Re: Can't get carp to fail over all interfaces with pfsync
On Tue, Nov 10, 2009 at 7:25 PM, Otto Moerbeek o...@drijf.net wrote:
> On Tue, Nov 10, 2009 at 06:36:24PM +1100, Mikel Lindsaar wrote:
> > > Shouldn't you run different vhid ID of carp on different carp instance. Here you have Carp0 and carp 1 both running with vhid 1, so how will the system see them as different one?
> >
> > Initially I had them running as different VHIDs. carp0 was vhid 1 and carp1 was vhid 2, however, this did not work either... plus I would get unknown vhid errors in the netstat -s -p pfsync output if I had different vhids.
> >
> > Mikel
>
> Then you did something else wrong, like forgetting to change them on both hosts. Different carp interfaces should have different vhids. Also, a common error is to have (slightly) different ip's, netmasks or aliases on the carp interfaces for the two hosts.

Not disputing the fact that I have done something wrong, but perhaps my reply should have been more succinct, in that:

I tried with different VHIDs and the error was the same, ie, CARP still worked, however it did not increase the advskew on all carp interfaces on the same host when one carp interface was taken off line, preventing the backup firewall from preempting all interfaces.

To clarify, CARP is working in terms of redundancy; what does not seem to be working is the preempting of the primary firewall interfaces by the backup firewall should _one_ of the primary interfaces be taken off line.

I returned the interfaces to carp0 = VHID 1 and carp1 = VHID 2 on both firewalls... still the same preempting problem.

Mikel
Re: Can't get carp to fail over all interfaces with pfsync
On Tue, Nov 10, 2009 at 8:09 PM, Camiel Dobbelaar c...@sentia.nl wrote:
> > To clarify, CARP is working in terms of redundancy, what does not seem to be working is the preempting of the primary firewall interfaces by the backup firewall should _one_ of the primary interfaces be taken off line
>
> Use carpdemote. (man ifconfig and see also /etc/rc)

Yes, that works. I think the FAQ needs updating then. This part specifically does not seem correct:

http://www.openbsd.org/faq/pf/carp.html#forcefail

If you take the physical interface down with ifconfig, then pfsync will take all the other carp interfaces and take them off line. If you take a carp interface off line, then pfsync will not take the other carp interfaces off line.

To clarify. Primary firewall with two carp interfaces. Backup firewall with the same two carp interfaces.

If you do:

Primary Firewall # ifconfig carp1 down

then the result is:

Primary Firewall: carp0 MASTER, carp1 INIT
Backup Firewall: carp0 BACKUP, carp1 MASTER

And no traffic flows.

If you do:

Primary Firewall # ifconfig vr1 down

(vr1 is the interface carp1 is on) then the result is:

Primary Firewall: carp0 BACKUP, carp1 INIT
Backup Firewall: carp0 MASTER, carp1 MASTER

So that works as expected.

I will write a change for the FAQ.

Mikel
Can't get carp to fail over all interfaces with pfsync
Hi list,

So googled, went through http://www.openbsd.org/faq/pf/carp.html a few times as well as the archives, including one large thread which seemed to deal with this exact issue, but the solution was setting the VHID to the same on all carp interfaces (which I have already tried), and I can't see where I am screwing up.

CARP works, in terms of if I take one router down, the other router becomes master and when the first router comes back online, it preempts the master role back to itself. This is expected behaviour and works fine, I can reboot routers with impunity.

What is not working is if I stand on the master firewall and ifconfig carp0 down, then carp0 goes into INIT and the backup firewall carp0 goes into MASTER; however, the primary firewall carp1 still stays MASTER and the backup carp1 stays as BACKUP. As a consequence, traffic does not flow across the routers as you end up with:

FW1 CARP0 - INIT
FW1 CARP1 - MASTER
FW2 CARP0 - MASTER
FW2 CARP1 - BACKUP

If I then ifconfig carp1 down on the master firewall I get:

FW1 CARP0 - INIT
FW1 CARP1 - INIT
FW2 CARP0 - MASTER
FW2 CARP1 - MASTER

And traffic flows again.

This seems contrary to http://www.openbsd.org/faq/pf/carp.html which states if you init one interface, then all carp interfaces on that redundancy group will advertise an infinite advskew.

I have a pair of Soekris Net5501 routers with the following setup:

     +------| WAN/Internet |------+
     |                            |
    vr0                          vr0
  +-----+                      +-----+
  | fw1 |---vr3----------vr3---| fw2 |
  +-----+                      +-----+
     |                            |
   trunk1                      trunk1
     |                            |
  ---+--------Shared LAN----------+---

Trunk1 on both routers are two NICs (vr1 vr2) bonded in a trunk group.

Both routers are running 4.6 GENERIC#58 i386

On both firewalls, in pf.conf there is:

# Top of pf.conf is:
pfsync_if=vr3
carp_ext_if=carp0
carp_int_if=carp1
carpdevs={ vr0 vr1 vr2 carp0_ext_if carp1_ext_if }

# .. skip tables, rdr, nat etc ...

#near the top of the ruleset is:
set skip on lo
set skip on $pfsync_if
pass quick on $carpdevs proto carp

On both firewalls sysctl for carp is:

$ sysctl | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2

FW1 hostname.if files are:

$ cat /etc/hostname.carp0
inet 192.168.167.54 255.255.255.248 192.168.167.55 vhid 1 advskew 0 pass password
$ cat /etc/hostname.carp1
inet 192.168.110.254 255.255.255.224 192.168.110.255 vhid 1 advskew 0 pass password
$ cat /etc/hostname.pfsync0
up syncdev vr3
$ cat /etc/hostname.vr0
inet 192.168.167.52 255.255.255.248 NONE
$ cat /etc/hostname.vr1
up
$ cat /etc/hostname.vr2
up
$ cat /etc/hostname.vr3
inet 172.16.0.1 255.255.255.252 NONE

FW2 hostname.if files are:

$ cat /etc/hostname.carp0
inet 192.168.167.54 255.255.255.248 192.168.167.55 vhid 1 advskew 128 pass password
$ cat /etc/hostname.carp1
inet 192.168.110.254 255.255.255.224 192.168.110.255 vhid 1 advskew 128 pass password
$ cat /etc/hostname.pfsync0
up syncdev vr3
$ cat /etc/hostname.vr0
inet 192.168.167.53 255.255.255.248
$ cat /etc/hostname.vr1
up
$ cat /etc/hostname.vr2
up
$ cat /etc/hostname.vr3
inet 172.16.0.2 255.255.255.252 NONE

Netstat Returns:

fw1 $ netstat -s -p carp
carp:
        34 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for wrong TTL
        0 packets shorter than header
        0 discarded for bad checksums
        0 discarded packets with a bad version
        0 discarded because packet too short
        0 discarded for bad authentication
        0 discarded for unknown vhid
        0 discarded because of a bad address list
        580 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        2 transitions to master

fw1 $ netstat -s -p pfsync
pfsync:
        378 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for bad ttl
        0 packets shorter than header
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        0 packets discarded for bad action
        0 packets discarded for short packet
        0 states discarded for bad values
        0 stale states
        290 failed state lookup/inserts
        488 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        0 send error

fw2 $ netstat -s -p carp
carp:
        799 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for wrong TTL
        0 packets shorter
Re: Can't get carp to fail over all interfaces with pfsync
On Tue, Nov 10, 2009 at 5:37 PM, Daniel Ouellet dan...@presscom.net wrote:
> > FW1 hostname.if files are:
> >
> > $ cat /etc/hostname.carp0
> > inet 192.168.167.54 255.255.255.248 192.168.167.55 vhid 1 advskew 0 pass password
> > $ cat /etc/hostname.carp1
> > inet 192.168.110.254 255.255.255.224 192.168.110.255 vhid 1 advskew 0 pass password
> > $ cat /etc/hostname.pfsync0
>
> Shouldn't you run different vhid ID of carp on different carp instance. Here you have Carp0 and carp 1 both running with vhid 1, so how will the system see them as different one?

Initially I had them running as different VHIDs. carp0 was vhid 1 and carp1 was vhid 2, however, this did not work either... plus I would get unknown vhid errors in the netstat -s -p pfsync output if I had different vhids.

Mikel
HP DL360 Fan Control
I am looking at working out how to control the fans in a HP DL360. Right now, the fans start low, but if the room gets warm, they go to high (Boeing 747) volume, and the only way to put them back down to low, is a reboot, PITA. It looks like the HP website mentions OS specific system health drivers, which doesn't help too much as it is for Windows and precompiled. Does anyone have any idea on where to start? I am willing to dive into the source, but have never hacked on OpenBSD or an OS before, and not sure where to begin. I am willing to learn and have a system I can crash with abandon. Or even if there is a budding hacker out there, I can provide access to a freshly formatted box. Mikel
Re: HP DL360 Fan Control
> You could start here: http://people.freebsd.org/~jcagle/#ilo
>
> You could try to fiddle with the Web-based iLO (configure the 3rd ethernet port in the setup) and connect with a web browser...

I'll check that out, but from memory, couldn't find that setting last time I looked.

> BTW, HP (proliant?) DL360, which Generation? (Just curious)

HP DL360 G3

I work for a non profit and we have about 10 of these reconditioned. They do the job very well and are quite speedy for what we need... just very noisy, especially when they don't shut up :)

Mikel
On 4.4, ls /path/<tab><tab> apparently hanging disk subsystem
Hi all,

I have two HP DL380 G3 servers with two 36Gb SAS drives on it in a hardware RAID 1 mirror using the inbuilt raid controller.

When I do an ls /path/file<tab><tab> to get a possible match list, the server disk subsystem hangs. If I do ls /dev/<tab><tab> it always hangs, keyboard does not respond, can not ctrl-c or ctrl-alt-del. Have to cold reboot system.

The systems otherwise work fine except I have some problems using the com port. Which leads me to think it might be some sort of IRQ conflict in the system, but can't see what it might be.

The server will continue to route traffic over the network cards and PF continues to function, however, the only way to regain control of the system is by a full reboot. I have done this from both remote console and on the system console with the same consequences.

These are both production systems and so my testing has been sporadic. FWIW I have two other systems running OpenBSD 4.3 and I have never had this problem. Googling did not turn up any results.

Any ideas?

Mikel

$ dmesg
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.79 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 1073287168 (1023MB)
avail mem = 1029394432 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (49 entries)
bios0: vendor HP version P29 date 03/25/2003
bios0: HP ProLiant DL380 G3
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PCI1)
acpiprt2 at acpi0: bus 2 (PCI2)
acpiprt3 at acpi0: bus 3 (PCI3)
acpiprt4 at acpi0: bus 6 (PCI4)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CMIC-WS Host (GC-LE) rev 0x13
pchb1 at pci0 dev 0 function 1 ServerWorks CMIC-WS Host (GC-LE) rev 0x00
pci1 at pchb1 bus 3
pchb2 at pci0 dev 0 function 2 ServerWorks CMIC-LE rev 0x00
pci2 at pchb2 bus 1
ciss0 at pci2 dev 3 function 0 Compaq Smart Array 5i/532 rev.2 rev 0x01: irq 10
ciss0: 1 LD, HW rev 1, FW 2.76/2.76
scsibus0 at ciss0: 1 targets, initiator 1
sd0 at scsibus0 targ 0 lun 0: COMPAQ, LOGICAL VOLUME, 2.76 SCSI2 0/direct fixed
sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total
vga1 at pci0 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
Compaq iLO rev 0x01 at pci0 dev 4 function 0 not configured
Compaq iLO rev 0x01 at pci0 dev 4 function 2 not configured
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB5 rev 0x93: polling
iic0 at piixpm0
spdmem0 at iic0 addr 0x51: 256MB DDR SDRAM registered ECC PC2100CL2.5
spdmem1 at iic0 addr 0x52: 256MB DDR SDRAM registered ECC PC2100CL2.5
spdmem2 at iic0 addr 0x53: 256MB DDR SDRAM registered ECC PC2100CL2.5
spdmem3 at iic0 addr 0x54: 256MB DDR SDRAM registered ECC PC2100CL2.5
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus1 targ 0 lun 0: Compaq, DVD-ROM DV28EB01, D.2F ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: couldn't establish interrupt at irq 15
pchb3 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
pchb4 at pci0 dev 16 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb5 at pci0 dev 16 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci3 at pchb5 bus 6
em0 at pci3 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 7, address 00:12:79:9e:1a:8a
em1 at pci3 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 11, address 00:12:79:9e:1a:8b
Compaq PCI Hotplug rev 0x14 at pci3 dev 30 function 0 not configured
pchb6 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb7 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci4 at pchb7 bus 2
bge0 at pci4 dev 1 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 (0x1002): irq 7, address 00:0b:cd:2a:3a:51
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1 at pci4 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 (0x1002): irq 11, address 00:0b:cd:2a:3a:50
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq
spamd handling multiple sending servers
Hi all,

New user to spamd, love it.

In getting our low traffic email server running, the first thing I noticed while following the logs is that sites like gmail et al will retry a message from a different host. Sometimes gmail will send once, try again very soon again from the same host and then queue it, but the queued email might be sent by a different server.

I understand that spamd is tracking messages based on sender, receiver and IP address, and then this can cause the problem.

Has anyone looked at using the message ID in deciding to whitelist a host? ie, track the hosts by IP address, but if a previously greylisted host has sent message id 1234 and another host tries to redeliver 1234 within the passtime requirements, whitelist both?

Obviously it would be an optional flag, but it seems the likelihood of some spam bot being able to guess the message id and who has just sent you a message to bypass this would be low.

Open to ideas and if it is already on the cards great, if not, willing to look into the source myself.

Mikel
heartbeating Carp ?
Hi all,

I have a pair of firewalls using carp between them in front of some servers. Works really nice.

Today, however, I got an edge case on the firewalls. Firewall one was not accessible, and I couldn't access any firewall behind it. Getting into firewall 2 directly, I found that firewall 1 internal interface was up, but the external was unreachable.

I checked the carp interfaces and found that firewall 2 was advertising as a master on the external interface, but as a backup on the internal interface.

sshing over to firewall 1 on the dedicated cross over carp link, I found that firewall 1 was also advertising master on the external interface and master on the internal interface.

Firewall 1 could not ping past its external interface, though the network layer was up. Due to this, carp on Firewall 1 did not think it was down, and so, seemed to be ignoring the pre-emption being attempted by firewall 2.

So I ended up having packets going into firewall 2, but then trying to get out through firewall 1.

Both firewalls have the preempt option set in sysctl.conf

Manually failing firewall 1 did the trick and firewall 2 took over master on external and internal and all is good now.

We are still resolving why firewall 1 can't get out to the Internet, might be a specific routing or acl problem on the switch it is connected to, might be a hardware problem, not sure yet.

However, the question I have is how do others deal with this?

I was thinking a cron entry that periodically checks for connectivity both ways and sets the carp state to backup if the checks fail, but this sounds a bit off the cuff and hackish and could be prone to a race condition or ending up setting BOTH firewalls to backup at the same time... not so good I am thinking.

So needed is some sort of heartbeat. In this case, Carp didn't see anything wrong (interface was up, link was good, traffic being received... just no route anywhere and every packet sent got blackholed).

A bit of googling around didn't turn up anything obvious.

Any ideas?

Mikel
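One way to build the periodic uplink check this post asks about, using the carp demotion counter that the earlier carp thread points at (ifconfig carpdemote) instead of forcing an interface to backup. This is an added example, not code from the list; it assumes OpenBSD ifconfig(8) with the default "carp" interface group and its carpdemote/-carpdemote counters, and the probe addresses are constructed placeholders to be replaced with hosts beyond the external interface.

```shell
#!/bin/sh
# Uplink health check for a CARP pair: demote this host's carp group while
# its upstream is unreachable, and undo the demotion once it answers again.
# Added example, not from the thread. Assumes OpenBSD ifconfig(8) with the
# default "carp" interface group and the carpdemote/-carpdemote counters.

PROBE_HOSTS="${PROBE_HOSTS:-192.0.2.1 192.0.2.9}"   # constructed placeholders
DEMOTE_BY=50                                         # larger than the peer's advskew gap
STATE_FILE="${STATE_FILE:-/var/run/carp-uplink.demoted}"

# reachable_count HOST... -> prints how many of the hosts answered one ping.
reachable_count() {
    n=0
    for h in "$@"; do
        ping -c 1 -w 2 "$h" >/dev/null 2>&1 && n=$((n + 1))
    done
    echo "$n"
}

# decide_action ALIVE DEMOTED -> prints demote | restore | none
# ALIVE is the number of hosts that answered, DEMOTED is 1 if a demotion
# from an earlier run is still applied. Acting only on a transition keeps
# repeated cron runs from stacking demotions that must be unwound one by one.
decide_action() {
    alive=$1
    demoted=$2
    if [ "$alive" -eq 0 ] && [ "$demoted" -eq 0 ]; then
        echo demote
    elif [ "$alive" -gt 0 ] && [ "$demoted" -eq 1 ]; then
        echo restore
    else
        echo none
    fi
}

# apply_action ACTION -> adjusts the demotion counter on the whole carp
# group and records the change so the next run sees the current state.
apply_action() {
    case "$1" in
        demote)
            if ifconfig -g carp carpdemote "$DEMOTE_BY"; then
                : > "$STATE_FILE"
                logger -t carp-uplink "uplink down, carp group demoted by $DEMOTE_BY"
            fi
            ;;
        restore)
            if ifconfig -g carp -carpdemote "$DEMOTE_BY"; then
                rm -f "$STATE_FILE"
                logger -t carp-uplink "uplink back, demotion of $DEMOTE_BY removed"
            fi
            ;;
    esac
}

# run -> one iteration, meant to be called every minute from root's crontab.
run() {
    demoted=0
    [ -e "$STATE_FILE" ] && demoted=1
    # PROBE_HOSTS is deliberately unquoted so the list splits into arguments.
    alive=$(reachable_count $PROBE_HOSTS)
    apply_action "$(decide_action "$alive" "$demoted")"
}

case "${1:-}" in
    run) run ;;
esac
```

Because demotion only raises the advskew this host advertises rather than forcing it to BACKUP, a pair that loses its uplink at the same moment still elects one MASTER, which avoids the both-backup outcome the post worries about.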
Re: [OT] soekris4801: CF and hard disk ?
On Wed, Nov 26, 2008 at 8:27 AM, jul [EMAIL PROTECTED] wrote:
> is it possible to have both Compact Flash and Hard disk in this soekris at the same time?

Yes. Here is my dmesg for a net5501

I don't recall doing anything special. But I do think I installed OpenBSD on the sandisk first, then plugged in the HDD. Don't know if this actually affected anything.

Either way, I have two of these running in production, so I doubt it was a fluke :)

Mikel

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 536440832 (511MB)
avail mem = 510664704 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x30
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address 00:00:24:c9:a8:b8
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 VIA VT6105M RhineIII rev 0x96: irq 5, address 00:00:24:c9:a8:b9
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 VIA VT6105M RhineIII rev 0x96: irq 9, address 00:00:24:c9:a8:ba
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 12, address 00:00:24:c9:a8:bb
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 AMD CS5536 ISA rev 0x03: rev 0, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFH-1024
wd0: 4-sector PIO, LBA, 977MB, 2001888 sectors
wd1 at pciide0 channel 0 drive 1: ST9250827AS
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 AMD CS5536 USB rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 AMD CS5536 USB rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 10: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
biomask e5c5 netmask ffe5 ttymask ffe7
mtrr: K6-family MTRR support (2 registers)
uplcom0 at uhub1 port 1 Prolific Technology Inc. USB-Serial Controller rev 1.10/3.00 addr 2
ucom0 at uplcom0
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
Re: PF and the old SIP issue
On Thu, Nov 20, 2008 at 1:44 AM, marrandy [EMAIL PROTECTED] wrote:
> On Wednesday 19 November 2008 09:07:31 you wrote:
> > OpenBSD PF firewall consisting of ext, DMZ, internal/private interfaces.
> > VOIP server sitting in the DMZ.
> > Multiple (pick any number, 5, 10, 100) SIP phones in the private LAN.
> > Multiple mobile (pick any number, 5, 10, 100) SIP phones anywhere in the USA. (NOTE: Mobile means they are carried and plugged in anywhere, but are programmed with the static IP gateway address.
> > How would you create a working pf.conf file so everything 'just works'.
>
> Sounds like a lot of work. I need to go and hit the asterisk list. I'll let you know if I find anything out.

FWIW I run about 8 asterisk servers behind openbsd firewalls.

I have found the most non-problematic way to run them has been by using the asterisk servers as a SIP proxy for your SIP clients and making sure that canreinvite in asterisk is turned off, this increases your load on the asterisk server, but I haven't found that to be a real problem.

Your external SIP clients are going to have to connect to something. You need to define what you want to say are valid RTP ports, it's usually in the 1-2 range, but you need to set this up on your asterisk server appropriately.

Then on the firewall, using rdr rules you can redirect incoming SIP and RTP ports to your asterisk box internally.

Outgoing from the asterisk server is usually a no brainer, you might want to set pf to be conservative on reclaiming idle states though, I've found on occasion a disconnected sip line as all the activity happens on the RTP side.

You'll need incoming redirections on your SIP from your sip provider, or if you can, use IAX2, it handles firewalls much more gracefully.

Something like authpf can be used to open up the allow rules on the redirect.

Or you could use VPNs and make the external sip clients appear on your internal network, avoiding the whole redirect problem altogether. Though you would want to test this for phone quality.

I haven't tried this myself, but can't see why it wouldn't work.

YMMV and of course... tweak it to your own requirements.

Mikel
Re: Multipath to CISCO
On Wed, Nov 5, 2008 at 2:11 PM, Jussi Peltola [EMAIL PROTECTED] wrote:
> > The other option I believe would be using PF to round robin the packets on both destinations using route-to rules. Would this work?
>
> Why wouldn't it?

Not that I can think of, I guess that is why I am emailing the list :)

Just more wondering if anyone has had experience on this specifically.

> > I'm really trying to avoid having to buy an 1841. Don't have the budget or inclination to spend that much money for a little green box when I think my OpenBSD box can handle it.
>
> If you have two ethernets and you want to round-robin, trunk(4) might work too.

Yeah, that would work I guess, if I could get the modems into bridge mode and then talk directly to the central cisco. Not a bad idea.

--
http://lindsaar.net/
Rails, RSpec and Life blog
Re: Multipath to CISCO
On Thu, Nov 6, 2008 at 5:45 AM, andrew fresh [EMAIL PROTECTED] wrote:
> On Wed, Nov 05, 2008 at 09:40:02AM +, Stuart Henderson wrote:
> > On 2008-11-05, Mikel Lindsaar [EMAIL PROTECTED] wrote:
> > > The other option I believe would be using PF to round robin the packets on both destinations using route-to rules. Would this work?
> >
> > it should, but you might need to make the rules stateless (no state).
>
> It works, and you do.
>
> SNIP EXAMPLE

Thanks heaps Andrew.

Mikel

--
http://lindsaar.net/
Rails, RSpec and Life blog
Multipath to CISCO
Hi all,

I am trying to get 4mb/s of IAX2 voice traffic to a single VOIP provider using an IAX2 trunk down here in Australia.

One of the options we have is getting a 4mb SHDSL connection with an ISP. The ISP usually want to install a CISCO 1841 with two WIC1-SHDSL cards at a lease rate of $2,400 per annum. I don't want to spend that much money on a router, especially one that I won't own at the end. Unfortunately purchasing a $4,500 router is not really an option right now.

So I spoke with the ISP and they are willing to help me work out a more cost effective solution.

The plan is to terminate two SHDSL connections on two separate SHDSL ethernet modems, which will just forward the packets to the other end. The network between the OpenBSD box and the modems will be a publicly routable /29. The ISP will then round robin the packets down to me, and I want to round robin the packets back to them.

After reading http://www.openbsd.org/faq/faq6.html it looks that equal cost routing will not do what I want as it looks like each destination is mapped to one possible route out of a pool, which I believe means I'll only ever get 2mb/s per VOIP peer I connect to.

The other option I believe would be using PF to round robin the packets on both destinations using route-to rules. Would this work?

At the ISP end we will be terminating into the back of a CISCO. The ISP is willing to work out what we need to make it work.

I'm really trying to avoid having to buy an 1841. Don't have the budget or inclination to spend that much money for a little green box when I think my OpenBSD box can handle it.

Has anyone done something like this? Any pointers?

Thanks

Mikel
Re: newbie network segment routing query
On Wed, Nov 5, 2008 at 3:16 AM, John . [EMAIL PROTECTED] wrote:
> fxp0 to the speedtouch
> fxp1 for a network that I want to be unfiltered, in other words, real IPs (wired)
> fxp2 the top usable real IP - this I want to nat behind, it is for wireless
> fxp3 is unused.
>
> Is this a DMZ for fxp1? I don't need this traffic to be processed by the openbsd box, I just want it to go down the right interface. From what I've read, a DMZ involves some queuing/processing. Not sure if my nomenclature is right for what I'm describing.
>
> Is there a howto for what I'm trying to do? Do I have to split the /28?

Basically you need to make a bridge between fxp0 and fxp1. I do this exact setup in one of our locations. The basic steps run like this:

1) Put one address from the /28 on the Speedtouch ethernet interface.
2) Put one address from the /28 on the OpenBSD box
3) Disable pf (pfctl -d)
4) Make sure you can ping the speedtouch and get out to the Internet.
5) Setup a bridge on fxp0 to fxp1 per the OpenBSD FAQ
6) Setup a computer on the fxp1 network and give it an IP from the /28
7) Make the default gateway on the computer on the fxp1 network equal the speed touch IP address
8) Make sure you can get out to the Internet on the computer on the fxp1 network.
9) Open your pf.conf file and add 'skip on fxp0 fxp1' for now
10) Put pass all in your pf.conf for now
11) Enable pf and make sure you can still ping the internet from your OpenBSD box and the computer on your network
12) Setup NAT on fxp2 per the FAQs
13) Setup a computer on the fxp2 network and make sure you can ping and get out to the internet
14) Go back through your pf.conf and put in the firewall rules you need.

Hope that helps.

Mikel

--
http://lindsaar.net/
Rails, RSpec and Life blog
Re: Sensor data and RAID notifications help wanted
On Sun, Nov 2, 2008 at 3:28 PM, Mikel Lindsaar [EMAIL PROTECTED] wrote:
> 2008/11/2 Constantine A. Murenin [EMAIL PROTECTED]:
> > Have you tried enabling ipmi (boot -c enable ipmi quit)? It is disabled mostly due to some problems with IBM servers, AFAIK...
>
> Thank you very much! This handled it!

For Google's sake, here is a write up on how to enable it step by step...

http://www.lindsaar.net/2008/11/1/openbsd-raid-and-temp-sensors-on-hp-proliant-dl-360-and-380-series

--
http://lindsaar.net/
Rails, RSpec and Life blog
Re: OpenBSD 4.4 released, Nov 1. Enjoy!
On Sat, Nov 1, 2008 at 6:11 PM, my mail [EMAIL PROTECTED] wrote:
> --- On Fri, 10/31/08, Theo de Raadt [EMAIL PROTECTED] wrote:
> > We are pleased to announce the official release of OpenBSD 4.4.

Thanks again for your work Theo et al...
Sensor data and RAID notifications help wanted
Hi all,

I want to help get the HP Proliant sensors working with OpenBSD.

I work with several non-profit organizations and so, as a group, we have gotten some HP Proliant G3 servers. 12 of them. They are nice and cheap (being 2 years old) and have proven to be quite a reliable unit so far. We have OpenBSD on 6 of these.

However, I can't get much data out of them. The two scary things that I want to handle are getting temperature data of the system and also alerts / notifications of failing RAID sets.

I have two units that are not being used right now (one DL360 G3 and one DL380 G3) and I could put both of these on the Internet with an ILO connection to it (provides console access and ability to reboot the unit remotely, access the BIOS etc) with OpenBSD 4.4 on it if anyone is interested in playing with it to help get this implemented.

I would love to help and if a developer feels like diving in and doing some work on it, I should be able to gather some funds or goods together to help pay for the trouble. The servers and myself are in Sydney Australia FWIW.

From what I know, there are hpasm drivers for FreeBSD available that might be able to be ported across. The FreeBSD RAID drivers do detect RAID set changes in the units and log to syslog these changes which I can capture and raise SNMP traps with. This might be a good place to start. However, unfortunately, my knowledge of C is nowhere near the ballpark of coding system drivers, though I would love to learn.

If anyone is interested, please email me on or off list. Your choice.

Mikel Lindsaar
Re: Sensor data and RAID notifications help wanted
2008/11/2 Constantine A. Murenin [EMAIL PROTECTED]:
> Have you tried enabling ipmi (boot -c enable ipmi quit)? It is disabled mostly due to some problems with IBM servers, AFAIK...

Thank you very much! This handled it!

Mikel
How to debug IPSec and PF problem
Hi all,

I've got a VPN running between two networks. Works fine for basically everything and very easy to setup, kudos to the guys that worked on ipsecctl and isakmpd.

I have one problem though that I am trying to debug. Network looks like this:

192.168.11.250  # Asterisk1
      |
      |
192.168.11.1    # OpenBSD1 4.3
      |
      |
      # VPN
      |
192.168.4.1     # OpenBSD2 4.3
      |
      |
192.168.4.250   # Asterisk2

Firstly, I can ssh from any box to any box over the VPN. This works fine. So the basic VPN is functional.

Secondly, 192.168.4.1 has several different routes out of it and a fairly complex setup in pf.conf and this is what I think I have misconfigured.

I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2. The traffic is running and I get the traffic flowing from one end to the other, but return traffic is getting blocked or misrouted.

Tcpdump on 192.168.4.250 eth0: I see the packets from 192.168.11.250 arriving and packets from 192.168.4.250 leaving.
Tcpdump on 192.168.4.1 enc0: I see the packets from 192.168.11.250 arriving and packets from 192.168.4.250 leaving.
Tcpdump on 192.168.11.1 enc0: I only see the 192.168.11.250 packets.
Tcpdump on 192.168.11.250 eth0: I only see the 192.168.11.250 packets.

I have disabled any firewalls on both asterisk boxes, but this makes no change. Disabling pf on the 192.168.11.1 box makes no change. I can't disable pf on 192.168.4.1 right now (could schedule a time later)

I believe the problem is somewhere in 192.168.4.1's pf.conf or route table.

Now, I know this email contains nowhere near all the data needed to debug this by someone on list, but I want to work it out myself and I have a few questions.

1) Is the ipsec tunnel just treated like a standard interface by PF?

2) How and when does the ipsec tunnel grab packets to send through the tunnel? I can't see any route entries or the like. I assume it attaches somehow the same way PF does and intercepts packets.

And probably most importantly:

3) What is the best way to find what rule in PF is matching the IAX UDP packet stream? I'm not getting anywhere with eyeballing it.

If I can find how the packet is moving through the stack, I am sure I can fix the darn thing.

Thanks

Mikel
Re: How to debug IPSec and PF problem
On Wed, Oct 29, 2008 at 8:06 PM, Christoph Leser [EMAIL PROTECTED] wrote:
> On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote:
>> I've got a VPN running between two networks. Works fine for basically
>
> If so why would traffic from one LAN host at the 192.168.4. end be any different to the others? There is nothing magic about asterisk.
>
> 3. tcpdump on the other interfaces of your bsd boxes might help to discover the missing packets ( if, as Rod suspects, they are just routed into the cloud

OK, turns out the problem was a state entry. I did

pfctl -k 0.0.0.0/0 -k 192.168.11.250

and all was good. Thanks for your pointers though.

Mikel
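The fix in this thread was to kill a stale state entry for the Asterisk host. The script below is an added example, not code from the thread or from OpenBSD: it parses `pfctl -ss` output, lists the state entries that involve a given host and port, and flags any that are bound to an interface other than the one the traffic is supposed to use (enc0 for the tunnel). A state pinned to the wrong interface is exactly the kind of entry that sends return traffic down the wrong path, and the same `pfctl -k` form used above is what clears it. The sample lines are constructed to mirror the `pfctl -ss` layout (interface, protocol, endpoints, state) and the arrow is read as pointing toward the destination; the addresses, interface names and state values are assumptions, not captured from the poster's firewall.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `pfctl -ss` output; addresses, interfaces and state
# values are assumptions, not captured from the poster's firewall.
SAMPLE_STATES = """\
all udp 192.168.4.250:4569 <- 192.168.11.250:4569       MULTIPLE:MULTIPLE
vr0 udp 192.168.4.250:4569 -> 192.168.11.250:4569       MULTIPLE:SINGLE
enc0 tcp 192.168.4.250:22 <- 192.168.11.250:51022       ESTABLISHED:ESTABLISHED
enc0 udp 192.168.4.1:500 <- 192.168.11.1:500       MULTIPLE:MULTIPLE
"""

# interface, protocol, endpoint [(translated endpoint)], arrow, endpoint, state
STATE_RE = re.compile(
    r'^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+'
    r'(?P<left>\S+)(?:\s+\([^)]*\))?\s+'
    r'(?P<arrow><-|->)\s+'
    r'(?P<right>\S+)(?:\s+\([^)]*\))?\s+'
    r'(?P<state>\S+)$'
)


@dataclass
class State:
    ifname: str
    proto: str
    src: str     # "host:port"
    dst: str     # "host:port"
    state: str


def split_endpoint(endpoint: str):
    """'192.168.11.250:4569' -> ('192.168.11.250', '4569')."""
    host, _, port = endpoint.rpartition(':')
    return host, port


def parse_states(text: str) -> List[State]:
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m is None:
            continue   # skip anything that is not a state line
        # The arrow points at the destination: "src -> dst" or "dst <- src".
        if m['arrow'] == '->':
            src, dst = m['left'], m['right']
        else:
            src, dst = m['right'], m['left']
        states.append(State(m['ifname'], m['proto'], src, dst, m['state']))
    return states


def states_involving(states, host, port=None) -> List[State]:
    """All states where host (and optionally port) is either endpoint."""
    hits = []
    for s in states:
        for endpoint in (s.src, s.dst):
            h, p = split_endpoint(endpoint)
            if h == host and (port is None or p == str(port)):
                hits.append(s)
                break
    return hits


def states_off_path(states, host, expected_if, port=None) -> List[State]:
    """States for host bound to an interface other than the one the traffic
    should use. 'all' is a floating state (rule without 'on') and is not
    flagged. A hit here is the kind of stale entry that pins return traffic
    to the wrong interface."""
    return [s for s in states_involving(states, host, port)
            if s.ifname not in (expected_if, 'all')]


def kill_argv(host: str) -> List[str]:
    """The pfctl invocation used in the thread: kill states from any source
    to the given host."""
    return ['pfctl', '-k', '0.0.0.0/0', '-k', host]


if __name__ == '__main__':
    parsed = parse_states(SAMPLE_STATES)
    for s in states_off_path(parsed, '192.168.11.250', 'enc0', 4569):
        print(f'off-path state on {s.ifname}: {s.proto} {s.src} -> {s.dst} ({s.state})')
    print(' '.join(kill_argv('192.168.11.250')))
```

On a live box the input would come from `pfctl -ss` rather than the constructed string; the point of running it first is that you see which entry is wrong before killing anything, since `-k` with a network as the first argument clears every state to that host.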
Management of HP Proliant DL and BL Series
I've got a few (10) HP DL and BL servers running OpenBSD. These are spread out over several sites and run our firewalls and monitoring servers. Trying to find the best way to monitor them for drive, psu failures etc. Has anyone had any success along this line? Looking at the various sites, the best option seems to be trying to get the HP Linux health drivers working to generate traps, but don't know if trying to do this is pie in the sky. What tools / options would you recommend? Mikel
Re: Shutdown with the power button
On Thu, Oct 16, 2008 at 11:54 PM, [EMAIL PROTECTED] wrote:
> On Thu, Oct 16, 2008 at 11:30:02PM +1100, Mikel Lindsaar wrote:
>> Hmm... here is the dmesg then any ideas?
>
> looks like you're missing an acpibtn (man acpibtn).

Thanks Peter, that is the case and it looks like the why on the problem.

Any pointers on how to get it enabled? Looking through the BIOS settings, there isn't an APM section at all that I can see, this is a 1RU server, so that doesn't really surprise me.

Mikel
Shutdown with the power button
Hi list,

Wondering if anyone knows how (or if it is possible) to be able to gracefully power down an OpenBSD box by hitting the power button on the server. Useful when you need someone to power down a system (like in a power failure situation) but there is no console attached.

FreeBSD and Linux provide what I am talking about, hit the power button and it looks like the equiv of a halt -p - but I don't want to use Linux or FreeBSD on these firewall boxes.

Not something I would use very often, but two nights ago really needed it. The OpenBSD box ended up having a hard power switch off instead of a clean shutdown.

The server in question is a HP DL 360.

Thanks,
Mikel
Re: Shutdown with the power button
On Thu, Oct 16, 2008 at 11:22 PM, Gregory Edigarov [EMAIL PROTECTED] wrote:
> Mikel Lindsaar wrote:
>> Wondering if anyone knows how (or if it is possible) to be able to gracefully power down an OpenBSD box by hitting the power button on the server.
>
> Mine does clean shutdown on power button just from the box

Hmm... here is the dmesg then any ideas?

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.06GHz (GenuineIntel 686-class) 3.07 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 2147028992 (2047MB)
avail mem = 2068054016 (1972MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (42 entries)
bios0: vendor HP version P31 date 03/03/2005
bios0: HP ProLiant DL360 G3
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PCI1)
acpiprt2 at acpi0: bus 4 (PCI2)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CNB20-HE Host (GC-LE) rev 0x31
pchb1 at pci0 dev 0 function 1 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pchb2 at pci0 dev 0 function 2 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci1 at pchb2 bus 1
em0 at pci1 dev 1 function 0 Intel PRO/1000MT (82546EB) rev 0x01: irq 15, address 00:04:23:c8:03:f6
em1 at pci1 dev 1 function 1 Intel PRO/1000MT (82546EB) rev 0x01: irq 11, address 00:04:23:c8:03:f7
bge0 at pci1 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 (0x1002): irq 11, address 00:0b:cd:83:67:89
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
vga1 at pci0 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ciss0 at pci0 dev 4 function 0 Compaq Smart Array 5i/532 rev.2 rev 0x01: irq 3
ciss0: 1 LD, HW rev 1, FW 2.76/2.76
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: COMPAQ, LOGICAL VOLUME, 2.76 SCSI2 0/direct fixed
sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total
Compaq iLO rev 0x01 at pci0 dev 5 function 0 not configured
Compaq iLO rev 0x01 at pci0 dev 5 function 2 not configured
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB5 rev 0x93: polling
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM registered ECC PC2300CL2.5
spdmem1 at iic0 addr 0x52: 512MB DDR SDRAM registered ECC PC2100CL2.5
spdmem2 at iic0 addr 0x54: 512MB DDR SDRAM registered ECC PC2100CL2.5
spdmem3 at iic0 addr 0x56: 512MB DDR SDRAM registered ECC PC2100CL2.5
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: COMPAQ, CRN-8245B, 2.19 SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: no compatibility interrupt for use by channel 1
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: irq 10, version 1.0, legacy support
pchb3 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
pchb4 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb5 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci2 at pchb5 bus 4
bge1 at pci2 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 (0x1002): irq 15, address 00:0b:cd:83:67:ab
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 ServerWorks OHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 65ed netmask eded ttymask ffef
mtrr: Pentium Pro MTRR support
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
PF rule evaluation
Hello list,

I have purchased and read the book of PF (good book by the way) as well as the man pages, and I have a question that I have not been able to find a definitive answer on:

Does PF only evaluate every packet against the ruleset once on all interfaces, or does it evaluate once for each interface? What I mean is, does a matching pass quick rule on one interface (say $int_if) then also guarantee egress on another interface that has a block rule?

Per pf.conf(5):

    For each packet processed by the packet filter, the filter rules are evaluated in sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the packet, the default action is to pass the packet.
    ...
    If a packet matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

But this only says 'for each packet processed' not how many times it may or may not process that packet. I assume it does it just once, but I have been wrong before :)

For a contrived example:

1 pass in quick on $int_if route-to ($ext_if, $ext_gw) from any to any
2 block out quick on $ext_if from any to any

Given a packet coming in on $int_if, rule(1) matches so rule(2) would not be evaluated. Given a packet originating from localhost, rule(1) does not match so rule(2) would be matched.

Am I correct on this understanding?

Mikel
Re: PF rule evaluation
On Mon, Aug 25, 2008 at 11:33 AM, Aaron Stellman [EMAIL PROTECTED] wrote:
> On Mon, Aug 25, 2008 at 11:05:38AM +1000, Mikel Lindsaar wrote:
>> I have purchased and read the book of PF (good book by the way) as well as the man pages, and I have a question that I have not been able to find a definitive answer on:
>>
>> Does PF only evaluate every packet against the ruleset once on all interfaces, or does it evaluate once for each interface?
>
> If your default action is `block' and you want to allow a packet to be routed through 2 interfaces on a multihomed box, you'd need two rules:
> 1st rule to allow packet `in' on the first interface
> 2nd rule to allow packet `out' from the second interface
>
> I hope this answers your question.

Thanks for your answer. That mostly answers it.

Might be a good thing to modify the man page on the quick keyword... So instead of this in pf.conf(5):

    quick   If a packet matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

We should change it to something like this: ?

    quick   If a packet matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped. Note, if the rule using the quick directive states a specific interface, then using quick on a packet does not guarantee that the packet will make it through the rule set of a different interface. If using quick on a specific interface, then you will need additional rules on other interfaces to approve or block the packet. If you want a packet to be globally affected as the last matching rule, then be sure not to specify an interface when using the quick directive.

Although it is a bit wordy, is that the correct idea?

If that is the case, then this shows a perfect use of the tagging features of PF. I could tag a packet as 'approved' and then do pass quick on the other interfaces for these packets.

Mikel
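To make the "one evaluation per interface" point concrete, here is an added toy model of the evaluation order quoted from pf.conf(5) in this thread: first to last, last matching rule wins, quick ends evaluation, no match means pass, and tags are sticky. It is not PF's code and not from the thread; the interface names em0/em1 standing in for $int_if/$ext_if, the addresses and the `Rule`/`Packet` types are assumptions, and route-to is deliberately not modelled. It runs the two-rule example from the question and the tagged variant suggested at the end through both a forwarded packet (filtered in on $int_if, then out on $ext_if) and a locally originated one.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy model of PF rule evaluation order, added for illustration (not PF code).
INT_IF, EXT_IF = 'em0', 'em1'   # assumed names standing in for $int_if/$ext_if


@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[str] = None        # PF keeps at most one tag on a packet


@dataclass
class Rule:
    action: str                      # 'pass' or 'block'
    direction: Optional[str] = None  # 'in', 'out' or None for either
    ifname: Optional[str] = None     # None means the rule has no "on" clause
    quick: bool = False
    tag: Optional[str] = None        # tag applied when this rule matches
    tagged: Optional[str] = None     # rule only matches packets carrying this tag

    def matches(self, ifname: str, direction: str, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != direction:
            return False
        if self.ifname is not None and self.ifname != ifname:
            return False
        if self.tagged is not None and pkt.tag != self.tagged:
            return False
        return True


def evaluate(rules: List[Rule], ifname: str, direction: str, pkt: Packet) -> str:
    """One pass over the ruleset for one interface and direction, following
    pf.conf(5): first to last, last matching rule wins, quick ends evaluation,
    no match means pass. Tags are sticky: every matching rule that carries a
    tag (re)tags the packet, not only the final one."""
    last: Optional[Rule] = None
    for rule in rules:
        if rule.matches(ifname, direction, pkt):
            if rule.tag is not None:
                pkt.tag = rule.tag
            last = rule
            if rule.quick:
                break
    return 'pass' if last is None else last.action


def forward(rules, pkt, in_if, out_if) -> Tuple[str, str]:
    """A forwarded packet is filtered twice: inbound on the interface it
    arrives on, then outbound on the interface it leaves by."""
    if evaluate(rules, in_if, 'in', pkt) == 'block':
        return ('block', in_if)
    return (evaluate(rules, out_if, 'out', pkt), out_if)


def originate(rules, pkt, out_if) -> Tuple[str, str]:
    """A locally generated packet is only filtered outbound."""
    return (evaluate(rules, out_if, 'out', pkt), out_if)


# The two-rule example from the question (route-to is not modelled here).
CONTRIVED = [
    Rule('pass', 'in', INT_IF, quick=True),
    Rule('block', 'out', EXT_IF, quick=True),
]

# The same intent using a tag, as suggested at the end of the reply:
# approve on the way in, then let only approved packets out quick.
TAGGED = [
    Rule('pass', 'in', INT_IF, quick=True, tag='APPROVED'),
    Rule('pass', 'out', EXT_IF, quick=True, tagged='APPROVED'),
    Rule('block', 'out', EXT_IF, quick=True),
]


def demo() -> dict:
    lan_host, remote = '192.168.1.10', '203.0.113.5'   # constructed addresses
    return {
        # pass quick on $int_if does not carry over to $ext_if: blocked on egress
        'contrived_forwarded': forward(CONTRIVED, Packet(lan_host, remote), INT_IF, EXT_IF),
        'contrived_local': originate(CONTRIVED, Packet('127.0.0.1', remote), EXT_IF),
        # the tag set on the way in is what lets the packet out on $ext_if
        'tagged_forwarded': forward(TAGGED, Packet(lan_host, remote), INT_IF, EXT_IF),
        'tagged_local': originate(TAGGED, Packet('127.0.0.1', remote), EXT_IF),
    }


if __name__ == '__main__':
    for name, verdict in demo().items():
        print(f'{name:20s} -> {verdict}')
```

The model shows the answer given in the reply: the forwarded packet passes quick on em0 and is still blocked on em1, because the quick only ended that interface's evaluation; with the tagged ruleset the inbound rule marks the packet and the outbound `tagged` rule lets it through, while a locally generated packet (never tagged) is still blocked.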
4.3 Install HP BL10eG2 Blade - panic: revarp failed, error=51
I had OpenBSD 4.2 running on these blades, installed via PXE fine. Seems though, in running the 4.3 pxeboot and kernel, it dies on trying to send RARP packets out?

Anyone have some ideas on how to get this to install?

Boot sequence and then DMESG attached (with PS and TRACE) at the end.

===

OpenBSD/i386 PXEBOOT 2.02
switching console to com0
OpenBSD/i386 PXEBOOT 2.02
com0: changing speed to 115200 baud in 5 seconds, change your terminal to match!
com0: 115200 baud
boot> boot tftp:/bsd
booting tftp:/bsd: 5913424+1004644 [52+306864+287943]=0x72a4d4
entry point at 0x200120
[ using 595232 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2008 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1000MHz (GenuineIntel 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,EST,TM2
real mem  = 1073287168 (1023MB)
avail mem = 1029779456 (982MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (29 entries)
bios0: vendor HP version I07 date 06/10/2003
bios0: HP ProLiant BL10e G2
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SPCR
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
acpibtn0 at acpi0: PBTN
bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xe/0x8000!
cpu0 at mainbus0
cpu0: Enhanced SpeedStep 1000 MHz (1004 mV): speeds: 1000, 900, 800, 600 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 ServerWorks GCNB-LE Host rev 0x32
pchb1 at pci0 dev 0 function 1 ServerWorks GCNB-LE Host rev 0x00
Compaq Netelligent ASMC rev 0x00 at pci0 dev 1 function 0 not configured
vga1 at pci0 dev 2 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 3 function 0 Intel 8255x rev 0x08, i82559: irq 7, address 00:0b:cd:d2:f0:b5
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci0 dev 4 function 0 Intel 8255x rev 0x08, i82559: irq 10, address 00:0b:cd:d2:f0:b4
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB6 rev 0xa0: polling
iic0 at piixpm0
spdmem0 at iic0 addr 0x51: 512MB DDR SDRAM registered ECC PC2300CL2.5
spdmem1 at iic0 addr 0x52: 512MB DDR SDRAM registered ECC PC2100CL2.5
pciide0 at pci0 dev 15 function 1 ServerWorks CSB6 RAID/IDE rev 0xa0: DMA
wd0 at pciide0 channel 0 drive 0: HITACHI_DK23FB-40
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5
ohci0 at pci0 dev 15 function 2 ServerWorks CSB6 USB rev 0x05: irq 11, version 1.0, legacy support
pchb2 at pci0 dev 15 function 3 ServerWorks GCLE-2 Host rev 0x00
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 ServerWorks OHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask f965 netmask fde5 ttymask ffe7
mtrr: Pentium Pro MTRR support
softraid0 at root
PXE boot MAC address 00:0b:cd:d2:f0:b5, interface fxp0
nfs_boot: using interface fxp0, with revarp bootparams
fxp0: error 5, could not read firmware fxp-d101ma
panic: revarp failed, error=51
Stopped at      Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
     8      0      0      0  3    0x100200  pftm       pfpurge
     7      0      0      0  3    0x100200  usbtsk     usbtask
     6      0      0      0  3    0x100200  usbevt     usb0
     5      0      0      0  3    0x100200  acpi_idle  acpi0
     4      0      0      0  3    0x100200  bored      syswq
     3      0      0      0  3    0x100200             idle0
     2      0      0      0  3    0x100200  kmalloc    kmthread
     1      0      0      0  3           0  initexec   swapper
    *0     -1      0      0  7     0x80200             swapper
ddb> trace
Debugger(d1985040,d092cca4,d092ccd8,33,d092ccf0) at Debugger+0x4
Re: [SOLVED] 4.3 Install HP BL10eG2 Blade - panic: revarp failed, error=51
On Thu, May 1, 2008 at 8:32 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2008-05-01, Mikel Lindsaar [EMAIL PROTECTED] wrote:
>> I had OpenBSD 4.2 running on these blades, installed via PXE fine. Seems though, in running the 4.3 pxeboot and kernel, it dies on trying to send RARP packets out?
>>
>> boot> boot tftp:/bsd
>
> Did you actually mean to boot bsd.rd?

Well, actually, I used bsd to boot install 4.2 OpenBSD onto these blades. About half an hour ago, I thought I would try bsd.rd and it worked fine. Misread the FAQ.

Thanks for the pointer though!

Mikel
Re: Apache VirtualHost permissions
On Fri, Apr 18, 2008 at 7:37 AM, David Newman [EMAIL PROTECTED] wrote:
> but I'm confused about the 'chown nobody:www' part. I don't get how users would be able to upload files with those permissions.

Depends. If they are uploading via a web interface, then you need your web server to be able to write to the file system not the user. In this case it would be up to your web interface to work out if they have access to different files or not.

One of the other ways is letting them FTP into the box the files they need. In this case, simply FTP chrooting them to their home directory (see /etc/ftpchroot) and then having this directory accessible read only by your web server would be fine. In which case the permissions would be user_name:www

Make sense?

Mikel
Re: 4.3 song and lyrics and commentary
On Sat, Apr 12, 2008 at 4:03 PM, Pau [EMAIL PROTECTED] wrote:
> are the pictures real??

Isn't it amazing what you can do with some free time and some photo editing tools?

Mikel
Re: carp and STP and layer2 security
On Fri, Apr 11, 2008 at 10:04 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> i have finally taken the time to quickly write up what you need to do on your switches when using carp and/or STP. comments welcome.
> http://bulabula.org/carp-and-stp-meet-switch-security.html

Short and sharp, thanks.

Mikel
4.2 still has X tree dependency?
I am running 4.1 on several servers, one thing I found was the surprise on needing the X package to install some of the non x-windows ports due to dependencies within that tree. I think it was for the graphics libraries, either way, I installed the x packages and all is well. But I remember reading in a FAQ or release notes somewhere that this was a mistake and would be fixed in the next version of OpenBSD (ie, remove the dependency on the x-windows system for these libraries). I am about to install a bunch of 4.2 servers, is this dependency fixed in 4.2? Or is that a 4.3 target? Regards Mikel
PCI ADSL Card on OpenBSD
I have been googling around and found various answers, but some of them conflict and so I wanted to ask the list: What PCI ADSL card do you use in your OpenBSD box? The use case will be a rack mounted firewall (thus the wish for a PCI card to sit inside the server) handling an ADSL connection for backup access and bulk traffic. The card and drivers need to be reliable and just handle the line as this will be the backup way in. Preferably I want a card that is going to do the ADSL protocol layer itself and not hand anything off to the CPU which will be handling a transparent firewall. Should be able to support PPPoE, ADSL2+ would be good to have, though plain v1 ADSL is also fine if the driver / card combination is more robust. Regards Mikel
Best way to automate administration of multiple servers
Hello all,

I've been googling around for some answers and I thought I would ask the list as well.

In the past I have used different computers for different tasks. I would have many different installs of OpenBSD on many different platforms. However, I am moving some stuff into a data center and am getting a blade server with 10 blades (up to 20 total).

I have been playing with this and it is running great, but as each blade has exactly the same specs (same drive, ram, processor etc) I was wondering about improving my skills on handling a lot of identical computers on the administration side.

There are basically three types of blade, database, app server and front end world facing (proxy, mail, dns).

I want to automate handling them as much as possible and would like some list suggestions on reading materials, software, or web howtos. Examples of what I am after:

1) Create images or post install diffs so that if I need to add a blade to expand, I put it in, connect via the console, install via PXE and then download the diff - I know you can do this with the post install scripts in OpenBSD's install script, but any real world use of this, things to avoid or good things to do?

2) Keeping 10 - 20 copies of OpenBSD up to the latest patch levels without having to do more than trial on one (for each type) and then for the rest type something as trivial as /bin/sh -x update.sh rotating through the servers and testing as you go? I can see myself spending two days a month otherwise doing upgrades on all the servers.

3) Guides on how to manage the logs of this many servers. Any experiences with splunk on this sort of environment, other options?

4) Anything else I should think about / avoid?

I know this is a bit of a broad ranging question, but I am looking for general gaps in my sys admin knowledge at the moment so I apologise for any vagueness.

Regards
Mikel
OK... I broke something - can't load library 'libpcre.so.1.0'
Hello list :) I was getting ImageMagick working with Rails on OpenBSD and was running into problems. In the process of installing it, somehow I nuked the libpcre library. I went into /usr/ports/devel/pcre/ and did a make clean, make, make install. However I am still getting the error. I tried doing an ldconfig -R (not sure if this was needed or not) but no change. I am getting the can't find the library libpcre errors when I try to start postfix or bash. libpcre.so.1.0 is in the /usr/local/lib/ directory. What do I have to do to get everything to see the library again? Thanks guys. Mikel
TLS/FTP via OpenBSD NAT
Hello all,

I have a few OpenBSD servers faithfully running NAT in various spots. One of these firewalls is doing VERY simple NAT on an interface, almost a cut and paste from the PF pages (only really the IP addresses got changed).

However, the client wants to be able to connect to an FTP server that is using TLS. My first thought of this was you can't. However, I was quickly disabused of this idea by connecting to their server using the program they use (FileZilla) within a Windows XP instance running inside Parallels through a Netlink ADSL modem. That is two sets of translation happening!

This got me confused as everything I have read about TLS says this can't be done. At least not with NAT.

So I am wondering if anyone has had any experience with this and can point me in the right direction? The only way I can think that the Netlink is doing it is by doing some sort of Dynamic IP Address forwarding (setting up some rule that just dumps all traffic directly...) but I don't know.

Regards
Mikel