Contributed by grey on from the way too many questions at once dept.
We're currently trying to set up a transparent firewall with PF on OpenBSD 3.5, and have almost gotten it working, except we can't get FTP working properly no matter what we do.
We have a large block of IPs that have FTP servers of various types (Microsoft, Gene6, VSFTP, ProFTPD, etc) and thus, making server changes is not really possible. Whatever changes are made have to be by the firewall or by the client.
We have this right now:
rdr on $EXT proto tcp from any to any port 21 -> <ipgroup> port 21
rdr on $EXT proto tcp from any to any port 20 -> <ipgroup> port 20
We can connect to FTP servers behind the firewall and log in, but after that, we get 425 errors stating a loss of connection.
Can anybody help us please? What are we missing?
Trying to deal with higher layer protocols with a layer2 firewalling bridge seems like it might be asking for trouble; still, I seem to recall Lucent offering a Plan9/Inferno OS based L2 filtering firewall that I think may have supported FTP. I've looked around and haven't turned anything up, but perhaps one of our readers has some creative ideas that would make this work with a protocol which can be cumbersome to deal with even when keeping in mind the standard layer3 caveats with pf(4) and ftp-proxy(8).
yozo asks:
Is anyone working or planning to work on ACPI on OpenBSD?
My notePC is an ACPI compliant one; I wish I could "sleep" it instead of "shutdown" it.
Searching with the keywords "ACPI" and "OpenBSD", I found there was a discussion on misc@ in November 2003. People talked mainly about Intel ACPI-CA, which FreeBSD started importing, and Intel's licence may be a problem. Now NetBSD implements ACPI; I don't know whether they import from some project or write code from scratch.
I suppose right after the release of 3.6 is a good time to start implementing new functionality.
I seem to recall that a developer was taking another stab at this quite recently, but I am unaware of a timeline or how well the effort might be going. (Developer's name withheld in case I completely got acronyms mixed up and don't want to cause unneeded grief --grey).
bob asks:
Hi folks,
I'm looking for a proof of concept "chroot" sftp solution:
the goal: a "webspace" user is able to manage this "webspace" via scp/sftp, but only his "webspace"...
So far I've only found something along these lines:
An OpenBSD systrace() style jail for sftp.
here
and
CHRSH (a port from FreeBSD).
A chroot jail wrapper for ordinary Unix shells
here
So I'm asking for any opinions or best practices.
best bob
Some other directions I might offer would be restricted SCP-only shells, e.g. rssh and scponly, and you may want to look into a systraced shell such as stsh, as worked on by Jose Nazario, since I'm not aware of any recent revisions of the version which Dug Song introduced.
magi asks:
I'm planning on building an OpenBSD firewall and came across this recently :drool:. This, combined with the next-gen VIA C5J Esther processor (it will have on-die security and performance features that include support for execution (NX) protection, SHA hashing, RSA encryption, AES encryption, and a HW RNG), can become the ultimate CARP-enabled OpenBSD firewall in a 1U rackmount case. Hopefully the C5J motherboards will come with dual GigE and PCI Express.
Now that I have all of you drooling, a question for the audience... What do you guys use for your current high bandwidth firewall needs? What do you recommend for firewall hardware that will be able to handle GigE bandwidth?
Personally I'm awfully tempted by some of the upcoming AMD64 based motherboards, and Intel makes a quad gigE card that doesn't look too shabby. That said, those are not yet released, or not too widespread products, so what do some of our readers use for gigE pf installations?
Nick asks:
The OpenBSD project offers much in the way of cool merchandise - t-shirts, posters etc, but I would like to see a few more items. I own most of the t-shirts already, and am interested in offering different designs. I particularly like the Puffy from release 3.1.
What are the rules on using the artwork? Is it BSD licensed like the rest? Can I create derivative works and make my own shirt designs? I will of course be donating the profit from the sale to the project, with my time and effort in the design/procurement of the new gear as a donation (inspired by Jason Dixon's idea). I have also noted other comments on undeadly where folks are interested in branded but more subdued polo style shirts.
Thoughts and feedback appreciated.
You may want to start by culling through the mailing list archives, where I'm sure one could turn up many great ideas. However, keep in mind it's rare that people actually put action to words, which is what can make all the difference. I kept this question in the queue in hopes that more people might be inspired to act than just exchange thoughts.
And finally anonymous asks:
I'm thrilled that OpenBSD is starting to look more and more like a Cisco killer, what with CARP and advanced packet filtering features. Supposedly, even multipath routing is supported now (although I don't know anyone who's using it). I have a question for OpenBSD folks: are there any plans to implement any kind of bandwidth aggregation features? What standards currently exist for bandwidth aggregation, and what do developers think about their suitability (from both licensing and technical perspectives)?
Digging through the mailing list archives turns up some discussions of 802.3ad, but apropos on the term doesn't seem to yield any mention in the man pages. It sounds like it may be a case where the project will need some support for specific development efforts towards implementing this.
(Comments are closed)
By Anthony (68.145.111.152) on
That's why you don't have to register to post. :)
By tedu (67.124.88.60) on
http://marc.theaimsgroup.com/?l=openbsd-misc&m=108363701400214&w=2
if you really want to know more, i can go on and on. there's plenty of examples why acpi is wrong. like ibm thinkpad t40s. freebsd 4.10 apm doesn't work on them, probably because they've abandoned it for acpi. build an acpi kernel, and guess what you get? a hard freeze up every time you pull or plug the power cable. add in a few spontaneous reboots as a side bonus. fortunately, openbsd on the same computer attaches apm, everything works fine, and all is right with the world.
my two favorite "features" of acpi:
1. devices which don't work unless the acpi os string is "windows nt". no other changes necessary, but the computer won't work without that magic string. see section 11.16.5.1 of first link below.
2. cool shit like dumping and decompiling the acpi tables provided by the bios. why the hell should anybody have to deal with this?
you sure you want acpi? two links to review (they're fun to read even if you don't want acpi :)):
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/acpi-debug.html
http://q.dyndns.org/~blc/html/laptops/dsdt5350/
By mirabile (81.173.172.185) on http://mirbsd.de/
and amd64 laptops, too. In general, all laptops I've seen that have been bought in the last two years, and didn't come with Pentium M or Transmeta Crusoe.
By Stephan Tesch (84.245.190.2) stephan@tesch.cx on
I own an i8500 which runs OpenBSD. No problems so far with IRQs. But since you mentioned it: it seems like one IRQ is used for most of the devices. Certainly not what one wishes for. It's also true that this notebook doesn't support APM. Thus I'm unable to do even basic stuff like a 'halt -p' :-(
Stephan
By yozo (221.16.18.165) yozo@v007.vaio.ne.jp on
I read through this thread. My understanding is:
- implementation experience with a part of ACPI (related to CPU speed control) indicates that the full implementation is very tiresome. Moreover, it is known that several hardware platforms support ACPI badly; hence people may be confused even if ACPI is fully implemented. That's why I don't see an "active" ACPI implementation effort.
- more and more (Wintel) hardware supports ACPI, which cannot be controlled via APM. I suppose more and more people will ask about hibernation, cpucontrol, etc. I suppose OpenBSD should have certain functionality to support that hardware.
I'm not sure "supporting ACPI" is the right way, or whether there is an alternative way...
By brad (81.173.18.2) on
http://www.sublimation.org/scponly/
Also does sftp, available in Gentoo ports as well.
By canacar (195.175.37.10) on
1. you need to have an IP address on the bridge so that ftp-proxy can open connections and accept replies.
2. since the bridged packets do not make it to the IP stack unless they are destined to the machine itself, you need to explicitly route the redirected packets. The simplest is to use something like:
pass in proto tcp route-to lo0 from any to 127.0.0.1 port 8021
search the archives for details.
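Putting canacar's two points together with the rdr rules from the original question, the following is an added example of what a 3.5-era pf.conf for one FTP server behind a transparent bridge could look like. It is not from the original thread or from the OpenBSD project. The interface names (em0/em1 in bridge0), the bridge's own address 192.0.2.254, the protected server 192.0.2.10, the proxy port 8021 and the inetd line for the reverse-proxy mode (-R) of the inetd-based ftp-proxy(8) that shipped with 3.5 are all assumptions; adjust them to the real layout.

```pf
# Added example, not from the original post. Assumed layout:
#   em0 (outside) and em1 (inside) are both members of bridge0, and the
#   bridge carries its own IP address, 192.0.2.254 (assumed), so that the
#   proxy has a source address to open connections and receive replies.
#   One protected FTP server: 192.0.2.10 (assumed).
ext_if     = "em0"
int_if     = "em1"
bridge_ip  = "192.0.2.254"
ftp_srv    = "192.0.2.10"
proxy_port = "8021"

# Hand inbound control connections for the server to the reverse ftp-proxy
# listening on loopback (one proxy instance, and one rdr, per protected server).
rdr on $ext_if proto tcp from any to $ftp_srv port 21 -> 127.0.0.1 port $proxy_port

# Bridged packets never reach the local IP stack unless addressed to the
# machine itself, so route the redirected SYNs to lo0 explicitly
# (canacar's point 2). This replaces a plain "pass in" for port 21.
pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port $proxy_port flags S/SA keep state

# The proxy itself opens the control connection to the real server from the
# bridge's address; allow that leg towards the inside.
pass out on $int_if proto tcp from $bridge_ip to $ftp_srv port 21 flags S/SA keep state

# Assumed /etc/inetd.conf line starting the reverse proxy for this server:
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -R 192.0.2.10
# A second server would need its own rdr target port and its own inetd line.
```

Two caveats for a practitioner. First, this only covers the control channel; the data connections the proxy opens or accepts (in the port range ftp-proxy uses) still need their own pass rules on both bridge members, which is where the original poster's 425 errors would come from if forgotten. Second, the questioner's rdr for port 20 is not needed with a proxy in the path and should be dropped. To check that the redirect actually lands on the proxy, watch the state table with `pfctl -s state` while a client connects, and log the pass rule and read it back with `tcpdump -n -e -ttt -i pflog0`.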
By SleighBoy (64.146.180.98) on http://www.code.cx/
This is a good starter pf.conf:
http://www.oswars.net/downloads/OpenBSD/pf.conf.oswars
If your FTP client/server doesn't support passive FTP, it's time for an upgrade.