Re: PF + rsync trouble

2007-02-15 Thread Chris C.
On Thursday 15 February 2007 00:17, Darren Spruell wrote:
 On 2/14/07, Chris C. [EMAIL PROTECTED] wrote:
  On Wednesday 14 February 2007 21:59, Chris C. wrote:
   Hi
  
   I'm having issues with rsyncing ftp.rfc-editor.org through a PF
   firewall, other connections (also other rsync connections) work well.
  
   rsync -avz --delete ftp.rfc-editor.org::rfcs-text-only my-rfc-mirror
   receiving file list ... done
   ./
   rfc-index.xml
   ...
   rfc1591.txt
   rfc1592.txt
   nothing is going to happen... will timeout in a few minutes
   any suggestions? thanks!
 
  Have to reply to my own post...
  The rsync process completes on the gateway itself, but not on any device
  behind it.

 Enable debugging in PF and see if you get any error conditions in your
 kernel logs.

 # pfctl -x loud

 (set back to normal with 'pfctl -x urgent')

thanks, but that didn't help

I enabled debugging, added flags S/SA to all my rules and have block in log 
all / pass out log all rules.

/var/log/messages doesn't say anything except adding ospf 
tcpdump -n -e -ttt -i pflog0 also doesn't say anything special:
Feb 15 08:58:26.289011 rule 7/(match) pass out on pppoe0: 217.95.254.251.62376 > 128.9.176.20.873: [|tcp]

but rsync still aborts with:
rsync error: timeout in data send/receive (code 30) at io.c(171) 
[sender=2.6.8]
rsync: connection unexpectedly closed (168446 bytes received so far) 
[receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(453) 
[receiver=2.6.9]
_exit_cleanup(code=12, file=io.c, line=453): about to call exit(12)
rsync: connection unexpectedly closed (168446 bytes received so far) 
[generator]
rsync error: error in rsync protocol data stream (code 12) at io.c(453) 
[generator=2.6.9]
_exit_cleanup(code=12, file=io.c, line=453): about to call exit(12)


anything left I can do? My other rsyncs (e.g. gentoo-portage) still work very 
well.



both *40.tgz and *41.tgz in snapshots directory

2007-02-15 Thread Peter N. M. Hansteen
Fetching the latest i386 snapshot files I could not help noticing that
the snapshots directory contains a number of near duplicate archives
and .fs files with both *40.* and *41.* names, ie there are two
base*.tgz files:

-r--r--r--1 1114 1114 42403082 Feb 14 17:13 base40.tgz
-r--r--r--1 1114 1114 42401670 Feb 14 17:13 base41.tgz

and oddly enough the index.txt file lists a few of those near
duplicate file names as well.  The timestamps make me think that some
cpu cycles may have been wasted generating more archives than are
actually needed, but I assume it won't be long until this is corrected.

Which reminds me - People, the time to test snapshots is now.  If
you're not already routinely downloading and testing snapshots, now is
an excellent time to start.  Any feedback you generate and issues you
help resolve will help making 4.1 the greatest ever release.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: mediawiki on chroot

2007-02-15 Thread Stuart Henderson
On 2007/02/15 18:34, atstake atstake wrote:
 [error] PHP Warning:  Unknown:
 open(/tmp//sess_gmmltgdpemd3sutt31mrivba34, O_RDWR) failed: Permission
 denied (13) in Unknown on line 0

this refers to /var/www/tmp, check it exists and has appropriate
permissions.



Re: Nagios plugin for checking OpenBGPd-Peers

2007-02-15 Thread Henning Brauer
* Falk Brockerhoff - smartTERRA GmbH [EMAIL PROTECTED] [2007-02-14 22:24]:
 has anybody written a nagios plugin to check the presence of some 
 specified bgp-peers set up with openbgpd?

not that I am aware of; but I have kind of prepared it :)

the way to go is pbly:
-restricted control socket (bgpd -r)
-use bgpctl show summary terse (use restricted socket of course), this 
 is made to be easily parsable
-use a superserver like inetd to run the above on some weird port that 
 you firewall so only your nagios host(s) can reach it

rest is straightforward. could pbly also use nrpe on the router and 
have it run the above bgpctl command; I don't trust nagios + nrpe code 
too much tho (now, that was very nicely and diplomatic put, no?)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: both *40.tgz and *41.tgz in snapshots directory

2007-02-15 Thread Darren Spruell

On 2/15/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:

Fetching the latest i386 snapshot files I could not help noticing that
the snapshots directory contains a number of near duplicate archives
and .fs files with both *40.* and *41.* names, ie there are two
base*.tgz files:

-r--r--r--1 1114 1114 42403082 Feb 14 17:13 base40.tgz
-r--r--r--1 1114 1114 42401670 Feb 14 17:13 base41.tgz

and oddly enough the index.txt file lists a few of those near
duplicate file names as well.  The timestamps make me think that some
cpu cycles may have been wasted generating more archives than are
actually needed, but I assume it won't be long until this is corrected.


http://marc.theaimsgroup.com/?l=openbsd-ports&m=117131955625737&w=2

Happens 2x/year.

DS



Re: [Bulk] arpresolve: can't allocate llinfo

2007-02-15 Thread Shane Lahey
Hello Cory,

Thursday, February 15, 2007, 2:40:51 AM, you wrote:

 Hello all,

 My OpenBSD firewall is still randomly stopping routing packets and I 
 still can't figure out why. :-(

 I made the suggested patch to if_ether.c, but now I just get the 
 following line in /var/log/messages:

 Feb 14 18:08:41 bytor /bsd: arpresolve: can't allocate llinfo for 
 192.168.1.1:no link address


 Symptoms: Firewall can ping the wifi router (to which ADSL modem is 
 attached), but pinging anything beyond it fails. If I try to traceroute
 to some place beyond the router, it doesn't show the router as the first
 hop. (If it can ping the router, shouldn't it show up as the first hop on
 a traceroute?). Even though the firewall can ping the router, it cannot
 ping my laptop, even though the route to both goes out ral0. The laptop
 cannot ping the firewall either. I know the router is still working 
 because my laptop can still access the internet through it once I reset
 the default gateway to the router instead of the firewall. IPv6 ssh 
 connections from the laptop to the firewall stay active.

 Thing is, arp -a and route -n show -inet show exactly the same 
 thing whether the problem is currently in progress or everything is 
 working perfectly. No NICs accidentally have addresses on the wrong segment.

 I had routed running, but stopping it has made no difference.

 Anybody have any ideas?

 [EMAIL PROTECTED] 1:03:58 [9]/etc arp -a
 bytor (192.168.0.1) at 00:0e:0c:bc:38:9d on em1 static
 xanadu (192.168.0.2) at 00:0e:0c:b9:4d:ed on em1
 heechee.wireless (192.168.1.1) at 00:13:10:0e:0b:08 on ral0
 snowdog.wireless (192.168.1.3) at 00:12:17:60:fe:40 on ral0
 redbarchetta.wireless.fenris.cjb.net (192.168.1.191) at 
 00:18:de:20:4f:2e on ral0
 bytor (192.168.16.1) at 00:0e:0c:b9:50:74 on em0 static
 snowdog (192.168.16.2) at 00:15:f2:e8:7f:51 on em0

 [EMAIL PROTECTED] 1:04:03 [10]/etc route -n show -inet
 Routing tables

 Internet:
 Destination   GatewayFlagsRefs  UseMtu  Interface
 default   192.168.1.1UGS16   188916  -   ral0
 127.0.0.1 127.0.0.1  UH  2 6049  33224   lo0
 192.168.0/24  link#3 UC  20  -   em1
 192.168.0.1   00:0e:0c:bc:38:9d  UHLc9   996889  -   lo0
 192.168.0.2   00:0e:0c:b9:4d:ed  UHLc156064  -   em1
 192.168.1/24  link#4 UC  30  -   ral0
 192.168.1.1   00:13:10:0e:0b:08  UHLc2 3272  -   ral0
 192.168.1.3   00:12:17:60:fe:40  UHLc0  483  -   ral0
 192.168.1.191 00:18:de:20:4f:2e  UHLc0 4587  -   ral0
 192.168.2/24  link#1 UC  00  -   fxp0
 192.168.16/24 link#2 UC  20  -   em0
 192.168.16.1  00:0e:0c:b9:50:74  UHLc0   50  -   lo0
 192.168.16.2  00:15:f2:e8:7f:51  UHLc5   392664  -   em0

 [EMAIL PROTECTED] 1:04:13 [11]/etc cat hostname.ral0
 inet 192.168.1.2 255.255.255.0 192.168.1.255 nwid fenris nwkey
   0x0A18135EB54723927B64AB65BC
 inet6 alias 2001:05c0:92cf:1::c0a8:0102 64

 [EMAIL PROTECTED] 1:06:08 [12]/etc cat hostname.em0
 inet 192.168.16.1 255.255.255.0 192.168.16.255
 inet6 alias 2001:05c0:92cf:10::c0a8:1001 64

 [EMAIL PROTECTED] 1:06:18 [13]/etc cat hostname.em1
 inet 192.168.0.1 255.255.255.0 192.168.0.255
 inet6 alias 2001:05c0:92cf:0::c0a8:0001 64

 [EMAIL PROTECTED] 1:06:33 [14]/etc cat hostname.fxp0
 inet 192.168.2.1 255.255.255.0 192.168.2.255
 inet6 alias 2001:5c0:92cf:2::c0a8:0201 64

I had this issue before and it turned out to be a bad NIC.

-- 
Best regards,
 Shane

homepage: http://craz1.homelinux.com



Howto remove sendmail?

2007-02-15 Thread Antonis Faragitakis

Hi all,

I want to install postfix on my openbsd3.9 system and I was wondering
how I can remove sendmail; is there a standard procedure to do that?


thanks
Atn.



Re: Howto remove sendmail?

2007-02-15 Thread Joel Dinel
On 02/15/07 at 17:21, Antonis Faragitakis wrote:
Hi all,

I want to install postfix on my openbsd3.9 system and I was wondering
how I can remove sendmail; is there a standard procedure to do that?

Search the archives. This has been discussed to great lengths, multiple
times.



Re: Howto remove sendmail?

2007-02-15 Thread Fred Crowson

Antonis Faragitakis wrote:

Hi all,

I want to install postfix on my openbsd3.9 system and I was wondering
how I can remove sendmail; is there a standard procedure to do that?


thanks
Atn.


http://marc.theaimsgroup.com/?l=openbsd-misc&w=2&r=1&s=sendmail&q=b

might give some clues.

--
http://www.crowsons.net/puters/x41.php



Re: PF drops tcp packets from a machine with Gentoo linux kernel 2.6.18

2007-02-15 Thread Tim Kuhlman
On Wednesday 14 February 2007 1:29 pm, Stuart Henderson wrote:
 On 2007/02/14 11:47, Tim Kuhlman wrote:
  So what is happening? It seems to me that either pf is broken or his
  linux kernel is broken and pf is catching it. Any ideas as to which is
  the cause?

 Ruleset more likely. If you post it, people can make suggestions.
 Might be useful to capture a SYN with tcpdump and post any state entries
 relating to it, too (the relevant parts of pfctl -ss -v).

So my ruleset has some problems. I took some time to work through my rules and 
re-read the state tracking section of the pf faq (which by the way is well 
done, thanks). I found what I think are a couple of problems, I needed to 
have the flags S/SA so that it paid attention to the syn packet and for some 
reason I had the state policy globally set to if-bound rather than floating. 
When I change both of those a new problem appears, routing between my 
internal network and DMZs doesn't work. 

The syn packet goes through and appears to create state but the Syn/Ack packet 
isn't let back through. I thought that if it created state one way it was 
supposed to allow it back the other. Surely I am missing something simple.

Here is the state as it appears with the new rules from a pfctl -vvss, I 
also attached a tcpdump capture from both interfaces on the router.

all tcp 10.10.10.150:49516 -> 10.11.0.5:80   ESTABLISHED:SYN_SENT
   [573330559 + 16385](+3517130307) wscale 2  [3039928992 + 5840](+146001125) 
   wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts, 116:64 bytes, rule 
   135 id: 45c74dc600234f51 creatorid: b3647a00

The router has 5 interfaces and 10 ip addresses associated with it so I will 
spare you the full ruleset but here are the ones that are relevant. I copied 
the rules as they are including the extra interfaces and such. 
$DMZ_production_if is the 10.11.0.0/24 network
$int_if is the 10.10.8.0/21 network

table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }

pass in on { $int_if $vpn_if } proto {tcp udp icmp} from <int_net> to \
   { $DMZ_production_if:network, $DMZ_proto_if:network }

pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if 
$DMZ_proto_if } proto \
   {tcp udp icmp} flags S/SA modulate state

Thanks again.
-- 
Tim Kuhlman
Network Administrator
ColoradoVnet.com

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of dmz_production_if-side]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of int_if-side]



Re: Howto remove sendmail?

2007-02-15 Thread Antonis Faragitakis

Thanks a lot guys


Atn.



Re: Howto remove sendmail?

2007-02-15 Thread John Gould

On Thu, 15 Feb 2007, Antonis Faragitakis wrote:


Hi all,

I want to install postfix on my openbsd3.9 system and I was wondering
how I can remove sendmail; is there a standard procedure to do that?


thanks
Atn.

Search the archive! This has been answered numerous times. You don't need 
to remove sendmail! Try 'man 8 mailwrapper'


Regards John.



Re: PF drops tcp packets from a machine with Gentoo linux kernel 2.6.18

2007-02-15 Thread Tim Kuhlman
Whoops, I forgot about attachments being stripped.
$ tcpdump -nr dmz_production_if-side -vv
reading from file dmz_production_if-side, link-type EN10MB (Ethernet)
16:32:15.627327 IP (tos 0x0, ttl  63, id 49423, offset 0, flags [DF], proto: 
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0x3bd9 
(correct), 4232982860:4232982860(0) win 5840 mss 1460,sackOK,timestamp 
712219763 0,nop,wscale 2
16:32:15.627423 IP (tos 0x0, ttl 128, id 22766, offset 0, flags [none], proto: 
TCP (6), length: 64) 10.11.0.5.80 > 10.10.10.150.57818: S, cksum 0x934f 
(correct), 49492280:49492280(0) ack 4232982861 win 16384 mss 1460,nop,wscale 
0,nop,nop,timestamp 0 0,nop,nop,sackOK
16:32:18.628278 IP (tos 0x0, ttl  63, id 49424, offset 0, flags [DF], proto: 
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xcd5e 
(correct), 4232982860:4232982860(0) win 5840 mss 1460,sackOK,timestamp 
712220513 0,nop,wscale 2
16:32:18.833758 IP (tos 0x0, ttl 128, id 22768, offset 0, flags [none], proto: 
TCP (6), length: 64) 10.11.0.5.80 > 10.10.10.150.57818: S, cksum 0x934f 
(correct), 49492280:49492280(0) ack 4232982861 win 16384 mss 1460,nop,wscale 
0,nop,nop,timestamp 0 0,nop,nop,sackOK
16:32:24.628962 IP (tos 0x0, ttl  63, id 49425, offset 0, flags [DF], proto: 
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xc782 
(correct), 4232982860:4232982860(0) win 5840 mss 1460,sackOK,timestamp 
71013 0,nop,wscale 2
16:32:28.130462 IP (tos 0x0, ttl 128, id 22769, offset 0, flags [none], proto: 
TCP (6), length: 64) 10.11.0.5.80 > 10.10.10.150.57818: S, cksum 0x934f 
(correct), 49492280:49492280(0) ack 4232982861 win 16384 mss 1460,nop,wscale 
0,nop,nop,timestamp 0 0,nop,nop,sackOK

$ tcpdump -nr int_if-side -vv host 10.11.0.5
reading from file int_if-side, link-type EN10MB (Ethernet)
16:32:15.627282 IP (tos 0x0, ttl  64, id 49423, offset 0, flags [DF], proto: 
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xd7c2 
(correct), 875912572:875912572(0) win 5840 mss 1460,sackOK,timestamp 
712219763 0,nop,wscale 2
16:32:18.628245 IP (tos 0x0, ttl  64, id 49424, offset 0, flags [DF], proto: 
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xd4d4 
(correct), 875912572:875912572(0) win 5840 mss 1460,sackOK,timestamp 
712220513 0,nop,wscale 2
16:32:24.628925 IP (tos 0x0, ttl  64, id 49425, offset 0, flags [DF], proto: 
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xcef8 
(correct), 875912572:875912572(0) win 5840 mss 1460,sackOK,timestamp 
71013 0,nop,wscale 2


On Thursday 15 February 2007 9:07 am, Tim Kuhlman wrote:
 On Wednesday 14 February 2007 1:29 pm, Stuart Henderson wrote:
  On 2007/02/14 11:47, Tim Kuhlman wrote:
   So what is happening? It seems to me that either pf is broken or his
   linux kernel is broken and pf is catching it. Any ideas as to which is
   the cause?
 
  Ruleset more likely. If you post it, people can make suggestions.
  Might be useful to capture a SYN with tcpdump and post any state entries
  relating to it, too (the relevant parts of pfctl -ss -v).

 So my ruleset has some problems. I took some time to work through my rules
 and re-read the state tracking section of the pf faq (which by the way is
 well done, thanks). I found what I think are a couple of problems, I needed
 to have the flags S/SA so that it paid attention to the syn packet and for
 some reason I had the state policy globally set to if-bound rather than
 floating. When I change both of those a new problem appears, routing
 between my internal network and DMZs doesn't work.

 The syn packet goes through and appears to create state but the Syn/Ack
 packet isn't let back through. I thought that if it created state one way
 it was supposed to allow it back the other. Surely I am missing something
 simple.

 Here is the state as it appears with the new rules from a pfctl -vvss, I
 also attached a tcpdump capture from both interfaces on the router.

 all tcp 10.10.10.150:49516 -> 10.11.0.5:80   ESTABLISHED:SYN_SENT
[573330559 + 16385](+3517130307) wscale 2  [3039928992 +
 5840](+146001125) wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts,
 116:64 bytes, rule 135 id: 45c74dc600234f51 creatorid: b3647a00

 The router has 5 interfaces and 10 ip addresses associated with it so I
 will spare you the full ruleset but here are the ones that are relevant. I
 copied the rules as they are including the extra interfaces and such.
 $DMZ_production_if is the 10.11.0.0/24 network
 $int_if is the 10.10.8.0/21 network

 table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }

 pass in on { $int_if $vpn_if } proto {tcp udp icmp} from <int_net> to \
{ $DMZ_production_if:network, $DMZ_proto_if:network }

 pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if
 $DMZ_proto_if } proto \
{tcp udp icmp} flags S/SA modulate state

 Thanks again.

-- 
Tim Kuhlman
Network Administrator
ColoradoVnet.com



Re: pf route-to rdr

2007-02-15 Thread Frans Haarman

On 2/14/07, Frans Haarman [EMAIL PROTECTED] wrote:

when routing packets to another interface, is it then possible to do redirection
for those packets on the other interface ?

I am trying to:
- route subnets to a tunnel
- redirect the subnets to private ip

10.100.1.1 > bge0 --- route-to --- tun0 --- rdr 10.100.1.1 -> 192.168.1.1

I am seeing mostly

2007-02-14 15:29:43.043821 rule 1/0(match): pass out on tun0:
172.16.11.24 > 10.100.1.1: ICMP echo request, id 512, seq 20225,
length 40

So no rdr. Its probably supposed to work like this, but I lack some pf
understanding
I guess.. if someone could drop some hints it would be nice.

Test box is freebsd btw. If above setup will work on openbsd with
multiple routing tables, etc, etc, please let me know.



#Redirect 10.100.1.1 to CLIENT_A's 192.168.1.1
rdr on bge0 from any to 10.100.1.1 tag CLIENT_A -> 192.168.1.1

#Do nat on CLIENT_A tunnel
nat on tun0 from any to 192.168.0.0/16 -> tun0

#Pass packets for CLIENT_A to their tunnel
pass in log on bge0 route-to tun0 tagged CLIENT_A keep state

This seems to work! I am quite happy with it.

Cheers,
Gr. FH



Re: dmesg and fdisk do not match about usb external disk

2007-02-15 Thread jepael

So is this also the reason why I cannot boot OpenBSD from a USB memory
stick? Because BIOS and OpenBSD use different geometries? Can I somehow
force OpenBSD to use the BIOS geometry on the USB disk? How?

- Jani


On Tue, Feb 13, 2007 at 12:07:57PM +0100, frantisek holop wrote:
 hmm, on Tue, Feb 13, 2007 at 08:56:24PM +1100, Shane J Pearson said that
  On 13/02/2007, at 8:18 PM, frantisek holop wrote:
 
  how am i (and fdisk) supposed to make partitions on CHS boundaries
  if instead of 19457/255/63 fdisk sees the disk as 152627/64/32?
 
  What is the point in trying to align to such boundaries, when the
  physical HDD does not have 255 or 64 heads and those numbers are
  faked due to working around legacy limitations?

 fdisk(8):

 CAVEATS
 Hand crafted disk layouts are highly error prone. MBR partitions
 should start on a cylinder boundary (head 0, sector 1), except when
 starting on track 0, (these should begin at head 1, sector 1). MBR
 partitions should also end at cylinder boundaries.


 as far as i know most of the other OSs also align to boundaries.

 -f
 --
 the borg are coming!  quick!  try and look useless!


OpenBSD aligns to boundaries. It just makes up the boundaries, as do
other OS's.  It's unfortunate that all OS's don't make up the same
boundaries but until you can convince all OS developers to use the
same fake geometry you'll have to live with the current situation.

OpenBSD makes absolutely no effort to get 'real' geometry
information from USB attached disks. Too many such devices simply
freak out and stop working when asked this difficult question.
Others make up even more bizarre geometries than the one we use.

So OpenBSD uses 64*32, divides the number of sectors (which all
devices do provide) by this value to give a cylinder count, and
truncates the fractional cylinder. So up to 64*31 = 1984 sectors
will be 'wasted'.

Windows uses 255 * 63, so up to 255 * 62 = 15,810 sectors could be
'wasted'.

Interested parties can examine /usr/src/sys/scsi/sd.c, lines 1344
and 1453.

 Ken






Re: PF drops tcp packets from a machine with Gentoo linux kernel 2.6.18

2007-02-15 Thread Darren Spruell

On 2/15/07, Tim Kuhlman [EMAIL PROTECTED] wrote:

So my ruleset has some problems. I took some time to work through my rules and
re-read the state tracking section of the pf faq (which by the way is well
done, thanks). I found what I think are a couple of problems, I needed to
have the flags S/SA so that it paid attention to the syn packet and for some
reason I had the state policy globally set to if-bound rather than floating.
When I change both of those a new problem appears, routing between my
internal network and DMZs doesn't work.

The syn packet goes through and appears to create state but the Syn/Ack packet
isn't let back through. I thought that if it created state one way it was
supposed to allow it back the other. Surely I am missing something simple.

Here is the state as it appears with the new rules from a pfctl -vvss, I
also attached a tcpdump capture from both interfaces on the router.


Attachments are stripped by the listserv. Better to paste results in.


all tcp 10.10.10.150:49516 -> 10.11.0.5:80   ESTABLISHED:SYN_SENT
   [573330559 + 16385](+3517130307) wscale 2  [3039928992 + 5840](+146001125)
   wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts, 116:64 bytes, rule
   135 id: 45c74dc600234f51 creatorid: b3647a00

The router has 5 interfaces and 10 ip addresses associated with it so I will
spare you the full ruleset but here are the ones that are relevant. I copied
the rules as they are including the extra interfaces and such.
$DMZ_production_if is the 10.11.0.0/24 network
$int_if is the 10.10.8.0/21 network

table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }

pass in on { $int_if $vpn_if } proto {tcp udp icmp} from <int_net> to \
   { $DMZ_production_if:network, $DMZ_proto_if:network }

pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if
$DMZ_proto_if } proto \
   {tcp udp icmp} flags S/SA modulate state


IMHO, it's confusing to cram as much logic as you are into this rule;
your traffic flows from one network to another follow distinct
directions and crossing of interfaces, yet you've got a bit of a
convoluted rule handling the 'pass out' for all of those flows on
different interfaces. For all I know, it might work fine, but just for
me it's confusing to piece it together and may be the cause of your
futz.

If you don't have traffic coming into your LAN from the DMZ, you could
simplify this by having simply a:

- pass in rule on your LAN interface allowing flows from the LAN into
the remote networks, with keep state and appropriate flags;
- pass out rule on your DMZ interface or whatever interfaces are
destinations from the LAN, with keep state and appropriate flags.

You need both; you need to have state built INBOUND on the INSIDE
interface so that return traffic out that interface passes statefully.
At the same time, you need state built OUTBOUND on the OUTSIDE
interface so that return traffic in that interface passes statefully.

Flavor as needed with similar, additional rules for connection flows
from the DMZ into the LAN or other networks, if any.

DS



Re: slow io operations on xSeries 336

2007-02-15 Thread Jose Fragoso
 can i see a dmesg as well? if you're running the machine as an
 amd64, can you try it again as an i386?

I am running as an i386

$ arch
OpenBSD.i386

The dmesg follows.

Thanks in advance.

Regards,

Jose

OpenBSD 4.0 (GENERIC.MP) #936: Sat Sep 16 19:27:28 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.21 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16
real mem  = 1073094656 (1047944K)
avail mem = 970813440 (948060K)
using 4256 buffers containing 53755904 bytes (52496K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 01/17/05, BIOS32 rev. 0 @ 0xfd721, SMBIOS rev. 2.3 @ 0xf602c (50 entries)
bios0: IBM eserver xSeries 336 -[883721U]-
pcibios0 at bios0: rev 2.1 @ 0xf/0x
pcibios0: PCI BIOS has 11 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 9 10 11 15
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcb000/0x4000
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
mainbus0: Intel MP Specification (Version 1.4) (IBM ENSW X336 SMP)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200 MHz
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type PCI
mainbus0: bus 6 is type PCI
mainbus0: bus 7 is type PCI
mainbus0: bus 8 is type ISA
ioapic0 at mainbus0: apid 14 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 13 pa 0xfec82000, version 20, 24 pins
ioapic2 at mainbus0: apid 12 pa 0xfec82400, version 20, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x0a
Intel E7520 MCH ERR rev 0x0a at pci0 dev 0 function 1 not configured
ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0a
pci1 at ppb0 bus 2
ppb1 at pci0 dev 4 function 0 Intel MCH PCIE rev 0x0a
pci2 at ppb1 bus 3
ppb2 at pci2 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 4
mpi0 at pci3 dev 1 function 0 Symbios Logic 53c1030 rev 0x08: apic 13 int 4 (irq 11)
scsibus0 at mpi0: 16 targets
sd0 at scsibus0 targ 0 lun 0: IBM-ESXS, MAW3300NC FN, C206 SCSI2 0/direct fixed
sd0: 286102MB, 78753 cyl, 8 head, 930 sec, 512 bytes/sec, 585937500 sec total
safte0 at scsibus0 targ 8 lun 0: IBM, 25P3495a S320 1, 1 SCSI2 3/processor fixed
mpi0: target 0 Sync at 160MHz width 16bit offset 127 QAS 0 DT 1 IU 1
ppb3 at pci2 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci4 at ppb3 bus 5
ppb4 at pci0 dev 6 function 0 Intel MCH PCIE rev 0x0a
pci5 at ppb4 bus 6
bge0 at pci5 dev 0 function 0 Broadcom BCM5721 rev 0x01, BCM5750 A1 (0x4001): apic 14 int 16 (irq 11), address 00:0d:60:99:a3:b2
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb5 at pci0 dev 7 function 0 Intel MCH PCIE rev 0x0a
pci6 at ppb5 bus 7
bge1 at pci6 dev 0 function 0 Broadcom BCM5721 rev 0x01, BCM5750 A1 (0x4001): apic 14 int 16 (irq 11), address 00:0d:60:99:a3:b3
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
Intel E7525 MCH Configuration rev 0x0a at pci0 dev 8 function 0 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: apic 14 int 16 (irq 11)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: apic 14 int 19 (irq 3)
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: apic 14 int 23 (irq 5)
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci7 at ppb6 bus 1
vga1 at pci7 dev 1 function 0 ATI Radeon VE QY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
pciide0 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: HL-DT-ST, DVD-ROM GDR8083N, 0L02 SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801EB/ER SMBus rev 0x02: apic 14 int 17 (irq 3)
iic0 at ichiic0: disabled to avoid ipmi0 interactions
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, 

Re: PF drops tcp packets from a machine with Gentoo linux kernel 2.6.18

2007-02-15 Thread Tim Kuhlman
On Thursday 15 February 2007 10:12 am, Darren Spruell wrote:
 On 2/15/07, Tim Kuhlman [EMAIL PROTECTED] wrote:
  So my ruleset has some problems. I took some time to work through my
  rules and re-read the state tracking section of the pf faq (which by the
  way is well done, thanks). I found what I think are a couple of problems,
  I needed to have the flags S/SA so that it paid attention to the syn
  packet and for some reason I had the state policy globally set to
  if-bound rather than floating. When I change both of those a new problem
  appears, routing between my internal network and DMZs doesn't work.
 
  The syn packet goes through and appears to create state but the Syn/Ack
  packet isn't let back through. I thought that if it created state one
  way it was supposed to allow it back the other. Surely I am missing
  something simple.
 
  Here is the state as it appears with the new rules from a pfctl -vvss,
  I also attached a tcpdump capture from both interfaces on the router.

 Attachments are stripped by the listserv. Better to paste results in.

  all tcp 10.10.10.150:49516 -> 10.11.0.5:80   ESTABLISHED:SYN_SENT
 [573330559 + 16385](+3517130307) wscale 2  [3039928992 +
  5840](+146001125) wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts,
  116:64 bytes, rule 135 id: 45c74dc600234f51 creatorid: b3647a00
 
  The router has 5 interfaces and 10 ip addresses associated with it so I
  will spare you the full ruleset but here are the ones that are relevant.
  I copied the rules as they are including the extra interfaces and such.
  $DMZ_production_if is the 10.11.0.0/24 network
  $int_if is the 10.10.8.0/21 network
 
  table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }
 
  pass in on { $int_if $vpn_if } proto {tcp udp icmp} from <int_net> to \
 { $DMZ_production_if:network, $DMZ_proto_if:network }
 
  pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if
  $DMZ_proto_if } proto \
 {tcp udp icmp} flags S/SA modulate state

 IMHO, it's confusing to cram as much logic as you are into this rule;
 your traffic flows from one network to another follow distinct
 directions and crossing of interfaces, yet you've got a bit of a
 convoluted rule handling the 'pass out' for all of those flows on
 different interfaces. For all I know, it might work fine, but just for
 me it's confusing to piece it together and may be the cause of your
 futz.

 If you don't have traffic coming into your LAN from the DMZ, you could
 simplify this by having simply a:

 - pass in rule on your LAN interface allowing flows from the LAN into
 the remote networks, with keep state and appropriate flags;
 - pass out rule on your DMZ interface or whatever interfaces are
 destinations from the LAN, with keep state and appropriate flags.

 You need both; you need to have state built INBOUND on the INSIDE
 interface so that return traffic out that interface passes statefully.
 At the same time, you need state built OUTBOUND on the OUTSIDE
 interface so that return traffic in that interface passes statefully.

The above paragraph explains what my problem was. I was thinking that I simply 
needed the state built once and that pf would figure out both directions. I  
added state building on the appropriate pass in rules and it is working. This 
also solved the original issue of the one gentoo box getting its tcp packets 
dropped. I am going to go through my ruleset simplifying and auditing with 
this in mind. Thanks again for the help!


-- 
Tim Kuhlman
Network Administrator
ColoradoVnet.com
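
The two-rule pattern Darren describes, written out as an added example (this is not a ruleset from the thread; the interface names, the `block` default and the macros are assumed for the illustration, the table comes from Tim's post). The point is that a flow from the LAN to the DMZ crosses two interfaces, so it needs a state on each: one built by `pass in` on the inside interface, one built by `pass out` on the DMZ interface. Each state lets the SYN/ACK back through the interface it was created on; with only one of them the reply is dropped at the other interface, which is exactly the ESTABLISHED:SYN_SENT state shown above.

```pf
# Added example, not from the thread. Interface names are assumed.
int_if = "em0"      # LAN side, 10.10.8.0/21 (assumed name)
dmz_if = "em1"      # DMZ side, 10.11.0.0/24 (assumed name)

table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }

# Floating states match the same flow on any interface; if-bound would
# additionally require the state to be hit on the interface it was created on.
set state-policy floating

block log all

# 1) State built INBOUND on the inside interface. The SYN arriving from the
#    LAN creates it; the SYN/ACK going back OUT of $int_if matches it.
pass in on $int_if proto tcp from <int_net> to $dmz_if:network \
    flags S/SA keep state
pass in on $int_if proto { udp icmp } from <int_net> to $dmz_if:network \
    keep state

# 2) State built OUTBOUND on the DMZ interface. The same SYN leaving toward
#    the server creates it; the SYN/ACK arriving IN on $dmz_if matches it.
#    Without this rule the reply is blocked here by "block log all".
pass out on $dmz_if proto tcp from <int_net> to $dmz_if:network \
    flags S/SA keep state
pass out on $dmz_if proto { udp icmp } from <int_net> to $dmz_if:network \
    keep state
```

`flags S/SA` is given on the TCP rules only, so that state is created on the initial SYN rather than on a later packet of the handshake; `modulate state`, as used in the original ruleset, also creates state and would work in place of `keep state`. Load the ruleset with `pfctl -nf` first to check the syntax, then `pfctl -vvss` after a test connection should show the same flow with state on both interfaces.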



Re: Annoying problem with dnsmasq

2007-02-15 Thread Markus Bergkvist

See release notes on Dnsmasq 2.35
http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=239661
OpenBSD-4.0 is due for release very soon and no version of dnsmasq 
prior to 2.35 will do DHCP on OpenBSD-4.0.


/Markus


Manuel Ravasio wrote:

Hello all.
I'm trying to set up a firewall/web-proxy/dns-proxy/dhcp-server box at
home, using a quite old i386-based pc (AMD k6-2 300, 256mb RAM, 2x10G
IDE disks) and OpenBSD 4.0.

OS installation, disk management, additional software installation and
configuration... everything went fine.
Problems started in configuring dnsmasq: I managed to make dns
forwarding work ( I really don't need anything more than standard
behaviour), then I created a DHCP range entry:

expand-hosts
domain=manuel.test
dhcp-range=192.168.2.100,192.168.2.200,255.255.255.0,1h

I chose to activate dnsmasq on the internal interface only:

interface=pcn1

pcn1's IP address is fixed and compatible with the range specified:

# ifconfig pcn1
pcn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:0c:29:af:4f:47
   media: Ethernet autoselect (autoselect)
   inet 192.168.2.11 netmask 0xffffff00 broadcast 192.168.2.255
   inet6 fe80::20c:29ff:feaf:4f47%pcn1 prefixlen 64 scopeid 0x2

I read that creating a dhcp-range entry in /etc/dnsmasq.conf makes
dnsmasq start the dhcp service automatically, but alas DHCP server
apparently doesn't work: linux and windows clients can't grab IP
addresses and other IP information, and netstat doesn't show anything
listening on port 67/68.

# ps -aux | grep dns
nobody   16166  0.0  0.3   520   648 ??  S     12:58PM    0:00.00 dnsmasq

# netstat -an | grep tcp | grep -v tcp6
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
tcp        0      0  192.168.2.11.53        *.*                    LISTEN
tcp        0      0  127.0.0.1.6010         *.*                    LISTEN
tcp        0      0  192.168.2.11.22        192.168.2.1.48605      ESTABLISHED
tcp        0      0  *.22                   *.*                    LISTEN


What am I missing?

Thank you everybody for your kind help.

Byee,
Manuel




Re: Annoying problem with dnsmasq

2007-02-15 Thread Jonathan Weiss

Markus Bergkvist wrote:

See release notes on Dnsmasq 2.35
http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=239661
OpenBSD-4.0 is due for release very soon and no version of dnsmasq 
prior to 2.35 will do DHCP on OpenBSD-4.0.


I'm working on an update of the port to 2.38

Jonathan



Re: Performance problems with bge under OpenBSD4.0/i386

2007-02-15 Thread Pete Vickers

Very Interesting.

On the switch I can set the port flow-control to on, off or  
desirable. The following is the blurb on those configuration options:



Gigabit Ethernet Flow Control Keyword Functions, Keywords : Function

receive on: The port uses flow control dictated by the neighbor port.

receive desired: The port uses flow control if the neighbor port uses  
it, and does not use flow control if the neighbor port does not use it.


receive off: The port does not use flow control, regardless of  
whether flow control is requested by the neighbor port.


send on: The port sends flow-control frames to the neighbor port.

send desired: The port sends flow-control frames to the neighbor port  
if the neighbor port asks to use flow control.


send off: The port does not send flow-control frames to the neighbor  
port.


However, irrespective of what I configure the port flow-control to on  
the switch (and then reboot the OpenBSD host, to be sure of correct  
interface initialisation) I cannot get ifconfig to report {tx|rx}pause.


Is this likely to be a driver problem, or is there some broken flash  
code on the bge NIC (which I could possibly update)?



/Pete

On 14. feb. 2007, at 22.42, Mark Kettenis wrote:


From: Pete Vickers [EMAIL PROTECTED]
Date: Wed, 14 Feb 2007 13:33:25 +0100

# ifconfig bge0
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:17:a4:45:f5:25
 groups: egress
 media: Ethernet autoselect (1000baseT full-duplex)
 status: active
 inet6 fe80::217:a4ff:fe45:f525%bge0 prefixlen 64 scopeid 0x1
 inet x.x.x.x netmask 0xffffff00 broadcast x.x.x.x


This suggests flow control has *not* been negotiated.  With msk(4), I
get:

borodin$ ifconfig msk0
msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:16:cb:a2:87:67
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)

status: active
inet6 fe80::216:cbff:fea2:8767%msk0 prefixlen 64 scopeid 0x1
inet 192.168.0.17 netmask 0xffffff00 broadcast 192.168.0.255




Re: iwi unknown authentication state 1

2007-02-15 Thread Mattieu Baptiste

On 1/31/07, Greg Thomas [EMAIL PROTECTED] wrote:

I'm getting random unknown authentication state 1 and device
timeout messages with the built-in card on my T40.



Hi all,

I have similar problems with the iwi driver on my T43. I have the message :
iwi0: XXX too many rates (count=13, last=108)

And sometimes :
iwi0: fatal firmware error
and
iwi0: unknown authentication state 1

If I unplug the network cable, the trunk0 interface doesn't work
anymore (it doesn't switch to iwi). I like to have a trunk device with
bge and iwi as failover, but I saw the same without trunk.

The problem occurs with -current (not with 4.0).

Configuration details and dmesg follow :

[EMAIL PROTECTED]: ~ $ sudo ifconfig bge0 up
[EMAIL PROTECTED]: ~ $ sudo ifconfig iwi0 up nwid GOUTTEDELAINE chan 10
[EMAIL PROTECTED]: ~ $ sudo ifconfig trunk0 create
[EMAIL PROTECTED]: ~ $ sudo ifconfig trunk0 trunkproto failover trunkport
bge0 trunkport iwi0
[EMAIL PROTECTED]: ~ $ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   groups: lo
   inet 127.0.0.1 netmask 0xff000000
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:11:25:d3:54:2c
   trunk: trunkdev trunk0
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::211:25ff:fed3:542c%bge0 prefixlen 64 scopeid 0x1
iwi0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:11:25:d3:54:2c
   trunk: trunkdev trunk0
   groups: wlan
   media: IEEE802.11 autoselect
   status: no network
   ieee80211: nwid GOUTTEDELAINE chan 10 100dBm
   inet6 fe80::212:f0ff:fedc:3d69%iwi0 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536
trunk0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:11:25:d3:54:2c
   trunk: trunkproto failover
   trunkport iwi0
   trunkport bge0 master,active
   groups: trunk
   media: Ethernet autoselect
   status: active
[EMAIL PROTECTED]: ~ $ sudo ifconfig -M iwi0
**
(the antenna light blinks)
**
[EMAIL PROTECTED]: ~ $ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   groups: lo
   inet 127.0.0.1 netmask 0xff000000
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:11:25:d3:54:2c
   trunk: trunkdev trunk0
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::211:25ff:fed3:542c%bge0 prefixlen 64 scopeid 0x1
iwi0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:11:25:d3:54:2c
   trunk: trunkdev trunk0
   groups: wlan
   media: IEEE802.11 autoselect
   status: active
   ieee80211: nwid GOUTTEDELAINE chan 10 bssid 00:09:5b:fe:0a:3a
87dB 100dBm
   inet6 fe80::212:f0ff:fedc:3d69%iwi0 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536
trunk0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:11:25:d3:54:2c
   trunk: trunkproto failover
   trunkport iwi0
   trunkport bge0 master,active
   groups: trunk
   media: Ethernet autoselect
   status: active
[EMAIL PROTECTED]: ~ $ sudo dhclient trunk0
DHCPREQUEST on trunk0 to 255.255.255.255 port 67
DHCPACK from 172.16.4.254
bound to 172.16.1.49 -- renewal in 86400 seconds.
**

OpenBSD 4.1-beta (GENERIC) #1371: Wed Feb 14 15:42:07 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.86GHz (GenuineIntel
686-class) 1.87 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
real mem  = 1072132096 (1047004K)
avail mem = 969854976 (947124K)
using 4256 buffers containing 53731328 bytes (52472K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 08/21/06, BIOS32 rev. 0 @
0xfd760, SMBIOS rev. 2.33 @ 0xe0010 (64 entries)
bios0: IBM 2668WEV
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6f0/0x910
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdeb0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #12 is the last bus
bios0: ROM list: 0xc0000/0x10000 0xd0000/0x1600 0xd1800/0x1000
0xdc000/0x4000! 0xe0000/0x10000
acpi at mainbus0 not configured
cpu0 at mainbus0
cpu0: Enhanced SpeedStep 1867 MHz (1308 mV): speeds: 1867, 1600, 1333,
1067, 800 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82915GM/PM/GMS Host rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82915PM/GM PCIE 

Re: SIP on OpenBSD

2007-02-15 Thread Daniel Polak

 Original message from pedro la peu at 14-2-2007 2:37

On Tuesday 13 February 2007 21:04, Stuart Henderson wrote:
  

Anyone with a phone... there are numerous companies gatewaying
PSTN<->SIP in and out and some doing PSTN<->H323 and a few doing
PSTN<->IAX 



And a choice of ISDN (basic, pri) - SIP gateways. Much easier.

I Googled a bit and found this:
http://www.patton.com/products/pe_products.asp?category=45

Looks good for a small office installation and avoids a few problems you 
might run into with PCI cards.
If I'm not mistaken you could use a Patton (or any other brand) VoIP 
gateway to connect to the physical phonelines and use Asterisk running 
on OpenBSD to talk to the VoIP gateway using SIP.

I might actually give that a try.

Daniel



Re: Virtualisation on OpenBSD?

2007-02-15 Thread Luca Corti
On Wed, 2007-01-24 at 10:47 -0600, L. V. Lammert wrote:
 Much better to wait on the Xen implementation, which is in the works.
 Possibly at the Hackathon?

Apart from the mercurial repository there is little information on the
status of the XEN effort. There's this bsdtalk interview

http://ropersonline.com/openbsd/xen/

in which Christoph Egger says he hopes to have OpenBSD XEN included in
4.1. This seems to be a rumor though, since I see no XEN related work in
the changelog. Also it is not clear if this refers just to DomU or to
Dom0 support too.

Does anyone have fresh news?

ciao

Luca



Re: iwi unknown authentication state 1

2007-02-15 Thread Jason Beaudoin
I'd like to say this is amusing..but it really isn't. I too receive the same
kernel messages from my iwi interface, though on a Dell Inspiron 8600.

The variety I see:

  iwi0: fatal firmware error
  iwi0: unknown authentication state 1

This is among one of the many reasons [EMAIL PROTECTED] should be taken out of
existence.


Cheers,

Jason



3.9 clamav package broken?

2007-02-15 Thread Peter
I have a 3.9 system running clamav and freshclam chroot and I wanted to 
update clamav from 0.88.4 to 0.88.7.  So I...

i) stopped the clamd and freshclam daemons
ii) removed clamav package with pkg_delete
iii) installed the newer clamav with pkg_add

I then used ldd to locate what I need to put in my $CHROOT for clamd.  I 
was missing libclamav.so.2.0 so I copied it into $CHROOT.  I started 
clamd fine after using ldconfig.  But I encountered trouble when doing 
the same for freshclam:

$ ldd /usr/local/bin/freshclam
/usr/local/bin/freshclam:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/local/bin/freshclam
        065c4000 265d9000 rlib 0    1   0      /usr/local/lib/libclamav.so.2.0   <===
        03e08000 23e12000 rlib 0    2   0      /usr/local/lib/libcurl.so.3.3
        09ee5000 29eed000 rlib 0    3   0      /usr/lib/libz.so.4.1
        0e0d8000 2e106000 rlib 0    3   0      /usr/lib/libcrypto.so.12.0
        07fe0000 27feb000 rlib 0    3   0      /usr/lib/libssl.so.10.0
        06782000 26788000 rlib 0    2   0      /usr/local/lib/libgmp.so.6.3
        09e54000 29e58000 rlib 0    2   0      /usr/local/lib/libbz2.so.10.3
        0a49b000 2a4a4000 rlib 0    1   0      /usr/lib/libpthread.so.6.2
        0fd6a000 2fd9b000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0cc84000 0cc84000 rtld 0    1   0      /usr/libexec/ld.so

When starting freshclam outside $CHROOT it works but it does not when 
starting it inside.  It asks for an outdated version of libclamav.so 
(1.9):

$ /usr/local/bin/freshclam -u root
ClamAV update process started at Thu Feb 15 17:52:28 2007
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88.7 Recommended version: 0.90
DON'T PANIC! Read http://www.clamav.net/faq.html
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: 
tkojm)
daily.cvd is up to date (version: 2578, sigs: 7844, f-level: 13, 
builder: sven)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 10, recommended = 13
DON'T PANIC! Read http://www.clamav.net/faq.html

# chroot -u amavisd /var/amavisd /usr/local/bin/freshclam -d
/usr/local/bin/freshclam: can't load library 'libclamav.so.1.19'

I used the same procedure on a 4.0 system with no such problem.

PM
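
An added helper for the procedure Peter describes (this script is not from the post or from the ClamAV project): it reads `ldd` output, pulls out the shared-library paths, and reports which of them are absent under a chroot directory. It parses both the OpenBSD column format shown above (path in the last field) and the GNU `lib => /path (addr)` format. It also includes a check that the binary inside the chroot is byte-identical to the one outside, because `chroot(8)` runs the copy inside, and a copy left over from an earlier package can be linked against a different library version than the freshly installed binary outside. The sample `ldd` text is constructed from the listing above and trimmed to a few lines.

```sh
#!/bin/sh
# Added example, not from the post. Lists shared libraries a dynamically
# linked binary needs and reports which are missing from a chroot.

# parse_ldd_libs: read ldd output on stdin, print one absolute .so path per
# line. Works for OpenBSD ldd (path is the last column) and GNU ldd
# ("libc.so.6 => /lib/libc.so.6 (0x...)") alike; the binary itself and any
# line not starting with "/" are skipped.
parse_ldd_libs() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\/.*\.so(\.[0-9]+)*$/) print $i
    }'
}

# missing_in_chroot CHROOT: read library paths on stdin and print those that
# do not exist at the same path below CHROOT.
missing_in_chroot() {
    chroot_dir=$1
    while IFS= read -r lib; do
        [ -e "$chroot_dir$lib" ] || printf '%s\n' "$lib"
    done
}

# chroot_binary_differs CHROOT BIN: succeeds (exit 0) when the copy of BIN
# inside CHROOT is missing or differs from BIN outside it. The inside copy is
# the one that actually runs under chroot(8), so it must be the updated one.
chroot_binary_differs() {
    ! cmp -s "$2" "$1$2"
}

# Constructed sample in OpenBSD ldd column format, trimmed from the listing
# in the post (the hypothetical host would run "ldd /usr/local/bin/freshclam").
SAMPLE_LDD='/usr/local/bin/freshclam:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/local/bin/freshclam
        065c4000 265d9000 rlib 0    1   0      /usr/local/lib/libclamav.so.2.0
        0fd6a000 2fd9b000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0cc84000 0cc84000 rtld 0    1   0      /usr/libexec/ld.so'

# report_sample_missing CHROOT: libraries from the sample missing under CHROOT.
report_sample_missing() {
    printf '%s\n' "$SAMPLE_LDD" | parse_ldd_libs | missing_in_chroot "$1"
}

# On a real host the same pipeline is fed by ldd directly, e.g. (assumed
# paths from the post):
#   ldd /usr/local/bin/freshclam | parse_ldd_libs | missing_in_chroot /var/amavisd
#   chroot_binary_differs /var/amavisd /usr/local/bin/freshclam && echo "stale copy"
```

Run the first pipeline after every package upgrade, copy whatever it lists into the chroot (and rerun `ldconfig` there if the chroot has its own hints file), and treat a "stale copy" result from the second check as the first thing to fix: an error naming a library version that the outside binary does not link against, such as `libclamav.so.1.19` here while `ldd` outside shows `libclamav.so.2.0`, is consistent with the binary inside the chroot being a different build than the one outside.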



Re: SIP on OpenBSD

2007-02-15 Thread Daniel Ouellet

I keep seeing the subject coming up.

Yes, a complete OpenBSD solution would be nice.

However only two persons offer some possible financial help to make this 
happen, but nothing concrete.


In any case, I put the wheel in motion to replace a commercial solution 
my business uses, and I will do what I need to replace it. How long will 
it take, well...


Time is not endless, free will is goodwill only and in limited 
resources, and money doesn't grow on trees either.


So, maybe your $$$ help can speed things up more. But real good talent 
for writing it properly is very rare, but welcome possibly.


So, feel free to contact me, but $$$ is really what's needed most in the 
end to speed up the progress and to get this off the ground to give it a 
life of its own sooner than later.


Thanks

Daniel

PS: Disclaimer. Selfish needs prompt me to move ahead regardless.

PS2: I put many references in the archive and on undeadly below.

http://www.undeadly.org/cgi?action=article&sid=20061014164008&pid=4

http://marc.theaimsgroup.com/?l=openbsd-misc&m=116362964024853&w=2

http://marc.theaimsgroup.com/?l=openbsd-misc&m=114454900209160&w=2

http://marc.theaimsgroup.com/?l=openbsd-misc&m=115092509307247&w=2

http://marc.theaimsgroup.com/?l=openbsd-misc&m=111506559314832&w=2



site hosting on 2 internet connections

2007-02-15 Thread Jacob Yocom-Piatt
just got a 2nd connection with a better upload capacity and would like 
to use both connections to host a site i run. everything is currently 
served over a single connection that supplies netblock a.b.c.d/29 and 
terminates at the firewall.


i plan on connecting the 2nd connection that supplies netblock 
w.x.y.z/29 to the same firewall and, unless someone can point me towards 
a better option, changing the DNS for the site to point to an IP in the 
new netblock. if there are any gotchas about such a setup, please 
point me towards the relevant docs.


i've read about using the route-to to balance outbound connections in 
the pf address pools docs, but i don't see this being immediately 
helpful for hosting purposes since the inbound connections should come 
in on both netblocks in the case that the load is spread over the two 
connections.


cheers,
jake

--



squid , apache n PF

2007-02-15 Thread sonjaya

Dear all

I have a machine running squid and apache on OBSD, also set up as a
transparent proxy with pf.
Now I have to limit who can use that proxy (of course limited by ip in squid conf).
The problem shows up when an ip that is not allowed to access the proxy accesses
the webserver on that proxy machine: it always gets denied.

int---proxy (192.168.0.8)-ip allow
int---proxy(192.168.0.7)-ip allow2

ipallow2 using gateway = 192.168.0.7
ipallow using gateway = 192.168.0.8

here my squid.conf
acl parno url_regex -i /usr/local/squid/etc/parno.txt
acl ipallow src /usr/local/squid/etc/ip-allow.txt
http_access deny parno
http_access allow  ipallow
http_access deny  all


then i change squid.conf  like this :
acl ipallow2 src /usr/local/squid/etc/ip-allow2.txt
acl parno url_regex -i /usr/local/squid/etc/parno.txt
acl ipallow src /usr/local/squid/etc/ip-allow.txt
http_access allow ipallow2
http_access deny parno
http_access allow  ipallow
http_access deny  all

With the second squid.conf that is working, but another problem shows up:
when ipallow2 changes its ip gateway to 192.168.0.8 they can access the
internet through the proxy on 192.168.0.8.

So how do I configure it so ipallow2 can access the webserver on 192.168.0.8
without allowing ipallow2 to use the proxy when they change the gateway to
192.168.0.8?


-sonjaya-
http://sicute.blogspot.com



Re: site hosting on 2 internet connections

2007-02-15 Thread Daniel Ouellet

Jacob Yocom-Piatt wrote:
i've read about using the route-to to balance outbound connections in 
the pf address pools docs, but i don't see this being immediately 
helpful for hosting purposes since the inbound connections should come 
in on both netblocks in the case that the load is spread over the two 
connections.


And why not. The outgoing is not relevant to your incoming. You request 
a URL that is pretty small in size, but your reply is the one that has 
all the content. Yes, you can do round robin for incoming, or use the 
most reliable one for incoming, etc. But you are concerned about sending 
your traffic out from the hosting site and that's your load right there. 
Send it the way you see fit on your connection. Doesn't matter the path 
it takes to reach back the end users. Then balance your connections with 
PF the way you see fit.


There is nothing wrong with that. Use your most reliable for incoming, 
and split the outgoing on both.


Daniel
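
The gotcha Jake asked about, as an added example that is not part of the thread and goes a little beyond Daniel's reply: with two upstream links on one firewall, a reply to a connection that arrived on the second link must leave through the second link's gateway, not the default route, or the remote side sees packets coming from the wrong path and the connection stalls. PF's `reply-to` records the inbound interface and gateway in the state for that purpose, and `route-to` with an address pool spreads outbound connections, as in the address pools document he mentions. Interface names, gateway addresses and the internal web server address are assumed; `a.b.c.d` and `w.x.y.z` are the placeholders from the original post and must be replaced with real addresses before loading.

```pf
# Added example, not from the thread. Names and addresses are assumed.
ext_if1 = "fxp0"          # link carrying a.b.c.d/29 (assumed name)
ext_gw1 = "a.b.c.1"       # that link's upstream gateway (placeholder)
ext_if2 = "fxp1"          # link carrying w.x.y.z/29 (assumed name)
ext_gw2 = "w.x.y.1"       # that link's upstream gateway (placeholder)
int_if  = "fxp2"          # LAN side (assumed name)
web_srv = "10.0.0.80"     # web server behind the firewall (assumed)
site1   = "a.b.c.d"       # public address of the site on link 1 (placeholder)
site2   = "w.x.y.z"       # public address of the site on link 2 (placeholder)

# Inbound: DNS may hand out either public address, so the site is reachable
# on both links and each one is redirected to the same internal server.
rdr on $ext_if1 proto tcp from any to $site1 port 80 -> $web_srv
rdr on $ext_if2 proto tcp from any to $site2 port 80 -> $web_srv

block log all

# reply-to ties the state to the link the SYN arrived on: the SYN/ACK and
# every later reply packet are sent out that interface to that gateway,
# regardless of which link holds the default route. The pass rule sees the
# destination after rdr, hence $web_srv.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $web_srv port 80 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $web_srv port 80 flags S/SA keep state
pass out on $int_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state

# Outbound from the LAN: translate to whichever link the packet leaves on,
# and pick the link per connection with route-to round-robin. Each state
# remembers its gateway, so a connection never straddles both links.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin proto tcp from $int_if:network to any flags S/SA keep state
pass out on { $ext_if1 $ext_if2 } proto tcp from any to any \
    flags S/SA keep state
```

If only one link is to be used for inbound traffic, as Daniel suggests, drop the second `rdr` and its `pass in ... reply-to` rule and point DNS only at the address on the reliable link; the `route-to` pool for outbound traffic is unaffected. Check with `pfctl -nf` before loading, and confirm with `pfctl -vvss` that states created on `$ext_if2` show that link's gateway.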



OpenBSD Wireless Router and Nintendo DS

2007-02-15 Thread Brian
I'm having trouble connecting to my OpenBSD wireless router with my
Nintendo DS handheld.  Here is some general information about my setup.

uname -a:
OpenBSD lordnikon.thehomerow.net 4.0 GENERIC#1107 i386

ifconfig ral0: 
ral0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:30:4f:4c:0c:9b
media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
status: active
ieee80211: nwid Mother2 chan 2 bssid 00:30:4f:4c:0c:9b nwkey not
displayed 100dBm
inet6 fe80::230:4fff:fe4c:c9b%ral0 prefixlen 64 scopeid 0x2
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255

The DS is giving me an Error Code: 51300 message when it tries to test
the connection.  I've found some forums that mention this might be a
problem with the DS not gracefully dropping to the 1-2 Mbps connection
rate that it requires (for some odd reason).

The available media options for ral0 to set 1 or 2 Mbps connection rates
are DS1 and DS2.  I've tried all combinations of these media options, no
mode setting, and mode 11b.  I tried 11b because there were also some
mentions of the DS not dropping to an 11b connection if 11g is present
too.

I've also tried specifying different channels for the wireless card.  I
tried 1, 11, and 12 with no success.

It was suggested that I put the wireless card into mixed mode, but I'm not
exactly sure if there's a way to specify this, or whether this is what no mode
setting defaults to on a card that is capable of both 11b and 11g.

If anyone has any ideas, I would really appreciate it.  I've posted this
problem on two different forums and still haven't been able to solve it.
Thanks!

-Brian

Figured I'd attach my dmesg for good measure...

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Sempron(tm) Processor 2500+ (AuthenticAMD 686-class, 256KB
L2 cache) 1.41 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
real mem  = 468938752 (457948K)
avail mem = 419680256 (409844K)
using 4256 buffers containing 23547904 bytes (22996K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/12/05, BIOS32 rev. 0 @
0xf0010, SMBIOS rev. 2.3 @ 0xf0530 (54 entries)
bios0: ASUSTeK Computer Inc. K8V-MX
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf58b0/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8200 0xc8800/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA K8M800 Host rev 0x00
pchb1 at pci0 dev 0 function 1 VIA K8M800 Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA K8M800 Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA K8M800 Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA K8M800 Host rev 0x00
pchb5 at pci0 dev 0 function 7 VIA K8M800 Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 VIA S3 Unichrome PRO IGP rev 0x01:
aperture at 0xf400, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 11 function 0 Intel 8255x rev 0x08, i82559: irq 11,
address 00:02:b3:1d:32:81
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ral0 at pci0 dev 13 function 0 Ralink RT2661 rev 0x00: irq 5, address
00:30:4f:4c:0c:9b
ral0: MAC/BBP RT2661B, RF RT2529 (MIMO XR)
pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA
pciide0: using irq 10 for native-PCI interrupt
pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: ATA133,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide1 channel 0 drive 0: WDC WD800JB-00JJA0
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide1 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LITE-ON, COMBO SOHC-5236V, R$06 SCSI0
5/cdrom removable
cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: irq 10
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 VIA VT83C572 USB rev 0x81: irq 10
usb3 at uhci3: USB revision 1.0
uhub3 at usb3

FuzzyOCR on OpenBSD?

2007-02-15 Thread Peter
I'm looking for guidance in installing the FuzzyOCR SA plugin on OpenBSD 4.0.  
Has anyone done this?

Thanks in advance,

PM