-paper.pdf
From what I am seeing, there is a kernel module and userland pieces
available for Linux and FreeBSD to support this capability. In addition to
Stuart's point on the US crypto code base as it relates to export
restrictions, it is also hardware designed by a US company for strong
crypto.
Axton
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
lm1: disabling sensors
uhidev0 at uhub4 port 2 configuration 1 interface 0 "Winbond Electronics
Corp Hermon USB hidmouse Device" rev 1.10/0.01 addr 2
uhidev0: iclass 3/1
ums0 at uhidev0: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
uhidev1 at uhub4 port 2 configuration 1 interface 1 "Winbond Electronics
Corp Hermon USB hidmouse Device" rev 1.10/0.01 addr 2
uhidev1: iclass 3/1
ukbd0 at uhidev1: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (4dcb2d0a1b8a2fe9.a) swap on wd0b dump on wd0b
Axton Grams
On Tue, Mar 13, 2012 at 4:37 AM, lilit-aibolit wrote:
> 12.03.2012 18:01, Axton wrote:
>
>> On Mon, Mar 12, 2012 at 9:44 AM, lilit-aibolit
>> wrote:
>>>
>>> Hello misc, please give me some advice
>>> to buy low-power and low-noise HW.
>>> My
port 1 configuration 1 interface 1 "Logitech Logitech
Illuminated Keyboard" rev 2.00/55.01 addr 2
uhidev3: iclass 3/0, 16 report ids
uhid0 at uhidev3 reportid 3: input=7, output=0, feature=0
uhid1 at uhidev3 reportid 16: input=6, output=6, feature=0
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (4dcb2d0a1b8a2fe9.a) swap on wd0b dump on wd0b
Axton Grams
tcp from to port smtp \
tag SPAMD rdr-to 127.0.0.1 port 8025
I'm not familiar enough with rdr-to to know if this requires changes.
Based on my reading it does not appear to require a change, but
someone needs to check me on this.
Axton Grams
On Thu, Nov 3, 2011 at 1:33 PM, Bentley, Dain wrote:
> Hello Axton...cool name by the way.
>
> I noticed the match statements work for me as well. Perhaps it is
> required?
This changed with 4.7: http://openbsd.org/faq/upgrade47.html#newPFnat
More details available here:
http://
INT_INET keep state
pass in on $if_int inet6 proto ipv6-icmp tag INT_INET keep state
pass in on $if_srv proto tcp from { $net4_srv, $net6_srv } tag SRV_INET
pass in on $if_srv proto udp from { $net4_srv, $net6_srv } tag SRV_INET
keep state
pass in on $if_srv inet proto icmp from $net4_srv icmp-type $icmp_types
tag SRV_INET keep state
pass in on $if_srv inet6 proto ipv6-icmp tag SRV_INET keep state
# policy enforcement
# networks to internet (ipv4)
pass out quick on $if_ext tagged INT_INET_NAT
pass out quick on $if_ext tagged SRV_INET_NAT
# internal network to other networks (ipv4)
pass out quick on $if_srv tagged INT_INET
# server networks to other networks (ipv4)
pass out quick on $if_int tagged SRV_INET
Axton Grams
dn't care to have another process running.
Things have been working since then (I can auth to apache via
mod_auth_kerb through FF, IE, Chrome). I plan to test on another
machine to verify, but still some unknowns. This was on Windows 7.
Axton Grams
't work 100% correctly on boot. If I "sh
/etc/netstart" again, it begins working. Strange.
>
>
> Regards,
>
>
> Mark
>
For a 6to4 tunnel, you can use something like this in your
hostname.gif so that it works on boot:
$ cat /etc/hostname.gif0
tunnel LOCAL_IP4 DEST_IP4
inet6 LOCAL_IP6
dest DEST_IP6
!/sbin/route -n add -inet6 default LOCAL_IP6
!/sbin/route change -inet6 default -ifp gif0
Axton Grams
On Mon, Apr 25, 2011 at 1:46 PM, Denny White wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> On Mon, Apr 25, 2011 at 10:39:49AM -0400, Dave Anderson spoke thusly:
> > My set just showed up (near Boston, Mass.)
> >
> > Dave
> >
> > --
> > Dave Anderson
> >
>
> And in Biloxi,
On Wed, Jan 5, 2011 at 10:14 AM, Mike. wrote:
> On 1/4/2011 at 10:57 PM Josh Smith wrote:
>
> |
> |pass in on $int_if0 # pass all incoming traffic on our internal interface
> |pass in on $int_if1 # pass all incoming traffic on our internal interface from the test network
> =
>
On Fri, Dec 3, 2010 at 8:13 AM, wrote:
> On Fri, 3 Dec 2010, Patrick Lamaiziere wrote:
>
> > On Fri, 3 Dec 2010 19:28:19 +0800 (CST),
> > shweg...@gmail.com wrote:
> >
> >> Hello, I'm considering buying a Soekris net5501-70 and install
> >> OpenBSD on it to make myself a small server and use
en the physical interfaces and vlan
devices as well, but I moved to 1gb instead of 4x100mb interfaces.
Axton Grams
On Thu, May 13, 2010 at 6:52 AM, Marcus Larsson wrote:
>
> Hello!
>
> I have a server acting as a router and firewall running 4.6-stable
> from Apr 24 with an Intel
-Family_ISA_Instructions_and_Microcode.pdf
- Axton Grams
On Sun, May 24, 2009 at 2:52 PM, Axton wrote:
> The vlan id for my em0 interface is not reading properly after upgrading to
> 4.5.
>
> Tcpdump shows some wild vid values in the traffic when using em0:
>
> * This traffic should be on vlan2 (lan)
> 00:21:70:c5:3d:4f ff:f
XL" rev 0x27
wsdisplay0 at vgafb0 mux 1: console (std, sun emulation)
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 "Sun OHCI root hub" rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 4 configuration 1 interface 0 "Sun Microsystems Type 6
Keyboard" rev 1.00/1.02 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 33
wskbd0 at ukbd0: console keyboard, using wsdisplay0
softraid0 at root
bootpath: /p...@1f,0/i...@d,0/d...@0,0
root on wd0a swap on wd0b dump on wd0b
Thanks,
Axton Grams
(see ip(4) and ip6(4)) and layer 4 (see icmp(4),
icmp6(4), tcp(4), udp(4)) headers. In addition, packets may also be
assigned to queues for the purpose of bandwidth control.
>
> /Markus
>
>
Look into reverse proxies:
http://www.sans.org/reading_room/whitepapers/webservers/302.php
Axton Grams
On Jan 28, 2008 11:05 PM, Richard P. Koett <[EMAIL PROTECTED]> wrote:
> Dear Misc:
>
> I've been asked to look into an issue on a i386 system running OpenBSD 3.7. I
> realize this is rather out-of-date, so feel free to ignore this question if
> it's inappropriate...
>
> The machine is running popto
e way you authenticate to ssh isn't weak.
I use key based authentication and don't use passwords. This gives
me peace of mind. It's a bit harder to guess and I don't have to
worry about accounts with weak passwords. I also only allow specific
users to authenticate to ssh. The DoS hits I get periodically are the
ones that bother me.
Axton Grams
the net (nothing from openbsd.org):
http://home.nuug.no/~peter/pf/en/long-firewall.html#AEN415
Thanks,
Axton Grams
).
I'm a C newbie and I'm trying to learn, so don't beat me with the clue
stick too hard.
Axton
C 50 - vlan2
10.180.16/24 link#11UC 10 - vlan10
10.180.17/24 link#14UC 10 - vlan30
x.x.x/21 link#13UC 10 - vlan3
127/8 127.0.0.1 UGRS00 33192 lo0
127.0.0.1 127.0.0.1 UH 2 708 33192 lo0
224/4 127.0.0.1 URS 00 33192 lo0
Axton
32-bit PCI
Promise FastTrack sx4000
Chip Num: Promise ATARAID5 PDC20621
Chip Num: MX MO20750 29LV400BTC-90 2F502800
ASSY 0116-00 REV A5
Axton Grams
-base, it probably won't be so clear.
With the MMC snap-in, you can export the settings, then another user can
import those settings, at which point only minor changes are required to
make it work (configure the ip for your end of the tunnel). The same
applies to the command line approach.
Axton Grams
Stuart Henderson wrote:
> On 2006/10/08 15:31, Axton Grams wrote:
>> While working with the trunk and vlan features of OpenBSD, I ran into
>> one thing that I do not understand. In order to use a trunk device for
>> multiple vlan's, the trunk device must have an ip a
vided, please chime in.
Read some postings about changing mtu on vlan devices, but don't know
enough to know what to do. I do know that vlan ids are 12-bit numbers,
so not sure if an mtu of 1503 is appropriate or not.
Thanks for any insight,
Axton Grams
d to make sure things aren't slipping through that
shouldn't, but working good so far.
You should be able to block/allow whatever traffic you want between the
two networks with rules that follow this format, just specify the dports:
pass in on $if_enc from $net_int to $net_dmz tag VPN_INT \
keep state
pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET
Axton
Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your
> ipsec.conf on the firewall look like?
>
> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
>> Hoping someone can point me in the right direction to get isakmpd working.
Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your
> ipsec.conf on the firewall look like?
>
Some updated info:
For whatever reason, the last two packets in the packet capture show a
DELETE action:
20:14:24.117160 10.107.208.20.isakmp > router.arswiki.org.
Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
>> Hoping someone can point me in the right direction to get isakmpd working.
>>
>> The scenario:
>> - the router drops all traffic directed to it from the dmz net
>> - the router drops all traffic destined for the
p 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI
0x633b612e
141649.593627 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x47986c00)
Thanks,
Axton Grams
Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your
> ipsec.conf on the firewall look like?
>
emoving event
exchange_free_aux(0x44909200)
155406.461707 Timr 10 timer_handle_expirations: event
message_send_expire(0x4d2dab00)
155406.463417 Timr 10 timer_add_event: event
message_send_expire(0x4d2dab00) added before
connection_checker(0x4fe41420), expiration in 9s
Thanks,
Axton Grams
t inet proto udp from $net_int to \
port $lan_udp_out keep state
pass out on $if_ext inet proto udp from $net_int to \
port $lan_udp_out keep state
I just typed those up, so there may be inaccuracies. Hopefully you get
the idea behind the structure.
Axton Grams
000/mo for hardware
~20,000/mo for a team of developers
You all write good software, count me at a dollar a day paid monthly.
Surely more people can afford the same?
Axton Grams
plement the VRT rules.
The one thing that is missing while using snort on BSD is the ability
to run snort inline, where you can have snort block certain network
traffic based on rules (aka IPS). There is a project, pq -
http://www.openbeer.it/?open=pq that is attempting to address this for
BSD.
You have to request an oink code to get the VRT rules using
oinkmaster. This is free with a registered account.
Axton Grams
st the AD tree or replicate
the tree entirely or partially to openldap and manage/use that tree.
Seems that some LDAP implementations have problems replicating password
information, though I can't remember the specifics.
This page has a little info that may help:
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes
Axton Grams
pfctl -Fs flushes the state table. Bear in mind this will drop your
current ssh session to the firewall if that is how you access it.
pftop has a nice layout of the state table if you want to see which
rules/stats are allowing traffic.
Axton Grams
On 3/8/06, Stuart Henderson <[EMAIL PROTEC
.108
ns15.zoneedit.com. 134976 IN A 69.10.134.195
;; Query time: 301 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon Mar 6 10:39:00 2006
;; MSG SIZE rcvd: 238
Am I missing something? Was expecting to find an openssh/openbsd
exploit since he touts how numerous/easy they are.
Axton Grams
On
X1034A 501-5406; Using a 32bit pci slot though the card is 64-bit.
Machine is a sunblade 100 with a 500mhz ultrasparc [EMAIL PROTECTED] w/ 768mb
ram.
pf was managing 25 states at the time of the test.
Axton Grams
-- Miguel wrote
Hi, i read in the archives a lot of references about poor performance
problem by booting from cd and running the
upgrade install back to the hd.
Any insight as to why this would happen?
Thanks,
Axton Grams
Does anyone see a problem if the wiki server were hosted in the US?
Axton Grams
On 1/22/06, Srebrenko Sehic <[EMAIL PROTECTED]> wrote:
> There is OpenBSD Server Hardware Compatibility List (OSCL). But that
> only covers stock hardware from major vendors. But it's constantl
Is there a capability with pf to send packets to userspace for
handling/manipulation, whereby they can be returned back to the
kernel, similar to the queue facilities available in iptables?
Axton
check for security bugs includes Apache, BIND, Ethereal, KDE, Linux,
Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL..."
http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-1002_3-6025579.html
Axton
44 matches