passwd: /sbin/nologin --- not working for me
hello all,

i just made up a second account on my box and wanted to prevent the old one from logging into it, because i want to keep it for email retrieval. when i enter something like

morla:*:1000:1000:morla:/home/morla:/sbin/nologin

into /etc/passwd and a similar entry into /etc/master.passwd, shouldn't this keep me out???

please be careful with me, i am relatively new to bsd...

thanks all
morla
Re: passwd: /sbin/nologin --- not working for me
Hi,

# pwd_mkdb /etc/master.passwd

to generate the new password database and try again.

morla wrote:
> hello all,
>
> i just made up a second account on my box and wanted to prevent the old one from logging into it, because i want to keep it for email retrieval. when i enter something like
>
> morla:*:1000:1000:morla:/home/morla:/sbin/nologin
>
> into /etc/passwd and a similar entry into /etc/master.passwd, shouldn't this keep me out???
>
> please be careful with me, i am relatively new to bsd...
>
> thanks all
> morla
Re: passwd: /sbin/nologin --- not working for me
On Fri, Oct 21, 2005 at 07:53:52AM +0200, morla wrote:
> hello all,
>
> i just made up a second account on my box and wanted to prevent the old one from logging into it, because i want to keep it for email retrieval. when i enter something like
>
> morla:*:1000:1000:morla:/home/morla:/sbin/nologin
>
> into /etc/passwd and a similar entry into /etc/master.passwd, shouldn't this keep me out???

did you use vipw(8)? this automatically updates the user database.
Re: passwd: /sbin/nologin --- not working for me
On 2005-10-21T07:53, morla wrote:
> hello all,
>
> i just made up a second account on my box and wanted to prevent the old one from logging into it, because i want to keep it for email retrieval. when i enter something like
>
> morla:*:1000:1000:morla:/home/morla:/sbin/nologin
>
> into /etc/passwd and a similar entry into /etc/master.passwd, shouldn't this keep me out???
>
> please be careful with me, i am relatively new to bsd...

have you used vipw? That's all you need to change settings in, and only in, the /etc/master.passwd! Otherwise you have to rebuild the passwd db by hand. Read VIPW(8) for more information.

hth,
Marcus.
Re: passwd: /sbin/nologin --- not working for me
On Fri, 21 Oct 2005, morla wrote:
> hello all,
>
> i just made up a second account on my box and wanted to prevent the old one from logging into it, because i want to keep it for email retrieval. when i enter something like
>
> morla:*:1000:1000:morla:/home/morla:/sbin/nologin
>
> into /etc/passwd and a similar entry into /etc/master.passwd, shouldn't this keep me out???
>
> please be careful with me, i am relatively new to bsd...

NEVER edit passwd or master.passwd directly. Use vipw or the various user management programs. The password entries are stored into a db that needs to be regenerated. The programs take care of that.

-Otto
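Added example, not written by anyone in this thread: a check for the situation the replies describe, where the text of master.passwd was edited but the database that logins consult was never regenerated. The function names and the sample data (including the account "second") are constructed for illustration.

```python
"""Find accounts whose master.passwd entry differs from what logins actually use.

On BSD, login programs resolve accounts through getpwnam(3), which reads the
database built by pwd_mkdb(8), not the text files themselves.
"""
import pwd

# master.passwd(5) entries have ten colon-separated fields.
MASTER_FIELDS = ("name", "password", "uid", "gid", "class",
                 "change", "expire", "gecos", "home", "shell")
COMPARED = ("uid", "gid", "home", "shell")


def parse_master_passwd(text):
    """Return {name: {field: value}} for every entry in master.passwd text."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(MASTER_FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(MASTER_FIELDS)} fields, got {len(parts)}")
        entries[parts[0]] = dict(zip(MASTER_FIELDS, parts))
    return entries


def system_lookup(name):
    """Resolve a name the way login does; None if the database has no entry."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    return {"uid": str(pw.pw_uid), "gid": str(pw.pw_gid),
            "home": pw.pw_dir, "shell": pw.pw_shell}


def find_stale_entries(master_text, lookup=system_lookup):
    """List (name, field, value_in_file, value_in_database) for every mismatch."""
    findings = []
    for name, wanted in parse_master_passwd(master_text).items():
        actual = lookup(name)
        if actual is None:
            # Entry was typed into the file but never reached the database.
            findings.append((name, "entry", "present", None))
            continue
        for field in COMPARED:
            if wanted[field] != actual[field]:
                findings.append((name, field, wanted[field], actual[field]))
    return findings


# Constructed sample: the file says nologin for morla, but the database was
# built before the edit and still hands out the old shell.
SAMPLE_MASTER = """\
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
morla:*:1000:1000::0:0:morla:/home/morla:/sbin/nologin
second:*:1001:1001::0:0:second account:/home/second:/bin/ksh
"""
SAMPLE_DATABASE = {
    "root": {"uid": "0", "gid": "0", "home": "/root", "shell": "/bin/ksh"},
    "morla": {"uid": "1000", "gid": "1000", "home": "/home/morla", "shell": "/bin/ksh"},
}

if __name__ == "__main__":
    for name, field, in_file, in_db in find_stale_entries(SAMPLE_MASTER,
                                                          SAMPLE_DATABASE.get):
        print(f"{name}: {field} is {in_file!r} in master.passwd, {in_db!r} in the database")
```

On a real host, run as root and call `find_stale_entries(open("/etc/master.passwd").read())`; an empty result means the database matches the file.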
OpenBSD 3.8 on HP nx8220
Hi folks, is there anybody out there who can share some experiences with such a device ? I'm especially interested in reports about the X setup, as this device got a wide screen display. Thx in advance, Stefan Sonnenberg
[Fwd: Re: pf rules generation policy]
Kilaru Sambaiah wrote:
> Hello All,
> I am linux administrator and use iptables for firewall. I use shorewall, which you need to be setting up only policy based on your box is having one interface or two interfaces or three. Policy, zone, interfaces, rules these are all I need to edit. Is there any such tool for PF. I am not looking at GUI for generating rules.

Hello Sam,

fwbuilder is a GUI which vomits pf rules if you wish (and also iptables and some other kind of firewalls). It's easy to use, but the result is not ever exactly what you want (therefore i used vomit). It's nice to see what it produces with iptables and then what it produces with pf (at this point it can help you to see the differences between iptables rules and pf rules), but mostly it is better to edit pf.conf directly. So you know exactly what your firewall rules do. And btw: pf rules are much more readable than a set of iptable commands. So give it a try.

> thanks,
> Sam

guido
Re: congrats on OpenBSD SAN... one little question
Nick Holland wrote: Jason Dixon wrote: On Oct 20, 2005, at 1:49 PM, Joe Advisor wrote: Congrats on the cool OpenBSD SAN installation. I was wondering how you are dealing with the relatively large filesystem. By default, if you lose power to the server, OpenBSD will do a rather long fsck when coming back up. To alleviate this, there are numerous suggestions running around that involve mounting with softdep, commenting out the fsck portion of rc and doing mount -f. Are you doing any of these things, or are you just living with the long fsck? Thanks in advance for any insight into your installation you are willing to provide. This is just a subversion repository server for a bunch of developers. There are no dire uptime requirements, so I don't see a lengthy fsck being an issue. Not to mention the hefty UPS keeping it powered. Sorry if this doesn't help you out, but it's not a big problem on my end (thankfully). If it was, I would have just created many slices and distributed projects equally across them. I'm working on a couple big storage applications myself, and yes, this is what I'm planning on doing, as well. In fact, one app I'm going to be turning on soon will be (probably) using Accusys 7630 boxes with about 600G storage each, and I'll probably split that in two 300G pieces for a number of reasons: 1) shorter fsck 2) If a volume gets corrupted, less to restore (they will be backed up, but the restore will be a pain in the butt) 3) Smaller chunks to move around if I need to 4) Testing the storage rotation system more often (I really don't want my app bumping from volume to volume every six months...I'd rather see that the rotation system is Not Broke more often, with of course, enough slop in the margins to have time to fix it if something quit working.) 5) Cost benefit of modular storage. Today, I can populate an ACS7630 (three drive, RAID5 module) with 300G drives for probably $900. I could populate it with 400G drives for $1200. 
That's a lotta extra money for 200G more storage. Yet, if I buy the 300G drives in a couple storage modules today, and in about a year when those are nearing full, replace them with (then much cheaper) 500G (or 800G or ...) drives, I'll come out way ahead. Beats the heck out of buying a single 3+TB drive array now and watching people point and laugh at it in a couple years when it is still only partly full, and you can buy a bigger single drive at your local office supply store. :) With this system, I can easily add-on as we go, and more easily throw the whole thing away when I decide there is better technology available. Would I love to see the 1T limit removed? Sure. HOWEVER, I think I would handle this application the exact same way if it didn't exist (that might not be true: I might foolishly plowed ahead with the One Big Pile philosophy, and regretted it later). Hi Nick We can argue back and forth on the pros and cons of building 1TB partitions or not, but the need for these giant allocations are real enough and from a commen/broader view (small business) the demand is also moving closer and closer. At work we have a disk-to-disk backup server for (for customers) with one 1.5TB (SATA raid5) backup partition. The app works that way and if each customer start using it and used =20GB per customer, we would need at least 3.5TB more disk space. Breaking up in smaller chunks is not always possible/practical. I would appresiate an unlimited filesystem one day - but not at the cost of potentially losing data! I would also just love to see OpenBSD large-scale enterprise SAN/NAS solutions in the LISA program some day :) /per [EMAIL PROTECTED] For this application, the shorter fsck is not really an issue. In fact, as long as the archive gets back up within a week or two, it's ok -- the first stage system is the one that's time critical...and it is designed to be repairable VERY quickly, and it can temporarily hold a few weeks worth of data. :) Nick.
Re: passwd: /sbin/nologin --- not working for me
hmm, on Fri, Oct 21, 2005 at 07:53:52AM +0200, morla said that
> i just made up a second account on my box and wanted to prevent the old one from loging into it, due i want to keep it for email retrival.

i am not 100% sure what retrival means, but if you want to keep the account only for receiving email, you might consider creating an email alias (/etc/aliases) instead...

-f
--
real programmers use copy com1 program.zip and whistle.
Re: congrats on OpenBSD SAN... one little question
per engelbrecht wrote: Nick Holland wrote: ... Would I love to see the 1T limit removed? Sure. HOWEVER, I think I would handle this application the exact same way if it didn't exist (that might not be true: I might foolishly plowed ahead with the One Big Pile philosophy, and regretted it later). Hi Nick We can argue back and forth on the pros and cons of building 1TB partitions or not, but the need for these giant allocations are real enough and from a commen/broader view (small business) the demand is also moving closer and closer. At work we have a disk-to-disk backup server for (for customers) with one 1.5TB (SATA raid5) backup partition. The app works that way and if each customer start using it and used =20GB per customer, we would need at least 3.5TB more disk space. Breaking up in smaller chunks is not always possible/practical. I would appresiate an unlimited filesystem one day - but not at the cost of potentially losing data! I would also just love to see OpenBSD large-scale enterprise SAN/NAS solutions in the LISA program some day :) No denying it is an annoying limit, but talking about it won't change it. Someone will have to be annoyed enough to sit down and devote their time to figuring out how to deal with it appropriately. No amount of begging by those of us who lack the skills (or in my case, the rigor -- I keep writing programs and finding stooopid bugs and say to myself, good thing I don't do file system code! ;) will change that. File system code is about as scary as it gets to work on. Mess up the memory allocation system, or who knows what else, you can always reboot after the panic, and most of your data is still there. Mess up the file system code in a subtle way...you could be writing slightly wrong data to disk for weeks before noticing that you have 2T of trash. 
In the mean time...while yes, there are apps where One Big Chunk is the only solution, there are lots of apps where Several Smaller Chunks is a tollerable solution, and some where it is even the PREFERED solution. In cases where One Big Chunk is the only solution, OpenBSD isn't a contender. In places where it is a tollerable or even prefered solution, OpenBSD's other advantages can still be leveraged. (did I just say leveraged?? oh my..the damned tie is cutting off oxygen to my brain!) Nick.
Re: SSH with more features
Spruell, Darren-Perot wrote:
> From: Rico [mailto:[EMAIL PROTECTED]
>> Reading the last couple of days of sftp/scp's posts and reading up on the archives I just wanted to ask.. Would it be a bad idea to extend OpenSSH with some extra features like:
>>
>> 1. In sshd_config - making it possible to provide a sftp/scp only connection. Like AllowUsers having a SCPOnlyUsers.
>> 2. Making it possible to jail some of the SCP only users with another option like SCPJailedUsers.
>>
>> I am not a developer and I am just asking about if this maybe is a bad idea.
>
> It is a fantastic idea. Nick just laid out the process for building and submitting patches, too, so I think your diffs can be sent in any time now... ;)
>
> If it was a simplistic task, and had a high chance of not being 100,000 lines worth of spaghetti mess code that lowered the security of OpenSSH, I'd guess it would have probably been implemented already.
>
> DS

If I remember there is a shell rssh available exactly for this purpose, it implements user based scp/sftp permissions and it even has options for restricting cvs over ssh
Re: [Fwd: Re: Theo, I am truely sorry. You misunderstood me.]
hmm, on Thu, Oct 20, 2005 at 04:01:18PM -0800, Szechuan Death said that This has been a public service announcement, paid for by the Friends of Civilized Vendors economic-action committee. The FCV reminds you; FCV also stands for Fuck Closed Vendors! ;- and fuck closed www ports for half of the world. -f -- he has a train of thought. you have a tricycle...
Re: CARP states apparently not changing correctly (causes some connection drops)
Stephan A. Rickauer wrote:
> Ashley Moran wrote:
>> fw1# cat /etc/hostname.carp0
>> inet 192.168.67.3 255.255.255.0 192.168.67.255 carpdev rl0 vhid 1 pass mycarp
>>
>> fw2# cat /etc/hostname.carp0
>> inet 192.168.67.3 255.255.255.0 192.168.67.255 carpdev rl0 vhid 1 advskew 10 pass mycarpstudio
>
> Could it be your inconsistent 'pass'?

Just when I was about to give up I showed the problem to someone else in the office and it started working fine :-S I have no idea whatsoever why it wasn't working for a day and a half.

Ashley
Carp / VLAN and net.inet.carp.preempt=1
Hello there,

I have 2 openbsd box (that does as well openbgpd but this is not the aim of this mail).

Question is that any problems to do

sysctl net.inet.carp.preempt=1

and

ifconfig em0 up
ifconfig vlan0 vlan 11 vlandev em0
ifconfig carp0 inet 10.0.0.1 netmask 255.255.255.0 vhid 1 carpdev vlan0

In each routers / carp border machines to have full redundancy ?

Thanks :)
/Xavier
--
If you keep trying, you eventually get there. So the more it fails, the better the chance that it works... (Shadok proverb)
Re: Intel PRO/1000 MT Dual Port Server Adapter Issues
brad@ had committed a fix that worked for me, that allowed the dual port's to show up. (mine were PCI-Express). The fix should be in 3.8 em0 at pci5 dev 4 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, address: 00:0e:0c:71:83:2c em1 at pci5 dev 4 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 7, address: 00:0e:0c:71:83:2d
Re: congrats on OpenBSD SAN... one little question
per, We can argue back and forth on the pros and cons of building 1TB partitions or not, but the need for these giant allocations are real enough and from a commen/broader view (small business) the demand is also moving closer and closer. At work we have a disk-to-disk backup server for (for customers) with one 1.5TB (SATA raid5) backup partition. The app works that way and if each customer start using it and used =20GB per customer, we would need at least 3.5TB more disk space. Breaking up in smaller chunks is not always possible/practical. I would appresiate an unlimited filesystem one day - but not at the cost of potentially losing data! I would also just love to see OpenBSD large-scale enterprise SAN/NAS solutions in the LISA program some day :) i remember when i used to submit jobs to clusters that different users would have home directories on different nfs mounts. i fail to see why you couldn't do something along these lines with the setup you describe, i.e. make 5 300GB partitions and allocate some fixed amount of space to each user, limiting the number of user accounts on each partition. i can certainly see how this would be annoying from a scalability standpoint, but how often are you changing user storage limits? it would, however, be most convenient to just have one huge-ass partition :). cheers, jake
Re: Very high interrupts on a supermicro machine.
* dormando [EMAIL PROTECTED] [2005-10-21 01:08]: Did you make any other configuration changes? Right now my box is doing ~28,000pps per direction per interface (out public, in public, out internal, in internal), totalling around 112kpps. It doesn't seem to want to go any higher than that. I've just tried moving the internal connection off of the dualport PCI-X card and onto the internal nic, and it hasn't made a difference. I'd be a little confused if two syskonnect cards would have double the performance of what I have in the machine right now... at these packet rates I am not surprised by sk(4) performing more than twice as good as others. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: congrats on OpenBSD SAN... one little question
i can certainly see how this would be annoying from a scalability standpoint, but how often are you changing user storage limits? it would, however, be most convenient to just have one huge-ass partition :). Annoying from a scalability standpoint? gimme a break. one huge filesystem is annoying from a scalablility standpoint. I run lots of big raids here, and I do *not* make one big partition on them, even the ones not on OpenBSD - It's the same principles behind the reasons I don't like to run services by scaling to one bigger and bigger machine. Inevitably you hit one wall or another, and scaling up when you hit that wall is horrificly expensive, recovering from a disaster on something so monolithicly big is horrificly time consuming and/or expensive. I like to scale services by adding machines and storage by adding partitions. Doing otherwise is a sign of inexperience. something your raid/san vendor will love to hear when they talk to you as they reach into their salescritter bag for their handy-dandy bottle of extra-sandy lube. Now I didn't say I didn't tie multiple partitions into the APPEARANCE of a big filesystem with NFS/AFS and whatever (which I do) I just don't make monster chiller horror native partitions which then need to be backed up and recovered in non-geologic time. -Bob
Re: [Fwd: Re: pf rules generation policy]
On Fri, 21 Oct 2005 09:59:12 +0200 Guido Tschakert [EMAIL PROTECTED] spake: Kilaru Sambaiah wrote: Hello All, I am linux administrator and use iptables for firewall. I use shorewall, which you need to be setting up only policy based on your box is having one interface or two interfaces or three. Policy, zone, interfaces, rules these are all I need to edit. Is there any such tool for PF. I am not looking at GUI for generating rules. Hello Sam, fwbuilder is a GUI which vomits pf rules if you wish (and also iptables and some other kind of firewalls). It's easy to use, but the result is not ever ecactly what you want (therefore i used vomit). Its' nice to see what it produces with iptables and then what it produces with pf (at this point it can help you to see the differences between iptables rules and pf rules), but mostly it is better to edit pf.conf directly. So you know exactly what your firewall rulez does. And btw: pf rules are much more readable then a set of iptable commands. So give it a try. I've been playing with fwbuilder for a few years with iptables and now PF... its been useful as far as selling some clients on *nix firewalls (I used to push linux systems as firewalls). The Cisco sales guy basically shows them printouts of iptables code and tells them if they want a linux firewall that what they have to learn. Of course iptables code is not exactly fun to follow compared to pf. I actually sat down with a prospective client and before I could say anything they said nope we don't want it. When I found out why and showed them, they were a bit pissed at the cisco guy. Anyway, even if you definately want to go with the GUI, learn PF first and then look at the code output from fwbuilder. Once you understand how FWBuilder will output rules and have an understanding of how PF works best then getting the two to come together helps. That being said, you can only scratch the surface using Fwbuilder... QOS, Anchors, tables, etc... are not out yet in there. 
The next version from what I hear will be changing some other things. I've not done anything terribly large - most of my rule sets are under 100 rules... so the vomit part may be heading my way sometime soon. Actually the one thing I would not suggest doing is taking an existing fwbuilder iptables and switching it PF. It works with some tweaking, but the resulting rule set is a mess. Learn PF, start from scratch. In the end, learning and editing pf.conf by hand is the best way to go - its actually pretty easy. But if your alternative to a GUI like fwbuilder is getting some commerical over priced glossy POS - give it a whirl.
Re: keep state and PF Queues
I was just curious if any of the developers (or experts) would care to articulate officially :}

~BAS

On Wed, 19 Oct 2005, William Bloom wrote:
> The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-).
>
> Bill
>
> Brian A. Seklecki wrote:
>> Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues? One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5)
>>
>> TIA,
>> ~BAS

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
OpenBSD hack for the ipod
Ever wanted to use the ipod whilst charging it via USB, on OpenBSD? I found a nice feature for scsi devices. I'm not sure if eject was designed with this in mind, but it works.

$ eject /dev/rsd0c

Why you may want to do this? When an ipod is plugged in via USB, you cannot make use of its menu. Ejecting the device makes this possible - after running the command, you can make use of the ipod's menu whilst it's being charged... that includes playing music!!

See http://www.gnu.org/software/gnupod for a text based version of transferring data to and from.

3.8-current now provides scsi access for all ipods, including the nano.

Ed.
Re: CARP states apparently not changing correctly (causes some connection drops)
Stephan A. Rickauer wrote:
> Ashley Moran wrote:
>> fw1# cat /etc/hostname.carp0
>> inet 192.168.67.3 255.255.255.0 192.168.67.255 carpdev rl0 vhid 1 pass mycarp
>>
>> fw2# cat /etc/hostname.carp0
>> inet 192.168.67.3 255.255.255.0 192.168.67.255 carpdev rl0 vhid 1 advskew 10 pass mycarpstudio
>
> Could it be your inconsistent 'pass'?

Just so everyone knows I'm not a moron (lol)... the e-mail was wrong and the carp passwords were the same on the servers. Presumably you get an error if this is not the case (I sure hope so)

Ashley
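Added example, not code from any poster: a consistency check over the two hostname.carp0 lines exactly as they were quoted in this thread, flagging the settings that both peers of one vhid have to share and naming the node expected to be master. Function names are hypothetical; the check reports that the pass values differ without echoing them.

```python
"""Compare the hostname.carp0 lines of two CARP peers."""

OPTION_KEYWORDS = ("carpdev", "vhid", "advbase", "advskew", "pass")
# Both peers of one virtual host must agree on these. Advertisements are
# authenticated with a key derived from 'pass', so peers with different
# values ignore each other's advertisements.
MUST_MATCH = ("address", "netmask", "vhid", "pass")


def parse_hostname_carp(line):
    """Parse 'inet addr [netmask [broadcast]] option value ...' into a dict."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "inet":
        raise ValueError("expected a line starting with 'inet <address>'")
    config = {"address": tokens[1]}
    positional = []
    i = 2
    while i < len(tokens):
        if tokens[i] in OPTION_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"option '{tokens[i]}' has no value")
            config[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            positional.append(tokens[i])
            i += 1
    for key, value in zip(("netmask", "broadcast"), positional):
        config[key] = value
    return config


def compare_peers(line_a, line_b):
    """Return a list of human-readable problems; empty when the peers agree."""
    a, b = parse_hostname_carp(line_a), parse_hostname_carp(line_b)
    problems = []
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            if key == "pass":
                problems.append("pass differs")  # never print the secrets
            else:
                problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    return problems


def preferred_master(named_lines):
    """Name of the peer that advertises most often (lowest advbase, advskew).

    Defaults used when an option is absent: advbase 1, advskew 0.
    """
    def rank(item):
        config = parse_hostname_carp(item[1])
        return (int(config.get("advbase", 1)), int(config.get("advskew", 0)))
    return min(named_lines.items(), key=rank)[0]


# The two lines as posted in the thread.
FW1 = "inet 192.168.67.3 255.255.255.0 192.168.67.255 carpdev rl0 vhid 1 pass mycarp"
FW2 = ("inet 192.168.67.3 255.255.255.0 192.168.67.255 carpdev rl0 vhid 1 "
       "advskew 10 pass mycarpstudio")

if __name__ == "__main__":
    for problem in compare_peers(FW1, FW2):
        print("mismatch:", problem)
    print("expected master:", preferred_master({"fw1": FW1, "fw2": FW2}))
```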
Re: OpenBSD hack for the ipod
On 10/20/05, Ed Wandasiewicz [EMAIL PROTECTED] wrote: 3.8-current now provides scsi access for all ipods, including the nano. If apple only knew that I was waiting for this so that I could plug an ipod into my zaurus. What a great advertising campaign that would be... Mike
Re: keep state and PF Queues
well, I did numerous times in the past.

the misunderstanding most of you have is that queue assignment and the actual queueing are separate things. you assign a queue with the name X somewhere, be it by a rule in the inbound path or the outbound, or a state in either direction, and when we hit the enqueuing on the outbound interface we check whether the packet in question is tagged to be put in a specific queue. if so, and a queue by the desired name exists on the given interface, we do so, otherwise it goes to the default queue.

* Brian A. Seklecki [EMAIL PROTECTED] [2005-10-21 17:59]:
> I was just curious if any of the developers (or experts) would care to articulate officially :}
>
> ~BAS
>
> On Wed, 19 Oct 2005, William Bloom wrote:
>> The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-).
>>
>> Bill
>>
>> Brian A. Seklecki wrote:
>>> Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues? One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5)
>>>
>>> TIA,
>>> ~BAS
>
> l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8

--
BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: OpenBSD's 10th birthday -- how about a present?
Happy Birthday OpenBSD! My daughter almost has the same birthday at OpenBSD: My wife gave birth to a baby girl yesterday at 4:38pm!!! I bought a CD and the baby T-shirt (although it may take a while before she can wear it) Congrats to Theo and his gang for their hard work!!! Regards, Kevin R.
Re: OpenBSD's 10th birthday -- how about a present?
Hi OpenBSD fans! My 3.8 CD preorder is sent also! I am waiting nervous for the 3.8 release! Thanks to all guys! Ramiro.
C++ exceptions with OpenBSD 3.6 on amd64
I have a simple c++ program that throws an exception and tries to catch it. But when I run it, it crashes with segmentation fault. Looking at the stack trace, looks like the exception is thrown but no one catches it. Is this a bug? There's a workaround?

The c++ file is:

---
#include <iostream>

int main(void)
{
    try
    {
        throw "Exception";  // thrown object is a const char*
    }
    catch(...)
    {
        std::cout << "Exception catched" << std::endl;
    }
}
---

more info:

$ uname -mprsv
OpenBSD 3.6 GENERIC#136 amd64 AMD Athlon(tm) 64 Processor 2800+

$ gcc -v
Reading specs from /usr/lib/gcc-lib/x86_64-unknown-openbsd3.6/3.3.2/specs
Configured with:
Thread model: single
gcc version 3.3.2 (propolice)

$ g++ -g -o test test.cpp
$ ./test
Abort (core dumped)

$ gdb test
GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as x86_64-unknown-openbsd3.6...
(gdb) run
Starting program: /home/scufre/test

Program received signal SIGABRT, Aborted.
0x4a065c1a in kill () from /usr/lib/libc.so.34.1
(gdb) bt
#0 0x4a065c1a in kill () from /usr/lib/libc.so.34.1
#1 0x4a092141 in abort () from /usr/lib/libc.so.34.1
#2 0x004021ce in uw_init_context_1 (context=0x7f7f6650, outer_cfa=0x7f7f6770, outer_ra=0x4ef294c6) at /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2.c:1177
#3 0x00402381 in _Unwind_RaiseException (exc=0x807050) at unwind.inc:84
#4 0x4ef294c6 in __cxa_throw () from /usr/lib/libstdc++.so.32.0
#5 0x0040105c in main () at test.cpp:7
Re: Very high interrupts on a supermicro machine.
Right now my box is doing ~28,000pps per direction per interface (out public, in public, out internal, in internal), totalling around 112kpps. It doesn't seem to want to go any higher than that. I've just tried moving the internal connection off of the dualport PCI-X card and onto the internal nic, and it hasn't made a difference. I'd be a little confused if two syskonnect cards would have double the performance of what I have in the machine right now... at these packet rates I am not surprised by sk(4) performing more than twice as good as others. I've got a different P4-based SuperMicro motherboard that I've been troubleshooting, too. It's not seeing the weird PCI interrupt routing error message that dormando described, I'm just getting heavy PF congestion with moderate 12Mb/s 12k pps traffic rates. In benchmarking with an sk card replacing one of the onboard em's, I saw a definite improvement, but still encountered congestion around 15~20Mb/s. Not to generalize, but in my case, evidence points to this SuperMicro motherboard being pretty craptastic. Incidentally, for the boxes based on this motherboard that I have in production, I used the Henning's recommended value for net.inet.ip.ifq.maxlen, and saw a significant reduction in my congestion counter rate. 15~30/s versus 100's. cheers, --Matt
Re: C++ exceptions with OpenBSD 3.6 on amd64
> I have a simple c++ program that throws an exception and tries to catch it. But when I run it, it crashes with segmentation fault. Looking at the stack trace, looks like the exception is thrown but no one catches it. Is this a bug? There's a workaround?

Not sure when, but this has been fixed (as well as many other things), use 3.8.
Re: OpenBSD's 10th birthday -- how about a present?
On 10/21/05, Ramiro Aceves [EMAIL PROTECTED] wrote: Hi OpenBSD fans! My 3.8 CD preorder is sent also! I am waiting nervous for the 3.8 release! Nervous? You must mean anxious :) One of the main reasons I love OpenBSD is because there is so much less to be nervous about! Mike
uaudio.c add_selector question
Looking at uaudio.c, uaudio_add_selector, it punts to

printf("uaudio_add_selector: NOT IMPLEMENTED\n");

Obviously not a cut and paste job, but it looks like NetBSD has added support in their recent uaudio.c.

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/usb/uaudio.c?rev=1.99&content-type=text/x-cvsweb-markup

Is anyone already looking at trying to include their code, or should I start an adventure with trying to see how bad I can break my machine?

--
Will
Re: Carp / VLAN and net.inet.carp.preempt=1
On Fri, 21 Oct 2005, Xavier Beaudouin wrote:
> Hello there,
>
> I have 2 openbsd box (that does as well openbgpd but this is not the aim of this mail).
>
> Question is that any problems to do
>
> sysctl net.inet.carp.preempt=1
>
> and
>
> ifconfig em0 up
> ifconfig vlan0 vlan 11 vlandev em0

Each machine must have a trunk link from the single switch (or if you have redundant switch fabric, two switches that are themselves trunked). Effectively in the same ethernet segment.

Each OpenBSD machine will have a Vlan11 interface presented to it. Each must have an IP within the subnet. Then, the CARP interface will share another (3rd) IP in the same subnet.

So if you've got a /24, the CARP VIP could be .1 and each Box's vlan11 could be .2 and .3.

~BAS

I don't know how you plan to sync the BGP table between the two. I know PF tables and ISAKMPd states are syncable.

Peace,
~BAS

> ifconfig carp0 inet 10.0.0.1 netmask 255.255.255.0 vhid 1 carpdev vlan0
>
> In each routers / carp border machines to have full redundancy ?
>
> Thanks :)
> /Xavier
> --
> If you keep trying, you eventually get there. So the more it fails, the better the chance that it works... (Shadok proverb)

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: [Fwd: Re: Theo, I am truely sorry. You misunderstood me.]
On Thursday 20 October 2005 19:01, you wrote: Currently tracking 30+ pieces of hardware. However, I need help: I need people to email me supported hardware, or use the Submit New Kit link on the page to do it. It's pretty easy, and the only requirement is that you need to have personally witnessed its (correct) operation with some version of OpenBSD, and that it is possible to buy it new. Speaking of which: Which driver supports the Adaptec 1205SA? Anybody? Bueller? Manpages are not forthcoming. I submitted the Adaptec 1205 SA to your list. I put it in my OpenBSD 3.7 machine and it just worked. The drive plugged into the 1205 is wd1. I believe these are the relevant dmesg lines: pciide1 at pci0 dev 16 function 0 CMD Technology SiI3112 SATA rev 0x02: DMA pciide1: using irq 10 for native-PCI interrupt pciide1: port 0: device present, speed: 1.5Gb/s wd1 at pciide1 channel 0 drive 0: ST3400832AS wd1: 16-sector PIO, LBA48, 381554MB, 781422768 sectors wd1(pciide1:0:0): using BIOS timings, Ultra-DMA mode 6 The full dmesg follows, in case what I quoted above isn't sufficient:
Re: passwd: /sbin/nologin --- not working for me
You said you entered into those files. Did you vi(1) them manually? Did you rebuild the database afterward? When you finger the user, what does the shell show up as? Use either vipw(8) as root, to do this, or use chfn(1) as the user. ~BAS On Fri, 21 Oct 2005, morla wrote: hello all, i just made up a second account on my box and wanted to prevent the old one from logging into it, due i want to keep it for email retrieval. when i enter something like morla:*:1000:1000:morla:/home/morla:/sbin/nologin into /etc/passwd and a similar entry into /etc/master.passwd shouldn't this keep me out??? please be careful with me, i am relatively new to bsd... thanks all morla l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: C++ exceptions with OpenBSD 3.6 on amd64
Well, the problem is that with OpenBSD 3.7 other things don't work (php4-xslt makes apache crash when used), and OpenBSD 3.8 is not yet released officially. On 10/21/05, Peter Valchev [EMAIL PROTECTED] wrote: I have a simple c++ program that throws an exception and tries to catch it. But when I run it, it crashes with segmentation fault. Looking at the stack trace, looks like the exception is thrown but no one catches it. Is this a bug? There's a workaround? Not sure when, but this has been fixed (as well as many other things), use 3.8.
Re: Patch and new file, machdep.c,files.i386,k7-powenow.c, adds k8-powernow.c
On 10/21/05, Gordon Willem Klok [EMAIL PROTECTED] wrote: Thorsten Glaser wrote: Gordon Willem Klok dixit: #define MSR_AMDK7_FIDVID_CTL 0xc0010041 #define MSR_AMDK7_FIDVID_STATUS 0xc0010042 /* Bitfields used by K8 */ Can't that be merged into powernow-k7.c ? Those values are also found in powernow-k7.c with a few other shared bits, the FreeBSD guys have their driver for both the K7 and K8 powernow features integrated into one file, I didn't think this was the appropriate way to do this, let me explain myself, first mixing the code makes it a lot messier (IMHO), second the K7 platform should remain pretty static since there won't be new generations of product derived from that architecture, and it was my hope when I ported their code that powernow-k8.c eventually finds its way into the AMD64 port which as the file exists now won't need any of powernow-k7.c and finally well there are a lot of similarities between the two there are also big differences e.g. the way in which a fid/vid transition is undertaken. this is good. if they are different, then they should remain different.
Re: Statefull VPN failover a fork from Re: iptables vs pf
More to the point, how to find this info. 1: Go to http://www.openbsd.org/cgi-bin/man.cgi 2: click apropos 3: make sure current is selected 4: query sync 5: click on sasyncd(8) and sasyncd.conf(5) http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386 6: Once intimately familiar with the process, write some Docs and submit them for translation. Also, someone at NYC BSDcon 05 gave a presentation and had slides. Try to find those too. Best of luck. ~BAS On Thu, 20 Oct 2005, [EMAIL PROTECTED] wrote: I have been moving a single Linux FW to a pair of OBSD machines, lured by carp and pfsync. This has been working well in my test environment. This also led me to vpns running with ISAKMPD, replacing a Freeswan box, and forestalling purchasing proprietary products for site to site partner vpns. THE POINT: Where will I find docs that explains how this is done Oh, and when your 3.8 VPNs failover statefully, too. :) ? -Original Message- From: Jason Dixon [mailto:[EMAIL PROTECTED] Sent: Thursday, October 20, 2005 02:07 AM To: 'Edy Purnomo' Cc: misc@openbsd.org Subject: Re: iptables vs pf On Oct 19, 2005, at 6:21 PM, Edy Purnomo wrote: i suggested to my friend to replace his linux box to openbsd. he uses mainly for internet gateway : pf + squid proxy after 2 weeks later he switched it back linux and said : linux much faster to respond the http requests (he had a same configuration on openbsd, pf + squid proxy). is there any program that can prove what he says ? thanks. Three points: 1) No way in hell is iptables faster than PF. 2) His box _may_ pass traffic faster, but this is almost certainly due to the support level of the hardware. Without real information, it's hard to qualify this. 3) Who cares? Why are you worried about what your friend uses? If it works for him, so be it.
Rather than trying to bring him over cuz PF is l33t, just make sure you mention how cool it is when your stateful firewalls run 24x7. Oh, and when your 3.8 VPNs failover statefully, too. :) http://www.openbsd.org/goals.html -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Carp scp loosing connection
Hi all, I have 2 Rasta 4801 (3.7 current) as a master and backup carp. One solaris 10 server is behind them. When I try to scp a 600MB file from 1 solaris server outside the network to the solaris server behind the net4801, I get network error: connection reset by peer error. If I halt the master carp and the backup becomes master, no problem all 600MB gets transferred. If I also halt the backup and the master is running by itself, no problem either. I then went ahead and deleted the file and rebooted the master, the current Master switched to backup, and I did the copy a network error: connection reset by peer showed up. So far it's either this or that running but not both, I'm completely lost here. My pf.conf file on both machines are identical. Thank you.

/etc/pf.conf:

ext_if="sis0"
int_if="sis1"
ext_net="104.83.19.0/24"
int_net="172.16.0.0/24"
carp5="carp5"
ross="172.16.0.3"
ross_int_webzone="172.16.0.4"
tcp_services="{22, 80}"
dns_services="{53}"

set timeout interval 10
set timeout frag 30
set block-policy return
set loginterface sis0
set skip on lo0

# scrub in all

nat on $ext_if from $int_net to any -> $ext_if static-port
rdr on $ext_if proto tcp from any to $carp5 port 22 -> $ross_int_webzone port 22

# Deny all packets
block in on sis0 all

pass in quick on $int_if all
pass out quick on $int_if all
pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
pass out quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
pass quick on lo0 all
pass quick on { sis2 } proto pfsync
pass in quick on { sis0 sis1 } proto carp keep state

# Filter rules for sis0 outbound
block out on sis0 all
# pass in all
# pass out all

My master carp has the following:

ifconfig carp5 create
ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 0 104.83.19.244 netmask 255.255.255.0

My backup carp has the following:

ifconfig carp5 create
ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 128 104.83.19.244 netmask 255.255.255.0
Re: keep state and PF Queues
If a TCP flow is egressing an interface at 2000k/s (17-18mbps), it might be causing as much as 300kbps of ACK traffic. That traffic really doesn't get queued on return at the same interface it's egressing. However, I have noticed that, if a traffic flow is passing through a router (say, the same flow as before, egressing an upstream interface at 2000k/s) and a rule set exists on the interface the flow is ingressing from (on its way through to the previously mentioned egress interface), the ACK traffic will get queued leaving that sender facing interface, on its way back to the sender. So really, keep state has no impact? ~BAS On Fri, 21 Oct 2005, Henning Brauer wrote: well, I did numerous times in the past. the misunderstanding most of you have is that queue assignment and the actual queueing are separate things. you assign a queue with the name X somewhere, be it by a rule in the inbound path or the outbound, or a state in either direction, and when we hit the enqueuing on the outbound interface we check whether the packet in question is tagged to be put in a specific queue. if so, and a queue by the desired name exists on the given interface, we do so, otherwise it goes to the default queue. * Brian A. Seklecki [EMAIL PROTECTED] [2005-10-21 17:59]: I was just curious if any of the developers (or experts) would care to articulate officially :} ~BAS On Wed, 19 Oct 2005, William Bloom wrote: The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-). Bill Brian A. Seklecki wrote: Would anyone like to elaborate on the impacts of using keep state in conjunction with pass rules that assign traffic to queues?
One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5) TIA, ~BAS -- William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado Computing 5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115| http://www.eldocomp.com l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8 -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie) l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: Statefull VPN failover a fork from Re: iptables vs pf
Please note that at this time, sasyncd can fail IPSEC associations to a 2nd machine, but not yet fail them back when the master recovers. The developer of this stuff hasn't finished it yet.
Re: C++ exceptions with OpenBSD 3.6 on amd64
On Fri, Oct 21, 2005 at 03:16:13PM -0300, Sebastian Cufre wrote: Well, the problem is that with OpenBSD 3.7 other things don't work (php4-xslt makes apache crash when used), and OpenBSD 3.8 is not yet released officially. On 10/21/05, Peter Valchev [EMAIL PROTECTED] wrote: I have a simple c++ program that throws an exception and tries to catch it. But when I run it, it crashes with segmentation fault. Looking at the stack trace, looks like the exception is thrown but no one catches it. Is this a bug? There's a workaround? Not sure when, but this has been fixed (as well as many other things), use 3.8. So ? we're not going to spend time fixing this kind of stuff NOW, considering the official release date for OpenBSD 3.8 is 10 days away...
tar(1) problem with long file names.
It seems that tar(1) is only able to archive filenames of 100 characters or less. However, ufs can handle (I've been testing using touch(1)) filenames up to 255 characters. I tried to modify the following in src/bin/pax/tar.h #define TNMSZ 100 /* size of name field */ to #define TNMSZ 255 /* size of name field */ But it didn't seem to work. Has anyone bumped into this and made a more reliable fix? The issue is that with NFS mounts of directories such as iTunes music directories, there's often longer file names than 100 characters. So doing backups or transporting the files is slightly difficult. Thanks. I'm using 3.7-STABLE. - Eric
Re: C++ exceptions with OpenBSD 3.6 on amd64
On Oct 21, 2005, at 2:16 PM, Sebastian Cufre wrote: Well, the problem is that with OpenBSD 3.7 other things don't work (php4-xslt makes apache crash when used), and OpenBSD 3.8 is not yet released officially. And if you'd pre-ordered 3.8 then you might have gotten an email like I did today. :-) Now I just need enough revenue from my new company so I can replace all of my servers with real boxes like V20z and X4100. Funny now that I'm no longer an employee of Sun I'll potentially be purchasing more hardware from them than when I was an employee. From: OpenBSD Orders [EMAIL PROTECTED] Subject: Re: OpenBSD Order 2005/9/16-15:32:4-28387 To: [EMAIL PROTECTED] Hi, Your order was shipped today from Milk River, Alberta, Canada via small packet air. Shipping - OpenBSD -Chad
Re: tar(1) problem with long file names.
On Fri, Oct 21, 2005 at 02:07:16PM -0500, eric wrote: It seems that tar(1) is only able to archive filenames of 100 characters or less. However, ufs can handle (I've been testing using touch(1)) filenames up to 255 characters. I tried to modify the following in src/bin/pax/tar.h You can't do anything about it, it's a limitation of the ustar format. One possible approach is to store an extra table of contents in the archive that you will use to restore the file names from their shortened form. In fact, it's what the pkg tools do...
Re: C++ exceptions with OpenBSD 3.6 on amd64
Chad M Stewart wrote: And if you'd pre-ordered 3.8 then you might have gotten an email like I did today. :-) Now I just need enough revenue from my new company so I can replace all of my servers with real boxes like V20z and X4100. Funny now that I'm no longer an employee of Sun I'll potentially be purchasing more hardware from them than when I was an employee. Well, welcome to the self employed world! Just two things for you here! First, your business WILL be successful because you already made the most important decision of all! You picked OpenBSD to run your business with! I did that 7 years ago after doing research for an efficient OS and, most importantly to me then and still now, security. Small businesses have limited resources, and wasting your time trying to have your servers stay stable is not something that will be productive and help you! Many times, small businesses are a one-man game, or just a few friends at best, so all the time you have available needs to be put into making your business work! The last thing you need is spending it doing patches and rebuilds like with Micro$oft, God help me here! (: Now the second thing however, make sure you pick hardware that is fully supported and make your choices wisely. The X4100 is too new and not out yet, nor do we know if it is supported yet. I love the box myself and I most likely will get one to test, but that's only because now I am able, in limits obviously, to get hardware and then put it on the shelf for a year if need be because it doesn't work now. For the V20z, as far as I know, it works well! So, welcome to the big OpenBSD small successful businesses! You already had done the most important work! Pick the right OS to get some most definitely needed good sleep in the months ahead! (: With OpenBSD on your server, you KNOW you can sleep at night when you actually have time to do so when you build your own business! Good luck to you and welcome to OpenBSD! I chose that OS 7 years ago and NEVER looked back!
Daniel PS: Just a wise piece of advice however, make it a policy to keep upgrading to the new OS when they release it as well and don't use the excuse that it works now, so why change it! I suffered this overconfidence stage with release 3.0, where I got bitten, by my own fault I have to admit, by the only bug ever known to OpenBSD, and that Christmas it almost put me out of business! No one else to blame but myself on that one! I had always been too busy doing business work and felt that I could wait a bit more to upgrade my server, and why do it, it works well as it is now! If I can offer one piece of advice, take it from my own stupidity and don't do that one! There are plenty of other ones you will do! (:
Re: Statefull VPN failover a fork from
I'll see if I can cobble some docs together or at least submit an example sasync.conf file. I pre-ordered 3.8, and am _now_ eagerly looking forward to bringing this up. I was not asking the list for a howto, I really had not even heard about this feature. The man page seems pretty straight forward, in fact OBSD's man pages are in general very useable, making howto's in general unnecessary. Theo pointed out that sasync will not yet fail back after a dead peer has been brought back online. This could be a minor problem, i.e only bring failed units back online after hours. So I guess we would use ifstatd to sysctl net.inet.carp.allow=0 and keep the new master pegged until we can actually restart isakmpd. Does that make sense? If the SADB is being propagated around shouldn't we be able to run a tunnel from anyone who has a valid copy of the DB? I guess I have some poking to do, and interesting entries for November's TPS reports. -Original Message- From: Brian A. Seklecki [mailto:[EMAIL PROTECTED] Sent: Friday, October 21, 2005 06:22 PM To: [EMAIL PROTECTED] Cc: misc@openbsd.org, 'Jason Dixon' Subject: Re: Statefull VPN failover a fork from Re: iptables vs pf More to the point, how to find this info. 1: Go to http://www.openbsd.org/cgi-bin/man.cgi 2: click apropos 3: make sure current is selected 4: query sync 5: click on sasyncd(8) and sasyncd.conf(5) http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386 6: Once intimately familiar with the process, write some Docs and submit them for translation. Also, someone at NYC BSDcon 05 gave a presentation and had slides. Try to find those too. Best of luck. ~BAS On Thu, 20 Oct 2005, [EMAIL PROTECTED] wrote: I have been moving a single Linux FW to a pair of OBSD machines, lured by carp and pfsync. This has been working well in my test environment.
This also led me to vpns running with ISAKMPD, replacing a Freeswan box, and forestalling purchasing proprietary products for site to site partner vpns. THE POINT: Where will I find docs that explains how this is done Oh, and when your 3.8 VPNs failover statefully, too. :) ? -Original Message- From: Jason Dixon [mailto:[EMAIL PROTECTED] Sent: Thursday, October 20, 2005 02:07 AM To: 'Edy Purnomo' Cc: misc@openbsd.org Subject: Re: iptables vs pf On Oct 19, 2005, at 6:21 PM, Edy Purnomo wrote: i suggested to my friend to replace his linux box to openbsd. he uses mainly for internet gateway : pf + squid proxy after 2 weeks later he switched it back linux and said : linux much faster to respond the http requests (he had a same configuration on openbsd, pf + squid proxy). is there any program that can prove what he says ? thanks. Three points: 1) No way in hell is iptables faster than PF. 2) His box _may_ pass traffic faster, but this is almost certainly due to the support level of the hardware. Without real information, it's hard to qualify this. 3) Who cares? Why are you worried about what your friend uses? If it works for him, so be it. Rather than trying to bring him over cuz PF is l33t, just make sure you mention how cool it is when your stateful firewalls run 24x7. Oh, and when your 3.8 VPNs failover statefully, too. :) http://www.openbsd.org/goals.html -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Fw: Carp scp loosing connection
Sorry all, a soekris 4801 not rasta, my mistake.
Re: [Fwd: Re: Theo, I am truely sorry. You misunderstood me.]
Daniel A. Ramaley wrote: I submitted the Adaptec 1205 SA to your list. I put it in my OpenBSD 3.7 machine and it just worked. The drive plugged into the 1205 is wd1. I believe these are the relevant dmesg lines: pciide1 at pci0 dev 16 function 0 CMD Technology SiI3112 SATA rev 0x02: DMA pciide1: using irq 10 for native-PCI interrupt pciide1: port 0: device present, speed: 1.5Gb/s wd1 at pciide1 channel 0 drive 0: ST3400832AS wd1: 16-sector PIO, LBA48, 381554MB, 781422768 sectors wd1(pciide1:0:0): using BIOS timings, Ultra-DMA mode 6 Thank you Daniel, that was what I needed to know. Thanks for the submission, too! Got any others? -- (c) 2005 Unscathed Haze via Central Plexus [EMAIL PROTECTED] I am Chaos. I am alive, and I tell you that you are Free. -Eris Big Brother is watching you. Learn to become Invisible. | Your message must be this wide to ride the Internet. |
Re: [Fwd: Re: Theo, I am truely sorry. You misunderstood me.]
frantisek holop wrote: hmm, on Thu, Oct 20, 2005 at 04:01:18PM -0800, Szechuan Death said that This has been a public service announcement, paid for by the Friends of Civilized Vendors economic-action committee. The FCV reminds you; FCV also stands for Fuck Closed Vendors! ;- and fuck closed www ports for half of the world. Wazzat? Please, Szechuan, I want to host the store? That's what it sounded like. Let me know the second _you_ want to have it on _your_ network, I'll pack it all up and forward it over to you. See, then _you_ can decide which ports and which countries you want to block. A new decoding for FWD just came to me, but in the interests of politeness, I'll forego sharing it with the rest of the class. -- (c) 2005 Unscathed Haze via Central Plexus [EMAIL PROTECTED] I am Chaos. I am alive, and I tell you that you are Free. -Eris Big Brother is watching you. Learn to become Invisible. | Your message must be this wide to ride the Internet. |
Re: tar(1) problem with long file names.
On Fri, Oct 21, 2005 at 02:07:16PM -0500, eric wrote: It seems that tar(1) is only able to archive filenames of 100 characters or less. However, ufs can handle (I've been testing using touch(1)) filenames up to 255 characters. I tried to modify the following in src/bin/pax/tar.h #define TNMSZ 100 /* size of name field */ to #define TNMSZ 255 /* size of name field */ But it didn't seem to work. Has anyone bumped into this and made a more reliable fix? The issue is that with NFS mounts of directories such as iTunes music directories, there's often longer file names than 100 characters. So doing backups or transporting the files is slightly difficult. GNU tar uses a variety of ugly hacks to get around the 100 (original tar) or 255 (ustar) character limit in file and path names. Unfortunately, only gnu tar can correctly extract such archives. If you're willing to live with that restriction, it's in ports. Have fun. :-) -- JF
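The ustar limit discussed in this thread, as an added example (not code from pax or from any poster): a minimal header writer and reader showing that the name field sits at a fixed offset in a 512-byte block, so a longer name only fits if it can be split at a "/" into the prefix field. The 155-byte prefix size and the field offsets are taken from the POSIX ustar layout rather than from the thread, and the sample paths are constructed.

```python
"""ustar header layout: why raising TNMSZ cannot lift the file name limit."""
import tarfile

BLOCK = 512
NAME_SIZE = 100      # TNMSZ in src/bin/pax/tar.h, as quoted in the thread
PREFIX_SIZE = 155    # POSIX ustar prefix field (assumption: not from the thread)
NAME_OFF, CHKSUM_OFF, PREFIX_OFF = 0, 148, 345

# Constructed sample paths.
SHORT = "Music/track.mp3"
DEEP = "/".join(["iTunes Music", "A" * 60, "B" * 60, "C" * 40 + ".mp3"])
LONG_LEAF = "Music/" + "x" * 150 + ".mp3"   # one component longer than 100
UFS_MAX = "y" * 255                          # longest single ufs file name


def split_ustar(path):
    """Return (prefix, name) as bytes, or None if the path cannot be stored."""
    raw = path.encode("utf-8")
    if len(raw) <= NAME_SIZE:
        return b"", raw
    # The only legal split point is a '/' byte: a reader rebuilds
    # prefix + "/" + name, so a single component over 100 bytes never fits.
    for i, byte in enumerate(raw):
        if byte != 0x2F:
            continue
        prefix, name = raw[:i], raw[i + 1:]
        if 1 <= len(prefix) <= PREFIX_SIZE and 1 <= len(name) <= NAME_SIZE:
            return prefix, name
    return None


def _octal(value, width):
    """Zero-padded octal digits plus a trailing NUL, `width` bytes in total."""
    return f"{value:0{width - 1}o}".encode("ascii") + b"\x00"


def build_header(path, size=0, mode=0o644, mtime=0):
    """Build one 512-byte ustar header block for a regular file."""
    parts = split_ustar(path)
    if parts is None:
        raise ValueError("path does not fit the ustar name/prefix fields")
    prefix, name = parts
    fields = [
        (name, NAME_SIZE), (_octal(mode, 8), 8),
        (_octal(0, 8), 8), (_octal(0, 8), 8),          # uid, gid
        (_octal(size, 12), 12), (_octal(mtime, 12), 12),
        (b" " * 8, 8),                                  # chksum placeholder
        (b"0", 1), (b"", 100),                          # typeflag, linkname
        (b"ustar\x00", 6), (b"00", 2),                  # magic, version
        (b"", 32), (b"", 32),                           # uname, gname
        (_octal(0, 8), 8), (_octal(0, 8), 8),           # devmajor, devminor
        (prefix, PREFIX_SIZE), (b"", 12),               # prefix, padding
    ]
    block = bytearray(b"".join(v.ljust(w, b"\x00") for v, w in fields))
    if len(block) != BLOCK:
        raise AssertionError("ustar header must be exactly 512 bytes")
    # Checksum: byte sum of the block with the chksum field read as spaces.
    chksum = f"{sum(block):06o}".encode("ascii") + b"\x00 "
    block[CHKSUM_OFF:CHKSUM_OFF + 8] = chksum
    return bytes(block)


def read_path(block):
    """Rebuild the path the way a ustar reader does: prefix + '/' + name."""
    name = block[NAME_OFF:NAME_OFF + NAME_SIZE].split(b"\x00", 1)[0]
    prefix = block[PREFIX_OFF:PREFIX_OFF + PREFIX_SIZE].split(b"\x00", 1)[0]
    return (prefix + b"/" + name if prefix else name).decode("utf-8")


def stdlib_name(path):
    """Cross-check: let Python's tarfile parse the header we built."""
    info = tarfile.TarInfo.frombuf(build_header(path), "utf-8", "surrogateescape")
    return info.name


def report(paths):
    """Map each path to 'name', 'prefix+name' or 'unrepresentable'."""
    out = {}
    for p in paths:
        parts = split_ustar(p)
        out[p] = ("unrepresentable" if parts is None
                  else "prefix+name" if parts[0] else "name")
    return out


if __name__ == "__main__":
    for path, verdict in report([SHORT, DEEP, LONG_LEAF, UFS_MAX]).items():
        print(f"{len(path):3d} bytes  {verdict:15s}  {path[:40]}")
```

Because a reader finds every field by offset, a tar built with a larger TNMSZ writes blocks that other implementations misparse; a backup job can run a check like `split_ustar` over its file list first to find names that need a different archive format.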
Re: [Fwd: Re: Theo, I am truely sorry. You misunderstood me.]
On 10/21/05, Szechuan Death [EMAIL PROTECTED] wrote: frantisek holop wrote: hmm, on Thu, Oct 20, 2005 at 04:01:18PM -0800, Szechuan Death said that This has been a public service announcement, paid for by the Friends of Civilized Vendors economic-action committee. The FCV reminds you; FCV also stands for Fuck Closed Vendors! ;- and fuck closed www ports for half of the world. Wazzat? Please, Szechuan, I want to host the store? That's what it sounded like. Let me know the second _you_ want to have it on _your_ network, I'll pack it all up and forward it over to you. See, then _you_ can decide which ports and which countries you want to block. A new decoding for FWD just came to me, but in the interests of politeness, I'll forego sharing it with the rest of the class. hehehe, I think the subject line is way overdue for a change on this thread. ;-)
ipmi(4)
Folks who keep track of cvs changes might have noticed a barrage of commits regarding ipmi(4). The driver is functionally complete but needs wide testing on both amd64 and i386 architectures. Jordan Hargrave (jordan@) wrote most of the code. Let's talk a bit about ipmi(4).

What is it anyway?

The ipmi term Intelligent Platform Management refers to autonomous monitoring and recovery features implemented directly in platform management hardware and firmware. The key characteristics of Intelligent Platform Management is that inventory, monitoring, logging, and recovery control functions are available independent of the main processor, BIOS, and operating system. (much more in ipmi(4)!)

If your box supports IPMI you'll see a similar line in dmesg.

ipmi0 at mainbus0: version 1.0 interface SMIC iobase 0xecf4/3 spacing 1

Great, now how does that help me?

The driver retrieves ipmi readings and publishes them via the sysctl interface. Here is the output of a Dell PowerEdge 2650:

# sysctl hw.sensors
hw.sensors.0=ipmi0, ESM Frt I/O Temp, OK, temp, 24.00 degC / 75.20 degF
hw.sensors.1=ipmi0, ESM Riser Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.2=ipmi0, ESM CPU 1 Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.3=ipmi0, ESM MB Bat Volt, OK, volts_dc, 3.18 V
hw.sensors.4=ipmi0, ESM 3.3 FP Volt, OK, volts_dc, 3.23 V
hw.sensors.5=ipmi0, ESM MB 3.3 Volt, OK, volts_dc, 3.27 V
hw.sensors.6=ipmi0, ESM MB 5 Volt, OK, volts_dc, 4.99 V
hw.sensors.7=ipmi0, ESM CPU Volt, OK, volts_dc, 1.47 V
hw.sensors.8=ipmi0, ESM MB +12 Volt, OK, volts_dc, 11.90 V
hw.sensors.9=ipmi0, ESM MB -12 Volt, OK, volts_dc, -11.97 V
hw.sensors.10=ipmi0, ESM MB 2.5 Volt, OK, volts_dc, 2.52 V
hw.sensors.11=ipmi0, ESM GB0 2.5 Volt, OK, volts_dc, 2.56 V
hw.sensors.12=ipmi0, ESM GB1 2.5 Volt, OK, volts_dc, 2.56 V
hw.sensors.13=ipmi0, ESM 5 AUX Volt, OK, volts_dc, 5.11 V
hw.sensors.14=ipmi0, ESM ROMB PK Volt, OK, volts_dc, 3.96 V
hw.sensors.15=ipmi0, ESM GB0 1.2 Volt, OK, volts_dc, 1.21 V
hw.sensors.16=ipmi0, ESM GB1 1.2 Volt, OK, volts_dc, 1.22 V
hw.sensors.17=ipmi0, ESM VTT Volt, OK, volts_dc, 1.27 V
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, OK, fanrpm, 4740 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 4800 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7500 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM
hw.sensors.23=ipmi0, Power Supply - 1, OK, indicator, On
hw.sensors.24=ipmi0, Power Supply - 2, CRITICAL, indicator, Off
hw.sensors.25=ipmi0, Cover Intrusion, OK, indicator, Off
hw.sensors.26=ipmi0, Bezel Intrusion, OK, indicator, Off
hw.sensors.27=safte0, temp0, OK, temp, 22.78 degC / 73.00 degF
hw.sensors.28=safte0, temp1, OK, temp, 24.44 degC / 76.00 degF

Lots of stuff! In the list you'll find core voltage measurements, fan speeds, power supply readings etc. As you can see I do not have a 2nd power supply in this box.

Nifty, now let's open up the chassis and see what happens.

hw.sensors.25=ipmi0, Cover Intrusion, CRITICAL, indicator, On

As you can see the Cover Intrusion went to critical. Now let's pull a fan.

hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7380 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Fan1 went critical but also the speed of Fan2 went up to compensate. Let's pull another fan.

hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7200 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Now let's stick them back in.

hw.sensors.18=ipmi0, ESM MB Fan1 RPM, OK, fanrpm, 4740 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 4800 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7320 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Ah look at that, both fans are happy again and Fan2 slowed down. Let's put the cover back on.

hw.sensors.25=ipmi0, Cover Intrusion, OK, indicator, Off

And the box is all happy again. Combine this with sensorsd(8) and you can have email, pagers, sirens, fog horns and other alerting mechanisms go off.

What's next?

We'll continue to add sensor types that make sense to report. Another thing that needs to happen is the reporting of threshold values and a mechanism to change these values. All that is in the future though.

Cool, what can I do?

Test! We need wide testing on systems that have IPMI. I bet there has to be some tuning to work around timing differences between platforms. The current code was tested on Intel, Dell and Sun boards. dmesg of
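Added example (not part of the original post, and not OpenBSD code): a small sh/awk filter over the comma-separated sysctl hw.sensors format shown in the post above, reporting only sensors whose status is not OK, such as a pulled fan or a cover intrusion. The function names are hypothetical and the sample input is constructed from lines in the post; sensorsd(8), which the post mentions, remains the system's own alerting mechanism.

```shell
#!/bin/sh
# Added example: reduce `sysctl hw.sensors` output (the format shown in
# the post) to the sensors whose status field is not OK.

# Constructed sample: lines taken from the post, mixing OK and CRITICAL.
sample_sensors() {
cat <<'EOF'
hw.sensors.2=ipmi0, ESM CPU 1 Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.24=ipmi0, Power Supply - 2, CRITICAL, indicator, Off
hw.sensors.25=ipmi0, Cover Intrusion, CRITICAL, indicator, On
hw.sensors.27=safte0, temp0, OK, temp, 22.78 degC / 73.00 degF
EOF
}

# Reads sensor lines on stdin and prints "device|description|status|value"
# for every non-OK sensor. Status, type and value are counted from the
# right so a comma inside the description does not shift the columns.
sensor_alerts() {
    awk -F', ' '
    /^hw\.sensors\.[0-9]+=/ && NF >= 5 {
        split($1, head, "=")            # head[2] is the device, e.g. ipmi0
        status = $(NF-2); value = $NF
        desc = $2
        for (i = 3; i <= NF-3; i++) desc = desc ", " $i
        if (status != "OK")
            printf "%s|%s|%s|%s\n", head[2], desc, status, value
    }'
}

# Exit status for cron or monitoring: 0 when every sensor reads OK.
sensors_healthy() {
    [ -z "$(sensor_alerts)" ]
}

# On a live system: sysctl hw.sensors | sensor_alerts
sample_sensors | sensor_alerts
```

A physical-tamper signal such as Cover Intrusion arrives through the same status column as a failed fan, so one filter covers both hardware health and chassis-open events.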
OpenBSD MetaStore: Distributed hosting?
Okay, [EMAIL PROTECTED] Having heard the whining about my apparently unpopular policy WRT netblocks in certain filthy, spammer-ridden Third World shitholes that should be nuked from orbit to protect the Internet from their miserable spams, SSH scans, and generally bogus traffic, and after searching my soul to determine that a) yes, I would like the OpenBSD Metastore to be visible to these unwashed masses even if they do harbor poorly-socialized wankers who abuse their (and my) bandwidth, and that b) no, I am not going to change my policy about which netblocks I accept traffic from, I have decided that a compromise may be in order. I'm in the process of registering a domain name for this little project. With a little judicious DNS cooking, the use of my much-maligned cb netblock script, and a little secret sauce, it will be possible to RR this and distribute the hosting with preferences established by country (from TW, the site will go to the Taiwanese hosted version, etc.), meaning that the only issue is finding other people to host mirrors of it. The problem is going to be synchronization of the database; I'm working on that. While kit updates will be centralized and pushed out, dealing with comments is going to be, uh, interesting. I may deal with that by simply refusing to do so, making comments local-only. Any suggestions about the best way to deal with that are welcome. ;- This has the side-effect of making localization somewhat easier, for those who want to track prices locally and/or make descriptions available in the local language. What about it? Anybody out there want to host a copy of this? You, Mr. Holop, since you've been the most vocal so far? How about Rod Lips Wankworth or whatever your name is? Any other detractors willing to donate some bandwidth? 
Since there are no single big pipes stepping up to the plate, it seems to me that something similar can be synthesized from a large number of small pipes, and that this may in fact be a superior solution. Reply to misc@, if you're from one of the Forgotten Lands I won't see it for the obvious reason. It'll take me a little while to figure out the best way to set this up in any event, so it's not going to be instant (give me a week or so to get my shit together and my code worked out). -- (c) 2005 Unscathed Haze via Central Plexus [EMAIL PROTECTED] I am Chaos. I am alive, and I tell you that you are Free. -Eris Big Brother is watching you. Learn to become Invisible. | Your message must be this wide to ride the Internet. |
Re: ipmi(4)
On Oct 21, 2005, at 7:09 PM, Marco Peereboom wrote:

If your box supports IPMI you'll see a similar line in dmesg.

ipmi0 at mainbus0: version 1.0 interface SMIC iobase 0xecf4/3 spacing 1

Great, now how does that help me? The driver retrieves ipmi readings and publishes them via the sysctl interface. Here is the output of a Dell PowerEdge 2650:

# sysctl hw.sensors
hw.sensors.0=ipmi0, ESM Frt I/O Temp, OK, temp, 24.00 degC / 75.20 degF
hw.sensors.1=ipmi0, ESM Riser Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.2=ipmi0, ESM CPU 1 Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.3=ipmi0, ESM MB Bat Volt, OK, volts_dc, 3.18 V

This is what makes OpenBSD so great. Have you ever had the displeasure of working with Dell's IPMI support for Linux? OpenBSD's IPMI support appears to be trivially simple to work with. I'm already looking forward to 3.9. :) Thank you!!!

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: OpenBSD MetaStore: Distributed hosting?
On Fri, 2005-10-21 at 16:57:18 -0800, Szechuan Death proclaimed... Okay, [EMAIL PROTECTED] Having heard the whining about my apparently unpopular policy WRT netblocks in certain filthy, spammer-ridden Third World shitholes that should be nuked from orbit to protect the Internet from their miserable spams, SSH scans, and generally bogus traffic, Ah, but to someone else, it's not bogus traffic. To someone else, compromising weak passwords is earning them a living. [snipped 58 other lines of bullshit]
Re: memtest86
On Friday 21 October 2005 18:07, Gareth Nelson wrote: Hi Any ideas on if this can be loaded by the OpenBSD bootloader or if it's possible to run a memory test in a booted system? (redirected to misc@ where it belongs) Sure, it's possible, but why would you want to? Get the CD version of memtest and let it run on its own. If you suspect a system of bad ram let it run at least 24 hours. --STeve Andre'
Re: OpenBSD MetaStore: Distributed hosting?
Jason Dixon wrote: snip self-serving vitriol Good luck with that MetaStore thing. I'm sure it's going to be a huge success. Thank you, although the goal is not that it be a success for me, but rather that it will provide useful information to OpenBSD users and assistance to the OpenBSD development team in negotiating with vendors. I wish you luck in your endeavors as well. Again, if you would like to provide any information about hardware that can be purchased new, or suggestions about the design, feel free to submit them to me or post them via the Web form. Have a nice day! -- (c) 2005 Unscathed Haze via Central Plexus [EMAIL PROTECTED] I am Chaos. I am alive, and I tell you that you are Free. -Eris Big Brother is watching you. Learn to become Invisible. | Your message must be this wide to ride the Internet. |