Re: RAID management support coming in OpenBSD 3.8
On 9/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >> how does openbsd's RAID support stack up to the other *BSDs?
> >
> >on a scale of 1 to 10, it's an awesome.
> >
> >--
> >And that's why your software sucks.
> >
> just how awesome is it?
>
> when i read theo's announcement i thought to myself "this is
> missing something". your having mentioned how awesome it is
> makes me suspect theo edited out something at the end. i was
> totally expecting a ninja to flip out and kill someone on the
> mailing list

I hate it when that happens.

> at the end of the announcement since it was so
> extreme i almost crapped my pants.
>

--
John Kintaro Tate
Mobile: 0413 348 815 (Yep, old number, but I have a new phone)
Free OpenBSD shell accounts for all with no gimmicks. Just send your desired username and password to me, and I will create it.
Personal Website: http://kintaro.noobify.com
Re: OpenBSD website Design.
On Fri, Sep 09, 2005 at 09:10:59PM -0500, Dave Feustel wrote:
> On Friday 09 September 2005 15:12, Alexander Hall wrote:
> > http://www.openbsd.org/cgi-bin/cvsweb/www/
>
> Hmm. Interesting. I'm not quite sure yet just what this is,

You can learn more about it here:
http://www.freebsd.org/projects/cvsweb.html#about
but in short the link to http://www.openbsd.org/cgi-bin/cvsweb/www/ above references an HTTP interface for viewing the CVS repository where the OpenBSD website files are kept.

-Rick

> but it looks useful and I'm putting the link in my OpenBSD
> link file and will spend some time examining it.
>
> Thanks,
> Dave Feustel
> --
> Tired of having to defend against Malware?
> (You know: trojans, viruses, SPYWARE, ADWARE,
> KEYLOGGERS, rootkits, worms and popups)
> Then Switch to OpenBSD with a KDE desktop!!!
Re: adsl ppp tun questions and routing questions
Hello Stuart,

I'll check those files. On routed I cannot figure out how to get the 2nd nic to allow other computers to connect to the OpenBSD firewall. Should be pretty simple but I can't figure it out.

internet
ext_if de1
OpenBSD
int_if de2
ppp -ddial -unit0 pppoe

I'll keep working on this over the weekend.

Thanks for your help,
rogern
John 3:16

From: Stuart Henderson <[EMAIL PROTECTED]>
To: Roger Neth Jr <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], misc@openbsd.org
Subject: Re: adsl ppp tun questions and routing questions
Date: Fri, 09 Sep 2005 09:54:31 +0100

--On 09 September 2005 10:38 +0200, Eric Dillenseger wrote:
> You may want to check in /etc/ppp/ppp.link{up|down} or /etc/rc.conf(.local).
> Do you start ppp in /etc/rc ? as I can see, it starts before /etc/rc initializes the network and then another time

Maybe in rc.local and hostname.tun0.

--On 09 September 2005 00:07 -0700, Roger Neth Jr wrote:
> I have routed in rc.conf as routed="-q" but don't understand how to configure any further to have the internet shared with other computers.

routed is for RIP. Unless you already know what that is, you probably don't need it.

> I can't figure out how to set the gateway to show an inet address that is static to use at a mygateway or option routers with dhcpd on a different server.

For the setup you've shown, the gateway address to use on the other computers is 192.168.1.1. You also need to edit sysctl.conf if you haven't already.
Re: adsl ppp tun questions and routing questions
Hello Eric,

I tried to figure out why it is starting in two places. I have placed in rc.conf.local "up de1 ppp -ddial -unit0 pppoe" as suggested by someone and I get the adsl to stay on tun0 but when booting it still shows twice. I tried removing from ppp.conf redial from Default: and dial from pppoe: without any effect.

I checked my rc.conf file and cannot see a flag for ppp. I have pf=YES and routed="-q", inet=NO

I can connect to the internet from the firewall but the connected OpenBSD's are unable to connect through the OpenBSD firewall. I did a tcpdump -i on de1 and when I ping 10.0.0.1 I see activity on the ext_if but the pinging computer shows no route to host.

Will keep digging into this over the weekend.

Thanks again for your help,
rogern
John 3:16

From: Eric Dillenseger <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: adsl ppp tun questions and routing questions
Date: Fri, 9 Sep 2005 10:38:08 +0200

On 9/9/05, Roger Neth Jr <[EMAIL PROTECTED]> wrote:
> Hello List,
>
> I don't know how to have ppp pppoe stay on one tun as it is switching
> between tun0 and tun1 on reboots.
> (snip)
>

Hi Roger,

I'm wondering if you're not starting ppp in 2 places during startup as, it looks like ppp starts once with tun0 and then it starts again with tun1.
You may want to check in /etc/ppp/ppp.link{up|down} or /etc/rc.conf(.local).
Do you start ppp in /etc/rc ? as I can see, it starts before /etc/rc initializes the network and then another time

>Working in ddial mode
>Using interface: tun0
>setting tty flags
>stray isa irq 3
>pf enabled
>net.inet.ip.forwarding: 0 -> 1
>vm.swapencrypt.enable: 1 -> 0
>starting network
>Working in ddial mode
>Using interface: tun1

Regards,
Eric Dillenseger
Re: RAID management support coming in OpenBSD 3.8
>> how does openbsd's RAID support stack up to the other *BSDs?
>
>on a scale of 1 to 10, it's an awesome.
>
>--
>And that's why your software sucks.
>

just how awesome is it?

when i read theo's announcement i thought to myself "this is missing something". your having mentioned how awesome it is makes me suspect theo edited out something at the end. i was totally expecting a ninja to flip out and kill someone on the mailing list at the end of the announcement since it was so extreme i almost crapped my pants.
Re: OpenBSD website Design.
On Friday 09 September 2005 15:12, Alexander Hall wrote:
> http://www.openbsd.org/cgi-bin/cvsweb/www/

Hmm. Interesting. I'm not quite sure yet just what this is, but it looks useful and I'm putting the link in my OpenBSD link file and will spend some time examining it.

Thanks,
Dave Feustel
--
Tired of having to defend against Malware?
(You know: trojans, viruses, SPYWARE, ADWARE, KEYLOGGERS, rootkits, worms and popups)
Then Switch to OpenBSD with a KDE desktop!!!
Re: RAID management support coming in OpenBSD 3.8
On Sat, 10 Sep 2005, John Kintaro Tate wrote:
> how does openbsd's RAID support stack up to the other *BSDs?

on a scale of 1 to 10, it's an awesome.

--
And that's why your software sucks.
Re: Anything in need of research?
On Fri, 9 Sep 2005, Tim wrote:
> Is there anything related to OpenBSD that would be worth investigating or
> researching?

what are you interested in?

--
And that's why the brain is a differential or logical phenomenon instead of a material phenomenon like a concrete block.
Re: RAID management support coming in OpenBSD 3.8
how does openbsd's RAID support stack up to the other *BSDs?

On 9/10/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> I thought it was time to give some details about the (minimal) RAID
> management stuff coming in OpenBSD 3.8. Most of this code has been
> written by Marco Peereboom with some help from David Gwynne and
> Michael Shalayeff. Moral support and direction from me and Bob Beck
> who has a pile of these AMI setups.
>
> Here is a demonstration. First, a piece of dmesg output, so that we can
> see which device is going to be handled:
>
> ami0 at pci1 dev 8 function 0 "Symbios Logic MegaRAID" rev 0x01: apic 9 int 8
> (irq 10) Dell 518/64b/lhc
> ami0: FW 350O, BIOS v1.09, 128MB RAM
> ami0: 2 channels, 0 FC loops, 2 logical drives
> scsibus2 at ami0: 40 targets
> sd0 at scsibus2 targ 0 lun 0: SCSI2 0/direct fixed
> sd0: 349400MB, 44542 cyl, 255 head, 63 sec, 512 bytes/sec, 715571200 sec total
> sd1 at scsibus2 targ 1 lun 0: SCSI2 0/direct fixed
> sd1: 349400MB, 44542 cyl, 255 head, 63 sec, 512 bytes/sec, 715571200 sec total
> scsibus3 at ami0: 16 targets
> ses0 at scsibus3 targ 6 lun 0: SCSI3 3/processor fixed
> scsibus4 at ami0: 16 targets
> ses1 at scsibus4 targ 6 lun 0: SCSI3 3/processor fixed
>
> OK, this is an AMI raid controller. It has come up with 3 scsi
> busses; one for the virtual RAID volumes which there are two of, and
> two SCSI busses which match the real SCSI busses that are on the
> controller (to expose the SES or SAFTE enclosure management
> controllers, and so that we can talk pass-through to the real disks).
>
> If we wish to probe further details, we use
>
> # bioctl ami0
> Volume  Status     Size          Device
> ami0 0  Online     366372454400  sd0    RAID5
>      0  Online     73403465728   0:0.0  ses0JNZ6>
>      1  Online     73403465728   0:2.0  ses0JNZ6>
>      2  Online     73403465728   0:4.0  ses0JNZ6>
>      3  Online     73403465728   0:8.0  ses0JNZ6>
>      4  Online     73403465728   1:10.0 ses1JNZ6>
>      5  Online     73403465728   1:12.0 ses1JNZ6>
> ami0 1  Online     366372454400  sd1    RAID5
>      0  Online     73403465728   0:1.0  ses0JNZ6>
>      1  Online     73403465728   0:3.0  ses0JNZ6>
>      2  Online     73403465728   0:5.0  ses0JNZ6>
>      3  Online     73403465728   1:9.0  ses1JNZ6>
>      4  Online     73403465728   1:11.0 ses1JNZ6>
>      5  Online     73403465728   1:13.0 ses1JNZ6>
> ami0 2  Unused     73403465728   1:14.0 ses1JNZ6>
> ami0 3  Hot spare  73403465728   1:15.0 ses1JNZ6>
>
> Here we can see which physical drives are on the controller, and how
> they are configured into volumes. Two volumes have been created, both
> of which are rather large. The drives are on two scsi busses, for
> instance, 1:12.0 means SCSI bus 1, scsi target 12, lun 0. With
> additional options to bioctl(4), we could find out some more (mostly
> irrelevant) information.
>
> There are also two additional devices which we know about: one is
> unused (ie. not registered with the AMI firmware at the moment), and
> one is a Hot Spare.
>
> Let's cause some havoc. First, I want to pick a drive that I am going
> to unplug, to mimic a failure. Let's see... 1:9.0 looks good to me.
>
> # bioctl -b 1.9 ami0
>
> When I look at the array, one of the drives is now blinking. I made
> it blink just because I prefer to pull drives out of my sd1
> filesystems rather than the sd0 filesystems. And otherwise I wouldn't
> be able to show off the blink support. Anyways, I pull that
> particular drive.
>
> Immediately some churning starts, and if I re-run bioctl I can see what
> has happened:
>
> # bioctl ami0
> Volume  Status     Size          Device
> ami0 0  Online     366372454400  sd0    RAID5
>      0  Online     73403465728   0:0.0  ses0JNZ6>
>      1  Online     73403465728   0:2.0  ses0JNZ6>
>      2  Online     73403465728   0:4.0  ses0JNZ6>
>      3  Online     73403465728   0:8.0  ses0JNZ6>
>      4  Online     73403465728   1:10.0 ses1JNZ6>
>      5  Online     73403465728   1:12.0 ses1JNZ6>
> ami0 1  Degraded   366372454400  sd1    RAID5
>      0  Online     73403465728   0:1.0  ses0JNZ6>
>      1  Online     73403465728   0:3.0  ses0JNZ6>
>      2  Online     73403465728   0:5.0  ses0JNZ6>
>      3  Rebuild    73403465728   1:15.0 ses1JNZ6>
>      4  Online     73403465728   1:11.0 ses1JNZ6>
>      5  Online     73403465728   1:13.0 ses1JNZ6>
> ami0 2  Unused     73403465728   1:14.0 ses1JNZ6>
>
> Drive 1:15 automatically became a part of the "sd1" volume, and is
> currently rebuilding. If I access a filesystem on sd1, I will notice
> that it is a little bit slower.
>
> Of course the RAID array is beeping so loudly I think my ears are going to
> burst, so I must shut it up:
>
> # bioctl -a quiet ami0
>
> When I reinsert the drive that I previously unplugged, I see:
>
3.8 only sees 16MB on Proliant 800, 3.7 saw 256MB
Just an FYI for some Compaq users out there who might run into this: 3.8 (GENERIC.MP, self-compiled from sources a few days or couple of weeks back) sees only 16MB RAM on a Proliant 800 that I am using (Dual Pentium Pro 200, 256MB, dmesg below). 3.7-stable saw all of the physically installed (and BIOS recognized) 256MB without changes. Remedy is well documented in FAQ (4.12.1).

-Jason

# dmesg
OpenBSD 3.8 (GENERIC.MP) #6: Wed Sep 7 01:08:02 EDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
real mem = 268017664 (261736K)
avail mem = 237621248 (232052K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xe8000/0x6000 0xee000/0x2000!
mainbus0: Intel MP Specification (Version 1.4) (COMPAQ PROLIANT)
cpu0 at mainbus0: apid 1 (boot processor)
cpu0: apic clock running at 66 MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 9 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apic 2
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
ppb0 at pci0 dev 8 function 0 "IBM 82351 PCI-PCI" rev 0x01
pci1 at ppb0 bus 1
siop0 at pci1 dev 4 function 0 "Symbios Logic 53c875" rev 0x04: apic 2 int 5 (irq 5), using 4K of on-board RAM
scsibus0 at siop0: 16 targets
sd0 at scsibus0 targ 0 lun 0: SCSI2 0/direct fixed
sd0: 4339MB, 6576 cyl, 8 head, 168 sec, 512 bytes/sec, 8887200 sec total
sis0 at pci1 dev 8 function 0 "NS DP83815 10/100" rev 0x00: DP83815C, apic 2 int 5 (irq 5), address 00:02:e3:03:7e:f2
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
vga1 at pci1 dev 9 function 0 "Cirrus Logic CL-GD5430" rev 0x47
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
tl0 at pci0 dev 16 function 0 "Compaq Integrated NetFlex 3/P" rev 0x10: apic 2 int 9 (irq 9) address 00:80:5f:ef:e2:d0
ukphy0 at tl0 phy 31: Generic IEEE 802.3u media interface
ukphy0: OUI 0x100014, model 0x0001, rev. 5
pcib0 at pci0 dev 20 function 0 "Intel 82371SB ISA" rev 0x01
pciide0 at pci0 dev 20 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 0, DMA mode 1
pciide0: channel 1 ignored (disabled)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt2 at isa0 port 0x3bc/4: polled
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 0 netmask 0 ttymask 0
ioapic0: pin 5 shares different IPL interrupts (40..50), degraded performance
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
siop0: target 0 now using tagged 16 bit 20.0 MHz 15 REQ/ACK offset xfers
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02

# cat /etc/boot.conf
machine mem [EMAIL PROTECTED]
#
lockups, crashes on a Compaq Presario 5304
I installed OpenBSD 3.7 on a Compaq Presario 5304. That is an old (about 7 years old I believe) PC. The dmesg is appended to this email.

I noticed two rather strange problems during the installation and the post-installation.

During the installation, at the disklabeling step, I entered "a a" to add the root partition. The computer just froze. I had to turn it off. I redid the exact same steps and on the second time it just worked. Strange. BTW, I believe this machine is reliable. It has been running Windows 2000 day and night for more than a year without a crash. I understand that shit can happen though. Maybe the RAM went kaput or.

The other problem I encountered was while I tried to setup my laser printer. To check if OpenBSD was able to talk to the printer, I typed "lptest > /dev/lpt0". On the first try, the computer just rebooted. On the second, it froze. (lptd was enabled in rc.conf.local)

Any idea?

Thanks,
Pascal

p.s.: sorry about the possible bad English. It ain't my native tongue.
p.p.s.: I read the afterboot(8), the whole FAQ, the FreeBSD Handbook printer section and a whole lot of pages found through Google. It seems I am one of a kind (well, the PC is..) :)

the dmesg output:

OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Cyrix 6x86MX ("CyrixInstead" 686-class) 250 MHz
cpu0: FPU,DE,TSC,MSR,CX8,PGE,CMOV,MMX,TM2,CNXT-ID
real mem = 62431232 (60968K)
avail mem = 49500160 (48340K)
using 787 buffers containing 3223552 bytes (3148K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7b) BIOS, date 05/08/99, BIOS32 rev. 0 @ 0xfb470
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xb90c
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 3 5 10 11
pcibios0: PCI Interrupt Router at 000:01:0 ("SIS 85C503 System" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "SIS 530 PCI" rev 0x02
pciide0 at pci0 dev 0 function 1 "SIS 5513 EIDE" rev 0xd0: 530: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 4112MB, 8421840 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
pcib0 at pci0 dev 1 function 0 "SIS 85C503 System" rev 0xb1
"SIS 5595 System" rev 0x00 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 1 function 2 "SIS 5597/5598 USB" rev 0x11: irq 3, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: SIS OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ppb0 at pci0 dev 2 function 0 "SIS 86C201 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "SIS 530 VGA" rev 0xa2: aperture at 0xe500, size 0x40
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 11 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:50:ba:8c:dc:42
rlphy0 at rl0 phy 0: RTL internal phy
vr0 at pci0 dev 13 function 0 "VIA Rhine/RhineII" rev 0x06: irq 10 address 00:50:ba:e7:fa:ba
amphy0 at vr0 phy 8: Am79C873 10/100 PHY, rev. 0
eso0 at pci0 dev 15 function 0 "ESS SOLO-1 AudioDrive" rev 0x01: ES1946, irq 5
audio0 at eso0
opl0 at eso0: model OPL3
midi0 at opl0:
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi1 at pcppi0:
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: LM78
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
eso0: mapping Audio 1 DMA using I/O space at 0x410
biomask e34d netmask ef4d ttymask ffcf
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x3
Re: max-mss/max-ttl question
On Fri, Sep 09, 2005 at 03:18:24PM +0200, Stephan A. Rickauer wrote:
> That's probably a quick one:
>
> mtu - IPheader - TCPheader = max-mss?
>
> E.g. for ethernet:
>
> 1500 - 20 - 20 = 1460?

i use the max-mss like this:

scrub on $t all fragment reassemble reassemble tcp no-df random-id max-mss 1200

as $t is used on this machine for VPN to work, which is a cisco concentrator (that might not matter). some things between me and it choke royally if the mss the endpoints agree on is greater than something between 1200-1300 (segments greater than that never arrive at the other destination). smells like something at the remote end is setting DF, and then it goes through a hop who wants to fragment it but honours the DF. me cinching down my mss is the only way i've been able to make everything work consistently.

> Thanks! BTW: What's a good value for max-ttl? I do understand what it
> does but I don't see the reason behind it ...

you could set max-ttl to a very high number if you'd like traceroutes to become very unuseful :P

i'm not certain of a good reason to restrict max-ttl to a lower-than-typical number other than enforcing a local policy where for one reason or another, it is the case that you have a machine who should never be talking to machines more than X hops away.. i've thought about it for trivia's sake, but haven't been exposed to a scenario where it was a factor in a solution (tho am interested in examples).

jared
-
[ openbsd 3.7 GENERIC ( sep 1 ) // i386 ]
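As an added example (not part of jared's reply, and not pf's own code), the Python below shows what a max-mss clamp actually does to a TCP SYN: it walks the TCP option list, rewrites an MSS option larger than the limit down to the limit, and computes the MTU-derived MSS from the arithmetic quoted above. The SYN is constructed here with made-up port, sequence and window values; the TCP checksum is left at zero and not recomputed, which a real clamp such as pf's scrub must do.

```python
import struct

# TCP option kinds used below (RFC 793)
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2


def expected_mss(mtu, ip_header=20, tcp_header=20):
    """MSS a host derives from its link MTU: the MTU less the IP and TCP
    headers. For plain Ethernet that is 1500 - 20 - 20 = 1460."""
    return mtu - ip_header - tcp_header


def build_syn(mss, sport=40000, dport=80):
    """Construct a minimal TCP SYN (header plus options) carrying an MSS
    option. Field values are made up for the example; the checksum is left
    at 0 because there is no IP pseudo-header here to compute it over."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    # pad the option list to a 32-bit boundary
    options += bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_EOL])
    data_offset = (20 + len(options)) // 4        # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         1,                 # sequence number
                         0,                 # acknowledgement number
                         data_offset << 4,  # data offset, reserved bits zero
                         0x02,              # flags: SYN
                         65535,             # window
                         0,                 # checksum (not computed here)
                         0)                 # urgent pointer
    return header + options


def clamp_mss(segment, max_mss):
    """Lower any MSS option above max_mss to max_mss, which is what
    "scrub ... max-mss N" does to SYNs passing through pf.
    Returns (rewritten_segment, mss_seen_before_clamping); the second
    value is None when the segment carries no MSS option. A malformed
    option list raises ValueError instead of being guessed at."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    buf = bytearray(segment)
    i, seen = 20, None
    while i < header_len:
        kind = buf[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("option kind without length")
        length = buf[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("bad option length")
        if kind == TCP_OPT_MSS and length == 4:
            seen = struct.unpack_from("!H", buf, i + 2)[0]
            if seen > max_mss:
                struct.pack_into("!H", buf, i + 2, max_mss)
                # a real clamp must also update the TCP checksum here
        i += length
    return bytes(buf), seen


if __name__ == "__main__":
    syn = build_syn(expected_mss(1500))
    clamped, before = clamp_mss(syn, 1200)
    print("MSS before clamp:", before, "after:", clamp_mss(clamped, 1200)[1])
```

The option walker stops at EOL and skips NOPs, so a SYN with its MSS option in any position is handled, and a SYN already advertising a value at or below the limit passes through byte-for-byte unchanged.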
Re: RAID management support coming in OpenBSD 3.8
Theo, this is cool stuff! Very elegant solution. In Linux you have to hope your vendor has some kind of management tool, and if there is one, you have to hope it works. I hope more devices will be supported soon. Wijnand
Re: Anything in need of research?
Martin Schröder wrote:
> On 2005-09-09 17:39:37 +0200, Tim wrote:
> > Is there anything related to OpenBSD that would be worth investigating or
> > researching?
>
> Yes: Is there anything related to OpenBSD that would be worth investigating or
> researching? :-)

How about http://openbsd.org/query-pr.html
RAID management support coming in OpenBSD 3.8
I thought it was time to give some details about the (minimal) RAID management stuff coming in OpenBSD 3.8. Most of this code has been written by Marco Peereboom with some help from David Gwynne and Michael Shalayeff. Moral support and direction from me and Bob Beck who has a pile of these AMI setups.

Here is a demonstration. First, a piece of dmesg output, so that we can see which device is going to be handled:

ami0 at pci1 dev 8 function 0 "Symbios Logic MegaRAID" rev 0x01: apic 9 int 8 (irq 10) Dell 518/64b/lhc
ami0: FW 350O, BIOS v1.09, 128MB RAM
ami0: 2 channels, 0 FC loops, 2 logical drives
scsibus2 at ami0: 40 targets
sd0 at scsibus2 targ 0 lun 0: SCSI2 0/direct fixed
sd0: 349400MB, 44542 cyl, 255 head, 63 sec, 512 bytes/sec, 715571200 sec total
sd1 at scsibus2 targ 1 lun 0: SCSI2 0/direct fixed
sd1: 349400MB, 44542 cyl, 255 head, 63 sec, 512 bytes/sec, 715571200 sec total
scsibus3 at ami0: 16 targets
ses0 at scsibus3 targ 6 lun 0: SCSI3 3/processor fixed
scsibus4 at ami0: 16 targets
ses1 at scsibus4 targ 6 lun 0: SCSI3 3/processor fixed

OK, this is an AMI raid controller. It has come up with 3 scsi busses; one for the virtual RAID volumes which there are two of, and two SCSI busses which match the real SCSI busses that are on the controller (to expose the SES or SAFTE enclosure management controllers, and so that we can talk pass-through to the real disks).

If we wish to probe further details, we use

# bioctl ami0
Volume  Status     Size          Device
ami0 0  Online     366372454400  sd0    RAID5
     0  Online     73403465728   0:0.0  ses0
     1  Online     73403465728   0:2.0  ses0
     2  Online     73403465728   0:4.0  ses0
     3  Online     73403465728   0:8.0  ses0
     4  Online     73403465728   1:10.0 ses1
     5  Online     73403465728   1:12.0 ses1
ami0 1  Online     366372454400  sd1    RAID5
     0  Online     73403465728   0:1.0  ses0
     1  Online     73403465728   0:3.0  ses0
     2  Online     73403465728   0:5.0  ses0
     3  Online     73403465728   1:9.0  ses1
     4  Online     73403465728   1:11.0 ses1
     5  Online     73403465728   1:13.0 ses1
ami0 2  Unused     73403465728   1:14.0 ses1
ami0 3  Hot spare  73403465728   1:15.0 ses1

Here we can see which physical drives are on the controller, and how they are configured into volumes. Two volumes have been created, both of which are rather large. The drives are on two scsi busses, for instance, 1:12.0 means SCSI bus 1, scsi target 12, lun 0. With additional options to bioctl(4), we could find out some more (mostly irrelevant) information.

There are also two additional devices which we know about: one is unused (ie. not registered with the AMI firmware at the moment), and one is a Hot Spare.

Let's cause some havoc. First, I want to pick a drive that I am going to unplug, to mimic a failure. Let's see... 1:9.0 looks good to me.

# bioctl -b 1.9 ami0

When I look at the array, one of the drives is now blinking. I made it blink just because I prefer to pull drives out of my sd1 filesystems rather than the sd0 filesystems. And otherwise I wouldn't be able to show off the blink support. Anyways, I pull that particular drive.

Immediately some churning starts, and if I re-run bioctl I can see what has happened:

# bioctl ami0
Volume  Status     Size          Device
ami0 0  Online     366372454400  sd0    RAID5
     0  Online     73403465728   0:0.0  ses0
     1  Online     73403465728   0:2.0  ses0
     2  Online     73403465728   0:4.0  ses0
     3  Online     73403465728   0:8.0  ses0
     4  Online     73403465728   1:10.0 ses1
     5  Online     73403465728   1:12.0 ses1
ami0 1  Degraded   366372454400  sd1    RAID5
     0  Online     73403465728   0:1.0  ses0
     1  Online     73403465728   0:3.0  ses0
     2  Online     73403465728   0:5.0  ses0
     3  Rebuild    73403465728   1:15.0 ses1
     4  Online     73403465728   1:11.0 ses1
     5  Online     73403465728   1:13.0 ses1
ami0 2  Unused     73403465728   1:14.0 ses1

Drive 1:15 automatically became a part of the "sd1" volume, and is currently rebuilding. If I access a filesystem on sd1, I will notice that it is a little bit slower.

Of course the RAID array is beeping so loudly I think my ears are going to burst, so I must shut it up:

# bioctl -a quiet ami0

When I reinsert the drive that I previously unplugged, I see:

# bioctl ami0
Volume  Status     Size          Device
ami0 0  Online     366372454400  sd0    RAID5
     0  Online     73403465728   0:0.0  ses0
     1  Online     73403465728   0:2.0  ses0
     2  Online     73403465728   0:4.0  ses0
     3  Online     73403465728   0:8.0  ses0
     4  Online     73403465728   1:10.0 ses1
     5  Online     73403465728   1:12.0 ses1
ami0 1  Degraded   366372454400  sd1    RAID5
     0  Online 7340
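An added example, not part of Theo's announcement and not bioctl(8)'s own code: a small Python parser for the bioctl volume table shown above, with a check that flags exactly the conditions the demonstration produces (a volume that is not Online, a member disk in Rebuild, and no Hot spare left on the controller). The two sample tables are abbreviated copies of the output above (the sd1 volume and the two standalone disks only); the column handling assumes the layout shown there, which is an assumption about this bioctl version and controller, not a general rule.

```python
import re

# Abbreviated copies of the two bioctl(8) tables from the announcement
# (sd1 and the standalone disks only), before and after the drive was pulled.
HEALTHY = """\
Volume  Status     Size          Device
ami0 1  Online     366372454400  sd1    RAID5
     0  Online     73403465728   0:1.0  ses0
     1  Online     73403465728   0:3.0  ses0
     2  Online     73403465728   0:5.0  ses0
     3  Online     73403465728   1:9.0  ses1
     4  Online     73403465728   1:11.0 ses1
     5  Online     73403465728   1:13.0 ses1
ami0 2  Unused     73403465728   1:14.0 ses1
ami0 3  Hot spare  73403465728   1:15.0 ses1
"""

DEGRADED = """\
Volume  Status     Size          Device
ami0 1  Degraded   366372454400  sd1    RAID5
     0  Online     73403465728   0:1.0  ses0
     1  Online     73403465728   0:3.0  ses0
     2  Online     73403465728   0:5.0  ses0
     3  Rebuild    73403465728   1:15.0 ses1
     4  Online     73403465728   1:11.0 ses1
     5  Online     73403465728   1:13.0 ses1
ami0 2  Unused     73403465728   1:14.0 ses1
"""

# physical location column: bus:target.lun, e.g. 1:12.0
LOCATION = re.compile(r"^\d+:\d+\.\d+$")


def parse_bioctl(text):
    """Parse the bioctl volume table into a list of entries.
    A volume entry has device/level and a list of member disks; a standalone
    disk (Unused, Hot spare) has a location and no device."""
    entries = []
    for line in text.splitlines():
        tokens = line.replace("Hot spare", "Hot_spare").split()
        if not tokens or tokens[0] == "Volume":
            continue                      # blank line or column header
        if tokens[0][0].isdigit():
            # member disk row: belongs to the most recent volume
            if not entries or entries[-1]["device"] is None:
                raise ValueError("disk row without a volume: " + line)
            idx, status, size, loc, encl = tokens[:5]
            entries[-1]["disks"].append({"index": int(idx), "status": status,
                                         "size": int(size), "location": loc,
                                         "enclosure": encl})
            continue
        ctl, idx, status, size = tokens[:4]
        entry = {"ctl": ctl, "index": int(idx), "status": status.replace("_", " "),
                 "size": int(size), "device": None, "level": None,
                 "location": None, "disks": []}
        rest = tokens[4:]
        if rest and LOCATION.match(rest[0]):
            entry["location"] = rest[0]   # standalone physical disk
        elif rest:
            entry["device"] = rest[0]     # sdN
            entry["level"] = rest[1] if len(rest) > 1 else None
        entries.append(entry)
    return entries


def check_array(entries):
    """Return alert strings for anything a monitoring run should report."""
    alerts = []
    for e in entries:
        if e["device"] is None:
            continue                      # Unused disks and spares are not volumes
        if e["status"] != "Online":
            alerts.append(f"{e['device']} ({e['level']}) is {e['status']}")
        for d in e["disks"]:
            if d["status"] != "Online":
                alerts.append(f"{e['device']} disk {d['index']} at {d['location']} is {d['status']}")
    if not any(e["status"] == "Hot spare" for e in entries):
        alerts.append("no hot spare left on the controller")
    return alerts


if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, check_array(parse_bioctl(table)) or ["ok"])
```

Run against the degraded table it reports the Degraded volume, the rebuilding disk at 1:15.0 and the missing spare; the healthy table produces no alerts. Fed the live output of `bioctl ami0` from cron, the same check gives a rebuild notice that does not depend on hearing the controller beep.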
Re: OpenBSD website Design.
Dave Feustel wrote:
> I have not seen a sitemap for openbsd.org. Is there one? If not, how hard
> would it be to create one and add a link to the website for it?

What about http://www.openbsd.org/cgi-bin/cvsweb/www/ ? :-)
Re: OpenBSD website Design.
I have not seen a sitemap for openbsd.org. Is there one? If not, how hard would it be to create one and add a link to the website for it?

Thanks,
Dave Feustel
Re: Anything in need of research?
On 2005-09-09 17:39:37 +0200, Tim wrote:
> Is there anything related to OpenBSD that would be worth investigating or
> researching?

Yes: Is there anything related to OpenBSD that would be worth investigating or researching? :-)

SCNR
Martin
--
http://www.tm.oneiros.de
Re: the joys of spamd
On Fri, 9 Sep 2005, Chad M Stewart wrote:
> On Sep 9, 2005, at 1:05 PM, Hans van Leeuwen wrote:
>
> > <..snip..>
> >> My all-time record is 3726 seconds.
> >> That's not chuckling, that's rolling on the floor laughing out loud :-)
> >>
>
> I had to check my logs and I found
> [...]
> 19511 seconds.

My record: 13 "simultaneous" of 71++K seconds!

Mar 30 09:38:50 discada spamd[5067]: 65.77.106.34: connected (8/8), lists: mylot
Mar 30 09:46:19 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 09:56:06 discada spamd[5067]: 65.77.106.34: connected (14/14), lists: mylot
Mar 30 10:03:32 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 10:26:46 discada spamd[5067]: 65.77.106.34: connected (21/21), lists: mylot
Mar 30 10:34:16 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 11:10:44 discada spamd[5067]: 65.77.106.34: connected (24/23), lists: mylot
Mar 30 11:18:07 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 12:12:09 discada spamd[5067]: 65.77.106.34: connected (29/28), lists: mylot
Mar 30 12:19:35 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 13:22:37 discada spamd[5067]: 65.77.106.34: connected (38/35), lists: mylot
Mar 30 13:29:59 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 14:47:21 discada spamd[5067]: 65.77.106.34: connected (42/42), lists: mylot
Mar 30 14:54:47 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 16:25:17 discada spamd[5067]: 65.77.106.34: connected (44/43), lists: mylot
Mar 30 16:32:41 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 18:16:51 discada spamd[5067]: 65.77.106.34: connected (51/51), lists: mylot
Mar 30 18:24:13 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 20:21:18 discada spamd[5067]: 65.77.106.34: connected (57/53), lists: mylot
Mar 30 20:28:42 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 22:39:17 discada spamd[5067]: 65.77.106.34: connected (56/55), lists: mylot
Mar 30 22:46:41 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 31 01:10:37 discada spamd[5067]: 65.77.106.34: connected (48/48), lists: mylot
Mar 31 01:18:01 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 31 03:55:17 discada spamd[5067]: 65.77.106.34: connected (44/44), lists: mylot
Mar 31 04:02:40 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 31 05:36:31 discada spamd[5067]: 65.77.106.34: disconnected after 71861 seconds. lists: mylot
Mar 31 05:53:36 discada spamd[5067]: 65.77.106.34: disconnected after 71850 seconds. lists: mylot
Mar 31 06:23:54 discada spamd[5067]: 65.77.106.34: disconnected after 71828 seconds. lists: mylot
Mar 31 07:09:31 discada spamd[5067]: 65.77.106.34: disconnected after 71927 seconds. lists: mylot
Mar 31 08:07:44 discada spamd[5067]: 65.77.106.34: disconnected after 71735 seconds. lists: mylot
Mar 31 09:17:44 discada spamd[5067]: 65.77.106.34: disconnected after 71707 seconds. lists: mylot
Mar 31 10:42:29 discada spamd[5067]: 65.77.106.34: disconnected after 71708 seconds. lists: mylot
Mar 31 12:20:25 discada spamd[5067]: 65.77.106.34: disconnected after 71708 seconds. lists: mylot
Mar 31 14:12:39 discada spamd[5067]: 65.77.106.34: disconnected after 71748 seconds. lists: mylot
Mar 31 16:17:57 discada spamd[5067]: 65.77.106.34: disconnected after 71799 seconds. lists: mylot
Mar 31 18:38:29 discada spamd[5067]: 65.77.106.34: disconnected after 71952 seconds. lists: mylot
Mar 31 21:08:06 discada spamd[5067]: 65.77.106.34: disconnected after 71849 seconds. lists: mylot
Mar 31 23:53:03 discada spamd[5067]: 65.77.106.34: disconnected after 71866 seconds. lists: mylot
Re: OpenBSD website Design.
On 9/8/05, Nick Holland <[EMAIL PROTECTED]> wrote:
> Siju George wrote:
> > Hi,
> >
> > One of my friends sent me this new OpenBSD website design he created.
> > Please have a look at it :-D
> >
> > http://mayuresh.freeshell.org/openbsd/
> >
> > Thankyou so much
> >
> > Kind Regards
> >
> > Siju
>
> Changing the basic website look isn't something we are going to do
> lightly. Unfortunately, there are an almost unlimited number of ways to
> present the content on the front page, and while a lot of those are
> clearly "bad", that still leaves a lot of very usable, and even very
> good options.
>
> If we switch from one usable solution to another, we'll end up with
> dozens of people sending us competing solutions to what really isn't a
> problem at this point.
>
> Someday, perhaps, Theo will say, "I'm tired of this look, I want to do
> THIS", and boom, things will change, but until then (and after then!),
> I'd suggest working on the content, rather than the layout.
>
> That's not to say the suggested layout was bad in any way (in fact, I
> rather like it), but I don't think it solves any problem, and some of us
> are attached to the current layout. :)
>

I understand Nick :-)

good luck!

kind regards

Siju
Re: the joys of spamd
On Sep 9, 2005, at 1:05 PM, Hans van Leeuwen wrote:
<..snip..>
> My all-time record is 3726 seconds. That's not chuckling, that's rolling on the floor laughing out loud :-)

I had to check my logs and I found

# grep 81.71.83.132 daemon*
daemon.62:Jul 8 11:13:21 zeus spamd[13726]: 81.71.83.132: connected (7/5)
daemon.62:Jul 8 11:13:22 zeus spamd[13726]: (GREY) 81.71.83.132: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
daemon.62:Jul 8 11:13:22 zeus spamd[13726]: 81.71.83.132: disconnected after 1 seconds.
daemon.68:Jul 2 11:33:57 zeus spamd[13726]: 81.71.83.132: connected (1/0)
daemon.68:Jul 2 16:59:08 zeus spamd[13726]: 81.71.83.132: disconnected after 19511 seconds.

Wow, too funny. I had another one that was 18K+ seconds.

-Chad
Re: the joys of spamd
Kevin wrote:
>Sep 8 11:47:11 mail spamd[19133]: 61.159.253.63: disconnected after 408 seconds. lists: china
>Sep 8 12:10:16 mail spamd[19133]: 211.193.204.4: disconnected after 77 seconds. lists: korea
>Sep 8 14:22:23 mail spamd[2121]: 61.100.12.105: disconnected after 54 seconds. lists: korea
>
>What can you do but chuckle?
>

Just from yesterday's log:

Sep 8 06:59:22 fortress-maximus spamd[22851]: 218.25.172.18: disconnected after 1000 seconds. lists: china

My all-time record is 3726 seconds. That's not chuckling, that's rolling on the floor laughing out loud :-)

For more entertainment see http://hanz.nl/p/spamd

Hans
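The messages in this thread quote three shapes of spamd(8) log record: "connected (N/M), lists: ...", the "(BLACK)"/"(GREY)" verdict line, and "disconnected after N seconds". As an added example (not code from the thread or from OpenBSD), here is a small parser that turns such lines into per-address statistics, so the "record" tarpit times above can be pulled out of a daemon log automatically; the sample log and the mail addresses in it are constructed.

```python
"""Summarise OpenBSD spamd(8) log lines of the kind quoted in this thread:
per source address, the lists it matched, its verdicts, how many
connections it opened and the longest time it sat in the tarpit.  Added
example, not from the thread; the log excerpt below is constructed in the
three record shapes shown above, with the mail addresses made up."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 30 20:21:18 discada spamd[5067]: 65.77.106.34: connected (57/53), lists: mylot
Mar 30 20:28:42 discada spamd[5067]: (BLACK) 65.77.106.34: <a@example.invalid> -> <b@example.invalid>
Mar 31 05:36:31 discada spamd[5067]: 65.77.106.34: disconnected after 71861 seconds. lists: mylot
Jul  8 11:13:21 zeus spamd[13726]: 81.71.83.132: connected (7/5)
Jul  8 11:13:22 zeus spamd[13726]: (GREY) 81.71.83.132: <c@example.invalid> -> <d@example.invalid>
Jul  8 11:13:22 zeus spamd[13726]: 81.71.83.132: disconnected after 1 seconds.
Jul  2 16:59:08 zeus spamd[13726]: 81.71.83.132: disconnected after 19511 seconds.
Sep  8 06:59:22 fortress-maximus spamd[22851]: 218.25.172.18: disconnected after 1000 seconds. lists: china
Sep  8 06:59:23 fortress-maximus sshd[1]: not a spamd record, must be ignored
"""

# syslog prefix: "Mon dd hh:mm:ss host spamd[pid]: "
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ spamd\[\d+\]: "
CONNECTED = re.compile(PREFIX + r"(?P<ip>[\d.]+): connected \((?P<cur>\d+)/(?P<black>\d+)\)"
                       r"(?:, lists: (?P<lists>.*))?$")
VERDICT = re.compile(PREFIX + r"\((?P<verdict>BLACK|GREY)\) (?P<ip>[\d.]+): <[^>]*> -> <[^>]*>$")
DISCONNECTED = re.compile(PREFIX + r"(?P<ip>[\d.]+): disconnected after (?P<secs>\d+) seconds\."
                          r"(?: lists: (?P<lists>.*))?$")


def parse_line(line):
    """Return (kind, fields) for a recognised spamd record, else None."""
    for kind, rx in (("connected", CONNECTED), ("verdict", VERDICT),
                     ("disconnected", DISCONNECTED)):
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return None


def summarise(log_text):
    """Per-IP statistics: lists, verdicts, connection count, longest session."""
    stats = defaultdict(lambda: {"lists": set(), "verdicts": set(),
                                 "connections": 0, "longest": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        s = stats[f["ip"]]
        if f.get("lists"):                      # absent on plain greylist entries
            s["lists"].update(f["lists"].replace(",", " ").split())
        if kind == "connected":
            s["connections"] += 1
        elif kind == "verdict":
            s["verdicts"].add(f["verdict"])
        else:
            s["longest"] = max(s["longest"], int(f["secs"]))
    return dict(stats)


def long_tarpits(stats, threshold=3600):
    """Addresses that stayed stuck longer than threshold seconds, longest first."""
    return sorted((ip for ip, s in stats.items() if s["longest"] > threshold),
                  key=lambda ip: -stats[ip]["longest"])
```

Feed it the output of `grep spamd /var/log/daemon*` and `long_tarpits(summarise(text))` lists the addresses that spent over an hour in the tarpit.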
Anything in need of research?
Is there anything related to OpenBSD that would be worth investigating or researching?
Re: Volume based internet restrictions
On 9/5/05, Fletch <[EMAIL PROTECTED]> wrote: > Greets > > I am setting up an openbsd router to manage a company's internet access, > and would like to deploy volume based internet usage. I have setup > squid, but it doesn't seem to have any options to limit a user by volume > of traffic, only bandwidth. > > Is there any solution to do this? I pretty much want to limit volume to > maybe 50mb a day per user and have it refresh each day. I don't care what > they look at or how fast they get it, only that it's no more than 50mb > per day. don't know if anybody has replied to you privately or not, but you probably want to take a look at the pf(4) man page, specifically the bits about queueing. I'm sure you can probably get pf(4) to do what you want with a little time, thought and testing. -- [EMAIL PROTECTED],darkuncle.net} || 0x5537F527 encrypted email to the latter address please http://darkuncle.net/pubkey.asc for public key
max-mss/max-ttl question
That's probably a quick one: mtu - IPheader - TCPheader = max-mss? E.g. for ethernet: 1500 - 20 - 20 = 1460? Thanks! BTW: What's a good value for max-ttl? I do understand what it does but I don't see the reason behind it ... -- Stephan A. Rickauer Institut für Neuroinformatik Universität / ETH Zürich Winterthurerstrasse 190 CH-8057 Zürich Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53 http://www.ini.ethz.ch
Re: nsswitch and/or hesiod support
Damien Miller wrote: As in unauthenticated distribution of private account data via DNS? I strongly doubt it. Well, that's what NIS does (unauthenticated distribution of private account), right ? And if you use kerberos for storing passwords, it does not look like such an issue... or am I wrong ? Besides, it is much easier to filter DNS traffic than NIS... Regards, Antoine
Re: nsswitch and/or hesiod support
Antoine Jacoutot wrote: And what about hesiod ? Was it ever considered to be included ? As in unauthenticated distribution of private account data via DNS? I strongly doubt it. -d
undeadly.org - too many blackouts
Hello, this is a little bit off-topic, but I like the OpenBSD Journal website, and recently the site has had many troubles. This month I have not seen one week without a "blackout". Right now the site is unreachable again. Maybe it would be great to have other webhosting for it. MK
Re: nsswitch and/or hesiod support
Damien Miller wrote: Lots of us would like something like nsswitch, but none of us want an implementation that uses shared libraries to do it. It should be fairly easy to delegate getpw* and getgr* via a local unix domain socket (which works nicely for chroot apps too), but there are some subtleties especially around fallback behaviour. To my knowledge, one person (Eric Alata, search the misc@ and tech@ archives) has looked at this and has started by writing a better LDAP client API than openldap's, but IIRC he is tied up completing his thesis. And what about hesiod ? Was it ever considered to be included ? Regards, Antoine
Re: adsl ppp tun questions and routing questions
On 09/09/2005, at 5:07 PM, Roger Neth Jr wrote:
> Hello List,
>
> I don't know how to have ppp pppoe stay on one tun as it is switching between tun0 and tun1 on reboots.
>
> andrew# page rc.conf.local
> config de1 up
> ppp -ddial pppoe

you want to use the -unit argument to ppp to bind it to a particular tun device. eg

ppp -ddial -unit0 pppoe

that will cause it to always use tun0.

also, i recommend you use rc.local to start up local programs, not rc.conf.local. or you could do what i do to bring ppp up on boot (hme0 is the device with the adsl modem on it):

$ cat /etc/hostname.hme0
up
$ cat /etc/hostname.tun0
!/usr/sbin/ppp -ddial -unit0 pppoe
Re: nsswitch and/or hesiod support
Lukasz Sztachanski wrote: On Sat, Sep 03, 2005 at 10:11:51PM +0200, Antoine Jacoutot wrote: Hi... Some months ago, a patch to import nsswitch into OpenBSD was posted on tech@ : http://marc.theaimsgroup.com/?l=openbsd-tech&m=110098242313143&w=2 I was wondering if there was any ongoing work on nsswitch or equivalent. If not, is there a way to have hesiod support on OpenBSD ? I've been silently looking for any reply :> Lack of nsswitch is the most annoying thing in OpenBSD for me. Anyway, in the next few weeks I'll have to play with nsswitch (especially for distributing 1k accounts via ldap); probably I'll try to import this patch to 3_7 or 3_8. Lots of us would like something like nsswitch, but none of us want an implementation that uses shared libraries to do it. It should be fairly easy to delegate getpw* and getgr* via a local unix domain socket (which works nicely for chroot apps too), but there are some subtleties especially around fallback behaviour. To my knowledge, one person (Eric Alata, search the misc@ and tech@ archives) has looked at this and has started by writing a better LDAP client API than openldap's, but IIRC he is tied up completing his thesis. If you want to pick this up, consider contacting him (he is in the Cc list) and reporting your progress to tech@ -d
Re: adsl ppp tun questions and routing questions
--On 09 September 2005 10:38 +0200, Eric Dillenseger wrote:

> You may want to check in /etc/ppp/ppp.link{up|down} or /etc/rc.conf(.local).
> Do you start ppp in /etc/rc ? as I can see, it starts before /etc/rc
> initializes the network and then another time

Maybe in rc.local and hostname.tun0.

--On 09 September 2005 00:07 -0700, Roger Neth Jr wrote:

> I have routed in rc.conf as routed="-q" but don't understand how to
> configure any further to have the internet shared with other computers.

routed is for RIP. Unless you already know what that is, you probably don't need it.

> I can't figure out how to set the gateway to show an inet address that is
> static to use at a mygateway or option routers with dhcpd on a different
> server.

For the setup you've shown, the gateway address to use on the other computers is 192.168.1.1. You also need to edit sysctl.conf if you haven't already.
Re: adsl ppp tun questions and routing questions
On 9/9/05, Roger Neth Jr <[EMAIL PROTECTED]> wrote:
> Hello List,
>
> I don't know how to have ppp pppoe stay on one tun as it is switching
> between tun0 and tun1 on reboots.
>
(snip)

Hi Roger,

I'm wondering if you're not starting ppp in 2 places during startup, as it looks like ppp starts once with tun0 and then it starts again with tun1.

You may want to check in /etc/ppp/ppp.link{up|down} or /etc/rc.conf(.local). Do you start ppp in /etc/rc ? As I can see, it starts before /etc/rc initializes the network and then another time:

>Working in ddial mode
>Using interface: tun0
>setting tty flags
>stray isa irq 3
>pf enabled
>net.inet.ip.forwarding: 0 -> 1
>vm.swapencrypt.enable: 1 -> 0
>starting network
>Working in ddial mode
>Using interface: tun1

Regards,
Eric Dillenseger
Re: nsswitch and/or hesiod support
On Sat, Sep 03, 2005 at 10:11:51PM +0200, Antoine Jacoutot wrote: > Hi... > > Some months ago, a patch to import nsswitch into OpenBSD was posted on tech@ : > > http://marc.theaimsgroup.com/?l=openbsd-tech&m=110098242313143&w=2 > > I was wondering if there was any ongoing work on nsswitch or equivalent. > If not, is there a way to have hesiod support on OpenBSD ? > I've been silently looking for any reply :> Lack of nsswitch is the most annoying thing in OpenBSD for me. Anyway, in the next few weeks I'll have to play with nsswitch (especially for distributing 1k accounts via ldap); probably I'll try to import this patch to 3_7 or 3_8. -- Lukasz Sztachanski ...proud user of C8H10N4O2 :) http://szati.blogspot.com http://rudy.mif.pg.gda.pl/~szati/szati.asc
Re: Migration to PF - some questions
On Fri, 09 Sep 2005 09:39:00 +0200, Guido Tschakert wrote:
>Stephan A. Rickauer wrote:
>> Gaby vanhegan wrote:
>>
>>> Yes, correct, my bad... Or perhaps this would work also:
>>>
>>> block out on $if_dmz keep state
>>> pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp keep state
>>>
>>> Maybe that was what I intended to write... :)
>>
>> Ok, I am now playing with 'fwbuilder' to see how the generated pf rules
>> look like. Presumably, they won't be structured as efficiently as if one
>> writes them by hand - but managing hundreds of rules manually is a
>> nightmare ...
>>
>> Thanks so far,
>>
>Hello,
>
>I think you know the following, but nevertheless it's important if you
>port your rules from netfilter to pf.
>
>In netfilter nat and filter rules are checked with:
>first match wins.
>
>In pf nat rules also the first match wins
>
>__but__
>
>in pf filter rules the __last__ match wins.
>
>In fact that is the one thing I don't like in pf, but to have a "first
>match win" you can use the magic word quick in all your pass and block
>rules. (e.g "pass in quick")

And thereby end up with yards of quick rules that can catch you later.

You should think of it this way: Default security is best with block everything and then pass what selected few things you need. So:

block all
pass in on $int_if from $safe1 to $ok2 keep state
pass in on $ext_if from any to $ext_if port ssh keep state

really makes a readable and logical arrangement to those of us who were taught the block all, pass few security policy. Now the example above is waay briefer than most useful rulesets but working from the principle I described adding necessary rules is not difficult and thoughtful grouping with whitespace between grouped rules makes for easier reading.

I have a firewall with 3 ethernet NICs and a wi-fi card. There is a DMZ with servers in it, there are restrictions on some LAN hosts and the wi-fi has authpf statements. The spamd rules and tables needed to do greylisting and tarpitting are in there too. The total line count is 71 with many blank lines for readability and about 16 macro definitions. There are (IIRC) about 3 "quicks" in it, 2 of which are for the loopback and one just blocks a single IP that tries DoS attacks now and then.

I'd hate to see it written with a yard of "quick" pass rules terminated with a block all. Forget to write that rule and you are wide open. Put it at the top and it is pretty hard to leave it out. See the default pf.conf where all you need to do is uncomment it at the top of the filter rules.

>
>guido
>
>

From the land "down under": Australia. Do we look from up over?
Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
adsl ppp tun questions and routing questions
Hello List,

I don't know how to have ppp pppoe stay on one tun as it is switching between tun0 and tun1 on reboots.

I have routed in rc.conf as routed="-q" but don't understand how to configure any further to have the internet shared with other computers.

I can't figure out how to set the gateway to show an inet address that is static to use at a mygateway or option routers with dhcpd on a different server.

Internet -- ppp.conf de1 OpenBSD firewall de0 dhcp --- Hub
    static inet 192.168.1.1 255.255.255.0 hme0 server running dhcpd
    |
    dhcp fxp0 Computer 3

On the learning curve with all this new stuff, thanks for any help.

Best regards,
rogern
John 3:16

Script started on Thu Sep 8 23:36:28 2005
luke# cu -l tty00
Connected
login: root
Password:
Last login: Thu Sep 8 23:36:08 on tty00
OpenBSD 3.8 (GENERIC) #586: Fri Sep 2 00:32:30 MDT 2005

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

You have new mail.
Terminal type? [vt220]
Read the afterboot(8) man page for administration advice.

andrew# cd /etc/ppp
andrew# page ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 0
 set reconnect 15 1
pppoe:
 set device "!/usr/sbin/pppoe -i de1"
 set mtu max 1492
 set mru max 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set dial
 set timeout 0
 disable acfcomp protocomp
 deny acfcomp
 set authname xx
 set authkey xx
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add! default HISADDR
 enable dns
 enable mssfixup

andrew# page rc.conf.local
config de1 up
ppp -ddial pppoe

andrew# page pf.conf
# macros
int_if = "de0"
ext_if = "tun0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.1.0/16, 10.0.0.0/8 }"
comp3 = "192.168.1.36"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

andrew# route show
Routing tables

Internet:
Destination         Gateway             Flags  Refs  Use  Mtu    Interface
default             64.164.115.254      UGS    0     36   -      tun0
64.164.114.133      localhost           UH     0     48   33192  lo0
64.164.115.254      64.164.114.133      UH     0     0    1492   tun0
loopback            localhost           UGRS   0     0    33192  lo0
localhost           localhost           UH     0     0    33192  lo0
192.168.1/24        link#1              UC     0     0    -      de0
192.168.1.1         08:00:20:86:4e:b6   UHLc   0     4    -      de0
192.168.1.32        localhost           UGHS   0     0    33192  lo0
192.168.1.36        00:02:55:d4:d4:fa   UHLc   0     11   -      de0
BASE-ADDRESS.MCAST  localhost           URS    0     0    33192  lo0

Internet6:
Destination         Gateway             Flags  Refs  Use  Mtu    Interface
::/104              localhost.Joshua.l  UGRS   0     0    -      lo0
::/96               localhost.Joshua.l  UGRS   0     0    -      lo0
localhost.Joshua.l  localhost.Joshua.l  UH     0     0    33192  lo0
::127.0.0.0/104     localhost.Joshua.l  UGRS   0     0    -      lo0
::224.0.0.0/100     localhost.Joshua.l  UGRS   0     0    -      lo0
::255.0.0.0/104     localhost.Joshua.l  UGRS   0     0    -      lo0
:::0.0.0.0/96       localhost.Joshua.l  UGRS   0     0    -      lo0
2002::/24           localhost.Joshua.l  UGRS   0     0    -      lo0
2002:7f00::/24      localhost.Joshua.l  UGRS   0     0    -      lo0
2002:e000::/20      localhost.Joshua.l  UGRS   0     0    -      lo0
2002:ff00::/24      localhost.Joshua.l  UGRS   0     0    -      lo0
fe80::/10           localhost.Joshua.l  UGRS   0     0    -      lo0
fe80::%de0/64       link#1              UC     0     0    -      de0
fe80::200:f8ff:fe7  00:00:f8:76:73:52   UHL    0     0    -      lo0
fe80::%de1/64       link#2              UC     0     0    -      de1
fe80::a00:2bff:fec  08:00:2b:c3:c9:01   UHL    0     0    -      lo0
fe80::%lo0/64       fe80::1%lo0         U      0     0    -      lo0
fe80::1%lo0         link#7              UHL    0     0    -      lo0
fec0::/10           localhost.Joshua.l  UGRS   0     0    -      lo0
ff01::/32           localhost.Joshua.l  UC     0     0    -      lo0
ff02::%de0/32       link#1              UC     0     0    -      de0
ff02::%de1
Re: Migration to PF - some questions
Stephan A. Rickauer wrote:
> Gaby vanhegan wrote:
>
>> Yes, correct, my bad... Or perhaps this would work also:
>>
>> block out on $if_dmz keep state
>> pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp keep state
>>
>> Maybe that was what I intended to write... :)
>
> Ok, I am now playing with 'fwbuilder' to see how the generated pf rules
> look like. Presumably, they won't be structured as efficiently as if one
> writes them by hand - but managing hundreds of rules manually is a
> nightmare ...
>
> Thanks so far,

Hello,

I think you know the following, but nevertheless it's important if you port your rules from netfilter to pf.

In netfilter nat and filter rules are checked with: first match wins.

In pf nat rules also the first match wins

__but__

in pf filter rules the __last__ match wins.

In fact that is the one thing I don't like in pf, but to have a "first match win" you can use the magic word quick in all your pass and block rules. (e.g "pass in quick")

guido
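The two points argued in this thread, that pf's filter rules are decided by the last match unless a rule says quick, and that a "block all" therefore belongs at the top rather than at the bottom, are easy to check with a toy evaluator. This is an added example, not pf's code or anything posted in the thread; the rulesets mirror the ones quoted above, the packets are constructed, and addresses are compared as plain strings (no CIDR matching).

```python
"""Toy model of pf(4) filter-rule selection, added here to illustrate the
ordering discussion in this thread (it is not pf's own code).  pf walks the
whole ruleset and the LAST matching rule decides, unless a matching rule
carries 'quick', which stops evaluation on the spot.  Rulesets and packets
below are constructed; addresses are compared as plain strings, no CIDR."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    iface: str
    src: str
    dst: str
    port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str] = None
    iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        """None stands for an omitted keyword, i.e. 'any'."""
        return all(want is None or want == got for want, got in (
            (self.direction, pkt.direction), (self.iface, pkt.iface),
            (self.src, pkt.src), (self.dst, pkt.dst), (self.port, pkt.port)))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Action pf applies to pkt; with no matching rule at all, pf passes."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:        # quick: stop here, this match is final
                break
    return winner.action if winner else "pass"


# The "block all first, then pass a selected few" arrangement from the thread.
BLOCK_ALL_FIRST = [
    Rule("block"),
    Rule("pass", "in", "int_if", src="safe1", dst="ok2"),
    Rule("pass", "in", "ext_if", dst="ext_if", port=22),
]
# Same passes with the block moved to the end: last match wins, so it eats everything.
BLOCK_ALL_LAST = BLOCK_ALL_FIRST[1:] + [Rule("block")]
# The netfilter-style "quick on every rule" translation; safe only as long as
# the trailing block is remembered.
QUICK_STYLE = [
    Rule("pass", "in", "int_if", src="safe1", dst="ok2", quick=True),
    Rule("pass", "in", "ext_if", dst="ext_if", port=22, quick=True),
    Rule("block", quick=True),
]
QUICK_STYLE_NO_BLOCK = QUICK_STYLE[:-1]   # forgot the block: wide open

# Constructed packets: inbound ssh and telnet from outside, LAN traffic from safe1.
SSH_IN = Packet("in", "ext_if", "203.0.113.9", "ext_if", 22)
TELNET_IN = Packet("in", "ext_if", "203.0.113.9", "ext_if", 23)
LAN_OK = Packet("in", "int_if", "safe1", "ok2")
```

`evaluate(BLOCK_ALL_LAST, SSH_IN)` returns "block" while `evaluate(QUICK_STYLE_NO_BLOCK, TELNET_IN)` returns "pass", which is exactly the pair of mistakes the thread warns about.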
Re: ntpd "dispatch_imsg in main: pipe closed"
Ray cyth.net> writes:
> Oct 11 09:29:24 sparky ntpd[30592]: dispatch_imsg in main: pipe closed

I've encountered this on several GNU/Linux boxen and tracked it down to

| listen on *

When I replace this by

| listen on ::

everything works fine. On BSD systems, you have to use

| listen on ::
| listen on 0.0.0.0

instead because itojun sadly still doesn't believe in V4_MAPPED.

I also had a similar problem on BSD once, when setting up ntpd on a box which had two interfaces connected to a bridge, and I was using the same IP subnet (/64) on both physical interfaces (sis0, sis2 - Soekris net4801, thanks Wim).

Probably this post will help people encountering the same problems in the future (can you spell Redhat 5, Knoppix-HDINSTALL and OpenWRT?).

bye,
//mirabile
--
> [...] find both emacs and vi nauseating (joe rules) and consider pine [...] usable text-mode mail client (and I have tried them all). ;)
Hello, I'm Holger ("Hello Holger!"), and I am also a ... pine user, and habitually so at that ("Oooohhh"). [from dasr]
Re: Migration to PF - some questions
Gaby vanhegan wrote:
> Yes, correct, my bad... Or perhaps this would work also:
>
> block out on $if_dmz keep state
> pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp keep state
>
> Maybe that was what I intended to write... :)

Ok, I am now playing with 'fwbuilder' to see how the generated pf rules look like. Presumably, they won't be structured as efficiently as if one writes them by hand - but managing hundreds of rules manually is a nightmare ...

Thanks so far,

-- Stephan A. Rickauer Institut für Neuroinformatik Universität / ETH Zürich Winterthurerstrasse 190 CH-8057 Zürich Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53 http://www.ini.ethz.ch
Re: Migration to PF - some questions
Nico Meijer wrote: Well, if I suggested to port netfilter to OpenBSD I would most probably be killed in seconds. ;) If you're lucky. ;-) You might want to check http://openbsd.unixtech.be/books.html and more specifically get a hold of Jacek's book. Thanks, Nico - I'll have a look. -- Stephan A. Rickauer Institut f|r Neuroinformatik Universitdt / ETH Z|rich Winterthurerstriasse 190 CH-8057 Z|rich Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53 http://www.ini.ethz.ch