Re: pf tag/tagging and packages from localhost
On Mon, Feb 25, 2008 at 03:25:24PM +1100, Darren Spiteri wrote:
| That's an interesting and subtle use of PF tags, pity it's not in the PF doco.

PF is not limited by what's in the documentation. It's just a tool and it's limited by your creative use of it. You can not expect all possible uses of the tools you use to be described in the docs, since some people think of really clever and creative ways to use it.

The cool part is - you get to tap the knowledge of a part of the userbase by sending mail to misc@ if you don't know how to solve a problem. Someone may think of some cool solution that not even the developers thought of when they created the tool.

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
http://www.weirdnet.nl/
Re: anoncvs asking for password
On Sun, 24 Feb 2008 14:18:15 -0500 Chris Smith [EMAIL PROTECTED] wrote:

On Sunday 24 February 2008, Constantine A. Murenin wrote:
anoncvs.ca.openbsd.org is being rebuilt, and currently asks for password.

Also tried anoncvs1.usa.openbsd.org and anoncvs1.ca.openbsd.org (which apparently is the same host as anoncvs.ca.openbsd.org). Looks like waiting is the right idea.

-- 
Chris

Might this have something to do with it?

Begin forwarded message:

Date: Sun, 24 Feb 2008 01:34:51 -0700
From: Theo de Raadt [EMAIL PROTECTED]
To: Rumen Yotov [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: anoncvs.ca.openbsd.org - RSA host key has just been changed

Anybody knows if the key really changed or not ? The fingerprint for the RSA key sent by the remote host is e0:9d:c4:c0:31:7d:84:ec:67:9c:a3:7a:70:54:eb:20.

It did change. The machine was reinstalled from scratch, in fact.
Re: Watching the progress of dd if=drive1 of=drive2
On Feb 23 12:15:21, Jon wrote:
I'm using dd to clone a drive. How can I watch the progress of this or see the transfer rate in real time?

You can use 'fstat -o' on the device file.

Jan
Re: changing bash prompt escape sequences
On Feb 23 21:29:57, Jay Hart wrote:
I use bash as my shell. I'm trying to set the bash prompt to display:

    ttyC1 [EMAIL PROTECTED]

I've created a .bashrc in the users home directory (in this case root), and used the following line:

    PS1=\l [EMAIL PROTECTED] #

When I login as root, or any other user for that matter, the default prompt is:

    -bash-3.2#

the only way so far that I found to change the prompt is to type 'bash' at the prompt after login. This is ok, but I know that this should work the first time I login, without having to issue a standalone command.

Read man bash again and pay extra attention to the INVOCATION section.

    When an interactive shell that is not a login shell is started, bash reads and executes commands from ~/.bashrc, if that file exists. This may be inhibited by using the --norc option. The --rcfile file option will force bash to read and execute commands from file instead of ~/.bashrc.

See? An interactive shell that is not a login shell. The first shell is not the case, the second is.

I've come to the conclusion that I need to modify another file within the /etc directory, but what?

You don't need to change anything under /etc to make a modification for one given user.

(BTW, you are not changing bash prompt escape sequences but changing the bash prompt string.)

Jan
Re: pf tag/tagging and packages from localhost
On 2/25/08, Paul de Weerd [EMAIL PROTECTED] wrote:
On Mon, Feb 25, 2008 at 03:25:24PM +1100, Darren Spiteri wrote:
| That's an interesting and subtle use of PF tags, pity it's not in the PF doco.

PF is not limited by what's in the documentation. It's just a tool and it's limited by your creative use of it. You can not expect all possible uses of the tools you use to be described in the docs, since some people think of really clever and creative ways to use it.

Well I'm seeing some hints towards the many and varied uses of PF tags, but what are they?
Re: pf tag/tagging and packages from localhost
I tried it without success. I guess the user feature is for something different. A quote from pf.conf(5):

    This rule only applies to packets of sockets owned by the specified user. For outgoing connections initiated from the firewall, this is the user that opened the connection. For incoming connections to the firewall itself, this is the user that listens on the destination port.

My interpretation of this is that if I use your example policy:

    pass in inet proto tcp from any to any port 80 \
        user FacilityDaemonID tag MYTAG \
        keep state

that it means that all incoming traffic to user FacilityDaemonID would be tagged with MYTAG. _But_ it wouldn't tag packets outgoing from the local user FacilityDaemonID.

Nevertheless I really like this feature (thanks for the hint) and I use policies like this one:

    pass out quick on $ext_if inet proto udp from ($ext_if) \
        to any port domain user root keep state

This policy should only pass packets from localhost which I wanted to achieve. My other RDR/NAT/DMZ forwarding and whatever rules don't get touched by this rule.

Best regards
Stefan

On Sun, 2008-02-24 at 12:18 -0500, scott wrote:
RE: LOCAL HOSTS DON'T...

You can use the user or group criteria to identify the facility/service (daemon) and tag their packets accordingly.

#
pass in inet proto tcp from any to any port 80 \
    user FacilityDaemonID tag MYTAG \
    keep state
...
pass out ... tagged MYTAG
#

You may be able to further refine the any/any criteria.

-Original Message-
From: Stefan Schulze Frielinghaus [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: pf tag/tagging and packages from localhost
Date: Sat, 23 Feb 2008 19:59:54 +0100
Mailer: Evolution 2.12.3 (2.12.3-1.fc8)
Delivered-To: [EMAIL PROTECTED]

But that rule makes me a headache. I can't use tagged (or at least I don't know how to do it) because packets from localhost don't run through an input chain and I can't tag them.
Monitoring Battery...
Hello, Is there any way to monitor the charge left on the battery of a laptop? Like how much percentage of the battery charge is left to allow us to estimate how long it will work without connecting to a wall socket? I googled for monitoring battery openbsd but got nothing satisfactory. Best, ~Mayuresh
Re: Monitoring Battery...
On Mon, 25 Feb 2008, Mayuresh Kathe wrote: I googled for monitoring battery openbsd but got nothing satisfactory. apm(8) -- Antoine
Re: Monitoring Battery...
On Mon, 25 Feb 2008 13:08:10 +0100, Mayuresh Kathe [EMAIL PROTECTED] wrote:
Is there any way to monitor the charge left on the battery of a laptop? Like how much percentage of the battery charge is left to allow us to estimate how long it will work without connecting to a wall socket? I googled for monitoring battery openbsd but got nothing satisfactory.

    $ apropos power|grep '(8)'
    apm (8) - Advanced Power Management control program
    apmd (8) - Advanced Power Management monitor daemon

-- 
Boudewijn Dijkstra
Indes - IDS B.V.
+31 345 545 535
Re: Monitoring Battery...
On Mon, Feb 25, 2008 at 5:45 PM, Antoine Jacoutot [EMAIL PROTECTED] wrote:
On Mon, 25 Feb 2008, Mayuresh Kathe wrote:
I googled for monitoring battery openbsd but got nothing satisfactory.

apm(8)

Thanks for that Antoine. I tried 'apm -b' to get the battery status, but it showed 255, which is 'unknown', is it because my laptop isn't properly supported? Is there anything I could do to help developers support it better?

Best,
~Mayuresh
Re: Monitoring Battery...
On Mon, Feb 25, 2008 at 1:22 PM, Mayuresh Kathe [EMAIL PROTECTED] wrote:
On Mon, Feb 25, 2008 at 5:45 PM, Antoine Jacoutot [EMAIL PROTECTED] wrote:
On Mon, 25 Feb 2008, Mayuresh Kathe wrote:
I googled for monitoring battery openbsd but got nothing satisfactory.

apm(8)

Thanks for that Antoine. I tried 'apm -b' to get the battery status, but it showed 255, which is 'unknown', is it because my laptop isn't properly supported? Is there anything I could do to help developers support it better?

Best,
~Mayuresh

If it's a non-apm laptop you can check it via acpi. Use sysctl and check the hw section. There it was how many volts left.

BR
Dunceor
Re: Monitoring Battery...
On Mon, 25 Feb 2008 13:22:24 +0100, Mayuresh Kathe [EMAIL PROTECTED] wrote:
On Mon, Feb 25, 2008 at 5:45 PM, Antoine Jacoutot [EMAIL PROTECTED] wrote:
On Mon, 25 Feb 2008, Mayuresh Kathe wrote:
I googled for monitoring battery openbsd but got nothing satisfactory.

apm(8)

I tried 'apm -b' to get the battery status, but it showed 255, which is 'unknown', is it because my laptop isn't properly supported?

    $ if [ "`dmesg|grep apm`" ];then echo No.;else echo Yes.;fi

-- 
Boudewijn Dijkstra
Indes - IDS B.V.
+31 345 545 535
Re: Monitoring Battery...
On Mon, Feb 25, 2008 at 6:25 PM, Karl Sjodahl - dunceor [EMAIL PROTECTED] wrote:
On Mon, Feb 25, 2008 at 1:22 PM, Mayuresh Kathe [EMAIL PROTECTED] wrote:
On Mon, Feb 25, 2008 at 5:45 PM, Antoine Jacoutot [EMAIL PROTECTED] wrote:
On Mon, 25 Feb 2008, Mayuresh Kathe wrote:
I googled for monitoring battery openbsd but got nothing satisfactory.

apm(8)

Thanks for that Antoine. I tried 'apm -b' to get the battery status, but it showed 255, which is 'unknown', is it because my laptop isn't properly supported? Is there anything I could do to help developers support it better?

Best,
~Mayuresh

If its an non-apm laptop you can check it via acpi. Use sysctl and check the hw section. There it was how many volts left.

How do I check whether its a non-apm laptop? It's a ThinkPad R61i, dmesg below;
Re: More questions on building a release with a read only source tree
* Don Jackson [EMAIL PROTECTED] [2008-02-24 23:27:31]:

The FAQ describes two ways to build the kernel ( http://www.openbsd.org/faq/faq5.html#BldKernel ),

    # cd /usr/src/sys/arch/i386/conf
    # config GENERIC
    # cd ../compile/GENERIC
    # make clean && make depend && make

or

Variation on above process: Read-only source tree

Sometimes, you may wish to ensure your /usr/src/sys directory remains untouched. This can be done by using the following process:

    $ cd /somewhere
    $ cp /usr/src/sys/arch/i386/conf/GENERIC .
    $ config -s /usr/src/sys -b . GENERIC
    $ make clean && make depend && make

I would like make release to use the read only source tree variant above, how can I accomplish this?

Right now, I see make release do:

    cd /home/4.2/src/etc/../sys/arch/amd64/conf && config GENERIC

Which is going to attempt to build the GENERIC kernel right there in my source tree.

Also, I am having some other weird problem, due to the following logic in the Makefile.amd64 which contains:

    # source tree is located via $S relative to the compilation directory
    .ifndef S
    S!= cd ../../../..; pwd
    .endif
    AMD64= $S/arch/amd64

For some reason the above is setting my AMD64 to some weird path that is not correct on my system, namely:

    cd /home/4.2/src/etc/../sys/arch/amd64/conf && config GENERIC
    GENERIC:13: cannot open ../../../../arch/amd64/conf/files.amd64 for reading: No such file or directory
    *** Error code 1

    Stop in /home/4.2/src/etc (line 11 of etc.amd64/Makefile.inc).

What is the point of the above, and how can I get the path correct for this build?

Thanks,
Don

Why on earth are you bothering with this? Please don't tell me it's for security, because that would be inane.

-- 
Travers Buda
Re: Monitoring Battery...
Mayuresh Kathe [EMAIL PROTECTED] writes:
How do I check whether its a non-apm laptop? It's a ThinkPad R61i, dmesg below;

in that case, sysctl hw should give something like

    [EMAIL PROTECTED]:~$ sysctl hw
    hw.machine=i386
    hw.model=Genuine Intel(R) CPU T2400 @ 1.83GHz (GenuineIntel 686-class)
    hw.ncpu=2
    hw.byteorder=1234
    hw.pagesize=4096
    hw.disknames=cd0,sd0
    hw.diskcount=2
    hw.sensors.acpitz0.temp0=51.05 degC (zone temperature)
    hw.sensors.acpitz1.temp0=51.05 degC (zone temperature)
    hw.sensors.acpibat0.volt0=10.80 VDC (voltage)
    hw.sensors.acpibat0.volt1=11.49 VDC (current voltage)
    hw.sensors.acpibat0.watthour0=30.11 Wh (last full capacity)
    hw.sensors.acpibat0.watthour1=1.50 Wh (warning capacity)
    hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
    hw.sensors.acpibat0.watthour3=28.96 Wh (remaining capacity), OK
    hw.sensors.acpibat0.raw0=1 (battery discharging), OK
    hw.sensors.acpibat0.raw1=23985 (rate)
    hw.sensors.acpiac0.indicator0=Off (power supply)
    hw.sensors.cpu0.temp0=51.00 degC
    hw.sensors.aps0.temp0=38.00 degC
    hw.sensors.aps0.temp1=38.00 degC
    hw.sensors.aps0.indicator0=On (Keyboard Active)
    hw.sensors.aps0.indicator1=Off (Mouse Active)
    hw.sensors.aps0.indicator2=On (Lid Open)
    hw.sensors.aps0.raw0=512 (X_ACCEL)
    hw.sensors.aps0.raw1=503 (Y_ACCEL)
    hw.sensors.aps0.raw2=512 (X_VAR)
    hw.sensors.aps0.raw3=503 (Y_VAR)
    hw.cpuspeed=1829
    hw.setperf=100
    hw.vendor=LENOVO
    hw.product=946154G
    hw.version=ThinkPad R60
    hw.serialno=L3B0887
    hw.uuid=4e92a801-48ac-11cb-8704-ef6f55e83b86
    hw.physmem=2145808384
    hw.usermem=2145800192

notice the hw.sensors.acpibat0.* values. I haven't really looked for anything that shows those values live or in a graphical form, but that doesn't mean it doesn't exist or could not be easily ported from $elsewhere.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
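The following is an added example, not part of the original message: a shell function that turns the hw.sensors.acpibat0 lines shown above into a charge percentage and a level (ok, warning, low). The function names are made up for this illustration, and the embedded sample is a subset of the output quoted above.

```shell
#!/bin/sh
# battery_status: read "sysctl hw"-style lines on stdin and print
# "<percent>% <level>", where percent is remaining capacity relative to the
# last full capacity and level is ok, warning or low.
# Sensors are picked by their description text rather than by the watthourN
# index, because the numbering is only known from one machine's output.
# Prints "unknown" and returns 1 if the needed values are missing.
battery_status() {
    awk -F= '
        /^hw\.sensors\.acpibat0\.watthour[0-9]+=/ {
            split($2, f, " ")          # f[1] is the number, f[2] the unit
            if      ($2 ~ /[(]last full capacity[)]/) full = f[1]
            else if ($2 ~ /[(]remaining capacity[)]/) left = f[1]
            else if ($2 ~ /[(]warning capacity[)]/)   warn = f[1]
            else if ($2 ~ /[(]low capacity[)]/)       low  = f[1]
        }
        END {
            if (full == "" || left == "" || full + 0 <= 0) {
                print "unknown"
                exit 1
            }
            level = "ok"
            if (warn != "" && left + 0 <= warn + 0) level = "warning"
            if (low  != "" && left + 0 <= low  + 0) level = "low"
            printf "%d%% %s\n", int(left / full * 100 + 0.5), level
        }'
}

# Sample input: a subset of the sysctl output quoted in the message above.
sample_sysctl() {
    cat <<'EOF'
hw.sensors.acpibat0.volt0=10.80 VDC (voltage)
hw.sensors.acpibat0.volt1=11.49 VDC (current voltage)
hw.sensors.acpibat0.watthour0=30.11 Wh (last full capacity)
hw.sensors.acpibat0.watthour1=1.50 Wh (warning capacity)
hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
hw.sensors.acpibat0.watthour3=28.96 Wh (remaining capacity), OK
hw.sensors.acpiac0.indicator0=Off (power supply)
EOF
}

# On a live system the input would come from: sysctl hw | battery_status
sample_sysctl | battery_status
```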
The Insecurity output - improving the SNR
I have a couple of questions about the daily insecurity output.

I have an anoncvs server, and as detailed in the docs, I set it up without a password. Every day, I get an email telling me:

    Checking the /etc/master.passwd file:
    Login anoncvs has no password.

This is of course correct operation, and I appreciate the strong and valid argument that it is a good thing that I am told this. Certainly I would want to know if there were any other accounts with no password. However, as this is the only output from the security checks, it means that if I could block the output for the null-password check, for just this one account, then I would not normally get an insecurity report. This would mean that when I *did* get an insecurity report, it would mean that some other issue had arisen, and I should pay attention.

As such, I ask is there a correct way to tell the system, for this one account, yes, I know, I'm okay with that, so that it will only email me if some other issue arises. If not, I will prefer to just keep having to read the same email every day, rather than reduce safety in some way.

My other question is very similar. On a different server, every day I get a similar message:

    Checking the /etc/master.passwd file:
    Login si1entdave is off but still has a valid shell and alternate access files in home directory are still readable.

Again, this is correct operation, and the system is as I would wish it. I have used vipw to stick a ! in my password hash field, so that the only ssh-enabled account can only be accessed using an ssh key, for better security. Once again, I would like to be able to specify in some way that yes, I know, only bother me when something I actually care about happens. As a workaround, is there a string I can put in the hash field that looks like a password hash, but cannot match any password?

In both these things, I am looking to improve the Signal-to-Noise ratio of these emails, but I would rather keep the Noise than risk losing some Signal :-)

Ta all,
Si1entDave
Re: The Insecurity output - improving the SNR
Eep! it appears my mail client stopped wrapping part-way through my message. Apologies. SD
man dhcpd.interfaces ?
Hi

I have some problems with my dhcp server, and am trying to debug the setup. I would like to have a subnet on each interface and therefore dhcpd to span both interfaces. For that purpose I use /etc/dhcpd.interfaces where I have: vr0 vr1

But I can't find a man page on this file so I can't see if it makes a difference whether I write: vr0 vr1 or vr0 vr1

So my question is: Is there a difference ? Is it just me who can't find documentation on this ?

BTW: I use openbsd 4.2 ;)

Kind regards:
Kasper Revsbech
Re: changing bash prompt escape sequences
Jay Hart wrote:
I use bash as my shell. I'm trying to set the bash prompt to display:

    ttyC1 [EMAIL PROTECTED]

I've created a .bashrc in the users home directory (in this case root), and used the following line:

    PS1=\l [EMAIL PROTECTED] #

When I login as root, or any other user for that matter, the default prompt is:

    -bash-3.2#

the only way so far that I found to change the prompt is to type 'bash' at the prompt after login. This is ok, but I know that this should work the first time I login, without having to issue a standalone command.

I've come to the conclusion that I need to modify another file within the /etc directory, but what?

TIA,
Jay

I use the following /etc/profile that will provide a prompt for various shells. Also set some nice variables:

    export MANPAGER=/usr/bin/less
    export SVN_EDITOR=/usr/local/bin/emacs
    export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/;
    if [ $SHELL = /bin/pdksh ]; then
        PS1='! $ '
    elif [ $SHELL = /bin/ksh ]; then
        PS1='[EMAIL PROTECTED]:\w\$ '
    elif [ $SHELL = /bin/zsh ]; then
        PS1='[EMAIL PROTECTED]:%~%# '
    elif [ $SHELL = /bin/ash ]; then
        PS1='$ '
    else
        PS1='[EMAIL PROTECTED]:\w\$ '
    fi

I used to change the root shell to bash in the past. This isn't as good as it sounds. I run into problems when upgrading. I prefer to create a normal user with sudo privileges and this user having bash as shell. This is much better.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: man dhcpd.interfaces ?
On 2008-02-25, Kasper Revsbech [EMAIL PROTECTED] wrote:
I would like to have a subnet on each interface and therefore dhcpd to span both interfaces. For that purpose I use /etc/dhcpd.interfaces where i have: vr0 vr1

But i can't find a man page on this file so I can't see if it make a difference whether I write: vr0 vr1 or vr0 vr1

So my question is: Is there a difference ?

No. And if you want dhcpd to run on every interface, you can just remove this file or leave it blank.

Is it just me who can't find documentation on this ?

It's mentioned in dhcp(8).

What's logged? What's in /etc/dhcpd.conf?
Re: The Insecurity output - improving the SNR
Richard Wilson wrote:
I have a couple of questions about the daily insecurity output.

I have an anoncvs server, and as detailed in the docs, I set it up without a password. Every day, I get an email telling me:

    Checking the /etc/master.passwd file:
    Login anoncvs has no password.

This is of course correct operation, and I appreciate the strong and valid argument that it is a good thing that I am told this. Certainly I would want to know if there were any other accounts with no password. However, as this is the only output from the security checks, it means that if I could block the output for the null-password check, for just this one account, then I would not normally get an insecurity report. This would mean that when I *did* get an insecurity report, it would mean that some other issue had arisen, and I should pay attention.

As such, I ask is there a correct way to tell the system, for this one account, yes, I know, I'm okay with that, so that it will only email me if some other issue arises. If not, I will prefer to just keep having to read the same email every day, rather than reduce safety in some way.

My other question is very similar. On a different server, every day I get a similar message:

    Checking the /etc/master.passwd file:
    Login si1entdave is off but still has a valid shell and alternate access files in home directory are still readable.

Again, this is correct operation, and the system is as I would wish it. I have used vipw to stick a ! in my password hash field, so that the only ssh-enabled account can only be accessed using an ssh key, for better security. Once again, I would like to be able to specify in some way that yes, I know, only bother me when something I actually care about happens. As a workaround, is there a string I can put in the hash field that looks like a password hash, but cannot match any password?

In both these things, I am looking to improve the Signal-to-Noise ratio of these emails, but I would rather keep the Noise than risk losing some Signal :-)

Ta all,
Si1entDave

First, you may edit the daily script (it's just a script) to accomplish what you are wanting. Secondly, to make an ssh user only able to log in with a key, and not with a password, you have several options. One is to disable password authentication completely, with the PasswordAuthentication no in the sshd_config, or you could use the Match directive to disable it only for a user, group, host, etc.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
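An added example, not part of the thread and not OpenBSD's own code: instead of editing the daily script as suggested above, this shell function filters the finished report against a list of acknowledged findings, so the checks themselves stay unmodified. It assumes the report layout seen in the quoted mail (a "Checking ...:" header followed by one finding per line); the function names and the testuser account are constructed for illustration.

```shell
#!/bin/sh
# Post-filter for the daily insecurity mail: suppress findings an admin has
# explicitly acknowledged and keep everything else.

# filter_insecurity ALLOWLIST < report
#   ALLOWLIST holds one acknowledged finding per line. A finding is dropped
#   only on an exact whole-line match, so acknowledging
#   "Login anoncvs has no password." does not hide the same finding for any
#   other account. A header is printed only if a finding under it survives.
#   If ALLOWLIST cannot be read, nothing is suppressed.
filter_insecurity() {
    awk -v allow="$1" '
        BEGIN {
            while ((getline line < allow) > 0)
                if (line != "") ok[line] = 1
        }
        /^Checking .*:$/ { header = $0; next }   # hold until a finding survives
        /^[ \t]*$/       { next }                # drop blank separator lines
        ($0 in ok)       { next }                # acknowledged finding
        {
            if (header != "") {
                if (shown) print ""
                print header
                header = ""
            }
            print
            shown = 1
        }'
}

# needs_attention ALLOWLIST < report
#   Exit status 0 if any finding survives the filter, 1 if the report held
#   only acknowledged findings (nothing worth mailing).
needs_attention() {
    [ -n "$(filter_insecurity "$1")" ]
}

# Constructed sample report: the first finding is the one quoted in the
# thread, the second (account "testuser") is made up for this example.
sample_report() {
    cat <<'EOF'
Checking the /etc/master.passwd file:
Login anoncvs has no password.
Login testuser has no password.
EOF
}

# Demo: acknowledge only the anoncvs finding, then filter the sample.
allow_file=$(mktemp)
printf '%s\n' 'Login anoncvs has no password.' > "$allow_file"
sample_report | filter_insecurity "$allow_file"
rm -f "$allow_file"
```

Because matching is on the whole line, a changed account name or a new kind of finding always passes through to the mail.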
Re: PCI Gigabit card suggestion?
On Mon, Feb 25, 2008 at 11:48:27AM +1100, Sunnz wrote:
Thanks for the suggestions guys, I'll be getting a DLink DGE-530T sk(4) tomorrow, will be how it goes!

FWIW, I'm very satisfied with my two DGE-530Ts on OpenBSD (as reported at least once on this list earlier):

    skc1 at pci2 dev 9 function 0 D-Link Systems DGE-530T B1 rev 0x11, Yukon Lite (0x9): irq 4
    sk1 at skc1 port A: address 00:17:9a:7b:c2:e8
    skc2 at pci2 dev 10 function 0 D-Link Systems DGE-530T B1 rev 0x11, Yukon Lite (0x9): irq 7
    sk2 at skc2 port A: address 00:17:9a:7b:c5:70

They are placed in my dormitory's gateway and have transmitted approx 155 TB since April 1, 2007 :-) (the day we started creating graphs with RRDtool etc.)

Martin
Sun Creator 3D hardware wanted
Hi there, Have been discussing with oga@ the possibility of developing an accelerated creator 3d driver for OpenBSD/sparc64. Does anyone have any unwanted sun hardware with creator card which may be donated (to oga@, not me) for this purpose? An old ultra 10 for example. Thanks -- Best Regards Edd http://students.dec.bmth.ac.uk/ebarrett
Re: More questions on building a release with a read only source tree
On Mon, Feb 25, 2008 at 5:35 AM, Travers Buda [EMAIL PROTECTED] wrote:
Why on earth are you bothering with this? Please don't tell me it's for security, because that would be inane.

I have a heterogeneous collection of machines on which I run OpenBSD, both amd64 and i386. I have separate build machines for each architecture. I would vastly prefer to download the source once, put it on a local NAS, and have each build machine build the release it needs. In my experience, this doesn't work at all if the build process writes into the src tree itself, and historically I have had to keep a virgin source tree, and copy to each build machine, which takes a long time, and it is really kind of a pain to maintain the consistency of 3 copies.

While choosing to avoid the use of the (inflammatory) word inane, I find it curious that in following the proscribed procedure for building a release, I have ALREADY built a new kernel for this architecture (which is basically the first step before building userland, and then onto the release itself), (and in my case, I have already built both the GENERIC and GENERIC.MP kernels), that the Makefile.inc in /usr/src/etc/etc.amd64 goes ahead and does:

    # $OpenBSD: Makefile.inc,v 1.7 2006/07/27 02:53:55 deraadt Exp $

    .ifdef DESTDIR
    snap_md: bsd bsd.mp bootblocks distrib
        cp ${.CURDIR}/../sys/arch/amd64/compile/GENERIC/bsd \
            ${DESTDIR}/snapshot/bsd
        cp ${.CURDIR}/../sys/arch/amd64/compile/GENERIC.MP/bsd \
            ${DESTDIR}/snapshot/bsd.mp

    bsd:
        cd ${.CURDIR}/../sys/arch/amd64/conf && config GENERIC
        cd ${.CURDIR}/../sys/arch/amd64/compile/GENERIC && \
            ${MAKE} clean && ${MAKE} depend && exec ${MAKE}

    bsd.mp:
        cd ${.CURDIR}/../sys/arch/amd64/conf && config GENERIC.MP
        cd ${.CURDIR}/../sys/arch/amd64/compile/GENERIC.MP && \
            ${MAKE} clean && ${MAKE} depend && exec ${MAKE}

    bootblocks:
        cp ${DESTDIR}/usr/mdec/pxeboot ${DESTDIR}/snapshot
        cp ${DESTDIR}/usr/mdec/cdboot ${DESTDIR}/snapshot
        cp ${DESTDIR}/usr/mdec/cdbr ${DESTDIR}/snapshot

    .PHONY: bsd bsd.mp bootblocks

    .endif # DESTDIR check

(I discovered this makefile AFTER I had sent my email last night)

Anyway, it looks like one possible solution to my question would be to modify this file so that the bsd and bsd.mp targets are either no-ops, or perform their make in the previously generated kernel build directories, and then to change the snap_md target to copy the resulting bsd files out of these build directories, and not from the middle of the source tree. Of course, I'll have to do this again for the comparable i386 Makefile.inc.

It would be preferable if the makefile would check an environment variable for the location of where it should actually compile things (outside of the src tree!) and do it there. If unset, the Makefile could continue to pollute the source tree with its builds, if that is what you want.

Questions:

Is there any other way (a better way?) to do what I am looking for?

What other compiles does make release perform that involve writing into the source tree?

Thanks!
Don

* Don Jackson [EMAIL PROTECTED] [2008-02-24 23:27:31]:

The FAQ describes two ways to build the kernel ( http://www.openbsd.org/faq/faq5.html#BldKernel ),

    # cd /usr/src/sys/arch/i386/conf
    # config GENERIC
    # cd ../compile/GENERIC
    # make clean && make depend && make

or

Variation on above process: Read-only source tree

Sometimes, you may wish to ensure your /usr/src/sys directory remains untouched. This can be done by using the following process:

    $ cd /somewhere
    $ cp /usr/src/sys/arch/i386/conf/GENERIC .
    $ config -s /usr/src/sys -b . GENERIC
    $ make clean && make depend && make

I would like make release to use the read only source tree variant above, how can I accomplish this?

Right now, I see make release do:

    cd /home/4.2/src/etc/../sys/arch/amd64/conf && config GENERIC

Which is going to attempt to build the GENERIC kernel right there in my source tree.

Also, I am having some other weird problem, due to the following logic in the Makefile.amd64 which contains:

    # source tree is located via $S relative to the compilation directory
    .ifndef S
    S!= cd ../../../..; pwd
    .endif
    AMD64= $S/arch/amd64

For some reason the above is setting my AMD64 to some weird path that is not correct on my system, namely:

    cd /home/4.2/src/etc/../sys/arch/amd64/conf && config GENERIC
    GENERIC:13: cannot open ../../../../arch/amd64/conf/files.amd64 for reading: No such file or directory
    *** Error code 1

    Stop in /home/4.2/src/etc (line 11 of etc.amd64/Makefile.inc).

What is the point of the above, and how can I get the path correct for this build?

Thanks,
Don
Re: More questions on building a release with a read only source tree
You want to read lndir(1).

On Sun, Feb 24, 2008 at 11:27:31PM -0800, Don Jackson wrote:

The FAQ describes two ways to build the kernel ( http://www.openbsd.org/faq/faq5.html#BldKernel ),

    # cd /usr/src/sys/arch/i386/conf
    # config GENERIC
    # cd ../compile/GENERIC
    # make clean && make depend && make

or

Variation on above process: Read-only source tree

Sometimes, you may wish to ensure your /usr/src/sys directory remains untouched. This can be done by using the following process:

    $ cd /somewhere
    $ cp /usr/src/sys/arch/i386/conf/GENERIC .
    $ config -s /usr/src/sys -b . GENERIC
    $ make clean && make depend && make

I would like make release to use the read only source tree variant above, how can I accomplish this?

Right now, I see make release do:

    cd /home/4.2/src/etc/../sys/arch/amd64/conf && config GENERIC

Which is going to attempt to build the GENERIC kernel right there in my source tree.

Also, I am having some other weird problem, due to the following logic in the Makefile.amd64 which contains:

    # source tree is located via $S relative to the compilation directory
    .ifndef S
    S!= cd ../../../..; pwd
    .endif
    AMD64= $S/arch/amd64

For some reason the above is setting my AMD64 to some weird path that is not correct on my system, namely:

    cd /home/4.2/src/etc/../sys/arch/amd64/conf && config GENERIC
    GENERIC:13: cannot open ../../../../arch/amd64/conf/files.amd64 for reading: No such file or directory
    *** Error code 1

    Stop in /home/4.2/src/etc (line 11 of etc.amd64/Makefile.inc).

What is the point of the above, and how can I get the path correct for this build?

Thanks,
Don
Re: Sun Creator 3D hardware wanted
* Edd [EMAIL PROTECTED] [2008-02-25 15:10:53]: Hi there, Have been discussing with oga@ the possibility of developing an accelerated creator 3d driver for OpenBSD/sparc64. Does anyone have any unwanted sun hardware with creator card which may be donated (to oga@, not me) for this purpose? An old ultra 10 for example. Thanks -- Best Regards Edd http://students.dec.bmth.ac.uk/ebarrett I have a ultra 10 w/creator that I will ship in the 48 continental US. -- Travers Buda
Re: pf tag/tagging and packages from localhost
Well, you'll have to get the other params correct too (in/out and the real userId). I have the following...

    pass out quick log on outside inet proto tcp \
        user proxy modulate state queue(Q0,Q7)

And it works correctly at assigning the local ftp-proxy daemon's traffic, where proxy is its running userID, to its queue. /S

-Original Message- From: Stefan Schulze Frielinghaus [EMAIL PROTECTED] To: scott [EMAIL PROTECTED] Cc: misc@openbsd.org Subject: Re: pf tag/tagging and packages from localhost Date: Mon, 25 Feb 2008 12:31:31 +0100 Mailer: Evolution 2.12.3 (2.12.3-1.fc8) Delivered-To: [EMAIL PROTECTED]

I tried it without success. I guess the user feature is for something different. A quote from pf.conf(5):

    This rule only applies to packets of sockets owned by the specified user. For outgoing connections initiated from the firewall, this is the user that opened the connection. For incoming connections to the firewall itself, this is the user that listens on the destination port.

My interpretation of this is that if I use your example policy:

    pass in inet proto tcp from any to any port 80 \
        user FacilityDaemonID tag MYTAG \
        keep state

that it means that all incoming traffic to user FacilityDaemonID would be tagged with MYTAG. _But_ it wouldn't tag packets outgoing from the local user FacilityDaemonID. Nevertheless I really like this feature (thanks for the hint) and I use policies like this one:

    pass out quick on $ext_if inet proto udp from ($ext_if) \
        to any port domain user root keep state

This policy should only pass packets from localhost which I wanted to achieve. My other RDR/NAT/DMZ forwarding and whatever rules don't get touched by this rule. Best regards Stefan

On Sun, 2008-02-24 at 12:18 -0500, scott wrote: RE: LOCAL HOSTS DON'T... You can use the user or group criteria to identify the facility/service (daemon) and tag their packets accordingly.

    #
    pass in inet proto tcp from any to any port 80 \
        user FacilityDaemonID tag MYTAG \
        keep state
    ...
    pass out ... tagged MYTAG
    #

You may be able to further refine the any/any criteria.

-Original Message- From: Stefan Schulze Frielinghaus [EMAIL PROTECTED] To: misc@openbsd.org Subject: pf tag/tagging and packages from localhost Date: Sat, 23 Feb 2008 19:59:54 +0100 Mailer: Evolution 2.12.3 (2.12.3-1.fc8) Delivered-To: [EMAIL PROTECTED]

But that rule makes me a headache. I can't use tagged (or at least I don't know how to do it) because packets from localhost don't run through an input chain and I can't tag them.
Re: Sun Creator 3D hardware wanted
Edd wrote: Hi there, Have been discussing with oga@ the possibility of developing an accelerated creator 3d driver for OpenBSD/sparc64. Does anyone have any unwanted sun hardware with creator card which may be donated (to oga@, not me) for this purpose? An old ultra 10 for example. I have an Ultra 10 (400MHz from an Ultra 5, 512MB or 1GB RAM) I haven't used in a while, so I could definitely donate it - I need to double check what the UPA cards I have for it are. -- Matthew Weigel hacker [EMAIL PROTECTED]
UMSMBUFSZ in sys/dev/usb/umsm.c ?
Hello misc@, I'm playing a lot with UMTS/CDMA devices in OpenBSD. Does anybody have any umsm devices or any other USB WAN devices on umsm for testing Subj parameter? Try to change UMSMBUFSZ to 4096 in sys/dev/usb/umsm.c ? Any changes/improvements in fact? For those, can you please share your results if it is possible? Please help test these! Thank you a lot, -- Sergey Prysiazhnyi
Re: OT: fully interconnect switches: interesting problem
On Sun, Feb 24, 2008 at 04:36:46PM -0800, Matthew Dempsky wrote: On 2/24/08, bofh [EMAIL PROTECTED] wrote: Probably broadcast storm. Fastest way to fix the problem - single connect your switches, and don't loop the last back to the first. He explained in his post that the multiple connections were to avoid single points of failure. But if the switches don't know how to handle this setup, then they'll go crazy. I don't know if these switches can be told how to handle this. Doug.
Re: Monitoring Battery...
Peter N. M. Hansteen writes: notice the hw.sensors.acpibat0.* values. I haven't really looked for anything that shows those values live or in a graphical form, but that doesn't mean it doesn't exist or could not be easily ported from $elsewhere. This is in systat(1).
Re: More questions on building a release with a read only source tree
* Don Jackson [EMAIL PROTECTED] [2008-02-25 07:24:45]: On Mon, Feb 25, 2008 at 5:35 AM, Travers Buda [EMAIL PROTECTED] wrote: Why on earth are you bothering with this? Please don't tell me it's for security, because that would be inane. I have a heterogeneous collection of machines on which I run OpenBSD, both amd64 and i386. I have separate build machines for each architecture. I would vastly prefer to download the source once, put it on a local NAS, and have each build machine build the release it needs. In my experience, this doesn't work at all if the build processes writes into the src tree itself, and historically I have had to keep a virgin source tree, and copy to each build machine, which takes a long time, and it is really kind of a pain to maintain the consistency of 3 copies. While choosing to avoid the use of the (inflammatory) word inane, I find it curious that in following the proscribed procedure for building a release, I have ALREADY built a new kernel for this architecture (which is basically the first step before building userland, and then onto the release itself), (and in my case, I have already built both the GENERIC and GENERIC.MP kernels), that the Makefile.inc in /usr/src/etc/etc.amd64 goes ahead and does: # $OpenBSD: Makefile.inc,v 1.7 2006/07/27 02:53:55 deraadt Exp $ .ifdef DESTDIR snap_md: bsd bsd.mp bootblocks distrib cp ${.CURDIR}/../sys/arch/amd64/compile/GENERIC/bsd \ ${DESTDIR}/snapshot/bsd cp ${.CURDIR}/../sys/arch/amd64/compile/GENERIC.MP/bsd \ ${DESTDIR}/snapshot/bsd.mp bsd: cd ${.CURDIR}/../sys/arch/amd64/conf config GENERIC cd ${.CURDIR}/../sys/arch/amd64/compile/GENERIC \ ${MAKE} clean ${MAKE} depend exec ${MAKE} bsd.mp: cd ${.CURDIR}/../sys/arch/amd64/conf config GENERIC.MP cd ${.CURDIR}/../sys/arch/amd64/compile/GENERIC.MP \ ${MAKE} clean ${MAKE} depend exec ${MAKE} bootblocks: cp ${DESTDIR}/usr/mdec/pxeboot ${DESTDIR}/snapshot cp ${DESTDIR}/usr/mdec/cdboot ${DESTDIR}/snapshot cp ${DESTDIR}/usr/mdec/cdbr ${DESTDIR}/snapshot 
.PHONY: bsd bsd.mp bootblocks .endif # DESTDIR check (I discovered this makefile AFTER I had sent my email last night) Anyway, it looks like one possible solution to my question would be to modify this file so that the bsd and bsd.mp targets are either no-ops, or perform their make in the previously generated kernel build directories, and then to change the snap_md target to copy the resulting bsd files out of these build directories, and not from the middle of the source tree. Of course, I'll have to do this again for the the comparable i386 Makefile.inc. It would be preferable if the makefile would check an environment variable for the location of where it should actually compile things (outside of the src tree!) and do it there. If unset, the Makefile could continue to pollute the source tree with its builds, if that is what you want. Questions: Is there any other way (a better way?) to do what I am looking for? What other compiles does make release perform that involve writing into the source tree? Thanks! Don * Don Jackson [EMAIL PROTECTED] [2008-02-24 23:27:31]: The FAQ describes two ways to build the kernel ( http://www.openbsd.org/faq/faq5.html#BldKernel ), # cd /usr/src/sys/arch/i386/conf # config GENERIC # cd ../compile/GENERIC # make clean make depend make or Variation on above process: Read-only source tree Sometimes, you may wish to ensure your /usr/src/sys directory remains untouched. This can be done by using the following process: $ cd /somewhere $ cp /usr/src/sys/arch/i386/conf/GENERIC . $ config -s /usr/src/sys -b . GENERIC $ make clean make depend make I would like make release to use the read only source tree variant above, how can I accomplish this? Right now, I see make release do: cd /home/4.2/src/etc/../sys/arch/amd64/conf config GENERIC Which is going to attempt to build the GENERIC kernel right there in my source tree. 
Also, I am having some other weird problem, due to the following logic in the Makefile.amd64 which contains: # source tree is located via $S relative to the compilation directory .ifndef S S!= cd ../../../..; pwd .endif AMD64= $S/arch/amd64 For some reason the above is setting my AMD64 to some weird path that is not correct on my system, namely: cd /home/4.2/src/etc/../sys/arch/amd64/conf config GENERIC GENERIC:13: cannot open ../../../../arch/amd64/conf/files.amd64 for reading: No such file or directory *** Error code 1
Re: Monitoring Battery...
Deanna Phillips [EMAIL PROTECTED] writes: notice the hw.sensors.acpibat0.* values. I haven't really looked for anything that shows those values live or in a graphical form, but that doesn't mean it doesn't exist or could not be easily ported from $elsewhere. This is in systat(1). and with that, a live display of those values in an xterm is about 7 seconds away by my clock. :) Thanks! -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD not booting on MacBook Pro v3.1 (Santa Rosa) (Core2Duo)
On Thu, Feb 14, 2008 at 3:54 PM, Tim Saueressig, thepixelz.com [EMAIL PROTECTED] wrote:

- get parallels under osx or another openbsd box
- install openbsd as usual
- cvs up to current
- build kernel + userland or take a snapshot
- copy RAMDISK_CD to RAMDISK_CD.orig
- copy the 4 lines in GENERIC.MP to your RAMDISK_CD without the include
- enable all the acpi stuff in your ramdisk like in GENERIC
- enable uhid* at uhidev?
- read http://www.openbsd.org/faq/faq5.html#Release
- build a release and burn the install ISO

this could take some time, be warned ;) regards tim

Thank you Tim! I've managed to install OpenBSD 4.2 now following those steps. The bsd.rd from -current fails to boot however. I am not sure if this is due to the bug that has been reported as kernel/5653, because on my macbook booting the -current bsd.rd hangs at a line telling me that uhid* at uhidev? is not configured although I have attached uhid* at uhidev? in the RAMDISK_CD configuration file. The GENERIC.MP kernel from -current boots fine though (without modification). I will stick with 4.2 for now and update to 4.3 when it's released manually (without using bsd.rd). My Atheros AR5418 wireless card is not supported in 4.2 and -current so I bought myself an Asus WL-167G USB2.0 WLAN Adapter that is working perfectly thanks to the great driver (rum) written by Niall O'Higgins and Damien Bergamini! My NVIDIA GeForce 8600M GT graphics processor is not recognized by the kernel: vga1 at pci1 dev 0 function 0 vendor NVIDIA, unknown product 0x0407 rev 0xa, so I am forced to use the vesa driver. The performance of X is reasonable at a resolution of 1024x768 and depth 16. When using a resolution of 1440x900 (which is only possible with depth 24) X is unusably slow. But I am pretty satisfied with the performance of OpenBSD on my macbook pro anyway (the wlan adapter was not very expensive and I am not using X that much). Regards, Max.
Re: rtorrent + OpenBSD = freeze
Well this bug won't get fixed. That's what Theo said months ago... :) Yes. I found the thread where you bashed each other before I made my first post. I guess I'll go with FreeBSD or NetBSD instead. Daniel Each user OpenBSD loses is a loss for the whole project. That's my opinion no matter if Theo or Henning do get nuts. It's sick that a personal difference affects users like you. Because that shouldn't happen at all... And I hope some day Theo transforms from the I don't care-Theo to a You piss me off you retard but I'll take a look anyway-Theo. Feel free to replace Theo with any developer which dislikes me... Bugs just don't disappear if I shut up... Kind regards, Sebastian
OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
The ISC made a benchmark of BIND on several platforms. OpenBSD outperforms Windows but is the slowest (compared to Linux, fBSD, nBSD and Solaris!) of the other tested OSs. :-/ Well take a look for yourself (hopefully some devs read this! Especially those who know how free() works!). http://new.isc.org/proj/dnsperf/OStest.html That's not just something related to the security first-credo. Kind regards, Sebastian
Re: OT: fully interconnect switches: interesting problem
On Feb 25, 2008, at 6:39 AM, Douglas A. Tutty wrote: But if the switches don't know how to handle this setup, then they'll go crazy. I don't know if these switches can be told how to handle this. They can. The Dell Powerconnect 2700 are basically rebranded Cisco switches running CatOS. Bang for buck, they're not bad.
Howto Pass googlebot on Webserver
Hi Misc@, While testing my brandnew 4.3-beta AMD64.MP webserver, I apply a simple pf.conf to let some connection in and all out. But something interesting came out, pf actually blocks my webserver googlebot apps originated from the server, which is strange since I use pass out all. So, I'm wondering if anybody on Misc@ could help me out with this. I appreciate any replies related to this. Thanks, Insan

A. pf.conf

    ext_if=bge0
    set skip on lo
    set optimization aggressive
    set ruleset-optimization basic
    set block-policy drop
    scrub in all
    antispoof quick for { lo $ext_if }
    block log all
    pass quick on $ext_if inet proto tcp from any to $ext_if:0 port { http, https, ssh } keep state
    pass quick on $ext_if inet proto udp from abc.def.ghi.241 to $ext_if:0 port snmp
    pass inet proto icmp from any to $ext_if:0
    pass out log all

B. PFCTL -s rules

    scrub in all fragment reassemble
    block drop in quick on ! lo inet from 127.0.0.0/8 to any
    block drop in quick on ! lo inet6 from ::1 to any
    block drop in quick inet6 from ::1 to any
    block drop in quick on lo0 inet6 from fe80::1 to any
    block drop in quick on bge0 inet6 from fe80::21a:64ff:fe6e:a09a to any
    block drop in quick inet from 127.0.0.1 to any
    block drop in quick on ! bge0 inet from abc.def.ghi.240/28 to any
    block drop in quick inet from abc.def.ghi.245 to any
    block drop log all
    pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = www flags S/SA keep state
    pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = https flags S/SA keep state
    pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = ssh flags S/SA keep state
    pass quick on bge0 inet proto udp from abc.def.ghi.241 to abc.def.ghi.245 port = snmp keep state
    pass inet proto icmp from any to abc.def.ghi.245 keep state
    pass out log all flags S/SA keep state

C. From tcpdump -ettvi pflog0

    1203958253.063557 rule 3/(match) [uid 0, pid 15307] block out on bge0: abc.def.ghi.245.www crawl-66-249-72-103.googlebot.com.51771: [|tcp] (ttl 64, id 38177, len 1470

-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: Monitoring Battery...
This is how I do it;

    #!/bin/sh
    #
    # Script used for giving system information
    # Last modified: 27-01-2008

    while : ; do
        # Current readings
        cpuspeed0=$(sysctl -n hw.cpuspeed)
        cputempe0=$(sysctl -n hw.sensors.cpu0.temp0)
        systempe0=$(sysctl -n hw.sensors.acpitz0.temp0)
        battcapa0=$(sysctl -n hw.sensors.acpibat0.amphour3)
        battchar0=$(sysctl -n hw.sensors.acpibat0.raw0)

        # Redraw only when a reading differs from the previous pass
        if [ "$cpuspeed1" != "$cpuspeed0" ] || [ "$cputempe1" != "$cputempe0" ] ||
           [ "$systempe1" != "$systempe0" ] || [ "$battcapa1" != "$battcapa0" ] ||
           [ "$battchar1" != "$battchar0" ]; then
            cpuspeed1=$cpuspeed0
            cputempe1=$cputempe0
            systempe1=$systempe0
            battcapa1=$battcapa0
            battchar1=$battchar0
            # Stripped value kept in its own variable so that battcapa1 still
            # matches battcapa0 on the next pass (otherwise every pass redraws)
            battamph=$(echo "$battcapa0" | sed 's/ Ah (.*//')
            percentage=$(echo "scale=2; $battamph*100/7.2" | bc)
            battinfo=$(echo "$battchar0" | sed 's/.*(//' | sed 's/).*//')
            clear
            echo "OpenBSD Kernel version: $(sysctl -n kern.version)"
            echo
            echo "System speed         : $cpuspeed0 Mhz"
            echo "Processor temperature: $cputempe0"
            echo "System temperature   : $systempe0"
            echo "Battery information  : $percentage %, $battamph Ah ($battinfo)"
        fi
        sleep 10
    done
How does (AMD64) OpenBSD SMP support compare to Debian (Stable)?
With something like: processor : 0 vendor_id : GenuineIntel cpu family : 15 model : 4 model name : Intel(R) Xeon(TM) CPU 3.00GHz stepping: 3 cpu MHz : 3000.180 cache size : 2048 KB physical id : 0 siblings: 2 core id : 0 cpu cores : 1 fpu : yes fpu_exception : yes cpuid level : 5 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall lm constant_ts c pni monitor ds_cpl cid cx16 xtpr bogomips: 6004.81 clflush size: 64 cache_alignment : 128 address sizes : 36 bits physical, 48 bits virtual power management: processor : 1 vendor_id : GenuineIntel cpu family : 15 model : 4 model name : Intel(R) Xeon(TM) CPU 3.00GHz stepping: 3 cpu MHz : 3000.180 cache size : 2048 KB physical id : 3 siblings: 2 core id : 0 cpu cores : 1 fpu : yes fpu_exception : yes cpuid level : 5 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall lm constant_ts c pni monitor ds_cpl cid cx16 xtpr bogomips: 6000.65 clflush size: 64 cache_alignment : 128 address sizes : 36 bits physical, 48 bits virtual power management: processor : 2 vendor_id : GenuineIntel cpu family : 15 model : 4 model name : Intel(R) Xeon(TM) CPU 3.00GHz stepping: 3 cpu MHz : 3000.180 cache size : 2048 KB physical id : 0 siblings: 2 core id : 0 cpu cores : 1 fpu : yes fpu_exception : yes cpuid level : 5 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall lm constant_ts c pni monitor ds_cpl cid cx16 xtpr bogomips: 6000.90 clflush size: 64 cache_alignment : 128 address sizes : 36 bits physical, 48 bits virtual power management: processor : 3 vendor_id : GenuineIntel cpu family : 15 model : 4 model name : Intel(R) Xeon(TM) CPU 3.00GHz stepping: 3 cpu MHz : 3000.180 cache size : 2048 KB physical id : 3 siblings: 2 core id : 0 cpu cores : 1 fpu : yes fpu_exception : yes cpuid 
level : 5 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall lm constant_ts c pni monitor ds_cpl cid cx16 xtpr bogomips: 6000.78 clflush size: 64 cache_alignment : 128 address sizes : 36 bits physical, 48 bits virtual power management:
Re: Monitoring Battery...
Peter N. M. Hansteen [EMAIL PROTECTED] wrote: notice the hw.sensors.acpibat0.* values. I haven't really looked for anything that shows those values live or in a graphical form, but that doesn't mean it doesn't exist or could not be easily ported from $elsewhere. ports/sysutils/xbatt: `xbatt' is an X11 client which displays a battery status of your notebook computer equipped with APM (Advanced Power Management) BIOS. The status displayed consists remaining battery life, an AC line status, and a charging status. -- Christian naddy Weisgerber [EMAIL PROTECTED]
Re: OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
[EMAIL PROTECTED] writes: The ISC made a benchmark of BIND on serval platforms. OpenBSD outperforms Windows but is the slowest (compared to Linux, fBSD, nBSD and Solaris!) of the other tested OSs. :-/ If I read the version numbers correctly, they for reasons of their own stuck with a three to four month old OpenBSD 4.1 prerelease when something very close to 4.2 is likely to have been available. /If/ I read the version numbers correctly, that's very odd. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
ipsec.conf and ipsecctl
Dear list, I have a firewall and an ipsec.conf with 42 ike esp connections:

    ike esp from 192.168.100.0/24 to 192.168.129.0/24 peer my.firewall \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk mekmitasdigoat tag yet.another.connection

isakmpd is started with the -K -T. I am talking to lots of Watchguard Fireboxes by the way. All connections are established and traffic flows over enc0, all seems good. However, when I try to reload ipsec.conf due to a rule change, either isakmpd dies with nothing in the logs whatsoever and/or my /var/log/daemon is filling up with messages like these:

    Feb 25 14:00:41 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
    Feb 25 14:00:41 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
    Feb 25 14:00:41 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN

I would like to be using something other than shared keys but the Watchguard boxes only support fancy things like that through a Watchguard System Manager which I'd like to avoid. So for the moment I am stuck with preshared keys. If I do ipsecctl -F and do a kill and restart of isakmpd the connections seem to be established successfully again. Am I missing something obvious in reloading/adding connections to ipsec.conf ? Is a simple ipsecctl -f /etc/ipsec.conf sufficient when adding a rule or do I need to give isakmpd a SIGHUP? Thanks in advance, -- Michiel van der Kraats
Re: Monitoring Battery...
Peter N. M. Hansteen wrote: Mayuresh Kathe [EMAIL PROTECTED] writes: How do I check whether it's a non-apm laptop? It's a ThinkPad R61i, dmesg below; in that case, sysctl hw should give something like [EMAIL PROTECTED]:~$ sysctl hw and if hw.sensors does not exist and apm -b returns 255? What can we do? (I think nothing) Francesco
kernel naming proposal
OpenBSD kernel support on some architectures (I'm familiar with i386 and amd64) includes both a uniprocessor and multiprocessor version of the kernel. Currently the uniprocessor kernel is named bsd and the multiprocessor kernel is named bsd.mp. It seems to me that /bsd is currently overloaded to mean the default kernel to run and the uniprocessor version of the kernel. I propose that by default, the uniprocessor version of the kernel be named bsd.up, and that the install process arrange to have /bsd link to /bsd.up by default. Users who wanted to run the mp kernel could arrange to change this link in their install process (e.g. their install.site script). I know a hard link would work fine, but a symbolic link (if that would work, I don't know) would be more convenient for some of us: when we build new versions of GENERIC and GENERIC.MP, the install process for each of these would just replace /bsd.up and /bsd.mp respectively, and a symbolic link from /bsd to our chosen version of the kernel would remain. Thank you in advance for considering this proposal. Best regards, Don
Re: OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
[EMAIL PROTECTED] wrote: The ISC made a benchmark of BIND on serval platforms. OpenBSD outperforms Windows but is the slowest (compared to Linux, fBSD, nBSD and Solaris!) of the other tested OSs. :-/ This is completely unsurprising, considering that BIND takes advantage of multiple processors (the test bed system has four cores) by using threads. It's essentially testing for things that OpenBSD doesn't do, so OpenBSD doesn't do well. What's really amazing is that of the operating systems which let BIND use all four cores, the performance varied from NetBSD having a 20% performance boost, to Linux which saw a 160% boost. That looks like the limiting factors (once you can spread BIND across all processors) are probably things like the ability of the network stack to process all those packets - something at which OpenBSD excels. -- Matthew Weigel hacker [EMAIL PROTECTED]
Re: kernel naming proposal
While I have no stake in this issue, I think as a user /bsd and /bsd.mp are fine. As a new user, I have to determine what the diff is between /bsd and /bsd.mp now, and if it was changed to /bsd.up and /bsd.mp, I'd still have to determine which was which. Am I missing something? Jay OpenBSD kernel support on some architectures (I'm familiar with i386 and amd64) includes both a uniprocessor and multiprocessor version of the kernel. Currently the uniprocessor kernel is named bsd and the multiprocessor kernel is named bsd.mp It seems to me that /bsd is currently overloaded to mean the default kernel to run and the uniprocessor version of the kernel. I propose that by default, the uniprocessor version of the kernel be named bsd.up, and that the install process arrange to have /bsd link to /bsd.up by default. Users who wanted to run the mp kernel could arrange to change this link in their install process (eg their install.site script) I'm know a hard link would work fine, but a symbolic link (if that would work, I don't know) would be more convenient for some of us, when we build new versions of GENERIC and GENERIC.MP, the install process for each of these would just replace /bsd.up and /bsd.mp respectively, and a symbolic link from /bsd to our chosen version of the kernel would remain. Thank you in advance for considering this proposal. Best regards, Don
Re: More questions on building a release with a read only source tree
On Mon, Feb 25, 2008 at 7:31 AM, Marco Peereboom [EMAIL PROTECTED] wrote: You want to read lndir(1).

This is extremely helpful advice, thank you! I used lndir to create an architecture specific copy of my source tree, and successfully built a release within it. So, this is one way to do what I requested, and is a successful workaround. After I built my release, I checked the arch specific src tree for files that were not symbolic links, using:

    find . -type f -print

All resulting found files were in the ./sys/arch/`machine`/compile directory tree. This leads me to believe that only the compile directory needs to be written to by the make release process.

I find it inconsistent and less than optimal that the build of userland pretty much requires the use of a separate obj directory BSDOBJDIR, the src tree is defined in BSDSRCDIR, and the release and dest directories required by make release are defined as RELEASEDIR and DESTDIR, and all these directories can be defined in distinct separate areas, but that the compile directory used by make release cannot be similarly defined in an alternate location than its default location within BSDSRCDIR.

So, I have a gentle request/proposal that the compile directory used by the make release process be specified in some new environment variable (BSDCOMPILEDIR ?), if defined, that location is used as the base for compiling GENERIC, GENERIC.MP, etc, and if undefined, the existing default behavior would be followed. I can imagine that the lndir solution works great (and maybe better) for a certain class of developers/builders/users (maybe people that are constantly building versions of CURRENT?), but I believe that the class of OpenBSD users that follow STABLE and need to support multiple architectures would benefit from this seemingly small and straightforward change to the make release process.
The lndir solution works, but is not perfect (just read about some of the caveats in the lndir man page) when things start to diverge between the two subtrees. My proposal above would eliminate the issues created by having link trees back to the virgin source. Best regards, Don Jackson On Sun, Feb 24, 2008 at 11:27:31PM -0800, Don Jackson wrote: The FAQ describes two ways to build the kernel ( http://www.openbsd.org/faq/faq5.html#BldKernel ), # cd /usr/src/sys/arch/i386/conf # config GENERIC # cd ../compile/GENERIC # make clean make depend make or Variation on above process: Read-only source tree Sometimes, you may wish to ensure your /usr/src/sys directory remains untouched. This can be done by using the following process: $ cd /somewhere $ cp /usr/src/sys/arch/i386/conf/GENERIC . $ config -s /usr/src/sys -b . GENERIC $ make clean make depend make I would like make release to use the read only source tree variant above, how can I accomplish this? Right now, I see make release do: cd /home/4.2/src/etc/../sys/arch/amd64/conf config GENERIC Which is going to attempt to build the GENERIC kernel right there in my source tree. Also, I am having some other weird problem, due to the following logic in the Makefile.amd64 which contains: # source tree is located via $S relative to the compilation directory .ifndef S S!= cd ../../../..; pwd .endif AMD64= $S/arch/amd64 For some reason the above is setting my AMD64 to some weird path that is not correct on my system, namely: cd /home/4.2/src/etc/../sys/arch/amd64/conf config GENERIC GENERIC:13: cannot open ../../../../arch/amd64/conf/files.amd64 for reading: No such file or directory *** Error code 1 Stop in /home/4.2/src/etc (line 11 of etc.amd64/Makefile.inc). What is the point of the above, and how can I get the path correct for this build? Thanks, Don
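The audit Don describes (shadow the pristine tree with symlinks, build, then list whatever is no longer a symlink), as an added example that is not from the thread or the OpenBSD tree. The `shadow_tree` helper is a minimal stand-in for lndir(1), the function names and all paths are constructed for the demo, and `tree_digest` adds a check for writes that went through a link into the pristine tree.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD.
# shadow_tree is a minimal stand-in for lndir(1); all paths are constructed.

# shadow_tree SRC DST: mirror SRC's directories under DST and symlink every
# regular file back to SRC. SRC must be absolute so the links resolve.
# Assumes file names contain no newlines.
shadow_tree() {
    st_src=$1 st_dst=$2
    mkdir -p "$st_dst"
    (cd "$st_src" && find . -type d) | while IFS= read -r d; do
        mkdir -p "$st_dst/${d#./}"
    done
    (cd "$st_src" && find . -type f) | while IFS= read -r f; do
        ln -s "$st_src/${f#./}" "$st_dst/${f#./}"
    done
}

# real_files_outside DST ALLOWED: list regular files (symlinks are skipped) in
# DST that are not below DST/ALLOWED. Empty output means the build wrote only
# where it was expected to.
real_files_outside() {
    (cd "$1" && find . -type f ! -path "./$2/*" -print | sort)
}

# tree_digest DIR: one checksum over the names and contents of DIR. cksum is a
# CRC: it catches accidental writes through a symlink, not deliberate tampering.
tree_digest() {
    (cd "$1" && find . -type f -exec cksum {} + | sort | cksum)
}

demo() {
    top=$(mktemp -d)
    mkdir -p "$top/src/sys/arch/amd64/conf" "$top/src/etc"
    echo 'machine amd64' > "$top/src/sys/arch/amd64/conf/GENERIC"
    echo 'snap_md: bsd' > "$top/src/etc/Makefile.inc"
    before=$(tree_digest "$top/src")

    shadow_tree "$top/src" "$top/shadow"

    # Simulated build output landing in the compile directory.
    mkdir -p "$top/shadow/sys/arch/amd64/compile/GENERIC"
    echo 'kernel image' > "$top/shadow/sys/arch/amd64/compile/GENERIC/bsd"

    stray=$(real_files_outside "$top/shadow" sys/arch/amd64/compile)
    echo "real files outside compile/: ${stray:-none}"
    if [ "$(tree_digest "$top/src")" = "$before" ]; then
        echo "pristine tree unchanged"
    else
        echo "pristine tree was modified through a link"
    fi
    rm -rf "$top"
}
demo
```

Appending to a file through its symlink in the shadow tree changes the pristine copy without creating any regular file in the shadow, so the `find -type f` audit alone does not catch it; the digest comparison does.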
Re: Monitoring Battery...
raven [EMAIL PROTECTED] writes: and if not exist hw.sensors and apm -b return 255 ? What we can do ? ( i think nothing) dmesg and other data would help, but yes, you may have run into something that's not supported (yet) -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: kernel naming proposal
The issue is that when building and installing new kernels (eg, when a new security patch is released), it is not totally obvious to the (automated) build script what the file /bsd really is, is it the uniprocessor kernel, or a link to the multiprocessor kernel? If the latter, then blindly copying the new uniprocessor kernel to /bsd is probably not what you want to do. With my proposal, new kernels can be safely copied to /, since they have unique and distinct names. NB, I am NOT proposing different default behavior for installs. The uniprocessor kernel would be the one installed by default, the difference is that it would be named distinctly, and that /bsd would be some sort of link to the uniprocessor kernel. People can choose to install or not install the bsd.mp kernel, just as they do today, those who do can choose (or not) to change the link from /bsd to /bsd.mp . The only cost I currently see for my proposal is the cost of a link in /. At present, I see very little cost to my proposal, and reasonable benefit to some class of users. Perhaps someone on this list will come up with a really good reason why this is a bad idea, but I haven't heard that reason yet. Best regards, Don On Mon, Feb 25, 2008 at 10:48 AM, Jay Hart [EMAIL PROTECTED] wrote: While I have no stake in this issue, I think as a user /bsd and /bsd.mp are fine. As a new user, I have to determine what the diff is between /bsd and /bsd.mp now, and if it was changed to /bsd.up and /bsd.mp, I'd still have to determine which was which. Am I missing something? Jay OpenBSD kernel support on some architectures (I'm familiar with i386 and amd64) includes both a uniprocessor and multiprocessor version of the kernel. Currently the uniprocessor kernel is named bsd and the multiprocessor kernel is named bsd.mp It seems to me that /bsd is currently overloaded to mean the default kernel to run and the uniprocessor version of the kernel.
I propose that by default, the uniprocessor version of the kernel be named bsd.up, and that the install process arrange to have /bsd link to /bsd.up by default. Users who wanted to run the mp kernel could arrange to change this link in their install process (eg their install.site script) I'm know a hard link would work fine, but a symbolic link (if that would work, I don't know) would be more convenient for some of us, when we build new versions of GENERIC and GENERIC.MP, the install process for each of these would just replace /bsd.up and /bsd.mp respectively, and a symbolic link from /bsd to our chosen version of the kernel would remain. Thank you in advance for considering this proposal. Best regards, Don
Re: OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
On 2/25/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: The ISC made a benchmark of BIND on several platforms. OpenBSD outperforms Windows but is the slowest (compared to Linux, fBSD, nBSD and Solaris!) of the other tested OSs. :-/ Yeah, comparatively, OpenBSD's performance isn't so hot in that benchmark. But how many sites get even over 10,000 authoritative queries per second? Our network isn't huge (several million HTTP requests per day), but a brief look at our logs shows we get on the order of 30 queries per second across our two DNS servers. From their numbers, our DNS traffic could grow 1000 fold before that's the limiting factor. Do other sites have disproportionately more DNS traffic for their network size than this?
Re: kernel naming proposal
On 2/25/08, Don Jackson [EMAIL PROTECTED] wrote: Users who wanted to run the mp kernel could arrange to change this link in their install process (eg their install.site script) Or you can just run echo set image bsd.mp > /etc/boot.conf after installation.
Re: Dynamic Routing - BGP + OSPF
On Fri, Feb 22, 2008 at 5:50 PM, Stuart Henderson [EMAIL PROTECTED] wrote: On 2008-02-23, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I noticed that the two firewalls do not forward their iBGP learned routes to one another. Is this intended/expected behavior? Yes, you should probably read up a bit about BGP, and why you need a full mesh of i-BGP speakers. I've reread thru some of my BGP resources. And I had a redistribute default configured in ospfd.conf on the routers, however I had problems with this setup as well when I unplugged the external link on the firewall but this could have been due to my pf configuration on the firewalls. Should I re-investigate this scenario? You mean, just OSPF and no BGP on the firewalls? That's probably worth another look. No, I'm actually running OSPF and BGP on all nodes, but I believe there to be a config issue somewhere along the line. Because of the expected BGP protocol behavior, I'll have to revert back to my original configuration with the redistribute default and begin troubleshooting why this was problematic for me. When I unplugged the eBGP link, the unplugged router was still distributing the default route. What I need it to do is stop redistributing the default when the eBGP link dies. I'll have to reread thru the manpages I suppose. Also how quickly should traffic be rerouted with OSPF if a link dies? Depends on your timers, but 10sec is not unreasonable for OSPF. If you have to wait for BGP timers and session re-establishment that would take longer. I have default timers set, however the typical time for reconvergence is between 60-120 seconds, so I must be waiting on the BGP timers.
Re: kernel naming proposal
I propose that by default, the uniprocessor version of the kernel be named bsd.up, and that the install process arrange to have /bsd link to /bsd.up by default. Users who wanted to run the mp kernel could arrange to change this link in their install process (eg their install.site script) Don't want to say your proposal is good or bad, but I use another way to make life easy for me on multiprocessor machines. I keep a copy of all three kernels in / with the uniprocessor kernel renamed to bsd.sp (for single processor, might not be the perfect name, but I'm used to it). /bsd (the kernel in use, whichever it is) is a copy of one of them then, easy to identify by its file size. For me that's easier than with a link. I've changed the update/upgrade procedure just a bit for my own situation, and I have a few MB in spare in my root partition, so the additional file is no problem. Tas.
Re: kernel naming proposal
On Mon, Feb 25, 2008 at 11:06:18AM -0800, Don Jackson wrote: | The issue is that when building and installing new kernels (eg, when a | new security patch is released), it is not totally obvious to the | (automated) build script what the file /bsd really is, is it the | uniprocessor kernel, or a link to the multiprocessor kernel? | If the latter, than blindly copying the new uniprocessor kenel to /bsd | is probably not what you want to do. You may want to read up on boot.conf(5)*, paying extra special attention to the 'set image' option. bsd is UP, bsd.mp is MP. If you want to boot MP, boot bsd.mp. Do not rename bsd to bsd.mp. It gives rise to the confusion you're describing. Cheers, Paul 'WEiRD' de Weerd * Note that boot.conf is not available on all platforms. Other platforms (e.g. sparc64 or alpha) can set this via other means. | With my proposal, new kernels can be safely copied to /, since they | have unique and distinct names. | | NB, I am NOT proposing different default behavior for installs. The | uniprocessor kernel would be the one installed by default, | the difference is that it would be named distinctly, and that /bsd | would be some sort of link to the uniprocessor kernel. | People can choose to install or not install the bsd.mp kernel, just as | they do today, those who do can chose (or not) to change the link from | /bsd to /bsd.mp . | The only cost I currently see for my proposal is the cost of a link in /. | | At present, I see very little cost to my proposal, and reasonable | benefit to some class of users. | | Perhaps someone on this list will come up with a really good reason | why this a bad idea, but I haven't heard that reason yet. | | Best regards, | | Don | | | | | | | On Mon, Feb 25, 2008 at 10:48 AM, Jay Hart [EMAIL PROTECTED] wrote: | While I have no stake in this issue, I think as a user /bsd and /bsd.mp are | fine. 
As a new user, I have to determine what the diff is between /bsd and | /bsd.mp now, and if it was changed to /bsd.up and /bsd.mp, I'd still have to | determine which was which. | | Am I missing something? | | Jay | | | |OpenBSD kernel support on some architectures (I'm familiar with i386 |and amd64) includes both a uniprocessor and multiprocessor version of |the kernel. | |Currently the uniprocessor kernel is named bsd and the multiprocessor |kernel is named bsd.mp | |It seems to me that /bsd is currently overloaded to mean the default |kernel to run and the uniprocessor version of the kernel. | |I propose that by default, the uniprocessor version of the kernel be |named bsd.up, and that the install process |arrange to have /bsd link to /bsd.up by default. Users who wanted to |run the mp kernel could arrange to change this link in their install |process (eg their install.site script) | |I'm know a hard link would work fine, but a symbolic link (if that |would work, I don't know) would be more convenient for some of us, |when we build new versions of GENERIC and GENERIC.MP, the install |process for each of these would just replace /bsd.up and /bsd.mp |respectively, and a symbolic link from /bsd to our chosen version of |the kernel would remain. | |Thank you in advance for considering this proposal. | |Best regards, | |Don | -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: How does (AMD64) OpenBSD SMP support compare to Debian (Stable)?
On 2/25/08, Jon [EMAIL PROTECTED] wrote: With something like: [cat /proc/cpuinfo on a 4 x Xeon 3.0 GHz box running Linux] What exactly do you want to hear? OpenBSD has SMP support, and I've personally run it on a few machines with two dual-core amd64 processors without problems.
Re: kernel naming proposal
Matt and Paul, Thank you for the information about boot.conf, using that will enable me to keep the uniprocessor and multiprocessor versions of the kernel distinct. I think I was led astray initially by this comment in Section 8.12 in the FAQ: A separate SMP kernel, bsd.mp, is provided with the install file sets, which can be selected at install time. It is suggested that you test booting this kernel before renaming it to bsd to make it your default kernel. See: http://www.openbsd.org/faq/faq8.html#SMP Perhaps the FAQ should be modified to tell people to change boot.conf instead of renaming the kernel files, to prevent others from overloading /bsd and the default kernel. Thanks for your help! Don On Mon, Feb 25, 2008 at 11:25 AM, Matthew Dempsky [EMAIL PROTECTED] wrote: On 2/25/08, Don Jackson [EMAIL PROTECTED] wrote: Users who wanted to run the mp kernel could arrange to change this link in their install process (eg their install.site script) Or you can just run echo set image bsd.mp > /etc/boot.conf after installation.
Re: kernel naming proposal
On 2/25/08, Tasmanian Devil [EMAIL PROTECTED] wrote: /bsd (the kernel in use, whichever it is) is a copy of one of them then, easy to identify by its file size. For me that's easier than with a link. Examining output of uname -v is probably even easier. :-)
Re: kernel naming proposal
On 2008-02-25, Paul de Weerd [EMAIL PROTECTED] wrote: bsd is UP, bsd.mp is MP. ..unless you did cd /sys/arch/$ARCH/compile/GENERIC.MP && make install.
Re: rtorrent + OpenBSD = freeze
On 2/25/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Bugs just don't disappear if I shut up... No, but developers do disappear if you don't shut up.
Re: trunk failover without failing back to master port
On Sun, Feb 24, 2008 at 9:33 AM, Vijay Sankar [EMAIL PROTECTED] wrote: Good day, I have two interfaces -- nfe0 on switch0 and nfe1 on switch1 are part of trunk0. Trunk failover from nfe0 to nfe1 works very well. No problems if switch 0 goes offline -- traffic goes through switch1 flawlessly. Once switch0 comes back online, traffic is disrupted for about 30 seconds. I would like traffic to continue through switch1 after switch0 is back online (or at least have a delay of 30 or 45 seconds before failing back to the master) and don't know how to do this. Is this possible? Should I be using ifstated for this in addition to trunk? Please let me know of any clues to resolving this. Thanks very much, Vijay -- Vijay Sankar, M.Eng., P.Eng. President CEO ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED] Hi Vijay, I don't know if anyone responded to you on this but I am very curious to know myself as well... Personally, I haven't used trunk(4) too much yet so I might not be of much help. My guess would be either something with the rules (with regards to keeping state or finding a way to sync the states) unless that 30 seconds is normal??? But to me that seems odd to have that long of a disruption, 30 seconds, ouch. The other option you said was to delay it 30-45 seconds. For that, then I would personally think that ifstated would or could do the trick, but maybe someone else can give better feedback than me on this whole issue? Also, could it be caused by something with the switches layer 2 cache timeout period or something to that effect? Just a thought. Regards, Richard
Re: kernel naming proposal
bsd is UP, bsd.mp is MP. If you want to boot MP, boot bsd.mp. That seems to be even easier than my additional kernel file (my other posts in this thread). I'll try that with the next upgrade. Tas.
Re: kernel naming proposal
/bsd (the kernel in use, whichever it is) is a copy of one of them then, easy to identify by its file size. For me that's easier than with a link. Examining output of uname -v is probably even easier. :-) If I check which kernel my /bsd file is (during update/upgrade), then that's because I want to know with which one the machine will start the next time. uname -v can only tell me which one is running right now. ;-) Tas.
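Added example, not part of any post in this thread and not OpenBSD project code: the check an automated kernel-install script could make for the problem discussed above, reading the version banner inside the kernel file instead of trusting its name, and reading boot.conf to learn which file boots next. It assumes the banner that dmesg prints ("OpenBSD 4.2 (GENERIC) #375: ...") is stored as plain text in an uncompressed kernel image; the function names, the "o"-prefixed backup name and the sample files are this example's own.

```shell
#!/bin/sh
# Added example. Run "sh kernelcheck.sh demo" to see it on constructed data.

# Print the config name (GENERIC, GENERIC.MP, ...) from the version banner
# embedded in kernel file $1; fail if the file carries no banner.
kernel_config() {
	[ -r "$1" ] || return 1
	LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
	    sed -n 's/.*OpenBSD [0-9][0-9.]* (\([A-Za-z0-9_.-]*\)) #[0-9].*/\1/p' |
	    head -n 1 | grep .
}

# Print the file name the boot loader will load according to boot.conf $1:
# the last "set image" wins, and with none the default is bsd.
boot_image() {
	img=
	if [ -r "$1" ]; then
		img=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}image[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | tail -n 1)
	fi
	img=${img##*[:/]}	# drop a leading path or device prefix
	echo "${img:-bsd}"
}

# Print the config of the kernel that root directory $1 will boot next.
# This answers "what starts next time", which uname -v cannot.
next_boot_config() {
	kernel_config "$1/$(boot_image "$1/etc/boot.conf")"
}

# Copy a freshly built kernel $1 into root directory $2 under the name that
# matches what it really is (bsd for GENERIC, bsd.mp for GENERIC.MP) and
# refuse anything else. Prints the name it was installed as.
install_kernel() {
	cfg=$(kernel_config "$1") || { echo "no version banner in $1" >&2; return 1; }
	case $cfg in
	GENERIC)    name=bsd ;;
	GENERIC.MP) name=bsd.mp ;;
	*) echo "unexpected kernel config $cfg" >&2; return 1 ;;
	esac
	# keep the previous file (example's own naming) so it can be booted by hand
	if [ -f "$2/$name" ]; then
		cp -p "$2/$name" "$2/o$name"
	fi
	cp "$1" "$2/$name" && echo "$name"
}

# Constructed sample data: two fake "kernels" that hold only a banner, and a
# boot.conf like the one suggested in the thread.
make_sample_root() {
	mkdir -p "$1/etc" "$1/build"
	printf '\177ELF\001\000OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007\n\000' > "$1/build/up"
	printf '\177ELF\001\000OpenBSD 4.2 (GENERIC.MP) #1: constructed\n\000' > "$1/build/mp"
	echo 'set image bsd.mp' > "$1/etc/boot.conf"
}

demo() {
	root=$(mktemp -d) && make_sample_root "$root"
	echo "installed as: $(install_kernel "$root/build/up" "$root")"
	echo "installed as: $(install_kernel "$root/build/mp" "$root")"
	echo "next boot:    $(next_boot_config "$root")"
	rm -rf "$root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Because the check reads the banner, it also catches the case raised in the thread where make install from the GENERIC.MP compile directory has left a multiprocessor kernel in /bsd.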
Re: trunk failover without failing back to master port
On February 25, 2008 01:46:04 pm Richard Daemon wrote: On Sun, Feb 24, 2008 at 9:33 AM, Vijay Sankar [EMAIL PROTECTED] wrote: Good day, I have two interfaces -- nfe0 on switch0 and nfe1 on switch1 are part of trunk0. Trunk failover from nfe0 to nfe1 works very well. No problems if switch 0 goes offline -- traffic goes through switch1 flawlessly. Once switch0 comes back online, traffic is disrupted for about 30 seconds. I would like traffic to continue through switch1 after switch0 is back online (or at least have a delay of 30 or 45 seconds before failing back to the master) and don't know how to do this. Is this possible? Should I be using ifstated for this in addition to trunk? Please let me know of any clues to resolving this. Thanks very much, Vijay Hi Vijay, I don't know if anyone responded to you on this but I am very curious to know myself as well... Personally, I haven't used trunk(4) too much yet so I might not be of much help. My guess would be either something with the rules (with regards to keeping state or finding a way to sync the states) unless that 30 seconds is normal??? But to me that seems odd to have that long of a disruption, 30 seconds, ouch. The other option you said was to delay it 30-45 seconds. For that, then I would personally think that ifstated would or could do the trick, but maybe someone else can give better feedback than me on this whole issue? Also, could it be caused by something with the switches layer 2 cache timeout period or something to that effect? Just a thought. Regards, Richard Thanks very much for your reply. The Cisco switches have STP enabled but not RSTP. Basically it looks like when a switch comes back on line, it takes close to 30s before the port is active (meaning orange light turning to green for the port) but as far as the NIC is concerned, as soon as it detects that the link is up, the master seems to want to take over from the active port. 
The problem I have is that people are comparing the NIC teaming on Windows Servers to OpenBSD's trunking. With teaming, there is no preference for either members of the team meaning when a switch comes back, they don't notice the disruption since the port doesn't fail back to the master. The IT guy has to manually do that if necessary. But with trunking since the master is always preferred for traffic, the 30s delay as a result of whatever is going on in the switch is noticed. Anyways, hopefully someone more knowledgeable than us will notice this thread and suggest something that I can try. At this moment, I don't know what is the right place to put my effort in. Thanks again, Vijay -- Vijay Sankar, M.Eng., P.Eng. ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: How does (AMD64) OpenBSD SMP support compare to Debian (Stable)?
(Please include misc@openbsd.org in your reply so others can followup as well.) On 2/25/08, Jon [EMAIL PROTECTED] wrote: How good is the support? I want to know how well OpenBSD takes advantage of multiple processors compared to how well Linux does (running multi-threaded processes). OpenBSD's kernel uses a big lock architecture so only one processor can run kernel code at a time. On a 4 CPU machine can I expect lesser or greater performance than Linux? Lesser. But benchmark and see if it makes a difference for your use case. For our network, being able to handle 80,000 DNS queries per second per machine isn't a concern.
Re: Monitoring Battery...
On Mon, Feb 25, 2008 at 06:33:13PM +0530, Mayuresh Kathe wrote: On Mon, Feb 25, 2008 at 6:25 PM, Karl Sjodahl - dunceor [EMAIL PROTECTED] wrote: On Mon, Feb 25, 2008 at 1:22 PM, Mayuresh Kathe [EMAIL PROTECTED] wrote: On Mon, Feb 25, 2008 at 5:45 PM, Antoine Jacoutot [EMAIL PROTECTED] wrote: On Mon, 25 Feb 2008, Mayuresh Kathe wrote: I googled for monitoring battery openbsd but got nothing satisfactory. apm(8) Thanks for that Antoine. I tried 'apm -b' to get the battery status, but it showed 255, which is 'unknown', is it because my laptop isn't properly supported? Is there anything I could do to help developers support it better? Best, ~Mayuresh If its an non-apm laptop you can check it via acpi. Use sysctl and check the hw section. There it was how many volts left. How do I check whether its a non-apm laptop? It's a ThinkPad R61i, dmesg below; OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) Dual CPU T2310 @ 1.46GHz (GenuineIntel 686-class) 1.47 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16,xTPR real mem = 526667776 (502MB) avail mem = 501596160 (478MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 06/28/07, BIOS32 rev. 0 @ 0xfdca0, SMBIOS rev. 2.4 @ 0xe0010 (71 entries) bios0: vendor LENOVO version 7OET24WW (1.03 ) date 06/28/2007 bios0: LENOVO 8932A32 pcibios0 at bios0: rev 3.0 @ 0xfdc30/0x3d0 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/304 (17 entries) pcibios0: bad IRQ table checksum pcibios0: PCI BIOS has 17 Interrupt Routing table entries pcibios0: no compatible PCI ICU found pcibios0: Warning, unable to fix up PCI interrupt routing pcibios0: PCI bus #22 is the last bus bios0: ROM list: 0xc/0x1! 0xd/0x1a00 0xd1a00/0x1000 0xe/0x1! acpi at mainbus0 not configured ^^^ enable acpi in your kernel -- Bizarreness is the essence of the exotic.
Re: OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
I told you before you should use linux. OpenBSD sucks. Dude.. wanna bitching again? You also just see the downsides of something, right? It was not supposed to show how much OpenBSD sucks! OpenBSD outperforms still an OS which is leading in the world.. MS Windows! Even the IPv6-Part or the Network Stack are far from being cute or perfect. And that's the impressive thing here! Of course the ISC test was kinda technical with no real life environment at all but it may show that OpenBSD still outperforms commercial Software. And that's damn great and there's nothing to mourn about! But it wouldn't hurt if you may take it as a little motivation to take an even closer look to the IP-Stack. You'll be surprised what you might find probably. *my personal opinion so flame me privately* :) Kind regards, Sebastian
Re: rtorrent + OpenBSD = freeze
On Mon, Feb 25, 2008 at 05:52:26PM +0100, [EMAIL PROTECTED] wrote: Well this bug wont get fixed. That's what Theo said months ago... :) Yes. I found the thread where you bashed each other before I made my first post. I guess I'll go with FreeBSD or NetBSD instead. Daniel Each user OpenBSD loses is a loss for the whole project. no. if _you_ got lost, it would be a gain for the whole project and everyone involved. really, man, what's your purpose? to be annoying? to sling muck? seriously, have you actually contributed anything positive to OpenBSD, ever? It's sick that a personal difference affects users like you. Because that shouldn't happen at all... And I hope some day Theo transforms from the I don't care-Theo to a You piss me off you retard but I'll take a look anyway-Theo. Feel free to replace Theo with any developer which dislikes me... huh? we all work on what interests us. you make people disinterested. you think that's bad, then quit being an annoying twit and quit making people disinterested. pretty easy, no? -- [EMAIL PROTECTED] SDF Public Access UNIX System - http://sdf.lonestar.org
Re: How does (AMD64) OpenBSD SMP support compare to Debian (Stable)?
On Mon, Feb 25, 2008 at 09:31:59AM -0800, Jon wrote: With something like: processor : 0 model name : Intel(R) Xeon(TM) CPU 3.00GHz [x4] OpenBSD can handle multiple processors. However, OpenBSD does not use multiple CPUs for multiple threads at the moment (although that's being worked on). Thus, a processor-intensive threaded application (like MySQL under some workloads) might not utilize available resources as well as on Linux. There are other performance considerations, but they tend to be relatively minor - for most uses, OpenBSD and Linux perform similarly enough that performance should not be a reason to choose either. (And no, OpenBSD isn't always the slowest.) Joachim -- TFMotD: umbg (4) - Meinberg Funkuhren USB5131 timedelta sensor
Re: Big stack HUGE coredump
Date: Sat, 23 Feb 2008 13:58:55 + From: Alexander Nasonov [EMAIL PROTECTED] Hi, If I set a core limit to unlimited and a stack limit to 32768, then run a program with indefinite recursion, the system would generate 8G coredump file. Does the attached diff fix your problem? Index: uvm_unix.c === RCS file: /cvs/src/sys/uvm/uvm_unix.c,v retrieving revision 1.32 diff -u -p -r1.32 uvm_unix.c --- uvm_unix.c 5 Jan 2008 00:36:13 - 1.32 +++ uvm_unix.c 25 Feb 2008 21:15:10 - @@ -166,7 +166,7 @@ uvm_coredump(p, vp, cred, chdr) struct vmspace *vm = p-p_vmspace; vm_map_t map = vm-vm_map; vm_map_entry_t entry; - vaddr_t start, end; + vaddr_t start, end, top; struct coreseg cseg; off_t offset; int flag, error = 0; @@ -202,13 +202,17 @@ uvm_coredump(p, vp, cred, chdr) #ifdef MACHINE_STACK_GROWS_UP if (USRSTACK = start start (USRSTACK + MAXSSIZ)) { - end = round_page(USRSTACK + ptoa(vm-vm_ssize)); + top = round_page(USRSTACK + ptoa(vm-vm_ssize)); + if (end top) + end = top; + if (start = end) continue; - start = USRSTACK; #else if (start = (vaddr_t)vm-vm_maxsaddr) { - start = trunc_page(USRSTACK - ptoa(vm-vm_ssize)); + top = trunc_page(USRSTACK - ptoa(vm-vm_ssize)); + if (start top) + start = top; if (start = end) continue;
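Review bot: both stack branches now compute `top` and clamp against it instead of assigning `end` or `start` outright, but nothing in the hunk says why; a one-line comment at each clamp stating that only the part of the stack entry covered by vm_ssize is meant to be dumped would make the intent checkable. In the MACHINE_STACK_GROWS_UP branch `start = USRSTACK;` is removed with no replacement, so the commit message should say that the entry's own start is now kept there, and that branch deserves a test on a stack-grows-up platform since the report that prompted the diff only describes the stack limit and recursion case.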
Re: Blackhole / reject routes
block quick from <bad> block quick to <bad> On 2/25/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Currently I'm blackholing and rejecting some traffic with route add -reject/-blackhole address 127.0.0.1; this works fine, but bounces all the rejected/blackholed traffic to the loopback interface. This behaviour is.. annoying, and possibly inefficient. I'm probably searching for a null/blackhole/fake address/interface. I tried creating an unconfigured pseudo-device, slapping an IP address on it and routing it to there; it blackholes traffic effectively, but also blackholes traffic if you have a reject. What is a better way to reject/blackhole traffic in OpenBSD?
Re: man dhcpd.interfaces ?
Stuart Henderson wrote: On 2008-02-25, Kasper Revsbech [EMAIL PROTECTED] wrote: I would like to have a subnet on each interface and therefore dhcpd to span both interfaces. For that purpose I use /etc/dhcpd.interfaces where I have: vr0 vr1 But I can't find a man page on this file so I can't see if it makes a difference whether I write: vr0 vr1 or vr0 vr1 So my question is: Is there a difference? No. And if you want dhcpd to run on every interface, you can just remove this file or leave it blank. Is it just me who can't find documentation on this? It's mentioned in dhcp(8). What's logged? What's in /etc/dhcpd.conf?

The reason why I ask is because of a strange behaviour of my dhcpd server, or at least my interfaces. I run an Inet gateway on a soekris 5501. I have wan on vr0 with the following hostname file:

dhcp NONE NONE NONE

I would like to have a subnet on vr1 with the hostname file:

inet 192.168.3.1 255.255.255.0

I would like another subnet on vr2 with the following conf:

inet 192.168.2.1 255.255.255.0

My dhcpd.conf is as follows:

#Globals:
default-lease-time 600;
max-lease-time 600;
authoritative;

#Work subnet
subnet 192.168.3.0 netmask 255.255.255.0 {
    option domain-name "work.local";
    option routers 192.168.3.1;
    option domain-name-servers 212.xxx.xxx.xxx, 212.xxx.xxx.xxx; #removed for privacy
    range 192.168.3.50 192.168.3.200;
}

#employ subnet
subnet 192.168.2.0 netmask 255.255.255.0 {
    option domain-name "employs.local";
    option routers 192.168.2.1;
    option domain-name-servers 212.xxx..xxx, 212.xxx.xxx.xxx; #Removed for privacy
    range 192.168.2.50 192.168.2.200;
}

I use pf to handle the nat and some filtering. My pf rules are as follows:

# Define the interfaces and networks
wan_if=vr0
work_if=vr1
worknet = $work_if:network
employs_if=vr2
employsnet = $employs_if:network

# Service containers
#Employes lan
tcp_services_employs = "{ssh, domain, www, pop3, imap, imaps, auth, https, pop3s}"
udp_services_employs = "{domain, imap, imaps}"
icmp_types=echoreq
#work lan

# Nat
#Remember to enable ip.forwarding in /etc/sysctl.conf
# Nat employs to the ext if
nat on $wan_if from $employsnet to any -> ($wan_if)
#nat the work lan as well
nat on $wan_if from $worknet to any -> ($wan_if)

# Rules
## This machine ##
# This machine provides smb from worklan and ssh from any
#ssh
pass quick proto tcp to any port ssh
#SMB
#smbname port 137 tcp and udp
pass in on $work_if proto {tcp, udp} from $worknet to $work_if port 137
#nbdatagram
pass in on $work_if proto udp from $worknet to $work_if port 138
#nbsession
pass in on $work_if proto tcp from $worknet to $work_if port 139
#dhcp
pass in on {$work_if, $employs_if} proto udp from any to any port 67
#?\SMB

## Employes lan ##
#add icmp
#By default close all in both directions
block in on $employs_if
#make access to wan by the defined services make sure there is no access to the work_if
pass in on $employs_if proto tcp from $employsnet to !$worknet port $tcp_services_employs
pass in on $employs_if proto udp from $employsnet to !$worknet port $udp_services_employs
pass out on $wan_if proto tcp from $employsnet to $wan_if port $tcp_services_employs
pass out on $wan_if proto udp from $employsnet to $wan_if port $udp_services_employs
#open icmp on both interfaces but don't let them cross
pass in on $employs_if proto icmp from $employsnet to !$worknet icmp-type $icmp_types
pass in on $work_if proto icmp from $worknet to !$employsnet icmp-type $icmp_types
#let the work lan access all but the employ lan
pass in on $work_if from $worknet to !$employsnet
#we only control on the incoming
pass out on $wan_if

I have attached two windows xp clients by crossed cable one to each if (vr and vr2). The fun begins here, when I turn on and off the windows machines a couple of times one of them can't obtain an IP. It actually brings down the whole interface. I can't attach another BSD machine and run dhclient. Even if I set my own ip-addr on the client and start to ping I can't reach the other machine. It doesn't even answer on arp on that if. This is only solved by rebooting the gateway machine. I have tried all combinations, like switching cables, interfaces and so on. But I can't relate it to one windows machine, or one interface on the gateway, and it happens even though I switch cables. I don't get any messages in /var/log/daemons from the interface after it is down but the one still working keeps renewing. I don't get any warnings in dmesg, I just attach it in the bottom... I am really stuck. I have tried to disable pf before and after the interface has gone down, but still the same. I even tried to take the disk to my soekris 4801 and switched the interface names and so on, but still the same... BTW: I use openbsd 4.2 and I have removed the interfaces from dhcpd.interfaces so it looks in the
Re: man dhcpd.interfaces ?
On Mon, 25 Feb 2008 15:43:55 +0100, Kasper Revsbech wrote: Hi I have some problems with my dhcp server, and is trying to debug the setup. I would like to have a subnet on each interface and therefore dhcpd to span both interfaces. For that purpose I use /etc/dhcpd.interfaces where i have: vr0 vr1 But i can't find a man page on this file so I can't see if it make a difference whether I write: vr0 vr1 or vr0 vr1 So my question is: Is there a difference ? NO Is it just me who can't find documentation on this ? NO but the file is self documenting. The supplied file says: # $OpenBSD: dhcpd.interfaces,v 1.1 1998/08/19 04:25:45 form Exp $ # # List of network interfaces served by dhcpd(8). # # ep0 # ed0 le0 # de1 That should tell you something. It is effectively a combination of your alternatives except that it deals with four interfaces. When I discovered that file I started using it and, because there was no man page I started writing one. The reason I stopped was because, whilst that file is itself very simple, the process by which it is used is complicated and unable to be used in a restart of dhcpd. For me dhcpd.interfaces is deprecated. It is simpler to use dhcpd_flags=if0 if1 which does not require the parsing that dhcpd.interfaces requires to allow its free format. Restarting still means entering the command and the list of interfaces e.g. #dhcpd if1 if2 but I don't know of many cases where more than a few ifs are used. Those users could script their command if it's too hard to do from memory. OK? BTW: I use openbsd 4.2 ;) Kind regards: Kasper Revsbech Replies to the list (if any) are sufficient, thanks. Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
Re: trunk failover without failing back to master port
On 2008-02-25, Vijay Sankar [EMAIL PROTECTED] wrote: Thanks very much for your reply. The Cisco switches have STP enabled but not RSTP. Basically it looks like when a switch comes back on line, it takes close to 30s before the port is active (meaning orange light turning to green for the port) but as far as the NIC is concerned, as soon as it detects that the link is up, the master seems to want to take over from the active port. Can you get it set as an edge-port? (portfast in cisco-eze)
Serial console questions on i386 and amd64
I use serial consoles on all my OpenBSD servers for remote serial access to the machines, both during initial install via pxeboot, and later on in regular use after the install. I'm currently running either 4.2 or 4.1 on all my machines. The FAQ states: Only the first serial port (com0) is supported for console on amd64 and i386 http://www.openbsd.org/faq/faq7.html#SerCon Why is this the case? Why does OpenBSD care which serial port I use? Will it simply not work if I specify set tty com1 in /etc/boot.conf ? I ask because my servers of choice are made by Rackable Systems, and their default configuration is to route the serial port known to as com1 to a special RJ-45 connector, that also supports BIOS redirection, and even serial access to power cycle the machine. Having my OpenBSD servers use that for the console would be ideal. FYI, my Solaris10/x86 servers happily use that port for the console, and there is no need to turn off Continue Console Redirection after POST, as also recommend in the OpenBSD FAQ: Some BIOSs have an option to Continue Console Redirection after POST (Power On Self Test), this should be set to OFF, so the boot loader and the kernel can handle their own console. I'd very much appreciate any insight into these questions. Best regards, Don
Re: man dhcpd.interfaces ?
Kasper Revsbech wrote:

> I have attached two windows xp clients by crossed cable one to each if (vr and vr2)
> The fun begins here, when I turn on and off the windows machines a couple of times one of them can't obtain an IP. It actually brings down the whole interface. I can't attach another BSD machine and run dhclient. Even if I set my own ip-addr on the client and start to ping I can't reach the other machine. It doesn't even answer on arp on that if. This is only solved by rebooting the gateway machine.
> I have tried all combinations, like switching cables, interfaces and so on. But I can't relate it to one windows machine, or one interface on the gateway, and it happens even though I switch cables. I don't get any messages in /var/log/daemons from the interface after it is down but the one still working keeps renewing. I don't get any warnings in dmesg, I just attach it in the bottom...
> I am really stuck. I have tried to disable pf before and after the interface has gone down, but still the same. I even tried to take the disk to my soekris 4801 and switched the interface names and so on, but still the same...

I believe you are hitting a bug with vr, not sure if it's vr in general or just vr on the 5501. Try running 'ifconfig vr2 down' 'ifconfig vr2 up' and see if that fixes vr2. It may or may not have been fixed in -current, I haven't been following this issue.

Related thread: http://kerneltrap.org/mailarchive/openbsd-misc/2007/10/12/336090

I ran into the same problem on a 5501 I was deploying, it could be triggered by simply unplugging and replugging the patch cable a few times, whatever vr interface it tried it on would be unusable, ifconfig down and up would fix it. I only needed two ports and couldn't risk this happening in the field, so I put a dual port intel card in to work around the problem.
ipsecctl and isakmpd
Dear list,

I have a firewall and an ipsec.conf with 42 ike esp connections:

    ike esp from 192.168.100.0/24 to 192.168.129.0/24 peer my.firewall \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk mekmitasdigoat tag yet.another.connection

isakmpd is started with the -K -T. I am talking to lots of Watchguard Fireboxes by the way. All connections are established and traffic flows over enc0, all seems good.

However, when I try to reload ipsec.conf due to a rule change, either isakmpd dies with nothing in the logs whatsoever and/or my /var/log/daemon is filling up with messages like these:

    Feb 25 14:00:41 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
    Feb 25 14:00:41 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
    Feb 25 14:00:41 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN

I would like to be using something other than shared keys but the Watchguard boxes only support fancy things like that through a Watchguard System Manager which I'd like to avoid. So for the moment I am stuck with preshared keys.

If I do ipsecctl -F and do a kill and restart of isakmpd the connections seem to be established successfully again.

Am I missing something obvious in reloading/adding connections to ipsec.conf ? Is a simple ipsecctl -f /etc/ipsec.conf sufficient when adding a rule or do I need to give isakmpd a SIGHUP?

Thanks in advance,
-- 
Michiel van der Kraats
Backup Service / BackupStore
Intel PRO/1000MT (82546GB) Quad nic with huge packet delay and packet loss
Hello,

I'm trying to build an OpenBSD pf cluster using 6 interfaces, 2 Intel 1000 onboard with chipset 82547GI, and a quad port Intel 1000 nic (PCI-X) with chipset 82546GB.

Trying to ping the switch connected to one of the quad ports gives me the following terrible results:

    PING xx.xxx.xxx.xxx (xx.xxx.xxx.xxx): 56 data bytes
    (...)
    --- xx.xxx.xxx.xxx ping statistics ---
    21 packets transmitted, 20 packets received, 4.8% packet loss
    round-trip min/avg/max/std-dev = 1.822/43.125/161.863/34.999 ms

I have tried to change IRQ configuration and this is the best result I managed to get. I had even worse results, including a total machine lockup. I'm using OpenBSD 4.2 with all available patches. I have disabled stuff like USB, LPT and serial ports. It appears to be an IRQ conflict problem. The only thing that can't be changed at BIOS is onboard ethernet irqs!

Is there any tweak I can try at kernel level to solve this ?

Thanks,
John

Output of dmesg (using the stable kernel):

    OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
    cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
    real mem = 4024909824 (3838MB)
    avail mem = 3913224192 (3731MB)
    mainbus0 at root
    bios0 at mainbus0: AT/286+ BIOS, date 07/27/04, BIOS32 rev. 0 @ 0xfb830, SMBIOS rev. 2.3 @ 0xf0800 (44 entries)
    bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 07/27/2004
    bios0: Supermicro P4SCT
    apm0 at bios0: Power Management spec V1.2
    apm0: AC on, battery charge unknown
    apm0: flags 70102 dobusy 1 doidle 1
    pcibios0 at bios0: rev 2.1 @ 0xf/0xdf64
    pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde60/224 (12 entries)
    pcibios0: PCI Exclusive IRQs: 3 4 7 9 11
    pcibios0: PCI Interrupt Router at 000:31:0 (Intel 6300ESB LPC rev 0x00)
    pcibios0: PCI bus #4 is the last bus
    bios0: ROM list: 0xc/0x8000
    cpu0 at mainbus0
    pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
    pchb0 at pci0 dev 0 function 0 Intel 82875P Host rev 0x02
    ppb0 at pci0 dev 3 function 0 Intel 82875P PCI-CSA rev 0x02
    pci1 at ppb0 bus 1
    em0 at pci1 dev 1 function 0 Intel PRO/1000CT (82547GI) rev 0x00: irq 7, address 00:30:48:80:af:64
    ppb1 at pci0 dev 28 function 0 Intel 6300ESB PCIX rev 0x02
    pci2 at ppb1 bus 2
    ppb2 at pci2 dev 1 function 0 Pericom PI7C21P100 PCIX-PCIX rev 0x01
    pci3 at ppb2 bus 3
    em1 at pci3 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 11, address 00:1b:21:10:0e:2c
    em2 at pci3 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 4, address 00:1b:21:10:0e:2d
    em3 at pci3 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 7, address 00:1b:21:10:0e:2e
    em4 at pci3 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 3, address 00:1b:21:10:0e:2f
    Marvell 88SX5041 SATA rev 0x03 at pci2 dev 4 function 0 not configured
    ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x0a
    pci4 at ppb3 bus 4
    vga1 at pci4 dev 9 function 0 ATI Rage XL rev 0x27
    wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
    wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
    em5 at pci4 dev 10 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 3, address 00:30:48:80:af:65
    ichpcib0 at pci0 dev 31 function 0 Intel 6300ESB LPC rev 0x02: 24-bit timer at 3579545Hz
    pciide0 at pci0 dev 31 function 1 Intel 6300ESB IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
    pciide0: channel 0 disabled (no drives)
    atapiscsi0 at pciide0 channel 1 drive 0
    scsibus0 at atapiscsi0: 2 targets
    cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, 1.9A SCSI0 5/cdrom removable
    cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
    pciide1 at pci0 dev 31 function 2 Intel 6300ESB SATA rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
    pciide1: using irq 7 for native-PCI interrupt
    wd0 at pciide1 channel 1 drive 0: HDS722525VLSA80
    wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
    wd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
    ichiic0 at pci0 dev 31 function 3 Intel 6300ESB SMBus rev 0x02: irq 4
    iic0 at ichiic0
    isa0 at ichpcib0
    isadma0 at isa0
    pckbc0 at isa0 port 0x60/5
    pckbd0 at pckbc0 (kbd slot)
    pckbc0: using irq 1 for kbd slot
    wskbd0 at pckbd0: console keyboard, using wsdisplay0
    pcppi0 at isa0 port 0x61
    midi0 at pcppi0: PC speaker
    spkr0 at pcppi0
    lm0 at isa0 port 0x290/8: W83627HF
    npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
    fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
    biomask f7f5 netmask fffd ttymask
    pctr: user-level cycle counter enabled
    mtrr: Pentium Pro MTRR support
    dkcsum: wd0 matches BIOS drive 0x80
    root on wd0a
    swap on wd0b
    dump on wd0b
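When an IRQ problem is suspected, as in the message above, it helps to list which devices a dmesg reports on the same interrupt line. The following is an added example, not part of the original message; the function names are hypothetical, and the sample lines are copied from the dmesg in that message. Sharing a line is legal on PCI, so the output is a starting point for investigation rather than a diagnosis.

```shell
#!/bin/sh
# Added illustration: group devices by the "irq N" they report in dmesg.

# irq_sharing (hypothetical helper): reads dmesg text on stdin and prints
# one line per IRQ used by more than one device, lowest IRQ first.
irq_sharing() {
    awk '
    {
        dev = $1
        sub(/:$/, "", dev)                  # "pciide1:" -> "pciide1"
        for (i = 2; i < NF; i++) {
            if ($i != "irq")                # lower-case keyword only, so
                continue                    # "PCI Exclusive IRQs" is skipped
            irq = $(i + 1)
            sub(/[^0-9].*$/, "", irq)       # "7," -> "7"
            if (irq != "" && !seen[irq, dev]++) {
                if (count[irq]++)
                    devs[irq] = devs[irq] " " dev
                else
                    devs[irq] = dev
            }
            break
        }
    }
    END {
        for (irq in count)
            if (count[irq] > 1)
                print "irq " irq ": " devs[irq]
    }' | sort -k2,2n
}

# Lines taken from the dmesg posted above.
sample_dmesg() {
    cat <<'EOF'
pcibios0: PCI Exclusive IRQs: 3 4 7 9 11
em0 at pci1 dev 1 function 0 Intel PRO/1000CT (82547GI) rev 0x00: irq 7, address 00:30:48:80:af:64
em1 at pci3 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 11, address 00:1b:21:10:0e:2c
em2 at pci3 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 4, address 00:1b:21:10:0e:2d
em3 at pci3 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 7, address 00:1b:21:10:0e:2e
em4 at pci3 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 3, address 00:1b:21:10:0e:2f
em5 at pci4 dev 10 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 3, address 00:30:48:80:af:65
pciide1: using irq 7 for native-PCI interrupt
ichiic0 at pci0 dev 31 function 3 Intel 6300ESB SMBus rev 0x02: irq 4
pckbc0: using irq 1 for kbd slot
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
EOF
}

sample_dmesg | irq_sharing
```

On a live system the same function can be fed with `dmesg | irq_sharing`.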
soekris 5501 weird vr(4)/maybe PHY problem (was Re: man dhcpd.interfaces ?)
On 2008-02-25, Kasper Revsbech [EMAIL PROTECTED] wrote:

> The reason why I ask is because of a strange behaviour of my dhcpd server, or at least my interfaces. I run an Inet gateway on a soekris 5501
> The fun begins here, when I turn on and off the windows machines a couple of times one of them can't obtain an IP. It actually brings down the whole interface. I can't attach another BSD machine and run dhclient. Even if I set my own ip-addr on the client and start to ping I can't reach the other machine. It doesn't even answer on arp on that if. This is only solved by rebooting the gateway machine.

I've seen something that seems a bit like that on a 5501 here (no dhcp, just a bridge(4) of all the interfaces). I think it must be lower level than DHCP, more like vr(4) or the PHY. Link up, but frames not appearing on the interface.

Actually I thought I had a broken board, but it seems a bit much of a coincidence if the same sort of thing happens to you too...

It was nice that Soekris gave 5501 boards to speakers at eurobsdcon, but maybe they should also get some out to NIC driver developers (if they can find any that want them, that is ;-)
P2V with VMWare - ERR M
Hello

I have an old box (3.6) which makes a lot of noise, so I like to virtualize it. I made an image with acronis and converted it with vmware converter. When I start the virtual machine Loading... ERR M is shown. (dmesg at the bottom)

I loaded cd36.iso as cdrom and at the boot prompt tried the following:

    machine boot hd0b - ERR M
    boot hd0a:/bsd - Invalid argument failed(22). will try /bsd

also with hd0b, hd0c

If I boot with the cd, select shell and run the following

    # mount /dev/sd0c /mnt

I get Inappropriate filetype or format. also with /dev/sd0a - d

If I run

    # cp /usr/mdec/boot /boot
    # /usr/mdec/installboot -v /boot /usr/mdec/biosboot sd0

I get the following output:

    -8--
    boot: /boot proto: /usr/mdec/biosboot device: /dev/rsd0c
    /usr/mdec/biosboot: entry point 0
    proto bootblock size 512
    installboot: cross-device install
    -8--

but the error persists.

Does anyone have an idea what I'm doing wrong? Other OpenBSD machines which I installed from scratch to a virtual machine are running fine.

Thank You
Fabian

Infos: 00 Virtual machine running in VMWare Server 2 Beta
Ubuntu 7.10 as Host
New Box infos unfortunately only as pictures
New Box dmesg http://www.w3p.ch/tmpp/openbsd/dmesg.gif
New Box fdisk http://www.w3p.ch/tmpp/openbsd/fdisk.gif
New Box disklabel http://www.w3p.ch/tmpp/openbsd/disklabel.gif

Old box dmesg (http://www.w3p.ch/tmpp/openbsd/dmesg.txt)
-8-- OpenBSD 3.6-stable (GENERIC) #1: Sun Jun 12 16:14:49 CEST 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium III (GenuineIntel 686-class) 592 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,F XSR,SSE real mem = 267948032 (261668K) avail mem = 237608960 (232040K) using 3296 buffers containing 13500416 bytes (13184K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(69) BIOS, date 02/29/00, BIOS32 rev. 
0 @ 0xfd7d2 pcibios0 at bios0: rev 2.1 @ 0xfd7d0/0x830 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/224 (12 entries) pcibios0: PCI Exclusive IRQs: 9 pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks ROSB4 SouthBridge rev 0x00) pcibios0: PCI bus #0 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xc8800/0xc00 0xc9800/0x800 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 ServerWorks CNB20LE Host rev 0x05 pchb1 at pci0 dev 0 function 1 ServerWorks CNB20LE Host rev 0x05 pci1 at pchb1 bus 3 ppb0 at pci1 dev 2 function 0 Intel i960 RP PCI-PCI rev 0x05 pci2 at ppb0 bus 4 ami0 at pci1 dev 2 function 1 Intel 80960RP ATU rev 0x05: irq 11 HP 466/32b ami0: FW F.02.02, BIOS vB.02.01, 16MB RAM ami0: 1 channels, 16 targets, 1 logical drives scsibus0 at ami0: 8 targets sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed sd0: 17354MB, 2212 cyl, 255 head, 63 sec, 512 bytes/sec, 35540992 sec total xl0 at pci1 dev 5 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 9xl0: reset didn't complete , address 00:0a:5e:50:fc:0b exphy0 at xl0 phy 24: 3Com internal media interface xl0: reset didn't complete siop0 at pci1 dev 6 function 0 Symbios Logic 53c896 rev 0x06: irq 5, using 8K of on-board RAM scsibus1 at siop0: 16 targets siop1 at pci1 dev 6 function 1 Symbios Logic 53c896 rev 0x06: irq 5, using 8K of on-board RAM scsibus2 at siop1: 16 targets st0 at scsibus2 targ 3 lun 0: HP, C1537A, L105 SCSI2 1/sequential removable st0: drive empty or not ready fxp0 at pci0 dev 4 function 0 Intel 82557 rev 0x08: irq 9, address 00:10:83:fc:c9:3d inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 
4 vga1 at pci0 dev 5 function 0 ATI Mach64 GY rev 0x7a wsdisplay0 at vga1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) pcib0 at pci0 dev 15 function 0 ServerWorks ROSB4 SouthBridge rev 0x4f pciide0 at pci0 dev 15 function 1 ServerWorks OSB4 IDE rev 0x00: DMA atapiscsi0 at pciide0 channel 0 drive 0 scsibus3 at atapiscsi0: 2 targets cd0 at scsibus3 targ 0 lun 0: ARTEC, WRR-4848, 1.00 SCSI0 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker sysbeep0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask fd65 netmask ff65 ttymask ffe7 pctr: 686-class user-level performance counters enabled mtrr: Pentium Pro MTRR support dkcsum: sd0 matched BIOS disk 80 root on sd0a rootdev=0x400 rrootdev=0xd00 rawdev=0xd02 -8-- Old box fdisk
Re: Intel PRO/1000MT (82546GB) Quad nic with huge packet delay and packet loss
On 2008-02-25, openbsd firewall [EMAIL PROTECTED] wrote:

> I'm trying to build an OpenBSD pf cluster using 6 interfaces, 2 Intel 1000 onboard with chipset 82547GI, and a quad port Intel 1000 nic (PCI-X) with chipset 82546GB. Trying to ping the switch connected to one of the quad ports gives me the following terrible results:
> round-trip min/avg/max/std-dev = 1.822/43.125/161.863/34.999 ms

First thing to try is 4.3-beta (in the snapshots dir on your local ftp.openbsd.org mirror).
VPN
Do any of you all have any experience setting up site to site vpn's using openBSD on one side and openwrt devices on the other? Does anyone know if this is possible? Thanks, Josh
PERC6 and PE1950
Hello all: I know this has been discussed here before but last I heard people continue to have issues with new PE1950. I'd like to have a positive confirmation that new mfi driver will support PERC6i from Marco or someone who actually has new 1.16 driver working with it before we make a purchase. Thank you, Stas.
Re: VPN
On Feb 25, 2008, at 5:40 PM, Joshua Smith wrote:

> Do any of you all have any experience setting up site to site vpn's using openBSD on one side and openwrt devices on the other? Does anyone know if this is possible?

There are plenty of examples online for installing OpenVPN on OpenWrt. A quick openwrt openvpn google yielded the following.

http://forum.openwrt.org/viewtopic.php?id=1800
http://martybugs.net/wireless/openwrt/openvpn.cgi
http://p3f.gmxhome.de/OpenWRT/Configure-OpenVPN.html
http://wiki.openwrt.org/openvpn

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
> Yeah, comparatively, OpenBSD's performance isn't so hot in that benchmark. But how many sites get even over 10,000 authoritative queries per second? Our network isn't huge (several million HTTP requests per day), but a brief look at our logs shows we get on the order of 30 queries per second across our two DNS servers. From their numbers, our DNS traffic could grow 1000 fold before that's the limiting factor.

I agree with you. My company is one of the bigger in the hosting business in my country (Spain), we offer DNS free services and the RRDs monitor shows approx. 80-120 queries per second in each of the three DNS servers.

Despite that, the improvement of the network stack in the 4.2 version has been amazing.

-- 
Thanks,
Jordi Espasa Clofent
Re: man dhcpd.interfaces ?
Nick Gustas wrote:

> Kasper Revsbech wrote:
>
>> I have attached two windows xp clients by crossed cable one to each if (vr and vr2)
>> The fun begins here, when I turn on and off the windows machines a couple of times one of them can't obtain an IP. It actually brings down the whole interface. I can't attach another BSD machine and run dhclient. Even if I set my own ip-addr on the client and start to ping I can't reach the other machine. It doesn't even answer on arp on that if. This is only solved by rebooting the gateway machine.
>> I have tried all combinations, like switching cables, interfaces and so on. But I can't relate it to one windows machine, or one interface on the gateway, and it happens even though I switch cables. I don't get any messages in /var/log/daemons from the interface after it is down but the one still working keeps renewing. I don't get any warnings in dmesg, I just attach it in the bottom...
>> I am really stuck. I have tried to disable pf before and after the interface has gone down, but still the same. I even tried to take the disk to my soekris 4801 and switched the interface names and so on, but still the same...
>
> I believe you are hitting a bug with vr, not sure if it's vr in general or just vr on the 5501. Try running 'ifconfig vr2 down' 'ifconfig vr2 up' and see if that fixes vr2. It may or may not have been fixed in -current, I haven't been following this issue.
>
> Related thread: http://kerneltrap.org/mailarchive/openbsd-misc/2007/10/12/336090
>
> I ran into the same problem on a 5501 I was deploying, it could be triggered by simply unplugging and replugging the patch cable a few times, whatever vr interface it tried it on would be unusable, ifconfig down and up would fix it. I only needed two ports and couldn't risk this happening in the field, so I put a dual port intel card in to work around the problem.

Exactly... The behaviour is the same, a detached cable (turned off machine) and then bang.

Anyone aware if this is fixed in current?
Re: PERC6 and PE1950
PERC 6/i support has been recently added by dlg@

He tested the PERC 6 code path and I verified that the PERC 5 was not affected.

The bug that was floating around tech and misc has been resolved. In essence the firmware rejected a command even though it should not have done that. The current code re-issues the command to the firmware when that happens. krw@ wrote that fix.

On Mon, Feb 25, 2008 at 01:52:56PM -0800, Stanislav Ovcharenko wrote:

> Hello all: I know this has been discussed here before but last I heard people continue to have issues with new PE1950. I'd like to have a positive confirmation that new mfi driver will support PERC6i from Marco or someone who actually has new 1.16 driver working with it before we make a purchase. Thank you, Stas.
Re: trunk failover without failing back to master port
On February 25, 2008 04:08:24 pm Stuart Henderson wrote:

> On 2008-02-25, Vijay Sankar [EMAIL PROTECTED] wrote:
>
>> Thanks very much for your reply. The Cisco switches have STP enabled but not RSTP. Basically it looks like when a switch comes back on line, it takes close to 30s before the port is active (meaning orange light turning to green for the port) but as far as the NIC is concerned, as soon as it detects that the link is up, the master seems to want to take over from the active port.
>
> Can you get it set as an edge-port? (portfast in cisco-eze)

Thanks very much, I will try to get that done ASAP and report back.

-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
On Mon, Feb 25, 2008 at 09:34:34PM +0100, [EMAIL PROTECTED] wrote:

>> I told you before you should use linux. OpenBSD sucks.
>
> Dude.. wanna bitching again?

Sure.

> You also just see the downsides of something, right?

Yes, your emails usually show the downside of your intelligence.

> It was not supposed to show how much OpenBSD sucks! OpenBSD outperforms still an OS which is leading in the world.. MS Windows! Even the IPv6-Part or the Network Stack are far from being cute or perfect. And that's the impressive thing here! Of course the ISC test was kinda technical with no real life environment at all but it may show that OpenBSD still outperforms commercial Software.

Nothing technical about it. I can not even begin to fathom who needs tens of thousands of DNS queries a second. No not even root servers need that. As usual your drivel does not add anything to this community. This performance test is not even remotely interesting.

> And that's damn great and there's nothing to mourn about!

I am mourning the fact that you use OpenBSD.

> But it wouldn't hurt if you may take it as a little motivation to take an even closer look at the IP-Stack. You'll be surprised what you might find probably. *my personal opinion so flame me privately* :)

I did, you on the other hand decided to copy misc on your reply.

> Kind regards, Sebastian
Re: man dhcpd.interfaces ?
On 2008-02-25, Kasper Revsbech [EMAIL PROTECTED] wrote:

> Anyone aware if this is fixed in current?

It wasn't as of Feb/19.
pxeboot and tftpd questions
I try and always install my new OpenBSD (i386 and amd64) machines using pxeboot. I have the basic process down cold, but I am looking for a bit more flexibility, hence these questions.

In my environment, I have a mix of i386 and amd64 machines, and it is conceivable that I would want to install different versions of OpenBSD on new installs.

On my dhcpd server, I might have something like this:

    host obbamd42 {
        hardware ethernet 00:e0:81:45:df:d4;
        fixed-address 1.2.3.4;
        filename "pxeboot-amd64-4.2";
    }

If I take care to specify the correct filename here, dhcpd will return the correct pxeboot file for the OS version and architecture of the machine in question, so far so good!

The question/problem is how can I specify a different bsd.rd file for different installs?

The filename to be booted is obtained by requesting /etc/boot.conf from the tftpd server, so if I could return a different boot.conf file for different requests, I could change the boot line to make sure the correct boot file is then requested.

On the tftp server, in /var/tftpboot, I have an etc directory, containing a boot.conf file, which looks something like:

    # cat boot.conf
    set tty com0
    stty com0 9600
    boot bsd.rd

I'd like for the file to boot to vary depending on which machine is asking. How can I do that?

One way I can imagine is to modify the pxeboot file to request different boot.conf files, for example,

    pxeboot-amd64-4.2 requests /etc/boot-4.2-amd.conf
    pxeboot-i386-4.1 requests /etc/boot-4.1-i386.conf

etc.

Or, maybe even more flexibly, the pxeboot program would determine the MAC address of the machine on which it is running, and request a specific boot.conf file, eg /etc/boot-00e08145dfd4.conf

And ideally, if it couldn't find a file like this on the tftpd server, it would then just request the normal boot.conf file (to preserve existing behavior).

I've begun looking through the source code for pxeboot, and I haven't yet found where it requests the boot.conf file. Can anyone out there point me to the right file in the source tree to do what I want?

Or, I am always open to other ideas as to how I can accomplish my goals here. If there were a cgi option to tftpd where one could compute the response to a request dynamically, that would be another way to go.

I'd appreciate any tips/pointers/advice.

Best regards,
Don
HP Vectra VL - 450Mhz Pentium III. obsd 4.2 boots fine. snapshot 2/23 and 2/24 installs, but dies on booting
dmesg handtyped - testing my typing-fu both bsd and bsd.mp dies OpenBSD 4.3-beta (GENERIC.MP) #561: Sun Feb 24 15:12:13 MST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 452 Mhz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXR,SSE real mem = 267939840 (255MB) avail mem = 251092992 (239MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 02/24/99, BIOS32 rev. 0 @ 0xfd78d, SMBIOS rev. 2.2 @ 0xe8010 (57 entries) bios0: vendor Phoenix Technologies Ltd. version HZ.01.01US date 02/24/99 bios0: Hewlett-Packard HP Vectra apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown acpi at bios0 function 0x0 not configured pcibios0 at bios0: rev 2.1 @0xfd720/0x8e0 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/160 (8 entries) pcibios0: PCI Interrupt Router at 000:04:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xe8000/0x1000! 
cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03 agp0 at pchb0: aperture at 0xf800, size 0x400 ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 Matrox MGA G200 AGP rev 0x03 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) piixpcib0 at pci0 dev 4 function 0 Intel 82371AB PIIX4 ISA rev 0x02 pciide0 at pci0 dev 4 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: WDC WD800JB-00JJA0 wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors wd1 at pciide0 channel 0 drive 1: WDC WD800JB-00JJA0 wd1: 16-sector PIO, LBA, 76319MB, 156301488 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 disabled (no drives) uhci0 at pci0 dev 4 function 2 Intel 82371AB USB rev 0x01: irq11 piixpm0 at pci0 dev 4 function 3 Intel 82371AB Power rev 0x02: SMI iic0 at piixpm0 spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC100CL2 spdmem1 at iic0 addr 0x51: 128MB SDRAM non-parity PC133CL2 spdmem2 at iic0 addr 0x52: no decode method for Rambus memory clcs0 at pci0 dev 6 function 0 Cirrus Logic CS4280/46xx CrystalClear rev 0x01: irq 10 ac97: codec id 0x43525903 (Cirrus Logic CS4297 rev 3) ac97: codec features headphone, 18 bit DAC, 18 bit ADC, No 3D Stereo fxp0 at pci0 dev 14 function 0 Intel 8255x rev 0x02, i82557: irq 11, address 00:a0:c9:8c:d7:c0 inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 
0 bwi0 at pci0 dev 16 function 0 Broadcom BCM4306 rev 0x02: irq 10Data modified on freelist: word 0 of object 0xd0e68c00 size 0x28 previous type free (0x0 != 0xefffeecc), address 00:1a:70:b2:6f:07 ahc0 at pci0 dev 18 function 0 Adaptec AHA-2940U rev 0x01: irq 5 scsibus0 at ahc0: 16 targets cd0 at scsibus0 targ 0 lun 0: YAMAHA, CRW4260, 1.0q SCSI2 5/cdrom removable usb0 at uhci0: USB revision 1.0 uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1 uvm_fault(0xd07d5680, 0x0, 0, 1) - e kernel: page fault trap, code=0 Stopped at config_search+0x31: movl0x4(%eax),%eax config_search(0,d0e68fc0,d091ce80,d0e68fc0) at config_search+0x31 config_found_sm(d0e68fc0,d091ce80,d04a8178,0) at config_found_sm+0x1c mainbus_attach(0,d0e68fc0,0,d81b5000,d091b334) at mainbus_attach+0x15c config_attach(0,d078d574,0,0,0) at config_attach+0xfd config_rootfound(d06d9c4b,0d091cf38,d047a602) at config_rootfound+0x27 cpu_configure(d0884a00,1,3,0,2) at cpu_configure+0x29 main(0,0,0,0,0) at main+0x39c ddb{0} -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
Re: OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
On Mon, Feb 25, 2008 at 05:07:15PM -0600, Marco Peereboom wrote:

> On Mon, Feb 25, 2008 at 09:34:34PM +0100, [EMAIL PROTECTED] wrote:
>
>>> I told you before you should use linux. OpenBSD sucks.
>>
>> Dude.. wanna bitching again?
>
> Sure.
>
>> You also just see the downsides of something, right?
>
> Yes, your emails usually show the downside of your intelligence.

Marco,

I see three things from you (not in order of importance):

(1) Harassing people like sebastian who are only trolls.
(2) Good code doing very useful things.
(3) Pretty helpful responses to people about anything you've touched in (2) above.

Thanks for all three! Keep it up!

-- 
Darrin Chandler | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: P2V with VMWare - ERR M
Fabian Heusser wrote:

> Hello I have an old box (3.6) which makes a lot of noise, so I like to virtualize it. I made an image with acronis and converted it with vmware converter. When I start the virtual machine Loading... ERR M is shown. (dmesg at the bottom) I loaded cd36.iso as cdrom and at the boot prompt tried the following:
> machine boot hd0b - ERR M

I'm surprised you get THAT error, but it is a nonsense command.

> boot hd0a:/bsd - Invalid argument failed(22). will try /bsd
> also with hd0b, hd0c

um. did you really think that /bsd might be on the b, c, or d partitions??

> If I boot with the cd, select shell and run the following
> # mount /dev/sd0c /mnt
> I get Inappropriate filetype or format. also with /dev/sd0a - d

I'd *hope* you can't mount sd0c like that.

> If I run
> # cp /usr/mdec/boot /boot
> # /usr/mdec/installboot -v /boot /usr/mdec/biosboot sd0
> I get the following output:
> -8--
> boot: /boot proto: /usr/mdec/biosboot device: /dev/rsd0c
> /usr/mdec/biosboot: entry point 0
> proto bootblock size 512
> installboot: cross-device install
> -8--
> but the error persists.

You couldn't read the file system, so you figured you would just run a utility to alter a random sector someplace on the disk. Did you notice the little error message? cross-device install??? Read the man page, read the FAQ, and think about that command.

> Does anyone have an idea what I'm doing wrong?

Almost everything so far. You can't just type random commands without understanding what you are saying to the computer. What you are doing is very, very dangerous.

If you want to get some idea what went wrong, boot a CD, and do a disklabel sd0 and fdisk sd0, see what that tells you. There was obviously something that went very wrong with your imaging transfer process, which doesn't surprise me, the process of migrating OpenBSD is so simple, it is hard to get anyone worried about making a special tool, 'specially since it wouldn't have this kind of flexibility.

Quit using special tools, and use the OS.

SIMPLE way: dump(8) each existing partition to a file, move the file, then restore(8) the files to the partitions of the new disk. Install your boot loader (PROPERLY this time), and done. And YES, I am being deliberately vague about how to do this. You need to spend some time with the man pages and the FAQ and thinking about how things work, not magic commands to type.

The PROPER way of doing this, however, being this is a many year old, unmaintained install, is to build a new 4.2 or 4.3 system, install the apps, and transfer the data files. I'm guessing it is a screwed up system, or it would have been properly maintained and be running 4.2 now. So, why would you want to blindly migrate a mess to new hardware?

Nick.
Re: More questions on building a release with a read only source tree
On Sun, Feb 24, 2008 at 11:27:31PM -0800, Don Jackson wrote:
> I would like make release to use [ a ] read only source tree

I use lndir(1) to accomplish this. Check your source tree out somewhere else, and use lndir to make a 'copy' in /usr/src. Build from there, no other magic required.
Re: OpenBSD as DNS Server - Benchmarked by ISC.. and it's well... :-(
On Mon, Feb 25, 2008 at 12:34 PM, [EMAIL PROTECTED] wrote:
> But it wouldn't hurt if you may take it as a little motivation to take an even closer look to the IP-Stack. You'll be surprised what you might find probably. *my personal opinion so flame me privately* :)

ignoring the fact that this test is both old and completely useless - what you need to understand is that the developers and openbsd users as a whole have their own motivations to find their own surprises. please stop posting this crap to the list. there's only so low a SNR some of us can deal with, man.
Re: Serial console questions on i386 and amd64
Don Jackson wrote:
> I use serial consoles on all my OpenBSD servers for remote serial access to the machines, both during initial install via pxeboot, and later on in regular use after the install. I'm currently running either 4.2 or 4.1 on all my machines. The FAQ states: Only the first serial port (com0) is supported for console on amd64 and i386 http://www.openbsd.org/faq/faq7.html#SerCon Why is this the case?

because that's the way the code was written...

> Why does OpenBSD care which serial port I use?

because that's the way the code was written...

> Will it simply not work if I specify set tty com1 in /etc/boot.conf ?

I certainly wouldn't plan on it working. Feel free to try. Don't whine if things work as advertised. Feel free to submit patches to make it work as you wish. BTW: it isn't as simple as you think to do it right, though if I remember right, it isn't too hard to make a custom kernel that will do what you want (i.e., do it wrong). I think I remember what the issue is, but anyone who can fix it would know not to trust my memory and would have no trouble testing it and finding out.

> I ask because my servers of choice are made by Rackable Systems, and their default configuration is to route the serial port known to as com1 to a special RJ-45 connector, that also supports BIOS redirection, and even serial access to power cycle the machine. Having my OpenBSD servers use that for the console would be ideal. FYI, my Solaris10/x86 servers happily use that port for the console, and there is no need to turn off Continue Console Redirection after POST, as also recommended in the OpenBSD FAQ: Some BIOSs have an option to Continue Console Redirection after POST (Power On Self Test), this should be set to OFF, so the boot loader and the kernel can handle their own console. I'd very much appreciate any insight into these questions.

ok, you got ONE machine you are worried about. How many different machines with serial redirection did you test with Solaris10/x86?
From what I have seen, OpenBSD runs out of the box on a whole lot more hardware than Solaris x86 (go ahead, try to get Solaris x86 running on a Dell PE1950 w a PERC5/i. Took me hours to find the files needed in a usable format (hint: the 1950 doesn't have an on-board floppy), and when I finally did, I found the first drives for this combination was not written by Dell or LSI or Sun, but by an *OpenBSD* developer! (and the posting I found that helped in getting this thing going was written by a contributor to the OpenBSD FAQ!) I'm giggling at the thought of a PERC6/i...) Sadly, there is NO standard for serial console redirection. The original PC and AT didn't support it, so it's a hack a lot of vendors have provided, and they each do it differently. We'd love to have a nice little system that did the hand-off from redirection to OS port nicely, but there is no known standard way to do this on every PC that supports console redirection. Nick.
OpenBSD 4.1 Strange Problem
Hello all respected network administrators, I have set up an OpenBSD gateway, but the wireless connection (gateway) is not detected by the client, though before this it was OK. I could see it in Windows, but now I cannot. I don't know what is wrong with it. I am sure my configuration is OK because I didn't edit it. Another problem now is when booting up, at the starting network step: previously I did not need to enter ctrl + C to proceed to the DHCP request for rl0, but now I need that. I also don't know what is wrong. The third problem is that from OpenBSD I cannot ping the LAN client IP, but the client can ping OpenBSD. I tried router add 176.16.10.11(destination) 176.16.10.1(gateway), which returns file exists. If this route exists, then there should be no problem, but how come I cannot ping from OpenBSD to the client? I hope you can help me out, because my hair has dropped until there is no more hair. If you all need extra information or configuration, please let me know. A billion thanks for your help. -- Linux