Re: Unable to reach server in dmz. Whats wrong?

2006-01-20 Thread Jonas Lindskog
Abraham Al-Saleh wrote:

> On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:
>
>> Hello,
>>
>> We are using OpenBSD 3.8 as a firewall/router. We have two internal
>> nets; one with workstations (NAT) and one DMZ with a single server. And
>> thus we have three network interfaces installed in the router: one for
>> the NAT, one for the DMZ and one for the external net.
>>
>> Our ISP has given us a range of IP addresses (the ones below are
>> obfuscated ;)), which we can't change:
>>
>> Segment:            38.87.5.112 /28
>> net address:        38.87.5.112
>> gateway address:    38.87.5.113
>> firewall:           38.87.5.114
>> free static IPs:    38.87.5.115-126
>> broadcast address:  38.87.5.127
>> netmask:            255.255.255.240
>>
>> I have set up the DMZ with
>> net address: 38.87.5.120
>> Gateway:     38.87.5.121
>> Server:      38.87.5.122
>> netmask:     255.255.255.252
>>
>> To ensure that routing worked properly I just entered pass (and nat of
>> course) in the /etc/pf.conf file.
>>
>> I have no trouble connecting to the server at 38.87.5.122 from the
>> internal net where nat-addresses are used, but for some reason
>> I can't connect to the server from the outside. I thought it was a
>> routing problem but when I entered a port redirect from the gateway
>> (38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached
>> the server. I haven't got a clue what's wrong. Can anybody help to
>> explain this or have an idea of a workaround (I don't want the port
>> redirect)? Thanks in advance.
>>
>> /Jonas
>
> It would help if you attached your pf.conf, and relevant configuration
> files (hostname.if, for example)

OK, finally :) this is what my pf.conf and interfaces look like.

# 1. macros
if_ext=fxp0
if_int=bce0
if_dmz=re0
if_lo=lo0

icmp_types = echoreq
dmz_servers = {38.87.5.122}
services = {22, 8080, 8081}
internal_services ={2401}
reserved= { 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24 127.0.0.0/8, \
 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
 224.0.0.0/3, 255.255.255.255}

# 2. Tables
# No tables are defined

# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext

# 4. Packet normalization
scrub in all

# 5. Queueing is not done

# 6. Address translation
# The internal network has NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)

# Redirecting ports
# Port redirect to make ftp possible. See manual for OpenBSD
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22

# 7. Filtering
#allow loopback

# Block everything
block all

pass quick on if_lo all

# Antispoof
antispoof for { $if_lo, $if_ext, $if_int }

# Allow traffic in on our ssh-daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA keep state

# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in  on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state

# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any

#allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state

#Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
 user proxy flags S/SA keep state

# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state

# DMZ rules. As default we stop all traffic in to the dmz.
# To open up a service we use port forwarding in the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA keep state
pass out on $if_dmz proto tcp from any to any port internal_services flags S/SA keep state
pass in quick on $if_dmz proto tcp from $if_int to $dmz_servers port internal_services keep state

#pf.conf ends here

### interfaces 
hostname.fxp0
#external interface
inet 38.87.5.114 255.255.255.240 NONE


# more hostname.bce0
#internal interface
inet 192.168.97.254 255.255.255.0 NONE

# more hostname.re0
# dmz
inet 38.87.5.121 255.255.255.252 NONE
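
An added example, not part of the original post: a check of the addressing plan above that reports the DMZ /30 lying inside the external /28 and compares how the firewall and a neighbour on the external segment would each deliver a packet for the DMZ server. It assumes the ISP gateway uses the /28 netmask the ISP handed out; the workstation address and all function names are made up for the example.

```python
import ipaddress

# Interface addresses exactly as posted in hostname.fxp0 / hostname.re0 / hostname.bce0.
FIREWALL_IFACES = {
    "fxp0": ipaddress.ip_interface("38.87.5.114/255.255.255.240"),   # external
    "re0":  ipaddress.ip_interface("38.87.5.121/255.255.255.252"),   # DMZ
    "bce0": ipaddress.ip_interface("192.168.97.254/255.255.255.0"),  # internal (NAT)
}
DMZ_SERVER = ipaddress.ip_address("38.87.5.122")
# Assumption: the ISP gateway is configured with the /28 netmask from the post.
ISP_GATEWAY = ipaddress.ip_interface("38.87.5.113/255.255.255.240")
# Constructed sample workstation on the internal net (not from the post).
WORKSTATION = ipaddress.ip_interface("192.168.97.10/255.255.255.0")


def nested_networks(ifaces):
    """Return (inner, outer) interface names where inner's network lies inside outer's."""
    return [
        (a, b)
        for a, ia in ifaces.items()
        for b, ib in ifaces.items()
        if a != b and ia.network != ib.network and ia.network.subnet_of(ib.network)
    ]


def egress_interface(ifaces, dst):
    """Longest-prefix match over the connected networks; None if dst is not connected."""
    hits = [(i.network.prefixlen, name) for name, i in ifaces.items() if dst in i.network]
    return max(hits)[1] if hits else None


def delivery(sender, dst):
    """'on-link' if the sender's own netmask covers dst (it ARPs for dst itself),
    'off-link' if the sender hands the packet to a router instead."""
    return "on-link" if dst in sender.network else "off-link"


def split_view(ifaces, facing_if, neighbour, dst):
    """True when a neighbour on facing_if believes dst is on its own segment while
    the firewall reaches dst through a different interface. The neighbour's ARP
    request for dst then stays unanswered unless something on facing_if answers
    on behalf of dst."""
    shares_segment = neighbour.ip in ifaces[facing_if].network
    return (shares_segment
            and delivery(neighbour, dst) == "on-link"
            and egress_interface(ifaces, dst) != facing_if)


if __name__ == "__main__":
    for inner, outer in nested_networks(FIREWALL_IFACES):
        print(f"{inner} {FIREWALL_IFACES[inner].network} is inside "
              f"{outer} {FIREWALL_IFACES[outer].network}")
    print("firewall sends", DMZ_SERVER, "out", egress_interface(FIREWALL_IFACES, DMZ_SERVER))
    print("ISP gateway sees", DMZ_SERVER, "as", delivery(ISP_GATEWAY, DMZ_SERVER))
    print("workstation sees", DMZ_SERVER, "as", delivery(WORKSTATION, DMZ_SERVER))
    print("split view on fxp0:",
          split_view(FIREWALL_IFACES, "fxp0", ISP_GATEWAY, DMZ_SERVER))
```

The workstation result (off-link, so it goes through the firewall) matches the report in the post that internal clients reach the server without trouble.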



Re: windows - pf - inet - pf - ftpd [not working]

2006-01-20 Thread Stefan Kell
 --- Original Message ---
 From: Price, Joe [EMAIL PROTECTED]
 To: misc@openbsd.org
 Subject: windows - pf - inet - pf - ftpd  [not working]
 Date: Thu, 19 Jan 2006 17:36:02 -0500
 
 I have a problem that when a Windows client tries to connect to this ftp
 site, windows explorer returns 'The operation timed out'.
 
 
 
 The setup is, windows box behind a openbsd PF (NAT enabled) through the
 public internet to another openbsd PF (NAT enabled) which has a rdr rule
 to redirect to another openbsd machine behind it running ftpd.
 
 
 
 I'm assuming the problem exists on one of the firewalls, or both.. Is
 this something that ftp-proxy can fix?
 
 
 
 I know the ftp works because I can connect to it from the far end's
 openbsd box, just seems that I can't go through two NATs of PFs or
 something like that.
 
 
 
 Any help is appreciated.
 
 
 
 Thanks!
 

Have you tried passive ftp-mode in Windows explorer: extras -> internet
options -> extended?

Regards

Stefan Kell



Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-20 Thread Joakim Roubert
On 2006-01-19 18:49, Stuart Henderson wrote:

 CPU is fast enough that it wasn't horribly slow, but obviously not as
  good as it could be.  anything else - in my case, the next fastest
  is a celeron 2ghz (my asrock board has an opteron 146). I haven't
 seen any reliability problems with it, but I haven't worked it harder
 than a few cvs pulls and 'make build's.
[...]
 SuSE Linux seems to support the nic about the best. I don't see
 anything in FreeBSD cvsweb to indicate that their -current would be

First, I would like to say I am really grateful for your answers here!
Thanks a lot!
I managed to install FBSD on the machine (failed with OBSD, NBSD,
Debian, Knoppix and Trustix) which was good since I prefer a BSD on this
compared to e.g. SuSE.

Now I won't have to buy additional hardware for this one (but thanks
again for your ideas on that area), but I am about to choose H/W for a
server that _must_ run OpenBSD. Learning from the past, I am now
checking the M/B spec. and compare them to
http://www.openbsd.org/i386.html and http://www.openbsd.org/amd64.html.

I have found 4 available motherboards (socket 754, so the amd64 port
would be the best choice, I guess) at our provider, that might work;
the southbridges/all-in-one chips in those are, respectively:

* nVidia nForce 410 MCP
* nVidia nForce3 250
* VIA 8237R
* nVidia nForce4-4X

In the OBSD hardware list, I find

* NVIDIA nForce/nForce2/nForce2-400/nForce3/nForce3-250/nForce4
* VIA Technologies VT82C586/A/B, VT82C596A/B, VT82C686A/B, VT8231,
VT8366, VT8233, VT8235, VT8237

Which one do you think would be the safest bet here?

It would be good to be able to run the SATA disks, but perhaps the
safest bet of them all is to get regular ATA ones?

Regards,

/Joakim
-- 
 http://www.df.lth.se/~jokke/



CVSync servers not syncing?

2006-01-20 Thread Matthias Kilian
Hi,

is there some problem with the main CVSync? It seems that at least
some of the main CVSync servers don't sync since yesterday, about
21:00 GMT. I tried anoncvs{1,3}.usa.openbsd.org, cvsync.de.openbsd.org,
cvsync.openbsd.se.

Ciao,
Kili



Re: OpenBSD VMWare image too popular

2006-01-20 Thread Constantine A. Murenin
On 09/01/06, Shane J Pearson [EMAIL PROTECTED] wrote:
 Hello Julien,

 On 09/01/2006, at 7:26 PM, Julien Bonastre wrote:

  I can actually fully understand your disapproval at the idea of
  using a torrent to distribute this file, and I can also emphasise
  with your dislikening of trying to create some validation system
  for the image.

 But I don't disapprove of using BT for this. And I also don't disapprove
 of people using and enjoying that image. In fact, I think BT is great
 and is perfect for something that is large and popular.

 What I disapprove of, is seeing someone flaming someone else for a
 personal opinion. Especially when that someone being called an amateur
 is actually an OpenBSD developer.

And Bob is not just some long-away-in-the-cvs-tree developer, but a
system administrator of most official OpenBSD web-sites,
www.openbsd.org being an example of what he hosts (if my observations
are correct).

 Downloading OpenBSD in any form via BT is not for me. Unless of course
 the .torrent file, seed and checksums were from official OpenBSD
 sources. When I compare the checksum of the download, I want the source
 checksum to come from an authority. An email from Theo for example.

Hasn't there been some research which shows that checksum collisions
are entirely possible? :)

Cheers,
Constantine.



Re: OS FINGERPRINTS

2006-01-20 Thread Alexander Farber
http://www.openbsd.org/faq/pf/filter.html#osfp

On 1/20/06, G.Stefan [EMAIL PROTECTED] wrote:
   What i have to do if i want to allow o n l y  Windows OS to have access
   on the internet ?
   I know that OS FINGERPRINTS can help me but how ?



Re: OS FINGERPRINTS

2006-01-20 Thread Josh Grosse
On Fri, Jan 20, 2006 at 04:37:53AM -0800, G.Stefan wrote:
 Hello misc,
 
   What i have to do if i want to allow o n l y  Windows OS to have access
   on the internet ?
   I know that OS FINGERPRINTS can help me but how ?

From pf.conf(5), under OPERATING SYSTEM FINGERPRINTING:

 Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
 connection's initial SYN packet and guess at the host's operating system.
 Unfortunately these nuances are easily spoofed by an attacker so the
 fingerprint is not useful in making security decisions.  But the fingerprint
 is typically accurate enough to make policy decisions upon.

For more info, please see pf.conf(5), pf.os(5), pf(4), and the PF User's
Guide -- http://www.OpenBSD.org/faq/pf/index.html



IBM admits that Puffy is the best defense!

2006-01-20 Thread Shane J Pearson

Howdy,

http://www-8.ibm.com/e-business/au/operations/businesses.shtml? 
ca=auhomepageme=odbmet=051209defence


; )


Shane



Re: CVSync servers not syncing?

2006-01-20 Thread Lukasz Sztachanski
On Fri, Jan 20, 2006 at 01:31:06PM +0100, Matthias Kilian wrote:
 Hi,
 
 is there some problem with the main CVSync? It seems that at least
 some of the main CVSync servers don't sync since yesterday, about
 21:00 GMT. I tried anoncvs{1,3}.usa.openbsd.org, cvsync.de.openbsd.org,
 cvsync.openbsd.se.
 
As far as I see, main machine (anoncvs1.ca.openbsd.org) has locked up ;)



- Lukasz Sztachanski


-- 
0x058B7133 // 16AB 4EBC 29DA D92D 8DBE  BC01 FC91 9EF7 058B 7133
http://szati.blogspot.com
http://szati.entropy.pl



Re: OpenBSD 3.8 and IBM Blade HS20 boot CD

2006-01-20 Thread Bruno Carnazzi
I've got exactly the same problem. It seems that BladeCenter have an
unusual keyboard controller (switchable). I tried to boot with all
floppy disk, with external keyboard (USB and PS/2), different BIOS
settings and it never worked. I think the internal KVM is not
hardware transparent. I'm not sure but I think that NetBSD/i386
2.0.2 didn't boot either (can't remember). Also, critical pieces of
hardware are detected and configured : buses, cpu, ram, nic, scsi,
video... It's raging to be blocked by... the keyboard !! Hope it will
be supported some days...

Best regards,

Bruno.

On 1/18/06, Martin R. Sørensen [EMAIL PROTECTED] wrote:
 Hi... I hope that someone can help me, I'm new to OpenBSD and I'm trying to
 install 3.8 on an IBM blade server HS20. When I try to boot from the
 install CD or floppy I get an error saying: pckbc_start: send error and then
 it stops.

 I have disabled USB, but that didn't change anything

 So please help !!

 Regards
 Martin Sørensen



Re: OpenBSD 3.8, fxp, device timeout

2006-01-20 Thread Alexander Farber
Hi,

for comparison I have a similar PC at the same provider and
it works fine (I have fxp at irq 11 though, and use -current).

Also I had used the original floppy image to install OpenBSD:

wget ftp://ftp.de.openbsd.org/pub/snapshots/i386/floppy38.fs
dd of=/dev/hda if=floppy38.fs bs=1k count=1440

Sven, are you sure your fxp is not working? Maybe just your
network settings are wrong? Here are mine (stolen from Kili):

/etc/hostname.fxp0:
inet 81.169.186.XXX 255.255.255.255 NONE
!route add 81.169.186.1 -link \$if: -interface

/etc/mygate:
81.169.186.1

/etc/resolv.conf:
lookup file bind
nameserver 81.169.163.106
nameserver 81.169.163.104

Regards
Alex

PS: Here is my dmesg, works ok:

OpenBSD 3.8-current (GENERIC) #0: Mon Jan 16 10:28:09 CET 2006
[EMAIL PROTECTED]:/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 402169856 (392744K)
avail mem = 359624704 (351196K)
using 4278 buffers containing 20209664 bytes (19736K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(d0) BIOS, date 02/03/04, BIOS32 rev. 0 @ 0xfb330
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/240 (13 entries)
pcibios0: PCI Exclusive IRQs: 5 9 10 11 12
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82845 Host rev 0x04
ppb0 at pci0 dev 1 function 0 Intel 82845 AGP rev 0x04
pci1 at ppb0 bus 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x05
pci2 at ppb1 bus 2
fxp0 at pci2 dev 6 function 0 Intel 8255x rev 0x08, i82559: irq 11, address 00:30:48:53:3c:96
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 Intel 8255x rev 0x08, i82559: irq 10, address 00:30:48:53:3c:97
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
vga1 at pci2 dev 8 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x05
pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x05: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: IC35L060AVV207-0
wd0: 16-sector PIO, LBA48, 58644MB, 120103200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 Intel 82801BA SMBus rev 0x05: irq 9
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask f365 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
arpresolve: unresolved and rt_expire == 0


On 1/20/06, Sven Wolf [EMAIL PROTECTED] wrote:
 I've a server at the German hoster Strato and I try to install OpenBSD
 3.8 on this machine. But I always get a device timeout of the Intel Nic
 (because of a wrong irq assignment?)  :(

 Here is the dmesg output:

 OpenBSD 3.8 (RAMDISK) #9: Tue Jan  17 18:24:51 CET 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK
 cpu0: Intel(R) Celeron(R) CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
 ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
 real mem  = 536387584 (523816K)
 avail mem = 485179392 (473808K)
 using 4278 buffers containing 26923008 bytes (26292K) of memory
 mainbus0 (root)
 acpi0 at mainbus0: revision 0 attached
 acpitimer at acpi0 not configured
 acpi device at acpi0 from table DSDT not configured
 acpi device at acpi0 from table FACP not configured
 bios0 at mainbus0: AT/286+(c0) BIOS, date 05/27/03, BIOS32 rev. 0 @ 0xfb330
 apm0 at bios0: Power Management spec V1.2
 apm0: flags 70102 dobusy 1 doidle 1
 pcibios0 at bios0: rev 2.1 @ 0xf/0xdf84
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/240 (13 entries)
 pcibios0: PCI Exclusive IRQs: 5 10 11 12
 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371SB ISA rev 0x00)
 pcibios0: PCI bus #2 is the last bus
 bios0: ROM list: 0xc/0x8000 


Re: OpenBSD 3.8, fxp, device timeout

2006-01-20 Thread receive . mailinglists
Hi Alex,

I've written the floppy38.fs to my server via:

wget -O- wget ftp://ftp.de.openbsd.org/pub/snapshots/i386/floppy38.fs > /dev/hda
(within the rescue system). I also tried some customized
floppy-images (with custom kernel options)

and it boots fine ;) But my problem is, that the fxp (dualport) nic has
irq 12 assigned:

fxp0 at pci2 dev 6 function 0 Intel 82557 rev 0x08, i82559: irq 12,
address 00:30:48:52:c9:fc
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 Intel 82557 rev 0x08, i82559: irq 12,
address 00:30:48:52:c9:fd

and on your server the nic has assigned irq 10 and 11:

fxp0 at pci2 dev 6 function 0 Intel 8255x rev 0x08, i82559: irq 11,
address 00:30:48:53:3c:96
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 Intel 8255x rev 0x08, i82559: irq 10,
address 00:30:48:53:3c:97

and that's the problem :(

I've the same problem like:
http://readlist.com/lists/openbsd.org/misc/0/2302.html

but option PCIBIOS_INTR_FIXUP_FORCE didn't resolve my problem :(

Best regards,
Sven


 Hi,

 for comparison I have a similar PC at the same provider and
 it works fine (I have fxp at irq 11 though, and use -current).

 Also I had used the original floppy image to install OpenBSD:

 wget ftp://ftp.de.openbsd.org/pub/snapshots/i386/floppy38.fs
 dd of=/dev/hda if=floppy38.fs bs=1k count=1440

 Sven, are you sure your fxp is not working? Maybe just your
 network settings are wrong? Here are mine (stolen from Kili):

 /etc/hostname.fxp0:
 inet 81.169.186.XXX 255.255.255.255 NONE
 !route add 81.169.186.1 -link \$if: -interface

 /etc/mygate:
 81.169.186.1

 /etc/resolv.conf:
 lookup file bind
 nameserver 81.169.163.106
 nameserver 81.169.163.104

 Regards
 Alex

 PS: Here is my dmesg, works ok:



 On 1/20/06, Sven Wolf [EMAIL PROTECTED] wrote:
 I've a server at the German hoster Strato and I try to install OpenBSD
 3.8 on this machine. But I always get a device timeout of the Intel Nic
 (because of a wrong irq 

Re: connection to 3.8 box times out

2006-01-20 Thread Joachim Schipper
On Thu, Jan 19, 2006 at 05:41:11PM -0600, Igor Vilensky wrote:
 Greetings,
 
 This is my first post. Apologies if not everything is pro forma.
 
 I hope someone might help me with this issue.
 Ssh session and pinging 3.8 Generic running on Compaq Deskpro SB time out
 after 800 to 2400 when not actively using the box.
 You get 'No route to Host' message in ping or ssh session freezes.
 The box is connected to 4 port Belkin KVM switch on video and keyboard,
 regular PS2 mouse is plugged in.
 Re-plugging mouse wakes up the session/ping and it works for a little
 while.  Pressing keys on mouse makes no difference.
 Unplugging keyboard makes no difference, but connecting to Video and
 keyboard on KVM and hitting a key on a keyboard
 does wake up  OpenBSD so that it responds again.

Have you checked the BIOS for interesting options? This looks like the
BIOS shuts down the machine or some such.

Joachim



Ifstated question

2006-01-20 Thread Steven S
Greetings,

I'm trying to use ifstated to determine the state (up or down) of my two ISP
connections.  Currently I'm using ping, which I realize is imperfect, but
I'm getting some odd transitions.

For example, ISP2 is very unreliable and ifstated was in the ISP2down state.
From there, based on the config below, it transitioned to the ISP1down state
even though ISP2 was also down.  I would have expected it to transition to
the bothdown state.

Any thoughts or pointers would be appreciated.

-Steve S.

--- /etc/ifstated.conf
init-state bothup

ISP1 = '( "ping -q -c 1 -w 1 10.10.10.1 > /dev/null" every 15)'
ISP2 = '( "ping -q -c 1 -w 2 10.20.20.1 > /dev/null" every 15)'

state bothup {
    init {
        run "pfctl -a outbound -F rules -f /etc/pf.bothup.conf"
        run "mail -s 'FW1 says both ISPs up' root </dev/null"
    }
    if ! $ISP1
        set-state ISP1down
    if ! $ISP2
        set-state ISP2down
}
state ISP1down {
    init {
        run "pfctl -a outbound -F rules -f /etc/pf.ISP1down.conf"
        run "mail -s 'FW1 says ISP1 is down' root </dev/null"
    }
    if $ISP1
        set-state bothup
    if ! ($ISP1 || $ISP2)
        set-state bothdown
    if ! $ISP2
        set-state ISP2down
}
state ISP2down {
    init {
        run "pfctl -a outbound -F rules -f /etc/pf.ISP2down.conf"
        run "mail -s 'FW1 says ISP2 is down' root </dev/null"
    }
    if ! ($ISP1 || $ISP2)
        set-state bothdown
    if ! $ISP1
        set-state ISP1down
    if $ISP2
        set-state bothup
}
state bothdown {
    init {
        run "pfctl -a outbound -F rules"
        run "mail -s 'FW1 says ALL Internet is down' root </dev/null"
    }
    if $ISP2 && $ISP1
        set-state bothup
    if $ISP1
        set-state ISP2down
    if $ISP2
        set-state ISP1down
}



Re: OpenBSD 3.8, fxp, device timeout

2006-01-20 Thread receive . mailinglists
Hi Alex again,

in my opinion it's a nic problem and not a network settings problem,
because i also have tried to obtain the network configuration via dhcp
(like in the rescue system) with the same result - fxp0: device timeout

Best regards,
Sven

 Hi,

 for comparison I have a similar PC at the same provider and
 it works fine (I have fxp at irq 11 though, and use -current).

 Also I had used the original floppy image to install OpenBSD:

 wget ftp://ftp.de.openbsd.org/pub/snapshots/i386/floppy38.fs
 dd of=/dev/hda if=floppy38.fs bs=1k count=1440

 Sven, are you sure your fxp is not working? Maybe just your
 network settings are wrong? Here are mine (stolen from Kili):

 /etc/hostname.fxp0:
 inet 81.169.186.XXX 255.255.255.255 NONE
 !route add 81.169.186.1 -link \$if: -interface

 /etc/mygate:
 81.169.186.1

 /etc/resolv.conf:
 lookup file bind
 nameserver 81.169.163.106
 nameserver 81.169.163.104

 Regards
 Alex

 PS: Here is my dmesg, works ok:

 OpenBSD 3.8-current (GENERIC) #0: Mon Jan 16 10:28:09 CET 2006
 [EMAIL PROTECTED]:/sys/arch/i386/compile/GENERIC
 cpu0: Intel(R) Celeron(R) CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
 ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
 real mem  = 402169856 (392744K)
 avail mem = 359624704 (351196K)
 using 4278 buffers containing 20209664 bytes (19736K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(d0) BIOS, date 02/03/04, BIOS32 rev. 0 @
 0xfb330
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge unknown
 apm0: flags 70102 dobusy 1 doidle 1
 pcibios0 at bios0: rev 2.1 @ 0xf/0xdf84
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/240 (13 entries)
 pcibios0: PCI Exclusive IRQs: 5 9 10 11 12
 pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371SB ISA rev 0x00)
 pcibios0: PCI bus #2 is the last bus
 bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1000
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 Intel 82845 Host rev 0x04
 ppb0 at pci0 dev 1 function 0 Intel 82845 AGP rev 0x04
 pci1 at ppb0 bus 1
 ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x05
 pci2 at ppb1 bus 2
 fxp0 at pci2 dev 6 function 0 Intel 8255x rev 0x08, i82559: irq 11,
 address 00
 :30:48:53:3c:96
 inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
 fxp1 at pci2 dev 7 function 0 Intel 8255x rev 0x08, i82559: irq 10, address 00:30:48:53:3c:97
 inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
 vga1 at pci2 dev 8 function 0 ATI Rage XL rev 0x27
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x05
 pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x05: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
 wd0 at pciide0 channel 0 drive 0: IC35L060AVV207-0
 wd0: 16-sector PIO, LBA48, 58644MB, 120103200 sectors
 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
 pciide0: channel 1 disabled (no drives)
 ichiic0 at pci0 dev 31 function 3 Intel 82801BA SMBus rev 0x05: irq 9
 iic0 at ichiic0
 isa0 at ichpcib0
 isadma0 at isa0
 pckbc0 at isa0 port 0x60/5
 pckbd0 at pckbc0 (kbd slot)
 pckbc0: using irq 1 for kbd slot
 wskbd0 at pckbd0: console keyboard, using wsdisplay0
 pcppi0 at isa0 port 0x61
 midi0 at pcppi0: PC speaker
 spkr0 at pcppi0
 sysbeep0 at pcppi0
 lpt0 at isa0 port 0x378/4 irq 7
 lm0 at isa0 port 0x290/8: W83627HF
 npx0 at isa0 port 0xf0/16: using exception 16
 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
 pccom0: console
 pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
 biomask f365 netmask ff65 ttymask ffe7
 pctr: user-level cycle counter enabled
 dkcsum: wd0 matches BIOS drive 0x80
 root on wd0a
 rootdev=0x0 rrootdev=0x300 rawdev=0x302
 arpresolve: unresolved and rt_expire == 0


 On 1/20/06, Sven Wolf [EMAIL PROTECTED] wrote:
 I've a server at the German hoster Strato and I try to install OpenBSD
 3.8 on this machine. But I always get a device timeout of the Intel Nic
 (because of a wrong irq assignment?)  :(

 Here is the dmesg output:

 OpenBSD 3.8 (RAMDISK) #9: Tue Jan  17 18:24:51 CET 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK
 cpu0: Intel(R) Celeron(R) CPU 2.40GHz (GenuineIntel 686-class) 2.40
 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
 ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
 real mem  = 536387584 (523816K)
 avail mem = 485179392 (473808K)
 using 4278 buffers containing 26923008 bytes (26292K) of memory
 mainbus0 (root)
 acpi0 at mainbus0: revision 0 attached
 acpitimer at acpi0 not configured
 acpi device at acpi0 from table DSDT not configured
 acpi device at acpi0 from table FACP not configured
 bios0 at mainbus0: AT/286+(c0) BIOS, date 05/27/03, BIOS32 rev. 0 @
 0xfb330
 apm0 at bios0: Power Management 

Re: CVSync servers not syncing?

2006-01-20 Thread Alexander Farber
Maybe because they are tagging it 3.9?



Re: CVSync servers not syncing?

2006-01-20 Thread Jason Crawford
On 1/20/06, Alexander Farber [EMAIL PROTECTED] wrote:
 Maybe because they are tagging it 3.9?


Unless they decided to suddenly change how they release OpenBSD, they
most certainly are not. 3.9 has JUST moved to beta yesterday (or 2
days ago, I forget) and trust me, you don't want to tag early beta
code as release.

Jason



beginner question about faq 10.2

2006-01-20 Thread Jose Fragoso
Hi,

FAQ 10.2 explains how to duplicate a filesystem. I would like to put that 
one-liner in a shell script to be run periodically through crontab. I mean, I 
would like:

cd /SRC; dump 0f - . | (cd /DST; restore -rf - )

in a shell script.

Whenever this script is run, I see an error message like:

restore: cannot open /dev/tty: Device not configured

My question is:

Is there any way to do this dump/restore in a shell script without the use of a 
temporary filesystem?

Thanks in advance

Best regards,

José






Re: beginner question about faq 10.2

2006-01-20 Thread Alexandre Ratchov
On Fri, Jan 20, 2006 at 10:40:03AM -0500, Jose Fragoso wrote:
 Hi,
 
 FAQ 10.2 explains how to duplicate a filesystem. I would like to put
 that one-liner in a shell script to be run periodically through
 crontab. I mean, I would like:
 
 cd /SRC; dump 0f - . | (cd /DST; restore -rf - )
 
 in a shell script.
 
 Whenever this script is run, I see an error message like:
 
 restore: cannot open /dev/tty: Device not configured
 

imho, you can just ignore this message. However, sometimes dump tries
to interactively ask (on the terminal) to change the tape; but cron(8)
doesn't have a terminal. I'd suggest you use the '-a' option of
dump(8) to avoid this problem.

 My question is:
 
 Is there any way to do this dump/restore in a shell script without
 the use of a temporary filesystem?


i don't think so.

-- 
Alexandre



Re: windows - pf - inet - pf - ftpd [not working]

2006-01-20 Thread Price, Joe
FYI, I am in passive mode.

From: Price, Joe
Sent: Thursday, January 19, 2006 5:36 PM
To: 'misc@openbsd.org'
Subject: windows - pf - inet - pf - ftpd [not working]

I have a problem that when a Windows client tries to connect to this ftp
site, windows explorer returns 'The operation timed out'.

The setup is, windows box behind an openbsd PF (NAT enabled) through the
public internet to another openbsd PF (NAT enabled) which has a rdr rule
to redirect to another openbsd machine behind it running ftpd.

I'm assuming the problem exists on one of the firewalls, or both.. Is
this something that ftp-proxy can fix?

I know the ftp works because I can connect to it from the far end's
openbsd box, just seems that I can't go through two NATs of PFs or
something like that.

Any help is appreciated.

Thanks!



Re: IBM admits that Puffy is the best defense!

2006-01-20 Thread Roger Neth Jr
On 1/20/06, Shane J Pearson [EMAIL PROTECTED] wrote:
 Howdy,

 http://www-8.ibm.com/e-business/au/operations/businesses.shtml?
 ca=auhomepageme=odbmet=051209defence

 ; )


 Shane



Hello, I think that ad is a negative connotation on puffy.

rogern

John 3:16



Re: beginner question about faq 10.2

2006-01-20 Thread Roy Morris
 Hi,
 
 FAQ 10.2 explains how to duplicate a filesystem. I would like 
 to put that one-liner in a shell script to be run 
 periodically through crontab. I mean, I would like:
 
 cd /SRC; dump 0f - . | (cd /DST; restore -rf - )
 
 in a shell script.
 
 Whenever this script is run, I see an error message like:
 
 restore: cannot open /dev/tty: Device not configured
 
 My question is:
 
 Is there any way to do this dump/restore in a shell script 
 without the use of a temporary filesystem?
 
 Thanks in advance
 
 Best regards,
 
 José

Hmm quick look it looks like you should use dump -0af - 

but do some testing yourself .. 

Rm
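
The replies in this thread point at dump's -a flag for unattended runs. As an added example (not taken from FAQ 10.2 or from any poster), here is the one-liner wrapped for cron; the function name dup_fs, the script path in the crontab comment and the marker-file status check are assumptions of this example.

```shell
#!/bin/sh
# Added example: cron-safe form of the FAQ 10.2 one-liner discussed above.
# dup_fs and the script path below are illustrative names.

dup_fs() {
    src=$1
    dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "dup_fs: $src or $dst is not a directory" >&2
        return 2
    fi

    # A pipeline only reports the exit status of its last command, so the
    # dump side records its own success in a marker file.
    marker=$(mktemp) || return 2
    rc=0

    # dump:    -0 full dump, -a no tape-length handling, -f - write to stdout;
    #          stdin comes from /dev/null because cron has no terminal.
    # restore: -r rebuild the tree in the current directory, -f - read stdin.
    # "cd ... &&" keeps either side from running in the wrong directory,
    # which "cd /DST; restore" would do if /DST were missing.
    ( cd "$src" && dump -0af - . </dev/null && echo ok >"$marker" ) |
        ( cd "$dst" && restore -rf - ) || rc=1

    [ -s "$marker" ] || rc=1
    rm -f "$marker"
    [ "$rc" -eq 0 ] || echo "dup_fs: copy of $src to $dst failed" >&2
    return "$rc"
}

# Called with two arguments, e.g. from root's crontab:
#   30 3 * * * /usr/local/sbin/dup_fs.sh /SRC /DST
if [ "$#" -eq 2 ]; then
    dup_fs "$1" "$2"
fi
```

A non-zero exit status makes cron mail the error line to the job's owner, so a failed copy does not go unnoticed.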



Partition sizing

2006-01-20 Thread M...
Hello.

I'm playing with OpenBSD 3.8 and would like some
comments/advice on partitioning.
I have a 500MHz test machine, 256MB RAM, 4GB H/D,
100/1Gb intel ethernet card.

Most of the examples show separate partitions for

/
/tmp
/var
/usr
/home

I want to run a mail server (20 users),
(spamassassin/clamav) mailing list server (20 lists),
ftp and web servers, (maybe 100MB or so of data)
adding them in and seeing how it handles the load.

I was thinking of doing

/ = 500MB
/tmp - 100MB
/usr - 1GB
/var - 1GB
/home - 1.4GB

or should I just have a root and home partitions ?

I'm not really sure about the sizing for /tmp or /var
so I want to be economical with the limited space.

Opinions please.

Thanks in advance.



Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-20 Thread Travers Buda
On Friday 20 January 2006 08:02, Stuart Henderson wrote:
 I'll defer to anyone that has one..! 8237_R_ isn't listed, though
 8237 is. I don't know whether the difference is enough to stop it
 from working...VIA usually get recommended when the topic of amd64
 boards comes up (you'll find a few posts in the archives about this).

I think the only real difference between the 8237 and the 8237R is the 
ability to asynchronously clock the cpu bus and the AGP/PCI busses. 

Travers Buda



Re: Partition sizing

2006-01-20 Thread Nick Holland
On Fri, Jan 20, 2006 at 10:29:51AM -0800, M... wrote:
 Hello.
 
 I'm playing with OpenBSD 3.8 and would like some
 comments/advice on partitioning.
 I have a 500MHz test machine, 256MB RAM, 4GB H/D,
 100/1Gb intel ethernet card.
 
 Most of the examples show separate partitions for
 
 /
 /tmp
 /var
 /usr
 /home
 
 I want to run a mail server (20 users),

20 users of text mail?
20 users of PDF scanned legal documents?

 (spamassassin/clamav) mailing list server (20 lists),
 ftp and web servers, (maybe 100MB or so of data)
 adding them in and seeing how it handles the load.
 
 I was thinking of doing
 
 / = 500MB

too big.  150MB will do it VERY nicely.  200MB if you think I'm
being too tight.  70M will do fine, too. :)

 /tmp - 100MB

Paranoia makes me make that bigger, usually 200M, though I can't think
of a reason why on your app.

 /usr - 1GB

keep in mind, that's too small for building, but great for binaries.

 /var - 1GB

sounds big...

 /home - 1.4GB

sounds VERY big...
What are you putting in /home? 

 or should I just have a root and home partitions ?

Not if you are planning on doing something other than testing.

 I'm not really sure about the sizing for /tmp or /var
 so I want to be economical with the limited space.
 
 Opinions please.

Suggestion 1: Quit assuming your first install will be your last.
Install, look around, see how it works, adjust, try again, adjust,
try again. repeat until (done);

Figure out your OWN needs, don't ask others.  We don't know, and
more importantly, it's your job/reputation on the line.

Suggestion 2: Quit trying to allocate all your disk space.  Leave some
empty space at the end that you can move into if you need to.  Make var
and home 500M ea., leave a gig or so free, put /var at the end of
allocated space, if you find out you made /var too small (most likely),
growfs it.  If you find /home is too small, move into the 1G space. 

Nick.



Re: Partition sizing

2006-01-20 Thread David Higgs
See FAQ 4.6.
http://www.openbsd.org/faq/faq4.html#SpaceNeeded

You forgot the swap partition.  Also, your / is probably way overkill.
I haven't run a production mail/list/ftp server, so I can't speak for
the remaining estimates.

--david

On 1/20/06, M... [EMAIL PROTECTED] wrote:
 Hello.

 I'm playing with OpenBSD 3.8 and would like some
 comments/advice on partitioning.
 I have a 500MHz test machine, 256MB RAM, 4GB H/D,
 100/1Gb intel ethernet card.

 Most of the examples show separate partitions for

 /
 /tmp
 /var
 /usr
 /home

 I want to run a mail server (20 users),
 (spamassassin/clamav) mailing list server (20 lists),
 ftp and web servers, (maybe 100MB or so of data)
 adding them in and seeing how it handles the load.

 I was thinking of doing

 / = 500MB
 /tmp - 100MB
 /usr - 1GB
 /var - 1GB
 /home - 1.4GB

 or should I just have a root and home partitions ?

 I'm not really sure about the sizing for /tmp or /var
 so I want to be economical with the limited space.

 Opinions please.

 Thanks in advance.



Re: OpenBSD for Sun Cobalt Qube3

2006-01-20 Thread Bob Bostwick \(Lists\)
I've done several RAQ2 installs, and have them in production as well.  I
have a RAQ3 but could not get it to run anything but linux.  I have
rebuilt it several times, but only succeeded with RH.  I had to remove
the HD for this install, and I assume you could get OBSD installed in
the same way.  I failed in my attempts to do so, but still think it
could be done, maybe.  I seem to recall having to use a specialized
kernel in that box as well.  In any case, moving the hd to another pc
for install is the way to go. 

Good luck.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Daniel Ouellet
Sent: Thursday, January 19, 2006 4:08 PM
To: Wolfgang Kess
Cc: misc@openbsd.org
Subject: Re: OpenBSD for Sun Cobalt Qube3

Wolfgang Kess wrote:
 Hi,
 
 can you give me some advice how to install OpenBSD 
 on a Sun Cobalt Qube 3, please?
 
 The Cube comes without cdrom or fd and no display
 
 I read about the PXE installation 
 http://www.openbsd.org/faq/faq6.html#PXE 
 
 
 What kind of installation method do you recommend?
 
 
 Regards
 Wolfgang
 
 The Cube outdated Linux dmesg:

I don't think it would work at all as the Cobalt always had their own
hardware handling stuff. Plus to load it, you need a restore CD.

If you really want to play with this and see if that can even load, even
if I think it would not, you can start by making your restore CD based
on the instructions here:

http://netbsd.org/Ports/cobalt/restorecd-howto.html

I did work with Denis and Alex to test it on the Cobalt RaQ 2. So,
that's only a start, but you are really on your own.

The thing is that for the Cobalt, after it is loaded, you rlogin in the
box to finish the configuration, but that's because the kernel is designed
that way for that box. In this case it wouldn't work. Assuming you can
ever get the box to netboot and that it would actually detect the
hardware properly, then you would need to build a configuration that
would make the box in a working state for you to then access it. Usually
you can do this via the console, but again, I don't think it would work
out of the box on the console, but the only way to know is to try it.

I loaded NetBSD on plenty of Cobalt RaQ2 boxes

http://openbsdsupport.org/netbsd/

But that's not going to do much for you in here. The Cobalt RaQ 2 is
MIPS based and the RaQ 3 is i386 based.

Good luck however. Would be nice to have it working in, but I don't
know.



Re: Partition sizing

2006-01-20 Thread Eric Johnson
On Fri, 20 Jan 2006 22:08:47 +0100
Matthias Kilian [EMAIL PROTECTED] wrote:

 What about /var/spool/mail or, for example, /var/spool/uucp? Yes,
 I may be oldfashioned, but IMHO the first filesystem that fills up
 is always /var.

For my mail server, I created a /var/mail partition of 10 GB.  It is
currently about 40% full.

We don't restrict mailbox size for our users, but if a mailbox is
getting too full, we back it up, remove it, and notify the user how he
can get a backup copy.  So far, no one has ever asked for a backup copy.

Eric Johnson



Re: Partition sizing

2006-01-20 Thread M...
--- Nick Holland [EMAIL PROTECTED] wrote:

 Suggestion 2: Quit trying to allocate all your disk space.  Leave some
 empty space at the end that you can move into if you need to.  Make var
 and home 500M ea., leave a gig or so free, put /var at the end of
 allocated space, if you find out you made /var too small (most likely),
 growfs it.  If you find /home is too small, move into the 1G space.
 
 Nick.

Thanks to Nick and others, I have an update.  I left
out SWAP as well.

/ - 200MB
/swap - 200MB ?
/tmp - 200MB
/usr - 1.5GB
/home - 500MB
/var - 500MB

Rest spare for later.  Oh, I'm going to use qmail and
ezmlm for the mail and list server so email will be
delivered into their home directory using  Maildir.

I know swap used to be 2x the memory, but does that
still hold with 256MB RAM installed ? as opposed to
years ago with 32MB or 64MB ?

Thanks for the hints/suggestions



isakmpd ocsp lookups for revoked x509 certs ?

2006-01-20 Thread Thomas Hannan

Hi all,

Looking at seeing if there's any decent way of getting isakmpd to 
perform OCSP lookups to verify that a potential IPSec client's 
certificate is currently not revoked before allowing them to authenticate.


I looked through the archives, and there was one link to someone's 
procedural guide to handling terminating employees (manually updating a 
CRL and distributing), and one link to a PDF that no longer exists. I'd 
like to roll out PKI for a network with quite a few VPN concentrators 
running OpenBSD and SonicWalls without completely losing my mind as far 
as handling revoked X509 certificates.


man isakmpd.conf yields nothing, isakmpd.policy yields nothing obvious, 
nor does keynote


If this is possible and I've missed it, please let me know your 
experience or any pointers on where to best RTFM.


Thanks!



MRTG/RRD font size

2006-01-20 Thread Paul Connally
Weird thing I can't seem to figure out...

Is there a reason that the font sizes (and graphs themselves) on the graphs
created via MRTG/RRD would be small and ugly due to using the pre-compiled
package vs a compiled from source implementation of the RRDtool package?

On a number of boxes (OpenBSD 3.5 to 3.8), I see this consistently.  For
example, I have the pre-compiled package for the OS version for MRTG (ex:
mrtg-2.10.13 on 3.5, mrtg-2.12.2 on 3.8).  On one box I use the pre-compiled
RRDtool package, rrdtool-1.0.49, and on another I use a compiled from
source RRDtool (same version, rrdtool-1.0.49; I guess it doesn't change
much from one to another).  On the box that has the 'compiled from source'
RRD, the graphs created have normal, easily read letters and numbers (the
'bits per second' thing on the left side of the graph, or the 10/20/30Mb/s
levels, etc), but on the box with the package version of RRD, the letters
are very tiny and squished together.  Also, the graphs themselves seem to be
larger, and/or seem to resize themselves based on the monitor size; on the
box with the packaged RRD, they stay tiny regardless if the video card
setting is 800x600 or 1280x1024.

This is easily replicated across different hardware.

There's not any diff I can see in regards to installed fonts.  In fact,
the box that has a pretty set of graphs has fewer installed font (and
otherwise) packages.

Here's some of the particulars:

Box with pretty MRTG fonts and graphs:
1) OpenBSD 3.5
2) MRTG installed via package
3) RRDtool compiled locally (1.0.49)

List of all pre-compiled installed packages:
arping-1.07         ARP level ping utility
bash-2.05b          GNU Bourne Again Shell
fping-2.2b1         quickly ping N hosts w/o flooding the network
freetype-1.3.1p1    free and portable TrueType font rendering engine
gd-1.8.3            graphics library for fast PNG creation
gettext-0.10.40p1   GNU gettext
jpeg-6b             IJG's JPEG compression utilities
libiconv-1.9.1      character set conversion library
libnet-1.0.2a       raw IP packet construction library
login_ldap-3.3      provide ldap authentication type
mrtg-2.10.13        multi-router traffic grapher
nmap-3.50-no_x11    scan ports and fingerprint stack of network hosts
ntp-4.1.74          network time protocol implementation
openldap-client-2.1.27 Open source LDAP software (client)
p5-Pod-Escapes-1.03 library to resolve perl Pod escape sequences
p5-Pod-Simple-2.05  framework for parsing the Perl Pod format
p5-SNMP_Session-0.99 provides rudimentary access to remote SNMP agents
pcre-4.5            perl-compatible regular expression library
pftop-0.4           curses-based real time state and rule display for pf
pine-4.58           program for Internet E-mail and News
pktstat-1.7.3b      network traffic viewer
png-1.2.5p2         library for manipulating PNG images
tacacs+-4.0.4ap0    Cisco AAA protocol daemon
ucd-snmp-4.2.6      extendible SNMP implementation
wget-1.8.2          retrieve files from the 'net via HTTP and FTP


Box with UGLY MRTG fonts and graphics:
1) OpenBSD 3.8
2) MRTG installed via package
3) RRDtool installed via package

List of all pre-compiled installed packages:
bash-3.0.16p1       GNU Bourne Again Shell
cvsweb-2.0.6p1      WWW CGI script to browse CVS repository trees
esound-0.2.34       sound library for Enlightenment
expect-5.43.0       sophisticated scripter based on Tcl/Tk
fping-2.2b1         quickly ping N hosts w/o flooding the network
freetype-1.3.1p1    free and portable TrueType font rendering engine
gd-1.8.3            graphics library for fast PNG creation
gettext-0.10.40p3   GNU gettext
glib-1.2.10p0       useful routines for C programming
gtk+-1.2.10p3       General Toolkit for X11 GUI
jpeg-6bp2           IJG's JPEG compression utilities
libaudiofile-0.2.6  SGI audiofile library clone
libiconv-1.9.2p1    character set conversion library
mozilla-firefox-1.0.6p3 redesign of Mozilla's browser component
mozilla-thunderbird-1.0.6 redesign of the integrated Mozilla App-Suite mail component
mrtg-2.12.2         multi-router traffic grapher
mysql-client-4.0.24 multithreaded SQL database (client)
nagios-2.0b4p0      host and service monitor
nagios-plugins-1.4.1 nagios base plugins
nagios-plugins-fping-1.4.1p0 fping plugin
nagios-plugins-mysql-1.4.1p0 mysql plugin
nagios-plugins-snmp-1.4.1p0 plugins using snmp
nagios-web-2.0b4    cgis and webpages for nagios
ncftp-3.1.9         ftp replacement with advanced user interface
net-snmp-5.1.3p0    extendable SNMP implementation
p5-Crypt-DES-2.03   interface to the DES encryption algorithm
p5-Digest-HMAC-1.01 interface to HMAC Message-Digest Algorithms
p5-Digest-SHA1-2.10 module to calculate SHA1 digests
p5-Net-SNMP-4.0.3   Perl modules to access SNMP
p5-Pod-Escapes-1.04 library to resolve perl Pod escape sequences
p5-Pod-Simple-3.02  framework for parsing the Perl Pod format
p5-SNMP_Session-1.07 provides rudimentary access to remote SNMP agents
pine-4.63           program for Internet E-mail

Re: Partition sizing

2006-01-20 Thread Han Boetes
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      118M   56.8M   55.5M    51%    /
/dev/wd0d     98.3M    8.0K   93.4M     0%    /tmp
/dev/wd0e      490M   91.4M    374M    20%    /var
/dev/wd0f     49.4M    1.5M   45.4M     3%    /var/qmail
/dev/wd0g      3.8G    1.5G    2.2G    40%    /usr
/dev/wd0h     70.5G   64.3G    2.7G    96%    /home



# Han



Re: 3.8 panic on boot (rd0)

2006-01-20 Thread Charles Sprickman
Leaving the history intact, following up below.  An offlist reply 
suggested trying a more recent snapshot of -current.  It also panicked in 
the same place.


On Sat, 7 Jan 2006, Kenneth R Westerback wrote:


On Sat, Jan 07, 2006 at 03:23:15PM -0500, Charles Sprickman wrote:

Hello all,

I have an older i386 pc that I've been using as my home firewall for some
years now.  It currently runs 3.3 and I was hoping to do an upgrade, so I
did go ahead and buy the full CD set (impressive packaging, btw) after
having trouble with boot floppies (marginal drive) and the boot CD ISO.

However, the kernel panics every time I try and boot the 3.8 CD.  I've
also tried 3.7, 3.6 and 3.5 boot CDs that I downloaded from the OpenBSD
ftp server.  Hardware seems fine; I ran memtest86+ for a day and it did
about 30 passes with no errors, I tried different CD-ROM drives, different
IDE cables, removed all network cards, etc., but still it panics in the
same place (right after rd0: fixed, 3800 blocks).  CPU is an AMD
K6-2-500 clocked down to 300 - temperature is fine (about 110F), mainboard
is an old Epox.

On the suggestion of a bsdforums.org user, I tried downloading bsd.rd and
booting that from the 3.3 install, and that failed.  I'm guessing it has
something to do with the exec format changing; perhaps the old loader
doesn't understand the new kernel exec format?

rebooting...
boot /bsd.rd
booting hd0a:/bsd.rd:  failed(79). will try /obsd
boot ls bsd.rd
-rwxr-xr-x 0,0  4658297 hd0a:bsd.rd
boot ls obsd
-rwxr-xr-x 0,0  2487309 hd0a:obsd
boot

...snip...

gw# cd /
gw# file bsd.rd
bsd.rd: ELF 32-bit LSB executable, Intel 80386, version 1, statically
linked, not stripped
gw# file obsd
obsd: OpenBSD/i386 demand paged executable not stripped
gw#

I have this thing hooked up via serial now, so if someone can point me in
the right direction (how to get a dump when booting from CD, how to look
at that dump, etc.), I will gladly do so.  I have also included the 3.3
dmesg below.

Thanks,

Charles

_


I'd suggest trying a 3.8 snapshot as well, to make sure it hasn't
already been fixed in -current.


I grabbed a snapshot from 1/19 today and burned the mini cd boot iso.

Same thing.  Where do I go from here to troubleshoot this?  It does panic, but 
I'm not sure how to get a dump when booting off of cd.


Thanks,

Charles

latest boot messages follow, then the older boot messages from 3.8 are still 
intact below.


boot
booting cd0a:/3.9/i386/bsd.rd: 4429460+740764 [52+154592+141324]=0x5369c4
entry point at 0x100120

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 3.9-beta (RAMDISK_CD) #1001: Thu Jan 19 12:49:57 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 301 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 133799936 (130664K)
avail mem = 116531200 (113800K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ee) BIOS, date 01/03/00, BIOS32 rev. 0 @ 0xfb390
apm0 at bios0: Power Management spec V1.2
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb80c
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdde0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C586 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C598 PCI rev 0x04
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C586 ISA rev 0x47
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA33, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 72004 AP
wd0: 32-sector PIO, LBA, 1916MB, 3924360 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SC-148F, F007 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
VIA VT82C586 Power rev 0x10 at pci0 dev 7 function 3 not configured
sis0 at pci0 dev 17 function 0 NS DP83815 10/100 rev 0x00, DP83816A: irq 10, address 00:09:5b:22:4a:ee
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
xl0 at pci0 dev 18 function 0 3Com 3c900 10Base-T rev 0x00: irq 5, address 00:a0:24:ce:11:02
isa0 at pcib0

Hotmail/MSN spamd spamtraps

2006-01-20 Thread Darrin Chandler
Anyone out there using spamd seeing a *lot* of spam from valid 
hotmail/msn mail servers? Most of their outgoing servers are in my 
spamtrap blacklist from spamming some choice spamtrap addresses (5 year 
old, unpublished addresses that got ripped from address books, etc). 
Spamd logs show it's actually spam, and the servers really are 
hotmail/msn (CIDR, forward & reverse DNS). I haven't had this problem 
with any of the other major providers, just hotmail/msn.


Could botnets out there be gleaning hotmail account info and using it to 
send spam? That would get around the port 25 block many broadband 
providers are doing...


Just found it curious. So far the attitude at my office is that the spam 
reduction is worth blacklisting hotmail. Spamd *ROCKS*!


--
Darrin Chandler
[EMAIL PROTECTED]
http://www.stilyagin.com/



Re: Hotmail/MSN spamd spamtraps

2006-01-20 Thread L. V. Lammert
On Fri, 20 Jan 2006, Darrin Chandler wrote:

 Anyone out there using spamd seeing a *lot* of spam from valid
 hotmail/msn mail servers? Most of their outgoing servers are in my
 spamtrap blacklist from spamming some choice spamtrap addresses (5 year
 old, unpublished addresses that got ripped from address books, etc).
 Spamd logs show it's actually spam, and the servers really are
 hotmail/msn (CIDR, forward & reverse DNS). I haven't had this problem
 with any of the other major providers, just hotmail/msn.

Yep - there are a TON of hotmail servers in our blacklists; haven't had
anyone complain about not getting mail through, however from the hotmail
users that we get email from.

Lee



Re: Hotmail/MSN spamd spamtraps

2006-01-20 Thread Eric Johnson
On Fri, 20 Jan 2006 17:51:53 -0700
Darrin Chandler [EMAIL PROTECTED] wrote:

 Anyone out there using spamd seeing a *lot* of spam from valid 
 hotmail/msn mail servers? Most of their outgoing servers are in my 
 spamtrap blacklist from spamming some choice spamtrap addresses (5
 year  old, unpublished addresses that got ripped from address books,
 etc).  Spamd logs show it's actually spam, and the servers really are 
 hotmail/msn (CIDR, forward & reverse DNS). I haven't had this problem 
 with any of the other major providers, just hotmail/msn.

Most of the spam I am seeing these days either comes from Hotmail
(nearly all are Nigerian spams), through mailing lists such as the
OpenBSD lists, or from  accounts on other servers.  

Greylisting on my mail machine has cut down my spam load drastically. 
Plus, when a spam does get through, I typically blacklist the IP
addresses originating the spam.

For example, when someone spams through this list, I go through the
headers to find the originating address and add the IP address (the
entire /24 if it appears to be a dsl, cable, dialup, wireless, other
address pool, or if there is no reverse lookup available) to the
internal blacklist.

As for the Hotmail spams, every once in a while I go through the headers
in the ones I received that day and look for the X-Originating-IP header
added by Hotmail.  Then, I use that header to filter out anything
comming from them using procmail.

For example, we have recieved a number of Nigerian spams from hotmail
originating in various 82.169.149/24 addresses and so the following is
used to filter anything coming from them into a separate spam folder
that the users can check if they wish for errors.

:0
* ^Received:.*hotmail\.com
* ^X-Originating-IP: \[82\.169\.149
user_imap_files/spam

where user_imap_files is a directory in the users home directory.  If
they add user_imap_files as their imap directory in their mail client,
then they can peruse their spam folder.  A cron job on the first day of
each month deletes the spam-lastmonth file from the directory, renames
spam to spam-lastmonth, and creates a new spam file for them.

To the best of my knowledge, we have never had a false positive on this
check.

Eric Johnson
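
One way to automate the header review described above (an added example, not code from the original post): it applies the same two conditions as the procmail recipe to every message in an mbox file and counts the X-Originating-IP values per /24. The function names, the mbox input format and the sample messages are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: count X-Originating-IP /24 networks in Hotmail-relayed mail.
# hotmail_origin_nets and sample_mbox are illustrative names.

# Usage: hotmail_origin_nets [mbox ...]   (reads stdin without arguments)
# Output: "<count> <a.b.c.0/24>" per network, most frequent first.
hotmail_origin_nets() {
    awk '
    # Test one complete, unfolded header against the two recipe conditions.
    # procmail matches case-insensitively by default, hence tolower().
    function check(h,    l, o) {
        l = tolower(h)
        if (l ~ /^received:.*hotmail\.com/) hot = 1
        if (match(l, /^x-originating-ip: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
            # The address starts at column 20, after "x-originating-ip: [".
            split(substr(l, 20, RLENGTH - 20), o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
        }
    }
    # End of a header block: count the message only if both conditions held.
    function tally() {
        if (hdr != "") check(hdr)
        if (hot && net != "") count[net]++
        hdr = ""; hot = 0; net = ""; inhdr = 0
    }
    /^From / && !inhdr { inhdr = 1; next }     # mbox separator starts a header
    !inhdr             { next }                # body lines are never inspected
    /^$/               { tally(); next }       # blank line ends the header
    /^[ \t]/           { hdr = hdr " " $0; next }   # folded continuation line
                       { if (hdr != "") check(hdr); hdr = $0 }
    END { if (inhdr) tally(); for (n in count) print count[n], n }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample mailbox (not real traffic). Host names and all addresses
# other than the 82.169.149 prefix quoted in the thread are made up.
sample_mbox() {
    cat <<'EOF'
From a@example.net Fri Jan 20 10:00:00 2006
Received: from [192.0.2.50]
 by relay1.hotmail.com with HTTP; Fri, 20 Jan 2006 10:00:00 GMT
X-Originating-IP: [82.169.149.17]
Subject: constructed message 1

body text

From b@example.net Fri Jan 20 11:00:00 2006
Received: from relay2.hotmail.com ([192.0.2.51]) by mx.example.org
X-Originating-IP: [82.169.149.201]
Subject: constructed message 2

body text

From c@example.net Fri Jan 20 12:00:00 2006
Received: from mail.example.org ([192.0.2.60]) by mx.example.org
X-Originating-IP: [192.0.2.9]
Subject: constructed message 3, not relayed by Hotmail

body text

From d@example.net Fri Jan 20 13:00:00 2006
Received: from relay3.HOTMAIL.COM ([192.0.2.52]) by mx.example.org
X-Originating-IP: [198.51.100.4]
Subject: constructed message 4

X-Originating-IP: [203.0.113.5]
EOF
}

if [ "$#" -gt 0 ]; then
    hotmail_origin_nets "$@"
fi
```

Run it against the day's spam folder, e.g. `sh hotmail_nets.sh user_imap_files/spam`; each network it lists is a candidate for a recipe like the one shown above.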



LCD

2006-01-20 Thread Ricardo Lucas
Hello all,
I know that is not a question for this forum but, anyone here knows a
serial controller or whatever to use with an old EPSON EG9007D-NS12 LCD
Display?
This will be very helpful for me!!!
Thanks a lot
Best regards

--
Abraços
Ricardo Lucas

We have to stop being egoist and think more on ourselves.



Re: portmap daemon

2006-01-20 Thread Gustavo Rios
Thanks for your feedback!

I have some daemons that only communicate by TCP. I would like to be
able to make indirect call to the local portmap daemon for calling my
tools.

Reading the RFC 1831 says (in the context of indirect calls): the
portmap communicates with the remote program using UDP.

Could I infer I may add support for indirect communication using TCP
without violating the standard?

I am worried, too, about the security implications this patch could open.


2006/1/19, Theo de Raadt [EMAIL PROTECTED]:
  I have been playing around with openbsd portmap. I am confused about
  the fact that if a program is registered above port 1024 any local
  user may remove it, right?

 Yes.

  Does it sound good from a security point of view?

 It's not that great, but unfortunately there is no solution to this
 problem.  It is a bad design.

 I've spent a lot of time working on RPC, making it more secure.  There
 are many other restrictions for safety in our RPC and portmap code,
 but there is no real solution to this.



Re: Partition sizing

2006-01-20 Thread Nick Holland
M... wrote:
...
 I know swap used to be 2x the memory, but does that
 still hold with 256MB RAM installed ? as opposed to
 years ago with 32MB or 64MB ?

That advice is as bogus now as it was then.

The answer is, use what YOU need.
Most of the time, if your system starts swapping, you are hurting.

The Swap = 2x Physical rule makes a little sense if you have a LOT of
applications loaded, but only a few are actually active at any one time,
AND waiting for a swapped-out app to get reloaded into RAM and an
inactive app to be swapped out is acceptable.  That's an unusual
situation for many, probably even most, systems.

The other application I have found for swap is where one app will
suddenly start demanding astronomical amounts of RAM for a brief moment,
and the nature of the task is where it doesn't matter if it takes two
minutes or twenty minutes.

Usually, however, if you are running any kind of server and you expect
swap, you need more RAM, not to be quibbling about swap sizes.

Core dumps are saved to swap, but then, they get unloaded to /var on
boot, so IF you care about this (and most people probably should not),
you have to size several things appropriately...swap slightly bigger
than physical RAM, and enough free space on /var to have at least one
core dump, probably multiple.

Nick.



Re: connection to 3.8 box times out

2006-01-20 Thread Igor Vilensky
I don't believe BIOS is at fault.  I could not find anything vaguely related
in BIOS settings, plus, I booted machine with Knoppix boot cd and have been
able to ping it for hours on end.
Rather strange.

On 1/20/06, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Thu, Jan 19, 2006 at 05:41:11PM -0600, Igor Vilensky wrote:
  Greetings,
 
  This is my first post. Apologies if not everything is pro forma.
 
  I hope someone might help me with this issue.
  Ssh session and pinging 3.8 Generic running on Compaq Deskpro SB time out
  after 800 to 2400 when not actively using the box.
  You get 'No route to Host' message in ping or ssh session freezes.
  The box is connected to 4 port Belkin KVM switch on video and keyboard,
  regular PS2 mouse is plugged in.
  Re-plugging mouse wakes up the session/ping and it works for a little
  while.  Pressing keys on mouse makes no difference.
  Unplugging keyboard makes no difference, but connecting to Video and
  keyboard on KVM and hitting a key on a keyboard
  does wake up  OpenBSD so that it responds again.

 Have you checked the BIOS for interesting options? This looks like the
 BIOS shuts down the machine or some such.

 Joachim