Re: RAID management support coming in OpenBSD 3.8

2005-09-09 Thread John Kintaro Tate
On 9/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >> how does openbsd's RAID support stack up to the other *BSDs?
> >
> >on a scale of 1 to 10, it's an awesome.
> >
> >--
> >And that's why your software sucks.
> >
> 
> just how awesome is it?
> 
> when i read theo's announcement i thought to myself "this is
> missing something". your having mentioned how awesome it is
> makes me suspect theo edited out something at the end. i was
> totally expecting a ninja to flip out and kill someone on the
> mailing list

I hate it when that happens.

> at the end of the announcement since it was so
> extreme i almost crapped my pants.
> 
> 


-- 
John Kintaro Tate
Mobile: 0413 348 815 (Yep, old number, but I have a new phone)

Free OpenBSD shell accounts for all with no gimmicks. Just send your
desired username and password to me, and I will create it.

Personal Website: http://kintaro.noobify.com



Re: OpenBSD website Design.

2005-09-09 Thread Rick Pettit
On Fri, Sep 09, 2005 at 09:10:59PM -0500, Dave Feustel wrote:
> On Friday 09 September 2005 15:12, Alexander Hall wrote:
> > http://www.openbsd.org/cgi-bin/cvsweb/www/
> 
> Hmm. Interesting. I'm not quite sure yet just what this is,

You can learn more about it here:

  http://www.freebsd.org/projects/cvsweb.html#about

but in short the link to http://www.openbsd.org/cgi-bin/cvsweb/www/ above
references an HTTP interface for viewing the CVS repository where the OpenBSD
website files are kept.

-Rick

> but it looks useful and  I'm putting the link in my OpenBSD 
> link file and will spend some time examining it.
> 
> Thanks,
> Dave Feustel
> -- 
> Tired of having to defend against Malware?
> (You know: trojans, viruses, SPYWARE, ADWARE, 
> KEYLOGGERS, rootkits, worms and popups) 
> Then Switch to OpenBSD with a KDE desktop!!!



Re: adsl ppp tun questions and routing questions

2005-09-09 Thread Roger Neth Jr

Hello Stuart, I'll check those files.

On routed I cannot figure out how to get the 2nd nic to allow other 
computers to connect to the OpenBSD firewall.


Should be pretty simple but I can't figure it out. internet ext_if de1 
OpenBSD int_if de2


ppp -ddial -unit0 pppoe

I'll keep working on this over the weekend.

Thanks for your help,

rogern

John 3:16



From: Stuart Henderson <[EMAIL PROTECTED]>
To: Roger Neth Jr <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], misc@openbsd.org
Subject: Re: adsl ppp tun questions and routing questions
Date: Fri, 09 Sep 2005 09:54:31 +0100

--On 09 September 2005 10:38 +0200, Eric Dillenseger wrote:


You may want to check in /etc/ppp/ppp.link{up|down} or
/etc/rc.conf(.local). Do you start ppp in /etc/rc ? as I can see, it
starts before /etc/rc initializes the network and then another time


Maybe in rc.local and hostname.tun0.

--On 09 September 2005 00:07 -0700, Roger Neth Jr wrote:


I have routed in rc.conf as routed="-q" but don't understand how to
configure any further to have the internet shared with other
computers.


routed is for RIP. Unless you already know what that is, you probably don't 
need it.



I can't figure out how to set the gateway to show an inet address that
is static to use at a mygateway or option routers with dhcpd on a
different server.


For the setup you've shown, the gateway address to use on the other 
computers is 192.168.1.1. You also need to edit sysctl.conf if you haven't 
already.








Re: adsl ppp tun questions and routing questions

2005-09-09 Thread Roger Neth Jr
Hello Eric, I tried to figure out why it is starting in two places. I have 
placed in rc.conf.local

up de1
ppp -ddial -unit0 pppoe
as suggested by someone and I get the adsl to stay on tun0 but when booting 
it still shows twice.

I tried removing from ppp.conf
redial from Default:
and
dial from pppoe:
without any effect.
I checked my rc.conf file and cannot see a flag for ppp. I have pf=YES and 
routed="-q", inet=NO


I can connect to the internet from the firewall but the connected OpenBSD's 
are unable to connect through the OpenBSD firewall.


I did a tcpdump -i on de1 and when I ping 10.0.0.1 I see activity on the 
ext_if but the pinging computer shows no route to host.


Will keep digging into this over the weekend.

Thanks again for your help,

rogern

John 3:16



From: Eric Dillenseger <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: adsl ppp tun questions and routing questions
Date: Fri, 9 Sep 2005 10:38:08 +0200

On 9/9/05, Roger Neth Jr <[EMAIL PROTECTED]> wrote:
> Hello List,
>
>
>
> I don't know how to have ppp pppoe stay on one tun as it is switching
> between tun0 and tun1 on reboots.
>
(snip)
>

Hi Roger,

I'm wondering if you're not starting ppp in 2 places during startup,
as it looks like ppp starts once with tun0 and then it starts again
with tun1.

You may want to check in /etc/ppp/ppp.link{up|down} or 
/etc/rc.conf(.local).

Do you start ppp in /etc/rc ? as I can see, it starts before /etc/rc
initializes the network and then another time

>Working in ddial mode
>Using interface: tun0
>setting tty flags
>stray isa irq 3
>pf enabled
>net.inet.ip.forwarding: 0 -> 1
>vm.swapencrypt.enable: 1 -> 0
>starting network
>Working in ddial mode
>Using interface: tun1

Regards,
Eric Dillenseger







Re: RAID management support coming in OpenBSD 3.8

2005-09-09 Thread dick
>> how does openbsd's RAID support stack up to the other *BSDs?
>
>on a scale of 1 to 10, it's an awesome.
>
>-- 
>And that's why your software sucks.
>

just how awesome is it?

when i read theo's announcement i thought to myself "this is
missing something". your having mentioned how awesome it is
makes me suspect theo edited out something at the end. i was
totally expecting a ninja to flip out and kill someone on the
mailing list at the end of the announcement since it was so
extreme i almost crapped my pants.



Re: OpenBSD website Design.

2005-09-09 Thread Dave Feustel
On Friday 09 September 2005 15:12, Alexander Hall wrote:
> http://www.openbsd.org/cgi-bin/cvsweb/www/

Hmm. Interesting. I'm not quite sure yet just what this is,
but it looks useful and  I'm putting the link in my OpenBSD 
link file and will spend some time examining it.

Thanks,
Dave Feustel
-- 
Tired of having to defend against Malware?
(You know: trojans, viruses, SPYWARE, ADWARE, 
KEYLOGGERS, rootkits, worms and popups) 
Then Switch to OpenBSD with a KDE desktop!!!



Re: RAID management support coming in OpenBSD 3.8

2005-09-09 Thread Ted Unangst
On Sat, 10 Sep 2005, John Kintaro Tate wrote:

> how does openbsd's RAID support stack up to the other *BSDs?

on a scale of 1 to 10, it's an awesome.

-- 
And that's why your software sucks.



Re: Anything in need of research?

2005-09-09 Thread Ted Unangst
On Fri, 9 Sep 2005, Tim wrote:

> Is there anything related to OpenBSD that would be worth investigating or 
> researching? 

what are you interested in?

-- 
And that's why the brain is a differential or logical phenomenon
instead of a material phenomenon like a concrete block.



Re: RAID management support coming in OpenBSD 3.8

2005-09-09 Thread John Kintaro Tate
how does openbsd's RAID support stack up to the other *BSDs?

On 9/10/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> I thought it was time to give some details about the (minimal) RAID
> management stuff coming in OpenBSD 3.8.  Most of this code has been
> written by Marco Peereboom with some help from David Gwynne and
> Michael Shalayeff.  Moral support and direction from me and Bob Beck
> who has a pile of these AMI setups.
> 
> Here is a demonstration.  First, a piece of dmesg output, so that we can
> see which device is going to be handled:
> 
> ami0 at pci1 dev 8 function 0 "Symbios Logic MegaRAID" rev 0x01: apic 9 int 8 
> (irq 10) Dell 518/64b/lhc
> ami0: FW 350O, BIOS v1.09, 128MB RAM
> ami0: 2 channels, 0 FC loops, 2 logical drives
> scsibus2 at ami0: 40 targets
> sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct fixed
> sd0: 349400MB, 44542 cyl, 255 head, 63 sec, 512 bytes/sec, 715571200 sec total
> sd1 at scsibus2 targ 1 lun 0:  SCSI2 0/direct fixed
> sd1: 349400MB, 44542 cyl, 255 head, 63 sec, 512 bytes/sec, 715571200 sec total
> scsibus3 at ami0: 16 targets
> ses0 at scsibus3 targ 6 lun 0:  SCSI3 3/processor fixed
> scsibus4 at ami0: 16 targets
> ses1 at scsibus4 targ 6 lun 0:  SCSI3 3/processor fixed
> 
> OK, this is an AMI raid controller.  It has come up with 3 scsi
> busses; one for the virtual RAID volumes which there are two of, and
> two SCSI busses which match the real SCSI busses that are on the
> controller (to expose the SES or SAFTE enclosure management
> controllers, and so that we can talk pass-through to the real disks).
> 
> If we wish to probe further details, we use
> 
> # bioctl ami0
> Volume  Status     Size           Device
>  ami0 0 Online       366372454400 sd0     RAID5
>       0 Online        73403465728 0:0.0   ses0   JNZ6>
>       1 Online        73403465728 0:2.0   ses0   JNZ6>
>       2 Online        73403465728 0:4.0   ses0   JNZ6>
>       3 Online        73403465728 0:8.0   ses0   JNZ6>
>       4 Online        73403465728 1:10.0  ses1   JNZ6>
>       5 Online        73403465728 1:12.0  ses1   JNZ6>
>  ami0 1 Online       366372454400 sd1     RAID5
>       0 Online        73403465728 0:1.0   ses0   JNZ6>
>       1 Online        73403465728 0:3.0   ses0   JNZ6>
>       2 Online        73403465728 0:5.0   ses0   JNZ6>
>       3 Online        73403465728 1:9.0   ses1   JNZ6>
>       4 Online        73403465728 1:11.0  ses1   JNZ6>
>       5 Online        73403465728 1:13.0  ses1   JNZ6>
>  ami0 2 Unused        73403465728 1:14.0  ses1   JNZ6>
>  ami0 3 Hot spare     73403465728 1:15.0  ses1   JNZ6>
> 
> Here we can see which physical drives are on the controller, and how
> they are configured into volumes.  Two volumes have been created, both
> of which are rather large.  The drives are on two scsi busses, for
> instance, 1:12.0 means SCSI bus 1, scsi target 12, lun 0.  With
> additional options to bioctl(4), we could find out some more (mostly
> irrelevant) information.
> 
> There are also two additional devices which we know about: one is
> unused (ie. not registered with the AMI firmware at the moment), and
> one is a Hot Spare.
> 
> Let's cause some havoc.  First, I want to pick a drive that I am going
> to unplug, to mimic a failure.  Let's see... 1:9.0 looks good to me.
> 
> # bioctl -b 1.9 ami0
> 
> When I look at the array, one of the drives is now blinking.  I made
> it blink just because I prefer to pull drives out of my sd1
> filesystems rather than the sd0 filesystems.  And otherwise I wouldn't
> be able to show off the blink support.  Anyways, I pull that
> particular drive.
> 
> Immediately some churning starts, and if I re-run bioctl I can see what
> has happened:
> 
> # bioctl ami0
> Volume  Status     Size           Device
>  ami0 0 Online       366372454400 sd0     RAID5
>       0 Online        73403465728 0:0.0   ses0   JNZ6>
>       1 Online        73403465728 0:2.0   ses0   JNZ6>
>       2 Online        73403465728 0:4.0   ses0   JNZ6>
>       3 Online        73403465728 0:8.0   ses0   JNZ6>
>       4 Online        73403465728 1:10.0  ses1   JNZ6>
>       5 Online        73403465728 1:12.0  ses1   JNZ6>
>  ami0 1 Degraded     366372454400 sd1     RAID5
>       0 Online        73403465728 0:1.0   ses0   JNZ6>
>       1 Online        73403465728 0:3.0   ses0   JNZ6>
>       2 Online        73403465728 0:5.0   ses0   JNZ6>
>       3 Rebuild       73403465728 1:15.0  ses1   JNZ6>
>       4 Online        73403465728 1:11.0  ses1   JNZ6>
>       5 Online        73403465728 1:13.0  ses1   JNZ6>
>  ami0 2 Unused        73403465728 1:14.0  ses1   JNZ6>
> 
> Drive 1:15 automatically became a part of the "sd1" volume, and is
> currently rebuilding.  If I access a filesystem on sd1, I will notice
> that it is a little bit slower.
> 
> Of course the RAID array is beeping so loudly I think my ears are going to
> burst, so I must shut it up:
> 
> # bioctl -a quiet ami0
> 
> When I reinsert the drive that I previously unplugged, I see:
> 

3.8 only sees 16MB on Proliant 800, 3.7 saw 256MB

2005-09-09 Thread Jason Haag
Just an FYI for some Compaq users out there who might run into this:

3.8 (GENERIC.MP, self-compiled from sources a few days or couple of
weeks back) sees only 16MB RAM on a Proliant 800 that I am using (Dual
Pentium Pro 200, 256MB, dmesg below).

3.7-stable saw all of the physically installed (and BIOS recognized)
256MB without changes.

Remedy is well documented in FAQ (4.12.1).

-Jason

# dmesg
OpenBSD 3.8 (GENERIC.MP) #6: Wed Sep  7 01:08:02 EDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199
MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
real mem  = 268017664 (261736K)
avail mem = 237621248 (232052K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @
0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371SB ISA" rev
0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xe8000/0x6000 0xee000/0x2000!
mainbus0: Intel MP Specification (Version 1.4) (COMPAQ   PROLIANT)
cpu0 at mainbus0: apid 1 (boot processor)
cpu0: apic clock running at 66 MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199
MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 9 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apic 2
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
ppb0 at pci0 dev 8 function 0 "IBM 82351 PCI-PCI" rev 0x01
pci1 at ppb0 bus 1
siop0 at pci1 dev 4 function 0 "Symbios Logic 53c875" rev 0x04: apic 2
int 5 (irq 5), using 4K of on-board RAM
scsibus0 at siop0: 16 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct
fixed
sd0: 4339MB, 6576 cyl, 8 head, 168 sec, 512 bytes/sec, 8887200 sec total
sis0 at pci1 dev 8 function 0 "NS DP83815 10/100" rev 0x00: DP83815C,
apic 2 int 5 (irq 5), address 00:02:e3:03:7e:f2
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
vga1 at pci1 dev 9 function 0 "Cirrus Logic CL-GD5430" rev 0x47
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
tl0 at pci0 dev 16 function 0 "Compaq Integrated NetFlex 3/P" rev 0x10:
apic 2 int 9 (irq 9) address 00:80:5f:ef:e2:d0
ukphy0 at tl0 phy 31: Generic IEEE 802.3u media interface
ukphy0: OUI 0x100014, model 0x0001, rev. 5
pcib0 at pci0 dev 20 function 0 "Intel 82371SB ISA" rev 0x01
pciide0 at pci0 dev 20 function 1 "Intel 82371SB IDE" rev 0x00: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  SCSI0 5/cdrom
removable
cd0(pciide0:0:0): using PIO mode 0, DMA mode 1
pciide0: channel 1 ignored (disabled)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt2 at isa0 port 0x3bc/4: polled
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 0 netmask 0 ttymask 0
ioapic0: pin 5 shares different IPL interrupts (40..50), degraded
performance
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
siop0: target 0 now using tagged 16 bit 20.0 MHz 15 REQ/ACK offset xfers
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02

# cat /etc/boot.conf
machine mem [EMAIL PROTECTED]
#



lockups, crashes on a Compaq Presario 5304

2005-09-09 Thread OpenBSD
I installed OpenBSD 3.7 on a Compaq Presario 5304.  That is an old
(about 7 years old I believe) PC.  The dmesg is appended to this
email.

I noticed two rather strange problems during the installation and the
post-installation.

During the installation, at the disklabeling step, I entered "a a" to
add the root partition.  The computer just froze.  I had to turn it
off.  I redid the exact same steps and on the second time it just
worked.  Strange.

BTW, I believe this machine is reliable.  It has been running Windows
2000 day and night for more than a year without a crash.  I understand
that shit can happen though.  Maybe the RAM went kaput or.

The other problem I encountered was while I tried to set up my laser
printer.  To check if OpenBSD was able to talk to the printer, I
typed "lptest > /dev/lpt0".  On the first try, the computer just
rebooted.  On the second, it froze. (lptd was enabled in
rc.conf.local)

Any idea?

Thanks,
Pascal

p.s.: sorry about the possible bad English.  It ain't my native
tongue.

p.p.s.: I read the afterboot(8), the whole FAQ, the FreeBSD Handbook
printer section and a whole lot of pages found through Google.  It
seems I am one of a kind (well, the PC is..) :)



the dmesg output:

OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Cyrix 6x86MX ("CyrixInstead" 686-class) 250 MHz
cpu0: FPU,DE,TSC,MSR,CX8,PGE,CMOV,MMX,TM2,CNXT-ID
real mem  = 62431232 (60968K)
avail mem = 49500160 (48340K)
using 787 buffers containing 3223552 bytes (3148K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7b) BIOS, date 05/08/99, BIOS32 rev. 0 @
0xfb470
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xb90c
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 3 5 10 11
pcibios0: PCI Interrupt Router at 000:01:0 ("SIS 85C503 System" rev
0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "SIS 530 PCI" rev 0x02
pciide0 at pci0 dev 0 function 1 "SIS 5513 EIDE" rev 0xd0: 530: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 4112MB, 8421840 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
pcib0 at pci0 dev 1 function 0 "SIS 85C503 System" rev 0xb1
"SIS 5595 System" rev 0x00 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 1 function 2 "SIS 5597/5598 USB" rev 0x11: irq 3, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: SIS OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ppb0 at pci0 dev 2 function 0 "SIS 86C201 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "SIS 530 VGA" rev 0xa2: aperture at 0xe500, size 0x40
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 11 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:50:ba:8c:dc:42
rlphy0 at rl0 phy 0: RTL internal phy
vr0 at pci0 dev 13 function 0 "VIA Rhine/RhineII" rev 0x06: irq 10 address 00:50:ba:e7:fa:ba
amphy0 at vr0 phy 8: Am79C873 10/100 PHY, rev. 0
eso0 at pci0 dev 15 function 0 "ESS SOLO-1 AudioDrive" rev 0x01: ES1946,
irq 5
audio0 at eso0
opl0 at eso0: model OPL3
midi0 at opl0: 
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using
wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: 
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: LM78
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
eso0: mapping Audio 1 DMA using I/O space at 0x410
biomask e34d netmask ef4d ttymask ffcf
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x3

Re: max-mss/max-ttl question

2005-09-09 Thread jared r r spiegel
On Fri, Sep 09, 2005 at 03:18:24PM +0200, Stephan A. Rickauer wrote:
> That's probably a quick one:
> 
>   mtu - IPheader - TCPheader = max-mss?
> 
> E.g. for ethernet:
> 
>   1500 - 20 - 20 = 1460?

  

  i use the max-mss like this:

scrub on $t all fragment reassemble reassemble tcp no-df random-id max-mss 1200

  as $t is used on this machine for VPN to work, which is a cisco 
  concentrator(that might not matter).  some things between me and it 
  choke royally if the mss the endpoints agree on is greater than 
  something between 1200-1300 ( segments greater than that never arrive 
  at the other destination ).

  smells like something at the remote end is setting DF, and then it goes
  through a hop who wants to fragment it but honours the DF.

  me cinching down my mss is the only way i've been able to make everything
  work consistently.

> Thanks! BTW: What's a good value for max-ttl? I do understand what it 
> does but I don't see the reason behind it ...

  you could set max-ttl to a very high number if you'd like traceroutes
  to become very unuseful :P

  i'm not certain of a good reason to restrict max-ttl to a lower-than-typical
  number other than enforcing a local policy where for one reason or another,
  it is the case that you have a machine who should never be talking to 
  machines more than X hops away..  i've thought about it for trivia's sake, 
  but haven't been exposed to a scenario where it was a factor in a solution
  ( tho am interested in examples ).

  jared

- 

[ openbsd 3.7 GENERIC ( sep 1 ) // i386 ]
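
The failure mode described in this reply, as an added Python model that is not part of the original post: a full-sized segment with DF set reaches a hop that would have to fragment it, and the model shows why clamping the MSS is what makes the traffic arrive. The 1300-byte hop MTU and the three-hop path are constructed values; the thread only says the limit lies somewhere between an MSS of 1200 and 1300.

```python
"""Model of a path-MTU black hole and the effect of an MSS clamp."""

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options


def mss_for_mtu(mtu):
    """The formula from the question: MTU - IP header - TCP header."""
    return mtu - IP_HDR - TCP_HDR


def negotiated_mss(mtu_a, mtu_b, max_mss=None):
    """Effective MSS for a connection between two hosts.

    Each end advertises an MSS derived from its own interface MTU in its SYN.
    A max-mss clamp on the path lowers any larger advertised value, so it
    limits the segments sent in both directions.
    """
    advertised = [mss_for_mtu(mtu_a), mss_for_mtu(mtu_b)]
    if max_mss is not None:
        advertised = [min(value, max_mss) for value in advertised]
    return min(advertised)


def send_segment(mss, hop_mtus, df=True):
    """Carry one full-sized segment across the path.

    Returns (outcome, hop_index) where outcome is "delivered", "fragmented"
    (index of the first hop that fragmented) or "dropped" (index of the hop
    that refused to fragment because DF was set).
    """
    packet = mss + IP_HDR + TCP_HDR
    first_fragmenting_hop = None
    for hop, mtu in enumerate(hop_mtus):
        if packet <= mtu:
            continue
        if df:
            # The hop honours DF. If the ICMP "fragmentation needed" reply
            # never reaches the sender, the segment silently disappears.
            return ("dropped", hop)
        if first_fragmenting_hop is None:
            first_fragmenting_hop = hop
        # Fragment payloads are multiples of 8 bytes; follow the largest one.
        packet = IP_HDR + ((mtu - IP_HDR) // 8) * 8
    if first_fragmenting_hop is not None:
        return ("fragmented", first_fragmenting_hop)
    return ("delivered", None)


def largest_safe_mss(hop_mtus):
    """Largest MSS that crosses every hop without fragmentation."""
    return mss_for_mtu(min(hop_mtus))


# Constructed path: Ethernet at both ends, one tunnel hop with a smaller MTU.
PATH = [1500, 1300, 1500]

if __name__ == "__main__":
    for clamp in (None, 1200):
        mss = negotiated_mss(1500, 1500, max_mss=clamp)
        print(f"max-mss={clamp}: mss={mss}, DF set -> {send_segment(mss, PATH)}")
    print("DF cleared:", send_segment(1460, PATH, df=False))
    print("largest unfragmented MSS on this path:", largest_safe_mss(PATH))
```
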



Re: RAID management support coming in OpenBSD 3.8

2005-09-09 Thread Wijnand Wiersma
Theo, 

this is cool stuff!
Very elegant solution. In Linux you have to hope your vendor has some
kind of management tool, and if there is one, you have to hope it
works.

I hope more devices will be supported soon.

Wijnand



Re: Anything in need of research?

2005-09-09 Thread Navan Carson

Martin Schröder wrote:

On 2005-09-09 17:39:37 +0200, Tim wrote:
Is there anything related to OpenBSD that would be worth investigating or researching? 

Yes: Is there anything related to OpenBSD that would be worth investigating or 
researching? :-)


How about http://openbsd.org/query-pr.html



RAID management support coming in OpenBSD 3.8

2005-09-09 Thread Theo de Raadt
I thought it was time to give some details about the (minimal) RAID
management stuff coming in OpenBSD 3.8.  Most of this code has been
written by Marco Peereboom with some help from David Gwynne and
Michael Shalayeff.  Moral support and direction from me and Bob Beck
who has a pile of these AMI setups.

Here is a demonstration.  First, a piece of dmesg output, so that we can
see which device is going to be handled:

ami0 at pci1 dev 8 function 0 "Symbios Logic MegaRAID" rev 0x01: apic 9 int 8 
(irq 10) Dell 518/64b/lhc
ami0: FW 350O, BIOS v1.09, 128MB RAM
ami0: 2 channels, 0 FC loops, 2 logical drives
scsibus2 at ami0: 40 targets
sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 349400MB, 44542 cyl, 255 head, 63 sec, 512 bytes/sec, 715571200 sec total
sd1 at scsibus2 targ 1 lun 0:  SCSI2 0/direct fixed
sd1: 349400MB, 44542 cyl, 255 head, 63 sec, 512 bytes/sec, 715571200 sec total
scsibus3 at ami0: 16 targets
ses0 at scsibus3 targ 6 lun 0:  SCSI3 3/processor fixed
scsibus4 at ami0: 16 targets
ses1 at scsibus4 targ 6 lun 0:  SCSI3 3/processor fixed

OK, this is an AMI raid controller.  It has come up with 3 scsi
busses; one for the virtual RAID volumes which there are two of, and
two SCSI busses which match the real SCSI busses that are on the
controller (to expose the SES or SAFTE enclosure management
controllers, and so that we can talk pass-through to the real disks).

If we wish to probe further details, we use

# bioctl ami0
Volume  Status     Size           Device
 ami0 0 Online       366372454400 sd0     RAID5
      0 Online        73403465728 0:0.0   ses0
      1 Online        73403465728 0:2.0   ses0
      2 Online        73403465728 0:4.0   ses0
      3 Online        73403465728 0:8.0   ses0
      4 Online        73403465728 1:10.0  ses1
      5 Online        73403465728 1:12.0  ses1
 ami0 1 Online       366372454400 sd1     RAID5
      0 Online        73403465728 0:1.0   ses0
      1 Online        73403465728 0:3.0   ses0
      2 Online        73403465728 0:5.0   ses0
      3 Online        73403465728 1:9.0   ses1
      4 Online        73403465728 1:11.0  ses1
      5 Online        73403465728 1:13.0  ses1
 ami0 2 Unused        73403465728 1:14.0  ses1
 ami0 3 Hot spare     73403465728 1:15.0  ses1

Here we can see which physical drives are on the controller, and how
they are configured into volumes.  Two volumes have been created, both
of which are rather large.  The drives are on two scsi busses, for
instance, 1:12.0 means SCSI bus 1, scsi target 12, lun 0.  With
additional options to bioctl(4), we could find out some more (mostly
irrelevant) information.

There are also two additional devices which we know about: one is
unused (ie. not registered with the AMI firmware at the moment), and
one is a Hot Spare.

Let's cause some havoc.  First, I want to pick a drive that I am going
to unplug, to mimic a failure.  Let's see... 1:9.0 looks good to me.

# bioctl -b 1.9 ami0

When I look at the array, one of the drives is now blinking.  I made
it blink just because I prefer to pull drives out of my sd1
filesystems rather than the sd0 filesystems.  And otherwise I wouldn't
be able to show off the blink support.  Anyways, I pull that
particular drive.

Immediately some churning starts, and if I re-run bioctl I can see what
has happened:

# bioctl ami0
Volume  Status     Size           Device
 ami0 0 Online       366372454400 sd0     RAID5
      0 Online        73403465728 0:0.0   ses0
      1 Online        73403465728 0:2.0   ses0
      2 Online        73403465728 0:4.0   ses0
      3 Online        73403465728 0:8.0   ses0
      4 Online        73403465728 1:10.0  ses1
      5 Online        73403465728 1:12.0  ses1
 ami0 1 Degraded     366372454400 sd1     RAID5
      0 Online        73403465728 0:1.0   ses0
      1 Online        73403465728 0:3.0   ses0
      2 Online        73403465728 0:5.0   ses0
      3 Rebuild       73403465728 1:15.0  ses1
      4 Online        73403465728 1:11.0  ses1
      5 Online        73403465728 1:13.0  ses1
 ami0 2 Unused        73403465728 1:14.0  ses1

Drive 1:15 automatically became a part of the "sd1" volume, and is
currently rebuilding.  If I access a filesystem on sd1, I will notice
that it is a little bit slower.

Of course the RAID array is beeping so loudly I think my ears are going to
burst, so I must shut it up:

# bioctl -a quiet ami0

When I reinsert the drive that I previously unplugged, I see:

# bioctl ami0 
Volume  Status     Size           Device
 ami0 0 Online       366372454400 sd0     RAID5
      0 Online        73403465728 0:0.0   ses0
      1 Online        73403465728 0:2.0   ses0
      2 Online        73403465728 0:4.0   ses0
      3 Online        73403465728 0:8.0   ses0
      4 Online        73403465728 1:10.0  ses1
      5 Online        73403465728 1:12.0  ses1
 ami0 1 Degraded     366372454400 sd1     RAID5
  0 Online7340

Re: OpenBSD website Design.

2005-09-09 Thread Alexander Hall

Dave Feustel wrote:

I have not seen a sitemap for openbsd.org.
Is there one? If not, how hard would it be to
create one and add a link to the website for it?


What about http://www.openbsd.org/cgi-bin/cvsweb/www/ ? :-)



Re: OpenBSD website Design.

2005-09-09 Thread Dave Feustel
I have not seen a sitemap for openbsd.org.
Is there one? If not, how hard would it be to
create one and add a link to the website for it?

Thanks,
Dave Feustel



Re: Anything in need of research?

2005-09-09 Thread Martin Schröder
On 2005-09-09 17:39:37 +0200, Tim wrote:
> Is there anything related to OpenBSD that would be worth investigating or 
> researching? 

Yes: Is there anything related to OpenBSD that would be worth investigating or 
researching? :-)

SCNR
Martin
-- 
http://www.tm.oneiros.de



Re: the joys of spamd

2005-09-09 Thread Ramon Reyes C
On Fri, 9 Sep 2005, Chad M Stewart wrote:

> On Sep 9, 2005, at 1:05 PM, Hans van Leeuwen wrote:
>
>
> <..snip..>
>
>> My all-time record is 3726 seconds.
>> That's not chuckling, that's rolling on the floor laughing out loud :-)
>> 
>
> I had to check my logs and I found
>
[...]
> 19511 seconds.

My record: 13 "simultaneous" of 71++K seconds!
Mar 30 09:38:50 discada spamd[5067]: 65.77.106.34: connected (8/8), lists: mylot
Mar 30 09:46:19 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 09:56:06 discada spamd[5067]: 65.77.106.34: connected (14/14), lists: mylot
Mar 30 10:03:32 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 10:26:46 discada spamd[5067]: 65.77.106.34: connected (21/21), lists: mylot
Mar 30 10:34:16 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 11:10:44 discada spamd[5067]: 65.77.106.34: connected (24/23), lists: mylot
Mar 30 11:18:07 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 12:12:09 discada spamd[5067]: 65.77.106.34: connected (29/28), lists: mylot
Mar 30 12:19:35 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 13:22:37 discada spamd[5067]: 65.77.106.34: connected (38/35), lists: mylot
Mar 30 13:29:59 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 14:47:21 discada spamd[5067]: 65.77.106.34: connected (42/42), lists: mylot
Mar 30 14:54:47 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 16:25:17 discada spamd[5067]: 65.77.106.34: connected (44/43), lists: mylot
Mar 30 16:32:41 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 18:16:51 discada spamd[5067]: 65.77.106.34: connected (51/51), lists: mylot
Mar 30 18:24:13 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 20:21:18 discada spamd[5067]: 65.77.106.34: connected (57/53), lists: mylot
Mar 30 20:28:42 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 30 22:39:17 discada spamd[5067]: 65.77.106.34: connected (56/55), lists: mylot
Mar 30 22:46:41 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 31 01:10:37 discada spamd[5067]: 65.77.106.34: connected (48/48), lists: mylot
Mar 31 01:18:01 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 31 03:55:17 discada spamd[5067]: 65.77.106.34: connected (44/44), lists: mylot
Mar 31 04:02:40 discada spamd[5067]: (BLACK) 65.77.106.34: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Mar 31 05:36:31 discada spamd[5067]: 65.77.106.34: disconnected after 71861 seconds. lists: mylot
Mar 31 05:53:36 discada spamd[5067]: 65.77.106.34: disconnected after 71850 seconds. lists: mylot
Mar 31 06:23:54 discada spamd[5067]: 65.77.106.34: disconnected after 71828 seconds. lists: mylot
Mar 31 07:09:31 discada spamd[5067]: 65.77.106.34: disconnected after 71927 seconds. lists: mylot
Mar 31 08:07:44 discada spamd[5067]: 65.77.106.34: disconnected after 71735 seconds. lists: mylot
Mar 31 09:17:44 discada spamd[5067]: 65.77.106.34: disconnected after 71707 seconds. lists: mylot
Mar 31 10:42:29 discada spamd[5067]: 65.77.106.34: disconnected after 71708 seconds. lists: mylot
Mar 31 12:20:25 discada spamd[5067]: 65.77.106.34: disconnected after 71708 seconds. lists: mylot
Mar 31 14:12:39 discada spamd[5067]: 65.77.106.34: disconnected after 71748 seconds. lists: mylot
Mar 31 16:17:57 discada spamd[5067]: 65.77.106.34: disconnected after 71799 seconds. lists: mylot
Mar 31 18:38:29 discada spamd[5067]: 65.77.106.34: disconnected after 71952 seconds. lists: mylot
Mar 31 21:08:06 discada spamd[5067]: 65.77.106.34: disconnected after 71849 seconds. lists: mylot
Mar 31 23:53:03 discada spamd[5067]: 65.77.106.34: disconnected after 71866 seconds. lists: mylot




Re: OpenBSD website Design.

2005-09-09 Thread Siju George
On 9/8/05, Nick Holland <[EMAIL PROTECTED]> wrote:
> Siju George wrote:
> > Hi,
> >
> > One of my friends sent me this new OpenBSD website design he created.
> > Please have a look at it :-D
> >
> > http://mayuresh.freeshell.org/openbsd/
> >
> > Thank you so much
> >
> > Kind Regards
> >
> > Siju
> 
> Changing the basic website look isn't something we are going to do
> lightly.  Unfortunately, there are an almost unlimited number of ways to
> present the content on the front page, and while a lot of those are
> clearly "bad", that still leaves a lot of very usable, and even very
> good options.
> 
> If we switch from one usable solution to another, we'll end up with
> dozens of people sending us competing solutions to what really isn't a
> problem at this point.
> 
> Someday, perhaps, Theo will say, "I'm tired of this look, I want to do
> THIS", and boom, things will change, but until then (and after then!),
> I'd suggest working on the content, rather than the layout.
> 
> That's not to say the suggested layout was bad in any way (in fact, I
> rather like it), but I don't think it solves any problem, and some of us
> are attached to the current layout. :)
> 

I understand Nick :-)

good luck!

kind regards

Siju



Re: the joys of spamd

2005-09-09 Thread Chad M Stewart

On Sep 9, 2005, at 1:05 PM, Hans van Leeuwen wrote:


<..snip..>


My all-time record is 3726 seconds.
That's not chuckling, that's rolling on the floor laughing out  
loud :-)




I had to check my logs and I found

# grep 81.71.83.132 daemon*
daemon.62:Jul  8 11:13:21 zeus spamd[13726]: 81.71.83.132: connected  
(7/5)
daemon.62:Jul  8 11:13:22 zeus spamd[13726]: (GREY) 81.71.83.132:  
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
daemon.62:Jul  8 11:13:22 zeus spamd[13726]: 81.71.83.132:  
disconnected after 1 seconds.
daemon.68:Jul  2 11:33:57 zeus spamd[13726]: 81.71.83.132: connected  
(1/0)
daemon.68:Jul  2 16:59:08 zeus spamd[13726]: 81.71.83.132:  
disconnected after 19511 seconds.



Wow, too funny.  I had another one that was 18K+ seconds.


-Chad



Re: the joys of spamd

2005-09-09 Thread Hans van Leeuwen
Kevin wrote:

>Sep  8 11:47:11 mail spamd[19133]: 61.159.253.63: disconnected after
>408 seconds. lists: china
>Sep  8 12:10:16 mail spamd[19133]: 211.193.204.4: disconnected after
>77 seconds. lists: korea
>Sep  8 14:22:23 mail spamd[2121]: 61.100.12.105: disconnected after 54
>seconds. lists: korea
>
>What can you do but chuckle?
>  
>
Just from yesterday's log:

Sep  8 06:59:22 fortress-maximus spamd[22851]: 218.25.172.18:
disconnected after 1000 seconds. lists: china

My all-time record is 3726 seconds.
That's not chuckling, that's rolling on the floor laughing out loud :-)

For more entertainment see http://hanz.nl/p/spamd


Hans
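
The "disconnected after N seconds" lines traded in this thread can be tallied mechanically. The following is an added example, not code from any poster or from spamd itself: it re-joins syslog lines that a mail client wrapped, strips a grep "file:" prefix, and ranks addresses by their longest tarpit session. The sample lines are copied from the posts above; the function names are hypothetical, and it assumes list names after "lists:" are space-separated.

```python
import re
from collections import defaultdict

# Sample lines copied from the posts in this thread: two wrapped by a mail
# client at different points, and three carrying a grep "file:" prefix.
SAMPLE = """\
Sep  8 11:47:11 mail spamd[19133]: 61.159.253.63: disconnected after
408 seconds. lists: china
Sep  8 12:10:16 mail spamd[19133]: 211.193.204.4: disconnected after
77 seconds. lists: korea
Sep  8 06:59:22 fortress-maximus spamd[22851]: 218.25.172.18:
disconnected after 1000 seconds. lists: china
daemon.62:Jul  8 11:13:21 zeus spamd[13726]: 81.71.83.132: connected (7/5)
daemon.62:Jul  8 11:13:22 zeus spamd[13726]: 81.71.83.132: disconnected after 1 seconds.
daemon.68:Jul  2 16:59:08 zeus spamd[13726]: 81.71.83.132: disconnected after 19511 seconds.
"""

# A record starts with an optional "file:" prefix and a syslog timestamp.
RECORD_START = re.compile(r"^(?:[^\s:]+:)?[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
DISCONNECT = re.compile(
    r"spamd\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"disconnected after (?P<secs>\d+) seconds\.(?: lists: (?P<lists>.+))?$"
)


def unwrap(text):
    """Re-join wrapped lines: anything without a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def tarpit_stats(text):
    """Return {ip: {"sessions": n, "total": secs, "longest": secs, "lists": set}}."""
    stats = defaultdict(lambda: {"sessions": 0, "total": 0, "longest": 0, "lists": set()})
    for rec in unwrap(text):
        m = DISCONNECT.search(rec)
        if not m:
            continue  # connect lines, (GREY)/(BLACK) envelope lines, other daemons
        entry = stats[m["ip"]]
        secs = int(m["secs"])
        entry["sessions"] += 1
        entry["total"] += secs
        entry["longest"] = max(entry["longest"], secs)
        if m["lists"]:
            # Assumption: several list names are separated by spaces.
            entry["lists"].update(m["lists"].split())
    return dict(stats)


def ranking(text):
    """(longest_session_seconds, ip) pairs, longest first."""
    return sorted(((v["longest"], ip) for ip, v in tarpit_stats(text).items()), reverse=True)


if __name__ == "__main__":
    for longest, ip in ranking(SAMPLE):
        s = tarpit_stats(SAMPLE)[ip]
        lists = ",".join(sorted(s["lists"])) or "-"
        print(f"{ip:15}  sessions={s['sessions']}  total={s['total']}s  longest={longest}s  lists={lists}")
```
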



Anything in need of research?

2005-09-09 Thread Tim
Is there anything related to OpenBSD that would be worth investigating or 
researching? 



Re: Volume based internet restrictions

2005-09-09 Thread Scott Francis
On 9/5/05, Fletch <[EMAIL PROTECTED]> wrote:
> Greets
> 
> I am setting up an openbsd router to manage a company's internet access,
> and would like to  deploy volume based internet usage.  I have setup
> squid, but it doesn't seem to have any options to limit a user by volume
> of traffic, only bandwidth.
> 
> Is there any solution to do this?  I pretty much want to limit volume to
> maybe 50mb a day per user and have it refresh each day.  I don't care what
> they look at or how fast they get it, only that it's no more than 50mb
> per day.

don't know if anybody has replied to you privately or not, but you
probably want to take a look at the pf(4) man page, specifically the
bits about queueing. I'm sure you can probably get pf(4) to do what
you want with a little time, thought and testing.
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key



max-mss/max-ttl question

2005-09-09 Thread Stephan A. Rickauer

That's probably a quick one:

  mtu - IPheader - TCPheader = max-mss?

E.g. for ethernet:

  1500 - 20 - 20 = 1460?


Thanks! BTW: What's a good value for max-ttl? I do understand what it 
does but I don't see the reason behind it ...


--

 Stephan A. Rickauer

 
 Institut für Neuroinformatik
 Universität / ETH Zürich
 Winterthurerstrasse 190
 CH-8057 Zürich

 Tel: +41 44 635 30 50
 Sek: +41 44 635 30 52
 Fax: +41 44 635 30 53

 http://www.ini.ethz.ch
 



Re: nsswitch and/or hesiod support

2005-09-09 Thread Antoine Jacoutot

Damien Miller wrote:

As in unauthenticated distribution of private account data via DNS?
I strongly doubt it.


Well, that's what NIS does (unauthenticated distribution of private 
account), right ?
And if you use kerberos for storing passwords, it does not look like 
such an issue... or am I wrong ? Besides, it is much easier to filter 
DNS traffic than NIS...


Regards,

Antoine



Re: nsswitch and/or hesiod support

2005-09-09 Thread Damien Miller

Antoine Jacoutot wrote:


And what about hesiod ? Was it ever considered to be included ?


As in unauthenticated distribution of private account data via DNS?
I strongly doubt it.

-d



undeadly.org - too many blackouts

2005-09-09 Thread Miroslav Kubik
Hello

This is a little bit offtopic but, I like website OpenBSD Journal, and 
recently the site had many troubles. For this month I have not seen one week 
without "blackout". For now the site is unreachable again. Maybe it would be 
great to have other webhosting for it.

MK 



Re: nsswitch and/or hesiod support

2005-09-09 Thread Antoine Jacoutot

Damien Miller wrote:

Lots of us would like something like nsswitch, but none of us want an
implementation that uses shared libraries to do it. It should be
fairly easy to delegate getpw* and getgr* via a local unix domain
socket (which works nicely for chroot apps too), but there are some
subtleties especially around fallback behaviour.

To my knowledge, one person (Eric Alata, search the misc@ and tech@
archives) has looked at this and has started by writing a better LDAP
client API than openldap's, but IIRC he is tied up completing his
thesis.


And what about hesiod ? Was it ever considered to be included ?

Regards,

Antoine



Re: adsl ppp tun questions and routing questions

2005-09-09 Thread David Gwynne

On 09/09/2005, at 5:07 PM, Roger Neth Jr wrote:


Hello List,

I don't know how to have ppp pppoe stay on one tun as it is switching
between tun0 and tun1 on reboots.
andrew# page rc.conf.local



 config de1 up

 ppp -ddial pppoe


you want to use the -unit argument to ppp to bind it to a particular  
tun device. eg


ppp -ddial -unit0 pppoe

that will cause it to always use tun0.

also, i recommend you use rc.local to start up local programs, not  
rc.conf.local. or you could do what i do to bring ppp up on boot  
(hme0 is the device with the adsl modem on it):


$ cat /etc/hostname.hme0
up
$ cat /etc/hostname.tun0
!/usr/sbin/ppp -ddial -unit0 pppoe



Re: nsswitch and/or hesiod support

2005-09-09 Thread Damien Miller

Lukasz Sztachanski wrote:

On Sat, Sep 03, 2005 at 10:11:51PM +0200, Antoine Jacoutot wrote:


Hi...

Some months ago, a patch to import nsswitch into OpenBSD was posted on tech@:

http://marc.theaimsgroup.com/?l=openbsd-tech&m=110098242313143&w=2

I was wondering if there was any ongoing work on nsswitch or equivalent.
If not, is there a way to have hesiod support on OpenBSD ?



I've been silently looking for any reply :> Lack of nsswitch is the 
most annoying thing in OpenBSD for me. Anyway, in next few weeks I'll 
have to play with nsswitch (especially for distributing 1k accounts via 
ldap); probably I'll try to import this patch to 3_7 or 3_8.


Lots of us would like something like nsswitch, but none of us want an
implementation that uses shared libraries to do it. It should be
fairly easy to delegate getpw* and getgr* via a local unix domain
socket (which works nicely for chroot apps too), but there are some
subtleties especially around fallback behaviour.

To my knowledge, one person (Eric Alata, search the misc@ and tech@
archives) has looked at this and has started by writing a better LDAP
client API than openldap's, but IIRC he is tied up completing his
thesis.

If you want to pick this up, consider contacting him (he is in the Cc
list) and reporting your progress to tech@

-d



Re: adsl ppp tun questions and routing questions

2005-09-09 Thread Stuart Henderson

--On 09 September 2005 10:38 +0200, Eric Dillenseger wrote:


You may want to check in /etc/ppp/ppp.link{up|down} or
/etc/rc.conf(.local). Do you start ppp in /etc/rc ? as I can see, it
starts before /etc/rc initializes the network and then another time


Maybe in rc.local and hostname.tun0.

--On 09 September 2005 00:07 -0700, Roger Neth Jr wrote:


I have routed in rc.conf as routed="-q" but don't understand how to
configure any further to have the internet shared with other
computers.


routed is for RIP. Unless you already know what that is, you probably 
don't need it.



I can't figure out how to set the gateway to show an inet address that
is static to use at a mygateway or option routers with dhcpd on a
different server.


For the setup you've shown, the gateway address to use on the other 
computers is 192.168.1.1. You also need edit sysctl.conf if you haven't 
already.




Re: adsl ppp tun questions and routing questions

2005-09-09 Thread Eric Dillenseger
On 9/9/05, Roger Neth Jr <[EMAIL PROTECTED]> wrote:
> Hello List,
> 
> 
> 
> I don't know how to have ppp pppoe stay on one tun as it is switching
> between tun0 and tun1 on reboots.
> 
(snip)
> 

Hi Roger,

I'm wondering if you're not starting ppp in 2 places during startup
as, it looks like ppp starts once with tun0 and then it starts again
with tun1.

You may want to check in /etc/ppp/ppp.link{up|down} or /etc/rc.conf(.local).
Do you start ppp in /etc/rc ? as I can see, it starts before /etc/rc
initializes the network and then another time

>Working in ddial mode
>Using interface: tun0
>setting tty flags
>stray isa irq 3
>pf enabled
>net.inet.ip.forwarding: 0 -> 1
>vm.swapencrypt.enable: 1 -> 0
>starting network
>Working in ddial mode
>Using interface: tun1

Regards,
Eric Dillenseger



Re: nsswitch and/or hesiod support

2005-09-09 Thread Lukasz Sztachanski
On Sat, Sep 03, 2005 at 10:11:51PM +0200, Antoine Jacoutot wrote:
> Hi...
> 
> Some months ago, a patch to import nsswitch into OpenBSD was posted on tech@:
> 
> http://marc.theaimsgroup.com/?l=openbsd-tech&m=110098242313143&w=2
> 
> I was wondering if there was any ongoing work on nsswitch or equivalent.
> If not, is there a way to have hesiod support on OpenBSD ?
> 
I've been silently looking for any reply :> Lack of nsswitch is the 
most annoying thing in OpenBSD for me. Anyway, in next few weeks I'll 
have to play with nsswitch (especially for distributing 1k accounts via 
ldap); probably I'll try to import this patch to 3_7 or 3_8.

-- 
Lukasz Sztachanski  
...proud user of C8H10N4O2 :)
http://szati.blogspot.com
http://rudy.mif.pg.gda.pl/~szati/szati.asc



BOUNCE [EMAIL PROTECTED]: Non-member submission from [EMAIL PROTECTED]

2005-09-09 Thread owner-xsi



Re: Migration to PF - some questions

2005-09-09 Thread Rod.. Whitworth
On Fri, 09 Sep 2005 09:39:00 +0200, Guido Tschakert wrote:

>Stephan A. Rickauer wrote:
>> Gaby vanhegan wrote:
>> 
>>> Yes, correct, my bad...  Or perhaps this would work also:
>>>
>>> block out on $if_dmz keep state
>>> pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp
>>> keep state
>>>
>>> Maybe that was what I intended to write... :)
>> 
>> 
>> Ok, I am now playing with 'fwbuilder' to see how the generated pf rules 
>> look like. Presumably, they won't be structured as efficiently as if one 
>> writes them by hand - but managing hundreds of rules manually is a 
>> nightmare ...
>> 
>> Thanks so far,
>> 
>Hello,
>
>I think you know the following, but nevertheless it's important if you 
>port your rules from netfilter to pf.
>
>In netfilter nat and filter rules are checked with:
>first match wins.
>
>In pf nat rules also the first match wins
>
>__but__
>
>in pf filter rules the __last__ match wins.
>
>In fact that is the one thing I don't like in pf, but to have a "first 
>match win" you can use the magic word quick in all your pass and block 
>rules. (e.g "pass in quick")

And thereby end up with yards of quick rules that can catch you later.

You should think of it this way:

Default security is best with block everything and then pass what
selected few things you need.

So:
block all
pass in on $int_if from $safe1 to $ok2 keep state
pass in on $ext_if from any to $ext_if port ssh keep state

really makes a readable and logical arrangement to those of us who were
taught the block all, pass few security policy.

Now the example above is waay briefer than most useful rulesets but
working from the principle I described adding necessary rules is not
difficult and thoughtful grouping with whitespace between grouped rules
makes for easier reading.

I have a firewall with 3 ethernet NICs and a wi-fi card. There is a DMZ
with servers in it, there are restrictions on some LAN hosts and the
wi-fi has authpf statements. The spamd rules and tables needed to do
greylisting and tarpitting are in there too.

The total line count is 71 with many blank lines for readability and
about 16 macro definitions. There are (IIRC) about 3 "quicks" in it, 2
of which are for the loopback and one just blocks a single IP that
tries DOS attacks now and then.

I'd hate to see it written with a yard of "quick"  pass rules
terminated with a block all. Forget to write that rule and you are wide
open. Put it at the top and it is pretty hard to leave it out. See the
default pf.conf where all you need to do is uncomment it at the top of
the filter rules.


>
>guido
>
>

From the land "down under": Australia.
Do we look  from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



adsl ppp tun questions and routing questions

2005-09-09 Thread Roger Neth Jr
Hello List,



I don't know how to have ppp pppoe stay on one tun as it is switching
between tun0 and tun1 on reboots.



I have routed in rc.conf as routed="-q" but don't understand how to
configure any further to have the internet shared with other computers.
I can't figure out how to set the gateway to show an inet address that
is static to use at a mygateway or option routers with dhcpd on a
different server.





Internet -- ppp.conf de1 OpenBSD firewall de0
dhcp---Hubstatic inet 192.168.1.1 255.255.255.0 hme0
server running dhcpd


|


dhcp

fxp0


Computer 3



On the learning curve with all this new stuff, thanks for any help.



Best regards,



rogern



John 3:16



Script started on Thu Sep  8 23:36:28 2005
luke# cu -l tty00
Connected

login: root
Password:
Last login: Thu Sep  8 23:36:08 on tty00
OpenBSD 3.8 (GENERIC) #586: Fri Sep  2 00:32:30 MDT 2005

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

You have new mail.
Terminal type? [vt220]
Read the afterboot(8) man page for administration advice.
andrew# cd /etc/ppp

andrew# page ppp.conf

 default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 0
 set reconnect 15 1

pppoe:
 set device "!/usr/sbin/pppoe -i de1"
 set mtu max 1492
 set mru max 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set dial
 set timeout 0
 disable acfcomp protocomp
 deny acfcomp
 set authname xx
 set authkey xx
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add! default HISADDR
 enable dns
 enable mssfixup

andrew# page rc.conf.local

 config de1 up
 ppp -ddial pppoe


andrew# page pf.conf

# macros
 int_if = "de0"
 ext_if = "tun0"

 tcp_services = "{ 22, 113 }"
 icmp_types = "echoreq"

 priv_nets = "{ 127.0.0.0/8, 192.168.1.0/16, 10.0.0.0/8 }"

 comp3 = "192.168.1.36"

 # options
 set block-policy return
 set loginterface $ext_if

 # scrub
 scrub in all

 # nat/rdr
 nat on $ext_if from $int_if:network to any -> ($ext_if)
 rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 rdr on $ext_if proto tcp from any to any port 80 -> $comp3


andrew# route show

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            64.164.115.254     UGS         0       36      -  tun0
64.164.114.133     localhost          UH          0       48  33192  lo0
64.164.115.254     64.164.114.133     UH          0        0   1492  tun0
loopback           localhost          UGRS        0        0  33192  lo0
localhost          localhost          UH          0        0  33192  lo0
192.168.1/24       link#1             UC          0        0      -  de0
192.168.1.1        08:00:20:86:4e:b6  UHLc        0        4      -  de0
192.168.1.32       localhost          UGHS        0        0  33192  lo0
192.168.1.36       00:02:55:d4:d4:fa  UHLc        0       11      -  de0
BASE-ADDRESS.MCAST localhost          URS         0        0  33192  lo0

Internet6:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
::/104             localhost.Joshua.l UGRS        0        0      -  lo0
::/96              localhost.Joshua.l UGRS        0        0      -  lo0
localhost.Joshua.l localhost.Joshua.l UH          0        0  33192  lo0
::127.0.0.0/104    localhost.Joshua.l UGRS        0        0      -  lo0
::224.0.0.0/100    localhost.Joshua.l UGRS        0        0      -  lo0
::255.0.0.0/104    localhost.Joshua.l UGRS        0        0      -  lo0
:::0.0.0.0/96      localhost.Joshua.l UGRS        0        0      -  lo0
2002::/24          localhost.Joshua.l UGRS        0        0      -  lo0
2002:7f00::/24     localhost.Joshua.l UGRS        0        0      -  lo0
2002:e000::/20     localhost.Joshua.l UGRS        0        0      -  lo0
2002:ff00::/24     localhost.Joshua.l UGRS        0        0      -  lo0
fe80::/10          localhost.Joshua.l UGRS        0        0      -  lo0
fe80::%de0/64      link#1             UC          0        0      -  de0
fe80::200:f8ff:fe7 00:00:f8:76:73:52  UHL         0        0      -  lo0
fe80::%de1/64      link#2             UC          0        0      -  de1
fe80::a00:2bff:fec 08:00:2b:c3:c9:01  UHL         0        0      -  lo0
fe80::%lo0/64      fe80::1%lo0        U           0        0      -  lo0
fe80::1%lo0        link#7             UHL         0        0      -  lo0
fec0::/10          localhost.Joshua.l UGRS        0        0      -  lo0
ff01::/32          localhost.Joshua.l UC          0        0      -  lo0
ff02::%de0/32      link#1             UC          0        0      -  de0
ff02::%de1

Re: Migration to PF - some questions

2005-09-09 Thread Guido Tschakert

Stephan A. Rickauer wrote:

Gaby vanhegan wrote:


Yes, correct, my bad...  Or perhaps this would work also:

block out on $if_dmz keep state
pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp
keep state

Maybe that was what I intended to write... :)



Ok, I am now playing with 'fwbuilder' to see how the generated pf rules 
look like. Presumably, they won't be structured as efficiently as if one 
writes them by hand - but managing hundreds of rules manually is a 
nightmare ...


Thanks so far,


Hello,

I think you know the following, but nevertheless it's important if you 
port your rules from netfilter to pf.


In netfilter nat and filter rules are checked with:
first match wins.

In pf nat rules also the first match wins

__but__

in pf filter rules the __last__ match wins.

In fact that is the one thing I don't like in pf, but to have a "first 
match win" you can use the magic word quick in all your pass and block 
rules. (e.g "pass in quick")


guido
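
The last-match and "quick" behaviour described in this message, and the block-all-first layout Rod Whitworth argues for in his reply, can be compared side by side. This is an added example, not code from either poster and not pf itself: a deliberately small model of pf filter-rule evaluation that matches only on direction, interface and destination port and ignores state, addresses and NAT. The interface name "ext" and the rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    iface: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None  # None means "any"
    iface: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.iface in (None, pkt.iface)
                and self.dport in (None, pkt.dport))


def evaluate(rules, pkt):
    """pf filter semantics: the last matching rule decides, unless a matching
    rule carries 'quick', which ends evaluation at that rule."""
    verdict = "pass"  # pf's implicit default when no rule matches at all
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Constructed rule sets. "ext" is a hypothetical external interface.
PASS_SSH = Rule("pass", direction="in", iface="ext", dport=22)
PASS_SSH_QUICK = Rule("pass", quick=True, direction="in", iface="ext", dport=22)
BLOCK_ALL = Rule("block")

# Block everything at the top, then pass the selected few (last match wins).
DEFAULT_DENY_FIRST = [BLOCK_ALL, PASS_SSH]
# netfilter-style ordering emulated with 'quick' and a trailing block.
QUICK_STYLE = [PASS_SSH_QUICK, BLOCK_ALL]
# The same, with the trailing block forgotten.
QUICK_STYLE_NO_BLOCK = [PASS_SSH_QUICK]
# netfilter ordering ported verbatim without 'quick': the block comes last and wins.
PORTED_WITHOUT_QUICK = [PASS_SSH, BLOCK_ALL]

SSH = Packet("in", "ext", 22)
TELNET = Packet("in", "ext", 23)

if __name__ == "__main__":
    rulesets = {
        "default-deny first": DEFAULT_DENY_FIRST,
        "quick style": QUICK_STYLE,
        "quick style, block forgotten": QUICK_STYLE_NO_BLOCK,
        "ported without quick": PORTED_WITHOUT_QUICK,
    }
    for name, rules in rulesets.items():
        print(f"{name:30} ssh={evaluate(rules, SSH):5} telnet={evaluate(rules, TELNET)}")
```

The third rule set is the failure Rod Whitworth warns about: with no matching rule the model falls through to the implicit pass, so the telnet packet is allowed.
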



Re: ntpd "dispatch_imsg in main: pipe closed"

2005-09-09 Thread Thorsten Glaser
Ray  cyth.net> writes:

> Oct 11 09:29:24 sparky ntpd[30592]: dispatch_imsg in main: pipe closed

I've encountered this on several GNU/Linux boxen and tracked it down to
| listen on *

When I replace this by
| listen on ::
everything works fine.

On BSD systems, you have to use
| listen on ::
| listen on 0.0.0.0
instead because itojun sadly still doesn't believe in V4_MAPPED.

I also had a similar problem on BSD once, when setting up ntpd on a box
which had two interfaces connected to a bridge, and I was using the same
IP subnet (/64) on both physical interfaces (sis0, sis2 - Soekris net4801,
thanks Wim).

Probably this post will help people encountering the same problems in
the future (can you spell Redhat 5, Knoppix-HDINSTALL and OpenWRT?).

bye,
//mirabile
-- 
> find both emacs and vi nauseating (joe rules) and consider pine a usable text-mode mail client (and I have tried them all). ;)
Hello, I'm Holger ("Hello Holger!"), and I am likewise
... a pine user, and a habitual one at that ("Oooohhh").  [from dasr]



Re: Migration to PF - some questions

2005-09-09 Thread Stephan A. Rickauer

Gaby vanhegan wrote:

Yes, correct, my bad...  Or perhaps this would work also:

block out on $if_dmz keep state
pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp
keep state

Maybe that was what I intended to write... :)


Ok, I am now playing with 'fwbuilder' to see how the generated pf rules 
look like. Presumably, they won't be structured as efficiently as if one 
writes them by hand - but managing hundreds of rules manually is a 
nightmare ...


Thanks so far,

--

 Stephan A. Rickauer

 
 Institut für Neuroinformatik
 Universität / ETH Zürich
 Winterthurerstrasse 190
 CH-8057 Zürich

 Tel: +41 44 635 30 50
 Sek: +41 44 635 30 52
 Fax: +41 44 635 30 53

 http://www.ini.ethz.ch
 



Re: Migration to PF - some questions

2005-09-09 Thread Stephan A. Rickauer

Nico Meijer wrote:

Well, if I suggested to port netfilter to OpenBSD I would most
probably be killed in seconds. ;)



If you're lucky. ;-)

You might want to check http://openbsd.unixtech.be/books.html and more
specifically get a hold of Jacek's book.


Thanks, Nico - I'll have a look.

--

 Stephan A. Rickauer

 
 Institut für Neuroinformatik
 Universität / ETH Zürich
 Winterthurerstrasse 190
 CH-8057 Zürich

 Tel: +41 44 635 30 50
 Sek: +41 44 635 30 52
 Fax: +41 44 635 30 53

 http://www.ini.ethz.ch