Re: bridge segment LAN/DMZ
Joel Rees wrote:
And what you are wanting to do is something like this:

(internet) -[x]obsd firewall[i0][i1]
[x]obsd firewall[i0]- (private address range {A} LAN with no port forwarding)
[x]obsd firewall[i1]- (private address range {B} LAN with port forwarding)

but without assigning IP addresses to i0 and i1. And you need bridging rules for the firewall to route from i0 to i1. Is that right? And you don't want to change the private range addresses assigned to the boxes that are being port forwarded.

Yes, this is exactly what I want... :) Thanks for explaining my view.
Re: bridge segment LAN/DMZ
Jason Dixon wrote:
Yes, this sounds similar to what you want to do. So basically, you want to bridge $ext_if with $dmz_if, and NAT $lan_if:network to ($ext_if). The NAT will happen first, then the outbound packet should see the DMZ server announcing itself via the arp proxy. It sounds possible, although the filtering is bound to be tricky at best.

Actually no, I would like to bridge $dmz_if and $lan_if so they could be in the same subnet while allowing me to filter (PF) between the two segments.

Antoine
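As an added example (not from the thread), one way to express Antoine's design in pf.conf: two address-less bridge members, LAN and DMZ sharing one subnet, with pf filtering between them on the member interfaces. Interface names sis1/sis2, the 192.168.1.0/24 addressing, the DMZ host list and the service ports are assumed; the ext_if NAT/rdr rules are left out.

```pf
# Added example, not from the original thread. Assumed bridge setup:
#   /etc/hostname.bridge0 (older releases: /etc/bridgename.bridge0)
#       add sis1
#       add sis2
#       up
# Neither sis1 nor sis2 carries an IP address, so ($lan_if) and
# $lan_if:network cannot be used; filter on literal addresses and on
# the member interface a frame enters the bridge through.

lan_if = "sis1"                                   # LAN-side member
dmz_if = "sis2"                                   # DMZ-side member
table <lan_net>   { 192.168.1.0/24 }              # constructed, shared subnet
table <dmz_hosts> { 192.168.1.10, 192.168.1.11 }  # constructed DMZ servers

set skip on lo
# Default state policy is floating, so a state created when a packet
# enters on one member also matches the reply entering on the other.
block log all

# LAN -> DMZ: only the published services, state created on the LAN member.
pass in quick on $lan_if proto tcp from <lan_net> to <dmz_hosts> \
    port { 22, 80, 443 } flags S/SA keep state

# DMZ -> LAN: no new connections from the DMZ segment; replies to the
# LAN-initiated flows above are matched by state before rules are evaluated.
block in log quick on $dmz_if from <dmz_hosts> to <lan_net>

# DMZ -> elsewhere (e.g. the Internet via ext_if): allowed, stateful.
pass in quick on $dmz_if from <dmz_hosts> to ! <lan_net> keep state

# Let the bridge deliver whatever an "in" rule or an existing state allowed.
pass out quick on { $lan_if, $dmz_if } keep state

# Caveat: pf only sees IP traffic. ARP and other non-IP frames cross the
# bridge unfiltered, which is what lets both segments share one subnet.
```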
Re: Network performance
* Philip Olsson [EMAIL PROTECTED] [2005-05-20 21:34]:
In the end, I'm just looking for advice about how to increase performance in the cheapest way possible :)

More MHz. Not crappy nics, get xl, fxp, dc etc. Or maybe gigabit nics like em(4).

xl is crap. sk is probably the best you can get currently. and they are amazingly cheap.

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Alpha - floppy as root device ?
On Sat, 21 May 2005 14:05:45 +1000, Steve Murdoch [EMAIL PROTECTED] wrote:
Hi all, Can someone throw me in the right direction. I have an Alphaserver 1000. The SCSI drives have failed so I have installed a PCI IDE controller and IDE drive. The SRM doesn't recognise the IDE so after install I won't be able to boot from the drive. Is there a way to have the floppy as the root device? Thanks, Steve

Since it's an alpha, I sort of doubt you'll be rebooting it often but either way, floppies are horribly unreliable. A better bet would be to netboot it or if possible CDROM. Failing either of those, a better bet would be a SCSI add-in card. I have a few alphas over here and if memory serves me well, one of them has a pair of SCSI cards (in a Digital Server 5000), so I can probably spare one of the cards. If you want, I could dust off the machine and look up the exact cards it has.

JCR
Re: Network performance
xl is crap.

I don't remember where I got it, but I always had the impression that at least some of the 3Coms were good cards, like those with the 3c905B chip. Am I wrong here? Are all the xl-based cards crap without exceptions?
Re: ssh
On 2005.5.19, at 01:11 AM, J.C. Roberts wrote:
On Thu, 19 May 2005 00:12:29 +0900, Joel Rees [EMAIL PROTECTED] wrote:
This whole thread has me wondering if I haven't been kidnapped by aliens.

No, not recently. Since the accident where you toasted the neural interface on the Enterprise, we've been just trying to get off this rock. Of course, you wouldn't remember any of this.

Darn. I've got to quit doing things like chmod -R 600 /home/me when logged on as root.

but let me tell you, next time we visit, we are not letting you fly the ship, play with the transporter or test fire the Death Star... -sigh, what was High Commander Zaphod thinking? You seemed perfectly happy on the HoloDeck with that Blond Galactica Hottie Clone.

Not again? Crud. Don't anybody let my wife find out about this! Wait a minute. I don't dig blondes. Must have been my evil twin brother. He likes blondes. Hmm. If he was logged in as me, does that mean we need to check the remote holodeck for a keylogger again?

but noo, Zaphod wanted to test your reflexes.

Yeah, he should know by now I don't have any. ;-)

JCR

:-/
--
Joel Rees
Re: Booting OpenBSD without any console output
A couple of more direct questions: Has anyone successfully booted a kernel without any console output? What related kernel options can I play with? If not, where in the kernel source should I start digging? Thanks, Rickard.

Rickard Dahlstrand wrote:
Hi, I'm trying to connect a modem to the serial port on my PC Engines Wrap1E board and I can't seem to boot a kernel without having anything sent to the com port. This device doesn't have a screen controller so it uses the serial port for BIOS and boot messages. It seems like the BIOS is redirecting pc0 to com0 up until the kernel boots. There is a boot option to disable this, but since there is no way for me to get a kernel to boot on pc0 it makes no difference. If I boot a kernel without the PCCOMCONSOLE option I can boot the kernel providing I set the tty to com0 in either the boot loader or /etc/boot.conf. But if I set the tty to pc0 and try to boot it freezes just after the entry point message. I have even tried to set the tty to com1 in boot.conf to see if that made any difference, but it seems to freeze up in the same way. I need to find a way to boot a kernel without any messages on the serial port. Thankful for any help, Rickard.

---
Loading;.
probing: pc0 com0 pci mem[640K 127M a20=on]
disk: hd0
>> OpenBSD/i386 BOOT 2.06
boot> set tty pc0
switching console to pc0
>> OpenBSD/i386 BOOT 2.06
boot> boot bsd
booting hd0a:bsd: 14062692+352328 [52+108048+95427]=0xdf1128
entry point at 0x100120
[FREEZE]

Loading;.
probing: pc0 com0 pci mem[640K 127M a20=on]
disk: hd0
>> OpenBSD/i386 BOOT 2.06
boot> set tty com0
switching console to com0
>> OpenBSD/i386 BOOT 2.06
boot> stty com0 57600
com0: changing speed to 57600 baud in 5 seconds, change your terminal to match!
com0: 57600 baud
boot> boot bsd
booting hd0a:bsd: 14062692+352328 [52+108048+95427]=0xdf1128
entry point at 0x100120
[ using 203900 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 3.7 (TILDECOS020) #0: Thu May 19 14:34:58 CEST 2005
    [EMAIL PROTECTED]:/root/cvsflashboot/obj/TILDECOS020
RTC BIOS diagnostic error 80clock_battery
cpu0: Geode(TM) Integrated Processor by National Semi (Geode by NSC 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem = 133804032 (130668K)
avail mem = 112906240 (110260K)
using 331 buffers containing 1355776 bytes (1324K) of memory
RTC BIOS diagnostic error 80clock_battery
mainbus0 (root)
bios0 at mainbus0: AT/286+(fa) BIOS, date 05/02/05, BIOS32 rev. 0 @ 0xfc5f2
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Cyrix GXm PCI rev 0x00
sis0 at pci0 dev 14 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 10, address 00:0d:b9:01:94:e8
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 15 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 9, address 00:0d:b9:01:94:e9
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 16 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 11, address 00:0d:b9:01:94:ea
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 NS SC1100 ISA rev 0x00
gpio0 at gscpcib0: 64 pins
NS SC1100 SMI/ACPI rev 0x00 at pci0 dev 18 function 1 not configured
NS SCx200 IDE rev 0x01 at pci0 dev 18 function 2 not configured
NS SCx200 AUDIO rev 0x00 at pci0 dev 18 function 3 not configured
geodesc0 at pci0 dev 18 function 5 NS SC1100 X-Bus rev 0x00: iid 6 revision 3 wdstatus 0
isa0 at gscpcib0
isadma0 at isa0
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: STI Flash 7.2.0
wd0: 1-sector PIO, LBA, 122MB, 250880 sectors
wd0(wdc0:0:0): using BIOS timings
gscsio0 at isa0 port 0x2e/2: SC1100 SIO rev 1: ACB1 ACB2
iic0 at gscsio0
iic1 at gscsio0
lmtemp0 at iic1 addr 0x48: LM77
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
biomask f1ef netmask ffef ttymask ffef
rd0: fixed, 22528 blocks
dkcsum: wd0 matched BIOS disk 80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
clock: unknown CMOS layout
xconsole customize.
I was not able to find any information anywhere on how I could split long messages across many lines instead of one line in xconsole, so I don't have to scroll horizontally.
Re: Network performance
* Antonios Anastasiadis [EMAIL PROTECTED] [2005-05-21 11:27]: Are all the xl-based cards crap without exceptions? yes.
Re: Alpha - floppy as root device ?
Steve Murdoch [EMAIL PROTECTED] wrote:
Hi all, Can someone throw me in the right direction. I have an Alphaserver 1000. The SCSI drives have failed so I have installed a PCI IDE controller and IDE drive. The SRM doesn't recognise the IDE so after install I won't be able to boot from the drive. Is there a way to have the floppy as the root device?

Nope, better get yourself some SCSI drive. Or put root on NFS, but that can be a pain on alpha.

Martin
libiconv fails at ports - 3.7
I'm trying to build wget from ports, 3.7, fresh install. What has gone wrong? (The same happens on pfstat, etc.)

===>  wget-1.8.2 depends on: gmake-3.80p0 - not found
===>  Verifying install for gmake-3.80p0 in devel/gmake
===>  Checking files for gmake-3.80p0
`/usr/ports/distfiles/make-3.80.tar.gz' is up to date.
>> Checksum OK for make-3.80.tar.gz. (sha1)
===>  gmake-3.80p0 depends on: gettext->=0.10.38 - not found
===>  Verifying install for gettext->=0.10.38 in devel/gettext
===>  Checking files for gettext-0.10.40p2
`/usr/ports/distfiles/gettext-0.10.40.tar.gz' is up to date.
>> Checksum OK for gettext-0.10.40.tar.gz. (sha1)
===>  gettext-0.10.40p2 depends on: iconv.2 (libiconv-*) - iconv.2 missing...
===>  Verifying install for iconv.2 (libiconv-*) in converters/libiconv
===>  Building for libiconv-1.9.2
cd lib && make all
/bin/sh ../libtool --mode=link cc -o libiconv.la -rpath /usr/local/lib -version-info 4:0:2 -no-undefined iconv.lo localcharset.lo relocatable.lo
*** Error code 1

Stop in /usr/ports/converters/libiconv/w-libiconv-1.9.2/build-i386/lib (line 59 of Makefile).
*** Error code 1

Stop in /usr/ports/converters/libiconv/w-libiconv-1.9.2/build-i386 (line 32 of Makefile).
*** Error code 1

Stop in /usr/ports/converters/libiconv (line 1769 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/devel/gettext (line 1311 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/devel/gettext (line 1596 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/devel/gmake (line 1311 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/devel/gmake (line 1596 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/net/wget (line 1311 of /usr/ports/infrastructure/mk/bsd.port.mk).
Re: Network performance
* Antonios Anastasiadis [EMAIL PROTECTED] [2005-05-21 11:27]:
Are all the xl-based cards crap without exceptions?

yes.

That's odd. I have a 3905tx-m in my openbsd box, but it isn't doing much, so that may be why it appears to work fine. I have the same card in FreeBSD boxes, and a few linux boxes and they perform great there. Are there maybe tweaks involved on an openbsd platform that are required?
Re: xconsole customize.
On Sat, May 21, 2005 at 10:15:10PM +0300, Mike wrote:
I was not able to find any information anywhere on how I could split long messages across many lines instead of one line in xconsole, so I don't have to scroll horizontally.

Try this resource setting:

XConsole.*.wrap:word

Possible values are never, word, and line. Word breaks at word boundaries, and line breaks at the right edge.

--
regards/mvh
Stein B. Sylvarnes
Re: CARP with multiple if_aliases?
On May 21, 2005, at 1:43 PM, Per olof Ljungmark wrote:
Could somebody please enlighten me if it is possible to use CARP when one interface has several ip aliases? If it's in the docs I have missed it completely, sorry.

Yes.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: DNS Configuration Problem
On 2005-05-21 at 16:02:46 Michael wrote:
This is when I check again, and yes, /etc/rndc.key is there but /usr/sbin/named again tells me that it is not there.

Read the named(8) manpage; it uses a chroot to /var/named by default. Put your rndc.key file in /var/named/etc, and you should be ok. Also, a symlink from /var/named/etc/namedb to /etc/namedb can be handy.
Re: DNS Configuration Problem
On Sat, May 21, 2005 at 07:02:46AM -0700, Michael wrote:
I have recently installed OpenBSD 3.7 on my future router and I had the surprise to see that I am not able to properly config DNS (bind) on this box. I have generated /etc/rndc.key with the help of rndc-confgen. The file is successfully generated and I cat and see its content, it is nicely generated with no problem, but when I try to execute /usr/sbin/named I get tons of errors telling me that /etc/rndc.key doesn't really exist. This is when I check again, and yes, /etc/rndc.key is there but /usr/sbin/named again tells me that it is not there.

$ sudo cmp /etc/rndc.key /var/named/etc/rndc.key
$

named is chroot(8)ed by default. Read /etc/rc for more info.
Re: Network performance
Hi,

More Mhz. Not crappy nics, get xl,fxp,dc etc. Or maybe gigabit nics like em(4).

I think he has xl and sk in the machine, sk is probably the most decent thing one can get at the moment. xl I had quite mixed results with in the past, so changing that one into another sk might be all the change needed. The high irq load points in that direction, sk is a lot better there.

Don't have a crappy mobo chipset and anything over 800 mhz would be able to do plenty of filtering. I guess a P2 450 could work also..

yes, but a P2-233 should have enough HP for standard stuff, routing of 100mbit + some not so complex filtering with normal packet sizes should be possible. one can still stick a celeron 500 into the box, they are very cheap on ebay, in case changing the xl to sk is not enough.

bye, siggi.
DNS Configuration Problem
Hello. I have recently installed OpenBSD 3.7 on my future router and I had the surprise to see that I am not able to properly config DNS (bind) on this box. I have generated /etc/rndc.key with the help of rndc-confgen. The file is successfully generated and I cat and see its content, it is nicely generated with no problem, but when I try to execute /usr/sbin/named I get tons of errors telling me that /etc/rndc.key doesn't really exist. This is when I check again, and yes, /etc/rndc.key is there but /usr/sbin/named again tells me that it is not there. If someone could help me with this problem then I could carry on with the NAT ruleset research for pf, as I have never completed such a configuration before. Thank you all in advance for your help. Best regards. Mihai.
Re: DNS Configuration Problem
I don't run bind on my openbsd box, but isn't it set up to chroot into /var/named? I believe that you need to put rndc.key relative to the chroot'd environment (/var/named/etc/...) ...of course, it's a shot in the dark, I don't know how you configured bind, if you changed anything at all etc...

HTH,
Sandro

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael
Sent: May 21, 2005 10:03 AM
To: misc@openbsd.org
Subject: DNS Configuration Problem

Hello. I have recently installed OpenBSD 3.7 on my future router and I had the surprise to see that I am not able to properly config DNS (bind) on this box. I have generated /etc/rndc.key with the help of rndc-confgen. The file is successfully generated and I cat and see its content, it is nicely generated with no problem, but when I try to execute /usr/sbin/named I get tons of errors telling me that /etc/rndc.key doesn't really exist. This is when I check again, and yes, /etc/rndc.key is there but /usr/sbin/named again tells me that it is not there. If someone could help me with this problem then I could carry on with the NAT ruleset research for pf, as I have never completed such a configuration before. Thank you all in advance for your help. Best regards. Mihai.
Looking for info re: IPSec MTU
OpenBSD is working great instead of the Cisco router that our VPN peer recommended. Thanks again to the developers who make it all possible.

I notice that we're receiving some fragmented packets, however. It's not a big deal but I'd like to see if things can be better optimized (and learn a bit in the process). I understand the basic concept of MTU but it's not something I usually have to tinker with. I'm hoping someone might care to answer a couple of questions for me:

1) Can anyone recommend some good reference materials on this subject?
2) Given that I only have control over the OpenBSD end of this VPN connection, (the other end being a Cisco 7200 VXR), is it even possible to eliminate fragmentation issues?

Thanks for any advice,
RPK.
Re: DNS Configuration Problem
Silly question, but then so are mistakes. Did you put the second half of the rndc.key output into your /var/named/etc/named.conf file? I just configured bind for the first time yesterday, so it's all very fresh in my mind.

sbr.

On Sat, 21 May 2005, Sandro wrote:
I don't run bind on my openbsd box, but isn't it set up to chroot into /var/named? I believe that you need to put rndc.key relative to the chroot'd environment (/var/named/etc/...) ...of course, it's a shot in the dark, I don't know how you configured bind, if you changed anything at all etc...

HTH,
Sandro

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael
Sent: May 21, 2005 10:03 AM
To: misc@openbsd.org
Subject: DNS Configuration Problem

Hello. I have recently installed OpenBSD 3.7 on my future router and I had the surprise to see that I am not able to properly config DNS (bind) on this box. I have generated /etc/rndc.key with the help of rndc-confgen. The file is successfully generated and I cat and see its content, it is nicely generated with no problem, but when I try to execute /usr/sbin/named I get tons of errors telling me that /etc/rndc.key doesn't really exist. This is when I check again, and yes, /etc/rndc.key is there but /usr/sbin/named again tells me that it is not there. If someone could help me with this problem then I could carry on with the NAT ruleset research for pf, as I have never completed such a configuration before. Thank you all in advance for your help. Best regards. Mihai.
Re: Wifi frustration
Chris Zakelj wrote:
So I suppose the best question to ask is, has anyone encountered a 2.1 friendly card, or am I up a creek?

I believe my Compaq Deskpro 5233MMX is PCI 2.1, and it's worked with two different wi cards; a Netgear MA311 and a Sohoware NCP130. I did purchase a cheap ral card for it, and as soon as I get around to rebuilding it with 3.7 I'll know if it works with PCI 2.2... An old dmesg can be found at http://marc.theaimsgroup.com/?m=106703958525093. (That problem is long fixed.)
Re: Network performance
Sandro wrote:
That's odd. I have a 3905tx-m in my openbsd box, but it isn't doing much, so that may be why it appears to work fine. I have the same card in FreeBSD boxes, and a few linux boxes and they perform great there. Are there maybe tweaks involved on an openbsd platform that are required?

Well, they're probably not as bad as some of the NE2000 clones. They were also probably relatively good cards in 1995 (or whenever they were released), but why stick with 1995 technology? Besides, Buy.com sells the 3c905c-tx-m for $40, and the Belkin F5D5005 (sk) for $27.
Re: libiconv fails at ports - 3.7
On Sat, 21 May 2005 13:21:52 -0700, Jacob Meuser wrote:
I'm trying to build wget from ports, 3.7, fresh install. What has gone wrong?

clean install or upgrade? is the ports tree clean?

As clean as can be, after an install on a new harddisk, reboot, afterboot, tar xfvz ports.tar.gz, cd net/wget, make

it really looks like you never did a 'make clean' in converters/libiconv after the last time you built it.

See above. I guess something went wrong while installing dependencies, so I managed with packages. Thank you, nevertheless!

Uwe
Re: Wifi frustration (SUCCESS)
Chris Zakelj wrote:
I should probably add that I did check the archives, where the solutions tended to point towards "Just buy an access point, they're just as cheap." I would (they're around), but that defeats the intent of learning how to do it, trying to reduce underdesk wire clutter, and rewarding Atheros/Ralink/Realtek for opening up their chip docs.

Not sure if it was the slot juggling suggested by Sebastian and Constantine, or I just lucked out, but I seem to have found success with the Belkin F5D7000 v3001. This box's picture has a big white sticker over the entire card. I add this warning because in the picture of another version of the F5D7000 (v2000 I think it was), the PCB has a Broadcom chip clearly visible.

Steve, I was looking for the one card you mentioned (MA311) as I had used it in a previous application, but neither card was in any of my local stores.