey auth to
the dst-host, and make sure src knows dst's hostkey too!
cu
what I did was use sftp with the -b option. As you mention
as long as the public key auth is in place, it all works as
expected.
Thanks
Rm
Just read :DTrace comes to FreeBSD.
(http://bsd.slashdot.org/article.pl?sid=05/09/08/1217229&tid=102&tid=7&tid=218)
Any chance to see it in here; one day ?
Would be cool ... wouldn't it ?
Or do we see licence problems ?
Just asking,
Uwe
On 2005-09-08 16:51, Gaby vanhegan wrote:
On 8 Sep 2005, at 15:32, Stephan A. Rickauer wrote:
Gaby vanhegan wrote:
$if_in="xl0"
$if_out="xl1"
pass in on $if_in keep state
pass out on $if_out keep state
Ok, let's stick to that example. Imagine a firewall having three
interfaces connecting In
The patch for tethereal(1) is at
http://www.linbsd.org/setuid_tethereal.patch
This only works for capture mode. It takes an extra -u option for the
user. So create user _ethereal then run
tethereal -Nn -tad -u _ethereal -w foo
or decode the output. Either way this should remove the issue of ro
Making, drinking tea and reading an opus magnum from Roy Morris:
[Charset ISO-8859-1 unsupported, filtering to ASCII...]
> I know this is not 'exactly' openbsd directly related but
> I'll give it a go anyway. I am trying to copy remote 2
> remote, basically to change the name of a file. It appears
> "Bruno" == Bruno Rohee <[EMAIL PROTECTED]> writes:
Bruno> Capturing traffic by some other mean then analysing it with
Bruno> Ethereal under an unprivileged account might be safe,
Bruno> actually capturing an analysing traffic with Ethereal is
Bruno> definitely not, given its
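The separation Bruno describes, and the "capture as one user, decode as another" shape of the tethereal -u patch above, as an added example in Python (not the patch and not code from any poster): a privileged tool such as tcpdump -w writes the file, and the decoding half refuses to run as root, so a malformed packet that trips up a dissector is handled in a process with nothing to lose. The pcap bytes are constructed inline; every length field is checked against the buffer and the snaplen before use, which is the class of bug the privsep argument in this thread is about.

```python
import os
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
DLT_EN10MB = 1


def parse_pcap(data: bytes):
    """Decode an in-memory pcap file into a list of (ts_sec, ts_usec, frame).
    Both byte orders are accepted; every length is bounds-checked against
    the remaining buffer and the file's snaplen before it is trusted."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    if linktype != DLT_EN10MB:
        raise ValueError("this example only decodes DLT_EN10MB (Ethernet)")
    frames = []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record length exceeds snaplen or orig_len")
        if len(data) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        frames.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return frames


def decode_ethernet(frame: bytes) -> dict:
    """Minimal Ethernet II dissector: short frames are rejected, not sliced."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    fmt = lambda mac: ":".join("%02x" % b for b in mac)
    return {"dst": fmt(dst), "src": fmt(src), "ethertype": ethertype,
            "payload_len": len(frame) - 14}


def refuse_root(euid: int) -> bool:
    """True when the decode step must not proceed because it would run as root."""
    return euid == 0


def analyse_capture(data: bytes, euid=None):
    """The unprivileged half: run the dissectors over a finished capture,
    never as root.  euid is a parameter so the policy can be exercised."""
    if euid is None:
        euid = os.geteuid()
    if refuse_root(euid):
        raise PermissionError("refusing to run dissectors as root; use an unprivileged user")
    return [decode_ethernet(f) for _, _, f in parse_pcap(data)]


def _build_sample_pcap() -> bytes:
    """Constructed two-frame capture (not real traffic): one IPv4, one ARP frame."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)

    def rec(ts, frame):
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

    eth1 = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + b"\x45" + b"\x00" * 19
    eth2 = bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + b"\x08\x06" + b"\x00" * 28
    return hdr + rec(1126200000, eth1) + rec(1126200001, eth2)


SAMPLE_PCAP = _build_sample_pcap()

if __name__ == "__main__":
    for d in analyse_capture(SAMPLE_PCAP):
        print(d)
```

On a real host the first half is "tcpdump -w foo" run with the privileges bpf(4) needs, and the second is this script (or tethereal -r) run as a dedicated unprivileged account such as the _ethereal user proposed above; nothing in the decode path then needs root, so a dissector bug is contained.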
From: Stephan A. Rickauer [mailto:[EMAIL PROTECTED]
> Gaby vanhegan wrote:
> > $if_in="xl0"
> > $if_out="xl1"
> > pass in on $if_in keep state
> > pass out on $if_out keep state
>
> Ok, let's stick to that example. Imagine a firewall having three
> interfaces connecting Internet, LAN and DMZ. W
--On 08 September 2005 16:32 +0200, Stephan A. Rickauer wrote:
$if_in="xl0"
$if_out="xl1"
pass in on $if_in keep state
pass out on $if_out keep state
Ok, let's stick to that example. Imagine a firewall having three
interfaces connecting Internet, LAN and DMZ. When I would like to
allow SMTP tr
On 8 Sep 2005, at 15:32, Stephan A. Rickauer wrote:
Gaby vanhegan wrote:
$if_in="xl0"
$if_out="xl1"
pass in on $if_in keep state
pass out on $if_out keep state
Ok, let's stick to that example. Imagine a firewall having three
interfaces connecting Internet, LAN and DMZ. When I would like to
Gaby vanhegan wrote:
I came across the problem from the other direction. I found that I
needed to learn netfilter for use on a FreeBSD box. I grappled with
it for a couple of hours before finding out that it was quicker and
easier to build pf into the kernel and use that under FreeBSD. 2
9/8/2005, "Stephan A. Rickauer" <[EMAIL PROTECTED]>
wrote:
>Michał Ful wrote:
>> I had similar problem few months ago. In my case I used fwbuilder to
>> check how my netfilter rules looks in pf syntax. It was very helpful.
>
>Good that you mention that. I also use fwbuilder to manage my rule
On 8 Sep 2005, at 15:18, Stephan A. Rickauer wrote:
>> I had similar problem few months ago. In my case I used fwbuilder to
>> check how my netfilter rules looks in pf syntax. It was very helpful.
>
> Good that you mention that. I also use fwbuilder to manage my rule
> sets with netfilter. I tho
Gaby vanhegan wrote:
> $if_in="xl0"
$if_out="xl1"
pass in on $if_in keep state
pass out on $if_out keep state
Ok, let's stick to that example. Imagine a firewall having three
interfaces connecting Internet, LAN and DMZ. When I would like to allow
SMTP traffic to my mail server in the DMZ, fr
Michał Ful wrote:
I had similar problem few months ago. In my case I used fwbuilder to
check how my netfilter rules looks in pf syntax. It was very helpful.
Good that you mention that. I also use fwbuilder to manage my rule sets
with netfilter. I thought I could simply 'compile' a pf rule set
I know this is not 'exactly' openbsd directly related but
I'll give it a go anyway. I am trying to copy remote 2
remote, basically to change the name of a file. It appears
that the first half of the command works fine but the
second half gets an authentication failure. I am not sure
if this was by
On 8 Sep 2005, at 14:55, Stephan A. Rickauer wrote:
> Ok, I'll make it more concrete. If a machine has traffic going over
> two interfaces (router) a netfilter rule would look like this:
>
> iptables -A FORWARD -i in-iface -o out-iface ...
>
> It looks like with pf one achieves that with:
>
>
--On 08 September 2005 15:55 +0200, Stephan A. Rickauer wrote:
Ok, I'll make it more concrete. If a machine has traffic going over
two interfaces (router) a netfilter rule would look like this:
iptables -A FORWARD -i in-iface -o out-iface ...
It looks like with pf one achieves that with:
9/8/2005, "Stephan A. Rickauer" <[EMAIL PROTECTED]>
wrote:
>Thanks to the kind help on this list, my test firewall successfully runs
>OpenBSD 3.7 and is basically configured. I now need to think about
>migrating my existing netfilter rule set to pf and would like to ask
>also some general que
Ok, I'll make it more concrete. If a machine has traffic going over two
interfaces (router) a netfilter rule would look like this:
iptables -A FORWARD -i in-iface -o out-iface ...
It looks like with pf one achieves that with:
pass in on in-iface ...
pass out on out-iface ...
Is that bas
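A worked ruleset for the two questions above (the FORWARD-chain equivalent, and the three-interface case with an SMTP server in the DMZ), added here as an example and not a ruleset from anyone in this thread. pf has no forward chain: a forwarded flow is governed by the rule on the interface it arrives on and the rule on the interface it leaves by, and `keep state` on the inbound rule makes the replies match the state entry rather than needing a rule of their own. Interface names, addresses and the LAN/DMZ layout are assumptions; the syntax is the OpenBSD 3.7-era form, where `keep state` must be written out.

```pf
# Macros (assumed layout for the example)
ext_if="xl0"
lan_if="xl1"
dmz_if="xl2"
lan_net="192.168.1.0/24"
mail_srv="1.2.3.4"

# Default deny on every interface in both directions; log what is dropped
block in log all
block out log all
pass quick on lo0 all

# Internet -> DMZ mail server, SMTP only.
# "pass in on $ext_if" is the "-i in-iface" half of an iptables FORWARD
# rule and "pass out on $dmz_if" the "-o out-iface" half.  keep state on
# the inbound rule lets the server's replies back out $ext_if without a
# separate rule; flags S/SA creates the state only on the initial SYN.
pass in  on $ext_if proto tcp from any to $mail_srv port smtp flags S/SA keep state
pass out on $dmz_if proto tcp from any to $mail_srv port smtp keep state

# LAN -> DMZ mail server: same service, different inbound interface.
# The "pass out on $dmz_if" rule above already covers the outbound half.
pass in  on $lan_if proto tcp from $lan_net to $mail_srv port smtp flags S/SA keep state

# Nothing is passed in on $dmz_if, so the default deny still stops a
# compromised DMZ host from opening connections toward the LAN or out.
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss` while a session is open to see the single state entry that carries both directions of the flow.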
--On 08 September 2005 14:53 +0200, Florian wrote:
ok, squid, but what about POP and SMTP ?
What are you looking for in POP or SMTP proxies?
pop-gw from fwtk might suit your POP requirement, but PF rdr might be
equally suitable (especially combined with authpf to give strong
authentication,
Hello
On 8 Sep 2005, at 13:55, Stephan A. Rickauer wrote:
Thanks to the kind help on this list, my test firewall successfully
runs OpenBSD 3.7 and is basically configured. I now need to think
about migrating my existing netfilter rule set to pf and would like
to ask also some general que
--On 08 September 2005 14:55 +0200, Stephan A. Rickauer wrote:
If I understand correctly, pf has no 'forward' chain like netfilter
(which is probably by design).
I'm guessing at what netfilter 'forward chain' means here since
(presumably like many people here) I don't have much need to admin
Florian wrote:
ok, squid, but what about POP and SMTP ?
Hmm, a proxy for SMTP?
What about sendmail, postfix, qmail, etc?
Almost every MTA should work as an SMTP proxy (i.e. is an SMTP proxy)
Proxy for pop?
Never used one of them
but have you looked at
balance-2.33.tgz
nylon-1.2.tgz
proxy-suite
I've been trying to write an isakmpd.conf for two peers to establish
IPsec after using x509 certs for Phase 1. Each peer has a copy of the
CA cert in /etc/isakmpd/ca, has their own public cert in /etc/isakmpd/certs,
and their private key in /etc/isakmpd/private. I used the procedure
doc
Thank you everyone
Sebastian .Rother wrote:
Jakob Schlyter wrote:
On Thu, 8 Sep 2005, Matt Jibson wrote:
I believe that Ethereal has improved greatly since when it was
removed from
ports.
surely, but has security improved? does it have privsep? until that
has changed, ethereal will not come back. sor
Hi,
You can use rdr pass rules so you only have 1 rule setting.
I don't know if you can use logging on that rule.
Kind regards
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Gaby vanhegan
Sent: Thursday 8 September 2005 15:05
To: misc@openbsd.org
Subjec
On Thu, Sep 08, 2005 at 03:10:41PM +0200, Sebastian .Rother wrote:
> >
> >surely, but has security improved? does it have privsep? until that
> >has changed, ethereal will not come back. sorry.
> >
> >jakob
>
>
> Then drop all ports!
> Has Gnome Priv-Sep? hydra? nmap? KDE? xpdf? XMMS? mplaye
We use Postfix to handle incoming and outgoing mail routing (with some
cbl's). POP we just use dovecot on our mail server... we don't do
anything to proxy it...
On Thu, 8 Sep 2005 14:53:57 +0200
"Florian" <[EMAIL PROTECTED]> wrote:
> ok, squid, but what about POP and SMTP ?
>
--
Bill Chm
Jakob Schlyter wrote:
On Thu, 8 Sep 2005, Matt Jibson wrote:
I believe that Ethereal has improved greatly since when it was
removed from
ports.
surely, but has security improved? does it have privsep? until that
has changed, ethereal will not come back. sorry.
jakob
Then drop a
On 8 Sep 2005, at 13:55, Stephan A. Rickauer wrote:
> Thanks to the kind help on this list, my test firewall successfully
> runs OpenBSD 3.7 and is basically configured. I now need to think
> about migrating my existing netfilter rule set to pf and would like
> to ask also some general quest
On Thu, Sep 08, 2005 at 02:53:57PM +0200, Florian wrote:
> ok, squid, but what about POP and SMTP ?
spamd(8) is something like an SMTP proxy
reyk
--
/* .vantronix|secure systems - (research & development)
* reyk floeter - friendly known free software engineer
* [EMAIL PROTECTED] - http://team.
I like the new design better. Looks better in Lynx too.
--ja
--
Thanks to the kind help on this list, my test firewall successfully runs
OpenBSD 3.7 and is basically configured. I now need to think about
migrating my existing netfilter rule set to pf and would like to ask
also some general questions to understand the concept(s) sufficiently.
If I understand
ok, squid, but what about POP and SMTP ?
On 9/8/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Quoting Siju George <[EMAIL PROTECTED]>:
>
> > Hi,
> >
> > One of my friends sent me this new OpenBSD website design he created.
> > Please have a look at it :-D
> >
> > http://mayuresh.freeshell.org/openbsd/
> >
> > Thank you so much
> >
>
I'm using a spam blocking setup utilizing procmail, relaydb,
spamd-setup and pf.
The problem is that if I specify DROPPRIVS in my /etc/procmailrc:
DROPPRIVS=yes
:0fw
| /usr/local/bin/spamc
:0c
* ^X-Spam-Status: Yes
| /usr/local/bin/relaydb -b
:0:
* ^X-Spam-Status: Yes
in-x-spam
:0c
| /usr/loca
recompiling sshd with
includes.h:#define USE_PIPES 1
removed would also help.
I think it's better to fix ppp(8)
squid
-Original Message-
From: Florian [mailto:[EMAIL PROTECTED]
Sent: Thursday 8 September 2005 11:49
To: misc@openbsd.org
Subject: firewall products
good morning
i'll have to build a complete firewall solution with OpenBSD.
which products do you prefer for security proxy integration
good morning
i'll have to build a complete firewall solution with OpenBSD.
which products do you prefer for security proxy integration
for HTTP, FTP, POP, SMTP and GENERIC ?
Thanks for answers
florian
Quoting Siju George <[EMAIL PROTECTED]>:
> Hi,
>
> One of my friends sent me this new OpenBSD website design he created.
> Please have a look at it :-D
>
> http://mayuresh.freeshell.org/openbsd/
>
> Thank you so much
>
> Kind Regards
>
> Siju
>
>
It's clean and far more viewable in (e)links.
I wo
On 09/08/05 06:29, Bruno S. Delbono wrote:
Siju George wrote:
Hi,
One of my friends sent me this new OpenBSD website design he created.
Please have a look at it :-D
http://mayuresh.freeshell.org/openbsd/
Fresh and neat. I like it.
Very well structured. A linear setup so people can read w
The message you sent to the list 'Apc.lac' with the subject:
(no subject)
has been held pending review and approval by the list moderator.
It was held because:
Message addressed to a private list from an address
that is not a member of the list
Or it was sent
On Wed, Sep 07, 2005 at 07:27:24PM -0401, yippy ya yah wrote:
> trying to get a ppp tunnel over ssh working
>
> server/gateway
> ---
> net.inet.ip.forwarding=1
>
> /etc/ppp/ppp.conf
> vpn:
> allow mode direct
> set ifaddr 10.1.1.1 10.1.1.2 255.255.255.255
>
> /etc/sudoers: