From sgeorge.ml at gmail.com Thu Jul 1 06:22:35 2010
From: sgeorge.ml at gmail.com (Siju George)
Date: Thu, 1 Jul 2010 09:52:35 +0530
Subject: pfctl anchors manipulation clarification
Message-ID:

Hi,

I have been playing with anchors lately and I am missing something.

The machine is "4.7 GENERIC#558 i386"

The pf.conf is

========================================
int_if="vr0"
ext_ifA="sk0"
ext_ifT="vr1"

set loginterface sk0
set skip on lo

match out on $ext_ifA inet from $int_if:network \
        to any nat-to ($ext_ifA)
match out on $ext_ifT inet from $int_if:network \
        to any nat-to ($ext_ifT)

block in log (all)

anchor atelonly
load anchor atelonly from "/etc/pf-confs/anchor-atelonly"
anchor tataonly
anchor atelandtata

pass in log (all, to pflog1) on $int_if
=========================================

Now the firewall is running on these rules

============================================
# pfctl -sr
match out on sk0 inet from 172.16.0.0/12 to any nat-to (sk0) round-robin
match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin
block drop in log (all) all
anchor "atelonly" all
anchor "tataonly" all
anchor "atelandtata" all
pass in log (all, to pflog1) on vr0 all flags S/SA keep state
# pfctl -sA
  atelandtata
  atelonly
  tataonly
# pfctl -a atelandtata -sr
# pfctl -a tataonly -sr
# pfctl -a atelonly -sr
pass out log (all, to pflog2) quick on sk0 all flags S/SA keep state
#
==============================================

I have the following pflog interfaces

===============================================
pflog1: flags=41 mtu 33200
        priority: 0
        groups: pflog
pflog2: flags=141 mtu 33200
        priority: 0
        groups: pflog
pflog3: flags=141 mtu 33200
        priority: 0
        groups: pflog
pflog4: flags=41 mtu 33200
        priority: 0
        groups: pflog
pflog0: flags=141 mtu 33200
        priority: 0
        groups: pflog
=================================================

In pflog2 I can see the traffic passing out through sk0 to the internet.
Fine :-)

Now I run the following commands to stop traffic to the internet through
sk0 and use the second internet connection instead. So my idea is to

1) change the default route to that of the second internet connection by

#route change -inet default 1ss.2ee.1ff.1

2) Load the anchor tataonly with rules from

============================
# cat /etc/pf-confs/anchor-tataonly
ext_ifT="vr1"
pass out log (all, to pflog3) quick on $ext_ifT
=============================

by

#pfctl -a tataonly -f "/etc/pf-confs/anchor-tataonly"

3) clear rules and states created by them from anchor "atelonly" by

#pfctl -a atelonly -F all

Now I execute the following commands and these are the outputs

===============================================
# route change -inet default 121.247.145.1
change net default: gateway 121.247.145.1
# pfctl -a tataonly -f "/etc/pf-confs/anchor-tataonly"
# pfctl -a atelonly -F all
rules cleared
0 tables deleted.
#
==================================================

Now according to the pfctl man page

     -F all
             Flush all of the above.   ( i.e including states )

     -a anchor
             Apply flags -f, -F, and -s only to the rules in the specified
             anchor.

So as said the rules in the anchor atelonly are flushed

=====================================================
# pfctl -sr
match out on sk0 inet from 172.16.0.0/12 to any nat-to (sk0) round-robin
match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin
block drop in log (all) all
anchor "atelonly" all
anchor "tataonly" all
anchor "atelandtata" all
pass in log (all, to pflog1) on vr0 all flags S/SA keep state
# pfctl -a atelonly -sr
# pfctl -a tataonly -sr
pass out log (all, to pflog3) quick on vr1 all flags S/SA keep state
#
=========================================================

and I can see traffic going out to the internet through vr1 on pflog3 but
there is still traffic going out to the internet through sk0 which can be
seen in pflog2.

So I guess the states made by those rules in the anchor "atelonly" were not
cleared? How do I clear only those states?

I now tried doing a

## pfctl -a atelonly -F states
1469 states cleared

before doing

# pfctl -a atelonly -F all

then I lose my ssh connection with the firewall :-(

Is it because it clears all the states instead of the ones created by
"-a atelonly"?

How do I flush just the states created by an anchor ruleset when I flush
them?

anchor "atelandtata" holds nothing now but if I do a

#pfctl -a atelandtata -ss

it shows all the states.

but the man page says

     -a anchor
             Apply flags -f, -F, and -s only to the rules in the specified
             anchor.

Am I misunderstanding the wordings by some means?

Could someone please explain?

Thanks :-)

--Siju

From montage9 at gmail.com Tue Jul 6 23:11:34 2010
From: montage9 at gmail.com (montmarte)
Date: Tue, 6 Jul 2010 14:11:34 -0700
Subject: OpenBSD 4.7 problem with NETGEAR wireless router dhcp
Message-ID:

Hi All,

I recently switched from ubuntu to OpenBSD 4.7 and am trying to get the
internet connection working through my Netgear wireless router. The computer
has an Atheros 5212 wireless lan card and openbsd 4.7 just started
supporting it I believe.
Anyway, as part of the CD based installation em0 (ethernet) and ath0
(wireless) network interfaces could not be initialized. Subsequently, I
completed the installation and after logon I read "man afterboot" as
customary. Further, I performed the below set of steps

ifconfig ath0 nwid nwkey
ifconfig ath0 up

After the above two I did, I saw the wireless indicator on the machine turn
green (good), then I did

dhclient ath0

I saw DHCPDISCOVER messages going out, but no DHCP OFFER was received. I
made sure the dhclient.conf file exists (as directed by the openbsd man
page) and also in that file uncommented the "request" line.

Additionally, I created the /etc/hostname.ath0 file and added the line

dhcp 192.168.0.1 255.255.255.0 NONE nwid nwkey

After the above, I did

sh /etc/netstart

but to no avail. The DHCP client request timed out.

Any ideas? Thanks.

-m

From wittig.robert at sbcglobal.net Wed Jul 7 15:27:05 2010
From: wittig.robert at sbcglobal.net (Robert C Wittig)
Date: Wed, 07 Jul 2010 08:27:05 -0500
Subject: OpenBSD 4.7 problem with NETGEAR wireless router dhcp
In-Reply-To:
References:
Message-ID: <4C3480A9.5090106@sbcglobal.net>

montmarte wrote:
> but to no avail. The DHCP client request timed out.
>
> Any ideas? Thanks.
>

I had the same problem with DHCPDISCOVER.

I added one line to my dhclient.conf file:

supersede domain-name-servers domain.name.server1, domain.name.server2;

That fixed my problem.

--
-wittig
http://www.robertwittig.com/
http://robertwittig.net/
http://robertwittig.org/
.

From montage9 at gmail.com Mon Jul 12 07:59:51 2010
From: montage9 at gmail.com (montmarte)
Date: Sun, 11 Jul 2010 22:59:51 -0700
Subject: OpenBSD 4.7 problem with NETGEAR wireless router dhcp
In-Reply-To: <4C3480A9.5090106@sbcglobal.net>
References: <4C3480A9.5090106@sbcglobal.net>
Message-ID:

Thanks. I tried that but it doesn't seem to work. I have mucked around a
little more, now I seem to be getting somewhere but not sure where. In
between I was able to get a dhcp bind with the netgear router. My
/etc/resolv.conf looked like

lookup file bind
nameserver: 127.0.0.1

but then I still couldn't ping out of the box (my wireless indicator on the
laptop is green and ifconfig shows status as active). However, ping and
nslookup are not working.

Thanks.

-m

On Wed, Jul 7, 2010 at 6:27 AM, Robert C Wittig wrote:
> montmarte wrote:
>
> > but to no avail. The DHCP client request timed out.
> >
> > Any ideas? Thanks.
> >
>
> I had the same problem with DHCPDISCOVER.
>
> I added one line to my dhclient.conf file:
>
> supersede domain-name-servers domain.name.server1, domain.name.server2;
>
> That fixed my problem.
>
> --
> -wittig
> http://www.robertwittig.com/
> http://robertwittig.net/
> http://robertwittig.org/
> .
>

From davidianwalker at gmail.com Mon Jul 12 10:29:05 2010
From: davidianwalker at gmail.com (David Walker)
Date: Mon, 12 Jul 2010 17:59:05 +0930
Subject: OpenBSD 4.7 problem with NETGEAR wireless router dhcp
In-Reply-To:
References: <4C3480A9.5090106@sbcglobal.net>
Message-ID:

Hiya montmarte.

First off I'm a noob myself and I also don't use wireless on OpenBSD. :]

Still, here's a couple of things.

I'm sure at some point you'll find out the OpenBSD man pages are excellent.
I think it can be helpful to specify which man pages you're reading (it
lets people know you are reading the right ones).

If you do have a driver issue, or anything remotely hardware related,
append a dmesg to the bottom of your mail. In this case it might provide a
clue about em0 and also make sure ath0 is correct.

Have you read ath(4) - especially HARDWARE?
Ditto hostname.if(5)?
Ditto ifconfig(8) - especially nw* versus wpa*?

I find when working out something new it can help to simplify the
methodology in the interim. In this case maybe you could configure a static
IP on your access point and set this in your hostname.if(5).

Make sure pf is out of the way - pf is on by default in OpenBSD. From
memory an empty pf.conf will do it.
I wouldn't worry about BIND, unless wireless land has changed since I used
it you won't need to worry about naming to get IP connectivity.

Further your resolv.conf(.tail) doesn't look right:

lookup file bind
nameserver: 127.0.0.1

The keyword lookup tells the resolver to use your host file first and then
named. Having a nameserver address as a loopback is presumably to do
lookups with named? See the redundancy there? If you use BIND (named) then
a nameserver is a fallback and could point to your ISP nameservers for
example. See resolv.conf(5).

No doubt someone will come along and help you out better at some point but
perhaps you could simplify for the moment, provide some answers:

Are you using WEP or WPA?
Where does em0 intend to go (was it only a fallback for ath0 not working
and did you plug it into the same router)?
Is your router configured correctly?

Best wishes.

dmesg attached:

From montage9 at gmail.com Thu Jul 15 23:27:51 2010
From: montage9 at gmail.com (montmarte)
Date: Thu, 15 Jul 2010 21:27:51 +0000 (UTC)
Subject: OpenBSD 4.7 problem with NETGEAR wireless router dhcp
References: <4C3480A9.5090106@sbcglobal.net>
Message-ID:

David Walker writes:

> I find when working out something new it can help to simplify the
> methodology in the interim. In this case maybe you could configure a
> static IP on your access point and set this in your hostname.if(5).
>

Thanks. As you suggested, I tried switching from dhcp to static ip, i.e.,
for ifconfig I gave

#ifconfig ath0 192.168.1.3 255.255.255.0 nwid nwkey
#more /etc/hostname.ath0
inet 192.168.1.3 255.255.255.0 NONE nwid nwkey
#more /etc/gateway
192.168.1.1
#route flush
#sh /etc/netstart ath0

The wireless indicator turns green and then I am also able to issue a scan

#ifconfig ath0 scan

However, ping to any ip-addr other than 192.168.1.3 doesn't work. No
internet connection :(

I expected wireless configuration on openbsd to be much simpler but
unfortunately I am not able to get past this :(

-m

From phessler at theapt.org Fri Jul 16 10:08:04 2010
From: phessler at theapt.org (Peter Hessler)
Date: Fri, 16 Jul 2010 10:08:04 +0200
Subject: OpenBSD 4.7 problem with NETGEAR wireless router dhcp
In-Reply-To:
References: <4C3480A9.5090106@sbcglobal.net>
Message-ID: <20100716080803.GZ3369@gir.theapt.org>

On 2010 Jul 15 (Thu) at 21:27:51 +0000 (+0000), montmarte wrote:
:David Walker writes:
:
:
:> I find when working out something new it can help to simplify the
:> methodology in the interim. In this case maybe you could configure a
:> static IP on your access point and set this in your hostname.if(5).
:>
:
:
:Thanks. As you suggested, I tried switching from dhcp to static ip, i.e.,
:for ifconfig I gave
:
:#ifconfig ath0 192.168.1.3 255.255.255.0 nwid nwkey
:#more /etc/hostname.ath0
:inet 192.168.1.3 255.255.255.0 NONE nwid nwkey
:#more /etc/gateway
:192.168.1.1
:#route flush
:#sh /etc/netstart ath0
:
:The wireless indicator turns green and then I am also able to issue a scan
:
:#ifconfig ath0 scan
:
:However, ping to any ip-addr other than 192.168.1.3 doesn't work. No
:internet connection :(
:
:I expected wireless configuration on openbsd to be much simpler but
:unfortunately I am not able to get past this :(
:
:-m
:

Can you post your dmesg?
--
Cold, adj.:
        When the politicians walk around with their hands in their own
        pockets.

From montage9 at gmail.com Fri Jul 16 21:56:42 2010
From: montage9 at gmail.com (montmarte)
Date: Fri, 16 Jul 2010 12:56:42 -0700
Subject: OpenBSD 4.7 problem with NETGEAR wireless router dhcp
In-Reply-To: <20100716080803.GZ3369@gir.theapt.org>
References: <4C3480A9.5090106@sbcglobal.net>
        <20100716080803.GZ3369@gir.theapt.org>
Message-ID:

>
> Can you post your dmesg?
>
> --
> Cold, adj.:
>         When the politicians walk around with their hands in their own
>         pockets.
>

Great news at last! Turns out that I was making a silly mistake but
somehow it went undetected. For the value as part of ifconfig, I was not
giving a hex value, i.e.,

#ifconfig ath0 192.168.1.3 255.255.0. nwid nwkey 1234

whereas I should have been giving

#ifconfig ath0 192.168.1.3 255.255.255.0 nwid nwkey 0x1234

then I do /etc/netstart, lo and behold! everything starts working,
dhclient starts working, ping google.com starts working.

But what is puzzling to me is why my error was never detected, should
"ifconfig ath0 scan" work if I have given the wrong nwkey? If it had
thrown some error, then I could have been focusing my time on giving the
right parameters for ifconfig, rather it made me look all over the system,
until I stumbled upon the solution by having an N-th look at the man page
for ifconfig. This problem literally drove me nuts.

-m

From davidianwalker at gmail.com Sat Jul 17 10:42:32 2010
From: davidianwalker at gmail.com (David Walker)
Date: Sat, 17 Jul 2010 18:12:32 +0930
Subject: OpenBSD 4.7 problem with NETGEAR wireless router dhcp
In-Reply-To:
References: <4C3480A9.5090106@sbcglobal.net>
        <20100716080803.GZ3369@gir.theapt.org>
Message-ID:

On 17/07/2010, montmarte wrote:
> Great news at last! Turns out that I was making a silly mistake but
> somehow it went undetected. For the value as part of ifconfig, I was not
> giving a hex value, i.e.,
>
> #ifconfig ath0 192.168.1.3 255.255.0. nwid nwkey 1234
>
> whereas I should have been giving
>
> #ifconfig ath0 192.168.1.3 255.255.255.0 nwid nwkey 0x1234
>
> then I do /etc/netstart, lo and behold! everything starts working,
> dhclient starts working, ping google.com starts working.

Hooray.

> But what is puzzling to me is why my error was never detected, should
> "ifconfig ath0 scan" work if I have given the wrong nwkey?

As far as my wireless knowledge goes a scan looks for SSIDs without
connecting. Hence password not required. Even without knowing your
neighbour's WEP key you can see his network is up and running right? I
guess OpenBSD scan is exactly the same. :]

From ifconfig(8):

     scan    Show the results of an access point scan.  In Host AP mode,
             this will dump the list of known nodes without scanning.

> If it had thrown some error, then I could have been focusing my time on
> giving the right parameters for ifconfig, rather it made me look all
> over the system, until I stumbled upon the solution by having an N-th
> look at the man page for ifconfig. This problem literally drove me nuts.

Welcome to the club of those who have at least one problem getting
something working. All welcome. However also welcome to the club where
membership is reading them there pages until you find the answer. Good for
you. Sometimes it's a paper trail but the man pages are great. I think I'm
getting a bit better at it.

As far as ifconfig not doing everything for you, it might be a case of
no-one seeing a deficiency before. Besides, adding every feature comes at
a price. You could post to tech@ - apologize for your fat fingers and let
people know you're almost as dopey as me (i.e. you have no skills and
can't write a patch to save yourself). You'll either get told to buy a
book on C, shut up and/or go away, or someone might write a patch. What
have you got to lose ...

> -m

Make sure you fix up your resolv.conf file.

:]

Best wishes.
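Siju's pfctl anchor question at the top of this archive got no reply here. As an added example, not part of any mail above and not pfctl's own code, the Python helper below parses `pfctl -ss` style lines and groups states by the address their source was translated to by the nat-to match rules, so the states still pinned to the old uplink can be listed before anything is flushed. The sample lines are constructed in the `ifname proto src (translated src) -> dst states` shape assumed here for pfctl's output; the addresses are placeholders and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape assumed for `pfctl -ss` output (placeholder
# addresses, not from the mail): interface column ("all" for floating
# states), protocol, source, optional (translated source) from the nat-to
# match rule, direction arrow, destination, and the state names.
SAMPLE_STATES = """\
all tcp 172.16.0.10:54321 (192.0.2.10:54321) -> 74.125.67.100:80       ESTABLISHED:ESTABLISHED
all udp 172.16.0.10:5353 (192.0.2.10:5353) -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 172.16.0.11:40001 (203.0.113.7:40001) -> 74.125.67.100:443       ESTABLISHED:ESTABLISHED
all tcp 172.16.0.1:22 <- 172.16.0.20:51000       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<nat>\S+)\))?\s+(?P<arrow>->|<-)\s+(?P<right>\S+)"
    r"\s+(?P<state>\S+)\s*$"
)


def parse_states(text):
    """Parse pfctl -ss lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(STATE_RE.match, text.splitlines()) if m]


def host_of(endpoint):
    """Drop the :port suffix of an 'addr:port' endpoint (IPv4 form)."""
    return endpoint.rsplit(":", 1)[0]


def states_by_uplink(text):
    """Group states by the address their source was translated to.

    With floating states the interface column reads "all", so the translated
    source address is what tells the sk0 states from the vr1 states. States
    with no translation (e.g. the LAN ssh session to the firewall itself) go
    under "untranslated": a blanket `pfctl -F states` kills those as well.
    """
    groups = defaultdict(list)
    for st in parse_states(text):
        key = host_of(st["nat"]) if st["nat"] else "untranslated"
        groups[key].append(st)
    return dict(groups)


def stale_states(text, old_uplink_addr):
    """(source, destination) pairs of states still using the old uplink address."""
    return [(st["left"], st["right"])
            for st in states_by_uplink(text).get(old_uplink_addr, [])]


if __name__ == "__main__":
    # Placeholders: 192.0.2.10 stands for the address sk0 had when the states
    # were created, 203.0.113.7 for vr1's address.
    for uplink, sts in sorted(states_by_uplink(SAMPLE_STATES).items()):
        print(f"{uplink}: {len(sts)} state(s)")
    for src, dst in stale_states(SAMPLE_STATES, "192.0.2.10"):
        print(f"  still pinned to old uplink: {src} -> {dst}")
```

Once the affected source and destination hosts are known, pfctl's -k option, which kills states by host, is the narrower tool than a table-wide -F states.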