OpenBSD Journal

OpenBSD 4.3 released

Contributed by johan on from the out-and-about dept.

The OpenBSD team is pleased to announce the release of OpenBSD 4.3. See the announcement for more information.

Place an order worldwide or order in Europe, or if you only download from FTP then make a donation. If you do FTP your release, be sure to use a local mirror and not the main ftp server:

o ftp.kd85.com  Austria
o ftp.eu.openbsd.org  Sweden
o ftp2.usa.openbsd.org  NYC, USA
o ftp3.usa.openbsd.org  CO, USA
o ftp5.usa.openbsd.org  CA, USA
o rt.fm  IL, USA

Highlights of OpenBSD 4.3 are listed below.

  • New/extended platforms:
    • OpenBSD/sparc64.
      SMP support. This should work on all supported systems, with the exception of the Sun Enterprise 10000.
    • OpenBSD/hppa.
      K-class servers like the K200 and K410 are supported now.
    • OpenBSD/mvme88k
      SMP support on MVME188 and MVME188A systems. The 88110 processor, and thus MVME197LE/SP/DP boards, are now supported.
    • OpenBSD/sgi.
      Contains many new drivers; however, the kernel requires an important errata fix.


  • Improved hardware support, including:
    • The bge(4) driver now supports BCM5906/BCM5906M 10/100 and BCM5755 10/100/Gigabit Ethernet devices.
    • The cas(4) driver now supports Cassini+ 10/100/Gigabit Ethernet devices.
    • The em(4) driver now supports ICH9 10/100 and 10/100/Gigabit Ethernet devices.
    • The gem(4) driver now supports the onboard 1000base-SX interface on the Sun Fire V880 server.
    • The ixgb(4) driver now supports the Sun 10Gb PCI-X Ethernet devices.
    • The msk(4) driver now supports Yukon FE+ 10/100 and Yukon Supreme 10/100/Gigabit Ethernet devices.
    • The nfe(4) driver now supports MCP73, MCP77 and MCP79 10/100/Gigabit Ethernet devices.
    • The ral(4) driver now supports RT2800 based wireless network devices.
    • The cmpci(4) driver now supports CMI8768 based audio adapters.
    • The it(4) driver now supports ITE IT8705F/8712F/8716F/8718F/8726F and SiS SiS950 ICs. Watchdog timer functionality added.
    • The mfi(4) driver now supports Dell CERC6/PERC6 and LSI SAS1078 RAID controllers.
    • The viapm(4) driver now supports the VIA VT8237S south bridges SMBus controller.
    • Support for hotplugging ExpressCard devices has been added.
    • New amdpcib(4) driver for the AMD-8111 series LPC bridge and timecounter on amd64.
    • New pctr(4) driver for the CPU performance counters on amd64.
    • New bwi(4) driver for the Broadcom AirForce IEEE 802.11b/g wireless network device.
    • New envy(4) driver for the VIA Envy24 audio device.
    • New et(4) driver for the Agere/LSI ET1310 10/100/Gigabit Ethernet device.
    • New etphy(4) driver for the Agere/LSI ET1011 TruePHY Gigabit Ethernet PHY.
    • New amdpcib(4) driver for the AMD-8111 series LPC bridge and timecounter on i386.
    • New glxpcib(4) driver for the AMD CS5536 PCI-ISA bridge with timecounter, watchdog timer, and GPIO on i386.
    • New iwn(4) driver for the Intel Wireless WiFi Link 4965AGN IEEE 802.11a/b/g/Draft-N wireless network device.
    • New msts(4) line discipline to interface Meinberg Standard Time String devices and to provide a timedelta sensor.
    • New gbe(4) driver for the SGI Graphics Back End (GBE) Frame Buffer on sgi.
    • New mkbc(4) driver for the Moosehead PS/2 Controller on sgi.
    • New power(4) driver for the power button on sgi.
    • New ecadc(4) driver for the Environmental Monitoring Subsystem temperature sensor on sparc64.
    • New tda(4) driver for the fan controller on the Sun Blade 1000/2000, making these machines much less noisy.
    • New spdmem(4) driver retrieves information about memory modules.
    • New thmc(4) driver for the TI THMC50, Analog ADM1022/1028 temperature sensor.
    • New uchcom(4) driver for the WinChipHead CH341/340 based USB serial adapter.
    • New umbg(4) driver for the Meinberg Funkuhren USB5131 radio clock to provide a timedelta sensor.
    • New upgt(4) driver for the Conexant/Intersil PrismGT SoftMAC USB IEEE 802.11b/g wireless network device.
    • New wbng(4) driver for the Winbond W83793G temperature, voltage, and, fan sensor.
    • New wbsio(4) driver for the Winbond LPC Super I/O ICs.
    • New adl(4) driver for the Andigilog aSC7621 temperature, voltage, and fan sensor.
    • The siop(4) driver now supports the (non-PCI) NCR 53c720/770 in big-endian mode.
    • New lmn(4) driver for the National Semiconductor LM93 sensor.


  • New tools:
    • snmpd(8), implementing the Simple Network Management Protocol.
    • The snmpctl(8) program controls the SNMP daemon.
    • The pcidump(8) utility displays the device address, vendor, and product name of PCI devices.
    • ldattach(8) is used to attach a line discipline to a serial line to allow for in-kernel processing of the received and/or sent data.


  • New functionality:
    • eeprom(8) is now able to display the OpenPROM device tree on systems that have it.
    • Support for X11 on sgi has been added.
    • The periodic security(8) reports now include package changes.
    • The cmpci(4) driver now supports multichannel audio playback if the hardware supports it.
    • The auvia(4) driver now supports multichannel audio playback if the hardware supports it.
    • The auich(4) driver now supports recording from the microphone as well as full-duplex mode.
    • The eso(4) driver now supports recording as well as full-duplex mode.
    • The ffs layer is now 64-bit disk block address clean. This means that disks, partitions and filesystems larger than 2TB are now supported, with the exception of statfs(2) and quotas.
    • DMA is now enabled for 1-sector devices such as flash drives, providing significant speed improvement.
    • Sparc and Sparc64 disklabels now provide automatic recognition of ext2fs partitions.
    • Filesystems on USB devices are automatically dismounted if the device is disconnected.
    • The configuration of carp(4) load balancing has been vastly simplified.
    • fstab(5) entries referring to non-existent mount points are now ignored, allowing subsequent entries to be processed.
    • Additional configuration files can now be included in pf.conf(5).
    • sppp(4) now has IPv6 support.
    • ipsec.conf(5) now supports defining 192 and 256 bit keysizes for AES.


  • Assorted improvements and code cleanup:
    • Improved support for an lkm(4) subsystem on amd64.
    • ossaudio(3) received several bug fixes and enhancements including but not limited to improved recording and full-duplex support.
    • audio(4) received several bug fixes and enhancements including but not limited to improved recording and full-duplex support.
    • make(1) was heavily modified, mostly to improve support for parallel build. Parallel builds now run commands in the same way the sequential builds do, and the output from commands is more readable. A large part of the source tree, xenocara, and quite a few ports now build correctly with make -j.
    • rcs tools improvements and bug fixes.
    • RTM_VERSION was increased so that all routing messages could be modified to include additional fields for upcoming networking features.
    • sendbug(1) has stricter comment parsing, to avoid mangling diffs.
    • umass(4) devices no longer detect bogus LUNs.
    • USB st(4) devices can now successfully disconnect.
    • More deviant umass devices accommodated.
    • svnd(4) devices now work on block devices.
    • disklabel(8) is now aware of NTFS partitions.
    • raidctl(8) now correctly handles trailing whitespace in configuration files.
    • mt(4) no longer triggers panics when processing the 'rewoffl' command.
    • raid(4) devices no longer hang when searching for components during boot.
    • sd(4) devices no longer receive spurious SYNCHRONIZE CACHE commands that confuse some hardware.
    • sd(4) no longer claims that SYNCHRONIZE CACHE commands are 16 bytes long when they are actually 10 bytes. Some devices took this too literally.
    • dhcpd(8) now always issues packets equal or larger than the minimum IP MTU.
    • disklabel(8) -E mode does not allow manual editing of the 'c' partition, which is always set to cover the entire disk.
    • disklabel(8) -E mode does not allow changing the cpg value of a partition.
    • disklabel(8) -E mode no longer permits assigning arbitrary sizes to FS_BOOT and FS_UNUSED partitions.
    • The bge(4) driver problems receiving jumbo frames have been resolved.
    • Many dangerous unsigned comparisons with -1 when checking the results of read and write calls have been eliminated.
    • The new M_ZERO flag for malloc(9) replaces many malloc+bzero/memset combinations, fixing a number of bugs in memory initialization and shrinking the kernel.
    • dhcpd(8) now correctly constructs response packets that use the overflow buffers to store options.
    • SCSI drivers are more reliable in MP machines due to better locking around command completion.
    • TCP responses to highly fragmented packets are now constructed without risking corruption of kernel memory.
    • Sockets now allow 4095 multicast group memberships.


  • Install/Upgrade process changes:
    • All platforms now have serial console support when installing.
    • Serial console speed is detected and appropriate /etc/ttys entries automatically created.
    • OpenBSD/vax now also has both kinds of install ISO CD images.
    • DNS server addresses are remembered if an install is restarted.
    • OpenBSD/sgi can now be installed using the glass console.


  • OpenBGPD 4.3:
    • Correctly handle prefixes which would cause a routing loop.
    • bgpctl's detailed RIB output shows additional attributes like extended communities or the cluster id list.


  • OpenNTPD 4.3:
    • Handle IP changes of clients more gracefully.
    • Log peer and sensor status to syslog if the majority of either is bad, or if a SIGINFO signal is received.
    • Allow offsetting of time sensors that have a systematic error.


  • OpenOSPFD 4.3:
    • Equal cost multipath support -- don't forget to set the right sysctls.
    • Parser and commandline options are now in sync with bgpd.


  • relayd 4.3:
    • hoststated(8)/hoststatectl(8) were renamed to relayd(8)/relayctl(8).
    • Improved configuration grammar for relayd.conf(5).
    • Allow sending SNMP traps via snmpd(8) when host states change.
    • Improved support for URL filtering and protocol actions.
    • Added support for UDP-based DNS relaying with request ID randomisation.
    • Various bug fixes, optimisations, and cleanups.
    • Improved reload support.


  • OpenSSH 4.8:
    • Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully.
    • Linked sftp-server(8) into sshd(8). The internal sftp server is used when the command "internal-sftp" is specified in a Subsystem or ForceCommand declaration. When used with ChrootDirectory, the internal sftp server requires no special configuration of files inside the chroot environment. Please refer to sshd_config(5) for more information.
    • Added a protocol extension method "posix-rename@openssh.com" for sftp-server(8) to perform POSIX atomic rename() operations.
    • Removed the fixed limit of 100 file handles in sftp-server(8). The server will now dynamically allocate handles up to the number of available file descriptors.
    • ssh(1) will now skip generation of SSH protocol 1 ephemeral server keys when in inetd mode and protocol 2 connections are negotiated. This speeds up protocol 2 connections to inetd-mode servers that also allow Protocol 1.
    • Accept the PermitRootLogin directive in a sshd_config(5) Match block. Allows for, e.g. permitting root only from the local network.
    • Reworked sftp(1) argument splitting and escaping to be more internally consistent (i.e. between sftp commands) and more consistent with sh(1). Please note that this will change the interpretation of some quoted strings, especially those with embedded backslash escape sequences.
    • Support "Banner=none" in sshd_config(5) to disable sending of a pre-login banner (e.g. in a Match block).
    • ssh(1) ProxyCommands are now executed with $SHELL rather than /bin/sh.
    • ssh(1)'s ConnectTimeout option is now applied to both the TCP connection and the SSH banner exchange (previously it just covered the TCP connection). This allows callers of ssh(1) to better detect and deal with stuck servers that accept a TCP connection but don't progress the protocol, and also makes ConnectTimeout useful for connections via a ProxyCommand.
    • Many new regression tests, including interop tests against PuTTY's plink.
    • SSH2_MSG_UNIMPLEMENTED packets did not correctly reset the client keepalive logic, causing disconnections on servers that did not explicitly implement "keepalive@openssh.com".
    • ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS, instead of the current standard RRSIG.
    • Correctly drain ACKs when a sftp(1) upload write fails midway, avoids a fatal(1) exit from what should be a recoverable condition.
    • Fixed packet size advertisements. Previously TCP and agent forwarding incorrectly advertised the channel window size as the packet size, causing fatal errors under some conditions.
    • Many more bugfixes. Please refer to the Release Notes.
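    A sshd_config(5) fragment that combines the options introduced above (the internal sftp server, ChrootDirectory, PermitRootLogin and Banner inside Match blocks), added here as an illustration; it is not taken from the release or from OpenSSH's own files. The group name sftponly and the 192.168.1.0/24 network are assumed.

```conf
# sshd_config(5) fragment for OpenSSH 4.8 (added example, not a shipped file)
Protocol 2
PermitRootLogin no
Banner /etc/issue.net

# Use the sftp server linked into sshd(8): no sftp-server binary, shell or
# libraries need to exist inside the chroot.
Subsystem sftp internal-sftp

# Members of the (assumed) group sftponly are confined to their home
# directory and can run nothing but the internal sftp server.  sshd refuses
# the chroot unless every component of the path is a root-owned directory
# that no other user or group can write, so /home/<user> itself must be
# root-owned; give the user a writable subdirectory (for example
# /home/<user>/upload) rather than loosening the permissions.
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    Banner none

# Root may log in only from the local network, and then only with a key.
Match Address 192.168.1.0/24
    PermitRootLogin without-password
```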


  • Over 4,500 ports, minor robustness improvements in package tools:
    • i386: 4782 sparc64: 4613 alpha: 4233 sh: 2046
    • amd64: 4708 powerpc: 4634 sparc: 3159 m68k: 830
    • arm: 3377 hppa: 3971 m88k: 27 mips64: 1897
    • vax: 296
    • Highlights include:
    • Gnome 2.20.3.
    • GNUstep 1.14.2.
    • KDE 3.5.8.
    • Mozilla Firefox 2.0.0.12.
    • Mozilla Thunderbird 2.0.0.12.
    • MySQL 5.0.51a.
    • OpenMotif 2.3.0.
    • OpenOffice.org 2.3.1.
    • PostgreSQL 8.2.6.
    • Xfce 4.4.2.


  • As usual, steady improvements in manual pages and other documentation.


  • The system includes the following major components from outside suppliers:
    • Xenocara (based on X.Org 7.3 + patches, freetype 2.3.5, fontconfig 2.4.2, Mesa 7.0.2, xterm 232 and more)
    • Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
    • Perl 5.8.8 (+ patches)
    • Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
    • OpenSSL 0.9.7j (+ patches)
    • Groff 1.15
    • Sendmail 8.14.1, with libmilter
    • Bind 9.4.2 (+ patches)
    • Lynx 2.8.5rel.4 with HTTPS and IPv6 support (+ patches)
    • Sudo 1.6.9p12
    • Ncurses 5.2
    • Latest KAME IPv6
    • Heimdal 0.7.2 (+ patches)
    • Arla 0.35.7
    • Binutils 2.15 (+ patches)
    • Gdb 6.3 (+ patches)

    If you'd like to see a list of what has changed between OpenBSD 4.2 and 4.3, look at http://www.OpenBSD.org/plus43.html.

    Thank you to all of the developers who make OpenBSD possible. Please be sure to make a donation to continue to make OpenBSD releases possible.

(Comments are closed)


Comments
  1. By Anonymous Coward (74.13.30.211) on

    > The new M_ZERO flag for malloc(9) replaces many malloc+bzero/memset combinations, fixing a number of bugs in memory initialization and shrinking the kernel.

    Is listed twice.

    Comments
    1. By Johan M:son Lindman (johan) on http://frink.mine.nu/~jl/dancing_johan.png

      > > The new M_ZERO flag for malloc(9) replaces many malloc+bzero/memset combinations, fixing a number of bugs in memory initialization and shrinking the kernel.
      >
      > Is listed twice.

      Not anymore...
      Thanks!

      Comments
      1. By Anonymous Coward (74.13.30.211) on

        > disklabel(8) -E mode no longer permits assigning arbitrary sizes to FS_BOOT and FS_UNUSED partitions.

        Too.

        Comments
        1. By Johan M:son Lindman (johan) on http://frink.mine.nu/~jl/dancing_johan.png

          > > disklabel(8) -E mode no longer permits assigning arbitrary sizes to FS_BOOT and FS_UNUSED partitions.
          >
          > Too.

          Your dup parser is working well, thanks again.

  2. By Kevin (163.192.21.63) on http://openbsd.somedomain.net/

    I've just downloaded the install43.iso files for Sparc64 and i386 and a few packages. Throughput from 'ftp.openbsd.org' was quite good.
    Tomorrow (5/1) I expect even the mirrors to be slow :)

    The best known torrents have been updated, but at the moment there are not nearly sufficient seeders.

    Comments
    1. By Anonymous Coward (64.253.108.203) on

      > I've just downloaded the install43.iso files for Sparc64 and i386 and a few packages. Throughput from 'ftp.openbsd.org' was quite good.
      > Tomorrow (5/1) I expect even the mirrors to be slow :)
      >
      > The best known torrents have been updated, but at the moment there are not nearly sufficient seeders.

      Very strange.. the torrents don't work with Transmission. Ktorrent is fine, though.

    2. By Anonymous Coward (213.185.19.190) on

      > I've just downloaded the install43.iso files for Sparc64 and i386 and a few packages. Throughput from 'ftp.openbsd.org' was quite good.
      > Tomorrow (5/1) I expect even the mirrors to be slow :)
      >
      > The best known torrents have been updated, but at the moment there are not nearly sufficient seeders.

      I just stopped seeding 4.2...

      Comments
      1. By Anonymous Coward (64.191.56.200) on

        > > I've just downloaded the install43.iso files for Sparc64 and i386 and a few packages. Throughput from 'ftp.openbsd.org' was quite good.
        > > Tomorrow (5/1) I expect even the mirrors to be slow :)
        > >
        > > The best known torrents have been updated, but at the moment there are not nearly sufficient seeders.
        >
        > I just stopped seeding 4.2...
        >

        The Torrent-Tracker should get listed at the Website for a place to get the install sets and co!

        Everybody could download the things he/she wants via torrent and later update (in case you ever see a package update :D)

    3. By Janne Johansson (2001:6b0:5:988:8584:23d6:69d2:4769) jj@inet6.se on .

      > I've just downloaded the install43.iso files for Sparc64 and i386 and a few packages. Throughput from 'ftp.openbsd.org' was quite good.
      > Tomorrow (5/1) I expect even the mirrors to be slow :)
      >
      > The best known torrents have been updated, but at the moment there are not nearly sufficient seeders.

      Working on it.

      Comments
      1. By Anonymous Coward (96.28.230.179) on

        > > I've just downloaded the install43.iso files for Sparc64 and i386 and a few packages. Throughput from 'ftp.openbsd.org' was quite good.
        > > Tomorrow (5/1) I expect even the mirrors to be slow :)
        > >
        > > The best known torrents have been updated, but at the moment there are not nearly sufficient seeders.
        >
        > Working on it.

        The transmission problem is really troubling, since transmissioncli is the best way to seed from OpenBSD servers in our data center. :(

        Hopefully someone will look into it. I am always thrilled to seed 100% legal torrents ;)


        Comments
        1. By Andrew Fresh (andrew) andrew@mad-techies.org on http://openbsd.somedomain.net

          > The transmission problem is really troubling, since transmissioncli is
          > the best way to seed from OpenBSD servers in our data center. :(

          It should work now. Transmission was sending the Host header with :80 at the end, but I think I solved that now.

          -RewriteCond ${lowercase:%{HTTP_HOST}} ^(.+)$
          +RewriteCond ${lowercase:%{HTTP_HOST}} ^([^:]*).*$
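          Review bot: the new pattern `^([^:]*).*$` also matches an empty Host header and then captures an empty string, where the old `^(.+)$` required at least one character, so whatever consumes %1 afterwards may now be handed an empty key; `^([^:]+)(:[0-9]+)?$` strips the `:80` while keeping the non-empty requirement and rejecting anything other than a numeric port suffix. A bracketed IPv6 literal such as `[::1]:80` would capture only `[` with either form, if that matters for the tracker.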

          > Hopefully someone will look into it. I am always thrilled to seed 100% legal torrents ;)

          Well, I finally figured it out, so go for it!

  3. By Anonymous Coward (87.72.215.200) on

    It should be OpenOSPFD not OpenSPFD.

  4. By Bayu Krisnawan (krisna) krisna@infobsd.org on http://www.infobsd.org

    Congrats & Thanks.

    It's Time.. to upgrade.

  5. By Anonymous Coward (89.102.94.11) on

    What a great job!

    Thanks for this cool piece of software.

  6. By Frederick Yanos (ntmyd8) fred.fredyanos@gmail.com on

    Great work guys!
    Congratulations for another release of OpenBSD. Long live Puffy!
    :)

  7. By EU Shop down? (80.216.212.174) on

    My wallet is ready and willing ;)
    But https://https.OpenBSD.org/cgi-bin/order.eu is down for me.

    Comments
    1. By Wim (88.82.33.37) wim@kd85.com on https://kd85.com/notforsale.html

      > My wallet is ready and willing ;)
      > But https://https.OpenBSD.org/cgi-bin/order.eu is down for me. 
      
      Bob's machine moved IP address a month ago and there are some people who can't seem to reach the new IP.

      What does a traceroute tell you? Do you get to Shawcable?

      It seems that if you are in JANET (the UK Academic Network) border routers filter outgoing traffic to 96.52.0.246 ;-)

      Or it could be just a temporary thing for you, try again.

      If everything fails, use my backup webform at https://kd85.com/notforsale.html

      Comments
      1. By sthen@ (2a01:348:108:155:20a:e4ff:fe2d:99ee) on http://spacehopper.org/up2date.html

        > Bob's machine moved IP address a month ago and there are some people who can't seem to reach the new IP.

        If you can't reach the new IP address, complain to your ISP with a traceroute. They or their upstream are almost certainly using an old bogon filter list. 96/8 was allocated in October 2006, anybody using this list _must_ track changes to it.

        Comments
        1. By sthen (2a01:348:108:155:20a:e4ff:fe2d:99ee) on http://spacehopper.org/up2date.html

          > > Bob's machine moved IP address a month ago and there are some people who can't seem to reach the new IP.
          >
          > If you can't reach the new IP address, complain to your ISP with a traceroute. They or their upstream are almost certainly using an old bogon filter list. 96/8 was allocated in October 2006, anybody using this list _must_ track changes to it.

          And if it doesn't reach your ISP, please check your own firewall rules for the same problem :-)

          Comments
          1. By Anonymous Coward (88.191.80.98) on

            > > > Bob's machine moved IP address a month ago and there are some people who can't seem to reach the new IP.
            > >
            > > If you can't reach the new IP address, complain to your ISP with a traceroute. They or their upstream are almost certainly using an old bogon filter list. 96/8 was allocated in October 2006, anybody using this list _must_ track changes to it.
            >
            > And if it doesn't reach your ISP, please check your own firewall rules for the same problem :-)

            Well I have a familiar problem.
            I can visit some websites just via Tor.
            From my FW directly it works perfectly but the clients in my LAN can't get a connection.

            If you claim that some PF rules could bring up this issue, please explain this to me in detail, because it seems I missed something.

            my pf-conf:

            ext = "pppoe0"
            int = "xl0"
            loop = "lo0"
            intnet = "192.168.1.0/24"
            router = "192.168.1.1"

            inservicestcp = "{ ssh }"
            set loginterface $ext
            set optimization aggressive
            set block-policy drop
            scrub on $ext all fragment reassemble random-id

            nat on $ext from $intnet to any -> $ext static-port

            #block on $ext
            block quick inet6
            pass quick on $loop
            pass out quick on $ext


            Also I face the problem that I get disconnected every 24 hours by my provider. I can then surf from the Firewall but always have to do a pfctl -F all -f /etc/pf.conf to "reset" the Firewall. I didn't find a solution for this while reading the manuals.

            Btw: Yes, the filtering WAS disabled on purpose!
            But even with a quick pass in, the clients won't be able to visit some websites, even though the FW can visit these sites without a problem.

            Thanks for every hint!


            Comments
            1. By Anonymous Coward (88.192.76.90) on

              > > > > Bob's machine moved IP address a month ago and there are some people who can't seem to reach the new IP.
              > > >
              > > > If you can't reach the new IP address, complain to your ISP with a traceroute. They or their upstream are almost certainly using an old bogon filter list. 96/8 was allocated in October 2006, anybody using this list _must_ track changes to it.
              > >
              > > And if it doesn't reach your ISP, please check your own firewall rules for the same problem :-)
              >
              > Well I have a familiar problem.
              > I can visit some websites just via Tor.
              > From my FW directly it works perfectly but the clients in my LAN can't get a connection.
              >
              > If you claim that some PF rules could bring up this issue, please explain this to me in detail, because it seems I missed something.
              >
              > my pf-conf:
              >
              > ext = "pppoe0"
              > int = "xl0"
              > loop = "lo0"
              > intnet = "192.168.1.0/24"
              > router = "192.168.1.1"
              >
              > inservicestcp = "{ ssh }"
              > set loginterface $ext
              > set optimization aggressive
              > set block-policy drop
              > scrub on $ext all fragment reassemble random-id
              >
              > nat on $ext from $intnet to any -> $ext static-port
              >
              > #block on $ext
              > block quick inet6
              > pass quick on $loop
              > pass out quick on $ext
              >
              >
              > Also I face the problem that I get disconnected every 24 hours by my provider. I can then surf from the Firewall but always have to do a pfctl -F all -f /etc/pf.conf to "reset" the Firewall. I didn't find a solution for this while reading the manuals.
              >
              > Btw: Yes, the filtering WAS disabled on purpose!
              > But even with a quick pass in, the clients won't be able to visit some websites, even though the FW can visit these sites without a problem.
              >
              > Thanks for every hint!
              >


              Try to use: tcpdump -i pflog0 -e -vv -t -s 1600
              There you should see which block rule the packet hits.

              Comments
              1. By Anonymous Coward (89.248.169.109) on

                > > > > > Bob's machine moved IP address a month ago and there are some people who can't seem to reach the new IP.
                > > > >
                > > > > If you can't reach the new IP address, complain to your ISP with a traceroute. They or their upstream are almost certainly using an old bogon filter list. 96/8 was allocated in October 2006, anybody using this list _must_ track changes to it.
                > > >
                > > > And if it doesn't reach your ISP, please check your own firewall rules for the same problem :-)
                > >
                > > Well I have a familiar problem.
                > > I can visit some websites just via Tor.
                > > From my FW directly it works perfectly but the clients in my LAN can't get a connection.
                > >
                > > If you claim that some PF rules could bring up this issue, please explain this to me in detail, because it seems I missed something.
                > >
                > > my pf-conf:
                > >
                > > ext = "pppoe0"
                > > int = "xl0"
                > > loop = "lo0"
                > > intnet = "192.168.1.0/24"
                > > router = "192.168.1.1"
                > >
                > > inservicestcp = "{ ssh }"
                > > set loginterface $ext
                > > set optimization aggressive
                > > set block-policy drop
                > > scrub on $ext all fragment reassemble random-id
                > >
                > > nat on $ext from $intnet to any -> $ext static-port
                > >
                > > #block on $ext
                > > block quick inet6
                > > pass quick on $loop
                > > pass out quick on $ext
                > >
                > >
                > > Also I face the problem that I get disconnected every 24 hours by my provider. I can then surf from the Firewall but always have to do a pfctl -F all -f /etc/pf.conf to "reset" the Firewall. I didn't find a solution for this while reading the manuals.
                > >
                > > Btw: Yes, the filtering WAS disabled on purpose!
                > > But even with a quick pass in, the clients won't be able to visit some websites, even though the FW can visit these sites without a problem.
                > >
                > > Thanks for every hint!
                > >
                >
                >
                > Try to use: tcpdump -i pflog0 -e -vv -t -s 1600
                > There you should see which block rule the packet hits.

                Well, I may have understood something wrong, but: which rule should have ANY effect? I don't filter anything.
                It should just "route" and it doesn't. :-(

                tcpdump -i pflog0 -e -vv -t -s 1600 shows nothing so far.

                I can visit google but not undeadly, visiting slashdot but not some other websites (like windowsupdate.microsoft.com). And I don't know what I could have done wrong with PF.
                Everything works if I do it on the router itself. :-(

                Also the problems after 24hrs are not connected to any "pf rule" I think. I'm still happy for any hints!

                Comments
                1. By Mitja (89.212.42.176) on

                  > > > nat on $ext from $intnet to any -> $ext static-port


                  > Also the problems after 24hrs are not connected to any "pf rule" I think. I'm still happy for any hints!

                  Sebastian,

                  instead of complaining for as long as I can remember that pf is not working with kernel pppoe - put brackets around your external interface in the nat line. You were told this many times, even by pppoe(4) author and the use of brackets in pf.conf is well documented.

                  So there will not be any misunderstanding, your nat rule should be

                  nat on $ext from $intnet to any -> ($ext)


                  This will cause pf to reload the nat rule every time the IP address on your external interface changes. It works.

            2. By sthen@ (85.158.45.32) on

              > Well I have a familiar problem.
              > I can visit some websites just via Tor.
              > From my FW directly it works perfectly but the clients in my LAN can't get a connection.
              >
              > If you claim that some PF-Rules could bring up this issue please explain me this in detail because it seams I missed something.

              > ext = "pppoe0"
              > scrub on $ext all fragment reassemble random-id

              Read pppoe(4) (section 4 not section 8, i.e. "man 4 pppoe") about max-mss.
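              Putting Mitja's and sthen's two suggestions side by side with the posted ruleset, as an added illustration that is not part of either reply and not the original poster's file: the nat line with the interface address looked up at run time, and TCP MSS clamping on the PPPoE link. The macros come from the posted pf.conf; the max-mss value of 1440 is an assumption (it matches the 1440-byte segments in the poster's own tcpdump) and should be checked against pppoe(4).

```conf
# /etc/pf.conf fragment, OpenBSD 4.3 syntax (added example, not the poster's file)
ext    = "pppoe0"
int    = "xl0"
loop   = "lo0"
intnet = "192.168.1.0/24"

set loginterface $ext
set block-policy drop

# Normalise traffic on the external link and clamp the TCP MSS.  pppoe0 has
# an MTU of 1492, but LAN clients negotiate an MSS sized for 1500-byte
# Ethernet, so a web server's full-size segments do not fit through the
# link.  Sites that drop ICMP "fragmentation needed" never learn this, the
# large reply is silently lost while small replies still arrive, and the
# page hangs from the LAN but loads from the firewall itself (whose own
# stack knows the real MTU).  Clamping to 1440 (assumed value) avoids that.
scrub on $ext all fragment reassemble random-id max-mss 1440

# Weak: "$ext" is expanded to the address pppoe0 had when the ruleset was
# loaded.  After the provider's 24-hour reconnect the interface gets a new
# address, NAT keeps rewriting to the stale one, and only reloading the
# ruleset (pfctl -f /etc/pf.conf) restores connectivity.
#nat on $ext from $intnet to any -> $ext static-port

# Corrected: "($ext)" makes pf look up the interface's current address each
# time the rule is evaluated, so an address change needs no reload.
nat on $ext from $intnet to any -> ($ext) static-port

block quick inet6
pass quick on $loop
pass out quick on $ext
```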

              Comments
              1. By Anonymous Coward (61.133.87.226) on

                > > Well I have a familiar problem.
                > > I can visit some websites just via Tor.
                > > From my FW directly it works perfectly but the clients in my LAN can't get a connection.
                > >
                > > If you claim that some PF-Rules could bring up this issue please explain me this in detail because it seams I missed something.
                >
                > > ext = "pppoe0"
                > > scrub on $ext all fragment reassemble random-id
                >
                > Read pppoe(4) (section 4 not section 8, i.e. "man 4 pppoe") about max-mss.
                >

                It has nothing to do with max-mss.
                I used ifconfig to do it, but I added your rules as well (it has no effect):

                vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1440
                lladdr
                media: Ethernet autoselect (100baseTX full-duplex)
                status: active
                inet6 fe80::216:17ff:feba:eb06%vr0 prefixlen 64 scopeid 0x1
                #


                Trying to visit e.g. http://marc.info/ from the client (the fw sniffs the traffic):

                1210011377.572526 82.175.78.36.61118 > 63.238.77.253.www: . [tcp sum ok] 1:1(0) ack 1 win 65535 (DF) (ttl 127, id 5231, len 40)
                1210011377.572671 82.175.78.36.61118 > 63.238.77.253.www: P [tcp sum ok] 1:467(466) ack 1 win 65535 (DF) (ttl 127, id 8589, len 506)
                1210011377.754395 63.238.77.253.www > 82.175.78.36.61118: . [tcp sum ok] 1:1(0) ack 467 win 6432 (DF) (ttl 55, id 1692, len 40)
                1210011377.756430 63.238.77.253.www > 82.175.78.36.61118: P [tcp sum ok] 1:246(245) ack 467 win 6432 (DF) (ttl 55, id 1693, len 285)
                1210011377.868387 82.175.78.36.61118 > 63.238.77.253.www: . [tcp sum ok] 467:467(0) ack 246 win 65290 (DF) (ttl 127, id 7502, len 40)

                As you can see: no response.
                It's the same for some, but not all, nor most, websites.
                undeadly and windowsupdate are two others. Those are the only sites I am aware of where it happens.

                And now I visit the site via lynx from the firewall:
                1210011323.325808 82.175.78.36.34071 > 63.238.77.253.www: . [tcp sum ok] 216:216(0) ack 167286 win 16384 <nop,nop,timestamp 1104546988 3290521592> (DF) (ttl 64, id 17137, len 52)
                1210011323.327965 63.238.77.253.www > 82.175.78.36.34071: . [tcp sum ok] 167286:168726(1440) ack 216 win 215 <nop,nop,timestamp 3290521592 1104546988> (DF) (ttl 55, id 53144, len 1492)
                1210011323.327978 63.238.77.253.www > 82.175.78.36.34071: FP [tcp sum ok] 168726:168771(45) ack 216 win 215 <nop,nop,timestamp 3290521592 1104546988> (DF) (ttl 55, id 53145, len 97)
                1210011323.328009 82.175.78.36.34071 > 63.238.77.253.www: . [tcp sum ok] 216:216(0) ack 168772 win 14899 <nop,nop,timestamp 1104546988 3290521592> (DF) (ttl 64, id 58348, len 52)
                1210011323.331180 82.175.78.36.34071 > 63.238.77.253.www: F [tcp sum ok] 216:216(0) ack 168772 win 16384 <nop,nop,timestamp 1104546988 3290521592> (DF) (ttl 64, id 28861, len 52)
                1210011323.505623 63.238.77.253.www > 82.175.78.36.34071: . [tcp sum ok] 168772:168772(0) ack 217 win 215 <nop,nop,timestamp 3290521611 1104546988> (DF) (ttl 55, id 53146, len 52)

                Please enlighten me if I may have overlooked something in the manpages...

                Comments
                1. By Anonymous Coward (61.133.87.226) on

                  Correction: No response -> "endless loading" in a browser until a timeout. Sorry, I chose the wrong word.
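The two replies above make two separate points about a kernel-pppoe gateway: the NAT target has to be written as ($ext) so pf tracks the interface's current address, and pppoe(4) recommends clamping the TCP MSS because the PPPoE link only has 1492 bytes of MTU. The following /etc/pf.conf fragment, in OpenBSD 4.3 syntax, is an added example written for this page and is not from any of the posters; the interface names, the LAN prefix and the choice of 1440 as the clamp value are assumptions for illustration.

```pf
# Added example (not from the thread): minimal pf.conf for an OpenBSD 4.3
# PPPoE gateway. Names below are assumptions, not the posters' values.
ext = "pppoe0"
int = "vr0"
intnet = "192.168.1.0/24"

# PPPoE leaves an MTU of 1492 on $ext. Clamping the MSS on the scrub rule
# keeps both ends from sending full-size segments that would need
# fragmentation. 1440 is the commonly used value (assumed here; pppoe(4)
# documents the max-mss option); 1452 = 1492 - 40 is the arithmetic ceiling.
scrub on $ext all fragment reassemble random-id max-mss 1440

# Wrong: "$ext" on the right-hand side expands to whatever address pppoe0
# had when the ruleset was loaded and goes stale after the PPP session
# renegotiates:
#   nat on $ext from $intnet to any -> $ext
# Right: parentheses tell pf to follow the interface's current address.
nat on $ext from $intnet to any -> ($ext)

# Plain stateful policy so the example loads as a whole ruleset.
block in on $ext all
pass out on $ext all keep state
pass in on $int from $intnet to any keep state
pass out on $int all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -sn` should print the nat rule with `(pppoe0)` still in parentheses rather than a fixed address, which is the sign that pf will re-evaluate it when the address changes. To confirm the clamp is taking effect, watch outgoing SYNs with `tcpdump -nvvi pppoe0 'tcp[13] & 2 != 0'` and look for the `mss` value in the printed TCP options.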

  8. By Shane J Pearson (203.20.79.132) on

    Another fantastic release! Thank you to all the devs and OpenBSD supporters!

  9. By Anonymous Coward (24.37.242.64) on

    Is it really meant to read 22nd and 23rd or 23rd and 24th instead of 23nd and 24rd? =)

    Comments
    1. By Anonymous Coward (89.24.71.145) on

      > Is it really meant to read 22nd and 23rd or 23rd and 24th instead of 23nd and 24rd? =)

      What about skipping one FTP release just to simplify the release counting?

      Comments
      1. By girarde (204.49.40.232) girarde@alum.rpi.edu on

        > > Is it really meant to read 22nd and 23rd or 23rd and 24th instead of 23nd and 24rd? =)
        >
        > What about skipping one FTP release just to simplify the releases counting?
        >
        >
        Sometimes, editing with s/23/24/ and s/22/23/ doesn't quite work the way you wanted. :-)

  10. By Andrés Delfino (190.188.174.126) adelfino@gmail.com on

    Thanks!!!

  11. By Fred Noz (69.200.225.109) fred@noz.net on

    The ftp2.usa.openbsd.org mirror is missing the packages directory under 4.3. Must be an oversight.

  12. By Anonymous Coward (85.97.19.146) on

    This is not actually news because OpenBSD is released every first of May and every first of November. If an OpenBSD release is delayed, well, that's news :-) Another unique feature of OpenBSD, thank you developers!

  13. By Anonymous Coward (198.175.14.193) on

    The software versions listed look like they're for 4.2 and not 4.3

    Comments
    1. By bud (63.227.26.49) on

      > The software versions listed look like they're for 4.2 and not 4.3

      Which is why Firefox is listed as 2.0.0.6, not 2.0.0.12, good catch!

    2. By Johan M:son Lindman (johan) on http://frink.mine.nu/~jl/dancing_johan.png

      > The software versions listed look like they're for 4.2 and not 4.3

      That was a copy-n-pasto by me, now fixed.
      Thanks.

  14. By Jeroen Janssen (J.Janssen) on http://opennsd.net

    If there is anyone who hasn't downloaded the ISO yet but wants to, here's a quick mirror in Amsterdam:

    http://openbsd.cc

  15. By Peter Curran (2001:4b10:100d:1:230:1bff:feb5:defb) peter@closeconsultants.com on

    Whereabouts is some documentation for the IPv6 support in sppp(4)? The man page says that IPv4 only is supported.

    Peter

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]