Problems with static vpn

2005-11-03 Thread Andreas Krummrich
Hello,

my OpenBSD 3.7 box at home establishes a static pptp connection to my
company's vpn server.
From any client at home, I can ping any server in the company. But I
can't ping any client at home from the company.
I have to ping a client at work from any client at home in order to
access my clients at home from the company.
PF is not enabled on the box. It seems that the vpn is static for
clients from outside, my home net.

Can anyone help? Perhaps it is just a missing parameter in the config
file?!?

Thanks in advance!

Kind regards,
Andreas



OPENVPN - openssl question

2005-11-03 Thread man Chan
hello,

For the past week, I have been trying to get information to
set up a secure way for my obsd(3.8) AP --- XP.  I
found the following document:

http://www50.brinkster.com/dachee/OpenVPN.htm

Has anyone tried this out successfully? I was
stopped at the OpenSSL CA Certificates.  The error
is like this

===
openssl req -new -x509 -keyout private/CA_key.pem -out CA_cert.pem -days 9125
Error Loading extension section CA_extensions
12446:error:2207C082:X509 V3 routines:DO_EXT_CONF:unknown extension name:/usr/src/lib/libssl/src/crypto/x509v3/v3_conf.c:123:
12446:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:/usr/src/lib/libssl/src/crypto/x509v3/v3_conf.c:92:name=default_days, value=9125


The openssl.cnf is 

---

[ ca ]
# Default directives for ca command

default_ca=CA_default
# reference to a new section name

[ CA_default ]

# Default directives for the ca command
# referred from [ ca ] section

dir   =/etc/ssl
# openssl working directory

crl_dir   =$dir/crl
# directory for certificate revoke file

database  =$dir/index.txt
# index file for every issued certificate

new_certs_dir =$dir/certs
# where copies of each certificate is stored.
# each copy is identified as nn.pem
# nn corresponds with the index number in index.txt

certificate   =$dir/CA_cert.pem
# Name of the Certificate Authority's Certificate
# File is used in signing or revoking a certificate

serial=$dir/serial
# The serial number to use for the next certificate
# Same as 'serialfile' option and serials text.

crl   =$dir/crl/crl.pem
# File that contains the list of revoked certificates.

private_key   =$dir/private/CA_key.pem
# Private key of the Certificate Authority

RANDFILE  =$dir/private/.rand
# Private random number file

default_days  =9125
# Days a signed cert is valid

default_crl_days  =30
# Days before the next certificate revocation list

default_md=md5
# Message digest algorithm- md5, sha1 or mdc2

unique_subject=yes
# All certificates must have a unique, distinguished name

policy=policy_any
# Reference section for policy enforced when signing a request

x509_extensions   =user_extensions
# reference section when ca command signs certificate

[ policy_any ]
# Default directives while signing a request
# Referenced from [ CA_default ] section

organizationName=match
# organizationName must match CA_cert

organizationalUnitName  =optional
# certificate does not have to have organizationalUnitName

commonName  =supplied
# certificate must have commonName but is supplied by user

[ req ]
# Default directives for the req command
# (Public Key is contained in the certificate request)

default_bits=2048

default_keyfile =privkey.pem
# default key file location but -keyout command overrides

distinguished_name  =req_distinguished_name
# Reference section for assembling the distinguished name

x509_extensions =CA_extensions
# Reference section when req -x509 commands are invoked

[ req_distinguished_name ]
# Default directives for the req command
# referenced from [ req ] section
# Presents user prompts to assemble the distinguished name

organizationName=Organization Name (must match CA)

organizationName_default=ORGNAME
# REPLACE VALUE AS PROMPT DEFAULT FOR YOUR ORG

organizationalUnitName  =Location Name

commonName  =Common User or Org Name

# These two values above can be changed but not required.
# their values will appear as prompts when creating certs/keys.
# Max characters in common name.

commonName_max  =64

[ user_extensions ]
# default directives when ca command signs a certificate
# referenced from [ CA_default ]

basicConstraints=CA:FALSE
# The certificate is not allowed to sign other objects

[ CA_extensions ]
# default directives for req -x509 command
# referenced from [ req ] section
# added extensions when request creates self signed certificate

basicConstraints=CA:TRUE
# Certificate is allowed to sign other new certificates.

default_days  =9125
# Days a self sign cert is valid.  If not used, the default
# of 30 days may be applied and VPN clients will not be able
# to connect after it expires.

[ server ]
# Optional directives for ca -extensions server commands
# Overrides [ user_extensions ] section normally referenced
# by the ca command alone.
basicConstraints=CA:FALSE

nsCertType  =server
# signing a server certificate requires this extension to
# prevent man in the middle attacks.  Allows OpenVPN clients
# to use ns-cert-type server in OpenVPN configuration file.

---

Thanks 

clarence
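The error clarence pasted already names the offending key: default_days is not an X509v3 extension name, yet it sits in [ CA_extensions ], which [ req ] loads as its x509_extensions section for req -x509, and OpenSSL treats every key in such a section as an extension. The following check is an added example, not part of the post and not OpenSSL's own code: it parses openssl.cnf-style text, follows the x509_extensions references from [ req ] and from the default_ca section, and reports keys in those sections that are not extension names. The extension-name list and the shortened sample config are assumptions constructed for the example.

```python
"""Flag keys that are not X509v3 extension names inside the sections an
openssl.cnf designates as x509_extensions (the cause of the posted error)."""
import configparser

# Extension names OpenSSL's x509v3 code accepts in such sections. This is a
# commonly used subset assumed by the example, not a list taken from the post.
KNOWN_EXTENSIONS = {
    "basicConstraints", "keyUsage", "extendedKeyUsage",
    "subjectKeyIdentifier", "authorityKeyIdentifier",
    "subjectAltName", "issuerAltName", "crlDistributionPoints",
    "certificatePolicies", "nsCertType", "nsComment",
}

# Constructed sample: the parts of the posted openssl.cnf that matter here.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
default_days = 9125
x509_extensions = user_extensions

[ req ]
default_bits = 2048
x509_extensions = CA_extensions

[ user_extensions ]
basicConstraints = CA:FALSE

[ CA_extensions ]
basicConstraints = CA:TRUE
default_days = 9125
"""


def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}.
    Keys are case-sensitive in openssl.cnf, so optionxform is disabled."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name.strip(): dict(cp[name]) for name in cp.sections()}


def extension_sections(cnf):
    """Sections loaded as extension sections: the x509_extensions of [req]
    (used by req -x509) and of the section [ca] names via default_ca."""
    refs = set()
    req_ext = cnf.get("req", {}).get("x509_extensions")
    if req_ext:
        refs.add(req_ext.strip())
    ca_section = cnf.get("ca", {}).get("default_ca", "").strip()
    ca_ext = cnf.get(ca_section, {}).get("x509_extensions")
    if ca_ext:
        refs.add(ca_ext.strip())
    return refs


def find_bad_extension_keys(text):
    """Return (section, key) pairs for keys that OpenSSL would reject with
    'unknown extension name' when it loads that section."""
    cnf = parse_cnf(text)
    bad = []
    for section in sorted(extension_sections(cnf)):
        for key in cnf.get(section, {}):
            if key not in KNOWN_EXTENSIONS:
                bad.append((section, key))
    return bad


def remove_bad_keys(text):
    """Return the config text with the offending key lines dropped; keys with
    the same name in non-extension sections (default_days under
    [ CA_default ], where the ca command reads it) are left untouched."""
    bad = set(find_bad_extension_keys(text))
    out, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip()
        elif "=" in s and not s.startswith("#"):
            key = s.split("=", 1)[0].strip()
            if (section, key) in bad:
                continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(find_bad_extension_keys(SAMPLE_CNF))  # [('CA_extensions', 'default_days')]
    print(remove_bad_keys(SAMPLE_CNF))
```

Run against the posted layout the check flags exactly ("CA_extensions", "default_days"); the -days 9125 on the req command line already sets the self-signed certificate's validity, so the line has no job in that section.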


Ralink 802.11g PCI wireless cards

2005-11-03 Thread Andy Hayward
In case anyone from .uk is interested, www.scan.co.uk are currently
selling a couple of Ralink RT2560 based 802.11g wireless cards
(supported under OpenBSD by ral(4)):

  Edimax EW-7128G 54Mbps Wireless PCI Card
  (http://www.scan.co.uk/Products/ProductInfo.asp?WebProductID=152539)

  Gigabyte GN WPKG - Wireless PCI Card Ralink 64/128Web Roaming
  (http://www.scan.co.uk/Products/ProductInfo.asp?WebProductID=219714)

The Edimax card is slightly cheaper and has a remote antenna with
about a metre of lead, but otherwise they're identical. :)

ach
--
This message may contain mild peril.



Re: PPTP in 3.7

2005-11-03 Thread Steve Murdoch

/usr/ports/net/poptop works excellently.

pf needs to allow protocol 47 and tcp 1723, plus it needs to allow traffic 
for the specific tunnels created (tun0, tun1, etc.).


Generally the client will determine whether to use the created link as 
the default route. If using Windows, check the TCP/IP properties and 
advanced tab to deselect it as the default route.

Logical One wrote:


I am trying to find some current documentation or pointers on how to setup a
PPTP connection from my OpenBSD 3.7 firewall to my work VPN running PPTP.
I've seen quite a few things, but most are outdated or conflicting in the
instructions they give.  I have seen some references to the kernel
supporting this functionality natively while other say that recompiling the
kernel is necessary and still others say a third party program is needed.  I
am just looking for somewhere to start that has current information or maybe
even a copy of the configs from someone who has set this up before.  I'd
also like to find information on what settings are needed in pf if a PPTP
connection is used, but the networks is bridges are using the same
addressing scheme.  I also need to know how to configure the router
(OpenBSD) to pass traffic to certain addresses out the VPN connection,
others back into the LAN, and the rest out my cable connection.  I need to
know how to configure the VPN so that it is not my default gateway out since
my home connection is much faster than the T1 at my office where the VPN
connects.

Thanks for any pointers, hints, advice, configs or whatever else anyone has
to contribute and I'm sorry for being a bother, but while the information is
out there, I have been unable to find what is relevant to my config.

Thanks,
Logical_1
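Steve's two pf requirements in rule form, as an added example that is neither from the post nor from poptop: it assumes a 3.7-era pf.conf on the OpenBSD box running the PPTP server, a hypothetical external interface macro $ext_if, and that poptop brings up one tunN interface per client.

```pf
# Added example (not from the post): pf.conf fragment for a poptop PPTP
# server on an OpenBSD 3.7 box. "fxp0" is a hypothetical interface name.
ext_if = "fxp0"

# PPTP control connection: TCP port 1723 to this host
pass in on $ext_if proto tcp from any to ($ext_if) port 1723 flags S/SA keep state

# PPTP data channel: GRE, IP protocol 47, in both directions
pass in  on $ext_if proto gre from any to ($ext_if)
pass out on $ext_if proto gre from ($ext_if) to any

# Traffic inside the tunnels poptop creates (one tunN per connected client);
# tighten these to the addresses actually used once the tunnel is up
pass on tun0
pass on tun1
```

With "block" as the default policy, the GRE rules are what most people forget: the TCP 1723 session comes up, authentication succeeds, and then no packets flow because protocol 47 never passed.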




USB ralink vs. PCMCIA ralink

2005-11-03 Thread Lars Hansson
I have a hard time making up my mind which is better:
a USB ralink wireless (Surecom EP-9001G) or a PCMCIA ralink
wireless (Surecom EP-9428G).
According to man ral they're both supported, so this question isn't about
different chipsets but about what bus type is preferable: USB or PCMCIA.
Or if the Surecom USB (or PCMCIA) sucks and is crap, please let me know.

---
Lars Hansson



Re: perl interface to pf?

2005-11-03 Thread Jesper Louis Andersen

John N. Brahy wrote:
Is there a perl interface to pf? 


No, and it would be totally insane to build one. PF is not a low-level 
assembly language for expressing ioctl(2) calls. It is an LALR(1) 
grammar for specifying firewall policies. Because of its high 
abstraction level compared to said assembly languages, chances are you 
do not need perl(1) at all for anything.


Hopefully, this shuts up the thread.



Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf

2005-11-03 Thread Jesper Louis Andersen

per engelbrecht wrote:

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 
'no synchronization' option for this connection. Do I need it at all.
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?


Using your own AS as a remote ASN will, per definition, make your BGP 
session into an internal BGP session. In the Ciscoeee world, no 
synchronization means to begin announcing your networks before higher 
priority network protocols are up and stabilized. Without it you will wait 
for OSPF/IS-IS to stabilize first (for OSPF, there is a certain state in 
its state machine it has to reach for all broadcast clouds etc).


However, in modern BGP setups, you screw OSPF/IS-IS royally and ignore 
the stabilization. This is viable, since you ``nail down'' your networks 
as CIDR aggregates (to minimize the number of BGP prefixes you announce) 
and give a heck about internal reachability.


Oh, and while we are at Zebra: It's crap, kill it as soon as possible or 
install quagga. Case in point:


mirah% pwd
/usr/ports/net/zebra/w-zebra-0.93ap3/zebra-0.93a/ospfd
mirah% grep OSPF_LSA_HEADER ospf_lsa.c
  ospf_output_forward (s, OSPF_LSA_HEADER_SIZE);
  assert (l1->data->length > OSPF_LSA_HEADER_SIZE);
  if (memcmp (p1 + OSPF_LSA_HEADER_SIZE, p2 + OSPF_LSA_HEADER_SIZE,
  ntohs( l1->data->length ) - OSPF_LSA_HEADER_SIZE) != 0)
mirah%

Let's see... On the last line, we have identified that l1->data->length 
is in network byte order. But in the assert 2 lines up, we do _not_ have 
a ntohs() call.


This took a medium sized ISP down in Denmark because Zebra suddenly died 
due to the fact, that certain packets, if certain size, will be caught 
by the assertion and ospfd gets to say hello to the kernel thread known 
as reaper man.


Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and 
internal intfaces in area 0.0.0.1 (and from ospfd.conf)

[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF 
play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS

A: ?


It will push directly connected routes into OSPF. That is, if the 
machine has a network to which it has a direct connection in the routing 
table, then the rest of your OSPF speakers will learn that this network 
is reachable by going through this router.


redistribute ospf in Ciscoee in the BGP section of the router 
configuration tells the IOS to take all OSPF learned routes and push 
them into BGP. This can be extremely dangerous to do, depending on the 
configuration.


Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and so 
does OSPF (updates). That's 3 times redistributing of routes between 
different protocols and with 3 different administrative distances but 
still in/from the same table. Since directly connected (0) or static (1) 
connections are superior to e.g. eBGP (20) and OSPF (110) then should or 
shouldn't /etc/mygate be removed from a BGP router before putting it 
into production. Will it/can it mock the routing decision despite 
'weight' in bgpd.conf due to the lower distance.

A: ?


A more specific route will always match.

Normally, you do not need to redistribute routes between the protocols 
at all, considering all of your routers are running BGP as well as OSPF. 
BGP will then handle prefixes for external networks and OSPF will handle 
prefixes for internal ones. In the case both BGP and OSPF have the route, 
BGP wins -- but note the note about specific matches ;)

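To see why the missing ntohs() only bites for "certain sizes", here is an added example (not from the post and not Zebra's code) that models the two comparisons in Python: the LSA header is 20 bytes with the 16-bit length field at offset 18 in network byte order, OSPF_LSA_HEADER_SIZE is taken as 20, and the "buggy" check reads the field the way an unswapped read on a little-endian i386 would. The header bytes are constructed sample data.

```python
"""Model of the Zebra ospf_lsa.c length assert, with and without ntohs()."""
import struct

# Size of the OSPF LSA header; Zebra/Quagga define OSPF_LSA_HEADER_SIZE as 20
OSPF_LSA_HEADER_SIZE = 20
# Offset of the 16-bit "length" field inside the LSA header (RFC 2328, A.4.1)
LSA_LENGTH_OFFSET = 18


def make_lsa_header(length):
    """Construct a 20-byte LSA header (sample data) whose only populated
    field is the length, stored in network byte order as on the wire."""
    return bytes(LSA_LENGTH_OFFSET) + struct.pack("!H", length)


def lsa_length_check_buggy(header):
    """Mimic the posted assert: read the raw uint16 as a little-endian
    host (i386) would, without ntohs(), and compare against the header size."""
    (length,) = struct.unpack_from("<H", header, LSA_LENGTH_OFFSET)
    return length > OSPF_LSA_HEADER_SIZE


def lsa_length_check_fixed(header):
    """The same check with the byte order converted first (ntohs())."""
    (length,) = struct.unpack_from("!H", header, LSA_LENGTH_OFFSET)
    return length > OSPF_LSA_HEADER_SIZE


def lengths_that_trip_assert():
    """Every on-the-wire LSA length that is valid (> header size) but that the
    unswapped comparison rejects, i.e. the 'certain sizes' that abort ospfd."""
    return [n for n in range(OSPF_LSA_HEADER_SIZE + 1, 0x10000)
            if lsa_length_check_fixed(make_lsa_header(n))
            and not lsa_length_check_buggy(make_lsa_header(n))]


if __name__ == "__main__":
    for n in (24, 64, 256, 512):
        hdr = make_lsa_header(n)
        print(n, "fixed:", lsa_length_check_fixed(hdr),
              "buggy:", lsa_length_check_buggy(hdr))
    print("lengths rejected by the buggy assert:", lengths_that_trip_assert())
```

Swapping the two bytes of a length that is a multiple of 256 leaves a value of at most 20, so exactly the lengths 256, 512, ... 5120 satisfy the real check yet fail the unswapped one; an LSA of any other length passes both, which is why the daemon ran fine until a packet of one of those sizes arrived.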

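A small model of the lookup Jesper describes, as an added example that is not from the post and not how OpenBSD's kernel actually stores routes: the most specific prefix always wins, and only among equal-length prefixes does the Cisco-style administrative distance from the question decide. The table and the addresses are constructed sample data.

```python
"""Model of the routing decision: longest prefix first, distance second."""
import ipaddress

# Cisco-style administrative distances as quoted in the question. OpenBSD's
# kernel table does not carry these; using them as a tie-break is a model.
DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110}


def route(prefix, source, nexthop):
    """Build one table entry (sample data, constructed for the example)."""
    return {"prefix": ipaddress.ip_network(prefix),
            "source": source, "nexthop": nexthop}


# Constructed sample table using documentation prefixes only.
SAMPLE_TABLE = [
    route("0.0.0.0/0", "static", "192.0.2.1"),        # the /etc/mygate default
    route("192.0.2.0/24", "connected", "em0"),
    route("198.51.100.0/24", "ospf", "10.0.0.2"),     # same prefix learned twice
    route("198.51.100.0/24", "ebgp", "192.0.2.254"),
    route("203.0.113.0/24", "ebgp", "192.0.2.254"),
    route("203.0.113.0/25", "ospf", "10.0.0.3"),      # more specific, higher distance
]


def best_route(table, dst):
    """Pick the entry used for dst: the most specific prefix always wins;
    only among equal prefix lengths does the lower distance decide."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r["prefix"]]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r["prefix"].prefixlen, -DISTANCE[r["source"]]))


def default_route_wins_for(table, dsts):
    """Which destinations fall through to the /etc/mygate default, i.e. the
    only case in which that static route influences the decision at all."""
    hits = []
    for d in dsts:
        r = best_route(table, d)
        if r is not None and r["prefix"].prefixlen == 0:
            hits.append(d)
    return hits


if __name__ == "__main__":
    for d in ("203.0.113.5", "203.0.113.200", "198.51.100.7",
              "192.0.2.9", "8.8.8.8"):
        r = best_route(SAMPLE_TABLE, d)
        print(d, "->", r["source"], r["nexthop"], r["prefix"])
```

The /25 from OSPF beats the eBGP /24 for 203.0.113.5 despite its distance of 110, the eBGP entry wins the equal-length tie for 198.51.100.0/24, and the default from /etc/mygate is consulted only for addresses no other prefix covers.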


Re: OPENVPN - openssl question

2005-11-03 Thread man Chan
Is there any difference between openssl 0.9.7d and
openssl 0.9.7g. ? The said http used 0.9.7d but mine
is 0.9.7g.

clarence

--- man Chan [EMAIL PROTECTED] wrote:

 hello,
 
 For the past week, I have been trying to get information to
 set up a secure way for my obsd(3.8) AP --- XP.  I
 found the following document:
 
 http://www50.brinkster.com/dachee/OpenVPN.htm
 
 Has anyone tried this out successfully? I was
 stopped at the OpenSSL CA Certificates.  The error
 is like this
 

===
 openssl req -new -x509 -keyout private/CA_key.pem -out CA_cert.pem -days 9125
 Error Loading extension section CA_extensions
 12446:error:2207C082:X509 V3 routines:DO_EXT_CONF:unknown extension name:/usr/src/lib/libssl/src/crypto/x509v3/v3_conf.c:123:
 12446:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:/usr/src/lib/libssl/src/crypto/x509v3/v3_conf.c:92:name=default_days, value=9125


 
 The openssl.cnf is 
 
 ---
 
 [ ca ]
 # Default directives for ca command
 
 default_ca=CA_default
 # reference to a new section name
 
 [ CA_default ]
 
 # Default directives for the ca command
 # referred from [ ca ] section
  
 dir   =/etc/ssl
 # openssl working directory
 
 crl_dir   =$dir/crl
 # directory for certificate revoke file
 
 database  =$dir/index.txt
 # index file for every issued certificate
 
 new_certs_dir =$dir/certs
 # where copies of each certificate is stored.
 # each copy is identified as nn.pem
 # nn corresponds with the index number in index.txt
  
 certificate   =$dir/CA_cert.pem
 # Name of the Certificate Authority's Certificate
 # File is used in signing or revoking a certificate
 
 serial=$dir/serial
 # The serial number to use for the next certificate
 # Same as 'serialfile' option and serials text. 
 
 crl   =$dir/crl/crl.pem
 # File that contains the list of revoked
 certificates.
  
 private_key   =$dir/private/CA_key.pem
 # Private key of the Certificate Authority
 
 RANDFILE  =$dir/private/.rand
 # Private random number file
 
 default_days  =9125
 # Days a signed cert is valid
 
 default_crl_days  =30
 # Days before the next certificate revocation list
 
 default_md=md5
 # Message digest algorithm- md5, sh1 or mdc2
 
 
 unique_subject=yes
 # All certificates must have a unique, distinguished
 name
 
 
 policy=policy_any
 # Reference section for policy enforced when signing
 a
 request
  
 x509_extensions   =user_extensions
 # reference section when ca command signs
 certificate
 
 [ policy_any ]
 # Default directives while signing a request
 # Referenced from [ CA_default ] section
 
 
 organizationName=match
 # organizationName must match CA_cert
 
 organizationalUnitName  =optional
 # certificate does not have to have
 organizationalUnitName
 
 commonName  =supplied
 
 # certificate must have commonName but is supplied
 by
 user
 
 [ req ]
 # Default directives for the req command
 # (Public Key is contained in the certificate
 request)
 
 default_bits=2048
 
 default_keyfile =privkey.pem
 # default key file location but -keyout command overrides
 
 
 distinguished_name  =req_distinguished_name
 # Reference section for assembling the distinguished
 name
 
 x509_extensions =CA_extensions
 # Reference section when req -x509 commands are invoked
 
 [ req_distinguished_name ]
 # Default directives for the req command
 # referenced from [ req ] section
 # Presents user prompts to assemble the distinguish
 name
 
 organizationName=Organization Name (must
 match
 CA)
 
 organizationName_default=ORGNAME
 # REPLACE VALUE AS PROMPT DEFAULT FOR YOUR ORG
  
 organizationalUnitName  =Location Name
 
 commonName  =Common User or Org Name
 
 # These two values above can be changed but not
 required. 
 # their values will appear as prompts when creating
 certs/keys.
 # Max characters in common name.
 
 commonName_max  =64
 
 [ user_extensions ]
 # default directives when ca command signs a
 certificate
 # referenced from [ CA_default ]
  
 basicConstraints=CA:FALSE
 # The certificate is not allowed to sign other
 objects
 
 [ CA_extensions ]
 # default directives for req -x509 command
 # referenced from [ req ] section
 # added extensions when request creates self signed
 certificate
 
 basicConstraints=CA:TRUE
 # Certificate is allowed to sign other new
 certificates.
 
 default_days  =9125
 # Days a self sign cert is valid.  If not used, the
 default
 # of 30 days may be applied and VPN clients will not
 be able
 # to connect after it expires.
 
 
 [ server ]
 # Optional directives for ca -extensions server commands
 # Overrides [ user_extensions ] section normally
 referenced

Re: perl interface to pf?

2005-11-03 Thread Markus Wernig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jesper Louis Andersen wrote:
 John N. Brahy wrote:
 
 Is there a perl interface to pf? 

 No, and it would be totally insane to build one. 

Well, the only use that came to my mind was a perl daemon running on the
FW that accepts rule updates from a remote client. While that can be
done with other means (ssh, sh scripts), I can imagine that a perl class
for manipulating pf rules would come in handy for that.
/m
iD8DBQFDag3a8BX/d8pVi/cRAlftAKCv+6AfnHbabfPk3NV7ixi7BHsmwQCfQzEa
vR9EvOJvXz6nFqS4r+CD5Jg=
=oCHu
-END PGP SIGNATURE-



Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf

2005-11-03 Thread per engelbrecht

Jesper Louis Andersen wrote:

per engelbrecht wrote:

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find 
a 'no synchronization' option for this connection. Do I need it at all.
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?



Using your own AS as a remote ASN will, per definition, make your BGP 
session into an internal BGP session. In the Ciscoeee world, no 
synchronization means to begin announcing your networks before higher 
priority network protocols are up and stabilized. Without it you will wait 
for OSPF/IS-IS to stabilize first (for OSPF, there is a certain state in 
its state machine it has to reach for all broadcast clouds etc).


Hi jlouis

It was more of a what_can_option_[a-z] from Zebra be put on par with in 
OpenBGPD and/or do I need these options at all (different 
implementation) but thank you for your explanation.




However, in modern BGP setups, you screw OSPF/IS-IS royally and ignore 
the stabilization. This is viable, since you ``nail down'' your networks 
as CIDR aggregates (to minimize the number of BGP prefixes you announce) 
and give a heck about internal reachability.


Screwing IGPs from within EGPs keeps things apart, but they are 
(conceptually, at least in my head) still manipulating the same routing 
table. And yes, of course I only announce our own net.
Returning 120.000+ prefixes (at that time) to an eBGP peer with inferior 
Cisco hw works like magic - the phone rings within minutes .. and 
they're not returning a call :)




Oh, and while we are at Zebra: It's crap, kill it as soon as possible or 
install quagga. Case in point:


.. install quagga ?
Nooope.



mirah% pwd
/usr/ports/net/zebra/w-zebra-0.93ap3/zebra-0.93a/ospfd
mirah% grep OSPF_LSA_HEADER ospf_lsa.c
  ospf_output_forward (s, OSPF_LSA_HEADER_SIZE);
  assert (l1->data->length > OSPF_LSA_HEADER_SIZE);
  if (memcmp (p1 + OSPF_LSA_HEADER_SIZE, p2 + OSPF_LSA_HEADER_SIZE,
  ntohs( l1->data->length ) - OSPF_LSA_HEADER_SIZE) != 0)
mirah%

Let's see... On the last line, we have identified that l1->data->length 
is in network byte order. But in the assert 2 lines up, we do _not_ have 
a ntohs() call.


This took a medium sized ISP down in Denmark because Zebra suddenly died 
due to the fact, that certain packets, if certain size, will be caught 
by the assertion and ospfd gets to say hello to the kernel thread known 
as reaper man.


Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and 
internal intfaces in area 0.0.0.1 (and from ospfd.conf)

[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF 
play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS

A: ?



It will push directly connected routes into OSPF. That is, if the 
machine has a network to which it has a direct connection in the routing 
table, then the rest of your OSPF speakers will learn that this network 
is reachable by going through this router.


Which is also what I want.



redistribute ospf in Ciscoee in the BGP section of the router 
configuration tells the IOS to take all OSPF learned routes and push 
them into BGP. This can be extremely dangerous to do, depending on the 
configuration.


Yes that could easily have disaster written all over it.



Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and 
so does OSPF (updates). That's 3 times redistributing of routes 
between different protocols and with 3 different administrative 
distances but still in/from the same table. Since directly connected 
(0) or static (1) connections are superior to e.g. eBGP (20) and OSPF 
(110) then should or shouldn't /etc/mygate be removed from a BGP 
router before putting it into production. Will it/can it mock the 
routing decision despite 'weight' in bgpd.conf due to the lower distance.

A: ?



A more specific route will always match.

Normally, you do not need to redistribute routes between the protocols 
at all, considering all of your routers are running BGP as well as OSPF. 
BGP will then handle prefixes for external networks and OSPF will handle 
prefixes for internal ones. In the case both BGP and OSPF have the route, 
BGP wins -- but note the note about specific matches ;)


Thank you for joining in jlouis.

/per
[EMAIL PROTECTED]



Re: USB ralink vs. PCMCIA ralink

2005-11-03 Thread damien . bergamini
You should prefer the PCMCIA one.
The RT2500USB chipset has poor support for per-node tx rate
adaptation and is thus a bad choice for hostap mode.

Damien

| I have a hard time making up my mind which is better:
| a USB ralink wireless (Surecom EP-9001G) or a PCMCIA ralink
| wireless (Surecom EP-9428G).
| According to man ral they're both supported, so this question isn't about
| different chipsets but about what bus type is preferable: USB or PCMCIA.
| Or if the Surecom USB (or PCMCIA) sucks and is crap, please let me know.
|
| ---
| Lars Hansson



Re: perl interface to pf?

2005-11-03 Thread Chad M Stewart

On Nov 3, 2005, at 8:17 AM, Markus Wernig wrote:

Well, the only use that came to my mind was a perl daemon running on the
FW that accepts rule updates from a remote client. While that can be
done with other means (ssh, sh scripts), I can imagine that a perl class
for manipulating pf rules would come in handy for that.
/m



Putting something listening on the network means now you've got to do  
encryption, authentication, verification, etc..  Seems like a lot of  
work for potentially not a lot of gain, at least IMO.  I'd rather  
rely on ssh, keys, sudo, and scripts to do it.


-Chad



3.8 -- svnserve on inet6 only

2005-11-03 Thread Dominique Jacquel

Hi,

I have just installed 3.8 from the CD :-) and FTPed all packages from 
ftp.kd85.com. It all went well but I am having a strange problem with 
subversion. svnserve does not seem to bind to inet but only to inet6.


I do a simple
sudo svnserve -d -r /my/repos
netstat -a -n -f inet | grep :3960
nothing
netstat -a -n -f inet6 | grep :3960
tcp6   0  0  *.3690 *.*LISTEN

I can confirm that

telnet 127.0.0.1 3690
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

telnet ::1 3690
Trying ::1...
Connected to ::1.
Escape character is '^]'.
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )

I am running 3.7 and 3.8 inside Vmware and this problem only appears in 
3.8. Under 3.7, svnserve is quite happy to respond through IPv4. Have I 
missed something here? How do I force svnserve to use IPv4 as well 
as/instead of IPv6?


help would be appreciated :-)
Thanks.

Dom.



OpenBSD Metastore

2005-11-03 Thread Jared Solomon
http://www.linuxdevices.com/news/NS8464432110.html

This looks like something cool to add.

The AOpen MiniPC measures 6.5 x 6.5 x 2 inches, is powered by an
Intel Pentium M or Celeron M processor

--
The only way to keep your health is to eat what you don't want, drink
what you don't like, and do what you'd rather not.
- Mark Twain



smartmontools (smartd) kills system

2005-11-03 Thread per engelbrecht

Hi all

[20051019 snap i386]

Running smartd on a SCSI/U320 based single-disk system kills the system 
at once! - dmesg further down.


(sysctl hw.disknames=sd0,cd0,fd0)

Snip of /etc/smartd.conf
[...]
#DEVICESCAN
/dev/sd0c
/dev/sd0c -m [EMAIL PROTECTED] -M test
/dev/sd0c -d scsi -H -l error -l selftest -t -m [EMAIL PROTECTED]
/dev/sd0c -d scsi -s L/../../7/01 -m [EMAIL PROTECTED]
[...]

I can run:
smartctl -i /dev/sd0c

   Device: SEAGATE ST336607LW Version: 0007
   Serial number: 3JA6X87D7426SUX6
   Device type: disk
   Transport protocol: Parallel SCSI (SPI-4)
   Local Time is: Thu Nov 3 15:07:14 2005 CEST
   Device supports SMART and is Enabled
   Temperature Warning Enabled

smartctl -r scsiioctl /dev/sd0c

   [inquriy: 12 00 00 00 24 00 ] status=0
   Incoming data, len=36:
   00   00 00 03 12 8b 00 01 3e   53 45 41 47 41 54 45 20
   10   53 54 33 33 36 36 30 37   4c 57 20 20 20 20 20 20
   20   30 30 30 37



I can not run:
smartctl -a /dev/sd0c

   *crash*

smartctl -l selftest /dev/sd0c

   Device does not support Self Test logging
   ( and then locks up hard).


Have added entries in syslog.conf and newsyslog.conf but the logfile is 
of course empty since the (damn) tool kills the server.




Anybody with a clue (any) ?
TIA



Kernel have these changes:
maxusers   64
option DUMMY_NOPS
(that's it)



dmesg:
OpenBSD 3.8-current (BGP) #1: Thu Oct 20 18:06:54 CEST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/BGP
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID

real mem  = 3220807680 (3145320K)
avail mem = 2931445760 (2862740K)
using 4278 buffers containing 161144832 bytes (157368K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/18/03, BIOS32 rev. 0 @ 0xf0010
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3000/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801CA LPC rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x8e00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7501 MCH Host rev 0x01
ppb0 at pci0 dev 2 function 0 Intel E7500 MCH rev 0x01
pci1 at ppb0 bus 1
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 28 function 0 not configured
ppb1 at pci1 dev 29 function 0 Intel 82870P2 PCI-PCI rev 0x04
pci2 at ppb1 bus 2
em0 at pci2 dev 1 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:bb:29:fa
em1 at pci2 dev 1 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:bb:29:fb
em2 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:bb:27:94
em3 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:bb:27:95

ahd0 at pci2 dev 3 function 0 Adaptec AIC-7902B U320 rev 0x10: irq 10
aic7902: U320 Wide Channel A, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus0 at ahd0: 16 targets
ahd1 at pci2 dev 3 function 1 Adaptec AIC-7902B U320 rev 0x10: irq 10
aic7902: U320 Wide Channel B, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus1 at ahd1: 16 targets
sd0 at scsibus1 targ 0 lun 0: SEAGATE, ST336607LW, 0007 SCSI3 0/direct 
fixed

sd0: 35003MB, 49855 cyl, 2 head, 718 sec, 512 bytes/sec, 71687372 sec total
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 30 function 0 not configured
ppb2 at pci1 dev 31 function 0 Intel 82870P2 PCI-PCI rev 0x04
pci3 at ppb2 bus 3
em4 at pci3 dev 1 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 
10, address 00:30:48:70:d7:30
em5 at pci3 dev 2 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 
10, address 00:30:48:70:d7:31

ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x42
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801CA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801CA IDE rev 0x02: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: LITEON, CD-ROM LTN526, YH0X SCSI0 
5/cdrom removable

cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
Intel 82801CA/CAM SMBus rev 0x02 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lm0 at isa0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: 

preventing OS fingerprint

2005-11-03 Thread Gustavo Rios
Dear gentleman,

I have an obsd firewall and would like to prevent external entities
from discovering that the firewall is OpenBSD. Is that possible?

Thanks a lot for your time and cooperation.



Re: Problems with static vpn

2005-11-03 Thread Joachim Schipper
On Thu, Nov 03, 2005 at 10:24:15AM +0100, Andreas Krummrich wrote:
 Hello,
 
 my OpenBSD 3.7 box at home establishes a static pptp connection to my
 company's vpn server.
 From any client at home, I can ping any server in the company. But I
 can't ping any client at home from the company.
 I have to ping a client at work from any client at home in order to
 access my clients at home from the company.
 PF is not enabled on the box. It seems that the vpn is static for
 clients from outside, my home net.

I don't know pptp at all, but from your description, it seems the office router
does not (manage to) establish a connection, it only accepts them.

Either change the configuration of said router, configure your home machine to
keep the tunnel up at all times (no clue how that would be done, or even what
piece of software you're using...), or - the simplest - just start ping before
leaving. ;-)

Joachim



Re: Problems with static vpn

2005-11-03 Thread Andreas Krummrich

Zitat von Joachim Schipper [EMAIL PROTECTED]:


On Thu, Nov 03, 2005 at 10:24:15AM +0100, Andreas Krummrich wrote:

Hello,

my OpenBSD 3.7 box at home establishes a static pptp connection to my
company's vpn server.
From any client at home, I can ping any server in the company. But I
can't ping any client at home from the company.
I have to ping a client at work from any client at home in order to
access my clients at home from the company.
PF is not enabled on the box. It seems that the vpn is static for
clients from outside, my home net.


I don't know pptp at all, but from your description, it seems the office router
does not (manage to) establish a connection, it only accepts them.

Either change the configuration of said router, configure your home machine to
keep the tunnel up at all times (no clue how that would be done, or even what
piece of software you're using...), or - the simplest - just start ping before
leaving. ;-)


The office router is a windows 2003 ras server. Isn't there something
like a keep alive in ppp?
Or just a cron controlled ping to the other site?



Joachim



Regards Andreas



iunius.org Webmail



Re: OpenBSD Metastore

2005-11-03 Thread Martin Schröder
On 2005-11-03 08:20:47 -0600, Jared Solomon wrote:
 The AOpen MiniPC measures 6.5 x 6.5 x 2 inches, is powered by an
 Intel Pentium M or Celeron M processor

http://www.heise.de/newsticker/meldung/65660

A MacMini is cheaper and runs OBSD.

Best
Martin
-- 
http://www.tm.oneiros.de



Re: preventing OS fingerprint

2005-11-03 Thread Hans van Leeuwen

Gustavo Rios wrote:


Dear gentleman,

i have an obsd firewall and would like to prevent external entities
discovering that firewall is openbsd, is that possible?

Thanks a lot for your time and cooperation.
 


I use the following line in pf to prevent nmap scan, including -O:

block in quick log on $inet_if from any os NMAP

But why would you want to hide the fact you run the most secure OS in 
the world?



Hans



Re: preventing OS fingerprint

2005-11-03 Thread Gustavo Rios
Right now, i am running into business. I would like my client to get
focused into the solution only. I don't want to give him a chance to
compare my proposal to others.

that's why.

2005/11/3, Hans van Leeuwen [EMAIL PROTECTED]:
 Gustavo Rios wrote:

 Dear gentleman,
 
 i have an obsd firewall and would like to prevent external entities
 discovering that firewall is openbsd, is that possible?
 
 Thanks a lot for your time and cooperation.
 
 
 I use the following line in pf to prevent nmap scan, including -O:

 block in quick log on $inet_if from any os NMAP

 But why would you want to hide the fact you run the most secure OS in
 the world?


 Hans



Problems with HP dx5150/ATI Xpress 200 chipset

2005-11-03 Thread Jeffrey Williams
I have recently purchased a number of HP DX5150 SFF desktops with the idea of 
using them as basic infrastructure servers (e.g. DNS, DHCP, and 
firewall).  I prefer to use -stable versions of FreeBSD and OpenBSD. 
Following are the specs on the boxes:


HP dx5150
AMD Sempron 3000+
ATI Radeon Xpress 200 chipset
ATI SATA/100 hdd
ATI USB
ATI Integrated Graphics
Broadcom BCM5751 network
HP/ATI specific Award bios, v1.06

I have tried installs with fbsd 4.11, 5.4 and obsd 3.7 and 3.8.  I have 
done enough searching of mailing lists and google to know that this 
chipset is problematic at the moment for BSD and for that matter linux, 
however I am hoping that someone can suggest fixes, work arounds, and 
expected upcoming releases that will allow me to run these boxes 
reliably on stable versions of fbsd and obsd.


For all the installs I made the following changes to the default BIOS 
settings:


Advanced Chipset features:
GFX Multi-Function Mode: disabled
UMA Frame Buffer Size: 16M
Video Display Devices: CRT only
Init Display First: Onboard

fbsd 4.11 was the only one I was able to get to install fully and with 
basic functionality, including network working. Although I am not 
confident in its long term stability (continuous stray IRQ errors, 
incorrect drive geometry detection which is not correctable via fdisk, 
dysfunctional APM)


fbsd 5.4 boot fails unless APIC mode is completely disabled under 
Advanced BIOS Features, I tried it active with both MPS versions 1.1 and 
1.4.  It will boot fully with APIC disabled but the bge driver fails to 
initialize and drive geometry is incorrectly detected as in 4.11, and 
the install invariably fails with a panic at various point during the 
copying of files to the new volumes (possibly to bad drive geometry?). 
APM driver(s) also seem to fail initialization.


obsd 3.7 boots and installs, but unless USB Legacy support under 
Integrated Peripherals/OnChip USB Controller is disabled the PS/2 
attached keyboard ceases to function (stalling install at the 
install/upgrade/shell prompt unless using serial console).  As with 
fbsd5.4 the bge driver and apm driver(s) fail to initialize.  obsd also 
incorrectly detects drive geometry but gets closer to the actual numbers 
than fbsd. I did not try to manually correct, as I am not as 
familiar/comfortable with openbsd's disklabel; the drive did seem more 
stable.


obsd 3.8 boot fails completely unless USB Legacy support is disabled, 
with it disabled I was able to complete the install, however as with 3.7 
and fbsd5.4 the bge and apm drivers fail to initialize.


APIC settings did not seem to affect obsd boot or installs, also there 
are no specific BIOS settings specifically identifying the installed OS 
as PNP or not.  The PNP settings consist of Reset Configuration Data 
[enable/disable], Resources Controlled By [Auto(ESCD)/Manual] with a 
Manual sub-menu of IRQ x [PCI/reserved], Assign IRQ for VGA 
[enable/disable], and Assign IRQ for USB [enable/disable]. 
Manipulation of these settings had no apparent effect on the obsd or 
fbsd booting.


Attached are the dmesg dumps from the various boot/install attempts, if 
you need any other info to help diagnose please let me know.  I am 
hoping someone can help me get these to work, as I am not looking 
forward to trying to return them to the vendor.


Thanks
Jeffrey Williams
[EMAIL PROTECTED]

dmesgs for fbsd4.11, fbsd5.4-APIC1.1, fbsd5.4-APIC1.4, fbsd5.4-noAPIC, 
obsd3.7-legUSB, obsd3.7-nolegUSB, obsd3.8-legUSB, obsd3.8-nolegUSB


*
**  fbsd 4.11
*
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.11-RELEASE #0: Fri Jan 21 17:21:22 GMT 2005
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
Timecounter i8254  frequency 1193182 Hz
CPU: AMD Sempron(tm) Processor 3000+ (1790.84-MHz 686-class CPU)
  Origin = AuthenticAMD  Id = 0x10ff0  Stepping = 0

Features=0x78bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
  AMD Features=0xc050b20,AMIE,DSP,3DNow!
real memory  = 233766912 (228288K bytes)
avail memory = 221896704 (216696K bytes)
Preloaded elf kernel kernel at 0xc055c000.
Pentium Pro MTRR support enabled
md0: Malloc disk
npx0: math processor on motherboard
npx0: INT 16 interface
pcib0: Host to PCI bridge on motherboard
pci0: PCI bus on pcib0
pcib5: PCI to PCI bridge (vendor=1002 device=5a3f) at device 1.0 on pci0
pci1: PCI bus on pcib5
pci1: ATI model 5954 graphics accelerator at 5.0 irq 11
pcib6: PCI to PCI bridge (vendor=1002 device=5a37) at device 5.0 on pci0
pci2: PCI bus on pcib6
bge0: Broadcom BCM5751 Gigabit Ethernet, ASIC rev. 0x4200 mem 
0xfdef-0xfdef irq 11 at device 0.0 on pci2

bge0: Ethernet address: 00:13:d3:95:43:b9
miibus0: MII bus on bge0
brgphy0: BCM5750 

Re: 3.8 -- svnserve on inet6 only

2005-11-03 Thread Sigfred Håversen

Dominique Jacquel wrote:

Hi,

I have just installed 3.8 from the CD :-) and FTPed all packages from 
ftp.kd85.com. It all went well but I am having a strange problem with 
subversion. svnserve does not seem to bind to inet but only to inet6.


Yes, this is known. By default svnserve will only listen on IPv6 on OpenBSD.
The workaround is to supply an IPv4 address to the --listen-host option
to svnserve. To listen on all IPv4:

$ svnserve -d --listen-host 0.0.0.0 -r /my/repos


I do a simple
sudo svnserve -d -r /my/repos


You don't need root privileges to run svnserve. You
may add to /etc/rc.local something like

if [ -x /usr/local/bin/svnserve ]; then
    if [ X"${svnserve_flags}" != X"NO" ]; then
        echo -n 'svnserve '; /usr/bin/sudo -u _svnserve /usr/local/bin/svnserve ${svnserve_flags}
    fi
fi

And in /etc/rc.conf.local add:

svnserve_flags="--listen-host 0.0.0.0 -d -r /my/repos"

The user _svnserve you may add as follows (change as appropriate):

$ sudo useradd -u 980 -g =uid -c "svnserve daemon" -d /my/repos -s /sbin/nologin _svnserve

I am running 3.7 and 3.8 inside Vmware and this problem only appears in 
3.8. Under 3.7, svnserve is quite happy to respond through IPv4. Have I 
missed something here? How do I force svnserve to use IPv4 as well 
as/instead of IPv6?




The Subversion team added IPv6 support

You may run both IPv6 and IPv4 svnserve at the same time. Just give
an IPv6 address to listen-host to one svnserve process, and an IPv4 address to
the other svnserve process.

/Sigfred



Commell Systems: EMB-564 Series, distributor in Europe?

2005-11-03 Thread Didier Wiroth
Hello,

Does someone know if this product can be purchased in europe:
http://www.commell-sys.com/Product/IPC/EMB-564.htm

I recently saw this boxes in a presentation available on 
www.openbsd-support.com.

Thanks for replying
Didier



smartmontools (smartd) kills system [trace/gdb]

2005-11-03 Thread per engelbrecht

Hi again

Followup on first mail with only trace/gdb info:


GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i386-unknown-openbsd3.8.
Core was generated by `smartctl'.
Program terminated with signal 11, Segmentation fault.
#0  0x06485b22 in ?? ()
(gdb) quit




Running 'smartctl -t long /dev/sd0c | tee test.txt' gives:
[...]
smartctl version 5.33 [i386-unknown-openbsd3.8] Copyright (C) 2002-4 
Bruce Allen

Home page is http://smartmontools.sourceforge.net/

sd0(ahd1:0:0): host adapter code inconsistency

Extended Background Self Test has begun
Please wait 12 minutes for test to complete.
Estimated completion time: Thu Nov  3 17:54:14 2005

Use smartctl -X to abort test
[...]

NB the 'sd0(ahd1...' line only appears on stdout, not in test.txt file 
and the test is not executed (seems obvious from the line).




I have a ktrace file that's quite long (844 lines) but I think it's too 
long for a list mail. If anybody is interested I'll be happy to mail it.


So far smartd will not be running on this box. I'm a little concerned 
about the 'adapter code inconsistency' part though.




/per
[EMAIL PROTECTED]



Re: 3.8 -- svnserve on inet6 only

2005-11-03 Thread Brent Graveland
Dominique Jacquel [EMAIL PROTECTED] writes:
 Hi,

 I have just installed 3.8 from the CD :-) and FTPed all packages from
 ftp.kd85.com. It all went well but I am having a strange problem with
 subversion. svnserve does not seem to bind to inet but only to inet6.

This is a known issue with svnserve, the svn mailing lists are/were
talking about it.

Until they fix it, supposedly adding --listen-host IPv4_address should
fix it. If you want to listen on both v4, and v6, you probably need to
run two instances of svnserve.

-- 
Brent Graveland
[EMAIL PROTECTED]
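Both replies describe the same workaround: two svnserve processes, one per address family. The reason it is needed is that an AF_INET6 socket on OpenBSD only ever carries IPv6 traffic, so a daemon that binds a single IPv6 listener is simply unreachable over IPv4. The block below is an added example, not code from the thread or from Subversion: it binds throwaway loopback listeners at ephemeral ports (no real svnserve is involved), forces IPV6_V6ONLY so the demonstration matches OpenBSD's behaviour on other systems, and reports which families reach a lone IPv6 listener versus one listener per family.

```python
"""Why one AF_INET6 listener does not serve IPv4 clients, and the two-socket fix.

Added example, not from the thread or from Subversion. Throwaway listeners on
loopback at ephemeral ports stand in for svnserve; the 'per family' half is
the equivalent of running one svnserve per address family."""
import socket


def bind_listener(host):
    """TCP listener on an IPv4 or IPv6 literal at an ephemeral port."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    if family == socket.AF_INET6:
        # OpenBSD AF_INET6 sockets never carry IPv4 (no v4-mapped addresses);
        # setting IPV6_V6ONLY makes other systems behave the same way here.
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    sock.bind((host, 0))
    sock.listen(1)
    return sock


def can_connect(family, address):
    """True if a client of the given family completes a TCP handshake."""
    client = socket.socket(family, socket.SOCK_STREAM)
    client.settimeout(1.0)
    try:
        client.connect(address)
        return True
    except OSError:
        return False
    finally:
        client.close()


def dual_stack_check():
    """Compare a lone IPv6 listener with one listener per address family."""
    result = {"ipv6_available": False,
              "single_v6_socket_serves_v4": False,
              "per_family_sockets_serve_v4": False,
              "per_family_sockets_serve_v6": False}
    try:
        v6 = bind_listener("::1")
    except OSError:
        v6 = None  # host without an IPv6 loopback; only the IPv4 half runs
    if v6 is not None:
        result["ipv6_available"] = True
        port = v6.getsockname()[1]
        # An IPv4 client aiming at the same port finds nothing listening there.
        result["single_v6_socket_serves_v4"] = can_connect(
            socket.AF_INET, ("127.0.0.1", port))
        result["per_family_sockets_serve_v6"] = can_connect(
            socket.AF_INET6, ("::1", port))
    # The fix: a second socket bound to an IPv4 address.
    v4 = bind_listener("127.0.0.1")
    result["per_family_sockets_serve_v4"] = can_connect(
        socket.AF_INET, v4.getsockname()[:2])
    v4.close()
    if v6 is not None:
        v6.close()
    return result


if __name__ == "__main__":
    for key, value in dual_stack_check().items():
        print(f"{key}: {value}")
```

The rc.local fragment earlier in the thread does the per-family part operationally: one svnserve with `--listen-host 0.0.0.0` for IPv4 and, if wanted, a second with an IPv6 address, each under the unprivileged _svnserve user.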



Re: perl interface to pf?

2005-11-03 Thread jorgen . boberg
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Markus Wernig
Sent: den 3 november 2005 14:17
To: Jesper Louis Andersen
Cc: John N. Brahy; misc@openbsd.org
Subject: Re: perl interface to pf?


Jesper Louis Andersen wrote:
 John N. Brahy wrote:

 Is there a perl interface to pf?

 No, and it would be totally insane to build one.

Well, the only use that came to my mind was a perl daemon running on the
FW that accepts rule updates from a remote client. While that can be done
with other means (ssh, sh scripts), i can imagine that a perl class for
manipulating pf rules would come in handy for that.
/m

 Hello,
   I am working on a program similar to that but written in c++ and
php. However slightly different functionality, uses token based OTP
authentication via SMS, and a PHP interface to create the new
rules. However the reason I am doing this is not because there is a
need but more to learn c++ and encryption. There are much simpler
and safer ways to achieve this with pre-existing tools, but sure
it's possible although maybe not wise. One problem is parsing and
syntax checking of pf rules so that garbage isn't fed to for
example pfctl if that is the method one chooses. One problem of
many. Like a previous poster said, it's a lot of work for very
little gain, but if like me you have the extra time and have
something else to gain from the exercise then it could be
worthwhile.

// jpb



** Jorgen Boberg  **
** Managing Director  Senior Consultant  **
** Intellibit Consulting SIA  **
** Krisjana Barona Iela 37/30 **
** LV-1011, Riga  **
** Latvia **

** Tel: +371 83 80 803**
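The parsing and syntax-checking problem Jorgen raises is the crux of any remote rule-update daemon: whatever arrives over the wire has to be reduced to an allowlisted grammar before it gets anywhere near pfctl, otherwise a client can smuggle in a second rule, an include, or a shell metacharacter. The following is an added example written for this thread, not code from the list or from any project. The subset of pf grammar it accepts (action, direction, quick, on, proto, from/to with an optional port), the `remote` anchor name, and the `pfctl -n -a remote -f -` invocation it builds are assumptions, and the sample submissions are constructed.

```python
"""Allowlist validation of pf rules before they are handed to pfctl.

Added example, not code from the thread or from any project. The accepted
grammar (a deliberately small subset of pf) and the anchor name are assumed."""
import ipaddress
import re
import subprocess

ACTIONS = {"block", "pass"}
DIRECTIONS = {"in", "out"}
PROTOS = {"tcp", "udp"}
IFACE_RE = re.compile(r"^[a-z]+[0-9]+$")  # em0, bge1, ... (assumed naming)


class RuleError(ValueError):
    """Raised for anything outside the allowlisted grammar."""


def _host(tok):
    if tok == "any":
        return tok
    try:
        # Canonical form, e.g. 10.1.2.3 -> 10.1.2.3/32; rejects garbage.
        return str(ipaddress.ip_network(tok, strict=False))
    except ValueError:
        raise RuleError(f"bad host or network: {tok!r}")


def _port(tok):
    if not tok.isdigit() or not 1 <= int(tok) <= 65535:
        raise RuleError(f"bad port: {tok!r}")
    return tok


def validate_rule(text):
    """Return the rule in canonical form, or raise RuleError.

    Tokens must match the allowlist in a fixed order, so a newline, a second
    rule, 'include', anchors, macros or shell metacharacters never reach pfctl."""
    if any(c in text for c in "\r\n;#$"):
        raise RuleError("forbidden character in rule")
    toks = text.split()
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise RuleError("unexpected end of rule")
        pos += 1
        return toks[pos - 1]

    out = [take()]
    if out[0] not in ACTIONS:
        raise RuleError("rule must start with block or pass")
    if peek() in DIRECTIONS:
        out.append(take())
    if peek() == "quick":
        out.append(take())
    if peek() == "on":
        take()
        iface = take()
        if not IFACE_RE.match(iface):
            raise RuleError(f"bad interface: {iface!r}")
        out += ["on", iface]
    if peek() == "proto":
        take()
        proto = take()
        if proto not in PROTOS:
            raise RuleError(f"bad protocol: {proto!r}")
        out += ["proto", proto]
    for kw in ("from", "to"):
        if peek() == kw:
            take()
            out += [kw, _host(take())]
            if peek() == "port":
                take()
                out += ["port", _port(take())]
    if peek() is not None:
        raise RuleError(f"unexpected token: {peek()!r}")
    return " ".join(out)


def is_valid(text):
    try:
        validate_rule(text)
        return True
    except RuleError:
        return False


def pfctl_argv(anchor="remote", check_only=True):
    """Argument vector that loads rules from stdin into an anchor; -n makes
    pfctl parse without loading. Always run as a list, never through a shell."""
    argv = ["pfctl", "-a", anchor, "-f", "-"]
    if check_only:
        argv.insert(1, "-n")
    return argv


def load_rules(rules, anchor="remote", check_only=True):
    """Validate every rule first; only then feed the canonical text to pfctl."""
    canonical = "\n".join(validate_rule(r) for r in rules) + "\n"
    return subprocess.run(pfctl_argv(anchor, check_only), input=canonical,
                          text=True, check=True)


if __name__ == "__main__":
    # Constructed client submissions: two acceptable, one an injection attempt.
    for rule in ("block in quick on em0 proto tcp from any to any port 23",
                 "pass out proto udp from 192.168.1.5 to 192.168.1.1 port 53",
                 'pass in\ninclude "/etc/pf.conf"'):
        print(rule.replace("\n", "\\n"), "->", "ok" if is_valid(rule) else "rejected")
```

The canonical text, not the client's original bytes, is what goes to pfctl, and loading into a dedicated anchor keeps a bad remote update from touching the main ruleset.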




Re: perl interface to pf?

2005-11-03 Thread Dylan Smith
On Thursday 03 November 2005 13:49, you wrote:
 I'd rather
 rely on ssh, keys, sudo, and scripts to do it.

Erm, perl scripts ARE scripts!



Re: Problems with HP dx5150/ATI Xpress 200 chipset

2005-11-03 Thread Stuart Henderson

--On 02 November 2005 15:19 -0800, Jeffrey Williams wrote:


I have recently purchased a number HP DX5150 SFF desktops with idea
of using them as basic infrastructure servers (e.g. DNS, DHCP, and
firewall).  I prefer to use -stable versions of FreeBSD and OpenBSD.


A few general thoughts (no knowledge of the hardware, but worth a go):

- for OpenBSD, try -current snapshots (may fix bge). Ok it's not named 
stable but if it works and -stable doesn't, there's no loss...

- for FreeBSD, try 6.0RC1. ditto.
- if these options fail, is using a PCI nic an option? cards supported 
by sk(4) can be found reasonably cheaply and work well. From what I 
read, vge(4) aren't bad either.


- does the machine have apm anyway?


obsd
also incorrectly detects drive geometry but gets closer to the actual
numbers than fbsd, I did not try to manually correct, I am not as
familiar/comfortable with openbsd's disklabel, the drive did seem
more stable.


$ sudo disklabel -E sd0
# Inside MBR partition 3: type A6 start 63 size 1562353317

Treating sectors 63-1562353380 as the OpenBSD portion of the disk.
You can use the 'b' command to change this.

Initial label editor (enter '?' for help at any prompt)

?

Available commands:
[...]
   g [b|d|u] - use [b]ios, [d]isk or [u]ser geometry.


APIC settings did not seem to affect obsd boot or installs


$ grep apic /usr/src/sys/arch/i386/conf/GENERIC*
/usr/src/sys/arch/i386/conf/GENERIC.MP:ioapic*  at mainbus?

i.e. it's only used on the MP kernel.



Re: preventing OS fingerprint

2005-11-03 Thread Joachim Schipper
On Thu, Nov 03, 2005 at 01:48:56PM -0200, Gustavo Rios wrote:
 Right now, i am running into business. I would like my client to get
 focused into the solution only. I don't want to give him a chance to
 compare my proposal to others.
 
 that's why.

Now *there*'s a noble goal...

Anyway, you do know that there are plenty of other ways to discover
this? You should at least mess with the setting until p0f doesn't
identify it either.

(For one, I seem to recall OpenBSD and some Cisco stuff (IOS?) being the
only two more-or-less common operating systems, if you can call IOS
that, to use TTL 64 - and since it's obviously not Cisco, that would
nail it down quickly. I might be wrong, though - I was never much
interested in preventing fingerprinting.  Removing some banners is fine,
but that'll be all.)

But that's the technical point. I wouldn't be very likely to trust
someone who has apparently gone to the crutch of blocking nmap. (After
all, if the system was secure, such crutches wouldn't be necessary would
they?)

Joachim
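Joachim's point that the pf rule only stops nmap's active probes can be made concrete: a passive observer needs nothing more than the TTL, window size and DF bit of a SYN the host itself sends. The block below is an added example, not code from the thread or from p0f or nmap. Its signature table is a small constructed approximation of the tuples such tools key on, the sample captures are made up, and it is meant to be run over a host's own outbound SYNs to see how recognisable the stack still is once the NMAP block rule is in place.

```python
"""What a single SYN still tells a passive observer after nmap probes are blocked.

Added example, not from the thread or from p0f/nmap. The signature table is a
constructed approximation, not a real fingerprint database."""
from dataclasses import dataclass

# Initial TTLs that common stacks start from; each router hop decrements by one.
INITIAL_TTLS = (32, 64, 128, 255)

# (initial TTL, TCP window, DF set) -> label. Constructed for illustration only.
SIGNATURES = {
    (64, 16384, True): "OpenBSD 3.x-like",
    (64, 65535, True): "FreeBSD 5.x-like",
    (64, 5840, True): "Linux 2.4/2.6-like",
    (128, 65535, True): "Windows XP/2003-like",
    (255, 4128, False): "Cisco IOS-like",
}

# Fallback when only the hop-corrected TTL matches anything.
TTL_FAMILY = {64: "TTL-64 family (BSD, Linux, some IOS)",
              128: "TTL-128 family (Windows)",
              255: "TTL-255 family (Solaris, many routers)",
              32: "TTL-32 family (legacy)"}


@dataclass(frozen=True)
class SynSample:
    src: str
    ttl: int      # TTL as seen on the wire
    window: int   # TCP window field
    df: bool      # IP don't-fragment flag


def infer_initial_ttl(observed):
    """Smallest standard initial TTL at or above the observed value."""
    for ttl0 in INITIAL_TTLS:
        if observed <= ttl0:
            return ttl0
    return None


def hop_count(observed):
    """Hops between sender and observer, derived from the inferred initial TTL."""
    ttl0 = infer_initial_ttl(observed)
    return None if ttl0 is None else ttl0 - observed


def classify(sample):
    """Exact tuple match first, otherwise fall back to the TTL family."""
    ttl0 = infer_initial_ttl(sample.ttl)
    label = SIGNATURES.get((ttl0, sample.window, sample.df))
    if label is None:
        label = TTL_FAMILY.get(ttl0, "unknown")
    return label


def audit(samples):
    """Map each source to its inferred label; run over your own host's
    outbound SYNs to see whether the stack is still recognisable."""
    return {s.src: classify(s) for s in samples}


# Constructed captures: a firewall seen over 8 hops, a Windows client,
# a router, and a host whose window size matches nothing in the table.
SAMPLES = [
    SynSample("192.0.2.10", ttl=56, window=16384, df=True),
    SynSample("192.0.2.20", ttl=121, window=65535, df=True),
    SynSample("192.0.2.30", ttl=250, window=4128, df=False),
    SynSample("192.0.2.40", ttl=60, window=1234, df=True),
]

if __name__ == "__main__":
    for src, label in audit(SAMPLES).items():
        print(src, "->", label)
```

The last sample shows the limit of the pf rule's reach from the other side: even when the window and DF bit match nothing, the hop-corrected TTL alone narrows the stack to a family, which is the kind of leak only changing the stack's own settings (as Joachim suggests with p0f as the yardstick) can close.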



Re: quad ethernet on netra x1 (SOLVED)

2005-11-03 Thread Miguel

Miguel wrote:


Miguel wrote:

Hi, i have some problems with my quad ethernet in a netra x1 
firewall, this is not the first time i face this, some months ago i 
had the very same problem, i was able to fix it following these 
excellent instructions:


http://marc.theaimsgroup.com/?l=openbsd-sparc&m=108890209508001&w=2

However, after the upgrade from 3.5 to 3.7 (a full new install, 
format disks, etc), the problem is there again, this is the dmesg log:


hme0 at pci3 dev 0 function 1 Sun HME rev 0x01: address 
00:03:ba:39:bf:9a

ukphy2 at hme0 phy 1: Generic IEEE 802.3u media interface
ukphy2: OUI 0x00601d, model 0x000c, rev. 1
hme0: using ivec 3005 for interrupt
Sun PCIO Ebus2 rev 0x01 at pci3 dev 1 function 0 not configured
hme1 at pci3 dev 1 function 1 Sun HME rev 0x01: address 
00:03:ba:39:bf:9b

ukphy3 at hme1 phy 1: Generic IEEE 802.3u media interface
ukphy3: OUI 0x00601d, model 0x000c, rev. 1
hme1: using ivec 3004 for interrupt
Sun PCIO Ebus2 rev 0x01 at pci3 dev 2 function 0 not configured
hme2 at pci3 dev 2 function 1 Sun HME rev 0x01: address 
00:03:ba:39:bf:9c

ukphy4 at hme2 phy 1: Generic IEEE 802.3u media interface
ukphy4: OUI 0x00601d, model 0x000c, rev. 1
hme2: using ivec 3005 for interrupt
Sun PCIO Ebus2 rev 0x01 at pci3 dev 3 function 0 not configured
hme3 at pci3 dev 3 function 1 Sun HME rev 0x01: address 
00:03:ba:39:bf:9d

ukphy5 at hme3 phy 1: Generic IEEE 802.3u media interface
ukphy5: OUI 0x00601d, model 0x000c, rev. 1
hme3: using ivec 3004 for interrupt
pcons at mainbus0 not configured


hme0 is using 3005 for interrupt, the same that hme2, hme1 is using 
3004 for interrupt, the same that hme3, etc
I havent changed anything, i only booted from the 3.7 cd and started 
from scratch.


what can i do?
thanks


Hi, the problem has gone away after installing the latest release 
(3.8), without the nvramrc workaround, so, i configured:

setenv use-nvramrc? false on the ok prompt.

dmesg:

ppb2 at pci2 dev 5 function 0 Intel S21154AE/BE PCI-PCI rev 0x00
pci3 at ppb2 bus 3
Sun PCIO Ebus2 rev 0x01 at pci3 dev 0 function 0 not configured
hme0 at pci3 dev 0 function 1 Sun HME rev 0x01: address 00:03:ba:39:bf:9a
luphy0 at hme0 phy 1: LU6612 10/100 PHY, rev. 1
hme0: using ivec 3005 for interrupt
Sun PCIO Ebus2 rev 0x01 at pci3 dev 1 function 0 not configured
hme1 at pci3 dev 1 function 1 Sun HME rev 0x01: address 00:03:ba:39:bf:9b
luphy1 at hme1 phy 1: LU6612 10/100 PHY, rev. 1
hme1: using ivec 3014 for interrupt
Sun PCIO Ebus2 rev 0x01 at pci3 dev 2 function 0 not configured
hme2 at pci3 dev 2 function 1 Sun HME rev 0x01: address 00:03:ba:39:bf:9c
luphy2 at hme2 phy 1: LU6612 10/100 PHY, rev. 1
hme2: using ivec 3004 for interrupt
Sun PCIO Ebus2 rev 0x01 at pci3 dev 3 function 0 not configured
hme3 at pci3 dev 3 function 1 Sun HME rev 0x01: address 00:03:ba:39:bf:9d
luphy3 at hme3 phy 1: LU6612 10/100 PHY, rev. 1
hme3: using ivec 3015 for interrupt
pcons at mainbus0 not configured


thanks, great work,
---
Miguel



After installing scsi card, cdrecord stops working.

2005-11-03 Thread Marc L'Heureux
I have been running 3.6 for about a year on my server.  I have a backup 
solution that writes to an ide-cdrw 4 times a day.  A month ago I 
installed a scsi card to hook up a newly acquired tape drive.  My cdrw 
backups have been failing since.


I did not change any kernel settings (that I recall), I'm still using 
Generic, and I didn't have to change any sysctl settings.


I've done some tests against the tape drive and it all works ok.

$ sudo mt rewind
$ echo $?
0

When I try to -scanbus I get the following.

$ sudo cdrecord -scanbus
Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg Schilling

cdrecord: No such file or directory. Cannot open SCSI driver.
cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are 
root.

cdrecord: For possible transport specifiers try 'cdrecord dev=help'.

I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I thought I 
might have to change it to dev=/dev/cd0c:0,1,1.  Providing different 
options to cdrecord does not help, it still bails


$ sudo cdrecord dev=/dev/cd0c:0,1,1 speed=4 blank=fast
Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg Schilling

scsidev: '/dev/cd0c:0,1,1'
devname: '/dev/cd0c'
scsibus: 0 target: 1 lun: 1
cdrecord: No such file or directory. Cannot open SCSI driver.
cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are 
root.

cdrecord: For possible transport specifiers try 'cdrecord dev=help'.

I can mount and read the last good backup of my cd, it happened 17 Oct 05 
at 18:00.


$ sudo mount /dev/cd0c /mnt
$ ls -l /mnt
total 447724
-rw-r--r--  1 marc  users475 Jul  7 22:11 backups.rc
-rwxr-xr-x  1 marc  users963 Jul  7 22:11 burnbackups.ksh
-rwxr-xr-x  1 marc  users936 May  7 09:15 homes.ksh
-rw-r--r--  1 root  users  198488314 Oct 17 18:01 homes.tgz
-rw-r--r--  1 root  wheel106 Oct 17 18:02 index.txt
-rw-r--r--  1 root  users   30739621 Oct 17 18:00 
mailserver-20051017-1800.tgz

-rwxr-xr-x  1 marc  users   1138 May  5 18:50 mailserver.ksh
-rw-r--r--  1 marc  users   1966 Jan 19  2005 osbkup.log
-rw-r--r--  1 marc  users   1274 Jan 19  2005 osbkup.rc
-rwxr-xr-x  1 marc  users   2584 Jan 19  2005 osbkup.sh
$ sudo umount /mnt
$ ls -l /mnt
$

I've tried searching google and archives, but I find it difficult to make 
a search query that doesn't just tell me that I need to find the right 
dev= using -scanbus.


Finally, here's my dmesg.  TIA.
I'd provide my dmesg from before the scsi card install, but I don't have 
it around.  I did send it to [EMAIL PROTECTED] though, so it might be 
there if it can be found.


$ dmesg
OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Sempron(tm) 2200+ (AuthenticAMD 686-class) 1.50 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 527867904 (515496K)
avail mem = 474603520 (463480K)
using 4278 buffers containing 26497024 bytes (25876K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 08/06/04, BIOS32 rev. 0 @ 
0xf0010

apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf41b0/208 (11 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x10de product 0x0060
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xdc00 0xce000/0x1000 0xcf000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Nvidia nForce2 PCI rev 0xa2
Nvidia nForce2 rev 0xa2 at pci0 dev 0 function 1 not configured
Nvidia nForce2 rev 0xa2 at pci0 dev 0 function 2 not configured
Nvidia nForce2 rev 0xa2 at pci0 dev 0 function 3 not configured
Nvidia nForce2 rev 0xa2 at pci0 dev 0 function 4 not configured
Nvidia nForce2 rev 0xa2 at pci0 dev 0 function 5 not configured
pcib0 at pci0 dev 1 function 0 Nvidia nForce2 ISA rev 0xa4
Nvidia nForce2 SMBus rev 0xa2 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 2 function 0 Nvidia nForce2 USB rev 0xa4: irq 11, 
version 1.0, legacy support

usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Nvidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci0 dev 2 function 1 Nvidia nForce2 USB rev 0xa4: irq 7, 
version 1.0, legacy support

usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Nvidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
ehci0 at pci0 dev 2 function 2 Nvidia nForce2 USB2 rev 0xa4: irq 5
ehci0: EHCI version 1.0
ehci0: companion controllers, 4 ports each: ohci0 ohci1
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Nvidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: 6 ports with 6 removable, self powered
auich0 at pci0 dev 6 function 0 Nvidia nForce2 

Re: preventing OS fingerprint

2005-11-03 Thread ober

Gustavo Rios wrote:


Dear gentleman,

i have an obsd firewall and would like to prevent external entities
discovering that firewall is openbsd, is that possible?

Thanks a lot for your time and cooperation.
 


Or you can take the complicated approach and use the Wafter.
A kernel module to do what pf does.
Albeit with more knobs.
http://www.linbsd.org/nmapd.c



Re: Commell Systems: EMB-564 Series, distributor in Europe?

2005-11-03 Thread Stuart Henderson

--On 03 November 2005 18:12 +0100, Didier Wiroth wrote:


Does someone know if this product can be purchased in europe:
http://www.commell-sys.com/Product/IPC/EMB-564.htm

I recently saw this boxes in a presentation available on
www.openbsd-support.com.


http://www.tcommate.com.tw/distributor.htm is probably a good 
starting point, I noticed one of these in the photos on kd85.com as 
well, so Wim probably has better clues.




[Straying OT] Re: preventing OS fingerprint

2005-11-03 Thread Nico Meijer
Hi Gustavo,

 Right now, i am running into business. I would like my client to get
 focused into the solution only. I don't want to give him a chance to
 compare my proposal to others.

In the years I have been in business myself, I have noticed that unless
you are as open as you can be about what you do and with what you do it,
you will not get the respect from your clients (and sometimes peers) you
would otherwise. Respect means business.

Most of my clients know the tools are there and that they could do it
themselves. Some even know how. Yet, they don't. They trust me and my
Open tools to get the job done.

Hiding information from your client (out of fear of competition) will
not enable them to make a valid judgement and eventually you will lose
that client. This is not a moral statement, just one of life's lessons
I've had to learn.

Be proud of your proposal and be proud of the fact you're using
OpenBSD to handle the job.

Do as you see fit, of course... Nico :-)

P.S. Try and sell your client the two OpenBSD cd's a year. Works
miracles.



Re: After installing scsi card, cdrecord stops working.

2005-11-03 Thread Roy Morris
 I have been running 3.6 for about a year on my server.  I 
 have a backup 
 solution that writes to an ide-cdrw 4 times a day.  A month ago I 
 installed a scsi card to hook up a newly acquired tape drive. 
  My cdrw 
 backups have been failing since.
 
 I did not change any kernel settings (that I recall), I'm still using 
 Generic, and I didn't have to change any sysctl settings.
 
 I've done some tests against the tape drive and it all works ok.
 
 $ sudo mt rewind
 $ echo $?
 0
 
 When I try to -scanbus I get the following.
 
 $ sudo cdrecord -scanbus
 Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg Schilling
 cdrecord: No such file or directory. Cannot open SCSI driver.
 cdrecord: For possible targets try 'cdrecord -scanbus'. Make 
 sure you are 
 root.
 cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
 
 I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I 
 thought I 
 might have to change it to dev=/dev/cd0c:0,1,1.  Providing different 
 options to cdrecord does not help, it still bails

I know this may sound too crazy but have you tried
dev=/dev/cd0c (without the rest) I have never had
to use the additional items for mine.



Re: After installing scsi card, cdrecord stops working.

2005-11-03 Thread Otto Moerbeek
On Thu, 3 Nov 2005, Marc L'Heureux wrote:

 I have been running 3.6 for about a year on my server.  I have a backup
 solution that writes to an ide-cdrw 4 times a day.  A month ago I installed a
 scsi card to hook up a newly acquired tape drive.  My cdrw backups have been
 failing since.
 
 I did not change any kernel settings (that I recall), I'm still using Generic,
 and I didn't have to change any sysctl settings.
 
 I've done some tests against the tape drive and it all works ok.
 
 $ sudo mt rewind
 $ echo $?
 0
 
 When I try to -scanbus I get the following.
 
 $ sudo cdrecord -scanbus
 Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg Schilling
 cdrecord: No such file or directory. Cannot open SCSI driver.
 cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are
 root.
 cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
 
 I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I thought I might
 have to change it to dev=/dev/cd0c:0,1,1.  Providing different options to
 cdrecord does not help, it still bails

It should be dev=/dev/rcd0c:$BUS,0,0 -

where $BUS is the scsi bus number, 1 in your case.

-Otto



Re: After installing scsi card, cdrecord stops working

2005-11-03 Thread Andreas Bihlmaier
  I have been running 3.6 for about a year on my server.  I 
  have a backup 
  solution that writes to an ide-cdrw 4 times a day.  A month ago I 
  installed a scsi card to hook up a newly acquired tape drive. 
   My cdrw 
  backups have been failing since.
  
  I did not change any kernel settings (that I recall), I'm still using 
  Generic, and I didn't have to change any sysctl settings.
  
  I've done some tests against the tape drive and it all works ok.
  
  $ sudo mt rewind
  $ echo $?
  0
  
  When I try to -scanbus I get the following.
  
  $ sudo cdrecord -scanbus
  Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg Schilling
  cdrecord: No such file or directory. Cannot open SCSI driver.
  cdrecord: For possible targets try 'cdrecord -scanbus'. Make 
  sure you are 
  root.
  cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
  
  I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I 
  thought I 
  might have to change it to dev=/dev/cd0c:0,1,1.  Providing different 
  options to cdrecord does not help, it still bails
 
 I know this may sound to crazy but have you tried
 dev=/dev/cd0c (without the rest) I have never had
 to use the additional items for mine.

This is a good point ^, I don't have any problems burning CD with or without a
SCSI Adapter.

An even better point is to RTFM!
http://www.openbsd.org/faq/faq13.html#burnCD

Regards,
ahb



Re: After installing scsi card, cdrecord stops working.

2005-11-03 Thread Spruell, Darren-Perot
From: Marc L'Heureux [mailto:[EMAIL PROTECTED]
  I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg 
 I thought I might
  have to change it to dev=/dev/cd0c:0,1,1.  Providing 
 different options to
  cdrecord does not help, it still bails
 
  It should be dev=/dev/rcd0c:$BUS,0,0 -
 
  where $BUS is the scsi bus number, 1 in your case.
 
  -Otto
 
 
 Ok, so this works, thanks.  I thought it was 0,1,1 because of the 
 following dmesg line, but I see my error with the scsibus1 id.
 
 cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
 
 Anyways, now that my problem is fixed, I'd like some help 
 understanding 
 why '# cdrecord -scanbus' doesn't work?  Any thoughts?

Should be clear from the FAQ entry.

DS



Re: preventing OS fingerprint

2005-11-03 Thread Jasper Lievisse Adriaanse
On Thu, 03 Nov 2005 16:32:13 +0100
Hans van Leeuwen [EMAIL PROTECTED] wrote:

 Gustavo Rios wrote:
 
 Dear gentleman,
 
 i have an obsd firewall and would like to prevent external entities
 discovering that firewall is openbsd, is that possible?
 
 Thanks a lot for your time and cooperation.
   
 
 I use the following line in pf to prevent nmap scan, including -O:
 
 block in quick log on $inet_if from any os NMAP
 
 But why would you want to hide the fact you run the most secure OS in 
 the world?
 
 
 Hans
Haha, I sort of want to reveal that fact, but Netcraft keeps thinking I'm
running FreeBSD or Linux :'(

Cheers,
Jasper 


-- 
Security is decided by quality -- Theo de Raadt



Re: IBM xSeries 336 - atapiscsi/pciide bug

2005-11-03 Thread Nick Nauwelaerts
On Thu, 03 Nov 2005 16:22:53 +1300
Stephen Nelson [EMAIL PROTECTED] wrote:

 Thanks for your prompt reply. I misunderstood you last time, I thought
 you were suggesting that one of the drives was defective.
 I tried swapping the CDROM, but the x336 are 1U rackmounted servers,
 and they use custom IDE cables. As I don't have access to any other
 IBM rackmounted servers, I don't have any other devices to swap in. I
 could order another drive from IBM, but as I know this problem exists
 for others I think it's unlikely that this is the source and I don't
 think that it's worth the cost.

It's been a while since I last opened up one of our x336's (don't like
them, x335s are much more stable in my experience), I thought they had a
standard IDE port somewhere on the motherboard next to the PSU. Perhaps
you can give that one a shot.

// nick



Can't make 3.7-stable release

2005-11-03 Thread [EMAIL PROTECTED]
Hello!

   ...Same problem, again (it was already covered some time ago).
When I run the last step in building a release
(see http://www.openbsd.org/faq/faq5.html) , i.e.

  # make release

I get a message informing me that /dev/svnd0a is full. This occurs
while make is working with ramdiskC (exactly as the messages posted
last July).

Tried also on different hardware, same result. I've been struggling
with this for a couple of weeks now.

Three quick questions:

A) Solution is the same as previously suggested (removing a non
critical driver, such as axe, from ramdiskC) or has anything
changed?

B) After commenting out the axe driver, you have to start over
and rebuild the kernel, right? Userland as well? (I'm asking 
since I'm working on a not-so-fast machine, the whole process 
takes quite some time...)

C) Please don't flame--I'm just curious: In the mailing list
archives, I noticed this sort of problem has been around since
March (messages dated March 30). Why hasn't it yet been fixed? 

Thanks in advance for any suggestions.

--Rob



Re: ibook+openbsd3.8

2005-11-03 Thread Bill
On Thu, 3 Nov 2005 08:24:25 +0100
Han Boetes [EMAIL PROTECTED] spake:

 Otto Moerbeek wrote:
  On Thu, 3 Nov 2005, Eder M. G. A. wrote:
   I have installed OpenBSD 3.8 on my ibook G4, all fine, but i
   can't switch to another console, just can use ttyC0, i tried
   different methods but without results.
 
  macppc uses vgafb(4) and does not support multiple consoles.
 
 Therefore most people use screen in the console.
 
 Sample screen-session for beginners:
 
 $ screen
 c-a c  (that's control-a and then press c)
 $ echo hello world
 c-a c-a
 $ echo first window
 c-a c-a
 c-d
 c-d
 
 
 
 # Han
 

Screen is wonderful, even if you don't use it for this...  

Here are two resources I found helpful in learning it...

http://www.delorie.com/gnu/docs/screen/screen_toc.html
http://gentoo-wiki.com/TIP_Using_screen


-- 

Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT

p: 860.621.8693
e: [EMAIL PROTECTED]
w. http://www.explosivo.com



FYI: new mailing list anti-spam measures

2005-11-03 Thread Todd C. Miller
The mailing list server is now using several blacklists from the
SORBS project (http://www.sorbs.net) to prevent spam.  So far it
is using the SORBS zombie, spam, web form and dialup blacklists.

This does mean that people sending mail from a dynamic IP address
(cable modem, dynamic DSL or dialup) will need to relay messages
through their ISP's mail server.  This will probably have the biggest
impact on cable modem users running their own SMTP servers.

 - todd



Re: ibook+openbsd3.8

2005-11-03 Thread Eder M. G. A.
Thanks for everything guys :)

Best regards

Atte.

Eder



PERC4/DC Error

2005-11-03 Thread Tom Geman
I have a backup server (Dell PowerEdge 1850) attached to the Dell PowerVault 
220S.  The only function this server does is backing up remote servers 
throughout the day via rsync.


The 1850 uses RAID 1 via the embedded RAID controller (PERC 4e/Si, ami0).  
On this RAID 1 is a generic install of OpenBSD plus the rsync package.  The 
storage is connected via the expansion RAID controller (PERC 4/DC, ami1), 
and utilizes RAID 5 across 4 SCSI disks.


Unfortunately I am having a reoccurring problem: the connection with the Dual 
Channel RAID controller hangs, and I am unable to access the disks.  There 
is no kernel panic, I am able to log in and do anything, except access ami1.


I have tried 4 different snapshots from October, and an install from the 3.8 
CD, all ending with the same result.  The hang takes anywhere from 12 hours 
to 48 hours.  Also, each time it hangs I can't do a proper shutdown as the 
command shutdown -h now never completes.  For the meantime I just 
aggressively monitor its status and cold reboot it each time it hangs.


Is there any thing I can do for better system stability?  Is there any 
further information I can give that will allow developers insight into the 
problem?


Thanks.

ERROR LOGGED TO /var/log/messages
(this is the same error logged every time, sometimes the ccb # is different)
(sometimes it is ... ccb 58)

Nov  3 01:08:17 backup /bsd: ami1: timeout ccb 126
Nov  3 01:08:33 backup last message repeated 2 times
Nov  3 01:08:33 backup /bsd: ses0: status read error

DMESG (from snapshot Oct 31)

OpenBSD 3.8-current (GENERIC) #203: Fri Oct 21 12:35:57 MDT 2005
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,CNXT-ID

real mem  = 1073065984 (1047916K)
avail mem = 972574720 (949780K)
using 4278 buffers containing 53755904 bytes (52496K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/22/05, BIOS32 rev. 0 @ 0xffe90
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb140/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #9 is the last bus
bios0: ROM list: 0xc/0xb000! 0xcb000/0x1000 0xcc000/0x1000 
0xcd000/0x2200 0xcf800/0x2600 0xec000/0x4000!

ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7710 SMCH rev 0x09
ppb0 at pci0 dev 2 function 0 Intel E7710 MCH PCIE rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel IOP331 Channel 0 rev 0x06
pci2 at ppb1 bus 2
ami0 at pci2 dev 14 function 0 Dell PERC 4e/Di rev 0x06: irq 7 Dell 
16c/32b

ami0: FW 521S, BIOS vH430, 256MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
sd0: 69880MB, 69880 cyl, 64 head, 32 sec, 512 bytes/sec, 143114240 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 6 lun 0: PE/PV, 1x2 SCSI BP, 1.0 SCSI2 3/processor 
fixed

ppb2 at pci1 dev 0 function 2 Intel IOP331 Channel 1 rev 0x06
pci3 at ppb2 bus 3
ami1 at pci3 dev 11 function 0 Symbios Logic MegaRAID rev 0x01: irq 3 Dell 
518/64b/lhc

ami1: FW 351S, BIOS v1.10, 128MB RAM
ami1: 2 channels, 0 FC loops, 1 logical drives
scsibus2 at ami1: 40 targets
sd1 at scsibus2 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
sd1: 419700MB, 419700 cyl, 64 head, 32 sec, 512 bytes/sec, 859545600 sec 
total

scsibus3 at ami1: 16 targets
scsibus4 at ami1: 16 targets
ses0 at scsibus4 targ 6 lun 0: DELL, PV22XS, E.17 SCSI3 3/processor fixed
ppb3 at pci0 dev 4 function 0 Intel E7710 MCH PCIE rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 5 function 0 Intel E7710 MCH PCIE rev 0x09
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci6 at ppb5 bus 6
em0 at pci6 dev 7 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 11, 
address 00:14:22:17:c9:76

ppb6 at pci5 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci7 at ppb6 bus 7
em1 at pci7 dev 8 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 3, 
address 00:14:22:17:c9:77

ppb7 at pci0 dev 6 function 0 Intel E7710 MCH PCIE rev 0x09
pci8 at ppb7 bus 8
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 7
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, 

Problems booting with floppyC38.fs on Latitude CPx

2005-11-03 Thread daniel
I'm unable to use floppyC38.fs to boot my laptop.
It is a Dell latitude CPx J650GT with bios A16
I've tried different floppy disks with the same results.
I've tried floppyC38.fs from 3.8 release
I've tried floppyC38.fs from snapshots date 11/2/05
Using the exact same floppy i can boot my pc just fine.
Any ideas on what i need to do to get this laptop going?


Loading;..
probing: pc0 com0 com1 apm mem[639K 510M a20=on]
disk: fd0 hd0+*
 OpenBSD/i386 BOOT 2.10
boot
booting fd0a:/bsd: 3306020+195116=0x356d74
entry point at 0x100120

complete freeze at this point, can't hit the caps lock button
I only got this once. All other times have been as follows.


Loading;..
probing: pc0 com0 com1 apm mem[639K 510M a20=on]
disk: fd0 hd0+*
 OpenBSD/i386 BOOT 2.10
boot
booting fd0a:/bsd: 3306020read text
 failed(0). will try /obsd
boot
booting fd0a:/obsd: open fd0a:/obsd: No such file or directory
 failed(2). will try /bsd.old
boot
booting fd0a:/bsd.old: open fd0a:/bsd.old: No such file or directory
 failed(2). will try /bsd
boot
booting fd0a:/bsd: 3306020read text
 failed(0). will try /obsd
boot
booting fd0a:/obsd: open fd0a:/obsd: No such file or directory
 failed(2). will try /bsd.old
boot
booting fd0a:/bsd.old: open fd0a:/bsd.old: No such file or directory
 failed(2). will try /bsd
Turning timeout off.
boot



Re: OpenBSD Metastore

2005-11-03 Thread Daniel A. Ramaley
On Thursday 03 November 2005 08:59, Martin Schröder wrote:
On 2005-11-03 08:20:47 -0600, Jared Solomon wrote:
 The AOpen MiniPC measures 6.5 x 6.5 x 2 inches, is powered by an
 Intel Pentium M or Celeron M processor

http://www.heise.de/newsticker/meldung/65660

A MacMini is cheaper and runs OBSD.

That's not entirely accurate; though a Mac Mini will run OpenBSD, it is 
not cheaper. The original article that was posted gave a $399 price for 
the A-Open MiniPC. Apple lists their Mac Mini at $499. But, if you know 
a way to (legally) acquire a new Mac Mini for less than the $399 MiniPC 
price, I'd be very interested in hearing about it.


Dan Ramaley
Network Programmer/Analyst
(515) 271-4540
Dial Center 118, Drake University



carp incorrect hash debugging

2005-11-03 Thread Jon Hart
Greetings,

We've all probably had or seen the carp error similar to:

   carp0: incorrect hash

In most cases that I've seen on this and other lists it was because of
something obvious like a mismatched pass or two supposed carp partners
using different vhid's.

I've taken a look at the code but wanted to verify.  What pieces of
information are:

   1) used to determine that a particular carp packet is intended for
  your carp host?  

   2) given that a carp host knows that a particular carp packet is one
  that it cares about, how does it verify that all of the parameters
  contained within are legit?

I believe the answer to 1 is the version, type and vhid from the carp
packet.  2 I'm not so sure about, but I'm assuming that at least part of
this decision is based on the pass.  

I had a situation earlier today that I could not explain.  Put simply,
I had hosts A, B, C and D all on the same /24.  Hosts A and B were
a carp pair for 192.168.0.1 and hosts C and D were a carp pair for
192.168.0.4.  If A and B were using the same vhid as C and D, both ends
would complain about an incorrect hash.  Having never been in that
situation before, I figured the vhid's were clashing since the pass
happened to be the same on all 4 machines.  I destroyed carp0 and did
a 'sh /etc/netstart carp0'.  I was still getting the messages but they
seemed less frequent.  I worked on other things which required a reboot
and from then on, the messages were gone.  The two carp pairs have
functioned as expected ever since. 

Was my fix (prior to rebooting) the correct one?  If so, why did
I continue to get the incorrect hash messages?  Gremlins or operator
error?

If the answer to all this is to just ensure that if I ever have more
than one carp pair on the same network to ensure that I have different
vhids, does anyone have a vhid numbering scheme that they've found
workable?  I had been using interface number +1 (so the carp for em0
would be vhid 1, etc).

Any input would be much appreciated!

-jon



Re: PERC4/DC Error

2005-11-03 Thread Marco Peereboom
I'll start looking into this ASAP.

On Thu, Nov 03, 2005 at 02:17:12PM -0700, Tom Geman wrote:
 [snip]

Re: Can't make 3.7-stable release

2005-11-03 Thread Raymond Lillard

[EMAIL PROTECTED] wrote:

Hello!

   ...Same problem, again (it was already covered some time ago).
When I run the last step in building a release
(see http://www.openbsd.org/faq/faq5.html) , i.e.

  # make release

I get a message informing me that /dev/svnd0a is full. This occurs
while make is working with ramdiskC (exactly as the messages posted
last July).




C) Please don't flame--I'm just curious: In the mailing list
archives, I noticed this sort of problem has been around since
March (messages dated March 30). Why hasn't it yet been fixed? 


In the strictest of terms, a fix is impossible.  Think about
it a bit.  The problem could be mitigated a bit by dropping a
driver, but then it's not the same release, is it.  And then
there are the changes to the documentation, etc ...

I'm not going to take time to go back and check, but I think
I am the OP of the Mar 30 msg you refer to.  Just do what I
did, find a suitable work around (there are several) and get
on with the show.

Regards,
Ray



Re: Problems booting with floppyC38.fs on Latitude CPx

2005-11-03 Thread Joachim Schipper
On Thu, Nov 03, 2005 at 04:56:34PM -0500, daniel wrote:
 I'm unable to use floppyC38.fs to boot my laptop.
 It is a Dell latitude CPx J650GT with bios A16
 I've tried different floppy disks with the same results.
 I've tried floppyC38.fs from 3.8 release
 I've tried floppyC38.fs from snapshots date 11/2/05
 Using the exact same floppy i can boot my pc just fine.
 Any ideas on what i need to do to get this laptop going?


 Loading;..
 probing: pc0 com0 com1 apm mem[639K 510M a20=on]
 disk: fd0 hd0+*
  OpenBSD/i386 BOOT 2.10
 boot
 booting fd0a:/bsd: 3306020+195116=0x356d74
 entry point at 0x100120
 
 complete freeze at this point, can't hit the caps lock button
 I only got this once. All other times have been as follows.


 Loading;..
 probing: pc0 com0 com1 apm mem[639K 510M a20=on]
 disk: fd0 hd0+*
  OpenBSD/i386 BOOT 2.10
 boot
 booting fd0a:/bsd: 3306020read text
  failed(0). will try /obsd
 boot
 booting fd0a:/obsd: open fd0a:/obsd: No such file or directory
  failed(2). will try /bsd.old

It's always possible there is some weird kernel bug around, but I
remember seeing that when trying to boot with a defective floppy drive.
I.e., the floppy *drive* was shot. I binned quite a lot of floppies
before finally binning the drive. It was only 1-2 years old. I put in an
oldie (no clue just how old, scavenged it from a Pentium I system or
somesuch), and it booted just fine.

Of course, trying other floppies first might be cheaper...

If you already have OpenBSD on there, just get a new bsd.rd and boot
that - it's much easier.

Joachim



DNSSEC/SSHFP, getrrsetbyname(3), and resolv.conf(5)

2005-11-03 Thread jared r r spiegel
  holy hell this OS f'ckin rocks.

  so i waste a day and a half because i forgot to 
  do a 'dnssec-enable yes;' in named.conf, totally my fault.

  after i turn that on and setup named and my keys/zones
  right ( or unbreak them, after the day and a half of barking
  up the wrong tree... ), i find i have DNSSEC working for my SSHFP 
  records, as tested by dig ( i have 'ad' in the reply, and i get
  RRSIG records printed in my Answer Sections ).

  ssh, otoh, is still saying to me found NUM insecure fingerprints in DNS.

  i spend more time on it and read [1], and get to thinking, ok,
  how the hell does ssh know if my resolver verified the SSHFP/RRSIG/DNSSEC
  crap or not?  i thought it has to be in the data given back to
  ssh by the resolver.

  so i peek in /usr/src/usr.sbin/dns.c, and find the verify_host_key_dns
  function (?) and see it does some error checking and then it 
  runs 'getrrsetbyname'

  so, what the hell i say, 'man getrrsetbyname'.

  oh.  look.  there's a manpage.

  so in getrrsetbyname(3) i find:

---
 If the EDNS0 option is activated in resolv.conf(5), getrrsetbyname() will
 request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.
---

  ok, so i check resolv.conf(5) and find:

---
 options Allows certain internal resolver variables to be modified.
 The syntax is:

 options option ...

 where option is one of the following:

 debug  Sets RES_DEBUG in _res.options.

 edns0  attach OPT pseudo-RR for ENDS0 extension specified
in RFC 2671, to inform DNS server of our receive
buffer size.  The option will allow DNS servers to
take advantage of non-default receive buffer size,
and to send larger replies.  DNS query packets
with EDNS0 extension are not compatible with non-
EDNS0 DNS servers.  The option must be used only
when all the DNS servers listed in nameserver
lines are able to handle EDNS0 extension.
...
 The options keyword of a system's resolv.conf or resolv.conf.tail file
 can be amended on a per-process basis by setting the environment variable
 RES_OPTIONS to a space-separated list of resolver options as explained
 above.
---

  so i 'export RES_OPTIONS=edns0'
  
  and then:

---
$ ssh -vo verifyhostkeydns\ yes hk4801.hklocal.nodeless.net
OpenSSH_4.2, OpenSSL 0.9.7g 11 Apr 2005
...
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
---

   !

   thank you Jakob Schlyter

[1] - http://www.ietf.org/internet-drafts/draft-ietf-secsh-dns-05.txt

( i checked ftp://ftp.win.tue.nl/pub/linux-local/manpages/man-pages-2.13.tar.gz
  and it doesn't seem to have getrrsetbyname(3), though perhaps it goes
  by a different name over there.. ? )

-- 

  jared

[ openbsd 3.8 GENERIC ( oct 15 ) // i386 ]
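As an added example (not the poster's code and not OpenSSH's), the following Python models the decision ssh's verify_host_key_dns makes once getrrsetbyname() hands back SSHFP records: the fingerprint is the SHA-1 of the host key blob, and a match only counts as "secure" when the resolver flagged the RRset as validated, which it can only do if it asked for DNSSEC with the DO bit (the RES_OPTIONS=edns0 step above). The RSA key, the records and the validated flag are all constructed here.

```python
"""
Added example, not OpenSSH's code: offline model of the SSHFP check that ssh
performs after getrrsetbyname(3).  The 'validated' argument stands in for the
RRSET_VALIDATED flag the resolver sets only when it requested DNSSEC (DO bit).
"""
import base64
import hashlib
import struct

SSHFP_ALG_RSA = 1     # SSHFP algorithm number for RSA host keys
SSHFP_TYPE_SHA1 = 1   # SSHFP fingerprint type: SHA-1 over the key blob


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian bytes, extra 0x00 if MSB is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_pubkey_line(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa AAAA...' line from constructed e and n
    (the numbers are illustrative, not a real key)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def sshfp_from_pubkey(line: str):
    """What the SSHFP RR for this key carries: (alg, fptype, hex fingerprint).
    The fingerprint is SHA-1 of the base64-decoded key blob."""
    keytype, b64 = line.split()[:2]
    if keytype != "ssh-rsa":
        raise ValueError("example only handles ssh-rsa keys")
    blob = base64.b64decode(b64)
    return (SSHFP_ALG_RSA, SSHFP_TYPE_SHA1, hashlib.sha1(blob).hexdigest())


def verify_host_key_dns(pubkey_line: str, rrset, validated: bool):
    """Mirror ssh's accounting: every RR is counted as secure or insecure
    depending on the resolver's validated flag, and the key matches when one
    RR equals the computed fingerprint.  Returns (matched, secure, insecure,
    trusted); only a validated match lets ssh skip the host-key prompt."""
    want = sshfp_from_pubkey(pubkey_line)
    secure = insecure = 0
    matched = False
    for rr in rrset:
        if validated:
            secure += 1
        else:
            insecure += 1
        if rr == want:
            matched = True
    return matched, secure, insecure, matched and validated


def demo():
    """Constructed host key; same RRset seen with and without DNSSEC (DO)."""
    key = rsa_pubkey_line(65537, 0xC0FFEE1234567890ABCDEF)  # constructed
    rrset = [sshfp_from_pubkey(key)]
    with_do = verify_host_key_dns(key, rrset, validated=True)
    without_do = verify_host_key_dns(key, rrset, validated=False)
    print("debug1: found %d secure fingerprints in DNS" % with_do[1])
    print("debug1: found %d insecure fingerprints in DNS" % without_do[2])
    return with_do, without_do


if __name__ == "__main__":
    demo()
```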



/ never unmounts properly

2005-11-03 Thread Michael Favinsky
I just installed 3.8 on a server that never had OpenBSD on it. Whenever I
reboot, I get a warning that / wasn't unmounted properly. This is followed
by an fsck of / and bootup goes on as normal. All other filesystems are
clean.

I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
still shows that / wasn't unmounted properly. 

Am I doing something wrong? Is there anything that can be done to deal with
this?

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 399 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,
FXSR
real mem  = 267952128 (261672K)
avail mem = 237613056 (232044K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(62) BIOS, date 08/07/00, BIOS32 rev. 0 @ 0xfd83c
pcibios0 at bios0: rev 2.1 @ 0xfd740/0x8c0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 9
pcibios0: PCI Interrupt Router at 000:04:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xc8800/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX rev 0x03
pcib0 at pci0 dev 4 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 4 function 1 Intel 82371AB IDE rev 0x01: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, 1.5A SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 4 function 2 Intel 82371AB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power rev 0x02 at pci0 dev 4 function 3 not configured
ppb0 at pci0 dev 7 function 0 DEC 21152 PCI-PCI rev 0x03
pci1 at ppb0 bus 1
fxp0 at pci1 dev 3 function 0 Intel 82557 rev 0x05, i82558: irq 11,
address 00:90:27:87:61:16
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
siop0 at pci1 dev 4 function 0 Symbios Logic 53c895 rev 0x01: irq 15,
using 4K of on-board RAM
scsibus1 at siop0siop0: switching to single-ended mode
: 16 targets
ppb1 at pci0 dev 9 function 0 Intel i960 RP PCI-PCI rev 0x03
pci2 at ppb1 bus 2
ami0 at pci0 dev 9 function 1 Intel 80960RP ATU rev 0x03: irq 10 HP
438/32b
ami0: FW C.02.08, BIOS vB.02.04, 16MB RAM
ami0: 3 channels, 16 targets, 1 logical drives
scsibus2 at ami0: 1 targets
sd0 at scsibus2 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
sd0: 4066MB, 518 cyl, 255 head, 63 sec, 512 bytes/sec, 8327168 sec total
scsibus3 at ami0: 16 targets
scsibus4 at ami0: 16 targets
scsibus5 at ami0: 16 targets
vga1 at pci0 dev 13 function 0 Cirrus Logic CL-GD5446 rev 0x45
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ef65 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
WARNING: / was not properly unmounted



Re: / never unmounts properly

2005-11-03 Thread Fred Crowson

Michael Favinsky wrote:

I just installed 3.8 on a server that never had OpenBSD on it. Whenever I
reboot, I get a warning that / wasn't unmounted properly. This is followed
by an fsck of / and bootup goes on as normal. All other filesystems are
clean.

I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
still shows that / wasn't unmounted properly. 


Am I doing something wrong? Is there anything that can be done to deal with
this?


/snipped dmesg

Does:

#shutdown -r now

Give the same problem?

Fred



Re: / never unmounts properly

2005-11-03 Thread Han Boetes
Michael Favinsky wrote:
 I just installed 3.8 on a server that never had OpenBSD on it.

 OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005

That's not 3.8: 3.8-stable was compiled on September the 26th.



# Han



Re: / never unmounts properly

2005-11-03 Thread Ted Unangst
On 11/3/05, Michael Favinsky [EMAIL PROTECTED] wrote:
 I just installed 3.8 on a server that never had OpenBSD on it. Whenever I
 reboot, I get a warning that / wasn't unmounted properly. This is followed
 by an fsck of / and bootup goes on as normal. All other filesystems are
 clean.

 I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
 still shows that / wasn't unmounted properly.

running fsck -fy / in single user mode should fix it.  I never tracked
down why this seems to happen.



Re: / never unmounts properly

2005-11-03 Thread jared r r spiegel
On Thu, Nov 03, 2005 at 06:13:22PM -0700, jared r r spiegel wrote:
 On Thu, Nov 03, 2005 at 04:31:56PM -0800, Michael Favinsky wrote:
  I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
  still shows that / wasn't unmounted properly. 
  
  Am I doing something wrong? Is there anything that can be done to deal with
  this?
 
   it may help in diagnosis to also see contents of /etc/fstab and
   maybe outputs of fdisk/disklabel on the drive in question.

  please let me defer to tedu@ 

  jared



error : pkg_add analog-6.0.tgz / webalizer-2.01.10p2.tgz

2005-11-03 Thread MichaelBibby
hi all:
I use OpenBSD 3.8 release, but download packages from 
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/i386/.
When I install analog-6.0.tgz and webalizer-2.01.10p2.tgz, I get the 
same error message.
I ran pkg_info -K -L PKGNAME, but lib ttf.1.3 was not found.

Is there something wrong with my system?

# pkg_add analog-6.0.tgz
analog-6.0:libiconv-1.9.2p1: complete
analog-6.0:pcre-4.5p1: complete
analog-6.0:jpeg-6bp2: complete
analog-6.0:png-1.2.8: complete
analog-6.0:gd-2.0.33p2: complete
Can't install analog-6.0.tgz: lib not found ttf.1.3
Even by looking in the dependency tree:
libiconv-1.9.2p1, jpeg-6bp2, png-1.2.8, gd-2.0.33p2, pcre-4.5p1
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
#

# pkg_add webalizer-2.01.10p2.tgz
Can't install webalizer-2.01.10p2.tgz: lib not found ttf.1.3
Even by looking in the dependency tree:
jpeg-6bp2, libiconv-1.9.2p1, png-1.2.8, gd-2.0.33p2
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
#



Re: error : pkg_add analog-6.0.tgz / webalizer-2.01.10p2.tgz

2005-11-03 Thread Josh Grosse
On Fri, Nov 04, 2005 at 09:22:41AM +0800, MichaelBibby wrote:
 hi all:
    I use OpenBSD 3.8 release, but download packages from 
  ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/i386/.

You've missed FAQ 15.4.1:
---
15.4.1 - I'm getting all kinds of crazy errors. I just can't seem to get this 
ports stuff working at all.

It is very likely that you are using a system and ports tree which are not in 
sync.

Sorry?

...

* Do not check out a -current ports tree and expect it to work on a -release 
or -stable system. This is one of the most common errors and you will irritate 
people when you ask for help about why nothing seems to work!

* Because this is important to get right, we will rephrase it once more. If 
your system is -release, use the -release version of the ports tree. If your 
system is -stable, you need the -stable version of the ports tree. And finally,
if you follow -current, you need both a -current system and a -current ports 
tree. If you use X11 as part of your system, it must also follow the 
corresponding branch! 

Yes, this really does mean a wonderful new port will typically not work on 
your older system -- even if that system was -current just a few weeks ago.



Re: error : pkg_add analog-6.0.tgz / webalizer-2.01.10p2.tgz

2005-11-03 Thread Steve Shockley

MichaelBibby wrote:

hi all:
I use OpenBSD 3.8 release, but download packages from 
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/i386/.
When I install analog-6.0.tgz and webalizer-2.01.10p2.tgz, I get the 
same error message.
I ran pkg_info -K -L PKGNAME, but lib ttf.1.3 was not found.

Is there something wrong with my system?


Yes.  You're using snapshot packages with 3.8 Release.  Remove all your 
packages and reinstall from 
ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/ or a closer mirror.




Re: error : pkg_add analog-6.0.tgz / webalizer-2.01.10p2.tgz

2005-11-03 Thread MichaelBibby
sorry ,what a stupid question :(

and thanks 
Steve Shockley[EMAIL PROTECTED]
Josh Grosse[EMAIL PROTECTED]

^_^



Re: carp incorrect hash debugging

2005-11-03 Thread Ryan McBride
On Thu, Nov 03, 2005 at 06:11:20PM -0500, Jon Hart wrote:
1) used to determine that a particular carp packet is intended for
   you carp host?  

carp(4) does a number of validity checks before treating the packet as a
real carp packet:

- was the packet received on an interface that has a carp device on it?
- is the ttl 255 (prevents routed carp packets from being accepted)
- packet length
- crc32 checksum
- VHID
- Is the carp interface UP and RUNNING?
- version
- SHA-1 HMAC

2) given that a carp host knows that a particular carp packet is one
   that it cares about, how does it verify that all of the parameters
   contained within are legit?

It checks the HMAC, which contains the password, version, counter, type,
and the addresses.

[snip]

 If the answer to all this is to just ensure that if I ever have more
 than one carp pair on the same network to ensure that I have different
 vhids,

Yes, you MUST use a different vhid for different carp clusters on the
same link-local network; the MAC address for the carp interface is
generated from the vhid, and if you don't keep this unique your switch
will likely get confused.

  does anyone have a vhid numbering scheme that they've found workable?
  I had been using interface number +1 (so the carp for em0 would be
  vhid 1, etc).

In many situations, I use the last octet of the first virtual IP
address. (If your virtual IP is 192.168.0.23, use 23 as your vhid)
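The check sequence Ryan lists, as an added Python model written for this thread (it is not the carp(4) source and does not reproduce its wire format): the header layout, the field order fed into the HMAC, and the names CarpIface, build_advert and check_advert are all constructed for the example. It shows why the cheap checks (TTL, length, checksum, vhid, version) run before the HMAC is computed, and how a routed packet, a packet from another cluster, a wrong password, and a replayed packet with a modified counter are each rejected.

```python
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass

# Constructed model of a CARP advertisement; NOT the carp(4) wire format.
# Layout: version<<4|type (1 byte), vhid (1), counter (8), crc32 (4), HMAC-SHA1 (20)
HDR = struct.Struct("!BBQI")
HMAC_LEN = hashlib.sha1().digest_size   # 20 bytes
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1


@dataclass
class CarpIface:
    """Local carp state the receiver compares the packet against (constructed)."""
    vhid: int
    password: bytes
    addrs: list          # virtual addresses as raw 4-byte strings, covered by the HMAC
    up_running: bool = True


def carp_hmac(password, version, ptype, counter, addrs):
    """HMAC as the post describes it: keyed with the password and covering
    version, type, counter and the addresses. The field order is an assumption."""
    mac = hmac.new(password, digestmod=hashlib.sha1)
    mac.update(bytes([version, ptype]))
    mac.update(struct.pack("!Q", counter))
    for addr in addrs:
        mac.update(addr)
    return mac.digest()


def build_advert(password, vhid, counter, addrs, version=CARP_VERSION):
    """Build a model advertisement the way a master would send it."""
    ptype = CARP_ADVERTISEMENT
    head = HDR.pack((version << 4) | ptype, vhid, counter, 0)
    crc = zlib.crc32(head) & 0xFFFFFFFF          # checksum over header with crc field zeroed
    head = HDR.pack((version << 4) | ptype, vhid, counter, crc)
    return head + carp_hmac(password, version, ptype, counter, addrs)


def check_advert(pkt, ttl, iface):
    """Run the checks in the order the post lists them, cheapest first.
    Returns "ok" when the packet would be accepted, otherwise the name of
    the check that rejected it."""
    if iface is None:
        return "no carp device on receiving interface"
    if ttl != 255:                     # anything that crossed a router has ttl < 255
        return "ttl"
    if len(pkt) != HDR.size + HMAC_LEN:
        return "length"
    vt, vhid, counter, crc = HDR.unpack_from(pkt)
    if zlib.crc32(HDR.pack(vt, vhid, counter, 0)) & 0xFFFFFFFF != crc:
        return "checksum"
    if vhid != iface.vhid:             # a different cluster on the same link
        return "vhid"
    if not iface.up_running:
        return "interface not up/running"
    version, ptype = vt >> 4, vt & 0x0F
    if version != CARP_VERSION:
        return "version"
    expected = carp_hmac(iface.password, version, ptype, counter, iface.addrs)
    if not hmac.compare_digest(expected, pkt[HDR.size:]):
        return "hmac"                  # wrong password or a field changed after signing
    return "ok"


def demo():
    """Constructed scenario: one cluster (vhid 23, VIP 192.168.0.23) receiving packets."""
    vip = [bytes([192, 168, 0, 23])]
    iface = CarpIface(vhid=23, password=b"s3cret", addrs=vip)
    good = build_advert(b"s3cret", 23, 1000, vip)
    results = {
        "good": check_advert(good, 255, iface),
        "routed": check_advert(good, 254, iface),
        "truncated": check_advert(good[:-1], 255, iface),
        "other_cluster": check_advert(build_advert(b"s3cret", 24, 1000, vip), 255, iface),
        "old_version": check_advert(build_advert(b"s3cret", 23, 1000, vip, version=1), 255, iface),
        "wrong_password": check_advert(build_advert(b"guess", 23, 1000, vip), 255, iface),
    }
    # Replay the good packet with the counter bumped and the crc recomputed:
    # every cheap check passes, only the HMAC catches the modification.
    vt, vhid, counter, _ = HDR.unpack_from(good)
    head = HDR.pack(vt, vhid, counter + 1, 0)
    head = HDR.pack(vt, vhid, counter + 1, zlib.crc32(head) & 0xFFFFFFFF)
    results["modified_counter"] = check_advert(head + good[HDR.size:], 255, iface)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} -> {verdict}")
```

The ordering matters for a receiver on a busy link: a packet with the wrong vhid or a decremented TTL is discarded after reading a byte or two, and the SHA-1 HMAC is only evaluated for packets that already look like they belong to this cluster; compare_digest keeps the final comparison constant-time.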



Re: / never unmounts properly

2005-11-03 Thread Nick Holland
Han Boetes wrote:
 Michael Favinsky wrote:
 I just installed 3.8 on a server that never had OpenBSD on it.

 OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
 
 That's not 3.8: 3.8-stable was compiled on september the 26th.

Yes, that *is* 3.8.  That *is* what is on the CDs.  I have no idea what
you are babbling about here, 3.8-stable is only started to be maintained
on release day, Nov. 1, and running 3.8-release is very acceptable.


$ ftp -a ftp://rt.fm/pub/OpenBSD/3.8/i386/bsd
...
150 Opening BINARY mode data connection for 'bsd' (5281094 bytes).
100% |**|  5157 KB
...
$ config -ef bsd
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Enter 'help' for information
ukc

(yeah, a demo off the CD would be more impressive, but I seem to have
already misplaced my 3.8 CDs... 8-/  D'oh, there it is!)

$ sudo mount /dev/cd0a /mnt
$ cp /mnt/3.8/i386/bsd .
$ config -ef bsd
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Enter 'help' for information
ukc

Nick.



Re: / never unmounts properly

2005-11-03 Thread Han Boetes
Nick Holland wrote:
 Han Boetes wrote:
  Michael Favinsky wrote:
   I just installed 3.8 on a server that never had OpenBSD on it.
  
   OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
 
  That's not 3.8: 3.8-stable was compiled on september the 26th.

 Yes, that *is* 3.8. That *is* what is on the CDs.

Odd, the timestamps on the ftp-servers say september the 26th.


 I have no idea what you are babbling about here, 3.8-stable is
 only started to be maintained on release day, Nov. 1, and
 running 3.8-release is very acceptable.

What's that got to do with anything?




# Han



Re: preventing OS fingerprint

2005-11-03 Thread Shane J Pearson

Hi Damien,

On 04/11/2005, at 9:56 AM, Damien Miller wrote:

why care? fingerprinting is such a non-issue, and spending effort  
to avoid it is just security through obscurity.


Ignoring whether blocking NMAP scans is effective or not...

I agree that it is not good to rely on obscurity. But I don't see
anything wrong with obscuring a detail which people don't need to know.

What do you have to gain and what do you have to lose from holding
that info back? And what do you have to gain and what do you have to
lose from advertising it?

If someone wants to know what you are running, to ease their attack,
then why not make it a little harder for them? That extra time could
help you or a process detect the random attacks and work against the
attacker.

Not that there is much likelihood of a patched OpenBSD getting rooted
though. Conversely, I guess advertising OpenBSD could make them go away.
; )


Shane J Pearson



arpbalance bug?

2005-11-03 Thread Josh
Is this anything to be concerned about?

http://www.isrc.qut.edu.au/people/mbradfor/openbsd-carp-arpbalance.html



pf beginner: my firewall passes tcp but not icmp

2005-11-03 Thread Cameron Simpson
I'm setting up an OpenBSD 3.7 firewall for the first time.
I've been flailing at this all afternoon and have exhausted my ideas.

My ruleset looks like this (from pfctl -s rules):

[var/[EMAIL PROTECTED] pfctl -s rules
block return all
pass quick proto tcp from any to any port = ssh flags S/SA keep state
pass in quick proto icmp all keep state

It was more complex, but this is as simple as I can get it and demo the problem.
(I have also tried pass quick proto icmp all with no useful effect.)

With these rules in place and enabled, existing ssh sessions continue thanks
to their kept state, and new ssh connections work also.

However my pings, which work fine with pf disabled, get nothing back when I
enable pf (pfctl -e) and of course spring back into life with pfctl -d.

Does anyone have any idea what I'm doing wrong here?
Also, I have seen elsewhere in list archives debug output showing what rules
got applied. I have not found out how to produce such debugging myself.

I'm loading up the rules like this:

pfctl -F rules -v && pfctl -xm -f /etc/pf.conf -v && echo YES

What else can I do to further debug this?
-- 
Cameron Simpson [EMAIL PROTECTED] DoD#743
http://www.cskk.ezoshosting.com/cs/

What the hell, it's only 4 month's grant - I can live in a cardboard box, and
catch pigeons for food. After all, I've got raytracing to do!
- [EMAIL PROTECTED]



Re: / never unmounts properly

2005-11-03 Thread Ted Unangst
On 11/3/05, Han Boetes [EMAIL PROTECTED] wrote:
 Nick Holland wrote:
  Han Boetes wrote:
   That's not 3.8: 3.8-stable was compiled on september the 26th.
 
  I have no idea what you are babbling about here, 3.8-stable is
  only started to be maintained on release day, Nov. 1, and
  running 3.8-release is very acceptable.

 What's that got to do with anything?

it means that "3.8-stable was compiled on september the 26th" is wrong.

i also fail to see how this relates to fsck running after reboot.



OpenBSD CDROM layout definition, Copyright Infringement.

2005-11-03 Thread Siju George
Hi,

I been asked about

http://www.openbsd.org/faq/faq3.html#ISO

How is the Layout defined???

maybe Nick or Theo or some other responsible person could give an
authoritative answer so I can give it back to the person who asked me.
If the md5 sum of the ISO image of a custom made OpenBSD CD is
different from that of the md5 sum of the ISO image of the official CDROM,
then can it be considered different in layout???

Thank you so much

Kind Regards

Siju



Re: arpbalance bug?

2005-11-03 Thread Ryan McBride
On Sat, Nov 05, 2005 at 04:05:17AM +1300, Josh wrote:
 Is this anything to be concerned about?
 
 http://www.isrc.qut.edu.au/people/mbradfor/openbsd-carp-arpbalance.html

Only if you use arpbalance in a situation where it really matters (as
opposed to a situation where you use it because you think it's cool)

It will be fixed shortly:

http://marc.theaimsgroup.com/?l=openbsd-tech&m=113098794012511&w=2



Re: pf beginner: my firewall passes tcp but not icmp

2005-11-03 Thread Ryan McBride
On Fri, Nov 04, 2005 at 05:16:22PM +1100, Cameron Simpson wrote:
   [var/[EMAIL PROTECTED] pfctl -s rules
   block return all
   pass quick proto tcp from any to any port = ssh flags S/SA keep state
   pass in quick proto icmp all keep state
 ^^
How are the packets supposed to get OUT of the firewall? You have to
think of the traffic crossing both interfaces.


 (I have also tried pass quick proto icmp all with no useful effect.)

With the simple ruleset above, or something more complicated?
This should work (as should the above without the direction)

 Also, I have seen elsewhere in list archives debug output showing what rules
 got applied. I have not found out how to produce such debugging myself.

Add the 'log' keyword to at least your block rule, and maybe your pass
rules as well. Then do:

# tcpdump -vvvpleni pflog0 -s 1518

 I'm loading up the rules like this:
 
   pfctl -F rules -v && pfctl -xm -f /etc/pf.conf -v && echo YES

Don't explicitly flush the ruleset like this, pf does that for you and
with such a command you're running without any ruleset at all for at
least a moment, more if your new ruleset is buggy and fails to load.

 What else can I do to further debug this?

tcpdump on the pflog interface is probably the most powerful tool; you
can also look at pfctl -si to see if packets are being dropped for some
other reason than ruleset evaluation, and perhaps do tcpdump on the
physical interfaces you think the traffic should be crossing, to see if
it's maybe actually coming out on the other side but being dropped
elsewhere on your network.
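Ryan's two points, the missing outbound match for icmp and the log keyword, as a before/after pf.conf. This is an added example written for this thread, not a ruleset posted by either participant; it keeps the explicit keep state that 3.7 needs, and names no interfaces because the thread gives none.

```pf
# As posted: the tcp rule has no direction, so ssh is passed in and out,
# but icmp is only passed "in". Echo replies leaving the box, and pings
# forwarded out the far interface, match only "block return all" and are dropped.
block return all
pass quick proto tcp from any to any port ssh flags S/SA keep state
pass in quick proto icmp all keep state

# Corrected: either drop the direction, or add the matching "out" rule.
# "log" on the block rule makes every rejected packet visible on pflog0,
# which is where the rule-match debugging output comes from.
block return log all
pass quick proto tcp from any to any port ssh flags S/SA keep state
pass in  quick proto icmp all keep state
pass out quick proto icmp all keep state
```

Check syntax with pfctl -nf /etc/pf.conf and load with pfctl -f /etc/pf.conf; pf replaces the old ruleset atomically, so no separate flush is needed and there is no window with no rules. With the log keyword in place, tcpdump -vvvpleni pflog0 -s 1518 prints each blocked packet together with the number of the rule that matched it, and pfctl -si shows counters for packets dropped for reasons other than rule evaluation (bad checksums, state-table limits, and so on).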