Re: Unable to reach server in dmz. Whats wrong?
Abraham Al-Saleh wrote:
> On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:
> > Hello,
> > We are using OpenBSD 3.8 as a firewall/router. We have two internal nets; one with workstations (NAT) and one DMZ with a single server. And thus we have three network interfaces installed in the router: one for the NAT, one for the DMZ and one for the external net.
> > Our ISP has given us a range of IP addresses (the ones below are obfuscated ;)), which we can't change:
> > Segment: 38.87.5.112 /28
> > net address: 38.87.5.112
> > gateway address: 38.87.5.113
> > firewall: 38.87.5.114
> > free static IPs: 38.87.5.115-126
> > broadcast address: 38.87.5.127
> > netmask: 255.255.255.240
> > I have set up the DMZ with
> > net address 38.87.5.120
> > Gateway: 38.87.5.121
> > Server: 38.87.5.122
> > netmask: 255.255.255.252
> > To ensure that routing worked properly I just entered pass (and nat of course) in the /etc/pf.conf file. I have no trouble connecting to the server at 38.87.5.122 from the internal net where nat-addresses are used, but for some reason I can't connect to the server from the outside. I thought it was a routing problem but when I entered a port redirect from the gateway (38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached the server.
> > I haven't got a clue what's wrong. Can anybody help to explain this or have an idea of a workaround (I don't want the port redirect)?
> > Thanks in advance.
> > /Jonas
>
> It would help if you attached your pf.conf, and relevant configuration files (hostname.if, for example)

ok, finally :) this is how my pf.conf and interfaces look like.

# 1. macros
if_ext=fxp0
if_int=bce0
if_dmz=re0
if_lo=lo0
icmp_types = echoreq
dmz_servers = {38.87.5.122}
services = {22, 8080, 8081}
internal_services ={2401}
reserved= { 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
    224.0.0.0/3, 255.255.255.255}

# 2. Tables
# No tables are defined

# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext

# 4. Packet normalization
scrub in all

# 5. Queueing is not done

# 6. Address translation
# The internal network has NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)
# Redirecting ports
# Port redirect to make ftp possible. See manual for OpenBSD
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22

# 7. Filtering
#allow loopback
# Block everything
block all
pass quick on if_lo all
# Antispoof
antispoof for { $if_lo, $if_ext, $if_int }
# Allow traffic in on our ssh daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA keep state
# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state
# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any
#allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state
#Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
    user proxy flags S/SA keep state
# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state
# DMZ rules. As default we stop all traffic in to the dmz.
# To open up a service we use port forwarding in the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA keep state
pass out on $if_dmz proto tcp from any to any port internal_services flags S/SA keep state
pass in quick on $if_dmz proto tcp from $if_int to $dmz_servers port internal_services keep state
#pf.conf ends here

### interfaces
hostname.fxp0 #external interface
inet 38.87.5.114 255.255.255.240 NONE
# more hostname.bce0 #internal interface
inet 192.168.97.254 255.255.255.0 NONE
# more hostname.re0 # dmz
inet 38.87.5.121 255.255.255.252 NONE
Re: windows - pf - inet - pf - ftpd [not working]
--- Original Message ---
From: Price, Joe [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: windows - pf - inet - pf - ftpd [not working]
Date: Thu, 19 Jan 2006 17:36:02 -0500

> I have a problem that when a Windows client tries to connect to this ftp site, windows explorer returns 'The operation timed out'. The setup is, windows box behind an openbsd PF (NAT enabled) through the public internet to another openbsd PF (NAT enabled) which has a rdr rule to redirect to another openbsd machine behind it running ftpd. I'm assuming the problem exists on one of the firewalls, or both.. Is this something that ftp-proxy can fix? I know the ftp works because I can connect to it from the far end's openbsd box, just seems that I can't go through two NATs of PFs or something like that. Any help is appreciated. Thanks!

Have you tried passive ftp-mode in Windows explorer: extras -internet options - extended

Regards
Stefan Kell
Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
On 2006-01-19 18:49, Stuart Henderson wrote: CPU is fast enough that it wasn't horribly slow, but obviously not as good as it could be. anything else - in my case, the next fastest is a celeron 2ghz (my asrock board has an opteron 146). I haven't seen any reliability problems with it, but I haven't worked it harder than a few cvs pulls and 'make build's. [...] SuSE Linux seems to support the nic about the best. I don't see anything in FreeBSD cvsweb to indicate that their -current would be First, I would like to say I am really grateful for your answers here! Thanks a lot! I managed to install FBSD on the machine (failed with OBSD, NBSD, Debian, Knoppix and Trustix) which was good since I prefer a BSD on this compared to e.g. SuSE. Now I won't have to buy additional hardware for this one (but thanks again for your ideas on that area), but I am about to choose H/W for a server that _must_ run OpenBSD. Learning from the past, I am now checking the M/B spec. and compare them to http://www.openbsd.org/i386.html and http://www.openbsd.org/amd64.html. I have found 4 available motherboards (socket 754, so the amd64 port would be the best choice, I guess) at our provider, that might work; the southbridges/all-in-one chips in those are, respectively: * nVidia nForce 410 MCP * nVidia nForce3 250 * VIA 8237R * nVidia nForce4-4X In the OBSD hardware list, I find * NVIDIA nForce/nForce2/nForce2-400/nForce3/nForce3-250/nForce4 * VIA Technologies VT82C586/A/B, VT82C596A/B, VT82C686A/B, VT8231, VT8366, VT8233, VT8235, VT8237 Which one do you think would be the safest bet here? It would be good to be able to run the SATA disks, but perhaps the safest bet of them all is to get regular ATA ones? Regards, /Joakim -- http://www.df.lth.se/~jokke/
CVSync servers not syncing?
Hi, is there some problem with the main CVSync? It seems that at least some of the main CVSync servers don't sync since yesterday, about 21:00 GMT. I tried anoncvs{1,3}.usa.openbsd.org, cvsync.de.openbsd.org, cvsync.openbsd.se. Ciao, Kili
Re: OpenBSD VMWare image too popular
On 09/01/06, Shane J Pearson [EMAIL PROTECTED] wrote: Hello Julien, On 09/01/2006, at 7:26 PM, Julien Bonastre wrote: I can actually fully understand your disapproval at the idea of using a torrent to distribute this file, and I can also emphasise with your dislikening of trying to create some validation system for the image. But I don't disapprove of using BT for this. And I also don't disapprove of people using and enjoying that image. In fact, I think BT is great and is perfect for something that is large and popular. What I disapprove of, is seeing someone flaming someone else for a personal opinion. Especially when that someone being called an amateur is actually an OpenBSD developer. And Bob is not just some long-away-in-the-cvs-tree developer, but a system administrator of most official OpenBSD web-sites, www.openbsd.org being an example of what he hosts (if my observations are correct). Downloading OpenBSD in any form via BT is not for me. Unless of course the .torrent file, seed and checksums were from official OpenBSD sources. When I compare the checksum of the download, I want the source checksum to come from an authority. An email from Theo for example. Hasn't there been some research which shows that checksum collisions are entirely possible? :) Cheers, Constantine.
Re: OS FINGERPRINTS
http://www.openbsd.org/faq/pf/filter.html#osfp

On 1/20/06, G.Stefan [EMAIL PROTECTED] wrote:
> What i have to do if i want to allow o n l y Windows OS to have access on the internet? I know that OS FINGERPRINTS can help me but how?
Re: OS FINGERPRINTS
On Fri, Jan 20, 2006 at 04:37:53AM -0800, G.Stefan wrote:
> Hello misc,
> What i have to do if i want to allow o n l y Windows OS to have access on the internet? I know that OS FINGERPRINTS can help me but how?

From pf.conf(5), under OPERATING SYSTEM FINGERPRINTING:

    Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP connection's initial SYN packet and guess at the host's operating system. Unfortunately these nuances are easily spoofed by an attacker so the fingerprint is not useful in making security decisions. But the fingerprint is typically accurate enough to make policy decisions upon.

For more info, please see pf.conf(5), pf.os(5), pf(4), and the PF User's Guide -- http://www.OpenBSD.org/faq/pf/index.html
IBM admits that Puffy is the best defense!
Howdy, http://www-8.ibm.com/e-business/au/operations/businesses.shtml? ca=auhomepageme=odbmet=051209defence ; ) Shane
Re: CVSync servers not syncing?
On Fri, Jan 20, 2006 at 01:31:06PM +0100, Matthias Kilian wrote: Hi, is there some problem with the main CVSync? It seems that at least some of the main CVSync servers don't sync since yesterday, about 21:00 GMT. I tried anoncvs{1,3}.usa.openbsd.org, cvsync.de.openbsd.org, cvsync.openbsd.se. as far as i see, main machine( anoncvs1.ca.openbsd.org) has locked up ;) - Lukasz Sztachanski -- 0x058B7133 // 16AB 4EBC 29DA D92D 8DBE BC01 FC91 9EF7 058B 7133 http://szati.blogspot.com http://szati.entropy.pl
Re: OpenBSD 3.8 and IBM Blade HS20 boot CD
I've got exactly the same problem. It seems that BladeCenter has an unusual keyboard controller (switchable). I tried to boot with all floppy disks, with external keyboard (USB and PS/2), different BIOS settings and it never worked. I think the internal KVM is not hardware transparent. I'm not sure but I think that NetBSD/i386 2.0.2 didn't boot either (can't remember). Also, critical pieces of hardware are detected and configured: buses, cpu, ram, nic, scsi, video... It's raging to be blocked by... the keyboard!! Hope it will be supported some day...

Best regards,
Bruno.

On 1/18/06, Martin R. Sørensen [EMAIL PROTECTED] wrote:
> Hi...
> I hope that someone can help me, I'm new to OpenBSD and I'm trying to install 3.8 on an IBM blade server HS20. When I try to boot from the install CD or floppy I get an error saying: pckbc_start: send error and then it stops. I have disabled USB, but that didn't change anything. So please help!!
> Regards
> Martin Sørensen
Re: OpenBSD 3.8, fxp, device timeout
Hi,

for comparison I have a similar PC at the same provider and it works fine (I have fxp at irq 11 though, and use -current). Also I had used the original floppy image to install OpenBSD:

wget ftp://ftp.de.openbsd.org/pub/snapshots/i386/floppy38.fs
dd of=/dev/hda if=floppy38.fs bs=1k count=1440

Sven, are you sure your fxp is not working? Maybe just your network settings are wrong? Here are mine (stolen from Kili):

/etc/hostname.fxp0:
inet 81.169.186.XXX 255.255.255.255 NONE
!route add 81.169.186.1 -link \$if: -interface

/etc/mygate:
81.169.186.1

/etc/resolv.conf:
lookup file bind
nameserver 81.169.163.106
nameserver 81.169.163.104

Regards
Alex

PS: Here is my dmesg, works ok:

OpenBSD 3.8-current (GENERIC) #0: Mon Jan 16 10:28:09 CET 2006
    [EMAIL PROTECTED]:/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 402169856 (392744K)
avail mem = 359624704 (351196K)
using 4278 buffers containing 20209664 bytes (19736K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(d0) BIOS, date 02/03/04, BIOS32 rev. 0 @ 0xfb330
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/240 (13 entries)
pcibios0: PCI Exclusive IRQs: 5 9 10 11 12
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82845 Host rev 0x04
ppb0 at pci0 dev 1 function 0 Intel 82845 AGP rev 0x04
pci1 at ppb0 bus 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x05
pci2 at ppb1 bus 2
fxp0 at pci2 dev 6 function 0 Intel 8255x rev 0x08, i82559: irq 11, address 00:30:48:53:3c:96
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 Intel 8255x rev 0x08, i82559: irq 10, address 00:30:48:53:3c:97
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
vga1 at pci2 dev 8 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x05
pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x05: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: IC35L060AVV207-0
wd0: 16-sector PIO, LBA48, 58644MB, 120103200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 Intel 82801BA SMBus rev 0x05: irq 9
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask f365 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
arpresolve: unresolved and rt_expire == 0

On 1/20/06, Sven Wolf [EMAIL PROTECTED] wrote:
> I've a server at the German hoster Strato and I try to install OpenBSD 3.8 on this machine. But I always get a device timeout of the Intel Nic (because of a wrong irq assignment?) :(
> Here is the dmesg output:
>
> OpenBSD 3.8 (RAMDISK) #9: Tue Jan 17 18:24:51 CET 2006
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK
> cpu0: Intel(R) Celeron(R) CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
> real mem = 536387584 (523816K)
> avail mem = 485179392 (473808K)
> using 4278 buffers containing 26923008 bytes (26292K) of memory
> mainbus0 (root)
> acpi0 at mainbus0: revision 0 attached
> acpitimer at acpi0 not configured
> acpi device at acpi0 from table DSDT not configured
> acpi device at acpi0 from table FACP not configured
> bios0 at mainbus0: AT/286+(c0) BIOS, date 05/27/03, BIOS32 rev. 0 @ 0xfb330
> apm0 at bios0: Power Management spec V1.2
> apm0: flags 70102 dobusy 1 doidle 1
> pcibios0 at bios0: rev 2.1 @ 0xf/0xdf84
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/240 (13 entries)
> pcibios0: PCI Exclusive IRQs: 5 10 11 12
> pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371SB ISA rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc/0x8000
Re: OpenBSD 3.8, fxp, device timeout
Hi Alex,

I've written the floppy38.fs to my server via:

wget -O- wget ftp://ftp.de.openbsd.org/pub/snapshots/i386/floppy38.fs /dev/hda

(within the rescue system). I also tried some customized floppy-images (with custom kernel options) and it boots fine ;)

But my problem is, that the fxp (dualport) nic has irq 12 assigned:

fxp0 at pci2 dev 6 function 0 Intel 82557 rev 0x08, i82559: irq 12, address 00:30:48:52:c9:fc
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 Intel 82557 rev 0x08, i82559: irq 12, address 00:30:48:52:c9:fd

and on your server the nic has assigned irq 10 and 11:

fxp0 at pci2 dev 6 function 0 Intel 8255x rev 0x08, i82559: irq 11, address 00:30:48:53:3c:96
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 Intel 8255x rev 0x08, i82559: irq 10, address 00:30:48:53:3c:97

and that's the problem :(

I've the same problem like: http://readlist.com/lists/openbsd.org/misc/0/2302.html but option PCIBIOS_INTR_FIXUP_FORCE didn't resolve my problem :(

Best regards,
Sven
Re: connection to 3.8 box times out
On Thu, Jan 19, 2006 at 05:41:11PM -0600, Igor Vilensky wrote: Greetings, This is my first post. Apologies if not everything is pro forma. I hope someone might help me with this issue. Ssh session and pinging 3.8 Generic running on Compaq Deskpro SB time out after 800 to 2400 when not actively using the box. You get 'No route to Host' message in ping or ssh session freezes. The box is connected to 4 port Belkin KVM switch on video and keyboard, regular PS2 mouse is plugged in. Re-plugging mouse wakes up the session/ping and it works for a little while. Pressing keys on mouse makes no difference. Unplugging keyboard makes no difference, but connecting to Video and keyboard on KVM and hitting a key on a keyboard does wake up OpenBSD so that it responds again. Have you checked the BIOS for interesting options? This looks like the BIOS shuts down the machine or some such. Joachim
Ifstated question
Greetings,

I'm trying to use ifstated to determine the state (up or down) of my two ISP connections. Currently I'm using ping, which I realize is imperfect, but I'm getting some odd transitions. For example, ISP2 is very unreliable and ifstated was in the ISP2down state. From there, based on the config below, it transitioned to the ISP1down state even though ISP2 was also down. I would have expected it to transition to the bothdown state.

Any thoughts or pointers would be appreciated.

-Steve S.

--- /etc/ifstated.conf

init-state bothup

ISP1 = '( ping -q -c 1 -w 1 10.10.10.1 /dev/null every 15)'
ISP2 = '( ping -q -c 1 -w 2 10.20.20.1 /dev/null every 15)'

state bothup {
    init {
        run pfctl -a outbound -F rules -f /etc/pf.bothup.conf
        run mail -s 'FW1 says both ISPs up' root /dev/null
    }
    if ! $ISP1 set-state ISP1down
    if ! $ISP2 set-state ISP2down
}

state ISP1down {
    init {
        run pfctl -a outbound -F rules -f /etc/pf.ISP1down.conf
        run mail -s 'FW1 says ISP1 is down' root /dev/null
    }
    if $ISP1 set-state bothup
    if ! ($ISP1 || $ISP2) set-state bothdown
    if ! $ISP2 set-state ISP2down
}

state ISP2down {
    init {
        run pfctl -a outbound -F rules -f /etc/pf.ISP2down.conf
        run mail -s 'FW1 says ISP2 is down' root /dev/null
    }
    if ! ($ISP1 || $ISP2) set-state bothdown
    if ! $ISP1 set-state ISP1down
    if $ISP2 set-state bothup
}

state bothdown {
    init {
        run pfctl -a outbound -F rules
        run mail -s 'FW1 says ALL Internet is down' root /dev/null
    }
    if $ISP2 $ISP1 set-state bothup
    if $ISP1 set-state ISP2down
    if $ISP2 set-state ISP1down
}
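The transition reported in the post above can be checked on paper. The following is an added example, not part of Steve's post and not ifstated code: it models each posted state body as an ordered rule list and compares a "first matching set-state wins" policy with a "last matching set-state wins" policy. Which policy ifstated applies is an assumption here, as is reading `if $ISP2 $ISP1` as "both probes succeed"; `EXCLUSIVE` is a hypothetical rewrite.

```python
from itertools import product

STATES = ("bothup", "ISP1down", "ISP2down", "bothdown")

# Rule lists transcribed from the posted ifstated.conf, in file order.
# Each rule is (test on the two probe results, target of set-state).
# a = ISP1 probe succeeded, b = ISP2 probe succeeded.
# Assumption: "if $ISP2 $ISP1" means both probes succeeded.
POSTED = {
    "bothup": [
        (lambda a, b: not a, "ISP1down"),
        (lambda a, b: not b, "ISP2down"),
    ],
    "ISP1down": [
        (lambda a, b: a, "bothup"),
        (lambda a, b: not (a or b), "bothdown"),
        (lambda a, b: not b, "ISP2down"),
    ],
    "ISP2down": [
        (lambda a, b: not (a or b), "bothdown"),
        (lambda a, b: not a, "ISP1down"),
        (lambda a, b: b, "bothup"),
    ],
    "bothdown": [
        (lambda a, b: b and a, "bothup"),
        (lambda a, b: a, "ISP2down"),
        (lambda a, b: b, "ISP1down"),
    ],
}

# Hypothetical rewrite: four mutually exclusive tests in every state, so at
# most one set-state can fire per evaluation, whatever the evaluation order.
EXCLUSIVE_BODY = [
    (lambda a, b: a and b, "bothup"),
    (lambda a, b: (not a) and b, "ISP1down"),
    (lambda a, b: a and (not b), "ISP2down"),
    (lambda a, b: (not a) and (not b), "bothdown"),
]
EXCLUSIVE = {state: EXCLUSIVE_BODY for state in STATES}


def next_state(rules, state, isp1, isp2, policy):
    """Return the state reached from `state` under 'first' or 'last' policy."""
    hits = [target for test, target in rules[state] if test(isp1, isp2)]
    if not hits:
        return state  # no set-state fired, stay where we are
    return hits[0] if policy == "first" else hits[-1]


def intended(isp1, isp2):
    """State the names suggest for a given pair of probe results."""
    if isp1 and isp2:
        return "bothup"
    if isp2:
        return "ISP1down"
    if isp1:
        return "ISP2down"
    return "bothdown"


def order_dependent(rules):
    """Inputs where the two policies disagree, i.e. more than one rule fires."""
    return [
        (s, a, b)
        for s in STATES
        for a, b in product((True, False), repeat=2)
        if next_state(rules, s, a, b, "first") != next_state(rules, s, a, b, "last")
    ]


def mismatches(rules, policy):
    """Inputs where the reached state is not the intended one."""
    out = []
    for s in STATES:
        for a, b in product((True, False), repeat=2):
            got = next_state(rules, s, a, b, policy)
            if got != intended(a, b):
                out.append((s, a, b, got))
    return out


if __name__ == "__main__":
    # The case from the post: in ISP2down, both probes fail.
    for policy in ("first", "last"):
        print(policy, "->", next_state(POSTED, "ISP2down", False, False, policy))
    print("order-dependent inputs:", order_dependent(POSTED))
    print("wrong under 'last':", mismatches(POSTED, "last"))
    print("wrong after rewrite:", mismatches(EXCLUSIVE, "last"))
```

Under the "last" policy the model reproduces the reported ISP2down to ISP1down transition with both links down, while the mutually exclusive rule set reaches the intended state under either policy.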
Re: OpenBSD 3.8, fxp, device timeout
Hi Alex again,

in my opinion it's a nic problem and not a network settings problem, because I also have tried to obtain the network configuration via dhcp (like in the rescue system) with the same result - fxp0: device timeout

Best regards,
Sven
Re: CVSync servers not syncing?
Maybe because they are tagging it 3.9?
Re: CVSync servers not syncing?
On 1/20/06, Alexander Farber [EMAIL PROTECTED] wrote: Maybe because they are tagging it 3.9? Unless they decided to suddenly change how they release OpenBSD, they most certainly are not. 3.9 has JUST moved to beta yesterday (or 2 days ago, I forget) and trust me, you don't want to tag early beta code as release. Jason
beginner question about faq 10.2
Hi, FAQ 10.2 explains how to duplicate a filesystem. I would like to put that one-liner in a shell script to be run periodically through crontab. I mean, I would like: cd /SRC; dump 0f - . | (cd /DST; restore -rf - ) in a shell script. Whenever this script is run, I see an error message like: restore: cannot open /dev/tty: Device not configured My question is: Is there any way to do this dump/restore in a shell script without the use of a temporary filesystem? Thanks in advance Best regards, Josi
Re: beginner question about faq 10.2
On Fri, Jan 20, 2006 at 10:40:03AM -0500, Jose Fragoso wrote: Hi, FAQ 10.2 explains how to duplicate a filesystem. I would like to put that one-liner in a shell script to be run periodically through crontab. I mean, I would like: cd /SRC; dump 0f - . | (cd /DST; restore -rf - ) in a shell script. Whenever this script is run, I see an error message like: restore: cannot open /dev/tty: Device not configured imho, you can just ignore this message. However, sometimes dump tries to interactively ask (on the terminal) to change the tape; but cron(8) doesn't have a terminal. I'd suggest you to use the '-a' option of dump(8) to avoid this problem. My question is: Is there any way to do this dump/restore in a shell script without the use of a temporary filesystem? i don't think so. -- Alexandre
Re: windows - pf - inet - pf - ftpd [not working]
FYI, I am in passive mode. From: Price, Joe Sent: Thursday, January 19, 2006 5:36 PM To: 'misc@openbsd.org' Subject: windows - pf - inet - pf - ftpd [not working] I have a problem that when a Windows client tries to connect to this ftp site, windows explorer returns 'The operation timed out'. The setup is, windows box behind an openbsd PF (NAT enabled) through the public internet to another openbsd PF (NAT enabled) which has a rdr rule to redirect to another openbsd machine behind it running ftpd. I'm assuming the problem exists on one of the firewalls, or both.. Is this something that ftp-proxy can fix? I know the ftp works because I can connect to it from the far end's openbsd box, just seems that I can't go through two NATs of PFs or something like that. Any help is appreciated. Thanks!
Re: IBM admits that Puffy is the best defense!
On 1/20/06, Shane J Pearson [EMAIL PROTECTED] wrote: Howdy, http://www-8.ibm.com/e-business/au/operations/businesses.shtml? ca=auhomepageme=odbmet=051209defence ; ) Shane Hello, I think that ad is a negative connotation on puffy. rogern John 3:16
Re: beginner question about faq 10.2
Hi, FAQ 10.2 explains how to duplicate a filesystem. I would like to put that one-liner in a shell script to be run periodically through crontab. I mean, I would like: cd /SRC; dump 0f - . | (cd /DST; restore -rf - ) in a shell script. Whenever this script is run, I see an error message like: restore: cannot open /dev/tty: Device not configured My question is: Is there any way to do this dump/restore in a shell script without the use of a temporary filesystem? Thanks in advance Best regards, Josi Hmm quick look it looks like you should use dump -0af - but do some testing yourself .. Rm
Partition sizing
Hello. I'm playing with OpenBSD 3.8 and would like some comments/advice on partitioning. I have a 500MHz test machine, 256MB RAM, 4GB H/D, 100/1Gb intel ethernet card. Most of the examples show separate partitions for / /tmp /var /usr /home I want to run a mailserver (20 users), (spamassassin/clamav) mailing list server (20 lists), ftp and web servers, (maybe 100MB or so of data) adding them in and seeing how it handles the load. I was thinking of doing / = 500MB /tmp - 100MB /usr - 1GB /var - 1GB /home - 1.4GB or should I just have a root and home partitions ? I'm not really sure about the sizing for /tmp or /var so I want to be economical with the limited space. Opinions please. Thanks in advance.
Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
On Friday 20 January 2006 08:02, Stuart Henderson wrote: I'll defer to anyone that has one..! 8237_R_ isn't listed, though 8237 is. I don't know whether the difference is enough to stop it from working...VIA usually get recommended when the topic of amd64 boards comes up (you'll find a few posts in the archives about this). I think the only real difference between the 8237 and the 8237R is the ability to asynchronously clock the cpu bus and the AGP/PCI busses. Travers Buda
Re: Partition sizing
On Fri, Jan 20, 2006 at 10:29:51AM -0800, M... wrote: Hello. I'm playing with OpenBSD 3.8 and would like some comments/advice on partitioning. I have a 500MHz test machine, 256MB RAM, 4GB H/D, 100/1Gb intel ethernet card. Most of the examples show separate partitions for / /tmp /var /usr /home I want to run a mailserver (20 users), 20 users of text mail? 20 users of PDF scanned legal documents? (spamassassin/clamav) mailing list server (20 lists), ftp and web servers, (maybe 100MB or so of data) adding them in and seeing how it handles the load. I was thinking of doing / = 500MB too big. 150MB will do it VERY nicely. 200MB if you think I'm being too tight. 70M will do fine, too. :) /tmp - 100MB Paranoia makes me make that bigger, usually 200M, though I can't think of a reason why on your app. /usr - 1GB keep in mind, that's too small for building, but great for binaries. /var - 1GB sounds big... /home - 1.4GB sounds VERY big... What are you putting in /home? or should I just have a root and home partitions ? Not if you are planning on doing something other than testing. I'm not really sure about the sizing for /tmp or /var so I want to be economical with the limited space. Opinions please. Suggestion 1: Quit assuming your first install will be your last. Install, look around, see how it works, adjust, try again, adjust, try again. repeat until (done); Figure out your OWN needs, don't ask others. We don't know, and more importantly, it's your job/reputation on the line. Suggestion 2: Quit trying to allocate all your disk space. Leave some empty space at the end that you can move into if you need to. Make var and home 500M ea., leave a gig or so free, put /var at the end of allocated space, if you find out you made /var too small (most likely), growfs it. If you find /home is too small, move into the 1G space. Nick.
Re: Partition sizing
See FAQ 4.6. http://www.openbsd.org/faq/faq4.html#SpaceNeeded You forgot the swap partition. Also, your / is probably way overkill. I haven't run a production mail/list/ftp server, so I can't speak for the remaining estimates. --david On 1/20/06, M... [EMAIL PROTECTED] wrote: Hello. I'm playing with OpenBSD 3.8 and would like some comments/advice on partitioning. I have a 500MHz test machine, 256MB RAM, 4GB H/D, 100/1Gb intel ethernet card. Most of the examples show separate partitions for / /tmp /var /usr /home I want to run a mailserver (20 users), (spamassassin/clamav) mailing list server (20 lists), ftp and web servers, (maybe 100MB or so of data) adding them in and seeing how it handles the load. I was thinking of doing / = 500MB /tmp - 100MB /usr - 1GB /var - 1GB /home - 1.4GB or should I just have a root and home partitions ? I'm not really sure about the sizing for /tmp or /var so I want to be economical with the limited space. Opinions please. Thanks in advance.
Re: OpenBSD for Sun Cobalt Qube3
I've done several RAQ2 installs, and have them in production as well. I have a RAQ3 but could not get it to run anything but linux. I have rebuilt it several times, but only succeeded with RH. I had to remove the HD for this install, and I assume you could get OBSD installed in the same way. I failed in my attempts to do so, but still think it could be done, maybe. I seem to recall having to use a specialized kernel in that box as well. In any case, moving the hd to another pc for install is the way to go. Good luck. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ouellet Sent: Thursday, January 19, 2006 4:08 PM To: Wolfgang Kess Cc: misc@openbsd.org Subject: Re: OpenBSD for Sun Cobalt Qube3 Wolfgang Kess wrote: Hi, can you give me some advice how to install OpenBSD on a Sun Cobalt Qube 3, please? The Cube comes without cdrom or fd and no display I read about the PXE installation http://www.openbsd.org/faq/faq6.html#PXE What kind of installation method do you recommend? Regards Wolfgang The Cube outdated Linux dmesg: I don't think it would work at all as the Cobalt always had their own hardware handling stuff. Plus to load it, you need a restore CD. If you really want to play with this and see if that can even load, even if I think it would not, you can start by making your restore CD based on the instructions here: http://netbsd.org/Ports/cobalt/restorecd-howto.html I did work with Denis and Alex to test it on the Cobalt RaQ 2. So, that's only a starts, but you are really on your own. The thing is that for the Cobalt, after it is loaded, you rlogin in the box to finish the configuration, but that's because the kernel is design that way for that box. In this case it wouldn't work. Assuming you can ever get the box to netboot and that it would actually detect the hardware properly, then you would need to built a configuration that would make the box in a working state for you to then access it. 
Usually you can do this via the console, but again, I don't think it would work out of the box on the console, but the only way to know is to try it. I loaded NetBSD on plenty of Cobalt RaQ2 boxes http://openbsdsupport.org/netbsd/ But that's not going to do much for you in here. The Cobalt RaQ 2 is mips based and the RaQ 3 is i386 based. Good luck however. Would be nice to have it working in in, but I don't know.
Re: Partition sizing
On Fri, 20 Jan 2006 22:08:47 +0100 Matthias Kilian [EMAIL PROTECTED] wrote: What about /var/spool/mail or, for example, /var/spool/uucp? Yes, I may be old-fashioned, but IMHO the first filesystem that fills up is always /var. For my mail server, I created a /var/mail partition of 10 GB. It is currently about 40% full. We don't restrict mailbox size for our users, but if a mailbox is getting too full, we back it up, remove it, and notify the user how he can get a backup copy. So far, no one has ever asked for a backup copy. Eric Johnson
Re: Partition sizing
--- Nick Holland [EMAIL PROTECTED] wrote: Suggestion 2: Quit trying to allocate all your disk space. Leave some empty space at the end that you can move into if you need to. Make var and home 500M ea., leave a gig or so free, put /var at the end of allocated space, if you find out you made /var too small (most likely), growfs it. If you find /home is too small, move into the 1G space. Nick. Thanks to Nick and others, I have an update. I left out SWAP as well. / - 200MB /swap - 200MB ? /tmp - 200MB /usr - 1.5GB /home - 500MB /var - 500MB Rest spare for later. Oh, I'm going to use qmail and ezmlm for the mail and list server so email will be delivered into their home directory using Maildir. I know swap used to be 2x the memory, but does that still hold with 256MB RAM installed ? as opposed to years ago with 32MB or 64MB ? Thanks for the hints/suggestions
isakmpd ocsp lookups for revoked x509 certs ?
Hi all, Looking at seeing if there's any decent way of getting isakmpd to perform OCSP lookups to verify that a potential IPSec client's certificate is currently not revoked before allowing them to authenticate. I looked through the archives, and there was one link to someone's procedural guide to handling terminating employees (manually updating a CRL and distributing), and one link to a PDF that no longer exists. I'd like to roll out PKI for a network with quite a few VPN concentrators running OpenBSD and SonicWalls without completely losing my mind as far as handling revoked X509 certificates. man isakmpd.conf yields nothing, isakmpd.policy yields nothing obvious, nor does keynote If this is possible and I've missed it, please let me know your experience or any pointers on where to best RTFM. Thanks!
MRTG/RRD font size
Weird thing I can't seem to figure out... Is there a reason that the font sizes (and graphs themselves) on the graphs created via MRTG/RRD would be small and ugly due to using the pre-compiled package vs a compiled from source implementation of the RRDtool package? On a number of boxes (OpenBSD 3.5 to 3.8), I see this consistently. For example, I have the pre-compiled package for the OS version for MRTG (ex: mrtg-2.10.13 on 3.5, mrtg-2.12.2 on 3.8). On one box I use the pre-compiled RRDtool package, rrdtool-1.0.49, and on another I use a compiled from source RRDtool (same version, rrdtool-1.0.49; I guess it doesn't change much from one to another). On the box that has the 'compiled from source' RRD, the graphs created have normal, easily read letters and numbers (the 'bits per second' thing on the left side of the graph, or the 10/20/30Mb/s levels, etc), but on the box with the package version of RRD, the letters are very tiny and squished together. Also, the graphs themselves seem to be larger, and/or seem to resize themselves based on the monitor size; on the box with the packaged RRD, they stay tiny regardless if the video card setting is 800x600 or 1280x1024. This is easily replicated across different hardware. There's not any diff I can see in regards to installed fonts. In fact, the box that has a pretty set of graphs has fewer installed font (and otherwise) packages.
Here's some of the particulars: Box with pretty MRTG fonts and graphs: 1) OpenBSD 3.5 2) MRTG installed via package 3) RRDtool compiled locally (1.0.49) List of all pre-compiled installed packages: arping-1.07 ARP level ping utility bash-2.05b GNU Bourne Again Shell fping-2.2b1 quickly ping N hosts w/o flooding the network freetype-1.3.1p1free and portable TrueType font rendering engine gd-1.8.3graphics library for fast PNG creation gettext-0.10.40p1 GNU gettext jpeg-6b IJG's JPEG compression utilities libiconv-1.9.1 character set conversion library libnet-1.0.2a raw IP packet construction library login_ldap-3.3 provide ldap authentication type mrtg-2.10.13multi-router traffic grapher nmap-3.50-no_x11scan ports and fingerprint stack of network hosts ntp-4.1.74 network time protocol implementation openldap-client-2.1.27 Open source LDAP software (client) p5-Pod-Escapes-1.03 library to resolve perl Pod escape sequences p5-Pod-Simple-2.05 framework for parsing the Perl Pod format p5-SNMP_Session-0.99 provides rudimentary access to remote SNMP agents pcre-4.5perl-compatible regular expression library pftop-0.4 curses-based real time state and rule display for pf pine-4.58 program for Internet E-mail and News pktstat-1.7.3b network traffic viewer png-1.2.5p2 library for manipulating PNG images tacacs+-4.0.4ap0Cisco AAA protocol daemon ucd-snmp-4.2.6 extendible SNMP implementation wget-1.8.2 retrieve files from the 'net via HTTP and FTP Box with UGLY MRTG fonts and graphics: 1) OpenBSD 3.8 2) MRTG installed via package 3) RRDtool installed via package List of all pre-compiled installed packages: bash-3.0.16p1 GNU Bourne Again Shell cvsweb-2.0.6p1 WWW CGI script to browse CVS repository trees esound-0.2.34 sound library for Enlightenment expect-5.43.0 sophisticated scripter based on Tcl/Tk fping-2.2b1 quickly ping N hosts w/o flooding the network freetype-1.3.1p1free and portable TrueType font rendering engine gd-1.8.3graphics library for fast PNG creation 
gettext-0.10.40p3 GNU gettext glib-1.2.10p0 useful routines for C programming gtk+-1.2.10p3 General Toolkit for X11 GUI jpeg-6bp2 IJG's JPEG compression utilities libaudiofile-0.2.6 SGI audiofile library clone libiconv-1.9.2p1character set conversion library mozilla-firefox-1.0.6p3 redesign of Mozilla's browser component mozilla-thunderbird-1.0.6 redesign of the integrated Mozilla App-Suite mail component mrtg-2.12.2 multi-router traffic grapher mysql-client-4.0.24 multithreaded SQL database (client) nagios-2.0b4p0 host and service monitor nagios-plugins-1.4.1 nagios base plugins nagios-plugins-fping-1.4.1p0 fping plugin nagios-plugins-mysql-1.4.1p0 mysql plugin nagios-plugins-snmp-1.4.1p0 plugins using snmp nagios-web-2.0b4cgis and webpages for nagios ncftp-3.1.9 ftp replacement with advanced user interface net-snmp-5.1.3p0extendable SNMP implementation p5-Crypt-DES-2.03 interface to the DES encryption algorithm p5-Digest-HMAC-1.01 interface to HMAC Message-Digest Algorithms p5-Digest-SHA1-2.10 module to calculate SHA1 digests p5-Net-SNMP-4.0.3 Perl modules to access SNMP p5-Pod-Escapes-1.04 library to resolve perl Pod escape sequences p5-Pod-Simple-3.02 framework for parsing the Perl Pod format p5-SNMP_Session-1.07 provides rudimentary access to remote SNMP agents pine-4.63 program for Internet E-mail
Re: Partition sizing
Filesystem   Size    Used   Avail  Capacity  Mounted on
/dev/wd0a    118M   56.8M   55.5M     51%    /
/dev/wd0d   98.3M    8.0K   93.4M      0%    /tmp
/dev/wd0e    490M   91.4M    374M     20%    /var
/dev/wd0f   49.4M    1.5M   45.4M      3%    /var/qmail
/dev/wd0g    3.8G    1.5G    2.2G     40%    /usr
/dev/wd0h   70.5G   64.3G    2.7G     96%    /home
# Han
Re: 3.8 panic on boot (rd0)
Leaving the history intact, following up below. An offlist reply suggested trying a more recent snapshot of -current. It also paniced in the same place. On Sat, 7 Jan 2006, Kenneth R Westerback wrote: On Sat, Jan 07, 2006 at 03:23:15PM -0500, Charles Sprickman wrote: Hello all, I have an older i386 pc that I've been using as my home firewall for some years now. It currently runs 3.3 and I was hoping to do an upgrade, so I did go ahead and buy the full CD set (impressive packaging, btw) after having trouble with boot floppies (marginal drive) and the boot CD ISO. However, the kernel panics every time I try and boot the 3.8 CD. I've also tried 3.7, 3.6 and 3.5 boot CDs that I downloaded from the OpenBSD ftp server. Hardware seems fine; I ran memtest86+ for a day and it did about 30 passes with no errors, I tried different CD-ROM drives, different IDE cables, removed all network cards, etc., but still it panics in the same place (right after rd0: fixed, 3800 blocks). CPU is an AMD K6-2-500 clocked down to 300 - temperature is fine (about 110F), mainboard is an old Epox. On the suggestion of a bsdforums.org user, I tried downloading bsd.rd and booting that from the 3.3 install, and that failed. I'm guessing it has something to do with the exec format changing; perhaps the old loader doesn't understand the new kernel exec format? rebooting... boot /bsd.rd booting hd0a:/bsd.rd: failed(79). will try /obsd boot ls bsd.rd -rwxr-xr-x 0,0 4658297 hd0a:bsd.rd boot ls obsd -rwxr-xr-x 0,0 2487309 hd0a:obsd boot ...snip... gw# cd / gw# file bsd.rd bsd.rd: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, not stripped gw# file obsd obsd: OpenBSD/i386 demand paged executable not stripped gw# I have this thing hooked up via serial now, so if someone can point me in the right direction (how to get a dump when booting from CD, how to look at that dump, etc.), I will gladly do so. I have also included the 3.3 dmesg below. 
Thanks, Charles _ I'd suggest trying a 3.8 snapshot as well, to make sure it hasn't already been fixed in -current. I grabbed a snapshot from 1/19 today and burned the mini cd boot iso. Same thing. Where do I go from here to troubleshoot this? It does panic, but I'm not sure how to get a dump when booting off of cd. Thanks, Charles latest boot messages follow, then the older boot messages from 3.8 are still intact below. boot booting cd0a:/3.9/i386/bsd.rd: 4429460+740764 [52+154592+141324]=0x5369c4 entry point at 0x100120 Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved. Copyright (c) 1995-2006 OpenBSD. All rights reserved. http://www.OpenBSD.org OpenBSD 3.9-beta (RAMDISK_CD) #1001: Thu Jan 19 12:49:57 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 301 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX real mem = 133799936 (130664K) avail mem = 116531200 (113800K) using 1658 buffers containing 6791168 bytes (6632K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(ee) BIOS, date 01/03/00, BIOS32 rev. 0 @ 0xfb390 apm0 at bios0: Power Management spec V1.2 apm0: flags 70102 dobusy 1 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0xb80c pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdde0/128 (6 entries) pcibios0: PCI Exclusive IRQs: 5 10 11 pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C586 ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x2000! 
cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 VIA VT82C598 PCI rev 0x04 ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) pcib0 at pci0 dev 7 function 0 VIA VT82C586 ISA rev 0x47 pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA33, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: Maxtor 72004 AP wd0: 32-sector PIO, LBA, 1916MB, 3924360 sectors wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SC-148F, F007 SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x02: irq 11 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered VIA VT82C586 Power rev 0x10 at pci0 dev 7 function 3 not configured sis0 at pci0 dev 17 function 0 NS DP83815 10/100 rev 0x00, DP83816A: irq 10, address 00:09:5b:22:4a:ee nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1 xl0 at pci0 dev 18 function 0 3Com 3c900 10Base-T rev 0x00: irq 5, address 00:a0:24:ce:11:02 isa0 at pcib0
Hotmail/MSN spamd spamtraps
Anyone out there using spamd seeing a *lot* of spam from valid hotmail/msn mail servers? Most of their outgoing servers are in my spamtrap blacklist from spamming some choice spamtrap addresses (5 year old, unpublished addresses that got ripped from address books, etc). Spamd logs show it's actually spam, and the servers really are hotmail/msn (CIDR, forward reverse DNS). I haven't had this problem with any of the other major providers, just hotmail/msn. Could botnets out there be gleaning hotmail account info and using it to send spam? That would get around the port 25 block many broadband providers are doing... Just found it curious. So far the attitude at my office is that the spam reduction is worth blacklisting hotmail. Spamd *ROCKS*! -- Darrin Chandler [EMAIL PROTECTED] http://www.stilyagin.com/
Re: Hotmail/MSN spamd spamtraps
On Fri, 20 Jan 2006, Darrin Chandler wrote: Anyone out there using spamd seeing a *lot* of spam from valid hotmail/msn mail servers? Most of their outgoing servers are in my spamtrap blacklist from spamming some choice spamtrap addresses (5 year old, unpublished addresses that got ripped from address books, etc). Spamd logs show it's actually spam, and the servers really are hotmail/msn (CIDR, forward reverse DNS). I haven't had this problem with any of the other major providers, just hotmail/msn. Yep - there are a TON of hotmail servers in our blacklists; haven't had anyone complain about not getting mail through, however from the hotmail users that we get email from. Lee
Re: Hotmail/MSN spamd spamtraps
On Fri, 20 Jan 2006 17:51:53 -0700 Darrin Chandler [EMAIL PROTECTED] wrote: Anyone out there using spamd seeing a *lot* of spam from valid hotmail/msn mail servers? Most of their outgoing servers are in my spamtrap blacklist from spamming some choice spamtrap addresses (5 year old, unpublished addresses that got ripped from address books, etc). Spamd logs show it's actually spam, and the servers really are hotmail/msn (CIDR, forward reverse DNS). I haven't had this problem with any of the other major providers, just hotmail/msn. Most of the spam I am seeing these days either comes from Hotmail (nearly all are Nigerian spams), through mailing lists such as the OpenBSD lists, or from accounts on other servers. Greylisting on my mail machine has cut down my spam load drastically. Plus, when a spam does get through, I typically blacklist the IP addresses originating the spam. For example, when someone spams through this list, I go through the headers to find the originating address and add the IP address (the entire /24 if it appears to be a dsl, cable, dialup, wireless, other address pool, or if there is no reverse lookup available) to the internal blacklist. As for the Hotmail spams, every once in a while I go through the headers in the ones I received that day and look for the X-Originating-IP header added by Hotmail. Then, I use that header to filter out anything coming from them using procmail. For example, we have received a number of Nigerian spams from hotmail originating in various 82.169.149/24 addresses and so the following is used to filter anything coming from them into a separate spam folder that the users can check if they wish for errors.

:0
* ^Received:.*hotmail\.com
* ^X-Originating-IP: \[82\.169\.149
user_imap_files/spam

where user_imap_files is a directory in the user's home directory. If they add user_imap_files as their imap directory in their mail client, then they can peruse their spam folder.
A cron job on the first day of each month deletes the spam-lastmonth file from the directory, renames spam to spam-lastmonth, and creates a new spam file for them. To the best of my knowledge, we have never had a false positive on this check. Eric Johnson
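The header check described in the message above, as an added example (not part of the original post and not the poster's own script): it keeps only messages with a hotmail.com Received line, groups their X-Originating-IP values by /24, and emits a procmail recipe in the same shape as the posted one. The sample messages, relay hostnames, the two-host threshold and all function names are assumptions made for this illustration.

```python
import email
import ipaddress
import re

# Same relay condition as the posted recipe; procmail matches case-insensitively.
HOTMAIL_RELAY = re.compile(r"hotmail\.com", re.IGNORECASE)
# Hotmail writes the value as "[a.b.c.d]"; accept it with or without brackets.
BRACKETED_IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def _sample(relay, origin):
    """Build one constructed test message (not real mail)."""
    return (
        f"Received: from {relay} by mx.example.org; Fri, 20 Jan 2006 12:00:00 -0600\n"
        f"X-Originating-IP: {origin}\n"
        "From: sender@example.net\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )


# Constructed input: relay hostnames and addresses are made up, apart from the
# 82.169.149/24 range that the post names.
SAMPLE_MESSAGES = [
    _sample("bay101-f1.bay101.hotmail.com", "[82.169.149.17]"),
    _sample("bay102-f9.bay102.hotmail.com", "[82.169.149.201]"),
    _sample("bay101-f1.bay101.hotmail.com", "[82.169.149.17]"),  # repeat host
    _sample("bay103-f4.bay103.hotmail.com", "[198.51.100.5]"),   # seen once
    _sample("mail.example.net", "[82.169.149.9]"),               # not via Hotmail
    _sample("bay104-f2.bay104.hotmail.com", "[999.1.1.1]"),      # malformed
]


def originating_ip(raw_message):
    """Return the X-Originating-IP of a Hotmail-relayed message, else None."""
    msg = email.message_from_string(raw_message)
    # The header only means something if the message passed through Hotmail,
    # so require a matching Received line first, as the posted recipe does.
    if not any(HOTMAIL_RELAY.search(h) for h in msg.get_all("Received", [])):
        return None
    value = (msg.get("X-Originating-IP") or "").strip()
    match = BRACKETED_IPV4.fullmatch(value)
    if match is None:
        return None
    try:
        return ipaddress.IPv4Address(match.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def slash24_hosts(messages):
    """Map each /24 network to the set of distinct originating hosts seen."""
    seen = {}
    for raw in messages:
        ip = originating_ip(raw)
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        seen.setdefault(net, set()).add(ip)
    return seen


def recipe_for(net, folder="user_imap_files/spam"):
    """Render a procmail recipe for one /24, shaped like the posted one."""
    first_three = str(net.network_address).rsplit(".", 1)[0]
    escaped = re.escape(first_three)
    # The trailing "\." is an addition to the posted pattern: it stops a
    # shorter prefix such as 82.169.14 from also matching 82.169.149.x.
    return "\n".join([
        ":0",
        r"* ^Received:.*hotmail\.com",
        rf"* ^X-Originating-IP: \[{escaped}\.",
        folder,
    ])


def recipes(messages, min_hosts=2):
    """Recipes for every /24 with at least min_hosts distinct senders."""
    hosts = slash24_hosts(messages)
    return [recipe_for(n) for n in sorted(hosts) if len(hosts[n]) >= min_hosts]


if __name__ == "__main__":
    print("\n\n".join(recipes(SAMPLE_MESSAGES)))
```
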
LCD
Hello all, I know that is not a question for this forum, but does anyone here know a serial controller or whatever to use with an old EPSON EG9007D-NS12 LCD Display? This will be very helpful for me!!! Thanks a lot Best regards -- Abragos Ricardo Lucas We have to stop been egoist and think more on ourselves.
Re: portmap daemon
Thanks for your feedback! I have some daemons that only communicate by TCP. I would like to be able to make indirect calls to the local portmap daemon for calling my tools. Reading the RFC 1831 says (in the context of indirect calls): the portmap communicates with the remote program using UDP. Could I infer I may add support for indirect communication using TCP without violating the standard? I am worried, too, about the security implications this patch could open. 2006/1/19, Theo de Raadt [EMAIL PROTECTED]: I have been playing around with openbsd portmap. I am confused about the fact that if a program is registered above port 1024 any local user may remove it, right? Yes. Does it sound good from a security point of view? It's not that great, but unfortunately there is no solution to this problem. It is a bad design. I've spent a lot of time working on RPC, making it more secure. There are many other restrictions for safety in our RPC and portmap code, but there is no real solution to this.
Re: Partition sizing
M... wrote: ... I know swap used to be 2x the memory, but does that still hold with 256MB RAM installed ? as opposed to years ago with 32MB or 64MB ? That advice is as bogus now as it was then. The answer is, use what YOU need. Most of the time, if your system starts swapping, you are hurting. The Swap = 2x Physical rule makes a little sense if you have a LOT of applications loaded, but only a few are actually active at any one time, AND waiting for a swapped-out app to get reloaded into RAM and an inactive app to be swapped out is acceptable. That's an unusual situation for many, probably even most, systems. The other application I have found for swap is where one app will suddenly start demanding astronomical amounts of RAM for a brief moment, and the nature of the task is where it doesn't matter if it takes two minutes or twenty minutes. Usually, however, if you are running any kind of server and you expect swap, you need more RAM, not to be quibbling about swap sizes. Core dumps are saved to swap, but then, they get unloaded to /var on boot, so IF you care about this (and most people probably should not), you have to size several things appropriately...swap slightly bigger than physical RAM, and enough free space on /var to have at least one core dump, probably multiple. Nick.
Re: connection to 3.8 box times out
I don't believe BIOS is at fault. I could not find anything vaguely related in BIOS settings, plus, I booted machine with Knoppix boot cd and have been able to ping it for hours on end. Rather strange. On 1/20/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Thu, Jan 19, 2006 at 05:41:11PM -0600, Igor Vilensky wrote: Greetings, This is my first post. Apologies if not everything is pro forma. I hope someone might help me with this issue. Ssh session and pinging 3.8 Generic running on Compaq Deskpro SB time out after 800 to 2400 when not actively using the box. You get 'No route to Host' message in ping or ssh session freezes. The box is connected to 4 port Belkin KVM switch on video and keyboard, regular PS2 mouse is plugged in. Re-plugging mouse wakes up the session/ping and it works for a little while. Pressing keys on mouse makes no difference. Unplugging keyboard makes no difference, but connecting to Video and keyboard on KVM and hitting a key on a keyboard does wake up OpenBSD so that it responds again. Have you checked the BIOS for interesting options? This looks like the BIOS shuts down the machine or some such. Joachim