Quick OpenBSD question

Malus · Nov 6, 2007, 04:18 AM

Quote:

Originally Posted by H3X4D3C1M4L

OK I've been working off and on with it and now I've got it.

Bridging won't work with the two cards on the same subnet. I did try it the way the FAQ suggested but it didn't seem to work.

No matter, I'm using routing now vs. bridge. It's more efficient and seeing as I've got another 253 subnets to burn through before I run into issues, this'll work just fine

I just created a route between 192.168.0.x/24 and 192.168.1.x/24, made the default route whatever my PPPoE connection gets and ta-da. Magic.

Yeah, that's what I do. It works great.

H3X4D3C1M4L · Nov 21, 2007, 04:42 AM

Now my only gripe is just working on my pf ruleset and the 4.2 question

Seeing as I don't have xbase installed and I don't want to... it looks like I'll need to do a fresh install at 4.3 (You can read about the way they changed it on the OpenBSD 4.2 release notes).

On a side note, not sure if it works the same in FreeBSD but can you "skip" a release when you're upgrading? I.e. go from x.1 to x.3 or x.4 even?

Malus · Nov 24, 2007, 11:15 PM

Quote:

Originally Posted by H3X4D3C1M4L

On a side note, not sure if it works the same in FreeBSD but can you "skip" a release when you're upgrading? I.e. go from x.1 to x.3 or x.4 even?

Well, the version numbering in FreeBSD is different. The versioning scheme is major.minor (ie, 6.3, 7.0). Skipping minor number releases during an upgrade should not be a problem. Skipping major version number releases during an upgrade will probably not work. Considering that FreeBSD does not release major versions all too often, it is not usually as big of a deal.

H3X4D3C1M4L · Dec 23, 2007, 12:07 AM

Well thanks for all the input. It finally all works

Just tweaking pf and Samba now.

H3X4D3C1M4L · Feb 4, 2008, 08:24 PM

On that note got any experience with pf and/or rulesets?

Malus · Feb 16, 2008, 08:34 PM

Quote:

Originally Posted by H3X4D3C1M4L

On that note got any experience with pf and/or rulesets?

Yeah, I use it on all of my machines.

H3X4D3C1M4L · Apr 5, 2008, 07:47 AM

Quote:

Originally Posted by Malus

Yeah, I use it on all of my machines.

I had a question but I think I answered it myself.

Got a bit overzealous with some very nebulous "modulate state" statements

H3X4D3C1M4L · May 29, 2008, 07:47 AM

Everything has been working flawlessly so far but I can't figure out what the Memory statistic is in pf (nor does a quick Google realy reveal the answer)? I have 740 or so packets in the Memory counter. The heck does that mean?

Malus · Jul 4, 2008, 11:25 PM

Quote:

Originally Posted by H3X4D3C1M4L

Everything has been working flawlessly so far but I can't figure out what the Memory statistic is in pf (nor does a quick Google realy reveal the answer)? I have 740 or so packets in the Memory counter. The heck does that mean?

I have no clue. How do you even display that statistic? I did not see a knob for it in pfctl.

H3X4D3C1M4L · Jul 7, 2008, 07:36 AM

Quote:

Originally Posted by Malus

I have no clue. How do you even display that statistic? I did not see a knob for it in pfctl.

I just did pfctl -si and got this

Code:

Status: Enabled for 17 days 16:22:26          Debug: Urgent

Interface Stats for pppoe0            IPv4             IPv6
  Bytes In                     54493654946                0
  Bytes Out                    29893934037               64
  Packets In
    Passed                        68442593                0
    Blocked                         541727                0
  Packets Out
    Passed                        78674805                1
    Blocked                          26986                0

State Table                          Total             Rate
  current entries                      631               
  searches                       357947594          234.3/s
  inserts                          4855053            3.2/s
  removals                         4854422            3.2/s
Counters
  match                            5714925            3.7/s
  bad-offset                             0            0.0/s
  fragment                             378            0.0/s
  short                                  6            0.0/s
  normalize                              2            0.0/s
  memory                              4875            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                         30812            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                         3864            0.0/s
  state-mismatch                    154604            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Hopefully that comes out looking formatted well. I'm becoming increasingly worried about that because it keeps going up and up and up. Random checks when I SSH in keep showing it goes up as much as like 1000 in an hour.

Malus · Jul 14, 2008, 06:24 AM

Quote:

Originally Posted by H3X4D3C1M4L

Hopefully that comes out looking formatted well. I'm becoming increasingly worried about that because it keeps going up and up and up. Random checks when I SSH in keep showing it goes up as much as like 1000 in an hour.

Mine is at 0 on my router. Apparently, the counter goes up when memory cannot be allocated for a state entry. It does not look like you are even close to the default state limit, given the output you posted. Could be someone trying to brute force into your router, or perhaps some sort of short-coming in your hardware configuration.

H3X4D3C1M4L · Jul 14, 2008, 07:13 PM

Worrying as it may be, I'd lean towards someone brute forcing in. I'm highly skeptical that even the worst BitTorrent port thrashing I've dished out could choke the hardware (P3 1GHz with 1.5GB of RAM). I haven't done anything especially funky to the kernel and the memory counter hasn't gone up since I've posted that. I've also got aggressive state expiration on, so it should be flushing connections fairly quickly.

I'll have to keep a closer eye on the logs methinks.

Nov 21, 2007, 04:42 AM	Thread Starter #32
H3X4D3C1M4L DriverHeaven Extreme Member Join Date: May 2005 Posts: 6,794 Rep Power: 0	Now my only gripe is just working on my pf ruleset and the 4.2 question Seeing as I don't have xbase installed and I don't want to... it looks like I'll need to do a fresh install at 4.3 (You can read about the way they changed it on the OpenBSD 4.2 release notes). On a side note, not sure if it works the same in FreeBSD but can you "skip" a release when you're upgrading? I.e. go from x.1 to x.3 or x.4 even?

Dec 23, 2007, 12:07 AM	Thread Starter #34
H3X4D3C1M4L DriverHeaven Extreme Member Join Date: May 2005 Posts: 6,794 Rep Power: 0	Well thanks for all the input. It finally all works Just tweaking pf and Samba now.

Feb 4, 2008, 08:24 PM	Thread Starter #35
H3X4D3C1M4L DriverHeaven Extreme Member Join Date: May 2005 Posts: 6,794 Rep Power: 0	On that note got any experience with pf and/or rulesets?

May 29, 2008, 07:47 AM	Thread Starter #38
H3X4D3C1M4L DriverHeaven Extreme Member Join Date: May 2005 Posts: 6,794 Rep Power: 0	Everything has been working flawlessly so far but I can't figure out what the Memory statistic is in pf (nor does a quick Google realy reveal the answer)? I have 740 or so packets in the Memory counter. The heck does that mean?

Jul 14, 2008, 07:13 PM	Thread Starter #42
H3X4D3C1M4L DriverHeaven Extreme Member Join Date: May 2005 Posts: 6,794 Rep Power: 0	Worrying as it may be, I'd lean towards someone brute forcing in. I'm highly skeptical that even the worst BitTorrent port thrashing I've dished out could choke the hardware (P3 1GHz with 1.5GB of RAM). I haven't done anything especially funky to the kernel and the memory counter hasn't gone up since I've posted that. I've also got aggressive state expiration on, so it should be flushing connections fairly quickly. I'll have to keep a closer eye on the logs methinks.