nding on the interface in
> backup-state.
>
> Med Venlig Hilsen / Best Regards
> Henrik Dige Semark
>
> On 2018-07-26 22:57, Martin Gignac wrote:
> > Hi,
> >
> > How does one implement a redundant OpenBSD firewall pair with IPv6?
> >
> > With IPv4 I would
Hi,
How does one implement a redundant OpenBSD firewall pair with IPv6?
With IPv4 I would use CARP to have one of the boxes be the
master/active while the other one is backup/standby. But with IPv6 I
want to use Router Advertisements so that hosts on the internal
network can use SLAAC for IPv6 ad
> Not sure if it's going to be any use for your particular setup, but if
> these are coming in as AS External LSAs ("ospfctl sh da ext") and you
> have a way to get an "External route tag" set on them, you can have
> ospfd tag the routes with a route label, and then PF can match addresses
> on rout
> If you want PF, go back and read about it. Learn to handle it in the
> way it was designed, don't try to blend it to whatever you used
> before. It's useless if you do that.
I get your point, I really do. I'm just trying to figure out a way
*not* to have to specify each and every subnet behind a f
Hello,
I'm currently running Windows 10 on an HP ZBook 15 G4 and I am trying
to install OpenBSD 6.3 to a USB key so that I can boot it on this
laptop during times when I need something better than Windows for
network troubleshooting (such as proper VLAN support).
Unfortunately, while the install
> It looks like 'received-on' would be a cleaner and shorter way to
> achieve my goal by allowing me to specify inbound and outbound
> interfaces in the same rule.
>
I think I spoke too quickly; it would be an alternative way, but not a
shorter one as I would still need the initial "pass in lab01"
> You could also replace the above with "pass in on $lab02 received-on $lab01".
Oh, I completely missed the 'received-on' statement in the OpenBSD
pf.conf man page! (I have to support a pfSense for the moment so I'm
alternating between the OpenBSD and FreeBSD man pages [the latter does
not support
> I imagine you meant "pass out on $lab02 tagged from_lab01".
You're absolutely right Ken!
Thanks,
-Martin
Hello,
In Juniper SRXes and Netscreen firewalls one defines security policies
(firewall rules) according to a "from" security zone, and a "to"
security zone. Rules within each "from-to" combo can then focus on
allowing or blocking individual IP subnets if required.
In Linux, the FORWARD chain is
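The interface-pair policies discussed in the received-on thread above, and the "from zone / to zone" question in this post, side by side in one pf.conf. This is an added example, not a ruleset from any of the posts: the $lab01/$lab02 macros and the from_lab01 tag are the thread's own, while em1/em2 and the group names trust/untrust are assumptions standing in for SRX/Netscreen-style zones.

```pf
# Added example, not from the thread.  $lab01/$lab02 and the from_lab01
# tag come from the thread; em1/em2 and the 'trust'/'untrust' group
# names are assumptions standing in for SRX/Netscreen-style zones.
lab01 = "em1"
lab02 = "em2"

set skip on lo0
# Bind states to the interface that created them.  With the default
# floating policy the state created by a 'pass in' rule alone carries the
# packet out of any interface, and the egress rules below are never
# evaluated.
set state-policy if-bound

block drop log all

# Way 1: tag on ingress, test the tag on egress.  Tags live in the
# kernel's packet metadata, not on the wire, and survive routing
# between interfaces.
pass in  on $lab01 tag from_lab01
pass out on $lab02 tagged from_lab01

# Way 2: received-on names the ingress interface on the egress rule, so
# no tag is needed.  The ingress rule is still required: 'block drop all'
# would otherwise stop the packet before it is ever routed.
pass in  on $lab01
pass out on $lab02 received-on $lab01

# Way 3: zones.  Put interfaces into groups with
#     ifconfig em1 group trust
#     ifconfig em2 group untrust
# A group name works anywhere an interface name does, so one rule covers
# every interface in the zone, and every subnet behind it, without
# listing addresses.
pass in  on trust
pass out on untrust received-on trust
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check; `pfctl -s rules` then shows the group and interface names exactly as written, and `ifconfig -g trust` lists which interfaces a rule on `trust` currently covers.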
Hello,
I am currently experimenting with OpenBGPD using OpenBSD VMs on
VirtualBox.
I've noticed that, given interface em1 to which I've assigned address
192.168.1.1/24, if I either execute 'ifconfig em1 down' or virtually
unplug em1 from VirtualBox the following happens:
1. The 192.168.1.0/24 rou
Hi,
With a fresh install of a 5.7 snapshot on amd64 (OpenBSD 5.7-beta (GENERIC)
#805: Sun Feb 22 03:09:53 MST 2015) I have noticed the following:
With this pf ruleset:
$ sudo pfctl -s r
block drop all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
block dro
Hi,
This morning I installed the latest 5.7 snapshot from install57.fs and I've
noticed that, unless I disable "radeondrm" in the kernel, the boot process
hangs at "setting tty flags". By disabling "radeondrm" I can successfully
boot to the login prompt, but I am not able to start X.
Is there a w
> I am looking for an advice of which issue tracking system to use for a
> small team of admins (4 members)?
Roundup?
http://roundup.sourceforge.net/
-Martin
Someone contacted me off-list and suggested I disable acpi in the
bsd.rd kernel before booting it.
It worked.
boot> boot bsd.rd -c
UKC> disable acpi
UKC> quit
Thanks,
-Martin
Hi Misc,
I am trying to re-install an OpenBSD 4.0-current machine from scratch
by using the bsd.rd from a very recent 4.5 snapshot. However, during
booting the system "stalls" at the line:
rd0: fixed, 3800 blocks
and stays there forever. I have tried booting from my OpenBSD 4.5
release CD but it
I'm in Montreal as well and just ordered them from the Computer Shop:
http://www.openbsd.org/orders.html#ca/cshop
-Martin
> The Mitel phones complain that option 128 is missing (I take this to
> mean that it has the wrong format or type since it's obviously there)
> and go no further.
Have you tried taking a packet capture of the DHCP dialog when using
Linux and when using OpenBSD, and then comparing the DHCP Offe
>> unless you anchor/proxy all media as well on the
>> Asterisk (I don't know Asterisk so I don't know if it does that).
>
> it does, and most people run it that way (canreinvite=no).
Good to know.
Thanks,
-Martin
>> What do you mean exactly by "just works"? Are the external phones
>> supposed to talk with the internal phones?
>
> Not directly, they go through the server
I'm guessing only the SIP signalling goes through the Asterisk server,
and not the RTP media (i.e. you don't do any kind of media anchorin
> OpenBSD PF firewall consisting of ext, DMZ, internal/private interfaces.
> VOIP server sitting in the DMZ.
> Multiple (pick any number, 5, 10, 100) SIP phones in the private LAN.
> Multiple mobile (pick any number, 5, 10, 100) SIP phones anywhere in the USA.
> (NOTE: Mobile means they are carried
> The upgrade43 guide does not mention that /etc/ftpusers shouldmust be
> changed.
Isn't it indicated here?:
http://www.openbsd.org/faq/upgrade43.html#etcUpgrade
-Martin
Hi all,
I have a question concerning some differences in pf rules display with
regards to pfctl, pftop, and systat (using a 4.4 snapshot downloaded
today).
My scrub, NAT and filter sections in my 'pf.conf' look like this:
scrub on $wan_if random-id reassemble tcp
nat on $wan_if from !($wan_if) -
On Tue, 20 May 2008, Kendall Shaw wrote:
Can you also help me understand these words about -current, from the
FAQ:
"There are also flag days and major system changes that the developers
navigate with one-time tools, which mean that source-based updating is
not possible."
There are changes that
On Tue, 20 May 2008, Kendall Shaw wrote:
I'm following -stable until I read some more, and I'm unclear on some
aspects of syncing source.
There was an earlier post about why there are no security patches for
4.3 listed at:
http://www.openbsd.org/pkg-stable.html
Is that different from:
http:/
Hi,
I've been trying to figure out how to change the indent length when
pressing the TAB key in mg from the standard 8 spaces to 4, but I haven't
been able to find any setting that would seem to achieve this.
The man page and Google didn't turn up anything.
Is this at all possible in mg?
Th
If that's what you meant, isn't that behavior normal? Considering that (as
the PF user's guide puts it):
"Note that queueing is only useful for packets in
the outbound direction. Once a packet arrives on an interface in the
inbound direction it's already too late to queue it -- it's alread
I will try, thanks for the info. Just to make sure I'm not dealing with
a bug, can anyone try this? Just set a global limit on an interface
($int_if), then do an ftp transfer to the gateway (the one with the
PF+ALTQ) and time the put and get transfers with a large file.
When I get a download
> For the installation file sets you can use the download script from
> http://www.bsdforums.org/forums/showthread.php?s=&threadid=22727
>
> Besides using these sets to create your own ISO you alternatively can use
> them in the environment friendly USB-mediazine method as described in
> http://www
As someone kindly pointed out I was using the term "packages" when I
should have used "file sets".
-Martin
Hi,
Yesterday evening I downloaded the install42.iso, cd42.iso and all
*.tgz packages from the i386 snapshots directory on the
ftp.openbsd.org website. All files had a timestamp of Sept. 24. I then
ran them through MD5 to make sure they matched the expected checksum.
This morning I performed two
Hi Maurice,
> Can you check whether this is fixed when you add 'weight 1' to each
> server line in ntpd.conf?
Yup, that did it. :-)
> There were some changes in ntpd a couple of weeks ago (new correction
> keyword to compensate the offset of radio clocks and some changes in the
> parser) and the
Hi,
I recently installed two OpenBSD systems from an i386 snapshot dated
September 13th; one in a VMware machine and one on actual physical
hardware.
A couple of days later I noticed that both servers were *not*
date/time synced with the NTP server in my lab, even though I run
OpenNTPD on all my
>One more just donated $100.
And here's another one.
Ditto.
-Martin
--
"Suburbia is where the developer bulldozes out the trees, then names
the streets after them."
--Bill Vaughan
On 3/15/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
do everything else but that.
really.
this is never ever your problem, except you do weird things with
tunnels or the like.
Gotcha.
-Martin
I think this can be explained by the default state policy (which is
floating) in pf. Consult the man page and look for 'set state-policy'.
I think that by default, because you're letting the packets through in
your first 'pass' rule you create state. When you get to the outside
interface you match
On 12/5/06, Ryan Corder <[EMAIL PROTECTED]> wrote:
I never said that ping wasn't a good test...if I could use ping I would.
However, in the setup where I have two machines, A and B that have
addresses 192.168.2.5 and 192.168.2.6 respectively and an IPSec tunnel
setup as so:
A - ike esp from
On 12/4/06, Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote:
>if anyone knows, what is a good way to test a host 2 host VPN? Since
>I'm not routing two different networks across the VPN, there is nothing
>easy to test like pinging a host on the other end of the tunnel.
this is easy enough to setup
On 10/23/06, z0mbix <[EMAIL PROTECTED]> wrote:
Also, OpenVPN
2.0.6 is quite old now. The latest release is 2.0.9.
Yes, but if you look at the changelog
(http://openvpn.net/changelog.html) you'll see that versions 2.0.7 -
2.0.9 only address Windows-specific issues, hence I think this is why
the
On 10/23/06, Heinrich Rebehn <[EMAIL PROTECTED]> wrote:
Shouldn't openvpn write to /var/db or /var/log?
I don't know if these locations can be hardcoded at compile time, but
from the stock OpenBSD OpenVPN package that I use (2.0.6) it seems
that files will be read/written relative to the CWD w
On 10/20/06, Bill Chmura <[EMAIL PROTECTED]> wrote:
I have set verbosity to 5 and watched it. I get lots of W (Writes) and
R's (Reads) while it is idle, which I was thinking was the pings. On the
client side I would see WRWRWRWRWRW... (drop and reset)
I've never had problems with Open
On 10/19/06, Bill <[EMAIL PROTECTED]> wrote:
The problem was with the "ping" that happens between OpenVPN endpoints
not being returned and the connection resetting every minute or so.
From the OpenVPN man page:
--ping n
Ping remote over the T
On 10/19/06, Martin Gignac <[EMAIL PROTECTED]> wrote:
Hey man, great idea! I'll try it out.
Yup, tried a restore(8) via HTTP and it worked fine!
Thanks again for the tip.
-Martin
On 10/19/06, Bob Beck <[EMAIL PROTECTED]> wrote:
My typical way to do this is find my latest dump(s) on tape
or elsewhere - chuck them on an nfs server accessible to the machine
to be restored, boot from bsd.rd, mount the nfs location with the
dump files and proceed.
That's why I'd *like
On 10/19/06, Michal Soltys <[EMAIL PROTECTED]> wrote:
You can pipe ftp's output to restore.
Hey man, great idea! I'll try it out.
Thanks!
-Martin
Hi,
I've been playing with dump(8) recently and have tried two different
ways of using it: backing up to a file on a USB drive, and backing up
to a remote box by specifying a remote file and using SSH in lieu of
RSH. I was also planning to try to write to a file on a remote machine
via NFS but I
I've just noticed that Daniel and Bryan have been discussing the
subject at some length in more detail than I have. I guess you can
forget about my post. :-)
-Martin
Note: I have never used a Cisco 831. All I know about it is what I
just read off of the Internet a few minutes ago.
On 10/17/06, Bob Dobb <[EMAIL PROTECTED]> wrote:
Currently, my network just has a cheap intel box with OpenBSD doing
nat/firewall. My question is how do I make the openbsd nat/fi
On 10/13/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> A quick fix that worked for me (don't know if it's "bad" to do this or
> not, though):
>
> # cd /usr/lib
> # ln -s libc.so.40.0 libc.so.39.3
It is, libc bumps happen when functions change in interesting ways.
A-ha. Good to know. :-)
On 10/13/06, Kian Mohageri <[EMAIL PROTECTED]> wrote:
Check out the 3 articles on PF by Daniel Hartmeier (OpenBSD developer). I
found them to be very clear and concise and I'm pretty sure his explanations
will help you out.
http://www.undeadly.org
Thanks for the suggestion! One of these artic
On 10/13/06, Bernd Schoeller <[EMAIL PROTECTED]> wrote:
Do I have to switch to using ports? Any other fix for the problem?
A quick fix that worked for me (don't know if it's "bad" to do this or
not, though):
# cd /usr/lib
# ln -s libc.so.40.0 libc.so.39.3
-Martin
On 10/13/06, Joe Gibbens <[EMAIL PROTECTED]> wrote:
I'm guessing its because the default state policy is floating. Just
looking at the rules provided, the traffic should be able to pass
through.
Funny you should mention that because this is what I initially thought
(that at #2 traffic should p
Consider the following setup (OpenBSD 4.0-current):
Win PC > (vlan1) [OpenBSD FW] (vlan0) > Host
1. With the following pf ruleset:
set skip on { lo0 }
scrub all fragment reassemble
block drop all
A ping command on the Windows PC towards the Host (172.23.1.21) gives
the following (expect
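The floating-state behaviour explained earlier on this page and in the post just above, written out as a ruleset for the vlan1/vlan0 setup. This is an added example, not from the thread: the topology, the "set skip"/"scrub"/"block drop all" lines and the 172.23.1.21 host address are the thread's, while the ICMP rules and the if-bound variant are added. The scrub line keeps the 4.0-era syntax used in the post; on current OpenBSD releases scrub is an option of match rules instead.

```pf
# Added example, not from the thread.  Topology and address from the post:
#     Win PC > (vlan1) [OpenBSD FW] (vlan0) > Host 172.23.1.21
# The ICMP rules and the if-bound variant are added for illustration.
set skip on { lo0 }
# Uncomment to tie each state to the interface it was created on;
# see the second rule below for what that changes.
#set state-policy if-bound
scrub all fragment reassemble
block drop all

# With the default floating state policy this one rule is enough for the
# ping to reach the Host: the state created when the echo request enters
# on vlan1 also matches the same packet when it leaves on vlan0, so the
# ruleset (including 'block drop all') is never consulted on vlan0.
# The echo reply then matches the same state on its way back.
pass in on vlan1 inet proto icmp to 172.23.1.21 icmp-type echoreq

# With 'set state-policy if-bound' the state above covers vlan1 only.
# The echo request is then evaluated against the ruleset again on vlan0,
# where 'block drop all' wins unless an explicit egress rule exists:
#pass out on vlan0 inet proto icmp to 172.23.1.21 icmp-type echoreq
```

Which of the two is in effect can be checked without reading pf.conf: `pfctl -s states` lists every state with the interface it is bound to, and a floating state shows `all` in that column instead of `vlan1`.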
On 10/12/06, Girish Venkatachalam <[EMAIL PROTECTED]> wrote:
2) My second question relates to vlan(4).
This link seems good:
http://wiki.openwrt.org/OpenWrtDocs/NetworkInterfaces
-Martin
On 10/12/06, Martin Gignac <[EMAIL PROTECTED]> wrote:
Yeah, I'm familiar with 3261. However the SIP proxy that 3261 talks
about has a completely different function than what an ALG/SBC does.
Maybe I shouldn't have used the term "SIP proxy" in my previous
e-mails. My ba
On 10/11/06, Girish Venkatachalam <[EMAIL PROTECTED]> wrote:
On Wed, Oct 11, 2006 at 12:22:06PM -0400, Martin Gignac wrote:
> On 10/11/06, Girish Venkatachalam <[EMAIL PROTECTED]> wrote:
>
> >If my memory serves me right, SIP actually has ALG built into the standard
>
On 10/12/06, Girish Venkatachalam <[EMAIL PROTECTED]> wrote:
Very Sorry Martin. I was not in a good mood this morning and I also got angry
since I didn't know enough to help you out.
Have a nice day! Hope you don't take it to heart.
No sweat. :-)
Hi again Jens,
On 10/11/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
On 2006/10/12 01:15, ropers wrote:
> Or maybe I have gotten a small chunk off of that big fat 123.0.0.0/8
> network to play with. So let's say I have been allocated
> 123.123.123.0/24.
Normally, you get a separate address _
Hey Jens,
On 10/11/06, ropers <[EMAIL PROTECTED]> wrote:
OTOH, if you do have enough public IPs to play with, I'd still
consider bridging and using only public IPs (then you don't need to do
VLANs or NAT).
To satisfy my own curiosity, what are the advantages in your view that
bridging offers
On 10/11/06, Jon Radel <[EMAIL PROTECTED]> wrote:
>> If my memory serves me right, SIP actually has ALG built into the
>> standard itself and www.opensip.org might already give you what you want.
>
> Hmm, wasn't aware of that. Do you have any specific RFC or 3GPP spec
> number that I could check
Yes, I've tried siproxd, but my lack of knowledge has caused me to fail
to get this working properly.
Then using your available public IPs should be the ticket.
-Martin
On 10/11/06, Girish Venkatachalam <[EMAIL PROTECTED]> wrote:
If my memory serves me right, SIP actually has ALG built into the standard
itself and www.opensip.org might already give you what you want.
Hmm, wasn't aware of that. Do you have any specific RFC or 3GPP spec
number that I could che
On 10/11/06, ropers <[EMAIL PROTECTED]> wrote:
I've just had another thought:
Why do the IP phones have to have public IPs?
Is this because giving them NATted, private range IPs previously
didn't work so well?
The VoIP phones Patrick is using are probably (my guess) using the
Session Initiati
We currently have a firewall using a Cisco PIX server. Everything on
this firewall is using a static ip of some sort. There is a range of IP
addresses inside the PIX firewall that are being used for DHCP.
Just to make sure: you say everything on this firewall is using a
static IP of some sort,
What other information can I provide you to help me come up with a solution?
A quick ASCII diagram of the PIX and the subnets in front and back
might help (I'm the visual type).
The only subnet you mention with public IPs in your first e-mail is
216.139.44.142/26, in which the IPs mentioned in
On 10/9/06, Patrick - South Valley Internet <[EMAIL PROTECTED]> wrote:
1) Get two NICS for the OpenBSD box.
2) Give the first NIC an external routeable IP address, ex.
216.139.44.142 subnet 255.255.255.192
3) Give the second NIC an internal IP address, ex. 10.30.1.1 subnet mask
255.255.255.0
4)
On 10/8/06, z0mbix <[EMAIL PROTECTED]> wrote:
You are supposed to use the -o option to optimise your ruleset, then
correct the ruleset in /etc/pf.conf so there should be no need to load
the ruleset with -o every time.
Ok, thanks, my bad. I originally thought the intent of the flag was to
permit
Hi,
While playing around with pf I've gotten used to passing the '-o' flag
to pfctl to optimize my rulesets when loading them.
However, I've noticed that /etc/rc does not pass the '-o' flag when
loading the ruleset with pfctl during boot. Moreover, I couldn't find
any apparent variable in the /e
As always, make sure to subscribe to the 'ports-security' mailing
list, follow the stable ports tree, or at least visit
http://www.openbsd.org/pkg-stable.html once in a while to make sure
you've got the latest version (i.e. version with the most security
issues fixed) of the OpenVPN package insta
Mutt tries to open $MAIL (which is obviously /var/mail/grios), not
"folder". The reason "it only happens with openbsd installed version"
is probably that obsd didn't create /var/mail/$USER (which most other
systems do, imho). I guess it's just different design philosophies.
Probably just different
What's the "OpenBSD way" to start up arpwatch (built from ports) upon
system boot?
I think:
http://www.openbsd.org/faq/faq10.html#rc
will give you all you need.
-Martin
IPsec is based on standards (RFCs) while OpenVPN is not (it is based
on "standard" SSL, though).
I guess the best way to make your mind up is to actually go to the
OpenVPN web site (http://openvpn.net/) and read up on it. There's some
good info there.
Also, a visit on Google with keywords "openv
I agree with you Han. If Kintaro finds that configuring an IPsec VPN
between a FreeBSD and an OpenBSD machine is too complicated, OpenVPN
installed on both machines may offer an easier alternative.
-Martin
On 10/2/06, Han Boetes <[EMAIL PROTECTED]> wrote:
kintaro oe wrote:
> I'm setting up ipse
"ipsec between freebsd and openbsd" didn't turn up anything on Google
directly related to what you seem to want to do (at least for me), so
I guess you'll have to look at the FreeBSD side of things:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
http://www.onlamp.com/