Hi,

Thank you very much.

netstat -ni will not show a single error on any of the three interfaces.

I do not think it has anything to do with PF, because the problem
happens even with a pass quick rule.

I use dlink DGE-530T nics and one onboard vr0.

sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:13:46:71:f2:fa
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 200.232.120.1 netmask 0xfffff...

Hi,

I keep getting these "punt RTM_ADD without gateway" in my /var/log/messages
from the routed daemon. Once in a while, I get RTM_LOSING as well.

I noticed that, even with a static default route, every now and then I
try to ping the default gateway, I get ping: sendto: No route to host.

I saw a mention of this message in the list archive, but in that case
the felow managed to stop these messages by changing the rdr rule.

The only rdr rule I use is the default spamd rules:

no rdr on $ext_i...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is the longest v4 prefix length CARP supports?

In the example given here:

http://www.openbsd.org/faq/pf/carp.html

Each physical interface has two IPv4 addresses, one for a shared IP and
one for the interface address. That would require a /29 or shorter to
accommodate these two addresses, plus at least one address on the other
side of the link.

Is there some means of getting CARP to work where one side of the pf box
sits on a /30?

than...

You don't actually need an address for each physical interface. It is
nice but really not essential. This is the way I understand it.
Someone can correct me if I am wrong. I can't remember positively but
I think I did this kind of setup about a year ago for a little while.
I am actually going to put this configuration back into production in
the next month or two.

Bryan

Hi,

I suddenly had a weird wlan lockup during a big file transfer over wlan.
The access point is a WRAP.2E, 1 LAN, 128 MB with a ral0 card. See dmesg
below for more infos.

The client is an IBM X41 notebook with iwi0 and I am using an IPsec VPN
between the two machines. Just after the lockup I had the following
message in the wraps logfile:

Jun 13 20:04:02 wrap isakmpd[32542]: sendmsg (10, 0xcfbd9bc0, 0): No
buffer space available
Jun 13 20:04:29 wrap last message repeated 6 times
Jun 13 20:0...

Well, not a small order for sure, but to sustain 1000 Mbit throughput on
two interface, I would suggest first to find a way to make sure PF will
be able to do this! So, if your business can do this and have that much
bandwidth and needs like that, then I may be wrong and I apologies in
advance if I am, but I would suggest then to help with the request that
just came up on your screen as well not to long ago to make sure your
boxes would do what you want.

Meaning, can't you help with this on...

I just got this from a Dell 2950 a couple of days ago. I unplugged the
keyboard and plugged it back after a few seconds and it worked. You
could also maybe try to boot without keyboard and plug it afterwards.

And I got tip offlist from someone too ;)

And I second that it works:
ral0 at pci2 dev 2 function 0 "Ralink RT2561S" rev 0x00: irq 11,
address 00:16:e6:36:92:11
ral0: MAC/BBP RT2561C, RF RT2527

--
viq

Thanks Jen. I have switched to GENERIC kernel too (without any modification) and
I am waiting to reproduce this problem ....

--
CL Martinez
carlopmart {at} gmail {d0t} com

hmm, no I don't think so.

'available ports' is taken from ports used by the machine itself
_and_ ports used by NAT, they're all from the same pool, so it's not
'NAT port consumption' as such - could it be processes on the machine
as Peter suggested? netstat -nfinet -ptcp should have a long list

Should just be 'pfctl -sn -v' and look at states..(or parse
pfctl -ss output).

Hello,

My ultimate goal is to run both php4 and php5 concurrently on a single
machine and I have been looking at the various options.
Easiest way seems to be to install something like LightHTTPd or Apache2
on the side, along with php4.
But I do not like the idea of non-chrooted webservers running php.
So I am trying to have another instance of the OpenBSD version of Apache
1.3 - chrooted and all.

I *think* it can be done by downloading src.tar.gz and compile it again
from there with instruc...

both lighttpd and apache allow you to have both php4 and php5 side by
side. in apache one has to be a FCGI process the other can be either
FCGI or mod_php (and you just AddHandler in
Directory/Location/VirtualHost/.../).

i am NOT too paranoid about security, so my setup includes lighttpd
and each site that wants php get's own FCGI process, so that standard
unix permissions apply.

--
almir

Well I can't find anything that could block it. There is no ftp daemon or ftp
proxy or whatever running on the box. What does the pf do when it tries to
allocate a nat port and doesn't succeed, doesn't it do the nat at all or does
it try again? It could explain the behavior that we see that sometimes packets
aren't natted as they should be. So then can I enlarge the range?

Thanks,

Andy.

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.472 / Virus Databa...

I don't know anything about that 3Com card. If you can't get it working,
I do know that the following two (fairly old) PCMCIA modems work well for
me with OpenBSD in a couple of laptops that I use:

- "Megahertz by USRobotics" model XJ4288

- IBM 56K PC Card Modem (FRU 02K4249)

--
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
-- Antoine de Saint-Exupery

Hello,

I have one of these cards. It won't work unless you use the 3Com
drivers on Windows, and even then it doesn't work right. If you use a
standard US Robotics external modem, preferably a Sportster, or even
possibly a Zoom PCMCIA modem, they should work.

Mitch

-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf
Of Raimo Niskanen
Sent: Wednesday, June 13, 2007 5:22 AM
To: misc@openbsd.org
Subject: Troubleshooting PCMCIA modem 3Com 3CXM756
...

Brian,

Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535)
failed

Can this be the cause of my errors?

Andy.

-----Oorspronkelijk bericht-----
Van: Brian A. Seklecki [mailto:lavalamp@spiritual-machines.org]
Verzonden: dinsdag 12 juni 2007 22:03
Aan: Geraerts Andy
CC: misc@openbsd.org
Onderwerp: RE: Sometime NAT, sometimes NOT?

pfctl -x loud && tail -f /var/log/messages

~BAS

interface without NAT. So the ip packet contains the source ip address of my
...

this almost sounds like you have something else which grabs these
ports. do you, intentionally?

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

How about leaving them both running, and binding syslog-ng to just
the relevant IP address?

modify /etc/rc (this looks questionable anyway -- looks like someone
snook the named stuff in there because it needs aprivate log device in
the chroot):

echo 'starting system logger'
rm -f /dev/log

if [ X"${named_flags}" != X"NO" ]; then
rm -f /var/named/dev/log
syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
fi
if [ -d /var/empty ]; then
rm -f /var/empty/dev/log
mkdir -p -m 0555 /var/empty/dev
syslogd_flags="${syslogd_flags} -a /var/empty/...

I assume the changes that you're making will show up in OpenBSD 4.2?
Or what's the timeframe for including these changes in a "stable" branch
of the code? (i.e. ready for production)

--
Florin Andrei

http://florin.myip.org/

Thanks a lot.

However I wish there were some large companies out there using and
relying in pf, who could just decide (right now) to ship Henning two
machines. Not because it is the right thing to do, but because they
will directly benefit, immediately. They could do so completely out
of self-interest.

But perhaps there are no large companies using pf? That's entirely
possible, I suppose.

Supporting requests like Henning's out of the pocket change that our
private user community has is r...

I'm probably going to lose a friend over this, but I'd like to challenge iXsystems to step up and donate a couple systems for this purpose. It would benefit everyone for you guys to donate the hardware to further optimize PF. We all know that PF has become as ubiquitous as OpenSSH, at least in the BSD world.

How about it Matt, is iXsystems up to the challenge?

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

Damn you. Let me see what I can do. But yes, we had planned to do some OpenBSD
support after the BSD Mall merger and integration.

What kind of specs are we looking for? And remember, we're not a huge
company!
I just req'd a few systems for work on FreeBSD 10 GigE support, a system for
BSD Cert (plus cash), and I'm sure that I am forgetting a few we recently
handed around.

Where is Henning located? Shipping free stuff out of country is sometimes a
pain and takes longer.

We just did a network...

Suggestion for tapping the Large Company resource for OpenBSD:

1) Create an OpenBSD User Survey
a) should include questions that identifies user classes such as
Private Dude and Large Company
b) should allow user to self-identify if willing for
followup surveys and appeals
2) Place survey
a) on website
b) on the next CDROM
3) Use info garnered through survey to
a) craft appeals on website
b) create email appeals to self-identified users ...

Don't need a survey for this. we have a pretty good idea what biggies

Oh, a directed spam campaign. perfect. that will endear us to our
users. Please return to marketing school from whence you came, and think
before you suggest such things.

-Bob