Although it's not well known TCP seriously depends on ICMP packets of type 3 code 4 for "Path MTU Discovery" (PTMTUD). Blocking of these packets lead to congested IP connections, broken transmissions and thus to frustrated users. Some documentation: http://en.wikipedia.org/wiki/Pmtud http://www.usenix.org/events/lisa02/tech/full_papers/vanderberg/vanderberg_html/ http://www.ietf.org/rfc/rfc2923.txt Various serious solutions: BSD: pass quick proto icmp from any to any icmp-typ...

Is there any changes on the support of the X4200, "specially the X4100 M2" and X2100 M2 with SAS version, not the SATA one? There wasn't much updates in the archive on the subject still. Any luck with may be new DMESG to look at for these? The one bellow is pretty old. Best.

oops sorry, X4100/4200 (not M2 version) are AMD8131, it is the M2 versions which are nvidia.

I am running an X4100 with -current and I see no issues at all.

Bull. Not allowing ICMP is just as bad. Worse actually, as you are violating RFCs. Quit spreading this FUD. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax

Don't forget to also configure your firewalls to block traffic with the evil bit set. :-) -- Mathieu Sauve-Frankel

On Wed, 25 Apr 2007 20:19:42 +0000 (UTC) hi, actually, me thinks the same about allowing/denying ICMP as you, tobias. however, we recently had a CCIE/NSA certified blahblah guy in our company, tuning our, err, Cizcoooeee equipment. guess what he did -- he violated 'the RFCs'. unfortunately, i wasn't able to find them on the net. do you have them handy? i'm very curious about that :) tia, -- Timo Schoeler | http://riscworks.net/~tis | timo.schoeler@riscworks.net RISCworks -- Perfectio...

In general, though, it will almost always be possible to get data in/out of the network. IP-over-DNS comes to mind. If this particular vector is used by a widely deployed worm, it might be worth it; but otherwise, just ignore it. Do you intend to ask where 'the RFCs' are? (If so, www.ietf.org is a good choice.) Or in what RFC this particular requirement is? (No real idea...) Joachim -- TFMotD: kadmin (8) - Kerberos administration utility

On Wed, 25 Apr 2007 23:56:50 +0200 yeah, i know -- that's why i watched him doing in my typical skeptical timo

i'm obviously missing something here. could you explain why it is a bad idea to have two files, the key and salt, which would be used to initially mount the regular file, then securely deleted from the host and only re-introduced to the host when decryption/remounting is required. and also, for us luddites, how do you read the password on stdin. in great expectations, poncenby

I have an i386 laptop with two NICs: xl(4) and an(4). For me, trunk(4) does not seem to be able to send any packets over the an(4) NIC. The xl(4) NIC works just fine. The an0 NIC never shows "active" as a child of the trunk. Viz.: When I set a single NIC in the trunk, just for testing as shown below, I see: trunkport xl0 master,active or trunkport an0 master I can watch packets flowing across the an0 NIC via tcpdump, but none originate from the laptop. Could someone pleas...

Greetings! Included below is my pf.conf set up to use dansguardian (proxyport 3128, filterport 8080) and tinyproxy (listen port 3128) as a transparent proxy. What changes do I need to make to keep someone on int_if/int_net from circumventing dansguardian by changing their browser to point to 3128? Thanks and take care, Allen ------8<------cut here------8<------ ext_if="rl0" int_if="xl0" int_net="192.168.0.0/24" proxy_server = "127.0.0.1" tcp_services="{ 113 }" icmp_typ...

I was redirected here from the tech group. I am trying to install OpenBSD 4.0 on a Dell OptiPlex 745. The computer has a SATA CD-ROM and a SATA hard drive. After the install/upgrade/shell part, I see a lot of kernel messages. Everything looks normal, and it looks like all of my hardware is detected. The install appears to go okay, but then it hangs after the file sets are copied. It doesn't matter if I select all, some, or the minimal file sets: the installation always hangs after the copy is fi...

Hi, I'm playing around with carp and routers. My scenario is the next: One ISP address ( for exemple: 10.2.2.1 ) Two openbsd 4.0 machines with 3 NICs Lan switch On LAN side, i set one NIC on every machine with private ip: Machine#1: 192.168.0.20 Machine#2: 192.168.0.21 And they share a virtual address: 192.168.0.30 The carp nics between both machines with 10.0.0.1 and 10.0.0.2 And my question is for ISP side: I got only one IP address, 10.2.2.1, how do share it? I mean, i can't set up ...

Hi, I readed the faq before. I know carp device needs to be the one i want to share. My question is not for the carp device, is just for the network interfaces ( in my case rl0 on both machines ). Which address should i gave them? anyone into the isp ip-mask rank?

thanks!!

Thanks!!!

I have a couple of Plextor PX-EH25L running a 4.1 snapshot from March 11, 2007 that panic when the power button is turned to the off position. If I type in "cont\r" the shutdown continues on properly, including powering off the system. OpenBSD/landisk (somesystem.bob.foo) (console) login: Stopped at Debugger+0x6: mov r14, r15 ddb> ps PID PPID PGRP UID S FLAGS WAIT COMMAND 5504 1 5504 0 3 0x4082 ttyin getty 8986 1 ...

thanks for the quick reply. I'll try a newer kernel went I get to the office diana

thanks, all working now though I have another question that I'll pose in a new thread diana

vnconfig in -current, at least, already accepts a -S option to specify the salt file. Changing vnconfig to read the password on stdin is easy, but you should really ask yourself if that is a good idea. Joachim -- TFMotD: ssh-keyscan (1) - gather ssh public keys

I use drop in most cases. Stealth mode isn't exactly going to add much, but I see no reason a host should receive any response at all when it is trying to talk to a host that doesn't exist or a port that isn't actually listening. Much of that activity is simply host/port scanning. I could argue either way, but my preference is 'block drop' most of the time. -- Kian Mohageri

It doesn't. -- Kian Mohageri

Well, when it comes to staying "safe," both return and drop both block unwanted traffic. Whether or not someone can determine if a host is up really won't do much for security. That being said, return is preferable. It reduces traffic (SYN retransmits,) and will improve responsiveness for other hosts. Now if someone is nmapping you with -sS for instance, block drop will reduce traffic in that specific case (no RST from you.) The amount is generally negligible though. I'd recommend using pf.os ...

Most people would maintain that drop vs. block+rst/icmp would be better, but I could see the arguments (that will no doubt come) that it really doesn't buy you any in the end and only attempts to obfuscate what can be mapped out anyhow (that a device somewhere in the network path is dropping traffic.) I use silent drops except where immediate reject response is required (e.g. ident, etc.) DS