eRacks Forums: Last 35 Posts

eRacks Forums: Last 35 Posts http://forums.eracks.net/ eRacks Forums: Last 35 Posts en Mon, 08 Sep 2008 12:07:29 +0000 sean on "Can't map mbuf" http://forums.eracks.net/topic.php?id=24&page#post-122 Wed, 13 Aug 2008 03:39:00 +0000 sean 122@http://forums.eracks.net/ the realtek cards, in my experience, are garbage. you might try upgrading to the latest version of obsd and see if the bug in the driver has been fixed, but I would just swap it out with another vendor's gige card. joe on "replacing exchange server" http://forums.eracks.net/topic.php?id=27&page#post-121 Sat, 29 Mar 2008 01:27:36 +0000 joe 121@http://forums.eracks.net/ Randy, In order to better answer your question, we need a clearer picture of your network, including the network diagram, and what changes you'd like to make, specifically, and how our server fits in to your network, and where and what it is used for. (Even an ascii-art network diagram is OK.) Also note although we will certainly do our best to help you out, we are not your MS Exchange and OWA (Outlook Web Access) providers, certainly (We are an Open-Source shop) - so configuration of those would be best asked of your Windows service provider (Or move away from Windows altogether :). Let us know, Joe randyg on "replacing exchange server" http://forums.eracks.net/topic.php?id=27&page#post-120 Thu, 27 Mar 2008 20:24:23 +0000 randyg 120@http://forums.eracks.net/ we are currently replacing our exchange server with a new server.This exchange service will run on the new server and the primary domain server will stay the same. Can you please provide me with the instructions to change the owa config as well as the the smtp out.Also there is a spam filter between the firewall and the servers.all pop info is going to the spam filter first . Thank you randy grijalva El Cortez hotal MaxeRacks on "Links to some projects!" http://forums.eracks.net/topic.php?id=26&page#post-119 Fri, 18 Jan 2008 18:06:24 +0000 MaxeRacks 119@http://forums.eracks.net/ 64 Studio - a great open source pro-audio software package <a href="http://64studio.com/" rel="nofollow">http://64studio.com/</a> Ubuntu Studio - Another great open source pro-audio software package, very clean looking. <a href="http://ubuntustudio.org/" rel="nofollow">http://ubuntustudio.org/</a> and their forum <a href="http://64studio.com/forum/11" rel="nofollow">http://64studio.com/forum/11</a> LMMS - a Linux Multimedia studio setup <a href="http://lmms.sourceforge.net/" rel="nofollow">http://lmms.sourceforge.net/</a> kenneth2k1 on "I need a rule, but I don't know what..." http://forums.eracks.net/topic.php?id=25&page#post-118 Tue, 11 Dec 2007 17:23:52 +0000 kenneth2k1 118@http://forums.eracks.net/ Thanks for the reply. The typo on the ext_if should be $ext_if, sorry about that. using synproxy is because I saw it on another site, I assume I don't need it with my version of OpenBSD. The tags are because one other guy told me to do it that way, and I know you said it doesn't need to be like that. I can modify my rules to show rdr pass, eliminate the tags and... which pass out rules to get rid of? I am guessing all except pass out on $ext_if inet from self to any (should I get rid of modulate state also? the big question.... will my RDR Filtered SMTP work? I really need the mail up. joe on "I need a rule, but I don't know what..." http://forums.eracks.net/topic.php?id=25&page#post-117 Tue, 11 Dec 2007 17:02:51 +0000 joe 117@http://forums.eracks.net/ Firstly, you shouldn't type in your rules, which is of course very error-prone - use ftp and/or scp, a pastebin, etc. Please also include the results of your "ifconfig -A" command. (redirect it to a file and ftp that as well). This rule is not proper syntax and will not compile: > # RDR ATI > on $ext_if inet proto tcp from any to (ext_if:0) tag OK_RDR_ATI -> 172.20.255.82 I see other suspicious syntax errors which look like they may have been typos introduced by the manual copy. Why are you not using the pass feature in your translation rules? ("rdr pass" feature, etc)? This would completely eliminate the need for all the tagging, and most of the pass out rules. Why are you using synproxy? admin on "Can't map mbuf" http://forums.eracks.net/topic.php?id=24&page#post-116 Tue, 11 Dec 2007 16:34:53 +0000 admin 116@http://forums.eracks.net/ This looks like a traffic-volume related error. We are looking into the issue - let us know if you have any occurrences of this at the 100Mbits/sec speed. kenneth2k1 on "I need a rule, but I don't know what..." http://forums.eracks.net/topic.php?id=25&page#post-115 Mon, 10 Dec 2007 19:57:14 +0000 kenneth2k1 115@http://forums.eracks.net/ ruleset for 172.20.255.1 #Macros ext_if="re0" int_if="re1" # ---- table <badnets> persist const { \ 0/8 10/8 127/8 172.16/12 192.168/16 192.254/16 \ $ext_if:0 \ } # ---- set state-policy if-bound set skip on {lo0} set block-policy drop # ---- #NAT Rules nat on $ext_if inet from ($int_if:network) to any -> ($ext_if:0) # RDR ATI on $ext_if inet proto tcp from any to (ext_if:0) tag OK_RDR_ATI -> 172.20.255.82 #RDR CIS rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR -> 172.20.115.10 #RDR EXTS rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 3389 tag OK_RDR -> 172.20.255.127 #RDR Filtered_SMTP rdr on $ext_if inet proto tcp from any to ($ext_if:0) port { 25 } tag OK_RDR -> 172.20.1.3 #RDR FMT GreatPlains rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 3391 tag OK_RDR -> 172.20.255.27 # RDR GreatPlains rdr on $ext_if inet proto tcp from any to (#ext_if:0) tag OK_RDR -> 172.20.255.27 # RDR CIS_Telnet rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 23 tag OK_RDR -> 172.20.115.10 # RDR HTTP out of DNS server rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 80 tag OK_RDR -> 172.20.99.6 #RDR HTTPS_OWS rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 443 tag OK_RDR -> 172.20.255.188 #RDR INFOGENESIS_IN rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR_IG -> 172.20.99.200 # RDR LVSC_IN rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR_SC -> 172.20.10.100 # RDR POP3 ---- 127 is dead rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 110 tag OK_RDR -> 172.20.255.127 # RDR RDP rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 3389 tag OK_RDR -> 172.20.99.1 # RDR SAFLOK_IN rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR_SAFLOK -> 172.20.6.5 # # ---- # Filter Rules block log all pass out log quick on $ext_if inet from self to any modulate state # pass out log quick on $ext_if inet tagged OKPKTS keep state # pass in log quick on $int_if inet from ($int_if:network) to any tag OKPKTS modulate state # pass in log quick on $ext_if inet proto tcp tagged OK_RDR flags S/SA synproxy state # pass in log quick on $ext_if inet proto tcp tagged OK_RDR_ATI flags S/SA synproxy state # pass in log quick on $ext_if inet proto tcp tagged OK_RDR_IG flags S/SA synproxy state # pass in log quick on $ext_if inet proto tcp tagged OK_RDR_SC flags S/SA synproxy state # pass in log quick on $ext_if inet proto tcp tagged OK_RDR_SAFLOK flags S/SA synproxy state # pass out log quick on $int_if inet proto tcp tagged OK_RDR_ATI # pass out log quick on $int_if inet proto tcp tagged OK_RDR keep state # pass out log quick on $int_if inet proto tcp tagged OK_RDR_IG keep state # pass out log quick on $int_if inet proto tcp tagged OK_RDR_SC keep state # pass out log quick on $int_if inet proto tcp tagged OK_RDR_SAFLOK keep state # pass in log quick on $ext_if inet proto tcp from any to ($ext_if:0) port { ssh https } flags S/SA keep state #Allow admin of the firewall # End of ruleset kenneth2k1 on "I need a rule, but I don't know what..." http://forums.eracks.net/topic.php?id=25&page#post-114 Mon, 10 Dec 2007 19:56:33 +0000 kenneth2k1 114@http://forums.eracks.net/ Here are my rules. I had to type them out because I created them by modifying the pf.conf file, I didn't use pfw because it reports an old ruleset!!!!! ruleset for 172.20.1.1 #Macros ext_if="re0" int_if="re1" # ---- table <badnets> persist const { \ 0/8 10/8 127/8 172.16/12 192.168/16 192.254/16 \ $ext_if:0 \ } # ---- set state-policy if-bound set skip on {lo0} set block-policy drop # ---- # NAT Rules nat on $ext_if inet from ($int_if:network) to any -> ($ext_if:0) # # RDR ATI_IN rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR_ATI -> 172.20.231.41 # RDR Filtered HTTP rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 80 tag OK_RDR -> 172.20.99.6 # RDR Filtered SMTP rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 25 tag OK_RDR -> 172.20.1.3 # RDR FTP rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 21 tag OK_RDR -> 172.20.99.6 # RDR HTTPS_Synxis rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 443 tag OK_RDR -> 172.20.255.189 RDR TCPIP 20_UDP rdr on $ext_if inet proto tcp from any to ($ext_if:0) port { 20 21 22 23 } tag OK_RDR_UDP -> 172.20.255.187 # ---- # Filter Rules block log all pass out log quick on $ext_if inet from self to any modulate state # pass out log quick on $ext_if inet tagged OKPKTS keep state # pass in log quick on $int_if inet from ($int_if:network) to any tag OKPKTS modulate state # pass in log quick on $ext_if inet proto tcp tagged OK_RDR flags S/SA synproxy state # pass in log quick on $ext_if inet proto tcp tagged OK_RDR_ATI flags S/SA synproxy state # pass in log quick on $ext_if inet proto tcp tagged OK_RDR_UDP keep state # pass out log quick on $int_if inet proto tcp tagged OK_RDR keep state # pass out log quick on $int_if inet proto tcp tagged OK_RDR_ATI keep state # pass out log quick on $int_if inet proto tcp tagged OK_RDR_UDP keep state # Allow admin of the firewall pass in log quick on $ext_if inet proto tcp from any to ($ext_if:0) port {ssh https } flags S/SA keep state # ---- # End of Ruleset kenneth2k1 on "I need a rule, but I don't know what..." http://forums.eracks.net/topic.php?id=25&page#post-113 Mon, 10 Dec 2007 19:53:28 +0000 kenneth2k1 113@http://forums.eracks.net/ So we have the twinguard set up: Twin1 re0: 24.120.60.58 re1: 172.20.1.1 Some computers have the re1 address of 172.20.1.1 as their gateway. those people do not work to get internet access, however I can still access network drives. I cannot ping the fw. Twin2 re0: 24.120.60.59 re1: 172.20.255.1 Many of our servers and other PCs have the re1 address of 172.20.255.1 as their gateway. those computers DO work. I can ping 255.1. My LAN does has one subnet. /16 We have two IPs assigned from our ISP. We use all static, there is no DHCP. It just had a different rule set. The rules were pulled from two watchguard fireboxes which we replaced with the Open BSD ones. The default gateway for some machines is set to 255.1, but not all. The remaining machines use the default gateway of 1.1. The 255.1 works, but not the 1.1 to get to the Internet. We also have a spam filter that sits at 172.20.1.3, and it does not appear to be working. I have set a rule to do rdr of incoming on port 25 to the spam filter, I think that's how it's already config'd.It has not received incoming mail since I switched over this morning. I suspect it also is using 1.1 as the default gateway. So... in short.... what am I missing here? I need to be able to get those who have 172.20.1.1 set as their default gateway get to the Internet? My guess is something that needs to pass to the other gateway in order to get out?? Maybe?? kenneth2k1 on "Can't map mbuf" http://forums.eracks.net/topic.php?id=24&page#post-112 Fri, 07 Dec 2007 17:52:21 +0000 kenneth2k1 112@http://forums.eracks.net/ I thought I got my firewall going, and then I still get an error in blue seemingly randomly, which says: re1: can't map mbuf (error 22). It will make the firewall inoperable and I have to reboot it. I asked another forum regarding this error, and nobody has much of a fix except that it seems to be related to the Realtek gigabit NIC. One guy set his back down to 100 base T and it worked okay. I have done the same to both NICs, and no troubles yet, however I am concerned about this error when I put it on my network. Any experience with this error? Is there anywhere I can look in the system to try and resolve it? joe on "kernel oopses with ipw3945 driver v1.2.0" http://forums.eracks.net/topic.php?id=23&page#post-111 Wed, 05 Dec 2007 18:13:56 +0000 joe 111@http://forums.eracks.net/ I guess we should point out to our FreeBSD and *BSD laptop and tablet users that this fix is for Linux only, but that if the BSD-based drivers are based on the Linux drivers, as they often are (although more often the other way around!), that the fact the bug is fixed in Linux means that it may soon propagate over to the BSD-based drivers as well, soon. james on "kernel oopses with ipw3945 driver v1.2.0" http://forums.eracks.net/topic.php?id=23&page#post-110 Wed, 05 Dec 2007 07:39:39 +0000 james 110@http://forums.eracks.net/ It should be independent of the OS (if you're using v1.2.0 of the driver, you'll suffer from the bug no matter which version of the kernel you use.) joe on "kernel oopses with ipw3945 driver v1.2.0" http://forums.eracks.net/topic.php?id=23&page#post-109 Wed, 05 Dec 2007 01:38:39 +0000 joe 109@http://forums.eracks.net/ What OS and version? james on "kernel oopses with ipw3945 driver v1.2.0" http://forums.eracks.net/topic.php?id=23&page#post-108 Tue, 04 Dec 2007 23:54:06 +0000 james 108@http://forums.eracks.net/ If you're using the Intel ipw3945 driver version 1.2.0 or below, this likely applies to you. I was running into a pretty serious issue with my laptop, where the ipw3945 driver (with version 2.6.23.1 of the Linux kernel) caused random kernel oopses every now and then. I was starting to suspect a hardware issue, but googling around revealed that this was actually a known bug in 1.2.0 (the version I had installed), and that it has been fixed since 1.2.1. If you suspect you have this same problem, it can be fixed by installing v1.2.1 or newer. James joe on "Toshiba Tablet FreeBSD 6.2 install" http://forums.eracks.net/topic.php?id=19&page#post-107 Wed, 21 Nov 2007 20:06:52 +0000 joe 107@http://forums.eracks.net/ Texas Instruments (TI) is vendor 104c, and those devices are 803a, 803b, and 803c. According to: <a href="http://www.pcidatabase.com/vendor_details.php?id=308," rel="nofollow">http://www.pcidatabase.com/vendor_details.php?id=308,</a> the 803c appears to be an SD controller. Further searching/googling around for "104c 803c BSD" (or FreeBSD or linux, too) reveals further enlightening info on this, and the starting point for further searches.. Here's some partial success on Ubuntu Feisty (one release old): <a href="http://ubuntuforums.org/showthread.php?t=459987" rel="nofollow">http://ubuntuforums.org/showthread.php?t=459987</a> BTW, to boot from a live Ubuntu Gutsy CD, simply download a CDImage for your platform (i386 first or x86-64 second choice) from <a href="http://ubuntu.com" rel="nofollow">http://ubuntu.com</a> and burn it to a blank CD! For that matter, they'll even mail you one for free, as I recall.. Alan on "Toshiba Tablet FreeBSD 6.2 install" http://forums.eracks.net/topic.php?id=19&page#post-106 Wed, 21 Nov 2007 18:21:51 +0000 Alan 106@http://forums.eracks.net/ Is it one of the none[012] devices listed in pciconf? Alan on "Toshiba Tablet FreeBSD 6.2 install" http://forums.eracks.net/topic.php?id=19&page#post-105 Wed, 21 Nov 2007 18:19:49 +0000 Alan 105@http://forums.eracks.net/ Hi. I'm afraid I'm completely ignorant about Linux. Where can I get a bootable Ubuntu CD? Do they sell these shrinkwrapped, like at Fry's or Computer Center? Meanwhile, here is output from pciconf -lv: <code> <a href="mailto:hostb0@pci0:0:0:">hostb0@pci0:0:0:</a> class=0x060000 card=0x00011179 chip=0x27a08086 rev=0x03 hdr=0x00 vendor = 'Intel Corporation' class = bridge subclass = HOST-PCI <a href="mailto:agp0@pci0:2:0:">agp0@pci0:2:0:</a> class=0x030000 card=0x00011179 chip=0x27a28086 rev=0x03 hdr=0x00 vendor = 'Intel Corporation' class = display subclass = VGA <a href="mailto:none0@pci0:2:1:">none0@pci0:2:1:</a> class=0x038000 card=0x00011179 chip=0x27a68086 rev=0x03 hdr=0x00 vendor = 'Intel Corporation' class = display <a href="mailto:pcm0@pci0:27:0:">pcm0@pci0:27:0:</a> class=0x040300 card=0x00011179 chip=0x27d88086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) High Definition Audio' class = multimedia <a href="mailto:pcib1@pci0:28:0:">pcib1@pci0:28:0:</a> class=0x060400 card=0x00000040 chip=0x27d08086 rev=0x02 hdr=0x01 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) PCI Express Root Port' class = bridge subclass = PCI-PCI <a href="mailto:pcib2@pci0:28:2:">pcib2@pci0:28:2:</a> class=0x060400 card=0x00000040 chip=0x27d48086 rev=0x02 hdr=0x01 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) PCI Express Root Port' class = bridge subclass = PCI-PCI <a href="mailto:uhci0@pci0:29:0:">uhci0@pci0:29:0:</a> class=0x0c0300 card=0x00011179 chip=0x27c88086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) USB Universal Host Controller' class = serial bus subclass = USB <a href="mailto:uhci1@pci0:29:1:">uhci1@pci0:29:1:</a> class=0x0c0300 card=0x00011179 chip=0x27c98086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) USB Universal Host Controller' class = serial bus subclass = USB <a href="mailto:uhci2@pci0:29:2:">uhci2@pci0:29:2:</a> class=0x0c0300 card=0x00011179 chip=0x27ca8086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) USB Universal Host Controller' class = serial bus subclass = USB <a href="mailto:uhci3@pci0:29:3:">uhci3@pci0:29:3:</a> class=0x0c0300 card=0x00011179 chip=0x27cb8086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) USB Universal Host Controller' class = serial bus subclass = USB <a href="mailto:ehci0@pci0:29:7:">ehci0@pci0:29:7:</a> class=0x0c0320 card=0x00011179 chip=0x27cc8086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) USB 2.0 Enhanced Host Controller' class = serial bus subclass = USB <a href="mailto:pcib3@pci0:30:0:">pcib3@pci0:30:0:</a> class=0x060401 card=0x00000050 chip=0x24488086 rev=0xe2 hdr=0x01 vendor = 'Intel Corporation' device = '82801BAM/CAM/DBM (ICH2-M/3-M/4-M) Hub Interface to PCI Bridge' class = bridge subclass = PCI-PCI <a href="mailto:isab0@pci0:31:0:">isab0@pci0:31:0:</a> class=0x060100 card=0x00011179 chip=0x27b98086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801GBM (ICH7-M) LPC Interface Controller' class = bridge subclass = PCI-ISA <a href="mailto:atapci0@pci0:31:1:">atapci0@pci0:31:1:</a> class=0x01018a card=0x00011179 chip=0x27df8086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801G (ICH7 Family) Ultra ATA Storage Controller' class = mass storage subclass = ATA <a href="mailto:atapci1@pci0:31:2:">atapci1@pci0:31:2:</a> class=0x010601 card=0x0f001179 chip=0x27c58086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82801GB Mobile I/O Controller Hub SATA cc=AHCI' class = mass storage <a href="mailto:em0@pci1:0:0:">em0@pci1:0:0:</a> class=0x020000 card=0x00011179 chip=0x109a8086 rev=0x00 hdr=0x00 vendor = 'Intel Corporation' class = network subclass = ethernet <a href="mailto:wpi0@pci2:0:0:">wpi0@pci2:0:0:</a> class=0x028000 card=0x10408086 chip=0x42228086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' class = network <a href="mailto:cbb0@pci3:11:0:">cbb0@pci3:11:0:</a> class=0x060700 card=0x00011179 chip=0x8039104c rev=0x00 hdr=0x02 vendor = 'Texas Instruments (TI)' class = bridge subclass = PCI-CardBus <a href="mailto:fwohci0@pci3:11:1:">fwohci0@pci3:11:1:</a> class=0x0c0010 card=0x00011179 chip=0x803a104c rev=0x00 hdr=0x00 vendor = 'Texas Instruments (TI)' class = serial bus subclass = FireWire <a href="mailto:none1@pci3:11:2:">none1@pci3:11:2:</a> class=0x018000 card=0x00011179 chip=0x803b104c rev=0x00 hdr=0x00 vendor = 'Texas Instruments (TI)' class = mass storage <a href="mailto:none2@pci3:11:3:">none2@pci3:11:3:</a> class=0x080501 card=0x00011179 chip=0x803c104c rev=0x00 hdr=0x00 vendor = 'Texas Instruments (TI)' class = base peripheral </code> And here is output from pcitweak -l: <code> PCI: Probing config type using method 1 PCI: Config type is 1 PCI: PCI scan (all values are in hex) PCI: 00:00:0: chip 8086,27a0 card 1179,0001 rev 03 class 06,00,00 hdr 00 PCI: 00:02:0: chip 8086,27a2 card 1179,0001 rev 03 class 03,00,00 hdr 80 PCI: 00:02:1: chip 8086,27a6 card 1179,0001 rev 03 class 03,80,00 hdr 80 PCI: 00:1b:0: chip 8086,27d8 card 1179,0001 rev 02 class 04,03,00 hdr 00 PCI: 00:1c:0: chip 8086,27d0 card 0000,0000 rev 02 class 06,04,00 hdr 81 PCI: 00:1c:2: chip 8086,27d4 card 0000,0000 rev 02 class 06,04,00 hdr 81 PCI: 00:1d:0: chip 8086,27c8 card 1179,0001 rev 02 class 0c,03,00 hdr 80 PCI: 00:1d:1: chip 8086,27c9 card 1179,0001 rev 02 class 0c,03,00 hdr 00 PCI: 00:1d:2: chip 8086,27ca card 1179,0001 rev 02 class 0c,03,00 hdr 00 PCI: 00:1d:3: chip 8086,27cb card 1179,0001 rev 02 class 0c,03,00 hdr 00 PCI: 00:1d:7: chip 8086,27cc card 1179,0001 rev 02 class 0c,03,20 hdr 00 PCI: 00:1e:0: chip 8086,2448 card 0000,0000 rev e2 class 06,04,01 hdr 01 PCI: 00:1f:0: chip 8086,27b9 card 1179,0001 rev 02 class 06,01,00 hdr 80 PCI: 00:1f:1: chip 8086,27df card 1179,0001 rev 02 class 01,01,8a hdr 00 PCI: 00:1f:2: chip 8086,27c5 card 1179,0f00 rev 02 class 01,06,01 hdr 00 PCI: 01:00:0: chip 8086,109a card 1179,0001 rev 00 class 02,00,00 hdr 00 PCI: 02:00:0: chip 8086,4222 card 8086,1040 rev 02 class 02,80,00 hdr 00 PCI: 03:0b:0: chip 104c,8039 card fffc,ffff rev 00 class 06,07,00 hdr 82 PCI: 03:0b:1: chip 104c,803a card 1179,0001 rev 00 class 0c,00,10 hdr 80 PCI: 03:0b:2: chip 104c,803b card 1179,0001 rev 00 class 01,80,00 hdr 80 PCI: 03:0b:3: chip 104c,803c card 1179,0001 rev 00 class 08,05,01 hdr 80 PCI: End of PCI scan </code> joe on "Toshiba Tablet FreeBSD 6.2 install" http://forums.eracks.net/topic.php?id=19&page#post-104 Wed, 21 Nov 2007 17:40:48 +0000 joe 104@http://forums.eracks.net/ Hmm... I don't see the SD/MMC card in the dmesg you send. Two things we can do, next: 1) List the PCI bus details with "pciconf -lv" and/or pcitweak, and look for the SD/MMC card or the 'unknown' entries 2) Boot up from a Ubuntu Gutsy Gibbon Live CD, and read the dmesg (and post it here!), and see if it possibly is recognized and works under Gutsy. Alan on "Change BSD/Linux terminology @ login screen" http://forums.eracks.net/topic.php?id=20&page#post-103 Wed, 21 Nov 2007 08:20:50 +0000 Alan 103@http://forums.eracks.net/ Try editing the /etc/gettytab file. I'm running FreeBSD, not OpenBSD but I suspect it's the same. If you can't figure out the gettytab file, you can run the command "man 5 gettytab". joe on "Setting PFW Rules" http://forums.eracks.net/topic.php?id=22&page#post-102 Sat, 17 Nov 2007 22:17:58 +0000 joe 102@http://forums.eracks.net/ You need the "->" to set the destination - Assuming the following macros: external_ip = 208.57.255.188 internal_ip = 208.57.255.188 And assuming that the old fw rule you show above intends to redirect both 5632 and 5631 to the new internal IP (rather than remap 5632 to 5631), the rdr rule would be something like: rdr on $ext_if proto tcp from any to $external_ip port { 5632 5631 } -> $internal_ip And if you wanted to remap 5632 to 5631, it would be something like: rdr on $ext_if proto tcp from any to $external_ip port 5632 -> $internal_ip port 5631 ANd if you want to declare a filter rule to pass the traffic related to this NAT rule, just add 'pass', thusly: rdr pass on $ext_if proto tcp from any to $external_ip port { 5632 5631 } -> $internal_ip We rarely/seldom need to use tags except for the most esoteric/complex setups, which it does not sound like you need. Also, pfw does indeed handle rdr rules - not sure why you think it doesn't! Here's the pfw page, see 'nat rules': <a href="http://www.allard.nu/pfw" rel="nofollow">http://www.allard.nu/pfw</a> And here's a screenshot showing an rdr rule - it's near the bottom of the list: <a href="http://www.allard.nu/pfw/pics/nat1.png" rel="nofollow">http://www.allard.nu/pfw/pics/nat1.png</a> kenneth2k1 on "Setting PFW Rules" http://forums.eracks.net/topic.php?id=22&page#post-101 Fri, 16 Nov 2007 18:57:39 +0000 kenneth2k1 101@http://forums.eracks.net/ Thanks for the reply. I have been reading a lot of the manual, and I have a better understanding of what is going on. I also found another good resource: <a href="http://home.nuug.no/~peter/pf/" rel="nofollow">http://home.nuug.no/~peter/pf/</a> But, none of them deal specifically with pfw. And, bumping around in it, it seems to not have the "rdr" command, which I apparently need. There are rules on my current fw that allow incoming connections to internal IPs. They look something like: Incoming from Any to 208.57.255.188 -> 172.20.255.82 port tcp:5632 tcp:5631. These rules are set because our hotel system talks to an external server that sends reservation information. After doing some research, I think my rule should look like: rdr on $ext_if inet proto tcp from any to ($ext_if:0) port { 5632 5631 } THEN from what I understand I need to tag them, and then the pass rules will evaluate them. tag OPERAOWS -> 172.20.255.82 #OPERAOWS is what I want to use because Opera is our hotel system. THEN the pass rule can evaluate it: pass in on $ext_if inet proto tcp tagged OKPKTS synproxy state So am I completely off? I appreciate you taking the time to help. I am really trying to learn. joe on "Setting PFW Rules" http://forums.eracks.net/topic.php?id=22&page#post-100 Fri, 16 Nov 2007 17:52:10 +0000 joe 100@http://forums.eracks.net/ Ken, 1) As a rule, you want to apply your incoming filter rules to the external interface. Unless you want to restrict or filter the outbound traffic from your internal LAN users, you usually want to just pass all outbound traffic on the internal interface. 2) You can put the port number in both the source/dest matching expression ("Pass in on $ext_if from any to $mail_server port 25"), or in the destination expression (the part after the "->"), which will remap the port. Question 1 is covered in the "PACKET FILTERING" section of the pf.conf maunal, and question 2 is covered in the "TRANSLATION" section. See also the FILTERING EXAMPLES and TRANSLATION EXAMPLES sections for handy cut/pasteable examples for common usage scenarios. Many of your questions show that you could really benefit from close scrutiny of the manuals - Remember the "man pf.conf" and "man pfctl" commands are your friend. Here is a great "Getting started" guide for pf: <a href="http://home.nyc.rr.com/computertaijutsu/pf.html" rel="nofollow">http://home.nyc.rr.com/computertaijutsu/pf.html</a> And here is a great OpenBSD example for SOHO use: <a href="http://www.openbsd.org/faq/pf/example1.html" rel="nofollow">http://www.openbsd.org/faq/pf/example1.html</a> kenneth2k1 on "Setting PFW Rules" http://forums.eracks.net/topic.php?id=22&page#post-99 Thu, 08 Nov 2007 15:43:27 +0000 kenneth2k1 99@http://forums.eracks.net/ Well after reading about PF, I answered a few of my own questions. ext_if is a macro for my interfaces. "Any" will work as a valid source/destination according to the literature. It said a protocol will be assumed based on the transmission if I don't specify Family address is inet for IPv4, inet6 for IPv6 _____________________________________________________________ But I still have questions!! 1. I have specified my external interface in my macro. When do I need to specify my internal interface? 2. If I need to put in a port number, what makes it dependent upon whether I put it in the source or destination section? Thanks. kenneth2k1 on "Setting PFW Rules" http://forums.eracks.net/topic.php?id=22&page#post-98 Fri, 02 Nov 2007 00:39:39 +0000 kenneth2k1 98@http://forums.eracks.net/ # ruleset automatically generated by pfw # ext_if = "re0" # External interface int_if = "re1" # Internal interface block log all # Default block rule pass in on re0 all # Allow everything on localhost # Antispoof rules antispoof for $ext_if # General rules pass in log on $ext_if inet proto tcp from any to $ext_if port { ssh https } keep state # Allow administration of the firewall # Network Rules pass in log on $ext_if from ipsec_users to 172.20.0.0 # Any in pass out log on $ext_if from 172.20.0.0 to ipsec_users # Any out pass in on $ext_if proto tcp from any to 172.20.255.108 port 5190 # AOL in pass out log on $ext_if proto tcp from 172.20.255.108 to any port 5190 # AOL out pass in on $ext_if from any to 172.20.255.108 port 5190 # AOL in pass out log on $ext_if proto tcp from 172.20.1.110 port 80 to any # Filtered-HTTP pass in on $ext_if proto tcp from any to 172.20.255.108 port 25 # Filtered-SMTP in pass out log on $ext_if proto tcp from 172.20.255.108 port 25 to any # Filtered-SMTP out pass in log on $ext_if proto FTP from 208.57.255.187 port 21 to 172.20.99.6 # FTP in pass out log on $ext_if proto FTP from 172.20.99.6 to any port 21 # FTP out pass in log on $ext_if proto tcp from 208.57.255.187 port 443 to 172.20.255.189 # HTTPS_Synxis in kenneth2k1 on "Setting PFW Rules" http://forums.eracks.net/topic.php?id=22&page#post-97 Fri, 02 Nov 2007 00:37:34 +0000 kenneth2k1 97@http://forums.eracks.net/ So, I am getting into this pfw now, and I have some questions about setting these rules. 1. I assume "interface" means my network card. Part of the basic configuration involved setting a macro, where ext_if was set as the lo0. If I am translating this right, does the ext_if stand for the network interface lo0? In my case, my net adapters are re0 and re1. If so, why do I set the interface to $ext_if instead of just using the re0? And what does the $ mean? 2. Does the syntax "any" work as a source or destination? 3. If I need to put in a port number, what makes it dependent upon whether I put it in the source or destination section? 4. Is a protocol always necessary? 5. What does the Family Address represent? What does inet mean and when should I use it? 6 What would be the rule if I wanted to block incoming pings? In the next post, I will show you what I have. I know there are errors, but perhaps I could get some pointers? Thanks!!! kenneth2k1 on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-96 Tue, 23 Oct 2007 19:56:58 +0000 kenneth2k1 96@http://forums.eracks.net/ ... and everything on the LAN, both the 172.20.255 and the 172.20.1 have the same netmasks. kenneth2k1 on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-95 Tue, 23 Oct 2007 19:55:42 +0000 kenneth2k1 95@http://forums.eracks.net/ So I will change the broadcast back to 172.20.255.255 kenneth2k1 on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-94 Tue, 23 Oct 2007 19:51:58 +0000 kenneth2k1 94@http://forums.eracks.net/ I changed it because I thought I read somewhere that the broadcast would just be what that adapter was seen at for identification. I changed it in the hostname.re0 file, and rebooted. It had the unresponsive behavior regardless of the broadcast ID, however. joe on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-93 Tue, 23 Oct 2007 19:48:34 +0000 joe 93@http://forums.eracks.net/ Right - if you set the IP and netmask, it will set the broadcast for you. But remember, this netmask (a /16) should match all the other systems on the same LAN! kenneth2k1 on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-92 Tue, 23 Oct 2007 19:44:52 +0000 kenneth2k1 92@http://forums.eracks.net/ When I type in ifconfig re0, it told me my broadcast was 172.20.255.255 joe on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-91 Tue, 23 Oct 2007 18:59:47 +0000 joe 91@http://forums.eracks.net/ Your broadcast address is always the inverse of your netmask applied to your IP - in other words, if you have a /24, with a netmask of 255.255.255.0, and an IP of 1.2.3.4, your broadcast address should be 1.2.3.255 - the same IP with a /16 (a netmask of 255.255.0.0) would have a broadcast address of 1.2.255.255. - Machines on the same network, but with mismatched netmasks, may not communicate correctly even though they appear to be on the same network. Especially with hubs and switches involved, which can get confused more easily because of this. - incorrectly configured broadcast addresses can cause strange and unpredictable responses, and interact poorly with routers, filters, hubs, switches, firewalls, and other networking hardware. kenneth2k1 on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-90 Tue, 23 Oct 2007 18:17:12 +0000 kenneth2k1 90@http://forums.eracks.net/ It is broadcasting the same as the IP: 172.20.255.16. I think that the problem is on our network however. I pulled it off our network and connected my PC directly to it, and it worked fine. My "uneducated" guess is that our current FW saw something being transmitted by the Twinguard fw and locked it up. I don't really know how, and there's nothing in the logs, but still when it was taken off the network it behaved fine. My concern is when I get this thing back on the network and take the other firewalls off, will it do it again? Well, either way it works to this point. Next I will have questions about setting up rules on pfw joe on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-89 Tue, 23 Oct 2007 00:15:07 +0000 joe 89@http://forums.eracks.net/ What is your broadcast address? kenneth2k1 on "What's the process for running this pfw" http://forums.eracks.net/topic.php?id=12&page#post-88 Mon, 22 Oct 2007 21:53:47 +0000 kenneth2k1 88@http://forums.eracks.net/ As I stated before, I am plugged into only one NIC - re0. That's it. Also, the settings that I input were from your cookbook, and if you see anything in there that looks bad, I will gladly change it. I have the current firewall monitor up, and it gives me a bandwidth meter. At it's highest point, sending traffic was at 400kbps and receiving traffic was at about 700kbps. That isn't that much traffic at all.