OpenBSD Journal

Ask undeadly: one post, six queries.

Contributed by grey on from the way too many questions at once dept.

We had a lot of reader submissions last week, which was quite nice - but while some were news related, quite a number of them were actually questions. Though there is no written rule, we've tried to keep to a question a week, and we've been following along mostly. However, after some discussion (basically me telling the other editors of this hare-brained scheme), I'm going to take a shotgun/six-shooter approach and roll all these into one post. Some questions may be better than others, and maybe this attempt will prove to be a misguided experiment, but here goes! Mike asks:

We're currently trying to set up a transparent firewall with PF on OpenBSD 3.5, and have almost gotten it working, except we can't get FTP working properly no matter what we do.

We have a large block of IPs that have FTP servers of various types (Microsoft, Gene6, VSFTP, ProFTPD, etc) and thus, making server changes is not really possible. Whatever changes are made have to be by the firewall or by the client.

We have this right now:

rdr on $EXT proto tcp from any to any port 21 -> <ipgroup> port 21
rdr on $EXT proto tcp from any to any port 20 -> <ipgroup> port 20

We can connect to FTP servers behind the firewall and log in, but after that, we get 425 errors stating a loss of connection.

Can anybody help us please? What are we missing?

Trying to deal with higher-layer protocols on a layer 2 firewalling bridge seems like it might be asking for trouble; still, I seem to recall Lucent offering a plan9/Inferno OS based L2 filtering firewall that I think may have supported FTP. I've looked around and haven't turned anything up, but perhaps one of our readers has some creative ideas that would make this work with a protocol which can be cumbersome to deal with even when keeping to the standard layer 3 caveats for pf(4) and ftp-proxy(8).

yozo asks:

Is anyone working or planning to work on ACPI on OpenBSD?
My notePC is an ACPI-compliant one; I wish I could "sleep" it instead of "shutdown" it.

Searching with the keywords "ACPI" and "OpenBSD", I found there was a discussion on misc@ in November 2003. People talked mainly about Intel ACPI-CA, which FreeBSD started importing, and Intel's licence may be a problem. Now NetBSD implements ACPI; I don't know whether they imported from some project or wrote the code from scratch.

I suppose right after the release of 3.6 is a good time to start implementing new functionality.

I seem to recall that a developer was taking another stab at this quite recently, but I am unaware of a timeline or how well the effort might be going. (Developer's name withheld in case I completely got acronyms mixed up and don't want to cause unneeded grief --grey).

bob asks:

Hi folks,

I'm looking for a proof of concept "chroot" sftp solution:
The goal: a "webspace" user is able to manage this "webspace" via scp/sftp, but only his "webspace"...

So far I've only found something along these lines:

An OpenBSD systrace() style jail for sftp.

CHRSH (a port from FreeBSD).
A chroot jail wrapper for ordinary Unix shells

So I'm asking for any opinions or best practices.

best bob

Some other directions I might offer would be restricted scp-only shells, e.g. rssh and scponly, and you may want to look into a systraced shell such as stsh, as worked on by Jose Nazario, since I'm not aware of any recent revisions of the version which Dug Song introduced.

magi asks:

I'm planning on building an OpenBSD firewall and came across this recently :drool:. This combined with the next-gen VIA C5J Esther processor (it will have on-die security and performance features that include support for execution (NX) protection, SHA hashing, RSA encryption, AES encryption, and a HW RNG) can become the ultimate CARP-enabled OpenBSD firewall in a 1U rackmount case. Hopefully the C5J motherboards will come with dual GigE and PCI-Express.

Now that I have all of you drooling, a question for the audience... What do you guys use for your current high bandwidth firewall needs? What do you recommend for firewall hardware that will be able to handle GigE bandwidth?

Personally I'm awfully tempted by some of the upcoming AMD64 based motherboards, and Intel makes a quad gigE card that doesn't look too shabby. That said, those are not yet released, or not too widespread products, so what do some of our readers use for gigE pf installations?

Nick asks:

The OpenBSD project offers much in the way of cool merchandise - t-shirts, posters etc, but I would like to see a few more items. I own most of the t-shirts already, and am interested in offering different designs. I particularly like the Puffy from release 3.1.

What are the rules on using the artwork? Is it BSD licensed like the rest? Can I create derivative works and make my own shirt designs? I will of course be donating the profit from the sale to the project, with my time and effort in the design/procurement of the new gear as a donation (inspired by Jason Dixon's idea). I have also noted other comments on undeadly where folks are interested in branded but more subdued polo style shirts.

Thoughts and feedback appreciated.

You may want to start by culling through the mailing list archives, where I'm sure one could turn up many great ideas. However, keep in mind it's rare that people actually put action to words, which is what can make all the difference. I kept this question in the queue in hopes that more people might be inspired to act than just exchange thoughts.

And finally anonymous asks:

I'm thrilled that OpenBSD is starting to look more and more like a Cisco killer, what with CARP and advanced packet filtering features. Supposedly, even multipath routing is supported now (although I don't know anyone who's using it). I have a question for OpenBSD folks: are there any plans to implement any kind of bandwidth aggregation features? What standards currently exist for bandwidth aggregation, and what do developers think about their suitability (from both licensing and technical perspectives)?

Digging through the mailing list archives turns up some discussions of 802.3ad, but apropos on the term doesn't seem to yield any mention in the man pages. It sounds like it may be a case where the project will need some support for specific development efforts towards implementing this.

(Comments are closed)

  1. By Venture37 ( on

    I know this sounds sh177y but it's not how I mean it! Aren't there the mailing lists & several forums where these questions can be asked???

    1. By Anthony ( on

      misc@ has a pretty broad definition of what constitutes a "stupid question". It can be an intimidating place to ask, and a lot of people just forget about it. Having a well known website publish Q's and A's can get to people that otherwise wouldn't bother.

      That's why you don't have to register to post. :)

    2. By Anonymous Coward ( on

      i don't mind seeing these technical questions on undeadly ... but will say that i really don't like the "shotgun" approach. reading through the replies will be tedious if you care about 1 post, and not the other X

      1. By Alan DeWitt ( on

        I agree. One question per thread would make it a heck of a lot easier to read. I don't have any problem at all with people asking questions here, at least until the article volume gets too large. (Too large > 5/day or thereabouts?)

        1. By knomevol ( on

          instead of putting these in the regular post section, create a tabbed QA forum and link it up. neve teg, dam teg t'nod

  2. By djm@ ( on

    I'm interested in implementing 802.3ad, but have only progressed as far as printing out the relevant bit of the spec :) It doesn't look too hard and I think that much of the bridge interface code could be reused.

    1. By tedu ( on

      then again, with falling gigabit prices, it's usually cheaper to go that way. unless you need multi-gigabit speeds.

      1. By djm@ ( on

        It is also useful for automagic link redundancy - .1ad includes a protocol for detecting failed links, though you can do this now with bridge interfaces and STP.

      2. By Matt Van Mater ( on

        I agree with DJM, this would be more useful to me as a means of automatic failover if a circuit ever dies. Aggregating more than one link is definitely useful, but I would appreciate the seamless failover aspect of it.

  3. By tedu ( on

    quoting right from the art page. "Most images provided here are copyright by OpenBSD, by Theo de Raadt, or by other members or developers of the OpenBSD group. However, it is our intent that anyone be able to use these images to represent OpenBSD in a positive light. So enjoy them and let the world see them, if that is your wish."

  4. By tedu ( on

    after you implement it, you know what you find out? it doesn't work as well as apm.

    if you really want to know more, i can go on and on. there's plenty of examples why acpi is wrong. like ibm thinkpad t40s. freebsd 4.10 apm doesn't work on them, probably because they've abandoned it for acpi. build an acpi kernel, and guess what you get? a hard freeze up every time you pull or plug the power cable. add in a few spontaneous reboots as a side bonus. fortunately, openbsd on the same computer attaches apm, everything works fine, and all is right with the world.

    my two favorite "features" of acpi:
    1. devices which don't work unless the acpi os string is "windows nt". no other changes necessary, but the computer won't work without that magic string. see section of first link below.
    2. cool shit like dumping and decompiling the acpi tables provided by the bios. why the hell should anybody have to deal with this?

    you sure you want acpi? two links to review (they're fun to read even if you don't want acpi :)):

    1. By Peter Hessler ( on

      Unfortunately, some crap likes acpi and not apm. (I don't have any of those devices, but I've seen many postings to mailing lists)

      1. By mirabile ( on

        My laptop's one of these, for instance. Most of my friends' i386 and amd64 laptops, too. In general, all laptops I've seen that have been bought in the last two years, and didn't come with Pentium M or Transmeta Crusoe.

    2. By James Nobis ( on

      Try running without acpi on a dell inspiron 8500. I unfortunately didn't learn the horror of acpi until I purchased this laptop. Well, I can get it to boot without acpi...if I display serial, parallel, usb, and firewire...not exactly an optimal solution. This laptop uses acpi for irq assignment...without acpi it runs out of irqs...yipee! It's running freebsd 5.2 and I plan to move over to netbsd 2.0 when it gets released later this month. Frankly all new x86 laptops have this crap and I'm ready to jump over to ppc hardware.

      1. By tedu ( on

        the aforementioned t40 works perfectly with openbsd. this is why it's important to keep the laptop page up to date. :)

      2. By Stephan Tesch ( on


        I own a i8500 which runs OpenBSD. No problems so far with IRQs. But since you mentioned it: It seems like one IRQ is used for most of the devices. Certainly not what one wishes for. It's also true, that this notebook doesn't support APM. Thus I'm unable to do even basic stuff like a 'halt -p' :-(


    3. By grange ( on

      Of course you better stay with legacy hardware that doesn't require ACPI as long as possible, but I'm not sure you'll be able to ignore it on i386/amd64/ia64 forever.

    4. By Anonymous Coward ( on

      I fail to see why it's ACPI's fault that you have broken hardware. Stop buying junk. ACPI is far superior to APM.

    5. By yozo ( on


      I read through this thread. My understanding is:
      - Implementation experience with a part of ACPI (related to CPU speed control) indicates that a full implementation is very tiresome. Moreover, it is known that several pieces of hardware support ACPI badly, hence people may be confused even if ACPI is fully implemented. That's why I don't see an "active" ACPI implementation effort.

      - More and more (Wintel) hardware supports ACPI, which cannot be controlled via APM. I suppose more and more people will ask about hibernation, cpucontrol, etc. I suppose OpenBSD should have certain functionality to support that hardware.
      I'm not sure "supporting ACPI" is the right way, or whether there is an alternative way...

  5. By brad ( on

    Also try scponly, works great in Linux.

    Also does sftp, available in Gentoo ports as well.

  6. By canacar ( on

    the bridge+ftp_proxy problem has been discussed many times on both misc@ and pf@benzedrine lists:

    1. you need to have an IP address on the bridge so that ftp_proxy can open connections and accept replies.

    2. since the bridged packets do not make it to the IP stack unless they are destined to the machine itself, you need to explicitly route the redirected packets. The simplest is to use something like:

    pass in proto tcp route-to lo0 from any to port 8021

    search the archives for details.
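As an added illustration of the two steps canacar gives above, applied to Mike's transparent-firewall question (this is not configuration from the original post, the comment, or the OpenBSD project; the interface names, the server addresses, and the 3.5-era inetd(8)-started ftp-proxy(8) listening on 127.0.0.1 port 8021 are assumptions):

```pf
# Assumed layout (not from the page): fxp0 faces the Internet, fxp1 faces the
# FTP servers, both are members of bridge0. OpenBSD's bridge(4) carries no
# address itself, so the address ftp-proxy(8) needs (step 1) goes on a member:
#   /etc/hostname.bridge0 :  add fxp0 add fxp1 up
#   /etc/hostname.fxp1    :  inet 192.0.2.1 255.255.255.0 NONE
# ftp-proxy(8) of that era is started from inetd(8) on the loopback address:
#   /etc/inetd.conf :  127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

ext_if = "fxp0"
int_if = "fxp1"
table <ftpservers> { 192.0.2.10, 192.0.2.11 }   # constructed example addresses

# The rules from the question, for comparison: they only hand ports 21 and 20
# to the servers, and nothing ever opens the dynamically negotiated data port,
# so the control channel logs in and the transfer then fails.
# rdr on $ext_if proto tcp from any to any port 21 -> <ftpservers> port 21
# rdr on $ext_if proto tcp from any to any port 20 -> <ftpservers> port 20

# Step 1: send the control connections to ftp-proxy instead. The proxy asks
# pf for the original destination, so one rule serves every server in the
# table and no server-side change is needed.
rdr on $ext_if proto tcp from any to <ftpservers> port 21 -> 127.0.0.1 port 8021

# Step 2: a bridged packet never enters the IP stack on its own, so route the
# redirected packets to lo0 explicitly (the rule quoted in the comment above).
pass in proto tcp route-to lo0 from any to port 8021 keep state

# Assumed: let the proxy's own control and data connections reach the servers
# from the member address; tighten to taste.
pass out on $int_if proto tcp from ($int_if) to <ftpservers> keep state
```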

  7. By Anonymous Coward ( on

    ...if someone were willing to fund (as best they could) development on cPCI gear, would anyone be interested? an employer of mine was looking to develop a sort of custom OC-3 router using hot-swappable cPCI gear and PMC cards. Significant amount of cheesy embedded linux support....nary a mention of (Free/Open/Net)BSD support. thoughts?

  8. By SleighBoy ( on

    Passive FTP works like a dream in and out through an OpenBSD transparent firewall.

    This is a good starter pf.conf:

    If your FTP client/server doesn't support passive FTP, it's time for an upgrade.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]