Re: OpenBSD 4.4 httpd reverse proxy
Yes I'm sure! It is a weird problem... In fact httpd does not proxy anything even with a successful compilation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of disintx
Sent: Thursday 6 November 2008 03:05
To: misc@openbsd.org
Subject: Re: OpenBSD 4.4 httpd reverse proxy

Are you certain that /var/www/proxy/ is writeable by the server? i.e. what is the owner/group of the directory and what are the permissions?

Pc Nicolas wrote:
> Hi
> I try to reconfigure httpd on OpenBSD 4.4 to do reverse proxy as I did for years following this documentation:
> http://undeadly.org/cgi?action=article&sid=20040118105719
> I can't get it done. The only relevant message is in /var/www/logs/error_log:
> (13)Permission denied: proxy: error creating cache file /var/www/proxy/tmpzjzsP11224
> The permissions are the same as OpenBSD 4.3. I try chroot and no chroot (httpd -u).
> Any idea? Thanks
Xorg: ABI mismatch
just updated latest Xorg. apart from the sync-to-vblank intel's issue no troubles at all at first glance but I start seeing this in the logs (excerpt)

(II) LoadModule: "record"
(II) Loading /usr/X11R6/lib/modules/extensions//librecord.so
(II) Module record: vendor="X.Org Foundation"
	compiled for 1.4.2, module version = 1.13.0
	Module class: X.Org Server Extension
	ABI class: X.Org Server Extension, version 0.3
(EE) module ABI major version (0) doesn't match the server's version (1)
(II) UnloadModule: "record"
(II) Unloading /usr/X11R6/lib/modules/extensions//librecord.so
(EE) Failed to load module "record" (module requirement mismatch, 0)
(II) LoadModule: "xtrap"
(II) Loading /usr/X11R6/lib/modules/extensions//libxtrap.so
(II) Module xtrap: vendor="X.Org Foundation"
	compiled for 1.4.2, module version = 1.0.0
	Module class: X.Org Server Extension
	ABI class: X.Org Server Extension, version 0.3
(EE) module ABI major version (0) doesn't match the server's version (1)
(II) UnloadModule: "xtrap"
(II) Unloading /usr/X11R6/lib/modules/extensions//libxtrap.so
(EE) Failed to load module "xtrap" (module requirement mismatch, 0)

for taking away it I've temporary added

Section "ServerFlags"
	Option "IgnoreABI" "True"
EndSection

-- 
see ya, giovanni
VPN Ipsec
Hello,

I am trying to set up an ipsec vpn between two networks. But, I can't figure out why it doesn't work. I get some errors like (here on the malenfant gate, see network map below):

Plcy 30 keynote_cert_obtain: failed to open /etc/isakmpd/keynote//192.168.1.159/credentials
Default rsa_sig_decode_hash: no public key found
Default dropped message from $dugny_addr port 4500 due to notification type INVALID_ID_INFORMATION

I don't understand why I have messages about keynote, because isakmpd is launched with the -K flag (and why 192.168.1.159 instead of $dugny_addr?). And, I don't understand why it doesn't find the public key. I have correctly copied for each gate /etc/isakmpd/local.pub to the other gate at /etc/isakmpd/pubkeys/ipv4/gate_ip

Here is my network map:

  { st_cyr_net : 192.168.2.0/24 }
                |
  xl1 : 192.168.2.1
  [gate malenfant] OpenBSD 4.4-current (as of 10/18) on the livebox's DMZ
  xl0 : 192.168.1.183
                |
  192.168.1.1
  [adsl router/modem livebox] $st_cyr_addr
                @@@
           @@@ Internet @@@
                @@@
  $dugny_addr [adsl router/modem livebox] 192.168.1.1
                |
  xl0 : 192.168.1.159
  [gate nemoto] OpenBSD 4.4-release on the livebox's DMZ
  xl1 : 192.168.3.1
                |
  { dugny_net : 192.168.3.0/24 }

By DMZ I mean that all ports for tcp and udp are redirected on the gate. I don't see why the liveboxes can be the problem, they redirect all the traffic. How can NAT on the liveboxes cause trouble? Because the two gates run a different version of OpenBSD? I don't think so, however malenfant will be upgraded to 4.4-release tomorrow evening.

My ipsec.confs:

- on nemoto:

st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
st_cyr_addr=xx.xx.xx.xx
ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr

- on malenfant:

st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
dugny_addr=yy.yy.yy.yy
ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr

pf is correctly (I hope) configured on both gates with (here is a snippet from malenfant's pf.conf):

set skip on { lo enc0 }
block in
pass out
pass in on $ext_if proto { tcp udp } \
    from $dugny_addr to ($ext_if) port ipsec-nat-t
pass in on $ext_if proto udp to ($ext_if) port isakmp

My two enc0 interfaces are up.

If you find my mistake(s), have ideas, or need more information please tell me. Full configuration files and isakmpd log are available at: http://www.kalessin.fr/stuff/openbsd_ipsec.tar.gz

Best Regards,
Louis Opter.
Re: PF: very simple question...
Limaunion wrote:
> Hi, for some reason my OpenBSD 4.4 firewall has been able to negotiate DHCP requests although there are no rules that allow this operation.

Thanks everyone for the explanation, I wasn't sure what was wrong with my configuration. Now it's clear.

Best regards.
JC
Re: Duplicate incoming packets to multiple destinations using pf
Ok, here are the first results.

I have set up loopback addresses with the same IP address on two receivers (for testing). (A.A.A.10)
Each receiver has unique external IP addresses in the same subnet as the $nms_if

First, I created this rule:

pass in on $int_if dup-to ( $nms_if $nms_broadcastaddress ) proto udp from 10.10.10.1 to $receiverloopbackaddress port 162
# I have tried to make the macros self-explanatory, so I won't include their definitions here.

The rule gets accepted, and expands to:

pass in quick on bge1 dup-to (vlan4 A.A.A.15) inet proto udp from 10.10.10.1 to A.A.A.10 port = snmp-trap keep state
# The subnet is /28, hence the broadcast is .15 on network 0.

Although pf accepts the syntax, nothing happens when firing off a trap to A.A.A.10. If I replace $nms_broadcastaddress with one of the physical addresses (f.ex A.A.A.1 or A.A.A.2) I can see the trap coming from 10.10.10.1 and heading for A.A.A.10 on the receiver.

Since dup-to a broadcast address doesn't seem to work (unless I am doing something completely wrong), I then need to specify multiple hosts, which is not supported. I can add a single address for the dup-to rule, but trying to add multiple hosts gives me a syntax error when trying to load the conf file. I tried

( { $nms_if $nms-a, $nms_if $nms-b } )

but apparently this is not supported (and syntax error is my bane).

So, I am sort of back to square one... broadcast not supported and multiple individual receivers is not supported. BTW, please correct me if anyone has been successful at this, because I don't want to conclude on this unless it is correct.

That leaves me with multicast, which is yet to be tried, however, I don't have much experience with this one, so testing may take a little longer...

Cheers,
Simon.

On Wed Nov 5 17:12 , Damian Gerow sent:
> Good luck, and let the list know how this fares out. I'm sure you're not the only person who's run into this problem before, and I'm curious to see what works out for your setup.
>
> As for submitting a feature request... TBH, I don't know. I'm not sure if sendbug is appropriate for feature requests or not. Given the text under http://www.openbsd.org/report.html, it sounds like sendbug is appropriate for feature requests, but you may want to double-check that yourself.
>
> - Damian
>
> Simen Stavdal wrote:
> > Hello again,
> > Ok, I think we are getting closer to a resolution.
> > I like the loopback solution (never thought of that), it should work for udp at least since it is connection-less, and it would work for my scenario and netflow alike.
> > Then you could add multiple loopbacks to subscribe to different snmp traps.
> > Tomorrow I will test this, and I will let you know how I got on.
> > If one were to request new features from the OBSD developers, how would one go about it?
> > Regarding whether or not it is the right tool to use, I agree, should be up to the developers, but I thought it would be a natural place, since it can be combined with a lot of other features, such as carp for redundancy etc, ...TBC...
> > Russell and Damian also suggested sending traps as multicast, which I will give a try too.
> > So long, and thanks for all the help so far!
> > Cheers,
> > Simon.
> >
> > On Wed Nov 5 16:29 , Damian Gerow sent:
> > > Simen Stavdal wrote:
> > > > Worth submitting a feature request?
> > > > --- It looks like this would be the best solution ---
> > > Sounds like you have your desired solution. So long as the OBSD developers accept your request as valid.
> > > > --- The subject of my posting is Duplicating incoming packets to multiple destinations using pf ---
> > > > --- And I never initially asked a closed question, but I did state a scenario ---
> > > Right, so I was led to believe that the context of your question was limited to re-mapping SNMP destinations. In other words, you had a specific problem on hand to solve, and that SNMP trap multiplexing was that problem.
> > > > You have a piece of machinery. It's going to send traffic, to a given destination. However, this destination may be more than one machine. It may be two. It may be five. And the traffic may be single datagrams, or it may be a constant stream. Who knows. You don't want to update the source when this destination point changes, due to administrative overhead. So, you need an arbitrary resolution that is not protocol-specific, that provides a single point of management (or otherwise incurs a very low administrative overhead), and where the client doesn't need to be modified.
> > > > --- I wouldn't describe the scenario as arbitrary ---
> > > Let's not argue over words.
> > > You need a resolution that can be applied to any number of situations. You need a resolution that is sufficiently abstracted such that it addresses the root problem,
OpenBSD Remote Access Server
Hi Misc@,

In a few days I'm going to start a new RAS project, and I'd like to use OBSD as a ppp/pppoe server. Has anyone ever done this before? I'm looking to manage ppp clients' access and bandwidth using a radius server, but I have limited experience with ppp servers and radius. If anyone is willing to share their experiences, any enlightenment and shed of light would be much appreciated.

Warm Regards,
Insan
-- 
insandotpraja(at)gmaildotcom
isakmpd routing woes
Hello, I have three /24 networks connected to each other through multihomed OpenBSD 4.0 servers using isakmpd(8). Recently, new point-to-point links have been installed between each of those networks on separate interfaces, and I would like to make it so traffic coming from/through specific (single) IPs in each of those networks reaches other specific single IPs in the other networks. Simply using route(8) was not enough, so I'm wondering if anyone knows if and how this can be done -- if this can still be done through isakmpd, great, but a way to bypass it so that the traffic can be redirected to the interfaces with the new links would also be enough. Thanks in advance! Carlos [ Please Cc replies to me if possible, as I'm not subscribed to the list. ]
Re: SSL error
--- Doug Milam [Wed, Nov 05, 2008 at 07:58:39PM -0800]: ---
> I've followed the SSL instructions in the FAQ, http://www.openbsd.org/faq/faq10.html#HTTPS, but I get the following error in Firefox (other browsers don't work either):
>
> SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
>
> PF allows connections to port 443, and the IfDefine segment of my httpd.conf is enabled to listen on this port. -DSSL is enabled in rc.conf.local

what happens if you `openssl s_client -connect $your_ip:443` ? are you able to negotiate a connection then? are there any hints in the httpd logs? what version of OpenBSD? have you modified httpd's default config in any other way?
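A way to reproduce the diagnostic the reply asks for, as an added example that is not from the thread or the OpenBSD FAQ: read the first bytes a server sends back on port 443 and interpret them as a TLS record header. A server that was never told to speak SSL answers the ClientHello with text such as `HTTP/1.1 400 Bad Request`, whose bytes decode to a record length of 0x502f (20527), above the 2^14 + 2048 limit of RFC 2246, which is the condition Firefox reports as ssl_error_rx_record_too_long. The `probe()` function is the live equivalent of the `openssl s_client` check; the parsing functions run offline.

```python
"""Classify what a server speaks on its HTTPS port from the first bytes it returns.

Added example, not code from the thread or from OpenBSD. Everything below the
imports is an assumption-free reading of the TLS record layer: a record starts
with one content-type byte, two version bytes and a two-byte length.
"""
import socket
import ssl
import struct

TLS_MAX_RECORD = (1 << 14) + 2048          # RFC 2246 s6.2.2: TLSCiphertext.length limit
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_record_header(first5: bytes) -> dict:
    """Interpret five bytes the way a TLS client does: content type, version, length."""
    if len(first5) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", first5[:5])
    return {"type": ctype, "version": (vmaj, vmin), "length": length}


def record_too_long(first_bytes: bytes) -> bool:
    """True when the bytes, read as a TLS record header, exceed the maximum record length
    (the condition behind the browser's 'record too long' error)."""
    return parse_record_header(first_bytes)["length"] > TLS_MAX_RECORD


def classify_reply(first_bytes: bytes) -> str:
    """Return 'plain-http', 'tls' or 'unknown' for the start of a server's reply."""
    if first_bytes.startswith(b"HTTP/"):
        return "plain-http"                # httpd answering without SSL on 443
    hdr = parse_record_header(first_bytes)
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= TLS_MAX_RECORD):
        return "tls"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: try a real TLS handshake first; if that fails, send a plaintext HTTP
    request on the same port and classify whatever comes back."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # only asking whether TLS is spoken at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError:
        pass
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return classify_reply(raw.recv(5))


if __name__ == "__main__":
    # Constructed sample of what a non-SSL httpd returns to a ClientHello.
    sample = b"HTTP/1.1 400 Bad Request\r\n"
    print(classify_reply(sample), parse_record_header(sample), record_too_long(sample))
```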
Re: PF: very simple question...
On 2008-11-06, Can Erkin Acar [EMAIL PROTECTED] wrote:
> Parsing raw network data, even from a file, provides an opportunity to inject incredible amounts of malicious input to the parser. That is also one reason we do not have ethereal/wireshark in ports. The last time I looked, they had a lot of parsers and an incredible amount of complex code tied to that stream of malicious input.

wireshark now has support to run only the packet capture as a privileged user (by installing dumpcap setuid to a user with read access to /dev/bpf, typically root but can be another if you change permissions). the dissectors and UI are run as whichever user started it.

unfortunately, they haven't gone as far as we did with tcpdump - wireshark's dissectors are run as the normal user starting it, not jailed in an unprivileged process. anyone considering running it should still take a lot of care...
HP DL180 hangs on boot
Hi!

I have issues booting a HP ProLiant DL180 G5 (456830-421) [1] which I hope someone can shed some light on.

[ While writing this email I've done some more testing and realized that the behaviour is not really consistent, but what I describe below is a typical case ]

1. The machine takes loong pauses (usually two; sometimes more) while loading the kernel.
   - The first long pause is after the "entry point at ..." line, and is about 90s. [noticed now that pressing any key on the keyboard makes it go on... interrupt issues?]
   - Second pause is after "pckbd0 at isa0..." and lasts approximately 3 to 5 minutes.
   Dunno if it means anything, but somewhere in between the pauses described first above, the machine beeps once. I get similar beeps when adding or removing a usb stick, so it might be related to usb.

2. Sometimes the machine shuts down and restarts slightly after the kernel is loaded (might have time to show the (I)nstall... prompt). I don't have serial console for now so I cannot tell exactly. A few times I have seen the capital letter F being printed out (gray on blue) prior to the reboot.

disabling isa and pci seems to make it not hang but makes it rather unusable... :-d

If the machine gets past loading and initializing the kernel without rebooting, it seems fine but all I've done so far is installing 4.4.

The HP product id is 456830-421 with 1G RAM replaced by 4G (2+2) and a 250GB SATA drive. The machine has no proper raid AFAICT (ie no E200 or P400) but some (likely crappy) built-in semi-raid.

Reinserting the original memory stick did not improve anything, nor did removing the harddrive. The diagnostics test showed no errors, but I'm running it now over the weekend. I'm going to try a firmware upgrade too.

Any clues are appreciated. dmesg from after the successful install (bsd.rd) follows.

Thanks,
Alexander

[1] http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/15351-15351-3328412-3328421-3328421-3580698-3673202.html

==

OpenBSD 4.4-current (RAMDISK_CD) #203: Sun Nov 2 13:41:35 MST 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 3745857536 (3572MB)
avail mem = 3635634176 (3467MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xfc4b0 (65 entries)
bios0: vendor HP version "O19" date 08/20/2008
bios0: HP ProLiant DL180 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC MCFG SPMI SLIC OEMB HPET SSDT EINJ BERT ERST HEST
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (NPE2)
acpiprt2 at acpi0: bus 2 (NPE3)
acpiprt3 at acpi0: bus 3 (NPE4)
acpiprt4 at acpi0: bus 5 (NPE6)
acpiprt5 at acpi0: bus 10 (P0P1)
acpiprt6 at acpi0: bus 9 (P0PE)
acpiprt7 at acpi0: bus 8 (P0P3)
acpiprt8 at acpi0: bus 7 (BCM_)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2494.12 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 "Intel 5100 Host" rev 0x80
ppb0 at pci0 dev 2 function 0 "Intel 5100 PCIE" rev 0x80
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 "Intel 5100 PCIE" rev 0x80
pci2 at ppb1 bus 2
ppb2 at pci0 dev 4 function 0 "Intel 5100 PCIE" rev 0x80
pci3 at ppb2 bus 3
ppb3 at pci0 dev 5 function 0 "Intel 5100 PCIE" rev 0x80
pci4 at ppb3 bus 4
ppb4 at pci0 dev 6 function 0 "Intel 5100 PCIE" rev 0x80
pci5 at ppb4 bus 5
ppb5 at pci0 dev 7 function 0 "Intel 5100 PCIE" rev 0x80
pci6 at ppb5 bus 6
pchb1 at pci0 dev 16 function 0 "Intel 5100 FSB" rev 0x80
pchb2 at pci0 dev 16 function 1 "Intel 5100 FSB" rev 0x80
pchb3 at pci0 dev 16 function 2 "Intel 5100 FSB" rev 0x80
pchb4 at pci0 dev 17 function 0 "Intel 5100 Reserved" rev 0x80
pchb5 at pci0 dev 19 function 0 "Intel 5100 Reserved" rev 0x80
pchb6 at pci0 dev 21 function 0 "Intel 5100 DDR" rev 0x80
pchb7 at pci0 dev 22 function 0 "Intel 5100 DDR" rev 0x80
uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: irq 11
uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: irq 14
uhci2 at pci0 dev 26 function 2 "Intel 82801I USB" rev 0x02: irq 5
ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: irq 11
pci7 at ppb6 bus 9
ppb7 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: irq 11
pci8 at ppb7 bus 8
vga1 at pci8 dev 0 function 0 "Matrox MGA G200e (ServerEngines)" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ppb8 at pci0 dev 28 function 5 "Intel 82801I PCIE" rev 0x02: irq 10
pci9 at ppb8 bus 7
bge0 at pci9 dev 0 function 0 "Broadcom BCM5722" rev 0x00, BCM5755 C0 (0xa200): irq 10, address 00:22:64:42:1b:23
brgphy0 at bge0 phy 1: BCM5722 10/100/1000baseT PHY, rev. 0
uhci3 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: irq 7
Re: Xorg: ABI mismatch
Hi!

On Thu, Nov 06, 2008 at 09:18:13AM +0100, giovanni wrote:
> just updated latest Xorg. apart from the sync-to-vblank intel's issue no troubles at all at first glance but I start seeing this in the logs (excerpt)
> [...]

I have many more issues. For this issue, I regenerated the configuration file (X -configure), and use only the modules named in the generated configuration file. These are:

Section "Module"
	Load "dbe"
	Load "dri"
	Load "extmod"
	Load "glx"
	Load "freetype"
EndSection

So GLcore, record, xtrap and type1 are gone from the previous config file.

However, my previous fontpath additions won't work. If I keep them, I get this *fatal* error:

Fatal server error:
could not open default cursor font 'cursor'
giving up.

If I keep only the default font path, things work. My font path additions would be these:

+ #FontPath "/usr/local/share/fonts/override/"
+ #FontPath "/usr/local/openoffice/share/fonts/truetype"
+ #FontPath "/usr/local/share/fonts/"
+ #FontPath "/usr/local/lib/metamail/fonts"
+ #FontPath "/usr/local/lib/X11/fonts/terminus/"
+ #FontPath "/usr/local/lib/X11/fonts/freefont/"
+ #FontPath "/usr/local/lib/X11/fonts/mscorefonts"
+ #FontPath "/usr/local/lib/X11/fonts/ecoliercourt"
+ #FontPath "/usr/local/lib/X11/fonts/artwiz-aleczapka"

All @fontdirs from ports (not even the complete list from all my installed packages, as I see now, after a grep '[EMAIL PROTECTED]' /var/db/pkg/*/+CONTENTS).

Another issue is even more glitches in xterm (when I move it around, occasionally a line remains where it doesn't belong, until it's either overwritten by text or a full redraw is triggered; and sometimes the line between the scrollbar and the text pane wasn't seen; maybe both issues are gone after I recompiled xenocara myself, at least I couldn't reproduce it today).

The old glitch (text is garbled after switching the font using the Ctrl-Mouse3 menu) that has been there since the switch from XF4 to xenocara is still there (and it's not necessarily from xorg, as it's *not* there on Debian Linux, and it's not graphics card specific, because it *is* there on two OpenBSD boxen with different graphics cards).

At least the issue with Greek fonts seems to be gone with the latest update. :-)

Kind regards,
Hannah.
Re: HP DL180 hangs on boot
I had some similar issue on the HP DL 120 G5. Solution is: deactivate the RAID controller in the BIOS. If you need to use some RAID, use raidctl which is working again in version 4.4

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alexander Hall
Sent: Thursday 6 November 2008 14:44
To: misc@openbsd.org; [EMAIL PROTECTED]
Subject: HP DL180 hangs on boot

[...]
fjnews12-2008
FUNJET ASSOCIAZIONE SPORTIVA FUNJET www.funjet.it [EMAIL PROTECTED] FJNEWS 12/2008

With the race of Sunday 2 November 2008, A.S.D. Funjet of Empoli closes an exciting competitive season in the best possible way. At Marina di Massa, in the last round of the Italian Jet Ski Endurance Championship, Funjet took another 2 national titles, with Angelo Bertozzi (Massa) Italian Champion in the F2 4T category and Andrea Bergamo (Pordenone) Italian Champion F1 2T, bringing the Italian titles won in 2008 to 4. But above all it is the turnout of public and riders, with no fewer than 12 new athletes who came to our sport for the first time by taking part in this event, that makes us enthusiastic and confident for the 2009 season.

We must thank the Associazione Sportiva Balneare Paraflight, the venue of the race, and in particular Marco, Manoela and Rocco for their commitment and great organisational availability. Thanks are also due to the F.I.M. and in particular to the President of the Jet Ski Commission, Luca Filiberti, who attended and contributed to the success of the event. Worth noting is the win in the round by Antonio D'Arma (Massa), young local rider, who takes the title of Italian Vice Champion F1 2T 2008.

Keep following us on www.funjet.it: news, previews, competition results, gossip and the new FUNJET TV funtube... and www.motodacqua.eu, where you can find and download the photos in their original form at full resolution from all Funjet races and shows.

The news from Funjet.it. News and info from the world of jet skis. This newsletter is sent to about 15000 addresses: riders, sponsors, newspapers, companies in the sector, partners, marketing offices, advertising agencies, press offices, television and radio.

The information contained in this communication and its attachments may be copied and retransmitted by any means of communication provided that the source is always cited. For particular needs or collaborations, contact the editorial office.
Re: Xorg: ABI mismatch
On Thu, Nov 06, 2008 at 09:18:13AM +0100, giovanni wrote:
> just updated latest Xorg. apart from the sync-to-vblank intel's issue no troubles at all at first glance but I start seeing this in the logs (excerpt)
> [...]
> (EE) Failed to load module "record" (module requirement mismatch, 0)
> [...]
> (EE) Failed to load module "xtrap" (module requirement mismatch, 0)
>
> for taking away it I've temporary added

You should instead have removed the record, and trap extension from your config. Those extensions aren't there anymore in the new xserver.

-0-
-- 
Support your local Search and Rescue unit -- get lost.
Re: Xorg: ABI mismatch
On Thu, Nov 6, 2008 at 3:35 PM, Owain Ainsworth [EMAIL PROTECTED] wrote:
> On Thu, Nov 06, 2008 at 09:18:13AM +0100, giovanni wrote:
> > just updated latest Xorg. apart from the sync-to-vblank intel's issue no troubles at all at first glance but I start seeing this in the logs (excerpt)
> > [...]
> > (EE) Failed to load module "record" (module requirement mismatch, 0)
> > [...]
> > (EE) Failed to load module "xtrap" (module requirement mismatch, 0)
> >
> > for taking away it I've temporary added
>
> You should instead have removed the record, and trap extension from your config. Those extensions aren't there anymore in the new xserver.

I've just noted that in effect those extensions are no longer present (so the ABI error was correct) _but_ Xorg -configure keeps on delivering those ones in xorg.conf. why?

> -0-
> -- 
> Support your local Search and Rescue unit -- get lost.

-- 
see ya, giovanni
Re: Xorg: ABI mismatch
Hi!

On Thu, Nov 06, 2008 at 02:35:30PM +0000, Owain Ainsworth wrote:
> [...]
> > (EE) Failed to load module "record" (module requirement mismatch, 0)
> > (EE) Failed to load module "xtrap" (module requirement mismatch, 0)
> >
> > for taking away it I've temporary added
>
> You should instead have removed the record, and trap extension from your config. Those extensions aren't there anymore in the new xserver.

Why the strange error message? For me that occurred even after I wiped /usr/X11R6 and reinstalled the x*.tgz tarballs. Why not something akin to "No such file or directory"?

Kind regards,
Hannah.
NAT + IPsec problem
Hello,

I am trying to set up an IPsec connection. Here is the ipsec.conf:

ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
    main auth hmac-sha1 enc aes-256 \
    quick auth hmac-sha1 enc aes-256 group modp1024 psk

Tunnels go up well:

flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use
flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes
esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes

As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx before the tunnel. So I put this in my pf.conf:

nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go through the tunnel, they are going to the internet. Here is the pflog:

Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request
Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request

- Packets are going out through em0 (my inet interface) instead of enc0

As pf doc says translation occurs before filtering, I don't understand why pf can see my real address (10.31.30.1). And the most important: why do outgoing packets -with good addresses- not go through the tunnel? Have I misconfigured something?

Thank you for your help

-- 
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse BP93668 F-31036 Toulouse CEDEX 1
Tel: 05 67 31 90 84
Fax: 05 34 61 51 00
Mail: [EMAIL PROTECTED]
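A small checker, added here and not part of the post, that parses the flow entries and the two pflog lines quoted above (both copied into the script as constructed input) and reports, for each logged packet, whether an outbound IPsec flow covers its source/destination pair. It shows that the pair seen entering on bge0 (10.31.30.1 to 193.164.151.1) falls inside no flow, while the translated pair (10.63.61.2 to 193.164.151.1) is covered by the `flow esp out` entry; a packet that matches no flow at the point where the flow lookup happens is routed normally instead of being handed to enc0.

```python
"""Match pflog packets against IPsec flow entries.

Added example; not code from the thread. Flow lines are in the ipsecctl style
quoted in the post, pflog lines in tcpdump style. Only the fields needed for the
address check are parsed.
"""
import ipaddress
import re

# Constructed from the flows quoted in the post.
FLOWS = """\
flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use
flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
"""

# Constructed copy of the two pflog lines quoted in the post.
PFLOG = """\
Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request
Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request
"""

FLOW_RE = re.compile(
    r"^flow \w+ (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+)")
# For tcp/udp, tcpdump appends the port as a fifth dotted component; it is skipped.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(\w+\) (?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def parse_flows(text):
    """One dict per flow line: direction, src/dst networks and peer address."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append({"dir": m["dir"],
                          "src": ipaddress.ip_network(m["src"]),
                          "dst": ipaddress.ip_network(m["dst"]),
                          "peer": m["peer"]})
    return flows


def parse_pflog(text):
    """One dict per pflog line: rule number, action, direction, interface, addresses."""
    packets = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            packets.append({"rule": int(m["rule"]), "action": m["action"],
                            "dir": m["dir"], "ifn": m["ifn"],
                            "src": m["src"], "dst": m["dst"]})
    return packets


def matching_flow(flows, src, dst, direction="out"):
    """First flow in the given direction whose networks contain both addresses, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == direction and s in f["src"] and d in f["dst"]:
            return f
    return None


def audit(flow_text, pflog_text):
    """(interface, src, dst, peer or None) for every logged packet."""
    flows = parse_flows(flow_text)
    result = []
    for p in parse_pflog(pflog_text):
        f = matching_flow(flows, p["src"], p["dst"])
        result.append((p["ifn"], p["src"], p["dst"], f["peer"] if f else None))
    return result


if __name__ == "__main__":
    for ifn, src, dst, peer in audit(FLOWS, PFLOG):
        verdict = f"covered by flow to peer {peer}" if peer else "no outbound flow matches"
        print(f"{ifn}: {src} -> {dst}: {verdict}")
```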
Re: trunk(4), VLANs and MTU problems
Okay, I've done some reading up on the code. It seems the em driver (in 4.4) has its HW VLAN tagging capability disabled, and thus I cannot use that. Seems some changes have been committed since, I tried (without much hope of it working :P) to backport this into 4.4, but failed totally as expected ;) Instead, I've modified my configuration to not use VLANs, since I'm only using 3 internal networks (previously 3 VLANs) from this router at this moment, and I got 4 ports, I managed to solve it anyway.. But it would still be nice to be able to do VLAN routing (together with trunk, I'll never push 1GBit right now, but I might want to later) in the future, since that's something I cannot do now. Anyone know how common this problem with blocked ICMP packets is? Anyone else had the same problem? Thanks Johan On Nov 4, 2008, at 14:08 , Johan Ström wrote: Hi list I've just deployed two redundant OpenBSD 4.4's as main gateways for a network, and all in all it's working great, as expected with OpenBSD :) Each box (HP DL320) has one Intel Quad GigE adapter (82571EB), connected to a HP 2810-48 GigE switch. em0 and em1 are trunk0, and running the external link on top (thus normal 1500 MTU). em2 and em3 are trunk1, and here I run a couple of VLANs, and thus the MTU is 1496. The problem I'm having is this: When some mailservers (out of my control) try to send email to our server (located on one of the VLANs), they connect all fine and perform the SMTP handshake etc, but then when they get around to sending DATA followed by the actual mail, they start using 1500b frames with the DF bit set. All fine in a normal env.. But for me, this of course fails, since my net can only handle 1496 bytes. As expected my box sends ICMP unreachable - need to frag (mtu 1496) to the remote server. This works fine and is respected in most cases, the packet is retransmitted in smaller frames, but some sending servers seem to ignore my ICMP (firewalled away at their end?
shouldn't be a problem here since other servers get it and retransmit), and just keep on sending 1500b packets.. And my box continues to drop them and return ICMP unreach.. So, I started looking into enabling jumbo frames on my local net (or at least making sure I can transmit 1500b on the VLANs), but it seems I've hit a stop at trunk, since from what I can tell I cannot get 1500b MTU there: if_trunk.c: ... case SIOCSIFMTU: if (ifr->ifr_mtu > ETHERMTU) { error = EINVAL; break; } ifp->if_mtu = ifr->ifr_mtu; break; ETHERMTU is #defined as 1500 So... Dead end there? Is there any way to get 1500b MTU on a trunk somehow? Would it be possible to just hack if_trunk.c, making sure the underlying interfaces are running at at least 1502 bytes? That would be enough for me.. That was what I first tried, changing the MTU of em2/3 to 1502 in order to allow space for the VLAN tag, hoping that the trunk interface would see this and change, but no. I guess someone here has probably had this problem sometime, how have you solved it? I could of course try to get in touch with the admins of these servers but that is probably not the easiest task (the list of servers I have problems with includes big global unnamed companies). Thanks for any help, and many many thanks for the great OpenBSD 4.4 release! :) Johan
Re: isakmpd routing woes
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Laviola Sent: Thursday, 6 November 2008 13:34 To: misc@openbsd.org Subject: isakmpd routing woes Hello, I have three /24 networks connected to each other through multihomed OpenBSD 4.0 servers using isakmpd(8). Recently, new point-to-point links have been installed between each of those networks on separate interfaces, and I would like to make it so traffic coming from/through specific (single) IPs in each of those networks reaches other specific single IPs in the other networks. Simply using route(8) was not enough, so I'm wondering if anyone knows if and how this can be done -- if this can still be done through isakmpd, great, but a way to bypass it so that the traffic can be redirected to the interfaces with the new links would also be enough. Thanks in advance! Carlos [ Please Cc replies to me if possible, as I'm not subscribed to the list. ] As far as I understand, the routes defined through isakmpd take precedence over routes defined via the route add command. But you can make isakmpd ignore specific IP addresses by adding bypass rules to your ipsec.conf like flow esp from a.b.c.0/24 to 10.105.60.100/32 type bypass would bypass the ipsec tunnel between a.b.c.0/24 and 10.105.60.0/24 if the target address is 10.150.60.100. Hope this helps Regards
Panic. ciss0: dead (HP ProLiant DL360 G5)
Hello, all! I've got a panic with ciss0 on my HP ProLiant DL360 G5. Everything worked fine for about a month or so until today. I forgot to enable SNMP traps on iLO2, but anyway, I don't know if there is something interesting from Integrated Lights-Out. Before installing OpenBSD I did hardware RAID 1+0. Any ideas what's wrong with ciss? :) sec:~$ uname -a OpenBSD sec 4.2 SEC.MP#0 amd64 sec:~$ Has anyone had such a problem? Thanks for any advice. On tty console: panic: ciss0: dead Starting stack trace... panic() at panic+0x136 ciss_heartbeat() at ciss_heartbeat+0x6a softclock() at softclock+0x22d softintr_dispatch() at softintr_dispatch+0x6a Xsoftclock() at Xsoftclock+0x2d --- interrupt --- end of kernel end trace frame: 0x2b0, count: 252 0: End of stack trace. syncing disks... Also dmesg.boot and kernel config. -- Denis Davydov [demime 1.01d removed an attachment of type application/octet-stream which had a name of SEC] [demime 1.01d removed an attachment of type application/octet-stream which had a name of SEC.MP] [demime 1.01d removed an attachment of type application/octet-stream which had a name of SEC] [demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg.boot]
Re: Panic. ciss0: dead (HP ProLiant DL360 G5)
Denis Davydov wrote: Hello, all! I've got a panic with ciss0 on my HP ProLiant DL360 G5. Everything worked fine for about a month or so until today. I forgot to enable SNMP traps on iLO2, but anyway, I don't know if there is something interesting from Integrated Lights-Out. Before installing OpenBSD I did hardware RAID 1+0. Any ideas what's wrong with ciss? :) sec:~$ uname -a OpenBSD sec 4.2 SEC.MP#0 amd64 sec:~$ Has anyone had such a problem? Thanks for any advice. On tty console: panic: ciss0: dead Starting stack trace... panic() at panic+0x136 ciss_heartbeat() at ciss_heartbeat+0x6a softclock() at softclock+0x22d softintr_dispatch() at softintr_dispatch+0x6a Xsoftclock() at Xsoftclock+0x2d --- interrupt --- end of kernel end trace frame: 0x2b0, count: 252 0: End of stack trace. syncing disks... If this happens regularly I would say the card is trashed. Had the same error on one of our boxes. It got more frequent, sometimes not even getting over the fsck stage. We swapped the card and the box worked again. Also dmesg.boot and kernel config. -- Denis Davydov [demime 1.01d removed an attachment of type application/octet-stream which had a name of SEC] [demime 1.01d removed an attachment of type application/octet-stream which had a name of SEC.MP] [demime 1.01d removed an attachment of type application/octet-stream which had a name of SEC] [demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg.boot] Your attachments are being removed by the list server. Kind regards, Markus
Re: NAT + IPsec problem
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BARDOU Pierre Sent: Thursday, 6 November 2008 15:30 To: misc@openbsd.org Cc: LOUIS Marc Subject: NAT + IPsec problem Hello, I am trying to set up an IPsec connection. Here is the ipsec.conf : ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \ main auth hmac-sha1 enc aes-256 \ quick auth hmac-sha1 enc aes-256 group modp1024 psk Tunnels go up well : flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx before the tunnel. So I put this in my pf.conf : nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2 The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go through the tunnel, they are going to the internet. Here is the pflog : Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request - Packets are going out through em0 (my inet interface) instead of enc0 As the pf doc says translation occurs before filtering, I don't understand why pf can see my real address (10.31.30.1). And the most important : why don't outgoing packets -with good addresses- go through the tunnel ? Have I misconfigured something ?
Thank you for your help -- Cordialement, Pierre BARDOU CSIM - Bureau 012 Midi Pyrénées Informatique Hospitalière 12 rue Michel Labrousse BP93668 F-31036 Toulouse CEDEX 1 Tél : 05 67 31 90 84 Fax : 05 34 61 51 00 Mail : [EMAIL PROTECTED] From the OpenBSD ipsec manpage I would guess that the decision about which flow to use is made before pf processes the packets. And as the original packets do not match the defined flows (they are on a smaller subnet only), the packets will go to the internet, and are not reconsidered for matching an IPsec flow after NAT has been done. I saw messages where people have circumvented this by defining a local (lo) interface where the NAT can be done. Not exactly what you want to do, but it might provide some insight: http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html
openbsd fail2ban
Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: openbsd fail2ban
2008/11/6 Charlie Clark [EMAIL PROTECTED]: I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Yes. RTFAQ. Best Martin
Re: openbsd fail2ban
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Clark Sent: Thursday, 6 November 2008 18:34 To: misc Subject: openbsd fail2ban Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052 You can use pf, I think. Put something like this in your pf.conf:
table <ssh-bruteforce>
block drop in log quick from <ssh-bruteforce> to any
pass in $log_pass_ext \
    on $ext_if \
    inet proto tcp \
    from any \
    to $ext_if port 22 \
    flags S/SA \
    keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
and pf will move the offending source IP to the bruteforce table and subsequently drop those packets
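The pf rule above does its counting in the kernel. For comparison, here is the user-space, fail2ban-style approach the thread asks about, written as an added example for this thread (not code from the list, from fail2ban or from OpenBSD): it reads sshd failure lines in the format /var/log/authlog uses, counts failures per source inside a sliding window, and emits the pfctl(8) commands that would put the source into a table such as <ssh-bruteforce>. The table name, thresholds and log lines are constructed assumptions.

```python
"""Minimal fail2ban-style watcher for OpenBSD sshd authlog lines.

Added example, not code from the mailing list, fail2ban or OpenBSD.
Assumptions: the pf table is called ssh-bruteforce (as in the pf.conf
above), maxretry/findtime follow fail2ban's meaning, and the sample
authlog lines are constructed.
"""
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure lines as syslogd writes them to authlog (no year in the stamp).
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey) for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

TABLE = "ssh-bruteforce"  # assumed pf table name, matching the pf.conf above


def parse_failure(line):
    """Return (timestamp, source IP) for an sshd failure line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    # authlog stamps carry no year; strptime fills in 1900, which is fine
    # for relative comparisons inside one log file.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(lines, maxretry=3, findtime=600):
    """Sliding-window count of failures per source.

    A source is reported once it reaches maxretry failures inside any
    findtime-second window. Returns the offending IPs in the order they
    crossed the threshold, each reported only once.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        # drop hits that fell out of the window
        recent[ip] = hits = [t for t in hits if ts - t <= window]
        if len(hits) >= maxretry:
            banned.append(ip)
    return banned


def pfctl_commands(offenders, table=TABLE):
    """pfctl(8) invocations that add each offender to the table and kill
    its existing states, the same effect as 'overload ... flush global'."""
    cmds = []
    for ip in offenders:
        cmds.append(["pfctl", "-t", table, "-T", "add", ip])
        cmds.append(["pfctl", "-k", ip])
    return cmds


def apply(offenders, dry_run=True):
    """Run the commands, or only return them when dry_run is set."""
    cmds = pfctl_commands(offenders)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample: 192.0.2.10 fails four times in two minutes,
# 198.51.100.7 fails twice more than an hour apart, and 203.0.113.9
# fails three times spread over an hour.
SAMPLE_AUTHLOG = """\
Nov  6 17:33:41 gw sshd[21436]: Failed password for root from 192.0.2.10 port 51234 ssh2
Nov  6 17:33:45 gw sshd[21436]: Failed password for root from 192.0.2.10 port 51234 ssh2
Nov  6 17:34:02 gw sshd[21440]: Invalid user admin from 198.51.100.7
Nov  6 17:34:10 gw sshd[21442]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Nov  6 17:34:20 gw sshd[21444]: Accepted publickey for charlie from 198.51.100.7 port 40000 ssh2
Nov  6 17:35:30 gw sshd[21450]: Failed password for invalid user oracle from 192.0.2.10 port 51250 ssh2
Nov  6 17:40:00 gw sshd[21460]: Failed password for root from 203.0.113.9 port 33000 ssh2
Nov  6 18:10:00 gw sshd[21470]: Failed password for root from 203.0.113.9 port 33001 ssh2
Nov  6 18:40:00 gw sshd[21480]: Failed password for root from 203.0.113.9 port 33002 ssh2
Nov  6 18:41:00 gw sshd[21481]: Failed password for invalid user test from 198.51.100.7 port 33002 ssh2
""".splitlines()

if __name__ == "__main__":
    for cmd in apply(find_offenders(SAMPLE_AUTHLOG)):
        print(" ".join(cmd))
```

With the defaults only 192.0.2.10 is reported; widening findtime to an hour also catches the slow attempts from 203.0.113.9, which is the trade-off a kernel rate such as 3/30 cannot express.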
Re: openbsd fail2ban
I wrote a small program about 5 years ago. It was a daemon that implemented a service similar to port knocking but entirely in user level, calling pfctl via exec() system calls to insert/remove remote IP addresses in a pf table holding machines allowed to connect to the ssh daemon via port 22. It was an ugly hack but it worked for us. I shall have a backup copy somewhere on my powerbook at home... On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote: Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Intel D201GLY2 install failure, OpenBSD 4.4
I'm booting from CD as a prelude to install, and during CD boot see (NOTE this is manually transcribed from the screen): : couldn't map interrupt sis0 at pci0 dev 4 function 0 SiS 900 10/100BaseTX rev 0x91pci_intr_map: bad interrupt line 19 : couldn't map interrupt pciide1 at pci0 dev 5 function 0 SiS 181 SATA rev 0x01: DMA pci_intr_map: bad interrupt line 17 pciide1: couldn't map native-PCI interrupt pci_intr_map: bad interrupt line 17 pciide1: couldn't map native-PCI interrupt ppb1 at pci0 dev 31 function 0 SiS PCI-PCI rev 0x00 pci2 at ppb1 bus 2 isa0 at pcib0 isadma0 at isa0 com0 at isa0 port 0x2f8/8 irq 4: ns 16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 biomask ffed netmask ffed ttymask rd0: fixed, 3800 blocks softraid at root root on rd0a swap on rd0b dump on rd0b erase ^?, werase ^W, kill ^U, intr ^C, status ^T (I)nstall, (U)pgrade or (S)hell? I choose install, accept defaults for terminal type, answer 'y' to Proceed with install? [no] and get: No disks found. # This system has an IDE CD-RW drive, and two SATA HDDs. After failing the OpenBSD 4.4 install last week, I installed Debian stable on this system w/no problems. But I'd rather use OpenBSD so I'm reporting this problem in hopes it can be fixed (mobo is a nice low-cost fanless mini-ITX, so could appeal to many). My web searches show this problem being reported occasionally in the past but I saw no reports for this mobo with the 4.4 release. I was hoping to include a dmesg via serial port capture (my box does not include a floppy), but boot set tty com0 switching console to com0 com0 console not present Web searches suggested I could mess with the BIOS to get around this problem, but the only BIOS setting for the serial port is enable/disable: I switched to disable mode with no change in results. FWIW, Jaime
Re: openbsd fail2ban
Hi Marcus, If you come across this program again, would I be able to steal it off of you? I will implement it as suggested before using pf state table tracking, but your program sounds very interesting and I would still like to see it. Thank you everyone for your answers. Thanks, Charlie Marcus Andree wrote: I wrote a small program about 5 years ago. It was a daemon that implemented a service similar to port knocking but entirely in user level, calling pfctl via exec() system calls to insert/remove remote IP addresses in a pf table holding machines allowed to connect to the ssh daemon via port 22. It was an ugly hack but it worked for us. I shall have a backup copy somewhere on my powerbook at home... On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote: Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052 -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: HP DL180 hangs on boot
Christophe Rioux wrote: I had a similar issue on the HP DL 120 G5. Solution is: deactivate the RAID controller in the BIOS. If you need to use some RAID, use raidctl which is working again in version 4.4 This server has only some kind of built-in RAID which I suppose is of the software-raid type. However it already was, and still is, disabled in the BIOS. The BIOS settings are: Compatible/IDE, Enhanced/IDE or Enhanced/RAID. I cannot swear I tested Enhanced/RAID but I wouldn't bet any money on that being the working combo... :-d I'm going to try upgrading the BIOS firmware (there was some update regarding newer Intel CPUs; don't know if it applies to the Xeon E5420 but I suppose they wouldn't ship a machine with that processor with a non-working BIOS). Could be worth testing though. Anyway, thanks and don't hesitate to mention anything I might have missed. /Alexander
Re: openbsd fail2ban
On 17:33, Thu 06 Nov 08, Charlie Clark wrote: Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Have a look at this section of the FAQ: http://www.openbsd.org/faq/pf/filter.html#stateopts What you are interested in is the sample using 'overload' and 'flush' -- Michiel van Baak [EMAIL PROTECTED] http://michiel.vanbaak.eu GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x71C946BD Why is it drug addicts and computer aficionados are both called users?
Re: openbsd fail2ban
You'd be free to do whatever you want with it. I'll see if I can find the source. I'm pretty sure there's a copy on my old powerbook. It was written for linux and openbsd and we used it for an ad-hoc authentication method to manage a remote machine over the insecure internet. Never did any security auditing on the code, but I don't think there's anything wrong with it. There were one or two things that I'd have liked to have the time to implement, like privilege separation, but that's all. But, as I said before, it is an ugly hack... :) On Thu, Nov 6, 2008 at 3:57 PM, Charlie Clark [EMAIL PROTECTED] wrote: Hi Marcus, If you come across this program again, would I be able to steal it off of you? I will implement it as suggested before using pf state table tracking, but your program sounds very interesting and I would still like to see it. Thank you everyone for your answers. Thanks, Charlie Marcus Andree wrote: I wrote a small program about 5 years ago. It was a daemon that implemented a service similar to port knocking but entirely in user level, calling pfctl via exec() system calls to insert/remove remote IP addresses in a pf table holding machines allowed to connect to the ssh daemon via port 22. It was an ugly hack but it worked for us. I shall have a backup copy somewhere on my powerbook at home... On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote: Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052 -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: openbsd fail2ban
2008/11/6, Charlie Clark [EMAIL PROTECTED]: Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Have you tried sshguard?
Re: openbsd fail2ban
On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote: I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Yes, but why would you want to do that? It doesn't help in any real sense - weak passwords are still weak and may still fall to a distributed attack, and strong passwords or keys are pretty much impossible to guess anyway. Meanwhile, it's at least a little complex, takes some time to set up, and has nasty failure modes. Joachim
Re: openbsd fail2ban
If you're just tired of the noise, consider moving SSH to a different port. It provides no greater security but helps with some of the annoyance. -HKS On Thu, Nov 6, 2008 at 2:34 PM, Joachim Schipper [EMAIL PROTECTED] wrote: On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote: I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Yes, but why would you want to do that? It doesn't help in any real sense - weak passwords are still weak and may still fall to a distributed attack. and strong passwords or keys are pretty much impossible to guess anyway. Meanwhile, it's at least a little complex, takes some time to set up, and has nasty failure modes. Joachim
Re: Intel D201GLY2 install failure, OpenBSD 4.4
On Thu, Nov 6, 2008 at 11:49 AM, Jamie Cuesta [EMAIL PROTECTED] wrote: I was hoping to include a dmesg via serial port capture (my box does not include a floppy), but Use ftp.
Re: fps between 10/28 and 11/2 snapshots
On Wed, 5 Nov 2008 14:37:06 -0600 Neal Hogan [EMAIL PROTECTED] wrote: I've been running -current via snapshots and have had odd glxgears output between the 10/28 snap and 11/02 snap. Back on the 10/02 version I was getting 1000-1300 fps. On the 11/02 version I get 100-130 fps. It's not a huge deal for me at this point since I'm not too much of a gamer and have no need to watch movies on my laptop. I just found it odd and thought you'd like to know . . . on behalf of those who possess the above interests. While I have noticed the following on undeadly but must have missed it on the mailing lists: Mesa 7.2 defaults to sync-to-vblank for intel chips in an attempt to avoid tearing in the display. In this mode, OpenGL drawing is synchronised to the refresh rate of your monitor and thus is capped at that rate. If for some reason this bothers you, you may circumvent this by either setting 'vblank_mode=0' in your environment or use driconf (in ports) to configure this option. Might be relevant. http://undeadly.org/cgi?action=articlesid=20081104235706mode=expandedcount=4 // nick
Re: NAT + IPsec problem
This is something I have struggled with myself and don't have a good solution to. I actually asked a similar question to yours a couple of days ago :-( http://marc.info/?l=openbsd-miscm=122530349320838w=2 Basically NATing stuff going through a VPN tunnel doesn't really work. I have followed the recipe from this post http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html however I was unsuccessful. I have currently resorted to using a HAproxy to proxy the traffic. Vladimir BARDOU Pierre wrote: Hello, I am trying to set up an IPsec connection. Here is the ipsec.conf : ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \ main auth hmac-sha1 enc aes-256 \ quick auth hmac-sha1 enc aes-256 group modp1024 psk Tunnels go up well : flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx before the tunnel. So I put this in my pf.conf : nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2 The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go through the tunnel, they are going to the internet. Here is the pflog : Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request - Packets are going out through em0 (my inet interface) instead of enc0 As the pf doc says translation occurs before filtering, I don't understand why pf can see my real address (10.31.30.1). And the most important : why don't outgoing packets -with good addresses- go through the tunnel ? Have I misconfigured something ?
Thank you for your help -- Cordialement, Pierre BARDOU CSIM - Bureau 012 Midi Pyrénées Informatique Hospitalière 12 rue Michel Labrousse BP93668 F-31036 Toulouse CEDEX 1 Tél : 05 67 31 90 84 Fax : 05 34 61 51 00 Mail : [EMAIL PROTECTED]
no pg_dump?
I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? --charlie -- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
Re: dhcpd on 4.4 is problematic
On Wed, Nov 05, 2008 at 08:16:01AM -0500, Kenneth R Westerback wrote: On Wed, Nov 05, 2008 at 12:22:03PM +0800, Uwe Dippel wrote: Here is what Stuart requested. I hope the attachment goes through! 00f0: 0100: 6382 5363 3401 0035 c.Sc4..5 And that might be the problem. The DHCP overload option (#52, or hex 34) has the correct length (01) but a value of 0. This indicates no overload and Solaris is upset that the option is even there in this case. So much for trying to simplify the code by using a standard header. So this option needs to be overwritten with DHO_PAD if there is no overloading. This (untested) diff might help. Unfortunately I have no Solaris to test against and I'm off to work now. Test reports welcome, or better fixes. Ken Patch worksforme(tm) client: OpenSolaris 2008.05 server: 4.4-stable, both i386.
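The bytes quoted above (63 82 53 63 is the magic cookie, then 34 01 00 is option 52 with length 1 and value 0, then 35 is the message-type option) can be checked mechanically. The following is an added example for this thread, not Ken's diff and not OpenBSD's dhcpd code: a parser for the DHCP options area that flags a value-0 overload option and overwrites it in place with DHO_PAD bytes, which is the fix the message describes. Everything after the captured "6382 5363 3401 0035" fragment is constructed.

```python
"""Parse the DHCP options area and neutralise a value-0 overload option.

Added example for this thread; not the dhcpd diff itself and not code
from OpenBSD. The packet bytes are constructed around the captured
fragment 63 82 53 63 34 01 00 35; everything else is assumed.
"""
import struct

DHO_PAD = 0
DHO_DHCP_OPTION_OVERLOAD = 52      # 0x34 in the capture
DHO_DHCP_MESSAGE_TYPE = 53         # 0x35 in the capture
DHO_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_options(blob):
    """Decode the options area (starting with the magic cookie) into a
    list of (code, value) tuples, skipping PAD and stopping at END.
    Raises ValueError on a truncated option."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts = []
    i = len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == DHO_PAD:
            i += 1
            continue
        if code == DHO_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("option %d truncated (no length)" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated (short value)" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def has_null_overload(blob):
    """True when option 52 is present with length 1 and value 0, the
    combination the thread identifies as upsetting the Solaris client."""
    return any(code == DHO_DHCP_OPTION_OVERLOAD and value == b"\x00"
               for code, value in parse_options(blob))


def pad_null_overload(blob):
    """Return a copy of the options area in which a value-0 overload
    option is overwritten in place with three DHO_PAD bytes, so the
    packet length and every later offset stay unchanged."""
    parse_options(blob)  # reject malformed input before touching bytes
    out = bytearray(blob)
    i = len(MAGIC_COOKIE)
    while i < len(out):
        code = out[i]
        if code == DHO_PAD:
            i += 1
            continue
        if code == DHO_END:
            break
        length = out[i + 1]
        if (code == DHO_DHCP_OPTION_OVERLOAD and length == 1
                and out[i + 2] == 0):
            out[i:i + 3] = bytes([DHO_PAD] * 3)
        i += 2 + length
    return bytes(out)


# Constructed DHCPOFFER options area: the captured 63 82 53 63 34 01 00 35,
# completed with an assumed message type, server identifier, lease time and END.
SAMPLE_OPTIONS = (
    MAGIC_COOKIE
    + bytes([DHO_DHCP_OPTION_OVERLOAD, 1, 0])     # 34 01 00: the offending option
    + bytes([DHO_DHCP_MESSAGE_TYPE, 1, 2])        # 35 01 02: DHCPOFFER (assumed)
    + bytes([54, 4]) + bytes([192, 0, 2, 1])      # server identifier (constructed)
    + bytes([51, 4]) + struct.pack("!I", 3600)    # lease time (constructed)
    + bytes([DHO_END])
)

if __name__ == "__main__":
    print("value-0 overload present:", has_null_overload(SAMPLE_OPTIONS))
    fixed = pad_null_overload(SAMPLE_OPTIONS)
    print("after padding:", has_null_overload(fixed), fixed.hex())
```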
Re: VPN Ipsec
On Thu, Nov 6, 2008 at 9:39 AM, Louis Opter [EMAIL PROTECTED] wrote: Hello, I am trying to set up an ipsec vpn between two networks. But, I can't figure out why it doesn't work. I get some errors like (here on the malenfant gate, see network map below) : Plcy 30 keynote_cert_obtain: failed to open /etc/isakmpd/keynote//192.168.1.159/credentials Default rsa_sig_decode_hash: no public key found Default dropped message from $dugny_addr port 4500 due to notification type INVALID_ID_INFORMATION These messages typically mean that the identifiers used by the peers do not match. Try adding srcid foo and dstid bar on your ike esp tunnel lines: - on nemoto : st_cyr_net=192.168.2.0/24 dugny_net=192.168.3.0/24 st_cyr_addr=xx.xx.xx.xx ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr srcid nemoto dstid malenfant - on malenfant : st_cyr_net=192.168.2.0/24 dugny_net=192.168.3.0/24 dugny_addr=yy.yy.yy.yy ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr srcid malenfant dstid nemoto Also, if your machine is multi-homed, you will probably want to specify local to remove any ambiguity with respect to the source IP address that will be used in the outer (encapsulating) IP datagram. I don't understand why I have messages about keynote, because isakmpd is launched with the -K flag (and why 192.168.1.159 instead of $dugny_addr ?). And, I don't understand why it doesn't find the public key.
I have correctly copied for each gate /etc/isakmpd/local.pub to the other gate at /etc/isakmpd/pubkeys/ipv4/gate_ip Here is my network map : { st_cyr_net : 192.168.2.0/24 } | xl1 : 192.168.2.1 [gate malenfant] Openbsd 4.4-current (as of 10/18) on the livebox's DMZ xl0 : 192.168.1.183 | 192.168.1.1 [adsl router/modem livebox] $st_cyr_addr @@@ @@@ Internet @@@ $dugny_addr [adsl router/modem livebox] 192.168.1.1 | xl0 : 192.168.1.159 [gate nemoto] Openbsd 4.4-release on the livebox's DMZ xl1 : 192.168.3.1 | { dugny_net : 192.168.3.0/24 } By DMZ I mean that all ports for tcp and udp are redirected to the gate. I don't see why the liveboxes can be the problem, they redirect all the traffic. How can NAT on the liveboxes cause trouble ? Because the two gates run a different version of OpenBSD ? I don't think so, however malenfant will be upgraded to 4.4-release tomorrow evening. My ipsec.confs : - on nemoto : st_cyr_net=192.168.2.0/24 dugny_net=192.168.3.0/24 st_cyr_addr=xx.xx.xx.xx ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr - on malenfant : st_cyr_net=192.168.2.0/24 dugny_net=192.168.3.0/24 dugny_addr=yy.yy.yy.yy ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr pf is correctly (I hope) configured on both gates with (here is a snippet from malenfant's pf.conf) : set skip on { lo enc0 } block in pass out pass in on $ext_if proto { tcp udp } \ from $dugny_addr to ($ext_if) port ipsec-nat-t pass in on $ext_if proto udp to ($ext_if) port isakmp My two enc0 interfaces are up. If you find my mistake(s), have ideas, or need more information please tell me. Full configuration files and isakmpd log are available at : http://www.kalessin.fr/stuff/openbsd_ipsec.tar.gz Best Regards, Louis Opter. -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: no pg_dump?
On Thu, 6 Nov 2008, Charlie Farinella wrote: I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? They should be under /usr/local/bin/ -- Antoine
Re: no pg_dump?
On Thu, 6 Nov 2008 17:06:54 -0500, Charlie Farinella [EMAIL PROTECTED] wrote: I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? --charlie http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html
Re: no pg_dump?
On Thursday 06 November 2008, Antoine Jacoutot wrote: On Thu, 6 Nov 2008, Charlie Farinella wrote: I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? They should be under /usr/local/bin/ You would think, I know! I have psql, pg_ctl, pg_standby, pg_controldata, pg_resetxlog, pgbench, postgres, but no pg_dump, pg_dumpall, or pg_restore. pkg_info shows: postgresql-client-8.3.3 PostgreSQL RDBMS (client) postgresql-contrib-8.3.3 PostgreSQL RDBMS contributions postgresql-server-8.3.3 PostgreSQL RDBMS (server) I'm at a loss. --charlie -- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
Re: no pg_dump?
On Thursday 06 November 2008, Pierre-Emmanuel André wrote: On Thu, 6 Nov 2008 17:06:54 -0500, Charlie Farinella [EMAIL PROTECTED] wrote: I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? --charlie http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html Thank you. I have everything on the list except: /usr/local/bin/pg_config /usr/local/bin/pg_dump /usr/local/bin/pg_dumpall /usr/local/bin/pg_restore I also have a live system with data in it, so shutting it down is an issue. What would you suggest I do? I can do pkg_delete on all installed PostgreSQL packages and start over I suppose, or build PostgreSQL from source. I ran pkg_add -u for the client package, but that didn't help. Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
Re: no pg_dump?
On 2008-11-06, Charlie Farinella [EMAIL PROTECTED] wrote: On Thursday 06 November 2008, Pierre-Emmanuel Andri wrote: Le Thu, 6 Nov 2008 17:06:54 -0500, Charlie Farinella [EMAIL PROTECTED] wrote: I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? --charlie http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html Thank you. I have everything on the list except: /usr/local/bin/pg_config /usr/local/bin/pg_dump /usr/local/bin/pg_dumpall /usr/local/bin/pg_restore These are certainly in the 4.4-release i386 package. I also have a live system with data in it, so shutting it down is an issue. What would you suggest I do? I can do pkg_delete on all installed PostgreSQL packages and start over I suppose, or build PostgreSQL from source. I ran pkg_add -u for the client package, but that didn't help. you can try pkg_add -ri -F installed postgresql-client, but try and work out where they went...
Re: openbsd fail2ban
On 2008-11-06, Joachim Schipper [EMAIL PROTECTED] wrote: On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote: I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Yes, but why would you want to do that? It doesn't help in any real sense It helps reduce use of CPU and the /var/log disk. But so does the simpler block proto tcp to port ssh / pass proto tcp from ADMIN_NETS to port ssh.
Re: no pg_dump?
On Thu, Nov 06, 2008 at 05:53:17PM -0500, Charlie Farinella wrote: http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html Thank you. I have everything on the list except: /usr/local/bin/pg_config /usr/local/bin/pg_dump /usr/local/bin/pg_dumpall /usr/local/bin/pg_restore This is odd. Did your machine crash or get a full filesystem during the update/install? Do the inode change times of the actually installed files (like /usr/local/bin/psql) match the time of your update/install? Is there any partial-* stuff in /var/db/pkg? Does pkg_delete -n -Fdependencies (and don't omit the `-n') complain about some missing files? Where do you get your packages from, i.e. what's your PKG_PATH? What would you suggest I do? I can do pkg_delete on all installed PostgreSQL packages and start over I suppose, or build PostgreSQL from source. I ran pkg_add -u for the client package, but that didn't help. Whatever happened to your system, you could (with a PKG_PATH pointing to a place with correct packages) probably go with pkg_add -r -Finstalled,update postgresql-client (I'm a little bit unsure, because the manpage specifies -Finstalled for update mode only, but IIRC, you can use it for enforcing `-r', too) Ciao, Kili
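A scripted version of the "which listed files are actually missing" check Kili asks about, as an added example that is not part of any post in this thread. On a real OpenBSD box the file list would come from `pkg_info -L postgresql-client`; here the list and the root directory are constructed so the script runs offline.

```shell
# Print every path from a package file list that does not exist on disk.
# $1: text with one absolute path per line (the body that `pkg_info -L`
#     prints after its "Files:" header); $2: directory to check under ("" = /).
missing_files() {
    printf '%s\n' "$1" | grep '^/' | while IFS= read -r f; do
        [ -e "$2$f" ] || printf '%s\n' "$f"
    done
}

# Constructed check (not a real system): a fake root that only carries two of
# the five postgresql-client binaries named in the thread.
demo_missing() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/bin"
    for f in psql pg_config; do : > "$root/usr/local/bin/$f"; done
    list='/usr/local/bin/pg_config
/usr/local/bin/pg_dump
/usr/local/bin/pg_dumpall
/usr/local/bin/pg_restore
/usr/local/bin/psql'
    missing_files "$list" "$root"
    rm -rf "$root"
}

# Real-system usage (assumes an OpenBSD host with the package installed):
#   missing_files "$(pkg_info -L postgresql-client)" ""
```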
Re: no pg_dump?
On 2008-11-06, Matthias Kilian [EMAIL PROTECTED] wrote: On Thu, Nov 06, 2008 at 05:53:17PM -0500, Charlie Farinella wrote: http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html Thank you. I have everything on the list except: /usr/local/bin/pg_config /usr/local/bin/pg_dump /usr/local/bin/pg_dumpall /usr/local/bin/pg_restore This is odd. Did your machine crash or get a full filesystem during the update/install? for softdep users, a crash shortly after installation would do it too.
Re: openbsd fail2ban
One more vote for sshguard, I use it here with success, just need to create a rule like: block in on $ext_if proto tcp from <sshguard> to any port ssh And run sshguard, it will get any host trying random passwords with no success into the sshguard table. Don't know if there are any alternatives more openbsd focused. Alexander Polakov wrote: 2008/11/6, Charlie Clark [EMAIL PROTECTED]: Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Have you tried sshguard?
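What sshguard does for you, reduced to its core, as an added example that is not part of any post in this thread: count sshd "Failed password" lines per source address in authlog and turn the offenders into a pf table load. The log lines, the threshold and the table name `sshguard` are constructed for this example; on a real host the rule `table <sshguard> persist` plus the block rule quoted above make the `pfctl -t sshguard -T add` command take effect immediately.

```shell
# Constructed sample of /var/log/authlog lines (documentation addresses only).
SAMPLE_AUTHLOG='Nov  6 17:31:02 gorilla sshd[1234]: Failed password for root from 192.0.2.10 port 4120 ssh2
Nov  6 17:31:05 gorilla sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4121 ssh2
Nov  6 17:31:07 gorilla sshd[1240]: Failed password for invalid user test from 192.0.2.10 port 4122 ssh2
Nov  6 17:31:09 gorilla sshd[1242]: Failed password for root from 192.0.2.10 port 4123 ssh2
Nov  6 17:32:00 gorilla sshd[1250]: Failed password for charlie from 198.51.100.7 port 5001 ssh2
Nov  6 17:32:30 gorilla sshd[1251]: Accepted publickey for charlie from 198.51.100.7 port 5002 ssh2'

# Print (sorted) the source addresses with at least $2 failed logins in $1.
# Only sshd "Failed password" lines count; the address is the word after "from",
# which also covers the "invalid user NAME from" variant.
brute_force_sources() {
    printf '%s\n' "$1" |
        awk -v thr="$2" '
            /sshd\[[0-9]+\]: Failed password for/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "from") { n[$(i + 1)]++; break }
            }
            END { for (ip in n) if (n[ip] >= thr) print ip }' | sort
}

# Build the pfctl command that loads those addresses into the <sshguard>
# table used by the block rule in the post above. Returns 1 (prints nothing)
# when no address reached the threshold, so a caller can skip the pfctl run.
pf_table_command() {
    addrs=$(brute_force_sources "$1" "$2")
    [ -n "$addrs" ] || return 1
    # $addrs is deliberately unquoted: word splitting joins the lines with spaces.
    echo pfctl -t sshguard -T add $addrs
}
```

On a live system the input would be `"$(cat /var/log/authlog)"` and the printed command would be executed rather than echoed; the threshold decides how many failures a host gets before it is blocked.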
recommended disk layout for small web/mail/db server
Hi Folks. I'm setting up a small web/mail/db server for selling web hosting; it runs OpenBSD 4.4. I want to know the different points of view about the disk layout for this purpose. I don't have sufficient resources for buying three separate machines (web/mail/db) at this time. I hope for your advice! --- --- ficovh - http://bsdguy.net In the beginning God created the heavens and the earth. Gen. 1:1
Re: no pg_dump?
On 2008-11-07, Stuart Henderson [EMAIL PROTECTED] wrote: On 2008-11-06, Matthias Kilian [EMAIL PROTECTED] wrote: On Thu, Nov 06, 2008 at 05:53:17PM -0500, Charlie Farinella wrote: http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html Thank you. I have everything on the list except: /usr/local/bin/pg_config /usr/local/bin/pg_dump /usr/local/bin/pg_dumpall /usr/local/bin/pg_restore This is odd. Did your machine crash or get a full filesystem during the update/install? for softdep users, a crash shortly after installation would do it too. ehm, s/would/could/.
tap devices on bridge cannot connect
I am running Qemu with 2 virtual machines. I have put the tap devices into a bridge with a trunk interface, the trunk acts as a gateway, allowing a virtual network inside the host server which can nat to public IPs and be firewalled. For some reason the 2 vmhosts cannot communicate. They will arp each other up but not actually ping each other. They are windows hosts. I have a site to site vpn back to my house which I can ping both vm hosts successfully from my house computer through the vpn. I can ping the trunk interface from the hosts as well. just not vmhost to vmhost. Any thoughts on why they can not ping each other? thank you

Below is my pf.conf and output of ifconfig and brconfig

# gorilla.sporkton.com
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#NORMAL ORDER - see no set require-order rule
#Macros
#Tables
#Options
#Traffic Normalization (e.g. scrub)
#Queueing
#Translation (Various forms of NAT)
#Packet Filtering

ext_if=em0
vm_if=trunk0
gorilla=38.102.248.178

table <ssh-attack> persist
table <private> const { 10/8, 172.16/12, 192.168/16 }

set skip on {enc0, lo0}
set block-policy drop

scrub in on $ext_if all fragment reassemble

no nat on $ext_if from <private> to <private>
nat on $ext_if from <private> to any -> ($ext_if:0)

#--Default--#
block in
pass out
pass in on $vm_if
pass in on $ext_if proto tcp to $gorilla port ssh

#--Custom--#
pass in on $ext_if proto esp
pass in on $ext_if proto udp to $gorilla port {isakmp, ipsec-nat-t}
pass in on $ext_if proto {udp, tcp} to $gorilla port domain

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:22:b0:d8:d2
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 38.102.248.178 netmask 0xfff8 broadcast 38.102.248.183
        inet6 fe80::214:22ff:feb0:d8d2%em0 prefixlen 64 scopeid 0x1
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:22:b0:d8:d3
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<> mtu 1536
trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:00
        trunk: trunkproto roundrobin
        groups: trunk
        media: Ethernet autoselect
        status: no carrier
        inet 10.0.1.1 netmask 0xff00 broadcast 10.0.1.255
        inet6 fe80::214:22ff:feb0:d8d2%trunk0 prefixlen 64 scopeid 0x5
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
tun0: flags=9942<BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:be:64:87:01
        groups: tun
        inet6 fe80::2bd:beff:fe64:8701%tun0 prefixlen 64 scopeid 0x8
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge
tun1: flags=9942<BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:3b:4f:63:02
        groups: tun
        inet6 fe80::2bd:3bff:fe4f:6302%tun1 prefixlen 64 scopeid 0xb

# brconfig
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        trunk0 flags=3<LEARNING,DISCOVER>
                port 5 ifpriority 0 ifcost 0
        tun1 flags=3<LEARNING,DISCOVER>
                port 11 ifpriority 0 ifcost 0
        tun0 flags=3<LEARNING,DISCOVER>
                port 8 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):
#

-- -Lawrence
Re: trunk(4), VLANs and MTU problems
On 2008-11-06, Johan Strvm [EMAIL PROTECTED] wrote: Anyone know how common this problem with blocked ICMP packets is? Idiot firewall and router admins do it the world over. If you can work out who's filtering ICMP, you can attempt to apply a LART, but experience shows this is rarely successful :( PF scrub (max-mss, maybe no-df) can be a useful tool here...
Re: tap devices on bridge cannot connect
On 17:37:11 Nov 06, Lord Sporkton wrote: I am running Qemu with 2 virtual machines. I have put the tap devices into a bridge with a trunk interface, the trunk acts as a gateway, allowing a virtual network inside the host server which can nat to public IPs and be firewalled. For some reason the 2 vmhosts cannot communicate. They will arp each other up but not actually ping each other. They are windows hosts. I have a site to site vpn back to my house which I can ping both vm hosts successfully from my house computer through the vpn. I can ping the trunk interface from the hosts as well. just not vmhost to vmhost. Any thoughts on why they can not ping each other? I think qemu has two modes for networking and only TCP proxying works. Not sure about UDP. But ping does not work. If you configure qemu to do 'real' networking then I believe ping will work. People more knowledgeable than me should comment any further. Thanks. -Girish
Re: Laptop keyboard pictures
On Thu, Oct 30, 2008 at 7:42 PM, Ted Unangst [EMAIL PROTECTED] wrote: Can people with these new tiny notebooks send me a nice high res (1k x 1k is good) pic showing the keyboard layout? Maybe with a quarter or euro to show scale? Off list of course. I'd like to make a gallery because the keyboard is critical and it's hard to find decent pics of the keyboard sometimes. http://ted.unangst.googlepages.com/laptopkeyboards If anyone has one of the Lenovo IdeaPad U110, I'm particularly interested. From the web photos, it seems they have moved the tilde.
Re: Laptop keyboard pictures
Here's a pic of a portion of the eee keyboard (excuse the crappy photo): http://www.copyandwaste.com/wp-content/uploads/2008/11/img_0055.jpg Not sure if this is completely useful... but here is a comparison of the size of the eee and an old fujitsu lifebook http://www.copyandwaste.com/2008/09/16/asus-netbook/ -a On Thu, Nov 6, 2008 at 10:45 PM, Ted Unangst [EMAIL PROTECTED] wrote: On Thu, Oct 30, 2008 at 7:42 PM, Ted Unangst [EMAIL PROTECTED] wrote: Can people with these new tiny notebooks send me a nice high res (1k x 1k is good) pic showing the keyboard layout? Maybe with a quarter or euro to show scale? Off list of course. I'd like to make a gallery because the keyboard is critical and it's hard to find decent pics of the keyboard sometimes. http://ted.unangst.googlepages.com/laptopkeyboards If anyone has one of the Lenovo IdeaPad U110, I'm particularly interested. From the web photos, it seems they have moved the tilde.
Re: recommended disk layout for small web/mail/db server
Thanks for the suggestion, I think I'll begin with a 100GB hard disk, for managing users (web-mail-db) and hosting some dynamic web sites. I share the opinion about splitting /var; in the past only /var/postgresql was split for me, so /var/mail, /var/mysql and /var/log is a good suggestion. Thanks and Best Regards. --- On Fri, 11/7/08, Mikel Lindsaar [EMAIL PROTECTED] wrote: From: Mikel Lindsaar [EMAIL PROTECTED] Subject: Re: recommended disk layout for small web/mail/db server To: [EMAIL PROTECTED] Date: Friday, November 7, 2008, 2:05 AM On Fri, Nov 7, 2008 at 11:33 AM, Francisco Valladolid Hdez. [EMAIL PROTECTED] wrote: I'm setting up a small web/mail/db server for selling web hosting; it runs OpenBSD 4.4. I want to know the different points of view about the disk layout for this purpose. I don't have sufficient resources for buying three separate machines (web/mail/db) at this time. Depends on how big your hard drive is obviously, but here are some pointers: http://www.openbsd.org/faq/faq4.html#Disks Provides a good starting point for a 13G drive. It says: / 150M Swap 300M /tmp 120M /var 80M /usr 6G /home 4G Now, you say that you want to use mail, web and database. In OpenBSD, if you install from ports or packages, your data for the mail, ftp and database is going to be under the /var partition, in /var/www, /var/db and /var/mail. To begin with, you are probably best off just allocating more to /var. And in your case, I assume your drive is going to be a lot larger than 13Gb. So just add more to the /var partition, and a bit more to the /usr partition. If you wanted to get really smart, you could add a /var/log partition and give it a few Gb, or split up /var/db, /var/mail and /var/www into separate partitions, but I think it is just overkill for what you want. By the time your server starts running out of space, you will know which apps are taking the room and will be able to migrate to a bigger and better configuration. Mikel -- http://lindsaar.net/ Rails, RSpec and Life blog
Re: Laptop keyboard pictures
On Fri, Nov 7, 2008 at 12:01 AM, Andrew Konkol [EMAIL PROTECTED] wrote: Not sure if this is completely useful... but here is a comparison on the size of the eee and an old fujitsu lifebook http://www.copyandwaste.com/2008/09/16/asus-netbook/ That's awesome, thanks. I loved my lifebook, and used it several years even after I had faster machines. That really puts the eee in perspective.
Re: HP DL180 hangs on boot
On 08-11-06 14.44, Alexander Hall wrote: Hi! I have issues booting a HP ProLiant DL180 G5 (456830-421) [1] which I hope someone can shed some light on. [ While writing this email I've done some more testing and realized that the behaviour is not really consistent, but what I describe below is a typical case ] 1. The machine takes loong pauses (usually two; sometimes more) while loading the kernel. - The first long pause is after the entry point at ... line, and is about 90s. [noticed now that pressing any key on the keyboard makes it go on... interrupt issues?] See if the BIOS has an option to disable 8042 Emulation. That cured the entry point hang for me on a DL140 G3 system. /Johan
Re: recommended disk layout for small web/mail/db server
Francisco Valladolid Hdez. wrote: I'm setting up a small web/mail/db server for selling web hosting; it runs OpenBSD 4.4. I want to know the different points of view about the disk layout for this purpose. The partitioning depends on the usage. How much mail (# of messages and KB / message) do you expect to receive or store? How many GB of Web material do you plan to have? How many GB do you expect your databases to contain? Regards -Lars